pax_global_header00006660000000000000000000000064144016002630014506gustar00rootroot0000000000000052 comment=49c0c5193ef945f1a3dca30b59fa093a7b43437d why3-1.6.0/000077500000000000000000000000001440160026300124045ustar00rootroot00000000000000why3-1.6.0/.merlin.in000066400000000000000000000013471440160026300143050ustar00rootroot00000000000000S src/util S src/core S src/driver S src/extract S src/infer S src/mlw S src/parser S src/transform S src/printer S src/whyml S src/session S src/tools S src/ide S src/why3session S src/why3doc S src/jessie S src/trywhy3 S plugins/parser S plugins/printer S plugins/transform S plugins/tptp S plugins/python B src/util B src/core B src/driver B src/extract B src/infer B src/mlw B src/parser B src/transform B src/printer B src/whyml B src/session B src/tools B src/ide B src/why3session B src/why3doc B src/jessie B src/trywhy3 B plugins/parser B plugins/printer B plugins/transform B plugins/tptp B plugins/python B lib/why3 PKG @RELIB@ unix num dynlink @ZIPLIB@ @LABLGTKPKG@ @META_OCAMLGRAPH@ @JSOFOCAMLPKG@ @MLMPFR@ @INFERPKG@ @SEXPLIB@ why3-1.6.0/.ocp-indent000066400000000000000000000000201440160026300144350ustar00rootroot00000000000000match_clause = 4why3-1.6.0/AUTHORS000066400000000000000000000011311440160026300134500ustar00rootroot00000000000000The Why3 Verification Platform is developed by François Bobot Jean-Christophe Filliâtre Claude Marché Guillaume Melquiond Andrei Paskevich with contributions of Stefan Berghofer Sylvie Boldo Martin Clochard Simon Cruanes Sylvain Dailler Clément Fumex Léon Gondelman David Hauzar Daisuke Ishii Johannes Kanig Mikhail Mandrykin David Mentré Benjamin Monate Kim Nguyễn Thi-Minh-Tuyen Nguyen Mário Pereira Raphaël Rieu-Helft Simão Melo de Sousa Asma Tafat Piotr Trojanek Makarius Wenzel why3-1.6.0/CHANGES.md000066400000000000000000001362251440160026300140070ustar00rootroot00000000000000:x: marks a potential source of incompatibility Version 1.6.0, March 7 2023 --------------------------- Core * added meta `vc:proved_wf` for annotating well-founded relations, to make them easier to use in variants; see Section 8.2.3 of the manual Standard library * relations `ult`, `ugt`, `slt`, and `sgt` from `bv` modules are now recognized as well-founded Tools * `libdir` and `datadir` are not stored anymore in the configuration file, but they can still be manually set there if needed; see also the environment variables `WHY3LIB` and `WHY3DATA` * several debug flags have been renamed; use `why3 --list-debug-flags` to obtain the new names :x: * global directives in extra drivers are now taken into account * time limits now have a sub-second accuracy, e.g., `--timelimit=0.5` IDE * pressing Tab now auto-completes commands * added menu item "File/Export as Zip" to export a zip archive of the current session and all the related files Web interface TryWhy3 * proof obligations are now displayed as a sequent rather than a full task Python language * added `by` and `so` connectives in predicates * fixed overloading of `+` in Python code * added `add_list` for list concatenation in logic MLCFG language * attributes on function bodies are now supported * attributes `[@cfg:stackify]` and `[@cfg:subregion_analysis]` can be used to improve the VC structure and generate extra invariants; see Sections 7.3.5 and 7.3.6 of the manual API * source locations now use both a starting line and an ending line; the fourth number is thus the column on the last line :x: * several functions from `Call_prover` and `Driver` now take as input a `Whyconf.main` configuration type instead of directly taking `libdir` and `datadir` :x: * `Whyconf.load_driver` has been replaced by `Driver.load_driver_for_prover` :x: * `Warning.emit` has been replaced by `Loc.warning` :x: * representation of counterexamples has been modified; see Sections 5.3.7.1, 11.10.3, and 12.11 of the manual Provers * support for CVC5 1.0.0 to 1.0.4 (released Jan 31, 2023) * support for Alt-Ergo 2.4.2 (released Aug 1, 2022) * support for Z3 4.12.0 and 4.12.1 (released Jan 18, 2023) * support for Isabelle 2022 (released Oct 2022) Miscellaneous * fixed soundness bug with existential quantifiers in `introduce_premises` * configuration option `--enable-profiling` has been removed * configuration now fails for explicit yet unsuccessful `--enable-foo` options * OCaml >= 4.08 is now required * LablGtk2 is no longer supported Version 1.5.1, September 12, 2022 --------------------------------- Documentation * documented most options of `why3 prove` and `why3 execute` Python language * added construct `e1 if e2 else e3` * added support for tuples and multiple assignments * added `#@ axiom` and `#@ lemma` * global variables annotated with `#@ constant` are available in the logic * pure functions (i.e., limited to `return e`) annotated with `#@ function` are available in the logic * logical functions can be given a variant with `variant {term}` (contribution by Jean-Paul Bodeveix) Provers * support for Z3 4.9.0 and 4.9.1 (released Jul 6, 2022) * support for Z3 4.10.0, 4.10.1, and 4.10.2 (released Jul 30, 2022) * support for Z3 4.11.0 (released Aug 18, 2022) * support for Coq 8.16.0 (release Sep 5, 2022) * support for Gappa 1.4.0 (released Apr 16, 2022) Version 1.5.0, April 29, 2022 ----------------------------- Standard library * deeply revised library `mach.bv` for bitvector operations in programs; pre- and post-conditions are now expressed both in terms of mathematical integers and in terms of pure bitvectors, thanks to conversion to 128 bits :x: Core * equality of numeric literals is now semantic, i.e., independent of the radix :x: WhyML language * generalized witness expressions for type invariants * `absurd` is now implicitly inserted on the normal execution path of `match foo with exception Bar -> ...`, which is thus no longer parsed as `try foo with Bar -> ...` :x: Python language * added `break` and `continue` * added range with one, two, or three arguments * added slice, i.e., `list[i1:i2]` * added negative index, i.e., `list[n]` with `-len(list) ≤ n < len(list)` * added list methods: - `list.append(n)` - `list.pop()` - `list.clear()` - `list.sort()` - `list.reverse()` * added `is_permutation(list1, list2)` predicate * added assignment operators `+=`, `-=`, `*=`, `//=`, `%=` * functions can now return `bool` and `list` * logical functions and predicates can now be defined * added support for type annotations IDE * strategies now support step limits, passed as the third integer argument to the `call` command Web interface TryWhy3 * step limits are now configurable in the HTML file * "prove" now splits the VCs if they are not proven after "First-attempt limit" steps * added some "split" and "prove" buttons next to each task * moved the example list to `examples/config.json` and made it per-language * added some examples for Python and Micro-C * the Alt-Ergo worker is now the upstream one Tools * options `why3 --list-*` have been moved to a dedicated tool `why3 show`, e.g., `why3 show metas` * added `why3 show attributes` to list all the known attributes * `why3 prove` now supports transformations that require an argument * `why3 execute` now supports `io.StdIO` and `debug.Debug` * `why3 config detect` now also looks for provers with executable names `prover-[0-9].*` * sections `[detected_binary]` and `[manual_binary]` in `why3.conf` have been merged into a common section `[partial_prover]` :x: Coq realizations * floating-point theories are now built on top of Flocq's `BinarySingleNaN` formalization (requires Flocq >= 3.4 and Coq >= 8.11) :x: Provers * support for Z3 versions from 4.8.11 to 4.8.15 (released Mar 20, 2022) * support for Coq 8.14.0 (released Oct 14, 2021) and 8.15.0 (released Jan 13, 2022) * dropped support for Coq 8.6 * disabled support for SMTLIB strings in CVC4 1.7; only CVC4 1.8 is supported Miscellaneous * bytecode plugins are now compiled as `.cma` libraries instead of `.cmo` files :x: Version 1.4.1, February 18, 2022 -------------------------------- Bug fixes * fixed usage of various dependencies: `menhir`, `camlzip`, `ppx_deriving`, `coq-flocq`, `mlmpfr` Provers * support for Alt-Ergo 2.4.1 (released Jul 28, 2021) Version 1.4.0, March 13, 2021 ----------------------------- WhyML language * sub-namespaces are now allowed in `for each` loops; see Section 7.4.7 of the manual * function literals are now supported; see Sections 7.3.2 and 7.4.9 of the manual Standard library * added lemma `permut_sub_trans` to `array.ArrayPermut` * added function `inter` (intersection) to `bag.Bag` * added a new theory `option.Map` * added a precondition to `string.OCaml.([])` * added functions `set`, `init`, `sub` to `mach.array.ArrayInt63` * moved OCaml exception `Invalid_argument` to `ocaml.Exceptions` :x: * added function `length` in `mach.c.String` * added functions `sdiv` and `srem` to `bv` * added signed operations to `mach.bv` * added missing module for double-precision floats to `mach.floats` Tools * command-line options now follow the getopt standard; in particular, long options start with `--` :x: * binaries `why3config`, `why3prove`, etc, no longer exist; they are now plugins that can be loaded only using the main `why3` binary, e.g., `why3 config` :x: * `why3 config` now uses subcommands instead of options; in particular, prover detection is performed using `why3 config detect` and manual prover addition is performed using `why3 config add-prover`; see Section 6.1 of the manual :x: * `why3 execute` now provides runtime assertion checking; see Section 6.8.1 of the manual * runtime assertion checking is also used to validate counterexamples in `why3 prove` * loop invariants can now be inferred automatically; see Section 8.5 of the manual * JSON output of counterexamples was modified :x: IDE * native keyboard modifiers are now used on macOS * `why3 ide` in the Docker image can now be used through a web browser instead of an X server; see Section 5.1.2 of the manual Input formats * a new front-end named MLCFG was added; it supports unstructured program codes, including `goto` statements; see Section 9.3 of the manual * translation of `<>` and `not` have been fixed for micro-C and Python Extraction * allowed transitive inclusion (`export`) of interfaces and preludes * added `remove module` for drivers to exclude modules * added C extraction of strings * improved handling of C header files * added support of `blacklist` to C extraction * fixed extraction of partially applied functions * fixed OCaml extraction of nested tuples * fixed OCaml extraction of `OneTime` integers Web interface TryWhy3 * `?lang=foo` can now be used to select an input format other than WhyML; the input format can also be changed dynamically using a combobox * `?code=foo` can now be used to fill the editor with some code; the encoded string can be retrieved by clicking the "Copy URL" button * examples are no longer embedded; only files mentioned in `examples/index.txt` are considered :x: * Alt-Ergo workers can now be stopped without losing the session Provers * support for PVS 7.1 (released Apr 30, 2020) * support for Z3 4.8.7 (released Nov 19, 2019) * support for Z3 4.8.8 (released May 9, 2020) * support for Z3 4.8.9 (released Sep 11, 2020) * support for Z3 4.8.10 (released Jan 20, 2021) * support for AltErgo 2.3.3 (released Aug 19, 2020) * support for AltErgo 2.4.0 (released Jan 22, 2021) * support for Coq 8.13.0 (released Jan 7, 2021) * support for CVC4 1.8 (released Jun 19, 2020) Documentation * Why3 modes for editors (Section 5.3) * Why3-specific configuration for shells (Section 5.4) * detailed explanations on semantics of various WhyML statements (Section 7.4) * detailed explanations on WhyML module system (Section 7.5) * explanations on how users can customize drivers (Section 12.5) API * helpers were added to ease production of parse trees; see Section 4.9 of the manual * generation of counterexamples was changed; see Section 4.10 of the manual :x: Additional bug fixes * fixed `why3 prove` when called on a DIMACS file * improved detection of out-of-range values in `why3 execute` * fixed micro-Python parser when there is no newline at end of file * fixed SMT translation of negative floating-point literals * fixed set of reserved symbols for SMT solvers * restored `hypothesis_selection` transformation * fixed unsoundness of transformations `case` and `destruct` in presence of polymorphic formulas Version 1.3.3, September 11, 2020 --------------------------------- Bug fixes * fixed compilation on OpenBSD Provers * support for Coq 8.12.0 (released Jul 27, 2020) Version 1.3.2, September 5, 2020 -------------------------------- Bug fixes * fixed compilation on FreeBSD and macOS * fixed `use_api` examples * removed support for strings from the default variant of CVC4 1.7 * fixed custom editors for provers not being saved Version 1.3.1, March 24, 2020 ----------------------------- Bug fixes * fixed conflicting symbols for CVC4 1.7 * fixed META file * fixed infinite loops in strategies Version 1.3.0, March 17, 2020 ----------------------------- Standard library * `pqueue.Pqueue` is now modeled using sequences instead of lists :x: * `queue.Queue` is now modeled using sequences instead of lists :x: * the `set` library has been revamped :x: - in `set.Fset`, type `set` becomes `fset`; `choose` becomes `pick` - module `appset.Appset` becomes `set.SetApp`; `impset.Impset` becomes `set.SetImp` - in `set.SetApp` and `set.SetImp`, type `t` becomes `set`; field `contents` becomes `to_fset`; call to `empty` becomes `empty ()` * new library `fmap` for finite maps - `Fmap`: polymorphic, logic finite maps to be used in logic - `MapApp`, `MapAppInt`, `MapImp`, `MapImpInt`: monomorphic finite maps to be used in programs * no more libraries `appmap` and `impmap` :x: * no more library `sum.Sum` (subsumed by `int.Sum`) :x: * new library `string` for character strings - `String`: basic string operations - `OCaml`: additional operations dedicated to extraction to OCaml - `RegExpr`: regular expressions Language * the type `string` is a new built-in type; string literals can be given between double-quotes; see manual, Section 7.1 :x: * it is now possible to give a name to preconditions and assertions; `requires Foo { a = 3 }` sets the attribute `[@hyp_name:Foo]`, which tries to give the name `Foo` to the corresponding hypothesis after introduction * identifiers used for specification (resp. definition) of a function `foo` have been renamed from `foo_spec` (resp. `foo_def`) to `foo'spec` (resp. `foo'def`) :x: * identifiers used for goals `VC foo` have been renamed to `foo'vc` * identifiers used for record constructor `mk foo` have been renamed to `foo'mk` :x: * the `alias` clause can now be used in program functions to force the aliasing of function parameters and/or named returns Tools * counterexamples given by `why3prove` are no longer printed using JSON by default; pass option `--json` to restore the previous behavior * new tool `why3pp` to pretty print Why3 source code (inductive definitions to LaTeX, formatting of mlw files) Documentation * improved Chapter 7 on the WhyML language (record types, various kinds of function declarations, module cloning, etc.) * improved Section 11.4 on drivers, including an automatically generated dependency graph of driver files * improved Section 11.5 on transformations, including transformations with arguments API * `Call_provers.print_prover_result` now takes an additional argument `~json_model` to indicate whether counterexamples are printed using JSON :x: * indices of array are now `model_value` for counterexamples :x: * ITP constructor `Task` now contains the location of the goal :x: * ITP constructor `Source_and_ce` has now 3 arguments instead of 2 :x: * ITP constructors `File_contents` and `Source_and_ce` have a new argument for the file format :x: * ITP constructor `File_contents` has a new boolean argument for interpretation of the file in the IDE as `read_only` :x: * new ITP constructor `Ident_notif_loc` :x: * ITP constructor `Get_first_unproven_node` now takes a heuristic name argument :x: Transformations * `apply` and `rewrite` now behave better in presence of `let`; hypotheses with nested let-bindings can now be applied :x: * passing arguments to argument-free transformations is now forbidden (previously ignored) :x: * passing too many arguments to a transformation does not display a popup anymore * `induction_arg_ty_lex` is now equivalent to `induction_ty_lex` * `induction_arg_pr` now takes an optional argument that indicates what to generalize in the induction * `destruct` now destructs `not p` into `p -> false`; `destruct_rec` can further destruct afterwards; `destruct` can also destruct `true` and `false` :x: * decision procedures used for reflection must now be declared explicitly using `meta reflection val foo` :x: * `remove` and `bisect` should not raise unnecessary popups anymore * added `remove_rec` * attribute `inline:trivial` can be put on definitions to force their inlining by the transformation `inline_trivial` IDE * display of counterexamples in the Task view has been improved * auto jumping to next unproved goal can now be disabled in the preferences * added a "reset proofs" command in the Tools menu to remove all the proofs from the session * default proof strategies "Auto level 1" and "Auto level 2" have been respectively renamed "Auto level 2" and "Auto level 3"; "Auto level 1" now behaves similarly to "Auto level 0" but with a longer time limit; more details in the manual, Section 10.6 "Proof Strategies" :x: * strategies can now be defined using `%t` (resp. `%m`) to call a prover with the default timelimit (resp. memlimit) * added minimal search menu * a merlin-like feature to find the identifier located under the cursor has been added in the Edit menu. * read-only files can now be displayed and removed by right-clicking on their tab titles * colors for error can now be edited in why3.conf more precisely * most of the preferences can now be changed for the current session * Ctrl-Down/Ctrl-Up are mapped to more straightforward moves; the former movements can be triggered with Ctrl-Left/Ctrl-Right Realizations * added experimental realizations for new Set theories in both Isabelle and Coq Provers * support for Alt-Ergo 2.3.1 (released Feb 19, 2020) * support for Isabelle 2019 (released Jun 2019) * support for Vampire 4.2.2 (released Dec 14, 2017) * support for Coq 8.10.0 (released Oct 8, 2019) * support for Coq 8.10.1 (released Oct 25, 2019) * support for Coq 8.10.2 (released Oct 29, 2019) * support for Coq 8.11.0 (released Jan 30, 2020) * make use of built-in support for strings by Z3 (4.8.6), and CVC4 (1.7) Version 1.2.1, October 28, 2019 ------------------------------- Bug fixes * fixed compilation with OCaml 4.09 * fixed compilation with Lablgtk3 Provers * support for Z3 4.8.6 (released Sep 20, 2019) * support for Z3 4.8.5 (released Jun 3, 2019) * support for CVC4 1.7 (released Apr 9, 2019) * support for Alt-Ergo 2.3.0 (released Feb 11, 2019) * support for Coq 8.9.1 (released May 20, 2019) Version 1.2.0, February 11, 2019 -------------------------------- Session * file paths stored in session files are now represented in a system-independent way Drivers * the clause `syntax converter` has been removed; any former use should be replaced by `syntax literal` and/or `syntax function` :x: Language * a syntactic sugar called "auto-dereference" is introduced, so as to avoid, on simple programs, the heavy use of `(!)` character on references; see details in Section A.1 of the manual Transformations * `split_vc` and `subst_all` now avoid substituting user symbols by generated ones :x: * `destruct_rec` applies `destruct` recursively on a goal * `destruct` now simplifies away equalities on constructors :x: * `destruct` now simplifies `if .. then .. else ..` and `match .. with ..` :x: * `destruct_alg` renamed to `destruct_term`; it also has a new experimental keyword `using` to name newly destructed elements :x: Tools * added a command `why3 session update` to modify sessions from the command line; so far, only option `-rename-file` exists, for renaming files * `why3 config --add-prover` now takes the shortcut as second argument; option `--list-prover-ids` has been renamed to `--list-prover-families` :x: IDE * clicking on the status of a failed proof attempt in the proof tree now generates counterexamples * added support for GTK3 Counterexamples * the trigger for counterexamples has been changed; read Section 5.3.7 of the manual for details :x: * various improvements on the generated counterexamples * field names now use ident names instead of smt generated ones, e.g., `int32qtint` -> `int32'int` :x: * fixed parsing of bitvector values from counterexamples generated by Z3 Extraction * fixed extraction of functions passed as arguments * fixed extraction of recursive polymorphic functions for Ocaml * improved extraction of records for C Standard library * `Stack.length` and `Queue.length` now return a `Peano.t`, for improved extraction :x: Provers * support for Z3 4.8.1 (released Oct 16, 2018) * support for Z3 4.8.3 (released Nov 20, 2018) * support for Z3 4.8.4 (released Dec 20, 2018) * support for Coq 8.9.0 (released Jan 17, 2019) * upgraded Coq realizations for floating-point arithmetic to Flocq 3.1 * dropped support for Coq 8.5 Version 1.1.1, December 17, 2018 -------------------------------- Bug fixes * prevented broken extraction of `any` * fixed evaluation order when extracting nested mutators * fixed extraction of nested recursive polymorphic functions * fixed cloning of expressions raising exceptions Version 1.1.0, October 17, 2018 ------------------------------- Core * variants can now be inferred on some lemma functions * coercions are now supported for `if` and `match` branches * `interrupt` command should now properly interrupt running provers. * clearer typing error messages thanks to printing qualified names * fixed handling of prover upgrades, resurrected the policy "duplicate" and added a policy "remove" API * added `Call_provers.interrupt_call` to interrupt a running prover (contribution by Pierre-Yves Strub) Language * program functions can now be marked `partial` to prevent them from being used in ghost context; the annotation does not have to be explicitly put on their callers * `use` now accepts several module names separated by commas * symbolic operators can be used in identifiers like `(+)_ident` or `([])'ident` * range types have now a default ordering to be used in `variant` clause Standard library * library `ieee_float`: floating-point operations can now be used in programs Transformations * `split_vc` behaves slightly differently :x: Provers * support for Alt-Ergo 2.1.0 (released Mar 14, 2018) * support for Alt-Ergo 2.2.0 (released Apr 26, 2018) * support for Coq 8.8.1 (released Jun 29, 2018) * support for Coq 8.8.2 (released Sep 26, 2018) * support for CVC4 1.6 (released Jun 25, 2018) * support for Z3 4.7.1 (released May 23, 2018) * support for Isabelle 2018 (released Aug 2018) (contribution by Stefan Berghofer) * dropped support for Isabelle 2016 (2017 still supported) :x: * dropped support for Alt-Ergo versions < 2.0.0 :x: Version 1.0.0, June 25, 2018 ---------------------------- Core * improved support of counter-examples * attribute `[@vc:sp]` on an expression switches from traditional WP to Flanagan-Saxe-like VC generation * type invariants now produce logical axioms; a type with an invariant must be proved to be inhabited :x: * logical symbols can no longer be used in non-ghost code; in particular, there is no polymorphic equality in programs any more, so equality functions must be declared/defined on a per-type basis (already done for type `int` in the standard library) :x: Language * numerous changes to syntax, see documentation appendix :x: * `let function`, `let predicate`, `val function`, and `val predicate` introduce symbols in both logic and programs * added overloading of program symbols * new contract clause `alias { with , ... }` :x: * support for parallel assignment `,... <- ,...` * support for local exceptions using `exception ... in ...` * added `break`, `continue`, and `return` statements * support for `exception` branches in `match` constructs * support for `for` loops on range types (including machine integers from the standard library) * support for type coercions in logic using `meta coercion` * keyword `theory` is deprecated; use `module` instead * term on the left of sequence `;` must be of type `unit` :x: * cloned axioms turn into lemmas; use `with axiom my_axiom` or `with axiom .` to keep them as axioms :x: * `any ` produces an existential precondition; use `val f : in ...` (unsafe!) instead :x: * `use T` and `clone T` now import the generated namespace T; use `use T as T` and `clone T as T` to prevent this :x: * `pure { }` produces a ghost value in program code * `a <-> b <-> c` is now parsed as `(a <-> b) /\ (b <-> c)`; `a <-> b -> c` is now rejected :x: Standard library * machine integers in `mach.int.*` are now range types :x: * added a minimal memory model for the C language in `mach.c` * new modules `witness.Witness` and `witness.Nat` Extraction * improved extraction to OCaml * added partial extraction to C using the memory model of `mach.c` * added extraction to CakeML (using `why3 extract -D cakeml ...`) Transformations * transformations can now have arguments * added transformations `assert`, `apply`, `cut`, `rewrite`, etc., à la Coq * added transformations for reflection-based proofs Drivers * support for `use` in theory drivers IDE * replaced left toolbar by a contextual menu * source is now editable * premises are no longer implicitly introduced * added textual interface to call transformations and provers Tools * deprecated `.why` file extension; use `.mlw` instead Provers * removed the `why3` Coq tactic :x: * dropped support for Coq 8.4 :x: Miscellaneous * moved the opam base package to `why3`; added `why3-ide` and `why3-coq` Version 0.88.3, January 11, 2018 -------------------------------- Provers * support for Alt-Ergo 2.0.0 (released Nov 14, 2017) * support for Coq 8.7.1 (released Dec 16, 2017) * support for Z3 4.6.0 (released Dec 18, 2017) Standard library * fixed soundness of theory `int.Exponentiation` when multiplication is not commutative :x: Miscellaneous * fixed support for `--enable_relocation=yes` * fixed support for Windows Version 0.88.2, December 7, 2017 -------------------------------- Miscellaneous * `why3 session html`: improved compliance of generated files * `why3 doc`: fixed missing anchors for operator definitions * improved build process when `coqtop.byte` is missing Version 0.88.1, November 6, 2017 -------------------------------- API * exported function `Call_provers.get_new_results` Provers * improved support for Isabelle 2017 * fixed support for Coq 8.7 (released Oct 17, 2017) Miscellaneous * fixed compilation for OCaml 4.06 * improved support for nullary `val` declarations with regions Version 0.88.0, October 6, 2017 ------------------------------- Language * added two new forms of type declarations: integer range types and floating-point types. To denote constants in such types, integer constants and real constants can be cast to such types. This support is exploited in drivers for provers that support bitvector theories (CVC4, Z3) and floating-point theory (Z3). More details in the manual, section 7.2.4 "Theories". * a quote character `'` inside an identifier must either be at the end, or be followed by either a digit, the underscore character `_` or another quote. Identifiers with a quote followed by a letter are reserved. :x: Standard library * new theory `ieee_float` formalizing floating-point arithmetic, compliant to IEEE-754, mapped to SMT-LIB FP theory. User features * proof strategies: `why3 config` now generates default proof strategies using the installed provers. These are available under name "Auto level 0", "Auto level 1" and "Auto level 2" in `why3 ide`. More details in the manual, section 10.6 "Proof Strategies". * counterexamples: better support for array values, support for floating-point values, support for Z3 in addition to CVC4. More details in the manual, section 6.3.5 "Displaying Counterexamples". Plugins * new input format for a small subset of Python Provers * support for Isabelle 2017 (released Oct 2017) * dropped support for Isabelle 2016 (2016-1 still supported) :x: * support for Coq 8.6.1 (released Jul 25, 2017) * tentative support for Coq 8.7 * dropped tactic support for Coq 8.4 (proofs still supported) :x: * support for CVC4 1.5 (released Jul 10, 2017) * support for E 2.0 (released Jul 4, 2017) * support for E 1.9.1 (release Aug 31, 2016) Version 0.87.3, January 12, 2017 -------------------------------- Bug fixes * fixed OCaml extraction with respect to ghost parameters * assorted bug fixes Provers * support for Alt-Ergo 1.30 (released Nov 21, 2016) * support for Coq 8.6 (released Dec 8, 2016) * support for Gappa 1.3 (released Jul 20, 2016) * dropped support for Isabelle 2015 :x: * support for Isabelle 2016-1 (released Dec 2016) * support for Z3 4.5.0 (released Nov 8, 2016) Version 0.87.2, September 1, 2016 --------------------------------- Bug fixes * improved well-formedness of extracted OCaml code * assorted bug fixes Version 0.87.1, May 27, 2016 ---------------------------- Bug fixes * assorted bug fixes Version 0.87.0, March 15, 2016 ------------------------------ Language * added two new logical connectives `by` and `so` as keywords :x: Tools * added a command-line option `--extra-expl-prefix` to specify additional possible prefixes for VC explanations. Available for `why3` commands `prove` and `ide`. * removed `jstree` style from the `session` command :x: Transformations * all split transformations respect the `"stop_split"` label now. `split_*_wp` is a synonym for `split_*_right` :x: * the `split_*_right` transformations split the left-hand side subformulas when they carry the `"case_split"` label :x: * `split_intro` is now the composition of `split_goal_right` and `introduce_premises` :x: Standard library * improved bitvector theories :x: API * renamed functions in module `Split_goal` :x: * `split_intro` moved to Introduction :x: Encoding * if a task has no polymorphic object (except for the special cases of equality and maps), then the translation to SMT-LIB format is direct :x: Provers * dropped support for Alt-Ergo versions older than 0.95.2 :x: * support for Alt-Ergo 1.01 (released Feb 16, 2016) and non-free versions 1.10 and 1.20 * support for Coq 8.4pl6 (released Apr 9, 2015) * support for Coq 8.5 (released Jan 21, 2016) * support for Gappa 1.2.0 (released May 19, 2015) * dropped support for Isabelle 2014 :x: * support for Isabelle 2015 (released May 25, 2015) and Isabelle 2016 (released Feb 17, 2016) * support for Z3 4.4.0 (released Apr 29, 2015) and 4.4.1 (released Oct 5, 2015) * support for Zenon 0.8.0 (released Oct 21, 2014) * support for Zenon_modulo 0.4.1 (released Jul 2, 2015) Distribution * non-free files have been removed: `boomy` icon set, javascript helpers for `why3 session html --style jstree` Version 0.86.3, February 8, 2016 -------------------------------- Bug fixes * assorted bug fixes Provers * fix compilation issues with Coq 8.5 (the tactic for 8.5 now behaves like `idtac` on successfully proved goals) :x: Version 0.86.2, October 13, 2015 -------------------------------- Bug fixes * assorted bug fixes Version 0.86.1, May 22, 2015 ---------------------------- IDE * improved task highlighting for negated premises (contributed by Mikhail Mandrykin, AstraVer project) Provers * support for Gappa 1.2 (released May 19, 2015) Bug fixes * `why3doc`: garbled output Version 0.86, May 11, 2015 -------------------------- Core * steps limit for reliable replay of proofs, available for Alt-Ergo and CVC4 Transformations * new transformations `induction_pr` and `inversion_pr` to reason with inductive predicates Standard library * renamed theory `int.NumOfParam` into `int.NumOf`; the predicate `numof` now takes some higher-order predicate as argument (no more need for cloning). Similar change in modules `array.NumOf`... :x: * improved theory `real.PowerReal` :x: * new theory: sequences * new theories for bitvectors, mapped to BV theories of SMT solvers Z3 and CVC4 Provers * support for Coq 8.4pl5 (released Nov 7, 2014) * support for Z3 4.3.2 (released Oct 25, 2014) * support for MetiTarski 2.4 (released Oct 21, 2014) * support for Alt-Ergo 0.99.1 (released Dec 30, 2014) * support for Alt-Ergo 1.00.prv (released Jan 29, 2015) * support for veriT 201410 (released Nov 2014) * support for Psyche (experimental, http://www.lix.polytechnique.fr/~lengrand/Psyche/) * preliminary support for upcoming CVC4 1.5 (steps feature) IDE * config file not automatically saved anymore at exit. Configuration is saved on disk for future sessions if, and only if, preferences window is exited by hitting the "Save&Close" button * right part of main window organized in tabs * better explanations and task highlighting (contributed by Mikhail Mandrykin, AstraVer project) Bug fixes * bug in interpreter in presence of nested mutable fields * IDE: proofs in progress should never be "cleaned" * IDE: display warnings after reload Version 0.85, September 17, 2014 -------------------------------- Langage * fix a soundness bug in the detection of aliases when calling a WhyML function: some alias could have been forgotten when a type variable was substituted with a mutable type :x: Proof sessions * use the full path of identifiers when the user introduces namespaces (BTS #17181) Transformations * fix a soundness bug in `compute_in_goal` regarding the handling of logical implication. :x: * several improvements to `compute_in_goal`: - left-hand side of rewrite rules can be any symbols, not only non-interpreted ones. - perform beta-reduction when possible - the maximal number of reduction steps can be increased using meta `compute_max_steps` - the transformation is documented in details in the manual * new transformation `compute_specified`: less aggressive variant of `compute_in_goal`. Unfolding of definitions is controlled using meta `rewrite_def` * fixed a bug in `eliminate_if` when applied on inductive definitions Provers * fixed wrong warning when detecting Isabelle2014 Version 0.84, September 1, 2014 ------------------------------- Tools * the file generated by `why3 session html f.mlw` is now `f/why3session.html` and not `f/f.html` :x: * the default behavior of `why3` has been moved to the `prove` subcommand :x: * options `--exec`, `--extract`, and `--realize`, have been moved to subcommands: `execute`, `extract`, and `realize` :x: * `why3replayer` has been moved to the `replay` subcommand :x: * other tools have been moved to `why3` subcommands too: `config`, `doc`, `ide`, `session`, `wc`. For local usage, the old commands are still available. :x: Proof sessions * session files are split in two parts: `why3session.xml` and `why3shapes`. The latter file contains the checksums and the shapes for the goals. That second file is not strictly needed for replaying a proof session, it is only useful when input programs are modified, to track obsolete goals. If Why3 is compiled with compression support (provided by the `ocamlzip` library) then files for shapes are compressed into `why3shapes.gz`. Standard library * renamed `array.ArraySorted` into `array.IntArraySorted`; `array.ArraySorted` is now generic, with type and order relation parameters :x: * reduced amount of `use export` in the standard library: theories now only export the symbols they define. Users may need to insert more `use import` in their theories (typically `int.Int`, `option.Option`, `list.List`, etc.). :x: Provers * fixed Coq printer (former Coq proofs may have to be updated, by removing non-emptiness constraints from polymorphic type applications) :x: * support for Coq8.4pl4 * support for Isabelle2014 * support for CVC4 1.4 * updated support for TPTP TFA syntax (used by provers Beagle and Princess) Transformations * new transformation `compute_in_goal` that simplifies the goal, by computation, as much as possible Version 0.83, March 14, 2014 ---------------------------- Language * extra semicolons are now allowed at end of blocks * new clause `diverges`; loops and recursive calls not annotated with variants will generate a warning, unless the`"diverges` clause is given * clauses `reads` and `writes` now accept an empty set * modified syntax for `abstract`: `abstract end` :x: * types in quantifiers are now optional * formulas and Boolean terms can be used interchangeably Standard library * removed inconsistency in libraries `map.MapPermut` and `array.ArrayPermut` (names, definitions, and meaning of symbols `permut...` have been modified) :x: Provers * new version of prover: Coq 8.4pl3 * new version of prover: Gappa 1.1.0 * new version of prover: E prover 1.8 * dropped support for Coq 8.3 :x: * improved support for Isabelle2013-2 * fixed Coq printer (former Coq proofs may have to be updated, with extra qualification of imported symbols) :x: Tools * new option `--exec` to interpret WhyML programs; see doc chapter 8 * new option `--extract` to compile WhyML programs to OCaml; see doc chapter 8 and `modules/mach/{int,array}.mlw` * `why3replayer` renamed option `-obsolete-only` to `--obsolete-only`, `-smoke-detector` to `--smoke-detector`, `-force` to `--force` :x: * `why3replayer` now fails replaying if new goals are added :x: API * new type-inferring API for logical terms and program expressions Miscellaneous * fixed compilation bug with lablgtk 2.18 Version 0.82, December 12, 2013 ------------------------------- Core * lemma functions * polymorphic recursion permitted * opaque types API * more examples of use in `examples/use_api/` Tools * `why3session csv` can create graph with option `--gnuplot [png|svg|pdf|qt]` * shape algorithm modified (see VSTTE'13 paper) but is backward compatible thanks to `shape_version` numbers in `why3session.xml` files * options name and default of `why3session csv` changed :x: Miscellaneous * emacs: `why.el` renamed to `why3.el` :x: * GTK sourceview: `why.lang` renamed to `why3.lang` :x: * `Loc.try[1-7]` functions now take location as an optional parameter :x: Provers * new prover: Metitarski (2.2, contribution by Piotr Trojanek) * new prover: Metis (2.3) * new prover: Beagle (0.4.1) * new prover: Princess (2013-05-13) * new prover: Yices2 (2.0.4) * new prover: Isabelle (2013-2, contribution by Stefan Berghofer) * new version of prover: Alt-Ergo 0.95.2 * new version of prover: CVC4 1.1 & 1.2 & 1.3 * new version of prover: Coq 8.4pl2 * new version of prover: Gappa 1.0.0 * new version of prover: SPASS 3.8ds * new version of prover: veriT (201310) Bug fixes * remove extra leading zeros in decimal literals when a prover don't like them * PVS output: types are always non-empty * PVS: fixed configuration and installation process * Coq tactic: now loads dynamic plug-ins * bug #15493: correct Coq output for polymorphic algebraic data types * wish #15053: Remove proof time from "Goals proved by only one prover" section of `why3session info --stats` :x: * bug #13736: `why3ml` was slow when there were many inclusions * bug #16488: decimals in TPTP syntax * bug #16454: do not send arithmetic triggers anymore to alt-Ergo * syntax highlighting bugs should be fixed by removing the old language file `alt-ergo.lang` from Alt-ergo distribution Version 0.81, March 25, 2013 ---------------------------- Provers * experimental support for SPASS >= 3.8 (with types) * support for Z3 4.3.* * fixed Coq 8.4 support for theory `real.Trigonometry` * support for CVC4 * support for mathematica * support for MathSAT5 Core * accept type expressions in clone substitutions WhyML * support for relation chains (e.g., `e1 = e2 < e3`) * every exception raised in a function must be listed in as `raises { ... }` clause. A postcondition may be omitted and equals to `true` by default. :x: * if a function definition contains a `writes { ... }` clause, then every write effect must be listed. If a function definition contains a `reads { ... }` clause, then every read _and_ write effect must be listed. :x: Drivers * syntax rules, metas, and preludes are inherited through cloning. Keyword `cloned` becomes unnecessary and is not accepted anymore. :x: Version 0.80, October 31, 2012 ------------------------------ WhyML * modified syntax for mlw programs; a summary of changes is given in Appendix A of the manual :x: * support for type invariants and ghost code API * Ocaml interfaces for constructing program modules Transformations * experimental support for induction on integers and on algebraic types Interface * new system of warnings, that includes: - form `exists x, P -> Q`, likely an error - unused bound logic variables in `forall`, `exists`, and `let` Tools * replayer: new option `-q`, for running quietly * improved output of `why3session latex`; LaTeX macros have more arguments :x: * modifiers in `--extra-config` are now called `[prover_modifier]` instead of just `[prover]` :x: Provers * support for Coq 8.4 * dropped support for Coq 8.2 :x: * support for forthcoming PVS 6.0, including realizations * support for iProver and Zenon * new output scheme for Coq using type classes, to ensures types are inhabited Drivers * theory realizations now use meta `realized_theory` instead of `realized` :x: Version 0.73, July 19, 2012 --------------------------- Core * co-inductive predicates WhyML * new construct `abstract e { q }` that matches the structure of the goal Proof sessions * small change in the format. Why3 is still able to read session files in the old format. Standard library * fixed a consistency issue with `set.Fset` theory Tools * option `-obsolete-only` for `why3replayer` * new option `-e` for `why3session latex` to specify when to split tables in parts * no more executable `why3ml` (`why3` now handles WhyML files) :x: Provers * support for Z3 4.0 * workaround for a bug about modulo operator in Alt-Ergo 0.94 * quotes in identifiers remain quotes in Coq * Coq default tactic is now `intros ...` with a pattern IDE * "Clean" was cleaning too much Miscellaneous * completed support for the "Out Of Memory" prover result Version 0.72, May 11, 2012 -------------------------- Provers * Coq: new tactic `why3` to call external provers as oracles * Coq: new feature: theory realizations (see manual, chapter 9) Tools * new tool `why3session` (see manual, section 6.7) * new tool `why3doc` (see manual, section 6.8) * support for multiple versions of the same prover (see manual, section 5.5) IDE * new features, including prover upgrade, alternate editors Miscellaneous * complete support for limiting provers' memory usage * improved support on Microsoft Windows * new parser for TPTP files with support for the newest TFA1 format (TPTP with polymorphic types and arithmetic) Bug fixes * fixed BTS 14221 * fixed BTS 14190 * fixed BTS 12457 * fixed BTS 13854 * fixed BTS 13849 Language * new syntax `constant x:ty` and `constant x:ty = e` to introduce constants, as an alternative to `function` API * `Dtype` declaration kind is split into two: `Dtype` for declarations of a single abstract type or type alias, and `Ddata` for a list of (mutually recursive) algebraic types. Similarly, `Dlogic` declaration kind is split into `Dparam` for a single abstract function/predicate symbol and `Dlogic` for a list of (mutually recursive) defined symbols. Version 0.71, October 13, 2011 ------------------------------ Examples * a lot of new program examples in directory examples/programs Tools * `why3replayer`: new option `-latex` to output a proof session in LaTeX format WhyML * significant improvement of the efficiency of the WP calculus * fixed labels and source locations in WPs IDE * better coloring and source positioning including from front-ends such as Krakatoa and Jessie plugin of Frama-C Proof sessions * during reload, new method for pairing old and new subgoals based on goal shapes, stored in database. * prover versions are stored in database. A proof is marked obsolete if it was made by a prover with another version than the current. Version 0.70, July 6, 2011 -------------------------- WhyML * language and VC generator Language * record types - introduced with syntax `type t = {| a:int; b:bool |}` actually syntactic sugar for `type t = 'mk t' (a:int) (b:bool)` i.e. an algebraic with one constructor and projection functions - a record expression is written `{| a = 1; b = True |}` - access to field `a` with syntax `x.a` - update with syntax `{| x with b = False |}` - record patterns * new syntax for conjunction `/\` and disjunction `\/` (`and` and `or` do not exist anymore) :x: * `logic` is not a keyword anymore, use `function` and `predicate` :x: Tools * new tool `why3replayer`: batch replay of a Why3 session created in IDE Provers * Alt-Ergo, Z3, CVC3, Yices: support for built-in theory of arrays IDE * interactive detection of provers disabled because incompatible with session. Detection must be done with `why3config --detect-provers` * tool "Replay" works * tool "Reload" reloads the file from disk. No need to exit IDE anymore * does not use `Threads` anymore, thanks to `Call_provers.query_call` * displays explanations using labels of the form `"expl:..."` * dropped dependency on `Sqlite3` API * functions to create an environment are now exported from `Env` :x: * calls to prover can now be asynchronous. `Driver.prove_task` now returns some intermediate value (of type `prover_call`), which can be queried in two ways: - blocking way with `Call_provers.wait_on_call` - non-blocking way with `Call_provers.query_call` So old code performing `prove_task t () ()` should be translated to `wait_on_call (prove_task t ()) ()`. :x: Bug fixes * IDE: bug 12244 resolved by using `Task.task_equal` * Alt-Ergo: no triggers for `exists` quantifier * Coq: polymorphic inductive predicates * Coq: fixed bug 12934: type def with several type params Version 0.64, February 16, 2011 ------------------------------- Language * `/\` renamed into `&&` and `\/` into `||` :x: * algebraic types: must be well-founded, non-positive constructors are forbidden, recursive functions and predicates must structurally terminate * accept lowercase names for axioms, lemmas, goals, and cases in inductive predicates Transformations * `split-goal` does not split under disjunction anymore Tools * `why.conf` is no more looked for in the current directory; use `-C` or `WHY3CONFIG` instead * when `why.conf` is changed, a backup copy is made in `why.conf.bak` * `why.conf` now contains a magic number; configuration must be rebuilt with `why3config` if the magic number has changed * `why3config`: `--autodetect-provers` renamed to `--detect-provers`, `--autodetect-plugins` renamed to `--detect-plugins`; new option `--detect` to perform both detections * `why3config`: `--conf_file` is replaced by `-C` and `--config` Drivers * TPTP: encoding by explicit polymorphism is not anymore the default encoding for TPTP provers. It is now forbidden to use this encoding in presence of finite types. IDE * source file names are stored in database with paths relative to the database, so that databases are now easier to move from a machine to another (e.g when they are stored in source control repositories) Provers * better Gappa output: support for `sqrt`, for negative constants Miscellaneous * `configure`: fixed `--enable-local` * `configure`: if possible, use `ocamlfind` to find `lablgtk2` and `sqlite3` * labels in terms and formulas are not printed by default Version 0.63, December 21, 2010 ------------------------------- * first public release. See release notes in manual why3-1.6.0/CONTRIBUTING.md000066400000000000000000000121501440160026300146340ustar00rootroot00000000000000Welcome, contributor, to the Why3 verification platform! If you wish to contribute, open an issue or otherwise interact with our [Gitlab](https://gitlab.inria.fr/why3/why3), you will need to have an INRIA account. External users can file bug reports using our [mailing list](mailto:why3-club@lists.gforge.inria.fr). We're sorry for the inconvenience. # Building To build Why3 locally you will need a functional installation of OCaml (at least 4.08), `menhir`, `num` and `autoconf`. You can set up your developer build using the following commands: ``` autoconf ./configure --enable-local # stores the built binaries under ./bin make ``` Note: there can be issues around Num, recall and document those. ## Building Documentation Building the Why3 documentation requires an installation of Sphinx, as well as the `sphinxcontrib-bibtex` package. If your package manager does not have up to date versions of these packages, or they otherwise fail to install, you can install them using `pip3` as follows: ``` pip3 install sphinx sphinxcontrib-bibtex ``` You will need to re-configure Why3 to enable documentation building. Once it has been configured, documentation can be built by running `make doc`. # Testing To execute the Why3 tests run: ``` ./bench/bench ``` ## Running specific tests You may run specific classes of tests through the `-only` flag, the full listing of classes can be obtained from `-help`. For example to run the 'good file' tests, use: ``` ./bench/bench -only goodfiles ``` ## Adding new test suites To add a new directory of tests add a new line in `bench/bench`. The suite should be added to the relevant block, which is determined by the kind of assertion it performs. For example, if you wished to add a set of files which should successfully prove, add a line like `goods path/to/tests` to the appropriate block. Certain tests, those in `examples/`, `examples/bts`, `examples/programs` and `examples/check-builtin` are replayed every night on Moloch. To ensure accuracy and avoid flakiness, the sessions for these tests must be created on Moloch as well. ## Nightly CI Every night, the latest master is tested against a series of standard configurations, on Moloch (`moloch.lri.fr`). This ensures that regressions are caught across a wide array of different prover versions and families. The results of Nightly CI are emailed in the `why3-commits@lists.gforge.inria.fr` mailing list each morning. If you require access to Moloch in order to update sessions or test a new prover, ask one of the maintainers for help. # Standards Why3 uses a Pull Request development model. Contributions should be made to separate branches and a Merge Request should be opened in Gitlab, explaining the contents and purpose of its contents. While code review is not strictly enforced it is *highly* encouraged. ## Commits Every commit should: - Compile, and pass CI. - Be stripped of trailing whitespace. - Use appropriate indentation. - Be limited to 80 columns. - Have a clear and relevant commit message - Be as functionally isolated as possible # Contributing to counterexamples generation and checking The module `src/core/model_parser` contains the main data structure for counterexamples. Parser functions for counterexamples must be declared in driver files (e.g. declaring `model_parser "smtv2"` somewhere). Such functions should first be registered using `Model_parser.register_model_parser`. The latter function takes as input a so-called `raw_model_parser` (e.g. `Smtv2_model_parser.parse`). This `raw_model_parser` is an input of the internal function `Model_parser.model_parser`, which is the main function for counterexamples generation. A `raw_model_parser` is a function that processes a solver textual output and produces a preliminary structure for counterexamples, which is completed by `Model_parser.model_parser`. So, as mentioned above, an example of a `raw_model_parser`, for SMTv2 solvers, is `Smtv2_model_parser.parse`, which makes use of another data type `Smtv2_model_defs.function_def`. This specific `Smtv2_model_parser.parse` function proceeds in 2 main phases: - first transforms the textual output into an S-expression, - then the latter S-expression is transformed into a `Model_parser.model_element list`. The `raw_model_parser` functions are using the variable names as printed by the printer. It is only the `Model_parser.build_model_rec` function that recovers the original Why3 name from the `printing_info`. The type `printing_info` is declared in module `src/core/printer`. Task printers are taking as arguments a record of type `Printer.printer_args`. The field `printing_info` is supposed to be modified in place by printers. # profiling Profiling execution of Why3 can be performed out-of-the-box using under Linux using `perf`. A typical usage is ``` perf record --call-graph=dwarf -- why3 command perf report ``` Note that perf may complain you don't have enough priviledges. A typical configuration change required is, for the sssion only, execute ``` sysctl kernel.perf_event_paranoid=2 ``` or, to make this setting permanent, add the line ``` kernel.perf_event_paranoid = 2 ``` to `sys/sysctl.conf`. why3-1.6.0/INSTALL.md000066400000000000000000000014621440160026300140370ustar00rootroot00000000000000Installation instructions ========================= Installation from a source distribution (tarball) ------------------------------------------------- After unpacking, installation is done by ./configure make make install # as super-user if needed To also install Why3's OCaml library, do make byte make install-lib # as super-user if needed Installation from the git repository ------------------------------------ First run autoconf to build the `./configure` file, then follow the instructions from the section above. Detailed instructions --------------------- For detailed instructions and required dependencies, please see the manual [doc/latex/manual.pdf](http://why3.lri.fr/manual.pdf), Chapter 5 [Compilation, Installation](http://why3.lri.fr/doc/install.html). why3-1.6.0/LICENSE000066400000000000000000000663731440160026300134300ustar00rootroot00000000000000The Library is distributed under the terms of the GNU Lesser General Public License version 2.1 (included below). As a special exception to the GNU Lesser General Public License, you may link, statically or dynamically, a "work that uses the Library" with a publicly distributed version of the Library to produce an executable file containing portions of the Library, and distribute that executable file under terms of your choice, without any of the additional requirements listed in clause 6 of the GNU Lesser General Public License. By "a publicly distributed version of the Library", we mean either the unmodified Library as distributed by the authors, or a modified version of the Library that is distributed under the conditions defined in clause 3 of the GNU Lesser General Public License. This exception does not however invalidate any other reasons why the executable file might be covered by the GNU Lesser General Public License. The files src/util/extmap.ml{i} are derived from the sources of OCaml 3.12 standard library, and are distributed under the GNU LGPL version 2 (see file OCAML-LICENSE). Icon sets for the graphical interface of Why3 are subject to specific licenses, some of them may forbid commercial usage. These specific licenses are detailed in files share/images/*/*.txt ====================================================================== GNU LESSER GENERAL PUBLIC LICENSE Version 2.1, February 1999 Copyright (C) 1991, 1999 Free Software Foundation, Inc. 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA Everyone is permitted to copy and distribute verbatim copies of this license document, but changing it is not allowed. [This is the first released version of the Lesser GPL. It also counts as the successor of the GNU Library Public License, version 2, hence the version number 2.1.] Preamble The licenses for most software are designed to take away your freedom to share and change it. By contrast, the GNU General Public Licenses are intended to guarantee your freedom to share and change free software--to make sure the software is free for all its users. This license, the Lesser General Public License, applies to some specially designated software packages--typically libraries--of the Free Software Foundation and other authors who decide to use it. You can use it too, but we suggest you first think carefully about whether this license or the ordinary General Public License is the better strategy to use in any particular case, based on the explanations below. When we speak of free software, we are referring to freedom of use, not price. Our General Public Licenses are designed to make sure that you have the freedom to distribute copies of free software (and charge for this service if you wish); that you receive source code or can get it if you want it; that you can change the software and use pieces of it in new free programs; and that you are informed that you can do these things. To protect your rights, we need to make restrictions that forbid distributors to deny you these rights or to ask you to surrender these rights. These restrictions translate to certain responsibilities for you if you distribute copies of the library or if you modify it. For example, if you distribute copies of the library, whether gratis or for a fee, you must give the recipients all the rights that we gave you. You must make sure that they, too, receive or can get the source code. If you link other code with the library, you must provide complete object files to the recipients, so that they can relink them with the library after making changes to the library and recompiling it. And you must show them these terms so they know their rights. We protect your rights with a two-step method: (1) we copyright the library, and (2) we offer you this license, which gives you legal permission to copy, distribute and/or modify the library. To protect each distributor, we want to make it very clear that there is no warranty for the free library. Also, if the library is modified by someone else and passed on, the recipients should know that what they have is not the original version, so that the original author's reputation will not be affected by problems that might be introduced by others. Finally, software patents pose a constant threat to the existence of any free program. We wish to make sure that a company cannot effectively restrict the users of a free program by obtaining a restrictive license from a patent holder. Therefore, we insist that any patent license obtained for a version of the library must be consistent with the full freedom of use specified in this license. Most GNU software, including some libraries, is covered by the ordinary GNU General Public License. This license, the GNU Lesser General Public License, applies to certain designated libraries, and is quite different from the ordinary General Public License. We use this license for certain libraries in order to permit linking those libraries into non-free programs. When a program is linked with a library, whether statically or using a shared library, the combination of the two is legally speaking a combined work, a derivative of the original library. The ordinary General Public License therefore permits such linking only if the entire combination fits its criteria of freedom. The Lesser General Public License permits more lax criteria for linking other code with the library. We call this license the "Lesser" General Public License because it does Less to protect the user's freedom than the ordinary General Public License. It also provides other free software developers Less of an advantage over competing non-free programs. These disadvantages are the reason we use the ordinary General Public License for many libraries. However, the Lesser license provides advantages in certain special circumstances. For example, on rare occasions, there may be a special need to encourage the widest possible use of a certain library, so that it becomes a de-facto standard. To achieve this, non-free programs must be allowed to use the library. A more frequent case is that a free library does the same job as widely used non-free libraries. In this case, there is little to gain by limiting the free library to free software only, so we use the Lesser General Public License. In other cases, permission to use a particular library in non-free programs enables a greater number of people to use a large body of free software. For example, permission to use the GNU C Library in non-free programs enables many more people to use the whole GNU operating system, as well as its variant, the GNU/Linux operating system. Although the Lesser General Public License is Less protective of the users' freedom, it does ensure that the user of a program that is linked with the Library has the freedom and the wherewithal to run that program using a modified version of the Library. The precise terms and conditions for copying, distribution and modification follow. Pay close attention to the difference between a "work based on the library" and a "work that uses the library". The former contains code derived from the library, whereas the latter must be combined with the library in order to run. GNU LESSER GENERAL PUBLIC LICENSE TERMS AND CONDITIONS FOR COPYING, DISTRIBUTION AND MODIFICATION 0. This License Agreement applies to any software library or other program which contains a notice placed by the copyright holder or other authorized party saying it may be distributed under the terms of this Lesser General Public License (also called "this License"). Each licensee is addressed as "you". A "library" means a collection of software functions and/or data prepared so as to be conveniently linked with application programs (which use some of those functions and data) to form executables. The "Library", below, refers to any such software library or work which has been distributed under these terms. A "work based on the Library" means either the Library or any derivative work under copyright law: that is to say, a work containing the Library or a portion of it, either verbatim or with modifications and/or translated straightforwardly into another language. (Hereinafter, translation is included without limitation in the term "modification".) "Source code" for a work means the preferred form of the work for making modifications to it. For a library, complete source code means all the source code for all modules it contains, plus any associated interface definition files, plus the scripts used to control compilation and installation of the library. Activities other than copying, distribution and modification are not covered by this License; they are outside its scope. The act of running a program using the Library is not restricted, and output from such a program is covered only if its contents constitute a work based on the Library (independent of the use of the Library in a tool for writing it). Whether that is true depends on what the Library does and what the program that uses the Library does. 1. You may copy and distribute verbatim copies of the Library's complete source code as you receive it, in any medium, provided that you conspicuously and appropriately publish on each copy an appropriate copyright notice and disclaimer of warranty; keep intact all the notices that refer to this License and to the absence of any warranty; and distribute a copy of this License along with the Library. You may charge a fee for the physical act of transferring a copy, and you may at your option offer warranty protection in exchange for a fee. 2. You may modify your copy or copies of the Library or any portion of it, thus forming a work based on the Library, and copy and distribute such modifications or work under the terms of Section 1 above, provided that you also meet all of these conditions: a) The modified work must itself be a software library. b) You must cause the files modified to carry prominent notices stating that you changed the files and the date of any change. c) You must cause the whole of the work to be licensed at no charge to all third parties under the terms of this License. d) If a facility in the modified Library refers to a function or a table of data to be supplied by an application program that uses the facility, other than as an argument passed when the facility is invoked, then you must make a good faith effort to ensure that, in the event an application does not supply such function or table, the facility still operates, and performs whatever part of its purpose remains meaningful. (For example, a function in a library to compute square roots has a purpose that is entirely well-defined independent of the application. Therefore, Subsection 2d requires that any application-supplied function or table used by this function must be optional: if the application does not supply it, the square root function must still compute square roots.) These requirements apply to the modified work as a whole. If identifiable sections of that work are not derived from the Library, and can be reasonably considered independent and separate works in themselves, then this License, and its terms, do not apply to those sections when you distribute them as separate works. But when you distribute the same sections as part of a whole which is a work based on the Library, the distribution of the whole must be on the terms of this License, whose permissions for other licensees extend to the entire whole, and thus to each and every part regardless of who wrote it. Thus, it is not the intent of this section to claim rights or contest your rights to work written entirely by you; rather, the intent is to exercise the right to control the distribution of derivative or collective works based on the Library. In addition, mere aggregation of another work not based on the Library with the Library (or with a work based on the Library) on a volume of a storage or distribution medium does not bring the other work under the scope of this License. 3. You may opt to apply the terms of the ordinary GNU General Public License instead of this License to a given copy of the Library. To do this, you must alter all the notices that refer to this License, so that they refer to the ordinary GNU General Public License, version 2, instead of to this License. (If a newer version than version 2 of the ordinary GNU General Public License has appeared, then you can specify that version instead if you wish.) Do not make any other change in these notices. Once this change is made in a given copy, it is irreversible for that copy, so the ordinary GNU General Public License applies to all subsequent copies and derivative works made from that copy. This option is useful when you wish to copy part of the code of the Library into a program that is not a library. 4. You may copy and distribute the Library (or a portion or derivative of it, under Section 2) in object code or executable form under the terms of Sections 1 and 2 above provided that you accompany it with the complete corresponding machine-readable source code, which must be distributed under the terms of Sections 1 and 2 above on a medium customarily used for software interchange. If distribution of object code is made by offering access to copy from a designated place, then offering equivalent access to copy the source code from the same place satisfies the requirement to distribute the source code, even though third parties are not compelled to copy the source along with the object code. 5. A program that contains no derivative of any portion of the Library, but is designed to work with the Library by being compiled or linked with it, is called a "work that uses the Library". Such a work, in isolation, is not a derivative work of the Library, and therefore falls outside the scope of this License. However, linking a "work that uses the Library" with the Library creates an executable that is a derivative of the Library (because it contains portions of the Library), rather than a "work that uses the library". The executable is therefore covered by this License. Section 6 states terms for distribution of such executables. When a "work that uses the Library" uses material from a header file that is part of the Library, the object code for the work may be a derivative work of the Library even though the source code is not. Whether this is true is especially significant if the work can be linked without the Library, or if the work is itself a library. The threshold for this to be true is not precisely defined by law. If such an object file uses only numerical parameters, data structure layouts and accessors, and small macros and small inline functions (ten lines or less in length), then the use of the object file is unrestricted, regardless of whether it is legally a derivative work. (Executables containing this object code plus portions of the Library will still fall under Section 6.) Otherwise, if the work is a derivative of the Library, you may distribute the object code for the work under the terms of Section 6. Any executables containing that work also fall under Section 6, whether or not they are linked directly with the Library itself. 6. As an exception to the Sections above, you may also combine or link a "work that uses the Library" with the Library to produce a work containing portions of the Library, and distribute that work under terms of your choice, provided that the terms permit modification of the work for the customer's own use and reverse engineering for debugging such modifications. You must give prominent notice with each copy of the work that the Library is used in it and that the Library and its use are covered by this License. You must supply a copy of this License. If the work during execution displays copyright notices, you must include the copyright notice for the Library among them, as well as a reference directing the user to the copy of this License. Also, you must do one of these things: a) Accompany the work with the complete corresponding machine-readable source code for the Library including whatever changes were used in the work (which must be distributed under Sections 1 and 2 above); and, if the work is an executable linked with the Library, with the complete machine-readable "work that uses the Library", as object code and/or source code, so that the user can modify the Library and then relink to produce a modified executable containing the modified Library. (It is understood that the user who changes the contents of definitions files in the Library will not necessarily be able to recompile the application to use the modified definitions.) b) Use a suitable shared library mechanism for linking with the Library. A suitable mechanism is one that (1) uses at run time a copy of the library already present on the user's computer system, rather than copying library functions into the executable, and (2) will operate properly with a modified version of the library, if the user installs one, as long as the modified version is interface-compatible with the version that the work was made with. c) Accompany the work with a written offer, valid for at least three years, to give the same user the materials specified in Subsection 6a, above, for a charge no more than the cost of performing this distribution. d) If distribution of the work is made by offering access to copy from a designated place, offer equivalent access to copy the above specified materials from the same place. e) Verify that the user has already received a copy of these materials or that you have already sent this user a copy. For an executable, the required form of the "work that uses the Library" must include any data and utility programs needed for reproducing the executable from it. However, as a special exception, the materials to be distributed need not include anything that is normally distributed (in either source or binary form) with the major components (compiler, kernel, and so on) of the operating system on which the executable runs, unless that component itself accompanies the executable. It may happen that this requirement contradicts the license restrictions of other proprietary libraries that do not normally accompany the operating system. Such a contradiction means you cannot use both them and the Library together in an executable that you distribute. 7. You may place library facilities that are a work based on the Library side-by-side in a single library together with other library facilities not covered by this License, and distribute such a combined library, provided that the separate distribution of the work based on the Library and of the other library facilities is otherwise permitted, and provided that you do these two things: a) Accompany the combined library with a copy of the same work based on the Library, uncombined with any other library facilities. This must be distributed under the terms of the Sections above. b) Give prominent notice with the combined library of the fact that part of it is a work based on the Library, and explaining where to find the accompanying uncombined form of the same work. 8. You may not copy, modify, sublicense, link with, or distribute the Library except as expressly provided under this License. Any attempt otherwise to copy, modify, sublicense, link with, or distribute the Library is void, and will automatically terminate your rights under this License. However, parties who have received copies, or rights, from you under this License will not have their licenses terminated so long as such parties remain in full compliance. 9. You are not required to accept this License, since you have not signed it. However, nothing else grants you permission to modify or distribute the Library or its derivative works. These actions are prohibited by law if you do not accept this License. Therefore, by modifying or distributing the Library (or any work based on the Library), you indicate your acceptance of this License to do so, and all its terms and conditions for copying, distributing or modifying the Library or works based on it. 10. Each time you redistribute the Library (or any work based on the Library), the recipient automatically receives a license from the original licensor to copy, distribute, link with or modify the Library subject to these terms and conditions. You may not impose any further restrictions on the recipients' exercise of the rights granted herein. You are not responsible for enforcing compliance by third parties with this License. 11. If, as a consequence of a court judgment or allegation of patent infringement or for any other reason (not limited to patent issues), conditions are imposed on you (whether by court order, agreement or otherwise) that contradict the conditions of this License, they do not excuse you from the conditions of this License. If you cannot distribute so as to satisfy simultaneously your obligations under this License and any other pertinent obligations, then as a consequence you may not distribute the Library at all. For example, if a patent license would not permit royalty-free redistribution of the Library by all those who receive copies directly or indirectly through you, then the only way you could satisfy both it and this License would be to refrain entirely from distribution of the Library. If any portion of this section is held invalid or unenforceable under any particular circumstance, the balance of the section is intended to apply, and the section as a whole is intended to apply in other circumstances. It is not the purpose of this section to induce you to infringe any patents or other property right claims or to contest validity of any such claims; this section has the sole purpose of protecting the integrity of the free software distribution system which is implemented by public license practices. Many people have made generous contributions to the wide range of software distributed through that system in reliance on consistent application of that system; it is up to the author/donor to decide if he or she is willing to distribute software through any other system and a licensee cannot impose that choice. This section is intended to make thoroughly clear what is believed to be a consequence of the rest of this License. 12. If the distribution and/or use of the Library is restricted in certain countries either by patents or by copyrighted interfaces, the original copyright holder who places the Library under this License may add an explicit geographical distribution limitation excluding those countries, so that distribution is permitted only in or among countries not thus excluded. In such case, this License incorporates the limitation as if written in the body of this License. 13. The Free Software Foundation may publish revised and/or new versions of the Lesser General Public License from time to time. Such new versions will be similar in spirit to the present version, but may differ in detail to address new problems or concerns. Each version is given a distinguishing version number. If the Library specifies a version number of this License which applies to it and "any later version", you have the option of following the terms and conditions either of that version or of any later version published by the Free Software Foundation. If the Library does not specify a license version number, you may choose any version ever published by the Free Software Foundation. 14. If you wish to incorporate parts of the Library into other free programs whose distribution conditions are incompatible with these, write to the author to ask for permission. For software which is copyrighted by the Free Software Foundation, write to the Free Software Foundation; we sometimes make exceptions for this. Our decision will be guided by the two goals of preserving the free status of all derivatives of our free software and of promoting the sharing and reuse of software generally. NO WARRANTY 15. BECAUSE THE LIBRARY IS LICENSED FREE OF CHARGE, THERE IS NO WARRANTY FOR THE LIBRARY, TO THE EXTENT PERMITTED BY APPLICABLE LAW. EXCEPT WHEN OTHERWISE STATED IN WRITING THE COPYRIGHT HOLDERS AND/OR OTHER PARTIES PROVIDE THE LIBRARY "AS IS" WITHOUT WARRANTY OF ANY KIND, EITHER EXPRESSED OR IMPLIED, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE. THE ENTIRE RISK AS TO THE QUALITY AND PERFORMANCE OF THE LIBRARY IS WITH YOU. SHOULD THE LIBRARY PROVE DEFECTIVE, YOU ASSUME THE COST OF ALL NECESSARY SERVICING, REPAIR OR CORRECTION. 16. IN NO EVENT UNLESS REQUIRED BY APPLICABLE LAW OR AGREED TO IN WRITING WILL ANY COPYRIGHT HOLDER, OR ANY OTHER PARTY WHO MAY MODIFY AND/OR REDISTRIBUTE THE LIBRARY AS PERMITTED ABOVE, BE LIABLE TO YOU FOR DAMAGES, INCLUDING ANY GENERAL, SPECIAL, INCIDENTAL OR CONSEQUENTIAL DAMAGES ARISING OUT OF THE USE OR INABILITY TO USE THE LIBRARY (INCLUDING BUT NOT LIMITED TO LOSS OF DATA OR DATA BEING RENDERED INACCURATE OR LOSSES SUSTAINED BY YOU OR THIRD PARTIES OR A FAILURE OF THE LIBRARY TO OPERATE WITH ANY OTHER SOFTWARE), EVEN IF SUCH HOLDER OR OTHER PARTY HAS BEEN ADVISED OF THE POSSIBILITY OF SUCH DAMAGES. END OF TERMS AND CONDITIONS How to Apply These Terms to Your New Libraries If you develop a new library, and you want it to be of the greatest possible use to the public, we recommend making it free software that everyone can redistribute and change. You can do so by permitting redistribution under these terms (or, alternatively, under the terms of the ordinary General Public License). To apply these terms, attach the following notices to the library. It is safest to attach them to the start of each source file to most effectively convey the exclusion of warranty; and each file should have at least the "copyright" line and a pointer to where the full notice is found. Copyright (C) This library is free software; you can redistribute it and/or modify it under the terms of the GNU Lesser General Public License as published by the Free Software Foundation; either version 2.1 of the License, or (at your option) any later version. This library is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU Lesser General Public License for more details. You should have received a copy of the GNU Lesser General Public License along with this library; if not, write to the Free Software Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA Also add information on how to contact you by electronic and paper mail. You should also get your employer (if you work as a programmer) or your school, if any, to sign a "copyright disclaimer" for the library, if necessary. Here is a sample; alter the names: Yoyodyne, Inc., hereby disclaims all copyright interest in the library `Frob' (a library for tweaking knobs) written by James Random Hacker. , 1 April 1990 Ty Coon, President of Vice That's all there is to it! why3-1.6.0/Makefile.in000066400000000000000000002205751440160026300144640ustar00rootroot00000000000000#################################################################### # # # The Why3 Verification Platform / The Why3 Development Team # # Copyright 2010-2023 -- Inria - CNRS - Paris-Saclay University # # # # This software is distributed under the terms of the GNU Lesser # # General Public License version 2.1, with the special exception # # on linking described in file LICENSE. # # # #################################################################### VERBOSEMAKE ?= @enable_verbose_make@ ifeq ($(VERBOSEMAKE),yes) SHOW = @true HIDE = else SHOW = @echo HIDE = @ endif # install the binaries DESTDIR = prefix = @prefix@ exec_prefix = @exec_prefix@ datarootdir = @datarootdir@ BINDIR = $(DESTDIR)@bindir@ LIBDIR = $(DESTDIR)@libdir@ DATADIR = $(DESTDIR)@datarootdir@ MANDIR = $(DESTDIR)@mandir@ TOOLDIR = $(LIBDIR)/why3/commands # OS specific stuff EXE = @EXE@ # other variables CC = @CC@ MKDIR_P = @MKDIR_P@ INSTALL = @INSTALL@ INSTALL_DATA = @INSTALL_DATA@ ifeq (@enable_ocamlfind@,yes) OCAMLC = @OCAMLFIND@ ocamlc OCAMLOPT = @OCAMLFIND@ ocamlopt OCAMLDEP = @OCAMLFIND@ ocamldep OCAMLDOC = @OCAMLFIND@ ocamldoc else OCAMLC = @OCAMLC@ OCAMLOPT = @OCAMLOPT@ OCAMLDEP = @OCAMLDEP@ OCAMLDOC = @OCAMLDOC@ endif OCAMLFIND = @OCAMLFIND@ OCAMLLEX = @OCAMLLEX@ OCAMLYACC = @OCAMLYACC@ OCAMLLIB = @OCAMLLIB@ OCAMLINSTALLLIB = $(DESTDIR)@OCAMLINSTALLLIB@ OCAMLBEST = @OCAMLBEST@ OCAMLVERSION = @OCAMLVERSION@ COQC = @COQC@ COQDEP = @COQDEP@ FRAMAC_LIBDIR = $(DESTDIR)@FRAMAC_LIBDIR@ MENHIR = @MENHIR@ DEPFLAGS = -slash ifeq (@enable_why3_lib@,yes) INCLUDES += -I lib/why3 endif ifeq (@OCAMLBEST@,opt) # the semantics of the -native flag changed in ocaml 4.03.0 #DEPFLAGS += -native endif ifeq (@OCAMLBEST@,opt) SHAREDBEST=cmxs else SHAREDBEST=cma endif ifeq (@LATEX@,rubber) LATEXCOMP=rubber --warn all --pdf LATEXCLEAN=rubber --pdf --clean endif ifeq (@LATEX@,latexmk) LATEXCOMP=LATEXOPTS= latexmk --pdf LATEXCLEAN=LATEXOPTS= latexmk --pdf -C endif ifeq (@LATEX@,pdflatex) LATEXCOMP=pdflatex LATEXCLEAN=true endif SPHINX = @SPHINX@ EMACS = @EMACS@ #PSVIEWER = @PSVIEWER@ #PDFVIEWER = @PDFVIEWER@ EXTINCLUDES = @WHY3INCLUDE@ @REINCLUDE@ @ZIPINCLUDE@ @MENHIRINCLUDE@ @NUMINCLUDE@ @INFERINCLUDE@ # warnings are enabled and non fatal by default, except: # - disabled: # 4 Fragile pattern matching: matching that will remain complete even # if additional constructors are added to one of the variant types # matched. # 9 Missing fields in a record pattern. # 41 Ambiguous constructor or label name. # 42 Reliance on type-directed disambiguation # 44 Open statement shadows an already defined identifier. # 45 Open statement shadows an already defined label or constructor. # 52 The argument of this constructor should not be matched against a # constant pattern; the actual value of the argument could change # in the future. # - fatal: # 5 Partially applied function: expression whose result has function # type and is ignored. # 8 Partial match: missing cases in pattern-matching. # 14 Illegal backslash escape in string # 48 Implicit elimination of optional arguments. # 50 Unexpected documentation comment. WARNINGS = A-4-9-41-42-44-45-52@5@8@14@48@50 FLAGS = -w $(WARNINGS) -safe-string -keep-locs -bin-annot -dtypes -g -thread $(INCLUDES) OFLAGS = $(FLAGS) BFLAGS = $(FLAGS) ifeq (@enable_ocamlfind@,yes) FLAGS += $(addprefix -package ,$(EXTPKGS)) OLINKFLAGS += -linkpkg -linkall BLINKFLAGS += -linkpkg -linkall else FLAGS += $(EXTINCLUDES) OLINKFLAGS = -linkall $(EXTCMXA) BLINKFLAGS = -linkall $(EXTCMA) endif # see http://caml.inria.fr/mantis/view.php?id=4991 CMIHACK = -intf-suffix .cmi CMP_CP = cmp -s $< $@ || cp $< $@ # external libraries common to all binaries ifeq (@menhirlib_cmo@,yes) EXTOBJS = menhirLib EXTLIBS = else EXTOBJS = EXTLIBS = menhirLib endif EXTLIBS += @RELIB@ unix nums dynlink @ZIPLIB@ @WHY3LIB@ @INFERLIB@ EXTPKGS = menhirLib @RELIB@ unix num dynlink @ZIPLIB@ @MLMPFR@ @WHY3LIB@ @INFERPKG@ @SEXPLIB@ @SEXPLIBPPX@ EXTCMA = $(addsuffix .cmo,$(EXTOBJS)) $(addsuffix .cma,$(EXTLIBS)) EXTCMXA = $(addsuffix .cmx,$(EXTOBJS)) $(addsuffix .cmxa,$(EXTLIBS)) INSTALLED_LIB_EXTS = a cma cmx cmi cmxa cmxs cmt cmti COMPILED_LIB_EXTS = $(INSTALLED_LIB_EXTS) o cmo annot dep conflicts TOTARGET = > "$@" || (RV=$$?; rm -f "$@"; exit $${RV}) # Variables added for checking realizations GENERATED_PREFIX_COQ="lib/coq" GENERATED_PREFIX_ISABELLE=lib/isabelle ifeq (@enable_why3_lib@,yes) WHY3CMA = lib/why3/why3.cma WHY3CMXA = lib/why3/why3.cmxa else WHY3CMA = WHY3CMXA = endif ############### # main target ############### ifeq (@enable_why3_lib@,yes) all: @OCAMLBEST@ else all: endif plugins: plugins.@OCAMLBEST@ opt: plugins.opt byte: plugins.byte ifeq (@enable_local@,yes) all: install_local endif .PHONY: byte opt clean depend all install install-lib uninstall .PHONY: install-bin install-data uninstall-bin uninstall-data .PHONY: install-bash install-emacs install-framac .PHONY: uninstall-bash uninstall-emacs uninstall-framac .PHONY: ide install-ide uninstall-ide .PHONY: coq install-coq uninstall-coq clean-coq .PHONY: pvs install-pvs uninstall-pvs clean-pvs .PHONY: install-isabelle clean-isabelle .PHONY: plugins plugins.byte plugins.opt .PHONY: trywhy3 clean-trywhy3 .SUFFIXES: MAKEINC = CLEANDIRS = CLEANLIBS = GENERATED = ############## # Why3 library ############## LIBGENERATED = \ src/util/config.ml \ src/util/rc.ml src/util/lexlib.ml src/util/mysexplib.ml \ src/util/json_parser.mli src/util/json_parser.ml \ src/util/json_lexer.ml src/util/mlmpfr_wrapper.ml \ src/parser/lexer.ml \ src/core/parser_tokens.mli src/core/parser_tokens.ml \ src/parser/parser.mli src/parser/parser.ml \ src/parser/parser_messages.ml \ src/driver/driver_parser.mli src/driver/driver_parser.ml \ src/driver/driver_lexer.ml \ src/driver/sexp.ml \ src/session/compress.ml src/session/xml.ml \ src/session/strategy_parser.ml LIB_UTIL = mysexplib config bigInt mlmpfr_wrapper util opt lists strings \ pp extmap extset exthtbl weakhtbl diffmap \ hashcons wstdlib exn_printer getopt \ json_base json_parser json_lexer \ debug loc lexlib print_tree \ cmdline sysutil rc plugin bigInt number constant vector pqueue ifeq (@enable_re@,no) LIB_UTIL += re endif LIB_CORE = \ ident ty term pattern decl coercion theory \ parser_tokens keywords \ task pretty dterm env trans printer model_parser LIB_DRIVER = prove_client whyconf call_provers driver_parser driver_lexer driver \ autodetection smtv2_model_defs sexp smtv2_model_parser LIB_MLW = ity expr pdecl eval_match typeinv vc pmodule dexpr big_real \ pinterp_core rac pinterp check_ce ifeq (@enable_infer@,yes) LIB_INFER = o2oterm domain infer_why3 quant_domain union_find disjunctive_term_domain uf_domain infer_cfg infer_loop endif ifeq (@enable_bddinfer@,yes) LIB_BDDINFER = bddparam abstract ast interp_expression infer why3infer endif LIB_EXTRACT = mltree compile mlinterp pdriver ml_printer \ c ocaml cakeml LIB_PARSER = ptree ptree_helpers glob typing \ parser_messages parser typing report lexer mlw_printer LIB_TRANSFORM = simplify_formula inlining split_goal \ args_wrapper reduction_engine compute \ remove_unused detect_polymorphism \ eliminate_definition \ abstract_quantifiers eliminate_unknown_types \ eliminate_unknown_lsymbols eliminate_symbol \ eliminate_inductive eliminate_let eliminate_if \ libencoding eliminate_algebraic discriminate encoding \ encoding_select encoding_guards_full encoding_tags_full \ encoding_guards encoding_tags encoding_twin \ encoding_sort simplify_array filter_trigger \ abstraction close_epsilon lift_epsilon \ eliminate_epsilon intro_projections_counterexmp \ instantiate_predicate smoke_detector \ prop_curry eliminate_literal \ generic_arg_trans_utils case apply subst \ introduction ind_itp destruct cut congruence \ intro_vc_vars_counterexmp prepare_for_counterexmp \ induction induction_pr reflection keep_only_arithmetic LIB_PRINTER = cntexmp_printer alt_ergo why3printer smtv1 smtv2 coq\ pvs isabelle \ simplify gappa cvc3 yices mathematica LIB_SESSION = compress xml termcode session_itp \ strategy strategy_parser controller_itp \ server_utils itp_communication \ itp_server json_util unix_scheduler LIB_CMIONLY = driver/driver_ast LIBMODULES = $(addprefix src/util/, $(LIB_UTIL)) \ $(addprefix src/core/, $(LIB_CORE)) \ $(addprefix src/driver/, $(LIB_DRIVER)) \ $(addprefix src/mlw/, $(LIB_MLW)) \ $(addprefix src/infer/, $(LIB_INFER)) \ $(addprefix src/bddinfer/, $(LIB_BDDINFER)) \ $(addprefix src/extract/, $(LIB_EXTRACT)) \ $(addprefix src/parser/, $(LIB_PARSER)) \ $(addprefix src/transform/, $(LIB_TRANSFORM)) \ $(addprefix src/printer/, $(LIB_PRINTER)) \ $(addprefix src/session/, $(LIB_SESSION)) LIBDIRS = util core driver mlw extract parser transform printer session ifeq (@enable_infer@,yes) LIBDIRS += infer endif ifeq (@enable_bddinfer@,yes) LIBDIRS += bddinfer endif LIBINCLUDES = $(addprefix -I src/, $(LIBDIRS)) LIBDEP = $(addsuffix .dep, $(LIBMODULES)) $(LIB_CMIONLY:%=src/%.dep) LIBCMO = $(addsuffix .cmo, $(LIBMODULES)) LIBCMX = $(addsuffix .cmx, $(LIBMODULES)) LIBCMI = $(addsuffix .cmi, $(LIBMODULES)) $(LIB_CMIONLY:%=src/%.cmi) $(LIBDEP) $(LIBCMO) $(LIBCMX) $(LIBCMI): INCLUDES += $(LIBINCLUDES) $(LIBCMX): OFLAGS += -for-pack Why3 $(LIBDEP): $(LIBGENERATED) src/parser/ptree.cmx src/parser/ptree.cmo: FLAGS += -w -70 src/util/mysexplib.cmx src/util/mysexplib.cmo: FLAGS += -w -70 # Mlmpfr ifeq (@enable_mpfr@,yes) ifeq (@old_mpfr@,yes) src/util/mlmpfr_wrapper.ml: src/util/mlmpfr_old.ml Makefile $(CMP_CP) else ifeq (@enable_mpfr@,yes) src/util/mlmpfr_wrapper.ml: src/util/mlmpfr_real.ml Makefile $(CMP_CP) endif else src/util/mlmpfr_wrapper.ml: src/util/mlmpfr_dummy.ml Makefile $(CMP_CP) endif # Ocamlzip ifeq (@enable_zip@,yes) src/session/compress.ml: src/session/compress_z.ml Makefile $(CMP_CP) else src/session/compress.ml: src/session/compress_none.ml Makefile $(CMP_CP) endif # pp_sexp_conv ifeq (@enable_pp_sexp@, yes) src/util/mysexplib.ml: src/util/mysexplib-real.ml Makefile $(CMP_CP) src/tools/why3pp_sexp.ml: src/tools/why3pp_sexp-real.ml Makefile $(CMP_CP) else src/util/mysexplib.ml: src/util/mysexplib-dummy.ml Makefile $(CMP_CP) src/tools/why3pp_sexp.ml: src/tools/why3pp_sexp-dummy.ml Makefile $(CMP_CP) endif .PHONY: initialize_messages update-parsing-error-handling PARSERS=src/parser/parser_common.mly src/parser/parser.mly src/parser/parser_messages.ml: src/parser/handcrafted.messages @rm -f src/parser/parser_messages.ml src/parser/parser_messages.ml.tmp @$(MENHIR) --explain --strict $(PARSERS) --base src/parser/parser --update-errors \ src/parser/handcrafted.messages > src/parser/handcrafted.messages.temp @if ! diff -b src/parser/handcrafted.messages src/parser/handcrafted.messages.temp > /dev/null; then \ echo "Parsing error handling must be updated, the file 'src/parser/handcrafted.messages.temp' \ contains an updated version that must be checked before replacing 'src/parser/handcrafted.messages'"; \ exit 1; \ fi @rm -f src/parser/handcrafted.messages.temp $(MENHIR) --explain --strict $(PARSERS) --base src/parser/parser --compile-errors \ src/parser/handcrafted.messages > src/parser/parser_messages.ml clean:: rm -f src/parser/parser_messages.ml.tmp src/parser/handcrafted.messages.temp # debug optimisation ppx ifeq (@enable_ppx@,yes) src/util/ppx_debug_optim: src/util/debug_optim.ml $(SHOW) 'Linking $@' $(HIDE) $(OCAMLFIND) opt -package compiler-libs.common -linkpkg src/util/debug_optim.ml -o $@ src/transform/reflection.cmx: src/util/ppx_debug_optim src/transform/reflection.cmx: OFLAGS += -ppx src/util/ppx_debug_optim src/extract/mlinterp.cmx: src/util/ppx_debug_optim src/extract/mlinterp.cmx: OFLAGS += -ppx src/util/ppx_debug_optim clean:: rm -f src/util/ppx_debug_optim endif # Re ifeq (@enable_re@,no) src/util/re.ml: src/util/recompat.ml Makefile $(CMP_CP) LIBGENERATED += src/util/re.ml endif GENERATED += src/util/re.ml # build targets byte: lib/why3/why3.cma opt: lib/why3/why3.cmxa lib/why3/why3.cmxs lib/why3/why3.cma: lib/why3/why3.cmo lib/why3/why3.cmxa: lib/why3/why3.cmx lib/why3/why3.cmxs: lib/why3/why3.cmx lib/why3/why3.cmo: $(LIBCMO) $(SHOW) 'Linking $@' $(HIDE)$(OCAMLC) $(BFLAGS) -pack -o $@ $^ lib/why3/why3.cmx: $(LIBCMX) lib/why3/why3.cmo $(SHOW) 'Linking $@' $(HIDE)$(OCAMLOPT) $(OFLAGS) $(CMIHACK) -pack -o $@ $(filter %.cmx, $^) # clean and depend MAKEINC += $(LIBDEP) CLEANDIRS += src $(addprefix src/, $(LIBDIRS)) CLEANLIBS += lib/why3/why3 GENERATED += $(LIBGENERATED) ############### # installation ############### uninstall-data:: rm -rf $(DATADIR)/why3 install-data:: $(MKDIR_P) $(DATADIR)/why3 $(MKDIR_P) $(DATADIR)/why3/vim $(MKDIR_P) $(DATADIR)/why3/vim/ftdetect $(MKDIR_P) $(DATADIR)/why3/vim/syntax $(MKDIR_P) $(DATADIR)/why3/lang $(MKDIR_P) $(DATADIR)/why3/stdlib $(MKDIR_P) $(DATADIR)/why3/stdlib/mach $(MKDIR_P) $(DATADIR)/why3/drivers $(MKDIR_P) $(DATADIR)/why3/extraction_drivers $(INSTALL_DATA) stdlib/*.mlw $(DATADIR)/why3/stdlib $(INSTALL_DATA) stdlib/mach/*.mlw $(DATADIR)/why3/stdlib/mach $(INSTALL_DATA) drivers/*.drv drivers/*.gen $(DATADIR)/why3/drivers $(INSTALL_DATA) extraction_drivers/*.drv $(DATADIR)/why3/extraction_drivers $(INSTALL_DATA) LICENSE $(DATADIR)/why3/ $(INSTALL_DATA) share/provers-detection-data.conf $(DATADIR)/why3/ $(INSTALL_DATA) share/why3session.dtd $(DATADIR)/why3 $(INSTALL_DATA) share/Makefile.config $(DATADIR)/why3 $(INSTALL_DATA) share/vim/ftdetect/why3.vim $(DATADIR)/why3/vim/ftdetect/why3.vim $(INSTALL_DATA) share/vim/syntax/why3.vim $(DATADIR)/why3/vim/syntax/why3.vim $(INSTALL_DATA) share/lang/why3.lang $(DATADIR)/why3/lang/why3.lang $(INSTALL_DATA) share/lang/why3c.lang $(DATADIR)/why3/lang/why3c.lang $(INSTALL_DATA) share/lang/why3py.lang $(DATADIR)/why3/lang/why3py.lang ifeq (@enable_local@,yes) else install:: install-bin install-data uninstall:: uninstall-bin uninstall-data rm -rf $(LIBDIR)/why3 endif uninstall-lib: if test -d $(OCAMLINSTALLLIB) -a -w $(OCAMLINSTALLLIB); then \ rm -rf $(OCAMLINSTALLLIB)/why3; \ fi uninstall:: uninstall-lib install-lib:: $(MKDIR_P) $(OCAMLINSTALLLIB)/why3 $(INSTALL_DATA) $(wildcard $(addprefix lib/why3/why3., $(INSTALLED_LIB_EXTS))) \ lib/why3/META $(OCAMLINSTALLLIB)/why3 ################## # Why3 emacs mode ################## %.elc: %.el $(EMACS) --batch --no-init-file -f batch-byte-compile $< clean:: rm -f share/emacs/why3.elc uninstall-emacs: rm -f $(DATADIR)/emacs/site-lisp/why3.el rm -f $(DATADIR)/emacs/site-lisp/why3.elc uninstall:: uninstall-emacs install-emacs: $(MKDIR_P) $(DATADIR)/emacs/site-lisp/ $(INSTALL_DATA) share/emacs/why3.el $(DATADIR)/emacs/site-lisp/why3.el ifeq (@enable_emacs_compilation@,yes) $(INSTALL_DATA) share/emacs/why3.elc $(DATADIR)/emacs/site-lisp/why3.elc endif install:: install-emacs ifeq (@enable_emacs_compilation@,yes) all: share/emacs/why3.elc endif ################## # Why3 plugins ################## PLUGGENERATED = \ plugins/tptp/tptp_lexer.ml \ plugins/tptp/tptp_parser.ml plugins/tptp/tptp_parser.mli \ plugins/python/py_lexer.ml \ plugins/python/py_parser.ml plugins/python/py_parser.mli \ plugins/microc/mc_lexer.ml \ plugins/microc/mc_parser.ml plugins/microc/mc_parser.mli \ plugins/cfg/cfg_lexer.ml \ plugins/cfg/cfg_parser.ml plugins/cfg/cfg_parser.mli \ plugins/parser/dimacs.ml PLUG_PARSER = genequlin dimacs PLUG_PRINTER = PLUG_TRANSFORM = PLUG_TPTP = tptp_parser tptp_typing tptp_lexer tptp_printer PLUG_PYTHON = py_parser py_lexer py_main PLUG_MICROC = mc_parser mc_lexer mc_printer mc_main PLUG_CFG = cfg_parser cfg_lexer cfg_paths subregion_analysis cfg_main ifeq (@enable_stackify@,yes) PLUG_CFG += stackify cfg_stackify endif PLUG_CMIONLY = tptp/tptp_ast python/py_ast microc/mc_ast cfg/cfg_ast PLUGINS = genequlin dimacs tptp python microc cfg TPTPMODULES = $(addprefix plugins/tptp/, $(PLUG_TPTP)) PYTHONMODULES = $(addprefix plugins/python/, $(PLUG_PYTHON)) MICROCMODULES = $(addprefix plugins/microc/, $(PLUG_MICROC)) CFGMODULES = $(addprefix plugins/cfg/, $(PLUG_CFG)) TPTPCMO = $(addsuffix .cmo, $(TPTPMODULES)) TPTPCMX = $(addsuffix .cmx, $(TPTPMODULES)) PYTHONCMO = $(addsuffix .cmo, $(PYTHONMODULES)) PYTHONCMX = $(addsuffix .cmx, $(PYTHONMODULES)) MICROCCMO = $(addsuffix .cmo, $(MICROCMODULES)) MICROCCMX = $(addsuffix .cmx, $(MICROCMODULES)) ifeq (@enable_hypothesis_selection@,yes) PLUG_TRANSFORM += hypothesis_selection PLUGINS += hypothesis_selection lib/plugins/hypothesis_selection.cmxs: EXTINCLUDES += -I @OCAMLGRAPHLIB@ lib/plugins/hypothesis_selection.cma: EXTINCLUDES += -I @OCAMLGRAPHLIB@ lib/plugins/hypothesis_selection.cmxs: EXTLIBS += graph.cmxa lib/plugins/hypothesis_selection.cma: EXTOBJS += graph.cma ifeq (@enable_ocamlfind@,yes) lib/plugins/hypothesis_selection.cmxs: FLAGS += -package ocamlgraph -dontlink "$(EXTPKGS)" -linkpkg lib/plugins/hypothesis_selection.cma: FLAGS += -package ocamlgraph -dontlink "$(EXTPKGS)" -linkpkg endif endif PLUGMODULES = $(addprefix plugins/parser/, $(PLUG_PARSER)) \ $(addprefix plugins/printer/, $(PLUG_PRINTER)) \ $(addprefix plugins/transform/, $(PLUG_TRANSFORM)) \ $(TPTPMODULES) $(PYTHONMODULES) $(MICROCMODULES) \ $(CFGMODULES) PLUGDEP = $(addsuffix .dep, $(PLUGMODULES)) $(PLUG_CMIONLY:%=plugins/%.dep) PLUGCMO = $(addsuffix .cmo, $(PLUGMODULES)) PLUGCMX = $(addsuffix .cmx, $(PLUGMODULES)) PLUGCMI = $(addsuffix .cmi, $(PLUGMODULES)) $(PLUG_CMIONLY:%=plugins/%.cmi) PLUGDIRS = parser printer transform tptp python microc cfg PLUGINCLUDES = $(addprefix -I plugins/, $(PLUGDIRS)) ifeq (@enable_stackify@,yes) plugins/cfg/stackify.cmx: EXTINCLUDES += -I @OCAMLGRAPHLIB@ plugins/cfg/stackify.cmo: EXTINCLUDES += -I @OCAMLGRAPHLIB@ plugins/cfg/stackify.cmx: EXTLIBS += graph.cmxa plugins/cfg/stackify.cmo: EXTOBJS += graph.cma ifeq (@enable_ocamlfind@,yes) plugins/cfg/stackify.cmx: FLAGS += -package ocamlgraph plugins/cfg/stackify.cmo: FLAGS += -package ocamlgraph lib/plugins/cfg.cmxs: FLAGS += -package ocamlgraph -dontlink "$(EXTPKGS)" -linkpkg lib/plugins/cfg.cma: FLAGS += -package ocamlgraph -dontlink "$(EXTPKGS)" -linkpkg endif endif $(PLUGDEP) $(PLUGCMO) $(PLUGCMX) $(PLUGCMI): INCLUDES += $(PLUGINCLUDES) $(PLUGDEP): $(PLUGGENERATED) LIBPLUGCMA = $(PLUGINS:%=lib/plugins/%.cma) LIBPLUGCMXS = $(PLUGINS:%=lib/plugins/%.cmxs) plugins.byte: $(LIBPLUGCMA) plugins.opt : $(LIBPLUGCMXS) lib/plugins: mkdir lib/plugins lib/plugins/%.cmxs: | lib/plugins $(SHOW) 'Linking $@' $(HIDE)$(OCAMLOPT) $(OFLAGS) -shared -o $@ $^ lib/plugins/%.cma: | lib/plugins $(SHOW) 'Linking $@' $(HIDE)$(OCAMLC) $(BFLAGS) -a -o $@ $^ $(PLUG_PARSER:%=lib/plugins/%.cmxs): lib/plugins/%.cmxs: plugins/parser/%.cmx $(PLUG_PARSER:%=lib/plugins/%.cma): lib/plugins/%.cma: plugins/parser/%.cmo $(PLUG_PRINTER:%=lib/plugins/%.cmxs): lib/plugins/%.cmxs: plugins/printer/%.cmx $(PLUG_PRINTER:%=lib/plugins/%.cma): lib/plugins/%.cma: plugins/printer/%.cmo $(PLUG_TRANSFORM:%=lib/plugins/%.cmxs): lib/plugins/%.cmxs: plugins/transform/%.cmx $(PLUG_TRANSFORM:%=lib/plugins/%.cma): lib/plugins/%.cma: plugins/transform/%.cmo lib/plugins/tptp.cmxs: $(TPTPCMX) lib/plugins/tptp.cma: $(TPTPCMO) lib/plugins/python.cmxs: $(PYTHONCMX) lib/plugins/python.cma: $(PYTHONCMO) lib/plugins/microc.cmxs: $(MICROCCMX) lib/plugins/microc.cma: $(MICROCCMO) lib/plugins/cfg.cmxs: $(addsuffix .cmx, $(CFGMODULES)) lib/plugins/cfg.cma: $(addsuffix .cmo, $(CFGMODULES)) # depend and clean targets MAKEINC += $(PLUGDEP) CLEANDIRS += plugins $(addprefix plugins/, $(PLUGDIRS)) lib/plugins GENERATED += $(PLUGGENERATED) uninstall-bin:: rm -f $(PLUGINS:%=$(LIBDIR)/why3/plugins/%.cma) rm -f $(PLUGINS:%=$(LIBDIR)/why3/plugins/%.cmxs) install-bin:: $(MKDIR_P) $(LIBDIR)/why3/plugins $(INSTALL_DATA) $(wildcard $(LIBPLUGCMA) $(LIBPLUGCMXS)) $(LIBDIR)/why3/plugins ############### # Why3 commands ############### TOOLSGENERATED = src/tools/why3wc.ml TOOLS_BIN = \ why3config why3execute why3extract why3prove \ why3realize why3replay why3show why3wc TOOLS_FILES = main $(TOOLS_BIN) TOOLSMODULES = $(addprefix src/tools/, $(TOOLS_FILES)) TOOLSDEP = $(addsuffix .dep, $(TOOLSMODULES)) TOOLSCMO = $(addsuffix .cmo, $(TOOLSMODULES)) TOOLSCMX = $(addsuffix .cmx, $(TOOLSMODULES)) $(TOOLSDEP) $(TOOLSCMO) $(TOOLSCMX): INCLUDES += -I src/tools $(TOOLSDEP): $(TOOLSGENERATED) byte: bin/why3.byte $(TOOLS_BIN:%=bin/%.cma) opt: bin/why3.opt $(TOOLS_BIN:%=bin/%.cmxs) bin/why3.opt: $(WHY3CMXA) src/tools/main.cmx bin/why3.byte: $(WHY3CMA) src/tools/main.cmo $(TOOLS_BIN:%=bin/%.cma): bin/%.cma: src/tools/%.cmo $(TOOLS_BIN:%=bin/%.cmxs): bin/%.cmxs: src/tools/%.cmx uninstall-bin:: rm -f $(BINDIR)/why3$(EXE) rm -f $(TOOLS_BIN:%=bin/%.$(SHAREDBEST)) install-bin:: $(MKDIR_P) $(BINDIR) $(INSTALL) bin/why3.@OCAMLBEST@ $(BINDIR)/why3$(EXE) $(MKDIR_P) $(TOOLDIR) $(INSTALL_DATA) $(TOOLS_BIN:%=bin/%.$(SHAREDBEST)) $(TOOLDIR) install_local:: bin/why3 $(TOOLS_BIN:%=bin/%.$(SHAREDBEST)) bin/%: bin/%.@OCAMLBEST@ ln -sf $(notdir $<) $@ install_local:: share/drivers share/extraction_drivers share/stdlib share/drivers share/extraction_drivers share/stdlib: share/%: ln -snf ../$* $@ MAKEINC += $(TOOLSDEP) CLEANDIRS += src/tools GENERATED += $(TOOLSGENERATED) clean:: rm -f bin/why3* ############## # Why3server # ############## SERVER_MODULES := logging arraylist options queue readbuf request \ proc writebuf server-unix server-win CPULIM_MODULES := cpulimit-unix cpulimit-win SERVER_O := $(SERVER_MODULES:%=src/server/%.o) CPULIM_O := $(CPULIM_MODULES:%=src/server/%.o) TOOLS = lib/why3server$(EXE) lib/why3cpulimit$(EXE) all: $(TOOLS) lib/why3server$(EXE): $(SERVER_O) $(CC) -Wall -o $@ $^ lib/why3cpulimit$(EXE): $(CPULIM_O) $(CC) -Wall -o $@ $^ %.o: %.c $(CC) -Wall -O -g -o $@ -c $< uninstall-bin:: rm -f $(LIBDIR)/why3/why3server$(EXE) $(LIBDIR)/why3/why3cpulimit$(EXE) rm -f $(LIBDIR)/why3/why3-call-pvs install-bin:: $(MKDIR_P) $(LIBDIR)/why3 $(INSTALL) lib/why3server$(EXE) $(LIBDIR)/why3/why3server$(EXE) $(INSTALL) lib/why3cpulimit$(EXE) $(LIBDIR)/why3/why3cpulimit$(EXE) $(INSTALL) lib/why3-call-pvs $(LIBDIR)/why3/why3-call-pvs clean:: rm -f $(SERVER_O) $(CPULIM_O) $(TOOLS) ########## # gallery ########## # we export exactly the programs that have a why3session.xml file .PHONY: gallery gallery-simple gallery-subs gallery: gallery-simple gallery-subs gallery-simple: @if test "$(GALLERYDIR)" = ""; then echo "set GALLERYDIR first"; exit 1; fi @cd examples/; \ for x in `git ls-files */why3session.xml` ; do \ f=`dirname $$x`; \ if echo $$f | grep -q -e '\(_vc_sp\|^bignum\)$$'; then continue; fi; \ echo "exporting $$f"; \ mkdir -p $(GALLERYDIR)/$$f; \ WHY3CONFIG="" ../bin/why3.@OCAMLBEST@ session html $$x -o $(GALLERYDIR)/$$f; \ cp $$f.mlw $(GALLERYDIR)/$$f/; \ rm -f $(GALLERYDIR)/$$f/$$f.zip; \ git archive --format=zip -o $(GALLERYDIR)/$$f/$$f.zip HEAD $$f.mlw $$f; \ done GALLERYSUBS=WP_revisited verifythis_2016_matrix_multiplication avl double_wp prover multiprecision gallery-subs: @if test "$(GALLERYDIR)" = ""; then echo "set GALLERYDIR first"; exit 1; fi @for d in $(GALLERYSUBS) ; do \ echo "exporting examples/$$d"; \ mkdir -p $(GALLERYDIR)/$$d; \ cd examples/$$d; \ WHY3CONFIG="" ../../bin/why3.@OCAMLBEST@ doc --no-stdlib --no-load-default-plugins -L ../../stdlib -L . --stdlib-url http://why3.lri.fr/stdlib/ --debug ignore_unused_vars *.mlw -o $(GALLERYDIR)/$$d; \ cd ..; \ rm -f $(GALLERYDIR)/$$d/$$d.zip; \ git archive --format=zip -o $(GALLERYDIR)/$$d/$$d.zip HEAD $$d; \ cd ..; \ done ######## # XML DTD validation ######## .PHONY: xml-validate xml-validate-local xml-validate: @for x in `find examples/ -name why3session.xml`; do \ xmllint --noout --valid $$x 2>&1 | head -1; \ done xml-validate-local: @for x in `find examples/ -path examples/in_progress -prune -o -name why3session.xml -print`; do \ xmllint --nonet --noout --path share --valid $$x 2>&1 | sed -e '/I.O error/d' | head -1; \ done ############### # IDE ############### IDEGENERATED = GENERATED += $(IDEGENERATED) ifeq (@enable_ide@,yes) IDE_FILES = ifeq (@enable_statmemprof@,yes) IDE_FILES += statmemprof bin/why3ide.cmxs bin/why3ide.cma: EXTPKGS += @STATMEMPROFPKG@ endif IDE_FILES += gconfig ide_utils why3ide IDEMODULES = $(addprefix src/ide/, $(IDE_FILES)) IDEDEP = $(addsuffix .dep, $(IDEMODULES)) IDECMO = $(addsuffix .cmo, $(IDEMODULES)) IDECMX = $(addsuffix .cmx, $(IDEMODULES)) $(IDEDEP) $(IDECMO) $(IDECMX): INCLUDES += -I src/ide $(IDEDEP): $(IDEGENERATED) # build targets byte: bin/why3ide.cma opt: bin/why3ide.cmxs bin/why3ide.cmxs bin/why3ide.cma: FLAGS += $(addprefix -package ,@LABLGTKPKG@) -dontlink "$(EXTPKGS)" -linkpkg bin/why3ide.cmxs: $(IDECMX) bin/why3ide.cma: $(IDECMO) # depend and clean targets MAKEINC += $(IDEDEP) CLEANDIRS += src/ide ide: bin/why3ide.$(SHAREDBEST) uninstall-ide: rm -f $(TOOLDIR)/why3ide.$(SHAREDBEST) rm -rf $(DATADIR)/why3/images uninstall:: uninstall-ide install-ide: $(MKDIR_P) $(TOOLDIR) $(INSTALL_DATA) bin/why3ide.$(SHAREDBEST) $(TOOLDIR) $(MKDIR_P) $(DATADIR)/why3/images for i in share/images/*.rc; do \ d=`basename $$i .rc`; \ $(INSTALL_DATA) $$i $(DATADIR)/why3/images; \ $(MKDIR_P) $(DATADIR)/why3/images/$$d; \ $(INSTALL_DATA) share/images/$$d/* $(DATADIR)/why3/images/$$d; \ done $(INSTALL_DATA) share/images/*.png $(DATADIR)/why3/images install:: install-ide install_local:: bin/why3ide.$(SHAREDBEST) endif ############### # WEBSERV ############### WEBSERV_FILES = wserver why3web WEBSERVMODULES = $(addprefix src/ide/, $(WEBSERV_FILES)) WEBSERVDEP = $(addsuffix .dep, $(WEBSERVMODULES)) WEBSERVCMO = $(addsuffix .cmo, $(WEBSERVMODULES)) WEBSERVCMX = $(addsuffix .cmx, $(WEBSERVMODULES)) $(WEBSERVDEP) $(WEBSERVCMO) $(WEBSERVCMX): INCLUDES += -I src/ide # build targets byte: bin/why3webserver.cma opt: bin/why3webserver.cmxs bin/why3webserver.cmxs: $(WEBSERVCMX) bin/why3webserver.cma: $(WEBSERVCMO) # depend and clean targets MAKEINC += $(WEBSERVDEP) CLEANDIRS += src/ide uninstall-bin:: rm -f $(TOOLDIR)/why3webserver.$(SHAREDBEST) install-bin:: $(MKDIR_P) $(TOOLDIR) $(INSTALL_DATA) bin/why3webserver.$(SHAREDBEST) $(TOOLDIR) install_local:: bin/why3webserver.$(SHAREDBEST) ############### # Session ############### SESSION_FILES = why3session_lib why3session_info \ why3session_html why3session_latex why3session_update \ why3session_main # TODO: why3session_copy why3session_rm why3session_csv why3session_run # why3session_output SESSIONMODULES = $(addprefix src/why3session/, $(SESSION_FILES)) SESSIONDEP = $(addsuffix .dep, $(SESSIONMODULES)) SESSIONCMO = $(addsuffix .cmo, $(SESSIONMODULES)) SESSIONCMX = $(addsuffix .cmx, $(SESSIONMODULES)) $(SESSIONDEP) $(SESSIONCMO) $(SESSIONCMX): INCLUDES += -I src/why3session # build targets byte: bin/why3session.cma opt: bin/why3session.cmxs bin/why3session.cmxs: $(SESSIONCMX) bin/why3session.cma: $(SESSIONCMO) # depend and clean targets MAKEINC += $(SESSIONDEP) CLEANDIRS += src/why3session uninstall-bin:: rm -f $(TOOLDIR)/why3session.$(SHAREDBEST) install-bin:: $(MKDIR_P) $(TOOLDIR) $(INSTALL_DATA) bin/why3session.$(SHAREDBEST) $(TOOLDIR) install_local:: bin/why3session.$(SHAREDBEST) ############### # Why3 Shell ############### SHELL_FILES = why3shell SHELLMODULES = $(addprefix src/tools/, $(SHELL_FILES)) SHELLDEP = $(addsuffix .dep, $(SHELLMODULES)) SHELLCMO = $(addsuffix .cmo, $(SHELLMODULES)) SHELLCMX = $(addsuffix .cmx, $(SHELLMODULES)) $(SHELLDEP) $(SHELLCMO) $(SHELLCMX): INCLUDES += -I src/tools # build targets byte: bin/why3shell.cma opt: bin/why3shell.cmxs bin/why3shell.cmxs: $(SHELLCMX) bin/why3shell.cma: $(SHELLCMO) # depend and clean targets MAKEINC += $(SHELLDEP) uninstall-bin:: rm -f $(TOOLDIR)/why3shell.$(SHAREDBEST) install-bin:: $(MKDIR_P) $(TOOLDIR) $(INSTALL_DATA) bin/why3shell.$(SHAREDBEST) $(TOOLDIR) install_local:: bin/why3shell.$(SHAREDBEST) #################### # Coq realizations #################### COQVERSIONSPECIFIC= COQVERSIONSPECIFICTARGETS=$(addprefix lib/coq/, $(COQVERSIONSPECIFIC)) $(COQVERSIONSPECIFICTARGETS): %: %.@coq_compat_version@ $(CMP_CP) clean-coq:: rm -f $(COQVERSIONSPECIFICTARGETS) COQLIBS_INT_FILES = Abs ComputerDivision Div2 EuclideanDivision Int MinMax Power NumOf COQLIBS_INT_ALL_FILES = Exponentiation $(COQLIBS_INT_FILES) COQLIBS_INT = $(addprefix lib/coq/int/, $(COQLIBS_INT_ALL_FILES)) COQLIBS_BOOL_FILES = Bool COQLIBS_BOOL = $(addprefix lib/coq/bool/, $(COQLIBS_BOOL_FILES)) ifeq (@enable_coq_fp_libs@,yes) COQLIBS_REAL_FILES = Abs ExpLog FromInt MinMax PowerInt PowerReal Real RealInfix Square Trigonometry Truncate else COQLIBS_REAL_FILES = Abs ExpLog FromInt MinMax PowerInt PowerReal Real RealInfix Square Trigonometry endif COQLIBS_REAL = $(addprefix lib/coq/real/, $(COQLIBS_REAL_FILES)) COQLIBS_NUMBER_FILES = Divisibility Gcd Parity Prime Coprime COQLIBS_NUMBER = $(addprefix lib/coq/number/, $(COQLIBS_NUMBER_FILES)) COQLIBS_SET_FILES = Set Cardinal Fset FsetInduction FsetInt FsetSum SetApp SetAppInt SetImp SetImpInt COQLIBS_SET = $(addprefix lib/coq/set/, $(COQLIBS_SET_FILES)) COQLIBS_MAP_FILES = Map Const Occ MapPermut MapInjection COQLIBS_MAP = $(addprefix lib/coq/map/, $(COQLIBS_MAP_FILES)) COQLIBS_LIST_FILES = List Length Mem Nth NthLength HdTl NthHdTl Append NthLengthAppend Reverse HdTlNoOpt NthNoOpt RevAppend Combine Distinct NumOcc Permut COQLIBS_LIST = $(addprefix lib/coq/list/, $(COQLIBS_LIST_FILES)) COQLIBS_OPTION_FILES = Option COQLIBS_OPTION = $(addprefix lib/coq/option/, $(COQLIBS_OPTION_FILES)) COQLIBS_BV_FILES = Pow2int BV_Gen COQLIBS_BV = $(addprefix lib/coq/bv/, $(COQLIBS_BV_FILES)) ifeq (@enable_coq_fp_libs@,yes) COQLIBS_FP_FILES = Rounding SingleFormat Single DoubleFormat Double COQLIBS_FP_ALL_FILES = GenFloat $(COQLIBS_FP_FILES) COQLIBS_FP = $(addprefix lib/coq/floating_point/, $(COQLIBS_FP_ALL_FILES)) COQLIBS_IEEEFLOAT_FILES = RoundingMode GenericFloat Float32 Float64 COQLIBS_IEEEFLOAT = $(addprefix lib/coq/ieee_float/, $(COQLIBS_IEEEFLOAT_FILES)) endif COQLIBS_FOR_DRIVERS_FILES = ComputerOfEuclideanDivision COQLIBS_FOR_DRIVERS = $(addprefix lib/coq/for_drivers/, $(COQLIBS_FOR_DRIVERS_FILES)) COQLIBS_FILES = lib/coq/BuiltIn lib/coq/HighOrd lib/coq/WellFounded $(COQLIBS_INT) $(COQLIBS_BOOL) $(COQLIBS_REAL) $(COQLIBS_NUMBER) $(COQLIBS_SET) $(COQLIBS_MAP) $(COQLIBS_LIST) $(COQLIBS_OPTION) $(COQLIBS_FP) $(COQLIBS_BV) $(COQLIBS_IEEEFLOAT) $(COQLIBS_FOR_DRIVERS) %.vo: %.v $(SHOW) 'Coqc $<' $(HIDE)$(COQC) -R lib/coq Why3 $< %.vd: %.v $(SHOW) 'Coqdep $<' $(HIDE)$(COQDEP) -R lib/coq Why3 $< $(TOTARGET) COQV = $(addsuffix .v, $(COQLIBS_FILES)) COQVO = $(addsuffix .vo, $(COQLIBS_FILES)) COQVD = $(addsuffix .vd, $(COQLIBS_FILES)) coq: $(COQVO) drivers/coq-realizations.aux lib/coq/version clean-coq:: rm -f $(COQVO) $(COQVD) $(addsuffix .glob, $(COQLIBS_FILES)) lib/coq/version \ $(foreach f,$(COQLIBS_FILES),$(dir $f).$(notdir $f).aux) drivers/coq-realizations.aux: Makefile $(SHOW) 'Generate $@' $(HIDE)(echo "(* generated automatically at compilation time *)"; \ echo 'theory BuiltIn meta "realized_theory" "BuiltIn", "" end'; \ echo 'theory HighOrd meta "realized_theory" "HighOrd", "" end'; \ echo 'theory WellFounded meta "realized_theory" "WellFounded", "" end'; \ for f in $(COQLIBS_INT_FILES); do \ echo 'theory int.'"$$f"' meta "realized_theory" "int.'"$$f"'", "" end'; done; \ for f in $(COQLIBS_BOOL_FILES); do \ echo 'theory bool.'"$$f"' meta "realized_theory" "bool.'"$$f"'", "" end'; done; \ for f in $(COQLIBS_REAL_FILES); do \ echo 'theory real.'"$$f"' meta "realized_theory" "real.'"$$f"'", "" end'; done; \ for f in $(COQLIBS_NUMBER_FILES); do \ echo 'theory number.'"$$f"' meta "realized_theory" "number.'"$$f"'", "" end'; done; \ for f in $(COQLIBS_SET_FILES); do \ echo 'theory set.'"$$f"' meta "realized_theory" "set.'"$$f"'", "" end'; done; \ for f in $(COQLIBS_MAP_FILES); do \ echo 'theory map.'"$$f"' meta "realized_theory" "map.'"$$f"'", "" end'; done; \ for f in $(COQLIBS_LIST_FILES); do \ echo 'theory list.'"$$f"' meta "realized_theory" "list.'"$$f"'", "" end'; done; \ for f in $(COQLIBS_OPTION_FILES); do \ echo 'theory option.'"$$f"' meta "realized_theory" "option.'"$$f"'", "" end'; done; \ for f in $(COQLIBS_BV_FILES); do \ echo 'theory bv.'"$$f"' meta "realized_theory" "bv.'"$$f"'", "" end'; done; \ for f in $(COQLIBS_IEEEFLOAT_FILES); do \ echo 'theory ieee_float.'"$$f"' meta "realized_theory" "ieee_float.'"$$f"'", "" end'; done; \ for f in $(COQLIBS_FP_FILES); do \ echo 'theory floating_point.'"$$f"' meta "realized_theory" "floating_point.'"$$f"'", "" end'; done; \ for f in $(COQLIBS_FOR_DRIVERS_FILES); do \ echo 'theory for_drivers.'"$$f"' meta "realized_theory" "for_drivers.'"$$f"'", "" end'; done; \ ) > $@ update-coq: update-coq-int update-coq-bool update-coq-real update-coq-number update-coq-set update-coq-map update-coq-list update-coq-option update-coq-fp update-coq-bv update-coq-ieee_float update-coq-for-drivers LOCAL_STDLIB=-L stdlib --no-stdlib --no-load-default-plugins update-coq-int: bin/why3.@OCAMLBEST@ bin/why3realize.$(SHAREDBEST) drivers/coq-realizations.aux stdlib/int.mlw for f in $(COQLIBS_INT_ALL_FILES); do WHY3CONFIG="" bin/why3.@OCAMLBEST@ realize $(LOCAL_STDLIB) -D coq-realize -T int.$$f -o $(GENERATED_PREFIX_COQ)/int/; done update-coq-bool: bin/why3.@OCAMLBEST@ bin/why3realize.$(SHAREDBEST) drivers/coq-realizations.aux stdlib/bool.mlw for f in $(COQLIBS_BOOL_FILES); do WHY3CONFIG="" bin/why3.@OCAMLBEST@ realize $(LOCAL_STDLIB) -D coq-realize -T bool.$$f -o $(GENERATED_PREFIX_COQ)/bool/; done update-coq-real: bin/why3.@OCAMLBEST@ bin/why3realize.$(SHAREDBEST) drivers/coq-realizations.aux stdlib/real.mlw for f in $(COQLIBS_REAL_FILES); do WHY3CONFIG="" bin/why3.@OCAMLBEST@ realize $(LOCAL_STDLIB) -D coq-realize -T real.$$f -o $(GENERATED_PREFIX_COQ)/real/; done update-coq-number: bin/why3.@OCAMLBEST@ bin/why3realize.$(SHAREDBEST) drivers/coq-realizations.aux stdlib/number.mlw for f in $(COQLIBS_NUMBER_FILES); do WHY3CONFIG="" bin/why3.@OCAMLBEST@ realize $(LOCAL_STDLIB) -D coq-realize -T number.$$f -o $(GENERATED_PREFIX_COQ)/number/; done update-coq-set: bin/why3.@OCAMLBEST@ bin/why3realize.$(SHAREDBEST) drivers/coq-realizations.aux stdlib/set.mlw for f in $(COQLIBS_SET_FILES); do WHY3CONFIG="" bin/why3.@OCAMLBEST@ realize $(LOCAL_STDLIB) -D coq-realize -T set.$$f -o $(GENERATED_PREFIX_COQ)/set/; done update-coq-map: bin/why3.@OCAMLBEST@ bin/why3realize.$(SHAREDBEST) drivers/coq-realizations.aux stdlib/map.mlw for f in $(COQLIBS_MAP_FILES); do WHY3CONFIG="" bin/why3.@OCAMLBEST@ realize $(LOCAL_STDLIB) -D coq-realize -T map.$$f -o $(GENERATED_PREFIX_COQ)/map/; done update-coq-list: bin/why3.@OCAMLBEST@ bin/why3realize.$(SHAREDBEST) drivers/coq-realizations.aux stdlib/list.mlw for f in $(COQLIBS_LIST_FILES); do WHY3CONFIG="" bin/why3.@OCAMLBEST@ realize $(LOCAL_STDLIB) -D coq-realize -T list.$$f -o $(GENERATED_PREFIX_COQ)/list/; done update-coq-option: bin/why3.@OCAMLBEST@ bin/why3realize.$(SHAREDBEST) drivers/coq-realizations.aux stdlib/option.mlw for f in $(COQLIBS_OPTION_FILES); do WHY3CONFIG="" bin/why3.@OCAMLBEST@ realize $(LOCAL_STDLIB) -D coq-realize -T option.$$f -o $(GENERATED_PREFIX_COQ)/option/; done update-coq-bv: bin/why3.@OCAMLBEST@ bin/why3realize.$(SHAREDBEST) drivers/coq-realizations.aux stdlib/bv.mlw for f in $(COQLIBS_BV_FILES); do WHY3CONFIG="" bin/why3.@OCAMLBEST@ realize $(LOCAL_STDLIB) -D coq-realize -T bv.$$f -o $(GENERATED_PREFIX_COQ)/bv/; done update-coq-for-drivers: bin/why3.@OCAMLBEST@ bin/why3realize.$(SHAREDBEST) drivers/coq-realizations.aux stdlib/for_drivers.mlw for f in $(COQLIBS_FOR_DRIVERS_FILES); do WHY3CONFIG="" bin/why3.@OCAMLBEST@ realize $(LOCAL_STDLIB) -D coq-realize -T for_drivers.$$f -o $(GENERATED_PREFIX_COQ)/for_drivers/; done update-coq-ieee_float: bin/why3.@OCAMLBEST@ bin/why3realize.$(SHAREDBEST) drivers/coq-realizations.aux stdlib/ieee_float.mlw for f in $(COQLIBS_IEEEFLOAT_FILES); do WHY3CONFIG="" bin/why3.@OCAMLBEST@ realize $(LOCAL_STDLIB) -D coq-realize -T ieee_float.$$f -o $(GENERATED_PREFIX_COQ)/ieee_float/; done update-coq-fp: bin/why3.@OCAMLBEST@ bin/why3realize.$(SHAREDBEST) drivers/coq-realizations.aux stdlib/floating_point.mlw for f in $(COQLIBS_FP_FILES); do WHY3CONFIG="" bin/why3.@OCAMLBEST@ realize $(LOCAL_STDLIB) -D coq-realize -T floating_point.$$f -o $(GENERATED_PREFIX_COQ)/floating_point/; done ifeq (@enable_coq_libs@,yes) uninstall-coq: rm -rf $(LIBDIR)/why3/coq install-coq: $(MKDIR_P) $(LIBDIR)/why3/coq $(INSTALL_DATA) lib/coq/version $(LIBDIR)/why3/coq/ $(INSTALL_DATA) lib/coq/BuiltIn.vo lib/coq/HighOrd.vo lib/coq/WellFounded.vo $(LIBDIR)/why3/coq/ $(MKDIR_P) $(LIBDIR)/why3/coq/int $(INSTALL_DATA) $(addsuffix .vo, $(COQLIBS_INT)) $(LIBDIR)/why3/coq/int/ $(MKDIR_P) $(LIBDIR)/why3/coq/bool $(INSTALL_DATA) $(addsuffix .vo, $(COQLIBS_BOOL)) $(LIBDIR)/why3/coq/bool/ $(MKDIR_P) $(LIBDIR)/why3/coq/real $(INSTALL_DATA) $(addsuffix .vo, $(COQLIBS_REAL)) $(LIBDIR)/why3/coq/real/ $(MKDIR_P) $(LIBDIR)/why3/coq/number $(INSTALL_DATA) $(addsuffix .vo, $(COQLIBS_NUMBER)) $(LIBDIR)/why3/coq/number/ $(MKDIR_P) $(LIBDIR)/why3/coq/set $(INSTALL_DATA) $(addsuffix .vo, $(COQLIBS_SET)) $(LIBDIR)/why3/coq/set/ $(MKDIR_P) $(LIBDIR)/why3/coq/map $(INSTALL_DATA) $(addsuffix .vo, $(COQLIBS_MAP)) $(LIBDIR)/why3/coq/map/ $(MKDIR_P) $(LIBDIR)/why3/coq/list $(INSTALL_DATA) $(addsuffix .vo, $(COQLIBS_LIST)) $(LIBDIR)/why3/coq/list/ $(MKDIR_P) $(LIBDIR)/why3/coq/option $(INSTALL_DATA) $(addsuffix .vo, $(COQLIBS_OPTION)) $(LIBDIR)/why3/coq/option/ $(MKDIR_P) $(LIBDIR)/why3/coq/bv $(INSTALL_DATA) $(addsuffix .vo, $(COQLIBS_BV)) $(LIBDIR)/why3/coq/bv/ ifeq (@enable_coq_fp_libs@,yes) $(MKDIR_P) $(LIBDIR)/why3/coq/floating_point $(INSTALL_DATA) $(addsuffix .vo, $(COQLIBS_FP)) $(LIBDIR)/why3/coq/floating_point/ $(MKDIR_P) $(LIBDIR)/why3/coq/ieee_float $(INSTALL_DATA) $(addsuffix .vo, $(COQLIBS_IEEEFLOAT)) $(LIBDIR)/why3/coq/ieee_float/ endif $(MKDIR_P) $(LIBDIR)/why3/coq/for_drivers $(INSTALL_DATA) $(addsuffix .vo, $(COQLIBS_FOR_DRIVERS)) $(LIBDIR)/why3/coq/for_drivers/ $(MKDIR_P) $(DATADIR)/why3/drivers $(INSTALL_DATA) drivers/coq-realizations.aux $(DATADIR)/why3/drivers/ install:: install-coq all: coq ifneq "$(MAKECMDGOALS:update-coq%=update-coq)" "update-coq" MAKEINC += $(COQVD) endif endif install-data:: $(MKDIR_P) $(DATADIR)/why3/drivers $(INSTALL_DATA) drivers/coq-realizations.aux $(DATADIR)/why3/drivers/ all: drivers/coq-realizations.aux clean:: clean-coq rm -f drivers/coq-realizations.aux #################### # PVS realizations #################### PVSLIBS_INT_FILES = Int Abs MinMax ComputerDivision EuclideanDivision PVSLIBS_INT = $(addprefix lib/pvs/int/, $(PVSLIBS_INT_FILES)) PVSLIBS_REAL_FILES = Abs FromInt MinMax Real Square ExpLog Trigonometry \ PowerInt # RealInfix PVSLIBS_REAL = $(addprefix lib/pvs/real/, $(PVSLIBS_REAL_FILES)) PVSLIBS_LIST_FILES = # Nth PVSLIBS_LIST = $(addprefix lib/pvs/int/, $(PVSLIBS_LIST_FILES)) PVSLIBS_NUMBER_FILES = # Divisibility Gcd Parity Prime PVSLIBS_NUMBER = $(addprefix lib/pvs/number/, $(PVSLIBS_NUMBER_FILES)) PVSLIBS_FP_FILES = Rounding SingleFormat Single DoubleFormat Double PVSLIBS_FP_ALL_FILES = $(PVSLIBS_FP_FILES) PVSLIBS_FP = $(addprefix lib/pvs/floating_point/, $(PVSLIBS_FP_ALL_FILES)) PVSLIBS_FILES = $(PVSLIBS_INT) $(PVSLIBS_REAL) $(PVSLIBS_LIST) \ $(PVSLIBS_NUMBER) $(PVSLIBS_FP) update-pvs: bin/why3.@OCAMLBEST@ bin/why3realize.$(SHAREDBEST) drivers/pvs-realizations.aux for f in $(PVSLIBS_INT_FILES); do WHY3CONFIG="" bin/why3.@OCAMLBEST@ realize $(LOCAL_STDLIB) -D pvs-realize -T int.$$f -o lib/pvs/int/; done for f in $(PVSLIBS_REAL_FILES); do WHY3CONFIG="" bin/why3.@OCAMLBEST@ realize $(LOCAL_STDLIB) -D pvs-realize -T real.$$f -o lib/pvs/real/; done for f in $(PVSLIBS_LIST_FILES); do WHY3CONFIG="" bin/why3.@OCAMLBEST@ realize $(LOCAL_STDLIB) -D pvs-realize -T list.$$f -o lib/pvs/list/; done for f in $(PVSLIBS_NUMBER_FILES); do WHY3CONFIG="" bin/why3.@OCAMLBEST@ realize $(LOCAL_STDLIB) -D pvs-realize -T number.$$f -o lib/pvs/number/; done for f in $(PVSLIBS_FP_FILES); do WHY3CONFIG="" bin/why3.@OCAMLBEST@ realize $(LOCAL_STDLIB) -D pvs-realize -T floating_point.$$f -o lib/pvs/floating_point/; done drivers/pvs-realizations.aux: Makefile $(SHOW) 'Generate $@' $(HIDE)(echo "(* generated automatically at compilation time *)"; \ for f in $(PVSLIBS_INT_FILES); do \ echo 'theory int.'"$$f"' meta "realized_theory" "int.'"$$f"'", "" end'; done; \ for f in $(PVSLIBS_REAL_FILES); do \ echo 'theory real.'"$$f"' meta "realized_theory" "real.'"$$f"'", "" end'; done; \ for f in $(PVSLIBS_LIST_FILES); do \ echo 'theory list.'"$$f"' meta "realized_theory" "list.'"$$f"'", "" end'; done; \ for f in $(PVSLIBS_NUMBER_FILES); do \ echo 'theory number.'"$$f"' meta "realized_theory" "number.'"$$f"'", "" end'; done; \ for f in $(PVSLIBS_FP_FILES); do \ echo 'theory floating_point.'"$$f"' meta "realized_theory" "floating_point.'"$$f"'", "" end'; done; \ ) > $@ pvs: lib/pvs/version clean-pvs: rm -f lib/pvs/version ifeq (@enable_pvs_libs@,yes) uninstall-pvs: rm -rf $(LIBDIR)/why3/pvs install-pvs: $(MKDIR_P) $(LIBDIR)/why3/pvs $(INSTALL_DATA) lib/pvs/version $(LIBDIR)/why3/pvs/ $(MKDIR_P) $(LIBDIR)/why3/pvs/int $(INSTALL_DATA) $(addsuffix .pvs, $(PVSLIBS_INT)) $(LIBDIR)/why3/pvs/int/ $(INSTALL_DATA) $(addsuffix .prf, $(PVSLIBS_INT)) $(LIBDIR)/why3/pvs/int/ $(MKDIR_P) $(LIBDIR)/why3/pvs/real $(INSTALL_DATA) $(addsuffix .pvs, $(PVSLIBS_REAL)) $(LIBDIR)/why3/pvs/real/ $(INSTALL_DATA) $(addsuffix .prf, $(PVSLIBS_REAL)) $(LIBDIR)/why3/pvs/real/ $(MKDIR_P) $(LIBDIR)/why3/pvs/floating_point/ $(INSTALL_DATA) $(addsuffix .pvs, $(PVSLIBS_FP)) $(LIBDIR)/why3/pvs/floating_point/ $(MKDIR_P) $(DATADIR)/why3/drivers/ $(INSTALL_DATA) drivers/pvs-realizations.aux $(DATADIR)/why3/drivers/ install:: install-pvs all: pvs endif install-data:: $(MKDIR_P) $(DATADIR)/why3/drivers/ $(INSTALL_DATA) drivers/pvs-realizations.aux $(DATADIR)/why3/drivers/ all: drivers/pvs-realizations.aux clean:: clean-pvs rm -f drivers/pvs-realizations.aux ####################### # Isabelle realizations ####################### ISABELLEVERSIONSPECIFIC=ROOT why3.ML Why3_BV.thy Why3_Map.thy ISABELLEVERSIONSPECIFICTARGETS=$(addprefix lib/isabelle/, $(ISABELLEVERSIONSPECIFIC)) ISABELLEREALIZEDRV=isabelle-realize ISABELLEREALIZEDRVPATH=drivers/$(ISABELLEREALIZEDRV).drv $(ISABELLEVERSIONSPECIFICTARGETS): %: %.@ISABELLEVERSION@ $(CMP_CP) clean-isabelle:: rm -f $(ISABELLEVERSIONSPECIFICTARGETS) ISABELLELIBS_INT_FILES = Abs ComputerDivision Div2 EuclideanDivision Int MinMax Power ISABELLELIBS_INT = $(addsuffix .xml, $(addprefix $(GENERATED_PREFIX_ISABELLE)/int/, $(ISABELLELIBS_INT_FILES))) ISABELLELIBS_BOOL_FILES = Bool ISABELLELIBS_BOOL = $(addsuffix .xml, $(addprefix $(GENERATED_PREFIX_ISABELLE)/bool/, $(ISABELLELIBS_BOOL_FILES))) ISABELLELIBS_REAL_FILES = Real RealInfix Abs MinMax FromInt Truncate Square ExpLog Trigonometry PowerInt # not yet realized : PowerReal Hyperbolic Polar ISABELLELIBS_REAL = $(addsuffix .xml, $(addprefix $(GENERATED_PREFIX_ISABELLE)/real/, $(ISABELLELIBS_REAL_FILES))) ISABELLELIBS_NUMBER_FILES = Divisibility Gcd Parity Prime Coprime ISABELLELIBS_NUMBER = $(addsuffix .xml, $(addprefix $(GENERATED_PREFIX_ISABELLE)/number/, $(ISABELLELIBS_NUMBER_FILES))) ISABELLELIBS_SET_FILES = Set Fset ISABELLELIBS_SET = $(addsuffix .xml, $(addprefix $(GENERATED_PREFIX_ISABELLE)/set/, $(ISABELLELIBS_SET_FILES))) ISABELLELIBS_MAP_FILES = Map Const Occ MapPermut MapInjection ISABELLELIBS_MAP = $(addsuffix .xml, $(addprefix $(GENERATED_PREFIX_ISABELLE)/map/, $(ISABELLELIBS_MAP_FILES))) ISABELLELIBS_LIST_FILES = List Length Mem Nth NthNoOpt NthLength HdTl NthHdTl Append NthLengthAppend Reverse HdTlNoOpt RevAppend Combine Distinct NumOcc Permut ISABELLELIBS_LIST = $(addsuffix .xml, $(addprefix $(GENERATED_PREFIX_ISABELLE)/list/, $(ISABELLELIBS_LIST_FILES))) ISABELLELIBS_BV_FILES = Pow2int # BV8 BV16 BV32 BV64 BVConverter_32_64 BVConverter_16_64 BVConverter_8_64 BVConverter_16_32 BVConverter_8_32 BVConverter_8_16 ISABELLELIBS_BV = $(addsuffix .xml, $(addprefix $(GENERATED_PREFIX_ISABELLE)/bv/, $(ISABELLELIBS_BV_FILES))) ISABELLELIBS = $(ISABELLELIBS_INT) $(ISABELLELIBS_BOOL) $(ISABELLELIBS_REAL) $(ISABELLELIBS_NUMBER) $(ISABELLELIBS_SET) $(ISABELLELIBS_MAP) $(ISABELLELIBS_LIST) $(ISABELLELIBS_OPTION) $(ISABELLELIBS_BV) drivers/isabelle-realizations.aux: Makefile $(SHOW) 'Generate $@' $(HIDE)(echo "(* generated automatically at compilation time *)"; \ echo 'theory BuiltIn meta "realized_theory" "BuiltIn", "" end'; \ for f in $(ISABELLELIBS_INT_FILES); do \ echo 'theory int.'"$$f"' meta "realized_theory" "int.'"$$f"'", "" end'; done; \ for f in $(ISABELLELIBS_BOOL_FILES); do \ echo 'theory bool.'"$$f"' meta "realized_theory" "bool.'"$$f"'", "" end'; done; \ for f in $(ISABELLELIBS_REAL_FILES); do \ echo 'theory real.'"$$f"' meta "realized_theory" "real.'"$$f"'", "" end'; done; \ for f in $(ISABELLELIBS_NUMBER_FILES); do \ echo 'theory number.'"$$f"' meta "realized_theory" "number.'"$$f"'", "" end'; done; \ for f in $(ISABELLELIBS_SET_FILES); do \ echo 'theory set.'"$$f"' meta "realized_theory" "set.'"$$f"'", "" end'; done; \ for f in $(ISABELLELIBS_MAP_FILES); do \ echo 'theory map.'"$$f"' meta "realized_theory" "map.'"$$f"'", "" end'; done; \ for f in $(ISABELLELIBS_LIST_FILES); do \ echo 'theory list.'"$$f"' meta "realized_theory" "list.'"$$f"'", "" end'; done; \ for f in $(ISABELLELIBS_OPTION_FILES); do \ echo 'theory option.'"$$f"' meta "realized_theory" "option.'"$$f"'", "" end'; done; \ for f in $(ISABELLELIBS_BV_FILES); do \ echo 'theory bv.'"$$f"' meta "realized_theory" "bv.'"$$f"'", "" end'; done; \ ) > $@ ifeq (@enable_local@,yes) ISABELLE_TARGET_DIR=`pwd`/lib/isabelle else ISABELLE_TARGET_DIR=$(LIBDIR)/why3/isabelle endif $(GENERATED_PREFIX_ISABELLE)/realizations: $(ISABELLELIBS) $(HIDE)sha1sum $^ | sed -e "s,$(GENERATED_PREFIX_ISABELLE)/,," > $@ update-isabelle: $(GENERATED_PREFIX_ISABELLE)/realizations $(ISABELLELIBS_INT): bin/why3.@OCAMLBEST@ bin/why3realize.$(SHAREDBEST) drivers/isabelle-realizations.aux \ $(ISABELLEREALIZEDRVPATH) drivers/isabelle-common.gen stdlib/int.mlw $(SHOW) "Generating Isabelle realization for int.$(notdir $(basename $@))" $(HIDE)mkdir -p $(GENERATED_PREFIX_ISABELLE)/int $(HIDE)WHY3CONFIG="" bin/why3.@OCAMLBEST@ realize $(LOCAL_STDLIB) -D $(ISABELLEREALIZEDRV) -T int.$(notdir $(basename $@)) -o $(GENERATED_PREFIX_ISABELLE)/int/ $(ISABELLELIBS_BOOL): bin/why3.@OCAMLBEST@ bin/why3realize.$(SHAREDBEST) drivers/isabelle-realizations.aux \ $(ISABELLEREALIZEDRVPATH) drivers/isabelle-common.gen stdlib/bool.mlw $(SHOW) "Generating Isabelle realization for bool.$(notdir $(basename $@))" $(HIDE)mkdir -p $(GENERATED_PREFIX_ISABELLE)/bool $(HIDE)WHY3CONFIG="" bin/why3.@OCAMLBEST@ realize $(LOCAL_STDLIB) -D $(ISABELLEREALIZEDRV) -T bool.$(notdir $(basename $@)) -o $(GENERATED_PREFIX_ISABELLE)/bool/ $(ISABELLELIBS_REAL): bin/why3.@OCAMLBEST@ bin/why3realize.$(SHAREDBEST) drivers/isabelle-realizations.aux \ $(ISABELLEREALIZEDRVPATH) drivers/isabelle-common.gen stdlib/real.mlw $(SHOW) "Generating Isabelle realization for real.$(notdir $(basename $@))" $(HIDE)mkdir -p $(GENERATED_PREFIX_ISABELLE)/real $(HIDE)WHY3CONFIG="" bin/why3.@OCAMLBEST@ realize $(LOCAL_STDLIB) -D $(ISABELLEREALIZEDRV) -T real.$(notdir $(basename $@)) -o $(GENERATED_PREFIX_ISABELLE)/real/ $(ISABELLELIBS_NUMBER): bin/why3.@OCAMLBEST@ bin/why3realize.$(SHAREDBEST) drivers/isabelle-realizations.aux \ $(ISABELLEREALIZEDRVPATH) drivers/isabelle-common.gen stdlib/number.mlw $(SHOW) "Generating Isabelle realization for number.$(notdir $(basename $@))" $(HIDE)mkdir -p $(GENERATED_PREFIX_ISABELLE)/number $(HIDE)WHY3CONFIG="" bin/why3.@OCAMLBEST@ realize $(LOCAL_STDLIB) -D $(ISABELLEREALIZEDRV) -T number.$(notdir $(basename $@)) -o $(GENERATED_PREFIX_ISABELLE)/number/ $(ISABELLELIBS_SET): bin/why3.@OCAMLBEST@ bin/why3realize.$(SHAREDBEST) drivers/isabelle-realizations.aux \ $(ISABELLEREALIZEDRVPATH) drivers/isabelle-common.gen stdlib/set.mlw $(SHOW) "Generating Isabelle realization for set.$(notdir $(basename $@))" $(HIDE)mkdir -p $(GENERATED_PREFIX_ISABELLE)/set $(HIDE)WHY3CONFIG="" bin/why3.@OCAMLBEST@ realize $(LOCAL_STDLIB) -D $(ISABELLEREALIZEDRV) -T set.$(notdir $(basename $@)) -o $(GENERATED_PREFIX_ISABELLE)/set/ $(ISABELLELIBS_MAP): bin/why3.@OCAMLBEST@ bin/why3realize.$(SHAREDBEST) drivers/isabelle-realizations.aux \ $(ISABELLEREALIZEDRVPATH) drivers/isabelle-common.gen stdlib/map.mlw $(SHOW) "Generating Isabelle realization for map.$(notdir $(basename $@))" $(HIDE)mkdir -p $(GENERATED_PREFIX_ISABELLE)/map $(HIDE)WHY3CONFIG="" bin/why3.@OCAMLBEST@ realize $(LOCAL_STDLIB) -D $(ISABELLEREALIZEDRV) -T map.$(notdir $(basename $@)) -o $(GENERATED_PREFIX_ISABELLE)/map/ $(ISABELLELIBS_LIST): bin/why3.@OCAMLBEST@ bin/why3realize.$(SHAREDBEST) drivers/isabelle-realizations.aux \ $(ISABELLEREALIZEDRVPATH) drivers/isabelle-common.gen stdlib/list.mlw $(SHOW) "Generating Isabelle realization for list.$(notdir $(basename $@))" $(HIDE)mkdir -p $(GENERATED_PREFIX_ISABELLE)/list $(HIDE)WHY3CONFIG="" bin/why3.@OCAMLBEST@ realize $(LOCAL_STDLIB) -D $(ISABELLEREALIZEDRV) -T list.$(notdir $(basename $@)) -o $(GENERATED_PREFIX_ISABELLE)/list/ $(ISABELLELIBS_OPTION): bin/why3.@OCAMLBEST@ bin/why3realize.$(SHAREDBEST) drivers/isabelle-realizations.aux \ $(ISABELLEREALIZEDRVPATH) drivers/isabelle-common.gen stdlib/option.mlw $(SHOW) "Generating Isabelle realization for option.$(notdir $(basename $@))" $(HIDE)mkdir -p $(GENERATED_PREFIX_ISABELLE)/option $(HIDE)WHY3CONFIG="" bin/why3.@OCAMLBEST@ realize $(LOCAL_STDLIB) -D $(ISABELLEREALIZEDRV) -T option.$(notdir $(basename $@)) -o $(GENERATED_PREFIX_ISABELLE)/option/ $(ISABELLELIBS_BV): bin/why3.@OCAMLBEST@ bin/why3realize.$(SHAREDBEST) drivers/isabelle-realizations.aux \ $(ISABELLEREALIZEDRVPATH) drivers/isabelle-common.gen stdlib/bv.mlw $(SHOW) "Generating Isabelle realization for bv.$(notdir $(basename $@))" $(HIDE)mkdir -p $(GENERATED_PREFIX_ISABELLE)/bv $(HIDE)WHY3CONFIG="" bin/why3.@OCAMLBEST@ realize $(LOCAL_STDLIB) -D $(ISABELLEREALIZEDRV) -T bv.$(notdir $(basename $@)) -o $(GENERATED_PREFIX_ISABELLE)/bv/ ifeq (@enable_isabelle_libs@,yes) $(GENERATED_PREFIX_ISABELLE)/last_build: $(ISABELLEVERSIONSPECIFICTARGETS) $(ISABELLELIBS) ifneq (@enable_local@,yes) cp -r $(GENERATED_PREFIX_ISABELLE) "$(LIBDIR)/why3" endif @(if isabelle components -l | grep -q "$(ISABELLE_TARGET_DIR)$$"; then \ echo "Building the Why3 heap for Isabelle/HOL:"; \ isabelle build -bc Why3; \ touch $@; \ else \ echo "[Warning] Cannot pre-build the Isabelle heap because"; \ echo " the Isabelle component configuration does not contain"; \ echo " [$(ISABELLE_TARGET_DIR)]"; \ fi) install-isabelle: $(GENERATED_PREFIX_ISABELLE)/last_build install_local:: install-isabelle install:: install-isabelle endif all: drivers/isabelle-realizations.aux install-data:: $(INSTALL_DATA) drivers/isabelle-realizations.aux $(DATADIR)/why3/drivers/ clean-isabelle:: rm -f $(GENERATED_PREFIX_ISABELLE)/*/*.xml clean:: clean-isabelle rm -f drivers/isabelle-realizations.aux ####################### # Isabelle client ####################### ISABELLEC_FILES := isabelle_client_main ISABELLECMODULES := $(addprefix src/isabelle-client/, $(ISABELLEC_FILES)) ISABELLECDEP = $(addsuffix .dep, $(ISABELLECMODULES)) ISABELLECCMO = $(addsuffix .cmo, $(ISABELLECMODULES)) ISABELLECCMX = $(addsuffix .cmx, $(ISABELLECMODULES)) $(ISABELLECDEP) $(ISABELLECCMO) $(ISABELLECCMX): INCLUDES += -I src/isabelle-client -I src/util depend: $(ISABELLECDEP) CLEANDIRS += src/isabelle-client # build targets byte: bin/isabelle_client.byte opt: bin/isabelle_client.opt bin/isabelle_client.opt: lib/why3/why3.cmxa $(ISABELLECCMX) bin/isabelle_client.byte: lib/why3/why3.cma $(ISABELLECCMO) install-bin:: cp -f bin/isabelle_client.@OCAMLBEST@ $(BINDIR)/isabelle_client$(EXE) uninstall-bin:: rm -f $(BINDIR)/isabelle_client$(EXE) MAKEINC += $(ISABELLECDEP) clean:: rm -f bin/isabelle_client.byte bin/isabelle_client.opt bin/isabelle_client ################ # Jessie3 plugin ################ ifeq (@enable_frama_c@,yes) nobyte: jessie.byte noopt: jessie.opt jessie.byte: src/jessie/Makefile $(WHY3CMA) @$(MAKE) -C src/jessie Jessie3.cma jessie.opt: src/jessie/Makefile $(WHY3CMXA) @$(MAKE) -C src/jessie Jessie3.cmxs uninstall-framac: rm -f $(FRAMAC_LIBDIR)/plugins/Jessie3.* uninstall:: uninstall-framac install-framac: $(MKDIR_P) $(FRAMAC_LIBDIR)/plugins/ $(INSTALL_DATA) $(wildcard $(addprefix src/jessie/Jessie3., $(INSTALLED_LIB_EXTS))) \ $(FRAMAC_LIBDIR)/plugins/ install:: install-framac clean:: $(MAKE) -C src/jessie clean endif ############### # Why3 pp ############### PRETTYPRINT_FILES = why3pp_sexp why3pp PRETTYPRINTMODULES = $(addprefix src/tools/, $(PRETTYPRINT_FILES)) PRETTYPRINTDEP = $(addsuffix .dep, $(PRETTYPRINTMODULES)) PRETTYPRINTCMO = $(addsuffix .cmo, $(PRETTYPRINTMODULES)) PRETTYPRINTCMX = $(addsuffix .cmx, $(PRETTYPRINTMODULES)) $(PRETTYPRINTDEP) $(PRETTYPRINTCMO) $(PRETTYPRINTCMX): INCLUDES += -I src/tools PRETTYPRINTGENERATED = src/tools/why3pp_sexp.ml $(PRETTYPRINTDEP): $(PRETTYPRINTGENERATED) GENERATED += $(PRETTYPRINTGENERATED) # build targets byte: bin/why3pp.cma opt: bin/why3pp.cmxs bin/why3pp.cmxs: $(PRETTYPRINTCMX) bin/why3pp.cma: $(PRETTYPRINTCMO) # depend and clean targets MAKEINC += $(PRETTYPRINTDEP) uninstall-bin:: rm -f $(TOOLDIR)/why3pp.$(SHAREDBEST) install-bin:: $(MKDIR_P) $(TOOLDIR) $(INSTALL_DATA) bin/why3pp.$(SHAREDBEST) $(TOOLDIR) install_local:: bin/why3pp.$(SHAREDBEST) ######### # why3doc ######### WHY3DOCGENERATED = src/why3doc/doc_lexer.ml WHY3DOC_FILES = doc_html doc_def doc_lexer doc_main WHY3DOCMODULES = $(addprefix src/why3doc/, $(WHY3DOC_FILES)) WHY3DOCDEP = $(addsuffix .dep, $(WHY3DOCMODULES)) WHY3DOCCMO = $(addsuffix .cmo, $(WHY3DOCMODULES)) WHY3DOCCMX = $(addsuffix .cmx, $(WHY3DOCMODULES)) $(WHY3DOCDEP) $(WHY3DOCCMO) $(WHY3DOCCMX): INCLUDES += -I src/why3doc $(WHY3DOCDEP): $(WHY3DOCGENERATED) # build targets byte: bin/why3doc.cma opt: bin/why3doc.cmxs bin/why3doc.cmxs: $(WHY3DOCCMX) bin/why3doc.cma: $(WHY3DOCCMO) # depend and clean targets MAKEINC += $(WHY3DOCDEP) CLEANDIRS += src/why3doc GENERATED += $(WHY3DOCGENERATED) uninstall-bin:: rm -f $(TOOLDIR)/why3doc.$(SHAREDBEST) install-bin:: $(MKDIR_P) $(TOOLDIR) $(INSTALL_DATA) bin/why3doc.$(SHAREDBEST) $(TOOLDIR) install_local:: bin/why3doc.$(SHAREDBEST) ######### # trywhy3 ######### ifeq ($(DEBUGJS),yes) JSOO_DEBUG=--pretty --debug-info --source-map JS_MAPS=trywhy3.map why3_worker.map else JSOO_DEBUG= JS_MAPS= endif TRYWHY3_FILES = json_base json_parser json_lexer bindings shortener trywhy3 why3_worker worker_proto TRYWHY3MODULES = $(addprefix src/trywhy3/, $(TRYWHY3_FILES)) TRYWHY3DEP = $(addsuffix .dep, $(TRYWHY3MODULES)) TRYWHY3CMO = $(addsuffix .cmo, $(TRYWHY3MODULES)) TRYWHY3CMI = $(addsuffix .cmi, $(TRYWHY3MODULES)) $(TRYWHY3DEP) $(TRYWHY3CMO) $(TRYWHY3CMI): INCLUDES += -I src/trywhy3 TRYWHY3_PACK = \ trywhy3.js trywhy3.html trywhy3.css \ help_whyml.html help_python.html help_micro-C.html \ why3_worker.js alt-ergo-worker.js \ README.md examples/ \ trywhy3_custom.css \ ace-builds/src-min-noconflict/ace.js \ ace-builds/src-min-noconflict/mode-why3.js \ ace-builds/src-min-noconflict/mode-python.js \ ace-builds/src-min-noconflict/mode-c_cpp.js \ ace-builds/src-min-noconflict/theme-chrome.js $(JS_MAPS) trywhy3.tar.gz: $(addprefix src/trywhy3/, $(TRYWHY3_PACK)) tar czf trywhy3.tar.gz -C src $(addprefix trywhy3/, $(TRYWHY3_PACK)) trywhy3: src/trywhy3/trywhy3.js src/trywhy3/why3_worker.js src/trywhy3/trywhy3.js: src/trywhy3/trywhy3.byte js_of_ocaml $(JSOO_DEBUG) $< src/trywhy3/trywhy3.byte: $(addprefix src/trywhy3/, json_base.cmo json_parser.cmo json_lexer.cmo bindings.cmo worker_proto.cmo shortener.cmo trywhy3.cmo) $(OCAMLFIND) ocamlc -o $@ -package js_of_ocaml -package menhirLib -linkpkg $^ src/trywhy3/why3_worker.js: src/trywhy3/why3_worker.byte src/trywhy3/trywhy3.conf src/trywhy3/try_alt_ergo.drv js_of_ocaml $(JSOO_DEBUG) --extern-fs -I . -I src/trywhy3 \ --file=trywhy3.conf:/ \ --file=try_alt_ergo.drv:/ \ `find stdlib -name "*.mlw" -exec printf " --file=%s:/%s" {} {} ";"` \ +dynlink.js +toplevel.js $< src/trywhy3/why3_worker.byte: $(WHY3CMA) $(PYTHONCMO) $(MICROCCMO) \ $(addprefix src/trywhy3/, bindings.cmo worker_proto.cmo why3_worker.cmo) $(OCAMLFIND) ocamlc $(filter-out -thread,$(BFLAGS)) -package js_of_ocaml -o $@ -linkpkg $^ src/trywhy3/%.cmo: src/trywhy3/%.ml $(OCAMLFIND) ocamlc $(BFLAGS) -c $< src/trywhy3/%.cmi: src/trywhy3/%.mli $(OCAMLFIND) ocamlc $(BFLAGS) -c $< $(addprefix src/trywhy3/, worker_proto.cmo why3_worker.cmo): BFLAGS += -package js_of_ocaml $(addprefix src/trywhy3/, bindings.cmo trywhy3.cmo): BFLAGS += -package js_of_ocaml -package js_of_ocaml-ppx TRYWHY3JSON_FILES = json_base json_parser json_lexer TRYWHY3JSON = $(TRYWHY3JSON_FILES:%=src/trywhy3/%.ml) $(TRYWHY3JSON_FILES:%=src/trywhy3/%.mli) $(TRYWHY3JSON): src/trywhy3/%: src/util/% cp $< $@ GENERATED += $(TRYWHY3JSON) $(TRYWHY3DEP): $(TRYWHY3JSON) MAKEINC += $(TRYWHY3DEP) clean-trywhy3: rm -f src/trywhy3/trywhy3.js src/trywhy3/trywhy3.byte \ src/trywhy3/why3_worker.js src/trywhy3/why3_worker.byte \ trywhy3.tar.gz clean:: clean-trywhy3 CLEANDIRS += src/trywhy3 ######### # why3webserver and full web/js interface ######### ifeq (@enable_web_ide@,yes) JSOCAMLCW=$(OCAMLFIND) ocamlc -package js_of_ocaml -package js_of_ocaml-ppx \ -I src/ide src/ide/why3_js.cmo: src/ide/why3_js.ml lib/why3/why3.cma $(JSOCAMLCW) $(BFLAGS) -c $< src/ide/why3_js.byte: lib/why3/why3.cma src/ide/why3_js.cmo $(JSOCAMLCW) $(filter-out -thread,$(BFLAGS)) -o $@ -linkpkg $(BLINKFLAGS) $^ src/ide/why3_js.js: src/ide/why3_js.byte js_of_ocaml +dynlink.js +toplevel.js $< web_ide: src/ide/why3_js.js opt: bin/why3webserver.cmxs byte: bin/why3webserver.cma src/ide/why3_js.cmo endif ######## # bench ######## .PHONY: bench test bench:: bin/why3.@OCAMLBEST@ bin/why3config.$(SHAREDBEST) plugins $(TOOLS) \ share/Makefile.config bin/why3extract.$(SHAREDBEST) bin/why3.@OCAMLBEST@ config list-provers | grep -q Alt-Ergo || \ bin/why3.@OCAMLBEST@ config detect @echo "=== Check API examples ===" $(MAKE) bench-api @echo "=== Check examples ===" bash bench/bench -suffix ".@OCAMLBEST@" @echo "=== Check parsing messages ===" bench/parsing-bench APITESTS = \ clone \ counterexample \ create_session \ logic \ mlw_expr \ mlw_tree \ transform \ ifeq (@enable_infer@,yes) APITESTS += mlw_tree_infer_invs endif ifeq (@enable_infer@,yes) APITESTS += mlw_tree_bddinfer_invs endif bench-api: $(addprefix test-api-, $(APITESTS)) clean:: rm -rf bench/infer/*.out rm -rf bench/bddinfer/*.out rm -rf bench/check-ce/*.out ############### # test targets ############### test-itp.opt: src/printer/itp.ml lib/why3/why3.cmxa $(if $(QUIET),@echo 'Ocamlopt $<' &&) \ $(OCAMLOPT) -o $@ -I lib/why3 $(INCLUDES) $(OLINKFLAGS) lib/why3/why3.cmxa $< test-api-%.byte: examples/use_api/%.ml lib/why3/why3.cma $(SHOW) 'Ocaml $<' $(HIDE)($(OCAMLC) -o $@ -I lib/why3 $(BFLAGS) $(BLINKFLAGS) lib/why3/why3.cma $<) \ || (printf "Compilation failed for API test $@. Please fix it.\n"; exit 2) test-api-%.opt: examples/use_api/%.ml lib/why3/why3.cmxa $(SHOW) 'Ocamlopt $<' $(HIDE)($(OCAMLOPT) -o $@ -I lib/why3 $(OFLAGS) $(OLINKFLAGS) lib/why3/why3.cmxa $<) \ || (printf "Compilation failed for API test $@. Please fix it.\n"; exit 2) test-api-%: test-api-%.@OCAMLBEST@ $(HIDE)mkdir -p examples/use_api/results $(HIDE)(./$< | sed -e 's/^\(Versions of Alt-Ergo found: \).*$$/\1/' \ -e 's/0\.0[0-9]/0.0x/g;s/[0-9][0-9]* steps/xx steps/' \ > examples/use_api/results/$@.stdout ) \ || (printf "Execution failed for API test $<. Please fix it.\n"; exit 2) $(HIDE)(diff -u examples/use_api/oracles/$@.stdout examples/use_api/results/$@.stdout) \ || (printf "Oracle failed for API test $<. Please fix it.\n"; exit 2) $(HIDE)rm -f $< why3session.xml why3shapes why3shapes.gz #test-shape: lib/why3/why3.cma # ocaml -I lib/why3 $(INCLUDES) $(BLINKFLAGS) $? examples/test_shape.ml ################ # documentation ################ .PHONY: doc predoc doc/generated/drivers-all.dot: drivers/*.drv drivers/*.gen doc/drv_depgraph $^ > $@ doc/generated/drivers-%.dot: doc/generated/drivers-all.dot ccomps -X $(NODE) $< > $@ doc/generated/drivers-smt.dot: NODE = smt-libv2.gen doc/generated/drivers-tptp.dot: NODE = tptp.gen doc/generated/drivers-coq.dot: NODE = coq-common.gen doc/generated/drivers-isabelle.dot: NODE = isabelle-common.gen doc/generated/drivers-pvs.dot: NODE = pvs-common.gen DRVDOT = $(patsubst %,doc/generated/drivers-%.dot, smt tptp coq isabelle pvs) DOC = index zebibliography genindex \ foreword starting whyml api install manpages syntaxref vcgen \ input_formats exec itp technical changes DOCRST = $(DOC:%=doc/%.rst) doc/manual.bib LIBDOT = $(patsubst %,doc/generated/library-%.dot, int array) doc/generated/library-%.dot: stdlib/%.mlw bin/why3 pp --output=dep $< | tred > $@ predoc: $(DRVDOT) $(LIBDOT) update-doc-png: export UBUNTU_MENUPROXY=0; \ export WHY3CONFIG=doc/why3ide-doc.conf; \ export WHY3LOADPATH=stdlib; \ export GTK_THEME=Adwaita; \ export WAYLAND_DISPLAY=; \ sed -n -e 's/^.. %EXECUTE \(.*\)/\1/p' $(DOCRST) | $(SHELL) -e ifeq (@enable_doc@,yes) doc: doc/html/index.html TESTSAPIDOC = $(addsuffix .ml, $(addprefix examples/use_api/, $(APITESTS))) doc/html/index.html: $(DOCRST) $(DRVDOT) $(LIBDOT) $(TESTSAPIDOC) doc/conf.py $(SPHINX) -b html -d doc/.doctrees doc doc/html doc/latex/manual.tex: $(DOCRST) $(DRVDOT) $(LIBDOT) $(TESTSAPIDOC) doc/conf.py $(SPHINX) -b latex -d doc/.doctrees doc doc/latex ifeq (@enable_pdf_doc@,yes) doc: doc/latex/manual.pdf doc/latex/manual.pdf: doc/latex/manual.tex @echo "running LaTeX compilation..." cd doc/latex; $(LATEXCOMP) manual.tex >/dev/null ifeq (@LATEX@,pdflatex) @cd doc/latex; if grep 'may have changed. Rerun to get' manual.log; then \ makeindex manual; \ echo "running LaTeX again to try to fix references..."; \ pdflatex manual >/dev/null; \ fi @cd doc/latex; if grep 'may have changed. Rerun to get' manual.log; then \ echo "running LaTeX again to try to fix references..."; \ pdflatex manual >/dev/null; \ fi endif endif clean:: rm -rf doc/html doc/latex rm -rf doc/generated/*.dot else doc: endif ########## # API DOC ########## .PHONY: apidoc apidot MODULESTODOC = \ util/util util/opt util/lists util/strings util/getopt \ util/extmap util/extset util/exthtbl \ util/weakhtbl util/wstdlib util/rc util/debug \ util/loc util/pp util/bigInt util/number \ util/mlmpfr_wrapper \ core/ident core/ty core/term core/decl core/coercion core/theory \ core/env core/task core/trans core/pretty core/printer \ core/model_parser \ parser/ptree.ml \ parser/ptree_helpers parser/typing parser/mlw_printer \ driver/whyconf driver/call_provers driver/driver \ transform/args_wrapper \ mlw/ity mlw/expr mlw/pdecl mlw/pmodule mlw/vc \ mlw/pinterp_core mlw/rac mlw/pinterp mlw/check_ce \ session/session_itp session/controller_itp \ session/itp_communication session/itp_server ifeq (@enable_bddinfer@,yes) MODULESTODOC += bddinfer/why3infer endif FILESTODOC = $(subst .ml.mli,.ml,$(MODULESTODOC:%=src/%.mli)) DOCFLAGS = $(INCLUDES) $(LIBINCLUDES) ifeq (@enable_ocamlfind@,yes) DOCFLAGS += $(addprefix -package ,$(EXTPKGS)) else DOCFLAGS += $(EXTINCLUDES) endif doc/apidoc: mkdir -p doc/apidoc apidoc: doc/apidoc $(FILESTODOC) $(OCAMLDOC) $(DOCFLAGS) -d doc/apidoc -charset utf-8 -html \ -t "Why3 API documentation" -keep-code $(FILESTODOC) # could we include also the dependency graph ? -- someone # At least we can give a way to create it -- francois apidot: doc/apidoc/dg.svg doc/apidoc/dg.png #The sed remove configuration for dot that gives bad result doc/apidoc/dg.dot: doc/apidoc $(FILESTODOC) $(OCAMLDOC) $(DOCFLAGS) -o doc/apidoc/dg.dot.tmp -dot $(FILESTODOC) sed -e "s/ \(size\|ratio\|rotate\|fontsize\).*$$//" doc/apidoc/dg.dot.tmp \ | tred > doc/apidoc/dg.dot rm -f doc/apidoc/dg.dot.tmp doc/apidoc/dg.svg: doc/apidoc/dg.dot dot -T svg $< > $@ doc/apidoc/dg.png: doc/apidoc/dg.dot dot -T png $< > $@ doc/apidoc.tex: $(FILESTODOC) $(OCAMLDOC) $(DOCFLAGS) -o doc/apidoc.tex -latex -noheader -notrailer $(FILESTODOC) clean:: rm -f doc/apidoc/* ########## # Install rules for bash completions ########## uninstall-bash: if test -d /etc/bash_completion.d -a -w /etc/bash_completion.d; then \ rm -f /etc/bash_completion.d/why3; \ fi uninstall:: uninstall-bash install-bash:: if test -d /etc/bash_completion.d -a -w /etc/bash_completion.d; then \ $(INSTALL) share/bash/why3 /etc/bash_completion.d; \ fi install:: install-bash ########## # Stdlib formatted with why3doc ########## .PHONY: stdlibdoc STDMACHLIBS = \ array bv c float fxp int matrix onetime peano tagset STDLIBS = \ algebra array \ bag bintree bool bv \ cursor \ exn \ floating_point fmap function \ graph hashtbl \ ieee_float int io \ list \ map matrix \ null number option ocaml \ pigeon pqueue \ queue \ random real ref regexp relations \ seq set stack string \ tree \ witness \ $(addprefix mach/, $(STDMACHLIBS)) # NO NEED DOC: # debug: too basic, needs large improvement # io: too basic, needs large improvement # tptp: for TPTP provers ? # for_drivers: used only in drivers STDLIBFILES = $(patsubst %,stdlib/%.mlw, $(STDLIBS)) # TODO: remove the hack about int.mlw once it has become builtin stdlibdoc: $(STDLIBFILES) bin/why3.@OCAMLBEST@ bin/why3doc.$(SHAREDBEST) mkdir -p doc/stdlibdoc sed -e "s/use Int/use int.Int/" stdlib/int.mlw > int.mlw rm -f doc/stdlibdoc/style.css WHY3CONFIG="" bin/why3.@OCAMLBEST@ doc $(LOCAL_STDLIB) \ -o doc/stdlibdoc --title="Why3 Standard Library" \ $(subst stdlib/int.mlw,int.mlw,$(STDLIBFILES)) rm int.mlw cd doc/stdlibdoc; \ for f in stdlib.*.html; \ do mv "$$f" "$${f#stdlib.}"; done sed -i -e "s#stdlib.##g" doc/stdlibdoc/index.html sed -i -e "s#int\.\( $$f.new && mv $$f.new $$f; done %.ml %.mli: %.mly $(SHOW) 'Menhir $<' $(HIDE)$(MENHIR) --table --explain --strict $< %.dep: %.ml %.mli $(SHOW) 'Ocamldep $<' $(HIDE)$(OCAMLDEP) $(DEPFLAGS) $(INCLUDES) $< $ $@ # jc/jc_ai.ml: jc/jc_annot_inference.ml jc/jc_annot_fail.ml Makefile # if test "@enable_apron@" = "yes" ; then \ # echo "# 1 \"jc/jc_annot_inference.ml\"" > jc/jc_ai.ml; \ # cat jc/jc_annot_inference.ml >> jc/jc_ai.ml; \ # else \ # echo "# 1 \"jc/jc_annot_fail.ml\"" > jc/jc_ai.ml; \ # cat jc/jc_annot_fail.ml >> jc/jc_ai.ml; \ # fi # %_why.v: %.mlw $(BINARY) # $(BINARY) -coq $*.mlw # %_why.pvs: %.mlw $(BINARY) # $(BINARY) -pvs $*.mlw # Emacs tags ############ tags: find src -regex ".*\.ml[^#]*" | grep -v ".svn" | sort -r | xargs \ etags "--regex-ocaml=/let[ \t]+\([^ \t]+\)/\1/" \ "--regex-ocaml=/let[ \t]+rec[ \t]+\([^ \t]+\)/\1/" \ "--regex-ocaml=/and[ \t]+\([^ \t]+\)/\1/" \ "--regex-ocaml=/type[ \t]+\([^ \t]+\)/\1/" \ "--regex-ocaml=/exception[ \t]+\([^ \t]+\)/\1/" \ "--regex-ocaml=/val[ \t]+\([^ \t]+\)/\1/" \ "--regex-ocaml=/module[ \t]+\([^ \t]+\)/\1/" otags: find \( -name '*.ml' -or -name '*.mli' \) -print0 | xargs -0 otags # otags src/*.mli src/*.ml c/*.mli c/*.ml intf/*.mli intf/*.ml # the previous seems broken. This one is intented for vi(m) users, but could # be adapted for emacs (remove the -vi option ?) otags-vi: find \( -name '*.ml' -or -name '*.mli' \) -print0 | xargs -0 otags -vi wc: ocamlwc -p src/*.ml* src/*/*.ml* #dep: depend # cat .depend* | ocamldot | dot -Tpdf > dep.pdf # $(PDFVIEWER) dep.pdf # distrib ######### NAME = why3-@VERSION@ # see .gitattributes for the list of files that are not distributed MORE_DIST = configure dist: $(MORE_DIST) rm -f distrib/$(NAME).tar.gz mkdir -p distrib/ git archive --format=tar --prefix=$(NAME)/ -o distrib/$(NAME).tar HEAD tar rf distrib/$(NAME).tar --transform="s,^,$(NAME)/," --mtime="`git show -s --format=%ci`" --owner=0 --group=0 $(MORE_DIST) gzip -n -f --best distrib/$(NAME).tar ############### # file headers ############### headers: headache -c misc/headache_config.txt -h misc/header.txt \ Makefile.in configure.in \ src/*/*.ml src/*/*.ml[ily] \ plugins/*/*.ml plugins/*/*.ml[ily] \ lib/coq/*.v lib/coq/*/*.v \ src/server/*.[ch] \ examples/use_api/*.ml ######### # myself ######### AUTOCONF_FILES = \ Makefile \ src/jessie/Makefile \ src/config.sh \ .merlin \ src/jessie/.merlin \ lib/why3/META \ lib/coq/version \ lib/pvs/version $(AUTOCONF_FILES): %: %.in config.status ./config.status chmod --file $@ src/util/config.ml share/Makefile.config: src/config.sh $(SHOW) 'Generate $@' $(HIDE)BINDIR=$(BINDIR) LIBDIR=$(LIBDIR) DATADIR=$(DATADIR) src/config.sh clean:: rm -f share/Makefile.config config.status: configure ./config.status --recheck configure: configure.in autoconf -f ################### # clean and depend ################### .PHONY: distclean distclean: clean rm -f config.status config.cache config.log \ src/util/config.ml $(AUTOCONF_FILES) ifneq "$(MAKECMDGOALS:clean%=clean)" "clean" ifneq "$(MAKECMDGOALS)" "depend" -include $(MAKEINC) endif endif depend: $(MAKEINC) clean:: rm -f $(GENERATED) $(foreach d,$(CLEANDIRS),rm -f $(addprefix $(d)/*.,$(COMPILED_LIB_EXTS));) $(foreach p,$(CLEANLIBS),rm -f $(addprefix $(p).,$(COMPILED_LIB_EXTS));) detect-unused: @L1=$$(mktemp); \ L2=$$(mktemp); \ for d in `find examples/ -name 'why3session.xml' -printf '%h\n'`; do \ sed -n -e 's/.*proof.*name="\([^"]*\)".*/\1/p' $$d/why3session.xml | sort > $$L1; \ (cd $$d; git ls-files) | grep -v -e '^why3session.xml' -e '^why3shapes' -e '^[.]gitignore' -e '^Makefile' -e '[.]ml$$' -e '[.]html$$' | sed -e 's/[.]prf$$/.pvs/;s/[.]thy$$/.xml/' | sort -u > $$L2; \ diff -u --label="$$d/why3session.xml" --label="$$d/" $$L1 $$L2 || echo; \ done; \ rm $$L1 $$L2 ################################################################## # Building the Why3 platform with ocamlbuild (OCaml 3.10 needed) # ################################################################## # There used to be targets here but they are no longer useful. # To build using Ocamlbuild: # 1) Run "make Makefile" to ensure that the generated files (config.ml, ...) # are generated. # 2) Run Ocamlbuild with any target to generate the sanitization script. # 3) Run ./sanitize to delete the generated files that shouldn't be generated # (i.e. all lexers and parsers). # 4) Run Ocamlbuild with the target you need, for example: # ocamlbuild jc/jc_main.native # You can also use the Makefile ./build.makefile which has some handy targets. why3-1.6.0/OCAML-LICENSE000066400000000000000000000764011440160026300142520ustar00rootroot00000000000000In the following, "the Library" refers to all files marked "Copyright INRIA" in the following directories and their sub-directories: asmrun, byterun, camlp4, config, otherlibs, stdlib, win32caml and "the Compiler" refers to all files marked "Copyright INRIA" in the following directories and their sub-directories: asmcomp, boot, bytecomp, debugger, driver, lex, ocamldoc, parsing, tools, toplevel, typing, utils, yacc The Compiler is distributed under the terms of the Q Public License version 1.0 with a change to choice of law (included below). The Library is distributed under the terms of the GNU Library General Public License version 2 (included below). As a special exception to the Q Public Licence, you may develop application programs, reusable components and other software items that link with the original or modified versions of the Compiler and are not made available to the general public, without any of the additional requirements listed in clause 6c of the Q Public licence. As a special exception to the GNU Library General Public License, you may link, statically or dynamically, a "work that uses the Library" with a publicly distributed version of the Library to produce an executable file containing portions of the Library, and distribute that executable file under terms of your choice, without any of the additional requirements listed in clause 6 of the GNU Library General Public License. By "a publicly distributed version of the Library", we mean either the unmodified Library as distributed by INRIA, or a modified version of the Library that is distributed under the conditions defined in clause 2 of the GNU Library General Public License. This exception does not however invalidate any other reasons why the executable file might be covered by the GNU Library General Public License. ---------------------------------------------------------------------- THE Q PUBLIC LICENSE version 1.0 Copyright (C) 1999 Troll Tech AS, Norway. Everyone is permitted to copy and distribute this license document. The intent of this license is to establish freedom to share and change the software regulated by this license under the open source model. This license applies to any software containing a notice placed by the copyright holder saying that it may be distributed under the terms of the Q Public License version 1.0. Such software is herein referred to as the Software. This license covers modification and distribution of the Software, use of third-party application programs based on the Software, and development of free software which uses the Software. Granted Rights 1. You are granted the non-exclusive rights set forth in this license provided you agree to and comply with any and all conditions in this license. Whole or partial distribution of the Software, or software items that link with the Software, in any form signifies acceptance of this license. 2. You may copy and distribute the Software in unmodified form provided that the entire package, including - but not restricted to - copyright, trademark notices and disclaimers, as released by the initial developer of the Software, is distributed. 3. You may make modifications to the Software and distribute your modifications, in a form that is separate from the Software, such as patches. The following restrictions apply to modifications: a. Modifications must not alter or remove any copyright notices in the Software. b. When modifications to the Software are released under this license, a non-exclusive royalty-free right is granted to the initial developer of the Software to distribute your modification in future versions of the Software provided such versions remain available under these terms in addition to any other license(s) of the initial developer. 4. You may distribute machine-executable forms of the Software or machine-executable forms of modified versions of the Software, provided that you meet these restrictions: a. You must include this license document in the distribution. b. You must ensure that all recipients of the machine-executable forms are also able to receive the complete machine-readable source code to the distributed Software, including all modifications, without any charge beyond the costs of data transfer, and place prominent notices in the distribution explaining this. c. You must ensure that all modifications included in the machine-executable forms are available under the terms of this license. 5. You may use the original or modified versions of the Software to compile, link and run application programs legally developed by you or by others. 6. You may develop application programs, reusable components and other software items that link with the original or modified versions of the Software. These items, when distributed, are subject to the following requirements: a. You must ensure that all recipients of machine-executable forms of these items are also able to receive and use the complete machine-readable source code to the items without any charge beyond the costs of data transfer. b. You must explicitly license all recipients of your items to use and re-distribute original and modified versions of the items in both machine-executable and source code forms. The recipients must be able to do so without any charges whatsoever, and they must be able to re-distribute to anyone they choose. c. If the items are not available to the general public, and the initial developer of the Software requests a copy of the items, then you must supply one. Limitations of Liability In no event shall the initial developers or copyright holders be liable for any damages whatsoever, including - but not restricted to - lost revenue or profits or other direct, indirect, special, incidental or consequential damages, even if they have been advised of the possibility of such damages, except to the extent invariable law, if any, provides otherwise. No Warranty The Software and this license document are provided AS IS with NO WARRANTY OF ANY KIND, INCLUDING THE WARRANTY OF DESIGN, MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE. Choice of Law This license is governed by the Laws of France. ---------------------------------------------------------------------- GNU LIBRARY GENERAL PUBLIC LICENSE Version 2, June 1991 Copyright (C) 1991 Free Software Foundation, Inc. 59 Temple Place - Suite 330, Boston, MA 02111-1307, USA Everyone is permitted to copy and distribute verbatim copies of this license document, but changing it is not allowed. [This is the first released version of the library GPL. It is numbered 2 because it goes with version 2 of the ordinary GPL.] Preamble The licenses for most software are designed to take away your freedom to share and change it. By contrast, the GNU General Public Licenses are intended to guarantee your freedom to share and change free software--to make sure the software is free for all its users. This license, the Library General Public License, applies to some specially designated Free Software Foundation software, and to any other libraries whose authors decide to use it. You can use it for your libraries, too. When we speak of free software, we are referring to freedom, not price. Our General Public Licenses are designed to make sure that you have the freedom to distribute copies of free software (and charge for this service if you wish), that you receive source code or can get it if you want it, that you can change the software or use pieces of it in new free programs; and that you know you can do these things. To protect your rights, we need to make restrictions that forbid anyone to deny you these rights or to ask you to surrender the rights. These restrictions translate to certain responsibilities for you if you distribute copies of the library, or if you modify it. For example, if you distribute copies of the library, whether gratis or for a fee, you must give the recipients all the rights that we gave you. You must make sure that they, too, receive or can get the source code. If you link a program with the library, you must provide complete object files to the recipients so that they can relink them with the library, after making changes to the library and recompiling it. And you must show them these terms so they know their rights. Our method of protecting your rights has two steps: (1) copyright the library, and (2) offer you this license which gives you legal permission to copy, distribute and/or modify the library. Also, for each distributor's protection, we want to make certain that everyone understands that there is no warranty for this free library. If the library is modified by someone else and passed on, we want its recipients to know that what they have is not the original version, so that any problems introduced by others will not reflect on the original authors' reputations. Finally, any free program is threatened constantly by software patents. We wish to avoid the danger that companies distributing free software will individually obtain patent licenses, thus in effect transforming the program into proprietary software. To prevent this, we have made it clear that any patent must be licensed for everyone's free use or not licensed at all. Most GNU software, including some libraries, is covered by the ordinary GNU General Public License, which was designed for utility programs. This license, the GNU Library General Public License, applies to certain designated libraries. This license is quite different from the ordinary one; be sure to read it in full, and don't assume that anything in it is the same as in the ordinary license. The reason we have a separate public license for some libraries is that they blur the distinction we usually make between modifying or adding to a program and simply using it. Linking a program with a library, without changing the library, is in some sense simply using the library, and is analogous to running a utility program or application program. However, in a textual and legal sense, the linked executable is a combined work, a derivative of the original library, and the ordinary General Public License treats it as such. Because of this blurred distinction, using the ordinary General Public License for libraries did not effectively promote software sharing, because most developers did not use the libraries. We concluded that weaker conditions might promote sharing better. However, unrestricted linking of non-free programs would deprive the users of those programs of all benefit from the free status of the libraries themselves. This Library General Public License is intended to permit developers of non-free programs to use free libraries, while preserving your freedom as a user of such programs to change the free libraries that are incorporated in them. (We have not seen how to achieve this as regards changes in header files, but we have achieved it as regards changes in the actual functions of the Library.) The hope is that this will lead to faster development of free libraries. The precise terms and conditions for copying, distribution and modification follow. Pay close attention to the difference between a "work based on the library" and a "work that uses the library". The former contains code derived from the library, while the latter only works together with the library. Note that it is possible for a library to be covered by the ordinary General Public License rather than by this special one. GNU LIBRARY GENERAL PUBLIC LICENSE TERMS AND CONDITIONS FOR COPYING, DISTRIBUTION AND MODIFICATION 0. This License Agreement applies to any software library which contains a notice placed by the copyright holder or other authorized party saying it may be distributed under the terms of this Library General Public License (also called "this License"). Each licensee is addressed as "you". A "library" means a collection of software functions and/or data prepared so as to be conveniently linked with application programs (which use some of those functions and data) to form executables. The "Library", below, refers to any such software library or work which has been distributed under these terms. A "work based on the Library" means either the Library or any derivative work under copyright law: that is to say, a work containing the Library or a portion of it, either verbatim or with modifications and/or translated straightforwardly into another language. (Hereinafter, translation is included without limitation in the term "modification".) "Source code" for a work means the preferred form of the work for making modifications to it. For a library, complete source code means all the source code for all modules it contains, plus any associated interface definition files, plus the scripts used to control compilation and installation of the library. Activities other than copying, distribution and modification are not covered by this License; they are outside its scope. The act of running a program using the Library is not restricted, and output from such a program is covered only if its contents constitute a work based on the Library (independent of the use of the Library in a tool for writing it). Whether that is true depends on what the Library does and what the program that uses the Library does. 1. You may copy and distribute verbatim copies of the Library's complete source code as you receive it, in any medium, provided that you conspicuously and appropriately publish on each copy an appropriate copyright notice and disclaimer of warranty; keep intact all the notices that refer to this License and to the absence of any warranty; and distribute a copy of this License along with the Library. You may charge a fee for the physical act of transferring a copy, and you may at your option offer warranty protection in exchange for a fee. 2. You may modify your copy or copies of the Library or any portion of it, thus forming a work based on the Library, and copy and distribute such modifications or work under the terms of Section 1 above, provided that you also meet all of these conditions: a) The modified work must itself be a software library. b) You must cause the files modified to carry prominent notices stating that you changed the files and the date of any change. c) You must cause the whole of the work to be licensed at no charge to all third parties under the terms of this License. d) If a facility in the modified Library refers to a function or a table of data to be supplied by an application program that uses the facility, other than as an argument passed when the facility is invoked, then you must make a good faith effort to ensure that, in the event an application does not supply such function or table, the facility still operates, and performs whatever part of its purpose remains meaningful. (For example, a function in a library to compute square roots has a purpose that is entirely well-defined independent of the application. Therefore, Subsection 2d requires that any application-supplied function or table used by this function must be optional: if the application does not supply it, the square root function must still compute square roots.) These requirements apply to the modified work as a whole. If identifiable sections of that work are not derived from the Library, and can be reasonably considered independent and separate works in themselves, then this License, and its terms, do not apply to those sections when you distribute them as separate works. But when you distribute the same sections as part of a whole which is a work based on the Library, the distribution of the whole must be on the terms of this License, whose permissions for other licensees extend to the entire whole, and thus to each and every part regardless of who wrote it. Thus, it is not the intent of this section to claim rights or contest your rights to work written entirely by you; rather, the intent is to exercise the right to control the distribution of derivative or collective works based on the Library. In addition, mere aggregation of another work not based on the Library with the Library (or with a work based on the Library) on a volume of a storage or distribution medium does not bring the other work under the scope of this License. 3. You may opt to apply the terms of the ordinary GNU General Public License instead of this License to a given copy of the Library. To do this, you must alter all the notices that refer to this License, so that they refer to the ordinary GNU General Public License, version 2, instead of to this License. (If a newer version than version 2 of the ordinary GNU General Public License has appeared, then you can specify that version instead if you wish.) Do not make any other change in these notices. Once this change is made in a given copy, it is irreversible for that copy, so the ordinary GNU General Public License applies to all subsequent copies and derivative works made from that copy. This option is useful when you wish to copy part of the code of the Library into a program that is not a library. 4. You may copy and distribute the Library (or a portion or derivative of it, under Section 2) in object code or executable form under the terms of Sections 1 and 2 above provided that you accompany it with the complete corresponding machine-readable source code, which must be distributed under the terms of Sections 1 and 2 above on a medium customarily used for software interchange. If distribution of object code is made by offering access to copy from a designated place, then offering equivalent access to copy the source code from the same place satisfies the requirement to distribute the source code, even though third parties are not compelled to copy the source along with the object code. 5. A program that contains no derivative of any portion of the Library, but is designed to work with the Library by being compiled or linked with it, is called a "work that uses the Library". Such a work, in isolation, is not a derivative work of the Library, and therefore falls outside the scope of this License. However, linking a "work that uses the Library" with the Library creates an executable that is a derivative of the Library (because it contains portions of the Library), rather than a "work that uses the library". The executable is therefore covered by this License. Section 6 states terms for distribution of such executables. When a "work that uses the Library" uses material from a header file that is part of the Library, the object code for the work may be a derivative work of the Library even though the source code is not. Whether this is true is especially significant if the work can be linked without the Library, or if the work is itself a library. The threshold for this to be true is not precisely defined by law. If such an object file uses only numerical parameters, data structure layouts and accessors, and small macros and small inline functions (ten lines or less in length), then the use of the object file is unrestricted, regardless of whether it is legally a derivative work. (Executables containing this object code plus portions of the Library will still fall under Section 6.) Otherwise, if the work is a derivative of the Library, you may distribute the object code for the work under the terms of Section 6. Any executables containing that work also fall under Section 6, whether or not they are linked directly with the Library itself. 6. As an exception to the Sections above, you may also compile or link a "work that uses the Library" with the Library to produce a work containing portions of the Library, and distribute that work under terms of your choice, provided that the terms permit modification of the work for the customer's own use and reverse engineering for debugging such modifications. You must give prominent notice with each copy of the work that the Library is used in it and that the Library and its use are covered by this License. You must supply a copy of this License. If the work during execution displays copyright notices, you must include the copyright notice for the Library among them, as well as a reference directing the user to the copy of this License. Also, you must do one of these things: a) Accompany the work with the complete corresponding machine-readable source code for the Library including whatever changes were used in the work (which must be distributed under Sections 1 and 2 above); and, if the work is an executable linked with the Library, with the complete machine-readable "work that uses the Library", as object code and/or source code, so that the user can modify the Library and then relink to produce a modified executable containing the modified Library. (It is understood that the user who changes the contents of definitions files in the Library will not necessarily be able to recompile the application to use the modified definitions.) b) Accompany the work with a written offer, valid for at least three years, to give the same user the materials specified in Subsection 6a, above, for a charge no more than the cost of performing this distribution. c) If distribution of the work is made by offering access to copy from a designated place, offer equivalent access to copy the above specified materials from the same place. d) Verify that the user has already received a copy of these materials or that you have already sent this user a copy. For an executable, the required form of the "work that uses the Library" must include any data and utility programs needed for reproducing the executable from it. However, as a special exception, the source code distributed need not include anything that is normally distributed (in either source or binary form) with the major components (compiler, kernel, and so on) of the operating system on which the executable runs, unless that component itself accompanies the executable. It may happen that this requirement contradicts the license restrictions of other proprietary libraries that do not normally accompany the operating system. Such a contradiction means you cannot use both them and the Library together in an executable that you distribute. 7. You may place library facilities that are a work based on the Library side-by-side in a single library together with other library facilities not covered by this License, and distribute such a combined library, provided that the separate distribution of the work based on the Library and of the other library facilities is otherwise permitted, and provided that you do these two things: a) Accompany the combined library with a copy of the same work based on the Library, uncombined with any other library facilities. This must be distributed under the terms of the Sections above. b) Give prominent notice with the combined library of the fact that part of it is a work based on the Library, and explaining where to find the accompanying uncombined form of the same work. 8. You may not copy, modify, sublicense, link with, or distribute the Library except as expressly provided under this License. Any attempt otherwise to copy, modify, sublicense, link with, or distribute the Library is void, and will automatically terminate your rights under this License. However, parties who have received copies, or rights, from you under this License will not have their licenses terminated so long as such parties remain in full compliance. 9. You are not required to accept this License, since you have not signed it. However, nothing else grants you permission to modify or distribute the Library or its derivative works. These actions are prohibited by law if you do not accept this License. Therefore, by modifying or distributing the Library (or any work based on the Library), you indicate your acceptance of this License to do so, and all its terms and conditions for copying, distributing or modifying the Library or works based on it. 10. Each time you redistribute the Library (or any work based on the Library), the recipient automatically receives a license from the original licensor to copy, distribute, link with or modify the Library subject to these terms and conditions. You may not impose any further restrictions on the recipients' exercise of the rights granted herein. You are not responsible for enforcing compliance by third parties to this License. 11. If, as a consequence of a court judgment or allegation of patent infringement or for any other reason (not limited to patent issues), conditions are imposed on you (whether by court order, agreement or otherwise) that contradict the conditions of this License, they do not excuse you from the conditions of this License. If you cannot distribute so as to satisfy simultaneously your obligations under this License and any other pertinent obligations, then as a consequence you may not distribute the Library at all. For example, if a patent license would not permit royalty-free redistribution of the Library by all those who receive copies directly or indirectly through you, then the only way you could satisfy both it and this License would be to refrain entirely from distribution of the Library. If any portion of this section is held invalid or unenforceable under any particular circumstance, the balance of the section is intended to apply, and the section as a whole is intended to apply in other circumstances. It is not the purpose of this section to induce you to infringe any patents or other property right claims or to contest validity of any such claims; this section has the sole purpose of protecting the integrity of the free software distribution system which is implemented by public license practices. Many people have made generous contributions to the wide range of software distributed through that system in reliance on consistent application of that system; it is up to the author/donor to decide if he or she is willing to distribute software through any other system and a licensee cannot impose that choice. This section is intended to make thoroughly clear what is believed to be a consequence of the rest of this License. 12. If the distribution and/or use of the Library is restricted in certain countries either by patents or by copyrighted interfaces, the original copyright holder who places the Library under this License may add an explicit geographical distribution limitation excluding those countries, so that distribution is permitted only in or among countries not thus excluded. In such case, this License incorporates the limitation as if written in the body of this License. 13. The Free Software Foundation may publish revised and/or new versions of the Library General Public License from time to time. Such new versions will be similar in spirit to the present version, but may differ in detail to address new problems or concerns. Each version is given a distinguishing version number. If the Library specifies a version number of this License which applies to it and "any later version", you have the option of following the terms and conditions either of that version or of any later version published by the Free Software Foundation. If the Library does not specify a license version number, you may choose any version ever published by the Free Software Foundation. 14. If you wish to incorporate parts of the Library into other free programs whose distribution conditions are incompatible with these, write to the author to ask for permission. For software which is copyrighted by the Free Software Foundation, write to the Free Software Foundation; we sometimes make exceptions for this. Our decision will be guided by the two goals of preserving the free status of all derivatives of our free software and of promoting the sharing and reuse of software generally. NO WARRANTY 15. BECAUSE THE LIBRARY IS LICENSED FREE OF CHARGE, THERE IS NO WARRANTY FOR THE LIBRARY, TO THE EXTENT PERMITTED BY APPLICABLE LAW. EXCEPT WHEN OTHERWISE STATED IN WRITING THE COPYRIGHT HOLDERS AND/OR OTHER PARTIES PROVIDE THE LIBRARY "AS IS" WITHOUT WARRANTY OF ANY KIND, EITHER EXPRESSED OR IMPLIED, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE. THE ENTIRE RISK AS TO THE QUALITY AND PERFORMANCE OF THE LIBRARY IS WITH YOU. SHOULD THE LIBRARY PROVE DEFECTIVE, YOU ASSUME THE COST OF ALL NECESSARY SERVICING, REPAIR OR CORRECTION. 16. IN NO EVENT UNLESS REQUIRED BY APPLICABLE LAW OR AGREED TO IN WRITING WILL ANY COPYRIGHT HOLDER, OR ANY OTHER PARTY WHO MAY MODIFY AND/OR REDISTRIBUTE THE LIBRARY AS PERMITTED ABOVE, BE LIABLE TO YOU FOR DAMAGES, INCLUDING ANY GENERAL, SPECIAL, INCIDENTAL OR CONSEQUENTIAL DAMAGES ARISING OUT OF THE USE OR INABILITY TO USE THE LIBRARY (INCLUDING BUT NOT LIMITED TO LOSS OF DATA OR DATA BEING RENDERED INACCURATE OR LOSSES SUSTAINED BY YOU OR THIRD PARTIES OR A FAILURE OF THE LIBRARY TO OPERATE WITH ANY OTHER SOFTWARE), EVEN IF SUCH HOLDER OR OTHER PARTY HAS BEEN ADVISED OF THE POSSIBILITY OF SUCH DAMAGES. END OF TERMS AND CONDITIONS Appendix: How to Apply These Terms to Your New Libraries If you develop a new library, and you want it to be of the greatest possible use to the public, we recommend making it free software that everyone can redistribute and change. You can do so by permitting redistribution under these terms (or, alternatively, under the terms of the ordinary General Public License). To apply these terms, attach the following notices to the library. It is safest to attach them to the start of each source file to most effectively convey the exclusion of warranty; and each file should have at least the "copyright" line and a pointer to where the full notice is found. Copyright (C) This library is free software; you can redistribute it and/or modify it under the terms of the GNU Library General Public License as published by the Free Software Foundation; either version 2 of the License, or (at your option) any later version. This library is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU Library General Public License for more details. You should have received a copy of the GNU Library General Public License along with this library; if not, write to the Free Software Foundation, Inc., 59 Temple Place - Suite 330, Boston, MA 02111-1307, USA Also add information on how to contact you by electronic and paper mail. You should also get your employer (if you work as a programmer) or your school, if any, to sign a "copyright disclaimer" for the library, if necessary. Here is a sample; alter the names: Yoyodyne, Inc., hereby disclaims all copyright interest in the library `Frob' (a library for tweaking knobs) written by James Random Hacker. , 1 April 1990 Ty Coon, President of Vice That's all there is to it! why3-1.6.0/README.md000066400000000000000000000034071440160026300136670ustar00rootroot00000000000000WHY3 ==== Why3 is a platform for deductive program verification. It provides a rich language for specification and programming, called WhyML, and relies on external theorem provers, both automated and interactive, to discharge verification conditions. Why3 comes with a standard library of logical theories (integer and real arithmetic, Boolean operations, sets and maps, etc.) and basic programming data structures (arrays, queues, hash tables, etc.). A user can write WhyML programs directly and get correct-by-construction OCaml programs through an automated extraction mechanism. WhyML is also used as an intermediate language for the verification of C, Java, or Ada programs. PROJECT HOME ------------ http://why3.lri.fr/ https://gitlab.inria.fr/why3/why3 DOCUMENTATION ------------- The documentation (a tutorial and a reference manual) is in the file [doc/manual.pdf](http://why3.lri.fr/manual.pdf) or online at http://why3.lri.fr/doc/. Various examples can be found in the subdirectories [stdlib/](stdlib) and [examples/](examples). Mailing list (Why3 Club): http://lists.gforge.inria.fr/mailman/listinfo/why3-club Bug Tracking System: https://gitlab.inria.fr/why3/why3/issues COPYRIGHT --------- This program is distributed under the GNU LGPL 2.1. See the enclosed file [LICENSE](LICENSE). The files [src/util/extmap.ml{i}](src/util/extmap.mli) are derived from the sources of OCaml 3.12 standard library, and are distributed under the GNU LGPL version 2 (see file [OCAML-LICENSE](OCAML-LICENSE)). Icon sets for the graphical interface of Why3 are subject to specific licenses, some of them may forbid commercial usage. These specific licenses are detailed in files [share/images/\*/\*.txt](share/images). INSTALLATION ------------ See the file [INSTALL.md](INSTALL.md). why3-1.6.0/autogen.sh000077500000000000000000000000741440160026300144060ustar00rootroot00000000000000#!/bin/sh -eux if [ ! -f "configure" ]; then autoconf fi why3-1.6.0/bench/000077500000000000000000000000001440160026300134635ustar00rootroot00000000000000why3-1.6.0/bench/bddinfer-bench000077500000000000000000000045251440160026300162510ustar00rootroot00000000000000#!/bin/bash has_infer=`sed -n -e 's/INFERLIB *= *\([^ ]\+\)/\1/p' share/Makefile.config` if test -z "$has_infer"; then echo "Inference of loop invariants not enabled!" exit 3 fi updateoracle=false forceupdateoracle=false files="" dirs="" success=true why3prove="bin/why3 prove" why3libs="" if test $# = 0; then printf "no files provided\n" exit 2 fi while test $# != 0; do case "$1" in "-update-oracle") updateoracle=true;; "-force-update-oracle") forceupdateoracle=true;; -L=?*) why3libs="$why3libs ${1#*=}";; "-"*) printf "unknown option: %s\n" "$1" printf "usage: bddinfer-bench [-update-oracle] \n" printf " if is a directory, it runs on all the *.mlw files\n" exit 2;; *) if [ -d "$1" ]; then dirs="$dirs $1" else if [ -f "$1" ]; then files="$files $1" else echo "File not found: $1" exit 2 fi fi esac shift done if test -n "$why3libs"; then why3libs="-L $why3libs" fi for d in $dirs; do d=$(echo $d | sed 's:/*$::') #remove trailling slashs mlw="$(ls $d/*.mlw 2> /dev/null)" files="$files $mlw" done failed="" # $1 = file run () { printf "running for $1" file_base="$(basename $1)" file_dir="$(dirname $1)" out_file="$file_dir/${file_base%.*}.bddout" oracle_file="$file_dir/bddinfer-oracles/${file_base%.*}.oracle" $why3prove $1 -t 1 -P alt-ergo --debug=bddinfer $why3libs > "$out_file" 2>&1 str_out=$(sed 's/[0-9]\+\.[0-9]\+s//g' $out_file | sed 's/[0-9]\+ steps//g') str_oracle=$(sed 's/[0-9]\+\.[0-9]\+s//g' $oracle_file | sed 's/[0-9]\+ steps//g') if [ "$str_oracle" = "$str_out" ] ; then printf " - ok\n" else printf "\n" if $updateoracle; then echo "Updating oracle for $file_base" cp "$out_file" "$oracle_file" else echo "FAILED!" echo "diff is the following:" echo "$f" diff <(echo "$str_oracle") <(echo "$str_out") failed="$failed\n$1" success=false fi fi if $forceupdateoracle; then echo "Forcing update oracle for $file_base" cp "$out_file" "$oracle_file" fi rm "$out_file" } for file in $files; do run $file done if $success; then echo "BDD-infer bench: success" exit 0 else echo "BDD-infer bench: failed" printf "$failed\n" exit 1 fi why3-1.6.0/bench/bench000077500000000000000000000547131440160026300145020ustar00rootroot00000000000000#!/bin/bash # auto bench for why # Useless in this script ? # export WHY3LIB=lib # export WHY3DATA=. # export WHY3LOADPATH=theories has_mpfr=`sed -n -e 's/MPFRLIB *= *\([^ ]\+\)/\1/p' share/Makefile.config` has_infer=`sed -n -e 's/INFERLIB *= *\([^ ]\+\)/\1/p' share/Makefile.config` has_stackify=`sed -n -e 's/STACKIFY *= *\(yes\)/\1/p' share/Makefile.config` shopt -s nullglob suffix= categories="badfiles bddinfer drivers execution extraction goodfiles inferloop invalidgoals list mlwprinter rac realizations replay replay-without-shapes stdlib steplimit memlimit validgoals validsplitgoals stackify" enabled_categories="" while [ $# != 0 ]; do case "$1" in "-suffix") suffix="$2" shift 2 ;; *) if [[ ! " $categories " =~ " $1 " ]]; then echo "Usage: $0 [-suffix s] [categories...]" echo "The suffix for calling bin/why3 is either '.opt' or '.byte' or ''." echo "Specific tests can be selected using some of the following categories:" echo " $categories" exit 1 fi enabled_categories="$enabled_categories $1" shift 1 ;; esac done enabled () { [[ -z "$enabled_categories" || " $enabled_categories " =~ " $1 " ]] } simple_test() { if ! "$@" > /dev/null 2> /dev/null; then echo "failed!" echo "$@" "$@" exit 1 fi echo "ok" } # TODO: remove the hack about int.mlw once it has become builtin goods () { pgm="bin/why3$suffix prove" ERROR= test -d $1 || exit 1 rm -f bench_errors ext= case $1 in *python) ext=py;; *micro-c) ext=c;; esac for f in $1/*.{why,mlw,mlcfg} $1/*.$ext ; do printf " $f... " opts="$2" if test $f = stdlib/int.mlw; then opts="$2 --type-only"; fi # running Why if ! $pgm $opts $f > /dev/null 2> bench_error; then echo "failed!" # echo "env: WHY3DATA='$WHY3DATA'" echo "invocation: $pgm $opts $f" | tee -a bench_errors cat bench_error | tee -a bench_errors ERROR=yes elif test -s bench_error; then echo "warning!" cat bench_error else echo "ok" fi done rm -f bench_error if test -n "$ERROR"; then echo "bench aborted due to the following errors:" cat bench_errors rm bench_errors exit 1 fi } plugin_bads () { pgm="bin/why3$suffix prove" test -d $1 || exit 1 for f in $1/*.$3 ; do printf " $f... " if $pgm $2 $f > /dev/null 2>&1; then echo "failed! (should have an error)" echo $pgm $2 $f $pgm $2 $f exit 1 fi echo "ok" done } bads () { pgm="bin/why3$suffix prove" test -d $1 || exit 1 for f in $1/*.[wm][hl][yw] ; do printf " $f... " if $pgm $2 $f > /dev/null 2>&1; then echo "failed! (should have an error)" echo $pgm $2 $f $pgm $2 $f exit 1 fi echo "ok" done } warns () { pgm="bin/why3$suffix prove" test -d $1 || exit 1 rm -f bench_errors for f in $1/*.[wm][hl][yw] ; do printf " $f... " if ! $pgm $2 $f > /dev/null 2>bench_errors; then echo "failed!" echo $pgm $2 $f $pgm $2 $f exit 1 fi if ! test -s bench_errors; then echo "failed! (should have a warning)" echo $pgm $2 $f $pgm $2 $f exit 1 fi echo "ok" done } drivers () { pgm="bin/why3$suffix prove" test -d $1 || exit 1 for f in $1/*.drv; do printf " $f... " # using the basename only, otherwise there would be an # ambiguity signaled, drivers/d.drv being both present in the # current directory and in DATADIR/drivers (they are the same!) b=`basename $f` # running Why if ! echo "theory Test goal G : 1=2 end" | $pgm -F whyml --driver=$b - > /dev/null; then echo "failed!" echo "theory Test goal G : 1=2 end" | $pgm -F whyml --driver=$b - exit 1 fi echo "ok" done } valid_goals () { bin/why3$suffix config list-provers | grep -q Alt-Ergo || return 0 pgm="bin/why3$suffix prove" test -d $1 || exit 1 for f in $1/*.mlw; do printf " $f... " simple_test $pgm -t 15 -P alt-ergo $2 $f done } invalid_goals () { bin/why3$suffix config list-provers | grep -q Alt-Ergo || return 0 pgm="bin/why3$suffix prove" test -d $1 || exit 1 for f in $1/*.mlw; do printf " $f... " if $pgm -t 3 -P alt-ergo $f | grep -q Valid; then echo "failed!" echo $pgm -t 3 -P alt-ergo $f $pgm -t 3 -P alt-ergo $f exit 1 fi echo "ok" done } step_limit () { pgm="bin/why3$suffix prove" test -d $1 || exit 1 provers=`bin/why3$suffix config list-provers | grep 'Alt-Ergo 2\.[3-9]\\.[0-9]$\|CVC4 1\.[6-8]$\|CVC5 1\.[0-9]\.[0-9]$\|Z3 4\.[6-8]\.[0-9]\+$' | tr ' ' ',' | tr -d '()'` for f in $1/*.mlw; do for p in $provers ; do printf " $f (steps limit for $p)... " if $pgm --stepslimit 10 -P $p $f | \ grep -q "Prover result is: Step limit exceeded" ; then echo "ok" else echo "failed!" echo $pgm --stepslimit 10 -P $p $f $pgm --stepslimit 10 -P $p $f exit 1 fi done done } mem_limit () { pgm="bin/why3$suffix prove" test -d $1 || exit 1 provers=`bin/why3$suffix config list-provers | grep 'Alt-Ergo \(2\.3\.3\|2\.4\.1\)$\|CVC4 1\.[78]$\|CVC5 1\.[0-9]\.[0-9]$\|Z3 \(4\.8\.\(4\|10\)\|4\.9\.[0-9]\+\)$' | tr ' ' ',' | tr -d '()'` for f in $1/*.mlw; do for p in $provers ; do if [[ "$p" =~ .*strings.* ]]; then # FIXME: the behavior is different with the strings alternative # (the prover replies Unknown and not Out of memory) # to be investigated echo " $f (memory limit for $p)... skipped " else case `basename "$f"` in is_prime.mlw|syracuse.mlw) # FIXME: these examples makes the gitlab CI fail too often # to be investigated echo " $f (memory limit for $p)... skipped " ;; *) # Testing that at least one run between --memlimit=50 and # --memlimit=30 replies Out of memory seems a reasonable # heuristic steps=1000 highmemlimit=50 lowmemlimit=30 case $p in Alt-Ergo*) steps=5000; highmemlimit=35 ;; CVC4*) steps=100000 ;; CVC5*) steps=100000 ;; Z3*) steps=5000000; lowmemlimit=45 ;; esac printf " $f (memlimit=$highmemlimit, stepslimit=$steps for $p)... " if $pgm --memlimit="$highmemlimit" --timelimit=60 --stepslimit="$steps" -P $p $f | \ grep -q "Prover result is: Out of memory"; then printf "ok\n" else steps="$steps"0 printf "(retrying with memlimit=$lowmemlimit, stepslimit=$steps) " tmp="why3run.out" cmd="$pgm --memlimit=$lowmemlimit --timelimit=60 --stepslimit=$steps -P $p $f" $cmd > $tmp if grep -q "Prover result is: Out of memory" $tmp; then printf "ok\n" rm $tmp else printf "failed!\n" printf "$cmd\n" cat $tmp rm $tmp exit 1 fi fi esac fi done done } replay () { pgm="bin/why3$suffix replay" test -d $1 || exit 1 for f in $1/*/; do printf " $f... " simple_test $pgm $2 $f done } replay_without_shape () { pgm="bin/why3$suffix replay" test=$1 test -d "$test" || exit 1 printf " $test with shapes... " simple_test $pgm "$test" printf " $test without shapes... " noshapes=$(mktemp -d -p $(dirname "$test") "$(basename "$test")-without-shapes.XXXXXXXX") cp "$test/why3session.xml" "$noshapes" if $pgm "$noshapes" > /dev/null 2>&1 ; then echo "ok" rm -rf "$noshapes" else echo "failed!" echo $pgm $noshapes $pgm "$noshapes" rm -rf "$noshapes" exit 1 fi } execute () { pgm="bin/why3$suffix execute" printf " $1... " if $pgm "$@" > /dev/null; then echo "ok" else echo "failed!" echo $pgm "$@" $pgm "$@" exit 1 fi } extract () { dir=$1 dst=$2 for f in $dir/*.mlw; do printf " $f... " g=$(basename -s.mlw $f).$dst if make -C $dir $g > /dev/null 2> /dev/null; then echo "ok" else echo "failed!" make -C $dir clean > /dev/null echo make -C $dir $g make -C $dir $g make -C $dir clean > /dev/null exit 1 fi done make -C $dir clean > /dev/null } extract_and_run () { dir=$1 shift make="make BENCH=yes -C $dir" printf " $dir... clean... " if ! $make clean > /dev/null 2>&1; then echo "failed!" echo $make clean $make clean exit 1 fi printf "extract... " if ! $make extract > /dev/null 2>&1; then echo "failed!" echo $make extract $make extract exit 1 fi printf "compile... " if ! $make > /dev/null 2>&1; then echo "failed!" echo $make $make exit 1 fi printf "execute... " if ! $dir/main.opt "$@" > /dev/null 2>&1; then echo "failed!" echo $dir/main.opt "$@" $dir/main.opt "$@" exit 1 fi printf "doc... " if ! $make doc > /dev/null 2>&1; then echo "failed!" echo $make doc $make doc exit 1 fi echo "ok" } extract_and_test_c () { dir=$1 shift make="make BENCH=yes -C $dir" printf " $dir... clean... " if ! $make clean > /dev/null 2>&1; then echo "failed!" echo $make clean $make clean exit 1 fi printf "extract... " if ! $make extract > /dev/null 2>&1; then echo "failed!" echo $make extract $make extract exit 1 fi printf "compile... " if ! $make build/tests > /dev/null 2>&1; then echo "failed!" echo $make build/tests $make build/tests exit 1 fi printf "execute... " if ! $dir/build/tests > /dev/null 2>&1; then echo "failed!" echo $dir/build/tests $dir/build/tests exit 1 fi echo "ok" } list_stuff () { pgm="bin/why3$suffix" printf " $*... " simple_test $pgm "$@" } test_mlw_printer () { why3="bin/why3$suffix" if ! python3 -m sexpdata 2> /dev/null; then echo "Skipping (Python module sexpdata not installed)" >&2 return fi if ! "$why3" pp --output=sexp <(echo '') > /dev/null 2>&1; then echo "Skipping (s-exp output unavailable in Why3)" >&2 return fi find stdlib examples bench -name '*.mlw' \ -not -path '*/\.*' \ -not -path "bench/parsing/bad/*" \ -not -path "bench/programs/bad-to-keep/*" \ -not -path "examples/in_progress/*" | sort | \ while read filename; do bench/test_mlw_printer "$why3" "$filename" || exit 1 done } rac () { file=$1 mod=$2 shift 2 echo echo "* $mod" echo -n " $mod:" >&2 for expr in "$@"; do echo -n " $expr" >&2 # Add () as argument if there is none [[ $expr != *" "* ]] && expr="$expr ()" echo "** $mod.$expr" bin/why3"$suffix" execute --rac --rac-prover="cvc4" \ "${RACARGS[@]}" "$file" --use="$mod" "$expr" \ --debug="rac:check_term_result" 2>&1 |\ sed "s|$(bin/why3$suffix --print-datadir)|WHY3DATA|g" |\ sed "s|$(bin/why3$suffix --print-libdir)|WHY3LIB|g" done echo >&2 } if enabled stdlib; then echo "=== Checking stdlib ===" goods stdlib goods stdlib/mach echo "" fi if enabled drivers; then echo "=== Checking drivers ===" drivers drivers echo "" fi if enabled badfiles; then echo "=== Checking bad files ===" goods bench/typing/bad --parse-only goods bench/programs/bad-typing --parse-only goods bench/programs/warn-typing --parse-only bads bench/typing/bad --type-only bads bench/programs/bad-typing --type-only warns bench/programs/warn-typing --type-only goods bench/typing/x-bad --type-only plugin_bads bench/plugins/mlcfg/bad --parse-only mlcfg echo "" fi if enabled goodfiles; then echo "=== Checking good files ===" goods bench/typing/good goods bench/typing/x-good --parse-only bads bench/typing/x-good --type-only goods bench/programs/good goods bench/check-ce "-L bench/check-ce" goods src/trywhy3/examples/whyml "--debug=ignore_missing_diverges" goods src/trywhy3/examples/python "--debug=ignore_missing_diverges" goods src/trywhy3/examples/micro-c "--debug=ignore_missing_diverges" goods examples/bts goods examples/tests goods examples/tests-provers goods examples/check-builtin goods examples/logic goods examples goods examples/foveoos11-cm goods examples/WP_revisited goods examples/vacid_0_binary_heaps "-L examples/vacid_0_binary_heaps" goods examples/bitvectors "-L examples/bitvectors" goods examples/avl "-L examples/avl" goods examples/verifythis_2016_matrix_multiplication "-L examples/verifythis_2016_matrix_multiplication" goods examples/double_wp "-L examples/double_wp" goods examples/in_progress/ring_decision "-L examples/in_progress/ring_decision" goods examples/multiprecision "-L examples/multiprecision" goods examples/prover "-L examples/prover --debug=ignore_unused_vars" goods examples/python goods examples/micro-c goods examples/in_progress goods bench/plugins/mlcfg echo "" fi if enabled validgoals; then echo "=== Checking valid goals ===" valid_goals bench/valid echo "" fi if enabled validsplitgoals; then echo "=== Checking splitted valid goals ===" valid_goals bench/valid/split_vc "-a split_vc" echo "" fi if enabled invalidgoals; then echo "=== Checking invalid goals ===" invalid_goals bench/invalid echo "" fi if enabled steplimit; then echo "=== Checking step limits ===" step_limit bench/steplimit echo "" fi if enabled memlimit; then echo "=== Checking memory limits ===" mem_limit bench/memlimit echo "" fi if enabled rac; then echo "=== Checking RAC ===" mlw="examples/tests/rac.mlw" output="examples/tests/rac.out" ( rac "$mlw" Local test1 test2 test3 test4 test5 rac "$mlw" Global test1 test2 rac "$mlw" Functions test1 test2 test3a test3b test4 test5 test6 rac "$mlw" Loops test1 test2 test3 rac "$mlw" Aliasing test1 test2 rac "$mlw" Labels test1 # rac "$mlw" Chars test1 # TODO # rac "$mlw" Strings test1 # TODO rac "$mlw" RecordMutGhost test rac "$mlw" PolyContext test1 test2 rac "$mlw" PolyRefContracts test1 test2a test2b test2c rac "$mlw" RecordPoly test1 test2 test3 rac "$mlw" PolyFunc test1 test2 rac "$mlw" ArrayExec test1 test2 test3 test4 rac "$mlw" Ghost test1 test2 rac "$mlw" Predicates test1 test2 rac "$mlw" Arrays test0 test1 test2 test3 rac "$mlw" Variants loop_var_ok1 loop_var_ok2 loop_var_fail1 loop_var_fail2 loop_custom_variant rac "$mlw" TestUInt64 test rac "$mlw" Premises test1 rac "$mlw" FunctionVariant 'test1 2' 'test2 2' 'test3 2' 'test4 2' 'test5 2' rac "$mlw" ArrayList main ) > "$output" if git diff --exit-code --src-prefix=EXPECTED/ --dst-prefix=ACTUAL/ "$output"; then echo "RAC: ok" else echo "RAC: diff in output $output" exit 1 fi echo "" fi if enabled execution; then echo "=== Checking execution ===" execute examples/euler001.mlw "bench ()" --use=Euler001 execute examples/euler002.mlw "bench ()" --use=Solve execute examples/fibonacci.mlw "bench ()" --use=FibRecGhost execute examples/fibonacci.mlw "bench ()" --use=FibonacciLogarithmic execute examples/hello-world.mlw "main" --use=Test # fails: cannot execute Cany # execute examples/same_fringe.mlw SameFringe.bench # fails: cannot evaluate condition a=b (how to do it?) # execute examples/same_fringe.mlw SameFringe.test5 execute examples/same_fringe.mlw "test1 ()" --use=Test execute examples/vstte12_combinators.mlw "test_SKK ()" --use=Combinators execute examples/selection_sort.mlw "bench ()" --use=SelectionSort execute examples/insertion_sort.mlw "bench ()" --use=InsertionSort execute examples/quicksort.mlw "bench ()" --use=Test execute examples/conjugate.mlw "bench ()" --use=Test # fails: needs support for "val" without code (how to do it?) # examples/vacid_0_sparse_array.mlw Harness.bench execute examples/knuth_prime_numbers.mlw "bench ()" --use=PrimeNumbers execute examples/vstte10_max_sum.mlw "test_case ()" --use=TestCase execute examples/verifythis_fm2012_LRS.mlw "bench ()" --use=LCP_test execute examples/verifythis_fm2012_LRS.mlw "bench ()" --use=SuffixSort_test execute examples/verifythis_fm2012_LRS.mlw "bench ()" --use=SuffixArray_test execute examples/verifythis_fm2012_LRS.mlw "bench ()" --use=LRS_test execute examples/verifythis_PrefixSumRec.mlw "bench ()" --use=PrefixSumRec execute examples/vstte10_queens.mlw "test8 ()" --use=NQueens # fails: "Cannot decide condition of if: (not ((~)((<<)((~)(0), 8)) = 0))" # examples/queens.mlw NQueensBits.test8 # fails: cannot find definition of routine eq # examples/residual.mlw Test.test_astar # test of execution on real numbers; only if mpfr installed if test -n "$has_mpfr"; then # Reals execute bench/interp/real.mlw "test0 ()" --use=R execute bench/interp/real.mlw "test1 ()" --use=R execute bench/interp/real.mlw "test2 ()" --use=R execute bench/interp/real.mlw "test3 ()" --use=R execute bench/interp/real.mlw "test_exp ()" --use=R execute bench/interp/real.mlw "test_log ()" --use=R execute bench/interp/real.mlw "test_exp_log ()" --use=R execute bench/interp/real.mlw "bench1 ()" --use=R execute bench/interp/real.mlw "bench2 ()" --use=R execute bench/interp/real.mlw "bench3 ()" --use=R # Float32 execute bench/interp/float32.mlw "bench1 ()" --use=N execute bench/interp/float32.mlw "bench2 ()" --use=N execute bench/interp/float32.mlw "bench3 ()" --use=N execute bench/interp/float32.mlw "bench4 ()" --use=N execute bench/interp/float32.mlw "bench5 ()" --use=N execute bench/interp/float32.mlw "bench6 ()" --use=N execute bench/interp/float32.mlw "bench7 ()" --use=N execute bench/interp/float32.mlw "bench8 ()" --use=N # Float64 execute bench/interp/float64.mlw "bench1 ()" --use=N execute bench/interp/float64.mlw "bench2 ()" --use=N execute bench/interp/float64.mlw "bench3 ()" --use=N execute bench/interp/float64.mlw "bench4 ()" --use=N execute bench/interp/float64.mlw "bench5 ()" --use=N execute bench/interp/float64.mlw "bench6 ()" --use=N execute bench/interp/float64.mlw "bench7 ()" --use=N execute bench/interp/float64.mlw "bench8 ()" --use=N else echo "MPFR not installed, skipping tests" fi echo "" fi if enabled extraction; then echo "=== Checking extraction to OCaml ===" extract bench/extraction cmo extract_and_run bench/extraction/test extract_and_run examples/euler001 1000000 extract_and_run examples/gcd 6 15 extract_and_run examples/vstte10_max_sum extract_and_run examples/vstte12_combinators "((((K K) K) K) K)" extract_and_run examples/defunctionalization extract_and_run examples/sudoku 2,0,9,0,0,0,0,1,0,0,0,0,0,6,0,0,0,0,0,5,3,8,0,2,7,0,0,3,0,0,0,0,0,0,0,0,0,0,0,0,7,5,0,0,3,0,4,1,2,0,8,9,0,0,0,0,4,0,9,0,0,2,0,8,0,0,0,0,1,0,0,5,0,0,0,0,0,0,0,7,6 echo "" echo "=== Checking extraction to C ===" extract_and_test_c examples/multiprecision extract_and_test_c examples/c_cursor echo "" fi if enabled replay-without-shapes; then echo "=== Checking replay without shapes ===" replay_without_shape examples/tests/replay echo "" fi if enabled replay; then echo "=== Checking replay (no prover) ===" replay bench/replay replay examples/stdlib --merging-only replay examples/bts --merging-only replay examples/tests --merging-only replay examples/tests-provers --merging-only replay examples/check-builtin --merging-only replay examples/logic --merging-only replay examples --merging-only replay examples/foveoos11-cm --merging-only replay examples/WP_revisited --merging-only replay examples/micro-c --merging-only replay examples/python --merging-only replay examples/vacid_0_binary_heaps "-L examples/vacid_0_binary_heaps --merging-only" replay examples/bitvectors "-L examples/bitvectors --merging-only" replay examples/avl "-L examples/avl --merging-only" replay examples/c_cursor "-L examples/c_cursor --merging-only" replay examples/verifythis_2016_matrix_multiplication "-L examples/verifythis_2016_matrix_multiplication --merging-only" replay examples/double_wp "-L examples/double_wp --merging-only" #replay examples/in_progress/ring_decision "-L examples/in_progress/ring_decision --merging-only" replay examples/multiprecision "-L examples/multiprecision --merging-only" replay examples/prover "-L examples/prover --merging-only --debug=ignore_unused_vars" #replay examples/in_progress --merging-only replay examples/mlcfg --merging-only echo "" fi if enabled stackify && test -n "$has_stackify"; then echo "=== Checking stackify ===" replay examples/stackify --merging-only fi if enabled list; then echo "=== Checking lists ===" list_stuff show attributes list_stuff show formats list_stuff show metas list_stuff show printers list_stuff show transformations list_stuff config list-provers list_stuff --list-debug-flags echo "" fi if enabled realizations; then echo "=== Checking realizations ===" bench/check_realizations.sh || exit $? fi if enabled mlwprinter; then echo "=== Checking mlw_printer ===" test_mlw_printer fi if enabled inferloop && test -n "$has_infer"; then echo "=== Checking loop invariant inference with inferloop component ===" bench/infer-bench bench/infer fi if enabled bddinfer && test -n "$has_infer"; then echo "=== Checking loop invariant inference with bddinfer component ===" bench/bddinfer-bench bench/infer fi why3-1.6.0/bench/ce-stats.py000077500000000000000000000122561440160026300155710ustar00rootroot00000000000000#!/usr/bin/env python # Helper script to compute statistics about checking counterexamples. # The script creates 4 files: # - [export_file_raw], a CSV file with columns date / file / prover / # verdict / concrete_RAC / abstract_RAC for each CE that is checked # - [export_file], the same data aggregated according to the verdict # - [export_file_incomplete_small_step], only the data corresponding # to incomplete verdicts, grouped by small-step RAC result # - [export_file_incomplete_giant_step], only the data corresponding # to incomplete verdicts, grouped by giant-step RAC result from datetime import date import os import pandas as pd import re dir = "./bench/check-ce/oracles" export_file_raw = "./data_raw.csv" export_file = "./data.csv" export_file_incomplete_small_step = "./data_incomplete_small_step.csv" export_file_incomplete_giant_step = "./data_incomplete_giant_step.csv" rx_model = re.compile(r"Selected model [0|1]: (?P[A-Z_]*)\n") rx_concrete_RAC = re.compile(r"Concrete RAC: (?P[A-Z_]*)(?P.*)\n") rx_abstract_RAC = re.compile(r"Abstract RAC: (?P[A-Z_]*)(?P.*)\n") rx_dict_incomplete = { "cannot decide": re.compile(r"(.*)cannot be evaluated(.*)"), "cannot import": re.compile(r"(.*)cannot import value(.*)"), "missing return value": re.compile(r"(.*)missing value for return value(.*)"), "many args for exec": re.compile(r"(.*)many args for exec fun(.*)"), "uncaught exception": re.compile(r"(.*)uncaught exception(.*)"), "undefined argument": re.compile(r"(.*)undefined argument(.*)"), } list_of_verdicts = [ "INCOMPLETE", "NC", "BAD_CE", "NC_SW", "SW", ] rx_filepath = re.compile(r"bench/check-ce/oracles/(?P[a-zA-Z0-9-_]*)_(?P

[A-Z0-9,.]*)_[W|S]P.oracle") def _parse_line(line,rx): match = rx.search(line) if match: return match return None def _parse_reason(reason, rx_dict): for key, rx in rx_dict.items(): match = rx.search(reason) if match: return key print ("WARNING! Unknown reason: " + reason) return reason def _add_reason(res, reason, rx_dict): if res in ["FAILURE", "NORMAL", "STUCK"]: return res elif res in ["INCOMPLETE"]: return (res + " " + _parse_reason(reason, rx_dict)) else: print("WARNING! Unknown RAC result: " + res) return res def parse_file(filepath, data, date): with open(filepath, "r") as file_object: filepath = _parse_line(filepath,rx_filepath) if filepath is not None: file = filepath.group("f") prover = filepath.group("p") line = file_object.readline() else: print("WARNING! Could not parse filepath") while line: match = _parse_line(line,rx_model) if match is not None: verdict = match.group("v") line = file_object.readline() match_concrete = _parse_line(line,rx_concrete_RAC) line = file_object.readline() match_abstract = _parse_line(line,rx_abstract_RAC) if (match_concrete is not None) & (match_abstract is not None): concrete_RAC = match_concrete.group("c") reason_concrete = match_concrete.group("cr") abstract_RAC = match_abstract.group("a") reason_abstract = match_abstract.group("ar") if verdict in list_of_verdicts: concrete_RAC = _add_reason(concrete_RAC, reason_concrete, rx_dict_incomplete) abstract_RAC = _add_reason(abstract_RAC, reason_abstract, rx_dict_incomplete) else: print("WARNING! Unknown verdict: " + verdict) data.append( { "date": date, "file": file, "prover": prover, "verdict": verdict, "concrete_RAC": concrete_RAC, "abstract_RAC": abstract_RAC, } ) line = file_object.readline() data = [] date = date.today() print(date) for filename in os.listdir(dir): f = os.path.join(dir, filename) if os.path.isfile(f): if f.endswith(".oracle"): parse_file(f, data, date.strftime("%Y%m%d")) data = pd.DataFrame(data) data.to_csv(export_file_raw, mode="w", header=True) agg_data = data.groupby("date")["verdict"].value_counts().rename("nb") agg_data = pd.DataFrame(agg_data) agg_data.to_csv(export_file, mode="w", header=True) agg_data_incomplete_small_step = data.query('verdict == "INCOMPLETE"').groupby("date")["concrete_RAC"].value_counts().rename("nb") agg_data_incomplete_small_step = pd.DataFrame(agg_data_incomplete_small_step) agg_data_incomplete_small_step.to_csv(export_file_incomplete_small_step, mode="w", header=True) agg_data_incomplete_giant_step = data.query('verdict == "INCOMPLETE"').groupby("date")["abstract_RAC"].value_counts().rename("nb") agg_data_incomplete_giant_step = pd.DataFrame(agg_data_incomplete_giant_step) agg_data_incomplete_giant_step.to_csv(export_file_incomplete_giant_step, mode="w", header=True) why3-1.6.0/bench/check-ce-bench000077500000000000000000000131711440160026300161330ustar00rootroot00000000000000#!/bin/bash set -euo pipefail dir=`dirname $0` updateoracle=false suffix=.opt removeoutfile=true files="" failed="" whydata=$(bin/why3"$suffix" --print-datadir) whylib=$(bin/why3"$suffix" --print-libdir) while test $# != 0; do case "$1" in "--update-oracle") updateoracle=true shift 1 ;; "--keep-out-files") removeoutfile=false shift 1 ;; "--suffix") suffix="$2" shift 2 ;; "-"*) printf "unknown option: %s\n" "$1" printf "usage: check-ce-bench [--update-oracle] [--keep-out-file] [--suffix s] \n" printf " must be given without the '.mlw' suffix.\n" printf " If is empty, use all files from directory 'check-ce'.\n" printf " The suffix is appended on the Why3 executable name, e.g. '.opt'.\n" exit 2 ;; *) files="$files $1" shift 1 esac done if test "$files" = "" ; then files="$dir/check-ce/*.mlw" fi colorize() { if command -v pygmentize &> /dev/null; then pygmentize -ldiff else cat fi } remove_solver_details () { sed -e "s|$whydata|WHY3DATA|g" -e "s|$whylib|WHY3LIB|g" \ | sed 's/ ([0-9.]\+\.[0-9]\+s, [0-9]\+ steps)\.$/\./' \ | sed 's/Prover result is: \(Timeout\.\|Unknown (\(unknown\|incomplete\|unknown + \(incomplete\|interrupted\)\))\.\|Out of memory.\|Step limit exceeded\.\|Step limit exceeded ([^)]*)\.\)$/Prover result is: Unknown or time\/memory\/step limit./' } record_time () { elapsed=$(date +%s%N) } # print elapsed time elapsed_time () { t=$(date +%s%N) d=$(expr $t - $elapsed) # printf "d=${d}\n" l=$(expr length $d) # printf "l=${l}\n" lmn=$(expr $l - 9 || true) if [ "$lmn" = "0" ] ; then d=0"$d" lmn=1 fi # printf "lmn=${lmn}\n" s=$(expr substr "${d}" 1 ${lmn} || true) # printf "s=${s}\n" c=$(expr substr "${d}" ${lmn} 2 || true) # printf "c=${c}\n" elapsed="$s"."$c" # printf "${elapsed}\n" } # $1 = prover # $2 = dir # $3 = filename # $4 = true for WP, false for SP # $5 = steps run () { file_path="$2/$3" debug_vc_sp="" if $4; then f="${file_path}_$1_WP" oracle_file="$2/oracles/$3_$1_WP.oracle" printf "${file_path},WP,$1... " else f="${file_path}_$1_SP" oracle_file="$2/oracles/$3_$1_SP.oracle" debug_vc_sp=",vc_sp" printf "${file_path},SP,$1... " fi steps=$5 if [ "$3" = "strings" ] && [[ $1 == CVC* ]] ; then prover="$1,strings+counterexamples" else prover="$1,counterexamples" fi # one may add reduction_cont_size,stack_trace, in # the debug flags below to test cont_invariant in reduction engine # (note that stack trace may be more detailed with bytecode) record_time ($dir/../bin/why3"$suffix" prove -a split_vc -P $prover\ --stepslimit=$steps --timelimit=10 \ --rac-steplimit=$steps --rac-timelimit=10 \ --check-ce --rac-prover="$1" --ce-log-verbosity=5 \ --library="$2" "${file_path}.mlw" \ --debug=check_ce:categorization${debug_vc_sp} \ || true) 2>&1 \ | remove_solver_details \ > "$f.out" elapsed_time str_out=$(cat "$f.out") if [ -e "$oracle_file" ]; then str_oracle=$(cat "$oracle_file") else str_oracle="" fi if [ "$str_oracle" = "$str_out" ] ; then echo "OK (in ${elapsed}s)" else if $updateoracle; then echo "Updating oracle" cp "$f.out" "${oracle_file}" else echo "FAILED" echo "diff is the following:" (diff -u "$oracle_file" "$f.out" \ || [ $? -eq 1 ])|colorize failed="$failed$f\n" fi fi if $removeoutfile; then rm "$f.out" fi } start=$(date +%s) for file in $files; do filedir=`dirname $file` filebase=`basename $file .mlw` if [ "$filebase" = "maps_poly" -o "$filebase" = "maps_mono" ] ; then echo "Skipping tests on $filedir/$filebase.mlw"; else printf "# Running provers on $filedir/$filebase.mlw\n"; cvc4steps=150000 cvc5steps=150000 z3steps=3000000 case "$filebase" in "640_no_loc_failure") z3steps=500000 ;; "657") z3steps=500000 ;; "668_projection") z3steps=500000 ;; "bv32") z3steps=2500000 ;; "bv32_mono") z3steps=100000 ;; "bv32_toBig") z3steps=100000 ;; "floats") z3steps=400000 ;; "int_overflow") z3steps=400000 ;; "loop_inv_real") z3steps=1000000 ;; "maps_poly") cvc5steps=300000 ;; "strings") z3steps=3000 ;; "threshold") z3steps=500000 ;; *) ;; esac run CVC4,1.8 $filedir $filebase true $cvc4steps run CVC4,1.8 $filedir $filebase false $cvc4steps run CVC5,1.0.0 $filedir $filebase true $cvc5steps run CVC5,1.0.0 $filedir $filebase false $cvc5steps run Z3,4.8.10 $filedir $filebase true $z3steps run Z3,4.8.10 $filedir $filebase false $z3steps fi done # Check the reproduction of the experiments by Petiot (2018). if $updateoracle; then updatearg="--updateoracle" else updatearg="" fi # $1 = prover # $2 = stepslimit petiot () { bench/check-ce/petiot2018/experiments.sh \ --prover $1 --rac-prover $1 \ --ce-prover $1,counterexamples --stepslimit $2 \ $updatearg if [ $? = 1 ]; then failed="${failed}Petiot experiments with $1.\n"; fi } petiot Z3,4.8.10 500000 petiot CVC4,1.8 10000 petiot CVC5,1.0.0 10000 end=$(date +%s) runtime=$((end-start)) if [ "$failed" = "" ]; then echo "check-ce-bench: success (runtime = $runtime seconds)" exit 0 else printf "\ncheck-ce-bench: failed for the following files (runtime = $runtime seconds)\n$failed\n" exit 1 fi why3-1.6.0/bench/check-ce/000077500000000000000000000000001440160026300151255ustar00rootroot00000000000000why3-1.6.0/bench/check-ce/614.mlw000066400000000000000000000001241440160026300161550ustar00rootroot00000000000000 use int.Int let f (x : int) : unit = check { [@expl:e] (0 < x \/ x < 0) }; () why3-1.6.0/bench/check-ce/615.mlw000066400000000000000000000001301440160026300161530ustar00rootroot00000000000000use int.Int let f (t : int) (x : int) : unit = check { 0 <= x /\ x <= 0 }; () why3-1.6.0/bench/check-ce/640_no_loc_failure.mlw000066400000000000000000000006161440160026300212220ustar00rootroot00000000000000module WrongLocationFound use bv.BV64 as BV64 goal wrong : ([@vc:annotation] forall x : BV64.t. BV64.sle x (0x29 : BV64.t)) end module WrongLocationFoundBis use bv.BV64 as BV64 lemma wrong : ([@model_vc_post] forall x : BV64.t. BV64.sle x (0x29 : BV64.t)) end module WrongLocationNotFound use bv.BV64 as BV64 lemma wrong : (forall x : BV64.t. BV64.sle x (0x29 : BV64.t)) end why3-1.6.0/bench/check-ce/657.mlw000066400000000000000000000004631440160026300161720ustar00rootroot00000000000000use bv.BV32 as BV32 use bv.BV64 as BV64 use bv.BVConverter_32_64 as C val u (i : BV64.t) : () requires { BV64.sle i (10:BV64.t) } let ok (i : BV32.t) : () = u (C.toBig i) let ko (i : BV32.t) : () = u (C.stoBig i) let ko2 (i : BV32.t) : BV64.t ensures { BV64.sle (0:BV64.t) result } = C.stoBig i why3-1.6.0/bench/check-ce/668_projection.mlw000066400000000000000000000004711440160026300204270ustar00rootroot00000000000000module Int32 type t = < range -0x8000_0000 0x7fff_ffff > end module Main_module use Int32 use bv.BV64 let rec f (n : Int32.t) (min : Int32.t) : Int32.t ensures { Int32.t'int min = Int32.t'int result } = n let rec g (n : Int32.t) (min : Int32.t) : Int32.t ensures { min = result } = n end why3-1.6.0/bench/check-ce/703_reduce_term.mlw000066400000000000000000000566341440160026300205530ustar00rootroot00000000000000module Use_flags__base use int.Int use bv.BV32 as BV32 val function base : BV32.t end module Flags__Oor use int.Int use bv.BV32 as BV32 val function oor (param__l: BV32.t) (param__r: BV32.t) : BV32.t val function oor__function_guard (temp___result_168: BV32.t) (param__l: BV32.t) (param__r: BV32.t) : BV32.t end module Flags__Oand use int.Int use bv.BV32 as BV32 val function oand (param__l: BV32.t) (param__r: BV32.t) : BV32.t val function oand__function_guard (temp___result_169: BV32.t) (param__l: BV32.t) (param__r: BV32.t) : BV32.t end module Use_flags__local___axiom use int.Int use bv.BV32 as BV32 use Flags__Oor as Flags__Oor use Flags__Oand as Flags__Oand val local (param__f: BV32.t) : unit requires { ((let temp___260 = let temp___258 = 16777216 : BV32.t in let temp___257 = let temp___255 = 8388608 : BV32.t in let temp___254 = let temp___252 = 4194304 : BV32.t in let temp___251 = let temp___249 = 2097152 : BV32.t in let temp___248 = let temp___246 = 1048576 : BV32.t in let temp___245 = let temp___243 = 524288 : BV32.t in let temp___242 = let temp___240 = 262144 : BV32.t in let temp___239 = let temp___237 = 131072 : BV32.t in let temp___236 = let temp___234 = 65536 : BV32.t in let temp___233 = let temp___231 = 32768 : BV32.t in let temp___230 = let temp___228 = 16384 : BV32.t in let temp___227 = let temp___225 = 8192 : BV32.t in let temp___224 = let temp___222 = 4096 : BV32.t in let temp___221 = let temp___219 = 2048 : BV32.t in let temp___218 = let temp___216 = 1024 : BV32.t in let temp___215 = let temp___213 = 512 : BV32.t in let temp___212 = let temp___210 = 256 : BV32.t in let temp___209 = let temp___207 = 128 : BV32.t in let temp___206 = let temp___204 = 64 : BV32.t in let temp___203 = let temp___201 = 32 : BV32.t in let temp___200 = let temp___198 = 16 : BV32.t in let temp___197 = let temp___195 = 8 : BV32.t in let temp___194 = let temp___192 = 4 : BV32.t in let temp___191 = let temp___189 = 2 : BV32.t in let temp___188 = let temp___186 = 1 : BV32.t in let temp___185 = 0 : BV32.t in let temp___result_184: BV32.t = ([@rac:call_id:1] (Flags__Oor.oor temp___185 temp___186)) in ([@rac:call_id:2] (Flags__Oor.oor__function_guard temp___result_184 temp___185 temp___186)) in let temp___result_187: BV32.t = ([@rac:call_id:3] (Flags__Oor.oor temp___188 temp___189)) in ([@rac:call_id:4] (Flags__Oor.oor__function_guard temp___result_187 temp___188 temp___189)) in let temp___result_190: BV32.t = ([@rac:call_id:5] (Flags__Oor.oor temp___191 temp___192)) in ([@rac:call_id:6] (Flags__Oor.oor__function_guard temp___result_190 temp___191 temp___192)) in let temp___result_193: BV32.t = ([@rac:call_id:7] (Flags__Oor.oor temp___194 temp___195)) in ([@rac:call_id:8] (Flags__Oor.oor__function_guard temp___result_193 temp___194 temp___195)) in let temp___result_196: BV32.t = ([@rac:call_id:9] (Flags__Oor.oor temp___197 temp___198)) in ([@rac:call_id:10] (Flags__Oor.oor__function_guard temp___result_196 temp___197 temp___198)) in let temp___result_199: BV32.t = ([@rac:call_id:11] (Flags__Oor.oor temp___200 temp___201)) in ([@rac:call_id:12] (Flags__Oor.oor__function_guard temp___result_199 temp___200 temp___201)) in let temp___result_202: BV32.t = ([@rac:call_id:13] (Flags__Oor.oor temp___203 temp___204)) in ([@rac:call_id:14] (Flags__Oor.oor__function_guard temp___result_202 temp___203 temp___204)) in let temp___result_205: BV32.t = ([@rac:call_id:15] (Flags__Oor.oor temp___206 temp___207)) in ([@rac:call_id:16] (Flags__Oor.oor__function_guard temp___result_205 temp___206 temp___207)) in let temp___result_208: BV32.t = ([@rac:call_id:17] (Flags__Oor.oor temp___209 temp___210)) in ([@rac:call_id:18] (Flags__Oor.oor__function_guard temp___result_208 temp___209 temp___210)) in let temp___result_211: BV32.t = ([@rac:call_id:19] (Flags__Oor.oor temp___212 temp___213)) in ([@rac:call_id:20] (Flags__Oor.oor__function_guard temp___result_211 temp___212 temp___213)) in let temp___result_214: BV32.t = ([@rac:call_id:21] (Flags__Oor.oor temp___215 temp___216)) in ([@rac:call_id:22] (Flags__Oor.oor__function_guard temp___result_214 temp___215 temp___216)) in let temp___result_217: BV32.t = ([@rac:call_id:23] (Flags__Oor.oor temp___218 temp___219)) in ([@rac:call_id:24] (Flags__Oor.oor__function_guard temp___result_217 temp___218 temp___219)) in let temp___result_220: BV32.t = ([@rac:call_id:25] (Flags__Oor.oor temp___221 temp___222)) in ([@rac:call_id:26] (Flags__Oor.oor__function_guard temp___result_220 temp___221 temp___222)) in let temp___result_223: BV32.t = ([@rac:call_id:27] (Flags__Oor.oor temp___224 temp___225)) in ([@rac:call_id:28] (Flags__Oor.oor__function_guard temp___result_223 temp___224 temp___225)) in let temp___result_226: BV32.t = ([@rac:call_id:29] (Flags__Oor.oor temp___227 temp___228)) in ([@rac:call_id:30] (Flags__Oor.oor__function_guard temp___result_226 temp___227 temp___228)) in let temp___result_229: BV32.t = ([@rac:call_id:31] (Flags__Oor.oor temp___230 temp___231)) in ([@rac:call_id:32] (Flags__Oor.oor__function_guard temp___result_229 temp___230 temp___231)) in let temp___result_232: BV32.t = ([@rac:call_id:33] (Flags__Oor.oor temp___233 temp___234)) in ([@rac:call_id:34] (Flags__Oor.oor__function_guard temp___result_232 temp___233 temp___234)) in let temp___result_235: BV32.t = ([@rac:call_id:35] (Flags__Oor.oor temp___236 temp___237)) in ([@rac:call_id:36] (Flags__Oor.oor__function_guard temp___result_235 temp___236 temp___237)) in let temp___result_238: BV32.t = ([@rac:call_id:37] (Flags__Oor.oor temp___239 temp___240)) in ([@rac:call_id:38] (Flags__Oor.oor__function_guard temp___result_238 temp___239 temp___240)) in let temp___result_241: BV32.t = ([@rac:call_id:39] (Flags__Oor.oor temp___242 temp___243)) in ([@rac:call_id:40] (Flags__Oor.oor__function_guard temp___result_241 temp___242 temp___243)) in let temp___result_244: BV32.t = ([@rac:call_id:41] (Flags__Oor.oor temp___245 temp___246)) in ([@rac:call_id:42] (Flags__Oor.oor__function_guard temp___result_244 temp___245 temp___246)) in let temp___result_247: BV32.t = ([@rac:call_id:43] (Flags__Oor.oor temp___248 temp___249)) in ([@rac:call_id:44] (Flags__Oor.oor__function_guard temp___result_247 temp___248 temp___249)) in let temp___result_250: BV32.t = ([@rac:call_id:45] (Flags__Oor.oor temp___251 temp___252)) in ([@rac:call_id:46] (Flags__Oor.oor__function_guard temp___result_250 temp___251 temp___252)) in let temp___result_253: BV32.t = ([@rac:call_id:47] (Flags__Oor.oor temp___254 temp___255)) in ([@rac:call_id:48] (Flags__Oor.oor__function_guard temp___result_253 temp___254 temp___255)) in let temp___result_256: BV32.t = ([@rac:call_id:49] (Flags__Oor.oor temp___257 temp___258)) in ([@rac:call_id:50] (Flags__Oor.oor__function_guard temp___result_256 temp___257 temp___258)) in let temp___result_259: BV32.t = ([@rac:call_id:51] (Flags__Oand.oand param__f temp___260)) in ([@rac:call_id:52] (Flags__Oand.oand__function_guard temp___result_259 param__f temp___260))) = param__f) } ensures { true } end module Use_flags__subprogram_def use int.Int use bv.BV32 as BV32 use Use_flags__base as Use_flags__base use Flags__Oor as Flags__Oor use Flags__Oand as Flags__Oand use Use_flags__local___axiom as Use_flags__local___axiom (*meta "compute_max_steps" 10*) let def (__void_param : unit) = Use_flags__local___axiom.local Use_flags__base.base endwhy3-1.6.0/bench/check-ce/algebraic_types_mono.mlw000066400000000000000000000007271440160026300220410ustar00rootroot00000000000000module M use int.Int type int_type = Integer int goal G : forall x : int_type. match x with Integer y -> y > 0 end type t = A | B int goal g2: forall x. x = A goal g4: forall x. x = B 0 type u = Au int int goal g5: forall x. x = Au 0 0 type mylist = | Nil | Cons int mylist let rec function len l = match l with | Nil -> 0 | Cons _ l' -> 1 + len l' end goal g1: forall l: mylist. len l = 0 goal g7: forall l: mylist. l = Nil end why3-1.6.0/bench/check-ce/algebraic_types_poly.mlw000066400000000000000000000016331440160026300220510ustar00rootroot00000000000000module M use int.Int use list.List use list.Length goal g: forall l: list int. length l = 0 type int_type = Integer int (********************************* ** Non-terminating projections ** *********************************) (* Warning: if definition of the following projections are present, the proof of everything below will not terminate. *) function projfl [@model_trace:.projfl] (l : list int_type) : int = match l with | Nil -> 0 | Cons (Integer n) _ -> n | _ -> 0 end meta "inline:no" function projfl meta "model_projection" function projfl (* list int_type will be projected using projfl to int, int will be projected using projfi, projf1, and projf2 Warning: does not terminate. *) let proj_test ( l [@model_projected] : list int_type) : int ensures { result > 0 } = match l with | Nil -> 1 | Cons (Integer n) _ -> n | _ -> 1 end end why3-1.6.0/bench/check-ce/anonymous1.mlw000066400000000000000000000004471440160026300177640ustar00rootroot00000000000000 use int.Int let f (x: int) = let w = (fun y -> y + 2) x in assert {w = x + 1} (* Why3 intermediate form let f (x:int) : () = let w = let h (y:int) : int ensures { result = (y + 2) } = let o = 2 in y + o in h x in assert { w = (x + 1) } *)why3-1.6.0/bench/check-ce/anonymous2.mlw000066400000000000000000000011131440160026300177540ustar00rootroot00000000000000use int.Int val ref z: int let f (x: int) requires { x > 0 } = z <- 0; (fun y -> z <- z + y) x; assert { z > 0 } (* Why3 intermediate form let f (x:int) : () reads { z } writes { (z:ref int @rho).contents } covers { z:ref int @rho } requires { x > 0 } = let o = 0 in (z:ref int).contents <- o; let h (y:int) : () reads { z } writes { (z:ref int @rho).contents } covers { z:ref int @rho } = let o = let o1 = contents z in o1 + y in (z:ref int).contents <- o in h x; assert { contents z > 0 } *)why3-1.6.0/bench/check-ce/anonymous3.mlw000066400000000000000000000001411440160026300177550ustar00rootroot00000000000000 use int.Int let f (x: int) = (fun y -> y + x) let g (y: int) ensures { result > y } = f y y why3-1.6.0/bench/check-ce/anonymous4.mlw000066400000000000000000000002101440160026300177530ustar00rootroot00000000000000 use int.Int let f (x: int) = (fun y -> assume {y > 0}; y + x) let g (y: int) requires { y >= 0 } ensures { result > y } = f y y why3-1.6.0/bench/check-ce/anonymous5.mlw000066400000000000000000000001511440160026300177600ustar00rootroot00000000000000 use int.Int let f (x: int) = (fun y z -> z + y + x) let g (y: int) ensures { result > y } = f y y y why3-1.6.0/bench/check-ce/anonymous6.mlw000066400000000000000000000001471440160026300177660ustar00rootroot00000000000000 use int.Int let f () = let ref z = 0 in begin ensures { 1 < z < 4 } z <- 2 end; assert {z = 2}why3-1.6.0/bench/check-ce/anonymous6_mono.mlw000066400000000000000000000002251440160026300210130ustar00rootroot00000000000000 use int.Int type t = { mutable c : int } let f () = let z : t = { c = 0 } in begin ensures { 1 < z.c < 4 } z.c <- 2 end; assert {z.c = 2} why3-1.6.0/bench/check-ce/array_mono.mlw000066400000000000000000000016131440160026300200150ustar00rootroot00000000000000 module Array use int.Int use map.Map type array = private { mutable ghost elts : int -> int; length : int } invariant { 0 <= length } function ([]) (a: array) (i: int) : int = a.elts i val ([]) (a: array) (i: int) : int requires { [@expl:index in array bounds] 0 <= i < length a } ensures { result = a[i] } val ghost function ([<-]) (a: array) (i: int) (v: int): array ensures { result.length = a.length } ensures { result.elts = Map.set a.elts i v } val ([]<-) (a: array) (i: int) (v: int) : unit writes {a} requires { [@expl:index in array bounds] 0 <= i < length a } ensures { a.elts = Map.set (old a).elts i v } ensures { a = (old a)[i <- v] } end module A use int.Int use Array let f1 (a:array) : int = a[0] let f2 (a:array) : unit requires { a.length >= 2 } ensures { a[0] <> a[1] } = a[0] <- 42 end why3-1.6.0/bench/check-ce/array_poly.mlw000066400000000000000000000006761440160026300200400ustar00rootroot00000000000000 module A use int.Int use array.Array let f1 (a:array int) : int = a[0] let f2 (a:array int) : unit requires { a.length >= 2 } ensures { a[0] <> a[1] } = a[0] <- 42 end module B use int.Int use array.Array clone array.Sorted with type elt=int, predicate le=(<=) let f1 (a:array int) : unit ensures { sorted a } = () let f2 (a:array int) : array int ensures { sorted result } = a endwhy3-1.6.0/bench/check-ce/array_records_mono.mlw000066400000000000000000000034251440160026300215410ustar00rootroot00000000000000module ArrayRecords use int.Int use map.Map type value = int type index = int function to_rep value: int meta "model_projection" function to_rep type basic_record = { flag [@model_trace:flag] : bool; first_value [@model_trace:first_val] : value; second_value [@model_trace:sec_val] : value; } type array_of_records = private { mutable ghost elts : int -> basic_record; length : int } invariant { 0 <= length } function ([]) (a: array_of_records) (i: int) : basic_record = a.elts i val ([]) (a: array_of_records) (i: int) : basic_record requires { [@expl:index in array bounds] 0 <= i < length a } ensures { result = a[i] } val ghost function ([<-]) (a: array_of_records) (i: int) (v: basic_record): array_of_records ensures { result.length = a.length } ensures { result.elts = Map.set a.elts i v } val ([]<-) (a: array_of_records) (i: int) (v: basic_record) : unit writes {a} requires { [@expl:index in array bounds] 0 <= i < length a } ensures { a.elts = Map.set (old a).elts i v } ensures { a = (old a)[i <- v] } end module Test use int.Int use ArrayRecords let var_overwrite (a: array_of_records) (i: int) : unit requires { a[i] = {flag = true; first_value = 3; second_value = 5}} ensures { a[i].first_value = 42 } = a[i] <- {flag = a[i].flag; first_value= a[i].first_value; second_value = 69}; a[i] <- {flag = a[i].flag; first_value= 42; second_value = a[i].second_value}; a[i] <- {flag = a[i].flag; first_value= 23; second_value = a[i].second_value}; a[i] <- {flag = false; first_value= a[i].first_value; second_value = a[i].second_value}; assert {a[i].second_value = 69}; end why3-1.6.0/bench/check-ce/array_records_poly.mlw000066400000000000000000000017201440160026300215500ustar00rootroot00000000000000 module Array_records use int.Int use array.Array type value = int type index = int function to_rep value: int meta "model_projection" function to_rep type basic_record = { flag [@model_trace:flag] : bool; first_value [@model_trace:first_val] : value; second_value [@model_trace:sec_val] : value; } type array_of_records = array basic_record let var_overwrite (a: array_of_records) (i: int) : unit requires { a[i] = {flag = true; first_value = 3; second_value = 5}} ensures { a[i].first_value = 42 } = a[i] <- {flag = a[i].flag; first_value= a[i].first_value; second_value = 69}; a[i] <- {flag = a[i].flag; first_value= 42; second_value = a[i].second_value}; a[i] <- {flag = a[i].flag; first_value= 23; second_value = a[i].second_value}; a[i] <- {flag = false; first_value= a[i].first_value; second_value = a[i].second_value}; assert {a[i].second_value = 69}; end why3-1.6.0/bench/check-ce/attributes.mlw000066400000000000000000000005551440160026300200410ustar00rootroot00000000000000 use int.Int let f () diverges = let ref x = 0 in [@loop1] while x < 10 do x <- x + 3 done; [@loop2] while x < 100 do x <- x + 7 done; [@loop3] while x < 1000 do x <- x + 10; assert { x < 200 } done val h (ref y:int) : unit writes { y } ensures { y > old y } let g () = let ref x = 0 in [@call1] h x; [@call2] h x; assert { x < 200 } why3-1.6.0/bench/check-ce/attributes_mono.mlw000066400000000000000000000006511440160026300210660ustar00rootroot00000000000000 use int.Int type t = { mutable c : int } let f () diverges = let x = { c = 0 } in [@loop1] while x.c < 10 do x.c <- x.c + 3 done; [@loop2] while x.c < 100 do x.c <- x.c + 7 done; [@loop3] while x.c < 1000 do x.c <- x.c + 10; assert { x.c < 200 } done val h (y:t) : unit writes { y.c } ensures { y.c > old y.c } let g () = let x = { c = 0 } in [@call1] h x; [@call2] h x; assert { x.c < 200 } why3-1.6.0/bench/check-ce/blackbox.mlw000066400000000000000000000003351440160026300174340ustar00rootroot00000000000000 use int.Int function g int : bool val f (y:int) : bool ensures { result = g y } val ref t : int let main (x:int) = t <- 0; begin ensures { true } let b = f 1 in assert { b } end; assert { x > 0 } why3-1.6.0/bench/check-ce/bv32.mlw000066400000000000000000000005541440160026300164260ustar00rootroot00000000000000module Ce_int32bv use mach.bv.BVCheck32 type bv32 = BVCheck32.t let dummy_update (ref r : bv32) requires { r = (0x22:bv32) } ensures { r = (0x42:bv32) } = r <- (0x42:bv32); r <- add r r let dummy_update_with_int (ref r : bv32) requires { t'int r = 0x22 } ensures { t'int r = 0x42 } = r <- (0x42:bv32); r <- add r r end why3-1.6.0/bench/check-ce/bv32_mono.mlw000066400000000000000000000006261440160026300174560ustar00rootroot00000000000000module Ce_int32bv use mach.bv.BVCheck32 type bv32 = BVCheck32.t type t = { mutable c : bv32 } let dummy_update (r : t) requires { r.c = (0x22:bv32) } ensures { r.c = (0x42:bv32) } = r.c <- (0x42:bv32); r.c <- add r.c r.c let dummy_update_with_int (r : t) requires { t'int r.c = 0x22 } ensures { t'int r.c = 0x42 } = r.c <- (0x42:bv32); r.c <- add r.c r.c end why3-1.6.0/bench/check-ce/bv32_toBig.mlw000066400000000000000000000011711440160026300175460ustar00rootroot00000000000000use bv.BV32 as BV32 use bv.BV64 as BV64 use bv.BVConverter_32_64 as C val u (i : BV64.t) : () requires { BV64.sle (10:BV64.t) i } let ok (i : BV32.t) : () = u (C.toBig i) let ko (i : BV32.t) : () = u (C.stoBig i) let ko2 (i : BV32.t) : BV64.t ensures { BV64.sle (0:BV64.t) result } = C.stoBig i (* See https://gitlab.inria.fr/why3/why3/-/issues/657 This command: why3 prove pb.mlw -P "CVC4,1.8,counterexamples" --check-ce --rac-prover cvc4 finds counter-examples for ok, ko and ko2 but the RAC can only confirm that the one for ok is a valid cex. Fixed by https://gitlab.inria.fr/why3/why3/-/merge_requests/696 *) why3-1.6.0/bench/check-ce/call-val-function.mlw000066400000000000000000000010041440160026300211570ustar00rootroot00000000000000module OK use int.Int val f (x:int) : int ensures { result > x } let main (y:int) ensures { result <> 44 } = let z = f y in z+1 end module KO1 use int.Int function f(x:int) : int axiom f_def : forall x. f x = x+1 val f (x:int) : int ensures { result = f x } let main (y:int) ensures { result <> 44 } = let z = f y in z+1 end module KO2 use int.Int val function f(x:int) : int axiom f_def : forall x. f x = x+1 let main (y:int) ensures { result <> 44 } = let z = f y in z+1 end why3-1.6.0/bench/check-ce/double_projection.mlw000066400000000000000000000004711440160026300213560ustar00rootroot00000000000000 module Test use int.Int type t function d (x : t) : int meta "model_projection" function d function c (x : t) : int meta "model_projection" function c (* Here the counterexample should not be a record *) let f (x: t) : (_t: t) requires { c x > 0 } ensures { d x < 0 } = x end why3-1.6.0/bench/check-ce/falseCE.mlw000066400000000000000000000005501440160026300171500ustar00rootroot00000000000000(* Taken from Sylvain Dailler, David Hauzar, Claude Marché, Yannick Moy: Instrumenting a weakest precondition calculus for counterexample generation. J. Log. Algebraic Methods Program. 99: 97-113 (2018) Example 15 *) use int.Int let rsa (a b: int) requires { a >= 2 /\ b >= 2 } = let c = 12166397 in assert { a * b <> c } (* 3407 * 3571 = 12166397 *)why3-1.6.0/bench/check-ce/fide21.mlw000066400000000000000000000004151440160026300167200ustar00rootroot00000000000000 use int.Int val ref x : int let set_x (n:int) : unit ensures { x > n } = x <- n + 1 let main () : unit = x <- 0; set_x 2; assert { x = 3 } let incr (x:int) : int ensures { result > x } = x+1 let test () = let y = incr 1 in assert { y = 2 } why3-1.6.0/bench/check-ce/floats.mlw000066400000000000000000000035171440160026300171440ustar00rootroot00000000000000theory T32 use ieee_float.Float32 goal g1 : forall x:t. t'isFinite x -> eq x (0.0:t) goal g2 : forall x:t. t'isFinite x -> eq x (1.25:t) goal g3 : forall x:t. not (eq x (0.0:t)) goal g4 : forall x:t. not (eq x (1.25:t)) goal g5 : forall x:t. not (ge x (4.25:t)) goal g6 : forall x:t. eq x x goal g7 : forall x:t. t'isFinite x -> gt (add RNE x (1.0:t)) x goal g8 : forall x:t. not (eq x (div RNE (1.0:t) (0.0:t))) goal g9 : forall x:t. gt x (0.0:t) -> gt (div RNE x (2.0:t)) (0.0:t) (** should give the smallest positive, i.e., 2^{-149} *) goal g10: forall x:t. not (ge (mul RNE (10.0:t) x) (1.0:t) /\ (le (mul RTZ (10.0:t) x) (1.0:t))) goal g11: forall x:t. not (eq x (0x1p-126:t)) (** 2^{-126} is normal *) goal g12: forall x:t. not (eq x (0x0.FFFFFEp-126:t)) (** prec of 2^{-126} is subnormal *) goal g13: forall x:t. not (eq x (0x1p-127:t)) (** 2^{-127} is subnormal *) end theory T64 use ieee_float.Float64 goal g1 : forall x:t. t'isFinite x -> eq x (0.0:t) goal g2 : forall x:t. t'isFinite x -> eq x (1.25:t) goal g3 : forall x:t. not (eq x (0.0:t)) goal g4 : forall x:t. not (eq x (1.25:t)) goal g5 : forall x:t. not (ge x (4.25:t)) goal g6 : forall x:t. eq x x goal g7 : forall x:t. t'isFinite x -> gt (add RNE x (1.0:t)) x goal g8 : forall x:t. not (eq x (div RNE (1.0:t) (0.0:t))) goal g9 : forall x:t. gt x (0.0:t) -> gt (div RNE x (2.0:t)) (0.0:t) (** should give the smallest positive, i.e., 2^{-1074} *) goal g10: forall x:t. not (ge (mul RNE (10.0:t) x) (1.0:t) /\ (le (mul RTZ (10.0:t) x) (1.0:t))) goal g11: forall x:t. not (eq x (0x1p-1022:t)) (** 2^{-1022} is normal *) goal g12: forall x:t. not (eq x (0x0.FFFFFFFFFFFFFp-1022:t)) (** prec of 2^{-1022} is subnormal *) goal g13: forall x:t. not (eq x (0x1p-1023:t)) (** 2^{-1023} is subnormal *) end why3-1.6.0/bench/check-ce/for.mlw000066400000000000000000000007761440160026300164460ustar00rootroot00000000000000 use int.Int let f () = let ref x1 = 0 in let ref x2 = 0 in for i = 0 to 1 do invariant { i > 0 -> x1 = 1 } if i = 0 then x1 <- x1 + 1 else x2 <- x2 + 1 done (* counterexamle: `x1 = -1`, `i = 0` at the beggining of the loop. The execution of `f` with the counterexample: - terminates normally if executed concretly; - terminates in error if executed abstractly (invariant preservation fails) It is a real counterexample due to underspecification (weak loop invariant). *)why3-1.6.0/bench/check-ce/for1.mlw000066400000000000000000000006761440160026300165260ustar00rootroot00000000000000use int.Int let f () ensures { result = 2 } = let ref x = 0 in for i = 0 to 1 do invariant { x >= 0 } x <- x + 1 done; x (* counterexamle: `x = 0`, `i = 2` at beggining of loop. The execution of `f` with the counterexample: - terminates normally if executed concretly; - terminates in error if executed abstractly (postcondition fails) It is a real counterexample due to underspecification (weak loop invariant). *) why3-1.6.0/bench/check-ce/for1_mono.mlw000066400000000000000000000007501440160026300175470ustar00rootroot00000000000000use int.Int type t = { mutable c : int } let f () ensures { result = 2 } = let x = { c = 0 } in for i = 0 to 1 do invariant { x.c >= 0 } x.c <- x.c + 1 done; x.c (* counterexamle: `x = 0`, `i = 2` at beggining of loop. The execution of `f` with the counterexample: - terminates normally if executed concretly; - terminates in error if executed abstractly (postcondition fails) It is a real counterexample due to underspecification (weak loop invariant). *) why3-1.6.0/bench/check-ce/for_mono.mlw000066400000000000000000000010571440160026300174670ustar00rootroot00000000000000 use int.Int type t = { mutable c : int } let f () = let x1 = { c = 0 } in let x2 = { c = 0 } in for i = 0 to 1 do invariant { i > 0 -> x1.c = 1 } if i = 0 then x1.c <- x1.c + 1 else x2.c <- x2.c + 1 done (* counterexamle: `x1 = -1`, `i = 0` at the beggining of the loop. The execution of `f` with the counterexample: - terminates normally if executed concretly; - terminates in error if executed abstractly (invariant preservation fails) It is a real counterexample due to underspecification (weak loop invariant). *) why3-1.6.0/bench/check-ce/func_call.mlw000066400000000000000000000002141440160026300175710ustar00rootroot00000000000000 use int.Int val ref z: int let g () writes { z } ensures { z > old z } = z <- z + 1 let f () = z <- 0; g (); assert { z = 1 } why3-1.6.0/bench/check-ce/func_call1.mlw000066400000000000000000000003071440160026300176550ustar00rootroot00000000000000 use int.Int val ref z: int let g (x: int) writes { z } ensures { z > old z } ensures { result = x + 1 } = z <- z + 1; x + 1 let f () = z <- 0; let w = g (2) + 3 in assert { z = 1 } why3-1.6.0/bench/check-ce/func_call1_mono.mlw000066400000000000000000000003531440160026300207060ustar00rootroot00000000000000 use int.Int type t = { mutable c : int } val z: t let g (x: int) writes { z.c } ensures { z.c > old z.c } ensures { result = x + 1 } = z.c <- z.c + 1; x + 1 let f () = z.c <- 0; let w = g 2 + 3 in assert { z.c = 1 } why3-1.6.0/bench/check-ce/func_call2.mlw000066400000000000000000000002071440160026300176550ustar00rootroot00000000000000 use int.Int val ref z: int let g (x: int) writes { z } ensures { z > old z } ensures { result = x + 2 } = z <- z + 1; x + 1 why3-1.6.0/bench/check-ce/func_call3.mlw000066400000000000000000000002071440160026300176560ustar00rootroot00000000000000 use int.Int val ref z: int let g (x: int) writes { z } ensures { z > old z } returns { r -> r = x + 2 } = z <- z + 1; x + 1 why3-1.6.0/bench/check-ce/func_call4.mlw000066400000000000000000000002011440160026300176510ustar00rootroot00000000000000 use int.Int val ref z: int val g (): unit writes { z } ensures { z > old z } let f () = z <- 0; g (); assert { z = 1 } why3-1.6.0/bench/check-ce/func_call4_mono.mlw000066400000000000000000000002431440160026300207070ustar00rootroot00000000000000 use int.Int type t = { mutable c : int } val z: t val g (): unit writes { z.c } ensures { z.c > old z.c } let f () = z.c <- 0; g (); assert { z.c = 1 } why3-1.6.0/bench/check-ce/func_call5.mlw000066400000000000000000000004121440160026300176560ustar00rootroot00000000000000 use int.Int use ref.Ref let g1 (y: int) requires { y > 0 } ensures { !result >= y } = ref y let f1 (x : int) requires { x > 0 } = let z = g1 x in assert { !z = x } let g2 (y: int) = ref (y + 1) let f2 (x: int) = let z = g2 x in assert { !z = x } why3-1.6.0/bench/check-ce/func_call5_mono.mlw000066400000000000000000000004451440160026300207140ustar00rootroot00000000000000 use int.Int type t = { mutable c : int } let g1 (y: int) requires { y > 0 } ensures { result.c >= y } = { c = y } let f1 (x : int) requires { x > 0 } = let z = g1 x in assert { z.c = x } let g2 (y: int) = { c = y + 1 } let f2 (x: int) = let z = g2 x in assert { z.c = x } why3-1.6.0/bench/check-ce/func_call6.mlw000066400000000000000000000003321440160026300176600ustar00rootroot00000000000000 (* similar to func_call4.mlw but uses a let to declare z *) use int.Int use ref.Ref let z = ref (any int) val g (): unit writes { z } ensures { !z > !(old z) } let f () = z := 0; g (); assert { !z = 1 } why3-1.6.0/bench/check-ce/func_call6_mono.mlw000066400000000000000000000003631440160026300207140ustar00rootroot00000000000000 (* similar to func_call4.mlw but uses a let to declare z *) use int.Int type t = { mutable c : int } let z = { c = any int } val g (): unit writes { z.c } ensures { z.c > old z.c } let f () = z.c <- 0; g (); assert { z.c = 1 } why3-1.6.0/bench/check-ce/func_call_mono.mlw000066400000000000000000000002621440160026300206240ustar00rootroot00000000000000 use int.Int type t = { mutable c : int } val z: t let g () writes { z.c } ensures { z.c > old z.c } = z.c <- z.c + 1 let f () = z.c <- 0; g (); assert { z.c = 1 } why3-1.6.0/bench/check-ce/global_logic_constant.mlw000066400000000000000000000003301440160026300221700ustar00rootroot00000000000000 module M1 use int.Int val constant v1: int (* CE f1'vc: -1 *) let f1 () : int ensures { result = 0 } = v1 val ref v2: int (* CE f2'vc: 2 *) let f2 () : int ensures { result = 0 } = v2 endwhy3-1.6.0/bench/check-ce/if_assign.mlw000066400000000000000000000006271440160026300176150ustar00rootroot00000000000000 module Test use int.Int use ref.Ref val x : ref int let f (_a : int) : int ensures { result = 0} = x := 42; !x let fTest1 (a : int) : int ensures { result = 0} = (if a = 0 then x.contents <- 42 else x := 18); !x let fTest2 (a : int) : int ensures { result = 0} = (if a = 0 then (x.contents <- 42; assert{ !x = 13}) else (x := 18; assert { !x = 18}) ); 17 end why3-1.6.0/bench/check-ce/if_decision_branch.mlw000066400000000000000000000012511440160026300214350ustar00rootroot00000000000000 module Main use int.Int type path_sel_type = { mutable sel_path : bool} val path_selector [@model_trace:TEMP_NAME]: path_sel_type end module Other use int.Int use Main let f (a : int) ensures {result = 5} = (* The counterexample should contain the node_id 5454 here but not 121 *) if (path_selector.sel_path <- (a = 1); ([@branch_id=5454] path_selector).sel_path) then 5 else begin path_selector.sel_path <- true; (* The counterexample should contain the node_id 121 but not 5454 *) if (path_selector.sel_path <- (a = 5); ([@branch_id=121] path_selector).sel_path) then 15 else 22 end end why3-1.6.0/bench/check-ce/int32.mlw000066400000000000000000000002671440160026300166120ustar00rootroot00000000000000module Ce_int32 use mach.int.Int32 let dummy_update (ref r : int32) requires { int32'int r = 22} ensures { int32'int r = 42} = r <- (42:int32); r <- r + r; end why3-1.6.0/bench/check-ce/int32_mono.mlw000066400000000000000000000003351440160026300176360ustar00rootroot00000000000000module Ce_int32 use mach.int.Int32 type t = { mutable c : int32 } let dummy_update (r : t) requires { int32'int r.c = 22} ensures { int32'int r.c = 42} = r.c <- (42:int32); r.c <- r.c + r.c; end why3-1.6.0/bench/check-ce/int_overflow.mlw000066400000000000000000000025351440160026300203700ustar00rootroot00000000000000theory ModelInt use int.Int (* PASS *) goal test0 : forall x:int. not (0 < x < 1) (* CE *) goal test1 : forall x:int. not (0 <= x <= 1) use int.EuclideanDivision (* CE *) goal test2 : forall x:int. div x x = 1 (* CE *) goal test_overflow: forall x y : int. 0 <= x <= 65535 /\ 0 <= y <= 65535 -> 0 <= x + y <= 65535 (* CE *) goal test_overflow2: forall x y : int. -2 <= x <= 65535 /\ -2 <= y <= 65535 -> -2 <= x + y <= 65535 predicate is_int16 (x:int) = -65536 <= x <= 65535 (* CE *) goal test_overflow_int16: forall x y : int. is_int16 x /\ is_int16 y -> is_int16 (x + y) (* CE *) goal test_overflow_int16_alt: forall x y : int. -65536 <= x <= 65535 /\ -65536 <= y <= 65535 -> -65536 <= x+y <= 65535 (* CE *) goal test_overflow_int16_bis: forall x y : int. is_int16 x /\ is_int16 y /\ (0 <= x) /\ (x <= y) -> is_int16 (x + y) predicate is_int32 (x:int) = -2147483648 <= x <= 2147483647 (* CE *) goal test_overflow_int32: forall x y : int. is_int32 x /\ is_int32 y -> is_int32 (x + y) (* CE *) goal test_overflow_int32_bis: forall x y : int. is_int32 x /\ is_int32 y /\ 0 <= x <= y -> is_int32 (x + y) (* CE *) goal test_overflow_int32_bis_inline: forall x y : int. -2147483648 <= x <= 2147483647 /\ -2147483648 <= y <= 2147483647 /\ 0 <= x <= y -> -2147483648 <= x + y <= 2147483647 end why3-1.6.0/bench/check-ce/integers.mlw000066400000000000000000000007321440160026300174700ustar00rootroot00000000000000theory T use int.Int goal g_lab : forall x [@model] :int. x >= 42 -> x + 3 <= 50 goal g_no_lab : forall x:int. x >= 42 -> x + 3 <= 50 constant g : int goal g2_lab : forall x:int. (g >= x) goal newgoal : forall x1 [@model] [@model_trace:X] x2 x3 x4 x5 x6 x7 x8. (x1 + 1 = 2) -> (x2 + 1 = 2) -> (x3 + 1 = 2) -> (x4 + 1 = 2) -> (x5 + 1 = 2) -> (x6 + 1 = 2) -> (x7 + 1 = 2) -> (x8 + 1 = 2) -> (x1 + x2 + x3 + x4 + x5 + x6 + x7 + x8 = 2) end why3-1.6.0/bench/check-ce/jlamp0_mono.mlw000066400000000000000000000015751440160026300200710ustar00rootroot00000000000000module M use int.Int type intref = { mutable contents : int } let function (!) x = x.contents let (:=) x v ensures { !x = v } = x.contents <- v val a : intref let p1 (b : intref) requires { 0 <= !a <= 10 /\ 3 <= !b <= 17 } ensures { 17 <= !a <= 42 } = a := !a + !b; assert { 5 <= !a <= 15 }; if !a >= 10 then a := !a - 1 val c : intref let p2 () requires { 0 <= !a <= 10 } ensures { 7 <= !a <= 42 } = c := 1; while !c <= 10 do invariant { 2 <= !c <= 11 } invariant { 3 <= !a <= 10 } variant { !c } a := !a + !c; c := !c + 2 done let p3 () requires { 0 <= !a <= 10 } requires { 3 <= !c <= 5 } ensures { 7 <= !a <= 42 } = while !c <= 10 do invariant { 2 <= !c <= 11 } invariant { 3 <= !a <= 10 } variant { !c } a := !a + !c; c := !c + 2 done end why3-1.6.0/bench/check-ce/jlamp0_poly.mlw000066400000000000000000000007761440160026300201060ustar00rootroot00000000000000module M use int.Int use ref.Ref val a : ref int let p1 (b : ref int) requires { 0 <= !a <= 10 /\ 3 <= !b <= 17 } ensures { 17 <= !a <= 42 } = a := !a + !b; assert { 5 <= !a <= 15 }; if !a >= 10 then a := !a - 1 val c : ref int let p2 () requires { 0 <= !a <= 10 } ensures { 7 <= !a <= 42 } = c := 1; while !c <= 10 do invariant { 2 <= !c <= 11 } invariant { 3 <= !a <= 10 } variant { !c } a := !a + !c; c := !c + 2 done endwhy3-1.6.0/bench/check-ce/jlamp_array_mono.mlw000066400000000000000000000025261440160026300212040ustar00rootroot00000000000000module Array use int.Int use map.Map type t function to_int t : int meta "model_projection" function to_int val function two : t axiom two_def : to_int two = 2 val function three : t axiom three_def : to_int three = 3 type array = private { mutable ghost elts : int -> t; length : int } invariant { 0 <= length } function ([]) (a: array) (i: int) : t = a.elts i val ([]) (a: array) (i: int) : t requires { [@expl:index in array bounds] 0 <= i < length a } ensures { result = a[i] } val ghost function ([<-]) (a: array) (i: int) (v: t): array ensures { result.length = a.length } ensures { result.elts = Map.set a.elts i v } val ([]<-) (a: array) (i: int) (v: t) : unit writes {a} requires { [@expl:index in array bounds] 0 <= i < length a } ensures { a.elts = Map.set (old a).elts i v } ensures { a = (old a)[i <- v] } end module Test use int.Int use Array let f (a : array) : unit requires { a[42] = three } writes { a } ensures { a[42] = three } = a[42] <- two let g (a : array) : unit requires { a.length >= 43 /\ a[17] = three } writes { a } ensures { a[42] = three } = a[42] <- two let h (a : array) : unit requires { a.length >= 43 /\ a[17] = three } writes { a } ensures { a[42] = three } = a[17] <- two end why3-1.6.0/bench/check-ce/jlamp_array_poly.mlw000066400000000000000000000012271440160026300212140ustar00rootroot00000000000000module Array use int.Int use array.Array type t function to_int t : int meta "model_projection" function to_int val function two : t axiom two_def : to_int two = 2 val function three : t axiom three_def : to_int three = 3 let f (a : array t) : unit requires { a[42] = three } writes { a } ensures { a[42] = three } = a[42] <- two let g (a : array t) : unit requires { a.length >= 43 /\ a[17] = three } writes { a } ensures { a[42] = three } = a[42] <- two let h (a : array t) : unit requires { a.length >= 43 /\ a[17] = three } writes { a } ensures { a[42] = three } = a[17] <- two end why3-1.6.0/bench/check-ce/jlamp_projections.mlw000066400000000000000000000014661440160026300213770ustar00rootroot00000000000000 module Abstract use int.Int type byte function to_int byte : int meta "model_projection" function to_int predicate in_range (x : int) = -128 <= x <= 127 axiom range_axiom : forall x:byte. in_range (to_int x) val of_int (x:int) : byte requires { in_range x } ensures { to_int result = x } val add (x y : byte) : byte requires { [@expl:integer overflow] in_range (to_int x + to_int y) } ensures { to_int result = to_int x + to_int y } end module AbstractAlone use int.Int use Abstract let p3 (a : byte) : byte = add a (of_int 1) end module AbstractWithRef use int.Int use ref.Ref use Abstract let p3 (a : ref byte) = a := add !a (of_int 1) end module Record use int.Int use Abstract type r = {mutable f : byte; mutable g : bool} let p4 (b : r) = if b.g then b.f <- add b.f (of_int 1) end why3-1.6.0/bench/check-ce/let_constant.mlw000066400000000000000000000002271440160026300203440ustar00rootroot00000000000000module Let_constant use int.Int let dummy () = [@vc:sp] let a [@model_trace:T] = 25 in let b = 65 in assert { a + b > 150 }; end why3-1.6.0/bench/check-ce/let_function.mlw000066400000000000000000000001661440160026300203420ustar00rootroot00000000000000use int.Int let function f(x:int) : int = x+1 let main_f (y:int) ensures { result <> 44 } = let z = f y in z+1why3-1.6.0/bench/check-ce/let_function_logic.mlw000066400000000000000000000003061440160026300215130ustar00rootroot00000000000000use int.Int function g(x:int) : int axiom g_def : forall x. g x = x + 1 let f(x:int) : int ensures { result = g x } = x+1 let main (y:int) ensures { result <> 44 } = let z = f y in z+1why3-1.6.0/bench/check-ce/lists.mlw000066400000000000000000000006461440160026300170120ustar00rootroot00000000000000 module List_int use int.Int type list = Nil | Cons int list function length (l:list) : int = match l with | Nil -> 0 | Cons _ l -> 1 + length l end goal g1: forall l:list. length l <> 0 goal g2: forall l:list. length l <> 1 end module List_poly use list.List use list.Length goal g1: forall l:list int. length l <> 0 goal g2: forall l:list int. length l <> 1 endwhy3-1.6.0/bench/check-ce/logic_constant.mlw000066400000000000000000000001431440160026300206520ustar00rootroot00000000000000 use int.Int constant c : int let main (y:int) : unit requires { y = 0 } = assert { c <> y } why3-1.6.0/bench/check-ce/logic_function.mlw000066400000000000000000000004741440160026300206550ustar00rootroot00000000000000 use int.Int function g (x:int) : int let main_g (y:int) : unit = assert { g y <> 42 } function h (x1:int) (x2:bool) : int let main_h (y1:int) (y2:bool) : unit = assert { h y1 y2 <> 42 } function f (x:int) : int let main_f (y:int) : unit requires { y = 0 } = assert { f 0 <> y }; assert { f 1 <> y } why3-1.6.0/bench/check-ce/loop_ce.mlw000066400000000000000000000005241440160026300172670ustar00rootroot00000000000000 module M1 use int.Int let ref a = 0 let ref b = 0 let f () = a <- -1; a <- 1; b <- 2; while b < 10 do variant { 10 - b } invariant { b - a < 5 } b <- b + a; done end module M2 use int.Int let g (ref a: int) ensures { a = old a + 1 } = label X in if a <> 10 then a <- a + 1; assert { a = a at X } end why3-1.6.0/bench/check-ce/loop_ce_mono.mlw000066400000000000000000000006641440160026300203240ustar00rootroot00000000000000 module M1 use int.Int type t = { mutable c : int } let a = { c = 0 } let b = { c = 0 } let f () = a.c <- -1; a.c <- 1; b.c <- 2; while b.c < 10 do variant { 10 - b.c } invariant { b.c - a.c < 5 } b.c <- b.c + a.c; done end module M2 use int.Int type t = { mutable c : int } let g (a: t) ensures { a.c = old a.c + 1 } = label X in if a.c <> 10 then a.c <- a.c + 1; assert { a.c = a.c at X } end why3-1.6.0/bench/check-ce/loop_inv_int.mlw000066400000000000000000000006031440160026300203440ustar00rootroot00000000000000 module M use int.Int let f () : unit diverges = let ref a = 0 in a <- 1; let ref b = 2 in while b < 10 do invariant { b < a + 5 } b <- a + b done end module N use int.Int val ref a : int val ref b : int let f () : int diverges ensures { result < a } = a <- 1; b <- 2; while b < 10 do invariant { b < a + 5 } b <- a + b done; b end why3-1.6.0/bench/check-ce/loop_inv_int_mono.mlw000066400000000000000000000007351440160026300214020ustar00rootroot00000000000000 module M use int.Int type t = { mutable c : int } let f () : unit diverges = let a = { c = 0 } in a.c <- 1; let b = { c = 2 } in while b.c < 10 do invariant { b.c < a.c + 5 } b.c <- a.c + b.c done end module N use int.Int type t = { mutable c : int } val a : t val b : t let f () : int diverges ensures { result < a.c } = a.c <- 1; b.c <- 2; while b.c < 10 do invariant { b.c < a.c + 5 } b.c <- a.c + b.c done; b.c end why3-1.6.0/bench/check-ce/loop_inv_real.mlw000066400000000000000000000003401440160026300204730ustar00rootroot00000000000000 module R use real.Real val ref a : real val ref b : real let f () : real diverges ensures { result < a } = a <- 1.0; b <- 2.0; while b < 10.0 do invariant { b < a + 5.0 } b <- a + b done; b end why3-1.6.0/bench/check-ce/loop_inv_real_mono.mlw000066400000000000000000000004051440160026300215250ustar00rootroot00000000000000 module R use real.Real type t = { mutable c : real } val a : t val b : t let f () : real diverges ensures { result < a.c } = a.c <- 1.0; b.c <- 2.0; while b.c < 10.0 do invariant { b.c < a.c + 5.0 } b.c <- a.c + b.c done; b.c end why3-1.6.0/bench/check-ce/manual_map.mlw000066400000000000000000000002231440160026300177550ustar00rootroot00000000000000use int.Int use map.Map let ghost test_map (ghost x : (map int int)) : map int int ensures { result[0] <> result[1] } = Map.set x 0 3 why3-1.6.0/bench/check-ce/maps_mono.mlw000066400000000000000000000035241440160026300176420ustar00rootroot00000000000000module MapIntInt type mapintint = int -> int let function get (f: mapintint) (x: int) : int = f x let ghost function set (f: mapintint) (x: int) (v: int) : mapintint = fun y -> if pure {y = x} then v else f y end module MapIntBool type mapintbool = int -> bool let function get (f: mapintbool) (x: int) : bool = f x let ghost function set (f: mapintbool) (x: int) (v: bool) : mapintbool = fun y -> if pure {y = x} then v else f y end module MapMulti use MapIntInt type mapmulti = int -> mapintint let function get (f: mapmulti) (x: int) : mapintint = f x let ghost function set (f: mapmulti) (x: int) (v: mapintint) : mapmulti = fun y -> if pure {y = x} then v else f y end module M use int.Int use ref.Ref use MapIntInt use MapIntBool use MapMulti let ghost test_map (ghost x : ref mapintint) : unit ensures { MapIntInt.get !x 0 <> MapIntInt.get !x 1 } = x := MapIntInt.set !x 0 3 (* Multi-dimensional maps *) let ghost test_map_multidim1 (ghost x : ref mapmulti) : unit ensures { MapIntInt.get (MapMulti.get !x 0) 0 <> MapIntInt.get (MapMulti.get !x 1) 1 } = x := MapMulti.set !x 0 (MapMulti.get !x 1) let ghost test_map_multidim2 (ghost x : ref mapmulti) : unit ensures { MapIntInt.get (MapMulti.get !x 0) 0 <> MapIntInt.get (MapMulti.get !x 1) 1 } = let x0 = MapMulti.get !x 0 in let x0 = MapIntInt.set x0 0 3 in x := MapMulti.set !x 0 x0 let ghost proj_map_test1 (ghost x : ref mapintint) : unit ensures { MapIntInt.get !x 0 <> MapIntInt.get !x 1 } = x := MapIntInt.set !x 0 3 let ghost proj_map_test2 (ghost x : ref mapintbool) : unit ensures { MapIntBool.get !x 0 <> MapIntBool.get !x 1 } = x := MapIntBool.set !x 0 true end theory ModelMap use MapIntInt goal t1 : forall t:mapintint, i : int. get (set t 0 42) i = get t i end why3-1.6.0/bench/check-ce/maps_poly.mlw000066400000000000000000000020121440160026300176440ustar00rootroot00000000000000module M use int.Int use ref.Ref use map.Map let ghost test_map (ghost x : ref (map int int)) : unit ensures { !x[0] <> !x[1] } = x := Map.set !x 0 3 (* Multi-dimensional maps *) let ghost test_map_multidim1 (ghost x : ref (map int (map int int))) : unit ensures { !x[0][0] <> !x[1][1] } = x := Map.set !x 0 (Map.get !x 1) let ghost test_map_multidim2 (ghost x : ref (map int (map int int))) : unit ensures { !x[0][0] <> !x[1][1] } = let x0 = Map.get !x 0 in let x0 = Map.set x0 0 3 in x := Map.set !x 0 x0 let ghost proj_map_test1 (ghost x : ref (map int int)) : unit ensures { !x[0] <> !x[1] } = x := Map.set !x 0 3 let ghost proj_map_test2 (ghost x : ref (map int bool)) : unit ensures { !x[0] <> !x[1] } = x := Map.set !x 0 true end theory ModelMap use map.Map goal t1 : forall t:map int int, i : int. get (set t 0 42) i = get t i end module OtherIndices use map.Map goal g : forall m: map real real. m 0.1 = 0.0 \/ m 0.2 = m 0.1 endwhy3-1.6.0/bench/check-ce/multifile1.mlw000066400000000000000000000003171440160026300177220ustar00rootroot00000000000000 module M use int.Int let decr (x: int) ensures { result < x } = x - 1 let incr (x: int) ensures { result > x } = decr x + 2 val incr_val (x: int) : int ensures { result > x } endwhy3-1.6.0/bench/check-ce/multifile2.mlw000066400000000000000000000004461440160026300177260ustar00rootroot00000000000000 use multifile1.M use int.Int (* underspec *) let f (x: int) ensures { result = x + 1 } = incr x (* wrong program w.r.t. postcondition *) let g (x: int) ensures { result = x + 2 } = incr x (* wrong program w.r.t. postcondition *) let h (x: int) ensures { result = x + 2 } = incr_val xwhy3-1.6.0/bench/check-ce/oracles/000077500000000000000000000000001440160026300165555ustar00rootroot00000000000000why3-1.6.0/bench/check-ce/oracles/614_CVC4,1.8_SP.oracle000066400000000000000000000017231440160026300217450ustar00rootroot00000000000000Categorizations of models: - Selected model 0: NC - Concrete RAC: FAILURE (check at "bench/check-ce/614.mlw", line 5, characters 20-36) - Abstract RAC: FAILURE (check at "bench/check-ce/614.mlw", line 5, characters 20-36) - Checked model 1: NC - Concrete RAC: FAILURE (check at "bench/check-ce/614.mlw", line 5, characters 20-36) - Abstract RAC: FAILURE (check at "bench/check-ce/614.mlw", line 5, characters 20-36) File "bench/check-ce/614.mlw", line 5, characters 20-36: Sub-goal E of goal f'vc. Prover result is: Unknown (sat). The program does not comply to the verification goal, for example during the following execution: File int.mlw: Line 13: Constant zero initialization zero = 0 Line 14: Constant one initialization one = 1 File 614.mlw: Line 4: x = 0 x = 0 Execution of main function `f` with env: x = 0 zero = 0 one = 1 Line 5: Property failure at check with: x = 0 why3-1.6.0/bench/check-ce/oracles/614_CVC4,1.8_WP.oracle000066400000000000000000000017231440160026300217510ustar00rootroot00000000000000Categorizations of models: - Selected model 0: NC - Concrete RAC: FAILURE (check at "bench/check-ce/614.mlw", line 5, characters 20-36) - Abstract RAC: FAILURE (check at "bench/check-ce/614.mlw", line 5, characters 20-36) - Checked model 1: NC - Concrete RAC: FAILURE (check at "bench/check-ce/614.mlw", line 5, characters 20-36) - Abstract RAC: FAILURE (check at "bench/check-ce/614.mlw", line 5, characters 20-36) File "bench/check-ce/614.mlw", line 5, characters 20-36: Sub-goal E of goal f'vc. Prover result is: Unknown (sat). The program does not comply to the verification goal, for example during the following execution: File int.mlw: Line 13: Constant zero initialization zero = 0 Line 14: Constant one initialization one = 1 File 614.mlw: Line 4: x = 0 x = 0 Execution of main function `f` with env: x = 0 zero = 0 one = 1 Line 5: Property failure at check with: x = 0 why3-1.6.0/bench/check-ce/oracles/614_CVC5,1.0.0_SP.oracle000066400000000000000000000017231440160026300220740ustar00rootroot00000000000000Categorizations of models: - Selected model 0: NC - Concrete RAC: FAILURE (check at "bench/check-ce/614.mlw", line 5, characters 20-36) - Abstract RAC: FAILURE (check at "bench/check-ce/614.mlw", line 5, characters 20-36) - Checked model 1: NC - Concrete RAC: FAILURE (check at "bench/check-ce/614.mlw", line 5, characters 20-36) - Abstract RAC: FAILURE (check at "bench/check-ce/614.mlw", line 5, characters 20-36) File "bench/check-ce/614.mlw", line 5, characters 20-36: Sub-goal E of goal f'vc. Prover result is: Unknown (sat). The program does not comply to the verification goal, for example during the following execution: File int.mlw: Line 13: Constant zero initialization zero = 0 Line 14: Constant one initialization one = 1 File 614.mlw: Line 4: x = 0 x = 0 Execution of main function `f` with env: x = 0 zero = 0 one = 1 Line 5: Property failure at check with: x = 0 why3-1.6.0/bench/check-ce/oracles/614_CVC5,1.0.0_WP.oracle000066400000000000000000000017231440160026300221000ustar00rootroot00000000000000Categorizations of models: - Selected model 0: NC - Concrete RAC: FAILURE (check at "bench/check-ce/614.mlw", line 5, characters 20-36) - Abstract RAC: FAILURE (check at "bench/check-ce/614.mlw", line 5, characters 20-36) - Checked model 1: NC - Concrete RAC: FAILURE (check at "bench/check-ce/614.mlw", line 5, characters 20-36) - Abstract RAC: FAILURE (check at "bench/check-ce/614.mlw", line 5, characters 20-36) File "bench/check-ce/614.mlw", line 5, characters 20-36: Sub-goal E of goal f'vc. Prover result is: Unknown (sat). The program does not comply to the verification goal, for example during the following execution: File int.mlw: Line 13: Constant zero initialization zero = 0 Line 14: Constant one initialization one = 1 File 614.mlw: Line 4: x = 0 x = 0 Execution of main function `f` with env: x = 0 zero = 0 one = 1 Line 5: Property failure at check with: x = 0 why3-1.6.0/bench/check-ce/oracles/614_Z3,4.8.10_SP.oracle000066400000000000000000000017231440160026300217640ustar00rootroot00000000000000Categorizations of models: - Selected model 0: NC - Concrete RAC: FAILURE (check at "bench/check-ce/614.mlw", line 5, characters 20-36) - Abstract RAC: FAILURE (check at "bench/check-ce/614.mlw", line 5, characters 20-36) - Checked model 1: NC - Concrete RAC: FAILURE (check at "bench/check-ce/614.mlw", line 5, characters 20-36) - Abstract RAC: FAILURE (check at "bench/check-ce/614.mlw", line 5, characters 20-36) File "bench/check-ce/614.mlw", line 5, characters 20-36: Sub-goal E of goal f'vc. Prover result is: Unknown (sat). The program does not comply to the verification goal, for example during the following execution: File int.mlw: Line 13: Constant zero initialization zero = 0 Line 14: Constant one initialization one = 1 File 614.mlw: Line 4: x = 0 x = 0 Execution of main function `f` with env: x = 0 zero = 0 one = 1 Line 5: Property failure at check with: x = 0 why3-1.6.0/bench/check-ce/oracles/614_Z3,4.8.10_WP.oracle000066400000000000000000000017231440160026300217700ustar00rootroot00000000000000Categorizations of models: - Selected model 0: NC - Concrete RAC: FAILURE (check at "bench/check-ce/614.mlw", line 5, characters 20-36) - Abstract RAC: FAILURE (check at "bench/check-ce/614.mlw", line 5, characters 20-36) - Checked model 1: NC - Concrete RAC: FAILURE (check at "bench/check-ce/614.mlw", line 5, characters 20-36) - Abstract RAC: FAILURE (check at "bench/check-ce/614.mlw", line 5, characters 20-36) File "bench/check-ce/614.mlw", line 5, characters 20-36: Sub-goal E of goal f'vc. Prover result is: Unknown (sat). The program does not comply to the verification goal, for example during the following execution: File int.mlw: Line 13: Constant zero initialization zero = 0 Line 14: Constant one initialization one = 1 File 614.mlw: Line 4: x = 0 x = 0 Execution of main function `f` with env: x = 0 zero = 0 one = 1 Line 5: Property failure at check with: x = 0 why3-1.6.0/bench/check-ce/oracles/614_Z3,4.8.4_SP.oracle000066400000000000000000000126751440160026300217170ustar00rootroot00000000000000Check model 0 ("bench/check-ce/614.mlw", line 5, characters 20-36) Checking model: File 614.mlw: Line 4: x = {"type": "Integer", "val": "0"} Line 5: x = {"type": "Integer", "val": "0"} Giant-step RAC RHS evaluated for global `zero` at "WHY3DATA/stdlib/int.mlw", line 13, characters 15-19: 0 RHS evaluated for global `one` at "WHY3DATA/stdlib/int.mlw", line 14, characters 15-18: 1 Value from model for parameter `x` at "bench/check-ce/614.mlw", line 4, characters 7-8: 0 Normal RAC RHS evaluated for global `zero` at "WHY3DATA/stdlib/int.mlw", line 13, characters 15-19: 0 RHS evaluated for global `one` at "WHY3DATA/stdlib/int.mlw", line 14, characters 15-18: 1 Value from model for parameter `x` at "bench/check-ce/614.mlw", line 4, characters 7-8: 0 Result of checking model 0: NC - Concrete RAC: FAILURE (check at "bench/check-ce/614.mlw", line 5, characters 20-36) File int.mlw: Line 13: Constant zero initialization zero = 0 Line 14: Constant one initialization one = 1 File 614.mlw: Line 4: x = 0 x = 0 Execution of main function `f` with env: x = 0 zero = 0 one = 1 Line 5: Property failure at check with: x = 0 - Abstract RAC: FAILURE (check at "bench/check-ce/614.mlw", line 5, characters 20-36) File int.mlw: Line 13: Constant zero initialization zero = 0 Line 14: Constant one initialization one = 1 File 614.mlw: Line 4: x = 0 x = 0 Execution of main function `f` with env: x = 0 zero = 0 one = 1 Line 5: Property failure at check with: x = 0 Check model 1 ("bench/check-ce/614.mlw", line 5, characters 20-36) Checking model: File 614.mlw: Line 4: x = {"type": "Integer", "val": "0"} Line 5: x = {"type": "Integer", "val": "0"} Giant-step RAC RHS evaluated for global `zero` at "WHY3DATA/stdlib/int.mlw", line 13, characters 15-19: 0 RHS evaluated for global `one` at "WHY3DATA/stdlib/int.mlw", line 14, characters 15-18: 1 Value from model for parameter `x` at "bench/check-ce/614.mlw", line 4, characters 7-8: 0 Normal RAC RHS evaluated for global `zero` at "WHY3DATA/stdlib/int.mlw", line 13, characters 15-19: 0 RHS evaluated for global `one` at "WHY3DATA/stdlib/int.mlw", line 14, characters 15-18: 1 Value from model for parameter `x` at "bench/check-ce/614.mlw", line 4, characters 7-8: 0 Result of checking model 1: NC - Concrete RAC: FAILURE (check at "bench/check-ce/614.mlw", line 5, characters 20-36) File int.mlw: Line 13: Constant zero initialization zero = 0 Line 14: Constant one initialization one = 1 File 614.mlw: Line 4: x = 0 x = 0 Execution of main function `f` with env: x = 0 zero = 0 one = 1 Line 5: Property failure at check with: x = 0 - Abstract RAC: FAILURE (check at "bench/check-ce/614.mlw", line 5, characters 20-36) File int.mlw: Line 13: Constant zero initialization zero = 0 Line 14: Constant one initialization one = 1 File 614.mlw: Line 4: x = 0 x = 0 Execution of main function `f` with env: x = 0 zero = 0 one = 1 Line 5: Property failure at check with: x = 0 Results: - Selected model 0: NC - Concrete RAC: FAILURE (check at "bench/check-ce/614.mlw", line 5, characters 20-36) - Abstract RAC: FAILURE (check at "bench/check-ce/614.mlw", line 5, characters 20-36) - Checked model 1: NC - Concrete RAC: FAILURE (check at "bench/check-ce/614.mlw", line 5, characters 20-36) - Abstract RAC: FAILURE (check at "bench/check-ce/614.mlw", line 5, characters 20-36) File "bench/check-ce/614.mlw", line 5, characters 20-36: Sub-goal E of goal f'vc. Prover result is: Unknown (sat) (0.00s, 693 steps). The program does not comply to the verification goal, for example during the following execution: File int.mlw: Line 13: Constant zero initialization zero = 0 Line 14: Constant one initialization one = 1 File 614.mlw: Line 4: x = 0 x = 0 Execution of main function `f` with env: x = 0 zero = 0 one = 1 Line 5: Property failure at check with: x = 0 why3-1.6.0/bench/check-ce/oracles/614_Z3,4.8.4_WP.oracle000066400000000000000000000126751440160026300217230ustar00rootroot00000000000000Check model 0 ("bench/check-ce/614.mlw", line 5, characters 20-36) Checking model: File 614.mlw: Line 4: x = {"type": "Integer", "val": "0"} Line 5: x = {"type": "Integer", "val": "0"} Giant-step RAC RHS evaluated for global `zero` at "WHY3DATA/stdlib/int.mlw", line 13, characters 15-19: 0 RHS evaluated for global `one` at "WHY3DATA/stdlib/int.mlw", line 14, characters 15-18: 1 Value from model for parameter `x` at "bench/check-ce/614.mlw", line 4, characters 7-8: 0 Normal RAC RHS evaluated for global `zero` at "WHY3DATA/stdlib/int.mlw", line 13, characters 15-19: 0 RHS evaluated for global `one` at "WHY3DATA/stdlib/int.mlw", line 14, characters 15-18: 1 Value from model for parameter `x` at "bench/check-ce/614.mlw", line 4, characters 7-8: 0 Result of checking model 0: NC - Concrete RAC: FAILURE (check at "bench/check-ce/614.mlw", line 5, characters 20-36) File int.mlw: Line 13: Constant zero initialization zero = 0 Line 14: Constant one initialization one = 1 File 614.mlw: Line 4: x = 0 x = 0 Execution of main function `f` with env: x = 0 zero = 0 one = 1 Line 5: Property failure at check with: x = 0 - Abstract RAC: FAILURE (check at "bench/check-ce/614.mlw", line 5, characters 20-36) File int.mlw: Line 13: Constant zero initialization zero = 0 Line 14: Constant one initialization one = 1 File 614.mlw: Line 4: x = 0 x = 0 Execution of main function `f` with env: x = 0 zero = 0 one = 1 Line 5: Property failure at check with: x = 0 Check model 1 ("bench/check-ce/614.mlw", line 5, characters 20-36) Checking model: File 614.mlw: Line 4: x = {"type": "Integer", "val": "0"} Line 5: x = {"type": "Integer", "val": "0"} Giant-step RAC RHS evaluated for global `zero` at "WHY3DATA/stdlib/int.mlw", line 13, characters 15-19: 0 RHS evaluated for global `one` at "WHY3DATA/stdlib/int.mlw", line 14, characters 15-18: 1 Value from model for parameter `x` at "bench/check-ce/614.mlw", line 4, characters 7-8: 0 Normal RAC RHS evaluated for global `zero` at "WHY3DATA/stdlib/int.mlw", line 13, characters 15-19: 0 RHS evaluated for global `one` at "WHY3DATA/stdlib/int.mlw", line 14, characters 15-18: 1 Value from model for parameter `x` at "bench/check-ce/614.mlw", line 4, characters 7-8: 0 Result of checking model 1: NC - Concrete RAC: FAILURE (check at "bench/check-ce/614.mlw", line 5, characters 20-36) File int.mlw: Line 13: Constant zero initialization zero = 0 Line 14: Constant one initialization one = 1 File 614.mlw: Line 4: x = 0 x = 0 Execution of main function `f` with env: x = 0 zero = 0 one = 1 Line 5: Property failure at check with: x = 0 - Abstract RAC: FAILURE (check at "bench/check-ce/614.mlw", line 5, characters 20-36) File int.mlw: Line 13: Constant zero initialization zero = 0 Line 14: Constant one initialization one = 1 File 614.mlw: Line 4: x = 0 x = 0 Execution of main function `f` with env: x = 0 zero = 0 one = 1 Line 5: Property failure at check with: x = 0 Results: - Selected model 0: NC - Concrete RAC: FAILURE (check at "bench/check-ce/614.mlw", line 5, characters 20-36) - Abstract RAC: FAILURE (check at "bench/check-ce/614.mlw", line 5, characters 20-36) - Checked model 1: NC - Concrete RAC: FAILURE (check at "bench/check-ce/614.mlw", line 5, characters 20-36) - Abstract RAC: FAILURE (check at "bench/check-ce/614.mlw", line 5, characters 20-36) File "bench/check-ce/614.mlw", line 5, characters 20-36: Sub-goal E of goal f'vc. Prover result is: Unknown (sat) (0.03s, 693 steps). The program does not comply to the verification goal, for example during the following execution: File int.mlw: Line 13: Constant zero initialization zero = 0 Line 14: Constant one initialization one = 1 File 614.mlw: Line 4: x = 0 x = 0 Execution of main function `f` with env: x = 0 zero = 0 one = 1 Line 5: Property failure at check with: x = 0 why3-1.6.0/bench/check-ce/oracles/615_CVC4,1.8_SP.oracle000066400000000000000000000021321440160026300217410ustar00rootroot00000000000000Warning, file "bench/check-ce/615.mlw", line 2, characters 9-10: unused variable t Categorizations of models: - Selected model 0: NC - Concrete RAC: FAILURE (check at "bench/check-ce/615.mlw", line 3, characters 12-28) - Abstract RAC: FAILURE (check at "bench/check-ce/615.mlw", line 3, characters 12-28) - Checked model 1: NC - Concrete RAC: FAILURE (check at "bench/check-ce/615.mlw", line 3, characters 12-28) - Abstract RAC: FAILURE (check at "bench/check-ce/615.mlw", line 3, characters 12-28) File "bench/check-ce/615.mlw", line 3, characters 12-28: Sub-goal Check of goal f'vc. Prover result is: Unknown (sat). The program does not comply to the verification goal, for example during the following execution: File int.mlw: Line 13: Constant zero initialization zero = 0 Line 14: Constant one initialization one = 1 File 615.mlw: Line 2: t = 0 x = (- 1) t = 0 x = (- 1) Execution of main function `f` with env: t = 0 x = (- 1) zero = 0 one = 1 Line 3: Property failure at check with: x = (- 1) why3-1.6.0/bench/check-ce/oracles/615_CVC4,1.8_WP.oracle000066400000000000000000000021321440160026300217450ustar00rootroot00000000000000Warning, file "bench/check-ce/615.mlw", line 2, characters 9-10: unused variable t Categorizations of models: - Selected model 0: NC - Concrete RAC: FAILURE (check at "bench/check-ce/615.mlw", line 3, characters 12-28) - Abstract RAC: FAILURE (check at "bench/check-ce/615.mlw", line 3, characters 12-28) - Checked model 1: NC - Concrete RAC: FAILURE (check at "bench/check-ce/615.mlw", line 3, characters 12-28) - Abstract RAC: FAILURE (check at "bench/check-ce/615.mlw", line 3, characters 12-28) File "bench/check-ce/615.mlw", line 3, characters 12-28: Sub-goal Check of goal f'vc. Prover result is: Unknown (sat). The program does not comply to the verification goal, for example during the following execution: File int.mlw: Line 13: Constant zero initialization zero = 0 Line 14: Constant one initialization one = 1 File 615.mlw: Line 2: t = 0 x = (- 1) t = 0 x = (- 1) Execution of main function `f` with env: t = 0 x = (- 1) zero = 0 one = 1 Line 3: Property failure at check with: x = (- 1) why3-1.6.0/bench/check-ce/oracles/615_CVC5,1.0.0_SP.oracle000066400000000000000000000021321440160026300220700ustar00rootroot00000000000000Warning, file "bench/check-ce/615.mlw", line 2, characters 9-10: unused variable t Categorizations of models: - Selected model 0: NC - Concrete RAC: FAILURE (check at "bench/check-ce/615.mlw", line 3, characters 12-28) - Abstract RAC: FAILURE (check at "bench/check-ce/615.mlw", line 3, characters 12-28) - Checked model 1: NC - Concrete RAC: FAILURE (check at "bench/check-ce/615.mlw", line 3, characters 12-28) - Abstract RAC: FAILURE (check at "bench/check-ce/615.mlw", line 3, characters 12-28) File "bench/check-ce/615.mlw", line 3, characters 12-28: Sub-goal Check of goal f'vc. Prover result is: Unknown (sat). The program does not comply to the verification goal, for example during the following execution: File int.mlw: Line 13: Constant zero initialization zero = 0 Line 14: Constant one initialization one = 1 File 615.mlw: Line 2: t = 0 x = (- 1) t = 0 x = (- 1) Execution of main function `f` with env: t = 0 x = (- 1) zero = 0 one = 1 Line 3: Property failure at check with: x = (- 1) why3-1.6.0/bench/check-ce/oracles/615_CVC5,1.0.0_WP.oracle000066400000000000000000000021321440160026300220740ustar00rootroot00000000000000Warning, file "bench/check-ce/615.mlw", line 2, characters 9-10: unused variable t Categorizations of models: - Selected model 0: NC - Concrete RAC: FAILURE (check at "bench/check-ce/615.mlw", line 3, characters 12-28) - Abstract RAC: FAILURE (check at "bench/check-ce/615.mlw", line 3, characters 12-28) - Checked model 1: NC - Concrete RAC: FAILURE (check at "bench/check-ce/615.mlw", line 3, characters 12-28) - Abstract RAC: FAILURE (check at "bench/check-ce/615.mlw", line 3, characters 12-28) File "bench/check-ce/615.mlw", line 3, characters 12-28: Sub-goal Check of goal f'vc. Prover result is: Unknown (sat). The program does not comply to the verification goal, for example during the following execution: File int.mlw: Line 13: Constant zero initialization zero = 0 Line 14: Constant one initialization one = 1 File 615.mlw: Line 2: t = 0 x = (- 1) t = 0 x = (- 1) Execution of main function `f` with env: t = 0 x = (- 1) zero = 0 one = 1 Line 3: Property failure at check with: x = (- 1) why3-1.6.0/bench/check-ce/oracles/615_Z3,4.8.10_SP.oracle000066400000000000000000000021121440160026300217560ustar00rootroot00000000000000Warning, file "bench/check-ce/615.mlw", line 2, characters 9-10: unused variable t Categorizations of models: - Selected model 0: NC - Concrete RAC: FAILURE (check at "bench/check-ce/615.mlw", line 3, characters 12-28) - Abstract RAC: FAILURE (check at "bench/check-ce/615.mlw", line 3, characters 12-28) - Checked model 1: NC - Concrete RAC: FAILURE (check at "bench/check-ce/615.mlw", line 3, characters 12-28) - Abstract RAC: FAILURE (check at "bench/check-ce/615.mlw", line 3, characters 12-28) File "bench/check-ce/615.mlw", line 3, characters 12-28: Sub-goal Check of goal f'vc. Prover result is: Unknown (sat). The program does not comply to the verification goal, for example during the following execution: File int.mlw: Line 13: Constant zero initialization zero = 0 Line 14: Constant one initialization one = 1 File 615.mlw: Line 2: t = 0 x = 1 t = 0 x = 1 Execution of main function `f` with env: t = 0 x = 1 zero = 0 one = 1 Line 3: Property failure at check with: x = 1 why3-1.6.0/bench/check-ce/oracles/615_Z3,4.8.10_WP.oracle000066400000000000000000000021121440160026300217620ustar00rootroot00000000000000Warning, file "bench/check-ce/615.mlw", line 2, characters 9-10: unused variable t Categorizations of models: - Selected model 0: NC - Concrete RAC: FAILURE (check at "bench/check-ce/615.mlw", line 3, characters 12-28) - Abstract RAC: FAILURE (check at "bench/check-ce/615.mlw", line 3, characters 12-28) - Checked model 1: NC - Concrete RAC: FAILURE (check at "bench/check-ce/615.mlw", line 3, characters 12-28) - Abstract RAC: FAILURE (check at "bench/check-ce/615.mlw", line 3, characters 12-28) File "bench/check-ce/615.mlw", line 3, characters 12-28: Sub-goal Check of goal f'vc. Prover result is: Unknown (sat). The program does not comply to the verification goal, for example during the following execution: File int.mlw: Line 13: Constant zero initialization zero = 0 Line 14: Constant one initialization one = 1 File 615.mlw: Line 2: t = 0 x = 1 t = 0 x = 1 Execution of main function `f` with env: t = 0 x = 1 zero = 0 one = 1 Line 3: Property failure at check with: x = 1 why3-1.6.0/bench/check-ce/oracles/615_Z3,4.8.4_SP.oracle000066400000000000000000000144101440160026300217050ustar00rootroot00000000000000File "bench/check-ce/615.mlw", line 2, characters 9-10: warning: unused variable t Check model 0 ("bench/check-ce/615.mlw", line 3, characters 12-28) Checking model: File 615.mlw: Line 2: x = {"type": "Integer", "val": "1"} Line 3: x = {"type": "Integer", "val": "1"} Giant-step RAC RHS evaluated for global `zero` at "WHY3DATA/stdlib/int.mlw", line 13, characters 15-19: 0 RHS evaluated for global `one` at "WHY3DATA/stdlib/int.mlw", line 14, characters 15-18: 1 Type default value for parameter `t` at "bench/check-ce/615.mlw", line 2, characters 9-10: 0 Value from model for parameter `x` at "bench/check-ce/615.mlw", line 2, characters 19-20: 1 Normal RAC RHS evaluated for global `zero` at "WHY3DATA/stdlib/int.mlw", line 13, characters 15-19: 0 RHS evaluated for global `one` at "WHY3DATA/stdlib/int.mlw", line 14, characters 15-18: 1 Type default value for parameter `t` at "bench/check-ce/615.mlw", line 2, characters 9-10: 0 Value from model for parameter `x` at "bench/check-ce/615.mlw", line 2, characters 19-20: 1 Result of checking model 0: NC - Concrete RAC: FAILURE (check at "bench/check-ce/615.mlw", line 3, characters 12-28) File int.mlw: Line 13: Constant zero initialization zero = 0 Line 14: Constant one initialization one = 1 File 615.mlw: Line 2: t = 0 x = 1 t = 0 x = 1 Execution of main function `f` with env: t = 0 x = 1 zero = 0 one = 1 Line 3: Property failure at check with: x = 1 - Abstract RAC: FAILURE (check at "bench/check-ce/615.mlw", line 3, characters 12-28) File int.mlw: Line 13: Constant zero initialization zero = 0 Line 14: Constant one initialization one = 1 File 615.mlw: Line 2: t = 0 x = 1 t = 0 x = 1 Execution of main function `f` with env: t = 0 x = 1 zero = 0 one = 1 Line 3: Property failure at check with: x = 1 Check model 1 ("bench/check-ce/615.mlw", line 3, characters 12-28) Checking model: File 615.mlw: Line 2: x = {"type": "Integer", "val": "1"} Line 3: x = {"type": "Integer", "val": "1"} Giant-step RAC RHS evaluated for global `zero` at "WHY3DATA/stdlib/int.mlw", line 13, characters 15-19: 0 RHS evaluated for global `one` at "WHY3DATA/stdlib/int.mlw", line 14, characters 15-18: 1 Type default value for parameter `t` at "bench/check-ce/615.mlw", line 2, characters 9-10: 0 Value from model for parameter `x` at "bench/check-ce/615.mlw", line 2, characters 19-20: 1 Normal RAC RHS evaluated for global `zero` at "WHY3DATA/stdlib/int.mlw", line 13, characters 15-19: 0 RHS evaluated for global `one` at "WHY3DATA/stdlib/int.mlw", line 14, characters 15-18: 1 Type default value for parameter `t` at "bench/check-ce/615.mlw", line 2, characters 9-10: 0 Value from model for parameter `x` at "bench/check-ce/615.mlw", line 2, characters 19-20: 1 Result of checking model 1: NC - Concrete RAC: FAILURE (check at "bench/check-ce/615.mlw", line 3, characters 12-28) File int.mlw: Line 13: Constant zero initialization zero = 0 Line 14: Constant one initialization one = 1 File 615.mlw: Line 2: t = 0 x = 1 t = 0 x = 1 Execution of main function `f` with env: t = 0 x = 1 zero = 0 one = 1 Line 3: Property failure at check with: x = 1 - Abstract RAC: FAILURE (check at "bench/check-ce/615.mlw", line 3, characters 12-28) File int.mlw: Line 13: Constant zero initialization zero = 0 Line 14: Constant one initialization one = 1 File 615.mlw: Line 2: t = 0 x = 1 t = 0 x = 1 Execution of main function `f` with env: t = 0 x = 1 zero = 0 one = 1 Line 3: Property failure at check with: x = 1 Results: - Selected model 0: NC - Concrete RAC: FAILURE (check at "bench/check-ce/615.mlw", line 3, characters 12-28) - Abstract RAC: FAILURE (check at "bench/check-ce/615.mlw", line 3, characters 12-28) - Checked model 1: NC - Concrete RAC: FAILURE (check at "bench/check-ce/615.mlw", line 3, characters 12-28) - Abstract RAC: FAILURE (check at "bench/check-ce/615.mlw", line 3, characters 12-28) File "bench/check-ce/615.mlw", line 3, characters 12-28: Sub-goal Check of goal f'vc. Prover result is: Unknown (sat) (0.01s, 723 steps). The program does not comply to the verification goal, for example during the following execution: File int.mlw: Line 13: Constant zero initialization zero = 0 Line 14: Constant one initialization one = 1 File 615.mlw: Line 2: t = 0 x = 1 t = 0 x = 1 Execution of main function `f` with env: t = 0 x = 1 zero = 0 one = 1 Line 3: Property failure at check with: x = 1 why3-1.6.0/bench/check-ce/oracles/615_Z3,4.8.4_WP.oracle000066400000000000000000000144101440160026300217110ustar00rootroot00000000000000File "bench/check-ce/615.mlw", line 2, characters 9-10: warning: unused variable t Check model 0 ("bench/check-ce/615.mlw", line 3, characters 12-28) Checking model: File 615.mlw: Line 2: x = {"type": "Integer", "val": "1"} Line 3: x = {"type": "Integer", "val": "1"} Giant-step RAC RHS evaluated for global `zero` at "WHY3DATA/stdlib/int.mlw", line 13, characters 15-19: 0 RHS evaluated for global `one` at "WHY3DATA/stdlib/int.mlw", line 14, characters 15-18: 1 Type default value for parameter `t` at "bench/check-ce/615.mlw", line 2, characters 9-10: 0 Value from model for parameter `x` at "bench/check-ce/615.mlw", line 2, characters 19-20: 1 Normal RAC RHS evaluated for global `zero` at "WHY3DATA/stdlib/int.mlw", line 13, characters 15-19: 0 RHS evaluated for global `one` at "WHY3DATA/stdlib/int.mlw", line 14, characters 15-18: 1 Type default value for parameter `t` at "bench/check-ce/615.mlw", line 2, characters 9-10: 0 Value from model for parameter `x` at "bench/check-ce/615.mlw", line 2, characters 19-20: 1 Result of checking model 0: NC - Concrete RAC: FAILURE (check at "bench/check-ce/615.mlw", line 3, characters 12-28) File int.mlw: Line 13: Constant zero initialization zero = 0 Line 14: Constant one initialization one = 1 File 615.mlw: Line 2: t = 0 x = 1 t = 0 x = 1 Execution of main function `f` with env: t = 0 x = 1 zero = 0 one = 1 Line 3: Property failure at check with: x = 1 - Abstract RAC: FAILURE (check at "bench/check-ce/615.mlw", line 3, characters 12-28) File int.mlw: Line 13: Constant zero initialization zero = 0 Line 14: Constant one initialization one = 1 File 615.mlw: Line 2: t = 0 x = 1 t = 0 x = 1 Execution of main function `f` with env: t = 0 x = 1 zero = 0 one = 1 Line 3: Property failure at check with: x = 1 Check model 1 ("bench/check-ce/615.mlw", line 3, characters 12-28) Checking model: File 615.mlw: Line 2: x = {"type": "Integer", "val": "1"} Line 3: x = {"type": "Integer", "val": "1"} Giant-step RAC RHS evaluated for global `zero` at "WHY3DATA/stdlib/int.mlw", line 13, characters 15-19: 0 RHS evaluated for global `one` at "WHY3DATA/stdlib/int.mlw", line 14, characters 15-18: 1 Type default value for parameter `t` at "bench/check-ce/615.mlw", line 2, characters 9-10: 0 Value from model for parameter `x` at "bench/check-ce/615.mlw", line 2, characters 19-20: 1 Normal RAC RHS evaluated for global `zero` at "WHY3DATA/stdlib/int.mlw", line 13, characters 15-19: 0 RHS evaluated for global `one` at "WHY3DATA/stdlib/int.mlw", line 14, characters 15-18: 1 Type default value for parameter `t` at "bench/check-ce/615.mlw", line 2, characters 9-10: 0 Value from model for parameter `x` at "bench/check-ce/615.mlw", line 2, characters 19-20: 1 Result of checking model 1: NC - Concrete RAC: FAILURE (check at "bench/check-ce/615.mlw", line 3, characters 12-28) File int.mlw: Line 13: Constant zero initialization zero = 0 Line 14: Constant one initialization one = 1 File 615.mlw: Line 2: t = 0 x = 1 t = 0 x = 1 Execution of main function `f` with env: t = 0 x = 1 zero = 0 one = 1 Line 3: Property failure at check with: x = 1 - Abstract RAC: FAILURE (check at "bench/check-ce/615.mlw", line 3, characters 12-28) File int.mlw: Line 13: Constant zero initialization zero = 0 Line 14: Constant one initialization one = 1 File 615.mlw: Line 2: t = 0 x = 1 t = 0 x = 1 Execution of main function `f` with env: t = 0 x = 1 zero = 0 one = 1 Line 3: Property failure at check with: x = 1 Results: - Selected model 0: NC - Concrete RAC: FAILURE (check at "bench/check-ce/615.mlw", line 3, characters 12-28) - Abstract RAC: FAILURE (check at "bench/check-ce/615.mlw", line 3, characters 12-28) - Checked model 1: NC - Concrete RAC: FAILURE (check at "bench/check-ce/615.mlw", line 3, characters 12-28) - Abstract RAC: FAILURE (check at "bench/check-ce/615.mlw", line 3, characters 12-28) File "bench/check-ce/615.mlw", line 3, characters 12-28: Sub-goal Check of goal f'vc. Prover result is: Unknown (sat) (0.02s, 723 steps). The program does not comply to the verification goal, for example during the following execution: File int.mlw: Line 13: Constant zero initialization zero = 0 Line 14: Constant one initialization one = 1 File 615.mlw: Line 2: t = 0 x = 1 t = 0 x = 1 Execution of main function `f` with env: t = 0 x = 1 zero = 0 one = 1 Line 3: Property failure at check with: x = 1 why3-1.6.0/bench/check-ce/oracles/640_no_loc_failure_CVC4,1.8_SP.oracle000066400000000000000000000051361440160026300250060ustar00rootroot00000000000000Categorizations of models: - Selected model 0: NC - Concrete RAC: FAILURE (postcondition at "bench/check-ce/640_no_loc_failure.mlw", line 5, characters 39-65) - Abstract RAC: FAILURE (postcondition at "bench/check-ce/640_no_loc_failure.mlw", line 5, characters 39-65) - Checked model 1: NC - Concrete RAC: FAILURE (postcondition at "bench/check-ce/640_no_loc_failure.mlw", line 5, characters 39-65) - Abstract RAC: FAILURE (postcondition at "bench/check-ce/640_no_loc_failure.mlw", line 5, characters 39-65) File "bench/check-ce/640_no_loc_failure.mlw", line 5, characters 39-65: Goal wrong. Prover result is: Unknown or time/memory/step limit. The program does not comply to the verification goal, for example during the following execution: File int.mlw: Line 13: Constant zero initialization zero = 0 Line 14: Constant one initialization one = 1 File bv.mlw: Line 632: Constant zeros initialization Line 192: (giant-step) execution of unimplemented function with args: result = 0 Line 632: zeros = 0 Constant one initialization Line 197: (giant-step) execution of unimplemented function with args: result = 0 Line 632: one = 0 Constant ones initialization Line 199: (giant-step) execution of unimplemented function with args: result = 0 Line 632: ones = 0 File 640_no_loc_failure.mlw: Line 5: x = (4611686018427387904:t) Line 4: x = (4611686018427387904:t) Execution of main function `wrong'goal` with env: x = (4611686018427387904:t) zero = 0 one = 1 zeros = 0 one = 0 ones = 0 Unknown location: Normal execution of function `Tuple0` with args: File 640_no_loc_failure.mlw: Line 5: Property failure at postcondition of `wrong'goal` with: x = (4611686018427387904:t) Categorizations of models: - Checked model 0: BAD_CE - Concrete RAC: NORMAL - Abstract RAC: NORMAL - Selected model 1: BAD_CE - Concrete RAC: NORMAL - Abstract RAC: NORMAL File "bench/check-ce/640_no_loc_failure.mlw", line 12, characters 39-65: Goal wrong. Prover result is: Unknown or time/memory/step limit. Sorry, we don't have a good counterexample for you :( Categorizations of models: - Checked model 0: BAD_CE - Concrete RAC: NORMAL - Abstract RAC: NORMAL - Selected model 1: BAD_CE - Concrete RAC: NORMAL - Abstract RAC: NORMAL File "bench/check-ce/640_no_loc_failure.mlw", line 19, characters 22-48: Goal wrong. Prover result is: Unknown or time/memory/step limit. Sorry, we don't have a good counterexample for you :( why3-1.6.0/bench/check-ce/oracles/640_no_loc_failure_CVC4,1.8_WP.oracle000066400000000000000000000051361440160026300250120ustar00rootroot00000000000000Categorizations of models: - Selected model 0: NC - Concrete RAC: FAILURE (postcondition at "bench/check-ce/640_no_loc_failure.mlw", line 5, characters 39-65) - Abstract RAC: FAILURE (postcondition at "bench/check-ce/640_no_loc_failure.mlw", line 5, characters 39-65) - Checked model 1: NC - Concrete RAC: FAILURE (postcondition at "bench/check-ce/640_no_loc_failure.mlw", line 5, characters 39-65) - Abstract RAC: FAILURE (postcondition at "bench/check-ce/640_no_loc_failure.mlw", line 5, characters 39-65) File "bench/check-ce/640_no_loc_failure.mlw", line 5, characters 39-65: Goal wrong. Prover result is: Unknown or time/memory/step limit. The program does not comply to the verification goal, for example during the following execution: File int.mlw: Line 13: Constant zero initialization zero = 0 Line 14: Constant one initialization one = 1 File bv.mlw: Line 632: Constant zeros initialization Line 192: (giant-step) execution of unimplemented function with args: result = 0 Line 632: zeros = 0 Constant one initialization Line 197: (giant-step) execution of unimplemented function with args: result = 0 Line 632: one = 0 Constant ones initialization Line 199: (giant-step) execution of unimplemented function with args: result = 0 Line 632: ones = 0 File 640_no_loc_failure.mlw: Line 5: x = (4611686018427387904:t) Line 4: x = (4611686018427387904:t) Execution of main function `wrong'goal` with env: x = (4611686018427387904:t) zero = 0 one = 1 zeros = 0 one = 0 ones = 0 Unknown location: Normal execution of function `Tuple0` with args: File 640_no_loc_failure.mlw: Line 5: Property failure at postcondition of `wrong'goal` with: x = (4611686018427387904:t) Categorizations of models: - Checked model 0: BAD_CE - Concrete RAC: NORMAL - Abstract RAC: NORMAL - Selected model 1: BAD_CE - Concrete RAC: NORMAL - Abstract RAC: NORMAL File "bench/check-ce/640_no_loc_failure.mlw", line 12, characters 39-65: Goal wrong. Prover result is: Unknown or time/memory/step limit. Sorry, we don't have a good counterexample for you :( Categorizations of models: - Checked model 0: BAD_CE - Concrete RAC: NORMAL - Abstract RAC: NORMAL - Selected model 1: BAD_CE - Concrete RAC: NORMAL - Abstract RAC: NORMAL File "bench/check-ce/640_no_loc_failure.mlw", line 19, characters 22-48: Goal wrong. Prover result is: Unknown or time/memory/step limit. Sorry, we don't have a good counterexample for you :( why3-1.6.0/bench/check-ce/oracles/640_no_loc_failure_CVC5,1.0.0_SP.oracle000066400000000000000000000050321440160026300251300ustar00rootroot00000000000000Categorizations of models: - Selected model 0: NC - Concrete RAC: FAILURE (postcondition at "bench/check-ce/640_no_loc_failure.mlw", line 5, characters 39-65) - Abstract RAC: FAILURE (postcondition at "bench/check-ce/640_no_loc_failure.mlw", line 5, characters 39-65) - Checked model 1: NC - Concrete RAC: FAILURE (postcondition at "bench/check-ce/640_no_loc_failure.mlw", line 5, characters 39-65) - Abstract RAC: FAILURE (postcondition at "bench/check-ce/640_no_loc_failure.mlw", line 5, characters 39-65) File "bench/check-ce/640_no_loc_failure.mlw", line 5, characters 39-65: Goal wrong. Prover result is: Unknown or time/memory/step limit. The program does not comply to the verification goal, for example during the following execution: File int.mlw: Line 13: Constant zero initialization zero = 0 Line 14: Constant one initialization one = 1 File bv.mlw: Line 632: Constant zeros initialization Line 192: (giant-step) execution of unimplemented function with args: result = 0 Line 632: zeros = 0 Constant one initialization Line 197: (giant-step) execution of unimplemented function with args: result = 0 Line 632: one = 0 Constant ones initialization Line 199: (giant-step) execution of unimplemented function with args: result = 0 Line 632: ones = 0 File 640_no_loc_failure.mlw: Line 5: x = (42:t) Line 4: x = (42:t) Execution of main function `wrong'goal` with env: x = (42:t) zero = 0 one = 1 zeros = 0 one = 0 ones = 0 Unknown location: Normal execution of function `Tuple0` with args: File 640_no_loc_failure.mlw: Line 5: Property failure at postcondition of `wrong'goal` with: x = (42:t) Categorizations of models: - Checked model 0: BAD_CE - Concrete RAC: NORMAL - Abstract RAC: NORMAL - Selected model 1: BAD_CE - Concrete RAC: NORMAL - Abstract RAC: NORMAL File "bench/check-ce/640_no_loc_failure.mlw", line 12, characters 39-65: Goal wrong. Prover result is: Unknown or time/memory/step limit. Sorry, we don't have a good counterexample for you :( Categorizations of models: - Checked model 0: BAD_CE - Concrete RAC: NORMAL - Abstract RAC: NORMAL - Selected model 1: BAD_CE - Concrete RAC: NORMAL - Abstract RAC: NORMAL File "bench/check-ce/640_no_loc_failure.mlw", line 19, characters 22-48: Goal wrong. Prover result is: Unknown or time/memory/step limit. Sorry, we don't have a good counterexample for you :( why3-1.6.0/bench/check-ce/oracles/640_no_loc_failure_CVC5,1.0.0_WP.oracle000066400000000000000000000050321440160026300251340ustar00rootroot00000000000000Categorizations of models: - Selected model 0: NC - Concrete RAC: FAILURE (postcondition at "bench/check-ce/640_no_loc_failure.mlw", line 5, characters 39-65) - Abstract RAC: FAILURE (postcondition at "bench/check-ce/640_no_loc_failure.mlw", line 5, characters 39-65) - Checked model 1: NC - Concrete RAC: FAILURE (postcondition at "bench/check-ce/640_no_loc_failure.mlw", line 5, characters 39-65) - Abstract RAC: FAILURE (postcondition at "bench/check-ce/640_no_loc_failure.mlw", line 5, characters 39-65) File "bench/check-ce/640_no_loc_failure.mlw", line 5, characters 39-65: Goal wrong. Prover result is: Unknown or time/memory/step limit. The program does not comply to the verification goal, for example during the following execution: File int.mlw: Line 13: Constant zero initialization zero = 0 Line 14: Constant one initialization one = 1 File bv.mlw: Line 632: Constant zeros initialization Line 192: (giant-step) execution of unimplemented function with args: result = 0 Line 632: zeros = 0 Constant one initialization Line 197: (giant-step) execution of unimplemented function with args: result = 0 Line 632: one = 0 Constant ones initialization Line 199: (giant-step) execution of unimplemented function with args: result = 0 Line 632: ones = 0 File 640_no_loc_failure.mlw: Line 5: x = (42:t) Line 4: x = (42:t) Execution of main function `wrong'goal` with env: x = (42:t) zero = 0 one = 1 zeros = 0 one = 0 ones = 0 Unknown location: Normal execution of function `Tuple0` with args: File 640_no_loc_failure.mlw: Line 5: Property failure at postcondition of `wrong'goal` with: x = (42:t) Categorizations of models: - Checked model 0: BAD_CE - Concrete RAC: NORMAL - Abstract RAC: NORMAL - Selected model 1: BAD_CE - Concrete RAC: NORMAL - Abstract RAC: NORMAL File "bench/check-ce/640_no_loc_failure.mlw", line 12, characters 39-65: Goal wrong. Prover result is: Unknown or time/memory/step limit. Sorry, we don't have a good counterexample for you :( Categorizations of models: - Checked model 0: BAD_CE - Concrete RAC: NORMAL - Abstract RAC: NORMAL - Selected model 1: BAD_CE - Concrete RAC: NORMAL - Abstract RAC: NORMAL File "bench/check-ce/640_no_loc_failure.mlw", line 19, characters 22-48: Goal wrong. Prover result is: Unknown or time/memory/step limit. Sorry, we don't have a good counterexample for you :( why3-1.6.0/bench/check-ce/oracles/640_no_loc_failure_Z3,4.8.10_SP.oracle000066400000000000000000000054701440160026300250260ustar00rootroot00000000000000Categorizations of models: - Selected model 0: NC - Concrete RAC: FAILURE (postcondition at "bench/check-ce/640_no_loc_failure.mlw", line 5, characters 39-65) - Abstract RAC: FAILURE (postcondition at "bench/check-ce/640_no_loc_failure.mlw", line 5, characters 39-65) - Checked model 1: BAD_CE - Concrete RAC: NORMAL - Abstract RAC: NORMAL File "bench/check-ce/640_no_loc_failure.mlw", line 5, characters 39-65: Goal wrong. Prover result is: Unknown or time/memory/step limit. The program does not comply to the verification goal, for example during the following execution: File int.mlw: Line 13: Constant zero initialization zero = 0 Line 14: Constant one initialization one = 1 File bv.mlw: Line 632: Constant zeros initialization Line 192: (giant-step) execution of unimplemented function with args: result = 0 Line 632: zeros = 0 Constant one initialization Line 197: (giant-step) execution of unimplemented function with args: result = 0 Line 632: one = 0 Constant ones initialization Line 199: (giant-step) execution of unimplemented function with args: result = 0 Line 632: ones = 0 File 640_no_loc_failure.mlw: Line 5: x = (42:t) Line 4: x = (42:t) Execution of main function `wrong'goal` with env: x = (42:t) zero = 0 one = 1 zeros = 0 one = 0 ones = 0 Unknown location: Normal execution of function `Tuple0` with args: File 640_no_loc_failure.mlw: Line 5: Property failure at postcondition of `wrong'goal` with: x = (42:t) Categorizations of models: - Selected model 0: BAD_CE - Concrete RAC: STUCK (failure in postcondition of `wrong'lemma` at "bench/check-ce/640_no_loc_failure.mlw", line 12, characters 39-65) - Abstract RAC: STUCK (failure in postcondition of `wrong'lemma` at "bench/check-ce/640_no_loc_failure.mlw", line 12, characters 39-65) - Checked model 1: BAD_CE - Concrete RAC: NORMAL - Abstract RAC: NORMAL File "bench/check-ce/640_no_loc_failure.mlw", line 12, characters 39-65: Goal wrong. Prover result is: Unknown or time/memory/step limit. Sorry, we don't have a good counterexample for you :( Categorizations of models: - Selected model 0: BAD_CE - Concrete RAC: STUCK (failure in postcondition of `wrong'lemma1` at "bench/check-ce/640_no_loc_failure.mlw", line 19, characters 22-48) - Abstract RAC: STUCK (failure in postcondition of `wrong'lemma1` at "bench/check-ce/640_no_loc_failure.mlw", line 19, characters 22-48) - Checked model 1: BAD_CE - Concrete RAC: NORMAL - Abstract RAC: NORMAL File "bench/check-ce/640_no_loc_failure.mlw", line 19, characters 22-48: Goal wrong. Prover result is: Unknown or time/memory/step limit. Sorry, we don't have a good counterexample for you :( why3-1.6.0/bench/check-ce/oracles/640_no_loc_failure_Z3,4.8.10_WP.oracle000066400000000000000000000054701440160026300250320ustar00rootroot00000000000000Categorizations of models: - Selected model 0: NC - Concrete RAC: FAILURE (postcondition at "bench/check-ce/640_no_loc_failure.mlw", line 5, characters 39-65) - Abstract RAC: FAILURE (postcondition at "bench/check-ce/640_no_loc_failure.mlw", line 5, characters 39-65) - Checked model 1: BAD_CE - Concrete RAC: NORMAL - Abstract RAC: NORMAL File "bench/check-ce/640_no_loc_failure.mlw", line 5, characters 39-65: Goal wrong. Prover result is: Unknown or time/memory/step limit. The program does not comply to the verification goal, for example during the following execution: File int.mlw: Line 13: Constant zero initialization zero = 0 Line 14: Constant one initialization one = 1 File bv.mlw: Line 632: Constant zeros initialization Line 192: (giant-step) execution of unimplemented function with args: result = 0 Line 632: zeros = 0 Constant one initialization Line 197: (giant-step) execution of unimplemented function with args: result = 0 Line 632: one = 0 Constant ones initialization Line 199: (giant-step) execution of unimplemented function with args: result = 0 Line 632: ones = 0 File 640_no_loc_failure.mlw: Line 5: x = (42:t) Line 4: x = (42:t) Execution of main function `wrong'goal` with env: x = (42:t) zero = 0 one = 1 zeros = 0 one = 0 ones = 0 Unknown location: Normal execution of function `Tuple0` with args: File 640_no_loc_failure.mlw: Line 5: Property failure at postcondition of `wrong'goal` with: x = (42:t) Categorizations of models: - Selected model 0: BAD_CE - Concrete RAC: STUCK (failure in postcondition of `wrong'lemma` at "bench/check-ce/640_no_loc_failure.mlw", line 12, characters 39-65) - Abstract RAC: STUCK (failure in postcondition of `wrong'lemma` at "bench/check-ce/640_no_loc_failure.mlw", line 12, characters 39-65) - Checked model 1: BAD_CE - Concrete RAC: NORMAL - Abstract RAC: NORMAL File "bench/check-ce/640_no_loc_failure.mlw", line 12, characters 39-65: Goal wrong. Prover result is: Unknown or time/memory/step limit. Sorry, we don't have a good counterexample for you :( Categorizations of models: - Selected model 0: BAD_CE - Concrete RAC: STUCK (failure in postcondition of `wrong'lemma1` at "bench/check-ce/640_no_loc_failure.mlw", line 19, characters 22-48) - Abstract RAC: STUCK (failure in postcondition of `wrong'lemma1` at "bench/check-ce/640_no_loc_failure.mlw", line 19, characters 22-48) - Checked model 1: BAD_CE - Concrete RAC: NORMAL - Abstract RAC: NORMAL File "bench/check-ce/640_no_loc_failure.mlw", line 19, characters 22-48: Goal wrong. Prover result is: Unknown or time/memory/step limit. Sorry, we don't have a good counterexample for you :( why3-1.6.0/bench/check-ce/oracles/657_CVC4,1.8_SP.oracle000066400000000000000000000154601440160026300217570ustar00rootroot00000000000000Categorizations of models: - Selected model 0: NC - Concrete RAC: FAILURE (precondition at "bench/check-ce/657.mlw", line 8, characters 27-40) - Abstract RAC: FAILURE (precondition at "bench/check-ce/657.mlw", line 8, characters 27-40) - Checked model 1: NC - Concrete RAC: FAILURE (precondition at "bench/check-ce/657.mlw", line 8, characters 27-40) - Abstract RAC: FAILURE (precondition at "bench/check-ce/657.mlw", line 8, characters 27-40) File "bench/check-ce/657.mlw", line 8, characters 27-40: Sub-goal Precondition of goal ok'vc. Prover result is: Unknown or time/memory/step limit. The program does not comply to the verification goal, for example during the following execution: File int.mlw: Line 13: Constant zero initialization zero = 0 Line 14: Constant one initialization one = 1 File bv.mlw: Line 632: Constant zeros initialization Line 192: (giant-step) execution of unimplemented function with args: result = 0 Line 632: zeros = 0 Constant one initialization Line 197: (giant-step) execution of unimplemented function with args: result = 0 Line 632: one = 0 Constant ones initialization Line 199: (giant-step) execution of unimplemented function with args: result = 0 Line 632: ones = 0 Line 653: Constant zeros initialization Line 192: (giant-step) execution of unimplemented function with args: result = 0 Line 653: zeros = 0 Constant one initialization Line 197: (giant-step) execution of unimplemented function with args: result = 0 Line 653: one = 0 Constant ones initialization Line 199: (giant-step) execution of unimplemented function with args: result = 0 Line 653: ones = 0 File 657.mlw: Line 8: i = (2147483648:t) i = (2147483648:t) Execution of main function `ok` with env: i = (2147483648:t) zero = 0 one = 1 zeros = 0 one = 0 ones = 0 zeros = 0 one = 0 ones = 0 (giant-step) execution of unimplemented function `toBig` _ = (2147483648:t) result of `toBig` = (2147483648:t1) (giant-step) execution of unimplemented function `u` i = (2147483648:t1) Property failure at precondition of `u` with: i = (2147483648:t1) Categorizations of models: - Selected model 0: NC - Concrete RAC: FAILURE (precondition at "bench/check-ce/657.mlw", line 10, characters 27-41) - Abstract RAC: FAILURE (precondition at "bench/check-ce/657.mlw", line 10, characters 27-41) - Checked model 1: NC - Concrete RAC: FAILURE (precondition at "bench/check-ce/657.mlw", line 10, characters 27-41) - Abstract RAC: FAILURE (precondition at "bench/check-ce/657.mlw", line 10, characters 27-41) File "bench/check-ce/657.mlw", line 10, characters 27-41: Sub-goal Precondition of goal ko'vc. Prover result is: Unknown or time/memory/step limit. The program does not comply to the verification goal, for example during the following execution: File int.mlw: Line 13: Constant zero initialization zero = 0 Line 14: Constant one initialization one = 1 File bv.mlw: Line 632: Constant zeros initialization Line 192: (giant-step) execution of unimplemented function with args: result = 0 Line 632: zeros = 0 Constant one initialization Line 197: (giant-step) execution of unimplemented function with args: result = 0 Line 632: one = 0 Constant ones initialization Line 199: (giant-step) execution of unimplemented function with args: result = 0 Line 632: ones = 0 Line 653: Constant zeros initialization Line 192: (giant-step) execution of unimplemented function with args: result = 0 Line 653: zeros = 0 Constant one initialization Line 197: (giant-step) execution of unimplemented function with args: result = 0 Line 653: one = 0 Constant ones initialization Line 199: (giant-step) execution of unimplemented function with args: result = 0 Line 653: ones = 0 File 657.mlw: Line 10: i = (1073741824:t) i = (1073741824:t) Execution of main function `ko` with env: i = (1073741824:t) zero = 0 one = 1 zeros = 0 one = 0 ones = 0 zeros = 0 one = 0 ones = 0 (giant-step) execution of unimplemented function `stoBig` _ = (1073741824:t) result of `stoBig` = (1073741824:t1) (giant-step) execution of unimplemented function `u` i = (1073741824:t1) Property failure at precondition of `u` with: i = (1073741824:t1) Categorizations of models: - Selected model 0: NC - Concrete RAC: FAILURE (postcondition at "bench/check-ce/657.mlw", line 13, characters 14-40) - Abstract RAC: FAILURE (postcondition at "bench/check-ce/657.mlw", line 13, characters 14-40) - Checked model 1: NC - Concrete RAC: FAILURE (postcondition at "bench/check-ce/657.mlw", line 13, characters 14-40) - Abstract RAC: FAILURE (postcondition at "bench/check-ce/657.mlw", line 13, characters 14-40) File "bench/check-ce/657.mlw", line 13, characters 14-40: Sub-goal Postcondition of goal ko2'vc. Prover result is: Unknown or time/memory/step limit. The program does not comply to the verification goal, for example during the following execution: File int.mlw: Line 13: Constant zero initialization zero = 0 Line 14: Constant one initialization one = 1 File bv.mlw: Line 632: Constant zeros initialization Line 192: (giant-step) execution of unimplemented function with args: result = 0 Line 632: zeros = 0 Constant one initialization Line 197: (giant-step) execution of unimplemented function with args: result = 0 Line 632: one = 0 Constant ones initialization Line 199: (giant-step) execution of unimplemented function with args: result = 0 Line 632: ones = 0 Line 653: Constant zeros initialization Line 192: (giant-step) execution of unimplemented function with args: result = 0 Line 653: zeros = 0 Constant one initialization Line 197: (giant-step) execution of unimplemented function with args: result = 0 Line 653: one = 0 Constant ones initialization Line 199: (giant-step) execution of unimplemented function with args: result = 0 Line 653: ones = 0 File 657.mlw: Line 12: i = (2147483648:t) i = (2147483648:t) Execution of main function `ko2` with env: i = (2147483648:t) zero = 0 one = 1 zeros = 0 one = 0 ones = 0 zeros = 0 one = 0 ones = 0 Line 13: (giant-step) execution of unimplemented function `stoBig` _ = (2147483648:t) result of `stoBig` = (18446744071562067968:t1) Property failure at postcondition of `ko2` with: result = (18446744071562067968:t1) why3-1.6.0/bench/check-ce/oracles/657_CVC4,1.8_WP.oracle000066400000000000000000000154601440160026300217630ustar00rootroot00000000000000Categorizations of models: - Selected model 0: NC - Concrete RAC: FAILURE (precondition at "bench/check-ce/657.mlw", line 8, characters 27-40) - Abstract RAC: FAILURE (precondition at "bench/check-ce/657.mlw", line 8, characters 27-40) - Checked model 1: NC - Concrete RAC: FAILURE (precondition at "bench/check-ce/657.mlw", line 8, characters 27-40) - Abstract RAC: FAILURE (precondition at "bench/check-ce/657.mlw", line 8, characters 27-40) File "bench/check-ce/657.mlw", line 8, characters 27-40: Sub-goal Precondition of goal ok'vc. Prover result is: Unknown or time/memory/step limit. The program does not comply to the verification goal, for example during the following execution: File int.mlw: Line 13: Constant zero initialization zero = 0 Line 14: Constant one initialization one = 1 File bv.mlw: Line 632: Constant zeros initialization Line 192: (giant-step) execution of unimplemented function with args: result = 0 Line 632: zeros = 0 Constant one initialization Line 197: (giant-step) execution of unimplemented function with args: result = 0 Line 632: one = 0 Constant ones initialization Line 199: (giant-step) execution of unimplemented function with args: result = 0 Line 632: ones = 0 Line 653: Constant zeros initialization Line 192: (giant-step) execution of unimplemented function with args: result = 0 Line 653: zeros = 0 Constant one initialization Line 197: (giant-step) execution of unimplemented function with args: result = 0 Line 653: one = 0 Constant ones initialization Line 199: (giant-step) execution of unimplemented function with args: result = 0 Line 653: ones = 0 File 657.mlw: Line 8: i = (2147483648:t) i = (2147483648:t) Execution of main function `ok` with env: i = (2147483648:t) zero = 0 one = 1 zeros = 0 one = 0 ones = 0 zeros = 0 one = 0 ones = 0 (giant-step) execution of unimplemented function `toBig` _ = (2147483648:t) result of `toBig` = (2147483648:t1) (giant-step) execution of unimplemented function `u` i = (2147483648:t1) Property failure at precondition of `u` with: i = (2147483648:t1) Categorizations of models: - Selected model 0: NC - Concrete RAC: FAILURE (precondition at "bench/check-ce/657.mlw", line 10, characters 27-41) - Abstract RAC: FAILURE (precondition at "bench/check-ce/657.mlw", line 10, characters 27-41) - Checked model 1: NC - Concrete RAC: FAILURE (precondition at "bench/check-ce/657.mlw", line 10, characters 27-41) - Abstract RAC: FAILURE (precondition at "bench/check-ce/657.mlw", line 10, characters 27-41) File "bench/check-ce/657.mlw", line 10, characters 27-41: Sub-goal Precondition of goal ko'vc. Prover result is: Unknown or time/memory/step limit. The program does not comply to the verification goal, for example during the following execution: File int.mlw: Line 13: Constant zero initialization zero = 0 Line 14: Constant one initialization one = 1 File bv.mlw: Line 632: Constant zeros initialization Line 192: (giant-step) execution of unimplemented function with args: result = 0 Line 632: zeros = 0 Constant one initialization Line 197: (giant-step) execution of unimplemented function with args: result = 0 Line 632: one = 0 Constant ones initialization Line 199: (giant-step) execution of unimplemented function with args: result = 0 Line 632: ones = 0 Line 653: Constant zeros initialization Line 192: (giant-step) execution of unimplemented function with args: result = 0 Line 653: zeros = 0 Constant one initialization Line 197: (giant-step) execution of unimplemented function with args: result = 0 Line 653: one = 0 Constant ones initialization Line 199: (giant-step) execution of unimplemented function with args: result = 0 Line 653: ones = 0 File 657.mlw: Line 10: i = (1073741824:t) i = (1073741824:t) Execution of main function `ko` with env: i = (1073741824:t) zero = 0 one = 1 zeros = 0 one = 0 ones = 0 zeros = 0 one = 0 ones = 0 (giant-step) execution of unimplemented function `stoBig` _ = (1073741824:t) result of `stoBig` = (1073741824:t1) (giant-step) execution of unimplemented function `u` i = (1073741824:t1) Property failure at precondition of `u` with: i = (1073741824:t1) Categorizations of models: - Selected model 0: NC - Concrete RAC: FAILURE (postcondition at "bench/check-ce/657.mlw", line 13, characters 14-40) - Abstract RAC: FAILURE (postcondition at "bench/check-ce/657.mlw", line 13, characters 14-40) - Checked model 1: NC - Concrete RAC: FAILURE (postcondition at "bench/check-ce/657.mlw", line 13, characters 14-40) - Abstract RAC: FAILURE (postcondition at "bench/check-ce/657.mlw", line 13, characters 14-40) File "bench/check-ce/657.mlw", line 13, characters 14-40: Sub-goal Postcondition of goal ko2'vc. Prover result is: Unknown or time/memory/step limit. The program does not comply to the verification goal, for example during the following execution: File int.mlw: Line 13: Constant zero initialization zero = 0 Line 14: Constant one initialization one = 1 File bv.mlw: Line 632: Constant zeros initialization Line 192: (giant-step) execution of unimplemented function with args: result = 0 Line 632: zeros = 0 Constant one initialization Line 197: (giant-step) execution of unimplemented function with args: result = 0 Line 632: one = 0 Constant ones initialization Line 199: (giant-step) execution of unimplemented function with args: result = 0 Line 632: ones = 0 Line 653: Constant zeros initialization Line 192: (giant-step) execution of unimplemented function with args: result = 0 Line 653: zeros = 0 Constant one initialization Line 197: (giant-step) execution of unimplemented function with args: result = 0 Line 653: one = 0 Constant ones initialization Line 199: (giant-step) execution of unimplemented function with args: result = 0 Line 653: ones = 0 File 657.mlw: Line 12: i = (2147483648:t) i = (2147483648:t) Execution of main function `ko2` with env: i = (2147483648:t) zero = 0 one = 1 zeros = 0 one = 0 ones = 0 zeros = 0 one = 0 ones = 0 Line 13: (giant-step) execution of unimplemented function `stoBig` _ = (2147483648:t) result of `stoBig` = (18446744071562067968:t1) Property failure at postcondition of `ko2` with: result = (18446744071562067968:t1) why3-1.6.0/bench/check-ce/oracles/657_CVC4,1.8_WP.out000066400000000000000000000001211440160026300213110ustar00rootroot00000000000000anomaly: (Sys_error "bench/check-ce/oracles/657.mlw: No such file or directory") why3-1.6.0/bench/check-ce/oracles/657_CVC5,1.0.0_SP.oracle000066400000000000000000000153001440160026300220770ustar00rootroot00000000000000Categorizations of models: - Selected model 0: NC - Concrete RAC: FAILURE (precondition at "bench/check-ce/657.mlw", line 8, characters 27-40) - Abstract RAC: FAILURE (precondition at "bench/check-ce/657.mlw", line 8, characters 27-40) - Checked model 1: NC - Concrete RAC: FAILURE (precondition at "bench/check-ce/657.mlw", line 8, characters 27-40) - Abstract RAC: FAILURE (precondition at "bench/check-ce/657.mlw", line 8, characters 27-40) File "bench/check-ce/657.mlw", line 8, characters 27-40: Sub-goal Precondition of goal ok'vc. Prover result is: Unknown or time/memory/step limit. The program does not comply to the verification goal, for example during the following execution: File int.mlw: Line 13: Constant zero initialization zero = 0 Line 14: Constant one initialization one = 1 File bv.mlw: Line 632: Constant zeros initialization Line 192: (giant-step) execution of unimplemented function with args: result = 0 Line 632: zeros = 0 Constant one initialization Line 197: (giant-step) execution of unimplemented function with args: result = 0 Line 632: one = 0 Constant ones initialization Line 199: (giant-step) execution of unimplemented function with args: result = 0 Line 632: ones = 0 Line 653: Constant zeros initialization Line 192: (giant-step) execution of unimplemented function with args: result = 0 Line 653: zeros = 0 Constant one initialization Line 197: (giant-step) execution of unimplemented function with args: result = 0 Line 653: one = 0 Constant ones initialization Line 199: (giant-step) execution of unimplemented function with args: result = 0 Line 653: ones = 0 File 657.mlw: Line 8: i = (11:t) i = (11:t) Execution of main function `ok` with env: i = (11:t) zero = 0 one = 1 zeros = 0 one = 0 ones = 0 zeros = 0 one = 0 ones = 0 (giant-step) execution of unimplemented function `toBig` _ = (11:t) result of `toBig` = (11:t1) (giant-step) execution of unimplemented function `u` i = (11:t1) Property failure at precondition of `u` with: i = (11:t1) Categorizations of models: - Selected model 0: NC - Concrete RAC: FAILURE (precondition at "bench/check-ce/657.mlw", line 10, characters 27-41) - Abstract RAC: FAILURE (precondition at "bench/check-ce/657.mlw", line 10, characters 27-41) - Checked model 1: NC - Concrete RAC: FAILURE (precondition at "bench/check-ce/657.mlw", line 10, characters 27-41) - Abstract RAC: FAILURE (precondition at "bench/check-ce/657.mlw", line 10, characters 27-41) File "bench/check-ce/657.mlw", line 10, characters 27-41: Sub-goal Precondition of goal ko'vc. Prover result is: Unknown or time/memory/step limit. The program does not comply to the verification goal, for example during the following execution: File int.mlw: Line 13: Constant zero initialization zero = 0 Line 14: Constant one initialization one = 1 File bv.mlw: Line 632: Constant zeros initialization Line 192: (giant-step) execution of unimplemented function with args: result = 0 Line 632: zeros = 0 Constant one initialization Line 197: (giant-step) execution of unimplemented function with args: result = 0 Line 632: one = 0 Constant ones initialization Line 199: (giant-step) execution of unimplemented function with args: result = 0 Line 632: ones = 0 Line 653: Constant zeros initialization Line 192: (giant-step) execution of unimplemented function with args: result = 0 Line 653: zeros = 0 Constant one initialization Line 197: (giant-step) execution of unimplemented function with args: result = 0 Line 653: one = 0 Constant ones initialization Line 199: (giant-step) execution of unimplemented function with args: result = 0 Line 653: ones = 0 File 657.mlw: Line 10: i = (11:t) i = (11:t) Execution of main function `ko` with env: i = (11:t) zero = 0 one = 1 zeros = 0 one = 0 ones = 0 zeros = 0 one = 0 ones = 0 (giant-step) execution of unimplemented function `stoBig` _ = (11:t) result of `stoBig` = (11:t1) (giant-step) execution of unimplemented function `u` i = (11:t1) Property failure at precondition of `u` with: i = (11:t1) Categorizations of models: - Selected model 0: NC - Concrete RAC: FAILURE (postcondition at "bench/check-ce/657.mlw", line 13, characters 14-40) - Abstract RAC: FAILURE (postcondition at "bench/check-ce/657.mlw", line 13, characters 14-40) - Checked model 1: NC - Concrete RAC: FAILURE (postcondition at "bench/check-ce/657.mlw", line 13, characters 14-40) - Abstract RAC: FAILURE (postcondition at "bench/check-ce/657.mlw", line 13, characters 14-40) File "bench/check-ce/657.mlw", line 13, characters 14-40: Sub-goal Postcondition of goal ko2'vc. Prover result is: Unknown or time/memory/step limit. The program does not comply to the verification goal, for example during the following execution: File int.mlw: Line 13: Constant zero initialization zero = 0 Line 14: Constant one initialization one = 1 File bv.mlw: Line 632: Constant zeros initialization Line 192: (giant-step) execution of unimplemented function with args: result = 0 Line 632: zeros = 0 Constant one initialization Line 197: (giant-step) execution of unimplemented function with args: result = 0 Line 632: one = 0 Constant ones initialization Line 199: (giant-step) execution of unimplemented function with args: result = 0 Line 632: ones = 0 Line 653: Constant zeros initialization Line 192: (giant-step) execution of unimplemented function with args: result = 0 Line 653: zeros = 0 Constant one initialization Line 197: (giant-step) execution of unimplemented function with args: result = 0 Line 653: one = 0 Constant ones initialization Line 199: (giant-step) execution of unimplemented function with args: result = 0 Line 653: ones = 0 File 657.mlw: Line 12: i = (2147483648:t) i = (2147483648:t) Execution of main function `ko2` with env: i = (2147483648:t) zero = 0 one = 1 zeros = 0 one = 0 ones = 0 zeros = 0 one = 0 ones = 0 Line 13: (giant-step) execution of unimplemented function `stoBig` _ = (2147483648:t) result of `stoBig` = (18446744071562067968:t1) Property failure at postcondition of `ko2` with: result = (18446744071562067968:t1) why3-1.6.0/bench/check-ce/oracles/657_CVC5,1.0.0_WP.oracle000066400000000000000000000153001440160026300221030ustar00rootroot00000000000000Categorizations of models: - Selected model 0: NC - Concrete RAC: FAILURE (precondition at "bench/check-ce/657.mlw", line 8, characters 27-40) - Abstract RAC: FAILURE (precondition at "bench/check-ce/657.mlw", line 8, characters 27-40) - Checked model 1: NC - Concrete RAC: FAILURE (precondition at "bench/check-ce/657.mlw", line 8, characters 27-40) - Abstract RAC: FAILURE (precondition at "bench/check-ce/657.mlw", line 8, characters 27-40) File "bench/check-ce/657.mlw", line 8, characters 27-40: Sub-goal Precondition of goal ok'vc. Prover result is: Unknown or time/memory/step limit. The program does not comply to the verification goal, for example during the following execution: File int.mlw: Line 13: Constant zero initialization zero = 0 Line 14: Constant one initialization one = 1 File bv.mlw: Line 632: Constant zeros initialization Line 192: (giant-step) execution of unimplemented function with args: result = 0 Line 632: zeros = 0 Constant one initialization Line 197: (giant-step) execution of unimplemented function with args: result = 0 Line 632: one = 0 Constant ones initialization Line 199: (giant-step) execution of unimplemented function with args: result = 0 Line 632: ones = 0 Line 653: Constant zeros initialization Line 192: (giant-step) execution of unimplemented function with args: result = 0 Line 653: zeros = 0 Constant one initialization Line 197: (giant-step) execution of unimplemented function with args: result = 0 Line 653: one = 0 Constant ones initialization Line 199: (giant-step) execution of unimplemented function with args: result = 0 Line 653: ones = 0 File 657.mlw: Line 8: i = (11:t) i = (11:t) Execution of main function `ok` with env: i = (11:t) zero = 0 one = 1 zeros = 0 one = 0 ones = 0 zeros = 0 one = 0 ones = 0 (giant-step) execution of unimplemented function `toBig` _ = (11:t) result of `toBig` = (11:t1) (giant-step) execution of unimplemented function `u` i = (11:t1) Property failure at precondition of `u` with: i = (11:t1) Categorizations of models: - Selected model 0: NC - Concrete RAC: FAILURE (precondition at "bench/check-ce/657.mlw", line 10, characters 27-41) - Abstract RAC: FAILURE (precondition at "bench/check-ce/657.mlw", line 10, characters 27-41) - Checked model 1: NC - Concrete RAC: FAILURE (precondition at "bench/check-ce/657.mlw", line 10, characters 27-41) - Abstract RAC: FAILURE (precondition at "bench/check-ce/657.mlw", line 10, characters 27-41) File "bench/check-ce/657.mlw", line 10, characters 27-41: Sub-goal Precondition of goal ko'vc. Prover result is: Unknown or time/memory/step limit. The program does not comply to the verification goal, for example during the following execution: File int.mlw: Line 13: Constant zero initialization zero = 0 Line 14: Constant one initialization one = 1 File bv.mlw: Line 632: Constant zeros initialization Line 192: (giant-step) execution of unimplemented function with args: result = 0 Line 632: zeros = 0 Constant one initialization Line 197: (giant-step) execution of unimplemented function with args: result = 0 Line 632: one = 0 Constant ones initialization Line 199: (giant-step) execution of unimplemented function with args: result = 0 Line 632: ones = 0 Line 653: Constant zeros initialization Line 192: (giant-step) execution of unimplemented function with args: result = 0 Line 653: zeros = 0 Constant one initialization Line 197: (giant-step) execution of unimplemented function with args: result = 0 Line 653: one = 0 Constant ones initialization Line 199: (giant-step) execution of unimplemented function with args: result = 0 Line 653: ones = 0 File 657.mlw: Line 10: i = (11:t) i = (11:t) Execution of main function `ko` with env: i = (11:t) zero = 0 one = 1 zeros = 0 one = 0 ones = 0 zeros = 0 one = 0 ones = 0 (giant-step) execution of unimplemented function `stoBig` _ = (11:t) result of `stoBig` = (11:t1) (giant-step) execution of unimplemented function `u` i = (11:t1) Property failure at precondition of `u` with: i = (11:t1) Categorizations of models: - Selected model 0: NC - Concrete RAC: FAILURE (postcondition at "bench/check-ce/657.mlw", line 13, characters 14-40) - Abstract RAC: FAILURE (postcondition at "bench/check-ce/657.mlw", line 13, characters 14-40) - Checked model 1: NC - Concrete RAC: FAILURE (postcondition at "bench/check-ce/657.mlw", line 13, characters 14-40) - Abstract RAC: FAILURE (postcondition at "bench/check-ce/657.mlw", line 13, characters 14-40) File "bench/check-ce/657.mlw", line 13, characters 14-40: Sub-goal Postcondition of goal ko2'vc. Prover result is: Unknown or time/memory/step limit. The program does not comply to the verification goal, for example during the following execution: File int.mlw: Line 13: Constant zero initialization zero = 0 Line 14: Constant one initialization one = 1 File bv.mlw: Line 632: Constant zeros initialization Line 192: (giant-step) execution of unimplemented function with args: result = 0 Line 632: zeros = 0 Constant one initialization Line 197: (giant-step) execution of unimplemented function with args: result = 0 Line 632: one = 0 Constant ones initialization Line 199: (giant-step) execution of unimplemented function with args: result = 0 Line 632: ones = 0 Line 653: Constant zeros initialization Line 192: (giant-step) execution of unimplemented function with args: result = 0 Line 653: zeros = 0 Constant one initialization Line 197: (giant-step) execution of unimplemented function with args: result = 0 Line 653: one = 0 Constant ones initialization Line 199: (giant-step) execution of unimplemented function with args: result = 0 Line 653: ones = 0 File 657.mlw: Line 12: i = (2147483648:t) i = (2147483648:t) Execution of main function `ko2` with env: i = (2147483648:t) zero = 0 one = 1 zeros = 0 one = 0 ones = 0 zeros = 0 one = 0 ones = 0 Line 13: (giant-step) execution of unimplemented function `stoBig` _ = (2147483648:t) result of `stoBig` = (18446744071562067968:t1) Property failure at postcondition of `ko2` with: result = (18446744071562067968:t1) why3-1.6.0/bench/check-ce/oracles/657_Z3,4.8.10_SP.oracle000066400000000000000000000144421440160026300217750ustar00rootroot00000000000000Categorizations of models: - Selected model 0: NC - Concrete RAC: FAILURE (precondition at "bench/check-ce/657.mlw", line 8, characters 27-40) - Abstract RAC: FAILURE (precondition at "bench/check-ce/657.mlw", line 8, characters 27-40) - Checked model 1: BAD_CE - Concrete RAC: NORMAL - Abstract RAC: NORMAL File "bench/check-ce/657.mlw", line 8, characters 27-40: Sub-goal Precondition of goal ok'vc. Prover result is: Unknown or time/memory/step limit. The program does not comply to the verification goal, for example during the following execution: File int.mlw: Line 13: Constant zero initialization zero = 0 Line 14: Constant one initialization one = 1 File bv.mlw: Line 632: Constant zeros initialization Line 192: (giant-step) execution of unimplemented function with args: result = 0 Line 632: zeros = 0 Constant one initialization Line 197: (giant-step) execution of unimplemented function with args: result = 0 Line 632: one = 0 Constant ones initialization Line 199: (giant-step) execution of unimplemented function with args: result = 0 Line 632: ones = 0 Line 653: Constant zeros initialization Line 192: (giant-step) execution of unimplemented function with args: result = 0 Line 653: zeros = 0 Constant one initialization Line 197: (giant-step) execution of unimplemented function with args: result = 0 Line 653: one = 0 Constant ones initialization Line 199: (giant-step) execution of unimplemented function with args: result = 0 Line 653: ones = 0 File 657.mlw: Line 8: i = (11:t) i = (11:t) Execution of main function `ok` with env: i = (11:t) zero = 0 one = 1 zeros = 0 one = 0 ones = 0 zeros = 0 one = 0 ones = 0 (giant-step) execution of unimplemented function `toBig` _ = (11:t) result of `toBig` = (11:t1) (giant-step) execution of unimplemented function `u` i = (11:t1) Property failure at precondition of `u` with: i = (11:t1) Categorizations of models: - Selected model 0: NC - Concrete RAC: FAILURE (precondition at "bench/check-ce/657.mlw", line 10, characters 27-41) - Abstract RAC: FAILURE (precondition at "bench/check-ce/657.mlw", line 10, characters 27-41) - Checked model 1: BAD_CE - Concrete RAC: NORMAL - Abstract RAC: NORMAL File "bench/check-ce/657.mlw", line 10, characters 27-41: Sub-goal Precondition of goal ko'vc. Prover result is: Unknown or time/memory/step limit. The program does not comply to the verification goal, for example during the following execution: File int.mlw: Line 13: Constant zero initialization zero = 0 Line 14: Constant one initialization one = 1 File bv.mlw: Line 632: Constant zeros initialization Line 192: (giant-step) execution of unimplemented function with args: result = 0 Line 632: zeros = 0 Constant one initialization Line 197: (giant-step) execution of unimplemented function with args: result = 0 Line 632: one = 0 Constant ones initialization Line 199: (giant-step) execution of unimplemented function with args: result = 0 Line 632: ones = 0 Line 653: Constant zeros initialization Line 192: (giant-step) execution of unimplemented function with args: result = 0 Line 653: zeros = 0 Constant one initialization Line 197: (giant-step) execution of unimplemented function with args: result = 0 Line 653: one = 0 Constant ones initialization Line 199: (giant-step) execution of unimplemented function with args: result = 0 Line 653: ones = 0 File 657.mlw: Line 10: i = (11:t) i = (11:t) Execution of main function `ko` with env: i = (11:t) zero = 0 one = 1 zeros = 0 one = 0 ones = 0 zeros = 0 one = 0 ones = 0 (giant-step) execution of unimplemented function `stoBig` _ = (11:t) result of `stoBig` = (11:t1) (giant-step) execution of unimplemented function `u` i = (11:t1) Property failure at precondition of `u` with: i = (11:t1) Categorizations of models: - Selected model 0: NC - Concrete RAC: FAILURE (postcondition at "bench/check-ce/657.mlw", line 13, characters 14-40) - Abstract RAC: FAILURE (postcondition at "bench/check-ce/657.mlw", line 13, characters 14-40) - Checked model 1: BAD_CE - Concrete RAC: NORMAL - Abstract RAC: NORMAL File "bench/check-ce/657.mlw", line 13, characters 14-40: Sub-goal Postcondition of goal ko2'vc. Prover result is: Unknown or time/memory/step limit. The program does not comply to the verification goal, for example during the following execution: File int.mlw: Line 13: Constant zero initialization zero = 0 Line 14: Constant one initialization one = 1 File bv.mlw: Line 632: Constant zeros initialization Line 192: (giant-step) execution of unimplemented function with args: result = 0 Line 632: zeros = 0 Constant one initialization Line 197: (giant-step) execution of unimplemented function with args: result = 0 Line 632: one = 0 Constant ones initialization Line 199: (giant-step) execution of unimplemented function with args: result = 0 Line 632: ones = 0 Line 653: Constant zeros initialization Line 192: (giant-step) execution of unimplemented function with args: result = 0 Line 653: zeros = 0 Constant one initialization Line 197: (giant-step) execution of unimplemented function with args: result = 0 Line 653: one = 0 Constant ones initialization Line 199: (giant-step) execution of unimplemented function with args: result = 0 Line 653: ones = 0 File 657.mlw: Line 12: i = (2147483648:t) i = (2147483648:t) Execution of main function `ko2` with env: i = (2147483648:t) zero = 0 one = 1 zeros = 0 one = 0 ones = 0 zeros = 0 one = 0 ones = 0 Line 13: (giant-step) execution of unimplemented function `stoBig` _ = (2147483648:t) result of `stoBig` = (18446744071562067968:t1) Property failure at postcondition of `ko2` with: result = (18446744071562067968:t1) why3-1.6.0/bench/check-ce/oracles/657_Z3,4.8.10_WP.oracle000066400000000000000000000144421440160026300220010ustar00rootroot00000000000000Categorizations of models: - Selected model 0: NC - Concrete RAC: FAILURE (precondition at "bench/check-ce/657.mlw", line 8, characters 27-40) - Abstract RAC: FAILURE (precondition at "bench/check-ce/657.mlw", line 8, characters 27-40) - Checked model 1: BAD_CE - Concrete RAC: NORMAL - Abstract RAC: NORMAL File "bench/check-ce/657.mlw", line 8, characters 27-40: Sub-goal Precondition of goal ok'vc. Prover result is: Unknown or time/memory/step limit. The program does not comply to the verification goal, for example during the following execution: File int.mlw: Line 13: Constant zero initialization zero = 0 Line 14: Constant one initialization one = 1 File bv.mlw: Line 632: Constant zeros initialization Line 192: (giant-step) execution of unimplemented function with args: result = 0 Line 632: zeros = 0 Constant one initialization Line 197: (giant-step) execution of unimplemented function with args: result = 0 Line 632: one = 0 Constant ones initialization Line 199: (giant-step) execution of unimplemented function with args: result = 0 Line 632: ones = 0 Line 653: Constant zeros initialization Line 192: (giant-step) execution of unimplemented function with args: result = 0 Line 653: zeros = 0 Constant one initialization Line 197: (giant-step) execution of unimplemented function with args: result = 0 Line 653: one = 0 Constant ones initialization Line 199: (giant-step) execution of unimplemented function with args: result = 0 Line 653: ones = 0 File 657.mlw: Line 8: i = (11:t) i = (11:t) Execution of main function `ok` with env: i = (11:t) zero = 0 one = 1 zeros = 0 one = 0 ones = 0 zeros = 0 one = 0 ones = 0 (giant-step) execution of unimplemented function `toBig` _ = (11:t) result of `toBig` = (11:t1) (giant-step) execution of unimplemented function `u` i = (11:t1) Property failure at precondition of `u` with: i = (11:t1) Categorizations of models: - Selected model 0: NC - Concrete RAC: FAILURE (precondition at "bench/check-ce/657.mlw", line 10, characters 27-41) - Abstract RAC: FAILURE (precondition at "bench/check-ce/657.mlw", line 10, characters 27-41) - Checked model 1: BAD_CE - Concrete RAC: NORMAL - Abstract RAC: NORMAL File "bench/check-ce/657.mlw", line 10, characters 27-41: Sub-goal Precondition of goal ko'vc. Prover result is: Unknown or time/memory/step limit. The program does not comply to the verification goal, for example during the following execution: File int.mlw: Line 13: Constant zero initialization zero = 0 Line 14: Constant one initialization one = 1 File bv.mlw: Line 632: Constant zeros initialization Line 192: (giant-step) execution of unimplemented function with args: result = 0 Line 632: zeros = 0 Constant one initialization Line 197: (giant-step) execution of unimplemented function with args: result = 0 Line 632: one = 0 Constant ones initialization Line 199: (giant-step) execution of unimplemented function with args: result = 0 Line 632: ones = 0 Line 653: Constant zeros initialization Line 192: (giant-step) execution of unimplemented function with args: result = 0 Line 653: zeros = 0 Constant one initialization Line 197: (giant-step) execution of unimplemented function with args: result = 0 Line 653: one = 0 Constant ones initialization Line 199: (giant-step) execution of unimplemented function with args: result = 0 Line 653: ones = 0 File 657.mlw: Line 10: i = (11:t) i = (11:t) Execution of main function `ko` with env: i = (11:t) zero = 0 one = 1 zeros = 0 one = 0 ones = 0 zeros = 0 one = 0 ones = 0 (giant-step) execution of unimplemented function `stoBig` _ = (11:t) result of `stoBig` = (11:t1) (giant-step) execution of unimplemented function `u` i = (11:t1) Property failure at precondition of `u` with: i = (11:t1) Categorizations of models: - Selected model 0: NC - Concrete RAC: FAILURE (postcondition at "bench/check-ce/657.mlw", line 13, characters 14-40) - Abstract RAC: FAILURE (postcondition at "bench/check-ce/657.mlw", line 13, characters 14-40) - Checked model 1: BAD_CE - Concrete RAC: NORMAL - Abstract RAC: NORMAL File "bench/check-ce/657.mlw", line 13, characters 14-40: Sub-goal Postcondition of goal ko2'vc. Prover result is: Unknown or time/memory/step limit. The program does not comply to the verification goal, for example during the following execution: File int.mlw: Line 13: Constant zero initialization zero = 0 Line 14: Constant one initialization one = 1 File bv.mlw: Line 632: Constant zeros initialization Line 192: (giant-step) execution of unimplemented function with args: result = 0 Line 632: zeros = 0 Constant one initialization Line 197: (giant-step) execution of unimplemented function with args: result = 0 Line 632: one = 0 Constant ones initialization Line 199: (giant-step) execution of unimplemented function with args: result = 0 Line 632: ones = 0 Line 653: Constant zeros initialization Line 192: (giant-step) execution of unimplemented function with args: result = 0 Line 653: zeros = 0 Constant one initialization Line 197: (giant-step) execution of unimplemented function with args: result = 0 Line 653: one = 0 Constant ones initialization Line 199: (giant-step) execution of unimplemented function with args: result = 0 Line 653: ones = 0 File 657.mlw: Line 12: i = (2147483648:t) i = (2147483648:t) Execution of main function `ko2` with env: i = (2147483648:t) zero = 0 one = 1 zeros = 0 one = 0 ones = 0 zeros = 0 one = 0 ones = 0 Line 13: (giant-step) execution of unimplemented function `stoBig` _ = (2147483648:t) result of `stoBig` = (18446744071562067968:t1) Property failure at postcondition of `ko2` with: result = (18446744071562067968:t1) why3-1.6.0/bench/check-ce/oracles/668_projection_CVC4,1.8_SP.oracle000066400000000000000000000042211440160026300242060ustar00rootroot00000000000000Categorizations of models: - Selected model 0: NC - Concrete RAC: FAILURE (postcondition at "bench/check-ce/668_projection.mlw", line 13, characters 14-50) - Abstract RAC: FAILURE (postcondition at "bench/check-ce/668_projection.mlw", line 13, characters 14-50) - Checked model 1: NC - Concrete RAC: FAILURE (postcondition at "bench/check-ce/668_projection.mlw", line 13, characters 14-50) - Abstract RAC: FAILURE (postcondition at "bench/check-ce/668_projection.mlw", line 13, characters 14-50) File "bench/check-ce/668_projection.mlw", line 13, characters 14-50: Sub-goal Postcondition of goal f'vc. Prover result is: Unknown or time/memory/step limit. The program does not comply to the verification goal, for example during the following execution: File int.mlw: Line 13: Constant zero initialization zero = 0 Line 14: Constant one initialization one = 1 File bv.mlw: Line 632: Constant zeros initialization Line 192: (giant-step) execution of unimplemented function with args: result = 0 Line 632: zeros = 0 Constant one initialization Line 197: (giant-step) execution of unimplemented function with args: result = 0 Line 632: one = 0 Constant ones initialization Line 199: (giant-step) execution of unimplemented function with args: result = 0 Line 632: ones = 0 File 668_projection.mlw: Line 12: n = epsilon x:t. t'int x = (- 1) min = epsilon x:t. t'int x = 0 n = epsilon x:t. t'int x = (- 1) min = epsilon x:t. t'int x = 0 Execution of main function `f` with env: n = epsilon x:t. t'int x = (- 1) min = epsilon x:t. t'int x = 0 zero = 0 one = 1 zeros = 0 one = 0 ones = 0 Line 13: Property failure at postcondition of `f` with: min = epsilon x:t. t'int x = 0 result = epsilon x:t. t'int x = (- 1) Categorizations of models: - Checked model 0: BAD_CE - Concrete RAC: NORMAL - Abstract RAC: NORMAL File "bench/check-ce/668_projection.mlw", line 16, characters 14-26: Sub-goal Postcondition of goal g'vc. Prover result is: Unknown or time/memory/step limit. why3-1.6.0/bench/check-ce/oracles/668_projection_CVC4,1.8_WP.oracle000066400000000000000000000042211440160026300242120ustar00rootroot00000000000000Categorizations of models: - Selected model 0: NC - Concrete RAC: FAILURE (postcondition at "bench/check-ce/668_projection.mlw", line 13, characters 14-50) - Abstract RAC: FAILURE (postcondition at "bench/check-ce/668_projection.mlw", line 13, characters 14-50) - Checked model 1: NC - Concrete RAC: FAILURE (postcondition at "bench/check-ce/668_projection.mlw", line 13, characters 14-50) - Abstract RAC: FAILURE (postcondition at "bench/check-ce/668_projection.mlw", line 13, characters 14-50) File "bench/check-ce/668_projection.mlw", line 13, characters 14-50: Sub-goal Postcondition of goal f'vc. Prover result is: Unknown or time/memory/step limit. The program does not comply to the verification goal, for example during the following execution: File int.mlw: Line 13: Constant zero initialization zero = 0 Line 14: Constant one initialization one = 1 File bv.mlw: Line 632: Constant zeros initialization Line 192: (giant-step) execution of unimplemented function with args: result = 0 Line 632: zeros = 0 Constant one initialization Line 197: (giant-step) execution of unimplemented function with args: result = 0 Line 632: one = 0 Constant ones initialization Line 199: (giant-step) execution of unimplemented function with args: result = 0 Line 632: ones = 0 File 668_projection.mlw: Line 12: n = epsilon x:t. t'int x = (- 1) min = epsilon x:t. t'int x = 0 n = epsilon x:t. t'int x = (- 1) min = epsilon x:t. t'int x = 0 Execution of main function `f` with env: n = epsilon x:t. t'int x = (- 1) min = epsilon x:t. t'int x = 0 zero = 0 one = 1 zeros = 0 one = 0 ones = 0 Line 13: Property failure at postcondition of `f` with: min = epsilon x:t. t'int x = 0 result = epsilon x:t. t'int x = (- 1) Categorizations of models: - Checked model 0: BAD_CE - Concrete RAC: NORMAL - Abstract RAC: NORMAL File "bench/check-ce/668_projection.mlw", line 16, characters 14-26: Sub-goal Postcondition of goal g'vc. Prover result is: Unknown or time/memory/step limit. why3-1.6.0/bench/check-ce/oracles/668_projection_CVC5,1.0.0_SP.oracle000066400000000000000000000042211440160026300243350ustar00rootroot00000000000000Categorizations of models: - Selected model 0: NC - Concrete RAC: FAILURE (postcondition at "bench/check-ce/668_projection.mlw", line 13, characters 14-50) - Abstract RAC: FAILURE (postcondition at "bench/check-ce/668_projection.mlw", line 13, characters 14-50) - Checked model 1: NC - Concrete RAC: FAILURE (postcondition at "bench/check-ce/668_projection.mlw", line 13, characters 14-50) - Abstract RAC: FAILURE (postcondition at "bench/check-ce/668_projection.mlw", line 13, characters 14-50) File "bench/check-ce/668_projection.mlw", line 13, characters 14-50: Sub-goal Postcondition of goal f'vc. Prover result is: Unknown or time/memory/step limit. The program does not comply to the verification goal, for example during the following execution: File int.mlw: Line 13: Constant zero initialization zero = 0 Line 14: Constant one initialization one = 1 File bv.mlw: Line 632: Constant zeros initialization Line 192: (giant-step) execution of unimplemented function with args: result = 0 Line 632: zeros = 0 Constant one initialization Line 197: (giant-step) execution of unimplemented function with args: result = 0 Line 632: one = 0 Constant ones initialization Line 199: (giant-step) execution of unimplemented function with args: result = 0 Line 632: ones = 0 File 668_projection.mlw: Line 12: n = epsilon x:t. t'int x = (- 1) min = epsilon x:t. t'int x = 0 n = epsilon x:t. t'int x = (- 1) min = epsilon x:t. t'int x = 0 Execution of main function `f` with env: n = epsilon x:t. t'int x = (- 1) min = epsilon x:t. t'int x = 0 zero = 0 one = 1 zeros = 0 one = 0 ones = 0 Line 13: Property failure at postcondition of `f` with: min = epsilon x:t. t'int x = 0 result = epsilon x:t. t'int x = (- 1) Categorizations of models: - Checked model 0: BAD_CE - Concrete RAC: NORMAL - Abstract RAC: NORMAL File "bench/check-ce/668_projection.mlw", line 16, characters 14-26: Sub-goal Postcondition of goal g'vc. Prover result is: Unknown or time/memory/step limit. why3-1.6.0/bench/check-ce/oracles/668_projection_CVC5,1.0.0_WP.oracle000066400000000000000000000042211440160026300243410ustar00rootroot00000000000000Categorizations of models: - Selected model 0: NC - Concrete RAC: FAILURE (postcondition at "bench/check-ce/668_projection.mlw", line 13, characters 14-50) - Abstract RAC: FAILURE (postcondition at "bench/check-ce/668_projection.mlw", line 13, characters 14-50) - Checked model 1: NC - Concrete RAC: FAILURE (postcondition at "bench/check-ce/668_projection.mlw", line 13, characters 14-50) - Abstract RAC: FAILURE (postcondition at "bench/check-ce/668_projection.mlw", line 13, characters 14-50) File "bench/check-ce/668_projection.mlw", line 13, characters 14-50: Sub-goal Postcondition of goal f'vc. Prover result is: Unknown or time/memory/step limit. The program does not comply to the verification goal, for example during the following execution: File int.mlw: Line 13: Constant zero initialization zero = 0 Line 14: Constant one initialization one = 1 File bv.mlw: Line 632: Constant zeros initialization Line 192: (giant-step) execution of unimplemented function with args: result = 0 Line 632: zeros = 0 Constant one initialization Line 197: (giant-step) execution of unimplemented function with args: result = 0 Line 632: one = 0 Constant ones initialization Line 199: (giant-step) execution of unimplemented function with args: result = 0 Line 632: ones = 0 File 668_projection.mlw: Line 12: n = epsilon x:t. t'int x = (- 1) min = epsilon x:t. t'int x = 0 n = epsilon x:t. t'int x = (- 1) min = epsilon x:t. t'int x = 0 Execution of main function `f` with env: n = epsilon x:t. t'int x = (- 1) min = epsilon x:t. t'int x = 0 zero = 0 one = 1 zeros = 0 one = 0 ones = 0 Line 13: Property failure at postcondition of `f` with: min = epsilon x:t. t'int x = 0 result = epsilon x:t. t'int x = (- 1) Categorizations of models: - Checked model 0: BAD_CE - Concrete RAC: NORMAL - Abstract RAC: NORMAL File "bench/check-ce/668_projection.mlw", line 16, characters 14-26: Sub-goal Postcondition of goal g'vc. Prover result is: Unknown or time/memory/step limit. why3-1.6.0/bench/check-ce/oracles/668_projection_Z3,4.8.10_SP.oracle000066400000000000000000000037371440160026300242400ustar00rootroot00000000000000Categorizations of models: - Selected model 0: NC - Concrete RAC: FAILURE (postcondition at "bench/check-ce/668_projection.mlw", line 13, characters 14-50) - Abstract RAC: FAILURE (postcondition at "bench/check-ce/668_projection.mlw", line 13, characters 14-50) - Checked model 1: BAD_CE - Concrete RAC: NORMAL - Abstract RAC: NORMAL File "bench/check-ce/668_projection.mlw", line 13, characters 14-50: Sub-goal Postcondition of goal f'vc. Prover result is: Unknown or time/memory/step limit. The program does not comply to the verification goal, for example during the following execution: File int.mlw: Line 13: Constant zero initialization zero = 0 Line 14: Constant one initialization one = 1 File bv.mlw: Line 632: Constant zeros initialization Line 192: (giant-step) execution of unimplemented function with args: result = 0 Line 632: zeros = 0 Constant one initialization Line 197: (giant-step) execution of unimplemented function with args: result = 0 Line 632: one = 0 Constant ones initialization Line 199: (giant-step) execution of unimplemented function with args: result = 0 Line 632: ones = 0 File 668_projection.mlw: Line 12: n = epsilon x:t. t'int x = 3 min = epsilon x:t. t'int x = 2 n = epsilon x:t. t'int x = 3 min = epsilon x:t. t'int x = 2 Execution of main function `f` with env: n = epsilon x:t. t'int x = 3 min = epsilon x:t. t'int x = 2 zero = 0 one = 1 zeros = 0 one = 0 ones = 0 Line 13: Property failure at postcondition of `f` with: min = epsilon x:t. t'int x = 2 result = epsilon x:t. t'int x = 3 Categorizations of models: - Checked model 0: BAD_CE - Concrete RAC: NORMAL - Abstract RAC: NORMAL File "bench/check-ce/668_projection.mlw", line 16, characters 14-26: Sub-goal Postcondition of goal g'vc. Prover result is: Unknown or time/memory/step limit. why3-1.6.0/bench/check-ce/oracles/668_projection_Z3,4.8.10_WP.oracle000066400000000000000000000037371440160026300242440ustar00rootroot00000000000000Categorizations of models: - Selected model 0: NC - Concrete RAC: FAILURE (postcondition at "bench/check-ce/668_projection.mlw", line 13, characters 14-50) - Abstract RAC: FAILURE (postcondition at "bench/check-ce/668_projection.mlw", line 13, characters 14-50) - Checked model 1: BAD_CE - Concrete RAC: NORMAL - Abstract RAC: NORMAL File "bench/check-ce/668_projection.mlw", line 13, characters 14-50: Sub-goal Postcondition of goal f'vc. Prover result is: Unknown or time/memory/step limit. The program does not comply to the verification goal, for example during the following execution: File int.mlw: Line 13: Constant zero initialization zero = 0 Line 14: Constant one initialization one = 1 File bv.mlw: Line 632: Constant zeros initialization Line 192: (giant-step) execution of unimplemented function with args: result = 0 Line 632: zeros = 0 Constant one initialization Line 197: (giant-step) execution of unimplemented function with args: result = 0 Line 632: one = 0 Constant ones initialization Line 199: (giant-step) execution of unimplemented function with args: result = 0 Line 632: ones = 0 File 668_projection.mlw: Line 12: n = epsilon x:t. t'int x = 3 min = epsilon x:t. t'int x = 2 n = epsilon x:t. t'int x = 3 min = epsilon x:t. t'int x = 2 Execution of main function `f` with env: n = epsilon x:t. t'int x = 3 min = epsilon x:t. t'int x = 2 zero = 0 one = 1 zeros = 0 one = 0 ones = 0 Line 13: Property failure at postcondition of `f` with: min = epsilon x:t. t'int x = 2 result = epsilon x:t. t'int x = 3 Categorizations of models: - Checked model 0: BAD_CE - Concrete RAC: NORMAL - Abstract RAC: NORMAL File "bench/check-ce/668_projection.mlw", line 16, characters 14-26: Sub-goal Postcondition of goal g'vc. Prover result is: Unknown or time/memory/step limit. why3-1.6.0/bench/check-ce/oracles/703_reduce_term_CVC4,1.8_SP.oracle000066400000000000000000000766231440160026300243350ustar00rootroot00000000000000Warning: term reduction aborted (term size blows up from 289 to 491721, after 278 steps). Warning: term reduction aborted (takes more than 1024 steps). Warning: term reduction aborted (term size blows up from 289 to 491721, after 278 steps). Warning: term reduction aborted (takes more than 1024 steps). Warning: term reduction aborted (term size blows up from 289 to 491721, after 278 steps). Warning: term reduction aborted (takes more than 1024 steps). Warning: term reduction aborted (term size blows up from 289 to 491721, after 278 steps). Warning: term reduction aborted (takes more than 1024 steps). Categorizations of models: - Checked model 0: INCOMPLETE - Concrete RAC: INCOMPLETE (terminated because Precondition of `local` cannot be evaluated) - Abstract RAC: INCOMPLETE (terminated because Precondition of `local` cannot be evaluated) - Selected model 1: INCOMPLETE - Concrete RAC: INCOMPLETE (terminated because Precondition of `local` cannot be evaluated) - Abstract RAC: INCOMPLETE (terminated because Precondition of `local` cannot be evaluated) File "bench/check-ce/703_reduce_term.mlw", line 391, characters 4-55: Sub-goal Precondition of goal def'vc. Prover result is: Unknown or time/memory/step limit. The following counterexample model could not be verified (both RAC terminated because Precondition of `local` cannot be evaluated): File 703_reduce_term.mlw: Line 5: base : t = #b00000000000000000000000000000011 Line 13: oor : t -> t -> t = fun bOUND_VARIABLE_2395 bOUND_VARIABLE_2396 -> if bOUND_VARIABLE_2395 = #b00000000000000000000000000110101 then if bOUND_VARIABLE_2396 = #b00000000100000000000000000000000 then #b00000000000000000000000000110110 else #b00000000000000000000000000111000 else if bOUND_VARIABLE_2395 = #b00000000000000000000000000110011 then if bOUND_VARIABLE_2396 = #b00000000010000000000000000000000 then #b00000000000000000000000000110100 else #b00000000000000000000000000111000 else if bOUND_VARIABLE_2395 = #b00000000000000000000000000110001 then if bOUND_VARIABLE_2396 = #b00000000001000000000000000000000 then #b00000000000000000000000000110010 else #b00000000000000000000000000111000 else if bOUND_VARIABLE_2395 = #b00000000000000000000000000101111 then if bOUND_VARIABLE_2396 = #b00000000000100000000000000000000 then #b00000000000000000000000000110000 else #b00000000000000000000000000111000 else if bOUND_VARIABLE_2395 = #b00000000000000000000000000101101 then if bOUND_VARIABLE_2396 = #b00000000000010000000000000000000 then #b00000000000000000000000000101110 else #b00000000000000000000000000111000 else if bOUND_VARIABLE_2395 = #b00000000000000000000000000101011 then if bOUND_VARIABLE_2396 = #b00000000000001000000000000000000 then #b00000000000000000000000000101100 else #b00000000000000000000000000111000 else if bOUND_VARIABLE_2395 = #b00000000000000000000000000101001 then if bOUND_VARIABLE_2396 = #b00000000000000100000000000000000 then #b00000000000000000000000000101010 else #b00000000000000000000000000111000 else if bOUND_VARIABLE_2395 = #b00000000000000000000000000100111 then if bOUND_VARIABLE_2396 = #b00000000000000010000000000000000 then #b00000000000000000000000000101000 else #b00000000000000000000000000111000 else if bOUND_VARIABLE_2395 = #b00000000000000000000000000100101 then if bOUND_VARIABLE_2396 = #b00000000000000001000000000000000 then #b00000000000000000000000000100110 else #b00000000000000000000000000111000 else if bOUND_VARIABLE_2395 = #b00000000000000000000000000100011 then if bOUND_VARIABLE_2396 = #b00000000000000000100000000000000 then #b00000000000000000000000000100100 else #b00000000000000000000000000111000 else if bOUND_VARIABLE_2395 = #b00000000000000000000000000100001 then if bOUND_VARIABLE_2396 = #b00000000000000000010000000000000 then #b00000000000000000000000000100010 else #b00000000000000000000000000111000 else if bOUND_VARIABLE_2395 = #b00000000000000000000000000011110 then if bOUND_VARIABLE_2396 = #b00000000000000000001000000000000 then #b00000000000000000000000000011111 else #b00000000000000000000000000111000 else if bOUND_VARIABLE_2395 = #b00000000000000000000000000011100 then if bOUND_VARIABLE_2396 = #b00000000000000000000100000000000 then #b00000000000000000000000000011101 else #b00000000000000000000000000111000 else if bOUND_VARIABLE_2395 = #b00000000000000000000000000011010 then if bOUND_VARIABLE_2396 = #b00000000000000000000010000000000 then #b00000000000000000000000000011011 else #b00000000000000000000000000111000 else if bOUND_VARIABLE_2395 = #b00000000000000000000000000011000 then if bOUND_VARIABLE_2396 = #b00000000000000000000001000000000 then #b00000000000000000000000000011001 else #b00000000000000000000000000111000 else if bOUND_VARIABLE_2395 = #b00000000000000000000000000010110 then if bOUND_VARIABLE_2396 = #b00000000000000000000000100000000 then #b00000000000000000000000000010111 else #b00000000000000000000000000111000 else if bOUND_VARIABLE_2395 = #b00000000000000000000000000010100 then if bOUND_VARIABLE_2396 = #b00000000000000000000000010000000 then #b00000000000000000000000000010101 else #b00000000000000000000000000111000 else if bOUND_VARIABLE_2395 = #b00000000000000000000000000010010 then if bOUND_VARIABLE_2396 = #b00000000000000000000000001000000 then #b00000000000000000000000000010011 else #b00000000000000000000000000111000 else if bOUND_VARIABLE_2395 = #b00000000000000000000000000001111 then if bOUND_VARIABLE_2396 = #b00000000000000000000000000100000 then #b00000000000000000000000000010001 else #b00000000000000000000000000111000 else if bOUND_VARIABLE_2395 = #b00000000000000000000000000001101 then if bOUND_VARIABLE_2396 = #b00000000000000000000000000010000 then #b00000000000000000000000000001110 else #b00000000000000000000000000111000 else if bOUND_VARIABLE_2395 = #b00000000000000000000000000001011 then if bOUND_VARIABLE_2396 = #b00000000000000000000000000001000 then #b00000000000000000000000000001100 else #b00000000000000000000000000111000 else if bOUND_VARIABLE_2395 = #b00000000000000000000000000001001 then if bOUND_VARIABLE_2396 = #b00000000000000000000000000000100 then #b00000000000000000000000000001010 else #b00000000000000000000000000111000 else if bOUND_VARIABLE_2395 = #b00000000000000000000000000000110 then if bOUND_VARIABLE_2396 = #b00000000000000000000000000000010 then #b00000000000000000000000000000111 else #b00000000000000000000000000111000 else if bOUND_VARIABLE_2395 = #b00000000000000000000000000000000 then if bOUND_VARIABLE_2396 = #b00000000000000000000000000000001 then #b00000000000000000000000000000101 else #b00000000000000000000000000111000 else #b00000000000000000000000000111000 Line 16: oor__function_guard : t -> t -> t -> t = fun bOUND_VARIABLE_2944 bOUND_VARIABLE_2945 bOUND_VARIABLE_2946 -> if bOUND_VARIABLE_2944 = #b00000000000000000000000000111000 then if bOUND_VARIABLE_2945 = #b00000000000000000000000000110111 then if bOUND_VARIABLE_2946 = #b00000001000000000000000000000000 then #b00000000000000000000000000111001 else #b00000000000000000000000000000110 else #b00000000000000000000000000000110 else if bOUND_VARIABLE_2944 = #b00000000000000000000000000110110 then if bOUND_VARIABLE_2945 = #b00000000000000000000000000110101 then if bOUND_VARIABLE_2946 = #b00000000100000000000000000000000 then #b00000000000000000000000000110111 else #b00000000000000000000000000000110 else #b00000000000000000000000000000110 else if bOUND_VARIABLE_2944 = #b00000000000000000000000000110100 then if bOUND_VARIABLE_2945 = #b00000000000000000000000000110011 then if bOUND_VARIABLE_2946 = #b00000000010000000000000000000000 then #b00000000000000000000000000110101 else #b00000000000000000000000000000110 else #b00000000000000000000000000000110 else if bOUND_VARIABLE_2944 = #b00000000000000000000000000110010 then if bOUND_VARIABLE_2945 = #b00000000000000000000000000110001 then if bOUND_VARIABLE_2946 = #b00000000001000000000000000000000 then #b00000000000000000000000000110011 else #b00000000000000000000000000000110 else #b00000000000000000000000000000110 else if bOUND_VARIABLE_2944 = #b00000000000000000000000000110000 then if bOUND_VARIABLE_2945 = #b00000000000000000000000000101111 then if bOUND_VARIABLE_2946 = #b00000000000100000000000000000000 then #b00000000000000000000000000110001 else #b00000000000000000000000000000110 else #b00000000000000000000000000000110 else if bOUND_VARIABLE_2944 = #b00000000000000000000000000101110 then if bOUND_VARIABLE_2945 = #b00000000000000000000000000101101 then if bOUND_VARIABLE_2946 = #b00000000000010000000000000000000 then #b00000000000000000000000000101111 else #b00000000000000000000000000000110 else #b00000000000000000000000000000110 else if bOUND_VARIABLE_2944 = #b00000000000000000000000000101100 then if bOUND_VARIABLE_2945 = #b00000000000000000000000000101011 then if bOUND_VARIABLE_2946 = #b00000000000001000000000000000000 then #b00000000000000000000000000101101 else #b00000000000000000000000000000110 else #b00000000000000000000000000000110 else if bOUND_VARIABLE_2944 = #b00000000000000000000000000101010 then if bOUND_VARIABLE_2945 = #b00000000000000000000000000101001 then if bOUND_VARIABLE_2946 = #b00000000000000100000000000000000 then #b00000000000000000000000000101011 else #b00000000000000000000000000000110 else #b00000000000000000000000000000110 else if bOUND_VARIABLE_2944 = #b00000000000000000000000000101000 then if bOUND_VARIABLE_2945 = #b00000000000000000000000000100111 then if bOUND_VARIABLE_2946 = #b00000000000000010000000000000000 then #b00000000000000000000000000101001 else #b00000000000000000000000000000110 else #b00000000000000000000000000000110 else if bOUND_VARIABLE_2944 = #b00000000000000000000000000100110 then if bOUND_VARIABLE_2945 = #b00000000000000000000000000100101 then if bOUND_VARIABLE_2946 = #b00000000000000001000000000000000 then #b00000000000000000000000000100111 else #b00000000000000000000000000000110 else #b00000000000000000000000000000110 else if bOUND_VARIABLE_2944 = #b00000000000000000000000000100100 then if bOUND_VARIABLE_2945 = #b00000000000000000000000000100011 then if bOUND_VARIABLE_2946 = #b00000000000000000100000000000000 then #b00000000000000000000000000100101 else #b00000000000000000000000000000110 else #b00000000000000000000000000000110 else if bOUND_VARIABLE_2944 = #b00000000000000000000000000100010 then if bOUND_VARIABLE_2945 = #b00000000000000000000000000100001 then if bOUND_VARIABLE_2946 = #b00000000000000000010000000000000 then #b00000000000000000000000000100011 else #b00000000000000000000000000000110 else #b00000000000000000000000000000110 else if bOUND_VARIABLE_2944 = #b00000000000000000000000000011111 then if bOUND_VARIABLE_2945 = #b00000000000000000000000000011110 then if bOUND_VARIABLE_2946 = #b00000000000000000001000000000000 then #b00000000000000000000000000100001 else #b00000000000000000000000000000110 else #b00000000000000000000000000000110 else if bOUND_VARIABLE_2944 = #b00000000000000000000000000011101 then if bOUND_VARIABLE_2945 = #b00000000000000000000000000011100 then if bOUND_VARIABLE_2946 = #b00000000000000000000100000000000 then #b00000000000000000000000000011110 else #b00000000000000000000000000000110 else #b00000000000000000000000000000110 else if bOUND_VARIABLE_2944 = #b00000000000000000000000000011011 then if bOUND_VARIABLE_2945 = #b00000000000000000000000000011010 then if bOUND_VARIABLE_2946 = #b00000000000000000000010000000000 then #b00000000000000000000000000011100 else #b00000000000000000000000000000110 else #b00000000000000000000000000000110 else if bOUND_VARIABLE_2944 = #b00000000000000000000000000011001 then if bOUND_VARIABLE_2945 = #b00000000000000000000000000011000 then if bOUND_VARIABLE_2946 = #b00000000000000000000001000000000 then #b00000000000000000000000000011010 else #b00000000000000000000000000000110 else #b00000000000000000000000000000110 else if bOUND_VARIABLE_2944 = #b00000000000000000000000000010111 then if bOUND_VARIABLE_2945 = #b00000000000000000000000000010110 then if bOUND_VARIABLE_2946 = #b00000000000000000000000100000000 then #b00000000000000000000000000011000 else #b00000000000000000000000000000110 else #b00000000000000000000000000000110 else if bOUND_VARIABLE_2944 = #b00000000000000000000000000010101 then if bOUND_VARIABLE_2945 = #b00000000000000000000000000010100 then if bOUND_VARIABLE_2946 = #b00000000000000000000000010000000 then #b00000000000000000000000000010110 else #b00000000000000000000000000000110 else #b00000000000000000000000000000110 else if bOUND_VARIABLE_2944 = #b00000000000000000000000000010011 then if bOUND_VARIABLE_2945 = #b00000000000000000000000000010010 then if bOUND_VARIABLE_2946 = #b00000000000000000000000001000000 then #b00000000000000000000000000010100 else #b00000000000000000000000000000110 else #b00000000000000000000000000000110 else if bOUND_VARIABLE_2944 = #b00000000000000000000000000010001 then if bOUND_VARIABLE_2945 = #b00000000000000000000000000001111 then if bOUND_VARIABLE_2946 = #b00000000000000000000000000100000 then #b00000000000000000000000000010010 else #b00000000000000000000000000000110 else #b00000000000000000000000000000110 else if bOUND_VARIABLE_2944 = #b00000000000000000000000000001110 then if bOUND_VARIABLE_2945 = #b00000000000000000000000000001101 then if bOUND_VARIABLE_2946 = #b00000000000000000000000000010000 then #b00000000000000000000000000001111 else #b00000000000000000000000000000110 else #b00000000000000000000000000000110 else if bOUND_VARIABLE_2944 = #b00000000000000000000000000001100 then if bOUND_VARIABLE_2945 = #b00000000000000000000000000001011 then if bOUND_VARIABLE_2946 = #b00000000000000000000000000001000 then #b00000000000000000000000000001101 else #b00000000000000000000000000000110 else #b00000000000000000000000000000110 else if bOUND_VARIABLE_2944 = #b00000000000000000000000000001010 then if bOUND_VARIABLE_2945 = #b00000000000000000000000000001001 then if bOUND_VARIABLE_2946 = #b00000000000000000000000000000100 then #b00000000000000000000000000001011 else #b00000000000000000000000000000110 else #b00000000000000000000000000000110 else if bOUND_VARIABLE_2944 = #b00000000000000000000000000000111 then if bOUND_VARIABLE_2945 = #b00000000000000000000000000000110 then if bOUND_VARIABLE_2946 = #b00000000000000000000000000000010 then #b00000000000000000000000000001001 else #b00000000000000000000000000000110 else #b00000000000000000000000000000110 else #b00000000000000000000000000000110 Line 24: oand : t -> t -> t = fun bOUND_VARIABLE_2395 bOUND_VARIABLE_2396 -> #b00000000000000000000000000111010 Line 27: oand__function_guard : t -> t -> t -> t = fun bOUND_VARIABLE_2944 bOUND_VARIABLE_2945 bOUND_VARIABLE_2946 -> #b00000000000000000000000000111011 Line 391: base : t = #b00000000000000000000000000000011 why3-1.6.0/bench/check-ce/oracles/703_reduce_term_CVC4,1.8_WP.oracle000066400000000000000000000766231440160026300243410ustar00rootroot00000000000000Warning: term reduction aborted (term size blows up from 289 to 491721, after 278 steps). Warning: term reduction aborted (takes more than 1024 steps). Warning: term reduction aborted (term size blows up from 289 to 491721, after 278 steps). Warning: term reduction aborted (takes more than 1024 steps). Warning: term reduction aborted (term size blows up from 289 to 491721, after 278 steps). Warning: term reduction aborted (takes more than 1024 steps). Warning: term reduction aborted (term size blows up from 289 to 491721, after 278 steps). Warning: term reduction aborted (takes more than 1024 steps). Categorizations of models: - Checked model 0: INCOMPLETE - Concrete RAC: INCOMPLETE (terminated because Precondition of `local` cannot be evaluated) - Abstract RAC: INCOMPLETE (terminated because Precondition of `local` cannot be evaluated) - Selected model 1: INCOMPLETE - Concrete RAC: INCOMPLETE (terminated because Precondition of `local` cannot be evaluated) - Abstract RAC: INCOMPLETE (terminated because Precondition of `local` cannot be evaluated) File "bench/check-ce/703_reduce_term.mlw", line 391, characters 4-55: Sub-goal Precondition of goal def'vc. Prover result is: Unknown or time/memory/step limit. The following counterexample model could not be verified (both RAC terminated because Precondition of `local` cannot be evaluated): File 703_reduce_term.mlw: Line 5: base : t = #b00000000000000000000000000000011 Line 13: oor : t -> t -> t = fun bOUND_VARIABLE_2395 bOUND_VARIABLE_2396 -> if bOUND_VARIABLE_2395 = #b00000000000000000000000000110101 then if bOUND_VARIABLE_2396 = #b00000000100000000000000000000000 then #b00000000000000000000000000110110 else #b00000000000000000000000000111000 else if bOUND_VARIABLE_2395 = #b00000000000000000000000000110011 then if bOUND_VARIABLE_2396 = #b00000000010000000000000000000000 then #b00000000000000000000000000110100 else #b00000000000000000000000000111000 else if bOUND_VARIABLE_2395 = #b00000000000000000000000000110001 then if bOUND_VARIABLE_2396 = #b00000000001000000000000000000000 then #b00000000000000000000000000110010 else #b00000000000000000000000000111000 else if bOUND_VARIABLE_2395 = #b00000000000000000000000000101111 then if bOUND_VARIABLE_2396 = #b00000000000100000000000000000000 then #b00000000000000000000000000110000 else #b00000000000000000000000000111000 else if bOUND_VARIABLE_2395 = #b00000000000000000000000000101101 then if bOUND_VARIABLE_2396 = #b00000000000010000000000000000000 then #b00000000000000000000000000101110 else #b00000000000000000000000000111000 else if bOUND_VARIABLE_2395 = #b00000000000000000000000000101011 then if bOUND_VARIABLE_2396 = #b00000000000001000000000000000000 then #b00000000000000000000000000101100 else #b00000000000000000000000000111000 else if bOUND_VARIABLE_2395 = #b00000000000000000000000000101001 then if bOUND_VARIABLE_2396 = #b00000000000000100000000000000000 then #b00000000000000000000000000101010 else #b00000000000000000000000000111000 else if bOUND_VARIABLE_2395 = #b00000000000000000000000000100111 then if bOUND_VARIABLE_2396 = #b00000000000000010000000000000000 then #b00000000000000000000000000101000 else #b00000000000000000000000000111000 else if bOUND_VARIABLE_2395 = #b00000000000000000000000000100101 then if bOUND_VARIABLE_2396 = #b00000000000000001000000000000000 then #b00000000000000000000000000100110 else #b00000000000000000000000000111000 else if bOUND_VARIABLE_2395 = #b00000000000000000000000000100011 then if bOUND_VARIABLE_2396 = #b00000000000000000100000000000000 then #b00000000000000000000000000100100 else #b00000000000000000000000000111000 else if bOUND_VARIABLE_2395 = #b00000000000000000000000000100001 then if bOUND_VARIABLE_2396 = #b00000000000000000010000000000000 then #b00000000000000000000000000100010 else #b00000000000000000000000000111000 else if bOUND_VARIABLE_2395 = #b00000000000000000000000000011110 then if bOUND_VARIABLE_2396 = #b00000000000000000001000000000000 then #b00000000000000000000000000011111 else #b00000000000000000000000000111000 else if bOUND_VARIABLE_2395 = #b00000000000000000000000000011100 then if bOUND_VARIABLE_2396 = #b00000000000000000000100000000000 then #b00000000000000000000000000011101 else #b00000000000000000000000000111000 else if bOUND_VARIABLE_2395 = #b00000000000000000000000000011010 then if bOUND_VARIABLE_2396 = #b00000000000000000000010000000000 then #b00000000000000000000000000011011 else #b00000000000000000000000000111000 else if bOUND_VARIABLE_2395 = #b00000000000000000000000000011000 then if bOUND_VARIABLE_2396 = #b00000000000000000000001000000000 then #b00000000000000000000000000011001 else #b00000000000000000000000000111000 else if bOUND_VARIABLE_2395 = #b00000000000000000000000000010110 then if bOUND_VARIABLE_2396 = #b00000000000000000000000100000000 then #b00000000000000000000000000010111 else #b00000000000000000000000000111000 else if bOUND_VARIABLE_2395 = #b00000000000000000000000000010100 then if bOUND_VARIABLE_2396 = #b00000000000000000000000010000000 then #b00000000000000000000000000010101 else #b00000000000000000000000000111000 else if bOUND_VARIABLE_2395 = #b00000000000000000000000000010010 then if bOUND_VARIABLE_2396 = #b00000000000000000000000001000000 then #b00000000000000000000000000010011 else #b00000000000000000000000000111000 else if bOUND_VARIABLE_2395 = #b00000000000000000000000000001111 then if bOUND_VARIABLE_2396 = #b00000000000000000000000000100000 then #b00000000000000000000000000010001 else #b00000000000000000000000000111000 else if bOUND_VARIABLE_2395 = #b00000000000000000000000000001101 then if bOUND_VARIABLE_2396 = #b00000000000000000000000000010000 then #b00000000000000000000000000001110 else #b00000000000000000000000000111000 else if bOUND_VARIABLE_2395 = #b00000000000000000000000000001011 then if bOUND_VARIABLE_2396 = #b00000000000000000000000000001000 then #b00000000000000000000000000001100 else #b00000000000000000000000000111000 else if bOUND_VARIABLE_2395 = #b00000000000000000000000000001001 then if bOUND_VARIABLE_2396 = #b00000000000000000000000000000100 then #b00000000000000000000000000001010 else #b00000000000000000000000000111000 else if bOUND_VARIABLE_2395 = #b00000000000000000000000000000110 then if bOUND_VARIABLE_2396 = #b00000000000000000000000000000010 then #b00000000000000000000000000000111 else #b00000000000000000000000000111000 else if bOUND_VARIABLE_2395 = #b00000000000000000000000000000000 then if bOUND_VARIABLE_2396 = #b00000000000000000000000000000001 then #b00000000000000000000000000000101 else #b00000000000000000000000000111000 else #b00000000000000000000000000111000 Line 16: oor__function_guard : t -> t -> t -> t = fun bOUND_VARIABLE_2944 bOUND_VARIABLE_2945 bOUND_VARIABLE_2946 -> if bOUND_VARIABLE_2944 = #b00000000000000000000000000111000 then if bOUND_VARIABLE_2945 = #b00000000000000000000000000110111 then if bOUND_VARIABLE_2946 = #b00000001000000000000000000000000 then #b00000000000000000000000000111001 else #b00000000000000000000000000000110 else #b00000000000000000000000000000110 else if bOUND_VARIABLE_2944 = #b00000000000000000000000000110110 then if bOUND_VARIABLE_2945 = #b00000000000000000000000000110101 then if bOUND_VARIABLE_2946 = #b00000000100000000000000000000000 then #b00000000000000000000000000110111 else #b00000000000000000000000000000110 else #b00000000000000000000000000000110 else if bOUND_VARIABLE_2944 = #b00000000000000000000000000110100 then if bOUND_VARIABLE_2945 = #b00000000000000000000000000110011 then if bOUND_VARIABLE_2946 = #b00000000010000000000000000000000 then #b00000000000000000000000000110101 else #b00000000000000000000000000000110 else #b00000000000000000000000000000110 else if bOUND_VARIABLE_2944 = #b00000000000000000000000000110010 then if bOUND_VARIABLE_2945 = #b00000000000000000000000000110001 then if bOUND_VARIABLE_2946 = #b00000000001000000000000000000000 then #b00000000000000000000000000110011 else #b00000000000000000000000000000110 else #b00000000000000000000000000000110 else if bOUND_VARIABLE_2944 = #b00000000000000000000000000110000 then if bOUND_VARIABLE_2945 = #b00000000000000000000000000101111 then if bOUND_VARIABLE_2946 = #b00000000000100000000000000000000 then #b00000000000000000000000000110001 else #b00000000000000000000000000000110 else #b00000000000000000000000000000110 else if bOUND_VARIABLE_2944 = #b00000000000000000000000000101110 then if bOUND_VARIABLE_2945 = #b00000000000000000000000000101101 then if bOUND_VARIABLE_2946 = #b00000000000010000000000000000000 then #b00000000000000000000000000101111 else #b00000000000000000000000000000110 else #b00000000000000000000000000000110 else if bOUND_VARIABLE_2944 = #b00000000000000000000000000101100 then if bOUND_VARIABLE_2945 = #b00000000000000000000000000101011 then if bOUND_VARIABLE_2946 = #b00000000000001000000000000000000 then #b00000000000000000000000000101101 else #b00000000000000000000000000000110 else #b00000000000000000000000000000110 else if bOUND_VARIABLE_2944 = #b00000000000000000000000000101010 then if bOUND_VARIABLE_2945 = #b00000000000000000000000000101001 then if bOUND_VARIABLE_2946 = #b00000000000000100000000000000000 then #b00000000000000000000000000101011 else #b00000000000000000000000000000110 else #b00000000000000000000000000000110 else if bOUND_VARIABLE_2944 = #b00000000000000000000000000101000 then if bOUND_VARIABLE_2945 = #b00000000000000000000000000100111 then if bOUND_VARIABLE_2946 = #b00000000000000010000000000000000 then #b00000000000000000000000000101001 else #b00000000000000000000000000000110 else #b00000000000000000000000000000110 else if bOUND_VARIABLE_2944 = #b00000000000000000000000000100110 then if bOUND_VARIABLE_2945 = #b00000000000000000000000000100101 then if bOUND_VARIABLE_2946 = #b00000000000000001000000000000000 then #b00000000000000000000000000100111 else #b00000000000000000000000000000110 else #b00000000000000000000000000000110 else if bOUND_VARIABLE_2944 = #b00000000000000000000000000100100 then if bOUND_VARIABLE_2945 = #b00000000000000000000000000100011 then if bOUND_VARIABLE_2946 = #b00000000000000000100000000000000 then #b00000000000000000000000000100101 else #b00000000000000000000000000000110 else #b00000000000000000000000000000110 else if bOUND_VARIABLE_2944 = #b00000000000000000000000000100010 then if bOUND_VARIABLE_2945 = #b00000000000000000000000000100001 then if bOUND_VARIABLE_2946 = #b00000000000000000010000000000000 then #b00000000000000000000000000100011 else #b00000000000000000000000000000110 else #b00000000000000000000000000000110 else if bOUND_VARIABLE_2944 = #b00000000000000000000000000011111 then if bOUND_VARIABLE_2945 = #b00000000000000000000000000011110 then if bOUND_VARIABLE_2946 = #b00000000000000000001000000000000 then #b00000000000000000000000000100001 else #b00000000000000000000000000000110 else #b00000000000000000000000000000110 else if bOUND_VARIABLE_2944 = #b00000000000000000000000000011101 then if bOUND_VARIABLE_2945 = #b00000000000000000000000000011100 then if bOUND_VARIABLE_2946 = #b00000000000000000000100000000000 then #b00000000000000000000000000011110 else #b00000000000000000000000000000110 else #b00000000000000000000000000000110 else if bOUND_VARIABLE_2944 = #b00000000000000000000000000011011 then if bOUND_VARIABLE_2945 = #b00000000000000000000000000011010 then if bOUND_VARIABLE_2946 = #b00000000000000000000010000000000 then #b00000000000000000000000000011100 else #b00000000000000000000000000000110 else #b00000000000000000000000000000110 else if bOUND_VARIABLE_2944 = #b00000000000000000000000000011001 then if bOUND_VARIABLE_2945 = #b00000000000000000000000000011000 then if bOUND_VARIABLE_2946 = #b00000000000000000000001000000000 then #b00000000000000000000000000011010 else #b00000000000000000000000000000110 else #b00000000000000000000000000000110 else if bOUND_VARIABLE_2944 = #b00000000000000000000000000010111 then if bOUND_VARIABLE_2945 = #b00000000000000000000000000010110 then if bOUND_VARIABLE_2946 = #b00000000000000000000000100000000 then #b00000000000000000000000000011000 else #b00000000000000000000000000000110 else #b00000000000000000000000000000110 else if bOUND_VARIABLE_2944 = #b00000000000000000000000000010101 then if bOUND_VARIABLE_2945 = #b00000000000000000000000000010100 then if bOUND_VARIABLE_2946 = #b00000000000000000000000010000000 then #b00000000000000000000000000010110 else #b00000000000000000000000000000110 else #b00000000000000000000000000000110 else if bOUND_VARIABLE_2944 = #b00000000000000000000000000010011 then if bOUND_VARIABLE_2945 = #b00000000000000000000000000010010 then if bOUND_VARIABLE_2946 = #b00000000000000000000000001000000 then #b00000000000000000000000000010100 else #b00000000000000000000000000000110 else #b00000000000000000000000000000110 else if bOUND_VARIABLE_2944 = #b00000000000000000000000000010001 then if bOUND_VARIABLE_2945 = #b00000000000000000000000000001111 then if bOUND_VARIABLE_2946 = #b00000000000000000000000000100000 then #b00000000000000000000000000010010 else #b00000000000000000000000000000110 else #b00000000000000000000000000000110 else if bOUND_VARIABLE_2944 = #b00000000000000000000000000001110 then if bOUND_VARIABLE_2945 = #b00000000000000000000000000001101 then if bOUND_VARIABLE_2946 = #b00000000000000000000000000010000 then #b00000000000000000000000000001111 else #b00000000000000000000000000000110 else #b00000000000000000000000000000110 else if bOUND_VARIABLE_2944 = #b00000000000000000000000000001100 then if bOUND_VARIABLE_2945 = #b00000000000000000000000000001011 then if bOUND_VARIABLE_2946 = #b00000000000000000000000000001000 then #b00000000000000000000000000001101 else #b00000000000000000000000000000110 else #b00000000000000000000000000000110 else if bOUND_VARIABLE_2944 = #b00000000000000000000000000001010 then if bOUND_VARIABLE_2945 = #b00000000000000000000000000001001 then if bOUND_VARIABLE_2946 = #b00000000000000000000000000000100 then #b00000000000000000000000000001011 else #b00000000000000000000000000000110 else #b00000000000000000000000000000110 else if bOUND_VARIABLE_2944 = #b00000000000000000000000000000111 then if bOUND_VARIABLE_2945 = #b00000000000000000000000000000110 then if bOUND_VARIABLE_2946 = #b00000000000000000000000000000010 then #b00000000000000000000000000001001 else #b00000000000000000000000000000110 else #b00000000000000000000000000000110 else #b00000000000000000000000000000110 Line 24: oand : t -> t -> t = fun bOUND_VARIABLE_2395 bOUND_VARIABLE_2396 -> #b00000000000000000000000000111010 Line 27: oand__function_guard : t -> t -> t -> t = fun bOUND_VARIABLE_2944 bOUND_VARIABLE_2945 bOUND_VARIABLE_2946 -> #b00000000000000000000000000111011 Line 391: base : t = #b00000000000000000000000000000011 why3-1.6.0/bench/check-ce/oracles/703_reduce_term_CVC5,1.0.0_SP.oracle000066400000000000000000000041031440160026300244440ustar00rootroot00000000000000Warning: term reduction aborted (term size blows up from 289 to 491721, after 278 steps). Warning: term reduction aborted (takes more than 1024 steps). Warning: term reduction aborted (term size blows up from 289 to 491721, after 278 steps). Warning: term reduction aborted (takes more than 1024 steps). Warning: term reduction aborted (term size blows up from 289 to 491721, after 278 steps). Warning: term reduction aborted (takes more than 1024 steps). Warning: term reduction aborted (term size blows up from 289 to 491721, after 278 steps). Warning: term reduction aborted (takes more than 1024 steps). Categorizations of models: - Checked model 0: INCOMPLETE - Concrete RAC: INCOMPLETE (terminated because Precondition of `local` cannot be evaluated) - Abstract RAC: INCOMPLETE (terminated because Precondition of `local` cannot be evaluated) - Selected model 1: INCOMPLETE - Concrete RAC: INCOMPLETE (terminated because Precondition of `local` cannot be evaluated) - Abstract RAC: INCOMPLETE (terminated because Precondition of `local` cannot be evaluated) File "bench/check-ce/703_reduce_term.mlw", line 391, characters 4-55: Sub-goal Precondition of goal def'vc. Prover result is: Unknown or time/memory/step limit. The following counterexample model could not be verified (both RAC terminated because Precondition of `local` cannot be evaluated): File 703_reduce_term.mlw: Line 5: base : t = #b11111111111111111111111111111111 Line 13: oor : t -> t -> t = fun _arg_1 _arg_2 -> #b00000000000000000000000000000000 Line 16: oor__function_guard : t -> t -> t -> t = fun _arg_1 _arg_2 _arg_3 -> #b00000000000000000000000000000000 Line 24: oand : t -> t -> t = fun _arg_1 _arg_2 -> #b00000000000000000000000000000000 Line 27: oand__function_guard : t -> t -> t -> t = fun _arg_1 _arg_2 _arg_3 -> #b11111111111111111111111111111110 Line 391: base : t = #b11111111111111111111111111111111 why3-1.6.0/bench/check-ce/oracles/703_reduce_term_CVC5,1.0.0_WP.oracle000066400000000000000000000041031440160026300244500ustar00rootroot00000000000000Warning: term reduction aborted (term size blows up from 289 to 491721, after 278 steps). Warning: term reduction aborted (takes more than 1024 steps). Warning: term reduction aborted (term size blows up from 289 to 491721, after 278 steps). Warning: term reduction aborted (takes more than 1024 steps). Warning: term reduction aborted (term size blows up from 289 to 491721, after 278 steps). Warning: term reduction aborted (takes more than 1024 steps). Warning: term reduction aborted (term size blows up from 289 to 491721, after 278 steps). Warning: term reduction aborted (takes more than 1024 steps). Categorizations of models: - Checked model 0: INCOMPLETE - Concrete RAC: INCOMPLETE (terminated because Precondition of `local` cannot be evaluated) - Abstract RAC: INCOMPLETE (terminated because Precondition of `local` cannot be evaluated) - Selected model 1: INCOMPLETE - Concrete RAC: INCOMPLETE (terminated because Precondition of `local` cannot be evaluated) - Abstract RAC: INCOMPLETE (terminated because Precondition of `local` cannot be evaluated) File "bench/check-ce/703_reduce_term.mlw", line 391, characters 4-55: Sub-goal Precondition of goal def'vc. Prover result is: Unknown or time/memory/step limit. The following counterexample model could not be verified (both RAC terminated because Precondition of `local` cannot be evaluated): File 703_reduce_term.mlw: Line 5: base : t = #b11111111111111111111111111111111 Line 13: oor : t -> t -> t = fun _arg_1 _arg_2 -> #b00000000000000000000000000000000 Line 16: oor__function_guard : t -> t -> t -> t = fun _arg_1 _arg_2 _arg_3 -> #b00000000000000000000000000000000 Line 24: oand : t -> t -> t = fun _arg_1 _arg_2 -> #b00000000000000000000000000000000 Line 27: oand__function_guard : t -> t -> t -> t = fun _arg_1 _arg_2 _arg_3 -> #b11111111111111111111111111111110 Line 391: base : t = #b11111111111111111111111111111111 why3-1.6.0/bench/check-ce/oracles/703_reduce_term_Z3,4.8.10_SP.oracle000066400000000000000000000424621440160026300243460ustar00rootroot00000000000000Warning: term reduction aborted (term size blows up from 289 to 491721, after 278 steps). Warning: term reduction aborted (takes more than 1024 steps). Warning: term reduction aborted (term size blows up from 289 to 491721, after 278 steps). Warning: term reduction aborted (takes more than 1024 steps). Categorizations of models: - Selected model 0: INCOMPLETE - Concrete RAC: INCOMPLETE (terminated because Precondition of `local` cannot be evaluated) - Abstract RAC: INCOMPLETE (terminated because Precondition of `local` cannot be evaluated) File "bench/check-ce/703_reduce_term.mlw", line 391, characters 4-55: Sub-goal Precondition of goal def'vc. Prover result is: Timeout (10.00s). The following counterexample model could not be verified (both RAC terminated because Precondition of `local` cannot be evaluated): File 703_reduce_term.mlw: Line 5: base : t = #x00000001 Line 13: oor : t -> t -> t = fun x!0 x!1 -> if x!0 = #x00000000 /\ x!1 = #x00000001 then #x00000000 else if x!0 = #x00000000 /\ x!1 = #x00000002 then #x00000000 else if x!0 = #x00000000 /\ x!1 = #x00000004 then #x00000000 else if x!0 = #x00000000 /\ x!1 = #x00000008 then #x00000000 else if x!0 = #x00000000 /\ x!1 = #x00000010 then #x00000000 else if x!0 = #x00000000 /\ x!1 = #x00000020 then #x00000000 else if x!0 = #x00000000 /\ x!1 = #x00000040 then #x00000000 else if x!0 = #x00000000 /\ x!1 = #x00000080 then #x00000000 else if x!0 = #x00000000 /\ x!1 = #x00000100 then #x00000000 else if x!0 = #x00000000 /\ x!1 = #x00000200 then #x00000000 else if x!0 = #x00000000 /\ x!1 = #x00000400 then #x00000000 else if x!0 = #x00000000 /\ x!1 = #x00000800 then #x00000000 else if x!0 = #x00000000 /\ x!1 = #x00001000 then #x00000000 else if x!0 = #x00000000 /\ x!1 = #x00002000 then #x00000000 else if x!0 = #x00000000 /\ x!1 = #x00004000 then #x00000000 else if x!0 = #x00000000 /\ x!1 = #x00008000 then #x00000000 else if x!0 = #x00000000 /\ x!1 = #x00010000 then #x00000000 else if x!0 = #x00000000 /\ x!1 = #x00020000 then #x00000000 else if x!0 = #x00000000 /\ x!1 = #x00040000 then #x00000000 else if x!0 = #x00000000 /\ x!1 = #x00080000 then #x00000000 else if x!0 = #x00000000 /\ x!1 = #x00100000 then #x00000000 else if x!0 = #x00000000 /\ x!1 = #x00200000 then #x00000000 else if x!0 = #x00000000 /\ x!1 = #x00400000 then #x00000000 else if x!0 = #x00000000 /\ x!1 = #x00800000 then #x00000000 else if x!0 = #x00000000 /\ x!1 = #x01000000 then #x00000000 else #x00000000 Line 16: oor__function_guard : t -> t -> t -> t = fun x!0 x!1 x!2 -> if x!0 = #x00000000 /\ x!1 = #x00000000 /\ x!2 = #x00000001 then #x00000000 else if x!0 = #x00000000 /\ x!1 = #x00000000 /\ x!2 = #x00000002 then #x00000000 else if x!0 = #x00000000 /\ x!1 = #x00000000 /\ x!2 = #x00000004 then #x00000000 else if x!0 = #x00000000 /\ x!1 = #x00000000 /\ x!2 = #x00000008 then #x00000000 else if x!0 = #x00000000 /\ x!1 = #x00000000 /\ x!2 = #x00000010 then #x00000000 else if x!0 = #x00000000 /\ x!1 = #x00000000 /\ x!2 = #x00000020 then #x00000000 else if x!0 = #x00000000 /\ x!1 = #x00000000 /\ x!2 = #x00000040 then #x00000000 else if x!0 = #x00000000 /\ x!1 = #x00000000 /\ x!2 = #x00000080 then #x00000000 else if x!0 = #x00000000 /\ x!1 = #x00000000 /\ x!2 = #x00000100 then #x00000000 else if x!0 = #x00000000 /\ x!1 = #x00000000 /\ x!2 = #x00000200 then #x00000000 else if x!0 = #x00000000 /\ x!1 = #x00000000 /\ x!2 = #x00000400 then #x00000000 else if x!0 = #x00000000 /\ x!1 = #x00000000 /\ x!2 = #x00000800 then #x00000000 else if x!0 = #x00000000 /\ x!1 = #x00000000 /\ x!2 = #x00001000 then #x00000000 else if x!0 = #x00000000 /\ x!1 = #x00000000 /\ x!2 = #x00002000 then #x00000000 else if x!0 = #x00000000 /\ x!1 = #x00000000 /\ x!2 = #x00004000 then #x00000000 else if x!0 = #x00000000 /\ x!1 = #x00000000 /\ x!2 = #x00008000 then #x00000000 else if x!0 = #x00000000 /\ x!1 = #x00000000 /\ x!2 = #x00010000 then #x00000000 else if x!0 = #x00000000 /\ x!1 = #x00000000 /\ x!2 = #x00020000 then #x00000000 else if x!0 = #x00000000 /\ x!1 = #x00000000 /\ x!2 = #x00040000 then #x00000000 else if x!0 = #x00000000 /\ x!1 = #x00000000 /\ x!2 = #x00080000 then #x00000000 else if x!0 = #x00000000 /\ x!1 = #x00000000 /\ x!2 = #x00100000 then #x00000000 else if x!0 = #x00000000 /\ x!1 = #x00000000 /\ x!2 = #x00200000 then #x00000000 else if x!0 = #x00000000 /\ x!1 = #x00000000 /\ x!2 = #x00400000 then #x00000000 else if x!0 = #x00000000 /\ x!1 = #x00000000 /\ x!2 = #x00800000 then #x00000000 else if x!0 = #x00000000 /\ x!1 = #x00000000 /\ x!2 = #x01000000 then #x00000000 else #x00000000 Line 24: oand : t -> t -> t = fun x!0 x!1 -> if x!0 = #x00000001 /\ x!1 = #x00000000 then #x00000000 else #x00000000 Line 27: oand__function_guard : t -> t -> t -> t = fun x!0 x!1 x!2 -> if x!0 = #x00000000 /\ x!1 = #x00000001 /\ x!2 = #x00000000 then #x00000000 else #x00000000 Line 391: base : t = #x00000001 why3-1.6.0/bench/check-ce/oracles/703_reduce_term_Z3,4.8.10_WP.oracle000066400000000000000000000424621440160026300243520ustar00rootroot00000000000000Warning: term reduction aborted (term size blows up from 289 to 491721, after 278 steps). Warning: term reduction aborted (takes more than 1024 steps). Warning: term reduction aborted (term size blows up from 289 to 491721, after 278 steps). Warning: term reduction aborted (takes more than 1024 steps). Categorizations of models: - Selected model 0: INCOMPLETE - Concrete RAC: INCOMPLETE (terminated because Precondition of `local` cannot be evaluated) - Abstract RAC: INCOMPLETE (terminated because Precondition of `local` cannot be evaluated) File "bench/check-ce/703_reduce_term.mlw", line 391, characters 4-55: Sub-goal Precondition of goal def'vc. Prover result is: Timeout (10.00s). The following counterexample model could not be verified (both RAC terminated because Precondition of `local` cannot be evaluated): File 703_reduce_term.mlw: Line 5: base : t = #x00000001 Line 13: oor : t -> t -> t = fun x!0 x!1 -> if x!0 = #x00000000 /\ x!1 = #x00000001 then #x00000000 else if x!0 = #x00000000 /\ x!1 = #x00000002 then #x00000000 else if x!0 = #x00000000 /\ x!1 = #x00000004 then #x00000000 else if x!0 = #x00000000 /\ x!1 = #x00000008 then #x00000000 else if x!0 = #x00000000 /\ x!1 = #x00000010 then #x00000000 else if x!0 = #x00000000 /\ x!1 = #x00000020 then #x00000000 else if x!0 = #x00000000 /\ x!1 = #x00000040 then #x00000000 else if x!0 = #x00000000 /\ x!1 = #x00000080 then #x00000000 else if x!0 = #x00000000 /\ x!1 = #x00000100 then #x00000000 else if x!0 = #x00000000 /\ x!1 = #x00000200 then #x00000000 else if x!0 = #x00000000 /\ x!1 = #x00000400 then #x00000000 else if x!0 = #x00000000 /\ x!1 = #x00000800 then #x00000000 else if x!0 = #x00000000 /\ x!1 = #x00001000 then #x00000000 else if x!0 = #x00000000 /\ x!1 = #x00002000 then #x00000000 else if x!0 = #x00000000 /\ x!1 = #x00004000 then #x00000000 else if x!0 = #x00000000 /\ x!1 = #x00008000 then #x00000000 else if x!0 = #x00000000 /\ x!1 = #x00010000 then #x00000000 else if x!0 = #x00000000 /\ x!1 = #x00020000 then #x00000000 else if x!0 = #x00000000 /\ x!1 = #x00040000 then #x00000000 else if x!0 = #x00000000 /\ x!1 = #x00080000 then #x00000000 else if x!0 = #x00000000 /\ x!1 = #x00100000 then #x00000000 else if x!0 = #x00000000 /\ x!1 = #x00200000 then #x00000000 else if x!0 = #x00000000 /\ x!1 = #x00400000 then #x00000000 else if x!0 = #x00000000 /\ x!1 = #x00800000 then #x00000000 else if x!0 = #x00000000 /\ x!1 = #x01000000 then #x00000000 else #x00000000 Line 16: oor__function_guard : t -> t -> t -> t = fun x!0 x!1 x!2 -> if x!0 = #x00000000 /\ x!1 = #x00000000 /\ x!2 = #x00000001 then #x00000000 else if x!0 = #x00000000 /\ x!1 = #x00000000 /\ x!2 = #x00000002 then #x00000000 else if x!0 = #x00000000 /\ x!1 = #x00000000 /\ x!2 = #x00000004 then #x00000000 else if x!0 = #x00000000 /\ x!1 = #x00000000 /\ x!2 = #x00000008 then #x00000000 else if x!0 = #x00000000 /\ x!1 = #x00000000 /\ x!2 = #x00000010 then #x00000000 else if x!0 = #x00000000 /\ x!1 = #x00000000 /\ x!2 = #x00000020 then #x00000000 else if x!0 = #x00000000 /\ x!1 = #x00000000 /\ x!2 = #x00000040 then #x00000000 else if x!0 = #x00000000 /\ x!1 = #x00000000 /\ x!2 = #x00000080 then #x00000000 else if x!0 = #x00000000 /\ x!1 = #x00000000 /\ x!2 = #x00000100 then #x00000000 else if x!0 = #x00000000 /\ x!1 = #x00000000 /\ x!2 = #x00000200 then #x00000000 else if x!0 = #x00000000 /\ x!1 = #x00000000 /\ x!2 = #x00000400 then #x00000000 else if x!0 = #x00000000 /\ x!1 = #x00000000 /\ x!2 = #x00000800 then #x00000000 else if x!0 = #x00000000 /\ x!1 = #x00000000 /\ x!2 = #x00001000 then #x00000000 else if x!0 = #x00000000 /\ x!1 = #x00000000 /\ x!2 = #x00002000 then #x00000000 else if x!0 = #x00000000 /\ x!1 = #x00000000 /\ x!2 = #x00004000 then #x00000000 else if x!0 = #x00000000 /\ x!1 = #x00000000 /\ x!2 = #x00008000 then #x00000000 else if x!0 = #x00000000 /\ x!1 = #x00000000 /\ x!2 = #x00010000 then #x00000000 else if x!0 = #x00000000 /\ x!1 = #x00000000 /\ x!2 = #x00020000 then #x00000000 else if x!0 = #x00000000 /\ x!1 = #x00000000 /\ x!2 = #x00040000 then #x00000000 else if x!0 = #x00000000 /\ x!1 = #x00000000 /\ x!2 = #x00080000 then #x00000000 else if x!0 = #x00000000 /\ x!1 = #x00000000 /\ x!2 = #x00100000 then #x00000000 else if x!0 = #x00000000 /\ x!1 = #x00000000 /\ x!2 = #x00200000 then #x00000000 else if x!0 = #x00000000 /\ x!1 = #x00000000 /\ x!2 = #x00400000 then #x00000000 else if x!0 = #x00000000 /\ x!1 = #x00000000 /\ x!2 = #x00800000 then #x00000000 else if x!0 = #x00000000 /\ x!1 = #x00000000 /\ x!2 = #x01000000 then #x00000000 else #x00000000 Line 24: oand : t -> t -> t = fun x!0 x!1 -> if x!0 = #x00000001 /\ x!1 = #x00000000 then #x00000000 else #x00000000 Line 27: oand__function_guard : t -> t -> t -> t = fun x!0 x!1 x!2 -> if x!0 = #x00000000 /\ x!1 = #x00000001 /\ x!2 = #x00000000 then #x00000000 else #x00000000 Line 391: base : t = #x00000001 why3-1.6.0/bench/check-ce/oracles/algebraic_types_mono_CVC4,1.8_SP.oracle000066400000000000000000000336001440160026300256170ustar00rootroot00000000000000Categorizations of models: - Checked model 0: BAD_CE - Concrete RAC: FAILURE (postcondition at "bench/check-ce/algebraic_types_mono.mlw", line 6, characters 32-67) - Abstract RAC: FAILURE (postcondition at "bench/check-ce/algebraic_types_mono.mlw", line 6, characters 32-67) - Selected model 1: BAD_CE - Concrete RAC: FAILURE (postcondition at "bench/check-ce/algebraic_types_mono.mlw", line 6, characters 32-67) - Abstract RAC: FAILURE (postcondition at "bench/check-ce/algebraic_types_mono.mlw", line 6, characters 32-67) File "bench/check-ce/algebraic_types_mono.mlw", line 6, characters 58-63: Goal G. Prover result is: Unknown (sat). Sorry, we don't have a good counterexample for you :( Categorizations of models: - Selected model 0: NC - Concrete RAC: FAILURE (postcondition at "bench/check-ce/algebraic_types_mono.mlw", line 10, characters 21-26) - Abstract RAC: FAILURE (postcondition at "bench/check-ce/algebraic_types_mono.mlw", line 10, characters 21-26) - Checked model 1: NC - Concrete RAC: FAILURE (postcondition at "bench/check-ce/algebraic_types_mono.mlw", line 10, characters 21-26) - Abstract RAC: FAILURE (postcondition at "bench/check-ce/algebraic_types_mono.mlw", line 10, characters 21-26) File "bench/check-ce/algebraic_types_mono.mlw", line 10, characters 21-26: Goal g2. Prover result is: Unknown (sat). The program does not comply to the verification goal, for example during the following execution: File int.mlw: Line 13: Constant zero initialization zero = 0 Line 14: Constant one initialization one = 1 File algebraic_types_mono.mlw: Line 10: x = (B 0) x = (B 0) Execution of main function `g2'goal` with env: x = (B 0) zero = 0 one = 1 Unknown location: Normal execution of function `Tuple0` with args: File algebraic_types_mono.mlw: Line 10: Property failure at postcondition of `g2'goal` with: A = UNDEFINED x = (B 0) Categorizations of models: - Selected model 0: NC - Concrete RAC: FAILURE (postcondition at "bench/check-ce/algebraic_types_mono.mlw", line 12, characters 21-28) - Abstract RAC: FAILURE (postcondition at "bench/check-ce/algebraic_types_mono.mlw", line 12, characters 21-28) - Checked model 1: NC - Concrete RAC: FAILURE (postcondition at "bench/check-ce/algebraic_types_mono.mlw", line 12, characters 21-28) - Abstract RAC: FAILURE (postcondition at "bench/check-ce/algebraic_types_mono.mlw", line 12, characters 21-28) File "bench/check-ce/algebraic_types_mono.mlw", line 12, characters 21-28: Goal g4. Prover result is: Unknown (sat). The program does not comply to the verification goal, for example during the following execution: File int.mlw: Line 13: Constant zero initialization zero = 0 Line 14: Constant one initialization one = 1 File algebraic_types_mono.mlw: Line 12: x = A x = A Execution of main function `g4'goal` with env: x = A zero = 0 one = 1 Unknown location: Normal execution of function `Tuple0` with args: File algebraic_types_mono.mlw: Line 12: Property failure at postcondition of `g4'goal` with: x = A Categorizations of models: - Selected model 0: NC - Concrete RAC: FAILURE (postcondition at "bench/check-ce/algebraic_types_mono.mlw", line 16, characters 21-31) - Abstract RAC: FAILURE (postcondition at "bench/check-ce/algebraic_types_mono.mlw", line 16, characters 21-31) - Checked model 1: NC - Concrete RAC: FAILURE (postcondition at "bench/check-ce/algebraic_types_mono.mlw", line 16, characters 21-31) - Abstract RAC: FAILURE (postcondition at "bench/check-ce/algebraic_types_mono.mlw", line 16, characters 21-31) File "bench/check-ce/algebraic_types_mono.mlw", line 16, characters 21-31: Goal g5. Prover result is: Unknown (sat). The program does not comply to the verification goal, for example during the following execution: File int.mlw: Line 13: Constant zero initialization zero = 0 Line 14: Constant one initialization one = 1 File algebraic_types_mono.mlw: Line 16: x = (Au 0 1) x = (Au 0 1) Execution of main function `g5'goal` with env: x = (Au 0 1) zero = 0 one = 1 Unknown location: Normal execution of function `Tuple0` with args: File algebraic_types_mono.mlw: Line 16: Property failure at postcondition of `g5'goal` with: x = (Au 0 1) Warning: term reduction aborted (takes more than 1024 steps). Warning: term reduction aborted (takes more than 1024 steps). Categorizations of models: - Checked model 0: BAD_CE - Concrete RAC: NORMAL - Abstract RAC: NORMAL - Selected model 1: NC - Concrete RAC: FAILURE (postcondition at "bench/check-ce/algebraic_types_mono.mlw", line 25, characters 29-38) - Abstract RAC: FAILURE (postcondition at "bench/check-ce/algebraic_types_mono.mlw", line 25, characters 29-38) - Checked model 2: BAD_CE - Concrete RAC: NORMAL - Abstract RAC: NORMAL File "bench/check-ce/algebraic_types_mono.mlw", line 25, characters 29-38: Goal g1. Prover result is: Unknown or time/memory/step limit. The program does not comply to the verification goal, for example during the following execution: File int.mlw: Line 13: Constant zero initialization zero = 0 Line 14: Constant one initialization one = 1 File algebraic_types_mono.mlw: Line 25: l = (Cons 1 (Cons 2 (Cons 3 (Cons 4 (Cons 5 (Cons 6 (Cons 7 (Cons 8 (Cons 9 (Cons 10 (Cons 11 (Cons 12 (Cons 13 (Cons 14 (Cons 15 (Cons 16 (Cons 17 (Cons 18 (Cons 19 (Cons 20 (Cons 21 (Cons 22 (Cons 23 (Cons 24 (Cons 25 (Cons 26 (Cons 27 (Cons 28 (Cons 29 (Cons 30 (Cons 31 (Cons 32 (Cons 33 (Cons 34 (Cons 35 (Cons 36 (Cons 37 (Cons 38 (Cons 39 (Cons 40 (Cons 41 (Cons 42 (Cons 43 (Cons 44 (Cons 45 (Cons 46 (Cons 47 (Cons 48 (Cons 49 (Cons 50 (Cons 51 (Cons 52 (Cons 53 (Cons 54 (Cons 55 (Cons 56 (Cons 57 (Cons 58 (Cons 59 (Cons 60 (Cons 61 (Cons 62 (Cons 63 (Cons 64 (Cons 65 (Cons 66 (Cons 67 (Cons 68 (Cons 69 (Cons 70 (Cons 71 (Cons 72 (Cons 73 (Cons 74 (Cons 75 (Cons 76 (Cons 77 (Cons 78 (Cons 79 (Cons 80 (Cons 81 (Cons 82 (Cons 83 (Cons 84 (Cons 85 (Cons 86 (Cons 87 (Cons 88 (Cons 89 (Cons 90 (Cons 91 (Cons 92 (Cons 93 (Cons 94 (Cons 95 (Cons 96 (Cons 97 (Cons 98 (Cons 99 (Cons 100 (Cons 101 (Cons 102 (Cons 103 (Cons 104 (Cons 105 (Cons 106 (Cons 107 (Cons 108 (Cons 109 (Cons 110 (Cons 111 (Cons 112 (Cons 113 (Cons 114 (Cons 115 (Cons 116 (Cons 117 (Cons 118 (Cons 119 (Cons 120 (Cons 121 (Cons 122 (Cons 123 (Cons 124 (Cons 125 (Cons 126 (Cons 127 (Cons 128 (Cons 129 (Cons 130 (Cons 131 (Cons 132 (Cons 133 (Cons 134 (Cons 135 (Cons 136 (Cons 137 (Cons 138 (Cons 139 (Cons 140 (Cons 141 (Cons 142 (Cons 143 (Cons 144 (Cons 145 (Cons 146 (Cons 147 (Cons 148 (Cons 149 (Cons 150 (Cons 151 (Cons 152 (Cons 153 (Cons 154 (Cons 155 (Cons 156 (Cons 157 (Cons 158 (Cons 159 (Cons 160 (Cons 161 (Cons 162 (Cons 163 (Cons 164 (Cons 165 (Cons 166 (Cons 167 (Cons 168 (Cons 169 (Cons 170 (Cons 171 (Cons 0 Nil)))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))) l = (Cons 1 (Cons 2 (Cons 3 (Cons 4 (Cons 5 (Cons 6 (Cons 7 (Cons 8 (Cons 9 (Cons 10 (Cons 11 (Cons 12 (Cons 13 (Cons 14 (Cons 15 (Cons 16 (Cons 17 (Cons 18 (Cons 19 (Cons 20 (Cons 21 (Cons 22 (Cons 23 (Cons 24 (Cons 25 (Cons 26 (Cons 27 (Cons 28 (Cons 29 (Cons 30 (Cons 31 (Cons 32 (Cons 33 (Cons 34 (Cons 35 (Cons 36 (Cons 37 (Cons 38 (Cons 39 (Cons 40 (Cons 41 (Cons 42 (Cons 43 (Cons 44 (Cons 45 (Cons 46 (Cons 47 (Cons 48 (Cons 49 (Cons 50 (Cons 51 (Cons 52 (Cons 53 (Cons 54 (Cons 55 (Cons 56 (Cons 57 (Cons 58 (Cons 59 (Cons 60 (Cons 61 (Cons 62 (Cons 63 (Cons 64 (Cons 65 (Cons 66 (Cons 67 (Cons 68 (Cons 69 (Cons 70 (Cons 71 (Cons 72 (Cons 73 (Cons 74 (Cons 75 (Cons 76 (Cons 77 (Cons 78 (Cons 79 (Cons 80 (Cons 81 (Cons 82 (Cons 83 (Cons 84 (Cons 85 (Cons 86 (Cons 87 (Cons 88 (Cons 89 (Cons 90 (Cons 91 (Cons 92 (Cons 93 (Cons 94 (Cons 95 (Cons 96 (Cons 97 (Cons 98 (Cons 99 (Cons 100 (Cons 101 (Cons 102 (Cons 103 (Cons 104 (Cons 105 (Cons 106 (Cons 107 (Cons 108 (Cons 109 (Cons 110 (Cons 111 (Cons 112 (Cons 113 (Cons 114 (Cons 115 (Cons 116 (Cons 117 (Cons 118 (Cons 119 (Cons 120 (Cons 121 (Cons 122 (Cons 123 (Cons 124 (Cons 125 (Cons 126 (Cons 127 (Cons 128 (Cons 129 (Cons 130 (Cons 131 (Cons 132 (Cons 133 (Cons 134 (Cons 135 (Cons 136 (Cons 137 (Cons 138 (Cons 139 (Cons 140 (Cons 141 (Cons 142 (Cons 143 (Cons 144 (Cons 145 (Cons 146 (Cons 147 (Cons 148 (Cons 149 (Cons 150 (Cons 151 (Cons 152 (Cons 153 (Cons 154 (Cons 155 (Cons 156 (Cons 157 (Cons 158 (Cons 159 (Cons 160 (Cons 161 (Cons 162 (Cons 163 (Cons 164 (Cons 165 (Cons 166 (Cons 167 (Cons 168 (Cons 169 (Cons 170 (Cons 171 (Cons 0 Nil)))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))) Execution of main function `g1'goal` with env: l = (Cons 1 (Cons 2 (Cons 3 (Cons 4 (Cons 5 (Cons 6 (Cons 7 (Cons 8 (Cons 9 (Cons 10 (Cons 11 (Cons 12 (Cons 13 (Cons 14 (Cons 15 (Cons 16 (Cons 17 (Cons 18 (Cons 19 (Cons 20 (Cons 21 (Cons 22 (Cons 23 (Cons 24 (Cons 25 (Cons 26 (Cons 27 (Cons 28 (Cons 29 (Cons 30 (Cons 31 (Cons 32 (Cons 33 (Cons 34 (Cons 35 (Cons 36 (Cons 37 (Cons 38 (Cons 39 (Cons 40 (Cons 41 (Cons 42 (Cons 43 (Cons 44 (Cons 45 (Cons 46 (Cons 47 (Cons 48 (Cons 49 (Cons 50 (Cons 51 (Cons 52 (Cons 53 (Cons 54 (Cons 55 (Cons 56 (Cons 57 (Cons 58 (Cons 59 (Cons 60 (Cons 61 (Cons 62 (Cons 63 (Cons 64 (Cons 65 (Cons 66 (Cons 67 (Cons 68 (Cons 69 (Cons 70 (Cons 71 (Cons 72 (Cons 73 (Cons 74 (Cons 75 (Cons 76 (Cons 77 (Cons 78 (Cons 79 (Cons 80 (Cons 81 (Cons 82 (Cons 83 (Cons 84 (Cons 85 (Cons 86 (Cons 87 (Cons 88 (Cons 89 (Cons 90 (Cons 91 (Cons 92 (Cons 93 (Cons 94 (Cons 95 (Cons 96 (Cons 97 (Cons 98 (Cons 99 (Cons 100 (Cons 101 (Cons 102 (Cons 103 (Cons 104 (Cons 105 (Cons 106 (Cons 107 (Cons 108 (Cons 109 (Cons 110 (Cons 111 (Cons 112 (Cons 113 (Cons 114 (Cons 115 (Cons 116 (Cons 117 (Cons 118 (Cons 119 (Cons 120 (Cons 121 (Cons 122 (Cons 123 (Cons 124 (Cons 125 (Cons 126 (Cons 127 (Cons 128 (Cons 129 (Cons 130 (Cons 131 (Cons 132 (Cons 133 (Cons 134 (Cons 135 (Cons 136 (Cons 137 (Cons 138 (Cons 139 (Cons 140 (Cons 141 (Cons 142 (Cons 143 (Cons 144 (Cons 145 (Cons 146 (Cons 147 (Cons 148 (Cons 149 (Cons 150 (Cons 151 (Cons 152 (Cons 153 (Cons 154 (Cons 155 (Cons 156 (Cons 157 (Cons 158 (Cons 159 (Cons 160 (Cons 161 (Cons 162 (Cons 163 (Cons 164 (Cons 165 (Cons 166 (Cons 167 (Cons 168 (Cons 169 (Cons 170 (Cons 171 (Cons 0 Nil)))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))) zero = 0 one = 1 Unknown location: Normal execution of function `Tuple0` with args: File algebraic_types_mono.mlw: Line 25: Property failure at postcondition of `g1'goal1` with: l = (Cons 1 (Cons 2 (Cons 3 (Cons 4 (Cons 5 (Cons 6 (Cons 7 (Cons 8 (Cons 9 (Cons 10 (Cons 11 (Cons 12 (Cons 13 (Cons 14 (Cons 15 (Cons 16 (Cons 17 (Cons 18 (Cons 19 (Cons 20 (Cons 21 (Cons 22 (Cons 23 (Cons 24 (Cons 25 (Cons 26 (Cons 27 (Cons 28 (Cons 29 (Cons 30 (Cons 31 (Cons 32 (Cons 33 (Cons 34 (Cons 35 (Cons 36 (Cons 37 (Cons 38 (Cons 39 (Cons 40 (Cons 41 (Cons 42 (Cons 43 (Cons 44 (Cons 45 (Cons 46 (Cons 47 (Cons 48 (Cons 49 (Cons 50 (Cons 51 (Cons 52 (Cons 53 (Cons 54 (Cons 55 (Cons 56 (Cons 57 (Cons 58 (Cons 59 (Cons 60 (Cons 61 (Cons 62 (Cons 63 (Cons 64 (Cons 65 (Cons 66 (Cons 67 (Cons 68 (Cons 69 (Cons 70 (Cons 71 (Cons 72 (Cons 73 (Cons 74 (Cons 75 (Cons 76 (Cons 77 (Cons 78 (Cons 79 (Cons 80 (Cons 81 (Cons 82 (Cons 83 (Cons 84 (Cons 85 (Cons 86 (Cons 87 (Cons 88 (Cons 89 (Cons 90 (Cons 91 (Cons 92 (Cons 93 (Cons 94 (Cons 95 (Cons 96 (Cons 97 (Cons 98 (Cons 99 (Cons 100 (Cons 101 (Cons 102 (Cons 103 (Cons 104 (Cons 105 (Cons 106 (Cons 107 (Cons 108 (Cons 109 (Cons 110 (Cons 111 (Cons 112 (Cons 113 (Cons 114 (Cons 115 (Cons 116 (Cons 117 (Cons 118 (Cons 119 (Cons 120 (Cons 121 (Cons 122 (Cons 123 (Cons 124 (Cons 125 (Cons 126 (Cons 127 (Cons 128 (Cons 129 (Cons 130 (Cons 131 (Cons 132 (Cons 133 (Cons 134 (Cons 135 (Cons 136 (Cons 137 (Cons 138 (Cons 139 (Cons 140 (Cons 141 (Cons 142 (Cons 143 (Cons 144 (Cons 145 (Cons 146 (Cons 147 (Cons 148 (Cons 149 (Cons 150 (Cons 151 (Cons 152 (Cons 153 (Cons 154 (Cons 155 (Cons 156 (Cons 157 (Cons 158 (Cons 159 (Cons 160 (Cons 161 (Cons 162 (Cons 163 (Cons 164 (Cons 165 (Cons 166 (Cons 167 (Cons 168 (Cons 169 (Cons 170 (Cons 171 (Cons 0 Nil)))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))) Categorizations of models: - Selected model 0: NC - Concrete RAC: FAILURE (postcondition at "bench/check-ce/algebraic_types_mono.mlw", line 27, characters 29-36) - Abstract RAC: FAILURE (postcondition at "bench/check-ce/algebraic_types_mono.mlw", line 27, characters 29-36) - Checked model 1: NC - Concrete RAC: FAILURE (postcondition at "bench/check-ce/algebraic_types_mono.mlw", line 27, characters 29-36) - Abstract RAC: FAILURE (postcondition at "bench/check-ce/algebraic_types_mono.mlw", line 27, characters 29-36) File "bench/check-ce/algebraic_types_mono.mlw", line 27, characters 29-36: Goal g7. Prover result is: Unknown (sat). The program does not comply to the verification goal, for example during the following execution: File int.mlw: Line 13: Constant zero initialization zero = 0 Line 14: Constant one initialization one = 1 File algebraic_types_mono.mlw: Line 27: l = (Cons 0 Nil) l = (Cons 0 Nil) Execution of main function `g7'goal` with env: l = (Cons 0 Nil) zero = 0 one = 1 Unknown location: Normal execution of function `Tuple0` with args: File algebraic_types_mono.mlw: Line 27: Property failure at postcondition of `g7'goal` with: Nil = UNDEFINED l = (Cons 0 Nil) why3-1.6.0/bench/check-ce/oracles/algebraic_types_mono_CVC4,1.8_WP.oracle000066400000000000000000000336001440160026300256230ustar00rootroot00000000000000Categorizations of models: - Checked model 0: BAD_CE - Concrete RAC: FAILURE (postcondition at "bench/check-ce/algebraic_types_mono.mlw", line 6, characters 32-67) - Abstract RAC: FAILURE (postcondition at "bench/check-ce/algebraic_types_mono.mlw", line 6, characters 32-67) - Selected model 1: BAD_CE - Concrete RAC: FAILURE (postcondition at "bench/check-ce/algebraic_types_mono.mlw", line 6, characters 32-67) - Abstract RAC: FAILURE (postcondition at "bench/check-ce/algebraic_types_mono.mlw", line 6, characters 32-67) File "bench/check-ce/algebraic_types_mono.mlw", line 6, characters 58-63: Goal G. Prover result is: Unknown (sat). Sorry, we don't have a good counterexample for you :( Categorizations of models: - Selected model 0: NC - Concrete RAC: FAILURE (postcondition at "bench/check-ce/algebraic_types_mono.mlw", line 10, characters 21-26) - Abstract RAC: FAILURE (postcondition at "bench/check-ce/algebraic_types_mono.mlw", line 10, characters 21-26) - Checked model 1: NC - Concrete RAC: FAILURE (postcondition at "bench/check-ce/algebraic_types_mono.mlw", line 10, characters 21-26) - Abstract RAC: FAILURE (postcondition at "bench/check-ce/algebraic_types_mono.mlw", line 10, characters 21-26) File "bench/check-ce/algebraic_types_mono.mlw", line 10, characters 21-26: Goal g2. Prover result is: Unknown (sat). The program does not comply to the verification goal, for example during the following execution: File int.mlw: Line 13: Constant zero initialization zero = 0 Line 14: Constant one initialization one = 1 File algebraic_types_mono.mlw: Line 10: x = (B 0) x = (B 0) Execution of main function `g2'goal` with env: x = (B 0) zero = 0 one = 1 Unknown location: Normal execution of function `Tuple0` with args: File algebraic_types_mono.mlw: Line 10: Property failure at postcondition of `g2'goal` with: A = UNDEFINED x = (B 0) Categorizations of models: - Selected model 0: NC - Concrete RAC: FAILURE (postcondition at "bench/check-ce/algebraic_types_mono.mlw", line 12, characters 21-28) - Abstract RAC: FAILURE (postcondition at "bench/check-ce/algebraic_types_mono.mlw", line 12, characters 21-28) - Checked model 1: NC - Concrete RAC: FAILURE (postcondition at "bench/check-ce/algebraic_types_mono.mlw", line 12, characters 21-28) - Abstract RAC: FAILURE (postcondition at "bench/check-ce/algebraic_types_mono.mlw", line 12, characters 21-28) File "bench/check-ce/algebraic_types_mono.mlw", line 12, characters 21-28: Goal g4. Prover result is: Unknown (sat). The program does not comply to the verification goal, for example during the following execution: File int.mlw: Line 13: Constant zero initialization zero = 0 Line 14: Constant one initialization one = 1 File algebraic_types_mono.mlw: Line 12: x = A x = A Execution of main function `g4'goal` with env: x = A zero = 0 one = 1 Unknown location: Normal execution of function `Tuple0` with args: File algebraic_types_mono.mlw: Line 12: Property failure at postcondition of `g4'goal` with: x = A Categorizations of models: - Selected model 0: NC - Concrete RAC: FAILURE (postcondition at "bench/check-ce/algebraic_types_mono.mlw", line 16, characters 21-31) - Abstract RAC: FAILURE (postcondition at "bench/check-ce/algebraic_types_mono.mlw", line 16, characters 21-31) - Checked model 1: NC - Concrete RAC: FAILURE (postcondition at "bench/check-ce/algebraic_types_mono.mlw", line 16, characters 21-31) - Abstract RAC: FAILURE (postcondition at "bench/check-ce/algebraic_types_mono.mlw", line 16, characters 21-31) File "bench/check-ce/algebraic_types_mono.mlw", line 16, characters 21-31: Goal g5. Prover result is: Unknown (sat). The program does not comply to the verification goal, for example during the following execution: File int.mlw: Line 13: Constant zero initialization zero = 0 Line 14: Constant one initialization one = 1 File algebraic_types_mono.mlw: Line 16: x = (Au 0 1) x = (Au 0 1) Execution of main function `g5'goal` with env: x = (Au 0 1) zero = 0 one = 1 Unknown location: Normal execution of function `Tuple0` with args: File algebraic_types_mono.mlw: Line 16: Property failure at postcondition of `g5'goal` with: x = (Au 0 1) Warning: term reduction aborted (takes more than 1024 steps). Warning: term reduction aborted (takes more than 1024 steps). Categorizations of models: - Checked model 0: BAD_CE - Concrete RAC: NORMAL - Abstract RAC: NORMAL - Selected model 1: NC - Concrete RAC: FAILURE (postcondition at "bench/check-ce/algebraic_types_mono.mlw", line 25, characters 29-38) - Abstract RAC: FAILURE (postcondition at "bench/check-ce/algebraic_types_mono.mlw", line 25, characters 29-38) - Checked model 2: BAD_CE - Concrete RAC: NORMAL - Abstract RAC: NORMAL File "bench/check-ce/algebraic_types_mono.mlw", line 25, characters 29-38: Goal g1. Prover result is: Unknown or time/memory/step limit. The program does not comply to the verification goal, for example during the following execution: File int.mlw: Line 13: Constant zero initialization zero = 0 Line 14: Constant one initialization one = 1 File algebraic_types_mono.mlw: Line 25: l = (Cons 1 (Cons 2 (Cons 3 (Cons 4 (Cons 5 (Cons 6 (Cons 7 (Cons 8 (Cons 9 (Cons 10 (Cons 11 (Cons 12 (Cons 13 (Cons 14 (Cons 15 (Cons 16 (Cons 17 (Cons 18 (Cons 19 (Cons 20 (Cons 21 (Cons 22 (Cons 23 (Cons 24 (Cons 25 (Cons 26 (Cons 27 (Cons 28 (Cons 29 (Cons 30 (Cons 31 (Cons 32 (Cons 33 (Cons 34 (Cons 35 (Cons 36 (Cons 37 (Cons 38 (Cons 39 (Cons 40 (Cons 41 (Cons 42 (Cons 43 (Cons 44 (Cons 45 (Cons 46 (Cons 47 (Cons 48 (Cons 49 (Cons 50 (Cons 51 (Cons 52 (Cons 53 (Cons 54 (Cons 55 (Cons 56 (Cons 57 (Cons 58 (Cons 59 (Cons 60 (Cons 61 (Cons 62 (Cons 63 (Cons 64 (Cons 65 (Cons 66 (Cons 67 (Cons 68 (Cons 69 (Cons 70 (Cons 71 (Cons 72 (Cons 73 (Cons 74 (Cons 75 (Cons 76 (Cons 77 (Cons 78 (Cons 79 (Cons 80 (Cons 81 (Cons 82 (Cons 83 (Cons 84 (Cons 85 (Cons 86 (Cons 87 (Cons 88 (Cons 89 (Cons 90 (Cons 91 (Cons 92 (Cons 93 (Cons 94 (Cons 95 (Cons 96 (Cons 97 (Cons 98 (Cons 99 (Cons 100 (Cons 101 (Cons 102 (Cons 103 (Cons 104 (Cons 105 (Cons 106 (Cons 107 (Cons 108 (Cons 109 (Cons 110 (Cons 111 (Cons 112 (Cons 113 (Cons 114 (Cons 115 (Cons 116 (Cons 117 (Cons 118 (Cons 119 (Cons 120 (Cons 121 (Cons 122 (Cons 123 (Cons 124 (Cons 125 (Cons 126 (Cons 127 (Cons 128 (Cons 129 (Cons 130 (Cons 131 (Cons 132 (Cons 133 (Cons 134 (Cons 135 (Cons 136 (Cons 137 (Cons 138 (Cons 139 (Cons 140 (Cons 141 (Cons 142 (Cons 143 (Cons 144 (Cons 145 (Cons 146 (Cons 147 (Cons 148 (Cons 149 (Cons 150 (Cons 151 (Cons 152 (Cons 153 (Cons 154 (Cons 155 (Cons 156 (Cons 157 (Cons 158 (Cons 159 (Cons 160 (Cons 161 (Cons 162 (Cons 163 (Cons 164 (Cons 165 (Cons 166 (Cons 167 (Cons 168 (Cons 169 (Cons 170 (Cons 171 (Cons 0 Nil)))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))) l = (Cons 1 (Cons 2 (Cons 3 (Cons 4 (Cons 5 (Cons 6 (Cons 7 (Cons 8 (Cons 9 (Cons 10 (Cons 11 (Cons 12 (Cons 13 (Cons 14 (Cons 15 (Cons 16 (Cons 17 (Cons 18 (Cons 19 (Cons 20 (Cons 21 (Cons 22 (Cons 23 (Cons 24 (Cons 25 (Cons 26 (Cons 27 (Cons 28 (Cons 29 (Cons 30 (Cons 31 (Cons 32 (Cons 33 (Cons 34 (Cons 35 (Cons 36 (Cons 37 (Cons 38 (Cons 39 (Cons 40 (Cons 41 (Cons 42 (Cons 43 (Cons 44 (Cons 45 (Cons 46 (Cons 47 (Cons 48 (Cons 49 (Cons 50 (Cons 51 (Cons 52 (Cons 53 (Cons 54 (Cons 55 (Cons 56 (Cons 57 (Cons 58 (Cons 59 (Cons 60 (Cons 61 (Cons 62 (Cons 63 (Cons 64 (Cons 65 (Cons 66 (Cons 67 (Cons 68 (Cons 69 (Cons 70 (Cons 71 (Cons 72 (Cons 73 (Cons 74 (Cons 75 (Cons 76 (Cons 77 (Cons 78 (Cons 79 (Cons 80 (Cons 81 (Cons 82 (Cons 83 (Cons 84 (Cons 85 (Cons 86 (Cons 87 (Cons 88 (Cons 89 (Cons 90 (Cons 91 (Cons 92 (Cons 93 (Cons 94 (Cons 95 (Cons 96 (Cons 97 (Cons 98 (Cons 99 (Cons 100 (Cons 101 (Cons 102 (Cons 103 (Cons 104 (Cons 105 (Cons 106 (Cons 107 (Cons 108 (Cons 109 (Cons 110 (Cons 111 (Cons 112 (Cons 113 (Cons 114 (Cons 115 (Cons 116 (Cons 117 (Cons 118 (Cons 119 (Cons 120 (Cons 121 (Cons 122 (Cons 123 (Cons 124 (Cons 125 (Cons 126 (Cons 127 (Cons 128 (Cons 129 (Cons 130 (Cons 131 (Cons 132 (Cons 133 (Cons 134 (Cons 135 (Cons 136 (Cons 137 (Cons 138 (Cons 139 (Cons 140 (Cons 141 (Cons 142 (Cons 143 (Cons 144 (Cons 145 (Cons 146 (Cons 147 (Cons 148 (Cons 149 (Cons 150 (Cons 151 (Cons 152 (Cons 153 (Cons 154 (Cons 155 (Cons 156 (Cons 157 (Cons 158 (Cons 159 (Cons 160 (Cons 161 (Cons 162 (Cons 163 (Cons 164 (Cons 165 (Cons 166 (Cons 167 (Cons 168 (Cons 169 (Cons 170 (Cons 171 (Cons 0 Nil)))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))) Execution of main function `g1'goal` with env: l = (Cons 1 (Cons 2 (Cons 3 (Cons 4 (Cons 5 (Cons 6 (Cons 7 (Cons 8 (Cons 9 (Cons 10 (Cons 11 (Cons 12 (Cons 13 (Cons 14 (Cons 15 (Cons 16 (Cons 17 (Cons 18 (Cons 19 (Cons 20 (Cons 21 (Cons 22 (Cons 23 (Cons 24 (Cons 25 (Cons 26 (Cons 27 (Cons 28 (Cons 29 (Cons 30 (Cons 31 (Cons 32 (Cons 33 (Cons 34 (Cons 35 (Cons 36 (Cons 37 (Cons 38 (Cons 39 (Cons 40 (Cons 41 (Cons 42 (Cons 43 (Cons 44 (Cons 45 (Cons 46 (Cons 47 (Cons 48 (Cons 49 (Cons 50 (Cons 51 (Cons 52 (Cons 53 (Cons 54 (Cons 55 (Cons 56 (Cons 57 (Cons 58 (Cons 59 (Cons 60 (Cons 61 (Cons 62 (Cons 63 (Cons 64 (Cons 65 (Cons 66 (Cons 67 (Cons 68 (Cons 69 (Cons 70 (Cons 71 (Cons 72 (Cons 73 (Cons 74 (Cons 75 (Cons 76 (Cons 77 (Cons 78 (Cons 79 (Cons 80 (Cons 81 (Cons 82 (Cons 83 (Cons 84 (Cons 85 (Cons 86 (Cons 87 (Cons 88 (Cons 89 (Cons 90 (Cons 91 (Cons 92 (Cons 93 (Cons 94 (Cons 95 (Cons 96 (Cons 97 (Cons 98 (Cons 99 (Cons 100 (Cons 101 (Cons 102 (Cons 103 (Cons 104 (Cons 105 (Cons 106 (Cons 107 (Cons 108 (Cons 109 (Cons 110 (Cons 111 (Cons 112 (Cons 113 (Cons 114 (Cons 115 (Cons 116 (Cons 117 (Cons 118 (Cons 119 (Cons 120 (Cons 121 (Cons 122 (Cons 123 (Cons 124 (Cons 125 (Cons 126 (Cons 127 (Cons 128 (Cons 129 (Cons 130 (Cons 131 (Cons 132 (Cons 133 (Cons 134 (Cons 135 (Cons 136 (Cons 137 (Cons 138 (Cons 139 (Cons 140 (Cons 141 (Cons 142 (Cons 143 (Cons 144 (Cons 145 (Cons 146 (Cons 147 (Cons 148 (Cons 149 (Cons 150 (Cons 151 (Cons 152 (Cons 153 (Cons 154 (Cons 155 (Cons 156 (Cons 157 (Cons 158 (Cons 159 (Cons 160 (Cons 161 (Cons 162 (Cons 163 (Cons 164 (Cons 165 (Cons 166 (Cons 167 (Cons 168 (Cons 169 (Cons 170 (Cons 171 (Cons 0 Nil)))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))) zero = 0 one = 1 Unknown location: Normal execution of function `Tuple0` with args: File algebraic_types_mono.mlw: Line 25: Property failure at postcondition of `g1'goal1` with: l = (Cons 1 (Cons 2 (Cons 3 (Cons 4 (Cons 5 (Cons 6 (Cons 7 (Cons 8 (Cons 9 (Cons 10 (Cons 11 (Cons 12 (Cons 13 (Cons 14 (Cons 15 (Cons 16 (Cons 17 (Cons 18 (Cons 19 (Cons 20 (Cons 21 (Cons 22 (Cons 23 (Cons 24 (Cons 25 (Cons 26 (Cons 27 (Cons 28 (Cons 29 (Cons 30 (Cons 31 (Cons 32 (Cons 33 (Cons 34 (Cons 35 (Cons 36 (Cons 37 (Cons 38 (Cons 39 (Cons 40 (Cons 41 (Cons 42 (Cons 43 (Cons 44 (Cons 45 (Cons 46 (Cons 47 (Cons 48 (Cons 49 (Cons 50 (Cons 51 (Cons 52 (Cons 53 (Cons 54 (Cons 55 (Cons 56 (Cons 57 (Cons 58 (Cons 59 (Cons 60 (Cons 61 (Cons 62 (Cons 63 (Cons 64 (Cons 65 (Cons 66 (Cons 67 (Cons 68 (Cons 69 (Cons 70 (Cons 71 (Cons 72 (Cons 73 (Cons 74 (Cons 75 (Cons 76 (Cons 77 (Cons 78 (Cons 79 (Cons 80 (Cons 81 (Cons 82 (Cons 83 (Cons 84 (Cons 85 (Cons 86 (Cons 87 (Cons 88 (Cons 89 (Cons 90 (Cons 91 (Cons 92 (Cons 93 (Cons 94 (Cons 95 (Cons 96 (Cons 97 (Cons 98 (Cons 99 (Cons 100 (Cons 101 (Cons 102 (Cons 103 (Cons 104 (Cons 105 (Cons 106 (Cons 107 (Cons 108 (Cons 109 (Cons 110 (Cons 111 (Cons 112 (Cons 113 (Cons 114 (Cons 115 (Cons 116 (Cons 117 (Cons 118 (Cons 119 (Cons 120 (Cons 121 (Cons 122 (Cons 123 (Cons 124 (Cons 125 (Cons 126 (Cons 127 (Cons 128 (Cons 129 (Cons 130 (Cons 131 (Cons 132 (Cons 133 (Cons 134 (Cons 135 (Cons 136 (Cons 137 (Cons 138 (Cons 139 (Cons 140 (Cons 141 (Cons 142 (Cons 143 (Cons 144 (Cons 145 (Cons 146 (Cons 147 (Cons 148 (Cons 149 (Cons 150 (Cons 151 (Cons 152 (Cons 153 (Cons 154 (Cons 155 (Cons 156 (Cons 157 (Cons 158 (Cons 159 (Cons 160 (Cons 161 (Cons 162 (Cons 163 (Cons 164 (Cons 165 (Cons 166 (Cons 167 (Cons 168 (Cons 169 (Cons 170 (Cons 171 (Cons 0 Nil)))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))) Categorizations of models: - Selected model 0: NC - Concrete RAC: FAILURE (postcondition at "bench/check-ce/algebraic_types_mono.mlw", line 27, characters 29-36) - Abstract RAC: FAILURE (postcondition at "bench/check-ce/algebraic_types_mono.mlw", line 27, characters 29-36) - Checked model 1: NC - Concrete RAC: FAILURE (postcondition at "bench/check-ce/algebraic_types_mono.mlw", line 27, characters 29-36) - Abstract RAC: FAILURE (postcondition at "bench/check-ce/algebraic_types_mono.mlw", line 27, characters 29-36) File "bench/check-ce/algebraic_types_mono.mlw", line 27, characters 29-36: Goal g7. Prover result is: Unknown (sat). The program does not comply to the verification goal, for example during the following execution: File int.mlw: Line 13: Constant zero initialization zero = 0 Line 14: Constant one initialization one = 1 File algebraic_types_mono.mlw: Line 27: l = (Cons 0 Nil) l = (Cons 0 Nil) Execution of main function `g7'goal` with env: l = (Cons 0 Nil) zero = 0 one = 1 Unknown location: Normal execution of function `Tuple0` with args: File algebraic_types_mono.mlw: Line 27: Property failure at postcondition of `g7'goal` with: Nil = UNDEFINED l = (Cons 0 Nil) why3-1.6.0/bench/check-ce/oracles/algebraic_types_mono_CVC5,1.0.0_SP.oracle000066400000000000000000000140541440160026300257500ustar00rootroot00000000000000Categorizations of models: - Checked model 0: BAD_CE - Concrete RAC: FAILURE (postcondition at "bench/check-ce/algebraic_types_mono.mlw", line 6, characters 32-67) - Abstract RAC: FAILURE (postcondition at "bench/check-ce/algebraic_types_mono.mlw", line 6, characters 32-67) - Selected model 1: BAD_CE - Concrete RAC: FAILURE (postcondition at "bench/check-ce/algebraic_types_mono.mlw", line 6, characters 32-67) - Abstract RAC: FAILURE (postcondition at "bench/check-ce/algebraic_types_mono.mlw", line 6, characters 32-67) File "bench/check-ce/algebraic_types_mono.mlw", line 6, characters 58-63: Goal G. Prover result is: Unknown (sat). Sorry, we don't have a good counterexample for you :( Categorizations of models: - Selected model 0: NC - Concrete RAC: FAILURE (postcondition at "bench/check-ce/algebraic_types_mono.mlw", line 10, characters 21-26) - Abstract RAC: FAILURE (postcondition at "bench/check-ce/algebraic_types_mono.mlw", line 10, characters 21-26) - Checked model 1: NC - Concrete RAC: FAILURE (postcondition at "bench/check-ce/algebraic_types_mono.mlw", line 10, characters 21-26) - Abstract RAC: FAILURE (postcondition at "bench/check-ce/algebraic_types_mono.mlw", line 10, characters 21-26) File "bench/check-ce/algebraic_types_mono.mlw", line 10, characters 21-26: Goal g2. Prover result is: Unknown (sat). The program does not comply to the verification goal, for example during the following execution: File int.mlw: Line 13: Constant zero initialization zero = 0 Line 14: Constant one initialization one = 1 File algebraic_types_mono.mlw: Line 10: x = (B 0) x = (B 0) Execution of main function `g2'goal` with env: x = (B 0) zero = 0 one = 1 Unknown location: Normal execution of function `Tuple0` with args: File algebraic_types_mono.mlw: Line 10: Property failure at postcondition of `g2'goal` with: A = UNDEFINED x = (B 0) Categorizations of models: - Selected model 0: NC - Concrete RAC: FAILURE (postcondition at "bench/check-ce/algebraic_types_mono.mlw", line 12, characters 21-28) - Abstract RAC: FAILURE (postcondition at "bench/check-ce/algebraic_types_mono.mlw", line 12, characters 21-28) - Checked model 1: NC - Concrete RAC: FAILURE (postcondition at "bench/check-ce/algebraic_types_mono.mlw", line 12, characters 21-28) - Abstract RAC: FAILURE (postcondition at "bench/check-ce/algebraic_types_mono.mlw", line 12, characters 21-28) File "bench/check-ce/algebraic_types_mono.mlw", line 12, characters 21-28: Goal g4. Prover result is: Unknown (sat). The program does not comply to the verification goal, for example during the following execution: File int.mlw: Line 13: Constant zero initialization zero = 0 Line 14: Constant one initialization one = 1 File algebraic_types_mono.mlw: Line 12: x = A x = A Execution of main function `g4'goal` with env: x = A zero = 0 one = 1 Unknown location: Normal execution of function `Tuple0` with args: File algebraic_types_mono.mlw: Line 12: Property failure at postcondition of `g4'goal` with: x = A Categorizations of models: - Selected model 0: NC - Concrete RAC: FAILURE (postcondition at "bench/check-ce/algebraic_types_mono.mlw", line 16, characters 21-31) - Abstract RAC: FAILURE (postcondition at "bench/check-ce/algebraic_types_mono.mlw", line 16, characters 21-31) - Checked model 1: NC - Concrete RAC: FAILURE (postcondition at "bench/check-ce/algebraic_types_mono.mlw", line 16, characters 21-31) - Abstract RAC: FAILURE (postcondition at "bench/check-ce/algebraic_types_mono.mlw", line 16, characters 21-31) File "bench/check-ce/algebraic_types_mono.mlw", line 16, characters 21-31: Goal g5. Prover result is: Unknown (sat). The program does not comply to the verification goal, for example during the following execution: File int.mlw: Line 13: Constant zero initialization zero = 0 Line 14: Constant one initialization one = 1 File algebraic_types_mono.mlw: Line 16: x = (Au 0 1) x = (Au 0 1) Execution of main function `g5'goal` with env: x = (Au 0 1) zero = 0 one = 1 Unknown location: Normal execution of function `Tuple0` with args: File algebraic_types_mono.mlw: Line 16: Property failure at postcondition of `g5'goal` with: x = (Au 0 1) Categorizations of models: - Selected model 0: BAD_CE - Concrete RAC: NORMAL - Abstract RAC: NORMAL - Checked model 1: BAD_CE - Concrete RAC: NORMAL - Abstract RAC: NORMAL File "bench/check-ce/algebraic_types_mono.mlw", line 25, characters 29-38: Goal g1. Prover result is: Unknown or time/memory/step limit. Sorry, we don't have a good counterexample for you :( Categorizations of models: - Selected model 0: NC - Concrete RAC: FAILURE (postcondition at "bench/check-ce/algebraic_types_mono.mlw", line 27, characters 29-36) - Abstract RAC: FAILURE (postcondition at "bench/check-ce/algebraic_types_mono.mlw", line 27, characters 29-36) - Checked model 1: NC - Concrete RAC: FAILURE (postcondition at "bench/check-ce/algebraic_types_mono.mlw", line 27, characters 29-36) - Abstract RAC: FAILURE (postcondition at "bench/check-ce/algebraic_types_mono.mlw", line 27, characters 29-36) File "bench/check-ce/algebraic_types_mono.mlw", line 27, characters 29-36: Goal g7. Prover result is: Unknown (sat). The program does not comply to the verification goal, for example during the following execution: File int.mlw: Line 13: Constant zero initialization zero = 0 Line 14: Constant one initialization one = 1 File algebraic_types_mono.mlw: Line 27: l = (Cons 0 Nil) l = (Cons 0 Nil) Execution of main function `g7'goal` with env: l = (Cons 0 Nil) zero = 0 one = 1 Unknown location: Normal execution of function `Tuple0` with args: File algebraic_types_mono.mlw: Line 27: Property failure at postcondition of `g7'goal` with: Nil = UNDEFINED l = (Cons 0 Nil) why3-1.6.0/bench/check-ce/oracles/algebraic_types_mono_CVC5,1.0.0_WP.oracle000066400000000000000000000140541440160026300257540ustar00rootroot00000000000000Categorizations of models: - Checked model 0: BAD_CE - Concrete RAC: FAILURE (postcondition at "bench/check-ce/algebraic_types_mono.mlw", line 6, characters 32-67) - Abstract RAC: FAILURE (postcondition at "bench/check-ce/algebraic_types_mono.mlw", line 6, characters 32-67) - Selected model 1: BAD_CE - Concrete RAC: FAILURE (postcondition at "bench/check-ce/algebraic_types_mono.mlw", line 6, characters 32-67) - Abstract RAC: FAILURE (postcondition at "bench/check-ce/algebraic_types_mono.mlw", line 6, characters 32-67) File "bench/check-ce/algebraic_types_mono.mlw", line 6, characters 58-63: Goal G. Prover result is: Unknown (sat). Sorry, we don't have a good counterexample for you :( Categorizations of models: - Selected model 0: NC - Concrete RAC: FAILURE (postcondition at "bench/check-ce/algebraic_types_mono.mlw", line 10, characters 21-26) - Abstract RAC: FAILURE (postcondition at "bench/check-ce/algebraic_types_mono.mlw", line 10, characters 21-26) - Checked model 1: NC - Concrete RAC: FAILURE (postcondition at "bench/check-ce/algebraic_types_mono.mlw", line 10, characters 21-26) - Abstract RAC: FAILURE (postcondition at "bench/check-ce/algebraic_types_mono.mlw", line 10, characters 21-26) File "bench/check-ce/algebraic_types_mono.mlw", line 10, characters 21-26: Goal g2. Prover result is: Unknown (sat). The program does not comply to the verification goal, for example during the following execution: File int.mlw: Line 13: Constant zero initialization zero = 0 Line 14: Constant one initialization one = 1 File algebraic_types_mono.mlw: Line 10: x = (B 0) x = (B 0) Execution of main function `g2'goal` with env: x = (B 0) zero = 0 one = 1 Unknown location: Normal execution of function `Tuple0` with args: File algebraic_types_mono.mlw: Line 10: Property failure at postcondition of `g2'goal` with: A = UNDEFINED x = (B 0) Categorizations of models: - Selected model 0: NC - Concrete RAC: FAILURE (postcondition at "bench/check-ce/algebraic_types_mono.mlw", line 12, characters 21-28) - Abstract RAC: FAILURE (postcondition at "bench/check-ce/algebraic_types_mono.mlw", line 12, characters 21-28) - Checked model 1: NC - Concrete RAC: FAILURE (postcondition at "bench/check-ce/algebraic_types_mono.mlw", line 12, characters 21-28) - Abstract RAC: FAILURE (postcondition at "bench/check-ce/algebraic_types_mono.mlw", line 12, characters 21-28) File "bench/check-ce/algebraic_types_mono.mlw", line 12, characters 21-28: Goal g4. Prover result is: Unknown (sat). The program does not comply to the verification goal, for example during the following execution: File int.mlw: Line 13: Constant zero initialization zero = 0 Line 14: Constant one initialization one = 1 File algebraic_types_mono.mlw: Line 12: x = A x = A Execution of main function `g4'goal` with env: x = A zero = 0 one = 1 Unknown location: Normal execution of function `Tuple0` with args: File algebraic_types_mono.mlw: Line 12: Property failure at postcondition of `g4'goal` with: x = A Categorizations of models: - Selected model 0: NC - Concrete RAC: FAILURE (postcondition at "bench/check-ce/algebraic_types_mono.mlw", line 16, characters 21-31) - Abstract RAC: FAILURE (postcondition at "bench/check-ce/algebraic_types_mono.mlw", line 16, characters 21-31) - Checked model 1: NC - Concrete RAC: FAILURE (postcondition at "bench/check-ce/algebraic_types_mono.mlw", line 16, characters 21-31) - Abstract RAC: FAILURE (postcondition at "bench/check-ce/algebraic_types_mono.mlw", line 16, characters 21-31) File "bench/check-ce/algebraic_types_mono.mlw", line 16, characters 21-31: Goal g5. Prover result is: Unknown (sat). The program does not comply to the verification goal, for example during the following execution: File int.mlw: Line 13: Constant zero initialization zero = 0 Line 14: Constant one initialization one = 1 File algebraic_types_mono.mlw: Line 16: x = (Au 0 1) x = (Au 0 1) Execution of main function `g5'goal` with env: x = (Au 0 1) zero = 0 one = 1 Unknown location: Normal execution of function `Tuple0` with args: File algebraic_types_mono.mlw: Line 16: Property failure at postcondition of `g5'goal` with: x = (Au 0 1) Categorizations of models: - Selected model 0: BAD_CE - Concrete RAC: NORMAL - Abstract RAC: NORMAL - Checked model 1: BAD_CE - Concrete RAC: NORMAL - Abstract RAC: NORMAL File "bench/check-ce/algebraic_types_mono.mlw", line 25, characters 29-38: Goal g1. Prover result is: Unknown or time/memory/step limit. Sorry, we don't have a good counterexample for you :( Categorizations of models: - Selected model 0: NC - Concrete RAC: FAILURE (postcondition at "bench/check-ce/algebraic_types_mono.mlw", line 27, characters 29-36) - Abstract RAC: FAILURE (postcondition at "bench/check-ce/algebraic_types_mono.mlw", line 27, characters 29-36) - Checked model 1: NC - Concrete RAC: FAILURE (postcondition at "bench/check-ce/algebraic_types_mono.mlw", line 27, characters 29-36) - Abstract RAC: FAILURE (postcondition at "bench/check-ce/algebraic_types_mono.mlw", line 27, characters 29-36) File "bench/check-ce/algebraic_types_mono.mlw", line 27, characters 29-36: Goal g7. Prover result is: Unknown (sat). The program does not comply to the verification goal, for example during the following execution: File int.mlw: Line 13: Constant zero initialization zero = 0 Line 14: Constant one initialization one = 1 File algebraic_types_mono.mlw: Line 27: l = (Cons 0 Nil) l = (Cons 0 Nil) Execution of main function `g7'goal` with env: l = (Cons 0 Nil) zero = 0 one = 1 Unknown location: Normal execution of function `Tuple0` with args: File algebraic_types_mono.mlw: Line 27: Property failure at postcondition of `g7'goal` with: Nil = UNDEFINED l = (Cons 0 Nil) why3-1.6.0/bench/check-ce/oracles/algebraic_types_mono_Z3,4.8.10_SP.oracle000066400000000000000000000140541440160026300256400ustar00rootroot00000000000000Categorizations of models: - Checked model 0: BAD_CE - Concrete RAC: FAILURE (postcondition at "bench/check-ce/algebraic_types_mono.mlw", line 6, characters 32-67) - Abstract RAC: FAILURE (postcondition at "bench/check-ce/algebraic_types_mono.mlw", line 6, characters 32-67) - Selected model 1: BAD_CE - Concrete RAC: FAILURE (postcondition at "bench/check-ce/algebraic_types_mono.mlw", line 6, characters 32-67) - Abstract RAC: FAILURE (postcondition at "bench/check-ce/algebraic_types_mono.mlw", line 6, characters 32-67) File "bench/check-ce/algebraic_types_mono.mlw", line 6, characters 58-63: Goal G. Prover result is: Unknown (sat). Sorry, we don't have a good counterexample for you :( Categorizations of models: - Selected model 0: NC - Concrete RAC: FAILURE (postcondition at "bench/check-ce/algebraic_types_mono.mlw", line 10, characters 21-26) - Abstract RAC: FAILURE (postcondition at "bench/check-ce/algebraic_types_mono.mlw", line 10, characters 21-26) - Checked model 1: NC - Concrete RAC: FAILURE (postcondition at "bench/check-ce/algebraic_types_mono.mlw", line 10, characters 21-26) - Abstract RAC: FAILURE (postcondition at "bench/check-ce/algebraic_types_mono.mlw", line 10, characters 21-26) File "bench/check-ce/algebraic_types_mono.mlw", line 10, characters 21-26: Goal g2. Prover result is: Unknown (sat). The program does not comply to the verification goal, for example during the following execution: File int.mlw: Line 13: Constant zero initialization zero = 0 Line 14: Constant one initialization one = 1 File algebraic_types_mono.mlw: Line 10: x = (B 2) x = (B 2) Execution of main function `g2'goal` with env: x = (B 2) zero = 0 one = 1 Unknown location: Normal execution of function `Tuple0` with args: File algebraic_types_mono.mlw: Line 10: Property failure at postcondition of `g2'goal` with: A = UNDEFINED x = (B 2) Categorizations of models: - Selected model 0: NC - Concrete RAC: FAILURE (postcondition at "bench/check-ce/algebraic_types_mono.mlw", line 12, characters 21-28) - Abstract RAC: FAILURE (postcondition at "bench/check-ce/algebraic_types_mono.mlw", line 12, characters 21-28) - Checked model 1: NC - Concrete RAC: FAILURE (postcondition at "bench/check-ce/algebraic_types_mono.mlw", line 12, characters 21-28) - Abstract RAC: FAILURE (postcondition at "bench/check-ce/algebraic_types_mono.mlw", line 12, characters 21-28) File "bench/check-ce/algebraic_types_mono.mlw", line 12, characters 21-28: Goal g4. Prover result is: Unknown (sat). The program does not comply to the verification goal, for example during the following execution: File int.mlw: Line 13: Constant zero initialization zero = 0 Line 14: Constant one initialization one = 1 File algebraic_types_mono.mlw: Line 12: x = A x = A Execution of main function `g4'goal` with env: x = A zero = 0 one = 1 Unknown location: Normal execution of function `Tuple0` with args: File algebraic_types_mono.mlw: Line 12: Property failure at postcondition of `g4'goal` with: x = A Categorizations of models: - Selected model 0: NC - Concrete RAC: FAILURE (postcondition at "bench/check-ce/algebraic_types_mono.mlw", line 16, characters 21-31) - Abstract RAC: FAILURE (postcondition at "bench/check-ce/algebraic_types_mono.mlw", line 16, characters 21-31) - Checked model 1: NC - Concrete RAC: FAILURE (postcondition at "bench/check-ce/algebraic_types_mono.mlw", line 16, characters 21-31) - Abstract RAC: FAILURE (postcondition at "bench/check-ce/algebraic_types_mono.mlw", line 16, characters 21-31) File "bench/check-ce/algebraic_types_mono.mlw", line 16, characters 21-31: Goal g5. Prover result is: Unknown (sat). The program does not comply to the verification goal, for example during the following execution: File int.mlw: Line 13: Constant zero initialization zero = 0 Line 14: Constant one initialization one = 1 File algebraic_types_mono.mlw: Line 16: x = (Au 2 2) x = (Au 2 2) Execution of main function `g5'goal` with env: x = (Au 2 2) zero = 0 one = 1 Unknown location: Normal execution of function `Tuple0` with args: File algebraic_types_mono.mlw: Line 16: Property failure at postcondition of `g5'goal` with: x = (Au 2 2) Categorizations of models: - Selected model 0: BAD_CE - Concrete RAC: NORMAL - Abstract RAC: NORMAL - Checked model 1: BAD_CE - Concrete RAC: NORMAL - Abstract RAC: NORMAL File "bench/check-ce/algebraic_types_mono.mlw", line 25, characters 29-38: Goal g1. Prover result is: Unknown or time/memory/step limit. Sorry, we don't have a good counterexample for you :( Categorizations of models: - Selected model 0: NC - Concrete RAC: FAILURE (postcondition at "bench/check-ce/algebraic_types_mono.mlw", line 27, characters 29-36) - Abstract RAC: FAILURE (postcondition at "bench/check-ce/algebraic_types_mono.mlw", line 27, characters 29-36) - Checked model 1: NC - Concrete RAC: FAILURE (postcondition at "bench/check-ce/algebraic_types_mono.mlw", line 27, characters 29-36) - Abstract RAC: FAILURE (postcondition at "bench/check-ce/algebraic_types_mono.mlw", line 27, characters 29-36) File "bench/check-ce/algebraic_types_mono.mlw", line 27, characters 29-36: Goal g7. Prover result is: Unknown (sat). The program does not comply to the verification goal, for example during the following execution: File int.mlw: Line 13: Constant zero initialization zero = 0 Line 14: Constant one initialization one = 1 File algebraic_types_mono.mlw: Line 27: l = (Cons 2 Nil) l = (Cons 2 Nil) Execution of main function `g7'goal` with env: l = (Cons 2 Nil) zero = 0 one = 1 Unknown location: Normal execution of function `Tuple0` with args: File algebraic_types_mono.mlw: Line 27: Property failure at postcondition of `g7'goal` with: Nil = UNDEFINED l = (Cons 2 Nil) why3-1.6.0/bench/check-ce/oracles/algebraic_types_mono_Z3,4.8.10_WP.oracle000066400000000000000000000140541440160026300256440ustar00rootroot00000000000000Categorizations of models: - Checked model 0: BAD_CE - Concrete RAC: FAILURE (postcondition at "bench/check-ce/algebraic_types_mono.mlw", line 6, characters 32-67) - Abstract RAC: FAILURE (postcondition at "bench/check-ce/algebraic_types_mono.mlw", line 6, characters 32-67) - Selected model 1: BAD_CE - Concrete RAC: FAILURE (postcondition at "bench/check-ce/algebraic_types_mono.mlw", line 6, characters 32-67) - Abstract RAC: FAILURE (postcondition at "bench/check-ce/algebraic_types_mono.mlw", line 6, characters 32-67) File "bench/check-ce/algebraic_types_mono.mlw", line 6, characters 58-63: Goal G. Prover result is: Unknown (sat). Sorry, we don't have a good counterexample for you :( Categorizations of models: - Selected model 0: NC - Concrete RAC: FAILURE (postcondition at "bench/check-ce/algebraic_types_mono.mlw", line 10, characters 21-26) - Abstract RAC: FAILURE (postcondition at "bench/check-ce/algebraic_types_mono.mlw", line 10, characters 21-26) - Checked model 1: NC - Concrete RAC: FAILURE (postcondition at "bench/check-ce/algebraic_types_mono.mlw", line 10, characters 21-26) - Abstract RAC: FAILURE (postcondition at "bench/check-ce/algebraic_types_mono.mlw", line 10, characters 21-26) File "bench/check-ce/algebraic_types_mono.mlw", line 10, characters 21-26: Goal g2. Prover result is: Unknown (sat). The program does not comply to the verification goal, for example during the following execution: File int.mlw: Line 13: Constant zero initialization zero = 0 Line 14: Constant one initialization one = 1 File algebraic_types_mono.mlw: Line 10: x = (B 2) x = (B 2) Execution of main function `g2'goal` with env: x = (B 2) zero = 0 one = 1 Unknown location: Normal execution of function `Tuple0` with args: File algebraic_types_mono.mlw: Line 10: Property failure at postcondition of `g2'goal` with: A = UNDEFINED x = (B 2) Categorizations of models: - Selected model 0: NC - Concrete RAC: FAILURE (postcondition at "bench/check-ce/algebraic_types_mono.mlw", line 12, characters 21-28) - Abstract RAC: FAILURE (postcondition at "bench/check-ce/algebraic_types_mono.mlw", line 12, characters 21-28) - Checked model 1: NC - Concrete RAC: FAILURE (postcondition at "bench/check-ce/algebraic_types_mono.mlw", line 12, characters 21-28) - Abstract RAC: FAILURE (postcondition at "bench/check-ce/algebraic_types_mono.mlw", line 12, characters 21-28) File "bench/check-ce/algebraic_types_mono.mlw", line 12, characters 21-28: Goal g4. Prover result is: Unknown (sat). The program does not comply to the verification goal, for example during the following execution: File int.mlw: Line 13: Constant zero initialization zero = 0 Line 14: Constant one initialization one = 1 File algebraic_types_mono.mlw: Line 12: x = A x = A Execution of main function `g4'goal` with env: x = A zero = 0 one = 1 Unknown location: Normal execution of function `Tuple0` with args: File algebraic_types_mono.mlw: Line 12: Property failure at postcondition of `g4'goal` with: x = A Categorizations of models: - Selected model 0: NC - Concrete RAC: FAILURE (postcondition at "bench/check-ce/algebraic_types_mono.mlw", line 16, characters 21-31) - Abstract RAC: FAILURE (postcondition at "bench/check-ce/algebraic_types_mono.mlw", line 16, characters 21-31) - Checked model 1: NC - Concrete RAC: FAILURE (postcondition at "bench/check-ce/algebraic_types_mono.mlw", line 16, characters 21-31) - Abstract RAC: FAILURE (postcondition at "bench/check-ce/algebraic_types_mono.mlw", line 16, characters 21-31) File "bench/check-ce/algebraic_types_mono.mlw", line 16, characters 21-31: Goal g5. Prover result is: Unknown (sat). The program does not comply to the verification goal, for example during the following execution: File int.mlw: Line 13: Constant zero initialization zero = 0 Line 14: Constant one initialization one = 1 File algebraic_types_mono.mlw: Line 16: x = (Au 2 2) x = (Au 2 2) Execution of main function `g5'goal` with env: x = (Au 2 2) zero = 0 one = 1 Unknown location: Normal execution of function `Tuple0` with args: File algebraic_types_mono.mlw: Line 16: Property failure at postcondition of `g5'goal` with: x = (Au 2 2) Categorizations of models: - Selected model 0: BAD_CE - Concrete RAC: NORMAL - Abstract RAC: NORMAL - Checked model 1: BAD_CE - Concrete RAC: NORMAL - Abstract RAC: NORMAL File "bench/check-ce/algebraic_types_mono.mlw", line 25, characters 29-38: Goal g1. Prover result is: Unknown or time/memory/step limit. Sorry, we don't have a good counterexample for you :( Categorizations of models: - Selected model 0: NC - Concrete RAC: FAILURE (postcondition at "bench/check-ce/algebraic_types_mono.mlw", line 27, characters 29-36) - Abstract RAC: FAILURE (postcondition at "bench/check-ce/algebraic_types_mono.mlw", line 27, characters 29-36) - Checked model 1: NC - Concrete RAC: FAILURE (postcondition at "bench/check-ce/algebraic_types_mono.mlw", line 27, characters 29-36) - Abstract RAC: FAILURE (postcondition at "bench/check-ce/algebraic_types_mono.mlw", line 27, characters 29-36) File "bench/check-ce/algebraic_types_mono.mlw", line 27, characters 29-36: Goal g7. Prover result is: Unknown (sat). The program does not comply to the verification goal, for example during the following execution: File int.mlw: Line 13: Constant zero initialization zero = 0 Line 14: Constant one initialization one = 1 File algebraic_types_mono.mlw: Line 27: l = (Cons 2 Nil) l = (Cons 2 Nil) Execution of main function `g7'goal` with env: l = (Cons 2 Nil) zero = 0 one = 1 Unknown location: Normal execution of function `Tuple0` with args: File algebraic_types_mono.mlw: Line 27: Property failure at postcondition of `g7'goal` with: Nil = UNDEFINED l = (Cons 2 Nil) why3-1.6.0/bench/check-ce/oracles/algebraic_types_poly_CVC4,1.8_SP.oracle000066400000000000000000000017201440160026300256300ustar00rootroot00000000000000Categorizations of models: - Checked model 0: BAD_CE - Concrete RAC: NORMAL - Abstract RAC: NORMAL - Selected model 1: BAD_CE - Concrete RAC: NORMAL - Abstract RAC: NORMAL File "bench/check-ce/algebraic_types_poly.mlw", line 7, characters 30-42: Goal g. Prover result is: Unknown or time/memory/step limit. Sorry, we don't have a good counterexample for you :( File "bench/check-ce/algebraic_types_poly.mlw", line 30, characters 12-22: Sub-goal Postcondition of goal proj_test'vc. Prover result is: Valid. Categorizations of models: - Checked model 0: BAD_CE - Concrete RAC: NORMAL - Abstract RAC: NORMAL - Selected model 1: BAD_CE - Concrete RAC: NORMAL - Abstract RAC: NORMAL File "bench/check-ce/algebraic_types_poly.mlw", line 30, characters 12-22: Sub-goal Postcondition of goal proj_test'vc. Prover result is: Unknown or time/memory/step limit. Sorry, we don't have a good counterexample for you :( why3-1.6.0/bench/check-ce/oracles/algebraic_types_poly_CVC4,1.8_WP.oracle000066400000000000000000000017201440160026300256340ustar00rootroot00000000000000Categorizations of models: - Checked model 0: BAD_CE - Concrete RAC: NORMAL - Abstract RAC: NORMAL - Selected model 1: BAD_CE - Concrete RAC: NORMAL - Abstract RAC: NORMAL File "bench/check-ce/algebraic_types_poly.mlw", line 7, characters 30-42: Goal g. Prover result is: Unknown or time/memory/step limit. Sorry, we don't have a good counterexample for you :( File "bench/check-ce/algebraic_types_poly.mlw", line 30, characters 12-22: Sub-goal Postcondition of goal proj_test'vc. Prover result is: Valid. Categorizations of models: - Checked model 0: BAD_CE - Concrete RAC: NORMAL - Abstract RAC: NORMAL - Selected model 1: BAD_CE - Concrete RAC: NORMAL - Abstract RAC: NORMAL File "bench/check-ce/algebraic_types_poly.mlw", line 30, characters 12-22: Sub-goal Postcondition of goal proj_test'vc. Prover result is: Unknown or time/memory/step limit. Sorry, we don't have a good counterexample for you :( why3-1.6.0/bench/check-ce/oracles/algebraic_types_poly_CVC5,1.0.0_SP.oracle000066400000000000000000000017201440160026300257570ustar00rootroot00000000000000Categorizations of models: - Checked model 0: BAD_CE - Concrete RAC: NORMAL - Abstract RAC: NORMAL - Selected model 1: BAD_CE - Concrete RAC: NORMAL - Abstract RAC: NORMAL File "bench/check-ce/algebraic_types_poly.mlw", line 7, characters 30-42: Goal g. Prover result is: Unknown or time/memory/step limit. Sorry, we don't have a good counterexample for you :( File "bench/check-ce/algebraic_types_poly.mlw", line 30, characters 12-22: Sub-goal Postcondition of goal proj_test'vc. Prover result is: Valid. Categorizations of models: - Checked model 0: BAD_CE - Concrete RAC: NORMAL - Abstract RAC: NORMAL - Selected model 1: BAD_CE - Concrete RAC: NORMAL - Abstract RAC: NORMAL File "bench/check-ce/algebraic_types_poly.mlw", line 30, characters 12-22: Sub-goal Postcondition of goal proj_test'vc. Prover result is: Unknown or time/memory/step limit. Sorry, we don't have a good counterexample for you :( why3-1.6.0/bench/check-ce/oracles/algebraic_types_poly_CVC5,1.0.0_WP.oracle000066400000000000000000000017201440160026300257630ustar00rootroot00000000000000Categorizations of models: - Checked model 0: BAD_CE - Concrete RAC: NORMAL - Abstract RAC: NORMAL - Selected model 1: BAD_CE - Concrete RAC: NORMAL - Abstract RAC: NORMAL File "bench/check-ce/algebraic_types_poly.mlw", line 7, characters 30-42: Goal g. Prover result is: Unknown or time/memory/step limit. Sorry, we don't have a good counterexample for you :( File "bench/check-ce/algebraic_types_poly.mlw", line 30, characters 12-22: Sub-goal Postcondition of goal proj_test'vc. Prover result is: Valid. Categorizations of models: - Checked model 0: BAD_CE - Concrete RAC: NORMAL - Abstract RAC: NORMAL - Selected model 1: BAD_CE - Concrete RAC: NORMAL - Abstract RAC: NORMAL File "bench/check-ce/algebraic_types_poly.mlw", line 30, characters 12-22: Sub-goal Postcondition of goal proj_test'vc. Prover result is: Unknown or time/memory/step limit. Sorry, we don't have a good counterexample for you :( why3-1.6.0/bench/check-ce/oracles/algebraic_types_poly_Z3,4.8.10_SP.oracle000066400000000000000000000017201440160026300256470ustar00rootroot00000000000000Categorizations of models: - Selected model 0: BAD_CE - Concrete RAC: NORMAL - Abstract RAC: NORMAL - Checked model 1: BAD_CE - Concrete RAC: NORMAL - Abstract RAC: NORMAL File "bench/check-ce/algebraic_types_poly.mlw", line 7, characters 30-42: Goal g. Prover result is: Unknown or time/memory/step limit. Sorry, we don't have a good counterexample for you :( File "bench/check-ce/algebraic_types_poly.mlw", line 30, characters 12-22: Sub-goal Postcondition of goal proj_test'vc. Prover result is: Valid. Categorizations of models: - Selected model 0: BAD_CE - Concrete RAC: NORMAL - Abstract RAC: NORMAL - Checked model 1: BAD_CE - Concrete RAC: NORMAL - Abstract RAC: NORMAL File "bench/check-ce/algebraic_types_poly.mlw", line 30, characters 12-22: Sub-goal Postcondition of goal proj_test'vc. Prover result is: Unknown or time/memory/step limit. Sorry, we don't have a good counterexample for you :( why3-1.6.0/bench/check-ce/oracles/algebraic_types_poly_Z3,4.8.10_WP.oracle000066400000000000000000000017201440160026300256530ustar00rootroot00000000000000Categorizations of models: - Selected model 0: BAD_CE - Concrete RAC: NORMAL - Abstract RAC: NORMAL - Checked model 1: BAD_CE - Concrete RAC: NORMAL - Abstract RAC: NORMAL File "bench/check-ce/algebraic_types_poly.mlw", line 7, characters 30-42: Goal g. Prover result is: Unknown or time/memory/step limit. Sorry, we don't have a good counterexample for you :( File "bench/check-ce/algebraic_types_poly.mlw", line 30, characters 12-22: Sub-goal Postcondition of goal proj_test'vc. Prover result is: Valid. Categorizations of models: - Selected model 0: BAD_CE - Concrete RAC: NORMAL - Abstract RAC: NORMAL - Checked model 1: BAD_CE - Concrete RAC: NORMAL - Abstract RAC: NORMAL File "bench/check-ce/algebraic_types_poly.mlw", line 30, characters 12-22: Sub-goal Postcondition of goal proj_test'vc. Prover result is: Unknown or time/memory/step limit. Sorry, we don't have a good counterexample for you :( why3-1.6.0/bench/check-ce/oracles/anonymous1_CVC4,1.8_SP.oracle000066400000000000000000000022651440160026300235460ustar00rootroot00000000000000Categorizations of models: - Selected model 0: NC - Concrete RAC: FAILURE (assertion at "bench/check-ce/anonymous1.mlw", line 6, characters 10-19) - Abstract RAC: FAILURE (assertion at "bench/check-ce/anonymous1.mlw", line 6, characters 10-19) - Checked model 1: NC - Concrete RAC: FAILURE (assertion at "bench/check-ce/anonymous1.mlw", line 6, characters 10-19) - Abstract RAC: FAILURE (assertion at "bench/check-ce/anonymous1.mlw", line 6, characters 10-19) File "bench/check-ce/anonymous1.mlw", line 6, characters 10-19: Sub-goal Assertion of goal f'vc. Prover result is: Unknown (sat). The program does not comply to the verification goal, for example during the following execution: File int.mlw: Line 13: Constant zero initialization zero = 0 Line 14: Constant one initialization one = 1 File anonymous1.mlw: Line 4: x = 0 x = 0 Execution of main function `f` with env: x = 0 zero = 0 one = 1 Line 5: Normal execution of function `h` with args: y = 0 Normal execution of function `(+)` with args: _ = 0 _ = 2 Line 6: Property failure at assertion with: x = 0 w = 2 why3-1.6.0/bench/check-ce/oracles/anonymous1_CVC4,1.8_WP.oracle000066400000000000000000000022651440160026300235520ustar00rootroot00000000000000Categorizations of models: - Selected model 0: NC - Concrete RAC: FAILURE (assertion at "bench/check-ce/anonymous1.mlw", line 6, characters 10-19) - Abstract RAC: FAILURE (assertion at "bench/check-ce/anonymous1.mlw", line 6, characters 10-19) - Checked model 1: NC - Concrete RAC: FAILURE (assertion at "bench/check-ce/anonymous1.mlw", line 6, characters 10-19) - Abstract RAC: FAILURE (assertion at "bench/check-ce/anonymous1.mlw", line 6, characters 10-19) File "bench/check-ce/anonymous1.mlw", line 6, characters 10-19: Sub-goal Assertion of goal f'vc. Prover result is: Unknown (sat). The program does not comply to the verification goal, for example during the following execution: File int.mlw: Line 13: Constant zero initialization zero = 0 Line 14: Constant one initialization one = 1 File anonymous1.mlw: Line 4: x = 0 x = 0 Execution of main function `f` with env: x = 0 zero = 0 one = 1 Line 5: Normal execution of function `h` with args: y = 0 Normal execution of function `(+)` with args: _ = 0 _ = 2 Line 6: Property failure at assertion with: x = 0 w = 2 why3-1.6.0/bench/check-ce/oracles/anonymous1_CVC5,1.0.0_SP.oracle000066400000000000000000000022651440160026300236750ustar00rootroot00000000000000Categorizations of models: - Selected model 0: NC - Concrete RAC: FAILURE (assertion at "bench/check-ce/anonymous1.mlw", line 6, characters 10-19) - Abstract RAC: FAILURE (assertion at "bench/check-ce/anonymous1.mlw", line 6, characters 10-19) - Checked model 1: NC - Concrete RAC: FAILURE (assertion at "bench/check-ce/anonymous1.mlw", line 6, characters 10-19) - Abstract RAC: FAILURE (assertion at "bench/check-ce/anonymous1.mlw", line 6, characters 10-19) File "bench/check-ce/anonymous1.mlw", line 6, characters 10-19: Sub-goal Assertion of goal f'vc. Prover result is: Unknown (sat). The program does not comply to the verification goal, for example during the following execution: File int.mlw: Line 13: Constant zero initialization zero = 0 Line 14: Constant one initialization one = 1 File anonymous1.mlw: Line 4: x = 0 x = 0 Execution of main function `f` with env: x = 0 zero = 0 one = 1 Line 5: Normal execution of function `h` with args: y = 0 Normal execution of function `(+)` with args: _ = 0 _ = 2 Line 6: Property failure at assertion with: x = 0 w = 2 why3-1.6.0/bench/check-ce/oracles/anonymous1_CVC5,1.0.0_WP.oracle000066400000000000000000000022651440160026300237010ustar00rootroot00000000000000Categorizations of models: - Selected model 0: NC - Concrete RAC: FAILURE (assertion at "bench/check-ce/anonymous1.mlw", line 6, characters 10-19) - Abstract RAC: FAILURE (assertion at "bench/check-ce/anonymous1.mlw", line 6, characters 10-19) - Checked model 1: NC - Concrete RAC: FAILURE (assertion at "bench/check-ce/anonymous1.mlw", line 6, characters 10-19) - Abstract RAC: FAILURE (assertion at "bench/check-ce/anonymous1.mlw", line 6, characters 10-19) File "bench/check-ce/anonymous1.mlw", line 6, characters 10-19: Sub-goal Assertion of goal f'vc. Prover result is: Unknown (sat). The program does not comply to the verification goal, for example during the following execution: File int.mlw: Line 13: Constant zero initialization zero = 0 Line 14: Constant one initialization one = 1 File anonymous1.mlw: Line 4: x = 0 x = 0 Execution of main function `f` with env: x = 0 zero = 0 one = 1 Line 5: Normal execution of function `h` with args: y = 0 Normal execution of function `(+)` with args: _ = 0 _ = 2 Line 6: Property failure at assertion with: x = 0 w = 2 why3-1.6.0/bench/check-ce/oracles/anonymous1_Z3,4.8.10_SP.oracle000066400000000000000000000022651440160026300235650ustar00rootroot00000000000000Categorizations of models: - Selected model 0: NC - Concrete RAC: FAILURE (assertion at "bench/check-ce/anonymous1.mlw", line 6, characters 10-19) - Abstract RAC: FAILURE (assertion at "bench/check-ce/anonymous1.mlw", line 6, characters 10-19) - Checked model 1: NC - Concrete RAC: FAILURE (assertion at "bench/check-ce/anonymous1.mlw", line 6, characters 10-19) - Abstract RAC: FAILURE (assertion at "bench/check-ce/anonymous1.mlw", line 6, characters 10-19) File "bench/check-ce/anonymous1.mlw", line 6, characters 10-19: Sub-goal Assertion of goal f'vc. Prover result is: Unknown (sat). The program does not comply to the verification goal, for example during the following execution: File int.mlw: Line 13: Constant zero initialization zero = 0 Line 14: Constant one initialization one = 1 File anonymous1.mlw: Line 4: x = 0 x = 0 Execution of main function `f` with env: x = 0 zero = 0 one = 1 Line 5: Normal execution of function `h` with args: y = 0 Normal execution of function `(+)` with args: _ = 0 _ = 2 Line 6: Property failure at assertion with: x = 0 w = 2 why3-1.6.0/bench/check-ce/oracles/anonymous1_Z3,4.8.10_WP.oracle000066400000000000000000000022651440160026300235710ustar00rootroot00000000000000Categorizations of models: - Selected model 0: NC - Concrete RAC: FAILURE (assertion at "bench/check-ce/anonymous1.mlw", line 6, characters 10-19) - Abstract RAC: FAILURE (assertion at "bench/check-ce/anonymous1.mlw", line 6, characters 10-19) - Checked model 1: NC - Concrete RAC: FAILURE (assertion at "bench/check-ce/anonymous1.mlw", line 6, characters 10-19) - Abstract RAC: FAILURE (assertion at "bench/check-ce/anonymous1.mlw", line 6, characters 10-19) File "bench/check-ce/anonymous1.mlw", line 6, characters 10-19: Sub-goal Assertion of goal f'vc. Prover result is: Unknown (sat). The program does not comply to the verification goal, for example during the following execution: File int.mlw: Line 13: Constant zero initialization zero = 0 Line 14: Constant one initialization one = 1 File anonymous1.mlw: Line 4: x = 0 x = 0 Execution of main function `f` with env: x = 0 zero = 0 one = 1 Line 5: Normal execution of function `h` with args: y = 0 Normal execution of function `(+)` with args: _ = 0 _ = 2 Line 6: Property failure at assertion with: x = 0 w = 2 why3-1.6.0/bench/check-ce/oracles/anonymous1_Z3,4.8.4_SP.oracle000066400000000000000000000165351440160026300235150ustar00rootroot00000000000000Check model 0 ("bench/check-ce/anonymous1.mlw", line 6, characters 10-19) Checking model: File anonymous1.mlw: Line 4: x = {"type": "Integer", "val": "0"} Line 5: result = {"type": "Integer", "val": "2"} w = {"type": "Integer", "val": "2"} Line 6: w = {"type": "Integer", "val": "2"} x = {"type": "Integer", "val": "0"} Giant-step RAC RHS evaluated for global `zero` at "WHY3DATA/stdlib/int.mlw", line 13, characters 15-19: 0 RHS evaluated for global `one` at "WHY3DATA/stdlib/int.mlw", line 14, characters 15-18: 1 Value from model for parameter `x` at "bench/check-ce/anonymous1.mlw", line 4, characters 7-8: 0 Value from model for return value of call to h at "bench/check-ce/anonymous1.mlw", line 5, characters 10-28 at "bench/check-ce/anonymous1.mlw", line 5, characters 10-28: 2 Normal RAC RHS evaluated for global `zero` at "WHY3DATA/stdlib/int.mlw", line 13, characters 15-19: 0 RHS evaluated for global `one` at "WHY3DATA/stdlib/int.mlw", line 14, characters 15-18: 1 Value from model for parameter `x` at "bench/check-ce/anonymous1.mlw", line 4, characters 7-8: 0 Result of checking model 0: NC - Concrete RAC: FAILURE (assertion at "bench/check-ce/anonymous1.mlw", line 6, characters 10-19) File int.mlw: Line 13: Constant zero initialization zero = 0 Line 14: Constant one initialization one = 1 File anonymous1.mlw: Line 4: x = 0 x = 0 Execution of main function `f` with env: x = 0 zero = 0 one = 1 Line 5: Normal execution of function `h` with args: y = 0 Normal execution of function `(+)` with args: _ = 0 _ = 2 Line 6: Property failure at assertion with: x = 0 w = 2 - Abstract RAC: FAILURE (assertion at "bench/check-ce/anonymous1.mlw", line 6, characters 10-19) File int.mlw: Line 13: Constant zero initialization zero = 0 Line 14: Constant one initialization one = 1 File anonymous1.mlw: Line 4: x = 0 x = 0 Execution of main function `f` with env: x = 0 zero = 0 one = 1 Line 5: Giant-step execution of function `h` with args: y = 0 result of `h` = 2 Line 6: Property failure at assertion with: x = 0 w = 2 Check model 1 ("bench/check-ce/anonymous1.mlw", line 6, characters 10-19) Checking model: File anonymous1.mlw: Line 4: x = {"type": "Integer", "val": "0"} Line 5: result = {"type": "Integer", "val": "2"} w = {"type": "Integer", "val": "2"} Line 6: w = {"type": "Integer", "val": "2"} x = {"type": "Integer", "val": "0"} Giant-step RAC RHS evaluated for global `zero` at "WHY3DATA/stdlib/int.mlw", line 13, characters 15-19: 0 RHS evaluated for global `one` at "WHY3DATA/stdlib/int.mlw", line 14, characters 15-18: 1 Value from model for parameter `x` at "bench/check-ce/anonymous1.mlw", line 4, characters 7-8: 0 Value from model for return value of call to h at "bench/check-ce/anonymous1.mlw", line 5, characters 10-28 at "bench/check-ce/anonymous1.mlw", line 5, characters 10-28: 2 Normal RAC RHS evaluated for global `zero` at "WHY3DATA/stdlib/int.mlw", line 13, characters 15-19: 0 RHS evaluated for global `one` at "WHY3DATA/stdlib/int.mlw", line 14, characters 15-18: 1 Value from model for parameter `x` at "bench/check-ce/anonymous1.mlw", line 4, characters 7-8: 0 Result of checking model 1: NC - Concrete RAC: FAILURE (assertion at "bench/check-ce/anonymous1.mlw", line 6, characters 10-19) File int.mlw: Line 13: Constant zero initialization zero = 0 Line 14: Constant one initialization one = 1 File anonymous1.mlw: Line 4: x = 0 x = 0 Execution of main function `f` with env: x = 0 zero = 0 one = 1 Line 5: Normal execution of function `h` with args: y = 0 Normal execution of function `(+)` with args: _ = 0 _ = 2 Line 6: Property failure at assertion with: x = 0 w = 2 - Abstract RAC: FAILURE (assertion at "bench/check-ce/anonymous1.mlw", line 6, characters 10-19) File int.mlw: Line 13: Constant zero initialization zero = 0 Line 14: Constant one initialization one = 1 File anonymous1.mlw: Line 4: x = 0 x = 0 Execution of main function `f` with env: x = 0 zero = 0 one = 1 Line 5: Giant-step execution of function `h` with args: y = 0 result of `h` = 2 Line 6: Property failure at assertion with: x = 0 w = 2 Results: - Selected model 0: NC - Concrete RAC: FAILURE (assertion at "bench/check-ce/anonymous1.mlw", line 6, characters 10-19) - Abstract RAC: FAILURE (assertion at "bench/check-ce/anonymous1.mlw", line 6, characters 10-19) - Checked model 1: NC - Concrete RAC: FAILURE (assertion at "bench/check-ce/anonymous1.mlw", line 6, characters 10-19) - Abstract RAC: FAILURE (assertion at "bench/check-ce/anonymous1.mlw", line 6, characters 10-19) File "bench/check-ce/anonymous1.mlw", line 6, characters 10-19: Sub-goal Assertion of goal f'vc. Prover result is: Unknown (sat) (0.02s, 830 steps). The program does not comply to the verification goal, for example during the following execution: File int.mlw: Line 13: Constant zero initialization zero = 0 Line 14: Constant one initialization one = 1 File anonymous1.mlw: Line 4: x = 0 x = 0 Execution of main function `f` with env: x = 0 zero = 0 one = 1 Line 5: Normal execution of function `h` with args: y = 0 Normal execution of function `(+)` with args: _ = 0 _ = 2 Line 6: Property failure at assertion with: x = 0 w = 2 why3-1.6.0/bench/check-ce/oracles/anonymous1_Z3,4.8.4_WP.oracle000066400000000000000000000165351440160026300235210ustar00rootroot00000000000000Check model 0 ("bench/check-ce/anonymous1.mlw", line 6, characters 10-19) Checking model: File anonymous1.mlw: Line 4: x = {"type": "Integer", "val": "0"} Line 5: result = {"type": "Integer", "val": "2"} w = {"type": "Integer", "val": "2"} Line 6: w = {"type": "Integer", "val": "2"} x = {"type": "Integer", "val": "0"} Giant-step RAC RHS evaluated for global `zero` at "WHY3DATA/stdlib/int.mlw", line 13, characters 15-19: 0 RHS evaluated for global `one` at "WHY3DATA/stdlib/int.mlw", line 14, characters 15-18: 1 Value from model for parameter `x` at "bench/check-ce/anonymous1.mlw", line 4, characters 7-8: 0 Value from model for return value of call to h at "bench/check-ce/anonymous1.mlw", line 5, characters 10-28 at "bench/check-ce/anonymous1.mlw", line 5, characters 10-28: 2 Normal RAC RHS evaluated for global `zero` at "WHY3DATA/stdlib/int.mlw", line 13, characters 15-19: 0 RHS evaluated for global `one` at "WHY3DATA/stdlib/int.mlw", line 14, characters 15-18: 1 Value from model for parameter `x` at "bench/check-ce/anonymous1.mlw", line 4, characters 7-8: 0 Result of checking model 0: NC - Concrete RAC: FAILURE (assertion at "bench/check-ce/anonymous1.mlw", line 6, characters 10-19) File int.mlw: Line 13: Constant zero initialization zero = 0 Line 14: Constant one initialization one = 1 File anonymous1.mlw: Line 4: x = 0 x = 0 Execution of main function `f` with env: x = 0 zero = 0 one = 1 Line 5: Normal execution of function `h` with args: y = 0 Normal execution of function `(+)` with args: _ = 0 _ = 2 Line 6: Property failure at assertion with: x = 0 w = 2 - Abstract RAC: FAILURE (assertion at "bench/check-ce/anonymous1.mlw", line 6, characters 10-19) File int.mlw: Line 13: Constant zero initialization zero = 0 Line 14: Constant one initialization one = 1 File anonymous1.mlw: Line 4: x = 0 x = 0 Execution of main function `f` with env: x = 0 zero = 0 one = 1 Line 5: Giant-step execution of function `h` with args: y = 0 result of `h` = 2 Line 6: Property failure at assertion with: x = 0 w = 2 Check model 1 ("bench/check-ce/anonymous1.mlw", line 6, characters 10-19) Checking model: File anonymous1.mlw: Line 4: x = {"type": "Integer", "val": "0"} Line 5: result = {"type": "Integer", "val": "2"} w = {"type": "Integer", "val": "2"} Line 6: w = {"type": "Integer", "val": "2"} x = {"type": "Integer", "val": "0"} Giant-step RAC RHS evaluated for global `zero` at "WHY3DATA/stdlib/int.mlw", line 13, characters 15-19: 0 RHS evaluated for global `one` at "WHY3DATA/stdlib/int.mlw", line 14, characters 15-18: 1 Value from model for parameter `x` at "bench/check-ce/anonymous1.mlw", line 4, characters 7-8: 0 Value from model for return value of call to h at "bench/check-ce/anonymous1.mlw", line 5, characters 10-28 at "bench/check-ce/anonymous1.mlw", line 5, characters 10-28: 2 Normal RAC RHS evaluated for global `zero` at "WHY3DATA/stdlib/int.mlw", line 13, characters 15-19: 0 RHS evaluated for global `one` at "WHY3DATA/stdlib/int.mlw", line 14, characters 15-18: 1 Value from model for parameter `x` at "bench/check-ce/anonymous1.mlw", line 4, characters 7-8: 0 Result of checking model 1: NC - Concrete RAC: FAILURE (assertion at "bench/check-ce/anonymous1.mlw", line 6, characters 10-19) File int.mlw: Line 13: Constant zero initialization zero = 0 Line 14: Constant one initialization one = 1 File anonymous1.mlw: Line 4: x = 0 x = 0 Execution of main function `f` with env: x = 0 zero = 0 one = 1 Line 5: Normal execution of function `h` with args: y = 0 Normal execution of function `(+)` with args: _ = 0 _ = 2 Line 6: Property failure at assertion with: x = 0 w = 2 - Abstract RAC: FAILURE (assertion at "bench/check-ce/anonymous1.mlw", line 6, characters 10-19) File int.mlw: Line 13: Constant zero initialization zero = 0 Line 14: Constant one initialization one = 1 File anonymous1.mlw: Line 4: x = 0 x = 0 Execution of main function `f` with env: x = 0 zero = 0 one = 1 Line 5: Giant-step execution of function `h` with args: y = 0 result of `h` = 2 Line 6: Property failure at assertion with: x = 0 w = 2 Results: - Selected model 0: NC - Concrete RAC: FAILURE (assertion at "bench/check-ce/anonymous1.mlw", line 6, characters 10-19) - Abstract RAC: FAILURE (assertion at "bench/check-ce/anonymous1.mlw", line 6, characters 10-19) - Checked model 1: NC - Concrete RAC: FAILURE (assertion at "bench/check-ce/anonymous1.mlw", line 6, characters 10-19) - Abstract RAC: FAILURE (assertion at "bench/check-ce/anonymous1.mlw", line 6, characters 10-19) File "bench/check-ce/anonymous1.mlw", line 6, characters 10-19: Sub-goal Assertion of goal f'vc. Prover result is: Unknown (sat) (0.03s, 830 steps). The program does not comply to the verification goal, for example during the following execution: File int.mlw: Line 13: Constant zero initialization zero = 0 Line 14: Constant one initialization one = 1 File anonymous1.mlw: Line 4: x = 0 x = 0 Execution of main function `f` with env: x = 0 zero = 0 one = 1 Line 5: Normal execution of function `h` with args: y = 0 Normal execution of function `(+)` with args: _ = 0 _ = 2 Line 6: Property failure at assertion with: x = 0 w = 2 why3-1.6.0/bench/check-ce/oracles/anonymous2_CVC4,1.8_SP.oracle000066400000000000000000000024711440160026300235460ustar00rootroot00000000000000Categorizations of models: - Selected model 0: SW - Concrete RAC: NORMAL - Abstract RAC: FAILURE (assertion at "bench/check-ce/anonymous2.mlw", line 9, characters 11-16) - Checked model 1: SW - Concrete RAC: NORMAL - Abstract RAC: FAILURE (assertion at "bench/check-ce/anonymous2.mlw", line 9, characters 11-16) File "bench/check-ce/anonymous2.mlw", line 9, characters 11-16: Sub-goal Assertion of goal f'vc. Prover result is: Unknown (sat). The contracts of some function or loop are too weak, for example during the following execution: File int.mlw: Line 13: Constant zero initialization zero = 0 Line 14: Constant one initialization one = 1 File anonymous2.mlw: Line 3: Constant z initialization (giant-step) execution of unimplemented function with args: result = 0 Normal execution of function `ref` with args: contents = 0 Normal execution of function `ref'mk` with args: contents = 0 z = {contents= 0} Line 5: x = 1 x = 1 Execution of main function `f` with env: z = {contents= 0} x = 1 zero = 0 one = 1 Line 8: Giant-step execution of function `h` with args: y = 1 z = {contents= 0} result of `h` = () Line 9: Property failure at assertion with: z = {contents= 0} why3-1.6.0/bench/check-ce/oracles/anonymous2_CVC4,1.8_WP.oracle000066400000000000000000000024711440160026300235520ustar00rootroot00000000000000Categorizations of models: - Selected model 0: SW - Concrete RAC: NORMAL - Abstract RAC: FAILURE (assertion at "bench/check-ce/anonymous2.mlw", line 9, characters 11-16) - Checked model 1: SW - Concrete RAC: NORMAL - Abstract RAC: FAILURE (assertion at "bench/check-ce/anonymous2.mlw", line 9, characters 11-16) File "bench/check-ce/anonymous2.mlw", line 9, characters 11-16: Sub-goal Assertion of goal f'vc. Prover result is: Unknown (sat). The contracts of some function or loop are too weak, for example during the following execution: File int.mlw: Line 13: Constant zero initialization zero = 0 Line 14: Constant one initialization one = 1 File anonymous2.mlw: Line 3: Constant z initialization (giant-step) execution of unimplemented function with args: result = 0 Normal execution of function `ref` with args: contents = 0 Normal execution of function `ref'mk` with args: contents = 0 z = {contents= 0} Line 5: x = 1 x = 1 Execution of main function `f` with env: z = {contents= 0} x = 1 zero = 0 one = 1 Line 8: Giant-step execution of function `h` with args: y = 1 z = {contents= 0} result of `h` = () Line 9: Property failure at assertion with: z = {contents= 0} why3-1.6.0/bench/check-ce/oracles/anonymous2_CVC5,1.0.0_SP.oracle000066400000000000000000000024711440160026300236750ustar00rootroot00000000000000Categorizations of models: - Selected model 0: SW - Concrete RAC: NORMAL - Abstract RAC: FAILURE (assertion at "bench/check-ce/anonymous2.mlw", line 9, characters 11-16) - Checked model 1: SW - Concrete RAC: NORMAL - Abstract RAC: FAILURE (assertion at "bench/check-ce/anonymous2.mlw", line 9, characters 11-16) File "bench/check-ce/anonymous2.mlw", line 9, characters 11-16: Sub-goal Assertion of goal f'vc. Prover result is: Unknown (sat). The contracts of some function or loop are too weak, for example during the following execution: File int.mlw: Line 13: Constant zero initialization zero = 0 Line 14: Constant one initialization one = 1 File anonymous2.mlw: Line 3: Constant z initialization (giant-step) execution of unimplemented function with args: result = 0 Normal execution of function `ref` with args: contents = 0 Normal execution of function `ref'mk` with args: contents = 0 z = {contents= 0} Line 5: x = 1 x = 1 Execution of main function `f` with env: z = {contents= 0} x = 1 zero = 0 one = 1 Line 8: Giant-step execution of function `h` with args: y = 1 z = {contents= 0} result of `h` = () Line 9: Property failure at assertion with: z = {contents= 0} why3-1.6.0/bench/check-ce/oracles/anonymous2_CVC5,1.0.0_WP.oracle000066400000000000000000000024711440160026300237010ustar00rootroot00000000000000Categorizations of models: - Selected model 0: SW - Concrete RAC: NORMAL - Abstract RAC: FAILURE (assertion at "bench/check-ce/anonymous2.mlw", line 9, characters 11-16) - Checked model 1: SW - Concrete RAC: NORMAL - Abstract RAC: FAILURE (assertion at "bench/check-ce/anonymous2.mlw", line 9, characters 11-16) File "bench/check-ce/anonymous2.mlw", line 9, characters 11-16: Sub-goal Assertion of goal f'vc. Prover result is: Unknown (sat). The contracts of some function or loop are too weak, for example during the following execution: File int.mlw: Line 13: Constant zero initialization zero = 0 Line 14: Constant one initialization one = 1 File anonymous2.mlw: Line 3: Constant z initialization (giant-step) execution of unimplemented function with args: result = 0 Normal execution of function `ref` with args: contents = 0 Normal execution of function `ref'mk` with args: contents = 0 z = {contents= 0} Line 5: x = 1 x = 1 Execution of main function `f` with env: z = {contents= 0} x = 1 zero = 0 one = 1 Line 8: Giant-step execution of function `h` with args: y = 1 z = {contents= 0} result of `h` = () Line 9: Property failure at assertion with: z = {contents= 0} why3-1.6.0/bench/check-ce/oracles/anonymous2_Z3,4.8.10_SP.oracle000066400000000000000000000024711440160026300235650ustar00rootroot00000000000000Categorizations of models: - Selected model 0: SW - Concrete RAC: NORMAL - Abstract RAC: FAILURE (assertion at "bench/check-ce/anonymous2.mlw", line 9, characters 11-16) - Checked model 1: SW - Concrete RAC: NORMAL - Abstract RAC: FAILURE (assertion at "bench/check-ce/anonymous2.mlw", line 9, characters 11-16) File "bench/check-ce/anonymous2.mlw", line 9, characters 11-16: Sub-goal Assertion of goal f'vc. Prover result is: Unknown (sat). The contracts of some function or loop are too weak, for example during the following execution: File int.mlw: Line 13: Constant zero initialization zero = 0 Line 14: Constant one initialization one = 1 File anonymous2.mlw: Line 3: Constant z initialization (giant-step) execution of unimplemented function with args: result = 0 Normal execution of function `ref` with args: contents = 0 Normal execution of function `ref'mk` with args: contents = 0 z = {contents= 0} Line 5: x = 1 x = 1 Execution of main function `f` with env: z = {contents= 0} x = 1 zero = 0 one = 1 Line 8: Giant-step execution of function `h` with args: y = 1 z = {contents= 0} result of `h` = () Line 9: Property failure at assertion with: z = {contents= 0} why3-1.6.0/bench/check-ce/oracles/anonymous2_Z3,4.8.10_WP.oracle000066400000000000000000000024711440160026300235710ustar00rootroot00000000000000Categorizations of models: - Selected model 0: SW - Concrete RAC: NORMAL - Abstract RAC: FAILURE (assertion at "bench/check-ce/anonymous2.mlw", line 9, characters 11-16) - Checked model 1: SW - Concrete RAC: NORMAL - Abstract RAC: FAILURE (assertion at "bench/check-ce/anonymous2.mlw", line 9, characters 11-16) File "bench/check-ce/anonymous2.mlw", line 9, characters 11-16: Sub-goal Assertion of goal f'vc. Prover result is: Unknown (sat). The contracts of some function or loop are too weak, for example during the following execution: File int.mlw: Line 13: Constant zero initialization zero = 0 Line 14: Constant one initialization one = 1 File anonymous2.mlw: Line 3: Constant z initialization (giant-step) execution of unimplemented function with args: result = 0 Normal execution of function `ref` with args: contents = 0 Normal execution of function `ref'mk` with args: contents = 0 z = {contents= 0} Line 5: x = 1 x = 1 Execution of main function `f` with env: z = {contents= 0} x = 1 zero = 0 one = 1 Line 8: Giant-step execution of function `h` with args: y = 1 z = {contents= 0} result of `h` = () Line 9: Property failure at assertion with: z = {contents= 0} why3-1.6.0/bench/check-ce/oracles/anonymous2_Z3,4.8.4_SP.oracle000066400000000000000000000271411440160026300235110ustar00rootroot00000000000000Check model 0 ("bench/check-ce/anonymous2.mlw", line 9, characters 11-16) Checking model: File anonymous2.mlw: Line 5: x = {"type": "Integer", "val": "1"} Line 8: z = {"type": "Record", "val": {"Field": [{"field": "contents", "value": {"type": "Integer", "val": "0"}}]}} Line 9: z = {"type": "Record", "val": {"Field": [{"field": "contents", "value": {"type": "Integer", "val": "0"}}]}} Giant-step RAC RHS evaluated for global `zero` at "WHY3DATA/stdlib/int.mlw", line 13, characters 15-19: 0 RHS evaluated for global `one` at "WHY3DATA/stdlib/int.mlw", line 14, characters 15-18: 1 Type default value for return value of call at "bench/check-ce/anonymous2.mlw", line 3, characters 9-14 at "bench/check-ce/anonymous2.mlw", line 3, characters 9-14: 0 RHS evaluated for global `z` at "bench/check-ce/anonymous2.mlw", line 3, characters 8-9: {contents= 0} Value from model for parameter `x` at "bench/check-ce/anonymous2.mlw", line 5, characters 7-8: 1 Value from model for variable `z` at "bench/check-ce/anonymous2.mlw", line 8, characters 2-25 at "bench/check-ce/anonymous2.mlw", line 8, characters 2-25: {contents= 0} Type default value for return value of call to h at "bench/check-ce/anonymous2.mlw", line 8, characters 2-25 at "bench/check-ce/anonymous2.mlw", line 8, characters 2-25: () Normal RAC RHS evaluated for global `zero` at "WHY3DATA/stdlib/int.mlw", line 13, characters 15-19: 0 RHS evaluated for global `one` at "WHY3DATA/stdlib/int.mlw", line 14, characters 15-18: 1 Type default value for return value of call at "bench/check-ce/anonymous2.mlw", line 3, characters 9-14 at "bench/check-ce/anonymous2.mlw", line 3, characters 9-14: 0 RHS evaluated for global `z` at "bench/check-ce/anonymous2.mlw", line 3, characters 8-9: {contents= 0} Value from model for parameter `x` at "bench/check-ce/anonymous2.mlw", line 5, characters 7-8: 1 Result of checking model 0: SW - Concrete RAC: NORMAL File int.mlw: Line 13: Constant zero initialization zero = 0 Line 14: Constant one initialization one = 1 File anonymous2.mlw: Line 3: Constant z initialization (giant-step) execution of unimplemented function with args: result = 0 Normal execution of function `ref` with args: contents = 0 Normal execution of function `ref'mk` with args: contents = 0 z = {contents= 0} Line 5: x = 1 x = 1 Execution of main function `f` with env: z = {contents= 0} x = 1 zero = 0 one = 1 Line 8: Normal execution of function `h` with args: y = 1 Normal execution of function `contents` with args: arg = {contents= 0} Normal execution of function `(+)` with args: _ = 0 _ = 1 Line 5: Execution of main function terminated normally - Abstract RAC: FAILURE (assertion at "bench/check-ce/anonymous2.mlw", line 9, characters 11-16) File int.mlw: Line 13: Constant zero initialization zero = 0 Line 14: Constant one initialization one = 1 File anonymous2.mlw: Line 3: Constant z initialization (giant-step) execution of unimplemented function with args: result = 0 Normal execution of function `ref` with args: contents = 0 Normal execution of function `ref'mk` with args: contents = 0 z = {contents= 0} Line 5: x = 1 x = 1 Execution of main function `f` with env: z = {contents= 0} x = 1 zero = 0 one = 1 Line 8: Giant-step execution of function `h` with args: y = 1 z = {contents= 0} result of `h` = () Line 9: Property failure at assertion with: z = {contents= 0} Check model 1 ("bench/check-ce/anonymous2.mlw", line 9, characters 11-16) Checking model: File anonymous2.mlw: Line 5: x = {"type": "Integer", "val": "1"} Line 8: z = {"type": "Record", "val": {"Field": [{"field": "contents", "value": {"type": "Integer", "val": "0"}}]}} Line 9: z = {"type": "Record", "val": {"Field": [{"field": "contents", "value": {"type": "Integer", "val": "0"}}]}} Giant-step RAC RHS evaluated for global `zero` at "WHY3DATA/stdlib/int.mlw", line 13, characters 15-19: 0 RHS evaluated for global `one` at "WHY3DATA/stdlib/int.mlw", line 14, characters 15-18: 1 Type default value for return value of call at "bench/check-ce/anonymous2.mlw", line 3, characters 9-14 at "bench/check-ce/anonymous2.mlw", line 3, characters 9-14: 0 RHS evaluated for global `z` at "bench/check-ce/anonymous2.mlw", line 3, characters 8-9: {contents= 0} Value from model for parameter `x` at "bench/check-ce/anonymous2.mlw", line 5, characters 7-8: 1 Value from model for variable `z` at "bench/check-ce/anonymous2.mlw", line 8, characters 2-25 at "bench/check-ce/anonymous2.mlw", line 8, characters 2-25: {contents= 0} Type default value for return value of call to h at "bench/check-ce/anonymous2.mlw", line 8, characters 2-25 at "bench/check-ce/anonymous2.mlw", line 8, characters 2-25: () Normal RAC RHS evaluated for global `zero` at "WHY3DATA/stdlib/int.mlw", line 13, characters 15-19: 0 RHS evaluated for global `one` at "WHY3DATA/stdlib/int.mlw", line 14, characters 15-18: 1 Type default value for return value of call at "bench/check-ce/anonymous2.mlw", line 3, characters 9-14 at "bench/check-ce/anonymous2.mlw", line 3, characters 9-14: 0 RHS evaluated for global `z` at "bench/check-ce/anonymous2.mlw", line 3, characters 8-9: {contents= 0} Value from model for parameter `x` at "bench/check-ce/anonymous2.mlw", line 5, characters 7-8: 1 Result of checking model 1: SW - Concrete RAC: NORMAL File int.mlw: Line 13: Constant zero initialization zero = 0 Line 14: Constant one initialization one = 1 File anonymous2.mlw: Line 3: Constant z initialization (giant-step) execution of unimplemented function with args: result = 0 Normal execution of function `ref` with args: contents = 0 Normal execution of function `ref'mk` with args: contents = 0 z = {contents= 0} Line 5: x = 1 x = 1 Execution of main function `f` with env: z = {contents= 0} x = 1 zero = 0 one = 1 Line 8: Normal execution of function `h` with args: y = 1 Normal execution of function `contents` with args: arg = {contents= 0} Normal execution of function `(+)` with args: _ = 0 _ = 1 Line 5: Execution of main function terminated normally - Abstract RAC: FAILURE (assertion at "bench/check-ce/anonymous2.mlw", line 9, characters 11-16) File int.mlw: Line 13: Constant zero initialization zero = 0 Line 14: Constant one initialization one = 1 File anonymous2.mlw: Line 3: Constant z initialization (giant-step) execution of unimplemented function with args: result = 0 Normal execution of function `ref` with args: contents = 0 Normal execution of function `ref'mk` with args: contents = 0 z = {contents= 0} Line 5: x = 1 x = 1 Execution of main function `f` with env: z = {contents= 0} x = 1 zero = 0 one = 1 Line 8: Giant-step execution of function `h` with args: y = 1 z = {contents= 0} result of `h` = () Line 9: Property failure at assertion with: z = {contents= 0} Results: - Selected model 0: SW - Concrete RAC: NORMAL - Abstract RAC: FAILURE (assertion at "bench/check-ce/anonymous2.mlw", line 9, characters 11-16) - Checked model 1: SW - Concrete RAC: NORMAL - Abstract RAC: FAILURE (assertion at "bench/check-ce/anonymous2.mlw", line 9, characters 11-16) File "bench/check-ce/anonymous2.mlw", line 9, characters 11-16: Sub-goal Assertion of goal f'vc. Prover result is: Unknown (unknown) (1.17s, 7500000 steps). The contracts of some function or loop are too weak, for example during the following execution: File int.mlw: Line 13: Constant zero initialization zero = 0 Line 14: Constant one initialization one = 1 File anonymous2.mlw: Line 3: Constant z initialization (giant-step) execution of unimplemented function with args: result = 0 Normal execution of function `ref` with args: contents = 0 Normal execution of function `ref'mk` with args: contents = 0 z = {contents= 0} Line 5: x = 1 x = 1 Execution of main function `f` with env: z = {contents= 0} x = 1 zero = 0 one = 1 Line 8: Giant-step execution of function `h` with args: y = 1 z = {contents= 0} result of `h` = () Line 9: Property failure at assertion with: z = {contents= 0} why3-1.6.0/bench/check-ce/oracles/anonymous2_Z3,4.8.4_WP.oracle000066400000000000000000000271411440160026300235150ustar00rootroot00000000000000Check model 0 ("bench/check-ce/anonymous2.mlw", line 9, characters 11-16) Checking model: File anonymous2.mlw: Line 5: x = {"type": "Integer", "val": "1"} Line 8: z = {"type": "Record", "val": {"Field": [{"field": "contents", "value": {"type": "Integer", "val": "0"}}]}} Line 9: z = {"type": "Record", "val": {"Field": [{"field": "contents", "value": {"type": "Integer", "val": "0"}}]}} Giant-step RAC RHS evaluated for global `zero` at "WHY3DATA/stdlib/int.mlw", line 13, characters 15-19: 0 RHS evaluated for global `one` at "WHY3DATA/stdlib/int.mlw", line 14, characters 15-18: 1 Type default value for return value of call at "bench/check-ce/anonymous2.mlw", line 3, characters 9-14 at "bench/check-ce/anonymous2.mlw", line 3, characters 9-14: 0 RHS evaluated for global `z` at "bench/check-ce/anonymous2.mlw", line 3, characters 8-9: {contents= 0} Value from model for parameter `x` at "bench/check-ce/anonymous2.mlw", line 5, characters 7-8: 1 Value from model for variable `z` at "bench/check-ce/anonymous2.mlw", line 8, characters 2-25 at "bench/check-ce/anonymous2.mlw", line 8, characters 2-25: {contents= 0} Type default value for return value of call to h at "bench/check-ce/anonymous2.mlw", line 8, characters 2-25 at "bench/check-ce/anonymous2.mlw", line 8, characters 2-25: () Normal RAC RHS evaluated for global `zero` at "WHY3DATA/stdlib/int.mlw", line 13, characters 15-19: 0 RHS evaluated for global `one` at "WHY3DATA/stdlib/int.mlw", line 14, characters 15-18: 1 Type default value for return value of call at "bench/check-ce/anonymous2.mlw", line 3, characters 9-14 at "bench/check-ce/anonymous2.mlw", line 3, characters 9-14: 0 RHS evaluated for global `z` at "bench/check-ce/anonymous2.mlw", line 3, characters 8-9: {contents= 0} Value from model for parameter `x` at "bench/check-ce/anonymous2.mlw", line 5, characters 7-8: 1 Result of checking model 0: SW - Concrete RAC: NORMAL File int.mlw: Line 13: Constant zero initialization zero = 0 Line 14: Constant one initialization one = 1 File anonymous2.mlw: Line 3: Constant z initialization (giant-step) execution of unimplemented function with args: result = 0 Normal execution of function `ref` with args: contents = 0 Normal execution of function `ref'mk` with args: contents = 0 z = {contents= 0} Line 5: x = 1 x = 1 Execution of main function `f` with env: z = {contents= 0} x = 1 zero = 0 one = 1 Line 8: Normal execution of function `h` with args: y = 1 Normal execution of function `contents` with args: arg = {contents= 0} Normal execution of function `(+)` with args: _ = 0 _ = 1 Line 5: Execution of main function terminated normally - Abstract RAC: FAILURE (assertion at "bench/check-ce/anonymous2.mlw", line 9, characters 11-16) File int.mlw: Line 13: Constant zero initialization zero = 0 Line 14: Constant one initialization one = 1 File anonymous2.mlw: Line 3: Constant z initialization (giant-step) execution of unimplemented function with args: result = 0 Normal execution of function `ref` with args: contents = 0 Normal execution of function `ref'mk` with args: contents = 0 z = {contents= 0} Line 5: x = 1 x = 1 Execution of main function `f` with env: z = {contents= 0} x = 1 zero = 0 one = 1 Line 8: Giant-step execution of function `h` with args: y = 1 z = {contents= 0} result of `h` = () Line 9: Property failure at assertion with: z = {contents= 0} Check model 1 ("bench/check-ce/anonymous2.mlw", line 9, characters 11-16) Checking model: File anonymous2.mlw: Line 5: x = {"type": "Integer", "val": "1"} Line 8: z = {"type": "Record", "val": {"Field": [{"field": "contents", "value": {"type": "Integer", "val": "0"}}]}} Line 9: z = {"type": "Record", "val": {"Field": [{"field": "contents", "value": {"type": "Integer", "val": "0"}}]}} Giant-step RAC RHS evaluated for global `zero` at "WHY3DATA/stdlib/int.mlw", line 13, characters 15-19: 0 RHS evaluated for global `one` at "WHY3DATA/stdlib/int.mlw", line 14, characters 15-18: 1 Type default value for return value of call at "bench/check-ce/anonymous2.mlw", line 3, characters 9-14 at "bench/check-ce/anonymous2.mlw", line 3, characters 9-14: 0 RHS evaluated for global `z` at "bench/check-ce/anonymous2.mlw", line 3, characters 8-9: {contents= 0} Value from model for parameter `x` at "bench/check-ce/anonymous2.mlw", line 5, characters 7-8: 1 Value from model for variable `z` at "bench/check-ce/anonymous2.mlw", line 8, characters 2-25 at "bench/check-ce/anonymous2.mlw", line 8, characters 2-25: {contents= 0} Type default value for return value of call to h at "bench/check-ce/anonymous2.mlw", line 8, characters 2-25 at "bench/check-ce/anonymous2.mlw", line 8, characters 2-25: () Normal RAC RHS evaluated for global `zero` at "WHY3DATA/stdlib/int.mlw", line 13, characters 15-19: 0 RHS evaluated for global `one` at "WHY3DATA/stdlib/int.mlw", line 14, characters 15-18: 1 Type default value for return value of call at "bench/check-ce/anonymous2.mlw", line 3, characters 9-14 at "bench/check-ce/anonymous2.mlw", line 3, characters 9-14: 0 RHS evaluated for global `z` at "bench/check-ce/anonymous2.mlw", line 3, characters 8-9: {contents= 0} Value from model for parameter `x` at "bench/check-ce/anonymous2.mlw", line 5, characters 7-8: 1 Result of checking model 1: SW - Concrete RAC: NORMAL File int.mlw: Line 13: Constant zero initialization zero = 0 Line 14: Constant one initialization one = 1 File anonymous2.mlw: Line 3: Constant z initialization (giant-step) execution of unimplemented function with args: result = 0 Normal execution of function `ref` with args: contents = 0 Normal execution of function `ref'mk` with args: contents = 0 z = {contents= 0} Line 5: x = 1 x = 1 Execution of main function `f` with env: z = {contents= 0} x = 1 zero = 0 one = 1 Line 8: Normal execution of function `h` with args: y = 1 Normal execution of function `contents` with args: arg = {contents= 0} Normal execution of function `(+)` with args: _ = 0 _ = 1 Line 5: Execution of main function terminated normally - Abstract RAC: FAILURE (assertion at "bench/check-ce/anonymous2.mlw", line 9, characters 11-16) File int.mlw: Line 13: Constant zero initialization zero = 0 Line 14: Constant one initialization one = 1 File anonymous2.mlw: Line 3: Constant z initialization (giant-step) execution of unimplemented function with args: result = 0 Normal execution of function `ref` with args: contents = 0 Normal execution of function `ref'mk` with args: contents = 0 z = {contents= 0} Line 5: x = 1 x = 1 Execution of main function `f` with env: z = {contents= 0} x = 1 zero = 0 one = 1 Line 8: Giant-step execution of function `h` with args: y = 1 z = {contents= 0} result of `h` = () Line 9: Property failure at assertion with: z = {contents= 0} Results: - Selected model 0: SW - Concrete RAC: NORMAL - Abstract RAC: FAILURE (assertion at "bench/check-ce/anonymous2.mlw", line 9, characters 11-16) - Checked model 1: SW - Concrete RAC: NORMAL - Abstract RAC: FAILURE (assertion at "bench/check-ce/anonymous2.mlw", line 9, characters 11-16) File "bench/check-ce/anonymous2.mlw", line 9, characters 11-16: Sub-goal Assertion of goal f'vc. Prover result is: Unknown (unknown) (1.15s, 7500000 steps). The contracts of some function or loop are too weak, for example during the following execution: File int.mlw: Line 13: Constant zero initialization zero = 0 Line 14: Constant one initialization one = 1 File anonymous2.mlw: Line 3: Constant z initialization (giant-step) execution of unimplemented function with args: result = 0 Normal execution of function `ref` with args: contents = 0 Normal execution of function `ref'mk` with args: contents = 0 z = {contents= 0} Line 5: x = 1 x = 1 Execution of main function `f` with env: z = {contents= 0} x = 1 zero = 0 one = 1 Line 8: Giant-step execution of function `h` with args: y = 1 z = {contents= 0} result of `h` = () Line 9: Property failure at assertion with: z = {contents= 0} why3-1.6.0/bench/check-ce/oracles/anonymous3_CVC4,1.8_SP.oracle000066400000000000000000000025031440160026300235430ustar00rootroot00000000000000Categorizations of models: - Selected model 0: NC - Concrete RAC: FAILURE (postcondition at "bench/check-ce/anonymous3.mlw", line 7, characters 12-22) - Abstract RAC: INCOMPLETE (terminated because Postcondition of `f` cannot be evaluated) - Checked model 1: NC - Concrete RAC: FAILURE (postcondition at "bench/check-ce/anonymous3.mlw", line 7, characters 12-22) - Abstract RAC: INCOMPLETE (terminated because Postcondition of `f` cannot be evaluated) File "bench/check-ce/anonymous3.mlw", line 7, characters 12-22: Sub-goal Postcondition of goal g'vc. Prover result is: Unknown or time/memory/step limit. The program does not comply to the verification goal, for example during the following execution: File int.mlw: Line 13: Constant zero initialization zero = 0 Line 14: Constant one initialization one = 1 File anonymous3.mlw: Line 6: y = 0 y = 0 Execution of main function `g` with env: y = 0 zero = 0 one = 1 Line 8: Normal execution of function `f` with args: x = 0 Normal execution of function `(@)` with args: u = (fun y -> y + x) with x = 0 u = 0 Line 4: Normal execution of function `(+)` with args: _ = 0 _ = 0 Line 7: Property failure at postcondition of `g` with: y = 0 result = 0 why3-1.6.0/bench/check-ce/oracles/anonymous3_CVC4,1.8_WP.oracle000066400000000000000000000025031440160026300235470ustar00rootroot00000000000000Categorizations of models: - Selected model 0: NC - Concrete RAC: FAILURE (postcondition at "bench/check-ce/anonymous3.mlw", line 7, characters 12-22) - Abstract RAC: INCOMPLETE (terminated because Postcondition of `f` cannot be evaluated) - Checked model 1: NC - Concrete RAC: FAILURE (postcondition at "bench/check-ce/anonymous3.mlw", line 7, characters 12-22) - Abstract RAC: INCOMPLETE (terminated because Postcondition of `f` cannot be evaluated) File "bench/check-ce/anonymous3.mlw", line 7, characters 12-22: Sub-goal Postcondition of goal g'vc. Prover result is: Unknown or time/memory/step limit. The program does not comply to the verification goal, for example during the following execution: File int.mlw: Line 13: Constant zero initialization zero = 0 Line 14: Constant one initialization one = 1 File anonymous3.mlw: Line 6: y = 0 y = 0 Execution of main function `g` with env: y = 0 zero = 0 one = 1 Line 8: Normal execution of function `f` with args: x = 0 Normal execution of function `(@)` with args: u = (fun y -> y + x) with x = 0 u = 0 Line 4: Normal execution of function `(+)` with args: _ = 0 _ = 0 Line 7: Property failure at postcondition of `g` with: y = 0 result = 0 why3-1.6.0/bench/check-ce/oracles/anonymous3_CVC5,1.0.0_SP.oracle000066400000000000000000000025031440160026300236720ustar00rootroot00000000000000Categorizations of models: - Selected model 0: NC - Concrete RAC: FAILURE (postcondition at "bench/check-ce/anonymous3.mlw", line 7, characters 12-22) - Abstract RAC: INCOMPLETE (terminated because Postcondition of `f` cannot be evaluated) - Checked model 1: NC - Concrete RAC: FAILURE (postcondition at "bench/check-ce/anonymous3.mlw", line 7, characters 12-22) - Abstract RAC: INCOMPLETE (terminated because Postcondition of `f` cannot be evaluated) File "bench/check-ce/anonymous3.mlw", line 7, characters 12-22: Sub-goal Postcondition of goal g'vc. Prover result is: Unknown or time/memory/step limit. The program does not comply to the verification goal, for example during the following execution: File int.mlw: Line 13: Constant zero initialization zero = 0 Line 14: Constant one initialization one = 1 File anonymous3.mlw: Line 6: y = 0 y = 0 Execution of main function `g` with env: y = 0 zero = 0 one = 1 Line 8: Normal execution of function `f` with args: x = 0 Normal execution of function `(@)` with args: u = (fun y -> y + x) with x = 0 u = 0 Line 4: Normal execution of function `(+)` with args: _ = 0 _ = 0 Line 7: Property failure at postcondition of `g` with: y = 0 result = 0 why3-1.6.0/bench/check-ce/oracles/anonymous3_CVC5,1.0.0_WP.oracle000066400000000000000000000025031440160026300236760ustar00rootroot00000000000000Categorizations of models: - Selected model 0: NC - Concrete RAC: FAILURE (postcondition at "bench/check-ce/anonymous3.mlw", line 7, characters 12-22) - Abstract RAC: INCOMPLETE (terminated because Postcondition of `f` cannot be evaluated) - Checked model 1: NC - Concrete RAC: FAILURE (postcondition at "bench/check-ce/anonymous3.mlw", line 7, characters 12-22) - Abstract RAC: INCOMPLETE (terminated because Postcondition of `f` cannot be evaluated) File "bench/check-ce/anonymous3.mlw", line 7, characters 12-22: Sub-goal Postcondition of goal g'vc. Prover result is: Unknown or time/memory/step limit. The program does not comply to the verification goal, for example during the following execution: File int.mlw: Line 13: Constant zero initialization zero = 0 Line 14: Constant one initialization one = 1 File anonymous3.mlw: Line 6: y = 0 y = 0 Execution of main function `g` with env: y = 0 zero = 0 one = 1 Line 8: Normal execution of function `f` with args: x = 0 Normal execution of function `(@)` with args: u = (fun y -> y + x) with x = 0 u = 0 Line 4: Normal execution of function `(+)` with args: _ = 0 _ = 0 Line 7: Property failure at postcondition of `g` with: y = 0 result = 0 why3-1.6.0/bench/check-ce/oracles/anonymous3_Z3,4.8.10_SP.oracle000066400000000000000000000025641440160026300235710ustar00rootroot00000000000000Categorizations of models: - Selected model 0: NC - Concrete RAC: FAILURE (postcondition at "bench/check-ce/anonymous3.mlw", line 7, characters 12-22) - Abstract RAC: STUCK (failure in postcondition of `f` at unknown location) - Checked model 1: NC - Concrete RAC: FAILURE (postcondition at "bench/check-ce/anonymous3.mlw", line 7, characters 12-22) - Abstract RAC: INCOMPLETE (terminated because missing value for return value of call to f at "bench/check-ce/anonymous3.mlw", line 8, characters 2-5) File "bench/check-ce/anonymous3.mlw", line 7, characters 12-22: Sub-goal Postcondition of goal g'vc. Prover result is: Unknown or time/memory/step limit. The program does not comply to the verification goal, for example during the following execution: File int.mlw: Line 13: Constant zero initialization zero = 0 Line 14: Constant one initialization one = 1 File anonymous3.mlw: Line 6: y = 0 y = 0 Execution of main function `g` with env: y = 0 zero = 0 one = 1 Line 8: Normal execution of function `f` with args: x = 0 Normal execution of function `(@)` with args: u = (fun y -> y + x) with x = 0 u = 0 Line 4: Normal execution of function `(+)` with args: _ = 0 _ = 0 Line 7: Property failure at postcondition of `g` with: y = 0 result = 0 why3-1.6.0/bench/check-ce/oracles/anonymous3_Z3,4.8.10_WP.oracle000066400000000000000000000025641440160026300235750ustar00rootroot00000000000000Categorizations of models: - Selected model 0: NC - Concrete RAC: FAILURE (postcondition at "bench/check-ce/anonymous3.mlw", line 7, characters 12-22) - Abstract RAC: STUCK (failure in postcondition of `f` at unknown location) - Checked model 1: NC - Concrete RAC: FAILURE (postcondition at "bench/check-ce/anonymous3.mlw", line 7, characters 12-22) - Abstract RAC: INCOMPLETE (terminated because missing value for return value of call to f at "bench/check-ce/anonymous3.mlw", line 8, characters 2-5) File "bench/check-ce/anonymous3.mlw", line 7, characters 12-22: Sub-goal Postcondition of goal g'vc. Prover result is: Unknown or time/memory/step limit. The program does not comply to the verification goal, for example during the following execution: File int.mlw: Line 13: Constant zero initialization zero = 0 Line 14: Constant one initialization one = 1 File anonymous3.mlw: Line 6: y = 0 y = 0 Execution of main function `g` with env: y = 0 zero = 0 one = 1 Line 8: Normal execution of function `f` with args: x = 0 Normal execution of function `(@)` with args: u = (fun y -> y + x) with x = 0 u = 0 Line 4: Normal execution of function `(+)` with args: _ = 0 _ = 0 Line 7: Property failure at postcondition of `g` with: y = 0 result = 0 why3-1.6.0/bench/check-ce/oracles/anonymous3_Z3,4.8.4_SP.oracle000066400000000000000000000667541440160026300235270ustar00rootroot00000000000000Check model 0 ("bench/check-ce/anonymous3.mlw", line 7, characters 12-22) Checking model: File anonymous3.mlw: Line 6: y = {"type": "Integer", "val": "0"} Line 7: y = {"type": "Integer", "val": "0"} Line 8: result = {"type": "Integer", "val": "1"} Giant-step RAC RHS evaluated for global `zero` at "WHY3DATA/stdlib/int.mlw", line 13, characters 15-19: 0 RHS evaluated for global `one` at "WHY3DATA/stdlib/int.mlw", line 14, characters 15-18: 1 Value from model for parameter `y` at "bench/check-ce/anonymous3.mlw", line 6, characters 7-8: 0 No value for return value of call to f at "bench/check-ce/anonymous3.mlw", line 8, characters 2-5 at "bench/check-ce/anonymous3.mlw", line 8, characters 2-5 Normal RAC RHS evaluated for global `zero` at "WHY3DATA/stdlib/int.mlw", line 13, characters 15-19: 0 RHS evaluated for global `one` at "WHY3DATA/stdlib/int.mlw", line 14, characters 15-18: 1 Value from model for parameter `y` at "bench/check-ce/anonymous3.mlw", line 6, characters 7-8: 0 Result of checking model 0: NC - Concrete RAC: FAILURE (postcondition at "bench/check-ce/anonymous3.mlw", line 7, characters 12-22) File int.mlw: Line 13: Constant zero initialization zero = 0 Line 14: Constant one initialization one = 1 File anonymous3.mlw: Line 6: y = 0 y = 0 Execution of main function `g` with env: y = 0 zero = 0 one = 1 Line 8: Normal execution of function `f` with args: x = 0 Normal execution of function `(@)` with args: u = (fun y -> y + x) with x = 0 u = 0 Line 4: Normal execution of function `(+)` with args: _ = 0 _ = 0 Line 7: Property failure at postcondition of `g` with: y = 0 result = 0 - Abstract RAC: INCOMPLETE (terminated because missing value for return value of call to f at "bench/check-ce/anonymous3.mlw", line 8, characters 2-5) Check model 1 ("bench/check-ce/anonymous3.mlw", line 7, characters 12-22) Checking model: File anonymous3.mlw: Line 6: y = {"type": "Integer", "val": "-1186"} Line 7: y = {"type": "Integer", "val": "-1186"} Line 8: result = {"type": "Integer", "val": "-2372"} result = {"type": "Array", "val": [{"indice": {"type": "Integer", "val": "-7173"}, "value": {"type": "Integer", "val": "-8359"}}, {"indice": {"type": "Integer", "val": "-7172"}, "value": {"type": "Integer", "val": "-8358"}}, {"indice": {"type": "Integer", "val": "-7171"}, "value": {"type": "Integer", "val": "-8357"}}, {"indice": {"type": "Integer", "val": "-7170"}, "value": {"type": "Integer", "val": "-8356"}}, {"indice": {"type": "Integer", "val": "-7169"}, "value": {"type": "Integer", "val": "-8355"}}, {"indice": {"type": "Integer", "val": "-7168"}, "value": {"type": "Integer", "val": "-8354"}}, {"indice": {"type": "Integer", "val": "-7167"}, "value": {"type": "Integer", "val": "-8353"}}, {"indice": {"type": "Integer", "val": "-7166"}, "value": {"type": "Integer", "val": "-8352"}}, {"indice": {"type": "Integer", "val": "-7165"}, "value": {"type": "Integer", "val": "-8351"}}, {"indice": {"type": "Integer", "val": "-7164"}, "value": {"type": "Integer", "val": "-8350"}}, {"indice": {"type": "Integer", "val": "-7163"}, "value": {"type": "Integer", "val": "-8349"}}, {"indice": {"type": "Integer", "val": "-7162"}, "value": {"type": "Integer", "val": "-8348"}}, {"indice": {"type": "Integer", "val": "-7161"}, "value": {"type": "Integer", "val": "-8347"}}, {"indice": {"type": "Integer", "val": "-7160"}, "value": {"type": "Integer", "val": "-8346"}}, {"indice": {"type": "Integer", "val": "-7159"}, "value": {"type": "Integer", "val": "-8345"}}, {"indice": {"type": "Integer", "val": "-7158"}, "value": {"type": "Integer", "val": "-8344"}}, {"indice": {"type": "Integer", "val": "-7157"}, "value": {"type": "Integer", "val": "-8343"}}, {"indice": {"type": "Integer", "val": "-7156"}, "value": {"type": "Integer", "val": "-8342"}}, {"indice": {"type": "Integer", "val": "-7155"}, "value": {"type": "Integer", "val": "-8341"}}, {"indice": {"type": "Integer", "val": "-7154"}, "value": {"type": "Integer", "val": "-8340"}}, {"indice": {"type": "Integer", "val": "-7153"}, "value": {"type": "Integer", "val": "-8339"}}, {"indice": {"type": "Integer", "val": "-7152"}, "value": {"type": "Integer", "val": "-8338"}}, {"indice": {"type": "Integer", "val": "-7151"}, "value": {"type": "Integer", "val": "-8337"}}, {"indice": {"type": "Integer", "val": "-7150"}, "value": {"type": "Integer", "val": "-8336"}}, {"indice": {"type": "Integer", "val": "-7149"}, "value": {"type": "Integer", "val": "-8335"}}, {"indice": {"type": "Integer", "val": "-7148"}, "value": {"type": "Integer", "val": "-8334"}}, {"indice": {"type": "Integer", "val": "-7147"}, "value": {"type": "Integer", "val": "-8333"}}, {"indice": {"type": "Integer", "val": "-7146"}, "value": {"type": "Integer", "val": "-8332"}}, {"indice": {"type": "Integer", "val": "-7145"}, "value": {"type": "Integer", "val": "-8331"}}, {"indice": {"type": "Integer", "val": "-7144"}, "value": {"type": "Integer", "val": "-8330"}}, {"indice": {"type": "Integer", "val": "-7143"}, "value": {"type": "Integer", "val": "-8329"}}, {"indice": {"type": "Integer", "val": "-7142"}, "value": {"type": "Integer", "val": "-8328"}}, {"indice": {"type": "Integer", "val": "-7141"}, "value": {"type": "Integer", "val": "-8327"}}, {"indice": {"type": "Integer", "val": "-7139"}, "value": {"type": "Integer", "val": "-8325"}}, {"indice": {"type": "Integer", "val": "-7138"}, "value": {"type": "Integer", "val": "-8324"}}, {"indice": {"type": "Integer", "val": "-7137"}, "value": {"type": "Integer", "val": "-8323"}}, {"indice": {"type": "Integer", "val": "-7136"}, "value": {"type": "Integer", "val": "-8322"}}, {"indice": {"type": "Integer", "val": "-7135"}, "value": {"type": "Integer", "val": "-8321"}}, {"indice": {"type": "Integer", "val": "-7134"}, "value": {"type": "Integer", "val": "-8320"}}, {"indice": {"type": "Integer", "val": "-7133"}, "value": {"type": "Integer", "val": "-8319"}}, {"indice": {"type": "Integer", "val": "-7132"}, "value": {"type": "Integer", "val": "-8318"}}, {"indice": {"type": "Integer", "val": "-7131"}, "value": {"type": "Integer", "val": "-8317"}}, {"indice": {"type": "Integer", "val": "-7130"}, "value": {"type": "Integer", "val": "-8316"}}, {"indice": {"type": "Integer", "val": "-7129"}, "value": {"type": "Integer", "val": "-8315"}}, {"indice": {"type": "Integer", "val": "-7128"}, "value": {"type": "Integer", "val": "-8314"}}, {"indice": {"type": "Integer", "val": "-7127"}, "value": {"type": "Integer", "val": "-8313"}}, {"indice": {"type": "Integer", "val": "-7126"}, "value": {"type": "Integer", "val": "-8312"}}, {"indice": {"type": "Integer", "val": "-7125"}, "value": {"type": "Integer", "val": "-8311"}}, {"indice": {"type": "Integer", "val": "-7124"}, "value": {"type": "Integer", "val": "-8310"}}, {"indice": {"type": "Integer", "val": "-7123"}, "value": {"type": "Integer", "val": "-8309"}}, {"indice": {"type": "Integer", "val": "-7122"}, "value": {"type": "Integer", "val": "-8308"}}, {"indice": {"type": "Integer", "val": "-7121"}, "value": {"type": "Integer", "val": "-8307"}}, {"indice": {"type": "Integer", "val": "-7120"}, "value": {"type": "Integer", "val": "-8306"}}, {"indice": {"type": "Integer", "val": "-7119"}, "value": {"type": "Integer", "val": "-8305"}}, {"indice": {"type": "Integer", "val": "-7118"}, "value": {"type": "Integer", "val": "-8304"}}, {"indice": {"type": "Integer", "val": "-7117"}, "value": {"type": "Integer", "val": "-8303"}}, {"indice": {"type": "Integer", "val": "-7116"}, "value": {"type": "Integer", "val": "-8302"}}, {"indice": {"type": "Integer", "val": "-7115"}, "value": {"type": "Integer", "val": "-8301"}}, {"indice": {"type": "Integer", "val": "-7114"}, "value": {"type": "Integer", "val": "-8300"}}, {"indice": {"type": "Integer", "val": "-7113"}, "value": {"type": "Integer", "val": "-8299"}}, {"indice": {"type": "Integer", "val": "-7112"}, "value": {"type": "Integer", "val": "-8298"}}, {"indice": {"type": "Integer", "val": "-7111"}, "value": {"type": "Integer", "val": "-8297"}}, {"indice": {"type": "Integer", "val": "-7110"}, "value": {"type": "Integer", "val": "-8296"}}, {"indice": {"type": "Integer", "val": "-7109"}, "value": {"type": "Integer", "val": "-8295"}}, {"indice": {"type": "Integer", "val": "-7108"}, "value": {"type": "Integer", "val": "-8294"}}, {"indice": {"type": "Integer", "val": "-7107"}, "value": {"type": "Integer", "val": "-8293"}}, {"indice": {"type": "Integer", "val": "-7106"}, "value": {"type": "Integer", "val": "-8292"}}, {"indice": {"type": "Integer", "val": "-7105"}, "value": {"type": "Integer", "val": "-8291"}}, {"indice": {"type": "Integer", "val": "-7104"}, "value": {"type": "Integer", "val": "-8290"}}, {"indice": {"type": "Integer", "val": "-7103"}, "value": {"type": "Integer", "val": "-8289"}}, {"indice": {"type": "Integer", "val": "-7102"}, "value": {"type": "Integer", "val": "-8288"}}, {"indice": {"type": "Integer", "val": "-7101"}, "value": {"type": "Integer", "val": "-8287"}}, {"indice": {"type": "Integer", "val": "-7100"}, "value": {"type": "Integer", "val": "-8286"}}, {"indice": {"type": "Integer", "val": "-7099"}, "value": {"type": "Integer", "val": "-8285"}}, {"indice": {"type": "Integer", "val": "-7098"}, "value": {"type": "Integer", "val": "-8284"}}, {"indice": {"type": "Integer", "val": "-7097"}, "value": {"type": "Integer", "val": "-8283"}}, {"indice": {"type": "Integer", "val": "-1774"}, "value": {"type": "Integer", "val": "-2960"}}, {"indice": {"type": "Integer", "val": "-1773"}, "value": {"type": "Integer", "val": "-2959"}}, {"indice": {"type": "Integer", "val": "-1772"}, "value": {"type": "Integer", "val": "-2958"}}, {"indice": {"type": "Integer", "val": "-1771"}, "value": {"type": "Integer", "val": "-2957"}}, {"indice": {"type": "Integer", "val": "-1770"}, "value": {"type": "Integer", "val": "-2956"}}, {"indice": {"type": "Integer", "val": "-1769"}, "value": {"type": "Integer", "val": "-2955"}}, {"indice": {"type": "Integer", "val": "-1768"}, "value": {"type": "Integer", "val": "-2954"}}, {"indice": {"type": "Integer", "val": "-1189"}, "value": {"type": "Integer", "val": "-2375"}}, {"indice": {"type": "Integer", "val": "-1188"}, "value": {"type": "Integer", "val": "-2374"}}, {"indice": {"type": "Integer", "val": "-1187"}, "value": {"type": "Integer", "val": "-2373"}}, {"indice": {"type": "Integer", "val": "-1186"}, "value": {"type": "Integer", "val": "-2372"}}, {"indice": {"type": "Integer", "val": "-1185"}, "value": {"type": "Integer", "val": "-2371"}}, {"indice": {"type": "Integer", "val": "-1"}, "value": {"type": "Integer", "val": "-1187"}}, {"indice": {"type": "Integer", "val": "0"}, "value": {"type": "Integer", "val": "-1186"}}, {"indice": {"type": "Integer", "val": "15"}, "value": {"type": "Integer", "val": "-1171"}}, {"indice": {"type": "Integer", "val": "17"}, "value": {"type": "Integer", "val": "-1169"}}, {"indice": {"type": "Integer", "val": "84"}, "value": {"type": "Integer", "val": "-1102"}}, {"indice": {"type": "Integer", "val": "92"}, "value": {"type": "Integer", "val": "-1094"}}, {"indice": {"type": "Integer", "val": "2956"}, "value": {"type": "Integer", "val": "1770"}}, {"indice": {"type": "Integer", "val": "9948"}, "value": {"type": "Integer", "val": "8762"}}, {"indice": {"type": "Integer", "val": "9949"}, "value": {"type": "Integer", "val": "8763"}}, {"others": {"type": "Integer", "val": "-8326"}}]} Giant-step RAC RHS evaluated for global `zero` at "WHY3DATA/stdlib/int.mlw", line 13, characters 15-19: 0 RHS evaluated for global `one` at "WHY3DATA/stdlib/int.mlw", line 14, characters 15-18: 1 Value from model for parameter `y` at "bench/check-ce/anonymous3.mlw", line 6, characters 7-8: (-1186) Value from model for return value of call to f at "bench/check-ce/anonymous3.mlw", line 8, characters 2-5 at "bench/check-ce/anonymous3.mlw", line 8, characters 2-5: [| (-7173) -> (-8359); (-7172) -> (-8358); (-7171) -> (-8357); (-7170) -> (-8356); (-7169) -> (-8355); (-7168) -> (-8354); (-7167) -> (-8353); (-7166) -> (-8352); (-7165) -> (-8351); (-7164) -> (-8350); (-7163) -> (-8349); (-7162) -> (-8348); (-7161) -> (-8347); (-7160) -> (-8346); (-7159) -> (-8345); (-7158) -> (-8344); (-7157) -> (-8343); (-7156) -> (-8342); (-7155) -> (-8341); (-7154) -> (-8340); (-7153) -> (-8339); (-7152) -> (-8338); (-7151) -> (-8337); (-7150) -> (-8336); (-7149) -> (-8335); (-7148) -> (-8334); (-7147) -> (-8333); (-7146) -> (-8332); (-7145) -> (-8331); (-7144) -> (-8330); (-7143) -> (-8329); (-7142) -> (-8328); (-7141) -> (-8327); (-7139) -> (-8325); (-7138) -> (-8324); (-7137) -> (-8323); (-7136) -> (-8322); (-7135) -> (-8321); (-7134) -> (-8320); (-7133) -> (-8319); (-7132) -> (-8318); (-7131) -> (-8317); (-7130) -> (-8316); (-7129) -> (-8315); (-7128) -> (-8314); (-7127) -> (-8313); (-7126) -> (-8312); (-7125) -> (-8311); (-7124) -> (-8310); (-7123) -> (-8309); (-7122) -> (-8308); (-7121) -> (-8307); (-7120) -> (-8306); (-7119) -> (-8305); (-7118) -> (-8304); (-7117) -> (-8303); (-7116) -> (-8302); (-7115) -> (-8301); (-7114) -> (-8300); (-7113) -> (-8299); (-7112) -> (-8298); (-7111) -> (-8297); (-7110) -> (-8296); (-7109) -> (-8295); (-7108) -> (-8294); (-7107) -> (-8293); (-7106) -> (-8292); (-7105) -> (-8291); (-7104) -> (-8290); (-7103) -> (-8289); (-7102) -> (-8288); (-7101) -> (-8287); (-7100) -> (-8286); (-7099) -> (-8285); (-7098) -> (-8284); (-7097) -> (-8283); (-1774) -> (-2960); (-1773) -> (-2959); (-1772) -> (-2958); (-1771) -> (-2957); (-1770) -> (-2956); (-1769) -> (-2955); (-1768) -> (-2954); (-1189) -> (-2375); (-1188) -> (-2374); (-1187) -> (-2373); (-1186) -> (-2372); (-1185) -> (-2371); (-1) -> (-1187); 0 -> (-1186); 15 -> (-1171); 17 -> (-1169); 84 -> (-1102); 92 -> (-1094); 2956 -> 1770; 9948 -> 8762; 9949 -> 8763; _ -> (-8326)|] Normal RAC RHS evaluated for global `zero` at "WHY3DATA/stdlib/int.mlw", line 13, characters 15-19: 0 RHS evaluated for global `one` at "WHY3DATA/stdlib/int.mlw", line 14, characters 15-18: 1 Value from model for parameter `y` at "bench/check-ce/anonymous3.mlw", line 6, characters 7-8: (-1186) Result of checking model 1: NC - Concrete RAC: FAILURE (postcondition at "bench/check-ce/anonymous3.mlw", line 7, characters 12-22) File int.mlw: Line 13: Constant zero initialization zero = 0 Line 14: Constant one initialization one = 1 File anonymous3.mlw: Line 6: y = (-1186) y = (-1186) Execution of main function `g` with env: y = (-1186) zero = 0 one = 1 Line 8: Normal execution of function `f` with args: x = (-1186) Normal execution of function `(@)` with args: u = (fun y -> y + x) with x = (-1186) u = (-1186) Line 4: Normal execution of function `(+)` with args: _ = (-1186) _ = (-1186) Line 7: Property failure at postcondition of `g` with: y = (-1186) result = (-2372) - Abstract RAC: INCOMPLETE (terminated because Postcondition of `f` cannot be evaluated) Results: - Selected model 0: NC - Concrete RAC: FAILURE (postcondition at "bench/check-ce/anonymous3.mlw", line 7, characters 12-22) - Abstract RAC: INCOMPLETE (terminated because missing value for return value of call to f at "bench/check-ce/anonymous3.mlw", line 8, characters 2-5) - Checked model 1: NC - Concrete RAC: FAILURE (postcondition at "bench/check-ce/anonymous3.mlw", line 7, characters 12-22) - Abstract RAC: INCOMPLETE (terminated because Postcondition of `f` cannot be evaluated) File "bench/check-ce/anonymous3.mlw", line 7, characters 12-22: Sub-goal Postcondition of goal g'vc. Prover result is: Unknown (unknown) (2.27s, 7500000 steps). The program does not comply to the verification goal, for example during the following execution: File int.mlw: Line 13: Constant zero initialization zero = 0 Line 14: Constant one initialization one = 1 File anonymous3.mlw: Line 6: y = 0 y = 0 Execution of main function `g` with env: y = 0 zero = 0 one = 1 Line 8: Normal execution of function `f` with args: x = 0 Normal execution of function `(@)` with args: u = (fun y -> y + x) with x = 0 u = 0 Line 4: Normal execution of function `(+)` with args: _ = 0 _ = 0 Line 7: Property failure at postcondition of `g` with: y = 0 result = 0 why3-1.6.0/bench/check-ce/oracles/anonymous3_Z3,4.8.4_WP.oracle000066400000000000000000000667541440160026300235330ustar00rootroot00000000000000Check model 0 ("bench/check-ce/anonymous3.mlw", line 7, characters 12-22) Checking model: File anonymous3.mlw: Line 6: y = {"type": "Integer", "val": "0"} Line 7: y = {"type": "Integer", "val": "0"} Line 8: result = {"type": "Integer", "val": "1"} Giant-step RAC RHS evaluated for global `zero` at "WHY3DATA/stdlib/int.mlw", line 13, characters 15-19: 0 RHS evaluated for global `one` at "WHY3DATA/stdlib/int.mlw", line 14, characters 15-18: 1 Value from model for parameter `y` at "bench/check-ce/anonymous3.mlw", line 6, characters 7-8: 0 No value for return value of call to f at "bench/check-ce/anonymous3.mlw", line 8, characters 2-5 at "bench/check-ce/anonymous3.mlw", line 8, characters 2-5 Normal RAC RHS evaluated for global `zero` at "WHY3DATA/stdlib/int.mlw", line 13, characters 15-19: 0 RHS evaluated for global `one` at "WHY3DATA/stdlib/int.mlw", line 14, characters 15-18: 1 Value from model for parameter `y` at "bench/check-ce/anonymous3.mlw", line 6, characters 7-8: 0 Result of checking model 0: NC - Concrete RAC: FAILURE (postcondition at "bench/check-ce/anonymous3.mlw", line 7, characters 12-22) File int.mlw: Line 13: Constant zero initialization zero = 0 Line 14: Constant one initialization one = 1 File anonymous3.mlw: Line 6: y = 0 y = 0 Execution of main function `g` with env: y = 0 zero = 0 one = 1 Line 8: Normal execution of function `f` with args: x = 0 Normal execution of function `(@)` with args: u = (fun y -> y + x) with x = 0 u = 0 Line 4: Normal execution of function `(+)` with args: _ = 0 _ = 0 Line 7: Property failure at postcondition of `g` with: y = 0 result = 0 - Abstract RAC: INCOMPLETE (terminated because missing value for return value of call to f at "bench/check-ce/anonymous3.mlw", line 8, characters 2-5) Check model 1 ("bench/check-ce/anonymous3.mlw", line 7, characters 12-22) Checking model: File anonymous3.mlw: Line 6: y = {"type": "Integer", "val": "-1186"} Line 7: y = {"type": "Integer", "val": "-1186"} Line 8: result = {"type": "Integer", "val": "-2372"} result = {"type": "Array", "val": [{"indice": {"type": "Integer", "val": "-7173"}, "value": {"type": "Integer", "val": "-8359"}}, {"indice": {"type": "Integer", "val": "-7172"}, "value": {"type": "Integer", "val": "-8358"}}, {"indice": {"type": "Integer", "val": "-7171"}, "value": {"type": "Integer", "val": "-8357"}}, {"indice": {"type": "Integer", "val": "-7170"}, "value": {"type": "Integer", "val": "-8356"}}, {"indice": {"type": "Integer", "val": "-7169"}, "value": {"type": "Integer", "val": "-8355"}}, {"indice": {"type": "Integer", "val": "-7168"}, "value": {"type": "Integer", "val": "-8354"}}, {"indice": {"type": "Integer", "val": "-7167"}, "value": {"type": "Integer", "val": "-8353"}}, {"indice": {"type": "Integer", "val": "-7166"}, "value": {"type": "Integer", "val": "-8352"}}, {"indice": {"type": "Integer", "val": "-7165"}, "value": {"type": "Integer", "val": "-8351"}}, {"indice": {"type": "Integer", "val": "-7164"}, "value": {"type": "Integer", "val": "-8350"}}, {"indice": {"type": "Integer", "val": "-7163"}, "value": {"type": "Integer", "val": "-8349"}}, {"indice": {"type": "Integer", "val": "-7162"}, "value": {"type": "Integer", "val": "-8348"}}, {"indice": {"type": "Integer", "val": "-7161"}, "value": {"type": "Integer", "val": "-8347"}}, {"indice": {"type": "Integer", "val": "-7160"}, "value": {"type": "Integer", "val": "-8346"}}, {"indice": {"type": "Integer", "val": "-7159"}, "value": {"type": "Integer", "val": "-8345"}}, {"indice": {"type": "Integer", "val": "-7158"}, "value": {"type": "Integer", "val": "-8344"}}, {"indice": {"type": "Integer", "val": "-7157"}, "value": {"type": "Integer", "val": "-8343"}}, {"indice": {"type": "Integer", "val": "-7156"}, "value": {"type": "Integer", "val": "-8342"}}, {"indice": {"type": "Integer", "val": "-7155"}, "value": {"type": "Integer", "val": "-8341"}}, {"indice": {"type": "Integer", "val": "-7154"}, "value": {"type": "Integer", "val": "-8340"}}, {"indice": {"type": "Integer", "val": "-7153"}, "value": {"type": "Integer", "val": "-8339"}}, {"indice": {"type": "Integer", "val": "-7152"}, "value": {"type": "Integer", "val": "-8338"}}, {"indice": {"type": "Integer", "val": "-7151"}, "value": {"type": "Integer", "val": "-8337"}}, {"indice": {"type": "Integer", "val": "-7150"}, "value": {"type": "Integer", "val": "-8336"}}, {"indice": {"type": "Integer", "val": "-7149"}, "value": {"type": "Integer", "val": "-8335"}}, {"indice": {"type": "Integer", "val": "-7148"}, "value": {"type": "Integer", "val": "-8334"}}, {"indice": {"type": "Integer", "val": "-7147"}, "value": {"type": "Integer", "val": "-8333"}}, {"indice": {"type": "Integer", "val": "-7146"}, "value": {"type": "Integer", "val": "-8332"}}, {"indice": {"type": "Integer", "val": "-7145"}, "value": {"type": "Integer", "val": "-8331"}}, {"indice": {"type": "Integer", "val": "-7144"}, "value": {"type": "Integer", "val": "-8330"}}, {"indice": {"type": "Integer", "val": "-7143"}, "value": {"type": "Integer", "val": "-8329"}}, {"indice": {"type": "Integer", "val": "-7142"}, "value": {"type": "Integer", "val": "-8328"}}, {"indice": {"type": "Integer", "val": "-7141"}, "value": {"type": "Integer", "val": "-8327"}}, {"indice": {"type": "Integer", "val": "-7139"}, "value": {"type": "Integer", "val": "-8325"}}, {"indice": {"type": "Integer", "val": "-7138"}, "value": {"type": "Integer", "val": "-8324"}}, {"indice": {"type": "Integer", "val": "-7137"}, "value": {"type": "Integer", "val": "-8323"}}, {"indice": {"type": "Integer", "val": "-7136"}, "value": {"type": "Integer", "val": "-8322"}}, {"indice": {"type": "Integer", "val": "-7135"}, "value": {"type": "Integer", "val": "-8321"}}, {"indice": {"type": "Integer", "val": "-7134"}, "value": {"type": "Integer", "val": "-8320"}}, {"indice": {"type": "Integer", "val": "-7133"}, "value": {"type": "Integer", "val": "-8319"}}, {"indice": {"type": "Integer", "val": "-7132"}, "value": {"type": "Integer", "val": "-8318"}}, {"indice": {"type": "Integer", "val": "-7131"}, "value": {"type": "Integer", "val": "-8317"}}, {"indice": {"type": "Integer", "val": "-7130"}, "value": {"type": "Integer", "val": "-8316"}}, {"indice": {"type": "Integer", "val": "-7129"}, "value": {"type": "Integer", "val": "-8315"}}, {"indice": {"type": "Integer", "val": "-7128"}, "value": {"type": "Integer", "val": "-8314"}}, {"indice": {"type": "Integer", "val": "-7127"}, "value": {"type": "Integer", "val": "-8313"}}, {"indice": {"type": "Integer", "val": "-7126"}, "value": {"type": "Integer", "val": "-8312"}}, {"indice": {"type": "Integer", "val": "-7125"}, "value": {"type": "Integer", "val": "-8311"}}, {"indice": {"type": "Integer", "val": "-7124"}, "value": {"type": "Integer", "val": "-8310"}}, {"indice": {"type": "Integer", "val": "-7123"}, "value": {"type": "Integer", "val": "-8309"}}, {"indice": {"type": "Integer", "val": "-7122"}, "value": {"type": "Integer", "val": "-8308"}}, {"indice": {"type": "Integer", "val": "-7121"}, "value": {"type": "Integer", "val": "-8307"}}, {"indice": {"type": "Integer", "val": "-7120"}, "value": {"type": "Integer", "val": "-8306"}}, {"indice": {"type": "Integer", "val": "-7119"}, "value": {"type": "Integer", "val": "-8305"}}, {"indice": {"type": "Integer", "val": "-7118"}, "value": {"type": "Integer", "val": "-8304"}}, {"indice": {"type": "Integer", "val": "-7117"}, "value": {"type": "Integer", "val": "-8303"}}, {"indice": {"type": "Integer", "val": "-7116"}, "value": {"type": "Integer", "val": "-8302"}}, {"indice": {"type": "Integer", "val": "-7115"}, "value": {"type": "Integer", "val": "-8301"}}, {"indice": {"type": "Integer", "val": "-7114"}, "value": {"type": "Integer", "val": "-8300"}}, {"indice": {"type": "Integer", "val": "-7113"}, "value": {"type": "Integer", "val": "-8299"}}, {"indice": {"type": "Integer", "val": "-7112"}, "value": {"type": "Integer", "val": "-8298"}}, {"indice": {"type": "Integer", "val": "-7111"}, "value": {"type": "Integer", "val": "-8297"}}, {"indice": {"type": "Integer", "val": "-7110"}, "value": {"type": "Integer", "val": "-8296"}}, {"indice": {"type": "Integer", "val": "-7109"}, "value": {"type": "Integer", "val": "-8295"}}, {"indice": {"type": "Integer", "val": "-7108"}, "value": {"type": "Integer", "val": "-8294"}}, {"indice": {"type": "Integer", "val": "-7107"}, "value": {"type": "Integer", "val": "-8293"}}, {"indice": {"type": "Integer", "val": "-7106"}, "value": {"type": "Integer", "val": "-8292"}}, {"indice": {"type": "Integer", "val": "-7105"}, "value": {"type": "Integer", "val": "-8291"}}, {"indice": {"type": "Integer", "val": "-7104"}, "value": {"type": "Integer", "val": "-8290"}}, {"indice": {"type": "Integer", "val": "-7103"}, "value": {"type": "Integer", "val": "-8289"}}, {"indice": {"type": "Integer", "val": "-7102"}, "value": {"type": "Integer", "val": "-8288"}}, {"indice": {"type": "Integer", "val": "-7101"}, "value": {"type": "Integer", "val": "-8287"}}, {"indice": {"type": "Integer", "val": "-7100"}, "value": {"type": "Integer", "val": "-8286"}}, {"indice": {"type": "Integer", "val": "-7099"}, "value": {"type": "Integer", "val": "-8285"}}, {"indice": {"type": "Integer", "val": "-7098"}, "value": {"type": "Integer", "val": "-8284"}}, {"indice": {"type": "Integer", "val": "-7097"}, "value": {"type": "Integer", "val": "-8283"}}, {"indice": {"type": "Integer", "val": "-1774"}, "value": {"type": "Integer", "val": "-2960"}}, {"indice": {"type": "Integer", "val": "-1773"}, "value": {"type": "Integer", "val": "-2959"}}, {"indice": {"type": "Integer", "val": "-1772"}, "value": {"type": "Integer", "val": "-2958"}}, {"indice": {"type": "Integer", "val": "-1771"}, "value": {"type": "Integer", "val": "-2957"}}, {"indice": {"type": "Integer", "val": "-1770"}, "value": {"type": "Integer", "val": "-2956"}}, {"indice": {"type": "Integer", "val": "-1769"}, "value": {"type": "Integer", "val": "-2955"}}, {"indice": {"type": "Integer", "val": "-1768"}, "value": {"type": "Integer", "val": "-2954"}}, {"indice": {"type": "Integer", "val": "-1189"}, "value": {"type": "Integer", "val": "-2375"}}, {"indice": {"type": "Integer", "val": "-1188"}, "value": {"type": "Integer", "val": "-2374"}}, {"indice": {"type": "Integer", "val": "-1187"}, "value": {"type": "Integer", "val": "-2373"}}, {"indice": {"type": "Integer", "val": "-1186"}, "value": {"type": "Integer", "val": "-2372"}}, {"indice": {"type": "Integer", "val": "-1185"}, "value": {"type": "Integer", "val": "-2371"}}, {"indice": {"type": "Integer", "val": "-1"}, "value": {"type": "Integer", "val": "-1187"}}, {"indice": {"type": "Integer", "val": "0"}, "value": {"type": "Integer", "val": "-1186"}}, {"indice": {"type": "Integer", "val": "15"}, "value": {"type": "Integer", "val": "-1171"}}, {"indice": {"type": "Integer", "val": "17"}, "value": {"type": "Integer", "val": "-1169"}}, {"indice": {"type": "Integer", "val": "84"}, "value": {"type": "Integer", "val": "-1102"}}, {"indice": {"type": "Integer", "val": "92"}, "value": {"type": "Integer", "val": "-1094"}}, {"indice": {"type": "Integer", "val": "2956"}, "value": {"type": "Integer", "val": "1770"}}, {"indice": {"type": "Integer", "val": "9948"}, "value": {"type": "Integer", "val": "8762"}}, {"indice": {"type": "Integer", "val": "9949"}, "value": {"type": "Integer", "val": "8763"}}, {"others": {"type": "Integer", "val": "-8326"}}]} Giant-step RAC RHS evaluated for global `zero` at "WHY3DATA/stdlib/int.mlw", line 13, characters 15-19: 0 RHS evaluated for global `one` at "WHY3DATA/stdlib/int.mlw", line 14, characters 15-18: 1 Value from model for parameter `y` at "bench/check-ce/anonymous3.mlw", line 6, characters 7-8: (-1186) Value from model for return value of call to f at "bench/check-ce/anonymous3.mlw", line 8, characters 2-5 at "bench/check-ce/anonymous3.mlw", line 8, characters 2-5: [| (-7173) -> (-8359); (-7172) -> (-8358); (-7171) -> (-8357); (-7170) -> (-8356); (-7169) -> (-8355); (-7168) -> (-8354); (-7167) -> (-8353); (-7166) -> (-8352); (-7165) -> (-8351); (-7164) -> (-8350); (-7163) -> (-8349); (-7162) -> (-8348); (-7161) -> (-8347); (-7160) -> (-8346); (-7159) -> (-8345); (-7158) -> (-8344); (-7157) -> (-8343); (-7156) -> (-8342); (-7155) -> (-8341); (-7154) -> (-8340); (-7153) -> (-8339); (-7152) -> (-8338); (-7151) -> (-8337); (-7150) -> (-8336); (-7149) -> (-8335); (-7148) -> (-8334); (-7147) -> (-8333); (-7146) -> (-8332); (-7145) -> (-8331); (-7144) -> (-8330); (-7143) -> (-8329); (-7142) -> (-8328); (-7141) -> (-8327); (-7139) -> (-8325); (-7138) -> (-8324); (-7137) -> (-8323); (-7136) -> (-8322); (-7135) -> (-8321); (-7134) -> (-8320); (-7133) -> (-8319); (-7132) -> (-8318); (-7131) -> (-8317); (-7130) -> (-8316); (-7129) -> (-8315); (-7128) -> (-8314); (-7127) -> (-8313); (-7126) -> (-8312); (-7125) -> (-8311); (-7124) -> (-8310); (-7123) -> (-8309); (-7122) -> (-8308); (-7121) -> (-8307); (-7120) -> (-8306); (-7119) -> (-8305); (-7118) -> (-8304); (-7117) -> (-8303); (-7116) -> (-8302); (-7115) -> (-8301); (-7114) -> (-8300); (-7113) -> (-8299); (-7112) -> (-8298); (-7111) -> (-8297); (-7110) -> (-8296); (-7109) -> (-8295); (-7108) -> (-8294); (-7107) -> (-8293); (-7106) -> (-8292); (-7105) -> (-8291); (-7104) -> (-8290); (-7103) -> (-8289); (-7102) -> (-8288); (-7101) -> (-8287); (-7100) -> (-8286); (-7099) -> (-8285); (-7098) -> (-8284); (-7097) -> (-8283); (-1774) -> (-2960); (-1773) -> (-2959); (-1772) -> (-2958); (-1771) -> (-2957); (-1770) -> (-2956); (-1769) -> (-2955); (-1768) -> (-2954); (-1189) -> (-2375); (-1188) -> (-2374); (-1187) -> (-2373); (-1186) -> (-2372); (-1185) -> (-2371); (-1) -> (-1187); 0 -> (-1186); 15 -> (-1171); 17 -> (-1169); 84 -> (-1102); 92 -> (-1094); 2956 -> 1770; 9948 -> 8762; 9949 -> 8763; _ -> (-8326)|] Normal RAC RHS evaluated for global `zero` at "WHY3DATA/stdlib/int.mlw", line 13, characters 15-19: 0 RHS evaluated for global `one` at "WHY3DATA/stdlib/int.mlw", line 14, characters 15-18: 1 Value from model for parameter `y` at "bench/check-ce/anonymous3.mlw", line 6, characters 7-8: (-1186) Result of checking model 1: NC - Concrete RAC: FAILURE (postcondition at "bench/check-ce/anonymous3.mlw", line 7, characters 12-22) File int.mlw: Line 13: Constant zero initialization zero = 0 Line 14: Constant one initialization one = 1 File anonymous3.mlw: Line 6: y = (-1186) y = (-1186) Execution of main function `g` with env: y = (-1186) zero = 0 one = 1 Line 8: Normal execution of function `f` with args: x = (-1186) Normal execution of function `(@)` with args: u = (fun y -> y + x) with x = (-1186) u = (-1186) Line 4: Normal execution of function `(+)` with args: _ = (-1186) _ = (-1186) Line 7: Property failure at postcondition of `g` with: y = (-1186) result = (-2372) - Abstract RAC: INCOMPLETE (terminated because Postcondition of `f` cannot be evaluated) Results: - Selected model 0: NC - Concrete RAC: FAILURE (postcondition at "bench/check-ce/anonymous3.mlw", line 7, characters 12-22) - Abstract RAC: INCOMPLETE (terminated because missing value for return value of call to f at "bench/check-ce/anonymous3.mlw", line 8, characters 2-5) - Checked model 1: NC - Concrete RAC: FAILURE (postcondition at "bench/check-ce/anonymous3.mlw", line 7, characters 12-22) - Abstract RAC: INCOMPLETE (terminated because Postcondition of `f` cannot be evaluated) File "bench/check-ce/anonymous3.mlw", line 7, characters 12-22: Sub-goal Postcondition of goal g'vc. Prover result is: Unknown (unknown) (2.24s, 7500000 steps). The program does not comply to the verification goal, for example during the following execution: File int.mlw: Line 13: Constant zero initialization zero = 0 Line 14: Constant one initialization one = 1 File anonymous3.mlw: Line 6: y = 0 y = 0 Execution of main function `g` with env: y = 0 zero = 0 one = 1 Line 8: Normal execution of function `f` with args: x = 0 Normal execution of function `(@)` with args: u = (fun y -> y + x) with x = 0 u = 0 Line 4: Normal execution of function `(+)` with args: _ = 0 _ = 0 Line 7: Property failure at postcondition of `g` with: y = 0 result = 0 why3-1.6.0/bench/check-ce/oracles/anonymous4_CVC4,1.8_SP.oracle000066400000000000000000000013131440160026300235420ustar00rootroot00000000000000Categorizations of models: - Checked model 0: BAD_CE - Concrete RAC: STUCK (failure in assumption at "bench/check-ce/anonymous4.mlw", line 4, characters 35-40) - Abstract RAC: INCOMPLETE (terminated because Postcondition of `f` cannot be evaluated) - Selected model 1: BAD_CE - Concrete RAC: STUCK (failure in assumption at "bench/check-ce/anonymous4.mlw", line 4, characters 35-40) - Abstract RAC: INCOMPLETE (terminated because Postcondition of `f` cannot be evaluated) File "bench/check-ce/anonymous4.mlw", line 8, characters 13-23: Sub-goal Postcondition of goal g'vc. Prover result is: Unknown or time/memory/step limit. Sorry, we don't have a good counterexample for you :( why3-1.6.0/bench/check-ce/oracles/anonymous4_CVC4,1.8_WP.oracle000066400000000000000000000013131440160026300235460ustar00rootroot00000000000000Categorizations of models: - Checked model 0: BAD_CE - Concrete RAC: STUCK (failure in assumption at "bench/check-ce/anonymous4.mlw", line 4, characters 35-40) - Abstract RAC: INCOMPLETE (terminated because Postcondition of `f` cannot be evaluated) - Selected model 1: BAD_CE - Concrete RAC: STUCK (failure in assumption at "bench/check-ce/anonymous4.mlw", line 4, characters 35-40) - Abstract RAC: INCOMPLETE (terminated because Postcondition of `f` cannot be evaluated) File "bench/check-ce/anonymous4.mlw", line 8, characters 13-23: Sub-goal Postcondition of goal g'vc. Prover result is: Unknown or time/memory/step limit. Sorry, we don't have a good counterexample for you :( why3-1.6.0/bench/check-ce/oracles/anonymous4_CVC5,1.0.0_SP.oracle000066400000000000000000000013131440160026300236710ustar00rootroot00000000000000Categorizations of models: - Checked model 0: BAD_CE - Concrete RAC: STUCK (failure in assumption at "bench/check-ce/anonymous4.mlw", line 4, characters 35-40) - Abstract RAC: INCOMPLETE (terminated because Postcondition of `f` cannot be evaluated) - Selected model 1: BAD_CE - Concrete RAC: STUCK (failure in assumption at "bench/check-ce/anonymous4.mlw", line 4, characters 35-40) - Abstract RAC: INCOMPLETE (terminated because Postcondition of `f` cannot be evaluated) File "bench/check-ce/anonymous4.mlw", line 8, characters 13-23: Sub-goal Postcondition of goal g'vc. Prover result is: Unknown or time/memory/step limit. Sorry, we don't have a good counterexample for you :( why3-1.6.0/bench/check-ce/oracles/anonymous4_CVC5,1.0.0_WP.oracle000066400000000000000000000013131440160026300236750ustar00rootroot00000000000000Categorizations of models: - Checked model 0: BAD_CE - Concrete RAC: STUCK (failure in assumption at "bench/check-ce/anonymous4.mlw", line 4, characters 35-40) - Abstract RAC: INCOMPLETE (terminated because Postcondition of `f` cannot be evaluated) - Selected model 1: BAD_CE - Concrete RAC: STUCK (failure in assumption at "bench/check-ce/anonymous4.mlw", line 4, characters 35-40) - Abstract RAC: INCOMPLETE (terminated because Postcondition of `f` cannot be evaluated) File "bench/check-ce/anonymous4.mlw", line 8, characters 13-23: Sub-goal Postcondition of goal g'vc. Prover result is: Unknown or time/memory/step limit. Sorry, we don't have a good counterexample for you :( why3-1.6.0/bench/check-ce/oracles/anonymous4_Z3,4.8.10_SP.oracle000066400000000000000000000013741440160026300235700ustar00rootroot00000000000000Categorizations of models: - Selected model 0: BAD_CE - Concrete RAC: STUCK (failure in assumption at "bench/check-ce/anonymous4.mlw", line 4, characters 35-40) - Abstract RAC: STUCK (failure in postcondition of `f` at unknown location) - Checked model 1: BAD_CE - Concrete RAC: STUCK (failure in assumption at "bench/check-ce/anonymous4.mlw", line 4, characters 35-40) - Abstract RAC: INCOMPLETE (terminated because missing value for return value of call to f at "bench/check-ce/anonymous4.mlw", line 9, characters 2-5) File "bench/check-ce/anonymous4.mlw", line 8, characters 13-23: Sub-goal Postcondition of goal g'vc. Prover result is: Unknown or time/memory/step limit. Sorry, we don't have a good counterexample for you :( why3-1.6.0/bench/check-ce/oracles/anonymous4_Z3,4.8.10_WP.oracle000066400000000000000000000013741440160026300235740ustar00rootroot00000000000000Categorizations of models: - Selected model 0: BAD_CE - Concrete RAC: STUCK (failure in assumption at "bench/check-ce/anonymous4.mlw", line 4, characters 35-40) - Abstract RAC: STUCK (failure in postcondition of `f` at unknown location) - Checked model 1: BAD_CE - Concrete RAC: STUCK (failure in assumption at "bench/check-ce/anonymous4.mlw", line 4, characters 35-40) - Abstract RAC: INCOMPLETE (terminated because missing value for return value of call to f at "bench/check-ce/anonymous4.mlw", line 9, characters 2-5) File "bench/check-ce/anonymous4.mlw", line 8, characters 13-23: Sub-goal Postcondition of goal g'vc. Prover result is: Unknown or time/memory/step limit. Sorry, we don't have a good counterexample for you :( why3-1.6.0/bench/check-ce/oracles/anonymous4_Z3,4.8.4_SP.oracle000066400000000000000000000472741440160026300235240ustar00rootroot00000000000000Check model 0 ("bench/check-ce/anonymous4.mlw", line 8, characters 13-23) Checking model: File anonymous4.mlw: Line 6: y = {"type": "Integer", "val": "0"} Line 8: y = {"type": "Integer", "val": "0"} Line 9: result = {"type": "Integer", "val": "1"} Giant-step RAC RHS evaluated for global `zero` at "WHY3DATA/stdlib/int.mlw", line 13, characters 15-19: 0 RHS evaluated for global `one` at "WHY3DATA/stdlib/int.mlw", line 14, characters 15-18: 1 Value from model for parameter `y` at "bench/check-ce/anonymous4.mlw", line 6, characters 7-8: 0 No value for return value of call to f at "bench/check-ce/anonymous4.mlw", line 9, characters 2-5 at "bench/check-ce/anonymous4.mlw", line 9, characters 2-5 Normal RAC RHS evaluated for global `zero` at "WHY3DATA/stdlib/int.mlw", line 13, characters 15-19: 0 RHS evaluated for global `one` at "WHY3DATA/stdlib/int.mlw", line 14, characters 15-18: 1 Value from model for parameter `y` at "bench/check-ce/anonymous4.mlw", line 6, characters 7-8: 0 Result of checking model 0: BAD_CE - Concrete RAC: STUCK (failure in assumption at "bench/check-ce/anonymous4.mlw", line 4, characters 35-40) File int.mlw: Line 13: Constant zero initialization zero = 0 Line 14: Constant one initialization one = 1 File anonymous4.mlw: Line 6: y = 0 y = 0 Execution of main function `g` with env: y = 0 zero = 0 one = 1 Line 9: Normal execution of function `f` with args: x = 0 Normal execution of function `(@)` with args: u = (fun y -> assume { y > 0 }; y + x) with x = 0 u = 0 Line 4: Execution got stuck at assumption with: y = 0 - Abstract RAC: INCOMPLETE (terminated because missing value for return value of call to f at "bench/check-ce/anonymous4.mlw", line 9, characters 2-5) Check model 1 ("bench/check-ce/anonymous4.mlw", line 8, characters 13-23) Checking model: File anonymous4.mlw: Line 6: y = {"type": "Integer", "val": "0"} Line 8: y = {"type": "Integer", "val": "0"} Line 9: result = {"type": "Integer", "val": "0"} result = {"type": "Array", "val": [{"indice": {"type": "Integer", "val": "-61"}, "value": {"type": "Integer", "val": "-61"}}, {"indice": {"type": "Integer", "val": "-60"}, "value": {"type": "Integer", "val": "-60"}}, {"indice": {"type": "Integer", "val": "-59"}, "value": {"type": "Integer", "val": "-59"}}, {"indice": {"type": "Integer", "val": "-58"}, "value": {"type": "Integer", "val": "-58"}}, {"indice": {"type": "Integer", "val": "-57"}, "value": {"type": "Integer", "val": "-57"}}, {"indice": {"type": "Integer", "val": "-56"}, "value": {"type": "Integer", "val": "-56"}}, {"indice": {"type": "Integer", "val": "-55"}, "value": {"type": "Integer", "val": "-55"}}, {"indice": {"type": "Integer", "val": "-54"}, "value": {"type": "Integer", "val": "-54"}}, {"indice": {"type": "Integer", "val": "-53"}, "value": {"type": "Integer", "val": "-53"}}, {"indice": {"type": "Integer", "val": "-52"}, "value": {"type": "Integer", "val": "-52"}}, {"indice": {"type": "Integer", "val": "-51"}, "value": {"type": "Integer", "val": "-51"}}, {"indice": {"type": "Integer", "val": "-50"}, "value": {"type": "Integer", "val": "-50"}}, {"indice": {"type": "Integer", "val": "-49"}, "value": {"type": "Integer", "val": "-49"}}, {"indice": {"type": "Integer", "val": "-48"}, "value": {"type": "Integer", "val": "-48"}}, {"indice": {"type": "Integer", "val": "-47"}, "value": {"type": "Integer", "val": "-47"}}, {"indice": {"type": "Integer", "val": "-46"}, "value": {"type": "Integer", "val": "-46"}}, {"indice": {"type": "Integer", "val": "-45"}, "value": {"type": "Integer", "val": "-45"}}, {"indice": {"type": "Integer", "val": "-44"}, "value": {"type": "Integer", "val": "-44"}}, {"indice": {"type": "Integer", "val": "-43"}, "value": {"type": "Integer", "val": "-43"}}, {"indice": {"type": "Integer", "val": "-42"}, "value": {"type": "Integer", "val": "-42"}}, {"indice": {"type": "Integer", "val": "-41"}, "value": {"type": "Integer", "val": "-41"}}, {"indice": {"type": "Integer", "val": "-40"}, "value": {"type": "Integer", "val": "-40"}}, {"indice": {"type": "Integer", "val": "-39"}, "value": {"type": "Integer", "val": "-39"}}, {"indice": {"type": "Integer", "val": "-38"}, "value": {"type": "Integer", "val": "-38"}}, {"indice": {"type": "Integer", "val": "-37"}, "value": {"type": "Integer", "val": "-37"}}, {"indice": {"type": "Integer", "val": "-36"}, "value": {"type": "Integer", "val": "-36"}}, {"indice": {"type": "Integer", "val": "-35"}, "value": {"type": "Integer", "val": "-35"}}, {"indice": {"type": "Integer", "val": "-34"}, "value": {"type": "Integer", "val": "-34"}}, {"indice": {"type": "Integer", "val": "-33"}, "value": {"type": "Integer", "val": "-33"}}, {"indice": {"type": "Integer", "val": "-31"}, "value": {"type": "Integer", "val": "-31"}}, {"indice": {"type": "Integer", "val": "-30"}, "value": {"type": "Integer", "val": "-30"}}, {"indice": {"type": "Integer", "val": "-29"}, "value": {"type": "Integer", "val": "-29"}}, {"indice": {"type": "Integer", "val": "-28"}, "value": {"type": "Integer", "val": "-28"}}, {"indice": {"type": "Integer", "val": "-27"}, "value": {"type": "Integer", "val": "-27"}}, {"indice": {"type": "Integer", "val": "-26"}, "value": {"type": "Integer", "val": "-26"}}, {"indice": {"type": "Integer", "val": "-25"}, "value": {"type": "Integer", "val": "-25"}}, {"indice": {"type": "Integer", "val": "-24"}, "value": {"type": "Integer", "val": "-24"}}, {"indice": {"type": "Integer", "val": "-23"}, "value": {"type": "Integer", "val": "-23"}}, {"indice": {"type": "Integer", "val": "-22"}, "value": {"type": "Integer", "val": "-22"}}, {"indice": {"type": "Integer", "val": "-21"}, "value": {"type": "Integer", "val": "-21"}}, {"indice": {"type": "Integer", "val": "-20"}, "value": {"type": "Integer", "val": "-20"}}, {"indice": {"type": "Integer", "val": "-19"}, "value": {"type": "Integer", "val": "-19"}}, {"indice": {"type": "Integer", "val": "-18"}, "value": {"type": "Integer", "val": "-18"}}, {"indice": {"type": "Integer", "val": "-17"}, "value": {"type": "Integer", "val": "-17"}}, {"indice": {"type": "Integer", "val": "-16"}, "value": {"type": "Integer", "val": "-16"}}, {"indice": {"type": "Integer", "val": "-15"}, "value": {"type": "Integer", "val": "-15"}}, {"indice": {"type": "Integer", "val": "-14"}, "value": {"type": "Integer", "val": "-14"}}, {"indice": {"type": "Integer", "val": "-13"}, "value": {"type": "Integer", "val": "-13"}}, {"indice": {"type": "Integer", "val": "-12"}, "value": {"type": "Integer", "val": "-12"}}, {"indice": {"type": "Integer", "val": "-11"}, "value": {"type": "Integer", "val": "-11"}}, {"indice": {"type": "Integer", "val": "-10"}, "value": {"type": "Integer", "val": "-10"}}, {"indice": {"type": "Integer", "val": "-9"}, "value": {"type": "Integer", "val": "-9"}}, {"indice": {"type": "Integer", "val": "-8"}, "value": {"type": "Integer", "val": "-8"}}, {"indice": {"type": "Integer", "val": "-7"}, "value": {"type": "Integer", "val": "-7"}}, {"indice": {"type": "Integer", "val": "-6"}, "value": {"type": "Integer", "val": "-6"}}, {"indice": {"type": "Integer", "val": "-5"}, "value": {"type": "Integer", "val": "-5"}}, {"indice": {"type": "Integer", "val": "-4"}, "value": {"type": "Integer", "val": "-4"}}, {"indice": {"type": "Integer", "val": "-3"}, "value": {"type": "Integer", "val": "-3"}}, {"indice": {"type": "Integer", "val": "-2"}, "value": {"type": "Integer", "val": "-2"}}, {"indice": {"type": "Integer", "val": "-1"}, "value": {"type": "Integer", "val": "-1"}}, {"indice": {"type": "Integer", "val": "0"}, "value": {"type": "Integer", "val": "0"}}, {"indice": {"type": "Integer", "val": "1"}, "value": {"type": "Integer", "val": "1"}}, {"indice": {"type": "Integer", "val": "4"}, "value": {"type": "Integer", "val": "4"}}, {"indice": {"type": "Integer", "val": "5"}, "value": {"type": "Integer", "val": "5"}}, {"indice": {"type": "Integer", "val": "14"}, "value": {"type": "Integer", "val": "14"}}, {"indice": {"type": "Integer", "val": "15"}, "value": {"type": "Integer", "val": "15"}}, {"indice": {"type": "Integer", "val": "84"}, "value": {"type": "Integer", "val": "84"}}, {"indice": {"type": "Integer", "val": "6082"}, "value": {"type": "Integer", "val": "6082"}}, {"others": {"type": "Integer", "val": "-32"}}]} Giant-step RAC RHS evaluated for global `zero` at "WHY3DATA/stdlib/int.mlw", line 13, characters 15-19: 0 RHS evaluated for global `one` at "WHY3DATA/stdlib/int.mlw", line 14, characters 15-18: 1 Value from model for parameter `y` at "bench/check-ce/anonymous4.mlw", line 6, characters 7-8: 0 Value from model for return value of call to f at "bench/check-ce/anonymous4.mlw", line 9, characters 2-5 at "bench/check-ce/anonymous4.mlw", line 9, characters 2-5: [| (-61) -> (-61); (-60) -> (-60); (-59) -> (-59); (-58) -> (-58); (-57) -> (-57); (-56) -> (-56); (-55) -> (-55); (-54) -> (-54); (-53) -> (-53); (-52) -> (-52); (-51) -> (-51); (-50) -> (-50); (-49) -> (-49); (-48) -> (-48); (-47) -> (-47); (-46) -> (-46); (-45) -> (-45); (-44) -> (-44); (-43) -> (-43); (-42) -> (-42); (-41) -> (-41); (-40) -> (-40); (-39) -> (-39); (-38) -> (-38); (-37) -> (-37); (-36) -> (-36); (-35) -> (-35); (-34) -> (-34); (-33) -> (-33); (-31) -> (-31); (-30) -> (-30); (-29) -> (-29); (-28) -> (-28); (-27) -> (-27); (-26) -> (-26); (-25) -> (-25); (-24) -> (-24); (-23) -> (-23); (-22) -> (-22); (-21) -> (-21); (-20) -> (-20); (-19) -> (-19); (-18) -> (-18); (-17) -> (-17); (-16) -> (-16); (-15) -> (-15); (-14) -> (-14); (-13) -> (-13); (-12) -> (-12); (-11) -> (-11); (-10) -> (-10); (-9) -> (-9); (-8) -> (-8); (-7) -> (-7); (-6) -> (-6); (-5) -> (-5); (-4) -> (-4); (-3) -> (-3); (-2) -> (-2); (-1) -> (-1); 0 -> 0; 1 -> 1; 4 -> 4; 5 -> 5; 14 -> 14; 15 -> 15; 84 -> 84; 6082 -> 6082; _ -> (-32)|] Normal RAC RHS evaluated for global `zero` at "WHY3DATA/stdlib/int.mlw", line 13, characters 15-19: 0 RHS evaluated for global `one` at "WHY3DATA/stdlib/int.mlw", line 14, characters 15-18: 1 Value from model for parameter `y` at "bench/check-ce/anonymous4.mlw", line 6, characters 7-8: 0 Result of checking model 1: BAD_CE - Concrete RAC: STUCK (failure in assumption at "bench/check-ce/anonymous4.mlw", line 4, characters 35-40) File int.mlw: Line 13: Constant zero initialization zero = 0 Line 14: Constant one initialization one = 1 File anonymous4.mlw: Line 6: y = 0 y = 0 Execution of main function `g` with env: y = 0 zero = 0 one = 1 Line 9: Normal execution of function `f` with args: x = 0 Normal execution of function `(@)` with args: u = (fun y -> assume { y > 0 }; y + x) with x = 0 u = 0 Line 4: Execution got stuck at assumption with: y = 0 - Abstract RAC: INCOMPLETE (terminated because Postcondition of `f` cannot be evaluated) Results: - Checked model 0: BAD_CE - Concrete RAC: STUCK (failure in assumption at "bench/check-ce/anonymous4.mlw", line 4, characters 35-40) - Abstract RAC: INCOMPLETE (terminated because missing value for return value of call to f at "bench/check-ce/anonymous4.mlw", line 9, characters 2-5) - Selected model 1: BAD_CE - Concrete RAC: STUCK (failure in assumption at "bench/check-ce/anonymous4.mlw", line 4, characters 35-40) - Abstract RAC: INCOMPLETE (terminated because Postcondition of `f` cannot be evaluated) File "bench/check-ce/anonymous4.mlw", line 8, characters 13-23: Sub-goal Postcondition of goal g'vc. Prover result is: Unknown (unknown) (2.11s, 7500000 steps). Sorry, we don't have a good counterexample for you :( why3-1.6.0/bench/check-ce/oracles/anonymous4_Z3,4.8.4_WP.oracle000066400000000000000000000472741440160026300235300ustar00rootroot00000000000000Check model 0 ("bench/check-ce/anonymous4.mlw", line 8, characters 13-23) Checking model: File anonymous4.mlw: Line 6: y = {"type": "Integer", "val": "0"} Line 8: y = {"type": "Integer", "val": "0"} Line 9: result = {"type": "Integer", "val": "1"} Giant-step RAC RHS evaluated for global `zero` at "WHY3DATA/stdlib/int.mlw", line 13, characters 15-19: 0 RHS evaluated for global `one` at "WHY3DATA/stdlib/int.mlw", line 14, characters 15-18: 1 Value from model for parameter `y` at "bench/check-ce/anonymous4.mlw", line 6, characters 7-8: 0 No value for return value of call to f at "bench/check-ce/anonymous4.mlw", line 9, characters 2-5 at "bench/check-ce/anonymous4.mlw", line 9, characters 2-5 Normal RAC RHS evaluated for global `zero` at "WHY3DATA/stdlib/int.mlw", line 13, characters 15-19: 0 RHS evaluated for global `one` at "WHY3DATA/stdlib/int.mlw", line 14, characters 15-18: 1 Value from model for parameter `y` at "bench/check-ce/anonymous4.mlw", line 6, characters 7-8: 0 Result of checking model 0: BAD_CE - Concrete RAC: STUCK (failure in assumption at "bench/check-ce/anonymous4.mlw", line 4, characters 35-40) File int.mlw: Line 13: Constant zero initialization zero = 0 Line 14: Constant one initialization one = 1 File anonymous4.mlw: Line 6: y = 0 y = 0 Execution of main function `g` with env: y = 0 zero = 0 one = 1 Line 9: Normal execution of function `f` with args: x = 0 Normal execution of function `(@)` with args: u = (fun y -> assume { y > 0 }; y + x) with x = 0 u = 0 Line 4: Execution got stuck at assumption with: y = 0 - Abstract RAC: INCOMPLETE (terminated because missing value for return value of call to f at "bench/check-ce/anonymous4.mlw", line 9, characters 2-5) Check model 1 ("bench/check-ce/anonymous4.mlw", line 8, characters 13-23) Checking model: File anonymous4.mlw: Line 6: y = {"type": "Integer", "val": "0"} Line 8: y = {"type": "Integer", "val": "0"} Line 9: result = {"type": "Integer", "val": "0"} result = {"type": "Array", "val": [{"indice": {"type": "Integer", "val": "-61"}, "value": {"type": "Integer", "val": "-61"}}, {"indice": {"type": "Integer", "val": "-60"}, "value": {"type": "Integer", "val": "-60"}}, {"indice": {"type": "Integer", "val": "-59"}, "value": {"type": "Integer", "val": "-59"}}, {"indice": {"type": "Integer", "val": "-58"}, "value": {"type": "Integer", "val": "-58"}}, {"indice": {"type": "Integer", "val": "-57"}, "value": {"type": "Integer", "val": "-57"}}, {"indice": {"type": "Integer", "val": "-56"}, "value": {"type": "Integer", "val": "-56"}}, {"indice": {"type": "Integer", "val": "-55"}, "value": {"type": "Integer", "val": "-55"}}, {"indice": {"type": "Integer", "val": "-54"}, "value": {"type": "Integer", "val": "-54"}}, {"indice": {"type": "Integer", "val": "-53"}, "value": {"type": "Integer", "val": "-53"}}, {"indice": {"type": "Integer", "val": "-52"}, "value": {"type": "Integer", "val": "-52"}}, {"indice": {"type": "Integer", "val": "-51"}, "value": {"type": "Integer", "val": "-51"}}, {"indice": {"type": "Integer", "val": "-50"}, "value": {"type": "Integer", "val": "-50"}}, {"indice": {"type": "Integer", "val": "-49"}, "value": {"type": "Integer", "val": "-49"}}, {"indice": {"type": "Integer", "val": "-48"}, "value": {"type": "Integer", "val": "-48"}}, {"indice": {"type": "Integer", "val": "-47"}, "value": {"type": "Integer", "val": "-47"}}, {"indice": {"type": "Integer", "val": "-46"}, "value": {"type": "Integer", "val": "-46"}}, {"indice": {"type": "Integer", "val": "-45"}, "value": {"type": "Integer", "val": "-45"}}, {"indice": {"type": "Integer", "val": "-44"}, "value": {"type": "Integer", "val": "-44"}}, {"indice": {"type": "Integer", "val": "-43"}, "value": {"type": "Integer", "val": "-43"}}, {"indice": {"type": "Integer", "val": "-42"}, "value": {"type": "Integer", "val": "-42"}}, {"indice": {"type": "Integer", "val": "-41"}, "value": {"type": "Integer", "val": "-41"}}, {"indice": {"type": "Integer", "val": "-40"}, "value": {"type": "Integer", "val": "-40"}}, {"indice": {"type": "Integer", "val": "-39"}, "value": {"type": "Integer", "val": "-39"}}, {"indice": {"type": "Integer", "val": "-38"}, "value": {"type": "Integer", "val": "-38"}}, {"indice": {"type": "Integer", "val": "-37"}, "value": {"type": "Integer", "val": "-37"}}, {"indice": {"type": "Integer", "val": "-36"}, "value": {"type": "Integer", "val": "-36"}}, {"indice": {"type": "Integer", "val": "-35"}, "value": {"type": "Integer", "val": "-35"}}, {"indice": {"type": "Integer", "val": "-34"}, "value": {"type": "Integer", "val": "-34"}}, {"indice": {"type": "Integer", "val": "-33"}, "value": {"type": "Integer", "val": "-33"}}, {"indice": {"type": "Integer", "val": "-31"}, "value": {"type": "Integer", "val": "-31"}}, {"indice": {"type": "Integer", "val": "-30"}, "value": {"type": "Integer", "val": "-30"}}, {"indice": {"type": "Integer", "val": "-29"}, "value": {"type": "Integer", "val": "-29"}}, {"indice": {"type": "Integer", "val": "-28"}, "value": {"type": "Integer", "val": "-28"}}, {"indice": {"type": "Integer", "val": "-27"}, "value": {"type": "Integer", "val": "-27"}}, {"indice": {"type": "Integer", "val": "-26"}, "value": {"type": "Integer", "val": "-26"}}, {"indice": {"type": "Integer", "val": "-25"}, "value": {"type": "Integer", "val": "-25"}}, {"indice": {"type": "Integer", "val": "-24"}, "value": {"type": "Integer", "val": "-24"}}, {"indice": {"type": "Integer", "val": "-23"}, "value": {"type": "Integer", "val": "-23"}}, {"indice": {"type": "Integer", "val": "-22"}, "value": {"type": "Integer", "val": "-22"}}, {"indice": {"type": "Integer", "val": "-21"}, "value": {"type": "Integer", "val": "-21"}}, {"indice": {"type": "Integer", "val": "-20"}, "value": {"type": "Integer", "val": "-20"}}, {"indice": {"type": "Integer", "val": "-19"}, "value": {"type": "Integer", "val": "-19"}}, {"indice": {"type": "Integer", "val": "-18"}, "value": {"type": "Integer", "val": "-18"}}, {"indice": {"type": "Integer", "val": "-17"}, "value": {"type": "Integer", "val": "-17"}}, {"indice": {"type": "Integer", "val": "-16"}, "value": {"type": "Integer", "val": "-16"}}, {"indice": {"type": "Integer", "val": "-15"}, "value": {"type": "Integer", "val": "-15"}}, {"indice": {"type": "Integer", "val": "-14"}, "value": {"type": "Integer", "val": "-14"}}, {"indice": {"type": "Integer", "val": "-13"}, "value": {"type": "Integer", "val": "-13"}}, {"indice": {"type": "Integer", "val": "-12"}, "value": {"type": "Integer", "val": "-12"}}, {"indice": {"type": "Integer", "val": "-11"}, "value": {"type": "Integer", "val": "-11"}}, {"indice": {"type": "Integer", "val": "-10"}, "value": {"type": "Integer", "val": "-10"}}, {"indice": {"type": "Integer", "val": "-9"}, "value": {"type": "Integer", "val": "-9"}}, {"indice": {"type": "Integer", "val": "-8"}, "value": {"type": "Integer", "val": "-8"}}, {"indice": {"type": "Integer", "val": "-7"}, "value": {"type": "Integer", "val": "-7"}}, {"indice": {"type": "Integer", "val": "-6"}, "value": {"type": "Integer", "val": "-6"}}, {"indice": {"type": "Integer", "val": "-5"}, "value": {"type": "Integer", "val": "-5"}}, {"indice": {"type": "Integer", "val": "-4"}, "value": {"type": "Integer", "val": "-4"}}, {"indice": {"type": "Integer", "val": "-3"}, "value": {"type": "Integer", "val": "-3"}}, {"indice": {"type": "Integer", "val": "-2"}, "value": {"type": "Integer", "val": "-2"}}, {"indice": {"type": "Integer", "val": "-1"}, "value": {"type": "Integer", "val": "-1"}}, {"indice": {"type": "Integer", "val": "0"}, "value": {"type": "Integer", "val": "0"}}, {"indice": {"type": "Integer", "val": "1"}, "value": {"type": "Integer", "val": "1"}}, {"indice": {"type": "Integer", "val": "4"}, "value": {"type": "Integer", "val": "4"}}, {"indice": {"type": "Integer", "val": "5"}, "value": {"type": "Integer", "val": "5"}}, {"indice": {"type": "Integer", "val": "14"}, "value": {"type": "Integer", "val": "14"}}, {"indice": {"type": "Integer", "val": "15"}, "value": {"type": "Integer", "val": "15"}}, {"indice": {"type": "Integer", "val": "84"}, "value": {"type": "Integer", "val": "84"}}, {"indice": {"type": "Integer", "val": "6082"}, "value": {"type": "Integer", "val": "6082"}}, {"others": {"type": "Integer", "val": "-32"}}]} Giant-step RAC RHS evaluated for global `zero` at "WHY3DATA/stdlib/int.mlw", line 13, characters 15-19: 0 RHS evaluated for global `one` at "WHY3DATA/stdlib/int.mlw", line 14, characters 15-18: 1 Value from model for parameter `y` at "bench/check-ce/anonymous4.mlw", line 6, characters 7-8: 0 Value from model for return value of call to f at "bench/check-ce/anonymous4.mlw", line 9, characters 2-5 at "bench/check-ce/anonymous4.mlw", line 9, characters 2-5: [| (-61) -> (-61); (-60) -> (-60); (-59) -> (-59); (-58) -> (-58); (-57) -> (-57); (-56) -> (-56); (-55) -> (-55); (-54) -> (-54); (-53) -> (-53); (-52) -> (-52); (-51) -> (-51); (-50) -> (-50); (-49) -> (-49); (-48) -> (-48); (-47) -> (-47); (-46) -> (-46); (-45) -> (-45); (-44) -> (-44); (-43) -> (-43); (-42) -> (-42); (-41) -> (-41); (-40) -> (-40); (-39) -> (-39); (-38) -> (-38); (-37) -> (-37); (-36) -> (-36); (-35) -> (-35); (-34) -> (-34); (-33) -> (-33); (-31) -> (-31); (-30) -> (-30); (-29) -> (-29); (-28) -> (-28); (-27) -> (-27); (-26) -> (-26); (-25) -> (-25); (-24) -> (-24); (-23) -> (-23); (-22) -> (-22); (-21) -> (-21); (-20) -> (-20); (-19) -> (-19); (-18) -> (-18); (-17) -> (-17); (-16) -> (-16); (-15) -> (-15); (-14) -> (-14); (-13) -> (-13); (-12) -> (-12); (-11) -> (-11); (-10) -> (-10); (-9) -> (-9); (-8) -> (-8); (-7) -> (-7); (-6) -> (-6); (-5) -> (-5); (-4) -> (-4); (-3) -> (-3); (-2) -> (-2); (-1) -> (-1); 0 -> 0; 1 -> 1; 4 -> 4; 5 -> 5; 14 -> 14; 15 -> 15; 84 -> 84; 6082 -> 6082; _ -> (-32)|] Normal RAC RHS evaluated for global `zero` at "WHY3DATA/stdlib/int.mlw", line 13, characters 15-19: 0 RHS evaluated for global `one` at "WHY3DATA/stdlib/int.mlw", line 14, characters 15-18: 1 Value from model for parameter `y` at "bench/check-ce/anonymous4.mlw", line 6, characters 7-8: 0 Result of checking model 1: BAD_CE - Concrete RAC: STUCK (failure in assumption at "bench/check-ce/anonymous4.mlw", line 4, characters 35-40) File int.mlw: Line 13: Constant zero initialization zero = 0 Line 14: Constant one initialization one = 1 File anonymous4.mlw: Line 6: y = 0 y = 0 Execution of main function `g` with env: y = 0 zero = 0 one = 1 Line 9: Normal execution of function `f` with args: x = 0 Normal execution of function `(@)` with args: u = (fun y -> assume { y > 0 }; y + x) with x = 0 u = 0 Line 4: Execution got stuck at assumption with: y = 0 - Abstract RAC: INCOMPLETE (terminated because Postcondition of `f` cannot be evaluated) Results: - Checked model 0: BAD_CE - Concrete RAC: STUCK (failure in assumption at "bench/check-ce/anonymous4.mlw", line 4, characters 35-40) - Abstract RAC: INCOMPLETE (terminated because missing value for return value of call to f at "bench/check-ce/anonymous4.mlw", line 9, characters 2-5) - Selected model 1: BAD_CE - Concrete RAC: STUCK (failure in assumption at "bench/check-ce/anonymous4.mlw", line 4, characters 35-40) - Abstract RAC: INCOMPLETE (terminated because Postcondition of `f` cannot be evaluated) File "bench/check-ce/anonymous4.mlw", line 8, characters 13-23: Sub-goal Postcondition of goal g'vc. Prover result is: Unknown (unknown) (2.12s, 7500000 steps). Sorry, we don't have a good counterexample for you :( why3-1.6.0/bench/check-ce/oracles/anonymous5_CVC4,1.8_SP.oracle000066400000000000000000000022301440160026300235420ustar00rootroot00000000000000Categorizations of models: - Checked model 0: INCOMPLETE - Concrete RAC: INCOMPLETE (terminated because many args for exec fun) - Abstract RAC: INCOMPLETE (terminated because Postcondition of `f` cannot be evaluated) - Selected model 1: INCOMPLETE - Concrete RAC: INCOMPLETE (terminated because many args for exec fun) - Abstract RAC: INCOMPLETE (terminated because Postcondition of `f` cannot be evaluated) File "bench/check-ce/anonymous5.mlw", line 7, characters 12-22: Sub-goal Postcondition of goal g'vc. Prover result is: Unknown or time/memory/step limit. The following counterexample model could not be verified (concrete RAC terminated because many args for exec fun, abstract RAC terminated because Postcondition of `f` cannot be evaluated): File anonymous5.mlw: Line 6: y : int = 0 Line 7: result : int = 0 result : int = 0 y : int = 0 Line 8: result of call at line 8, characters 2-9 : int = 0 result of call at line 8, characters 2-7 : int -> int = [|_ => 0|] result of call at line 8, characters 2-5 : int -> int -> int = [|_ => [|_ => 0|]|] result : int = 0 why3-1.6.0/bench/check-ce/oracles/anonymous5_CVC4,1.8_WP.oracle000066400000000000000000000022301440160026300235460ustar00rootroot00000000000000Categorizations of models: - Checked model 0: INCOMPLETE - Concrete RAC: INCOMPLETE (terminated because many args for exec fun) - Abstract RAC: INCOMPLETE (terminated because Postcondition of `f` cannot be evaluated) - Selected model 1: INCOMPLETE - Concrete RAC: INCOMPLETE (terminated because many args for exec fun) - Abstract RAC: INCOMPLETE (terminated because Postcondition of `f` cannot be evaluated) File "bench/check-ce/anonymous5.mlw", line 7, characters 12-22: Sub-goal Postcondition of goal g'vc. Prover result is: Unknown or time/memory/step limit. The following counterexample model could not be verified (concrete RAC terminated because many args for exec fun, abstract RAC terminated because Postcondition of `f` cannot be evaluated): File anonymous5.mlw: Line 6: y : int = 0 Line 7: result : int = 0 result : int = 0 y : int = 0 Line 8: result of call at line 8, characters 2-9 : int = 0 result of call at line 8, characters 2-7 : int -> int = [|_ => 0|] result of call at line 8, characters 2-5 : int -> int -> int = [|_ => [|_ => 0|]|] result : int = 0 why3-1.6.0/bench/check-ce/oracles/anonymous5_CVC5,1.0.0_SP.oracle000066400000000000000000000022301440160026300236710ustar00rootroot00000000000000Categorizations of models: - Checked model 0: INCOMPLETE - Concrete RAC: INCOMPLETE (terminated because many args for exec fun) - Abstract RAC: INCOMPLETE (terminated because Postcondition of `f` cannot be evaluated) - Selected model 1: INCOMPLETE - Concrete RAC: INCOMPLETE (terminated because many args for exec fun) - Abstract RAC: INCOMPLETE (terminated because Postcondition of `f` cannot be evaluated) File "bench/check-ce/anonymous5.mlw", line 7, characters 12-22: Sub-goal Postcondition of goal g'vc. Prover result is: Unknown or time/memory/step limit. The following counterexample model could not be verified (concrete RAC terminated because many args for exec fun, abstract RAC terminated because Postcondition of `f` cannot be evaluated): File anonymous5.mlw: Line 6: y : int = 0 Line 7: result : int = 0 result : int = 0 y : int = 0 Line 8: result of call at line 8, characters 2-9 : int = 0 result of call at line 8, characters 2-7 : int -> int = [|_ => 0|] result of call at line 8, characters 2-5 : int -> int -> int = [|_ => [|_ => 0|]|] result : int = 0 why3-1.6.0/bench/check-ce/oracles/anonymous5_CVC5,1.0.0_WP.oracle000066400000000000000000000022301440160026300236750ustar00rootroot00000000000000Categorizations of models: - Checked model 0: INCOMPLETE - Concrete RAC: INCOMPLETE (terminated because many args for exec fun) - Abstract RAC: INCOMPLETE (terminated because Postcondition of `f` cannot be evaluated) - Selected model 1: INCOMPLETE - Concrete RAC: INCOMPLETE (terminated because many args for exec fun) - Abstract RAC: INCOMPLETE (terminated because Postcondition of `f` cannot be evaluated) File "bench/check-ce/anonymous5.mlw", line 7, characters 12-22: Sub-goal Postcondition of goal g'vc. Prover result is: Unknown or time/memory/step limit. The following counterexample model could not be verified (concrete RAC terminated because many args for exec fun, abstract RAC terminated because Postcondition of `f` cannot be evaluated): File anonymous5.mlw: Line 6: y : int = 0 Line 7: result : int = 0 result : int = 0 y : int = 0 Line 8: result of call at line 8, characters 2-9 : int = 0 result of call at line 8, characters 2-7 : int -> int = [|_ => 0|] result of call at line 8, characters 2-5 : int -> int -> int = [|_ => [|_ => 0|]|] result : int = 0 why3-1.6.0/bench/check-ce/oracles/anonymous5_Z3,4.8.10_SP.oracle000066400000000000000000000012701440160026300235640ustar00rootroot00000000000000Categorizations of models: - Selected model 0: BAD_CE - Concrete RAC: INCOMPLETE (terminated because many args for exec fun) - Abstract RAC: STUCK (failure in postcondition of `f` at unknown location) - Checked model 1: INCOMPLETE - Concrete RAC: INCOMPLETE (terminated because many args for exec fun) - Abstract RAC: INCOMPLETE (terminated because missing value for return value of call to f at "bench/check-ce/anonymous5.mlw", line 8, characters 2-5) File "bench/check-ce/anonymous5.mlw", line 7, characters 12-22: Sub-goal Postcondition of goal g'vc. Prover result is: Unknown or time/memory/step limit. Sorry, we don't have a good counterexample for you :( why3-1.6.0/bench/check-ce/oracles/anonymous5_Z3,4.8.10_WP.oracle000066400000000000000000000012701440160026300235700ustar00rootroot00000000000000Categorizations of models: - Selected model 0: BAD_CE - Concrete RAC: INCOMPLETE (terminated because many args for exec fun) - Abstract RAC: STUCK (failure in postcondition of `f` at unknown location) - Checked model 1: INCOMPLETE - Concrete RAC: INCOMPLETE (terminated because many args for exec fun) - Abstract RAC: INCOMPLETE (terminated because missing value for return value of call to f at "bench/check-ce/anonymous5.mlw", line 8, characters 2-5) File "bench/check-ce/anonymous5.mlw", line 7, characters 12-22: Sub-goal Postcondition of goal g'vc. Prover result is: Unknown or time/memory/step limit. Sorry, we don't have a good counterexample for you :( why3-1.6.0/bench/check-ce/oracles/anonymous5_Z3,4.8.4_SP.oracle000066400000000000000000002030231440160026300235070ustar00rootroot00000000000000Check model 0 ("bench/check-ce/anonymous5.mlw", line 7, characters 12-22) Checking model: File anonymous5.mlw: Line 6: y = {"type": "Integer", "val": "0"} Line 7: y = {"type": "Integer", "val": "0"} Line 8: result = {"type": "Integer", "val": "1"} Giant-step RAC RHS evaluated for global `zero` at "WHY3DATA/stdlib/int.mlw", line 13, characters 15-19: 0 RHS evaluated for global `one` at "WHY3DATA/stdlib/int.mlw", line 14, characters 15-18: 1 Value from model for parameter `y` at "bench/check-ce/anonymous5.mlw", line 6, characters 7-8: 0 No value for return value of call to f at "bench/check-ce/anonymous5.mlw", line 8, characters 2-5 at "bench/check-ce/anonymous5.mlw", line 8, characters 2-5 Normal RAC RHS evaluated for global `zero` at "WHY3DATA/stdlib/int.mlw", line 13, characters 15-19: 0 RHS evaluated for global `one` at "WHY3DATA/stdlib/int.mlw", line 14, characters 15-18: 1 Value from model for parameter `y` at "bench/check-ce/anonymous5.mlw", line 6, characters 7-8: 0 Result of checking model 0: INCOMPLETE - Concrete RAC: INCOMPLETE (terminated because many args for exec fun) - Abstract RAC: INCOMPLETE (terminated because missing value for return value of call to f at "bench/check-ce/anonymous5.mlw", line 8, characters 2-5) Check model 1 ("bench/check-ce/anonymous5.mlw", line 7, characters 12-22) Checking model: File anonymous5.mlw: Line 6: y = {"type": "Integer", "val": "-3941"} Line 7: y = {"type": "Integer", "val": "-3941"} Line 8: result = {"type": "Integer", "val": "-11823"} result = {"type": "Array", "val": [{"indice": {"type": "Integer", "val": "-88787"}, "value": {"type": "Array", "val": [{"others": {"type": "Integer", "val": "-134552"}}]}}, {"indice": {"type": "Integer", "val": "-88786"}, "value": {"type": "Array", "val": [{"others": {"type": "Integer", "val": "-96668"}}]}}, {"indice": {"type": "Integer", "val": "-88785"}, "value": {"type": "Array", "val": [{"others": {"type": "Integer", "val": "-134511"}}]}}, {"indice": {"type": "Integer", "val": "-88784"}, "value": {"type": "Array", "val": [{"others": {"type": "Integer", "val": "-181509"}}]}}, {"indice": {"type": "Integer", "val": "-41770"}, "value": {"type": "Array", "val": [{"indice": {"type": "Integer", "val": "-41770"}, "value": {"type": "Integer", "val": "-87481"}}, {"others": {"type": "Integer", "val": "-67747"}}]}}, {"indice": {"type": "Integer", "val": "-23254"}, "value": {"type": "Array", "val": [{"indice": {"type": "Integer", "val": "-23254"}, "value": {"type": "Integer", "val": "-50449"}}, {"indice": {"type": "Integer", "val": "-9702"}, "value": {"type": "Integer", "val": "-36897"}}, {"others": {"type": "Integer", "val": "-49231"}}]}}, {"indice": {"type": "Integer", "val": "-22023"}, "value": {"type": "Array", "val": [{"indice": {"type": "Integer", "val": "-22024"}, "value": {"type": "Integer", "val": "-47988"}}, {"indice": {"type": "Integer", "val": "-22022"}, "value": {"type": "Integer", "val": "-47986"}}, {"others": {"type": "Integer", "val": "-47987"}}]}}, {"indice": {"type": "Integer", "val": "-21857"}, "value": {"type": "Array", "val": [{"indice": {"type": "Integer", "val": "-9726"}, "value": {"type": "Integer", "val": "-35524"}}, {"indice": {"type": "Integer", "val": "-9725"}, "value": {"type": "Integer", "val": "-35523"}}, {"others": {"type": "Integer", "val": "-47655"}}]}}, {"indice": {"type": "Integer", "val": "-18162"}, "value": {"type": "Array", "val": [{"indice": {"type": "Integer", "val": "-23254"}, "value": {"type": "Integer", "val": "-45357"}}, {"others": {"type": "Integer", "val": "-40265"}}]}}, {"indice": {"type": "Integer", "val": "-13543"}, "value": {"type": "Array", "val": [{"others": {"type": "Integer", "val": "-31027"}}]}}, {"indice": {"type": "Integer", "val": "-9912"}, "value": {"type": "Array", "val": [{"others": {"type": "Integer", "val": "-23765"}}]}}, {"indice": {"type": "Integer", "val": "-7557"}, "value": {"type": "Array", "val": [{"others": {"type": "Integer", "val": "-19055"}}]}}, {"indice": {"type": "Integer", "val": "-3941"}, "value": {"type": "Array", "val": [{"indice": {"type": "Integer", "val": "-41850"}, "value": {"type": "Integer", "val": "-49732"}}, {"indice": {"type": "Integer", "val": "-41849"}, "value": {"type": "Integer", "val": "-49731"}}, {"indice": {"type": "Integer", "val": "-41848"}, "value": {"type": "Integer", "val": "-49730"}}, {"indice": {"type": "Integer", "val": "-41847"}, "value": {"type": "Integer", "val": "-49729"}}, {"indice": {"type": "Integer", "val": "-41846"}, "value": {"type": "Integer", "val": "-49728"}}, {"indice": {"type": "Integer", "val": "-41845"}, "value": {"type": "Integer", "val": "-49727"}}, {"indice": {"type": "Integer", "val": "-41844"}, "value": {"type": "Integer", "val": "-49726"}}, {"indice": {"type": "Integer", "val": "-41843"}, "value": {"type": "Integer", "val": "-49725"}}, {"indice": {"type": "Integer", "val": "-41842"}, "value": {"type": "Integer", "val": "-49724"}}, {"indice": {"type": "Integer", "val": "-41841"}, "value": {"type": "Integer", "val": "-49723"}}, {"indice": {"type": "Integer", "val": "-41840"}, "value": {"type": "Integer", "val": "-49722"}}, {"indice": {"type": "Integer", "val": "-41839"}, "value": {"type": "Integer", "val": "-49721"}}, {"indice": {"type": "Integer", "val": "-41838"}, "value": {"type": "Integer", "val": "-49720"}}, {"indice": {"type": "Integer", "val": "-41837"}, "value": {"type": "Integer", "val": "-49719"}}, {"indice": {"type": "Integer", "val": "-41836"}, "value": {"type": "Integer", "val": "-49718"}}, {"indice": {"type": "Integer", "val": "-41835"}, "value": {"type": "Integer", "val": "-49717"}}, {"indice": {"type": "Integer", "val": "-41834"}, "value": {"type": "Integer", "val": "-49716"}}, {"indice": {"type": "Integer", "val": "-41833"}, "value": {"type": "Integer", "val": "-49715"}}, {"indice": {"type": "Integer", "val": "-41832"}, "value": {"type": "Integer", "val": "-49714"}}, {"indice": {"type": "Integer", "val": "-41831"}, "value": {"type": "Integer", "val": "-49713"}}, {"indice": {"type": "Integer", "val": "-41830"}, "value": {"type": "Integer", "val": "-49712"}}, {"indice": {"type": "Integer", "val": "-41829"}, "value": {"type": "Integer", "val": "-49711"}}, {"indice": {"type": "Integer", "val": "-41828"}, "value": {"type": "Integer", "val": "-49710"}}, {"indice": {"type": "Integer", "val": "-41827"}, "value": {"type": "Integer", "val": "-49709"}}, {"indice": {"type": "Integer", "val": "-41826"}, "value": {"type": "Integer", "val": "-49708"}}, {"indice": {"type": "Integer", "val": "-41825"}, "value": {"type": "Integer", "val": "-49707"}}, {"indice": {"type": "Integer", "val": "-41824"}, "value": {"type": "Integer", "val": "-49706"}}, {"indice": {"type": "Integer", "val": "-41823"}, "value": {"type": "Integer", "val": "-49705"}}, {"indice": {"type": "Integer", "val": "-41822"}, "value": {"type": "Integer", "val": "-49704"}}, {"indice": {"type": "Integer", "val": "-41821"}, "value": {"type": "Integer", "val": "-49703"}}, {"indice": {"type": "Integer", "val": "-41820"}, "value": {"type": "Integer", "val": "-49702"}}, {"indice": {"type": "Integer", "val": "-41818"}, "value": {"type": "Integer", "val": "-49700"}}, {"indice": {"type": "Integer", "val": "-41817"}, "value": {"type": "Integer", "val": "-49699"}}, {"indice": {"type": "Integer", "val": "-41816"}, "value": {"type": "Integer", "val": "-49698"}}, {"indice": {"type": "Integer", "val": "-41815"}, "value": {"type": "Integer", "val": "-49697"}}, {"indice": {"type": "Integer", "val": "-41814"}, "value": {"type": "Integer", "val": "-49696"}}, {"indice": {"type": "Integer", "val": "-41813"}, "value": {"type": "Integer", "val": "-49695"}}, {"indice": {"type": "Integer", "val": "-41812"}, "value": {"type": "Integer", "val": "-49694"}}, {"indice": {"type": "Integer", "val": "-41811"}, "value": {"type": "Integer", "val": "-49693"}}, {"indice": {"type": "Integer", "val": "-41810"}, "value": {"type": "Integer", "val": "-49692"}}, {"indice": {"type": "Integer", "val": "-41809"}, "value": {"type": "Integer", "val": "-49691"}}, {"indice": {"type": "Integer", "val": "-41808"}, "value": {"type": "Integer", "val": "-49690"}}, {"indice": {"type": "Integer", "val": "-41807"}, "value": {"type": "Integer", "val": "-49689"}}, {"indice": {"type": "Integer", "val": "-41806"}, "value": {"type": "Integer", "val": "-49688"}}, {"indice": {"type": "Integer", "val": "-41805"}, "value": {"type": "Integer", "val": "-49687"}}, {"indice": {"type": "Integer", "val": "-41804"}, "value": {"type": "Integer", "val": "-49686"}}, {"indice": {"type": "Integer", "val": "-41803"}, "value": {"type": "Integer", "val": "-49685"}}, {"indice": {"type": "Integer", "val": "-41802"}, "value": {"type": "Integer", "val": "-49684"}}, {"indice": {"type": "Integer", "val": "-41801"}, "value": {"type": "Integer", "val": "-49683"}}, {"indice": {"type": "Integer", "val": "-41800"}, "value": {"type": "Integer", "val": "-49682"}}, {"indice": {"type": "Integer", "val": "-41799"}, "value": {"type": "Integer", "val": "-49681"}}, {"indice": {"type": "Integer", "val": "-41798"}, "value": {"type": "Integer", "val": "-49680"}}, {"indice": {"type": "Integer", "val": "-41797"}, "value": {"type": "Integer", "val": "-49679"}}, {"indice": {"type": "Integer", "val": "-41796"}, "value": {"type": "Integer", "val": "-49678"}}, {"indice": {"type": "Integer", "val": "-41795"}, "value": {"type": "Integer", "val": "-49677"}}, {"indice": {"type": "Integer", "val": "-41794"}, "value": {"type": "Integer", "val": "-49676"}}, {"indice": {"type": "Integer", "val": "-41793"}, "value": {"type": "Integer", "val": "-49675"}}, {"indice": {"type": "Integer", "val": "-41789"}, "value": {"type": "Integer", "val": "-49671"}}, {"indice": {"type": "Integer", "val": "-41775"}, "value": {"type": "Integer", "val": "-49657"}}, {"indice": {"type": "Integer", "val": "-22025"}, "value": {"type": "Integer", "val": "-29907"}}, {"indice": {"type": "Integer", "val": "-22024"}, "value": {"type": "Integer", "val": "-29906"}}, {"indice": {"type": "Integer", "val": "-22023"}, "value": {"type": "Integer", "val": "-29905"}}, {"indice": {"type": "Integer", "val": "-9704"}, "value": {"type": "Integer", "val": "-17586"}}, {"indice": {"type": "Integer", "val": "-9703"}, "value": {"type": "Integer", "val": "-17585"}}, {"indice": {"type": "Integer", "val": "-9702"}, "value": {"type": "Integer", "val": "-17584"}}, {"indice": {"type": "Integer", "val": "-9701"}, "value": {"type": "Integer", "val": "-17583"}}, {"indice": {"type": "Integer", "val": "-3941"}, "value": {"type": "Integer", "val": "-11823"}}, {"others": {"type": "Integer", "val": "-49701"}}]}}, {"indice": {"type": "Integer", "val": "-2714"}, "value": {"type": "Array", "val": [{"others": {"type": "Integer", "val": "-9369"}}]}}, {"indice": {"type": "Integer", "val": "5"}, "value": {"type": "Array", "val": [{"others": {"type": "Integer", "val": "-3931"}}]}}, {"indice": {"type": "Integer", "val": "15"}, "value": {"type": "Array", "val": [{"others": {"type": "Integer", "val": "-3911"}}]}}, {"indice": {"type": "Integer", "val": "84"}, "value": {"type": "Array", "val": [{"others": {"type": "Integer", "val": "-3773"}}]}}, {"indice": {"type": "Integer", "val": "1803"}, "value": {"type": "Array", "val": [{"others": {"type": "Integer", "val": "-335"}}]}}, {"indice": {"type": "Integer", "val": "3945"}, "value": {"type": "Array", "val": [{"others": {"type": "Integer", "val": "3949"}}]}}, {"indice": {"type": "Integer", "val": "4643"}, "value": {"type": "Array", "val": [{"indice": {"type": "Integer", "val": "-4635"}, "value": {"type": "Integer", "val": "-3933"}}, {"others": {"type": "Integer", "val": "-3932"}}]}}, {"indice": {"type": "Integer", "val": "8365"}, "value": {"type": "Array", "val": [{"indice": {"type": "Integer", "val": "-41798"}, "value": {"type": "Integer", "val": "-37374"}}, {"indice": {"type": "Integer", "val": "-41797"}, "value": {"type": "Integer", "val": "-37373"}}, {"indice": {"type": "Integer", "val": "-41796"}, "value": {"type": "Integer", "val": "-37372"}}, {"indice": {"type": "Integer", "val": "-41794"}, "value": {"type": "Integer", "val": "-37370"}}, {"indice": {"type": "Integer", "val": "-41793"}, "value": {"type": "Integer", "val": "-37369"}}, {"indice": {"type": "Integer", "val": "-41792"}, "value": {"type": "Integer", "val": "-37368"}}, {"indice": {"type": "Integer", "val": "-41791"}, "value": {"type": "Integer", "val": "-37367"}}, {"indice": {"type": "Integer", "val": "-41790"}, "value": {"type": "Integer", "val": "-37366"}}, {"indice": {"type": "Integer", "val": "-41789"}, "value": {"type": "Integer", "val": "-37365"}}, {"indice": {"type": "Integer", "val": "-41788"}, "value": {"type": "Integer", "val": "-37364"}}, {"indice": {"type": "Integer", "val": "-41787"}, "value": {"type": "Integer", "val": "-37363"}}, {"indice": {"type": "Integer", "val": "-41786"}, "value": {"type": "Integer", "val": "-37362"}}, {"indice": {"type": "Integer", "val": "-41785"}, "value": {"type": "Integer", "val": "-37361"}}, {"indice": {"type": "Integer", "val": "-41784"}, "value": {"type": "Integer", "val": "-37360"}}, {"indice": {"type": "Integer", "val": "-41783"}, "value": {"type": "Integer", "val": "-37359"}}, {"indice": {"type": "Integer", "val": "-41782"}, "value": {"type": "Integer", "val": "-37358"}}, {"indice": {"type": "Integer", "val": "-41781"}, "value": {"type": "Integer", "val": "-37357"}}, {"indice": {"type": "Integer", "val": "-41780"}, "value": {"type": "Integer", "val": "-37356"}}, {"indice": {"type": "Integer", "val": "-41779"}, "value": {"type": "Integer", "val": "-37355"}}, {"indice": {"type": "Integer", "val": "-41778"}, "value": {"type": "Integer", "val": "-37354"}}, {"indice": {"type": "Integer", "val": "-41777"}, "value": {"type": "Integer", "val": "-37353"}}, {"indice": {"type": "Integer", "val": "-41776"}, "value": {"type": "Integer", "val": "-37352"}}, {"indice": {"type": "Integer", "val": "-41775"}, "value": {"type": "Integer", "val": "-37351"}}, {"indice": {"type": "Integer", "val": "-41774"}, "value": {"type": "Integer", "val": "-37350"}}, {"indice": {"type": "Integer", "val": "-41773"}, "value": {"type": "Integer", "val": "-37349"}}, {"indice": {"type": "Integer", "val": "-41772"}, "value": {"type": "Integer", "val": "-37348"}}, {"indice": {"type": "Integer", "val": "-41771"}, "value": {"type": "Integer", "val": "-37347"}}, {"indice": {"type": "Integer", "val": "-41770"}, "value": {"type": "Integer", "val": "-37346"}}, {"indice": {"type": "Integer", "val": "-41769"}, "value": {"type": "Integer", "val": "-37345"}}, {"indice": {"type": "Integer", "val": "-23257"}, "value": {"type": "Integer", "val": "-18833"}}, {"indice": {"type": "Integer", "val": "-23256"}, "value": {"type": "Integer", "val": "-18832"}}, {"indice": {"type": "Integer", "val": "-23255"}, "value": {"type": "Integer", "val": "-18831"}}, {"indice": {"type": "Integer", "val": "-23254"}, "value": {"type": "Integer", "val": "-18830"}}, {"indice": {"type": "Integer", "val": "-23253"}, "value": {"type": "Integer", "val": "-18829"}}, {"indice": {"type": "Integer", "val": "-23252"}, "value": {"type": "Integer", "val": "-18828"}}, {"indice": {"type": "Integer", "val": "-22041"}, "value": {"type": "Integer", "val": "-17617"}}, {"indice": {"type": "Integer", "val": "-22040"}, "value": {"type": "Integer", "val": "-17616"}}, {"indice": {"type": "Integer", "val": "-22039"}, "value": {"type": "Integer", "val": "-17615"}}, {"indice": {"type": "Integer", "val": "-22038"}, "value": {"type": "Integer", "val": "-17614"}}, {"indice": {"type": "Integer", "val": "-22037"}, "value": {"type": "Integer", "val": "-17613"}}, {"indice": {"type": "Integer", "val": "-22036"}, "value": {"type": "Integer", "val": "-17612"}}, {"indice": {"type": "Integer", "val": "-22035"}, "value": {"type": "Integer", "val": "-17611"}}, {"indice": {"type": "Integer", "val": "-22034"}, "value": {"type": "Integer", "val": "-17610"}}, {"indice": {"type": "Integer", "val": "-22033"}, "value": {"type": "Integer", "val": "-17609"}}, {"indice": {"type": "Integer", "val": "-22032"}, "value": {"type": "Integer", "val": "-17608"}}, {"indice": {"type": "Integer", "val": "-22031"}, "value": {"type": "Integer", "val": "-17607"}}, {"indice": {"type": "Integer", "val": "-22030"}, "value": {"type": "Integer", "val": "-17606"}}, {"indice": {"type": "Integer", "val": "-22029"}, "value": {"type": "Integer", "val": "-17605"}}, {"indice": {"type": "Integer", "val": "-22028"}, "value": {"type": "Integer", "val": "-17604"}}, {"indice": {"type": "Integer", "val": "-22027"}, "value": {"type": "Integer", "val": "-17603"}}, {"indice": {"type": "Integer", "val": "-22026"}, "value": {"type": "Integer", "val": "-17602"}}, {"indice": {"type": "Integer", "val": "-22025"}, "value": {"type": "Integer", "val": "-17601"}}, {"indice": {"type": "Integer", "val": "-22024"}, "value": {"type": "Integer", "val": "-17600"}}, {"indice": {"type": "Integer", "val": "-22023"}, "value": {"type": "Integer", "val": "-17599"}}, {"indice": {"type": "Integer", "val": "-22022"}, "value": {"type": "Integer", "val": "-17598"}}, {"indice": {"type": "Integer", "val": "-22021"}, "value": {"type": "Integer", "val": "-17597"}}, {"indice": {"type": "Integer", "val": "-22020"}, "value": {"type": "Integer", "val": "-17596"}}, {"indice": {"type": "Integer", "val": "-22019"}, "value": {"type": "Integer", "val": "-17595"}}, {"indice": {"type": "Integer", "val": "-22018"}, "value": {"type": "Integer", "val": "-17594"}}, {"indice": {"type": "Integer", "val": "-22017"}, "value": {"type": "Integer", "val": "-17593"}}, {"indice": {"type": "Integer", "val": "-22016"}, "value": {"type": "Integer", "val": "-17592"}}, {"indice": {"type": "Integer", "val": "-22015"}, "value": {"type": "Integer", "val": "-17591"}}, {"indice": {"type": "Integer", "val": "-22014"}, "value": {"type": "Integer", "val": "-17590"}}, {"indice": {"type": "Integer", "val": "-22013"}, "value": {"type": "Integer", "val": "-17589"}}, {"indice": {"type": "Integer", "val": "-22012"}, "value": {"type": "Integer", "val": "-17588"}}, {"indice": {"type": "Integer", "val": "-22011"}, "value": {"type": "Integer", "val": "-17587"}}, {"indice": {"type": "Integer", "val": "-9734"}, "value": {"type": "Integer", "val": "-5310"}}, {"indice": {"type": "Integer", "val": "-9733"}, "value": {"type": "Integer", "val": "-5309"}}, {"indice": {"type": "Integer", "val": "-9732"}, "value": {"type": "Integer", "val": "-5308"}}, {"indice": {"type": "Integer", "val": "-9731"}, "value": {"type": "Integer", "val": "-5307"}}, {"indice": {"type": "Integer", "val": "-9730"}, "value": {"type": "Integer", "val": "-5306"}}, {"indice": {"type": "Integer", "val": "-9729"}, "value": {"type": "Integer", "val": "-5305"}}, {"indice": {"type": "Integer", "val": "-9728"}, "value": {"type": "Integer", "val": "-5304"}}, {"indice": {"type": "Integer", "val": "-9727"}, "value": {"type": "Integer", "val": "-5303"}}, {"indice": {"type": "Integer", "val": "-9726"}, "value": {"type": "Integer", "val": "-5302"}}, {"indice": {"type": "Integer", "val": "-9725"}, "value": {"type": "Integer", "val": "-5301"}}, {"indice": {"type": "Integer", "val": "-9724"}, "value": {"type": "Integer", "val": "-5300"}}, {"indice": {"type": "Integer", "val": "-9723"}, "value": {"type": "Integer", "val": "-5299"}}, {"indice": {"type": "Integer", "val": "-9722"}, "value": {"type": "Integer", "val": "-5298"}}, {"indice": {"type": "Integer", "val": "-9721"}, "value": {"type": "Integer", "val": "-5297"}}, {"indice": {"type": "Integer", "val": "-9720"}, "value": {"type": "Integer", "val": "-5296"}}, {"indice": {"type": "Integer", "val": "-9719"}, "value": {"type": "Integer", "val": "-5295"}}, {"indice": {"type": "Integer", "val": "-9718"}, "value": {"type": "Integer", "val": "-5294"}}, {"indice": {"type": "Integer", "val": "-9717"}, "value": {"type": "Integer", "val": "-5293"}}, {"indice": {"type": "Integer", "val": "-9716"}, "value": {"type": "Integer", "val": "-5292"}}, {"indice": {"type": "Integer", "val": "-9715"}, "value": {"type": "Integer", "val": "-5291"}}, {"indice": {"type": "Integer", "val": "-9714"}, "value": {"type": "Integer", "val": "-5290"}}, {"indice": {"type": "Integer", "val": "-9713"}, "value": {"type": "Integer", "val": "-5289"}}, {"indice": {"type": "Integer", "val": "-9712"}, "value": {"type": "Integer", "val": "-5288"}}, {"indice": {"type": "Integer", "val": "-9711"}, "value": {"type": "Integer", "val": "-5287"}}, {"indice": {"type": "Integer", "val": "-9710"}, "value": {"type": "Integer", "val": "-5286"}}, {"indice": {"type": "Integer", "val": "-9709"}, "value": {"type": "Integer", "val": "-5285"}}, {"indice": {"type": "Integer", "val": "-9708"}, "value": {"type": "Integer", "val": "-5284"}}, {"indice": {"type": "Integer", "val": "-9707"}, "value": {"type": "Integer", "val": "-5283"}}, {"indice": {"type": "Integer", "val": "-9706"}, "value": {"type": "Integer", "val": "-5282"}}, {"indice": {"type": "Integer", "val": "-9705"}, "value": {"type": "Integer", "val": "-5281"}}, {"indice": {"type": "Integer", "val": "-9704"}, "value": {"type": "Integer", "val": "-5280"}}, {"indice": {"type": "Integer", "val": "-9703"}, "value": {"type": "Integer", "val": "-5279"}}, {"indice": {"type": "Integer", "val": "-3941"}, "value": {"type": "Integer", "val": "483"}}, {"indice": {"type": "Integer", "val": "6737"}, "value": {"type": "Integer", "val": "11161"}}, {"others": {"type": "Integer", "val": "-37371"}}]}}, {"indice": {"type": "Integer", "val": "22037"}, "value": {"type": "Array", "val": [{"indice": {"type": "Integer", "val": "-22037"}, "value": {"type": "Integer", "val": "-3941"}}, {"indice": {"type": "Integer", "val": "-22036"}, "value": {"type": "Integer", "val": "-3940"}}, {"indice": {"type": "Integer", "val": "-22035"}, "value": {"type": "Integer", "val": "-3939"}}, {"indice": {"type": "Integer", "val": "-22033"}, "value": {"type": "Integer", "val": "-3937"}}, {"indice": {"type": "Integer", "val": "-22032"}, "value": {"type": "Integer", "val": "-3936"}}, {"indice": {"type": "Integer", "val": "-22031"}, "value": {"type": "Integer", "val": "-3935"}}, {"indice": {"type": "Integer", "val": "-22030"}, "value": {"type": "Integer", "val": "-3934"}}, {"indice": {"type": "Integer", "val": "-22029"}, "value": {"type": "Integer", "val": "-3933"}}, {"indice": {"type": "Integer", "val": "-22028"}, "value": {"type": "Integer", "val": "-3932"}}, {"indice": {"type": "Integer", "val": "-22027"}, "value": {"type": "Integer", "val": "-3931"}}, {"indice": {"type": "Integer", "val": "-22026"}, "value": {"type": "Integer", "val": "-3930"}}, {"others": {"type": "Integer", "val": "-3938"}}]}}, {"indice": {"type": "Integer", "val": "22044"}, "value": {"type": "Array", "val": [{"others": {"type": "Integer", "val": "-3932"}}]}}, {"indice": {"type": "Integer", "val": "22047"}, "value": {"type": "Array", "val": [{"others": {"type": "Integer", "val": "-3930"}}]}}, {"indice": {"type": "Integer", "val": "33189"}, "value": {"type": "Array", "val": [{"others": {"type": "Integer", "val": "62437"}}]}}, {"indice": {"type": "Integer", "val": "44046"}, "value": {"type": "Array", "val": [{"others": {"type": "Integer", "val": "18069"}}]}}, {"indice": {"type": "Integer", "val": "44047"}, "value": {"type": "Array", "val": [{"indice": {"type": "Integer", "val": "-4635"}, "value": {"type": "Integer", "val": "35471"}}, {"others": {"type": "Integer", "val": "84153"}}]}}, {"others": {"type": "Array", "val": [{"others": {"type": "Integer", "val": "-11499"}}]}}]} Giant-step RAC RHS evaluated for global `zero` at "WHY3DATA/stdlib/int.mlw", line 13, characters 15-19: 0 RHS evaluated for global `one` at "WHY3DATA/stdlib/int.mlw", line 14, characters 15-18: 1 Value from model for parameter `y` at "bench/check-ce/anonymous5.mlw", line 6, characters 7-8: (-3941) Value from model for return value of call to f at "bench/check-ce/anonymous5.mlw", line 8, characters 2-5 at "bench/check-ce/anonymous5.mlw", line 8, characters 2-5: [| (-88787) -> [|; _ -> (-134552)|]; (-88786) -> [|; _ -> (-96668)|]; (-88785) -> [|; _ -> (-134511)|]; (-88784) -> [|; _ -> (-181509)|]; (-41770) -> [| (-41770) -> (-87481); _ -> (-67747)|]; (-23254) -> [| (-23254) -> (-50449); (-9702) -> (-36897); _ -> (-49231)|]; (-22023) -> [| (-22024) -> (-47988); (-22022) -> (-47986); _ -> (-47987)|]; (-21857) -> [| (-9726) -> (-35524); (-9725) -> (-35523); _ -> (-47655)|]; (-18162) -> [| (-23254) -> (-45357); _ -> (-40265)|]; (-13543) -> [|; _ -> (-31027)|]; (-9912) -> [|; _ -> (-23765)|]; (-7557) -> [|; _ -> (-19055)|]; (-3941) -> [| (-41850) -> (-49732); (-41849) -> (-49731); (-41848) -> (-49730); (-41847) -> (-49729); (-41846) -> (-49728); (-41845) -> (-49727); (-41844) -> (-49726); (-41843) -> (-49725); (-41842) -> (-49724); (-41841) -> (-49723); (-41840) -> (-49722); (-41839) -> (-49721); (-41838) -> (-49720); (-41837) -> (-49719); (-41836) -> (-49718); (-41835) -> (-49717); (-41834) -> (-49716); (-41833) -> (-49715); (-41832) -> (-49714); (-41831) -> (-49713); (-41830) -> (-49712); (-41829) -> (-49711); (-41828) -> (-49710); (-41827) -> (-49709); (-41826) -> (-49708); (-41825) -> (-49707); (-41824) -> (-49706); (-41823) -> (-49705); (-41822) -> (-49704); (-41821) -> (-49703); (-41820) -> (-49702); (-41818) -> (-49700); (-41817) -> (-49699); (-41816) -> (-49698); (-41815) -> (-49697); (-41814) -> (-49696); (-41813) -> (-49695); (-41812) -> (-49694); (-41811) -> (-49693); (-41810) -> (-49692); (-41809) -> (-49691); (-41808) -> (-49690); (-41807) -> (-49689); (-41806) -> (-49688); (-41805) -> (-49687); (-41804) -> (-49686); (-41803) -> (-49685); (-41802) -> (-49684); (-41801) -> (-49683); (-41800) -> (-49682); (-41799) -> (-49681); (-41798) -> (-49680); (-41797) -> (-49679); (-41796) -> (-49678); (-41795) -> (-49677); (-41794) -> (-49676); (-41793) -> (-49675); (-41789) -> (-49671); (-41775) -> (-49657); (-22025) -> (-29907); (-22024) -> (-29906); (-22023) -> (-29905); (-9704) -> (-17586); (-9703) -> (-17585); (-9702) -> (-17584); (-9701) -> (-17583); (-3941) -> (-11823); _ -> (-49701)|]; (-2714) -> [|; _ -> (-9369)|]; 5 -> [|; _ -> (-3931)|]; 15 -> [|; _ -> (-3911)|]; 84 -> [|; _ -> (-3773)|]; 1803 -> [|; _ -> (-335)|]; 3945 -> [|; _ -> 3949|]; 4643 -> [| (-4635) -> (-3933); _ -> (-3932)|]; 8365 -> [| (-41798) -> (-37374); (-41797) -> (-37373); (-41796) -> (-37372); (-41794) -> (-37370); (-41793) -> (-37369); (-41792) -> (-37368); (-41791) -> (-37367); (-41790) -> (-37366); (-41789) -> (-37365); (-41788) -> (-37364); (-41787) -> (-37363); (-41786) -> (-37362); (-41785) -> (-37361); (-41784) -> (-37360); (-41783) -> (-37359); (-41782) -> (-37358); (-41781) -> (-37357); (-41780) -> (-37356); (-41779) -> (-37355); (-41778) -> (-37354); (-41777) -> (-37353); (-41776) -> (-37352); (-41775) -> (-37351); (-41774) -> (-37350); (-41773) -> (-37349); (-41772) -> (-37348); (-41771) -> (-37347); (-41770) -> (-37346); (-41769) -> (-37345); (-23257) -> (-18833); (-23256) -> (-18832); (-23255) -> (-18831); (-23254) -> (-18830); (-23253) -> (-18829); (-23252) -> (-18828); (-22041) -> (-17617); (-22040) -> (-17616); (-22039) -> (-17615); (-22038) -> (-17614); (-22037) -> (-17613); (-22036) -> (-17612); (-22035) -> (-17611); (-22034) -> (-17610); (-22033) -> (-17609); (-22032) -> (-17608); (-22031) -> (-17607); (-22030) -> (-17606); (-22029) -> (-17605); (-22028) -> (-17604); (-22027) -> (-17603); (-22026) -> (-17602); (-22025) -> (-17601); (-22024) -> (-17600); (-22023) -> (-17599); (-22022) -> (-17598); (-22021) -> (-17597); (-22020) -> (-17596); (-22019) -> (-17595); (-22018) -> (-17594); (-22017) -> (-17593); (-22016) -> (-17592); (-22015) -> (-17591); (-22014) -> (-17590); (-22013) -> (-17589); (-22012) -> (-17588); (-22011) -> (-17587); (-9734) -> (-5310); (-9733) -> (-5309); (-9732) -> (-5308); (-9731) -> (-5307); (-9730) -> (-5306); (-9729) -> (-5305); (-9728) -> (-5304); (-9727) -> (-5303); (-9726) -> (-5302); (-9725) -> (-5301); (-9724) -> (-5300); (-9723) -> (-5299); (-9722) -> (-5298); (-9721) -> (-5297); (-9720) -> (-5296); (-9719) -> (-5295); (-9718) -> (-5294); (-9717) -> (-5293); (-9716) -> (-5292); (-9715) -> (-5291); (-9714) -> (-5290); (-9713) -> (-5289); (-9712) -> (-5288); (-9711) -> (-5287); (-9710) -> (-5286); (-9709) -> (-5285); (-9708) -> (-5284); (-9707) -> (-5283); (-9706) -> (-5282); (-9705) -> (-5281); (-9704) -> (-5280); (-9703) -> (-5279); (-3941) -> 483; 6737 -> 11161; _ -> (-37371)|]; 22037 -> [| (-22037) -> (-3941); (-22036) -> (-3940); (-22035) -> (-3939); (-22033) -> (-3937); (-22032) -> (-3936); (-22031) -> (-3935); (-22030) -> (-3934); (-22029) -> (-3933); (-22028) -> (-3932); (-22027) -> (-3931); (-22026) -> (-3930); _ -> (-3938)|]; 22044 -> [|; _ -> (-3932)|]; 22047 -> [|; _ -> (-3930)|]; 33189 -> [|; _ -> 62437|]; 44046 -> [|; _ -> 18069|]; 44047 -> [| (-4635) -> 35471; _ -> 84153|]; _ -> [|; _ -> (-11499)|]|] Normal RAC RHS evaluated for global `zero` at "WHY3DATA/stdlib/int.mlw", line 13, characters 15-19: 0 RHS evaluated for global `one` at "WHY3DATA/stdlib/int.mlw", line 14, characters 15-18: 1 Value from model for parameter `y` at "bench/check-ce/anonymous5.mlw", line 6, characters 7-8: (-3941) Result of checking model 1: INCOMPLETE - Concrete RAC: INCOMPLETE (terminated because many args for exec fun) - Abstract RAC: INCOMPLETE (terminated because Postcondition of `f` cannot be evaluated) Results: - Checked model 0: INCOMPLETE - Concrete RAC: INCOMPLETE (terminated because many args for exec fun) - Abstract RAC: INCOMPLETE (terminated because missing value for return value of call to f at "bench/check-ce/anonymous5.mlw", line 8, characters 2-5) - Selected model 1: INCOMPLETE - Concrete RAC: INCOMPLETE (terminated because many args for exec fun) - Abstract RAC: INCOMPLETE (terminated because Postcondition of `f` cannot be evaluated) File "bench/check-ce/anonymous5.mlw", line 7, characters 12-22: Sub-goal Postcondition of goal g'vc. Prover result is: Unknown (unknown) (2.85s, 7500000 steps). The following counterexample model could not be verified (concrete RAC terminated because many args for exec fun, abstract RAC terminated because Postcondition of `f` cannot be evaluated): File anonymous5.mlw: Line 6: y = -3941 (-0XF65) Line 7: y = -3941 (-0XF65) Line 8: result = -11823 (-0X2E2F) result of call at line 8, characters 2-5 = (-88787 (-0X15AD3) => (others => -134552 (-0X20D98)), -88786 (-0X15AD2) => (others => -96668 (-0X1799C)), -88785 (-0X15AD1) => (others => -134511 (-0X20D6F)), -88784 (-0X15AD0) => (others => -181509 (-0X2C505)), -41770 (-0XA32A) => (-41770 (-0XA32A) => -87481 (-0X155B9), others => -67747 (-0X108A3)), -23254 (-0X5AD6) => (-23254 (-0X5AD6) => -50449 (-0XC511), -9702 (-0X25E6) => -36897 (-0X9021), others => -49231 (-0XC04F)), -22023 (-0X5607) => (-22024 (-0X5608) => -47988 (-0XBB74), -22022 (-0X5606) => -47986 (-0XBB72), others => -47987 (-0XBB73)), -21857 (-0X5561) => (-9726 (-0X25FE) => -35524 (-0X8AC4), -9725 (-0X25FD) => -35523 (-0X8AC3), others => -47655 (-0XBA27)), -18162 (-0X46F2) => (-23254 (-0X5AD6) => -45357 (-0XB12D), others => -40265 (-0X9D49)), -13543 (-0X34E7) => (others => -31027 (-0X7933)), -9912 (-0X26B8) => (others => -23765 (-0X5CD5)), -7557 (-0X1D85) => (others => -19055 (-0X4A6F)), -3941 (-0XF65) => (-41850 (-0XA37A) => -49732 (-0XC244), -41849 (-0XA379) => -49731 (-0XC243), -41848 (-0XA378) => -49730 (-0XC242), -41847 (-0XA377) => -49729 (-0XC241), -41846 (-0XA376) => -49728 (-0XC240), -41845 (-0XA375) => -49727 (-0XC23F), -41844 (-0XA374) => -49726 (-0XC23E), -41843 (-0XA373) => -49725 (-0XC23D), -41842 (-0XA372) => -49724 (-0XC23C), -41841 (-0XA371) => -49723 (-0XC23B), -41840 (-0XA370) => -49722 (-0XC23A), -41839 (-0XA36F) => -49721 (-0XC239), -41838 (-0XA36E) => -49720 (-0XC238), -41837 (-0XA36D) => -49719 (-0XC237), -41836 (-0XA36C) => -49718 (-0XC236), -41835 (-0XA36B) => -49717 (-0XC235), -41834 (-0XA36A) => -49716 (-0XC234), -41833 (-0XA369) => -49715 (-0XC233), -41832 (-0XA368) => -49714 (-0XC232), -41831 (-0XA367) => -49713 (-0XC231), -41830 (-0XA366) => -49712 (-0XC230), -41829 (-0XA365) => -49711 (-0XC22F), -41828 (-0XA364) => -49710 (-0XC22E), -41827 (-0XA363) => -49709 (-0XC22D), -41826 (-0XA362) => -49708 (-0XC22C), -41825 (-0XA361) => -49707 (-0XC22B), -41824 (-0XA360) => -49706 (-0XC22A), -41823 (-0XA35F) => -49705 (-0XC229), -41822 (-0XA35E) => -49704 (-0XC228), -41821 (-0XA35D) => -49703 (-0XC227), -41820 (-0XA35C) => -49702 (-0XC226), -41818 (-0XA35A) => -49700 (-0XC224), -41817 (-0XA359) => -49699 (-0XC223), -41816 (-0XA358) => -49698 (-0XC222), -41815 (-0XA357) => -49697 (-0XC221), -41814 (-0XA356) => -49696 (-0XC220), -41813 (-0XA355) => -49695 (-0XC21F), -41812 (-0XA354) => -49694 (-0XC21E), -41811 (-0XA353) => -49693 (-0XC21D), -41810 (-0XA352) => -49692 (-0XC21C), -41809 (-0XA351) => -49691 (-0XC21B), -41808 (-0XA350) => -49690 (-0XC21A), -41807 (-0XA34F) => -49689 (-0XC219), -41806 (-0XA34E) => -49688 (-0XC218), -41805 (-0XA34D) => -49687 (-0XC217), -41804 (-0XA34C) => -49686 (-0XC216), -41803 (-0XA34B) => -49685 (-0XC215), -41802 (-0XA34A) => -49684 (-0XC214), -41801 (-0XA349) => -49683 (-0XC213), -41800 (-0XA348) => -49682 (-0XC212), -41799 (-0XA347) => -49681 (-0XC211), -41798 (-0XA346) => -49680 (-0XC210), -41797 (-0XA345) => -49679 (-0XC20F), -41796 (-0XA344) => -49678 (-0XC20E), -41795 (-0XA343) => -49677 (-0XC20D), -41794 (-0XA342) => -49676 (-0XC20C), -41793 (-0XA341) => -49675 (-0XC20B), -41789 (-0XA33D) => -49671 (-0XC207), -41775 (-0XA32F) => -49657 (-0XC1F9), -22025 (-0X5609) => -29907 (-0X74D3), -22024 (-0X5608) => -29906 (-0X74D2), -22023 (-0X5607) => -29905 (-0X74D1), -9704 (-0X25E8) => -17586 (-0X44B2), -9703 (-0X25E7) => -17585 (-0X44B1), -9702 (-0X25E6) => -17584 (-0X44B0), -9701 (-0X25E5) => -17583 (-0X44AF), -3941 (-0XF65) => -11823 (-0X2E2F), others => -49701 (-0XC225)), -2714 (-0XA9A) => (others => -9369 (-0X2499)), 5 => (others => -3931 (-0XF5B)), 15 (0XF) => (others => -3911 (-0XF47)), 84 (0X54) => (others => -3773 (-0XEBD)), 1803 (0X70B) => (others => -335 (-0X14F)), 3945 (0XF69) => (others => 3949 (0XF6D)), 4643 (0X1223) => (-4635 (-0X121B) => -3933 (-0XF5D), others => -3932 (-0XF5C)), 8365 (0X20AD) => (-41798 (-0XA346) => -37374 (-0X91FE), -41797 (-0XA345) => -37373 (-0X91FD), -41796 (-0XA344) => -37372 (-0X91FC), -41794 (-0XA342) => -37370 (-0X91FA), -41793 (-0XA341) => -37369 (-0X91F9), -41792 (-0XA340) => -37368 (-0X91F8), -41791 (-0XA33F) => -37367 (-0X91F7), -41790 (-0XA33E) => -37366 (-0X91F6), -41789 (-0XA33D) => -37365 (-0X91F5), -41788 (-0XA33C) => -37364 (-0X91F4), -41787 (-0XA33B) => -37363 (-0X91F3), -41786 (-0XA33A) => -37362 (-0X91F2), -41785 (-0XA339) => -37361 (-0X91F1), -41784 (-0XA338) => -37360 (-0X91F0), -41783 (-0XA337) => -37359 (-0X91EF), -41782 (-0XA336) => -37358 (-0X91EE), -41781 (-0XA335) => -37357 (-0X91ED), -41780 (-0XA334) => -37356 (-0X91EC), -41779 (-0XA333) => -37355 (-0X91EB), -41778 (-0XA332) => -37354 (-0X91EA), -41777 (-0XA331) => -37353 (-0X91E9), -41776 (-0XA330) => -37352 (-0X91E8), -41775 (-0XA32F) => -37351 (-0X91E7), -41774 (-0XA32E) => -37350 (-0X91E6), -41773 (-0XA32D) => -37349 (-0X91E5), -41772 (-0XA32C) => -37348 (-0X91E4), -41771 (-0XA32B) => -37347 (-0X91E3), -41770 (-0XA32A) => -37346 (-0X91E2), -41769 (-0XA329) => -37345 (-0X91E1), -23257 (-0X5AD9) => -18833 (-0X4991), -23256 (-0X5AD8) => -18832 (-0X4990), -23255 (-0X5AD7) => -18831 (-0X498F), -23254 (-0X5AD6) => -18830 (-0X498E), -23253 (-0X5AD5) => -18829 (-0X498D), -23252 (-0X5AD4) => -18828 (-0X498C), -22041 (-0X5619) => -17617 (-0X44D1), -22040 (-0X5618) => -17616 (-0X44D0), -22039 (-0X5617) => -17615 (-0X44CF), -22038 (-0X5616) => -17614 (-0X44CE), -22037 (-0X5615) => -17613 (-0X44CD), -22036 (-0X5614) => -17612 (-0X44CC), -22035 (-0X5613) => -17611 (-0X44CB), -22034 (-0X5612) => -17610 (-0X44CA), -22033 (-0X5611) => -17609 (-0X44C9), -22032 (-0X5610) => -17608 (-0X44C8), -22031 (-0X560F) => -17607 (-0X44C7), -22030 (-0X560E) => -17606 (-0X44C6), -22029 (-0X560D) => -17605 (-0X44C5), -22028 (-0X560C) => -17604 (-0X44C4), -22027 (-0X560B) => -17603 (-0X44C3), -22026 (-0X560A) => -17602 (-0X44C2), -22025 (-0X5609) => -17601 (-0X44C1), -22024 (-0X5608) => -17600 (-0X44C0), -22023 (-0X5607) => -17599 (-0X44BF), -22022 (-0X5606) => -17598 (-0X44BE), -22021 (-0X5605) => -17597 (-0X44BD), -22020 (-0X5604) => -17596 (-0X44BC), -22019 (-0X5603) => -17595 (-0X44BB), -22018 (-0X5602) => -17594 (-0X44BA), -22017 (-0X5601) => -17593 (-0X44B9), -22016 (-0X5600) => -17592 (-0X44B8), -22015 (-0X55FF) => -17591 (-0X44B7), -22014 (-0X55FE) => -17590 (-0X44B6), -22013 (-0X55FD) => -17589 (-0X44B5), -22012 (-0X55FC) => -17588 (-0X44B4), -22011 (-0X55FB) => -17587 (-0X44B3), -9734 (-0X2606) => -5310 (-0X14BE), -9733 (-0X2605) => -5309 (-0X14BD), -9732 (-0X2604) => -5308 (-0X14BC), -9731 (-0X2603) => -5307 (-0X14BB), -9730 (-0X2602) => -5306 (-0X14BA), -9729 (-0X2601) => -5305 (-0X14B9), -9728 (-0X2600) => -5304 (-0X14B8), -9727 (-0X25FF) => -5303 (-0X14B7), -9726 (-0X25FE) => -5302 (-0X14B6), -9725 (-0X25FD) => -5301 (-0X14B5), -9724 (-0X25FC) => -5300 (-0X14B4), -9723 (-0X25FB) => -5299 (-0X14B3), -9722 (-0X25FA) => -5298 (-0X14B2), -9721 (-0X25F9) => -5297 (-0X14B1), -9720 (-0X25F8) => -5296 (-0X14B0), -9719 (-0X25F7) => -5295 (-0X14AF), -9718 (-0X25F6) => -5294 (-0X14AE), -9717 (-0X25F5) => -5293 (-0X14AD), -9716 (-0X25F4) => -5292 (-0X14AC), -9715 (-0X25F3) => -5291 (-0X14AB), -9714 (-0X25F2) => -5290 (-0X14AA), -9713 (-0X25F1) => -5289 (-0X14A9), -9712 (-0X25F0) => -5288 (-0X14A8), -9711 (-0X25EF) => -5287 (-0X14A7), -9710 (-0X25EE) => -5286 (-0X14A6), -9709 (-0X25ED) => -5285 (-0X14A5), -9708 (-0X25EC) => -5284 (-0X14A4), -9707 (-0X25EB) => -5283 (-0X14A3), -9706 (-0X25EA) => -5282 (-0X14A2), -9705 (-0X25E9) => -5281 (-0X14A1), -9704 (-0X25E8) => -5280 (-0X14A0), -9703 (-0X25E7) => -5279 (-0X149F), -3941 (-0XF65) => 483 (0X1E3), 6737 (0X1A51) => 11161 (0X2B99), others => -37371 (-0X91FB)), 22037 (0X5615) => (-22037 (-0X5615) => -3941 (-0XF65), -22036 (-0X5614) => -3940 (-0XF64), -22035 (-0X5613) => -3939 (-0XF63), -22033 (-0X5611) => -3937 (-0XF61), -22032 (-0X5610) => -3936 (-0XF60), -22031 (-0X560F) => -3935 (-0XF5F), -22030 (-0X560E) => -3934 (-0XF5E), -22029 (-0X560D) => -3933 (-0XF5D), -22028 (-0X560C) => -3932 (-0XF5C), -22027 (-0X560B) => -3931 (-0XF5B), -22026 (-0X560A) => -3930 (-0XF5A), others => -3938 (-0XF62)), 22044 (0X561C) => (others => -3932 (-0XF5C)), 22047 (0X561F) => (others => -3930 (-0XF5A)), 33189 (0X81A5) => (others => 62437 (0XF3E5)), 44046 (0XAC0E) => (others => 18069 (0X4695)), 44047 (0XAC0F) => (-4635 (-0X121B) => 35471 (0X8A8F), others => 84153 (0X148B9)), others => (others => -11499 (-0X2CEB))) why3-1.6.0/bench/check-ce/oracles/anonymous5_Z3,4.8.4_WP.oracle000066400000000000000000002030231440160026300235130ustar00rootroot00000000000000Check model 0 ("bench/check-ce/anonymous5.mlw", line 7, characters 12-22) Checking model: File anonymous5.mlw: Line 6: y = {"type": "Integer", "val": "0"} Line 7: y = {"type": "Integer", "val": "0"} Line 8: result = {"type": "Integer", "val": "1"} Giant-step RAC RHS evaluated for global `zero` at "WHY3DATA/stdlib/int.mlw", line 13, characters 15-19: 0 RHS evaluated for global `one` at "WHY3DATA/stdlib/int.mlw", line 14, characters 15-18: 1 Value from model for parameter `y` at "bench/check-ce/anonymous5.mlw", line 6, characters 7-8: 0 No value for return value of call to f at "bench/check-ce/anonymous5.mlw", line 8, characters 2-5 at "bench/check-ce/anonymous5.mlw", line 8, characters 2-5 Normal RAC RHS evaluated for global `zero` at "WHY3DATA/stdlib/int.mlw", line 13, characters 15-19: 0 RHS evaluated for global `one` at "WHY3DATA/stdlib/int.mlw", line 14, characters 15-18: 1 Value from model for parameter `y` at "bench/check-ce/anonymous5.mlw", line 6, characters 7-8: 0 Result of checking model 0: INCOMPLETE - Concrete RAC: INCOMPLETE (terminated because many args for exec fun) - Abstract RAC: INCOMPLETE (terminated because missing value for return value of call to f at "bench/check-ce/anonymous5.mlw", line 8, characters 2-5) Check model 1 ("bench/check-ce/anonymous5.mlw", line 7, characters 12-22) Checking model: File anonymous5.mlw: Line 6: y = {"type": "Integer", "val": "-3941"} Line 7: y = {"type": "Integer", "val": "-3941"} Line 8: result = {"type": "Integer", "val": "-11823"} result = {"type": "Array", "val": [{"indice": {"type": "Integer", "val": "-88787"}, "value": {"type": "Array", "val": [{"others": {"type": "Integer", "val": "-134552"}}]}}, {"indice": {"type": "Integer", "val": "-88786"}, "value": {"type": "Array", "val": [{"others": {"type": "Integer", "val": "-96668"}}]}}, {"indice": {"type": "Integer", "val": "-88785"}, "value": {"type": "Array", "val": [{"others": {"type": "Integer", "val": "-134511"}}]}}, {"indice": {"type": "Integer", "val": "-88784"}, "value": {"type": "Array", "val": [{"others": {"type": "Integer", "val": "-181509"}}]}}, {"indice": {"type": "Integer", "val": "-41770"}, "value": {"type": "Array", "val": [{"indice": {"type": "Integer", "val": "-41770"}, "value": {"type": "Integer", "val": "-87481"}}, {"others": {"type": "Integer", "val": "-67747"}}]}}, {"indice": {"type": "Integer", "val": "-23254"}, "value": {"type": "Array", "val": [{"indice": {"type": "Integer", "val": "-23254"}, "value": {"type": "Integer", "val": "-50449"}}, {"indice": {"type": "Integer", "val": "-9702"}, "value": {"type": "Integer", "val": "-36897"}}, {"others": {"type": "Integer", "val": "-49231"}}]}}, {"indice": {"type": "Integer", "val": "-22023"}, "value": {"type": "Array", "val": [{"indice": {"type": "Integer", "val": "-22024"}, "value": {"type": "Integer", "val": "-47988"}}, {"indice": {"type": "Integer", "val": "-22022"}, "value": {"type": "Integer", "val": "-47986"}}, {"others": {"type": "Integer", "val": "-47987"}}]}}, {"indice": {"type": "Integer", "val": "-21857"}, "value": {"type": "Array", "val": [{"indice": {"type": "Integer", "val": "-9726"}, "value": {"type": "Integer", "val": "-35524"}}, {"indice": {"type": "Integer", "val": "-9725"}, "value": {"type": "Integer", "val": "-35523"}}, {"others": {"type": "Integer", "val": "-47655"}}]}}, {"indice": {"type": "Integer", "val": "-18162"}, "value": {"type": "Array", "val": [{"indice": {"type": "Integer", "val": "-23254"}, "value": {"type": "Integer", "val": "-45357"}}, {"others": {"type": "Integer", "val": "-40265"}}]}}, {"indice": {"type": "Integer", "val": "-13543"}, "value": {"type": "Array", "val": [{"others": {"type": "Integer", "val": "-31027"}}]}}, {"indice": {"type": "Integer", "val": "-9912"}, "value": {"type": "Array", "val": [{"others": {"type": "Integer", "val": "-23765"}}]}}, {"indice": {"type": "Integer", "val": "-7557"}, "value": {"type": "Array", "val": [{"others": {"type": "Integer", "val": "-19055"}}]}}, {"indice": {"type": "Integer", "val": "-3941"}, "value": {"type": "Array", "val": [{"indice": {"type": "Integer", "val": "-41850"}, "value": {"type": "Integer", "val": "-49732"}}, {"indice": {"type": "Integer", "val": "-41849"}, "value": {"type": "Integer", "val": "-49731"}}, {"indice": {"type": "Integer", "val": "-41848"}, "value": {"type": "Integer", "val": "-49730"}}, {"indice": {"type": "Integer", "val": "-41847"}, "value": {"type": "Integer", "val": "-49729"}}, {"indice": {"type": "Integer", "val": "-41846"}, "value": {"type": "Integer", "val": "-49728"}}, {"indice": {"type": "Integer", "val": "-41845"}, "value": {"type": "Integer", "val": "-49727"}}, {"indice": {"type": "Integer", "val": "-41844"}, "value": {"type": "Integer", "val": "-49726"}}, {"indice": {"type": "Integer", "val": "-41843"}, "value": {"type": "Integer", "val": "-49725"}}, {"indice": {"type": "Integer", "val": "-41842"}, "value": {"type": "Integer", "val": "-49724"}}, {"indice": {"type": "Integer", "val": "-41841"}, "value": {"type": "Integer", "val": "-49723"}}, {"indice": {"type": "Integer", "val": "-41840"}, "value": {"type": "Integer", "val": "-49722"}}, {"indice": {"type": "Integer", "val": "-41839"}, "value": {"type": "Integer", "val": "-49721"}}, {"indice": {"type": "Integer", "val": "-41838"}, "value": {"type": "Integer", "val": "-49720"}}, {"indice": {"type": "Integer", "val": "-41837"}, "value": {"type": "Integer", "val": "-49719"}}, {"indice": {"type": "Integer", "val": "-41836"}, "value": {"type": "Integer", "val": "-49718"}}, {"indice": {"type": "Integer", "val": "-41835"}, "value": {"type": "Integer", "val": "-49717"}}, {"indice": {"type": "Integer", "val": "-41834"}, "value": {"type": "Integer", "val": "-49716"}}, {"indice": {"type": "Integer", "val": "-41833"}, "value": {"type": "Integer", "val": "-49715"}}, {"indice": {"type": "Integer", "val": "-41832"}, "value": {"type": "Integer", "val": "-49714"}}, {"indice": {"type": "Integer", "val": "-41831"}, "value": {"type": "Integer", "val": "-49713"}}, {"indice": {"type": "Integer", "val": "-41830"}, "value": {"type": "Integer", "val": "-49712"}}, {"indice": {"type": "Integer", "val": "-41829"}, "value": {"type": "Integer", "val": "-49711"}}, {"indice": {"type": "Integer", "val": "-41828"}, "value": {"type": "Integer", "val": "-49710"}}, {"indice": {"type": "Integer", "val": "-41827"}, "value": {"type": "Integer", "val": "-49709"}}, {"indice": {"type": "Integer", "val": "-41826"}, "value": {"type": "Integer", "val": "-49708"}}, {"indice": {"type": "Integer", "val": "-41825"}, "value": {"type": "Integer", "val": "-49707"}}, {"indice": {"type": "Integer", "val": "-41824"}, "value": {"type": "Integer", "val": "-49706"}}, {"indice": {"type": "Integer", "val": "-41823"}, "value": {"type": "Integer", "val": "-49705"}}, {"indice": {"type": "Integer", "val": "-41822"}, "value": {"type": "Integer", "val": "-49704"}}, {"indice": {"type": "Integer", "val": "-41821"}, "value": {"type": "Integer", "val": "-49703"}}, {"indice": {"type": "Integer", "val": "-41820"}, "value": {"type": "Integer", "val": "-49702"}}, {"indice": {"type": "Integer", "val": "-41818"}, "value": {"type": "Integer", "val": "-49700"}}, {"indice": {"type": "Integer", "val": "-41817"}, "value": {"type": "Integer", "val": "-49699"}}, {"indice": {"type": "Integer", "val": "-41816"}, "value": {"type": "Integer", "val": "-49698"}}, {"indice": {"type": "Integer", "val": "-41815"}, "value": {"type": "Integer", "val": "-49697"}}, {"indice": {"type": "Integer", "val": "-41814"}, "value": {"type": "Integer", "val": "-49696"}}, {"indice": {"type": "Integer", "val": "-41813"}, "value": {"type": "Integer", "val": "-49695"}}, {"indice": {"type": "Integer", "val": "-41812"}, "value": {"type": "Integer", "val": "-49694"}}, {"indice": {"type": "Integer", "val": "-41811"}, "value": {"type": "Integer", "val": "-49693"}}, {"indice": {"type": "Integer", "val": "-41810"}, "value": {"type": "Integer", "val": "-49692"}}, {"indice": {"type": "Integer", "val": "-41809"}, "value": {"type": "Integer", "val": "-49691"}}, {"indice": {"type": "Integer", "val": "-41808"}, "value": {"type": "Integer", "val": "-49690"}}, {"indice": {"type": "Integer", "val": "-41807"}, "value": {"type": "Integer", "val": "-49689"}}, {"indice": {"type": "Integer", "val": "-41806"}, "value": {"type": "Integer", "val": "-49688"}}, {"indice": {"type": "Integer", "val": "-41805"}, "value": {"type": "Integer", "val": "-49687"}}, {"indice": {"type": "Integer", "val": "-41804"}, "value": {"type": "Integer", "val": "-49686"}}, {"indice": {"type": "Integer", "val": "-41803"}, "value": {"type": "Integer", "val": "-49685"}}, {"indice": {"type": "Integer", "val": "-41802"}, "value": {"type": "Integer", "val": "-49684"}}, {"indice": {"type": "Integer", "val": "-41801"}, "value": {"type": "Integer", "val": "-49683"}}, {"indice": {"type": "Integer", "val": "-41800"}, "value": {"type": "Integer", "val": "-49682"}}, {"indice": {"type": "Integer", "val": "-41799"}, "value": {"type": "Integer", "val": "-49681"}}, {"indice": {"type": "Integer", "val": "-41798"}, "value": {"type": "Integer", "val": "-49680"}}, {"indice": {"type": "Integer", "val": "-41797"}, "value": {"type": "Integer", "val": "-49679"}}, {"indice": {"type": "Integer", "val": "-41796"}, "value": {"type": "Integer", "val": "-49678"}}, {"indice": {"type": "Integer", "val": "-41795"}, "value": {"type": "Integer", "val": "-49677"}}, {"indice": {"type": "Integer", "val": "-41794"}, "value": {"type": "Integer", "val": "-49676"}}, {"indice": {"type": "Integer", "val": "-41793"}, "value": {"type": "Integer", "val": "-49675"}}, {"indice": {"type": "Integer", "val": "-41789"}, "value": {"type": "Integer", "val": "-49671"}}, {"indice": {"type": "Integer", "val": "-41775"}, "value": {"type": "Integer", "val": "-49657"}}, {"indice": {"type": "Integer", "val": "-22025"}, "value": {"type": "Integer", "val": "-29907"}}, {"indice": {"type": "Integer", "val": "-22024"}, "value": {"type": "Integer", "val": "-29906"}}, {"indice": {"type": "Integer", "val": "-22023"}, "value": {"type": "Integer", "val": "-29905"}}, {"indice": {"type": "Integer", "val": "-9704"}, "value": {"type": "Integer", "val": "-17586"}}, {"indice": {"type": "Integer", "val": "-9703"}, "value": {"type": "Integer", "val": "-17585"}}, {"indice": {"type": "Integer", "val": "-9702"}, "value": {"type": "Integer", "val": "-17584"}}, {"indice": {"type": "Integer", "val": "-9701"}, "value": {"type": "Integer", "val": "-17583"}}, {"indice": {"type": "Integer", "val": "-3941"}, "value": {"type": "Integer", "val": "-11823"}}, {"others": {"type": "Integer", "val": "-49701"}}]}}, {"indice": {"type": "Integer", "val": "-2714"}, "value": {"type": "Array", "val": [{"others": {"type": "Integer", "val": "-9369"}}]}}, {"indice": {"type": "Integer", "val": "5"}, "value": {"type": "Array", "val": [{"others": {"type": "Integer", "val": "-3931"}}]}}, {"indice": {"type": "Integer", "val": "15"}, "value": {"type": "Array", "val": [{"others": {"type": "Integer", "val": "-3911"}}]}}, {"indice": {"type": "Integer", "val": "84"}, "value": {"type": "Array", "val": [{"others": {"type": "Integer", "val": "-3773"}}]}}, {"indice": {"type": "Integer", "val": "1803"}, "value": {"type": "Array", "val": [{"others": {"type": "Integer", "val": "-335"}}]}}, {"indice": {"type": "Integer", "val": "3945"}, "value": {"type": "Array", "val": [{"others": {"type": "Integer", "val": "3949"}}]}}, {"indice": {"type": "Integer", "val": "4643"}, "value": {"type": "Array", "val": [{"indice": {"type": "Integer", "val": "-4635"}, "value": {"type": "Integer", "val": "-3933"}}, {"others": {"type": "Integer", "val": "-3932"}}]}}, {"indice": {"type": "Integer", "val": "8365"}, "value": {"type": "Array", "val": [{"indice": {"type": "Integer", "val": "-41798"}, "value": {"type": "Integer", "val": "-37374"}}, {"indice": {"type": "Integer", "val": "-41797"}, "value": {"type": "Integer", "val": "-37373"}}, {"indice": {"type": "Integer", "val": "-41796"}, "value": {"type": "Integer", "val": "-37372"}}, {"indice": {"type": "Integer", "val": "-41794"}, "value": {"type": "Integer", "val": "-37370"}}, {"indice": {"type": "Integer", "val": "-41793"}, "value": {"type": "Integer", "val": "-37369"}}, {"indice": {"type": "Integer", "val": "-41792"}, "value": {"type": "Integer", "val": "-37368"}}, {"indice": {"type": "Integer", "val": "-41791"}, "value": {"type": "Integer", "val": "-37367"}}, {"indice": {"type": "Integer", "val": "-41790"}, "value": {"type": "Integer", "val": "-37366"}}, {"indice": {"type": "Integer", "val": "-41789"}, "value": {"type": "Integer", "val": "-37365"}}, {"indice": {"type": "Integer", "val": "-41788"}, "value": {"type": "Integer", "val": "-37364"}}, {"indice": {"type": "Integer", "val": "-41787"}, "value": {"type": "Integer", "val": "-37363"}}, {"indice": {"type": "Integer", "val": "-41786"}, "value": {"type": "Integer", "val": "-37362"}}, {"indice": {"type": "Integer", "val": "-41785"}, "value": {"type": "Integer", "val": "-37361"}}, {"indice": {"type": "Integer", "val": "-41784"}, "value": {"type": "Integer", "val": "-37360"}}, {"indice": {"type": "Integer", "val": "-41783"}, "value": {"type": "Integer", "val": "-37359"}}, {"indice": {"type": "Integer", "val": "-41782"}, "value": {"type": "Integer", "val": "-37358"}}, {"indice": {"type": "Integer", "val": "-41781"}, "value": {"type": "Integer", "val": "-37357"}}, {"indice": {"type": "Integer", "val": "-41780"}, "value": {"type": "Integer", "val": "-37356"}}, {"indice": {"type": "Integer", "val": "-41779"}, "value": {"type": "Integer", "val": "-37355"}}, {"indice": {"type": "Integer", "val": "-41778"}, "value": {"type": "Integer", "val": "-37354"}}, {"indice": {"type": "Integer", "val": "-41777"}, "value": {"type": "Integer", "val": "-37353"}}, {"indice": {"type": "Integer", "val": "-41776"}, "value": {"type": "Integer", "val": "-37352"}}, {"indice": {"type": "Integer", "val": "-41775"}, "value": {"type": "Integer", "val": "-37351"}}, {"indice": {"type": "Integer", "val": "-41774"}, "value": {"type": "Integer", "val": "-37350"}}, {"indice": {"type": "Integer", "val": "-41773"}, "value": {"type": "Integer", "val": "-37349"}}, {"indice": {"type": "Integer", "val": "-41772"}, "value": {"type": "Integer", "val": "-37348"}}, {"indice": {"type": "Integer", "val": "-41771"}, "value": {"type": "Integer", "val": "-37347"}}, {"indice": {"type": "Integer", "val": "-41770"}, "value": {"type": "Integer", "val": "-37346"}}, {"indice": {"type": "Integer", "val": "-41769"}, "value": {"type": "Integer", "val": "-37345"}}, {"indice": {"type": "Integer", "val": "-23257"}, "value": {"type": "Integer", "val": "-18833"}}, {"indice": {"type": "Integer", "val": "-23256"}, "value": {"type": "Integer", "val": "-18832"}}, {"indice": {"type": "Integer", "val": "-23255"}, "value": {"type": "Integer", "val": "-18831"}}, {"indice": {"type": "Integer", "val": "-23254"}, "value": {"type": "Integer", "val": "-18830"}}, {"indice": {"type": "Integer", "val": "-23253"}, "value": {"type": "Integer", "val": "-18829"}}, {"indice": {"type": "Integer", "val": "-23252"}, "value": {"type": "Integer", "val": "-18828"}}, {"indice": {"type": "Integer", "val": "-22041"}, "value": {"type": "Integer", "val": "-17617"}}, {"indice": {"type": "Integer", "val": "-22040"}, "value": {"type": "Integer", "val": "-17616"}}, {"indice": {"type": "Integer", "val": "-22039"}, "value": {"type": "Integer", "val": "-17615"}}, {"indice": {"type": "Integer", "val": "-22038"}, "value": {"type": "Integer", "val": "-17614"}}, {"indice": {"type": "Integer", "val": "-22037"}, "value": {"type": "Integer", "val": "-17613"}}, {"indice": {"type": "Integer", "val": "-22036"}, "value": {"type": "Integer", "val": "-17612"}}, {"indice": {"type": "Integer", "val": "-22035"}, "value": {"type": "Integer", "val": "-17611"}}, {"indice": {"type": "Integer", "val": "-22034"}, "value": {"type": "Integer", "val": "-17610"}}, {"indice": {"type": "Integer", "val": "-22033"}, "value": {"type": "Integer", "val": "-17609"}}, {"indice": {"type": "Integer", "val": "-22032"}, "value": {"type": "Integer", "val": "-17608"}}, {"indice": {"type": "Integer", "val": "-22031"}, "value": {"type": "Integer", "val": "-17607"}}, {"indice": {"type": "Integer", "val": "-22030"}, "value": {"type": "Integer", "val": "-17606"}}, {"indice": {"type": "Integer", "val": "-22029"}, "value": {"type": "Integer", "val": "-17605"}}, {"indice": {"type": "Integer", "val": "-22028"}, "value": {"type": "Integer", "val": "-17604"}}, {"indice": {"type": "Integer", "val": "-22027"}, "value": {"type": "Integer", "val": "-17603"}}, {"indice": {"type": "Integer", "val": "-22026"}, "value": {"type": "Integer", "val": "-17602"}}, {"indice": {"type": "Integer", "val": "-22025"}, "value": {"type": "Integer", "val": "-17601"}}, {"indice": {"type": "Integer", "val": "-22024"}, "value": {"type": "Integer", "val": "-17600"}}, {"indice": {"type": "Integer", "val": "-22023"}, "value": {"type": "Integer", "val": "-17599"}}, {"indice": {"type": "Integer", "val": "-22022"}, "value": {"type": "Integer", "val": "-17598"}}, {"indice": {"type": "Integer", "val": "-22021"}, "value": {"type": "Integer", "val": "-17597"}}, {"indice": {"type": "Integer", "val": "-22020"}, "value": {"type": "Integer", "val": "-17596"}}, {"indice": {"type": "Integer", "val": "-22019"}, "value": {"type": "Integer", "val": "-17595"}}, {"indice": {"type": "Integer", "val": "-22018"}, "value": {"type": "Integer", "val": "-17594"}}, {"indice": {"type": "Integer", "val": "-22017"}, "value": {"type": "Integer", "val": "-17593"}}, {"indice": {"type": "Integer", "val": "-22016"}, "value": {"type": "Integer", "val": "-17592"}}, {"indice": {"type": "Integer", "val": "-22015"}, "value": {"type": "Integer", "val": "-17591"}}, {"indice": {"type": "Integer", "val": "-22014"}, "value": {"type": "Integer", "val": "-17590"}}, {"indice": {"type": "Integer", "val": "-22013"}, "value": {"type": "Integer", "val": "-17589"}}, {"indice": {"type": "Integer", "val": "-22012"}, "value": {"type": "Integer", "val": "-17588"}}, {"indice": {"type": "Integer", "val": "-22011"}, "value": {"type": "Integer", "val": "-17587"}}, {"indice": {"type": "Integer", "val": "-9734"}, "value": {"type": "Integer", "val": "-5310"}}, {"indice": {"type": "Integer", "val": "-9733"}, "value": {"type": "Integer", "val": "-5309"}}, {"indice": {"type": "Integer", "val": "-9732"}, "value": {"type": "Integer", "val": "-5308"}}, {"indice": {"type": "Integer", "val": "-9731"}, "value": {"type": "Integer", "val": "-5307"}}, {"indice": {"type": "Integer", "val": "-9730"}, "value": {"type": "Integer", "val": "-5306"}}, {"indice": {"type": "Integer", "val": "-9729"}, "value": {"type": "Integer", "val": "-5305"}}, {"indice": {"type": "Integer", "val": "-9728"}, "value": {"type": "Integer", "val": "-5304"}}, {"indice": {"type": "Integer", "val": "-9727"}, "value": {"type": "Integer", "val": "-5303"}}, {"indice": {"type": "Integer", "val": "-9726"}, "value": {"type": "Integer", "val": "-5302"}}, {"indice": {"type": "Integer", "val": "-9725"}, "value": {"type": "Integer", "val": "-5301"}}, {"indice": {"type": "Integer", "val": "-9724"}, "value": {"type": "Integer", "val": "-5300"}}, {"indice": {"type": "Integer", "val": "-9723"}, "value": {"type": "Integer", "val": "-5299"}}, {"indice": {"type": "Integer", "val": "-9722"}, "value": {"type": "Integer", "val": "-5298"}}, {"indice": {"type": "Integer", "val": "-9721"}, "value": {"type": "Integer", "val": "-5297"}}, {"indice": {"type": "Integer", "val": "-9720"}, "value": {"type": "Integer", "val": "-5296"}}, {"indice": {"type": "Integer", "val": "-9719"}, "value": {"type": "Integer", "val": "-5295"}}, {"indice": {"type": "Integer", "val": "-9718"}, "value": {"type": "Integer", "val": "-5294"}}, {"indice": {"type": "Integer", "val": "-9717"}, "value": {"type": "Integer", "val": "-5293"}}, {"indice": {"type": "Integer", "val": "-9716"}, "value": {"type": "Integer", "val": "-5292"}}, {"indice": {"type": "Integer", "val": "-9715"}, "value": {"type": "Integer", "val": "-5291"}}, {"indice": {"type": "Integer", "val": "-9714"}, "value": {"type": "Integer", "val": "-5290"}}, {"indice": {"type": "Integer", "val": "-9713"}, "value": {"type": "Integer", "val": "-5289"}}, {"indice": {"type": "Integer", "val": "-9712"}, "value": {"type": "Integer", "val": "-5288"}}, {"indice": {"type": "Integer", "val": "-9711"}, "value": {"type": "Integer", "val": "-5287"}}, {"indice": {"type": "Integer", "val": "-9710"}, "value": {"type": "Integer", "val": "-5286"}}, {"indice": {"type": "Integer", "val": "-9709"}, "value": {"type": "Integer", "val": "-5285"}}, {"indice": {"type": "Integer", "val": "-9708"}, "value": {"type": "Integer", "val": "-5284"}}, {"indice": {"type": "Integer", "val": "-9707"}, "value": {"type": "Integer", "val": "-5283"}}, {"indice": {"type": "Integer", "val": "-9706"}, "value": {"type": "Integer", "val": "-5282"}}, {"indice": {"type": "Integer", "val": "-9705"}, "value": {"type": "Integer", "val": "-5281"}}, {"indice": {"type": "Integer", "val": "-9704"}, "value": {"type": "Integer", "val": "-5280"}}, {"indice": {"type": "Integer", "val": "-9703"}, "value": {"type": "Integer", "val": "-5279"}}, {"indice": {"type": "Integer", "val": "-3941"}, "value": {"type": "Integer", "val": "483"}}, {"indice": {"type": "Integer", "val": "6737"}, "value": {"type": "Integer", "val": "11161"}}, {"others": {"type": "Integer", "val": "-37371"}}]}}, {"indice": {"type": "Integer", "val": "22037"}, "value": {"type": "Array", "val": [{"indice": {"type": "Integer", "val": "-22037"}, "value": {"type": "Integer", "val": "-3941"}}, {"indice": {"type": "Integer", "val": "-22036"}, "value": {"type": "Integer", "val": "-3940"}}, {"indice": {"type": "Integer", "val": "-22035"}, "value": {"type": "Integer", "val": "-3939"}}, {"indice": {"type": "Integer", "val": "-22033"}, "value": {"type": "Integer", "val": "-3937"}}, {"indice": {"type": "Integer", "val": "-22032"}, "value": {"type": "Integer", "val": "-3936"}}, {"indice": {"type": "Integer", "val": "-22031"}, "value": {"type": "Integer", "val": "-3935"}}, {"indice": {"type": "Integer", "val": "-22030"}, "value": {"type": "Integer", "val": "-3934"}}, {"indice": {"type": "Integer", "val": "-22029"}, "value": {"type": "Integer", "val": "-3933"}}, {"indice": {"type": "Integer", "val": "-22028"}, "value": {"type": "Integer", "val": "-3932"}}, {"indice": {"type": "Integer", "val": "-22027"}, "value": {"type": "Integer", "val": "-3931"}}, {"indice": {"type": "Integer", "val": "-22026"}, "value": {"type": "Integer", "val": "-3930"}}, {"others": {"type": "Integer", "val": "-3938"}}]}}, {"indice": {"type": "Integer", "val": "22044"}, "value": {"type": "Array", "val": [{"others": {"type": "Integer", "val": "-3932"}}]}}, {"indice": {"type": "Integer", "val": "22047"}, "value": {"type": "Array", "val": [{"others": {"type": "Integer", "val": "-3930"}}]}}, {"indice": {"type": "Integer", "val": "33189"}, "value": {"type": "Array", "val": [{"others": {"type": "Integer", "val": "62437"}}]}}, {"indice": {"type": "Integer", "val": "44046"}, "value": {"type": "Array", "val": [{"others": {"type": "Integer", "val": "18069"}}]}}, {"indice": {"type": "Integer", "val": "44047"}, "value": {"type": "Array", "val": [{"indice": {"type": "Integer", "val": "-4635"}, "value": {"type": "Integer", "val": "35471"}}, {"others": {"type": "Integer", "val": "84153"}}]}}, {"others": {"type": "Array", "val": [{"others": {"type": "Integer", "val": "-11499"}}]}}]} Giant-step RAC RHS evaluated for global `zero` at "WHY3DATA/stdlib/int.mlw", line 13, characters 15-19: 0 RHS evaluated for global `one` at "WHY3DATA/stdlib/int.mlw", line 14, characters 15-18: 1 Value from model for parameter `y` at "bench/check-ce/anonymous5.mlw", line 6, characters 7-8: (-3941) Value from model for return value of call to f at "bench/check-ce/anonymous5.mlw", line 8, characters 2-5 at "bench/check-ce/anonymous5.mlw", line 8, characters 2-5: [| (-88787) -> [|; _ -> (-134552)|]; (-88786) -> [|; _ -> (-96668)|]; (-88785) -> [|; _ -> (-134511)|]; (-88784) -> [|; _ -> (-181509)|]; (-41770) -> [| (-41770) -> (-87481); _ -> (-67747)|]; (-23254) -> [| (-23254) -> (-50449); (-9702) -> (-36897); _ -> (-49231)|]; (-22023) -> [| (-22024) -> (-47988); (-22022) -> (-47986); _ -> (-47987)|]; (-21857) -> [| (-9726) -> (-35524); (-9725) -> (-35523); _ -> (-47655)|]; (-18162) -> [| (-23254) -> (-45357); _ -> (-40265)|]; (-13543) -> [|; _ -> (-31027)|]; (-9912) -> [|; _ -> (-23765)|]; (-7557) -> [|; _ -> (-19055)|]; (-3941) -> [| (-41850) -> (-49732); (-41849) -> (-49731); (-41848) -> (-49730); (-41847) -> (-49729); (-41846) -> (-49728); (-41845) -> (-49727); (-41844) -> (-49726); (-41843) -> (-49725); (-41842) -> (-49724); (-41841) -> (-49723); (-41840) -> (-49722); (-41839) -> (-49721); (-41838) -> (-49720); (-41837) -> (-49719); (-41836) -> (-49718); (-41835) -> (-49717); (-41834) -> (-49716); (-41833) -> (-49715); (-41832) -> (-49714); (-41831) -> (-49713); (-41830) -> (-49712); (-41829) -> (-49711); (-41828) -> (-49710); (-41827) -> (-49709); (-41826) -> (-49708); (-41825) -> (-49707); (-41824) -> (-49706); (-41823) -> (-49705); (-41822) -> (-49704); (-41821) -> (-49703); (-41820) -> (-49702); (-41818) -> (-49700); (-41817) -> (-49699); (-41816) -> (-49698); (-41815) -> (-49697); (-41814) -> (-49696); (-41813) -> (-49695); (-41812) -> (-49694); (-41811) -> (-49693); (-41810) -> (-49692); (-41809) -> (-49691); (-41808) -> (-49690); (-41807) -> (-49689); (-41806) -> (-49688); (-41805) -> (-49687); (-41804) -> (-49686); (-41803) -> (-49685); (-41802) -> (-49684); (-41801) -> (-49683); (-41800) -> (-49682); (-41799) -> (-49681); (-41798) -> (-49680); (-41797) -> (-49679); (-41796) -> (-49678); (-41795) -> (-49677); (-41794) -> (-49676); (-41793) -> (-49675); (-41789) -> (-49671); (-41775) -> (-49657); (-22025) -> (-29907); (-22024) -> (-29906); (-22023) -> (-29905); (-9704) -> (-17586); (-9703) -> (-17585); (-9702) -> (-17584); (-9701) -> (-17583); (-3941) -> (-11823); _ -> (-49701)|]; (-2714) -> [|; _ -> (-9369)|]; 5 -> [|; _ -> (-3931)|]; 15 -> [|; _ -> (-3911)|]; 84 -> [|; _ -> (-3773)|]; 1803 -> [|; _ -> (-335)|]; 3945 -> [|; _ -> 3949|]; 4643 -> [| (-4635) -> (-3933); _ -> (-3932)|]; 8365 -> [| (-41798) -> (-37374); (-41797) -> (-37373); (-41796) -> (-37372); (-41794) -> (-37370); (-41793) -> (-37369); (-41792) -> (-37368); (-41791) -> (-37367); (-41790) -> (-37366); (-41789) -> (-37365); (-41788) -> (-37364); (-41787) -> (-37363); (-41786) -> (-37362); (-41785) -> (-37361); (-41784) -> (-37360); (-41783) -> (-37359); (-41782) -> (-37358); (-41781) -> (-37357); (-41780) -> (-37356); (-41779) -> (-37355); (-41778) -> (-37354); (-41777) -> (-37353); (-41776) -> (-37352); (-41775) -> (-37351); (-41774) -> (-37350); (-41773) -> (-37349); (-41772) -> (-37348); (-41771) -> (-37347); (-41770) -> (-37346); (-41769) -> (-37345); (-23257) -> (-18833); (-23256) -> (-18832); (-23255) -> (-18831); (-23254) -> (-18830); (-23253) -> (-18829); (-23252) -> (-18828); (-22041) -> (-17617); (-22040) -> (-17616); (-22039) -> (-17615); (-22038) -> (-17614); (-22037) -> (-17613); (-22036) -> (-17612); (-22035) -> (-17611); (-22034) -> (-17610); (-22033) -> (-17609); (-22032) -> (-17608); (-22031) -> (-17607); (-22030) -> (-17606); (-22029) -> (-17605); (-22028) -> (-17604); (-22027) -> (-17603); (-22026) -> (-17602); (-22025) -> (-17601); (-22024) -> (-17600); (-22023) -> (-17599); (-22022) -> (-17598); (-22021) -> (-17597); (-22020) -> (-17596); (-22019) -> (-17595); (-22018) -> (-17594); (-22017) -> (-17593); (-22016) -> (-17592); (-22015) -> (-17591); (-22014) -> (-17590); (-22013) -> (-17589); (-22012) -> (-17588); (-22011) -> (-17587); (-9734) -> (-5310); (-9733) -> (-5309); (-9732) -> (-5308); (-9731) -> (-5307); (-9730) -> (-5306); (-9729) -> (-5305); (-9728) -> (-5304); (-9727) -> (-5303); (-9726) -> (-5302); (-9725) -> (-5301); (-9724) -> (-5300); (-9723) -> (-5299); (-9722) -> (-5298); (-9721) -> (-5297); (-9720) -> (-5296); (-9719) -> (-5295); (-9718) -> (-5294); (-9717) -> (-5293); (-9716) -> (-5292); (-9715) -> (-5291); (-9714) -> (-5290); (-9713) -> (-5289); (-9712) -> (-5288); (-9711) -> (-5287); (-9710) -> (-5286); (-9709) -> (-5285); (-9708) -> (-5284); (-9707) -> (-5283); (-9706) -> (-5282); (-9705) -> (-5281); (-9704) -> (-5280); (-9703) -> (-5279); (-3941) -> 483; 6737 -> 11161; _ -> (-37371)|]; 22037 -> [| (-22037) -> (-3941); (-22036) -> (-3940); (-22035) -> (-3939); (-22033) -> (-3937); (-22032) -> (-3936); (-22031) -> (-3935); (-22030) -> (-3934); (-22029) -> (-3933); (-22028) -> (-3932); (-22027) -> (-3931); (-22026) -> (-3930); _ -> (-3938)|]; 22044 -> [|; _ -> (-3932)|]; 22047 -> [|; _ -> (-3930)|]; 33189 -> [|; _ -> 62437|]; 44046 -> [|; _ -> 18069|]; 44047 -> [| (-4635) -> 35471; _ -> 84153|]; _ -> [|; _ -> (-11499)|]|] Normal RAC RHS evaluated for global `zero` at "WHY3DATA/stdlib/int.mlw", line 13, characters 15-19: 0 RHS evaluated for global `one` at "WHY3DATA/stdlib/int.mlw", line 14, characters 15-18: 1 Value from model for parameter `y` at "bench/check-ce/anonymous5.mlw", line 6, characters 7-8: (-3941) Result of checking model 1: INCOMPLETE - Concrete RAC: INCOMPLETE (terminated because many args for exec fun) - Abstract RAC: INCOMPLETE (terminated because Postcondition of `f` cannot be evaluated) Results: - Checked model 0: INCOMPLETE - Concrete RAC: INCOMPLETE (terminated because many args for exec fun) - Abstract RAC: INCOMPLETE (terminated because missing value for return value of call to f at "bench/check-ce/anonymous5.mlw", line 8, characters 2-5) - Selected model 1: INCOMPLETE - Concrete RAC: INCOMPLETE (terminated because many args for exec fun) - Abstract RAC: INCOMPLETE (terminated because Postcondition of `f` cannot be evaluated) File "bench/check-ce/anonymous5.mlw", line 7, characters 12-22: Sub-goal Postcondition of goal g'vc. Prover result is: Unknown (unknown) (2.79s, 7500000 steps). The following counterexample model could not be verified (concrete RAC terminated because many args for exec fun, abstract RAC terminated because Postcondition of `f` cannot be evaluated): File anonymous5.mlw: Line 6: y = -3941 (-0XF65) Line 7: y = -3941 (-0XF65) Line 8: result = -11823 (-0X2E2F) result of call at line 8, characters 2-5 = (-88787 (-0X15AD3) => (others => -134552 (-0X20D98)), -88786 (-0X15AD2) => (others => -96668 (-0X1799C)), -88785 (-0X15AD1) => (others => -134511 (-0X20D6F)), -88784 (-0X15AD0) => (others => -181509 (-0X2C505)), -41770 (-0XA32A) => (-41770 (-0XA32A) => -87481 (-0X155B9), others => -67747 (-0X108A3)), -23254 (-0X5AD6) => (-23254 (-0X5AD6) => -50449 (-0XC511), -9702 (-0X25E6) => -36897 (-0X9021), others => -49231 (-0XC04F)), -22023 (-0X5607) => (-22024 (-0X5608) => -47988 (-0XBB74), -22022 (-0X5606) => -47986 (-0XBB72), others => -47987 (-0XBB73)), -21857 (-0X5561) => (-9726 (-0X25FE) => -35524 (-0X8AC4), -9725 (-0X25FD) => -35523 (-0X8AC3), others => -47655 (-0XBA27)), -18162 (-0X46F2) => (-23254 (-0X5AD6) => -45357 (-0XB12D), others => -40265 (-0X9D49)), -13543 (-0X34E7) => (others => -31027 (-0X7933)), -9912 (-0X26B8) => (others => -23765 (-0X5CD5)), -7557 (-0X1D85) => (others => -19055 (-0X4A6F)), -3941 (-0XF65) => (-41850 (-0XA37A) => -49732 (-0XC244), -41849 (-0XA379) => -49731 (-0XC243), -41848 (-0XA378) => -49730 (-0XC242), -41847 (-0XA377) => -49729 (-0XC241), -41846 (-0XA376) => -49728 (-0XC240), -41845 (-0XA375) => -49727 (-0XC23F), -41844 (-0XA374) => -49726 (-0XC23E), -41843 (-0XA373) => -49725 (-0XC23D), -41842 (-0XA372) => -49724 (-0XC23C), -41841 (-0XA371) => -49723 (-0XC23B), -41840 (-0XA370) => -49722 (-0XC23A), -41839 (-0XA36F) => -49721 (-0XC239), -41838 (-0XA36E) => -49720 (-0XC238), -41837 (-0XA36D) => -49719 (-0XC237), -41836 (-0XA36C) => -49718 (-0XC236), -41835 (-0XA36B) => -49717 (-0XC235), -41834 (-0XA36A) => -49716 (-0XC234), -41833 (-0XA369) => -49715 (-0XC233), -41832 (-0XA368) => -49714 (-0XC232), -41831 (-0XA367) => -49713 (-0XC231), -41830 (-0XA366) => -49712 (-0XC230), -41829 (-0XA365) => -49711 (-0XC22F), -41828 (-0XA364) => -49710 (-0XC22E), -41827 (-0XA363) => -49709 (-0XC22D), -41826 (-0XA362) => -49708 (-0XC22C), -41825 (-0XA361) => -49707 (-0XC22B), -41824 (-0XA360) => -49706 (-0XC22A), -41823 (-0XA35F) => -49705 (-0XC229), -41822 (-0XA35E) => -49704 (-0XC228), -41821 (-0XA35D) => -49703 (-0XC227), -41820 (-0XA35C) => -49702 (-0XC226), -41818 (-0XA35A) => -49700 (-0XC224), -41817 (-0XA359) => -49699 (-0XC223), -41816 (-0XA358) => -49698 (-0XC222), -41815 (-0XA357) => -49697 (-0XC221), -41814 (-0XA356) => -49696 (-0XC220), -41813 (-0XA355) => -49695 (-0XC21F), -41812 (-0XA354) => -49694 (-0XC21E), -41811 (-0XA353) => -49693 (-0XC21D), -41810 (-0XA352) => -49692 (-0XC21C), -41809 (-0XA351) => -49691 (-0XC21B), -41808 (-0XA350) => -49690 (-0XC21A), -41807 (-0XA34F) => -49689 (-0XC219), -41806 (-0XA34E) => -49688 (-0XC218), -41805 (-0XA34D) => -49687 (-0XC217), -41804 (-0XA34C) => -49686 (-0XC216), -41803 (-0XA34B) => -49685 (-0XC215), -41802 (-0XA34A) => -49684 (-0XC214), -41801 (-0XA349) => -49683 (-0XC213), -41800 (-0XA348) => -49682 (-0XC212), -41799 (-0XA347) => -49681 (-0XC211), -41798 (-0XA346) => -49680 (-0XC210), -41797 (-0XA345) => -49679 (-0XC20F), -41796 (-0XA344) => -49678 (-0XC20E), -41795 (-0XA343) => -49677 (-0XC20D), -41794 (-0XA342) => -49676 (-0XC20C), -41793 (-0XA341) => -49675 (-0XC20B), -41789 (-0XA33D) => -49671 (-0XC207), -41775 (-0XA32F) => -49657 (-0XC1F9), -22025 (-0X5609) => -29907 (-0X74D3), -22024 (-0X5608) => -29906 (-0X74D2), -22023 (-0X5607) => -29905 (-0X74D1), -9704 (-0X25E8) => -17586 (-0X44B2), -9703 (-0X25E7) => -17585 (-0X44B1), -9702 (-0X25E6) => -17584 (-0X44B0), -9701 (-0X25E5) => -17583 (-0X44AF), -3941 (-0XF65) => -11823 (-0X2E2F), others => -49701 (-0XC225)), -2714 (-0XA9A) => (others => -9369 (-0X2499)), 5 => (others => -3931 (-0XF5B)), 15 (0XF) => (others => -3911 (-0XF47)), 84 (0X54) => (others => -3773 (-0XEBD)), 1803 (0X70B) => (others => -335 (-0X14F)), 3945 (0XF69) => (others => 3949 (0XF6D)), 4643 (0X1223) => (-4635 (-0X121B) => -3933 (-0XF5D), others => -3932 (-0XF5C)), 8365 (0X20AD) => (-41798 (-0XA346) => -37374 (-0X91FE), -41797 (-0XA345) => -37373 (-0X91FD), -41796 (-0XA344) => -37372 (-0X91FC), -41794 (-0XA342) => -37370 (-0X91FA), -41793 (-0XA341) => -37369 (-0X91F9), -41792 (-0XA340) => -37368 (-0X91F8), -41791 (-0XA33F) => -37367 (-0X91F7), -41790 (-0XA33E) => -37366 (-0X91F6), -41789 (-0XA33D) => -37365 (-0X91F5), -41788 (-0XA33C) => -37364 (-0X91F4), -41787 (-0XA33B) => -37363 (-0X91F3), -41786 (-0XA33A) => -37362 (-0X91F2), -41785 (-0XA339) => -37361 (-0X91F1), -41784 (-0XA338) => -37360 (-0X91F0), -41783 (-0XA337) => -37359 (-0X91EF), -41782 (-0XA336) => -37358 (-0X91EE), -41781 (-0XA335) => -37357 (-0X91ED), -41780 (-0XA334) => -37356 (-0X91EC), -41779 (-0XA333) => -37355 (-0X91EB), -41778 (-0XA332) => -37354 (-0X91EA), -41777 (-0XA331) => -37353 (-0X91E9), -41776 (-0XA330) => -37352 (-0X91E8), -41775 (-0XA32F) => -37351 (-0X91E7), -41774 (-0XA32E) => -37350 (-0X91E6), -41773 (-0XA32D) => -37349 (-0X91E5), -41772 (-0XA32C) => -37348 (-0X91E4), -41771 (-0XA32B) => -37347 (-0X91E3), -41770 (-0XA32A) => -37346 (-0X91E2), -41769 (-0XA329) => -37345 (-0X91E1), -23257 (-0X5AD9) => -18833 (-0X4991), -23256 (-0X5AD8) => -18832 (-0X4990), -23255 (-0X5AD7) => -18831 (-0X498F), -23254 (-0X5AD6) => -18830 (-0X498E), -23253 (-0X5AD5) => -18829 (-0X498D), -23252 (-0X5AD4) => -18828 (-0X498C), -22041 (-0X5619) => -17617 (-0X44D1), -22040 (-0X5618) => -17616 (-0X44D0), -22039 (-0X5617) => -17615 (-0X44CF), -22038 (-0X5616) => -17614 (-0X44CE), -22037 (-0X5615) => -17613 (-0X44CD), -22036 (-0X5614) => -17612 (-0X44CC), -22035 (-0X5613) => -17611 (-0X44CB), -22034 (-0X5612) => -17610 (-0X44CA), -22033 (-0X5611) => -17609 (-0X44C9), -22032 (-0X5610) => -17608 (-0X44C8), -22031 (-0X560F) => -17607 (-0X44C7), -22030 (-0X560E) => -17606 (-0X44C6), -22029 (-0X560D) => -17605 (-0X44C5), -22028 (-0X560C) => -17604 (-0X44C4), -22027 (-0X560B) => -17603 (-0X44C3), -22026 (-0X560A) => -17602 (-0X44C2), -22025 (-0X5609) => -17601 (-0X44C1), -22024 (-0X5608) => -17600 (-0X44C0), -22023 (-0X5607) => -17599 (-0X44BF), -22022 (-0X5606) => -17598 (-0X44BE), -22021 (-0X5605) => -17597 (-0X44BD), -22020 (-0X5604) => -17596 (-0X44BC), -22019 (-0X5603) => -17595 (-0X44BB), -22018 (-0X5602) => -17594 (-0X44BA), -22017 (-0X5601) => -17593 (-0X44B9), -22016 (-0X5600) => -17592 (-0X44B8), -22015 (-0X55FF) => -17591 (-0X44B7), -22014 (-0X55FE) => -17590 (-0X44B6), -22013 (-0X55FD) => -17589 (-0X44B5), -22012 (-0X55FC) => -17588 (-0X44B4), -22011 (-0X55FB) => -17587 (-0X44B3), -9734 (-0X2606) => -5310 (-0X14BE), -9733 (-0X2605) => -5309 (-0X14BD), -9732 (-0X2604) => -5308 (-0X14BC), -9731 (-0X2603) => -5307 (-0X14BB), -9730 (-0X2602) => -5306 (-0X14BA), -9729 (-0X2601) => -5305 (-0X14B9), -9728 (-0X2600) => -5304 (-0X14B8), -9727 (-0X25FF) => -5303 (-0X14B7), -9726 (-0X25FE) => -5302 (-0X14B6), -9725 (-0X25FD) => -5301 (-0X14B5), -9724 (-0X25FC) => -5300 (-0X14B4), -9723 (-0X25FB) => -5299 (-0X14B3), -9722 (-0X25FA) => -5298 (-0X14B2), -9721 (-0X25F9) => -5297 (-0X14B1), -9720 (-0X25F8) => -5296 (-0X14B0), -9719 (-0X25F7) => -5295 (-0X14AF), -9718 (-0X25F6) => -5294 (-0X14AE), -9717 (-0X25F5) => -5293 (-0X14AD), -9716 (-0X25F4) => -5292 (-0X14AC), -9715 (-0X25F3) => -5291 (-0X14AB), -9714 (-0X25F2) => -5290 (-0X14AA), -9713 (-0X25F1) => -5289 (-0X14A9), -9712 (-0X25F0) => -5288 (-0X14A8), -9711 (-0X25EF) => -5287 (-0X14A7), -9710 (-0X25EE) => -5286 (-0X14A6), -9709 (-0X25ED) => -5285 (-0X14A5), -9708 (-0X25EC) => -5284 (-0X14A4), -9707 (-0X25EB) => -5283 (-0X14A3), -9706 (-0X25EA) => -5282 (-0X14A2), -9705 (-0X25E9) => -5281 (-0X14A1), -9704 (-0X25E8) => -5280 (-0X14A0), -9703 (-0X25E7) => -5279 (-0X149F), -3941 (-0XF65) => 483 (0X1E3), 6737 (0X1A51) => 11161 (0X2B99), others => -37371 (-0X91FB)), 22037 (0X5615) => (-22037 (-0X5615) => -3941 (-0XF65), -22036 (-0X5614) => -3940 (-0XF64), -22035 (-0X5613) => -3939 (-0XF63), -22033 (-0X5611) => -3937 (-0XF61), -22032 (-0X5610) => -3936 (-0XF60), -22031 (-0X560F) => -3935 (-0XF5F), -22030 (-0X560E) => -3934 (-0XF5E), -22029 (-0X560D) => -3933 (-0XF5D), -22028 (-0X560C) => -3932 (-0XF5C), -22027 (-0X560B) => -3931 (-0XF5B), -22026 (-0X560A) => -3930 (-0XF5A), others => -3938 (-0XF62)), 22044 (0X561C) => (others => -3932 (-0XF5C)), 22047 (0X561F) => (others => -3930 (-0XF5A)), 33189 (0X81A5) => (others => 62437 (0XF3E5)), 44046 (0XAC0E) => (others => 18069 (0X4695)), 44047 (0XAC0F) => (-4635 (-0X121B) => 35471 (0X8A8F), others => 84153 (0X148B9)), others => (others => -11499 (-0X2CEB))) why3-1.6.0/bench/check-ce/oracles/anonymous6_CVC4,1.8_SP.oracle000066400000000000000000000024611440160026300235510ustar00rootroot00000000000000File "bench/check-ce/anonymous6.mlw", line 6, characters 18-27: Sub-goal Postcondition of goal f'vc. Prover result is: Valid. Categorizations of models: - Selected model 0: SW - Concrete RAC: NORMAL - Abstract RAC: FAILURE (assertion at "bench/check-ce/anonymous6.mlw", line 7, characters 10-15) - Checked model 1: SW - Concrete RAC: NORMAL - Abstract RAC: FAILURE (assertion at "bench/check-ce/anonymous6.mlw", line 7, characters 10-15) File "bench/check-ce/anonymous6.mlw", line 7, characters 10-15: Sub-goal Assertion of goal f'vc. Prover result is: Unknown or time/memory/step limit. The contracts of some function or loop are too weak, for example during the following execution: File int.mlw: Line 13: Constant zero initialization zero = 0 Line 14: Constant one initialization one = 1 Unknown location: _ = () File anonymous6.mlw: Line 4: _ = () Execution of main function `f` with env: _ = () zero = 0 one = 1 Line 5: Giant-step execution of function `ref` with args: contents = 0 result of `ref` = {contents= 0} Line 6: Giant-step execution of anonymous function with args: z = {contents= 0} z = {contents= 3} result = () Line 7: Property failure at assertion with: z = {contents= 3} why3-1.6.0/bench/check-ce/oracles/anonymous6_CVC4,1.8_WP.oracle000066400000000000000000000024611440160026300235550ustar00rootroot00000000000000File "bench/check-ce/anonymous6.mlw", line 6, characters 18-27: Sub-goal Postcondition of goal f'vc. Prover result is: Valid. Categorizations of models: - Selected model 0: SW - Concrete RAC: NORMAL - Abstract RAC: FAILURE (assertion at "bench/check-ce/anonymous6.mlw", line 7, characters 10-15) - Checked model 1: SW - Concrete RAC: NORMAL - Abstract RAC: FAILURE (assertion at "bench/check-ce/anonymous6.mlw", line 7, characters 10-15) File "bench/check-ce/anonymous6.mlw", line 7, characters 10-15: Sub-goal Assertion of goal f'vc. Prover result is: Unknown or time/memory/step limit. The contracts of some function or loop are too weak, for example during the following execution: File int.mlw: Line 13: Constant zero initialization zero = 0 Line 14: Constant one initialization one = 1 Unknown location: _ = () File anonymous6.mlw: Line 4: _ = () Execution of main function `f` with env: _ = () zero = 0 one = 1 Line 5: Giant-step execution of function `ref` with args: contents = 0 result of `ref` = {contents= 0} Line 6: Giant-step execution of anonymous function with args: z = {contents= 0} z = {contents= 3} result = () Line 7: Property failure at assertion with: z = {contents= 3} why3-1.6.0/bench/check-ce/oracles/anonymous6_CVC5,1.0.0_SP.oracle000066400000000000000000000024611440160026300237000ustar00rootroot00000000000000File "bench/check-ce/anonymous6.mlw", line 6, characters 18-27: Sub-goal Postcondition of goal f'vc. Prover result is: Valid. Categorizations of models: - Selected model 0: SW - Concrete RAC: NORMAL - Abstract RAC: FAILURE (assertion at "bench/check-ce/anonymous6.mlw", line 7, characters 10-15) - Checked model 1: SW - Concrete RAC: NORMAL - Abstract RAC: FAILURE (assertion at "bench/check-ce/anonymous6.mlw", line 7, characters 10-15) File "bench/check-ce/anonymous6.mlw", line 7, characters 10-15: Sub-goal Assertion of goal f'vc. Prover result is: Unknown or time/memory/step limit. The contracts of some function or loop are too weak, for example during the following execution: File int.mlw: Line 13: Constant zero initialization zero = 0 Line 14: Constant one initialization one = 1 Unknown location: _ = () File anonymous6.mlw: Line 4: _ = () Execution of main function `f` with env: _ = () zero = 0 one = 1 Line 5: Giant-step execution of function `ref` with args: contents = 0 result of `ref` = {contents= 0} Line 6: Giant-step execution of anonymous function with args: z = {contents= 0} z = {contents= 3} result = () Line 7: Property failure at assertion with: z = {contents= 3} why3-1.6.0/bench/check-ce/oracles/anonymous6_CVC5,1.0.0_WP.oracle000066400000000000000000000024611440160026300237040ustar00rootroot00000000000000File "bench/check-ce/anonymous6.mlw", line 6, characters 18-27: Sub-goal Postcondition of goal f'vc. Prover result is: Valid. Categorizations of models: - Selected model 0: SW - Concrete RAC: NORMAL - Abstract RAC: FAILURE (assertion at "bench/check-ce/anonymous6.mlw", line 7, characters 10-15) - Checked model 1: SW - Concrete RAC: NORMAL - Abstract RAC: FAILURE (assertion at "bench/check-ce/anonymous6.mlw", line 7, characters 10-15) File "bench/check-ce/anonymous6.mlw", line 7, characters 10-15: Sub-goal Assertion of goal f'vc. Prover result is: Unknown or time/memory/step limit. The contracts of some function or loop are too weak, for example during the following execution: File int.mlw: Line 13: Constant zero initialization zero = 0 Line 14: Constant one initialization one = 1 Unknown location: _ = () File anonymous6.mlw: Line 4: _ = () Execution of main function `f` with env: _ = () zero = 0 one = 1 Line 5: Giant-step execution of function `ref` with args: contents = 0 result of `ref` = {contents= 0} Line 6: Giant-step execution of anonymous function with args: z = {contents= 0} z = {contents= 3} result = () Line 7: Property failure at assertion with: z = {contents= 3} why3-1.6.0/bench/check-ce/oracles/anonymous6_Z3,4.8.10_SP.oracle000066400000000000000000000025301440160026300235650ustar00rootroot00000000000000File "bench/check-ce/anonymous6.mlw", line 6, characters 18-27: Sub-goal Postcondition of goal f'vc. Prover result is: Valid. Categorizations of models: - Selected model 0: SW - Concrete RAC: NORMAL - Abstract RAC: FAILURE (assertion at "bench/check-ce/anonymous6.mlw", line 7, characters 10-15) - Checked model 1: BAD_CE - Concrete RAC: NORMAL - Abstract RAC: STUCK (failure in postcondition of anonymous function at "bench/check-ce/anonymous6.mlw", line 6, characters 18-27) File "bench/check-ce/anonymous6.mlw", line 7, characters 10-15: Sub-goal Assertion of goal f'vc. Prover result is: Unknown or time/memory/step limit. The contracts of some function or loop are too weak, for example during the following execution: File int.mlw: Line 13: Constant zero initialization zero = 0 Line 14: Constant one initialization one = 1 Unknown location: _ = () File anonymous6.mlw: Line 4: _ = () Execution of main function `f` with env: _ = () zero = 0 one = 1 Line 5: Giant-step execution of function `ref` with args: contents = 0 result of `ref` = {contents= 0} Line 6: Giant-step execution of anonymous function with args: z = {contents= 0} z = {contents= 3} result = () Line 7: Property failure at assertion with: z = {contents= 3} why3-1.6.0/bench/check-ce/oracles/anonymous6_Z3,4.8.10_WP.oracle000066400000000000000000000025301440160026300235710ustar00rootroot00000000000000File "bench/check-ce/anonymous6.mlw", line 6, characters 18-27: Sub-goal Postcondition of goal f'vc. Prover result is: Valid. Categorizations of models: - Selected model 0: SW - Concrete RAC: NORMAL - Abstract RAC: FAILURE (assertion at "bench/check-ce/anonymous6.mlw", line 7, characters 10-15) - Checked model 1: BAD_CE - Concrete RAC: NORMAL - Abstract RAC: STUCK (failure in postcondition of anonymous function at "bench/check-ce/anonymous6.mlw", line 6, characters 18-27) File "bench/check-ce/anonymous6.mlw", line 7, characters 10-15: Sub-goal Assertion of goal f'vc. Prover result is: Unknown or time/memory/step limit. The contracts of some function or loop are too weak, for example during the following execution: File int.mlw: Line 13: Constant zero initialization zero = 0 Line 14: Constant one initialization one = 1 Unknown location: _ = () File anonymous6.mlw: Line 4: _ = () Execution of main function `f` with env: _ = () zero = 0 one = 1 Line 5: Giant-step execution of function `ref` with args: contents = 0 result of `ref` = {contents= 0} Line 6: Giant-step execution of anonymous function with args: z = {contents= 0} z = {contents= 3} result = () Line 7: Property failure at assertion with: z = {contents= 3} why3-1.6.0/bench/check-ce/oracles/anonymous6_Z3,4.8.4_SP.oracle000066400000000000000000000222741440160026300235170ustar00rootroot00000000000000File "bench/check-ce/anonymous6.mlw", line 6, characters 18-27: Sub-goal Postcondition of goal f'vc. Prover result is: Valid (0.01s, 143 steps). Check model 0 ("bench/check-ce/anonymous6.mlw", line 7, characters 10-15) Checking model: File anonymous6.mlw: Line 6: z = {"type": "Record", "val": {"Field": [{"field": "contents", "value": {"type": "Integer", "val": "3"}}]}} Line 7: z = {"type": "Record", "val": {"Field": [{"field": "contents", "value": {"type": "Integer", "val": "3"}}]}} Giant-step RAC RHS evaluated for global `zero` at "WHY3DATA/stdlib/int.mlw", line 13, characters 15-19: 0 RHS evaluated for global `one` at "WHY3DATA/stdlib/int.mlw", line 14, characters 15-18: 1 Type default value for parameter `_` at NO LOC: () Value computed from postcondition for return value of call to ref at "bench/check-ce/anonymous6.mlw", line 5, characters 14-15 at "bench/check-ce/anonymous6.mlw", line 5, characters 14-15: {contents= 0} Value from model for variable `z` at "bench/check-ce/anonymous6.mlw", line 6, characters 2-40 at "bench/check-ce/anonymous6.mlw", line 6, characters 2-40: {contents= 3} Type default value for return value of call at "bench/check-ce/anonymous6.mlw", line 6, characters 2-40 at "bench/check-ce/anonymous6.mlw", line 6, characters 2-40: () Normal RAC RHS evaluated for global `zero` at "WHY3DATA/stdlib/int.mlw", line 13, characters 15-19: 0 RHS evaluated for global `one` at "WHY3DATA/stdlib/int.mlw", line 14, characters 15-18: 1 Type default value for parameter `_` at NO LOC: () Result of checking model 0: SW - Concrete RAC: NORMAL File int.mlw: Line 13: Constant zero initialization zero = 0 Line 14: Constant one initialization one = 1 Unknown location: _ = () File anonymous6.mlw: Line 4: _ = () Execution of main function `f` with env: _ = () zero = 0 one = 1 Line 5: Normal execution of function `ref` with args: contents = 0 Normal execution of function `ref'mk` with args: contents = 0 Line 6: Normal execution of anonymous function with args: z = {contents= 0} Line 4: Execution of main function terminated normally - Abstract RAC: FAILURE (assertion at "bench/check-ce/anonymous6.mlw", line 7, characters 10-15) File int.mlw: Line 13: Constant zero initialization zero = 0 Line 14: Constant one initialization one = 1 Unknown location: _ = () File anonymous6.mlw: Line 4: _ = () Execution of main function `f` with env: _ = () zero = 0 one = 1 Line 5: Giant-step execution of function `ref` with args: contents = 0 result of `ref` = {contents= 0} Line 6: Giant-step execution of anonymous function with args: z = {contents= 0} z = {contents= 3} result = () Line 7: Property failure at assertion with: z = {contents= 3} Check model 1 ("bench/check-ce/anonymous6.mlw", line 7, characters 10-15) Checking model: File anonymous6.mlw: Line 6: z = {"type": "Record", "val": {"Field": [{"field": "contents", "value": {"type": "Integer", "val": "3"}}]}} Line 7: z = {"type": "Record", "val": {"Field": [{"field": "contents", "value": {"type": "Integer", "val": "3"}}]}} Giant-step RAC RHS evaluated for global `zero` at "WHY3DATA/stdlib/int.mlw", line 13, characters 15-19: 0 RHS evaluated for global `one` at "WHY3DATA/stdlib/int.mlw", line 14, characters 15-18: 1 Type default value for parameter `_` at NO LOC: () Value computed from postcondition for return value of call to ref at "bench/check-ce/anonymous6.mlw", line 5, characters 14-15 at "bench/check-ce/anonymous6.mlw", line 5, characters 14-15: {contents= 0} Value from model for variable `z` at "bench/check-ce/anonymous6.mlw", line 6, characters 2-40 at "bench/check-ce/anonymous6.mlw", line 6, characters 2-40: {contents= 3} Type default value for return value of call at "bench/check-ce/anonymous6.mlw", line 6, characters 2-40 at "bench/check-ce/anonymous6.mlw", line 6, characters 2-40: () Normal RAC RHS evaluated for global `zero` at "WHY3DATA/stdlib/int.mlw", line 13, characters 15-19: 0 RHS evaluated for global `one` at "WHY3DATA/stdlib/int.mlw", line 14, characters 15-18: 1 Type default value for parameter `_` at NO LOC: () Result of checking model 1: SW - Concrete RAC: NORMAL File int.mlw: Line 13: Constant zero initialization zero = 0 Line 14: Constant one initialization one = 1 Unknown location: _ = () File anonymous6.mlw: Line 4: _ = () Execution of main function `f` with env: _ = () zero = 0 one = 1 Line 5: Normal execution of function `ref` with args: contents = 0 Normal execution of function `ref'mk` with args: contents = 0 Line 6: Normal execution of anonymous function with args: z = {contents= 0} Line 4: Execution of main function terminated normally - Abstract RAC: FAILURE (assertion at "bench/check-ce/anonymous6.mlw", line 7, characters 10-15) File int.mlw: Line 13: Constant zero initialization zero = 0 Line 14: Constant one initialization one = 1 Unknown location: _ = () File anonymous6.mlw: Line 4: _ = () Execution of main function `f` with env: _ = () zero = 0 one = 1 Line 5: Giant-step execution of function `ref` with args: contents = 0 result of `ref` = {contents= 0} Line 6: Giant-step execution of anonymous function with args: z = {contents= 0} z = {contents= 3} result = () Line 7: Property failure at assertion with: z = {contents= 3} Results: - Selected model 0: SW - Concrete RAC: NORMAL - Abstract RAC: FAILURE (assertion at "bench/check-ce/anonymous6.mlw", line 7, characters 10-15) - Checked model 1: SW - Concrete RAC: NORMAL - Abstract RAC: FAILURE (assertion at "bench/check-ce/anonymous6.mlw", line 7, characters 10-15) File "bench/check-ce/anonymous6.mlw", line 7, characters 10-15: Sub-goal Assertion of goal f'vc. Prover result is: Unknown (unknown) (1.10s, 7500000 steps). The contracts of some function or loop are too weak, for example during the following execution: File int.mlw: Line 13: Constant zero initialization zero = 0 Line 14: Constant one initialization one = 1 Unknown location: _ = () File anonymous6.mlw: Line 4: _ = () Execution of main function `f` with env: _ = () zero = 0 one = 1 Line 5: Giant-step execution of function `ref` with args: contents = 0 result of `ref` = {contents= 0} Line 6: Giant-step execution of anonymous function with args: z = {contents= 0} z = {contents= 3} result = () Line 7: Property failure at assertion with: z = {contents= 3} why3-1.6.0/bench/check-ce/oracles/anonymous6_Z3,4.8.4_WP.oracle000066400000000000000000000222741440160026300235230ustar00rootroot00000000000000File "bench/check-ce/anonymous6.mlw", line 6, characters 18-27: Sub-goal Postcondition of goal f'vc. Prover result is: Valid (0.02s, 143 steps). Check model 0 ("bench/check-ce/anonymous6.mlw", line 7, characters 10-15) Checking model: File anonymous6.mlw: Line 6: z = {"type": "Record", "val": {"Field": [{"field": "contents", "value": {"type": "Integer", "val": "3"}}]}} Line 7: z = {"type": "Record", "val": {"Field": [{"field": "contents", "value": {"type": "Integer", "val": "3"}}]}} Giant-step RAC RHS evaluated for global `zero` at "WHY3DATA/stdlib/int.mlw", line 13, characters 15-19: 0 RHS evaluated for global `one` at "WHY3DATA/stdlib/int.mlw", line 14, characters 15-18: 1 Type default value for parameter `_` at NO LOC: () Value computed from postcondition for return value of call to ref at "bench/check-ce/anonymous6.mlw", line 5, characters 14-15 at "bench/check-ce/anonymous6.mlw", line 5, characters 14-15: {contents= 0} Value from model for variable `z` at "bench/check-ce/anonymous6.mlw", line 6, characters 2-40 at "bench/check-ce/anonymous6.mlw", line 6, characters 2-40: {contents= 3} Type default value for return value of call at "bench/check-ce/anonymous6.mlw", line 6, characters 2-40 at "bench/check-ce/anonymous6.mlw", line 6, characters 2-40: () Normal RAC RHS evaluated for global `zero` at "WHY3DATA/stdlib/int.mlw", line 13, characters 15-19: 0 RHS evaluated for global `one` at "WHY3DATA/stdlib/int.mlw", line 14, characters 15-18: 1 Type default value for parameter `_` at NO LOC: () Result of checking model 0: SW - Concrete RAC: NORMAL File int.mlw: Line 13: Constant zero initialization zero = 0 Line 14: Constant one initialization one = 1 Unknown location: _ = () File anonymous6.mlw: Line 4: _ = () Execution of main function `f` with env: _ = () zero = 0 one = 1 Line 5: Normal execution of function `ref` with args: contents = 0 Normal execution of function `ref'mk` with args: contents = 0 Line 6: Normal execution of anonymous function with args: z = {contents= 0} Line 4: Execution of main function terminated normally - Abstract RAC: FAILURE (assertion at "bench/check-ce/anonymous6.mlw", line 7, characters 10-15) File int.mlw: Line 13: Constant zero initialization zero = 0 Line 14: Constant one initialization one = 1 Unknown location: _ = () File anonymous6.mlw: Line 4: _ = () Execution of main function `f` with env: _ = () zero = 0 one = 1 Line 5: Giant-step execution of function `ref` with args: contents = 0 result of `ref` = {contents= 0} Line 6: Giant-step execution of anonymous function with args: z = {contents= 0} z = {contents= 3} result = () Line 7: Property failure at assertion with: z = {contents= 3} Check model 1 ("bench/check-ce/anonymous6.mlw", line 7, characters 10-15) Checking model: File anonymous6.mlw: Line 6: z = {"type": "Record", "val": {"Field": [{"field": "contents", "value": {"type": "Integer", "val": "3"}}]}} Line 7: z = {"type": "Record", "val": {"Field": [{"field": "contents", "value": {"type": "Integer", "val": "3"}}]}} Giant-step RAC RHS evaluated for global `zero` at "WHY3DATA/stdlib/int.mlw", line 13, characters 15-19: 0 RHS evaluated for global `one` at "WHY3DATA/stdlib/int.mlw", line 14, characters 15-18: 1 Type default value for parameter `_` at NO LOC: () Value computed from postcondition for return value of call to ref at "bench/check-ce/anonymous6.mlw", line 5, characters 14-15 at "bench/check-ce/anonymous6.mlw", line 5, characters 14-15: {contents= 0} Value from model for variable `z` at "bench/check-ce/anonymous6.mlw", line 6, characters 2-40 at "bench/check-ce/anonymous6.mlw", line 6, characters 2-40: {contents= 3} Type default value for return value of call at "bench/check-ce/anonymous6.mlw", line 6, characters 2-40 at "bench/check-ce/anonymous6.mlw", line 6, characters 2-40: () Normal RAC RHS evaluated for global `zero` at "WHY3DATA/stdlib/int.mlw", line 13, characters 15-19: 0 RHS evaluated for global `one` at "WHY3DATA/stdlib/int.mlw", line 14, characters 15-18: 1 Type default value for parameter `_` at NO LOC: () Result of checking model 1: SW - Concrete RAC: NORMAL File int.mlw: Line 13: Constant zero initialization zero = 0 Line 14: Constant one initialization one = 1 Unknown location: _ = () File anonymous6.mlw: Line 4: _ = () Execution of main function `f` with env: _ = () zero = 0 one = 1 Line 5: Normal execution of function `ref` with args: contents = 0 Normal execution of function `ref'mk` with args: contents = 0 Line 6: Normal execution of anonymous function with args: z = {contents= 0} Line 4: Execution of main function terminated normally - Abstract RAC: FAILURE (assertion at "bench/check-ce/anonymous6.mlw", line 7, characters 10-15) File int.mlw: Line 13: Constant zero initialization zero = 0 Line 14: Constant one initialization one = 1 Unknown location: _ = () File anonymous6.mlw: Line 4: _ = () Execution of main function `f` with env: _ = () zero = 0 one = 1 Line 5: Giant-step execution of function `ref` with args: contents = 0 result of `ref` = {contents= 0} Line 6: Giant-step execution of anonymous function with args: z = {contents= 0} z = {contents= 3} result = () Line 7: Property failure at assertion with: z = {contents= 3} Results: - Selected model 0: SW - Concrete RAC: NORMAL - Abstract RAC: FAILURE (assertion at "bench/check-ce/anonymous6.mlw", line 7, characters 10-15) - Checked model 1: SW - Concrete RAC: NORMAL - Abstract RAC: FAILURE (assertion at "bench/check-ce/anonymous6.mlw", line 7, characters 10-15) File "bench/check-ce/anonymous6.mlw", line 7, characters 10-15: Sub-goal Assertion of goal f'vc. Prover result is: Unknown (unknown) (1.11s, 7500000 steps). The contracts of some function or loop are too weak, for example during the following execution: File int.mlw: Line 13: Constant zero initialization zero = 0 Line 14: Constant one initialization one = 1 Unknown location: _ = () File anonymous6.mlw: Line 4: _ = () Execution of main function `f` with env: _ = () zero = 0 one = 1 Line 5: Giant-step execution of function `ref` with args: contents = 0 result of `ref` = {contents= 0} Line 6: Giant-step execution of anonymous function with args: z = {contents= 0} z = {contents= 3} result = () Line 7: Property failure at assertion with: z = {contents= 3} why3-1.6.0/bench/check-ce/oracles/anonymous6_mono_CVC4,1.8_SP.oracle000066400000000000000000000023671440160026300246060ustar00rootroot00000000000000File "bench/check-ce/anonymous6_mono.mlw", line 9, characters 18-29: Sub-goal Postcondition of goal f'vc. Prover result is: Valid. Categorizations of models: - Selected model 0: SW - Concrete RAC: NORMAL - Abstract RAC: FAILURE (assertion at "bench/check-ce/anonymous6_mono.mlw", line 10, characters 10-17) - Checked model 1: SW - Concrete RAC: NORMAL - Abstract RAC: FAILURE (assertion at "bench/check-ce/anonymous6_mono.mlw", line 10, characters 10-17) File "bench/check-ce/anonymous6_mono.mlw", line 10, characters 10-17: Sub-goal Assertion of goal f'vc. Prover result is: Unknown (sat). The contracts of some function or loop are too weak, for example during the following execution: File int.mlw: Line 13: Constant zero initialization zero = 0 Line 14: Constant one initialization one = 1 Unknown location: _ = () File anonymous6_mono.mlw: Line 7: _ = () Execution of main function `f` with env: _ = () zero = 0 one = 1 Line 8: Normal execution of function `t'mk` with args: c = 0 Line 9: Giant-step execution of anonymous function with args: z = {c= 0} z = {c= 3} result = () Line 10: Property failure at assertion with: z = {c= 3} why3-1.6.0/bench/check-ce/oracles/anonymous6_mono_CVC4,1.8_WP.oracle000066400000000000000000000023671440160026300246120ustar00rootroot00000000000000File "bench/check-ce/anonymous6_mono.mlw", line 9, characters 18-29: Sub-goal Postcondition of goal f'vc. Prover result is: Valid. Categorizations of models: - Selected model 0: SW - Concrete RAC: NORMAL - Abstract RAC: FAILURE (assertion at "bench/check-ce/anonymous6_mono.mlw", line 10, characters 10-17) - Checked model 1: SW - Concrete RAC: NORMAL - Abstract RAC: FAILURE (assertion at "bench/check-ce/anonymous6_mono.mlw", line 10, characters 10-17) File "bench/check-ce/anonymous6_mono.mlw", line 10, characters 10-17: Sub-goal Assertion of goal f'vc. Prover result is: Unknown (sat). The contracts of some function or loop are too weak, for example during the following execution: File int.mlw: Line 13: Constant zero initialization zero = 0 Line 14: Constant one initialization one = 1 Unknown location: _ = () File anonymous6_mono.mlw: Line 7: _ = () Execution of main function `f` with env: _ = () zero = 0 one = 1 Line 8: Normal execution of function `t'mk` with args: c = 0 Line 9: Giant-step execution of anonymous function with args: z = {c= 0} z = {c= 3} result = () Line 10: Property failure at assertion with: z = {c= 3} why3-1.6.0/bench/check-ce/oracles/anonymous6_mono_CVC5,1.0.0_SP.oracle000066400000000000000000000023671440160026300247350ustar00rootroot00000000000000File "bench/check-ce/anonymous6_mono.mlw", line 9, characters 18-29: Sub-goal Postcondition of goal f'vc. Prover result is: Valid. Categorizations of models: - Selected model 0: SW - Concrete RAC: NORMAL - Abstract RAC: FAILURE (assertion at "bench/check-ce/anonymous6_mono.mlw", line 10, characters 10-17) - Checked model 1: SW - Concrete RAC: NORMAL - Abstract RAC: FAILURE (assertion at "bench/check-ce/anonymous6_mono.mlw", line 10, characters 10-17) File "bench/check-ce/anonymous6_mono.mlw", line 10, characters 10-17: Sub-goal Assertion of goal f'vc. Prover result is: Unknown (sat). The contracts of some function or loop are too weak, for example during the following execution: File int.mlw: Line 13: Constant zero initialization zero = 0 Line 14: Constant one initialization one = 1 Unknown location: _ = () File anonymous6_mono.mlw: Line 7: _ = () Execution of main function `f` with env: _ = () zero = 0 one = 1 Line 8: Normal execution of function `t'mk` with args: c = 0 Line 9: Giant-step execution of anonymous function with args: z = {c= 0} z = {c= 3} result = () Line 10: Property failure at assertion with: z = {c= 3} why3-1.6.0/bench/check-ce/oracles/anonymous6_mono_CVC5,1.0.0_WP.oracle000066400000000000000000000023671440160026300247410ustar00rootroot00000000000000File "bench/check-ce/anonymous6_mono.mlw", line 9, characters 18-29: Sub-goal Postcondition of goal f'vc. Prover result is: Valid. Categorizations of models: - Selected model 0: SW - Concrete RAC: NORMAL - Abstract RAC: FAILURE (assertion at "bench/check-ce/anonymous6_mono.mlw", line 10, characters 10-17) - Checked model 1: SW - Concrete RAC: NORMAL - Abstract RAC: FAILURE (assertion at "bench/check-ce/anonymous6_mono.mlw", line 10, characters 10-17) File "bench/check-ce/anonymous6_mono.mlw", line 10, characters 10-17: Sub-goal Assertion of goal f'vc. Prover result is: Unknown (sat). The contracts of some function or loop are too weak, for example during the following execution: File int.mlw: Line 13: Constant zero initialization zero = 0 Line 14: Constant one initialization one = 1 Unknown location: _ = () File anonymous6_mono.mlw: Line 7: _ = () Execution of main function `f` with env: _ = () zero = 0 one = 1 Line 8: Normal execution of function `t'mk` with args: c = 0 Line 9: Giant-step execution of anonymous function with args: z = {c= 0} z = {c= 3} result = () Line 10: Property failure at assertion with: z = {c= 3} why3-1.6.0/bench/check-ce/oracles/anonymous6_mono_Z3,4.8.10_SP.oracle000066400000000000000000000023671440160026300246250ustar00rootroot00000000000000File "bench/check-ce/anonymous6_mono.mlw", line 9, characters 18-29: Sub-goal Postcondition of goal f'vc. Prover result is: Valid. Categorizations of models: - Selected model 0: SW - Concrete RAC: NORMAL - Abstract RAC: FAILURE (assertion at "bench/check-ce/anonymous6_mono.mlw", line 10, characters 10-17) - Checked model 1: SW - Concrete RAC: NORMAL - Abstract RAC: FAILURE (assertion at "bench/check-ce/anonymous6_mono.mlw", line 10, characters 10-17) File "bench/check-ce/anonymous6_mono.mlw", line 10, characters 10-17: Sub-goal Assertion of goal f'vc. Prover result is: Unknown (sat). The contracts of some function or loop are too weak, for example during the following execution: File int.mlw: Line 13: Constant zero initialization zero = 0 Line 14: Constant one initialization one = 1 Unknown location: _ = () File anonymous6_mono.mlw: Line 7: _ = () Execution of main function `f` with env: _ = () zero = 0 one = 1 Line 8: Normal execution of function `t'mk` with args: c = 0 Line 9: Giant-step execution of anonymous function with args: z = {c= 0} z = {c= 3} result = () Line 10: Property failure at assertion with: z = {c= 3} why3-1.6.0/bench/check-ce/oracles/anonymous6_mono_Z3,4.8.10_WP.oracle000066400000000000000000000023671440160026300246310ustar00rootroot00000000000000File "bench/check-ce/anonymous6_mono.mlw", line 9, characters 18-29: Sub-goal Postcondition of goal f'vc. Prover result is: Valid. Categorizations of models: - Selected model 0: SW - Concrete RAC: NORMAL - Abstract RAC: FAILURE (assertion at "bench/check-ce/anonymous6_mono.mlw", line 10, characters 10-17) - Checked model 1: SW - Concrete RAC: NORMAL - Abstract RAC: FAILURE (assertion at "bench/check-ce/anonymous6_mono.mlw", line 10, characters 10-17) File "bench/check-ce/anonymous6_mono.mlw", line 10, characters 10-17: Sub-goal Assertion of goal f'vc. Prover result is: Unknown (sat). The contracts of some function or loop are too weak, for example during the following execution: File int.mlw: Line 13: Constant zero initialization zero = 0 Line 14: Constant one initialization one = 1 Unknown location: _ = () File anonymous6_mono.mlw: Line 7: _ = () Execution of main function `f` with env: _ = () zero = 0 one = 1 Line 8: Normal execution of function `t'mk` with args: c = 0 Line 9: Giant-step execution of anonymous function with args: z = {c= 0} z = {c= 3} result = () Line 10: Property failure at assertion with: z = {c= 3} why3-1.6.0/bench/check-ce/oracles/array_mono_CVC4,1.8_SP.oracle000066400000000000000000000066721440160026300236110ustar00rootroot00000000000000File bench/check-ce/array_mono.mlw: Goal array'vc. Prover result is: Valid. Categorizations of models: - Selected model 0: NC - Concrete RAC: FAILURE (precondition at "bench/check-ce/array_mono.mlw", line 36, characters 4-8) - Abstract RAC: FAILURE (precondition at "bench/check-ce/array_mono.mlw", line 36, characters 4-8) - Checked model 1: NC - Concrete RAC: FAILURE (precondition at "bench/check-ce/array_mono.mlw", line 36, characters 4-8) - Abstract RAC: FAILURE (precondition at "bench/check-ce/array_mono.mlw", line 36, characters 4-8) File "bench/check-ce/array_mono.mlw", line 36, characters 4-8: Sub-goal Index in array bounds of goal f1'vc. Prover result is: Unknown or time/memory/step limit. The program does not comply to the verification goal, for example during the following execution: File int.mlw: Line 13: Constant zero initialization zero = 0 Line 14: Constant one initialization one = 1 File array_mono.mlw: Line 35: a = {elts= fun (x:int) -> 0; length= 0} a = {elts= fun (x:int) -> 0; length= 0} Execution of main function `f1` with env: a = {elts= fun (x:int) -> 0; length= 0} zero = 0 one = 1 Line 36: (giant-step) execution of unimplemented function `([])` a = {elts= fun (x:int) -> 0; length= 0} i = 0 Property failure at precondition of `([])` with: a = {elts= fun (x:int) -> 0; length= 0} i = 0 File "bench/check-ce/array_mono.mlw", line 41, characters 4-14: Sub-goal Index in array bounds of goal f2'vc. Prover result is: Valid. Categorizations of models: - Checked model 0: INCOMPLETE - Concrete RAC: INCOMPLETE (terminated because Postcondition of `([]<-)` cannot be evaluated) - Abstract RAC: INCOMPLETE (terminated because Postcondition of `([]<-)` cannot be evaluated) - Selected model 1: INCOMPLETE - Concrete RAC: INCOMPLETE (terminated because Postcondition of `([]<-)` cannot be evaluated) - Abstract RAC: INCOMPLETE (terminated because Postcondition of `([]<-)` cannot be evaluated) - Checked model 2: INCOMPLETE - Concrete RAC: INCOMPLETE (terminated because Precondition of `f2` cannot be evaluated) - Abstract RAC: INCOMPLETE (terminated because Precondition of `f2` cannot be evaluated) File "bench/check-ce/array_mono.mlw", line 40, characters 14-26: Sub-goal Postcondition of goal f2'vc. Prover result is: Unknown or time/memory/step limit. The following counterexample model could not be verified (both RAC terminated because Postcondition of `([]<-)` cannot be evaluated): File array_mono.mlw: Line 9: elts : array -> int -> int = [|_ => [|0 => 42; 1 => 42; _ => 0|]|] Line 10: length : array -> int = [|_ => 2|] Line 19: mixfix [<-] : array -> int -> int -> array = fun bOUND_VARIABLE_450 bOUND_VARIABLE_451 bOUND_VARIABLE_452 -> {Array.elts = [|0 => 42; 1 => 42; _ => 0|]; Array.length = 2} Line 23: a : array = {Array.elts = [|0 => 42; 1 => 42; _ => 0|]; Array.length = 2} Line 25: a : array = {Array.elts = [|0 => 42; 1 => 42; _ => 0|]; Array.length = 2} old a : array = {Array.elts = [|0 => 42; 1 => 42; _ => 0|]; Array.length = 2} Line 38: a : array = {Array.elts = [|0 => 42; 1 => 42; _ => 0|]; Array.length = 2} Line 40: a : array = {Array.elts = [|0 => 42; 1 => 42; _ => 0|]; Array.length = 2} Line 41: a : array = {Array.elts = [|0 => 42; 1 => 42; _ => 0|]; Array.length = 2} why3-1.6.0/bench/check-ce/oracles/array_mono_CVC4,1.8_WP.oracle000066400000000000000000000066721440160026300236150ustar00rootroot00000000000000File bench/check-ce/array_mono.mlw: Goal array'vc. Prover result is: Valid. Categorizations of models: - Selected model 0: NC - Concrete RAC: FAILURE (precondition at "bench/check-ce/array_mono.mlw", line 36, characters 4-8) - Abstract RAC: FAILURE (precondition at "bench/check-ce/array_mono.mlw", line 36, characters 4-8) - Checked model 1: NC - Concrete RAC: FAILURE (precondition at "bench/check-ce/array_mono.mlw", line 36, characters 4-8) - Abstract RAC: FAILURE (precondition at "bench/check-ce/array_mono.mlw", line 36, characters 4-8) File "bench/check-ce/array_mono.mlw", line 36, characters 4-8: Sub-goal Index in array bounds of goal f1'vc. Prover result is: Unknown or time/memory/step limit. The program does not comply to the verification goal, for example during the following execution: File int.mlw: Line 13: Constant zero initialization zero = 0 Line 14: Constant one initialization one = 1 File array_mono.mlw: Line 35: a = {elts= fun (x:int) -> 0; length= 0} a = {elts= fun (x:int) -> 0; length= 0} Execution of main function `f1` with env: a = {elts= fun (x:int) -> 0; length= 0} zero = 0 one = 1 Line 36: (giant-step) execution of unimplemented function `([])` a = {elts= fun (x:int) -> 0; length= 0} i = 0 Property failure at precondition of `([])` with: a = {elts= fun (x:int) -> 0; length= 0} i = 0 File "bench/check-ce/array_mono.mlw", line 41, characters 4-14: Sub-goal Index in array bounds of goal f2'vc. Prover result is: Valid. Categorizations of models: - Checked model 0: INCOMPLETE - Concrete RAC: INCOMPLETE (terminated because Postcondition of `([]<-)` cannot be evaluated) - Abstract RAC: INCOMPLETE (terminated because Postcondition of `([]<-)` cannot be evaluated) - Selected model 1: INCOMPLETE - Concrete RAC: INCOMPLETE (terminated because Postcondition of `([]<-)` cannot be evaluated) - Abstract RAC: INCOMPLETE (terminated because Postcondition of `([]<-)` cannot be evaluated) - Checked model 2: INCOMPLETE - Concrete RAC: INCOMPLETE (terminated because Precondition of `f2` cannot be evaluated) - Abstract RAC: INCOMPLETE (terminated because Precondition of `f2` cannot be evaluated) File "bench/check-ce/array_mono.mlw", line 40, characters 14-26: Sub-goal Postcondition of goal f2'vc. Prover result is: Unknown or time/memory/step limit. The following counterexample model could not be verified (both RAC terminated because Postcondition of `([]<-)` cannot be evaluated): File array_mono.mlw: Line 9: elts : array -> int -> int = [|_ => [|0 => 42; 1 => 42; _ => 0|]|] Line 10: length : array -> int = [|_ => 2|] Line 19: mixfix [<-] : array -> int -> int -> array = fun bOUND_VARIABLE_450 bOUND_VARIABLE_451 bOUND_VARIABLE_452 -> {Array.elts = [|0 => 42; 1 => 42; _ => 0|]; Array.length = 2} Line 23: a : array = {Array.elts = [|0 => 42; 1 => 42; _ => 0|]; Array.length = 2} Line 25: a : array = {Array.elts = [|0 => 42; 1 => 42; _ => 0|]; Array.length = 2} old a : array = {Array.elts = [|0 => 42; 1 => 42; _ => 0|]; Array.length = 2} Line 38: a : array = {Array.elts = [|0 => 42; 1 => 42; _ => 0|]; Array.length = 2} Line 40: a : array = {Array.elts = [|0 => 42; 1 => 42; _ => 0|]; Array.length = 2} Line 41: a : array = {Array.elts = [|0 => 42; 1 => 42; _ => 0|]; Array.length = 2} why3-1.6.0/bench/check-ce/oracles/array_mono_CVC5,1.0.0_SP.oracle000066400000000000000000000062701440160026300237320ustar00rootroot00000000000000File bench/check-ce/array_mono.mlw: Goal array'vc. Prover result is: Valid. Categorizations of models: - Selected model 0: NC - Concrete RAC: FAILURE (precondition at "bench/check-ce/array_mono.mlw", line 36, characters 4-8) - Abstract RAC: FAILURE (precondition at "bench/check-ce/array_mono.mlw", line 36, characters 4-8) - Checked model 1: NC - Concrete RAC: FAILURE (precondition at "bench/check-ce/array_mono.mlw", line 36, characters 4-8) - Abstract RAC: FAILURE (precondition at "bench/check-ce/array_mono.mlw", line 36, characters 4-8) File "bench/check-ce/array_mono.mlw", line 36, characters 4-8: Sub-goal Index in array bounds of goal f1'vc. Prover result is: Unknown or time/memory/step limit. The program does not comply to the verification goal, for example during the following execution: File int.mlw: Line 13: Constant zero initialization zero = 0 Line 14: Constant one initialization one = 1 File array_mono.mlw: Line 35: a = {elts= fun (x:int) -> 0; length= 0} a = {elts= fun (x:int) -> 0; length= 0} Execution of main function `f1` with env: a = {elts= fun (x:int) -> 0; length= 0} zero = 0 one = 1 Line 36: (giant-step) execution of unimplemented function `([])` a = {elts= fun (x:int) -> 0; length= 0} i = 0 Property failure at precondition of `([])` with: a = {elts= fun (x:int) -> 0; length= 0} i = 0 File "bench/check-ce/array_mono.mlw", line 41, characters 4-14: Sub-goal Index in array bounds of goal f2'vc. Prover result is: Valid. Categorizations of models: - Selected model 0: INCOMPLETE - Concrete RAC: INCOMPLETE (terminated because Postcondition of `([]<-)` cannot be evaluated) - Abstract RAC: INCOMPLETE (terminated because Postcondition of `([]<-)` cannot be evaluated) - Checked model 1: INCOMPLETE - Concrete RAC: INCOMPLETE (terminated because Precondition of `f2` cannot be evaluated) - Abstract RAC: INCOMPLETE (terminated because Precondition of `f2` cannot be evaluated) File "bench/check-ce/array_mono.mlw", line 40, characters 14-26: Sub-goal Postcondition of goal f2'vc. Prover result is: Unknown or time/memory/step limit. The following counterexample model could not be verified (both RAC terminated because Postcondition of `([]<-)` cannot be evaluated): File array_mono.mlw: Line 9: elts : array -> int -> int = [|_ => [|0 => 42; 1 => 42; _ => 0|]|] Line 10: length : array -> int = [|_ => 2|] Line 19: mixfix [<-] : array -> int -> int -> array = fun _arg_1 _arg_2 _arg_3 -> {Array.elts = [|0 => 42; 1 => 42; _ => 0|]; Array.length = 2} Line 23: a : array = {Array.elts = [|0 => 42; 1 => 42; _ => 0|]; Array.length = 2} Line 25: a : array = {Array.elts = [|0 => 42; 1 => 42; _ => 0|]; Array.length = 2} old a : array = {Array.elts = [|0 => 42; 1 => 42; _ => 0|]; Array.length = 2} Line 38: a : array = {Array.elts = [|0 => 42; 1 => 42; _ => 0|]; Array.length = 2} Line 40: a : array = {Array.elts = [|0 => 42; 1 => 42; _ => 0|]; Array.length = 2} Line 41: a : array = {Array.elts = [|0 => 42; 1 => 42; _ => 0|]; Array.length = 2} why3-1.6.0/bench/check-ce/oracles/array_mono_CVC5,1.0.0_WP.oracle000066400000000000000000000062701440160026300237360ustar00rootroot00000000000000File bench/check-ce/array_mono.mlw: Goal array'vc. Prover result is: Valid. Categorizations of models: - Selected model 0: NC - Concrete RAC: FAILURE (precondition at "bench/check-ce/array_mono.mlw", line 36, characters 4-8) - Abstract RAC: FAILURE (precondition at "bench/check-ce/array_mono.mlw", line 36, characters 4-8) - Checked model 1: NC - Concrete RAC: FAILURE (precondition at "bench/check-ce/array_mono.mlw", line 36, characters 4-8) - Abstract RAC: FAILURE (precondition at "bench/check-ce/array_mono.mlw", line 36, characters 4-8) File "bench/check-ce/array_mono.mlw", line 36, characters 4-8: Sub-goal Index in array bounds of goal f1'vc. Prover result is: Unknown or time/memory/step limit. The program does not comply to the verification goal, for example during the following execution: File int.mlw: Line 13: Constant zero initialization zero = 0 Line 14: Constant one initialization one = 1 File array_mono.mlw: Line 35: a = {elts= fun (x:int) -> 0; length= 0} a = {elts= fun (x:int) -> 0; length= 0} Execution of main function `f1` with env: a = {elts= fun (x:int) -> 0; length= 0} zero = 0 one = 1 Line 36: (giant-step) execution of unimplemented function `([])` a = {elts= fun (x:int) -> 0; length= 0} i = 0 Property failure at precondition of `([])` with: a = {elts= fun (x:int) -> 0; length= 0} i = 0 File "bench/check-ce/array_mono.mlw", line 41, characters 4-14: Sub-goal Index in array bounds of goal f2'vc. Prover result is: Valid. Categorizations of models: - Selected model 0: INCOMPLETE - Concrete RAC: INCOMPLETE (terminated because Postcondition of `([]<-)` cannot be evaluated) - Abstract RAC: INCOMPLETE (terminated because Postcondition of `([]<-)` cannot be evaluated) - Checked model 1: INCOMPLETE - Concrete RAC: INCOMPLETE (terminated because Precondition of `f2` cannot be evaluated) - Abstract RAC: INCOMPLETE (terminated because Precondition of `f2` cannot be evaluated) File "bench/check-ce/array_mono.mlw", line 40, characters 14-26: Sub-goal Postcondition of goal f2'vc. Prover result is: Unknown or time/memory/step limit. The following counterexample model could not be verified (both RAC terminated because Postcondition of `([]<-)` cannot be evaluated): File array_mono.mlw: Line 9: elts : array -> int -> int = [|_ => [|0 => 42; 1 => 42; _ => 0|]|] Line 10: length : array -> int = [|_ => 2|] Line 19: mixfix [<-] : array -> int -> int -> array = fun _arg_1 _arg_2 _arg_3 -> {Array.elts = [|0 => 42; 1 => 42; _ => 0|]; Array.length = 2} Line 23: a : array = {Array.elts = [|0 => 42; 1 => 42; _ => 0|]; Array.length = 2} Line 25: a : array = {Array.elts = [|0 => 42; 1 => 42; _ => 0|]; Array.length = 2} old a : array = {Array.elts = [|0 => 42; 1 => 42; _ => 0|]; Array.length = 2} Line 38: a : array = {Array.elts = [|0 => 42; 1 => 42; _ => 0|]; Array.length = 2} Line 40: a : array = {Array.elts = [|0 => 42; 1 => 42; _ => 0|]; Array.length = 2} Line 41: a : array = {Array.elts = [|0 => 42; 1 => 42; _ => 0|]; Array.length = 2} why3-1.6.0/bench/check-ce/oracles/array_mono_Z3,4.8.10_SP.oracle000066400000000000000000000062021440160026300236150ustar00rootroot00000000000000File bench/check-ce/array_mono.mlw: Goal array'vc. Prover result is: Valid. Categorizations of models: - Selected model 0: NC - Concrete RAC: FAILURE (precondition at "bench/check-ce/array_mono.mlw", line 36, characters 4-8) - Abstract RAC: FAILURE (precondition at "bench/check-ce/array_mono.mlw", line 36, characters 4-8) - Checked model 1: INCOMPLETE - Concrete RAC: INCOMPLETE (terminated because Precondition of `([])` cannot be evaluated) - Abstract RAC: INCOMPLETE (terminated because Precondition of `([])` cannot be evaluated) File "bench/check-ce/array_mono.mlw", line 36, characters 4-8: Sub-goal Index in array bounds of goal f1'vc. Prover result is: Unknown or time/memory/step limit. The program does not comply to the verification goal, for example during the following execution: File int.mlw: Line 13: Constant zero initialization zero = 0 Line 14: Constant one initialization one = 1 File array_mono.mlw: Line 35: a = {elts= fun (x:int) -> 0; length= 0} a = {elts= fun (x:int) -> 0; length= 0} Execution of main function `f1` with env: a = {elts= fun (x:int) -> 0; length= 0} zero = 0 one = 1 Line 36: (giant-step) execution of unimplemented function `([])` a = {elts= fun (x:int) -> 0; length= 0} i = 0 Property failure at precondition of `([])` with: a = {elts= fun (x:int) -> 0; length= 0} i = 0 File "bench/check-ce/array_mono.mlw", line 41, characters 4-14: Sub-goal Index in array bounds of goal f2'vc. Prover result is: Valid. Categorizations of models: - Selected model 0: INCOMPLETE - Concrete RAC: INCOMPLETE (terminated because Postcondition of `([]<-)` cannot be evaluated) - Abstract RAC: INCOMPLETE (terminated because Postcondition of `([]<-)` cannot be evaluated) - Checked model 1: INCOMPLETE - Concrete RAC: INCOMPLETE (terminated because Precondition of `f2` cannot be evaluated) - Abstract RAC: INCOMPLETE (terminated because Precondition of `f2` cannot be evaluated) File "bench/check-ce/array_mono.mlw", line 40, characters 14-26: Sub-goal Postcondition of goal f2'vc. Prover result is: Unknown or time/memory/step limit. The following counterexample model could not be verified (both RAC terminated because Postcondition of `([]<-)` cannot be evaluated): File array_mono.mlw: Line 10: length : array -> int = [|epsilon x. (Array.length x) = 2 => 2; epsilon x. (Array.length x) = 2 => 2; _ => 2|] Line 19: mixfix [<-] : array -> int -> int -> array = fun x!0 x!1 x!2 -> if x!0 = epsilon x. (Array.length x) = 2 /\ x!1 = 0 /\ x!2 = 42 then epsilon x. (Array.length x) = 2 else epsilon x. (Array.length x) = 2 Line 23: a : array = epsilon x. (Array.length x) = 2 Line 25: a : array = epsilon x. (Array.length x) = 2 old a : array = epsilon x. (Array.length x) = 2 Line 38: a : array = epsilon x. (Array.length x) = 2 Line 40: a : array = epsilon x. (Array.length x) = 2 Line 41: a : array = epsilon x. (Array.length x) = 2 why3-1.6.0/bench/check-ce/oracles/array_mono_Z3,4.8.10_WP.oracle000066400000000000000000000062021440160026300236210ustar00rootroot00000000000000File bench/check-ce/array_mono.mlw: Goal array'vc. Prover result is: Valid. Categorizations of models: - Selected model 0: NC - Concrete RAC: FAILURE (precondition at "bench/check-ce/array_mono.mlw", line 36, characters 4-8) - Abstract RAC: FAILURE (precondition at "bench/check-ce/array_mono.mlw", line 36, characters 4-8) - Checked model 1: INCOMPLETE - Concrete RAC: INCOMPLETE (terminated because Precondition of `([])` cannot be evaluated) - Abstract RAC: INCOMPLETE (terminated because Precondition of `([])` cannot be evaluated) File "bench/check-ce/array_mono.mlw", line 36, characters 4-8: Sub-goal Index in array bounds of goal f1'vc. Prover result is: Unknown or time/memory/step limit. The program does not comply to the verification goal, for example during the following execution: File int.mlw: Line 13: Constant zero initialization zero = 0 Line 14: Constant one initialization one = 1 File array_mono.mlw: Line 35: a = {elts= fun (x:int) -> 0; length= 0} a = {elts= fun (x:int) -> 0; length= 0} Execution of main function `f1` with env: a = {elts= fun (x:int) -> 0; length= 0} zero = 0 one = 1 Line 36: (giant-step) execution of unimplemented function `([])` a = {elts= fun (x:int) -> 0; length= 0} i = 0 Property failure at precondition of `([])` with: a = {elts= fun (x:int) -> 0; length= 0} i = 0 File "bench/check-ce/array_mono.mlw", line 41, characters 4-14: Sub-goal Index in array bounds of goal f2'vc. Prover result is: Valid. Categorizations of models: - Selected model 0: INCOMPLETE - Concrete RAC: INCOMPLETE (terminated because Postcondition of `([]<-)` cannot be evaluated) - Abstract RAC: INCOMPLETE (terminated because Postcondition of `([]<-)` cannot be evaluated) - Checked model 1: INCOMPLETE - Concrete RAC: INCOMPLETE (terminated because Precondition of `f2` cannot be evaluated) - Abstract RAC: INCOMPLETE (terminated because Precondition of `f2` cannot be evaluated) File "bench/check-ce/array_mono.mlw", line 40, characters 14-26: Sub-goal Postcondition of goal f2'vc. Prover result is: Unknown or time/memory/step limit. The following counterexample model could not be verified (both RAC terminated because Postcondition of `([]<-)` cannot be evaluated): File array_mono.mlw: Line 10: length : array -> int = [|epsilon x. (Array.length x) = 2 => 2; epsilon x. (Array.length x) = 2 => 2; _ => 2|] Line 19: mixfix [<-] : array -> int -> int -> array = fun x!0 x!1 x!2 -> if x!0 = epsilon x. (Array.length x) = 2 /\ x!1 = 0 /\ x!2 = 42 then epsilon x. (Array.length x) = 2 else epsilon x. (Array.length x) = 2 Line 23: a : array = epsilon x. (Array.length x) = 2 Line 25: a : array = epsilon x. (Array.length x) = 2 old a : array = epsilon x. (Array.length x) = 2 Line 38: a : array = epsilon x. (Array.length x) = 2 Line 40: a : array = epsilon x. (Array.length x) = 2 Line 41: a : array = epsilon x. (Array.length x) = 2 why3-1.6.0/bench/check-ce/oracles/array_poly_CVC4,1.8_SP.oracle000066400000000000000000000077211440160026300236200ustar00rootroot00000000000000Categorizations of models: - Selected model 0: NC - Concrete RAC: FAILURE (precondition at "bench/check-ce/array_poly.mlw", line 8, characters 4-8) - Abstract RAC: FAILURE (precondition at "bench/check-ce/array_poly.mlw", line 8, characters 4-8) - Checked model 1: NC - Concrete RAC: FAILURE (precondition at "bench/check-ce/array_poly.mlw", line 8, characters 4-8) - Abstract RAC: FAILURE (precondition at "bench/check-ce/array_poly.mlw", line 8, characters 4-8) File "bench/check-ce/array_poly.mlw", line 8, characters 4-8: Sub-goal Index in array bounds of goal f1'vc. Prover result is: Unknown or time/memory/step limit. The program does not comply to the verification goal, for example during the following execution: File int.mlw: Line 13: Constant zero initialization zero = 0 Line 14: Constant one initialization one = 1 File array_poly.mlw: Line 7: a = [] a = [] Execution of main function `f1` with env: a = [] zero = 0 one = 1 Line 8: Normal execution of function `([])` with args: a = [] i = 0 Property failure at precondition of `([])` with: a = [] i = 0 File "bench/check-ce/array_poly.mlw", line 13, characters 4-14: Sub-goal Index in array bounds of goal f2'vc. Prover result is: Valid. Categorizations of models: - Checked model 0: BAD_CE - Concrete RAC: STUCK (failure in precondition of `f2` at "bench/check-ce/array_poly.mlw", line 10, characters 6-8) - Abstract RAC: STUCK (failure in precondition of `f2` at "bench/check-ce/array_poly.mlw", line 10, characters 6-8) - Selected model 1: BAD_CE - Concrete RAC: STUCK (failure in precondition of `f2` at "bench/check-ce/array_poly.mlw", line 10, characters 6-8) - Abstract RAC: STUCK (failure in precondition of `f2` at "bench/check-ce/array_poly.mlw", line 10, characters 6-8) - Checked model 2: BAD_CE - Concrete RAC: STUCK (failure in precondition of `f2` at "bench/check-ce/array_poly.mlw", line 10, characters 6-8) - Abstract RAC: STUCK (failure in precondition of `f2` at "bench/check-ce/array_poly.mlw", line 10, characters 6-8) File "bench/check-ce/array_poly.mlw", line 12, characters 14-26: Sub-goal Postcondition of goal f2'vc. Prover result is: Unknown or time/memory/step limit. Sorry, we don't have a good counterexample for you :( Categorizations of models: - Checked model 0: INCOMPLETE - Concrete RAC: INCOMPLETE (terminated with uncaught exception) - Abstract RAC: INCOMPLETE (terminated with uncaught exception) - Selected model 1: INCOMPLETE - Concrete RAC: INCOMPLETE (terminated with uncaught exception) - Abstract RAC: INCOMPLETE (terminated with uncaught exception) File "bench/check-ce/array_poly.mlw", line 27, characters 14-22: Sub-goal Postcondition of goal f1'vc. Prover result is: Unknown or time/memory/step limit. The following counterexample model could not be verified (both RAC terminated with uncaught exception): File array.mlw: Line 17: length : ty -> uni -> int = fun bOUND_VARIABLE_466 bOUND_VARIABLE_467 -> 2 Line 232: sorted : array int -> bool = [|_ => false|] Categorizations of models: - Checked model 0: INCOMPLETE - Concrete RAC: INCOMPLETE (terminated with uncaught exception) - Abstract RAC: INCOMPLETE (terminated with uncaught exception) - Selected model 1: INCOMPLETE - Concrete RAC: INCOMPLETE (terminated with uncaught exception) - Abstract RAC: INCOMPLETE (terminated with uncaught exception) File "bench/check-ce/array_poly.mlw", line 32, characters 14-27: Sub-goal Postcondition of goal f2'vc. Prover result is: Unknown or time/memory/step limit. The following counterexample model could not be verified (both RAC terminated with uncaught exception): File array.mlw: Line 17: length : ty -> uni -> int = fun bOUND_VARIABLE_470 bOUND_VARIABLE_471 -> 2 Line 232: sorted : array int -> bool = [|_ => false|] why3-1.6.0/bench/check-ce/oracles/array_poly_CVC4,1.8_WP.oracle000066400000000000000000000077211440160026300236240ustar00rootroot00000000000000Categorizations of models: - Selected model 0: NC - Concrete RAC: FAILURE (precondition at "bench/check-ce/array_poly.mlw", line 8, characters 4-8) - Abstract RAC: FAILURE (precondition at "bench/check-ce/array_poly.mlw", line 8, characters 4-8) - Checked model 1: NC - Concrete RAC: FAILURE (precondition at "bench/check-ce/array_poly.mlw", line 8, characters 4-8) - Abstract RAC: FAILURE (precondition at "bench/check-ce/array_poly.mlw", line 8, characters 4-8) File "bench/check-ce/array_poly.mlw", line 8, characters 4-8: Sub-goal Index in array bounds of goal f1'vc. Prover result is: Unknown or time/memory/step limit. The program does not comply to the verification goal, for example during the following execution: File int.mlw: Line 13: Constant zero initialization zero = 0 Line 14: Constant one initialization one = 1 File array_poly.mlw: Line 7: a = [] a = [] Execution of main function `f1` with env: a = [] zero = 0 one = 1 Line 8: Normal execution of function `([])` with args: a = [] i = 0 Property failure at precondition of `([])` with: a = [] i = 0 File "bench/check-ce/array_poly.mlw", line 13, characters 4-14: Sub-goal Index in array bounds of goal f2'vc. Prover result is: Valid. Categorizations of models: - Checked model 0: BAD_CE - Concrete RAC: STUCK (failure in precondition of `f2` at "bench/check-ce/array_poly.mlw", line 10, characters 6-8) - Abstract RAC: STUCK (failure in precondition of `f2` at "bench/check-ce/array_poly.mlw", line 10, characters 6-8) - Selected model 1: BAD_CE - Concrete RAC: STUCK (failure in precondition of `f2` at "bench/check-ce/array_poly.mlw", line 10, characters 6-8) - Abstract RAC: STUCK (failure in precondition of `f2` at "bench/check-ce/array_poly.mlw", line 10, characters 6-8) - Checked model 2: BAD_CE - Concrete RAC: STUCK (failure in precondition of `f2` at "bench/check-ce/array_poly.mlw", line 10, characters 6-8) - Abstract RAC: STUCK (failure in precondition of `f2` at "bench/check-ce/array_poly.mlw", line 10, characters 6-8) File "bench/check-ce/array_poly.mlw", line 12, characters 14-26: Sub-goal Postcondition of goal f2'vc. Prover result is: Unknown or time/memory/step limit. Sorry, we don't have a good counterexample for you :( Categorizations of models: - Checked model 0: INCOMPLETE - Concrete RAC: INCOMPLETE (terminated with uncaught exception) - Abstract RAC: INCOMPLETE (terminated with uncaught exception) - Selected model 1: INCOMPLETE - Concrete RAC: INCOMPLETE (terminated with uncaught exception) - Abstract RAC: INCOMPLETE (terminated with uncaught exception) File "bench/check-ce/array_poly.mlw", line 27, characters 14-22: Sub-goal Postcondition of goal f1'vc. Prover result is: Unknown or time/memory/step limit. The following counterexample model could not be verified (both RAC terminated with uncaught exception): File array.mlw: Line 17: length : ty -> uni -> int = fun bOUND_VARIABLE_466 bOUND_VARIABLE_467 -> 2 Line 232: sorted : array int -> bool = [|_ => false|] Categorizations of models: - Checked model 0: INCOMPLETE - Concrete RAC: INCOMPLETE (terminated with uncaught exception) - Abstract RAC: INCOMPLETE (terminated with uncaught exception) - Selected model 1: INCOMPLETE - Concrete RAC: INCOMPLETE (terminated with uncaught exception) - Abstract RAC: INCOMPLETE (terminated with uncaught exception) File "bench/check-ce/array_poly.mlw", line 32, characters 14-27: Sub-goal Postcondition of goal f2'vc. Prover result is: Unknown or time/memory/step limit. The following counterexample model could not be verified (both RAC terminated with uncaught exception): File array.mlw: Line 17: length : ty -> uni -> int = fun bOUND_VARIABLE_470 bOUND_VARIABLE_471 -> 2 Line 232: sorted : array int -> bool = [|_ => false|] why3-1.6.0/bench/check-ce/oracles/array_poly_CVC5,1.0.0_SP.oracle000066400000000000000000000071371440160026300237500ustar00rootroot00000000000000Categorizations of models: - Selected model 0: NC - Concrete RAC: FAILURE (precondition at "bench/check-ce/array_poly.mlw", line 8, characters 4-8) - Abstract RAC: FAILURE (precondition at "bench/check-ce/array_poly.mlw", line 8, characters 4-8) - Checked model 1: NC - Concrete RAC: FAILURE (precondition at "bench/check-ce/array_poly.mlw", line 8, characters 4-8) - Abstract RAC: FAILURE (precondition at "bench/check-ce/array_poly.mlw", line 8, characters 4-8) File "bench/check-ce/array_poly.mlw", line 8, characters 4-8: Sub-goal Index in array bounds of goal f1'vc. Prover result is: Unknown or time/memory/step limit. The program does not comply to the verification goal, for example during the following execution: File int.mlw: Line 13: Constant zero initialization zero = 0 Line 14: Constant one initialization one = 1 File array_poly.mlw: Line 7: a = [] a = [] Execution of main function `f1` with env: a = [] zero = 0 one = 1 Line 8: Normal execution of function `([])` with args: a = [] i = 0 Property failure at precondition of `([])` with: a = [] i = 0 File "bench/check-ce/array_poly.mlw", line 13, characters 4-14: Sub-goal Index in array bounds of goal f2'vc. Prover result is: Valid. Categorizations of models: - Selected model 0: BAD_CE - Concrete RAC: STUCK (failure in precondition of `f2` at "bench/check-ce/array_poly.mlw", line 10, characters 6-8) - Abstract RAC: STUCK (failure in precondition of `f2` at "bench/check-ce/array_poly.mlw", line 10, characters 6-8) - Checked model 1: BAD_CE - Concrete RAC: STUCK (failure in precondition of `f2` at "bench/check-ce/array_poly.mlw", line 10, characters 6-8) - Abstract RAC: STUCK (failure in precondition of `f2` at "bench/check-ce/array_poly.mlw", line 10, characters 6-8) File "bench/check-ce/array_poly.mlw", line 12, characters 14-26: Sub-goal Postcondition of goal f2'vc. Prover result is: Unknown or time/memory/step limit. Sorry, we don't have a good counterexample for you :( Categorizations of models: - Checked model 0: INCOMPLETE - Concrete RAC: INCOMPLETE (terminated with uncaught exception) - Abstract RAC: INCOMPLETE (terminated with uncaught exception) - Selected model 1: INCOMPLETE - Concrete RAC: INCOMPLETE (terminated with uncaught exception) - Abstract RAC: INCOMPLETE (terminated with uncaught exception) File "bench/check-ce/array_poly.mlw", line 27, characters 14-22: Sub-goal Postcondition of goal f1'vc. Prover result is: Unknown or time/memory/step limit. The following counterexample model could not be verified (both RAC terminated with uncaught exception): File array.mlw: Line 17: length : ty -> uni -> int = fun _arg_1 _arg_2 -> 2 Line 232: sorted : array int -> bool = [|_ => false|] Categorizations of models: - Checked model 0: INCOMPLETE - Concrete RAC: INCOMPLETE (terminated with uncaught exception) - Abstract RAC: INCOMPLETE (terminated with uncaught exception) - Selected model 1: INCOMPLETE - Concrete RAC: INCOMPLETE (terminated with uncaught exception) - Abstract RAC: INCOMPLETE (terminated with uncaught exception) File "bench/check-ce/array_poly.mlw", line 32, characters 14-27: Sub-goal Postcondition of goal f2'vc. Prover result is: Unknown or time/memory/step limit. The following counterexample model could not be verified (both RAC terminated with uncaught exception): File array.mlw: Line 17: length : ty -> uni -> int = fun _arg_1 _arg_2 -> 2 Line 232: sorted : array int -> bool = [|_ => false|] why3-1.6.0/bench/check-ce/oracles/array_poly_CVC5,1.0.0_WP.oracle000066400000000000000000000071371440160026300237540ustar00rootroot00000000000000Categorizations of models: - Selected model 0: NC - Concrete RAC: FAILURE (precondition at "bench/check-ce/array_poly.mlw", line 8, characters 4-8) - Abstract RAC: FAILURE (precondition at "bench/check-ce/array_poly.mlw", line 8, characters 4-8) - Checked model 1: NC - Concrete RAC: FAILURE (precondition at "bench/check-ce/array_poly.mlw", line 8, characters 4-8) - Abstract RAC: FAILURE (precondition at "bench/check-ce/array_poly.mlw", line 8, characters 4-8) File "bench/check-ce/array_poly.mlw", line 8, characters 4-8: Sub-goal Index in array bounds of goal f1'vc. Prover result is: Unknown or time/memory/step limit. The program does not comply to the verification goal, for example during the following execution: File int.mlw: Line 13: Constant zero initialization zero = 0 Line 14: Constant one initialization one = 1 File array_poly.mlw: Line 7: a = [] a = [] Execution of main function `f1` with env: a = [] zero = 0 one = 1 Line 8: Normal execution of function `([])` with args: a = [] i = 0 Property failure at precondition of `([])` with: a = [] i = 0 File "bench/check-ce/array_poly.mlw", line 13, characters 4-14: Sub-goal Index in array bounds of goal f2'vc. Prover result is: Valid. Categorizations of models: - Selected model 0: BAD_CE - Concrete RAC: STUCK (failure in precondition of `f2` at "bench/check-ce/array_poly.mlw", line 10, characters 6-8) - Abstract RAC: STUCK (failure in precondition of `f2` at "bench/check-ce/array_poly.mlw", line 10, characters 6-8) - Checked model 1: BAD_CE - Concrete RAC: STUCK (failure in precondition of `f2` at "bench/check-ce/array_poly.mlw", line 10, characters 6-8) - Abstract RAC: STUCK (failure in precondition of `f2` at "bench/check-ce/array_poly.mlw", line 10, characters 6-8) File "bench/check-ce/array_poly.mlw", line 12, characters 14-26: Sub-goal Postcondition of goal f2'vc. Prover result is: Unknown or time/memory/step limit. Sorry, we don't have a good counterexample for you :( Categorizations of models: - Checked model 0: INCOMPLETE - Concrete RAC: INCOMPLETE (terminated with uncaught exception) - Abstract RAC: INCOMPLETE (terminated with uncaught exception) - Selected model 1: INCOMPLETE - Concrete RAC: INCOMPLETE (terminated with uncaught exception) - Abstract RAC: INCOMPLETE (terminated with uncaught exception) File "bench/check-ce/array_poly.mlw", line 27, characters 14-22: Sub-goal Postcondition of goal f1'vc. Prover result is: Unknown or time/memory/step limit. The following counterexample model could not be verified (both RAC terminated with uncaught exception): File array.mlw: Line 17: length : ty -> uni -> int = fun _arg_1 _arg_2 -> 2 Line 232: sorted : array int -> bool = [|_ => false|] Categorizations of models: - Checked model 0: INCOMPLETE - Concrete RAC: INCOMPLETE (terminated with uncaught exception) - Abstract RAC: INCOMPLETE (terminated with uncaught exception) - Selected model 1: INCOMPLETE - Concrete RAC: INCOMPLETE (terminated with uncaught exception) - Abstract RAC: INCOMPLETE (terminated with uncaught exception) File "bench/check-ce/array_poly.mlw", line 32, characters 14-27: Sub-goal Postcondition of goal f2'vc. Prover result is: Unknown or time/memory/step limit. The following counterexample model could not be verified (both RAC terminated with uncaught exception): File array.mlw: Line 17: length : ty -> uni -> int = fun _arg_1 _arg_2 -> 2 Line 232: sorted : array int -> bool = [|_ => false|] why3-1.6.0/bench/check-ce/oracles/array_poly_Z3,4.8.10_SP.oracle000066400000000000000000000067411440160026300236400ustar00rootroot00000000000000Categorizations of models: - Selected model 0: NC - Concrete RAC: FAILURE (precondition at "bench/check-ce/array_poly.mlw", line 8, characters 4-8) - Abstract RAC: FAILURE (precondition at "bench/check-ce/array_poly.mlw", line 8, characters 4-8) - Checked model 1: NC - Concrete RAC: FAILURE (precondition at "bench/check-ce/array_poly.mlw", line 8, characters 4-8) - Abstract RAC: FAILURE (precondition at "bench/check-ce/array_poly.mlw", line 8, characters 4-8) File "bench/check-ce/array_poly.mlw", line 8, characters 4-8: Sub-goal Index in array bounds of goal f1'vc. Prover result is: Unknown or time/memory/step limit. The program does not comply to the verification goal, for example during the following execution: File int.mlw: Line 13: Constant zero initialization zero = 0 Line 14: Constant one initialization one = 1 File array_poly.mlw: Line 7: a = [] a = [] Execution of main function `f1` with env: a = [] zero = 0 one = 1 Line 8: Normal execution of function `([])` with args: a = [] i = 0 Property failure at precondition of `([])` with: a = [] i = 0 File "bench/check-ce/array_poly.mlw", line 13, characters 4-14: Sub-goal Index in array bounds of goal f2'vc. Prover result is: Valid. Categorizations of models: - Selected model 0: BAD_CE - Concrete RAC: STUCK (failure in precondition of `f2` at "bench/check-ce/array_poly.mlw", line 10, characters 6-8) - Abstract RAC: STUCK (failure in precondition of `f2` at "bench/check-ce/array_poly.mlw", line 10, characters 6-8) - Checked model 1: BAD_CE - Concrete RAC: STUCK (failure in precondition of `f2` at "bench/check-ce/array_poly.mlw", line 10, characters 6-8) - Abstract RAC: STUCK (failure in precondition of `f2` at "bench/check-ce/array_poly.mlw", line 10, characters 6-8) File "bench/check-ce/array_poly.mlw", line 12, characters 14-26: Sub-goal Postcondition of goal f2'vc. Prover result is: Unknown or time/memory/step limit. Sorry, we don't have a good counterexample for you :( Categorizations of models: - Selected model 0: INCOMPLETE - Concrete RAC: INCOMPLETE (terminated with uncaught exception) - Abstract RAC: INCOMPLETE (terminated with uncaught exception) - Checked model 1: INCOMPLETE - Concrete RAC: INCOMPLETE (terminated with uncaught exception) - Abstract RAC: INCOMPLETE (terminated with uncaught exception) File "bench/check-ce/array_poly.mlw", line 27, characters 14-22: Sub-goal Postcondition of goal f1'vc. Prover result is: Unknown or time/memory/step limit. The following counterexample model could not be verified (both RAC terminated with uncaught exception): File array.mlw: Line 17: length : ty -> uni -> int = fun x!021 x!11 -> 0 Categorizations of models: - Selected model 0: INCOMPLETE - Concrete RAC: INCOMPLETE (terminated with uncaught exception) - Abstract RAC: INCOMPLETE (terminated with uncaught exception) - Checked model 1: INCOMPLETE - Concrete RAC: INCOMPLETE (terminated with uncaught exception) - Abstract RAC: INCOMPLETE (terminated with uncaught exception) File "bench/check-ce/array_poly.mlw", line 32, characters 14-27: Sub-goal Postcondition of goal f2'vc. Prover result is: Unknown or time/memory/step limit. The following counterexample model could not be verified (both RAC terminated with uncaught exception): File array.mlw: Line 17: length : ty -> uni -> int = fun x!022 x!11 -> 0 why3-1.6.0/bench/check-ce/oracles/array_poly_Z3,4.8.10_WP.oracle000066400000000000000000000067411440160026300236440ustar00rootroot00000000000000Categorizations of models: - Selected model 0: NC - Concrete RAC: FAILURE (precondition at "bench/check-ce/array_poly.mlw", line 8, characters 4-8) - Abstract RAC: FAILURE (precondition at "bench/check-ce/array_poly.mlw", line 8, characters 4-8) - Checked model 1: NC - Concrete RAC: FAILURE (precondition at "bench/check-ce/array_poly.mlw", line 8, characters 4-8) - Abstract RAC: FAILURE (precondition at "bench/check-ce/array_poly.mlw", line 8, characters 4-8) File "bench/check-ce/array_poly.mlw", line 8, characters 4-8: Sub-goal Index in array bounds of goal f1'vc. Prover result is: Unknown or time/memory/step limit. The program does not comply to the verification goal, for example during the following execution: File int.mlw: Line 13: Constant zero initialization zero = 0 Line 14: Constant one initialization one = 1 File array_poly.mlw: Line 7: a = [] a = [] Execution of main function `f1` with env: a = [] zero = 0 one = 1 Line 8: Normal execution of function `([])` with args: a = [] i = 0 Property failure at precondition of `([])` with: a = [] i = 0 File "bench/check-ce/array_poly.mlw", line 13, characters 4-14: Sub-goal Index in array bounds of goal f2'vc. Prover result is: Valid. Categorizations of models: - Selected model 0: BAD_CE - Concrete RAC: STUCK (failure in precondition of `f2` at "bench/check-ce/array_poly.mlw", line 10, characters 6-8) - Abstract RAC: STUCK (failure in precondition of `f2` at "bench/check-ce/array_poly.mlw", line 10, characters 6-8) - Checked model 1: BAD_CE - Concrete RAC: STUCK (failure in precondition of `f2` at "bench/check-ce/array_poly.mlw", line 10, characters 6-8) - Abstract RAC: STUCK (failure in precondition of `f2` at "bench/check-ce/array_poly.mlw", line 10, characters 6-8) File "bench/check-ce/array_poly.mlw", line 12, characters 14-26: Sub-goal Postcondition of goal f2'vc. Prover result is: Unknown or time/memory/step limit. Sorry, we don't have a good counterexample for you :( Categorizations of models: - Selected model 0: INCOMPLETE - Concrete RAC: INCOMPLETE (terminated with uncaught exception) - Abstract RAC: INCOMPLETE (terminated with uncaught exception) - Checked model 1: INCOMPLETE - Concrete RAC: INCOMPLETE (terminated with uncaught exception) - Abstract RAC: INCOMPLETE (terminated with uncaught exception) File "bench/check-ce/array_poly.mlw", line 27, characters 14-22: Sub-goal Postcondition of goal f1'vc. Prover result is: Unknown or time/memory/step limit. The following counterexample model could not be verified (both RAC terminated with uncaught exception): File array.mlw: Line 17: length : ty -> uni -> int = fun x!021 x!11 -> 0 Categorizations of models: - Selected model 0: INCOMPLETE - Concrete RAC: INCOMPLETE (terminated with uncaught exception) - Abstract RAC: INCOMPLETE (terminated with uncaught exception) - Checked model 1: INCOMPLETE - Concrete RAC: INCOMPLETE (terminated with uncaught exception) - Abstract RAC: INCOMPLETE (terminated with uncaught exception) File "bench/check-ce/array_poly.mlw", line 32, characters 14-27: Sub-goal Postcondition of goal f2'vc. Prover result is: Unknown or time/memory/step limit. The following counterexample model could not be verified (both RAC terminated with uncaught exception): File array.mlw: Line 17: length : ty -> uni -> int = fun x!022 x!11 -> 0 why3-1.6.0/bench/check-ce/oracles/array_records_mono_CVC4,1.8_SP.oracle000066400000000000000000000267611440160026300253330ustar00rootroot00000000000000File bench/check-ce/array_records_mono.mlw: Goal array_of_records'vc. Prover result is: Valid. Categorizations of models: - Selected model 0: NC - Concrete RAC: FAILURE (precondition at "bench/check-ce/array_records_mono.mlw", line 49, characters 45-49) - Abstract RAC: FAILURE (precondition at "bench/check-ce/array_records_mono.mlw", line 49, characters 45-49) - Checked model 1: NC - Concrete RAC: FAILURE (precondition at "bench/check-ce/array_records_mono.mlw", line 49, characters 45-49) - Abstract RAC: FAILURE (precondition at "bench/check-ce/array_records_mono.mlw", line 49, characters 45-49) File "bench/check-ce/array_records_mono.mlw", line 49, characters 45-49: Sub-goal Index in array bounds of goal var_overwrite'vc. Prover result is: Unknown or time/memory/step limit. The program does not comply to the verification goal, for example during the following execution: File int.mlw: Line 13: Constant zero initialization zero = 0 Line 14: Constant one initialization one = 1 File array_records_mono.mlw: Line 45: a = {elts= fun (x:int) -> if x = (- 1) then basic_record'mk True 3 5 else basic_record'mk False 0 0; length= 0} i = (- 1) a = {elts= fun (x:int) -> if x = (- 1) then basic_record'mk True 3 5 else basic_record'mk False 0 0; length= 0} i = (- 1) Execution of main function `var_overwrite` with env: a = {elts= fun (x:int) -> if x = (- 1) then basic_record'mk True 3 5 else basic_record'mk False 0 0; length= 0} i = (- 1) zero = 0 one = 1 Line 49: (giant-step) execution of unimplemented function `([])` a = {elts= fun (x:int) -> if x = (- 1) then basic_record'mk True 3 5 else basic_record'mk False 0 0; length= 0} i = (- 1) Property failure at precondition of `([])` with: a = {elts= fun (x:int) -> if x = (- 1) then basic_record'mk True 3 5 else basic_record'mk False 0 0; length= 0} i = (- 1) Categorizations of models: - Checked model 0: BAD_CE - Concrete RAC: FAILURE (precondition at "bench/check-ce/array_records_mono.mlw", line 49, characters 45-49) - Abstract RAC: FAILURE (precondition at "bench/check-ce/array_records_mono.mlw", line 49, characters 45-49) - Selected model 1: BAD_CE - Concrete RAC: FAILURE (precondition at "bench/check-ce/array_records_mono.mlw", line 49, characters 45-49) - Abstract RAC: FAILURE (precondition at "bench/check-ce/array_records_mono.mlw", line 49, characters 45-49) File "bench/check-ce/array_records_mono.mlw", line 49, characters 21-25: Sub-goal Index in array bounds of goal var_overwrite'vc. Prover result is: Unknown or time/memory/step limit. Sorry, we don't have a good counterexample for you :( Categorizations of models: - Checked model 0: BAD_CE - Concrete RAC: FAILURE (precondition at "bench/check-ce/array_records_mono.mlw", line 49, characters 45-49) - Abstract RAC: FAILURE (precondition at "bench/check-ce/array_records_mono.mlw", line 49, characters 45-49) - Selected model 1: BAD_CE - Concrete RAC: FAILURE (precondition at "bench/check-ce/array_records_mono.mlw", line 49, characters 45-49) - Abstract RAC: FAILURE (precondition at "bench/check-ce/array_records_mono.mlw", line 49, characters 45-49) File "bench/check-ce/array_records_mono.mlw", line 49, characters 5-81: Sub-goal Index in array bounds of goal var_overwrite'vc. Prover result is: Unknown or time/memory/step limit. Sorry, we don't have a good counterexample for you :( Categorizations of models: - Checked model 0: BAD_CE - Concrete RAC: FAILURE (precondition at "bench/check-ce/array_records_mono.mlw", line 49, characters 45-49) - Abstract RAC: FAILURE (precondition at "bench/check-ce/array_records_mono.mlw", line 49, characters 45-49) - Selected model 1: BAD_CE - Concrete RAC: FAILURE (precondition at "bench/check-ce/array_records_mono.mlw", line 49, characters 45-49) - Abstract RAC: FAILURE (precondition at "bench/check-ce/array_records_mono.mlw", line 49, characters 45-49) File "bench/check-ce/array_records_mono.mlw", line 50, characters 64-68: Sub-goal Index in array bounds of goal var_overwrite'vc. Prover result is: Unknown or time/memory/step limit. Sorry, we don't have a good counterexample for you :( Categorizations of models: - Checked model 0: BAD_CE - Concrete RAC: FAILURE (precondition at "bench/check-ce/array_records_mono.mlw", line 49, characters 45-49) - Abstract RAC: FAILURE (precondition at "bench/check-ce/array_records_mono.mlw", line 49, characters 45-49) - Selected model 1: BAD_CE - Concrete RAC: FAILURE (precondition at "bench/check-ce/array_records_mono.mlw", line 49, characters 45-49) - Abstract RAC: FAILURE (precondition at "bench/check-ce/array_records_mono.mlw", line 49, characters 45-49) File "bench/check-ce/array_records_mono.mlw", line 50, characters 21-25: Sub-goal Index in array bounds of goal var_overwrite'vc. Prover result is: Unknown or time/memory/step limit. Sorry, we don't have a good counterexample for you :( Categorizations of models: - Checked model 0: BAD_CE - Concrete RAC: FAILURE (precondition at "bench/check-ce/array_records_mono.mlw", line 49, characters 45-49) - Abstract RAC: FAILURE (precondition at "bench/check-ce/array_records_mono.mlw", line 49, characters 45-49) - Selected model 1: BAD_CE - Concrete RAC: FAILURE (precondition at "bench/check-ce/array_records_mono.mlw", line 49, characters 45-49) - Abstract RAC: FAILURE (precondition at "bench/check-ce/array_records_mono.mlw", line 49, characters 45-49) File "bench/check-ce/array_records_mono.mlw", line 50, characters 5-82: Sub-goal Index in array bounds of goal var_overwrite'vc. Prover result is: Unknown or time/memory/step limit. Sorry, we don't have a good counterexample for you :( Categorizations of models: - Checked model 0: BAD_CE - Concrete RAC: FAILURE (precondition at "bench/check-ce/array_records_mono.mlw", line 49, characters 45-49) - Abstract RAC: FAILURE (precondition at "bench/check-ce/array_records_mono.mlw", line 49, characters 45-49) - Selected model 1: BAD_CE - Concrete RAC: FAILURE (precondition at "bench/check-ce/array_records_mono.mlw", line 49, characters 45-49) - Abstract RAC: FAILURE (precondition at "bench/check-ce/array_records_mono.mlw", line 49, characters 45-49) File "bench/check-ce/array_records_mono.mlw", line 51, characters 64-68: Sub-goal Index in array bounds of goal var_overwrite'vc. Prover result is: Unknown or time/memory/step limit. Sorry, we don't have a good counterexample for you :( Categorizations of models: - Checked model 0: BAD_CE - Concrete RAC: FAILURE (precondition at "bench/check-ce/array_records_mono.mlw", line 49, characters 45-49) - Abstract RAC: FAILURE (precondition at "bench/check-ce/array_records_mono.mlw", line 49, characters 45-49) - Selected model 1: BAD_CE - Concrete RAC: FAILURE (precondition at "bench/check-ce/array_records_mono.mlw", line 49, characters 45-49) - Abstract RAC: FAILURE (precondition at "bench/check-ce/array_records_mono.mlw", line 49, characters 45-49) File "bench/check-ce/array_records_mono.mlw", line 51, characters 21-25: Sub-goal Index in array bounds of goal var_overwrite'vc. Prover result is: Unknown or time/memory/step limit. Sorry, we don't have a good counterexample for you :( Categorizations of models: - Checked model 0: BAD_CE - Concrete RAC: FAILURE (precondition at "bench/check-ce/array_records_mono.mlw", line 49, characters 45-49) - Abstract RAC: FAILURE (precondition at "bench/check-ce/array_records_mono.mlw", line 49, characters 45-49) - Selected model 1: BAD_CE - Concrete RAC: FAILURE (precondition at "bench/check-ce/array_records_mono.mlw", line 49, characters 45-49) - Abstract RAC: FAILURE (precondition at "bench/check-ce/array_records_mono.mlw", line 49, characters 45-49) File "bench/check-ce/array_records_mono.mlw", line 51, characters 5-82: Sub-goal Index in array bounds of goal var_overwrite'vc. Prover result is: Unknown or time/memory/step limit. Sorry, we don't have a good counterexample for you :( Categorizations of models: - Checked model 0: BAD_CE - Concrete RAC: FAILURE (precondition at "bench/check-ce/array_records_mono.mlw", line 49, characters 45-49) - Abstract RAC: FAILURE (precondition at "bench/check-ce/array_records_mono.mlw", line 49, characters 45-49) - Selected model 1: BAD_CE - Concrete RAC: FAILURE (precondition at "bench/check-ce/array_records_mono.mlw", line 49, characters 45-49) - Abstract RAC: FAILURE (precondition at "bench/check-ce/array_records_mono.mlw", line 49, characters 45-49) File "bench/check-ce/array_records_mono.mlw", line 52, characters 74-78: Sub-goal Index in array bounds of goal var_overwrite'vc. Prover result is: Unknown or time/memory/step limit. Sorry, we don't have a good counterexample for you :( Categorizations of models: - Checked model 0: BAD_CE - Concrete RAC: FAILURE (precondition at "bench/check-ce/array_records_mono.mlw", line 49, characters 45-49) - Abstract RAC: FAILURE (precondition at "bench/check-ce/array_records_mono.mlw", line 49, characters 45-49) - Selected model 1: BAD_CE - Concrete RAC: FAILURE (precondition at "bench/check-ce/array_records_mono.mlw", line 49, characters 45-49) - Abstract RAC: FAILURE (precondition at "bench/check-ce/array_records_mono.mlw", line 49, characters 45-49) File "bench/check-ce/array_records_mono.mlw", line 52, characters 41-45: Sub-goal Index in array bounds of goal var_overwrite'vc. Prover result is: Unknown or time/memory/step limit. Sorry, we don't have a good counterexample for you :( Categorizations of models: - Checked model 0: BAD_CE - Concrete RAC: FAILURE (precondition at "bench/check-ce/array_records_mono.mlw", line 49, characters 45-49) - Abstract RAC: FAILURE (precondition at "bench/check-ce/array_records_mono.mlw", line 49, characters 45-49) - Selected model 1: BAD_CE - Concrete RAC: FAILURE (precondition at "bench/check-ce/array_records_mono.mlw", line 49, characters 45-49) - Abstract RAC: FAILURE (precondition at "bench/check-ce/array_records_mono.mlw", line 49, characters 45-49) File "bench/check-ce/array_records_mono.mlw", line 52, characters 5-92: Sub-goal Index in array bounds of goal var_overwrite'vc. Prover result is: Unknown or time/memory/step limit. Sorry, we don't have a good counterexample for you :( File "bench/check-ce/array_records_mono.mlw", line 53, characters 13-35: Sub-goal Assertion of goal var_overwrite'vc. Prover result is: Valid. Categorizations of models: - Checked model 0: BAD_CE - Concrete RAC: FAILURE (precondition at "bench/check-ce/array_records_mono.mlw", line 49, characters 45-49) - Abstract RAC: FAILURE (precondition at "bench/check-ce/array_records_mono.mlw", line 49, characters 45-49) - Selected model 1: BAD_CE - Concrete RAC: FAILURE (precondition at "bench/check-ce/array_records_mono.mlw", line 49, characters 45-49) - Abstract RAC: FAILURE (precondition at "bench/check-ce/array_records_mono.mlw", line 49, characters 45-49) File "bench/check-ce/array_records_mono.mlw", line 47, characters 15-36: Sub-goal Postcondition of goal var_overwrite'vc. Prover result is: Unknown or time/memory/step limit. Sorry, we don't have a good counterexample for you :( why3-1.6.0/bench/check-ce/oracles/array_records_mono_CVC4,1.8_WP.oracle000066400000000000000000000267611440160026300253370ustar00rootroot00000000000000File bench/check-ce/array_records_mono.mlw: Goal array_of_records'vc. Prover result is: Valid. Categorizations of models: - Selected model 0: NC - Concrete RAC: FAILURE (precondition at "bench/check-ce/array_records_mono.mlw", line 49, characters 45-49) - Abstract RAC: FAILURE (precondition at "bench/check-ce/array_records_mono.mlw", line 49, characters 45-49) - Checked model 1: NC - Concrete RAC: FAILURE (precondition at "bench/check-ce/array_records_mono.mlw", line 49, characters 45-49) - Abstract RAC: FAILURE (precondition at "bench/check-ce/array_records_mono.mlw", line 49, characters 45-49) File "bench/check-ce/array_records_mono.mlw", line 49, characters 45-49: Sub-goal Index in array bounds of goal var_overwrite'vc. Prover result is: Unknown or time/memory/step limit. The program does not comply to the verification goal, for example during the following execution: File int.mlw: Line 13: Constant zero initialization zero = 0 Line 14: Constant one initialization one = 1 File array_records_mono.mlw: Line 45: a = {elts= fun (x:int) -> if x = (- 1) then basic_record'mk True 3 5 else basic_record'mk False 0 0; length= 0} i = (- 1) a = {elts= fun (x:int) -> if x = (- 1) then basic_record'mk True 3 5 else basic_record'mk False 0 0; length= 0} i = (- 1) Execution of main function `var_overwrite` with env: a = {elts= fun (x:int) -> if x = (- 1) then basic_record'mk True 3 5 else basic_record'mk False 0 0; length= 0} i = (- 1) zero = 0 one = 1 Line 49: (giant-step) execution of unimplemented function `([])` a = {elts= fun (x:int) -> if x = (- 1) then basic_record'mk True 3 5 else basic_record'mk False 0 0; length= 0} i = (- 1) Property failure at precondition of `([])` with: a = {elts= fun (x:int) -> if x = (- 1) then basic_record'mk True 3 5 else basic_record'mk False 0 0; length= 0} i = (- 1) Categorizations of models: - Checked model 0: BAD_CE - Concrete RAC: FAILURE (precondition at "bench/check-ce/array_records_mono.mlw", line 49, characters 45-49) - Abstract RAC: FAILURE (precondition at "bench/check-ce/array_records_mono.mlw", line 49, characters 45-49) - Selected model 1: BAD_CE - Concrete RAC: FAILURE (precondition at "bench/check-ce/array_records_mono.mlw", line 49, characters 45-49) - Abstract RAC: FAILURE (precondition at "bench/check-ce/array_records_mono.mlw", line 49, characters 45-49) File "bench/check-ce/array_records_mono.mlw", line 49, characters 21-25: Sub-goal Index in array bounds of goal var_overwrite'vc. Prover result is: Unknown or time/memory/step limit. Sorry, we don't have a good counterexample for you :( Categorizations of models: - Checked model 0: BAD_CE - Concrete RAC: FAILURE (precondition at "bench/check-ce/array_records_mono.mlw", line 49, characters 45-49) - Abstract RAC: FAILURE (precondition at "bench/check-ce/array_records_mono.mlw", line 49, characters 45-49) - Selected model 1: BAD_CE - Concrete RAC: FAILURE (precondition at "bench/check-ce/array_records_mono.mlw", line 49, characters 45-49) - Abstract RAC: FAILURE (precondition at "bench/check-ce/array_records_mono.mlw", line 49, characters 45-49) File "bench/check-ce/array_records_mono.mlw", line 49, characters 5-81: Sub-goal Index in array bounds of goal var_overwrite'vc. Prover result is: Unknown or time/memory/step limit. Sorry, we don't have a good counterexample for you :( Categorizations of models: - Checked model 0: BAD_CE - Concrete RAC: FAILURE (precondition at "bench/check-ce/array_records_mono.mlw", line 49, characters 45-49) - Abstract RAC: FAILURE (precondition at "bench/check-ce/array_records_mono.mlw", line 49, characters 45-49) - Selected model 1: BAD_CE - Concrete RAC: FAILURE (precondition at "bench/check-ce/array_records_mono.mlw", line 49, characters 45-49) - Abstract RAC: FAILURE (precondition at "bench/check-ce/array_records_mono.mlw", line 49, characters 45-49) File "bench/check-ce/array_records_mono.mlw", line 50, characters 64-68: Sub-goal Index in array bounds of goal var_overwrite'vc. Prover result is: Unknown or time/memory/step limit. Sorry, we don't have a good counterexample for you :( Categorizations of models: - Checked model 0: BAD_CE - Concrete RAC: FAILURE (precondition at "bench/check-ce/array_records_mono.mlw", line 49, characters 45-49) - Abstract RAC: FAILURE (precondition at "bench/check-ce/array_records_mono.mlw", line 49, characters 45-49) - Selected model 1: BAD_CE - Concrete RAC: FAILURE (precondition at "bench/check-ce/array_records_mono.mlw", line 49, characters 45-49) - Abstract RAC: FAILURE (precondition at "bench/check-ce/array_records_mono.mlw", line 49, characters 45-49) File "bench/check-ce/array_records_mono.mlw", line 50, characters 21-25: Sub-goal Index in array bounds of goal var_overwrite'vc. Prover result is: Unknown or time/memory/step limit. Sorry, we don't have a good counterexample for you :( Categorizations of models: - Checked model 0: BAD_CE - Concrete RAC: FAILURE (precondition at "bench/check-ce/array_records_mono.mlw", line 49, characters 45-49) - Abstract RAC: FAILURE (precondition at "bench/check-ce/array_records_mono.mlw", line 49, characters 45-49) - Selected model 1: BAD_CE - Concrete RAC: FAILURE (precondition at "bench/check-ce/array_records_mono.mlw", line 49, characters 45-49) - Abstract RAC: FAILURE (precondition at "bench/check-ce/array_records_mono.mlw", line 49, characters 45-49) File "bench/check-ce/array_records_mono.mlw", line 50, characters 5-82: Sub-goal Index in array bounds of goal var_overwrite'vc. Prover result is: Unknown or time/memory/step limit. Sorry, we don't have a good counterexample for you :( Categorizations of models: - Checked model 0: BAD_CE - Concrete RAC: FAILURE (precondition at "bench/check-ce/array_records_mono.mlw", line 49, characters 45-49) - Abstract RAC: FAILURE (precondition at "bench/check-ce/array_records_mono.mlw", line 49, characters 45-49) - Selected model 1: BAD_CE - Concrete RAC: FAILURE (precondition at "bench/check-ce/array_records_mono.mlw", line 49, characters 45-49) - Abstract RAC: FAILURE (precondition at "bench/check-ce/array_records_mono.mlw", line 49, characters 45-49) File "bench/check-ce/array_records_mono.mlw", line 51, characters 64-68: Sub-goal Index in array bounds of goal var_overwrite'vc. Prover result is: Unknown or time/memory/step limit. Sorry, we don't have a good counterexample for you :( Categorizations of models: - Checked model 0: BAD_CE - Concrete RAC: FAILURE (precondition at "bench/check-ce/array_records_mono.mlw", line 49, characters 45-49) - Abstract RAC: FAILURE (precondition at "bench/check-ce/array_records_mono.mlw", line 49, characters 45-49) - Selected model 1: BAD_CE - Concrete RAC: FAILURE (precondition at "bench/check-ce/array_records_mono.mlw", line 49, characters 45-49) - Abstract RAC: FAILURE (precondition at "bench/check-ce/array_records_mono.mlw", line 49, characters 45-49) File "bench/check-ce/array_records_mono.mlw", line 51, characters 21-25: Sub-goal Index in array bounds of goal var_overwrite'vc. Prover result is: Unknown or time/memory/step limit. Sorry, we don't have a good counterexample for you :( Categorizations of models: - Checked model 0: BAD_CE - Concrete RAC: FAILURE (precondition at "bench/check-ce/array_records_mono.mlw", line 49, characters 45-49) - Abstract RAC: FAILURE (precondition at "bench/check-ce/array_records_mono.mlw", line 49, characters 45-49) - Selected model 1: BAD_CE - Concrete RAC: FAILURE (precondition at "bench/check-ce/array_records_mono.mlw", line 49, characters 45-49) - Abstract RAC: FAILURE (precondition at "bench/check-ce/array_records_mono.mlw", line 49, characters 45-49) File "bench/check-ce/array_records_mono.mlw", line 51, characters 5-82: Sub-goal Index in array bounds of goal var_overwrite'vc. Prover result is: Unknown or time/memory/step limit. Sorry, we don't have a good counterexample for you :( Categorizations of models: - Checked model 0: BAD_CE - Concrete RAC: FAILURE (precondition at "bench/check-ce/array_records_mono.mlw", line 49, characters 45-49) - Abstract RAC: FAILURE (precondition at "bench/check-ce/array_records_mono.mlw", line 49, characters 45-49) - Selected model 1: BAD_CE - Concrete RAC: FAILURE (precondition at "bench/check-ce/array_records_mono.mlw", line 49, characters 45-49) - Abstract RAC: FAILURE (precondition at "bench/check-ce/array_records_mono.mlw", line 49, characters 45-49) File "bench/check-ce/array_records_mono.mlw", line 52, characters 74-78: Sub-goal Index in array bounds of goal var_overwrite'vc. Prover result is: Unknown or time/memory/step limit. Sorry, we don't have a good counterexample for you :( Categorizations of models: - Checked model 0: BAD_CE - Concrete RAC: FAILURE (precondition at "bench/check-ce/array_records_mono.mlw", line 49, characters 45-49) - Abstract RAC: FAILURE (precondition at "bench/check-ce/array_records_mono.mlw", line 49, characters 45-49) - Selected model 1: BAD_CE - Concrete RAC: FAILURE (precondition at "bench/check-ce/array_records_mono.mlw", line 49, characters 45-49) - Abstract RAC: FAILURE (precondition at "bench/check-ce/array_records_mono.mlw", line 49, characters 45-49) File "bench/check-ce/array_records_mono.mlw", line 52, characters 41-45: Sub-goal Index in array bounds of goal var_overwrite'vc. Prover result is: Unknown or time/memory/step limit. Sorry, we don't have a good counterexample for you :( Categorizations of models: - Checked model 0: BAD_CE - Concrete RAC: FAILURE (precondition at "bench/check-ce/array_records_mono.mlw", line 49, characters 45-49) - Abstract RAC: FAILURE (precondition at "bench/check-ce/array_records_mono.mlw", line 49, characters 45-49) - Selected model 1: BAD_CE - Concrete RAC: FAILURE (precondition at "bench/check-ce/array_records_mono.mlw", line 49, characters 45-49) - Abstract RAC: FAILURE (precondition at "bench/check-ce/array_records_mono.mlw", line 49, characters 45-49) File "bench/check-ce/array_records_mono.mlw", line 52, characters 5-92: Sub-goal Index in array bounds of goal var_overwrite'vc. Prover result is: Unknown or time/memory/step limit. Sorry, we don't have a good counterexample for you :( File "bench/check-ce/array_records_mono.mlw", line 53, characters 13-35: Sub-goal Assertion of goal var_overwrite'vc. Prover result is: Valid. Categorizations of models: - Checked model 0: BAD_CE - Concrete RAC: FAILURE (precondition at "bench/check-ce/array_records_mono.mlw", line 49, characters 45-49) - Abstract RAC: FAILURE (precondition at "bench/check-ce/array_records_mono.mlw", line 49, characters 45-49) - Selected model 1: BAD_CE - Concrete RAC: FAILURE (precondition at "bench/check-ce/array_records_mono.mlw", line 49, characters 45-49) - Abstract RAC: FAILURE (precondition at "bench/check-ce/array_records_mono.mlw", line 49, characters 45-49) File "bench/check-ce/array_records_mono.mlw", line 47, characters 15-36: Sub-goal Postcondition of goal var_overwrite'vc. Prover result is: Unknown or time/memory/step limit. Sorry, we don't have a good counterexample for you :( why3-1.6.0/bench/check-ce/oracles/array_records_mono_CVC5,1.0.0_SP.oracle000066400000000000000000000267611440160026300254620ustar00rootroot00000000000000File bench/check-ce/array_records_mono.mlw: Goal array_of_records'vc. Prover result is: Valid. Categorizations of models: - Selected model 0: NC - Concrete RAC: FAILURE (precondition at "bench/check-ce/array_records_mono.mlw", line 49, characters 45-49) - Abstract RAC: FAILURE (precondition at "bench/check-ce/array_records_mono.mlw", line 49, characters 45-49) - Checked model 1: NC - Concrete RAC: FAILURE (precondition at "bench/check-ce/array_records_mono.mlw", line 49, characters 45-49) - Abstract RAC: FAILURE (precondition at "bench/check-ce/array_records_mono.mlw", line 49, characters 45-49) File "bench/check-ce/array_records_mono.mlw", line 49, characters 45-49: Sub-goal Index in array bounds of goal var_overwrite'vc. Prover result is: Unknown or time/memory/step limit. The program does not comply to the verification goal, for example during the following execution: File int.mlw: Line 13: Constant zero initialization zero = 0 Line 14: Constant one initialization one = 1 File array_records_mono.mlw: Line 45: a = {elts= fun (x:int) -> if x = (- 1) then basic_record'mk True 3 5 else basic_record'mk False 0 0; length= 0} i = (- 1) a = {elts= fun (x:int) -> if x = (- 1) then basic_record'mk True 3 5 else basic_record'mk False 0 0; length= 0} i = (- 1) Execution of main function `var_overwrite` with env: a = {elts= fun (x:int) -> if x = (- 1) then basic_record'mk True 3 5 else basic_record'mk False 0 0; length= 0} i = (- 1) zero = 0 one = 1 Line 49: (giant-step) execution of unimplemented function `([])` a = {elts= fun (x:int) -> if x = (- 1) then basic_record'mk True 3 5 else basic_record'mk False 0 0; length= 0} i = (- 1) Property failure at precondition of `([])` with: a = {elts= fun (x:int) -> if x = (- 1) then basic_record'mk True 3 5 else basic_record'mk False 0 0; length= 0} i = (- 1) Categorizations of models: - Checked model 0: BAD_CE - Concrete RAC: FAILURE (precondition at "bench/check-ce/array_records_mono.mlw", line 49, characters 45-49) - Abstract RAC: FAILURE (precondition at "bench/check-ce/array_records_mono.mlw", line 49, characters 45-49) - Selected model 1: BAD_CE - Concrete RAC: FAILURE (precondition at "bench/check-ce/array_records_mono.mlw", line 49, characters 45-49) - Abstract RAC: FAILURE (precondition at "bench/check-ce/array_records_mono.mlw", line 49, characters 45-49) File "bench/check-ce/array_records_mono.mlw", line 49, characters 21-25: Sub-goal Index in array bounds of goal var_overwrite'vc. Prover result is: Unknown or time/memory/step limit. Sorry, we don't have a good counterexample for you :( Categorizations of models: - Checked model 0: BAD_CE - Concrete RAC: FAILURE (precondition at "bench/check-ce/array_records_mono.mlw", line 49, characters 45-49) - Abstract RAC: FAILURE (precondition at "bench/check-ce/array_records_mono.mlw", line 49, characters 45-49) - Selected model 1: BAD_CE - Concrete RAC: FAILURE (precondition at "bench/check-ce/array_records_mono.mlw", line 49, characters 45-49) - Abstract RAC: FAILURE (precondition at "bench/check-ce/array_records_mono.mlw", line 49, characters 45-49) File "bench/check-ce/array_records_mono.mlw", line 49, characters 5-81: Sub-goal Index in array bounds of goal var_overwrite'vc. Prover result is: Unknown or time/memory/step limit. Sorry, we don't have a good counterexample for you :( Categorizations of models: - Checked model 0: BAD_CE - Concrete RAC: FAILURE (precondition at "bench/check-ce/array_records_mono.mlw", line 49, characters 45-49) - Abstract RAC: FAILURE (precondition at "bench/check-ce/array_records_mono.mlw", line 49, characters 45-49) - Selected model 1: BAD_CE - Concrete RAC: FAILURE (precondition at "bench/check-ce/array_records_mono.mlw", line 49, characters 45-49) - Abstract RAC: FAILURE (precondition at "bench/check-ce/array_records_mono.mlw", line 49, characters 45-49) File "bench/check-ce/array_records_mono.mlw", line 50, characters 64-68: Sub-goal Index in array bounds of goal var_overwrite'vc. Prover result is: Unknown or time/memory/step limit. Sorry, we don't have a good counterexample for you :( Categorizations of models: - Checked model 0: BAD_CE - Concrete RAC: FAILURE (precondition at "bench/check-ce/array_records_mono.mlw", line 49, characters 45-49) - Abstract RAC: FAILURE (precondition at "bench/check-ce/array_records_mono.mlw", line 49, characters 45-49) - Selected model 1: BAD_CE - Concrete RAC: FAILURE (precondition at "bench/check-ce/array_records_mono.mlw", line 49, characters 45-49) - Abstract RAC: FAILURE (precondition at "bench/check-ce/array_records_mono.mlw", line 49, characters 45-49) File "bench/check-ce/array_records_mono.mlw", line 50, characters 21-25: Sub-goal Index in array bounds of goal var_overwrite'vc. Prover result is: Unknown or time/memory/step limit. Sorry, we don't have a good counterexample for you :( Categorizations of models: - Checked model 0: BAD_CE - Concrete RAC: FAILURE (precondition at "bench/check-ce/array_records_mono.mlw", line 49, characters 45-49) - Abstract RAC: FAILURE (precondition at "bench/check-ce/array_records_mono.mlw", line 49, characters 45-49) - Selected model 1: BAD_CE - Concrete RAC: FAILURE (precondition at "bench/check-ce/array_records_mono.mlw", line 49, characters 45-49) - Abstract RAC: FAILURE (precondition at "bench/check-ce/array_records_mono.mlw", line 49, characters 45-49) File "bench/check-ce/array_records_mono.mlw", line 50, characters 5-82: Sub-goal Index in array bounds of goal var_overwrite'vc. Prover result is: Unknown or time/memory/step limit. Sorry, we don't have a good counterexample for you :( Categorizations of models: - Checked model 0: BAD_CE - Concrete RAC: FAILURE (precondition at "bench/check-ce/array_records_mono.mlw", line 49, characters 45-49) - Abstract RAC: FAILURE (precondition at "bench/check-ce/array_records_mono.mlw", line 49, characters 45-49) - Selected model 1: BAD_CE - Concrete RAC: FAILURE (precondition at "bench/check-ce/array_records_mono.mlw", line 49, characters 45-49) - Abstract RAC: FAILURE (precondition at "bench/check-ce/array_records_mono.mlw", line 49, characters 45-49) File "bench/check-ce/array_records_mono.mlw", line 51, characters 64-68: Sub-goal Index in array bounds of goal var_overwrite'vc. Prover result is: Unknown or time/memory/step limit. Sorry, we don't have a good counterexample for you :( Categorizations of models: - Checked model 0: BAD_CE - Concrete RAC: FAILURE (precondition at "bench/check-ce/array_records_mono.mlw", line 49, characters 45-49) - Abstract RAC: FAILURE (precondition at "bench/check-ce/array_records_mono.mlw", line 49, characters 45-49) - Selected model 1: BAD_CE - Concrete RAC: FAILURE (precondition at "bench/check-ce/array_records_mono.mlw", line 49, characters 45-49) - Abstract RAC: FAILURE (precondition at "bench/check-ce/array_records_mono.mlw", line 49, characters 45-49) File "bench/check-ce/array_records_mono.mlw", line 51, characters 21-25: Sub-goal Index in array bounds of goal var_overwrite'vc. Prover result is: Unknown or time/memory/step limit. Sorry, we don't have a good counterexample for you :( Categorizations of models: - Checked model 0: BAD_CE - Concrete RAC: FAILURE (precondition at "bench/check-ce/array_records_mono.mlw", line 49, characters 45-49) - Abstract RAC: FAILURE (precondition at "bench/check-ce/array_records_mono.mlw", line 49, characters 45-49) - Selected model 1: BAD_CE - Concrete RAC: FAILURE (precondition at "bench/check-ce/array_records_mono.mlw", line 49, characters 45-49) - Abstract RAC: FAILURE (precondition at "bench/check-ce/array_records_mono.mlw", line 49, characters 45-49) File "bench/check-ce/array_records_mono.mlw", line 51, characters 5-82: Sub-goal Index in array bounds of goal var_overwrite'vc. Prover result is: Unknown or time/memory/step limit. Sorry, we don't have a good counterexample for you :( Categorizations of models: - Checked model 0: BAD_CE - Concrete RAC: FAILURE (precondition at "bench/check-ce/array_records_mono.mlw", line 49, characters 45-49) - Abstract RAC: FAILURE (precondition at "bench/check-ce/array_records_mono.mlw", line 49, characters 45-49) - Selected model 1: BAD_CE - Concrete RAC: FAILURE (precondition at "bench/check-ce/array_records_mono.mlw", line 49, characters 45-49) - Abstract RAC: FAILURE (precondition at "bench/check-ce/array_records_mono.mlw", line 49, characters 45-49) File "bench/check-ce/array_records_mono.mlw", line 52, characters 74-78: Sub-goal Index in array bounds of goal var_overwrite'vc. Prover result is: Unknown or time/memory/step limit. Sorry, we don't have a good counterexample for you :( Categorizations of models: - Checked model 0: BAD_CE - Concrete RAC: FAILURE (precondition at "bench/check-ce/array_records_mono.mlw", line 49, characters 45-49) - Abstract RAC: FAILURE (precondition at "bench/check-ce/array_records_mono.mlw", line 49, characters 45-49) - Selected model 1: BAD_CE - Concrete RAC: FAILURE (precondition at "bench/check-ce/array_records_mono.mlw", line 49, characters 45-49) - Abstract RAC: FAILURE (precondition at "bench/check-ce/array_records_mono.mlw", line 49, characters 45-49) File "bench/check-ce/array_records_mono.mlw", line 52, characters 41-45: Sub-goal Index in array bounds of goal var_overwrite'vc. Prover result is: Unknown or time/memory/step limit. Sorry, we don't have a good counterexample for you :( Categorizations of models: - Checked model 0: BAD_CE - Concrete RAC: FAILURE (precondition at "bench/check-ce/array_records_mono.mlw", line 49, characters 45-49) - Abstract RAC: FAILURE (precondition at "bench/check-ce/array_records_mono.mlw", line 49, characters 45-49) - Selected model 1: BAD_CE - Concrete RAC: FAILURE (precondition at "bench/check-ce/array_records_mono.mlw", line 49, characters 45-49) - Abstract RAC: FAILURE (precondition at "bench/check-ce/array_records_mono.mlw", line 49, characters 45-49) File "bench/check-ce/array_records_mono.mlw", line 52, characters 5-92: Sub-goal Index in array bounds of goal var_overwrite'vc. Prover result is: Unknown or time/memory/step limit. Sorry, we don't have a good counterexample for you :( File "bench/check-ce/array_records_mono.mlw", line 53, characters 13-35: Sub-goal Assertion of goal var_overwrite'vc. Prover result is: Valid. Categorizations of models: - Checked model 0: BAD_CE - Concrete RAC: FAILURE (precondition at "bench/check-ce/array_records_mono.mlw", line 49, characters 45-49) - Abstract RAC: FAILURE (precondition at "bench/check-ce/array_records_mono.mlw", line 49, characters 45-49) - Selected model 1: BAD_CE - Concrete RAC: FAILURE (precondition at "bench/check-ce/array_records_mono.mlw", line 49, characters 45-49) - Abstract RAC: FAILURE (precondition at "bench/check-ce/array_records_mono.mlw", line 49, characters 45-49) File "bench/check-ce/array_records_mono.mlw", line 47, characters 15-36: Sub-goal Postcondition of goal var_overwrite'vc. Prover result is: Unknown or time/memory/step limit. Sorry, we don't have a good counterexample for you :( why3-1.6.0/bench/check-ce/oracles/array_records_mono_CVC5,1.0.0_WP.oracle000066400000000000000000000267611440160026300254660ustar00rootroot00000000000000File bench/check-ce/array_records_mono.mlw: Goal array_of_records'vc. Prover result is: Valid. Categorizations of models: - Selected model 0: NC - Concrete RAC: FAILURE (precondition at "bench/check-ce/array_records_mono.mlw", line 49, characters 45-49) - Abstract RAC: FAILURE (precondition at "bench/check-ce/array_records_mono.mlw", line 49, characters 45-49) - Checked model 1: NC - Concrete RAC: FAILURE (precondition at "bench/check-ce/array_records_mono.mlw", line 49, characters 45-49) - Abstract RAC: FAILURE (precondition at "bench/check-ce/array_records_mono.mlw", line 49, characters 45-49) File "bench/check-ce/array_records_mono.mlw", line 49, characters 45-49: Sub-goal Index in array bounds of goal var_overwrite'vc. Prover result is: Unknown or time/memory/step limit. The program does not comply to the verification goal, for example during the following execution: File int.mlw: Line 13: Constant zero initialization zero = 0 Line 14: Constant one initialization one = 1 File array_records_mono.mlw: Line 45: a = {elts= fun (x:int) -> if x = (- 1) then basic_record'mk True 3 5 else basic_record'mk False 0 0; length= 0} i = (- 1) a = {elts= fun (x:int) -> if x = (- 1) then basic_record'mk True 3 5 else basic_record'mk False 0 0; length= 0} i = (- 1) Execution of main function `var_overwrite` with env: a = {elts= fun (x:int) -> if x = (- 1) then basic_record'mk True 3 5 else basic_record'mk False 0 0; length= 0} i = (- 1) zero = 0 one = 1 Line 49: (giant-step) execution of unimplemented function `([])` a = {elts= fun (x:int) -> if x = (- 1) then basic_record'mk True 3 5 else basic_record'mk False 0 0; length= 0} i = (- 1) Property failure at precondition of `([])` with: a = {elts= fun (x:int) -> if x = (- 1) then basic_record'mk True 3 5 else basic_record'mk False 0 0; length= 0} i = (- 1) Categorizations of models: - Checked model 0: BAD_CE - Concrete RAC: FAILURE (precondition at "bench/check-ce/array_records_mono.mlw", line 49, characters 45-49) - Abstract RAC: FAILURE (precondition at "bench/check-ce/array_records_mono.mlw", line 49, characters 45-49) - Selected model 1: BAD_CE - Concrete RAC: FAILURE (precondition at "bench/check-ce/array_records_mono.mlw", line 49, characters 45-49) - Abstract RAC: FAILURE (precondition at "bench/check-ce/array_records_mono.mlw", line 49, characters 45-49) File "bench/check-ce/array_records_mono.mlw", line 49, characters 21-25: Sub-goal Index in array bounds of goal var_overwrite'vc. Prover result is: Unknown or time/memory/step limit. Sorry, we don't have a good counterexample for you :( Categorizations of models: - Checked model 0: BAD_CE - Concrete RAC: FAILURE (precondition at "bench/check-ce/array_records_mono.mlw", line 49, characters 45-49) - Abstract RAC: FAILURE (precondition at "bench/check-ce/array_records_mono.mlw", line 49, characters 45-49) - Selected model 1: BAD_CE - Concrete RAC: FAILURE (precondition at "bench/check-ce/array_records_mono.mlw", line 49, characters 45-49) - Abstract RAC: FAILURE (precondition at "bench/check-ce/array_records_mono.mlw", line 49, characters 45-49) File "bench/check-ce/array_records_mono.mlw", line 49, characters 5-81: Sub-goal Index in array bounds of goal var_overwrite'vc. Prover result is: Unknown or time/memory/step limit. Sorry, we don't have a good counterexample for you :( Categorizations of models: - Checked model 0: BAD_CE - Concrete RAC: FAILURE (precondition at "bench/check-ce/array_records_mono.mlw", line 49, characters 45-49) - Abstract RAC: FAILURE (precondition at "bench/check-ce/array_records_mono.mlw", line 49, characters 45-49) - Selected model 1: BAD_CE - Concrete RAC: FAILURE (precondition at "bench/check-ce/array_records_mono.mlw", line 49, characters 45-49) - Abstract RAC: FAILURE (precondition at "bench/check-ce/array_records_mono.mlw", line 49, characters 45-49) File "bench/check-ce/array_records_mono.mlw", line 50, characters 64-68: Sub-goal Index in array bounds of goal var_overwrite'vc. Prover result is: Unknown or time/memory/step limit. Sorry, we don't have a good counterexample for you :( Categorizations of models: - Checked model 0: BAD_CE - Concrete RAC: FAILURE (precondition at "bench/check-ce/array_records_mono.mlw", line 49, characters 45-49) - Abstract RAC: FAILURE (precondition at "bench/check-ce/array_records_mono.mlw", line 49, characters 45-49) - Selected model 1: BAD_CE - Concrete RAC: FAILURE (precondition at "bench/check-ce/array_records_mono.mlw", line 49, characters 45-49) - Abstract RAC: FAILURE (precondition at "bench/check-ce/array_records_mono.mlw", line 49, characters 45-49) File "bench/check-ce/array_records_mono.mlw", line 50, characters 21-25: Sub-goal Index in array bounds of goal var_overwrite'vc. Prover result is: Unknown or time/memory/step limit. Sorry, we don't have a good counterexample for you :( Categorizations of models: - Checked model 0: BAD_CE - Concrete RAC: FAILURE (precondition at "bench/check-ce/array_records_mono.mlw", line 49, characters 45-49) - Abstract RAC: FAILURE (precondition at "bench/check-ce/array_records_mono.mlw", line 49, characters 45-49) - Selected model 1: BAD_CE - Concrete RAC: FAILURE (precondition at "bench/check-ce/array_records_mono.mlw", line 49, characters 45-49) - Abstract RAC: FAILURE (precondition at "bench/check-ce/array_records_mono.mlw", line 49, characters 45-49) File "bench/check-ce/array_records_mono.mlw", line 50, characters 5-82: Sub-goal Index in array bounds of goal var_overwrite'vc. Prover result is: Unknown or time/memory/step limit. Sorry, we don't have a good counterexample for you :( Categorizations of models: - Checked model 0: BAD_CE - Concrete RAC: FAILURE (precondition at "bench/check-ce/array_records_mono.mlw", line 49, characters 45-49) - Abstract RAC: FAILURE (precondition at "bench/check-ce/array_records_mono.mlw", line 49, characters 45-49) - Selected model 1: BAD_CE - Concrete RAC: FAILURE (precondition at "bench/check-ce/array_records_mono.mlw", line 49, characters 45-49) - Abstract RAC: FAILURE (precondition at "bench/check-ce/array_records_mono.mlw", line 49, characters 45-49) File "bench/check-ce/array_records_mono.mlw", line 51, characters 64-68: Sub-goal Index in array bounds of goal var_overwrite'vc. Prover result is: Unknown or time/memory/step limit. Sorry, we don't have a good counterexample for you :( Categorizations of models: - Checked model 0: BAD_CE - Concrete RAC: FAILURE (precondition at "bench/check-ce/array_records_mono.mlw", line 49, characters 45-49) - Abstract RAC: FAILURE (precondition at "bench/check-ce/array_records_mono.mlw", line 49, characters 45-49) - Selected model 1: BAD_CE - Concrete RAC: FAILURE (precondition at "bench/check-ce/array_records_mono.mlw", line 49, characters 45-49) - Abstract RAC: FAILURE (precondition at "bench/check-ce/array_records_mono.mlw", line 49, characters 45-49) File "bench/check-ce/array_records_mono.mlw", line 51, characters 21-25: Sub-goal Index in array bounds of goal var_overwrite'vc. Prover result is: Unknown or time/memory/step limit. Sorry, we don't have a good counterexample for you :( Categorizations of models: - Checked model 0: BAD_CE - Concrete RAC: FAILURE (precondition at "bench/check-ce/array_records_mono.mlw", line 49, characters 45-49) - Abstract RAC: FAILURE (precondition at "bench/check-ce/array_records_mono.mlw", line 49, characters 45-49) - Selected model 1: BAD_CE - Concrete RAC: FAILURE (precondition at "bench/check-ce/array_records_mono.mlw", line 49, characters 45-49) - Abstract RAC: FAILURE (precondition at "bench/check-ce/array_records_mono.mlw", line 49, characters 45-49) File "bench/check-ce/array_records_mono.mlw", line 51, characters 5-82: Sub-goal Index in array bounds of goal var_overwrite'vc. Prover result is: Unknown or time/memory/step limit. Sorry, we don't have a good counterexample for you :( Categorizations of models: - Checked model 0: BAD_CE - Concrete RAC: FAILURE (precondition at "bench/check-ce/array_records_mono.mlw", line 49, characters 45-49) - Abstract RAC: FAILURE (precondition at "bench/check-ce/array_records_mono.mlw", line 49, characters 45-49) - Selected model 1: BAD_CE - Concrete RAC: FAILURE (precondition at "bench/check-ce/array_records_mono.mlw", line 49, characters 45-49) - Abstract RAC: FAILURE (precondition at "bench/check-ce/array_records_mono.mlw", line 49, characters 45-49) File "bench/check-ce/array_records_mono.mlw", line 52, characters 74-78: Sub-goal Index in array bounds of goal var_overwrite'vc. Prover result is: Unknown or time/memory/step limit. Sorry, we don't have a good counterexample for you :( Categorizations of models: - Checked model 0: BAD_CE - Concrete RAC: FAILURE (precondition at "bench/check-ce/array_records_mono.mlw", line 49, characters 45-49) - Abstract RAC: FAILURE (precondition at "bench/check-ce/array_records_mono.mlw", line 49, characters 45-49) - Selected model 1: BAD_CE - Concrete RAC: FAILURE (precondition at "bench/check-ce/array_records_mono.mlw", line 49, characters 45-49) - Abstract RAC: FAILURE (precondition at "bench/check-ce/array_records_mono.mlw", line 49, characters 45-49) File "bench/check-ce/array_records_mono.mlw", line 52, characters 41-45: Sub-goal Index in array bounds of goal var_overwrite'vc. Prover result is: Unknown or time/memory/step limit. Sorry, we don't have a good counterexample for you :( Categorizations of models: - Checked model 0: BAD_CE - Concrete RAC: FAILURE (precondition at "bench/check-ce/array_records_mono.mlw", line 49, characters 45-49) - Abstract RAC: FAILURE (precondition at "bench/check-ce/array_records_mono.mlw", line 49, characters 45-49) - Selected model 1: BAD_CE - Concrete RAC: FAILURE (precondition at "bench/check-ce/array_records_mono.mlw", line 49, characters 45-49) - Abstract RAC: FAILURE (precondition at "bench/check-ce/array_records_mono.mlw", line 49, characters 45-49) File "bench/check-ce/array_records_mono.mlw", line 52, characters 5-92: Sub-goal Index in array bounds of goal var_overwrite'vc. Prover result is: Unknown or time/memory/step limit. Sorry, we don't have a good counterexample for you :( File "bench/check-ce/array_records_mono.mlw", line 53, characters 13-35: Sub-goal Assertion of goal var_overwrite'vc. Prover result is: Valid. Categorizations of models: - Checked model 0: BAD_CE - Concrete RAC: FAILURE (precondition at "bench/check-ce/array_records_mono.mlw", line 49, characters 45-49) - Abstract RAC: FAILURE (precondition at "bench/check-ce/array_records_mono.mlw", line 49, characters 45-49) - Selected model 1: BAD_CE - Concrete RAC: FAILURE (precondition at "bench/check-ce/array_records_mono.mlw", line 49, characters 45-49) - Abstract RAC: FAILURE (precondition at "bench/check-ce/array_records_mono.mlw", line 49, characters 45-49) File "bench/check-ce/array_records_mono.mlw", line 47, characters 15-36: Sub-goal Postcondition of goal var_overwrite'vc. Prover result is: Unknown or time/memory/step limit. Sorry, we don't have a good counterexample for you :( why3-1.6.0/bench/check-ce/oracles/array_records_mono_Z3,4.8.10_SP.oracle000066400000000000000000001331731440160026300253460ustar00rootroot00000000000000File bench/check-ce/array_records_mono.mlw: Goal array_of_records'vc. Prover result is: Valid. Categorizations of models: - Selected model 0: INCOMPLETE - Concrete RAC: INCOMPLETE (terminated because Precondition of `var_overwrite` cannot be evaluated) - Abstract RAC: INCOMPLETE (terminated because Precondition of `var_overwrite` cannot be evaluated) - Checked model 1: INCOMPLETE - Concrete RAC: INCOMPLETE (terminated because Precondition of `var_overwrite` cannot be evaluated) - Abstract RAC: INCOMPLETE (terminated because Precondition of `var_overwrite` cannot be evaluated) File "bench/check-ce/array_records_mono.mlw", line 49, characters 45-49: Sub-goal Index in array bounds of goal var_overwrite'vc. Prover result is: Unknown or time/memory/step limit. The following counterexample model could not be verified (both RAC terminated because Precondition of `var_overwrite` cannot be evaluated): File array_records_mono.mlw: Line 20: length : array_of_records -> int = [|_ => 0|] Line 23: mixfix [] : array_of_records -> int -> basic_record = fun x!0 x!1 -> {flag = true; first_val = 3; sec_val = 5} Line 26: a : array_of_records = epsilon x. (ArrayRecords.length x) = 0 i : int = -1 Line 29: mixfix [<-] : array_of_records -> int -> basic_record -> array_of_records = fun x!0 x!1 x!2 -> epsilon x. (ArrayRecords.length x) = 0 Line 45: a : array_of_records = epsilon x. (ArrayRecords.length x) = 0 i : int = -1 Line 49: a : array_of_records = epsilon x. (ArrayRecords.length x) = 0 i : int = -1 Categorizations of models: - Selected model 0: INCOMPLETE - Concrete RAC: INCOMPLETE (terminated because Precondition of `var_overwrite` cannot be evaluated) - Abstract RAC: INCOMPLETE (terminated because Precondition of `var_overwrite` cannot be evaluated) - Checked model 1: INCOMPLETE - Concrete RAC: INCOMPLETE (terminated because Precondition of `var_overwrite` cannot be evaluated) - Abstract RAC: INCOMPLETE (terminated because Precondition of `var_overwrite` cannot be evaluated) File "bench/check-ce/array_records_mono.mlw", line 49, characters 21-25: Sub-goal Index in array bounds of goal var_overwrite'vc. Prover result is: Unknown or time/memory/step limit. The following counterexample model could not be verified (both RAC terminated because Precondition of `var_overwrite` cannot be evaluated): File array_records_mono.mlw: Line 20: length : array_of_records -> int = [|_ => 0|] Line 23: mixfix [] : array_of_records -> int -> basic_record = fun x!01 x!1 -> {flag = true; first_val = 3; sec_val = 5} Line 26: a : array_of_records = epsilon x. (ArrayRecords.length x) = 0 i : int = -1 Line 29: mixfix [<-] : array_of_records -> int -> basic_record -> array_of_records = fun x!01 x!1 x!2 -> epsilon x. (ArrayRecords.length x) = 0 Line 45: a : array_of_records = epsilon x. (ArrayRecords.length x) = 0 i : int = -1 Line 49: a : array_of_records = epsilon x. (ArrayRecords.length x) = 0 i : int = -1 result of call at line 49, characters 45-61 : int = 3 result of call at line 49, characters 45-49 : basic_record = {flag = true; first_val = 3; sec_val = 5} Categorizations of models: - Selected model 0: INCOMPLETE - Concrete RAC: INCOMPLETE (terminated because Precondition of `var_overwrite` cannot be evaluated) - Abstract RAC: INCOMPLETE (terminated because Precondition of `var_overwrite` cannot be evaluated) - Checked model 1: INCOMPLETE - Concrete RAC: INCOMPLETE (terminated because Precondition of `var_overwrite` cannot be evaluated) - Abstract RAC: INCOMPLETE (terminated because Precondition of `var_overwrite` cannot be evaluated) File "bench/check-ce/array_records_mono.mlw", line 49, characters 5-81: Sub-goal Index in array bounds of goal var_overwrite'vc. Prover result is: Unknown or time/memory/step limit. The following counterexample model could not be verified (both RAC terminated because Precondition of `var_overwrite` cannot be evaluated): File array_records_mono.mlw: Line 20: length : array_of_records -> int = [|_ => 0|] Line 23: mixfix [] : array_of_records -> int -> basic_record = fun x!02 x!1 -> {flag = true; first_val = 3; sec_val = 5} Line 27: a : array_of_records = epsilon x. (ArrayRecords.length x) = 0 i : int = -1 Line 29: mixfix [<-] : array_of_records -> int -> basic_record -> array_of_records = fun x!02 x!1 x!2 -> epsilon x. (ArrayRecords.length x) = 0 Line 45: a : array_of_records = epsilon x. (ArrayRecords.length x) = 0 i : int = -1 Line 49: a : array_of_records = epsilon x. (ArrayRecords.length x) = 0 i : int = -1 result of call at line 49, characters 13-81 : basic_record = {flag = true; first_val = 3; sec_val = 69} result of call at line 49, characters 21-30 : bool = true result of call at line 49, characters 21-25 : basic_record = {flag = true; first_val = 3; sec_val = 5} result of call at line 49, characters 45-61 : int = 3 result of call at line 49, characters 45-49 : basic_record = {flag = true; first_val = 3; sec_val = 5} Categorizations of models: - Selected model 0: INCOMPLETE - Concrete RAC: INCOMPLETE (terminated because Precondition of `var_overwrite` cannot be evaluated) - Abstract RAC: INCOMPLETE (terminated because Precondition of `var_overwrite` cannot be evaluated) - Checked model 1: INCOMPLETE - Concrete RAC: INCOMPLETE (terminated because Precondition of `var_overwrite` cannot be evaluated) - Abstract RAC: INCOMPLETE (terminated because Precondition of `var_overwrite` cannot be evaluated) File "bench/check-ce/array_records_mono.mlw", line 50, characters 64-68: Sub-goal Index in array bounds of goal var_overwrite'vc. Prover result is: Unknown or time/memory/step limit. The following counterexample model could not be verified (both RAC terminated because Precondition of `var_overwrite` cannot be evaluated): File array_records_mono.mlw: Line 20: length : array_of_records -> int = [|epsilon x. (ArrayRecords.length x) = 0 => 0; epsilon x. (ArrayRecords.length x) = 0 => 0; _ => 0|] Line 26: a : array_of_records = epsilon x. (ArrayRecords.length x) = 0 i : int = -1 Line 27: a : array_of_records = epsilon x. (ArrayRecords.length x) = 0 Line 29: mixfix [<-] : array_of_records -> int -> basic_record -> array_of_records = fun x!03 x!1 x!2 -> if x!03 = epsilon x. (ArrayRecords.length x) = 0 /\ x!1 = -1 /\ x!2 = {flag = true; first_val = 3; sec_val = 69} then epsilon x. (ArrayRecords.length x) = 0 else epsilon x. (ArrayRecords.length x) = 0 Line 33: a : array_of_records = epsilon x. (ArrayRecords.length x) = 0 Line 45: a : array_of_records = epsilon x. (ArrayRecords.length x) = 0 i : int = -1 Line 49: a : array_of_records = epsilon x. (ArrayRecords.length x) = 0 result of call at line 49, characters 13-81 : basic_record = {flag = true; first_val = 3; sec_val = 69} result of call at line 49, characters 21-30 : bool = true result of call at line 49, characters 21-25 : basic_record = {flag = true; first_val = 3; sec_val = 5} result of call at line 49, characters 45-61 : int = 3 result of call at line 49, characters 45-49 : basic_record = {flag = true; first_val = 3; sec_val = 5} Line 50: a : array_of_records = epsilon x. (ArrayRecords.length x) = 0 i : int = -1 Categorizations of models: - Selected model 0: INCOMPLETE - Concrete RAC: INCOMPLETE (terminated because Precondition of `var_overwrite` cannot be evaluated) - Abstract RAC: INCOMPLETE (terminated because Precondition of `var_overwrite` cannot be evaluated) - Checked model 1: INCOMPLETE - Concrete RAC: INCOMPLETE (terminated because Precondition of `var_overwrite` cannot be evaluated) - Abstract RAC: INCOMPLETE (terminated because Precondition of `var_overwrite` cannot be evaluated) File "bench/check-ce/array_records_mono.mlw", line 50, characters 21-25: Sub-goal Index in array bounds of goal var_overwrite'vc. Prover result is: Unknown or time/memory/step limit. The following counterexample model could not be verified (both RAC terminated because Precondition of `var_overwrite` cannot be evaluated): File array_records_mono.mlw: Line 20: length : array_of_records -> int = [|epsilon x. (ArrayRecords.length x) = 0 => 0; epsilon x. (ArrayRecords.length x) = 0 => 0; _ => 0|] Line 26: a : array_of_records = epsilon x. (ArrayRecords.length x) = 0 i : int = -1 Line 27: a : array_of_records = epsilon x. (ArrayRecords.length x) = 0 Line 29: mixfix [<-] : array_of_records -> int -> basic_record -> array_of_records = fun x!04 x!1 x!2 -> if x!04 = epsilon x. (ArrayRecords.length x) = 0 /\ x!1 = -1 /\ x!2 = {flag = true; first_val = 3; sec_val = 69} then epsilon x. (ArrayRecords.length x) = 0 else epsilon x. (ArrayRecords.length x) = 0 Line 33: a : array_of_records = epsilon x. (ArrayRecords.length x) = 0 Line 45: a : array_of_records = epsilon x. (ArrayRecords.length x) = 0 i : int = -1 Line 49: a : array_of_records = epsilon x. (ArrayRecords.length x) = 0 result of call at line 49, characters 13-81 : basic_record = {flag = true; first_val = 3; sec_val = 69} result of call at line 49, characters 21-30 : bool = true result of call at line 49, characters 21-25 : basic_record = {flag = true; first_val = 3; sec_val = 5} result of call at line 49, characters 45-61 : int = 3 result of call at line 49, characters 45-49 : basic_record = {flag = true; first_val = 3; sec_val = 5} Line 50: a : array_of_records = epsilon x. (ArrayRecords.length x) = 0 i : int = -1 result of call at line 50, characters 64-81 : int = 69 result of call at line 50, characters 64-68 : basic_record = {flag = true; first_val = 3; sec_val = 69} Categorizations of models: - Selected model 0: INCOMPLETE - Concrete RAC: INCOMPLETE (terminated because Precondition of `var_overwrite` cannot be evaluated) - Abstract RAC: INCOMPLETE (terminated because Precondition of `var_overwrite` cannot be evaluated) - Checked model 1: INCOMPLETE - Concrete RAC: INCOMPLETE (terminated because Precondition of `var_overwrite` cannot be evaluated) - Abstract RAC: INCOMPLETE (terminated because Precondition of `var_overwrite` cannot be evaluated) File "bench/check-ce/array_records_mono.mlw", line 50, characters 5-82: Sub-goal Index in array bounds of goal var_overwrite'vc. Prover result is: Unknown or time/memory/step limit. The following counterexample model could not be verified (both RAC terminated because Precondition of `var_overwrite` cannot be evaluated): File array_records_mono.mlw: Line 20: length : array_of_records -> int = [|epsilon x. (ArrayRecords.length x) = 0 => 0; epsilon x. (ArrayRecords.length x) = 0 => 0; _ => 0|] Line 27: a : array_of_records = epsilon x. (ArrayRecords.length x) = 0 a : array_of_records = epsilon x. (ArrayRecords.length x) = 0 i : int = -1 Line 29: mixfix [<-] : array_of_records -> int -> basic_record -> array_of_records = fun x!05 x!1 x!2 -> if x!05 = epsilon x. (ArrayRecords.length x) = 0 /\ x!1 = -1 /\ x!2 = {flag = true; first_val = 3; sec_val = 69} then epsilon x. (ArrayRecords.length x) = 0 else epsilon x. (ArrayRecords.length x) = 0 Line 33: a : array_of_records = epsilon x. (ArrayRecords.length x) = 0 Line 45: a : array_of_records = epsilon x. (ArrayRecords.length x) = 0 i : int = -1 Line 49: a : array_of_records = epsilon x. (ArrayRecords.length x) = 0 result of call at line 49, characters 13-81 : basic_record = {flag = true; first_val = 3; sec_val = 69} result of call at line 49, characters 21-30 : bool = true result of call at line 49, characters 21-25 : basic_record = {flag = true; first_val = 3; sec_val = 5} result of call at line 49, characters 45-61 : int = 3 result of call at line 49, characters 45-49 : basic_record = {flag = true; first_val = 3; sec_val = 5} Line 50: a : array_of_records = epsilon x. (ArrayRecords.length x) = 0 i : int = -1 result of call at line 50, characters 13-82 : basic_record = {flag = true; first_val = 42; sec_val = 69} result of call at line 50, characters 21-30 : bool = true result of call at line 50, characters 21-25 : basic_record = {flag = true; first_val = 3; sec_val = 69} result of call at line 50, characters 64-81 : int = 69 result of call at line 50, characters 64-68 : basic_record = {flag = true; first_val = 3; sec_val = 69} Categorizations of models: - Selected model 0: INCOMPLETE - Concrete RAC: INCOMPLETE (terminated because Precondition of `var_overwrite` cannot be evaluated) - Abstract RAC: INCOMPLETE (terminated because Precondition of `var_overwrite` cannot be evaluated) - Checked model 1: INCOMPLETE - Concrete RAC: INCOMPLETE (terminated because Precondition of `var_overwrite` cannot be evaluated) - Abstract RAC: INCOMPLETE (terminated because Precondition of `var_overwrite` cannot be evaluated) File "bench/check-ce/array_records_mono.mlw", line 51, characters 64-68: Sub-goal Index in array bounds of goal var_overwrite'vc. Prover result is: Unknown or time/memory/step limit. The following counterexample model could not be verified (both RAC terminated because Precondition of `var_overwrite` cannot be evaluated): File array_records_mono.mlw: Line 20: length : array_of_records -> int = [|epsilon x. (ArrayRecords.length x) = 0 => 0; epsilon x. (ArrayRecords.length x) = 0 => 0; epsilon x. (ArrayRecords.length x) = 0 => 0; _ => 0|] Line 26: a : array_of_records = epsilon x. (ArrayRecords.length x) = 0 i : int = -1 Line 27: a : array_of_records = epsilon x. (ArrayRecords.length x) = 0 a : array_of_records = epsilon x. (ArrayRecords.length x) = 0 Line 29: mixfix [<-] : array_of_records -> int -> basic_record -> array_of_records = fun x!06 x!1 x!2 -> if x!06 = epsilon x. (ArrayRecords.length x) = 0 /\ x!1 = -1 /\ x!2 = {flag = true; first_val = 3; sec_val = 69} then epsilon x. (ArrayRecords.length x) = 0 else if x!06 = epsilon x. (ArrayRecords.length x) = 0 /\ x!1 = -1 /\ x!2 = {flag = true; first_val = 42; sec_val = 69} then epsilon x. (ArrayRecords.length x) = 0 else epsilon x. (ArrayRecords.length x) = 0 Line 33: a : array_of_records = epsilon x. (ArrayRecords.length x) = 0 a : array_of_records = epsilon x. (ArrayRecords.length x) = 0 Line 45: a : array_of_records = epsilon x. (ArrayRecords.length x) = 0 i : int = -1 Line 49: a : array_of_records = epsilon x. (ArrayRecords.length x) = 0 result of call at line 49, characters 13-81 : basic_record = {flag = true; first_val = 3; sec_val = 69} result of call at line 49, characters 21-30 : bool = true result of call at line 49, characters 21-25 : basic_record = {flag = true; first_val = 3; sec_val = 5} result of call at line 49, characters 45-61 : int = 3 result of call at line 49, characters 45-49 : basic_record = {flag = true; first_val = 3; sec_val = 5} Line 50: a : array_of_records = epsilon x. (ArrayRecords.length x) = 0 result of call at line 50, characters 13-82 : basic_record = {flag = true; first_val = 42; sec_val = 69} result of call at line 50, characters 21-30 : bool = true result of call at line 50, characters 21-25 : basic_record = {flag = true; first_val = 3; sec_val = 69} result of call at line 50, characters 64-81 : int = 69 result of call at line 50, characters 64-68 : basic_record = {flag = true; first_val = 3; sec_val = 69} Line 51: a : array_of_records = epsilon x. (ArrayRecords.length x) = 0 i : int = -1 Categorizations of models: - Selected model 0: INCOMPLETE - Concrete RAC: INCOMPLETE (terminated because Precondition of `var_overwrite` cannot be evaluated) - Abstract RAC: INCOMPLETE (terminated because Precondition of `var_overwrite` cannot be evaluated) - Checked model 1: INCOMPLETE - Concrete RAC: INCOMPLETE (terminated because Precondition of `var_overwrite` cannot be evaluated) - Abstract RAC: INCOMPLETE (terminated because Precondition of `var_overwrite` cannot be evaluated) File "bench/check-ce/array_records_mono.mlw", line 51, characters 21-25: Sub-goal Index in array bounds of goal var_overwrite'vc. Prover result is: Unknown or time/memory/step limit. The following counterexample model could not be verified (both RAC terminated because Precondition of `var_overwrite` cannot be evaluated): File array_records_mono.mlw: Line 20: length : array_of_records -> int = [|epsilon x. (ArrayRecords.length x) = 0 => 0; epsilon x. (ArrayRecords.length x) = 0 => 0; epsilon x. (ArrayRecords.length x) = 0 => 0; _ => 0|] Line 26: a : array_of_records = epsilon x. (ArrayRecords.length x) = 0 i : int = -1 Line 27: a : array_of_records = epsilon x. (ArrayRecords.length x) = 0 a : array_of_records = epsilon x. (ArrayRecords.length x) = 0 Line 29: mixfix [<-] : array_of_records -> int -> basic_record -> array_of_records = fun x!07 x!1 x!2 -> if x!07 = epsilon x. (ArrayRecords.length x) = 0 /\ x!1 = -1 /\ x!2 = {flag = true; first_val = 3; sec_val = 69} then epsilon x. (ArrayRecords.length x) = 0 else if x!07 = epsilon x. (ArrayRecords.length x) = 0 /\ x!1 = -1 /\ x!2 = {flag = true; first_val = 42; sec_val = 69} then epsilon x. (ArrayRecords.length x) = 0 else epsilon x. (ArrayRecords.length x) = 0 Line 33: a : array_of_records = epsilon x. (ArrayRecords.length x) = 0 a : array_of_records = epsilon x. (ArrayRecords.length x) = 0 Line 45: a : array_of_records = epsilon x. (ArrayRecords.length x) = 0 i : int = -1 Line 49: a : array_of_records = epsilon x. (ArrayRecords.length x) = 0 result of call at line 49, characters 13-81 : basic_record = {flag = true; first_val = 3; sec_val = 69} result of call at line 49, characters 21-30 : bool = true result of call at line 49, characters 21-25 : basic_record = {flag = true; first_val = 3; sec_val = 5} result of call at line 49, characters 45-61 : int = 3 result of call at line 49, characters 45-49 : basic_record = {flag = true; first_val = 3; sec_val = 5} Line 50: a : array_of_records = epsilon x. (ArrayRecords.length x) = 0 result of call at line 50, characters 13-82 : basic_record = {flag = true; first_val = 42; sec_val = 69} result of call at line 50, characters 21-30 : bool = true result of call at line 50, characters 21-25 : basic_record = {flag = true; first_val = 3; sec_val = 69} result of call at line 50, characters 64-81 : int = 69 result of call at line 50, characters 64-68 : basic_record = {flag = true; first_val = 3; sec_val = 69} Line 51: a : array_of_records = epsilon x. (ArrayRecords.length x) = 0 i : int = -1 result of call at line 51, characters 64-81 : int = 69 result of call at line 51, characters 64-68 : basic_record = {flag = true; first_val = 42; sec_val = 69} Categorizations of models: - Selected model 0: INCOMPLETE - Concrete RAC: INCOMPLETE (terminated because Precondition of `var_overwrite` cannot be evaluated) - Abstract RAC: INCOMPLETE (terminated because Precondition of `var_overwrite` cannot be evaluated) - Checked model 1: INCOMPLETE - Concrete RAC: INCOMPLETE (terminated because Precondition of `var_overwrite` cannot be evaluated) - Abstract RAC: INCOMPLETE (terminated because Precondition of `var_overwrite` cannot be evaluated) File "bench/check-ce/array_records_mono.mlw", line 51, characters 5-82: Sub-goal Index in array bounds of goal var_overwrite'vc. Prover result is: Unknown or time/memory/step limit. The following counterexample model could not be verified (both RAC terminated because Precondition of `var_overwrite` cannot be evaluated): File array_records_mono.mlw: Line 20: length : array_of_records -> int = [|epsilon x. (ArrayRecords.length x) = 0 => 0; epsilon x. (ArrayRecords.length x) = 0 => 0; epsilon x. (ArrayRecords.length x) = 0 => 0; _ => 0|] Line 27: a : array_of_records = epsilon x. (ArrayRecords.length x) = 0 a : array_of_records = epsilon x. (ArrayRecords.length x) = 0 a : array_of_records = epsilon x. (ArrayRecords.length x) = 0 i : int = -1 Line 29: mixfix [<-] : array_of_records -> int -> basic_record -> array_of_records = fun x!08 x!1 x!2 -> if x!08 = epsilon x. (ArrayRecords.length x) = 0 /\ x!1 = -1 /\ x!2 = {flag = true; first_val = 3; sec_val = 69} then epsilon x. (ArrayRecords.length x) = 0 else if x!08 = epsilon x. (ArrayRecords.length x) = 0 /\ x!1 = -1 /\ x!2 = {flag = true; first_val = 42; sec_val = 69} then epsilon x. (ArrayRecords.length x) = 0 else epsilon x. (ArrayRecords.length x) = 0 Line 33: a : array_of_records = epsilon x. (ArrayRecords.length x) = 0 a : array_of_records = epsilon x. (ArrayRecords.length x) = 0 Line 45: a : array_of_records = epsilon x. (ArrayRecords.length x) = 0 i : int = -1 Line 49: a : array_of_records = epsilon x. (ArrayRecords.length x) = 0 result of call at line 49, characters 13-81 : basic_record = {flag = true; first_val = 3; sec_val = 69} result of call at line 49, characters 21-30 : bool = true result of call at line 49, characters 21-25 : basic_record = {flag = true; first_val = 3; sec_val = 5} result of call at line 49, characters 45-61 : int = 3 result of call at line 49, characters 45-49 : basic_record = {flag = true; first_val = 3; sec_val = 5} Line 50: a : array_of_records = epsilon x. (ArrayRecords.length x) = 0 result of call at line 50, characters 13-82 : basic_record = {flag = true; first_val = 42; sec_val = 69} result of call at line 50, characters 21-30 : bool = true result of call at line 50, characters 21-25 : basic_record = {flag = true; first_val = 3; sec_val = 69} result of call at line 50, characters 64-81 : int = 69 result of call at line 50, characters 64-68 : basic_record = {flag = true; first_val = 3; sec_val = 69} Line 51: a : array_of_records = epsilon x. (ArrayRecords.length x) = 0 i : int = -1 result of call at line 51, characters 13-82 : basic_record = {flag = true; first_val = 23; sec_val = 69} result of call at line 51, characters 21-30 : bool = true result of call at line 51, characters 21-25 : basic_record = {flag = true; first_val = 42; sec_val = 69} result of call at line 51, characters 64-81 : int = 69 result of call at line 51, characters 64-68 : basic_record = {flag = true; first_val = 42; sec_val = 69} Categorizations of models: - Selected model 0: INCOMPLETE - Concrete RAC: INCOMPLETE (terminated because Precondition of `var_overwrite` cannot be evaluated) - Abstract RAC: INCOMPLETE (terminated because Precondition of `var_overwrite` cannot be evaluated) - Checked model 1: INCOMPLETE - Concrete RAC: INCOMPLETE (terminated because Precondition of `var_overwrite` cannot be evaluated) - Abstract RAC: INCOMPLETE (terminated because Precondition of `var_overwrite` cannot be evaluated) File "bench/check-ce/array_records_mono.mlw", line 52, characters 74-78: Sub-goal Index in array bounds of goal var_overwrite'vc. Prover result is: Unknown or time/memory/step limit. The following counterexample model could not be verified (both RAC terminated because Precondition of `var_overwrite` cannot be evaluated): File array_records_mono.mlw: Line 20: length : array_of_records -> int = [|epsilon x. (ArrayRecords.length x) = 0 => 0; epsilon x. (ArrayRecords.length x) = 0 => 0; epsilon x. (ArrayRecords.length x) = 0 => 0; epsilon x. (ArrayRecords.length x) = 0 => 0; _ => 0|] Line 26: a : array_of_records = epsilon x. (ArrayRecords.length x) = 0 i : int = -1 Line 27: a : array_of_records = epsilon x. (ArrayRecords.length x) = 0 a : array_of_records = epsilon x. (ArrayRecords.length x) = 0 a : array_of_records = epsilon x. (ArrayRecords.length x) = 0 Line 29: mixfix [<-] : array_of_records -> int -> basic_record -> array_of_records = fun x!09 x!1 x!2 -> if x!09 = epsilon x. (ArrayRecords.length x) = 0 /\ x!1 = -1 /\ x!2 = {flag = true; first_val = 3; sec_val = 69} then epsilon x. (ArrayRecords.length x) = 0 else if x!09 = epsilon x. (ArrayRecords.length x) = 0 /\ x!1 = -1 /\ x!2 = {flag = true; first_val = 42; sec_val = 69} then epsilon x. (ArrayRecords.length x) = 0 else if x!09 = epsilon x. (ArrayRecords.length x) = 0 /\ x!1 = -1 /\ x!2 = {flag = true; first_val = 23; sec_val = 69} then epsilon x. (ArrayRecords.length x) = 0 else epsilon x. (ArrayRecords.length x) = 0 Line 33: a : array_of_records = epsilon x. (ArrayRecords.length x) = 0 a : array_of_records = epsilon x. (ArrayRecords.length x) = 0 a : array_of_records = epsilon x. (ArrayRecords.length x) = 0 Line 45: a : array_of_records = epsilon x. (ArrayRecords.length x) = 0 i : int = -1 Line 49: a : array_of_records = epsilon x. (ArrayRecords.length x) = 0 result of call at line 49, characters 13-81 : basic_record = {flag = true; first_val = 3; sec_val = 69} result of call at line 49, characters 21-30 : bool = true result of call at line 49, characters 21-25 : basic_record = {flag = true; first_val = 3; sec_val = 5} result of call at line 49, characters 45-61 : int = 3 result of call at line 49, characters 45-49 : basic_record = {flag = true; first_val = 3; sec_val = 5} Line 50: a : array_of_records = epsilon x. (ArrayRecords.length x) = 0 result of call at line 50, characters 13-82 : basic_record = {flag = true; first_val = 42; sec_val = 69} result of call at line 50, characters 21-30 : bool = true result of call at line 50, characters 21-25 : basic_record = {flag = true; first_val = 3; sec_val = 69} result of call at line 50, characters 64-81 : int = 69 result of call at line 50, characters 64-68 : basic_record = {flag = true; first_val = 3; sec_val = 69} Line 51: a : array_of_records = epsilon x. (ArrayRecords.length x) = 0 result of call at line 51, characters 13-82 : basic_record = {flag = true; first_val = 23; sec_val = 69} result of call at line 51, characters 21-30 : bool = true result of call at line 51, characters 21-25 : basic_record = {flag = true; first_val = 42; sec_val = 69} result of call at line 51, characters 64-81 : int = 69 result of call at line 51, characters 64-68 : basic_record = {flag = true; first_val = 42; sec_val = 69} Line 52: a : array_of_records = epsilon x. (ArrayRecords.length x) = 0 i : int = -1 Categorizations of models: - Selected model 0: INCOMPLETE - Concrete RAC: INCOMPLETE (terminated because Precondition of `var_overwrite` cannot be evaluated) - Abstract RAC: INCOMPLETE (terminated because Precondition of `var_overwrite` cannot be evaluated) - Checked model 1: INCOMPLETE - Concrete RAC: INCOMPLETE (terminated because Precondition of `var_overwrite` cannot be evaluated) - Abstract RAC: INCOMPLETE (terminated because Precondition of `var_overwrite` cannot be evaluated) File "bench/check-ce/array_records_mono.mlw", line 52, characters 41-45: Sub-goal Index in array bounds of goal var_overwrite'vc. Prover result is: Unknown or time/memory/step limit. The following counterexample model could not be verified (both RAC terminated because Precondition of `var_overwrite` cannot be evaluated): File array_records_mono.mlw: Line 20: length : array_of_records -> int = [|epsilon x. (ArrayRecords.length x) = 0 => 0; epsilon x. (ArrayRecords.length x) = 0 => 0; epsilon x. (ArrayRecords.length x) = 0 => 0; epsilon x. (ArrayRecords.length x) = 0 => 0; _ => 0|] Line 26: a : array_of_records = epsilon x. (ArrayRecords.length x) = 0 i : int = -1 Line 27: a : array_of_records = epsilon x. (ArrayRecords.length x) = 0 a : array_of_records = epsilon x. (ArrayRecords.length x) = 0 a : array_of_records = epsilon x. (ArrayRecords.length x) = 0 Line 29: mixfix [<-] : array_of_records -> int -> basic_record -> array_of_records = fun x!010 x!1 x!2 -> if x!010 = epsilon x. (ArrayRecords.length x) = 0 /\ x!1 = -1 /\ x!2 = {flag = true; first_val = 3; sec_val = 69} then epsilon x. (ArrayRecords.length x) = 0 else if x!010 = epsilon x. (ArrayRecords.length x) = 0 /\ x!1 = -1 /\ x!2 = {flag = true; first_val = 42; sec_val = 69} then epsilon x. (ArrayRecords.length x) = 0 else if x!010 = epsilon x. (ArrayRecords.length x) = 0 /\ x!1 = -1 /\ x!2 = {flag = true; first_val = 23; sec_val = 69} then epsilon x. (ArrayRecords.length x) = 0 else epsilon x. (ArrayRecords.length x) = 0 Line 33: a : array_of_records = epsilon x. (ArrayRecords.length x) = 0 a : array_of_records = epsilon x. (ArrayRecords.length x) = 0 a : array_of_records = epsilon x. (ArrayRecords.length x) = 0 Line 45: a : array_of_records = epsilon x. (ArrayRecords.length x) = 0 i : int = -1 Line 49: a : array_of_records = epsilon x. (ArrayRecords.length x) = 0 result of call at line 49, characters 13-81 : basic_record = {flag = true; first_val = 3; sec_val = 69} result of call at line 49, characters 21-30 : bool = true result of call at line 49, characters 21-25 : basic_record = {flag = true; first_val = 3; sec_val = 5} result of call at line 49, characters 45-61 : int = 3 result of call at line 49, characters 45-49 : basic_record = {flag = true; first_val = 3; sec_val = 5} Line 50: a : array_of_records = epsilon x. (ArrayRecords.length x) = 0 result of call at line 50, characters 13-82 : basic_record = {flag = true; first_val = 42; sec_val = 69} result of call at line 50, characters 21-30 : bool = true result of call at line 50, characters 21-25 : basic_record = {flag = true; first_val = 3; sec_val = 69} result of call at line 50, characters 64-81 : int = 69 result of call at line 50, characters 64-68 : basic_record = {flag = true; first_val = 3; sec_val = 69} Line 51: a : array_of_records = epsilon x. (ArrayRecords.length x) = 0 result of call at line 51, characters 13-82 : basic_record = {flag = true; first_val = 23; sec_val = 69} result of call at line 51, characters 21-30 : bool = true result of call at line 51, characters 21-25 : basic_record = {flag = true; first_val = 42; sec_val = 69} result of call at line 51, characters 64-81 : int = 69 result of call at line 51, characters 64-68 : basic_record = {flag = true; first_val = 42; sec_val = 69} Line 52: a : array_of_records = epsilon x. (ArrayRecords.length x) = 0 i : int = -1 result of call at line 52, characters 74-91 : int = 69 result of call at line 52, characters 74-78 : basic_record = {flag = true; first_val = 23; sec_val = 69} Categorizations of models: - Selected model 0: INCOMPLETE - Concrete RAC: INCOMPLETE (terminated because Precondition of `var_overwrite` cannot be evaluated) - Abstract RAC: INCOMPLETE (terminated because Precondition of `var_overwrite` cannot be evaluated) - Checked model 1: INCOMPLETE - Concrete RAC: INCOMPLETE (terminated because Precondition of `var_overwrite` cannot be evaluated) - Abstract RAC: INCOMPLETE (terminated because Precondition of `var_overwrite` cannot be evaluated) File "bench/check-ce/array_records_mono.mlw", line 52, characters 5-92: Sub-goal Index in array bounds of goal var_overwrite'vc. Prover result is: Unknown or time/memory/step limit. The following counterexample model could not be verified (both RAC terminated because Precondition of `var_overwrite` cannot be evaluated): File array_records_mono.mlw: Line 20: length : array_of_records -> int = [|epsilon x. (ArrayRecords.length x) = 0 => 0; epsilon x. (ArrayRecords.length x) = 0 => 0; epsilon x. (ArrayRecords.length x) = 0 => 0; epsilon x. (ArrayRecords.length x) = 0 => 0; _ => 0|] Line 27: a : array_of_records = epsilon x. (ArrayRecords.length x) = 0 a : array_of_records = epsilon x. (ArrayRecords.length x) = 0 a : array_of_records = epsilon x. (ArrayRecords.length x) = 0 a : array_of_records = epsilon x. (ArrayRecords.length x) = 0 i : int = -1 Line 29: mixfix [<-] : array_of_records -> int -> basic_record -> array_of_records = fun x!011 x!1 x!2 -> if x!011 = epsilon x. (ArrayRecords.length x) = 0 /\ x!1 = -1 /\ x!2 = {flag = true; first_val = 3; sec_val = 69} then epsilon x. (ArrayRecords.length x) = 0 else if x!011 = epsilon x. (ArrayRecords.length x) = 0 /\ x!1 = -1 /\ x!2 = {flag = true; first_val = 42; sec_val = 69} then epsilon x. (ArrayRecords.length x) = 0 else if x!011 = epsilon x. (ArrayRecords.length x) = 0 /\ x!1 = -1 /\ x!2 = {flag = true; first_val = 23; sec_val = 69} then epsilon x. (ArrayRecords.length x) = 0 else epsilon x. (ArrayRecords.length x) = 0 Line 33: a : array_of_records = epsilon x. (ArrayRecords.length x) = 0 a : array_of_records = epsilon x. (ArrayRecords.length x) = 0 a : array_of_records = epsilon x. (ArrayRecords.length x) = 0 Line 45: a : array_of_records = epsilon x. (ArrayRecords.length x) = 0 i : int = -1 Line 49: a : array_of_records = epsilon x. (ArrayRecords.length x) = 0 result of call at line 49, characters 13-81 : basic_record = {flag = true; first_val = 3; sec_val = 69} result of call at line 49, characters 21-30 : bool = true result of call at line 49, characters 21-25 : basic_record = {flag = true; first_val = 3; sec_val = 5} result of call at line 49, characters 45-61 : int = 3 result of call at line 49, characters 45-49 : basic_record = {flag = true; first_val = 3; sec_val = 5} Line 50: a : array_of_records = epsilon x. (ArrayRecords.length x) = 0 result of call at line 50, characters 13-82 : basic_record = {flag = true; first_val = 42; sec_val = 69} result of call at line 50, characters 21-30 : bool = true result of call at line 50, characters 21-25 : basic_record = {flag = true; first_val = 3; sec_val = 69} result of call at line 50, characters 64-81 : int = 69 result of call at line 50, characters 64-68 : basic_record = {flag = true; first_val = 3; sec_val = 69} Line 51: a : array_of_records = epsilon x. (ArrayRecords.length x) = 0 result of call at line 51, characters 13-82 : basic_record = {flag = true; first_val = 23; sec_val = 69} result of call at line 51, characters 21-30 : bool = true result of call at line 51, characters 21-25 : basic_record = {flag = true; first_val = 42; sec_val = 69} result of call at line 51, characters 64-81 : int = 69 result of call at line 51, characters 64-68 : basic_record = {flag = true; first_val = 42; sec_val = 69} Line 52: a : array_of_records = epsilon x. (ArrayRecords.length x) = 0 i : int = -1 result of call at line 52, characters 13-92 : basic_record = {flag = false; first_val = 23; sec_val = 69} result of call at line 52, characters 41-57 : int = 23 result of call at line 52, characters 41-45 : basic_record = {flag = true; first_val = 23; sec_val = 69} result of call at line 52, characters 74-91 : int = 69 result of call at line 52, characters 74-78 : basic_record = {flag = true; first_val = 23; sec_val = 69} File "bench/check-ce/array_records_mono.mlw", line 53, characters 13-35: Sub-goal Assertion of goal var_overwrite'vc. Prover result is: Valid. Categorizations of models: - Selected model 0: INCOMPLETE - Concrete RAC: INCOMPLETE (terminated because Precondition of `var_overwrite` cannot be evaluated) - Abstract RAC: INCOMPLETE (terminated because Precondition of `var_overwrite` cannot be evaluated) - Checked model 1: INCOMPLETE - Concrete RAC: INCOMPLETE (terminated because Precondition of `var_overwrite` cannot be evaluated) - Abstract RAC: INCOMPLETE (terminated because Precondition of `var_overwrite` cannot be evaluated) File "bench/check-ce/array_records_mono.mlw", line 47, characters 15-36: Sub-goal Postcondition of goal var_overwrite'vc. Prover result is: Unknown or time/memory/step limit. The following counterexample model could not be verified (both RAC terminated because Precondition of `var_overwrite` cannot be evaluated): File array_records_mono.mlw: Line 20: length : array_of_records -> int = [|epsilon x. (ArrayRecords.length x) = 4 => 4; epsilon x. (ArrayRecords.length x) = 4 => 4; epsilon x. (ArrayRecords.length x) = 4 => 4; epsilon x. (ArrayRecords.length x) = 4 => 4; epsilon x. (ArrayRecords.length x) = 4 => 4; _ => 4|] Line 27: a : array_of_records = epsilon x. (ArrayRecords.length x) = 4 a : array_of_records = epsilon x. (ArrayRecords.length x) = 4 a : array_of_records = epsilon x. (ArrayRecords.length x) = 4 a : array_of_records = epsilon x. (ArrayRecords.length x) = 4 i : int = 2 Line 29: mixfix [<-] : array_of_records -> int -> basic_record -> array_of_records = fun x!012 x!1 x!2 -> if x!012 = epsilon x. (ArrayRecords.length x) = 4 /\ x!1 = 2 /\ x!2 = {flag = true; first_val = 3; sec_val = 69} then epsilon x. (ArrayRecords.length x) = 4 else if x!012 = epsilon x. (ArrayRecords.length x) = 4 /\ x!1 = 2 /\ x!2 = {flag = true; first_val = 42; sec_val = 69} then epsilon x. (ArrayRecords.length x) = 4 else if x!012 = epsilon x. (ArrayRecords.length x) = 4 /\ x!1 = 2 /\ x!2 = {flag = true; first_val = 23; sec_val = 69} then epsilon x. (ArrayRecords.length x) = 4 else if x!012 = epsilon x. (ArrayRecords.length x) = 4 /\ x!1 = 2 /\ x!2 = {flag = false; first_val = 23; sec_val = 69} then epsilon x. (ArrayRecords.length x) = 4 else epsilon x. (ArrayRecords.length x) = 4 Line 33: a : array_of_records = epsilon x. (ArrayRecords.length x) = 4 a : array_of_records = epsilon x. (ArrayRecords.length x) = 4 a : array_of_records = epsilon x. (ArrayRecords.length x) = 4 a : array_of_records = epsilon x. (ArrayRecords.length x) = 4 Line 35: a : array_of_records = epsilon x. (ArrayRecords.length x) = 4 Line 45: a : array_of_records = epsilon x. (ArrayRecords.length x) = 4 i : int = 2 Line 47: a : array_of_records = epsilon x. (ArrayRecords.length x) = 4 i : int = 2 Line 49: a : array_of_records = epsilon x. (ArrayRecords.length x) = 4 result of call at line 49, characters 13-81 : basic_record = {flag = true; first_val = 3; sec_val = 69} result of call at line 49, characters 21-30 : bool = true result of call at line 49, characters 21-25 : basic_record = {flag = true; first_val = 3; sec_val = 5} result of call at line 49, characters 45-61 : int = 3 result of call at line 49, characters 45-49 : basic_record = {flag = true; first_val = 3; sec_val = 5} Line 50: a : array_of_records = epsilon x. (ArrayRecords.length x) = 4 result of call at line 50, characters 13-82 : basic_record = {flag = true; first_val = 42; sec_val = 69} result of call at line 50, characters 21-30 : bool = true result of call at line 50, characters 21-25 : basic_record = {flag = true; first_val = 3; sec_val = 69} result of call at line 50, characters 64-81 : int = 69 result of call at line 50, characters 64-68 : basic_record = {flag = true; first_val = 3; sec_val = 69} Line 51: a : array_of_records = epsilon x. (ArrayRecords.length x) = 4 result of call at line 51, characters 13-82 : basic_record = {flag = true; first_val = 23; sec_val = 69} result of call at line 51, characters 21-30 : bool = true result of call at line 51, characters 21-25 : basic_record = {flag = true; first_val = 42; sec_val = 69} result of call at line 51, characters 64-81 : int = 69 result of call at line 51, characters 64-68 : basic_record = {flag = true; first_val = 42; sec_val = 69} Line 52: a : array_of_records = epsilon x. (ArrayRecords.length x) = 4 result of call at line 52, characters 13-92 : basic_record = {flag = false; first_val = 23; sec_val = 69} result of call at line 52, characters 41-57 : int = 23 result of call at line 52, characters 41-45 : basic_record = {flag = true; first_val = 23; sec_val = 69} result of call at line 52, characters 74-91 : int = 69 result of call at line 52, characters 74-78 : basic_record = {flag = true; first_val = 23; sec_val = 69} why3-1.6.0/bench/check-ce/oracles/array_records_mono_Z3,4.8.10_WP.oracle000066400000000000000000001331731440160026300253520ustar00rootroot00000000000000File bench/check-ce/array_records_mono.mlw: Goal array_of_records'vc. Prover result is: Valid. Categorizations of models: - Selected model 0: INCOMPLETE - Concrete RAC: INCOMPLETE (terminated because Precondition of `var_overwrite` cannot be evaluated) - Abstract RAC: INCOMPLETE (terminated because Precondition of `var_overwrite` cannot be evaluated) - Checked model 1: INCOMPLETE - Concrete RAC: INCOMPLETE (terminated because Precondition of `var_overwrite` cannot be evaluated) - Abstract RAC: INCOMPLETE (terminated because Precondition of `var_overwrite` cannot be evaluated) File "bench/check-ce/array_records_mono.mlw", line 49, characters 45-49: Sub-goal Index in array bounds of goal var_overwrite'vc. Prover result is: Unknown or time/memory/step limit. The following counterexample model could not be verified (both RAC terminated because Precondition of `var_overwrite` cannot be evaluated): File array_records_mono.mlw: Line 20: length : array_of_records -> int = [|_ => 0|] Line 23: mixfix [] : array_of_records -> int -> basic_record = fun x!0 x!1 -> {flag = true; first_val = 3; sec_val = 5} Line 26: a : array_of_records = epsilon x. (ArrayRecords.length x) = 0 i : int = -1 Line 29: mixfix [<-] : array_of_records -> int -> basic_record -> array_of_records = fun x!0 x!1 x!2 -> epsilon x. (ArrayRecords.length x) = 0 Line 45: a : array_of_records = epsilon x. (ArrayRecords.length x) = 0 i : int = -1 Line 49: a : array_of_records = epsilon x. (ArrayRecords.length x) = 0 i : int = -1 Categorizations of models: - Selected model 0: INCOMPLETE - Concrete RAC: INCOMPLETE (terminated because Precondition of `var_overwrite` cannot be evaluated) - Abstract RAC: INCOMPLETE (terminated because Precondition of `var_overwrite` cannot be evaluated) - Checked model 1: INCOMPLETE - Concrete RAC: INCOMPLETE (terminated because Precondition of `var_overwrite` cannot be evaluated) - Abstract RAC: INCOMPLETE (terminated because Precondition of `var_overwrite` cannot be evaluated) File "bench/check-ce/array_records_mono.mlw", line 49, characters 21-25: Sub-goal Index in array bounds of goal var_overwrite'vc. Prover result is: Unknown or time/memory/step limit. The following counterexample model could not be verified (both RAC terminated because Precondition of `var_overwrite` cannot be evaluated): File array_records_mono.mlw: Line 20: length : array_of_records -> int = [|_ => 0|] Line 23: mixfix [] : array_of_records -> int -> basic_record = fun x!01 x!1 -> {flag = true; first_val = 3; sec_val = 5} Line 26: a : array_of_records = epsilon x. (ArrayRecords.length x) = 0 i : int = -1 Line 29: mixfix [<-] : array_of_records -> int -> basic_record -> array_of_records = fun x!01 x!1 x!2 -> epsilon x. (ArrayRecords.length x) = 0 Line 45: a : array_of_records = epsilon x. (ArrayRecords.length x) = 0 i : int = -1 Line 49: a : array_of_records = epsilon x. (ArrayRecords.length x) = 0 i : int = -1 result of call at line 49, characters 45-61 : int = 3 result of call at line 49, characters 45-49 : basic_record = {flag = true; first_val = 3; sec_val = 5} Categorizations of models: - Selected model 0: INCOMPLETE - Concrete RAC: INCOMPLETE (terminated because Precondition of `var_overwrite` cannot be evaluated) - Abstract RAC: INCOMPLETE (terminated because Precondition of `var_overwrite` cannot be evaluated) - Checked model 1: INCOMPLETE - Concrete RAC: INCOMPLETE (terminated because Precondition of `var_overwrite` cannot be evaluated) - Abstract RAC: INCOMPLETE (terminated because Precondition of `var_overwrite` cannot be evaluated) File "bench/check-ce/array_records_mono.mlw", line 49, characters 5-81: Sub-goal Index in array bounds of goal var_overwrite'vc. Prover result is: Unknown or time/memory/step limit. The following counterexample model could not be verified (both RAC terminated because Precondition of `var_overwrite` cannot be evaluated): File array_records_mono.mlw: Line 20: length : array_of_records -> int = [|_ => 0|] Line 23: mixfix [] : array_of_records -> int -> basic_record = fun x!02 x!1 -> {flag = true; first_val = 3; sec_val = 5} Line 27: a : array_of_records = epsilon x. (ArrayRecords.length x) = 0 i : int = -1 Line 29: mixfix [<-] : array_of_records -> int -> basic_record -> array_of_records = fun x!02 x!1 x!2 -> epsilon x. (ArrayRecords.length x) = 0 Line 45: a : array_of_records = epsilon x. (ArrayRecords.length x) = 0 i : int = -1 Line 49: a : array_of_records = epsilon x. (ArrayRecords.length x) = 0 i : int = -1 result of call at line 49, characters 13-81 : basic_record = {flag = true; first_val = 3; sec_val = 69} result of call at line 49, characters 21-30 : bool = true result of call at line 49, characters 21-25 : basic_record = {flag = true; first_val = 3; sec_val = 5} result of call at line 49, characters 45-61 : int = 3 result of call at line 49, characters 45-49 : basic_record = {flag = true; first_val = 3; sec_val = 5} Categorizations of models: - Selected model 0: INCOMPLETE - Concrete RAC: INCOMPLETE (terminated because Precondition of `var_overwrite` cannot be evaluated) - Abstract RAC: INCOMPLETE (terminated because Precondition of `var_overwrite` cannot be evaluated) - Checked model 1: INCOMPLETE - Concrete RAC: INCOMPLETE (terminated because Precondition of `var_overwrite` cannot be evaluated) - Abstract RAC: INCOMPLETE (terminated because Precondition of `var_overwrite` cannot be evaluated) File "bench/check-ce/array_records_mono.mlw", line 50, characters 64-68: Sub-goal Index in array bounds of goal var_overwrite'vc. Prover result is: Unknown or time/memory/step limit. The following counterexample model could not be verified (both RAC terminated because Precondition of `var_overwrite` cannot be evaluated): File array_records_mono.mlw: Line 20: length : array_of_records -> int = [|epsilon x. (ArrayRecords.length x) = 0 => 0; epsilon x. (ArrayRecords.length x) = 0 => 0; _ => 0|] Line 26: a : array_of_records = epsilon x. (ArrayRecords.length x) = 0 i : int = -1 Line 27: a : array_of_records = epsilon x. (ArrayRecords.length x) = 0 Line 29: mixfix [<-] : array_of_records -> int -> basic_record -> array_of_records = fun x!03 x!1 x!2 -> if x!03 = epsilon x. (ArrayRecords.length x) = 0 /\ x!1 = -1 /\ x!2 = {flag = true; first_val = 3; sec_val = 69} then epsilon x. (ArrayRecords.length x) = 0 else epsilon x. (ArrayRecords.length x) = 0 Line 33: a : array_of_records = epsilon x. (ArrayRecords.length x) = 0 Line 45: a : array_of_records = epsilon x. (ArrayRecords.length x) = 0 i : int = -1 Line 49: a : array_of_records = epsilon x. (ArrayRecords.length x) = 0 result of call at line 49, characters 13-81 : basic_record = {flag = true; first_val = 3; sec_val = 69} result of call at line 49, characters 21-30 : bool = true result of call at line 49, characters 21-25 : basic_record = {flag = true; first_val = 3; sec_val = 5} result of call at line 49, characters 45-61 : int = 3 result of call at line 49, characters 45-49 : basic_record = {flag = true; first_val = 3; sec_val = 5} Line 50: a : array_of_records = epsilon x. (ArrayRecords.length x) = 0 i : int = -1 Categorizations of models: - Selected model 0: INCOMPLETE - Concrete RAC: INCOMPLETE (terminated because Precondition of `var_overwrite` cannot be evaluated) - Abstract RAC: INCOMPLETE (terminated because Precondition of `var_overwrite` cannot be evaluated) - Checked model 1: INCOMPLETE - Concrete RAC: INCOMPLETE (terminated because Precondition of `var_overwrite` cannot be evaluated) - Abstract RAC: INCOMPLETE (terminated because Precondition of `var_overwrite` cannot be evaluated) File "bench/check-ce/array_records_mono.mlw", line 50, characters 21-25: Sub-goal Index in array bounds of goal var_overwrite'vc. Prover result is: Unknown or time/memory/step limit. The following counterexample model could not be verified (both RAC terminated because Precondition of `var_overwrite` cannot be evaluated): File array_records_mono.mlw: Line 20: length : array_of_records -> int = [|epsilon x. (ArrayRecords.length x) = 0 => 0; epsilon x. (ArrayRecords.length x) = 0 => 0; _ => 0|] Line 26: a : array_of_records = epsilon x. (ArrayRecords.length x) = 0 i : int = -1 Line 27: a : array_of_records = epsilon x. (ArrayRecords.length x) = 0 Line 29: mixfix [<-] : array_of_records -> int -> basic_record -> array_of_records = fun x!04 x!1 x!2 -> if x!04 = epsilon x. (ArrayRecords.length x) = 0 /\ x!1 = -1 /\ x!2 = {flag = true; first_val = 3; sec_val = 69} then epsilon x. (ArrayRecords.length x) = 0 else epsilon x. (ArrayRecords.length x) = 0 Line 33: a : array_of_records = epsilon x. (ArrayRecords.length x) = 0 Line 45: a : array_of_records = epsilon x. (ArrayRecords.length x) = 0 i : int = -1 Line 49: a : array_of_records = epsilon x. (ArrayRecords.length x) = 0 result of call at line 49, characters 13-81 : basic_record = {flag = true; first_val = 3; sec_val = 69} result of call at line 49, characters 21-30 : bool = true result of call at line 49, characters 21-25 : basic_record = {flag = true; first_val = 3; sec_val = 5} result of call at line 49, characters 45-61 : int = 3 result of call at line 49, characters 45-49 : basic_record = {flag = true; first_val = 3; sec_val = 5} Line 50: a : array_of_records = epsilon x. (ArrayRecords.length x) = 0 i : int = -1 result of call at line 50, characters 64-81 : int = 69 result of call at line 50, characters 64-68 : basic_record = {flag = true; first_val = 3; sec_val = 69} Categorizations of models: - Selected model 0: INCOMPLETE - Concrete RAC: INCOMPLETE (terminated because Precondition of `var_overwrite` cannot be evaluated) - Abstract RAC: INCOMPLETE (terminated because Precondition of `var_overwrite` cannot be evaluated) - Checked model 1: INCOMPLETE - Concrete RAC: INCOMPLETE (terminated because Precondition of `var_overwrite` cannot be evaluated) - Abstract RAC: INCOMPLETE (terminated because Precondition of `var_overwrite` cannot be evaluated) File "bench/check-ce/array_records_mono.mlw", line 50, characters 5-82: Sub-goal Index in array bounds of goal var_overwrite'vc. Prover result is: Unknown or time/memory/step limit. The following counterexample model could not be verified (both RAC terminated because Precondition of `var_overwrite` cannot be evaluated): File array_records_mono.mlw: Line 20: length : array_of_records -> int = [|epsilon x. (ArrayRecords.length x) = 0 => 0; epsilon x. (ArrayRecords.length x) = 0 => 0; _ => 0|] Line 27: a : array_of_records = epsilon x. (ArrayRecords.length x) = 0 a : array_of_records = epsilon x. (ArrayRecords.length x) = 0 i : int = -1 Line 29: mixfix [<-] : array_of_records -> int -> basic_record -> array_of_records = fun x!05 x!1 x!2 -> if x!05 = epsilon x. (ArrayRecords.length x) = 0 /\ x!1 = -1 /\ x!2 = {flag = true; first_val = 3; sec_val = 69} then epsilon x. (ArrayRecords.length x) = 0 else epsilon x. (ArrayRecords.length x) = 0 Line 33: a : array_of_records = epsilon x. (ArrayRecords.length x) = 0 Line 45: a : array_of_records = epsilon x. (ArrayRecords.length x) = 0 i : int = -1 Line 49: a : array_of_records = epsilon x. (ArrayRecords.length x) = 0 result of call at line 49, characters 13-81 : basic_record = {flag = true; first_val = 3; sec_val = 69} result of call at line 49, characters 21-30 : bool = true result of call at line 49, characters 21-25 : basic_record = {flag = true; first_val = 3; sec_val = 5} result of call at line 49, characters 45-61 : int = 3 result of call at line 49, characters 45-49 : basic_record = {flag = true; first_val = 3; sec_val = 5} Line 50: a : array_of_records = epsilon x. (ArrayRecords.length x) = 0 i : int = -1 result of call at line 50, characters 13-82 : basic_record = {flag = true; first_val = 42; sec_val = 69} result of call at line 50, characters 21-30 : bool = true result of call at line 50, characters 21-25 : basic_record = {flag = true; first_val = 3; sec_val = 69} result of call at line 50, characters 64-81 : int = 69 result of call at line 50, characters 64-68 : basic_record = {flag = true; first_val = 3; sec_val = 69} Categorizations of models: - Selected model 0: INCOMPLETE - Concrete RAC: INCOMPLETE (terminated because Precondition of `var_overwrite` cannot be evaluated) - Abstract RAC: INCOMPLETE (terminated because Precondition of `var_overwrite` cannot be evaluated) - Checked model 1: INCOMPLETE - Concrete RAC: INCOMPLETE (terminated because Precondition of `var_overwrite` cannot be evaluated) - Abstract RAC: INCOMPLETE (terminated because Precondition of `var_overwrite` cannot be evaluated) File "bench/check-ce/array_records_mono.mlw", line 51, characters 64-68: Sub-goal Index in array bounds of goal var_overwrite'vc. Prover result is: Unknown or time/memory/step limit. The following counterexample model could not be verified (both RAC terminated because Precondition of `var_overwrite` cannot be evaluated): File array_records_mono.mlw: Line 20: length : array_of_records -> int = [|epsilon x. (ArrayRecords.length x) = 0 => 0; epsilon x. (ArrayRecords.length x) = 0 => 0; epsilon x. (ArrayRecords.length x) = 0 => 0; _ => 0|] Line 26: a : array_of_records = epsilon x. (ArrayRecords.length x) = 0 i : int = -1 Line 27: a : array_of_records = epsilon x. (ArrayRecords.length x) = 0 a : array_of_records = epsilon x. (ArrayRecords.length x) = 0 Line 29: mixfix [<-] : array_of_records -> int -> basic_record -> array_of_records = fun x!06 x!1 x!2 -> if x!06 = epsilon x. (ArrayRecords.length x) = 0 /\ x!1 = -1 /\ x!2 = {flag = true; first_val = 3; sec_val = 69} then epsilon x. (ArrayRecords.length x) = 0 else if x!06 = epsilon x. (ArrayRecords.length x) = 0 /\ x!1 = -1 /\ x!2 = {flag = true; first_val = 42; sec_val = 69} then epsilon x. (ArrayRecords.length x) = 0 else epsilon x. (ArrayRecords.length x) = 0 Line 33: a : array_of_records = epsilon x. (ArrayRecords.length x) = 0 a : array_of_records = epsilon x. (ArrayRecords.length x) = 0 Line 45: a : array_of_records = epsilon x. (ArrayRecords.length x) = 0 i : int = -1 Line 49: a : array_of_records = epsilon x. (ArrayRecords.length x) = 0 result of call at line 49, characters 13-81 : basic_record = {flag = true; first_val = 3; sec_val = 69} result of call at line 49, characters 21-30 : bool = true result of call at line 49, characters 21-25 : basic_record = {flag = true; first_val = 3; sec_val = 5} result of call at line 49, characters 45-61 : int = 3 result of call at line 49, characters 45-49 : basic_record = {flag = true; first_val = 3; sec_val = 5} Line 50: a : array_of_records = epsilon x. (ArrayRecords.length x) = 0 result of call at line 50, characters 13-82 : basic_record = {flag = true; first_val = 42; sec_val = 69} result of call at line 50, characters 21-30 : bool = true result of call at line 50, characters 21-25 : basic_record = {flag = true; first_val = 3; sec_val = 69} result of call at line 50, characters 64-81 : int = 69 result of call at line 50, characters 64-68 : basic_record = {flag = true; first_val = 3; sec_val = 69} Line 51: a : array_of_records = epsilon x. (ArrayRecords.length x) = 0 i : int = -1 Categorizations of models: - Selected model 0: INCOMPLETE - Concrete RAC: INCOMPLETE (terminated because Precondition of `var_overwrite` cannot be evaluated) - Abstract RAC: INCOMPLETE (terminated because Precondition of `var_overwrite` cannot be evaluated) - Checked model 1: INCOMPLETE - Concrete RAC: INCOMPLETE (terminated because Precondition of `var_overwrite` cannot be evaluated) - Abstract RAC: INCOMPLETE (terminated because Precondition of `var_overwrite` cannot be evaluated) File "bench/check-ce/array_records_mono.mlw", line 51, characters 21-25: Sub-goal Index in array bounds of goal var_overwrite'vc. Prover result is: Unknown or time/memory/step limit. The following counterexample model could not be verified (both RAC terminated because Precondition of `var_overwrite` cannot be evaluated): File array_records_mono.mlw: Line 20: length : array_of_records -> int = [|epsilon x. (ArrayRecords.length x) = 0 => 0; epsilon x. (ArrayRecords.length x) = 0 => 0; epsilon x. (ArrayRecords.length x) = 0 => 0; _ => 0|] Line 26: a : array_of_records = epsilon x. (ArrayRecords.length x) = 0 i : int = -1 Line 27: a : array_of_records = epsilon x. (ArrayRecords.length x) = 0 a : array_of_records = epsilon x. (ArrayRecords.length x) = 0 Line 29: mixfix [<-] : array_of_records -> int -> basic_record -> array_of_records = fun x!07 x!1 x!2 -> if x!07 = epsilon x. (ArrayRecords.length x) = 0 /\ x!1 = -1 /\ x!2 = {flag = true; first_val = 3; sec_val = 69} then epsilon x. (ArrayRecords.length x) = 0 else if x!07 = epsilon x. (ArrayRecords.length x) = 0 /\ x!1 = -1 /\ x!2 = {flag = true; first_val = 42; sec_val = 69} then epsilon x. (ArrayRecords.length x) = 0 else epsilon x. (ArrayRecords.length x) = 0 Line 33: a : array_of_records = epsilon x. (ArrayRecords.length x) = 0 a : array_of_records = epsilon x. (ArrayRecords.length x) = 0 Line 45: a : array_of_records = epsilon x. (ArrayRecords.length x) = 0 i : int = -1 Line 49: a : array_of_records = epsilon x. (ArrayRecords.length x) = 0 result of call at line 49, characters 13-81 : basic_record = {flag = true; first_val = 3; sec_val = 69} result of call at line 49, characters 21-30 : bool = true result of call at line 49, characters 21-25 : basic_record = {flag = true; first_val = 3; sec_val = 5} result of call at line 49, characters 45-61 : int = 3 result of call at line 49, characters 45-49 : basic_record = {flag = true; first_val = 3; sec_val = 5} Line 50: a : array_of_records = epsilon x. (ArrayRecords.length x) = 0 result of call at line 50, characters 13-82 : basic_record = {flag = true; first_val = 42; sec_val = 69} result of call at line 50, characters 21-30 : bool = true result of call at line 50, characters 21-25 : basic_record = {flag = true; first_val = 3; sec_val = 69} result of call at line 50, characters 64-81 : int = 69 result of call at line 50, characters 64-68 : basic_record = {flag = true; first_val = 3; sec_val = 69} Line 51: a : array_of_records = epsilon x. (ArrayRecords.length x) = 0 i : int = -1 result of call at line 51, characters 64-81 : int = 69 result of call at line 51, characters 64-68 : basic_record = {flag = true; first_val = 42; sec_val = 69} Categorizations of models: - Selected model 0: INCOMPLETE - Concrete RAC: INCOMPLETE (terminated because Precondition of `var_overwrite` cannot be evaluated) - Abstract RAC: INCOMPLETE (terminated because Precondition of `var_overwrite` cannot be evaluated) - Checked model 1: INCOMPLETE - Concrete RAC: INCOMPLETE (terminated because Precondition of `var_overwrite` cannot be evaluated) - Abstract RAC: INCOMPLETE (terminated because Precondition of `var_overwrite` cannot be evaluated) File "bench/check-ce/array_records_mono.mlw", line 51, characters 5-82: Sub-goal Index in array bounds of goal var_overwrite'vc. Prover result is: Unknown or time/memory/step limit. The following counterexample model could not be verified (both RAC terminated because Precondition of `var_overwrite` cannot be evaluated): File array_records_mono.mlw: Line 20: length : array_of_records -> int = [|epsilon x. (ArrayRecords.length x) = 0 => 0; epsilon x. (ArrayRecords.length x) = 0 => 0; epsilon x. (ArrayRecords.length x) = 0 => 0; _ => 0|] Line 27: a : array_of_records = epsilon x. (ArrayRecords.length x) = 0 a : array_of_records = epsilon x. (ArrayRecords.length x) = 0 a : array_of_records = epsilon x. (ArrayRecords.length x) = 0 i : int = -1 Line 29: mixfix [<-] : array_of_records -> int -> basic_record -> array_of_records = fun x!08 x!1 x!2 -> if x!08 = epsilon x. (ArrayRecords.length x) = 0 /\ x!1 = -1 /\ x!2 = {flag = true; first_val = 3; sec_val = 69} then epsilon x. (ArrayRecords.length x) = 0 else if x!08 = epsilon x. (ArrayRecords.length x) = 0 /\ x!1 = -1 /\ x!2 = {flag = true; first_val = 42; sec_val = 69} then epsilon x. (ArrayRecords.length x) = 0 else epsilon x. (ArrayRecords.length x) = 0 Line 33: a : array_of_records = epsilon x. (ArrayRecords.length x) = 0 a : array_of_records = epsilon x. (ArrayRecords.length x) = 0 Line 45: a : array_of_records = epsilon x. (ArrayRecords.length x) = 0 i : int = -1 Line 49: a : array_of_records = epsilon x. (ArrayRecords.length x) = 0 result of call at line 49, characters 13-81 : basic_record = {flag = true; first_val = 3; sec_val = 69} result of call at line 49, characters 21-30 : bool = true result of call at line 49, characters 21-25 : basic_record = {flag = true; first_val = 3; sec_val = 5} result of call at line 49, characters 45-61 : int = 3 result of call at line 49, characters 45-49 : basic_record = {flag = true; first_val = 3; sec_val = 5} Line 50: a : array_of_records = epsilon x. (ArrayRecords.length x) = 0 result of call at line 50, characters 13-82 : basic_record = {flag = true; first_val = 42; sec_val = 69} result of call at line 50, characters 21-30 : bool = true result of call at line 50, characters 21-25 : basic_record = {flag = true; first_val = 3; sec_val = 69} result of call at line 50, characters 64-81 : int = 69 result of call at line 50, characters 64-68 : basic_record = {flag = true; first_val = 3; sec_val = 69} Line 51: a : array_of_records = epsilon x. (ArrayRecords.length x) = 0 i : int = -1 result of call at line 51, characters 13-82 : basic_record = {flag = true; first_val = 23; sec_val = 69} result of call at line 51, characters 21-30 : bool = true result of call at line 51, characters 21-25 : basic_record = {flag = true; first_val = 42; sec_val = 69} result of call at line 51, characters 64-81 : int = 69 result of call at line 51, characters 64-68 : basic_record = {flag = true; first_val = 42; sec_val = 69} Categorizations of models: - Selected model 0: INCOMPLETE - Concrete RAC: INCOMPLETE (terminated because Precondition of `var_overwrite` cannot be evaluated) - Abstract RAC: INCOMPLETE (terminated because Precondition of `var_overwrite` cannot be evaluated) - Checked model 1: INCOMPLETE - Concrete RAC: INCOMPLETE (terminated because Precondition of `var_overwrite` cannot be evaluated) - Abstract RAC: INCOMPLETE (terminated because Precondition of `var_overwrite` cannot be evaluated) File "bench/check-ce/array_records_mono.mlw", line 52, characters 74-78: Sub-goal Index in array bounds of goal var_overwrite'vc. Prover result is: Unknown or time/memory/step limit. The following counterexample model could not be verified (both RAC terminated because Precondition of `var_overwrite` cannot be evaluated): File array_records_mono.mlw: Line 20: length : array_of_records -> int = [|epsilon x. (ArrayRecords.length x) = 0 => 0; epsilon x. (ArrayRecords.length x) = 0 => 0; epsilon x. (ArrayRecords.length x) = 0 => 0; epsilon x. (ArrayRecords.length x) = 0 => 0; _ => 0|] Line 26: a : array_of_records = epsilon x. (ArrayRecords.length x) = 0 i : int = -1 Line 27: a : array_of_records = epsilon x. (ArrayRecords.length x) = 0 a : array_of_records = epsilon x. (ArrayRecords.length x) = 0 a : array_of_records = epsilon x. (ArrayRecords.length x) = 0 Line 29: mixfix [<-] : array_of_records -> int -> basic_record -> array_of_records = fun x!09 x!1 x!2 -> if x!09 = epsilon x. (ArrayRecords.length x) = 0 /\ x!1 = -1 /\ x!2 = {flag = true; first_val = 3; sec_val = 69} then epsilon x. (ArrayRecords.length x) = 0 else if x!09 = epsilon x. (ArrayRecords.length x) = 0 /\ x!1 = -1 /\ x!2 = {flag = true; first_val = 42; sec_val = 69} then epsilon x. (ArrayRecords.length x) = 0 else if x!09 = epsilon x. (ArrayRecords.length x) = 0 /\ x!1 = -1 /\ x!2 = {flag = true; first_val = 23; sec_val = 69} then epsilon x. (ArrayRecords.length x) = 0 else epsilon x. (ArrayRecords.length x) = 0 Line 33: a : array_of_records = epsilon x. (ArrayRecords.length x) = 0 a : array_of_records = epsilon x. (ArrayRecords.length x) = 0 a : array_of_records = epsilon x. (ArrayRecords.length x) = 0 Line 45: a : array_of_records = epsilon x. (ArrayRecords.length x) = 0 i : int = -1 Line 49: a : array_of_records = epsilon x. (ArrayRecords.length x) = 0 result of call at line 49, characters 13-81 : basic_record = {flag = true; first_val = 3; sec_val = 69} result of call at line 49, characters 21-30 : bool = true result of call at line 49, characters 21-25 : basic_record = {flag = true; first_val = 3; sec_val = 5} result of call at line 49, characters 45-61 : int = 3 result of call at line 49, characters 45-49 : basic_record = {flag = true; first_val = 3; sec_val = 5} Line 50: a : array_of_records = epsilon x. (ArrayRecords.length x) = 0 result of call at line 50, characters 13-82 : basic_record = {flag = true; first_val = 42; sec_val = 69} result of call at line 50, characters 21-30 : bool = true result of call at line 50, characters 21-25 : basic_record = {flag = true; first_val = 3; sec_val = 69} result of call at line 50, characters 64-81 : int = 69 result of call at line 50, characters 64-68 : basic_record = {flag = true; first_val = 3; sec_val = 69} Line 51: a : array_of_records = epsilon x. (ArrayRecords.length x) = 0 result of call at line 51, characters 13-82 : basic_record = {flag = true; first_val = 23; sec_val = 69} result of call at line 51, characters 21-30 : bool = true result of call at line 51, characters 21-25 : basic_record = {flag = true; first_val = 42; sec_val = 69} result of call at line 51, characters 64-81 : int = 69 result of call at line 51, characters 64-68 : basic_record = {flag = true; first_val = 42; sec_val = 69} Line 52: a : array_of_records = epsilon x. (ArrayRecords.length x) = 0 i : int = -1 Categorizations of models: - Selected model 0: INCOMPLETE - Concrete RAC: INCOMPLETE (terminated because Precondition of `var_overwrite` cannot be evaluated) - Abstract RAC: INCOMPLETE (terminated because Precondition of `var_overwrite` cannot be evaluated) - Checked model 1: INCOMPLETE - Concrete RAC: INCOMPLETE (terminated because Precondition of `var_overwrite` cannot be evaluated) - Abstract RAC: INCOMPLETE (terminated because Precondition of `var_overwrite` cannot be evaluated) File "bench/check-ce/array_records_mono.mlw", line 52, characters 41-45: Sub-goal Index in array bounds of goal var_overwrite'vc. Prover result is: Unknown or time/memory/step limit. The following counterexample model could not be verified (both RAC terminated because Precondition of `var_overwrite` cannot be evaluated): File array_records_mono.mlw: Line 20: length : array_of_records -> int = [|epsilon x. (ArrayRecords.length x) = 0 => 0; epsilon x. (ArrayRecords.length x) = 0 => 0; epsilon x. (ArrayRecords.length x) = 0 => 0; epsilon x. (ArrayRecords.length x) = 0 => 0; _ => 0|] Line 26: a : array_of_records = epsilon x. (ArrayRecords.length x) = 0 i : int = -1 Line 27: a : array_of_records = epsilon x. (ArrayRecords.length x) = 0 a : array_of_records = epsilon x. (ArrayRecords.length x) = 0 a : array_of_records = epsilon x. (ArrayRecords.length x) = 0 Line 29: mixfix [<-] : array_of_records -> int -> basic_record -> array_of_records = fun x!010 x!1 x!2 -> if x!010 = epsilon x. (ArrayRecords.length x) = 0 /\ x!1 = -1 /\ x!2 = {flag = true; first_val = 3; sec_val = 69} then epsilon x. (ArrayRecords.length x) = 0 else if x!010 = epsilon x. (ArrayRecords.length x) = 0 /\ x!1 = -1 /\ x!2 = {flag = true; first_val = 42; sec_val = 69} then epsilon x. (ArrayRecords.length x) = 0 else if x!010 = epsilon x. (ArrayRecords.length x) = 0 /\ x!1 = -1 /\ x!2 = {flag = true; first_val = 23; sec_val = 69} then epsilon x. (ArrayRecords.length x) = 0 else epsilon x. (ArrayRecords.length x) = 0 Line 33: a : array_of_records = epsilon x. (ArrayRecords.length x) = 0 a : array_of_records = epsilon x. (ArrayRecords.length x) = 0 a : array_of_records = epsilon x. (ArrayRecords.length x) = 0 Line 45: a : array_of_records = epsilon x. (ArrayRecords.length x) = 0 i : int = -1 Line 49: a : array_of_records = epsilon x. (ArrayRecords.length x) = 0 result of call at line 49, characters 13-81 : basic_record = {flag = true; first_val = 3; sec_val = 69} result of call at line 49, characters 21-30 : bool = true result of call at line 49, characters 21-25 : basic_record = {flag = true; first_val = 3; sec_val = 5} result of call at line 49, characters 45-61 : int = 3 result of call at line 49, characters 45-49 : basic_record = {flag = true; first_val = 3; sec_val = 5} Line 50: a : array_of_records = epsilon x. (ArrayRecords.length x) = 0 result of call at line 50, characters 13-82 : basic_record = {flag = true; first_val = 42; sec_val = 69} result of call at line 50, characters 21-30 : bool = true result of call at line 50, characters 21-25 : basic_record = {flag = true; first_val = 3; sec_val = 69} result of call at line 50, characters 64-81 : int = 69 result of call at line 50, characters 64-68 : basic_record = {flag = true; first_val = 3; sec_val = 69} Line 51: a : array_of_records = epsilon x. (ArrayRecords.length x) = 0 result of call at line 51, characters 13-82 : basic_record = {flag = true; first_val = 23; sec_val = 69} result of call at line 51, characters 21-30 : bool = true result of call at line 51, characters 21-25 : basic_record = {flag = true; first_val = 42; sec_val = 69} result of call at line 51, characters 64-81 : int = 69 result of call at line 51, characters 64-68 : basic_record = {flag = true; first_val = 42; sec_val = 69} Line 52: a : array_of_records = epsilon x. (ArrayRecords.length x) = 0 i : int = -1 result of call at line 52, characters 74-91 : int = 69 result of call at line 52, characters 74-78 : basic_record = {flag = true; first_val = 23; sec_val = 69} Categorizations of models: - Selected model 0: INCOMPLETE - Concrete RAC: INCOMPLETE (terminated because Precondition of `var_overwrite` cannot be evaluated) - Abstract RAC: INCOMPLETE (terminated because Precondition of `var_overwrite` cannot be evaluated) - Checked model 1: INCOMPLETE - Concrete RAC: INCOMPLETE (terminated because Precondition of `var_overwrite` cannot be evaluated) - Abstract RAC: INCOMPLETE (terminated because Precondition of `var_overwrite` cannot be evaluated) File "bench/check-ce/array_records_mono.mlw", line 52, characters 5-92: Sub-goal Index in array bounds of goal var_overwrite'vc. Prover result is: Unknown or time/memory/step limit. The following counterexample model could not be verified (both RAC terminated because Precondition of `var_overwrite` cannot be evaluated): File array_records_mono.mlw: Line 20: length : array_of_records -> int = [|epsilon x. (ArrayRecords.length x) = 0 => 0; epsilon x. (ArrayRecords.length x) = 0 => 0; epsilon x. (ArrayRecords.length x) = 0 => 0; epsilon x. (ArrayRecords.length x) = 0 => 0; _ => 0|] Line 27: a : array_of_records = epsilon x. (ArrayRecords.length x) = 0 a : array_of_records = epsilon x. (ArrayRecords.length x) = 0 a : array_of_records = epsilon x. (ArrayRecords.length x) = 0 a : array_of_records = epsilon x. (ArrayRecords.length x) = 0 i : int = -1 Line 29: mixfix [<-] : array_of_records -> int -> basic_record -> array_of_records = fun x!011 x!1 x!2 -> if x!011 = epsilon x. (ArrayRecords.length x) = 0 /\ x!1 = -1 /\ x!2 = {flag = true; first_val = 3; sec_val = 69} then epsilon x. (ArrayRecords.length x) = 0 else if x!011 = epsilon x. (ArrayRecords.length x) = 0 /\ x!1 = -1 /\ x!2 = {flag = true; first_val = 42; sec_val = 69} then epsilon x. (ArrayRecords.length x) = 0 else if x!011 = epsilon x. (ArrayRecords.length x) = 0 /\ x!1 = -1 /\ x!2 = {flag = true; first_val = 23; sec_val = 69} then epsilon x. (ArrayRecords.length x) = 0 else epsilon x. (ArrayRecords.length x) = 0 Line 33: a : array_of_records = epsilon x. (ArrayRecords.length x) = 0 a : array_of_records = epsilon x. (ArrayRecords.length x) = 0 a : array_of_records = epsilon x. (ArrayRecords.length x) = 0 Line 45: a : array_of_records = epsilon x. (ArrayRecords.length x) = 0 i : int = -1 Line 49: a : array_of_records = epsilon x. (ArrayRecords.length x) = 0 result of call at line 49, characters 13-81 : basic_record = {flag = true; first_val = 3; sec_val = 69} result of call at line 49, characters 21-30 : bool = true result of call at line 49, characters 21-25 : basic_record = {flag = true; first_val = 3; sec_val = 5} result of call at line 49, characters 45-61 : int = 3 result of call at line 49, characters 45-49 : basic_record = {flag = true; first_val = 3; sec_val = 5} Line 50: a : array_of_records = epsilon x. (ArrayRecords.length x) = 0 result of call at line 50, characters 13-82 : basic_record = {flag = true; first_val = 42; sec_val = 69} result of call at line 50, characters 21-30 : bool = true result of call at line 50, characters 21-25 : basic_record = {flag = true; first_val = 3; sec_val = 69} result of call at line 50, characters 64-81 : int = 69 result of call at line 50, characters 64-68 : basic_record = {flag = true; first_val = 3; sec_val = 69} Line 51: a : array_of_records = epsilon x. (ArrayRecords.length x) = 0 result of call at line 51, characters 13-82 : basic_record = {flag = true; first_val = 23; sec_val = 69} result of call at line 51, characters 21-30 : bool = true result of call at line 51, characters 21-25 : basic_record = {flag = true; first_val = 42; sec_val = 69} result of call at line 51, characters 64-81 : int = 69 result of call at line 51, characters 64-68 : basic_record = {flag = true; first_val = 42; sec_val = 69} Line 52: a : array_of_records = epsilon x. (ArrayRecords.length x) = 0 i : int = -1 result of call at line 52, characters 13-92 : basic_record = {flag = false; first_val = 23; sec_val = 69} result of call at line 52, characters 41-57 : int = 23 result of call at line 52, characters 41-45 : basic_record = {flag = true; first_val = 23; sec_val = 69} result of call at line 52, characters 74-91 : int = 69 result of call at line 52, characters 74-78 : basic_record = {flag = true; first_val = 23; sec_val = 69} File "bench/check-ce/array_records_mono.mlw", line 53, characters 13-35: Sub-goal Assertion of goal var_overwrite'vc. Prover result is: Valid. Categorizations of models: - Selected model 0: INCOMPLETE - Concrete RAC: INCOMPLETE (terminated because Precondition of `var_overwrite` cannot be evaluated) - Abstract RAC: INCOMPLETE (terminated because Precondition of `var_overwrite` cannot be evaluated) - Checked model 1: INCOMPLETE - Concrete RAC: INCOMPLETE (terminated because Precondition of `var_overwrite` cannot be evaluated) - Abstract RAC: INCOMPLETE (terminated because Precondition of `var_overwrite` cannot be evaluated) File "bench/check-ce/array_records_mono.mlw", line 47, characters 15-36: Sub-goal Postcondition of goal var_overwrite'vc. Prover result is: Unknown or time/memory/step limit. The following counterexample model could not be verified (both RAC terminated because Precondition of `var_overwrite` cannot be evaluated): File array_records_mono.mlw: Line 20: length : array_of_records -> int = [|epsilon x. (ArrayRecords.length x) = 4 => 4; epsilon x. (ArrayRecords.length x) = 4 => 4; epsilon x. (ArrayRecords.length x) = 4 => 4; epsilon x. (ArrayRecords.length x) = 4 => 4; epsilon x. (ArrayRecords.length x) = 4 => 4; _ => 4|] Line 27: a : array_of_records = epsilon x. (ArrayRecords.length x) = 4 a : array_of_records = epsilon x. (ArrayRecords.length x) = 4 a : array_of_records = epsilon x. (ArrayRecords.length x) = 4 a : array_of_records = epsilon x. (ArrayRecords.length x) = 4 i : int = 2 Line 29: mixfix [<-] : array_of_records -> int -> basic_record -> array_of_records = fun x!012 x!1 x!2 -> if x!012 = epsilon x. (ArrayRecords.length x) = 4 /\ x!1 = 2 /\ x!2 = {flag = true; first_val = 3; sec_val = 69} then epsilon x. (ArrayRecords.length x) = 4 else if x!012 = epsilon x. (ArrayRecords.length x) = 4 /\ x!1 = 2 /\ x!2 = {flag = true; first_val = 42; sec_val = 69} then epsilon x. (ArrayRecords.length x) = 4 else if x!012 = epsilon x. (ArrayRecords.length x) = 4 /\ x!1 = 2 /\ x!2 = {flag = true; first_val = 23; sec_val = 69} then epsilon x. (ArrayRecords.length x) = 4 else if x!012 = epsilon x. (ArrayRecords.length x) = 4 /\ x!1 = 2 /\ x!2 = {flag = false; first_val = 23; sec_val = 69} then epsilon x. (ArrayRecords.length x) = 4 else epsilon x. (ArrayRecords.length x) = 4 Line 33: a : array_of_records = epsilon x. (ArrayRecords.length x) = 4 a : array_of_records = epsilon x. (ArrayRecords.length x) = 4 a : array_of_records = epsilon x. (ArrayRecords.length x) = 4 a : array_of_records = epsilon x. (ArrayRecords.length x) = 4 Line 35: a : array_of_records = epsilon x. (ArrayRecords.length x) = 4 Line 45: a : array_of_records = epsilon x. (ArrayRecords.length x) = 4 i : int = 2 Line 47: a : array_of_records = epsilon x. (ArrayRecords.length x) = 4 i : int = 2 Line 49: a : array_of_records = epsilon x. (ArrayRecords.length x) = 4 result of call at line 49, characters 13-81 : basic_record = {flag = true; first_val = 3; sec_val = 69} result of call at line 49, characters 21-30 : bool = true result of call at line 49, characters 21-25 : basic_record = {flag = true; first_val = 3; sec_val = 5} result of call at line 49, characters 45-61 : int = 3 result of call at line 49, characters 45-49 : basic_record = {flag = true; first_val = 3; sec_val = 5} Line 50: a : array_of_records = epsilon x. (ArrayRecords.length x) = 4 result of call at line 50, characters 13-82 : basic_record = {flag = true; first_val = 42; sec_val = 69} result of call at line 50, characters 21-30 : bool = true result of call at line 50, characters 21-25 : basic_record = {flag = true; first_val = 3; sec_val = 69} result of call at line 50, characters 64-81 : int = 69 result of call at line 50, characters 64-68 : basic_record = {flag = true; first_val = 3; sec_val = 69} Line 51: a : array_of_records = epsilon x. (ArrayRecords.length x) = 4 result of call at line 51, characters 13-82 : basic_record = {flag = true; first_val = 23; sec_val = 69} result of call at line 51, characters 21-30 : bool = true result of call at line 51, characters 21-25 : basic_record = {flag = true; first_val = 42; sec_val = 69} result of call at line 51, characters 64-81 : int = 69 result of call at line 51, characters 64-68 : basic_record = {flag = true; first_val = 42; sec_val = 69} Line 52: a : array_of_records = epsilon x. (ArrayRecords.length x) = 4 result of call at line 52, characters 13-92 : basic_record = {flag = false; first_val = 23; sec_val = 69} result of call at line 52, characters 41-57 : int = 23 result of call at line 52, characters 41-45 : basic_record = {flag = true; first_val = 23; sec_val = 69} result of call at line 52, characters 74-91 : int = 69 result of call at line 52, characters 74-78 : basic_record = {flag = true; first_val = 23; sec_val = 69} why3-1.6.0/bench/check-ce/oracles/array_records_poly_CVC4,1.8_SP.oracle000066400000000000000000001176731440160026300253510ustar00rootroot00000000000000Categorizations of models: - Checked model 0: INCOMPLETE - Concrete RAC: INCOMPLETE (terminated because Precondition of `var_overwrite` cannot be evaluated) - Abstract RAC: INCOMPLETE (terminated because Precondition of `var_overwrite` cannot be evaluated) - Selected model 1: INCOMPLETE - Concrete RAC: INCOMPLETE (terminated because Precondition of `var_overwrite` cannot be evaluated) - Abstract RAC: INCOMPLETE (terminated because Precondition of `var_overwrite` cannot be evaluated) File "bench/check-ce/array_records_poly.mlw", line 27, characters 45-49: Sub-goal Index in array bounds of goal var_overwrite'vc. Prover result is: Unknown or time/memory/step limit. The following counterexample model could not be verified (both RAC terminated because Precondition of `var_overwrite` cannot be evaluated): File array.mlw: Line 17: length : ty -> uni -> int = fun bOUND_VARIABLE_543 bOUND_VARIABLE_544 -> 0 length : array basic_record -> int = [|_ => 0|] Line 20: mixfix [] : array basic_record -> int -> basic_record = fun bOUND_VARIABLE_580 bOUND_VARIABLE_581 -> {flag = true; first_value = 3; second_value = 5} File array_records_poly.mlw: Line 14: basic_record'mk : bool -> int -> int -> basic_record = fun bOUND_VARIABLE_693 bOUND_VARIABLE_694 bOUND_VARIABLE_695 -> {flag = true; first_value = 3; second_value = 5} Line 16: flag : basic_record -> bool = [|_ => true|] Line 17: first_val : basic_record -> int = [|_ => 3|] Line 18: sec_val : basic_record -> int = [|_ => 5|] Line 23: i : int = -1 Line 27: i : int = -1 Categorizations of models: - Checked model 0: INCOMPLETE - Concrete RAC: INCOMPLETE (terminated because Precondition of `var_overwrite` cannot be evaluated) - Abstract RAC: INCOMPLETE (terminated because Precondition of `var_overwrite` cannot be evaluated) - Selected model 1: INCOMPLETE - Concrete RAC: INCOMPLETE (terminated because Precondition of `var_overwrite` cannot be evaluated) - Abstract RAC: INCOMPLETE (terminated because Precondition of `var_overwrite` cannot be evaluated) File "bench/check-ce/array_records_poly.mlw", line 27, characters 21-25: Sub-goal Index in array bounds of goal var_overwrite'vc. Prover result is: Unknown or time/memory/step limit. The following counterexample model could not be verified (both RAC terminated because Precondition of `var_overwrite` cannot be evaluated): File array.mlw: Line 17: length : ty -> uni -> int = fun bOUND_VARIABLE_552 bOUND_VARIABLE_553 -> 0 length : array basic_record -> int = [|_ => 0|] Line 20: mixfix [] : array basic_record -> int -> basic_record = fun bOUND_VARIABLE_589 bOUND_VARIABLE_590 -> {flag = true; first_value = 3; second_value = 5} File array_records_poly.mlw: Line 14: basic_record'mk : bool -> int -> int -> basic_record = fun bOUND_VARIABLE_702 bOUND_VARIABLE_703 bOUND_VARIABLE_704 -> {flag = true; first_value = 3; second_value = 5} Line 16: flag : basic_record -> bool = [|_ => true|] Line 17: first_val : basic_record -> int = [|_ => 3|] Line 18: sec_val : basic_record -> int = [|_ => 5|] Line 23: i : int = -1 Line 27: i : int = -1 result of call at line 27, characters 45-61 : int = 3 result of call at line 27, characters 45-49 : basic_record = {flag = true; first_value = 3; second_value = 5} Categorizations of models: - Checked model 0: INCOMPLETE - Concrete RAC: INCOMPLETE (terminated because Precondition of `var_overwrite` cannot be evaluated) - Abstract RAC: INCOMPLETE (terminated because Precondition of `var_overwrite` cannot be evaluated) - Selected model 1: INCOMPLETE - Concrete RAC: INCOMPLETE (terminated because Precondition of `var_overwrite` cannot be evaluated) - Abstract RAC: INCOMPLETE (terminated because Precondition of `var_overwrite` cannot be evaluated) File "bench/check-ce/array_records_poly.mlw", line 27, characters 5-81: Sub-goal Index in array bounds of goal var_overwrite'vc. Prover result is: Unknown or time/memory/step limit. The following counterexample model could not be verified (both RAC terminated because Precondition of `var_overwrite` cannot be evaluated): File array.mlw: Line 17: length : ty -> uni -> int = fun bOUND_VARIABLE_572 bOUND_VARIABLE_573 -> 0 length : array basic_record -> int = [|_ => 0|] Line 20: mixfix [] : array basic_record -> int -> basic_record = fun bOUND_VARIABLE_609 bOUND_VARIABLE_610 -> {flag = true; first_value = 3; second_value = 5} File array_records_poly.mlw: Line 14: basic_record'mk : bool -> int -> int -> basic_record = fun bOUND_VARIABLE_722 bOUND_VARIABLE_723 bOUND_VARIABLE_724 -> {flag = true; first_value = 3; second_value = 5} Line 16: flag : basic_record -> bool = [|_ => true|] Line 17: first_val : basic_record -> int = [|_ => 3|] Line 18: sec_val : basic_record -> int = [|_ => 5|] Line 23: i : int = -1 Line 27: i : int = -1 result of call at line 27, characters 13-81 : basic_record = {flag = true; first_value = 3; second_value = 5} result of call at line 27, characters 21-30 : bool = true result of call at line 27, characters 21-25 : basic_record = {flag = true; first_value = 3; second_value = 5} result of call at line 27, characters 45-61 : int = 3 result of call at line 27, characters 45-49 : basic_record = {flag = true; first_value = 3; second_value = 5} Categorizations of models: - Checked model 0: INCOMPLETE - Concrete RAC: INCOMPLETE (terminated because Precondition of `var_overwrite` cannot be evaluated) - Abstract RAC: INCOMPLETE (terminated because Precondition of `var_overwrite` cannot be evaluated) - Selected model 1: INCOMPLETE - Concrete RAC: INCOMPLETE (terminated because Precondition of `var_overwrite` cannot be evaluated) - Abstract RAC: INCOMPLETE (terminated because Precondition of `var_overwrite` cannot be evaluated) - Checked model 2: INCOMPLETE - Concrete RAC: INCOMPLETE (terminated because Precondition of `var_overwrite` cannot be evaluated) - Abstract RAC: INCOMPLETE (terminated because Precondition of `var_overwrite` cannot be evaluated) File "bench/check-ce/array_records_poly.mlw", line 28, characters 64-68: Sub-goal Index in array bounds of goal var_overwrite'vc. Prover result is: Unknown or time/memory/step limit. The following counterexample model could not be verified (both RAC terminated because Precondition of `var_overwrite` cannot be evaluated): File array.mlw: Line 16: elts : array basic_record -> int -> basic_record = [|_ => [|_ => {flag = true; first_value = 3; second_value = 0}|]|] Line 17: length : ty -> uni -> int = fun bOUND_VARIABLE_688 bOUND_VARIABLE_689 -> 0 length : array basic_record -> int = [|_ => 0|] Line 20: mixfix [] : array basic_record -> int -> basic_record = fun bOUND_VARIABLE_720 bOUND_VARIABLE_721 -> {flag = true; first_value = 3; second_value = 0} File array_records_poly.mlw: Line 14: basic_record'mk : bool -> int -> int -> basic_record = fun bOUND_VARIABLE_8371 bOUND_VARIABLE_8381 bOUND_VARIABLE_8391 -> {flag = true; first_value = 3; second_value = 0} Line 16: flag : basic_record -> bool = [|_ => true|] Line 17: first_val : basic_record -> int = [|_ => 3|] Line 18: sec_val : basic_record -> int = [|_ => 0|] Line 23: i : int = -1 Line 27: result of call at line 27, characters 13-81 : basic_record = {flag = true; first_value = 3; second_value = 0} result of call at line 27, characters 21-30 : bool = true result of call at line 27, characters 21-25 : basic_record = {flag = true; first_value = 3; second_value = 0} result of call at line 27, characters 45-61 : int = 3 result of call at line 27, characters 45-49 : basic_record = {flag = true; first_value = 3; second_value = 0} Line 28: i : int = -1 Categorizations of models: - Checked model 0: INCOMPLETE - Concrete RAC: INCOMPLETE (terminated because Precondition of `var_overwrite` cannot be evaluated) - Abstract RAC: INCOMPLETE (terminated because Precondition of `var_overwrite` cannot be evaluated) - Selected model 1: INCOMPLETE - Concrete RAC: INCOMPLETE (terminated because Precondition of `var_overwrite` cannot be evaluated) - Abstract RAC: INCOMPLETE (terminated because Precondition of `var_overwrite` cannot be evaluated) - Checked model 2: INCOMPLETE - Concrete RAC: INCOMPLETE (terminated because Precondition of `var_overwrite` cannot be evaluated) - Abstract RAC: INCOMPLETE (terminated because Precondition of `var_overwrite` cannot be evaluated) File "bench/check-ce/array_records_poly.mlw", line 28, characters 21-25: Sub-goal Index in array bounds of goal var_overwrite'vc. Prover result is: Unknown or time/memory/step limit. The following counterexample model could not be verified (both RAC terminated because Precondition of `var_overwrite` cannot be evaluated): File array.mlw: Line 16: elts : array basic_record -> int -> basic_record = [|_ => [|_ => {flag = true; first_value = 3; second_value = 0}|]|] Line 17: length : ty -> uni -> int = fun bOUND_VARIABLE_702 bOUND_VARIABLE_703 -> 0 length : array basic_record -> int = [|_ => 0|] Line 20: mixfix [] : array basic_record -> int -> basic_record = fun bOUND_VARIABLE_734 bOUND_VARIABLE_735 -> {flag = true; first_value = 3; second_value = 0} File array_records_poly.mlw: Line 14: basic_record'mk : bool -> int -> int -> basic_record = fun bOUND_VARIABLE_8511 bOUND_VARIABLE_8521 bOUND_VARIABLE_8531 -> {flag = true; first_value = 3; second_value = 0} Line 16: flag : basic_record -> bool = [|_ => true|] Line 17: first_val : basic_record -> int = [|_ => 3|] Line 18: sec_val : basic_record -> int = [|_ => 0|] Line 23: i : int = -1 Line 27: result of call at line 27, characters 13-81 : basic_record = {flag = true; first_value = 3; second_value = 0} result of call at line 27, characters 21-30 : bool = true result of call at line 27, characters 21-25 : basic_record = {flag = true; first_value = 3; second_value = 0} result of call at line 27, characters 45-61 : int = 3 result of call at line 27, characters 45-49 : basic_record = {flag = true; first_value = 3; second_value = 0} Line 28: i : int = -1 result of call at line 28, characters 64-81 : int = 0 result of call at line 28, characters 64-68 : basic_record = {flag = true; first_value = 3; second_value = 0} Categorizations of models: - Checked model 0: INCOMPLETE - Concrete RAC: INCOMPLETE (terminated because Precondition of `var_overwrite` cannot be evaluated) - Abstract RAC: INCOMPLETE (terminated because Precondition of `var_overwrite` cannot be evaluated) - Selected model 1: INCOMPLETE - Concrete RAC: INCOMPLETE (terminated because Precondition of `var_overwrite` cannot be evaluated) - Abstract RAC: INCOMPLETE (terminated because Precondition of `var_overwrite` cannot be evaluated) - Checked model 2: INCOMPLETE - Concrete RAC: INCOMPLETE (terminated because Precondition of `var_overwrite` cannot be evaluated) - Abstract RAC: INCOMPLETE (terminated because Precondition of `var_overwrite` cannot be evaluated) File "bench/check-ce/array_records_poly.mlw", line 28, characters 5-82: Sub-goal Index in array bounds of goal var_overwrite'vc. Prover result is: Unknown or time/memory/step limit. The following counterexample model could not be verified (both RAC terminated because Precondition of `var_overwrite` cannot be evaluated): File array.mlw: Line 16: elts : array basic_record -> int -> basic_record = [|_ => [|_ => {flag = true; first_value = 3; second_value = 0}|]|] Line 17: length : ty -> uni -> int = fun bOUND_VARIABLE_739 bOUND_VARIABLE_740 -> 0 length : array basic_record -> int = [|_ => 0|] Line 20: mixfix [] : array basic_record -> int -> basic_record = fun bOUND_VARIABLE_774 bOUND_VARIABLE_775 -> {flag = true; first_value = 3; second_value = 0} File array_records_poly.mlw: Line 14: basic_record'mk : bool -> int -> int -> basic_record = fun bOUND_VARIABLE_5973 bOUND_VARIABLE_5974 bOUND_VARIABLE_5975 -> {flag = true; first_value = 3; second_value = 0} Line 16: flag : basic_record -> bool = [|_ => true|] Line 17: first_val : basic_record -> int = [|_ => 3|] Line 18: sec_val : basic_record -> int = [|_ => 0|] Line 23: i : int = -1 Line 27: result of call at line 27, characters 13-81 : basic_record = {flag = true; first_value = 3; second_value = 0} result of call at line 27, characters 21-30 : bool = true result of call at line 27, characters 21-25 : basic_record = {flag = true; first_value = 3; second_value = 0} result of call at line 27, characters 45-61 : int = 3 result of call at line 27, characters 45-49 : basic_record = {flag = true; first_value = 3; second_value = 0} Line 28: i : int = -1 result of call at line 28, characters 13-82 : basic_record = {flag = true; first_value = 3; second_value = 0} result of call at line 28, characters 21-30 : bool = true result of call at line 28, characters 21-25 : basic_record = {flag = true; first_value = 3; second_value = 0} result of call at line 28, characters 64-81 : int = 0 result of call at line 28, characters 64-68 : basic_record = {flag = true; first_value = 3; second_value = 0} Categorizations of models: - Checked model 0: INCOMPLETE - Concrete RAC: INCOMPLETE (terminated because Precondition of `var_overwrite` cannot be evaluated) - Abstract RAC: INCOMPLETE (terminated because Precondition of `var_overwrite` cannot be evaluated) - Selected model 1: INCOMPLETE - Concrete RAC: INCOMPLETE (terminated because Precondition of `var_overwrite` cannot be evaluated) - Abstract RAC: INCOMPLETE (terminated because Precondition of `var_overwrite` cannot be evaluated) - Checked model 2: INCOMPLETE - Concrete RAC: INCOMPLETE (terminated because Precondition of `var_overwrite` cannot be evaluated) - Abstract RAC: INCOMPLETE (terminated because Precondition of `var_overwrite` cannot be evaluated) File "bench/check-ce/array_records_poly.mlw", line 29, characters 64-68: Sub-goal Index in array bounds of goal var_overwrite'vc. Prover result is: Unknown or time/memory/step limit. The following counterexample model could not be verified (both RAC terminated because Precondition of `var_overwrite` cannot be evaluated): File array.mlw: Line 17: length : ty -> uni -> int = fun bOUND_VARIABLE_831 bOUND_VARIABLE_832 -> 0 length : array basic_record -> int = [|_ => 0|] File array_records_poly.mlw: Line 16: flag : basic_record -> bool = [|_ => true|] Line 17: first_val : basic_record -> int = [|_ => 3|] Line 18: sec_val : basic_record -> int = fun bOUND_VARIABLE_1036 -> if {flag = true; first_value = 3; second_value = 69} = bOUND_VARIABLE_1036 then 69 else 5 Line 23: i : int = -1 Line 27: result of call at line 27, characters 13-81 : basic_record = {flag = true; first_value = 3; second_value = 69} result of call at line 27, characters 21-30 : bool = true result of call at line 27, characters 21-25 : basic_record = {flag = true; first_value = 3; second_value = 5} result of call at line 27, characters 45-61 : int = 3 result of call at line 27, characters 45-49 : basic_record = {flag = true; first_value = 3; second_value = 5} Line 28: result of call at line 28, characters 13-82 : basic_record = {flag = true; first_value = 3; second_value = 69} result of call at line 28, characters 21-30 : bool = true result of call at line 28, characters 21-25 : basic_record = {flag = true; first_value = 3; second_value = 69} result of call at line 28, characters 64-81 : int = 69 result of call at line 28, characters 64-68 : basic_record = {flag = true; first_value = 3; second_value = 69} Line 29: i : int = -1 Categorizations of models: - Checked model 0: INCOMPLETE - Concrete RAC: INCOMPLETE (terminated because Precondition of `var_overwrite` cannot be evaluated) - Abstract RAC: INCOMPLETE (terminated because Precondition of `var_overwrite` cannot be evaluated) - Selected model 1: INCOMPLETE - Concrete RAC: INCOMPLETE (terminated because Precondition of `var_overwrite` cannot be evaluated) - Abstract RAC: INCOMPLETE (terminated because Precondition of `var_overwrite` cannot be evaluated) - Checked model 2: INCOMPLETE - Concrete RAC: INCOMPLETE (terminated because Precondition of `var_overwrite` cannot be evaluated) - Abstract RAC: INCOMPLETE (terminated because Precondition of `var_overwrite` cannot be evaluated) File "bench/check-ce/array_records_poly.mlw", line 29, characters 21-25: Sub-goal Index in array bounds of goal var_overwrite'vc. Prover result is: Unknown or time/memory/step limit. The following counterexample model could not be verified (both RAC terminated because Precondition of `var_overwrite` cannot be evaluated): File array.mlw: Line 17: length : ty -> uni -> int = fun bOUND_VARIABLE_845 bOUND_VARIABLE_846 -> 0 length : array basic_record -> int = [|_ => 0|] File array_records_poly.mlw: Line 16: flag : basic_record -> bool = [|_ => true|] Line 17: first_val : basic_record -> int = [|_ => 3|] Line 18: sec_val : basic_record -> int = fun bOUND_VARIABLE_1050 -> if {flag = true; first_value = 3; second_value = 69} = bOUND_VARIABLE_1050 then 69 else 5 Line 23: i : int = -1 Line 27: result of call at line 27, characters 13-81 : basic_record = {flag = true; first_value = 3; second_value = 69} result of call at line 27, characters 21-30 : bool = true result of call at line 27, characters 21-25 : basic_record = {flag = true; first_value = 3; second_value = 5} result of call at line 27, characters 45-61 : int = 3 result of call at line 27, characters 45-49 : basic_record = {flag = true; first_value = 3; second_value = 5} Line 28: result of call at line 28, characters 13-82 : basic_record = {flag = true; first_value = 3; second_value = 69} result of call at line 28, characters 21-30 : bool = true result of call at line 28, characters 21-25 : basic_record = {flag = true; first_value = 3; second_value = 69} result of call at line 28, characters 64-81 : int = 69 result of call at line 28, characters 64-68 : basic_record = {flag = true; first_value = 3; second_value = 69} Line 29: i : int = -1 result of call at line 29, characters 64-81 : int = 69 result of call at line 29, characters 64-68 : basic_record = {flag = true; first_value = 3; second_value = 69} Categorizations of models: - Checked model 0: INCOMPLETE - Concrete RAC: INCOMPLETE (terminated because Precondition of `var_overwrite` cannot be evaluated) - Abstract RAC: INCOMPLETE (terminated because Precondition of `var_overwrite` cannot be evaluated) - Selected model 1: INCOMPLETE - Concrete RAC: INCOMPLETE (terminated because Precondition of `var_overwrite` cannot be evaluated) - Abstract RAC: INCOMPLETE (terminated because Precondition of `var_overwrite` cannot be evaluated) - Checked model 2: INCOMPLETE - Concrete RAC: INCOMPLETE (terminated because Precondition of `var_overwrite` cannot be evaluated) - Abstract RAC: INCOMPLETE (terminated because Precondition of `var_overwrite` cannot be evaluated) File "bench/check-ce/array_records_poly.mlw", line 29, characters 5-82: Sub-goal Index in array bounds of goal var_overwrite'vc. Prover result is: Unknown or time/memory/step limit. The following counterexample model could not be verified (both RAC terminated because Precondition of `var_overwrite` cannot be evaluated): File array.mlw: Line 16: elts : array basic_record -> int -> basic_record = [|_ => [|-1 => {flag = false; first_value = 1; second_value = 2}; _ => {flag = false; first_value = 1; second_value = 2}|]|] Line 17: length : ty -> uni -> int = fun bOUND_VARIABLE_888 bOUND_VARIABLE_889 -> 0 length : array basic_record -> int = [|_ => 0|] File array_records_poly.mlw: Line 16: flag : basic_record -> bool = [|_ => false|] Line 17: first_val : basic_record -> int = [|_ => 1|] Line 18: sec_val : basic_record -> int = [|_ => 2|] Line 23: i : int = -1 Line 27: result of call at line 27, characters 13-81 : basic_record = {flag = false; first_value = 1; second_value = 2} result of call at line 27, characters 21-30 : bool = false result of call at line 27, characters 21-25 : basic_record = {flag = false; first_value = 1; second_value = 2} result of call at line 27, characters 45-61 : int = 1 result of call at line 27, characters 45-49 : basic_record = {flag = false; first_value = 1; second_value = 2} Line 28: result of call at line 28, characters 13-82 : basic_record = {flag = false; first_value = 1; second_value = 2} result of call at line 28, characters 21-30 : bool = false result of call at line 28, characters 21-25 : basic_record = {flag = false; first_value = 1; second_value = 2} result of call at line 28, characters 64-81 : int = 2 result of call at line 28, characters 64-68 : basic_record = {flag = false; first_value = 1; second_value = 2} Line 29: i : int = -1 result of call at line 29, characters 13-82 : basic_record = {flag = false; first_value = 1; second_value = 2} result of call at line 29, characters 21-30 : bool = false result of call at line 29, characters 21-25 : basic_record = {flag = false; first_value = 1; second_value = 2} result of call at line 29, characters 64-81 : int = 2 result of call at line 29, characters 64-68 : basic_record = {flag = false; first_value = 1; second_value = 2} Categorizations of models: - Checked model 0: INCOMPLETE - Concrete RAC: INCOMPLETE (terminated because Precondition of `var_overwrite` cannot be evaluated) - Abstract RAC: INCOMPLETE (terminated because Precondition of `var_overwrite` cannot be evaluated) - Selected model 1: INCOMPLETE - Concrete RAC: INCOMPLETE (terminated because Precondition of `var_overwrite` cannot be evaluated) - Abstract RAC: INCOMPLETE (terminated because Precondition of `var_overwrite` cannot be evaluated) - Checked model 2: INCOMPLETE - Concrete RAC: INCOMPLETE (terminated because Precondition of `var_overwrite` cannot be evaluated) - Abstract RAC: INCOMPLETE (terminated because Precondition of `var_overwrite` cannot be evaluated) File "bench/check-ce/array_records_poly.mlw", line 30, characters 74-78: Sub-goal Index in array bounds of goal var_overwrite'vc. Prover result is: Unknown or time/memory/step limit. The following counterexample model could not be verified (both RAC terminated because Precondition of `var_overwrite` cannot be evaluated): File array.mlw: Line 17: length : ty -> uni -> int = fun bOUND_VARIABLE_965 bOUND_VARIABLE_966 -> 0 length : array basic_record -> int = [|_ => 0|] File array_records_poly.mlw: Line 17: first_val : basic_record -> int = [|epsilon x. (second_value x) = 69 /\ (first_value x) = 42 => 42; _ => if epsilon x. (second_value x) = 69 /\ (first_value x) = 23 = bOUND_VARIABLE_1195 then 23 else if epsilon x. (second_value x) = 69 /\ (first_value x) = 23 = bOUND_VARIABLE_1195 then 23 else 3|] Line 18: sec_val : basic_record -> int = [|epsilon x. (second_value x) = 69 /\ (first_value x) = 42 => 69; _ => if epsilon x. (second_value x) = 69 /\ (first_value x) = 3 = bOUND_VARIABLE_1195 then 69 else if epsilon x. (second_value x) = 69 /\ (first_value x) = 23 = bOUND_VARIABLE_1195 then 69 else if epsilon x. (second_value x) = 69 /\ (first_value x) = 23 = bOUND_VARIABLE_1195 then 69 else 5|] Line 23: i : int = -1 Line 27: result of call at line 27, characters 13-81 : basic_record = epsilon x. (second_value x) = 69 /\ (first_value x) = 3 result of call at line 27, characters 21-30 : bool = true result of call at line 27, characters 21-25 : basic_record = epsilon x. (second_value x) = 5 /\ (first_value x) = 3 result of call at line 27, characters 45-61 : int = 3 result of call at line 27, characters 45-49 : basic_record = epsilon x. (second_value x) = 5 /\ (first_value x) = 3 Line 28: result of call at line 28, characters 13-82 : basic_record = epsilon x. (second_value x) = 69 /\ (first_value x) = 42 result of call at line 28, characters 21-30 : bool = true result of call at line 28, characters 21-25 : basic_record = epsilon x. (second_value x) = 69 /\ (first_value x) = 3 result of call at line 28, characters 64-81 : int = 69 result of call at line 28, characters 64-68 : basic_record = epsilon x. (second_value x) = 69 /\ (first_value x) = 3 Line 29: result of call at line 29, characters 13-82 : basic_record = epsilon x. (second_value x) = 69 /\ (first_value x) = 23 result of call at line 29, characters 21-30 : bool = true result of call at line 29, characters 21-25 : basic_record = epsilon x. (second_value x) = 69 /\ (first_value x) = 42 result of call at line 29, characters 64-81 : int = 69 result of call at line 29, characters 64-68 : basic_record = epsilon x. (second_value x) = 69 /\ (first_value x) = 42 Line 30: i : int = -1 Categorizations of models: - Checked model 0: INCOMPLETE - Concrete RAC: INCOMPLETE (terminated because Precondition of `var_overwrite` cannot be evaluated) - Abstract RAC: INCOMPLETE (terminated because Precondition of `var_overwrite` cannot be evaluated) - Selected model 1: INCOMPLETE - Concrete RAC: INCOMPLETE (terminated because Precondition of `var_overwrite` cannot be evaluated) - Abstract RAC: INCOMPLETE (terminated because Precondition of `var_overwrite` cannot be evaluated) - Checked model 2: INCOMPLETE - Concrete RAC: INCOMPLETE (terminated because Precondition of `var_overwrite` cannot be evaluated) - Abstract RAC: INCOMPLETE (terminated because Precondition of `var_overwrite` cannot be evaluated) File "bench/check-ce/array_records_poly.mlw", line 30, characters 41-45: Sub-goal Index in array bounds of goal var_overwrite'vc. Prover result is: Unknown or time/memory/step limit. The following counterexample model could not be verified (both RAC terminated because Precondition of `var_overwrite` cannot be evaluated): File array.mlw: Line 17: length : ty -> uni -> int = fun bOUND_VARIABLE_979 bOUND_VARIABLE_980 -> 0 length : array basic_record -> int = [|_ => 0|] File array_records_poly.mlw: Line 17: first_val : basic_record -> int = [|epsilon x. (second_value x) = 69 /\ (first_value x) = 42 => 42; _ => if epsilon x. (second_value x) = 69 /\ (first_value x) = 23 = bOUND_VARIABLE_1209 then 23 else if epsilon x. (second_value x) = 69 /\ (first_value x) = 23 = bOUND_VARIABLE_1209 then 23 else 3|] Line 18: sec_val : basic_record -> int = [|epsilon x. (second_value x) = 69 /\ (first_value x) = 42 => 69; _ => if epsilon x. (second_value x) = 69 /\ (first_value x) = 3 = bOUND_VARIABLE_1209 then 69 else if epsilon x. (second_value x) = 69 /\ (first_value x) = 23 = bOUND_VARIABLE_1209 then 69 else if epsilon x. (second_value x) = 69 /\ (first_value x) = 23 = bOUND_VARIABLE_1209 then 69 else 5|] Line 23: i : int = -1 Line 27: result of call at line 27, characters 13-81 : basic_record = epsilon x. (second_value x) = 69 /\ (first_value x) = 3 result of call at line 27, characters 21-30 : bool = true result of call at line 27, characters 21-25 : basic_record = epsilon x. (second_value x) = 5 /\ (first_value x) = 3 result of call at line 27, characters 45-61 : int = 3 result of call at line 27, characters 45-49 : basic_record = epsilon x. (second_value x) = 5 /\ (first_value x) = 3 Line 28: result of call at line 28, characters 13-82 : basic_record = epsilon x. (second_value x) = 69 /\ (first_value x) = 42 result of call at line 28, characters 21-30 : bool = true result of call at line 28, characters 21-25 : basic_record = epsilon x. (second_value x) = 69 /\ (first_value x) = 3 result of call at line 28, characters 64-81 : int = 69 result of call at line 28, characters 64-68 : basic_record = epsilon x. (second_value x) = 69 /\ (first_value x) = 3 Line 29: result of call at line 29, characters 13-82 : basic_record = epsilon x. (second_value x) = 69 /\ (first_value x) = 23 result of call at line 29, characters 21-30 : bool = true result of call at line 29, characters 21-25 : basic_record = epsilon x. (second_value x) = 69 /\ (first_value x) = 42 result of call at line 29, characters 64-81 : int = 69 result of call at line 29, characters 64-68 : basic_record = epsilon x. (second_value x) = 69 /\ (first_value x) = 42 Line 30: i : int = -1 result of call at line 30, characters 74-91 : int = 69 result of call at line 30, characters 74-78 : basic_record = epsilon x. (second_value x) = 69 /\ (first_value x) = 23 Categorizations of models: - Checked model 0: INCOMPLETE - Concrete RAC: INCOMPLETE (terminated because Precondition of `var_overwrite` cannot be evaluated) - Abstract RAC: INCOMPLETE (terminated because Precondition of `var_overwrite` cannot be evaluated) - Selected model 1: INCOMPLETE - Concrete RAC: INCOMPLETE (terminated because Precondition of `var_overwrite` cannot be evaluated) - Abstract RAC: INCOMPLETE (terminated because Precondition of `var_overwrite` cannot be evaluated) - Checked model 2: INCOMPLETE - Concrete RAC: INCOMPLETE (terminated because Precondition of `var_overwrite` cannot be evaluated) - Abstract RAC: INCOMPLETE (terminated because Precondition of `var_overwrite` cannot be evaluated) File "bench/check-ce/array_records_poly.mlw", line 30, characters 5-92: Sub-goal Index in array bounds of goal var_overwrite'vc. Prover result is: Unknown or time/memory/step limit. The following counterexample model could not be verified (both RAC terminated because Precondition of `var_overwrite` cannot be evaluated): File array.mlw: Line 17: length : ty -> uni -> int = fun bOUND_VARIABLE_998 bOUND_VARIABLE_999 -> 0 length : array basic_record -> int = [|_ => 0|] File array_records_poly.mlw: Line 17: first_val : basic_record -> int = [|epsilon x. (second_value x) = 69 /\ (first_value x) = 42 => 42; _ => if epsilon x. (second_value x) = 69 /\ (first_value x) = 23 = bOUND_VARIABLE_1228 then 23 else if epsilon x. (second_value x) = 69 /\ (first_value x) = 23 = bOUND_VARIABLE_1228 then 23 else 3|] Line 18: sec_val : basic_record -> int = [|epsilon x. (second_value x) = 69 /\ (first_value x) = 42 => 69; _ => if epsilon x. (second_value x) = 69 /\ (first_value x) = 3 = bOUND_VARIABLE_1228 then 69 else if epsilon x. (second_value x) = 69 /\ (first_value x) = 23 = bOUND_VARIABLE_1228 then 69 else if epsilon x. (second_value x) = 69 /\ (first_value x) = 23 = bOUND_VARIABLE_1228 then 69 else 5|] Line 23: i : int = -1 Line 27: result of call at line 27, characters 13-81 : basic_record = epsilon x. (second_value x) = 69 /\ (first_value x) = 3 result of call at line 27, characters 21-30 : bool = true result of call at line 27, characters 21-25 : basic_record = epsilon x. (second_value x) = 5 /\ (first_value x) = 3 result of call at line 27, characters 45-61 : int = 3 result of call at line 27, characters 45-49 : basic_record = epsilon x. (second_value x) = 5 /\ (first_value x) = 3 Line 28: result of call at line 28, characters 13-82 : basic_record = epsilon x. (second_value x) = 69 /\ (first_value x) = 42 result of call at line 28, characters 21-30 : bool = true result of call at line 28, characters 21-25 : basic_record = epsilon x. (second_value x) = 69 /\ (first_value x) = 3 result of call at line 28, characters 64-81 : int = 69 result of call at line 28, characters 64-68 : basic_record = epsilon x. (second_value x) = 69 /\ (first_value x) = 3 Line 29: result of call at line 29, characters 13-82 : basic_record = epsilon x. (second_value x) = 69 /\ (first_value x) = 23 result of call at line 29, characters 21-30 : bool = true result of call at line 29, characters 21-25 : basic_record = epsilon x. (second_value x) = 69 /\ (first_value x) = 42 result of call at line 29, characters 64-81 : int = 69 result of call at line 29, characters 64-68 : basic_record = epsilon x. (second_value x) = 69 /\ (first_value x) = 42 Line 30: i : int = -1 result of call at line 30, characters 13-92 : basic_record = epsilon x. (second_value x) = 69 /\ (first_value x) = 23 result of call at line 30, characters 41-57 : int = 23 result of call at line 30, characters 41-45 : basic_record = epsilon x. (second_value x) = 69 /\ (first_value x) = 23 result of call at line 30, characters 74-91 : int = 69 result of call at line 30, characters 74-78 : basic_record = epsilon x. (second_value x) = 69 /\ (first_value x) = 23 File "bench/check-ce/array_records_poly.mlw", line 31, characters 13-35: Sub-goal Assertion of goal var_overwrite'vc. Prover result is: Valid. Categorizations of models: - Checked model 0: INCOMPLETE - Concrete RAC: INCOMPLETE (terminated because Precondition of `var_overwrite` cannot be evaluated) - Abstract RAC: INCOMPLETE (terminated because Precondition of `var_overwrite` cannot be evaluated) - Selected model 1: INCOMPLETE - Concrete RAC: INCOMPLETE (terminated because Precondition of `var_overwrite` cannot be evaluated) - Abstract RAC: INCOMPLETE (terminated because Precondition of `var_overwrite` cannot be evaluated) File "bench/check-ce/array_records_poly.mlw", line 25, characters 15-36: Sub-goal Postcondition of goal var_overwrite'vc. Prover result is: Unknown or time/memory/step limit. The following counterexample model could not be verified (both RAC terminated because Precondition of `var_overwrite` cannot be evaluated): File array.mlw: Line 17: length : ty -> uni -> int = fun bOUND_VARIABLE_1128 bOUND_VARIABLE_1129 -> 0 length : array basic_record -> int = [|_ => 0|] File array_records_poly.mlw: Line 17: first_val : basic_record -> int = fun bOUND_VARIABLE_1403 -> if epsilon x. (second_value x) = 69 /\ (first_value x) = 23 = bOUND_VARIABLE_1403 then 23 else if epsilon x. (second_value x) = 69 /\ (first_value x) = 42 = bOUND_VARIABLE_1403 then 42 else if epsilon x. (second_value x) = 69 /\ (first_value x) = 23 = bOUND_VARIABLE_1403 then 23 else 3 Line 18: sec_val : basic_record -> int = fun bOUND_VARIABLE_1403 -> if epsilon x. (second_value x) = 69 /\ (first_value x) = 23 = bOUND_VARIABLE_1403 then 69 else if epsilon x. (second_value x) = 69 /\ (first_value x) = 42 = bOUND_VARIABLE_1403 then 69 else if epsilon x. (second_value x) = 69 /\ (first_value x) = 23 = bOUND_VARIABLE_1403 then 69 else if epsilon x. (second_value x) = 69 /\ (first_value x) = 3 = bOUND_VARIABLE_1403 then 69 else 5 Line 23: i : int = 0 Line 25: i : int = 0 Line 27: result of call at line 27, characters 13-81 : basic_record = epsilon x. (second_value x) = 69 /\ (first_value x) = 3 result of call at line 27, characters 21-30 : bool = true result of call at line 27, characters 21-25 : basic_record = epsilon x. (second_value x) = 5 /\ (first_value x) = 3 result of call at line 27, characters 45-61 : int = 3 result of call at line 27, characters 45-49 : basic_record = epsilon x. (second_value x) = 5 /\ (first_value x) = 3 Line 28: result of call at line 28, characters 13-82 : basic_record = epsilon x. (second_value x) = 69 /\ (first_value x) = 42 result of call at line 28, characters 21-30 : bool = true result of call at line 28, characters 21-25 : basic_record = epsilon x. (second_value x) = 69 /\ (first_value x) = 3 result of call at line 28, characters 64-81 : int = 69 result of call at line 28, characters 64-68 : basic_record = epsilon x. (second_value x) = 69 /\ (first_value x) = 3 Line 29: result of call at line 29, characters 13-82 : basic_record = epsilon x. (second_value x) = 69 /\ (first_value x) = 23 result of call at line 29, characters 21-30 : bool = true result of call at line 29, characters 21-25 : basic_record = epsilon x. (second_value x) = 69 /\ (first_value x) = 42 result of call at line 29, characters 64-81 : int = 69 result of call at line 29, characters 64-68 : basic_record = epsilon x. (second_value x) = 69 /\ (first_value x) = 42 Line 30: result of call at line 30, characters 13-92 : basic_record = epsilon x. (second_value x) = 69 /\ (first_value x) = 23 result of call at line 30, characters 41-57 : int = 23 result of call at line 30, characters 41-45 : basic_record = epsilon x. (second_value x) = 69 /\ (first_value x) = 23 result of call at line 30, characters 74-91 : int = 69 result of call at line 30, characters 74-78 : basic_record = epsilon x. (second_value x) = 69 /\ (first_value x) = 23 why3-1.6.0/bench/check-ce/oracles/array_records_poly_CVC4,1.8_WP.oracle000066400000000000000000001176731440160026300253550ustar00rootroot00000000000000Categorizations of models: - Checked model 0: INCOMPLETE - Concrete RAC: INCOMPLETE (terminated because Precondition of `var_overwrite` cannot be evaluated) - Abstract RAC: INCOMPLETE (terminated because Precondition of `var_overwrite` cannot be evaluated) - Selected model 1: INCOMPLETE - Concrete RAC: INCOMPLETE (terminated because Precondition of `var_overwrite` cannot be evaluated) - Abstract RAC: INCOMPLETE (terminated because Precondition of `var_overwrite` cannot be evaluated) File "bench/check-ce/array_records_poly.mlw", line 27, characters 45-49: Sub-goal Index in array bounds of goal var_overwrite'vc. Prover result is: Unknown or time/memory/step limit. The following counterexample model could not be verified (both RAC terminated because Precondition of `var_overwrite` cannot be evaluated): File array.mlw: Line 17: length : ty -> uni -> int = fun bOUND_VARIABLE_543 bOUND_VARIABLE_544 -> 0 length : array basic_record -> int = [|_ => 0|] Line 20: mixfix [] : array basic_record -> int -> basic_record = fun bOUND_VARIABLE_580 bOUND_VARIABLE_581 -> {flag = true; first_value = 3; second_value = 5} File array_records_poly.mlw: Line 14: basic_record'mk : bool -> int -> int -> basic_record = fun bOUND_VARIABLE_693 bOUND_VARIABLE_694 bOUND_VARIABLE_695 -> {flag = true; first_value = 3; second_value = 5} Line 16: flag : basic_record -> bool = [|_ => true|] Line 17: first_val : basic_record -> int = [|_ => 3|] Line 18: sec_val : basic_record -> int = [|_ => 5|] Line 23: i : int = -1 Line 27: i : int = -1 Categorizations of models: - Checked model 0: INCOMPLETE - Concrete RAC: INCOMPLETE (terminated because Precondition of `var_overwrite` cannot be evaluated) - Abstract RAC: INCOMPLETE (terminated because Precondition of `var_overwrite` cannot be evaluated) - Selected model 1: INCOMPLETE - Concrete RAC: INCOMPLETE (terminated because Precondition of `var_overwrite` cannot be evaluated) - Abstract RAC: INCOMPLETE (terminated because Precondition of `var_overwrite` cannot be evaluated) File "bench/check-ce/array_records_poly.mlw", line 27, characters 21-25: Sub-goal Index in array bounds of goal var_overwrite'vc. Prover result is: Unknown or time/memory/step limit. The following counterexample model could not be verified (both RAC terminated because Precondition of `var_overwrite` cannot be evaluated): File array.mlw: Line 17: length : ty -> uni -> int = fun bOUND_VARIABLE_552 bOUND_VARIABLE_553 -> 0 length : array basic_record -> int = [|_ => 0|] Line 20: mixfix [] : array basic_record -> int -> basic_record = fun bOUND_VARIABLE_589 bOUND_VARIABLE_590 -> {flag = true; first_value = 3; second_value = 5} File array_records_poly.mlw: Line 14: basic_record'mk : bool -> int -> int -> basic_record = fun bOUND_VARIABLE_702 bOUND_VARIABLE_703 bOUND_VARIABLE_704 -> {flag = true; first_value = 3; second_value = 5} Line 16: flag : basic_record -> bool = [|_ => true|] Line 17: first_val : basic_record -> int = [|_ => 3|] Line 18: sec_val : basic_record -> int = [|_ => 5|] Line 23: i : int = -1 Line 27: i : int = -1 result of call at line 27, characters 45-61 : int = 3 result of call at line 27, characters 45-49 : basic_record = {flag = true; first_value = 3; second_value = 5} Categorizations of models: - Checked model 0: INCOMPLETE - Concrete RAC: INCOMPLETE (terminated because Precondition of `var_overwrite` cannot be evaluated) - Abstract RAC: INCOMPLETE (terminated because Precondition of `var_overwrite` cannot be evaluated) - Selected model 1: INCOMPLETE - Concrete RAC: INCOMPLETE (terminated because Precondition of `var_overwrite` cannot be evaluated) - Abstract RAC: INCOMPLETE (terminated because Precondition of `var_overwrite` cannot be evaluated) File "bench/check-ce/array_records_poly.mlw", line 27, characters 5-81: Sub-goal Index in array bounds of goal var_overwrite'vc. Prover result is: Unknown or time/memory/step limit. The following counterexample model could not be verified (both RAC terminated because Precondition of `var_overwrite` cannot be evaluated): File array.mlw: Line 17: length : ty -> uni -> int = fun bOUND_VARIABLE_572 bOUND_VARIABLE_573 -> 0 length : array basic_record -> int = [|_ => 0|] Line 20: mixfix [] : array basic_record -> int -> basic_record = fun bOUND_VARIABLE_609 bOUND_VARIABLE_610 -> {flag = true; first_value = 3; second_value = 5} File array_records_poly.mlw: Line 14: basic_record'mk : bool -> int -> int -> basic_record = fun bOUND_VARIABLE_722 bOUND_VARIABLE_723 bOUND_VARIABLE_724 -> {flag = true; first_value = 3; second_value = 5} Line 16: flag : basic_record -> bool = [|_ => true|] Line 17: first_val : basic_record -> int = [|_ => 3|] Line 18: sec_val : basic_record -> int = [|_ => 5|] Line 23: i : int = -1 Line 27: i : int = -1 result of call at line 27, characters 13-81 : basic_record = {flag = true; first_value = 3; second_value = 5} result of call at line 27, characters 21-30 : bool = true result of call at line 27, characters 21-25 : basic_record = {flag = true; first_value = 3; second_value = 5} result of call at line 27, characters 45-61 : int = 3 result of call at line 27, characters 45-49 : basic_record = {flag = true; first_value = 3; second_value = 5} Categorizations of models: - Checked model 0: INCOMPLETE - Concrete RAC: INCOMPLETE (terminated because Precondition of `var_overwrite` cannot be evaluated) - Abstract RAC: INCOMPLETE (terminated because Precondition of `var_overwrite` cannot be evaluated) - Selected model 1: INCOMPLETE - Concrete RAC: INCOMPLETE (terminated because Precondition of `var_overwrite` cannot be evaluated) - Abstract RAC: INCOMPLETE (terminated because Precondition of `var_overwrite` cannot be evaluated) - Checked model 2: INCOMPLETE - Concrete RAC: INCOMPLETE (terminated because Precondition of `var_overwrite` cannot be evaluated) - Abstract RAC: INCOMPLETE (terminated because Precondition of `var_overwrite` cannot be evaluated) File "bench/check-ce/array_records_poly.mlw", line 28, characters 64-68: Sub-goal Index in array bounds of goal var_overwrite'vc. Prover result is: Unknown or time/memory/step limit. The following counterexample model could not be verified (both RAC terminated because Precondition of `var_overwrite` cannot be evaluated): File array.mlw: Line 16: elts : array basic_record -> int -> basic_record = [|_ => [|_ => {flag = true; first_value = 3; second_value = 0}|]|] Line 17: length : ty -> uni -> int = fun bOUND_VARIABLE_688 bOUND_VARIABLE_689 -> 0 length : array basic_record -> int = [|_ => 0|] Line 20: mixfix [] : array basic_record -> int -> basic_record = fun bOUND_VARIABLE_720 bOUND_VARIABLE_721 -> {flag = true; first_value = 3; second_value = 0} File array_records_poly.mlw: Line 14: basic_record'mk : bool -> int -> int -> basic_record = fun bOUND_VARIABLE_8371 bOUND_VARIABLE_8381 bOUND_VARIABLE_8391 -> {flag = true; first_value = 3; second_value = 0} Line 16: flag : basic_record -> bool = [|_ => true|] Line 17: first_val : basic_record -> int = [|_ => 3|] Line 18: sec_val : basic_record -> int = [|_ => 0|] Line 23: i : int = -1 Line 27: result of call at line 27, characters 13-81 : basic_record = {flag = true; first_value = 3; second_value = 0} result of call at line 27, characters 21-30 : bool = true result of call at line 27, characters 21-25 : basic_record = {flag = true; first_value = 3; second_value = 0} result of call at line 27, characters 45-61 : int = 3 result of call at line 27, characters 45-49 : basic_record = {flag = true; first_value = 3; second_value = 0} Line 28: i : int = -1 Categorizations of models: - Checked model 0: INCOMPLETE - Concrete RAC: INCOMPLETE (terminated because Precondition of `var_overwrite` cannot be evaluated) - Abstract RAC: INCOMPLETE (terminated because Precondition of `var_overwrite` cannot be evaluated) - Selected model 1: INCOMPLETE - Concrete RAC: INCOMPLETE (terminated because Precondition of `var_overwrite` cannot be evaluated) - Abstract RAC: INCOMPLETE (terminated because Precondition of `var_overwrite` cannot be evaluated) - Checked model 2: INCOMPLETE - Concrete RAC: INCOMPLETE (terminated because Precondition of `var_overwrite` cannot be evaluated) - Abstract RAC: INCOMPLETE (terminated because Precondition of `var_overwrite` cannot be evaluated) File "bench/check-ce/array_records_poly.mlw", line 28, characters 21-25: Sub-goal Index in array bounds of goal var_overwrite'vc. Prover result is: Unknown or time/memory/step limit. The following counterexample model could not be verified (both RAC terminated because Precondition of `var_overwrite` cannot be evaluated): File array.mlw: Line 16: elts : array basic_record -> int -> basic_record = [|_ => [|_ => {flag = true; first_value = 3; second_value = 0}|]|] Line 17: length : ty -> uni -> int = fun bOUND_VARIABLE_702 bOUND_VARIABLE_703 -> 0 length : array basic_record -> int = [|_ => 0|] Line 20: mixfix [] : array basic_record -> int -> basic_record = fun bOUND_VARIABLE_734 bOUND_VARIABLE_735 -> {flag = true; first_value = 3; second_value = 0} File array_records_poly.mlw: Line 14: basic_record'mk : bool -> int -> int -> basic_record = fun bOUND_VARIABLE_8511 bOUND_VARIABLE_8521 bOUND_VARIABLE_8531 -> {flag = true; first_value = 3; second_value = 0} Line 16: flag : basic_record -> bool = [|_ => true|] Line 17: first_val : basic_record -> int = [|_ => 3|] Line 18: sec_val : basic_record -> int = [|_ => 0|] Line 23: i : int = -1 Line 27: result of call at line 27, characters 13-81 : basic_record = {flag = true; first_value = 3; second_value = 0} result of call at line 27, characters 21-30 : bool = true result of call at line 27, characters 21-25 : basic_record = {flag = true; first_value = 3; second_value = 0} result of call at line 27, characters 45-61 : int = 3 result of call at line 27, characters 45-49 : basic_record = {flag = true; first_value = 3; second_value = 0} Line 28: i : int = -1 result of call at line 28, characters 64-81 : int = 0 result of call at line 28, characters 64-68 : basic_record = {flag = true; first_value = 3; second_value = 0} Categorizations of models: - Checked model 0: INCOMPLETE - Concrete RAC: INCOMPLETE (terminated because Precondition of `var_overwrite` cannot be evaluated) - Abstract RAC: INCOMPLETE (terminated because Precondition of `var_overwrite` cannot be evaluated) - Selected model 1: INCOMPLETE - Concrete RAC: INCOMPLETE (terminated because Precondition of `var_overwrite` cannot be evaluated) - Abstract RAC: INCOMPLETE (terminated because Precondition of `var_overwrite` cannot be evaluated) - Checked model 2: INCOMPLETE - Concrete RAC: INCOMPLETE (terminated because Precondition of `var_overwrite` cannot be evaluated) - Abstract RAC: INCOMPLETE (terminated because Precondition of `var_overwrite` cannot be evaluated) File "bench/check-ce/array_records_poly.mlw", line 28, characters 5-82: Sub-goal Index in array bounds of goal var_overwrite'vc. Prover result is: Unknown or time/memory/step limit. The following counterexample model could not be verified (both RAC terminated because Precondition of `var_overwrite` cannot be evaluated): File array.mlw: Line 16: elts : array basic_record -> int -> basic_record = [|_ => [|_ => {flag = true; first_value = 3; second_value = 0}|]|] Line 17: length : ty -> uni -> int = fun bOUND_VARIABLE_739 bOUND_VARIABLE_740 -> 0 length : array basic_record -> int = [|_ => 0|] Line 20: mixfix [] : array basic_record -> int -> basic_record = fun bOUND_VARIABLE_774 bOUND_VARIABLE_775 -> {flag = true; first_value = 3; second_value = 0} File array_records_poly.mlw: Line 14: basic_record'mk : bool -> int -> int -> basic_record = fun bOUND_VARIABLE_5973 bOUND_VARIABLE_5974 bOUND_VARIABLE_5975 -> {flag = true; first_value = 3; second_value = 0} Line 16: flag : basic_record -> bool = [|_ => true|] Line 17: first_val : basic_record -> int = [|_ => 3|] Line 18: sec_val : basic_record -> int = [|_ => 0|] Line 23: i : int = -1 Line 27: result of call at line 27, characters 13-81 : basic_record = {flag = true; first_value = 3; second_value = 0} result of call at line 27, characters 21-30 : bool = true result of call at line 27, characters 21-25 : basic_record = {flag = true; first_value = 3; second_value = 0} result of call at line 27, characters 45-61 : int = 3 result of call at line 27, characters 45-49 : basic_record = {flag = true; first_value = 3; second_value = 0} Line 28: i : int = -1 result of call at line 28, characters 13-82 : basic_record = {flag = true; first_value = 3; second_value = 0} result of call at line 28, characters 21-30 : bool = true result of call at line 28, characters 21-25 : basic_record = {flag = true; first_value = 3; second_value = 0} result of call at line 28, characters 64-81 : int = 0 result of call at line 28, characters 64-68 : basic_record = {flag = true; first_value = 3; second_value = 0} Categorizations of models: - Checked model 0: INCOMPLETE - Concrete RAC: INCOMPLETE (terminated because Precondition of `var_overwrite` cannot be evaluated) - Abstract RAC: INCOMPLETE (terminated because Precondition of `var_overwrite` cannot be evaluated) - Selected model 1: INCOMPLETE - Concrete RAC: INCOMPLETE (terminated because Precondition of `var_overwrite` cannot be evaluated) - Abstract RAC: INCOMPLETE (terminated because Precondition of `var_overwrite` cannot be evaluated) - Checked model 2: INCOMPLETE - Concrete RAC: INCOMPLETE (terminated because Precondition of `var_overwrite` cannot be evaluated) - Abstract RAC: INCOMPLETE (terminated because Precondition of `var_overwrite` cannot be evaluated) File "bench/check-ce/array_records_poly.mlw", line 29, characters 64-68: Sub-goal Index in array bounds of goal var_overwrite'vc. Prover result is: Unknown or time/memory/step limit. The following counterexample model could not be verified (both RAC terminated because Precondition of `var_overwrite` cannot be evaluated): File array.mlw: Line 17: length : ty -> uni -> int = fun bOUND_VARIABLE_831 bOUND_VARIABLE_832 -> 0 length : array basic_record -> int = [|_ => 0|] File array_records_poly.mlw: Line 16: flag : basic_record -> bool = [|_ => true|] Line 17: first_val : basic_record -> int = [|_ => 3|] Line 18: sec_val : basic_record -> int = fun bOUND_VARIABLE_1036 -> if {flag = true; first_value = 3; second_value = 69} = bOUND_VARIABLE_1036 then 69 else 5 Line 23: i : int = -1 Line 27: result of call at line 27, characters 13-81 : basic_record = {flag = true; first_value = 3; second_value = 69} result of call at line 27, characters 21-30 : bool = true result of call at line 27, characters 21-25 : basic_record = {flag = true; first_value = 3; second_value = 5} result of call at line 27, characters 45-61 : int = 3 result of call at line 27, characters 45-49 : basic_record = {flag = true; first_value = 3; second_value = 5} Line 28: result of call at line 28, characters 13-82 : basic_record = {flag = true; first_value = 3; second_value = 69} result of call at line 28, characters 21-30 : bool = true result of call at line 28, characters 21-25 : basic_record = {flag = true; first_value = 3; second_value = 69} result of call at line 28, characters 64-81 : int = 69 result of call at line 28, characters 64-68 : basic_record = {flag = true; first_value = 3; second_value = 69} Line 29: i : int = -1 Categorizations of models: - Checked model 0: INCOMPLETE - Concrete RAC: INCOMPLETE (terminated because Precondition of `var_overwrite` cannot be evaluated) - Abstract RAC: INCOMPLETE (terminated because Precondition of `var_overwrite` cannot be evaluated) - Selected model 1: INCOMPLETE - Concrete RAC: INCOMPLETE (terminated because Precondition of `var_overwrite` cannot be evaluated) - Abstract RAC: INCOMPLETE (terminated because Precondition of `var_overwrite` cannot be evaluated) - Checked model 2: INCOMPLETE - Concrete RAC: INCOMPLETE (terminated because Precondition of `var_overwrite` cannot be evaluated) - Abstract RAC: INCOMPLETE (terminated because Precondition of `var_overwrite` cannot be evaluated) File "bench/check-ce/array_records_poly.mlw", line 29, characters 21-25: Sub-goal Index in array bounds of goal var_overwrite'vc. Prover result is: Unknown or time/memory/step limit. The following counterexample model could not be verified (both RAC terminated because Precondition of `var_overwrite` cannot be evaluated): File array.mlw: Line 17: length : ty -> uni -> int = fun bOUND_VARIABLE_845 bOUND_VARIABLE_846 -> 0 length : array basic_record -> int = [|_ => 0|] File array_records_poly.mlw: Line 16: flag : basic_record -> bool = [|_ => true|] Line 17: first_val : basic_record -> int = [|_ => 3|] Line 18: sec_val : basic_record -> int = fun bOUND_VARIABLE_1050 -> if {flag = true; first_value = 3; second_value = 69} = bOUND_VARIABLE_1050 then 69 else 5 Line 23: i : int = -1 Line 27: result of call at line 27, characters 13-81 : basic_record = {flag = true; first_value = 3; second_value = 69} result of call at line 27, characters 21-30 : bool = true result of call at line 27, characters 21-25 : basic_record = {flag = true; first_value = 3; second_value = 5} result of call at line 27, characters 45-61 : int = 3 result of call at line 27, characters 45-49 : basic_record = {flag = true; first_value = 3; second_value = 5} Line 28: result of call at line 28, characters 13-82 : basic_record = {flag = true; first_value = 3; second_value = 69} result of call at line 28, characters 21-30 : bool = true result of call at line 28, characters 21-25 : basic_record = {flag = true; first_value = 3; second_value = 69} result of call at line 28, characters 64-81 : int = 69 result of call at line 28, characters 64-68 : basic_record = {flag = true; first_value = 3; second_value = 69} Line 29: i : int = -1 result of call at line 29, characters 64-81 : int = 69 result of call at line 29, characters 64-68 : basic_record = {flag = true; first_value = 3; second_value = 69} Categorizations of models: - Checked model 0: INCOMPLETE - Concrete RAC: INCOMPLETE (terminated because Precondition of `var_overwrite` cannot be evaluated) - Abstract RAC: INCOMPLETE (terminated because Precondition of `var_overwrite` cannot be evaluated) - Selected model 1: INCOMPLETE - Concrete RAC: INCOMPLETE (terminated because Precondition of `var_overwrite` cannot be evaluated) - Abstract RAC: INCOMPLETE (terminated because Precondition of `var_overwrite` cannot be evaluated) - Checked model 2: INCOMPLETE - Concrete RAC: INCOMPLETE (terminated because Precondition of `var_overwrite` cannot be evaluated) - Abstract RAC: INCOMPLETE (terminated because Precondition of `var_overwrite` cannot be evaluated) File "bench/check-ce/array_records_poly.mlw", line 29, characters 5-82: Sub-goal Index in array bounds of goal var_overwrite'vc. Prover result is: Unknown or time/memory/step limit. The following counterexample model could not be verified (both RAC terminated because Precondition of `var_overwrite` cannot be evaluated): File array.mlw: Line 16: elts : array basic_record -> int -> basic_record = [|_ => [|-1 => {flag = false; first_value = 1; second_value = 2}; _ => {flag = false; first_value = 1; second_value = 2}|]|] Line 17: length : ty -> uni -> int = fun bOUND_VARIABLE_888 bOUND_VARIABLE_889 -> 0 length : array basic_record -> int = [|_ => 0|] File array_records_poly.mlw: Line 16: flag : basic_record -> bool = [|_ => false|] Line 17: first_val : basic_record -> int = [|_ => 1|] Line 18: sec_val : basic_record -> int = [|_ => 2|] Line 23: i : int = -1 Line 27: result of call at line 27, characters 13-81 : basic_record = {flag = false; first_value = 1; second_value = 2} result of call at line 27, characters 21-30 : bool = false result of call at line 27, characters 21-25 : basic_record = {flag = false; first_value = 1; second_value = 2} result of call at line 27, characters 45-61 : int = 1 result of call at line 27, characters 45-49 : basic_record = {flag = false; first_value = 1; second_value = 2} Line 28: result of call at line 28, characters 13-82 : basic_record = {flag = false; first_value = 1; second_value = 2} result of call at line 28, characters 21-30 : bool = false result of call at line 28, characters 21-25 : basic_record = {flag = false; first_value = 1; second_value = 2} result of call at line 28, characters 64-81 : int = 2 result of call at line 28, characters 64-68 : basic_record = {flag = false; first_value = 1; second_value = 2} Line 29: i : int = -1 result of call at line 29, characters 13-82 : basic_record = {flag = false; first_value = 1; second_value = 2} result of call at line 29, characters 21-30 : bool = false result of call at line 29, characters 21-25 : basic_record = {flag = false; first_value = 1; second_value = 2} result of call at line 29, characters 64-81 : int = 2 result of call at line 29, characters 64-68 : basic_record = {flag = false; first_value = 1; second_value = 2} Categorizations of models: - Checked model 0: INCOMPLETE - Concrete RAC: INCOMPLETE (terminated because Precondition of `var_overwrite` cannot be evaluated) - Abstract RAC: INCOMPLETE (terminated because Precondition of `var_overwrite` cannot be evaluated) - Selected model 1: INCOMPLETE - Concrete RAC: INCOMPLETE (terminated because Precondition of `var_overwrite` cannot be evaluated) - Abstract RAC: INCOMPLETE (terminated because Precondition of `var_overwrite` cannot be evaluated) - Checked model 2: INCOMPLETE - Concrete RAC: INCOMPLETE (terminated because Precondition of `var_overwrite` cannot be evaluated) - Abstract RAC: INCOMPLETE (terminated because Precondition of `var_overwrite` cannot be evaluated) File "bench/check-ce/array_records_poly.mlw", line 30, characters 74-78: Sub-goal Index in array bounds of goal var_overwrite'vc. Prover result is: Unknown or time/memory/step limit. The following counterexample model could not be verified (both RAC terminated because Precondition of `var_overwrite` cannot be evaluated): File array.mlw: Line 17: length : ty -> uni -> int = fun bOUND_VARIABLE_965 bOUND_VARIABLE_966 -> 0 length : array basic_record -> int = [|_ => 0|] File array_records_poly.mlw: Line 17: first_val : basic_record -> int = [|epsilon x. (second_value x) = 69 /\ (first_value x) = 42 => 42; _ => if epsilon x. (second_value x) = 69 /\ (first_value x) = 23 = bOUND_VARIABLE_1195 then 23 else if epsilon x. (second_value x) = 69 /\ (first_value x) = 23 = bOUND_VARIABLE_1195 then 23 else 3|] Line 18: sec_val : basic_record -> int = [|epsilon x. (second_value x) = 69 /\ (first_value x) = 42 => 69; _ => if epsilon x. (second_value x) = 69 /\ (first_value x) = 3 = bOUND_VARIABLE_1195 then 69 else if epsilon x. (second_value x) = 69 /\ (first_value x) = 23 = bOUND_VARIABLE_1195 then 69 else if epsilon x. (second_value x) = 69 /\ (first_value x) = 23 = bOUND_VARIABLE_1195 then 69 else 5|] Line 23: i : int = -1 Line 27: result of call at line 27, characters 13-81 : basic_record = epsilon x. (second_value x) = 69 /\ (first_value x) = 3 result of call at line 27, characters 21-30 : bool = true result of call at line 27, characters 21-25 : basic_record = epsilon x. (second_value x) = 5 /\ (first_value x) = 3 result of call at line 27, characters 45-61 : int = 3 result of call at line 27, characters 45-49 : basic_record = epsilon x. (second_value x) = 5 /\ (first_value x) = 3 Line 28: result of call at line 28, characters 13-82 : basic_record = epsilon x. (second_value x) = 69 /\ (first_value x) = 42 result of call at line 28, characters 21-30 : bool = true result of call at line 28, characters 21-25 : basic_record = epsilon x. (second_value x) = 69 /\ (first_value x) = 3 result of call at line 28, characters 64-81 : int = 69 result of call at line 28, characters 64-68 : basic_record = epsilon x. (second_value x) = 69 /\ (first_value x) = 3 Line 29: result of call at line 29, characters 13-82 : basic_record = epsilon x. (second_value x) = 69 /\ (first_value x) = 23 result of call at line 29, characters 21-30 : bool = true result of call at line 29, characters 21-25 : basic_record = epsilon x. (second_value x) = 69 /\ (first_value x) = 42 result of call at line 29, characters 64-81 : int = 69 result of call at line 29, characters 64-68 : basic_record = epsilon x. (second_value x) = 69 /\ (first_value x) = 42 Line 30: i : int = -1 Categorizations of models: - Checked model 0: INCOMPLETE - Concrete RAC: INCOMPLETE (terminated because Precondition of `var_overwrite` cannot be evaluated) - Abstract RAC: INCOMPLETE (terminated because Precondition of `var_overwrite` cannot be evaluated) - Selected model 1: INCOMPLETE - Concrete RAC: INCOMPLETE (terminated because Precondition of `var_overwrite` cannot be evaluated) - Abstract RAC: INCOMPLETE (terminated because Precondition of `var_overwrite` cannot be evaluated) - Checked model 2: INCOMPLETE - Concrete RAC: INCOMPLETE (terminated because Precondition of `var_overwrite` cannot be evaluated) - Abstract RAC: INCOMPLETE (terminated because Precondition of `var_overwrite` cannot be evaluated) File "bench/check-ce/array_records_poly.mlw", line 30, characters 41-45: Sub-goal Index in array bounds of goal var_overwrite'vc. Prover result is: Unknown or time/memory/step limit. The following counterexample model could not be verified (both RAC terminated because Precondition of `var_overwrite` cannot be evaluated): File array.mlw: Line 17: length : ty -> uni -> int = fun bOUND_VARIABLE_979 bOUND_VARIABLE_980 -> 0 length : array basic_record -> int = [|_ => 0|] File array_records_poly.mlw: Line 17: first_val : basic_record -> int = [|epsilon x. (second_value x) = 69 /\ (first_value x) = 42 => 42; _ => if epsilon x. (second_value x) = 69 /\ (first_value x) = 23 = bOUND_VARIABLE_1209 then 23 else if epsilon x. (second_value x) = 69 /\ (first_value x) = 23 = bOUND_VARIABLE_1209 then 23 else 3|] Line 18: sec_val : basic_record -> int = [|epsilon x. (second_value x) = 69 /\ (first_value x) = 42 => 69; _ => if epsilon x. (second_value x) = 69 /\ (first_value x) = 3 = bOUND_VARIABLE_1209 then 69 else if epsilon x. (second_value x) = 69 /\ (first_value x) = 23 = bOUND_VARIABLE_1209 then 69 else if epsilon x. (second_value x) = 69 /\ (first_value x) = 23 = bOUND_VARIABLE_1209 then 69 else 5|] Line 23: i : int = -1 Line 27: result of call at line 27, characters 13-81 : basic_record = epsilon x. (second_value x) = 69 /\ (first_value x) = 3 result of call at line 27, characters 21-30 : bool = true result of call at line 27, characters 21-25 : basic_record = epsilon x. (second_value x) = 5 /\ (first_value x) = 3 result of call at line 27, characters 45-61 : int = 3 result of call at line 27, characters 45-49 : basic_record = epsilon x. (second_value x) = 5 /\ (first_value x) = 3 Line 28: result of call at line 28, characters 13-82 : basic_record = epsilon x. (second_value x) = 69 /\ (first_value x) = 42 result of call at line 28, characters 21-30 : bool = true result of call at line 28, characters 21-25 : basic_record = epsilon x. (second_value x) = 69 /\ (first_value x) = 3 result of call at line 28, characters 64-81 : int = 69 result of call at line 28, characters 64-68 : basic_record = epsilon x. (second_value x) = 69 /\ (first_value x) = 3 Line 29: result of call at line 29, characters 13-82 : basic_record = epsilon x. (second_value x) = 69 /\ (first_value x) = 23 result of call at line 29, characters 21-30 : bool = true result of call at line 29, characters 21-25 : basic_record = epsilon x. (second_value x) = 69 /\ (first_value x) = 42 result of call at line 29, characters 64-81 : int = 69 result of call at line 29, characters 64-68 : basic_record = epsilon x. (second_value x) = 69 /\ (first_value x) = 42 Line 30: i : int = -1 result of call at line 30, characters 74-91 : int = 69 result of call at line 30, characters 74-78 : basic_record = epsilon x. (second_value x) = 69 /\ (first_value x) = 23 Categorizations of models: - Checked model 0: INCOMPLETE - Concrete RAC: INCOMPLETE (terminated because Precondition of `var_overwrite` cannot be evaluated) - Abstract RAC: INCOMPLETE (terminated because Precondition of `var_overwrite` cannot be evaluated) - Selected model 1: INCOMPLETE - Concrete RAC: INCOMPLETE (terminated because Precondition of `var_overwrite` cannot be evaluated) - Abstract RAC: INCOMPLETE (terminated because Precondition of `var_overwrite` cannot be evaluated) - Checked model 2: INCOMPLETE - Concrete RAC: INCOMPLETE (terminated because Precondition of `var_overwrite` cannot be evaluated) - Abstract RAC: INCOMPLETE (terminated because Precondition of `var_overwrite` cannot be evaluated) File "bench/check-ce/array_records_poly.mlw", line 30, characters 5-92: Sub-goal Index in array bounds of goal var_overwrite'vc. Prover result is: Unknown or time/memory/step limit. The following counterexample model could not be verified (both RAC terminated because Precondition of `var_overwrite` cannot be evaluated): File array.mlw: Line 17: length : ty -> uni -> int = fun bOUND_VARIABLE_998 bOUND_VARIABLE_999 -> 0 length : array basic_record -> int = [|_ => 0|] File array_records_poly.mlw: Line 17: first_val : basic_record -> int = [|epsilon x. (second_value x) = 69 /\ (first_value x) = 42 => 42; _ => if epsilon x. (second_value x) = 69 /\ (first_value x) = 23 = bOUND_VARIABLE_1228 then 23 else if epsilon x. (second_value x) = 69 /\ (first_value x) = 23 = bOUND_VARIABLE_1228 then 23 else 3|] Line 18: sec_val : basic_record -> int = [|epsilon x. (second_value x) = 69 /\ (first_value x) = 42 => 69; _ => if epsilon x. (second_value x) = 69 /\ (first_value x) = 3 = bOUND_VARIABLE_1228 then 69 else if epsilon x. (second_value x) = 69 /\ (first_value x) = 23 = bOUND_VARIABLE_1228 then 69 else if epsilon x. (second_value x) = 69 /\ (first_value x) = 23 = bOUND_VARIABLE_1228 then 69 else 5|] Line 23: i : int = -1 Line 27: result of call at line 27, characters 13-81 : basic_record = epsilon x. (second_value x) = 69 /\ (first_value x) = 3 result of call at line 27, characters 21-30 : bool = true result of call at line 27, characters 21-25 : basic_record = epsilon x. (second_value x) = 5 /\ (first_value x) = 3 result of call at line 27, characters 45-61 : int = 3 result of call at line 27, characters 45-49 : basic_record = epsilon x. (second_value x) = 5 /\ (first_value x) = 3 Line 28: result of call at line 28, characters 13-82 : basic_record = epsilon x. (second_value x) = 69 /\ (first_value x) = 42 result of call at line 28, characters 21-30 : bool = true result of call at line 28, characters 21-25 : basic_record = epsilon x. (second_value x) = 69 /\ (first_value x) = 3 result of call at line 28, characters 64-81 : int = 69 result of call at line 28, characters 64-68 : basic_record = epsilon x. (second_value x) = 69 /\ (first_value x) = 3 Line 29: result of call at line 29, characters 13-82 : basic_record = epsilon x. (second_value x) = 69 /\ (first_value x) = 23 result of call at line 29, characters 21-30 : bool = true result of call at line 29, characters 21-25 : basic_record = epsilon x. (second_value x) = 69 /\ (first_value x) = 42 result of call at line 29, characters 64-81 : int = 69 result of call at line 29, characters 64-68 : basic_record = epsilon x. (second_value x) = 69 /\ (first_value x) = 42 Line 30: i : int = -1 result of call at line 30, characters 13-92 : basic_record = epsilon x. (second_value x) = 69 /\ (first_value x) = 23 result of call at line 30, characters 41-57 : int = 23 result of call at line 30, characters 41-45 : basic_record = epsilon x. (second_value x) = 69 /\ (first_value x) = 23 result of call at line 30, characters 74-91 : int = 69 result of call at line 30, characters 74-78 : basic_record = epsilon x. (second_value x) = 69 /\ (first_value x) = 23 File "bench/check-ce/array_records_poly.mlw", line 31, characters 13-35: Sub-goal Assertion of goal var_overwrite'vc. Prover result is: Valid. Categorizations of models: - Checked model 0: INCOMPLETE - Concrete RAC: INCOMPLETE (terminated because Precondition of `var_overwrite` cannot be evaluated) - Abstract RAC: INCOMPLETE (terminated because Precondition of `var_overwrite` cannot be evaluated) - Selected model 1: INCOMPLETE - Concrete RAC: INCOMPLETE (terminated because Precondition of `var_overwrite` cannot be evaluated) - Abstract RAC: INCOMPLETE (terminated because Precondition of `var_overwrite` cannot be evaluated) File "bench/check-ce/array_records_poly.mlw", line 25, characters 15-36: Sub-goal Postcondition of goal var_overwrite'vc. Prover result is: Unknown or time/memory/step limit. The following counterexample model could not be verified (both RAC terminated because Precondition of `var_overwrite` cannot be evaluated): File array.mlw: Line 17: length : ty -> uni -> int = fun bOUND_VARIABLE_1128 bOUND_VARIABLE_1129 -> 0 length : array basic_record -> int = [|_ => 0|] File array_records_poly.mlw: Line 17: first_val : basic_record -> int = fun bOUND_VARIABLE_1403 -> if epsilon x. (second_value x) = 69 /\ (first_value x) = 23 = bOUND_VARIABLE_1403 then 23 else if epsilon x. (second_value x) = 69 /\ (first_value x) = 42 = bOUND_VARIABLE_1403 then 42 else if epsilon x. (second_value x) = 69 /\ (first_value x) = 23 = bOUND_VARIABLE_1403 then 23 else 3 Line 18: sec_val : basic_record -> int = fun bOUND_VARIABLE_1403 -> if epsilon x. (second_value x) = 69 /\ (first_value x) = 23 = bOUND_VARIABLE_1403 then 69 else if epsilon x. (second_value x) = 69 /\ (first_value x) = 42 = bOUND_VARIABLE_1403 then 69 else if epsilon x. (second_value x) = 69 /\ (first_value x) = 23 = bOUND_VARIABLE_1403 then 69 else if epsilon x. (second_value x) = 69 /\ (first_value x) = 3 = bOUND_VARIABLE_1403 then 69 else 5 Line 23: i : int = 0 Line 25: i : int = 0 Line 27: result of call at line 27, characters 13-81 : basic_record = epsilon x. (second_value x) = 69 /\ (first_value x) = 3 result of call at line 27, characters 21-30 : bool = true result of call at line 27, characters 21-25 : basic_record = epsilon x. (second_value x) = 5 /\ (first_value x) = 3 result of call at line 27, characters 45-61 : int = 3 result of call at line 27, characters 45-49 : basic_record = epsilon x. (second_value x) = 5 /\ (first_value x) = 3 Line 28: result of call at line 28, characters 13-82 : basic_record = epsilon x. (second_value x) = 69 /\ (first_value x) = 42 result of call at line 28, characters 21-30 : bool = true result of call at line 28, characters 21-25 : basic_record = epsilon x. (second_value x) = 69 /\ (first_value x) = 3 result of call at line 28, characters 64-81 : int = 69 result of call at line 28, characters 64-68 : basic_record = epsilon x. (second_value x) = 69 /\ (first_value x) = 3 Line 29: result of call at line 29, characters 13-82 : basic_record = epsilon x. (second_value x) = 69 /\ (first_value x) = 23 result of call at line 29, characters 21-30 : bool = true result of call at line 29, characters 21-25 : basic_record = epsilon x. (second_value x) = 69 /\ (first_value x) = 42 result of call at line 29, characters 64-81 : int = 69 result of call at line 29, characters 64-68 : basic_record = epsilon x. (second_value x) = 69 /\ (first_value x) = 42 Line 30: result of call at line 30, characters 13-92 : basic_record = epsilon x. (second_value x) = 69 /\ (first_value x) = 23 result of call at line 30, characters 41-57 : int = 23 result of call at line 30, characters 41-45 : basic_record = epsilon x. (second_value x) = 69 /\ (first_value x) = 23 result of call at line 30, characters 74-91 : int = 69 result of call at line 30, characters 74-78 : basic_record = epsilon x. (second_value x) = 69 /\ (first_value x) = 23 why3-1.6.0/bench/check-ce/oracles/array_records_poly_CVC5,1.0.0_SP.oracle000066400000000000000000000671401440160026300254710ustar00rootroot00000000000000Categorizations of models: - Checked model 0: INCOMPLETE - Concrete RAC: INCOMPLETE (terminated because Precondition of `var_overwrite` cannot be evaluated) - Abstract RAC: INCOMPLETE (terminated because Precondition of `var_overwrite` cannot be evaluated) - Selected model 1: INCOMPLETE - Concrete RAC: INCOMPLETE (terminated because Precondition of `var_overwrite` cannot be evaluated) - Abstract RAC: INCOMPLETE (terminated because Precondition of `var_overwrite` cannot be evaluated) File "bench/check-ce/array_records_poly.mlw", line 27, characters 45-49: Sub-goal Index in array bounds of goal var_overwrite'vc. Prover result is: Unknown or time/memory/step limit. The following counterexample model could not be verified (both RAC terminated because Precondition of `var_overwrite` cannot be evaluated): File array.mlw: Line 17: length : ty -> uni -> int = fun bOUND_VARIABLE_1883 bOUND_VARIABLE_1884 -> 0 length : array basic_record -> int = [|_ => 0|] Line 20: mixfix [] : array basic_record -> int -> basic_record = fun _arg_1 _arg_2 -> {flag = true; first_val = 3; sec_val = 5} File array_records_poly.mlw: Line 23: i : int = -1 Line 27: i : int = -1 Categorizations of models: - Checked model 0: INCOMPLETE - Concrete RAC: INCOMPLETE (terminated because Precondition of `var_overwrite` cannot be evaluated) - Abstract RAC: INCOMPLETE (terminated because Precondition of `var_overwrite` cannot be evaluated) - Selected model 1: INCOMPLETE - Concrete RAC: INCOMPLETE (terminated because Precondition of `var_overwrite` cannot be evaluated) - Abstract RAC: INCOMPLETE (terminated because Precondition of `var_overwrite` cannot be evaluated) File "bench/check-ce/array_records_poly.mlw", line 27, characters 21-25: Sub-goal Index in array bounds of goal var_overwrite'vc. Prover result is: Unknown or time/memory/step limit. The following counterexample model could not be verified (both RAC terminated because Precondition of `var_overwrite` cannot be evaluated): File array.mlw: Line 17: length : ty -> uni -> int = fun bOUND_VARIABLE_1904 bOUND_VARIABLE_1905 -> 0 length : array basic_record -> int = [|_ => 0|] Line 20: mixfix [] : array basic_record -> int -> basic_record = fun _arg_1 _arg_2 -> {flag = true; first_val = 3; sec_val = 5} File array_records_poly.mlw: Line 23: i : int = -1 Line 27: i : int = -1 result of call at line 27, characters 45-61 : int = 3 result of call at line 27, characters 45-49 : basic_record = {flag = true; first_val = 3; sec_val = 5} Categorizations of models: - Checked model 0: INCOMPLETE - Concrete RAC: INCOMPLETE (terminated because Precondition of `var_overwrite` cannot be evaluated) - Abstract RAC: INCOMPLETE (terminated because Precondition of `var_overwrite` cannot be evaluated) - Selected model 1: INCOMPLETE - Concrete RAC: INCOMPLETE (terminated because Precondition of `var_overwrite` cannot be evaluated) - Abstract RAC: INCOMPLETE (terminated because Precondition of `var_overwrite` cannot be evaluated) File "bench/check-ce/array_records_poly.mlw", line 27, characters 5-81: Sub-goal Index in array bounds of goal var_overwrite'vc. Prover result is: Unknown or time/memory/step limit. The following counterexample model could not be verified (both RAC terminated because Precondition of `var_overwrite` cannot be evaluated): File array.mlw: Line 17: length : ty -> uni -> int = fun bOUND_VARIABLE_1936 bOUND_VARIABLE_1937 -> 0 length : array basic_record -> int = [|_ => 0|] Line 20: mixfix [] : array basic_record -> int -> basic_record = fun _arg_1 _arg_2 -> {flag = true; first_val = 3; sec_val = 5} File array_records_poly.mlw: Line 23: i : int = -1 Line 27: i : int = -1 result of call at line 27, characters 13-81 : basic_record = {flag = true; first_val = 3; sec_val = 69} result of call at line 27, characters 21-30 : bool = true result of call at line 27, characters 21-25 : basic_record = {flag = true; first_val = 3; sec_val = 5} result of call at line 27, characters 45-61 : int = 3 result of call at line 27, characters 45-49 : basic_record = {flag = true; first_val = 3; sec_val = 5} Categorizations of models: - Checked model 0: INCOMPLETE - Concrete RAC: INCOMPLETE (terminated because Precondition of `var_overwrite` cannot be evaluated) - Abstract RAC: INCOMPLETE (terminated because Precondition of `var_overwrite` cannot be evaluated) - Selected model 1: INCOMPLETE - Concrete RAC: INCOMPLETE (terminated because Precondition of `var_overwrite` cannot be evaluated) - Abstract RAC: INCOMPLETE (terminated because Precondition of `var_overwrite` cannot be evaluated) File "bench/check-ce/array_records_poly.mlw", line 28, characters 64-68: Sub-goal Index in array bounds of goal var_overwrite'vc. Prover result is: Unknown or time/memory/step limit. The following counterexample model could not be verified (both RAC terminated because Precondition of `var_overwrite` cannot be evaluated): File array.mlw: Line 17: length : ty -> uni -> int = fun bOUND_VARIABLE_2063 bOUND_VARIABLE_2064 -> 0 length : array basic_record -> int = [|_ => 0|] File array_records_poly.mlw: Line 23: i : int = -1 Line 27: result of call at line 27, characters 13-81 : basic_record = {flag = true; first_val = 3; sec_val = 69} result of call at line 27, characters 21-30 : bool = true result of call at line 27, characters 21-25 : basic_record = {flag = true; first_val = 3; sec_val = 5} result of call at line 27, characters 45-61 : int = 3 result of call at line 27, characters 45-49 : basic_record = {flag = true; first_val = 3; sec_val = 5} Line 28: i : int = -1 Categorizations of models: - Checked model 0: INCOMPLETE - Concrete RAC: INCOMPLETE (terminated because Precondition of `var_overwrite` cannot be evaluated) - Abstract RAC: INCOMPLETE (terminated because Precondition of `var_overwrite` cannot be evaluated) - Selected model 1: INCOMPLETE - Concrete RAC: INCOMPLETE (terminated because Precondition of `var_overwrite` cannot be evaluated) - Abstract RAC: INCOMPLETE (terminated because Precondition of `var_overwrite` cannot be evaluated) File "bench/check-ce/array_records_poly.mlw", line 28, characters 21-25: Sub-goal Index in array bounds of goal var_overwrite'vc. Prover result is: Unknown or time/memory/step limit. The following counterexample model could not be verified (both RAC terminated because Precondition of `var_overwrite` cannot be evaluated): File array.mlw: Line 17: length : ty -> uni -> int = fun bOUND_VARIABLE_2081 bOUND_VARIABLE_2082 -> 0 length : array basic_record -> int = [|_ => 0|] File array_records_poly.mlw: Line 23: i : int = -1 Line 27: result of call at line 27, characters 13-81 : basic_record = {flag = true; first_val = 3; sec_val = 69} result of call at line 27, characters 21-30 : bool = true result of call at line 27, characters 21-25 : basic_record = {flag = true; first_val = 3; sec_val = 5} result of call at line 27, characters 45-61 : int = 3 result of call at line 27, characters 45-49 : basic_record = {flag = true; first_val = 3; sec_val = 5} Line 28: i : int = -1 result of call at line 28, characters 64-81 : int = 69 result of call at line 28, characters 64-68 : basic_record = {flag = true; first_val = 3; sec_val = 69} Categorizations of models: - Checked model 0: INCOMPLETE - Concrete RAC: INCOMPLETE (terminated because Precondition of `var_overwrite` cannot be evaluated) - Abstract RAC: INCOMPLETE (terminated because Precondition of `var_overwrite` cannot be evaluated) - Selected model 1: INCOMPLETE - Concrete RAC: INCOMPLETE (terminated because Precondition of `var_overwrite` cannot be evaluated) - Abstract RAC: INCOMPLETE (terminated because Precondition of `var_overwrite` cannot be evaluated) File "bench/check-ce/array_records_poly.mlw", line 28, characters 5-82: Sub-goal Index in array bounds of goal var_overwrite'vc. Prover result is: Unknown or time/memory/step limit. The following counterexample model could not be verified (both RAC terminated because Precondition of `var_overwrite` cannot be evaluated): File array.mlw: Line 17: length : ty -> uni -> int = fun bOUND_VARIABLE_2109 bOUND_VARIABLE_2110 -> 0 length : array basic_record -> int = [|_ => 0|] File array_records_poly.mlw: Line 23: i : int = -1 Line 27: result of call at line 27, characters 13-81 : basic_record = {flag = true; first_val = 3; sec_val = 69} result of call at line 27, characters 21-30 : bool = true result of call at line 27, characters 21-25 : basic_record = {flag = true; first_val = 3; sec_val = 5} result of call at line 27, characters 45-61 : int = 3 result of call at line 27, characters 45-49 : basic_record = {flag = true; first_val = 3; sec_val = 5} Line 28: i : int = -1 result of call at line 28, characters 13-82 : basic_record = {flag = true; first_val = 42; sec_val = 69} result of call at line 28, characters 21-30 : bool = true result of call at line 28, characters 21-25 : basic_record = {flag = true; first_val = 3; sec_val = 69} result of call at line 28, characters 64-81 : int = 69 result of call at line 28, characters 64-68 : basic_record = {flag = true; first_val = 3; sec_val = 69} Categorizations of models: - Checked model 0: INCOMPLETE - Concrete RAC: INCOMPLETE (terminated because Precondition of `var_overwrite` cannot be evaluated) - Abstract RAC: INCOMPLETE (terminated because Precondition of `var_overwrite` cannot be evaluated) - Selected model 1: INCOMPLETE - Concrete RAC: INCOMPLETE (terminated because Precondition of `var_overwrite` cannot be evaluated) - Abstract RAC: INCOMPLETE (terminated because Precondition of `var_overwrite` cannot be evaluated) File "bench/check-ce/array_records_poly.mlw", line 29, characters 64-68: Sub-goal Index in array bounds of goal var_overwrite'vc. Prover result is: Unknown or time/memory/step limit. The following counterexample model could not be verified (both RAC terminated because Precondition of `var_overwrite` cannot be evaluated): File array.mlw: Line 17: length : ty -> uni -> int = fun bOUND_VARIABLE_2540 bOUND_VARIABLE_2541 -> 0 length : array basic_record -> int = [|_ => 0|] File array_records_poly.mlw: Line 23: i : int = -1 Line 27: result of call at line 27, characters 13-81 : basic_record = {flag = true; first_val = 3; sec_val = 69} result of call at line 27, characters 21-30 : bool = true result of call at line 27, characters 21-25 : basic_record = {flag = true; first_val = 3; sec_val = 5} result of call at line 27, characters 45-61 : int = 3 result of call at line 27, characters 45-49 : basic_record = {flag = true; first_val = 3; sec_val = 5} Line 28: result of call at line 28, characters 13-82 : basic_record = {flag = true; first_val = 42; sec_val = 69} result of call at line 28, characters 21-30 : bool = true result of call at line 28, characters 21-25 : basic_record = {flag = true; first_val = 3; sec_val = 69} result of call at line 28, characters 64-81 : int = 69 result of call at line 28, characters 64-68 : basic_record = {flag = true; first_val = 3; sec_val = 69} Line 29: i : int = -1 Categorizations of models: - Checked model 0: INCOMPLETE - Concrete RAC: INCOMPLETE (terminated because Precondition of `var_overwrite` cannot be evaluated) - Abstract RAC: INCOMPLETE (terminated because Precondition of `var_overwrite` cannot be evaluated) - Selected model 1: INCOMPLETE - Concrete RAC: INCOMPLETE (terminated because Precondition of `var_overwrite` cannot be evaluated) - Abstract RAC: INCOMPLETE (terminated because Precondition of `var_overwrite` cannot be evaluated) File "bench/check-ce/array_records_poly.mlw", line 29, characters 21-25: Sub-goal Index in array bounds of goal var_overwrite'vc. Prover result is: Unknown or time/memory/step limit. The following counterexample model could not be verified (both RAC terminated because Precondition of `var_overwrite` cannot be evaluated): File array.mlw: Line 17: length : ty -> uni -> int = fun bOUND_VARIABLE_2560 bOUND_VARIABLE_2561 -> 0 length : array basic_record -> int = [|_ => 0|] File array_records_poly.mlw: Line 23: i : int = -1 Line 27: result of call at line 27, characters 13-81 : basic_record = {flag = true; first_val = 3; sec_val = 69} result of call at line 27, characters 21-30 : bool = true result of call at line 27, characters 21-25 : basic_record = {flag = true; first_val = 3; sec_val = 5} result of call at line 27, characters 45-61 : int = 3 result of call at line 27, characters 45-49 : basic_record = {flag = true; first_val = 3; sec_val = 5} Line 28: result of call at line 28, characters 13-82 : basic_record = {flag = true; first_val = 42; sec_val = 69} result of call at line 28, characters 21-30 : bool = true result of call at line 28, characters 21-25 : basic_record = {flag = true; first_val = 3; sec_val = 69} result of call at line 28, characters 64-81 : int = 69 result of call at line 28, characters 64-68 : basic_record = {flag = true; first_val = 3; sec_val = 69} Line 29: i : int = -1 result of call at line 29, characters 64-81 : int = 69 result of call at line 29, characters 64-68 : basic_record = {flag = true; first_val = 42; sec_val = 69} Categorizations of models: - Checked model 0: INCOMPLETE - Concrete RAC: INCOMPLETE (terminated because Precondition of `var_overwrite` cannot be evaluated) - Abstract RAC: INCOMPLETE (terminated because Precondition of `var_overwrite` cannot be evaluated) - Selected model 1: INCOMPLETE - Concrete RAC: INCOMPLETE (terminated because Precondition of `var_overwrite` cannot be evaluated) - Abstract RAC: INCOMPLETE (terminated because Precondition of `var_overwrite` cannot be evaluated) File "bench/check-ce/array_records_poly.mlw", line 29, characters 5-82: Sub-goal Index in array bounds of goal var_overwrite'vc. Prover result is: Unknown or time/memory/step limit. The following counterexample model could not be verified (both RAC terminated because Precondition of `var_overwrite` cannot be evaluated): File array.mlw: Line 17: length : ty -> uni -> int = fun bOUND_VARIABLE_2588 bOUND_VARIABLE_2589 -> 0 length : array basic_record -> int = [|_ => 0|] File array_records_poly.mlw: Line 23: i : int = -1 Line 27: result of call at line 27, characters 13-81 : basic_record = {flag = true; first_val = 3; sec_val = 69} result of call at line 27, characters 21-30 : bool = true result of call at line 27, characters 21-25 : basic_record = {flag = true; first_val = 3; sec_val = 5} result of call at line 27, characters 45-61 : int = 3 result of call at line 27, characters 45-49 : basic_record = {flag = true; first_val = 3; sec_val = 5} Line 28: result of call at line 28, characters 13-82 : basic_record = {flag = true; first_val = 42; sec_val = 69} result of call at line 28, characters 21-30 : bool = true result of call at line 28, characters 21-25 : basic_record = {flag = true; first_val = 3; sec_val = 69} result of call at line 28, characters 64-81 : int = 69 result of call at line 28, characters 64-68 : basic_record = {flag = true; first_val = 3; sec_val = 69} Line 29: i : int = -1 result of call at line 29, characters 13-82 : basic_record = {flag = true; first_val = 23; sec_val = 69} result of call at line 29, characters 21-30 : bool = true result of call at line 29, characters 21-25 : basic_record = {flag = true; first_val = 42; sec_val = 69} result of call at line 29, characters 64-81 : int = 69 result of call at line 29, characters 64-68 : basic_record = {flag = true; first_val = 42; sec_val = 69} Categorizations of models: - Checked model 0: INCOMPLETE - Concrete RAC: INCOMPLETE (terminated because Precondition of `var_overwrite` cannot be evaluated) - Abstract RAC: INCOMPLETE (terminated because Precondition of `var_overwrite` cannot be evaluated) - Selected model 1: INCOMPLETE - Concrete RAC: INCOMPLETE (terminated because Precondition of `var_overwrite` cannot be evaluated) - Abstract RAC: INCOMPLETE (terminated because Precondition of `var_overwrite` cannot be evaluated) File "bench/check-ce/array_records_poly.mlw", line 30, characters 74-78: Sub-goal Index in array bounds of goal var_overwrite'vc. Prover result is: Unknown or time/memory/step limit. The following counterexample model could not be verified (both RAC terminated because Precondition of `var_overwrite` cannot be evaluated): File array.mlw: Line 17: length : ty -> uni -> int = fun bOUND_VARIABLE_3159 bOUND_VARIABLE_3160 -> 0 length : array basic_record -> int = [|_ => 0|] File array_records_poly.mlw: Line 23: i : int = -1 Line 27: result of call at line 27, characters 13-81 : basic_record = {flag = true; first_val = 3; sec_val = 69} result of call at line 27, characters 21-30 : bool = true result of call at line 27, characters 21-25 : basic_record = {flag = true; first_val = 3; sec_val = 5} result of call at line 27, characters 45-61 : int = 3 result of call at line 27, characters 45-49 : basic_record = {flag = true; first_val = 3; sec_val = 5} Line 28: result of call at line 28, characters 13-82 : basic_record = {flag = true; first_val = 42; sec_val = 69} result of call at line 28, characters 21-30 : bool = true result of call at line 28, characters 21-25 : basic_record = {flag = true; first_val = 3; sec_val = 69} result of call at line 28, characters 64-81 : int = 69 result of call at line 28, characters 64-68 : basic_record = {flag = true; first_val = 3; sec_val = 69} Line 29: result of call at line 29, characters 13-82 : basic_record = {flag = true; first_val = 23; sec_val = 69} result of call at line 29, characters 21-30 : bool = true result of call at line 29, characters 21-25 : basic_record = {flag = true; first_val = 42; sec_val = 69} result of call at line 29, characters 64-81 : int = 69 result of call at line 29, characters 64-68 : basic_record = {flag = true; first_val = 42; sec_val = 69} Line 30: i : int = -1 Categorizations of models: - Checked model 0: INCOMPLETE - Concrete RAC: INCOMPLETE (terminated because Precondition of `var_overwrite` cannot be evaluated) - Abstract RAC: INCOMPLETE (terminated because Precondition of `var_overwrite` cannot be evaluated) - Selected model 1: INCOMPLETE - Concrete RAC: INCOMPLETE (terminated because Precondition of `var_overwrite` cannot be evaluated) - Abstract RAC: INCOMPLETE (terminated because Precondition of `var_overwrite` cannot be evaluated) File "bench/check-ce/array_records_poly.mlw", line 30, characters 41-45: Sub-goal Index in array bounds of goal var_overwrite'vc. Prover result is: Unknown or time/memory/step limit. The following counterexample model could not be verified (both RAC terminated because Precondition of `var_overwrite` cannot be evaluated): File array.mlw: Line 17: length : ty -> uni -> int = fun bOUND_VARIABLE_3181 bOUND_VARIABLE_3182 -> 0 length : array basic_record -> int = [|_ => 0|] File array_records_poly.mlw: Line 23: i : int = -1 Line 27: result of call at line 27, characters 13-81 : basic_record = {flag = true; first_val = 3; sec_val = 69} result of call at line 27, characters 21-30 : bool = true result of call at line 27, characters 21-25 : basic_record = {flag = true; first_val = 3; sec_val = 5} result of call at line 27, characters 45-61 : int = 3 result of call at line 27, characters 45-49 : basic_record = {flag = true; first_val = 3; sec_val = 5} Line 28: result of call at line 28, characters 13-82 : basic_record = {flag = true; first_val = 42; sec_val = 69} result of call at line 28, characters 21-30 : bool = true result of call at line 28, characters 21-25 : basic_record = {flag = true; first_val = 3; sec_val = 69} result of call at line 28, characters 64-81 : int = 69 result of call at line 28, characters 64-68 : basic_record = {flag = true; first_val = 3; sec_val = 69} Line 29: result of call at line 29, characters 13-82 : basic_record = {flag = true; first_val = 23; sec_val = 69} result of call at line 29, characters 21-30 : bool = true result of call at line 29, characters 21-25 : basic_record = {flag = true; first_val = 42; sec_val = 69} result of call at line 29, characters 64-81 : int = 69 result of call at line 29, characters 64-68 : basic_record = {flag = true; first_val = 42; sec_val = 69} Line 30: i : int = -1 result of call at line 30, characters 74-91 : int = 69 result of call at line 30, characters 74-78 : basic_record = {flag = true; first_val = 23; sec_val = 69} Categorizations of models: - Checked model 0: INCOMPLETE - Concrete RAC: INCOMPLETE (terminated because Precondition of `var_overwrite` cannot be evaluated) - Abstract RAC: INCOMPLETE (terminated because Precondition of `var_overwrite` cannot be evaluated) - Selected model 1: INCOMPLETE - Concrete RAC: INCOMPLETE (terminated because Precondition of `var_overwrite` cannot be evaluated) - Abstract RAC: INCOMPLETE (terminated because Precondition of `var_overwrite` cannot be evaluated) File "bench/check-ce/array_records_poly.mlw", line 30, characters 5-92: Sub-goal Index in array bounds of goal var_overwrite'vc. Prover result is: Unknown or time/memory/step limit. The following counterexample model could not be verified (both RAC terminated because Precondition of `var_overwrite` cannot be evaluated): File array.mlw: Line 17: length : ty -> uni -> int = fun bOUND_VARIABLE_3209 bOUND_VARIABLE_3210 -> 0 length : array basic_record -> int = [|_ => 0|] File array_records_poly.mlw: Line 23: i : int = -1 Line 27: result of call at line 27, characters 13-81 : basic_record = {flag = true; first_val = 3; sec_val = 69} result of call at line 27, characters 21-30 : bool = true result of call at line 27, characters 21-25 : basic_record = {flag = true; first_val = 3; sec_val = 5} result of call at line 27, characters 45-61 : int = 3 result of call at line 27, characters 45-49 : basic_record = {flag = true; first_val = 3; sec_val = 5} Line 28: result of call at line 28, characters 13-82 : basic_record = {flag = true; first_val = 42; sec_val = 69} result of call at line 28, characters 21-30 : bool = true result of call at line 28, characters 21-25 : basic_record = {flag = true; first_val = 3; sec_val = 69} result of call at line 28, characters 64-81 : int = 69 result of call at line 28, characters 64-68 : basic_record = {flag = true; first_val = 3; sec_val = 69} Line 29: result of call at line 29, characters 13-82 : basic_record = {flag = true; first_val = 23; sec_val = 69} result of call at line 29, characters 21-30 : bool = true result of call at line 29, characters 21-25 : basic_record = {flag = true; first_val = 42; sec_val = 69} result of call at line 29, characters 64-81 : int = 69 result of call at line 29, characters 64-68 : basic_record = {flag = true; first_val = 42; sec_val = 69} Line 30: i : int = -1 result of call at line 30, characters 13-92 : basic_record = {flag = false; first_val = 23; sec_val = 69} result of call at line 30, characters 41-57 : int = 23 result of call at line 30, characters 41-45 : basic_record = {flag = true; first_val = 23; sec_val = 69} result of call at line 30, characters 74-91 : int = 69 result of call at line 30, characters 74-78 : basic_record = {flag = true; first_val = 23; sec_val = 69} File "bench/check-ce/array_records_poly.mlw", line 31, characters 13-35: Sub-goal Assertion of goal var_overwrite'vc. Prover result is: Valid. Categorizations of models: - Checked model 0: INCOMPLETE - Concrete RAC: INCOMPLETE (terminated because Precondition of `var_overwrite` cannot be evaluated) - Abstract RAC: INCOMPLETE (terminated because Precondition of `var_overwrite` cannot be evaluated) - Selected model 1: INCOMPLETE - Concrete RAC: INCOMPLETE (terminated because Precondition of `var_overwrite` cannot be evaluated) - Abstract RAC: INCOMPLETE (terminated because Precondition of `var_overwrite` cannot be evaluated) File "bench/check-ce/array_records_poly.mlw", line 25, characters 15-36: Sub-goal Postcondition of goal var_overwrite'vc. Prover result is: Unknown or time/memory/step limit. The following counterexample model could not be verified (both RAC terminated because Precondition of `var_overwrite` cannot be evaluated): File array.mlw: Line 17: length : ty -> uni -> int = fun bOUND_VARIABLE_3969 bOUND_VARIABLE_3970 -> 0 length : array basic_record -> int = [|_ => 0|] File array_records_poly.mlw: Line 23: i : int = 0 Line 25: i : int = 0 Line 27: result of call at line 27, characters 13-81 : basic_record = {flag = true; first_val = 3; sec_val = 69} result of call at line 27, characters 21-30 : bool = true result of call at line 27, characters 21-25 : basic_record = {flag = true; first_val = 3; sec_val = 5} result of call at line 27, characters 45-61 : int = 3 result of call at line 27, characters 45-49 : basic_record = {flag = true; first_val = 3; sec_val = 5} Line 28: result of call at line 28, characters 13-82 : basic_record = {flag = true; first_val = 42; sec_val = 69} result of call at line 28, characters 21-30 : bool = true result of call at line 28, characters 21-25 : basic_record = {flag = true; first_val = 3; sec_val = 69} result of call at line 28, characters 64-81 : int = 69 result of call at line 28, characters 64-68 : basic_record = {flag = true; first_val = 3; sec_val = 69} Line 29: result of call at line 29, characters 13-82 : basic_record = {flag = true; first_val = 23; sec_val = 69} result of call at line 29, characters 21-30 : bool = true result of call at line 29, characters 21-25 : basic_record = {flag = true; first_val = 42; sec_val = 69} result of call at line 29, characters 64-81 : int = 69 result of call at line 29, characters 64-68 : basic_record = {flag = true; first_val = 42; sec_val = 69} Line 30: result of call at line 30, characters 13-92 : basic_record = {flag = false; first_val = 23; sec_val = 69} result of call at line 30, characters 41-57 : int = 23 result of call at line 30, characters 41-45 : basic_record = {flag = true; first_val = 23; sec_val = 69} result of call at line 30, characters 74-91 : int = 69 result of call at line 30, characters 74-78 : basic_record = {flag = true; first_val = 23; sec_val = 69} why3-1.6.0/bench/check-ce/oracles/array_records_poly_CVC5,1.0.0_WP.oracle000066400000000000000000000671401440160026300254750ustar00rootroot00000000000000Categorizations of models: - Checked model 0: INCOMPLETE - Concrete RAC: INCOMPLETE (terminated because Precondition of `var_overwrite` cannot be evaluated) - Abstract RAC: INCOMPLETE (terminated because Precondition of `var_overwrite` cannot be evaluated) - Selected model 1: INCOMPLETE - Concrete RAC: INCOMPLETE (terminated because Precondition of `var_overwrite` cannot be evaluated) - Abstract RAC: INCOMPLETE (terminated because Precondition of `var_overwrite` cannot be evaluated) File "bench/check-ce/array_records_poly.mlw", line 27, characters 45-49: Sub-goal Index in array bounds of goal var_overwrite'vc. Prover result is: Unknown or time/memory/step limit. The following counterexample model could not be verified (both RAC terminated because Precondition of `var_overwrite` cannot be evaluated): File array.mlw: Line 17: length : ty -> uni -> int = fun bOUND_VARIABLE_1883 bOUND_VARIABLE_1884 -> 0 length : array basic_record -> int = [|_ => 0|] Line 20: mixfix [] : array basic_record -> int -> basic_record = fun _arg_1 _arg_2 -> {flag = true; first_val = 3; sec_val = 5} File array_records_poly.mlw: Line 23: i : int = -1 Line 27: i : int = -1 Categorizations of models: - Checked model 0: INCOMPLETE - Concrete RAC: INCOMPLETE (terminated because Precondition of `var_overwrite` cannot be evaluated) - Abstract RAC: INCOMPLETE (terminated because Precondition of `var_overwrite` cannot be evaluated) - Selected model 1: INCOMPLETE - Concrete RAC: INCOMPLETE (terminated because Precondition of `var_overwrite` cannot be evaluated) - Abstract RAC: INCOMPLETE (terminated because Precondition of `var_overwrite` cannot be evaluated) File "bench/check-ce/array_records_poly.mlw", line 27, characters 21-25: Sub-goal Index in array bounds of goal var_overwrite'vc. Prover result is: Unknown or time/memory/step limit. The following counterexample model could not be verified (both RAC terminated because Precondition of `var_overwrite` cannot be evaluated): File array.mlw: Line 17: length : ty -> uni -> int = fun bOUND_VARIABLE_1904 bOUND_VARIABLE_1905 -> 0 length : array basic_record -> int = [|_ => 0|] Line 20: mixfix [] : array basic_record -> int -> basic_record = fun _arg_1 _arg_2 -> {flag = true; first_val = 3; sec_val = 5} File array_records_poly.mlw: Line 23: i : int = -1 Line 27: i : int = -1 result of call at line 27, characters 45-61 : int = 3 result of call at line 27, characters 45-49 : basic_record = {flag = true; first_val = 3; sec_val = 5} Categorizations of models: - Checked model 0: INCOMPLETE - Concrete RAC: INCOMPLETE (terminated because Precondition of `var_overwrite` cannot be evaluated) - Abstract RAC: INCOMPLETE (terminated because Precondition of `var_overwrite` cannot be evaluated) - Selected model 1: INCOMPLETE - Concrete RAC: INCOMPLETE (terminated because Precondition of `var_overwrite` cannot be evaluated) - Abstract RAC: INCOMPLETE (terminated because Precondition of `var_overwrite` cannot be evaluated) File "bench/check-ce/array_records_poly.mlw", line 27, characters 5-81: Sub-goal Index in array bounds of goal var_overwrite'vc. Prover result is: Unknown or time/memory/step limit. The following counterexample model could not be verified (both RAC terminated because Precondition of `var_overwrite` cannot be evaluated): File array.mlw: Line 17: length : ty -> uni -> int = fun bOUND_VARIABLE_1936 bOUND_VARIABLE_1937 -> 0 length : array basic_record -> int = [|_ => 0|] Line 20: mixfix [] : array basic_record -> int -> basic_record = fun _arg_1 _arg_2 -> {flag = true; first_val = 3; sec_val = 5} File array_records_poly.mlw: Line 23: i : int = -1 Line 27: i : int = -1 result of call at line 27, characters 13-81 : basic_record = {flag = true; first_val = 3; sec_val = 69} result of call at line 27, characters 21-30 : bool = true result of call at line 27, characters 21-25 : basic_record = {flag = true; first_val = 3; sec_val = 5} result of call at line 27, characters 45-61 : int = 3 result of call at line 27, characters 45-49 : basic_record = {flag = true; first_val = 3; sec_val = 5} Categorizations of models: - Checked model 0: INCOMPLETE - Concrete RAC: INCOMPLETE (terminated because Precondition of `var_overwrite` cannot be evaluated) - Abstract RAC: INCOMPLETE (terminated because Precondition of `var_overwrite` cannot be evaluated) - Selected model 1: INCOMPLETE - Concrete RAC: INCOMPLETE (terminated because Precondition of `var_overwrite` cannot be evaluated) - Abstract RAC: INCOMPLETE (terminated because Precondition of `var_overwrite` cannot be evaluated) File "bench/check-ce/array_records_poly.mlw", line 28, characters 64-68: Sub-goal Index in array bounds of goal var_overwrite'vc. Prover result is: Unknown or time/memory/step limit. The following counterexample model could not be verified (both RAC terminated because Precondition of `var_overwrite` cannot be evaluated): File array.mlw: Line 17: length : ty -> uni -> int = fun bOUND_VARIABLE_2063 bOUND_VARIABLE_2064 -> 0 length : array basic_record -> int = [|_ => 0|] File array_records_poly.mlw: Line 23: i : int = -1 Line 27: result of call at line 27, characters 13-81 : basic_record = {flag = true; first_val = 3; sec_val = 69} result of call at line 27, characters 21-30 : bool = true result of call at line 27, characters 21-25 : basic_record = {flag = true; first_val = 3; sec_val = 5} result of call at line 27, characters 45-61 : int = 3 result of call at line 27, characters 45-49 : basic_record = {flag = true; first_val = 3; sec_val = 5} Line 28: i : int = -1 Categorizations of models: - Checked model 0: INCOMPLETE - Concrete RAC: INCOMPLETE (terminated because Precondition of `var_overwrite` cannot be evaluated) - Abstract RAC: INCOMPLETE (terminated because Precondition of `var_overwrite` cannot be evaluated) - Selected model 1: INCOMPLETE - Concrete RAC: INCOMPLETE (terminated because Precondition of `var_overwrite` cannot be evaluated) - Abstract RAC: INCOMPLETE (terminated because Precondition of `var_overwrite` cannot be evaluated) File "bench/check-ce/array_records_poly.mlw", line 28, characters 21-25: Sub-goal Index in array bounds of goal var_overwrite'vc. Prover result is: Unknown or time/memory/step limit. The following counterexample model could not be verified (both RAC terminated because Precondition of `var_overwrite` cannot be evaluated): File array.mlw: Line 17: length : ty -> uni -> int = fun bOUND_VARIABLE_2081 bOUND_VARIABLE_2082 -> 0 length : array basic_record -> int = [|_ => 0|] File array_records_poly.mlw: Line 23: i : int = -1 Line 27: result of call at line 27, characters 13-81 : basic_record = {flag = true; first_val = 3; sec_val = 69} result of call at line 27, characters 21-30 : bool = true result of call at line 27, characters 21-25 : basic_record = {flag = true; first_val = 3; sec_val = 5} result of call at line 27, characters 45-61 : int = 3 result of call at line 27, characters 45-49 : basic_record = {flag = true; first_val = 3; sec_val = 5} Line 28: i : int = -1 result of call at line 28, characters 64-81 : int = 69 result of call at line 28, characters 64-68 : basic_record = {flag = true; first_val = 3; sec_val = 69} Categorizations of models: - Checked model 0: INCOMPLETE - Concrete RAC: INCOMPLETE (terminated because Precondition of `var_overwrite` cannot be evaluated) - Abstract RAC: INCOMPLETE (terminated because Precondition of `var_overwrite` cannot be evaluated) - Selected model 1: INCOMPLETE - Concrete RAC: INCOMPLETE (terminated because Precondition of `var_overwrite` cannot be evaluated) - Abstract RAC: INCOMPLETE (terminated because Precondition of `var_overwrite` cannot be evaluated) File "bench/check-ce/array_records_poly.mlw", line 28, characters 5-82: Sub-goal Index in array bounds of goal var_overwrite'vc. Prover result is: Unknown or time/memory/step limit. The following counterexample model could not be verified (both RAC terminated because Precondition of `var_overwrite` cannot be evaluated): File array.mlw: Line 17: length : ty -> uni -> int = fun bOUND_VARIABLE_2109 bOUND_VARIABLE_2110 -> 0 length : array basic_record -> int = [|_ => 0|] File array_records_poly.mlw: Line 23: i : int = -1 Line 27: result of call at line 27, characters 13-81 : basic_record = {flag = true; first_val = 3; sec_val = 69} result of call at line 27, characters 21-30 : bool = true result of call at line 27, characters 21-25 : basic_record = {flag = true; first_val = 3; sec_val = 5} result of call at line 27, characters 45-61 : int = 3 result of call at line 27, characters 45-49 : basic_record = {flag = true; first_val = 3; sec_val = 5} Line 28: i : int = -1 result of call at line 28, characters 13-82 : basic_record = {flag = true; first_val = 42; sec_val = 69} result of call at line 28, characters 21-30 : bool = true result of call at line 28, characters 21-25 : basic_record = {flag = true; first_val = 3; sec_val = 69} result of call at line 28, characters 64-81 : int = 69 result of call at line 28, characters 64-68 : basic_record = {flag = true; first_val = 3; sec_val = 69} Categorizations of models: - Checked model 0: INCOMPLETE - Concrete RAC: INCOMPLETE (terminated because Precondition of `var_overwrite` cannot be evaluated) - Abstract RAC: INCOMPLETE (terminated because Precondition of `var_overwrite` cannot be evaluated) - Selected model 1: INCOMPLETE - Concrete RAC: INCOMPLETE (terminated because Precondition of `var_overwrite` cannot be evaluated) - Abstract RAC: INCOMPLETE (terminated because Precondition of `var_overwrite` cannot be evaluated) File "bench/check-ce/array_records_poly.mlw", line 29, characters 64-68: Sub-goal Index in array bounds of goal var_overwrite'vc. Prover result is: Unknown or time/memory/step limit. The following counterexample model could not be verified (both RAC terminated because Precondition of `var_overwrite` cannot be evaluated): File array.mlw: Line 17: length : ty -> uni -> int = fun bOUND_VARIABLE_2540 bOUND_VARIABLE_2541 -> 0 length : array basic_record -> int = [|_ => 0|] File array_records_poly.mlw: Line 23: i : int = -1 Line 27: result of call at line 27, characters 13-81 : basic_record = {flag = true; first_val = 3; sec_val = 69} result of call at line 27, characters 21-30 : bool = true result of call at line 27, characters 21-25 : basic_record = {flag = true; first_val = 3; sec_val = 5} result of call at line 27, characters 45-61 : int = 3 result of call at line 27, characters 45-49 : basic_record = {flag = true; first_val = 3; sec_val = 5} Line 28: result of call at line 28, characters 13-82 : basic_record = {flag = true; first_val = 42; sec_val = 69} result of call at line 28, characters 21-30 : bool = true result of call at line 28, characters 21-25 : basic_record = {flag = true; first_val = 3; sec_val = 69} result of call at line 28, characters 64-81 : int = 69 result of call at line 28, characters 64-68 : basic_record = {flag = true; first_val = 3; sec_val = 69} Line 29: i : int = -1 Categorizations of models: - Checked model 0: INCOMPLETE - Concrete RAC: INCOMPLETE (terminated because Precondition of `var_overwrite` cannot be evaluated) - Abstract RAC: INCOMPLETE (terminated because Precondition of `var_overwrite` cannot be evaluated) - Selected model 1: INCOMPLETE - Concrete RAC: INCOMPLETE (terminated because Precondition of `var_overwrite` cannot be evaluated) - Abstract RAC: INCOMPLETE (terminated because Precondition of `var_overwrite` cannot be evaluated) File "bench/check-ce/array_records_poly.mlw", line 29, characters 21-25: Sub-goal Index in array bounds of goal var_overwrite'vc. Prover result is: Unknown or time/memory/step limit. The following counterexample model could not be verified (both RAC terminated because Precondition of `var_overwrite` cannot be evaluated): File array.mlw: Line 17: length : ty -> uni -> int = fun bOUND_VARIABLE_2560 bOUND_VARIABLE_2561 -> 0 length : array basic_record -> int = [|_ => 0|] File array_records_poly.mlw: Line 23: i : int = -1 Line 27: result of call at line 27, characters 13-81 : basic_record = {flag = true; first_val = 3; sec_val = 69} result of call at line 27, characters 21-30 : bool = true result of call at line 27, characters 21-25 : basic_record = {flag = true; first_val = 3; sec_val = 5} result of call at line 27, characters 45-61 : int = 3 result of call at line 27, characters 45-49 : basic_record = {flag = true; first_val = 3; sec_val = 5} Line 28: result of call at line 28, characters 13-82 : basic_record = {flag = true; first_val = 42; sec_val = 69} result of call at line 28, characters 21-30 : bool = true result of call at line 28, characters 21-25 : basic_record = {flag = true; first_val = 3; sec_val = 69} result of call at line 28, characters 64-81 : int = 69 result of call at line 28, characters 64-68 : basic_record = {flag = true; first_val = 3; sec_val = 69} Line 29: i : int = -1 result of call at line 29, characters 64-81 : int = 69 result of call at line 29, characters 64-68 : basic_record = {flag = true; first_val = 42; sec_val = 69} Categorizations of models: - Checked model 0: INCOMPLETE - Concrete RAC: INCOMPLETE (terminated because Precondition of `var_overwrite` cannot be evaluated) - Abstract RAC: INCOMPLETE (terminated because Precondition of `var_overwrite` cannot be evaluated) - Selected model 1: INCOMPLETE - Concrete RAC: INCOMPLETE (terminated because Precondition of `var_overwrite` cannot be evaluated) - Abstract RAC: INCOMPLETE (terminated because Precondition of `var_overwrite` cannot be evaluated) File "bench/check-ce/array_records_poly.mlw", line 29, characters 5-82: Sub-goal Index in array bounds of goal var_overwrite'vc. Prover result is: Unknown or time/memory/step limit. The following counterexample model could not be verified (both RAC terminated because Precondition of `var_overwrite` cannot be evaluated): File array.mlw: Line 17: length : ty -> uni -> int = fun bOUND_VARIABLE_2588 bOUND_VARIABLE_2589 -> 0 length : array basic_record -> int = [|_ => 0|] File array_records_poly.mlw: Line 23: i : int = -1 Line 27: result of call at line 27, characters 13-81 : basic_record = {flag = true; first_val = 3; sec_val = 69} result of call at line 27, characters 21-30 : bool = true result of call at line 27, characters 21-25 : basic_record = {flag = true; first_val = 3; sec_val = 5} result of call at line 27, characters 45-61 : int = 3 result of call at line 27, characters 45-49 : basic_record = {flag = true; first_val = 3; sec_val = 5} Line 28: result of call at line 28, characters 13-82 : basic_record = {flag = true; first_val = 42; sec_val = 69} result of call at line 28, characters 21-30 : bool = true result of call at line 28, characters 21-25 : basic_record = {flag = true; first_val = 3; sec_val = 69} result of call at line 28, characters 64-81 : int = 69 result of call at line 28, characters 64-68 : basic_record = {flag = true; first_val = 3; sec_val = 69} Line 29: i : int = -1 result of call at line 29, characters 13-82 : basic_record = {flag = true; first_val = 23; sec_val = 69} result of call at line 29, characters 21-30 : bool = true result of call at line 29, characters 21-25 : basic_record = {flag = true; first_val = 42; sec_val = 69} result of call at line 29, characters 64-81 : int = 69 result of call at line 29, characters 64-68 : basic_record = {flag = true; first_val = 42; sec_val = 69} Categorizations of models: - Checked model 0: INCOMPLETE - Concrete RAC: INCOMPLETE (terminated because Precondition of `var_overwrite` cannot be evaluated) - Abstract RAC: INCOMPLETE (terminated because Precondition of `var_overwrite` cannot be evaluated) - Selected model 1: INCOMPLETE - Concrete RAC: INCOMPLETE (terminated because Precondition of `var_overwrite` cannot be evaluated) - Abstract RAC: INCOMPLETE (terminated because Precondition of `var_overwrite` cannot be evaluated) File "bench/check-ce/array_records_poly.mlw", line 30, characters 74-78: Sub-goal Index in array bounds of goal var_overwrite'vc. Prover result is: Unknown or time/memory/step limit. The following counterexample model could not be verified (both RAC terminated because Precondition of `var_overwrite` cannot be evaluated): File array.mlw: Line 17: length : ty -> uni -> int = fun bOUND_VARIABLE_3159 bOUND_VARIABLE_3160 -> 0 length : array basic_record -> int = [|_ => 0|] File array_records_poly.mlw: Line 23: i : int = -1 Line 27: result of call at line 27, characters 13-81 : basic_record = {flag = true; first_val = 3; sec_val = 69} result of call at line 27, characters 21-30 : bool = true result of call at line 27, characters 21-25 : basic_record = {flag = true; first_val = 3; sec_val = 5} result of call at line 27, characters 45-61 : int = 3 result of call at line 27, characters 45-49 : basic_record = {flag = true; first_val = 3; sec_val = 5} Line 28: result of call at line 28, characters 13-82 : basic_record = {flag = true; first_val = 42; sec_val = 69} result of call at line 28, characters 21-30 : bool = true result of call at line 28, characters 21-25 : basic_record = {flag = true; first_val = 3; sec_val = 69} result of call at line 28, characters 64-81 : int = 69 result of call at line 28, characters 64-68 : basic_record = {flag = true; first_val = 3; sec_val = 69} Line 29: result of call at line 29, characters 13-82 : basic_record = {flag = true; first_val = 23; sec_val = 69} result of call at line 29, characters 21-30 : bool = true result of call at line 29, characters 21-25 : basic_record = {flag = true; first_val = 42; sec_val = 69} result of call at line 29, characters 64-81 : int = 69 result of call at line 29, characters 64-68 : basic_record = {flag = true; first_val = 42; sec_val = 69} Line 30: i : int = -1 Categorizations of models: - Checked model 0: INCOMPLETE - Concrete RAC: INCOMPLETE (terminated because Precondition of `var_overwrite` cannot be evaluated) - Abstract RAC: INCOMPLETE (terminated because Precondition of `var_overwrite` cannot be evaluated) - Selected model 1: INCOMPLETE - Concrete RAC: INCOMPLETE (terminated because Precondition of `var_overwrite` cannot be evaluated) - Abstract RAC: INCOMPLETE (terminated because Precondition of `var_overwrite` cannot be evaluated) File "bench/check-ce/array_records_poly.mlw", line 30, characters 41-45: Sub-goal Index in array bounds of goal var_overwrite'vc. Prover result is: Unknown or time/memory/step limit. The following counterexample model could not be verified (both RAC terminated because Precondition of `var_overwrite` cannot be evaluated): File array.mlw: Line 17: length : ty -> uni -> int = fun bOUND_VARIABLE_3181 bOUND_VARIABLE_3182 -> 0 length : array basic_record -> int = [|_ => 0|] File array_records_poly.mlw: Line 23: i : int = -1 Line 27: result of call at line 27, characters 13-81 : basic_record = {flag = true; first_val = 3; sec_val = 69} result of call at line 27, characters 21-30 : bool = true result of call at line 27, characters 21-25 : basic_record = {flag = true; first_val = 3; sec_val = 5} result of call at line 27, characters 45-61 : int = 3 result of call at line 27, characters 45-49 : basic_record = {flag = true; first_val = 3; sec_val = 5} Line 28: result of call at line 28, characters 13-82 : basic_record = {flag = true; first_val = 42; sec_val = 69} result of call at line 28, characters 21-30 : bool = true result of call at line 28, characters 21-25 : basic_record = {flag = true; first_val = 3; sec_val = 69} result of call at line 28, characters 64-81 : int = 69 result of call at line 28, characters 64-68 : basic_record = {flag = true; first_val = 3; sec_val = 69} Line 29: result of call at line 29, characters 13-82 : basic_record = {flag = true; first_val = 23; sec_val = 69} result of call at line 29, characters 21-30 : bool = true result of call at line 29, characters 21-25 : basic_record = {flag = true; first_val = 42; sec_val = 69} result of call at line 29, characters 64-81 : int = 69 result of call at line 29, characters 64-68 : basic_record = {flag = true; first_val = 42; sec_val = 69} Line 30: i : int = -1 result of call at line 30, characters 74-91 : int = 69 result of call at line 30, characters 74-78 : basic_record = {flag = true; first_val = 23; sec_val = 69} Categorizations of models: - Checked model 0: INCOMPLETE - Concrete RAC: INCOMPLETE (terminated because Precondition of `var_overwrite` cannot be evaluated) - Abstract RAC: INCOMPLETE (terminated because Precondition of `var_overwrite` cannot be evaluated) - Selected model 1: INCOMPLETE - Concrete RAC: INCOMPLETE (terminated because Precondition of `var_overwrite` cannot be evaluated) - Abstract RAC: INCOMPLETE (terminated because Precondition of `var_overwrite` cannot be evaluated) File "bench/check-ce/array_records_poly.mlw", line 30, characters 5-92: Sub-goal Index in array bounds of goal var_overwrite'vc. Prover result is: Unknown or time/memory/step limit. The following counterexample model could not be verified (both RAC terminated because Precondition of `var_overwrite` cannot be evaluated): File array.mlw: Line 17: length : ty -> uni -> int = fun bOUND_VARIABLE_3209 bOUND_VARIABLE_3210 -> 0 length : array basic_record -> int = [|_ => 0|] File array_records_poly.mlw: Line 23: i : int = -1 Line 27: result of call at line 27, characters 13-81 : basic_record = {flag = true; first_val = 3; sec_val = 69} result of call at line 27, characters 21-30 : bool = true result of call at line 27, characters 21-25 : basic_record = {flag = true; first_val = 3; sec_val = 5} result of call at line 27, characters 45-61 : int = 3 result of call at line 27, characters 45-49 : basic_record = {flag = true; first_val = 3; sec_val = 5} Line 28: result of call at line 28, characters 13-82 : basic_record = {flag = true; first_val = 42; sec_val = 69} result of call at line 28, characters 21-30 : bool = true result of call at line 28, characters 21-25 : basic_record = {flag = true; first_val = 3; sec_val = 69} result of call at line 28, characters 64-81 : int = 69 result of call at line 28, characters 64-68 : basic_record = {flag = true; first_val = 3; sec_val = 69} Line 29: result of call at line 29, characters 13-82 : basic_record = {flag = true; first_val = 23; sec_val = 69} result of call at line 29, characters 21-30 : bool = true result of call at line 29, characters 21-25 : basic_record = {flag = true; first_val = 42; sec_val = 69} result of call at line 29, characters 64-81 : int = 69 result of call at line 29, characters 64-68 : basic_record = {flag = true; first_val = 42; sec_val = 69} Line 30: i : int = -1 result of call at line 30, characters 13-92 : basic_record = {flag = false; first_val = 23; sec_val = 69} result of call at line 30, characters 41-57 : int = 23 result of call at line 30, characters 41-45 : basic_record = {flag = true; first_val = 23; sec_val = 69} result of call at line 30, characters 74-91 : int = 69 result of call at line 30, characters 74-78 : basic_record = {flag = true; first_val = 23; sec_val = 69} File "bench/check-ce/array_records_poly.mlw", line 31, characters 13-35: Sub-goal Assertion of goal var_overwrite'vc. Prover result is: Valid. Categorizations of models: - Checked model 0: INCOMPLETE - Concrete RAC: INCOMPLETE (terminated because Precondition of `var_overwrite` cannot be evaluated) - Abstract RAC: INCOMPLETE (terminated because Precondition of `var_overwrite` cannot be evaluated) - Selected model 1: INCOMPLETE - Concrete RAC: INCOMPLETE (terminated because Precondition of `var_overwrite` cannot be evaluated) - Abstract RAC: INCOMPLETE (terminated because Precondition of `var_overwrite` cannot be evaluated) File "bench/check-ce/array_records_poly.mlw", line 25, characters 15-36: Sub-goal Postcondition of goal var_overwrite'vc. Prover result is: Unknown or time/memory/step limit. The following counterexample model could not be verified (both RAC terminated because Precondition of `var_overwrite` cannot be evaluated): File array.mlw: Line 17: length : ty -> uni -> int = fun bOUND_VARIABLE_3969 bOUND_VARIABLE_3970 -> 0 length : array basic_record -> int = [|_ => 0|] File array_records_poly.mlw: Line 23: i : int = 0 Line 25: i : int = 0 Line 27: result of call at line 27, characters 13-81 : basic_record = {flag = true; first_val = 3; sec_val = 69} result of call at line 27, characters 21-30 : bool = true result of call at line 27, characters 21-25 : basic_record = {flag = true; first_val = 3; sec_val = 5} result of call at line 27, characters 45-61 : int = 3 result of call at line 27, characters 45-49 : basic_record = {flag = true; first_val = 3; sec_val = 5} Line 28: result of call at line 28, characters 13-82 : basic_record = {flag = true; first_val = 42; sec_val = 69} result of call at line 28, characters 21-30 : bool = true result of call at line 28, characters 21-25 : basic_record = {flag = true; first_val = 3; sec_val = 69} result of call at line 28, characters 64-81 : int = 69 result of call at line 28, characters 64-68 : basic_record = {flag = true; first_val = 3; sec_val = 69} Line 29: result of call at line 29, characters 13-82 : basic_record = {flag = true; first_val = 23; sec_val = 69} result of call at line 29, characters 21-30 : bool = true result of call at line 29, characters 21-25 : basic_record = {flag = true; first_val = 42; sec_val = 69} result of call at line 29, characters 64-81 : int = 69 result of call at line 29, characters 64-68 : basic_record = {flag = true; first_val = 42; sec_val = 69} Line 30: result of call at line 30, characters 13-92 : basic_record = {flag = false; first_val = 23; sec_val = 69} result of call at line 30, characters 41-57 : int = 23 result of call at line 30, characters 41-45 : basic_record = {flag = true; first_val = 23; sec_val = 69} result of call at line 30, characters 74-91 : int = 69 result of call at line 30, characters 74-78 : basic_record = {flag = true; first_val = 23; sec_val = 69} why3-1.6.0/bench/check-ce/oracles/array_records_poly_Z3,4.8.10_SP.oracle000066400000000000000000000625761440160026300253710ustar00rootroot00000000000000Categorizations of models: - Checked model 0: INCOMPLETE - Concrete RAC: INCOMPLETE (terminated because Precondition of `var_overwrite` cannot be evaluated) - Abstract RAC: INCOMPLETE (terminated because Precondition of `var_overwrite` cannot be evaluated) - Selected model 1: INCOMPLETE - Concrete RAC: INCOMPLETE (terminated because Precondition of `var_overwrite` cannot be evaluated) - Abstract RAC: INCOMPLETE (terminated because Precondition of `var_overwrite` cannot be evaluated) File "bench/check-ce/array_records_poly.mlw", line 27, characters 45-49: Sub-goal Index in array bounds of goal var_overwrite'vc. Prover result is: Unknown or time/memory/step limit. The following counterexample model could not be verified (both RAC terminated because Precondition of `var_overwrite` cannot be evaluated): File array_records_poly.mlw: Line 23: i : int = -1 Line 27: i : int = -1 Categorizations of models: - Checked model 0: INCOMPLETE - Concrete RAC: INCOMPLETE (terminated because Precondition of `var_overwrite` cannot be evaluated) - Abstract RAC: INCOMPLETE (terminated because Precondition of `var_overwrite` cannot be evaluated) - Selected model 1: INCOMPLETE - Concrete RAC: INCOMPLETE (terminated because Precondition of `var_overwrite` cannot be evaluated) - Abstract RAC: INCOMPLETE (terminated because Precondition of `var_overwrite` cannot be evaluated) File "bench/check-ce/array_records_poly.mlw", line 27, characters 21-25: Sub-goal Index in array bounds of goal var_overwrite'vc. Prover result is: Unknown or time/memory/step limit. The following counterexample model could not be verified (both RAC terminated because Precondition of `var_overwrite` cannot be evaluated): File array_records_poly.mlw: Line 23: i : int = -1 Line 27: i : int = -1 result of call at line 27, characters 45-61 : int = 3 result of call at line 27, characters 45-49 : basic_record = {flag = true; first_val = 3; sec_val = 5} Categorizations of models: - Checked model 0: INCOMPLETE - Concrete RAC: INCOMPLETE (terminated because Precondition of `var_overwrite` cannot be evaluated) - Abstract RAC: INCOMPLETE (terminated because Precondition of `var_overwrite` cannot be evaluated) - Selected model 1: INCOMPLETE - Concrete RAC: INCOMPLETE (terminated because Precondition of `var_overwrite` cannot be evaluated) - Abstract RAC: INCOMPLETE (terminated because Precondition of `var_overwrite` cannot be evaluated) File "bench/check-ce/array_records_poly.mlw", line 27, characters 5-81: Sub-goal Index in array bounds of goal var_overwrite'vc. Prover result is: Unknown or time/memory/step limit. The following counterexample model could not be verified (both RAC terminated because Precondition of `var_overwrite` cannot be evaluated): File array_records_poly.mlw: Line 23: i : int = -1 Line 27: i : int = -1 result of call at line 27, characters 13-81 : basic_record = {flag = true; first_val = 3; sec_val = 69} result of call at line 27, characters 21-30 : bool = true result of call at line 27, characters 21-25 : basic_record = {flag = true; first_val = 3; sec_val = 5} result of call at line 27, characters 45-61 : int = 3 result of call at line 27, characters 45-49 : basic_record = {flag = true; first_val = 3; sec_val = 5} Categorizations of models: - Selected model 0: INCOMPLETE - Concrete RAC: INCOMPLETE (terminated because Precondition of `var_overwrite` cannot be evaluated) - Abstract RAC: INCOMPLETE (terminated because Precondition of `var_overwrite` cannot be evaluated) - Checked model 1: INCOMPLETE - Concrete RAC: INCOMPLETE (terminated because Precondition of `var_overwrite` cannot be evaluated) - Abstract RAC: INCOMPLETE (terminated because Precondition of `var_overwrite` cannot be evaluated) File "bench/check-ce/array_records_poly.mlw", line 28, characters 64-68: Sub-goal Index in array bounds of goal var_overwrite'vc. Prover result is: Unknown or time/memory/step limit. The following counterexample model could not be verified (both RAC terminated because Precondition of `var_overwrite` cannot be evaluated): File array.mlw: Line 17: length : ty -> uni -> int = fun x!065 x!13 -> 0 File array_records_poly.mlw: Line 23: i : int = -1 Line 27: result of call at line 27, characters 13-81 : basic_record = {flag = true; first_val = 3; sec_val = 69} result of call at line 27, characters 21-30 : bool = true result of call at line 27, characters 21-25 : basic_record = {flag = true; first_val = 3; sec_val = 5} result of call at line 27, characters 45-61 : int = 3 result of call at line 27, characters 45-49 : basic_record = {flag = true; first_val = 3; sec_val = 5} Line 28: i : int = -1 Categorizations of models: - Selected model 0: INCOMPLETE - Concrete RAC: INCOMPLETE (terminated because Precondition of `var_overwrite` cannot be evaluated) - Abstract RAC: INCOMPLETE (terminated because Precondition of `var_overwrite` cannot be evaluated) - Checked model 1: INCOMPLETE - Concrete RAC: INCOMPLETE (terminated because Precondition of `var_overwrite` cannot be evaluated) - Abstract RAC: INCOMPLETE (terminated because Precondition of `var_overwrite` cannot be evaluated) File "bench/check-ce/array_records_poly.mlw", line 28, characters 21-25: Sub-goal Index in array bounds of goal var_overwrite'vc. Prover result is: Unknown or time/memory/step limit. The following counterexample model could not be verified (both RAC terminated because Precondition of `var_overwrite` cannot be evaluated): File array.mlw: Line 17: length : ty -> uni -> int = fun x!069 x!13 -> 0 File array_records_poly.mlw: Line 23: i : int = -1 Line 27: result of call at line 27, characters 13-81 : basic_record = {flag = true; first_val = 3; sec_val = 69} result of call at line 27, characters 21-30 : bool = true result of call at line 27, characters 21-25 : basic_record = {flag = true; first_val = 3; sec_val = 5} result of call at line 27, characters 45-61 : int = 3 result of call at line 27, characters 45-49 : basic_record = {flag = true; first_val = 3; sec_val = 5} Line 28: i : int = -1 result of call at line 28, characters 64-81 : int = 2 result of call at line 28, characters 64-68 : basic_record = {flag = false; first_val = 4; sec_val = 2} Categorizations of models: - Selected model 0: INCOMPLETE - Concrete RAC: INCOMPLETE (terminated because Precondition of `var_overwrite` cannot be evaluated) - Abstract RAC: INCOMPLETE (terminated because Precondition of `var_overwrite` cannot be evaluated) - Checked model 1: INCOMPLETE - Concrete RAC: INCOMPLETE (terminated because Precondition of `var_overwrite` cannot be evaluated) - Abstract RAC: INCOMPLETE (terminated because Precondition of `var_overwrite` cannot be evaluated) File "bench/check-ce/array_records_poly.mlw", line 28, characters 5-82: Sub-goal Index in array bounds of goal var_overwrite'vc. Prover result is: Unknown or time/memory/step limit. The following counterexample model could not be verified (both RAC terminated because Precondition of `var_overwrite` cannot be evaluated): File array.mlw: Line 17: length : ty -> uni -> int = fun x!073 x!13 -> 0 File array_records_poly.mlw: Line 23: i : int = -1 Line 27: result of call at line 27, characters 13-81 : basic_record = {flag = true; first_val = 3; sec_val = 69} result of call at line 27, characters 21-30 : bool = true result of call at line 27, characters 21-25 : basic_record = {flag = true; first_val = 3; sec_val = 5} result of call at line 27, characters 45-61 : int = 3 result of call at line 27, characters 45-49 : basic_record = {flag = true; first_val = 3; sec_val = 5} Line 28: i : int = -1 result of call at line 28, characters 13-82 : basic_record = {flag = false; first_val = 42; sec_val = 2} result of call at line 28, characters 21-30 : bool = false result of call at line 28, characters 21-25 : basic_record = {flag = false; first_val = 4; sec_val = 2} result of call at line 28, characters 64-81 : int = 2 result of call at line 28, characters 64-68 : basic_record = {flag = false; first_val = 4; sec_val = 2} Categorizations of models: - Selected model 0: INCOMPLETE - Concrete RAC: INCOMPLETE (terminated because Precondition of `var_overwrite` cannot be evaluated) - Abstract RAC: INCOMPLETE (terminated because Precondition of `var_overwrite` cannot be evaluated) - Checked model 1: INCOMPLETE - Concrete RAC: INCOMPLETE (terminated because Precondition of `var_overwrite` cannot be evaluated) - Abstract RAC: INCOMPLETE (terminated because Precondition of `var_overwrite` cannot be evaluated) File "bench/check-ce/array_records_poly.mlw", line 29, characters 64-68: Sub-goal Index in array bounds of goal var_overwrite'vc. Prover result is: Unknown or time/memory/step limit. The following counterexample model could not be verified (both RAC terminated because Precondition of `var_overwrite` cannot be evaluated): File array.mlw: Line 17: length : ty -> uni -> int = fun x!077 x!13 -> 0 File array_records_poly.mlw: Line 23: i : int = -1 Line 27: result of call at line 27, characters 13-81 : basic_record = {flag = true; first_val = 3; sec_val = 69} result of call at line 27, characters 21-30 : bool = true result of call at line 27, characters 21-25 : basic_record = {flag = true; first_val = 3; sec_val = 5} result of call at line 27, characters 45-61 : int = 3 result of call at line 27, characters 45-49 : basic_record = {flag = true; first_val = 3; sec_val = 5} Line 28: result of call at line 28, characters 13-82 : basic_record = {flag = false; first_val = 42; sec_val = 2} result of call at line 28, characters 21-30 : bool = false result of call at line 28, characters 21-25 : basic_record = {flag = false; first_val = 4; sec_val = 2} result of call at line 28, characters 64-81 : int = 2 result of call at line 28, characters 64-68 : basic_record = {flag = false; first_val = 4; sec_val = 2} Line 29: i : int = -1 Categorizations of models: - Selected model 0: INCOMPLETE - Concrete RAC: INCOMPLETE (terminated because Precondition of `var_overwrite` cannot be evaluated) - Abstract RAC: INCOMPLETE (terminated because Precondition of `var_overwrite` cannot be evaluated) - Checked model 1: INCOMPLETE - Concrete RAC: INCOMPLETE (terminated because Precondition of `var_overwrite` cannot be evaluated) - Abstract RAC: INCOMPLETE (terminated because Precondition of `var_overwrite` cannot be evaluated) File "bench/check-ce/array_records_poly.mlw", line 29, characters 21-25: Sub-goal Index in array bounds of goal var_overwrite'vc. Prover result is: Unknown or time/memory/step limit. The following counterexample model could not be verified (both RAC terminated because Precondition of `var_overwrite` cannot be evaluated): File array.mlw: Line 17: length : ty -> uni -> int = fun x!081 x!13 -> 0 File array_records_poly.mlw: Line 23: i : int = -1 Line 27: result of call at line 27, characters 13-81 : basic_record = {flag = true; first_val = 3; sec_val = 69} result of call at line 27, characters 21-30 : bool = true result of call at line 27, characters 21-25 : basic_record = {flag = true; first_val = 3; sec_val = 5} result of call at line 27, characters 45-61 : int = 3 result of call at line 27, characters 45-49 : basic_record = {flag = true; first_val = 3; sec_val = 5} Line 28: result of call at line 28, characters 13-82 : basic_record = {flag = false; first_val = 42; sec_val = 2} result of call at line 28, characters 21-30 : bool = false result of call at line 28, characters 21-25 : basic_record = {flag = false; first_val = 4; sec_val = 2} result of call at line 28, characters 64-81 : int = 2 result of call at line 28, characters 64-68 : basic_record = {flag = false; first_val = 4; sec_val = 2} Line 29: i : int = -1 result of call at line 29, characters 64-81 : int = 6 result of call at line 29, characters 64-68 : basic_record = {flag = false; first_val = 7; sec_val = 6} Categorizations of models: - Selected model 0: INCOMPLETE - Concrete RAC: INCOMPLETE (terminated because Precondition of `var_overwrite` cannot be evaluated) - Abstract RAC: INCOMPLETE (terminated because Precondition of `var_overwrite` cannot be evaluated) - Checked model 1: INCOMPLETE - Concrete RAC: INCOMPLETE (terminated because Precondition of `var_overwrite` cannot be evaluated) - Abstract RAC: INCOMPLETE (terminated because Precondition of `var_overwrite` cannot be evaluated) File "bench/check-ce/array_records_poly.mlw", line 29, characters 5-82: Sub-goal Index in array bounds of goal var_overwrite'vc. Prover result is: Unknown or time/memory/step limit. The following counterexample model could not be verified (both RAC terminated because Precondition of `var_overwrite` cannot be evaluated): File array.mlw: Line 17: length : ty -> uni -> int = fun x!085 x!13 -> 0 File array_records_poly.mlw: Line 23: i : int = -1 Line 27: result of call at line 27, characters 13-81 : basic_record = {flag = true; first_val = 3; sec_val = 69} result of call at line 27, characters 21-30 : bool = true result of call at line 27, characters 21-25 : basic_record = {flag = true; first_val = 3; sec_val = 5} result of call at line 27, characters 45-61 : int = 3 result of call at line 27, characters 45-49 : basic_record = {flag = true; first_val = 3; sec_val = 5} Line 28: result of call at line 28, characters 13-82 : basic_record = {flag = false; first_val = 42; sec_val = 2} result of call at line 28, characters 21-30 : bool = false result of call at line 28, characters 21-25 : basic_record = {flag = false; first_val = 4; sec_val = 2} result of call at line 28, characters 64-81 : int = 2 result of call at line 28, characters 64-68 : basic_record = {flag = false; first_val = 4; sec_val = 2} Line 29: i : int = -1 result of call at line 29, characters 13-82 : basic_record = {flag = false; first_val = 23; sec_val = 6} result of call at line 29, characters 21-30 : bool = false result of call at line 29, characters 21-25 : basic_record = {flag = false; first_val = 7; sec_val = 6} result of call at line 29, characters 64-81 : int = 6 result of call at line 29, characters 64-68 : basic_record = {flag = false; first_val = 7; sec_val = 6} Categorizations of models: - Selected model 0: INCOMPLETE - Concrete RAC: INCOMPLETE (terminated because Precondition of `var_overwrite` cannot be evaluated) - Abstract RAC: INCOMPLETE (terminated because Precondition of `var_overwrite` cannot be evaluated) - Checked model 1: INCOMPLETE - Concrete RAC: INCOMPLETE (terminated because Precondition of `var_overwrite` cannot be evaluated) - Abstract RAC: INCOMPLETE (terminated because Precondition of `var_overwrite` cannot be evaluated) File "bench/check-ce/array_records_poly.mlw", line 30, characters 74-78: Sub-goal Index in array bounds of goal var_overwrite'vc. Prover result is: Unknown or time/memory/step limit. The following counterexample model could not be verified (both RAC terminated because Precondition of `var_overwrite` cannot be evaluated): File array.mlw: Line 17: length : ty -> uni -> int = fun x!089 x!13 -> 0 File array_records_poly.mlw: Line 23: i : int = -1 Line 27: result of call at line 27, characters 13-81 : basic_record = {flag = true; first_val = 3; sec_val = 69} result of call at line 27, characters 21-30 : bool = true result of call at line 27, characters 21-25 : basic_record = {flag = true; first_val = 3; sec_val = 5} result of call at line 27, characters 45-61 : int = 3 result of call at line 27, characters 45-49 : basic_record = {flag = true; first_val = 3; sec_val = 5} Line 28: result of call at line 28, characters 13-82 : basic_record = {flag = false; first_val = 42; sec_val = 2} result of call at line 28, characters 21-30 : bool = false result of call at line 28, characters 21-25 : basic_record = {flag = false; first_val = 4; sec_val = 2} result of call at line 28, characters 64-81 : int = 2 result of call at line 28, characters 64-68 : basic_record = {flag = false; first_val = 4; sec_val = 2} Line 29: result of call at line 29, characters 13-82 : basic_record = {flag = false; first_val = 23; sec_val = 6} result of call at line 29, characters 21-30 : bool = false result of call at line 29, characters 21-25 : basic_record = {flag = false; first_val = 7; sec_val = 6} result of call at line 29, characters 64-81 : int = 6 result of call at line 29, characters 64-68 : basic_record = {flag = false; first_val = 7; sec_val = 6} Line 30: i : int = -1 Categorizations of models: - Selected model 0: INCOMPLETE - Concrete RAC: INCOMPLETE (terminated because Precondition of `var_overwrite` cannot be evaluated) - Abstract RAC: INCOMPLETE (terminated because Precondition of `var_overwrite` cannot be evaluated) - Checked model 1: INCOMPLETE - Concrete RAC: INCOMPLETE (terminated because Precondition of `var_overwrite` cannot be evaluated) - Abstract RAC: INCOMPLETE (terminated because Precondition of `var_overwrite` cannot be evaluated) File "bench/check-ce/array_records_poly.mlw", line 30, characters 41-45: Sub-goal Index in array bounds of goal var_overwrite'vc. Prover result is: Unknown or time/memory/step limit. The following counterexample model could not be verified (both RAC terminated because Precondition of `var_overwrite` cannot be evaluated): File array.mlw: Line 17: length : ty -> uni -> int = fun x!093 x!13 -> 0 File array_records_poly.mlw: Line 23: i : int = -1 Line 27: result of call at line 27, characters 13-81 : basic_record = {flag = true; first_val = 3; sec_val = 69} result of call at line 27, characters 21-30 : bool = true result of call at line 27, characters 21-25 : basic_record = {flag = true; first_val = 3; sec_val = 5} result of call at line 27, characters 45-61 : int = 3 result of call at line 27, characters 45-49 : basic_record = {flag = true; first_val = 3; sec_val = 5} Line 28: result of call at line 28, characters 13-82 : basic_record = {flag = false; first_val = 42; sec_val = 2} result of call at line 28, characters 21-30 : bool = false result of call at line 28, characters 21-25 : basic_record = {flag = false; first_val = 4; sec_val = 2} result of call at line 28, characters 64-81 : int = 2 result of call at line 28, characters 64-68 : basic_record = {flag = false; first_val = 4; sec_val = 2} Line 29: result of call at line 29, characters 13-82 : basic_record = {flag = false; first_val = 23; sec_val = 6} result of call at line 29, characters 21-30 : bool = false result of call at line 29, characters 21-25 : basic_record = {flag = false; first_val = 7; sec_val = 6} result of call at line 29, characters 64-81 : int = 6 result of call at line 29, characters 64-68 : basic_record = {flag = false; first_val = 7; sec_val = 6} Line 30: i : int = -1 result of call at line 30, characters 74-91 : int = 8 result of call at line 30, characters 74-78 : basic_record = {flag = false; first_val = 9; sec_val = 8} Categorizations of models: - Selected model 0: INCOMPLETE - Concrete RAC: INCOMPLETE (terminated because Precondition of `var_overwrite` cannot be evaluated) - Abstract RAC: INCOMPLETE (terminated because Precondition of `var_overwrite` cannot be evaluated) - Checked model 1: INCOMPLETE - Concrete RAC: INCOMPLETE (terminated because Precondition of `var_overwrite` cannot be evaluated) - Abstract RAC: INCOMPLETE (terminated because Precondition of `var_overwrite` cannot be evaluated) File "bench/check-ce/array_records_poly.mlw", line 30, characters 5-92: Sub-goal Index in array bounds of goal var_overwrite'vc. Prover result is: Unknown or time/memory/step limit. The following counterexample model could not be verified (both RAC terminated because Precondition of `var_overwrite` cannot be evaluated): File array.mlw: Line 17: length : ty -> uni -> int = fun x!097 x!13 -> 0 File array_records_poly.mlw: Line 23: i : int = -1 Line 27: result of call at line 27, characters 13-81 : basic_record = {flag = true; first_val = 3; sec_val = 69} result of call at line 27, characters 21-30 : bool = true result of call at line 27, characters 21-25 : basic_record = {flag = true; first_val = 3; sec_val = 5} result of call at line 27, characters 45-61 : int = 3 result of call at line 27, characters 45-49 : basic_record = {flag = true; first_val = 3; sec_val = 5} Line 28: result of call at line 28, characters 13-82 : basic_record = {flag = false; first_val = 42; sec_val = 2} result of call at line 28, characters 21-30 : bool = false result of call at line 28, characters 21-25 : basic_record = {flag = false; first_val = 4; sec_val = 2} result of call at line 28, characters 64-81 : int = 2 result of call at line 28, characters 64-68 : basic_record = {flag = false; first_val = 4; sec_val = 2} Line 29: result of call at line 29, characters 13-82 : basic_record = {flag = false; first_val = 23; sec_val = 6} result of call at line 29, characters 21-30 : bool = false result of call at line 29, characters 21-25 : basic_record = {flag = false; first_val = 7; sec_val = 6} result of call at line 29, characters 64-81 : int = 6 result of call at line 29, characters 64-68 : basic_record = {flag = false; first_val = 7; sec_val = 6} Line 30: i : int = -1 result of call at line 30, characters 13-92 : basic_record = {flag = false; first_val = 9; sec_val = 8} result of call at line 30, characters 41-57 : int = 9 result of call at line 30, characters 41-45 : basic_record = {flag = false; first_val = 9; sec_val = 8} result of call at line 30, characters 74-91 : int = 8 result of call at line 30, characters 74-78 : basic_record = {flag = false; first_val = 9; sec_val = 8} File "bench/check-ce/array_records_poly.mlw", line 31, characters 13-35: Sub-goal Assertion of goal var_overwrite'vc. Prover result is: Valid. Categorizations of models: - Selected model 0: INCOMPLETE - Concrete RAC: INCOMPLETE (terminated because Precondition of `var_overwrite` cannot be evaluated) - Abstract RAC: INCOMPLETE (terminated because Precondition of `var_overwrite` cannot be evaluated) - Checked model 1: INCOMPLETE - Concrete RAC: INCOMPLETE (terminated because Precondition of `var_overwrite` cannot be evaluated) - Abstract RAC: INCOMPLETE (terminated because Precondition of `var_overwrite` cannot be evaluated) File "bench/check-ce/array_records_poly.mlw", line 25, characters 15-36: Sub-goal Postcondition of goal var_overwrite'vc. Prover result is: Unknown or time/memory/step limit. The following counterexample model could not be verified (both RAC terminated because Precondition of `var_overwrite` cannot be evaluated): File array.mlw: Line 17: length : ty -> uni -> int = fun x!0105 x!13 -> 0 File array_records_poly.mlw: Line 23: i : int = 2 Line 25: i : int = 2 Line 27: result of call at line 27, characters 13-81 : basic_record = {flag = true; first_val = 3; sec_val = 69} result of call at line 27, characters 21-30 : bool = true result of call at line 27, characters 21-25 : basic_record = {flag = true; first_val = 3; sec_val = 5} result of call at line 27, characters 45-61 : int = 3 result of call at line 27, characters 45-49 : basic_record = {flag = true; first_val = 3; sec_val = 5} Line 28: result of call at line 28, characters 13-82 : basic_record = {flag = false; first_val = 42; sec_val = 6} result of call at line 28, characters 21-30 : bool = false result of call at line 28, characters 21-25 : basic_record = {flag = false; first_val = 7; sec_val = 6} result of call at line 28, characters 64-81 : int = 6 result of call at line 28, characters 64-68 : basic_record = {flag = false; first_val = 7; sec_val = 6} Line 29: result of call at line 29, characters 13-82 : basic_record = {flag = false; first_val = 23; sec_val = 8} result of call at line 29, characters 21-30 : bool = false result of call at line 29, characters 21-25 : basic_record = {flag = false; first_val = 9; sec_val = 8} result of call at line 29, characters 64-81 : int = 8 result of call at line 29, characters 64-68 : basic_record = {flag = false; first_val = 9; sec_val = 8} Line 30: result of call at line 30, characters 13-92 : basic_record = {flag = false; first_val = 11; sec_val = 10} result of call at line 30, characters 41-57 : int = 11 result of call at line 30, characters 41-45 : basic_record = {flag = false; first_val = 11; sec_val = 10} result of call at line 30, characters 74-91 : int = 10 result of call at line 30, characters 74-78 : basic_record = {flag = false; first_val = 11; sec_val = 10} why3-1.6.0/bench/check-ce/oracles/array_records_poly_Z3,4.8.10_WP.oracle000066400000000000000000000625761440160026300253750ustar00rootroot00000000000000Categorizations of models: - Checked model 0: INCOMPLETE - Concrete RAC: INCOMPLETE (terminated because Precondition of `var_overwrite` cannot be evaluated) - Abstract RAC: INCOMPLETE (terminated because Precondition of `var_overwrite` cannot be evaluated) - Selected model 1: INCOMPLETE - Concrete RAC: INCOMPLETE (terminated because Precondition of `var_overwrite` cannot be evaluated) - Abstract RAC: INCOMPLETE (terminated because Precondition of `var_overwrite` cannot be evaluated) File "bench/check-ce/array_records_poly.mlw", line 27, characters 45-49: Sub-goal Index in array bounds of goal var_overwrite'vc. Prover result is: Unknown or time/memory/step limit. The following counterexample model could not be verified (both RAC terminated because Precondition of `var_overwrite` cannot be evaluated): File array_records_poly.mlw: Line 23: i : int = -1 Line 27: i : int = -1 Categorizations of models: - Checked model 0: INCOMPLETE - Concrete RAC: INCOMPLETE (terminated because Precondition of `var_overwrite` cannot be evaluated) - Abstract RAC: INCOMPLETE (terminated because Precondition of `var_overwrite` cannot be evaluated) - Selected model 1: INCOMPLETE - Concrete RAC: INCOMPLETE (terminated because Precondition of `var_overwrite` cannot be evaluated) - Abstract RAC: INCOMPLETE (terminated because Precondition of `var_overwrite` cannot be evaluated) File "bench/check-ce/array_records_poly.mlw", line 27, characters 21-25: Sub-goal Index in array bounds of goal var_overwrite'vc. Prover result is: Unknown or time/memory/step limit. The following counterexample model could not be verified (both RAC terminated because Precondition of `var_overwrite` cannot be evaluated): File array_records_poly.mlw: Line 23: i : int = -1 Line 27: i : int = -1 result of call at line 27, characters 45-61 : int = 3 result of call at line 27, characters 45-49 : basic_record = {flag = true; first_val = 3; sec_val = 5} Categorizations of models: - Checked model 0: INCOMPLETE - Concrete RAC: INCOMPLETE (terminated because Precondition of `var_overwrite` cannot be evaluated) - Abstract RAC: INCOMPLETE (terminated because Precondition of `var_overwrite` cannot be evaluated) - Selected model 1: INCOMPLETE - Concrete RAC: INCOMPLETE (terminated because Precondition of `var_overwrite` cannot be evaluated) - Abstract RAC: INCOMPLETE (terminated because Precondition of `var_overwrite` cannot be evaluated) File "bench/check-ce/array_records_poly.mlw", line 27, characters 5-81: Sub-goal Index in array bounds of goal var_overwrite'vc. Prover result is: Unknown or time/memory/step limit. The following counterexample model could not be verified (both RAC terminated because Precondition of `var_overwrite` cannot be evaluated): File array_records_poly.mlw: Line 23: i : int = -1 Line 27: i : int = -1 result of call at line 27, characters 13-81 : basic_record = {flag = true; first_val = 3; sec_val = 69} result of call at line 27, characters 21-30 : bool = true result of call at line 27, characters 21-25 : basic_record = {flag = true; first_val = 3; sec_val = 5} result of call at line 27, characters 45-61 : int = 3 result of call at line 27, characters 45-49 : basic_record = {flag = true; first_val = 3; sec_val = 5} Categorizations of models: - Selected model 0: INCOMPLETE - Concrete RAC: INCOMPLETE (terminated because Precondition of `var_overwrite` cannot be evaluated) - Abstract RAC: INCOMPLETE (terminated because Precondition of `var_overwrite` cannot be evaluated) - Checked model 1: INCOMPLETE - Concrete RAC: INCOMPLETE (terminated because Precondition of `var_overwrite` cannot be evaluated) - Abstract RAC: INCOMPLETE (terminated because Precondition of `var_overwrite` cannot be evaluated) File "bench/check-ce/array_records_poly.mlw", line 28, characters 64-68: Sub-goal Index in array bounds of goal var_overwrite'vc. Prover result is: Unknown or time/memory/step limit. The following counterexample model could not be verified (both RAC terminated because Precondition of `var_overwrite` cannot be evaluated): File array.mlw: Line 17: length : ty -> uni -> int = fun x!065 x!13 -> 0 File array_records_poly.mlw: Line 23: i : int = -1 Line 27: result of call at line 27, characters 13-81 : basic_record = {flag = true; first_val = 3; sec_val = 69} result of call at line 27, characters 21-30 : bool = true result of call at line 27, characters 21-25 : basic_record = {flag = true; first_val = 3; sec_val = 5} result of call at line 27, characters 45-61 : int = 3 result of call at line 27, characters 45-49 : basic_record = {flag = true; first_val = 3; sec_val = 5} Line 28: i : int = -1 Categorizations of models: - Selected model 0: INCOMPLETE - Concrete RAC: INCOMPLETE (terminated because Precondition of `var_overwrite` cannot be evaluated) - Abstract RAC: INCOMPLETE (terminated because Precondition of `var_overwrite` cannot be evaluated) - Checked model 1: INCOMPLETE - Concrete RAC: INCOMPLETE (terminated because Precondition of `var_overwrite` cannot be evaluated) - Abstract RAC: INCOMPLETE (terminated because Precondition of `var_overwrite` cannot be evaluated) File "bench/check-ce/array_records_poly.mlw", line 28, characters 21-25: Sub-goal Index in array bounds of goal var_overwrite'vc. Prover result is: Unknown or time/memory/step limit. The following counterexample model could not be verified (both RAC terminated because Precondition of `var_overwrite` cannot be evaluated): File array.mlw: Line 17: length : ty -> uni -> int = fun x!069 x!13 -> 0 File array_records_poly.mlw: Line 23: i : int = -1 Line 27: result of call at line 27, characters 13-81 : basic_record = {flag = true; first_val = 3; sec_val = 69} result of call at line 27, characters 21-30 : bool = true result of call at line 27, characters 21-25 : basic_record = {flag = true; first_val = 3; sec_val = 5} result of call at line 27, characters 45-61 : int = 3 result of call at line 27, characters 45-49 : basic_record = {flag = true; first_val = 3; sec_val = 5} Line 28: i : int = -1 result of call at line 28, characters 64-81 : int = 2 result of call at line 28, characters 64-68 : basic_record = {flag = false; first_val = 4; sec_val = 2} Categorizations of models: - Selected model 0: INCOMPLETE - Concrete RAC: INCOMPLETE (terminated because Precondition of `var_overwrite` cannot be evaluated) - Abstract RAC: INCOMPLETE (terminated because Precondition of `var_overwrite` cannot be evaluated) - Checked model 1: INCOMPLETE - Concrete RAC: INCOMPLETE (terminated because Precondition of `var_overwrite` cannot be evaluated) - Abstract RAC: INCOMPLETE (terminated because Precondition of `var_overwrite` cannot be evaluated) File "bench/check-ce/array_records_poly.mlw", line 28, characters 5-82: Sub-goal Index in array bounds of goal var_overwrite'vc. Prover result is: Unknown or time/memory/step limit. The following counterexample model could not be verified (both RAC terminated because Precondition of `var_overwrite` cannot be evaluated): File array.mlw: Line 17: length : ty -> uni -> int = fun x!073 x!13 -> 0 File array_records_poly.mlw: Line 23: i : int = -1 Line 27: result of call at line 27, characters 13-81 : basic_record = {flag = true; first_val = 3; sec_val = 69} result of call at line 27, characters 21-30 : bool = true result of call at line 27, characters 21-25 : basic_record = {flag = true; first_val = 3; sec_val = 5} result of call at line 27, characters 45-61 : int = 3 result of call at line 27, characters 45-49 : basic_record = {flag = true; first_val = 3; sec_val = 5} Line 28: i : int = -1 result of call at line 28, characters 13-82 : basic_record = {flag = false; first_val = 42; sec_val = 2} result of call at line 28, characters 21-30 : bool = false result of call at line 28, characters 21-25 : basic_record = {flag = false; first_val = 4; sec_val = 2} result of call at line 28, characters 64-81 : int = 2 result of call at line 28, characters 64-68 : basic_record = {flag = false; first_val = 4; sec_val = 2} Categorizations of models: - Selected model 0: INCOMPLETE - Concrete RAC: INCOMPLETE (terminated because Precondition of `var_overwrite` cannot be evaluated) - Abstract RAC: INCOMPLETE (terminated because Precondition of `var_overwrite` cannot be evaluated) - Checked model 1: INCOMPLETE - Concrete RAC: INCOMPLETE (terminated because Precondition of `var_overwrite` cannot be evaluated) - Abstract RAC: INCOMPLETE (terminated because Precondition of `var_overwrite` cannot be evaluated) File "bench/check-ce/array_records_poly.mlw", line 29, characters 64-68: Sub-goal Index in array bounds of goal var_overwrite'vc. Prover result is: Unknown or time/memory/step limit. The following counterexample model could not be verified (both RAC terminated because Precondition of `var_overwrite` cannot be evaluated): File array.mlw: Line 17: length : ty -> uni -> int = fun x!077 x!13 -> 0 File array_records_poly.mlw: Line 23: i : int = -1 Line 27: result of call at line 27, characters 13-81 : basic_record = {flag = true; first_val = 3; sec_val = 69} result of call at line 27, characters 21-30 : bool = true result of call at line 27, characters 21-25 : basic_record = {flag = true; first_val = 3; sec_val = 5} result of call at line 27, characters 45-61 : int = 3 result of call at line 27, characters 45-49 : basic_record = {flag = true; first_val = 3; sec_val = 5} Line 28: result of call at line 28, characters 13-82 : basic_record = {flag = false; first_val = 42; sec_val = 2} result of call at line 28, characters 21-30 : bool = false result of call at line 28, characters 21-25 : basic_record = {flag = false; first_val = 4; sec_val = 2} result of call at line 28, characters 64-81 : int = 2 result of call at line 28, characters 64-68 : basic_record = {flag = false; first_val = 4; sec_val = 2} Line 29: i : int = -1 Categorizations of models: - Selected model 0: INCOMPLETE - Concrete RAC: INCOMPLETE (terminated because Precondition of `var_overwrite` cannot be evaluated) - Abstract RAC: INCOMPLETE (terminated because Precondition of `var_overwrite` cannot be evaluated) - Checked model 1: INCOMPLETE - Concrete RAC: INCOMPLETE (terminated because Precondition of `var_overwrite` cannot be evaluated) - Abstract RAC: INCOMPLETE (terminated because Precondition of `var_overwrite` cannot be evaluated) File "bench/check-ce/array_records_poly.mlw", line 29, characters 21-25: Sub-goal Index in array bounds of goal var_overwrite'vc. Prover result is: Unknown or time/memory/step limit. The following counterexample model could not be verified (both RAC terminated because Precondition of `var_overwrite` cannot be evaluated): File array.mlw: Line 17: length : ty -> uni -> int = fun x!081 x!13 -> 0 File array_records_poly.mlw: Line 23: i : int = -1 Line 27: result of call at line 27, characters 13-81 : basic_record = {flag = true; first_val = 3; sec_val = 69} result of call at line 27, characters 21-30 : bool = true result of call at line 27, characters 21-25 : basic_record = {flag = true; first_val = 3; sec_val = 5} result of call at line 27, characters 45-61 : int = 3 result of call at line 27, characters 45-49 : basic_record = {flag = true; first_val = 3; sec_val = 5} Line 28: result of call at line 28, characters 13-82 : basic_record = {flag = false; first_val = 42; sec_val = 2} result of call at line 28, characters 21-30 : bool = false result of call at line 28, characters 21-25 : basic_record = {flag = false; first_val = 4; sec_val = 2} result of call at line 28, characters 64-81 : int = 2 result of call at line 28, characters 64-68 : basic_record = {flag = false; first_val = 4; sec_val = 2} Line 29: i : int = -1 result of call at line 29, characters 64-81 : int = 6 result of call at line 29, characters 64-68 : basic_record = {flag = false; first_val = 7; sec_val = 6} Categorizations of models: - Selected model 0: INCOMPLETE - Concrete RAC: INCOMPLETE (terminated because Precondition of `var_overwrite` cannot be evaluated) - Abstract RAC: INCOMPLETE (terminated because Precondition of `var_overwrite` cannot be evaluated) - Checked model 1: INCOMPLETE - Concrete RAC: INCOMPLETE (terminated because Precondition of `var_overwrite` cannot be evaluated) - Abstract RAC: INCOMPLETE (terminated because Precondition of `var_overwrite` cannot be evaluated) File "bench/check-ce/array_records_poly.mlw", line 29, characters 5-82: Sub-goal Index in array bounds of goal var_overwrite'vc. Prover result is: Unknown or time/memory/step limit. The following counterexample model could not be verified (both RAC terminated because Precondition of `var_overwrite` cannot be evaluated): File array.mlw: Line 17: length : ty -> uni -> int = fun x!085 x!13 -> 0 File array_records_poly.mlw: Line 23: i : int = -1 Line 27: result of call at line 27, characters 13-81 : basic_record = {flag = true; first_val = 3; sec_val = 69} result of call at line 27, characters 21-30 : bool = true result of call at line 27, characters 21-25 : basic_record = {flag = true; first_val = 3; sec_val = 5} result of call at line 27, characters 45-61 : int = 3 result of call at line 27, characters 45-49 : basic_record = {flag = true; first_val = 3; sec_val = 5} Line 28: result of call at line 28, characters 13-82 : basic_record = {flag = false; first_val = 42; sec_val = 2} result of call at line 28, characters 21-30 : bool = false result of call at line 28, characters 21-25 : basic_record = {flag = false; first_val = 4; sec_val = 2} result of call at line 28, characters 64-81 : int = 2 result of call at line 28, characters 64-68 : basic_record = {flag = false; first_val = 4; sec_val = 2} Line 29: i : int = -1 result of call at line 29, characters 13-82 : basic_record = {flag = false; first_val = 23; sec_val = 6} result of call at line 29, characters 21-30 : bool = false result of call at line 29, characters 21-25 : basic_record = {flag = false; first_val = 7; sec_val = 6} result of call at line 29, characters 64-81 : int = 6 result of call at line 29, characters 64-68 : basic_record = {flag = false; first_val = 7; sec_val = 6} Categorizations of models: - Selected model 0: INCOMPLETE - Concrete RAC: INCOMPLETE (terminated because Precondition of `var_overwrite` cannot be evaluated) - Abstract RAC: INCOMPLETE (terminated because Precondition of `var_overwrite` cannot be evaluated) - Checked model 1: INCOMPLETE - Concrete RAC: INCOMPLETE (terminated because Precondition of `var_overwrite` cannot be evaluated) - Abstract RAC: INCOMPLETE (terminated because Precondition of `var_overwrite` cannot be evaluated) File "bench/check-ce/array_records_poly.mlw", line 30, characters 74-78: Sub-goal Index in array bounds of goal var_overwrite'vc. Prover result is: Unknown or time/memory/step limit. The following counterexample model could not be verified (both RAC terminated because Precondition of `var_overwrite` cannot be evaluated): File array.mlw: Line 17: length : ty -> uni -> int = fun x!089 x!13 -> 0 File array_records_poly.mlw: Line 23: i : int = -1 Line 27: result of call at line 27, characters 13-81 : basic_record = {flag = true; first_val = 3; sec_val = 69} result of call at line 27, characters 21-30 : bool = true result of call at line 27, characters 21-25 : basic_record = {flag = true; first_val = 3; sec_val = 5} result of call at line 27, characters 45-61 : int = 3 result of call at line 27, characters 45-49 : basic_record = {flag = true; first_val = 3; sec_val = 5} Line 28: result of call at line 28, characters 13-82 : basic_record = {flag = false; first_val = 42; sec_val = 2} result of call at line 28, characters 21-30 : bool = false result of call at line 28, characters 21-25 : basic_record = {flag = false; first_val = 4; sec_val = 2} result of call at line 28, characters 64-81 : int = 2 result of call at line 28, characters 64-68 : basic_record = {flag = false; first_val = 4; sec_val = 2} Line 29: result of call at line 29, characters 13-82 : basic_record = {flag = false; first_val = 23; sec_val = 6} result of call at line 29, characters 21-30 : bool = false result of call at line 29, characters 21-25 : basic_record = {flag = false; first_val = 7; sec_val = 6} result of call at line 29, characters 64-81 : int = 6 result of call at line 29, characters 64-68 : basic_record = {flag = false; first_val = 7; sec_val = 6} Line 30: i : int = -1 Categorizations of models: - Selected model 0: INCOMPLETE - Concrete RAC: INCOMPLETE (terminated because Precondition of `var_overwrite` cannot be evaluated) - Abstract RAC: INCOMPLETE (terminated because Precondition of `var_overwrite` cannot be evaluated) - Checked model 1: INCOMPLETE - Concrete RAC: INCOMPLETE (terminated because Precondition of `var_overwrite` cannot be evaluated) - Abstract RAC: INCOMPLETE (terminated because Precondition of `var_overwrite` cannot be evaluated) File "bench/check-ce/array_records_poly.mlw", line 30, characters 41-45: Sub-goal Index in array bounds of goal var_overwrite'vc. Prover result is: Unknown or time/memory/step limit. The following counterexample model could not be verified (both RAC terminated because Precondition of `var_overwrite` cannot be evaluated): File array.mlw: Line 17: length : ty -> uni -> int = fun x!093 x!13 -> 0 File array_records_poly.mlw: Line 23: i : int = -1 Line 27: result of call at line 27, characters 13-81 : basic_record = {flag = true; first_val = 3; sec_val = 69} result of call at line 27, characters 21-30 : bool = true result of call at line 27, characters 21-25 : basic_record = {flag = true; first_val = 3; sec_val = 5} result of call at line 27, characters 45-61 : int = 3 result of call at line 27, characters 45-49 : basic_record = {flag = true; first_val = 3; sec_val = 5} Line 28: result of call at line 28, characters 13-82 : basic_record = {flag = false; first_val = 42; sec_val = 2} result of call at line 28, characters 21-30 : bool = false result of call at line 28, characters 21-25 : basic_record = {flag = false; first_val = 4; sec_val = 2} result of call at line 28, characters 64-81 : int = 2 result of call at line 28, characters 64-68 : basic_record = {flag = false; first_val = 4; sec_val = 2} Line 29: result of call at line 29, characters 13-82 : basic_record = {flag = false; first_val = 23; sec_val = 6} result of call at line 29, characters 21-30 : bool = false result of call at line 29, characters 21-25 : basic_record = {flag = false; first_val = 7; sec_val = 6} result of call at line 29, characters 64-81 : int = 6 result of call at line 29, characters 64-68 : basic_record = {flag = false; first_val = 7; sec_val = 6} Line 30: i : int = -1 result of call at line 30, characters 74-91 : int = 8 result of call at line 30, characters 74-78 : basic_record = {flag = false; first_val = 9; sec_val = 8} Categorizations of models: - Selected model 0: INCOMPLETE - Concrete RAC: INCOMPLETE (terminated because Precondition of `var_overwrite` cannot be evaluated) - Abstract RAC: INCOMPLETE (terminated because Precondition of `var_overwrite` cannot be evaluated) - Checked model 1: INCOMPLETE - Concrete RAC: INCOMPLETE (terminated because Precondition of `var_overwrite` cannot be evaluated) - Abstract RAC: INCOMPLETE (terminated because Precondition of `var_overwrite` cannot be evaluated) File "bench/check-ce/array_records_poly.mlw", line 30, characters 5-92: Sub-goal Index in array bounds of goal var_overwrite'vc. Prover result is: Unknown or time/memory/step limit. The following counterexample model could not be verified (both RAC terminated because Precondition of `var_overwrite` cannot be evaluated): File array.mlw: Line 17: length : ty -> uni -> int = fun x!097 x!13 -> 0 File array_records_poly.mlw: Line 23: i : int = -1 Line 27: result of call at line 27, characters 13-81 : basic_record = {flag = true; first_val = 3; sec_val = 69} result of call at line 27, characters 21-30 : bool = true result of call at line 27, characters 21-25 : basic_record = {flag = true; first_val = 3; sec_val = 5} result of call at line 27, characters 45-61 : int = 3 result of call at line 27, characters 45-49 : basic_record = {flag = true; first_val = 3; sec_val = 5} Line 28: result of call at line 28, characters 13-82 : basic_record = {flag = false; first_val = 42; sec_val = 2} result of call at line 28, characters 21-30 : bool = false result of call at line 28, characters 21-25 : basic_record = {flag = false; first_val = 4; sec_val = 2} result of call at line 28, characters 64-81 : int = 2 result of call at line 28, characters 64-68 : basic_record = {flag = false; first_val = 4; sec_val = 2} Line 29: result of call at line 29, characters 13-82 : basic_record = {flag = false; first_val = 23; sec_val = 6} result of call at line 29, characters 21-30 : bool = false result of call at line 29, characters 21-25 : basic_record = {flag = false; first_val = 7; sec_val = 6} result of call at line 29, characters 64-81 : int = 6 result of call at line 29, characters 64-68 : basic_record = {flag = false; first_val = 7; sec_val = 6} Line 30: i : int = -1 result of call at line 30, characters 13-92 : basic_record = {flag = false; first_val = 9; sec_val = 8} result of call at line 30, characters 41-57 : int = 9 result of call at line 30, characters 41-45 : basic_record = {flag = false; first_val = 9; sec_val = 8} result of call at line 30, characters 74-91 : int = 8 result of call at line 30, characters 74-78 : basic_record = {flag = false; first_val = 9; sec_val = 8} File "bench/check-ce/array_records_poly.mlw", line 31, characters 13-35: Sub-goal Assertion of goal var_overwrite'vc. Prover result is: Valid. Categorizations of models: - Selected model 0: INCOMPLETE - Concrete RAC: INCOMPLETE (terminated because Precondition of `var_overwrite` cannot be evaluated) - Abstract RAC: INCOMPLETE (terminated because Precondition of `var_overwrite` cannot be evaluated) - Checked model 1: INCOMPLETE - Concrete RAC: INCOMPLETE (terminated because Precondition of `var_overwrite` cannot be evaluated) - Abstract RAC: INCOMPLETE (terminated because Precondition of `var_overwrite` cannot be evaluated) File "bench/check-ce/array_records_poly.mlw", line 25, characters 15-36: Sub-goal Postcondition of goal var_overwrite'vc. Prover result is: Unknown or time/memory/step limit. The following counterexample model could not be verified (both RAC terminated because Precondition of `var_overwrite` cannot be evaluated): File array.mlw: Line 17: length : ty -> uni -> int = fun x!0105 x!13 -> 0 File array_records_poly.mlw: Line 23: i : int = 2 Line 25: i : int = 2 Line 27: result of call at line 27, characters 13-81 : basic_record = {flag = true; first_val = 3; sec_val = 69} result of call at line 27, characters 21-30 : bool = true result of call at line 27, characters 21-25 : basic_record = {flag = true; first_val = 3; sec_val = 5} result of call at line 27, characters 45-61 : int = 3 result of call at line 27, characters 45-49 : basic_record = {flag = true; first_val = 3; sec_val = 5} Line 28: result of call at line 28, characters 13-82 : basic_record = {flag = false; first_val = 42; sec_val = 6} result of call at line 28, characters 21-30 : bool = false result of call at line 28, characters 21-25 : basic_record = {flag = false; first_val = 7; sec_val = 6} result of call at line 28, characters 64-81 : int = 6 result of call at line 28, characters 64-68 : basic_record = {flag = false; first_val = 7; sec_val = 6} Line 29: result of call at line 29, characters 13-82 : basic_record = {flag = false; first_val = 23; sec_val = 8} result of call at line 29, characters 21-30 : bool = false result of call at line 29, characters 21-25 : basic_record = {flag = false; first_val = 9; sec_val = 8} result of call at line 29, characters 64-81 : int = 8 result of call at line 29, characters 64-68 : basic_record = {flag = false; first_val = 9; sec_val = 8} Line 30: result of call at line 30, characters 13-92 : basic_record = {flag = false; first_val = 11; sec_val = 10} result of call at line 30, characters 41-57 : int = 11 result of call at line 30, characters 41-45 : basic_record = {flag = false; first_val = 11; sec_val = 10} result of call at line 30, characters 74-91 : int = 10 result of call at line 30, characters 74-78 : basic_record = {flag = false; first_val = 11; sec_val = 10} why3-1.6.0/bench/check-ce/oracles/attributes_CVC4,1.8_SP.oracle000066400000000000000000000303161440160026300236210ustar00rootroot00000000000000Categorizations of models: - Selected model 0: NC - Concrete RAC: FAILURE (assertion at "bench/check-ce/attributes.mlw", line 11, characters 42-49) - Abstract RAC: FAILURE (assertion at "bench/check-ce/attributes.mlw", line 11, characters 42-49) - Checked model 1: NC - Concrete RAC: FAILURE (assertion at "bench/check-ce/attributes.mlw", line 11, characters 42-49) - Abstract RAC: FAILURE (assertion at "bench/check-ce/attributes.mlw", line 11, characters 42-49) File "bench/check-ce/attributes.mlw", line 11, characters 42-49: Sub-goal Assertion of goal f'vc. Prover result is: Unknown or time/memory/step limit. The program does not comply to the verification goal, for example during the following execution: File int.mlw: Line 13: Constant zero initialization zero = 0 Line 14: Constant one initialization one = 1 Unknown location: _ = () File attributes.mlw: Line 4: _ = () Execution of main function `f` with env: _ = () zero = 0 one = 1 Line 5: Normal execution of function `ref` with args: contents = 0 Normal execution of function `ref'mk` with args: contents = 0 Line 7: Normal execution of function `contents` with args: arg = {contents= 0} Normal execution of function `(<)` with args: _ = 0 _ = 10 Normal iteration of loop Normal execution of function `contents` with args: arg = {contents= 0} Normal execution of function `(+)` with args: _ = 0 _ = 3 Normal execution of function `contents` with args: arg = {contents= 3} Normal execution of function `(<)` with args: _ = 3 _ = 10 Normal iteration of loop Normal execution of function `contents` with args: arg = {contents= 3} Normal execution of function `(+)` with args: _ = 3 _ = 3 Normal execution of function `contents` with args: arg = {contents= 6} Normal execution of function `(<)` with args: _ = 6 _ = 10 Normal iteration of loop Normal execution of function `contents` with args: arg = {contents= 6} Normal execution of function `(+)` with args: _ = 6 _ = 3 Normal execution of function `contents` with args: arg = {contents= 9} Normal execution of function `(<)` with args: _ = 9 _ = 10 Normal iteration of loop Normal execution of function `contents` with args: arg = {contents= 9} Normal execution of function `(+)` with args: _ = 9 _ = 3 Normal execution of function `contents` with args: arg = {contents= 12} Normal execution of function `(<)` with args: _ = 12 _ = 10 Line 9: Normal execution of function `contents` with args: arg = {contents= 12} Normal execution of function `(<)` with args: _ = 12 _ = 100 Normal iteration of loop Normal execution of function `contents` with args: arg = {contents= 12} Normal execution of function `(+)` with args: _ = 12 _ = 7 Normal execution of function `contents` with args: arg = {contents= 19} Normal execution of function `(<)` with args: _ = 19 _ = 100 Normal iteration of loop Normal execution of function `contents` with args: arg = {contents= 19} Normal execution of function `(+)` with args: _ = 19 _ = 7 Normal execution of function `contents` with args: arg = {contents= 26} Normal execution of function `(<)` with args: _ = 26 _ = 100 Normal iteration of loop Normal execution of function `contents` with args: arg = {contents= 26} Normal execution of function `(+)` with args: _ = 26 _ = 7 Normal execution of function `contents` with args: arg = {contents= 33} Normal execution of function `(<)` with args: _ = 33 _ = 100 Normal iteration of loop Normal execution of function `contents` with args: arg = {contents= 33} Normal execution of function `(+)` with args: _ = 33 _ = 7 Normal execution of function `contents` with args: arg = {contents= 40} Normal execution of function `(<)` with args: _ = 40 _ = 100 Normal iteration of loop Normal execution of function `contents` with args: arg = {contents= 40} Normal execution of function `(+)` with args: _ = 40 _ = 7 Normal execution of function `contents` with args: arg = {contents= 47} Normal execution of function `(<)` with args: _ = 47 _ = 100 Normal iteration of loop Normal execution of function `contents` with args: arg = {contents= 47} Normal execution of function `(+)` with args: _ = 47 _ = 7 Normal execution of function `contents` with args: arg = {contents= 54} Normal execution of function `(<)` with args: _ = 54 _ = 100 Normal iteration of loop Normal execution of function `contents` with args: arg = {contents= 54} Normal execution of function `(+)` with args: _ = 54 _ = 7 Normal execution of function `contents` with args: arg = {contents= 61} Normal execution of function `(<)` with args: _ = 61 _ = 100 Normal iteration of loop Normal execution of function `contents` with args: arg = {contents= 61} Normal execution of function `(+)` with args: _ = 61 _ = 7 Normal execution of function `contents` with args: arg = {contents= 68} Normal execution of function `(<)` with args: _ = 68 _ = 100 Normal iteration of loop Normal execution of function `contents` with args: arg = {contents= 68} Normal execution of function `(+)` with args: _ = 68 _ = 7 Normal execution of function `contents` with args: arg = {contents= 75} Normal execution of function `(<)` with args: _ = 75 _ = 100 Normal iteration of loop Normal execution of function `contents` with args: arg = {contents= 75} Normal execution of function `(+)` with args: _ = 75 _ = 7 Normal execution of function `contents` with args: arg = {contents= 82} Normal execution of function `(<)` with args: _ = 82 _ = 100 Normal iteration of loop Normal execution of function `contents` with args: arg = {contents= 82} Normal execution of function `(+)` with args: _ = 82 _ = 7 Normal execution of function `contents` with args: arg = {contents= 89} Normal execution of function `(<)` with args: _ = 89 _ = 100 Normal iteration of loop Normal execution of function `contents` with args: arg = {contents= 89} Normal execution of function `(+)` with args: _ = 89 _ = 7 Normal execution of function `contents` with args: arg = {contents= 96} Normal execution of function `(<)` with args: _ = 96 _ = 100 Normal iteration of loop Normal execution of function `contents` with args: arg = {contents= 96} Normal execution of function `(+)` with args: _ = 96 _ = 7 Normal execution of function `contents` with args: arg = {contents= 103} Normal execution of function `(<)` with args: _ = 103 _ = 100 Line 11: Normal execution of function `contents` with args: arg = {contents= 103} Normal execution of function `(<)` with args: _ = 103 _ = 1000 Normal iteration of loop Normal execution of function `contents` with args: arg = {contents= 103} Normal execution of function `(+)` with args: _ = 103 _ = 10 Normal execution of function `contents` with args: arg = {contents= 113} Normal execution of function `(<)` with args: _ = 113 _ = 1000 Normal iteration of loop Normal execution of function `contents` with args: arg = {contents= 113} Normal execution of function `(+)` with args: _ = 113 _ = 10 Normal execution of function `contents` with args: arg = {contents= 123} Normal execution of function `(<)` with args: _ = 123 _ = 1000 Normal iteration of loop Normal execution of function `contents` with args: arg = {contents= 123} Normal execution of function `(+)` with args: _ = 123 _ = 10 Normal execution of function `contents` with args: arg = {contents= 133} Normal execution of function `(<)` with args: _ = 133 _ = 1000 Normal iteration of loop Normal execution of function `contents` with args: arg = {contents= 133} Normal execution of function `(+)` with args: _ = 133 _ = 10 Normal execution of function `contents` with args: arg = {contents= 143} Normal execution of function `(<)` with args: _ = 143 _ = 1000 Normal iteration of loop Normal execution of function `contents` with args: arg = {contents= 143} Normal execution of function `(+)` with args: _ = 143 _ = 10 Normal execution of function `contents` with args: arg = {contents= 153} Normal execution of function `(<)` with args: _ = 153 _ = 1000 Normal iteration of loop Normal execution of function `contents` with args: arg = {contents= 153} Normal execution of function `(+)` with args: _ = 153 _ = 10 Normal execution of function `contents` with args: arg = {contents= 163} Normal execution of function `(<)` with args: _ = 163 _ = 1000 Normal iteration of loop Normal execution of function `contents` with args: arg = {contents= 163} Normal execution of function `(+)` with args: _ = 163 _ = 10 Normal execution of function `contents` with args: arg = {contents= 173} Normal execution of function `(<)` with args: _ = 173 _ = 1000 Normal iteration of loop Normal execution of function `contents` with args: arg = {contents= 173} Normal execution of function `(+)` with args: _ = 173 _ = 10 Normal execution of function `contents` with args: arg = {contents= 183} Normal execution of function `(<)` with args: _ = 183 _ = 1000 Normal iteration of loop Normal execution of function `contents` with args: arg = {contents= 183} Normal execution of function `(+)` with args: _ = 183 _ = 10 Normal execution of function `contents` with args: arg = {contents= 193} Normal execution of function `(<)` with args: _ = 193 _ = 1000 Normal iteration of loop Normal execution of function `contents` with args: arg = {contents= 193} Normal execution of function `(+)` with args: _ = 193 _ = 10 Property failure at assertion with: x = {contents= 203} Categorizations of models: - Selected model 0: NC - Concrete RAC: FAILURE (assertion at "bench/check-ce/attributes.mlw", line 23, characters 11-18) - Abstract RAC: FAILURE (assertion at "bench/check-ce/attributes.mlw", line 23, characters 11-18) - Checked model 1: NC - Concrete RAC: FAILURE (assertion at "bench/check-ce/attributes.mlw", line 23, characters 11-18) - Abstract RAC: FAILURE (assertion at "bench/check-ce/attributes.mlw", line 23, characters 11-18) File "bench/check-ce/attributes.mlw", line 23, characters 11-18: Sub-goal Assertion of goal g'vc. Prover result is: Unknown or time/memory/step limit. The program does not comply to the verification goal, for example during the following execution: File int.mlw: Line 13: Constant zero initialization zero = 0 Line 14: Constant one initialization one = 1 Unknown location: _ = () File attributes.mlw: Line 19: _ = () Execution of main function `g` with env: _ = () zero = 0 one = 1 Line 20: Normal execution of function `ref` with args: contents = 0 Normal execution of function `ref'mk` with args: contents = 0 Line 21: (giant-step) execution of unimplemented function `h` y = {contents= 0} x = {contents= 1} result of `h` = () Line 22: (giant-step) execution of unimplemented function `h` y = {contents= 1} x = {contents= 200} result of `h` = () Line 23: Property failure at assertion with: x = {contents= 200} why3-1.6.0/bench/check-ce/oracles/attributes_CVC4,1.8_WP.oracle000066400000000000000000000303161440160026300236250ustar00rootroot00000000000000Categorizations of models: - Selected model 0: NC - Concrete RAC: FAILURE (assertion at "bench/check-ce/attributes.mlw", line 11, characters 42-49) - Abstract RAC: FAILURE (assertion at "bench/check-ce/attributes.mlw", line 11, characters 42-49) - Checked model 1: NC - Concrete RAC: FAILURE (assertion at "bench/check-ce/attributes.mlw", line 11, characters 42-49) - Abstract RAC: FAILURE (assertion at "bench/check-ce/attributes.mlw", line 11, characters 42-49) File "bench/check-ce/attributes.mlw", line 11, characters 42-49: Sub-goal Assertion of goal f'vc. Prover result is: Unknown or time/memory/step limit. The program does not comply to the verification goal, for example during the following execution: File int.mlw: Line 13: Constant zero initialization zero = 0 Line 14: Constant one initialization one = 1 Unknown location: _ = () File attributes.mlw: Line 4: _ = () Execution of main function `f` with env: _ = () zero = 0 one = 1 Line 5: Normal execution of function `ref` with args: contents = 0 Normal execution of function `ref'mk` with args: contents = 0 Line 7: Normal execution of function `contents` with args: arg = {contents= 0} Normal execution of function `(<)` with args: _ = 0 _ = 10 Normal iteration of loop Normal execution of function `contents` with args: arg = {contents= 0} Normal execution of function `(+)` with args: _ = 0 _ = 3 Normal execution of function `contents` with args: arg = {contents= 3} Normal execution of function `(<)` with args: _ = 3 _ = 10 Normal iteration of loop Normal execution of function `contents` with args: arg = {contents= 3} Normal execution of function `(+)` with args: _ = 3 _ = 3 Normal execution of function `contents` with args: arg = {contents= 6} Normal execution of function `(<)` with args: _ = 6 _ = 10 Normal iteration of loop Normal execution of function `contents` with args: arg = {contents= 6} Normal execution of function `(+)` with args: _ = 6 _ = 3 Normal execution of function `contents` with args: arg = {contents= 9} Normal execution of function `(<)` with args: _ = 9 _ = 10 Normal iteration of loop Normal execution of function `contents` with args: arg = {contents= 9} Normal execution of function `(+)` with args: _ = 9 _ = 3 Normal execution of function `contents` with args: arg = {contents= 12} Normal execution of function `(<)` with args: _ = 12 _ = 10 Line 9: Normal execution of function `contents` with args: arg = {contents= 12} Normal execution of function `(<)` with args: _ = 12 _ = 100 Normal iteration of loop Normal execution of function `contents` with args: arg = {contents= 12} Normal execution of function `(+)` with args: _ = 12 _ = 7 Normal execution of function `contents` with args: arg = {contents= 19} Normal execution of function `(<)` with args: _ = 19 _ = 100 Normal iteration of loop Normal execution of function `contents` with args: arg = {contents= 19} Normal execution of function `(+)` with args: _ = 19 _ = 7 Normal execution of function `contents` with args: arg = {contents= 26} Normal execution of function `(<)` with args: _ = 26 _ = 100 Normal iteration of loop Normal execution of function `contents` with args: arg = {contents= 26} Normal execution of function `(+)` with args: _ = 26 _ = 7 Normal execution of function `contents` with args: arg = {contents= 33} Normal execution of function `(<)` with args: _ = 33 _ = 100 Normal iteration of loop Normal execution of function `contents` with args: arg = {contents= 33} Normal execution of function `(+)` with args: _ = 33 _ = 7 Normal execution of function `contents` with args: arg = {contents= 40} Normal execution of function `(<)` with args: _ = 40 _ = 100 Normal iteration of loop Normal execution of function `contents` with args: arg = {contents= 40} Normal execution of function `(+)` with args: _ = 40 _ = 7 Normal execution of function `contents` with args: arg = {contents= 47} Normal execution of function `(<)` with args: _ = 47 _ = 100 Normal iteration of loop Normal execution of function `contents` with args: arg = {contents= 47} Normal execution of function `(+)` with args: _ = 47 _ = 7 Normal execution of function `contents` with args: arg = {contents= 54} Normal execution of function `(<)` with args: _ = 54 _ = 100 Normal iteration of loop Normal execution of function `contents` with args: arg = {contents= 54} Normal execution of function `(+)` with args: _ = 54 _ = 7 Normal execution of function `contents` with args: arg = {contents= 61} Normal execution of function `(<)` with args: _ = 61 _ = 100 Normal iteration of loop Normal execution of function `contents` with args: arg = {contents= 61} Normal execution of function `(+)` with args: _ = 61 _ = 7 Normal execution of function `contents` with args: arg = {contents= 68} Normal execution of function `(<)` with args: _ = 68 _ = 100 Normal iteration of loop Normal execution of function `contents` with args: arg = {contents= 68} Normal execution of function `(+)` with args: _ = 68 _ = 7 Normal execution of function `contents` with args: arg = {contents= 75} Normal execution of function `(<)` with args: _ = 75 _ = 100 Normal iteration of loop Normal execution of function `contents` with args: arg = {contents= 75} Normal execution of function `(+)` with args: _ = 75 _ = 7 Normal execution of function `contents` with args: arg = {contents= 82} Normal execution of function `(<)` with args: _ = 82 _ = 100 Normal iteration of loop Normal execution of function `contents` with args: arg = {contents= 82} Normal execution of function `(+)` with args: _ = 82 _ = 7 Normal execution of function `contents` with args: arg = {contents= 89} Normal execution of function `(<)` with args: _ = 89 _ = 100 Normal iteration of loop Normal execution of function `contents` with args: arg = {contents= 89} Normal execution of function `(+)` with args: _ = 89 _ = 7 Normal execution of function `contents` with args: arg = {contents= 96} Normal execution of function `(<)` with args: _ = 96 _ = 100 Normal iteration of loop Normal execution of function `contents` with args: arg = {contents= 96} Normal execution of function `(+)` with args: _ = 96 _ = 7 Normal execution of function `contents` with args: arg = {contents= 103} Normal execution of function `(<)` with args: _ = 103 _ = 100 Line 11: Normal execution of function `contents` with args: arg = {contents= 103} Normal execution of function `(<)` with args: _ = 103 _ = 1000 Normal iteration of loop Normal execution of function `contents` with args: arg = {contents= 103} Normal execution of function `(+)` with args: _ = 103 _ = 10 Normal execution of function `contents` with args: arg = {contents= 113} Normal execution of function `(<)` with args: _ = 113 _ = 1000 Normal iteration of loop Normal execution of function `contents` with args: arg = {contents= 113} Normal execution of function `(+)` with args: _ = 113 _ = 10 Normal execution of function `contents` with args: arg = {contents= 123} Normal execution of function `(<)` with args: _ = 123 _ = 1000 Normal iteration of loop Normal execution of function `contents` with args: arg = {contents= 123} Normal execution of function `(+)` with args: _ = 123 _ = 10 Normal execution of function `contents` with args: arg = {contents= 133} Normal execution of function `(<)` with args: _ = 133 _ = 1000 Normal iteration of loop Normal execution of function `contents` with args: arg = {contents= 133} Normal execution of function `(+)` with args: _ = 133 _ = 10 Normal execution of function `contents` with args: arg = {contents= 143} Normal execution of function `(<)` with args: _ = 143 _ = 1000 Normal iteration of loop Normal execution of function `contents` with args: arg = {contents= 143} Normal execution of function `(+)` with args: _ = 143 _ = 10 Normal execution of function `contents` with args: arg = {contents= 153} Normal execution of function `(<)` with args: _ = 153 _ = 1000 Normal iteration of loop Normal execution of function `contents` with args: arg = {contents= 153} Normal execution of function `(+)` with args: _ = 153 _ = 10 Normal execution of function `contents` with args: arg = {contents= 163} Normal execution of function `(<)` with args: _ = 163 _ = 1000 Normal iteration of loop Normal execution of function `contents` with args: arg = {contents= 163} Normal execution of function `(+)` with args: _ = 163 _ = 10 Normal execution of function `contents` with args: arg = {contents= 173} Normal execution of function `(<)` with args: _ = 173 _ = 1000 Normal iteration of loop Normal execution of function `contents` with args: arg = {contents= 173} Normal execution of function `(+)` with args: _ = 173 _ = 10 Normal execution of function `contents` with args: arg = {contents= 183} Normal execution of function `(<)` with args: _ = 183 _ = 1000 Normal iteration of loop Normal execution of function `contents` with args: arg = {contents= 183} Normal execution of function `(+)` with args: _ = 183 _ = 10 Normal execution of function `contents` with args: arg = {contents= 193} Normal execution of function `(<)` with args: _ = 193 _ = 1000 Normal iteration of loop Normal execution of function `contents` with args: arg = {contents= 193} Normal execution of function `(+)` with args: _ = 193 _ = 10 Property failure at assertion with: x = {contents= 203} Categorizations of models: - Selected model 0: NC - Concrete RAC: FAILURE (assertion at "bench/check-ce/attributes.mlw", line 23, characters 11-18) - Abstract RAC: FAILURE (assertion at "bench/check-ce/attributes.mlw", line 23, characters 11-18) - Checked model 1: NC - Concrete RAC: FAILURE (assertion at "bench/check-ce/attributes.mlw", line 23, characters 11-18) - Abstract RAC: FAILURE (assertion at "bench/check-ce/attributes.mlw", line 23, characters 11-18) File "bench/check-ce/attributes.mlw", line 23, characters 11-18: Sub-goal Assertion of goal g'vc. Prover result is: Unknown or time/memory/step limit. The program does not comply to the verification goal, for example during the following execution: File int.mlw: Line 13: Constant zero initialization zero = 0 Line 14: Constant one initialization one = 1 Unknown location: _ = () File attributes.mlw: Line 19: _ = () Execution of main function `g` with env: _ = () zero = 0 one = 1 Line 20: Normal execution of function `ref` with args: contents = 0 Normal execution of function `ref'mk` with args: contents = 0 Line 21: (giant-step) execution of unimplemented function `h` y = {contents= 0} x = {contents= 1} result of `h` = () Line 22: (giant-step) execution of unimplemented function `h` y = {contents= 1} x = {contents= 200} result of `h` = () Line 23: Property failure at assertion with: x = {contents= 200} why3-1.6.0/bench/check-ce/oracles/attributes_CVC5,1.0.0_SP.oracle000066400000000000000000000303161440160026300237500ustar00rootroot00000000000000Categorizations of models: - Selected model 0: NC - Concrete RAC: FAILURE (assertion at "bench/check-ce/attributes.mlw", line 11, characters 42-49) - Abstract RAC: FAILURE (assertion at "bench/check-ce/attributes.mlw", line 11, characters 42-49) - Checked model 1: NC - Concrete RAC: FAILURE (assertion at "bench/check-ce/attributes.mlw", line 11, characters 42-49) - Abstract RAC: FAILURE (assertion at "bench/check-ce/attributes.mlw", line 11, characters 42-49) File "bench/check-ce/attributes.mlw", line 11, characters 42-49: Sub-goal Assertion of goal f'vc. Prover result is: Unknown or time/memory/step limit. The program does not comply to the verification goal, for example during the following execution: File int.mlw: Line 13: Constant zero initialization zero = 0 Line 14: Constant one initialization one = 1 Unknown location: _ = () File attributes.mlw: Line 4: _ = () Execution of main function `f` with env: _ = () zero = 0 one = 1 Line 5: Normal execution of function `ref` with args: contents = 0 Normal execution of function `ref'mk` with args: contents = 0 Line 7: Normal execution of function `contents` with args: arg = {contents= 0} Normal execution of function `(<)` with args: _ = 0 _ = 10 Normal iteration of loop Normal execution of function `contents` with args: arg = {contents= 0} Normal execution of function `(+)` with args: _ = 0 _ = 3 Normal execution of function `contents` with args: arg = {contents= 3} Normal execution of function `(<)` with args: _ = 3 _ = 10 Normal iteration of loop Normal execution of function `contents` with args: arg = {contents= 3} Normal execution of function `(+)` with args: _ = 3 _ = 3 Normal execution of function `contents` with args: arg = {contents= 6} Normal execution of function `(<)` with args: _ = 6 _ = 10 Normal iteration of loop Normal execution of function `contents` with args: arg = {contents= 6} Normal execution of function `(+)` with args: _ = 6 _ = 3 Normal execution of function `contents` with args: arg = {contents= 9} Normal execution of function `(<)` with args: _ = 9 _ = 10 Normal iteration of loop Normal execution of function `contents` with args: arg = {contents= 9} Normal execution of function `(+)` with args: _ = 9 _ = 3 Normal execution of function `contents` with args: arg = {contents= 12} Normal execution of function `(<)` with args: _ = 12 _ = 10 Line 9: Normal execution of function `contents` with args: arg = {contents= 12} Normal execution of function `(<)` with args: _ = 12 _ = 100 Normal iteration of loop Normal execution of function `contents` with args: arg = {contents= 12} Normal execution of function `(+)` with args: _ = 12 _ = 7 Normal execution of function `contents` with args: arg = {contents= 19} Normal execution of function `(<)` with args: _ = 19 _ = 100 Normal iteration of loop Normal execution of function `contents` with args: arg = {contents= 19} Normal execution of function `(+)` with args: _ = 19 _ = 7 Normal execution of function `contents` with args: arg = {contents= 26} Normal execution of function `(<)` with args: _ = 26 _ = 100 Normal iteration of loop Normal execution of function `contents` with args: arg = {contents= 26} Normal execution of function `(+)` with args: _ = 26 _ = 7 Normal execution of function `contents` with args: arg = {contents= 33} Normal execution of function `(<)` with args: _ = 33 _ = 100 Normal iteration of loop Normal execution of function `contents` with args: arg = {contents= 33} Normal execution of function `(+)` with args: _ = 33 _ = 7 Normal execution of function `contents` with args: arg = {contents= 40} Normal execution of function `(<)` with args: _ = 40 _ = 100 Normal iteration of loop Normal execution of function `contents` with args: arg = {contents= 40} Normal execution of function `(+)` with args: _ = 40 _ = 7 Normal execution of function `contents` with args: arg = {contents= 47} Normal execution of function `(<)` with args: _ = 47 _ = 100 Normal iteration of loop Normal execution of function `contents` with args: arg = {contents= 47} Normal execution of function `(+)` with args: _ = 47 _ = 7 Normal execution of function `contents` with args: arg = {contents= 54} Normal execution of function `(<)` with args: _ = 54 _ = 100 Normal iteration of loop Normal execution of function `contents` with args: arg = {contents= 54} Normal execution of function `(+)` with args: _ = 54 _ = 7 Normal execution of function `contents` with args: arg = {contents= 61} Normal execution of function `(<)` with args: _ = 61 _ = 100 Normal iteration of loop Normal execution of function `contents` with args: arg = {contents= 61} Normal execution of function `(+)` with args: _ = 61 _ = 7 Normal execution of function `contents` with args: arg = {contents= 68} Normal execution of function `(<)` with args: _ = 68 _ = 100 Normal iteration of loop Normal execution of function `contents` with args: arg = {contents= 68} Normal execution of function `(+)` with args: _ = 68 _ = 7 Normal execution of function `contents` with args: arg = {contents= 75} Normal execution of function `(<)` with args: _ = 75 _ = 100 Normal iteration of loop Normal execution of function `contents` with args: arg = {contents= 75} Normal execution of function `(+)` with args: _ = 75 _ = 7 Normal execution of function `contents` with args: arg = {contents= 82} Normal execution of function `(<)` with args: _ = 82 _ = 100 Normal iteration of loop Normal execution of function `contents` with args: arg = {contents= 82} Normal execution of function `(+)` with args: _ = 82 _ = 7 Normal execution of function `contents` with args: arg = {contents= 89} Normal execution of function `(<)` with args: _ = 89 _ = 100 Normal iteration of loop Normal execution of function `contents` with args: arg = {contents= 89} Normal execution of function `(+)` with args: _ = 89 _ = 7 Normal execution of function `contents` with args: arg = {contents= 96} Normal execution of function `(<)` with args: _ = 96 _ = 100 Normal iteration of loop Normal execution of function `contents` with args: arg = {contents= 96} Normal execution of function `(+)` with args: _ = 96 _ = 7 Normal execution of function `contents` with args: arg = {contents= 103} Normal execution of function `(<)` with args: _ = 103 _ = 100 Line 11: Normal execution of function `contents` with args: arg = {contents= 103} Normal execution of function `(<)` with args: _ = 103 _ = 1000 Normal iteration of loop Normal execution of function `contents` with args: arg = {contents= 103} Normal execution of function `(+)` with args: _ = 103 _ = 10 Normal execution of function `contents` with args: arg = {contents= 113} Normal execution of function `(<)` with args: _ = 113 _ = 1000 Normal iteration of loop Normal execution of function `contents` with args: arg = {contents= 113} Normal execution of function `(+)` with args: _ = 113 _ = 10 Normal execution of function `contents` with args: arg = {contents= 123} Normal execution of function `(<)` with args: _ = 123 _ = 1000 Normal iteration of loop Normal execution of function `contents` with args: arg = {contents= 123} Normal execution of function `(+)` with args: _ = 123 _ = 10 Normal execution of function `contents` with args: arg = {contents= 133} Normal execution of function `(<)` with args: _ = 133 _ = 1000 Normal iteration of loop Normal execution of function `contents` with args: arg = {contents= 133} Normal execution of function `(+)` with args: _ = 133 _ = 10 Normal execution of function `contents` with args: arg = {contents= 143} Normal execution of function `(<)` with args: _ = 143 _ = 1000 Normal iteration of loop Normal execution of function `contents` with args: arg = {contents= 143} Normal execution of function `(+)` with args: _ = 143 _ = 10 Normal execution of function `contents` with args: arg = {contents= 153} Normal execution of function `(<)` with args: _ = 153 _ = 1000 Normal iteration of loop Normal execution of function `contents` with args: arg = {contents= 153} Normal execution of function `(+)` with args: _ = 153 _ = 10 Normal execution of function `contents` with args: arg = {contents= 163} Normal execution of function `(<)` with args: _ = 163 _ = 1000 Normal iteration of loop Normal execution of function `contents` with args: arg = {contents= 163} Normal execution of function `(+)` with args: _ = 163 _ = 10 Normal execution of function `contents` with args: arg = {contents= 173} Normal execution of function `(<)` with args: _ = 173 _ = 1000 Normal iteration of loop Normal execution of function `contents` with args: arg = {contents= 173} Normal execution of function `(+)` with args: _ = 173 _ = 10 Normal execution of function `contents` with args: arg = {contents= 183} Normal execution of function `(<)` with args: _ = 183 _ = 1000 Normal iteration of loop Normal execution of function `contents` with args: arg = {contents= 183} Normal execution of function `(+)` with args: _ = 183 _ = 10 Normal execution of function `contents` with args: arg = {contents= 193} Normal execution of function `(<)` with args: _ = 193 _ = 1000 Normal iteration of loop Normal execution of function `contents` with args: arg = {contents= 193} Normal execution of function `(+)` with args: _ = 193 _ = 10 Property failure at assertion with: x = {contents= 203} Categorizations of models: - Selected model 0: NC - Concrete RAC: FAILURE (assertion at "bench/check-ce/attributes.mlw", line 23, characters 11-18) - Abstract RAC: FAILURE (assertion at "bench/check-ce/attributes.mlw", line 23, characters 11-18) - Checked model 1: NC - Concrete RAC: FAILURE (assertion at "bench/check-ce/attributes.mlw", line 23, characters 11-18) - Abstract RAC: FAILURE (assertion at "bench/check-ce/attributes.mlw", line 23, characters 11-18) File "bench/check-ce/attributes.mlw", line 23, characters 11-18: Sub-goal Assertion of goal g'vc. Prover result is: Unknown or time/memory/step limit. The program does not comply to the verification goal, for example during the following execution: File int.mlw: Line 13: Constant zero initialization zero = 0 Line 14: Constant one initialization one = 1 Unknown location: _ = () File attributes.mlw: Line 19: _ = () Execution of main function `g` with env: _ = () zero = 0 one = 1 Line 20: Normal execution of function `ref` with args: contents = 0 Normal execution of function `ref'mk` with args: contents = 0 Line 21: (giant-step) execution of unimplemented function `h` y = {contents= 0} x = {contents= 1} result of `h` = () Line 22: (giant-step) execution of unimplemented function `h` y = {contents= 1} x = {contents= 200} result of `h` = () Line 23: Property failure at assertion with: x = {contents= 200} why3-1.6.0/bench/check-ce/oracles/attributes_CVC5,1.0.0_WP.oracle000066400000000000000000000303161440160026300237540ustar00rootroot00000000000000Categorizations of models: - Selected model 0: NC - Concrete RAC: FAILURE (assertion at "bench/check-ce/attributes.mlw", line 11, characters 42-49) - Abstract RAC: FAILURE (assertion at "bench/check-ce/attributes.mlw", line 11, characters 42-49) - Checked model 1: NC - Concrete RAC: FAILURE (assertion at "bench/check-ce/attributes.mlw", line 11, characters 42-49) - Abstract RAC: FAILURE (assertion at "bench/check-ce/attributes.mlw", line 11, characters 42-49) File "bench/check-ce/attributes.mlw", line 11, characters 42-49: Sub-goal Assertion of goal f'vc. Prover result is: Unknown or time/memory/step limit. The program does not comply to the verification goal, for example during the following execution: File int.mlw: Line 13: Constant zero initialization zero = 0 Line 14: Constant one initialization one = 1 Unknown location: _ = () File attributes.mlw: Line 4: _ = () Execution of main function `f` with env: _ = () zero = 0 one = 1 Line 5: Normal execution of function `ref` with args: contents = 0 Normal execution of function `ref'mk` with args: contents = 0 Line 7: Normal execution of function `contents` with args: arg = {contents= 0} Normal execution of function `(<)` with args: _ = 0 _ = 10 Normal iteration of loop Normal execution of function `contents` with args: arg = {contents= 0} Normal execution of function `(+)` with args: _ = 0 _ = 3 Normal execution of function `contents` with args: arg = {contents= 3} Normal execution of function `(<)` with args: _ = 3 _ = 10 Normal iteration of loop Normal execution of function `contents` with args: arg = {contents= 3} Normal execution of function `(+)` with args: _ = 3 _ = 3 Normal execution of function `contents` with args: arg = {contents= 6} Normal execution of function `(<)` with args: _ = 6 _ = 10 Normal iteration of loop Normal execution of function `contents` with args: arg = {contents= 6} Normal execution of function `(+)` with args: _ = 6 _ = 3 Normal execution of function `contents` with args: arg = {contents= 9} Normal execution of function `(<)` with args: _ = 9 _ = 10 Normal iteration of loop Normal execution of function `contents` with args: arg = {contents= 9} Normal execution of function `(+)` with args: _ = 9 _ = 3 Normal execution of function `contents` with args: arg = {contents= 12} Normal execution of function `(<)` with args: _ = 12 _ = 10 Line 9: Normal execution of function `contents` with args: arg = {contents= 12} Normal execution of function `(<)` with args: _ = 12 _ = 100 Normal iteration of loop Normal execution of function `contents` with args: arg = {contents= 12} Normal execution of function `(+)` with args: _ = 12 _ = 7 Normal execution of function `contents` with args: arg = {contents= 19} Normal execution of function `(<)` with args: _ = 19 _ = 100 Normal iteration of loop Normal execution of function `contents` with args: arg = {contents= 19} Normal execution of function `(+)` with args: _ = 19 _ = 7 Normal execution of function `contents` with args: arg = {contents= 26} Normal execution of function `(<)` with args: _ = 26 _ = 100 Normal iteration of loop Normal execution of function `contents` with args: arg = {contents= 26} Normal execution of function `(+)` with args: _ = 26 _ = 7 Normal execution of function `contents` with args: arg = {contents= 33} Normal execution of function `(<)` with args: _ = 33 _ = 100 Normal iteration of loop Normal execution of function `contents` with args: arg = {contents= 33} Normal execution of function `(+)` with args: _ = 33 _ = 7 Normal execution of function `contents` with args: arg = {contents= 40} Normal execution of function `(<)` with args: _ = 40 _ = 100 Normal iteration of loop Normal execution of function `contents` with args: arg = {contents= 40} Normal execution of function `(+)` with args: _ = 40 _ = 7 Normal execution of function `contents` with args: arg = {contents= 47} Normal execution of function `(<)` with args: _ = 47 _ = 100 Normal iteration of loop Normal execution of function `contents` with args: arg = {contents= 47} Normal execution of function `(+)` with args: _ = 47 _ = 7 Normal execution of function `contents` with args: arg = {contents= 54} Normal execution of function `(<)` with args: _ = 54 _ = 100 Normal iteration of loop Normal execution of function `contents` with args: arg = {contents= 54} Normal execution of function `(+)` with args: _ = 54 _ = 7 Normal execution of function `contents` with args: arg = {contents= 61} Normal execution of function `(<)` with args: _ = 61 _ = 100 Normal iteration of loop Normal execution of function `contents` with args: arg = {contents= 61} Normal execution of function `(+)` with args: _ = 61 _ = 7 Normal execution of function `contents` with args: arg = {contents= 68} Normal execution of function `(<)` with args: _ = 68 _ = 100 Normal iteration of loop Normal execution of function `contents` with args: arg = {contents= 68} Normal execution of function `(+)` with args: _ = 68 _ = 7 Normal execution of function `contents` with args: arg = {contents= 75} Normal execution of function `(<)` with args: _ = 75 _ = 100 Normal iteration of loop Normal execution of function `contents` with args: arg = {contents= 75} Normal execution of function `(+)` with args: _ = 75 _ = 7 Normal execution of function `contents` with args: arg = {contents= 82} Normal execution of function `(<)` with args: _ = 82 _ = 100 Normal iteration of loop Normal execution of function `contents` with args: arg = {contents= 82} Normal execution of function `(+)` with args: _ = 82 _ = 7 Normal execution of function `contents` with args: arg = {contents= 89} Normal execution of function `(<)` with args: _ = 89 _ = 100 Normal iteration of loop Normal execution of function `contents` with args: arg = {contents= 89} Normal execution of function `(+)` with args: _ = 89 _ = 7 Normal execution of function `contents` with args: arg = {contents= 96} Normal execution of function `(<)` with args: _ = 96 _ = 100 Normal iteration of loop Normal execution of function `contents` with args: arg = {contents= 96} Normal execution of function `(+)` with args: _ = 96 _ = 7 Normal execution of function `contents` with args: arg = {contents= 103} Normal execution of function `(<)` with args: _ = 103 _ = 100 Line 11: Normal execution of function `contents` with args: arg = {contents= 103} Normal execution of function `(<)` with args: _ = 103 _ = 1000 Normal iteration of loop Normal execution of function `contents` with args: arg = {contents= 103} Normal execution of function `(+)` with args: _ = 103 _ = 10 Normal execution of function `contents` with args: arg = {contents= 113} Normal execution of function `(<)` with args: _ = 113 _ = 1000 Normal iteration of loop Normal execution of function `contents` with args: arg = {contents= 113} Normal execution of function `(+)` with args: _ = 113 _ = 10 Normal execution of function `contents` with args: arg = {contents= 123} Normal execution of function `(<)` with args: _ = 123 _ = 1000 Normal iteration of loop Normal execution of function `contents` with args: arg = {contents= 123} Normal execution of function `(+)` with args: _ = 123 _ = 10 Normal execution of function `contents` with args: arg = {contents= 133} Normal execution of function `(<)` with args: _ = 133 _ = 1000 Normal iteration of loop Normal execution of function `contents` with args: arg = {contents= 133} Normal execution of function `(+)` with args: _ = 133 _ = 10 Normal execution of function `contents` with args: arg = {contents= 143} Normal execution of function `(<)` with args: _ = 143 _ = 1000 Normal iteration of loop Normal execution of function `contents` with args: arg = {contents= 143} Normal execution of function `(+)` with args: _ = 143 _ = 10 Normal execution of function `contents` with args: arg = {contents= 153} Normal execution of function `(<)` with args: _ = 153 _ = 1000 Normal iteration of loop Normal execution of function `contents` with args: arg = {contents= 153} Normal execution of function `(+)` with args: _ = 153 _ = 10 Normal execution of function `contents` with args: arg = {contents= 163} Normal execution of function `(<)` with args: _ = 163 _ = 1000 Normal iteration of loop Normal execution of function `contents` with args: arg = {contents= 163} Normal execution of function `(+)` with args: _ = 163 _ = 10 Normal execution of function `contents` with args: arg = {contents= 173} Normal execution of function `(<)` with args: _ = 173 _ = 1000 Normal iteration of loop Normal execution of function `contents` with args: arg = {contents= 173} Normal execution of function `(+)` with args: _ = 173 _ = 10 Normal execution of function `contents` with args: arg = {contents= 183} Normal execution of function `(<)` with args: _ = 183 _ = 1000 Normal iteration of loop Normal execution of function `contents` with args: arg = {contents= 183} Normal execution of function `(+)` with args: _ = 183 _ = 10 Normal execution of function `contents` with args: arg = {contents= 193} Normal execution of function `(<)` with args: _ = 193 _ = 1000 Normal iteration of loop Normal execution of function `contents` with args: arg = {contents= 193} Normal execution of function `(+)` with args: _ = 193 _ = 10 Property failure at assertion with: x = {contents= 203} Categorizations of models: - Selected model 0: NC - Concrete RAC: FAILURE (assertion at "bench/check-ce/attributes.mlw", line 23, characters 11-18) - Abstract RAC: FAILURE (assertion at "bench/check-ce/attributes.mlw", line 23, characters 11-18) - Checked model 1: NC - Concrete RAC: FAILURE (assertion at "bench/check-ce/attributes.mlw", line 23, characters 11-18) - Abstract RAC: FAILURE (assertion at "bench/check-ce/attributes.mlw", line 23, characters 11-18) File "bench/check-ce/attributes.mlw", line 23, characters 11-18: Sub-goal Assertion of goal g'vc. Prover result is: Unknown or time/memory/step limit. The program does not comply to the verification goal, for example during the following execution: File int.mlw: Line 13: Constant zero initialization zero = 0 Line 14: Constant one initialization one = 1 Unknown location: _ = () File attributes.mlw: Line 19: _ = () Execution of main function `g` with env: _ = () zero = 0 one = 1 Line 20: Normal execution of function `ref` with args: contents = 0 Normal execution of function `ref'mk` with args: contents = 0 Line 21: (giant-step) execution of unimplemented function `h` y = {contents= 0} x = {contents= 1} result of `h` = () Line 22: (giant-step) execution of unimplemented function `h` y = {contents= 1} x = {contents= 200} result of `h` = () Line 23: Property failure at assertion with: x = {contents= 200} why3-1.6.0/bench/check-ce/oracles/attributes_Z3,4.8.10_SP.oracle000066400000000000000000000304261440160026300236420ustar00rootroot00000000000000Categorizations of models: - Selected model 0: NC - Concrete RAC: FAILURE (assertion at "bench/check-ce/attributes.mlw", line 11, characters 42-49) - Abstract RAC: FAILURE (assertion at "bench/check-ce/attributes.mlw", line 11, characters 42-49) - Checked model 1: NC - Concrete RAC: FAILURE (assertion at "bench/check-ce/attributes.mlw", line 11, characters 42-49) - Abstract RAC: STUCK (when reaching the end of a loop iteration at "bench/check-ce/attributes.mlw", line 7, characters 2-33) File "bench/check-ce/attributes.mlw", line 11, characters 42-49: Sub-goal Assertion of goal f'vc. Prover result is: Unknown or time/memory/step limit. The program does not comply to the verification goal, for example during the following execution: File int.mlw: Line 13: Constant zero initialization zero = 0 Line 14: Constant one initialization one = 1 Unknown location: _ = () File attributes.mlw: Line 4: _ = () Execution of main function `f` with env: _ = () zero = 0 one = 1 Line 5: Normal execution of function `ref` with args: contents = 0 Normal execution of function `ref'mk` with args: contents = 0 Line 7: Normal execution of function `contents` with args: arg = {contents= 0} Normal execution of function `(<)` with args: _ = 0 _ = 10 Normal iteration of loop Normal execution of function `contents` with args: arg = {contents= 0} Normal execution of function `(+)` with args: _ = 0 _ = 3 Normal execution of function `contents` with args: arg = {contents= 3} Normal execution of function `(<)` with args: _ = 3 _ = 10 Normal iteration of loop Normal execution of function `contents` with args: arg = {contents= 3} Normal execution of function `(+)` with args: _ = 3 _ = 3 Normal execution of function `contents` with args: arg = {contents= 6} Normal execution of function `(<)` with args: _ = 6 _ = 10 Normal iteration of loop Normal execution of function `contents` with args: arg = {contents= 6} Normal execution of function `(+)` with args: _ = 6 _ = 3 Normal execution of function `contents` with args: arg = {contents= 9} Normal execution of function `(<)` with args: _ = 9 _ = 10 Normal iteration of loop Normal execution of function `contents` with args: arg = {contents= 9} Normal execution of function `(+)` with args: _ = 9 _ = 3 Normal execution of function `contents` with args: arg = {contents= 12} Normal execution of function `(<)` with args: _ = 12 _ = 10 Line 9: Normal execution of function `contents` with args: arg = {contents= 12} Normal execution of function `(<)` with args: _ = 12 _ = 100 Normal iteration of loop Normal execution of function `contents` with args: arg = {contents= 12} Normal execution of function `(+)` with args: _ = 12 _ = 7 Normal execution of function `contents` with args: arg = {contents= 19} Normal execution of function `(<)` with args: _ = 19 _ = 100 Normal iteration of loop Normal execution of function `contents` with args: arg = {contents= 19} Normal execution of function `(+)` with args: _ = 19 _ = 7 Normal execution of function `contents` with args: arg = {contents= 26} Normal execution of function `(<)` with args: _ = 26 _ = 100 Normal iteration of loop Normal execution of function `contents` with args: arg = {contents= 26} Normal execution of function `(+)` with args: _ = 26 _ = 7 Normal execution of function `contents` with args: arg = {contents= 33} Normal execution of function `(<)` with args: _ = 33 _ = 100 Normal iteration of loop Normal execution of function `contents` with args: arg = {contents= 33} Normal execution of function `(+)` with args: _ = 33 _ = 7 Normal execution of function `contents` with args: arg = {contents= 40} Normal execution of function `(<)` with args: _ = 40 _ = 100 Normal iteration of loop Normal execution of function `contents` with args: arg = {contents= 40} Normal execution of function `(+)` with args: _ = 40 _ = 7 Normal execution of function `contents` with args: arg = {contents= 47} Normal execution of function `(<)` with args: _ = 47 _ = 100 Normal iteration of loop Normal execution of function `contents` with args: arg = {contents= 47} Normal execution of function `(+)` with args: _ = 47 _ = 7 Normal execution of function `contents` with args: arg = {contents= 54} Normal execution of function `(<)` with args: _ = 54 _ = 100 Normal iteration of loop Normal execution of function `contents` with args: arg = {contents= 54} Normal execution of function `(+)` with args: _ = 54 _ = 7 Normal execution of function `contents` with args: arg = {contents= 61} Normal execution of function `(<)` with args: _ = 61 _ = 100 Normal iteration of loop Normal execution of function `contents` with args: arg = {contents= 61} Normal execution of function `(+)` with args: _ = 61 _ = 7 Normal execution of function `contents` with args: arg = {contents= 68} Normal execution of function `(<)` with args: _ = 68 _ = 100 Normal iteration of loop Normal execution of function `contents` with args: arg = {contents= 68} Normal execution of function `(+)` with args: _ = 68 _ = 7 Normal execution of function `contents` with args: arg = {contents= 75} Normal execution of function `(<)` with args: _ = 75 _ = 100 Normal iteration of loop Normal execution of function `contents` with args: arg = {contents= 75} Normal execution of function `(+)` with args: _ = 75 _ = 7 Normal execution of function `contents` with args: arg = {contents= 82} Normal execution of function `(<)` with args: _ = 82 _ = 100 Normal iteration of loop Normal execution of function `contents` with args: arg = {contents= 82} Normal execution of function `(+)` with args: _ = 82 _ = 7 Normal execution of function `contents` with args: arg = {contents= 89} Normal execution of function `(<)` with args: _ = 89 _ = 100 Normal iteration of loop Normal execution of function `contents` with args: arg = {contents= 89} Normal execution of function `(+)` with args: _ = 89 _ = 7 Normal execution of function `contents` with args: arg = {contents= 96} Normal execution of function `(<)` with args: _ = 96 _ = 100 Normal iteration of loop Normal execution of function `contents` with args: arg = {contents= 96} Normal execution of function `(+)` with args: _ = 96 _ = 7 Normal execution of function `contents` with args: arg = {contents= 103} Normal execution of function `(<)` with args: _ = 103 _ = 100 Line 11: Normal execution of function `contents` with args: arg = {contents= 103} Normal execution of function `(<)` with args: _ = 103 _ = 1000 Normal iteration of loop Normal execution of function `contents` with args: arg = {contents= 103} Normal execution of function `(+)` with args: _ = 103 _ = 10 Normal execution of function `contents` with args: arg = {contents= 113} Normal execution of function `(<)` with args: _ = 113 _ = 1000 Normal iteration of loop Normal execution of function `contents` with args: arg = {contents= 113} Normal execution of function `(+)` with args: _ = 113 _ = 10 Normal execution of function `contents` with args: arg = {contents= 123} Normal execution of function `(<)` with args: _ = 123 _ = 1000 Normal iteration of loop Normal execution of function `contents` with args: arg = {contents= 123} Normal execution of function `(+)` with args: _ = 123 _ = 10 Normal execution of function `contents` with args: arg = {contents= 133} Normal execution of function `(<)` with args: _ = 133 _ = 1000 Normal iteration of loop Normal execution of function `contents` with args: arg = {contents= 133} Normal execution of function `(+)` with args: _ = 133 _ = 10 Normal execution of function `contents` with args: arg = {contents= 143} Normal execution of function `(<)` with args: _ = 143 _ = 1000 Normal iteration of loop Normal execution of function `contents` with args: arg = {contents= 143} Normal execution of function `(+)` with args: _ = 143 _ = 10 Normal execution of function `contents` with args: arg = {contents= 153} Normal execution of function `(<)` with args: _ = 153 _ = 1000 Normal iteration of loop Normal execution of function `contents` with args: arg = {contents= 153} Normal execution of function `(+)` with args: _ = 153 _ = 10 Normal execution of function `contents` with args: arg = {contents= 163} Normal execution of function `(<)` with args: _ = 163 _ = 1000 Normal iteration of loop Normal execution of function `contents` with args: arg = {contents= 163} Normal execution of function `(+)` with args: _ = 163 _ = 10 Normal execution of function `contents` with args: arg = {contents= 173} Normal execution of function `(<)` with args: _ = 173 _ = 1000 Normal iteration of loop Normal execution of function `contents` with args: arg = {contents= 173} Normal execution of function `(+)` with args: _ = 173 _ = 10 Normal execution of function `contents` with args: arg = {contents= 183} Normal execution of function `(<)` with args: _ = 183 _ = 1000 Normal iteration of loop Normal execution of function `contents` with args: arg = {contents= 183} Normal execution of function `(+)` with args: _ = 183 _ = 10 Normal execution of function `contents` with args: arg = {contents= 193} Normal execution of function `(<)` with args: _ = 193 _ = 1000 Normal iteration of loop Normal execution of function `contents` with args: arg = {contents= 193} Normal execution of function `(+)` with args: _ = 193 _ = 10 Property failure at assertion with: x = {contents= 203} Categorizations of models: - Selected model 0: NC - Concrete RAC: FAILURE (assertion at "bench/check-ce/attributes.mlw", line 23, characters 11-18) - Abstract RAC: FAILURE (assertion at "bench/check-ce/attributes.mlw", line 23, characters 11-18) - Checked model 1: BAD_CE - Concrete RAC: STUCK (failure in postcondition of `h` at "bench/check-ce/attributes.mlw", line 17, characters 12-21) - Abstract RAC: STUCK (failure in postcondition of `h` at "bench/check-ce/attributes.mlw", line 17, characters 12-21) File "bench/check-ce/attributes.mlw", line 23, characters 11-18: Sub-goal Assertion of goal g'vc. Prover result is: Unknown or time/memory/step limit. The program does not comply to the verification goal, for example during the following execution: File int.mlw: Line 13: Constant zero initialization zero = 0 Line 14: Constant one initialization one = 1 Unknown location: _ = () File attributes.mlw: Line 19: _ = () Execution of main function `g` with env: _ = () zero = 0 one = 1 Line 20: Normal execution of function `ref` with args: contents = 0 Normal execution of function `ref'mk` with args: contents = 0 Line 21: (giant-step) execution of unimplemented function `h` y = {contents= 0} x = {contents= 1} result of `h` = () Line 22: (giant-step) execution of unimplemented function `h` y = {contents= 1} x = {contents= 200} result of `h` = () Line 23: Property failure at assertion with: x = {contents= 200} why3-1.6.0/bench/check-ce/oracles/attributes_Z3,4.8.10_WP.oracle000066400000000000000000000304261440160026300236460ustar00rootroot00000000000000Categorizations of models: - Selected model 0: NC - Concrete RAC: FAILURE (assertion at "bench/check-ce/attributes.mlw", line 11, characters 42-49) - Abstract RAC: FAILURE (assertion at "bench/check-ce/attributes.mlw", line 11, characters 42-49) - Checked model 1: NC - Concrete RAC: FAILURE (assertion at "bench/check-ce/attributes.mlw", line 11, characters 42-49) - Abstract RAC: STUCK (when reaching the end of a loop iteration at "bench/check-ce/attributes.mlw", line 7, characters 2-33) File "bench/check-ce/attributes.mlw", line 11, characters 42-49: Sub-goal Assertion of goal f'vc. Prover result is: Unknown or time/memory/step limit. The program does not comply to the verification goal, for example during the following execution: File int.mlw: Line 13: Constant zero initialization zero = 0 Line 14: Constant one initialization one = 1 Unknown location: _ = () File attributes.mlw: Line 4: _ = () Execution of main function `f` with env: _ = () zero = 0 one = 1 Line 5: Normal execution of function `ref` with args: contents = 0 Normal execution of function `ref'mk` with args: contents = 0 Line 7: Normal execution of function `contents` with args: arg = {contents= 0} Normal execution of function `(<)` with args: _ = 0 _ = 10 Normal iteration of loop Normal execution of function `contents` with args: arg = {contents= 0} Normal execution of function `(+)` with args: _ = 0 _ = 3 Normal execution of function `contents` with args: arg = {contents= 3} Normal execution of function `(<)` with args: _ = 3 _ = 10 Normal iteration of loop Normal execution of function `contents` with args: arg = {contents= 3} Normal execution of function `(+)` with args: _ = 3 _ = 3 Normal execution of function `contents` with args: arg = {contents= 6} Normal execution of function `(<)` with args: _ = 6 _ = 10 Normal iteration of loop Normal execution of function `contents` with args: arg = {contents= 6} Normal execution of function `(+)` with args: _ = 6 _ = 3 Normal execution of function `contents` with args: arg = {contents= 9} Normal execution of function `(<)` with args: _ = 9 _ = 10 Normal iteration of loop Normal execution of function `contents` with args: arg = {contents= 9} Normal execution of function `(+)` with args: _ = 9 _ = 3 Normal execution of function `contents` with args: arg = {contents= 12} Normal execution of function `(<)` with args: _ = 12 _ = 10 Line 9: Normal execution of function `contents` with args: arg = {contents= 12} Normal execution of function `(<)` with args: _ = 12 _ = 100 Normal iteration of loop Normal execution of function `contents` with args: arg = {contents= 12} Normal execution of function `(+)` with args: _ = 12 _ = 7 Normal execution of function `contents` with args: arg = {contents= 19} Normal execution of function `(<)` with args: _ = 19 _ = 100 Normal iteration of loop Normal execution of function `contents` with args: arg = {contents= 19} Normal execution of function `(+)` with args: _ = 19 _ = 7 Normal execution of function `contents` with args: arg = {contents= 26} Normal execution of function `(<)` with args: _ = 26 _ = 100 Normal iteration of loop Normal execution of function `contents` with args: arg = {contents= 26} Normal execution of function `(+)` with args: _ = 26 _ = 7 Normal execution of function `contents` with args: arg = {contents= 33} Normal execution of function `(<)` with args: _ = 33 _ = 100 Normal iteration of loop Normal execution of function `contents` with args: arg = {contents= 33} Normal execution of function `(+)` with args: _ = 33 _ = 7 Normal execution of function `contents` with args: arg = {contents= 40} Normal execution of function `(<)` with args: _ = 40 _ = 100 Normal iteration of loop Normal execution of function `contents` with args: arg = {contents= 40} Normal execution of function `(+)` with args: _ = 40 _ = 7 Normal execution of function `contents` with args: arg = {contents= 47} Normal execution of function `(<)` with args: _ = 47 _ = 100 Normal iteration of loop Normal execution of function `contents` with args: arg = {contents= 47} Normal execution of function `(+)` with args: _ = 47 _ = 7 Normal execution of function `contents` with args: arg = {contents= 54} Normal execution of function `(<)` with args: _ = 54 _ = 100 Normal iteration of loop Normal execution of function `contents` with args: arg = {contents= 54} Normal execution of function `(+)` with args: _ = 54 _ = 7 Normal execution of function `contents` with args: arg = {contents= 61} Normal execution of function `(<)` with args: _ = 61 _ = 100 Normal iteration of loop Normal execution of function `contents` with args: arg = {contents= 61} Normal execution of function `(+)` with args: _ = 61 _ = 7 Normal execution of function `contents` with args: arg = {contents= 68} Normal execution of function `(<)` with args: _ = 68 _ = 100 Normal iteration of loop Normal execution of function `contents` with args: arg = {contents= 68} Normal execution of function `(+)` with args: _ = 68 _ = 7 Normal execution of function `contents` with args: arg = {contents= 75} Normal execution of function `(<)` with args: _ = 75 _ = 100 Normal iteration of loop Normal execution of function `contents` with args: arg = {contents= 75} Normal execution of function `(+)` with args: _ = 75 _ = 7 Normal execution of function `contents` with args: arg = {contents= 82} Normal execution of function `(<)` with args: _ = 82 _ = 100 Normal iteration of loop Normal execution of function `contents` with args: arg = {contents= 82} Normal execution of function `(+)` with args: _ = 82 _ = 7 Normal execution of function `contents` with args: arg = {contents= 89} Normal execution of function `(<)` with args: _ = 89 _ = 100 Normal iteration of loop Normal execution of function `contents` with args: arg = {contents= 89} Normal execution of function `(+)` with args: _ = 89 _ = 7 Normal execution of function `contents` with args: arg = {contents= 96} Normal execution of function `(<)` with args: _ = 96 _ = 100 Normal iteration of loop Normal execution of function `contents` with args: arg = {contents= 96} Normal execution of function `(+)` with args: _ = 96 _ = 7 Normal execution of function `contents` with args: arg = {contents= 103} Normal execution of function `(<)` with args: _ = 103 _ = 100 Line 11: Normal execution of function `contents` with args: arg = {contents= 103} Normal execution of function `(<)` with args: _ = 103 _ = 1000 Normal iteration of loop Normal execution of function `contents` with args: arg = {contents= 103} Normal execution of function `(+)` with args: _ = 103 _ = 10 Normal execution of function `contents` with args: arg = {contents= 113} Normal execution of function `(<)` with args: _ = 113 _ = 1000 Normal iteration of loop Normal execution of function `contents` with args: arg = {contents= 113} Normal execution of function `(+)` with args: _ = 113 _ = 10 Normal execution of function `contents` with args: arg = {contents= 123} Normal execution of function `(<)` with args: _ = 123 _ = 1000 Normal iteration of loop Normal execution of function `contents` with args: arg = {contents= 123} Normal execution of function `(+)` with args: _ = 123 _ = 10 Normal execution of function `contents` with args: arg = {contents= 133} Normal execution of function `(<)` with args: _ = 133 _ = 1000 Normal iteration of loop Normal execution of function `contents` with args: arg = {contents= 133} Normal execution of function `(+)` with args: _ = 133 _ = 10 Normal execution of function `contents` with args: arg = {contents= 143} Normal execution of function `(<)` with args: _ = 143 _ = 1000 Normal iteration of loop Normal execution of function `contents` with args: arg = {contents= 143} Normal execution of function `(+)` with args: _ = 143 _ = 10 Normal execution of function `contents` with args: arg = {contents= 153} Normal execution of function `(<)` with args: _ = 153 _ = 1000 Normal iteration of loop Normal execution of function `contents` with args: arg = {contents= 153} Normal execution of function `(+)` with args: _ = 153 _ = 10 Normal execution of function `contents` with args: arg = {contents= 163} Normal execution of function `(<)` with args: _ = 163 _ = 1000 Normal iteration of loop Normal execution of function `contents` with args: arg = {contents= 163} Normal execution of function `(+)` with args: _ = 163 _ = 10 Normal execution of function `contents` with args: arg = {contents= 173} Normal execution of function `(<)` with args: _ = 173 _ = 1000 Normal iteration of loop Normal execution of function `contents` with args: arg = {contents= 173} Normal execution of function `(+)` with args: _ = 173 _ = 10 Normal execution of function `contents` with args: arg = {contents= 183} Normal execution of function `(<)` with args: _ = 183 _ = 1000 Normal iteration of loop Normal execution of function `contents` with args: arg = {contents= 183} Normal execution of function `(+)` with args: _ = 183 _ = 10 Normal execution of function `contents` with args: arg = {contents= 193} Normal execution of function `(<)` with args: _ = 193 _ = 1000 Normal iteration of loop Normal execution of function `contents` with args: arg = {contents= 193} Normal execution of function `(+)` with args: _ = 193 _ = 10 Property failure at assertion with: x = {contents= 203} Categorizations of models: - Selected model 0: NC - Concrete RAC: FAILURE (assertion at "bench/check-ce/attributes.mlw", line 23, characters 11-18) - Abstract RAC: FAILURE (assertion at "bench/check-ce/attributes.mlw", line 23, characters 11-18) - Checked model 1: BAD_CE - Concrete RAC: STUCK (failure in postcondition of `h` at "bench/check-ce/attributes.mlw", line 17, characters 12-21) - Abstract RAC: STUCK (failure in postcondition of `h` at "bench/check-ce/attributes.mlw", line 17, characters 12-21) File "bench/check-ce/attributes.mlw", line 23, characters 11-18: Sub-goal Assertion of goal g'vc. Prover result is: Unknown or time/memory/step limit. The program does not comply to the verification goal, for example during the following execution: File int.mlw: Line 13: Constant zero initialization zero = 0 Line 14: Constant one initialization one = 1 Unknown location: _ = () File attributes.mlw: Line 19: _ = () Execution of main function `g` with env: _ = () zero = 0 one = 1 Line 20: Normal execution of function `ref` with args: contents = 0 Normal execution of function `ref'mk` with args: contents = 0 Line 21: (giant-step) execution of unimplemented function `h` y = {contents= 0} x = {contents= 1} result of `h` = () Line 22: (giant-step) execution of unimplemented function `h` y = {contents= 1} x = {contents= 200} result of `h` = () Line 23: Property failure at assertion with: x = {contents= 200} why3-1.6.0/bench/check-ce/oracles/attributes_mono_CVC4,1.8_SP.oracle000066400000000000000000000264151440160026300246560ustar00rootroot00000000000000Categorizations of models: - Selected model 0: NC - Concrete RAC: FAILURE (assertion at "bench/check-ce/attributes_mono.mlw", line 13, characters 48-57) - Abstract RAC: FAILURE (assertion at "bench/check-ce/attributes_mono.mlw", line 13, characters 48-57) - Checked model 1: NC - Concrete RAC: FAILURE (assertion at "bench/check-ce/attributes_mono.mlw", line 13, characters 48-57) - Abstract RAC: FAILURE (assertion at "bench/check-ce/attributes_mono.mlw", line 13, characters 48-57) File "bench/check-ce/attributes_mono.mlw", line 13, characters 48-57: Sub-goal Assertion of goal f'vc. Prover result is: Unknown (sat). The program does not comply to the verification goal, for example during the following execution: File int.mlw: Line 13: Constant zero initialization zero = 0 Line 14: Constant one initialization one = 1 Unknown location: _ = () File attributes_mono.mlw: Line 6: _ = () Execution of main function `f` with env: _ = () zero = 0 one = 1 Line 7: Normal execution of function `t'mk` with args: c = 0 Line 9: Normal execution of function `c` with args: arg = {c= 0} Normal execution of function `(<)` with args: _ = 0 _ = 10 Normal iteration of loop Normal execution of function `c` with args: arg = {c= 0} Normal execution of function `(+)` with args: _ = 0 _ = 3 Normal execution of function `c` with args: arg = {c= 3} Normal execution of function `(<)` with args: _ = 3 _ = 10 Normal iteration of loop Normal execution of function `c` with args: arg = {c= 3} Normal execution of function `(+)` with args: _ = 3 _ = 3 Normal execution of function `c` with args: arg = {c= 6} Normal execution of function `(<)` with args: _ = 6 _ = 10 Normal iteration of loop Normal execution of function `c` with args: arg = {c= 6} Normal execution of function `(+)` with args: _ = 6 _ = 3 Normal execution of function `c` with args: arg = {c= 9} Normal execution of function `(<)` with args: _ = 9 _ = 10 Normal iteration of loop Normal execution of function `c` with args: arg = {c= 9} Normal execution of function `(+)` with args: _ = 9 _ = 3 Normal execution of function `c` with args: arg = {c= 12} Normal execution of function `(<)` with args: _ = 12 _ = 10 Line 11: Normal execution of function `c` with args: arg = {c= 12} Normal execution of function `(<)` with args: _ = 12 _ = 100 Normal iteration of loop Normal execution of function `c` with args: arg = {c= 12} Normal execution of function `(+)` with args: _ = 12 _ = 7 Normal execution of function `c` with args: arg = {c= 19} Normal execution of function `(<)` with args: _ = 19 _ = 100 Normal iteration of loop Normal execution of function `c` with args: arg = {c= 19} Normal execution of function `(+)` with args: _ = 19 _ = 7 Normal execution of function `c` with args: arg = {c= 26} Normal execution of function `(<)` with args: _ = 26 _ = 100 Normal iteration of loop Normal execution of function `c` with args: arg = {c= 26} Normal execution of function `(+)` with args: _ = 26 _ = 7 Normal execution of function `c` with args: arg = {c= 33} Normal execution of function `(<)` with args: _ = 33 _ = 100 Normal iteration of loop Normal execution of function `c` with args: arg = {c= 33} Normal execution of function `(+)` with args: _ = 33 _ = 7 Normal execution of function `c` with args: arg = {c= 40} Normal execution of function `(<)` with args: _ = 40 _ = 100 Normal iteration of loop Normal execution of function `c` with args: arg = {c= 40} Normal execution of function `(+)` with args: _ = 40 _ = 7 Normal execution of function `c` with args: arg = {c= 47} Normal execution of function `(<)` with args: _ = 47 _ = 100 Normal iteration of loop Normal execution of function `c` with args: arg = {c= 47} Normal execution of function `(+)` with args: _ = 47 _ = 7 Normal execution of function `c` with args: arg = {c= 54} Normal execution of function `(<)` with args: _ = 54 _ = 100 Normal iteration of loop Normal execution of function `c` with args: arg = {c= 54} Normal execution of function `(+)` with args: _ = 54 _ = 7 Normal execution of function `c` with args: arg = {c= 61} Normal execution of function `(<)` with args: _ = 61 _ = 100 Normal iteration of loop Normal execution of function `c` with args: arg = {c= 61} Normal execution of function `(+)` with args: _ = 61 _ = 7 Normal execution of function `c` with args: arg = {c= 68} Normal execution of function `(<)` with args: _ = 68 _ = 100 Normal iteration of loop Normal execution of function `c` with args: arg = {c= 68} Normal execution of function `(+)` with args: _ = 68 _ = 7 Normal execution of function `c` with args: arg = {c= 75} Normal execution of function `(<)` with args: _ = 75 _ = 100 Normal iteration of loop Normal execution of function `c` with args: arg = {c= 75} Normal execution of function `(+)` with args: _ = 75 _ = 7 Normal execution of function `c` with args: arg = {c= 82} Normal execution of function `(<)` with args: _ = 82 _ = 100 Normal iteration of loop Normal execution of function `c` with args: arg = {c= 82} Normal execution of function `(+)` with args: _ = 82 _ = 7 Normal execution of function `c` with args: arg = {c= 89} Normal execution of function `(<)` with args: _ = 89 _ = 100 Normal iteration of loop Normal execution of function `c` with args: arg = {c= 89} Normal execution of function `(+)` with args: _ = 89 _ = 7 Normal execution of function `c` with args: arg = {c= 96} Normal execution of function `(<)` with args: _ = 96 _ = 100 Normal iteration of loop Normal execution of function `c` with args: arg = {c= 96} Normal execution of function `(+)` with args: _ = 96 _ = 7 Normal execution of function `c` with args: arg = {c= 103} Normal execution of function `(<)` with args: _ = 103 _ = 100 Line 13: Normal execution of function `c` with args: arg = {c= 103} Normal execution of function `(<)` with args: _ = 103 _ = 1000 Normal iteration of loop Normal execution of function `c` with args: arg = {c= 103} Normal execution of function `(+)` with args: _ = 103 _ = 10 Normal execution of function `c` with args: arg = {c= 113} Normal execution of function `(<)` with args: _ = 113 _ = 1000 Normal iteration of loop Normal execution of function `c` with args: arg = {c= 113} Normal execution of function `(+)` with args: _ = 113 _ = 10 Normal execution of function `c` with args: arg = {c= 123} Normal execution of function `(<)` with args: _ = 123 _ = 1000 Normal iteration of loop Normal execution of function `c` with args: arg = {c= 123} Normal execution of function `(+)` with args: _ = 123 _ = 10 Normal execution of function `c` with args: arg = {c= 133} Normal execution of function `(<)` with args: _ = 133 _ = 1000 Normal iteration of loop Normal execution of function `c` with args: arg = {c= 133} Normal execution of function `(+)` with args: _ = 133 _ = 10 Normal execution of function `c` with args: arg = {c= 143} Normal execution of function `(<)` with args: _ = 143 _ = 1000 Normal iteration of loop Normal execution of function `c` with args: arg = {c= 143} Normal execution of function `(+)` with args: _ = 143 _ = 10 Normal execution of function `c` with args: arg = {c= 153} Normal execution of function `(<)` with args: _ = 153 _ = 1000 Normal iteration of loop Normal execution of function `c` with args: arg = {c= 153} Normal execution of function `(+)` with args: _ = 153 _ = 10 Normal execution of function `c` with args: arg = {c= 163} Normal execution of function `(<)` with args: _ = 163 _ = 1000 Normal iteration of loop Normal execution of function `c` with args: arg = {c= 163} Normal execution of function `(+)` with args: _ = 163 _ = 10 Normal execution of function `c` with args: arg = {c= 173} Normal execution of function `(<)` with args: _ = 173 _ = 1000 Normal iteration of loop Normal execution of function `c` with args: arg = {c= 173} Normal execution of function `(+)` with args: _ = 173 _ = 10 Normal execution of function `c` with args: arg = {c= 183} Normal execution of function `(<)` with args: _ = 183 _ = 1000 Normal iteration of loop Normal execution of function `c` with args: arg = {c= 183} Normal execution of function `(+)` with args: _ = 183 _ = 10 Normal execution of function `c` with args: arg = {c= 193} Normal execution of function `(<)` with args: _ = 193 _ = 1000 Normal iteration of loop Normal execution of function `c` with args: arg = {c= 193} Normal execution of function `(+)` with args: _ = 193 _ = 10 Property failure at assertion with: x = {c= 203} Categorizations of models: - Selected model 0: NC - Concrete RAC: FAILURE (assertion at "bench/check-ce/attributes_mono.mlw", line 25, characters 11-20) - Abstract RAC: FAILURE (assertion at "bench/check-ce/attributes_mono.mlw", line 25, characters 11-20) - Checked model 1: NC - Concrete RAC: FAILURE (assertion at "bench/check-ce/attributes_mono.mlw", line 25, characters 11-20) - Abstract RAC: FAILURE (assertion at "bench/check-ce/attributes_mono.mlw", line 25, characters 11-20) File "bench/check-ce/attributes_mono.mlw", line 25, characters 11-20: Sub-goal Assertion of goal g'vc. Prover result is: Unknown (sat). The program does not comply to the verification goal, for example during the following execution: File int.mlw: Line 13: Constant zero initialization zero = 0 Line 14: Constant one initialization one = 1 Unknown location: _ = () File attributes_mono.mlw: Line 21: _ = () Execution of main function `g` with env: _ = () zero = 0 one = 1 Line 22: Normal execution of function `t'mk` with args: c = 0 Line 23: (giant-step) execution of unimplemented function `h` y = {c= 0} x = {c= 1} result of `h` = () Line 24: (giant-step) execution of unimplemented function `h` y = {c= 1} x = {c= 200} result of `h` = () Line 25: Property failure at assertion with: x = {c= 200} why3-1.6.0/bench/check-ce/oracles/attributes_mono_CVC4,1.8_WP.oracle000066400000000000000000000264151440160026300246620ustar00rootroot00000000000000Categorizations of models: - Selected model 0: NC - Concrete RAC: FAILURE (assertion at "bench/check-ce/attributes_mono.mlw", line 13, characters 48-57) - Abstract RAC: FAILURE (assertion at "bench/check-ce/attributes_mono.mlw", line 13, characters 48-57) - Checked model 1: NC - Concrete RAC: FAILURE (assertion at "bench/check-ce/attributes_mono.mlw", line 13, characters 48-57) - Abstract RAC: FAILURE (assertion at "bench/check-ce/attributes_mono.mlw", line 13, characters 48-57) File "bench/check-ce/attributes_mono.mlw", line 13, characters 48-57: Sub-goal Assertion of goal f'vc. Prover result is: Unknown (sat). The program does not comply to the verification goal, for example during the following execution: File int.mlw: Line 13: Constant zero initialization zero = 0 Line 14: Constant one initialization one = 1 Unknown location: _ = () File attributes_mono.mlw: Line 6: _ = () Execution of main function `f` with env: _ = () zero = 0 one = 1 Line 7: Normal execution of function `t'mk` with args: c = 0 Line 9: Normal execution of function `c` with args: arg = {c= 0} Normal execution of function `(<)` with args: _ = 0 _ = 10 Normal iteration of loop Normal execution of function `c` with args: arg = {c= 0} Normal execution of function `(+)` with args: _ = 0 _ = 3 Normal execution of function `c` with args: arg = {c= 3} Normal execution of function `(<)` with args: _ = 3 _ = 10 Normal iteration of loop Normal execution of function `c` with args: arg = {c= 3} Normal execution of function `(+)` with args: _ = 3 _ = 3 Normal execution of function `c` with args: arg = {c= 6} Normal execution of function `(<)` with args: _ = 6 _ = 10 Normal iteration of loop Normal execution of function `c` with args: arg = {c= 6} Normal execution of function `(+)` with args: _ = 6 _ = 3 Normal execution of function `c` with args: arg = {c= 9} Normal execution of function `(<)` with args: _ = 9 _ = 10 Normal iteration of loop Normal execution of function `c` with args: arg = {c= 9} Normal execution of function `(+)` with args: _ = 9 _ = 3 Normal execution of function `c` with args: arg = {c= 12} Normal execution of function `(<)` with args: _ = 12 _ = 10 Line 11: Normal execution of function `c` with args: arg = {c= 12} Normal execution of function `(<)` with args: _ = 12 _ = 100 Normal iteration of loop Normal execution of function `c` with args: arg = {c= 12} Normal execution of function `(+)` with args: _ = 12 _ = 7 Normal execution of function `c` with args: arg = {c= 19} Normal execution of function `(<)` with args: _ = 19 _ = 100 Normal iteration of loop Normal execution of function `c` with args: arg = {c= 19} Normal execution of function `(+)` with args: _ = 19 _ = 7 Normal execution of function `c` with args: arg = {c= 26} Normal execution of function `(<)` with args: _ = 26 _ = 100 Normal iteration of loop Normal execution of function `c` with args: arg = {c= 26} Normal execution of function `(+)` with args: _ = 26 _ = 7 Normal execution of function `c` with args: arg = {c= 33} Normal execution of function `(<)` with args: _ = 33 _ = 100 Normal iteration of loop Normal execution of function `c` with args: arg = {c= 33} Normal execution of function `(+)` with args: _ = 33 _ = 7 Normal execution of function `c` with args: arg = {c= 40} Normal execution of function `(<)` with args: _ = 40 _ = 100 Normal iteration of loop Normal execution of function `c` with args: arg = {c= 40} Normal execution of function `(+)` with args: _ = 40 _ = 7 Normal execution of function `c` with args: arg = {c= 47} Normal execution of function `(<)` with args: _ = 47 _ = 100 Normal iteration of loop Normal execution of function `c` with args: arg = {c= 47} Normal execution of function `(+)` with args: _ = 47 _ = 7 Normal execution of function `c` with args: arg = {c= 54} Normal execution of function `(<)` with args: _ = 54 _ = 100 Normal iteration of loop Normal execution of function `c` with args: arg = {c= 54} Normal execution of function `(+)` with args: _ = 54 _ = 7 Normal execution of function `c` with args: arg = {c= 61} Normal execution of function `(<)` with args: _ = 61 _ = 100 Normal iteration of loop Normal execution of function `c` with args: arg = {c= 61} Normal execution of function `(+)` with args: _ = 61 _ = 7 Normal execution of function `c` with args: arg = {c= 68} Normal execution of function `(<)` with args: _ = 68 _ = 100 Normal iteration of loop Normal execution of function `c` with args: arg = {c= 68} Normal execution of function `(+)` with args: _ = 68 _ = 7 Normal execution of function `c` with args: arg = {c= 75} Normal execution of function `(<)` with args: _ = 75 _ = 100 Normal iteration of loop Normal execution of function `c` with args: arg = {c= 75} Normal execution of function `(+)` with args: _ = 75 _ = 7 Normal execution of function `c` with args: arg = {c= 82} Normal execution of function `(<)` with args: _ = 82 _ = 100 Normal iteration of loop Normal execution of function `c` with args: arg = {c= 82} Normal execution of function `(+)` with args: _ = 82 _ = 7 Normal execution of function `c` with args: arg = {c= 89} Normal execution of function `(<)` with args: _ = 89 _ = 100 Normal iteration of loop Normal execution of function `c` with args: arg = {c= 89} Normal execution of function `(+)` with args: _ = 89 _ = 7 Normal execution of function `c` with args: arg = {c= 96} Normal execution of function `(<)` with args: _ = 96 _ = 100 Normal iteration of loop Normal execution of function `c` with args: arg = {c= 96} Normal execution of function `(+)` with args: _ = 96 _ = 7 Normal execution of function `c` with args: arg = {c= 103} Normal execution of function `(<)` with args: _ = 103 _ = 100 Line 13: Normal execution of function `c` with args: arg = {c= 103} Normal execution of function `(<)` with args: _ = 103 _ = 1000 Normal iteration of loop Normal execution of function `c` with args: arg = {c= 103} Normal execution of function `(+)` with args: _ = 103 _ = 10 Normal execution of function `c` with args: arg = {c= 113} Normal execution of function `(<)` with args: _ = 113 _ = 1000 Normal iteration of loop Normal execution of function `c` with args: arg = {c= 113} Normal execution of function `(+)` with args: _ = 113 _ = 10 Normal execution of function `c` with args: arg = {c= 123} Normal execution of function `(<)` with args: _ = 123 _ = 1000 Normal iteration of loop Normal execution of function `c` with args: arg = {c= 123} Normal execution of function `(+)` with args: _ = 123 _ = 10 Normal execution of function `c` with args: arg = {c= 133} Normal execution of function `(<)` with args: _ = 133 _ = 1000 Normal iteration of loop Normal execution of function `c` with args: arg = {c= 133} Normal execution of function `(+)` with args: _ = 133 _ = 10 Normal execution of function `c` with args: arg = {c= 143} Normal execution of function `(<)` with args: _ = 143 _ = 1000 Normal iteration of loop Normal execution of function `c` with args: arg = {c= 143} Normal execution of function `(+)` with args: _ = 143 _ = 10 Normal execution of function `c` with args: arg = {c= 153} Normal execution of function `(<)` with args: _ = 153 _ = 1000 Normal iteration of loop Normal execution of function `c` with args: arg = {c= 153} Normal execution of function `(+)` with args: _ = 153 _ = 10 Normal execution of function `c` with args: arg = {c= 163} Normal execution of function `(<)` with args: _ = 163 _ = 1000 Normal iteration of loop Normal execution of function `c` with args: arg = {c= 163} Normal execution of function `(+)` with args: _ = 163 _ = 10 Normal execution of function `c` with args: arg = {c= 173} Normal execution of function `(<)` with args: _ = 173 _ = 1000 Normal iteration of loop Normal execution of function `c` with args: arg = {c= 173} Normal execution of function `(+)` with args: _ = 173 _ = 10 Normal execution of function `c` with args: arg = {c= 183} Normal execution of function `(<)` with args: _ = 183 _ = 1000 Normal iteration of loop Normal execution of function `c` with args: arg = {c= 183} Normal execution of function `(+)` with args: _ = 183 _ = 10 Normal execution of function `c` with args: arg = {c= 193} Normal execution of function `(<)` with args: _ = 193 _ = 1000 Normal iteration of loop Normal execution of function `c` with args: arg = {c= 193} Normal execution of function `(+)` with args: _ = 193 _ = 10 Property failure at assertion with: x = {c= 203} Categorizations of models: - Selected model 0: NC - Concrete RAC: FAILURE (assertion at "bench/check-ce/attributes_mono.mlw", line 25, characters 11-20) - Abstract RAC: FAILURE (assertion at "bench/check-ce/attributes_mono.mlw", line 25, characters 11-20) - Checked model 1: NC - Concrete RAC: FAILURE (assertion at "bench/check-ce/attributes_mono.mlw", line 25, characters 11-20) - Abstract RAC: FAILURE (assertion at "bench/check-ce/attributes_mono.mlw", line 25, characters 11-20) File "bench/check-ce/attributes_mono.mlw", line 25, characters 11-20: Sub-goal Assertion of goal g'vc. Prover result is: Unknown (sat). The program does not comply to the verification goal, for example during the following execution: File int.mlw: Line 13: Constant zero initialization zero = 0 Line 14: Constant one initialization one = 1 Unknown location: _ = () File attributes_mono.mlw: Line 21: _ = () Execution of main function `g` with env: _ = () zero = 0 one = 1 Line 22: Normal execution of function `t'mk` with args: c = 0 Line 23: (giant-step) execution of unimplemented function `h` y = {c= 0} x = {c= 1} result of `h` = () Line 24: (giant-step) execution of unimplemented function `h` y = {c= 1} x = {c= 200} result of `h` = () Line 25: Property failure at assertion with: x = {c= 200} why3-1.6.0/bench/check-ce/oracles/attributes_mono_CVC5,1.0.0_SP.oracle000066400000000000000000000264151440160026300250050ustar00rootroot00000000000000Categorizations of models: - Selected model 0: NC - Concrete RAC: FAILURE (assertion at "bench/check-ce/attributes_mono.mlw", line 13, characters 48-57) - Abstract RAC: FAILURE (assertion at "bench/check-ce/attributes_mono.mlw", line 13, characters 48-57) - Checked model 1: NC - Concrete RAC: FAILURE (assertion at "bench/check-ce/attributes_mono.mlw", line 13, characters 48-57) - Abstract RAC: FAILURE (assertion at "bench/check-ce/attributes_mono.mlw", line 13, characters 48-57) File "bench/check-ce/attributes_mono.mlw", line 13, characters 48-57: Sub-goal Assertion of goal f'vc. Prover result is: Unknown (sat). The program does not comply to the verification goal, for example during the following execution: File int.mlw: Line 13: Constant zero initialization zero = 0 Line 14: Constant one initialization one = 1 Unknown location: _ = () File attributes_mono.mlw: Line 6: _ = () Execution of main function `f` with env: _ = () zero = 0 one = 1 Line 7: Normal execution of function `t'mk` with args: c = 0 Line 9: Normal execution of function `c` with args: arg = {c= 0} Normal execution of function `(<)` with args: _ = 0 _ = 10 Normal iteration of loop Normal execution of function `c` with args: arg = {c= 0} Normal execution of function `(+)` with args: _ = 0 _ = 3 Normal execution of function `c` with args: arg = {c= 3} Normal execution of function `(<)` with args: _ = 3 _ = 10 Normal iteration of loop Normal execution of function `c` with args: arg = {c= 3} Normal execution of function `(+)` with args: _ = 3 _ = 3 Normal execution of function `c` with args: arg = {c= 6} Normal execution of function `(<)` with args: _ = 6 _ = 10 Normal iteration of loop Normal execution of function `c` with args: arg = {c= 6} Normal execution of function `(+)` with args: _ = 6 _ = 3 Normal execution of function `c` with args: arg = {c= 9} Normal execution of function `(<)` with args: _ = 9 _ = 10 Normal iteration of loop Normal execution of function `c` with args: arg = {c= 9} Normal execution of function `(+)` with args: _ = 9 _ = 3 Normal execution of function `c` with args: arg = {c= 12} Normal execution of function `(<)` with args: _ = 12 _ = 10 Line 11: Normal execution of function `c` with args: arg = {c= 12} Normal execution of function `(<)` with args: _ = 12 _ = 100 Normal iteration of loop Normal execution of function `c` with args: arg = {c= 12} Normal execution of function `(+)` with args: _ = 12 _ = 7 Normal execution of function `c` with args: arg = {c= 19} Normal execution of function `(<)` with args: _ = 19 _ = 100 Normal iteration of loop Normal execution of function `c` with args: arg = {c= 19} Normal execution of function `(+)` with args: _ = 19 _ = 7 Normal execution of function `c` with args: arg = {c= 26} Normal execution of function `(<)` with args: _ = 26 _ = 100 Normal iteration of loop Normal execution of function `c` with args: arg = {c= 26} Normal execution of function `(+)` with args: _ = 26 _ = 7 Normal execution of function `c` with args: arg = {c= 33} Normal execution of function `(<)` with args: _ = 33 _ = 100 Normal iteration of loop Normal execution of function `c` with args: arg = {c= 33} Normal execution of function `(+)` with args: _ = 33 _ = 7 Normal execution of function `c` with args: arg = {c= 40} Normal execution of function `(<)` with args: _ = 40 _ = 100 Normal iteration of loop Normal execution of function `c` with args: arg = {c= 40} Normal execution of function `(+)` with args: _ = 40 _ = 7 Normal execution of function `c` with args: arg = {c= 47} Normal execution of function `(<)` with args: _ = 47 _ = 100 Normal iteration of loop Normal execution of function `c` with args: arg = {c= 47} Normal execution of function `(+)` with args: _ = 47 _ = 7 Normal execution of function `c` with args: arg = {c= 54} Normal execution of function `(<)` with args: _ = 54 _ = 100 Normal iteration of loop Normal execution of function `c` with args: arg = {c= 54} Normal execution of function `(+)` with args: _ = 54 _ = 7 Normal execution of function `c` with args: arg = {c= 61} Normal execution of function `(<)` with args: _ = 61 _ = 100 Normal iteration of loop Normal execution of function `c` with args: arg = {c= 61} Normal execution of function `(+)` with args: _ = 61 _ = 7 Normal execution of function `c` with args: arg = {c= 68} Normal execution of function `(<)` with args: _ = 68 _ = 100 Normal iteration of loop Normal execution of function `c` with args: arg = {c= 68} Normal execution of function `(+)` with args: _ = 68 _ = 7 Normal execution of function `c` with args: arg = {c= 75} Normal execution of function `(<)` with args: _ = 75 _ = 100 Normal iteration of loop Normal execution of function `c` with args: arg = {c= 75} Normal execution of function `(+)` with args: _ = 75 _ = 7 Normal execution of function `c` with args: arg = {c= 82} Normal execution of function `(<)` with args: _ = 82 _ = 100 Normal iteration of loop Normal execution of function `c` with args: arg = {c= 82} Normal execution of function `(+)` with args: _ = 82 _ = 7 Normal execution of function `c` with args: arg = {c= 89} Normal execution of function `(<)` with args: _ = 89 _ = 100 Normal iteration of loop Normal execution of function `c` with args: arg = {c= 89} Normal execution of function `(+)` with args: _ = 89 _ = 7 Normal execution of function `c` with args: arg = {c= 96} Normal execution of function `(<)` with args: _ = 96 _ = 100 Normal iteration of loop Normal execution of function `c` with args: arg = {c= 96} Normal execution of function `(+)` with args: _ = 96 _ = 7 Normal execution of function `c` with args: arg = {c= 103} Normal execution of function `(<)` with args: _ = 103 _ = 100 Line 13: Normal execution of function `c` with args: arg = {c= 103} Normal execution of function `(<)` with args: _ = 103 _ = 1000 Normal iteration of loop Normal execution of function `c` with args: arg = {c= 103} Normal execution of function `(+)` with args: _ = 103 _ = 10 Normal execution of function `c` with args: arg = {c= 113} Normal execution of function `(<)` with args: _ = 113 _ = 1000 Normal iteration of loop Normal execution of function `c` with args: arg = {c= 113} Normal execution of function `(+)` with args: _ = 113 _ = 10 Normal execution of function `c` with args: arg = {c= 123} Normal execution of function `(<)` with args: _ = 123 _ = 1000 Normal iteration of loop Normal execution of function `c` with args: arg = {c= 123} Normal execution of function `(+)` with args: _ = 123 _ = 10 Normal execution of function `c` with args: arg = {c= 133} Normal execution of function `(<)` with args: _ = 133 _ = 1000 Normal iteration of loop Normal execution of function `c` with args: arg = {c= 133} Normal execution of function `(+)` with args: _ = 133 _ = 10 Normal execution of function `c` with args: arg = {c= 143} Normal execution of function `(<)` with args: _ = 143 _ = 1000 Normal iteration of loop Normal execution of function `c` with args: arg = {c= 143} Normal execution of function `(+)` with args: _ = 143 _ = 10 Normal execution of function `c` with args: arg = {c= 153} Normal execution of function `(<)` with args: _ = 153 _ = 1000 Normal iteration of loop Normal execution of function `c` with args: arg = {c= 153} Normal execution of function `(+)` with args: _ = 153 _ = 10 Normal execution of function `c` with args: arg = {c= 163} Normal execution of function `(<)` with args: _ = 163 _ = 1000 Normal iteration of loop Normal execution of function `c` with args: arg = {c= 163} Normal execution of function `(+)` with args: _ = 163 _ = 10 Normal execution of function `c` with args: arg = {c= 173} Normal execution of function `(<)` with args: _ = 173 _ = 1000 Normal iteration of loop Normal execution of function `c` with args: arg = {c= 173} Normal execution of function `(+)` with args: _ = 173 _ = 10 Normal execution of function `c` with args: arg = {c= 183} Normal execution of function `(<)` with args: _ = 183 _ = 1000 Normal iteration of loop Normal execution of function `c` with args: arg = {c= 183} Normal execution of function `(+)` with args: _ = 183 _ = 10 Normal execution of function `c` with args: arg = {c= 193} Normal execution of function `(<)` with args: _ = 193 _ = 1000 Normal iteration of loop Normal execution of function `c` with args: arg = {c= 193} Normal execution of function `(+)` with args: _ = 193 _ = 10 Property failure at assertion with: x = {c= 203} Categorizations of models: - Selected model 0: NC - Concrete RAC: FAILURE (assertion at "bench/check-ce/attributes_mono.mlw", line 25, characters 11-20) - Abstract RAC: FAILURE (assertion at "bench/check-ce/attributes_mono.mlw", line 25, characters 11-20) - Checked model 1: NC - Concrete RAC: FAILURE (assertion at "bench/check-ce/attributes_mono.mlw", line 25, characters 11-20) - Abstract RAC: FAILURE (assertion at "bench/check-ce/attributes_mono.mlw", line 25, characters 11-20) File "bench/check-ce/attributes_mono.mlw", line 25, characters 11-20: Sub-goal Assertion of goal g'vc. Prover result is: Unknown (sat). The program does not comply to the verification goal, for example during the following execution: File int.mlw: Line 13: Constant zero initialization zero = 0 Line 14: Constant one initialization one = 1 Unknown location: _ = () File attributes_mono.mlw: Line 21: _ = () Execution of main function `g` with env: _ = () zero = 0 one = 1 Line 22: Normal execution of function `t'mk` with args: c = 0 Line 23: (giant-step) execution of unimplemented function `h` y = {c= 0} x = {c= 1} result of `h` = () Line 24: (giant-step) execution of unimplemented function `h` y = {c= 1} x = {c= 200} result of `h` = () Line 25: Property failure at assertion with: x = {c= 200} why3-1.6.0/bench/check-ce/oracles/attributes_mono_CVC5,1.0.0_WP.oracle000066400000000000000000000264151440160026300250110ustar00rootroot00000000000000Categorizations of models: - Selected model 0: NC - Concrete RAC: FAILURE (assertion at "bench/check-ce/attributes_mono.mlw", line 13, characters 48-57) - Abstract RAC: FAILURE (assertion at "bench/check-ce/attributes_mono.mlw", line 13, characters 48-57) - Checked model 1: NC - Concrete RAC: FAILURE (assertion at "bench/check-ce/attributes_mono.mlw", line 13, characters 48-57) - Abstract RAC: FAILURE (assertion at "bench/check-ce/attributes_mono.mlw", line 13, characters 48-57) File "bench/check-ce/attributes_mono.mlw", line 13, characters 48-57: Sub-goal Assertion of goal f'vc. Prover result is: Unknown (sat). The program does not comply to the verification goal, for example during the following execution: File int.mlw: Line 13: Constant zero initialization zero = 0 Line 14: Constant one initialization one = 1 Unknown location: _ = () File attributes_mono.mlw: Line 6: _ = () Execution of main function `f` with env: _ = () zero = 0 one = 1 Line 7: Normal execution of function `t'mk` with args: c = 0 Line 9: Normal execution of function `c` with args: arg = {c= 0} Normal execution of function `(<)` with args: _ = 0 _ = 10 Normal iteration of loop Normal execution of function `c` with args: arg = {c= 0} Normal execution of function `(+)` with args: _ = 0 _ = 3 Normal execution of function `c` with args: arg = {c= 3} Normal execution of function `(<)` with args: _ = 3 _ = 10 Normal iteration of loop Normal execution of function `c` with args: arg = {c= 3} Normal execution of function `(+)` with args: _ = 3 _ = 3 Normal execution of function `c` with args: arg = {c= 6} Normal execution of function `(<)` with args: _ = 6 _ = 10 Normal iteration of loop Normal execution of function `c` with args: arg = {c= 6} Normal execution of function `(+)` with args: _ = 6 _ = 3 Normal execution of function `c` with args: arg = {c= 9} Normal execution of function `(<)` with args: _ = 9 _ = 10 Normal iteration of loop Normal execution of function `c` with args: arg = {c= 9} Normal execution of function `(+)` with args: _ = 9 _ = 3 Normal execution of function `c` with args: arg = {c= 12} Normal execution of function `(<)` with args: _ = 12 _ = 10 Line 11: Normal execution of function `c` with args: arg = {c= 12} Normal execution of function `(<)` with args: _ = 12 _ = 100 Normal iteration of loop Normal execution of function `c` with args: arg = {c= 12} Normal execution of function `(+)` with args: _ = 12 _ = 7 Normal execution of function `c` with args: arg = {c= 19} Normal execution of function `(<)` with args: _ = 19 _ = 100 Normal iteration of loop Normal execution of function `c` with args: arg = {c= 19} Normal execution of function `(+)` with args: _ = 19 _ = 7 Normal execution of function `c` with args: arg = {c= 26} Normal execution of function `(<)` with args: _ = 26 _ = 100 Normal iteration of loop Normal execution of function `c` with args: arg = {c= 26} Normal execution of function `(+)` with args: _ = 26 _ = 7 Normal execution of function `c` with args: arg = {c= 33} Normal execution of function `(<)` with args: _ = 33 _ = 100 Normal iteration of loop Normal execution of function `c` with args: arg = {c= 33} Normal execution of function `(+)` with args: _ = 33 _ = 7 Normal execution of function `c` with args: arg = {c= 40} Normal execution of function `(<)` with args: _ = 40 _ = 100 Normal iteration of loop Normal execution of function `c` with args: arg = {c= 40} Normal execution of function `(+)` with args: _ = 40 _ = 7 Normal execution of function `c` with args: arg = {c= 47} Normal execution of function `(<)` with args: _ = 47 _ = 100 Normal iteration of loop Normal execution of function `c` with args: arg = {c= 47} Normal execution of function `(+)` with args: _ = 47 _ = 7 Normal execution of function `c` with args: arg = {c= 54} Normal execution of function `(<)` with args: _ = 54 _ = 100 Normal iteration of loop Normal execution of function `c` with args: arg = {c= 54} Normal execution of function `(+)` with args: _ = 54 _ = 7 Normal execution of function `c` with args: arg = {c= 61} Normal execution of function `(<)` with args: _ = 61 _ = 100 Normal iteration of loop Normal execution of function `c` with args: arg = {c= 61} Normal execution of function `(+)` with args: _ = 61 _ = 7 Normal execution of function `c` with args: arg = {c= 68} Normal execution of function `(<)` with args: _ = 68 _ = 100 Normal iteration of loop Normal execution of function `c` with args: arg = {c= 68} Normal execution of function `(+)` with args: _ = 68 _ = 7 Normal execution of function `c` with args: arg = {c= 75} Normal execution of function `(<)` with args: _ = 75 _ = 100 Normal iteration of loop Normal execution of function `c` with args: arg = {c= 75} Normal execution of function `(+)` with args: _ = 75 _ = 7 Normal execution of function `c` with args: arg = {c= 82} Normal execution of function `(<)` with args: _ = 82 _ = 100 Normal iteration of loop Normal execution of function `c` with args: arg = {c= 82} Normal execution of function `(+)` with args: _ = 82 _ = 7 Normal execution of function `c` with args: arg = {c= 89} Normal execution of function `(<)` with args: _ = 89 _ = 100 Normal iteration of loop Normal execution of function `c` with args: arg = {c= 89} Normal execution of function `(+)` with args: _ = 89 _ = 7 Normal execution of function `c` with args: arg = {c= 96} Normal execution of function `(<)` with args: _ = 96 _ = 100 Normal iteration of loop Normal execution of function `c` with args: arg = {c= 96} Normal execution of function `(+)` with args: _ = 96 _ = 7 Normal execution of function `c` with args: arg = {c= 103} Normal execution of function `(<)` with args: _ = 103 _ = 100 Line 13: Normal execution of function `c` with args: arg = {c= 103} Normal execution of function `(<)` with args: _ = 103 _ = 1000 Normal iteration of loop Normal execution of function `c` with args: arg = {c= 103} Normal execution of function `(+)` with args: _ = 103 _ = 10 Normal execution of function `c` with args: arg = {c= 113} Normal execution of function `(<)` with args: _ = 113 _ = 1000 Normal iteration of loop Normal execution of function `c` with args: arg = {c= 113} Normal execution of function `(+)` with args: _ = 113 _ = 10 Normal execution of function `c` with args: arg = {c= 123} Normal execution of function `(<)` with args: _ = 123 _ = 1000 Normal iteration of loop Normal execution of function `c` with args: arg = {c= 123} Normal execution of function `(+)` with args: _ = 123 _ = 10 Normal execution of function `c` with args: arg = {c= 133} Normal execution of function `(<)` with args: _ = 133 _ = 1000 Normal iteration of loop Normal execution of function `c` with args: arg = {c= 133} Normal execution of function `(+)` with args: _ = 133 _ = 10 Normal execution of function `c` with args: arg = {c= 143} Normal execution of function `(<)` with args: _ = 143 _ = 1000 Normal iteration of loop Normal execution of function `c` with args: arg = {c= 143} Normal execution of function `(+)` with args: _ = 143 _ = 10 Normal execution of function `c` with args: arg = {c= 153} Normal execution of function `(<)` with args: _ = 153 _ = 1000 Normal iteration of loop Normal execution of function `c` with args: arg = {c= 153} Normal execution of function `(+)` with args: _ = 153 _ = 10 Normal execution of function `c` with args: arg = {c= 163} Normal execution of function `(<)` with args: _ = 163 _ = 1000 Normal iteration of loop Normal execution of function `c` with args: arg = {c= 163} Normal execution of function `(+)` with args: _ = 163 _ = 10 Normal execution of function `c` with args: arg = {c= 173} Normal execution of function `(<)` with args: _ = 173 _ = 1000 Normal iteration of loop Normal execution of function `c` with args: arg = {c= 173} Normal execution of function `(+)` with args: _ = 173 _ = 10 Normal execution of function `c` with args: arg = {c= 183} Normal execution of function `(<)` with args: _ = 183 _ = 1000 Normal iteration of loop Normal execution of function `c` with args: arg = {c= 183} Normal execution of function `(+)` with args: _ = 183 _ = 10 Normal execution of function `c` with args: arg = {c= 193} Normal execution of function `(<)` with args: _ = 193 _ = 1000 Normal iteration of loop Normal execution of function `c` with args: arg = {c= 193} Normal execution of function `(+)` with args: _ = 193 _ = 10 Property failure at assertion with: x = {c= 203} Categorizations of models: - Selected model 0: NC - Concrete RAC: FAILURE (assertion at "bench/check-ce/attributes_mono.mlw", line 25, characters 11-20) - Abstract RAC: FAILURE (assertion at "bench/check-ce/attributes_mono.mlw", line 25, characters 11-20) - Checked model 1: NC - Concrete RAC: FAILURE (assertion at "bench/check-ce/attributes_mono.mlw", line 25, characters 11-20) - Abstract RAC: FAILURE (assertion at "bench/check-ce/attributes_mono.mlw", line 25, characters 11-20) File "bench/check-ce/attributes_mono.mlw", line 25, characters 11-20: Sub-goal Assertion of goal g'vc. Prover result is: Unknown (sat). The program does not comply to the verification goal, for example during the following execution: File int.mlw: Line 13: Constant zero initialization zero = 0 Line 14: Constant one initialization one = 1 Unknown location: _ = () File attributes_mono.mlw: Line 21: _ = () Execution of main function `g` with env: _ = () zero = 0 one = 1 Line 22: Normal execution of function `t'mk` with args: c = 0 Line 23: (giant-step) execution of unimplemented function `h` y = {c= 0} x = {c= 1} result of `h` = () Line 24: (giant-step) execution of unimplemented function `h` y = {c= 1} x = {c= 200} result of `h` = () Line 25: Property failure at assertion with: x = {c= 200} why3-1.6.0/bench/check-ce/oracles/attributes_mono_Z3,4.8.10_SP.oracle000066400000000000000000000264151440160026300246750ustar00rootroot00000000000000Categorizations of models: - Selected model 0: NC - Concrete RAC: FAILURE (assertion at "bench/check-ce/attributes_mono.mlw", line 13, characters 48-57) - Abstract RAC: FAILURE (assertion at "bench/check-ce/attributes_mono.mlw", line 13, characters 48-57) - Checked model 1: NC - Concrete RAC: FAILURE (assertion at "bench/check-ce/attributes_mono.mlw", line 13, characters 48-57) - Abstract RAC: FAILURE (assertion at "bench/check-ce/attributes_mono.mlw", line 13, characters 48-57) File "bench/check-ce/attributes_mono.mlw", line 13, characters 48-57: Sub-goal Assertion of goal f'vc. Prover result is: Unknown (sat). The program does not comply to the verification goal, for example during the following execution: File int.mlw: Line 13: Constant zero initialization zero = 0 Line 14: Constant one initialization one = 1 Unknown location: _ = () File attributes_mono.mlw: Line 6: _ = () Execution of main function `f` with env: _ = () zero = 0 one = 1 Line 7: Normal execution of function `t'mk` with args: c = 0 Line 9: Normal execution of function `c` with args: arg = {c= 0} Normal execution of function `(<)` with args: _ = 0 _ = 10 Normal iteration of loop Normal execution of function `c` with args: arg = {c= 0} Normal execution of function `(+)` with args: _ = 0 _ = 3 Normal execution of function `c` with args: arg = {c= 3} Normal execution of function `(<)` with args: _ = 3 _ = 10 Normal iteration of loop Normal execution of function `c` with args: arg = {c= 3} Normal execution of function `(+)` with args: _ = 3 _ = 3 Normal execution of function `c` with args: arg = {c= 6} Normal execution of function `(<)` with args: _ = 6 _ = 10 Normal iteration of loop Normal execution of function `c` with args: arg = {c= 6} Normal execution of function `(+)` with args: _ = 6 _ = 3 Normal execution of function `c` with args: arg = {c= 9} Normal execution of function `(<)` with args: _ = 9 _ = 10 Normal iteration of loop Normal execution of function `c` with args: arg = {c= 9} Normal execution of function `(+)` with args: _ = 9 _ = 3 Normal execution of function `c` with args: arg = {c= 12} Normal execution of function `(<)` with args: _ = 12 _ = 10 Line 11: Normal execution of function `c` with args: arg = {c= 12} Normal execution of function `(<)` with args: _ = 12 _ = 100 Normal iteration of loop Normal execution of function `c` with args: arg = {c= 12} Normal execution of function `(+)` with args: _ = 12 _ = 7 Normal execution of function `c` with args: arg = {c= 19} Normal execution of function `(<)` with args: _ = 19 _ = 100 Normal iteration of loop Normal execution of function `c` with args: arg = {c= 19} Normal execution of function `(+)` with args: _ = 19 _ = 7 Normal execution of function `c` with args: arg = {c= 26} Normal execution of function `(<)` with args: _ = 26 _ = 100 Normal iteration of loop Normal execution of function `c` with args: arg = {c= 26} Normal execution of function `(+)` with args: _ = 26 _ = 7 Normal execution of function `c` with args: arg = {c= 33} Normal execution of function `(<)` with args: _ = 33 _ = 100 Normal iteration of loop Normal execution of function `c` with args: arg = {c= 33} Normal execution of function `(+)` with args: _ = 33 _ = 7 Normal execution of function `c` with args: arg = {c= 40} Normal execution of function `(<)` with args: _ = 40 _ = 100 Normal iteration of loop Normal execution of function `c` with args: arg = {c= 40} Normal execution of function `(+)` with args: _ = 40 _ = 7 Normal execution of function `c` with args: arg = {c= 47} Normal execution of function `(<)` with args: _ = 47 _ = 100 Normal iteration of loop Normal execution of function `c` with args: arg = {c= 47} Normal execution of function `(+)` with args: _ = 47 _ = 7 Normal execution of function `c` with args: arg = {c= 54} Normal execution of function `(<)` with args: _ = 54 _ = 100 Normal iteration of loop Normal execution of function `c` with args: arg = {c= 54} Normal execution of function `(+)` with args: _ = 54 _ = 7 Normal execution of function `c` with args: arg = {c= 61} Normal execution of function `(<)` with args: _ = 61 _ = 100 Normal iteration of loop Normal execution of function `c` with args: arg = {c= 61} Normal execution of function `(+)` with args: _ = 61 _ = 7 Normal execution of function `c` with args: arg = {c= 68} Normal execution of function `(<)` with args: _ = 68 _ = 100 Normal iteration of loop Normal execution of function `c` with args: arg = {c= 68} Normal execution of function `(+)` with args: _ = 68 _ = 7 Normal execution of function `c` with args: arg = {c= 75} Normal execution of function `(<)` with args: _ = 75 _ = 100 Normal iteration of loop Normal execution of function `c` with args: arg = {c= 75} Normal execution of function `(+)` with args: _ = 75 _ = 7 Normal execution of function `c` with args: arg = {c= 82} Normal execution of function `(<)` with args: _ = 82 _ = 100 Normal iteration of loop Normal execution of function `c` with args: arg = {c= 82} Normal execution of function `(+)` with args: _ = 82 _ = 7 Normal execution of function `c` with args: arg = {c= 89} Normal execution of function `(<)` with args: _ = 89 _ = 100 Normal iteration of loop Normal execution of function `c` with args: arg = {c= 89} Normal execution of function `(+)` with args: _ = 89 _ = 7 Normal execution of function `c` with args: arg = {c= 96} Normal execution of function `(<)` with args: _ = 96 _ = 100 Normal iteration of loop Normal execution of function `c` with args: arg = {c= 96} Normal execution of function `(+)` with args: _ = 96 _ = 7 Normal execution of function `c` with args: arg = {c= 103} Normal execution of function `(<)` with args: _ = 103 _ = 100 Line 13: Normal execution of function `c` with args: arg = {c= 103} Normal execution of function `(<)` with args: _ = 103 _ = 1000 Normal iteration of loop Normal execution of function `c` with args: arg = {c= 103} Normal execution of function `(+)` with args: _ = 103 _ = 10 Normal execution of function `c` with args: arg = {c= 113} Normal execution of function `(<)` with args: _ = 113 _ = 1000 Normal iteration of loop Normal execution of function `c` with args: arg = {c= 113} Normal execution of function `(+)` with args: _ = 113 _ = 10 Normal execution of function `c` with args: arg = {c= 123} Normal execution of function `(<)` with args: _ = 123 _ = 1000 Normal iteration of loop Normal execution of function `c` with args: arg = {c= 123} Normal execution of function `(+)` with args: _ = 123 _ = 10 Normal execution of function `c` with args: arg = {c= 133} Normal execution of function `(<)` with args: _ = 133 _ = 1000 Normal iteration of loop Normal execution of function `c` with args: arg = {c= 133} Normal execution of function `(+)` with args: _ = 133 _ = 10 Normal execution of function `c` with args: arg = {c= 143} Normal execution of function `(<)` with args: _ = 143 _ = 1000 Normal iteration of loop Normal execution of function `c` with args: arg = {c= 143} Normal execution of function `(+)` with args: _ = 143 _ = 10 Normal execution of function `c` with args: arg = {c= 153} Normal execution of function `(<)` with args: _ = 153 _ = 1000 Normal iteration of loop Normal execution of function `c` with args: arg = {c= 153} Normal execution of function `(+)` with args: _ = 153 _ = 10 Normal execution of function `c` with args: arg = {c= 163} Normal execution of function `(<)` with args: _ = 163 _ = 1000 Normal iteration of loop Normal execution of function `c` with args: arg = {c= 163} Normal execution of function `(+)` with args: _ = 163 _ = 10 Normal execution of function `c` with args: arg = {c= 173} Normal execution of function `(<)` with args: _ = 173 _ = 1000 Normal iteration of loop Normal execution of function `c` with args: arg = {c= 173} Normal execution of function `(+)` with args: _ = 173 _ = 10 Normal execution of function `c` with args: arg = {c= 183} Normal execution of function `(<)` with args: _ = 183 _ = 1000 Normal iteration of loop Normal execution of function `c` with args: arg = {c= 183} Normal execution of function `(+)` with args: _ = 183 _ = 10 Normal execution of function `c` with args: arg = {c= 193} Normal execution of function `(<)` with args: _ = 193 _ = 1000 Normal iteration of loop Normal execution of function `c` with args: arg = {c= 193} Normal execution of function `(+)` with args: _ = 193 _ = 10 Property failure at assertion with: x = {c= 203} Categorizations of models: - Selected model 0: NC - Concrete RAC: FAILURE (assertion at "bench/check-ce/attributes_mono.mlw", line 25, characters 11-20) - Abstract RAC: FAILURE (assertion at "bench/check-ce/attributes_mono.mlw", line 25, characters 11-20) - Checked model 1: NC - Concrete RAC: FAILURE (assertion at "bench/check-ce/attributes_mono.mlw", line 25, characters 11-20) - Abstract RAC: FAILURE (assertion at "bench/check-ce/attributes_mono.mlw", line 25, characters 11-20) File "bench/check-ce/attributes_mono.mlw", line 25, characters 11-20: Sub-goal Assertion of goal g'vc. Prover result is: Unknown (sat). The program does not comply to the verification goal, for example during the following execution: File int.mlw: Line 13: Constant zero initialization zero = 0 Line 14: Constant one initialization one = 1 Unknown location: _ = () File attributes_mono.mlw: Line 21: _ = () Execution of main function `g` with env: _ = () zero = 0 one = 1 Line 22: Normal execution of function `t'mk` with args: c = 0 Line 23: (giant-step) execution of unimplemented function `h` y = {c= 0} x = {c= 1} result of `h` = () Line 24: (giant-step) execution of unimplemented function `h` y = {c= 1} x = {c= 200} result of `h` = () Line 25: Property failure at assertion with: x = {c= 200} why3-1.6.0/bench/check-ce/oracles/attributes_mono_Z3,4.8.10_WP.oracle000066400000000000000000000264151440160026300247010ustar00rootroot00000000000000Categorizations of models: - Selected model 0: NC - Concrete RAC: FAILURE (assertion at "bench/check-ce/attributes_mono.mlw", line 13, characters 48-57) - Abstract RAC: FAILURE (assertion at "bench/check-ce/attributes_mono.mlw", line 13, characters 48-57) - Checked model 1: NC - Concrete RAC: FAILURE (assertion at "bench/check-ce/attributes_mono.mlw", line 13, characters 48-57) - Abstract RAC: FAILURE (assertion at "bench/check-ce/attributes_mono.mlw", line 13, characters 48-57) File "bench/check-ce/attributes_mono.mlw", line 13, characters 48-57: Sub-goal Assertion of goal f'vc. Prover result is: Unknown (sat). The program does not comply to the verification goal, for example during the following execution: File int.mlw: Line 13: Constant zero initialization zero = 0 Line 14: Constant one initialization one = 1 Unknown location: _ = () File attributes_mono.mlw: Line 6: _ = () Execution of main function `f` with env: _ = () zero = 0 one = 1 Line 7: Normal execution of function `t'mk` with args: c = 0 Line 9: Normal execution of function `c` with args: arg = {c= 0} Normal execution of function `(<)` with args: _ = 0 _ = 10 Normal iteration of loop Normal execution of function `c` with args: arg = {c= 0} Normal execution of function `(+)` with args: _ = 0 _ = 3 Normal execution of function `c` with args: arg = {c= 3} Normal execution of function `(<)` with args: _ = 3 _ = 10 Normal iteration of loop Normal execution of function `c` with args: arg = {c= 3} Normal execution of function `(+)` with args: _ = 3 _ = 3 Normal execution of function `c` with args: arg = {c= 6} Normal execution of function `(<)` with args: _ = 6 _ = 10 Normal iteration of loop Normal execution of function `c` with args: arg = {c= 6} Normal execution of function `(+)` with args: _ = 6 _ = 3 Normal execution of function `c` with args: arg = {c= 9} Normal execution of function `(<)` with args: _ = 9 _ = 10 Normal iteration of loop Normal execution of function `c` with args: arg = {c= 9} Normal execution of function `(+)` with args: _ = 9 _ = 3 Normal execution of function `c` with args: arg = {c= 12} Normal execution of function `(<)` with args: _ = 12 _ = 10 Line 11: Normal execution of function `c` with args: arg = {c= 12} Normal execution of function `(<)` with args: _ = 12 _ = 100 Normal iteration of loop Normal execution of function `c` with args: arg = {c= 12} Normal execution of function `(+)` with args: _ = 12 _ = 7 Normal execution of function `c` with args: arg = {c= 19} Normal execution of function `(<)` with args: _ = 19 _ = 100 Normal iteration of loop Normal execution of function `c` with args: arg = {c= 19} Normal execution of function `(+)` with args: _ = 19 _ = 7 Normal execution of function `c` with args: arg = {c= 26} Normal execution of function `(<)` with args: _ = 26 _ = 100 Normal iteration of loop Normal execution of function `c` with args: arg = {c= 26} Normal execution of function `(+)` with args: _ = 26 _ = 7 Normal execution of function `c` with args: arg = {c= 33} Normal execution of function `(<)` with args: _ = 33 _ = 100 Normal iteration of loop Normal execution of function `c` with args: arg = {c= 33} Normal execution of function `(+)` with args: _ = 33 _ = 7 Normal execution of function `c` with args: arg = {c= 40} Normal execution of function `(<)` with args: _ = 40 _ = 100 Normal iteration of loop Normal execution of function `c` with args: arg = {c= 40} Normal execution of function `(+)` with args: _ = 40 _ = 7 Normal execution of function `c` with args: arg = {c= 47} Normal execution of function `(<)` with args: _ = 47 _ = 100 Normal iteration of loop Normal execution of function `c` with args: arg = {c= 47} Normal execution of function `(+)` with args: _ = 47 _ = 7 Normal execution of function `c` with args: arg = {c= 54} Normal execution of function `(<)` with args: _ = 54 _ = 100 Normal iteration of loop Normal execution of function `c` with args: arg = {c= 54} Normal execution of function `(+)` with args: _ = 54 _ = 7 Normal execution of function `c` with args: arg = {c= 61} Normal execution of function `(<)` with args: _ = 61 _ = 100 Normal iteration of loop Normal execution of function `c` with args: arg = {c= 61} Normal execution of function `(+)` with args: _ = 61 _ = 7 Normal execution of function `c` with args: arg = {c= 68} Normal execution of function `(<)` with args: _ = 68 _ = 100 Normal iteration of loop Normal execution of function `c` with args: arg = {c= 68} Normal execution of function `(+)` with args: _ = 68 _ = 7 Normal execution of function `c` with args: arg = {c= 75} Normal execution of function `(<)` with args: _ = 75 _ = 100 Normal iteration of loop Normal execution of function `c` with args: arg = {c= 75} Normal execution of function `(+)` with args: _ = 75 _ = 7 Normal execution of function `c` with args: arg = {c= 82} Normal execution of function `(<)` with args: _ = 82 _ = 100 Normal iteration of loop Normal execution of function `c` with args: arg = {c= 82} Normal execution of function `(+)` with args: _ = 82 _ = 7 Normal execution of function `c` with args: arg = {c= 89} Normal execution of function `(<)` with args: _ = 89 _ = 100 Normal iteration of loop Normal execution of function `c` with args: arg = {c= 89} Normal execution of function `(+)` with args: _ = 89 _ = 7 Normal execution of function `c` with args: arg = {c= 96} Normal execution of function `(<)` with args: _ = 96 _ = 100 Normal iteration of loop Normal execution of function `c` with args: arg = {c= 96} Normal execution of function `(+)` with args: _ = 96 _ = 7 Normal execution of function `c` with args: arg = {c= 103} Normal execution of function `(<)` with args: _ = 103 _ = 100 Line 13: Normal execution of function `c` with args: arg = {c= 103} Normal execution of function `(<)` with args: _ = 103 _ = 1000 Normal iteration of loop Normal execution of function `c` with args: arg = {c= 103} Normal execution of function `(+)` with args: _ = 103 _ = 10 Normal execution of function `c` with args: arg = {c= 113} Normal execution of function `(<)` with args: _ = 113 _ = 1000 Normal iteration of loop Normal execution of function `c` with args: arg = {c= 113} Normal execution of function `(+)` with args: _ = 113 _ = 10 Normal execution of function `c` with args: arg = {c= 123} Normal execution of function `(<)` with args: _ = 123 _ = 1000 Normal iteration of loop Normal execution of function `c` with args: arg = {c= 123} Normal execution of function `(+)` with args: _ = 123 _ = 10 Normal execution of function `c` with args: arg = {c= 133} Normal execution of function `(<)` with args: _ = 133 _ = 1000 Normal iteration of loop Normal execution of function `c` with args: arg = {c= 133} Normal execution of function `(+)` with args: _ = 133 _ = 10 Normal execution of function `c` with args: arg = {c= 143} Normal execution of function `(<)` with args: _ = 143 _ = 1000 Normal iteration of loop Normal execution of function `c` with args: arg = {c= 143} Normal execution of function `(+)` with args: _ = 143 _ = 10 Normal execution of function `c` with args: arg = {c= 153} Normal execution of function `(<)` with args: _ = 153 _ = 1000 Normal iteration of loop Normal execution of function `c` with args: arg = {c= 153} Normal execution of function `(+)` with args: _ = 153 _ = 10 Normal execution of function `c` with args: arg = {c= 163} Normal execution of function `(<)` with args: _ = 163 _ = 1000 Normal iteration of loop Normal execution of function `c` with args: arg = {c= 163} Normal execution of function `(+)` with args: _ = 163 _ = 10 Normal execution of function `c` with args: arg = {c= 173} Normal execution of function `(<)` with args: _ = 173 _ = 1000 Normal iteration of loop Normal execution of function `c` with args: arg = {c= 173} Normal execution of function `(+)` with args: _ = 173 _ = 10 Normal execution of function `c` with args: arg = {c= 183} Normal execution of function `(<)` with args: _ = 183 _ = 1000 Normal iteration of loop Normal execution of function `c` with args: arg = {c= 183} Normal execution of function `(+)` with args: _ = 183 _ = 10 Normal execution of function `c` with args: arg = {c= 193} Normal execution of function `(<)` with args: _ = 193 _ = 1000 Normal iteration of loop Normal execution of function `c` with args: arg = {c= 193} Normal execution of function `(+)` with args: _ = 193 _ = 10 Property failure at assertion with: x = {c= 203} Categorizations of models: - Selected model 0: NC - Concrete RAC: FAILURE (assertion at "bench/check-ce/attributes_mono.mlw", line 25, characters 11-20) - Abstract RAC: FAILURE (assertion at "bench/check-ce/attributes_mono.mlw", line 25, characters 11-20) - Checked model 1: NC - Concrete RAC: FAILURE (assertion at "bench/check-ce/attributes_mono.mlw", line 25, characters 11-20) - Abstract RAC: FAILURE (assertion at "bench/check-ce/attributes_mono.mlw", line 25, characters 11-20) File "bench/check-ce/attributes_mono.mlw", line 25, characters 11-20: Sub-goal Assertion of goal g'vc. Prover result is: Unknown (sat). The program does not comply to the verification goal, for example during the following execution: File int.mlw: Line 13: Constant zero initialization zero = 0 Line 14: Constant one initialization one = 1 Unknown location: _ = () File attributes_mono.mlw: Line 21: _ = () Execution of main function `g` with env: _ = () zero = 0 one = 1 Line 22: Normal execution of function `t'mk` with args: c = 0 Line 23: (giant-step) execution of unimplemented function `h` y = {c= 0} x = {c= 1} result of `h` = () Line 24: (giant-step) execution of unimplemented function `h` y = {c= 1} x = {c= 200} result of `h` = () Line 25: Property failure at assertion with: x = {c= 200} why3-1.6.0/bench/check-ce/oracles/blackbox_CVC4,1.8_SP.oracle000066400000000000000000000065141440160026300232230ustar00rootroot00000000000000Categorizations of models: - Selected model 0: NC - Concrete RAC: FAILURE (assertion at "bench/check-ce/blackbox.mlw", line 15, characters 13-14) - Abstract RAC: FAILURE (assertion at "bench/check-ce/blackbox.mlw", line 17, characters 11-16) - Checked model 1: NC - Concrete RAC: FAILURE (assertion at "bench/check-ce/blackbox.mlw", line 15, characters 13-14) - Abstract RAC: FAILURE (assertion at "bench/check-ce/blackbox.mlw", line 17, characters 11-16) File "bench/check-ce/blackbox.mlw", line 15, characters 13-14: Sub-goal Assertion of goal main'vc. Prover result is: Unknown (sat). The program does not comply to the verification goal, for example during the following execution: File int.mlw: Line 13: Constant zero initialization zero = 0 Line 14: Constant one initialization one = 1 File blackbox.mlw: Line 4: g = fun (bOUND_VARIABLE_313:int) -> False Line 8: Constant t initialization (giant-step) execution of unimplemented function with args: result = 0 Normal execution of function `ref` with args: contents = 0 Normal execution of function `ref'mk` with args: contents = 0 t = {contents= 0} Line 10: x = 0 x = 0 Execution of main function `main` with env: g = fun (bOUND_VARIABLE_313:int) -> False t = {contents= 0} x = 0 zero = 0 one = 1 Line 12: Normal execution of anonymous function with args: Line 14: (giant-step) execution of unimplemented function `f` y = 1 result of `f` = false Line 15: Property failure at assertion with: True = UNDEFINED b = false File "bench/check-ce/blackbox.mlw", line 13, characters 14-18: Sub-goal Postcondition of goal main'vc. Prover result is: Valid. Categorizations of models: - Selected model 0: NC_SW - Concrete RAC: INCOMPLETE (terminated because missing value for return value of call to f at "bench/check-ce/blackbox.mlw", line 14, characters 12-15) - Abstract RAC: FAILURE (assertion at "bench/check-ce/blackbox.mlw", line 17, characters 11-16) - Checked model 1: NC_SW - Concrete RAC: INCOMPLETE (terminated because missing value for return value of call to f at "bench/check-ce/blackbox.mlw", line 14, characters 12-15) - Abstract RAC: FAILURE (assertion at "bench/check-ce/blackbox.mlw", line 17, characters 11-16) File "bench/check-ce/blackbox.mlw", line 17, characters 11-16: Sub-goal Assertion of goal main'vc. Prover result is: Unknown (sat). The program does not comply to the verification goal, or the contracts of some loop or function are too weak, for example during the following execution: File int.mlw: Line 13: Constant zero initialization zero = 0 Line 14: Constant one initialization one = 1 File blackbox.mlw: Line 8: Constant t initialization (giant-step) execution of unimplemented function with args: result = 0 Normal execution of function `ref` with args: contents = 0 Normal execution of function `ref'mk` with args: contents = 0 t = {contents= 0} Line 10: x = 0 x = 0 Execution of main function `main` with env: t = {contents= 0} x = 0 zero = 0 one = 1 Line 12: Giant-step execution of anonymous function with args: result = () Line 17: Property failure at assertion with: x = 0 why3-1.6.0/bench/check-ce/oracles/blackbox_CVC4,1.8_WP.oracle000066400000000000000000000065141440160026300232270ustar00rootroot00000000000000Categorizations of models: - Selected model 0: NC - Concrete RAC: FAILURE (assertion at "bench/check-ce/blackbox.mlw", line 15, characters 13-14) - Abstract RAC: FAILURE (assertion at "bench/check-ce/blackbox.mlw", line 17, characters 11-16) - Checked model 1: NC - Concrete RAC: FAILURE (assertion at "bench/check-ce/blackbox.mlw", line 15, characters 13-14) - Abstract RAC: FAILURE (assertion at "bench/check-ce/blackbox.mlw", line 17, characters 11-16) File "bench/check-ce/blackbox.mlw", line 15, characters 13-14: Sub-goal Assertion of goal main'vc. Prover result is: Unknown (sat). The program does not comply to the verification goal, for example during the following execution: File int.mlw: Line 13: Constant zero initialization zero = 0 Line 14: Constant one initialization one = 1 File blackbox.mlw: Line 4: g = fun (bOUND_VARIABLE_313:int) -> False Line 8: Constant t initialization (giant-step) execution of unimplemented function with args: result = 0 Normal execution of function `ref` with args: contents = 0 Normal execution of function `ref'mk` with args: contents = 0 t = {contents= 0} Line 10: x = 0 x = 0 Execution of main function `main` with env: g = fun (bOUND_VARIABLE_313:int) -> False t = {contents= 0} x = 0 zero = 0 one = 1 Line 12: Normal execution of anonymous function with args: Line 14: (giant-step) execution of unimplemented function `f` y = 1 result of `f` = false Line 15: Property failure at assertion with: True = UNDEFINED b = false File "bench/check-ce/blackbox.mlw", line 13, characters 14-18: Sub-goal Postcondition of goal main'vc. Prover result is: Valid. Categorizations of models: - Selected model 0: NC_SW - Concrete RAC: INCOMPLETE (terminated because missing value for return value of call to f at "bench/check-ce/blackbox.mlw", line 14, characters 12-15) - Abstract RAC: FAILURE (assertion at "bench/check-ce/blackbox.mlw", line 17, characters 11-16) - Checked model 1: NC_SW - Concrete RAC: INCOMPLETE (terminated because missing value for return value of call to f at "bench/check-ce/blackbox.mlw", line 14, characters 12-15) - Abstract RAC: FAILURE (assertion at "bench/check-ce/blackbox.mlw", line 17, characters 11-16) File "bench/check-ce/blackbox.mlw", line 17, characters 11-16: Sub-goal Assertion of goal main'vc. Prover result is: Unknown (sat). The program does not comply to the verification goal, or the contracts of some loop or function are too weak, for example during the following execution: File int.mlw: Line 13: Constant zero initialization zero = 0 Line 14: Constant one initialization one = 1 File blackbox.mlw: Line 8: Constant t initialization (giant-step) execution of unimplemented function with args: result = 0 Normal execution of function `ref` with args: contents = 0 Normal execution of function `ref'mk` with args: contents = 0 t = {contents= 0} Line 10: x = 0 x = 0 Execution of main function `main` with env: t = {contents= 0} x = 0 zero = 0 one = 1 Line 12: Giant-step execution of anonymous function with args: result = () Line 17: Property failure at assertion with: x = 0 why3-1.6.0/bench/check-ce/oracles/blackbox_CVC5,1.0.0_SP.oracle000066400000000000000000000064641440160026300233560ustar00rootroot00000000000000Categorizations of models: - Selected model 0: NC - Concrete RAC: FAILURE (assertion at "bench/check-ce/blackbox.mlw", line 15, characters 13-14) - Abstract RAC: FAILURE (assertion at "bench/check-ce/blackbox.mlw", line 17, characters 11-16) - Checked model 1: NC - Concrete RAC: FAILURE (assertion at "bench/check-ce/blackbox.mlw", line 15, characters 13-14) - Abstract RAC: FAILURE (assertion at "bench/check-ce/blackbox.mlw", line 17, characters 11-16) File "bench/check-ce/blackbox.mlw", line 15, characters 13-14: Sub-goal Assertion of goal main'vc. Prover result is: Unknown (sat). The program does not comply to the verification goal, for example during the following execution: File int.mlw: Line 13: Constant zero initialization zero = 0 Line 14: Constant one initialization one = 1 File blackbox.mlw: Line 4: g = fun (_arg_1:int) -> False Line 8: Constant t initialization (giant-step) execution of unimplemented function with args: result = 0 Normal execution of function `ref` with args: contents = 0 Normal execution of function `ref'mk` with args: contents = 0 t = {contents= 0} Line 10: x = 0 x = 0 Execution of main function `main` with env: g = fun (_arg_1:int) -> False t = {contents= 0} x = 0 zero = 0 one = 1 Line 12: Normal execution of anonymous function with args: Line 14: (giant-step) execution of unimplemented function `f` y = 1 result of `f` = false Line 15: Property failure at assertion with: True = UNDEFINED b = false File "bench/check-ce/blackbox.mlw", line 13, characters 14-18: Sub-goal Postcondition of goal main'vc. Prover result is: Valid. Categorizations of models: - Selected model 0: NC_SW - Concrete RAC: INCOMPLETE (terminated because missing value for return value of call to f at "bench/check-ce/blackbox.mlw", line 14, characters 12-15) - Abstract RAC: FAILURE (assertion at "bench/check-ce/blackbox.mlw", line 17, characters 11-16) - Checked model 1: NC_SW - Concrete RAC: INCOMPLETE (terminated because missing value for return value of call to f at "bench/check-ce/blackbox.mlw", line 14, characters 12-15) - Abstract RAC: FAILURE (assertion at "bench/check-ce/blackbox.mlw", line 17, characters 11-16) File "bench/check-ce/blackbox.mlw", line 17, characters 11-16: Sub-goal Assertion of goal main'vc. Prover result is: Unknown (sat). The program does not comply to the verification goal, or the contracts of some loop or function are too weak, for example during the following execution: File int.mlw: Line 13: Constant zero initialization zero = 0 Line 14: Constant one initialization one = 1 File blackbox.mlw: Line 8: Constant t initialization (giant-step) execution of unimplemented function with args: result = 0 Normal execution of function `ref` with args: contents = 0 Normal execution of function `ref'mk` with args: contents = 0 t = {contents= 0} Line 10: x = 0 x = 0 Execution of main function `main` with env: t = {contents= 0} x = 0 zero = 0 one = 1 Line 12: Giant-step execution of anonymous function with args: result = () Line 17: Property failure at assertion with: x = 0 why3-1.6.0/bench/check-ce/oracles/blackbox_CVC5,1.0.0_WP.oracle000066400000000000000000000064641440160026300233620ustar00rootroot00000000000000Categorizations of models: - Selected model 0: NC - Concrete RAC: FAILURE (assertion at "bench/check-ce/blackbox.mlw", line 15, characters 13-14) - Abstract RAC: FAILURE (assertion at "bench/check-ce/blackbox.mlw", line 17, characters 11-16) - Checked model 1: NC - Concrete RAC: FAILURE (assertion at "bench/check-ce/blackbox.mlw", line 15, characters 13-14) - Abstract RAC: FAILURE (assertion at "bench/check-ce/blackbox.mlw", line 17, characters 11-16) File "bench/check-ce/blackbox.mlw", line 15, characters 13-14: Sub-goal Assertion of goal main'vc. Prover result is: Unknown (sat). The program does not comply to the verification goal, for example during the following execution: File int.mlw: Line 13: Constant zero initialization zero = 0 Line 14: Constant one initialization one = 1 File blackbox.mlw: Line 4: g = fun (_arg_1:int) -> False Line 8: Constant t initialization (giant-step) execution of unimplemented function with args: result = 0 Normal execution of function `ref` with args: contents = 0 Normal execution of function `ref'mk` with args: contents = 0 t = {contents= 0} Line 10: x = 0 x = 0 Execution of main function `main` with env: g = fun (_arg_1:int) -> False t = {contents= 0} x = 0 zero = 0 one = 1 Line 12: Normal execution of anonymous function with args: Line 14: (giant-step) execution of unimplemented function `f` y = 1 result of `f` = false Line 15: Property failure at assertion with: True = UNDEFINED b = false File "bench/check-ce/blackbox.mlw", line 13, characters 14-18: Sub-goal Postcondition of goal main'vc. Prover result is: Valid. Categorizations of models: - Selected model 0: NC_SW - Concrete RAC: INCOMPLETE (terminated because missing value for return value of call to f at "bench/check-ce/blackbox.mlw", line 14, characters 12-15) - Abstract RAC: FAILURE (assertion at "bench/check-ce/blackbox.mlw", line 17, characters 11-16) - Checked model 1: NC_SW - Concrete RAC: INCOMPLETE (terminated because missing value for return value of call to f at "bench/check-ce/blackbox.mlw", line 14, characters 12-15) - Abstract RAC: FAILURE (assertion at "bench/check-ce/blackbox.mlw", line 17, characters 11-16) File "bench/check-ce/blackbox.mlw", line 17, characters 11-16: Sub-goal Assertion of goal main'vc. Prover result is: Unknown (sat). The program does not comply to the verification goal, or the contracts of some loop or function are too weak, for example during the following execution: File int.mlw: Line 13: Constant zero initialization zero = 0 Line 14: Constant one initialization one = 1 File blackbox.mlw: Line 8: Constant t initialization (giant-step) execution of unimplemented function with args: result = 0 Normal execution of function `ref` with args: contents = 0 Normal execution of function `ref'mk` with args: contents = 0 t = {contents= 0} Line 10: x = 0 x = 0 Execution of main function `main` with env: t = {contents= 0} x = 0 zero = 0 one = 1 Line 12: Giant-step execution of anonymous function with args: result = () Line 17: Property failure at assertion with: x = 0 why3-1.6.0/bench/check-ce/oracles/blackbox_Z3,4.8.10_SP.oracle000066400000000000000000000065441440160026300232450ustar00rootroot00000000000000Categorizations of models: - Selected model 0: NC - Concrete RAC: FAILURE (assertion at "bench/check-ce/blackbox.mlw", line 15, characters 13-14) - Abstract RAC: FAILURE (assertion at "bench/check-ce/blackbox.mlw", line 17, characters 11-16) - Checked model 1: NC - Concrete RAC: FAILURE (assertion at "bench/check-ce/blackbox.mlw", line 15, characters 13-14) - Abstract RAC: FAILURE (assertion at "bench/check-ce/blackbox.mlw", line 17, characters 11-16) File "bench/check-ce/blackbox.mlw", line 15, characters 13-14: Sub-goal Assertion of goal main'vc. Prover result is: Unknown (sat). The program does not comply to the verification goal, for example during the following execution: File int.mlw: Line 13: Constant zero initialization zero = 0 Line 14: Constant one initialization one = 1 File blackbox.mlw: Line 4: g = fun (x!0:int) -> if x!0 = 1 then False else False Line 8: Constant t initialization (giant-step) execution of unimplemented function with args: result = 0 Normal execution of function `ref` with args: contents = 0 Normal execution of function `ref'mk` with args: contents = 0 t = {contents= 0} Line 10: x = 0 x = 0 Execution of main function `main` with env: g = fun (x!0:int) -> if x!0 = 1 then False else False t = {contents= 0} x = 0 zero = 0 one = 1 Line 12: Normal execution of anonymous function with args: Line 14: (giant-step) execution of unimplemented function `f` y = 1 result of `f` = false Line 15: Property failure at assertion with: True = UNDEFINED b = false File "bench/check-ce/blackbox.mlw", line 13, characters 14-18: Sub-goal Postcondition of goal main'vc. Prover result is: Valid. Categorizations of models: - Selected model 0: NC_SW - Concrete RAC: INCOMPLETE (terminated because missing value for return value of call to f at "bench/check-ce/blackbox.mlw", line 14, characters 12-15) - Abstract RAC: FAILURE (assertion at "bench/check-ce/blackbox.mlw", line 17, characters 11-16) - Checked model 1: NC_SW - Concrete RAC: INCOMPLETE (terminated because missing value for return value of call to f at "bench/check-ce/blackbox.mlw", line 14, characters 12-15) - Abstract RAC: FAILURE (assertion at "bench/check-ce/blackbox.mlw", line 17, characters 11-16) File "bench/check-ce/blackbox.mlw", line 17, characters 11-16: Sub-goal Assertion of goal main'vc. Prover result is: Unknown (sat). The program does not comply to the verification goal, or the contracts of some loop or function are too weak, for example during the following execution: File int.mlw: Line 13: Constant zero initialization zero = 0 Line 14: Constant one initialization one = 1 File blackbox.mlw: Line 8: Constant t initialization (giant-step) execution of unimplemented function with args: result = 0 Normal execution of function `ref` with args: contents = 0 Normal execution of function `ref'mk` with args: contents = 0 t = {contents= 0} Line 10: x = 0 x = 0 Execution of main function `main` with env: t = {contents= 0} x = 0 zero = 0 one = 1 Line 12: Giant-step execution of anonymous function with args: result = () Line 17: Property failure at assertion with: x = 0 why3-1.6.0/bench/check-ce/oracles/blackbox_Z3,4.8.10_WP.oracle000066400000000000000000000065441440160026300232510ustar00rootroot00000000000000Categorizations of models: - Selected model 0: NC - Concrete RAC: FAILURE (assertion at "bench/check-ce/blackbox.mlw", line 15, characters 13-14) - Abstract RAC: FAILURE (assertion at "bench/check-ce/blackbox.mlw", line 17, characters 11-16) - Checked model 1: NC - Concrete RAC: FAILURE (assertion at "bench/check-ce/blackbox.mlw", line 15, characters 13-14) - Abstract RAC: FAILURE (assertion at "bench/check-ce/blackbox.mlw", line 17, characters 11-16) File "bench/check-ce/blackbox.mlw", line 15, characters 13-14: Sub-goal Assertion of goal main'vc. Prover result is: Unknown (sat). The program does not comply to the verification goal, for example during the following execution: File int.mlw: Line 13: Constant zero initialization zero = 0 Line 14: Constant one initialization one = 1 File blackbox.mlw: Line 4: g = fun (x!0:int) -> if x!0 = 1 then False else False Line 8: Constant t initialization (giant-step) execution of unimplemented function with args: result = 0 Normal execution of function `ref` with args: contents = 0 Normal execution of function `ref'mk` with args: contents = 0 t = {contents= 0} Line 10: x = 0 x = 0 Execution of main function `main` with env: g = fun (x!0:int) -> if x!0 = 1 then False else False t = {contents= 0} x = 0 zero = 0 one = 1 Line 12: Normal execution of anonymous function with args: Line 14: (giant-step) execution of unimplemented function `f` y = 1 result of `f` = false Line 15: Property failure at assertion with: True = UNDEFINED b = false File "bench/check-ce/blackbox.mlw", line 13, characters 14-18: Sub-goal Postcondition of goal main'vc. Prover result is: Valid. Categorizations of models: - Selected model 0: NC_SW - Concrete RAC: INCOMPLETE (terminated because missing value for return value of call to f at "bench/check-ce/blackbox.mlw", line 14, characters 12-15) - Abstract RAC: FAILURE (assertion at "bench/check-ce/blackbox.mlw", line 17, characters 11-16) - Checked model 1: NC_SW - Concrete RAC: INCOMPLETE (terminated because missing value for return value of call to f at "bench/check-ce/blackbox.mlw", line 14, characters 12-15) - Abstract RAC: FAILURE (assertion at "bench/check-ce/blackbox.mlw", line 17, characters 11-16) File "bench/check-ce/blackbox.mlw", line 17, characters 11-16: Sub-goal Assertion of goal main'vc. Prover result is: Unknown (sat). The program does not comply to the verification goal, or the contracts of some loop or function are too weak, for example during the following execution: File int.mlw: Line 13: Constant zero initialization zero = 0 Line 14: Constant one initialization one = 1 File blackbox.mlw: Line 8: Constant t initialization (giant-step) execution of unimplemented function with args: result = 0 Normal execution of function `ref` with args: contents = 0 Normal execution of function `ref'mk` with args: contents = 0 t = {contents= 0} Line 10: x = 0 x = 0 Execution of main function `main` with env: t = {contents= 0} x = 0 zero = 0 one = 1 Line 12: Giant-step execution of anonymous function with args: result = () Line 17: Property failure at assertion with: x = 0 why3-1.6.0/bench/check-ce/oracles/bv32_CVC4,1.8_SP.oracle000066400000000000000000000056571440160026300222210ustar00rootroot00000000000000Categorizations of models: - Selected model 0: NC - Concrete RAC: FAILURE (postcondition at "bench/check-ce/bv32.mlw", line 9, characters 14-29) - Abstract RAC: FAILURE (postcondition at "bench/check-ce/bv32.mlw", line 9, characters 14-29) - Checked model 1: NC - Concrete RAC: FAILURE (postcondition at "bench/check-ce/bv32.mlw", line 9, characters 14-29) - Abstract RAC: FAILURE (postcondition at "bench/check-ce/bv32.mlw", line 9, characters 14-29) File "bench/check-ce/bv32.mlw", line 9, characters 14-29: Sub-goal Postcondition of goal dummy_update'vc. Prover result is: Unknown or time/memory/step limit. The program does not comply to the verification goal, for example during the following execution: File int.mlw: Line 13: Constant zero initialization zero = 0 Line 14: Constant one initialization one = 1 File bv.mlw: Line 611: Constant zeros initialization Line 192: (giant-step) execution of unimplemented function with args: result = 0 Line 611: zeros = 0 Constant one initialization Line 197: (giant-step) execution of unimplemented function with args: result = 0 Line 611: one = 0 Constant ones initialization Line 199: (giant-step) execution of unimplemented function with args: result = 0 Line 611: ones = 0 Line 653: Constant zeros initialization Line 192: (giant-step) execution of unimplemented function with args: result = 0 Line 653: zeros = 0 Constant one initialization Line 197: (giant-step) execution of unimplemented function with args: result = 0 Line 653: one = 0 Constant ones initialization Line 199: (giant-step) execution of unimplemented function with args: result = 0 Line 653: ones = 0 File bv32.mlw: Line 7: r = {contents= (34:t)} r = {contents= (34:t)} Execution of main function `dummy_update` with env: r = {contents= (34:t)} zero = 0 one = 1 zeros = 0 one = 0 ones = 0 zeros = 0 one = 0 ones = 0 Line 11: Normal execution of function `contents` with args: arg = {contents= 66} Normal execution of function `contents` with args: arg = {contents= 66} (giant-step) execution of unimplemented function `add` v1 = 66 v2 = 66 result of `add` = (132:t) Line 9: Property failure at postcondition of `dummy_update` with: r = {contents= (132:t)} Categorizations of models: - Checked model 0: BAD_CE - Concrete RAC: STUCK (failure in precondition of `dummy_update_with_int` at "bench/check-ce/bv32.mlw", line 13, characters 5-26) - Abstract RAC: STUCK (failure in precondition of `dummy_update_with_int` at "bench/check-ce/bv32.mlw", line 13, characters 5-26) File "bench/check-ce/bv32.mlw", line 15, characters 14-28: Sub-goal Postcondition of goal dummy_update_with_int'vc. Prover result is: Unknown or time/memory/step limit. why3-1.6.0/bench/check-ce/oracles/bv32_CVC4,1.8_WP.oracle000066400000000000000000000056571440160026300222250ustar00rootroot00000000000000Categorizations of models: - Selected model 0: NC - Concrete RAC: FAILURE (postcondition at "bench/check-ce/bv32.mlw", line 9, characters 14-29) - Abstract RAC: FAILURE (postcondition at "bench/check-ce/bv32.mlw", line 9, characters 14-29) - Checked model 1: NC - Concrete RAC: FAILURE (postcondition at "bench/check-ce/bv32.mlw", line 9, characters 14-29) - Abstract RAC: FAILURE (postcondition at "bench/check-ce/bv32.mlw", line 9, characters 14-29) File "bench/check-ce/bv32.mlw", line 9, characters 14-29: Sub-goal Postcondition of goal dummy_update'vc. Prover result is: Unknown or time/memory/step limit. The program does not comply to the verification goal, for example during the following execution: File int.mlw: Line 13: Constant zero initialization zero = 0 Line 14: Constant one initialization one = 1 File bv.mlw: Line 611: Constant zeros initialization Line 192: (giant-step) execution of unimplemented function with args: result = 0 Line 611: zeros = 0 Constant one initialization Line 197: (giant-step) execution of unimplemented function with args: result = 0 Line 611: one = 0 Constant ones initialization Line 199: (giant-step) execution of unimplemented function with args: result = 0 Line 611: ones = 0 Line 653: Constant zeros initialization Line 192: (giant-step) execution of unimplemented function with args: result = 0 Line 653: zeros = 0 Constant one initialization Line 197: (giant-step) execution of unimplemented function with args: result = 0 Line 653: one = 0 Constant ones initialization Line 199: (giant-step) execution of unimplemented function with args: result = 0 Line 653: ones = 0 File bv32.mlw: Line 7: r = {contents= (34:t)} r = {contents= (34:t)} Execution of main function `dummy_update` with env: r = {contents= (34:t)} zero = 0 one = 1 zeros = 0 one = 0 ones = 0 zeros = 0 one = 0 ones = 0 Line 11: Normal execution of function `contents` with args: arg = {contents= 66} Normal execution of function `contents` with args: arg = {contents= 66} (giant-step) execution of unimplemented function `add` v1 = 66 v2 = 66 result of `add` = (132:t) Line 9: Property failure at postcondition of `dummy_update` with: r = {contents= (132:t)} Categorizations of models: - Checked model 0: BAD_CE - Concrete RAC: STUCK (failure in precondition of `dummy_update_with_int` at "bench/check-ce/bv32.mlw", line 13, characters 5-26) - Abstract RAC: STUCK (failure in precondition of `dummy_update_with_int` at "bench/check-ce/bv32.mlw", line 13, characters 5-26) File "bench/check-ce/bv32.mlw", line 15, characters 14-28: Sub-goal Postcondition of goal dummy_update_with_int'vc. Prover result is: Unknown or time/memory/step limit. why3-1.6.0/bench/check-ce/oracles/bv32_CVC5,1.0.0_SP.oracle000066400000000000000000000056571440160026300223500ustar00rootroot00000000000000Categorizations of models: - Selected model 0: NC - Concrete RAC: FAILURE (postcondition at "bench/check-ce/bv32.mlw", line 9, characters 14-29) - Abstract RAC: FAILURE (postcondition at "bench/check-ce/bv32.mlw", line 9, characters 14-29) - Checked model 1: NC - Concrete RAC: FAILURE (postcondition at "bench/check-ce/bv32.mlw", line 9, characters 14-29) - Abstract RAC: FAILURE (postcondition at "bench/check-ce/bv32.mlw", line 9, characters 14-29) File "bench/check-ce/bv32.mlw", line 9, characters 14-29: Sub-goal Postcondition of goal dummy_update'vc. Prover result is: Unknown or time/memory/step limit. The program does not comply to the verification goal, for example during the following execution: File int.mlw: Line 13: Constant zero initialization zero = 0 Line 14: Constant one initialization one = 1 File bv.mlw: Line 611: Constant zeros initialization Line 192: (giant-step) execution of unimplemented function with args: result = 0 Line 611: zeros = 0 Constant one initialization Line 197: (giant-step) execution of unimplemented function with args: result = 0 Line 611: one = 0 Constant ones initialization Line 199: (giant-step) execution of unimplemented function with args: result = 0 Line 611: ones = 0 Line 653: Constant zeros initialization Line 192: (giant-step) execution of unimplemented function with args: result = 0 Line 653: zeros = 0 Constant one initialization Line 197: (giant-step) execution of unimplemented function with args: result = 0 Line 653: one = 0 Constant ones initialization Line 199: (giant-step) execution of unimplemented function with args: result = 0 Line 653: ones = 0 File bv32.mlw: Line 7: r = {contents= (34:t)} r = {contents= (34:t)} Execution of main function `dummy_update` with env: r = {contents= (34:t)} zero = 0 one = 1 zeros = 0 one = 0 ones = 0 zeros = 0 one = 0 ones = 0 Line 11: Normal execution of function `contents` with args: arg = {contents= 66} Normal execution of function `contents` with args: arg = {contents= 66} (giant-step) execution of unimplemented function `add` v1 = 66 v2 = 66 result of `add` = (132:t) Line 9: Property failure at postcondition of `dummy_update` with: r = {contents= (132:t)} Categorizations of models: - Checked model 0: BAD_CE - Concrete RAC: STUCK (failure in precondition of `dummy_update_with_int` at "bench/check-ce/bv32.mlw", line 13, characters 5-26) - Abstract RAC: STUCK (failure in precondition of `dummy_update_with_int` at "bench/check-ce/bv32.mlw", line 13, characters 5-26) File "bench/check-ce/bv32.mlw", line 15, characters 14-28: Sub-goal Postcondition of goal dummy_update_with_int'vc. Prover result is: Unknown or time/memory/step limit. why3-1.6.0/bench/check-ce/oracles/bv32_CVC5,1.0.0_WP.oracle000066400000000000000000000056571440160026300223540ustar00rootroot00000000000000Categorizations of models: - Selected model 0: NC - Concrete RAC: FAILURE (postcondition at "bench/check-ce/bv32.mlw", line 9, characters 14-29) - Abstract RAC: FAILURE (postcondition at "bench/check-ce/bv32.mlw", line 9, characters 14-29) - Checked model 1: NC - Concrete RAC: FAILURE (postcondition at "bench/check-ce/bv32.mlw", line 9, characters 14-29) - Abstract RAC: FAILURE (postcondition at "bench/check-ce/bv32.mlw", line 9, characters 14-29) File "bench/check-ce/bv32.mlw", line 9, characters 14-29: Sub-goal Postcondition of goal dummy_update'vc. Prover result is: Unknown or time/memory/step limit. The program does not comply to the verification goal, for example during the following execution: File int.mlw: Line 13: Constant zero initialization zero = 0 Line 14: Constant one initialization one = 1 File bv.mlw: Line 611: Constant zeros initialization Line 192: (giant-step) execution of unimplemented function with args: result = 0 Line 611: zeros = 0 Constant one initialization Line 197: (giant-step) execution of unimplemented function with args: result = 0 Line 611: one = 0 Constant ones initialization Line 199: (giant-step) execution of unimplemented function with args: result = 0 Line 611: ones = 0 Line 653: Constant zeros initialization Line 192: (giant-step) execution of unimplemented function with args: result = 0 Line 653: zeros = 0 Constant one initialization Line 197: (giant-step) execution of unimplemented function with args: result = 0 Line 653: one = 0 Constant ones initialization Line 199: (giant-step) execution of unimplemented function with args: result = 0 Line 653: ones = 0 File bv32.mlw: Line 7: r = {contents= (34:t)} r = {contents= (34:t)} Execution of main function `dummy_update` with env: r = {contents= (34:t)} zero = 0 one = 1 zeros = 0 one = 0 ones = 0 zeros = 0 one = 0 ones = 0 Line 11: Normal execution of function `contents` with args: arg = {contents= 66} Normal execution of function `contents` with args: arg = {contents= 66} (giant-step) execution of unimplemented function `add` v1 = 66 v2 = 66 result of `add` = (132:t) Line 9: Property failure at postcondition of `dummy_update` with: r = {contents= (132:t)} Categorizations of models: - Checked model 0: BAD_CE - Concrete RAC: STUCK (failure in precondition of `dummy_update_with_int` at "bench/check-ce/bv32.mlw", line 13, characters 5-26) - Abstract RAC: STUCK (failure in precondition of `dummy_update_with_int` at "bench/check-ce/bv32.mlw", line 13, characters 5-26) File "bench/check-ce/bv32.mlw", line 15, characters 14-28: Sub-goal Postcondition of goal dummy_update_with_int'vc. Prover result is: Unknown or time/memory/step limit. why3-1.6.0/bench/check-ce/oracles/bv32_Z3,4.8.10_SP.oracle000066400000000000000000000065421440160026300222320ustar00rootroot00000000000000Categorizations of models: - Selected model 0: NC - Concrete RAC: FAILURE (postcondition at "bench/check-ce/bv32.mlw", line 9, characters 14-29) - Abstract RAC: FAILURE (postcondition at "bench/check-ce/bv32.mlw", line 9, characters 14-29) File "bench/check-ce/bv32.mlw", line 9, characters 14-29: Sub-goal Postcondition of goal dummy_update'vc. Prover result is: Timeout (10.00s). The program does not comply to the verification goal, for example during the following execution: File int.mlw: Line 13: Constant zero initialization zero = 0 Line 14: Constant one initialization one = 1 File bv.mlw: Line 611: Constant zeros initialization Line 192: (giant-step) execution of unimplemented function with args: result = 0 Line 611: zeros = 0 Constant one initialization Line 197: (giant-step) execution of unimplemented function with args: result = 0 Line 611: one = 0 Constant ones initialization Line 199: (giant-step) execution of unimplemented function with args: result = 0 Line 611: ones = 0 Line 653: Constant zeros initialization Line 192: (giant-step) execution of unimplemented function with args: result = 0 Line 653: zeros = 0 Constant one initialization Line 197: (giant-step) execution of unimplemented function with args: result = 0 Line 653: one = 0 Constant ones initialization Line 199: (giant-step) execution of unimplemented function with args: result = 0 Line 653: ones = 0 File bv32.mlw: Line 7: r = {contents= (34:t)} r = {contents= (34:t)} Execution of main function `dummy_update` with env: r = {contents= (34:t)} zero = 0 one = 1 zeros = 0 one = 0 ones = 0 zeros = 0 one = 0 ones = 0 Line 11: Normal execution of function `contents` with args: arg = {contents= 66} Normal execution of function `contents` with args: arg = {contents= 66} (giant-step) execution of unimplemented function `add` v1 = 66 v2 = 66 result of `add` = (132:t) Line 9: Property failure at postcondition of `dummy_update` with: r = {contents= (132:t)} Categorizations of models: - Selected model 0: INCOMPLETE - Concrete RAC: INCOMPLETE (terminated because Precondition of `dummy_update_with_int` cannot be evaluated) - Abstract RAC: INCOMPLETE (terminated because Precondition of `dummy_update_with_int` cannot be evaluated) - Checked model 1: INCOMPLETE - Concrete RAC: INCOMPLETE (terminated because Precondition of `dummy_update_with_int` cannot be evaluated) - Abstract RAC: INCOMPLETE (terminated because Precondition of `dummy_update_with_int` cannot be evaluated) File "bench/check-ce/bv32.mlw", line 15, characters 14-28: Sub-goal Postcondition of goal dummy_update_with_int'vc. Prover result is: Unknown or time/memory/step limit. The following counterexample model could not be verified (both RAC terminated because Precondition of `dummy_update_with_int` cannot be evaluated): File bv.mlw: Line 653: of_int : int -> t = [|_ => #x00000000|] File bv32.mlw: Line 13: r : t = #x00000022 Line 15: r : t = #x00000084 r : t = #x00000084 Line 16: r : t = #x00000042 Line 17: r : t = #x00000084 result of call at line 17, characters 9-16 : t = #x00000084 why3-1.6.0/bench/check-ce/oracles/bv32_Z3,4.8.10_WP.oracle000066400000000000000000000065421440160026300222360ustar00rootroot00000000000000Categorizations of models: - Selected model 0: NC - Concrete RAC: FAILURE (postcondition at "bench/check-ce/bv32.mlw", line 9, characters 14-29) - Abstract RAC: FAILURE (postcondition at "bench/check-ce/bv32.mlw", line 9, characters 14-29) File "bench/check-ce/bv32.mlw", line 9, characters 14-29: Sub-goal Postcondition of goal dummy_update'vc. Prover result is: Timeout (10.00s). The program does not comply to the verification goal, for example during the following execution: File int.mlw: Line 13: Constant zero initialization zero = 0 Line 14: Constant one initialization one = 1 File bv.mlw: Line 611: Constant zeros initialization Line 192: (giant-step) execution of unimplemented function with args: result = 0 Line 611: zeros = 0 Constant one initialization Line 197: (giant-step) execution of unimplemented function with args: result = 0 Line 611: one = 0 Constant ones initialization Line 199: (giant-step) execution of unimplemented function with args: result = 0 Line 611: ones = 0 Line 653: Constant zeros initialization Line 192: (giant-step) execution of unimplemented function with args: result = 0 Line 653: zeros = 0 Constant one initialization Line 197: (giant-step) execution of unimplemented function with args: result = 0 Line 653: one = 0 Constant ones initialization Line 199: (giant-step) execution of unimplemented function with args: result = 0 Line 653: ones = 0 File bv32.mlw: Line 7: r = {contents= (34:t)} r = {contents= (34:t)} Execution of main function `dummy_update` with env: r = {contents= (34:t)} zero = 0 one = 1 zeros = 0 one = 0 ones = 0 zeros = 0 one = 0 ones = 0 Line 11: Normal execution of function `contents` with args: arg = {contents= 66} Normal execution of function `contents` with args: arg = {contents= 66} (giant-step) execution of unimplemented function `add` v1 = 66 v2 = 66 result of `add` = (132:t) Line 9: Property failure at postcondition of `dummy_update` with: r = {contents= (132:t)} Categorizations of models: - Selected model 0: INCOMPLETE - Concrete RAC: INCOMPLETE (terminated because Precondition of `dummy_update_with_int` cannot be evaluated) - Abstract RAC: INCOMPLETE (terminated because Precondition of `dummy_update_with_int` cannot be evaluated) - Checked model 1: INCOMPLETE - Concrete RAC: INCOMPLETE (terminated because Precondition of `dummy_update_with_int` cannot be evaluated) - Abstract RAC: INCOMPLETE (terminated because Precondition of `dummy_update_with_int` cannot be evaluated) File "bench/check-ce/bv32.mlw", line 15, characters 14-28: Sub-goal Postcondition of goal dummy_update_with_int'vc. Prover result is: Unknown or time/memory/step limit. The following counterexample model could not be verified (both RAC terminated because Precondition of `dummy_update_with_int` cannot be evaluated): File bv.mlw: Line 653: of_int : int -> t = [|_ => #x00000000|] File bv32.mlw: Line 13: r : t = #x00000022 Line 15: r : t = #x00000084 r : t = #x00000084 Line 16: r : t = #x00000042 Line 17: r : t = #x00000084 result of call at line 17, characters 9-16 : t = #x00000084 why3-1.6.0/bench/check-ce/oracles/bv32_mono_CVC4,1.8_SP.oracle000066400000000000000000000056521440160026300232440ustar00rootroot00000000000000Categorizations of models: - Selected model 0: NC - Concrete RAC: FAILURE (postcondition at "bench/check-ce/bv32_mono.mlw", line 11, characters 14-31) - Abstract RAC: FAILURE (postcondition at "bench/check-ce/bv32_mono.mlw", line 11, characters 14-31) - Checked model 1: NC - Concrete RAC: FAILURE (postcondition at "bench/check-ce/bv32_mono.mlw", line 11, characters 14-31) - Abstract RAC: FAILURE (postcondition at "bench/check-ce/bv32_mono.mlw", line 11, characters 14-31) File "bench/check-ce/bv32_mono.mlw", line 11, characters 14-31: Sub-goal Postcondition of goal dummy_update'vc. Prover result is: Unknown or time/memory/step limit. The program does not comply to the verification goal, for example during the following execution: File int.mlw: Line 13: Constant zero initialization zero = 0 Line 14: Constant one initialization one = 1 File bv.mlw: Line 611: Constant zeros initialization Line 192: (giant-step) execution of unimplemented function with args: result = 0 Line 611: zeros = 0 Constant one initialization Line 197: (giant-step) execution of unimplemented function with args: result = 0 Line 611: one = 0 Constant ones initialization Line 199: (giant-step) execution of unimplemented function with args: result = 0 Line 611: ones = 0 Line 653: Constant zeros initialization Line 192: (giant-step) execution of unimplemented function with args: result = 0 Line 653: zeros = 0 Constant one initialization Line 197: (giant-step) execution of unimplemented function with args: result = 0 Line 653: one = 0 Constant ones initialization Line 199: (giant-step) execution of unimplemented function with args: result = 0 Line 653: ones = 0 File bv32_mono.mlw: Line 9: r = {c= (34:t)} r = {c= (34:t)} Execution of main function `dummy_update` with env: r = {c= (34:t)} zero = 0 one = 1 zeros = 0 one = 0 ones = 0 zeros = 0 one = 0 ones = 0 Line 13: Normal execution of function `c` with args: arg = {c= 66} Normal execution of function `c` with args: arg = {c= 66} (giant-step) execution of unimplemented function `add` v1 = 66 v2 = 66 result of `add` = (132:t) Line 11: Property failure at postcondition of `dummy_update` with: r = {c= (132:t)} Categorizations of models: - Checked model 0: BAD_CE - Concrete RAC: STUCK (failure in precondition of `dummy_update_with_int` at "bench/check-ce/bv32_mono.mlw", line 15, characters 5-26) - Abstract RAC: STUCK (failure in precondition of `dummy_update_with_int` at "bench/check-ce/bv32_mono.mlw", line 15, characters 5-26) File "bench/check-ce/bv32_mono.mlw", line 17, characters 14-30: Sub-goal Postcondition of goal dummy_update_with_int'vc. Prover result is: Unknown or time/memory/step limit. why3-1.6.0/bench/check-ce/oracles/bv32_mono_CVC4,1.8_WP.oracle000066400000000000000000000056521440160026300232500ustar00rootroot00000000000000Categorizations of models: - Selected model 0: NC - Concrete RAC: FAILURE (postcondition at "bench/check-ce/bv32_mono.mlw", line 11, characters 14-31) - Abstract RAC: FAILURE (postcondition at "bench/check-ce/bv32_mono.mlw", line 11, characters 14-31) - Checked model 1: NC - Concrete RAC: FAILURE (postcondition at "bench/check-ce/bv32_mono.mlw", line 11, characters 14-31) - Abstract RAC: FAILURE (postcondition at "bench/check-ce/bv32_mono.mlw", line 11, characters 14-31) File "bench/check-ce/bv32_mono.mlw", line 11, characters 14-31: Sub-goal Postcondition of goal dummy_update'vc. Prover result is: Unknown or time/memory/step limit. The program does not comply to the verification goal, for example during the following execution: File int.mlw: Line 13: Constant zero initialization zero = 0 Line 14: Constant one initialization one = 1 File bv.mlw: Line 611: Constant zeros initialization Line 192: (giant-step) execution of unimplemented function with args: result = 0 Line 611: zeros = 0 Constant one initialization Line 197: (giant-step) execution of unimplemented function with args: result = 0 Line 611: one = 0 Constant ones initialization Line 199: (giant-step) execution of unimplemented function with args: result = 0 Line 611: ones = 0 Line 653: Constant zeros initialization Line 192: (giant-step) execution of unimplemented function with args: result = 0 Line 653: zeros = 0 Constant one initialization Line 197: (giant-step) execution of unimplemented function with args: result = 0 Line 653: one = 0 Constant ones initialization Line 199: (giant-step) execution of unimplemented function with args: result = 0 Line 653: ones = 0 File bv32_mono.mlw: Line 9: r = {c= (34:t)} r = {c= (34:t)} Execution of main function `dummy_update` with env: r = {c= (34:t)} zero = 0 one = 1 zeros = 0 one = 0 ones = 0 zeros = 0 one = 0 ones = 0 Line 13: Normal execution of function `c` with args: arg = {c= 66} Normal execution of function `c` with args: arg = {c= 66} (giant-step) execution of unimplemented function `add` v1 = 66 v2 = 66 result of `add` = (132:t) Line 11: Property failure at postcondition of `dummy_update` with: r = {c= (132:t)} Categorizations of models: - Checked model 0: BAD_CE - Concrete RAC: STUCK (failure in precondition of `dummy_update_with_int` at "bench/check-ce/bv32_mono.mlw", line 15, characters 5-26) - Abstract RAC: STUCK (failure in precondition of `dummy_update_with_int` at "bench/check-ce/bv32_mono.mlw", line 15, characters 5-26) File "bench/check-ce/bv32_mono.mlw", line 17, characters 14-30: Sub-goal Postcondition of goal dummy_update_with_int'vc. Prover result is: Unknown or time/memory/step limit. why3-1.6.0/bench/check-ce/oracles/bv32_mono_CVC5,1.0.0_SP.oracle000066400000000000000000000056521440160026300233730ustar00rootroot00000000000000Categorizations of models: - Selected model 0: NC - Concrete RAC: FAILURE (postcondition at "bench/check-ce/bv32_mono.mlw", line 11, characters 14-31) - Abstract RAC: FAILURE (postcondition at "bench/check-ce/bv32_mono.mlw", line 11, characters 14-31) - Checked model 1: NC - Concrete RAC: FAILURE (postcondition at "bench/check-ce/bv32_mono.mlw", line 11, characters 14-31) - Abstract RAC: FAILURE (postcondition at "bench/check-ce/bv32_mono.mlw", line 11, characters 14-31) File "bench/check-ce/bv32_mono.mlw", line 11, characters 14-31: Sub-goal Postcondition of goal dummy_update'vc. Prover result is: Unknown or time/memory/step limit. The program does not comply to the verification goal, for example during the following execution: File int.mlw: Line 13: Constant zero initialization zero = 0 Line 14: Constant one initialization one = 1 File bv.mlw: Line 611: Constant zeros initialization Line 192: (giant-step) execution of unimplemented function with args: result = 0 Line 611: zeros = 0 Constant one initialization Line 197: (giant-step) execution of unimplemented function with args: result = 0 Line 611: one = 0 Constant ones initialization Line 199: (giant-step) execution of unimplemented function with args: result = 0 Line 611: ones = 0 Line 653: Constant zeros initialization Line 192: (giant-step) execution of unimplemented function with args: result = 0 Line 653: zeros = 0 Constant one initialization Line 197: (giant-step) execution of unimplemented function with args: result = 0 Line 653: one = 0 Constant ones initialization Line 199: (giant-step) execution of unimplemented function with args: result = 0 Line 653: ones = 0 File bv32_mono.mlw: Line 9: r = {c= (34:t)} r = {c= (34:t)} Execution of main function `dummy_update` with env: r = {c= (34:t)} zero = 0 one = 1 zeros = 0 one = 0 ones = 0 zeros = 0 one = 0 ones = 0 Line 13: Normal execution of function `c` with args: arg = {c= 66} Normal execution of function `c` with args: arg = {c= 66} (giant-step) execution of unimplemented function `add` v1 = 66 v2 = 66 result of `add` = (132:t) Line 11: Property failure at postcondition of `dummy_update` with: r = {c= (132:t)} Categorizations of models: - Checked model 0: BAD_CE - Concrete RAC: STUCK (failure in precondition of `dummy_update_with_int` at "bench/check-ce/bv32_mono.mlw", line 15, characters 5-26) - Abstract RAC: STUCK (failure in precondition of `dummy_update_with_int` at "bench/check-ce/bv32_mono.mlw", line 15, characters 5-26) File "bench/check-ce/bv32_mono.mlw", line 17, characters 14-30: Sub-goal Postcondition of goal dummy_update_with_int'vc. Prover result is: Unknown or time/memory/step limit. why3-1.6.0/bench/check-ce/oracles/bv32_mono_CVC5,1.0.0_WP.oracle000066400000000000000000000056521440160026300233770ustar00rootroot00000000000000Categorizations of models: - Selected model 0: NC - Concrete RAC: FAILURE (postcondition at "bench/check-ce/bv32_mono.mlw", line 11, characters 14-31) - Abstract RAC: FAILURE (postcondition at "bench/check-ce/bv32_mono.mlw", line 11, characters 14-31) - Checked model 1: NC - Concrete RAC: FAILURE (postcondition at "bench/check-ce/bv32_mono.mlw", line 11, characters 14-31) - Abstract RAC: FAILURE (postcondition at "bench/check-ce/bv32_mono.mlw", line 11, characters 14-31) File "bench/check-ce/bv32_mono.mlw", line 11, characters 14-31: Sub-goal Postcondition of goal dummy_update'vc. Prover result is: Unknown or time/memory/step limit. The program does not comply to the verification goal, for example during the following execution: File int.mlw: Line 13: Constant zero initialization zero = 0 Line 14: Constant one initialization one = 1 File bv.mlw: Line 611: Constant zeros initialization Line 192: (giant-step) execution of unimplemented function with args: result = 0 Line 611: zeros = 0 Constant one initialization Line 197: (giant-step) execution of unimplemented function with args: result = 0 Line 611: one = 0 Constant ones initialization Line 199: (giant-step) execution of unimplemented function with args: result = 0 Line 611: ones = 0 Line 653: Constant zeros initialization Line 192: (giant-step) execution of unimplemented function with args: result = 0 Line 653: zeros = 0 Constant one initialization Line 197: (giant-step) execution of unimplemented function with args: result = 0 Line 653: one = 0 Constant ones initialization Line 199: (giant-step) execution of unimplemented function with args: result = 0 Line 653: ones = 0 File bv32_mono.mlw: Line 9: r = {c= (34:t)} r = {c= (34:t)} Execution of main function `dummy_update` with env: r = {c= (34:t)} zero = 0 one = 1 zeros = 0 one = 0 ones = 0 zeros = 0 one = 0 ones = 0 Line 13: Normal execution of function `c` with args: arg = {c= 66} Normal execution of function `c` with args: arg = {c= 66} (giant-step) execution of unimplemented function `add` v1 = 66 v2 = 66 result of `add` = (132:t) Line 11: Property failure at postcondition of `dummy_update` with: r = {c= (132:t)} Categorizations of models: - Checked model 0: BAD_CE - Concrete RAC: STUCK (failure in precondition of `dummy_update_with_int` at "bench/check-ce/bv32_mono.mlw", line 15, characters 5-26) - Abstract RAC: STUCK (failure in precondition of `dummy_update_with_int` at "bench/check-ce/bv32_mono.mlw", line 15, characters 5-26) File "bench/check-ce/bv32_mono.mlw", line 17, characters 14-30: Sub-goal Postcondition of goal dummy_update_with_int'vc. Prover result is: Unknown or time/memory/step limit. why3-1.6.0/bench/check-ce/oracles/bv32_mono_Z3,4.8.10_SP.oracle000066400000000000000000000117161440160026300232610ustar00rootroot00000000000000Categorizations of models: - Selected model 0: NC - Concrete RAC: FAILURE (postcondition at "bench/check-ce/bv32_mono.mlw", line 11, characters 14-31) - Abstract RAC: FAILURE (postcondition at "bench/check-ce/bv32_mono.mlw", line 11, characters 14-31) - Checked model 1: BAD_CE - Concrete RAC: STUCK (failure in precondition of `dummy_update` at "bench/check-ce/bv32_mono.mlw", line 9, characters 6-18) - Abstract RAC: STUCK (failure in precondition of `dummy_update` at "bench/check-ce/bv32_mono.mlw", line 9, characters 6-18) File "bench/check-ce/bv32_mono.mlw", line 11, characters 14-31: Sub-goal Postcondition of goal dummy_update'vc. Prover result is: Unknown or time/memory/step limit. The program does not comply to the verification goal, for example during the following execution: File int.mlw: Line 13: Constant zero initialization zero = 0 Line 14: Constant one initialization one = 1 File bv.mlw: Line 611: Constant zeros initialization Line 192: (giant-step) execution of unimplemented function with args: result = 0 Line 611: zeros = 0 Constant one initialization Line 197: (giant-step) execution of unimplemented function with args: result = 0 Line 611: one = 0 Constant ones initialization Line 199: (giant-step) execution of unimplemented function with args: result = 0 Line 611: ones = 0 Line 653: Constant zeros initialization Line 192: (giant-step) execution of unimplemented function with args: result = 0 Line 653: zeros = 0 Constant one initialization Line 197: (giant-step) execution of unimplemented function with args: result = 0 Line 653: one = 0 Constant ones initialization Line 199: (giant-step) execution of unimplemented function with args: result = 0 Line 653: ones = 0 File bv32_mono.mlw: Line 9: r = {c= (34:t)} r = {c= (34:t)} Execution of main function `dummy_update` with env: r = {c= (34:t)} zero = 0 one = 1 zeros = 0 one = 0 ones = 0 zeros = 0 one = 0 ones = 0 Line 13: Normal execution of function `c` with args: arg = {c= 66} Normal execution of function `c` with args: arg = {c= 66} (giant-step) execution of unimplemented function `add` v1 = 66 v2 = 66 result of `add` = (132:t) Line 11: Property failure at postcondition of `dummy_update` with: r = {c= (132:t)} Categorizations of models: - Selected model 0: NC - Concrete RAC: FAILURE (postcondition at "bench/check-ce/bv32_mono.mlw", line 17, characters 14-30) - Abstract RAC: FAILURE (postcondition at "bench/check-ce/bv32_mono.mlw", line 17, characters 14-30) - Checked model 1: BAD_CE - Concrete RAC: STUCK (failure in precondition of `dummy_update_with_int` at "bench/check-ce/bv32_mono.mlw", line 15, characters 5-26) - Abstract RAC: STUCK (failure in precondition of `dummy_update_with_int` at "bench/check-ce/bv32_mono.mlw", line 15, characters 5-26) File "bench/check-ce/bv32_mono.mlw", line 17, characters 14-30: Sub-goal Postcondition of goal dummy_update_with_int'vc. Prover result is: Unknown or time/memory/step limit. The program does not comply to the verification goal, for example during the following execution: File int.mlw: Line 13: Constant zero initialization zero = 0 Line 14: Constant one initialization one = 1 File bv.mlw: Line 611: Constant zeros initialization Line 192: (giant-step) execution of unimplemented function with args: result = 0 Line 611: zeros = 0 Constant one initialization Line 197: (giant-step) execution of unimplemented function with args: result = 0 Line 611: one = 0 Constant ones initialization Line 199: (giant-step) execution of unimplemented function with args: result = 0 Line 611: ones = 0 Line 653: Constant zeros initialization Line 192: (giant-step) execution of unimplemented function with args: result = 0 Line 653: zeros = 0 Constant one initialization Line 197: (giant-step) execution of unimplemented function with args: result = 0 Line 653: one = 0 Constant ones initialization Line 199: (giant-step) execution of unimplemented function with args: result = 0 Line 653: ones = 0 File bv32_mono.mlw: Line 15: r = {c= (34:t)} r = {c= (34:t)} Execution of main function `dummy_update_with_int` with env: r = {c= (34:t)} zero = 0 one = 1 zeros = 0 one = 0 ones = 0 zeros = 0 one = 0 ones = 0 Line 19: Normal execution of function `c` with args: arg = {c= 66} Normal execution of function `c` with args: arg = {c= 66} (giant-step) execution of unimplemented function `add` v1 = 66 v2 = 66 result of `add` = (132:t) Line 17: Property failure at postcondition of `dummy_update_with_int` with: r = {c= (132:t)} why3-1.6.0/bench/check-ce/oracles/bv32_mono_Z3,4.8.10_WP.oracle000066400000000000000000000117161440160026300232650ustar00rootroot00000000000000Categorizations of models: - Selected model 0: NC - Concrete RAC: FAILURE (postcondition at "bench/check-ce/bv32_mono.mlw", line 11, characters 14-31) - Abstract RAC: FAILURE (postcondition at "bench/check-ce/bv32_mono.mlw", line 11, characters 14-31) - Checked model 1: BAD_CE - Concrete RAC: STUCK (failure in precondition of `dummy_update` at "bench/check-ce/bv32_mono.mlw", line 9, characters 6-18) - Abstract RAC: STUCK (failure in precondition of `dummy_update` at "bench/check-ce/bv32_mono.mlw", line 9, characters 6-18) File "bench/check-ce/bv32_mono.mlw", line 11, characters 14-31: Sub-goal Postcondition of goal dummy_update'vc. Prover result is: Unknown or time/memory/step limit. The program does not comply to the verification goal, for example during the following execution: File int.mlw: Line 13: Constant zero initialization zero = 0 Line 14: Constant one initialization one = 1 File bv.mlw: Line 611: Constant zeros initialization Line 192: (giant-step) execution of unimplemented function with args: result = 0 Line 611: zeros = 0 Constant one initialization Line 197: (giant-step) execution of unimplemented function with args: result = 0 Line 611: one = 0 Constant ones initialization Line 199: (giant-step) execution of unimplemented function with args: result = 0 Line 611: ones = 0 Line 653: Constant zeros initialization Line 192: (giant-step) execution of unimplemented function with args: result = 0 Line 653: zeros = 0 Constant one initialization Line 197: (giant-step) execution of unimplemented function with args: result = 0 Line 653: one = 0 Constant ones initialization Line 199: (giant-step) execution of unimplemented function with args: result = 0 Line 653: ones = 0 File bv32_mono.mlw: Line 9: r = {c= (34:t)} r = {c= (34:t)} Execution of main function `dummy_update` with env: r = {c= (34:t)} zero = 0 one = 1 zeros = 0 one = 0 ones = 0 zeros = 0 one = 0 ones = 0 Line 13: Normal execution of function `c` with args: arg = {c= 66} Normal execution of function `c` with args: arg = {c= 66} (giant-step) execution of unimplemented function `add` v1 = 66 v2 = 66 result of `add` = (132:t) Line 11: Property failure at postcondition of `dummy_update` with: r = {c= (132:t)} Categorizations of models: - Selected model 0: NC - Concrete RAC: FAILURE (postcondition at "bench/check-ce/bv32_mono.mlw", line 17, characters 14-30) - Abstract RAC: FAILURE (postcondition at "bench/check-ce/bv32_mono.mlw", line 17, characters 14-30) - Checked model 1: BAD_CE - Concrete RAC: STUCK (failure in precondition of `dummy_update_with_int` at "bench/check-ce/bv32_mono.mlw", line 15, characters 5-26) - Abstract RAC: STUCK (failure in precondition of `dummy_update_with_int` at "bench/check-ce/bv32_mono.mlw", line 15, characters 5-26) File "bench/check-ce/bv32_mono.mlw", line 17, characters 14-30: Sub-goal Postcondition of goal dummy_update_with_int'vc. Prover result is: Unknown or time/memory/step limit. The program does not comply to the verification goal, for example during the following execution: File int.mlw: Line 13: Constant zero initialization zero = 0 Line 14: Constant one initialization one = 1 File bv.mlw: Line 611: Constant zeros initialization Line 192: (giant-step) execution of unimplemented function with args: result = 0 Line 611: zeros = 0 Constant one initialization Line 197: (giant-step) execution of unimplemented function with args: result = 0 Line 611: one = 0 Constant ones initialization Line 199: (giant-step) execution of unimplemented function with args: result = 0 Line 611: ones = 0 Line 653: Constant zeros initialization Line 192: (giant-step) execution of unimplemented function with args: result = 0 Line 653: zeros = 0 Constant one initialization Line 197: (giant-step) execution of unimplemented function with args: result = 0 Line 653: one = 0 Constant ones initialization Line 199: (giant-step) execution of unimplemented function with args: result = 0 Line 653: ones = 0 File bv32_mono.mlw: Line 15: r = {c= (34:t)} r = {c= (34:t)} Execution of main function `dummy_update_with_int` with env: r = {c= (34:t)} zero = 0 one = 1 zeros = 0 one = 0 ones = 0 zeros = 0 one = 0 ones = 0 Line 19: Normal execution of function `c` with args: arg = {c= 66} Normal execution of function `c` with args: arg = {c= 66} (giant-step) execution of unimplemented function `add` v1 = 66 v2 = 66 result of `add` = (132:t) Line 17: Property failure at postcondition of `dummy_update_with_int` with: r = {c= (132:t)} why3-1.6.0/bench/check-ce/oracles/bv32_toBig_CVC4,1.8_SP.oracle000066400000000000000000000156151440160026300233400ustar00rootroot00000000000000Categorizations of models: - Selected model 0: NC - Concrete RAC: FAILURE (precondition at "bench/check-ce/bv32_toBig.mlw", line 8, characters 27-40) - Abstract RAC: FAILURE (precondition at "bench/check-ce/bv32_toBig.mlw", line 8, characters 27-40) - Checked model 1: NC - Concrete RAC: FAILURE (precondition at "bench/check-ce/bv32_toBig.mlw", line 8, characters 27-40) - Abstract RAC: FAILURE (precondition at "bench/check-ce/bv32_toBig.mlw", line 8, characters 27-40) File "bench/check-ce/bv32_toBig.mlw", line 8, characters 27-40: Sub-goal Precondition of goal ok'vc. Prover result is: Unknown or time/memory/step limit. The program does not comply to the verification goal, for example during the following execution: File int.mlw: Line 13: Constant zero initialization zero = 0 Line 14: Constant one initialization one = 1 File bv.mlw: Line 632: Constant zeros initialization Line 192: (giant-step) execution of unimplemented function with args: result = 0 Line 632: zeros = 0 Constant one initialization Line 197: (giant-step) execution of unimplemented function with args: result = 0 Line 632: one = 0 Constant ones initialization Line 199: (giant-step) execution of unimplemented function with args: result = 0 Line 632: ones = 0 Line 653: Constant zeros initialization Line 192: (giant-step) execution of unimplemented function with args: result = 0 Line 653: zeros = 0 Constant one initialization Line 197: (giant-step) execution of unimplemented function with args: result = 0 Line 653: one = 0 Constant ones initialization Line 199: (giant-step) execution of unimplemented function with args: result = 0 Line 653: ones = 0 File bv32_toBig.mlw: Line 8: i = (0:t) i = (0:t) Execution of main function `ok` with env: i = (0:t) zero = 0 one = 1 zeros = 0 one = 0 ones = 0 zeros = 0 one = 0 ones = 0 (giant-step) execution of unimplemented function `toBig` _ = (0:t) result of `toBig` = (0:t1) (giant-step) execution of unimplemented function `u` i = (0:t1) Property failure at precondition of `u` with: i = (0:t1) Categorizations of models: - Selected model 0: NC - Concrete RAC: FAILURE (precondition at "bench/check-ce/bv32_toBig.mlw", line 10, characters 27-41) - Abstract RAC: FAILURE (precondition at "bench/check-ce/bv32_toBig.mlw", line 10, characters 27-41) - Checked model 1: NC - Concrete RAC: FAILURE (precondition at "bench/check-ce/bv32_toBig.mlw", line 10, characters 27-41) - Abstract RAC: FAILURE (precondition at "bench/check-ce/bv32_toBig.mlw", line 10, characters 27-41) File "bench/check-ce/bv32_toBig.mlw", line 10, characters 27-41: Sub-goal Precondition of goal ko'vc. Prover result is: Unknown or time/memory/step limit. The program does not comply to the verification goal, for example during the following execution: File int.mlw: Line 13: Constant zero initialization zero = 0 Line 14: Constant one initialization one = 1 File bv.mlw: Line 632: Constant zeros initialization Line 192: (giant-step) execution of unimplemented function with args: result = 0 Line 632: zeros = 0 Constant one initialization Line 197: (giant-step) execution of unimplemented function with args: result = 0 Line 632: one = 0 Constant ones initialization Line 199: (giant-step) execution of unimplemented function with args: result = 0 Line 632: ones = 0 Line 653: Constant zeros initialization Line 192: (giant-step) execution of unimplemented function with args: result = 0 Line 653: zeros = 0 Constant one initialization Line 197: (giant-step) execution of unimplemented function with args: result = 0 Line 653: one = 0 Constant ones initialization Line 199: (giant-step) execution of unimplemented function with args: result = 0 Line 653: ones = 0 File bv32_toBig.mlw: Line 10: i = (2147483660:t) i = (2147483660:t) Execution of main function `ko` with env: i = (2147483660:t) zero = 0 one = 1 zeros = 0 one = 0 ones = 0 zeros = 0 one = 0 ones = 0 (giant-step) execution of unimplemented function `stoBig` _ = (2147483660:t) result of `stoBig` = (18446744071562067980:t1) (giant-step) execution of unimplemented function `u` i = (18446744071562067980:t1) Property failure at precondition of `u` with: i = (18446744071562067980:t1) Categorizations of models: - Selected model 0: NC - Concrete RAC: FAILURE (postcondition at "bench/check-ce/bv32_toBig.mlw", line 13, characters 14-40) - Abstract RAC: FAILURE (postcondition at "bench/check-ce/bv32_toBig.mlw", line 13, characters 14-40) - Checked model 1: NC - Concrete RAC: FAILURE (postcondition at "bench/check-ce/bv32_toBig.mlw", line 13, characters 14-40) - Abstract RAC: FAILURE (postcondition at "bench/check-ce/bv32_toBig.mlw", line 13, characters 14-40) File "bench/check-ce/bv32_toBig.mlw", line 13, characters 14-40: Sub-goal Postcondition of goal ko2'vc. Prover result is: Unknown or time/memory/step limit. The program does not comply to the verification goal, for example during the following execution: File int.mlw: Line 13: Constant zero initialization zero = 0 Line 14: Constant one initialization one = 1 File bv.mlw: Line 632: Constant zeros initialization Line 192: (giant-step) execution of unimplemented function with args: result = 0 Line 632: zeros = 0 Constant one initialization Line 197: (giant-step) execution of unimplemented function with args: result = 0 Line 632: one = 0 Constant ones initialization Line 199: (giant-step) execution of unimplemented function with args: result = 0 Line 632: ones = 0 Line 653: Constant zeros initialization Line 192: (giant-step) execution of unimplemented function with args: result = 0 Line 653: zeros = 0 Constant one initialization Line 197: (giant-step) execution of unimplemented function with args: result = 0 Line 653: one = 0 Constant ones initialization Line 199: (giant-step) execution of unimplemented function with args: result = 0 Line 653: ones = 0 File bv32_toBig.mlw: Line 12: i = (2147483648:t) i = (2147483648:t) Execution of main function `ko2` with env: i = (2147483648:t) zero = 0 one = 1 zeros = 0 one = 0 ones = 0 zeros = 0 one = 0 ones = 0 Line 13: (giant-step) execution of unimplemented function `stoBig` _ = (2147483648:t) result of `stoBig` = (18446744071562067968:t1) Property failure at postcondition of `ko2` with: result = (18446744071562067968:t1) why3-1.6.0/bench/check-ce/oracles/bv32_toBig_CVC4,1.8_WP.oracle000066400000000000000000000156151440160026300233440ustar00rootroot00000000000000Categorizations of models: - Selected model 0: NC - Concrete RAC: FAILURE (precondition at "bench/check-ce/bv32_toBig.mlw", line 8, characters 27-40) - Abstract RAC: FAILURE (precondition at "bench/check-ce/bv32_toBig.mlw", line 8, characters 27-40) - Checked model 1: NC - Concrete RAC: FAILURE (precondition at "bench/check-ce/bv32_toBig.mlw", line 8, characters 27-40) - Abstract RAC: FAILURE (precondition at "bench/check-ce/bv32_toBig.mlw", line 8, characters 27-40) File "bench/check-ce/bv32_toBig.mlw", line 8, characters 27-40: Sub-goal Precondition of goal ok'vc. Prover result is: Unknown or time/memory/step limit. The program does not comply to the verification goal, for example during the following execution: File int.mlw: Line 13: Constant zero initialization zero = 0 Line 14: Constant one initialization one = 1 File bv.mlw: Line 632: Constant zeros initialization Line 192: (giant-step) execution of unimplemented function with args: result = 0 Line 632: zeros = 0 Constant one initialization Line 197: (giant-step) execution of unimplemented function with args: result = 0 Line 632: one = 0 Constant ones initialization Line 199: (giant-step) execution of unimplemented function with args: result = 0 Line 632: ones = 0 Line 653: Constant zeros initialization Line 192: (giant-step) execution of unimplemented function with args: result = 0 Line 653: zeros = 0 Constant one initialization Line 197: (giant-step) execution of unimplemented function with args: result = 0 Line 653: one = 0 Constant ones initialization Line 199: (giant-step) execution of unimplemented function with args: result = 0 Line 653: ones = 0 File bv32_toBig.mlw: Line 8: i = (0:t) i = (0:t) Execution of main function `ok` with env: i = (0:t) zero = 0 one = 1 zeros = 0 one = 0 ones = 0 zeros = 0 one = 0 ones = 0 (giant-step) execution of unimplemented function `toBig` _ = (0:t) result of `toBig` = (0:t1) (giant-step) execution of unimplemented function `u` i = (0:t1) Property failure at precondition of `u` with: i = (0:t1) Categorizations of models: - Selected model 0: NC - Concrete RAC: FAILURE (precondition at "bench/check-ce/bv32_toBig.mlw", line 10, characters 27-41) - Abstract RAC: FAILURE (precondition at "bench/check-ce/bv32_toBig.mlw", line 10, characters 27-41) - Checked model 1: NC - Concrete RAC: FAILURE (precondition at "bench/check-ce/bv32_toBig.mlw", line 10, characters 27-41) - Abstract RAC: FAILURE (precondition at "bench/check-ce/bv32_toBig.mlw", line 10, characters 27-41) File "bench/check-ce/bv32_toBig.mlw", line 10, characters 27-41: Sub-goal Precondition of goal ko'vc. Prover result is: Unknown or time/memory/step limit. The program does not comply to the verification goal, for example during the following execution: File int.mlw: Line 13: Constant zero initialization zero = 0 Line 14: Constant one initialization one = 1 File bv.mlw: Line 632: Constant zeros initialization Line 192: (giant-step) execution of unimplemented function with args: result = 0 Line 632: zeros = 0 Constant one initialization Line 197: (giant-step) execution of unimplemented function with args: result = 0 Line 632: one = 0 Constant ones initialization Line 199: (giant-step) execution of unimplemented function with args: result = 0 Line 632: ones = 0 Line 653: Constant zeros initialization Line 192: (giant-step) execution of unimplemented function with args: result = 0 Line 653: zeros = 0 Constant one initialization Line 197: (giant-step) execution of unimplemented function with args: result = 0 Line 653: one = 0 Constant ones initialization Line 199: (giant-step) execution of unimplemented function with args: result = 0 Line 653: ones = 0 File bv32_toBig.mlw: Line 10: i = (2147483660:t) i = (2147483660:t) Execution of main function `ko` with env: i = (2147483660:t) zero = 0 one = 1 zeros = 0 one = 0 ones = 0 zeros = 0 one = 0 ones = 0 (giant-step) execution of unimplemented function `stoBig` _ = (2147483660:t) result of `stoBig` = (18446744071562067980:t1) (giant-step) execution of unimplemented function `u` i = (18446744071562067980:t1) Property failure at precondition of `u` with: i = (18446744071562067980:t1) Categorizations of models: - Selected model 0: NC - Concrete RAC: FAILURE (postcondition at "bench/check-ce/bv32_toBig.mlw", line 13, characters 14-40) - Abstract RAC: FAILURE (postcondition at "bench/check-ce/bv32_toBig.mlw", line 13, characters 14-40) - Checked model 1: NC - Concrete RAC: FAILURE (postcondition at "bench/check-ce/bv32_toBig.mlw", line 13, characters 14-40) - Abstract RAC: FAILURE (postcondition at "bench/check-ce/bv32_toBig.mlw", line 13, characters 14-40) File "bench/check-ce/bv32_toBig.mlw", line 13, characters 14-40: Sub-goal Postcondition of goal ko2'vc. Prover result is: Unknown or time/memory/step limit. The program does not comply to the verification goal, for example during the following execution: File int.mlw: Line 13: Constant zero initialization zero = 0 Line 14: Constant one initialization one = 1 File bv.mlw: Line 632: Constant zeros initialization Line 192: (giant-step) execution of unimplemented function with args: result = 0 Line 632: zeros = 0 Constant one initialization Line 197: (giant-step) execution of unimplemented function with args: result = 0 Line 632: one = 0 Constant ones initialization Line 199: (giant-step) execution of unimplemented function with args: result = 0 Line 632: ones = 0 Line 653: Constant zeros initialization Line 192: (giant-step) execution of unimplemented function with args: result = 0 Line 653: zeros = 0 Constant one initialization Line 197: (giant-step) execution of unimplemented function with args: result = 0 Line 653: one = 0 Constant ones initialization Line 199: (giant-step) execution of unimplemented function with args: result = 0 Line 653: ones = 0 File bv32_toBig.mlw: Line 12: i = (2147483648:t) i = (2147483648:t) Execution of main function `ko2` with env: i = (2147483648:t) zero = 0 one = 1 zeros = 0 one = 0 ones = 0 zeros = 0 one = 0 ones = 0 Line 13: (giant-step) execution of unimplemented function `stoBig` _ = (2147483648:t) result of `stoBig` = (18446744071562067968:t1) Property failure at postcondition of `ko2` with: result = (18446744071562067968:t1) why3-1.6.0/bench/check-ce/oracles/bv32_toBig_CVC5,1.0.0_SP.oracle000066400000000000000000000154601440160026300234650ustar00rootroot00000000000000Categorizations of models: - Selected model 0: NC - Concrete RAC: FAILURE (precondition at "bench/check-ce/bv32_toBig.mlw", line 8, characters 27-40) - Abstract RAC: FAILURE (precondition at "bench/check-ce/bv32_toBig.mlw", line 8, characters 27-40) - Checked model 1: NC - Concrete RAC: FAILURE (precondition at "bench/check-ce/bv32_toBig.mlw", line 8, characters 27-40) - Abstract RAC: FAILURE (precondition at "bench/check-ce/bv32_toBig.mlw", line 8, characters 27-40) File "bench/check-ce/bv32_toBig.mlw", line 8, characters 27-40: Sub-goal Precondition of goal ok'vc. Prover result is: Unknown or time/memory/step limit. The program does not comply to the verification goal, for example during the following execution: File int.mlw: Line 13: Constant zero initialization zero = 0 Line 14: Constant one initialization one = 1 File bv.mlw: Line 632: Constant zeros initialization Line 192: (giant-step) execution of unimplemented function with args: result = 0 Line 632: zeros = 0 Constant one initialization Line 197: (giant-step) execution of unimplemented function with args: result = 0 Line 632: one = 0 Constant ones initialization Line 199: (giant-step) execution of unimplemented function with args: result = 0 Line 632: ones = 0 Line 653: Constant zeros initialization Line 192: (giant-step) execution of unimplemented function with args: result = 0 Line 653: zeros = 0 Constant one initialization Line 197: (giant-step) execution of unimplemented function with args: result = 0 Line 653: one = 0 Constant ones initialization Line 199: (giant-step) execution of unimplemented function with args: result = 0 Line 653: ones = 0 File bv32_toBig.mlw: Line 8: i = (8:t) i = (8:t) Execution of main function `ok` with env: i = (8:t) zero = 0 one = 1 zeros = 0 one = 0 ones = 0 zeros = 0 one = 0 ones = 0 (giant-step) execution of unimplemented function `toBig` _ = (8:t) result of `toBig` = (8:t1) (giant-step) execution of unimplemented function `u` i = (8:t1) Property failure at precondition of `u` with: i = (8:t1) Categorizations of models: - Selected model 0: NC - Concrete RAC: FAILURE (precondition at "bench/check-ce/bv32_toBig.mlw", line 10, characters 27-41) - Abstract RAC: FAILURE (precondition at "bench/check-ce/bv32_toBig.mlw", line 10, characters 27-41) - Checked model 1: NC - Concrete RAC: FAILURE (precondition at "bench/check-ce/bv32_toBig.mlw", line 10, characters 27-41) - Abstract RAC: FAILURE (precondition at "bench/check-ce/bv32_toBig.mlw", line 10, characters 27-41) File "bench/check-ce/bv32_toBig.mlw", line 10, characters 27-41: Sub-goal Precondition of goal ko'vc. Prover result is: Unknown or time/memory/step limit. The program does not comply to the verification goal, for example during the following execution: File int.mlw: Line 13: Constant zero initialization zero = 0 Line 14: Constant one initialization one = 1 File bv.mlw: Line 632: Constant zeros initialization Line 192: (giant-step) execution of unimplemented function with args: result = 0 Line 632: zeros = 0 Constant one initialization Line 197: (giant-step) execution of unimplemented function with args: result = 0 Line 632: one = 0 Constant ones initialization Line 199: (giant-step) execution of unimplemented function with args: result = 0 Line 632: ones = 0 Line 653: Constant zeros initialization Line 192: (giant-step) execution of unimplemented function with args: result = 0 Line 653: zeros = 0 Constant one initialization Line 197: (giant-step) execution of unimplemented function with args: result = 0 Line 653: one = 0 Constant ones initialization Line 199: (giant-step) execution of unimplemented function with args: result = 0 Line 653: ones = 0 File bv32_toBig.mlw: Line 10: i = (8:t) i = (8:t) Execution of main function `ko` with env: i = (8:t) zero = 0 one = 1 zeros = 0 one = 0 ones = 0 zeros = 0 one = 0 ones = 0 (giant-step) execution of unimplemented function `stoBig` _ = (8:t) result of `stoBig` = (8:t1) (giant-step) execution of unimplemented function `u` i = (8:t1) Property failure at precondition of `u` with: i = (8:t1) Categorizations of models: - Selected model 0: NC - Concrete RAC: FAILURE (postcondition at "bench/check-ce/bv32_toBig.mlw", line 13, characters 14-40) - Abstract RAC: FAILURE (postcondition at "bench/check-ce/bv32_toBig.mlw", line 13, characters 14-40) - Checked model 1: NC - Concrete RAC: FAILURE (postcondition at "bench/check-ce/bv32_toBig.mlw", line 13, characters 14-40) - Abstract RAC: FAILURE (postcondition at "bench/check-ce/bv32_toBig.mlw", line 13, characters 14-40) File "bench/check-ce/bv32_toBig.mlw", line 13, characters 14-40: Sub-goal Postcondition of goal ko2'vc. Prover result is: Unknown or time/memory/step limit. The program does not comply to the verification goal, for example during the following execution: File int.mlw: Line 13: Constant zero initialization zero = 0 Line 14: Constant one initialization one = 1 File bv.mlw: Line 632: Constant zeros initialization Line 192: (giant-step) execution of unimplemented function with args: result = 0 Line 632: zeros = 0 Constant one initialization Line 197: (giant-step) execution of unimplemented function with args: result = 0 Line 632: one = 0 Constant ones initialization Line 199: (giant-step) execution of unimplemented function with args: result = 0 Line 632: ones = 0 Line 653: Constant zeros initialization Line 192: (giant-step) execution of unimplemented function with args: result = 0 Line 653: zeros = 0 Constant one initialization Line 197: (giant-step) execution of unimplemented function with args: result = 0 Line 653: one = 0 Constant ones initialization Line 199: (giant-step) execution of unimplemented function with args: result = 0 Line 653: ones = 0 File bv32_toBig.mlw: Line 12: i = (2147483648:t) i = (2147483648:t) Execution of main function `ko2` with env: i = (2147483648:t) zero = 0 one = 1 zeros = 0 one = 0 ones = 0 zeros = 0 one = 0 ones = 0 Line 13: (giant-step) execution of unimplemented function `stoBig` _ = (2147483648:t) result of `stoBig` = (18446744071562067968:t1) Property failure at postcondition of `ko2` with: result = (18446744071562067968:t1) why3-1.6.0/bench/check-ce/oracles/bv32_toBig_CVC5,1.0.0_WP.oracle000066400000000000000000000154601440160026300234710ustar00rootroot00000000000000Categorizations of models: - Selected model 0: NC - Concrete RAC: FAILURE (precondition at "bench/check-ce/bv32_toBig.mlw", line 8, characters 27-40) - Abstract RAC: FAILURE (precondition at "bench/check-ce/bv32_toBig.mlw", line 8, characters 27-40) - Checked model 1: NC - Concrete RAC: FAILURE (precondition at "bench/check-ce/bv32_toBig.mlw", line 8, characters 27-40) - Abstract RAC: FAILURE (precondition at "bench/check-ce/bv32_toBig.mlw", line 8, characters 27-40) File "bench/check-ce/bv32_toBig.mlw", line 8, characters 27-40: Sub-goal Precondition of goal ok'vc. Prover result is: Unknown or time/memory/step limit. The program does not comply to the verification goal, for example during the following execution: File int.mlw: Line 13: Constant zero initialization zero = 0 Line 14: Constant one initialization one = 1 File bv.mlw: Line 632: Constant zeros initialization Line 192: (giant-step) execution of unimplemented function with args: result = 0 Line 632: zeros = 0 Constant one initialization Line 197: (giant-step) execution of unimplemented function with args: result = 0 Line 632: one = 0 Constant ones initialization Line 199: (giant-step) execution of unimplemented function with args: result = 0 Line 632: ones = 0 Line 653: Constant zeros initialization Line 192: (giant-step) execution of unimplemented function with args: result = 0 Line 653: zeros = 0 Constant one initialization Line 197: (giant-step) execution of unimplemented function with args: result = 0 Line 653: one = 0 Constant ones initialization Line 199: (giant-step) execution of unimplemented function with args: result = 0 Line 653: ones = 0 File bv32_toBig.mlw: Line 8: i = (8:t) i = (8:t) Execution of main function `ok` with env: i = (8:t) zero = 0 one = 1 zeros = 0 one = 0 ones = 0 zeros = 0 one = 0 ones = 0 (giant-step) execution of unimplemented function `toBig` _ = (8:t) result of `toBig` = (8:t1) (giant-step) execution of unimplemented function `u` i = (8:t1) Property failure at precondition of `u` with: i = (8:t1) Categorizations of models: - Selected model 0: NC - Concrete RAC: FAILURE (precondition at "bench/check-ce/bv32_toBig.mlw", line 10, characters 27-41) - Abstract RAC: FAILURE (precondition at "bench/check-ce/bv32_toBig.mlw", line 10, characters 27-41) - Checked model 1: NC - Concrete RAC: FAILURE (precondition at "bench/check-ce/bv32_toBig.mlw", line 10, characters 27-41) - Abstract RAC: FAILURE (precondition at "bench/check-ce/bv32_toBig.mlw", line 10, characters 27-41) File "bench/check-ce/bv32_toBig.mlw", line 10, characters 27-41: Sub-goal Precondition of goal ko'vc. Prover result is: Unknown or time/memory/step limit. The program does not comply to the verification goal, for example during the following execution: File int.mlw: Line 13: Constant zero initialization zero = 0 Line 14: Constant one initialization one = 1 File bv.mlw: Line 632: Constant zeros initialization Line 192: (giant-step) execution of unimplemented function with args: result = 0 Line 632: zeros = 0 Constant one initialization Line 197: (giant-step) execution of unimplemented function with args: result = 0 Line 632: one = 0 Constant ones initialization Line 199: (giant-step) execution of unimplemented function with args: result = 0 Line 632: ones = 0 Line 653: Constant zeros initialization Line 192: (giant-step) execution of unimplemented function with args: result = 0 Line 653: zeros = 0 Constant one initialization Line 197: (giant-step) execution of unimplemented function with args: result = 0 Line 653: one = 0 Constant ones initialization Line 199: (giant-step) execution of unimplemented function with args: result = 0 Line 653: ones = 0 File bv32_toBig.mlw: Line 10: i = (8:t) i = (8:t) Execution of main function `ko` with env: i = (8:t) zero = 0 one = 1 zeros = 0 one = 0 ones = 0 zeros = 0 one = 0 ones = 0 (giant-step) execution of unimplemented function `stoBig` _ = (8:t) result of `stoBig` = (8:t1) (giant-step) execution of unimplemented function `u` i = (8:t1) Property failure at precondition of `u` with: i = (8:t1) Categorizations of models: - Selected model 0: NC - Concrete RAC: FAILURE (postcondition at "bench/check-ce/bv32_toBig.mlw", line 13, characters 14-40) - Abstract RAC: FAILURE (postcondition at "bench/check-ce/bv32_toBig.mlw", line 13, characters 14-40) - Checked model 1: NC - Concrete RAC: FAILURE (postcondition at "bench/check-ce/bv32_toBig.mlw", line 13, characters 14-40) - Abstract RAC: FAILURE (postcondition at "bench/check-ce/bv32_toBig.mlw", line 13, characters 14-40) File "bench/check-ce/bv32_toBig.mlw", line 13, characters 14-40: Sub-goal Postcondition of goal ko2'vc. Prover result is: Unknown or time/memory/step limit. The program does not comply to the verification goal, for example during the following execution: File int.mlw: Line 13: Constant zero initialization zero = 0 Line 14: Constant one initialization one = 1 File bv.mlw: Line 632: Constant zeros initialization Line 192: (giant-step) execution of unimplemented function with args: result = 0 Line 632: zeros = 0 Constant one initialization Line 197: (giant-step) execution of unimplemented function with args: result = 0 Line 632: one = 0 Constant ones initialization Line 199: (giant-step) execution of unimplemented function with args: result = 0 Line 632: ones = 0 Line 653: Constant zeros initialization Line 192: (giant-step) execution of unimplemented function with args: result = 0 Line 653: zeros = 0 Constant one initialization Line 197: (giant-step) execution of unimplemented function with args: result = 0 Line 653: one = 0 Constant ones initialization Line 199: (giant-step) execution of unimplemented function with args: result = 0 Line 653: ones = 0 File bv32_toBig.mlw: Line 12: i = (2147483648:t) i = (2147483648:t) Execution of main function `ko2` with env: i = (2147483648:t) zero = 0 one = 1 zeros = 0 one = 0 ones = 0 zeros = 0 one = 0 ones = 0 Line 13: (giant-step) execution of unimplemented function `stoBig` _ = (2147483648:t) result of `stoBig` = (18446744071562067968:t1) Property failure at postcondition of `ko2` with: result = (18446744071562067968:t1) why3-1.6.0/bench/check-ce/oracles/bv32_toBig_Z3,4.8.10_SP.oracle000066400000000000000000000152261440160026300233550ustar00rootroot00000000000000Categorizations of models: - Selected model 0: NC - Concrete RAC: FAILURE (precondition at "bench/check-ce/bv32_toBig.mlw", line 8, characters 27-40) - Abstract RAC: FAILURE (precondition at "bench/check-ce/bv32_toBig.mlw", line 8, characters 27-40) - Checked model 1: NC - Concrete RAC: FAILURE (precondition at "bench/check-ce/bv32_toBig.mlw", line 8, characters 27-40) - Abstract RAC: FAILURE (precondition at "bench/check-ce/bv32_toBig.mlw", line 8, characters 27-40) File "bench/check-ce/bv32_toBig.mlw", line 8, characters 27-40: Sub-goal Precondition of goal ok'vc. Prover result is: Unknown or time/memory/step limit. The program does not comply to the verification goal, for example during the following execution: File int.mlw: Line 13: Constant zero initialization zero = 0 Line 14: Constant one initialization one = 1 File bv.mlw: Line 632: Constant zeros initialization Line 192: (giant-step) execution of unimplemented function with args: result = 0 Line 632: zeros = 0 Constant one initialization Line 197: (giant-step) execution of unimplemented function with args: result = 0 Line 632: one = 0 Constant ones initialization Line 199: (giant-step) execution of unimplemented function with args: result = 0 Line 632: ones = 0 Line 653: Constant zeros initialization Line 192: (giant-step) execution of unimplemented function with args: result = 0 Line 653: zeros = 0 Constant one initialization Line 197: (giant-step) execution of unimplemented function with args: result = 0 Line 653: one = 0 Constant ones initialization Line 199: (giant-step) execution of unimplemented function with args: result = 0 Line 653: ones = 0 File bv32_toBig.mlw: Line 8: i = (0:t) i = (0:t) Execution of main function `ok` with env: i = (0:t) zero = 0 one = 1 zeros = 0 one = 0 ones = 0 zeros = 0 one = 0 ones = 0 (giant-step) execution of unimplemented function `toBig` _ = (0:t) result of `toBig` = (0:t1) (giant-step) execution of unimplemented function `u` i = (0:t1) Property failure at precondition of `u` with: i = (0:t1) Categorizations of models: - Selected model 0: NC - Concrete RAC: FAILURE (precondition at "bench/check-ce/bv32_toBig.mlw", line 10, characters 27-41) - Abstract RAC: FAILURE (precondition at "bench/check-ce/bv32_toBig.mlw", line 10, characters 27-41) - Checked model 1: NC - Concrete RAC: FAILURE (precondition at "bench/check-ce/bv32_toBig.mlw", line 10, characters 27-41) - Abstract RAC: FAILURE (precondition at "bench/check-ce/bv32_toBig.mlw", line 10, characters 27-41) File "bench/check-ce/bv32_toBig.mlw", line 10, characters 27-41: Sub-goal Precondition of goal ko'vc. Prover result is: Unknown or time/memory/step limit. The program does not comply to the verification goal, for example during the following execution: File int.mlw: Line 13: Constant zero initialization zero = 0 Line 14: Constant one initialization one = 1 File bv.mlw: Line 632: Constant zeros initialization Line 192: (giant-step) execution of unimplemented function with args: result = 0 Line 632: zeros = 0 Constant one initialization Line 197: (giant-step) execution of unimplemented function with args: result = 0 Line 632: one = 0 Constant ones initialization Line 199: (giant-step) execution of unimplemented function with args: result = 0 Line 632: ones = 0 Line 653: Constant zeros initialization Line 192: (giant-step) execution of unimplemented function with args: result = 0 Line 653: zeros = 0 Constant one initialization Line 197: (giant-step) execution of unimplemented function with args: result = 0 Line 653: one = 0 Constant ones initialization Line 199: (giant-step) execution of unimplemented function with args: result = 0 Line 653: ones = 0 File bv32_toBig.mlw: Line 10: i = (0:t) i = (0:t) Execution of main function `ko` with env: i = (0:t) zero = 0 one = 1 zeros = 0 one = 0 ones = 0 zeros = 0 one = 0 ones = 0 (giant-step) execution of unimplemented function `stoBig` _ = (0:t) result of `stoBig` = (0:t1) (giant-step) execution of unimplemented function `u` i = (0:t1) Property failure at precondition of `u` with: i = (0:t1) Categorizations of models: - Selected model 0: NC - Concrete RAC: FAILURE (postcondition at "bench/check-ce/bv32_toBig.mlw", line 13, characters 14-40) - Abstract RAC: FAILURE (postcondition at "bench/check-ce/bv32_toBig.mlw", line 13, characters 14-40) - Checked model 1: BAD_CE - Concrete RAC: NORMAL - Abstract RAC: NORMAL File "bench/check-ce/bv32_toBig.mlw", line 13, characters 14-40: Sub-goal Postcondition of goal ko2'vc. Prover result is: Unknown or time/memory/step limit. The program does not comply to the verification goal, for example during the following execution: File int.mlw: Line 13: Constant zero initialization zero = 0 Line 14: Constant one initialization one = 1 File bv.mlw: Line 632: Constant zeros initialization Line 192: (giant-step) execution of unimplemented function with args: result = 0 Line 632: zeros = 0 Constant one initialization Line 197: (giant-step) execution of unimplemented function with args: result = 0 Line 632: one = 0 Constant ones initialization Line 199: (giant-step) execution of unimplemented function with args: result = 0 Line 632: ones = 0 Line 653: Constant zeros initialization Line 192: (giant-step) execution of unimplemented function with args: result = 0 Line 653: zeros = 0 Constant one initialization Line 197: (giant-step) execution of unimplemented function with args: result = 0 Line 653: one = 0 Constant ones initialization Line 199: (giant-step) execution of unimplemented function with args: result = 0 Line 653: ones = 0 File bv32_toBig.mlw: Line 12: i = (2147483648:t) i = (2147483648:t) Execution of main function `ko2` with env: i = (2147483648:t) zero = 0 one = 1 zeros = 0 one = 0 ones = 0 zeros = 0 one = 0 ones = 0 Line 13: (giant-step) execution of unimplemented function `stoBig` _ = (2147483648:t) result of `stoBig` = (18446744071562067968:t1) Property failure at postcondition of `ko2` with: result = (18446744071562067968:t1) why3-1.6.0/bench/check-ce/oracles/bv32_toBig_Z3,4.8.10_WP.oracle000066400000000000000000000152261440160026300233610ustar00rootroot00000000000000Categorizations of models: - Selected model 0: NC - Concrete RAC: FAILURE (precondition at "bench/check-ce/bv32_toBig.mlw", line 8, characters 27-40) - Abstract RAC: FAILURE (precondition at "bench/check-ce/bv32_toBig.mlw", line 8, characters 27-40) - Checked model 1: NC - Concrete RAC: FAILURE (precondition at "bench/check-ce/bv32_toBig.mlw", line 8, characters 27-40) - Abstract RAC: FAILURE (precondition at "bench/check-ce/bv32_toBig.mlw", line 8, characters 27-40) File "bench/check-ce/bv32_toBig.mlw", line 8, characters 27-40: Sub-goal Precondition of goal ok'vc. Prover result is: Unknown or time/memory/step limit. The program does not comply to the verification goal, for example during the following execution: File int.mlw: Line 13: Constant zero initialization zero = 0 Line 14: Constant one initialization one = 1 File bv.mlw: Line 632: Constant zeros initialization Line 192: (giant-step) execution of unimplemented function with args: result = 0 Line 632: zeros = 0 Constant one initialization Line 197: (giant-step) execution of unimplemented function with args: result = 0 Line 632: one = 0 Constant ones initialization Line 199: (giant-step) execution of unimplemented function with args: result = 0 Line 632: ones = 0 Line 653: Constant zeros initialization Line 192: (giant-step) execution of unimplemented function with args: result = 0 Line 653: zeros = 0 Constant one initialization Line 197: (giant-step) execution of unimplemented function with args: result = 0 Line 653: one = 0 Constant ones initialization Line 199: (giant-step) execution of unimplemented function with args: result = 0 Line 653: ones = 0 File bv32_toBig.mlw: Line 8: i = (0:t) i = (0:t) Execution of main function `ok` with env: i = (0:t) zero = 0 one = 1 zeros = 0 one = 0 ones = 0 zeros = 0 one = 0 ones = 0 (giant-step) execution of unimplemented function `toBig` _ = (0:t) result of `toBig` = (0:t1) (giant-step) execution of unimplemented function `u` i = (0:t1) Property failure at precondition of `u` with: i = (0:t1) Categorizations of models: - Selected model 0: NC - Concrete RAC: FAILURE (precondition at "bench/check-ce/bv32_toBig.mlw", line 10, characters 27-41) - Abstract RAC: FAILURE (precondition at "bench/check-ce/bv32_toBig.mlw", line 10, characters 27-41) - Checked model 1: NC - Concrete RAC: FAILURE (precondition at "bench/check-ce/bv32_toBig.mlw", line 10, characters 27-41) - Abstract RAC: FAILURE (precondition at "bench/check-ce/bv32_toBig.mlw", line 10, characters 27-41) File "bench/check-ce/bv32_toBig.mlw", line 10, characters 27-41: Sub-goal Precondition of goal ko'vc. Prover result is: Unknown or time/memory/step limit. The program does not comply to the verification goal, for example during the following execution: File int.mlw: Line 13: Constant zero initialization zero = 0 Line 14: Constant one initialization one = 1 File bv.mlw: Line 632: Constant zeros initialization Line 192: (giant-step) execution of unimplemented function with args: result = 0 Line 632: zeros = 0 Constant one initialization Line 197: (giant-step) execution of unimplemented function with args: result = 0 Line 632: one = 0 Constant ones initialization Line 199: (giant-step) execution of unimplemented function with args: result = 0 Line 632: ones = 0 Line 653: Constant zeros initialization Line 192: (giant-step) execution of unimplemented function with args: result = 0 Line 653: zeros = 0 Constant one initialization Line 197: (giant-step) execution of unimplemented function with args: result = 0 Line 653: one = 0 Constant ones initialization Line 199: (giant-step) execution of unimplemented function with args: result = 0 Line 653: ones = 0 File bv32_toBig.mlw: Line 10: i = (0:t) i = (0:t) Execution of main function `ko` with env: i = (0:t) zero = 0 one = 1 zeros = 0 one = 0 ones = 0 zeros = 0 one = 0 ones = 0 (giant-step) execution of unimplemented function `stoBig` _ = (0:t) result of `stoBig` = (0:t1) (giant-step) execution of unimplemented function `u` i = (0:t1) Property failure at precondition of `u` with: i = (0:t1) Categorizations of models: - Selected model 0: NC - Concrete RAC: FAILURE (postcondition at "bench/check-ce/bv32_toBig.mlw", line 13, characters 14-40) - Abstract RAC: FAILURE (postcondition at "bench/check-ce/bv32_toBig.mlw", line 13, characters 14-40) - Checked model 1: BAD_CE - Concrete RAC: NORMAL - Abstract RAC: NORMAL File "bench/check-ce/bv32_toBig.mlw", line 13, characters 14-40: Sub-goal Postcondition of goal ko2'vc. Prover result is: Unknown or time/memory/step limit. The program does not comply to the verification goal, for example during the following execution: File int.mlw: Line 13: Constant zero initialization zero = 0 Line 14: Constant one initialization one = 1 File bv.mlw: Line 632: Constant zeros initialization Line 192: (giant-step) execution of unimplemented function with args: result = 0 Line 632: zeros = 0 Constant one initialization Line 197: (giant-step) execution of unimplemented function with args: result = 0 Line 632: one = 0 Constant ones initialization Line 199: (giant-step) execution of unimplemented function with args: result = 0 Line 632: ones = 0 Line 653: Constant zeros initialization Line 192: (giant-step) execution of unimplemented function with args: result = 0 Line 653: zeros = 0 Constant one initialization Line 197: (giant-step) execution of unimplemented function with args: result = 0 Line 653: one = 0 Constant ones initialization Line 199: (giant-step) execution of unimplemented function with args: result = 0 Line 653: ones = 0 File bv32_toBig.mlw: Line 12: i = (2147483648:t) i = (2147483648:t) Execution of main function `ko2` with env: i = (2147483648:t) zero = 0 one = 1 zeros = 0 one = 0 ones = 0 zeros = 0 one = 0 ones = 0 Line 13: (giant-step) execution of unimplemented function `stoBig` _ = (2147483648:t) result of `stoBig` = (18446744071562067968:t1) Property failure at postcondition of `ko2` with: result = (18446744071562067968:t1) why3-1.6.0/bench/check-ce/oracles/call-val-function_CVC4,1.8_SP.oracle000066400000000000000000000077611440160026300247610ustar00rootroot00000000000000Categorizations of models: - Selected model 0: NC - Concrete RAC: FAILURE (postcondition at "bench/check-ce/call-val-function.mlw", line 9, characters 12-24) - Abstract RAC: FAILURE (postcondition at "bench/check-ce/call-val-function.mlw", line 9, characters 12-24) - Checked model 1: NC - Concrete RAC: FAILURE (postcondition at "bench/check-ce/call-val-function.mlw", line 9, characters 12-24) - Abstract RAC: FAILURE (postcondition at "bench/check-ce/call-val-function.mlw", line 9, characters 12-24) File "bench/check-ce/call-val-function.mlw", line 9, characters 12-24: Sub-goal Postcondition of goal main'vc. Prover result is: Unknown (sat). The program does not comply to the verification goal, for example during the following execution: File int.mlw: Line 13: Constant zero initialization zero = 0 Line 14: Constant one initialization one = 1 File call-val-function.mlw: Line 8: y = 0 y = 0 Execution of main function `main` with env: y = 0 zero = 0 one = 1 Line 11: (giant-step) execution of unimplemented function `f` x = 0 result of `f` = 43 Line 12: Normal execution of function `(+)` with args: _ = 43 _ = 1 Line 9: Property failure at postcondition of `main` with: result = 44 Categorizations of models: - Selected model 0: NC - Concrete RAC: FAILURE (postcondition at "bench/check-ce/call-val-function.mlw", line 28, characters 12-24) - Abstract RAC: FAILURE (postcondition at "bench/check-ce/call-val-function.mlw", line 28, characters 12-24) - Checked model 1: NC - Concrete RAC: FAILURE (postcondition at "bench/check-ce/call-val-function.mlw", line 28, characters 12-24) - Abstract RAC: FAILURE (postcondition at "bench/check-ce/call-val-function.mlw", line 28, characters 12-24) File "bench/check-ce/call-val-function.mlw", line 28, characters 12-24: Sub-goal Postcondition of goal main'vc. Prover result is: Unknown or time/memory/step limit. The program does not comply to the verification goal, for example during the following execution: File int.mlw: Line 13: Constant zero initialization zero = 0 Line 14: Constant one initialization one = 1 File call-val-function.mlw: Line 20: f = fun (bOUND_VARIABLE_374:int) -> 43 Line 27: y = 0 y = 0 Execution of main function `main` with env: f = fun (bOUND_VARIABLE_374:int) -> 43 y = 0 zero = 0 one = 1 Line 30: (giant-step) execution of unimplemented function `f1` x = 0 result of `f1` = 43 Line 31: Normal execution of function `(+)` with args: _ = 43 _ = 1 Line 28: Property failure at postcondition of `main1` with: result = 44 Categorizations of models: - Checked model 0: BAD_CE - Concrete RAC: STUCK (failure in postcondition of `f2` at unknown location) - Abstract RAC: STUCK (failure in postcondition of `f2` at unknown location) - Selected model 1: NC - Concrete RAC: FAILURE (postcondition at "bench/check-ce/call-val-function.mlw", line 44, characters 12-24) - Abstract RAC: FAILURE (postcondition at "bench/check-ce/call-val-function.mlw", line 44, characters 12-24) File "bench/check-ce/call-val-function.mlw", line 44, characters 12-24: Sub-goal Postcondition of goal main'vc. Prover result is: Unknown or time/memory/step limit. The program does not comply to the verification goal, for example during the following execution: File int.mlw: Line 13: Constant zero initialization zero = 0 Line 14: Constant one initialization one = 1 File call-val-function.mlw: Line 43: y = 42 y = 42 Execution of main function `main` with env: y = 42 zero = 0 one = 1 Line 46: (giant-step) execution of unimplemented function `f2` x = 42 result of `f2` = 43 Line 47: Normal execution of function `(+)` with args: _ = 43 _ = 1 Line 44: Property failure at postcondition of `main2` with: result = 44 why3-1.6.0/bench/check-ce/oracles/call-val-function_CVC4,1.8_WP.oracle000066400000000000000000000077611440160026300247650ustar00rootroot00000000000000Categorizations of models: - Selected model 0: NC - Concrete RAC: FAILURE (postcondition at "bench/check-ce/call-val-function.mlw", line 9, characters 12-24) - Abstract RAC: FAILURE (postcondition at "bench/check-ce/call-val-function.mlw", line 9, characters 12-24) - Checked model 1: NC - Concrete RAC: FAILURE (postcondition at "bench/check-ce/call-val-function.mlw", line 9, characters 12-24) - Abstract RAC: FAILURE (postcondition at "bench/check-ce/call-val-function.mlw", line 9, characters 12-24) File "bench/check-ce/call-val-function.mlw", line 9, characters 12-24: Sub-goal Postcondition of goal main'vc. Prover result is: Unknown (sat). The program does not comply to the verification goal, for example during the following execution: File int.mlw: Line 13: Constant zero initialization zero = 0 Line 14: Constant one initialization one = 1 File call-val-function.mlw: Line 8: y = 0 y = 0 Execution of main function `main` with env: y = 0 zero = 0 one = 1 Line 11: (giant-step) execution of unimplemented function `f` x = 0 result of `f` = 43 Line 12: Normal execution of function `(+)` with args: _ = 43 _ = 1 Line 9: Property failure at postcondition of `main` with: result = 44 Categorizations of models: - Selected model 0: NC - Concrete RAC: FAILURE (postcondition at "bench/check-ce/call-val-function.mlw", line 28, characters 12-24) - Abstract RAC: FAILURE (postcondition at "bench/check-ce/call-val-function.mlw", line 28, characters 12-24) - Checked model 1: NC - Concrete RAC: FAILURE (postcondition at "bench/check-ce/call-val-function.mlw", line 28, characters 12-24) - Abstract RAC: FAILURE (postcondition at "bench/check-ce/call-val-function.mlw", line 28, characters 12-24) File "bench/check-ce/call-val-function.mlw", line 28, characters 12-24: Sub-goal Postcondition of goal main'vc. Prover result is: Unknown or time/memory/step limit. The program does not comply to the verification goal, for example during the following execution: File int.mlw: Line 13: Constant zero initialization zero = 0 Line 14: Constant one initialization one = 1 File call-val-function.mlw: Line 20: f = fun (bOUND_VARIABLE_374:int) -> 43 Line 27: y = 0 y = 0 Execution of main function `main` with env: f = fun (bOUND_VARIABLE_374:int) -> 43 y = 0 zero = 0 one = 1 Line 30: (giant-step) execution of unimplemented function `f1` x = 0 result of `f1` = 43 Line 31: Normal execution of function `(+)` with args: _ = 43 _ = 1 Line 28: Property failure at postcondition of `main1` with: result = 44 Categorizations of models: - Checked model 0: BAD_CE - Concrete RAC: STUCK (failure in postcondition of `f2` at unknown location) - Abstract RAC: STUCK (failure in postcondition of `f2` at unknown location) - Selected model 1: NC - Concrete RAC: FAILURE (postcondition at "bench/check-ce/call-val-function.mlw", line 44, characters 12-24) - Abstract RAC: FAILURE (postcondition at "bench/check-ce/call-val-function.mlw", line 44, characters 12-24) File "bench/check-ce/call-val-function.mlw", line 44, characters 12-24: Sub-goal Postcondition of goal main'vc. Prover result is: Unknown or time/memory/step limit. The program does not comply to the verification goal, for example during the following execution: File int.mlw: Line 13: Constant zero initialization zero = 0 Line 14: Constant one initialization one = 1 File call-val-function.mlw: Line 43: y = 42 y = 42 Execution of main function `main` with env: y = 42 zero = 0 one = 1 Line 46: (giant-step) execution of unimplemented function `f2` x = 42 result of `f2` = 43 Line 47: Normal execution of function `(+)` with args: _ = 43 _ = 1 Line 44: Property failure at postcondition of `main2` with: result = 44 why3-1.6.0/bench/check-ce/oracles/call-val-function_CVC5,1.0.0_SP.oracle000066400000000000000000000077311440160026300251050ustar00rootroot00000000000000Categorizations of models: - Selected model 0: NC - Concrete RAC: FAILURE (postcondition at "bench/check-ce/call-val-function.mlw", line 9, characters 12-24) - Abstract RAC: FAILURE (postcondition at "bench/check-ce/call-val-function.mlw", line 9, characters 12-24) - Checked model 1: NC - Concrete RAC: FAILURE (postcondition at "bench/check-ce/call-val-function.mlw", line 9, characters 12-24) - Abstract RAC: FAILURE (postcondition at "bench/check-ce/call-val-function.mlw", line 9, characters 12-24) File "bench/check-ce/call-val-function.mlw", line 9, characters 12-24: Sub-goal Postcondition of goal main'vc. Prover result is: Unknown (sat). The program does not comply to the verification goal, for example during the following execution: File int.mlw: Line 13: Constant zero initialization zero = 0 Line 14: Constant one initialization one = 1 File call-val-function.mlw: Line 8: y = 0 y = 0 Execution of main function `main` with env: y = 0 zero = 0 one = 1 Line 11: (giant-step) execution of unimplemented function `f` x = 0 result of `f` = 43 Line 12: Normal execution of function `(+)` with args: _ = 43 _ = 1 Line 9: Property failure at postcondition of `main` with: result = 44 Categorizations of models: - Selected model 0: NC - Concrete RAC: FAILURE (postcondition at "bench/check-ce/call-val-function.mlw", line 28, characters 12-24) - Abstract RAC: FAILURE (postcondition at "bench/check-ce/call-val-function.mlw", line 28, characters 12-24) - Checked model 1: NC - Concrete RAC: FAILURE (postcondition at "bench/check-ce/call-val-function.mlw", line 28, characters 12-24) - Abstract RAC: FAILURE (postcondition at "bench/check-ce/call-val-function.mlw", line 28, characters 12-24) File "bench/check-ce/call-val-function.mlw", line 28, characters 12-24: Sub-goal Postcondition of goal main'vc. Prover result is: Unknown or time/memory/step limit. The program does not comply to the verification goal, for example during the following execution: File int.mlw: Line 13: Constant zero initialization zero = 0 Line 14: Constant one initialization one = 1 File call-val-function.mlw: Line 20: f = fun (_arg_1:int) -> 43 Line 27: y = 0 y = 0 Execution of main function `main` with env: f = fun (_arg_1:int) -> 43 y = 0 zero = 0 one = 1 Line 30: (giant-step) execution of unimplemented function `f1` x = 0 result of `f1` = 43 Line 31: Normal execution of function `(+)` with args: _ = 43 _ = 1 Line 28: Property failure at postcondition of `main1` with: result = 44 Categorizations of models: - Checked model 0: BAD_CE - Concrete RAC: STUCK (failure in postcondition of `f2` at unknown location) - Abstract RAC: STUCK (failure in postcondition of `f2` at unknown location) - Selected model 1: NC - Concrete RAC: FAILURE (postcondition at "bench/check-ce/call-val-function.mlw", line 44, characters 12-24) - Abstract RAC: FAILURE (postcondition at "bench/check-ce/call-val-function.mlw", line 44, characters 12-24) File "bench/check-ce/call-val-function.mlw", line 44, characters 12-24: Sub-goal Postcondition of goal main'vc. Prover result is: Unknown or time/memory/step limit. The program does not comply to the verification goal, for example during the following execution: File int.mlw: Line 13: Constant zero initialization zero = 0 Line 14: Constant one initialization one = 1 File call-val-function.mlw: Line 43: y = 42 y = 42 Execution of main function `main` with env: y = 42 zero = 0 one = 1 Line 46: (giant-step) execution of unimplemented function `f2` x = 42 result of `f2` = 43 Line 47: Normal execution of function `(+)` with args: _ = 43 _ = 1 Line 44: Property failure at postcondition of `main2` with: result = 44 why3-1.6.0/bench/check-ce/oracles/call-val-function_CVC5,1.0.0_WP.oracle000066400000000000000000000077311440160026300251110ustar00rootroot00000000000000Categorizations of models: - Selected model 0: NC - Concrete RAC: FAILURE (postcondition at "bench/check-ce/call-val-function.mlw", line 9, characters 12-24) - Abstract RAC: FAILURE (postcondition at "bench/check-ce/call-val-function.mlw", line 9, characters 12-24) - Checked model 1: NC - Concrete RAC: FAILURE (postcondition at "bench/check-ce/call-val-function.mlw", line 9, characters 12-24) - Abstract RAC: FAILURE (postcondition at "bench/check-ce/call-val-function.mlw", line 9, characters 12-24) File "bench/check-ce/call-val-function.mlw", line 9, characters 12-24: Sub-goal Postcondition of goal main'vc. Prover result is: Unknown (sat). The program does not comply to the verification goal, for example during the following execution: File int.mlw: Line 13: Constant zero initialization zero = 0 Line 14: Constant one initialization one = 1 File call-val-function.mlw: Line 8: y = 0 y = 0 Execution of main function `main` with env: y = 0 zero = 0 one = 1 Line 11: (giant-step) execution of unimplemented function `f` x = 0 result of `f` = 43 Line 12: Normal execution of function `(+)` with args: _ = 43 _ = 1 Line 9: Property failure at postcondition of `main` with: result = 44 Categorizations of models: - Selected model 0: NC - Concrete RAC: FAILURE (postcondition at "bench/check-ce/call-val-function.mlw", line 28, characters 12-24) - Abstract RAC: FAILURE (postcondition at "bench/check-ce/call-val-function.mlw", line 28, characters 12-24) - Checked model 1: NC - Concrete RAC: FAILURE (postcondition at "bench/check-ce/call-val-function.mlw", line 28, characters 12-24) - Abstract RAC: FAILURE (postcondition at "bench/check-ce/call-val-function.mlw", line 28, characters 12-24) File "bench/check-ce/call-val-function.mlw", line 28, characters 12-24: Sub-goal Postcondition of goal main'vc. Prover result is: Unknown or time/memory/step limit. The program does not comply to the verification goal, for example during the following execution: File int.mlw: Line 13: Constant zero initialization zero = 0 Line 14: Constant one initialization one = 1 File call-val-function.mlw: Line 20: f = fun (_arg_1:int) -> 43 Line 27: y = 0 y = 0 Execution of main function `main` with env: f = fun (_arg_1:int) -> 43 y = 0 zero = 0 one = 1 Line 30: (giant-step) execution of unimplemented function `f1` x = 0 result of `f1` = 43 Line 31: Normal execution of function `(+)` with args: _ = 43 _ = 1 Line 28: Property failure at postcondition of `main1` with: result = 44 Categorizations of models: - Checked model 0: BAD_CE - Concrete RAC: STUCK (failure in postcondition of `f2` at unknown location) - Abstract RAC: STUCK (failure in postcondition of `f2` at unknown location) - Selected model 1: NC - Concrete RAC: FAILURE (postcondition at "bench/check-ce/call-val-function.mlw", line 44, characters 12-24) - Abstract RAC: FAILURE (postcondition at "bench/check-ce/call-val-function.mlw", line 44, characters 12-24) File "bench/check-ce/call-val-function.mlw", line 44, characters 12-24: Sub-goal Postcondition of goal main'vc. Prover result is: Unknown or time/memory/step limit. The program does not comply to the verification goal, for example during the following execution: File int.mlw: Line 13: Constant zero initialization zero = 0 Line 14: Constant one initialization one = 1 File call-val-function.mlw: Line 43: y = 42 y = 42 Execution of main function `main` with env: y = 42 zero = 0 one = 1 Line 46: (giant-step) execution of unimplemented function `f2` x = 42 result of `f2` = 43 Line 47: Normal execution of function `(+)` with args: _ = 43 _ = 1 Line 44: Property failure at postcondition of `main2` with: result = 44 why3-1.6.0/bench/check-ce/oracles/call-val-function_Z3,4.8.10_SP.oracle000066400000000000000000000077331440160026300247770ustar00rootroot00000000000000Categorizations of models: - Selected model 0: NC - Concrete RAC: FAILURE (postcondition at "bench/check-ce/call-val-function.mlw", line 9, characters 12-24) - Abstract RAC: FAILURE (postcondition at "bench/check-ce/call-val-function.mlw", line 9, characters 12-24) - Checked model 1: NC - Concrete RAC: FAILURE (postcondition at "bench/check-ce/call-val-function.mlw", line 9, characters 12-24) - Abstract RAC: FAILURE (postcondition at "bench/check-ce/call-val-function.mlw", line 9, characters 12-24) File "bench/check-ce/call-val-function.mlw", line 9, characters 12-24: Sub-goal Postcondition of goal main'vc. Prover result is: Unknown (sat). The program does not comply to the verification goal, for example during the following execution: File int.mlw: Line 13: Constant zero initialization zero = 0 Line 14: Constant one initialization one = 1 File call-val-function.mlw: Line 8: y = 0 y = 0 Execution of main function `main` with env: y = 0 zero = 0 one = 1 Line 11: (giant-step) execution of unimplemented function `f` x = 0 result of `f` = 43 Line 12: Normal execution of function `(+)` with args: _ = 43 _ = 1 Line 9: Property failure at postcondition of `main` with: result = 44 Categorizations of models: - Selected model 0: NC - Concrete RAC: FAILURE (postcondition at "bench/check-ce/call-val-function.mlw", line 28, characters 12-24) - Abstract RAC: FAILURE (postcondition at "bench/check-ce/call-val-function.mlw", line 28, characters 12-24) - Checked model 1: NC - Concrete RAC: FAILURE (postcondition at "bench/check-ce/call-val-function.mlw", line 28, characters 12-24) - Abstract RAC: FAILURE (postcondition at "bench/check-ce/call-val-function.mlw", line 28, characters 12-24) File "bench/check-ce/call-val-function.mlw", line 28, characters 12-24: Sub-goal Postcondition of goal main'vc. Prover result is: Unknown (sat). The program does not comply to the verification goal, for example during the following execution: File int.mlw: Line 13: Constant zero initialization zero = 0 Line 14: Constant one initialization one = 1 File call-val-function.mlw: Line 20: f = fun (x!0:int) -> if x!0 = 2 then 43 else 43 Line 27: y = 2 y = 2 Execution of main function `main` with env: f = fun (x!0:int) -> if x!0 = 2 then 43 else 43 y = 2 zero = 0 one = 1 Line 30: (giant-step) execution of unimplemented function `f1` x = 2 result of `f1` = 43 Line 31: Normal execution of function `(+)` with args: _ = 43 _ = 1 Line 28: Property failure at postcondition of `main1` with: result = 44 Categorizations of models: - Checked model 0: BAD_CE - Concrete RAC: STUCK (failure in postcondition of `f2` at unknown location) - Abstract RAC: STUCK (failure in postcondition of `f2` at unknown location) - Selected model 1: NC - Concrete RAC: FAILURE (postcondition at "bench/check-ce/call-val-function.mlw", line 44, characters 12-24) - Abstract RAC: FAILURE (postcondition at "bench/check-ce/call-val-function.mlw", line 44, characters 12-24) File "bench/check-ce/call-val-function.mlw", line 44, characters 12-24: Sub-goal Postcondition of goal main'vc. Prover result is: Unknown (sat). The program does not comply to the verification goal, for example during the following execution: File int.mlw: Line 13: Constant zero initialization zero = 0 Line 14: Constant one initialization one = 1 File call-val-function.mlw: Line 43: y = 42 y = 42 Execution of main function `main` with env: y = 42 zero = 0 one = 1 Line 46: (giant-step) execution of unimplemented function `f2` x = 42 result of `f2` = 43 Line 47: Normal execution of function `(+)` with args: _ = 43 _ = 1 Line 44: Property failure at postcondition of `main2` with: result = 44 why3-1.6.0/bench/check-ce/oracles/call-val-function_Z3,4.8.10_WP.oracle000066400000000000000000000077331440160026300250030ustar00rootroot00000000000000Categorizations of models: - Selected model 0: NC - Concrete RAC: FAILURE (postcondition at "bench/check-ce/call-val-function.mlw", line 9, characters 12-24) - Abstract RAC: FAILURE (postcondition at "bench/check-ce/call-val-function.mlw", line 9, characters 12-24) - Checked model 1: NC - Concrete RAC: FAILURE (postcondition at "bench/check-ce/call-val-function.mlw", line 9, characters 12-24) - Abstract RAC: FAILURE (postcondition at "bench/check-ce/call-val-function.mlw", line 9, characters 12-24) File "bench/check-ce/call-val-function.mlw", line 9, characters 12-24: Sub-goal Postcondition of goal main'vc. Prover result is: Unknown (sat). The program does not comply to the verification goal, for example during the following execution: File int.mlw: Line 13: Constant zero initialization zero = 0 Line 14: Constant one initialization one = 1 File call-val-function.mlw: Line 8: y = 0 y = 0 Execution of main function `main` with env: y = 0 zero = 0 one = 1 Line 11: (giant-step) execution of unimplemented function `f` x = 0 result of `f` = 43 Line 12: Normal execution of function `(+)` with args: _ = 43 _ = 1 Line 9: Property failure at postcondition of `main` with: result = 44 Categorizations of models: - Selected model 0: NC - Concrete RAC: FAILURE (postcondition at "bench/check-ce/call-val-function.mlw", line 28, characters 12-24) - Abstract RAC: FAILURE (postcondition at "bench/check-ce/call-val-function.mlw", line 28, characters 12-24) - Checked model 1: NC - Concrete RAC: FAILURE (postcondition at "bench/check-ce/call-val-function.mlw", line 28, characters 12-24) - Abstract RAC: FAILURE (postcondition at "bench/check-ce/call-val-function.mlw", line 28, characters 12-24) File "bench/check-ce/call-val-function.mlw", line 28, characters 12-24: Sub-goal Postcondition of goal main'vc. Prover result is: Unknown (sat). The program does not comply to the verification goal, for example during the following execution: File int.mlw: Line 13: Constant zero initialization zero = 0 Line 14: Constant one initialization one = 1 File call-val-function.mlw: Line 20: f = fun (x!0:int) -> if x!0 = 2 then 43 else 43 Line 27: y = 2 y = 2 Execution of main function `main` with env: f = fun (x!0:int) -> if x!0 = 2 then 43 else 43 y = 2 zero = 0 one = 1 Line 30: (giant-step) execution of unimplemented function `f1` x = 2 result of `f1` = 43 Line 31: Normal execution of function `(+)` with args: _ = 43 _ = 1 Line 28: Property failure at postcondition of `main1` with: result = 44 Categorizations of models: - Checked model 0: BAD_CE - Concrete RAC: STUCK (failure in postcondition of `f2` at unknown location) - Abstract RAC: STUCK (failure in postcondition of `f2` at unknown location) - Selected model 1: NC - Concrete RAC: FAILURE (postcondition at "bench/check-ce/call-val-function.mlw", line 44, characters 12-24) - Abstract RAC: FAILURE (postcondition at "bench/check-ce/call-val-function.mlw", line 44, characters 12-24) File "bench/check-ce/call-val-function.mlw", line 44, characters 12-24: Sub-goal Postcondition of goal main'vc. Prover result is: Unknown (sat). The program does not comply to the verification goal, for example during the following execution: File int.mlw: Line 13: Constant zero initialization zero = 0 Line 14: Constant one initialization one = 1 File call-val-function.mlw: Line 43: y = 42 y = 42 Execution of main function `main` with env: y = 42 zero = 0 one = 1 Line 46: (giant-step) execution of unimplemented function `f2` x = 42 result of `f2` = 43 Line 47: Normal execution of function `(+)` with args: _ = 43 _ = 1 Line 44: Property failure at postcondition of `main2` with: result = 44 why3-1.6.0/bench/check-ce/oracles/double_projection_CVC4,1.8_SP.oracle000066400000000000000000000026321440160026300251410ustar00rootroot00000000000000Categorizations of models: - Selected model 0: NC - Concrete RAC: FAILURE (postcondition at "bench/check-ce/double_projection.mlw", line 19, characters 15-22) - Abstract RAC: FAILURE (postcondition at "bench/check-ce/double_projection.mlw", line 19, characters 15-22) - Checked model 1: NC - Concrete RAC: FAILURE (postcondition at "bench/check-ce/double_projection.mlw", line 19, characters 15-22) - Abstract RAC: FAILURE (postcondition at "bench/check-ce/double_projection.mlw", line 19, characters 15-22) File "bench/check-ce/double_projection.mlw", line 19, characters 15-22: Sub-goal Postcondition of goal f'vc. Prover result is: Unknown (sat). The program does not comply to the verification goal, for example during the following execution: File int.mlw: Line 13: Constant zero initialization zero = 0 Line 14: Constant one initialization one = 1 File double_projection.mlw: Line 8: d = fun (bOUND_VARIABLE_344:t) -> 0 Line 12: c = fun (bOUND_VARIABLE_344:t) -> 1 Line 17: x = epsilon x:t. d x = 0 /\ c x = 1 x = epsilon x:t. d x = 0 /\ c x = 1 Execution of main function `f` with env: d = fun (bOUND_VARIABLE_344:t) -> 0 c = fun (bOUND_VARIABLE_344:t) -> 1 x = epsilon x:t. d x = 0 /\ c x = 1 zero = 0 one = 1 Line 19: Property failure at postcondition of `f` with: x = epsilon x:t. d x = 0 /\ c x = 1 why3-1.6.0/bench/check-ce/oracles/double_projection_CVC4,1.8_WP.oracle000066400000000000000000000026321440160026300251450ustar00rootroot00000000000000Categorizations of models: - Selected model 0: NC - Concrete RAC: FAILURE (postcondition at "bench/check-ce/double_projection.mlw", line 19, characters 15-22) - Abstract RAC: FAILURE (postcondition at "bench/check-ce/double_projection.mlw", line 19, characters 15-22) - Checked model 1: NC - Concrete RAC: FAILURE (postcondition at "bench/check-ce/double_projection.mlw", line 19, characters 15-22) - Abstract RAC: FAILURE (postcondition at "bench/check-ce/double_projection.mlw", line 19, characters 15-22) File "bench/check-ce/double_projection.mlw", line 19, characters 15-22: Sub-goal Postcondition of goal f'vc. Prover result is: Unknown (sat). The program does not comply to the verification goal, for example during the following execution: File int.mlw: Line 13: Constant zero initialization zero = 0 Line 14: Constant one initialization one = 1 File double_projection.mlw: Line 8: d = fun (bOUND_VARIABLE_344:t) -> 0 Line 12: c = fun (bOUND_VARIABLE_344:t) -> 1 Line 17: x = epsilon x:t. d x = 0 /\ c x = 1 x = epsilon x:t. d x = 0 /\ c x = 1 Execution of main function `f` with env: d = fun (bOUND_VARIABLE_344:t) -> 0 c = fun (bOUND_VARIABLE_344:t) -> 1 x = epsilon x:t. d x = 0 /\ c x = 1 zero = 0 one = 1 Line 19: Property failure at postcondition of `f` with: x = epsilon x:t. d x = 0 /\ c x = 1 why3-1.6.0/bench/check-ce/oracles/double_projection_CVC5,1.0.0_SP.oracle000066400000000000000000000025521440160026300252710ustar00rootroot00000000000000Categorizations of models: - Selected model 0: NC - Concrete RAC: FAILURE (postcondition at "bench/check-ce/double_projection.mlw", line 19, characters 15-22) - Abstract RAC: FAILURE (postcondition at "bench/check-ce/double_projection.mlw", line 19, characters 15-22) - Checked model 1: NC - Concrete RAC: FAILURE (postcondition at "bench/check-ce/double_projection.mlw", line 19, characters 15-22) - Abstract RAC: FAILURE (postcondition at "bench/check-ce/double_projection.mlw", line 19, characters 15-22) File "bench/check-ce/double_projection.mlw", line 19, characters 15-22: Sub-goal Postcondition of goal f'vc. Prover result is: Unknown (sat). The program does not comply to the verification goal, for example during the following execution: File int.mlw: Line 13: Constant zero initialization zero = 0 Line 14: Constant one initialization one = 1 File double_projection.mlw: Line 8: d = fun (_arg_1:t) -> 0 Line 12: c = fun (_arg_1:t) -> 1 Line 17: x = epsilon x:t. d x = 0 /\ c x = 1 x = epsilon x:t. d x = 0 /\ c x = 1 Execution of main function `f` with env: d = fun (_arg_1:t) -> 0 c = fun (_arg_1:t) -> 1 x = epsilon x:t. d x = 0 /\ c x = 1 zero = 0 one = 1 Line 19: Property failure at postcondition of `f` with: x = epsilon x:t. d x = 0 /\ c x = 1 why3-1.6.0/bench/check-ce/oracles/double_projection_CVC5,1.0.0_WP.oracle000066400000000000000000000025521440160026300252750ustar00rootroot00000000000000Categorizations of models: - Selected model 0: NC - Concrete RAC: FAILURE (postcondition at "bench/check-ce/double_projection.mlw", line 19, characters 15-22) - Abstract RAC: FAILURE (postcondition at "bench/check-ce/double_projection.mlw", line 19, characters 15-22) - Checked model 1: NC - Concrete RAC: FAILURE (postcondition at "bench/check-ce/double_projection.mlw", line 19, characters 15-22) - Abstract RAC: FAILURE (postcondition at "bench/check-ce/double_projection.mlw", line 19, characters 15-22) File "bench/check-ce/double_projection.mlw", line 19, characters 15-22: Sub-goal Postcondition of goal f'vc. Prover result is: Unknown (sat). The program does not comply to the verification goal, for example during the following execution: File int.mlw: Line 13: Constant zero initialization zero = 0 Line 14: Constant one initialization one = 1 File double_projection.mlw: Line 8: d = fun (_arg_1:t) -> 0 Line 12: c = fun (_arg_1:t) -> 1 Line 17: x = epsilon x:t. d x = 0 /\ c x = 1 x = epsilon x:t. d x = 0 /\ c x = 1 Execution of main function `f` with env: d = fun (_arg_1:t) -> 0 c = fun (_arg_1:t) -> 1 x = epsilon x:t. d x = 0 /\ c x = 1 zero = 0 one = 1 Line 19: Property failure at postcondition of `f` with: x = epsilon x:t. d x = 0 /\ c x = 1 why3-1.6.0/bench/check-ce/oracles/double_projection_Z3,4.8.10_SP.oracle000066400000000000000000000020611440160026300251540ustar00rootroot00000000000000Categorizations of models: - Checked model 0: INCOMPLETE - Concrete RAC: INCOMPLETE (terminated with uncaught exception) - Abstract RAC: INCOMPLETE (terminated with uncaught exception) - Selected model 1: INCOMPLETE - Concrete RAC: INCOMPLETE (terminated with uncaught exception) - Abstract RAC: INCOMPLETE (terminated with uncaught exception) File "bench/check-ce/double_projection.mlw", line 19, characters 15-22: Sub-goal Postcondition of goal f'vc. Prover result is: Unknown (sat). The following counterexample model could not be verified (both RAC terminated with uncaught exception): File double_projection.mlw: Line 8: d : t -> int = [|epsilon x. (Test.d x) = 0 /\ (Test.c x) = 1 => 0; _ => 0|] Line 12: c : t -> int = [|epsilon x. (Test.d x) = 0 /\ (Test.c x) = 1 => 1; _ => 1|] Line 17: x : t = epsilon x. (Test.d x) = 0 /\ (Test.c x) = 1 Line 19: x : t = epsilon x. (Test.d x) = 0 /\ (Test.c x) = 1 Line 21: _t : t = epsilon x. (Test.d x) = 0 /\ (Test.c x) = 1 why3-1.6.0/bench/check-ce/oracles/double_projection_Z3,4.8.10_WP.oracle000066400000000000000000000020611440160026300251600ustar00rootroot00000000000000Categorizations of models: - Checked model 0: INCOMPLETE - Concrete RAC: INCOMPLETE (terminated with uncaught exception) - Abstract RAC: INCOMPLETE (terminated with uncaught exception) - Selected model 1: INCOMPLETE - Concrete RAC: INCOMPLETE (terminated with uncaught exception) - Abstract RAC: INCOMPLETE (terminated with uncaught exception) File "bench/check-ce/double_projection.mlw", line 19, characters 15-22: Sub-goal Postcondition of goal f'vc. Prover result is: Unknown (sat). The following counterexample model could not be verified (both RAC terminated with uncaught exception): File double_projection.mlw: Line 8: d : t -> int = [|epsilon x. (Test.d x) = 0 /\ (Test.c x) = 1 => 0; _ => 0|] Line 12: c : t -> int = [|epsilon x. (Test.d x) = 0 /\ (Test.c x) = 1 => 1; _ => 1|] Line 17: x : t = epsilon x. (Test.d x) = 0 /\ (Test.c x) = 1 Line 19: x : t = epsilon x. (Test.d x) = 0 /\ (Test.c x) = 1 Line 21: _t : t = epsilon x. (Test.d x) = 0 /\ (Test.c x) = 1 why3-1.6.0/bench/check-ce/oracles/example_CVC4,1.8_SP.oracle000066400000000000000000000146421440160026300230720ustar00rootroot00000000000000Check model 0 ("bench/check-ce/example.mlw", line 7, characters 15-22) Validating model: File example.mlw: Line 4: a = {"type": "Integer", "val": "42"} Line 7: a = {"type": "Integer", "val": "0"} Interpreting concretly Missing value for parameter _, continue with default value (). Interpreting abstractly Missing value for parameter _, continue with default value (). Result of checking model 0: - Concrete: good model (Concrete RAC confirms the counter-example) File int.mlw: Line 13: Constant zero initialization Line 14: Constant one initialization File example.mlw: Line 4: a = 42 Line 6: _ = () Execution of main function def's body with env: _ = () zero = 0 one = 1 a = 42 Line 7: Property failure, Assertion with: a = 42 - Abstract: good model (Abstract RAC confirms the counter-example) File int.mlw: Line 13: Constant zero initialization Line 14: Constant one initialization File example.mlw: Line 4: a = 42 Line 6: _ = () Execution of main function def's body with env: _ = () zero = 0 one = 1 a = 42 Line 7: Property failure, Assertion with: a = 42 Check model 1 ("bench/check-ce/example.mlw", line 7, characters 15-22) Validating model: File example.mlw: Line 4: a = {"type": "Integer", "val": "42"} Line 7: a = {"type": "Integer", "val": "42"} Interpreting concretly Missing value for parameter _, continue with default value (). Interpreting abstractly Missing value for parameter _, continue with default value (). Result of checking model 1: - Concrete: good model (Concrete RAC confirms the counter-example) File int.mlw: Line 13: Constant zero initialization Line 14: Constant one initialization File example.mlw: Line 4: a = 42 Line 6: _ = () Execution of main function def's body with env: _ = () zero = 0 one = 1 a = 42 Line 7: Property failure, Assertion with: a = 42 - Abstract: good model (Abstract RAC confirms the counter-example) File int.mlw: Line 13: Constant zero initialization Line 14: Constant one initialization File example.mlw: Line 4: a = 42 Line 6: _ = () Execution of main function def's body with env: _ = () zero = 0 one = 1 a = 42 Line 7: Property failure, Assertion with: a = 42 Check model 2 ("bench/check-ce/example.mlw", line 7, characters 15-22) Validating model: File example.mlw: Line 4: a = {"type": "Integer", "val": "42"} Line 7: a = {"type": "Integer", "val": "42"} Interpreting concretly Missing value for parameter _, continue with default value (). Interpreting abstractly Missing value for parameter _, continue with default value (). Result of checking model 2: - Concrete: good model (Concrete RAC confirms the counter-example) File int.mlw: Line 13: Constant zero initialization Line 14: Constant one initialization File example.mlw: Line 4: a = 42 Line 6: _ = () Execution of main function def's body with env: _ = () zero = 0 one = 1 a = 42 Line 7: Property failure, Assertion with: a = 42 - Abstract: good model (Abstract RAC confirms the counter-example) File int.mlw: Line 13: Constant zero initialization Line 14: Constant one initialization File example.mlw: Line 4: a = 42 Line 6: _ = () Execution of main function def's body with env: _ = () zero = 0 one = 1 a = 42 Line 7: Property failure, Assertion with: a = 42 Models: - Selected model 0 (Concrete: good model, Abstract: good model) Summary: The program does not comply to the verification goal - Checked model 1 (Concrete: good model, Abstract: good model) Summary: The program does not comply to the verification goal - Checked model 2 (Concrete: good model, Abstract: good model) Summary: The program does not comply to the verification goal File "bench/check-ce/example.mlw", line 7, characters 15-22: Goal Assertion from verification condition def'vc. Prover result is: unknown (sat) (0.07s, 4706 steps). The program does not comply to the verification goal, for example during the following execution: File int.mlw: Line 13: Constant zero initialization Line 14: Constant one initialization File example.mlw: Line 4: a = 42 Line 6: _ = () Execution of main function def's body with env: _ = () zero = 0 one = 1 a = 42 Line 7: Property failure, Assertion with: a = 42 why3-1.6.0/bench/check-ce/oracles/example_CVC4,1.8_WP.oracle000066400000000000000000000146421440160026300230760ustar00rootroot00000000000000Check model 0 ("bench/check-ce/example.mlw", line 7, characters 15-22) Validating model: File example.mlw: Line 4: a = {"type": "Integer", "val": "42"} Line 7: a = {"type": "Integer", "val": "0"} Interpreting concretly Missing value for parameter _, continue with default value (). Interpreting abstractly Missing value for parameter _, continue with default value (). Result of checking model 0: - Concrete: good model (Concrete RAC confirms the counter-example) File int.mlw: Line 13: Constant zero initialization Line 14: Constant one initialization File example.mlw: Line 4: a = 42 Line 6: _ = () Execution of main function def's body with env: _ = () zero = 0 one = 1 a = 42 Line 7: Property failure, Assertion with: a = 42 - Abstract: good model (Abstract RAC confirms the counter-example) File int.mlw: Line 13: Constant zero initialization Line 14: Constant one initialization File example.mlw: Line 4: a = 42 Line 6: _ = () Execution of main function def's body with env: _ = () zero = 0 one = 1 a = 42 Line 7: Property failure, Assertion with: a = 42 Check model 1 ("bench/check-ce/example.mlw", line 7, characters 15-22) Validating model: File example.mlw: Line 4: a = {"type": "Integer", "val": "42"} Line 7: a = {"type": "Integer", "val": "42"} Interpreting concretly Missing value for parameter _, continue with default value (). Interpreting abstractly Missing value for parameter _, continue with default value (). Result of checking model 1: - Concrete: good model (Concrete RAC confirms the counter-example) File int.mlw: Line 13: Constant zero initialization Line 14: Constant one initialization File example.mlw: Line 4: a = 42 Line 6: _ = () Execution of main function def's body with env: _ = () zero = 0 one = 1 a = 42 Line 7: Property failure, Assertion with: a = 42 - Abstract: good model (Abstract RAC confirms the counter-example) File int.mlw: Line 13: Constant zero initialization Line 14: Constant one initialization File example.mlw: Line 4: a = 42 Line 6: _ = () Execution of main function def's body with env: _ = () zero = 0 one = 1 a = 42 Line 7: Property failure, Assertion with: a = 42 Check model 2 ("bench/check-ce/example.mlw", line 7, characters 15-22) Validating model: File example.mlw: Line 4: a = {"type": "Integer", "val": "42"} Line 7: a = {"type": "Integer", "val": "42"} Interpreting concretly Missing value for parameter _, continue with default value (). Interpreting abstractly Missing value for parameter _, continue with default value (). Result of checking model 2: - Concrete: good model (Concrete RAC confirms the counter-example) File int.mlw: Line 13: Constant zero initialization Line 14: Constant one initialization File example.mlw: Line 4: a = 42 Line 6: _ = () Execution of main function def's body with env: _ = () zero = 0 one = 1 a = 42 Line 7: Property failure, Assertion with: a = 42 - Abstract: good model (Abstract RAC confirms the counter-example) File int.mlw: Line 13: Constant zero initialization Line 14: Constant one initialization File example.mlw: Line 4: a = 42 Line 6: _ = () Execution of main function def's body with env: _ = () zero = 0 one = 1 a = 42 Line 7: Property failure, Assertion with: a = 42 Models: - Selected model 0 (Concrete: good model, Abstract: good model) Summary: The program does not comply to the verification goal - Checked model 1 (Concrete: good model, Abstract: good model) Summary: The program does not comply to the verification goal - Checked model 2 (Concrete: good model, Abstract: good model) Summary: The program does not comply to the verification goal File "bench/check-ce/example.mlw", line 7, characters 15-22: Goal Assertion from verification condition def'vc. Prover result is: unknown (sat) (0.05s, 4706 steps). The program does not comply to the verification goal, for example during the following execution: File int.mlw: Line 13: Constant zero initialization Line 14: Constant one initialization File example.mlw: Line 4: a = 42 Line 6: _ = () Execution of main function def's body with env: _ = () zero = 0 one = 1 a = 42 Line 7: Property failure, Assertion with: a = 42 why3-1.6.0/bench/check-ce/oracles/example_CVC5,1.0.0_SP.oracle000066400000000000000000000146421440160026300232210ustar00rootroot00000000000000Check model 0 ("bench/check-ce/example.mlw", line 7, characters 15-22) Validating model: File example.mlw: Line 4: a = {"type": "Integer", "val": "42"} Line 7: a = {"type": "Integer", "val": "0"} Interpreting concretly Missing value for parameter _, continue with default value (). Interpreting abstractly Missing value for parameter _, continue with default value (). Result of checking model 0: - Concrete: good model (Concrete RAC confirms the counter-example) File int.mlw: Line 13: Constant zero initialization Line 14: Constant one initialization File example.mlw: Line 4: a = 42 Line 6: _ = () Execution of main function def's body with env: _ = () zero = 0 one = 1 a = 42 Line 7: Property failure, Assertion with: a = 42 - Abstract: good model (Abstract RAC confirms the counter-example) File int.mlw: Line 13: Constant zero initialization Line 14: Constant one initialization File example.mlw: Line 4: a = 42 Line 6: _ = () Execution of main function def's body with env: _ = () zero = 0 one = 1 a = 42 Line 7: Property failure, Assertion with: a = 42 Check model 1 ("bench/check-ce/example.mlw", line 7, characters 15-22) Validating model: File example.mlw: Line 4: a = {"type": "Integer", "val": "42"} Line 7: a = {"type": "Integer", "val": "42"} Interpreting concretly Missing value for parameter _, continue with default value (). Interpreting abstractly Missing value for parameter _, continue with default value (). Result of checking model 1: - Concrete: good model (Concrete RAC confirms the counter-example) File int.mlw: Line 13: Constant zero initialization Line 14: Constant one initialization File example.mlw: Line 4: a = 42 Line 6: _ = () Execution of main function def's body with env: _ = () zero = 0 one = 1 a = 42 Line 7: Property failure, Assertion with: a = 42 - Abstract: good model (Abstract RAC confirms the counter-example) File int.mlw: Line 13: Constant zero initialization Line 14: Constant one initialization File example.mlw: Line 4: a = 42 Line 6: _ = () Execution of main function def's body with env: _ = () zero = 0 one = 1 a = 42 Line 7: Property failure, Assertion with: a = 42 Check model 2 ("bench/check-ce/example.mlw", line 7, characters 15-22) Validating model: File example.mlw: Line 4: a = {"type": "Integer", "val": "42"} Line 7: a = {"type": "Integer", "val": "42"} Interpreting concretly Missing value for parameter _, continue with default value (). Interpreting abstractly Missing value for parameter _, continue with default value (). Result of checking model 2: - Concrete: good model (Concrete RAC confirms the counter-example) File int.mlw: Line 13: Constant zero initialization Line 14: Constant one initialization File example.mlw: Line 4: a = 42 Line 6: _ = () Execution of main function def's body with env: _ = () zero = 0 one = 1 a = 42 Line 7: Property failure, Assertion with: a = 42 - Abstract: good model (Abstract RAC confirms the counter-example) File int.mlw: Line 13: Constant zero initialization Line 14: Constant one initialization File example.mlw: Line 4: a = 42 Line 6: _ = () Execution of main function def's body with env: _ = () zero = 0 one = 1 a = 42 Line 7: Property failure, Assertion with: a = 42 Models: - Selected model 0 (Concrete: good model, Abstract: good model) Summary: The program does not comply to the verification goal - Checked model 1 (Concrete: good model, Abstract: good model) Summary: The program does not comply to the verification goal - Checked model 2 (Concrete: good model, Abstract: good model) Summary: The program does not comply to the verification goal File "bench/check-ce/example.mlw", line 7, characters 15-22: Goal Assertion from verification condition def'vc. Prover result is: unknown (sat) (0.07s, 4706 steps). The program does not comply to the verification goal, for example during the following execution: File int.mlw: Line 13: Constant zero initialization Line 14: Constant one initialization File example.mlw: Line 4: a = 42 Line 6: _ = () Execution of main function def's body with env: _ = () zero = 0 one = 1 a = 42 Line 7: Property failure, Assertion with: a = 42 why3-1.6.0/bench/check-ce/oracles/example_CVC5,1.0.0_WP.oracle000066400000000000000000000146421440160026300232250ustar00rootroot00000000000000Check model 0 ("bench/check-ce/example.mlw", line 7, characters 15-22) Validating model: File example.mlw: Line 4: a = {"type": "Integer", "val": "42"} Line 7: a = {"type": "Integer", "val": "0"} Interpreting concretly Missing value for parameter _, continue with default value (). Interpreting abstractly Missing value for parameter _, continue with default value (). Result of checking model 0: - Concrete: good model (Concrete RAC confirms the counter-example) File int.mlw: Line 13: Constant zero initialization Line 14: Constant one initialization File example.mlw: Line 4: a = 42 Line 6: _ = () Execution of main function def's body with env: _ = () zero = 0 one = 1 a = 42 Line 7: Property failure, Assertion with: a = 42 - Abstract: good model (Abstract RAC confirms the counter-example) File int.mlw: Line 13: Constant zero initialization Line 14: Constant one initialization File example.mlw: Line 4: a = 42 Line 6: _ = () Execution of main function def's body with env: _ = () zero = 0 one = 1 a = 42 Line 7: Property failure, Assertion with: a = 42 Check model 1 ("bench/check-ce/example.mlw", line 7, characters 15-22) Validating model: File example.mlw: Line 4: a = {"type": "Integer", "val": "42"} Line 7: a = {"type": "Integer", "val": "42"} Interpreting concretly Missing value for parameter _, continue with default value (). Interpreting abstractly Missing value for parameter _, continue with default value (). Result of checking model 1: - Concrete: good model (Concrete RAC confirms the counter-example) File int.mlw: Line 13: Constant zero initialization Line 14: Constant one initialization File example.mlw: Line 4: a = 42 Line 6: _ = () Execution of main function def's body with env: _ = () zero = 0 one = 1 a = 42 Line 7: Property failure, Assertion with: a = 42 - Abstract: good model (Abstract RAC confirms the counter-example) File int.mlw: Line 13: Constant zero initialization Line 14: Constant one initialization File example.mlw: Line 4: a = 42 Line 6: _ = () Execution of main function def's body with env: _ = () zero = 0 one = 1 a = 42 Line 7: Property failure, Assertion with: a = 42 Check model 2 ("bench/check-ce/example.mlw", line 7, characters 15-22) Validating model: File example.mlw: Line 4: a = {"type": "Integer", "val": "42"} Line 7: a = {"type": "Integer", "val": "42"} Interpreting concretly Missing value for parameter _, continue with default value (). Interpreting abstractly Missing value for parameter _, continue with default value (). Result of checking model 2: - Concrete: good model (Concrete RAC confirms the counter-example) File int.mlw: Line 13: Constant zero initialization Line 14: Constant one initialization File example.mlw: Line 4: a = 42 Line 6: _ = () Execution of main function def's body with env: _ = () zero = 0 one = 1 a = 42 Line 7: Property failure, Assertion with: a = 42 - Abstract: good model (Abstract RAC confirms the counter-example) File int.mlw: Line 13: Constant zero initialization Line 14: Constant one initialization File example.mlw: Line 4: a = 42 Line 6: _ = () Execution of main function def's body with env: _ = () zero = 0 one = 1 a = 42 Line 7: Property failure, Assertion with: a = 42 Models: - Selected model 0 (Concrete: good model, Abstract: good model) Summary: The program does not comply to the verification goal - Checked model 1 (Concrete: good model, Abstract: good model) Summary: The program does not comply to the verification goal - Checked model 2 (Concrete: good model, Abstract: good model) Summary: The program does not comply to the verification goal File "bench/check-ce/example.mlw", line 7, characters 15-22: Goal Assertion from verification condition def'vc. Prover result is: unknown (sat) (0.05s, 4706 steps). The program does not comply to the verification goal, for example during the following execution: File int.mlw: Line 13: Constant zero initialization Line 14: Constant one initialization File example.mlw: Line 4: a = 42 Line 6: _ = () Execution of main function def's body with env: _ = () zero = 0 one = 1 a = 42 Line 7: Property failure, Assertion with: a = 42 why3-1.6.0/bench/check-ce/oracles/example_Z3,4.8.10_SP.oracle000066400000000000000000000146351440160026300231130ustar00rootroot00000000000000Check model 0 ("bench/check-ce/example.mlw", line 7, characters 15-22) Validating model: File example.mlw: Line 4: a = {"type": "Integer", "val": "42"} Line 7: the check fails with all inputs Interpreting concretly Missing value for parameter _, continue with default value (). Interpreting abstractly Missing value for parameter _, continue with default value (). Result of checking model 0: - Concrete: good model (Concrete RAC confirms the counter-example) File int.mlw: Line 13: Constant zero initialization Line 14: Constant one initialization File example.mlw: Line 4: a = 42 Line 6: _ = () Execution of main function def's body with env: _ = () zero = 0 one = 1 a = 42 Line 7: Property failure, Assertion with: a = 42 - Abstract: good model (Abstract RAC confirms the counter-example) File int.mlw: Line 13: Constant zero initialization Line 14: Constant one initialization File example.mlw: Line 4: a = 42 Line 6: _ = () Execution of main function def's body with env: _ = () zero = 0 one = 1 a = 42 Line 7: Property failure, Assertion with: a = 42 Check model 1 ("bench/check-ce/example.mlw", line 7, characters 15-22) Validating model: File example.mlw: Line 4: a = {"type": "Integer", "val": "42"} Line 7: a = {"type": "Integer", "val": "42"} Interpreting concretly Missing value for parameter _, continue with default value (). Interpreting abstractly Missing value for parameter _, continue with default value (). Result of checking model 1: - Concrete: good model (Concrete RAC confirms the counter-example) File int.mlw: Line 13: Constant zero initialization Line 14: Constant one initialization File example.mlw: Line 4: a = 42 Line 6: _ = () Execution of main function def's body with env: _ = () zero = 0 one = 1 a = 42 Line 7: Property failure, Assertion with: a = 42 - Abstract: good model (Abstract RAC confirms the counter-example) File int.mlw: Line 13: Constant zero initialization Line 14: Constant one initialization File example.mlw: Line 4: a = 42 Line 6: _ = () Execution of main function def's body with env: _ = () zero = 0 one = 1 a = 42 Line 7: Property failure, Assertion with: a = 42 Check model 2 ("bench/check-ce/example.mlw", line 7, characters 15-22) Validating model: File example.mlw: Line 4: a = {"type": "Integer", "val": "42"} Line 7: a = {"type": "Integer", "val": "42"} Interpreting concretly Missing value for parameter _, continue with default value (). Interpreting abstractly Missing value for parameter _, continue with default value (). Result of checking model 2: - Concrete: good model (Concrete RAC confirms the counter-example) File int.mlw: Line 13: Constant zero initialization Line 14: Constant one initialization File example.mlw: Line 4: a = 42 Line 6: _ = () Execution of main function def's body with env: _ = () zero = 0 one = 1 a = 42 Line 7: Property failure, Assertion with: a = 42 - Abstract: good model (Abstract RAC confirms the counter-example) File int.mlw: Line 13: Constant zero initialization Line 14: Constant one initialization File example.mlw: Line 4: a = 42 Line 6: _ = () Execution of main function def's body with env: _ = () zero = 0 one = 1 a = 42 Line 7: Property failure, Assertion with: a = 42 Models: - Selected model 0 (Concrete: good model, Abstract: good model) Summary: The program does not comply to the verification goal - Checked model 1 (Concrete: good model, Abstract: good model) Summary: The program does not comply to the verification goal - Checked model 2 (Concrete: good model, Abstract: good model) Summary: The program does not comply to the verification goal File "bench/check-ce/example.mlw", line 7, characters 15-22: Goal Assertion from verification condition def'vc. Prover result is: unknown (sat) (0.01s, 684 steps). The program does not comply to the verification goal, for example during the following execution: File int.mlw: Line 13: Constant zero initialization Line 14: Constant one initialization File example.mlw: Line 4: a = 42 Line 6: _ = () Execution of main function def's body with env: _ = () zero = 0 one = 1 a = 42 Line 7: Property failure, Assertion with: a = 42 why3-1.6.0/bench/check-ce/oracles/example_Z3,4.8.10_WP.oracle000066400000000000000000000146351440160026300231170ustar00rootroot00000000000000Check model 0 ("bench/check-ce/example.mlw", line 7, characters 15-22) Validating model: File example.mlw: Line 4: a = {"type": "Integer", "val": "42"} Line 7: the check fails with all inputs Interpreting concretly Missing value for parameter _, continue with default value (). Interpreting abstractly Missing value for parameter _, continue with default value (). Result of checking model 0: - Concrete: good model (Concrete RAC confirms the counter-example) File int.mlw: Line 13: Constant zero initialization Line 14: Constant one initialization File example.mlw: Line 4: a = 42 Line 6: _ = () Execution of main function def's body with env: _ = () zero = 0 one = 1 a = 42 Line 7: Property failure, Assertion with: a = 42 - Abstract: good model (Abstract RAC confirms the counter-example) File int.mlw: Line 13: Constant zero initialization Line 14: Constant one initialization File example.mlw: Line 4: a = 42 Line 6: _ = () Execution of main function def's body with env: _ = () zero = 0 one = 1 a = 42 Line 7: Property failure, Assertion with: a = 42 Check model 1 ("bench/check-ce/example.mlw", line 7, characters 15-22) Validating model: File example.mlw: Line 4: a = {"type": "Integer", "val": "42"} Line 7: a = {"type": "Integer", "val": "42"} Interpreting concretly Missing value for parameter _, continue with default value (). Interpreting abstractly Missing value for parameter _, continue with default value (). Result of checking model 1: - Concrete: good model (Concrete RAC confirms the counter-example) File int.mlw: Line 13: Constant zero initialization Line 14: Constant one initialization File example.mlw: Line 4: a = 42 Line 6: _ = () Execution of main function def's body with env: _ = () zero = 0 one = 1 a = 42 Line 7: Property failure, Assertion with: a = 42 - Abstract: good model (Abstract RAC confirms the counter-example) File int.mlw: Line 13: Constant zero initialization Line 14: Constant one initialization File example.mlw: Line 4: a = 42 Line 6: _ = () Execution of main function def's body with env: _ = () zero = 0 one = 1 a = 42 Line 7: Property failure, Assertion with: a = 42 Check model 2 ("bench/check-ce/example.mlw", line 7, characters 15-22) Validating model: File example.mlw: Line 4: a = {"type": "Integer", "val": "42"} Line 7: a = {"type": "Integer", "val": "42"} Interpreting concretly Missing value for parameter _, continue with default value (). Interpreting abstractly Missing value for parameter _, continue with default value (). Result of checking model 2: - Concrete: good model (Concrete RAC confirms the counter-example) File int.mlw: Line 13: Constant zero initialization Line 14: Constant one initialization File example.mlw: Line 4: a = 42 Line 6: _ = () Execution of main function def's body with env: _ = () zero = 0 one = 1 a = 42 Line 7: Property failure, Assertion with: a = 42 - Abstract: good model (Abstract RAC confirms the counter-example) File int.mlw: Line 13: Constant zero initialization Line 14: Constant one initialization File example.mlw: Line 4: a = 42 Line 6: _ = () Execution of main function def's body with env: _ = () zero = 0 one = 1 a = 42 Line 7: Property failure, Assertion with: a = 42 Models: - Selected model 0 (Concrete: good model, Abstract: good model) Summary: The program does not comply to the verification goal - Checked model 1 (Concrete: good model, Abstract: good model) Summary: The program does not comply to the verification goal - Checked model 2 (Concrete: good model, Abstract: good model) Summary: The program does not comply to the verification goal File "bench/check-ce/example.mlw", line 7, characters 15-22: Goal Assertion from verification condition def'vc. Prover result is: unknown (sat) (0.02s, 684 steps). The program does not comply to the verification goal, for example during the following execution: File int.mlw: Line 13: Constant zero initialization Line 14: Constant one initialization File example.mlw: Line 4: a = 42 Line 6: _ = () Execution of main function def's body with env: _ = () zero = 0 one = 1 a = 42 Line 7: Property failure, Assertion with: a = 42 why3-1.6.0/bench/check-ce/oracles/example_Z3,4.8.4_SP.oracle000066400000000000000000000146351440160026300230360ustar00rootroot00000000000000Check model 0 ("bench/check-ce/example.mlw", line 7, characters 15-22) Validating model: File example.mlw: Line 4: a = {"type": "Integer", "val": "42"} Line 7: the check fails with all inputs Interpreting concretly Missing value for parameter _, continue with default value (). Interpreting abstractly Missing value for parameter _, continue with default value (). Result of checking model 0: - Concrete: good model (Concrete RAC confirms the counter-example) File int.mlw: Line 13: Constant zero initialization Line 14: Constant one initialization File example.mlw: Line 4: a = 42 Line 6: _ = () Execution of main function def's body with env: _ = () zero = 0 one = 1 a = 42 Line 7: Property failure, Assertion with: a = 42 - Abstract: good model (Abstract RAC confirms the counter-example) File int.mlw: Line 13: Constant zero initialization Line 14: Constant one initialization File example.mlw: Line 4: a = 42 Line 6: _ = () Execution of main function def's body with env: _ = () zero = 0 one = 1 a = 42 Line 7: Property failure, Assertion with: a = 42 Check model 1 ("bench/check-ce/example.mlw", line 7, characters 15-22) Validating model: File example.mlw: Line 4: a = {"type": "Integer", "val": "42"} Line 7: a = {"type": "Integer", "val": "42"} Interpreting concretly Missing value for parameter _, continue with default value (). Interpreting abstractly Missing value for parameter _, continue with default value (). Result of checking model 1: - Concrete: good model (Concrete RAC confirms the counter-example) File int.mlw: Line 13: Constant zero initialization Line 14: Constant one initialization File example.mlw: Line 4: a = 42 Line 6: _ = () Execution of main function def's body with env: _ = () zero = 0 one = 1 a = 42 Line 7: Property failure, Assertion with: a = 42 - Abstract: good model (Abstract RAC confirms the counter-example) File int.mlw: Line 13: Constant zero initialization Line 14: Constant one initialization File example.mlw: Line 4: a = 42 Line 6: _ = () Execution of main function def's body with env: _ = () zero = 0 one = 1 a = 42 Line 7: Property failure, Assertion with: a = 42 Check model 2 ("bench/check-ce/example.mlw", line 7, characters 15-22) Validating model: File example.mlw: Line 4: a = {"type": "Integer", "val": "42"} Line 7: a = {"type": "Integer", "val": "42"} Interpreting concretly Missing value for parameter _, continue with default value (). Interpreting abstractly Missing value for parameter _, continue with default value (). Result of checking model 2: - Concrete: good model (Concrete RAC confirms the counter-example) File int.mlw: Line 13: Constant zero initialization Line 14: Constant one initialization File example.mlw: Line 4: a = 42 Line 6: _ = () Execution of main function def's body with env: _ = () zero = 0 one = 1 a = 42 Line 7: Property failure, Assertion with: a = 42 - Abstract: good model (Abstract RAC confirms the counter-example) File int.mlw: Line 13: Constant zero initialization Line 14: Constant one initialization File example.mlw: Line 4: a = 42 Line 6: _ = () Execution of main function def's body with env: _ = () zero = 0 one = 1 a = 42 Line 7: Property failure, Assertion with: a = 42 Models: - Selected model 0 (Concrete: good model, Abstract: good model) Summary: The program does not comply to the verification goal - Checked model 1 (Concrete: good model, Abstract: good model) Summary: The program does not comply to the verification goal - Checked model 2 (Concrete: good model, Abstract: good model) Summary: The program does not comply to the verification goal File "bench/check-ce/example.mlw", line 7, characters 15-22: Goal Assertion from verification condition def'vc. Prover result is: unknown (sat) (0.01s, 684 steps). The program does not comply to the verification goal, for example during the following execution: File int.mlw: Line 13: Constant zero initialization Line 14: Constant one initialization File example.mlw: Line 4: a = 42 Line 6: _ = () Execution of main function def's body with env: _ = () zero = 0 one = 1 a = 42 Line 7: Property failure, Assertion with: a = 42 why3-1.6.0/bench/check-ce/oracles/example_Z3,4.8.4_WP.oracle000066400000000000000000000146351440160026300230420ustar00rootroot00000000000000Check model 0 ("bench/check-ce/example.mlw", line 7, characters 15-22) Validating model: File example.mlw: Line 4: a = {"type": "Integer", "val": "42"} Line 7: the check fails with all inputs Interpreting concretly Missing value for parameter _, continue with default value (). Interpreting abstractly Missing value for parameter _, continue with default value (). Result of checking model 0: - Concrete: good model (Concrete RAC confirms the counter-example) File int.mlw: Line 13: Constant zero initialization Line 14: Constant one initialization File example.mlw: Line 4: a = 42 Line 6: _ = () Execution of main function def's body with env: _ = () zero = 0 one = 1 a = 42 Line 7: Property failure, Assertion with: a = 42 - Abstract: good model (Abstract RAC confirms the counter-example) File int.mlw: Line 13: Constant zero initialization Line 14: Constant one initialization File example.mlw: Line 4: a = 42 Line 6: _ = () Execution of main function def's body with env: _ = () zero = 0 one = 1 a = 42 Line 7: Property failure, Assertion with: a = 42 Check model 1 ("bench/check-ce/example.mlw", line 7, characters 15-22) Validating model: File example.mlw: Line 4: a = {"type": "Integer", "val": "42"} Line 7: a = {"type": "Integer", "val": "42"} Interpreting concretly Missing value for parameter _, continue with default value (). Interpreting abstractly Missing value for parameter _, continue with default value (). Result of checking model 1: - Concrete: good model (Concrete RAC confirms the counter-example) File int.mlw: Line 13: Constant zero initialization Line 14: Constant one initialization File example.mlw: Line 4: a = 42 Line 6: _ = () Execution of main function def's body with env: _ = () zero = 0 one = 1 a = 42 Line 7: Property failure, Assertion with: a = 42 - Abstract: good model (Abstract RAC confirms the counter-example) File int.mlw: Line 13: Constant zero initialization Line 14: Constant one initialization File example.mlw: Line 4: a = 42 Line 6: _ = () Execution of main function def's body with env: _ = () zero = 0 one = 1 a = 42 Line 7: Property failure, Assertion with: a = 42 Check model 2 ("bench/check-ce/example.mlw", line 7, characters 15-22) Validating model: File example.mlw: Line 4: a = {"type": "Integer", "val": "42"} Line 7: a = {"type": "Integer", "val": "42"} Interpreting concretly Missing value for parameter _, continue with default value (). Interpreting abstractly Missing value for parameter _, continue with default value (). Result of checking model 2: - Concrete: good model (Concrete RAC confirms the counter-example) File int.mlw: Line 13: Constant zero initialization Line 14: Constant one initialization File example.mlw: Line 4: a = 42 Line 6: _ = () Execution of main function def's body with env: _ = () zero = 0 one = 1 a = 42 Line 7: Property failure, Assertion with: a = 42 - Abstract: good model (Abstract RAC confirms the counter-example) File int.mlw: Line 13: Constant zero initialization Line 14: Constant one initialization File example.mlw: Line 4: a = 42 Line 6: _ = () Execution of main function def's body with env: _ = () zero = 0 one = 1 a = 42 Line 7: Property failure, Assertion with: a = 42 Models: - Selected model 0 (Concrete: good model, Abstract: good model) Summary: The program does not comply to the verification goal - Checked model 1 (Concrete: good model, Abstract: good model) Summary: The program does not comply to the verification goal - Checked model 2 (Concrete: good model, Abstract: good model) Summary: The program does not comply to the verification goal File "bench/check-ce/example.mlw", line 7, characters 15-22: Goal Assertion from verification condition def'vc. Prover result is: unknown (sat) (0.02s, 684 steps). The program does not comply to the verification goal, for example during the following execution: File int.mlw: Line 13: Constant zero initialization Line 14: Constant one initialization File example.mlw: Line 4: a = 42 Line 6: _ = () Execution of main function def's body with env: _ = () zero = 0 one = 1 a = 42 Line 7: Property failure, Assertion with: a = 42 why3-1.6.0/bench/check-ce/oracles/falseCE_CVC4,1.8_SP.oracle000066400000000000000000000006331440160026300227340ustar00rootroot00000000000000Categorizations of models: - Checked model 0: BAD_CE - Concrete RAC: NORMAL - Abstract RAC: NORMAL - Selected model 1: BAD_CE - Concrete RAC: NORMAL - Abstract RAC: NORMAL File "bench/check-ce/falseCE.mlw", line 15, characters 11-21: Sub-goal Assertion of goal rsa'vc. Prover result is: Unknown or time/memory/step limit. Sorry, we don't have a good counterexample for you :( why3-1.6.0/bench/check-ce/oracles/falseCE_CVC4,1.8_WP.oracle000066400000000000000000000006331440160026300227400ustar00rootroot00000000000000Categorizations of models: - Checked model 0: BAD_CE - Concrete RAC: NORMAL - Abstract RAC: NORMAL - Selected model 1: BAD_CE - Concrete RAC: NORMAL - Abstract RAC: NORMAL File "bench/check-ce/falseCE.mlw", line 15, characters 11-21: Sub-goal Assertion of goal rsa'vc. Prover result is: Unknown or time/memory/step limit. Sorry, we don't have a good counterexample for you :( why3-1.6.0/bench/check-ce/oracles/falseCE_CVC5,1.0.0_SP.oracle000066400000000000000000000007151440160026300230640ustar00rootroot00000000000000Categorizations of models: - Checked model 0: BAD_CE - Concrete RAC: STUCK (failure in precondition of `rsa` at "bench/check-ce/falseCE.mlw", line 12, characters 4-7) - Abstract RAC: STUCK (failure in precondition of `rsa` at "bench/check-ce/falseCE.mlw", line 12, characters 4-7) File "bench/check-ce/falseCE.mlw", line 15, characters 11-21: Sub-goal Assertion of goal rsa'vc. Prover result is: Unknown or time/memory/step limit. why3-1.6.0/bench/check-ce/oracles/falseCE_CVC5,1.0.0_WP.oracle000066400000000000000000000007151440160026300230700ustar00rootroot00000000000000Categorizations of models: - Checked model 0: BAD_CE - Concrete RAC: STUCK (failure in precondition of `rsa` at "bench/check-ce/falseCE.mlw", line 12, characters 4-7) - Abstract RAC: STUCK (failure in precondition of `rsa` at "bench/check-ce/falseCE.mlw", line 12, characters 4-7) File "bench/check-ce/falseCE.mlw", line 15, characters 11-21: Sub-goal Assertion of goal rsa'vc. Prover result is: Unknown or time/memory/step limit. why3-1.6.0/bench/check-ce/oracles/falseCE_Z3,4.8.10_SP.oracle000066400000000000000000000021511440160026300227500ustar00rootroot00000000000000Categorizations of models: - Selected model 0: NC - Concrete RAC: FAILURE (assertion at "bench/check-ce/falseCE.mlw", line 15, characters 11-21) - Abstract RAC: FAILURE (assertion at "bench/check-ce/falseCE.mlw", line 15, characters 11-21) - Checked model 1: NC - Concrete RAC: FAILURE (assertion at "bench/check-ce/falseCE.mlw", line 15, characters 11-21) - Abstract RAC: FAILURE (assertion at "bench/check-ce/falseCE.mlw", line 15, characters 11-21) File "bench/check-ce/falseCE.mlw", line 15, characters 11-21: Sub-goal Assertion of goal rsa'vc. Prover result is: Unknown (sat). The program does not comply to the verification goal, for example during the following execution: File int.mlw: Line 13: Constant zero initialization zero = 0 Line 14: Constant one initialization one = 1 File falseCE.mlw: Line 12: a = 3571 b = 3407 a = 3571 b = 3407 Execution of main function `rsa` with env: a = 3571 b = 3407 zero = 0 one = 1 Line 15: Property failure at assertion with: a = 3571 b = 3407 c = 12166397 why3-1.6.0/bench/check-ce/oracles/falseCE_Z3,4.8.10_WP.oracle000066400000000000000000000021511440160026300227540ustar00rootroot00000000000000Categorizations of models: - Selected model 0: NC - Concrete RAC: FAILURE (assertion at "bench/check-ce/falseCE.mlw", line 15, characters 11-21) - Abstract RAC: FAILURE (assertion at "bench/check-ce/falseCE.mlw", line 15, characters 11-21) - Checked model 1: NC - Concrete RAC: FAILURE (assertion at "bench/check-ce/falseCE.mlw", line 15, characters 11-21) - Abstract RAC: FAILURE (assertion at "bench/check-ce/falseCE.mlw", line 15, characters 11-21) File "bench/check-ce/falseCE.mlw", line 15, characters 11-21: Sub-goal Assertion of goal rsa'vc. Prover result is: Unknown (sat). The program does not comply to the verification goal, for example during the following execution: File int.mlw: Line 13: Constant zero initialization zero = 0 Line 14: Constant one initialization one = 1 File falseCE.mlw: Line 12: a = 3571 b = 3407 a = 3571 b = 3407 Execution of main function `rsa` with env: a = 3571 b = 3407 zero = 0 one = 1 Line 15: Property failure at assertion with: a = 3571 b = 3407 c = 12166397 why3-1.6.0/bench/check-ce/oracles/falseCE_Z3,4.8.4_SP.oracle000066400000000000000000000060251440160026300226770ustar00rootroot00000000000000Check model 0 ("bench/check-ce/falseCE.mlw", line 15, characters 11-21) Checking model: Giant-step RAC RHS evaluated for global `zero` at "WHY3DATA/stdlib/int.mlw", line 13, characters 15-19: 0 RHS evaluated for global `one` at "WHY3DATA/stdlib/int.mlw", line 14, characters 15-18: 1 Type default value for parameter `a` at "bench/check-ce/falseCE.mlw", line 12, characters 9-10: 0 Type default value for parameter `b` at "bench/check-ce/falseCE.mlw", line 12, characters 11-12: 0 Normal RAC RHS evaluated for global `zero` at "WHY3DATA/stdlib/int.mlw", line 13, characters 15-19: 0 RHS evaluated for global `one` at "WHY3DATA/stdlib/int.mlw", line 14, characters 15-18: 1 Type default value for parameter `a` at "bench/check-ce/falseCE.mlw", line 12, characters 9-10: 0 Type default value for parameter `b` at "bench/check-ce/falseCE.mlw", line 12, characters 11-12: 0 Result of checking model 0: BAD_CE - Concrete RAC: STUCK (failure in precondition of `rsa` at "bench/check-ce/falseCE.mlw", line 12, characters 4-7) File int.mlw: Line 13: Constant zero initialization zero = 0 Line 14: Constant one initialization one = 1 File falseCE.mlw: Line 12: a = 0 b = 0 a = 0 b = 0 Execution of main function `rsa` with env: a = 0 b = 0 zero = 0 one = 1 Execution got stuck at precondition of `rsa` with: a = 0 b = 0 - Abstract RAC: STUCK (failure in precondition of `rsa` at "bench/check-ce/falseCE.mlw", line 12, characters 4-7) File int.mlw: Line 13: Constant zero initialization zero = 0 Line 14: Constant one initialization one = 1 File falseCE.mlw: Line 12: a = 0 b = 0 a = 0 b = 0 Execution of main function `rsa` with env: a = 0 b = 0 zero = 0 one = 1 Execution got stuck at precondition of `rsa` with: a = 0 b = 0 Results: - Checked model 0: BAD_CE - Concrete RAC: STUCK (failure in precondition of `rsa` at "bench/check-ce/falseCE.mlw", line 12, characters 4-7) - Abstract RAC: STUCK (failure in precondition of `rsa` at "bench/check-ce/falseCE.mlw", line 12, characters 4-7) File "bench/check-ce/falseCE.mlw", line 15, characters 11-21: Sub-goal Assertion of goal rsa'vc. Prover result is: Unknown (unknown) (1.55s, 7500000 steps). why3-1.6.0/bench/check-ce/oracles/falseCE_Z3,4.8.4_WP.oracle000066400000000000000000000060251440160026300227030ustar00rootroot00000000000000Check model 0 ("bench/check-ce/falseCE.mlw", line 15, characters 11-21) Checking model: Giant-step RAC RHS evaluated for global `zero` at "WHY3DATA/stdlib/int.mlw", line 13, characters 15-19: 0 RHS evaluated for global `one` at "WHY3DATA/stdlib/int.mlw", line 14, characters 15-18: 1 Type default value for parameter `a` at "bench/check-ce/falseCE.mlw", line 12, characters 9-10: 0 Type default value for parameter `b` at "bench/check-ce/falseCE.mlw", line 12, characters 11-12: 0 Normal RAC RHS evaluated for global `zero` at "WHY3DATA/stdlib/int.mlw", line 13, characters 15-19: 0 RHS evaluated for global `one` at "WHY3DATA/stdlib/int.mlw", line 14, characters 15-18: 1 Type default value for parameter `a` at "bench/check-ce/falseCE.mlw", line 12, characters 9-10: 0 Type default value for parameter `b` at "bench/check-ce/falseCE.mlw", line 12, characters 11-12: 0 Result of checking model 0: BAD_CE - Concrete RAC: STUCK (failure in precondition of `rsa` at "bench/check-ce/falseCE.mlw", line 12, characters 4-7) File int.mlw: Line 13: Constant zero initialization zero = 0 Line 14: Constant one initialization one = 1 File falseCE.mlw: Line 12: a = 0 b = 0 a = 0 b = 0 Execution of main function `rsa` with env: a = 0 b = 0 zero = 0 one = 1 Execution got stuck at precondition of `rsa` with: a = 0 b = 0 - Abstract RAC: STUCK (failure in precondition of `rsa` at "bench/check-ce/falseCE.mlw", line 12, characters 4-7) File int.mlw: Line 13: Constant zero initialization zero = 0 Line 14: Constant one initialization one = 1 File falseCE.mlw: Line 12: a = 0 b = 0 a = 0 b = 0 Execution of main function `rsa` with env: a = 0 b = 0 zero = 0 one = 1 Execution got stuck at precondition of `rsa` with: a = 0 b = 0 Results: - Checked model 0: BAD_CE - Concrete RAC: STUCK (failure in precondition of `rsa` at "bench/check-ce/falseCE.mlw", line 12, characters 4-7) - Abstract RAC: STUCK (failure in precondition of `rsa` at "bench/check-ce/falseCE.mlw", line 12, characters 4-7) File "bench/check-ce/falseCE.mlw", line 15, characters 11-21: Sub-goal Assertion of goal rsa'vc. Prover result is: Unknown (unknown) (1.57s, 7500000 steps). why3-1.6.0/bench/check-ce/oracles/fide21_CVC4,1.8_SP.oracle000066400000000000000000000056631440160026300225140ustar00rootroot00000000000000File "bench/check-ce/fide21.mlw", line 7, characters 12-17: Sub-goal Postcondition of goal set_x'vc. Prover result is: Valid. Categorizations of models: - Selected model 0: SW - Concrete RAC: NORMAL - Abstract RAC: FAILURE (assertion at "bench/check-ce/fide21.mlw", line 15, characters 11-16) - Checked model 1: SW - Concrete RAC: NORMAL - Abstract RAC: FAILURE (assertion at "bench/check-ce/fide21.mlw", line 15, characters 11-16) File "bench/check-ce/fide21.mlw", line 15, characters 11-16: Sub-goal Assertion of goal main'vc. Prover result is: Unknown or time/memory/step limit. The contracts of some function or loop are too weak, for example during the following execution: File int.mlw: Line 13: Constant zero initialization zero = 0 Line 14: Constant one initialization one = 1 File fide21.mlw: Line 4: Constant x initialization (giant-step) execution of unimplemented function with args: result = 0 Normal execution of function `ref` with args: contents = 0 Normal execution of function `ref'mk` with args: contents = 0 x = {contents= 0} Unknown location: _ = () File fide21.mlw: Line 11: _ = () Execution of main function `main` with env: x = {contents= 0} _ = () zero = 0 one = 1 Line 14: Giant-step execution of function `set_x` with args: n = 2 x = {contents= 4} result of `set_x` = () Line 15: Property failure at assertion with: x = {contents= 4} File "bench/check-ce/fide21.mlw", line 19, characters 12-22: Sub-goal Postcondition of goal incr'vc. Prover result is: Valid. Categorizations of models: - Selected model 0: SW - Concrete RAC: NORMAL - Abstract RAC: FAILURE (assertion at "bench/check-ce/fide21.mlw", line 24, characters 11-16) - Checked model 1: SW - Concrete RAC: NORMAL - Abstract RAC: FAILURE (assertion at "bench/check-ce/fide21.mlw", line 24, characters 11-16) File "bench/check-ce/fide21.mlw", line 24, characters 11-16: Sub-goal Assertion of goal test'vc. Prover result is: Unknown (sat). The contracts of some function or loop are too weak, for example during the following execution: File int.mlw: Line 13: Constant zero initialization zero = 0 Line 14: Constant one initialization one = 1 File fide21.mlw: Line 4: Constant x initialization (giant-step) execution of unimplemented function with args: result = 0 Normal execution of function `ref` with args: contents = 0 Normal execution of function `ref'mk` with args: contents = 0 x = {contents= 0} Unknown location: _ = () File fide21.mlw: Line 22: _ = () Execution of main function `test` with env: x = {contents= 0} _ = () zero = 0 one = 1 Line 23: Giant-step execution of function `incr` with args: x = 1 result of `incr` = 3 Line 24: Property failure at assertion with: y = 3 why3-1.6.0/bench/check-ce/oracles/fide21_CVC4,1.8_WP.oracle000066400000000000000000000056631440160026300225200ustar00rootroot00000000000000File "bench/check-ce/fide21.mlw", line 7, characters 12-17: Sub-goal Postcondition of goal set_x'vc. Prover result is: Valid. Categorizations of models: - Selected model 0: SW - Concrete RAC: NORMAL - Abstract RAC: FAILURE (assertion at "bench/check-ce/fide21.mlw", line 15, characters 11-16) - Checked model 1: SW - Concrete RAC: NORMAL - Abstract RAC: FAILURE (assertion at "bench/check-ce/fide21.mlw", line 15, characters 11-16) File "bench/check-ce/fide21.mlw", line 15, characters 11-16: Sub-goal Assertion of goal main'vc. Prover result is: Unknown or time/memory/step limit. The contracts of some function or loop are too weak, for example during the following execution: File int.mlw: Line 13: Constant zero initialization zero = 0 Line 14: Constant one initialization one = 1 File fide21.mlw: Line 4: Constant x initialization (giant-step) execution of unimplemented function with args: result = 0 Normal execution of function `ref` with args: contents = 0 Normal execution of function `ref'mk` with args: contents = 0 x = {contents= 0} Unknown location: _ = () File fide21.mlw: Line 11: _ = () Execution of main function `main` with env: x = {contents= 0} _ = () zero = 0 one = 1 Line 14: Giant-step execution of function `set_x` with args: n = 2 x = {contents= 4} result of `set_x` = () Line 15: Property failure at assertion with: x = {contents= 4} File "bench/check-ce/fide21.mlw", line 19, characters 12-22: Sub-goal Postcondition of goal incr'vc. Prover result is: Valid. Categorizations of models: - Selected model 0: SW - Concrete RAC: NORMAL - Abstract RAC: FAILURE (assertion at "bench/check-ce/fide21.mlw", line 24, characters 11-16) - Checked model 1: SW - Concrete RAC: NORMAL - Abstract RAC: FAILURE (assertion at "bench/check-ce/fide21.mlw", line 24, characters 11-16) File "bench/check-ce/fide21.mlw", line 24, characters 11-16: Sub-goal Assertion of goal test'vc. Prover result is: Unknown (sat). The contracts of some function or loop are too weak, for example during the following execution: File int.mlw: Line 13: Constant zero initialization zero = 0 Line 14: Constant one initialization one = 1 File fide21.mlw: Line 4: Constant x initialization (giant-step) execution of unimplemented function with args: result = 0 Normal execution of function `ref` with args: contents = 0 Normal execution of function `ref'mk` with args: contents = 0 x = {contents= 0} Unknown location: _ = () File fide21.mlw: Line 22: _ = () Execution of main function `test` with env: x = {contents= 0} _ = () zero = 0 one = 1 Line 23: Giant-step execution of function `incr` with args: x = 1 result of `incr` = 3 Line 24: Property failure at assertion with: y = 3 why3-1.6.0/bench/check-ce/oracles/fide21_CVC5,1.0.0_SP.oracle000066400000000000000000000056631440160026300226430ustar00rootroot00000000000000File "bench/check-ce/fide21.mlw", line 7, characters 12-17: Sub-goal Postcondition of goal set_x'vc. Prover result is: Valid. Categorizations of models: - Selected model 0: SW - Concrete RAC: NORMAL - Abstract RAC: FAILURE (assertion at "bench/check-ce/fide21.mlw", line 15, characters 11-16) - Checked model 1: SW - Concrete RAC: NORMAL - Abstract RAC: FAILURE (assertion at "bench/check-ce/fide21.mlw", line 15, characters 11-16) File "bench/check-ce/fide21.mlw", line 15, characters 11-16: Sub-goal Assertion of goal main'vc. Prover result is: Unknown or time/memory/step limit. The contracts of some function or loop are too weak, for example during the following execution: File int.mlw: Line 13: Constant zero initialization zero = 0 Line 14: Constant one initialization one = 1 File fide21.mlw: Line 4: Constant x initialization (giant-step) execution of unimplemented function with args: result = 0 Normal execution of function `ref` with args: contents = 0 Normal execution of function `ref'mk` with args: contents = 0 x = {contents= 0} Unknown location: _ = () File fide21.mlw: Line 11: _ = () Execution of main function `main` with env: x = {contents= 0} _ = () zero = 0 one = 1 Line 14: Giant-step execution of function `set_x` with args: n = 2 x = {contents= 4} result of `set_x` = () Line 15: Property failure at assertion with: x = {contents= 4} File "bench/check-ce/fide21.mlw", line 19, characters 12-22: Sub-goal Postcondition of goal incr'vc. Prover result is: Valid. Categorizations of models: - Selected model 0: SW - Concrete RAC: NORMAL - Abstract RAC: FAILURE (assertion at "bench/check-ce/fide21.mlw", line 24, characters 11-16) - Checked model 1: SW - Concrete RAC: NORMAL - Abstract RAC: FAILURE (assertion at "bench/check-ce/fide21.mlw", line 24, characters 11-16) File "bench/check-ce/fide21.mlw", line 24, characters 11-16: Sub-goal Assertion of goal test'vc. Prover result is: Unknown (sat). The contracts of some function or loop are too weak, for example during the following execution: File int.mlw: Line 13: Constant zero initialization zero = 0 Line 14: Constant one initialization one = 1 File fide21.mlw: Line 4: Constant x initialization (giant-step) execution of unimplemented function with args: result = 0 Normal execution of function `ref` with args: contents = 0 Normal execution of function `ref'mk` with args: contents = 0 x = {contents= 0} Unknown location: _ = () File fide21.mlw: Line 22: _ = () Execution of main function `test` with env: x = {contents= 0} _ = () zero = 0 one = 1 Line 23: Giant-step execution of function `incr` with args: x = 1 result of `incr` = 3 Line 24: Property failure at assertion with: y = 3 why3-1.6.0/bench/check-ce/oracles/fide21_CVC5,1.0.0_WP.oracle000066400000000000000000000056631440160026300226470ustar00rootroot00000000000000File "bench/check-ce/fide21.mlw", line 7, characters 12-17: Sub-goal Postcondition of goal set_x'vc. Prover result is: Valid. Categorizations of models: - Selected model 0: SW - Concrete RAC: NORMAL - Abstract RAC: FAILURE (assertion at "bench/check-ce/fide21.mlw", line 15, characters 11-16) - Checked model 1: SW - Concrete RAC: NORMAL - Abstract RAC: FAILURE (assertion at "bench/check-ce/fide21.mlw", line 15, characters 11-16) File "bench/check-ce/fide21.mlw", line 15, characters 11-16: Sub-goal Assertion of goal main'vc. Prover result is: Unknown or time/memory/step limit. The contracts of some function or loop are too weak, for example during the following execution: File int.mlw: Line 13: Constant zero initialization zero = 0 Line 14: Constant one initialization one = 1 File fide21.mlw: Line 4: Constant x initialization (giant-step) execution of unimplemented function with args: result = 0 Normal execution of function `ref` with args: contents = 0 Normal execution of function `ref'mk` with args: contents = 0 x = {contents= 0} Unknown location: _ = () File fide21.mlw: Line 11: _ = () Execution of main function `main` with env: x = {contents= 0} _ = () zero = 0 one = 1 Line 14: Giant-step execution of function `set_x` with args: n = 2 x = {contents= 4} result of `set_x` = () Line 15: Property failure at assertion with: x = {contents= 4} File "bench/check-ce/fide21.mlw", line 19, characters 12-22: Sub-goal Postcondition of goal incr'vc. Prover result is: Valid. Categorizations of models: - Selected model 0: SW - Concrete RAC: NORMAL - Abstract RAC: FAILURE (assertion at "bench/check-ce/fide21.mlw", line 24, characters 11-16) - Checked model 1: SW - Concrete RAC: NORMAL - Abstract RAC: FAILURE (assertion at "bench/check-ce/fide21.mlw", line 24, characters 11-16) File "bench/check-ce/fide21.mlw", line 24, characters 11-16: Sub-goal Assertion of goal test'vc. Prover result is: Unknown (sat). The contracts of some function or loop are too weak, for example during the following execution: File int.mlw: Line 13: Constant zero initialization zero = 0 Line 14: Constant one initialization one = 1 File fide21.mlw: Line 4: Constant x initialization (giant-step) execution of unimplemented function with args: result = 0 Normal execution of function `ref` with args: contents = 0 Normal execution of function `ref'mk` with args: contents = 0 x = {contents= 0} Unknown location: _ = () File fide21.mlw: Line 22: _ = () Execution of main function `test` with env: x = {contents= 0} _ = () zero = 0 one = 1 Line 23: Giant-step execution of function `incr` with args: x = 1 result of `incr` = 3 Line 24: Property failure at assertion with: y = 3 why3-1.6.0/bench/check-ce/oracles/fide21_Z3,4.8.10_SP.oracle000066400000000000000000000057161440160026300225320ustar00rootroot00000000000000File "bench/check-ce/fide21.mlw", line 7, characters 12-17: Sub-goal Postcondition of goal set_x'vc. Prover result is: Valid. Categorizations of models: - Selected model 0: SW - Concrete RAC: NORMAL - Abstract RAC: FAILURE (assertion at "bench/check-ce/fide21.mlw", line 15, characters 11-16) - Checked model 1: BAD_CE - Concrete RAC: NORMAL - Abstract RAC: STUCK (failure in postcondition of `set_x` at "bench/check-ce/fide21.mlw", line 7, characters 12-17) File "bench/check-ce/fide21.mlw", line 15, characters 11-16: Sub-goal Assertion of goal main'vc. Prover result is: Unknown or time/memory/step limit. The contracts of some function or loop are too weak, for example during the following execution: File int.mlw: Line 13: Constant zero initialization zero = 0 Line 14: Constant one initialization one = 1 File fide21.mlw: Line 4: Constant x initialization (giant-step) execution of unimplemented function with args: result = 0 Normal execution of function `ref` with args: contents = 0 Normal execution of function `ref'mk` with args: contents = 0 x = {contents= 0} Unknown location: _ = () File fide21.mlw: Line 11: _ = () Execution of main function `main` with env: x = {contents= 0} _ = () zero = 0 one = 1 Line 14: Giant-step execution of function `set_x` with args: n = 2 x = {contents= 4} result of `set_x` = () Line 15: Property failure at assertion with: x = {contents= 4} File "bench/check-ce/fide21.mlw", line 19, characters 12-22: Sub-goal Postcondition of goal incr'vc. Prover result is: Valid. Categorizations of models: - Selected model 0: SW - Concrete RAC: NORMAL - Abstract RAC: FAILURE (assertion at "bench/check-ce/fide21.mlw", line 24, characters 11-16) - Checked model 1: SW - Concrete RAC: NORMAL - Abstract RAC: FAILURE (assertion at "bench/check-ce/fide21.mlw", line 24, characters 11-16) File "bench/check-ce/fide21.mlw", line 24, characters 11-16: Sub-goal Assertion of goal test'vc. Prover result is: Unknown (sat). The contracts of some function or loop are too weak, for example during the following execution: File int.mlw: Line 13: Constant zero initialization zero = 0 Line 14: Constant one initialization one = 1 File fide21.mlw: Line 4: Constant x initialization (giant-step) execution of unimplemented function with args: result = 0 Normal execution of function `ref` with args: contents = 0 Normal execution of function `ref'mk` with args: contents = 0 x = {contents= 0} Unknown location: _ = () File fide21.mlw: Line 22: _ = () Execution of main function `test` with env: x = {contents= 0} _ = () zero = 0 one = 1 Line 23: Giant-step execution of function `incr` with args: x = 1 result of `incr` = 3 Line 24: Property failure at assertion with: y = 3 why3-1.6.0/bench/check-ce/oracles/fide21_Z3,4.8.10_WP.oracle000066400000000000000000000057161440160026300225360ustar00rootroot00000000000000File "bench/check-ce/fide21.mlw", line 7, characters 12-17: Sub-goal Postcondition of goal set_x'vc. Prover result is: Valid. Categorizations of models: - Selected model 0: SW - Concrete RAC: NORMAL - Abstract RAC: FAILURE (assertion at "bench/check-ce/fide21.mlw", line 15, characters 11-16) - Checked model 1: BAD_CE - Concrete RAC: NORMAL - Abstract RAC: STUCK (failure in postcondition of `set_x` at "bench/check-ce/fide21.mlw", line 7, characters 12-17) File "bench/check-ce/fide21.mlw", line 15, characters 11-16: Sub-goal Assertion of goal main'vc. Prover result is: Unknown or time/memory/step limit. The contracts of some function or loop are too weak, for example during the following execution: File int.mlw: Line 13: Constant zero initialization zero = 0 Line 14: Constant one initialization one = 1 File fide21.mlw: Line 4: Constant x initialization (giant-step) execution of unimplemented function with args: result = 0 Normal execution of function `ref` with args: contents = 0 Normal execution of function `ref'mk` with args: contents = 0 x = {contents= 0} Unknown location: _ = () File fide21.mlw: Line 11: _ = () Execution of main function `main` with env: x = {contents= 0} _ = () zero = 0 one = 1 Line 14: Giant-step execution of function `set_x` with args: n = 2 x = {contents= 4} result of `set_x` = () Line 15: Property failure at assertion with: x = {contents= 4} File "bench/check-ce/fide21.mlw", line 19, characters 12-22: Sub-goal Postcondition of goal incr'vc. Prover result is: Valid. Categorizations of models: - Selected model 0: SW - Concrete RAC: NORMAL - Abstract RAC: FAILURE (assertion at "bench/check-ce/fide21.mlw", line 24, characters 11-16) - Checked model 1: SW - Concrete RAC: NORMAL - Abstract RAC: FAILURE (assertion at "bench/check-ce/fide21.mlw", line 24, characters 11-16) File "bench/check-ce/fide21.mlw", line 24, characters 11-16: Sub-goal Assertion of goal test'vc. Prover result is: Unknown (sat). The contracts of some function or loop are too weak, for example during the following execution: File int.mlw: Line 13: Constant zero initialization zero = 0 Line 14: Constant one initialization one = 1 File fide21.mlw: Line 4: Constant x initialization (giant-step) execution of unimplemented function with args: result = 0 Normal execution of function `ref` with args: contents = 0 Normal execution of function `ref'mk` with args: contents = 0 x = {contents= 0} Unknown location: _ = () File fide21.mlw: Line 22: _ = () Execution of main function `test` with env: x = {contents= 0} _ = () zero = 0 one = 1 Line 23: Giant-step execution of function `incr` with args: x = 1 result of `incr` = 3 Line 24: Property failure at assertion with: y = 3 why3-1.6.0/bench/check-ce/oracles/fide21_Z3,4.8.4_SP.oracle000066400000000000000000000306331440160026300224510ustar00rootroot00000000000000File "bench/check-ce/fide21.mlw", line 7, characters 12-17: Sub-goal Postcondition of goal set_x'vc. Prover result is: Valid (0.02s, 131 steps). Check model 0 ("bench/check-ce/fide21.mlw", line 15, characters 11-16) Checking model: File fide21.mlw: Line 7: x = {"type": "Record", "val": {"Field": [{"field": "contents", "value": {"type": "Integer", "val": "4"}}]}} Line 14: x = {"type": "Record", "val": {"Field": [{"field": "contents", "value": {"type": "Integer", "val": "4"}}]}} Line 15: x = {"type": "Record", "val": {"Field": [{"field": "contents", "value": {"type": "Integer", "val": "4"}}]}} Giant-step RAC RHS evaluated for global `zero` at "WHY3DATA/stdlib/int.mlw", line 13, characters 15-19: 0 RHS evaluated for global `one` at "WHY3DATA/stdlib/int.mlw", line 14, characters 15-18: 1 Type default value for return value of call at "bench/check-ce/fide21.mlw", line 4, characters 10-15 at "bench/check-ce/fide21.mlw", line 4, characters 10-15: 0 RHS evaluated for global `x` at "bench/check-ce/fide21.mlw", line 4, characters 8-9: {contents= 0} Type default value for parameter `_` at NO LOC: () Value from model for variable `x` at "bench/check-ce/fide21.mlw", line 14, characters 2-9 at "bench/check-ce/fide21.mlw", line 14, characters 2-9: {contents= 4} Type default value for return value of call to set_x at "bench/check-ce/fide21.mlw", line 14, characters 2-9 at "bench/check-ce/fide21.mlw", line 14, characters 2-9: () Normal RAC RHS evaluated for global `zero` at "WHY3DATA/stdlib/int.mlw", line 13, characters 15-19: 0 RHS evaluated for global `one` at "WHY3DATA/stdlib/int.mlw", line 14, characters 15-18: 1 Type default value for return value of call at "bench/check-ce/fide21.mlw", line 4, characters 10-15 at "bench/check-ce/fide21.mlw", line 4, characters 10-15: 0 RHS evaluated for global `x` at "bench/check-ce/fide21.mlw", line 4, characters 8-9: {contents= 0} Type default value for parameter `_` at NO LOC: () Result of checking model 0: SW - Concrete RAC: NORMAL File int.mlw: Line 13: Constant zero initialization zero = 0 Line 14: Constant one initialization one = 1 File fide21.mlw: Line 4: Constant x initialization (giant-step) execution of unimplemented function with args: result = 0 Normal execution of function `ref` with args: contents = 0 Normal execution of function `ref'mk` with args: contents = 0 x = {contents= 0} Unknown location: _ = () File fide21.mlw: Line 11: _ = () Execution of main function `main` with env: x = {contents= 0} _ = () zero = 0 one = 1 Line 14: Normal execution of function `set_x` with args: n = 2 Line 9: Normal execution of function `(+)` with args: _ = 2 _ = 1 Line 11: Execution of main function terminated normally - Abstract RAC: FAILURE (assertion at "bench/check-ce/fide21.mlw", line 15, characters 11-16) File int.mlw: Line 13: Constant zero initialization zero = 0 Line 14: Constant one initialization one = 1 File fide21.mlw: Line 4: Constant x initialization (giant-step) execution of unimplemented function with args: result = 0 Normal execution of function `ref` with args: contents = 0 Normal execution of function `ref'mk` with args: contents = 0 x = {contents= 0} Unknown location: _ = () File fide21.mlw: Line 11: _ = () Execution of main function `main` with env: x = {contents= 0} _ = () zero = 0 one = 1 Line 14: Giant-step execution of function `set_x` with args: n = 2 x = {contents= 4} result of `set_x` = () Line 15: Property failure at assertion with: x = {contents= 4} Results: - Selected model 0: SW - Concrete RAC: NORMAL - Abstract RAC: FAILURE (assertion at "bench/check-ce/fide21.mlw", line 15, characters 11-16) File "bench/check-ce/fide21.mlw", line 15, characters 11-16: Sub-goal Assertion of goal main'vc. Prover result is: Step limit exceeded (1.04s). The contracts of some function or loop are too weak, for example during the following execution: File int.mlw: Line 13: Constant zero initialization zero = 0 Line 14: Constant one initialization one = 1 File fide21.mlw: Line 4: Constant x initialization (giant-step) execution of unimplemented function with args: result = 0 Normal execution of function `ref` with args: contents = 0 Normal execution of function `ref'mk` with args: contents = 0 x = {contents= 0} Unknown location: _ = () File fide21.mlw: Line 11: _ = () Execution of main function `main` with env: x = {contents= 0} _ = () zero = 0 one = 1 Line 14: Giant-step execution of function `set_x` with args: n = 2 x = {contents= 4} result of `set_x` = () Line 15: Property failure at assertion with: x = {contents= 4} File "bench/check-ce/fide21.mlw", line 19, characters 12-22: Sub-goal Postcondition of goal incr'vc. Prover result is: Valid (0.01s, 42 steps). Check model 0 ("bench/check-ce/fide21.mlw", line 24, characters 11-16) Checking model: File fide21.mlw: Line 19: y = {"type": "Integer", "val": "3"} Line 23: result = {"type": "Integer", "val": "3"} y = {"type": "Integer", "val": "3"} Line 24: y = {"type": "Integer", "val": "3"} Giant-step RAC RHS evaluated for global `zero` at "WHY3DATA/stdlib/int.mlw", line 13, characters 15-19: 0 RHS evaluated for global `one` at "WHY3DATA/stdlib/int.mlw", line 14, characters 15-18: 1 Type default value for return value of call at "bench/check-ce/fide21.mlw", line 4, characters 10-15 at "bench/check-ce/fide21.mlw", line 4, characters 10-15: 0 RHS evaluated for global `x` at "bench/check-ce/fide21.mlw", line 4, characters 8-9: {contents= 0} Type default value for parameter `_` at NO LOC: () Value from model for return value of call to incr at "bench/check-ce/fide21.mlw", line 23, characters 10-16 at "bench/check-ce/fide21.mlw", line 23, characters 10-16: 3 Normal RAC RHS evaluated for global `zero` at "WHY3DATA/stdlib/int.mlw", line 13, characters 15-19: 0 RHS evaluated for global `one` at "WHY3DATA/stdlib/int.mlw", line 14, characters 15-18: 1 Type default value for return value of call at "bench/check-ce/fide21.mlw", line 4, characters 10-15 at "bench/check-ce/fide21.mlw", line 4, characters 10-15: 0 RHS evaluated for global `x` at "bench/check-ce/fide21.mlw", line 4, characters 8-9: {contents= 0} Type default value for parameter `_` at NO LOC: () Result of checking model 0: SW - Concrete RAC: NORMAL File int.mlw: Line 13: Constant zero initialization zero = 0 Line 14: Constant one initialization one = 1 File fide21.mlw: Line 4: Constant x initialization (giant-step) execution of unimplemented function with args: result = 0 Normal execution of function `ref` with args: contents = 0 Normal execution of function `ref'mk` with args: contents = 0 x = {contents= 0} Unknown location: _ = () File fide21.mlw: Line 22: _ = () Execution of main function `test` with env: x = {contents= 0} _ = () zero = 0 one = 1 Line 23: Normal execution of function `incr` with args: x = 1 Line 20: Normal execution of function `(+)` with args: _ = 1 _ = 1 Line 22: Execution of main function terminated normally - Abstract RAC: FAILURE (assertion at "bench/check-ce/fide21.mlw", line 24, characters 11-16) File int.mlw: Line 13: Constant zero initialization zero = 0 Line 14: Constant one initialization one = 1 File fide21.mlw: Line 4: Constant x initialization (giant-step) execution of unimplemented function with args: result = 0 Normal execution of function `ref` with args: contents = 0 Normal execution of function `ref'mk` with args: contents = 0 x = {contents= 0} Unknown location: _ = () File fide21.mlw: Line 22: _ = () Execution of main function `test` with env: x = {contents= 0} _ = () zero = 0 one = 1 Line 23: Giant-step execution of function `incr` with args: x = 1 result of `incr` = 3 Line 24: Property failure at assertion with: y = 3 Results: - Selected model 0: SW - Concrete RAC: NORMAL - Abstract RAC: FAILURE (assertion at "bench/check-ce/fide21.mlw", line 24, characters 11-16) File "bench/check-ce/fide21.mlw", line 24, characters 11-16: Sub-goal Assertion of goal test'vc. Prover result is: Step limit exceeded (1.06s). The contracts of some function or loop are too weak, for example during the following execution: File int.mlw: Line 13: Constant zero initialization zero = 0 Line 14: Constant one initialization one = 1 File fide21.mlw: Line 4: Constant x initialization (giant-step) execution of unimplemented function with args: result = 0 Normal execution of function `ref` with args: contents = 0 Normal execution of function `ref'mk` with args: contents = 0 x = {contents= 0} Unknown location: _ = () File fide21.mlw: Line 22: _ = () Execution of main function `test` with env: x = {contents= 0} _ = () zero = 0 one = 1 Line 23: Giant-step execution of function `incr` with args: x = 1 result of `incr` = 3 Line 24: Property failure at assertion with: y = 3 why3-1.6.0/bench/check-ce/oracles/fide21_Z3,4.8.4_WP.oracle000066400000000000000000000306331440160026300224550ustar00rootroot00000000000000File "bench/check-ce/fide21.mlw", line 7, characters 12-17: Sub-goal Postcondition of goal set_x'vc. Prover result is: Valid (0.03s, 131 steps). Check model 0 ("bench/check-ce/fide21.mlw", line 15, characters 11-16) Checking model: File fide21.mlw: Line 7: x = {"type": "Record", "val": {"Field": [{"field": "contents", "value": {"type": "Integer", "val": "4"}}]}} Line 14: x = {"type": "Record", "val": {"Field": [{"field": "contents", "value": {"type": "Integer", "val": "4"}}]}} Line 15: x = {"type": "Record", "val": {"Field": [{"field": "contents", "value": {"type": "Integer", "val": "4"}}]}} Giant-step RAC RHS evaluated for global `zero` at "WHY3DATA/stdlib/int.mlw", line 13, characters 15-19: 0 RHS evaluated for global `one` at "WHY3DATA/stdlib/int.mlw", line 14, characters 15-18: 1 Type default value for return value of call at "bench/check-ce/fide21.mlw", line 4, characters 10-15 at "bench/check-ce/fide21.mlw", line 4, characters 10-15: 0 RHS evaluated for global `x` at "bench/check-ce/fide21.mlw", line 4, characters 8-9: {contents= 0} Type default value for parameter `_` at NO LOC: () Value from model for variable `x` at "bench/check-ce/fide21.mlw", line 14, characters 2-9 at "bench/check-ce/fide21.mlw", line 14, characters 2-9: {contents= 4} Type default value for return value of call to set_x at "bench/check-ce/fide21.mlw", line 14, characters 2-9 at "bench/check-ce/fide21.mlw", line 14, characters 2-9: () Normal RAC RHS evaluated for global `zero` at "WHY3DATA/stdlib/int.mlw", line 13, characters 15-19: 0 RHS evaluated for global `one` at "WHY3DATA/stdlib/int.mlw", line 14, characters 15-18: 1 Type default value for return value of call at "bench/check-ce/fide21.mlw", line 4, characters 10-15 at "bench/check-ce/fide21.mlw", line 4, characters 10-15: 0 RHS evaluated for global `x` at "bench/check-ce/fide21.mlw", line 4, characters 8-9: {contents= 0} Type default value for parameter `_` at NO LOC: () Result of checking model 0: SW - Concrete RAC: NORMAL File int.mlw: Line 13: Constant zero initialization zero = 0 Line 14: Constant one initialization one = 1 File fide21.mlw: Line 4: Constant x initialization (giant-step) execution of unimplemented function with args: result = 0 Normal execution of function `ref` with args: contents = 0 Normal execution of function `ref'mk` with args: contents = 0 x = {contents= 0} Unknown location: _ = () File fide21.mlw: Line 11: _ = () Execution of main function `main` with env: x = {contents= 0} _ = () zero = 0 one = 1 Line 14: Normal execution of function `set_x` with args: n = 2 Line 9: Normal execution of function `(+)` with args: _ = 2 _ = 1 Line 11: Execution of main function terminated normally - Abstract RAC: FAILURE (assertion at "bench/check-ce/fide21.mlw", line 15, characters 11-16) File int.mlw: Line 13: Constant zero initialization zero = 0 Line 14: Constant one initialization one = 1 File fide21.mlw: Line 4: Constant x initialization (giant-step) execution of unimplemented function with args: result = 0 Normal execution of function `ref` with args: contents = 0 Normal execution of function `ref'mk` with args: contents = 0 x = {contents= 0} Unknown location: _ = () File fide21.mlw: Line 11: _ = () Execution of main function `main` with env: x = {contents= 0} _ = () zero = 0 one = 1 Line 14: Giant-step execution of function `set_x` with args: n = 2 x = {contents= 4} result of `set_x` = () Line 15: Property failure at assertion with: x = {contents= 4} Results: - Selected model 0: SW - Concrete RAC: NORMAL - Abstract RAC: FAILURE (assertion at "bench/check-ce/fide21.mlw", line 15, characters 11-16) File "bench/check-ce/fide21.mlw", line 15, characters 11-16: Sub-goal Assertion of goal main'vc. Prover result is: Step limit exceeded (1.06s). The contracts of some function or loop are too weak, for example during the following execution: File int.mlw: Line 13: Constant zero initialization zero = 0 Line 14: Constant one initialization one = 1 File fide21.mlw: Line 4: Constant x initialization (giant-step) execution of unimplemented function with args: result = 0 Normal execution of function `ref` with args: contents = 0 Normal execution of function `ref'mk` with args: contents = 0 x = {contents= 0} Unknown location: _ = () File fide21.mlw: Line 11: _ = () Execution of main function `main` with env: x = {contents= 0} _ = () zero = 0 one = 1 Line 14: Giant-step execution of function `set_x` with args: n = 2 x = {contents= 4} result of `set_x` = () Line 15: Property failure at assertion with: x = {contents= 4} File "bench/check-ce/fide21.mlw", line 19, characters 12-22: Sub-goal Postcondition of goal incr'vc. Prover result is: Valid (0.00s, 42 steps). Check model 0 ("bench/check-ce/fide21.mlw", line 24, characters 11-16) Checking model: File fide21.mlw: Line 19: y = {"type": "Integer", "val": "3"} Line 23: result = {"type": "Integer", "val": "3"} y = {"type": "Integer", "val": "3"} Line 24: y = {"type": "Integer", "val": "3"} Giant-step RAC RHS evaluated for global `zero` at "WHY3DATA/stdlib/int.mlw", line 13, characters 15-19: 0 RHS evaluated for global `one` at "WHY3DATA/stdlib/int.mlw", line 14, characters 15-18: 1 Type default value for return value of call at "bench/check-ce/fide21.mlw", line 4, characters 10-15 at "bench/check-ce/fide21.mlw", line 4, characters 10-15: 0 RHS evaluated for global `x` at "bench/check-ce/fide21.mlw", line 4, characters 8-9: {contents= 0} Type default value for parameter `_` at NO LOC: () Value from model for return value of call to incr at "bench/check-ce/fide21.mlw", line 23, characters 10-16 at "bench/check-ce/fide21.mlw", line 23, characters 10-16: 3 Normal RAC RHS evaluated for global `zero` at "WHY3DATA/stdlib/int.mlw", line 13, characters 15-19: 0 RHS evaluated for global `one` at "WHY3DATA/stdlib/int.mlw", line 14, characters 15-18: 1 Type default value for return value of call at "bench/check-ce/fide21.mlw", line 4, characters 10-15 at "bench/check-ce/fide21.mlw", line 4, characters 10-15: 0 RHS evaluated for global `x` at "bench/check-ce/fide21.mlw", line 4, characters 8-9: {contents= 0} Type default value for parameter `_` at NO LOC: () Result of checking model 0: SW - Concrete RAC: NORMAL File int.mlw: Line 13: Constant zero initialization zero = 0 Line 14: Constant one initialization one = 1 File fide21.mlw: Line 4: Constant x initialization (giant-step) execution of unimplemented function with args: result = 0 Normal execution of function `ref` with args: contents = 0 Normal execution of function `ref'mk` with args: contents = 0 x = {contents= 0} Unknown location: _ = () File fide21.mlw: Line 22: _ = () Execution of main function `test` with env: x = {contents= 0} _ = () zero = 0 one = 1 Line 23: Normal execution of function `incr` with args: x = 1 Line 20: Normal execution of function `(+)` with args: _ = 1 _ = 1 Line 22: Execution of main function terminated normally - Abstract RAC: FAILURE (assertion at "bench/check-ce/fide21.mlw", line 24, characters 11-16) File int.mlw: Line 13: Constant zero initialization zero = 0 Line 14: Constant one initialization one = 1 File fide21.mlw: Line 4: Constant x initialization (giant-step) execution of unimplemented function with args: result = 0 Normal execution of function `ref` with args: contents = 0 Normal execution of function `ref'mk` with args: contents = 0 x = {contents= 0} Unknown location: _ = () File fide21.mlw: Line 22: _ = () Execution of main function `test` with env: x = {contents= 0} _ = () zero = 0 one = 1 Line 23: Giant-step execution of function `incr` with args: x = 1 result of `incr` = 3 Line 24: Property failure at assertion with: y = 3 Results: - Selected model 0: SW - Concrete RAC: NORMAL - Abstract RAC: FAILURE (assertion at "bench/check-ce/fide21.mlw", line 24, characters 11-16) File "bench/check-ce/fide21.mlw", line 24, characters 11-16: Sub-goal Assertion of goal test'vc. Prover result is: Step limit exceeded (1.05s). The contracts of some function or loop are too weak, for example during the following execution: File int.mlw: Line 13: Constant zero initialization zero = 0 Line 14: Constant one initialization one = 1 File fide21.mlw: Line 4: Constant x initialization (giant-step) execution of unimplemented function with args: result = 0 Normal execution of function `ref` with args: contents = 0 Normal execution of function `ref'mk` with args: contents = 0 x = {contents= 0} Unknown location: _ = () File fide21.mlw: Line 22: _ = () Execution of main function `test` with env: x = {contents= 0} _ = () zero = 0 one = 1 Line 23: Giant-step execution of function `incr` with args: x = 1 result of `incr` = 3 Line 24: Property failure at assertion with: y = 3 why3-1.6.0/bench/check-ce/oracles/floats_CVC4,1.8_SP.oracle000066400000000000000000001143621440160026300227270ustar00rootroot00000000000000Categorizations of models: - Selected model 0: NC - Concrete RAC: FAILURE (postcondition at "bench/check-ce/floats.mlw", line 5, characters 40-52) - Abstract RAC: FAILURE (postcondition at "bench/check-ce/floats.mlw", line 5, characters 40-52) - Checked model 1: NC - Concrete RAC: FAILURE (postcondition at "bench/check-ce/floats.mlw", line 5, characters 40-52) - Abstract RAC: FAILURE (postcondition at "bench/check-ce/floats.mlw", line 5, characters 40-52) File "bench/check-ce/floats.mlw", line 5, characters 40-52: Goal g1. Prover result is: Unknown or time/memory/step limit. The program does not comply to the verification goal, for example during the following execution: File int.mlw: Line 13: Constant zero initialization zero = 0 Line 14: Constant one initialization one = 1 File ieee_float.mlw: Line 861: Constant zeroF initialization Line 63: (giant-step) execution of unimplemented function with args: result = UNDEFINED Line 861: zeroF = UNDEFINED Line 223: max_real = 0.0 Line 224: max_int = 0 File floats.mlw: Line 5: x = (0x1.000002p0:t) x = (0x1.000002p0:t) Execution of main function `g1'goal` with env: max_real = 0.0 max_int = 0 x = (0x1.000002p0:t) zero = 0 one = 1 zeroF = UNDEFINED Unknown location: Normal execution of function `Tuple0` with args: File floats.mlw: Line 5: Property failure at postcondition of `g1'goal` with: x = (0x1.000002p0:t) Categorizations of models: - Selected model 0: NC - Concrete RAC: FAILURE (postcondition at "bench/check-ce/floats.mlw", line 7, characters 40-53) - Abstract RAC: FAILURE (postcondition at "bench/check-ce/floats.mlw", line 7, characters 40-53) - Checked model 1: NC - Concrete RAC: FAILURE (postcondition at "bench/check-ce/floats.mlw", line 7, characters 40-53) - Abstract RAC: FAILURE (postcondition at "bench/check-ce/floats.mlw", line 7, characters 40-53) File "bench/check-ce/floats.mlw", line 7, characters 40-53: Goal g2. Prover result is: Unknown or time/memory/step limit. The program does not comply to the verification goal, for example during the following execution: File int.mlw: Line 13: Constant zero initialization zero = 0 Line 14: Constant one initialization one = 1 File ieee_float.mlw: Line 861: Constant zeroF initialization Line 63: (giant-step) execution of unimplemented function with args: result = UNDEFINED Line 861: zeroF = UNDEFINED Line 223: max_real = 0.0 Line 224: max_int = 0 File floats.mlw: Line 7: x = (0x1.000002p0:t) x = (0x1.000002p0:t) Execution of main function `g2'goal` with env: max_real = 0.0 max_int = 0 x = (0x1.000002p0:t) zero = 0 one = 1 zeroF = UNDEFINED Unknown location: Normal execution of function `Tuple0` with args: File floats.mlw: Line 7: Property failure at postcondition of `g2'goal` with: x = (0x1.000002p0:t) Categorizations of models: - Selected model 0: NC - Concrete RAC: FAILURE (postcondition at "bench/check-ce/floats.mlw", line 9, characters 24-42) - Abstract RAC: FAILURE (postcondition at "bench/check-ce/floats.mlw", line 9, characters 24-42) - Checked model 1: NC - Concrete RAC: FAILURE (postcondition at "bench/check-ce/floats.mlw", line 9, characters 24-42) - Abstract RAC: FAILURE (postcondition at "bench/check-ce/floats.mlw", line 9, characters 24-42) File "bench/check-ce/floats.mlw", line 9, characters 24-42: Goal g3. Prover result is: Unknown or time/memory/step limit. The program does not comply to the verification goal, for example during the following execution: File int.mlw: Line 13: Constant zero initialization zero = 0 Line 14: Constant one initialization one = 1 File ieee_float.mlw: Line 861: Constant zeroF initialization Line 63: (giant-step) execution of unimplemented function with args: result = UNDEFINED Line 861: zeroF = UNDEFINED Line 223: max_real = 0.0 Line 224: max_int = 0 File floats.mlw: Line 9: x = (0.0:t) x = (0.0:t) Execution of main function `g3'goal` with env: max_real = 0.0 max_int = 0 x = (0.0:t) zero = 0 one = 1 zeroF = UNDEFINED Unknown location: Normal execution of function `Tuple0` with args: File floats.mlw: Line 9: Property failure at postcondition of `g3'goal` with: x = (0.0:t) Categorizations of models: - Selected model 0: NC - Concrete RAC: FAILURE (postcondition at "bench/check-ce/floats.mlw", line 11, characters 24-43) - Abstract RAC: FAILURE (postcondition at "bench/check-ce/floats.mlw", line 11, characters 24-43) - Checked model 1: NC - Concrete RAC: FAILURE (postcondition at "bench/check-ce/floats.mlw", line 11, characters 24-43) - Abstract RAC: FAILURE (postcondition at "bench/check-ce/floats.mlw", line 11, characters 24-43) File "bench/check-ce/floats.mlw", line 11, characters 24-43: Goal g4. Prover result is: Unknown or time/memory/step limit. The program does not comply to the verification goal, for example during the following execution: File int.mlw: Line 13: Constant zero initialization zero = 0 Line 14: Constant one initialization one = 1 File ieee_float.mlw: Line 861: Constant zeroF initialization Line 63: (giant-step) execution of unimplemented function with args: result = UNDEFINED Line 861: zeroF = UNDEFINED Line 223: max_real = 0.0 Line 224: max_int = 0 File floats.mlw: Line 11: x = (0x1.4p0:t) x = (0x1.4p0:t) Execution of main function `g4'goal` with env: max_real = 0.0 max_int = 0 x = (0x1.4p0:t) zero = 0 one = 1 zeroF = UNDEFINED Unknown location: Normal execution of function `Tuple0` with args: File floats.mlw: Line 11: Property failure at postcondition of `g4'goal` with: x = (0x1.4p0:t) Categorizations of models: - Selected model 0: NC - Concrete RAC: FAILURE (postcondition at "bench/check-ce/floats.mlw", line 13, characters 24-43) - Abstract RAC: FAILURE (postcondition at "bench/check-ce/floats.mlw", line 13, characters 24-43) - Checked model 1: NC - Concrete RAC: FAILURE (postcondition at "bench/check-ce/floats.mlw", line 13, characters 24-43) - Abstract RAC: FAILURE (postcondition at "bench/check-ce/floats.mlw", line 13, characters 24-43) File "bench/check-ce/floats.mlw", line 13, characters 24-43: Goal g5. Prover result is: Unknown or time/memory/step limit. The program does not comply to the verification goal, for example during the following execution: File int.mlw: Line 13: Constant zero initialization zero = 0 Line 14: Constant one initialization one = 1 File ieee_float.mlw: Line 861: Constant zeroF initialization Line 63: (giant-step) execution of unimplemented function with args: result = UNDEFINED Line 861: zeroF = UNDEFINED Line 223: max_real = 0.0 Line 224: max_int = 0 File floats.mlw: Line 13: x = (0x1.04p32:t) x = (0x1.04p32:t) Execution of main function `g5'goal` with env: max_real = 0.0 max_int = 0 x = (0x1.04p32:t) zero = 0 one = 1 zeroF = UNDEFINED Unknown location: Normal execution of function `Tuple0` with args: File floats.mlw: Line 13: Property failure at postcondition of `g5'goal` with: x = (0x1.04p32:t) Categorizations of models: - Selected model 0: NC - Concrete RAC: FAILURE (postcondition at "bench/check-ce/floats.mlw", line 15, characters 24-30) - Abstract RAC: FAILURE (postcondition at "bench/check-ce/floats.mlw", line 15, characters 24-30) - Checked model 1: NC - Concrete RAC: FAILURE (postcondition at "bench/check-ce/floats.mlw", line 15, characters 24-30) - Abstract RAC: FAILURE (postcondition at "bench/check-ce/floats.mlw", line 15, characters 24-30) File "bench/check-ce/floats.mlw", line 15, characters 24-30: Goal g6. Prover result is: Unknown or time/memory/step limit. The program does not comply to the verification goal, for example during the following execution: File int.mlw: Line 13: Constant zero initialization zero = 0 Line 14: Constant one initialization one = 1 File ieee_float.mlw: Line 861: Constant zeroF initialization Line 63: (giant-step) execution of unimplemented function with args: result = UNDEFINED Line 861: zeroF = UNDEFINED Line 223: max_real = 0.0 Line 224: max_int = 0 File floats.mlw: Line 15: x = epsilon x:t. is_nan x x = epsilon x:t. is_nan x Execution of main function `g6'goal` with env: max_real = 0.0 max_int = 0 x = epsilon x:t. is_nan x zero = 0 one = 1 zeroF = UNDEFINED Unknown location: Normal execution of function `Tuple0` with args: File floats.mlw: Line 15: Property failure at postcondition of `g6'goal` with: x = epsilon x:t. is_nan x Categorizations of models: - Selected model 0: NC - Concrete RAC: FAILURE (postcondition at "bench/check-ce/floats.mlw", line 17, characters 40-64) - Abstract RAC: FAILURE (postcondition at "bench/check-ce/floats.mlw", line 17, characters 40-64) - Checked model 1: NC - Concrete RAC: FAILURE (postcondition at "bench/check-ce/floats.mlw", line 17, characters 40-64) - Abstract RAC: FAILURE (postcondition at "bench/check-ce/floats.mlw", line 17, characters 40-64) File "bench/check-ce/floats.mlw", line 17, characters 40-64: Goal g7. Prover result is: Unknown or time/memory/step limit. The program does not comply to the verification goal, for example during the following execution: File int.mlw: Line 13: Constant zero initialization zero = 0 Line 14: Constant one initialization one = 1 File ieee_float.mlw: Line 861: Constant zeroF initialization Line 63: (giant-step) execution of unimplemented function with args: result = UNDEFINED Line 861: zeroF = UNDEFINED Line 223: max_real = 0.0 Line 224: max_int = 0 File floats.mlw: Line 17: x = (0x1.8008p27:t) x = (0x1.8008p27:t) Execution of main function `g7'goal` with env: max_real = 0.0 max_int = 0 x = (0x1.8008p27:t) zero = 0 one = 1 zeroF = UNDEFINED Unknown location: Normal execution of function `Tuple0` with args: File floats.mlw: Line 17: Property failure at postcondition of `g7'goal` with: RNE = UNDEFINED x = (0x1.8008p27:t) Categorizations of models: - Checked model 0: INCOMPLETE - Concrete RAC: INCOMPLETE (terminated because Postcondition of `g8'goal` cannot be evaluated) - Abstract RAC: INCOMPLETE (terminated because Postcondition of `g8'goal` cannot be evaluated) - Selected model 1: INCOMPLETE - Concrete RAC: INCOMPLETE (terminated because Postcondition of `g8'goal1` cannot be evaluated) - Abstract RAC: INCOMPLETE (terminated because Postcondition of `g8'goal1` cannot be evaluated) File "bench/check-ce/floats.mlw", line 19, characters 24-60: Goal g8. Prover result is: Unknown or time/memory/step limit. The following counterexample model could not be verified (both RAC terminated because Postcondition of `g8'goal1` cannot be evaluated): File ieee_float.mlw: Line 223: max_real : real = 0.0 Line 224: max_int : int = 0 File real.mlw: Line 203: sqrt : real -> real = [|_ => 0.0|] File floats.mlw: Line 19: x : t = ∞ Categorizations of models: - Selected model 0: NC - Concrete RAC: FAILURE (postcondition at "bench/check-ce/floats.mlw", line 21, characters 40-70) - Abstract RAC: FAILURE (postcondition at "bench/check-ce/floats.mlw", line 21, characters 40-70) - Checked model 1: NC - Concrete RAC: FAILURE (postcondition at "bench/check-ce/floats.mlw", line 21, characters 40-70) - Abstract RAC: FAILURE (postcondition at "bench/check-ce/floats.mlw", line 21, characters 40-70) File "bench/check-ce/floats.mlw", line 21, characters 40-70: Goal g9. Prover result is: Unknown or time/memory/step limit. The program does not comply to the verification goal, for example during the following execution: File int.mlw: Line 13: Constant zero initialization zero = 0 Line 14: Constant one initialization one = 1 File ieee_float.mlw: Line 861: Constant zeroF initialization Line 63: (giant-step) execution of unimplemented function with args: result = UNDEFINED Line 861: zeroF = UNDEFINED Line 223: max_real = 0.0 Line 224: max_int = 0 File floats.mlw: Line 21: x = (0x0.000002p-126:t) x = (0x0.000002p-126:t) Execution of main function `g9'goal` with env: max_real = 0.0 max_int = 0 x = (0x0.000002p-126:t) zero = 0 one = 1 zeroF = UNDEFINED Unknown location: Normal execution of function `Tuple0` with args: File floats.mlw: Line 21: Property failure at postcondition of `g9'goal` with: RNE = UNDEFINED x = (0x0.000002p-126:t) Categorizations of models: - Selected model 0: NC - Concrete RAC: FAILURE (postcondition at "bench/check-ce/floats.mlw", line 24, characters 24-98) - Abstract RAC: FAILURE (postcondition at "bench/check-ce/floats.mlw", line 24, characters 24-98) - Checked model 1: NC - Concrete RAC: FAILURE (postcondition at "bench/check-ce/floats.mlw", line 24, characters 24-98) - Abstract RAC: FAILURE (postcondition at "bench/check-ce/floats.mlw", line 24, characters 24-98) File "bench/check-ce/floats.mlw", line 24, characters 24-98: Goal g10. Prover result is: Unknown or time/memory/step limit. The program does not comply to the verification goal, for example during the following execution: File int.mlw: Line 13: Constant zero initialization zero = 0 Line 14: Constant one initialization one = 1 File ieee_float.mlw: Line 861: Constant zeroF initialization Line 63: (giant-step) execution of unimplemented function with args: result = UNDEFINED Line 861: zeroF = UNDEFINED Line 223: max_real = 0.0 Line 224: max_int = 0 File floats.mlw: Line 24: x = (0x1.99999Cp-4:t) x = (0x1.99999Cp-4:t) Execution of main function `g10'goal` with env: max_real = 0.0 max_int = 0 x = (0x1.99999Cp-4:t) zero = 0 one = 1 zeroF = UNDEFINED Unknown location: Normal execution of function `Tuple0` with args: File floats.mlw: Line 24: Property failure at postcondition of `g10'goal` with: RNE = UNDEFINED RTZ = UNDEFINED x = (0x1.99999Cp-4:t) Categorizations of models: - Selected model 0: NC - Concrete RAC: FAILURE (postcondition at "bench/check-ce/floats.mlw", line 26, characters 24-47) - Abstract RAC: FAILURE (postcondition at "bench/check-ce/floats.mlw", line 26, characters 24-47) - Checked model 1: NC - Concrete RAC: FAILURE (postcondition at "bench/check-ce/floats.mlw", line 26, characters 24-47) - Abstract RAC: FAILURE (postcondition at "bench/check-ce/floats.mlw", line 26, characters 24-47) File "bench/check-ce/floats.mlw", line 26, characters 24-47: Goal g11. Prover result is: Unknown or time/memory/step limit. The program does not comply to the verification goal, for example during the following execution: File int.mlw: Line 13: Constant zero initialization zero = 0 Line 14: Constant one initialization one = 1 File ieee_float.mlw: Line 861: Constant zeroF initialization Line 63: (giant-step) execution of unimplemented function with args: result = UNDEFINED Line 861: zeroF = UNDEFINED Line 223: max_real = 0.0 Line 224: max_int = 0 File floats.mlw: Line 26: x = (0x1.0p-126:t) x = (0x1.0p-126:t) Execution of main function `g11'goal` with env: max_real = 0.0 max_int = 0 x = (0x1.0p-126:t) zero = 0 one = 1 zeroF = UNDEFINED Unknown location: Normal execution of function `Tuple0` with args: File floats.mlw: Line 26: Property failure at postcondition of `g11'goal` with: x = (0x1.0p-126:t) Categorizations of models: - Selected model 0: NC - Concrete RAC: FAILURE (postcondition at "bench/check-ce/floats.mlw", line 29, characters 24-54) - Abstract RAC: FAILURE (postcondition at "bench/check-ce/floats.mlw", line 29, characters 24-54) - Checked model 1: NC - Concrete RAC: FAILURE (postcondition at "bench/check-ce/floats.mlw", line 29, characters 24-54) - Abstract RAC: FAILURE (postcondition at "bench/check-ce/floats.mlw", line 29, characters 24-54) File "bench/check-ce/floats.mlw", line 29, characters 24-54: Goal g12. Prover result is: Unknown or time/memory/step limit. The program does not comply to the verification goal, for example during the following execution: File int.mlw: Line 13: Constant zero initialization zero = 0 Line 14: Constant one initialization one = 1 File ieee_float.mlw: Line 861: Constant zeroF initialization Line 63: (giant-step) execution of unimplemented function with args: result = UNDEFINED Line 861: zeroF = UNDEFINED Line 223: max_real = 0.0 Line 224: max_int = 0 File floats.mlw: Line 29: x = (0x0.FFFFFEp-126:t) x = (0x0.FFFFFEp-126:t) Execution of main function `g12'goal` with env: max_real = 0.0 max_int = 0 x = (0x0.FFFFFEp-126:t) zero = 0 one = 1 zeroF = UNDEFINED Unknown location: Normal execution of function `Tuple0` with args: File floats.mlw: Line 29: Property failure at postcondition of `g12'goal` with: x = (0x0.FFFFFEp-126:t) Categorizations of models: - Selected model 0: NC - Concrete RAC: FAILURE (postcondition at "bench/check-ce/floats.mlw", line 32, characters 24-47) - Abstract RAC: FAILURE (postcondition at "bench/check-ce/floats.mlw", line 32, characters 24-47) - Checked model 1: NC - Concrete RAC: FAILURE (postcondition at "bench/check-ce/floats.mlw", line 32, characters 24-47) - Abstract RAC: FAILURE (postcondition at "bench/check-ce/floats.mlw", line 32, characters 24-47) File "bench/check-ce/floats.mlw", line 32, characters 24-47: Goal g13. Prover result is: Unknown or time/memory/step limit. The program does not comply to the verification goal, for example during the following execution: File int.mlw: Line 13: Constant zero initialization zero = 0 Line 14: Constant one initialization one = 1 File ieee_float.mlw: Line 861: Constant zeroF initialization Line 63: (giant-step) execution of unimplemented function with args: result = UNDEFINED Line 861: zeroF = UNDEFINED Line 223: max_real = 0.0 Line 224: max_int = 0 File floats.mlw: Line 32: x = (0x0.8p-126:t) x = (0x0.8p-126:t) Execution of main function `g13'goal` with env: max_real = 0.0 max_int = 0 x = (0x0.8p-126:t) zero = 0 one = 1 zeroF = UNDEFINED Unknown location: Normal execution of function `Tuple0` with args: File floats.mlw: Line 32: Property failure at postcondition of `g13'goal` with: x = (0x0.8p-126:t) Categorizations of models: - Selected model 0: NC - Concrete RAC: FAILURE (postcondition at "bench/check-ce/floats.mlw", line 41, characters 40-52) - Abstract RAC: FAILURE (postcondition at "bench/check-ce/floats.mlw", line 41, characters 40-52) - Checked model 1: NC - Concrete RAC: FAILURE (postcondition at "bench/check-ce/floats.mlw", line 41, characters 40-52) - Abstract RAC: FAILURE (postcondition at "bench/check-ce/floats.mlw", line 41, characters 40-52) File "bench/check-ce/floats.mlw", line 41, characters 40-52: Goal g1. Prover result is: Unknown or time/memory/step limit. The program does not comply to the verification goal, for example during the following execution: File int.mlw: Line 13: Constant zero initialization zero = 0 Line 14: Constant one initialization one = 1 File ieee_float.mlw: Line 902: Constant zeroF initialization Line 63: (giant-step) execution of unimplemented function with args: result = UNDEFINED Line 902: zeroF = UNDEFINED Line 223: max_real = 0.0 Line 224: max_int = 0 File floats.mlw: Line 41: x = (0x1.0000000000001p0:t1) x = (0x1.0000000000001p0:t1) Execution of main function `g1'goal` with env: max_real = 0.0 max_int = 0 x = (0x1.0000000000001p0:t1) zero = 0 one = 1 zeroF = UNDEFINED Unknown location: Normal execution of function `Tuple0` with args: File floats.mlw: Line 41: Property failure at postcondition of `g1'goal2` with: x = (0x1.0000000000001p0:t1) Categorizations of models: - Selected model 0: NC - Concrete RAC: FAILURE (postcondition at "bench/check-ce/floats.mlw", line 43, characters 40-53) - Abstract RAC: FAILURE (postcondition at "bench/check-ce/floats.mlw", line 43, characters 40-53) - Checked model 1: NC - Concrete RAC: FAILURE (postcondition at "bench/check-ce/floats.mlw", line 43, characters 40-53) - Abstract RAC: FAILURE (postcondition at "bench/check-ce/floats.mlw", line 43, characters 40-53) File "bench/check-ce/floats.mlw", line 43, characters 40-53: Goal g2. Prover result is: Unknown or time/memory/step limit. The program does not comply to the verification goal, for example during the following execution: File int.mlw: Line 13: Constant zero initialization zero = 0 Line 14: Constant one initialization one = 1 File ieee_float.mlw: Line 902: Constant zeroF initialization Line 63: (giant-step) execution of unimplemented function with args: result = UNDEFINED Line 902: zeroF = UNDEFINED Line 223: max_real = 0.0 Line 224: max_int = 0 File floats.mlw: Line 43: x = (0x1.0000000000001p0:t1) x = (0x1.0000000000001p0:t1) Execution of main function `g2'goal` with env: max_real = 0.0 max_int = 0 x = (0x1.0000000000001p0:t1) zero = 0 one = 1 zeroF = UNDEFINED Unknown location: Normal execution of function `Tuple0` with args: File floats.mlw: Line 43: Property failure at postcondition of `g2'goal2` with: x = (0x1.0000000000001p0:t1) Categorizations of models: - Selected model 0: NC - Concrete RAC: FAILURE (postcondition at "bench/check-ce/floats.mlw", line 45, characters 24-42) - Abstract RAC: FAILURE (postcondition at "bench/check-ce/floats.mlw", line 45, characters 24-42) - Checked model 1: NC - Concrete RAC: FAILURE (postcondition at "bench/check-ce/floats.mlw", line 45, characters 24-42) - Abstract RAC: FAILURE (postcondition at "bench/check-ce/floats.mlw", line 45, characters 24-42) File "bench/check-ce/floats.mlw", line 45, characters 24-42: Goal g3. Prover result is: Unknown or time/memory/step limit. The program does not comply to the verification goal, for example during the following execution: File int.mlw: Line 13: Constant zero initialization zero = 0 Line 14: Constant one initialization one = 1 File ieee_float.mlw: Line 902: Constant zeroF initialization Line 63: (giant-step) execution of unimplemented function with args: result = UNDEFINED Line 902: zeroF = UNDEFINED Line 223: max_real = 0.0 Line 224: max_int = 0 File floats.mlw: Line 45: x = (0.0:t1) x = (0.0:t1) Execution of main function `g3'goal` with env: max_real = 0.0 max_int = 0 x = (0.0:t1) zero = 0 one = 1 zeroF = UNDEFINED Unknown location: Normal execution of function `Tuple0` with args: File floats.mlw: Line 45: Property failure at postcondition of `g3'goal2` with: x = (0.0:t1) Categorizations of models: - Selected model 0: NC - Concrete RAC: FAILURE (postcondition at "bench/check-ce/floats.mlw", line 47, characters 24-43) - Abstract RAC: FAILURE (postcondition at "bench/check-ce/floats.mlw", line 47, characters 24-43) - Checked model 1: NC - Concrete RAC: FAILURE (postcondition at "bench/check-ce/floats.mlw", line 47, characters 24-43) - Abstract RAC: FAILURE (postcondition at "bench/check-ce/floats.mlw", line 47, characters 24-43) File "bench/check-ce/floats.mlw", line 47, characters 24-43: Goal g4. Prover result is: Unknown or time/memory/step limit. The program does not comply to the verification goal, for example during the following execution: File int.mlw: Line 13: Constant zero initialization zero = 0 Line 14: Constant one initialization one = 1 File ieee_float.mlw: Line 902: Constant zeroF initialization Line 63: (giant-step) execution of unimplemented function with args: result = UNDEFINED Line 902: zeroF = UNDEFINED Line 223: max_real = 0.0 Line 224: max_int = 0 File floats.mlw: Line 47: x = (0x1.4p0:t1) x = (0x1.4p0:t1) Execution of main function `g4'goal` with env: max_real = 0.0 max_int = 0 x = (0x1.4p0:t1) zero = 0 one = 1 zeroF = UNDEFINED Unknown location: Normal execution of function `Tuple0` with args: File floats.mlw: Line 47: Property failure at postcondition of `g4'goal2` with: x = (0x1.4p0:t1) Categorizations of models: - Selected model 0: NC - Concrete RAC: FAILURE (postcondition at "bench/check-ce/floats.mlw", line 49, characters 24-43) - Abstract RAC: FAILURE (postcondition at "bench/check-ce/floats.mlw", line 49, characters 24-43) - Checked model 1: NC - Concrete RAC: FAILURE (postcondition at "bench/check-ce/floats.mlw", line 49, characters 24-43) - Abstract RAC: FAILURE (postcondition at "bench/check-ce/floats.mlw", line 49, characters 24-43) File "bench/check-ce/floats.mlw", line 49, characters 24-43: Goal g5. Prover result is: Unknown or time/memory/step limit. The program does not comply to the verification goal, for example during the following execution: File int.mlw: Line 13: Constant zero initialization zero = 0 Line 14: Constant one initialization one = 1 File ieee_float.mlw: Line 902: Constant zeroF initialization Line 63: (giant-step) execution of unimplemented function with args: result = UNDEFINED Line 902: zeroF = UNDEFINED Line 223: max_real = 0.0 Line 224: max_int = 0 File floats.mlw: Line 49: x = (0x1.0p64:t1) x = (0x1.0p64:t1) Execution of main function `g5'goal` with env: max_real = 0.0 max_int = 0 x = (0x1.0p64:t1) zero = 0 one = 1 zeroF = UNDEFINED Unknown location: Normal execution of function `Tuple0` with args: File floats.mlw: Line 49: Property failure at postcondition of `g5'goal2` with: x = (0x1.0p64:t1) Categorizations of models: - Selected model 0: NC - Concrete RAC: FAILURE (postcondition at "bench/check-ce/floats.mlw", line 51, characters 24-30) - Abstract RAC: FAILURE (postcondition at "bench/check-ce/floats.mlw", line 51, characters 24-30) - Checked model 1: NC - Concrete RAC: FAILURE (postcondition at "bench/check-ce/floats.mlw", line 51, characters 24-30) - Abstract RAC: FAILURE (postcondition at "bench/check-ce/floats.mlw", line 51, characters 24-30) File "bench/check-ce/floats.mlw", line 51, characters 24-30: Goal g6. Prover result is: Unknown or time/memory/step limit. The program does not comply to the verification goal, for example during the following execution: File int.mlw: Line 13: Constant zero initialization zero = 0 Line 14: Constant one initialization one = 1 File ieee_float.mlw: Line 902: Constant zeroF initialization Line 63: (giant-step) execution of unimplemented function with args: result = UNDEFINED Line 902: zeroF = UNDEFINED Line 223: max_real = 0.0 Line 224: max_int = 0 File floats.mlw: Line 51: x = epsilon x:t1. is_nan1 x x = epsilon x:t1. is_nan1 x Execution of main function `g6'goal` with env: max_real = 0.0 max_int = 0 x = epsilon x:t1. is_nan1 x zero = 0 one = 1 zeroF = UNDEFINED Unknown location: Normal execution of function `Tuple0` with args: File floats.mlw: Line 51: Property failure at postcondition of `g6'goal2` with: x = epsilon x:t1. is_nan1 x Categorizations of models: - Selected model 0: NC - Concrete RAC: FAILURE (postcondition at "bench/check-ce/floats.mlw", line 53, characters 40-64) - Abstract RAC: FAILURE (postcondition at "bench/check-ce/floats.mlw", line 53, characters 40-64) - Checked model 1: NC - Concrete RAC: FAILURE (postcondition at "bench/check-ce/floats.mlw", line 53, characters 40-64) - Abstract RAC: FAILURE (postcondition at "bench/check-ce/floats.mlw", line 53, characters 40-64) File "bench/check-ce/floats.mlw", line 53, characters 40-64: Goal g7. Prover result is: Unknown or time/memory/step limit. The program does not comply to the verification goal, for example during the following execution: File int.mlw: Line 13: Constant zero initialization zero = 0 Line 14: Constant one initialization one = 1 File ieee_float.mlw: Line 902: Constant zeroF initialization Line 63: (giant-step) execution of unimplemented function with args: result = UNDEFINED Line 902: zeroF = UNDEFINED Line 223: max_real = 0.0 Line 224: max_int = 0 File floats.mlw: Line 53: x = (0x1.AD43755C4BE7Ep53:t1) x = (0x1.AD43755C4BE7Ep53:t1) Execution of main function `g7'goal` with env: max_real = 0.0 max_int = 0 x = (0x1.AD43755C4BE7Ep53:t1) zero = 0 one = 1 zeroF = UNDEFINED Unknown location: Normal execution of function `Tuple0` with args: File floats.mlw: Line 53: Property failure at postcondition of `g7'goal2` with: RNE = UNDEFINED x = (0x1.AD43755C4BE7Ep53:t1) Categorizations of models: - Checked model 0: INCOMPLETE - Concrete RAC: INCOMPLETE (terminated because Postcondition of `g8'goal2` cannot be evaluated) - Abstract RAC: INCOMPLETE (terminated because Postcondition of `g8'goal2` cannot be evaluated) - Selected model 1: INCOMPLETE - Concrete RAC: INCOMPLETE (terminated because Postcondition of `g8'goal3` cannot be evaluated) - Abstract RAC: INCOMPLETE (terminated because Postcondition of `g8'goal3` cannot be evaluated) File "bench/check-ce/floats.mlw", line 55, characters 24-60: Goal g8. Prover result is: Unknown or time/memory/step limit. The following counterexample model could not be verified (both RAC terminated because Postcondition of `g8'goal3` cannot be evaluated): File ieee_float.mlw: Line 223: max_real : real = 0.0 Line 224: max_int : int = 0 File real.mlw: Line 203: sqrt : real -> real = [|_ => 0.0|] File floats.mlw: Line 55: x : t1 = ∞ Categorizations of models: - Selected model 0: NC - Concrete RAC: FAILURE (postcondition at "bench/check-ce/floats.mlw", line 57, characters 40-70) - Abstract RAC: FAILURE (postcondition at "bench/check-ce/floats.mlw", line 57, characters 40-70) - Checked model 1: NC - Concrete RAC: FAILURE (postcondition at "bench/check-ce/floats.mlw", line 57, characters 40-70) - Abstract RAC: FAILURE (postcondition at "bench/check-ce/floats.mlw", line 57, characters 40-70) File "bench/check-ce/floats.mlw", line 57, characters 40-70: Goal g9. Prover result is: Unknown or time/memory/step limit. The program does not comply to the verification goal, for example during the following execution: File int.mlw: Line 13: Constant zero initialization zero = 0 Line 14: Constant one initialization one = 1 File ieee_float.mlw: Line 902: Constant zeroF initialization Line 63: (giant-step) execution of unimplemented function with args: result = UNDEFINED Line 902: zeroF = UNDEFINED Line 223: max_real = 0.0 Line 224: max_int = 0 File floats.mlw: Line 57: x = (0x0.0000000000001p-1022:t1) x = (0x0.0000000000001p-1022:t1) Execution of main function `g9'goal` with env: max_real = 0.0 max_int = 0 x = (0x0.0000000000001p-1022:t1) zero = 0 one = 1 zeroF = UNDEFINED Unknown location: Normal execution of function `Tuple0` with args: File floats.mlw: Line 57: Property failure at postcondition of `g9'goal2` with: RNE = UNDEFINED x = (0x0.0000000000001p-1022:t1) Categorizations of models: - Selected model 0: NC - Concrete RAC: FAILURE (postcondition at "bench/check-ce/floats.mlw", line 60, characters 24-98) - Abstract RAC: FAILURE (postcondition at "bench/check-ce/floats.mlw", line 60, characters 24-98) - Checked model 1: NC - Concrete RAC: FAILURE (postcondition at "bench/check-ce/floats.mlw", line 60, characters 24-98) - Abstract RAC: FAILURE (postcondition at "bench/check-ce/floats.mlw", line 60, characters 24-98) File "bench/check-ce/floats.mlw", line 60, characters 24-98: Goal g10. Prover result is: Unknown or time/memory/step limit. The program does not comply to the verification goal, for example during the following execution: File int.mlw: Line 13: Constant zero initialization zero = 0 Line 14: Constant one initialization one = 1 File ieee_float.mlw: Line 902: Constant zeroF initialization Line 63: (giant-step) execution of unimplemented function with args: result = UNDEFINED Line 902: zeroF = UNDEFINED Line 223: max_real = 0.0 Line 224: max_int = 0 File floats.mlw: Line 60: x = (0x1.999999999999Bp-4:t1) x = (0x1.999999999999Bp-4:t1) Execution of main function `g10'goal` with env: max_real = 0.0 max_int = 0 x = (0x1.999999999999Bp-4:t1) zero = 0 one = 1 zeroF = UNDEFINED Unknown location: Normal execution of function `Tuple0` with args: File floats.mlw: Line 60: Property failure at postcondition of `g10'goal2` with: RNE = UNDEFINED RTZ = UNDEFINED x = (0x1.999999999999Bp-4:t1) Categorizations of models: - Selected model 0: NC - Concrete RAC: FAILURE (postcondition at "bench/check-ce/floats.mlw", line 62, characters 24-48) - Abstract RAC: FAILURE (postcondition at "bench/check-ce/floats.mlw", line 62, characters 24-48) - Checked model 1: NC - Concrete RAC: FAILURE (postcondition at "bench/check-ce/floats.mlw", line 62, characters 24-48) - Abstract RAC: FAILURE (postcondition at "bench/check-ce/floats.mlw", line 62, characters 24-48) File "bench/check-ce/floats.mlw", line 62, characters 24-48: Goal g11. Prover result is: Unknown or time/memory/step limit. The program does not comply to the verification goal, for example during the following execution: File int.mlw: Line 13: Constant zero initialization zero = 0 Line 14: Constant one initialization one = 1 File ieee_float.mlw: Line 902: Constant zeroF initialization Line 63: (giant-step) execution of unimplemented function with args: result = UNDEFINED Line 902: zeroF = UNDEFINED Line 223: max_real = 0.0 Line 224: max_int = 0 File floats.mlw: Line 62: x = (0x1.0p-1022:t1) x = (0x1.0p-1022:t1) Execution of main function `g11'goal` with env: max_real = 0.0 max_int = 0 x = (0x1.0p-1022:t1) zero = 0 one = 1 zeroF = UNDEFINED Unknown location: Normal execution of function `Tuple0` with args: File floats.mlw: Line 62: Property failure at postcondition of `g11'goal2` with: x = (0x1.0p-1022:t1) Categorizations of models: - Selected model 0: NC - Concrete RAC: FAILURE (postcondition at "bench/check-ce/floats.mlw", line 65, characters 24-62) - Abstract RAC: FAILURE (postcondition at "bench/check-ce/floats.mlw", line 65, characters 24-62) - Checked model 1: NC - Concrete RAC: FAILURE (postcondition at "bench/check-ce/floats.mlw", line 65, characters 24-62) - Abstract RAC: FAILURE (postcondition at "bench/check-ce/floats.mlw", line 65, characters 24-62) File "bench/check-ce/floats.mlw", line 65, characters 24-62: Goal g12. Prover result is: Unknown or time/memory/step limit. The program does not comply to the verification goal, for example during the following execution: File int.mlw: Line 13: Constant zero initialization zero = 0 Line 14: Constant one initialization one = 1 File ieee_float.mlw: Line 902: Constant zeroF initialization Line 63: (giant-step) execution of unimplemented function with args: result = UNDEFINED Line 902: zeroF = UNDEFINED Line 223: max_real = 0.0 Line 224: max_int = 0 File floats.mlw: Line 65: x = (0x0.FFFFFFFFFFFFFp-1022:t1) x = (0x0.FFFFFFFFFFFFFp-1022:t1) Execution of main function `g12'goal` with env: max_real = 0.0 max_int = 0 x = (0x0.FFFFFFFFFFFFFp-1022:t1) zero = 0 one = 1 zeroF = UNDEFINED Unknown location: Normal execution of function `Tuple0` with args: File floats.mlw: Line 65: Property failure at postcondition of `g12'goal2` with: x = (0x0.FFFFFFFFFFFFFp-1022:t1) Categorizations of models: - Selected model 0: NC - Concrete RAC: FAILURE (postcondition at "bench/check-ce/floats.mlw", line 68, characters 24-48) - Abstract RAC: FAILURE (postcondition at "bench/check-ce/floats.mlw", line 68, characters 24-48) - Checked model 1: NC - Concrete RAC: FAILURE (postcondition at "bench/check-ce/floats.mlw", line 68, characters 24-48) - Abstract RAC: FAILURE (postcondition at "bench/check-ce/floats.mlw", line 68, characters 24-48) File "bench/check-ce/floats.mlw", line 68, characters 24-48: Goal g13. Prover result is: Unknown or time/memory/step limit. The program does not comply to the verification goal, for example during the following execution: File int.mlw: Line 13: Constant zero initialization zero = 0 Line 14: Constant one initialization one = 1 File ieee_float.mlw: Line 902: Constant zeroF initialization Line 63: (giant-step) execution of unimplemented function with args: result = UNDEFINED Line 902: zeroF = UNDEFINED Line 223: max_real = 0.0 Line 224: max_int = 0 File floats.mlw: Line 68: x = (0x0.8p-1022:t1) x = (0x0.8p-1022:t1) Execution of main function `g13'goal` with env: max_real = 0.0 max_int = 0 x = (0x0.8p-1022:t1) zero = 0 one = 1 zeroF = UNDEFINED Unknown location: Normal execution of function `Tuple0` with args: File floats.mlw: Line 68: Property failure at postcondition of `g13'goal2` with: x = (0x0.8p-1022:t1) why3-1.6.0/bench/check-ce/oracles/floats_CVC4,1.8_WP.oracle000066400000000000000000001143621440160026300227330ustar00rootroot00000000000000Categorizations of models: - Selected model 0: NC - Concrete RAC: FAILURE (postcondition at "bench/check-ce/floats.mlw", line 5, characters 40-52) - Abstract RAC: FAILURE (postcondition at "bench/check-ce/floats.mlw", line 5, characters 40-52) - Checked model 1: NC - Concrete RAC: FAILURE (postcondition at "bench/check-ce/floats.mlw", line 5, characters 40-52) - Abstract RAC: FAILURE (postcondition at "bench/check-ce/floats.mlw", line 5, characters 40-52) File "bench/check-ce/floats.mlw", line 5, characters 40-52: Goal g1. Prover result is: Unknown or time/memory/step limit. The program does not comply to the verification goal, for example during the following execution: File int.mlw: Line 13: Constant zero initialization zero = 0 Line 14: Constant one initialization one = 1 File ieee_float.mlw: Line 861: Constant zeroF initialization Line 63: (giant-step) execution of unimplemented function with args: result = UNDEFINED Line 861: zeroF = UNDEFINED Line 223: max_real = 0.0 Line 224: max_int = 0 File floats.mlw: Line 5: x = (0x1.000002p0:t) x = (0x1.000002p0:t) Execution of main function `g1'goal` with env: max_real = 0.0 max_int = 0 x = (0x1.000002p0:t) zero = 0 one = 1 zeroF = UNDEFINED Unknown location: Normal execution of function `Tuple0` with args: File floats.mlw: Line 5: Property failure at postcondition of `g1'goal` with: x = (0x1.000002p0:t) Categorizations of models: - Selected model 0: NC - Concrete RAC: FAILURE (postcondition at "bench/check-ce/floats.mlw", line 7, characters 40-53) - Abstract RAC: FAILURE (postcondition at "bench/check-ce/floats.mlw", line 7, characters 40-53) - Checked model 1: NC - Concrete RAC: FAILURE (postcondition at "bench/check-ce/floats.mlw", line 7, characters 40-53) - Abstract RAC: FAILURE (postcondition at "bench/check-ce/floats.mlw", line 7, characters 40-53) File "bench/check-ce/floats.mlw", line 7, characters 40-53: Goal g2. Prover result is: Unknown or time/memory/step limit. The program does not comply to the verification goal, for example during the following execution: File int.mlw: Line 13: Constant zero initialization zero = 0 Line 14: Constant one initialization one = 1 File ieee_float.mlw: Line 861: Constant zeroF initialization Line 63: (giant-step) execution of unimplemented function with args: result = UNDEFINED Line 861: zeroF = UNDEFINED Line 223: max_real = 0.0 Line 224: max_int = 0 File floats.mlw: Line 7: x = (0x1.000002p0:t) x = (0x1.000002p0:t) Execution of main function `g2'goal` with env: max_real = 0.0 max_int = 0 x = (0x1.000002p0:t) zero = 0 one = 1 zeroF = UNDEFINED Unknown location: Normal execution of function `Tuple0` with args: File floats.mlw: Line 7: Property failure at postcondition of `g2'goal` with: x = (0x1.000002p0:t) Categorizations of models: - Selected model 0: NC - Concrete RAC: FAILURE (postcondition at "bench/check-ce/floats.mlw", line 9, characters 24-42) - Abstract RAC: FAILURE (postcondition at "bench/check-ce/floats.mlw", line 9, characters 24-42) - Checked model 1: NC - Concrete RAC: FAILURE (postcondition at "bench/check-ce/floats.mlw", line 9, characters 24-42) - Abstract RAC: FAILURE (postcondition at "bench/check-ce/floats.mlw", line 9, characters 24-42) File "bench/check-ce/floats.mlw", line 9, characters 24-42: Goal g3. Prover result is: Unknown or time/memory/step limit. The program does not comply to the verification goal, for example during the following execution: File int.mlw: Line 13: Constant zero initialization zero = 0 Line 14: Constant one initialization one = 1 File ieee_float.mlw: Line 861: Constant zeroF initialization Line 63: (giant-step) execution of unimplemented function with args: result = UNDEFINED Line 861: zeroF = UNDEFINED Line 223: max_real = 0.0 Line 224: max_int = 0 File floats.mlw: Line 9: x = (0.0:t) x = (0.0:t) Execution of main function `g3'goal` with env: max_real = 0.0 max_int = 0 x = (0.0:t) zero = 0 one = 1 zeroF = UNDEFINED Unknown location: Normal execution of function `Tuple0` with args: File floats.mlw: Line 9: Property failure at postcondition of `g3'goal` with: x = (0.0:t) Categorizations of models: - Selected model 0: NC - Concrete RAC: FAILURE (postcondition at "bench/check-ce/floats.mlw", line 11, characters 24-43) - Abstract RAC: FAILURE (postcondition at "bench/check-ce/floats.mlw", line 11, characters 24-43) - Checked model 1: NC - Concrete RAC: FAILURE (postcondition at "bench/check-ce/floats.mlw", line 11, characters 24-43) - Abstract RAC: FAILURE (postcondition at "bench/check-ce/floats.mlw", line 11, characters 24-43) File "bench/check-ce/floats.mlw", line 11, characters 24-43: Goal g4. Prover result is: Unknown or time/memory/step limit. The program does not comply to the verification goal, for example during the following execution: File int.mlw: Line 13: Constant zero initialization zero = 0 Line 14: Constant one initialization one = 1 File ieee_float.mlw: Line 861: Constant zeroF initialization Line 63: (giant-step) execution of unimplemented function with args: result = UNDEFINED Line 861: zeroF = UNDEFINED Line 223: max_real = 0.0 Line 224: max_int = 0 File floats.mlw: Line 11: x = (0x1.4p0:t) x = (0x1.4p0:t) Execution of main function `g4'goal` with env: max_real = 0.0 max_int = 0 x = (0x1.4p0:t) zero = 0 one = 1 zeroF = UNDEFINED Unknown location: Normal execution of function `Tuple0` with args: File floats.mlw: Line 11: Property failure at postcondition of `g4'goal` with: x = (0x1.4p0:t) Categorizations of models: - Selected model 0: NC - Concrete RAC: FAILURE (postcondition at "bench/check-ce/floats.mlw", line 13, characters 24-43) - Abstract RAC: FAILURE (postcondition at "bench/check-ce/floats.mlw", line 13, characters 24-43) - Checked model 1: NC - Concrete RAC: FAILURE (postcondition at "bench/check-ce/floats.mlw", line 13, characters 24-43) - Abstract RAC: FAILURE (postcondition at "bench/check-ce/floats.mlw", line 13, characters 24-43) File "bench/check-ce/floats.mlw", line 13, characters 24-43: Goal g5. Prover result is: Unknown or time/memory/step limit. The program does not comply to the verification goal, for example during the following execution: File int.mlw: Line 13: Constant zero initialization zero = 0 Line 14: Constant one initialization one = 1 File ieee_float.mlw: Line 861: Constant zeroF initialization Line 63: (giant-step) execution of unimplemented function with args: result = UNDEFINED Line 861: zeroF = UNDEFINED Line 223: max_real = 0.0 Line 224: max_int = 0 File floats.mlw: Line 13: x = (0x1.04p32:t) x = (0x1.04p32:t) Execution of main function `g5'goal` with env: max_real = 0.0 max_int = 0 x = (0x1.04p32:t) zero = 0 one = 1 zeroF = UNDEFINED Unknown location: Normal execution of function `Tuple0` with args: File floats.mlw: Line 13: Property failure at postcondition of `g5'goal` with: x = (0x1.04p32:t) Categorizations of models: - Selected model 0: NC - Concrete RAC: FAILURE (postcondition at "bench/check-ce/floats.mlw", line 15, characters 24-30) - Abstract RAC: FAILURE (postcondition at "bench/check-ce/floats.mlw", line 15, characters 24-30) - Checked model 1: NC - Concrete RAC: FAILURE (postcondition at "bench/check-ce/floats.mlw", line 15, characters 24-30) - Abstract RAC: FAILURE (postcondition at "bench/check-ce/floats.mlw", line 15, characters 24-30) File "bench/check-ce/floats.mlw", line 15, characters 24-30: Goal g6. Prover result is: Unknown or time/memory/step limit. The program does not comply to the verification goal, for example during the following execution: File int.mlw: Line 13: Constant zero initialization zero = 0 Line 14: Constant one initialization one = 1 File ieee_float.mlw: Line 861: Constant zeroF initialization Line 63: (giant-step) execution of unimplemented function with args: result = UNDEFINED Line 861: zeroF = UNDEFINED Line 223: max_real = 0.0 Line 224: max_int = 0 File floats.mlw: Line 15: x = epsilon x:t. is_nan x x = epsilon x:t. is_nan x Execution of main function `g6'goal` with env: max_real = 0.0 max_int = 0 x = epsilon x:t. is_nan x zero = 0 one = 1 zeroF = UNDEFINED Unknown location: Normal execution of function `Tuple0` with args: File floats.mlw: Line 15: Property failure at postcondition of `g6'goal` with: x = epsilon x:t. is_nan x Categorizations of models: - Selected model 0: NC - Concrete RAC: FAILURE (postcondition at "bench/check-ce/floats.mlw", line 17, characters 40-64) - Abstract RAC: FAILURE (postcondition at "bench/check-ce/floats.mlw", line 17, characters 40-64) - Checked model 1: NC - Concrete RAC: FAILURE (postcondition at "bench/check-ce/floats.mlw", line 17, characters 40-64) - Abstract RAC: FAILURE (postcondition at "bench/check-ce/floats.mlw", line 17, characters 40-64) File "bench/check-ce/floats.mlw", line 17, characters 40-64: Goal g7. Prover result is: Unknown or time/memory/step limit. The program does not comply to the verification goal, for example during the following execution: File int.mlw: Line 13: Constant zero initialization zero = 0 Line 14: Constant one initialization one = 1 File ieee_float.mlw: Line 861: Constant zeroF initialization Line 63: (giant-step) execution of unimplemented function with args: result = UNDEFINED Line 861: zeroF = UNDEFINED Line 223: max_real = 0.0 Line 224: max_int = 0 File floats.mlw: Line 17: x = (0x1.8008p27:t) x = (0x1.8008p27:t) Execution of main function `g7'goal` with env: max_real = 0.0 max_int = 0 x = (0x1.8008p27:t) zero = 0 one = 1 zeroF = UNDEFINED Unknown location: Normal execution of function `Tuple0` with args: File floats.mlw: Line 17: Property failure at postcondition of `g7'goal` with: RNE = UNDEFINED x = (0x1.8008p27:t) Categorizations of models: - Checked model 0: INCOMPLETE - Concrete RAC: INCOMPLETE (terminated because Postcondition of `g8'goal` cannot be evaluated) - Abstract RAC: INCOMPLETE (terminated because Postcondition of `g8'goal` cannot be evaluated) - Selected model 1: INCOMPLETE - Concrete RAC: INCOMPLETE (terminated because Postcondition of `g8'goal1` cannot be evaluated) - Abstract RAC: INCOMPLETE (terminated because Postcondition of `g8'goal1` cannot be evaluated) File "bench/check-ce/floats.mlw", line 19, characters 24-60: Goal g8. Prover result is: Unknown or time/memory/step limit. The following counterexample model could not be verified (both RAC terminated because Postcondition of `g8'goal1` cannot be evaluated): File ieee_float.mlw: Line 223: max_real : real = 0.0 Line 224: max_int : int = 0 File real.mlw: Line 203: sqrt : real -> real = [|_ => 0.0|] File floats.mlw: Line 19: x : t = ∞ Categorizations of models: - Selected model 0: NC - Concrete RAC: FAILURE (postcondition at "bench/check-ce/floats.mlw", line 21, characters 40-70) - Abstract RAC: FAILURE (postcondition at "bench/check-ce/floats.mlw", line 21, characters 40-70) - Checked model 1: NC - Concrete RAC: FAILURE (postcondition at "bench/check-ce/floats.mlw", line 21, characters 40-70) - Abstract RAC: FAILURE (postcondition at "bench/check-ce/floats.mlw", line 21, characters 40-70) File "bench/check-ce/floats.mlw", line 21, characters 40-70: Goal g9. Prover result is: Unknown or time/memory/step limit. The program does not comply to the verification goal, for example during the following execution: File int.mlw: Line 13: Constant zero initialization zero = 0 Line 14: Constant one initialization one = 1 File ieee_float.mlw: Line 861: Constant zeroF initialization Line 63: (giant-step) execution of unimplemented function with args: result = UNDEFINED Line 861: zeroF = UNDEFINED Line 223: max_real = 0.0 Line 224: max_int = 0 File floats.mlw: Line 21: x = (0x0.000002p-126:t) x = (0x0.000002p-126:t) Execution of main function `g9'goal` with env: max_real = 0.0 max_int = 0 x = (0x0.000002p-126:t) zero = 0 one = 1 zeroF = UNDEFINED Unknown location: Normal execution of function `Tuple0` with args: File floats.mlw: Line 21: Property failure at postcondition of `g9'goal` with: RNE = UNDEFINED x = (0x0.000002p-126:t) Categorizations of models: - Selected model 0: NC - Concrete RAC: FAILURE (postcondition at "bench/check-ce/floats.mlw", line 24, characters 24-98) - Abstract RAC: FAILURE (postcondition at "bench/check-ce/floats.mlw", line 24, characters 24-98) - Checked model 1: NC - Concrete RAC: FAILURE (postcondition at "bench/check-ce/floats.mlw", line 24, characters 24-98) - Abstract RAC: FAILURE (postcondition at "bench/check-ce/floats.mlw", line 24, characters 24-98) File "bench/check-ce/floats.mlw", line 24, characters 24-98: Goal g10. Prover result is: Unknown or time/memory/step limit. The program does not comply to the verification goal, for example during the following execution: File int.mlw: Line 13: Constant zero initialization zero = 0 Line 14: Constant one initialization one = 1 File ieee_float.mlw: Line 861: Constant zeroF initialization Line 63: (giant-step) execution of unimplemented function with args: result = UNDEFINED Line 861: zeroF = UNDEFINED Line 223: max_real = 0.0 Line 224: max_int = 0 File floats.mlw: Line 24: x = (0x1.99999Cp-4:t) x = (0x1.99999Cp-4:t) Execution of main function `g10'goal` with env: max_real = 0.0 max_int = 0 x = (0x1.99999Cp-4:t) zero = 0 one = 1 zeroF = UNDEFINED Unknown location: Normal execution of function `Tuple0` with args: File floats.mlw: Line 24: Property failure at postcondition of `g10'goal` with: RNE = UNDEFINED RTZ = UNDEFINED x = (0x1.99999Cp-4:t) Categorizations of models: - Selected model 0: NC - Concrete RAC: FAILURE (postcondition at "bench/check-ce/floats.mlw", line 26, characters 24-47) - Abstract RAC: FAILURE (postcondition at "bench/check-ce/floats.mlw", line 26, characters 24-47) - Checked model 1: NC - Concrete RAC: FAILURE (postcondition at "bench/check-ce/floats.mlw", line 26, characters 24-47) - Abstract RAC: FAILURE (postcondition at "bench/check-ce/floats.mlw", line 26, characters 24-47) File "bench/check-ce/floats.mlw", line 26, characters 24-47: Goal g11. Prover result is: Unknown or time/memory/step limit. The program does not comply to the verification goal, for example during the following execution: File int.mlw: Line 13: Constant zero initialization zero = 0 Line 14: Constant one initialization one = 1 File ieee_float.mlw: Line 861: Constant zeroF initialization Line 63: (giant-step) execution of unimplemented function with args: result = UNDEFINED Line 861: zeroF = UNDEFINED Line 223: max_real = 0.0 Line 224: max_int = 0 File floats.mlw: Line 26: x = (0x1.0p-126:t) x = (0x1.0p-126:t) Execution of main function `g11'goal` with env: max_real = 0.0 max_int = 0 x = (0x1.0p-126:t) zero = 0 one = 1 zeroF = UNDEFINED Unknown location: Normal execution of function `Tuple0` with args: File floats.mlw: Line 26: Property failure at postcondition of `g11'goal` with: x = (0x1.0p-126:t) Categorizations of models: - Selected model 0: NC - Concrete RAC: FAILURE (postcondition at "bench/check-ce/floats.mlw", line 29, characters 24-54) - Abstract RAC: FAILURE (postcondition at "bench/check-ce/floats.mlw", line 29, characters 24-54) - Checked model 1: NC - Concrete RAC: FAILURE (postcondition at "bench/check-ce/floats.mlw", line 29, characters 24-54) - Abstract RAC: FAILURE (postcondition at "bench/check-ce/floats.mlw", line 29, characters 24-54) File "bench/check-ce/floats.mlw", line 29, characters 24-54: Goal g12. Prover result is: Unknown or time/memory/step limit. The program does not comply to the verification goal, for example during the following execution: File int.mlw: Line 13: Constant zero initialization zero = 0 Line 14: Constant one initialization one = 1 File ieee_float.mlw: Line 861: Constant zeroF initialization Line 63: (giant-step) execution of unimplemented function with args: result = UNDEFINED Line 861: zeroF = UNDEFINED Line 223: max_real = 0.0 Line 224: max_int = 0 File floats.mlw: Line 29: x = (0x0.FFFFFEp-126:t) x = (0x0.FFFFFEp-126:t) Execution of main function `g12'goal` with env: max_real = 0.0 max_int = 0 x = (0x0.FFFFFEp-126:t) zero = 0 one = 1 zeroF = UNDEFINED Unknown location: Normal execution of function `Tuple0` with args: File floats.mlw: Line 29: Property failure at postcondition of `g12'goal` with: x = (0x0.FFFFFEp-126:t) Categorizations of models: - Selected model 0: NC - Concrete RAC: FAILURE (postcondition at "bench/check-ce/floats.mlw", line 32, characters 24-47) - Abstract RAC: FAILURE (postcondition at "bench/check-ce/floats.mlw", line 32, characters 24-47) - Checked model 1: NC - Concrete RAC: FAILURE (postcondition at "bench/check-ce/floats.mlw", line 32, characters 24-47) - Abstract RAC: FAILURE (postcondition at "bench/check-ce/floats.mlw", line 32, characters 24-47) File "bench/check-ce/floats.mlw", line 32, characters 24-47: Goal g13. Prover result is: Unknown or time/memory/step limit. The program does not comply to the verification goal, for example during the following execution: File int.mlw: Line 13: Constant zero initialization zero = 0 Line 14: Constant one initialization one = 1 File ieee_float.mlw: Line 861: Constant zeroF initialization Line 63: (giant-step) execution of unimplemented function with args: result = UNDEFINED Line 861: zeroF = UNDEFINED Line 223: max_real = 0.0 Line 224: max_int = 0 File floats.mlw: Line 32: x = (0x0.8p-126:t) x = (0x0.8p-126:t) Execution of main function `g13'goal` with env: max_real = 0.0 max_int = 0 x = (0x0.8p-126:t) zero = 0 one = 1 zeroF = UNDEFINED Unknown location: Normal execution of function `Tuple0` with args: File floats.mlw: Line 32: Property failure at postcondition of `g13'goal` with: x = (0x0.8p-126:t) Categorizations of models: - Selected model 0: NC - Concrete RAC: FAILURE (postcondition at "bench/check-ce/floats.mlw", line 41, characters 40-52) - Abstract RAC: FAILURE (postcondition at "bench/check-ce/floats.mlw", line 41, characters 40-52) - Checked model 1: NC - Concrete RAC: FAILURE (postcondition at "bench/check-ce/floats.mlw", line 41, characters 40-52) - Abstract RAC: FAILURE (postcondition at "bench/check-ce/floats.mlw", line 41, characters 40-52) File "bench/check-ce/floats.mlw", line 41, characters 40-52: Goal g1. Prover result is: Unknown or time/memory/step limit. The program does not comply to the verification goal, for example during the following execution: File int.mlw: Line 13: Constant zero initialization zero = 0 Line 14: Constant one initialization one = 1 File ieee_float.mlw: Line 902: Constant zeroF initialization Line 63: (giant-step) execution of unimplemented function with args: result = UNDEFINED Line 902: zeroF = UNDEFINED Line 223: max_real = 0.0 Line 224: max_int = 0 File floats.mlw: Line 41: x = (0x1.0000000000001p0:t1) x = (0x1.0000000000001p0:t1) Execution of main function `g1'goal` with env: max_real = 0.0 max_int = 0 x = (0x1.0000000000001p0:t1) zero = 0 one = 1 zeroF = UNDEFINED Unknown location: Normal execution of function `Tuple0` with args: File floats.mlw: Line 41: Property failure at postcondition of `g1'goal2` with: x = (0x1.0000000000001p0:t1) Categorizations of models: - Selected model 0: NC - Concrete RAC: FAILURE (postcondition at "bench/check-ce/floats.mlw", line 43, characters 40-53) - Abstract RAC: FAILURE (postcondition at "bench/check-ce/floats.mlw", line 43, characters 40-53) - Checked model 1: NC - Concrete RAC: FAILURE (postcondition at "bench/check-ce/floats.mlw", line 43, characters 40-53) - Abstract RAC: FAILURE (postcondition at "bench/check-ce/floats.mlw", line 43, characters 40-53) File "bench/check-ce/floats.mlw", line 43, characters 40-53: Goal g2. Prover result is: Unknown or time/memory/step limit. The program does not comply to the verification goal, for example during the following execution: File int.mlw: Line 13: Constant zero initialization zero = 0 Line 14: Constant one initialization one = 1 File ieee_float.mlw: Line 902: Constant zeroF initialization Line 63: (giant-step) execution of unimplemented function with args: result = UNDEFINED Line 902: zeroF = UNDEFINED Line 223: max_real = 0.0 Line 224: max_int = 0 File floats.mlw: Line 43: x = (0x1.0000000000001p0:t1) x = (0x1.0000000000001p0:t1) Execution of main function `g2'goal` with env: max_real = 0.0 max_int = 0 x = (0x1.0000000000001p0:t1) zero = 0 one = 1 zeroF = UNDEFINED Unknown location: Normal execution of function `Tuple0` with args: File floats.mlw: Line 43: Property failure at postcondition of `g2'goal2` with: x = (0x1.0000000000001p0:t1) Categorizations of models: - Selected model 0: NC - Concrete RAC: FAILURE (postcondition at "bench/check-ce/floats.mlw", line 45, characters 24-42) - Abstract RAC: FAILURE (postcondition at "bench/check-ce/floats.mlw", line 45, characters 24-42) - Checked model 1: NC - Concrete RAC: FAILURE (postcondition at "bench/check-ce/floats.mlw", line 45, characters 24-42) - Abstract RAC: FAILURE (postcondition at "bench/check-ce/floats.mlw", line 45, characters 24-42) File "bench/check-ce/floats.mlw", line 45, characters 24-42: Goal g3. Prover result is: Unknown or time/memory/step limit. The program does not comply to the verification goal, for example during the following execution: File int.mlw: Line 13: Constant zero initialization zero = 0 Line 14: Constant one initialization one = 1 File ieee_float.mlw: Line 902: Constant zeroF initialization Line 63: (giant-step) execution of unimplemented function with args: result = UNDEFINED Line 902: zeroF = UNDEFINED Line 223: max_real = 0.0 Line 224: max_int = 0 File floats.mlw: Line 45: x = (0.0:t1) x = (0.0:t1) Execution of main function `g3'goal` with env: max_real = 0.0 max_int = 0 x = (0.0:t1) zero = 0 one = 1 zeroF = UNDEFINED Unknown location: Normal execution of function `Tuple0` with args: File floats.mlw: Line 45: Property failure at postcondition of `g3'goal2` with: x = (0.0:t1) Categorizations of models: - Selected model 0: NC - Concrete RAC: FAILURE (postcondition at "bench/check-ce/floats.mlw", line 47, characters 24-43) - Abstract RAC: FAILURE (postcondition at "bench/check-ce/floats.mlw", line 47, characters 24-43) - Checked model 1: NC - Concrete RAC: FAILURE (postcondition at "bench/check-ce/floats.mlw", line 47, characters 24-43) - Abstract RAC: FAILURE (postcondition at "bench/check-ce/floats.mlw", line 47, characters 24-43) File "bench/check-ce/floats.mlw", line 47, characters 24-43: Goal g4. Prover result is: Unknown or time/memory/step limit. The program does not comply to the verification goal, for example during the following execution: File int.mlw: Line 13: Constant zero initialization zero = 0 Line 14: Constant one initialization one = 1 File ieee_float.mlw: Line 902: Constant zeroF initialization Line 63: (giant-step) execution of unimplemented function with args: result = UNDEFINED Line 902: zeroF = UNDEFINED Line 223: max_real = 0.0 Line 224: max_int = 0 File floats.mlw: Line 47: x = (0x1.4p0:t1) x = (0x1.4p0:t1) Execution of main function `g4'goal` with env: max_real = 0.0 max_int = 0 x = (0x1.4p0:t1) zero = 0 one = 1 zeroF = UNDEFINED Unknown location: Normal execution of function `Tuple0` with args: File floats.mlw: Line 47: Property failure at postcondition of `g4'goal2` with: x = (0x1.4p0:t1) Categorizations of models: - Selected model 0: NC - Concrete RAC: FAILURE (postcondition at "bench/check-ce/floats.mlw", line 49, characters 24-43) - Abstract RAC: FAILURE (postcondition at "bench/check-ce/floats.mlw", line 49, characters 24-43) - Checked model 1: NC - Concrete RAC: FAILURE (postcondition at "bench/check-ce/floats.mlw", line 49, characters 24-43) - Abstract RAC: FAILURE (postcondition at "bench/check-ce/floats.mlw", line 49, characters 24-43) File "bench/check-ce/floats.mlw", line 49, characters 24-43: Goal g5. Prover result is: Unknown or time/memory/step limit. The program does not comply to the verification goal, for example during the following execution: File int.mlw: Line 13: Constant zero initialization zero = 0 Line 14: Constant one initialization one = 1 File ieee_float.mlw: Line 902: Constant zeroF initialization Line 63: (giant-step) execution of unimplemented function with args: result = UNDEFINED Line 902: zeroF = UNDEFINED Line 223: max_real = 0.0 Line 224: max_int = 0 File floats.mlw: Line 49: x = (0x1.0p64:t1) x = (0x1.0p64:t1) Execution of main function `g5'goal` with env: max_real = 0.0 max_int = 0 x = (0x1.0p64:t1) zero = 0 one = 1 zeroF = UNDEFINED Unknown location: Normal execution of function `Tuple0` with args: File floats.mlw: Line 49: Property failure at postcondition of `g5'goal2` with: x = (0x1.0p64:t1) Categorizations of models: - Selected model 0: NC - Concrete RAC: FAILURE (postcondition at "bench/check-ce/floats.mlw", line 51, characters 24-30) - Abstract RAC: FAILURE (postcondition at "bench/check-ce/floats.mlw", line 51, characters 24-30) - Checked model 1: NC - Concrete RAC: FAILURE (postcondition at "bench/check-ce/floats.mlw", line 51, characters 24-30) - Abstract RAC: FAILURE (postcondition at "bench/check-ce/floats.mlw", line 51, characters 24-30) File "bench/check-ce/floats.mlw", line 51, characters 24-30: Goal g6. Prover result is: Unknown or time/memory/step limit. The program does not comply to the verification goal, for example during the following execution: File int.mlw: Line 13: Constant zero initialization zero = 0 Line 14: Constant one initialization one = 1 File ieee_float.mlw: Line 902: Constant zeroF initialization Line 63: (giant-step) execution of unimplemented function with args: result = UNDEFINED Line 902: zeroF = UNDEFINED Line 223: max_real = 0.0 Line 224: max_int = 0 File floats.mlw: Line 51: x = epsilon x:t1. is_nan1 x x = epsilon x:t1. is_nan1 x Execution of main function `g6'goal` with env: max_real = 0.0 max_int = 0 x = epsilon x:t1. is_nan1 x zero = 0 one = 1 zeroF = UNDEFINED Unknown location: Normal execution of function `Tuple0` with args: File floats.mlw: Line 51: Property failure at postcondition of `g6'goal2` with: x = epsilon x:t1. is_nan1 x Categorizations of models: - Selected model 0: NC - Concrete RAC: FAILURE (postcondition at "bench/check-ce/floats.mlw", line 53, characters 40-64) - Abstract RAC: FAILURE (postcondition at "bench/check-ce/floats.mlw", line 53, characters 40-64) - Checked model 1: NC - Concrete RAC: FAILURE (postcondition at "bench/check-ce/floats.mlw", line 53, characters 40-64) - Abstract RAC: FAILURE (postcondition at "bench/check-ce/floats.mlw", line 53, characters 40-64) File "bench/check-ce/floats.mlw", line 53, characters 40-64: Goal g7. Prover result is: Unknown or time/memory/step limit. The program does not comply to the verification goal, for example during the following execution: File int.mlw: Line 13: Constant zero initialization zero = 0 Line 14: Constant one initialization one = 1 File ieee_float.mlw: Line 902: Constant zeroF initialization Line 63: (giant-step) execution of unimplemented function with args: result = UNDEFINED Line 902: zeroF = UNDEFINED Line 223: max_real = 0.0 Line 224: max_int = 0 File floats.mlw: Line 53: x = (0x1.AD43755C4BE7Ep53:t1) x = (0x1.AD43755C4BE7Ep53:t1) Execution of main function `g7'goal` with env: max_real = 0.0 max_int = 0 x = (0x1.AD43755C4BE7Ep53:t1) zero = 0 one = 1 zeroF = UNDEFINED Unknown location: Normal execution of function `Tuple0` with args: File floats.mlw: Line 53: Property failure at postcondition of `g7'goal2` with: RNE = UNDEFINED x = (0x1.AD43755C4BE7Ep53:t1) Categorizations of models: - Checked model 0: INCOMPLETE - Concrete RAC: INCOMPLETE (terminated because Postcondition of `g8'goal2` cannot be evaluated) - Abstract RAC: INCOMPLETE (terminated because Postcondition of `g8'goal2` cannot be evaluated) - Selected model 1: INCOMPLETE - Concrete RAC: INCOMPLETE (terminated because Postcondition of `g8'goal3` cannot be evaluated) - Abstract RAC: INCOMPLETE (terminated because Postcondition of `g8'goal3` cannot be evaluated) File "bench/check-ce/floats.mlw", line 55, characters 24-60: Goal g8. Prover result is: Unknown or time/memory/step limit. The following counterexample model could not be verified (both RAC terminated because Postcondition of `g8'goal3` cannot be evaluated): File ieee_float.mlw: Line 223: max_real : real = 0.0 Line 224: max_int : int = 0 File real.mlw: Line 203: sqrt : real -> real = [|_ => 0.0|] File floats.mlw: Line 55: x : t1 = ∞ Categorizations of models: - Selected model 0: NC - Concrete RAC: FAILURE (postcondition at "bench/check-ce/floats.mlw", line 57, characters 40-70) - Abstract RAC: FAILURE (postcondition at "bench/check-ce/floats.mlw", line 57, characters 40-70) - Checked model 1: NC - Concrete RAC: FAILURE (postcondition at "bench/check-ce/floats.mlw", line 57, characters 40-70) - Abstract RAC: FAILURE (postcondition at "bench/check-ce/floats.mlw", line 57, characters 40-70) File "bench/check-ce/floats.mlw", line 57, characters 40-70: Goal g9. Prover result is: Unknown or time/memory/step limit. The program does not comply to the verification goal, for example during the following execution: File int.mlw: Line 13: Constant zero initialization zero = 0 Line 14: Constant one initialization one = 1 File ieee_float.mlw: Line 902: Constant zeroF initialization Line 63: (giant-step) execution of unimplemented function with args: result = UNDEFINED Line 902: zeroF = UNDEFINED Line 223: max_real = 0.0 Line 224: max_int = 0 File floats.mlw: Line 57: x = (0x0.0000000000001p-1022:t1) x = (0x0.0000000000001p-1022:t1) Execution of main function `g9'goal` with env: max_real = 0.0 max_int = 0 x = (0x0.0000000000001p-1022:t1) zero = 0 one = 1 zeroF = UNDEFINED Unknown location: Normal execution of function `Tuple0` with args: File floats.mlw: Line 57: Property failure at postcondition of `g9'goal2` with: RNE = UNDEFINED x = (0x0.0000000000001p-1022:t1) Categorizations of models: - Selected model 0: NC - Concrete RAC: FAILURE (postcondition at "bench/check-ce/floats.mlw", line 60, characters 24-98) - Abstract RAC: FAILURE (postcondition at "bench/check-ce/floats.mlw", line 60, characters 24-98) - Checked model 1: NC - Concrete RAC: FAILURE (postcondition at "bench/check-ce/floats.mlw", line 60, characters 24-98) - Abstract RAC: FAILURE (postcondition at "bench/check-ce/floats.mlw", line 60, characters 24-98) File "bench/check-ce/floats.mlw", line 60, characters 24-98: Goal g10. Prover result is: Unknown or time/memory/step limit. The program does not comply to the verification goal, for example during the following execution: File int.mlw: Line 13: Constant zero initialization zero = 0 Line 14: Constant one initialization one = 1 File ieee_float.mlw: Line 902: Constant zeroF initialization Line 63: (giant-step) execution of unimplemented function with args: result = UNDEFINED Line 902: zeroF = UNDEFINED Line 223: max_real = 0.0 Line 224: max_int = 0 File floats.mlw: Line 60: x = (0x1.999999999999Bp-4:t1) x = (0x1.999999999999Bp-4:t1) Execution of main function `g10'goal` with env: max_real = 0.0 max_int = 0 x = (0x1.999999999999Bp-4:t1) zero = 0 one = 1 zeroF = UNDEFINED Unknown location: Normal execution of function `Tuple0` with args: File floats.mlw: Line 60: Property failure at postcondition of `g10'goal2` with: RNE = UNDEFINED RTZ = UNDEFINED x = (0x1.999999999999Bp-4:t1) Categorizations of models: - Selected model 0: NC - Concrete RAC: FAILURE (postcondition at "bench/check-ce/floats.mlw", line 62, characters 24-48) - Abstract RAC: FAILURE (postcondition at "bench/check-ce/floats.mlw", line 62, characters 24-48) - Checked model 1: NC - Concrete RAC: FAILURE (postcondition at "bench/check-ce/floats.mlw", line 62, characters 24-48) - Abstract RAC: FAILURE (postcondition at "bench/check-ce/floats.mlw", line 62, characters 24-48) File "bench/check-ce/floats.mlw", line 62, characters 24-48: Goal g11. Prover result is: Unknown or time/memory/step limit. The program does not comply to the verification goal, for example during the following execution: File int.mlw: Line 13: Constant zero initialization zero = 0 Line 14: Constant one initialization one = 1 File ieee_float.mlw: Line 902: Constant zeroF initialization Line 63: (giant-step) execution of unimplemented function with args: result = UNDEFINED Line 902: zeroF = UNDEFINED Line 223: max_real = 0.0 Line 224: max_int = 0 File floats.mlw: Line 62: x = (0x1.0p-1022:t1) x = (0x1.0p-1022:t1) Execution of main function `g11'goal` with env: max_real = 0.0 max_int = 0 x = (0x1.0p-1022:t1) zero = 0 one = 1 zeroF = UNDEFINED Unknown location: Normal execution of function `Tuple0` with args: File floats.mlw: Line 62: Property failure at postcondition of `g11'goal2` with: x = (0x1.0p-1022:t1) Categorizations of models: - Selected model 0: NC - Concrete RAC: FAILURE (postcondition at "bench/check-ce/floats.mlw", line 65, characters 24-62) - Abstract RAC: FAILURE (postcondition at "bench/check-ce/floats.mlw", line 65, characters 24-62) - Checked model 1: NC - Concrete RAC: FAILURE (postcondition at "bench/check-ce/floats.mlw", line 65, characters 24-62) - Abstract RAC: FAILURE (postcondition at "bench/check-ce/floats.mlw", line 65, characters 24-62) File "bench/check-ce/floats.mlw", line 65, characters 24-62: Goal g12. Prover result is: Unknown or time/memory/step limit. The program does not comply to the verification goal, for example during the following execution: File int.mlw: Line 13: Constant zero initialization zero = 0 Line 14: Constant one initialization one = 1 File ieee_float.mlw: Line 902: Constant zeroF initialization Line 63: (giant-step) execution of unimplemented function with args: result = UNDEFINED Line 902: zeroF = UNDEFINED Line 223: max_real = 0.0 Line 224: max_int = 0 File floats.mlw: Line 65: x = (0x0.FFFFFFFFFFFFFp-1022:t1) x = (0x0.FFFFFFFFFFFFFp-1022:t1) Execution of main function `g12'goal` with env: max_real = 0.0 max_int = 0 x = (0x0.FFFFFFFFFFFFFp-1022:t1) zero = 0 one = 1 zeroF = UNDEFINED Unknown location: Normal execution of function `Tuple0` with args: File floats.mlw: Line 65: Property failure at postcondition of `g12'goal2` with: x = (0x0.FFFFFFFFFFFFFp-1022:t1) Categorizations of models: - Selected model 0: NC - Concrete RAC: FAILURE (postcondition at "bench/check-ce/floats.mlw", line 68, characters 24-48) - Abstract RAC: FAILURE (postcondition at "bench/check-ce/floats.mlw", line 68, characters 24-48) - Checked model 1: NC - Concrete RAC: FAILURE (postcondition at "bench/check-ce/floats.mlw", line 68, characters 24-48) - Abstract RAC: FAILURE (postcondition at "bench/check-ce/floats.mlw", line 68, characters 24-48) File "bench/check-ce/floats.mlw", line 68, characters 24-48: Goal g13. Prover result is: Unknown or time/memory/step limit. The program does not comply to the verification goal, for example during the following execution: File int.mlw: Line 13: Constant zero initialization zero = 0 Line 14: Constant one initialization one = 1 File ieee_float.mlw: Line 902: Constant zeroF initialization Line 63: (giant-step) execution of unimplemented function with args: result = UNDEFINED Line 902: zeroF = UNDEFINED Line 223: max_real = 0.0 Line 224: max_int = 0 File floats.mlw: Line 68: x = (0x0.8p-1022:t1) x = (0x0.8p-1022:t1) Execution of main function `g13'goal` with env: max_real = 0.0 max_int = 0 x = (0x0.8p-1022:t1) zero = 0 one = 1 zeroF = UNDEFINED Unknown location: Normal execution of function `Tuple0` with args: File floats.mlw: Line 68: Property failure at postcondition of `g13'goal2` with: x = (0x0.8p-1022:t1) why3-1.6.0/bench/check-ce/oracles/floats_CVC5,1.0.0_SP.oracle000066400000000000000000001144631440160026300230600ustar00rootroot00000000000000Categorizations of models: - Selected model 0: NC - Concrete RAC: FAILURE (postcondition at "bench/check-ce/floats.mlw", line 5, characters 40-52) - Abstract RAC: FAILURE (postcondition at "bench/check-ce/floats.mlw", line 5, characters 40-52) - Checked model 1: INCOMPLETE - Concrete RAC: INCOMPLETE (terminated because Precondition of `g1'goal1` cannot be evaluated) - Abstract RAC: INCOMPLETE (terminated because Precondition of `g1'goal1` cannot be evaluated) File "bench/check-ce/floats.mlw", line 5, characters 40-52: Goal g1. Prover result is: Unknown or time/memory/step limit. The program does not comply to the verification goal, for example during the following execution: File int.mlw: Line 13: Constant zero initialization zero = 0 Line 14: Constant one initialization one = 1 File ieee_float.mlw: Line 861: Constant zeroF initialization Line 63: (giant-step) execution of unimplemented function with args: result = UNDEFINED Line 861: zeroF = UNDEFINED Line 223: max_real = 0.0 Line 224: max_int = 0 File floats.mlw: Line 5: x = ((- 0x1.0p0):t) x = ((- 0x1.0p0):t) Execution of main function `g1'goal` with env: max_real = 0.0 max_int = 0 x = ((- 0x1.0p0):t) zero = 0 one = 1 zeroF = UNDEFINED Unknown location: Normal execution of function `Tuple0` with args: File floats.mlw: Line 5: Property failure at postcondition of `g1'goal` with: x = ((- 0x1.0p0):t) Categorizations of models: - Selected model 0: NC - Concrete RAC: FAILURE (postcondition at "bench/check-ce/floats.mlw", line 7, characters 40-53) - Abstract RAC: FAILURE (postcondition at "bench/check-ce/floats.mlw", line 7, characters 40-53) - Checked model 1: INCOMPLETE - Concrete RAC: INCOMPLETE (terminated because Precondition of `g2'goal1` cannot be evaluated) - Abstract RAC: INCOMPLETE (terminated because Precondition of `g2'goal1` cannot be evaluated) File "bench/check-ce/floats.mlw", line 7, characters 40-53: Goal g2. Prover result is: Unknown or time/memory/step limit. The program does not comply to the verification goal, for example during the following execution: File int.mlw: Line 13: Constant zero initialization zero = 0 Line 14: Constant one initialization one = 1 File ieee_float.mlw: Line 861: Constant zeroF initialization Line 63: (giant-step) execution of unimplemented function with args: result = UNDEFINED Line 861: zeroF = UNDEFINED Line 223: max_real = 0.0 Line 224: max_int = 0 File floats.mlw: Line 7: x = (0x1.4p1:t) x = (0x1.4p1:t) Execution of main function `g2'goal` with env: max_real = 0.0 max_int = 0 x = (0x1.4p1:t) zero = 0 one = 1 zeroF = UNDEFINED Unknown location: Normal execution of function `Tuple0` with args: File floats.mlw: Line 7: Property failure at postcondition of `g2'goal` with: x = (0x1.4p1:t) Categorizations of models: - Selected model 0: NC - Concrete RAC: FAILURE (postcondition at "bench/check-ce/floats.mlw", line 9, characters 24-42) - Abstract RAC: FAILURE (postcondition at "bench/check-ce/floats.mlw", line 9, characters 24-42) - Checked model 1: INCOMPLETE - Concrete RAC: INCOMPLETE (terminated because Postcondition of `g3'goal1` cannot be evaluated) - Abstract RAC: INCOMPLETE (terminated because Postcondition of `g3'goal1` cannot be evaluated) File "bench/check-ce/floats.mlw", line 9, characters 24-42: Goal g3. Prover result is: Unknown or time/memory/step limit. The program does not comply to the verification goal, for example during the following execution: File int.mlw: Line 13: Constant zero initialization zero = 0 Line 14: Constant one initialization one = 1 File ieee_float.mlw: Line 861: Constant zeroF initialization Line 63: (giant-step) execution of unimplemented function with args: result = UNDEFINED Line 861: zeroF = UNDEFINED Line 223: max_real = 0.0 Line 224: max_int = 0 File floats.mlw: Line 9: x = (0.0:t) x = (0.0:t) Execution of main function `g3'goal` with env: max_real = 0.0 max_int = 0 x = (0.0:t) zero = 0 one = 1 zeroF = UNDEFINED Unknown location: Normal execution of function `Tuple0` with args: File floats.mlw: Line 9: Property failure at postcondition of `g3'goal` with: x = (0.0:t) Categorizations of models: - Selected model 0: NC - Concrete RAC: FAILURE (postcondition at "bench/check-ce/floats.mlw", line 11, characters 24-43) - Abstract RAC: FAILURE (postcondition at "bench/check-ce/floats.mlw", line 11, characters 24-43) - Checked model 1: INCOMPLETE - Concrete RAC: INCOMPLETE (terminated because Postcondition of `g4'goal1` cannot be evaluated) - Abstract RAC: INCOMPLETE (terminated because Postcondition of `g4'goal1` cannot be evaluated) File "bench/check-ce/floats.mlw", line 11, characters 24-43: Goal g4. Prover result is: Unknown or time/memory/step limit. The program does not comply to the verification goal, for example during the following execution: File int.mlw: Line 13: Constant zero initialization zero = 0 Line 14: Constant one initialization one = 1 File ieee_float.mlw: Line 861: Constant zeroF initialization Line 63: (giant-step) execution of unimplemented function with args: result = UNDEFINED Line 861: zeroF = UNDEFINED Line 223: max_real = 0.0 Line 224: max_int = 0 File floats.mlw: Line 11: x = (0x1.4p0:t) x = (0x1.4p0:t) Execution of main function `g4'goal` with env: max_real = 0.0 max_int = 0 x = (0x1.4p0:t) zero = 0 one = 1 zeroF = UNDEFINED Unknown location: Normal execution of function `Tuple0` with args: File floats.mlw: Line 11: Property failure at postcondition of `g4'goal` with: x = (0x1.4p0:t) Categorizations of models: - Selected model 0: NC - Concrete RAC: FAILURE (postcondition at "bench/check-ce/floats.mlw", line 13, characters 24-43) - Abstract RAC: FAILURE (postcondition at "bench/check-ce/floats.mlw", line 13, characters 24-43) - Checked model 1: INCOMPLETE - Concrete RAC: INCOMPLETE (terminated because Postcondition of `g5'goal1` cannot be evaluated) - Abstract RAC: INCOMPLETE (terminated because Postcondition of `g5'goal1` cannot be evaluated) File "bench/check-ce/floats.mlw", line 13, characters 24-43: Goal g5. Prover result is: Unknown or time/memory/step limit. The program does not comply to the verification goal, for example during the following execution: File int.mlw: Line 13: Constant zero initialization zero = 0 Line 14: Constant one initialization one = 1 File ieee_float.mlw: Line 861: Constant zeroF initialization Line 63: (giant-step) execution of unimplemented function with args: result = UNDEFINED Line 861: zeroF = UNDEFINED Line 223: max_real = 0.0 Line 224: max_int = 0 File floats.mlw: Line 13: x = (0x1.100002p18:t) x = (0x1.100002p18:t) Execution of main function `g5'goal` with env: max_real = 0.0 max_int = 0 x = (0x1.100002p18:t) zero = 0 one = 1 zeroF = UNDEFINED Unknown location: Normal execution of function `Tuple0` with args: File floats.mlw: Line 13: Property failure at postcondition of `g5'goal` with: x = (0x1.100002p18:t) Categorizations of models: - Selected model 0: NC - Concrete RAC: FAILURE (postcondition at "bench/check-ce/floats.mlw", line 15, characters 24-30) - Abstract RAC: FAILURE (postcondition at "bench/check-ce/floats.mlw", line 15, characters 24-30) - Checked model 1: INCOMPLETE - Concrete RAC: INCOMPLETE (terminated because Postcondition of `g6'goal1` cannot be evaluated) - Abstract RAC: INCOMPLETE (terminated because Postcondition of `g6'goal1` cannot be evaluated) File "bench/check-ce/floats.mlw", line 15, characters 24-30: Goal g6. Prover result is: Unknown or time/memory/step limit. The program does not comply to the verification goal, for example during the following execution: File int.mlw: Line 13: Constant zero initialization zero = 0 Line 14: Constant one initialization one = 1 File ieee_float.mlw: Line 861: Constant zeroF initialization Line 63: (giant-step) execution of unimplemented function with args: result = UNDEFINED Line 861: zeroF = UNDEFINED Line 223: max_real = 0.0 Line 224: max_int = 0 File floats.mlw: Line 15: x = epsilon x:t. is_nan x x = epsilon x:t. is_nan x Execution of main function `g6'goal` with env: max_real = 0.0 max_int = 0 x = epsilon x:t. is_nan x zero = 0 one = 1 zeroF = UNDEFINED Unknown location: Normal execution of function `Tuple0` with args: File floats.mlw: Line 15: Property failure at postcondition of `g6'goal` with: x = epsilon x:t. is_nan x Categorizations of models: - Selected model 0: NC - Concrete RAC: FAILURE (postcondition at "bench/check-ce/floats.mlw", line 17, characters 40-64) - Abstract RAC: FAILURE (postcondition at "bench/check-ce/floats.mlw", line 17, characters 40-64) - Checked model 1: INCOMPLETE - Concrete RAC: INCOMPLETE (terminated because Precondition of `g7'goal1` cannot be evaluated) - Abstract RAC: INCOMPLETE (terminated because Precondition of `g7'goal1` cannot be evaluated) File "bench/check-ce/floats.mlw", line 17, characters 40-64: Goal g7. Prover result is: Unknown or time/memory/step limit. The program does not comply to the verification goal, for example during the following execution: File int.mlw: Line 13: Constant zero initialization zero = 0 Line 14: Constant one initialization one = 1 File ieee_float.mlw: Line 861: Constant zeroF initialization Line 63: (giant-step) execution of unimplemented function with args: result = UNDEFINED Line 861: zeroF = UNDEFINED Line 223: max_real = 0.0 Line 224: max_int = 0 File floats.mlw: Line 17: x = (0x1.0p89:t) x = (0x1.0p89:t) Execution of main function `g7'goal` with env: max_real = 0.0 max_int = 0 x = (0x1.0p89:t) zero = 0 one = 1 zeroF = UNDEFINED Unknown location: Normal execution of function `Tuple0` with args: File floats.mlw: Line 17: Property failure at postcondition of `g7'goal` with: RNE = UNDEFINED x = (0x1.0p89:t) Categorizations of models: - Selected model 0: INCOMPLETE - Concrete RAC: INCOMPLETE (terminated because Postcondition of `g8'goal` cannot be evaluated) - Abstract RAC: INCOMPLETE (terminated because Postcondition of `g8'goal` cannot be evaluated) - Checked model 1: INCOMPLETE - Concrete RAC: INCOMPLETE (terminated because Postcondition of `g8'goal1` cannot be evaluated) - Abstract RAC: INCOMPLETE (terminated because Postcondition of `g8'goal1` cannot be evaluated) File "bench/check-ce/floats.mlw", line 19, characters 24-60: Goal g8. Prover result is: Unknown or time/memory/step limit. The following counterexample model could not be verified (both RAC terminated because Postcondition of `g8'goal` cannot be evaluated): File ieee_float.mlw: Line 223: max_real : real = 0.0 Line 224: max_int : int = 0 File real.mlw: Line 203: sqrt : real -> real = [|_ => 0.0|] File floats.mlw: Line 19: x : t = ∞ Categorizations of models: - Selected model 0: NC - Concrete RAC: FAILURE (postcondition at "bench/check-ce/floats.mlw", line 21, characters 40-70) - Abstract RAC: FAILURE (postcondition at "bench/check-ce/floats.mlw", line 21, characters 40-70) - Checked model 1: INCOMPLETE - Concrete RAC: INCOMPLETE (terminated because Precondition of `g9'goal1` cannot be evaluated) - Abstract RAC: INCOMPLETE (terminated because Precondition of `g9'goal1` cannot be evaluated) File "bench/check-ce/floats.mlw", line 21, characters 40-70: Goal g9. Prover result is: Unknown or time/memory/step limit. The program does not comply to the verification goal, for example during the following execution: File int.mlw: Line 13: Constant zero initialization zero = 0 Line 14: Constant one initialization one = 1 File ieee_float.mlw: Line 861: Constant zeroF initialization Line 63: (giant-step) execution of unimplemented function with args: result = UNDEFINED Line 861: zeroF = UNDEFINED Line 223: max_real = 0.0 Line 224: max_int = 0 File floats.mlw: Line 21: x = (0x0.000002p-126:t) x = (0x0.000002p-126:t) Execution of main function `g9'goal` with env: max_real = 0.0 max_int = 0 x = (0x0.000002p-126:t) zero = 0 one = 1 zeroF = UNDEFINED Unknown location: Normal execution of function `Tuple0` with args: File floats.mlw: Line 21: Property failure at postcondition of `g9'goal` with: RNE = UNDEFINED x = (0x0.000002p-126:t) Categorizations of models: - Selected model 0: NC - Concrete RAC: FAILURE (postcondition at "bench/check-ce/floats.mlw", line 24, characters 24-98) - Abstract RAC: FAILURE (postcondition at "bench/check-ce/floats.mlw", line 24, characters 24-98) - Checked model 1: INCOMPLETE - Concrete RAC: INCOMPLETE (terminated because Postcondition of `g10'goal1` cannot be evaluated) - Abstract RAC: INCOMPLETE (terminated because Postcondition of `g10'goal1` cannot be evaluated) File "bench/check-ce/floats.mlw", line 24, characters 24-98: Goal g10. Prover result is: Unknown or time/memory/step limit. The program does not comply to the verification goal, for example during the following execution: File int.mlw: Line 13: Constant zero initialization zero = 0 Line 14: Constant one initialization one = 1 File ieee_float.mlw: Line 861: Constant zeroF initialization Line 63: (giant-step) execution of unimplemented function with args: result = UNDEFINED Line 861: zeroF = UNDEFINED Line 223: max_real = 0.0 Line 224: max_int = 0 File floats.mlw: Line 24: x = (0x1.99999Cp-4:t) x = (0x1.99999Cp-4:t) Execution of main function `g10'goal` with env: max_real = 0.0 max_int = 0 x = (0x1.99999Cp-4:t) zero = 0 one = 1 zeroF = UNDEFINED Unknown location: Normal execution of function `Tuple0` with args: File floats.mlw: Line 24: Property failure at postcondition of `g10'goal` with: RNE = UNDEFINED RTZ = UNDEFINED x = (0x1.99999Cp-4:t) Categorizations of models: - Selected model 0: NC - Concrete RAC: FAILURE (postcondition at "bench/check-ce/floats.mlw", line 26, characters 24-47) - Abstract RAC: FAILURE (postcondition at "bench/check-ce/floats.mlw", line 26, characters 24-47) - Checked model 1: INCOMPLETE - Concrete RAC: INCOMPLETE (terminated because Postcondition of `g11'goal1` cannot be evaluated) - Abstract RAC: INCOMPLETE (terminated because Postcondition of `g11'goal1` cannot be evaluated) File "bench/check-ce/floats.mlw", line 26, characters 24-47: Goal g11. Prover result is: Unknown or time/memory/step limit. The program does not comply to the verification goal, for example during the following execution: File int.mlw: Line 13: Constant zero initialization zero = 0 Line 14: Constant one initialization one = 1 File ieee_float.mlw: Line 861: Constant zeroF initialization Line 63: (giant-step) execution of unimplemented function with args: result = UNDEFINED Line 861: zeroF = UNDEFINED Line 223: max_real = 0.0 Line 224: max_int = 0 File floats.mlw: Line 26: x = (0x1.0p-126:t) x = (0x1.0p-126:t) Execution of main function `g11'goal` with env: max_real = 0.0 max_int = 0 x = (0x1.0p-126:t) zero = 0 one = 1 zeroF = UNDEFINED Unknown location: Normal execution of function `Tuple0` with args: File floats.mlw: Line 26: Property failure at postcondition of `g11'goal` with: x = (0x1.0p-126:t) Categorizations of models: - Selected model 0: NC - Concrete RAC: FAILURE (postcondition at "bench/check-ce/floats.mlw", line 29, characters 24-54) - Abstract RAC: FAILURE (postcondition at "bench/check-ce/floats.mlw", line 29, characters 24-54) - Checked model 1: INCOMPLETE - Concrete RAC: INCOMPLETE (terminated because Postcondition of `g12'goal1` cannot be evaluated) - Abstract RAC: INCOMPLETE (terminated because Postcondition of `g12'goal1` cannot be evaluated) File "bench/check-ce/floats.mlw", line 29, characters 24-54: Goal g12. Prover result is: Unknown or time/memory/step limit. The program does not comply to the verification goal, for example during the following execution: File int.mlw: Line 13: Constant zero initialization zero = 0 Line 14: Constant one initialization one = 1 File ieee_float.mlw: Line 861: Constant zeroF initialization Line 63: (giant-step) execution of unimplemented function with args: result = UNDEFINED Line 861: zeroF = UNDEFINED Line 223: max_real = 0.0 Line 224: max_int = 0 File floats.mlw: Line 29: x = (0x0.FFFFFEp-126:t) x = (0x0.FFFFFEp-126:t) Execution of main function `g12'goal` with env: max_real = 0.0 max_int = 0 x = (0x0.FFFFFEp-126:t) zero = 0 one = 1 zeroF = UNDEFINED Unknown location: Normal execution of function `Tuple0` with args: File floats.mlw: Line 29: Property failure at postcondition of `g12'goal` with: x = (0x0.FFFFFEp-126:t) Categorizations of models: - Selected model 0: NC - Concrete RAC: FAILURE (postcondition at "bench/check-ce/floats.mlw", line 32, characters 24-47) - Abstract RAC: FAILURE (postcondition at "bench/check-ce/floats.mlw", line 32, characters 24-47) - Checked model 1: INCOMPLETE - Concrete RAC: INCOMPLETE (terminated because Postcondition of `g13'goal1` cannot be evaluated) - Abstract RAC: INCOMPLETE (terminated because Postcondition of `g13'goal1` cannot be evaluated) File "bench/check-ce/floats.mlw", line 32, characters 24-47: Goal g13. Prover result is: Unknown or time/memory/step limit. The program does not comply to the verification goal, for example during the following execution: File int.mlw: Line 13: Constant zero initialization zero = 0 Line 14: Constant one initialization one = 1 File ieee_float.mlw: Line 861: Constant zeroF initialization Line 63: (giant-step) execution of unimplemented function with args: result = UNDEFINED Line 861: zeroF = UNDEFINED Line 223: max_real = 0.0 Line 224: max_int = 0 File floats.mlw: Line 32: x = (0x0.8p-126:t) x = (0x0.8p-126:t) Execution of main function `g13'goal` with env: max_real = 0.0 max_int = 0 x = (0x0.8p-126:t) zero = 0 one = 1 zeroF = UNDEFINED Unknown location: Normal execution of function `Tuple0` with args: File floats.mlw: Line 32: Property failure at postcondition of `g13'goal` with: x = (0x0.8p-126:t) Categorizations of models: - Selected model 0: NC - Concrete RAC: FAILURE (postcondition at "bench/check-ce/floats.mlw", line 41, characters 40-52) - Abstract RAC: FAILURE (postcondition at "bench/check-ce/floats.mlw", line 41, characters 40-52) - Checked model 1: INCOMPLETE - Concrete RAC: INCOMPLETE (terminated because Precondition of `g1'goal3` cannot be evaluated) - Abstract RAC: INCOMPLETE (terminated because Precondition of `g1'goal3` cannot be evaluated) File "bench/check-ce/floats.mlw", line 41, characters 40-52: Goal g1. Prover result is: Unknown or time/memory/step limit. The program does not comply to the verification goal, for example during the following execution: File int.mlw: Line 13: Constant zero initialization zero = 0 Line 14: Constant one initialization one = 1 File ieee_float.mlw: Line 902: Constant zeroF initialization Line 63: (giant-step) execution of unimplemented function with args: result = UNDEFINED Line 902: zeroF = UNDEFINED Line 223: max_real = 0.0 Line 224: max_int = 0 File floats.mlw: Line 41: x = ((- 0x1.0p0):t1) x = ((- 0x1.0p0):t1) Execution of main function `g1'goal` with env: max_real = 0.0 max_int = 0 x = ((- 0x1.0p0):t1) zero = 0 one = 1 zeroF = UNDEFINED Unknown location: Normal execution of function `Tuple0` with args: File floats.mlw: Line 41: Property failure at postcondition of `g1'goal2` with: x = ((- 0x1.0p0):t1) Categorizations of models: - Selected model 0: NC - Concrete RAC: FAILURE (postcondition at "bench/check-ce/floats.mlw", line 43, characters 40-53) - Abstract RAC: FAILURE (postcondition at "bench/check-ce/floats.mlw", line 43, characters 40-53) - Checked model 1: INCOMPLETE - Concrete RAC: INCOMPLETE (terminated because Precondition of `g2'goal3` cannot be evaluated) - Abstract RAC: INCOMPLETE (terminated because Precondition of `g2'goal3` cannot be evaluated) File "bench/check-ce/floats.mlw", line 43, characters 40-53: Goal g2. Prover result is: Unknown or time/memory/step limit. The program does not comply to the verification goal, for example during the following execution: File int.mlw: Line 13: Constant zero initialization zero = 0 Line 14: Constant one initialization one = 1 File ieee_float.mlw: Line 902: Constant zeroF initialization Line 63: (giant-step) execution of unimplemented function with args: result = UNDEFINED Line 902: zeroF = UNDEFINED Line 223: max_real = 0.0 Line 224: max_int = 0 File floats.mlw: Line 43: x = (0x1.4p1:t1) x = (0x1.4p1:t1) Execution of main function `g2'goal` with env: max_real = 0.0 max_int = 0 x = (0x1.4p1:t1) zero = 0 one = 1 zeroF = UNDEFINED Unknown location: Normal execution of function `Tuple0` with args: File floats.mlw: Line 43: Property failure at postcondition of `g2'goal2` with: x = (0x1.4p1:t1) Categorizations of models: - Selected model 0: NC - Concrete RAC: FAILURE (postcondition at "bench/check-ce/floats.mlw", line 45, characters 24-42) - Abstract RAC: FAILURE (postcondition at "bench/check-ce/floats.mlw", line 45, characters 24-42) - Checked model 1: INCOMPLETE - Concrete RAC: INCOMPLETE (terminated because Postcondition of `g3'goal3` cannot be evaluated) - Abstract RAC: INCOMPLETE (terminated because Postcondition of `g3'goal3` cannot be evaluated) File "bench/check-ce/floats.mlw", line 45, characters 24-42: Goal g3. Prover result is: Unknown or time/memory/step limit. The program does not comply to the verification goal, for example during the following execution: File int.mlw: Line 13: Constant zero initialization zero = 0 Line 14: Constant one initialization one = 1 File ieee_float.mlw: Line 902: Constant zeroF initialization Line 63: (giant-step) execution of unimplemented function with args: result = UNDEFINED Line 902: zeroF = UNDEFINED Line 223: max_real = 0.0 Line 224: max_int = 0 File floats.mlw: Line 45: x = (0.0:t1) x = (0.0:t1) Execution of main function `g3'goal` with env: max_real = 0.0 max_int = 0 x = (0.0:t1) zero = 0 one = 1 zeroF = UNDEFINED Unknown location: Normal execution of function `Tuple0` with args: File floats.mlw: Line 45: Property failure at postcondition of `g3'goal2` with: x = (0.0:t1) Categorizations of models: - Selected model 0: NC - Concrete RAC: FAILURE (postcondition at "bench/check-ce/floats.mlw", line 47, characters 24-43) - Abstract RAC: FAILURE (postcondition at "bench/check-ce/floats.mlw", line 47, characters 24-43) - Checked model 1: INCOMPLETE - Concrete RAC: INCOMPLETE (terminated because Postcondition of `g4'goal3` cannot be evaluated) - Abstract RAC: INCOMPLETE (terminated because Postcondition of `g4'goal3` cannot be evaluated) File "bench/check-ce/floats.mlw", line 47, characters 24-43: Goal g4. Prover result is: Unknown or time/memory/step limit. The program does not comply to the verification goal, for example during the following execution: File int.mlw: Line 13: Constant zero initialization zero = 0 Line 14: Constant one initialization one = 1 File ieee_float.mlw: Line 902: Constant zeroF initialization Line 63: (giant-step) execution of unimplemented function with args: result = UNDEFINED Line 902: zeroF = UNDEFINED Line 223: max_real = 0.0 Line 224: max_int = 0 File floats.mlw: Line 47: x = (0x1.4p0:t1) x = (0x1.4p0:t1) Execution of main function `g4'goal` with env: max_real = 0.0 max_int = 0 x = (0x1.4p0:t1) zero = 0 one = 1 zeroF = UNDEFINED Unknown location: Normal execution of function `Tuple0` with args: File floats.mlw: Line 47: Property failure at postcondition of `g4'goal2` with: x = (0x1.4p0:t1) Categorizations of models: - Selected model 0: NC - Concrete RAC: FAILURE (postcondition at "bench/check-ce/floats.mlw", line 49, characters 24-43) - Abstract RAC: FAILURE (postcondition at "bench/check-ce/floats.mlw", line 49, characters 24-43) - Checked model 1: INCOMPLETE - Concrete RAC: INCOMPLETE (terminated because Postcondition of `g5'goal3` cannot be evaluated) - Abstract RAC: INCOMPLETE (terminated because Postcondition of `g5'goal3` cannot be evaluated) File "bench/check-ce/floats.mlw", line 49, characters 24-43: Goal g5. Prover result is: Unknown or time/memory/step limit. The program does not comply to the verification goal, for example during the following execution: File int.mlw: Line 13: Constant zero initialization zero = 0 Line 14: Constant one initialization one = 1 File ieee_float.mlw: Line 902: Constant zeroF initialization Line 63: (giant-step) execution of unimplemented function with args: result = UNDEFINED Line 902: zeroF = UNDEFINED Line 223: max_real = 0.0 Line 224: max_int = 0 File floats.mlw: Line 49: x = (0x1.1000000000001p34:t1) x = (0x1.1000000000001p34:t1) Execution of main function `g5'goal` with env: max_real = 0.0 max_int = 0 x = (0x1.1000000000001p34:t1) zero = 0 one = 1 zeroF = UNDEFINED Unknown location: Normal execution of function `Tuple0` with args: File floats.mlw: Line 49: Property failure at postcondition of `g5'goal2` with: x = (0x1.1000000000001p34:t1) Categorizations of models: - Selected model 0: NC - Concrete RAC: FAILURE (postcondition at "bench/check-ce/floats.mlw", line 51, characters 24-30) - Abstract RAC: FAILURE (postcondition at "bench/check-ce/floats.mlw", line 51, characters 24-30) - Checked model 1: INCOMPLETE - Concrete RAC: INCOMPLETE (terminated because Postcondition of `g6'goal3` cannot be evaluated) - Abstract RAC: INCOMPLETE (terminated because Postcondition of `g6'goal3` cannot be evaluated) File "bench/check-ce/floats.mlw", line 51, characters 24-30: Goal g6. Prover result is: Unknown or time/memory/step limit. The program does not comply to the verification goal, for example during the following execution: File int.mlw: Line 13: Constant zero initialization zero = 0 Line 14: Constant one initialization one = 1 File ieee_float.mlw: Line 902: Constant zeroF initialization Line 63: (giant-step) execution of unimplemented function with args: result = UNDEFINED Line 902: zeroF = UNDEFINED Line 223: max_real = 0.0 Line 224: max_int = 0 File floats.mlw: Line 51: x = epsilon x:t1. is_nan1 x x = epsilon x:t1. is_nan1 x Execution of main function `g6'goal` with env: max_real = 0.0 max_int = 0 x = epsilon x:t1. is_nan1 x zero = 0 one = 1 zeroF = UNDEFINED Unknown location: Normal execution of function `Tuple0` with args: File floats.mlw: Line 51: Property failure at postcondition of `g6'goal2` with: x = epsilon x:t1. is_nan1 x Categorizations of models: - Selected model 0: NC - Concrete RAC: FAILURE (postcondition at "bench/check-ce/floats.mlw", line 53, characters 40-64) - Abstract RAC: FAILURE (postcondition at "bench/check-ce/floats.mlw", line 53, characters 40-64) - Checked model 1: INCOMPLETE - Concrete RAC: INCOMPLETE (terminated because Precondition of `g7'goal3` cannot be evaluated) - Abstract RAC: INCOMPLETE (terminated because Precondition of `g7'goal3` cannot be evaluated) File "bench/check-ce/floats.mlw", line 53, characters 40-64: Goal g7. Prover result is: Unknown or time/memory/step limit. The program does not comply to the verification goal, for example during the following execution: File int.mlw: Line 13: Constant zero initialization zero = 0 Line 14: Constant one initialization one = 1 File ieee_float.mlw: Line 902: Constant zeroF initialization Line 63: (giant-step) execution of unimplemented function with args: result = UNDEFINED Line 902: zeroF = UNDEFINED Line 223: max_real = 0.0 Line 224: max_int = 0 File floats.mlw: Line 53: x = ((- 0x1.FFFFFFFFFFFFFp58):t1) x = ((- 0x1.FFFFFFFFFFFFFp58):t1) Execution of main function `g7'goal` with env: max_real = 0.0 max_int = 0 x = ((- 0x1.FFFFFFFFFFFFFp58):t1) zero = 0 one = 1 zeroF = UNDEFINED Unknown location: Normal execution of function `Tuple0` with args: File floats.mlw: Line 53: Property failure at postcondition of `g7'goal2` with: RNE = UNDEFINED x = ((- 0x1.FFFFFFFFFFFFFp58):t1) Categorizations of models: - Selected model 0: INCOMPLETE - Concrete RAC: INCOMPLETE (terminated because Postcondition of `g8'goal2` cannot be evaluated) - Abstract RAC: INCOMPLETE (terminated because Postcondition of `g8'goal2` cannot be evaluated) - Checked model 1: INCOMPLETE - Concrete RAC: INCOMPLETE (terminated because Postcondition of `g8'goal3` cannot be evaluated) - Abstract RAC: INCOMPLETE (terminated because Postcondition of `g8'goal3` cannot be evaluated) File "bench/check-ce/floats.mlw", line 55, characters 24-60: Goal g8. Prover result is: Unknown or time/memory/step limit. The following counterexample model could not be verified (both RAC terminated because Postcondition of `g8'goal2` cannot be evaluated): File ieee_float.mlw: Line 223: max_real : real = 0.0 Line 224: max_int : int = 0 File real.mlw: Line 203: sqrt : real -> real = [|_ => 0.0|] File floats.mlw: Line 55: x : t1 = ∞ Categorizations of models: - Selected model 0: NC - Concrete RAC: FAILURE (postcondition at "bench/check-ce/floats.mlw", line 57, characters 40-70) - Abstract RAC: FAILURE (postcondition at "bench/check-ce/floats.mlw", line 57, characters 40-70) - Checked model 1: INCOMPLETE - Concrete RAC: INCOMPLETE (terminated because Precondition of `g9'goal3` cannot be evaluated) - Abstract RAC: INCOMPLETE (terminated because Precondition of `g9'goal3` cannot be evaluated) File "bench/check-ce/floats.mlw", line 57, characters 40-70: Goal g9. Prover result is: Unknown or time/memory/step limit. The program does not comply to the verification goal, for example during the following execution: File int.mlw: Line 13: Constant zero initialization zero = 0 Line 14: Constant one initialization one = 1 File ieee_float.mlw: Line 902: Constant zeroF initialization Line 63: (giant-step) execution of unimplemented function with args: result = UNDEFINED Line 902: zeroF = UNDEFINED Line 223: max_real = 0.0 Line 224: max_int = 0 File floats.mlw: Line 57: x = (0x0.0000000000001p-1022:t1) x = (0x0.0000000000001p-1022:t1) Execution of main function `g9'goal` with env: max_real = 0.0 max_int = 0 x = (0x0.0000000000001p-1022:t1) zero = 0 one = 1 zeroF = UNDEFINED Unknown location: Normal execution of function `Tuple0` with args: File floats.mlw: Line 57: Property failure at postcondition of `g9'goal2` with: RNE = UNDEFINED x = (0x0.0000000000001p-1022:t1) Categorizations of models: - Selected model 0: NC - Concrete RAC: FAILURE (postcondition at "bench/check-ce/floats.mlw", line 60, characters 24-98) - Abstract RAC: FAILURE (postcondition at "bench/check-ce/floats.mlw", line 60, characters 24-98) - Checked model 1: INCOMPLETE - Concrete RAC: INCOMPLETE (terminated because Postcondition of `g10'goal3` cannot be evaluated) - Abstract RAC: INCOMPLETE (terminated because Postcondition of `g10'goal3` cannot be evaluated) File "bench/check-ce/floats.mlw", line 60, characters 24-98: Goal g10. Prover result is: Unknown or time/memory/step limit. The program does not comply to the verification goal, for example during the following execution: File int.mlw: Line 13: Constant zero initialization zero = 0 Line 14: Constant one initialization one = 1 File ieee_float.mlw: Line 902: Constant zeroF initialization Line 63: (giant-step) execution of unimplemented function with args: result = UNDEFINED Line 902: zeroF = UNDEFINED Line 223: max_real = 0.0 Line 224: max_int = 0 File floats.mlw: Line 60: x = (0x1.999999999999Bp-4:t1) x = (0x1.999999999999Bp-4:t1) Execution of main function `g10'goal` with env: max_real = 0.0 max_int = 0 x = (0x1.999999999999Bp-4:t1) zero = 0 one = 1 zeroF = UNDEFINED Unknown location: Normal execution of function `Tuple0` with args: File floats.mlw: Line 60: Property failure at postcondition of `g10'goal2` with: RNE = UNDEFINED RTZ = UNDEFINED x = (0x1.999999999999Bp-4:t1) Categorizations of models: - Selected model 0: NC - Concrete RAC: FAILURE (postcondition at "bench/check-ce/floats.mlw", line 62, characters 24-48) - Abstract RAC: FAILURE (postcondition at "bench/check-ce/floats.mlw", line 62, characters 24-48) - Checked model 1: INCOMPLETE - Concrete RAC: INCOMPLETE (terminated because Postcondition of `g11'goal3` cannot be evaluated) - Abstract RAC: INCOMPLETE (terminated because Postcondition of `g11'goal3` cannot be evaluated) File "bench/check-ce/floats.mlw", line 62, characters 24-48: Goal g11. Prover result is: Unknown or time/memory/step limit. The program does not comply to the verification goal, for example during the following execution: File int.mlw: Line 13: Constant zero initialization zero = 0 Line 14: Constant one initialization one = 1 File ieee_float.mlw: Line 902: Constant zeroF initialization Line 63: (giant-step) execution of unimplemented function with args: result = UNDEFINED Line 902: zeroF = UNDEFINED Line 223: max_real = 0.0 Line 224: max_int = 0 File floats.mlw: Line 62: x = (0x1.0p-1022:t1) x = (0x1.0p-1022:t1) Execution of main function `g11'goal` with env: max_real = 0.0 max_int = 0 x = (0x1.0p-1022:t1) zero = 0 one = 1 zeroF = UNDEFINED Unknown location: Normal execution of function `Tuple0` with args: File floats.mlw: Line 62: Property failure at postcondition of `g11'goal2` with: x = (0x1.0p-1022:t1) Categorizations of models: - Selected model 0: NC - Concrete RAC: FAILURE (postcondition at "bench/check-ce/floats.mlw", line 65, characters 24-62) - Abstract RAC: FAILURE (postcondition at "bench/check-ce/floats.mlw", line 65, characters 24-62) - Checked model 1: INCOMPLETE - Concrete RAC: INCOMPLETE (terminated because Postcondition of `g12'goal3` cannot be evaluated) - Abstract RAC: INCOMPLETE (terminated because Postcondition of `g12'goal3` cannot be evaluated) File "bench/check-ce/floats.mlw", line 65, characters 24-62: Goal g12. Prover result is: Unknown or time/memory/step limit. The program does not comply to the verification goal, for example during the following execution: File int.mlw: Line 13: Constant zero initialization zero = 0 Line 14: Constant one initialization one = 1 File ieee_float.mlw: Line 902: Constant zeroF initialization Line 63: (giant-step) execution of unimplemented function with args: result = UNDEFINED Line 902: zeroF = UNDEFINED Line 223: max_real = 0.0 Line 224: max_int = 0 File floats.mlw: Line 65: x = (0x0.FFFFFFFFFFFFFp-1022:t1) x = (0x0.FFFFFFFFFFFFFp-1022:t1) Execution of main function `g12'goal` with env: max_real = 0.0 max_int = 0 x = (0x0.FFFFFFFFFFFFFp-1022:t1) zero = 0 one = 1 zeroF = UNDEFINED Unknown location: Normal execution of function `Tuple0` with args: File floats.mlw: Line 65: Property failure at postcondition of `g12'goal2` with: x = (0x0.FFFFFFFFFFFFFp-1022:t1) Categorizations of models: - Selected model 0: NC - Concrete RAC: FAILURE (postcondition at "bench/check-ce/floats.mlw", line 68, characters 24-48) - Abstract RAC: FAILURE (postcondition at "bench/check-ce/floats.mlw", line 68, characters 24-48) - Checked model 1: INCOMPLETE - Concrete RAC: INCOMPLETE (terminated because Postcondition of `g13'goal3` cannot be evaluated) - Abstract RAC: INCOMPLETE (terminated because Postcondition of `g13'goal3` cannot be evaluated) File "bench/check-ce/floats.mlw", line 68, characters 24-48: Goal g13. Prover result is: Unknown or time/memory/step limit. The program does not comply to the verification goal, for example during the following execution: File int.mlw: Line 13: Constant zero initialization zero = 0 Line 14: Constant one initialization one = 1 File ieee_float.mlw: Line 902: Constant zeroF initialization Line 63: (giant-step) execution of unimplemented function with args: result = UNDEFINED Line 902: zeroF = UNDEFINED Line 223: max_real = 0.0 Line 224: max_int = 0 File floats.mlw: Line 68: x = (0x0.8p-1022:t1) x = (0x0.8p-1022:t1) Execution of main function `g13'goal` with env: max_real = 0.0 max_int = 0 x = (0x0.8p-1022:t1) zero = 0 one = 1 zeroF = UNDEFINED Unknown location: Normal execution of function `Tuple0` with args: File floats.mlw: Line 68: Property failure at postcondition of `g13'goal2` with: x = (0x0.8p-1022:t1) why3-1.6.0/bench/check-ce/oracles/floats_CVC5,1.0.0_WP.oracle000066400000000000000000001144631440160026300230640ustar00rootroot00000000000000Categorizations of models: - Selected model 0: NC - Concrete RAC: FAILURE (postcondition at "bench/check-ce/floats.mlw", line 5, characters 40-52) - Abstract RAC: FAILURE (postcondition at "bench/check-ce/floats.mlw", line 5, characters 40-52) - Checked model 1: INCOMPLETE - Concrete RAC: INCOMPLETE (terminated because Precondition of `g1'goal1` cannot be evaluated) - Abstract RAC: INCOMPLETE (terminated because Precondition of `g1'goal1` cannot be evaluated) File "bench/check-ce/floats.mlw", line 5, characters 40-52: Goal g1. Prover result is: Unknown or time/memory/step limit. The program does not comply to the verification goal, for example during the following execution: File int.mlw: Line 13: Constant zero initialization zero = 0 Line 14: Constant one initialization one = 1 File ieee_float.mlw: Line 861: Constant zeroF initialization Line 63: (giant-step) execution of unimplemented function with args: result = UNDEFINED Line 861: zeroF = UNDEFINED Line 223: max_real = 0.0 Line 224: max_int = 0 File floats.mlw: Line 5: x = ((- 0x1.0p0):t) x = ((- 0x1.0p0):t) Execution of main function `g1'goal` with env: max_real = 0.0 max_int = 0 x = ((- 0x1.0p0):t) zero = 0 one = 1 zeroF = UNDEFINED Unknown location: Normal execution of function `Tuple0` with args: File floats.mlw: Line 5: Property failure at postcondition of `g1'goal` with: x = ((- 0x1.0p0):t) Categorizations of models: - Selected model 0: NC - Concrete RAC: FAILURE (postcondition at "bench/check-ce/floats.mlw", line 7, characters 40-53) - Abstract RAC: FAILURE (postcondition at "bench/check-ce/floats.mlw", line 7, characters 40-53) - Checked model 1: INCOMPLETE - Concrete RAC: INCOMPLETE (terminated because Precondition of `g2'goal1` cannot be evaluated) - Abstract RAC: INCOMPLETE (terminated because Precondition of `g2'goal1` cannot be evaluated) File "bench/check-ce/floats.mlw", line 7, characters 40-53: Goal g2. Prover result is: Unknown or time/memory/step limit. The program does not comply to the verification goal, for example during the following execution: File int.mlw: Line 13: Constant zero initialization zero = 0 Line 14: Constant one initialization one = 1 File ieee_float.mlw: Line 861: Constant zeroF initialization Line 63: (giant-step) execution of unimplemented function with args: result = UNDEFINED Line 861: zeroF = UNDEFINED Line 223: max_real = 0.0 Line 224: max_int = 0 File floats.mlw: Line 7: x = (0x1.4p1:t) x = (0x1.4p1:t) Execution of main function `g2'goal` with env: max_real = 0.0 max_int = 0 x = (0x1.4p1:t) zero = 0 one = 1 zeroF = UNDEFINED Unknown location: Normal execution of function `Tuple0` with args: File floats.mlw: Line 7: Property failure at postcondition of `g2'goal` with: x = (0x1.4p1:t) Categorizations of models: - Selected model 0: NC - Concrete RAC: FAILURE (postcondition at "bench/check-ce/floats.mlw", line 9, characters 24-42) - Abstract RAC: FAILURE (postcondition at "bench/check-ce/floats.mlw", line 9, characters 24-42) - Checked model 1: INCOMPLETE - Concrete RAC: INCOMPLETE (terminated because Postcondition of `g3'goal1` cannot be evaluated) - Abstract RAC: INCOMPLETE (terminated because Postcondition of `g3'goal1` cannot be evaluated) File "bench/check-ce/floats.mlw", line 9, characters 24-42: Goal g3. Prover result is: Unknown or time/memory/step limit. The program does not comply to the verification goal, for example during the following execution: File int.mlw: Line 13: Constant zero initialization zero = 0 Line 14: Constant one initialization one = 1 File ieee_float.mlw: Line 861: Constant zeroF initialization Line 63: (giant-step) execution of unimplemented function with args: result = UNDEFINED Line 861: zeroF = UNDEFINED Line 223: max_real = 0.0 Line 224: max_int = 0 File floats.mlw: Line 9: x = (0.0:t) x = (0.0:t) Execution of main function `g3'goal` with env: max_real = 0.0 max_int = 0 x = (0.0:t) zero = 0 one = 1 zeroF = UNDEFINED Unknown location: Normal execution of function `Tuple0` with args: File floats.mlw: Line 9: Property failure at postcondition of `g3'goal` with: x = (0.0:t) Categorizations of models: - Selected model 0: NC - Concrete RAC: FAILURE (postcondition at "bench/check-ce/floats.mlw", line 11, characters 24-43) - Abstract RAC: FAILURE (postcondition at "bench/check-ce/floats.mlw", line 11, characters 24-43) - Checked model 1: INCOMPLETE - Concrete RAC: INCOMPLETE (terminated because Postcondition of `g4'goal1` cannot be evaluated) - Abstract RAC: INCOMPLETE (terminated because Postcondition of `g4'goal1` cannot be evaluated) File "bench/check-ce/floats.mlw", line 11, characters 24-43: Goal g4. Prover result is: Unknown or time/memory/step limit. The program does not comply to the verification goal, for example during the following execution: File int.mlw: Line 13: Constant zero initialization zero = 0 Line 14: Constant one initialization one = 1 File ieee_float.mlw: Line 861: Constant zeroF initialization Line 63: (giant-step) execution of unimplemented function with args: result = UNDEFINED Line 861: zeroF = UNDEFINED Line 223: max_real = 0.0 Line 224: max_int = 0 File floats.mlw: Line 11: x = (0x1.4p0:t) x = (0x1.4p0:t) Execution of main function `g4'goal` with env: max_real = 0.0 max_int = 0 x = (0x1.4p0:t) zero = 0 one = 1 zeroF = UNDEFINED Unknown location: Normal execution of function `Tuple0` with args: File floats.mlw: Line 11: Property failure at postcondition of `g4'goal` with: x = (0x1.4p0:t) Categorizations of models: - Selected model 0: NC - Concrete RAC: FAILURE (postcondition at "bench/check-ce/floats.mlw", line 13, characters 24-43) - Abstract RAC: FAILURE (postcondition at "bench/check-ce/floats.mlw", line 13, characters 24-43) - Checked model 1: INCOMPLETE - Concrete RAC: INCOMPLETE (terminated because Postcondition of `g5'goal1` cannot be evaluated) - Abstract RAC: INCOMPLETE (terminated because Postcondition of `g5'goal1` cannot be evaluated) File "bench/check-ce/floats.mlw", line 13, characters 24-43: Goal g5. Prover result is: Unknown or time/memory/step limit. The program does not comply to the verification goal, for example during the following execution: File int.mlw: Line 13: Constant zero initialization zero = 0 Line 14: Constant one initialization one = 1 File ieee_float.mlw: Line 861: Constant zeroF initialization Line 63: (giant-step) execution of unimplemented function with args: result = UNDEFINED Line 861: zeroF = UNDEFINED Line 223: max_real = 0.0 Line 224: max_int = 0 File floats.mlw: Line 13: x = (0x1.100002p18:t) x = (0x1.100002p18:t) Execution of main function `g5'goal` with env: max_real = 0.0 max_int = 0 x = (0x1.100002p18:t) zero = 0 one = 1 zeroF = UNDEFINED Unknown location: Normal execution of function `Tuple0` with args: File floats.mlw: Line 13: Property failure at postcondition of `g5'goal` with: x = (0x1.100002p18:t) Categorizations of models: - Selected model 0: NC - Concrete RAC: FAILURE (postcondition at "bench/check-ce/floats.mlw", line 15, characters 24-30) - Abstract RAC: FAILURE (postcondition at "bench/check-ce/floats.mlw", line 15, characters 24-30) - Checked model 1: INCOMPLETE - Concrete RAC: INCOMPLETE (terminated because Postcondition of `g6'goal1` cannot be evaluated) - Abstract RAC: INCOMPLETE (terminated because Postcondition of `g6'goal1` cannot be evaluated) File "bench/check-ce/floats.mlw", line 15, characters 24-30: Goal g6. Prover result is: Unknown or time/memory/step limit. The program does not comply to the verification goal, for example during the following execution: File int.mlw: Line 13: Constant zero initialization zero = 0 Line 14: Constant one initialization one = 1 File ieee_float.mlw: Line 861: Constant zeroF initialization Line 63: (giant-step) execution of unimplemented function with args: result = UNDEFINED Line 861: zeroF = UNDEFINED Line 223: max_real = 0.0 Line 224: max_int = 0 File floats.mlw: Line 15: x = epsilon x:t. is_nan x x = epsilon x:t. is_nan x Execution of main function `g6'goal` with env: max_real = 0.0 max_int = 0 x = epsilon x:t. is_nan x zero = 0 one = 1 zeroF = UNDEFINED Unknown location: Normal execution of function `Tuple0` with args: File floats.mlw: Line 15: Property failure at postcondition of `g6'goal` with: x = epsilon x:t. is_nan x Categorizations of models: - Selected model 0: NC - Concrete RAC: FAILURE (postcondition at "bench/check-ce/floats.mlw", line 17, characters 40-64) - Abstract RAC: FAILURE (postcondition at "bench/check-ce/floats.mlw", line 17, characters 40-64) - Checked model 1: INCOMPLETE - Concrete RAC: INCOMPLETE (terminated because Precondition of `g7'goal1` cannot be evaluated) - Abstract RAC: INCOMPLETE (terminated because Precondition of `g7'goal1` cannot be evaluated) File "bench/check-ce/floats.mlw", line 17, characters 40-64: Goal g7. Prover result is: Unknown or time/memory/step limit. The program does not comply to the verification goal, for example during the following execution: File int.mlw: Line 13: Constant zero initialization zero = 0 Line 14: Constant one initialization one = 1 File ieee_float.mlw: Line 861: Constant zeroF initialization Line 63: (giant-step) execution of unimplemented function with args: result = UNDEFINED Line 861: zeroF = UNDEFINED Line 223: max_real = 0.0 Line 224: max_int = 0 File floats.mlw: Line 17: x = (0x1.0p89:t) x = (0x1.0p89:t) Execution of main function `g7'goal` with env: max_real = 0.0 max_int = 0 x = (0x1.0p89:t) zero = 0 one = 1 zeroF = UNDEFINED Unknown location: Normal execution of function `Tuple0` with args: File floats.mlw: Line 17: Property failure at postcondition of `g7'goal` with: RNE = UNDEFINED x = (0x1.0p89:t) Categorizations of models: - Selected model 0: INCOMPLETE - Concrete RAC: INCOMPLETE (terminated because Postcondition of `g8'goal` cannot be evaluated) - Abstract RAC: INCOMPLETE (terminated because Postcondition of `g8'goal` cannot be evaluated) - Checked model 1: INCOMPLETE - Concrete RAC: INCOMPLETE (terminated because Postcondition of `g8'goal1` cannot be evaluated) - Abstract RAC: INCOMPLETE (terminated because Postcondition of `g8'goal1` cannot be evaluated) File "bench/check-ce/floats.mlw", line 19, characters 24-60: Goal g8. Prover result is: Unknown or time/memory/step limit. The following counterexample model could not be verified (both RAC terminated because Postcondition of `g8'goal` cannot be evaluated): File ieee_float.mlw: Line 223: max_real : real = 0.0 Line 224: max_int : int = 0 File real.mlw: Line 203: sqrt : real -> real = [|_ => 0.0|] File floats.mlw: Line 19: x : t = ∞ Categorizations of models: - Selected model 0: NC - Concrete RAC: FAILURE (postcondition at "bench/check-ce/floats.mlw", line 21, characters 40-70) - Abstract RAC: FAILURE (postcondition at "bench/check-ce/floats.mlw", line 21, characters 40-70) - Checked model 1: INCOMPLETE - Concrete RAC: INCOMPLETE (terminated because Precondition of `g9'goal1` cannot be evaluated) - Abstract RAC: INCOMPLETE (terminated because Precondition of `g9'goal1` cannot be evaluated) File "bench/check-ce/floats.mlw", line 21, characters 40-70: Goal g9. Prover result is: Unknown or time/memory/step limit. The program does not comply to the verification goal, for example during the following execution: File int.mlw: Line 13: Constant zero initialization zero = 0 Line 14: Constant one initialization one = 1 File ieee_float.mlw: Line 861: Constant zeroF initialization Line 63: (giant-step) execution of unimplemented function with args: result = UNDEFINED Line 861: zeroF = UNDEFINED Line 223: max_real = 0.0 Line 224: max_int = 0 File floats.mlw: Line 21: x = (0x0.000002p-126:t) x = (0x0.000002p-126:t) Execution of main function `g9'goal` with env: max_real = 0.0 max_int = 0 x = (0x0.000002p-126:t) zero = 0 one = 1 zeroF = UNDEFINED Unknown location: Normal execution of function `Tuple0` with args: File floats.mlw: Line 21: Property failure at postcondition of `g9'goal` with: RNE = UNDEFINED x = (0x0.000002p-126:t) Categorizations of models: - Selected model 0: NC - Concrete RAC: FAILURE (postcondition at "bench/check-ce/floats.mlw", line 24, characters 24-98) - Abstract RAC: FAILURE (postcondition at "bench/check-ce/floats.mlw", line 24, characters 24-98) - Checked model 1: INCOMPLETE - Concrete RAC: INCOMPLETE (terminated because Postcondition of `g10'goal1` cannot be evaluated) - Abstract RAC: INCOMPLETE (terminated because Postcondition of `g10'goal1` cannot be evaluated) File "bench/check-ce/floats.mlw", line 24, characters 24-98: Goal g10. Prover result is: Unknown or time/memory/step limit. The program does not comply to the verification goal, for example during the following execution: File int.mlw: Line 13: Constant zero initialization zero = 0 Line 14: Constant one initialization one = 1 File ieee_float.mlw: Line 861: Constant zeroF initialization Line 63: (giant-step) execution of unimplemented function with args: result = UNDEFINED Line 861: zeroF = UNDEFINED Line 223: max_real = 0.0 Line 224: max_int = 0 File floats.mlw: Line 24: x = (0x1.99999Cp-4:t) x = (0x1.99999Cp-4:t) Execution of main function `g10'goal` with env: max_real = 0.0 max_int = 0 x = (0x1.99999Cp-4:t) zero = 0 one = 1 zeroF = UNDEFINED Unknown location: Normal execution of function `Tuple0` with args: File floats.mlw: Line 24: Property failure at postcondition of `g10'goal` with: RNE = UNDEFINED RTZ = UNDEFINED x = (0x1.99999Cp-4:t) Categorizations of models: - Selected model 0: NC - Concrete RAC: FAILURE (postcondition at "bench/check-ce/floats.mlw", line 26, characters 24-47) - Abstract RAC: FAILURE (postcondition at "bench/check-ce/floats.mlw", line 26, characters 24-47) - Checked model 1: INCOMPLETE - Concrete RAC: INCOMPLETE (terminated because Postcondition of `g11'goal1` cannot be evaluated) - Abstract RAC: INCOMPLETE (terminated because Postcondition of `g11'goal1` cannot be evaluated) File "bench/check-ce/floats.mlw", line 26, characters 24-47: Goal g11. Prover result is: Unknown or time/memory/step limit. The program does not comply to the verification goal, for example during the following execution: File int.mlw: Line 13: Constant zero initialization zero = 0 Line 14: Constant one initialization one = 1 File ieee_float.mlw: Line 861: Constant zeroF initialization Line 63: (giant-step) execution of unimplemented function with args: result = UNDEFINED Line 861: zeroF = UNDEFINED Line 223: max_real = 0.0 Line 224: max_int = 0 File floats.mlw: Line 26: x = (0x1.0p-126:t) x = (0x1.0p-126:t) Execution of main function `g11'goal` with env: max_real = 0.0 max_int = 0 x = (0x1.0p-126:t) zero = 0 one = 1 zeroF = UNDEFINED Unknown location: Normal execution of function `Tuple0` with args: File floats.mlw: Line 26: Property failure at postcondition of `g11'goal` with: x = (0x1.0p-126:t) Categorizations of models: - Selected model 0: NC - Concrete RAC: FAILURE (postcondition at "bench/check-ce/floats.mlw", line 29, characters 24-54) - Abstract RAC: FAILURE (postcondition at "bench/check-ce/floats.mlw", line 29, characters 24-54) - Checked model 1: INCOMPLETE - Concrete RAC: INCOMPLETE (terminated because Postcondition of `g12'goal1` cannot be evaluated) - Abstract RAC: INCOMPLETE (terminated because Postcondition of `g12'goal1` cannot be evaluated) File "bench/check-ce/floats.mlw", line 29, characters 24-54: Goal g12. Prover result is: Unknown or time/memory/step limit. The program does not comply to the verification goal, for example during the following execution: File int.mlw: Line 13: Constant zero initialization zero = 0 Line 14: Constant one initialization one = 1 File ieee_float.mlw: Line 861: Constant zeroF initialization Line 63: (giant-step) execution of unimplemented function with args: result = UNDEFINED Line 861: zeroF = UNDEFINED Line 223: max_real = 0.0 Line 224: max_int = 0 File floats.mlw: Line 29: x = (0x0.FFFFFEp-126:t) x = (0x0.FFFFFEp-126:t) Execution of main function `g12'goal` with env: max_real = 0.0 max_int = 0 x = (0x0.FFFFFEp-126:t) zero = 0 one = 1 zeroF = UNDEFINED Unknown location: Normal execution of function `Tuple0` with args: File floats.mlw: Line 29: Property failure at postcondition of `g12'goal` with: x = (0x0.FFFFFEp-126:t) Categorizations of models: - Selected model 0: NC - Concrete RAC: FAILURE (postcondition at "bench/check-ce/floats.mlw", line 32, characters 24-47) - Abstract RAC: FAILURE (postcondition at "bench/check-ce/floats.mlw", line 32, characters 24-47) - Checked model 1: INCOMPLETE - Concrete RAC: INCOMPLETE (terminated because Postcondition of `g13'goal1` cannot be evaluated) - Abstract RAC: INCOMPLETE (terminated because Postcondition of `g13'goal1` cannot be evaluated) File "bench/check-ce/floats.mlw", line 32, characters 24-47: Goal g13. Prover result is: Unknown or time/memory/step limit. The program does not comply to the verification goal, for example during the following execution: File int.mlw: Line 13: Constant zero initialization zero = 0 Line 14: Constant one initialization one = 1 File ieee_float.mlw: Line 861: Constant zeroF initialization Line 63: (giant-step) execution of unimplemented function with args: result = UNDEFINED Line 861: zeroF = UNDEFINED Line 223: max_real = 0.0 Line 224: max_int = 0 File floats.mlw: Line 32: x = (0x0.8p-126:t) x = (0x0.8p-126:t) Execution of main function `g13'goal` with env: max_real = 0.0 max_int = 0 x = (0x0.8p-126:t) zero = 0 one = 1 zeroF = UNDEFINED Unknown location: Normal execution of function `Tuple0` with args: File floats.mlw: Line 32: Property failure at postcondition of `g13'goal` with: x = (0x0.8p-126:t) Categorizations of models: - Selected model 0: NC - Concrete RAC: FAILURE (postcondition at "bench/check-ce/floats.mlw", line 41, characters 40-52) - Abstract RAC: FAILURE (postcondition at "bench/check-ce/floats.mlw", line 41, characters 40-52) - Checked model 1: INCOMPLETE - Concrete RAC: INCOMPLETE (terminated because Precondition of `g1'goal3` cannot be evaluated) - Abstract RAC: INCOMPLETE (terminated because Precondition of `g1'goal3` cannot be evaluated) File "bench/check-ce/floats.mlw", line 41, characters 40-52: Goal g1. Prover result is: Unknown or time/memory/step limit. The program does not comply to the verification goal, for example during the following execution: File int.mlw: Line 13: Constant zero initialization zero = 0 Line 14: Constant one initialization one = 1 File ieee_float.mlw: Line 902: Constant zeroF initialization Line 63: (giant-step) execution of unimplemented function with args: result = UNDEFINED Line 902: zeroF = UNDEFINED Line 223: max_real = 0.0 Line 224: max_int = 0 File floats.mlw: Line 41: x = ((- 0x1.0p0):t1) x = ((- 0x1.0p0):t1) Execution of main function `g1'goal` with env: max_real = 0.0 max_int = 0 x = ((- 0x1.0p0):t1) zero = 0 one = 1 zeroF = UNDEFINED Unknown location: Normal execution of function `Tuple0` with args: File floats.mlw: Line 41: Property failure at postcondition of `g1'goal2` with: x = ((- 0x1.0p0):t1) Categorizations of models: - Selected model 0: NC - Concrete RAC: FAILURE (postcondition at "bench/check-ce/floats.mlw", line 43, characters 40-53) - Abstract RAC: FAILURE (postcondition at "bench/check-ce/floats.mlw", line 43, characters 40-53) - Checked model 1: INCOMPLETE - Concrete RAC: INCOMPLETE (terminated because Precondition of `g2'goal3` cannot be evaluated) - Abstract RAC: INCOMPLETE (terminated because Precondition of `g2'goal3` cannot be evaluated) File "bench/check-ce/floats.mlw", line 43, characters 40-53: Goal g2. Prover result is: Unknown or time/memory/step limit. The program does not comply to the verification goal, for example during the following execution: File int.mlw: Line 13: Constant zero initialization zero = 0 Line 14: Constant one initialization one = 1 File ieee_float.mlw: Line 902: Constant zeroF initialization Line 63: (giant-step) execution of unimplemented function with args: result = UNDEFINED Line 902: zeroF = UNDEFINED Line 223: max_real = 0.0 Line 224: max_int = 0 File floats.mlw: Line 43: x = (0x1.4p1:t1) x = (0x1.4p1:t1) Execution of main function `g2'goal` with env: max_real = 0.0 max_int = 0 x = (0x1.4p1:t1) zero = 0 one = 1 zeroF = UNDEFINED Unknown location: Normal execution of function `Tuple0` with args: File floats.mlw: Line 43: Property failure at postcondition of `g2'goal2` with: x = (0x1.4p1:t1) Categorizations of models: - Selected model 0: NC - Concrete RAC: FAILURE (postcondition at "bench/check-ce/floats.mlw", line 45, characters 24-42) - Abstract RAC: FAILURE (postcondition at "bench/check-ce/floats.mlw", line 45, characters 24-42) - Checked model 1: INCOMPLETE - Concrete RAC: INCOMPLETE (terminated because Postcondition of `g3'goal3` cannot be evaluated) - Abstract RAC: INCOMPLETE (terminated because Postcondition of `g3'goal3` cannot be evaluated) File "bench/check-ce/floats.mlw", line 45, characters 24-42: Goal g3. Prover result is: Unknown or time/memory/step limit. The program does not comply to the verification goal, for example during the following execution: File int.mlw: Line 13: Constant zero initialization zero = 0 Line 14: Constant one initialization one = 1 File ieee_float.mlw: Line 902: Constant zeroF initialization Line 63: (giant-step) execution of unimplemented function with args: result = UNDEFINED Line 902: zeroF = UNDEFINED Line 223: max_real = 0.0 Line 224: max_int = 0 File floats.mlw: Line 45: x = (0.0:t1) x = (0.0:t1) Execution of main function `g3'goal` with env: max_real = 0.0 max_int = 0 x = (0.0:t1) zero = 0 one = 1 zeroF = UNDEFINED Unknown location: Normal execution of function `Tuple0` with args: File floats.mlw: Line 45: Property failure at postcondition of `g3'goal2` with: x = (0.0:t1) Categorizations of models: - Selected model 0: NC - Concrete RAC: FAILURE (postcondition at "bench/check-ce/floats.mlw", line 47, characters 24-43) - Abstract RAC: FAILURE (postcondition at "bench/check-ce/floats.mlw", line 47, characters 24-43) - Checked model 1: INCOMPLETE - Concrete RAC: INCOMPLETE (terminated because Postcondition of `g4'goal3` cannot be evaluated) - Abstract RAC: INCOMPLETE (terminated because Postcondition of `g4'goal3` cannot be evaluated) File "bench/check-ce/floats.mlw", line 47, characters 24-43: Goal g4. Prover result is: Unknown or time/memory/step limit. The program does not comply to the verification goal, for example during the following execution: File int.mlw: Line 13: Constant zero initialization zero = 0 Line 14: Constant one initialization one = 1 File ieee_float.mlw: Line 902: Constant zeroF initialization Line 63: (giant-step) execution of unimplemented function with args: result = UNDEFINED Line 902: zeroF = UNDEFINED Line 223: max_real = 0.0 Line 224: max_int = 0 File floats.mlw: Line 47: x = (0x1.4p0:t1) x = (0x1.4p0:t1) Execution of main function `g4'goal` with env: max_real = 0.0 max_int = 0 x = (0x1.4p0:t1) zero = 0 one = 1 zeroF = UNDEFINED Unknown location: Normal execution of function `Tuple0` with args: File floats.mlw: Line 47: Property failure at postcondition of `g4'goal2` with: x = (0x1.4p0:t1) Categorizations of models: - Selected model 0: NC - Concrete RAC: FAILURE (postcondition at "bench/check-ce/floats.mlw", line 49, characters 24-43) - Abstract RAC: FAILURE (postcondition at "bench/check-ce/floats.mlw", line 49, characters 24-43) - Checked model 1: INCOMPLETE - Concrete RAC: INCOMPLETE (terminated because Postcondition of `g5'goal3` cannot be evaluated) - Abstract RAC: INCOMPLETE (terminated because Postcondition of `g5'goal3` cannot be evaluated) File "bench/check-ce/floats.mlw", line 49, characters 24-43: Goal g5. Prover result is: Unknown or time/memory/step limit. The program does not comply to the verification goal, for example during the following execution: File int.mlw: Line 13: Constant zero initialization zero = 0 Line 14: Constant one initialization one = 1 File ieee_float.mlw: Line 902: Constant zeroF initialization Line 63: (giant-step) execution of unimplemented function with args: result = UNDEFINED Line 902: zeroF = UNDEFINED Line 223: max_real = 0.0 Line 224: max_int = 0 File floats.mlw: Line 49: x = (0x1.1000000000001p34:t1) x = (0x1.1000000000001p34:t1) Execution of main function `g5'goal` with env: max_real = 0.0 max_int = 0 x = (0x1.1000000000001p34:t1) zero = 0 one = 1 zeroF = UNDEFINED Unknown location: Normal execution of function `Tuple0` with args: File floats.mlw: Line 49: Property failure at postcondition of `g5'goal2` with: x = (0x1.1000000000001p34:t1) Categorizations of models: - Selected model 0: NC - Concrete RAC: FAILURE (postcondition at "bench/check-ce/floats.mlw", line 51, characters 24-30) - Abstract RAC: FAILURE (postcondition at "bench/check-ce/floats.mlw", line 51, characters 24-30) - Checked model 1: INCOMPLETE - Concrete RAC: INCOMPLETE (terminated because Postcondition of `g6'goal3` cannot be evaluated) - Abstract RAC: INCOMPLETE (terminated because Postcondition of `g6'goal3` cannot be evaluated) File "bench/check-ce/floats.mlw", line 51, characters 24-30: Goal g6. Prover result is: Unknown or time/memory/step limit. The program does not comply to the verification goal, for example during the following execution: File int.mlw: Line 13: Constant zero initialization zero = 0 Line 14: Constant one initialization one = 1 File ieee_float.mlw: Line 902: Constant zeroF initialization Line 63: (giant-step) execution of unimplemented function with args: result = UNDEFINED Line 902: zeroF = UNDEFINED Line 223: max_real = 0.0 Line 224: max_int = 0 File floats.mlw: Line 51: x = epsilon x:t1. is_nan1 x x = epsilon x:t1. is_nan1 x Execution of main function `g6'goal` with env: max_real = 0.0 max_int = 0 x = epsilon x:t1. is_nan1 x zero = 0 one = 1 zeroF = UNDEFINED Unknown location: Normal execution of function `Tuple0` with args: File floats.mlw: Line 51: Property failure at postcondition of `g6'goal2` with: x = epsilon x:t1. is_nan1 x Categorizations of models: - Selected model 0: NC - Concrete RAC: FAILURE (postcondition at "bench/check-ce/floats.mlw", line 53, characters 40-64) - Abstract RAC: FAILURE (postcondition at "bench/check-ce/floats.mlw", line 53, characters 40-64) - Checked model 1: INCOMPLETE - Concrete RAC: INCOMPLETE (terminated because Precondition of `g7'goal3` cannot be evaluated) - Abstract RAC: INCOMPLETE (terminated because Precondition of `g7'goal3` cannot be evaluated) File "bench/check-ce/floats.mlw", line 53, characters 40-64: Goal g7. Prover result is: Unknown or time/memory/step limit. The program does not comply to the verification goal, for example during the following execution: File int.mlw: Line 13: Constant zero initialization zero = 0 Line 14: Constant one initialization one = 1 File ieee_float.mlw: Line 902: Constant zeroF initialization Line 63: (giant-step) execution of unimplemented function with args: result = UNDEFINED Line 902: zeroF = UNDEFINED Line 223: max_real = 0.0 Line 224: max_int = 0 File floats.mlw: Line 53: x = ((- 0x1.FFFFFFFFFFFFFp58):t1) x = ((- 0x1.FFFFFFFFFFFFFp58):t1) Execution of main function `g7'goal` with env: max_real = 0.0 max_int = 0 x = ((- 0x1.FFFFFFFFFFFFFp58):t1) zero = 0 one = 1 zeroF = UNDEFINED Unknown location: Normal execution of function `Tuple0` with args: File floats.mlw: Line 53: Property failure at postcondition of `g7'goal2` with: RNE = UNDEFINED x = ((- 0x1.FFFFFFFFFFFFFp58):t1) Categorizations of models: - Selected model 0: INCOMPLETE - Concrete RAC: INCOMPLETE (terminated because Postcondition of `g8'goal2` cannot be evaluated) - Abstract RAC: INCOMPLETE (terminated because Postcondition of `g8'goal2` cannot be evaluated) - Checked model 1: INCOMPLETE - Concrete RAC: INCOMPLETE (terminated because Postcondition of `g8'goal3` cannot be evaluated) - Abstract RAC: INCOMPLETE (terminated because Postcondition of `g8'goal3` cannot be evaluated) File "bench/check-ce/floats.mlw", line 55, characters 24-60: Goal g8. Prover result is: Unknown or time/memory/step limit. The following counterexample model could not be verified (both RAC terminated because Postcondition of `g8'goal2` cannot be evaluated): File ieee_float.mlw: Line 223: max_real : real = 0.0 Line 224: max_int : int = 0 File real.mlw: Line 203: sqrt : real -> real = [|_ => 0.0|] File floats.mlw: Line 55: x : t1 = ∞ Categorizations of models: - Selected model 0: NC - Concrete RAC: FAILURE (postcondition at "bench/check-ce/floats.mlw", line 57, characters 40-70) - Abstract RAC: FAILURE (postcondition at "bench/check-ce/floats.mlw", line 57, characters 40-70) - Checked model 1: INCOMPLETE - Concrete RAC: INCOMPLETE (terminated because Precondition of `g9'goal3` cannot be evaluated) - Abstract RAC: INCOMPLETE (terminated because Precondition of `g9'goal3` cannot be evaluated) File "bench/check-ce/floats.mlw", line 57, characters 40-70: Goal g9. Prover result is: Unknown or time/memory/step limit. The program does not comply to the verification goal, for example during the following execution: File int.mlw: Line 13: Constant zero initialization zero = 0 Line 14: Constant one initialization one = 1 File ieee_float.mlw: Line 902: Constant zeroF initialization Line 63: (giant-step) execution of unimplemented function with args: result = UNDEFINED Line 902: zeroF = UNDEFINED Line 223: max_real = 0.0 Line 224: max_int = 0 File floats.mlw: Line 57: x = (0x0.0000000000001p-1022:t1) x = (0x0.0000000000001p-1022:t1) Execution of main function `g9'goal` with env: max_real = 0.0 max_int = 0 x = (0x0.0000000000001p-1022:t1) zero = 0 one = 1 zeroF = UNDEFINED Unknown location: Normal execution of function `Tuple0` with args: File floats.mlw: Line 57: Property failure at postcondition of `g9'goal2` with: RNE = UNDEFINED x = (0x0.0000000000001p-1022:t1) Categorizations of models: - Selected model 0: NC - Concrete RAC: FAILURE (postcondition at "bench/check-ce/floats.mlw", line 60, characters 24-98) - Abstract RAC: FAILURE (postcondition at "bench/check-ce/floats.mlw", line 60, characters 24-98) - Checked model 1: INCOMPLETE - Concrete RAC: INCOMPLETE (terminated because Postcondition of `g10'goal3` cannot be evaluated) - Abstract RAC: INCOMPLETE (terminated because Postcondition of `g10'goal3` cannot be evaluated) File "bench/check-ce/floats.mlw", line 60, characters 24-98: Goal g10. Prover result is: Unknown or time/memory/step limit. The program does not comply to the verification goal, for example during the following execution: File int.mlw: Line 13: Constant zero initialization zero = 0 Line 14: Constant one initialization one = 1 File ieee_float.mlw: Line 902: Constant zeroF initialization Line 63: (giant-step) execution of unimplemented function with args: result = UNDEFINED Line 902: zeroF = UNDEFINED Line 223: max_real = 0.0 Line 224: max_int = 0 File floats.mlw: Line 60: x = (0x1.999999999999Bp-4:t1) x = (0x1.999999999999Bp-4:t1) Execution of main function `g10'goal` with env: max_real = 0.0 max_int = 0 x = (0x1.999999999999Bp-4:t1) zero = 0 one = 1 zeroF = UNDEFINED Unknown location: Normal execution of function `Tuple0` with args: File floats.mlw: Line 60: Property failure at postcondition of `g10'goal2` with: RNE = UNDEFINED RTZ = UNDEFINED x = (0x1.999999999999Bp-4:t1) Categorizations of models: - Selected model 0: NC - Concrete RAC: FAILURE (postcondition at "bench/check-ce/floats.mlw", line 62, characters 24-48) - Abstract RAC: FAILURE (postcondition at "bench/check-ce/floats.mlw", line 62, characters 24-48) - Checked model 1: INCOMPLETE - Concrete RAC: INCOMPLETE (terminated because Postcondition of `g11'goal3` cannot be evaluated) - Abstract RAC: INCOMPLETE (terminated because Postcondition of `g11'goal3` cannot be evaluated) File "bench/check-ce/floats.mlw", line 62, characters 24-48: Goal g11. Prover result is: Unknown or time/memory/step limit. The program does not comply to the verification goal, for example during the following execution: File int.mlw: Line 13: Constant zero initialization zero = 0 Line 14: Constant one initialization one = 1 File ieee_float.mlw: Line 902: Constant zeroF initialization Line 63: (giant-step) execution of unimplemented function with args: result = UNDEFINED Line 902: zeroF = UNDEFINED Line 223: max_real = 0.0 Line 224: max_int = 0 File floats.mlw: Line 62: x = (0x1.0p-1022:t1) x = (0x1.0p-1022:t1) Execution of main function `g11'goal` with env: max_real = 0.0 max_int = 0 x = (0x1.0p-1022:t1) zero = 0 one = 1 zeroF = UNDEFINED Unknown location: Normal execution of function `Tuple0` with args: File floats.mlw: Line 62: Property failure at postcondition of `g11'goal2` with: x = (0x1.0p-1022:t1) Categorizations of models: - Selected model 0: NC - Concrete RAC: FAILURE (postcondition at "bench/check-ce/floats.mlw", line 65, characters 24-62) - Abstract RAC: FAILURE (postcondition at "bench/check-ce/floats.mlw", line 65, characters 24-62) - Checked model 1: INCOMPLETE - Concrete RAC: INCOMPLETE (terminated because Postcondition of `g12'goal3` cannot be evaluated) - Abstract RAC: INCOMPLETE (terminated because Postcondition of `g12'goal3` cannot be evaluated) File "bench/check-ce/floats.mlw", line 65, characters 24-62: Goal g12. Prover result is: Unknown or time/memory/step limit. The program does not comply to the verification goal, for example during the following execution: File int.mlw: Line 13: Constant zero initialization zero = 0 Line 14: Constant one initialization one = 1 File ieee_float.mlw: Line 902: Constant zeroF initialization Line 63: (giant-step) execution of unimplemented function with args: result = UNDEFINED Line 902: zeroF = UNDEFINED Line 223: max_real = 0.0 Line 224: max_int = 0 File floats.mlw: Line 65: x = (0x0.FFFFFFFFFFFFFp-1022:t1) x = (0x0.FFFFFFFFFFFFFp-1022:t1) Execution of main function `g12'goal` with env: max_real = 0.0 max_int = 0 x = (0x0.FFFFFFFFFFFFFp-1022:t1) zero = 0 one = 1 zeroF = UNDEFINED Unknown location: Normal execution of function `Tuple0` with args: File floats.mlw: Line 65: Property failure at postcondition of `g12'goal2` with: x = (0x0.FFFFFFFFFFFFFp-1022:t1) Categorizations of models: - Selected model 0: NC - Concrete RAC: FAILURE (postcondition at "bench/check-ce/floats.mlw", line 68, characters 24-48) - Abstract RAC: FAILURE (postcondition at "bench/check-ce/floats.mlw", line 68, characters 24-48) - Checked model 1: INCOMPLETE - Concrete RAC: INCOMPLETE (terminated because Postcondition of `g13'goal3` cannot be evaluated) - Abstract RAC: INCOMPLETE (terminated because Postcondition of `g13'goal3` cannot be evaluated) File "bench/check-ce/floats.mlw", line 68, characters 24-48: Goal g13. Prover result is: Unknown or time/memory/step limit. The program does not comply to the verification goal, for example during the following execution: File int.mlw: Line 13: Constant zero initialization zero = 0 Line 14: Constant one initialization one = 1 File ieee_float.mlw: Line 902: Constant zeroF initialization Line 63: (giant-step) execution of unimplemented function with args: result = UNDEFINED Line 902: zeroF = UNDEFINED Line 223: max_real = 0.0 Line 224: max_int = 0 File floats.mlw: Line 68: x = (0x0.8p-1022:t1) x = (0x0.8p-1022:t1) Execution of main function `g13'goal` with env: max_real = 0.0 max_int = 0 x = (0x0.8p-1022:t1) zero = 0 one = 1 zeroF = UNDEFINED Unknown location: Normal execution of function `Tuple0` with args: File floats.mlw: Line 68: Property failure at postcondition of `g13'goal2` with: x = (0x0.8p-1022:t1) why3-1.6.0/bench/check-ce/oracles/floats_Z3,4.8.10_SP.oracle000066400000000000000000001047261440160026300227510ustar00rootroot00000000000000Categorizations of models: - Selected model 0: NC - Concrete RAC: FAILURE (postcondition at "bench/check-ce/floats.mlw", line 5, characters 40-52) - Abstract RAC: FAILURE (postcondition at "bench/check-ce/floats.mlw", line 5, characters 40-52) - Checked model 1: NC - Concrete RAC: FAILURE (postcondition at "bench/check-ce/floats.mlw", line 5, characters 40-52) - Abstract RAC: FAILURE (postcondition at "bench/check-ce/floats.mlw", line 5, characters 40-52) File "bench/check-ce/floats.mlw", line 5, characters 40-52: Goal g1. Prover result is: Unknown (sat). The program does not comply to the verification goal, for example during the following execution: File int.mlw: Line 13: Constant zero initialization zero = 0 Line 14: Constant one initialization one = 1 File ieee_float.mlw: Line 861: Constant zeroF initialization Line 63: (giant-step) execution of unimplemented function with args: result = UNDEFINED Line 861: zeroF = UNDEFINED Line 223: max_real = 0.0 Line 224: max_int = 0 File floats.mlw: Line 5: x = ((- 0x1.000002p-126):t) x = ((- 0x1.000002p-126):t) Execution of main function `g1'goal` with env: max_real = 0.0 max_int = 0 x = ((- 0x1.000002p-126):t) zero = 0 one = 1 zeroF = UNDEFINED Unknown location: Normal execution of function `Tuple0` with args: File floats.mlw: Line 5: Property failure at postcondition of `g1'goal` with: x = ((- 0x1.000002p-126):t) Categorizations of models: - Selected model 0: NC - Concrete RAC: FAILURE (postcondition at "bench/check-ce/floats.mlw", line 7, characters 40-53) - Abstract RAC: FAILURE (postcondition at "bench/check-ce/floats.mlw", line 7, characters 40-53) - Checked model 1: NC - Concrete RAC: FAILURE (postcondition at "bench/check-ce/floats.mlw", line 7, characters 40-53) - Abstract RAC: FAILURE (postcondition at "bench/check-ce/floats.mlw", line 7, characters 40-53) File "bench/check-ce/floats.mlw", line 7, characters 40-53: Goal g2. Prover result is: Unknown (sat). The program does not comply to the verification goal, for example during the following execution: File int.mlw: Line 13: Constant zero initialization zero = 0 Line 14: Constant one initialization one = 1 File ieee_float.mlw: Line 861: Constant zeroF initialization Line 63: (giant-step) execution of unimplemented function with args: result = UNDEFINED Line 861: zeroF = UNDEFINED Line 223: max_real = 0.0 Line 224: max_int = 0 File floats.mlw: Line 7: x = ((- 0x0.000002p-126):t) x = ((- 0x0.000002p-126):t) Execution of main function `g2'goal` with env: max_real = 0.0 max_int = 0 x = ((- 0x0.000002p-126):t) zero = 0 one = 1 zeroF = UNDEFINED Unknown location: Normal execution of function `Tuple0` with args: File floats.mlw: Line 7: Property failure at postcondition of `g2'goal` with: x = ((- 0x0.000002p-126):t) Categorizations of models: - Selected model 0: NC - Concrete RAC: FAILURE (postcondition at "bench/check-ce/floats.mlw", line 9, characters 24-42) - Abstract RAC: FAILURE (postcondition at "bench/check-ce/floats.mlw", line 9, characters 24-42) - Checked model 1: NC - Concrete RAC: FAILURE (postcondition at "bench/check-ce/floats.mlw", line 9, characters 24-42) - Abstract RAC: FAILURE (postcondition at "bench/check-ce/floats.mlw", line 9, characters 24-42) File "bench/check-ce/floats.mlw", line 9, characters 24-42: Goal g3. Prover result is: Unknown (sat). The program does not comply to the verification goal, for example during the following execution: File int.mlw: Line 13: Constant zero initialization zero = 0 Line 14: Constant one initialization one = 1 File ieee_float.mlw: Line 861: Constant zeroF initialization Line 63: (giant-step) execution of unimplemented function with args: result = UNDEFINED Line 861: zeroF = UNDEFINED Line 223: max_real = 0.0 Line 224: max_int = 0 File floats.mlw: Line 9: x = (0.0:t) x = (0.0:t) Execution of main function `g3'goal` with env: max_real = 0.0 max_int = 0 x = (0.0:t) zero = 0 one = 1 zeroF = UNDEFINED Unknown location: Normal execution of function `Tuple0` with args: File floats.mlw: Line 9: Property failure at postcondition of `g3'goal` with: x = (0.0:t) Categorizations of models: - Selected model 0: NC - Concrete RAC: FAILURE (postcondition at "bench/check-ce/floats.mlw", line 11, characters 24-43) - Abstract RAC: FAILURE (postcondition at "bench/check-ce/floats.mlw", line 11, characters 24-43) - Checked model 1: NC - Concrete RAC: FAILURE (postcondition at "bench/check-ce/floats.mlw", line 11, characters 24-43) - Abstract RAC: FAILURE (postcondition at "bench/check-ce/floats.mlw", line 11, characters 24-43) File "bench/check-ce/floats.mlw", line 11, characters 24-43: Goal g4. Prover result is: Unknown (sat). The program does not comply to the verification goal, for example during the following execution: File int.mlw: Line 13: Constant zero initialization zero = 0 Line 14: Constant one initialization one = 1 File ieee_float.mlw: Line 861: Constant zeroF initialization Line 63: (giant-step) execution of unimplemented function with args: result = UNDEFINED Line 861: zeroF = UNDEFINED Line 223: max_real = 0.0 Line 224: max_int = 0 File floats.mlw: Line 11: x = (0x1.4p0:t) x = (0x1.4p0:t) Execution of main function `g4'goal` with env: max_real = 0.0 max_int = 0 x = (0x1.4p0:t) zero = 0 one = 1 zeroF = UNDEFINED Unknown location: Normal execution of function `Tuple0` with args: File floats.mlw: Line 11: Property failure at postcondition of `g4'goal` with: x = (0x1.4p0:t) Categorizations of models: - Selected model 0: NC - Concrete RAC: FAILURE (postcondition at "bench/check-ce/floats.mlw", line 13, characters 24-43) - Abstract RAC: FAILURE (postcondition at "bench/check-ce/floats.mlw", line 13, characters 24-43) - Checked model 1: INCOMPLETE - Concrete RAC: INCOMPLETE (terminated because Postcondition of `g5'goal1` cannot be evaluated) - Abstract RAC: INCOMPLETE (terminated because Postcondition of `g5'goal1` cannot be evaluated) File "bench/check-ce/floats.mlw", line 13, characters 24-43: Goal g5. Prover result is: Unknown or time/memory/step limit. The program does not comply to the verification goal, for example during the following execution: File int.mlw: Line 13: Constant zero initialization zero = 0 Line 14: Constant one initialization one = 1 File ieee_float.mlw: Line 861: Constant zeroF initialization Line 63: (giant-step) execution of unimplemented function with args: result = UNDEFINED Line 861: zeroF = UNDEFINED Line 223: max_real = 0.0 Line 224: max_int = 0 File floats.mlw: Line 13: x = (0x1.50002p3:t) x = (0x1.50002p3:t) Execution of main function `g5'goal` with env: max_real = 0.0 max_int = 0 x = (0x1.50002p3:t) zero = 0 one = 1 zeroF = UNDEFINED Unknown location: Normal execution of function `Tuple0` with args: File floats.mlw: Line 13: Property failure at postcondition of `g5'goal` with: x = (0x1.50002p3:t) Categorizations of models: - Selected model 0: NC - Concrete RAC: FAILURE (postcondition at "bench/check-ce/floats.mlw", line 15, characters 24-30) - Abstract RAC: FAILURE (postcondition at "bench/check-ce/floats.mlw", line 15, characters 24-30) - Checked model 1: NC - Concrete RAC: FAILURE (postcondition at "bench/check-ce/floats.mlw", line 15, characters 24-30) - Abstract RAC: FAILURE (postcondition at "bench/check-ce/floats.mlw", line 15, characters 24-30) File "bench/check-ce/floats.mlw", line 15, characters 24-30: Goal g6. Prover result is: Unknown (sat). The program does not comply to the verification goal, for example during the following execution: File int.mlw: Line 13: Constant zero initialization zero = 0 Line 14: Constant one initialization one = 1 File ieee_float.mlw: Line 861: Constant zeroF initialization Line 63: (giant-step) execution of unimplemented function with args: result = UNDEFINED Line 861: zeroF = UNDEFINED Line 223: max_real = 0.0 Line 224: max_int = 0 File floats.mlw: Line 15: x = epsilon x:t. is_nan x x = epsilon x:t. is_nan x Execution of main function `g6'goal` with env: max_real = 0.0 max_int = 0 x = epsilon x:t. is_nan x zero = 0 one = 1 zeroF = UNDEFINED Unknown location: Normal execution of function `Tuple0` with args: File floats.mlw: Line 15: Property failure at postcondition of `g6'goal` with: x = epsilon x:t. is_nan x Categorizations of models: - Selected model 0: NC - Concrete RAC: FAILURE (postcondition at "bench/check-ce/floats.mlw", line 17, characters 40-64) - Abstract RAC: FAILURE (postcondition at "bench/check-ce/floats.mlw", line 17, characters 40-64) - Checked model 1: INCOMPLETE - Concrete RAC: INCOMPLETE (terminated because Precondition of `g7'goal1` cannot be evaluated) - Abstract RAC: INCOMPLETE (terminated because Precondition of `g7'goal1` cannot be evaluated) File "bench/check-ce/floats.mlw", line 17, characters 40-64: Goal g7. Prover result is: Unknown or time/memory/step limit. The program does not comply to the verification goal, for example during the following execution: File int.mlw: Line 13: Constant zero initialization zero = 0 Line 14: Constant one initialization one = 1 File ieee_float.mlw: Line 861: Constant zeroF initialization Line 63: (giant-step) execution of unimplemented function with args: result = UNDEFINED Line 861: zeroF = UNDEFINED Line 223: max_real = 0.0 Line 224: max_int = 0 File floats.mlw: Line 17: x = ((- 0x1.0p64):t) x = ((- 0x1.0p64):t) Execution of main function `g7'goal` with env: max_real = 0.0 max_int = 0 x = ((- 0x1.0p64):t) zero = 0 one = 1 zeroF = UNDEFINED Unknown location: Normal execution of function `Tuple0` with args: File floats.mlw: Line 17: Property failure at postcondition of `g7'goal` with: RNE = UNDEFINED x = ((- 0x1.0p64):t) Categorizations of models: - Checked model 0: INCOMPLETE - Concrete RAC: INCOMPLETE (terminated because Postcondition of `g8'goal` cannot be evaluated) - Abstract RAC: INCOMPLETE (terminated because Postcondition of `g8'goal` cannot be evaluated) - Selected model 1: INCOMPLETE - Concrete RAC: INCOMPLETE (terminated because Postcondition of `g8'goal1` cannot be evaluated) - Abstract RAC: INCOMPLETE (terminated because Postcondition of `g8'goal1` cannot be evaluated) File "bench/check-ce/floats.mlw", line 19, characters 24-60: Goal g8. Prover result is: Unknown (sat). The following counterexample model could not be verified (both RAC terminated because Postcondition of `g8'goal1` cannot be evaluated): File ieee_float.mlw: Line 223: max_real : real = 0.0 Line 224: max_int : int = 0 File floats.mlw: Line 19: x : t = ∞ Categorizations of models: - Checked model 0: INCOMPLETE - Concrete RAC: INCOMPLETE (terminated because Precondition of `g9'goal` cannot be evaluated) - Abstract RAC: INCOMPLETE (terminated because Precondition of `g9'goal` cannot be evaluated) File "bench/check-ce/floats.mlw", line 21, characters 40-70: Goal g9. Prover result is: Unknown or time/memory/step limit. Categorizations of models: - Selected model 0: NC - Concrete RAC: FAILURE (postcondition at "bench/check-ce/floats.mlw", line 24, characters 24-98) - Abstract RAC: FAILURE (postcondition at "bench/check-ce/floats.mlw", line 24, characters 24-98) - Checked model 1: INCOMPLETE - Concrete RAC: INCOMPLETE (terminated because Postcondition of `g10'goal1` cannot be evaluated) - Abstract RAC: INCOMPLETE (terminated because Postcondition of `g10'goal1` cannot be evaluated) File "bench/check-ce/floats.mlw", line 24, characters 24-98: Goal g10. Prover result is: Unknown or time/memory/step limit. The program does not comply to the verification goal, for example during the following execution: File int.mlw: Line 13: Constant zero initialization zero = 0 Line 14: Constant one initialization one = 1 File ieee_float.mlw: Line 861: Constant zeroF initialization Line 63: (giant-step) execution of unimplemented function with args: result = UNDEFINED Line 861: zeroF = UNDEFINED Line 223: max_real = 0.0 Line 224: max_int = 0 File floats.mlw: Line 24: x = (0x1.99999Cp-4:t) x = (0x1.99999Cp-4:t) Execution of main function `g10'goal` with env: max_real = 0.0 max_int = 0 x = (0x1.99999Cp-4:t) zero = 0 one = 1 zeroF = UNDEFINED Unknown location: Normal execution of function `Tuple0` with args: File floats.mlw: Line 24: Property failure at postcondition of `g10'goal` with: RNE = UNDEFINED RTZ = UNDEFINED x = (0x1.99999Cp-4:t) Categorizations of models: - Selected model 0: NC - Concrete RAC: FAILURE (postcondition at "bench/check-ce/floats.mlw", line 26, characters 24-47) - Abstract RAC: FAILURE (postcondition at "bench/check-ce/floats.mlw", line 26, characters 24-47) - Checked model 1: NC - Concrete RAC: FAILURE (postcondition at "bench/check-ce/floats.mlw", line 26, characters 24-47) - Abstract RAC: FAILURE (postcondition at "bench/check-ce/floats.mlw", line 26, characters 24-47) File "bench/check-ce/floats.mlw", line 26, characters 24-47: Goal g11. Prover result is: Unknown (sat). The program does not comply to the verification goal, for example during the following execution: File int.mlw: Line 13: Constant zero initialization zero = 0 Line 14: Constant one initialization one = 1 File ieee_float.mlw: Line 861: Constant zeroF initialization Line 63: (giant-step) execution of unimplemented function with args: result = UNDEFINED Line 861: zeroF = UNDEFINED Line 223: max_real = 0.0 Line 224: max_int = 0 File floats.mlw: Line 26: x = (0x1.0p-126:t) x = (0x1.0p-126:t) Execution of main function `g11'goal` with env: max_real = 0.0 max_int = 0 x = (0x1.0p-126:t) zero = 0 one = 1 zeroF = UNDEFINED Unknown location: Normal execution of function `Tuple0` with args: File floats.mlw: Line 26: Property failure at postcondition of `g11'goal` with: x = (0x1.0p-126:t) Categorizations of models: - Selected model 0: NC - Concrete RAC: FAILURE (postcondition at "bench/check-ce/floats.mlw", line 29, characters 24-54) - Abstract RAC: FAILURE (postcondition at "bench/check-ce/floats.mlw", line 29, characters 24-54) - Checked model 1: NC - Concrete RAC: FAILURE (postcondition at "bench/check-ce/floats.mlw", line 29, characters 24-54) - Abstract RAC: FAILURE (postcondition at "bench/check-ce/floats.mlw", line 29, characters 24-54) File "bench/check-ce/floats.mlw", line 29, characters 24-54: Goal g12. Prover result is: Unknown (sat). The program does not comply to the verification goal, for example during the following execution: File int.mlw: Line 13: Constant zero initialization zero = 0 Line 14: Constant one initialization one = 1 File ieee_float.mlw: Line 861: Constant zeroF initialization Line 63: (giant-step) execution of unimplemented function with args: result = UNDEFINED Line 861: zeroF = UNDEFINED Line 223: max_real = 0.0 Line 224: max_int = 0 File floats.mlw: Line 29: x = (0x0.FFFFFEp-126:t) x = (0x0.FFFFFEp-126:t) Execution of main function `g12'goal` with env: max_real = 0.0 max_int = 0 x = (0x0.FFFFFEp-126:t) zero = 0 one = 1 zeroF = UNDEFINED Unknown location: Normal execution of function `Tuple0` with args: File floats.mlw: Line 29: Property failure at postcondition of `g12'goal` with: x = (0x0.FFFFFEp-126:t) Categorizations of models: - Selected model 0: NC - Concrete RAC: FAILURE (postcondition at "bench/check-ce/floats.mlw", line 32, characters 24-47) - Abstract RAC: FAILURE (postcondition at "bench/check-ce/floats.mlw", line 32, characters 24-47) - Checked model 1: NC - Concrete RAC: FAILURE (postcondition at "bench/check-ce/floats.mlw", line 32, characters 24-47) - Abstract RAC: FAILURE (postcondition at "bench/check-ce/floats.mlw", line 32, characters 24-47) File "bench/check-ce/floats.mlw", line 32, characters 24-47: Goal g13. Prover result is: Unknown (sat). The program does not comply to the verification goal, for example during the following execution: File int.mlw: Line 13: Constant zero initialization zero = 0 Line 14: Constant one initialization one = 1 File ieee_float.mlw: Line 861: Constant zeroF initialization Line 63: (giant-step) execution of unimplemented function with args: result = UNDEFINED Line 861: zeroF = UNDEFINED Line 223: max_real = 0.0 Line 224: max_int = 0 File floats.mlw: Line 32: x = (0x0.8p-126:t) x = (0x0.8p-126:t) Execution of main function `g13'goal` with env: max_real = 0.0 max_int = 0 x = (0x0.8p-126:t) zero = 0 one = 1 zeroF = UNDEFINED Unknown location: Normal execution of function `Tuple0` with args: File floats.mlw: Line 32: Property failure at postcondition of `g13'goal` with: x = (0x0.8p-126:t) Categorizations of models: - Selected model 0: NC - Concrete RAC: FAILURE (postcondition at "bench/check-ce/floats.mlw", line 41, characters 40-52) - Abstract RAC: FAILURE (postcondition at "bench/check-ce/floats.mlw", line 41, characters 40-52) - Checked model 1: NC - Concrete RAC: FAILURE (postcondition at "bench/check-ce/floats.mlw", line 41, characters 40-52) - Abstract RAC: FAILURE (postcondition at "bench/check-ce/floats.mlw", line 41, characters 40-52) File "bench/check-ce/floats.mlw", line 41, characters 40-52: Goal g1. Prover result is: Unknown (sat). The program does not comply to the verification goal, for example during the following execution: File int.mlw: Line 13: Constant zero initialization zero = 0 Line 14: Constant one initialization one = 1 File ieee_float.mlw: Line 902: Constant zeroF initialization Line 63: (giant-step) execution of unimplemented function with args: result = UNDEFINED Line 902: zeroF = UNDEFINED Line 223: max_real = 0.0 Line 224: max_int = 0 File floats.mlw: Line 41: x = ((- 0x1.0000000000001p-1022):t1) x = ((- 0x1.0000000000001p-1022):t1) Execution of main function `g1'goal` with env: max_real = 0.0 max_int = 0 x = ((- 0x1.0000000000001p-1022):t1) zero = 0 one = 1 zeroF = UNDEFINED Unknown location: Normal execution of function `Tuple0` with args: File floats.mlw: Line 41: Property failure at postcondition of `g1'goal2` with: x = ((- 0x1.0000000000001p-1022):t1) Categorizations of models: - Selected model 0: NC - Concrete RAC: FAILURE (postcondition at "bench/check-ce/floats.mlw", line 43, characters 40-53) - Abstract RAC: FAILURE (postcondition at "bench/check-ce/floats.mlw", line 43, characters 40-53) - Checked model 1: NC - Concrete RAC: FAILURE (postcondition at "bench/check-ce/floats.mlw", line 43, characters 40-53) - Abstract RAC: FAILURE (postcondition at "bench/check-ce/floats.mlw", line 43, characters 40-53) File "bench/check-ce/floats.mlw", line 43, characters 40-53: Goal g2. Prover result is: Unknown (sat). The program does not comply to the verification goal, for example during the following execution: File int.mlw: Line 13: Constant zero initialization zero = 0 Line 14: Constant one initialization one = 1 File ieee_float.mlw: Line 902: Constant zeroF initialization Line 63: (giant-step) execution of unimplemented function with args: result = UNDEFINED Line 902: zeroF = UNDEFINED Line 223: max_real = 0.0 Line 224: max_int = 0 File floats.mlw: Line 43: x = ((- 0x0.0000000000001p-1022):t1) x = ((- 0x0.0000000000001p-1022):t1) Execution of main function `g2'goal` with env: max_real = 0.0 max_int = 0 x = ((- 0x0.0000000000001p-1022):t1) zero = 0 one = 1 zeroF = UNDEFINED Unknown location: Normal execution of function `Tuple0` with args: File floats.mlw: Line 43: Property failure at postcondition of `g2'goal2` with: x = ((- 0x0.0000000000001p-1022):t1) Categorizations of models: - Selected model 0: NC - Concrete RAC: FAILURE (postcondition at "bench/check-ce/floats.mlw", line 45, characters 24-42) - Abstract RAC: FAILURE (postcondition at "bench/check-ce/floats.mlw", line 45, characters 24-42) - Checked model 1: NC - Concrete RAC: FAILURE (postcondition at "bench/check-ce/floats.mlw", line 45, characters 24-42) - Abstract RAC: FAILURE (postcondition at "bench/check-ce/floats.mlw", line 45, characters 24-42) File "bench/check-ce/floats.mlw", line 45, characters 24-42: Goal g3. Prover result is: Unknown (sat). The program does not comply to the verification goal, for example during the following execution: File int.mlw: Line 13: Constant zero initialization zero = 0 Line 14: Constant one initialization one = 1 File ieee_float.mlw: Line 902: Constant zeroF initialization Line 63: (giant-step) execution of unimplemented function with args: result = UNDEFINED Line 902: zeroF = UNDEFINED Line 223: max_real = 0.0 Line 224: max_int = 0 File floats.mlw: Line 45: x = (0.0:t1) x = (0.0:t1) Execution of main function `g3'goal` with env: max_real = 0.0 max_int = 0 x = (0.0:t1) zero = 0 one = 1 zeroF = UNDEFINED Unknown location: Normal execution of function `Tuple0` with args: File floats.mlw: Line 45: Property failure at postcondition of `g3'goal2` with: x = (0.0:t1) Categorizations of models: - Selected model 0: NC - Concrete RAC: FAILURE (postcondition at "bench/check-ce/floats.mlw", line 47, characters 24-43) - Abstract RAC: FAILURE (postcondition at "bench/check-ce/floats.mlw", line 47, characters 24-43) - Checked model 1: NC - Concrete RAC: FAILURE (postcondition at "bench/check-ce/floats.mlw", line 47, characters 24-43) - Abstract RAC: FAILURE (postcondition at "bench/check-ce/floats.mlw", line 47, characters 24-43) File "bench/check-ce/floats.mlw", line 47, characters 24-43: Goal g4. Prover result is: Unknown (sat). The program does not comply to the verification goal, for example during the following execution: File int.mlw: Line 13: Constant zero initialization zero = 0 Line 14: Constant one initialization one = 1 File ieee_float.mlw: Line 902: Constant zeroF initialization Line 63: (giant-step) execution of unimplemented function with args: result = UNDEFINED Line 902: zeroF = UNDEFINED Line 223: max_real = 0.0 Line 224: max_int = 0 File floats.mlw: Line 47: x = (0x1.4p0:t1) x = (0x1.4p0:t1) Execution of main function `g4'goal` with env: max_real = 0.0 max_int = 0 x = (0x1.4p0:t1) zero = 0 one = 1 zeroF = UNDEFINED Unknown location: Normal execution of function `Tuple0` with args: File floats.mlw: Line 47: Property failure at postcondition of `g4'goal2` with: x = (0x1.4p0:t1) Categorizations of models: - Selected model 0: NC - Concrete RAC: FAILURE (postcondition at "bench/check-ce/floats.mlw", line 49, characters 24-43) - Abstract RAC: FAILURE (postcondition at "bench/check-ce/floats.mlw", line 49, characters 24-43) - Checked model 1: INCOMPLETE - Concrete RAC: INCOMPLETE (terminated because Postcondition of `g5'goal3` cannot be evaluated) - Abstract RAC: INCOMPLETE (terminated because Postcondition of `g5'goal3` cannot be evaluated) File "bench/check-ce/floats.mlw", line 49, characters 24-43: Goal g5. Prover result is: Unknown or time/memory/step limit. The program does not comply to the verification goal, for example during the following execution: File int.mlw: Line 13: Constant zero initialization zero = 0 Line 14: Constant one initialization one = 1 File ieee_float.mlw: Line 902: Constant zeroF initialization Line 63: (giant-step) execution of unimplemented function with args: result = UNDEFINED Line 902: zeroF = UNDEFINED Line 223: max_real = 0.0 Line 224: max_int = 0 File floats.mlw: Line 49: x = (0x1.3000000000002p3:t1) x = (0x1.3000000000002p3:t1) Execution of main function `g5'goal` with env: max_real = 0.0 max_int = 0 x = (0x1.3000000000002p3:t1) zero = 0 one = 1 zeroF = UNDEFINED Unknown location: Normal execution of function `Tuple0` with args: File floats.mlw: Line 49: Property failure at postcondition of `g5'goal2` with: x = (0x1.3000000000002p3:t1) Categorizations of models: - Selected model 0: NC - Concrete RAC: FAILURE (postcondition at "bench/check-ce/floats.mlw", line 51, characters 24-30) - Abstract RAC: FAILURE (postcondition at "bench/check-ce/floats.mlw", line 51, characters 24-30) - Checked model 1: NC - Concrete RAC: FAILURE (postcondition at "bench/check-ce/floats.mlw", line 51, characters 24-30) - Abstract RAC: FAILURE (postcondition at "bench/check-ce/floats.mlw", line 51, characters 24-30) File "bench/check-ce/floats.mlw", line 51, characters 24-30: Goal g6. Prover result is: Unknown (sat). The program does not comply to the verification goal, for example during the following execution: File int.mlw: Line 13: Constant zero initialization zero = 0 Line 14: Constant one initialization one = 1 File ieee_float.mlw: Line 902: Constant zeroF initialization Line 63: (giant-step) execution of unimplemented function with args: result = UNDEFINED Line 902: zeroF = UNDEFINED Line 223: max_real = 0.0 Line 224: max_int = 0 File floats.mlw: Line 51: x = epsilon x:t1. is_nan1 x x = epsilon x:t1. is_nan1 x Execution of main function `g6'goal` with env: max_real = 0.0 max_int = 0 x = epsilon x:t1. is_nan1 x zero = 0 one = 1 zeroF = UNDEFINED Unknown location: Normal execution of function `Tuple0` with args: File floats.mlw: Line 51: Property failure at postcondition of `g6'goal2` with: x = epsilon x:t1. is_nan1 x Categorizations of models: - Checked model 0: INCOMPLETE - Concrete RAC: INCOMPLETE (terminated because Precondition of `g7'goal2` cannot be evaluated) - Abstract RAC: INCOMPLETE (terminated because Precondition of `g7'goal2` cannot be evaluated) File "bench/check-ce/floats.mlw", line 53, characters 40-64: Goal g7. Prover result is: Unknown or time/memory/step limit. Categorizations of models: - Checked model 0: INCOMPLETE - Concrete RAC: INCOMPLETE (terminated because Postcondition of `g8'goal2` cannot be evaluated) - Abstract RAC: INCOMPLETE (terminated because Postcondition of `g8'goal2` cannot be evaluated) - Selected model 1: INCOMPLETE - Concrete RAC: INCOMPLETE (terminated because Postcondition of `g8'goal3` cannot be evaluated) - Abstract RAC: INCOMPLETE (terminated because Postcondition of `g8'goal3` cannot be evaluated) File "bench/check-ce/floats.mlw", line 55, characters 24-60: Goal g8. Prover result is: Unknown (sat). The following counterexample model could not be verified (both RAC terminated because Postcondition of `g8'goal3` cannot be evaluated): File ieee_float.mlw: Line 223: max_real : real = 0.0 Line 224: max_int : int = 0 File floats.mlw: Line 55: x : t1 = ∞ Categorizations of models: - Checked model 0: INCOMPLETE - Concrete RAC: INCOMPLETE (terminated because Precondition of `g9'goal1` cannot be evaluated) - Abstract RAC: INCOMPLETE (terminated because Precondition of `g9'goal1` cannot be evaluated) File "bench/check-ce/floats.mlw", line 57, characters 40-70: Goal g9. Prover result is: Unknown or time/memory/step limit. Categorizations of models: - Selected model 0: NC - Concrete RAC: FAILURE (postcondition at "bench/check-ce/floats.mlw", line 60, characters 24-98) - Abstract RAC: FAILURE (postcondition at "bench/check-ce/floats.mlw", line 60, characters 24-98) - Checked model 1: INCOMPLETE - Concrete RAC: INCOMPLETE (terminated because Postcondition of `g10'goal3` cannot be evaluated) - Abstract RAC: INCOMPLETE (terminated because Postcondition of `g10'goal3` cannot be evaluated) File "bench/check-ce/floats.mlw", line 60, characters 24-98: Goal g10. Prover result is: Unknown or time/memory/step limit. The program does not comply to the verification goal, for example during the following execution: File int.mlw: Line 13: Constant zero initialization zero = 0 Line 14: Constant one initialization one = 1 File ieee_float.mlw: Line 902: Constant zeroF initialization Line 63: (giant-step) execution of unimplemented function with args: result = UNDEFINED Line 902: zeroF = UNDEFINED Line 223: max_real = 0.0 Line 224: max_int = 0 File floats.mlw: Line 60: x = (0x1.999999999999Bp-4:t1) x = (0x1.999999999999Bp-4:t1) Execution of main function `g10'goal` with env: max_real = 0.0 max_int = 0 x = (0x1.999999999999Bp-4:t1) zero = 0 one = 1 zeroF = UNDEFINED Unknown location: Normal execution of function `Tuple0` with args: File floats.mlw: Line 60: Property failure at postcondition of `g10'goal2` with: RNE = UNDEFINED RTZ = UNDEFINED x = (0x1.999999999999Bp-4:t1) Categorizations of models: - Selected model 0: NC - Concrete RAC: FAILURE (postcondition at "bench/check-ce/floats.mlw", line 62, characters 24-48) - Abstract RAC: FAILURE (postcondition at "bench/check-ce/floats.mlw", line 62, characters 24-48) - Checked model 1: NC - Concrete RAC: FAILURE (postcondition at "bench/check-ce/floats.mlw", line 62, characters 24-48) - Abstract RAC: FAILURE (postcondition at "bench/check-ce/floats.mlw", line 62, characters 24-48) File "bench/check-ce/floats.mlw", line 62, characters 24-48: Goal g11. Prover result is: Unknown (sat). The program does not comply to the verification goal, for example during the following execution: File int.mlw: Line 13: Constant zero initialization zero = 0 Line 14: Constant one initialization one = 1 File ieee_float.mlw: Line 902: Constant zeroF initialization Line 63: (giant-step) execution of unimplemented function with args: result = UNDEFINED Line 902: zeroF = UNDEFINED Line 223: max_real = 0.0 Line 224: max_int = 0 File floats.mlw: Line 62: x = (0x1.0p-1022:t1) x = (0x1.0p-1022:t1) Execution of main function `g11'goal` with env: max_real = 0.0 max_int = 0 x = (0x1.0p-1022:t1) zero = 0 one = 1 zeroF = UNDEFINED Unknown location: Normal execution of function `Tuple0` with args: File floats.mlw: Line 62: Property failure at postcondition of `g11'goal2` with: x = (0x1.0p-1022:t1) Categorizations of models: - Selected model 0: NC - Concrete RAC: FAILURE (postcondition at "bench/check-ce/floats.mlw", line 65, characters 24-62) - Abstract RAC: FAILURE (postcondition at "bench/check-ce/floats.mlw", line 65, characters 24-62) - Checked model 1: NC - Concrete RAC: FAILURE (postcondition at "bench/check-ce/floats.mlw", line 65, characters 24-62) - Abstract RAC: FAILURE (postcondition at "bench/check-ce/floats.mlw", line 65, characters 24-62) File "bench/check-ce/floats.mlw", line 65, characters 24-62: Goal g12. Prover result is: Unknown (sat). The program does not comply to the verification goal, for example during the following execution: File int.mlw: Line 13: Constant zero initialization zero = 0 Line 14: Constant one initialization one = 1 File ieee_float.mlw: Line 902: Constant zeroF initialization Line 63: (giant-step) execution of unimplemented function with args: result = UNDEFINED Line 902: zeroF = UNDEFINED Line 223: max_real = 0.0 Line 224: max_int = 0 File floats.mlw: Line 65: x = (0x0.FFFFFFFFFFFFFp-1022:t1) x = (0x0.FFFFFFFFFFFFFp-1022:t1) Execution of main function `g12'goal` with env: max_real = 0.0 max_int = 0 x = (0x0.FFFFFFFFFFFFFp-1022:t1) zero = 0 one = 1 zeroF = UNDEFINED Unknown location: Normal execution of function `Tuple0` with args: File floats.mlw: Line 65: Property failure at postcondition of `g12'goal2` with: x = (0x0.FFFFFFFFFFFFFp-1022:t1) Categorizations of models: - Selected model 0: NC - Concrete RAC: FAILURE (postcondition at "bench/check-ce/floats.mlw", line 68, characters 24-48) - Abstract RAC: FAILURE (postcondition at "bench/check-ce/floats.mlw", line 68, characters 24-48) - Checked model 1: NC - Concrete RAC: FAILURE (postcondition at "bench/check-ce/floats.mlw", line 68, characters 24-48) - Abstract RAC: FAILURE (postcondition at "bench/check-ce/floats.mlw", line 68, characters 24-48) File "bench/check-ce/floats.mlw", line 68, characters 24-48: Goal g13. Prover result is: Unknown (sat). The program does not comply to the verification goal, for example during the following execution: File int.mlw: Line 13: Constant zero initialization zero = 0 Line 14: Constant one initialization one = 1 File ieee_float.mlw: Line 902: Constant zeroF initialization Line 63: (giant-step) execution of unimplemented function with args: result = UNDEFINED Line 902: zeroF = UNDEFINED Line 223: max_real = 0.0 Line 224: max_int = 0 File floats.mlw: Line 68: x = (0x0.8p-1022:t1) x = (0x0.8p-1022:t1) Execution of main function `g13'goal` with env: max_real = 0.0 max_int = 0 x = (0x0.8p-1022:t1) zero = 0 one = 1 zeroF = UNDEFINED Unknown location: Normal execution of function `Tuple0` with args: File floats.mlw: Line 68: Property failure at postcondition of `g13'goal2` with: x = (0x0.8p-1022:t1) why3-1.6.0/bench/check-ce/oracles/floats_Z3,4.8.10_WP.oracle000066400000000000000000001047261440160026300227550ustar00rootroot00000000000000Categorizations of models: - Selected model 0: NC - Concrete RAC: FAILURE (postcondition at "bench/check-ce/floats.mlw", line 5, characters 40-52) - Abstract RAC: FAILURE (postcondition at "bench/check-ce/floats.mlw", line 5, characters 40-52) - Checked model 1: NC - Concrete RAC: FAILURE (postcondition at "bench/check-ce/floats.mlw", line 5, characters 40-52) - Abstract RAC: FAILURE (postcondition at "bench/check-ce/floats.mlw", line 5, characters 40-52) File "bench/check-ce/floats.mlw", line 5, characters 40-52: Goal g1. Prover result is: Unknown (sat). The program does not comply to the verification goal, for example during the following execution: File int.mlw: Line 13: Constant zero initialization zero = 0 Line 14: Constant one initialization one = 1 File ieee_float.mlw: Line 861: Constant zeroF initialization Line 63: (giant-step) execution of unimplemented function with args: result = UNDEFINED Line 861: zeroF = UNDEFINED Line 223: max_real = 0.0 Line 224: max_int = 0 File floats.mlw: Line 5: x = ((- 0x1.000002p-126):t) x = ((- 0x1.000002p-126):t) Execution of main function `g1'goal` with env: max_real = 0.0 max_int = 0 x = ((- 0x1.000002p-126):t) zero = 0 one = 1 zeroF = UNDEFINED Unknown location: Normal execution of function `Tuple0` with args: File floats.mlw: Line 5: Property failure at postcondition of `g1'goal` with: x = ((- 0x1.000002p-126):t) Categorizations of models: - Selected model 0: NC - Concrete RAC: FAILURE (postcondition at "bench/check-ce/floats.mlw", line 7, characters 40-53) - Abstract RAC: FAILURE (postcondition at "bench/check-ce/floats.mlw", line 7, characters 40-53) - Checked model 1: NC - Concrete RAC: FAILURE (postcondition at "bench/check-ce/floats.mlw", line 7, characters 40-53) - Abstract RAC: FAILURE (postcondition at "bench/check-ce/floats.mlw", line 7, characters 40-53) File "bench/check-ce/floats.mlw", line 7, characters 40-53: Goal g2. Prover result is: Unknown (sat). The program does not comply to the verification goal, for example during the following execution: File int.mlw: Line 13: Constant zero initialization zero = 0 Line 14: Constant one initialization one = 1 File ieee_float.mlw: Line 861: Constant zeroF initialization Line 63: (giant-step) execution of unimplemented function with args: result = UNDEFINED Line 861: zeroF = UNDEFINED Line 223: max_real = 0.0 Line 224: max_int = 0 File floats.mlw: Line 7: x = ((- 0x0.000002p-126):t) x = ((- 0x0.000002p-126):t) Execution of main function `g2'goal` with env: max_real = 0.0 max_int = 0 x = ((- 0x0.000002p-126):t) zero = 0 one = 1 zeroF = UNDEFINED Unknown location: Normal execution of function `Tuple0` with args: File floats.mlw: Line 7: Property failure at postcondition of `g2'goal` with: x = ((- 0x0.000002p-126):t) Categorizations of models: - Selected model 0: NC - Concrete RAC: FAILURE (postcondition at "bench/check-ce/floats.mlw", line 9, characters 24-42) - Abstract RAC: FAILURE (postcondition at "bench/check-ce/floats.mlw", line 9, characters 24-42) - Checked model 1: NC - Concrete RAC: FAILURE (postcondition at "bench/check-ce/floats.mlw", line 9, characters 24-42) - Abstract RAC: FAILURE (postcondition at "bench/check-ce/floats.mlw", line 9, characters 24-42) File "bench/check-ce/floats.mlw", line 9, characters 24-42: Goal g3. Prover result is: Unknown (sat). The program does not comply to the verification goal, for example during the following execution: File int.mlw: Line 13: Constant zero initialization zero = 0 Line 14: Constant one initialization one = 1 File ieee_float.mlw: Line 861: Constant zeroF initialization Line 63: (giant-step) execution of unimplemented function with args: result = UNDEFINED Line 861: zeroF = UNDEFINED Line 223: max_real = 0.0 Line 224: max_int = 0 File floats.mlw: Line 9: x = (0.0:t) x = (0.0:t) Execution of main function `g3'goal` with env: max_real = 0.0 max_int = 0 x = (0.0:t) zero = 0 one = 1 zeroF = UNDEFINED Unknown location: Normal execution of function `Tuple0` with args: File floats.mlw: Line 9: Property failure at postcondition of `g3'goal` with: x = (0.0:t) Categorizations of models: - Selected model 0: NC - Concrete RAC: FAILURE (postcondition at "bench/check-ce/floats.mlw", line 11, characters 24-43) - Abstract RAC: FAILURE (postcondition at "bench/check-ce/floats.mlw", line 11, characters 24-43) - Checked model 1: NC - Concrete RAC: FAILURE (postcondition at "bench/check-ce/floats.mlw", line 11, characters 24-43) - Abstract RAC: FAILURE (postcondition at "bench/check-ce/floats.mlw", line 11, characters 24-43) File "bench/check-ce/floats.mlw", line 11, characters 24-43: Goal g4. Prover result is: Unknown (sat). The program does not comply to the verification goal, for example during the following execution: File int.mlw: Line 13: Constant zero initialization zero = 0 Line 14: Constant one initialization one = 1 File ieee_float.mlw: Line 861: Constant zeroF initialization Line 63: (giant-step) execution of unimplemented function with args: result = UNDEFINED Line 861: zeroF = UNDEFINED Line 223: max_real = 0.0 Line 224: max_int = 0 File floats.mlw: Line 11: x = (0x1.4p0:t) x = (0x1.4p0:t) Execution of main function `g4'goal` with env: max_real = 0.0 max_int = 0 x = (0x1.4p0:t) zero = 0 one = 1 zeroF = UNDEFINED Unknown location: Normal execution of function `Tuple0` with args: File floats.mlw: Line 11: Property failure at postcondition of `g4'goal` with: x = (0x1.4p0:t) Categorizations of models: - Selected model 0: NC - Concrete RAC: FAILURE (postcondition at "bench/check-ce/floats.mlw", line 13, characters 24-43) - Abstract RAC: FAILURE (postcondition at "bench/check-ce/floats.mlw", line 13, characters 24-43) - Checked model 1: INCOMPLETE - Concrete RAC: INCOMPLETE (terminated because Postcondition of `g5'goal1` cannot be evaluated) - Abstract RAC: INCOMPLETE (terminated because Postcondition of `g5'goal1` cannot be evaluated) File "bench/check-ce/floats.mlw", line 13, characters 24-43: Goal g5. Prover result is: Unknown or time/memory/step limit. The program does not comply to the verification goal, for example during the following execution: File int.mlw: Line 13: Constant zero initialization zero = 0 Line 14: Constant one initialization one = 1 File ieee_float.mlw: Line 861: Constant zeroF initialization Line 63: (giant-step) execution of unimplemented function with args: result = UNDEFINED Line 861: zeroF = UNDEFINED Line 223: max_real = 0.0 Line 224: max_int = 0 File floats.mlw: Line 13: x = (0x1.50002p3:t) x = (0x1.50002p3:t) Execution of main function `g5'goal` with env: max_real = 0.0 max_int = 0 x = (0x1.50002p3:t) zero = 0 one = 1 zeroF = UNDEFINED Unknown location: Normal execution of function `Tuple0` with args: File floats.mlw: Line 13: Property failure at postcondition of `g5'goal` with: x = (0x1.50002p3:t) Categorizations of models: - Selected model 0: NC - Concrete RAC: FAILURE (postcondition at "bench/check-ce/floats.mlw", line 15, characters 24-30) - Abstract RAC: FAILURE (postcondition at "bench/check-ce/floats.mlw", line 15, characters 24-30) - Checked model 1: NC - Concrete RAC: FAILURE (postcondition at "bench/check-ce/floats.mlw", line 15, characters 24-30) - Abstract RAC: FAILURE (postcondition at "bench/check-ce/floats.mlw", line 15, characters 24-30) File "bench/check-ce/floats.mlw", line 15, characters 24-30: Goal g6. Prover result is: Unknown (sat). The program does not comply to the verification goal, for example during the following execution: File int.mlw: Line 13: Constant zero initialization zero = 0 Line 14: Constant one initialization one = 1 File ieee_float.mlw: Line 861: Constant zeroF initialization Line 63: (giant-step) execution of unimplemented function with args: result = UNDEFINED Line 861: zeroF = UNDEFINED Line 223: max_real = 0.0 Line 224: max_int = 0 File floats.mlw: Line 15: x = epsilon x:t. is_nan x x = epsilon x:t. is_nan x Execution of main function `g6'goal` with env: max_real = 0.0 max_int = 0 x = epsilon x:t. is_nan x zero = 0 one = 1 zeroF = UNDEFINED Unknown location: Normal execution of function `Tuple0` with args: File floats.mlw: Line 15: Property failure at postcondition of `g6'goal` with: x = epsilon x:t. is_nan x Categorizations of models: - Selected model 0: NC - Concrete RAC: FAILURE (postcondition at "bench/check-ce/floats.mlw", line 17, characters 40-64) - Abstract RAC: FAILURE (postcondition at "bench/check-ce/floats.mlw", line 17, characters 40-64) - Checked model 1: INCOMPLETE - Concrete RAC: INCOMPLETE (terminated because Precondition of `g7'goal1` cannot be evaluated) - Abstract RAC: INCOMPLETE (terminated because Precondition of `g7'goal1` cannot be evaluated) File "bench/check-ce/floats.mlw", line 17, characters 40-64: Goal g7. Prover result is: Unknown or time/memory/step limit. The program does not comply to the verification goal, for example during the following execution: File int.mlw: Line 13: Constant zero initialization zero = 0 Line 14: Constant one initialization one = 1 File ieee_float.mlw: Line 861: Constant zeroF initialization Line 63: (giant-step) execution of unimplemented function with args: result = UNDEFINED Line 861: zeroF = UNDEFINED Line 223: max_real = 0.0 Line 224: max_int = 0 File floats.mlw: Line 17: x = ((- 0x1.0p64):t) x = ((- 0x1.0p64):t) Execution of main function `g7'goal` with env: max_real = 0.0 max_int = 0 x = ((- 0x1.0p64):t) zero = 0 one = 1 zeroF = UNDEFINED Unknown location: Normal execution of function `Tuple0` with args: File floats.mlw: Line 17: Property failure at postcondition of `g7'goal` with: RNE = UNDEFINED x = ((- 0x1.0p64):t) Categorizations of models: - Checked model 0: INCOMPLETE - Concrete RAC: INCOMPLETE (terminated because Postcondition of `g8'goal` cannot be evaluated) - Abstract RAC: INCOMPLETE (terminated because Postcondition of `g8'goal` cannot be evaluated) - Selected model 1: INCOMPLETE - Concrete RAC: INCOMPLETE (terminated because Postcondition of `g8'goal1` cannot be evaluated) - Abstract RAC: INCOMPLETE (terminated because Postcondition of `g8'goal1` cannot be evaluated) File "bench/check-ce/floats.mlw", line 19, characters 24-60: Goal g8. Prover result is: Unknown (sat). The following counterexample model could not be verified (both RAC terminated because Postcondition of `g8'goal1` cannot be evaluated): File ieee_float.mlw: Line 223: max_real : real = 0.0 Line 224: max_int : int = 0 File floats.mlw: Line 19: x : t = ∞ Categorizations of models: - Checked model 0: INCOMPLETE - Concrete RAC: INCOMPLETE (terminated because Precondition of `g9'goal` cannot be evaluated) - Abstract RAC: INCOMPLETE (terminated because Precondition of `g9'goal` cannot be evaluated) File "bench/check-ce/floats.mlw", line 21, characters 40-70: Goal g9. Prover result is: Unknown or time/memory/step limit. Categorizations of models: - Selected model 0: NC - Concrete RAC: FAILURE (postcondition at "bench/check-ce/floats.mlw", line 24, characters 24-98) - Abstract RAC: FAILURE (postcondition at "bench/check-ce/floats.mlw", line 24, characters 24-98) - Checked model 1: INCOMPLETE - Concrete RAC: INCOMPLETE (terminated because Postcondition of `g10'goal1` cannot be evaluated) - Abstract RAC: INCOMPLETE (terminated because Postcondition of `g10'goal1` cannot be evaluated) File "bench/check-ce/floats.mlw", line 24, characters 24-98: Goal g10. Prover result is: Unknown or time/memory/step limit. The program does not comply to the verification goal, for example during the following execution: File int.mlw: Line 13: Constant zero initialization zero = 0 Line 14: Constant one initialization one = 1 File ieee_float.mlw: Line 861: Constant zeroF initialization Line 63: (giant-step) execution of unimplemented function with args: result = UNDEFINED Line 861: zeroF = UNDEFINED Line 223: max_real = 0.0 Line 224: max_int = 0 File floats.mlw: Line 24: x = (0x1.99999Cp-4:t) x = (0x1.99999Cp-4:t) Execution of main function `g10'goal` with env: max_real = 0.0 max_int = 0 x = (0x1.99999Cp-4:t) zero = 0 one = 1 zeroF = UNDEFINED Unknown location: Normal execution of function `Tuple0` with args: File floats.mlw: Line 24: Property failure at postcondition of `g10'goal` with: RNE = UNDEFINED RTZ = UNDEFINED x = (0x1.99999Cp-4:t) Categorizations of models: - Selected model 0: NC - Concrete RAC: FAILURE (postcondition at "bench/check-ce/floats.mlw", line 26, characters 24-47) - Abstract RAC: FAILURE (postcondition at "bench/check-ce/floats.mlw", line 26, characters 24-47) - Checked model 1: NC - Concrete RAC: FAILURE (postcondition at "bench/check-ce/floats.mlw", line 26, characters 24-47) - Abstract RAC: FAILURE (postcondition at "bench/check-ce/floats.mlw", line 26, characters 24-47) File "bench/check-ce/floats.mlw", line 26, characters 24-47: Goal g11. Prover result is: Unknown (sat). The program does not comply to the verification goal, for example during the following execution: File int.mlw: Line 13: Constant zero initialization zero = 0 Line 14: Constant one initialization one = 1 File ieee_float.mlw: Line 861: Constant zeroF initialization Line 63: (giant-step) execution of unimplemented function with args: result = UNDEFINED Line 861: zeroF = UNDEFINED Line 223: max_real = 0.0 Line 224: max_int = 0 File floats.mlw: Line 26: x = (0x1.0p-126:t) x = (0x1.0p-126:t) Execution of main function `g11'goal` with env: max_real = 0.0 max_int = 0 x = (0x1.0p-126:t) zero = 0 one = 1 zeroF = UNDEFINED Unknown location: Normal execution of function `Tuple0` with args: File floats.mlw: Line 26: Property failure at postcondition of `g11'goal` with: x = (0x1.0p-126:t) Categorizations of models: - Selected model 0: NC - Concrete RAC: FAILURE (postcondition at "bench/check-ce/floats.mlw", line 29, characters 24-54) - Abstract RAC: FAILURE (postcondition at "bench/check-ce/floats.mlw", line 29, characters 24-54) - Checked model 1: NC - Concrete RAC: FAILURE (postcondition at "bench/check-ce/floats.mlw", line 29, characters 24-54) - Abstract RAC: FAILURE (postcondition at "bench/check-ce/floats.mlw", line 29, characters 24-54) File "bench/check-ce/floats.mlw", line 29, characters 24-54: Goal g12. Prover result is: Unknown (sat). The program does not comply to the verification goal, for example during the following execution: File int.mlw: Line 13: Constant zero initialization zero = 0 Line 14: Constant one initialization one = 1 File ieee_float.mlw: Line 861: Constant zeroF initialization Line 63: (giant-step) execution of unimplemented function with args: result = UNDEFINED Line 861: zeroF = UNDEFINED Line 223: max_real = 0.0 Line 224: max_int = 0 File floats.mlw: Line 29: x = (0x0.FFFFFEp-126:t) x = (0x0.FFFFFEp-126:t) Execution of main function `g12'goal` with env: max_real = 0.0 max_int = 0 x = (0x0.FFFFFEp-126:t) zero = 0 one = 1 zeroF = UNDEFINED Unknown location: Normal execution of function `Tuple0` with args: File floats.mlw: Line 29: Property failure at postcondition of `g12'goal` with: x = (0x0.FFFFFEp-126:t) Categorizations of models: - Selected model 0: NC - Concrete RAC: FAILURE (postcondition at "bench/check-ce/floats.mlw", line 32, characters 24-47) - Abstract RAC: FAILURE (postcondition at "bench/check-ce/floats.mlw", line 32, characters 24-47) - Checked model 1: NC - Concrete RAC: FAILURE (postcondition at "bench/check-ce/floats.mlw", line 32, characters 24-47) - Abstract RAC: FAILURE (postcondition at "bench/check-ce/floats.mlw", line 32, characters 24-47) File "bench/check-ce/floats.mlw", line 32, characters 24-47: Goal g13. Prover result is: Unknown (sat). The program does not comply to the verification goal, for example during the following execution: File int.mlw: Line 13: Constant zero initialization zero = 0 Line 14: Constant one initialization one = 1 File ieee_float.mlw: Line 861: Constant zeroF initialization Line 63: (giant-step) execution of unimplemented function with args: result = UNDEFINED Line 861: zeroF = UNDEFINED Line 223: max_real = 0.0 Line 224: max_int = 0 File floats.mlw: Line 32: x = (0x0.8p-126:t) x = (0x0.8p-126:t) Execution of main function `g13'goal` with env: max_real = 0.0 max_int = 0 x = (0x0.8p-126:t) zero = 0 one = 1 zeroF = UNDEFINED Unknown location: Normal execution of function `Tuple0` with args: File floats.mlw: Line 32: Property failure at postcondition of `g13'goal` with: x = (0x0.8p-126:t) Categorizations of models: - Selected model 0: NC - Concrete RAC: FAILURE (postcondition at "bench/check-ce/floats.mlw", line 41, characters 40-52) - Abstract RAC: FAILURE (postcondition at "bench/check-ce/floats.mlw", line 41, characters 40-52) - Checked model 1: NC - Concrete RAC: FAILURE (postcondition at "bench/check-ce/floats.mlw", line 41, characters 40-52) - Abstract RAC: FAILURE (postcondition at "bench/check-ce/floats.mlw", line 41, characters 40-52) File "bench/check-ce/floats.mlw", line 41, characters 40-52: Goal g1. Prover result is: Unknown (sat). The program does not comply to the verification goal, for example during the following execution: File int.mlw: Line 13: Constant zero initialization zero = 0 Line 14: Constant one initialization one = 1 File ieee_float.mlw: Line 902: Constant zeroF initialization Line 63: (giant-step) execution of unimplemented function with args: result = UNDEFINED Line 902: zeroF = UNDEFINED Line 223: max_real = 0.0 Line 224: max_int = 0 File floats.mlw: Line 41: x = ((- 0x1.0000000000001p-1022):t1) x = ((- 0x1.0000000000001p-1022):t1) Execution of main function `g1'goal` with env: max_real = 0.0 max_int = 0 x = ((- 0x1.0000000000001p-1022):t1) zero = 0 one = 1 zeroF = UNDEFINED Unknown location: Normal execution of function `Tuple0` with args: File floats.mlw: Line 41: Property failure at postcondition of `g1'goal2` with: x = ((- 0x1.0000000000001p-1022):t1) Categorizations of models: - Selected model 0: NC - Concrete RAC: FAILURE (postcondition at "bench/check-ce/floats.mlw", line 43, characters 40-53) - Abstract RAC: FAILURE (postcondition at "bench/check-ce/floats.mlw", line 43, characters 40-53) - Checked model 1: NC - Concrete RAC: FAILURE (postcondition at "bench/check-ce/floats.mlw", line 43, characters 40-53) - Abstract RAC: FAILURE (postcondition at "bench/check-ce/floats.mlw", line 43, characters 40-53) File "bench/check-ce/floats.mlw", line 43, characters 40-53: Goal g2. Prover result is: Unknown (sat). The program does not comply to the verification goal, for example during the following execution: File int.mlw: Line 13: Constant zero initialization zero = 0 Line 14: Constant one initialization one = 1 File ieee_float.mlw: Line 902: Constant zeroF initialization Line 63: (giant-step) execution of unimplemented function with args: result = UNDEFINED Line 902: zeroF = UNDEFINED Line 223: max_real = 0.0 Line 224: max_int = 0 File floats.mlw: Line 43: x = ((- 0x0.0000000000001p-1022):t1) x = ((- 0x0.0000000000001p-1022):t1) Execution of main function `g2'goal` with env: max_real = 0.0 max_int = 0 x = ((- 0x0.0000000000001p-1022):t1) zero = 0 one = 1 zeroF = UNDEFINED Unknown location: Normal execution of function `Tuple0` with args: File floats.mlw: Line 43: Property failure at postcondition of `g2'goal2` with: x = ((- 0x0.0000000000001p-1022):t1) Categorizations of models: - Selected model 0: NC - Concrete RAC: FAILURE (postcondition at "bench/check-ce/floats.mlw", line 45, characters 24-42) - Abstract RAC: FAILURE (postcondition at "bench/check-ce/floats.mlw", line 45, characters 24-42) - Checked model 1: NC - Concrete RAC: FAILURE (postcondition at "bench/check-ce/floats.mlw", line 45, characters 24-42) - Abstract RAC: FAILURE (postcondition at "bench/check-ce/floats.mlw", line 45, characters 24-42) File "bench/check-ce/floats.mlw", line 45, characters 24-42: Goal g3. Prover result is: Unknown (sat). The program does not comply to the verification goal, for example during the following execution: File int.mlw: Line 13: Constant zero initialization zero = 0 Line 14: Constant one initialization one = 1 File ieee_float.mlw: Line 902: Constant zeroF initialization Line 63: (giant-step) execution of unimplemented function with args: result = UNDEFINED Line 902: zeroF = UNDEFINED Line 223: max_real = 0.0 Line 224: max_int = 0 File floats.mlw: Line 45: x = (0.0:t1) x = (0.0:t1) Execution of main function `g3'goal` with env: max_real = 0.0 max_int = 0 x = (0.0:t1) zero = 0 one = 1 zeroF = UNDEFINED Unknown location: Normal execution of function `Tuple0` with args: File floats.mlw: Line 45: Property failure at postcondition of `g3'goal2` with: x = (0.0:t1) Categorizations of models: - Selected model 0: NC - Concrete RAC: FAILURE (postcondition at "bench/check-ce/floats.mlw", line 47, characters 24-43) - Abstract RAC: FAILURE (postcondition at "bench/check-ce/floats.mlw", line 47, characters 24-43) - Checked model 1: NC - Concrete RAC: FAILURE (postcondition at "bench/check-ce/floats.mlw", line 47, characters 24-43) - Abstract RAC: FAILURE (postcondition at "bench/check-ce/floats.mlw", line 47, characters 24-43) File "bench/check-ce/floats.mlw", line 47, characters 24-43: Goal g4. Prover result is: Unknown (sat). The program does not comply to the verification goal, for example during the following execution: File int.mlw: Line 13: Constant zero initialization zero = 0 Line 14: Constant one initialization one = 1 File ieee_float.mlw: Line 902: Constant zeroF initialization Line 63: (giant-step) execution of unimplemented function with args: result = UNDEFINED Line 902: zeroF = UNDEFINED Line 223: max_real = 0.0 Line 224: max_int = 0 File floats.mlw: Line 47: x = (0x1.4p0:t1) x = (0x1.4p0:t1) Execution of main function `g4'goal` with env: max_real = 0.0 max_int = 0 x = (0x1.4p0:t1) zero = 0 one = 1 zeroF = UNDEFINED Unknown location: Normal execution of function `Tuple0` with args: File floats.mlw: Line 47: Property failure at postcondition of `g4'goal2` with: x = (0x1.4p0:t1) Categorizations of models: - Selected model 0: NC - Concrete RAC: FAILURE (postcondition at "bench/check-ce/floats.mlw", line 49, characters 24-43) - Abstract RAC: FAILURE (postcondition at "bench/check-ce/floats.mlw", line 49, characters 24-43) - Checked model 1: INCOMPLETE - Concrete RAC: INCOMPLETE (terminated because Postcondition of `g5'goal3` cannot be evaluated) - Abstract RAC: INCOMPLETE (terminated because Postcondition of `g5'goal3` cannot be evaluated) File "bench/check-ce/floats.mlw", line 49, characters 24-43: Goal g5. Prover result is: Unknown or time/memory/step limit. The program does not comply to the verification goal, for example during the following execution: File int.mlw: Line 13: Constant zero initialization zero = 0 Line 14: Constant one initialization one = 1 File ieee_float.mlw: Line 902: Constant zeroF initialization Line 63: (giant-step) execution of unimplemented function with args: result = UNDEFINED Line 902: zeroF = UNDEFINED Line 223: max_real = 0.0 Line 224: max_int = 0 File floats.mlw: Line 49: x = (0x1.3000000000002p3:t1) x = (0x1.3000000000002p3:t1) Execution of main function `g5'goal` with env: max_real = 0.0 max_int = 0 x = (0x1.3000000000002p3:t1) zero = 0 one = 1 zeroF = UNDEFINED Unknown location: Normal execution of function `Tuple0` with args: File floats.mlw: Line 49: Property failure at postcondition of `g5'goal2` with: x = (0x1.3000000000002p3:t1) Categorizations of models: - Selected model 0: NC - Concrete RAC: FAILURE (postcondition at "bench/check-ce/floats.mlw", line 51, characters 24-30) - Abstract RAC: FAILURE (postcondition at "bench/check-ce/floats.mlw", line 51, characters 24-30) - Checked model 1: NC - Concrete RAC: FAILURE (postcondition at "bench/check-ce/floats.mlw", line 51, characters 24-30) - Abstract RAC: FAILURE (postcondition at "bench/check-ce/floats.mlw", line 51, characters 24-30) File "bench/check-ce/floats.mlw", line 51, characters 24-30: Goal g6. Prover result is: Unknown (sat). The program does not comply to the verification goal, for example during the following execution: File int.mlw: Line 13: Constant zero initialization zero = 0 Line 14: Constant one initialization one = 1 File ieee_float.mlw: Line 902: Constant zeroF initialization Line 63: (giant-step) execution of unimplemented function with args: result = UNDEFINED Line 902: zeroF = UNDEFINED Line 223: max_real = 0.0 Line 224: max_int = 0 File floats.mlw: Line 51: x = epsilon x:t1. is_nan1 x x = epsilon x:t1. is_nan1 x Execution of main function `g6'goal` with env: max_real = 0.0 max_int = 0 x = epsilon x:t1. is_nan1 x zero = 0 one = 1 zeroF = UNDEFINED Unknown location: Normal execution of function `Tuple0` with args: File floats.mlw: Line 51: Property failure at postcondition of `g6'goal2` with: x = epsilon x:t1. is_nan1 x Categorizations of models: - Checked model 0: INCOMPLETE - Concrete RAC: INCOMPLETE (terminated because Precondition of `g7'goal2` cannot be evaluated) - Abstract RAC: INCOMPLETE (terminated because Precondition of `g7'goal2` cannot be evaluated) File "bench/check-ce/floats.mlw", line 53, characters 40-64: Goal g7. Prover result is: Unknown or time/memory/step limit. Categorizations of models: - Checked model 0: INCOMPLETE - Concrete RAC: INCOMPLETE (terminated because Postcondition of `g8'goal2` cannot be evaluated) - Abstract RAC: INCOMPLETE (terminated because Postcondition of `g8'goal2` cannot be evaluated) - Selected model 1: INCOMPLETE - Concrete RAC: INCOMPLETE (terminated because Postcondition of `g8'goal3` cannot be evaluated) - Abstract RAC: INCOMPLETE (terminated because Postcondition of `g8'goal3` cannot be evaluated) File "bench/check-ce/floats.mlw", line 55, characters 24-60: Goal g8. Prover result is: Unknown (sat). The following counterexample model could not be verified (both RAC terminated because Postcondition of `g8'goal3` cannot be evaluated): File ieee_float.mlw: Line 223: max_real : real = 0.0 Line 224: max_int : int = 0 File floats.mlw: Line 55: x : t1 = ∞ Categorizations of models: - Checked model 0: INCOMPLETE - Concrete RAC: INCOMPLETE (terminated because Precondition of `g9'goal1` cannot be evaluated) - Abstract RAC: INCOMPLETE (terminated because Precondition of `g9'goal1` cannot be evaluated) File "bench/check-ce/floats.mlw", line 57, characters 40-70: Goal g9. Prover result is: Unknown or time/memory/step limit. Categorizations of models: - Selected model 0: NC - Concrete RAC: FAILURE (postcondition at "bench/check-ce/floats.mlw", line 60, characters 24-98) - Abstract RAC: FAILURE (postcondition at "bench/check-ce/floats.mlw", line 60, characters 24-98) - Checked model 1: INCOMPLETE - Concrete RAC: INCOMPLETE (terminated because Postcondition of `g10'goal3` cannot be evaluated) - Abstract RAC: INCOMPLETE (terminated because Postcondition of `g10'goal3` cannot be evaluated) File "bench/check-ce/floats.mlw", line 60, characters 24-98: Goal g10. Prover result is: Unknown or time/memory/step limit. The program does not comply to the verification goal, for example during the following execution: File int.mlw: Line 13: Constant zero initialization zero = 0 Line 14: Constant one initialization one = 1 File ieee_float.mlw: Line 902: Constant zeroF initialization Line 63: (giant-step) execution of unimplemented function with args: result = UNDEFINED Line 902: zeroF = UNDEFINED Line 223: max_real = 0.0 Line 224: max_int = 0 File floats.mlw: Line 60: x = (0x1.999999999999Bp-4:t1) x = (0x1.999999999999Bp-4:t1) Execution of main function `g10'goal` with env: max_real = 0.0 max_int = 0 x = (0x1.999999999999Bp-4:t1) zero = 0 one = 1 zeroF = UNDEFINED Unknown location: Normal execution of function `Tuple0` with args: File floats.mlw: Line 60: Property failure at postcondition of `g10'goal2` with: RNE = UNDEFINED RTZ = UNDEFINED x = (0x1.999999999999Bp-4:t1) Categorizations of models: - Selected model 0: NC - Concrete RAC: FAILURE (postcondition at "bench/check-ce/floats.mlw", line 62, characters 24-48) - Abstract RAC: FAILURE (postcondition at "bench/check-ce/floats.mlw", line 62, characters 24-48) - Checked model 1: NC - Concrete RAC: FAILURE (postcondition at "bench/check-ce/floats.mlw", line 62, characters 24-48) - Abstract RAC: FAILURE (postcondition at "bench/check-ce/floats.mlw", line 62, characters 24-48) File "bench/check-ce/floats.mlw", line 62, characters 24-48: Goal g11. Prover result is: Unknown (sat). The program does not comply to the verification goal, for example during the following execution: File int.mlw: Line 13: Constant zero initialization zero = 0 Line 14: Constant one initialization one = 1 File ieee_float.mlw: Line 902: Constant zeroF initialization Line 63: (giant-step) execution of unimplemented function with args: result = UNDEFINED Line 902: zeroF = UNDEFINED Line 223: max_real = 0.0 Line 224: max_int = 0 File floats.mlw: Line 62: x = (0x1.0p-1022:t1) x = (0x1.0p-1022:t1) Execution of main function `g11'goal` with env: max_real = 0.0 max_int = 0 x = (0x1.0p-1022:t1) zero = 0 one = 1 zeroF = UNDEFINED Unknown location: Normal execution of function `Tuple0` with args: File floats.mlw: Line 62: Property failure at postcondition of `g11'goal2` with: x = (0x1.0p-1022:t1) Categorizations of models: - Selected model 0: NC - Concrete RAC: FAILURE (postcondition at "bench/check-ce/floats.mlw", line 65, characters 24-62) - Abstract RAC: FAILURE (postcondition at "bench/check-ce/floats.mlw", line 65, characters 24-62) - Checked model 1: NC - Concrete RAC: FAILURE (postcondition at "bench/check-ce/floats.mlw", line 65, characters 24-62) - Abstract RAC: FAILURE (postcondition at "bench/check-ce/floats.mlw", line 65, characters 24-62) File "bench/check-ce/floats.mlw", line 65, characters 24-62: Goal g12. Prover result is: Unknown (sat). The program does not comply to the verification goal, for example during the following execution: File int.mlw: Line 13: Constant zero initialization zero = 0 Line 14: Constant one initialization one = 1 File ieee_float.mlw: Line 902: Constant zeroF initialization Line 63: (giant-step) execution of unimplemented function with args: result = UNDEFINED Line 902: zeroF = UNDEFINED Line 223: max_real = 0.0 Line 224: max_int = 0 File floats.mlw: Line 65: x = (0x0.FFFFFFFFFFFFFp-1022:t1) x = (0x0.FFFFFFFFFFFFFp-1022:t1) Execution of main function `g12'goal` with env: max_real = 0.0 max_int = 0 x = (0x0.FFFFFFFFFFFFFp-1022:t1) zero = 0 one = 1 zeroF = UNDEFINED Unknown location: Normal execution of function `Tuple0` with args: File floats.mlw: Line 65: Property failure at postcondition of `g12'goal2` with: x = (0x0.FFFFFFFFFFFFFp-1022:t1) Categorizations of models: - Selected model 0: NC - Concrete RAC: FAILURE (postcondition at "bench/check-ce/floats.mlw", line 68, characters 24-48) - Abstract RAC: FAILURE (postcondition at "bench/check-ce/floats.mlw", line 68, characters 24-48) - Checked model 1: NC - Concrete RAC: FAILURE (postcondition at "bench/check-ce/floats.mlw", line 68, characters 24-48) - Abstract RAC: FAILURE (postcondition at "bench/check-ce/floats.mlw", line 68, characters 24-48) File "bench/check-ce/floats.mlw", line 68, characters 24-48: Goal g13. Prover result is: Unknown (sat). The program does not comply to the verification goal, for example during the following execution: File int.mlw: Line 13: Constant zero initialization zero = 0 Line 14: Constant one initialization one = 1 File ieee_float.mlw: Line 902: Constant zeroF initialization Line 63: (giant-step) execution of unimplemented function with args: result = UNDEFINED Line 902: zeroF = UNDEFINED Line 223: max_real = 0.0 Line 224: max_int = 0 File floats.mlw: Line 68: x = (0x0.8p-1022:t1) x = (0x0.8p-1022:t1) Execution of main function `g13'goal` with env: max_real = 0.0 max_int = 0 x = (0x0.8p-1022:t1) zero = 0 one = 1 zeroF = UNDEFINED Unknown location: Normal execution of function `Tuple0` with args: File floats.mlw: Line 68: Property failure at postcondition of `g13'goal2` with: x = (0x0.8p-1022:t1) why3-1.6.0/bench/check-ce/oracles/for1_CVC4,1.8_SP.oracle000066400000000000000000000027251440160026300223050ustar00rootroot00000000000000File "bench/check-ce/for1.mlw", line 7, characters 18-24: Sub-goal Loop invariant init of goal f'vc. Prover result is: Valid. File "bench/check-ce/for1.mlw", line 7, characters 18-24: Sub-goal Loop invariant preservation of goal f'vc. Prover result is: Valid. Categorizations of models: - Selected model 0: SW - Concrete RAC: NORMAL - Abstract RAC: FAILURE (postcondition at "bench/check-ce/for1.mlw", line 4, characters 12-22) - Checked model 1: SW - Concrete RAC: NORMAL - Abstract RAC: FAILURE (postcondition at "bench/check-ce/for1.mlw", line 4, characters 12-22) File "bench/check-ce/for1.mlw", line 4, characters 12-22: Sub-goal Postcondition of goal f'vc. Prover result is: Unknown or time/memory/step limit. The contracts of some function or loop are too weak, for example during the following execution: File int.mlw: Line 13: Constant zero initialization zero = 0 Line 14: Constant one initialization one = 1 Unknown location: _ = () File for1.mlw: Line 3: _ = () Execution of main function `f` with env: _ = () zero = 0 one = 1 Line 5: Giant-step execution of function `ref` with args: contents = 0 result of `ref` = {contents= 0} Line 6: Giant-step iteration of loop x = {contents= 0} i = 2 Line 10: Normal execution of function `contents` with args: arg = {contents= 0} Line 4: Property failure at postcondition of `f` with: result = 0 why3-1.6.0/bench/check-ce/oracles/for1_CVC4,1.8_WP.oracle000066400000000000000000000030641440160026300223060ustar00rootroot00000000000000File "bench/check-ce/for1.mlw", line 7, characters 18-24: Sub-goal Loop invariant init of goal f'vc. Prover result is: Valid. File "bench/check-ce/for1.mlw", line 7, characters 18-24: Sub-goal Loop invariant preservation of goal f'vc. Prover result is: Valid. Categorizations of models: - Selected model 0: SW - Concrete RAC: NORMAL - Abstract RAC: FAILURE (postcondition at "bench/check-ce/for1.mlw", line 4, characters 12-22) - Checked model 1: SW - Concrete RAC: NORMAL - Abstract RAC: FAILURE (postcondition at "bench/check-ce/for1.mlw", line 4, characters 12-22) File "bench/check-ce/for1.mlw", line 4, characters 12-22: Sub-goal Postcondition of goal f'vc. Prover result is: Unknown or time/memory/step limit. The contracts of some function or loop are too weak, for example during the following execution: File int.mlw: Line 13: Constant zero initialization zero = 0 Line 14: Constant one initialization one = 1 Unknown location: _ = () File for1.mlw: Line 3: _ = () Execution of main function `f` with env: _ = () zero = 0 one = 1 Line 5: Giant-step execution of function `ref` with args: contents = 0 result of `ref` = {contents= 0} Line 6: Giant-step iteration of loop x = {contents= 0} i = 2 Line 10: Normal execution of function `contents` with args: arg = {contents= 0} Line 4: Property failure at postcondition of `f` with: result = 0 File "bench/check-ce/for1.mlw", line 4, characters 12-22: Goal f'vc. Prover result is: Valid. why3-1.6.0/bench/check-ce/oracles/for1_CVC5,1.0.0_SP.oracle000066400000000000000000000027251440160026300224340ustar00rootroot00000000000000File "bench/check-ce/for1.mlw", line 7, characters 18-24: Sub-goal Loop invariant init of goal f'vc. Prover result is: Valid. File "bench/check-ce/for1.mlw", line 7, characters 18-24: Sub-goal Loop invariant preservation of goal f'vc. Prover result is: Valid. Categorizations of models: - Selected model 0: SW - Concrete RAC: NORMAL - Abstract RAC: FAILURE (postcondition at "bench/check-ce/for1.mlw", line 4, characters 12-22) - Checked model 1: SW - Concrete RAC: NORMAL - Abstract RAC: FAILURE (postcondition at "bench/check-ce/for1.mlw", line 4, characters 12-22) File "bench/check-ce/for1.mlw", line 4, characters 12-22: Sub-goal Postcondition of goal f'vc. Prover result is: Unknown or time/memory/step limit. The contracts of some function or loop are too weak, for example during the following execution: File int.mlw: Line 13: Constant zero initialization zero = 0 Line 14: Constant one initialization one = 1 Unknown location: _ = () File for1.mlw: Line 3: _ = () Execution of main function `f` with env: _ = () zero = 0 one = 1 Line 5: Giant-step execution of function `ref` with args: contents = 0 result of `ref` = {contents= 0} Line 6: Giant-step iteration of loop x = {contents= 0} i = 2 Line 10: Normal execution of function `contents` with args: arg = {contents= 0} Line 4: Property failure at postcondition of `f` with: result = 0 why3-1.6.0/bench/check-ce/oracles/for1_CVC5,1.0.0_WP.oracle000066400000000000000000000030641440160026300224350ustar00rootroot00000000000000File "bench/check-ce/for1.mlw", line 7, characters 18-24: Sub-goal Loop invariant init of goal f'vc. Prover result is: Valid. File "bench/check-ce/for1.mlw", line 7, characters 18-24: Sub-goal Loop invariant preservation of goal f'vc. Prover result is: Valid. Categorizations of models: - Selected model 0: SW - Concrete RAC: NORMAL - Abstract RAC: FAILURE (postcondition at "bench/check-ce/for1.mlw", line 4, characters 12-22) - Checked model 1: SW - Concrete RAC: NORMAL - Abstract RAC: FAILURE (postcondition at "bench/check-ce/for1.mlw", line 4, characters 12-22) File "bench/check-ce/for1.mlw", line 4, characters 12-22: Sub-goal Postcondition of goal f'vc. Prover result is: Unknown or time/memory/step limit. The contracts of some function or loop are too weak, for example during the following execution: File int.mlw: Line 13: Constant zero initialization zero = 0 Line 14: Constant one initialization one = 1 Unknown location: _ = () File for1.mlw: Line 3: _ = () Execution of main function `f` with env: _ = () zero = 0 one = 1 Line 5: Giant-step execution of function `ref` with args: contents = 0 result of `ref` = {contents= 0} Line 6: Giant-step iteration of loop x = {contents= 0} i = 2 Line 10: Normal execution of function `contents` with args: arg = {contents= 0} Line 4: Property failure at postcondition of `f` with: result = 0 File "bench/check-ce/for1.mlw", line 4, characters 12-22: Goal f'vc. Prover result is: Valid. why3-1.6.0/bench/check-ce/oracles/for1_Z3,4.8.10_SP.oracle000066400000000000000000000027251440160026300223240ustar00rootroot00000000000000File "bench/check-ce/for1.mlw", line 7, characters 18-24: Sub-goal Loop invariant init of goal f'vc. Prover result is: Valid. File "bench/check-ce/for1.mlw", line 7, characters 18-24: Sub-goal Loop invariant preservation of goal f'vc. Prover result is: Valid. Categorizations of models: - Selected model 0: SW - Concrete RAC: NORMAL - Abstract RAC: FAILURE (postcondition at "bench/check-ce/for1.mlw", line 4, characters 12-22) - Checked model 1: SW - Concrete RAC: NORMAL - Abstract RAC: FAILURE (postcondition at "bench/check-ce/for1.mlw", line 4, characters 12-22) File "bench/check-ce/for1.mlw", line 4, characters 12-22: Sub-goal Postcondition of goal f'vc. Prover result is: Unknown or time/memory/step limit. The contracts of some function or loop are too weak, for example during the following execution: File int.mlw: Line 13: Constant zero initialization zero = 0 Line 14: Constant one initialization one = 1 Unknown location: _ = () File for1.mlw: Line 3: _ = () Execution of main function `f` with env: _ = () zero = 0 one = 1 Line 5: Giant-step execution of function `ref` with args: contents = 0 result of `ref` = {contents= 0} Line 6: Giant-step iteration of loop x = {contents= 1} i = 2 Line 10: Normal execution of function `contents` with args: arg = {contents= 1} Line 4: Property failure at postcondition of `f` with: result = 1 why3-1.6.0/bench/check-ce/oracles/for1_Z3,4.8.10_WP.oracle000066400000000000000000000030641440160026300223250ustar00rootroot00000000000000File "bench/check-ce/for1.mlw", line 7, characters 18-24: Sub-goal Loop invariant init of goal f'vc. Prover result is: Valid. File "bench/check-ce/for1.mlw", line 7, characters 18-24: Sub-goal Loop invariant preservation of goal f'vc. Prover result is: Valid. Categorizations of models: - Selected model 0: SW - Concrete RAC: NORMAL - Abstract RAC: FAILURE (postcondition at "bench/check-ce/for1.mlw", line 4, characters 12-22) - Checked model 1: SW - Concrete RAC: NORMAL - Abstract RAC: FAILURE (postcondition at "bench/check-ce/for1.mlw", line 4, characters 12-22) File "bench/check-ce/for1.mlw", line 4, characters 12-22: Sub-goal Postcondition of goal f'vc. Prover result is: Unknown or time/memory/step limit. The contracts of some function or loop are too weak, for example during the following execution: File int.mlw: Line 13: Constant zero initialization zero = 0 Line 14: Constant one initialization one = 1 Unknown location: _ = () File for1.mlw: Line 3: _ = () Execution of main function `f` with env: _ = () zero = 0 one = 1 Line 5: Giant-step execution of function `ref` with args: contents = 0 result of `ref` = {contents= 0} Line 6: Giant-step iteration of loop x = {contents= 1} i = 2 Line 10: Normal execution of function `contents` with args: arg = {contents= 1} Line 4: Property failure at postcondition of `f` with: result = 1 File "bench/check-ce/for1.mlw", line 4, characters 12-22: Goal f'vc. Prover result is: Valid. why3-1.6.0/bench/check-ce/oracles/for1_Z3,4.8.4_SP.oracle000066400000000000000000000253661440160026300222550ustar00rootroot00000000000000File "bench/check-ce/for1.mlw", line 7, characters 18-24: Sub-goal Loop invariant init of goal f'vc. Prover result is: Valid (0.02s, 51 steps). File "bench/check-ce/for1.mlw", line 7, characters 18-24: Sub-goal Loop invariant preservation of goal f'vc. Prover result is: Valid (0.02s, 2580 steps). Check model 0 ("bench/check-ce/for1.mlw", line 4, characters 12-22) Checking model: File for1.mlw: Line 4: x = {"type": "Record", "val": {"Field": [{"field": "contents", "value": {"type": "Integer", "val": "1"}}]}} Line 5: result = {"type": "Integer", "val": "1"} Line 6: x = {"type": "Record", "val": {"Field": [{"field": "contents", "value": {"type": "Integer", "val": "1"}}]}} Giant-step RAC RHS evaluated for global `zero` at "WHY3DATA/stdlib/int.mlw", line 13, characters 15-19: 0 RHS evaluated for global `one` at "WHY3DATA/stdlib/int.mlw", line 14, characters 15-18: 1 Type default value for parameter `_` at NO LOC: () Value computed from postcondition for return value of call to ref at "bench/check-ce/for1.mlw", line 5, characters 14-15 at "bench/check-ce/for1.mlw", line 5, characters 14-15: {contents= 0} Value from model for variable `x` at "bench/check-ce/for1.mlw", line 6, characters 4-74 at "bench/check-ce/for1.mlw", line 6, characters 4-74: {contents= 1} Default value for variable `i` at "bench/check-ce/for1.mlw", line 6, characters 8-9: 2 Normal RAC RHS evaluated for global `zero` at "WHY3DATA/stdlib/int.mlw", line 13, characters 15-19: 0 RHS evaluated for global `one` at "WHY3DATA/stdlib/int.mlw", line 14, characters 15-18: 1 Type default value for parameter `_` at NO LOC: () Result of checking model 0: SW - Concrete RAC: NORMAL File int.mlw: Line 13: Constant zero initialization zero = 0 Line 14: Constant one initialization one = 1 Unknown location: _ = () File for1.mlw: Line 3: _ = () Execution of main function `f` with env: _ = () zero = 0 one = 1 Line 5: Normal execution of function `ref` with args: contents = 0 Normal execution of function `ref'mk` with args: contents = 0 Line 6: Normal iteration of loop Line 8: Normal execution of function `contents` with args: arg = {contents= 0} Normal execution of function `(+)` with args: _ = 0 _ = 1 Line 6: Normal iteration of loop Line 8: Normal execution of function `contents` with args: arg = {contents= 1} Normal execution of function `(+)` with args: _ = 1 _ = 1 Line 10: Normal execution of function `contents` with args: arg = {contents= 2} Line 3: Execution of main function terminated normally - Abstract RAC: FAILURE (postcondition at "bench/check-ce/for1.mlw", line 4, characters 12-22) File int.mlw: Line 13: Constant zero initialization zero = 0 Line 14: Constant one initialization one = 1 Unknown location: _ = () File for1.mlw: Line 3: _ = () Execution of main function `f` with env: _ = () zero = 0 one = 1 Line 5: Giant-step execution of function `ref` with args: contents = 0 result of `ref` = {contents= 0} Line 6: Giant-step iteration of loop x = {contents= 1} i = 2 Line 10: Normal execution of function `contents` with args: arg = {contents= 1} Line 4: Property failure at postcondition of `f` with: result = 1 Check model 1 ("bench/check-ce/for1.mlw", line 4, characters 12-22) Checking model: File for1.mlw: Line 4: x = {"type": "Record", "val": {"Field": [{"field": "contents", "value": {"type": "Integer", "val": "1"}}]}} Line 5: result = {"type": "Integer", "val": "1"} Line 6: x = {"type": "Record", "val": {"Field": [{"field": "contents", "value": {"type": "Integer", "val": "1"}}]}} Giant-step RAC RHS evaluated for global `zero` at "WHY3DATA/stdlib/int.mlw", line 13, characters 15-19: 0 RHS evaluated for global `one` at "WHY3DATA/stdlib/int.mlw", line 14, characters 15-18: 1 Type default value for parameter `_` at NO LOC: () Value computed from postcondition for return value of call to ref at "bench/check-ce/for1.mlw", line 5, characters 14-15 at "bench/check-ce/for1.mlw", line 5, characters 14-15: {contents= 0} Value from model for variable `x` at "bench/check-ce/for1.mlw", line 6, characters 4-74 at "bench/check-ce/for1.mlw", line 6, characters 4-74: {contents= 1} Default value for variable `i` at "bench/check-ce/for1.mlw", line 6, characters 8-9: 2 Normal RAC RHS evaluated for global `zero` at "WHY3DATA/stdlib/int.mlw", line 13, characters 15-19: 0 RHS evaluated for global `one` at "WHY3DATA/stdlib/int.mlw", line 14, characters 15-18: 1 Type default value for parameter `_` at NO LOC: () Result of checking model 1: SW - Concrete RAC: NORMAL File int.mlw: Line 13: Constant zero initialization zero = 0 Line 14: Constant one initialization one = 1 Unknown location: _ = () File for1.mlw: Line 3: _ = () Execution of main function `f` with env: _ = () zero = 0 one = 1 Line 5: Normal execution of function `ref` with args: contents = 0 Normal execution of function `ref'mk` with args: contents = 0 Line 6: Normal iteration of loop Line 8: Normal execution of function `contents` with args: arg = {contents= 0} Normal execution of function `(+)` with args: _ = 0 _ = 1 Line 6: Normal iteration of loop Line 8: Normal execution of function `contents` with args: arg = {contents= 1} Normal execution of function `(+)` with args: _ = 1 _ = 1 Line 10: Normal execution of function `contents` with args: arg = {contents= 2} Line 3: Execution of main function terminated normally - Abstract RAC: FAILURE (postcondition at "bench/check-ce/for1.mlw", line 4, characters 12-22) File int.mlw: Line 13: Constant zero initialization zero = 0 Line 14: Constant one initialization one = 1 Unknown location: _ = () File for1.mlw: Line 3: _ = () Execution of main function `f` with env: _ = () zero = 0 one = 1 Line 5: Giant-step execution of function `ref` with args: contents = 0 result of `ref` = {contents= 0} Line 6: Giant-step iteration of loop x = {contents= 1} i = 2 Line 10: Normal execution of function `contents` with args: arg = {contents= 1} Line 4: Property failure at postcondition of `f` with: result = 1 Results: - Selected model 0: SW - Concrete RAC: NORMAL - Abstract RAC: FAILURE (postcondition at "bench/check-ce/for1.mlw", line 4, characters 12-22) - Checked model 1: SW - Concrete RAC: NORMAL - Abstract RAC: FAILURE (postcondition at "bench/check-ce/for1.mlw", line 4, characters 12-22) File "bench/check-ce/for1.mlw", line 4, characters 12-22: Sub-goal Postcondition of goal f'vc. Prover result is: Unknown (unknown) (1.11s, 7500000 steps). The contracts of some function or loop are too weak, for example during the following execution: File int.mlw: Line 13: Constant zero initialization zero = 0 Line 14: Constant one initialization one = 1 Unknown location: _ = () File for1.mlw: Line 3: _ = () Execution of main function `f` with env: _ = () zero = 0 one = 1 Line 5: Giant-step execution of function `ref` with args: contents = 0 result of `ref` = {contents= 0} Line 6: Giant-step iteration of loop x = {contents= 1} i = 2 Line 10: Normal execution of function `contents` with args: arg = {contents= 1} Line 4: Property failure at postcondition of `f` with: result = 1 File "bench/check-ce/for1.mlw", line 4, characters 12-22: Goal f'vc. Prover result is: Valid (0.01s, 52 steps). why3-1.6.0/bench/check-ce/oracles/for1_Z3,4.8.4_WP.oracle000066400000000000000000000253661440160026300222610ustar00rootroot00000000000000File "bench/check-ce/for1.mlw", line 7, characters 18-24: Sub-goal Loop invariant init of goal f'vc. Prover result is: Valid (0.02s, 51 steps). File "bench/check-ce/for1.mlw", line 7, characters 18-24: Sub-goal Loop invariant preservation of goal f'vc. Prover result is: Valid (0.02s, 2580 steps). Check model 0 ("bench/check-ce/for1.mlw", line 4, characters 12-22) Checking model: File for1.mlw: Line 4: x = {"type": "Record", "val": {"Field": [{"field": "contents", "value": {"type": "Integer", "val": "1"}}]}} Line 5: result = {"type": "Integer", "val": "1"} Line 6: x = {"type": "Record", "val": {"Field": [{"field": "contents", "value": {"type": "Integer", "val": "1"}}]}} Giant-step RAC RHS evaluated for global `zero` at "WHY3DATA/stdlib/int.mlw", line 13, characters 15-19: 0 RHS evaluated for global `one` at "WHY3DATA/stdlib/int.mlw", line 14, characters 15-18: 1 Type default value for parameter `_` at NO LOC: () Value computed from postcondition for return value of call to ref at "bench/check-ce/for1.mlw", line 5, characters 14-15 at "bench/check-ce/for1.mlw", line 5, characters 14-15: {contents= 0} Value from model for variable `x` at "bench/check-ce/for1.mlw", line 6, characters 4-74 at "bench/check-ce/for1.mlw", line 6, characters 4-74: {contents= 1} Default value for variable `i` at "bench/check-ce/for1.mlw", line 6, characters 8-9: 2 Normal RAC RHS evaluated for global `zero` at "WHY3DATA/stdlib/int.mlw", line 13, characters 15-19: 0 RHS evaluated for global `one` at "WHY3DATA/stdlib/int.mlw", line 14, characters 15-18: 1 Type default value for parameter `_` at NO LOC: () Result of checking model 0: SW - Concrete RAC: NORMAL File int.mlw: Line 13: Constant zero initialization zero = 0 Line 14: Constant one initialization one = 1 Unknown location: _ = () File for1.mlw: Line 3: _ = () Execution of main function `f` with env: _ = () zero = 0 one = 1 Line 5: Normal execution of function `ref` with args: contents = 0 Normal execution of function `ref'mk` with args: contents = 0 Line 6: Normal iteration of loop Line 8: Normal execution of function `contents` with args: arg = {contents= 0} Normal execution of function `(+)` with args: _ = 0 _ = 1 Line 6: Normal iteration of loop Line 8: Normal execution of function `contents` with args: arg = {contents= 1} Normal execution of function `(+)` with args: _ = 1 _ = 1 Line 10: Normal execution of function `contents` with args: arg = {contents= 2} Line 3: Execution of main function terminated normally - Abstract RAC: FAILURE (postcondition at "bench/check-ce/for1.mlw", line 4, characters 12-22) File int.mlw: Line 13: Constant zero initialization zero = 0 Line 14: Constant one initialization one = 1 Unknown location: _ = () File for1.mlw: Line 3: _ = () Execution of main function `f` with env: _ = () zero = 0 one = 1 Line 5: Giant-step execution of function `ref` with args: contents = 0 result of `ref` = {contents= 0} Line 6: Giant-step iteration of loop x = {contents= 1} i = 2 Line 10: Normal execution of function `contents` with args: arg = {contents= 1} Line 4: Property failure at postcondition of `f` with: result = 1 Check model 1 ("bench/check-ce/for1.mlw", line 4, characters 12-22) Checking model: File for1.mlw: Line 4: x = {"type": "Record", "val": {"Field": [{"field": "contents", "value": {"type": "Integer", "val": "1"}}]}} Line 5: result = {"type": "Integer", "val": "1"} Line 6: x = {"type": "Record", "val": {"Field": [{"field": "contents", "value": {"type": "Integer", "val": "1"}}]}} Giant-step RAC RHS evaluated for global `zero` at "WHY3DATA/stdlib/int.mlw", line 13, characters 15-19: 0 RHS evaluated for global `one` at "WHY3DATA/stdlib/int.mlw", line 14, characters 15-18: 1 Type default value for parameter `_` at NO LOC: () Value computed from postcondition for return value of call to ref at "bench/check-ce/for1.mlw", line 5, characters 14-15 at "bench/check-ce/for1.mlw", line 5, characters 14-15: {contents= 0} Value from model for variable `x` at "bench/check-ce/for1.mlw", line 6, characters 4-74 at "bench/check-ce/for1.mlw", line 6, characters 4-74: {contents= 1} Default value for variable `i` at "bench/check-ce/for1.mlw", line 6, characters 8-9: 2 Normal RAC RHS evaluated for global `zero` at "WHY3DATA/stdlib/int.mlw", line 13, characters 15-19: 0 RHS evaluated for global `one` at "WHY3DATA/stdlib/int.mlw", line 14, characters 15-18: 1 Type default value for parameter `_` at NO LOC: () Result of checking model 1: SW - Concrete RAC: NORMAL File int.mlw: Line 13: Constant zero initialization zero = 0 Line 14: Constant one initialization one = 1 Unknown location: _ = () File for1.mlw: Line 3: _ = () Execution of main function `f` with env: _ = () zero = 0 one = 1 Line 5: Normal execution of function `ref` with args: contents = 0 Normal execution of function `ref'mk` with args: contents = 0 Line 6: Normal iteration of loop Line 8: Normal execution of function `contents` with args: arg = {contents= 0} Normal execution of function `(+)` with args: _ = 0 _ = 1 Line 6: Normal iteration of loop Line 8: Normal execution of function `contents` with args: arg = {contents= 1} Normal execution of function `(+)` with args: _ = 1 _ = 1 Line 10: Normal execution of function `contents` with args: arg = {contents= 2} Line 3: Execution of main function terminated normally - Abstract RAC: FAILURE (postcondition at "bench/check-ce/for1.mlw", line 4, characters 12-22) File int.mlw: Line 13: Constant zero initialization zero = 0 Line 14: Constant one initialization one = 1 Unknown location: _ = () File for1.mlw: Line 3: _ = () Execution of main function `f` with env: _ = () zero = 0 one = 1 Line 5: Giant-step execution of function `ref` with args: contents = 0 result of `ref` = {contents= 0} Line 6: Giant-step iteration of loop x = {contents= 1} i = 2 Line 10: Normal execution of function `contents` with args: arg = {contents= 1} Line 4: Property failure at postcondition of `f` with: result = 1 Results: - Selected model 0: SW - Concrete RAC: NORMAL - Abstract RAC: FAILURE (postcondition at "bench/check-ce/for1.mlw", line 4, characters 12-22) - Checked model 1: SW - Concrete RAC: NORMAL - Abstract RAC: FAILURE (postcondition at "bench/check-ce/for1.mlw", line 4, characters 12-22) File "bench/check-ce/for1.mlw", line 4, characters 12-22: Sub-goal Postcondition of goal f'vc. Prover result is: Unknown (unknown) (1.15s, 7500000 steps). The contracts of some function or loop are too weak, for example during the following execution: File int.mlw: Line 13: Constant zero initialization zero = 0 Line 14: Constant one initialization one = 1 Unknown location: _ = () File for1.mlw: Line 3: _ = () Execution of main function `f` with env: _ = () zero = 0 one = 1 Line 5: Giant-step execution of function `ref` with args: contents = 0 result of `ref` = {contents= 0} Line 6: Giant-step iteration of loop x = {contents= 1} i = 2 Line 10: Normal execution of function `contents` with args: arg = {contents= 1} Line 4: Property failure at postcondition of `f` with: result = 1 File "bench/check-ce/for1.mlw", line 4, characters 12-22: Goal f'vc. Prover result is: Valid (0.00s, 52 steps). why3-1.6.0/bench/check-ce/oracles/for1_mono_CVC4,1.8_SP.oracle000066400000000000000000000026341440160026300233340ustar00rootroot00000000000000File "bench/check-ce/for1_mono.mlw", line 9, characters 18-26: Sub-goal Loop invariant init of goal f'vc. Prover result is: Valid. File "bench/check-ce/for1_mono.mlw", line 9, characters 18-26: Sub-goal Loop invariant preservation of goal f'vc. Prover result is: Valid. Categorizations of models: - Selected model 0: SW - Concrete RAC: NORMAL - Abstract RAC: FAILURE (postcondition at "bench/check-ce/for1_mono.mlw", line 6, characters 12-22) - Checked model 1: SW - Concrete RAC: NORMAL - Abstract RAC: FAILURE (postcondition at "bench/check-ce/for1_mono.mlw", line 6, characters 12-22) File "bench/check-ce/for1_mono.mlw", line 6, characters 12-22: Sub-goal Postcondition of goal f'vc. Prover result is: Unknown (sat). The contracts of some function or loop are too weak, for example during the following execution: File int.mlw: Line 13: Constant zero initialization zero = 0 Line 14: Constant one initialization one = 1 Unknown location: _ = () File for1_mono.mlw: Line 5: _ = () Execution of main function `f` with env: _ = () zero = 0 one = 1 Line 7: Normal execution of function `t'mk` with args: c = 0 Line 8: Giant-step iteration of loop x = {c= 0} i = 2 Line 12: Normal execution of function `c` with args: arg = {c= 0} Line 6: Property failure at postcondition of `f` with: result = 0 why3-1.6.0/bench/check-ce/oracles/for1_mono_CVC4,1.8_WP.oracle000066400000000000000000000030001440160026300233240ustar00rootroot00000000000000File "bench/check-ce/for1_mono.mlw", line 9, characters 18-26: Sub-goal Loop invariant init of goal f'vc. Prover result is: Valid. File "bench/check-ce/for1_mono.mlw", line 9, characters 18-26: Sub-goal Loop invariant preservation of goal f'vc. Prover result is: Valid. Categorizations of models: - Selected model 0: SW - Concrete RAC: NORMAL - Abstract RAC: FAILURE (postcondition at "bench/check-ce/for1_mono.mlw", line 6, characters 12-22) - Checked model 1: SW - Concrete RAC: NORMAL - Abstract RAC: FAILURE (postcondition at "bench/check-ce/for1_mono.mlw", line 6, characters 12-22) File "bench/check-ce/for1_mono.mlw", line 6, characters 12-22: Sub-goal Postcondition of goal f'vc. Prover result is: Unknown (sat). The contracts of some function or loop are too weak, for example during the following execution: File int.mlw: Line 13: Constant zero initialization zero = 0 Line 14: Constant one initialization one = 1 Unknown location: _ = () File for1_mono.mlw: Line 5: _ = () Execution of main function `f` with env: _ = () zero = 0 one = 1 Line 7: Normal execution of function `t'mk` with args: c = 0 Line 8: Giant-step iteration of loop x = {c= 0} i = 2 Line 12: Normal execution of function `c` with args: arg = {c= 0} Line 6: Property failure at postcondition of `f` with: result = 0 File "bench/check-ce/for1_mono.mlw", line 6, characters 12-22: Goal f'vc. Prover result is: Valid. why3-1.6.0/bench/check-ce/oracles/for1_mono_CVC5,1.0.0_SP.oracle000066400000000000000000000026341440160026300234630ustar00rootroot00000000000000File "bench/check-ce/for1_mono.mlw", line 9, characters 18-26: Sub-goal Loop invariant init of goal f'vc. Prover result is: Valid. File "bench/check-ce/for1_mono.mlw", line 9, characters 18-26: Sub-goal Loop invariant preservation of goal f'vc. Prover result is: Valid. Categorizations of models: - Selected model 0: SW - Concrete RAC: NORMAL - Abstract RAC: FAILURE (postcondition at "bench/check-ce/for1_mono.mlw", line 6, characters 12-22) - Checked model 1: SW - Concrete RAC: NORMAL - Abstract RAC: FAILURE (postcondition at "bench/check-ce/for1_mono.mlw", line 6, characters 12-22) File "bench/check-ce/for1_mono.mlw", line 6, characters 12-22: Sub-goal Postcondition of goal f'vc. Prover result is: Unknown (sat). The contracts of some function or loop are too weak, for example during the following execution: File int.mlw: Line 13: Constant zero initialization zero = 0 Line 14: Constant one initialization one = 1 Unknown location: _ = () File for1_mono.mlw: Line 5: _ = () Execution of main function `f` with env: _ = () zero = 0 one = 1 Line 7: Normal execution of function `t'mk` with args: c = 0 Line 8: Giant-step iteration of loop x = {c= 0} i = 2 Line 12: Normal execution of function `c` with args: arg = {c= 0} Line 6: Property failure at postcondition of `f` with: result = 0 why3-1.6.0/bench/check-ce/oracles/for1_mono_CVC5,1.0.0_WP.oracle000066400000000000000000000030001440160026300234530ustar00rootroot00000000000000File "bench/check-ce/for1_mono.mlw", line 9, characters 18-26: Sub-goal Loop invariant init of goal f'vc. Prover result is: Valid. File "bench/check-ce/for1_mono.mlw", line 9, characters 18-26: Sub-goal Loop invariant preservation of goal f'vc. Prover result is: Valid. Categorizations of models: - Selected model 0: SW - Concrete RAC: NORMAL - Abstract RAC: FAILURE (postcondition at "bench/check-ce/for1_mono.mlw", line 6, characters 12-22) - Checked model 1: SW - Concrete RAC: NORMAL - Abstract RAC: FAILURE (postcondition at "bench/check-ce/for1_mono.mlw", line 6, characters 12-22) File "bench/check-ce/for1_mono.mlw", line 6, characters 12-22: Sub-goal Postcondition of goal f'vc. Prover result is: Unknown (sat). The contracts of some function or loop are too weak, for example during the following execution: File int.mlw: Line 13: Constant zero initialization zero = 0 Line 14: Constant one initialization one = 1 Unknown location: _ = () File for1_mono.mlw: Line 5: _ = () Execution of main function `f` with env: _ = () zero = 0 one = 1 Line 7: Normal execution of function `t'mk` with args: c = 0 Line 8: Giant-step iteration of loop x = {c= 0} i = 2 Line 12: Normal execution of function `c` with args: arg = {c= 0} Line 6: Property failure at postcondition of `f` with: result = 0 File "bench/check-ce/for1_mono.mlw", line 6, characters 12-22: Goal f'vc. Prover result is: Valid. why3-1.6.0/bench/check-ce/oracles/for1_mono_Z3,4.8.10_SP.oracle000066400000000000000000000026341440160026300233530ustar00rootroot00000000000000File "bench/check-ce/for1_mono.mlw", line 9, characters 18-26: Sub-goal Loop invariant init of goal f'vc. Prover result is: Valid. File "bench/check-ce/for1_mono.mlw", line 9, characters 18-26: Sub-goal Loop invariant preservation of goal f'vc. Prover result is: Valid. Categorizations of models: - Selected model 0: SW - Concrete RAC: NORMAL - Abstract RAC: FAILURE (postcondition at "bench/check-ce/for1_mono.mlw", line 6, characters 12-22) - Checked model 1: SW - Concrete RAC: NORMAL - Abstract RAC: FAILURE (postcondition at "bench/check-ce/for1_mono.mlw", line 6, characters 12-22) File "bench/check-ce/for1_mono.mlw", line 6, characters 12-22: Sub-goal Postcondition of goal f'vc. Prover result is: Unknown (sat). The contracts of some function or loop are too weak, for example during the following execution: File int.mlw: Line 13: Constant zero initialization zero = 0 Line 14: Constant one initialization one = 1 Unknown location: _ = () File for1_mono.mlw: Line 5: _ = () Execution of main function `f` with env: _ = () zero = 0 one = 1 Line 7: Normal execution of function `t'mk` with args: c = 0 Line 8: Giant-step iteration of loop x = {c= 1} i = 2 Line 12: Normal execution of function `c` with args: arg = {c= 1} Line 6: Property failure at postcondition of `f` with: result = 1 why3-1.6.0/bench/check-ce/oracles/for1_mono_Z3,4.8.10_WP.oracle000066400000000000000000000030001440160026300233430ustar00rootroot00000000000000File "bench/check-ce/for1_mono.mlw", line 9, characters 18-26: Sub-goal Loop invariant init of goal f'vc. Prover result is: Valid. File "bench/check-ce/for1_mono.mlw", line 9, characters 18-26: Sub-goal Loop invariant preservation of goal f'vc. Prover result is: Valid. Categorizations of models: - Selected model 0: SW - Concrete RAC: NORMAL - Abstract RAC: FAILURE (postcondition at "bench/check-ce/for1_mono.mlw", line 6, characters 12-22) - Checked model 1: SW - Concrete RAC: NORMAL - Abstract RAC: FAILURE (postcondition at "bench/check-ce/for1_mono.mlw", line 6, characters 12-22) File "bench/check-ce/for1_mono.mlw", line 6, characters 12-22: Sub-goal Postcondition of goal f'vc. Prover result is: Unknown (sat). The contracts of some function or loop are too weak, for example during the following execution: File int.mlw: Line 13: Constant zero initialization zero = 0 Line 14: Constant one initialization one = 1 Unknown location: _ = () File for1_mono.mlw: Line 5: _ = () Execution of main function `f` with env: _ = () zero = 0 one = 1 Line 7: Normal execution of function `t'mk` with args: c = 0 Line 8: Giant-step iteration of loop x = {c= 1} i = 2 Line 12: Normal execution of function `c` with args: arg = {c= 1} Line 6: Property failure at postcondition of `f` with: result = 1 File "bench/check-ce/for1_mono.mlw", line 6, characters 12-22: Goal f'vc. Prover result is: Valid. why3-1.6.0/bench/check-ce/oracles/for_CVC4,1.8_SP.oracle000066400000000000000000000033501440160026300222170ustar00rootroot00000000000000File "bench/check-ce/for.mlw", line 8, characters 25-31: Sub-goal Loop invariant init of goal f'vc. Prover result is: Valid. Categorizations of models: - Selected model 0: SW - Concrete RAC: NORMAL - Abstract RAC: FAILURE (loop invariant preservation at "bench/check-ce/for.mlw", line 8, characters 16-31) - Checked model 1: SW - Concrete RAC: NORMAL - Abstract RAC: FAILURE (loop invariant preservation at "bench/check-ce/for.mlw", line 8, characters 16-31) File "bench/check-ce/for.mlw", line 8, characters 25-31: Sub-goal Loop invariant preservation of goal f'vc. Prover result is: Unknown or time/memory/step limit. The contracts of some function or loop are too weak, for example during the following execution: File int.mlw: Line 13: Constant zero initialization zero = 0 Line 14: Constant one initialization one = 1 Unknown location: _ = () File for.mlw: Line 4: _ = () Execution of main function `f` with env: _ = () zero = 0 one = 1 Line 5: Giant-step execution of function `ref` with args: contents = 0 result of `ref` = {contents= 0} Line 6: Giant-step execution of function `ref` with args: contents = 0 result of `ref` = {contents= 0} Line 7: Giant-step iteration of loop x1 = {contents= (- 1)} x2 = {contents= 0} i = 0 Giant-step iteration of loop Line 9: Normal execution of function `(=)` with args: x = 0 y = 0 Line 10: Normal execution of function `contents` with args: arg = {contents= (- 1)} Normal execution of function `(+)` with args: _ = (- 1) _ = 1 Line 8: Property failure at loop invariant preservation with: x1 = {contents= 0} i = 1 why3-1.6.0/bench/check-ce/oracles/for_CVC4,1.8_WP.oracle000066400000000000000000000035561440160026300222330ustar00rootroot00000000000000File "bench/check-ce/for.mlw", line 8, characters 25-31: Sub-goal Loop invariant init of goal f'vc. Prover result is: Valid. Categorizations of models: - Selected model 0: SW - Concrete RAC: NORMAL - Abstract RAC: FAILURE (loop invariant preservation at "bench/check-ce/for.mlw", line 8, characters 16-31) - Checked model 1: SW - Concrete RAC: NORMAL - Abstract RAC: FAILURE (loop invariant preservation at "bench/check-ce/for.mlw", line 8, characters 16-31) File "bench/check-ce/for.mlw", line 8, characters 25-31: Sub-goal Loop invariant preservation of goal f'vc. Prover result is: Unknown or time/memory/step limit. The contracts of some function or loop are too weak, for example during the following execution: File int.mlw: Line 13: Constant zero initialization zero = 0 Line 14: Constant one initialization one = 1 Unknown location: _ = () File for.mlw: Line 4: _ = () Execution of main function `f` with env: _ = () zero = 0 one = 1 Line 5: Giant-step execution of function `ref` with args: contents = 0 result of `ref` = {contents= 0} Line 6: Giant-step execution of function `ref` with args: contents = 0 result of `ref` = {contents= 0} Line 7: Giant-step iteration of loop x1 = {contents= (- 1)} x2 = {contents= 0} i = 0 Giant-step iteration of loop Line 9: Normal execution of function `(=)` with args: x = 0 y = 0 Line 10: Normal execution of function `contents` with args: arg = {contents= (- 1)} Normal execution of function `(+)` with args: _ = (- 1) _ = 1 Line 8: Property failure at loop invariant preservation with: x1 = {contents= 0} i = 1 File "bench/check-ce/for.mlw", line 8, characters 25-31: Sub-goal Loop invariant preservation of goal f'vc. Prover result is: Valid. why3-1.6.0/bench/check-ce/oracles/for_CVC5,1.0.0_SP.oracle000066400000000000000000000033501440160026300223460ustar00rootroot00000000000000File "bench/check-ce/for.mlw", line 8, characters 25-31: Sub-goal Loop invariant init of goal f'vc. Prover result is: Valid. Categorizations of models: - Selected model 0: SW - Concrete RAC: NORMAL - Abstract RAC: FAILURE (loop invariant preservation at "bench/check-ce/for.mlw", line 8, characters 16-31) - Checked model 1: SW - Concrete RAC: NORMAL - Abstract RAC: FAILURE (loop invariant preservation at "bench/check-ce/for.mlw", line 8, characters 16-31) File "bench/check-ce/for.mlw", line 8, characters 25-31: Sub-goal Loop invariant preservation of goal f'vc. Prover result is: Unknown or time/memory/step limit. The contracts of some function or loop are too weak, for example during the following execution: File int.mlw: Line 13: Constant zero initialization zero = 0 Line 14: Constant one initialization one = 1 Unknown location: _ = () File for.mlw: Line 4: _ = () Execution of main function `f` with env: _ = () zero = 0 one = 1 Line 5: Giant-step execution of function `ref` with args: contents = 0 result of `ref` = {contents= 0} Line 6: Giant-step execution of function `ref` with args: contents = 0 result of `ref` = {contents= 0} Line 7: Giant-step iteration of loop x1 = {contents= (- 1)} x2 = {contents= 0} i = 0 Giant-step iteration of loop Line 9: Normal execution of function `(=)` with args: x = 0 y = 0 Line 10: Normal execution of function `contents` with args: arg = {contents= (- 1)} Normal execution of function `(+)` with args: _ = (- 1) _ = 1 Line 8: Property failure at loop invariant preservation with: x1 = {contents= 0} i = 1 why3-1.6.0/bench/check-ce/oracles/for_CVC5,1.0.0_WP.oracle000066400000000000000000000035561440160026300223620ustar00rootroot00000000000000File "bench/check-ce/for.mlw", line 8, characters 25-31: Sub-goal Loop invariant init of goal f'vc. Prover result is: Valid. Categorizations of models: - Selected model 0: SW - Concrete RAC: NORMAL - Abstract RAC: FAILURE (loop invariant preservation at "bench/check-ce/for.mlw", line 8, characters 16-31) - Checked model 1: SW - Concrete RAC: NORMAL - Abstract RAC: FAILURE (loop invariant preservation at "bench/check-ce/for.mlw", line 8, characters 16-31) File "bench/check-ce/for.mlw", line 8, characters 25-31: Sub-goal Loop invariant preservation of goal f'vc. Prover result is: Unknown or time/memory/step limit. The contracts of some function or loop are too weak, for example during the following execution: File int.mlw: Line 13: Constant zero initialization zero = 0 Line 14: Constant one initialization one = 1 Unknown location: _ = () File for.mlw: Line 4: _ = () Execution of main function `f` with env: _ = () zero = 0 one = 1 Line 5: Giant-step execution of function `ref` with args: contents = 0 result of `ref` = {contents= 0} Line 6: Giant-step execution of function `ref` with args: contents = 0 result of `ref` = {contents= 0} Line 7: Giant-step iteration of loop x1 = {contents= (- 1)} x2 = {contents= 0} i = 0 Giant-step iteration of loop Line 9: Normal execution of function `(=)` with args: x = 0 y = 0 Line 10: Normal execution of function `contents` with args: arg = {contents= (- 1)} Normal execution of function `(+)` with args: _ = (- 1) _ = 1 Line 8: Property failure at loop invariant preservation with: x1 = {contents= 0} i = 1 File "bench/check-ce/for.mlw", line 8, characters 25-31: Sub-goal Loop invariant preservation of goal f'vc. Prover result is: Valid. why3-1.6.0/bench/check-ce/oracles/for_Z3,4.8.10_SP.oracle000066400000000000000000000034001440160026300222320ustar00rootroot00000000000000File "bench/check-ce/for.mlw", line 8, characters 25-31: Sub-goal Loop invariant init of goal f'vc. Prover result is: Valid. Categorizations of models: - Selected model 0: SW - Concrete RAC: NORMAL - Abstract RAC: FAILURE (loop invariant preservation at "bench/check-ce/for.mlw", line 8, characters 16-31) - Checked model 1: BAD_CE - Concrete RAC: NORMAL - Abstract RAC: STUCK (failure in loop invariant preservation after last iteration at "bench/check-ce/for.mlw", line 8, characters 16-31) File "bench/check-ce/for.mlw", line 8, characters 25-31: Sub-goal Loop invariant preservation of goal f'vc. Prover result is: Unknown or time/memory/step limit. The contracts of some function or loop are too weak, for example during the following execution: File int.mlw: Line 13: Constant zero initialization zero = 0 Line 14: Constant one initialization one = 1 Unknown location: _ = () File for.mlw: Line 4: _ = () Execution of main function `f` with env: _ = () zero = 0 one = 1 Line 5: Giant-step execution of function `ref` with args: contents = 0 result of `ref` = {contents= 0} Line 6: Giant-step execution of function `ref` with args: contents = 0 result of `ref` = {contents= 0} Line 7: Giant-step iteration of loop x1 = {contents= 1} x2 = {contents= 400} i = 0 Giant-step iteration of loop Line 9: Normal execution of function `(=)` with args: x = 0 y = 0 Line 10: Normal execution of function `contents` with args: arg = {contents= 1} Normal execution of function `(+)` with args: _ = 1 _ = 1 Line 8: Property failure at loop invariant preservation with: x1 = {contents= 2} i = 1 why3-1.6.0/bench/check-ce/oracles/for_Z3,4.8.10_WP.oracle000066400000000000000000000036331440160026300222460ustar00rootroot00000000000000File "bench/check-ce/for.mlw", line 8, characters 25-31: Sub-goal Loop invariant init of goal f'vc. Prover result is: Valid. Categorizations of models: - Selected model 0: SW - Concrete RAC: NORMAL - Abstract RAC: FAILURE (loop invariant preservation at "bench/check-ce/for.mlw", line 8, characters 16-31) - Checked model 1: BAD_CE - Concrete RAC: NORMAL - Abstract RAC: STUCK (failure in loop invariant preservation after last iteration at "bench/check-ce/for.mlw", line 8, characters 16-31) File "bench/check-ce/for.mlw", line 8, characters 25-31: Sub-goal Loop invariant preservation of goal f'vc. Prover result is: Unknown or time/memory/step limit. The contracts of some function or loop are too weak, for example during the following execution: File int.mlw: Line 13: Constant zero initialization zero = 0 Line 14: Constant one initialization one = 1 Unknown location: _ = () File for.mlw: Line 4: _ = () Execution of main function `f` with env: _ = () zero = 0 one = 1 Line 5: Giant-step execution of function `ref` with args: contents = 0 result of `ref` = {contents= 0} Line 6: Giant-step execution of function `ref` with args: contents = 0 result of `ref` = {contents= 0} Line 7: Giant-step iteration of loop x1 = {contents= (- 176)} x2 = {contents= 0} i = 0 Giant-step iteration of loop Line 9: Normal execution of function `(=)` with args: x = 0 y = 0 Line 10: Normal execution of function `contents` with args: arg = {contents= (- 176)} Normal execution of function `(+)` with args: _ = (- 176) _ = 1 Line 8: Property failure at loop invariant preservation with: x1 = {contents= (-175)} i = 1 File "bench/check-ce/for.mlw", line 8, characters 25-31: Sub-goal Loop invariant preservation of goal f'vc. Prover result is: Valid. why3-1.6.0/bench/check-ce/oracles/for_Z3,4.8.4_SP.oracle000066400000000000000000000356671440160026300222010ustar00rootroot00000000000000File "bench/check-ce/for.mlw", line 8, characters 25-31: Sub-goal Loop invariant init of goal f'vc. Prover result is: Valid (0.01s, 60 steps). Check model 0 ("bench/check-ce/for.mlw", line 8, characters 25-31) Checking model: File for.mlw: Line 7: i = {"type": "Integer", "val": "0"} x1 = {"type": "Record", "val": {"Field": [{"field": "contents", "value": {"type": "Integer", "val": "-401"}}]}} Line 8: x1 = {"type": "Record", "val": {"Field": [{"field": "contents", "value": {"type": "Integer", "val": "-400"}}]}} x1 = {"type": "Record", "val": {"Field": [{"field": "contents", "value": {"type": "Integer", "val": "-400"}}]}} Line 9: result = {"type": "Boolean", "val": true} Line 10: x1 = {"type": "Record", "val": {"Field": [{"field": "contents", "value": {"type": "Integer", "val": "-400"}}]}} Giant-step RAC RHS evaluated for global `zero` at "WHY3DATA/stdlib/int.mlw", line 13, characters 15-19: 0 RHS evaluated for global `one` at "WHY3DATA/stdlib/int.mlw", line 14, characters 15-18: 1 Type default value for parameter `_` at NO LOC: () Value computed from postcondition for return value of call to ref at "bench/check-ce/for.mlw", line 5, characters 15-16 at "bench/check-ce/for.mlw", line 5, characters 15-16: {contents= 0} Value computed from postcondition for return value of call to ref at "bench/check-ce/for.mlw", line 6, characters 15-16 at "bench/check-ce/for.mlw", line 6, characters 15-16: {contents= 0} Value from model for variable `x1` at "bench/check-ce/for.mlw", line 7, characters 2-125 at "bench/check-ce/for.mlw", line 7, characters 2-125: {contents= (-401)} Type default value for variable `x2` at "bench/check-ce/for.mlw", line 7, characters 2-125 at "bench/check-ce/for.mlw", line 7, characters 2-125: {contents= 0} Value from model for variable `i` at "bench/check-ce/for.mlw", line 7, characters 6-7: 0 Normal RAC RHS evaluated for global `zero` at "WHY3DATA/stdlib/int.mlw", line 13, characters 15-19: 0 RHS evaluated for global `one` at "WHY3DATA/stdlib/int.mlw", line 14, characters 15-18: 1 Type default value for parameter `_` at NO LOC: () Result of checking model 0: SW - Concrete RAC: NORMAL File int.mlw: Line 13: Constant zero initialization zero = 0 Line 14: Constant one initialization one = 1 Unknown location: _ = () File for.mlw: Line 4: _ = () Execution of main function `f` with env: _ = () zero = 0 one = 1 Line 5: Normal execution of function `ref` with args: contents = 0 Normal execution of function `ref'mk` with args: contents = 0 Line 6: Normal execution of function `ref` with args: contents = 0 Normal execution of function `ref'mk` with args: contents = 0 Line 7: Normal iteration of loop Line 9: Normal execution of function `(=)` with args: x = 0 y = 0 Line 10: Normal execution of function `contents` with args: arg = {contents= 0} Normal execution of function `(+)` with args: _ = 0 _ = 1 Line 7: Normal iteration of loop Line 9: Normal execution of function `(=)` with args: x = 1 y = 0 Line 12: Normal execution of function `contents` with args: arg = {contents= 0} Normal execution of function `(+)` with args: _ = 0 _ = 1 Line 4: Execution of main function terminated normally - Abstract RAC: FAILURE (loop invariant preservation at "bench/check-ce/for.mlw", line 8, characters 16-31) File int.mlw: Line 13: Constant zero initialization zero = 0 Line 14: Constant one initialization one = 1 Unknown location: _ = () File for.mlw: Line 4: _ = () Execution of main function `f` with env: _ = () zero = 0 one = 1 Line 5: Giant-step execution of function `ref` with args: contents = 0 result of `ref` = {contents= 0} Line 6: Giant-step execution of function `ref` with args: contents = 0 result of `ref` = {contents= 0} Line 7: Giant-step iteration of loop x1 = {contents= (-401)} x2 = {contents= 0} i = 0 Giant-step iteration of loop Line 9: Normal execution of function `(=)` with args: x = 0 y = 0 Line 10: Normal execution of function `contents` with args: arg = {contents= (-401)} Normal execution of function `(+)` with args: _ = (-401) _ = 1 Line 8: Property failure at loop invariant preservation with: x1 = {contents= (-400)} i = 1 Check model 1 ("bench/check-ce/for.mlw", line 8, characters 25-31) Checking model: File for.mlw: Line 7: i = {"type": "Integer", "val": "0"} x1 = {"type": "Record", "val": {"Field": [{"field": "contents", "value": {"type": "Integer", "val": "-6083"}}]}} Line 8: x1 = {"type": "Record", "val": {"Field": [{"field": "contents", "value": {"type": "Integer", "val": "-6082"}}]}} x1 = {"type": "Record", "val": {"Field": [{"field": "contents", "value": {"type": "Integer", "val": "-6082"}}]}} Line 9: result = {"type": "Boolean", "val": true} Line 10: x1 = {"type": "Record", "val": {"Field": [{"field": "contents", "value": {"type": "Integer", "val": "-6082"}}]}} Giant-step RAC RHS evaluated for global `zero` at "WHY3DATA/stdlib/int.mlw", line 13, characters 15-19: 0 RHS evaluated for global `one` at "WHY3DATA/stdlib/int.mlw", line 14, characters 15-18: 1 Type default value for parameter `_` at NO LOC: () Value computed from postcondition for return value of call to ref at "bench/check-ce/for.mlw", line 5, characters 15-16 at "bench/check-ce/for.mlw", line 5, characters 15-16: {contents= 0} Value computed from postcondition for return value of call to ref at "bench/check-ce/for.mlw", line 6, characters 15-16 at "bench/check-ce/for.mlw", line 6, characters 15-16: {contents= 0} Value from model for variable `x1` at "bench/check-ce/for.mlw", line 7, characters 2-125 at "bench/check-ce/for.mlw", line 7, characters 2-125: {contents= (-6083)} Type default value for variable `x2` at "bench/check-ce/for.mlw", line 7, characters 2-125 at "bench/check-ce/for.mlw", line 7, characters 2-125: {contents= 0} Value from model for variable `i` at "bench/check-ce/for.mlw", line 7, characters 6-7: 0 Normal RAC RHS evaluated for global `zero` at "WHY3DATA/stdlib/int.mlw", line 13, characters 15-19: 0 RHS evaluated for global `one` at "WHY3DATA/stdlib/int.mlw", line 14, characters 15-18: 1 Type default value for parameter `_` at NO LOC: () Result of checking model 1: SW - Concrete RAC: NORMAL File int.mlw: Line 13: Constant zero initialization zero = 0 Line 14: Constant one initialization one = 1 Unknown location: _ = () File for.mlw: Line 4: _ = () Execution of main function `f` with env: _ = () zero = 0 one = 1 Line 5: Normal execution of function `ref` with args: contents = 0 Normal execution of function `ref'mk` with args: contents = 0 Line 6: Normal execution of function `ref` with args: contents = 0 Normal execution of function `ref'mk` with args: contents = 0 Line 7: Normal iteration of loop Line 9: Normal execution of function `(=)` with args: x = 0 y = 0 Line 10: Normal execution of function `contents` with args: arg = {contents= 0} Normal execution of function `(+)` with args: _ = 0 _ = 1 Line 7: Normal iteration of loop Line 9: Normal execution of function `(=)` with args: x = 1 y = 0 Line 12: Normal execution of function `contents` with args: arg = {contents= 0} Normal execution of function `(+)` with args: _ = 0 _ = 1 Line 4: Execution of main function terminated normally - Abstract RAC: FAILURE (loop invariant preservation at "bench/check-ce/for.mlw", line 8, characters 16-31) File int.mlw: Line 13: Constant zero initialization zero = 0 Line 14: Constant one initialization one = 1 Unknown location: _ = () File for.mlw: Line 4: _ = () Execution of main function `f` with env: _ = () zero = 0 one = 1 Line 5: Giant-step execution of function `ref` with args: contents = 0 result of `ref` = {contents= 0} Line 6: Giant-step execution of function `ref` with args: contents = 0 result of `ref` = {contents= 0} Line 7: Giant-step iteration of loop x1 = {contents= (-6083)} x2 = {contents= 0} i = 0 Giant-step iteration of loop Line 9: Normal execution of function `(=)` with args: x = 0 y = 0 Line 10: Normal execution of function `contents` with args: arg = {contents= (-6083)} Normal execution of function `(+)` with args: _ = (-6083) _ = 1 Line 8: Property failure at loop invariant preservation with: x1 = {contents= (-6082)} i = 1 Results: - Selected model 0: SW - Concrete RAC: NORMAL - Abstract RAC: FAILURE (loop invariant preservation at "bench/check-ce/for.mlw", line 8, characters 16-31) - Checked model 1: SW - Concrete RAC: NORMAL - Abstract RAC: FAILURE (loop invariant preservation at "bench/check-ce/for.mlw", line 8, characters 16-31) File "bench/check-ce/for.mlw", line 8, characters 25-31: Sub-goal Loop invariant preservation of goal f'vc. Prover result is: Unknown (unknown) (1.18s, 7500000 steps). The contracts of some function or loop are too weak, for example during the following execution: File int.mlw: Line 13: Constant zero initialization zero = 0 Line 14: Constant one initialization one = 1 Unknown location: _ = () File for.mlw: Line 4: _ = () Execution of main function `f` with env: _ = () zero = 0 one = 1 Line 5: Giant-step execution of function `ref` with args: contents = 0 result of `ref` = {contents= 0} Line 6: Giant-step execution of function `ref` with args: contents = 0 result of `ref` = {contents= 0} Line 7: Giant-step iteration of loop x1 = {contents= (-401)} x2 = {contents= 0} i = 0 Giant-step iteration of loop Line 9: Normal execution of function `(=)` with args: x = 0 y = 0 Line 10: Normal execution of function `contents` with args: arg = {contents= (-401)} Normal execution of function `(+)` with args: _ = (-401) _ = 1 Line 8: Property failure at loop invariant preservation with: x1 = {contents= (-400)} i = 1 File "bench/check-ce/for.mlw", line 8, characters 25-31: Sub-goal Loop invariant preservation of goal f'vc. Prover result is: Valid (0.00s, 2619 steps). why3-1.6.0/bench/check-ce/oracles/for_Z3,4.8.4_WP.oracle000066400000000000000000000356671440160026300222050ustar00rootroot00000000000000File "bench/check-ce/for.mlw", line 8, characters 25-31: Sub-goal Loop invariant init of goal f'vc. Prover result is: Valid (0.02s, 60 steps). Check model 0 ("bench/check-ce/for.mlw", line 8, characters 25-31) Checking model: File for.mlw: Line 7: i = {"type": "Integer", "val": "0"} x1 = {"type": "Record", "val": {"Field": [{"field": "contents", "value": {"type": "Integer", "val": "-401"}}]}} Line 8: x1 = {"type": "Record", "val": {"Field": [{"field": "contents", "value": {"type": "Integer", "val": "-400"}}]}} x1 = {"type": "Record", "val": {"Field": [{"field": "contents", "value": {"type": "Integer", "val": "-400"}}]}} Line 9: result = {"type": "Boolean", "val": true} Line 10: x1 = {"type": "Record", "val": {"Field": [{"field": "contents", "value": {"type": "Integer", "val": "-400"}}]}} Giant-step RAC RHS evaluated for global `zero` at "WHY3DATA/stdlib/int.mlw", line 13, characters 15-19: 0 RHS evaluated for global `one` at "WHY3DATA/stdlib/int.mlw", line 14, characters 15-18: 1 Type default value for parameter `_` at NO LOC: () Value computed from postcondition for return value of call to ref at "bench/check-ce/for.mlw", line 5, characters 15-16 at "bench/check-ce/for.mlw", line 5, characters 15-16: {contents= 0} Value computed from postcondition for return value of call to ref at "bench/check-ce/for.mlw", line 6, characters 15-16 at "bench/check-ce/for.mlw", line 6, characters 15-16: {contents= 0} Value from model for variable `x1` at "bench/check-ce/for.mlw", line 7, characters 2-125 at "bench/check-ce/for.mlw", line 7, characters 2-125: {contents= (-401)} Type default value for variable `x2` at "bench/check-ce/for.mlw", line 7, characters 2-125 at "bench/check-ce/for.mlw", line 7, characters 2-125: {contents= 0} Value from model for variable `i` at "bench/check-ce/for.mlw", line 7, characters 6-7: 0 Normal RAC RHS evaluated for global `zero` at "WHY3DATA/stdlib/int.mlw", line 13, characters 15-19: 0 RHS evaluated for global `one` at "WHY3DATA/stdlib/int.mlw", line 14, characters 15-18: 1 Type default value for parameter `_` at NO LOC: () Result of checking model 0: SW - Concrete RAC: NORMAL File int.mlw: Line 13: Constant zero initialization zero = 0 Line 14: Constant one initialization one = 1 Unknown location: _ = () File for.mlw: Line 4: _ = () Execution of main function `f` with env: _ = () zero = 0 one = 1 Line 5: Normal execution of function `ref` with args: contents = 0 Normal execution of function `ref'mk` with args: contents = 0 Line 6: Normal execution of function `ref` with args: contents = 0 Normal execution of function `ref'mk` with args: contents = 0 Line 7: Normal iteration of loop Line 9: Normal execution of function `(=)` with args: x = 0 y = 0 Line 10: Normal execution of function `contents` with args: arg = {contents= 0} Normal execution of function `(+)` with args: _ = 0 _ = 1 Line 7: Normal iteration of loop Line 9: Normal execution of function `(=)` with args: x = 1 y = 0 Line 12: Normal execution of function `contents` with args: arg = {contents= 0} Normal execution of function `(+)` with args: _ = 0 _ = 1 Line 4: Execution of main function terminated normally - Abstract RAC: FAILURE (loop invariant preservation at "bench/check-ce/for.mlw", line 8, characters 16-31) File int.mlw: Line 13: Constant zero initialization zero = 0 Line 14: Constant one initialization one = 1 Unknown location: _ = () File for.mlw: Line 4: _ = () Execution of main function `f` with env: _ = () zero = 0 one = 1 Line 5: Giant-step execution of function `ref` with args: contents = 0 result of `ref` = {contents= 0} Line 6: Giant-step execution of function `ref` with args: contents = 0 result of `ref` = {contents= 0} Line 7: Giant-step iteration of loop x1 = {contents= (-401)} x2 = {contents= 0} i = 0 Giant-step iteration of loop Line 9: Normal execution of function `(=)` with args: x = 0 y = 0 Line 10: Normal execution of function `contents` with args: arg = {contents= (-401)} Normal execution of function `(+)` with args: _ = (-401) _ = 1 Line 8: Property failure at loop invariant preservation with: x1 = {contents= (-400)} i = 1 Check model 1 ("bench/check-ce/for.mlw", line 8, characters 25-31) Checking model: File for.mlw: Line 7: i = {"type": "Integer", "val": "0"} x1 = {"type": "Record", "val": {"Field": [{"field": "contents", "value": {"type": "Integer", "val": "-6083"}}]}} Line 8: x1 = {"type": "Record", "val": {"Field": [{"field": "contents", "value": {"type": "Integer", "val": "-6082"}}]}} x1 = {"type": "Record", "val": {"Field": [{"field": "contents", "value": {"type": "Integer", "val": "-6082"}}]}} Line 9: result = {"type": "Boolean", "val": true} Line 10: x1 = {"type": "Record", "val": {"Field": [{"field": "contents", "value": {"type": "Integer", "val": "-6082"}}]}} Giant-step RAC RHS evaluated for global `zero` at "WHY3DATA/stdlib/int.mlw", line 13, characters 15-19: 0 RHS evaluated for global `one` at "WHY3DATA/stdlib/int.mlw", line 14, characters 15-18: 1 Type default value for parameter `_` at NO LOC: () Value computed from postcondition for return value of call to ref at "bench/check-ce/for.mlw", line 5, characters 15-16 at "bench/check-ce/for.mlw", line 5, characters 15-16: {contents= 0} Value computed from postcondition for return value of call to ref at "bench/check-ce/for.mlw", line 6, characters 15-16 at "bench/check-ce/for.mlw", line 6, characters 15-16: {contents= 0} Value from model for variable `x1` at "bench/check-ce/for.mlw", line 7, characters 2-125 at "bench/check-ce/for.mlw", line 7, characters 2-125: {contents= (-6083)} Type default value for variable `x2` at "bench/check-ce/for.mlw", line 7, characters 2-125 at "bench/check-ce/for.mlw", line 7, characters 2-125: {contents= 0} Value from model for variable `i` at "bench/check-ce/for.mlw", line 7, characters 6-7: 0 Normal RAC RHS evaluated for global `zero` at "WHY3DATA/stdlib/int.mlw", line 13, characters 15-19: 0 RHS evaluated for global `one` at "WHY3DATA/stdlib/int.mlw", line 14, characters 15-18: 1 Type default value for parameter `_` at NO LOC: () Result of checking model 1: SW - Concrete RAC: NORMAL File int.mlw: Line 13: Constant zero initialization zero = 0 Line 14: Constant one initialization one = 1 Unknown location: _ = () File for.mlw: Line 4: _ = () Execution of main function `f` with env: _ = () zero = 0 one = 1 Line 5: Normal execution of function `ref` with args: contents = 0 Normal execution of function `ref'mk` with args: contents = 0 Line 6: Normal execution of function `ref` with args: contents = 0 Normal execution of function `ref'mk` with args: contents = 0 Line 7: Normal iteration of loop Line 9: Normal execution of function `(=)` with args: x = 0 y = 0 Line 10: Normal execution of function `contents` with args: arg = {contents= 0} Normal execution of function `(+)` with args: _ = 0 _ = 1 Line 7: Normal iteration of loop Line 9: Normal execution of function `(=)` with args: x = 1 y = 0 Line 12: Normal execution of function `contents` with args: arg = {contents= 0} Normal execution of function `(+)` with args: _ = 0 _ = 1 Line 4: Execution of main function terminated normally - Abstract RAC: FAILURE (loop invariant preservation at "bench/check-ce/for.mlw", line 8, characters 16-31) File int.mlw: Line 13: Constant zero initialization zero = 0 Line 14: Constant one initialization one = 1 Unknown location: _ = () File for.mlw: Line 4: _ = () Execution of main function `f` with env: _ = () zero = 0 one = 1 Line 5: Giant-step execution of function `ref` with args: contents = 0 result of `ref` = {contents= 0} Line 6: Giant-step execution of function `ref` with args: contents = 0 result of `ref` = {contents= 0} Line 7: Giant-step iteration of loop x1 = {contents= (-6083)} x2 = {contents= 0} i = 0 Giant-step iteration of loop Line 9: Normal execution of function `(=)` with args: x = 0 y = 0 Line 10: Normal execution of function `contents` with args: arg = {contents= (-6083)} Normal execution of function `(+)` with args: _ = (-6083) _ = 1 Line 8: Property failure at loop invariant preservation with: x1 = {contents= (-6082)} i = 1 Results: - Selected model 0: SW - Concrete RAC: NORMAL - Abstract RAC: FAILURE (loop invariant preservation at "bench/check-ce/for.mlw", line 8, characters 16-31) - Checked model 1: SW - Concrete RAC: NORMAL - Abstract RAC: FAILURE (loop invariant preservation at "bench/check-ce/for.mlw", line 8, characters 16-31) File "bench/check-ce/for.mlw", line 8, characters 25-31: Sub-goal Loop invariant preservation of goal f'vc. Prover result is: Unknown (unknown) (1.16s, 7500000 steps). The contracts of some function or loop are too weak, for example during the following execution: File int.mlw: Line 13: Constant zero initialization zero = 0 Line 14: Constant one initialization one = 1 Unknown location: _ = () File for.mlw: Line 4: _ = () Execution of main function `f` with env: _ = () zero = 0 one = 1 Line 5: Giant-step execution of function `ref` with args: contents = 0 result of `ref` = {contents= 0} Line 6: Giant-step execution of function `ref` with args: contents = 0 result of `ref` = {contents= 0} Line 7: Giant-step iteration of loop x1 = {contents= (-401)} x2 = {contents= 0} i = 0 Giant-step iteration of loop Line 9: Normal execution of function `(=)` with args: x = 0 y = 0 Line 10: Normal execution of function `contents` with args: arg = {contents= (-401)} Normal execution of function `(+)` with args: _ = (-401) _ = 1 Line 8: Property failure at loop invariant preservation with: x1 = {contents= (-400)} i = 1 File "bench/check-ce/for.mlw", line 8, characters 25-31: Sub-goal Loop invariant preservation of goal f'vc. Prover result is: Valid (0.01s, 2619 steps). why3-1.6.0/bench/check-ce/oracles/for_mono_CVC4,1.8_SP.oracle000066400000000000000000000031641440160026300232520ustar00rootroot00000000000000File "bench/check-ce/for_mono.mlw", line 10, characters 25-33: Sub-goal Loop invariant init of goal f'vc. Prover result is: Valid. Categorizations of models: - Selected model 0: SW - Concrete RAC: NORMAL - Abstract RAC: FAILURE (loop invariant preservation at "bench/check-ce/for_mono.mlw", line 10, characters 16-33) - Checked model 1: SW - Concrete RAC: NORMAL - Abstract RAC: FAILURE (loop invariant preservation at "bench/check-ce/for_mono.mlw", line 10, characters 16-33) File "bench/check-ce/for_mono.mlw", line 10, characters 25-33: Sub-goal Loop invariant preservation of goal f'vc. Prover result is: Unknown (sat). The contracts of some function or loop are too weak, for example during the following execution: File int.mlw: Line 13: Constant zero initialization zero = 0 Line 14: Constant one initialization one = 1 Unknown location: _ = () File for_mono.mlw: Line 6: _ = () Execution of main function `f` with env: _ = () zero = 0 one = 1 Line 7: Normal execution of function `t'mk` with args: c = 0 Line 8: Normal execution of function `t'mk` with args: c = 0 Line 9: Giant-step iteration of loop x1 = {c= (- 1)} x2 = {c= 0} i = 0 Giant-step iteration of loop Line 11: Normal execution of function `(=)` with args: x = 0 y = 0 Line 12: Normal execution of function `c` with args: arg = {c= (- 1)} Normal execution of function `(+)` with args: _ = (- 1) _ = 1 Line 10: Property failure at loop invariant preservation with: x1 = {c= 0} i = 1 why3-1.6.0/bench/check-ce/oracles/for_mono_CVC4,1.8_WP.oracle000066400000000000000000000034001440160026300232470ustar00rootroot00000000000000File "bench/check-ce/for_mono.mlw", line 10, characters 25-33: Sub-goal Loop invariant init of goal f'vc. Prover result is: Valid. Categorizations of models: - Selected model 0: SW - Concrete RAC: NORMAL - Abstract RAC: FAILURE (loop invariant preservation at "bench/check-ce/for_mono.mlw", line 10, characters 16-33) - Checked model 1: SW - Concrete RAC: NORMAL - Abstract RAC: FAILURE (loop invariant preservation at "bench/check-ce/for_mono.mlw", line 10, characters 16-33) File "bench/check-ce/for_mono.mlw", line 10, characters 25-33: Sub-goal Loop invariant preservation of goal f'vc. Prover result is: Unknown (sat). The contracts of some function or loop are too weak, for example during the following execution: File int.mlw: Line 13: Constant zero initialization zero = 0 Line 14: Constant one initialization one = 1 Unknown location: _ = () File for_mono.mlw: Line 6: _ = () Execution of main function `f` with env: _ = () zero = 0 one = 1 Line 7: Normal execution of function `t'mk` with args: c = 0 Line 8: Normal execution of function `t'mk` with args: c = 0 Line 9: Giant-step iteration of loop x1 = {c= (- 1)} x2 = {c= 0} i = 0 Giant-step iteration of loop Line 11: Normal execution of function `(=)` with args: x = 0 y = 0 Line 12: Normal execution of function `c` with args: arg = {c= (- 1)} Normal execution of function `(+)` with args: _ = (- 1) _ = 1 Line 10: Property failure at loop invariant preservation with: x1 = {c= 0} i = 1 File "bench/check-ce/for_mono.mlw", line 10, characters 25-33: Sub-goal Loop invariant preservation of goal f'vc. Prover result is: Valid. why3-1.6.0/bench/check-ce/oracles/for_mono_CVC5,1.0.0_SP.oracle000066400000000000000000000031641440160026300234010ustar00rootroot00000000000000File "bench/check-ce/for_mono.mlw", line 10, characters 25-33: Sub-goal Loop invariant init of goal f'vc. Prover result is: Valid. Categorizations of models: - Selected model 0: SW - Concrete RAC: NORMAL - Abstract RAC: FAILURE (loop invariant preservation at "bench/check-ce/for_mono.mlw", line 10, characters 16-33) - Checked model 1: SW - Concrete RAC: NORMAL - Abstract RAC: FAILURE (loop invariant preservation at "bench/check-ce/for_mono.mlw", line 10, characters 16-33) File "bench/check-ce/for_mono.mlw", line 10, characters 25-33: Sub-goal Loop invariant preservation of goal f'vc. Prover result is: Unknown (sat). The contracts of some function or loop are too weak, for example during the following execution: File int.mlw: Line 13: Constant zero initialization zero = 0 Line 14: Constant one initialization one = 1 Unknown location: _ = () File for_mono.mlw: Line 6: _ = () Execution of main function `f` with env: _ = () zero = 0 one = 1 Line 7: Normal execution of function `t'mk` with args: c = 0 Line 8: Normal execution of function `t'mk` with args: c = 0 Line 9: Giant-step iteration of loop x1 = {c= (- 1)} x2 = {c= 0} i = 0 Giant-step iteration of loop Line 11: Normal execution of function `(=)` with args: x = 0 y = 0 Line 12: Normal execution of function `c` with args: arg = {c= (- 1)} Normal execution of function `(+)` with args: _ = (- 1) _ = 1 Line 10: Property failure at loop invariant preservation with: x1 = {c= 0} i = 1 why3-1.6.0/bench/check-ce/oracles/for_mono_CVC5,1.0.0_WP.oracle000066400000000000000000000034001440160026300233760ustar00rootroot00000000000000File "bench/check-ce/for_mono.mlw", line 10, characters 25-33: Sub-goal Loop invariant init of goal f'vc. Prover result is: Valid. Categorizations of models: - Selected model 0: SW - Concrete RAC: NORMAL - Abstract RAC: FAILURE (loop invariant preservation at "bench/check-ce/for_mono.mlw", line 10, characters 16-33) - Checked model 1: SW - Concrete RAC: NORMAL - Abstract RAC: FAILURE (loop invariant preservation at "bench/check-ce/for_mono.mlw", line 10, characters 16-33) File "bench/check-ce/for_mono.mlw", line 10, characters 25-33: Sub-goal Loop invariant preservation of goal f'vc. Prover result is: Unknown (sat). The contracts of some function or loop are too weak, for example during the following execution: File int.mlw: Line 13: Constant zero initialization zero = 0 Line 14: Constant one initialization one = 1 Unknown location: _ = () File for_mono.mlw: Line 6: _ = () Execution of main function `f` with env: _ = () zero = 0 one = 1 Line 7: Normal execution of function `t'mk` with args: c = 0 Line 8: Normal execution of function `t'mk` with args: c = 0 Line 9: Giant-step iteration of loop x1 = {c= (- 1)} x2 = {c= 0} i = 0 Giant-step iteration of loop Line 11: Normal execution of function `(=)` with args: x = 0 y = 0 Line 12: Normal execution of function `c` with args: arg = {c= (- 1)} Normal execution of function `(+)` with args: _ = (- 1) _ = 1 Line 10: Property failure at loop invariant preservation with: x1 = {c= 0} i = 1 File "bench/check-ce/for_mono.mlw", line 10, characters 25-33: Sub-goal Loop invariant preservation of goal f'vc. Prover result is: Valid. why3-1.6.0/bench/check-ce/oracles/for_mono_Z3,4.8.10_SP.oracle000066400000000000000000000031521440160026300232660ustar00rootroot00000000000000File "bench/check-ce/for_mono.mlw", line 10, characters 25-33: Sub-goal Loop invariant init of goal f'vc. Prover result is: Valid. Categorizations of models: - Selected model 0: SW - Concrete RAC: NORMAL - Abstract RAC: FAILURE (loop invariant preservation at "bench/check-ce/for_mono.mlw", line 10, characters 16-33) - Checked model 1: SW - Concrete RAC: NORMAL - Abstract RAC: FAILURE (loop invariant preservation at "bench/check-ce/for_mono.mlw", line 10, characters 16-33) File "bench/check-ce/for_mono.mlw", line 10, characters 25-33: Sub-goal Loop invariant preservation of goal f'vc. Prover result is: Unknown (sat). The contracts of some function or loop are too weak, for example during the following execution: File int.mlw: Line 13: Constant zero initialization zero = 0 Line 14: Constant one initialization one = 1 Unknown location: _ = () File for_mono.mlw: Line 6: _ = () Execution of main function `f` with env: _ = () zero = 0 one = 1 Line 7: Normal execution of function `t'mk` with args: c = 0 Line 8: Normal execution of function `t'mk` with args: c = 0 Line 9: Giant-step iteration of loop x1 = {c= 1} x2 = {c= 400} i = 0 Giant-step iteration of loop Line 11: Normal execution of function `(=)` with args: x = 0 y = 0 Line 12: Normal execution of function `c` with args: arg = {c= 1} Normal execution of function `(+)` with args: _ = 1 _ = 1 Line 10: Property failure at loop invariant preservation with: x1 = {c= 2} i = 1 why3-1.6.0/bench/check-ce/oracles/for_mono_Z3,4.8.10_WP.oracle000066400000000000000000000034131440160026300232720ustar00rootroot00000000000000File "bench/check-ce/for_mono.mlw", line 10, characters 25-33: Sub-goal Loop invariant init of goal f'vc. Prover result is: Valid. Categorizations of models: - Selected model 0: SW - Concrete RAC: NORMAL - Abstract RAC: FAILURE (loop invariant preservation at "bench/check-ce/for_mono.mlw", line 10, characters 16-33) - Checked model 1: SW - Concrete RAC: NORMAL - Abstract RAC: FAILURE (loop invariant preservation at "bench/check-ce/for_mono.mlw", line 10, characters 16-33) File "bench/check-ce/for_mono.mlw", line 10, characters 25-33: Sub-goal Loop invariant preservation of goal f'vc. Prover result is: Unknown (sat). The contracts of some function or loop are too weak, for example during the following execution: File int.mlw: Line 13: Constant zero initialization zero = 0 Line 14: Constant one initialization one = 1 Unknown location: _ = () File for_mono.mlw: Line 6: _ = () Execution of main function `f` with env: _ = () zero = 0 one = 1 Line 7: Normal execution of function `t'mk` with args: c = 0 Line 8: Normal execution of function `t'mk` with args: c = 0 Line 9: Giant-step iteration of loop x1 = {c= (- 176)} x2 = {c= 0} i = 0 Giant-step iteration of loop Line 11: Normal execution of function `(=)` with args: x = 0 y = 0 Line 12: Normal execution of function `c` with args: arg = {c= (- 176)} Normal execution of function `(+)` with args: _ = (- 176) _ = 1 Line 10: Property failure at loop invariant preservation with: x1 = {c= (-175)} i = 1 File "bench/check-ce/for_mono.mlw", line 10, characters 25-33: Sub-goal Loop invariant preservation of goal f'vc. Prover result is: Valid. why3-1.6.0/bench/check-ce/oracles/func_call1_CVC4,1.8_SP.oracle000066400000000000000000000034361440160026300234450ustar00rootroot00000000000000Warning, file "bench/check-ce/func_call1.mlw", line 15, characters 6-7: unused variable w File "bench/check-ce/func_call1.mlw", line 8, characters 12-21: Sub-goal Postcondition of goal g'vc. Prover result is: Valid. File "bench/check-ce/func_call1.mlw", line 9, characters 12-26: Sub-goal Postcondition of goal g'vc. Prover result is: Valid. Categorizations of models: - Selected model 0: SW - Concrete RAC: NORMAL - Abstract RAC: FAILURE (assertion at "bench/check-ce/func_call1.mlw", line 16, characters 11-16) - Checked model 1: SW - Concrete RAC: NORMAL - Abstract RAC: FAILURE (assertion at "bench/check-ce/func_call1.mlw", line 16, characters 11-16) File "bench/check-ce/func_call1.mlw", line 16, characters 11-16: Sub-goal Assertion of goal f'vc. Prover result is: Unknown or time/memory/step limit. The contracts of some function or loop are too weak, for example during the following execution: File int.mlw: Line 13: Constant zero initialization zero = 0 Line 14: Constant one initialization one = 1 File func_call1.mlw: Line 4: Constant z initialization (giant-step) execution of unimplemented function with args: result = 0 Normal execution of function `ref` with args: contents = 0 Normal execution of function `ref'mk` with args: contents = 0 z = {contents= 0} Unknown location: _ = () File func_call1.mlw: Line 13: _ = () Execution of main function `f` with env: z = {contents= 0} _ = () zero = 0 one = 1 Line 15: Giant-step execution of function `g` with args: x = 2 z = {contents= 2} result of `g` = 3 Normal execution of function `(+)` with args: _ = 3 _ = 3 Line 16: Property failure at assertion with: z = {contents= 2} why3-1.6.0/bench/check-ce/oracles/func_call1_CVC4,1.8_WP.oracle000066400000000000000000000034361440160026300234510ustar00rootroot00000000000000Warning, file "bench/check-ce/func_call1.mlw", line 15, characters 6-7: unused variable w File "bench/check-ce/func_call1.mlw", line 8, characters 12-21: Sub-goal Postcondition of goal g'vc. Prover result is: Valid. File "bench/check-ce/func_call1.mlw", line 9, characters 12-26: Sub-goal Postcondition of goal g'vc. Prover result is: Valid. Categorizations of models: - Selected model 0: SW - Concrete RAC: NORMAL - Abstract RAC: FAILURE (assertion at "bench/check-ce/func_call1.mlw", line 16, characters 11-16) - Checked model 1: SW - Concrete RAC: NORMAL - Abstract RAC: FAILURE (assertion at "bench/check-ce/func_call1.mlw", line 16, characters 11-16) File "bench/check-ce/func_call1.mlw", line 16, characters 11-16: Sub-goal Assertion of goal f'vc. Prover result is: Unknown or time/memory/step limit. The contracts of some function or loop are too weak, for example during the following execution: File int.mlw: Line 13: Constant zero initialization zero = 0 Line 14: Constant one initialization one = 1 File func_call1.mlw: Line 4: Constant z initialization (giant-step) execution of unimplemented function with args: result = 0 Normal execution of function `ref` with args: contents = 0 Normal execution of function `ref'mk` with args: contents = 0 z = {contents= 0} Unknown location: _ = () File func_call1.mlw: Line 13: _ = () Execution of main function `f` with env: z = {contents= 0} _ = () zero = 0 one = 1 Line 15: Giant-step execution of function `g` with args: x = 2 z = {contents= 2} result of `g` = 3 Normal execution of function `(+)` with args: _ = 3 _ = 3 Line 16: Property failure at assertion with: z = {contents= 2} why3-1.6.0/bench/check-ce/oracles/func_call1_CVC5,1.0.0_SP.oracle000066400000000000000000000034361440160026300235740ustar00rootroot00000000000000Warning, file "bench/check-ce/func_call1.mlw", line 15, characters 6-7: unused variable w File "bench/check-ce/func_call1.mlw", line 8, characters 12-21: Sub-goal Postcondition of goal g'vc. Prover result is: Valid. File "bench/check-ce/func_call1.mlw", line 9, characters 12-26: Sub-goal Postcondition of goal g'vc. Prover result is: Valid. Categorizations of models: - Selected model 0: SW - Concrete RAC: NORMAL - Abstract RAC: FAILURE (assertion at "bench/check-ce/func_call1.mlw", line 16, characters 11-16) - Checked model 1: SW - Concrete RAC: NORMAL - Abstract RAC: FAILURE (assertion at "bench/check-ce/func_call1.mlw", line 16, characters 11-16) File "bench/check-ce/func_call1.mlw", line 16, characters 11-16: Sub-goal Assertion of goal f'vc. Prover result is: Unknown or time/memory/step limit. The contracts of some function or loop are too weak, for example during the following execution: File int.mlw: Line 13: Constant zero initialization zero = 0 Line 14: Constant one initialization one = 1 File func_call1.mlw: Line 4: Constant z initialization (giant-step) execution of unimplemented function with args: result = 0 Normal execution of function `ref` with args: contents = 0 Normal execution of function `ref'mk` with args: contents = 0 z = {contents= 0} Unknown location: _ = () File func_call1.mlw: Line 13: _ = () Execution of main function `f` with env: z = {contents= 0} _ = () zero = 0 one = 1 Line 15: Giant-step execution of function `g` with args: x = 2 z = {contents= 2} result of `g` = 3 Normal execution of function `(+)` with args: _ = 3 _ = 3 Line 16: Property failure at assertion with: z = {contents= 2} why3-1.6.0/bench/check-ce/oracles/func_call1_CVC5,1.0.0_WP.oracle000066400000000000000000000034361440160026300236000ustar00rootroot00000000000000Warning, file "bench/check-ce/func_call1.mlw", line 15, characters 6-7: unused variable w File "bench/check-ce/func_call1.mlw", line 8, characters 12-21: Sub-goal Postcondition of goal g'vc. Prover result is: Valid. File "bench/check-ce/func_call1.mlw", line 9, characters 12-26: Sub-goal Postcondition of goal g'vc. Prover result is: Valid. Categorizations of models: - Selected model 0: SW - Concrete RAC: NORMAL - Abstract RAC: FAILURE (assertion at "bench/check-ce/func_call1.mlw", line 16, characters 11-16) - Checked model 1: SW - Concrete RAC: NORMAL - Abstract RAC: FAILURE (assertion at "bench/check-ce/func_call1.mlw", line 16, characters 11-16) File "bench/check-ce/func_call1.mlw", line 16, characters 11-16: Sub-goal Assertion of goal f'vc. Prover result is: Unknown or time/memory/step limit. The contracts of some function or loop are too weak, for example during the following execution: File int.mlw: Line 13: Constant zero initialization zero = 0 Line 14: Constant one initialization one = 1 File func_call1.mlw: Line 4: Constant z initialization (giant-step) execution of unimplemented function with args: result = 0 Normal execution of function `ref` with args: contents = 0 Normal execution of function `ref'mk` with args: contents = 0 z = {contents= 0} Unknown location: _ = () File func_call1.mlw: Line 13: _ = () Execution of main function `f` with env: z = {contents= 0} _ = () zero = 0 one = 1 Line 15: Giant-step execution of function `g` with args: x = 2 z = {contents= 2} result of `g` = 3 Normal execution of function `(+)` with args: _ = 3 _ = 3 Line 16: Property failure at assertion with: z = {contents= 2} why3-1.6.0/bench/check-ce/oracles/func_call1_Z3,4.8.10_SP.oracle000066400000000000000000000034651440160026300234660ustar00rootroot00000000000000Warning, file "bench/check-ce/func_call1.mlw", line 15, characters 6-7: unused variable w File "bench/check-ce/func_call1.mlw", line 8, characters 12-21: Sub-goal Postcondition of goal g'vc. Prover result is: Valid. File "bench/check-ce/func_call1.mlw", line 9, characters 12-26: Sub-goal Postcondition of goal g'vc. Prover result is: Valid. Categorizations of models: - Selected model 0: SW - Concrete RAC: NORMAL - Abstract RAC: FAILURE (assertion at "bench/check-ce/func_call1.mlw", line 16, characters 11-16) - Checked model 1: BAD_CE - Concrete RAC: NORMAL - Abstract RAC: STUCK (failure in postcondition of `g` at "bench/check-ce/func_call1.mlw", line 8, characters 12-21) File "bench/check-ce/func_call1.mlw", line 16, characters 11-16: Sub-goal Assertion of goal f'vc. Prover result is: Unknown or time/memory/step limit. The contracts of some function or loop are too weak, for example during the following execution: File int.mlw: Line 13: Constant zero initialization zero = 0 Line 14: Constant one initialization one = 1 File func_call1.mlw: Line 4: Constant z initialization (giant-step) execution of unimplemented function with args: result = 0 Normal execution of function `ref` with args: contents = 0 Normal execution of function `ref'mk` with args: contents = 0 z = {contents= 0} Unknown location: _ = () File func_call1.mlw: Line 13: _ = () Execution of main function `f` with env: z = {contents= 0} _ = () zero = 0 one = 1 Line 15: Giant-step execution of function `g` with args: x = 2 z = {contents= 2} result of `g` = 3 Normal execution of function `(+)` with args: _ = 3 _ = 3 Line 16: Property failure at assertion with: z = {contents= 2} why3-1.6.0/bench/check-ce/oracles/func_call1_Z3,4.8.10_WP.oracle000066400000000000000000000034651440160026300234720ustar00rootroot00000000000000Warning, file "bench/check-ce/func_call1.mlw", line 15, characters 6-7: unused variable w File "bench/check-ce/func_call1.mlw", line 8, characters 12-21: Sub-goal Postcondition of goal g'vc. Prover result is: Valid. File "bench/check-ce/func_call1.mlw", line 9, characters 12-26: Sub-goal Postcondition of goal g'vc. Prover result is: Valid. Categorizations of models: - Selected model 0: SW - Concrete RAC: NORMAL - Abstract RAC: FAILURE (assertion at "bench/check-ce/func_call1.mlw", line 16, characters 11-16) - Checked model 1: BAD_CE - Concrete RAC: NORMAL - Abstract RAC: STUCK (failure in postcondition of `g` at "bench/check-ce/func_call1.mlw", line 8, characters 12-21) File "bench/check-ce/func_call1.mlw", line 16, characters 11-16: Sub-goal Assertion of goal f'vc. Prover result is: Unknown or time/memory/step limit. The contracts of some function or loop are too weak, for example during the following execution: File int.mlw: Line 13: Constant zero initialization zero = 0 Line 14: Constant one initialization one = 1 File func_call1.mlw: Line 4: Constant z initialization (giant-step) execution of unimplemented function with args: result = 0 Normal execution of function `ref` with args: contents = 0 Normal execution of function `ref'mk` with args: contents = 0 z = {contents= 0} Unknown location: _ = () File func_call1.mlw: Line 13: _ = () Execution of main function `f` with env: z = {contents= 0} _ = () zero = 0 one = 1 Line 15: Giant-step execution of function `g` with args: x = 2 z = {contents= 2} result of `g` = 3 Normal execution of function `(+)` with args: _ = 3 _ = 3 Line 16: Property failure at assertion with: z = {contents= 2} why3-1.6.0/bench/check-ce/oracles/func_call1_Z3,4.8.4_SP.oracle000066400000000000000000000347171440160026300234150ustar00rootroot00000000000000File "bench/check-ce/func_call1.mlw", line 15, characters 6-7: warning: unused variable w File "bench/check-ce/func_call1.mlw", line 8, characters 12-21: Sub-goal Postcondition of goal g'vc. Prover result is: Valid (0.01s, 183 steps). File "bench/check-ce/func_call1.mlw", line 9, characters 12-26: Sub-goal Postcondition of goal g'vc. Prover result is: Valid (0.01s, 66 steps). Check model 0 ("bench/check-ce/func_call1.mlw", line 16, characters 11-16) Checking model: File func_call1.mlw: Line 8: z = {"type": "Record", "val": {"Field": [{"field": "contents", "value": {"type": "Integer", "val": "0"}}]}} z = {"type": "Record", "val": {"Field": [{"field": "contents", "value": {"type": "Integer", "val": "2"}}]}} Line 14: z = {"type": "Record", "val": {"Field": [{"field": "contents", "value": {"type": "Integer", "val": "0"}}]}} Line 15: result = {"type": "Integer", "val": "3"} w = {"type": "Integer", "val": "6"} z = {"type": "Record", "val": {"Field": [{"field": "contents", "value": {"type": "Integer", "val": "2"}}]}} Line 16: z = {"type": "Record", "val": {"Field": [{"field": "contents", "value": {"type": "Integer", "val": "2"}}]}} Giant-step RAC RHS evaluated for global `zero` at "WHY3DATA/stdlib/int.mlw", line 13, characters 15-19: 0 RHS evaluated for global `one` at "WHY3DATA/stdlib/int.mlw", line 14, characters 15-18: 1 Type default value for return value of call at "bench/check-ce/func_call1.mlw", line 4, characters 9-14 at "bench/check-ce/func_call1.mlw", line 4, characters 9-14: 0 RHS evaluated for global `z` at "bench/check-ce/func_call1.mlw", line 4, characters 8-9: {contents= 0} Type default value for parameter `_` at NO LOC: () Value from model for variable `z` at "bench/check-ce/func_call1.mlw", line 15, characters 10-15 at "bench/check-ce/func_call1.mlw", line 15, characters 10-15: {contents= 2} Value from model for return value of call to g at "bench/check-ce/func_call1.mlw", line 15, characters 10-15 at "bench/check-ce/func_call1.mlw", line 15, characters 10-15: 3 Normal RAC RHS evaluated for global `zero` at "WHY3DATA/stdlib/int.mlw", line 13, characters 15-19: 0 RHS evaluated for global `one` at "WHY3DATA/stdlib/int.mlw", line 14, characters 15-18: 1 Type default value for return value of call at "bench/check-ce/func_call1.mlw", line 4, characters 9-14 at "bench/check-ce/func_call1.mlw", line 4, characters 9-14: 0 RHS evaluated for global `z` at "bench/check-ce/func_call1.mlw", line 4, characters 8-9: {contents= 0} Type default value for parameter `_` at NO LOC: () Result of checking model 0: SW - Concrete RAC: NORMAL File int.mlw: Line 13: Constant zero initialization zero = 0 Line 14: Constant one initialization one = 1 File func_call1.mlw: Line 4: Constant z initialization (giant-step) execution of unimplemented function with args: result = 0 Normal execution of function `ref` with args: contents = 0 Normal execution of function `ref'mk` with args: contents = 0 z = {contents= 0} Unknown location: _ = () File func_call1.mlw: Line 13: _ = () Execution of main function `f` with env: z = {contents= 0} _ = () zero = 0 one = 1 Line 15: Normal execution of function `g` with args: x = 2 Line 10: Normal execution of function `contents` with args: arg = {contents= 0} Normal execution of function `(+)` with args: _ = 0 _ = 1 Line 11: Normal execution of function `(+)` with args: _ = 2 _ = 1 Line 15: Normal execution of function `(+)` with args: _ = 3 _ = 3 Line 13: Execution of main function terminated normally - Abstract RAC: FAILURE (assertion at "bench/check-ce/func_call1.mlw", line 16, characters 11-16) File int.mlw: Line 13: Constant zero initialization zero = 0 Line 14: Constant one initialization one = 1 File func_call1.mlw: Line 4: Constant z initialization (giant-step) execution of unimplemented function with args: result = 0 Normal execution of function `ref` with args: contents = 0 Normal execution of function `ref'mk` with args: contents = 0 z = {contents= 0} Unknown location: _ = () File func_call1.mlw: Line 13: _ = () Execution of main function `f` with env: z = {contents= 0} _ = () zero = 0 one = 1 Line 15: Giant-step execution of function `g` with args: x = 2 z = {contents= 2} result of `g` = 3 Normal execution of function `(+)` with args: _ = 3 _ = 3 Line 16: Property failure at assertion with: z = {contents= 2} Check model 1 ("bench/check-ce/func_call1.mlw", line 16, characters 11-16) Checking model: File func_call1.mlw: Line 8: z = {"type": "Record", "val": {"Field": [{"field": "contents", "value": {"type": "Integer", "val": "0"}}]}} z = {"type": "Record", "val": {"Field": [{"field": "contents", "value": {"type": "Integer", "val": "177"}}]}} Line 14: z = {"type": "Record", "val": {"Field": [{"field": "contents", "value": {"type": "Integer", "val": "0"}}]}} Line 15: result = {"type": "Integer", "val": "3"} w = {"type": "Integer", "val": "6"} z = {"type": "Record", "val": {"Field": [{"field": "contents", "value": {"type": "Integer", "val": "177"}}]}} Line 16: z = {"type": "Record", "val": {"Field": [{"field": "contents", "value": {"type": "Integer", "val": "177"}}]}} Giant-step RAC RHS evaluated for global `zero` at "WHY3DATA/stdlib/int.mlw", line 13, characters 15-19: 0 RHS evaluated for global `one` at "WHY3DATA/stdlib/int.mlw", line 14, characters 15-18: 1 Type default value for return value of call at "bench/check-ce/func_call1.mlw", line 4, characters 9-14 at "bench/check-ce/func_call1.mlw", line 4, characters 9-14: 0 RHS evaluated for global `z` at "bench/check-ce/func_call1.mlw", line 4, characters 8-9: {contents= 0} Type default value for parameter `_` at NO LOC: () Value from model for variable `z` at "bench/check-ce/func_call1.mlw", line 15, characters 10-15 at "bench/check-ce/func_call1.mlw", line 15, characters 10-15: {contents= 177} Value from model for return value of call to g at "bench/check-ce/func_call1.mlw", line 15, characters 10-15 at "bench/check-ce/func_call1.mlw", line 15, characters 10-15: 3 Normal RAC RHS evaluated for global `zero` at "WHY3DATA/stdlib/int.mlw", line 13, characters 15-19: 0 RHS evaluated for global `one` at "WHY3DATA/stdlib/int.mlw", line 14, characters 15-18: 1 Type default value for return value of call at "bench/check-ce/func_call1.mlw", line 4, characters 9-14 at "bench/check-ce/func_call1.mlw", line 4, characters 9-14: 0 RHS evaluated for global `z` at "bench/check-ce/func_call1.mlw", line 4, characters 8-9: {contents= 0} Type default value for parameter `_` at NO LOC: () Result of checking model 1: SW - Concrete RAC: NORMAL File int.mlw: Line 13: Constant zero initialization zero = 0 Line 14: Constant one initialization one = 1 File func_call1.mlw: Line 4: Constant z initialization (giant-step) execution of unimplemented function with args: result = 0 Normal execution of function `ref` with args: contents = 0 Normal execution of function `ref'mk` with args: contents = 0 z = {contents= 0} Unknown location: _ = () File func_call1.mlw: Line 13: _ = () Execution of main function `f` with env: z = {contents= 0} _ = () zero = 0 one = 1 Line 15: Normal execution of function `g` with args: x = 2 Line 10: Normal execution of function `contents` with args: arg = {contents= 0} Normal execution of function `(+)` with args: _ = 0 _ = 1 Line 11: Normal execution of function `(+)` with args: _ = 2 _ = 1 Line 15: Normal execution of function `(+)` with args: _ = 3 _ = 3 Line 13: Execution of main function terminated normally - Abstract RAC: FAILURE (assertion at "bench/check-ce/func_call1.mlw", line 16, characters 11-16) File int.mlw: Line 13: Constant zero initialization zero = 0 Line 14: Constant one initialization one = 1 File func_call1.mlw: Line 4: Constant z initialization (giant-step) execution of unimplemented function with args: result = 0 Normal execution of function `ref` with args: contents = 0 Normal execution of function `ref'mk` with args: contents = 0 z = {contents= 0} Unknown location: _ = () File func_call1.mlw: Line 13: _ = () Execution of main function `f` with env: z = {contents= 0} _ = () zero = 0 one = 1 Line 15: Giant-step execution of function `g` with args: x = 2 z = {contents= 177} result of `g` = 3 Normal execution of function `(+)` with args: _ = 3 _ = 3 Line 16: Property failure at assertion with: z = {contents= 177} Results: - Selected model 0: SW - Concrete RAC: NORMAL - Abstract RAC: FAILURE (assertion at "bench/check-ce/func_call1.mlw", line 16, characters 11-16) - Checked model 1: SW - Concrete RAC: NORMAL - Abstract RAC: FAILURE (assertion at "bench/check-ce/func_call1.mlw", line 16, characters 11-16) File "bench/check-ce/func_call1.mlw", line 16, characters 11-16: Sub-goal Assertion of goal f'vc. Prover result is: Unknown (unknown) (1.21s, 7500000 steps). The contracts of some function or loop are too weak, for example during the following execution: File int.mlw: Line 13: Constant zero initialization zero = 0 Line 14: Constant one initialization one = 1 File func_call1.mlw: Line 4: Constant z initialization (giant-step) execution of unimplemented function with args: result = 0 Normal execution of function `ref` with args: contents = 0 Normal execution of function `ref'mk` with args: contents = 0 z = {contents= 0} Unknown location: _ = () File func_call1.mlw: Line 13: _ = () Execution of main function `f` with env: z = {contents= 0} _ = () zero = 0 one = 1 Line 15: Giant-step execution of function `g` with args: x = 2 z = {contents= 2} result of `g` = 3 Normal execution of function `(+)` with args: _ = 3 _ = 3 Line 16: Property failure at assertion with: z = {contents= 2} why3-1.6.0/bench/check-ce/oracles/func_call1_Z3,4.8.4_WP.oracle000066400000000000000000000347171440160026300234210ustar00rootroot00000000000000File "bench/check-ce/func_call1.mlw", line 15, characters 6-7: warning: unused variable w File "bench/check-ce/func_call1.mlw", line 8, characters 12-21: Sub-goal Postcondition of goal g'vc. Prover result is: Valid (0.02s, 183 steps). File "bench/check-ce/func_call1.mlw", line 9, characters 12-26: Sub-goal Postcondition of goal g'vc. Prover result is: Valid (0.01s, 66 steps). Check model 0 ("bench/check-ce/func_call1.mlw", line 16, characters 11-16) Checking model: File func_call1.mlw: Line 8: z = {"type": "Record", "val": {"Field": [{"field": "contents", "value": {"type": "Integer", "val": "0"}}]}} z = {"type": "Record", "val": {"Field": [{"field": "contents", "value": {"type": "Integer", "val": "2"}}]}} Line 14: z = {"type": "Record", "val": {"Field": [{"field": "contents", "value": {"type": "Integer", "val": "0"}}]}} Line 15: result = {"type": "Integer", "val": "3"} w = {"type": "Integer", "val": "6"} z = {"type": "Record", "val": {"Field": [{"field": "contents", "value": {"type": "Integer", "val": "2"}}]}} Line 16: z = {"type": "Record", "val": {"Field": [{"field": "contents", "value": {"type": "Integer", "val": "2"}}]}} Giant-step RAC RHS evaluated for global `zero` at "WHY3DATA/stdlib/int.mlw", line 13, characters 15-19: 0 RHS evaluated for global `one` at "WHY3DATA/stdlib/int.mlw", line 14, characters 15-18: 1 Type default value for return value of call at "bench/check-ce/func_call1.mlw", line 4, characters 9-14 at "bench/check-ce/func_call1.mlw", line 4, characters 9-14: 0 RHS evaluated for global `z` at "bench/check-ce/func_call1.mlw", line 4, characters 8-9: {contents= 0} Type default value for parameter `_` at NO LOC: () Value from model for variable `z` at "bench/check-ce/func_call1.mlw", line 15, characters 10-15 at "bench/check-ce/func_call1.mlw", line 15, characters 10-15: {contents= 2} Value from model for return value of call to g at "bench/check-ce/func_call1.mlw", line 15, characters 10-15 at "bench/check-ce/func_call1.mlw", line 15, characters 10-15: 3 Normal RAC RHS evaluated for global `zero` at "WHY3DATA/stdlib/int.mlw", line 13, characters 15-19: 0 RHS evaluated for global `one` at "WHY3DATA/stdlib/int.mlw", line 14, characters 15-18: 1 Type default value for return value of call at "bench/check-ce/func_call1.mlw", line 4, characters 9-14 at "bench/check-ce/func_call1.mlw", line 4, characters 9-14: 0 RHS evaluated for global `z` at "bench/check-ce/func_call1.mlw", line 4, characters 8-9: {contents= 0} Type default value for parameter `_` at NO LOC: () Result of checking model 0: SW - Concrete RAC: NORMAL File int.mlw: Line 13: Constant zero initialization zero = 0 Line 14: Constant one initialization one = 1 File func_call1.mlw: Line 4: Constant z initialization (giant-step) execution of unimplemented function with args: result = 0 Normal execution of function `ref` with args: contents = 0 Normal execution of function `ref'mk` with args: contents = 0 z = {contents= 0} Unknown location: _ = () File func_call1.mlw: Line 13: _ = () Execution of main function `f` with env: z = {contents= 0} _ = () zero = 0 one = 1 Line 15: Normal execution of function `g` with args: x = 2 Line 10: Normal execution of function `contents` with args: arg = {contents= 0} Normal execution of function `(+)` with args: _ = 0 _ = 1 Line 11: Normal execution of function `(+)` with args: _ = 2 _ = 1 Line 15: Normal execution of function `(+)` with args: _ = 3 _ = 3 Line 13: Execution of main function terminated normally - Abstract RAC: FAILURE (assertion at "bench/check-ce/func_call1.mlw", line 16, characters 11-16) File int.mlw: Line 13: Constant zero initialization zero = 0 Line 14: Constant one initialization one = 1 File func_call1.mlw: Line 4: Constant z initialization (giant-step) execution of unimplemented function with args: result = 0 Normal execution of function `ref` with args: contents = 0 Normal execution of function `ref'mk` with args: contents = 0 z = {contents= 0} Unknown location: _ = () File func_call1.mlw: Line 13: _ = () Execution of main function `f` with env: z = {contents= 0} _ = () zero = 0 one = 1 Line 15: Giant-step execution of function `g` with args: x = 2 z = {contents= 2} result of `g` = 3 Normal execution of function `(+)` with args: _ = 3 _ = 3 Line 16: Property failure at assertion with: z = {contents= 2} Check model 1 ("bench/check-ce/func_call1.mlw", line 16, characters 11-16) Checking model: File func_call1.mlw: Line 8: z = {"type": "Record", "val": {"Field": [{"field": "contents", "value": {"type": "Integer", "val": "0"}}]}} z = {"type": "Record", "val": {"Field": [{"field": "contents", "value": {"type": "Integer", "val": "177"}}]}} Line 14: z = {"type": "Record", "val": {"Field": [{"field": "contents", "value": {"type": "Integer", "val": "0"}}]}} Line 15: result = {"type": "Integer", "val": "3"} w = {"type": "Integer", "val": "6"} z = {"type": "Record", "val": {"Field": [{"field": "contents", "value": {"type": "Integer", "val": "177"}}]}} Line 16: z = {"type": "Record", "val": {"Field": [{"field": "contents", "value": {"type": "Integer", "val": "177"}}]}} Giant-step RAC RHS evaluated for global `zero` at "WHY3DATA/stdlib/int.mlw", line 13, characters 15-19: 0 RHS evaluated for global `one` at "WHY3DATA/stdlib/int.mlw", line 14, characters 15-18: 1 Type default value for return value of call at "bench/check-ce/func_call1.mlw", line 4, characters 9-14 at "bench/check-ce/func_call1.mlw", line 4, characters 9-14: 0 RHS evaluated for global `z` at "bench/check-ce/func_call1.mlw", line 4, characters 8-9: {contents= 0} Type default value for parameter `_` at NO LOC: () Value from model for variable `z` at "bench/check-ce/func_call1.mlw", line 15, characters 10-15 at "bench/check-ce/func_call1.mlw", line 15, characters 10-15: {contents= 177} Value from model for return value of call to g at "bench/check-ce/func_call1.mlw", line 15, characters 10-15 at "bench/check-ce/func_call1.mlw", line 15, characters 10-15: 3 Normal RAC RHS evaluated for global `zero` at "WHY3DATA/stdlib/int.mlw", line 13, characters 15-19: 0 RHS evaluated for global `one` at "WHY3DATA/stdlib/int.mlw", line 14, characters 15-18: 1 Type default value for return value of call at "bench/check-ce/func_call1.mlw", line 4, characters 9-14 at "bench/check-ce/func_call1.mlw", line 4, characters 9-14: 0 RHS evaluated for global `z` at "bench/check-ce/func_call1.mlw", line 4, characters 8-9: {contents= 0} Type default value for parameter `_` at NO LOC: () Result of checking model 1: SW - Concrete RAC: NORMAL File int.mlw: Line 13: Constant zero initialization zero = 0 Line 14: Constant one initialization one = 1 File func_call1.mlw: Line 4: Constant z initialization (giant-step) execution of unimplemented function with args: result = 0 Normal execution of function `ref` with args: contents = 0 Normal execution of function `ref'mk` with args: contents = 0 z = {contents= 0} Unknown location: _ = () File func_call1.mlw: Line 13: _ = () Execution of main function `f` with env: z = {contents= 0} _ = () zero = 0 one = 1 Line 15: Normal execution of function `g` with args: x = 2 Line 10: Normal execution of function `contents` with args: arg = {contents= 0} Normal execution of function `(+)` with args: _ = 0 _ = 1 Line 11: Normal execution of function `(+)` with args: _ = 2 _ = 1 Line 15: Normal execution of function `(+)` with args: _ = 3 _ = 3 Line 13: Execution of main function terminated normally - Abstract RAC: FAILURE (assertion at "bench/check-ce/func_call1.mlw", line 16, characters 11-16) File int.mlw: Line 13: Constant zero initialization zero = 0 Line 14: Constant one initialization one = 1 File func_call1.mlw: Line 4: Constant z initialization (giant-step) execution of unimplemented function with args: result = 0 Normal execution of function `ref` with args: contents = 0 Normal execution of function `ref'mk` with args: contents = 0 z = {contents= 0} Unknown location: _ = () File func_call1.mlw: Line 13: _ = () Execution of main function `f` with env: z = {contents= 0} _ = () zero = 0 one = 1 Line 15: Giant-step execution of function `g` with args: x = 2 z = {contents= 177} result of `g` = 3 Normal execution of function `(+)` with args: _ = 3 _ = 3 Line 16: Property failure at assertion with: z = {contents= 177} Results: - Selected model 0: SW - Concrete RAC: NORMAL - Abstract RAC: FAILURE (assertion at "bench/check-ce/func_call1.mlw", line 16, characters 11-16) - Checked model 1: SW - Concrete RAC: NORMAL - Abstract RAC: FAILURE (assertion at "bench/check-ce/func_call1.mlw", line 16, characters 11-16) File "bench/check-ce/func_call1.mlw", line 16, characters 11-16: Sub-goal Assertion of goal f'vc. Prover result is: Unknown (unknown) (1.24s, 7500000 steps). The contracts of some function or loop are too weak, for example during the following execution: File int.mlw: Line 13: Constant zero initialization zero = 0 Line 14: Constant one initialization one = 1 File func_call1.mlw: Line 4: Constant z initialization (giant-step) execution of unimplemented function with args: result = 0 Normal execution of function `ref` with args: contents = 0 Normal execution of function `ref'mk` with args: contents = 0 z = {contents= 0} Unknown location: _ = () File func_call1.mlw: Line 13: _ = () Execution of main function `f` with env: z = {contents= 0} _ = () zero = 0 one = 1 Line 15: Giant-step execution of function `g` with args: x = 2 z = {contents= 2} result of `g` = 3 Normal execution of function `(+)` with args: _ = 3 _ = 3 Line 16: Property failure at assertion with: z = {contents= 2} why3-1.6.0/bench/check-ce/oracles/func_call1_mono_CVC4,1.8_SP.oracle000066400000000000000000000030361440160026300244710ustar00rootroot00000000000000Warning, file "bench/check-ce/func_call1_mono.mlw", line 17, characters 6-7: unused variable w File "bench/check-ce/func_call1_mono.mlw", line 10, characters 12-25: Sub-goal Postcondition of goal g'vc. Prover result is: Valid. File "bench/check-ce/func_call1_mono.mlw", line 11, characters 12-26: Sub-goal Postcondition of goal g'vc. Prover result is: Valid. Categorizations of models: - Selected model 0: SW - Concrete RAC: NORMAL - Abstract RAC: FAILURE (assertion at "bench/check-ce/func_call1_mono.mlw", line 18, characters 11-18) - Checked model 1: SW - Concrete RAC: NORMAL - Abstract RAC: FAILURE (assertion at "bench/check-ce/func_call1_mono.mlw", line 18, characters 11-18) File "bench/check-ce/func_call1_mono.mlw", line 18, characters 11-18: Sub-goal Assertion of goal f'vc. Prover result is: Unknown (sat). The contracts of some function or loop are too weak, for example during the following execution: File int.mlw: Line 13: Constant zero initialization zero = 0 Line 14: Constant one initialization one = 1 File func_call1_mono.mlw: Line 6: z = {c= 0} Unknown location: _ = () File func_call1_mono.mlw: Line 15: _ = () Execution of main function `f` with env: z = {c= 0} _ = () zero = 0 one = 1 Line 17: Giant-step execution of function `g` with args: x = 2 z = {c= 2} result of `g` = 3 Normal execution of function `(+)` with args: _ = 3 _ = 3 Line 18: Property failure at assertion with: z = {c= 2} why3-1.6.0/bench/check-ce/oracles/func_call1_mono_CVC4,1.8_WP.oracle000066400000000000000000000030361440160026300244750ustar00rootroot00000000000000Warning, file "bench/check-ce/func_call1_mono.mlw", line 17, characters 6-7: unused variable w File "bench/check-ce/func_call1_mono.mlw", line 10, characters 12-25: Sub-goal Postcondition of goal g'vc. Prover result is: Valid. File "bench/check-ce/func_call1_mono.mlw", line 11, characters 12-26: Sub-goal Postcondition of goal g'vc. Prover result is: Valid. Categorizations of models: - Selected model 0: SW - Concrete RAC: NORMAL - Abstract RAC: FAILURE (assertion at "bench/check-ce/func_call1_mono.mlw", line 18, characters 11-18) - Checked model 1: SW - Concrete RAC: NORMAL - Abstract RAC: FAILURE (assertion at "bench/check-ce/func_call1_mono.mlw", line 18, characters 11-18) File "bench/check-ce/func_call1_mono.mlw", line 18, characters 11-18: Sub-goal Assertion of goal f'vc. Prover result is: Unknown (sat). The contracts of some function or loop are too weak, for example during the following execution: File int.mlw: Line 13: Constant zero initialization zero = 0 Line 14: Constant one initialization one = 1 File func_call1_mono.mlw: Line 6: z = {c= 0} Unknown location: _ = () File func_call1_mono.mlw: Line 15: _ = () Execution of main function `f` with env: z = {c= 0} _ = () zero = 0 one = 1 Line 17: Giant-step execution of function `g` with args: x = 2 z = {c= 2} result of `g` = 3 Normal execution of function `(+)` with args: _ = 3 _ = 3 Line 18: Property failure at assertion with: z = {c= 2} why3-1.6.0/bench/check-ce/oracles/func_call1_mono_CVC5,1.0.0_SP.oracle000066400000000000000000000030361440160026300246200ustar00rootroot00000000000000Warning, file "bench/check-ce/func_call1_mono.mlw", line 17, characters 6-7: unused variable w File "bench/check-ce/func_call1_mono.mlw", line 10, characters 12-25: Sub-goal Postcondition of goal g'vc. Prover result is: Valid. File "bench/check-ce/func_call1_mono.mlw", line 11, characters 12-26: Sub-goal Postcondition of goal g'vc. Prover result is: Valid. Categorizations of models: - Selected model 0: SW - Concrete RAC: NORMAL - Abstract RAC: FAILURE (assertion at "bench/check-ce/func_call1_mono.mlw", line 18, characters 11-18) - Checked model 1: SW - Concrete RAC: NORMAL - Abstract RAC: FAILURE (assertion at "bench/check-ce/func_call1_mono.mlw", line 18, characters 11-18) File "bench/check-ce/func_call1_mono.mlw", line 18, characters 11-18: Sub-goal Assertion of goal f'vc. Prover result is: Unknown (sat). The contracts of some function or loop are too weak, for example during the following execution: File int.mlw: Line 13: Constant zero initialization zero = 0 Line 14: Constant one initialization one = 1 File func_call1_mono.mlw: Line 6: z = {c= 0} Unknown location: _ = () File func_call1_mono.mlw: Line 15: _ = () Execution of main function `f` with env: z = {c= 0} _ = () zero = 0 one = 1 Line 17: Giant-step execution of function `g` with args: x = 2 z = {c= 2} result of `g` = 3 Normal execution of function `(+)` with args: _ = 3 _ = 3 Line 18: Property failure at assertion with: z = {c= 2} why3-1.6.0/bench/check-ce/oracles/func_call1_mono_CVC5,1.0.0_WP.oracle000066400000000000000000000030361440160026300246240ustar00rootroot00000000000000Warning, file "bench/check-ce/func_call1_mono.mlw", line 17, characters 6-7: unused variable w File "bench/check-ce/func_call1_mono.mlw", line 10, characters 12-25: Sub-goal Postcondition of goal g'vc. Prover result is: Valid. File "bench/check-ce/func_call1_mono.mlw", line 11, characters 12-26: Sub-goal Postcondition of goal g'vc. Prover result is: Valid. Categorizations of models: - Selected model 0: SW - Concrete RAC: NORMAL - Abstract RAC: FAILURE (assertion at "bench/check-ce/func_call1_mono.mlw", line 18, characters 11-18) - Checked model 1: SW - Concrete RAC: NORMAL - Abstract RAC: FAILURE (assertion at "bench/check-ce/func_call1_mono.mlw", line 18, characters 11-18) File "bench/check-ce/func_call1_mono.mlw", line 18, characters 11-18: Sub-goal Assertion of goal f'vc. Prover result is: Unknown (sat). The contracts of some function or loop are too weak, for example during the following execution: File int.mlw: Line 13: Constant zero initialization zero = 0 Line 14: Constant one initialization one = 1 File func_call1_mono.mlw: Line 6: z = {c= 0} Unknown location: _ = () File func_call1_mono.mlw: Line 15: _ = () Execution of main function `f` with env: z = {c= 0} _ = () zero = 0 one = 1 Line 17: Giant-step execution of function `g` with args: x = 2 z = {c= 2} result of `g` = 3 Normal execution of function `(+)` with args: _ = 3 _ = 3 Line 18: Property failure at assertion with: z = {c= 2} why3-1.6.0/bench/check-ce/oracles/func_call1_mono_Z3,4.8.10_SP.oracle000066400000000000000000000030361440160026300245100ustar00rootroot00000000000000Warning, file "bench/check-ce/func_call1_mono.mlw", line 17, characters 6-7: unused variable w File "bench/check-ce/func_call1_mono.mlw", line 10, characters 12-25: Sub-goal Postcondition of goal g'vc. Prover result is: Valid. File "bench/check-ce/func_call1_mono.mlw", line 11, characters 12-26: Sub-goal Postcondition of goal g'vc. Prover result is: Valid. Categorizations of models: - Selected model 0: SW - Concrete RAC: NORMAL - Abstract RAC: FAILURE (assertion at "bench/check-ce/func_call1_mono.mlw", line 18, characters 11-18) - Checked model 1: SW - Concrete RAC: NORMAL - Abstract RAC: FAILURE (assertion at "bench/check-ce/func_call1_mono.mlw", line 18, characters 11-18) File "bench/check-ce/func_call1_mono.mlw", line 18, characters 11-18: Sub-goal Assertion of goal f'vc. Prover result is: Unknown (sat). The contracts of some function or loop are too weak, for example during the following execution: File int.mlw: Line 13: Constant zero initialization zero = 0 Line 14: Constant one initialization one = 1 File func_call1_mono.mlw: Line 6: z = {c= 0} Unknown location: _ = () File func_call1_mono.mlw: Line 15: _ = () Execution of main function `f` with env: z = {c= 0} _ = () zero = 0 one = 1 Line 17: Giant-step execution of function `g` with args: x = 2 z = {c= 2} result of `g` = 3 Normal execution of function `(+)` with args: _ = 3 _ = 3 Line 18: Property failure at assertion with: z = {c= 2} why3-1.6.0/bench/check-ce/oracles/func_call1_mono_Z3,4.8.10_WP.oracle000066400000000000000000000030361440160026300245140ustar00rootroot00000000000000Warning, file "bench/check-ce/func_call1_mono.mlw", line 17, characters 6-7: unused variable w File "bench/check-ce/func_call1_mono.mlw", line 10, characters 12-25: Sub-goal Postcondition of goal g'vc. Prover result is: Valid. File "bench/check-ce/func_call1_mono.mlw", line 11, characters 12-26: Sub-goal Postcondition of goal g'vc. Prover result is: Valid. Categorizations of models: - Selected model 0: SW - Concrete RAC: NORMAL - Abstract RAC: FAILURE (assertion at "bench/check-ce/func_call1_mono.mlw", line 18, characters 11-18) - Checked model 1: SW - Concrete RAC: NORMAL - Abstract RAC: FAILURE (assertion at "bench/check-ce/func_call1_mono.mlw", line 18, characters 11-18) File "bench/check-ce/func_call1_mono.mlw", line 18, characters 11-18: Sub-goal Assertion of goal f'vc. Prover result is: Unknown (sat). The contracts of some function or loop are too weak, for example during the following execution: File int.mlw: Line 13: Constant zero initialization zero = 0 Line 14: Constant one initialization one = 1 File func_call1_mono.mlw: Line 6: z = {c= 0} Unknown location: _ = () File func_call1_mono.mlw: Line 15: _ = () Execution of main function `f` with env: z = {c= 0} _ = () zero = 0 one = 1 Line 17: Giant-step execution of function `g` with args: x = 2 z = {c= 2} result of `g` = 3 Normal execution of function `(+)` with args: _ = 3 _ = 3 Line 18: Property failure at assertion with: z = {c= 2} why3-1.6.0/bench/check-ce/oracles/func_call2_CVC4,1.8_SP.oracle000066400000000000000000000030371440160026300234430ustar00rootroot00000000000000File "bench/check-ce/func_call2.mlw", line 8, characters 12-21: Sub-goal Postcondition of goal g'vc. Prover result is: Valid. Categorizations of models: - Selected model 0: NC - Concrete RAC: FAILURE (postcondition at "bench/check-ce/func_call2.mlw", line 9, characters 12-26) - Abstract RAC: FAILURE (postcondition at "bench/check-ce/func_call2.mlw", line 9, characters 12-26) - Checked model 1: NC - Concrete RAC: FAILURE (postcondition at "bench/check-ce/func_call2.mlw", line 9, characters 12-26) - Abstract RAC: FAILURE (postcondition at "bench/check-ce/func_call2.mlw", line 9, characters 12-26) File "bench/check-ce/func_call2.mlw", line 9, characters 12-26: Sub-goal Postcondition of goal g'vc. Prover result is: Unknown or time/memory/step limit. The program does not comply to the verification goal, for example during the following execution: File int.mlw: Line 13: Constant zero initialization zero = 0 Line 14: Constant one initialization one = 1 File func_call2.mlw: Line 4: z = {contents= (- 1)} Line 6: x = 0 x = 0 Execution of main function `g` with env: z = {contents= (- 1)} x = 0 zero = 0 one = 1 Line 10: Normal execution of function `contents` with args: arg = {contents= (- 1)} Normal execution of function `(+)` with args: _ = (- 1) _ = 1 Line 11: Normal execution of function `(+)` with args: _ = 0 _ = 1 Line 9: Property failure at postcondition of `g` with: x = 0 result = 1 why3-1.6.0/bench/check-ce/oracles/func_call2_CVC4,1.8_WP.oracle000066400000000000000000000030371440160026300234470ustar00rootroot00000000000000File "bench/check-ce/func_call2.mlw", line 8, characters 12-21: Sub-goal Postcondition of goal g'vc. Prover result is: Valid. Categorizations of models: - Selected model 0: NC - Concrete RAC: FAILURE (postcondition at "bench/check-ce/func_call2.mlw", line 9, characters 12-26) - Abstract RAC: FAILURE (postcondition at "bench/check-ce/func_call2.mlw", line 9, characters 12-26) - Checked model 1: NC - Concrete RAC: FAILURE (postcondition at "bench/check-ce/func_call2.mlw", line 9, characters 12-26) - Abstract RAC: FAILURE (postcondition at "bench/check-ce/func_call2.mlw", line 9, characters 12-26) File "bench/check-ce/func_call2.mlw", line 9, characters 12-26: Sub-goal Postcondition of goal g'vc. Prover result is: Unknown or time/memory/step limit. The program does not comply to the verification goal, for example during the following execution: File int.mlw: Line 13: Constant zero initialization zero = 0 Line 14: Constant one initialization one = 1 File func_call2.mlw: Line 4: z = {contents= (- 1)} Line 6: x = 0 x = 0 Execution of main function `g` with env: z = {contents= (- 1)} x = 0 zero = 0 one = 1 Line 10: Normal execution of function `contents` with args: arg = {contents= (- 1)} Normal execution of function `(+)` with args: _ = (- 1) _ = 1 Line 11: Normal execution of function `(+)` with args: _ = 0 _ = 1 Line 9: Property failure at postcondition of `g` with: x = 0 result = 1 why3-1.6.0/bench/check-ce/oracles/func_call2_CVC5,1.0.0_SP.oracle000066400000000000000000000030371440160026300235720ustar00rootroot00000000000000File "bench/check-ce/func_call2.mlw", line 8, characters 12-21: Sub-goal Postcondition of goal g'vc. Prover result is: Valid. Categorizations of models: - Selected model 0: NC - Concrete RAC: FAILURE (postcondition at "bench/check-ce/func_call2.mlw", line 9, characters 12-26) - Abstract RAC: FAILURE (postcondition at "bench/check-ce/func_call2.mlw", line 9, characters 12-26) - Checked model 1: NC - Concrete RAC: FAILURE (postcondition at "bench/check-ce/func_call2.mlw", line 9, characters 12-26) - Abstract RAC: FAILURE (postcondition at "bench/check-ce/func_call2.mlw", line 9, characters 12-26) File "bench/check-ce/func_call2.mlw", line 9, characters 12-26: Sub-goal Postcondition of goal g'vc. Prover result is: Unknown or time/memory/step limit. The program does not comply to the verification goal, for example during the following execution: File int.mlw: Line 13: Constant zero initialization zero = 0 Line 14: Constant one initialization one = 1 File func_call2.mlw: Line 4: z = {contents= (- 1)} Line 6: x = 0 x = 0 Execution of main function `g` with env: z = {contents= (- 1)} x = 0 zero = 0 one = 1 Line 10: Normal execution of function `contents` with args: arg = {contents= (- 1)} Normal execution of function `(+)` with args: _ = (- 1) _ = 1 Line 11: Normal execution of function `(+)` with args: _ = 0 _ = 1 Line 9: Property failure at postcondition of `g` with: x = 0 result = 1 why3-1.6.0/bench/check-ce/oracles/func_call2_CVC5,1.0.0_WP.oracle000066400000000000000000000030371440160026300235760ustar00rootroot00000000000000File "bench/check-ce/func_call2.mlw", line 8, characters 12-21: Sub-goal Postcondition of goal g'vc. Prover result is: Valid. Categorizations of models: - Selected model 0: NC - Concrete RAC: FAILURE (postcondition at "bench/check-ce/func_call2.mlw", line 9, characters 12-26) - Abstract RAC: FAILURE (postcondition at "bench/check-ce/func_call2.mlw", line 9, characters 12-26) - Checked model 1: NC - Concrete RAC: FAILURE (postcondition at "bench/check-ce/func_call2.mlw", line 9, characters 12-26) - Abstract RAC: FAILURE (postcondition at "bench/check-ce/func_call2.mlw", line 9, characters 12-26) File "bench/check-ce/func_call2.mlw", line 9, characters 12-26: Sub-goal Postcondition of goal g'vc. Prover result is: Unknown or time/memory/step limit. The program does not comply to the verification goal, for example during the following execution: File int.mlw: Line 13: Constant zero initialization zero = 0 Line 14: Constant one initialization one = 1 File func_call2.mlw: Line 4: z = {contents= (- 1)} Line 6: x = 0 x = 0 Execution of main function `g` with env: z = {contents= (- 1)} x = 0 zero = 0 one = 1 Line 10: Normal execution of function `contents` with args: arg = {contents= (- 1)} Normal execution of function `(+)` with args: _ = (- 1) _ = 1 Line 11: Normal execution of function `(+)` with args: _ = 0 _ = 1 Line 9: Property failure at postcondition of `g` with: x = 0 result = 1 why3-1.6.0/bench/check-ce/oracles/func_call2_Z3,4.8.10_SP.oracle000066400000000000000000000030171440160026300234600ustar00rootroot00000000000000File "bench/check-ce/func_call2.mlw", line 8, characters 12-21: Sub-goal Postcondition of goal g'vc. Prover result is: Valid. Categorizations of models: - Selected model 0: NC - Concrete RAC: FAILURE (postcondition at "bench/check-ce/func_call2.mlw", line 9, characters 12-26) - Abstract RAC: FAILURE (postcondition at "bench/check-ce/func_call2.mlw", line 9, characters 12-26) - Checked model 1: NC - Concrete RAC: FAILURE (postcondition at "bench/check-ce/func_call2.mlw", line 9, characters 12-26) - Abstract RAC: FAILURE (postcondition at "bench/check-ce/func_call2.mlw", line 9, characters 12-26) File "bench/check-ce/func_call2.mlw", line 9, characters 12-26: Sub-goal Postcondition of goal g'vc. Prover result is: Unknown or time/memory/step limit. The program does not comply to the verification goal, for example during the following execution: File int.mlw: Line 13: Constant zero initialization zero = 0 Line 14: Constant one initialization one = 1 File func_call2.mlw: Line 4: z = {contents= 0} Line 6: x = 0 x = 0 Execution of main function `g` with env: z = {contents= 0} x = 0 zero = 0 one = 1 Line 10: Normal execution of function `contents` with args: arg = {contents= 0} Normal execution of function `(+)` with args: _ = 0 _ = 1 Line 11: Normal execution of function `(+)` with args: _ = 0 _ = 1 Line 9: Property failure at postcondition of `g` with: x = 0 result = 1 why3-1.6.0/bench/check-ce/oracles/func_call2_Z3,4.8.10_WP.oracle000066400000000000000000000030171440160026300234640ustar00rootroot00000000000000File "bench/check-ce/func_call2.mlw", line 8, characters 12-21: Sub-goal Postcondition of goal g'vc. Prover result is: Valid. Categorizations of models: - Selected model 0: NC - Concrete RAC: FAILURE (postcondition at "bench/check-ce/func_call2.mlw", line 9, characters 12-26) - Abstract RAC: FAILURE (postcondition at "bench/check-ce/func_call2.mlw", line 9, characters 12-26) - Checked model 1: NC - Concrete RAC: FAILURE (postcondition at "bench/check-ce/func_call2.mlw", line 9, characters 12-26) - Abstract RAC: FAILURE (postcondition at "bench/check-ce/func_call2.mlw", line 9, characters 12-26) File "bench/check-ce/func_call2.mlw", line 9, characters 12-26: Sub-goal Postcondition of goal g'vc. Prover result is: Unknown or time/memory/step limit. The program does not comply to the verification goal, for example during the following execution: File int.mlw: Line 13: Constant zero initialization zero = 0 Line 14: Constant one initialization one = 1 File func_call2.mlw: Line 4: z = {contents= 0} Line 6: x = 0 x = 0 Execution of main function `g` with env: z = {contents= 0} x = 0 zero = 0 one = 1 Line 10: Normal execution of function `contents` with args: arg = {contents= 0} Normal execution of function `(+)` with args: _ = 0 _ = 1 Line 11: Normal execution of function `(+)` with args: _ = 0 _ = 1 Line 9: Property failure at postcondition of `g` with: x = 0 result = 1 why3-1.6.0/bench/check-ce/oracles/func_call2_Z3,4.8.4_SP.oracle000066400000000000000000000252241440160026300234070ustar00rootroot00000000000000File "bench/check-ce/func_call2.mlw", line 8, characters 12-21: Sub-goal Postcondition of goal g'vc. Prover result is: Valid (0.02s, 183 steps). Check model 0 ("bench/check-ce/func_call2.mlw", line 9, characters 12-26) Checking model: File func_call2.mlw: Line 4: z = {"type": "Record", "val": {"Field": [{"field": "contents", "value": {"type": "Integer", "val": "-1"}}]}} Line 6: x = {"type": "Integer", "val": "-1"} Line 8: z = {"type": "Record", "val": {"Field": [{"field": "contents", "value": {"type": "Integer", "val": "0"}}]}} Line 9: x = {"type": "Integer", "val": "-1"} Line 10: result = {"type": "Integer", "val": "0"} z = {"type": "Record", "val": {"Field": [{"field": "contents", "value": {"type": "Integer", "val": "0"}}]}} Giant-step RAC RHS evaluated for global `zero` at "WHY3DATA/stdlib/int.mlw", line 13, characters 15-19: 0 RHS evaluated for global `one` at "WHY3DATA/stdlib/int.mlw", line 14, characters 15-18: 1 Value from model for global `z` at "bench/check-ce/func_call2.mlw", line 4, characters 8-9: {contents= (-1)} Value from model for parameter `x` at "bench/check-ce/func_call2.mlw", line 6, characters 7-8: (-1) Normal RAC RHS evaluated for global `zero` at "WHY3DATA/stdlib/int.mlw", line 13, characters 15-19: 0 RHS evaluated for global `one` at "WHY3DATA/stdlib/int.mlw", line 14, characters 15-18: 1 Value from model for global `z` at "bench/check-ce/func_call2.mlw", line 4, characters 8-9: {contents= (-1)} Value from model for parameter `x` at "bench/check-ce/func_call2.mlw", line 6, characters 7-8: (-1) Result of checking model 0: NC - Concrete RAC: FAILURE (postcondition at "bench/check-ce/func_call2.mlw", line 9, characters 12-26) File int.mlw: Line 13: Constant zero initialization zero = 0 Line 14: Constant one initialization one = 1 File func_call2.mlw: Line 4: z = {contents= (-1)} Line 6: x = (-1) x = (-1) Execution of main function `g` with env: z = {contents= (-1)} x = (-1) zero = 0 one = 1 Line 10: Normal execution of function `contents` with args: arg = {contents= (-1)} Normal execution of function `(+)` with args: _ = (-1) _ = 1 Line 11: Normal execution of function `(+)` with args: _ = (-1) _ = 1 Line 9: Property failure at postcondition of `g` with: x = (-1) result = 0 - Abstract RAC: FAILURE (postcondition at "bench/check-ce/func_call2.mlw", line 9, characters 12-26) File int.mlw: Line 13: Constant zero initialization zero = 0 Line 14: Constant one initialization one = 1 File func_call2.mlw: Line 4: z = {contents= (-1)} Line 6: x = (-1) x = (-1) Execution of main function `g` with env: z = {contents= (-1)} x = (-1) zero = 0 one = 1 Line 10: Normal execution of function `contents` with args: arg = {contents= (-1)} Normal execution of function `(+)` with args: _ = (-1) _ = 1 Line 11: Normal execution of function `(+)` with args: _ = (-1) _ = 1 Line 9: Property failure at postcondition of `g` with: x = (-1) result = 0 Check model 1 ("bench/check-ce/func_call2.mlw", line 9, characters 12-26) Checking model: File func_call2.mlw: Line 4: z = {"type": "Record", "val": {"Field": [{"field": "contents", "value": {"type": "Integer", "val": "-6083"}}]}} Line 6: x = {"type": "Integer", "val": "-1"} Line 8: z = {"type": "Record", "val": {"Field": [{"field": "contents", "value": {"type": "Integer", "val": "-6082"}}]}} Line 9: x = {"type": "Integer", "val": "-1"} Line 10: result = {"type": "Integer", "val": "0"} z = {"type": "Record", "val": {"Field": [{"field": "contents", "value": {"type": "Integer", "val": "-6082"}}]}} Giant-step RAC RHS evaluated for global `zero` at "WHY3DATA/stdlib/int.mlw", line 13, characters 15-19: 0 RHS evaluated for global `one` at "WHY3DATA/stdlib/int.mlw", line 14, characters 15-18: 1 Value from model for global `z` at "bench/check-ce/func_call2.mlw", line 4, characters 8-9: {contents= (-6083)} Value from model for parameter `x` at "bench/check-ce/func_call2.mlw", line 6, characters 7-8: (-1) Normal RAC RHS evaluated for global `zero` at "WHY3DATA/stdlib/int.mlw", line 13, characters 15-19: 0 RHS evaluated for global `one` at "WHY3DATA/stdlib/int.mlw", line 14, characters 15-18: 1 Value from model for global `z` at "bench/check-ce/func_call2.mlw", line 4, characters 8-9: {contents= (-6083)} Value from model for parameter `x` at "bench/check-ce/func_call2.mlw", line 6, characters 7-8: (-1) Result of checking model 1: NC - Concrete RAC: FAILURE (postcondition at "bench/check-ce/func_call2.mlw", line 9, characters 12-26) File int.mlw: Line 13: Constant zero initialization zero = 0 Line 14: Constant one initialization one = 1 File func_call2.mlw: Line 4: z = {contents= (-6083)} Line 6: x = (-1) x = (-1) Execution of main function `g` with env: z = {contents= (-6083)} x = (-1) zero = 0 one = 1 Line 10: Normal execution of function `contents` with args: arg = {contents= (-6083)} Normal execution of function `(+)` with args: _ = (-6083) _ = 1 Line 11: Normal execution of function `(+)` with args: _ = (-1) _ = 1 Line 9: Property failure at postcondition of `g` with: x = (-1) result = 0 - Abstract RAC: FAILURE (postcondition at "bench/check-ce/func_call2.mlw", line 9, characters 12-26) File int.mlw: Line 13: Constant zero initialization zero = 0 Line 14: Constant one initialization one = 1 File func_call2.mlw: Line 4: z = {contents= (-6083)} Line 6: x = (-1) x = (-1) Execution of main function `g` with env: z = {contents= (-6083)} x = (-1) zero = 0 one = 1 Line 10: Normal execution of function `contents` with args: arg = {contents= (-6083)} Normal execution of function `(+)` with args: _ = (-6083) _ = 1 Line 11: Normal execution of function `(+)` with args: _ = (-1) _ = 1 Line 9: Property failure at postcondition of `g` with: x = (-1) result = 0 Results: - Selected model 0: NC - Concrete RAC: FAILURE (postcondition at "bench/check-ce/func_call2.mlw", line 9, characters 12-26) - Abstract RAC: FAILURE (postcondition at "bench/check-ce/func_call2.mlw", line 9, characters 12-26) - Checked model 1: NC - Concrete RAC: FAILURE (postcondition at "bench/check-ce/func_call2.mlw", line 9, characters 12-26) - Abstract RAC: FAILURE (postcondition at "bench/check-ce/func_call2.mlw", line 9, characters 12-26) File "bench/check-ce/func_call2.mlw", line 9, characters 12-26: Sub-goal Postcondition of goal g'vc. Prover result is: Unknown (unknown) (1.24s, 7500000 steps). The program does not comply to the verification goal, for example during the following execution: File int.mlw: Line 13: Constant zero initialization zero = 0 Line 14: Constant one initialization one = 1 File func_call2.mlw: Line 4: z = {contents= (-1)} Line 6: x = (-1) x = (-1) Execution of main function `g` with env: z = {contents= (-1)} x = (-1) zero = 0 one = 1 Line 10: Normal execution of function `contents` with args: arg = {contents= (-1)} Normal execution of function `(+)` with args: _ = (-1) _ = 1 Line 11: Normal execution of function `(+)` with args: _ = (-1) _ = 1 Line 9: Property failure at postcondition of `g` with: x = (-1) result = 0 why3-1.6.0/bench/check-ce/oracles/func_call2_Z3,4.8.4_WP.oracle000066400000000000000000000252241440160026300234130ustar00rootroot00000000000000File "bench/check-ce/func_call2.mlw", line 8, characters 12-21: Sub-goal Postcondition of goal g'vc. Prover result is: Valid (0.03s, 183 steps). Check model 0 ("bench/check-ce/func_call2.mlw", line 9, characters 12-26) Checking model: File func_call2.mlw: Line 4: z = {"type": "Record", "val": {"Field": [{"field": "contents", "value": {"type": "Integer", "val": "-1"}}]}} Line 6: x = {"type": "Integer", "val": "-1"} Line 8: z = {"type": "Record", "val": {"Field": [{"field": "contents", "value": {"type": "Integer", "val": "0"}}]}} Line 9: x = {"type": "Integer", "val": "-1"} Line 10: result = {"type": "Integer", "val": "0"} z = {"type": "Record", "val": {"Field": [{"field": "contents", "value": {"type": "Integer", "val": "0"}}]}} Giant-step RAC RHS evaluated for global `zero` at "WHY3DATA/stdlib/int.mlw", line 13, characters 15-19: 0 RHS evaluated for global `one` at "WHY3DATA/stdlib/int.mlw", line 14, characters 15-18: 1 Value from model for global `z` at "bench/check-ce/func_call2.mlw", line 4, characters 8-9: {contents= (-1)} Value from model for parameter `x` at "bench/check-ce/func_call2.mlw", line 6, characters 7-8: (-1) Normal RAC RHS evaluated for global `zero` at "WHY3DATA/stdlib/int.mlw", line 13, characters 15-19: 0 RHS evaluated for global `one` at "WHY3DATA/stdlib/int.mlw", line 14, characters 15-18: 1 Value from model for global `z` at "bench/check-ce/func_call2.mlw", line 4, characters 8-9: {contents= (-1)} Value from model for parameter `x` at "bench/check-ce/func_call2.mlw", line 6, characters 7-8: (-1) Result of checking model 0: NC - Concrete RAC: FAILURE (postcondition at "bench/check-ce/func_call2.mlw", line 9, characters 12-26) File int.mlw: Line 13: Constant zero initialization zero = 0 Line 14: Constant one initialization one = 1 File func_call2.mlw: Line 4: z = {contents= (-1)} Line 6: x = (-1) x = (-1) Execution of main function `g` with env: z = {contents= (-1)} x = (-1) zero = 0 one = 1 Line 10: Normal execution of function `contents` with args: arg = {contents= (-1)} Normal execution of function `(+)` with args: _ = (-1) _ = 1 Line 11: Normal execution of function `(+)` with args: _ = (-1) _ = 1 Line 9: Property failure at postcondition of `g` with: x = (-1) result = 0 - Abstract RAC: FAILURE (postcondition at "bench/check-ce/func_call2.mlw", line 9, characters 12-26) File int.mlw: Line 13: Constant zero initialization zero = 0 Line 14: Constant one initialization one = 1 File func_call2.mlw: Line 4: z = {contents= (-1)} Line 6: x = (-1) x = (-1) Execution of main function `g` with env: z = {contents= (-1)} x = (-1) zero = 0 one = 1 Line 10: Normal execution of function `contents` with args: arg = {contents= (-1)} Normal execution of function `(+)` with args: _ = (-1) _ = 1 Line 11: Normal execution of function `(+)` with args: _ = (-1) _ = 1 Line 9: Property failure at postcondition of `g` with: x = (-1) result = 0 Check model 1 ("bench/check-ce/func_call2.mlw", line 9, characters 12-26) Checking model: File func_call2.mlw: Line 4: z = {"type": "Record", "val": {"Field": [{"field": "contents", "value": {"type": "Integer", "val": "-6083"}}]}} Line 6: x = {"type": "Integer", "val": "-1"} Line 8: z = {"type": "Record", "val": {"Field": [{"field": "contents", "value": {"type": "Integer", "val": "-6082"}}]}} Line 9: x = {"type": "Integer", "val": "-1"} Line 10: result = {"type": "Integer", "val": "0"} z = {"type": "Record", "val": {"Field": [{"field": "contents", "value": {"type": "Integer", "val": "-6082"}}]}} Giant-step RAC RHS evaluated for global `zero` at "WHY3DATA/stdlib/int.mlw", line 13, characters 15-19: 0 RHS evaluated for global `one` at "WHY3DATA/stdlib/int.mlw", line 14, characters 15-18: 1 Value from model for global `z` at "bench/check-ce/func_call2.mlw", line 4, characters 8-9: {contents= (-6083)} Value from model for parameter `x` at "bench/check-ce/func_call2.mlw", line 6, characters 7-8: (-1) Normal RAC RHS evaluated for global `zero` at "WHY3DATA/stdlib/int.mlw", line 13, characters 15-19: 0 RHS evaluated for global `one` at "WHY3DATA/stdlib/int.mlw", line 14, characters 15-18: 1 Value from model for global `z` at "bench/check-ce/func_call2.mlw", line 4, characters 8-9: {contents= (-6083)} Value from model for parameter `x` at "bench/check-ce/func_call2.mlw", line 6, characters 7-8: (-1) Result of checking model 1: NC - Concrete RAC: FAILURE (postcondition at "bench/check-ce/func_call2.mlw", line 9, characters 12-26) File int.mlw: Line 13: Constant zero initialization zero = 0 Line 14: Constant one initialization one = 1 File func_call2.mlw: Line 4: z = {contents= (-6083)} Line 6: x = (-1) x = (-1) Execution of main function `g` with env: z = {contents= (-6083)} x = (-1) zero = 0 one = 1 Line 10: Normal execution of function `contents` with args: arg = {contents= (-6083)} Normal execution of function `(+)` with args: _ = (-6083) _ = 1 Line 11: Normal execution of function `(+)` with args: _ = (-1) _ = 1 Line 9: Property failure at postcondition of `g` with: x = (-1) result = 0 - Abstract RAC: FAILURE (postcondition at "bench/check-ce/func_call2.mlw", line 9, characters 12-26) File int.mlw: Line 13: Constant zero initialization zero = 0 Line 14: Constant one initialization one = 1 File func_call2.mlw: Line 4: z = {contents= (-6083)} Line 6: x = (-1) x = (-1) Execution of main function `g` with env: z = {contents= (-6083)} x = (-1) zero = 0 one = 1 Line 10: Normal execution of function `contents` with args: arg = {contents= (-6083)} Normal execution of function `(+)` with args: _ = (-6083) _ = 1 Line 11: Normal execution of function `(+)` with args: _ = (-1) _ = 1 Line 9: Property failure at postcondition of `g` with: x = (-1) result = 0 Results: - Selected model 0: NC - Concrete RAC: FAILURE (postcondition at "bench/check-ce/func_call2.mlw", line 9, characters 12-26) - Abstract RAC: FAILURE (postcondition at "bench/check-ce/func_call2.mlw", line 9, characters 12-26) - Checked model 1: NC - Concrete RAC: FAILURE (postcondition at "bench/check-ce/func_call2.mlw", line 9, characters 12-26) - Abstract RAC: FAILURE (postcondition at "bench/check-ce/func_call2.mlw", line 9, characters 12-26) File "bench/check-ce/func_call2.mlw", line 9, characters 12-26: Sub-goal Postcondition of goal g'vc. Prover result is: Unknown (unknown) (1.26s, 7500000 steps). The program does not comply to the verification goal, for example during the following execution: File int.mlw: Line 13: Constant zero initialization zero = 0 Line 14: Constant one initialization one = 1 File func_call2.mlw: Line 4: z = {contents= (-1)} Line 6: x = (-1) x = (-1) Execution of main function `g` with env: z = {contents= (-1)} x = (-1) zero = 0 one = 1 Line 10: Normal execution of function `contents` with args: arg = {contents= (-1)} Normal execution of function `(+)` with args: _ = (-1) _ = 1 Line 11: Normal execution of function `(+)` with args: _ = (-1) _ = 1 Line 9: Property failure at postcondition of `g` with: x = (-1) result = 0 why3-1.6.0/bench/check-ce/oracles/func_call3_CVC4,1.8_SP.oracle000066400000000000000000000030321440160026300234370ustar00rootroot00000000000000File "bench/check-ce/func_call3.mlw", line 8, characters 12-21: Sub-goal Postcondition of goal g'vc. Prover result is: Valid. Categorizations of models: - Selected model 0: NC - Concrete RAC: FAILURE (postcondition at "bench/check-ce/func_call3.mlw", line 9, characters 17-26) - Abstract RAC: FAILURE (postcondition at "bench/check-ce/func_call3.mlw", line 9, characters 17-26) - Checked model 1: NC - Concrete RAC: FAILURE (postcondition at "bench/check-ce/func_call3.mlw", line 9, characters 17-26) - Abstract RAC: FAILURE (postcondition at "bench/check-ce/func_call3.mlw", line 9, characters 17-26) File "bench/check-ce/func_call3.mlw", line 9, characters 17-26: Sub-goal Postcondition of goal g'vc. Prover result is: Unknown or time/memory/step limit. The program does not comply to the verification goal, for example during the following execution: File int.mlw: Line 13: Constant zero initialization zero = 0 Line 14: Constant one initialization one = 1 File func_call3.mlw: Line 4: z = {contents= (- 1)} Line 6: x = 0 x = 0 Execution of main function `g` with env: z = {contents= (- 1)} x = 0 zero = 0 one = 1 Line 10: Normal execution of function `contents` with args: arg = {contents= (- 1)} Normal execution of function `(+)` with args: _ = (- 1) _ = 1 Line 11: Normal execution of function `(+)` with args: _ = 0 _ = 1 Line 9: Property failure at postcondition of `g` with: x = 0 r = 1 why3-1.6.0/bench/check-ce/oracles/func_call3_CVC4,1.8_WP.oracle000066400000000000000000000030321440160026300234430ustar00rootroot00000000000000File "bench/check-ce/func_call3.mlw", line 8, characters 12-21: Sub-goal Postcondition of goal g'vc. Prover result is: Valid. Categorizations of models: - Selected model 0: NC - Concrete RAC: FAILURE (postcondition at "bench/check-ce/func_call3.mlw", line 9, characters 17-26) - Abstract RAC: FAILURE (postcondition at "bench/check-ce/func_call3.mlw", line 9, characters 17-26) - Checked model 1: NC - Concrete RAC: FAILURE (postcondition at "bench/check-ce/func_call3.mlw", line 9, characters 17-26) - Abstract RAC: FAILURE (postcondition at "bench/check-ce/func_call3.mlw", line 9, characters 17-26) File "bench/check-ce/func_call3.mlw", line 9, characters 17-26: Sub-goal Postcondition of goal g'vc. Prover result is: Unknown or time/memory/step limit. The program does not comply to the verification goal, for example during the following execution: File int.mlw: Line 13: Constant zero initialization zero = 0 Line 14: Constant one initialization one = 1 File func_call3.mlw: Line 4: z = {contents= (- 1)} Line 6: x = 0 x = 0 Execution of main function `g` with env: z = {contents= (- 1)} x = 0 zero = 0 one = 1 Line 10: Normal execution of function `contents` with args: arg = {contents= (- 1)} Normal execution of function `(+)` with args: _ = (- 1) _ = 1 Line 11: Normal execution of function `(+)` with args: _ = 0 _ = 1 Line 9: Property failure at postcondition of `g` with: x = 0 r = 1 why3-1.6.0/bench/check-ce/oracles/func_call3_CVC5,1.0.0_SP.oracle000066400000000000000000000030321440160026300235660ustar00rootroot00000000000000File "bench/check-ce/func_call3.mlw", line 8, characters 12-21: Sub-goal Postcondition of goal g'vc. Prover result is: Valid. Categorizations of models: - Selected model 0: NC - Concrete RAC: FAILURE (postcondition at "bench/check-ce/func_call3.mlw", line 9, characters 17-26) - Abstract RAC: FAILURE (postcondition at "bench/check-ce/func_call3.mlw", line 9, characters 17-26) - Checked model 1: NC - Concrete RAC: FAILURE (postcondition at "bench/check-ce/func_call3.mlw", line 9, characters 17-26) - Abstract RAC: FAILURE (postcondition at "bench/check-ce/func_call3.mlw", line 9, characters 17-26) File "bench/check-ce/func_call3.mlw", line 9, characters 17-26: Sub-goal Postcondition of goal g'vc. Prover result is: Unknown or time/memory/step limit. The program does not comply to the verification goal, for example during the following execution: File int.mlw: Line 13: Constant zero initialization zero = 0 Line 14: Constant one initialization one = 1 File func_call3.mlw: Line 4: z = {contents= (- 1)} Line 6: x = 0 x = 0 Execution of main function `g` with env: z = {contents= (- 1)} x = 0 zero = 0 one = 1 Line 10: Normal execution of function `contents` with args: arg = {contents= (- 1)} Normal execution of function `(+)` with args: _ = (- 1) _ = 1 Line 11: Normal execution of function `(+)` with args: _ = 0 _ = 1 Line 9: Property failure at postcondition of `g` with: x = 0 r = 1 why3-1.6.0/bench/check-ce/oracles/func_call3_CVC5,1.0.0_WP.oracle000066400000000000000000000030321440160026300235720ustar00rootroot00000000000000File "bench/check-ce/func_call3.mlw", line 8, characters 12-21: Sub-goal Postcondition of goal g'vc. Prover result is: Valid. Categorizations of models: - Selected model 0: NC - Concrete RAC: FAILURE (postcondition at "bench/check-ce/func_call3.mlw", line 9, characters 17-26) - Abstract RAC: FAILURE (postcondition at "bench/check-ce/func_call3.mlw", line 9, characters 17-26) - Checked model 1: NC - Concrete RAC: FAILURE (postcondition at "bench/check-ce/func_call3.mlw", line 9, characters 17-26) - Abstract RAC: FAILURE (postcondition at "bench/check-ce/func_call3.mlw", line 9, characters 17-26) File "bench/check-ce/func_call3.mlw", line 9, characters 17-26: Sub-goal Postcondition of goal g'vc. Prover result is: Unknown or time/memory/step limit. The program does not comply to the verification goal, for example during the following execution: File int.mlw: Line 13: Constant zero initialization zero = 0 Line 14: Constant one initialization one = 1 File func_call3.mlw: Line 4: z = {contents= (- 1)} Line 6: x = 0 x = 0 Execution of main function `g` with env: z = {contents= (- 1)} x = 0 zero = 0 one = 1 Line 10: Normal execution of function `contents` with args: arg = {contents= (- 1)} Normal execution of function `(+)` with args: _ = (- 1) _ = 1 Line 11: Normal execution of function `(+)` with args: _ = 0 _ = 1 Line 9: Property failure at postcondition of `g` with: x = 0 r = 1 why3-1.6.0/bench/check-ce/oracles/func_call3_Z3,4.8.10_SP.oracle000066400000000000000000000030121440160026300234540ustar00rootroot00000000000000File "bench/check-ce/func_call3.mlw", line 8, characters 12-21: Sub-goal Postcondition of goal g'vc. Prover result is: Valid. Categorizations of models: - Selected model 0: NC - Concrete RAC: FAILURE (postcondition at "bench/check-ce/func_call3.mlw", line 9, characters 17-26) - Abstract RAC: FAILURE (postcondition at "bench/check-ce/func_call3.mlw", line 9, characters 17-26) - Checked model 1: NC - Concrete RAC: FAILURE (postcondition at "bench/check-ce/func_call3.mlw", line 9, characters 17-26) - Abstract RAC: FAILURE (postcondition at "bench/check-ce/func_call3.mlw", line 9, characters 17-26) File "bench/check-ce/func_call3.mlw", line 9, characters 17-26: Sub-goal Postcondition of goal g'vc. Prover result is: Unknown or time/memory/step limit. The program does not comply to the verification goal, for example during the following execution: File int.mlw: Line 13: Constant zero initialization zero = 0 Line 14: Constant one initialization one = 1 File func_call3.mlw: Line 4: z = {contents= 0} Line 6: x = 0 x = 0 Execution of main function `g` with env: z = {contents= 0} x = 0 zero = 0 one = 1 Line 10: Normal execution of function `contents` with args: arg = {contents= 0} Normal execution of function `(+)` with args: _ = 0 _ = 1 Line 11: Normal execution of function `(+)` with args: _ = 0 _ = 1 Line 9: Property failure at postcondition of `g` with: x = 0 r = 1 why3-1.6.0/bench/check-ce/oracles/func_call3_Z3,4.8.10_WP.oracle000066400000000000000000000030121440160026300234600ustar00rootroot00000000000000File "bench/check-ce/func_call3.mlw", line 8, characters 12-21: Sub-goal Postcondition of goal g'vc. Prover result is: Valid. Categorizations of models: - Selected model 0: NC - Concrete RAC: FAILURE (postcondition at "bench/check-ce/func_call3.mlw", line 9, characters 17-26) - Abstract RAC: FAILURE (postcondition at "bench/check-ce/func_call3.mlw", line 9, characters 17-26) - Checked model 1: NC - Concrete RAC: FAILURE (postcondition at "bench/check-ce/func_call3.mlw", line 9, characters 17-26) - Abstract RAC: FAILURE (postcondition at "bench/check-ce/func_call3.mlw", line 9, characters 17-26) File "bench/check-ce/func_call3.mlw", line 9, characters 17-26: Sub-goal Postcondition of goal g'vc. Prover result is: Unknown or time/memory/step limit. The program does not comply to the verification goal, for example during the following execution: File int.mlw: Line 13: Constant zero initialization zero = 0 Line 14: Constant one initialization one = 1 File func_call3.mlw: Line 4: z = {contents= 0} Line 6: x = 0 x = 0 Execution of main function `g` with env: z = {contents= 0} x = 0 zero = 0 one = 1 Line 10: Normal execution of function `contents` with args: arg = {contents= 0} Normal execution of function `(+)` with args: _ = 0 _ = 1 Line 11: Normal execution of function `(+)` with args: _ = 0 _ = 1 Line 9: Property failure at postcondition of `g` with: x = 0 r = 1 why3-1.6.0/bench/check-ce/oracles/func_call3_Z3,4.8.4_SP.oracle000066400000000000000000000251731440160026300234130ustar00rootroot00000000000000File "bench/check-ce/func_call3.mlw", line 8, characters 12-21: Sub-goal Postcondition of goal g'vc. Prover result is: Valid (0.02s, 183 steps). Check model 0 ("bench/check-ce/func_call3.mlw", line 9, characters 17-26) Checking model: File func_call3.mlw: Line 4: z = {"type": "Record", "val": {"Field": [{"field": "contents", "value": {"type": "Integer", "val": "-1"}}]}} Line 6: x = {"type": "Integer", "val": "-1"} Line 8: z = {"type": "Record", "val": {"Field": [{"field": "contents", "value": {"type": "Integer", "val": "0"}}]}} Line 9: x = {"type": "Integer", "val": "-1"} Line 10: result = {"type": "Integer", "val": "0"} z = {"type": "Record", "val": {"Field": [{"field": "contents", "value": {"type": "Integer", "val": "0"}}]}} Giant-step RAC RHS evaluated for global `zero` at "WHY3DATA/stdlib/int.mlw", line 13, characters 15-19: 0 RHS evaluated for global `one` at "WHY3DATA/stdlib/int.mlw", line 14, characters 15-18: 1 Value from model for global `z` at "bench/check-ce/func_call3.mlw", line 4, characters 8-9: {contents= (-1)} Value from model for parameter `x` at "bench/check-ce/func_call3.mlw", line 6, characters 7-8: (-1) Normal RAC RHS evaluated for global `zero` at "WHY3DATA/stdlib/int.mlw", line 13, characters 15-19: 0 RHS evaluated for global `one` at "WHY3DATA/stdlib/int.mlw", line 14, characters 15-18: 1 Value from model for global `z` at "bench/check-ce/func_call3.mlw", line 4, characters 8-9: {contents= (-1)} Value from model for parameter `x` at "bench/check-ce/func_call3.mlw", line 6, characters 7-8: (-1) Result of checking model 0: NC - Concrete RAC: FAILURE (postcondition at "bench/check-ce/func_call3.mlw", line 9, characters 17-26) File int.mlw: Line 13: Constant zero initialization zero = 0 Line 14: Constant one initialization one = 1 File func_call3.mlw: Line 4: z = {contents= (-1)} Line 6: x = (-1) x = (-1) Execution of main function `g` with env: z = {contents= (-1)} x = (-1) zero = 0 one = 1 Line 10: Normal execution of function `contents` with args: arg = {contents= (-1)} Normal execution of function `(+)` with args: _ = (-1) _ = 1 Line 11: Normal execution of function `(+)` with args: _ = (-1) _ = 1 Line 9: Property failure at postcondition of `g` with: x = (-1) r = 0 - Abstract RAC: FAILURE (postcondition at "bench/check-ce/func_call3.mlw", line 9, characters 17-26) File int.mlw: Line 13: Constant zero initialization zero = 0 Line 14: Constant one initialization one = 1 File func_call3.mlw: Line 4: z = {contents= (-1)} Line 6: x = (-1) x = (-1) Execution of main function `g` with env: z = {contents= (-1)} x = (-1) zero = 0 one = 1 Line 10: Normal execution of function `contents` with args: arg = {contents= (-1)} Normal execution of function `(+)` with args: _ = (-1) _ = 1 Line 11: Normal execution of function `(+)` with args: _ = (-1) _ = 1 Line 9: Property failure at postcondition of `g` with: x = (-1) r = 0 Check model 1 ("bench/check-ce/func_call3.mlw", line 9, characters 17-26) Checking model: File func_call3.mlw: Line 4: z = {"type": "Record", "val": {"Field": [{"field": "contents", "value": {"type": "Integer", "val": "-6083"}}]}} Line 6: x = {"type": "Integer", "val": "-1"} Line 8: z = {"type": "Record", "val": {"Field": [{"field": "contents", "value": {"type": "Integer", "val": "-6082"}}]}} Line 9: x = {"type": "Integer", "val": "-1"} Line 10: result = {"type": "Integer", "val": "0"} z = {"type": "Record", "val": {"Field": [{"field": "contents", "value": {"type": "Integer", "val": "-6082"}}]}} Giant-step RAC RHS evaluated for global `zero` at "WHY3DATA/stdlib/int.mlw", line 13, characters 15-19: 0 RHS evaluated for global `one` at "WHY3DATA/stdlib/int.mlw", line 14, characters 15-18: 1 Value from model for global `z` at "bench/check-ce/func_call3.mlw", line 4, characters 8-9: {contents= (-6083)} Value from model for parameter `x` at "bench/check-ce/func_call3.mlw", line 6, characters 7-8: (-1) Normal RAC RHS evaluated for global `zero` at "WHY3DATA/stdlib/int.mlw", line 13, characters 15-19: 0 RHS evaluated for global `one` at "WHY3DATA/stdlib/int.mlw", line 14, characters 15-18: 1 Value from model for global `z` at "bench/check-ce/func_call3.mlw", line 4, characters 8-9: {contents= (-6083)} Value from model for parameter `x` at "bench/check-ce/func_call3.mlw", line 6, characters 7-8: (-1) Result of checking model 1: NC - Concrete RAC: FAILURE (postcondition at "bench/check-ce/func_call3.mlw", line 9, characters 17-26) File int.mlw: Line 13: Constant zero initialization zero = 0 Line 14: Constant one initialization one = 1 File func_call3.mlw: Line 4: z = {contents= (-6083)} Line 6: x = (-1) x = (-1) Execution of main function `g` with env: z = {contents= (-6083)} x = (-1) zero = 0 one = 1 Line 10: Normal execution of function `contents` with args: arg = {contents= (-6083)} Normal execution of function `(+)` with args: _ = (-6083) _ = 1 Line 11: Normal execution of function `(+)` with args: _ = (-1) _ = 1 Line 9: Property failure at postcondition of `g` with: x = (-1) r = 0 - Abstract RAC: FAILURE (postcondition at "bench/check-ce/func_call3.mlw", line 9, characters 17-26) File int.mlw: Line 13: Constant zero initialization zero = 0 Line 14: Constant one initialization one = 1 File func_call3.mlw: Line 4: z = {contents= (-6083)} Line 6: x = (-1) x = (-1) Execution of main function `g` with env: z = {contents= (-6083)} x = (-1) zero = 0 one = 1 Line 10: Normal execution of function `contents` with args: arg = {contents= (-6083)} Normal execution of function `(+)` with args: _ = (-6083) _ = 1 Line 11: Normal execution of function `(+)` with args: _ = (-1) _ = 1 Line 9: Property failure at postcondition of `g` with: x = (-1) r = 0 Results: - Selected model 0: NC - Concrete RAC: FAILURE (postcondition at "bench/check-ce/func_call3.mlw", line 9, characters 17-26) - Abstract RAC: FAILURE (postcondition at "bench/check-ce/func_call3.mlw", line 9, characters 17-26) - Checked model 1: NC - Concrete RAC: FAILURE (postcondition at "bench/check-ce/func_call3.mlw", line 9, characters 17-26) - Abstract RAC: FAILURE (postcondition at "bench/check-ce/func_call3.mlw", line 9, characters 17-26) File "bench/check-ce/func_call3.mlw", line 9, characters 17-26: Sub-goal Postcondition of goal g'vc. Prover result is: Unknown (unknown) (1.29s, 7500000 steps). The program does not comply to the verification goal, for example during the following execution: File int.mlw: Line 13: Constant zero initialization zero = 0 Line 14: Constant one initialization one = 1 File func_call3.mlw: Line 4: z = {contents= (-1)} Line 6: x = (-1) x = (-1) Execution of main function `g` with env: z = {contents= (-1)} x = (-1) zero = 0 one = 1 Line 10: Normal execution of function `contents` with args: arg = {contents= (-1)} Normal execution of function `(+)` with args: _ = (-1) _ = 1 Line 11: Normal execution of function `(+)` with args: _ = (-1) _ = 1 Line 9: Property failure at postcondition of `g` with: x = (-1) r = 0 why3-1.6.0/bench/check-ce/oracles/func_call3_Z3,4.8.4_WP.oracle000066400000000000000000000251731440160026300234170ustar00rootroot00000000000000File "bench/check-ce/func_call3.mlw", line 8, characters 12-21: Sub-goal Postcondition of goal g'vc. Prover result is: Valid (0.02s, 183 steps). Check model 0 ("bench/check-ce/func_call3.mlw", line 9, characters 17-26) Checking model: File func_call3.mlw: Line 4: z = {"type": "Record", "val": {"Field": [{"field": "contents", "value": {"type": "Integer", "val": "-1"}}]}} Line 6: x = {"type": "Integer", "val": "-1"} Line 8: z = {"type": "Record", "val": {"Field": [{"field": "contents", "value": {"type": "Integer", "val": "0"}}]}} Line 9: x = {"type": "Integer", "val": "-1"} Line 10: result = {"type": "Integer", "val": "0"} z = {"type": "Record", "val": {"Field": [{"field": "contents", "value": {"type": "Integer", "val": "0"}}]}} Giant-step RAC RHS evaluated for global `zero` at "WHY3DATA/stdlib/int.mlw", line 13, characters 15-19: 0 RHS evaluated for global `one` at "WHY3DATA/stdlib/int.mlw", line 14, characters 15-18: 1 Value from model for global `z` at "bench/check-ce/func_call3.mlw", line 4, characters 8-9: {contents= (-1)} Value from model for parameter `x` at "bench/check-ce/func_call3.mlw", line 6, characters 7-8: (-1) Normal RAC RHS evaluated for global `zero` at "WHY3DATA/stdlib/int.mlw", line 13, characters 15-19: 0 RHS evaluated for global `one` at "WHY3DATA/stdlib/int.mlw", line 14, characters 15-18: 1 Value from model for global `z` at "bench/check-ce/func_call3.mlw", line 4, characters 8-9: {contents= (-1)} Value from model for parameter `x` at "bench/check-ce/func_call3.mlw", line 6, characters 7-8: (-1) Result of checking model 0: NC - Concrete RAC: FAILURE (postcondition at "bench/check-ce/func_call3.mlw", line 9, characters 17-26) File int.mlw: Line 13: Constant zero initialization zero = 0 Line 14: Constant one initialization one = 1 File func_call3.mlw: Line 4: z = {contents= (-1)} Line 6: x = (-1) x = (-1) Execution of main function `g` with env: z = {contents= (-1)} x = (-1) zero = 0 one = 1 Line 10: Normal execution of function `contents` with args: arg = {contents= (-1)} Normal execution of function `(+)` with args: _ = (-1) _ = 1 Line 11: Normal execution of function `(+)` with args: _ = (-1) _ = 1 Line 9: Property failure at postcondition of `g` with: x = (-1) r = 0 - Abstract RAC: FAILURE (postcondition at "bench/check-ce/func_call3.mlw", line 9, characters 17-26) File int.mlw: Line 13: Constant zero initialization zero = 0 Line 14: Constant one initialization one = 1 File func_call3.mlw: Line 4: z = {contents= (-1)} Line 6: x = (-1) x = (-1) Execution of main function `g` with env: z = {contents= (-1)} x = (-1) zero = 0 one = 1 Line 10: Normal execution of function `contents` with args: arg = {contents= (-1)} Normal execution of function `(+)` with args: _ = (-1) _ = 1 Line 11: Normal execution of function `(+)` with args: _ = (-1) _ = 1 Line 9: Property failure at postcondition of `g` with: x = (-1) r = 0 Check model 1 ("bench/check-ce/func_call3.mlw", line 9, characters 17-26) Checking model: File func_call3.mlw: Line 4: z = {"type": "Record", "val": {"Field": [{"field": "contents", "value": {"type": "Integer", "val": "-6083"}}]}} Line 6: x = {"type": "Integer", "val": "-1"} Line 8: z = {"type": "Record", "val": {"Field": [{"field": "contents", "value": {"type": "Integer", "val": "-6082"}}]}} Line 9: x = {"type": "Integer", "val": "-1"} Line 10: result = {"type": "Integer", "val": "0"} z = {"type": "Record", "val": {"Field": [{"field": "contents", "value": {"type": "Integer", "val": "-6082"}}]}} Giant-step RAC RHS evaluated for global `zero` at "WHY3DATA/stdlib/int.mlw", line 13, characters 15-19: 0 RHS evaluated for global `one` at "WHY3DATA/stdlib/int.mlw", line 14, characters 15-18: 1 Value from model for global `z` at "bench/check-ce/func_call3.mlw", line 4, characters 8-9: {contents= (-6083)} Value from model for parameter `x` at "bench/check-ce/func_call3.mlw", line 6, characters 7-8: (-1) Normal RAC RHS evaluated for global `zero` at "WHY3DATA/stdlib/int.mlw", line 13, characters 15-19: 0 RHS evaluated for global `one` at "WHY3DATA/stdlib/int.mlw", line 14, characters 15-18: 1 Value from model for global `z` at "bench/check-ce/func_call3.mlw", line 4, characters 8-9: {contents= (-6083)} Value from model for parameter `x` at "bench/check-ce/func_call3.mlw", line 6, characters 7-8: (-1) Result of checking model 1: NC - Concrete RAC: FAILURE (postcondition at "bench/check-ce/func_call3.mlw", line 9, characters 17-26) File int.mlw: Line 13: Constant zero initialization zero = 0 Line 14: Constant one initialization one = 1 File func_call3.mlw: Line 4: z = {contents= (-6083)} Line 6: x = (-1) x = (-1) Execution of main function `g` with env: z = {contents= (-6083)} x = (-1) zero = 0 one = 1 Line 10: Normal execution of function `contents` with args: arg = {contents= (-6083)} Normal execution of function `(+)` with args: _ = (-6083) _ = 1 Line 11: Normal execution of function `(+)` with args: _ = (-1) _ = 1 Line 9: Property failure at postcondition of `g` with: x = (-1) r = 0 - Abstract RAC: FAILURE (postcondition at "bench/check-ce/func_call3.mlw", line 9, characters 17-26) File int.mlw: Line 13: Constant zero initialization zero = 0 Line 14: Constant one initialization one = 1 File func_call3.mlw: Line 4: z = {contents= (-6083)} Line 6: x = (-1) x = (-1) Execution of main function `g` with env: z = {contents= (-6083)} x = (-1) zero = 0 one = 1 Line 10: Normal execution of function `contents` with args: arg = {contents= (-6083)} Normal execution of function `(+)` with args: _ = (-6083) _ = 1 Line 11: Normal execution of function `(+)` with args: _ = (-1) _ = 1 Line 9: Property failure at postcondition of `g` with: x = (-1) r = 0 Results: - Selected model 0: NC - Concrete RAC: FAILURE (postcondition at "bench/check-ce/func_call3.mlw", line 9, characters 17-26) - Abstract RAC: FAILURE (postcondition at "bench/check-ce/func_call3.mlw", line 9, characters 17-26) - Checked model 1: NC - Concrete RAC: FAILURE (postcondition at "bench/check-ce/func_call3.mlw", line 9, characters 17-26) - Abstract RAC: FAILURE (postcondition at "bench/check-ce/func_call3.mlw", line 9, characters 17-26) File "bench/check-ce/func_call3.mlw", line 9, characters 17-26: Sub-goal Postcondition of goal g'vc. Prover result is: Unknown (unknown) (1.27s, 7500000 steps). The program does not comply to the verification goal, for example during the following execution: File int.mlw: Line 13: Constant zero initialization zero = 0 Line 14: Constant one initialization one = 1 File func_call3.mlw: Line 4: z = {contents= (-1)} Line 6: x = (-1) x = (-1) Execution of main function `g` with env: z = {contents= (-1)} x = (-1) zero = 0 one = 1 Line 10: Normal execution of function `contents` with args: arg = {contents= (-1)} Normal execution of function `(+)` with args: _ = (-1) _ = 1 Line 11: Normal execution of function `(+)` with args: _ = (-1) _ = 1 Line 9: Property failure at postcondition of `g` with: x = (-1) r = 0 why3-1.6.0/bench/check-ce/oracles/func_call4_CVC4,1.8_SP.oracle000066400000000000000000000031041440160026300234400ustar00rootroot00000000000000Categorizations of models: - Selected model 0: NC - Concrete RAC: FAILURE (assertion at "bench/check-ce/func_call4.mlw", line 11, characters 25-30) - Abstract RAC: FAILURE (assertion at "bench/check-ce/func_call4.mlw", line 11, characters 25-30) - Checked model 1: NC - Concrete RAC: FAILURE (assertion at "bench/check-ce/func_call4.mlw", line 11, characters 25-30) - Abstract RAC: FAILURE (assertion at "bench/check-ce/func_call4.mlw", line 11, characters 25-30) File "bench/check-ce/func_call4.mlw", line 11, characters 25-30: Sub-goal Assertion of goal f'vc. Prover result is: Unknown or time/memory/step limit. The program does not comply to the verification goal, for example during the following execution: File int.mlw: Line 13: Constant zero initialization zero = 0 Line 14: Constant one initialization one = 1 File func_call4.mlw: Line 4: Constant z initialization (giant-step) execution of unimplemented function with args: result = 0 Normal execution of function `ref` with args: contents = 0 Normal execution of function `ref'mk` with args: contents = 0 z = {contents= 0} Unknown location: _ = () File func_call4.mlw: Line 10: _ = () Execution of main function `f` with env: z = {contents= 0} _ = () zero = 0 one = 1 Line 11: Normal execution of function `Tuple0` with args: (giant-step) execution of unimplemented function `g` _ = () z = {contents= 2} result of `g` = () Property failure at assertion with: z = {contents= 2} why3-1.6.0/bench/check-ce/oracles/func_call4_CVC4,1.8_WP.oracle000066400000000000000000000031041440160026300234440ustar00rootroot00000000000000Categorizations of models: - Selected model 0: NC - Concrete RAC: FAILURE (assertion at "bench/check-ce/func_call4.mlw", line 11, characters 25-30) - Abstract RAC: FAILURE (assertion at "bench/check-ce/func_call4.mlw", line 11, characters 25-30) - Checked model 1: NC - Concrete RAC: FAILURE (assertion at "bench/check-ce/func_call4.mlw", line 11, characters 25-30) - Abstract RAC: FAILURE (assertion at "bench/check-ce/func_call4.mlw", line 11, characters 25-30) File "bench/check-ce/func_call4.mlw", line 11, characters 25-30: Sub-goal Assertion of goal f'vc. Prover result is: Unknown or time/memory/step limit. The program does not comply to the verification goal, for example during the following execution: File int.mlw: Line 13: Constant zero initialization zero = 0 Line 14: Constant one initialization one = 1 File func_call4.mlw: Line 4: Constant z initialization (giant-step) execution of unimplemented function with args: result = 0 Normal execution of function `ref` with args: contents = 0 Normal execution of function `ref'mk` with args: contents = 0 z = {contents= 0} Unknown location: _ = () File func_call4.mlw: Line 10: _ = () Execution of main function `f` with env: z = {contents= 0} _ = () zero = 0 one = 1 Line 11: Normal execution of function `Tuple0` with args: (giant-step) execution of unimplemented function `g` _ = () z = {contents= 2} result of `g` = () Property failure at assertion with: z = {contents= 2} why3-1.6.0/bench/check-ce/oracles/func_call4_CVC5,1.0.0_SP.oracle000066400000000000000000000031041440160026300235670ustar00rootroot00000000000000Categorizations of models: - Selected model 0: NC - Concrete RAC: FAILURE (assertion at "bench/check-ce/func_call4.mlw", line 11, characters 25-30) - Abstract RAC: FAILURE (assertion at "bench/check-ce/func_call4.mlw", line 11, characters 25-30) - Checked model 1: NC - Concrete RAC: FAILURE (assertion at "bench/check-ce/func_call4.mlw", line 11, characters 25-30) - Abstract RAC: FAILURE (assertion at "bench/check-ce/func_call4.mlw", line 11, characters 25-30) File "bench/check-ce/func_call4.mlw", line 11, characters 25-30: Sub-goal Assertion of goal f'vc. Prover result is: Unknown or time/memory/step limit. The program does not comply to the verification goal, for example during the following execution: File int.mlw: Line 13: Constant zero initialization zero = 0 Line 14: Constant one initialization one = 1 File func_call4.mlw: Line 4: Constant z initialization (giant-step) execution of unimplemented function with args: result = 0 Normal execution of function `ref` with args: contents = 0 Normal execution of function `ref'mk` with args: contents = 0 z = {contents= 0} Unknown location: _ = () File func_call4.mlw: Line 10: _ = () Execution of main function `f` with env: z = {contents= 0} _ = () zero = 0 one = 1 Line 11: Normal execution of function `Tuple0` with args: (giant-step) execution of unimplemented function `g` _ = () z = {contents= 2} result of `g` = () Property failure at assertion with: z = {contents= 2} why3-1.6.0/bench/check-ce/oracles/func_call4_CVC5,1.0.0_WP.oracle000066400000000000000000000031041440160026300235730ustar00rootroot00000000000000Categorizations of models: - Selected model 0: NC - Concrete RAC: FAILURE (assertion at "bench/check-ce/func_call4.mlw", line 11, characters 25-30) - Abstract RAC: FAILURE (assertion at "bench/check-ce/func_call4.mlw", line 11, characters 25-30) - Checked model 1: NC - Concrete RAC: FAILURE (assertion at "bench/check-ce/func_call4.mlw", line 11, characters 25-30) - Abstract RAC: FAILURE (assertion at "bench/check-ce/func_call4.mlw", line 11, characters 25-30) File "bench/check-ce/func_call4.mlw", line 11, characters 25-30: Sub-goal Assertion of goal f'vc. Prover result is: Unknown or time/memory/step limit. The program does not comply to the verification goal, for example during the following execution: File int.mlw: Line 13: Constant zero initialization zero = 0 Line 14: Constant one initialization one = 1 File func_call4.mlw: Line 4: Constant z initialization (giant-step) execution of unimplemented function with args: result = 0 Normal execution of function `ref` with args: contents = 0 Normal execution of function `ref'mk` with args: contents = 0 z = {contents= 0} Unknown location: _ = () File func_call4.mlw: Line 10: _ = () Execution of main function `f` with env: z = {contents= 0} _ = () zero = 0 one = 1 Line 11: Normal execution of function `Tuple0` with args: (giant-step) execution of unimplemented function `g` _ = () z = {contents= 2} result of `g` = () Property failure at assertion with: z = {contents= 2} why3-1.6.0/bench/check-ce/oracles/func_call4_Z3,4.8.10_SP.oracle000066400000000000000000000031561440160026300234660ustar00rootroot00000000000000Categorizations of models: - Selected model 0: NC - Concrete RAC: FAILURE (assertion at "bench/check-ce/func_call4.mlw", line 11, characters 25-30) - Abstract RAC: FAILURE (assertion at "bench/check-ce/func_call4.mlw", line 11, characters 25-30) - Checked model 1: BAD_CE - Concrete RAC: STUCK (failure in postcondition of `g` at "bench/check-ce/func_call4.mlw", line 8, characters 12-21) - Abstract RAC: STUCK (failure in postcondition of `g` at "bench/check-ce/func_call4.mlw", line 8, characters 12-21) File "bench/check-ce/func_call4.mlw", line 11, characters 25-30: Sub-goal Assertion of goal f'vc. Prover result is: Unknown or time/memory/step limit. The program does not comply to the verification goal, for example during the following execution: File int.mlw: Line 13: Constant zero initialization zero = 0 Line 14: Constant one initialization one = 1 File func_call4.mlw: Line 4: Constant z initialization (giant-step) execution of unimplemented function with args: result = 0 Normal execution of function `ref` with args: contents = 0 Normal execution of function `ref'mk` with args: contents = 0 z = {contents= 0} Unknown location: _ = () File func_call4.mlw: Line 10: _ = () Execution of main function `f` with env: z = {contents= 0} _ = () zero = 0 one = 1 Line 11: Normal execution of function `Tuple0` with args: (giant-step) execution of unimplemented function `g` _ = () z = {contents= 2} result of `g` = () Property failure at assertion with: z = {contents= 2} why3-1.6.0/bench/check-ce/oracles/func_call4_Z3,4.8.10_WP.oracle000066400000000000000000000031561440160026300234720ustar00rootroot00000000000000Categorizations of models: - Selected model 0: NC - Concrete RAC: FAILURE (assertion at "bench/check-ce/func_call4.mlw", line 11, characters 25-30) - Abstract RAC: FAILURE (assertion at "bench/check-ce/func_call4.mlw", line 11, characters 25-30) - Checked model 1: BAD_CE - Concrete RAC: STUCK (failure in postcondition of `g` at "bench/check-ce/func_call4.mlw", line 8, characters 12-21) - Abstract RAC: STUCK (failure in postcondition of `g` at "bench/check-ce/func_call4.mlw", line 8, characters 12-21) File "bench/check-ce/func_call4.mlw", line 11, characters 25-30: Sub-goal Assertion of goal f'vc. Prover result is: Unknown or time/memory/step limit. The program does not comply to the verification goal, for example during the following execution: File int.mlw: Line 13: Constant zero initialization zero = 0 Line 14: Constant one initialization one = 1 File func_call4.mlw: Line 4: Constant z initialization (giant-step) execution of unimplemented function with args: result = 0 Normal execution of function `ref` with args: contents = 0 Normal execution of function `ref'mk` with args: contents = 0 z = {contents= 0} Unknown location: _ = () File func_call4.mlw: Line 10: _ = () Execution of main function `f` with env: z = {contents= 0} _ = () zero = 0 one = 1 Line 11: Normal execution of function `Tuple0` with args: (giant-step) execution of unimplemented function `g` _ = () z = {contents= 2} result of `g` = () Property failure at assertion with: z = {contents= 2} why3-1.6.0/bench/check-ce/oracles/func_call4_Z3,4.8.4_SP.oracle000066400000000000000000000332101440160026300234030ustar00rootroot00000000000000Check model 0 ("bench/check-ce/func_call4.mlw", line 11, characters 25-30) Checking model: File func_call4.mlw: Line 8: z = {"type": "Record", "val": {"Field": [{"field": "contents", "value": {"type": "Integer", "val": "0"}}]}} z = {"type": "Record", "val": {"Field": [{"field": "contents", "value": {"type": "Integer", "val": "2"}}]}} Line 11: z = {"type": "Record", "val": {"Field": [{"field": "contents", "value": {"type": "Integer", "val": "0"}}]}} z = {"type": "Record", "val": {"Field": [{"field": "contents", "value": {"type": "Integer", "val": "2"}}]}} Giant-step RAC RHS evaluated for global `zero` at "WHY3DATA/stdlib/int.mlw", line 13, characters 15-19: 0 RHS evaluated for global `one` at "WHY3DATA/stdlib/int.mlw", line 14, characters 15-18: 1 Type default value for return value of call at "bench/check-ce/func_call4.mlw", line 4, characters 9-14 at "bench/check-ce/func_call4.mlw", line 4, characters 9-14: 0 RHS evaluated for global `z` at "bench/check-ce/func_call4.mlw", line 4, characters 8-9: {contents= 0} Type default value for parameter `_` at NO LOC: () Value from model for variable `z` at "bench/check-ce/func_call4.mlw", line 11, characters 10-14 at "bench/check-ce/func_call4.mlw", line 11, characters 10-14: {contents= 2} Type default value for return value of call to g at "bench/check-ce/func_call4.mlw", line 11, characters 10-14 at "bench/check-ce/func_call4.mlw", line 11, characters 10-14: () Normal RAC RHS evaluated for global `zero` at "WHY3DATA/stdlib/int.mlw", line 13, characters 15-19: 0 RHS evaluated for global `one` at "WHY3DATA/stdlib/int.mlw", line 14, characters 15-18: 1 Type default value for return value of call at "bench/check-ce/func_call4.mlw", line 4, characters 9-14 at "bench/check-ce/func_call4.mlw", line 4, characters 9-14: 0 RHS evaluated for global `z` at "bench/check-ce/func_call4.mlw", line 4, characters 8-9: {contents= 0} Type default value for parameter `_` at NO LOC: () Value from model for variable `z` at "bench/check-ce/func_call4.mlw", line 11, characters 10-14 at "bench/check-ce/func_call4.mlw", line 11, characters 10-14: {contents= 2} Type default value for return value of call to g at "bench/check-ce/func_call4.mlw", line 11, characters 10-14 at "bench/check-ce/func_call4.mlw", line 11, characters 10-14: () Result of checking model 0: NC - Concrete RAC: FAILURE (assertion at "bench/check-ce/func_call4.mlw", line 11, characters 25-30) File int.mlw: Line 13: Constant zero initialization zero = 0 Line 14: Constant one initialization one = 1 File func_call4.mlw: Line 4: Constant z initialization (giant-step) execution of unimplemented function with args: result = 0 Normal execution of function `ref` with args: contents = 0 Normal execution of function `ref'mk` with args: contents = 0 z = {contents= 0} Unknown location: _ = () File func_call4.mlw: Line 10: _ = () Execution of main function `f` with env: z = {contents= 0} _ = () zero = 0 one = 1 Line 11: Normal execution of function `Tuple0` with args: (giant-step) execution of unimplemented function `g` _ = () z = {contents= 2} result of `g` = () Property failure at assertion with: z = {contents= 2} - Abstract RAC: FAILURE (assertion at "bench/check-ce/func_call4.mlw", line 11, characters 25-30) File int.mlw: Line 13: Constant zero initialization zero = 0 Line 14: Constant one initialization one = 1 File func_call4.mlw: Line 4: Constant z initialization (giant-step) execution of unimplemented function with args: result = 0 Normal execution of function `ref` with args: contents = 0 Normal execution of function `ref'mk` with args: contents = 0 z = {contents= 0} Unknown location: _ = () File func_call4.mlw: Line 10: _ = () Execution of main function `f` with env: z = {contents= 0} _ = () zero = 0 one = 1 Line 11: Normal execution of function `Tuple0` with args: Giant-step execution of function `g` with args: _ = () z = {contents= 2} result of `g` = () Property failure at assertion with: z = {contents= 2} Check model 1 ("bench/check-ce/func_call4.mlw", line 11, characters 25-30) Checking model: File func_call4.mlw: Line 8: z = {"type": "Record", "val": {"Field": [{"field": "contents", "value": {"type": "Integer", "val": "0"}}]}} z = {"type": "Record", "val": {"Field": [{"field": "contents", "value": {"type": "Integer", "val": "177"}}]}} Line 11: z = {"type": "Record", "val": {"Field": [{"field": "contents", "value": {"type": "Integer", "val": "0"}}]}} z = {"type": "Record", "val": {"Field": [{"field": "contents", "value": {"type": "Integer", "val": "177"}}]}} Giant-step RAC RHS evaluated for global `zero` at "WHY3DATA/stdlib/int.mlw", line 13, characters 15-19: 0 RHS evaluated for global `one` at "WHY3DATA/stdlib/int.mlw", line 14, characters 15-18: 1 Type default value for return value of call at "bench/check-ce/func_call4.mlw", line 4, characters 9-14 at "bench/check-ce/func_call4.mlw", line 4, characters 9-14: 0 RHS evaluated for global `z` at "bench/check-ce/func_call4.mlw", line 4, characters 8-9: {contents= 0} Type default value for parameter `_` at NO LOC: () Value from model for variable `z` at "bench/check-ce/func_call4.mlw", line 11, characters 10-14 at "bench/check-ce/func_call4.mlw", line 11, characters 10-14: {contents= 177} Type default value for return value of call to g at "bench/check-ce/func_call4.mlw", line 11, characters 10-14 at "bench/check-ce/func_call4.mlw", line 11, characters 10-14: () Normal RAC RHS evaluated for global `zero` at "WHY3DATA/stdlib/int.mlw", line 13, characters 15-19: 0 RHS evaluated for global `one` at "WHY3DATA/stdlib/int.mlw", line 14, characters 15-18: 1 Type default value for return value of call at "bench/check-ce/func_call4.mlw", line 4, characters 9-14 at "bench/check-ce/func_call4.mlw", line 4, characters 9-14: 0 RHS evaluated for global `z` at "bench/check-ce/func_call4.mlw", line 4, characters 8-9: {contents= 0} Type default value for parameter `_` at NO LOC: () Value from model for variable `z` at "bench/check-ce/func_call4.mlw", line 11, characters 10-14 at "bench/check-ce/func_call4.mlw", line 11, characters 10-14: {contents= 177} Type default value for return value of call to g at "bench/check-ce/func_call4.mlw", line 11, characters 10-14 at "bench/check-ce/func_call4.mlw", line 11, characters 10-14: () Result of checking model 1: NC - Concrete RAC: FAILURE (assertion at "bench/check-ce/func_call4.mlw", line 11, characters 25-30) File int.mlw: Line 13: Constant zero initialization zero = 0 Line 14: Constant one initialization one = 1 File func_call4.mlw: Line 4: Constant z initialization (giant-step) execution of unimplemented function with args: result = 0 Normal execution of function `ref` with args: contents = 0 Normal execution of function `ref'mk` with args: contents = 0 z = {contents= 0} Unknown location: _ = () File func_call4.mlw: Line 10: _ = () Execution of main function `f` with env: z = {contents= 0} _ = () zero = 0 one = 1 Line 11: Normal execution of function `Tuple0` with args: (giant-step) execution of unimplemented function `g` _ = () z = {contents= 177} result of `g` = () Property failure at assertion with: z = {contents= 177} - Abstract RAC: FAILURE (assertion at "bench/check-ce/func_call4.mlw", line 11, characters 25-30) File int.mlw: Line 13: Constant zero initialization zero = 0 Line 14: Constant one initialization one = 1 File func_call4.mlw: Line 4: Constant z initialization (giant-step) execution of unimplemented function with args: result = 0 Normal execution of function `ref` with args: contents = 0 Normal execution of function `ref'mk` with args: contents = 0 z = {contents= 0} Unknown location: _ = () File func_call4.mlw: Line 10: _ = () Execution of main function `f` with env: z = {contents= 0} _ = () zero = 0 one = 1 Line 11: Normal execution of function `Tuple0` with args: Giant-step execution of function `g` with args: _ = () z = {contents= 177} result of `g` = () Property failure at assertion with: z = {contents= 177} Results: - Selected model 0: NC - Concrete RAC: FAILURE (assertion at "bench/check-ce/func_call4.mlw", line 11, characters 25-30) - Abstract RAC: FAILURE (assertion at "bench/check-ce/func_call4.mlw", line 11, characters 25-30) - Checked model 1: NC - Concrete RAC: FAILURE (assertion at "bench/check-ce/func_call4.mlw", line 11, characters 25-30) - Abstract RAC: FAILURE (assertion at "bench/check-ce/func_call4.mlw", line 11, characters 25-30) File "bench/check-ce/func_call4.mlw", line 11, characters 25-30: Sub-goal Assertion of goal f'vc. Prover result is: Unknown (unknown) (1.27s, 7500000 steps). The program does not comply to the verification goal, for example during the following execution: File int.mlw: Line 13: Constant zero initialization zero = 0 Line 14: Constant one initialization one = 1 File func_call4.mlw: Line 4: Constant z initialization (giant-step) execution of unimplemented function with args: result = 0 Normal execution of function `ref` with args: contents = 0 Normal execution of function `ref'mk` with args: contents = 0 z = {contents= 0} Unknown location: _ = () File func_call4.mlw: Line 10: _ = () Execution of main function `f` with env: z = {contents= 0} _ = () zero = 0 one = 1 Line 11: Normal execution of function `Tuple0` with args: (giant-step) execution of unimplemented function `g` _ = () z = {contents= 2} result of `g` = () Property failure at assertion with: z = {contents= 2} why3-1.6.0/bench/check-ce/oracles/func_call4_Z3,4.8.4_WP.oracle000066400000000000000000000332101440160026300234070ustar00rootroot00000000000000Check model 0 ("bench/check-ce/func_call4.mlw", line 11, characters 25-30) Checking model: File func_call4.mlw: Line 8: z = {"type": "Record", "val": {"Field": [{"field": "contents", "value": {"type": "Integer", "val": "0"}}]}} z = {"type": "Record", "val": {"Field": [{"field": "contents", "value": {"type": "Integer", "val": "2"}}]}} Line 11: z = {"type": "Record", "val": {"Field": [{"field": "contents", "value": {"type": "Integer", "val": "0"}}]}} z = {"type": "Record", "val": {"Field": [{"field": "contents", "value": {"type": "Integer", "val": "2"}}]}} Giant-step RAC RHS evaluated for global `zero` at "WHY3DATA/stdlib/int.mlw", line 13, characters 15-19: 0 RHS evaluated for global `one` at "WHY3DATA/stdlib/int.mlw", line 14, characters 15-18: 1 Type default value for return value of call at "bench/check-ce/func_call4.mlw", line 4, characters 9-14 at "bench/check-ce/func_call4.mlw", line 4, characters 9-14: 0 RHS evaluated for global `z` at "bench/check-ce/func_call4.mlw", line 4, characters 8-9: {contents= 0} Type default value for parameter `_` at NO LOC: () Value from model for variable `z` at "bench/check-ce/func_call4.mlw", line 11, characters 10-14 at "bench/check-ce/func_call4.mlw", line 11, characters 10-14: {contents= 2} Type default value for return value of call to g at "bench/check-ce/func_call4.mlw", line 11, characters 10-14 at "bench/check-ce/func_call4.mlw", line 11, characters 10-14: () Normal RAC RHS evaluated for global `zero` at "WHY3DATA/stdlib/int.mlw", line 13, characters 15-19: 0 RHS evaluated for global `one` at "WHY3DATA/stdlib/int.mlw", line 14, characters 15-18: 1 Type default value for return value of call at "bench/check-ce/func_call4.mlw", line 4, characters 9-14 at "bench/check-ce/func_call4.mlw", line 4, characters 9-14: 0 RHS evaluated for global `z` at "bench/check-ce/func_call4.mlw", line 4, characters 8-9: {contents= 0} Type default value for parameter `_` at NO LOC: () Value from model for variable `z` at "bench/check-ce/func_call4.mlw", line 11, characters 10-14 at "bench/check-ce/func_call4.mlw", line 11, characters 10-14: {contents= 2} Type default value for return value of call to g at "bench/check-ce/func_call4.mlw", line 11, characters 10-14 at "bench/check-ce/func_call4.mlw", line 11, characters 10-14: () Result of checking model 0: NC - Concrete RAC: FAILURE (assertion at "bench/check-ce/func_call4.mlw", line 11, characters 25-30) File int.mlw: Line 13: Constant zero initialization zero = 0 Line 14: Constant one initialization one = 1 File func_call4.mlw: Line 4: Constant z initialization (giant-step) execution of unimplemented function with args: result = 0 Normal execution of function `ref` with args: contents = 0 Normal execution of function `ref'mk` with args: contents = 0 z = {contents= 0} Unknown location: _ = () File func_call4.mlw: Line 10: _ = () Execution of main function `f` with env: z = {contents= 0} _ = () zero = 0 one = 1 Line 11: Normal execution of function `Tuple0` with args: (giant-step) execution of unimplemented function `g` _ = () z = {contents= 2} result of `g` = () Property failure at assertion with: z = {contents= 2} - Abstract RAC: FAILURE (assertion at "bench/check-ce/func_call4.mlw", line 11, characters 25-30) File int.mlw: Line 13: Constant zero initialization zero = 0 Line 14: Constant one initialization one = 1 File func_call4.mlw: Line 4: Constant z initialization (giant-step) execution of unimplemented function with args: result = 0 Normal execution of function `ref` with args: contents = 0 Normal execution of function `ref'mk` with args: contents = 0 z = {contents= 0} Unknown location: _ = () File func_call4.mlw: Line 10: _ = () Execution of main function `f` with env: z = {contents= 0} _ = () zero = 0 one = 1 Line 11: Normal execution of function `Tuple0` with args: Giant-step execution of function `g` with args: _ = () z = {contents= 2} result of `g` = () Property failure at assertion with: z = {contents= 2} Check model 1 ("bench/check-ce/func_call4.mlw", line 11, characters 25-30) Checking model: File func_call4.mlw: Line 8: z = {"type": "Record", "val": {"Field": [{"field": "contents", "value": {"type": "Integer", "val": "0"}}]}} z = {"type": "Record", "val": {"Field": [{"field": "contents", "value": {"type": "Integer", "val": "177"}}]}} Line 11: z = {"type": "Record", "val": {"Field": [{"field": "contents", "value": {"type": "Integer", "val": "0"}}]}} z = {"type": "Record", "val": {"Field": [{"field": "contents", "value": {"type": "Integer", "val": "177"}}]}} Giant-step RAC RHS evaluated for global `zero` at "WHY3DATA/stdlib/int.mlw", line 13, characters 15-19: 0 RHS evaluated for global `one` at "WHY3DATA/stdlib/int.mlw", line 14, characters 15-18: 1 Type default value for return value of call at "bench/check-ce/func_call4.mlw", line 4, characters 9-14 at "bench/check-ce/func_call4.mlw", line 4, characters 9-14: 0 RHS evaluated for global `z` at "bench/check-ce/func_call4.mlw", line 4, characters 8-9: {contents= 0} Type default value for parameter `_` at NO LOC: () Value from model for variable `z` at "bench/check-ce/func_call4.mlw", line 11, characters 10-14 at "bench/check-ce/func_call4.mlw", line 11, characters 10-14: {contents= 177} Type default value for return value of call to g at "bench/check-ce/func_call4.mlw", line 11, characters 10-14 at "bench/check-ce/func_call4.mlw", line 11, characters 10-14: () Normal RAC RHS evaluated for global `zero` at "WHY3DATA/stdlib/int.mlw", line 13, characters 15-19: 0 RHS evaluated for global `one` at "WHY3DATA/stdlib/int.mlw", line 14, characters 15-18: 1 Type default value for return value of call at "bench/check-ce/func_call4.mlw", line 4, characters 9-14 at "bench/check-ce/func_call4.mlw", line 4, characters 9-14: 0 RHS evaluated for global `z` at "bench/check-ce/func_call4.mlw", line 4, characters 8-9: {contents= 0} Type default value for parameter `_` at NO LOC: () Value from model for variable `z` at "bench/check-ce/func_call4.mlw", line 11, characters 10-14 at "bench/check-ce/func_call4.mlw", line 11, characters 10-14: {contents= 177} Type default value for return value of call to g at "bench/check-ce/func_call4.mlw", line 11, characters 10-14 at "bench/check-ce/func_call4.mlw", line 11, characters 10-14: () Result of checking model 1: NC - Concrete RAC: FAILURE (assertion at "bench/check-ce/func_call4.mlw", line 11, characters 25-30) File int.mlw: Line 13: Constant zero initialization zero = 0 Line 14: Constant one initialization one = 1 File func_call4.mlw: Line 4: Constant z initialization (giant-step) execution of unimplemented function with args: result = 0 Normal execution of function `ref` with args: contents = 0 Normal execution of function `ref'mk` with args: contents = 0 z = {contents= 0} Unknown location: _ = () File func_call4.mlw: Line 10: _ = () Execution of main function `f` with env: z = {contents= 0} _ = () zero = 0 one = 1 Line 11: Normal execution of function `Tuple0` with args: (giant-step) execution of unimplemented function `g` _ = () z = {contents= 177} result of `g` = () Property failure at assertion with: z = {contents= 177} - Abstract RAC: FAILURE (assertion at "bench/check-ce/func_call4.mlw", line 11, characters 25-30) File int.mlw: Line 13: Constant zero initialization zero = 0 Line 14: Constant one initialization one = 1 File func_call4.mlw: Line 4: Constant z initialization (giant-step) execution of unimplemented function with args: result = 0 Normal execution of function `ref` with args: contents = 0 Normal execution of function `ref'mk` with args: contents = 0 z = {contents= 0} Unknown location: _ = () File func_call4.mlw: Line 10: _ = () Execution of main function `f` with env: z = {contents= 0} _ = () zero = 0 one = 1 Line 11: Normal execution of function `Tuple0` with args: Giant-step execution of function `g` with args: _ = () z = {contents= 177} result of `g` = () Property failure at assertion with: z = {contents= 177} Results: - Selected model 0: NC - Concrete RAC: FAILURE (assertion at "bench/check-ce/func_call4.mlw", line 11, characters 25-30) - Abstract RAC: FAILURE (assertion at "bench/check-ce/func_call4.mlw", line 11, characters 25-30) - Checked model 1: NC - Concrete RAC: FAILURE (assertion at "bench/check-ce/func_call4.mlw", line 11, characters 25-30) - Abstract RAC: FAILURE (assertion at "bench/check-ce/func_call4.mlw", line 11, characters 25-30) File "bench/check-ce/func_call4.mlw", line 11, characters 25-30: Sub-goal Assertion of goal f'vc. Prover result is: Unknown (unknown) (1.34s, 7500000 steps). The program does not comply to the verification goal, for example during the following execution: File int.mlw: Line 13: Constant zero initialization zero = 0 Line 14: Constant one initialization one = 1 File func_call4.mlw: Line 4: Constant z initialization (giant-step) execution of unimplemented function with args: result = 0 Normal execution of function `ref` with args: contents = 0 Normal execution of function `ref'mk` with args: contents = 0 z = {contents= 0} Unknown location: _ = () File func_call4.mlw: Line 10: _ = () Execution of main function `f` with env: z = {contents= 0} _ = () zero = 0 one = 1 Line 11: Normal execution of function `Tuple0` with args: (giant-step) execution of unimplemented function `g` _ = () z = {contents= 2} result of `g` = () Property failure at assertion with: z = {contents= 2} why3-1.6.0/bench/check-ce/oracles/func_call4_mono_CVC4,1.8_SP.oracle000066400000000000000000000024751440160026300245020ustar00rootroot00000000000000Categorizations of models: - Selected model 0: NC - Concrete RAC: FAILURE (assertion at "bench/check-ce/func_call4_mono.mlw", line 13, characters 27-34) - Abstract RAC: FAILURE (assertion at "bench/check-ce/func_call4_mono.mlw", line 13, characters 27-34) - Checked model 1: NC - Concrete RAC: FAILURE (assertion at "bench/check-ce/func_call4_mono.mlw", line 13, characters 27-34) - Abstract RAC: FAILURE (assertion at "bench/check-ce/func_call4_mono.mlw", line 13, characters 27-34) File "bench/check-ce/func_call4_mono.mlw", line 13, characters 27-34: Sub-goal Assertion of goal f'vc. Prover result is: Unknown (sat). The program does not comply to the verification goal, for example during the following execution: File int.mlw: Line 13: Constant zero initialization zero = 0 Line 14: Constant one initialization one = 1 File func_call4_mono.mlw: Line 6: z = {c= 0} Unknown location: _ = () File func_call4_mono.mlw: Line 12: _ = () Execution of main function `f` with env: z = {c= 0} _ = () zero = 0 one = 1 Line 13: Normal execution of function `Tuple0` with args: (giant-step) execution of unimplemented function `g` _ = () z = {c= 2} result of `g` = () Property failure at assertion with: z = {c= 2} why3-1.6.0/bench/check-ce/oracles/func_call4_mono_CVC4,1.8_WP.oracle000066400000000000000000000024751440160026300245060ustar00rootroot00000000000000Categorizations of models: - Selected model 0: NC - Concrete RAC: FAILURE (assertion at "bench/check-ce/func_call4_mono.mlw", line 13, characters 27-34) - Abstract RAC: FAILURE (assertion at "bench/check-ce/func_call4_mono.mlw", line 13, characters 27-34) - Checked model 1: NC - Concrete RAC: FAILURE (assertion at "bench/check-ce/func_call4_mono.mlw", line 13, characters 27-34) - Abstract RAC: FAILURE (assertion at "bench/check-ce/func_call4_mono.mlw", line 13, characters 27-34) File "bench/check-ce/func_call4_mono.mlw", line 13, characters 27-34: Sub-goal Assertion of goal f'vc. Prover result is: Unknown (sat). The program does not comply to the verification goal, for example during the following execution: File int.mlw: Line 13: Constant zero initialization zero = 0 Line 14: Constant one initialization one = 1 File func_call4_mono.mlw: Line 6: z = {c= 0} Unknown location: _ = () File func_call4_mono.mlw: Line 12: _ = () Execution of main function `f` with env: z = {c= 0} _ = () zero = 0 one = 1 Line 13: Normal execution of function `Tuple0` with args: (giant-step) execution of unimplemented function `g` _ = () z = {c= 2} result of `g` = () Property failure at assertion with: z = {c= 2} why3-1.6.0/bench/check-ce/oracles/func_call4_mono_CVC5,1.0.0_SP.oracle000066400000000000000000000024751440160026300246310ustar00rootroot00000000000000Categorizations of models: - Selected model 0: NC - Concrete RAC: FAILURE (assertion at "bench/check-ce/func_call4_mono.mlw", line 13, characters 27-34) - Abstract RAC: FAILURE (assertion at "bench/check-ce/func_call4_mono.mlw", line 13, characters 27-34) - Checked model 1: NC - Concrete RAC: FAILURE (assertion at "bench/check-ce/func_call4_mono.mlw", line 13, characters 27-34) - Abstract RAC: FAILURE (assertion at "bench/check-ce/func_call4_mono.mlw", line 13, characters 27-34) File "bench/check-ce/func_call4_mono.mlw", line 13, characters 27-34: Sub-goal Assertion of goal f'vc. Prover result is: Unknown (sat). The program does not comply to the verification goal, for example during the following execution: File int.mlw: Line 13: Constant zero initialization zero = 0 Line 14: Constant one initialization one = 1 File func_call4_mono.mlw: Line 6: z = {c= 0} Unknown location: _ = () File func_call4_mono.mlw: Line 12: _ = () Execution of main function `f` with env: z = {c= 0} _ = () zero = 0 one = 1 Line 13: Normal execution of function `Tuple0` with args: (giant-step) execution of unimplemented function `g` _ = () z = {c= 2} result of `g` = () Property failure at assertion with: z = {c= 2} why3-1.6.0/bench/check-ce/oracles/func_call4_mono_CVC5,1.0.0_WP.oracle000066400000000000000000000024751440160026300246350ustar00rootroot00000000000000Categorizations of models: - Selected model 0: NC - Concrete RAC: FAILURE (assertion at "bench/check-ce/func_call4_mono.mlw", line 13, characters 27-34) - Abstract RAC: FAILURE (assertion at "bench/check-ce/func_call4_mono.mlw", line 13, characters 27-34) - Checked model 1: NC - Concrete RAC: FAILURE (assertion at "bench/check-ce/func_call4_mono.mlw", line 13, characters 27-34) - Abstract RAC: FAILURE (assertion at "bench/check-ce/func_call4_mono.mlw", line 13, characters 27-34) File "bench/check-ce/func_call4_mono.mlw", line 13, characters 27-34: Sub-goal Assertion of goal f'vc. Prover result is: Unknown (sat). The program does not comply to the verification goal, for example during the following execution: File int.mlw: Line 13: Constant zero initialization zero = 0 Line 14: Constant one initialization one = 1 File func_call4_mono.mlw: Line 6: z = {c= 0} Unknown location: _ = () File func_call4_mono.mlw: Line 12: _ = () Execution of main function `f` with env: z = {c= 0} _ = () zero = 0 one = 1 Line 13: Normal execution of function `Tuple0` with args: (giant-step) execution of unimplemented function `g` _ = () z = {c= 2} result of `g` = () Property failure at assertion with: z = {c= 2} why3-1.6.0/bench/check-ce/oracles/func_call4_mono_Z3,4.8.10_SP.oracle000066400000000000000000000024751440160026300245210ustar00rootroot00000000000000Categorizations of models: - Selected model 0: NC - Concrete RAC: FAILURE (assertion at "bench/check-ce/func_call4_mono.mlw", line 13, characters 27-34) - Abstract RAC: FAILURE (assertion at "bench/check-ce/func_call4_mono.mlw", line 13, characters 27-34) - Checked model 1: NC - Concrete RAC: FAILURE (assertion at "bench/check-ce/func_call4_mono.mlw", line 13, characters 27-34) - Abstract RAC: FAILURE (assertion at "bench/check-ce/func_call4_mono.mlw", line 13, characters 27-34) File "bench/check-ce/func_call4_mono.mlw", line 13, characters 27-34: Sub-goal Assertion of goal f'vc. Prover result is: Unknown (sat). The program does not comply to the verification goal, for example during the following execution: File int.mlw: Line 13: Constant zero initialization zero = 0 Line 14: Constant one initialization one = 1 File func_call4_mono.mlw: Line 6: z = {c= 0} Unknown location: _ = () File func_call4_mono.mlw: Line 12: _ = () Execution of main function `f` with env: z = {c= 0} _ = () zero = 0 one = 1 Line 13: Normal execution of function `Tuple0` with args: (giant-step) execution of unimplemented function `g` _ = () z = {c= 2} result of `g` = () Property failure at assertion with: z = {c= 2} why3-1.6.0/bench/check-ce/oracles/func_call4_mono_Z3,4.8.10_WP.oracle000066400000000000000000000024751440160026300245250ustar00rootroot00000000000000Categorizations of models: - Selected model 0: NC - Concrete RAC: FAILURE (assertion at "bench/check-ce/func_call4_mono.mlw", line 13, characters 27-34) - Abstract RAC: FAILURE (assertion at "bench/check-ce/func_call4_mono.mlw", line 13, characters 27-34) - Checked model 1: NC - Concrete RAC: FAILURE (assertion at "bench/check-ce/func_call4_mono.mlw", line 13, characters 27-34) - Abstract RAC: FAILURE (assertion at "bench/check-ce/func_call4_mono.mlw", line 13, characters 27-34) File "bench/check-ce/func_call4_mono.mlw", line 13, characters 27-34: Sub-goal Assertion of goal f'vc. Prover result is: Unknown (sat). The program does not comply to the verification goal, for example during the following execution: File int.mlw: Line 13: Constant zero initialization zero = 0 Line 14: Constant one initialization one = 1 File func_call4_mono.mlw: Line 6: z = {c= 0} Unknown location: _ = () File func_call4_mono.mlw: Line 12: _ = () Execution of main function `f` with env: z = {c= 0} _ = () zero = 0 one = 1 Line 13: Normal execution of function `Tuple0` with args: (giant-step) execution of unimplemented function `g` _ = () z = {c= 2} result of `g` = () Property failure at assertion with: z = {c= 2} why3-1.6.0/bench/check-ce/oracles/func_call5_CVC4,1.8_SP.oracle000066400000000000000000000051271440160026300234500ustar00rootroot00000000000000File "bench/check-ce/func_call5.mlw", line 8, characters 12-24: Sub-goal Postcondition of goal g1'vc. Prover result is: Valid. File "bench/check-ce/func_call5.mlw", line 14, characters 10-14: Sub-goal Precondition of goal f1'vc. Prover result is: Valid. Categorizations of models: - Checked model 0: INCOMPLETE - Concrete RAC: NORMAL - Abstract RAC: INCOMPLETE (terminated because missing value for return value of call to g1 at "bench/check-ce/func_call5.mlw", line 14, characters 10-14) - Selected model 1: INCOMPLETE - Concrete RAC: NORMAL - Abstract RAC: INCOMPLETE (terminated because missing value for return value of call to g1 at "bench/check-ce/func_call5.mlw", line 14, characters 10-14) File "bench/check-ce/func_call5.mlw", line 15, characters 11-17: Sub-goal Assertion of goal f1'vc. Prover result is: Unknown or time/memory/step limit. The following counterexample model could not be verified (abstract RAC terminated because missing value for return value of call to g1 at "bench/check-ce/func_call5.mlw", line 14, characters 10-14): File func_call5.mlw: Line 8: x : int = 1 z : int = 2 Line 11: x : int = 1 Line 14: z : int = 2 Line 15: x : int = 1 z : int = 2 Categorizations of models: - Selected model 0: NC - Concrete RAC: FAILURE (assertion at "bench/check-ce/func_call5.mlw", line 21, characters 11-17) - Abstract RAC: FAILURE (assertion at "bench/check-ce/func_call5.mlw", line 21, characters 11-17) - Checked model 1: NC - Concrete RAC: FAILURE (assertion at "bench/check-ce/func_call5.mlw", line 21, characters 11-17) - Abstract RAC: FAILURE (assertion at "bench/check-ce/func_call5.mlw", line 21, characters 11-17) File "bench/check-ce/func_call5.mlw", line 21, characters 11-17: Sub-goal Assertion of goal f2'vc. Prover result is: Unknown or time/memory/step limit. The program does not comply to the verification goal, for example during the following execution: File int.mlw: Line 13: Constant zero initialization zero = 0 Line 14: Constant one initialization one = 1 File func_call5.mlw: Line 19: x = 0 x = 0 Execution of main function `f2` with env: x = 0 zero = 0 one = 1 Line 20: Normal execution of function `g2` with args: y = 0 Line 17: Normal execution of function `(+)` with args: _ = 0 _ = 1 Normal execution of function `ref` with args: contents = 1 Normal execution of function `ref'mk` with args: contents = 1 Line 21: Property failure at assertion with: x = 0 z = {contents= 1} why3-1.6.0/bench/check-ce/oracles/func_call5_CVC4,1.8_WP.oracle000066400000000000000000000051271440160026300234540ustar00rootroot00000000000000File "bench/check-ce/func_call5.mlw", line 8, characters 12-24: Sub-goal Postcondition of goal g1'vc. Prover result is: Valid. File "bench/check-ce/func_call5.mlw", line 14, characters 10-14: Sub-goal Precondition of goal f1'vc. Prover result is: Valid. Categorizations of models: - Checked model 0: INCOMPLETE - Concrete RAC: NORMAL - Abstract RAC: INCOMPLETE (terminated because missing value for return value of call to g1 at "bench/check-ce/func_call5.mlw", line 14, characters 10-14) - Selected model 1: INCOMPLETE - Concrete RAC: NORMAL - Abstract RAC: INCOMPLETE (terminated because missing value for return value of call to g1 at "bench/check-ce/func_call5.mlw", line 14, characters 10-14) File "bench/check-ce/func_call5.mlw", line 15, characters 11-17: Sub-goal Assertion of goal f1'vc. Prover result is: Unknown or time/memory/step limit. The following counterexample model could not be verified (abstract RAC terminated because missing value for return value of call to g1 at "bench/check-ce/func_call5.mlw", line 14, characters 10-14): File func_call5.mlw: Line 8: x : int = 1 z : int = 2 Line 11: x : int = 1 Line 14: z : int = 2 Line 15: x : int = 1 z : int = 2 Categorizations of models: - Selected model 0: NC - Concrete RAC: FAILURE (assertion at "bench/check-ce/func_call5.mlw", line 21, characters 11-17) - Abstract RAC: FAILURE (assertion at "bench/check-ce/func_call5.mlw", line 21, characters 11-17) - Checked model 1: NC - Concrete RAC: FAILURE (assertion at "bench/check-ce/func_call5.mlw", line 21, characters 11-17) - Abstract RAC: FAILURE (assertion at "bench/check-ce/func_call5.mlw", line 21, characters 11-17) File "bench/check-ce/func_call5.mlw", line 21, characters 11-17: Sub-goal Assertion of goal f2'vc. Prover result is: Unknown or time/memory/step limit. The program does not comply to the verification goal, for example during the following execution: File int.mlw: Line 13: Constant zero initialization zero = 0 Line 14: Constant one initialization one = 1 File func_call5.mlw: Line 19: x = 0 x = 0 Execution of main function `f2` with env: x = 0 zero = 0 one = 1 Line 20: Normal execution of function `g2` with args: y = 0 Line 17: Normal execution of function `(+)` with args: _ = 0 _ = 1 Normal execution of function `ref` with args: contents = 1 Normal execution of function `ref'mk` with args: contents = 1 Line 21: Property failure at assertion with: x = 0 z = {contents= 1} why3-1.6.0/bench/check-ce/oracles/func_call5_CVC5,1.0.0_SP.oracle000066400000000000000000000051271440160026300235770ustar00rootroot00000000000000File "bench/check-ce/func_call5.mlw", line 8, characters 12-24: Sub-goal Postcondition of goal g1'vc. Prover result is: Valid. File "bench/check-ce/func_call5.mlw", line 14, characters 10-14: Sub-goal Precondition of goal f1'vc. Prover result is: Valid. Categorizations of models: - Checked model 0: INCOMPLETE - Concrete RAC: NORMAL - Abstract RAC: INCOMPLETE (terminated because missing value for return value of call to g1 at "bench/check-ce/func_call5.mlw", line 14, characters 10-14) - Selected model 1: INCOMPLETE - Concrete RAC: NORMAL - Abstract RAC: INCOMPLETE (terminated because missing value for return value of call to g1 at "bench/check-ce/func_call5.mlw", line 14, characters 10-14) File "bench/check-ce/func_call5.mlw", line 15, characters 11-17: Sub-goal Assertion of goal f1'vc. Prover result is: Unknown or time/memory/step limit. The following counterexample model could not be verified (abstract RAC terminated because missing value for return value of call to g1 at "bench/check-ce/func_call5.mlw", line 14, characters 10-14): File func_call5.mlw: Line 8: x : int = 1 z : int = 2 Line 11: x : int = 1 Line 14: z : int = 2 Line 15: x : int = 1 z : int = 2 Categorizations of models: - Selected model 0: NC - Concrete RAC: FAILURE (assertion at "bench/check-ce/func_call5.mlw", line 21, characters 11-17) - Abstract RAC: FAILURE (assertion at "bench/check-ce/func_call5.mlw", line 21, characters 11-17) - Checked model 1: NC - Concrete RAC: FAILURE (assertion at "bench/check-ce/func_call5.mlw", line 21, characters 11-17) - Abstract RAC: FAILURE (assertion at "bench/check-ce/func_call5.mlw", line 21, characters 11-17) File "bench/check-ce/func_call5.mlw", line 21, characters 11-17: Sub-goal Assertion of goal f2'vc. Prover result is: Unknown or time/memory/step limit. The program does not comply to the verification goal, for example during the following execution: File int.mlw: Line 13: Constant zero initialization zero = 0 Line 14: Constant one initialization one = 1 File func_call5.mlw: Line 19: x = 0 x = 0 Execution of main function `f2` with env: x = 0 zero = 0 one = 1 Line 20: Normal execution of function `g2` with args: y = 0 Line 17: Normal execution of function `(+)` with args: _ = 0 _ = 1 Normal execution of function `ref` with args: contents = 1 Normal execution of function `ref'mk` with args: contents = 1 Line 21: Property failure at assertion with: x = 0 z = {contents= 1} why3-1.6.0/bench/check-ce/oracles/func_call5_CVC5,1.0.0_WP.oracle000066400000000000000000000051271440160026300236030ustar00rootroot00000000000000File "bench/check-ce/func_call5.mlw", line 8, characters 12-24: Sub-goal Postcondition of goal g1'vc. Prover result is: Valid. File "bench/check-ce/func_call5.mlw", line 14, characters 10-14: Sub-goal Precondition of goal f1'vc. Prover result is: Valid. Categorizations of models: - Checked model 0: INCOMPLETE - Concrete RAC: NORMAL - Abstract RAC: INCOMPLETE (terminated because missing value for return value of call to g1 at "bench/check-ce/func_call5.mlw", line 14, characters 10-14) - Selected model 1: INCOMPLETE - Concrete RAC: NORMAL - Abstract RAC: INCOMPLETE (terminated because missing value for return value of call to g1 at "bench/check-ce/func_call5.mlw", line 14, characters 10-14) File "bench/check-ce/func_call5.mlw", line 15, characters 11-17: Sub-goal Assertion of goal f1'vc. Prover result is: Unknown or time/memory/step limit. The following counterexample model could not be verified (abstract RAC terminated because missing value for return value of call to g1 at "bench/check-ce/func_call5.mlw", line 14, characters 10-14): File func_call5.mlw: Line 8: x : int = 1 z : int = 2 Line 11: x : int = 1 Line 14: z : int = 2 Line 15: x : int = 1 z : int = 2 Categorizations of models: - Selected model 0: NC - Concrete RAC: FAILURE (assertion at "bench/check-ce/func_call5.mlw", line 21, characters 11-17) - Abstract RAC: FAILURE (assertion at "bench/check-ce/func_call5.mlw", line 21, characters 11-17) - Checked model 1: NC - Concrete RAC: FAILURE (assertion at "bench/check-ce/func_call5.mlw", line 21, characters 11-17) - Abstract RAC: FAILURE (assertion at "bench/check-ce/func_call5.mlw", line 21, characters 11-17) File "bench/check-ce/func_call5.mlw", line 21, characters 11-17: Sub-goal Assertion of goal f2'vc. Prover result is: Unknown or time/memory/step limit. The program does not comply to the verification goal, for example during the following execution: File int.mlw: Line 13: Constant zero initialization zero = 0 Line 14: Constant one initialization one = 1 File func_call5.mlw: Line 19: x = 0 x = 0 Execution of main function `f2` with env: x = 0 zero = 0 one = 1 Line 20: Normal execution of function `g2` with args: y = 0 Line 17: Normal execution of function `(+)` with args: _ = 0 _ = 1 Normal execution of function `ref` with args: contents = 1 Normal execution of function `ref'mk` with args: contents = 1 Line 21: Property failure at assertion with: x = 0 z = {contents= 1} why3-1.6.0/bench/check-ce/oracles/func_call5_Z3,4.8.10_SP.oracle000066400000000000000000000052111440160026300234610ustar00rootroot00000000000000File "bench/check-ce/func_call5.mlw", line 8, characters 12-24: Sub-goal Postcondition of goal g1'vc. Prover result is: Valid. File "bench/check-ce/func_call5.mlw", line 14, characters 10-14: Sub-goal Precondition of goal f1'vc. Prover result is: Valid. Categorizations of models: - Selected model 0: INCOMPLETE - Concrete RAC: NORMAL - Abstract RAC: INCOMPLETE (terminated because missing value for return value of call to g1 at "bench/check-ce/func_call5.mlw", line 14, characters 10-14) - Checked model 1: BAD_CE - Concrete RAC: STUCK (failure in precondition of `f1` at "bench/check-ce/func_call5.mlw", line 11, characters 4-6) - Abstract RAC: STUCK (failure in precondition of `f1` at "bench/check-ce/func_call5.mlw", line 11, characters 4-6) File "bench/check-ce/func_call5.mlw", line 15, characters 11-17: Sub-goal Assertion of goal f1'vc. Prover result is: Unknown or time/memory/step limit. The following counterexample model could not be verified (abstract RAC terminated because missing value for return value of call to g1 at "bench/check-ce/func_call5.mlw", line 14, characters 10-14): File func_call5.mlw: Line 8: x : int = 1 z : int = 2 Line 11: x : int = 1 Line 14: z : int = 2 Line 15: x : int = 1 z : int = 2 Categorizations of models: - Selected model 0: NC - Concrete RAC: FAILURE (assertion at "bench/check-ce/func_call5.mlw", line 21, characters 11-17) - Abstract RAC: FAILURE (assertion at "bench/check-ce/func_call5.mlw", line 21, characters 11-17) - Checked model 1: NC - Concrete RAC: FAILURE (assertion at "bench/check-ce/func_call5.mlw", line 21, characters 11-17) - Abstract RAC: FAILURE (assertion at "bench/check-ce/func_call5.mlw", line 21, characters 11-17) File "bench/check-ce/func_call5.mlw", line 21, characters 11-17: Sub-goal Assertion of goal f2'vc. Prover result is: Unknown or time/memory/step limit. The program does not comply to the verification goal, for example during the following execution: File int.mlw: Line 13: Constant zero initialization zero = 0 Line 14: Constant one initialization one = 1 File func_call5.mlw: Line 19: x = 0 x = 0 Execution of main function `f2` with env: x = 0 zero = 0 one = 1 Line 20: Normal execution of function `g2` with args: y = 0 Line 17: Normal execution of function `(+)` with args: _ = 0 _ = 1 Normal execution of function `ref` with args: contents = 1 Normal execution of function `ref'mk` with args: contents = 1 Line 21: Property failure at assertion with: x = 0 z = {contents= 1} why3-1.6.0/bench/check-ce/oracles/func_call5_Z3,4.8.10_WP.oracle000066400000000000000000000052111440160026300234650ustar00rootroot00000000000000File "bench/check-ce/func_call5.mlw", line 8, characters 12-24: Sub-goal Postcondition of goal g1'vc. Prover result is: Valid. File "bench/check-ce/func_call5.mlw", line 14, characters 10-14: Sub-goal Precondition of goal f1'vc. Prover result is: Valid. Categorizations of models: - Selected model 0: INCOMPLETE - Concrete RAC: NORMAL - Abstract RAC: INCOMPLETE (terminated because missing value for return value of call to g1 at "bench/check-ce/func_call5.mlw", line 14, characters 10-14) - Checked model 1: BAD_CE - Concrete RAC: STUCK (failure in precondition of `f1` at "bench/check-ce/func_call5.mlw", line 11, characters 4-6) - Abstract RAC: STUCK (failure in precondition of `f1` at "bench/check-ce/func_call5.mlw", line 11, characters 4-6) File "bench/check-ce/func_call5.mlw", line 15, characters 11-17: Sub-goal Assertion of goal f1'vc. Prover result is: Unknown or time/memory/step limit. The following counterexample model could not be verified (abstract RAC terminated because missing value for return value of call to g1 at "bench/check-ce/func_call5.mlw", line 14, characters 10-14): File func_call5.mlw: Line 8: x : int = 1 z : int = 2 Line 11: x : int = 1 Line 14: z : int = 2 Line 15: x : int = 1 z : int = 2 Categorizations of models: - Selected model 0: NC - Concrete RAC: FAILURE (assertion at "bench/check-ce/func_call5.mlw", line 21, characters 11-17) - Abstract RAC: FAILURE (assertion at "bench/check-ce/func_call5.mlw", line 21, characters 11-17) - Checked model 1: NC - Concrete RAC: FAILURE (assertion at "bench/check-ce/func_call5.mlw", line 21, characters 11-17) - Abstract RAC: FAILURE (assertion at "bench/check-ce/func_call5.mlw", line 21, characters 11-17) File "bench/check-ce/func_call5.mlw", line 21, characters 11-17: Sub-goal Assertion of goal f2'vc. Prover result is: Unknown or time/memory/step limit. The program does not comply to the verification goal, for example during the following execution: File int.mlw: Line 13: Constant zero initialization zero = 0 Line 14: Constant one initialization one = 1 File func_call5.mlw: Line 19: x = 0 x = 0 Execution of main function `f2` with env: x = 0 zero = 0 one = 1 Line 20: Normal execution of function `g2` with args: y = 0 Line 17: Normal execution of function `(+)` with args: _ = 0 _ = 1 Normal execution of function `ref` with args: contents = 1 Normal execution of function `ref'mk` with args: contents = 1 Line 21: Property failure at assertion with: x = 0 z = {contents= 1} why3-1.6.0/bench/check-ce/oracles/func_call5_Z3,4.8.4_SP.oracle000066400000000000000000000362531440160026300234160ustar00rootroot00000000000000File "bench/check-ce/func_call5.mlw", line 8, characters 12-24: Sub-goal Postcondition of goal g1'vc. Prover result is: Valid (0.02s, 56 steps). File "bench/check-ce/func_call5.mlw", line 14, characters 10-14: Sub-goal Precondition of goal f1'vc. Prover result is: Valid (0.01s, 86 steps). Check model 0 ("bench/check-ce/func_call5.mlw", line 15, characters 11-17) Checking model: File func_call5.mlw: Line 8: x = {"type": "Integer", "val": "1"} z = {"type": "Record", "val": {"Field": [{"field": "contents", "value": {"type": "Integer", "val": "2"}}]}} Line 11: x = {"type": "Integer", "val": "1"} Line 14: z = {"type": "Record", "val": {"Field": [{"field": "contents", "value": {"type": "Integer", "val": "2"}}]}} Line 15: x = {"type": "Integer", "val": "1"} z = {"type": "Record", "val": {"Field": [{"field": "contents", "value": {"type": "Integer", "val": "2"}}]}} Giant-step RAC RHS evaluated for global `zero` at "WHY3DATA/stdlib/int.mlw", line 13, characters 15-19: 0 RHS evaluated for global `one` at "WHY3DATA/stdlib/int.mlw", line 14, characters 15-18: 1 Value from model for parameter `x` at "bench/check-ce/func_call5.mlw", line 11, characters 8-9: 1 No value for return value of call to g1 at "bench/check-ce/func_call5.mlw", line 14, characters 10-14 at "bench/check-ce/func_call5.mlw", line 14, characters 10-14 Normal RAC RHS evaluated for global `zero` at "WHY3DATA/stdlib/int.mlw", line 13, characters 15-19: 0 RHS evaluated for global `one` at "WHY3DATA/stdlib/int.mlw", line 14, characters 15-18: 1 Value from model for parameter `x` at "bench/check-ce/func_call5.mlw", line 11, characters 8-9: 1 Result of checking model 0: INCOMPLETE - Concrete RAC: NORMAL File int.mlw: Line 13: Constant zero initialization zero = 0 Line 14: Constant one initialization one = 1 File func_call5.mlw: Line 11: x = 1 x = 1 Execution of main function `f1` with env: x = 1 zero = 0 one = 1 Line 14: Normal execution of function `g1` with args: y = 1 Line 9: Normal execution of function `ref` with args: contents = 1 Normal execution of function `ref'mk` with args: contents = 1 Line 11: Execution of main function terminated normally - Abstract RAC: INCOMPLETE (terminated because missing value for return value of call to g1 at "bench/check-ce/func_call5.mlw", line 14, characters 10-14) Check model 1 ("bench/check-ce/func_call5.mlw", line 15, characters 11-17) Checking model: File func_call5.mlw: Line 8: x = {"type": "Integer", "val": "176"} z = {"type": "Record", "val": {"Field": [{"field": "contents", "value": {"type": "Integer", "val": "177"}}]}} Line 11: x = {"type": "Integer", "val": "176"} Line 14: z = {"type": "Record", "val": {"Field": [{"field": "contents", "value": {"type": "Integer", "val": "177"}}]}} Line 15: x = {"type": "Integer", "val": "176"} z = {"type": "Record", "val": {"Field": [{"field": "contents", "value": {"type": "Integer", "val": "177"}}]}} Giant-step RAC RHS evaluated for global `zero` at "WHY3DATA/stdlib/int.mlw", line 13, characters 15-19: 0 RHS evaluated for global `one` at "WHY3DATA/stdlib/int.mlw", line 14, characters 15-18: 1 Value from model for parameter `x` at "bench/check-ce/func_call5.mlw", line 11, characters 8-9: 176 No value for return value of call to g1 at "bench/check-ce/func_call5.mlw", line 14, characters 10-14 at "bench/check-ce/func_call5.mlw", line 14, characters 10-14 Normal RAC RHS evaluated for global `zero` at "WHY3DATA/stdlib/int.mlw", line 13, characters 15-19: 0 RHS evaluated for global `one` at "WHY3DATA/stdlib/int.mlw", line 14, characters 15-18: 1 Value from model for parameter `x` at "bench/check-ce/func_call5.mlw", line 11, characters 8-9: 176 Result of checking model 1: INCOMPLETE - Concrete RAC: NORMAL File int.mlw: Line 13: Constant zero initialization zero = 0 Line 14: Constant one initialization one = 1 File func_call5.mlw: Line 11: x = 176 x = 176 Execution of main function `f1` with env: x = 176 zero = 0 one = 1 Line 14: Normal execution of function `g1` with args: y = 176 Line 9: Normal execution of function `ref` with args: contents = 176 Normal execution of function `ref'mk` with args: contents = 176 Line 11: Execution of main function terminated normally - Abstract RAC: INCOMPLETE (terminated because missing value for return value of call to g1 at "bench/check-ce/func_call5.mlw", line 14, characters 10-14) Results: - Checked model 0: INCOMPLETE - Concrete RAC: NORMAL - Abstract RAC: INCOMPLETE (terminated because missing value for return value of call to g1 at "bench/check-ce/func_call5.mlw", line 14, characters 10-14) - Selected model 1: INCOMPLETE - Concrete RAC: NORMAL - Abstract RAC: INCOMPLETE (terminated because missing value for return value of call to g1 at "bench/check-ce/func_call5.mlw", line 14, characters 10-14) File "bench/check-ce/func_call5.mlw", line 15, characters 11-17: Sub-goal Assertion of goal f1'vc. Prover result is: Unknown (unknown) (1.24s, 7500000 steps). The following counterexample model could not be verified (abstract RAC terminated because missing value for return value of call to g1 at "bench/check-ce/func_call5.mlw", line 14, characters 10-14): File func_call5.mlw: Line 8: x = 176 (0XB0) z = 177 (0XB1) Line 11: x = 176 (0XB0) Line 14: z = 177 (0XB1) Line 15: x = 176 (0XB0) z = 177 (0XB1) Check model 0 ("bench/check-ce/func_call5.mlw", line 21, characters 11-17) Checking model: File func_call5.mlw: Line 19: x = {"type": "Integer", "val": "0"} Line 21: x = {"type": "Integer", "val": "0"} Giant-step RAC RHS evaluated for global `zero` at "WHY3DATA/stdlib/int.mlw", line 13, characters 15-19: 0 RHS evaluated for global `one` at "WHY3DATA/stdlib/int.mlw", line 14, characters 15-18: 1 Value from model for parameter `x` at "bench/check-ce/func_call5.mlw", line 19, characters 8-9: 0 Value computed from postcondition for return value of call to g2 at "bench/check-ce/func_call5.mlw", line 20, characters 10-14 at "bench/check-ce/func_call5.mlw", line 20, characters 10-14: {contents= 1} Normal RAC RHS evaluated for global `zero` at "WHY3DATA/stdlib/int.mlw", line 13, characters 15-19: 0 RHS evaluated for global `one` at "WHY3DATA/stdlib/int.mlw", line 14, characters 15-18: 1 Value from model for parameter `x` at "bench/check-ce/func_call5.mlw", line 19, characters 8-9: 0 Result of checking model 0: NC - Concrete RAC: FAILURE (assertion at "bench/check-ce/func_call5.mlw", line 21, characters 11-17) File int.mlw: Line 13: Constant zero initialization zero = 0 Line 14: Constant one initialization one = 1 File func_call5.mlw: Line 19: x = 0 x = 0 Execution of main function `f2` with env: x = 0 zero = 0 one = 1 Line 20: Normal execution of function `g2` with args: y = 0 Line 17: Normal execution of function `(+)` with args: _ = 0 _ = 1 Normal execution of function `ref` with args: contents = 1 Normal execution of function `ref'mk` with args: contents = 1 Line 21: Property failure at assertion with: x = 0 z = {contents= 1} - Abstract RAC: FAILURE (assertion at "bench/check-ce/func_call5.mlw", line 21, characters 11-17) File int.mlw: Line 13: Constant zero initialization zero = 0 Line 14: Constant one initialization one = 1 File func_call5.mlw: Line 19: x = 0 x = 0 Execution of main function `f2` with env: x = 0 zero = 0 one = 1 Line 20: Giant-step execution of function `g2` with args: y = 0 result of `g2` = {contents= 1} Line 21: Property failure at assertion with: x = 0 z = {contents= 1} Check model 1 ("bench/check-ce/func_call5.mlw", line 21, characters 11-17) Checking model: File func_call5.mlw: Line 19: x = {"type": "Integer", "val": "175"} Line 21: x = {"type": "Integer", "val": "175"} Giant-step RAC RHS evaluated for global `zero` at "WHY3DATA/stdlib/int.mlw", line 13, characters 15-19: 0 RHS evaluated for global `one` at "WHY3DATA/stdlib/int.mlw", line 14, characters 15-18: 1 Value from model for parameter `x` at "bench/check-ce/func_call5.mlw", line 19, characters 8-9: 175 Value computed from postcondition for return value of call to g2 at "bench/check-ce/func_call5.mlw", line 20, characters 10-14 at "bench/check-ce/func_call5.mlw", line 20, characters 10-14: {contents= 176} Normal RAC RHS evaluated for global `zero` at "WHY3DATA/stdlib/int.mlw", line 13, characters 15-19: 0 RHS evaluated for global `one` at "WHY3DATA/stdlib/int.mlw", line 14, characters 15-18: 1 Value from model for parameter `x` at "bench/check-ce/func_call5.mlw", line 19, characters 8-9: 175 Result of checking model 1: NC - Concrete RAC: FAILURE (assertion at "bench/check-ce/func_call5.mlw", line 21, characters 11-17) File int.mlw: Line 13: Constant zero initialization zero = 0 Line 14: Constant one initialization one = 1 File func_call5.mlw: Line 19: x = 175 x = 175 Execution of main function `f2` with env: x = 175 zero = 0 one = 1 Line 20: Normal execution of function `g2` with args: y = 175 Line 17: Normal execution of function `(+)` with args: _ = 175 _ = 1 Normal execution of function `ref` with args: contents = 176 Normal execution of function `ref'mk` with args: contents = 176 Line 21: Property failure at assertion with: x = 175 z = {contents= 176} - Abstract RAC: FAILURE (assertion at "bench/check-ce/func_call5.mlw", line 21, characters 11-17) File int.mlw: Line 13: Constant zero initialization zero = 0 Line 14: Constant one initialization one = 1 File func_call5.mlw: Line 19: x = 175 x = 175 Execution of main function `f2` with env: x = 175 zero = 0 one = 1 Line 20: Giant-step execution of function `g2` with args: y = 175 result of `g2` = {contents= 176} Line 21: Property failure at assertion with: x = 175 z = {contents= 176} Results: - Selected model 0: NC - Concrete RAC: FAILURE (assertion at "bench/check-ce/func_call5.mlw", line 21, characters 11-17) - Abstract RAC: FAILURE (assertion at "bench/check-ce/func_call5.mlw", line 21, characters 11-17) - Checked model 1: NC - Concrete RAC: FAILURE (assertion at "bench/check-ce/func_call5.mlw", line 21, characters 11-17) - Abstract RAC: FAILURE (assertion at "bench/check-ce/func_call5.mlw", line 21, characters 11-17) File "bench/check-ce/func_call5.mlw", line 21, characters 11-17: Sub-goal Assertion of goal f2'vc. Prover result is: Unknown (unknown) (1.22s, 7500000 steps). The program does not comply to the verification goal, for example during the following execution: File int.mlw: Line 13: Constant zero initialization zero = 0 Line 14: Constant one initialization one = 1 File func_call5.mlw: Line 19: x = 0 x = 0 Execution of main function `f2` with env: x = 0 zero = 0 one = 1 Line 20: Normal execution of function `g2` with args: y = 0 Line 17: Normal execution of function `(+)` with args: _ = 0 _ = 1 Normal execution of function `ref` with args: contents = 1 Normal execution of function `ref'mk` with args: contents = 1 Line 21: Property failure at assertion with: x = 0 z = {contents= 1} why3-1.6.0/bench/check-ce/oracles/func_call5_Z3,4.8.4_WP.oracle000066400000000000000000000362531440160026300234220ustar00rootroot00000000000000File "bench/check-ce/func_call5.mlw", line 8, characters 12-24: Sub-goal Postcondition of goal g1'vc. Prover result is: Valid (0.02s, 56 steps). File "bench/check-ce/func_call5.mlw", line 14, characters 10-14: Sub-goal Precondition of goal f1'vc. Prover result is: Valid (0.01s, 86 steps). Check model 0 ("bench/check-ce/func_call5.mlw", line 15, characters 11-17) Checking model: File func_call5.mlw: Line 8: x = {"type": "Integer", "val": "1"} z = {"type": "Record", "val": {"Field": [{"field": "contents", "value": {"type": "Integer", "val": "2"}}]}} Line 11: x = {"type": "Integer", "val": "1"} Line 14: z = {"type": "Record", "val": {"Field": [{"field": "contents", "value": {"type": "Integer", "val": "2"}}]}} Line 15: x = {"type": "Integer", "val": "1"} z = {"type": "Record", "val": {"Field": [{"field": "contents", "value": {"type": "Integer", "val": "2"}}]}} Giant-step RAC RHS evaluated for global `zero` at "WHY3DATA/stdlib/int.mlw", line 13, characters 15-19: 0 RHS evaluated for global `one` at "WHY3DATA/stdlib/int.mlw", line 14, characters 15-18: 1 Value from model for parameter `x` at "bench/check-ce/func_call5.mlw", line 11, characters 8-9: 1 No value for return value of call to g1 at "bench/check-ce/func_call5.mlw", line 14, characters 10-14 at "bench/check-ce/func_call5.mlw", line 14, characters 10-14 Normal RAC RHS evaluated for global `zero` at "WHY3DATA/stdlib/int.mlw", line 13, characters 15-19: 0 RHS evaluated for global `one` at "WHY3DATA/stdlib/int.mlw", line 14, characters 15-18: 1 Value from model for parameter `x` at "bench/check-ce/func_call5.mlw", line 11, characters 8-9: 1 Result of checking model 0: INCOMPLETE - Concrete RAC: NORMAL File int.mlw: Line 13: Constant zero initialization zero = 0 Line 14: Constant one initialization one = 1 File func_call5.mlw: Line 11: x = 1 x = 1 Execution of main function `f1` with env: x = 1 zero = 0 one = 1 Line 14: Normal execution of function `g1` with args: y = 1 Line 9: Normal execution of function `ref` with args: contents = 1 Normal execution of function `ref'mk` with args: contents = 1 Line 11: Execution of main function terminated normally - Abstract RAC: INCOMPLETE (terminated because missing value for return value of call to g1 at "bench/check-ce/func_call5.mlw", line 14, characters 10-14) Check model 1 ("bench/check-ce/func_call5.mlw", line 15, characters 11-17) Checking model: File func_call5.mlw: Line 8: x = {"type": "Integer", "val": "176"} z = {"type": "Record", "val": {"Field": [{"field": "contents", "value": {"type": "Integer", "val": "177"}}]}} Line 11: x = {"type": "Integer", "val": "176"} Line 14: z = {"type": "Record", "val": {"Field": [{"field": "contents", "value": {"type": "Integer", "val": "177"}}]}} Line 15: x = {"type": "Integer", "val": "176"} z = {"type": "Record", "val": {"Field": [{"field": "contents", "value": {"type": "Integer", "val": "177"}}]}} Giant-step RAC RHS evaluated for global `zero` at "WHY3DATA/stdlib/int.mlw", line 13, characters 15-19: 0 RHS evaluated for global `one` at "WHY3DATA/stdlib/int.mlw", line 14, characters 15-18: 1 Value from model for parameter `x` at "bench/check-ce/func_call5.mlw", line 11, characters 8-9: 176 No value for return value of call to g1 at "bench/check-ce/func_call5.mlw", line 14, characters 10-14 at "bench/check-ce/func_call5.mlw", line 14, characters 10-14 Normal RAC RHS evaluated for global `zero` at "WHY3DATA/stdlib/int.mlw", line 13, characters 15-19: 0 RHS evaluated for global `one` at "WHY3DATA/stdlib/int.mlw", line 14, characters 15-18: 1 Value from model for parameter `x` at "bench/check-ce/func_call5.mlw", line 11, characters 8-9: 176 Result of checking model 1: INCOMPLETE - Concrete RAC: NORMAL File int.mlw: Line 13: Constant zero initialization zero = 0 Line 14: Constant one initialization one = 1 File func_call5.mlw: Line 11: x = 176 x = 176 Execution of main function `f1` with env: x = 176 zero = 0 one = 1 Line 14: Normal execution of function `g1` with args: y = 176 Line 9: Normal execution of function `ref` with args: contents = 176 Normal execution of function `ref'mk` with args: contents = 176 Line 11: Execution of main function terminated normally - Abstract RAC: INCOMPLETE (terminated because missing value for return value of call to g1 at "bench/check-ce/func_call5.mlw", line 14, characters 10-14) Results: - Checked model 0: INCOMPLETE - Concrete RAC: NORMAL - Abstract RAC: INCOMPLETE (terminated because missing value for return value of call to g1 at "bench/check-ce/func_call5.mlw", line 14, characters 10-14) - Selected model 1: INCOMPLETE - Concrete RAC: NORMAL - Abstract RAC: INCOMPLETE (terminated because missing value for return value of call to g1 at "bench/check-ce/func_call5.mlw", line 14, characters 10-14) File "bench/check-ce/func_call5.mlw", line 15, characters 11-17: Sub-goal Assertion of goal f1'vc. Prover result is: Unknown (unknown) (1.31s, 7500000 steps). The following counterexample model could not be verified (abstract RAC terminated because missing value for return value of call to g1 at "bench/check-ce/func_call5.mlw", line 14, characters 10-14): File func_call5.mlw: Line 8: x = 176 (0XB0) z = 177 (0XB1) Line 11: x = 176 (0XB0) Line 14: z = 177 (0XB1) Line 15: x = 176 (0XB0) z = 177 (0XB1) Check model 0 ("bench/check-ce/func_call5.mlw", line 21, characters 11-17) Checking model: File func_call5.mlw: Line 19: x = {"type": "Integer", "val": "0"} Line 21: x = {"type": "Integer", "val": "0"} Giant-step RAC RHS evaluated for global `zero` at "WHY3DATA/stdlib/int.mlw", line 13, characters 15-19: 0 RHS evaluated for global `one` at "WHY3DATA/stdlib/int.mlw", line 14, characters 15-18: 1 Value from model for parameter `x` at "bench/check-ce/func_call5.mlw", line 19, characters 8-9: 0 Value computed from postcondition for return value of call to g2 at "bench/check-ce/func_call5.mlw", line 20, characters 10-14 at "bench/check-ce/func_call5.mlw", line 20, characters 10-14: {contents= 1} Normal RAC RHS evaluated for global `zero` at "WHY3DATA/stdlib/int.mlw", line 13, characters 15-19: 0 RHS evaluated for global `one` at "WHY3DATA/stdlib/int.mlw", line 14, characters 15-18: 1 Value from model for parameter `x` at "bench/check-ce/func_call5.mlw", line 19, characters 8-9: 0 Result of checking model 0: NC - Concrete RAC: FAILURE (assertion at "bench/check-ce/func_call5.mlw", line 21, characters 11-17) File int.mlw: Line 13: Constant zero initialization zero = 0 Line 14: Constant one initialization one = 1 File func_call5.mlw: Line 19: x = 0 x = 0 Execution of main function `f2` with env: x = 0 zero = 0 one = 1 Line 20: Normal execution of function `g2` with args: y = 0 Line 17: Normal execution of function `(+)` with args: _ = 0 _ = 1 Normal execution of function `ref` with args: contents = 1 Normal execution of function `ref'mk` with args: contents = 1 Line 21: Property failure at assertion with: x = 0 z = {contents= 1} - Abstract RAC: FAILURE (assertion at "bench/check-ce/func_call5.mlw", line 21, characters 11-17) File int.mlw: Line 13: Constant zero initialization zero = 0 Line 14: Constant one initialization one = 1 File func_call5.mlw: Line 19: x = 0 x = 0 Execution of main function `f2` with env: x = 0 zero = 0 one = 1 Line 20: Giant-step execution of function `g2` with args: y = 0 result of `g2` = {contents= 1} Line 21: Property failure at assertion with: x = 0 z = {contents= 1} Check model 1 ("bench/check-ce/func_call5.mlw", line 21, characters 11-17) Checking model: File func_call5.mlw: Line 19: x = {"type": "Integer", "val": "175"} Line 21: x = {"type": "Integer", "val": "175"} Giant-step RAC RHS evaluated for global `zero` at "WHY3DATA/stdlib/int.mlw", line 13, characters 15-19: 0 RHS evaluated for global `one` at "WHY3DATA/stdlib/int.mlw", line 14, characters 15-18: 1 Value from model for parameter `x` at "bench/check-ce/func_call5.mlw", line 19, characters 8-9: 175 Value computed from postcondition for return value of call to g2 at "bench/check-ce/func_call5.mlw", line 20, characters 10-14 at "bench/check-ce/func_call5.mlw", line 20, characters 10-14: {contents= 176} Normal RAC RHS evaluated for global `zero` at "WHY3DATA/stdlib/int.mlw", line 13, characters 15-19: 0 RHS evaluated for global `one` at "WHY3DATA/stdlib/int.mlw", line 14, characters 15-18: 1 Value from model for parameter `x` at "bench/check-ce/func_call5.mlw", line 19, characters 8-9: 175 Result of checking model 1: NC - Concrete RAC: FAILURE (assertion at "bench/check-ce/func_call5.mlw", line 21, characters 11-17) File int.mlw: Line 13: Constant zero initialization zero = 0 Line 14: Constant one initialization one = 1 File func_call5.mlw: Line 19: x = 175 x = 175 Execution of main function `f2` with env: x = 175 zero = 0 one = 1 Line 20: Normal execution of function `g2` with args: y = 175 Line 17: Normal execution of function `(+)` with args: _ = 175 _ = 1 Normal execution of function `ref` with args: contents = 176 Normal execution of function `ref'mk` with args: contents = 176 Line 21: Property failure at assertion with: x = 175 z = {contents= 176} - Abstract RAC: FAILURE (assertion at "bench/check-ce/func_call5.mlw", line 21, characters 11-17) File int.mlw: Line 13: Constant zero initialization zero = 0 Line 14: Constant one initialization one = 1 File func_call5.mlw: Line 19: x = 175 x = 175 Execution of main function `f2` with env: x = 175 zero = 0 one = 1 Line 20: Giant-step execution of function `g2` with args: y = 175 result of `g2` = {contents= 176} Line 21: Property failure at assertion with: x = 175 z = {contents= 176} Results: - Selected model 0: NC - Concrete RAC: FAILURE (assertion at "bench/check-ce/func_call5.mlw", line 21, characters 11-17) - Abstract RAC: FAILURE (assertion at "bench/check-ce/func_call5.mlw", line 21, characters 11-17) - Checked model 1: NC - Concrete RAC: FAILURE (assertion at "bench/check-ce/func_call5.mlw", line 21, characters 11-17) - Abstract RAC: FAILURE (assertion at "bench/check-ce/func_call5.mlw", line 21, characters 11-17) File "bench/check-ce/func_call5.mlw", line 21, characters 11-17: Sub-goal Assertion of goal f2'vc. Prover result is: Unknown (unknown) (1.20s, 7500000 steps). The program does not comply to the verification goal, for example during the following execution: File int.mlw: Line 13: Constant zero initialization zero = 0 Line 14: Constant one initialization one = 1 File func_call5.mlw: Line 19: x = 0 x = 0 Execution of main function `f2` with env: x = 0 zero = 0 one = 1 Line 20: Normal execution of function `g2` with args: y = 0 Line 17: Normal execution of function `(+)` with args: _ = 0 _ = 1 Normal execution of function `ref` with args: contents = 1 Normal execution of function `ref'mk` with args: contents = 1 Line 21: Property failure at assertion with: x = 0 z = {contents= 1} why3-1.6.0/bench/check-ce/oracles/func_call5_mono_CVC4,1.8_SP.oracle000066400000000000000000000051171440160026300244770ustar00rootroot00000000000000File "bench/check-ce/func_call5_mono.mlw", line 9, characters 12-25: Sub-goal Postcondition of goal g1'vc. Prover result is: Valid. File "bench/check-ce/func_call5_mono.mlw", line 15, characters 10-14: Sub-goal Precondition of goal f1'vc. Prover result is: Valid. Categorizations of models: - Selected model 0: SW - Concrete RAC: NORMAL - Abstract RAC: FAILURE (assertion at "bench/check-ce/func_call5_mono.mlw", line 16, characters 11-18) - Checked model 1: SW - Concrete RAC: NORMAL - Abstract RAC: FAILURE (assertion at "bench/check-ce/func_call5_mono.mlw", line 16, characters 11-18) File "bench/check-ce/func_call5_mono.mlw", line 16, characters 11-18: Sub-goal Assertion of goal f1'vc. Prover result is: Unknown (sat). The contracts of some function or loop are too weak, for example during the following execution: File int.mlw: Line 13: Constant zero initialization zero = 0 Line 14: Constant one initialization one = 1 File func_call5_mono.mlw: Line 12: x = 1 x = 1 Execution of main function `f1` with env: x = 1 zero = 0 one = 1 Line 15: Giant-step execution of function `g1` with args: y = 1 result of `g1` = {c= 2} Line 16: Property failure at assertion with: x = 1 z = {c= 2} Categorizations of models: - Selected model 0: NC - Concrete RAC: FAILURE (assertion at "bench/check-ce/func_call5_mono.mlw", line 22, characters 11-18) - Abstract RAC: FAILURE (assertion at "bench/check-ce/func_call5_mono.mlw", line 22, characters 11-18) - Checked model 1: NC - Concrete RAC: FAILURE (assertion at "bench/check-ce/func_call5_mono.mlw", line 22, characters 11-18) - Abstract RAC: FAILURE (assertion at "bench/check-ce/func_call5_mono.mlw", line 22, characters 11-18) File "bench/check-ce/func_call5_mono.mlw", line 22, characters 11-18: Sub-goal Assertion of goal f2'vc. Prover result is: Unknown (sat). The program does not comply to the verification goal, for example during the following execution: File int.mlw: Line 13: Constant zero initialization zero = 0 Line 14: Constant one initialization one = 1 File func_call5_mono.mlw: Line 20: x = 0 x = 0 Execution of main function `f2` with env: x = 0 zero = 0 one = 1 Line 21: Normal execution of function `g2` with args: y = 0 Line 18: Normal execution of function `(+)` with args: _ = 0 _ = 1 Normal execution of function `t'mk` with args: c = 1 Line 22: Property failure at assertion with: x = 0 z = {c= 1} why3-1.6.0/bench/check-ce/oracles/func_call5_mono_CVC4,1.8_WP.oracle000066400000000000000000000051171440160026300245030ustar00rootroot00000000000000File "bench/check-ce/func_call5_mono.mlw", line 9, characters 12-25: Sub-goal Postcondition of goal g1'vc. Prover result is: Valid. File "bench/check-ce/func_call5_mono.mlw", line 15, characters 10-14: Sub-goal Precondition of goal f1'vc. Prover result is: Valid. Categorizations of models: - Selected model 0: SW - Concrete RAC: NORMAL - Abstract RAC: FAILURE (assertion at "bench/check-ce/func_call5_mono.mlw", line 16, characters 11-18) - Checked model 1: SW - Concrete RAC: NORMAL - Abstract RAC: FAILURE (assertion at "bench/check-ce/func_call5_mono.mlw", line 16, characters 11-18) File "bench/check-ce/func_call5_mono.mlw", line 16, characters 11-18: Sub-goal Assertion of goal f1'vc. Prover result is: Unknown (sat). The contracts of some function or loop are too weak, for example during the following execution: File int.mlw: Line 13: Constant zero initialization zero = 0 Line 14: Constant one initialization one = 1 File func_call5_mono.mlw: Line 12: x = 1 x = 1 Execution of main function `f1` with env: x = 1 zero = 0 one = 1 Line 15: Giant-step execution of function `g1` with args: y = 1 result of `g1` = {c= 2} Line 16: Property failure at assertion with: x = 1 z = {c= 2} Categorizations of models: - Selected model 0: NC - Concrete RAC: FAILURE (assertion at "bench/check-ce/func_call5_mono.mlw", line 22, characters 11-18) - Abstract RAC: FAILURE (assertion at "bench/check-ce/func_call5_mono.mlw", line 22, characters 11-18) - Checked model 1: NC - Concrete RAC: FAILURE (assertion at "bench/check-ce/func_call5_mono.mlw", line 22, characters 11-18) - Abstract RAC: FAILURE (assertion at "bench/check-ce/func_call5_mono.mlw", line 22, characters 11-18) File "bench/check-ce/func_call5_mono.mlw", line 22, characters 11-18: Sub-goal Assertion of goal f2'vc. Prover result is: Unknown (sat). The program does not comply to the verification goal, for example during the following execution: File int.mlw: Line 13: Constant zero initialization zero = 0 Line 14: Constant one initialization one = 1 File func_call5_mono.mlw: Line 20: x = 0 x = 0 Execution of main function `f2` with env: x = 0 zero = 0 one = 1 Line 21: Normal execution of function `g2` with args: y = 0 Line 18: Normal execution of function `(+)` with args: _ = 0 _ = 1 Normal execution of function `t'mk` with args: c = 1 Line 22: Property failure at assertion with: x = 0 z = {c= 1} why3-1.6.0/bench/check-ce/oracles/func_call5_mono_CVC5,1.0.0_SP.oracle000066400000000000000000000051171440160026300246260ustar00rootroot00000000000000File "bench/check-ce/func_call5_mono.mlw", line 9, characters 12-25: Sub-goal Postcondition of goal g1'vc. Prover result is: Valid. File "bench/check-ce/func_call5_mono.mlw", line 15, characters 10-14: Sub-goal Precondition of goal f1'vc. Prover result is: Valid. Categorizations of models: - Selected model 0: SW - Concrete RAC: NORMAL - Abstract RAC: FAILURE (assertion at "bench/check-ce/func_call5_mono.mlw", line 16, characters 11-18) - Checked model 1: SW - Concrete RAC: NORMAL - Abstract RAC: FAILURE (assertion at "bench/check-ce/func_call5_mono.mlw", line 16, characters 11-18) File "bench/check-ce/func_call5_mono.mlw", line 16, characters 11-18: Sub-goal Assertion of goal f1'vc. Prover result is: Unknown (sat). The contracts of some function or loop are too weak, for example during the following execution: File int.mlw: Line 13: Constant zero initialization zero = 0 Line 14: Constant one initialization one = 1 File func_call5_mono.mlw: Line 12: x = 1 x = 1 Execution of main function `f1` with env: x = 1 zero = 0 one = 1 Line 15: Giant-step execution of function `g1` with args: y = 1 result of `g1` = {c= 2} Line 16: Property failure at assertion with: x = 1 z = {c= 2} Categorizations of models: - Selected model 0: NC - Concrete RAC: FAILURE (assertion at "bench/check-ce/func_call5_mono.mlw", line 22, characters 11-18) - Abstract RAC: FAILURE (assertion at "bench/check-ce/func_call5_mono.mlw", line 22, characters 11-18) - Checked model 1: NC - Concrete RAC: FAILURE (assertion at "bench/check-ce/func_call5_mono.mlw", line 22, characters 11-18) - Abstract RAC: FAILURE (assertion at "bench/check-ce/func_call5_mono.mlw", line 22, characters 11-18) File "bench/check-ce/func_call5_mono.mlw", line 22, characters 11-18: Sub-goal Assertion of goal f2'vc. Prover result is: Unknown (sat). The program does not comply to the verification goal, for example during the following execution: File int.mlw: Line 13: Constant zero initialization zero = 0 Line 14: Constant one initialization one = 1 File func_call5_mono.mlw: Line 20: x = 0 x = 0 Execution of main function `f2` with env: x = 0 zero = 0 one = 1 Line 21: Normal execution of function `g2` with args: y = 0 Line 18: Normal execution of function `(+)` with args: _ = 0 _ = 1 Normal execution of function `t'mk` with args: c = 1 Line 22: Property failure at assertion with: x = 0 z = {c= 1} why3-1.6.0/bench/check-ce/oracles/func_call5_mono_CVC5,1.0.0_WP.oracle000066400000000000000000000051171440160026300246320ustar00rootroot00000000000000File "bench/check-ce/func_call5_mono.mlw", line 9, characters 12-25: Sub-goal Postcondition of goal g1'vc. Prover result is: Valid. File "bench/check-ce/func_call5_mono.mlw", line 15, characters 10-14: Sub-goal Precondition of goal f1'vc. Prover result is: Valid. Categorizations of models: - Selected model 0: SW - Concrete RAC: NORMAL - Abstract RAC: FAILURE (assertion at "bench/check-ce/func_call5_mono.mlw", line 16, characters 11-18) - Checked model 1: SW - Concrete RAC: NORMAL - Abstract RAC: FAILURE (assertion at "bench/check-ce/func_call5_mono.mlw", line 16, characters 11-18) File "bench/check-ce/func_call5_mono.mlw", line 16, characters 11-18: Sub-goal Assertion of goal f1'vc. Prover result is: Unknown (sat). The contracts of some function or loop are too weak, for example during the following execution: File int.mlw: Line 13: Constant zero initialization zero = 0 Line 14: Constant one initialization one = 1 File func_call5_mono.mlw: Line 12: x = 1 x = 1 Execution of main function `f1` with env: x = 1 zero = 0 one = 1 Line 15: Giant-step execution of function `g1` with args: y = 1 result of `g1` = {c= 2} Line 16: Property failure at assertion with: x = 1 z = {c= 2} Categorizations of models: - Selected model 0: NC - Concrete RAC: FAILURE (assertion at "bench/check-ce/func_call5_mono.mlw", line 22, characters 11-18) - Abstract RAC: FAILURE (assertion at "bench/check-ce/func_call5_mono.mlw", line 22, characters 11-18) - Checked model 1: NC - Concrete RAC: FAILURE (assertion at "bench/check-ce/func_call5_mono.mlw", line 22, characters 11-18) - Abstract RAC: FAILURE (assertion at "bench/check-ce/func_call5_mono.mlw", line 22, characters 11-18) File "bench/check-ce/func_call5_mono.mlw", line 22, characters 11-18: Sub-goal Assertion of goal f2'vc. Prover result is: Unknown (sat). The program does not comply to the verification goal, for example during the following execution: File int.mlw: Line 13: Constant zero initialization zero = 0 Line 14: Constant one initialization one = 1 File func_call5_mono.mlw: Line 20: x = 0 x = 0 Execution of main function `f2` with env: x = 0 zero = 0 one = 1 Line 21: Normal execution of function `g2` with args: y = 0 Line 18: Normal execution of function `(+)` with args: _ = 0 _ = 1 Normal execution of function `t'mk` with args: c = 1 Line 22: Property failure at assertion with: x = 0 z = {c= 1} why3-1.6.0/bench/check-ce/oracles/func_call5_mono_Z3,4.8.10_SP.oracle000066400000000000000000000051171440160026300245160ustar00rootroot00000000000000File "bench/check-ce/func_call5_mono.mlw", line 9, characters 12-25: Sub-goal Postcondition of goal g1'vc. Prover result is: Valid. File "bench/check-ce/func_call5_mono.mlw", line 15, characters 10-14: Sub-goal Precondition of goal f1'vc. Prover result is: Valid. Categorizations of models: - Selected model 0: SW - Concrete RAC: NORMAL - Abstract RAC: FAILURE (assertion at "bench/check-ce/func_call5_mono.mlw", line 16, characters 11-18) - Checked model 1: SW - Concrete RAC: NORMAL - Abstract RAC: FAILURE (assertion at "bench/check-ce/func_call5_mono.mlw", line 16, characters 11-18) File "bench/check-ce/func_call5_mono.mlw", line 16, characters 11-18: Sub-goal Assertion of goal f1'vc. Prover result is: Unknown (sat). The contracts of some function or loop are too weak, for example during the following execution: File int.mlw: Line 13: Constant zero initialization zero = 0 Line 14: Constant one initialization one = 1 File func_call5_mono.mlw: Line 12: x = 1 x = 1 Execution of main function `f1` with env: x = 1 zero = 0 one = 1 Line 15: Giant-step execution of function `g1` with args: y = 1 result of `g1` = {c= 2} Line 16: Property failure at assertion with: x = 1 z = {c= 2} Categorizations of models: - Selected model 0: NC - Concrete RAC: FAILURE (assertion at "bench/check-ce/func_call5_mono.mlw", line 22, characters 11-18) - Abstract RAC: FAILURE (assertion at "bench/check-ce/func_call5_mono.mlw", line 22, characters 11-18) - Checked model 1: NC - Concrete RAC: FAILURE (assertion at "bench/check-ce/func_call5_mono.mlw", line 22, characters 11-18) - Abstract RAC: FAILURE (assertion at "bench/check-ce/func_call5_mono.mlw", line 22, characters 11-18) File "bench/check-ce/func_call5_mono.mlw", line 22, characters 11-18: Sub-goal Assertion of goal f2'vc. Prover result is: Unknown (sat). The program does not comply to the verification goal, for example during the following execution: File int.mlw: Line 13: Constant zero initialization zero = 0 Line 14: Constant one initialization one = 1 File func_call5_mono.mlw: Line 20: x = 0 x = 0 Execution of main function `f2` with env: x = 0 zero = 0 one = 1 Line 21: Normal execution of function `g2` with args: y = 0 Line 18: Normal execution of function `(+)` with args: _ = 0 _ = 1 Normal execution of function `t'mk` with args: c = 1 Line 22: Property failure at assertion with: x = 0 z = {c= 1} why3-1.6.0/bench/check-ce/oracles/func_call5_mono_Z3,4.8.10_WP.oracle000066400000000000000000000051171440160026300245220ustar00rootroot00000000000000File "bench/check-ce/func_call5_mono.mlw", line 9, characters 12-25: Sub-goal Postcondition of goal g1'vc. Prover result is: Valid. File "bench/check-ce/func_call5_mono.mlw", line 15, characters 10-14: Sub-goal Precondition of goal f1'vc. Prover result is: Valid. Categorizations of models: - Selected model 0: SW - Concrete RAC: NORMAL - Abstract RAC: FAILURE (assertion at "bench/check-ce/func_call5_mono.mlw", line 16, characters 11-18) - Checked model 1: SW - Concrete RAC: NORMAL - Abstract RAC: FAILURE (assertion at "bench/check-ce/func_call5_mono.mlw", line 16, characters 11-18) File "bench/check-ce/func_call5_mono.mlw", line 16, characters 11-18: Sub-goal Assertion of goal f1'vc. Prover result is: Unknown (sat). The contracts of some function or loop are too weak, for example during the following execution: File int.mlw: Line 13: Constant zero initialization zero = 0 Line 14: Constant one initialization one = 1 File func_call5_mono.mlw: Line 12: x = 1 x = 1 Execution of main function `f1` with env: x = 1 zero = 0 one = 1 Line 15: Giant-step execution of function `g1` with args: y = 1 result of `g1` = {c= 2} Line 16: Property failure at assertion with: x = 1 z = {c= 2} Categorizations of models: - Selected model 0: NC - Concrete RAC: FAILURE (assertion at "bench/check-ce/func_call5_mono.mlw", line 22, characters 11-18) - Abstract RAC: FAILURE (assertion at "bench/check-ce/func_call5_mono.mlw", line 22, characters 11-18) - Checked model 1: NC - Concrete RAC: FAILURE (assertion at "bench/check-ce/func_call5_mono.mlw", line 22, characters 11-18) - Abstract RAC: FAILURE (assertion at "bench/check-ce/func_call5_mono.mlw", line 22, characters 11-18) File "bench/check-ce/func_call5_mono.mlw", line 22, characters 11-18: Sub-goal Assertion of goal f2'vc. Prover result is: Unknown (sat). The program does not comply to the verification goal, for example during the following execution: File int.mlw: Line 13: Constant zero initialization zero = 0 Line 14: Constant one initialization one = 1 File func_call5_mono.mlw: Line 20: x = 0 x = 0 Execution of main function `f2` with env: x = 0 zero = 0 one = 1 Line 21: Normal execution of function `g2` with args: y = 0 Line 18: Normal execution of function `(+)` with args: _ = 0 _ = 1 Normal execution of function `t'mk` with args: c = 1 Line 22: Property failure at assertion with: x = 0 z = {c= 1} why3-1.6.0/bench/check-ce/oracles/func_call6_CVC4,1.8_SP.oracle000066400000000000000000000032611440160026300234460ustar00rootroot00000000000000Categorizations of models: - Selected model 0: NC - Concrete RAC: FAILURE (assertion at "bench/check-ce/func_call6.mlw", line 16, characters 11-17) - Abstract RAC: FAILURE (assertion at "bench/check-ce/func_call6.mlw", line 16, characters 11-17) - Checked model 1: NC - Concrete RAC: FAILURE (assertion at "bench/check-ce/func_call6.mlw", line 16, characters 11-17) - Abstract RAC: FAILURE (assertion at "bench/check-ce/func_call6.mlw", line 16, characters 11-17) File "bench/check-ce/func_call6.mlw", line 16, characters 11-17: Sub-goal Assertion of goal f'vc. Prover result is: Unknown or time/memory/step limit. The program does not comply to the verification goal, for example during the following execution: File int.mlw: Line 13: Constant zero initialization zero = 0 Line 14: Constant one initialization one = 1 File func_call6.mlw: Line 7: Constant z initialization (giant-step) execution of unimplemented function with args: result = 0 Normal execution of function `ref` with args: contents = 0 Normal execution of function `ref'mk` with args: contents = 0 z = {contents= 0} Unknown location: _ = () File func_call6.mlw: Line 13: _ = () Execution of main function `f` with env: z = {contents= 0} _ = () zero = 0 one = 1 Line 14: Normal execution of function `(:=)` with args: r = {contents= 0} v = 0 Line 15: Normal execution of function `Tuple0` with args: (giant-step) execution of unimplemented function `g` _ = () z = {contents= 2} result of `g` = () Line 16: Property failure at assertion with: z = {contents= 2} why3-1.6.0/bench/check-ce/oracles/func_call6_CVC4,1.8_WP.oracle000066400000000000000000000032611440160026300234520ustar00rootroot00000000000000Categorizations of models: - Selected model 0: NC - Concrete RAC: FAILURE (assertion at "bench/check-ce/func_call6.mlw", line 16, characters 11-17) - Abstract RAC: FAILURE (assertion at "bench/check-ce/func_call6.mlw", line 16, characters 11-17) - Checked model 1: NC - Concrete RAC: FAILURE (assertion at "bench/check-ce/func_call6.mlw", line 16, characters 11-17) - Abstract RAC: FAILURE (assertion at "bench/check-ce/func_call6.mlw", line 16, characters 11-17) File "bench/check-ce/func_call6.mlw", line 16, characters 11-17: Sub-goal Assertion of goal f'vc. Prover result is: Unknown or time/memory/step limit. The program does not comply to the verification goal, for example during the following execution: File int.mlw: Line 13: Constant zero initialization zero = 0 Line 14: Constant one initialization one = 1 File func_call6.mlw: Line 7: Constant z initialization (giant-step) execution of unimplemented function with args: result = 0 Normal execution of function `ref` with args: contents = 0 Normal execution of function `ref'mk` with args: contents = 0 z = {contents= 0} Unknown location: _ = () File func_call6.mlw: Line 13: _ = () Execution of main function `f` with env: z = {contents= 0} _ = () zero = 0 one = 1 Line 14: Normal execution of function `(:=)` with args: r = {contents= 0} v = 0 Line 15: Normal execution of function `Tuple0` with args: (giant-step) execution of unimplemented function `g` _ = () z = {contents= 2} result of `g` = () Line 16: Property failure at assertion with: z = {contents= 2} why3-1.6.0/bench/check-ce/oracles/func_call6_CVC5,1.0.0_SP.oracle000066400000000000000000000032611440160026300235750ustar00rootroot00000000000000Categorizations of models: - Selected model 0: NC - Concrete RAC: FAILURE (assertion at "bench/check-ce/func_call6.mlw", line 16, characters 11-17) - Abstract RAC: FAILURE (assertion at "bench/check-ce/func_call6.mlw", line 16, characters 11-17) - Checked model 1: NC - Concrete RAC: FAILURE (assertion at "bench/check-ce/func_call6.mlw", line 16, characters 11-17) - Abstract RAC: FAILURE (assertion at "bench/check-ce/func_call6.mlw", line 16, characters 11-17) File "bench/check-ce/func_call6.mlw", line 16, characters 11-17: Sub-goal Assertion of goal f'vc. Prover result is: Unknown or time/memory/step limit. The program does not comply to the verification goal, for example during the following execution: File int.mlw: Line 13: Constant zero initialization zero = 0 Line 14: Constant one initialization one = 1 File func_call6.mlw: Line 7: Constant z initialization (giant-step) execution of unimplemented function with args: result = 0 Normal execution of function `ref` with args: contents = 0 Normal execution of function `ref'mk` with args: contents = 0 z = {contents= 0} Unknown location: _ = () File func_call6.mlw: Line 13: _ = () Execution of main function `f` with env: z = {contents= 0} _ = () zero = 0 one = 1 Line 14: Normal execution of function `(:=)` with args: r = {contents= 0} v = 0 Line 15: Normal execution of function `Tuple0` with args: (giant-step) execution of unimplemented function `g` _ = () z = {contents= 2} result of `g` = () Line 16: Property failure at assertion with: z = {contents= 2} why3-1.6.0/bench/check-ce/oracles/func_call6_CVC5,1.0.0_WP.oracle000066400000000000000000000032611440160026300236010ustar00rootroot00000000000000Categorizations of models: - Selected model 0: NC - Concrete RAC: FAILURE (assertion at "bench/check-ce/func_call6.mlw", line 16, characters 11-17) - Abstract RAC: FAILURE (assertion at "bench/check-ce/func_call6.mlw", line 16, characters 11-17) - Checked model 1: NC - Concrete RAC: FAILURE (assertion at "bench/check-ce/func_call6.mlw", line 16, characters 11-17) - Abstract RAC: FAILURE (assertion at "bench/check-ce/func_call6.mlw", line 16, characters 11-17) File "bench/check-ce/func_call6.mlw", line 16, characters 11-17: Sub-goal Assertion of goal f'vc. Prover result is: Unknown or time/memory/step limit. The program does not comply to the verification goal, for example during the following execution: File int.mlw: Line 13: Constant zero initialization zero = 0 Line 14: Constant one initialization one = 1 File func_call6.mlw: Line 7: Constant z initialization (giant-step) execution of unimplemented function with args: result = 0 Normal execution of function `ref` with args: contents = 0 Normal execution of function `ref'mk` with args: contents = 0 z = {contents= 0} Unknown location: _ = () File func_call6.mlw: Line 13: _ = () Execution of main function `f` with env: z = {contents= 0} _ = () zero = 0 one = 1 Line 14: Normal execution of function `(:=)` with args: r = {contents= 0} v = 0 Line 15: Normal execution of function `Tuple0` with args: (giant-step) execution of unimplemented function `g` _ = () z = {contents= 2} result of `g` = () Line 16: Property failure at assertion with: z = {contents= 2} why3-1.6.0/bench/check-ce/oracles/func_call6_Z3,4.8.10_SP.oracle000066400000000000000000000033351440160026300234670ustar00rootroot00000000000000Categorizations of models: - Selected model 0: NC - Concrete RAC: FAILURE (assertion at "bench/check-ce/func_call6.mlw", line 16, characters 11-17) - Abstract RAC: FAILURE (assertion at "bench/check-ce/func_call6.mlw", line 16, characters 11-17) - Checked model 1: BAD_CE - Concrete RAC: STUCK (failure in postcondition of `g` at "bench/check-ce/func_call6.mlw", line 11, characters 12-25) - Abstract RAC: STUCK (failure in postcondition of `g` at "bench/check-ce/func_call6.mlw", line 11, characters 12-25) File "bench/check-ce/func_call6.mlw", line 16, characters 11-17: Sub-goal Assertion of goal f'vc. Prover result is: Unknown or time/memory/step limit. The program does not comply to the verification goal, for example during the following execution: File int.mlw: Line 13: Constant zero initialization zero = 0 Line 14: Constant one initialization one = 1 File func_call6.mlw: Line 7: Constant z initialization (giant-step) execution of unimplemented function with args: result = 0 Normal execution of function `ref` with args: contents = 0 Normal execution of function `ref'mk` with args: contents = 0 z = {contents= 0} Unknown location: _ = () File func_call6.mlw: Line 13: _ = () Execution of main function `f` with env: z = {contents= 0} _ = () zero = 0 one = 1 Line 14: Normal execution of function `(:=)` with args: r = {contents= 0} v = 0 Line 15: Normal execution of function `Tuple0` with args: (giant-step) execution of unimplemented function `g` _ = () z = {contents= 2} result of `g` = () Line 16: Property failure at assertion with: z = {contents= 2} why3-1.6.0/bench/check-ce/oracles/func_call6_Z3,4.8.10_WP.oracle000066400000000000000000000033351440160026300234730ustar00rootroot00000000000000Categorizations of models: - Selected model 0: NC - Concrete RAC: FAILURE (assertion at "bench/check-ce/func_call6.mlw", line 16, characters 11-17) - Abstract RAC: FAILURE (assertion at "bench/check-ce/func_call6.mlw", line 16, characters 11-17) - Checked model 1: BAD_CE - Concrete RAC: STUCK (failure in postcondition of `g` at "bench/check-ce/func_call6.mlw", line 11, characters 12-25) - Abstract RAC: STUCK (failure in postcondition of `g` at "bench/check-ce/func_call6.mlw", line 11, characters 12-25) File "bench/check-ce/func_call6.mlw", line 16, characters 11-17: Sub-goal Assertion of goal f'vc. Prover result is: Unknown or time/memory/step limit. The program does not comply to the verification goal, for example during the following execution: File int.mlw: Line 13: Constant zero initialization zero = 0 Line 14: Constant one initialization one = 1 File func_call6.mlw: Line 7: Constant z initialization (giant-step) execution of unimplemented function with args: result = 0 Normal execution of function `ref` with args: contents = 0 Normal execution of function `ref'mk` with args: contents = 0 z = {contents= 0} Unknown location: _ = () File func_call6.mlw: Line 13: _ = () Execution of main function `f` with env: z = {contents= 0} _ = () zero = 0 one = 1 Line 14: Normal execution of function `(:=)` with args: r = {contents= 0} v = 0 Line 15: Normal execution of function `Tuple0` with args: (giant-step) execution of unimplemented function `g` _ = () z = {contents= 2} result of `g` = () Line 16: Property failure at assertion with: z = {contents= 2} why3-1.6.0/bench/check-ce/oracles/func_call6_Z3,4.8.4_SP.oracle000066400000000000000000000376711440160026300234240ustar00rootroot00000000000000Check model 0 ("bench/check-ce/func_call6.mlw", line 16, characters 11-17) Checking model: File func_call6.mlw: Line 11: z = {"type": "Record", "val": {"Field": [{"field": "contents", "value": {"type": "Integer", "val": "0"}}]}} z = {"type": "Record", "val": {"Field": [{"field": "contents", "value": {"type": "Integer", "val": "2"}}]}} Line 14: z = {"type": "Record", "val": {"Field": [{"field": "contents", "value": {"type": "Integer", "val": "0"}}]}} Line 15: z = {"type": "Record", "val": {"Field": [{"field": "contents", "value": {"type": "Integer", "val": "2"}}]}} Line 16: z = {"type": "Record", "val": {"Field": [{"field": "contents", "value": {"type": "Integer", "val": "2"}}]}} Giant-step RAC RHS evaluated for global `zero` at "WHY3DATA/stdlib/int.mlw", line 13, characters 15-19: 0 RHS evaluated for global `one` at "WHY3DATA/stdlib/int.mlw", line 14, characters 15-18: 1 Type default value for return value of call at "bench/check-ce/func_call6.mlw", line 7, characters 12-21 at "bench/check-ce/func_call6.mlw", line 7, characters 12-21: 0 RHS evaluated for global `z` at "bench/check-ce/func_call6.mlw", line 7, characters 4-5: {contents= 0} Type default value for parameter `_` at NO LOC: () Value from model for variable `z` at "bench/check-ce/func_call6.mlw", line 14, characters 2-8 at "bench/check-ce/func_call6.mlw", line 14, characters 2-8: {contents= 0} Type default value for return value of call to (:=) at "bench/check-ce/func_call6.mlw", line 14, characters 2-8 at "bench/check-ce/func_call6.mlw", line 14, characters 2-8: () Value from model for variable `z` at "bench/check-ce/func_call6.mlw", line 15, characters 2-6 at "bench/check-ce/func_call6.mlw", line 15, characters 2-6: {contents= 2} Type default value for return value of call to g at "bench/check-ce/func_call6.mlw", line 15, characters 2-6 at "bench/check-ce/func_call6.mlw", line 15, characters 2-6: () Normal RAC RHS evaluated for global `zero` at "WHY3DATA/stdlib/int.mlw", line 13, characters 15-19: 0 RHS evaluated for global `one` at "WHY3DATA/stdlib/int.mlw", line 14, characters 15-18: 1 Type default value for return value of call at "bench/check-ce/func_call6.mlw", line 7, characters 12-21 at "bench/check-ce/func_call6.mlw", line 7, characters 12-21: 0 RHS evaluated for global `z` at "bench/check-ce/func_call6.mlw", line 7, characters 4-5: {contents= 0} Type default value for parameter `_` at NO LOC: () Value from model for variable `z` at "bench/check-ce/func_call6.mlw", line 15, characters 2-6 at "bench/check-ce/func_call6.mlw", line 15, characters 2-6: {contents= 2} Type default value for return value of call to g at "bench/check-ce/func_call6.mlw", line 15, characters 2-6 at "bench/check-ce/func_call6.mlw", line 15, characters 2-6: () Result of checking model 0: NC - Concrete RAC: FAILURE (assertion at "bench/check-ce/func_call6.mlw", line 16, characters 11-17) File int.mlw: Line 13: Constant zero initialization zero = 0 Line 14: Constant one initialization one = 1 File func_call6.mlw: Line 7: Constant z initialization (giant-step) execution of unimplemented function with args: result = 0 Normal execution of function `ref` with args: contents = 0 Normal execution of function `ref'mk` with args: contents = 0 z = {contents= 0} Unknown location: _ = () File func_call6.mlw: Line 13: _ = () Execution of main function `f` with env: z = {contents= 0} _ = () zero = 0 one = 1 Line 14: Normal execution of function `(:=)` with args: r = {contents= 0} v = 0 Line 15: Normal execution of function `Tuple0` with args: (giant-step) execution of unimplemented function `g` _ = () z = {contents= 2} result of `g` = () Line 16: Property failure at assertion with: z = {contents= 2} - Abstract RAC: FAILURE (assertion at "bench/check-ce/func_call6.mlw", line 16, characters 11-17) File int.mlw: Line 13: Constant zero initialization zero = 0 Line 14: Constant one initialization one = 1 File func_call6.mlw: Line 7: Constant z initialization (giant-step) execution of unimplemented function with args: result = 0 Normal execution of function `ref` with args: contents = 0 Normal execution of function `ref'mk` with args: contents = 0 z = {contents= 0} Unknown location: _ = () File func_call6.mlw: Line 13: _ = () Execution of main function `f` with env: z = {contents= 0} _ = () zero = 0 one = 1 Line 14: Giant-step execution of function `(:=)` with args: r = {contents= 0} v = 0 z = {contents= 0} result of `(:=)` = () Line 15: Normal execution of function `Tuple0` with args: Giant-step execution of function `g` with args: _ = () z = {contents= 2} result of `g` = () Line 16: Property failure at assertion with: z = {contents= 2} Check model 1 ("bench/check-ce/func_call6.mlw", line 16, characters 11-17) Checking model: File func_call6.mlw: Line 11: z = {"type": "Record", "val": {"Field": [{"field": "contents", "value": {"type": "Integer", "val": "0"}}]}} z = {"type": "Record", "val": {"Field": [{"field": "contents", "value": {"type": "Integer", "val": "177"}}]}} Line 14: z = {"type": "Record", "val": {"Field": [{"field": "contents", "value": {"type": "Integer", "val": "0"}}]}} Line 15: z = {"type": "Record", "val": {"Field": [{"field": "contents", "value": {"type": "Integer", "val": "177"}}]}} Line 16: z = {"type": "Record", "val": {"Field": [{"field": "contents", "value": {"type": "Integer", "val": "177"}}]}} Giant-step RAC RHS evaluated for global `zero` at "WHY3DATA/stdlib/int.mlw", line 13, characters 15-19: 0 RHS evaluated for global `one` at "WHY3DATA/stdlib/int.mlw", line 14, characters 15-18: 1 Type default value for return value of call at "bench/check-ce/func_call6.mlw", line 7, characters 12-21 at "bench/check-ce/func_call6.mlw", line 7, characters 12-21: 0 RHS evaluated for global `z` at "bench/check-ce/func_call6.mlw", line 7, characters 4-5: {contents= 0} Type default value for parameter `_` at NO LOC: () Value from model for variable `z` at "bench/check-ce/func_call6.mlw", line 14, characters 2-8 at "bench/check-ce/func_call6.mlw", line 14, characters 2-8: {contents= 0} Type default value for return value of call to (:=) at "bench/check-ce/func_call6.mlw", line 14, characters 2-8 at "bench/check-ce/func_call6.mlw", line 14, characters 2-8: () Value from model for variable `z` at "bench/check-ce/func_call6.mlw", line 15, characters 2-6 at "bench/check-ce/func_call6.mlw", line 15, characters 2-6: {contents= 177} Type default value for return value of call to g at "bench/check-ce/func_call6.mlw", line 15, characters 2-6 at "bench/check-ce/func_call6.mlw", line 15, characters 2-6: () Normal RAC RHS evaluated for global `zero` at "WHY3DATA/stdlib/int.mlw", line 13, characters 15-19: 0 RHS evaluated for global `one` at "WHY3DATA/stdlib/int.mlw", line 14, characters 15-18: 1 Type default value for return value of call at "bench/check-ce/func_call6.mlw", line 7, characters 12-21 at "bench/check-ce/func_call6.mlw", line 7, characters 12-21: 0 RHS evaluated for global `z` at "bench/check-ce/func_call6.mlw", line 7, characters 4-5: {contents= 0} Type default value for parameter `_` at NO LOC: () Value from model for variable `z` at "bench/check-ce/func_call6.mlw", line 15, characters 2-6 at "bench/check-ce/func_call6.mlw", line 15, characters 2-6: {contents= 177} Type default value for return value of call to g at "bench/check-ce/func_call6.mlw", line 15, characters 2-6 at "bench/check-ce/func_call6.mlw", line 15, characters 2-6: () Result of checking model 1: NC - Concrete RAC: FAILURE (assertion at "bench/check-ce/func_call6.mlw", line 16, characters 11-17) File int.mlw: Line 13: Constant zero initialization zero = 0 Line 14: Constant one initialization one = 1 File func_call6.mlw: Line 7: Constant z initialization (giant-step) execution of unimplemented function with args: result = 0 Normal execution of function `ref` with args: contents = 0 Normal execution of function `ref'mk` with args: contents = 0 z = {contents= 0} Unknown location: _ = () File func_call6.mlw: Line 13: _ = () Execution of main function `f` with env: z = {contents= 0} _ = () zero = 0 one = 1 Line 14: Normal execution of function `(:=)` with args: r = {contents= 0} v = 0 Line 15: Normal execution of function `Tuple0` with args: (giant-step) execution of unimplemented function `g` _ = () z = {contents= 177} result of `g` = () Line 16: Property failure at assertion with: z = {contents= 177} - Abstract RAC: FAILURE (assertion at "bench/check-ce/func_call6.mlw", line 16, characters 11-17) File int.mlw: Line 13: Constant zero initialization zero = 0 Line 14: Constant one initialization one = 1 File func_call6.mlw: Line 7: Constant z initialization (giant-step) execution of unimplemented function with args: result = 0 Normal execution of function `ref` with args: contents = 0 Normal execution of function `ref'mk` with args: contents = 0 z = {contents= 0} Unknown location: _ = () File func_call6.mlw: Line 13: _ = () Execution of main function `f` with env: z = {contents= 0} _ = () zero = 0 one = 1 Line 14: Giant-step execution of function `(:=)` with args: r = {contents= 0} v = 0 z = {contents= 0} result of `(:=)` = () Line 15: Normal execution of function `Tuple0` with args: Giant-step execution of function `g` with args: _ = () z = {contents= 177} result of `g` = () Line 16: Property failure at assertion with: z = {contents= 177} Results: - Selected model 0: NC - Concrete RAC: FAILURE (assertion at "bench/check-ce/func_call6.mlw", line 16, characters 11-17) - Abstract RAC: FAILURE (assertion at "bench/check-ce/func_call6.mlw", line 16, characters 11-17) - Checked model 1: NC - Concrete RAC: FAILURE (assertion at "bench/check-ce/func_call6.mlw", line 16, characters 11-17) - Abstract RAC: FAILURE (assertion at "bench/check-ce/func_call6.mlw", line 16, characters 11-17) File "bench/check-ce/func_call6.mlw", line 16, characters 11-17: Sub-goal Assertion of goal f'vc. Prover result is: Unknown (unknown) (1.32s, 7500000 steps). The program does not comply to the verification goal, for example during the following execution: File int.mlw: Line 13: Constant zero initialization zero = 0 Line 14: Constant one initialization one = 1 File func_call6.mlw: Line 7: Constant z initialization (giant-step) execution of unimplemented function with args: result = 0 Normal execution of function `ref` with args: contents = 0 Normal execution of function `ref'mk` with args: contents = 0 z = {contents= 0} Unknown location: _ = () File func_call6.mlw: Line 13: _ = () Execution of main function `f` with env: z = {contents= 0} _ = () zero = 0 one = 1 Line 14: Normal execution of function `(:=)` with args: r = {contents= 0} v = 0 Line 15: Normal execution of function `Tuple0` with args: (giant-step) execution of unimplemented function `g` _ = () z = {contents= 2} result of `g` = () Line 16: Property failure at assertion with: z = {contents= 2} why3-1.6.0/bench/check-ce/oracles/func_call6_Z3,4.8.4_WP.oracle000066400000000000000000000376711440160026300234300ustar00rootroot00000000000000Check model 0 ("bench/check-ce/func_call6.mlw", line 16, characters 11-17) Checking model: File func_call6.mlw: Line 11: z = {"type": "Record", "val": {"Field": [{"field": "contents", "value": {"type": "Integer", "val": "0"}}]}} z = {"type": "Record", "val": {"Field": [{"field": "contents", "value": {"type": "Integer", "val": "2"}}]}} Line 14: z = {"type": "Record", "val": {"Field": [{"field": "contents", "value": {"type": "Integer", "val": "0"}}]}} Line 15: z = {"type": "Record", "val": {"Field": [{"field": "contents", "value": {"type": "Integer", "val": "2"}}]}} Line 16: z = {"type": "Record", "val": {"Field": [{"field": "contents", "value": {"type": "Integer", "val": "2"}}]}} Giant-step RAC RHS evaluated for global `zero` at "WHY3DATA/stdlib/int.mlw", line 13, characters 15-19: 0 RHS evaluated for global `one` at "WHY3DATA/stdlib/int.mlw", line 14, characters 15-18: 1 Type default value for return value of call at "bench/check-ce/func_call6.mlw", line 7, characters 12-21 at "bench/check-ce/func_call6.mlw", line 7, characters 12-21: 0 RHS evaluated for global `z` at "bench/check-ce/func_call6.mlw", line 7, characters 4-5: {contents= 0} Type default value for parameter `_` at NO LOC: () Value from model for variable `z` at "bench/check-ce/func_call6.mlw", line 14, characters 2-8 at "bench/check-ce/func_call6.mlw", line 14, characters 2-8: {contents= 0} Type default value for return value of call to (:=) at "bench/check-ce/func_call6.mlw", line 14, characters 2-8 at "bench/check-ce/func_call6.mlw", line 14, characters 2-8: () Value from model for variable `z` at "bench/check-ce/func_call6.mlw", line 15, characters 2-6 at "bench/check-ce/func_call6.mlw", line 15, characters 2-6: {contents= 2} Type default value for return value of call to g at "bench/check-ce/func_call6.mlw", line 15, characters 2-6 at "bench/check-ce/func_call6.mlw", line 15, characters 2-6: () Normal RAC RHS evaluated for global `zero` at "WHY3DATA/stdlib/int.mlw", line 13, characters 15-19: 0 RHS evaluated for global `one` at "WHY3DATA/stdlib/int.mlw", line 14, characters 15-18: 1 Type default value for return value of call at "bench/check-ce/func_call6.mlw", line 7, characters 12-21 at "bench/check-ce/func_call6.mlw", line 7, characters 12-21: 0 RHS evaluated for global `z` at "bench/check-ce/func_call6.mlw", line 7, characters 4-5: {contents= 0} Type default value for parameter `_` at NO LOC: () Value from model for variable `z` at "bench/check-ce/func_call6.mlw", line 15, characters 2-6 at "bench/check-ce/func_call6.mlw", line 15, characters 2-6: {contents= 2} Type default value for return value of call to g at "bench/check-ce/func_call6.mlw", line 15, characters 2-6 at "bench/check-ce/func_call6.mlw", line 15, characters 2-6: () Result of checking model 0: NC - Concrete RAC: FAILURE (assertion at "bench/check-ce/func_call6.mlw", line 16, characters 11-17) File int.mlw: Line 13: Constant zero initialization zero = 0 Line 14: Constant one initialization one = 1 File func_call6.mlw: Line 7: Constant z initialization (giant-step) execution of unimplemented function with args: result = 0 Normal execution of function `ref` with args: contents = 0 Normal execution of function `ref'mk` with args: contents = 0 z = {contents= 0} Unknown location: _ = () File func_call6.mlw: Line 13: _ = () Execution of main function `f` with env: z = {contents= 0} _ = () zero = 0 one = 1 Line 14: Normal execution of function `(:=)` with args: r = {contents= 0} v = 0 Line 15: Normal execution of function `Tuple0` with args: (giant-step) execution of unimplemented function `g` _ = () z = {contents= 2} result of `g` = () Line 16: Property failure at assertion with: z = {contents= 2} - Abstract RAC: FAILURE (assertion at "bench/check-ce/func_call6.mlw", line 16, characters 11-17) File int.mlw: Line 13: Constant zero initialization zero = 0 Line 14: Constant one initialization one = 1 File func_call6.mlw: Line 7: Constant z initialization (giant-step) execution of unimplemented function with args: result = 0 Normal execution of function `ref` with args: contents = 0 Normal execution of function `ref'mk` with args: contents = 0 z = {contents= 0} Unknown location: _ = () File func_call6.mlw: Line 13: _ = () Execution of main function `f` with env: z = {contents= 0} _ = () zero = 0 one = 1 Line 14: Giant-step execution of function `(:=)` with args: r = {contents= 0} v = 0 z = {contents= 0} result of `(:=)` = () Line 15: Normal execution of function `Tuple0` with args: Giant-step execution of function `g` with args: _ = () z = {contents= 2} result of `g` = () Line 16: Property failure at assertion with: z = {contents= 2} Check model 1 ("bench/check-ce/func_call6.mlw", line 16, characters 11-17) Checking model: File func_call6.mlw: Line 11: z = {"type": "Record", "val": {"Field": [{"field": "contents", "value": {"type": "Integer", "val": "0"}}]}} z = {"type": "Record", "val": {"Field": [{"field": "contents", "value": {"type": "Integer", "val": "177"}}]}} Line 14: z = {"type": "Record", "val": {"Field": [{"field": "contents", "value": {"type": "Integer", "val": "0"}}]}} Line 15: z = {"type": "Record", "val": {"Field": [{"field": "contents", "value": {"type": "Integer", "val": "177"}}]}} Line 16: z = {"type": "Record", "val": {"Field": [{"field": "contents", "value": {"type": "Integer", "val": "177"}}]}} Giant-step RAC RHS evaluated for global `zero` at "WHY3DATA/stdlib/int.mlw", line 13, characters 15-19: 0 RHS evaluated for global `one` at "WHY3DATA/stdlib/int.mlw", line 14, characters 15-18: 1 Type default value for return value of call at "bench/check-ce/func_call6.mlw", line 7, characters 12-21 at "bench/check-ce/func_call6.mlw", line 7, characters 12-21: 0 RHS evaluated for global `z` at "bench/check-ce/func_call6.mlw", line 7, characters 4-5: {contents= 0} Type default value for parameter `_` at NO LOC: () Value from model for variable `z` at "bench/check-ce/func_call6.mlw", line 14, characters 2-8 at "bench/check-ce/func_call6.mlw", line 14, characters 2-8: {contents= 0} Type default value for return value of call to (:=) at "bench/check-ce/func_call6.mlw", line 14, characters 2-8 at "bench/check-ce/func_call6.mlw", line 14, characters 2-8: () Value from model for variable `z` at "bench/check-ce/func_call6.mlw", line 15, characters 2-6 at "bench/check-ce/func_call6.mlw", line 15, characters 2-6: {contents= 177} Type default value for return value of call to g at "bench/check-ce/func_call6.mlw", line 15, characters 2-6 at "bench/check-ce/func_call6.mlw", line 15, characters 2-6: () Normal RAC RHS evaluated for global `zero` at "WHY3DATA/stdlib/int.mlw", line 13, characters 15-19: 0 RHS evaluated for global `one` at "WHY3DATA/stdlib/int.mlw", line 14, characters 15-18: 1 Type default value for return value of call at "bench/check-ce/func_call6.mlw", line 7, characters 12-21 at "bench/check-ce/func_call6.mlw", line 7, characters 12-21: 0 RHS evaluated for global `z` at "bench/check-ce/func_call6.mlw", line 7, characters 4-5: {contents= 0} Type default value for parameter `_` at NO LOC: () Value from model for variable `z` at "bench/check-ce/func_call6.mlw", line 15, characters 2-6 at "bench/check-ce/func_call6.mlw", line 15, characters 2-6: {contents= 177} Type default value for return value of call to g at "bench/check-ce/func_call6.mlw", line 15, characters 2-6 at "bench/check-ce/func_call6.mlw", line 15, characters 2-6: () Result of checking model 1: NC - Concrete RAC: FAILURE (assertion at "bench/check-ce/func_call6.mlw", line 16, characters 11-17) File int.mlw: Line 13: Constant zero initialization zero = 0 Line 14: Constant one initialization one = 1 File func_call6.mlw: Line 7: Constant z initialization (giant-step) execution of unimplemented function with args: result = 0 Normal execution of function `ref` with args: contents = 0 Normal execution of function `ref'mk` with args: contents = 0 z = {contents= 0} Unknown location: _ = () File func_call6.mlw: Line 13: _ = () Execution of main function `f` with env: z = {contents= 0} _ = () zero = 0 one = 1 Line 14: Normal execution of function `(:=)` with args: r = {contents= 0} v = 0 Line 15: Normal execution of function `Tuple0` with args: (giant-step) execution of unimplemented function `g` _ = () z = {contents= 177} result of `g` = () Line 16: Property failure at assertion with: z = {contents= 177} - Abstract RAC: FAILURE (assertion at "bench/check-ce/func_call6.mlw", line 16, characters 11-17) File int.mlw: Line 13: Constant zero initialization zero = 0 Line 14: Constant one initialization one = 1 File func_call6.mlw: Line 7: Constant z initialization (giant-step) execution of unimplemented function with args: result = 0 Normal execution of function `ref` with args: contents = 0 Normal execution of function `ref'mk` with args: contents = 0 z = {contents= 0} Unknown location: _ = () File func_call6.mlw: Line 13: _ = () Execution of main function `f` with env: z = {contents= 0} _ = () zero = 0 one = 1 Line 14: Giant-step execution of function `(:=)` with args: r = {contents= 0} v = 0 z = {contents= 0} result of `(:=)` = () Line 15: Normal execution of function `Tuple0` with args: Giant-step execution of function `g` with args: _ = () z = {contents= 177} result of `g` = () Line 16: Property failure at assertion with: z = {contents= 177} Results: - Selected model 0: NC - Concrete RAC: FAILURE (assertion at "bench/check-ce/func_call6.mlw", line 16, characters 11-17) - Abstract RAC: FAILURE (assertion at "bench/check-ce/func_call6.mlw", line 16, characters 11-17) - Checked model 1: NC - Concrete RAC: FAILURE (assertion at "bench/check-ce/func_call6.mlw", line 16, characters 11-17) - Abstract RAC: FAILURE (assertion at "bench/check-ce/func_call6.mlw", line 16, characters 11-17) File "bench/check-ce/func_call6.mlw", line 16, characters 11-17: Sub-goal Assertion of goal f'vc. Prover result is: Unknown (unknown) (1.27s, 7500000 steps). The program does not comply to the verification goal, for example during the following execution: File int.mlw: Line 13: Constant zero initialization zero = 0 Line 14: Constant one initialization one = 1 File func_call6.mlw: Line 7: Constant z initialization (giant-step) execution of unimplemented function with args: result = 0 Normal execution of function `ref` with args: contents = 0 Normal execution of function `ref'mk` with args: contents = 0 z = {contents= 0} Unknown location: _ = () File func_call6.mlw: Line 13: _ = () Execution of main function `f` with env: z = {contents= 0} _ = () zero = 0 one = 1 Line 14: Normal execution of function `(:=)` with args: r = {contents= 0} v = 0 Line 15: Normal execution of function `Tuple0` with args: (giant-step) execution of unimplemented function `g` _ = () z = {contents= 2} result of `g` = () Line 16: Property failure at assertion with: z = {contents= 2} why3-1.6.0/bench/check-ce/oracles/func_call6_mono_CVC4,1.8_SP.oracle000066400000000000000000000025101440160026300244720ustar00rootroot00000000000000Categorizations of models: - Selected model 0: NC - Concrete RAC: FAILURE (assertion at "bench/check-ce/func_call6_mono.mlw", line 17, characters 11-18) - Abstract RAC: FAILURE (assertion at "bench/check-ce/func_call6_mono.mlw", line 17, characters 11-18) - Checked model 1: NC - Concrete RAC: FAILURE (assertion at "bench/check-ce/func_call6_mono.mlw", line 17, characters 11-18) - Abstract RAC: FAILURE (assertion at "bench/check-ce/func_call6_mono.mlw", line 17, characters 11-18) File "bench/check-ce/func_call6_mono.mlw", line 17, characters 11-18: Sub-goal Assertion of goal f'vc. Prover result is: Unknown (sat). The program does not comply to the verification goal, for example during the following execution: File int.mlw: Line 13: Constant zero initialization zero = 0 Line 14: Constant one initialization one = 1 File func_call6_mono.mlw: Line 8: z = {c= 0} Unknown location: _ = () File func_call6_mono.mlw: Line 14: _ = () Execution of main function `f` with env: z = {c= 0} _ = () zero = 0 one = 1 Line 16: Normal execution of function `Tuple0` with args: (giant-step) execution of unimplemented function `g` _ = () z = {c= 2} result of `g` = () Line 17: Property failure at assertion with: z = {c= 2} why3-1.6.0/bench/check-ce/oracles/func_call6_mono_CVC4,1.8_WP.oracle000066400000000000000000000025101440160026300244760ustar00rootroot00000000000000Categorizations of models: - Selected model 0: NC - Concrete RAC: FAILURE (assertion at "bench/check-ce/func_call6_mono.mlw", line 17, characters 11-18) - Abstract RAC: FAILURE (assertion at "bench/check-ce/func_call6_mono.mlw", line 17, characters 11-18) - Checked model 1: NC - Concrete RAC: FAILURE (assertion at "bench/check-ce/func_call6_mono.mlw", line 17, characters 11-18) - Abstract RAC: FAILURE (assertion at "bench/check-ce/func_call6_mono.mlw", line 17, characters 11-18) File "bench/check-ce/func_call6_mono.mlw", line 17, characters 11-18: Sub-goal Assertion of goal f'vc. Prover result is: Unknown (sat). The program does not comply to the verification goal, for example during the following execution: File int.mlw: Line 13: Constant zero initialization zero = 0 Line 14: Constant one initialization one = 1 File func_call6_mono.mlw: Line 8: z = {c= 0} Unknown location: _ = () File func_call6_mono.mlw: Line 14: _ = () Execution of main function `f` with env: z = {c= 0} _ = () zero = 0 one = 1 Line 16: Normal execution of function `Tuple0` with args: (giant-step) execution of unimplemented function `g` _ = () z = {c= 2} result of `g` = () Line 17: Property failure at assertion with: z = {c= 2} why3-1.6.0/bench/check-ce/oracles/func_call6_mono_CVC5,1.0.0_SP.oracle000066400000000000000000000025101440160026300246210ustar00rootroot00000000000000Categorizations of models: - Selected model 0: NC - Concrete RAC: FAILURE (assertion at "bench/check-ce/func_call6_mono.mlw", line 17, characters 11-18) - Abstract RAC: FAILURE (assertion at "bench/check-ce/func_call6_mono.mlw", line 17, characters 11-18) - Checked model 1: NC - Concrete RAC: FAILURE (assertion at "bench/check-ce/func_call6_mono.mlw", line 17, characters 11-18) - Abstract RAC: FAILURE (assertion at "bench/check-ce/func_call6_mono.mlw", line 17, characters 11-18) File "bench/check-ce/func_call6_mono.mlw", line 17, characters 11-18: Sub-goal Assertion of goal f'vc. Prover result is: Unknown (sat). The program does not comply to the verification goal, for example during the following execution: File int.mlw: Line 13: Constant zero initialization zero = 0 Line 14: Constant one initialization one = 1 File func_call6_mono.mlw: Line 8: z = {c= 0} Unknown location: _ = () File func_call6_mono.mlw: Line 14: _ = () Execution of main function `f` with env: z = {c= 0} _ = () zero = 0 one = 1 Line 16: Normal execution of function `Tuple0` with args: (giant-step) execution of unimplemented function `g` _ = () z = {c= 2} result of `g` = () Line 17: Property failure at assertion with: z = {c= 2} why3-1.6.0/bench/check-ce/oracles/func_call6_mono_CVC5,1.0.0_WP.oracle000066400000000000000000000025101440160026300246250ustar00rootroot00000000000000Categorizations of models: - Selected model 0: NC - Concrete RAC: FAILURE (assertion at "bench/check-ce/func_call6_mono.mlw", line 17, characters 11-18) - Abstract RAC: FAILURE (assertion at "bench/check-ce/func_call6_mono.mlw", line 17, characters 11-18) - Checked model 1: NC - Concrete RAC: FAILURE (assertion at "bench/check-ce/func_call6_mono.mlw", line 17, characters 11-18) - Abstract RAC: FAILURE (assertion at "bench/check-ce/func_call6_mono.mlw", line 17, characters 11-18) File "bench/check-ce/func_call6_mono.mlw", line 17, characters 11-18: Sub-goal Assertion of goal f'vc. Prover result is: Unknown (sat). The program does not comply to the verification goal, for example during the following execution: File int.mlw: Line 13: Constant zero initialization zero = 0 Line 14: Constant one initialization one = 1 File func_call6_mono.mlw: Line 8: z = {c= 0} Unknown location: _ = () File func_call6_mono.mlw: Line 14: _ = () Execution of main function `f` with env: z = {c= 0} _ = () zero = 0 one = 1 Line 16: Normal execution of function `Tuple0` with args: (giant-step) execution of unimplemented function `g` _ = () z = {c= 2} result of `g` = () Line 17: Property failure at assertion with: z = {c= 2} why3-1.6.0/bench/check-ce/oracles/func_call6_mono_Z3,4.8.10_SP.oracle000066400000000000000000000025101440160026300245110ustar00rootroot00000000000000Categorizations of models: - Selected model 0: NC - Concrete RAC: FAILURE (assertion at "bench/check-ce/func_call6_mono.mlw", line 17, characters 11-18) - Abstract RAC: FAILURE (assertion at "bench/check-ce/func_call6_mono.mlw", line 17, characters 11-18) - Checked model 1: NC - Concrete RAC: FAILURE (assertion at "bench/check-ce/func_call6_mono.mlw", line 17, characters 11-18) - Abstract RAC: FAILURE (assertion at "bench/check-ce/func_call6_mono.mlw", line 17, characters 11-18) File "bench/check-ce/func_call6_mono.mlw", line 17, characters 11-18: Sub-goal Assertion of goal f'vc. Prover result is: Unknown (sat). The program does not comply to the verification goal, for example during the following execution: File int.mlw: Line 13: Constant zero initialization zero = 0 Line 14: Constant one initialization one = 1 File func_call6_mono.mlw: Line 8: z = {c= 0} Unknown location: _ = () File func_call6_mono.mlw: Line 14: _ = () Execution of main function `f` with env: z = {c= 0} _ = () zero = 0 one = 1 Line 16: Normal execution of function `Tuple0` with args: (giant-step) execution of unimplemented function `g` _ = () z = {c= 2} result of `g` = () Line 17: Property failure at assertion with: z = {c= 2} why3-1.6.0/bench/check-ce/oracles/func_call6_mono_Z3,4.8.10_WP.oracle000066400000000000000000000025101440160026300245150ustar00rootroot00000000000000Categorizations of models: - Selected model 0: NC - Concrete RAC: FAILURE (assertion at "bench/check-ce/func_call6_mono.mlw", line 17, characters 11-18) - Abstract RAC: FAILURE (assertion at "bench/check-ce/func_call6_mono.mlw", line 17, characters 11-18) - Checked model 1: NC - Concrete RAC: FAILURE (assertion at "bench/check-ce/func_call6_mono.mlw", line 17, characters 11-18) - Abstract RAC: FAILURE (assertion at "bench/check-ce/func_call6_mono.mlw", line 17, characters 11-18) File "bench/check-ce/func_call6_mono.mlw", line 17, characters 11-18: Sub-goal Assertion of goal f'vc. Prover result is: Unknown (sat). The program does not comply to the verification goal, for example during the following execution: File int.mlw: Line 13: Constant zero initialization zero = 0 Line 14: Constant one initialization one = 1 File func_call6_mono.mlw: Line 8: z = {c= 0} Unknown location: _ = () File func_call6_mono.mlw: Line 14: _ = () Execution of main function `f` with env: z = {c= 0} _ = () zero = 0 one = 1 Line 16: Normal execution of function `Tuple0` with args: (giant-step) execution of unimplemented function `g` _ = () z = {c= 2} result of `g` = () Line 17: Property failure at assertion with: z = {c= 2} why3-1.6.0/bench/check-ce/oracles/func_call_CVC4,1.8_SP.oracle000066400000000000000000000030541440160026300233600ustar00rootroot00000000000000File "bench/check-ce/func_call.mlw", line 8, characters 12-21: Sub-goal Postcondition of goal g'vc. Prover result is: Valid. Categorizations of models: - Selected model 0: SW - Concrete RAC: NORMAL - Abstract RAC: FAILURE (assertion at "bench/check-ce/func_call.mlw", line 14, characters 11-16) - Checked model 1: SW - Concrete RAC: NORMAL - Abstract RAC: FAILURE (assertion at "bench/check-ce/func_call.mlw", line 14, characters 11-16) File "bench/check-ce/func_call.mlw", line 14, characters 11-16: Sub-goal Assertion of goal f'vc. Prover result is: Unknown or time/memory/step limit. The contracts of some function or loop are too weak, for example during the following execution: File int.mlw: Line 13: Constant zero initialization zero = 0 Line 14: Constant one initialization one = 1 File func_call.mlw: Line 4: Constant z initialization (giant-step) execution of unimplemented function with args: result = 0 Normal execution of function `ref` with args: contents = 0 Normal execution of function `ref'mk` with args: contents = 0 z = {contents= 0} Unknown location: _ = () File func_call.mlw: Line 11: _ = () Execution of main function `f` with env: z = {contents= 0} _ = () zero = 0 one = 1 Line 13: Normal execution of function `Tuple0` with args: Giant-step execution of function `g` with args: _ = () z = {contents= 2} result of `g` = () Line 14: Property failure at assertion with: z = {contents= 2} why3-1.6.0/bench/check-ce/oracles/func_call_CVC4,1.8_WP.oracle000066400000000000000000000030541440160026300233640ustar00rootroot00000000000000File "bench/check-ce/func_call.mlw", line 8, characters 12-21: Sub-goal Postcondition of goal g'vc. Prover result is: Valid. Categorizations of models: - Selected model 0: SW - Concrete RAC: NORMAL - Abstract RAC: FAILURE (assertion at "bench/check-ce/func_call.mlw", line 14, characters 11-16) - Checked model 1: SW - Concrete RAC: NORMAL - Abstract RAC: FAILURE (assertion at "bench/check-ce/func_call.mlw", line 14, characters 11-16) File "bench/check-ce/func_call.mlw", line 14, characters 11-16: Sub-goal Assertion of goal f'vc. Prover result is: Unknown or time/memory/step limit. The contracts of some function or loop are too weak, for example during the following execution: File int.mlw: Line 13: Constant zero initialization zero = 0 Line 14: Constant one initialization one = 1 File func_call.mlw: Line 4: Constant z initialization (giant-step) execution of unimplemented function with args: result = 0 Normal execution of function `ref` with args: contents = 0 Normal execution of function `ref'mk` with args: contents = 0 z = {contents= 0} Unknown location: _ = () File func_call.mlw: Line 11: _ = () Execution of main function `f` with env: z = {contents= 0} _ = () zero = 0 one = 1 Line 13: Normal execution of function `Tuple0` with args: Giant-step execution of function `g` with args: _ = () z = {contents= 2} result of `g` = () Line 14: Property failure at assertion with: z = {contents= 2} why3-1.6.0/bench/check-ce/oracles/func_call_CVC5,1.0.0_SP.oracle000066400000000000000000000030541440160026300235070ustar00rootroot00000000000000File "bench/check-ce/func_call.mlw", line 8, characters 12-21: Sub-goal Postcondition of goal g'vc. Prover result is: Valid. Categorizations of models: - Selected model 0: SW - Concrete RAC: NORMAL - Abstract RAC: FAILURE (assertion at "bench/check-ce/func_call.mlw", line 14, characters 11-16) - Checked model 1: SW - Concrete RAC: NORMAL - Abstract RAC: FAILURE (assertion at "bench/check-ce/func_call.mlw", line 14, characters 11-16) File "bench/check-ce/func_call.mlw", line 14, characters 11-16: Sub-goal Assertion of goal f'vc. Prover result is: Unknown or time/memory/step limit. The contracts of some function or loop are too weak, for example during the following execution: File int.mlw: Line 13: Constant zero initialization zero = 0 Line 14: Constant one initialization one = 1 File func_call.mlw: Line 4: Constant z initialization (giant-step) execution of unimplemented function with args: result = 0 Normal execution of function `ref` with args: contents = 0 Normal execution of function `ref'mk` with args: contents = 0 z = {contents= 0} Unknown location: _ = () File func_call.mlw: Line 11: _ = () Execution of main function `f` with env: z = {contents= 0} _ = () zero = 0 one = 1 Line 13: Normal execution of function `Tuple0` with args: Giant-step execution of function `g` with args: _ = () z = {contents= 2} result of `g` = () Line 14: Property failure at assertion with: z = {contents= 2} why3-1.6.0/bench/check-ce/oracles/func_call_CVC5,1.0.0_WP.oracle000066400000000000000000000030541440160026300235130ustar00rootroot00000000000000File "bench/check-ce/func_call.mlw", line 8, characters 12-21: Sub-goal Postcondition of goal g'vc. Prover result is: Valid. Categorizations of models: - Selected model 0: SW - Concrete RAC: NORMAL - Abstract RAC: FAILURE (assertion at "bench/check-ce/func_call.mlw", line 14, characters 11-16) - Checked model 1: SW - Concrete RAC: NORMAL - Abstract RAC: FAILURE (assertion at "bench/check-ce/func_call.mlw", line 14, characters 11-16) File "bench/check-ce/func_call.mlw", line 14, characters 11-16: Sub-goal Assertion of goal f'vc. Prover result is: Unknown or time/memory/step limit. The contracts of some function or loop are too weak, for example during the following execution: File int.mlw: Line 13: Constant zero initialization zero = 0 Line 14: Constant one initialization one = 1 File func_call.mlw: Line 4: Constant z initialization (giant-step) execution of unimplemented function with args: result = 0 Normal execution of function `ref` with args: contents = 0 Normal execution of function `ref'mk` with args: contents = 0 z = {contents= 0} Unknown location: _ = () File func_call.mlw: Line 11: _ = () Execution of main function `f` with env: z = {contents= 0} _ = () zero = 0 one = 1 Line 13: Normal execution of function `Tuple0` with args: Giant-step execution of function `g` with args: _ = () z = {contents= 2} result of `g` = () Line 14: Property failure at assertion with: z = {contents= 2} why3-1.6.0/bench/check-ce/oracles/func_call_Z3,4.8.10_SP.oracle000066400000000000000000000031031440160026300233720ustar00rootroot00000000000000File "bench/check-ce/func_call.mlw", line 8, characters 12-21: Sub-goal Postcondition of goal g'vc. Prover result is: Valid. Categorizations of models: - Selected model 0: SW - Concrete RAC: NORMAL - Abstract RAC: FAILURE (assertion at "bench/check-ce/func_call.mlw", line 14, characters 11-16) - Checked model 1: BAD_CE - Concrete RAC: NORMAL - Abstract RAC: STUCK (failure in postcondition of `g` at "bench/check-ce/func_call.mlw", line 8, characters 12-21) File "bench/check-ce/func_call.mlw", line 14, characters 11-16: Sub-goal Assertion of goal f'vc. Prover result is: Unknown or time/memory/step limit. The contracts of some function or loop are too weak, for example during the following execution: File int.mlw: Line 13: Constant zero initialization zero = 0 Line 14: Constant one initialization one = 1 File func_call.mlw: Line 4: Constant z initialization (giant-step) execution of unimplemented function with args: result = 0 Normal execution of function `ref` with args: contents = 0 Normal execution of function `ref'mk` with args: contents = 0 z = {contents= 0} Unknown location: _ = () File func_call.mlw: Line 11: _ = () Execution of main function `f` with env: z = {contents= 0} _ = () zero = 0 one = 1 Line 13: Normal execution of function `Tuple0` with args: Giant-step execution of function `g` with args: _ = () z = {contents= 2} result of `g` = () Line 14: Property failure at assertion with: z = {contents= 2} why3-1.6.0/bench/check-ce/oracles/func_call_Z3,4.8.10_WP.oracle000066400000000000000000000031031440160026300233760ustar00rootroot00000000000000File "bench/check-ce/func_call.mlw", line 8, characters 12-21: Sub-goal Postcondition of goal g'vc. Prover result is: Valid. Categorizations of models: - Selected model 0: SW - Concrete RAC: NORMAL - Abstract RAC: FAILURE (assertion at "bench/check-ce/func_call.mlw", line 14, characters 11-16) - Checked model 1: BAD_CE - Concrete RAC: NORMAL - Abstract RAC: STUCK (failure in postcondition of `g` at "bench/check-ce/func_call.mlw", line 8, characters 12-21) File "bench/check-ce/func_call.mlw", line 14, characters 11-16: Sub-goal Assertion of goal f'vc. Prover result is: Unknown or time/memory/step limit. The contracts of some function or loop are too weak, for example during the following execution: File int.mlw: Line 13: Constant zero initialization zero = 0 Line 14: Constant one initialization one = 1 File func_call.mlw: Line 4: Constant z initialization (giant-step) execution of unimplemented function with args: result = 0 Normal execution of function `ref` with args: contents = 0 Normal execution of function `ref'mk` with args: contents = 0 z = {contents= 0} Unknown location: _ = () File func_call.mlw: Line 11: _ = () Execution of main function `f` with env: z = {contents= 0} _ = () zero = 0 one = 1 Line 13: Normal execution of function `Tuple0` with args: Giant-step execution of function `g` with args: _ = () z = {contents= 2} result of `g` = () Line 14: Property failure at assertion with: z = {contents= 2} why3-1.6.0/bench/check-ce/oracles/func_call_Z3,4.8.4_SP.oracle000066400000000000000000000327011440160026300233230ustar00rootroot00000000000000File "bench/check-ce/func_call.mlw", line 8, characters 12-21: Sub-goal Postcondition of goal g'vc. Prover result is: Valid (0.03s, 159 steps). Check model 0 ("bench/check-ce/func_call.mlw", line 14, characters 11-16) Checking model: File func_call.mlw: Line 8: z = {"type": "Record", "val": {"Field": [{"field": "contents", "value": {"type": "Integer", "val": "0"}}]}} z = {"type": "Record", "val": {"Field": [{"field": "contents", "value": {"type": "Integer", "val": "2"}}]}} Line 12: z = {"type": "Record", "val": {"Field": [{"field": "contents", "value": {"type": "Integer", "val": "0"}}]}} Line 13: z = {"type": "Record", "val": {"Field": [{"field": "contents", "value": {"type": "Integer", "val": "2"}}]}} Line 14: z = {"type": "Record", "val": {"Field": [{"field": "contents", "value": {"type": "Integer", "val": "2"}}]}} Giant-step RAC RHS evaluated for global `zero` at "WHY3DATA/stdlib/int.mlw", line 13, characters 15-19: 0 RHS evaluated for global `one` at "WHY3DATA/stdlib/int.mlw", line 14, characters 15-18: 1 Type default value for return value of call at "bench/check-ce/func_call.mlw", line 4, characters 9-14 at "bench/check-ce/func_call.mlw", line 4, characters 9-14: 0 RHS evaluated for global `z` at "bench/check-ce/func_call.mlw", line 4, characters 8-9: {contents= 0} Type default value for parameter `_` at NO LOC: () Value from model for variable `z` at "bench/check-ce/func_call.mlw", line 13, characters 2-6 at "bench/check-ce/func_call.mlw", line 13, characters 2-6: {contents= 2} Type default value for return value of call to g at "bench/check-ce/func_call.mlw", line 13, characters 2-6 at "bench/check-ce/func_call.mlw", line 13, characters 2-6: () Normal RAC RHS evaluated for global `zero` at "WHY3DATA/stdlib/int.mlw", line 13, characters 15-19: 0 RHS evaluated for global `one` at "WHY3DATA/stdlib/int.mlw", line 14, characters 15-18: 1 Type default value for return value of call at "bench/check-ce/func_call.mlw", line 4, characters 9-14 at "bench/check-ce/func_call.mlw", line 4, characters 9-14: 0 RHS evaluated for global `z` at "bench/check-ce/func_call.mlw", line 4, characters 8-9: {contents= 0} Type default value for parameter `_` at NO LOC: () Result of checking model 0: SW - Concrete RAC: NORMAL File int.mlw: Line 13: Constant zero initialization zero = 0 Line 14: Constant one initialization one = 1 File func_call.mlw: Line 4: Constant z initialization (giant-step) execution of unimplemented function with args: result = 0 Normal execution of function `ref` with args: contents = 0 Normal execution of function `ref'mk` with args: contents = 0 z = {contents= 0} Unknown location: _ = () File func_call.mlw: Line 11: _ = () Execution of main function `f` with env: z = {contents= 0} _ = () zero = 0 one = 1 Line 13: Normal execution of function `Tuple0` with args: Normal execution of function `g` with args: _ = () Line 9: Normal execution of function `contents` with args: arg = {contents= 0} Normal execution of function `(+)` with args: _ = 0 _ = 1 Line 11: Execution of main function terminated normally - Abstract RAC: FAILURE (assertion at "bench/check-ce/func_call.mlw", line 14, characters 11-16) File int.mlw: Line 13: Constant zero initialization zero = 0 Line 14: Constant one initialization one = 1 File func_call.mlw: Line 4: Constant z initialization (giant-step) execution of unimplemented function with args: result = 0 Normal execution of function `ref` with args: contents = 0 Normal execution of function `ref'mk` with args: contents = 0 z = {contents= 0} Unknown location: _ = () File func_call.mlw: Line 11: _ = () Execution of main function `f` with env: z = {contents= 0} _ = () zero = 0 one = 1 Line 13: Normal execution of function `Tuple0` with args: Giant-step execution of function `g` with args: _ = () z = {contents= 2} result of `g` = () Line 14: Property failure at assertion with: z = {contents= 2} Check model 1 ("bench/check-ce/func_call.mlw", line 14, characters 11-16) Checking model: File func_call.mlw: Line 8: z = {"type": "Record", "val": {"Field": [{"field": "contents", "value": {"type": "Integer", "val": "0"}}]}} z = {"type": "Record", "val": {"Field": [{"field": "contents", "value": {"type": "Integer", "val": "177"}}]}} Line 12: z = {"type": "Record", "val": {"Field": [{"field": "contents", "value": {"type": "Integer", "val": "0"}}]}} Line 13: z = {"type": "Record", "val": {"Field": [{"field": "contents", "value": {"type": "Integer", "val": "177"}}]}} Line 14: z = {"type": "Record", "val": {"Field": [{"field": "contents", "value": {"type": "Integer", "val": "177"}}]}} Giant-step RAC RHS evaluated for global `zero` at "WHY3DATA/stdlib/int.mlw", line 13, characters 15-19: 0 RHS evaluated for global `one` at "WHY3DATA/stdlib/int.mlw", line 14, characters 15-18: 1 Type default value for return value of call at "bench/check-ce/func_call.mlw", line 4, characters 9-14 at "bench/check-ce/func_call.mlw", line 4, characters 9-14: 0 RHS evaluated for global `z` at "bench/check-ce/func_call.mlw", line 4, characters 8-9: {contents= 0} Type default value for parameter `_` at NO LOC: () Value from model for variable `z` at "bench/check-ce/func_call.mlw", line 13, characters 2-6 at "bench/check-ce/func_call.mlw", line 13, characters 2-6: {contents= 177} Type default value for return value of call to g at "bench/check-ce/func_call.mlw", line 13, characters 2-6 at "bench/check-ce/func_call.mlw", line 13, characters 2-6: () Normal RAC RHS evaluated for global `zero` at "WHY3DATA/stdlib/int.mlw", line 13, characters 15-19: 0 RHS evaluated for global `one` at "WHY3DATA/stdlib/int.mlw", line 14, characters 15-18: 1 Type default value for return value of call at "bench/check-ce/func_call.mlw", line 4, characters 9-14 at "bench/check-ce/func_call.mlw", line 4, characters 9-14: 0 RHS evaluated for global `z` at "bench/check-ce/func_call.mlw", line 4, characters 8-9: {contents= 0} Type default value for parameter `_` at NO LOC: () Result of checking model 1: SW - Concrete RAC: NORMAL File int.mlw: Line 13: Constant zero initialization zero = 0 Line 14: Constant one initialization one = 1 File func_call.mlw: Line 4: Constant z initialization (giant-step) execution of unimplemented function with args: result = 0 Normal execution of function `ref` with args: contents = 0 Normal execution of function `ref'mk` with args: contents = 0 z = {contents= 0} Unknown location: _ = () File func_call.mlw: Line 11: _ = () Execution of main function `f` with env: z = {contents= 0} _ = () zero = 0 one = 1 Line 13: Normal execution of function `Tuple0` with args: Normal execution of function `g` with args: _ = () Line 9: Normal execution of function `contents` with args: arg = {contents= 0} Normal execution of function `(+)` with args: _ = 0 _ = 1 Line 11: Execution of main function terminated normally - Abstract RAC: FAILURE (assertion at "bench/check-ce/func_call.mlw", line 14, characters 11-16) File int.mlw: Line 13: Constant zero initialization zero = 0 Line 14: Constant one initialization one = 1 File func_call.mlw: Line 4: Constant z initialization (giant-step) execution of unimplemented function with args: result = 0 Normal execution of function `ref` with args: contents = 0 Normal execution of function `ref'mk` with args: contents = 0 z = {contents= 0} Unknown location: _ = () File func_call.mlw: Line 11: _ = () Execution of main function `f` with env: z = {contents= 0} _ = () zero = 0 one = 1 Line 13: Normal execution of function `Tuple0` with args: Giant-step execution of function `g` with args: _ = () z = {contents= 177} result of `g` = () Line 14: Property failure at assertion with: z = {contents= 177} Results: - Selected model 0: SW - Concrete RAC: NORMAL - Abstract RAC: FAILURE (assertion at "bench/check-ce/func_call.mlw", line 14, characters 11-16) - Checked model 1: SW - Concrete RAC: NORMAL - Abstract RAC: FAILURE (assertion at "bench/check-ce/func_call.mlw", line 14, characters 11-16) File "bench/check-ce/func_call.mlw", line 14, characters 11-16: Sub-goal Assertion of goal f'vc. Prover result is: Unknown (unknown) (1.27s, 7500000 steps). The contracts of some function or loop are too weak, for example during the following execution: File int.mlw: Line 13: Constant zero initialization zero = 0 Line 14: Constant one initialization one = 1 File func_call.mlw: Line 4: Constant z initialization (giant-step) execution of unimplemented function with args: result = 0 Normal execution of function `ref` with args: contents = 0 Normal execution of function `ref'mk` with args: contents = 0 z = {contents= 0} Unknown location: _ = () File func_call.mlw: Line 11: _ = () Execution of main function `f` with env: z = {contents= 0} _ = () zero = 0 one = 1 Line 13: Normal execution of function `Tuple0` with args: Giant-step execution of function `g` with args: _ = () z = {contents= 2} result of `g` = () Line 14: Property failure at assertion with: z = {contents= 2} why3-1.6.0/bench/check-ce/oracles/func_call_Z3,4.8.4_WP.oracle000066400000000000000000000327011440160026300233270ustar00rootroot00000000000000File "bench/check-ce/func_call.mlw", line 8, characters 12-21: Sub-goal Postcondition of goal g'vc. Prover result is: Valid (0.02s, 159 steps). Check model 0 ("bench/check-ce/func_call.mlw", line 14, characters 11-16) Checking model: File func_call.mlw: Line 8: z = {"type": "Record", "val": {"Field": [{"field": "contents", "value": {"type": "Integer", "val": "0"}}]}} z = {"type": "Record", "val": {"Field": [{"field": "contents", "value": {"type": "Integer", "val": "2"}}]}} Line 12: z = {"type": "Record", "val": {"Field": [{"field": "contents", "value": {"type": "Integer", "val": "0"}}]}} Line 13: z = {"type": "Record", "val": {"Field": [{"field": "contents", "value": {"type": "Integer", "val": "2"}}]}} Line 14: z = {"type": "Record", "val": {"Field": [{"field": "contents", "value": {"type": "Integer", "val": "2"}}]}} Giant-step RAC RHS evaluated for global `zero` at "WHY3DATA/stdlib/int.mlw", line 13, characters 15-19: 0 RHS evaluated for global `one` at "WHY3DATA/stdlib/int.mlw", line 14, characters 15-18: 1 Type default value for return value of call at "bench/check-ce/func_call.mlw", line 4, characters 9-14 at "bench/check-ce/func_call.mlw", line 4, characters 9-14: 0 RHS evaluated for global `z` at "bench/check-ce/func_call.mlw", line 4, characters 8-9: {contents= 0} Type default value for parameter `_` at NO LOC: () Value from model for variable `z` at "bench/check-ce/func_call.mlw", line 13, characters 2-6 at "bench/check-ce/func_call.mlw", line 13, characters 2-6: {contents= 2} Type default value for return value of call to g at "bench/check-ce/func_call.mlw", line 13, characters 2-6 at "bench/check-ce/func_call.mlw", line 13, characters 2-6: () Normal RAC RHS evaluated for global `zero` at "WHY3DATA/stdlib/int.mlw", line 13, characters 15-19: 0 RHS evaluated for global `one` at "WHY3DATA/stdlib/int.mlw", line 14, characters 15-18: 1 Type default value for return value of call at "bench/check-ce/func_call.mlw", line 4, characters 9-14 at "bench/check-ce/func_call.mlw", line 4, characters 9-14: 0 RHS evaluated for global `z` at "bench/check-ce/func_call.mlw", line 4, characters 8-9: {contents= 0} Type default value for parameter `_` at NO LOC: () Result of checking model 0: SW - Concrete RAC: NORMAL File int.mlw: Line 13: Constant zero initialization zero = 0 Line 14: Constant one initialization one = 1 File func_call.mlw: Line 4: Constant z initialization (giant-step) execution of unimplemented function with args: result = 0 Normal execution of function `ref` with args: contents = 0 Normal execution of function `ref'mk` with args: contents = 0 z = {contents= 0} Unknown location: _ = () File func_call.mlw: Line 11: _ = () Execution of main function `f` with env: z = {contents= 0} _ = () zero = 0 one = 1 Line 13: Normal execution of function `Tuple0` with args: Normal execution of function `g` with args: _ = () Line 9: Normal execution of function `contents` with args: arg = {contents= 0} Normal execution of function `(+)` with args: _ = 0 _ = 1 Line 11: Execution of main function terminated normally - Abstract RAC: FAILURE (assertion at "bench/check-ce/func_call.mlw", line 14, characters 11-16) File int.mlw: Line 13: Constant zero initialization zero = 0 Line 14: Constant one initialization one = 1 File func_call.mlw: Line 4: Constant z initialization (giant-step) execution of unimplemented function with args: result = 0 Normal execution of function `ref` with args: contents = 0 Normal execution of function `ref'mk` with args: contents = 0 z = {contents= 0} Unknown location: _ = () File func_call.mlw: Line 11: _ = () Execution of main function `f` with env: z = {contents= 0} _ = () zero = 0 one = 1 Line 13: Normal execution of function `Tuple0` with args: Giant-step execution of function `g` with args: _ = () z = {contents= 2} result of `g` = () Line 14: Property failure at assertion with: z = {contents= 2} Check model 1 ("bench/check-ce/func_call.mlw", line 14, characters 11-16) Checking model: File func_call.mlw: Line 8: z = {"type": "Record", "val": {"Field": [{"field": "contents", "value": {"type": "Integer", "val": "0"}}]}} z = {"type": "Record", "val": {"Field": [{"field": "contents", "value": {"type": "Integer", "val": "177"}}]}} Line 12: z = {"type": "Record", "val": {"Field": [{"field": "contents", "value": {"type": "Integer", "val": "0"}}]}} Line 13: z = {"type": "Record", "val": {"Field": [{"field": "contents", "value": {"type": "Integer", "val": "177"}}]}} Line 14: z = {"type": "Record", "val": {"Field": [{"field": "contents", "value": {"type": "Integer", "val": "177"}}]}} Giant-step RAC RHS evaluated for global `zero` at "WHY3DATA/stdlib/int.mlw", line 13, characters 15-19: 0 RHS evaluated for global `one` at "WHY3DATA/stdlib/int.mlw", line 14, characters 15-18: 1 Type default value for return value of call at "bench/check-ce/func_call.mlw", line 4, characters 9-14 at "bench/check-ce/func_call.mlw", line 4, characters 9-14: 0 RHS evaluated for global `z` at "bench/check-ce/func_call.mlw", line 4, characters 8-9: {contents= 0} Type default value for parameter `_` at NO LOC: () Value from model for variable `z` at "bench/check-ce/func_call.mlw", line 13, characters 2-6 at "bench/check-ce/func_call.mlw", line 13, characters 2-6: {contents= 177} Type default value for return value of call to g at "bench/check-ce/func_call.mlw", line 13, characters 2-6 at "bench/check-ce/func_call.mlw", line 13, characters 2-6: () Normal RAC RHS evaluated for global `zero` at "WHY3DATA/stdlib/int.mlw", line 13, characters 15-19: 0 RHS evaluated for global `one` at "WHY3DATA/stdlib/int.mlw", line 14, characters 15-18: 1 Type default value for return value of call at "bench/check-ce/func_call.mlw", line 4, characters 9-14 at "bench/check-ce/func_call.mlw", line 4, characters 9-14: 0 RHS evaluated for global `z` at "bench/check-ce/func_call.mlw", line 4, characters 8-9: {contents= 0} Type default value for parameter `_` at NO LOC: () Result of checking model 1: SW - Concrete RAC: NORMAL File int.mlw: Line 13: Constant zero initialization zero = 0 Line 14: Constant one initialization one = 1 File func_call.mlw: Line 4: Constant z initialization (giant-step) execution of unimplemented function with args: result = 0 Normal execution of function `ref` with args: contents = 0 Normal execution of function `ref'mk` with args: contents = 0 z = {contents= 0} Unknown location: _ = () File func_call.mlw: Line 11: _ = () Execution of main function `f` with env: z = {contents= 0} _ = () zero = 0 one = 1 Line 13: Normal execution of function `Tuple0` with args: Normal execution of function `g` with args: _ = () Line 9: Normal execution of function `contents` with args: arg = {contents= 0} Normal execution of function `(+)` with args: _ = 0 _ = 1 Line 11: Execution of main function terminated normally - Abstract RAC: FAILURE (assertion at "bench/check-ce/func_call.mlw", line 14, characters 11-16) File int.mlw: Line 13: Constant zero initialization zero = 0 Line 14: Constant one initialization one = 1 File func_call.mlw: Line 4: Constant z initialization (giant-step) execution of unimplemented function with args: result = 0 Normal execution of function `ref` with args: contents = 0 Normal execution of function `ref'mk` with args: contents = 0 z = {contents= 0} Unknown location: _ = () File func_call.mlw: Line 11: _ = () Execution of main function `f` with env: z = {contents= 0} _ = () zero = 0 one = 1 Line 13: Normal execution of function `Tuple0` with args: Giant-step execution of function `g` with args: _ = () z = {contents= 177} result of `g` = () Line 14: Property failure at assertion with: z = {contents= 177} Results: - Selected model 0: SW - Concrete RAC: NORMAL - Abstract RAC: FAILURE (assertion at "bench/check-ce/func_call.mlw", line 14, characters 11-16) - Checked model 1: SW - Concrete RAC: NORMAL - Abstract RAC: FAILURE (assertion at "bench/check-ce/func_call.mlw", line 14, characters 11-16) File "bench/check-ce/func_call.mlw", line 14, characters 11-16: Sub-goal Assertion of goal f'vc. Prover result is: Unknown (unknown) (1.30s, 7500000 steps). The contracts of some function or loop are too weak, for example during the following execution: File int.mlw: Line 13: Constant zero initialization zero = 0 Line 14: Constant one initialization one = 1 File func_call.mlw: Line 4: Constant z initialization (giant-step) execution of unimplemented function with args: result = 0 Normal execution of function `ref` with args: contents = 0 Normal execution of function `ref'mk` with args: contents = 0 z = {contents= 0} Unknown location: _ = () File func_call.mlw: Line 11: _ = () Execution of main function `f` with env: z = {contents= 0} _ = () zero = 0 one = 1 Line 13: Normal execution of function `Tuple0` with args: Giant-step execution of function `g` with args: _ = () z = {contents= 2} result of `g` = () Line 14: Property failure at assertion with: z = {contents= 2} why3-1.6.0/bench/check-ce/oracles/func_call_mono_CVC4,1.8_SP.oracle000066400000000000000000000024411440160026300244070ustar00rootroot00000000000000File "bench/check-ce/func_call_mono.mlw", line 10, characters 12-25: Sub-goal Postcondition of goal g'vc. Prover result is: Valid. Categorizations of models: - Selected model 0: SW - Concrete RAC: NORMAL - Abstract RAC: FAILURE (assertion at "bench/check-ce/func_call_mono.mlw", line 16, characters 11-18) - Checked model 1: SW - Concrete RAC: NORMAL - Abstract RAC: FAILURE (assertion at "bench/check-ce/func_call_mono.mlw", line 16, characters 11-18) File "bench/check-ce/func_call_mono.mlw", line 16, characters 11-18: Sub-goal Assertion of goal f'vc. Prover result is: Unknown (sat). The contracts of some function or loop are too weak, for example during the following execution: File int.mlw: Line 13: Constant zero initialization zero = 0 Line 14: Constant one initialization one = 1 File func_call_mono.mlw: Line 6: z = {c= 0} Unknown location: _ = () File func_call_mono.mlw: Line 13: _ = () Execution of main function `f` with env: z = {c= 0} _ = () zero = 0 one = 1 Line 15: Normal execution of function `Tuple0` with args: Giant-step execution of function `g` with args: _ = () z = {c= 2} result of `g` = () Line 16: Property failure at assertion with: z = {c= 2} why3-1.6.0/bench/check-ce/oracles/func_call_mono_CVC4,1.8_WP.oracle000066400000000000000000000024411440160026300244130ustar00rootroot00000000000000File "bench/check-ce/func_call_mono.mlw", line 10, characters 12-25: Sub-goal Postcondition of goal g'vc. Prover result is: Valid. Categorizations of models: - Selected model 0: SW - Concrete RAC: NORMAL - Abstract RAC: FAILURE (assertion at "bench/check-ce/func_call_mono.mlw", line 16, characters 11-18) - Checked model 1: SW - Concrete RAC: NORMAL - Abstract RAC: FAILURE (assertion at "bench/check-ce/func_call_mono.mlw", line 16, characters 11-18) File "bench/check-ce/func_call_mono.mlw", line 16, characters 11-18: Sub-goal Assertion of goal f'vc. Prover result is: Unknown (sat). The contracts of some function or loop are too weak, for example during the following execution: File int.mlw: Line 13: Constant zero initialization zero = 0 Line 14: Constant one initialization one = 1 File func_call_mono.mlw: Line 6: z = {c= 0} Unknown location: _ = () File func_call_mono.mlw: Line 13: _ = () Execution of main function `f` with env: z = {c= 0} _ = () zero = 0 one = 1 Line 15: Normal execution of function `Tuple0` with args: Giant-step execution of function `g` with args: _ = () z = {c= 2} result of `g` = () Line 16: Property failure at assertion with: z = {c= 2} why3-1.6.0/bench/check-ce/oracles/func_call_mono_CVC5,1.0.0_SP.oracle000066400000000000000000000024411440160026300245360ustar00rootroot00000000000000File "bench/check-ce/func_call_mono.mlw", line 10, characters 12-25: Sub-goal Postcondition of goal g'vc. Prover result is: Valid. Categorizations of models: - Selected model 0: SW - Concrete RAC: NORMAL - Abstract RAC: FAILURE (assertion at "bench/check-ce/func_call_mono.mlw", line 16, characters 11-18) - Checked model 1: SW - Concrete RAC: NORMAL - Abstract RAC: FAILURE (assertion at "bench/check-ce/func_call_mono.mlw", line 16, characters 11-18) File "bench/check-ce/func_call_mono.mlw", line 16, characters 11-18: Sub-goal Assertion of goal f'vc. Prover result is: Unknown (sat). The contracts of some function or loop are too weak, for example during the following execution: File int.mlw: Line 13: Constant zero initialization zero = 0 Line 14: Constant one initialization one = 1 File func_call_mono.mlw: Line 6: z = {c= 0} Unknown location: _ = () File func_call_mono.mlw: Line 13: _ = () Execution of main function `f` with env: z = {c= 0} _ = () zero = 0 one = 1 Line 15: Normal execution of function `Tuple0` with args: Giant-step execution of function `g` with args: _ = () z = {c= 2} result of `g` = () Line 16: Property failure at assertion with: z = {c= 2} why3-1.6.0/bench/check-ce/oracles/func_call_mono_CVC5,1.0.0_WP.oracle000066400000000000000000000024411440160026300245420ustar00rootroot00000000000000File "bench/check-ce/func_call_mono.mlw", line 10, characters 12-25: Sub-goal Postcondition of goal g'vc. Prover result is: Valid. Categorizations of models: - Selected model 0: SW - Concrete RAC: NORMAL - Abstract RAC: FAILURE (assertion at "bench/check-ce/func_call_mono.mlw", line 16, characters 11-18) - Checked model 1: SW - Concrete RAC: NORMAL - Abstract RAC: FAILURE (assertion at "bench/check-ce/func_call_mono.mlw", line 16, characters 11-18) File "bench/check-ce/func_call_mono.mlw", line 16, characters 11-18: Sub-goal Assertion of goal f'vc. Prover result is: Unknown (sat). The contracts of some function or loop are too weak, for example during the following execution: File int.mlw: Line 13: Constant zero initialization zero = 0 Line 14: Constant one initialization one = 1 File func_call_mono.mlw: Line 6: z = {c= 0} Unknown location: _ = () File func_call_mono.mlw: Line 13: _ = () Execution of main function `f` with env: z = {c= 0} _ = () zero = 0 one = 1 Line 15: Normal execution of function `Tuple0` with args: Giant-step execution of function `g` with args: _ = () z = {c= 2} result of `g` = () Line 16: Property failure at assertion with: z = {c= 2} why3-1.6.0/bench/check-ce/oracles/func_call_mono_Z3,4.8.10_SP.oracle000066400000000000000000000024411440160026300244260ustar00rootroot00000000000000File "bench/check-ce/func_call_mono.mlw", line 10, characters 12-25: Sub-goal Postcondition of goal g'vc. Prover result is: Valid. Categorizations of models: - Selected model 0: SW - Concrete RAC: NORMAL - Abstract RAC: FAILURE (assertion at "bench/check-ce/func_call_mono.mlw", line 16, characters 11-18) - Checked model 1: SW - Concrete RAC: NORMAL - Abstract RAC: FAILURE (assertion at "bench/check-ce/func_call_mono.mlw", line 16, characters 11-18) File "bench/check-ce/func_call_mono.mlw", line 16, characters 11-18: Sub-goal Assertion of goal f'vc. Prover result is: Unknown (sat). The contracts of some function or loop are too weak, for example during the following execution: File int.mlw: Line 13: Constant zero initialization zero = 0 Line 14: Constant one initialization one = 1 File func_call_mono.mlw: Line 6: z = {c= 0} Unknown location: _ = () File func_call_mono.mlw: Line 13: _ = () Execution of main function `f` with env: z = {c= 0} _ = () zero = 0 one = 1 Line 15: Normal execution of function `Tuple0` with args: Giant-step execution of function `g` with args: _ = () z = {c= 2} result of `g` = () Line 16: Property failure at assertion with: z = {c= 2} why3-1.6.0/bench/check-ce/oracles/func_call_mono_Z3,4.8.10_WP.oracle000066400000000000000000000024411440160026300244320ustar00rootroot00000000000000File "bench/check-ce/func_call_mono.mlw", line 10, characters 12-25: Sub-goal Postcondition of goal g'vc. Prover result is: Valid. Categorizations of models: - Selected model 0: SW - Concrete RAC: NORMAL - Abstract RAC: FAILURE (assertion at "bench/check-ce/func_call_mono.mlw", line 16, characters 11-18) - Checked model 1: SW - Concrete RAC: NORMAL - Abstract RAC: FAILURE (assertion at "bench/check-ce/func_call_mono.mlw", line 16, characters 11-18) File "bench/check-ce/func_call_mono.mlw", line 16, characters 11-18: Sub-goal Assertion of goal f'vc. Prover result is: Unknown (sat). The contracts of some function or loop are too weak, for example during the following execution: File int.mlw: Line 13: Constant zero initialization zero = 0 Line 14: Constant one initialization one = 1 File func_call_mono.mlw: Line 6: z = {c= 0} Unknown location: _ = () File func_call_mono.mlw: Line 13: _ = () Execution of main function `f` with env: z = {c= 0} _ = () zero = 0 one = 1 Line 15: Normal execution of function `Tuple0` with args: Giant-step execution of function `g` with args: _ = () z = {c= 2} result of `g` = () Line 16: Property failure at assertion with: z = {c= 2} why3-1.6.0/bench/check-ce/oracles/global_logic_constant_CVC4,1.8_SP.oracle000066400000000000000000000052001440160026300257530ustar00rootroot00000000000000Categorizations of models: - Selected model 0: NC - Concrete RAC: FAILURE (postcondition at "bench/check-ce/global_logic_constant.mlw", line 9, characters 14-24) - Abstract RAC: FAILURE (postcondition at "bench/check-ce/global_logic_constant.mlw", line 9, characters 14-24) - Checked model 1: NC - Concrete RAC: FAILURE (postcondition at "bench/check-ce/global_logic_constant.mlw", line 9, characters 14-24) - Abstract RAC: FAILURE (postcondition at "bench/check-ce/global_logic_constant.mlw", line 9, characters 14-24) File "bench/check-ce/global_logic_constant.mlw", line 9, characters 14-24: Sub-goal Postcondition of goal f1'vc. Prover result is: Unknown (sat). The program does not comply to the verification goal, for example during the following execution: File int.mlw: Line 13: Constant zero initialization zero = 0 Line 14: Constant one initialization one = 1 File global_logic_constant.mlw: Line 6: v1 = (- 1) Unknown location: _ = () File global_logic_constant.mlw: Line 8: _ = () Execution of main function `f1` with env: _ = () zero = 0 one = 1 v1 = (- 1) Line 9: Property failure at postcondition of `f1` with: result = (- 1) Categorizations of models: - Selected model 0: NC - Concrete RAC: FAILURE (postcondition at "bench/check-ce/global_logic_constant.mlw", line 15, characters 14-24) - Abstract RAC: FAILURE (postcondition at "bench/check-ce/global_logic_constant.mlw", line 15, characters 14-24) - Checked model 1: NC - Concrete RAC: FAILURE (postcondition at "bench/check-ce/global_logic_constant.mlw", line 15, characters 14-24) - Abstract RAC: FAILURE (postcondition at "bench/check-ce/global_logic_constant.mlw", line 15, characters 14-24) File "bench/check-ce/global_logic_constant.mlw", line 15, characters 14-24: Sub-goal Postcondition of goal f2'vc. Prover result is: Unknown or time/memory/step limit. The program does not comply to the verification goal, for example during the following execution: File int.mlw: Line 13: Constant zero initialization zero = 0 Line 14: Constant one initialization one = 1 File global_logic_constant.mlw: Line 6: v1 = 0 Line 12: v2 = {contents= (- 1)} Unknown location: _ = () File global_logic_constant.mlw: Line 14: _ = () Execution of main function `f2` with env: v2 = {contents= (- 1)} _ = () zero = 0 one = 1 v1 = 0 Line 16: Normal execution of function `contents` with args: arg = {contents= (- 1)} Line 15: Property failure at postcondition of `f2` with: result = (- 1) why3-1.6.0/bench/check-ce/oracles/global_logic_constant_CVC4,1.8_WP.oracle000066400000000000000000000052001440160026300257570ustar00rootroot00000000000000Categorizations of models: - Selected model 0: NC - Concrete RAC: FAILURE (postcondition at "bench/check-ce/global_logic_constant.mlw", line 9, characters 14-24) - Abstract RAC: FAILURE (postcondition at "bench/check-ce/global_logic_constant.mlw", line 9, characters 14-24) - Checked model 1: NC - Concrete RAC: FAILURE (postcondition at "bench/check-ce/global_logic_constant.mlw", line 9, characters 14-24) - Abstract RAC: FAILURE (postcondition at "bench/check-ce/global_logic_constant.mlw", line 9, characters 14-24) File "bench/check-ce/global_logic_constant.mlw", line 9, characters 14-24: Sub-goal Postcondition of goal f1'vc. Prover result is: Unknown (sat). The program does not comply to the verification goal, for example during the following execution: File int.mlw: Line 13: Constant zero initialization zero = 0 Line 14: Constant one initialization one = 1 File global_logic_constant.mlw: Line 6: v1 = (- 1) Unknown location: _ = () File global_logic_constant.mlw: Line 8: _ = () Execution of main function `f1` with env: _ = () zero = 0 one = 1 v1 = (- 1) Line 9: Property failure at postcondition of `f1` with: result = (- 1) Categorizations of models: - Selected model 0: NC - Concrete RAC: FAILURE (postcondition at "bench/check-ce/global_logic_constant.mlw", line 15, characters 14-24) - Abstract RAC: FAILURE (postcondition at "bench/check-ce/global_logic_constant.mlw", line 15, characters 14-24) - Checked model 1: NC - Concrete RAC: FAILURE (postcondition at "bench/check-ce/global_logic_constant.mlw", line 15, characters 14-24) - Abstract RAC: FAILURE (postcondition at "bench/check-ce/global_logic_constant.mlw", line 15, characters 14-24) File "bench/check-ce/global_logic_constant.mlw", line 15, characters 14-24: Sub-goal Postcondition of goal f2'vc. Prover result is: Unknown or time/memory/step limit. The program does not comply to the verification goal, for example during the following execution: File int.mlw: Line 13: Constant zero initialization zero = 0 Line 14: Constant one initialization one = 1 File global_logic_constant.mlw: Line 6: v1 = 0 Line 12: v2 = {contents= (- 1)} Unknown location: _ = () File global_logic_constant.mlw: Line 14: _ = () Execution of main function `f2` with env: v2 = {contents= (- 1)} _ = () zero = 0 one = 1 v1 = 0 Line 16: Normal execution of function `contents` with args: arg = {contents= (- 1)} Line 15: Property failure at postcondition of `f2` with: result = (- 1) why3-1.6.0/bench/check-ce/oracles/global_logic_constant_CVC5,1.0.0_SP.oracle000066400000000000000000000052001440160026300261020ustar00rootroot00000000000000Categorizations of models: - Selected model 0: NC - Concrete RAC: FAILURE (postcondition at "bench/check-ce/global_logic_constant.mlw", line 9, characters 14-24) - Abstract RAC: FAILURE (postcondition at "bench/check-ce/global_logic_constant.mlw", line 9, characters 14-24) - Checked model 1: NC - Concrete RAC: FAILURE (postcondition at "bench/check-ce/global_logic_constant.mlw", line 9, characters 14-24) - Abstract RAC: FAILURE (postcondition at "bench/check-ce/global_logic_constant.mlw", line 9, characters 14-24) File "bench/check-ce/global_logic_constant.mlw", line 9, characters 14-24: Sub-goal Postcondition of goal f1'vc. Prover result is: Unknown (sat). The program does not comply to the verification goal, for example during the following execution: File int.mlw: Line 13: Constant zero initialization zero = 0 Line 14: Constant one initialization one = 1 File global_logic_constant.mlw: Line 6: v1 = (- 1) Unknown location: _ = () File global_logic_constant.mlw: Line 8: _ = () Execution of main function `f1` with env: _ = () zero = 0 one = 1 v1 = (- 1) Line 9: Property failure at postcondition of `f1` with: result = (- 1) Categorizations of models: - Selected model 0: NC - Concrete RAC: FAILURE (postcondition at "bench/check-ce/global_logic_constant.mlw", line 15, characters 14-24) - Abstract RAC: FAILURE (postcondition at "bench/check-ce/global_logic_constant.mlw", line 15, characters 14-24) - Checked model 1: NC - Concrete RAC: FAILURE (postcondition at "bench/check-ce/global_logic_constant.mlw", line 15, characters 14-24) - Abstract RAC: FAILURE (postcondition at "bench/check-ce/global_logic_constant.mlw", line 15, characters 14-24) File "bench/check-ce/global_logic_constant.mlw", line 15, characters 14-24: Sub-goal Postcondition of goal f2'vc. Prover result is: Unknown or time/memory/step limit. The program does not comply to the verification goal, for example during the following execution: File int.mlw: Line 13: Constant zero initialization zero = 0 Line 14: Constant one initialization one = 1 File global_logic_constant.mlw: Line 6: v1 = 0 Line 12: v2 = {contents= (- 1)} Unknown location: _ = () File global_logic_constant.mlw: Line 14: _ = () Execution of main function `f2` with env: v2 = {contents= (- 1)} _ = () zero = 0 one = 1 v1 = 0 Line 16: Normal execution of function `contents` with args: arg = {contents= (- 1)} Line 15: Property failure at postcondition of `f2` with: result = (- 1) why3-1.6.0/bench/check-ce/oracles/global_logic_constant_CVC5,1.0.0_WP.oracle000066400000000000000000000052001440160026300261060ustar00rootroot00000000000000Categorizations of models: - Selected model 0: NC - Concrete RAC: FAILURE (postcondition at "bench/check-ce/global_logic_constant.mlw", line 9, characters 14-24) - Abstract RAC: FAILURE (postcondition at "bench/check-ce/global_logic_constant.mlw", line 9, characters 14-24) - Checked model 1: NC - Concrete RAC: FAILURE (postcondition at "bench/check-ce/global_logic_constant.mlw", line 9, characters 14-24) - Abstract RAC: FAILURE (postcondition at "bench/check-ce/global_logic_constant.mlw", line 9, characters 14-24) File "bench/check-ce/global_logic_constant.mlw", line 9, characters 14-24: Sub-goal Postcondition of goal f1'vc. Prover result is: Unknown (sat). The program does not comply to the verification goal, for example during the following execution: File int.mlw: Line 13: Constant zero initialization zero = 0 Line 14: Constant one initialization one = 1 File global_logic_constant.mlw: Line 6: v1 = (- 1) Unknown location: _ = () File global_logic_constant.mlw: Line 8: _ = () Execution of main function `f1` with env: _ = () zero = 0 one = 1 v1 = (- 1) Line 9: Property failure at postcondition of `f1` with: result = (- 1) Categorizations of models: - Selected model 0: NC - Concrete RAC: FAILURE (postcondition at "bench/check-ce/global_logic_constant.mlw", line 15, characters 14-24) - Abstract RAC: FAILURE (postcondition at "bench/check-ce/global_logic_constant.mlw", line 15, characters 14-24) - Checked model 1: NC - Concrete RAC: FAILURE (postcondition at "bench/check-ce/global_logic_constant.mlw", line 15, characters 14-24) - Abstract RAC: FAILURE (postcondition at "bench/check-ce/global_logic_constant.mlw", line 15, characters 14-24) File "bench/check-ce/global_logic_constant.mlw", line 15, characters 14-24: Sub-goal Postcondition of goal f2'vc. Prover result is: Unknown or time/memory/step limit. The program does not comply to the verification goal, for example during the following execution: File int.mlw: Line 13: Constant zero initialization zero = 0 Line 14: Constant one initialization one = 1 File global_logic_constant.mlw: Line 6: v1 = 0 Line 12: v2 = {contents= (- 1)} Unknown location: _ = () File global_logic_constant.mlw: Line 14: _ = () Execution of main function `f2` with env: v2 = {contents= (- 1)} _ = () zero = 0 one = 1 v1 = 0 Line 16: Normal execution of function `contents` with args: arg = {contents= (- 1)} Line 15: Property failure at postcondition of `f2` with: result = (- 1) why3-1.6.0/bench/check-ce/oracles/global_logic_constant_Z3,4.8.10_SP.oracle000066400000000000000000000046641440160026300260070ustar00rootroot00000000000000Categorizations of models: - Selected model 0: NC - Concrete RAC: FAILURE (postcondition at "bench/check-ce/global_logic_constant.mlw", line 9, characters 14-24) - Abstract RAC: FAILURE (postcondition at "bench/check-ce/global_logic_constant.mlw", line 9, characters 14-24) - Checked model 1: NC - Concrete RAC: FAILURE (postcondition at "bench/check-ce/global_logic_constant.mlw", line 9, characters 14-24) - Abstract RAC: FAILURE (postcondition at "bench/check-ce/global_logic_constant.mlw", line 9, characters 14-24) File "bench/check-ce/global_logic_constant.mlw", line 9, characters 14-24: Sub-goal Postcondition of goal f1'vc. Prover result is: Unknown (sat). The program does not comply to the verification goal, for example during the following execution: File int.mlw: Line 13: Constant zero initialization zero = 0 Line 14: Constant one initialization one = 1 File global_logic_constant.mlw: Line 6: v1 = 2 Unknown location: _ = () File global_logic_constant.mlw: Line 8: _ = () Execution of main function `f1` with env: _ = () zero = 0 one = 1 v1 = 2 Line 9: Property failure at postcondition of `f1` with: result = 2 Categorizations of models: - Selected model 0: NC - Concrete RAC: FAILURE (postcondition at "bench/check-ce/global_logic_constant.mlw", line 15, characters 14-24) - Abstract RAC: FAILURE (postcondition at "bench/check-ce/global_logic_constant.mlw", line 15, characters 14-24) - Checked model 1: BAD_CE - Concrete RAC: NORMAL - Abstract RAC: NORMAL File "bench/check-ce/global_logic_constant.mlw", line 15, characters 14-24: Sub-goal Postcondition of goal f2'vc. Prover result is: Unknown or time/memory/step limit. The program does not comply to the verification goal, for example during the following execution: File int.mlw: Line 13: Constant zero initialization zero = 0 Line 14: Constant one initialization one = 1 File global_logic_constant.mlw: Line 6: v1 = 0 Line 12: v2 = {contents= 2} Unknown location: _ = () File global_logic_constant.mlw: Line 14: _ = () Execution of main function `f2` with env: v2 = {contents= 2} _ = () zero = 0 one = 1 v1 = 0 Line 16: Normal execution of function `contents` with args: arg = {contents= 2} Line 15: Property failure at postcondition of `f2` with: result = 2 why3-1.6.0/bench/check-ce/oracles/global_logic_constant_Z3,4.8.10_WP.oracle000066400000000000000000000046641440160026300260130ustar00rootroot00000000000000Categorizations of models: - Selected model 0: NC - Concrete RAC: FAILURE (postcondition at "bench/check-ce/global_logic_constant.mlw", line 9, characters 14-24) - Abstract RAC: FAILURE (postcondition at "bench/check-ce/global_logic_constant.mlw", line 9, characters 14-24) - Checked model 1: NC - Concrete RAC: FAILURE (postcondition at "bench/check-ce/global_logic_constant.mlw", line 9, characters 14-24) - Abstract RAC: FAILURE (postcondition at "bench/check-ce/global_logic_constant.mlw", line 9, characters 14-24) File "bench/check-ce/global_logic_constant.mlw", line 9, characters 14-24: Sub-goal Postcondition of goal f1'vc. Prover result is: Unknown (sat). The program does not comply to the verification goal, for example during the following execution: File int.mlw: Line 13: Constant zero initialization zero = 0 Line 14: Constant one initialization one = 1 File global_logic_constant.mlw: Line 6: v1 = 2 Unknown location: _ = () File global_logic_constant.mlw: Line 8: _ = () Execution of main function `f1` with env: _ = () zero = 0 one = 1 v1 = 2 Line 9: Property failure at postcondition of `f1` with: result = 2 Categorizations of models: - Selected model 0: NC - Concrete RAC: FAILURE (postcondition at "bench/check-ce/global_logic_constant.mlw", line 15, characters 14-24) - Abstract RAC: FAILURE (postcondition at "bench/check-ce/global_logic_constant.mlw", line 15, characters 14-24) - Checked model 1: BAD_CE - Concrete RAC: NORMAL - Abstract RAC: NORMAL File "bench/check-ce/global_logic_constant.mlw", line 15, characters 14-24: Sub-goal Postcondition of goal f2'vc. Prover result is: Unknown or time/memory/step limit. The program does not comply to the verification goal, for example during the following execution: File int.mlw: Line 13: Constant zero initialization zero = 0 Line 14: Constant one initialization one = 1 File global_logic_constant.mlw: Line 6: v1 = 0 Line 12: v2 = {contents= 2} Unknown location: _ = () File global_logic_constant.mlw: Line 14: _ = () Execution of main function `f2` with env: v2 = {contents= 2} _ = () zero = 0 one = 1 v1 = 0 Line 16: Normal execution of function `contents` with args: arg = {contents= 2} Line 15: Property failure at postcondition of `f2` with: result = 2 why3-1.6.0/bench/check-ce/oracles/global_logic_constant_Z3,4.8.4_SP.oracle000066400000000000000000000443301440160026300257240ustar00rootroot00000000000000Check model 0 ("bench/check-ce/global_logic_constant.mlw", line 9, characters 14-24) Checking model: File global_logic_constant.mlw: Line 6: v1 = {"type": "Integer", "val": "1"} Line 9: v1 = {"type": "Integer", "val": "1"} Line 10: result = {"type": "Integer", "val": "1"} Giant-step RAC RHS evaluated for global `zero` at "WHY3DATA/stdlib/int.mlw", line 13, characters 15-19: 0 RHS evaluated for global `one` at "WHY3DATA/stdlib/int.mlw", line 14, characters 15-18: 1 Value from model for global `v1` at "bench/check-ce/global_logic_constant.mlw", line 6, characters 15-17: 1 Type default value for parameter `_` at NO LOC: () Normal RAC RHS evaluated for global `zero` at "WHY3DATA/stdlib/int.mlw", line 13, characters 15-19: 0 RHS evaluated for global `one` at "WHY3DATA/stdlib/int.mlw", line 14, characters 15-18: 1 Value from model for global `v1` at "bench/check-ce/global_logic_constant.mlw", line 6, characters 15-17: 1 Type default value for parameter `_` at NO LOC: () Result of checking model 0: NC - Concrete RAC: FAILURE (postcondition at "bench/check-ce/global_logic_constant.mlw", line 9, characters 14-24) File int.mlw: Line 13: Constant zero initialization zero = 0 Line 14: Constant one initialization one = 1 File global_logic_constant.mlw: Line 6: v1 = 1 Unknown location: _ = () File global_logic_constant.mlw: Line 8: _ = () Execution of main function `f1` with env: _ = () zero = 0 one = 1 v1 = 1 Line 9: Property failure at postcondition of `f1` with: result = 1 - Abstract RAC: FAILURE (postcondition at "bench/check-ce/global_logic_constant.mlw", line 9, characters 14-24) File int.mlw: Line 13: Constant zero initialization zero = 0 Line 14: Constant one initialization one = 1 File global_logic_constant.mlw: Line 6: v1 = 1 Unknown location: _ = () File global_logic_constant.mlw: Line 8: _ = () Execution of main function `f1` with env: _ = () zero = 0 one = 1 v1 = 1 Line 9: Property failure at postcondition of `f1` with: result = 1 Check model 1 ("bench/check-ce/global_logic_constant.mlw", line 9, characters 14-24) Checking model: File global_logic_constant.mlw: Line 6: v1 = {"type": "Integer", "val": "1"} Line 9: v1 = {"type": "Integer", "val": "1"} Line 10: result = {"type": "Integer", "val": "1"} Giant-step RAC RHS evaluated for global `zero` at "WHY3DATA/stdlib/int.mlw", line 13, characters 15-19: 0 RHS evaluated for global `one` at "WHY3DATA/stdlib/int.mlw", line 14, characters 15-18: 1 Value from model for global `v1` at "bench/check-ce/global_logic_constant.mlw", line 6, characters 15-17: 1 Type default value for parameter `_` at NO LOC: () Normal RAC RHS evaluated for global `zero` at "WHY3DATA/stdlib/int.mlw", line 13, characters 15-19: 0 RHS evaluated for global `one` at "WHY3DATA/stdlib/int.mlw", line 14, characters 15-18: 1 Value from model for global `v1` at "bench/check-ce/global_logic_constant.mlw", line 6, characters 15-17: 1 Type default value for parameter `_` at NO LOC: () Result of checking model 1: NC - Concrete RAC: FAILURE (postcondition at "bench/check-ce/global_logic_constant.mlw", line 9, characters 14-24) File int.mlw: Line 13: Constant zero initialization zero = 0 Line 14: Constant one initialization one = 1 File global_logic_constant.mlw: Line 6: v1 = 1 Unknown location: _ = () File global_logic_constant.mlw: Line 8: _ = () Execution of main function `f1` with env: _ = () zero = 0 one = 1 v1 = 1 Line 9: Property failure at postcondition of `f1` with: result = 1 - Abstract RAC: FAILURE (postcondition at "bench/check-ce/global_logic_constant.mlw", line 9, characters 14-24) File int.mlw: Line 13: Constant zero initialization zero = 0 Line 14: Constant one initialization one = 1 File global_logic_constant.mlw: Line 6: v1 = 1 Unknown location: _ = () File global_logic_constant.mlw: Line 8: _ = () Execution of main function `f1` with env: _ = () zero = 0 one = 1 v1 = 1 Line 9: Property failure at postcondition of `f1` with: result = 1 Results: - Selected model 0: NC - Concrete RAC: FAILURE (postcondition at "bench/check-ce/global_logic_constant.mlw", line 9, characters 14-24) - Abstract RAC: FAILURE (postcondition at "bench/check-ce/global_logic_constant.mlw", line 9, characters 14-24) - Checked model 1: NC - Concrete RAC: FAILURE (postcondition at "bench/check-ce/global_logic_constant.mlw", line 9, characters 14-24) - Abstract RAC: FAILURE (postcondition at "bench/check-ce/global_logic_constant.mlw", line 9, characters 14-24) File "bench/check-ce/global_logic_constant.mlw", line 9, characters 14-24: Sub-goal Postcondition of goal f1'vc. Prover result is: Unknown (sat) (0.02s, 698 steps). The program does not comply to the verification goal, for example during the following execution: File int.mlw: Line 13: Constant zero initialization zero = 0 Line 14: Constant one initialization one = 1 File global_logic_constant.mlw: Line 6: v1 = 1 Unknown location: _ = () File global_logic_constant.mlw: Line 8: _ = () Execution of main function `f1` with env: _ = () zero = 0 one = 1 v1 = 1 Line 9: Property failure at postcondition of `f1` with: result = 1 Check model 0 ("bench/check-ce/global_logic_constant.mlw", line 15, characters 14-24) Checking model: File global_logic_constant.mlw: Line 12: v2 = {"type": "Record", "val": {"Field": [{"field": "contents", "value": {"type": "Integer", "val": "2"}}]}} Line 15: v2 = {"type": "Record", "val": {"Field": [{"field": "contents", "value": {"type": "Integer", "val": "2"}}]}} Line 16: result = {"type": "Integer", "val": "2"} Giant-step RAC RHS evaluated for global `zero` at "WHY3DATA/stdlib/int.mlw", line 13, characters 15-19: 0 RHS evaluated for global `one` at "WHY3DATA/stdlib/int.mlw", line 14, characters 15-18: 1 Type default value for return value of call at "bench/check-ce/global_logic_constant.mlw", line 6, characters 17-22 at "bench/check-ce/global_logic_constant.mlw", line 6, characters 17-22: 0 RHS evaluated for global `v1` at "bench/check-ce/global_logic_constant.mlw", line 6, characters 15-17: 0 Value from model for global `v2` at "bench/check-ce/global_logic_constant.mlw", line 12, characters 10-12: {contents= 2} Type default value for parameter `_` at NO LOC: () Normal RAC RHS evaluated for global `zero` at "WHY3DATA/stdlib/int.mlw", line 13, characters 15-19: 0 RHS evaluated for global `one` at "WHY3DATA/stdlib/int.mlw", line 14, characters 15-18: 1 Type default value for return value of call at "bench/check-ce/global_logic_constant.mlw", line 6, characters 17-22 at "bench/check-ce/global_logic_constant.mlw", line 6, characters 17-22: 0 RHS evaluated for global `v1` at "bench/check-ce/global_logic_constant.mlw", line 6, characters 15-17: 0 Value from model for global `v2` at "bench/check-ce/global_logic_constant.mlw", line 12, characters 10-12: {contents= 2} Type default value for parameter `_` at NO LOC: () Result of checking model 0: NC - Concrete RAC: FAILURE (postcondition at "bench/check-ce/global_logic_constant.mlw", line 15, characters 14-24) File int.mlw: Line 13: Constant zero initialization zero = 0 Line 14: Constant one initialization one = 1 File global_logic_constant.mlw: Line 6: Constant v1 initialization (giant-step) execution of unimplemented function with args: result = 0 v1 = 0 Line 12: v2 = {contents= 2} Unknown location: _ = () File global_logic_constant.mlw: Line 14: _ = () Execution of main function `f2` with env: v2 = {contents= 2} _ = () zero = 0 one = 1 v1 = 0 Line 16: Normal execution of function `contents` with args: arg = {contents= 2} Line 15: Property failure at postcondition of `f2` with: result = 2 - Abstract RAC: FAILURE (postcondition at "bench/check-ce/global_logic_constant.mlw", line 15, characters 14-24) File int.mlw: Line 13: Constant zero initialization zero = 0 Line 14: Constant one initialization one = 1 File global_logic_constant.mlw: Line 6: Constant v1 initialization (giant-step) execution of unimplemented function with args: result = 0 v1 = 0 Line 12: v2 = {contents= 2} Unknown location: _ = () File global_logic_constant.mlw: Line 14: _ = () Execution of main function `f2` with env: v2 = {contents= 2} _ = () zero = 0 one = 1 v1 = 0 Line 16: Normal execution of function `contents` with args: arg = {contents= 2} Line 15: Property failure at postcondition of `f2` with: result = 2 Check model 1 ("bench/check-ce/global_logic_constant.mlw", line 15, characters 14-24) Checking model: File global_logic_constant.mlw: Line 12: v2 = {"type": "Record", "val": {"Field": [{"field": "contents", "value": {"type": "Integer", "val": "3"}}]}} Line 15: v2 = {"type": "Record", "val": {"Field": [{"field": "contents", "value": {"type": "Integer", "val": "3"}}]}} Line 16: result = {"type": "Integer", "val": "3"} Giant-step RAC RHS evaluated for global `zero` at "WHY3DATA/stdlib/int.mlw", line 13, characters 15-19: 0 RHS evaluated for global `one` at "WHY3DATA/stdlib/int.mlw", line 14, characters 15-18: 1 Type default value for return value of call at "bench/check-ce/global_logic_constant.mlw", line 6, characters 17-22 at "bench/check-ce/global_logic_constant.mlw", line 6, characters 17-22: 0 RHS evaluated for global `v1` at "bench/check-ce/global_logic_constant.mlw", line 6, characters 15-17: 0 Value from model for global `v2` at "bench/check-ce/global_logic_constant.mlw", line 12, characters 10-12: {contents= 3} Type default value for parameter `_` at NO LOC: () Normal RAC RHS evaluated for global `zero` at "WHY3DATA/stdlib/int.mlw", line 13, characters 15-19: 0 RHS evaluated for global `one` at "WHY3DATA/stdlib/int.mlw", line 14, characters 15-18: 1 Type default value for return value of call at "bench/check-ce/global_logic_constant.mlw", line 6, characters 17-22 at "bench/check-ce/global_logic_constant.mlw", line 6, characters 17-22: 0 RHS evaluated for global `v1` at "bench/check-ce/global_logic_constant.mlw", line 6, characters 15-17: 0 Value from model for global `v2` at "bench/check-ce/global_logic_constant.mlw", line 12, characters 10-12: {contents= 3} Type default value for parameter `_` at NO LOC: () Result of checking model 1: NC - Concrete RAC: FAILURE (postcondition at "bench/check-ce/global_logic_constant.mlw", line 15, characters 14-24) File int.mlw: Line 13: Constant zero initialization zero = 0 Line 14: Constant one initialization one = 1 File global_logic_constant.mlw: Line 6: Constant v1 initialization (giant-step) execution of unimplemented function with args: result = 0 v1 = 0 Line 12: v2 = {contents= 3} Unknown location: _ = () File global_logic_constant.mlw: Line 14: _ = () Execution of main function `f2` with env: v2 = {contents= 3} _ = () zero = 0 one = 1 v1 = 0 Line 16: Normal execution of function `contents` with args: arg = {contents= 3} Line 15: Property failure at postcondition of `f2` with: result = 3 - Abstract RAC: FAILURE (postcondition at "bench/check-ce/global_logic_constant.mlw", line 15, characters 14-24) File int.mlw: Line 13: Constant zero initialization zero = 0 Line 14: Constant one initialization one = 1 File global_logic_constant.mlw: Line 6: Constant v1 initialization (giant-step) execution of unimplemented function with args: result = 0 v1 = 0 Line 12: v2 = {contents= 3} Unknown location: _ = () File global_logic_constant.mlw: Line 14: _ = () Execution of main function `f2` with env: v2 = {contents= 3} _ = () zero = 0 one = 1 v1 = 0 Line 16: Normal execution of function `contents` with args: arg = {contents= 3} Line 15: Property failure at postcondition of `f2` with: result = 3 Results: - Selected model 0: NC - Concrete RAC: FAILURE (postcondition at "bench/check-ce/global_logic_constant.mlw", line 15, characters 14-24) - Abstract RAC: FAILURE (postcondition at "bench/check-ce/global_logic_constant.mlw", line 15, characters 14-24) - Checked model 1: NC - Concrete RAC: FAILURE (postcondition at "bench/check-ce/global_logic_constant.mlw", line 15, characters 14-24) - Abstract RAC: FAILURE (postcondition at "bench/check-ce/global_logic_constant.mlw", line 15, characters 14-24) File "bench/check-ce/global_logic_constant.mlw", line 15, characters 14-24: Sub-goal Postcondition of goal f2'vc. Prover result is: Unknown (unknown) (1.17s, 7500000 steps). The program does not comply to the verification goal, for example during the following execution: File int.mlw: Line 13: Constant zero initialization zero = 0 Line 14: Constant one initialization one = 1 File global_logic_constant.mlw: Line 6: Constant v1 initialization (giant-step) execution of unimplemented function with args: result = 0 v1 = 0 Line 12: v2 = {contents= 2} Unknown location: _ = () File global_logic_constant.mlw: Line 14: _ = () Execution of main function `f2` with env: v2 = {contents= 2} _ = () zero = 0 one = 1 v1 = 0 Line 16: Normal execution of function `contents` with args: arg = {contents= 2} Line 15: Property failure at postcondition of `f2` with: result = 2 why3-1.6.0/bench/check-ce/oracles/global_logic_constant_Z3,4.8.4_WP.oracle000066400000000000000000000443301440160026300257300ustar00rootroot00000000000000Check model 0 ("bench/check-ce/global_logic_constant.mlw", line 9, characters 14-24) Checking model: File global_logic_constant.mlw: Line 6: v1 = {"type": "Integer", "val": "1"} Line 9: v1 = {"type": "Integer", "val": "1"} Line 10: result = {"type": "Integer", "val": "1"} Giant-step RAC RHS evaluated for global `zero` at "WHY3DATA/stdlib/int.mlw", line 13, characters 15-19: 0 RHS evaluated for global `one` at "WHY3DATA/stdlib/int.mlw", line 14, characters 15-18: 1 Value from model for global `v1` at "bench/check-ce/global_logic_constant.mlw", line 6, characters 15-17: 1 Type default value for parameter `_` at NO LOC: () Normal RAC RHS evaluated for global `zero` at "WHY3DATA/stdlib/int.mlw", line 13, characters 15-19: 0 RHS evaluated for global `one` at "WHY3DATA/stdlib/int.mlw", line 14, characters 15-18: 1 Value from model for global `v1` at "bench/check-ce/global_logic_constant.mlw", line 6, characters 15-17: 1 Type default value for parameter `_` at NO LOC: () Result of checking model 0: NC - Concrete RAC: FAILURE (postcondition at "bench/check-ce/global_logic_constant.mlw", line 9, characters 14-24) File int.mlw: Line 13: Constant zero initialization zero = 0 Line 14: Constant one initialization one = 1 File global_logic_constant.mlw: Line 6: v1 = 1 Unknown location: _ = () File global_logic_constant.mlw: Line 8: _ = () Execution of main function `f1` with env: _ = () zero = 0 one = 1 v1 = 1 Line 9: Property failure at postcondition of `f1` with: result = 1 - Abstract RAC: FAILURE (postcondition at "bench/check-ce/global_logic_constant.mlw", line 9, characters 14-24) File int.mlw: Line 13: Constant zero initialization zero = 0 Line 14: Constant one initialization one = 1 File global_logic_constant.mlw: Line 6: v1 = 1 Unknown location: _ = () File global_logic_constant.mlw: Line 8: _ = () Execution of main function `f1` with env: _ = () zero = 0 one = 1 v1 = 1 Line 9: Property failure at postcondition of `f1` with: result = 1 Check model 1 ("bench/check-ce/global_logic_constant.mlw", line 9, characters 14-24) Checking model: File global_logic_constant.mlw: Line 6: v1 = {"type": "Integer", "val": "1"} Line 9: v1 = {"type": "Integer", "val": "1"} Line 10: result = {"type": "Integer", "val": "1"} Giant-step RAC RHS evaluated for global `zero` at "WHY3DATA/stdlib/int.mlw", line 13, characters 15-19: 0 RHS evaluated for global `one` at "WHY3DATA/stdlib/int.mlw", line 14, characters 15-18: 1 Value from model for global `v1` at "bench/check-ce/global_logic_constant.mlw", line 6, characters 15-17: 1 Type default value for parameter `_` at NO LOC: () Normal RAC RHS evaluated for global `zero` at "WHY3DATA/stdlib/int.mlw", line 13, characters 15-19: 0 RHS evaluated for global `one` at "WHY3DATA/stdlib/int.mlw", line 14, characters 15-18: 1 Value from model for global `v1` at "bench/check-ce/global_logic_constant.mlw", line 6, characters 15-17: 1 Type default value for parameter `_` at NO LOC: () Result of checking model 1: NC - Concrete RAC: FAILURE (postcondition at "bench/check-ce/global_logic_constant.mlw", line 9, characters 14-24) File int.mlw: Line 13: Constant zero initialization zero = 0 Line 14: Constant one initialization one = 1 File global_logic_constant.mlw: Line 6: v1 = 1 Unknown location: _ = () File global_logic_constant.mlw: Line 8: _ = () Execution of main function `f1` with env: _ = () zero = 0 one = 1 v1 = 1 Line 9: Property failure at postcondition of `f1` with: result = 1 - Abstract RAC: FAILURE (postcondition at "bench/check-ce/global_logic_constant.mlw", line 9, characters 14-24) File int.mlw: Line 13: Constant zero initialization zero = 0 Line 14: Constant one initialization one = 1 File global_logic_constant.mlw: Line 6: v1 = 1 Unknown location: _ = () File global_logic_constant.mlw: Line 8: _ = () Execution of main function `f1` with env: _ = () zero = 0 one = 1 v1 = 1 Line 9: Property failure at postcondition of `f1` with: result = 1 Results: - Selected model 0: NC - Concrete RAC: FAILURE (postcondition at "bench/check-ce/global_logic_constant.mlw", line 9, characters 14-24) - Abstract RAC: FAILURE (postcondition at "bench/check-ce/global_logic_constant.mlw", line 9, characters 14-24) - Checked model 1: NC - Concrete RAC: FAILURE (postcondition at "bench/check-ce/global_logic_constant.mlw", line 9, characters 14-24) - Abstract RAC: FAILURE (postcondition at "bench/check-ce/global_logic_constant.mlw", line 9, characters 14-24) File "bench/check-ce/global_logic_constant.mlw", line 9, characters 14-24: Sub-goal Postcondition of goal f1'vc. Prover result is: Unknown (sat) (0.02s, 698 steps). The program does not comply to the verification goal, for example during the following execution: File int.mlw: Line 13: Constant zero initialization zero = 0 Line 14: Constant one initialization one = 1 File global_logic_constant.mlw: Line 6: v1 = 1 Unknown location: _ = () File global_logic_constant.mlw: Line 8: _ = () Execution of main function `f1` with env: _ = () zero = 0 one = 1 v1 = 1 Line 9: Property failure at postcondition of `f1` with: result = 1 Check model 0 ("bench/check-ce/global_logic_constant.mlw", line 15, characters 14-24) Checking model: File global_logic_constant.mlw: Line 12: v2 = {"type": "Record", "val": {"Field": [{"field": "contents", "value": {"type": "Integer", "val": "2"}}]}} Line 15: v2 = {"type": "Record", "val": {"Field": [{"field": "contents", "value": {"type": "Integer", "val": "2"}}]}} Line 16: result = {"type": "Integer", "val": "2"} Giant-step RAC RHS evaluated for global `zero` at "WHY3DATA/stdlib/int.mlw", line 13, characters 15-19: 0 RHS evaluated for global `one` at "WHY3DATA/stdlib/int.mlw", line 14, characters 15-18: 1 Type default value for return value of call at "bench/check-ce/global_logic_constant.mlw", line 6, characters 17-22 at "bench/check-ce/global_logic_constant.mlw", line 6, characters 17-22: 0 RHS evaluated for global `v1` at "bench/check-ce/global_logic_constant.mlw", line 6, characters 15-17: 0 Value from model for global `v2` at "bench/check-ce/global_logic_constant.mlw", line 12, characters 10-12: {contents= 2} Type default value for parameter `_` at NO LOC: () Normal RAC RHS evaluated for global `zero` at "WHY3DATA/stdlib/int.mlw", line 13, characters 15-19: 0 RHS evaluated for global `one` at "WHY3DATA/stdlib/int.mlw", line 14, characters 15-18: 1 Type default value for return value of call at "bench/check-ce/global_logic_constant.mlw", line 6, characters 17-22 at "bench/check-ce/global_logic_constant.mlw", line 6, characters 17-22: 0 RHS evaluated for global `v1` at "bench/check-ce/global_logic_constant.mlw", line 6, characters 15-17: 0 Value from model for global `v2` at "bench/check-ce/global_logic_constant.mlw", line 12, characters 10-12: {contents= 2} Type default value for parameter `_` at NO LOC: () Result of checking model 0: NC - Concrete RAC: FAILURE (postcondition at "bench/check-ce/global_logic_constant.mlw", line 15, characters 14-24) File int.mlw: Line 13: Constant zero initialization zero = 0 Line 14: Constant one initialization one = 1 File global_logic_constant.mlw: Line 6: Constant v1 initialization (giant-step) execution of unimplemented function with args: result = 0 v1 = 0 Line 12: v2 = {contents= 2} Unknown location: _ = () File global_logic_constant.mlw: Line 14: _ = () Execution of main function `f2` with env: v2 = {contents= 2} _ = () zero = 0 one = 1 v1 = 0 Line 16: Normal execution of function `contents` with args: arg = {contents= 2} Line 15: Property failure at postcondition of `f2` with: result = 2 - Abstract RAC: FAILURE (postcondition at "bench/check-ce/global_logic_constant.mlw", line 15, characters 14-24) File int.mlw: Line 13: Constant zero initialization zero = 0 Line 14: Constant one initialization one = 1 File global_logic_constant.mlw: Line 6: Constant v1 initialization (giant-step) execution of unimplemented function with args: result = 0 v1 = 0 Line 12: v2 = {contents= 2} Unknown location: _ = () File global_logic_constant.mlw: Line 14: _ = () Execution of main function `f2` with env: v2 = {contents= 2} _ = () zero = 0 one = 1 v1 = 0 Line 16: Normal execution of function `contents` with args: arg = {contents= 2} Line 15: Property failure at postcondition of `f2` with: result = 2 Check model 1 ("bench/check-ce/global_logic_constant.mlw", line 15, characters 14-24) Checking model: File global_logic_constant.mlw: Line 12: v2 = {"type": "Record", "val": {"Field": [{"field": "contents", "value": {"type": "Integer", "val": "3"}}]}} Line 15: v2 = {"type": "Record", "val": {"Field": [{"field": "contents", "value": {"type": "Integer", "val": "3"}}]}} Line 16: result = {"type": "Integer", "val": "3"} Giant-step RAC RHS evaluated for global `zero` at "WHY3DATA/stdlib/int.mlw", line 13, characters 15-19: 0 RHS evaluated for global `one` at "WHY3DATA/stdlib/int.mlw", line 14, characters 15-18: 1 Type default value for return value of call at "bench/check-ce/global_logic_constant.mlw", line 6, characters 17-22 at "bench/check-ce/global_logic_constant.mlw", line 6, characters 17-22: 0 RHS evaluated for global `v1` at "bench/check-ce/global_logic_constant.mlw", line 6, characters 15-17: 0 Value from model for global `v2` at "bench/check-ce/global_logic_constant.mlw", line 12, characters 10-12: {contents= 3} Type default value for parameter `_` at NO LOC: () Normal RAC RHS evaluated for global `zero` at "WHY3DATA/stdlib/int.mlw", line 13, characters 15-19: 0 RHS evaluated for global `one` at "WHY3DATA/stdlib/int.mlw", line 14, characters 15-18: 1 Type default value for return value of call at "bench/check-ce/global_logic_constant.mlw", line 6, characters 17-22 at "bench/check-ce/global_logic_constant.mlw", line 6, characters 17-22: 0 RHS evaluated for global `v1` at "bench/check-ce/global_logic_constant.mlw", line 6, characters 15-17: 0 Value from model for global `v2` at "bench/check-ce/global_logic_constant.mlw", line 12, characters 10-12: {contents= 3} Type default value for parameter `_` at NO LOC: () Result of checking model 1: NC - Concrete RAC: FAILURE (postcondition at "bench/check-ce/global_logic_constant.mlw", line 15, characters 14-24) File int.mlw: Line 13: Constant zero initialization zero = 0 Line 14: Constant one initialization one = 1 File global_logic_constant.mlw: Line 6: Constant v1 initialization (giant-step) execution of unimplemented function with args: result = 0 v1 = 0 Line 12: v2 = {contents= 3} Unknown location: _ = () File global_logic_constant.mlw: Line 14: _ = () Execution of main function `f2` with env: v2 = {contents= 3} _ = () zero = 0 one = 1 v1 = 0 Line 16: Normal execution of function `contents` with args: arg = {contents= 3} Line 15: Property failure at postcondition of `f2` with: result = 3 - Abstract RAC: FAILURE (postcondition at "bench/check-ce/global_logic_constant.mlw", line 15, characters 14-24) File int.mlw: Line 13: Constant zero initialization zero = 0 Line 14: Constant one initialization one = 1 File global_logic_constant.mlw: Line 6: Constant v1 initialization (giant-step) execution of unimplemented function with args: result = 0 v1 = 0 Line 12: v2 = {contents= 3} Unknown location: _ = () File global_logic_constant.mlw: Line 14: _ = () Execution of main function `f2` with env: v2 = {contents= 3} _ = () zero = 0 one = 1 v1 = 0 Line 16: Normal execution of function `contents` with args: arg = {contents= 3} Line 15: Property failure at postcondition of `f2` with: result = 3 Results: - Selected model 0: NC - Concrete RAC: FAILURE (postcondition at "bench/check-ce/global_logic_constant.mlw", line 15, characters 14-24) - Abstract RAC: FAILURE (postcondition at "bench/check-ce/global_logic_constant.mlw", line 15, characters 14-24) - Checked model 1: NC - Concrete RAC: FAILURE (postcondition at "bench/check-ce/global_logic_constant.mlw", line 15, characters 14-24) - Abstract RAC: FAILURE (postcondition at "bench/check-ce/global_logic_constant.mlw", line 15, characters 14-24) File "bench/check-ce/global_logic_constant.mlw", line 15, characters 14-24: Sub-goal Postcondition of goal f2'vc. Prover result is: Unknown (unknown) (1.22s, 7500000 steps). The program does not comply to the verification goal, for example during the following execution: File int.mlw: Line 13: Constant zero initialization zero = 0 Line 14: Constant one initialization one = 1 File global_logic_constant.mlw: Line 6: Constant v1 initialization (giant-step) execution of unimplemented function with args: result = 0 v1 = 0 Line 12: v2 = {contents= 2} Unknown location: _ = () File global_logic_constant.mlw: Line 14: _ = () Execution of main function `f2` with env: v2 = {contents= 2} _ = () zero = 0 one = 1 v1 = 0 Line 16: Normal execution of function `contents` with args: arg = {contents= 2} Line 15: Property failure at postcondition of `f2` with: result = 2 why3-1.6.0/bench/check-ce/oracles/if_assign_CVC4,1.8_SP.oracle000066400000000000000000000145641440160026300234040ustar00rootroot00000000000000Categorizations of models: - Selected model 0: NC - Concrete RAC: FAILURE (postcondition at "bench/check-ce/if_assign.mlw", line 10, characters 12-23) - Abstract RAC: FAILURE (postcondition at "bench/check-ce/if_assign.mlw", line 10, characters 12-23) - Checked model 1: NC - Concrete RAC: FAILURE (postcondition at "bench/check-ce/if_assign.mlw", line 10, characters 12-23) - Abstract RAC: FAILURE (postcondition at "bench/check-ce/if_assign.mlw", line 10, characters 12-23) File "bench/check-ce/if_assign.mlw", line 10, characters 12-23: Sub-goal Postcondition of goal f'vc. Prover result is: Unknown or time/memory/step limit. The program does not comply to the verification goal, for example during the following execution: File int.mlw: Line 13: Constant zero initialization zero = 0 Line 14: Constant one initialization one = 1 File if_assign.mlw: Line 7: Constant x initialization (giant-step) execution of unimplemented function with args: result = {contents= 0} x = {contents= 0} Line 9: _a = 0 _a = 0 Execution of main function `f` with env: x = {contents= 0} _a = 0 zero = 0 one = 1 Line 12: Normal execution of function `(:=)` with args: r = {contents= 0} v = 42 Line 13: Normal execution of function `(!)` with args: r = {contents= 42} File ref.mlw: Line 18: Normal execution of function `contents` with args: arg = {contents= 42} File if_assign.mlw: Line 10: Property failure at postcondition of `f` with: result = 42 Categorizations of models: - Selected model 0: NC - Concrete RAC: FAILURE (postcondition at "bench/check-ce/if_assign.mlw", line 16, characters 12-23) - Abstract RAC: FAILURE (postcondition at "bench/check-ce/if_assign.mlw", line 16, characters 12-23) - Checked model 1: NC - Concrete RAC: FAILURE (postcondition at "bench/check-ce/if_assign.mlw", line 16, characters 12-23) - Abstract RAC: FAILURE (postcondition at "bench/check-ce/if_assign.mlw", line 16, characters 12-23) File "bench/check-ce/if_assign.mlw", line 16, characters 12-23: Sub-goal Postcondition of goal fTest1'vc. Prover result is: Unknown or time/memory/step limit. The program does not comply to the verification goal, for example during the following execution: File int.mlw: Line 13: Constant zero initialization zero = 0 Line 14: Constant one initialization one = 1 File if_assign.mlw: Line 7: Constant x initialization (giant-step) execution of unimplemented function with args: result = {contents= 0} x = {contents= 0} Line 15: a = (- 1) a = (- 1) Execution of main function `fTest1` with env: x = {contents= 0} a = (- 1) zero = 0 one = 1 Line 18: Normal execution of function `(=)` with args: x = (- 1) y = 0 Line 21: Normal execution of function `(:=)` with args: r = {contents= 0} v = 18 Line 22: Normal execution of function `(!)` with args: r = {contents= 18} File ref.mlw: Line 18: Normal execution of function `contents` with args: arg = {contents= 18} File if_assign.mlw: Line 16: Property failure at postcondition of `fTest1` with: result = 18 Categorizations of models: - Selected model 0: NC - Concrete RAC: FAILURE (assertion at "bench/check-ce/if_assign.mlw", line 28, characters 31-38) - Abstract RAC: FAILURE (assertion at "bench/check-ce/if_assign.mlw", line 28, characters 31-38) - Checked model 1: NC - Concrete RAC: FAILURE (assertion at "bench/check-ce/if_assign.mlw", line 28, characters 31-38) - Abstract RAC: FAILURE (assertion at "bench/check-ce/if_assign.mlw", line 28, characters 31-38) File "bench/check-ce/if_assign.mlw", line 28, characters 31-38: Sub-goal Assertion of goal fTest2'vc. Prover result is: Unknown or time/memory/step limit. The program does not comply to the verification goal, for example during the following execution: File int.mlw: Line 13: Constant zero initialization zero = 0 Line 14: Constant one initialization one = 1 File if_assign.mlw: Line 7: Constant x initialization (giant-step) execution of unimplemented function with args: result = {contents= 0} x = {contents= 0} Line 24: a = 0 a = 0 Execution of main function `fTest2` with env: x = {contents= 0} a = 0 zero = 0 one = 1 Line 27: Normal execution of function `(=)` with args: x = 0 y = 0 Line 28: Property failure at assertion with: x = {contents= 42} File "bench/check-ce/if_assign.mlw", line 30, characters 23-30: Sub-goal Assertion of goal fTest2'vc. Prover result is: Valid. Categorizations of models: - Selected model 0: NC - Concrete RAC: FAILURE (postcondition at "bench/check-ce/if_assign.mlw", line 25, characters 12-23) - Abstract RAC: FAILURE (postcondition at "bench/check-ce/if_assign.mlw", line 25, characters 12-23) - Checked model 1: NC - Concrete RAC: FAILURE (postcondition at "bench/check-ce/if_assign.mlw", line 25, characters 12-23) - Abstract RAC: FAILURE (postcondition at "bench/check-ce/if_assign.mlw", line 25, characters 12-23) - Checked model 2: BAD_CE - Concrete RAC: FAILURE (assertion at "bench/check-ce/if_assign.mlw", line 28, characters 31-38) - Abstract RAC: FAILURE (assertion at "bench/check-ce/if_assign.mlw", line 28, characters 31-38) File "bench/check-ce/if_assign.mlw", line 25, characters 12-23: Sub-goal Postcondition of goal fTest2'vc. Prover result is: Unknown or time/memory/step limit. The program does not comply to the verification goal, for example during the following execution: File int.mlw: Line 13: Constant zero initialization zero = 0 Line 14: Constant one initialization one = 1 File if_assign.mlw: Line 7: Constant x initialization (giant-step) execution of unimplemented function with args: result = {contents= 0} x = {contents= 0} Line 24: a = (- 1) a = (- 1) Execution of main function `fTest2` with env: x = {contents= 0} a = (- 1) zero = 0 one = 1 Line 27: Normal execution of function `(=)` with args: x = (- 1) y = 0 Line 30: Normal execution of function `(:=)` with args: r = {contents= 0} v = 18 Line 25: Property failure at postcondition of `fTest2` with: result = 17 why3-1.6.0/bench/check-ce/oracles/if_assign_CVC4,1.8_WP.oracle000066400000000000000000000175251440160026300234100ustar00rootroot00000000000000Categorizations of models: - Selected model 0: NC - Concrete RAC: FAILURE (postcondition at "bench/check-ce/if_assign.mlw", line 10, characters 12-23) - Abstract RAC: FAILURE (postcondition at "bench/check-ce/if_assign.mlw", line 10, characters 12-23) - Checked model 1: NC - Concrete RAC: FAILURE (postcondition at "bench/check-ce/if_assign.mlw", line 10, characters 12-23) - Abstract RAC: FAILURE (postcondition at "bench/check-ce/if_assign.mlw", line 10, characters 12-23) File "bench/check-ce/if_assign.mlw", line 10, characters 12-23: Sub-goal Postcondition of goal f'vc. Prover result is: Unknown or time/memory/step limit. The program does not comply to the verification goal, for example during the following execution: File int.mlw: Line 13: Constant zero initialization zero = 0 Line 14: Constant one initialization one = 1 File if_assign.mlw: Line 7: Constant x initialization (giant-step) execution of unimplemented function with args: result = {contents= 0} x = {contents= 0} Line 9: _a = 0 _a = 0 Execution of main function `f` with env: x = {contents= 0} _a = 0 zero = 0 one = 1 Line 12: Normal execution of function `(:=)` with args: r = {contents= 0} v = 42 Line 13: Normal execution of function `(!)` with args: r = {contents= 42} File ref.mlw: Line 18: Normal execution of function `contents` with args: arg = {contents= 42} File if_assign.mlw: Line 10: Property failure at postcondition of `f` with: result = 42 Categorizations of models: - Selected model 0: NC - Concrete RAC: FAILURE (postcondition at "bench/check-ce/if_assign.mlw", line 16, characters 12-23) - Abstract RAC: FAILURE (postcondition at "bench/check-ce/if_assign.mlw", line 16, characters 12-23) - Checked model 1: NC - Concrete RAC: FAILURE (postcondition at "bench/check-ce/if_assign.mlw", line 16, characters 12-23) - Abstract RAC: FAILURE (postcondition at "bench/check-ce/if_assign.mlw", line 16, characters 12-23) File "bench/check-ce/if_assign.mlw", line 16, characters 12-23: Sub-goal Postcondition of goal fTest1'vc. Prover result is: Unknown or time/memory/step limit. The program does not comply to the verification goal, for example during the following execution: File int.mlw: Line 13: Constant zero initialization zero = 0 Line 14: Constant one initialization one = 1 File if_assign.mlw: Line 7: Constant x initialization (giant-step) execution of unimplemented function with args: result = {contents= 0} x = {contents= 0} Line 15: a = 0 a = 0 Execution of main function `fTest1` with env: x = {contents= 0} a = 0 zero = 0 one = 1 Line 18: Normal execution of function `(=)` with args: x = 0 y = 0 Line 22: Normal execution of function `(!)` with args: r = {contents= 42} File ref.mlw: Line 18: Normal execution of function `contents` with args: arg = {contents= 42} File if_assign.mlw: Line 16: Property failure at postcondition of `fTest1` with: result = 42 Categorizations of models: - Selected model 0: NC - Concrete RAC: FAILURE (postcondition at "bench/check-ce/if_assign.mlw", line 16, characters 12-23) - Abstract RAC: FAILURE (postcondition at "bench/check-ce/if_assign.mlw", line 16, characters 12-23) - Checked model 1: NC - Concrete RAC: FAILURE (postcondition at "bench/check-ce/if_assign.mlw", line 16, characters 12-23) - Abstract RAC: FAILURE (postcondition at "bench/check-ce/if_assign.mlw", line 16, characters 12-23) File "bench/check-ce/if_assign.mlw", line 16, characters 12-23: Sub-goal Postcondition of goal fTest1'vc. Prover result is: Unknown or time/memory/step limit. The program does not comply to the verification goal, for example during the following execution: File int.mlw: Line 13: Constant zero initialization zero = 0 Line 14: Constant one initialization one = 1 File if_assign.mlw: Line 7: Constant x initialization (giant-step) execution of unimplemented function with args: result = {contents= 0} x = {contents= 0} Line 15: a = (- 1) a = (- 1) Execution of main function `fTest1` with env: x = {contents= 0} a = (- 1) zero = 0 one = 1 Line 18: Normal execution of function `(=)` with args: x = (- 1) y = 0 Line 21: Normal execution of function `(:=)` with args: r = {contents= 0} v = 18 Line 22: Normal execution of function `(!)` with args: r = {contents= 18} File ref.mlw: Line 18: Normal execution of function `contents` with args: arg = {contents= 18} File if_assign.mlw: Line 16: Property failure at postcondition of `fTest1` with: result = 18 Categorizations of models: - Selected model 0: NC - Concrete RAC: FAILURE (assertion at "bench/check-ce/if_assign.mlw", line 28, characters 31-38) - Abstract RAC: FAILURE (assertion at "bench/check-ce/if_assign.mlw", line 28, characters 31-38) - Checked model 1: NC - Concrete RAC: FAILURE (assertion at "bench/check-ce/if_assign.mlw", line 28, characters 31-38) - Abstract RAC: FAILURE (assertion at "bench/check-ce/if_assign.mlw", line 28, characters 31-38) File "bench/check-ce/if_assign.mlw", line 28, characters 31-38: Sub-goal Assertion of goal fTest2'vc. Prover result is: Unknown or time/memory/step limit. The program does not comply to the verification goal, for example during the following execution: File int.mlw: Line 13: Constant zero initialization zero = 0 Line 14: Constant one initialization one = 1 File if_assign.mlw: Line 7: Constant x initialization (giant-step) execution of unimplemented function with args: result = {contents= 0} x = {contents= 0} Line 24: a = 0 a = 0 Execution of main function `fTest2` with env: x = {contents= 0} a = 0 zero = 0 one = 1 Line 27: Normal execution of function `(=)` with args: x = 0 y = 0 Line 28: Property failure at assertion with: x = {contents= 42} File "bench/check-ce/if_assign.mlw", line 25, characters 12-23: Sub-goal Postcondition of goal fTest2'vc. Prover result is: Valid. File "bench/check-ce/if_assign.mlw", line 30, characters 23-30: Sub-goal Assertion of goal fTest2'vc. Prover result is: Valid. Categorizations of models: - Selected model 0: NC - Concrete RAC: FAILURE (postcondition at "bench/check-ce/if_assign.mlw", line 25, characters 12-23) - Abstract RAC: FAILURE (postcondition at "bench/check-ce/if_assign.mlw", line 25, characters 12-23) - Checked model 1: NC - Concrete RAC: FAILURE (postcondition at "bench/check-ce/if_assign.mlw", line 25, characters 12-23) - Abstract RAC: FAILURE (postcondition at "bench/check-ce/if_assign.mlw", line 25, characters 12-23) File "bench/check-ce/if_assign.mlw", line 25, characters 12-23: Sub-goal Postcondition of goal fTest2'vc. Prover result is: Unknown or time/memory/step limit. The program does not comply to the verification goal, for example during the following execution: File int.mlw: Line 13: Constant zero initialization zero = 0 Line 14: Constant one initialization one = 1 File if_assign.mlw: Line 7: Constant x initialization (giant-step) execution of unimplemented function with args: result = {contents= 0} x = {contents= 0} Line 24: a = (- 1) a = (- 1) Execution of main function `fTest2` with env: x = {contents= 0} a = (- 1) zero = 0 one = 1 Line 27: Normal execution of function `(=)` with args: x = (- 1) y = 0 Line 30: Normal execution of function `(:=)` with args: r = {contents= 0} v = 18 Line 25: Property failure at postcondition of `fTest2` with: result = 17 why3-1.6.0/bench/check-ce/oracles/if_assign_CVC5,1.0.0_SP.oracle000066400000000000000000000140411440160026300235210ustar00rootroot00000000000000Categorizations of models: - Selected model 0: NC - Concrete RAC: FAILURE (postcondition at "bench/check-ce/if_assign.mlw", line 10, characters 12-23) - Abstract RAC: FAILURE (postcondition at "bench/check-ce/if_assign.mlw", line 10, characters 12-23) - Checked model 1: NC - Concrete RAC: FAILURE (postcondition at "bench/check-ce/if_assign.mlw", line 10, characters 12-23) - Abstract RAC: FAILURE (postcondition at "bench/check-ce/if_assign.mlw", line 10, characters 12-23) File "bench/check-ce/if_assign.mlw", line 10, characters 12-23: Sub-goal Postcondition of goal f'vc. Prover result is: Unknown or time/memory/step limit. The program does not comply to the verification goal, for example during the following execution: File int.mlw: Line 13: Constant zero initialization zero = 0 Line 14: Constant one initialization one = 1 File if_assign.mlw: Line 7: Constant x initialization (giant-step) execution of unimplemented function with args: result = {contents= 0} x = {contents= 0} Line 9: _a = 0 _a = 0 Execution of main function `f` with env: x = {contents= 0} _a = 0 zero = 0 one = 1 Line 12: Normal execution of function `(:=)` with args: r = {contents= 0} v = 42 Line 13: Normal execution of function `(!)` with args: r = {contents= 42} File ref.mlw: Line 18: Normal execution of function `contents` with args: arg = {contents= 42} File if_assign.mlw: Line 10: Property failure at postcondition of `f` with: result = 42 Categorizations of models: - Selected model 0: NC - Concrete RAC: FAILURE (postcondition at "bench/check-ce/if_assign.mlw", line 16, characters 12-23) - Abstract RAC: FAILURE (postcondition at "bench/check-ce/if_assign.mlw", line 16, characters 12-23) - Checked model 1: NC - Concrete RAC: FAILURE (postcondition at "bench/check-ce/if_assign.mlw", line 16, characters 12-23) - Abstract RAC: FAILURE (postcondition at "bench/check-ce/if_assign.mlw", line 16, characters 12-23) File "bench/check-ce/if_assign.mlw", line 16, characters 12-23: Sub-goal Postcondition of goal fTest1'vc. Prover result is: Unknown or time/memory/step limit. The program does not comply to the verification goal, for example during the following execution: File int.mlw: Line 13: Constant zero initialization zero = 0 Line 14: Constant one initialization one = 1 File if_assign.mlw: Line 7: Constant x initialization (giant-step) execution of unimplemented function with args: result = {contents= 0} x = {contents= 0} Line 15: a = 0 a = 0 Execution of main function `fTest1` with env: x = {contents= 0} a = 0 zero = 0 one = 1 Line 18: Normal execution of function `(=)` with args: x = 0 y = 0 Line 22: Normal execution of function `(!)` with args: r = {contents= 42} File ref.mlw: Line 18: Normal execution of function `contents` with args: arg = {contents= 42} File if_assign.mlw: Line 16: Property failure at postcondition of `fTest1` with: result = 42 Categorizations of models: - Selected model 0: NC - Concrete RAC: FAILURE (assertion at "bench/check-ce/if_assign.mlw", line 28, characters 31-38) - Abstract RAC: FAILURE (assertion at "bench/check-ce/if_assign.mlw", line 28, characters 31-38) - Checked model 1: NC - Concrete RAC: FAILURE (assertion at "bench/check-ce/if_assign.mlw", line 28, characters 31-38) - Abstract RAC: FAILURE (assertion at "bench/check-ce/if_assign.mlw", line 28, characters 31-38) File "bench/check-ce/if_assign.mlw", line 28, characters 31-38: Sub-goal Assertion of goal fTest2'vc. Prover result is: Unknown or time/memory/step limit. The program does not comply to the verification goal, for example during the following execution: File int.mlw: Line 13: Constant zero initialization zero = 0 Line 14: Constant one initialization one = 1 File if_assign.mlw: Line 7: Constant x initialization (giant-step) execution of unimplemented function with args: result = {contents= 0} x = {contents= 0} Line 24: a = 0 a = 0 Execution of main function `fTest2` with env: x = {contents= 0} a = 0 zero = 0 one = 1 Line 27: Normal execution of function `(=)` with args: x = 0 y = 0 Line 28: Property failure at assertion with: x = {contents= 42} File "bench/check-ce/if_assign.mlw", line 30, characters 23-30: Sub-goal Assertion of goal fTest2'vc. Prover result is: Valid. Categorizations of models: - Selected model 0: NC - Concrete RAC: FAILURE (postcondition at "bench/check-ce/if_assign.mlw", line 25, characters 12-23) - Abstract RAC: FAILURE (postcondition at "bench/check-ce/if_assign.mlw", line 25, characters 12-23) - Checked model 1: NC - Concrete RAC: FAILURE (postcondition at "bench/check-ce/if_assign.mlw", line 25, characters 12-23) - Abstract RAC: FAILURE (postcondition at "bench/check-ce/if_assign.mlw", line 25, characters 12-23) File "bench/check-ce/if_assign.mlw", line 25, characters 12-23: Sub-goal Postcondition of goal fTest2'vc. Prover result is: Unknown or time/memory/step limit. The program does not comply to the verification goal, for example during the following execution: File int.mlw: Line 13: Constant zero initialization zero = 0 Line 14: Constant one initialization one = 1 File if_assign.mlw: Line 7: Constant x initialization (giant-step) execution of unimplemented function with args: result = {contents= 0} x = {contents= 0} Line 24: a = (- 1) a = (- 1) Execution of main function `fTest2` with env: x = {contents= 0} a = (- 1) zero = 0 one = 1 Line 27: Normal execution of function `(=)` with args: x = (- 1) y = 0 Line 30: Normal execution of function `(:=)` with args: r = {contents= 0} v = 18 Line 25: Property failure at postcondition of `fTest2` with: result = 17 why3-1.6.0/bench/check-ce/oracles/if_assign_CVC5,1.0.0_WP.oracle000066400000000000000000000175251440160026300235370ustar00rootroot00000000000000Categorizations of models: - Selected model 0: NC - Concrete RAC: FAILURE (postcondition at "bench/check-ce/if_assign.mlw", line 10, characters 12-23) - Abstract RAC: FAILURE (postcondition at "bench/check-ce/if_assign.mlw", line 10, characters 12-23) - Checked model 1: NC - Concrete RAC: FAILURE (postcondition at "bench/check-ce/if_assign.mlw", line 10, characters 12-23) - Abstract RAC: FAILURE (postcondition at "bench/check-ce/if_assign.mlw", line 10, characters 12-23) File "bench/check-ce/if_assign.mlw", line 10, characters 12-23: Sub-goal Postcondition of goal f'vc. Prover result is: Unknown or time/memory/step limit. The program does not comply to the verification goal, for example during the following execution: File int.mlw: Line 13: Constant zero initialization zero = 0 Line 14: Constant one initialization one = 1 File if_assign.mlw: Line 7: Constant x initialization (giant-step) execution of unimplemented function with args: result = {contents= 0} x = {contents= 0} Line 9: _a = 0 _a = 0 Execution of main function `f` with env: x = {contents= 0} _a = 0 zero = 0 one = 1 Line 12: Normal execution of function `(:=)` with args: r = {contents= 0} v = 42 Line 13: Normal execution of function `(!)` with args: r = {contents= 42} File ref.mlw: Line 18: Normal execution of function `contents` with args: arg = {contents= 42} File if_assign.mlw: Line 10: Property failure at postcondition of `f` with: result = 42 Categorizations of models: - Selected model 0: NC - Concrete RAC: FAILURE (postcondition at "bench/check-ce/if_assign.mlw", line 16, characters 12-23) - Abstract RAC: FAILURE (postcondition at "bench/check-ce/if_assign.mlw", line 16, characters 12-23) - Checked model 1: NC - Concrete RAC: FAILURE (postcondition at "bench/check-ce/if_assign.mlw", line 16, characters 12-23) - Abstract RAC: FAILURE (postcondition at "bench/check-ce/if_assign.mlw", line 16, characters 12-23) File "bench/check-ce/if_assign.mlw", line 16, characters 12-23: Sub-goal Postcondition of goal fTest1'vc. Prover result is: Unknown or time/memory/step limit. The program does not comply to the verification goal, for example during the following execution: File int.mlw: Line 13: Constant zero initialization zero = 0 Line 14: Constant one initialization one = 1 File if_assign.mlw: Line 7: Constant x initialization (giant-step) execution of unimplemented function with args: result = {contents= 0} x = {contents= 0} Line 15: a = 0 a = 0 Execution of main function `fTest1` with env: x = {contents= 0} a = 0 zero = 0 one = 1 Line 18: Normal execution of function `(=)` with args: x = 0 y = 0 Line 22: Normal execution of function `(!)` with args: r = {contents= 42} File ref.mlw: Line 18: Normal execution of function `contents` with args: arg = {contents= 42} File if_assign.mlw: Line 16: Property failure at postcondition of `fTest1` with: result = 42 Categorizations of models: - Selected model 0: NC - Concrete RAC: FAILURE (postcondition at "bench/check-ce/if_assign.mlw", line 16, characters 12-23) - Abstract RAC: FAILURE (postcondition at "bench/check-ce/if_assign.mlw", line 16, characters 12-23) - Checked model 1: NC - Concrete RAC: FAILURE (postcondition at "bench/check-ce/if_assign.mlw", line 16, characters 12-23) - Abstract RAC: FAILURE (postcondition at "bench/check-ce/if_assign.mlw", line 16, characters 12-23) File "bench/check-ce/if_assign.mlw", line 16, characters 12-23: Sub-goal Postcondition of goal fTest1'vc. Prover result is: Unknown or time/memory/step limit. The program does not comply to the verification goal, for example during the following execution: File int.mlw: Line 13: Constant zero initialization zero = 0 Line 14: Constant one initialization one = 1 File if_assign.mlw: Line 7: Constant x initialization (giant-step) execution of unimplemented function with args: result = {contents= 0} x = {contents= 0} Line 15: a = (- 1) a = (- 1) Execution of main function `fTest1` with env: x = {contents= 0} a = (- 1) zero = 0 one = 1 Line 18: Normal execution of function `(=)` with args: x = (- 1) y = 0 Line 21: Normal execution of function `(:=)` with args: r = {contents= 0} v = 18 Line 22: Normal execution of function `(!)` with args: r = {contents= 18} File ref.mlw: Line 18: Normal execution of function `contents` with args: arg = {contents= 18} File if_assign.mlw: Line 16: Property failure at postcondition of `fTest1` with: result = 18 Categorizations of models: - Selected model 0: NC - Concrete RAC: FAILURE (assertion at "bench/check-ce/if_assign.mlw", line 28, characters 31-38) - Abstract RAC: FAILURE (assertion at "bench/check-ce/if_assign.mlw", line 28, characters 31-38) - Checked model 1: NC - Concrete RAC: FAILURE (assertion at "bench/check-ce/if_assign.mlw", line 28, characters 31-38) - Abstract RAC: FAILURE (assertion at "bench/check-ce/if_assign.mlw", line 28, characters 31-38) File "bench/check-ce/if_assign.mlw", line 28, characters 31-38: Sub-goal Assertion of goal fTest2'vc. Prover result is: Unknown or time/memory/step limit. The program does not comply to the verification goal, for example during the following execution: File int.mlw: Line 13: Constant zero initialization zero = 0 Line 14: Constant one initialization one = 1 File if_assign.mlw: Line 7: Constant x initialization (giant-step) execution of unimplemented function with args: result = {contents= 0} x = {contents= 0} Line 24: a = 0 a = 0 Execution of main function `fTest2` with env: x = {contents= 0} a = 0 zero = 0 one = 1 Line 27: Normal execution of function `(=)` with args: x = 0 y = 0 Line 28: Property failure at assertion with: x = {contents= 42} File "bench/check-ce/if_assign.mlw", line 25, characters 12-23: Sub-goal Postcondition of goal fTest2'vc. Prover result is: Valid. File "bench/check-ce/if_assign.mlw", line 30, characters 23-30: Sub-goal Assertion of goal fTest2'vc. Prover result is: Valid. Categorizations of models: - Selected model 0: NC - Concrete RAC: FAILURE (postcondition at "bench/check-ce/if_assign.mlw", line 25, characters 12-23) - Abstract RAC: FAILURE (postcondition at "bench/check-ce/if_assign.mlw", line 25, characters 12-23) - Checked model 1: NC - Concrete RAC: FAILURE (postcondition at "bench/check-ce/if_assign.mlw", line 25, characters 12-23) - Abstract RAC: FAILURE (postcondition at "bench/check-ce/if_assign.mlw", line 25, characters 12-23) File "bench/check-ce/if_assign.mlw", line 25, characters 12-23: Sub-goal Postcondition of goal fTest2'vc. Prover result is: Unknown or time/memory/step limit. The program does not comply to the verification goal, for example during the following execution: File int.mlw: Line 13: Constant zero initialization zero = 0 Line 14: Constant one initialization one = 1 File if_assign.mlw: Line 7: Constant x initialization (giant-step) execution of unimplemented function with args: result = {contents= 0} x = {contents= 0} Line 24: a = (- 1) a = (- 1) Execution of main function `fTest2` with env: x = {contents= 0} a = (- 1) zero = 0 one = 1 Line 27: Normal execution of function `(=)` with args: x = (- 1) y = 0 Line 30: Normal execution of function `(:=)` with args: r = {contents= 0} v = 18 Line 25: Property failure at postcondition of `fTest2` with: result = 17 why3-1.6.0/bench/check-ce/oracles/if_assign_Z3,4.8.10_SP.oracle000066400000000000000000000140331440160026300234120ustar00rootroot00000000000000Categorizations of models: - Selected model 0: NC - Concrete RAC: FAILURE (postcondition at "bench/check-ce/if_assign.mlw", line 10, characters 12-23) - Abstract RAC: FAILURE (postcondition at "bench/check-ce/if_assign.mlw", line 10, characters 12-23) - Checked model 1: NC - Concrete RAC: FAILURE (postcondition at "bench/check-ce/if_assign.mlw", line 10, characters 12-23) - Abstract RAC: STUCK (failure in postcondition of `(:=)` at "WHY3DATA/stdlib/ref.mlw", line 20, characters 39-44) File "bench/check-ce/if_assign.mlw", line 10, characters 12-23: Sub-goal Postcondition of goal f'vc. Prover result is: Unknown or time/memory/step limit. The program does not comply to the verification goal, for example during the following execution: File int.mlw: Line 13: Constant zero initialization zero = 0 Line 14: Constant one initialization one = 1 File if_assign.mlw: Line 7: Constant x initialization (giant-step) execution of unimplemented function with args: result = {contents= 0} x = {contents= 0} Line 9: _a = 0 _a = 0 Execution of main function `f` with env: x = {contents= 0} _a = 0 zero = 0 one = 1 Line 12: Normal execution of function `(:=)` with args: r = {contents= 0} v = 42 Line 13: Normal execution of function `(!)` with args: r = {contents= 42} File ref.mlw: Line 18: Normal execution of function `contents` with args: arg = {contents= 42} File if_assign.mlw: Line 10: Property failure at postcondition of `f` with: result = 42 Categorizations of models: - Selected model 0: NC - Concrete RAC: FAILURE (postcondition at "bench/check-ce/if_assign.mlw", line 16, characters 12-23) - Abstract RAC: FAILURE (postcondition at "bench/check-ce/if_assign.mlw", line 16, characters 12-23) - Checked model 1: NC - Concrete RAC: FAILURE (postcondition at "bench/check-ce/if_assign.mlw", line 16, characters 12-23) - Abstract RAC: FAILURE (postcondition at "bench/check-ce/if_assign.mlw", line 16, characters 12-23) File "bench/check-ce/if_assign.mlw", line 16, characters 12-23: Sub-goal Postcondition of goal fTest1'vc. Prover result is: Unknown or time/memory/step limit. The program does not comply to the verification goal, for example during the following execution: File int.mlw: Line 13: Constant zero initialization zero = 0 Line 14: Constant one initialization one = 1 File if_assign.mlw: Line 7: Constant x initialization (giant-step) execution of unimplemented function with args: result = {contents= 0} x = {contents= 0} Line 15: a = 0 a = 0 Execution of main function `fTest1` with env: x = {contents= 0} a = 0 zero = 0 one = 1 Line 18: Normal execution of function `(=)` with args: x = 0 y = 0 Line 22: Normal execution of function `(!)` with args: r = {contents= 42} File ref.mlw: Line 18: Normal execution of function `contents` with args: arg = {contents= 42} File if_assign.mlw: Line 16: Property failure at postcondition of `fTest1` with: result = 42 Categorizations of models: - Selected model 0: NC - Concrete RAC: FAILURE (assertion at "bench/check-ce/if_assign.mlw", line 28, characters 31-38) - Abstract RAC: FAILURE (assertion at "bench/check-ce/if_assign.mlw", line 28, characters 31-38) - Checked model 1: NC - Concrete RAC: FAILURE (assertion at "bench/check-ce/if_assign.mlw", line 28, characters 31-38) - Abstract RAC: FAILURE (assertion at "bench/check-ce/if_assign.mlw", line 28, characters 31-38) File "bench/check-ce/if_assign.mlw", line 28, characters 31-38: Sub-goal Assertion of goal fTest2'vc. Prover result is: Unknown or time/memory/step limit. The program does not comply to the verification goal, for example during the following execution: File int.mlw: Line 13: Constant zero initialization zero = 0 Line 14: Constant one initialization one = 1 File if_assign.mlw: Line 7: Constant x initialization (giant-step) execution of unimplemented function with args: result = {contents= 0} x = {contents= 0} Line 24: a = 0 a = 0 Execution of main function `fTest2` with env: x = {contents= 0} a = 0 zero = 0 one = 1 Line 27: Normal execution of function `(=)` with args: x = 0 y = 0 Line 28: Property failure at assertion with: x = {contents= 42} File "bench/check-ce/if_assign.mlw", line 30, characters 23-30: Sub-goal Assertion of goal fTest2'vc. Prover result is: Valid. Categorizations of models: - Selected model 0: NC - Concrete RAC: FAILURE (postcondition at "bench/check-ce/if_assign.mlw", line 25, characters 12-23) - Abstract RAC: FAILURE (postcondition at "bench/check-ce/if_assign.mlw", line 25, characters 12-23) - Checked model 1: BAD_CE - Concrete RAC: FAILURE (assertion at "bench/check-ce/if_assign.mlw", line 28, characters 31-38) - Abstract RAC: FAILURE (assertion at "bench/check-ce/if_assign.mlw", line 28, characters 31-38) File "bench/check-ce/if_assign.mlw", line 25, characters 12-23: Sub-goal Postcondition of goal fTest2'vc. Prover result is: Unknown or time/memory/step limit. The program does not comply to the verification goal, for example during the following execution: File int.mlw: Line 13: Constant zero initialization zero = 0 Line 14: Constant one initialization one = 1 File if_assign.mlw: Line 7: Constant x initialization (giant-step) execution of unimplemented function with args: result = {contents= 0} x = {contents= 0} Line 24: a = 2 a = 2 Execution of main function `fTest2` with env: x = {contents= 0} a = 2 zero = 0 one = 1 Line 27: Normal execution of function `(=)` with args: x = 2 y = 0 Line 30: Normal execution of function `(:=)` with args: r = {contents= 0} v = 18 Line 25: Property failure at postcondition of `fTest2` with: result = 17 why3-1.6.0/bench/check-ce/oracles/if_assign_Z3,4.8.10_WP.oracle000066400000000000000000000174771440160026300234350ustar00rootroot00000000000000Categorizations of models: - Selected model 0: NC - Concrete RAC: FAILURE (postcondition at "bench/check-ce/if_assign.mlw", line 10, characters 12-23) - Abstract RAC: FAILURE (postcondition at "bench/check-ce/if_assign.mlw", line 10, characters 12-23) - Checked model 1: NC - Concrete RAC: FAILURE (postcondition at "bench/check-ce/if_assign.mlw", line 10, characters 12-23) - Abstract RAC: STUCK (failure in postcondition of `(:=)` at "WHY3DATA/stdlib/ref.mlw", line 20, characters 39-44) File "bench/check-ce/if_assign.mlw", line 10, characters 12-23: Sub-goal Postcondition of goal f'vc. Prover result is: Unknown or time/memory/step limit. The program does not comply to the verification goal, for example during the following execution: File int.mlw: Line 13: Constant zero initialization zero = 0 Line 14: Constant one initialization one = 1 File if_assign.mlw: Line 7: Constant x initialization (giant-step) execution of unimplemented function with args: result = {contents= 0} x = {contents= 0} Line 9: _a = 0 _a = 0 Execution of main function `f` with env: x = {contents= 0} _a = 0 zero = 0 one = 1 Line 12: Normal execution of function `(:=)` with args: r = {contents= 0} v = 42 Line 13: Normal execution of function `(!)` with args: r = {contents= 42} File ref.mlw: Line 18: Normal execution of function `contents` with args: arg = {contents= 42} File if_assign.mlw: Line 10: Property failure at postcondition of `f` with: result = 42 Categorizations of models: - Selected model 0: NC - Concrete RAC: FAILURE (postcondition at "bench/check-ce/if_assign.mlw", line 16, characters 12-23) - Abstract RAC: FAILURE (postcondition at "bench/check-ce/if_assign.mlw", line 16, characters 12-23) - Checked model 1: NC - Concrete RAC: FAILURE (postcondition at "bench/check-ce/if_assign.mlw", line 16, characters 12-23) - Abstract RAC: FAILURE (postcondition at "bench/check-ce/if_assign.mlw", line 16, characters 12-23) File "bench/check-ce/if_assign.mlw", line 16, characters 12-23: Sub-goal Postcondition of goal fTest1'vc. Prover result is: Unknown or time/memory/step limit. The program does not comply to the verification goal, for example during the following execution: File int.mlw: Line 13: Constant zero initialization zero = 0 Line 14: Constant one initialization one = 1 File if_assign.mlw: Line 7: Constant x initialization (giant-step) execution of unimplemented function with args: result = {contents= 0} x = {contents= 0} Line 15: a = 0 a = 0 Execution of main function `fTest1` with env: x = {contents= 0} a = 0 zero = 0 one = 1 Line 18: Normal execution of function `(=)` with args: x = 0 y = 0 Line 22: Normal execution of function `(!)` with args: r = {contents= 42} File ref.mlw: Line 18: Normal execution of function `contents` with args: arg = {contents= 42} File if_assign.mlw: Line 16: Property failure at postcondition of `fTest1` with: result = 42 Categorizations of models: - Selected model 0: NC - Concrete RAC: FAILURE (postcondition at "bench/check-ce/if_assign.mlw", line 16, characters 12-23) - Abstract RAC: FAILURE (postcondition at "bench/check-ce/if_assign.mlw", line 16, characters 12-23) - Checked model 1: NC - Concrete RAC: FAILURE (postcondition at "bench/check-ce/if_assign.mlw", line 16, characters 12-23) - Abstract RAC: FAILURE (postcondition at "bench/check-ce/if_assign.mlw", line 16, characters 12-23) File "bench/check-ce/if_assign.mlw", line 16, characters 12-23: Sub-goal Postcondition of goal fTest1'vc. Prover result is: Unknown or time/memory/step limit. The program does not comply to the verification goal, for example during the following execution: File int.mlw: Line 13: Constant zero initialization zero = 0 Line 14: Constant one initialization one = 1 File if_assign.mlw: Line 7: Constant x initialization (giant-step) execution of unimplemented function with args: result = {contents= 0} x = {contents= 0} Line 15: a = 2 a = 2 Execution of main function `fTest1` with env: x = {contents= 0} a = 2 zero = 0 one = 1 Line 18: Normal execution of function `(=)` with args: x = 2 y = 0 Line 21: Normal execution of function `(:=)` with args: r = {contents= 0} v = 18 Line 22: Normal execution of function `(!)` with args: r = {contents= 18} File ref.mlw: Line 18: Normal execution of function `contents` with args: arg = {contents= 18} File if_assign.mlw: Line 16: Property failure at postcondition of `fTest1` with: result = 18 Categorizations of models: - Selected model 0: NC - Concrete RAC: FAILURE (assertion at "bench/check-ce/if_assign.mlw", line 28, characters 31-38) - Abstract RAC: FAILURE (assertion at "bench/check-ce/if_assign.mlw", line 28, characters 31-38) - Checked model 1: NC - Concrete RAC: FAILURE (assertion at "bench/check-ce/if_assign.mlw", line 28, characters 31-38) - Abstract RAC: FAILURE (assertion at "bench/check-ce/if_assign.mlw", line 28, characters 31-38) File "bench/check-ce/if_assign.mlw", line 28, characters 31-38: Sub-goal Assertion of goal fTest2'vc. Prover result is: Unknown or time/memory/step limit. The program does not comply to the verification goal, for example during the following execution: File int.mlw: Line 13: Constant zero initialization zero = 0 Line 14: Constant one initialization one = 1 File if_assign.mlw: Line 7: Constant x initialization (giant-step) execution of unimplemented function with args: result = {contents= 0} x = {contents= 0} Line 24: a = 0 a = 0 Execution of main function `fTest2` with env: x = {contents= 0} a = 0 zero = 0 one = 1 Line 27: Normal execution of function `(=)` with args: x = 0 y = 0 Line 28: Property failure at assertion with: x = {contents= 42} File "bench/check-ce/if_assign.mlw", line 25, characters 12-23: Sub-goal Postcondition of goal fTest2'vc. Prover result is: Valid. File "bench/check-ce/if_assign.mlw", line 30, characters 23-30: Sub-goal Assertion of goal fTest2'vc. Prover result is: Valid. Categorizations of models: - Selected model 0: NC - Concrete RAC: FAILURE (postcondition at "bench/check-ce/if_assign.mlw", line 25, characters 12-23) - Abstract RAC: FAILURE (postcondition at "bench/check-ce/if_assign.mlw", line 25, characters 12-23) - Checked model 1: BAD_CE - Concrete RAC: FAILURE (assertion at "bench/check-ce/if_assign.mlw", line 28, characters 31-38) - Abstract RAC: FAILURE (assertion at "bench/check-ce/if_assign.mlw", line 28, characters 31-38) File "bench/check-ce/if_assign.mlw", line 25, characters 12-23: Sub-goal Postcondition of goal fTest2'vc. Prover result is: Unknown or time/memory/step limit. The program does not comply to the verification goal, for example during the following execution: File int.mlw: Line 13: Constant zero initialization zero = 0 Line 14: Constant one initialization one = 1 File if_assign.mlw: Line 7: Constant x initialization (giant-step) execution of unimplemented function with args: result = {contents= 0} x = {contents= 0} Line 24: a = 2 a = 2 Execution of main function `fTest2` with env: x = {contents= 0} a = 2 zero = 0 one = 1 Line 27: Normal execution of function `(=)` with args: x = 2 y = 0 Line 30: Normal execution of function `(:=)` with args: r = {contents= 0} v = 18 Line 25: Property failure at postcondition of `fTest2` with: result = 17 why3-1.6.0/bench/check-ce/oracles/if_decision_branch_CVC4,1.8_SP.oracle000066400000000000000000000033501440160026300252210ustar00rootroot00000000000000Categorizations of models: - Selected model 0: NC - Concrete RAC: FAILURE (postcondition at "bench/check-ce/if_decision_branch.mlw", line 19, characters 13-23) - Abstract RAC: FAILURE (postcondition at "bench/check-ce/if_decision_branch.mlw", line 19, characters 13-23) - Checked model 1: NC - Concrete RAC: FAILURE (postcondition at "bench/check-ce/if_decision_branch.mlw", line 19, characters 13-23) - Abstract RAC: FAILURE (postcondition at "bench/check-ce/if_decision_branch.mlw", line 19, characters 13-23) File "bench/check-ce/if_decision_branch.mlw", line 19, characters 13-23: Sub-goal Postcondition of goal f'vc. Prover result is: Unknown (sat). The program does not comply to the verification goal, for example during the following execution: File int.mlw: Line 13: Constant zero initialization zero = 0 Line 14: Constant one initialization one = 1 File if_decision_branch.mlw: Line 8: Constant path_selector initialization (giant-step) execution of unimplemented function with args: result = {sel_path= false} path_selector = {sel_path= false} Line 18: a = 0 a = 0 Execution of main function `f` with env: path_selector = {sel_path= false} a = 0 zero = 0 one = 1 Line 22: Normal execution of function `(=)` with args: x = 0 y = 1 Normal execution of function `sel_path` with args: arg = {sel_path= false} Line 25: Normal execution of function `True` with args: Line 27: Normal execution of function `(=)` with args: x = 0 y = 5 Normal execution of function `sel_path` with args: arg = {sel_path= false} Line 19: Property failure at postcondition of `f` with: result = 22 why3-1.6.0/bench/check-ce/oracles/if_decision_branch_CVC4,1.8_WP.oracle000066400000000000000000000035601440160026300252300ustar00rootroot00000000000000File "bench/check-ce/if_decision_branch.mlw", line 19, characters 13-23: Sub-goal Postcondition of goal f'vc. Prover result is: Valid. Categorizations of models: - Selected model 0: NC - Concrete RAC: FAILURE (postcondition at "bench/check-ce/if_decision_branch.mlw", line 19, characters 13-23) - Abstract RAC: FAILURE (postcondition at "bench/check-ce/if_decision_branch.mlw", line 19, characters 13-23) - Checked model 1: NC - Concrete RAC: FAILURE (postcondition at "bench/check-ce/if_decision_branch.mlw", line 19, characters 13-23) - Abstract RAC: FAILURE (postcondition at "bench/check-ce/if_decision_branch.mlw", line 19, characters 13-23) File "bench/check-ce/if_decision_branch.mlw", line 19, characters 13-23: Sub-goal Postcondition of goal f'vc. Prover result is: Unknown (sat). The program does not comply to the verification goal, for example during the following execution: File int.mlw: Line 13: Constant zero initialization zero = 0 Line 14: Constant one initialization one = 1 File if_decision_branch.mlw: Line 8: Constant path_selector initialization (giant-step) execution of unimplemented function with args: result = {sel_path= false} path_selector = {sel_path= false} Line 18: a = 0 a = 0 Execution of main function `f` with env: path_selector = {sel_path= false} a = 0 zero = 0 one = 1 Line 22: Normal execution of function `(=)` with args: x = 0 y = 1 Normal execution of function `sel_path` with args: arg = {sel_path= false} Line 25: Normal execution of function `True` with args: Line 27: Normal execution of function `(=)` with args: x = 0 y = 5 Normal execution of function `sel_path` with args: arg = {sel_path= false} Line 19: Property failure at postcondition of `f` with: result = 22 why3-1.6.0/bench/check-ce/oracles/if_decision_branch_CVC5,1.0.0_SP.oracle000066400000000000000000000033471440160026300253560ustar00rootroot00000000000000Categorizations of models: - Selected model 0: NC - Concrete RAC: FAILURE (postcondition at "bench/check-ce/if_decision_branch.mlw", line 19, characters 13-23) - Abstract RAC: FAILURE (postcondition at "bench/check-ce/if_decision_branch.mlw", line 19, characters 13-23) - Checked model 1: NC - Concrete RAC: FAILURE (postcondition at "bench/check-ce/if_decision_branch.mlw", line 19, characters 13-23) - Abstract RAC: FAILURE (postcondition at "bench/check-ce/if_decision_branch.mlw", line 19, characters 13-23) File "bench/check-ce/if_decision_branch.mlw", line 19, characters 13-23: Sub-goal Postcondition of goal f'vc. Prover result is: Unknown (sat). The program does not comply to the verification goal, for example during the following execution: File int.mlw: Line 13: Constant zero initialization zero = 0 Line 14: Constant one initialization one = 1 File if_decision_branch.mlw: Line 8: Constant path_selector initialization (giant-step) execution of unimplemented function with args: result = {sel_path= false} path_selector = {sel_path= false} Line 18: a = 5 a = 5 Execution of main function `f` with env: path_selector = {sel_path= false} a = 5 zero = 0 one = 1 Line 22: Normal execution of function `(=)` with args: x = 5 y = 1 Normal execution of function `sel_path` with args: arg = {sel_path= false} Line 25: Normal execution of function `True` with args: Line 27: Normal execution of function `(=)` with args: x = 5 y = 5 Normal execution of function `sel_path` with args: arg = {sel_path= true} Line 19: Property failure at postcondition of `f` with: result = 15 why3-1.6.0/bench/check-ce/oracles/if_decision_branch_CVC5,1.0.0_WP.oracle000066400000000000000000000035571440160026300253650ustar00rootroot00000000000000File "bench/check-ce/if_decision_branch.mlw", line 19, characters 13-23: Sub-goal Postcondition of goal f'vc. Prover result is: Valid. Categorizations of models: - Selected model 0: NC - Concrete RAC: FAILURE (postcondition at "bench/check-ce/if_decision_branch.mlw", line 19, characters 13-23) - Abstract RAC: FAILURE (postcondition at "bench/check-ce/if_decision_branch.mlw", line 19, characters 13-23) - Checked model 1: NC - Concrete RAC: FAILURE (postcondition at "bench/check-ce/if_decision_branch.mlw", line 19, characters 13-23) - Abstract RAC: FAILURE (postcondition at "bench/check-ce/if_decision_branch.mlw", line 19, characters 13-23) File "bench/check-ce/if_decision_branch.mlw", line 19, characters 13-23: Sub-goal Postcondition of goal f'vc. Prover result is: Unknown (sat). The program does not comply to the verification goal, for example during the following execution: File int.mlw: Line 13: Constant zero initialization zero = 0 Line 14: Constant one initialization one = 1 File if_decision_branch.mlw: Line 8: Constant path_selector initialization (giant-step) execution of unimplemented function with args: result = {sel_path= false} path_selector = {sel_path= false} Line 18: a = 5 a = 5 Execution of main function `f` with env: path_selector = {sel_path= false} a = 5 zero = 0 one = 1 Line 22: Normal execution of function `(=)` with args: x = 5 y = 1 Normal execution of function `sel_path` with args: arg = {sel_path= false} Line 25: Normal execution of function `True` with args: Line 27: Normal execution of function `(=)` with args: x = 5 y = 5 Normal execution of function `sel_path` with args: arg = {sel_path= true} Line 19: Property failure at postcondition of `f` with: result = 15 why3-1.6.0/bench/check-ce/oracles/if_decision_branch_Z3,4.8.10_SP.oracle000066400000000000000000000033471440160026300252460ustar00rootroot00000000000000Categorizations of models: - Selected model 0: NC - Concrete RAC: FAILURE (postcondition at "bench/check-ce/if_decision_branch.mlw", line 19, characters 13-23) - Abstract RAC: FAILURE (postcondition at "bench/check-ce/if_decision_branch.mlw", line 19, characters 13-23) - Checked model 1: NC - Concrete RAC: FAILURE (postcondition at "bench/check-ce/if_decision_branch.mlw", line 19, characters 13-23) - Abstract RAC: FAILURE (postcondition at "bench/check-ce/if_decision_branch.mlw", line 19, characters 13-23) File "bench/check-ce/if_decision_branch.mlw", line 19, characters 13-23: Sub-goal Postcondition of goal f'vc. Prover result is: Unknown (sat). The program does not comply to the verification goal, for example during the following execution: File int.mlw: Line 13: Constant zero initialization zero = 0 Line 14: Constant one initialization one = 1 File if_decision_branch.mlw: Line 8: Constant path_selector initialization (giant-step) execution of unimplemented function with args: result = {sel_path= false} path_selector = {sel_path= false} Line 18: a = 5 a = 5 Execution of main function `f` with env: path_selector = {sel_path= false} a = 5 zero = 0 one = 1 Line 22: Normal execution of function `(=)` with args: x = 5 y = 1 Normal execution of function `sel_path` with args: arg = {sel_path= false} Line 25: Normal execution of function `True` with args: Line 27: Normal execution of function `(=)` with args: x = 5 y = 5 Normal execution of function `sel_path` with args: arg = {sel_path= true} Line 19: Property failure at postcondition of `f` with: result = 15 why3-1.6.0/bench/check-ce/oracles/if_decision_branch_Z3,4.8.10_WP.oracle000066400000000000000000000035571440160026300252550ustar00rootroot00000000000000File "bench/check-ce/if_decision_branch.mlw", line 19, characters 13-23: Sub-goal Postcondition of goal f'vc. Prover result is: Valid. Categorizations of models: - Selected model 0: NC - Concrete RAC: FAILURE (postcondition at "bench/check-ce/if_decision_branch.mlw", line 19, characters 13-23) - Abstract RAC: FAILURE (postcondition at "bench/check-ce/if_decision_branch.mlw", line 19, characters 13-23) - Checked model 1: NC - Concrete RAC: FAILURE (postcondition at "bench/check-ce/if_decision_branch.mlw", line 19, characters 13-23) - Abstract RAC: FAILURE (postcondition at "bench/check-ce/if_decision_branch.mlw", line 19, characters 13-23) File "bench/check-ce/if_decision_branch.mlw", line 19, characters 13-23: Sub-goal Postcondition of goal f'vc. Prover result is: Unknown (sat). The program does not comply to the verification goal, for example during the following execution: File int.mlw: Line 13: Constant zero initialization zero = 0 Line 14: Constant one initialization one = 1 File if_decision_branch.mlw: Line 8: Constant path_selector initialization (giant-step) execution of unimplemented function with args: result = {sel_path= false} path_selector = {sel_path= false} Line 18: a = 5 a = 5 Execution of main function `f` with env: path_selector = {sel_path= false} a = 5 zero = 0 one = 1 Line 22: Normal execution of function `(=)` with args: x = 5 y = 1 Normal execution of function `sel_path` with args: arg = {sel_path= false} Line 25: Normal execution of function `True` with args: Line 27: Normal execution of function `(=)` with args: x = 5 y = 5 Normal execution of function `sel_path` with args: arg = {sel_path= true} Line 19: Property failure at postcondition of `f` with: result = 15 why3-1.6.0/bench/check-ce/oracles/int32_CVC4,1.8_SP.oracle000066400000000000000000000036511440160026300223740ustar00rootroot00000000000000File "bench/check-ce/int32.mlw", line 9, characters 9-14: Sub-goal Integer overflow of goal dummy_update'vc. Prover result is: Valid. Categorizations of models: - Selected model 0: NC - Concrete RAC: FAILURE (postcondition at "bench/check-ce/int32.mlw", line 7, characters 14-30) - Abstract RAC: FAILURE (postcondition at "bench/check-ce/int32.mlw", line 7, characters 14-30) - Checked model 1: NC - Concrete RAC: FAILURE (postcondition at "bench/check-ce/int32.mlw", line 7, characters 14-30) - Abstract RAC: FAILURE (postcondition at "bench/check-ce/int32.mlw", line 7, characters 14-30) File "bench/check-ce/int32.mlw", line 7, characters 14-30: Sub-goal Postcondition of goal dummy_update'vc. Prover result is: Unknown or time/memory/step limit. The program does not comply to the verification goal, for example during the following execution: File int.mlw: Line 13: Constant zero initialization zero = 0 Line 14: Constant one initialization one = 1 File int.mlw: Line 258: Constant min_int32 initialization min_int32 = (-2147483648) Line 259: Constant max_int32 initialization max_int32 = 2147483647 File int32.mlw: Line 5: r = {contents= epsilon x:int32. int32'int x = 22} r = {contents= epsilon x:int32. int32'int x = 22} Execution of main function `dummy_update` with env: r = {contents= epsilon x:int32. int32'int x = 22} zero = 0 one = 1 min_int32 = (-2147483648) max_int32 = 2147483647 Line 9: Normal execution of function `contents` with args: arg = {contents= 42} Normal execution of function `contents` with args: arg = {contents= 42} (giant-step) execution of unimplemented function `(+)` a = 42 b = 42 result of `(+)` = epsilon x:int32. int32'int x = 84 Line 7: Property failure at postcondition of `dummy_update` with: r = {contents= epsilon x:int32. int32'int x = 84} why3-1.6.0/bench/check-ce/oracles/int32_CVC4,1.8_WP.oracle000066400000000000000000000036511440160026300224000ustar00rootroot00000000000000File "bench/check-ce/int32.mlw", line 9, characters 9-14: Sub-goal Integer overflow of goal dummy_update'vc. Prover result is: Valid. Categorizations of models: - Selected model 0: NC - Concrete RAC: FAILURE (postcondition at "bench/check-ce/int32.mlw", line 7, characters 14-30) - Abstract RAC: FAILURE (postcondition at "bench/check-ce/int32.mlw", line 7, characters 14-30) - Checked model 1: NC - Concrete RAC: FAILURE (postcondition at "bench/check-ce/int32.mlw", line 7, characters 14-30) - Abstract RAC: FAILURE (postcondition at "bench/check-ce/int32.mlw", line 7, characters 14-30) File "bench/check-ce/int32.mlw", line 7, characters 14-30: Sub-goal Postcondition of goal dummy_update'vc. Prover result is: Unknown or time/memory/step limit. The program does not comply to the verification goal, for example during the following execution: File int.mlw: Line 13: Constant zero initialization zero = 0 Line 14: Constant one initialization one = 1 File int.mlw: Line 258: Constant min_int32 initialization min_int32 = (-2147483648) Line 259: Constant max_int32 initialization max_int32 = 2147483647 File int32.mlw: Line 5: r = {contents= epsilon x:int32. int32'int x = 22} r = {contents= epsilon x:int32. int32'int x = 22} Execution of main function `dummy_update` with env: r = {contents= epsilon x:int32. int32'int x = 22} zero = 0 one = 1 min_int32 = (-2147483648) max_int32 = 2147483647 Line 9: Normal execution of function `contents` with args: arg = {contents= 42} Normal execution of function `contents` with args: arg = {contents= 42} (giant-step) execution of unimplemented function `(+)` a = 42 b = 42 result of `(+)` = epsilon x:int32. int32'int x = 84 Line 7: Property failure at postcondition of `dummy_update` with: r = {contents= epsilon x:int32. int32'int x = 84} why3-1.6.0/bench/check-ce/oracles/int32_CVC5,1.0.0_SP.oracle000066400000000000000000000036511440160026300225230ustar00rootroot00000000000000File "bench/check-ce/int32.mlw", line 9, characters 9-14: Sub-goal Integer overflow of goal dummy_update'vc. Prover result is: Valid. Categorizations of models: - Selected model 0: NC - Concrete RAC: FAILURE (postcondition at "bench/check-ce/int32.mlw", line 7, characters 14-30) - Abstract RAC: FAILURE (postcondition at "bench/check-ce/int32.mlw", line 7, characters 14-30) - Checked model 1: NC - Concrete RAC: FAILURE (postcondition at "bench/check-ce/int32.mlw", line 7, characters 14-30) - Abstract RAC: FAILURE (postcondition at "bench/check-ce/int32.mlw", line 7, characters 14-30) File "bench/check-ce/int32.mlw", line 7, characters 14-30: Sub-goal Postcondition of goal dummy_update'vc. Prover result is: Unknown or time/memory/step limit. The program does not comply to the verification goal, for example during the following execution: File int.mlw: Line 13: Constant zero initialization zero = 0 Line 14: Constant one initialization one = 1 File int.mlw: Line 258: Constant min_int32 initialization min_int32 = (-2147483648) Line 259: Constant max_int32 initialization max_int32 = 2147483647 File int32.mlw: Line 5: r = {contents= epsilon x:int32. int32'int x = 22} r = {contents= epsilon x:int32. int32'int x = 22} Execution of main function `dummy_update` with env: r = {contents= epsilon x:int32. int32'int x = 22} zero = 0 one = 1 min_int32 = (-2147483648) max_int32 = 2147483647 Line 9: Normal execution of function `contents` with args: arg = {contents= 42} Normal execution of function `contents` with args: arg = {contents= 42} (giant-step) execution of unimplemented function `(+)` a = 42 b = 42 result of `(+)` = epsilon x:int32. int32'int x = 84 Line 7: Property failure at postcondition of `dummy_update` with: r = {contents= epsilon x:int32. int32'int x = 84} why3-1.6.0/bench/check-ce/oracles/int32_CVC5,1.0.0_WP.oracle000066400000000000000000000036511440160026300225270ustar00rootroot00000000000000File "bench/check-ce/int32.mlw", line 9, characters 9-14: Sub-goal Integer overflow of goal dummy_update'vc. Prover result is: Valid. Categorizations of models: - Selected model 0: NC - Concrete RAC: FAILURE (postcondition at "bench/check-ce/int32.mlw", line 7, characters 14-30) - Abstract RAC: FAILURE (postcondition at "bench/check-ce/int32.mlw", line 7, characters 14-30) - Checked model 1: NC - Concrete RAC: FAILURE (postcondition at "bench/check-ce/int32.mlw", line 7, characters 14-30) - Abstract RAC: FAILURE (postcondition at "bench/check-ce/int32.mlw", line 7, characters 14-30) File "bench/check-ce/int32.mlw", line 7, characters 14-30: Sub-goal Postcondition of goal dummy_update'vc. Prover result is: Unknown or time/memory/step limit. The program does not comply to the verification goal, for example during the following execution: File int.mlw: Line 13: Constant zero initialization zero = 0 Line 14: Constant one initialization one = 1 File int.mlw: Line 258: Constant min_int32 initialization min_int32 = (-2147483648) Line 259: Constant max_int32 initialization max_int32 = 2147483647 File int32.mlw: Line 5: r = {contents= epsilon x:int32. int32'int x = 22} r = {contents= epsilon x:int32. int32'int x = 22} Execution of main function `dummy_update` with env: r = {contents= epsilon x:int32. int32'int x = 22} zero = 0 one = 1 min_int32 = (-2147483648) max_int32 = 2147483647 Line 9: Normal execution of function `contents` with args: arg = {contents= 42} Normal execution of function `contents` with args: arg = {contents= 42} (giant-step) execution of unimplemented function `(+)` a = 42 b = 42 result of `(+)` = epsilon x:int32. int32'int x = 84 Line 7: Property failure at postcondition of `dummy_update` with: r = {contents= epsilon x:int32. int32'int x = 84} why3-1.6.0/bench/check-ce/oracles/int32_Z3,4.8.10_SP.oracle000066400000000000000000000036671440160026300224220ustar00rootroot00000000000000File "bench/check-ce/int32.mlw", line 9, characters 9-14: Sub-goal Integer overflow of goal dummy_update'vc. Prover result is: Valid. Categorizations of models: - Selected model 0: NC - Concrete RAC: FAILURE (postcondition at "bench/check-ce/int32.mlw", line 7, characters 14-30) - Abstract RAC: FAILURE (postcondition at "bench/check-ce/int32.mlw", line 7, characters 14-30) - Checked model 1: INCOMPLETE - Concrete RAC: INCOMPLETE (terminated because Precondition of `dummy_update` cannot be evaluated) - Abstract RAC: INCOMPLETE (terminated because Precondition of `dummy_update` cannot be evaluated) File "bench/check-ce/int32.mlw", line 7, characters 14-30: Sub-goal Postcondition of goal dummy_update'vc. Prover result is: Unknown or time/memory/step limit. The program does not comply to the verification goal, for example during the following execution: File int.mlw: Line 13: Constant zero initialization zero = 0 Line 14: Constant one initialization one = 1 File int.mlw: Line 258: Constant min_int32 initialization min_int32 = (-2147483648) Line 259: Constant max_int32 initialization max_int32 = 2147483647 File int32.mlw: Line 5: r = {contents= epsilon x:int32. int32'int x = 22} r = {contents= epsilon x:int32. int32'int x = 22} Execution of main function `dummy_update` with env: r = {contents= epsilon x:int32. int32'int x = 22} zero = 0 one = 1 min_int32 = (-2147483648) max_int32 = 2147483647 Line 9: Normal execution of function `contents` with args: arg = {contents= 42} Normal execution of function `contents` with args: arg = {contents= 42} (giant-step) execution of unimplemented function `(+)` a = 42 b = 42 result of `(+)` = epsilon x:int32. int32'int x = 84 Line 7: Property failure at postcondition of `dummy_update` with: r = {contents= epsilon x:int32. int32'int x = 84} why3-1.6.0/bench/check-ce/oracles/int32_Z3,4.8.10_WP.oracle000066400000000000000000000036671440160026300224260ustar00rootroot00000000000000File "bench/check-ce/int32.mlw", line 9, characters 9-14: Sub-goal Integer overflow of goal dummy_update'vc. Prover result is: Valid. Categorizations of models: - Selected model 0: NC - Concrete RAC: FAILURE (postcondition at "bench/check-ce/int32.mlw", line 7, characters 14-30) - Abstract RAC: FAILURE (postcondition at "bench/check-ce/int32.mlw", line 7, characters 14-30) - Checked model 1: INCOMPLETE - Concrete RAC: INCOMPLETE (terminated because Precondition of `dummy_update` cannot be evaluated) - Abstract RAC: INCOMPLETE (terminated because Precondition of `dummy_update` cannot be evaluated) File "bench/check-ce/int32.mlw", line 7, characters 14-30: Sub-goal Postcondition of goal dummy_update'vc. Prover result is: Unknown or time/memory/step limit. The program does not comply to the verification goal, for example during the following execution: File int.mlw: Line 13: Constant zero initialization zero = 0 Line 14: Constant one initialization one = 1 File int.mlw: Line 258: Constant min_int32 initialization min_int32 = (-2147483648) Line 259: Constant max_int32 initialization max_int32 = 2147483647 File int32.mlw: Line 5: r = {contents= epsilon x:int32. int32'int x = 22} r = {contents= epsilon x:int32. int32'int x = 22} Execution of main function `dummy_update` with env: r = {contents= epsilon x:int32. int32'int x = 22} zero = 0 one = 1 min_int32 = (-2147483648) max_int32 = 2147483647 Line 9: Normal execution of function `contents` with args: arg = {contents= 42} Normal execution of function `contents` with args: arg = {contents= 42} (giant-step) execution of unimplemented function `(+)` a = 42 b = 42 result of `(+)` = epsilon x:int32. int32'int x = 84 Line 7: Property failure at postcondition of `dummy_update` with: r = {contents= epsilon x:int32. int32'int x = 84} why3-1.6.0/bench/check-ce/oracles/int32_mono_CVC4,1.8_SP.oracle000066400000000000000000000036271440160026300234270ustar00rootroot00000000000000File "bench/check-ce/int32_mono.mlw", line 11, characters 11-20: Sub-goal Integer overflow of goal dummy_update'vc. Prover result is: Valid. Categorizations of models: - Selected model 0: NC - Concrete RAC: FAILURE (postcondition at "bench/check-ce/int32_mono.mlw", line 9, characters 14-32) - Abstract RAC: FAILURE (postcondition at "bench/check-ce/int32_mono.mlw", line 9, characters 14-32) - Checked model 1: NC - Concrete RAC: FAILURE (postcondition at "bench/check-ce/int32_mono.mlw", line 9, characters 14-32) - Abstract RAC: FAILURE (postcondition at "bench/check-ce/int32_mono.mlw", line 9, characters 14-32) File "bench/check-ce/int32_mono.mlw", line 9, characters 14-32: Sub-goal Postcondition of goal dummy_update'vc. Prover result is: Unknown or time/memory/step limit. The program does not comply to the verification goal, for example during the following execution: File int.mlw: Line 13: Constant zero initialization zero = 0 Line 14: Constant one initialization one = 1 File int.mlw: Line 258: Constant min_int32 initialization min_int32 = (-2147483648) Line 259: Constant max_int32 initialization max_int32 = 2147483647 File int32_mono.mlw: Line 7: r = {c= epsilon x:int32. int32'int x = 22} r = {c= epsilon x:int32. int32'int x = 22} Execution of main function `dummy_update` with env: r = {c= epsilon x:int32. int32'int x = 22} zero = 0 one = 1 min_int32 = (-2147483648) max_int32 = 2147483647 Line 11: Normal execution of function `c` with args: arg = {c= 42} Normal execution of function `c` with args: arg = {c= 42} (giant-step) execution of unimplemented function `(+)` a = 42 b = 42 result of `(+)` = epsilon x:int32. int32'int x = 84 Line 9: Property failure at postcondition of `dummy_update` with: r = {c= epsilon x:int32. int32'int x = 84} why3-1.6.0/bench/check-ce/oracles/int32_mono_CVC4,1.8_WP.oracle000066400000000000000000000036271440160026300234330ustar00rootroot00000000000000File "bench/check-ce/int32_mono.mlw", line 11, characters 11-20: Sub-goal Integer overflow of goal dummy_update'vc. Prover result is: Valid. Categorizations of models: - Selected model 0: NC - Concrete RAC: FAILURE (postcondition at "bench/check-ce/int32_mono.mlw", line 9, characters 14-32) - Abstract RAC: FAILURE (postcondition at "bench/check-ce/int32_mono.mlw", line 9, characters 14-32) - Checked model 1: NC - Concrete RAC: FAILURE (postcondition at "bench/check-ce/int32_mono.mlw", line 9, characters 14-32) - Abstract RAC: FAILURE (postcondition at "bench/check-ce/int32_mono.mlw", line 9, characters 14-32) File "bench/check-ce/int32_mono.mlw", line 9, characters 14-32: Sub-goal Postcondition of goal dummy_update'vc. Prover result is: Unknown or time/memory/step limit. The program does not comply to the verification goal, for example during the following execution: File int.mlw: Line 13: Constant zero initialization zero = 0 Line 14: Constant one initialization one = 1 File int.mlw: Line 258: Constant min_int32 initialization min_int32 = (-2147483648) Line 259: Constant max_int32 initialization max_int32 = 2147483647 File int32_mono.mlw: Line 7: r = {c= epsilon x:int32. int32'int x = 22} r = {c= epsilon x:int32. int32'int x = 22} Execution of main function `dummy_update` with env: r = {c= epsilon x:int32. int32'int x = 22} zero = 0 one = 1 min_int32 = (-2147483648) max_int32 = 2147483647 Line 11: Normal execution of function `c` with args: arg = {c= 42} Normal execution of function `c` with args: arg = {c= 42} (giant-step) execution of unimplemented function `(+)` a = 42 b = 42 result of `(+)` = epsilon x:int32. int32'int x = 84 Line 9: Property failure at postcondition of `dummy_update` with: r = {c= epsilon x:int32. int32'int x = 84} why3-1.6.0/bench/check-ce/oracles/int32_mono_CVC5,1.0.0_SP.oracle000066400000000000000000000036271440160026300235560ustar00rootroot00000000000000File "bench/check-ce/int32_mono.mlw", line 11, characters 11-20: Sub-goal Integer overflow of goal dummy_update'vc. Prover result is: Valid. Categorizations of models: - Selected model 0: NC - Concrete RAC: FAILURE (postcondition at "bench/check-ce/int32_mono.mlw", line 9, characters 14-32) - Abstract RAC: FAILURE (postcondition at "bench/check-ce/int32_mono.mlw", line 9, characters 14-32) - Checked model 1: NC - Concrete RAC: FAILURE (postcondition at "bench/check-ce/int32_mono.mlw", line 9, characters 14-32) - Abstract RAC: FAILURE (postcondition at "bench/check-ce/int32_mono.mlw", line 9, characters 14-32) File "bench/check-ce/int32_mono.mlw", line 9, characters 14-32: Sub-goal Postcondition of goal dummy_update'vc. Prover result is: Unknown or time/memory/step limit. The program does not comply to the verification goal, for example during the following execution: File int.mlw: Line 13: Constant zero initialization zero = 0 Line 14: Constant one initialization one = 1 File int.mlw: Line 258: Constant min_int32 initialization min_int32 = (-2147483648) Line 259: Constant max_int32 initialization max_int32 = 2147483647 File int32_mono.mlw: Line 7: r = {c= epsilon x:int32. int32'int x = 22} r = {c= epsilon x:int32. int32'int x = 22} Execution of main function `dummy_update` with env: r = {c= epsilon x:int32. int32'int x = 22} zero = 0 one = 1 min_int32 = (-2147483648) max_int32 = 2147483647 Line 11: Normal execution of function `c` with args: arg = {c= 42} Normal execution of function `c` with args: arg = {c= 42} (giant-step) execution of unimplemented function `(+)` a = 42 b = 42 result of `(+)` = epsilon x:int32. int32'int x = 84 Line 9: Property failure at postcondition of `dummy_update` with: r = {c= epsilon x:int32. int32'int x = 84} why3-1.6.0/bench/check-ce/oracles/int32_mono_CVC5,1.0.0_WP.oracle000066400000000000000000000036271440160026300235620ustar00rootroot00000000000000File "bench/check-ce/int32_mono.mlw", line 11, characters 11-20: Sub-goal Integer overflow of goal dummy_update'vc. Prover result is: Valid. Categorizations of models: - Selected model 0: NC - Concrete RAC: FAILURE (postcondition at "bench/check-ce/int32_mono.mlw", line 9, characters 14-32) - Abstract RAC: FAILURE (postcondition at "bench/check-ce/int32_mono.mlw", line 9, characters 14-32) - Checked model 1: NC - Concrete RAC: FAILURE (postcondition at "bench/check-ce/int32_mono.mlw", line 9, characters 14-32) - Abstract RAC: FAILURE (postcondition at "bench/check-ce/int32_mono.mlw", line 9, characters 14-32) File "bench/check-ce/int32_mono.mlw", line 9, characters 14-32: Sub-goal Postcondition of goal dummy_update'vc. Prover result is: Unknown or time/memory/step limit. The program does not comply to the verification goal, for example during the following execution: File int.mlw: Line 13: Constant zero initialization zero = 0 Line 14: Constant one initialization one = 1 File int.mlw: Line 258: Constant min_int32 initialization min_int32 = (-2147483648) Line 259: Constant max_int32 initialization max_int32 = 2147483647 File int32_mono.mlw: Line 7: r = {c= epsilon x:int32. int32'int x = 22} r = {c= epsilon x:int32. int32'int x = 22} Execution of main function `dummy_update` with env: r = {c= epsilon x:int32. int32'int x = 22} zero = 0 one = 1 min_int32 = (-2147483648) max_int32 = 2147483647 Line 11: Normal execution of function `c` with args: arg = {c= 42} Normal execution of function `c` with args: arg = {c= 42} (giant-step) execution of unimplemented function `(+)` a = 42 b = 42 result of `(+)` = epsilon x:int32. int32'int x = 84 Line 9: Property failure at postcondition of `dummy_update` with: r = {c= epsilon x:int32. int32'int x = 84} why3-1.6.0/bench/check-ce/oracles/int32_mono_Z3,4.8.10_SP.oracle000066400000000000000000000036031440160026300234400ustar00rootroot00000000000000File "bench/check-ce/int32_mono.mlw", line 11, characters 11-20: Sub-goal Integer overflow of goal dummy_update'vc. Prover result is: Valid. Categorizations of models: - Selected model 0: NC - Concrete RAC: FAILURE (postcondition at "bench/check-ce/int32_mono.mlw", line 9, characters 14-32) - Abstract RAC: FAILURE (postcondition at "bench/check-ce/int32_mono.mlw", line 9, characters 14-32) - Checked model 1: NC - Concrete RAC: FAILURE (postcondition at "bench/check-ce/int32_mono.mlw", line 9, characters 14-32) - Abstract RAC: FAILURE (postcondition at "bench/check-ce/int32_mono.mlw", line 9, characters 14-32) File "bench/check-ce/int32_mono.mlw", line 9, characters 14-32: Sub-goal Postcondition of goal dummy_update'vc. Prover result is: Unknown (sat). The program does not comply to the verification goal, for example during the following execution: File int.mlw: Line 13: Constant zero initialization zero = 0 Line 14: Constant one initialization one = 1 File int.mlw: Line 258: Constant min_int32 initialization min_int32 = (-2147483648) Line 259: Constant max_int32 initialization max_int32 = 2147483647 File int32_mono.mlw: Line 7: r = {c= epsilon x:int32. int32'int x = 22} r = {c= epsilon x:int32. int32'int x = 22} Execution of main function `dummy_update` with env: r = {c= epsilon x:int32. int32'int x = 22} zero = 0 one = 1 min_int32 = (-2147483648) max_int32 = 2147483647 Line 11: Normal execution of function `c` with args: arg = {c= 42} Normal execution of function `c` with args: arg = {c= 42} (giant-step) execution of unimplemented function `(+)` a = 42 b = 42 result of `(+)` = epsilon x:int32. int32'int x = 84 Line 9: Property failure at postcondition of `dummy_update` with: r = {c= epsilon x:int32. int32'int x = 84} why3-1.6.0/bench/check-ce/oracles/int32_mono_Z3,4.8.10_WP.oracle000066400000000000000000000036031440160026300234440ustar00rootroot00000000000000File "bench/check-ce/int32_mono.mlw", line 11, characters 11-20: Sub-goal Integer overflow of goal dummy_update'vc. Prover result is: Valid. Categorizations of models: - Selected model 0: NC - Concrete RAC: FAILURE (postcondition at "bench/check-ce/int32_mono.mlw", line 9, characters 14-32) - Abstract RAC: FAILURE (postcondition at "bench/check-ce/int32_mono.mlw", line 9, characters 14-32) - Checked model 1: NC - Concrete RAC: FAILURE (postcondition at "bench/check-ce/int32_mono.mlw", line 9, characters 14-32) - Abstract RAC: FAILURE (postcondition at "bench/check-ce/int32_mono.mlw", line 9, characters 14-32) File "bench/check-ce/int32_mono.mlw", line 9, characters 14-32: Sub-goal Postcondition of goal dummy_update'vc. Prover result is: Unknown (sat). The program does not comply to the verification goal, for example during the following execution: File int.mlw: Line 13: Constant zero initialization zero = 0 Line 14: Constant one initialization one = 1 File int.mlw: Line 258: Constant min_int32 initialization min_int32 = (-2147483648) Line 259: Constant max_int32 initialization max_int32 = 2147483647 File int32_mono.mlw: Line 7: r = {c= epsilon x:int32. int32'int x = 22} r = {c= epsilon x:int32. int32'int x = 22} Execution of main function `dummy_update` with env: r = {c= epsilon x:int32. int32'int x = 22} zero = 0 one = 1 min_int32 = (-2147483648) max_int32 = 2147483647 Line 11: Normal execution of function `c` with args: arg = {c= 42} Normal execution of function `c` with args: arg = {c= 42} (giant-step) execution of unimplemented function `(+)` a = 42 b = 42 result of `(+)` = epsilon x:int32. int32'int x = 84 Line 9: Property failure at postcondition of `dummy_update` with: r = {c= epsilon x:int32. int32'int x = 84} why3-1.6.0/bench/check-ce/oracles/int_overflow_CVC4,1.8_SP.oracle000066400000000000000000000256251440160026300241570ustar00rootroot00000000000000File "bench/check-ce/int_overflow.mlw", line 6, characters 27-42: Goal test0. Prover result is: Valid. Categorizations of models: - Selected model 0: NC - Concrete RAC: FAILURE (postcondition at "bench/check-ce/int_overflow.mlw", line 9, characters 27-44) - Abstract RAC: FAILURE (postcondition at "bench/check-ce/int_overflow.mlw", line 9, characters 27-44) - Checked model 1: NC - Concrete RAC: FAILURE (postcondition at "bench/check-ce/int_overflow.mlw", line 9, characters 27-44) - Abstract RAC: FAILURE (postcondition at "bench/check-ce/int_overflow.mlw", line 9, characters 27-44) File "bench/check-ce/int_overflow.mlw", line 9, characters 27-44: Goal test1. Prover result is: Unknown (sat). The program does not comply to the verification goal, for example during the following execution: File int.mlw: Line 13: Constant zero initialization zero = 0 Line 14: Constant one initialization one = 1 File int_overflow.mlw: Line 9: x = 0 x = 0 Execution of main function `test1'goal` with env: x = 0 zero = 0 one = 1 Unknown location: Normal execution of function `Tuple0` with args: File int_overflow.mlw: Line 9: Property failure at postcondition of `test1'goal` with: x = 0 Categorizations of models: - Checked model 0: INCOMPLETE - Concrete RAC: INCOMPLETE (terminated because Postcondition of `test2'goal` cannot be evaluated) - Abstract RAC: INCOMPLETE (terminated because Postcondition of `test2'goal` cannot be evaluated) - Selected model 1: INCOMPLETE - Concrete RAC: INCOMPLETE (terminated because Postcondition of `test2'goal1` cannot be evaluated) - Abstract RAC: INCOMPLETE (terminated because Postcondition of `test2'goal1` cannot be evaluated) File "bench/check-ce/int_overflow.mlw", line 14, characters 27-38: Goal test2. Prover result is: Unknown or time/memory/step limit. The following counterexample model could not be verified (both RAC terminated because Postcondition of `test2'goal1` cannot be evaluated): File int_overflow.mlw: Line 14: x : int = 0 File "bench/check-ce/int_overflow.mlw", line 19, characters 43-53: Goal test_overflow. Prover result is: Valid. Categorizations of models: - Checked model 0: BAD_CE - Concrete RAC: FAILURE (postcondition at unknown location) - Abstract RAC: FAILURE (postcondition at unknown location) - Selected model 1: BAD_CE - Concrete RAC: FAILURE (postcondition at unknown location) - Abstract RAC: FAILURE (postcondition at unknown location) File "bench/check-ce/int_overflow.mlw", line 19, characters 48-62: Goal test_overflow. Prover result is: Unknown or time/memory/step limit. Sorry, we don't have a good counterexample for you :( Categorizations of models: - Checked model 0: BAD_CE - Concrete RAC: FAILURE (postcondition at unknown location) - Abstract RAC: FAILURE (postcondition at unknown location) - Selected model 1: BAD_CE - Concrete RAC: FAILURE (postcondition at unknown location) - Abstract RAC: FAILURE (postcondition at unknown location) File "bench/check-ce/int_overflow.mlw", line 24, characters 45-56: Goal test_overflow2. Prover result is: Unknown or time/memory/step limit. Sorry, we don't have a good counterexample for you :( Categorizations of models: - Checked model 0: BAD_CE - Concrete RAC: FAILURE (postcondition at unknown location) - Abstract RAC: FAILURE (postcondition at unknown location) - Selected model 1: BAD_CE - Concrete RAC: FAILURE (postcondition at unknown location) - Abstract RAC: FAILURE (postcondition at unknown location) File "bench/check-ce/int_overflow.mlw", line 24, characters 51-65: Goal test_overflow2. Prover result is: Unknown or time/memory/step limit. Sorry, we don't have a good counterexample for you :( Categorizations of models: - Selected model 0: NC - Concrete RAC: FAILURE (postcondition at "bench/check-ce/int_overflow.mlw", line 31, characters 33-49) - Abstract RAC: FAILURE (postcondition at "bench/check-ce/int_overflow.mlw", line 31, characters 33-49) - Checked model 1: NC - Concrete RAC: FAILURE (postcondition at "bench/check-ce/int_overflow.mlw", line 31, characters 33-49) - Abstract RAC: FAILURE (postcondition at "bench/check-ce/int_overflow.mlw", line 31, characters 33-49) File "bench/check-ce/int_overflow.mlw", line 31, characters 33-49: Goal test_overflow_int16. Prover result is: Unknown or time/memory/step limit. The program does not comply to the verification goal, for example during the following execution: File int.mlw: Line 13: Constant zero initialization zero = 0 Line 14: Constant one initialization one = 1 File int_overflow.mlw: Line 30: x = (- 65536) y = (- 1) Line 29: x = (- 65536) y = (- 1) Execution of main function `test_overflow_int16'goal` with env: y = (- 1) x = (- 65536) zero = 0 one = 1 Unknown location: Normal execution of function `Tuple0` with args: File int_overflow.mlw: Line 31: Property failure at postcondition of `test_overflow_int16'goal` with: y = (- 1) x = (- 65536) Categorizations of models: - Checked model 0: BAD_CE - Concrete RAC: FAILURE (postcondition at unknown location) - Abstract RAC: FAILURE (postcondition at unknown location) - Selected model 1: BAD_CE - Concrete RAC: FAILURE (postcondition at unknown location) - Abstract RAC: FAILURE (postcondition at unknown location) File "bench/check-ce/int_overflow.mlw", line 36, characters 54-67: Goal test_overflow_int16_alt. Prover result is: Unknown or time/memory/step limit. Sorry, we don't have a good counterexample for you :( Categorizations of models: - Checked model 0: BAD_CE - Concrete RAC: FAILURE (postcondition at unknown location) - Abstract RAC: FAILURE (postcondition at unknown location) - Selected model 1: BAD_CE - Concrete RAC: FAILURE (postcondition at unknown location) - Abstract RAC: FAILURE (postcondition at unknown location) File "bench/check-ce/int_overflow.mlw", line 36, characters 64-76: Goal test_overflow_int16_alt. Prover result is: Unknown or time/memory/step limit. Sorry, we don't have a good counterexample for you :( Categorizations of models: - Selected model 0: NC - Concrete RAC: FAILURE (postcondition at "bench/check-ce/int_overflow.mlw", line 42, characters 29-45) - Abstract RAC: FAILURE (postcondition at "bench/check-ce/int_overflow.mlw", line 42, characters 29-45) - Checked model 1: NC - Concrete RAC: FAILURE (postcondition at "bench/check-ce/int_overflow.mlw", line 42, characters 29-45) - Abstract RAC: FAILURE (postcondition at "bench/check-ce/int_overflow.mlw", line 42, characters 29-45) File "bench/check-ce/int_overflow.mlw", line 42, characters 29-45: Goal test_overflow_int16_bis. Prover result is: Unknown or time/memory/step limit. The program does not comply to the verification goal, for example during the following execution: File int.mlw: Line 13: Constant zero initialization zero = 0 Line 14: Constant one initialization one = 1 File int_overflow.mlw: Line 40: x = 32768 y = 32768 Line 39: x = 32768 y = 32768 Execution of main function `test_overflow_int16_bis'goal` with env: y = 32768 x = 32768 zero = 0 one = 1 Unknown location: Normal execution of function `Tuple0` with args: File int_overflow.mlw: Line 42: Property failure at postcondition of `test_overflow_int16_bis'goal` with: y = 32768 x = 32768 Categorizations of models: - Selected model 0: NC - Concrete RAC: FAILURE (postcondition at "bench/check-ce/int_overflow.mlw", line 49, characters 33-49) - Abstract RAC: FAILURE (postcondition at "bench/check-ce/int_overflow.mlw", line 49, characters 33-49) - Checked model 1: NC - Concrete RAC: FAILURE (postcondition at "bench/check-ce/int_overflow.mlw", line 49, characters 33-49) - Abstract RAC: FAILURE (postcondition at "bench/check-ce/int_overflow.mlw", line 49, characters 33-49) File "bench/check-ce/int_overflow.mlw", line 49, characters 33-49: Goal test_overflow_int32. Prover result is: Unknown or time/memory/step limit. The program does not comply to the verification goal, for example during the following execution: File int.mlw: Line 13: Constant zero initialization zero = 0 Line 14: Constant one initialization one = 1 File int_overflow.mlw: Line 48: x = (- 2147483648) y = (- 1) Line 47: x = (- 2147483648) y = (- 1) Execution of main function `test_overflow_int32'goal` with env: y = (- 1) x = (- 2147483648) zero = 0 one = 1 Unknown location: Normal execution of function `Tuple0` with args: File int_overflow.mlw: Line 49: Property failure at postcondition of `test_overflow_int32'goal` with: y = (- 1) x = (- 2147483648) Categorizations of models: - Selected model 0: NC - Concrete RAC: FAILURE (postcondition at "bench/check-ce/int_overflow.mlw", line 54, characters 48-64) - Abstract RAC: FAILURE (postcondition at "bench/check-ce/int_overflow.mlw", line 54, characters 48-64) - Checked model 1: NC - Concrete RAC: FAILURE (postcondition at "bench/check-ce/int_overflow.mlw", line 54, characters 48-64) - Abstract RAC: FAILURE (postcondition at "bench/check-ce/int_overflow.mlw", line 54, characters 48-64) File "bench/check-ce/int_overflow.mlw", line 54, characters 48-64: Goal test_overflow_int32_bis. Prover result is: Unknown or time/memory/step limit. The program does not comply to the verification goal, for example during the following execution: File int.mlw: Line 13: Constant zero initialization zero = 0 Line 14: Constant one initialization one = 1 File int_overflow.mlw: Line 53: x = 1073741824 y = 1073741824 Line 52: x = 1073741824 y = 1073741824 Execution of main function `test_overflow_int32_bis'goal` with env: y = 1073741824 x = 1073741824 zero = 0 one = 1 Unknown location: Normal execution of function `Tuple0` with args: File int_overflow.mlw: Line 54: Property failure at postcondition of `test_overflow_int32_bis'goal` with: y = 1073741824 x = 1073741824 File "bench/check-ce/int_overflow.mlw", line 59, characters 88-108: Goal test_overflow_int32_bis_inline. Prover result is: Valid. Categorizations of models: - Checked model 0: BAD_CE - Concrete RAC: FAILURE (postcondition at unknown location) - Abstract RAC: FAILURE (postcondition at unknown location) - Selected model 1: BAD_CE - Concrete RAC: FAILURE (postcondition at unknown location) - Abstract RAC: FAILURE (postcondition at unknown location) File "bench/check-ce/int_overflow.mlw", line 59, characters 103-122: Goal test_overflow_int32_bis_inline. Prover result is: Unknown or time/memory/step limit. Sorry, we don't have a good counterexample for you :( why3-1.6.0/bench/check-ce/oracles/int_overflow_CVC4,1.8_WP.oracle000066400000000000000000000256251440160026300241630ustar00rootroot00000000000000File "bench/check-ce/int_overflow.mlw", line 6, characters 27-42: Goal test0. Prover result is: Valid. Categorizations of models: - Selected model 0: NC - Concrete RAC: FAILURE (postcondition at "bench/check-ce/int_overflow.mlw", line 9, characters 27-44) - Abstract RAC: FAILURE (postcondition at "bench/check-ce/int_overflow.mlw", line 9, characters 27-44) - Checked model 1: NC - Concrete RAC: FAILURE (postcondition at "bench/check-ce/int_overflow.mlw", line 9, characters 27-44) - Abstract RAC: FAILURE (postcondition at "bench/check-ce/int_overflow.mlw", line 9, characters 27-44) File "bench/check-ce/int_overflow.mlw", line 9, characters 27-44: Goal test1. Prover result is: Unknown (sat). The program does not comply to the verification goal, for example during the following execution: File int.mlw: Line 13: Constant zero initialization zero = 0 Line 14: Constant one initialization one = 1 File int_overflow.mlw: Line 9: x = 0 x = 0 Execution of main function `test1'goal` with env: x = 0 zero = 0 one = 1 Unknown location: Normal execution of function `Tuple0` with args: File int_overflow.mlw: Line 9: Property failure at postcondition of `test1'goal` with: x = 0 Categorizations of models: - Checked model 0: INCOMPLETE - Concrete RAC: INCOMPLETE (terminated because Postcondition of `test2'goal` cannot be evaluated) - Abstract RAC: INCOMPLETE (terminated because Postcondition of `test2'goal` cannot be evaluated) - Selected model 1: INCOMPLETE - Concrete RAC: INCOMPLETE (terminated because Postcondition of `test2'goal1` cannot be evaluated) - Abstract RAC: INCOMPLETE (terminated because Postcondition of `test2'goal1` cannot be evaluated) File "bench/check-ce/int_overflow.mlw", line 14, characters 27-38: Goal test2. Prover result is: Unknown or time/memory/step limit. The following counterexample model could not be verified (both RAC terminated because Postcondition of `test2'goal1` cannot be evaluated): File int_overflow.mlw: Line 14: x : int = 0 File "bench/check-ce/int_overflow.mlw", line 19, characters 43-53: Goal test_overflow. Prover result is: Valid. Categorizations of models: - Checked model 0: BAD_CE - Concrete RAC: FAILURE (postcondition at unknown location) - Abstract RAC: FAILURE (postcondition at unknown location) - Selected model 1: BAD_CE - Concrete RAC: FAILURE (postcondition at unknown location) - Abstract RAC: FAILURE (postcondition at unknown location) File "bench/check-ce/int_overflow.mlw", line 19, characters 48-62: Goal test_overflow. Prover result is: Unknown or time/memory/step limit. Sorry, we don't have a good counterexample for you :( Categorizations of models: - Checked model 0: BAD_CE - Concrete RAC: FAILURE (postcondition at unknown location) - Abstract RAC: FAILURE (postcondition at unknown location) - Selected model 1: BAD_CE - Concrete RAC: FAILURE (postcondition at unknown location) - Abstract RAC: FAILURE (postcondition at unknown location) File "bench/check-ce/int_overflow.mlw", line 24, characters 45-56: Goal test_overflow2. Prover result is: Unknown or time/memory/step limit. Sorry, we don't have a good counterexample for you :( Categorizations of models: - Checked model 0: BAD_CE - Concrete RAC: FAILURE (postcondition at unknown location) - Abstract RAC: FAILURE (postcondition at unknown location) - Selected model 1: BAD_CE - Concrete RAC: FAILURE (postcondition at unknown location) - Abstract RAC: FAILURE (postcondition at unknown location) File "bench/check-ce/int_overflow.mlw", line 24, characters 51-65: Goal test_overflow2. Prover result is: Unknown or time/memory/step limit. Sorry, we don't have a good counterexample for you :( Categorizations of models: - Selected model 0: NC - Concrete RAC: FAILURE (postcondition at "bench/check-ce/int_overflow.mlw", line 31, characters 33-49) - Abstract RAC: FAILURE (postcondition at "bench/check-ce/int_overflow.mlw", line 31, characters 33-49) - Checked model 1: NC - Concrete RAC: FAILURE (postcondition at "bench/check-ce/int_overflow.mlw", line 31, characters 33-49) - Abstract RAC: FAILURE (postcondition at "bench/check-ce/int_overflow.mlw", line 31, characters 33-49) File "bench/check-ce/int_overflow.mlw", line 31, characters 33-49: Goal test_overflow_int16. Prover result is: Unknown or time/memory/step limit. The program does not comply to the verification goal, for example during the following execution: File int.mlw: Line 13: Constant zero initialization zero = 0 Line 14: Constant one initialization one = 1 File int_overflow.mlw: Line 30: x = (- 65536) y = (- 1) Line 29: x = (- 65536) y = (- 1) Execution of main function `test_overflow_int16'goal` with env: y = (- 1) x = (- 65536) zero = 0 one = 1 Unknown location: Normal execution of function `Tuple0` with args: File int_overflow.mlw: Line 31: Property failure at postcondition of `test_overflow_int16'goal` with: y = (- 1) x = (- 65536) Categorizations of models: - Checked model 0: BAD_CE - Concrete RAC: FAILURE (postcondition at unknown location) - Abstract RAC: FAILURE (postcondition at unknown location) - Selected model 1: BAD_CE - Concrete RAC: FAILURE (postcondition at unknown location) - Abstract RAC: FAILURE (postcondition at unknown location) File "bench/check-ce/int_overflow.mlw", line 36, characters 54-67: Goal test_overflow_int16_alt. Prover result is: Unknown or time/memory/step limit. Sorry, we don't have a good counterexample for you :( Categorizations of models: - Checked model 0: BAD_CE - Concrete RAC: FAILURE (postcondition at unknown location) - Abstract RAC: FAILURE (postcondition at unknown location) - Selected model 1: BAD_CE - Concrete RAC: FAILURE (postcondition at unknown location) - Abstract RAC: FAILURE (postcondition at unknown location) File "bench/check-ce/int_overflow.mlw", line 36, characters 64-76: Goal test_overflow_int16_alt. Prover result is: Unknown or time/memory/step limit. Sorry, we don't have a good counterexample for you :( Categorizations of models: - Selected model 0: NC - Concrete RAC: FAILURE (postcondition at "bench/check-ce/int_overflow.mlw", line 42, characters 29-45) - Abstract RAC: FAILURE (postcondition at "bench/check-ce/int_overflow.mlw", line 42, characters 29-45) - Checked model 1: NC - Concrete RAC: FAILURE (postcondition at "bench/check-ce/int_overflow.mlw", line 42, characters 29-45) - Abstract RAC: FAILURE (postcondition at "bench/check-ce/int_overflow.mlw", line 42, characters 29-45) File "bench/check-ce/int_overflow.mlw", line 42, characters 29-45: Goal test_overflow_int16_bis. Prover result is: Unknown or time/memory/step limit. The program does not comply to the verification goal, for example during the following execution: File int.mlw: Line 13: Constant zero initialization zero = 0 Line 14: Constant one initialization one = 1 File int_overflow.mlw: Line 40: x = 32768 y = 32768 Line 39: x = 32768 y = 32768 Execution of main function `test_overflow_int16_bis'goal` with env: y = 32768 x = 32768 zero = 0 one = 1 Unknown location: Normal execution of function `Tuple0` with args: File int_overflow.mlw: Line 42: Property failure at postcondition of `test_overflow_int16_bis'goal` with: y = 32768 x = 32768 Categorizations of models: - Selected model 0: NC - Concrete RAC: FAILURE (postcondition at "bench/check-ce/int_overflow.mlw", line 49, characters 33-49) - Abstract RAC: FAILURE (postcondition at "bench/check-ce/int_overflow.mlw", line 49, characters 33-49) - Checked model 1: NC - Concrete RAC: FAILURE (postcondition at "bench/check-ce/int_overflow.mlw", line 49, characters 33-49) - Abstract RAC: FAILURE (postcondition at "bench/check-ce/int_overflow.mlw", line 49, characters 33-49) File "bench/check-ce/int_overflow.mlw", line 49, characters 33-49: Goal test_overflow_int32. Prover result is: Unknown or time/memory/step limit. The program does not comply to the verification goal, for example during the following execution: File int.mlw: Line 13: Constant zero initialization zero = 0 Line 14: Constant one initialization one = 1 File int_overflow.mlw: Line 48: x = (- 2147483648) y = (- 1) Line 47: x = (- 2147483648) y = (- 1) Execution of main function `test_overflow_int32'goal` with env: y = (- 1) x = (- 2147483648) zero = 0 one = 1 Unknown location: Normal execution of function `Tuple0` with args: File int_overflow.mlw: Line 49: Property failure at postcondition of `test_overflow_int32'goal` with: y = (- 1) x = (- 2147483648) Categorizations of models: - Selected model 0: NC - Concrete RAC: FAILURE (postcondition at "bench/check-ce/int_overflow.mlw", line 54, characters 48-64) - Abstract RAC: FAILURE (postcondition at "bench/check-ce/int_overflow.mlw", line 54, characters 48-64) - Checked model 1: NC - Concrete RAC: FAILURE (postcondition at "bench/check-ce/int_overflow.mlw", line 54, characters 48-64) - Abstract RAC: FAILURE (postcondition at "bench/check-ce/int_overflow.mlw", line 54, characters 48-64) File "bench/check-ce/int_overflow.mlw", line 54, characters 48-64: Goal test_overflow_int32_bis. Prover result is: Unknown or time/memory/step limit. The program does not comply to the verification goal, for example during the following execution: File int.mlw: Line 13: Constant zero initialization zero = 0 Line 14: Constant one initialization one = 1 File int_overflow.mlw: Line 53: x = 1073741824 y = 1073741824 Line 52: x = 1073741824 y = 1073741824 Execution of main function `test_overflow_int32_bis'goal` with env: y = 1073741824 x = 1073741824 zero = 0 one = 1 Unknown location: Normal execution of function `Tuple0` with args: File int_overflow.mlw: Line 54: Property failure at postcondition of `test_overflow_int32_bis'goal` with: y = 1073741824 x = 1073741824 File "bench/check-ce/int_overflow.mlw", line 59, characters 88-108: Goal test_overflow_int32_bis_inline. Prover result is: Valid. Categorizations of models: - Checked model 0: BAD_CE - Concrete RAC: FAILURE (postcondition at unknown location) - Abstract RAC: FAILURE (postcondition at unknown location) - Selected model 1: BAD_CE - Concrete RAC: FAILURE (postcondition at unknown location) - Abstract RAC: FAILURE (postcondition at unknown location) File "bench/check-ce/int_overflow.mlw", line 59, characters 103-122: Goal test_overflow_int32_bis_inline. Prover result is: Unknown or time/memory/step limit. Sorry, we don't have a good counterexample for you :( why3-1.6.0/bench/check-ce/oracles/int_overflow_CVC5,1.0.0_SP.oracle000066400000000000000000000256251440160026300243060ustar00rootroot00000000000000File "bench/check-ce/int_overflow.mlw", line 6, characters 27-42: Goal test0. Prover result is: Valid. Categorizations of models: - Selected model 0: NC - Concrete RAC: FAILURE (postcondition at "bench/check-ce/int_overflow.mlw", line 9, characters 27-44) - Abstract RAC: FAILURE (postcondition at "bench/check-ce/int_overflow.mlw", line 9, characters 27-44) - Checked model 1: NC - Concrete RAC: FAILURE (postcondition at "bench/check-ce/int_overflow.mlw", line 9, characters 27-44) - Abstract RAC: FAILURE (postcondition at "bench/check-ce/int_overflow.mlw", line 9, characters 27-44) File "bench/check-ce/int_overflow.mlw", line 9, characters 27-44: Goal test1. Prover result is: Unknown (sat). The program does not comply to the verification goal, for example during the following execution: File int.mlw: Line 13: Constant zero initialization zero = 0 Line 14: Constant one initialization one = 1 File int_overflow.mlw: Line 9: x = 0 x = 0 Execution of main function `test1'goal` with env: x = 0 zero = 0 one = 1 Unknown location: Normal execution of function `Tuple0` with args: File int_overflow.mlw: Line 9: Property failure at postcondition of `test1'goal` with: x = 0 Categorizations of models: - Checked model 0: INCOMPLETE - Concrete RAC: INCOMPLETE (terminated because Postcondition of `test2'goal` cannot be evaluated) - Abstract RAC: INCOMPLETE (terminated because Postcondition of `test2'goal` cannot be evaluated) - Selected model 1: INCOMPLETE - Concrete RAC: INCOMPLETE (terminated because Postcondition of `test2'goal1` cannot be evaluated) - Abstract RAC: INCOMPLETE (terminated because Postcondition of `test2'goal1` cannot be evaluated) File "bench/check-ce/int_overflow.mlw", line 14, characters 27-38: Goal test2. Prover result is: Unknown or time/memory/step limit. The following counterexample model could not be verified (both RAC terminated because Postcondition of `test2'goal1` cannot be evaluated): File int_overflow.mlw: Line 14: x : int = 0 File "bench/check-ce/int_overflow.mlw", line 19, characters 43-53: Goal test_overflow. Prover result is: Valid. Categorizations of models: - Checked model 0: BAD_CE - Concrete RAC: FAILURE (postcondition at unknown location) - Abstract RAC: FAILURE (postcondition at unknown location) - Selected model 1: BAD_CE - Concrete RAC: FAILURE (postcondition at unknown location) - Abstract RAC: FAILURE (postcondition at unknown location) File "bench/check-ce/int_overflow.mlw", line 19, characters 48-62: Goal test_overflow. Prover result is: Unknown or time/memory/step limit. Sorry, we don't have a good counterexample for you :( Categorizations of models: - Checked model 0: BAD_CE - Concrete RAC: FAILURE (postcondition at unknown location) - Abstract RAC: FAILURE (postcondition at unknown location) - Selected model 1: BAD_CE - Concrete RAC: FAILURE (postcondition at unknown location) - Abstract RAC: FAILURE (postcondition at unknown location) File "bench/check-ce/int_overflow.mlw", line 24, characters 45-56: Goal test_overflow2. Prover result is: Unknown or time/memory/step limit. Sorry, we don't have a good counterexample for you :( Categorizations of models: - Checked model 0: BAD_CE - Concrete RAC: FAILURE (postcondition at unknown location) - Abstract RAC: FAILURE (postcondition at unknown location) - Selected model 1: BAD_CE - Concrete RAC: FAILURE (postcondition at unknown location) - Abstract RAC: FAILURE (postcondition at unknown location) File "bench/check-ce/int_overflow.mlw", line 24, characters 51-65: Goal test_overflow2. Prover result is: Unknown or time/memory/step limit. Sorry, we don't have a good counterexample for you :( Categorizations of models: - Selected model 0: NC - Concrete RAC: FAILURE (postcondition at "bench/check-ce/int_overflow.mlw", line 31, characters 33-49) - Abstract RAC: FAILURE (postcondition at "bench/check-ce/int_overflow.mlw", line 31, characters 33-49) - Checked model 1: NC - Concrete RAC: FAILURE (postcondition at "bench/check-ce/int_overflow.mlw", line 31, characters 33-49) - Abstract RAC: FAILURE (postcondition at "bench/check-ce/int_overflow.mlw", line 31, characters 33-49) File "bench/check-ce/int_overflow.mlw", line 31, characters 33-49: Goal test_overflow_int16. Prover result is: Unknown or time/memory/step limit. The program does not comply to the verification goal, for example during the following execution: File int.mlw: Line 13: Constant zero initialization zero = 0 Line 14: Constant one initialization one = 1 File int_overflow.mlw: Line 30: x = (- 65536) y = (- 1) Line 29: x = (- 65536) y = (- 1) Execution of main function `test_overflow_int16'goal` with env: y = (- 1) x = (- 65536) zero = 0 one = 1 Unknown location: Normal execution of function `Tuple0` with args: File int_overflow.mlw: Line 31: Property failure at postcondition of `test_overflow_int16'goal` with: y = (- 1) x = (- 65536) Categorizations of models: - Checked model 0: BAD_CE - Concrete RAC: FAILURE (postcondition at unknown location) - Abstract RAC: FAILURE (postcondition at unknown location) - Selected model 1: BAD_CE - Concrete RAC: FAILURE (postcondition at unknown location) - Abstract RAC: FAILURE (postcondition at unknown location) File "bench/check-ce/int_overflow.mlw", line 36, characters 54-67: Goal test_overflow_int16_alt. Prover result is: Unknown or time/memory/step limit. Sorry, we don't have a good counterexample for you :( Categorizations of models: - Checked model 0: BAD_CE - Concrete RAC: FAILURE (postcondition at unknown location) - Abstract RAC: FAILURE (postcondition at unknown location) - Selected model 1: BAD_CE - Concrete RAC: FAILURE (postcondition at unknown location) - Abstract RAC: FAILURE (postcondition at unknown location) File "bench/check-ce/int_overflow.mlw", line 36, characters 64-76: Goal test_overflow_int16_alt. Prover result is: Unknown or time/memory/step limit. Sorry, we don't have a good counterexample for you :( Categorizations of models: - Selected model 0: NC - Concrete RAC: FAILURE (postcondition at "bench/check-ce/int_overflow.mlw", line 42, characters 29-45) - Abstract RAC: FAILURE (postcondition at "bench/check-ce/int_overflow.mlw", line 42, characters 29-45) - Checked model 1: NC - Concrete RAC: FAILURE (postcondition at "bench/check-ce/int_overflow.mlw", line 42, characters 29-45) - Abstract RAC: FAILURE (postcondition at "bench/check-ce/int_overflow.mlw", line 42, characters 29-45) File "bench/check-ce/int_overflow.mlw", line 42, characters 29-45: Goal test_overflow_int16_bis. Prover result is: Unknown or time/memory/step limit. The program does not comply to the verification goal, for example during the following execution: File int.mlw: Line 13: Constant zero initialization zero = 0 Line 14: Constant one initialization one = 1 File int_overflow.mlw: Line 40: x = 32768 y = 32768 Line 39: x = 32768 y = 32768 Execution of main function `test_overflow_int16_bis'goal` with env: y = 32768 x = 32768 zero = 0 one = 1 Unknown location: Normal execution of function `Tuple0` with args: File int_overflow.mlw: Line 42: Property failure at postcondition of `test_overflow_int16_bis'goal` with: y = 32768 x = 32768 Categorizations of models: - Selected model 0: NC - Concrete RAC: FAILURE (postcondition at "bench/check-ce/int_overflow.mlw", line 49, characters 33-49) - Abstract RAC: FAILURE (postcondition at "bench/check-ce/int_overflow.mlw", line 49, characters 33-49) - Checked model 1: NC - Concrete RAC: FAILURE (postcondition at "bench/check-ce/int_overflow.mlw", line 49, characters 33-49) - Abstract RAC: FAILURE (postcondition at "bench/check-ce/int_overflow.mlw", line 49, characters 33-49) File "bench/check-ce/int_overflow.mlw", line 49, characters 33-49: Goal test_overflow_int32. Prover result is: Unknown or time/memory/step limit. The program does not comply to the verification goal, for example during the following execution: File int.mlw: Line 13: Constant zero initialization zero = 0 Line 14: Constant one initialization one = 1 File int_overflow.mlw: Line 48: x = (- 2147483648) y = (- 1) Line 47: x = (- 2147483648) y = (- 1) Execution of main function `test_overflow_int32'goal` with env: y = (- 1) x = (- 2147483648) zero = 0 one = 1 Unknown location: Normal execution of function `Tuple0` with args: File int_overflow.mlw: Line 49: Property failure at postcondition of `test_overflow_int32'goal` with: y = (- 1) x = (- 2147483648) Categorizations of models: - Selected model 0: NC - Concrete RAC: FAILURE (postcondition at "bench/check-ce/int_overflow.mlw", line 54, characters 48-64) - Abstract RAC: FAILURE (postcondition at "bench/check-ce/int_overflow.mlw", line 54, characters 48-64) - Checked model 1: NC - Concrete RAC: FAILURE (postcondition at "bench/check-ce/int_overflow.mlw", line 54, characters 48-64) - Abstract RAC: FAILURE (postcondition at "bench/check-ce/int_overflow.mlw", line 54, characters 48-64) File "bench/check-ce/int_overflow.mlw", line 54, characters 48-64: Goal test_overflow_int32_bis. Prover result is: Unknown or time/memory/step limit. The program does not comply to the verification goal, for example during the following execution: File int.mlw: Line 13: Constant zero initialization zero = 0 Line 14: Constant one initialization one = 1 File int_overflow.mlw: Line 53: x = 1073741824 y = 1073741824 Line 52: x = 1073741824 y = 1073741824 Execution of main function `test_overflow_int32_bis'goal` with env: y = 1073741824 x = 1073741824 zero = 0 one = 1 Unknown location: Normal execution of function `Tuple0` with args: File int_overflow.mlw: Line 54: Property failure at postcondition of `test_overflow_int32_bis'goal` with: y = 1073741824 x = 1073741824 File "bench/check-ce/int_overflow.mlw", line 59, characters 88-108: Goal test_overflow_int32_bis_inline. Prover result is: Valid. Categorizations of models: - Checked model 0: BAD_CE - Concrete RAC: FAILURE (postcondition at unknown location) - Abstract RAC: FAILURE (postcondition at unknown location) - Selected model 1: BAD_CE - Concrete RAC: FAILURE (postcondition at unknown location) - Abstract RAC: FAILURE (postcondition at unknown location) File "bench/check-ce/int_overflow.mlw", line 59, characters 103-122: Goal test_overflow_int32_bis_inline. Prover result is: Unknown or time/memory/step limit. Sorry, we don't have a good counterexample for you :( why3-1.6.0/bench/check-ce/oracles/int_overflow_CVC5,1.0.0_WP.oracle000066400000000000000000000256251440160026300243120ustar00rootroot00000000000000File "bench/check-ce/int_overflow.mlw", line 6, characters 27-42: Goal test0. Prover result is: Valid. Categorizations of models: - Selected model 0: NC - Concrete RAC: FAILURE (postcondition at "bench/check-ce/int_overflow.mlw", line 9, characters 27-44) - Abstract RAC: FAILURE (postcondition at "bench/check-ce/int_overflow.mlw", line 9, characters 27-44) - Checked model 1: NC - Concrete RAC: FAILURE (postcondition at "bench/check-ce/int_overflow.mlw", line 9, characters 27-44) - Abstract RAC: FAILURE (postcondition at "bench/check-ce/int_overflow.mlw", line 9, characters 27-44) File "bench/check-ce/int_overflow.mlw", line 9, characters 27-44: Goal test1. Prover result is: Unknown (sat). The program does not comply to the verification goal, for example during the following execution: File int.mlw: Line 13: Constant zero initialization zero = 0 Line 14: Constant one initialization one = 1 File int_overflow.mlw: Line 9: x = 0 x = 0 Execution of main function `test1'goal` with env: x = 0 zero = 0 one = 1 Unknown location: Normal execution of function `Tuple0` with args: File int_overflow.mlw: Line 9: Property failure at postcondition of `test1'goal` with: x = 0 Categorizations of models: - Checked model 0: INCOMPLETE - Concrete RAC: INCOMPLETE (terminated because Postcondition of `test2'goal` cannot be evaluated) - Abstract RAC: INCOMPLETE (terminated because Postcondition of `test2'goal` cannot be evaluated) - Selected model 1: INCOMPLETE - Concrete RAC: INCOMPLETE (terminated because Postcondition of `test2'goal1` cannot be evaluated) - Abstract RAC: INCOMPLETE (terminated because Postcondition of `test2'goal1` cannot be evaluated) File "bench/check-ce/int_overflow.mlw", line 14, characters 27-38: Goal test2. Prover result is: Unknown or time/memory/step limit. The following counterexample model could not be verified (both RAC terminated because Postcondition of `test2'goal1` cannot be evaluated): File int_overflow.mlw: Line 14: x : int = 0 File "bench/check-ce/int_overflow.mlw", line 19, characters 43-53: Goal test_overflow. Prover result is: Valid. Categorizations of models: - Checked model 0: BAD_CE - Concrete RAC: FAILURE (postcondition at unknown location) - Abstract RAC: FAILURE (postcondition at unknown location) - Selected model 1: BAD_CE - Concrete RAC: FAILURE (postcondition at unknown location) - Abstract RAC: FAILURE (postcondition at unknown location) File "bench/check-ce/int_overflow.mlw", line 19, characters 48-62: Goal test_overflow. Prover result is: Unknown or time/memory/step limit. Sorry, we don't have a good counterexample for you :( Categorizations of models: - Checked model 0: BAD_CE - Concrete RAC: FAILURE (postcondition at unknown location) - Abstract RAC: FAILURE (postcondition at unknown location) - Selected model 1: BAD_CE - Concrete RAC: FAILURE (postcondition at unknown location) - Abstract RAC: FAILURE (postcondition at unknown location) File "bench/check-ce/int_overflow.mlw", line 24, characters 45-56: Goal test_overflow2. Prover result is: Unknown or time/memory/step limit. Sorry, we don't have a good counterexample for you :( Categorizations of models: - Checked model 0: BAD_CE - Concrete RAC: FAILURE (postcondition at unknown location) - Abstract RAC: FAILURE (postcondition at unknown location) - Selected model 1: BAD_CE - Concrete RAC: FAILURE (postcondition at unknown location) - Abstract RAC: FAILURE (postcondition at unknown location) File "bench/check-ce/int_overflow.mlw", line 24, characters 51-65: Goal test_overflow2. Prover result is: Unknown or time/memory/step limit. Sorry, we don't have a good counterexample for you :( Categorizations of models: - Selected model 0: NC - Concrete RAC: FAILURE (postcondition at "bench/check-ce/int_overflow.mlw", line 31, characters 33-49) - Abstract RAC: FAILURE (postcondition at "bench/check-ce/int_overflow.mlw", line 31, characters 33-49) - Checked model 1: NC - Concrete RAC: FAILURE (postcondition at "bench/check-ce/int_overflow.mlw", line 31, characters 33-49) - Abstract RAC: FAILURE (postcondition at "bench/check-ce/int_overflow.mlw", line 31, characters 33-49) File "bench/check-ce/int_overflow.mlw", line 31, characters 33-49: Goal test_overflow_int16. Prover result is: Unknown or time/memory/step limit. The program does not comply to the verification goal, for example during the following execution: File int.mlw: Line 13: Constant zero initialization zero = 0 Line 14: Constant one initialization one = 1 File int_overflow.mlw: Line 30: x = (- 65536) y = (- 1) Line 29: x = (- 65536) y = (- 1) Execution of main function `test_overflow_int16'goal` with env: y = (- 1) x = (- 65536) zero = 0 one = 1 Unknown location: Normal execution of function `Tuple0` with args: File int_overflow.mlw: Line 31: Property failure at postcondition of `test_overflow_int16'goal` with: y = (- 1) x = (- 65536) Categorizations of models: - Checked model 0: BAD_CE - Concrete RAC: FAILURE (postcondition at unknown location) - Abstract RAC: FAILURE (postcondition at unknown location) - Selected model 1: BAD_CE - Concrete RAC: FAILURE (postcondition at unknown location) - Abstract RAC: FAILURE (postcondition at unknown location) File "bench/check-ce/int_overflow.mlw", line 36, characters 54-67: Goal test_overflow_int16_alt. Prover result is: Unknown or time/memory/step limit. Sorry, we don't have a good counterexample for you :( Categorizations of models: - Checked model 0: BAD_CE - Concrete RAC: FAILURE (postcondition at unknown location) - Abstract RAC: FAILURE (postcondition at unknown location) - Selected model 1: BAD_CE - Concrete RAC: FAILURE (postcondition at unknown location) - Abstract RAC: FAILURE (postcondition at unknown location) File "bench/check-ce/int_overflow.mlw", line 36, characters 64-76: Goal test_overflow_int16_alt. Prover result is: Unknown or time/memory/step limit. Sorry, we don't have a good counterexample for you :( Categorizations of models: - Selected model 0: NC - Concrete RAC: FAILURE (postcondition at "bench/check-ce/int_overflow.mlw", line 42, characters 29-45) - Abstract RAC: FAILURE (postcondition at "bench/check-ce/int_overflow.mlw", line 42, characters 29-45) - Checked model 1: NC - Concrete RAC: FAILURE (postcondition at "bench/check-ce/int_overflow.mlw", line 42, characters 29-45) - Abstract RAC: FAILURE (postcondition at "bench/check-ce/int_overflow.mlw", line 42, characters 29-45) File "bench/check-ce/int_overflow.mlw", line 42, characters 29-45: Goal test_overflow_int16_bis. Prover result is: Unknown or time/memory/step limit. The program does not comply to the verification goal, for example during the following execution: File int.mlw: Line 13: Constant zero initialization zero = 0 Line 14: Constant one initialization one = 1 File int_overflow.mlw: Line 40: x = 32768 y = 32768 Line 39: x = 32768 y = 32768 Execution of main function `test_overflow_int16_bis'goal` with env: y = 32768 x = 32768 zero = 0 one = 1 Unknown location: Normal execution of function `Tuple0` with args: File int_overflow.mlw: Line 42: Property failure at postcondition of `test_overflow_int16_bis'goal` with: y = 32768 x = 32768 Categorizations of models: - Selected model 0: NC - Concrete RAC: FAILURE (postcondition at "bench/check-ce/int_overflow.mlw", line 49, characters 33-49) - Abstract RAC: FAILURE (postcondition at "bench/check-ce/int_overflow.mlw", line 49, characters 33-49) - Checked model 1: NC - Concrete RAC: FAILURE (postcondition at "bench/check-ce/int_overflow.mlw", line 49, characters 33-49) - Abstract RAC: FAILURE (postcondition at "bench/check-ce/int_overflow.mlw", line 49, characters 33-49) File "bench/check-ce/int_overflow.mlw", line 49, characters 33-49: Goal test_overflow_int32. Prover result is: Unknown or time/memory/step limit. The program does not comply to the verification goal, for example during the following execution: File int.mlw: Line 13: Constant zero initialization zero = 0 Line 14: Constant one initialization one = 1 File int_overflow.mlw: Line 48: x = (- 2147483648) y = (- 1) Line 47: x = (- 2147483648) y = (- 1) Execution of main function `test_overflow_int32'goal` with env: y = (- 1) x = (- 2147483648) zero = 0 one = 1 Unknown location: Normal execution of function `Tuple0` with args: File int_overflow.mlw: Line 49: Property failure at postcondition of `test_overflow_int32'goal` with: y = (- 1) x = (- 2147483648) Categorizations of models: - Selected model 0: NC - Concrete RAC: FAILURE (postcondition at "bench/check-ce/int_overflow.mlw", line 54, characters 48-64) - Abstract RAC: FAILURE (postcondition at "bench/check-ce/int_overflow.mlw", line 54, characters 48-64) - Checked model 1: NC - Concrete RAC: FAILURE (postcondition at "bench/check-ce/int_overflow.mlw", line 54, characters 48-64) - Abstract RAC: FAILURE (postcondition at "bench/check-ce/int_overflow.mlw", line 54, characters 48-64) File "bench/check-ce/int_overflow.mlw", line 54, characters 48-64: Goal test_overflow_int32_bis. Prover result is: Unknown or time/memory/step limit. The program does not comply to the verification goal, for example during the following execution: File int.mlw: Line 13: Constant zero initialization zero = 0 Line 14: Constant one initialization one = 1 File int_overflow.mlw: Line 53: x = 1073741824 y = 1073741824 Line 52: x = 1073741824 y = 1073741824 Execution of main function `test_overflow_int32_bis'goal` with env: y = 1073741824 x = 1073741824 zero = 0 one = 1 Unknown location: Normal execution of function `Tuple0` with args: File int_overflow.mlw: Line 54: Property failure at postcondition of `test_overflow_int32_bis'goal` with: y = 1073741824 x = 1073741824 File "bench/check-ce/int_overflow.mlw", line 59, characters 88-108: Goal test_overflow_int32_bis_inline. Prover result is: Valid. Categorizations of models: - Checked model 0: BAD_CE - Concrete RAC: FAILURE (postcondition at unknown location) - Abstract RAC: FAILURE (postcondition at unknown location) - Selected model 1: BAD_CE - Concrete RAC: FAILURE (postcondition at unknown location) - Abstract RAC: FAILURE (postcondition at unknown location) File "bench/check-ce/int_overflow.mlw", line 59, characters 103-122: Goal test_overflow_int32_bis_inline. Prover result is: Unknown or time/memory/step limit. Sorry, we don't have a good counterexample for you :( why3-1.6.0/bench/check-ce/oracles/int_overflow_Z3,4.8.10_SP.oracle000066400000000000000000000233541440160026300241730ustar00rootroot00000000000000File "bench/check-ce/int_overflow.mlw", line 6, characters 27-42: Goal test0. Prover result is: Valid. Categorizations of models: - Selected model 0: NC - Concrete RAC: FAILURE (postcondition at "bench/check-ce/int_overflow.mlw", line 9, characters 27-44) - Abstract RAC: FAILURE (postcondition at "bench/check-ce/int_overflow.mlw", line 9, characters 27-44) - Checked model 1: NC - Concrete RAC: FAILURE (postcondition at "bench/check-ce/int_overflow.mlw", line 9, characters 27-44) - Abstract RAC: FAILURE (postcondition at "bench/check-ce/int_overflow.mlw", line 9, characters 27-44) File "bench/check-ce/int_overflow.mlw", line 9, characters 27-44: Goal test1. Prover result is: Unknown (sat). The program does not comply to the verification goal, for example during the following execution: File int.mlw: Line 13: Constant zero initialization zero = 0 Line 14: Constant one initialization one = 1 File int_overflow.mlw: Line 9: x = 0 x = 0 Execution of main function `test1'goal` with env: x = 0 zero = 0 one = 1 Unknown location: Normal execution of function `Tuple0` with args: File int_overflow.mlw: Line 9: Property failure at postcondition of `test1'goal` with: x = 0 Categorizations of models: - Selected model 0: INCOMPLETE - Concrete RAC: INCOMPLETE (terminated because Postcondition of `test2'goal` cannot be evaluated) - Abstract RAC: INCOMPLETE (terminated because Postcondition of `test2'goal` cannot be evaluated) - Checked model 1: INCOMPLETE - Concrete RAC: INCOMPLETE (terminated because Postcondition of `test2'goal1` cannot be evaluated) - Abstract RAC: INCOMPLETE (terminated because Postcondition of `test2'goal1` cannot be evaluated) File "bench/check-ce/int_overflow.mlw", line 14, characters 27-38: Goal test2. Prover result is: Unknown or time/memory/step limit. The following counterexample model could not be verified (both RAC terminated because Postcondition of `test2'goal` cannot be evaluated): File int_overflow.mlw: Line 14: x : int = 0 File "bench/check-ce/int_overflow.mlw", line 19, characters 43-53: Goal test_overflow. Prover result is: Valid. Categorizations of models: - Selected model 0: BAD_CE - Concrete RAC: FAILURE (postcondition at unknown location) - Abstract RAC: FAILURE (postcondition at unknown location) - Checked model 1: BAD_CE - Concrete RAC: NORMAL - Abstract RAC: NORMAL File "bench/check-ce/int_overflow.mlw", line 19, characters 48-62: Goal test_overflow. Prover result is: Unknown or time/memory/step limit. Sorry, we don't have a good counterexample for you :( Categorizations of models: - Selected model 0: BAD_CE - Concrete RAC: FAILURE (postcondition at unknown location) - Abstract RAC: FAILURE (postcondition at unknown location) - Checked model 1: BAD_CE - Concrete RAC: NORMAL - Abstract RAC: NORMAL File "bench/check-ce/int_overflow.mlw", line 24, characters 45-56: Goal test_overflow2. Prover result is: Unknown or time/memory/step limit. Sorry, we don't have a good counterexample for you :( Categorizations of models: - Selected model 0: BAD_CE - Concrete RAC: FAILURE (postcondition at unknown location) - Abstract RAC: FAILURE (postcondition at unknown location) - Checked model 1: BAD_CE - Concrete RAC: NORMAL - Abstract RAC: NORMAL File "bench/check-ce/int_overflow.mlw", line 24, characters 51-65: Goal test_overflow2. Prover result is: Unknown or time/memory/step limit. Sorry, we don't have a good counterexample for you :( Categorizations of models: - Selected model 0: NC - Concrete RAC: FAILURE (postcondition at "bench/check-ce/int_overflow.mlw", line 31, characters 33-49) - Abstract RAC: FAILURE (postcondition at "bench/check-ce/int_overflow.mlw", line 31, characters 33-49) - Checked model 1: BAD_CE - Concrete RAC: NORMAL - Abstract RAC: NORMAL File "bench/check-ce/int_overflow.mlw", line 31, characters 33-49: Goal test_overflow_int16. Prover result is: Unknown or time/memory/step limit. The program does not comply to the verification goal, for example during the following execution: File int.mlw: Line 13: Constant zero initialization zero = 0 Line 14: Constant one initialization one = 1 File int_overflow.mlw: Line 30: x = 1 y = 65535 Line 29: x = 1 y = 65535 Execution of main function `test_overflow_int16'goal` with env: y = 65535 x = 1 zero = 0 one = 1 Unknown location: Normal execution of function `Tuple0` with args: File int_overflow.mlw: Line 31: Property failure at postcondition of `test_overflow_int16'goal` with: y = 65535 x = 1 Categorizations of models: - Selected model 0: BAD_CE - Concrete RAC: FAILURE (postcondition at unknown location) - Abstract RAC: FAILURE (postcondition at unknown location) - Checked model 1: BAD_CE - Concrete RAC: NORMAL - Abstract RAC: NORMAL File "bench/check-ce/int_overflow.mlw", line 36, characters 54-67: Goal test_overflow_int16_alt. Prover result is: Unknown or time/memory/step limit. Sorry, we don't have a good counterexample for you :( Categorizations of models: - Selected model 0: BAD_CE - Concrete RAC: FAILURE (postcondition at unknown location) - Abstract RAC: FAILURE (postcondition at unknown location) - Checked model 1: BAD_CE - Concrete RAC: NORMAL - Abstract RAC: NORMAL File "bench/check-ce/int_overflow.mlw", line 36, characters 64-76: Goal test_overflow_int16_alt. Prover result is: Unknown or time/memory/step limit. Sorry, we don't have a good counterexample for you :( Categorizations of models: - Selected model 0: NC - Concrete RAC: FAILURE (postcondition at "bench/check-ce/int_overflow.mlw", line 42, characters 29-45) - Abstract RAC: FAILURE (postcondition at "bench/check-ce/int_overflow.mlw", line 42, characters 29-45) - Checked model 1: BAD_CE - Concrete RAC: NORMAL - Abstract RAC: NORMAL File "bench/check-ce/int_overflow.mlw", line 42, characters 29-45: Goal test_overflow_int16_bis. Prover result is: Unknown or time/memory/step limit. The program does not comply to the verification goal, for example during the following execution: File int.mlw: Line 13: Constant zero initialization zero = 0 Line 14: Constant one initialization one = 1 File int_overflow.mlw: Line 40: x = 1 y = 65535 Line 39: x = 1 y = 65535 Execution of main function `test_overflow_int16_bis'goal` with env: y = 65535 x = 1 zero = 0 one = 1 Unknown location: Normal execution of function `Tuple0` with args: File int_overflow.mlw: Line 42: Property failure at postcondition of `test_overflow_int16_bis'goal` with: y = 65535 x = 1 Categorizations of models: - Selected model 0: NC - Concrete RAC: FAILURE (postcondition at "bench/check-ce/int_overflow.mlw", line 49, characters 33-49) - Abstract RAC: FAILURE (postcondition at "bench/check-ce/int_overflow.mlw", line 49, characters 33-49) - Checked model 1: BAD_CE - Concrete RAC: NORMAL - Abstract RAC: NORMAL File "bench/check-ce/int_overflow.mlw", line 49, characters 33-49: Goal test_overflow_int32. Prover result is: Unknown or time/memory/step limit. The program does not comply to the verification goal, for example during the following execution: File int.mlw: Line 13: Constant zero initialization zero = 0 Line 14: Constant one initialization one = 1 File int_overflow.mlw: Line 48: x = 1 y = 2147483647 Line 47: x = 1 y = 2147483647 Execution of main function `test_overflow_int32'goal` with env: y = 2147483647 x = 1 zero = 0 one = 1 Unknown location: Normal execution of function `Tuple0` with args: File int_overflow.mlw: Line 49: Property failure at postcondition of `test_overflow_int32'goal` with: y = 2147483647 x = 1 Categorizations of models: - Selected model 0: NC - Concrete RAC: FAILURE (postcondition at "bench/check-ce/int_overflow.mlw", line 54, characters 48-64) - Abstract RAC: FAILURE (postcondition at "bench/check-ce/int_overflow.mlw", line 54, characters 48-64) - Checked model 1: BAD_CE - Concrete RAC: NORMAL - Abstract RAC: NORMAL File "bench/check-ce/int_overflow.mlw", line 54, characters 48-64: Goal test_overflow_int32_bis. Prover result is: Unknown or time/memory/step limit. The program does not comply to the verification goal, for example during the following execution: File int.mlw: Line 13: Constant zero initialization zero = 0 Line 14: Constant one initialization one = 1 File int_overflow.mlw: Line 53: x = 1 y = 2147483647 Line 52: x = 1 y = 2147483647 Execution of main function `test_overflow_int32_bis'goal` with env: y = 2147483647 x = 1 zero = 0 one = 1 Unknown location: Normal execution of function `Tuple0` with args: File int_overflow.mlw: Line 54: Property failure at postcondition of `test_overflow_int32_bis'goal` with: y = 2147483647 x = 1 File "bench/check-ce/int_overflow.mlw", line 59, characters 88-108: Goal test_overflow_int32_bis_inline. Prover result is: Valid. Categorizations of models: - Selected model 0: BAD_CE - Concrete RAC: FAILURE (postcondition at unknown location) - Abstract RAC: FAILURE (postcondition at unknown location) - Checked model 1: BAD_CE - Concrete RAC: NORMAL - Abstract RAC: NORMAL File "bench/check-ce/int_overflow.mlw", line 59, characters 103-122: Goal test_overflow_int32_bis_inline. Prover result is: Unknown or time/memory/step limit. Sorry, we don't have a good counterexample for you :( why3-1.6.0/bench/check-ce/oracles/int_overflow_Z3,4.8.10_WP.oracle000066400000000000000000000233541440160026300241770ustar00rootroot00000000000000File "bench/check-ce/int_overflow.mlw", line 6, characters 27-42: Goal test0. Prover result is: Valid. Categorizations of models: - Selected model 0: NC - Concrete RAC: FAILURE (postcondition at "bench/check-ce/int_overflow.mlw", line 9, characters 27-44) - Abstract RAC: FAILURE (postcondition at "bench/check-ce/int_overflow.mlw", line 9, characters 27-44) - Checked model 1: NC - Concrete RAC: FAILURE (postcondition at "bench/check-ce/int_overflow.mlw", line 9, characters 27-44) - Abstract RAC: FAILURE (postcondition at "bench/check-ce/int_overflow.mlw", line 9, characters 27-44) File "bench/check-ce/int_overflow.mlw", line 9, characters 27-44: Goal test1. Prover result is: Unknown (sat). The program does not comply to the verification goal, for example during the following execution: File int.mlw: Line 13: Constant zero initialization zero = 0 Line 14: Constant one initialization one = 1 File int_overflow.mlw: Line 9: x = 0 x = 0 Execution of main function `test1'goal` with env: x = 0 zero = 0 one = 1 Unknown location: Normal execution of function `Tuple0` with args: File int_overflow.mlw: Line 9: Property failure at postcondition of `test1'goal` with: x = 0 Categorizations of models: - Selected model 0: INCOMPLETE - Concrete RAC: INCOMPLETE (terminated because Postcondition of `test2'goal` cannot be evaluated) - Abstract RAC: INCOMPLETE (terminated because Postcondition of `test2'goal` cannot be evaluated) - Checked model 1: INCOMPLETE - Concrete RAC: INCOMPLETE (terminated because Postcondition of `test2'goal1` cannot be evaluated) - Abstract RAC: INCOMPLETE (terminated because Postcondition of `test2'goal1` cannot be evaluated) File "bench/check-ce/int_overflow.mlw", line 14, characters 27-38: Goal test2. Prover result is: Unknown or time/memory/step limit. The following counterexample model could not be verified (both RAC terminated because Postcondition of `test2'goal` cannot be evaluated): File int_overflow.mlw: Line 14: x : int = 0 File "bench/check-ce/int_overflow.mlw", line 19, characters 43-53: Goal test_overflow. Prover result is: Valid. Categorizations of models: - Selected model 0: BAD_CE - Concrete RAC: FAILURE (postcondition at unknown location) - Abstract RAC: FAILURE (postcondition at unknown location) - Checked model 1: BAD_CE - Concrete RAC: NORMAL - Abstract RAC: NORMAL File "bench/check-ce/int_overflow.mlw", line 19, characters 48-62: Goal test_overflow. Prover result is: Unknown or time/memory/step limit. Sorry, we don't have a good counterexample for you :( Categorizations of models: - Selected model 0: BAD_CE - Concrete RAC: FAILURE (postcondition at unknown location) - Abstract RAC: FAILURE (postcondition at unknown location) - Checked model 1: BAD_CE - Concrete RAC: NORMAL - Abstract RAC: NORMAL File "bench/check-ce/int_overflow.mlw", line 24, characters 45-56: Goal test_overflow2. Prover result is: Unknown or time/memory/step limit. Sorry, we don't have a good counterexample for you :( Categorizations of models: - Selected model 0: BAD_CE - Concrete RAC: FAILURE (postcondition at unknown location) - Abstract RAC: FAILURE (postcondition at unknown location) - Checked model 1: BAD_CE - Concrete RAC: NORMAL - Abstract RAC: NORMAL File "bench/check-ce/int_overflow.mlw", line 24, characters 51-65: Goal test_overflow2. Prover result is: Unknown or time/memory/step limit. Sorry, we don't have a good counterexample for you :( Categorizations of models: - Selected model 0: NC - Concrete RAC: FAILURE (postcondition at "bench/check-ce/int_overflow.mlw", line 31, characters 33-49) - Abstract RAC: FAILURE (postcondition at "bench/check-ce/int_overflow.mlw", line 31, characters 33-49) - Checked model 1: BAD_CE - Concrete RAC: NORMAL - Abstract RAC: NORMAL File "bench/check-ce/int_overflow.mlw", line 31, characters 33-49: Goal test_overflow_int16. Prover result is: Unknown or time/memory/step limit. The program does not comply to the verification goal, for example during the following execution: File int.mlw: Line 13: Constant zero initialization zero = 0 Line 14: Constant one initialization one = 1 File int_overflow.mlw: Line 30: x = 1 y = 65535 Line 29: x = 1 y = 65535 Execution of main function `test_overflow_int16'goal` with env: y = 65535 x = 1 zero = 0 one = 1 Unknown location: Normal execution of function `Tuple0` with args: File int_overflow.mlw: Line 31: Property failure at postcondition of `test_overflow_int16'goal` with: y = 65535 x = 1 Categorizations of models: - Selected model 0: BAD_CE - Concrete RAC: FAILURE (postcondition at unknown location) - Abstract RAC: FAILURE (postcondition at unknown location) - Checked model 1: BAD_CE - Concrete RAC: NORMAL - Abstract RAC: NORMAL File "bench/check-ce/int_overflow.mlw", line 36, characters 54-67: Goal test_overflow_int16_alt. Prover result is: Unknown or time/memory/step limit. Sorry, we don't have a good counterexample for you :( Categorizations of models: - Selected model 0: BAD_CE - Concrete RAC: FAILURE (postcondition at unknown location) - Abstract RAC: FAILURE (postcondition at unknown location) - Checked model 1: BAD_CE - Concrete RAC: NORMAL - Abstract RAC: NORMAL File "bench/check-ce/int_overflow.mlw", line 36, characters 64-76: Goal test_overflow_int16_alt. Prover result is: Unknown or time/memory/step limit. Sorry, we don't have a good counterexample for you :( Categorizations of models: - Selected model 0: NC - Concrete RAC: FAILURE (postcondition at "bench/check-ce/int_overflow.mlw", line 42, characters 29-45) - Abstract RAC: FAILURE (postcondition at "bench/check-ce/int_overflow.mlw", line 42, characters 29-45) - Checked model 1: BAD_CE - Concrete RAC: NORMAL - Abstract RAC: NORMAL File "bench/check-ce/int_overflow.mlw", line 42, characters 29-45: Goal test_overflow_int16_bis. Prover result is: Unknown or time/memory/step limit. The program does not comply to the verification goal, for example during the following execution: File int.mlw: Line 13: Constant zero initialization zero = 0 Line 14: Constant one initialization one = 1 File int_overflow.mlw: Line 40: x = 1 y = 65535 Line 39: x = 1 y = 65535 Execution of main function `test_overflow_int16_bis'goal` with env: y = 65535 x = 1 zero = 0 one = 1 Unknown location: Normal execution of function `Tuple0` with args: File int_overflow.mlw: Line 42: Property failure at postcondition of `test_overflow_int16_bis'goal` with: y = 65535 x = 1 Categorizations of models: - Selected model 0: NC - Concrete RAC: FAILURE (postcondition at "bench/check-ce/int_overflow.mlw", line 49, characters 33-49) - Abstract RAC: FAILURE (postcondition at "bench/check-ce/int_overflow.mlw", line 49, characters 33-49) - Checked model 1: BAD_CE - Concrete RAC: NORMAL - Abstract RAC: NORMAL File "bench/check-ce/int_overflow.mlw", line 49, characters 33-49: Goal test_overflow_int32. Prover result is: Unknown or time/memory/step limit. The program does not comply to the verification goal, for example during the following execution: File int.mlw: Line 13: Constant zero initialization zero = 0 Line 14: Constant one initialization one = 1 File int_overflow.mlw: Line 48: x = 1 y = 2147483647 Line 47: x = 1 y = 2147483647 Execution of main function `test_overflow_int32'goal` with env: y = 2147483647 x = 1 zero = 0 one = 1 Unknown location: Normal execution of function `Tuple0` with args: File int_overflow.mlw: Line 49: Property failure at postcondition of `test_overflow_int32'goal` with: y = 2147483647 x = 1 Categorizations of models: - Selected model 0: NC - Concrete RAC: FAILURE (postcondition at "bench/check-ce/int_overflow.mlw", line 54, characters 48-64) - Abstract RAC: FAILURE (postcondition at "bench/check-ce/int_overflow.mlw", line 54, characters 48-64) - Checked model 1: BAD_CE - Concrete RAC: NORMAL - Abstract RAC: NORMAL File "bench/check-ce/int_overflow.mlw", line 54, characters 48-64: Goal test_overflow_int32_bis. Prover result is: Unknown or time/memory/step limit. The program does not comply to the verification goal, for example during the following execution: File int.mlw: Line 13: Constant zero initialization zero = 0 Line 14: Constant one initialization one = 1 File int_overflow.mlw: Line 53: x = 1 y = 2147483647 Line 52: x = 1 y = 2147483647 Execution of main function `test_overflow_int32_bis'goal` with env: y = 2147483647 x = 1 zero = 0 one = 1 Unknown location: Normal execution of function `Tuple0` with args: File int_overflow.mlw: Line 54: Property failure at postcondition of `test_overflow_int32_bis'goal` with: y = 2147483647 x = 1 File "bench/check-ce/int_overflow.mlw", line 59, characters 88-108: Goal test_overflow_int32_bis_inline. Prover result is: Valid. Categorizations of models: - Selected model 0: BAD_CE - Concrete RAC: FAILURE (postcondition at unknown location) - Abstract RAC: FAILURE (postcondition at unknown location) - Checked model 1: BAD_CE - Concrete RAC: NORMAL - Abstract RAC: NORMAL File "bench/check-ce/int_overflow.mlw", line 59, characters 103-122: Goal test_overflow_int32_bis_inline. Prover result is: Unknown or time/memory/step limit. Sorry, we don't have a good counterexample for you :( why3-1.6.0/bench/check-ce/oracles/integers_CVC4,1.8_SP.oracle000066400000000000000000000116731440160026300232600ustar00rootroot00000000000000Categorizations of models: - Selected model 0: NC - Concrete RAC: FAILURE (postcondition at "bench/check-ce/integers.mlw", line 5, characters 50-61) - Abstract RAC: FAILURE (postcondition at "bench/check-ce/integers.mlw", line 5, characters 50-61) - Checked model 1: NC - Concrete RAC: FAILURE (postcondition at "bench/check-ce/integers.mlw", line 5, characters 50-61) - Abstract RAC: FAILURE (postcondition at "bench/check-ce/integers.mlw", line 5, characters 50-61) File "bench/check-ce/integers.mlw", line 5, characters 50-61: Goal g_lab. Prover result is: Unknown (sat). The program does not comply to the verification goal, for example during the following execution: File int.mlw: Line 13: Constant zero initialization zero = 0 Line 14: Constant one initialization one = 1 File integers.mlw: Line 5: x = 48 x = 48 Execution of main function `g_lab'goal` with env: x = 48 zero = 0 one = 1 Unknown location: Normal execution of function `Tuple0` with args: File integers.mlw: Line 5: Property failure at postcondition of `g_lab'goal` with: x = 48 Categorizations of models: - Selected model 0: NC - Concrete RAC: FAILURE (postcondition at "bench/check-ce/integers.mlw", line 7, characters 43-54) - Abstract RAC: FAILURE (postcondition at "bench/check-ce/integers.mlw", line 7, characters 43-54) - Checked model 1: NC - Concrete RAC: FAILURE (postcondition at "bench/check-ce/integers.mlw", line 7, characters 43-54) - Abstract RAC: FAILURE (postcondition at "bench/check-ce/integers.mlw", line 7, characters 43-54) File "bench/check-ce/integers.mlw", line 7, characters 43-54: Goal g_no_lab. Prover result is: Unknown (sat). The program does not comply to the verification goal, for example during the following execution: File int.mlw: Line 13: Constant zero initialization zero = 0 Line 14: Constant one initialization one = 1 File integers.mlw: Line 7: x = 48 x = 48 Execution of main function `g_no_lab'goal` with env: x = 48 zero = 0 one = 1 Unknown location: Normal execution of function `Tuple0` with args: File integers.mlw: Line 7: Property failure at postcondition of `g_no_lab'goal` with: x = 48 Categorizations of models: - Selected model 0: NC - Concrete RAC: FAILURE (postcondition at "bench/check-ce/integers.mlw", line 11, characters 30-38) - Abstract RAC: FAILURE (postcondition at "bench/check-ce/integers.mlw", line 11, characters 30-38) - Checked model 1: NC - Concrete RAC: FAILURE (postcondition at "bench/check-ce/integers.mlw", line 11, characters 30-38) - Abstract RAC: FAILURE (postcondition at "bench/check-ce/integers.mlw", line 11, characters 30-38) File "bench/check-ce/integers.mlw", line 11, characters 30-38: Goal g2_lab. Prover result is: Unknown (sat). The program does not comply to the verification goal, for example during the following execution: File int.mlw: Line 13: Constant zero initialization zero = 0 Line 14: Constant one initialization one = 1 File integers.mlw: Line 9: g = (- 1) Line 11: x = 0 x = 0 Execution of main function `g2_lab'goal` with env: g = (- 1) x = 0 zero = 0 one = 1 Unknown location: Normal execution of function `Tuple0` with args: File integers.mlw: Line 11: Property failure at postcondition of `g2_lab'goal` with: x = 0 Categorizations of models: - Selected model 0: NC - Concrete RAC: FAILURE (postcondition at "bench/check-ce/integers.mlw", line 22, characters 2-45) - Abstract RAC: FAILURE (postcondition at "bench/check-ce/integers.mlw", line 22, characters 2-45) - Checked model 1: NC - Concrete RAC: FAILURE (postcondition at "bench/check-ce/integers.mlw", line 22, characters 2-45) - Abstract RAC: FAILURE (postcondition at "bench/check-ce/integers.mlw", line 22, characters 2-45) File "bench/check-ce/integers.mlw", line 22, characters 2-45: Goal newgoal. Prover result is: Unknown (sat). The program does not comply to the verification goal, for example during the following execution: File int.mlw: Line 13: Constant zero initialization zero = 0 Line 14: Constant one initialization one = 1 File integers.mlw: Line 9: g = 0 Line 13: x1 = 1 x2 = 1 x3 = 1 x4 = 1 x5 = 1 x6 = 1 x7 = 1 x8 = 1 x1 = 1 x2 = 1 x3 = 1 x4 = 1 x5 = 1 x6 = 1 x7 = 1 x8 = 1 Execution of main function `newgoal'goal` with env: g = 0 x8 = 1 x7 = 1 x6 = 1 x5 = 1 x4 = 1 x3 = 1 x2 = 1 x1 = 1 zero = 0 one = 1 Unknown location: Normal execution of function `Tuple0` with args: File integers.mlw: Line 22: Property failure at postcondition of `newgoal'goal` with: x8 = 1 x7 = 1 x6 = 1 x5 = 1 x4 = 1 x3 = 1 x2 = 1 x1 = 1 why3-1.6.0/bench/check-ce/oracles/integers_CVC4,1.8_WP.oracle000066400000000000000000000116731440160026300232640ustar00rootroot00000000000000Categorizations of models: - Selected model 0: NC - Concrete RAC: FAILURE (postcondition at "bench/check-ce/integers.mlw", line 5, characters 50-61) - Abstract RAC: FAILURE (postcondition at "bench/check-ce/integers.mlw", line 5, characters 50-61) - Checked model 1: NC - Concrete RAC: FAILURE (postcondition at "bench/check-ce/integers.mlw", line 5, characters 50-61) - Abstract RAC: FAILURE (postcondition at "bench/check-ce/integers.mlw", line 5, characters 50-61) File "bench/check-ce/integers.mlw", line 5, characters 50-61: Goal g_lab. Prover result is: Unknown (sat). The program does not comply to the verification goal, for example during the following execution: File int.mlw: Line 13: Constant zero initialization zero = 0 Line 14: Constant one initialization one = 1 File integers.mlw: Line 5: x = 48 x = 48 Execution of main function `g_lab'goal` with env: x = 48 zero = 0 one = 1 Unknown location: Normal execution of function `Tuple0` with args: File integers.mlw: Line 5: Property failure at postcondition of `g_lab'goal` with: x = 48 Categorizations of models: - Selected model 0: NC - Concrete RAC: FAILURE (postcondition at "bench/check-ce/integers.mlw", line 7, characters 43-54) - Abstract RAC: FAILURE (postcondition at "bench/check-ce/integers.mlw", line 7, characters 43-54) - Checked model 1: NC - Concrete RAC: FAILURE (postcondition at "bench/check-ce/integers.mlw", line 7, characters 43-54) - Abstract RAC: FAILURE (postcondition at "bench/check-ce/integers.mlw", line 7, characters 43-54) File "bench/check-ce/integers.mlw", line 7, characters 43-54: Goal g_no_lab. Prover result is: Unknown (sat). The program does not comply to the verification goal, for example during the following execution: File int.mlw: Line 13: Constant zero initialization zero = 0 Line 14: Constant one initialization one = 1 File integers.mlw: Line 7: x = 48 x = 48 Execution of main function `g_no_lab'goal` with env: x = 48 zero = 0 one = 1 Unknown location: Normal execution of function `Tuple0` with args: File integers.mlw: Line 7: Property failure at postcondition of `g_no_lab'goal` with: x = 48 Categorizations of models: - Selected model 0: NC - Concrete RAC: FAILURE (postcondition at "bench/check-ce/integers.mlw", line 11, characters 30-38) - Abstract RAC: FAILURE (postcondition at "bench/check-ce/integers.mlw", line 11, characters 30-38) - Checked model 1: NC - Concrete RAC: FAILURE (postcondition at "bench/check-ce/integers.mlw", line 11, characters 30-38) - Abstract RAC: FAILURE (postcondition at "bench/check-ce/integers.mlw", line 11, characters 30-38) File "bench/check-ce/integers.mlw", line 11, characters 30-38: Goal g2_lab. Prover result is: Unknown (sat). The program does not comply to the verification goal, for example during the following execution: File int.mlw: Line 13: Constant zero initialization zero = 0 Line 14: Constant one initialization one = 1 File integers.mlw: Line 9: g = (- 1) Line 11: x = 0 x = 0 Execution of main function `g2_lab'goal` with env: g = (- 1) x = 0 zero = 0 one = 1 Unknown location: Normal execution of function `Tuple0` with args: File integers.mlw: Line 11: Property failure at postcondition of `g2_lab'goal` with: x = 0 Categorizations of models: - Selected model 0: NC - Concrete RAC: FAILURE (postcondition at "bench/check-ce/integers.mlw", line 22, characters 2-45) - Abstract RAC: FAILURE (postcondition at "bench/check-ce/integers.mlw", line 22, characters 2-45) - Checked model 1: NC - Concrete RAC: FAILURE (postcondition at "bench/check-ce/integers.mlw", line 22, characters 2-45) - Abstract RAC: FAILURE (postcondition at "bench/check-ce/integers.mlw", line 22, characters 2-45) File "bench/check-ce/integers.mlw", line 22, characters 2-45: Goal newgoal. Prover result is: Unknown (sat). The program does not comply to the verification goal, for example during the following execution: File int.mlw: Line 13: Constant zero initialization zero = 0 Line 14: Constant one initialization one = 1 File integers.mlw: Line 9: g = 0 Line 13: x1 = 1 x2 = 1 x3 = 1 x4 = 1 x5 = 1 x6 = 1 x7 = 1 x8 = 1 x1 = 1 x2 = 1 x3 = 1 x4 = 1 x5 = 1 x6 = 1 x7 = 1 x8 = 1 Execution of main function `newgoal'goal` with env: g = 0 x8 = 1 x7 = 1 x6 = 1 x5 = 1 x4 = 1 x3 = 1 x2 = 1 x1 = 1 zero = 0 one = 1 Unknown location: Normal execution of function `Tuple0` with args: File integers.mlw: Line 22: Property failure at postcondition of `newgoal'goal` with: x8 = 1 x7 = 1 x6 = 1 x5 = 1 x4 = 1 x3 = 1 x2 = 1 x1 = 1 why3-1.6.0/bench/check-ce/oracles/integers_CVC5,1.0.0_SP.oracle000066400000000000000000000116731440160026300234070ustar00rootroot00000000000000Categorizations of models: - Selected model 0: NC - Concrete RAC: FAILURE (postcondition at "bench/check-ce/integers.mlw", line 5, characters 50-61) - Abstract RAC: FAILURE (postcondition at "bench/check-ce/integers.mlw", line 5, characters 50-61) - Checked model 1: NC - Concrete RAC: FAILURE (postcondition at "bench/check-ce/integers.mlw", line 5, characters 50-61) - Abstract RAC: FAILURE (postcondition at "bench/check-ce/integers.mlw", line 5, characters 50-61) File "bench/check-ce/integers.mlw", line 5, characters 50-61: Goal g_lab. Prover result is: Unknown (sat). The program does not comply to the verification goal, for example during the following execution: File int.mlw: Line 13: Constant zero initialization zero = 0 Line 14: Constant one initialization one = 1 File integers.mlw: Line 5: x = 48 x = 48 Execution of main function `g_lab'goal` with env: x = 48 zero = 0 one = 1 Unknown location: Normal execution of function `Tuple0` with args: File integers.mlw: Line 5: Property failure at postcondition of `g_lab'goal` with: x = 48 Categorizations of models: - Selected model 0: NC - Concrete RAC: FAILURE (postcondition at "bench/check-ce/integers.mlw", line 7, characters 43-54) - Abstract RAC: FAILURE (postcondition at "bench/check-ce/integers.mlw", line 7, characters 43-54) - Checked model 1: NC - Concrete RAC: FAILURE (postcondition at "bench/check-ce/integers.mlw", line 7, characters 43-54) - Abstract RAC: FAILURE (postcondition at "bench/check-ce/integers.mlw", line 7, characters 43-54) File "bench/check-ce/integers.mlw", line 7, characters 43-54: Goal g_no_lab. Prover result is: Unknown (sat). The program does not comply to the verification goal, for example during the following execution: File int.mlw: Line 13: Constant zero initialization zero = 0 Line 14: Constant one initialization one = 1 File integers.mlw: Line 7: x = 48 x = 48 Execution of main function `g_no_lab'goal` with env: x = 48 zero = 0 one = 1 Unknown location: Normal execution of function `Tuple0` with args: File integers.mlw: Line 7: Property failure at postcondition of `g_no_lab'goal` with: x = 48 Categorizations of models: - Selected model 0: NC - Concrete RAC: FAILURE (postcondition at "bench/check-ce/integers.mlw", line 11, characters 30-38) - Abstract RAC: FAILURE (postcondition at "bench/check-ce/integers.mlw", line 11, characters 30-38) - Checked model 1: NC - Concrete RAC: FAILURE (postcondition at "bench/check-ce/integers.mlw", line 11, characters 30-38) - Abstract RAC: FAILURE (postcondition at "bench/check-ce/integers.mlw", line 11, characters 30-38) File "bench/check-ce/integers.mlw", line 11, characters 30-38: Goal g2_lab. Prover result is: Unknown (sat). The program does not comply to the verification goal, for example during the following execution: File int.mlw: Line 13: Constant zero initialization zero = 0 Line 14: Constant one initialization one = 1 File integers.mlw: Line 9: g = (- 1) Line 11: x = 0 x = 0 Execution of main function `g2_lab'goal` with env: g = (- 1) x = 0 zero = 0 one = 1 Unknown location: Normal execution of function `Tuple0` with args: File integers.mlw: Line 11: Property failure at postcondition of `g2_lab'goal` with: x = 0 Categorizations of models: - Selected model 0: NC - Concrete RAC: FAILURE (postcondition at "bench/check-ce/integers.mlw", line 22, characters 2-45) - Abstract RAC: FAILURE (postcondition at "bench/check-ce/integers.mlw", line 22, characters 2-45) - Checked model 1: NC - Concrete RAC: FAILURE (postcondition at "bench/check-ce/integers.mlw", line 22, characters 2-45) - Abstract RAC: FAILURE (postcondition at "bench/check-ce/integers.mlw", line 22, characters 2-45) File "bench/check-ce/integers.mlw", line 22, characters 2-45: Goal newgoal. Prover result is: Unknown (sat). The program does not comply to the verification goal, for example during the following execution: File int.mlw: Line 13: Constant zero initialization zero = 0 Line 14: Constant one initialization one = 1 File integers.mlw: Line 9: g = 0 Line 13: x1 = 1 x2 = 1 x3 = 1 x4 = 1 x5 = 1 x6 = 1 x7 = 1 x8 = 1 x1 = 1 x2 = 1 x3 = 1 x4 = 1 x5 = 1 x6 = 1 x7 = 1 x8 = 1 Execution of main function `newgoal'goal` with env: g = 0 x8 = 1 x7 = 1 x6 = 1 x5 = 1 x4 = 1 x3 = 1 x2 = 1 x1 = 1 zero = 0 one = 1 Unknown location: Normal execution of function `Tuple0` with args: File integers.mlw: Line 22: Property failure at postcondition of `newgoal'goal` with: x8 = 1 x7 = 1 x6 = 1 x5 = 1 x4 = 1 x3 = 1 x2 = 1 x1 = 1 why3-1.6.0/bench/check-ce/oracles/integers_CVC5,1.0.0_WP.oracle000066400000000000000000000116731440160026300234130ustar00rootroot00000000000000Categorizations of models: - Selected model 0: NC - Concrete RAC: FAILURE (postcondition at "bench/check-ce/integers.mlw", line 5, characters 50-61) - Abstract RAC: FAILURE (postcondition at "bench/check-ce/integers.mlw", line 5, characters 50-61) - Checked model 1: NC - Concrete RAC: FAILURE (postcondition at "bench/check-ce/integers.mlw", line 5, characters 50-61) - Abstract RAC: FAILURE (postcondition at "bench/check-ce/integers.mlw", line 5, characters 50-61) File "bench/check-ce/integers.mlw", line 5, characters 50-61: Goal g_lab. Prover result is: Unknown (sat). The program does not comply to the verification goal, for example during the following execution: File int.mlw: Line 13: Constant zero initialization zero = 0 Line 14: Constant one initialization one = 1 File integers.mlw: Line 5: x = 48 x = 48 Execution of main function `g_lab'goal` with env: x = 48 zero = 0 one = 1 Unknown location: Normal execution of function `Tuple0` with args: File integers.mlw: Line 5: Property failure at postcondition of `g_lab'goal` with: x = 48 Categorizations of models: - Selected model 0: NC - Concrete RAC: FAILURE (postcondition at "bench/check-ce/integers.mlw", line 7, characters 43-54) - Abstract RAC: FAILURE (postcondition at "bench/check-ce/integers.mlw", line 7, characters 43-54) - Checked model 1: NC - Concrete RAC: FAILURE (postcondition at "bench/check-ce/integers.mlw", line 7, characters 43-54) - Abstract RAC: FAILURE (postcondition at "bench/check-ce/integers.mlw", line 7, characters 43-54) File "bench/check-ce/integers.mlw", line 7, characters 43-54: Goal g_no_lab. Prover result is: Unknown (sat). The program does not comply to the verification goal, for example during the following execution: File int.mlw: Line 13: Constant zero initialization zero = 0 Line 14: Constant one initialization one = 1 File integers.mlw: Line 7: x = 48 x = 48 Execution of main function `g_no_lab'goal` with env: x = 48 zero = 0 one = 1 Unknown location: Normal execution of function `Tuple0` with args: File integers.mlw: Line 7: Property failure at postcondition of `g_no_lab'goal` with: x = 48 Categorizations of models: - Selected model 0: NC - Concrete RAC: FAILURE (postcondition at "bench/check-ce/integers.mlw", line 11, characters 30-38) - Abstract RAC: FAILURE (postcondition at "bench/check-ce/integers.mlw", line 11, characters 30-38) - Checked model 1: NC - Concrete RAC: FAILURE (postcondition at "bench/check-ce/integers.mlw", line 11, characters 30-38) - Abstract RAC: FAILURE (postcondition at "bench/check-ce/integers.mlw", line 11, characters 30-38) File "bench/check-ce/integers.mlw", line 11, characters 30-38: Goal g2_lab. Prover result is: Unknown (sat). The program does not comply to the verification goal, for example during the following execution: File int.mlw: Line 13: Constant zero initialization zero = 0 Line 14: Constant one initialization one = 1 File integers.mlw: Line 9: g = (- 1) Line 11: x = 0 x = 0 Execution of main function `g2_lab'goal` with env: g = (- 1) x = 0 zero = 0 one = 1 Unknown location: Normal execution of function `Tuple0` with args: File integers.mlw: Line 11: Property failure at postcondition of `g2_lab'goal` with: x = 0 Categorizations of models: - Selected model 0: NC - Concrete RAC: FAILURE (postcondition at "bench/check-ce/integers.mlw", line 22, characters 2-45) - Abstract RAC: FAILURE (postcondition at "bench/check-ce/integers.mlw", line 22, characters 2-45) - Checked model 1: NC - Concrete RAC: FAILURE (postcondition at "bench/check-ce/integers.mlw", line 22, characters 2-45) - Abstract RAC: FAILURE (postcondition at "bench/check-ce/integers.mlw", line 22, characters 2-45) File "bench/check-ce/integers.mlw", line 22, characters 2-45: Goal newgoal. Prover result is: Unknown (sat). The program does not comply to the verification goal, for example during the following execution: File int.mlw: Line 13: Constant zero initialization zero = 0 Line 14: Constant one initialization one = 1 File integers.mlw: Line 9: g = 0 Line 13: x1 = 1 x2 = 1 x3 = 1 x4 = 1 x5 = 1 x6 = 1 x7 = 1 x8 = 1 x1 = 1 x2 = 1 x3 = 1 x4 = 1 x5 = 1 x6 = 1 x7 = 1 x8 = 1 Execution of main function `newgoal'goal` with env: g = 0 x8 = 1 x7 = 1 x6 = 1 x5 = 1 x4 = 1 x3 = 1 x2 = 1 x1 = 1 zero = 0 one = 1 Unknown location: Normal execution of function `Tuple0` with args: File integers.mlw: Line 22: Property failure at postcondition of `newgoal'goal` with: x8 = 1 x7 = 1 x6 = 1 x5 = 1 x4 = 1 x3 = 1 x2 = 1 x1 = 1 why3-1.6.0/bench/check-ce/oracles/integers_Z3,4.8.10_SP.oracle000066400000000000000000000116631440160026300232760ustar00rootroot00000000000000Categorizations of models: - Selected model 0: NC - Concrete RAC: FAILURE (postcondition at "bench/check-ce/integers.mlw", line 5, characters 50-61) - Abstract RAC: FAILURE (postcondition at "bench/check-ce/integers.mlw", line 5, characters 50-61) - Checked model 1: NC - Concrete RAC: FAILURE (postcondition at "bench/check-ce/integers.mlw", line 5, characters 50-61) - Abstract RAC: FAILURE (postcondition at "bench/check-ce/integers.mlw", line 5, characters 50-61) File "bench/check-ce/integers.mlw", line 5, characters 50-61: Goal g_lab. Prover result is: Unknown (sat). The program does not comply to the verification goal, for example during the following execution: File int.mlw: Line 13: Constant zero initialization zero = 0 Line 14: Constant one initialization one = 1 File integers.mlw: Line 5: x = 48 x = 48 Execution of main function `g_lab'goal` with env: x = 48 zero = 0 one = 1 Unknown location: Normal execution of function `Tuple0` with args: File integers.mlw: Line 5: Property failure at postcondition of `g_lab'goal` with: x = 48 Categorizations of models: - Selected model 0: NC - Concrete RAC: FAILURE (postcondition at "bench/check-ce/integers.mlw", line 7, characters 43-54) - Abstract RAC: FAILURE (postcondition at "bench/check-ce/integers.mlw", line 7, characters 43-54) - Checked model 1: NC - Concrete RAC: FAILURE (postcondition at "bench/check-ce/integers.mlw", line 7, characters 43-54) - Abstract RAC: FAILURE (postcondition at "bench/check-ce/integers.mlw", line 7, characters 43-54) File "bench/check-ce/integers.mlw", line 7, characters 43-54: Goal g_no_lab. Prover result is: Unknown (sat). The program does not comply to the verification goal, for example during the following execution: File int.mlw: Line 13: Constant zero initialization zero = 0 Line 14: Constant one initialization one = 1 File integers.mlw: Line 7: x = 48 x = 48 Execution of main function `g_no_lab'goal` with env: x = 48 zero = 0 one = 1 Unknown location: Normal execution of function `Tuple0` with args: File integers.mlw: Line 7: Property failure at postcondition of `g_no_lab'goal` with: x = 48 Categorizations of models: - Selected model 0: NC - Concrete RAC: FAILURE (postcondition at "bench/check-ce/integers.mlw", line 11, characters 30-38) - Abstract RAC: FAILURE (postcondition at "bench/check-ce/integers.mlw", line 11, characters 30-38) - Checked model 1: NC - Concrete RAC: FAILURE (postcondition at "bench/check-ce/integers.mlw", line 11, characters 30-38) - Abstract RAC: FAILURE (postcondition at "bench/check-ce/integers.mlw", line 11, characters 30-38) File "bench/check-ce/integers.mlw", line 11, characters 30-38: Goal g2_lab. Prover result is: Unknown (sat). The program does not comply to the verification goal, for example during the following execution: File int.mlw: Line 13: Constant zero initialization zero = 0 Line 14: Constant one initialization one = 1 File integers.mlw: Line 9: g = 0 Line 11: x = 1 x = 1 Execution of main function `g2_lab'goal` with env: g = 0 x = 1 zero = 0 one = 1 Unknown location: Normal execution of function `Tuple0` with args: File integers.mlw: Line 11: Property failure at postcondition of `g2_lab'goal` with: x = 1 Categorizations of models: - Selected model 0: NC - Concrete RAC: FAILURE (postcondition at "bench/check-ce/integers.mlw", line 22, characters 2-45) - Abstract RAC: FAILURE (postcondition at "bench/check-ce/integers.mlw", line 22, characters 2-45) - Checked model 1: NC - Concrete RAC: FAILURE (postcondition at "bench/check-ce/integers.mlw", line 22, characters 2-45) - Abstract RAC: FAILURE (postcondition at "bench/check-ce/integers.mlw", line 22, characters 2-45) File "bench/check-ce/integers.mlw", line 22, characters 2-45: Goal newgoal. Prover result is: Unknown (sat). The program does not comply to the verification goal, for example during the following execution: File int.mlw: Line 13: Constant zero initialization zero = 0 Line 14: Constant one initialization one = 1 File integers.mlw: Line 9: g = 0 Line 13: x1 = 1 x2 = 1 x3 = 1 x4 = 1 x5 = 1 x6 = 1 x7 = 1 x8 = 1 x1 = 1 x2 = 1 x3 = 1 x4 = 1 x5 = 1 x6 = 1 x7 = 1 x8 = 1 Execution of main function `newgoal'goal` with env: g = 0 x8 = 1 x7 = 1 x6 = 1 x5 = 1 x4 = 1 x3 = 1 x2 = 1 x1 = 1 zero = 0 one = 1 Unknown location: Normal execution of function `Tuple0` with args: File integers.mlw: Line 22: Property failure at postcondition of `newgoal'goal` with: x8 = 1 x7 = 1 x6 = 1 x5 = 1 x4 = 1 x3 = 1 x2 = 1 x1 = 1 why3-1.6.0/bench/check-ce/oracles/integers_Z3,4.8.10_WP.oracle000066400000000000000000000116631440160026300233020ustar00rootroot00000000000000Categorizations of models: - Selected model 0: NC - Concrete RAC: FAILURE (postcondition at "bench/check-ce/integers.mlw", line 5, characters 50-61) - Abstract RAC: FAILURE (postcondition at "bench/check-ce/integers.mlw", line 5, characters 50-61) - Checked model 1: NC - Concrete RAC: FAILURE (postcondition at "bench/check-ce/integers.mlw", line 5, characters 50-61) - Abstract RAC: FAILURE (postcondition at "bench/check-ce/integers.mlw", line 5, characters 50-61) File "bench/check-ce/integers.mlw", line 5, characters 50-61: Goal g_lab. Prover result is: Unknown (sat). The program does not comply to the verification goal, for example during the following execution: File int.mlw: Line 13: Constant zero initialization zero = 0 Line 14: Constant one initialization one = 1 File integers.mlw: Line 5: x = 48 x = 48 Execution of main function `g_lab'goal` with env: x = 48 zero = 0 one = 1 Unknown location: Normal execution of function `Tuple0` with args: File integers.mlw: Line 5: Property failure at postcondition of `g_lab'goal` with: x = 48 Categorizations of models: - Selected model 0: NC - Concrete RAC: FAILURE (postcondition at "bench/check-ce/integers.mlw", line 7, characters 43-54) - Abstract RAC: FAILURE (postcondition at "bench/check-ce/integers.mlw", line 7, characters 43-54) - Checked model 1: NC - Concrete RAC: FAILURE (postcondition at "bench/check-ce/integers.mlw", line 7, characters 43-54) - Abstract RAC: FAILURE (postcondition at "bench/check-ce/integers.mlw", line 7, characters 43-54) File "bench/check-ce/integers.mlw", line 7, characters 43-54: Goal g_no_lab. Prover result is: Unknown (sat). The program does not comply to the verification goal, for example during the following execution: File int.mlw: Line 13: Constant zero initialization zero = 0 Line 14: Constant one initialization one = 1 File integers.mlw: Line 7: x = 48 x = 48 Execution of main function `g_no_lab'goal` with env: x = 48 zero = 0 one = 1 Unknown location: Normal execution of function `Tuple0` with args: File integers.mlw: Line 7: Property failure at postcondition of `g_no_lab'goal` with: x = 48 Categorizations of models: - Selected model 0: NC - Concrete RAC: FAILURE (postcondition at "bench/check-ce/integers.mlw", line 11, characters 30-38) - Abstract RAC: FAILURE (postcondition at "bench/check-ce/integers.mlw", line 11, characters 30-38) - Checked model 1: NC - Concrete RAC: FAILURE (postcondition at "bench/check-ce/integers.mlw", line 11, characters 30-38) - Abstract RAC: FAILURE (postcondition at "bench/check-ce/integers.mlw", line 11, characters 30-38) File "bench/check-ce/integers.mlw", line 11, characters 30-38: Goal g2_lab. Prover result is: Unknown (sat). The program does not comply to the verification goal, for example during the following execution: File int.mlw: Line 13: Constant zero initialization zero = 0 Line 14: Constant one initialization one = 1 File integers.mlw: Line 9: g = 0 Line 11: x = 1 x = 1 Execution of main function `g2_lab'goal` with env: g = 0 x = 1 zero = 0 one = 1 Unknown location: Normal execution of function `Tuple0` with args: File integers.mlw: Line 11: Property failure at postcondition of `g2_lab'goal` with: x = 1 Categorizations of models: - Selected model 0: NC - Concrete RAC: FAILURE (postcondition at "bench/check-ce/integers.mlw", line 22, characters 2-45) - Abstract RAC: FAILURE (postcondition at "bench/check-ce/integers.mlw", line 22, characters 2-45) - Checked model 1: NC - Concrete RAC: FAILURE (postcondition at "bench/check-ce/integers.mlw", line 22, characters 2-45) - Abstract RAC: FAILURE (postcondition at "bench/check-ce/integers.mlw", line 22, characters 2-45) File "bench/check-ce/integers.mlw", line 22, characters 2-45: Goal newgoal. Prover result is: Unknown (sat). The program does not comply to the verification goal, for example during the following execution: File int.mlw: Line 13: Constant zero initialization zero = 0 Line 14: Constant one initialization one = 1 File integers.mlw: Line 9: g = 0 Line 13: x1 = 1 x2 = 1 x3 = 1 x4 = 1 x5 = 1 x6 = 1 x7 = 1 x8 = 1 x1 = 1 x2 = 1 x3 = 1 x4 = 1 x5 = 1 x6 = 1 x7 = 1 x8 = 1 Execution of main function `newgoal'goal` with env: g = 0 x8 = 1 x7 = 1 x6 = 1 x5 = 1 x4 = 1 x3 = 1 x2 = 1 x1 = 1 zero = 0 one = 1 Unknown location: Normal execution of function `Tuple0` with args: File integers.mlw: Line 22: Property failure at postcondition of `newgoal'goal` with: x8 = 1 x7 = 1 x6 = 1 x5 = 1 x4 = 1 x3 = 1 x2 = 1 x1 = 1 why3-1.6.0/bench/check-ce/oracles/jlamp0_mono_CVC4,1.8_SP.oracle000066400000000000000000000335011440160026300236450ustar00rootroot00000000000000File "bench/check-ce/jlamp0_mono.mlw", line 9, characters 25-31: Sub-goal Postcondition of goal infix :='vc. Prover result is: Valid. Categorizations of models: - Selected model 0: NC - Concrete RAC: FAILURE (assertion at "bench/check-ce/jlamp0_mono.mlw", line 17, characters 13-26) - Abstract RAC: FAILURE (assertion at "bench/check-ce/jlamp0_mono.mlw", line 17, characters 13-26) - Checked model 1: NC - Concrete RAC: FAILURE (assertion at "bench/check-ce/jlamp0_mono.mlw", line 17, characters 13-26) - Abstract RAC: FAILURE (assertion at "bench/check-ce/jlamp0_mono.mlw", line 17, characters 13-26) File "bench/check-ce/jlamp0_mono.mlw", line 17, characters 13-26: Sub-goal Assertion of goal p1'vc. Prover result is: Unknown (sat). The program does not comply to the verification goal, for example during the following execution: File int.mlw: Line 13: Constant zero initialization zero = 0 Line 14: Constant one initialization one = 1 File jlamp0_mono.mlw: Line 11: a = {contents= 0} Line 13: b = {contents= 3} b = {contents= 3} Execution of main function `p1` with env: a = {contents= 0} b = {contents= 3} zero = 0 one = 1 Line 16: Normal execution of function `(!)` with args: x = {contents= 3} Line 7: Normal execution of function `contents` with args: arg = {contents= 3} Line 16: Normal execution of function `(!)` with args: x = {contents= 0} Line 7: Normal execution of function `contents` with args: arg = {contents= 0} Line 16: Normal execution of function `(+)` with args: _ = 0 _ = 3 Normal execution of function `(:=)` with args: x = {contents= 0} v = 3 Line 17: Property failure at assertion with: a = {contents= 3} Categorizations of models: - Selected model 0: NC - Concrete RAC: FAILURE (postcondition at "bench/check-ce/jlamp0_mono.mlw", line 15, characters 15-29) - Abstract RAC: FAILURE (postcondition at "bench/check-ce/jlamp0_mono.mlw", line 15, characters 15-29) - Checked model 1: NC - Concrete RAC: FAILURE (postcondition at "bench/check-ce/jlamp0_mono.mlw", line 15, characters 15-29) - Abstract RAC: FAILURE (postcondition at "bench/check-ce/jlamp0_mono.mlw", line 15, characters 15-29) File "bench/check-ce/jlamp0_mono.mlw", line 15, characters 15-29: Sub-goal Postcondition of goal p1'vc. Prover result is: Unknown (sat). The program does not comply to the verification goal, for example during the following execution: File int.mlw: Line 13: Constant zero initialization zero = 0 Line 14: Constant one initialization one = 1 File jlamp0_mono.mlw: Line 11: a = {contents= 0} Line 13: b = {contents= 5} b = {contents= 5} Execution of main function `p1` with env: a = {contents= 0} b = {contents= 5} zero = 0 one = 1 Line 16: Normal execution of function `(!)` with args: x = {contents= 5} Line 7: Normal execution of function `contents` with args: arg = {contents= 5} Line 16: Normal execution of function `(!)` with args: x = {contents= 0} Line 7: Normal execution of function `contents` with args: arg = {contents= 0} Line 16: Normal execution of function `(+)` with args: _ = 0 _ = 5 Normal execution of function `(:=)` with args: x = {contents= 0} v = 5 Line 18: Normal execution of function `(!)` with args: x = {contents= 5} Line 7: Normal execution of function `contents` with args: arg = {contents= 5} Line 18: Normal execution of function `(>=)` with args: x = 5 y = 10 Normal execution of function `Tuple0` with args: Line 15: Property failure at postcondition of `p1` with: a = {contents= 5} Categorizations of models: - Selected model 0: NC - Concrete RAC: FAILURE (loop invariant init at "bench/check-ce/jlamp0_mono.mlw", line 27, characters 18-31) - Abstract RAC: FAILURE (loop invariant init at "bench/check-ce/jlamp0_mono.mlw", line 27, characters 18-31) - Checked model 1: NC - Concrete RAC: FAILURE (loop invariant init at "bench/check-ce/jlamp0_mono.mlw", line 27, characters 18-31) - Abstract RAC: FAILURE (loop invariant init at "bench/check-ce/jlamp0_mono.mlw", line 27, characters 18-31) File "bench/check-ce/jlamp0_mono.mlw", line 27, characters 18-31: Sub-goal Loop invariant init of goal p2'vc. Prover result is: Unknown (sat). The program does not comply to the verification goal, for example during the following execution: File int.mlw: Line 13: Constant zero initialization zero = 0 Line 14: Constant one initialization one = 1 File jlamp0_mono.mlw: Line 11: a = {contents= 0} Line 20: Constant c initialization (giant-step) execution of unimplemented function with args: result = {contents= 0} c = {contents= 0} Unknown location: _ = () File jlamp0_mono.mlw: Line 22: _ = () Execution of main function `p2` with env: a = {contents= 0} c = {contents= 0} _ = () zero = 0 one = 1 Line 25: Normal execution of function `(:=)` with args: x = {contents= 0} v = 1 Line 27: Property failure at loop invariant init with: c = {contents= 1} File "bench/check-ce/jlamp0_mono.mlw", line 28, characters 18-31: Sub-goal Loop invariant init of goal p2'vc. Prover result is: Valid. Categorizations of models: - Checked model 0: BAD_CE - Concrete RAC: FAILURE (loop invariant init at "bench/check-ce/jlamp0_mono.mlw", line 27, characters 18-31) - Abstract RAC: FAILURE (loop invariant init at "bench/check-ce/jlamp0_mono.mlw", line 27, characters 18-31) - Selected model 1: BAD_CE - Concrete RAC: FAILURE (loop invariant init at "bench/check-ce/jlamp0_mono.mlw", line 27, characters 18-31) - Abstract RAC: FAILURE (loop invariant init at "bench/check-ce/jlamp0_mono.mlw", line 27, characters 18-31) File "bench/check-ce/jlamp0_mono.mlw", line 29, characters 16-18: Sub-goal Loop variant decrease of goal p2'vc. Prover result is: Unknown (sat). Sorry, we don't have a good counterexample for you :( Categorizations of models: - Selected model 0: NC - Concrete RAC: FAILURE (loop invariant init at "bench/check-ce/jlamp0_mono.mlw", line 27, characters 18-31) - Abstract RAC: FAILURE (loop invariant init at "bench/check-ce/jlamp0_mono.mlw", line 27, characters 18-31) - Checked model 1: NC - Concrete RAC: FAILURE (loop invariant init at "bench/check-ce/jlamp0_mono.mlw", line 27, characters 18-31) - Abstract RAC: FAILURE (loop invariant init at "bench/check-ce/jlamp0_mono.mlw", line 27, characters 18-31) File "bench/check-ce/jlamp0_mono.mlw", line 27, characters 18-31: Sub-goal Loop invariant preservation of goal p2'vc. Prover result is: Unknown (sat). The program does not comply to the verification goal, for example during the following execution: File int.mlw: Line 13: Constant zero initialization zero = 0 Line 14: Constant one initialization one = 1 File jlamp0_mono.mlw: Line 11: a = {contents= 0} Line 20: c = {contents= 10} Unknown location: _ = () File jlamp0_mono.mlw: Line 22: _ = () Execution of main function `p2` with env: a = {contents= 0} c = {contents= 10} _ = () zero = 0 one = 1 Line 25: Normal execution of function `(:=)` with args: x = {contents= 10} v = 1 Line 27: Property failure at loop invariant init with: c = {contents= 1} Categorizations of models: - Checked model 0: BAD_CE - Concrete RAC: FAILURE (loop invariant init at "bench/check-ce/jlamp0_mono.mlw", line 27, characters 18-31) - Abstract RAC: FAILURE (loop invariant init at "bench/check-ce/jlamp0_mono.mlw", line 27, characters 18-31) - Selected model 1: BAD_CE - Concrete RAC: FAILURE (loop invariant init at "bench/check-ce/jlamp0_mono.mlw", line 27, characters 18-31) - Abstract RAC: FAILURE (loop invariant init at "bench/check-ce/jlamp0_mono.mlw", line 27, characters 18-31) File "bench/check-ce/jlamp0_mono.mlw", line 28, characters 18-31: Sub-goal Loop invariant preservation of goal p2'vc. Prover result is: Unknown (sat). Sorry, we don't have a good counterexample for you :( Categorizations of models: - Checked model 0: BAD_CE - Concrete RAC: FAILURE (loop invariant init at "bench/check-ce/jlamp0_mono.mlw", line 27, characters 18-31) - Abstract RAC: FAILURE (loop invariant init at "bench/check-ce/jlamp0_mono.mlw", line 27, characters 18-31) - Selected model 1: BAD_CE - Concrete RAC: FAILURE (loop invariant init at "bench/check-ce/jlamp0_mono.mlw", line 27, characters 18-31) - Abstract RAC: FAILURE (loop invariant init at "bench/check-ce/jlamp0_mono.mlw", line 27, characters 18-31) File "bench/check-ce/jlamp0_mono.mlw", line 24, characters 15-28: Sub-goal Postcondition of goal p2'vc. Prover result is: Unknown (sat). Sorry, we don't have a good counterexample for you :( File "bench/check-ce/jlamp0_mono.mlw", line 40, characters 18-31: Sub-goal Loop invariant init of goal p3'vc. Prover result is: Valid. Categorizations of models: - Selected model 0: NC - Concrete RAC: FAILURE (loop invariant init at "bench/check-ce/jlamp0_mono.mlw", line 41, characters 18-31) - Abstract RAC: FAILURE (loop invariant init at "bench/check-ce/jlamp0_mono.mlw", line 41, characters 18-31) - Checked model 1: NC - Concrete RAC: FAILURE (loop invariant init at "bench/check-ce/jlamp0_mono.mlw", line 41, characters 18-31) - Abstract RAC: FAILURE (loop invariant init at "bench/check-ce/jlamp0_mono.mlw", line 41, characters 18-31) File "bench/check-ce/jlamp0_mono.mlw", line 41, characters 18-31: Sub-goal Loop invariant init of goal p3'vc. Prover result is: Unknown (sat). The program does not comply to the verification goal, for example during the following execution: File int.mlw: Line 13: Constant zero initialization zero = 0 Line 14: Constant one initialization one = 1 File jlamp0_mono.mlw: Line 11: a = {contents= 0} Line 20: c = {contents= 3} Unknown location: _ = () File jlamp0_mono.mlw: Line 34: _ = () Execution of main function `p3` with env: a = {contents= 0} c = {contents= 3} _ = () zero = 0 one = 1 Line 41: Property failure at loop invariant init with: a = {contents= 0} Categorizations of models: - Checked model 0: BAD_CE - Concrete RAC: FAILURE (loop invariant init at "bench/check-ce/jlamp0_mono.mlw", line 41, characters 18-31) - Abstract RAC: FAILURE (loop invariant init at "bench/check-ce/jlamp0_mono.mlw", line 41, characters 18-31) - Selected model 1: BAD_CE - Concrete RAC: FAILURE (loop invariant init at "bench/check-ce/jlamp0_mono.mlw", line 41, characters 18-31) - Abstract RAC: FAILURE (loop invariant init at "bench/check-ce/jlamp0_mono.mlw", line 41, characters 18-31) File "bench/check-ce/jlamp0_mono.mlw", line 42, characters 16-18: Sub-goal Loop variant decrease of goal p3'vc. Prover result is: Unknown (sat). Sorry, we don't have a good counterexample for you :( Categorizations of models: - Checked model 0: BAD_CE - Concrete RAC: FAILURE (loop invariant init at "bench/check-ce/jlamp0_mono.mlw", line 41, characters 18-31) - Abstract RAC: FAILURE (loop invariant init at "bench/check-ce/jlamp0_mono.mlw", line 41, characters 18-31) - Selected model 1: BAD_CE - Concrete RAC: FAILURE (loop invariant init at "bench/check-ce/jlamp0_mono.mlw", line 41, characters 18-31) - Abstract RAC: FAILURE (loop invariant init at "bench/check-ce/jlamp0_mono.mlw", line 41, characters 18-31) File "bench/check-ce/jlamp0_mono.mlw", line 40, characters 18-31: Sub-goal Loop invariant preservation of goal p3'vc. Prover result is: Unknown (sat). Sorry, we don't have a good counterexample for you :( Categorizations of models: - Selected model 0: NC - Concrete RAC: FAILURE (loop invariant init at "bench/check-ce/jlamp0_mono.mlw", line 41, characters 18-31) - Abstract RAC: FAILURE (loop invariant init at "bench/check-ce/jlamp0_mono.mlw", line 41, characters 18-31) - Checked model 1: NC - Concrete RAC: FAILURE (loop invariant init at "bench/check-ce/jlamp0_mono.mlw", line 41, characters 18-31) - Abstract RAC: FAILURE (loop invariant init at "bench/check-ce/jlamp0_mono.mlw", line 41, characters 18-31) File "bench/check-ce/jlamp0_mono.mlw", line 41, characters 18-31: Sub-goal Loop invariant preservation of goal p3'vc. Prover result is: Unknown (sat). The program does not comply to the verification goal, for example during the following execution: File int.mlw: Line 13: Constant zero initialization zero = 0 Line 14: Constant one initialization one = 1 File jlamp0_mono.mlw: Line 11: a = {contents= 0} Line 20: c = {contents= 3} Unknown location: _ = () File jlamp0_mono.mlw: Line 34: _ = () Execution of main function `p3` with env: a = {contents= 0} c = {contents= 3} _ = () zero = 0 one = 1 Line 41: Property failure at loop invariant init with: a = {contents= 0} Categorizations of models: - Checked model 0: BAD_CE - Concrete RAC: FAILURE (loop invariant init at "bench/check-ce/jlamp0_mono.mlw", line 41, characters 18-31) - Abstract RAC: FAILURE (loop invariant init at "bench/check-ce/jlamp0_mono.mlw", line 41, characters 18-31) - Selected model 1: BAD_CE - Concrete RAC: FAILURE (loop invariant init at "bench/check-ce/jlamp0_mono.mlw", line 41, characters 18-31) - Abstract RAC: FAILURE (loop invariant init at "bench/check-ce/jlamp0_mono.mlw", line 41, characters 18-31) File "bench/check-ce/jlamp0_mono.mlw", line 37, characters 15-28: Sub-goal Postcondition of goal p3'vc. Prover result is: Unknown (sat). Sorry, we don't have a good counterexample for you :( why3-1.6.0/bench/check-ce/oracles/jlamp0_mono_CVC4,1.8_WP.oracle000066400000000000000000000404531440160026300236550ustar00rootroot00000000000000File "bench/check-ce/jlamp0_mono.mlw", line 9, characters 25-31: Sub-goal Postcondition of goal infix :='vc. Prover result is: Valid. Categorizations of models: - Selected model 0: NC - Concrete RAC: FAILURE (assertion at "bench/check-ce/jlamp0_mono.mlw", line 17, characters 13-26) - Abstract RAC: FAILURE (assertion at "bench/check-ce/jlamp0_mono.mlw", line 17, characters 13-26) - Checked model 1: NC - Concrete RAC: FAILURE (assertion at "bench/check-ce/jlamp0_mono.mlw", line 17, characters 13-26) - Abstract RAC: FAILURE (assertion at "bench/check-ce/jlamp0_mono.mlw", line 17, characters 13-26) File "bench/check-ce/jlamp0_mono.mlw", line 17, characters 13-26: Sub-goal Assertion of goal p1'vc. Prover result is: Unknown (sat). The program does not comply to the verification goal, for example during the following execution: File int.mlw: Line 13: Constant zero initialization zero = 0 Line 14: Constant one initialization one = 1 File jlamp0_mono.mlw: Line 11: a = {contents= 0} Line 13: b = {contents= 3} b = {contents= 3} Execution of main function `p1` with env: a = {contents= 0} b = {contents= 3} zero = 0 one = 1 Line 16: Normal execution of function `(!)` with args: x = {contents= 3} Line 7: Normal execution of function `contents` with args: arg = {contents= 3} Line 16: Normal execution of function `(!)` with args: x = {contents= 0} Line 7: Normal execution of function `contents` with args: arg = {contents= 0} Line 16: Normal execution of function `(+)` with args: _ = 0 _ = 3 Normal execution of function `(:=)` with args: x = {contents= 0} v = 3 Line 17: Property failure at assertion with: a = {contents= 3} Categorizations of models: - Selected model 0: NC - Concrete RAC: FAILURE (postcondition at "bench/check-ce/jlamp0_mono.mlw", line 15, characters 15-29) - Abstract RAC: FAILURE (postcondition at "bench/check-ce/jlamp0_mono.mlw", line 15, characters 15-29) - Checked model 1: NC - Concrete RAC: FAILURE (postcondition at "bench/check-ce/jlamp0_mono.mlw", line 15, characters 15-29) - Abstract RAC: FAILURE (postcondition at "bench/check-ce/jlamp0_mono.mlw", line 15, characters 15-29) File "bench/check-ce/jlamp0_mono.mlw", line 15, characters 15-29: Sub-goal Postcondition of goal p1'vc. Prover result is: Unknown (sat). The program does not comply to the verification goal, for example during the following execution: File int.mlw: Line 13: Constant zero initialization zero = 0 Line 14: Constant one initialization one = 1 File jlamp0_mono.mlw: Line 11: a = {contents= 0} Line 13: b = {contents= 10} b = {contents= 10} Execution of main function `p1` with env: a = {contents= 0} b = {contents= 10} zero = 0 one = 1 Line 16: Normal execution of function `(!)` with args: x = {contents= 10} Line 7: Normal execution of function `contents` with args: arg = {contents= 10} Line 16: Normal execution of function `(!)` with args: x = {contents= 0} Line 7: Normal execution of function `contents` with args: arg = {contents= 0} Line 16: Normal execution of function `(+)` with args: _ = 0 _ = 10 Normal execution of function `(:=)` with args: x = {contents= 0} v = 10 Line 18: Normal execution of function `(!)` with args: x = {contents= 10} Line 7: Normal execution of function `contents` with args: arg = {contents= 10} Line 18: Normal execution of function `(>=)` with args: x = 10 y = 10 Normal execution of function `(!)` with args: x = {contents= 10} Line 7: Normal execution of function `contents` with args: arg = {contents= 10} Line 18: Normal execution of function `(-)` with args: x = 10 y = 1 File int.mlw: Line 23: Normal execution of function `(-_)` with args: _ = 1 Normal execution of function `(+)` with args: _ = 10 _ = (-1) File jlamp0_mono.mlw: Line 18: Normal execution of function `(:=)` with args: x = {contents= 10} v = 9 Line 15: Property failure at postcondition of `p1` with: a = {contents= 9} Categorizations of models: - Selected model 0: NC - Concrete RAC: FAILURE (postcondition at "bench/check-ce/jlamp0_mono.mlw", line 15, characters 15-29) - Abstract RAC: FAILURE (postcondition at "bench/check-ce/jlamp0_mono.mlw", line 15, characters 15-29) - Checked model 1: NC - Concrete RAC: FAILURE (postcondition at "bench/check-ce/jlamp0_mono.mlw", line 15, characters 15-29) - Abstract RAC: FAILURE (postcondition at "bench/check-ce/jlamp0_mono.mlw", line 15, characters 15-29) File "bench/check-ce/jlamp0_mono.mlw", line 15, characters 15-29: Sub-goal Postcondition of goal p1'vc. Prover result is: Unknown (sat). The program does not comply to the verification goal, for example during the following execution: File int.mlw: Line 13: Constant zero initialization zero = 0 Line 14: Constant one initialization one = 1 File jlamp0_mono.mlw: Line 11: a = {contents= 0} Line 13: b = {contents= 5} b = {contents= 5} Execution of main function `p1` with env: a = {contents= 0} b = {contents= 5} zero = 0 one = 1 Line 16: Normal execution of function `(!)` with args: x = {contents= 5} Line 7: Normal execution of function `contents` with args: arg = {contents= 5} Line 16: Normal execution of function `(!)` with args: x = {contents= 0} Line 7: Normal execution of function `contents` with args: arg = {contents= 0} Line 16: Normal execution of function `(+)` with args: _ = 0 _ = 5 Normal execution of function `(:=)` with args: x = {contents= 0} v = 5 Line 18: Normal execution of function `(!)` with args: x = {contents= 5} Line 7: Normal execution of function `contents` with args: arg = {contents= 5} Line 18: Normal execution of function `(>=)` with args: x = 5 y = 10 Normal execution of function `Tuple0` with args: Line 15: Property failure at postcondition of `p1` with: a = {contents= 5} Categorizations of models: - Selected model 0: NC - Concrete RAC: FAILURE (loop invariant init at "bench/check-ce/jlamp0_mono.mlw", line 27, characters 18-31) - Abstract RAC: FAILURE (loop invariant init at "bench/check-ce/jlamp0_mono.mlw", line 27, characters 18-31) - Checked model 1: NC - Concrete RAC: FAILURE (loop invariant init at "bench/check-ce/jlamp0_mono.mlw", line 27, characters 18-31) - Abstract RAC: FAILURE (loop invariant init at "bench/check-ce/jlamp0_mono.mlw", line 27, characters 18-31) File "bench/check-ce/jlamp0_mono.mlw", line 27, characters 18-31: Sub-goal Loop invariant init of goal p2'vc. Prover result is: Unknown (sat). The program does not comply to the verification goal, for example during the following execution: File int.mlw: Line 13: Constant zero initialization zero = 0 Line 14: Constant one initialization one = 1 File jlamp0_mono.mlw: Line 11: a = {contents= 0} Line 20: Constant c initialization (giant-step) execution of unimplemented function with args: result = {contents= 0} c = {contents= 0} Unknown location: _ = () File jlamp0_mono.mlw: Line 22: _ = () Execution of main function `p2` with env: a = {contents= 0} c = {contents= 0} _ = () zero = 0 one = 1 Line 25: Normal execution of function `(:=)` with args: x = {contents= 0} v = 1 Line 27: Property failure at loop invariant init with: c = {contents= 1} File "bench/check-ce/jlamp0_mono.mlw", line 28, characters 18-31: Sub-goal Loop invariant init of goal p2'vc. Prover result is: Valid. Categorizations of models: - Checked model 0: BAD_CE - Concrete RAC: FAILURE (loop invariant init at "bench/check-ce/jlamp0_mono.mlw", line 27, characters 18-31) - Abstract RAC: FAILURE (loop invariant init at "bench/check-ce/jlamp0_mono.mlw", line 27, characters 18-31) - Selected model 1: BAD_CE - Concrete RAC: FAILURE (loop invariant init at "bench/check-ce/jlamp0_mono.mlw", line 27, characters 18-31) - Abstract RAC: FAILURE (loop invariant init at "bench/check-ce/jlamp0_mono.mlw", line 27, characters 18-31) File "bench/check-ce/jlamp0_mono.mlw", line 29, characters 16-18: Sub-goal Loop variant decrease of goal p2'vc. Prover result is: Unknown (sat). Sorry, we don't have a good counterexample for you :( Categorizations of models: - Selected model 0: NC - Concrete RAC: FAILURE (loop invariant init at "bench/check-ce/jlamp0_mono.mlw", line 27, characters 18-31) - Abstract RAC: FAILURE (loop invariant init at "bench/check-ce/jlamp0_mono.mlw", line 27, characters 18-31) - Checked model 1: NC - Concrete RAC: FAILURE (loop invariant init at "bench/check-ce/jlamp0_mono.mlw", line 27, characters 18-31) - Abstract RAC: FAILURE (loop invariant init at "bench/check-ce/jlamp0_mono.mlw", line 27, characters 18-31) File "bench/check-ce/jlamp0_mono.mlw", line 27, characters 18-31: Sub-goal Loop invariant preservation of goal p2'vc. Prover result is: Unknown (sat). The program does not comply to the verification goal, for example during the following execution: File int.mlw: Line 13: Constant zero initialization zero = 0 Line 14: Constant one initialization one = 1 File jlamp0_mono.mlw: Line 11: a = {contents= 0} Line 20: c = {contents= 10} Unknown location: _ = () File jlamp0_mono.mlw: Line 22: _ = () Execution of main function `p2` with env: a = {contents= 0} c = {contents= 10} _ = () zero = 0 one = 1 Line 25: Normal execution of function `(:=)` with args: x = {contents= 10} v = 1 Line 27: Property failure at loop invariant init with: c = {contents= 1} Categorizations of models: - Checked model 0: BAD_CE - Concrete RAC: FAILURE (loop invariant init at "bench/check-ce/jlamp0_mono.mlw", line 27, characters 18-31) - Abstract RAC: FAILURE (loop invariant init at "bench/check-ce/jlamp0_mono.mlw", line 27, characters 18-31) - Selected model 1: BAD_CE - Concrete RAC: FAILURE (loop invariant init at "bench/check-ce/jlamp0_mono.mlw", line 27, characters 18-31) - Abstract RAC: FAILURE (loop invariant init at "bench/check-ce/jlamp0_mono.mlw", line 27, characters 18-31) File "bench/check-ce/jlamp0_mono.mlw", line 28, characters 18-31: Sub-goal Loop invariant preservation of goal p2'vc. Prover result is: Unknown (sat). Sorry, we don't have a good counterexample for you :( Categorizations of models: - Checked model 0: BAD_CE - Concrete RAC: FAILURE (loop invariant init at "bench/check-ce/jlamp0_mono.mlw", line 27, characters 18-31) - Abstract RAC: FAILURE (loop invariant init at "bench/check-ce/jlamp0_mono.mlw", line 27, characters 18-31) - Selected model 1: BAD_CE - Concrete RAC: FAILURE (loop invariant init at "bench/check-ce/jlamp0_mono.mlw", line 27, characters 18-31) - Abstract RAC: FAILURE (loop invariant init at "bench/check-ce/jlamp0_mono.mlw", line 27, characters 18-31) File "bench/check-ce/jlamp0_mono.mlw", line 24, characters 15-28: Sub-goal Postcondition of goal p2'vc. Prover result is: Unknown (sat). Sorry, we don't have a good counterexample for you :( File "bench/check-ce/jlamp0_mono.mlw", line 40, characters 18-31: Sub-goal Loop invariant init of goal p3'vc. Prover result is: Valid. Categorizations of models: - Selected model 0: NC - Concrete RAC: FAILURE (loop invariant init at "bench/check-ce/jlamp0_mono.mlw", line 41, characters 18-31) - Abstract RAC: FAILURE (loop invariant init at "bench/check-ce/jlamp0_mono.mlw", line 41, characters 18-31) - Checked model 1: NC - Concrete RAC: FAILURE (loop invariant init at "bench/check-ce/jlamp0_mono.mlw", line 41, characters 18-31) - Abstract RAC: FAILURE (loop invariant init at "bench/check-ce/jlamp0_mono.mlw", line 41, characters 18-31) File "bench/check-ce/jlamp0_mono.mlw", line 41, characters 18-31: Sub-goal Loop invariant init of goal p3'vc. Prover result is: Unknown (sat). The program does not comply to the verification goal, for example during the following execution: File int.mlw: Line 13: Constant zero initialization zero = 0 Line 14: Constant one initialization one = 1 File jlamp0_mono.mlw: Line 11: a = {contents= 0} Line 20: c = {contents= 3} Unknown location: _ = () File jlamp0_mono.mlw: Line 34: _ = () Execution of main function `p3` with env: a = {contents= 0} c = {contents= 3} _ = () zero = 0 one = 1 Line 41: Property failure at loop invariant init with: a = {contents= 0} Categorizations of models: - Checked model 0: BAD_CE - Concrete RAC: FAILURE (loop invariant init at "bench/check-ce/jlamp0_mono.mlw", line 41, characters 18-31) - Abstract RAC: FAILURE (loop invariant init at "bench/check-ce/jlamp0_mono.mlw", line 41, characters 18-31) - Selected model 1: BAD_CE - Concrete RAC: FAILURE (loop invariant init at "bench/check-ce/jlamp0_mono.mlw", line 41, characters 18-31) - Abstract RAC: FAILURE (loop invariant init at "bench/check-ce/jlamp0_mono.mlw", line 41, characters 18-31) File "bench/check-ce/jlamp0_mono.mlw", line 42, characters 16-18: Sub-goal Loop variant decrease of goal p3'vc. Prover result is: Unknown (sat). Sorry, we don't have a good counterexample for you :( Categorizations of models: - Checked model 0: BAD_CE - Concrete RAC: FAILURE (loop invariant init at "bench/check-ce/jlamp0_mono.mlw", line 41, characters 18-31) - Abstract RAC: FAILURE (loop invariant init at "bench/check-ce/jlamp0_mono.mlw", line 41, characters 18-31) - Selected model 1: BAD_CE - Concrete RAC: FAILURE (loop invariant init at "bench/check-ce/jlamp0_mono.mlw", line 41, characters 18-31) - Abstract RAC: FAILURE (loop invariant init at "bench/check-ce/jlamp0_mono.mlw", line 41, characters 18-31) File "bench/check-ce/jlamp0_mono.mlw", line 40, characters 18-31: Sub-goal Loop invariant preservation of goal p3'vc. Prover result is: Unknown (sat). Sorry, we don't have a good counterexample for you :( Categorizations of models: - Selected model 0: NC - Concrete RAC: FAILURE (loop invariant init at "bench/check-ce/jlamp0_mono.mlw", line 41, characters 18-31) - Abstract RAC: FAILURE (loop invariant init at "bench/check-ce/jlamp0_mono.mlw", line 41, characters 18-31) - Checked model 1: NC - Concrete RAC: FAILURE (loop invariant init at "bench/check-ce/jlamp0_mono.mlw", line 41, characters 18-31) - Abstract RAC: FAILURE (loop invariant init at "bench/check-ce/jlamp0_mono.mlw", line 41, characters 18-31) File "bench/check-ce/jlamp0_mono.mlw", line 41, characters 18-31: Sub-goal Loop invariant preservation of goal p3'vc. Prover result is: Unknown (sat). The program does not comply to the verification goal, for example during the following execution: File int.mlw: Line 13: Constant zero initialization zero = 0 Line 14: Constant one initialization one = 1 File jlamp0_mono.mlw: Line 11: a = {contents= 0} Line 20: c = {contents= 3} Unknown location: _ = () File jlamp0_mono.mlw: Line 34: _ = () Execution of main function `p3` with env: a = {contents= 0} c = {contents= 3} _ = () zero = 0 one = 1 Line 41: Property failure at loop invariant init with: a = {contents= 0} Categorizations of models: - Checked model 0: BAD_CE - Concrete RAC: FAILURE (loop invariant init at "bench/check-ce/jlamp0_mono.mlw", line 41, characters 18-31) - Abstract RAC: FAILURE (loop invariant init at "bench/check-ce/jlamp0_mono.mlw", line 41, characters 18-31) - Selected model 1: BAD_CE - Concrete RAC: FAILURE (loop invariant init at "bench/check-ce/jlamp0_mono.mlw", line 41, characters 18-31) - Abstract RAC: FAILURE (loop invariant init at "bench/check-ce/jlamp0_mono.mlw", line 41, characters 18-31) File "bench/check-ce/jlamp0_mono.mlw", line 37, characters 15-28: Sub-goal Postcondition of goal p3'vc. Prover result is: Unknown (sat). Sorry, we don't have a good counterexample for you :( why3-1.6.0/bench/check-ce/oracles/jlamp0_mono_CVC5,1.0.0_SP.oracle000066400000000000000000000344621440160026300240030ustar00rootroot00000000000000File "bench/check-ce/jlamp0_mono.mlw", line 9, characters 25-31: Sub-goal Postcondition of goal infix :='vc. Prover result is: Valid. Categorizations of models: - Selected model 0: NC - Concrete RAC: FAILURE (assertion at "bench/check-ce/jlamp0_mono.mlw", line 17, characters 13-26) - Abstract RAC: FAILURE (assertion at "bench/check-ce/jlamp0_mono.mlw", line 17, characters 13-26) - Checked model 1: NC - Concrete RAC: FAILURE (assertion at "bench/check-ce/jlamp0_mono.mlw", line 17, characters 13-26) - Abstract RAC: FAILURE (assertion at "bench/check-ce/jlamp0_mono.mlw", line 17, characters 13-26) File "bench/check-ce/jlamp0_mono.mlw", line 17, characters 13-26: Sub-goal Assertion of goal p1'vc. Prover result is: Unknown (sat). The program does not comply to the verification goal, for example during the following execution: File int.mlw: Line 13: Constant zero initialization zero = 0 Line 14: Constant one initialization one = 1 File jlamp0_mono.mlw: Line 11: a = {contents= 0} Line 13: b = {contents= 3} b = {contents= 3} Execution of main function `p1` with env: a = {contents= 0} b = {contents= 3} zero = 0 one = 1 Line 16: Normal execution of function `(!)` with args: x = {contents= 3} Line 7: Normal execution of function `contents` with args: arg = {contents= 3} Line 16: Normal execution of function `(!)` with args: x = {contents= 0} Line 7: Normal execution of function `contents` with args: arg = {contents= 0} Line 16: Normal execution of function `(+)` with args: _ = 0 _ = 3 Normal execution of function `(:=)` with args: x = {contents= 0} v = 3 Line 17: Property failure at assertion with: a = {contents= 3} Categorizations of models: - Selected model 0: NC - Concrete RAC: FAILURE (postcondition at "bench/check-ce/jlamp0_mono.mlw", line 15, characters 15-29) - Abstract RAC: FAILURE (postcondition at "bench/check-ce/jlamp0_mono.mlw", line 15, characters 15-29) - Checked model 1: NC - Concrete RAC: FAILURE (postcondition at "bench/check-ce/jlamp0_mono.mlw", line 15, characters 15-29) - Abstract RAC: FAILURE (postcondition at "bench/check-ce/jlamp0_mono.mlw", line 15, characters 15-29) File "bench/check-ce/jlamp0_mono.mlw", line 15, characters 15-29: Sub-goal Postcondition of goal p1'vc. Prover result is: Unknown (sat). The program does not comply to the verification goal, for example during the following execution: File int.mlw: Line 13: Constant zero initialization zero = 0 Line 14: Constant one initialization one = 1 File jlamp0_mono.mlw: Line 11: a = {contents= 0} Line 13: b = {contents= 10} b = {contents= 10} Execution of main function `p1` with env: a = {contents= 0} b = {contents= 10} zero = 0 one = 1 Line 16: Normal execution of function `(!)` with args: x = {contents= 10} Line 7: Normal execution of function `contents` with args: arg = {contents= 10} Line 16: Normal execution of function `(!)` with args: x = {contents= 0} Line 7: Normal execution of function `contents` with args: arg = {contents= 0} Line 16: Normal execution of function `(+)` with args: _ = 0 _ = 10 Normal execution of function `(:=)` with args: x = {contents= 0} v = 10 Line 18: Normal execution of function `(!)` with args: x = {contents= 10} Line 7: Normal execution of function `contents` with args: arg = {contents= 10} Line 18: Normal execution of function `(>=)` with args: x = 10 y = 10 Normal execution of function `(!)` with args: x = {contents= 10} Line 7: Normal execution of function `contents` with args: arg = {contents= 10} Line 18: Normal execution of function `(-)` with args: x = 10 y = 1 File int.mlw: Line 23: Normal execution of function `(-_)` with args: _ = 1 Normal execution of function `(+)` with args: _ = 10 _ = (-1) File jlamp0_mono.mlw: Line 18: Normal execution of function `(:=)` with args: x = {contents= 10} v = 9 Line 15: Property failure at postcondition of `p1` with: a = {contents= 9} Categorizations of models: - Selected model 0: NC - Concrete RAC: FAILURE (loop invariant init at "bench/check-ce/jlamp0_mono.mlw", line 27, characters 18-31) - Abstract RAC: FAILURE (loop invariant init at "bench/check-ce/jlamp0_mono.mlw", line 27, characters 18-31) - Checked model 1: NC - Concrete RAC: FAILURE (loop invariant init at "bench/check-ce/jlamp0_mono.mlw", line 27, characters 18-31) - Abstract RAC: FAILURE (loop invariant init at "bench/check-ce/jlamp0_mono.mlw", line 27, characters 18-31) File "bench/check-ce/jlamp0_mono.mlw", line 27, characters 18-31: Sub-goal Loop invariant init of goal p2'vc. Prover result is: Unknown (sat). The program does not comply to the verification goal, for example during the following execution: File int.mlw: Line 13: Constant zero initialization zero = 0 Line 14: Constant one initialization one = 1 File jlamp0_mono.mlw: Line 11: a = {contents= 0} Line 20: Constant c initialization (giant-step) execution of unimplemented function with args: result = {contents= 0} c = {contents= 0} Unknown location: _ = () File jlamp0_mono.mlw: Line 22: _ = () Execution of main function `p2` with env: a = {contents= 0} c = {contents= 0} _ = () zero = 0 one = 1 Line 25: Normal execution of function `(:=)` with args: x = {contents= 0} v = 1 Line 27: Property failure at loop invariant init with: c = {contents= 1} File "bench/check-ce/jlamp0_mono.mlw", line 28, characters 18-31: Sub-goal Loop invariant init of goal p2'vc. Prover result is: Valid. Categorizations of models: - Checked model 0: BAD_CE - Concrete RAC: FAILURE (loop invariant init at "bench/check-ce/jlamp0_mono.mlw", line 27, characters 18-31) - Abstract RAC: FAILURE (loop invariant init at "bench/check-ce/jlamp0_mono.mlw", line 27, characters 18-31) - Selected model 1: BAD_CE - Concrete RAC: FAILURE (loop invariant init at "bench/check-ce/jlamp0_mono.mlw", line 27, characters 18-31) - Abstract RAC: FAILURE (loop invariant init at "bench/check-ce/jlamp0_mono.mlw", line 27, characters 18-31) File "bench/check-ce/jlamp0_mono.mlw", line 29, characters 16-18: Sub-goal Loop variant decrease of goal p2'vc. Prover result is: Unknown (sat). Sorry, we don't have a good counterexample for you :( Categorizations of models: - Selected model 0: NC - Concrete RAC: FAILURE (loop invariant init at "bench/check-ce/jlamp0_mono.mlw", line 27, characters 18-31) - Abstract RAC: FAILURE (loop invariant init at "bench/check-ce/jlamp0_mono.mlw", line 27, characters 18-31) - Checked model 1: NC - Concrete RAC: FAILURE (loop invariant init at "bench/check-ce/jlamp0_mono.mlw", line 27, characters 18-31) - Abstract RAC: FAILURE (loop invariant init at "bench/check-ce/jlamp0_mono.mlw", line 27, characters 18-31) File "bench/check-ce/jlamp0_mono.mlw", line 27, characters 18-31: Sub-goal Loop invariant preservation of goal p2'vc. Prover result is: Unknown (sat). The program does not comply to the verification goal, for example during the following execution: File int.mlw: Line 13: Constant zero initialization zero = 0 Line 14: Constant one initialization one = 1 File jlamp0_mono.mlw: Line 11: a = {contents= 0} Line 20: c = {contents= 10} Unknown location: _ = () File jlamp0_mono.mlw: Line 22: _ = () Execution of main function `p2` with env: a = {contents= 0} c = {contents= 10} _ = () zero = 0 one = 1 Line 25: Normal execution of function `(:=)` with args: x = {contents= 10} v = 1 Line 27: Property failure at loop invariant init with: c = {contents= 1} Categorizations of models: - Checked model 0: BAD_CE - Concrete RAC: FAILURE (loop invariant init at "bench/check-ce/jlamp0_mono.mlw", line 27, characters 18-31) - Abstract RAC: FAILURE (loop invariant init at "bench/check-ce/jlamp0_mono.mlw", line 27, characters 18-31) - Selected model 1: BAD_CE - Concrete RAC: FAILURE (loop invariant init at "bench/check-ce/jlamp0_mono.mlw", line 27, characters 18-31) - Abstract RAC: FAILURE (loop invariant init at "bench/check-ce/jlamp0_mono.mlw", line 27, characters 18-31) File "bench/check-ce/jlamp0_mono.mlw", line 28, characters 18-31: Sub-goal Loop invariant preservation of goal p2'vc. Prover result is: Unknown (sat). Sorry, we don't have a good counterexample for you :( Categorizations of models: - Checked model 0: BAD_CE - Concrete RAC: FAILURE (loop invariant init at "bench/check-ce/jlamp0_mono.mlw", line 27, characters 18-31) - Abstract RAC: FAILURE (loop invariant init at "bench/check-ce/jlamp0_mono.mlw", line 27, characters 18-31) - Selected model 1: BAD_CE - Concrete RAC: FAILURE (loop invariant init at "bench/check-ce/jlamp0_mono.mlw", line 27, characters 18-31) - Abstract RAC: FAILURE (loop invariant init at "bench/check-ce/jlamp0_mono.mlw", line 27, characters 18-31) File "bench/check-ce/jlamp0_mono.mlw", line 24, characters 15-28: Sub-goal Postcondition of goal p2'vc. Prover result is: Unknown (sat). Sorry, we don't have a good counterexample for you :( File "bench/check-ce/jlamp0_mono.mlw", line 40, characters 18-31: Sub-goal Loop invariant init of goal p3'vc. Prover result is: Valid. Categorizations of models: - Selected model 0: NC - Concrete RAC: FAILURE (loop invariant init at "bench/check-ce/jlamp0_mono.mlw", line 41, characters 18-31) - Abstract RAC: FAILURE (loop invariant init at "bench/check-ce/jlamp0_mono.mlw", line 41, characters 18-31) - Checked model 1: NC - Concrete RAC: FAILURE (loop invariant init at "bench/check-ce/jlamp0_mono.mlw", line 41, characters 18-31) - Abstract RAC: FAILURE (loop invariant init at "bench/check-ce/jlamp0_mono.mlw", line 41, characters 18-31) File "bench/check-ce/jlamp0_mono.mlw", line 41, characters 18-31: Sub-goal Loop invariant init of goal p3'vc. Prover result is: Unknown (sat). The program does not comply to the verification goal, for example during the following execution: File int.mlw: Line 13: Constant zero initialization zero = 0 Line 14: Constant one initialization one = 1 File jlamp0_mono.mlw: Line 11: a = {contents= 0} Line 20: c = {contents= 3} Unknown location: _ = () File jlamp0_mono.mlw: Line 34: _ = () Execution of main function `p3` with env: a = {contents= 0} c = {contents= 3} _ = () zero = 0 one = 1 Line 41: Property failure at loop invariant init with: a = {contents= 0} Categorizations of models: - Checked model 0: BAD_CE - Concrete RAC: FAILURE (loop invariant init at "bench/check-ce/jlamp0_mono.mlw", line 41, characters 18-31) - Abstract RAC: FAILURE (loop invariant init at "bench/check-ce/jlamp0_mono.mlw", line 41, characters 18-31) - Selected model 1: BAD_CE - Concrete RAC: FAILURE (loop invariant init at "bench/check-ce/jlamp0_mono.mlw", line 41, characters 18-31) - Abstract RAC: FAILURE (loop invariant init at "bench/check-ce/jlamp0_mono.mlw", line 41, characters 18-31) File "bench/check-ce/jlamp0_mono.mlw", line 42, characters 16-18: Sub-goal Loop variant decrease of goal p3'vc. Prover result is: Unknown (sat). Sorry, we don't have a good counterexample for you :( Categorizations of models: - Checked model 0: BAD_CE - Concrete RAC: FAILURE (loop invariant init at "bench/check-ce/jlamp0_mono.mlw", line 41, characters 18-31) - Abstract RAC: FAILURE (loop invariant init at "bench/check-ce/jlamp0_mono.mlw", line 41, characters 18-31) - Selected model 1: BAD_CE - Concrete RAC: FAILURE (loop invariant init at "bench/check-ce/jlamp0_mono.mlw", line 41, characters 18-31) - Abstract RAC: FAILURE (loop invariant init at "bench/check-ce/jlamp0_mono.mlw", line 41, characters 18-31) File "bench/check-ce/jlamp0_mono.mlw", line 40, characters 18-31: Sub-goal Loop invariant preservation of goal p3'vc. Prover result is: Unknown (sat). Sorry, we don't have a good counterexample for you :( Categorizations of models: - Selected model 0: NC - Concrete RAC: FAILURE (loop invariant init at "bench/check-ce/jlamp0_mono.mlw", line 41, characters 18-31) - Abstract RAC: FAILURE (loop invariant init at "bench/check-ce/jlamp0_mono.mlw", line 41, characters 18-31) - Checked model 1: NC - Concrete RAC: FAILURE (loop invariant init at "bench/check-ce/jlamp0_mono.mlw", line 41, characters 18-31) - Abstract RAC: FAILURE (loop invariant init at "bench/check-ce/jlamp0_mono.mlw", line 41, characters 18-31) File "bench/check-ce/jlamp0_mono.mlw", line 41, characters 18-31: Sub-goal Loop invariant preservation of goal p3'vc. Prover result is: Unknown (sat). The program does not comply to the verification goal, for example during the following execution: File int.mlw: Line 13: Constant zero initialization zero = 0 Line 14: Constant one initialization one = 1 File jlamp0_mono.mlw: Line 11: a = {contents= 0} Line 20: c = {contents= 3} Unknown location: _ = () File jlamp0_mono.mlw: Line 34: _ = () Execution of main function `p3` with env: a = {contents= 0} c = {contents= 3} _ = () zero = 0 one = 1 Line 41: Property failure at loop invariant init with: a = {contents= 0} Categorizations of models: - Checked model 0: BAD_CE - Concrete RAC: FAILURE (loop invariant init at "bench/check-ce/jlamp0_mono.mlw", line 41, characters 18-31) - Abstract RAC: FAILURE (loop invariant init at "bench/check-ce/jlamp0_mono.mlw", line 41, characters 18-31) - Selected model 1: BAD_CE - Concrete RAC: FAILURE (loop invariant init at "bench/check-ce/jlamp0_mono.mlw", line 41, characters 18-31) - Abstract RAC: FAILURE (loop invariant init at "bench/check-ce/jlamp0_mono.mlw", line 41, characters 18-31) File "bench/check-ce/jlamp0_mono.mlw", line 37, characters 15-28: Sub-goal Postcondition of goal p3'vc. Prover result is: Unknown (sat). Sorry, we don't have a good counterexample for you :( why3-1.6.0/bench/check-ce/oracles/jlamp0_mono_CVC5,1.0.0_WP.oracle000066400000000000000000000404531440160026300240040ustar00rootroot00000000000000File "bench/check-ce/jlamp0_mono.mlw", line 9, characters 25-31: Sub-goal Postcondition of goal infix :='vc. Prover result is: Valid. Categorizations of models: - Selected model 0: NC - Concrete RAC: FAILURE (assertion at "bench/check-ce/jlamp0_mono.mlw", line 17, characters 13-26) - Abstract RAC: FAILURE (assertion at "bench/check-ce/jlamp0_mono.mlw", line 17, characters 13-26) - Checked model 1: NC - Concrete RAC: FAILURE (assertion at "bench/check-ce/jlamp0_mono.mlw", line 17, characters 13-26) - Abstract RAC: FAILURE (assertion at "bench/check-ce/jlamp0_mono.mlw", line 17, characters 13-26) File "bench/check-ce/jlamp0_mono.mlw", line 17, characters 13-26: Sub-goal Assertion of goal p1'vc. Prover result is: Unknown (sat). The program does not comply to the verification goal, for example during the following execution: File int.mlw: Line 13: Constant zero initialization zero = 0 Line 14: Constant one initialization one = 1 File jlamp0_mono.mlw: Line 11: a = {contents= 0} Line 13: b = {contents= 3} b = {contents= 3} Execution of main function `p1` with env: a = {contents= 0} b = {contents= 3} zero = 0 one = 1 Line 16: Normal execution of function `(!)` with args: x = {contents= 3} Line 7: Normal execution of function `contents` with args: arg = {contents= 3} Line 16: Normal execution of function `(!)` with args: x = {contents= 0} Line 7: Normal execution of function `contents` with args: arg = {contents= 0} Line 16: Normal execution of function `(+)` with args: _ = 0 _ = 3 Normal execution of function `(:=)` with args: x = {contents= 0} v = 3 Line 17: Property failure at assertion with: a = {contents= 3} Categorizations of models: - Selected model 0: NC - Concrete RAC: FAILURE (postcondition at "bench/check-ce/jlamp0_mono.mlw", line 15, characters 15-29) - Abstract RAC: FAILURE (postcondition at "bench/check-ce/jlamp0_mono.mlw", line 15, characters 15-29) - Checked model 1: NC - Concrete RAC: FAILURE (postcondition at "bench/check-ce/jlamp0_mono.mlw", line 15, characters 15-29) - Abstract RAC: FAILURE (postcondition at "bench/check-ce/jlamp0_mono.mlw", line 15, characters 15-29) File "bench/check-ce/jlamp0_mono.mlw", line 15, characters 15-29: Sub-goal Postcondition of goal p1'vc. Prover result is: Unknown (sat). The program does not comply to the verification goal, for example during the following execution: File int.mlw: Line 13: Constant zero initialization zero = 0 Line 14: Constant one initialization one = 1 File jlamp0_mono.mlw: Line 11: a = {contents= 0} Line 13: b = {contents= 10} b = {contents= 10} Execution of main function `p1` with env: a = {contents= 0} b = {contents= 10} zero = 0 one = 1 Line 16: Normal execution of function `(!)` with args: x = {contents= 10} Line 7: Normal execution of function `contents` with args: arg = {contents= 10} Line 16: Normal execution of function `(!)` with args: x = {contents= 0} Line 7: Normal execution of function `contents` with args: arg = {contents= 0} Line 16: Normal execution of function `(+)` with args: _ = 0 _ = 10 Normal execution of function `(:=)` with args: x = {contents= 0} v = 10 Line 18: Normal execution of function `(!)` with args: x = {contents= 10} Line 7: Normal execution of function `contents` with args: arg = {contents= 10} Line 18: Normal execution of function `(>=)` with args: x = 10 y = 10 Normal execution of function `(!)` with args: x = {contents= 10} Line 7: Normal execution of function `contents` with args: arg = {contents= 10} Line 18: Normal execution of function `(-)` with args: x = 10 y = 1 File int.mlw: Line 23: Normal execution of function `(-_)` with args: _ = 1 Normal execution of function `(+)` with args: _ = 10 _ = (-1) File jlamp0_mono.mlw: Line 18: Normal execution of function `(:=)` with args: x = {contents= 10} v = 9 Line 15: Property failure at postcondition of `p1` with: a = {contents= 9} Categorizations of models: - Selected model 0: NC - Concrete RAC: FAILURE (postcondition at "bench/check-ce/jlamp0_mono.mlw", line 15, characters 15-29) - Abstract RAC: FAILURE (postcondition at "bench/check-ce/jlamp0_mono.mlw", line 15, characters 15-29) - Checked model 1: NC - Concrete RAC: FAILURE (postcondition at "bench/check-ce/jlamp0_mono.mlw", line 15, characters 15-29) - Abstract RAC: FAILURE (postcondition at "bench/check-ce/jlamp0_mono.mlw", line 15, characters 15-29) File "bench/check-ce/jlamp0_mono.mlw", line 15, characters 15-29: Sub-goal Postcondition of goal p1'vc. Prover result is: Unknown (sat). The program does not comply to the verification goal, for example during the following execution: File int.mlw: Line 13: Constant zero initialization zero = 0 Line 14: Constant one initialization one = 1 File jlamp0_mono.mlw: Line 11: a = {contents= 0} Line 13: b = {contents= 5} b = {contents= 5} Execution of main function `p1` with env: a = {contents= 0} b = {contents= 5} zero = 0 one = 1 Line 16: Normal execution of function `(!)` with args: x = {contents= 5} Line 7: Normal execution of function `contents` with args: arg = {contents= 5} Line 16: Normal execution of function `(!)` with args: x = {contents= 0} Line 7: Normal execution of function `contents` with args: arg = {contents= 0} Line 16: Normal execution of function `(+)` with args: _ = 0 _ = 5 Normal execution of function `(:=)` with args: x = {contents= 0} v = 5 Line 18: Normal execution of function `(!)` with args: x = {contents= 5} Line 7: Normal execution of function `contents` with args: arg = {contents= 5} Line 18: Normal execution of function `(>=)` with args: x = 5 y = 10 Normal execution of function `Tuple0` with args: Line 15: Property failure at postcondition of `p1` with: a = {contents= 5} Categorizations of models: - Selected model 0: NC - Concrete RAC: FAILURE (loop invariant init at "bench/check-ce/jlamp0_mono.mlw", line 27, characters 18-31) - Abstract RAC: FAILURE (loop invariant init at "bench/check-ce/jlamp0_mono.mlw", line 27, characters 18-31) - Checked model 1: NC - Concrete RAC: FAILURE (loop invariant init at "bench/check-ce/jlamp0_mono.mlw", line 27, characters 18-31) - Abstract RAC: FAILURE (loop invariant init at "bench/check-ce/jlamp0_mono.mlw", line 27, characters 18-31) File "bench/check-ce/jlamp0_mono.mlw", line 27, characters 18-31: Sub-goal Loop invariant init of goal p2'vc. Prover result is: Unknown (sat). The program does not comply to the verification goal, for example during the following execution: File int.mlw: Line 13: Constant zero initialization zero = 0 Line 14: Constant one initialization one = 1 File jlamp0_mono.mlw: Line 11: a = {contents= 0} Line 20: Constant c initialization (giant-step) execution of unimplemented function with args: result = {contents= 0} c = {contents= 0} Unknown location: _ = () File jlamp0_mono.mlw: Line 22: _ = () Execution of main function `p2` with env: a = {contents= 0} c = {contents= 0} _ = () zero = 0 one = 1 Line 25: Normal execution of function `(:=)` with args: x = {contents= 0} v = 1 Line 27: Property failure at loop invariant init with: c = {contents= 1} File "bench/check-ce/jlamp0_mono.mlw", line 28, characters 18-31: Sub-goal Loop invariant init of goal p2'vc. Prover result is: Valid. Categorizations of models: - Checked model 0: BAD_CE - Concrete RAC: FAILURE (loop invariant init at "bench/check-ce/jlamp0_mono.mlw", line 27, characters 18-31) - Abstract RAC: FAILURE (loop invariant init at "bench/check-ce/jlamp0_mono.mlw", line 27, characters 18-31) - Selected model 1: BAD_CE - Concrete RAC: FAILURE (loop invariant init at "bench/check-ce/jlamp0_mono.mlw", line 27, characters 18-31) - Abstract RAC: FAILURE (loop invariant init at "bench/check-ce/jlamp0_mono.mlw", line 27, characters 18-31) File "bench/check-ce/jlamp0_mono.mlw", line 29, characters 16-18: Sub-goal Loop variant decrease of goal p2'vc. Prover result is: Unknown (sat). Sorry, we don't have a good counterexample for you :( Categorizations of models: - Selected model 0: NC - Concrete RAC: FAILURE (loop invariant init at "bench/check-ce/jlamp0_mono.mlw", line 27, characters 18-31) - Abstract RAC: FAILURE (loop invariant init at "bench/check-ce/jlamp0_mono.mlw", line 27, characters 18-31) - Checked model 1: NC - Concrete RAC: FAILURE (loop invariant init at "bench/check-ce/jlamp0_mono.mlw", line 27, characters 18-31) - Abstract RAC: FAILURE (loop invariant init at "bench/check-ce/jlamp0_mono.mlw", line 27, characters 18-31) File "bench/check-ce/jlamp0_mono.mlw", line 27, characters 18-31: Sub-goal Loop invariant preservation of goal p2'vc. Prover result is: Unknown (sat). The program does not comply to the verification goal, for example during the following execution: File int.mlw: Line 13: Constant zero initialization zero = 0 Line 14: Constant one initialization one = 1 File jlamp0_mono.mlw: Line 11: a = {contents= 0} Line 20: c = {contents= 10} Unknown location: _ = () File jlamp0_mono.mlw: Line 22: _ = () Execution of main function `p2` with env: a = {contents= 0} c = {contents= 10} _ = () zero = 0 one = 1 Line 25: Normal execution of function `(:=)` with args: x = {contents= 10} v = 1 Line 27: Property failure at loop invariant init with: c = {contents= 1} Categorizations of models: - Checked model 0: BAD_CE - Concrete RAC: FAILURE (loop invariant init at "bench/check-ce/jlamp0_mono.mlw", line 27, characters 18-31) - Abstract RAC: FAILURE (loop invariant init at "bench/check-ce/jlamp0_mono.mlw", line 27, characters 18-31) - Selected model 1: BAD_CE - Concrete RAC: FAILURE (loop invariant init at "bench/check-ce/jlamp0_mono.mlw", line 27, characters 18-31) - Abstract RAC: FAILURE (loop invariant init at "bench/check-ce/jlamp0_mono.mlw", line 27, characters 18-31) File "bench/check-ce/jlamp0_mono.mlw", line 28, characters 18-31: Sub-goal Loop invariant preservation of goal p2'vc. Prover result is: Unknown (sat). Sorry, we don't have a good counterexample for you :( Categorizations of models: - Checked model 0: BAD_CE - Concrete RAC: FAILURE (loop invariant init at "bench/check-ce/jlamp0_mono.mlw", line 27, characters 18-31) - Abstract RAC: FAILURE (loop invariant init at "bench/check-ce/jlamp0_mono.mlw", line 27, characters 18-31) - Selected model 1: BAD_CE - Concrete RAC: FAILURE (loop invariant init at "bench/check-ce/jlamp0_mono.mlw", line 27, characters 18-31) - Abstract RAC: FAILURE (loop invariant init at "bench/check-ce/jlamp0_mono.mlw", line 27, characters 18-31) File "bench/check-ce/jlamp0_mono.mlw", line 24, characters 15-28: Sub-goal Postcondition of goal p2'vc. Prover result is: Unknown (sat). Sorry, we don't have a good counterexample for you :( File "bench/check-ce/jlamp0_mono.mlw", line 40, characters 18-31: Sub-goal Loop invariant init of goal p3'vc. Prover result is: Valid. Categorizations of models: - Selected model 0: NC - Concrete RAC: FAILURE (loop invariant init at "bench/check-ce/jlamp0_mono.mlw", line 41, characters 18-31) - Abstract RAC: FAILURE (loop invariant init at "bench/check-ce/jlamp0_mono.mlw", line 41, characters 18-31) - Checked model 1: NC - Concrete RAC: FAILURE (loop invariant init at "bench/check-ce/jlamp0_mono.mlw", line 41, characters 18-31) - Abstract RAC: FAILURE (loop invariant init at "bench/check-ce/jlamp0_mono.mlw", line 41, characters 18-31) File "bench/check-ce/jlamp0_mono.mlw", line 41, characters 18-31: Sub-goal Loop invariant init of goal p3'vc. Prover result is: Unknown (sat). The program does not comply to the verification goal, for example during the following execution: File int.mlw: Line 13: Constant zero initialization zero = 0 Line 14: Constant one initialization one = 1 File jlamp0_mono.mlw: Line 11: a = {contents= 0} Line 20: c = {contents= 3} Unknown location: _ = () File jlamp0_mono.mlw: Line 34: _ = () Execution of main function `p3` with env: a = {contents= 0} c = {contents= 3} _ = () zero = 0 one = 1 Line 41: Property failure at loop invariant init with: a = {contents= 0} Categorizations of models: - Checked model 0: BAD_CE - Concrete RAC: FAILURE (loop invariant init at "bench/check-ce/jlamp0_mono.mlw", line 41, characters 18-31) - Abstract RAC: FAILURE (loop invariant init at "bench/check-ce/jlamp0_mono.mlw", line 41, characters 18-31) - Selected model 1: BAD_CE - Concrete RAC: FAILURE (loop invariant init at "bench/check-ce/jlamp0_mono.mlw", line 41, characters 18-31) - Abstract RAC: FAILURE (loop invariant init at "bench/check-ce/jlamp0_mono.mlw", line 41, characters 18-31) File "bench/check-ce/jlamp0_mono.mlw", line 42, characters 16-18: Sub-goal Loop variant decrease of goal p3'vc. Prover result is: Unknown (sat). Sorry, we don't have a good counterexample for you :( Categorizations of models: - Checked model 0: BAD_CE - Concrete RAC: FAILURE (loop invariant init at "bench/check-ce/jlamp0_mono.mlw", line 41, characters 18-31) - Abstract RAC: FAILURE (loop invariant init at "bench/check-ce/jlamp0_mono.mlw", line 41, characters 18-31) - Selected model 1: BAD_CE - Concrete RAC: FAILURE (loop invariant init at "bench/check-ce/jlamp0_mono.mlw", line 41, characters 18-31) - Abstract RAC: FAILURE (loop invariant init at "bench/check-ce/jlamp0_mono.mlw", line 41, characters 18-31) File "bench/check-ce/jlamp0_mono.mlw", line 40, characters 18-31: Sub-goal Loop invariant preservation of goal p3'vc. Prover result is: Unknown (sat). Sorry, we don't have a good counterexample for you :( Categorizations of models: - Selected model 0: NC - Concrete RAC: FAILURE (loop invariant init at "bench/check-ce/jlamp0_mono.mlw", line 41, characters 18-31) - Abstract RAC: FAILURE (loop invariant init at "bench/check-ce/jlamp0_mono.mlw", line 41, characters 18-31) - Checked model 1: NC - Concrete RAC: FAILURE (loop invariant init at "bench/check-ce/jlamp0_mono.mlw", line 41, characters 18-31) - Abstract RAC: FAILURE (loop invariant init at "bench/check-ce/jlamp0_mono.mlw", line 41, characters 18-31) File "bench/check-ce/jlamp0_mono.mlw", line 41, characters 18-31: Sub-goal Loop invariant preservation of goal p3'vc. Prover result is: Unknown (sat). The program does not comply to the verification goal, for example during the following execution: File int.mlw: Line 13: Constant zero initialization zero = 0 Line 14: Constant one initialization one = 1 File jlamp0_mono.mlw: Line 11: a = {contents= 0} Line 20: c = {contents= 3} Unknown location: _ = () File jlamp0_mono.mlw: Line 34: _ = () Execution of main function `p3` with env: a = {contents= 0} c = {contents= 3} _ = () zero = 0 one = 1 Line 41: Property failure at loop invariant init with: a = {contents= 0} Categorizations of models: - Checked model 0: BAD_CE - Concrete RAC: FAILURE (loop invariant init at "bench/check-ce/jlamp0_mono.mlw", line 41, characters 18-31) - Abstract RAC: FAILURE (loop invariant init at "bench/check-ce/jlamp0_mono.mlw", line 41, characters 18-31) - Selected model 1: BAD_CE - Concrete RAC: FAILURE (loop invariant init at "bench/check-ce/jlamp0_mono.mlw", line 41, characters 18-31) - Abstract RAC: FAILURE (loop invariant init at "bench/check-ce/jlamp0_mono.mlw", line 41, characters 18-31) File "bench/check-ce/jlamp0_mono.mlw", line 37, characters 15-28: Sub-goal Postcondition of goal p3'vc. Prover result is: Unknown (sat). Sorry, we don't have a good counterexample for you :( why3-1.6.0/bench/check-ce/oracles/jlamp0_mono_Z3,4.8.10_SP.oracle000066400000000000000000000335111440160026300236650ustar00rootroot00000000000000File "bench/check-ce/jlamp0_mono.mlw", line 9, characters 25-31: Sub-goal Postcondition of goal infix :='vc. Prover result is: Valid. Categorizations of models: - Selected model 0: NC - Concrete RAC: FAILURE (assertion at "bench/check-ce/jlamp0_mono.mlw", line 17, characters 13-26) - Abstract RAC: FAILURE (assertion at "bench/check-ce/jlamp0_mono.mlw", line 17, characters 13-26) - Checked model 1: NC - Concrete RAC: FAILURE (assertion at "bench/check-ce/jlamp0_mono.mlw", line 17, characters 13-26) - Abstract RAC: FAILURE (assertion at "bench/check-ce/jlamp0_mono.mlw", line 17, characters 13-26) File "bench/check-ce/jlamp0_mono.mlw", line 17, characters 13-26: Sub-goal Assertion of goal p1'vc. Prover result is: Unknown (sat). The program does not comply to the verification goal, for example during the following execution: File int.mlw: Line 13: Constant zero initialization zero = 0 Line 14: Constant one initialization one = 1 File jlamp0_mono.mlw: Line 11: a = {contents= 0} Line 13: b = {contents= 16} b = {contents= 16} Execution of main function `p1` with env: a = {contents= 0} b = {contents= 16} zero = 0 one = 1 Line 16: Normal execution of function `(!)` with args: x = {contents= 16} Line 7: Normal execution of function `contents` with args: arg = {contents= 16} Line 16: Normal execution of function `(!)` with args: x = {contents= 0} Line 7: Normal execution of function `contents` with args: arg = {contents= 0} Line 16: Normal execution of function `(+)` with args: _ = 0 _ = 16 Normal execution of function `(:=)` with args: x = {contents= 0} v = 16 Line 17: Property failure at assertion with: a = {contents= 16} Categorizations of models: - Selected model 0: NC - Concrete RAC: FAILURE (postcondition at "bench/check-ce/jlamp0_mono.mlw", line 15, characters 15-29) - Abstract RAC: FAILURE (postcondition at "bench/check-ce/jlamp0_mono.mlw", line 15, characters 15-29) - Checked model 1: NC - Concrete RAC: FAILURE (postcondition at "bench/check-ce/jlamp0_mono.mlw", line 15, characters 15-29) - Abstract RAC: FAILURE (postcondition at "bench/check-ce/jlamp0_mono.mlw", line 15, characters 15-29) File "bench/check-ce/jlamp0_mono.mlw", line 15, characters 15-29: Sub-goal Postcondition of goal p1'vc. Prover result is: Unknown (sat). The program does not comply to the verification goal, for example during the following execution: File int.mlw: Line 13: Constant zero initialization zero = 0 Line 14: Constant one initialization one = 1 File jlamp0_mono.mlw: Line 11: a = {contents= 0} Line 13: b = {contents= 5} b = {contents= 5} Execution of main function `p1` with env: a = {contents= 0} b = {contents= 5} zero = 0 one = 1 Line 16: Normal execution of function `(!)` with args: x = {contents= 5} Line 7: Normal execution of function `contents` with args: arg = {contents= 5} Line 16: Normal execution of function `(!)` with args: x = {contents= 0} Line 7: Normal execution of function `contents` with args: arg = {contents= 0} Line 16: Normal execution of function `(+)` with args: _ = 0 _ = 5 Normal execution of function `(:=)` with args: x = {contents= 0} v = 5 Line 18: Normal execution of function `(!)` with args: x = {contents= 5} Line 7: Normal execution of function `contents` with args: arg = {contents= 5} Line 18: Normal execution of function `(>=)` with args: x = 5 y = 10 Normal execution of function `Tuple0` with args: Line 15: Property failure at postcondition of `p1` with: a = {contents= 5} Categorizations of models: - Selected model 0: NC - Concrete RAC: FAILURE (loop invariant init at "bench/check-ce/jlamp0_mono.mlw", line 27, characters 18-31) - Abstract RAC: FAILURE (loop invariant init at "bench/check-ce/jlamp0_mono.mlw", line 27, characters 18-31) - Checked model 1: NC - Concrete RAC: FAILURE (loop invariant init at "bench/check-ce/jlamp0_mono.mlw", line 27, characters 18-31) - Abstract RAC: FAILURE (loop invariant init at "bench/check-ce/jlamp0_mono.mlw", line 27, characters 18-31) File "bench/check-ce/jlamp0_mono.mlw", line 27, characters 18-31: Sub-goal Loop invariant init of goal p2'vc. Prover result is: Unknown (sat). The program does not comply to the verification goal, for example during the following execution: File int.mlw: Line 13: Constant zero initialization zero = 0 Line 14: Constant one initialization one = 1 File jlamp0_mono.mlw: Line 11: a = {contents= 0} Line 20: Constant c initialization (giant-step) execution of unimplemented function with args: result = {contents= 0} c = {contents= 0} Unknown location: _ = () File jlamp0_mono.mlw: Line 22: _ = () Execution of main function `p2` with env: a = {contents= 0} c = {contents= 0} _ = () zero = 0 one = 1 Line 25: Normal execution of function `(:=)` with args: x = {contents= 0} v = 1 Line 27: Property failure at loop invariant init with: c = {contents= 1} File "bench/check-ce/jlamp0_mono.mlw", line 28, characters 18-31: Sub-goal Loop invariant init of goal p2'vc. Prover result is: Valid. Categorizations of models: - Checked model 0: BAD_CE - Concrete RAC: FAILURE (loop invariant init at "bench/check-ce/jlamp0_mono.mlw", line 27, characters 18-31) - Abstract RAC: FAILURE (loop invariant init at "bench/check-ce/jlamp0_mono.mlw", line 27, characters 18-31) - Selected model 1: BAD_CE - Concrete RAC: FAILURE (loop invariant init at "bench/check-ce/jlamp0_mono.mlw", line 27, characters 18-31) - Abstract RAC: FAILURE (loop invariant init at "bench/check-ce/jlamp0_mono.mlw", line 27, characters 18-31) File "bench/check-ce/jlamp0_mono.mlw", line 29, characters 16-18: Sub-goal Loop variant decrease of goal p2'vc. Prover result is: Unknown (sat). Sorry, we don't have a good counterexample for you :( Categorizations of models: - Selected model 0: NC - Concrete RAC: FAILURE (loop invariant init at "bench/check-ce/jlamp0_mono.mlw", line 27, characters 18-31) - Abstract RAC: FAILURE (loop invariant init at "bench/check-ce/jlamp0_mono.mlw", line 27, characters 18-31) - Checked model 1: NC - Concrete RAC: FAILURE (loop invariant init at "bench/check-ce/jlamp0_mono.mlw", line 27, characters 18-31) - Abstract RAC: FAILURE (loop invariant init at "bench/check-ce/jlamp0_mono.mlw", line 27, characters 18-31) File "bench/check-ce/jlamp0_mono.mlw", line 27, characters 18-31: Sub-goal Loop invariant preservation of goal p2'vc. Prover result is: Unknown (sat). The program does not comply to the verification goal, for example during the following execution: File int.mlw: Line 13: Constant zero initialization zero = 0 Line 14: Constant one initialization one = 1 File jlamp0_mono.mlw: Line 11: a = {contents= 0} Line 20: c = {contents= 10} Unknown location: _ = () File jlamp0_mono.mlw: Line 22: _ = () Execution of main function `p2` with env: a = {contents= 0} c = {contents= 10} _ = () zero = 0 one = 1 Line 25: Normal execution of function `(:=)` with args: x = {contents= 10} v = 1 Line 27: Property failure at loop invariant init with: c = {contents= 1} Categorizations of models: - Checked model 0: BAD_CE - Concrete RAC: FAILURE (loop invariant init at "bench/check-ce/jlamp0_mono.mlw", line 27, characters 18-31) - Abstract RAC: FAILURE (loop invariant init at "bench/check-ce/jlamp0_mono.mlw", line 27, characters 18-31) - Selected model 1: BAD_CE - Concrete RAC: FAILURE (loop invariant init at "bench/check-ce/jlamp0_mono.mlw", line 27, characters 18-31) - Abstract RAC: FAILURE (loop invariant init at "bench/check-ce/jlamp0_mono.mlw", line 27, characters 18-31) File "bench/check-ce/jlamp0_mono.mlw", line 28, characters 18-31: Sub-goal Loop invariant preservation of goal p2'vc. Prover result is: Unknown (sat). Sorry, we don't have a good counterexample for you :( Categorizations of models: - Checked model 0: BAD_CE - Concrete RAC: FAILURE (loop invariant init at "bench/check-ce/jlamp0_mono.mlw", line 27, characters 18-31) - Abstract RAC: FAILURE (loop invariant init at "bench/check-ce/jlamp0_mono.mlw", line 27, characters 18-31) - Selected model 1: BAD_CE - Concrete RAC: FAILURE (loop invariant init at "bench/check-ce/jlamp0_mono.mlw", line 27, characters 18-31) - Abstract RAC: FAILURE (loop invariant init at "bench/check-ce/jlamp0_mono.mlw", line 27, characters 18-31) File "bench/check-ce/jlamp0_mono.mlw", line 24, characters 15-28: Sub-goal Postcondition of goal p2'vc. Prover result is: Unknown (sat). Sorry, we don't have a good counterexample for you :( File "bench/check-ce/jlamp0_mono.mlw", line 40, characters 18-31: Sub-goal Loop invariant init of goal p3'vc. Prover result is: Valid. Categorizations of models: - Selected model 0: NC - Concrete RAC: FAILURE (loop invariant init at "bench/check-ce/jlamp0_mono.mlw", line 41, characters 18-31) - Abstract RAC: FAILURE (loop invariant init at "bench/check-ce/jlamp0_mono.mlw", line 41, characters 18-31) - Checked model 1: NC - Concrete RAC: FAILURE (loop invariant init at "bench/check-ce/jlamp0_mono.mlw", line 41, characters 18-31) - Abstract RAC: FAILURE (loop invariant init at "bench/check-ce/jlamp0_mono.mlw", line 41, characters 18-31) File "bench/check-ce/jlamp0_mono.mlw", line 41, characters 18-31: Sub-goal Loop invariant init of goal p3'vc. Prover result is: Unknown (sat). The program does not comply to the verification goal, for example during the following execution: File int.mlw: Line 13: Constant zero initialization zero = 0 Line 14: Constant one initialization one = 1 File jlamp0_mono.mlw: Line 11: a = {contents= 0} Line 20: c = {contents= 3} Unknown location: _ = () File jlamp0_mono.mlw: Line 34: _ = () Execution of main function `p3` with env: a = {contents= 0} c = {contents= 3} _ = () zero = 0 one = 1 Line 41: Property failure at loop invariant init with: a = {contents= 0} Categorizations of models: - Checked model 0: BAD_CE - Concrete RAC: FAILURE (loop invariant init at "bench/check-ce/jlamp0_mono.mlw", line 41, characters 18-31) - Abstract RAC: FAILURE (loop invariant init at "bench/check-ce/jlamp0_mono.mlw", line 41, characters 18-31) - Selected model 1: BAD_CE - Concrete RAC: FAILURE (loop invariant init at "bench/check-ce/jlamp0_mono.mlw", line 41, characters 18-31) - Abstract RAC: FAILURE (loop invariant init at "bench/check-ce/jlamp0_mono.mlw", line 41, characters 18-31) File "bench/check-ce/jlamp0_mono.mlw", line 42, characters 16-18: Sub-goal Loop variant decrease of goal p3'vc. Prover result is: Unknown (sat). Sorry, we don't have a good counterexample for you :( Categorizations of models: - Checked model 0: BAD_CE - Concrete RAC: FAILURE (loop invariant init at "bench/check-ce/jlamp0_mono.mlw", line 41, characters 18-31) - Abstract RAC: FAILURE (loop invariant init at "bench/check-ce/jlamp0_mono.mlw", line 41, characters 18-31) - Selected model 1: BAD_CE - Concrete RAC: FAILURE (loop invariant init at "bench/check-ce/jlamp0_mono.mlw", line 41, characters 18-31) - Abstract RAC: FAILURE (loop invariant init at "bench/check-ce/jlamp0_mono.mlw", line 41, characters 18-31) File "bench/check-ce/jlamp0_mono.mlw", line 40, characters 18-31: Sub-goal Loop invariant preservation of goal p3'vc. Prover result is: Unknown (sat). Sorry, we don't have a good counterexample for you :( Categorizations of models: - Selected model 0: NC - Concrete RAC: FAILURE (loop invariant init at "bench/check-ce/jlamp0_mono.mlw", line 41, characters 18-31) - Abstract RAC: FAILURE (loop invariant init at "bench/check-ce/jlamp0_mono.mlw", line 41, characters 18-31) - Checked model 1: NC - Concrete RAC: FAILURE (loop invariant init at "bench/check-ce/jlamp0_mono.mlw", line 41, characters 18-31) - Abstract RAC: FAILURE (loop invariant init at "bench/check-ce/jlamp0_mono.mlw", line 41, characters 18-31) File "bench/check-ce/jlamp0_mono.mlw", line 41, characters 18-31: Sub-goal Loop invariant preservation of goal p3'vc. Prover result is: Unknown (sat). The program does not comply to the verification goal, for example during the following execution: File int.mlw: Line 13: Constant zero initialization zero = 0 Line 14: Constant one initialization one = 1 File jlamp0_mono.mlw: Line 11: a = {contents= 0} Line 20: c = {contents= 3} Unknown location: _ = () File jlamp0_mono.mlw: Line 34: _ = () Execution of main function `p3` with env: a = {contents= 0} c = {contents= 3} _ = () zero = 0 one = 1 Line 41: Property failure at loop invariant init with: a = {contents= 0} Categorizations of models: - Checked model 0: BAD_CE - Concrete RAC: FAILURE (loop invariant init at "bench/check-ce/jlamp0_mono.mlw", line 41, characters 18-31) - Abstract RAC: FAILURE (loop invariant init at "bench/check-ce/jlamp0_mono.mlw", line 41, characters 18-31) - Selected model 1: BAD_CE - Concrete RAC: FAILURE (loop invariant init at "bench/check-ce/jlamp0_mono.mlw", line 41, characters 18-31) - Abstract RAC: FAILURE (loop invariant init at "bench/check-ce/jlamp0_mono.mlw", line 41, characters 18-31) File "bench/check-ce/jlamp0_mono.mlw", line 37, characters 15-28: Sub-goal Postcondition of goal p3'vc. Prover result is: Unknown (sat). Sorry, we don't have a good counterexample for you :( why3-1.6.0/bench/check-ce/oracles/jlamp0_mono_Z3,4.8.10_WP.oracle000066400000000000000000000404651440160026300236770ustar00rootroot00000000000000File "bench/check-ce/jlamp0_mono.mlw", line 9, characters 25-31: Sub-goal Postcondition of goal infix :='vc. Prover result is: Valid. Categorizations of models: - Selected model 0: NC - Concrete RAC: FAILURE (assertion at "bench/check-ce/jlamp0_mono.mlw", line 17, characters 13-26) - Abstract RAC: FAILURE (assertion at "bench/check-ce/jlamp0_mono.mlw", line 17, characters 13-26) - Checked model 1: NC - Concrete RAC: FAILURE (assertion at "bench/check-ce/jlamp0_mono.mlw", line 17, characters 13-26) - Abstract RAC: FAILURE (assertion at "bench/check-ce/jlamp0_mono.mlw", line 17, characters 13-26) File "bench/check-ce/jlamp0_mono.mlw", line 17, characters 13-26: Sub-goal Assertion of goal p1'vc. Prover result is: Unknown (sat). The program does not comply to the verification goal, for example during the following execution: File int.mlw: Line 13: Constant zero initialization zero = 0 Line 14: Constant one initialization one = 1 File jlamp0_mono.mlw: Line 11: a = {contents= 0} Line 13: b = {contents= 16} b = {contents= 16} Execution of main function `p1` with env: a = {contents= 0} b = {contents= 16} zero = 0 one = 1 Line 16: Normal execution of function `(!)` with args: x = {contents= 16} Line 7: Normal execution of function `contents` with args: arg = {contents= 16} Line 16: Normal execution of function `(!)` with args: x = {contents= 0} Line 7: Normal execution of function `contents` with args: arg = {contents= 0} Line 16: Normal execution of function `(+)` with args: _ = 0 _ = 16 Normal execution of function `(:=)` with args: x = {contents= 0} v = 16 Line 17: Property failure at assertion with: a = {contents= 16} Categorizations of models: - Selected model 0: NC - Concrete RAC: FAILURE (postcondition at "bench/check-ce/jlamp0_mono.mlw", line 15, characters 15-29) - Abstract RAC: FAILURE (postcondition at "bench/check-ce/jlamp0_mono.mlw", line 15, characters 15-29) - Checked model 1: NC - Concrete RAC: FAILURE (postcondition at "bench/check-ce/jlamp0_mono.mlw", line 15, characters 15-29) - Abstract RAC: FAILURE (postcondition at "bench/check-ce/jlamp0_mono.mlw", line 15, characters 15-29) File "bench/check-ce/jlamp0_mono.mlw", line 15, characters 15-29: Sub-goal Postcondition of goal p1'vc. Prover result is: Unknown (sat). The program does not comply to the verification goal, for example during the following execution: File int.mlw: Line 13: Constant zero initialization zero = 0 Line 14: Constant one initialization one = 1 File jlamp0_mono.mlw: Line 11: a = {contents= 0} Line 13: b = {contents= 14} b = {contents= 14} Execution of main function `p1` with env: a = {contents= 0} b = {contents= 14} zero = 0 one = 1 Line 16: Normal execution of function `(!)` with args: x = {contents= 14} Line 7: Normal execution of function `contents` with args: arg = {contents= 14} Line 16: Normal execution of function `(!)` with args: x = {contents= 0} Line 7: Normal execution of function `contents` with args: arg = {contents= 0} Line 16: Normal execution of function `(+)` with args: _ = 0 _ = 14 Normal execution of function `(:=)` with args: x = {contents= 0} v = 14 Line 18: Normal execution of function `(!)` with args: x = {contents= 14} Line 7: Normal execution of function `contents` with args: arg = {contents= 14} Line 18: Normal execution of function `(>=)` with args: x = 14 y = 10 Normal execution of function `(!)` with args: x = {contents= 14} Line 7: Normal execution of function `contents` with args: arg = {contents= 14} Line 18: Normal execution of function `(-)` with args: x = 14 y = 1 File int.mlw: Line 23: Normal execution of function `(-_)` with args: _ = 1 Normal execution of function `(+)` with args: _ = 14 _ = (-1) File jlamp0_mono.mlw: Line 18: Normal execution of function `(:=)` with args: x = {contents= 14} v = 13 Line 15: Property failure at postcondition of `p1` with: a = {contents= 13} Categorizations of models: - Selected model 0: NC - Concrete RAC: FAILURE (postcondition at "bench/check-ce/jlamp0_mono.mlw", line 15, characters 15-29) - Abstract RAC: FAILURE (postcondition at "bench/check-ce/jlamp0_mono.mlw", line 15, characters 15-29) - Checked model 1: NC - Concrete RAC: FAILURE (postcondition at "bench/check-ce/jlamp0_mono.mlw", line 15, characters 15-29) - Abstract RAC: FAILURE (postcondition at "bench/check-ce/jlamp0_mono.mlw", line 15, characters 15-29) File "bench/check-ce/jlamp0_mono.mlw", line 15, characters 15-29: Sub-goal Postcondition of goal p1'vc. Prover result is: Unknown (sat). The program does not comply to the verification goal, for example during the following execution: File int.mlw: Line 13: Constant zero initialization zero = 0 Line 14: Constant one initialization one = 1 File jlamp0_mono.mlw: Line 11: a = {contents= 0} Line 13: b = {contents= 5} b = {contents= 5} Execution of main function `p1` with env: a = {contents= 0} b = {contents= 5} zero = 0 one = 1 Line 16: Normal execution of function `(!)` with args: x = {contents= 5} Line 7: Normal execution of function `contents` with args: arg = {contents= 5} Line 16: Normal execution of function `(!)` with args: x = {contents= 0} Line 7: Normal execution of function `contents` with args: arg = {contents= 0} Line 16: Normal execution of function `(+)` with args: _ = 0 _ = 5 Normal execution of function `(:=)` with args: x = {contents= 0} v = 5 Line 18: Normal execution of function `(!)` with args: x = {contents= 5} Line 7: Normal execution of function `contents` with args: arg = {contents= 5} Line 18: Normal execution of function `(>=)` with args: x = 5 y = 10 Normal execution of function `Tuple0` with args: Line 15: Property failure at postcondition of `p1` with: a = {contents= 5} Categorizations of models: - Selected model 0: NC - Concrete RAC: FAILURE (loop invariant init at "bench/check-ce/jlamp0_mono.mlw", line 27, characters 18-31) - Abstract RAC: FAILURE (loop invariant init at "bench/check-ce/jlamp0_mono.mlw", line 27, characters 18-31) - Checked model 1: NC - Concrete RAC: FAILURE (loop invariant init at "bench/check-ce/jlamp0_mono.mlw", line 27, characters 18-31) - Abstract RAC: FAILURE (loop invariant init at "bench/check-ce/jlamp0_mono.mlw", line 27, characters 18-31) File "bench/check-ce/jlamp0_mono.mlw", line 27, characters 18-31: Sub-goal Loop invariant init of goal p2'vc. Prover result is: Unknown (sat). The program does not comply to the verification goal, for example during the following execution: File int.mlw: Line 13: Constant zero initialization zero = 0 Line 14: Constant one initialization one = 1 File jlamp0_mono.mlw: Line 11: a = {contents= 0} Line 20: Constant c initialization (giant-step) execution of unimplemented function with args: result = {contents= 0} c = {contents= 0} Unknown location: _ = () File jlamp0_mono.mlw: Line 22: _ = () Execution of main function `p2` with env: a = {contents= 0} c = {contents= 0} _ = () zero = 0 one = 1 Line 25: Normal execution of function `(:=)` with args: x = {contents= 0} v = 1 Line 27: Property failure at loop invariant init with: c = {contents= 1} File "bench/check-ce/jlamp0_mono.mlw", line 28, characters 18-31: Sub-goal Loop invariant init of goal p2'vc. Prover result is: Valid. Categorizations of models: - Checked model 0: BAD_CE - Concrete RAC: FAILURE (loop invariant init at "bench/check-ce/jlamp0_mono.mlw", line 27, characters 18-31) - Abstract RAC: FAILURE (loop invariant init at "bench/check-ce/jlamp0_mono.mlw", line 27, characters 18-31) - Selected model 1: BAD_CE - Concrete RAC: FAILURE (loop invariant init at "bench/check-ce/jlamp0_mono.mlw", line 27, characters 18-31) - Abstract RAC: FAILURE (loop invariant init at "bench/check-ce/jlamp0_mono.mlw", line 27, characters 18-31) File "bench/check-ce/jlamp0_mono.mlw", line 29, characters 16-18: Sub-goal Loop variant decrease of goal p2'vc. Prover result is: Unknown (sat). Sorry, we don't have a good counterexample for you :( Categorizations of models: - Selected model 0: NC - Concrete RAC: FAILURE (loop invariant init at "bench/check-ce/jlamp0_mono.mlw", line 27, characters 18-31) - Abstract RAC: FAILURE (loop invariant init at "bench/check-ce/jlamp0_mono.mlw", line 27, characters 18-31) - Checked model 1: NC - Concrete RAC: FAILURE (loop invariant init at "bench/check-ce/jlamp0_mono.mlw", line 27, characters 18-31) - Abstract RAC: FAILURE (loop invariant init at "bench/check-ce/jlamp0_mono.mlw", line 27, characters 18-31) File "bench/check-ce/jlamp0_mono.mlw", line 27, characters 18-31: Sub-goal Loop invariant preservation of goal p2'vc. Prover result is: Unknown (sat). The program does not comply to the verification goal, for example during the following execution: File int.mlw: Line 13: Constant zero initialization zero = 0 Line 14: Constant one initialization one = 1 File jlamp0_mono.mlw: Line 11: a = {contents= 0} Line 20: c = {contents= 10} Unknown location: _ = () File jlamp0_mono.mlw: Line 22: _ = () Execution of main function `p2` with env: a = {contents= 0} c = {contents= 10} _ = () zero = 0 one = 1 Line 25: Normal execution of function `(:=)` with args: x = {contents= 10} v = 1 Line 27: Property failure at loop invariant init with: c = {contents= 1} Categorizations of models: - Checked model 0: BAD_CE - Concrete RAC: FAILURE (loop invariant init at "bench/check-ce/jlamp0_mono.mlw", line 27, characters 18-31) - Abstract RAC: FAILURE (loop invariant init at "bench/check-ce/jlamp0_mono.mlw", line 27, characters 18-31) - Selected model 1: BAD_CE - Concrete RAC: FAILURE (loop invariant init at "bench/check-ce/jlamp0_mono.mlw", line 27, characters 18-31) - Abstract RAC: FAILURE (loop invariant init at "bench/check-ce/jlamp0_mono.mlw", line 27, characters 18-31) File "bench/check-ce/jlamp0_mono.mlw", line 28, characters 18-31: Sub-goal Loop invariant preservation of goal p2'vc. Prover result is: Unknown (sat). Sorry, we don't have a good counterexample for you :( Categorizations of models: - Checked model 0: BAD_CE - Concrete RAC: FAILURE (loop invariant init at "bench/check-ce/jlamp0_mono.mlw", line 27, characters 18-31) - Abstract RAC: FAILURE (loop invariant init at "bench/check-ce/jlamp0_mono.mlw", line 27, characters 18-31) - Selected model 1: BAD_CE - Concrete RAC: FAILURE (loop invariant init at "bench/check-ce/jlamp0_mono.mlw", line 27, characters 18-31) - Abstract RAC: FAILURE (loop invariant init at "bench/check-ce/jlamp0_mono.mlw", line 27, characters 18-31) File "bench/check-ce/jlamp0_mono.mlw", line 24, characters 15-28: Sub-goal Postcondition of goal p2'vc. Prover result is: Unknown (sat). Sorry, we don't have a good counterexample for you :( File "bench/check-ce/jlamp0_mono.mlw", line 40, characters 18-31: Sub-goal Loop invariant init of goal p3'vc. Prover result is: Valid. Categorizations of models: - Selected model 0: NC - Concrete RAC: FAILURE (loop invariant init at "bench/check-ce/jlamp0_mono.mlw", line 41, characters 18-31) - Abstract RAC: FAILURE (loop invariant init at "bench/check-ce/jlamp0_mono.mlw", line 41, characters 18-31) - Checked model 1: NC - Concrete RAC: FAILURE (loop invariant init at "bench/check-ce/jlamp0_mono.mlw", line 41, characters 18-31) - Abstract RAC: FAILURE (loop invariant init at "bench/check-ce/jlamp0_mono.mlw", line 41, characters 18-31) File "bench/check-ce/jlamp0_mono.mlw", line 41, characters 18-31: Sub-goal Loop invariant init of goal p3'vc. Prover result is: Unknown (sat). The program does not comply to the verification goal, for example during the following execution: File int.mlw: Line 13: Constant zero initialization zero = 0 Line 14: Constant one initialization one = 1 File jlamp0_mono.mlw: Line 11: a = {contents= 0} Line 20: c = {contents= 3} Unknown location: _ = () File jlamp0_mono.mlw: Line 34: _ = () Execution of main function `p3` with env: a = {contents= 0} c = {contents= 3} _ = () zero = 0 one = 1 Line 41: Property failure at loop invariant init with: a = {contents= 0} Categorizations of models: - Checked model 0: BAD_CE - Concrete RAC: FAILURE (loop invariant init at "bench/check-ce/jlamp0_mono.mlw", line 41, characters 18-31) - Abstract RAC: FAILURE (loop invariant init at "bench/check-ce/jlamp0_mono.mlw", line 41, characters 18-31) - Selected model 1: BAD_CE - Concrete RAC: FAILURE (loop invariant init at "bench/check-ce/jlamp0_mono.mlw", line 41, characters 18-31) - Abstract RAC: FAILURE (loop invariant init at "bench/check-ce/jlamp0_mono.mlw", line 41, characters 18-31) File "bench/check-ce/jlamp0_mono.mlw", line 42, characters 16-18: Sub-goal Loop variant decrease of goal p3'vc. Prover result is: Unknown (sat). Sorry, we don't have a good counterexample for you :( Categorizations of models: - Checked model 0: BAD_CE - Concrete RAC: FAILURE (loop invariant init at "bench/check-ce/jlamp0_mono.mlw", line 41, characters 18-31) - Abstract RAC: FAILURE (loop invariant init at "bench/check-ce/jlamp0_mono.mlw", line 41, characters 18-31) - Selected model 1: BAD_CE - Concrete RAC: FAILURE (loop invariant init at "bench/check-ce/jlamp0_mono.mlw", line 41, characters 18-31) - Abstract RAC: FAILURE (loop invariant init at "bench/check-ce/jlamp0_mono.mlw", line 41, characters 18-31) File "bench/check-ce/jlamp0_mono.mlw", line 40, characters 18-31: Sub-goal Loop invariant preservation of goal p3'vc. Prover result is: Unknown (sat). Sorry, we don't have a good counterexample for you :( Categorizations of models: - Selected model 0: NC - Concrete RAC: FAILURE (loop invariant init at "bench/check-ce/jlamp0_mono.mlw", line 41, characters 18-31) - Abstract RAC: FAILURE (loop invariant init at "bench/check-ce/jlamp0_mono.mlw", line 41, characters 18-31) - Checked model 1: NC - Concrete RAC: FAILURE (loop invariant init at "bench/check-ce/jlamp0_mono.mlw", line 41, characters 18-31) - Abstract RAC: FAILURE (loop invariant init at "bench/check-ce/jlamp0_mono.mlw", line 41, characters 18-31) File "bench/check-ce/jlamp0_mono.mlw", line 41, characters 18-31: Sub-goal Loop invariant preservation of goal p3'vc. Prover result is: Unknown (sat). The program does not comply to the verification goal, for example during the following execution: File int.mlw: Line 13: Constant zero initialization zero = 0 Line 14: Constant one initialization one = 1 File jlamp0_mono.mlw: Line 11: a = {contents= 0} Line 20: c = {contents= 3} Unknown location: _ = () File jlamp0_mono.mlw: Line 34: _ = () Execution of main function `p3` with env: a = {contents= 0} c = {contents= 3} _ = () zero = 0 one = 1 Line 41: Property failure at loop invariant init with: a = {contents= 0} Categorizations of models: - Checked model 0: BAD_CE - Concrete RAC: FAILURE (loop invariant init at "bench/check-ce/jlamp0_mono.mlw", line 41, characters 18-31) - Abstract RAC: FAILURE (loop invariant init at "bench/check-ce/jlamp0_mono.mlw", line 41, characters 18-31) - Selected model 1: BAD_CE - Concrete RAC: FAILURE (loop invariant init at "bench/check-ce/jlamp0_mono.mlw", line 41, characters 18-31) - Abstract RAC: FAILURE (loop invariant init at "bench/check-ce/jlamp0_mono.mlw", line 41, characters 18-31) File "bench/check-ce/jlamp0_mono.mlw", line 37, characters 15-28: Sub-goal Postcondition of goal p3'vc. Prover result is: Unknown (sat). Sorry, we don't have a good counterexample for you :( why3-1.6.0/bench/check-ce/oracles/jlamp0_mono_Z3,4.8.4_SP.oracle000066400000000000000000006305121440160026300236140ustar00rootroot00000000000000File "bench/check-ce/jlamp0_mono.mlw", line 9, characters 25-31: Sub-goal Postcondition of goal infix :='vc. Prover result is: Valid (0.03s, 46 steps). Check model 0 ("bench/check-ce/jlamp0_mono.mlw", line 17, characters 13-26) Checking model: File jlamp0_mono.mlw: Line 7: b = {"type": "Record", "val": {"Field": [{"field": "contents", "value": {"type": "Integer", "val": "6"}}]}} Line 9: a = {"type": "Record", "val": {"Field": [{"field": "contents", "value": {"type": "Integer", "val": "16"}}]}} Line 11: a = {"type": "Record", "val": {"Field": [{"field": "contents", "value": {"type": "Integer", "val": "10"}}]}} a = {"type": "Record", "val": {"Field": [{"field": "contents", "value": {"type": "Integer", "val": "10"}}]}} Line 13: b = {"type": "Record", "val": {"Field": [{"field": "contents", "value": {"type": "Integer", "val": "6"}}]}} b = {"type": "Record", "val": {"Field": [{"field": "contents", "value": {"type": "Integer", "val": "6"}}]}} Line 16: a = {"type": "Record", "val": {"Field": [{"field": "contents", "value": {"type": "Integer", "val": "16"}}]}} a = {"type": "Record", "val": {"Field": [{"field": "contents", "value": {"type": "Integer", "val": "16"}}]}} Line 17: a = {"type": "Record", "val": {"Field": [{"field": "contents", "value": {"type": "Integer", "val": "16"}}]}} Giant-step RAC RHS evaluated for global `zero` at "WHY3DATA/stdlib/int.mlw", line 13, characters 15-19: 0 RHS evaluated for global `one` at "WHY3DATA/stdlib/int.mlw", line 14, characters 15-18: 1 Value from model for global `a` at "bench/check-ce/jlamp0_mono.mlw", line 11, characters 6-7: {contents= 10} Value from model for parameter `b` at "bench/check-ce/jlamp0_mono.mlw", line 13, characters 10-11: {contents= 6} Value computed from postcondition for return value of call to (!) at "bench/check-ce/jlamp0_mono.mlw", line 16, characters 14-16 at "bench/check-ce/jlamp0_mono.mlw", line 16, characters 14-16: 6 Value computed from postcondition for return value of call to (!) at "bench/check-ce/jlamp0_mono.mlw", line 16, characters 9-11 at "bench/check-ce/jlamp0_mono.mlw", line 16, characters 9-11: 10 Value from model for variable `a` at "bench/check-ce/jlamp0_mono.mlw", line 16, characters 4-16 at "bench/check-ce/jlamp0_mono.mlw", line 16, characters 4-16: {contents= 16} Type default value for return value of call to (:=) at "bench/check-ce/jlamp0_mono.mlw", line 16, characters 4-16 at "bench/check-ce/jlamp0_mono.mlw", line 16, characters 4-16: () Normal RAC RHS evaluated for global `zero` at "WHY3DATA/stdlib/int.mlw", line 13, characters 15-19: 0 RHS evaluated for global `one` at "WHY3DATA/stdlib/int.mlw", line 14, characters 15-18: 1 Value from model for global `a` at "bench/check-ce/jlamp0_mono.mlw", line 11, characters 6-7: {contents= 10} Value from model for parameter `b` at "bench/check-ce/jlamp0_mono.mlw", line 13, characters 10-11: {contents= 6} Result of checking model 0: NC - Concrete RAC: FAILURE (assertion at "bench/check-ce/jlamp0_mono.mlw", line 17, characters 13-26) File int.mlw: Line 13: Constant zero initialization zero = 0 Line 14: Constant one initialization one = 1 File jlamp0_mono.mlw: Line 11: a = {contents= 10} Line 13: b = {contents= 6} b = {contents= 6} Execution of main function `p1` with env: a = {contents= 10} b = {contents= 6} zero = 0 one = 1 Line 16: Normal execution of function `(!)` with args: x = {contents= 6} Line 7: Normal execution of function `contents` with args: arg = {contents= 6} Line 16: Normal execution of function `(!)` with args: x = {contents= 10} Line 7: Normal execution of function `contents` with args: arg = {contents= 10} Line 16: Normal execution of function `(+)` with args: _ = 10 _ = 6 Normal execution of function `(:=)` with args: x = {contents= 10} v = 16 Line 17: Property failure at assertion with: a = {contents= 16} - Abstract RAC: FAILURE (assertion at "bench/check-ce/jlamp0_mono.mlw", line 17, characters 13-26) File int.mlw: Line 13: Constant zero initialization zero = 0 Line 14: Constant one initialization one = 1 File jlamp0_mono.mlw: Line 11: a = {contents= 10} Line 13: b = {contents= 6} b = {contents= 6} Execution of main function `p1` with env: a = {contents= 10} b = {contents= 6} zero = 0 one = 1 Line 16: Giant-step execution of function `(!)` with args: x = {contents= 6} result of `(!)` = 6 Giant-step execution of function `(!)` with args: x = {contents= 10} result of `(!)` = 10 Normal execution of function `(+)` with args: _ = 10 _ = 6 Giant-step execution of function `(:=)` with args: x = {contents= 10} v = 16 a = {contents= 16} result of `(:=)` = () Line 17: Property failure at assertion with: a = {contents= 16} Check model 1 ("bench/check-ce/jlamp0_mono.mlw", line 17, characters 13-26) Checking model: File jlamp0_mono.mlw: Line 7: b = {"type": "Record", "val": {"Field": [{"field": "contents", "value": {"type": "Integer", "val": "6"}}]}} Line 9: a = {"type": "Record", "val": {"Field": [{"field": "contents", "value": {"type": "Integer", "val": "16"}}]}} Line 11: a = {"type": "Record", "val": {"Field": [{"field": "contents", "value": {"type": "Integer", "val": "10"}}]}} a = {"type": "Record", "val": {"Field": [{"field": "contents", "value": {"type": "Integer", "val": "10"}}]}} Line 13: b = {"type": "Record", "val": {"Field": [{"field": "contents", "value": {"type": "Integer", "val": "6"}}]}} b = {"type": "Record", "val": {"Field": [{"field": "contents", "value": {"type": "Integer", "val": "6"}}]}} Line 16: a = {"type": "Record", "val": {"Field": [{"field": "contents", "value": {"type": "Integer", "val": "16"}}]}} a = {"type": "Record", "val": {"Field": [{"field": "contents", "value": {"type": "Integer", "val": "16"}}]}} Line 17: a = {"type": "Record", "val": {"Field": [{"field": "contents", "value": {"type": "Integer", "val": "16"}}]}} Giant-step RAC RHS evaluated for global `zero` at "WHY3DATA/stdlib/int.mlw", line 13, characters 15-19: 0 RHS evaluated for global `one` at "WHY3DATA/stdlib/int.mlw", line 14, characters 15-18: 1 Value from model for global `a` at "bench/check-ce/jlamp0_mono.mlw", line 11, characters 6-7: {contents= 10} Value from model for parameter `b` at "bench/check-ce/jlamp0_mono.mlw", line 13, characters 10-11: {contents= 6} Value computed from postcondition for return value of call to (!) at "bench/check-ce/jlamp0_mono.mlw", line 16, characters 14-16 at "bench/check-ce/jlamp0_mono.mlw", line 16, characters 14-16: 6 Value computed from postcondition for return value of call to (!) at "bench/check-ce/jlamp0_mono.mlw", line 16, characters 9-11 at "bench/check-ce/jlamp0_mono.mlw", line 16, characters 9-11: 10 Value from model for variable `a` at "bench/check-ce/jlamp0_mono.mlw", line 16, characters 4-16 at "bench/check-ce/jlamp0_mono.mlw", line 16, characters 4-16: {contents= 16} Type default value for return value of call to (:=) at "bench/check-ce/jlamp0_mono.mlw", line 16, characters 4-16 at "bench/check-ce/jlamp0_mono.mlw", line 16, characters 4-16: () Normal RAC RHS evaluated for global `zero` at "WHY3DATA/stdlib/int.mlw", line 13, characters 15-19: 0 RHS evaluated for global `one` at "WHY3DATA/stdlib/int.mlw", line 14, characters 15-18: 1 Value from model for global `a` at "bench/check-ce/jlamp0_mono.mlw", line 11, characters 6-7: {contents= 10} Value from model for parameter `b` at "bench/check-ce/jlamp0_mono.mlw", line 13, characters 10-11: {contents= 6} Result of checking model 1: NC - Concrete RAC: FAILURE (assertion at "bench/check-ce/jlamp0_mono.mlw", line 17, characters 13-26) File int.mlw: Line 13: Constant zero initialization zero = 0 Line 14: Constant one initialization one = 1 File jlamp0_mono.mlw: Line 11: a = {contents= 10} Line 13: b = {contents= 6} b = {contents= 6} Execution of main function `p1` with env: a = {contents= 10} b = {contents= 6} zero = 0 one = 1 Line 16: Normal execution of function `(!)` with args: x = {contents= 6} Line 7: Normal execution of function `contents` with args: arg = {contents= 6} Line 16: Normal execution of function `(!)` with args: x = {contents= 10} Line 7: Normal execution of function `contents` with args: arg = {contents= 10} Line 16: Normal execution of function `(+)` with args: _ = 10 _ = 6 Normal execution of function `(:=)` with args: x = {contents= 10} v = 16 Line 17: Property failure at assertion with: a = {contents= 16} - Abstract RAC: FAILURE (assertion at "bench/check-ce/jlamp0_mono.mlw", line 17, characters 13-26) File int.mlw: Line 13: Constant zero initialization zero = 0 Line 14: Constant one initialization one = 1 File jlamp0_mono.mlw: Line 11: a = {contents= 10} Line 13: b = {contents= 6} b = {contents= 6} Execution of main function `p1` with env: a = {contents= 10} b = {contents= 6} zero = 0 one = 1 Line 16: Giant-step execution of function `(!)` with args: x = {contents= 6} result of `(!)` = 6 Giant-step execution of function `(!)` with args: x = {contents= 10} result of `(!)` = 10 Normal execution of function `(+)` with args: _ = 10 _ = 6 Giant-step execution of function `(:=)` with args: x = {contents= 10} v = 16 a = {contents= 16} result of `(:=)` = () Line 17: Property failure at assertion with: a = {contents= 16} Results: - Selected model 0: NC - Concrete RAC: FAILURE (assertion at "bench/check-ce/jlamp0_mono.mlw", line 17, characters 13-26) - Abstract RAC: FAILURE (assertion at "bench/check-ce/jlamp0_mono.mlw", line 17, characters 13-26) - Checked model 1: NC - Concrete RAC: FAILURE (assertion at "bench/check-ce/jlamp0_mono.mlw", line 17, characters 13-26) - Abstract RAC: FAILURE (assertion at "bench/check-ce/jlamp0_mono.mlw", line 17, characters 13-26) File "bench/check-ce/jlamp0_mono.mlw", line 17, characters 13-26: Sub-goal Assertion of goal p1'vc. Prover result is: Unknown (sat) (0.02s, 1101 steps). The program does not comply to the verification goal, for example during the following execution: File int.mlw: Line 13: Constant zero initialization zero = 0 Line 14: Constant one initialization one = 1 File jlamp0_mono.mlw: Line 11: a = {contents= 10} Line 13: b = {contents= 6} b = {contents= 6} Execution of main function `p1` with env: a = {contents= 10} b = {contents= 6} zero = 0 one = 1 Line 16: Normal execution of function `(!)` with args: x = {contents= 6} Line 7: Normal execution of function `contents` with args: arg = {contents= 6} Line 16: Normal execution of function `(!)` with args: x = {contents= 10} Line 7: Normal execution of function `contents` with args: arg = {contents= 10} Line 16: Normal execution of function `(+)` with args: _ = 10 _ = 6 Normal execution of function `(:=)` with args: x = {contents= 10} v = 16 Line 17: Property failure at assertion with: a = {contents= 16} Check model 0 ("bench/check-ce/jlamp0_mono.mlw", line 15, characters 15-29) Checking model: File jlamp0_mono.mlw: Line 7: a = {"type": "Record", "val": {"Field": [{"field": "contents", "value": {"type": "Integer", "val": "10"}}]}} Line 9: a = {"type": "Record", "val": {"Field": [{"field": "contents", "value": {"type": "Integer", "val": "9"}}]}} Line 11: a = {"type": "Record", "val": {"Field": [{"field": "contents", "value": {"type": "Integer", "val": "7"}}]}} a = {"type": "Record", "val": {"Field": [{"field": "contents", "value": {"type": "Integer", "val": "7"}}]}} Line 13: b = {"type": "Record", "val": {"Field": [{"field": "contents", "value": {"type": "Integer", "val": "3"}}]}} b = {"type": "Record", "val": {"Field": [{"field": "contents", "value": {"type": "Integer", "val": "3"}}]}} Line 15: a = {"type": "Record", "val": {"Field": [{"field": "contents", "value": {"type": "Integer", "val": "9"}}]}} Line 16: a = {"type": "Record", "val": {"Field": [{"field": "contents", "value": {"type": "Integer", "val": "10"}}]}} a = {"type": "Record", "val": {"Field": [{"field": "contents", "value": {"type": "Integer", "val": "10"}}]}} Line 18: a = {"type": "Record", "val": {"Field": [{"field": "contents", "value": {"type": "Integer", "val": "9"}}]}} a = {"type": "Record", "val": {"Field": [{"field": "contents", "value": {"type": "Integer", "val": "9"}}]}} Giant-step RAC RHS evaluated for global `zero` at "WHY3DATA/stdlib/int.mlw", line 13, characters 15-19: 0 RHS evaluated for global `one` at "WHY3DATA/stdlib/int.mlw", line 14, characters 15-18: 1 Value from model for global `a` at "bench/check-ce/jlamp0_mono.mlw", line 11, characters 6-7: {contents= 7} Value from model for parameter `b` at "bench/check-ce/jlamp0_mono.mlw", line 13, characters 10-11: {contents= 3} Value computed from postcondition for return value of call to (!) at "bench/check-ce/jlamp0_mono.mlw", line 16, characters 14-16 at "bench/check-ce/jlamp0_mono.mlw", line 16, characters 14-16: 3 Value computed from postcondition for return value of call to (!) at "bench/check-ce/jlamp0_mono.mlw", line 16, characters 9-11 at "bench/check-ce/jlamp0_mono.mlw", line 16, characters 9-11: 7 Value from model for variable `a` at "bench/check-ce/jlamp0_mono.mlw", line 16, characters 4-16 at "bench/check-ce/jlamp0_mono.mlw", line 16, characters 4-16: {contents= 10} Type default value for return value of call to (:=) at "bench/check-ce/jlamp0_mono.mlw", line 16, characters 4-16 at "bench/check-ce/jlamp0_mono.mlw", line 16, characters 4-16: () Value computed from postcondition for return value of call to (!) at "bench/check-ce/jlamp0_mono.mlw", line 18, characters 7-9 at "bench/check-ce/jlamp0_mono.mlw", line 18, characters 7-9: 10 Value computed from postcondition for return value of call to (!) at "bench/check-ce/jlamp0_mono.mlw", line 18, characters 26-28 at "bench/check-ce/jlamp0_mono.mlw", line 18, characters 26-28: 10 Value computed from postcondition for return value of call to (-) at "bench/check-ce/jlamp0_mono.mlw", line 18, characters 26-32 at "bench/check-ce/jlamp0_mono.mlw", line 18, characters 26-32: 9 Value from model for variable `a` at "bench/check-ce/jlamp0_mono.mlw", line 18, characters 21-32 at "bench/check-ce/jlamp0_mono.mlw", line 18, characters 21-32: {contents= 9} Type default value for return value of call to (:=) at "bench/check-ce/jlamp0_mono.mlw", line 18, characters 21-32 at "bench/check-ce/jlamp0_mono.mlw", line 18, characters 21-32: () Normal RAC RHS evaluated for global `zero` at "WHY3DATA/stdlib/int.mlw", line 13, characters 15-19: 0 RHS evaluated for global `one` at "WHY3DATA/stdlib/int.mlw", line 14, characters 15-18: 1 Value from model for global `a` at "bench/check-ce/jlamp0_mono.mlw", line 11, characters 6-7: {contents= 7} Value from model for parameter `b` at "bench/check-ce/jlamp0_mono.mlw", line 13, characters 10-11: {contents= 3} Result of checking model 0: NC - Concrete RAC: FAILURE (postcondition at "bench/check-ce/jlamp0_mono.mlw", line 15, characters 15-29) File int.mlw: Line 13: Constant zero initialization zero = 0 Line 14: Constant one initialization one = 1 File jlamp0_mono.mlw: Line 11: a = {contents= 7} Line 13: b = {contents= 3} b = {contents= 3} Execution of main function `p1` with env: a = {contents= 7} b = {contents= 3} zero = 0 one = 1 Line 16: Normal execution of function `(!)` with args: x = {contents= 3} Line 7: Normal execution of function `contents` with args: arg = {contents= 3} Line 16: Normal execution of function `(!)` with args: x = {contents= 7} Line 7: Normal execution of function `contents` with args: arg = {contents= 7} Line 16: Normal execution of function `(+)` with args: _ = 7 _ = 3 Normal execution of function `(:=)` with args: x = {contents= 7} v = 10 Line 18: Normal execution of function `(!)` with args: x = {contents= 10} Line 7: Normal execution of function `contents` with args: arg = {contents= 10} Line 18: Normal execution of function `(>=)` with args: x = 10 y = 10 Normal execution of function `(!)` with args: x = {contents= 10} Line 7: Normal execution of function `contents` with args: arg = {contents= 10} Line 18: Normal execution of function `(-)` with args: x = 10 y = 1 File int.mlw: Line 23: Normal execution of function `(-_)` with args: _ = 1 Normal execution of function `(+)` with args: _ = 10 _ = (-1) File jlamp0_mono.mlw: Line 18: Normal execution of function `(:=)` with args: x = {contents= 10} v = 9 Line 15: Property failure at postcondition of `p1` with: a = {contents= 9} - Abstract RAC: FAILURE (postcondition at "bench/check-ce/jlamp0_mono.mlw", line 15, characters 15-29) File int.mlw: Line 13: Constant zero initialization zero = 0 Line 14: Constant one initialization one = 1 File jlamp0_mono.mlw: Line 11: a = {contents= 7} Line 13: b = {contents= 3} b = {contents= 3} Execution of main function `p1` with env: a = {contents= 7} b = {contents= 3} zero = 0 one = 1 Line 16: Giant-step execution of function `(!)` with args: x = {contents= 3} result of `(!)` = 3 Giant-step execution of function `(!)` with args: x = {contents= 7} result of `(!)` = 7 Normal execution of function `(+)` with args: _ = 7 _ = 3 Giant-step execution of function `(:=)` with args: x = {contents= 7} v = 10 a = {contents= 10} result of `(:=)` = () Line 18: Giant-step execution of function `(!)` with args: x = {contents= 10} result of `(!)` = 10 Normal execution of function `(>=)` with args: x = 10 y = 10 Giant-step execution of function `(!)` with args: x = {contents= 10} result of `(!)` = 10 Giant-step execution of function `(-)` with args: x = 10 y = 1 result of `(-)` = 9 Giant-step execution of function `(:=)` with args: x = {contents= 10} v = 9 a = {contents= 9} result of `(:=)` = () Line 15: Property failure at postcondition of `p1` with: a = {contents= 9} Check model 1 ("bench/check-ce/jlamp0_mono.mlw", line 15, characters 15-29) Checking model: File jlamp0_mono.mlw: Line 7: a = {"type": "Record", "val": {"Field": [{"field": "contents", "value": {"type": "Integer", "val": "10"}}]}} Line 9: a = {"type": "Record", "val": {"Field": [{"field": "contents", "value": {"type": "Integer", "val": "9"}}]}} Line 11: a = {"type": "Record", "val": {"Field": [{"field": "contents", "value": {"type": "Integer", "val": "7"}}]}} a = {"type": "Record", "val": {"Field": [{"field": "contents", "value": {"type": "Integer", "val": "7"}}]}} Line 13: b = {"type": "Record", "val": {"Field": [{"field": "contents", "value": {"type": "Integer", "val": "3"}}]}} b = {"type": "Record", "val": {"Field": [{"field": "contents", "value": {"type": "Integer", "val": "3"}}]}} Line 15: a = {"type": "Record", "val": {"Field": [{"field": "contents", "value": {"type": "Integer", "val": "9"}}]}} Line 16: a = {"type": "Record", "val": {"Field": [{"field": "contents", "value": {"type": "Integer", "val": "10"}}]}} a = {"type": "Record", "val": {"Field": [{"field": "contents", "value": {"type": "Integer", "val": "10"}}]}} Line 18: a = {"type": "Record", "val": {"Field": [{"field": "contents", "value": {"type": "Integer", "val": "9"}}]}} a = {"type": "Record", "val": {"Field": [{"field": "contents", "value": {"type": "Integer", "val": "9"}}]}} Giant-step RAC RHS evaluated for global `zero` at "WHY3DATA/stdlib/int.mlw", line 13, characters 15-19: 0 RHS evaluated for global `one` at "WHY3DATA/stdlib/int.mlw", line 14, characters 15-18: 1 Value from model for global `a` at "bench/check-ce/jlamp0_mono.mlw", line 11, characters 6-7: {contents= 7} Value from model for parameter `b` at "bench/check-ce/jlamp0_mono.mlw", line 13, characters 10-11: {contents= 3} Value computed from postcondition for return value of call to (!) at "bench/check-ce/jlamp0_mono.mlw", line 16, characters 14-16 at "bench/check-ce/jlamp0_mono.mlw", line 16, characters 14-16: 3 Value computed from postcondition for return value of call to (!) at "bench/check-ce/jlamp0_mono.mlw", line 16, characters 9-11 at "bench/check-ce/jlamp0_mono.mlw", line 16, characters 9-11: 7 Value from model for variable `a` at "bench/check-ce/jlamp0_mono.mlw", line 16, characters 4-16 at "bench/check-ce/jlamp0_mono.mlw", line 16, characters 4-16: {contents= 10} Type default value for return value of call to (:=) at "bench/check-ce/jlamp0_mono.mlw", line 16, characters 4-16 at "bench/check-ce/jlamp0_mono.mlw", line 16, characters 4-16: () Value computed from postcondition for return value of call to (!) at "bench/check-ce/jlamp0_mono.mlw", line 18, characters 7-9 at "bench/check-ce/jlamp0_mono.mlw", line 18, characters 7-9: 10 Value computed from postcondition for return value of call to (!) at "bench/check-ce/jlamp0_mono.mlw", line 18, characters 26-28 at "bench/check-ce/jlamp0_mono.mlw", line 18, characters 26-28: 10 Value computed from postcondition for return value of call to (-) at "bench/check-ce/jlamp0_mono.mlw", line 18, characters 26-32 at "bench/check-ce/jlamp0_mono.mlw", line 18, characters 26-32: 9 Value from model for variable `a` at "bench/check-ce/jlamp0_mono.mlw", line 18, characters 21-32 at "bench/check-ce/jlamp0_mono.mlw", line 18, characters 21-32: {contents= 9} Type default value for return value of call to (:=) at "bench/check-ce/jlamp0_mono.mlw", line 18, characters 21-32 at "bench/check-ce/jlamp0_mono.mlw", line 18, characters 21-32: () Normal RAC RHS evaluated for global `zero` at "WHY3DATA/stdlib/int.mlw", line 13, characters 15-19: 0 RHS evaluated for global `one` at "WHY3DATA/stdlib/int.mlw", line 14, characters 15-18: 1 Value from model for global `a` at "bench/check-ce/jlamp0_mono.mlw", line 11, characters 6-7: {contents= 7} Value from model for parameter `b` at "bench/check-ce/jlamp0_mono.mlw", line 13, characters 10-11: {contents= 3} Result of checking model 1: NC - Concrete RAC: FAILURE (postcondition at "bench/check-ce/jlamp0_mono.mlw", line 15, characters 15-29) File int.mlw: Line 13: Constant zero initialization zero = 0 Line 14: Constant one initialization one = 1 File jlamp0_mono.mlw: Line 11: a = {contents= 7} Line 13: b = {contents= 3} b = {contents= 3} Execution of main function `p1` with env: a = {contents= 7} b = {contents= 3} zero = 0 one = 1 Line 16: Normal execution of function `(!)` with args: x = {contents= 3} Line 7: Normal execution of function `contents` with args: arg = {contents= 3} Line 16: Normal execution of function `(!)` with args: x = {contents= 7} Line 7: Normal execution of function `contents` with args: arg = {contents= 7} Line 16: Normal execution of function `(+)` with args: _ = 7 _ = 3 Normal execution of function `(:=)` with args: x = {contents= 7} v = 10 Line 18: Normal execution of function `(!)` with args: x = {contents= 10} Line 7: Normal execution of function `contents` with args: arg = {contents= 10} Line 18: Normal execution of function `(>=)` with args: x = 10 y = 10 Normal execution of function `(!)` with args: x = {contents= 10} Line 7: Normal execution of function `contents` with args: arg = {contents= 10} Line 18: Normal execution of function `(-)` with args: x = 10 y = 1 File int.mlw: Line 23: Normal execution of function `(-_)` with args: _ = 1 Normal execution of function `(+)` with args: _ = 10 _ = (-1) File jlamp0_mono.mlw: Line 18: Normal execution of function `(:=)` with args: x = {contents= 10} v = 9 Line 15: Property failure at postcondition of `p1` with: a = {contents= 9} - Abstract RAC: FAILURE (postcondition at "bench/check-ce/jlamp0_mono.mlw", line 15, characters 15-29) File int.mlw: Line 13: Constant zero initialization zero = 0 Line 14: Constant one initialization one = 1 File jlamp0_mono.mlw: Line 11: a = {contents= 7} Line 13: b = {contents= 3} b = {contents= 3} Execution of main function `p1` with env: a = {contents= 7} b = {contents= 3} zero = 0 one = 1 Line 16: Giant-step execution of function `(!)` with args: x = {contents= 3} result of `(!)` = 3 Giant-step execution of function `(!)` with args: x = {contents= 7} result of `(!)` = 7 Normal execution of function `(+)` with args: _ = 7 _ = 3 Giant-step execution of function `(:=)` with args: x = {contents= 7} v = 10 a = {contents= 10} result of `(:=)` = () Line 18: Giant-step execution of function `(!)` with args: x = {contents= 10} result of `(!)` = 10 Normal execution of function `(>=)` with args: x = 10 y = 10 Giant-step execution of function `(!)` with args: x = {contents= 10} result of `(!)` = 10 Giant-step execution of function `(-)` with args: x = 10 y = 1 result of `(-)` = 9 Giant-step execution of function `(:=)` with args: x = {contents= 10} v = 9 a = {contents= 9} result of `(:=)` = () Line 15: Property failure at postcondition of `p1` with: a = {contents= 9} Results: - Selected model 0: NC - Concrete RAC: FAILURE (postcondition at "bench/check-ce/jlamp0_mono.mlw", line 15, characters 15-29) - Abstract RAC: FAILURE (postcondition at "bench/check-ce/jlamp0_mono.mlw", line 15, characters 15-29) - Checked model 1: NC - Concrete RAC: FAILURE (postcondition at "bench/check-ce/jlamp0_mono.mlw", line 15, characters 15-29) - Abstract RAC: FAILURE (postcondition at "bench/check-ce/jlamp0_mono.mlw", line 15, characters 15-29) File "bench/check-ce/jlamp0_mono.mlw", line 15, characters 15-29: Sub-goal Postcondition of goal p1'vc. Prover result is: Unknown (sat) (0.00s, 1323 steps). The program does not comply to the verification goal, for example during the following execution: File int.mlw: Line 13: Constant zero initialization zero = 0 Line 14: Constant one initialization one = 1 File jlamp0_mono.mlw: Line 11: a = {contents= 7} Line 13: b = {contents= 3} b = {contents= 3} Execution of main function `p1` with env: a = {contents= 7} b = {contents= 3} zero = 0 one = 1 Line 16: Normal execution of function `(!)` with args: x = {contents= 3} Line 7: Normal execution of function `contents` with args: arg = {contents= 3} Line 16: Normal execution of function `(!)` with args: x = {contents= 7} Line 7: Normal execution of function `contents` with args: arg = {contents= 7} Line 16: Normal execution of function `(+)` with args: _ = 7 _ = 3 Normal execution of function `(:=)` with args: x = {contents= 7} v = 10 Line 18: Normal execution of function `(!)` with args: x = {contents= 10} Line 7: Normal execution of function `contents` with args: arg = {contents= 10} Line 18: Normal execution of function `(>=)` with args: x = 10 y = 10 Normal execution of function `(!)` with args: x = {contents= 10} Line 7: Normal execution of function `contents` with args: arg = {contents= 10} Line 18: Normal execution of function `(-)` with args: x = 10 y = 1 File int.mlw: Line 23: Normal execution of function `(-_)` with args: _ = 1 Normal execution of function `(+)` with args: _ = 10 _ = (-1) File jlamp0_mono.mlw: Line 18: Normal execution of function `(:=)` with args: x = {contents= 10} v = 9 Line 15: Property failure at postcondition of `p1` with: a = {contents= 9} Check model 0 ("bench/check-ce/jlamp0_mono.mlw", line 15, characters 15-29) Checking model: File jlamp0_mono.mlw: Line 7: a = {"type": "Record", "val": {"Field": [{"field": "contents", "value": {"type": "Integer", "val": "5"}}]}} Line 11: a = {"type": "Record", "val": {"Field": [{"field": "contents", "value": {"type": "Integer", "val": "2"}}]}} a = {"type": "Record", "val": {"Field": [{"field": "contents", "value": {"type": "Integer", "val": "2"}}]}} Line 13: b = {"type": "Record", "val": {"Field": [{"field": "contents", "value": {"type": "Integer", "val": "3"}}]}} b = {"type": "Record", "val": {"Field": [{"field": "contents", "value": {"type": "Integer", "val": "3"}}]}} Line 15: a = {"type": "Record", "val": {"Field": [{"field": "contents", "value": {"type": "Integer", "val": "5"}}]}} Line 16: a = {"type": "Record", "val": {"Field": [{"field": "contents", "value": {"type": "Integer", "val": "5"}}]}} a = {"type": "Record", "val": {"Field": [{"field": "contents", "value": {"type": "Integer", "val": "5"}}]}} Giant-step RAC RHS evaluated for global `zero` at "WHY3DATA/stdlib/int.mlw", line 13, characters 15-19: 0 RHS evaluated for global `one` at "WHY3DATA/stdlib/int.mlw", line 14, characters 15-18: 1 Value from model for global `a` at "bench/check-ce/jlamp0_mono.mlw", line 11, characters 6-7: {contents= 2} Value from model for parameter `b` at "bench/check-ce/jlamp0_mono.mlw", line 13, characters 10-11: {contents= 3} Value computed from postcondition for return value of call to (!) at "bench/check-ce/jlamp0_mono.mlw", line 16, characters 14-16 at "bench/check-ce/jlamp0_mono.mlw", line 16, characters 14-16: 3 Value computed from postcondition for return value of call to (!) at "bench/check-ce/jlamp0_mono.mlw", line 16, characters 9-11 at "bench/check-ce/jlamp0_mono.mlw", line 16, characters 9-11: 2 Value from model for variable `a` at "bench/check-ce/jlamp0_mono.mlw", line 16, characters 4-16 at "bench/check-ce/jlamp0_mono.mlw", line 16, characters 4-16: {contents= 5} Type default value for return value of call to (:=) at "bench/check-ce/jlamp0_mono.mlw", line 16, characters 4-16 at "bench/check-ce/jlamp0_mono.mlw", line 16, characters 4-16: () Value computed from postcondition for return value of call to (!) at "bench/check-ce/jlamp0_mono.mlw", line 18, characters 7-9 at "bench/check-ce/jlamp0_mono.mlw", line 18, characters 7-9: 5 Normal RAC RHS evaluated for global `zero` at "WHY3DATA/stdlib/int.mlw", line 13, characters 15-19: 0 RHS evaluated for global `one` at "WHY3DATA/stdlib/int.mlw", line 14, characters 15-18: 1 Value from model for global `a` at "bench/check-ce/jlamp0_mono.mlw", line 11, characters 6-7: {contents= 2} Value from model for parameter `b` at "bench/check-ce/jlamp0_mono.mlw", line 13, characters 10-11: {contents= 3} Result of checking model 0: NC - Concrete RAC: FAILURE (postcondition at "bench/check-ce/jlamp0_mono.mlw", line 15, characters 15-29) File int.mlw: Line 13: Constant zero initialization zero = 0 Line 14: Constant one initialization one = 1 File jlamp0_mono.mlw: Line 11: a = {contents= 2} Line 13: b = {contents= 3} b = {contents= 3} Execution of main function `p1` with env: a = {contents= 2} b = {contents= 3} zero = 0 one = 1 Line 16: Normal execution of function `(!)` with args: x = {contents= 3} Line 7: Normal execution of function `contents` with args: arg = {contents= 3} Line 16: Normal execution of function `(!)` with args: x = {contents= 2} Line 7: Normal execution of function `contents` with args: arg = {contents= 2} Line 16: Normal execution of function `(+)` with args: _ = 2 _ = 3 Normal execution of function `(:=)` with args: x = {contents= 2} v = 5 Line 18: Normal execution of function `(!)` with args: x = {contents= 5} Line 7: Normal execution of function `contents` with args: arg = {contents= 5} Line 18: Normal execution of function `(>=)` with args: x = 5 y = 10 Normal execution of function `Tuple0` with args: Line 15: Property failure at postcondition of `p1` with: a = {contents= 5} - Abstract RAC: FAILURE (postcondition at "bench/check-ce/jlamp0_mono.mlw", line 15, characters 15-29) File int.mlw: Line 13: Constant zero initialization zero = 0 Line 14: Constant one initialization one = 1 File jlamp0_mono.mlw: Line 11: a = {contents= 2} Line 13: b = {contents= 3} b = {contents= 3} Execution of main function `p1` with env: a = {contents= 2} b = {contents= 3} zero = 0 one = 1 Line 16: Giant-step execution of function `(!)` with args: x = {contents= 3} result of `(!)` = 3 Giant-step execution of function `(!)` with args: x = {contents= 2} result of `(!)` = 2 Normal execution of function `(+)` with args: _ = 2 _ = 3 Giant-step execution of function `(:=)` with args: x = {contents= 2} v = 5 a = {contents= 5} result of `(:=)` = () Line 18: Giant-step execution of function `(!)` with args: x = {contents= 5} result of `(!)` = 5 Normal execution of function `(>=)` with args: x = 5 y = 10 Normal execution of function `Tuple0` with args: Line 15: Property failure at postcondition of `p1` with: a = {contents= 5} Check model 1 ("bench/check-ce/jlamp0_mono.mlw", line 15, characters 15-29) Checking model: File jlamp0_mono.mlw: Line 7: a = {"type": "Record", "val": {"Field": [{"field": "contents", "value": {"type": "Integer", "val": "5"}}]}} Line 11: a = {"type": "Record", "val": {"Field": [{"field": "contents", "value": {"type": "Integer", "val": "2"}}]}} a = {"type": "Record", "val": {"Field": [{"field": "contents", "value": {"type": "Integer", "val": "2"}}]}} Line 13: b = {"type": "Record", "val": {"Field": [{"field": "contents", "value": {"type": "Integer", "val": "3"}}]}} b = {"type": "Record", "val": {"Field": [{"field": "contents", "value": {"type": "Integer", "val": "3"}}]}} Line 15: a = {"type": "Record", "val": {"Field": [{"field": "contents", "value": {"type": "Integer", "val": "5"}}]}} Line 16: a = {"type": "Record", "val": {"Field": [{"field": "contents", "value": {"type": "Integer", "val": "5"}}]}} a = {"type": "Record", "val": {"Field": [{"field": "contents", "value": {"type": "Integer", "val": "5"}}]}} Giant-step RAC RHS evaluated for global `zero` at "WHY3DATA/stdlib/int.mlw", line 13, characters 15-19: 0 RHS evaluated for global `one` at "WHY3DATA/stdlib/int.mlw", line 14, characters 15-18: 1 Value from model for global `a` at "bench/check-ce/jlamp0_mono.mlw", line 11, characters 6-7: {contents= 2} Value from model for parameter `b` at "bench/check-ce/jlamp0_mono.mlw", line 13, characters 10-11: {contents= 3} Value computed from postcondition for return value of call to (!) at "bench/check-ce/jlamp0_mono.mlw", line 16, characters 14-16 at "bench/check-ce/jlamp0_mono.mlw", line 16, characters 14-16: 3 Value computed from postcondition for return value of call to (!) at "bench/check-ce/jlamp0_mono.mlw", line 16, characters 9-11 at "bench/check-ce/jlamp0_mono.mlw", line 16, characters 9-11: 2 Value from model for variable `a` at "bench/check-ce/jlamp0_mono.mlw", line 16, characters 4-16 at "bench/check-ce/jlamp0_mono.mlw", line 16, characters 4-16: {contents= 5} Type default value for return value of call to (:=) at "bench/check-ce/jlamp0_mono.mlw", line 16, characters 4-16 at "bench/check-ce/jlamp0_mono.mlw", line 16, characters 4-16: () Value computed from postcondition for return value of call to (!) at "bench/check-ce/jlamp0_mono.mlw", line 18, characters 7-9 at "bench/check-ce/jlamp0_mono.mlw", line 18, characters 7-9: 5 Normal RAC RHS evaluated for global `zero` at "WHY3DATA/stdlib/int.mlw", line 13, characters 15-19: 0 RHS evaluated for global `one` at "WHY3DATA/stdlib/int.mlw", line 14, characters 15-18: 1 Value from model for global `a` at "bench/check-ce/jlamp0_mono.mlw", line 11, characters 6-7: {contents= 2} Value from model for parameter `b` at "bench/check-ce/jlamp0_mono.mlw", line 13, characters 10-11: {contents= 3} Result of checking model 1: NC - Concrete RAC: FAILURE (postcondition at "bench/check-ce/jlamp0_mono.mlw", line 15, characters 15-29) File int.mlw: Line 13: Constant zero initialization zero = 0 Line 14: Constant one initialization one = 1 File jlamp0_mono.mlw: Line 11: a = {contents= 2} Line 13: b = {contents= 3} b = {contents= 3} Execution of main function `p1` with env: a = {contents= 2} b = {contents= 3} zero = 0 one = 1 Line 16: Normal execution of function `(!)` with args: x = {contents= 3} Line 7: Normal execution of function `contents` with args: arg = {contents= 3} Line 16: Normal execution of function `(!)` with args: x = {contents= 2} Line 7: Normal execution of function `contents` with args: arg = {contents= 2} Line 16: Normal execution of function `(+)` with args: _ = 2 _ = 3 Normal execution of function `(:=)` with args: x = {contents= 2} v = 5 Line 18: Normal execution of function `(!)` with args: x = {contents= 5} Line 7: Normal execution of function `contents` with args: arg = {contents= 5} Line 18: Normal execution of function `(>=)` with args: x = 5 y = 10 Normal execution of function `Tuple0` with args: Line 15: Property failure at postcondition of `p1` with: a = {contents= 5} - Abstract RAC: FAILURE (postcondition at "bench/check-ce/jlamp0_mono.mlw", line 15, characters 15-29) File int.mlw: Line 13: Constant zero initialization zero = 0 Line 14: Constant one initialization one = 1 File jlamp0_mono.mlw: Line 11: a = {contents= 2} Line 13: b = {contents= 3} b = {contents= 3} Execution of main function `p1` with env: a = {contents= 2} b = {contents= 3} zero = 0 one = 1 Line 16: Giant-step execution of function `(!)` with args: x = {contents= 3} result of `(!)` = 3 Giant-step execution of function `(!)` with args: x = {contents= 2} result of `(!)` = 2 Normal execution of function `(+)` with args: _ = 2 _ = 3 Giant-step execution of function `(:=)` with args: x = {contents= 2} v = 5 a = {contents= 5} result of `(:=)` = () Line 18: Giant-step execution of function `(!)` with args: x = {contents= 5} result of `(!)` = 5 Normal execution of function `(>=)` with args: x = 5 y = 10 Normal execution of function `Tuple0` with args: Line 15: Property failure at postcondition of `p1` with: a = {contents= 5} Results: - Selected model 0: NC - Concrete RAC: FAILURE (postcondition at "bench/check-ce/jlamp0_mono.mlw", line 15, characters 15-29) - Abstract RAC: FAILURE (postcondition at "bench/check-ce/jlamp0_mono.mlw", line 15, characters 15-29) - Checked model 1: NC - Concrete RAC: FAILURE (postcondition at "bench/check-ce/jlamp0_mono.mlw", line 15, characters 15-29) - Abstract RAC: FAILURE (postcondition at "bench/check-ce/jlamp0_mono.mlw", line 15, characters 15-29) File "bench/check-ce/jlamp0_mono.mlw", line 15, characters 15-29: Sub-goal Postcondition of goal p1'vc. Prover result is: Unknown (sat) (0.01s, 1177 steps). The program does not comply to the verification goal, for example during the following execution: File int.mlw: Line 13: Constant zero initialization zero = 0 Line 14: Constant one initialization one = 1 File jlamp0_mono.mlw: Line 11: a = {contents= 2} Line 13: b = {contents= 3} b = {contents= 3} Execution of main function `p1` with env: a = {contents= 2} b = {contents= 3} zero = 0 one = 1 Line 16: Normal execution of function `(!)` with args: x = {contents= 3} Line 7: Normal execution of function `contents` with args: arg = {contents= 3} Line 16: Normal execution of function `(!)` with args: x = {contents= 2} Line 7: Normal execution of function `contents` with args: arg = {contents= 2} Line 16: Normal execution of function `(+)` with args: _ = 2 _ = 3 Normal execution of function `(:=)` with args: x = {contents= 2} v = 5 Line 18: Normal execution of function `(!)` with args: x = {contents= 5} Line 7: Normal execution of function `contents` with args: arg = {contents= 5} Line 18: Normal execution of function `(>=)` with args: x = 5 y = 10 Normal execution of function `Tuple0` with args: Line 15: Property failure at postcondition of `p1` with: a = {contents= 5} Check model 0 ("bench/check-ce/jlamp0_mono.mlw", line 27, characters 18-31) Checking model: File jlamp0_mono.mlw: Line 9: c = {"type": "Record", "val": {"Field": [{"field": "contents", "value": {"type": "Integer", "val": "1"}}]}} Line 11: a = {"type": "Record", "val": {"Field": [{"field": "contents", "value": {"type": "Integer", "val": "0"}}]}} a = {"type": "Record", "val": {"Field": [{"field": "contents", "value": {"type": "Integer", "val": "0"}}]}} Line 25: c = {"type": "Record", "val": {"Field": [{"field": "contents", "value": {"type": "Integer", "val": "1"}}]}} c = {"type": "Record", "val": {"Field": [{"field": "contents", "value": {"type": "Integer", "val": "1"}}]}} Line 27: c = {"type": "Record", "val": {"Field": [{"field": "contents", "value": {"type": "Integer", "val": "1"}}]}} Giant-step RAC RHS evaluated for global `zero` at "WHY3DATA/stdlib/int.mlw", line 13, characters 15-19: 0 RHS evaluated for global `one` at "WHY3DATA/stdlib/int.mlw", line 14, characters 15-18: 1 Value from model for global `a` at "bench/check-ce/jlamp0_mono.mlw", line 11, characters 6-7: {contents= 0} Type default value for return value of call at "bench/check-ce/jlamp0_mono.mlw", line 20, characters 8-16 at "bench/check-ce/jlamp0_mono.mlw", line 20, characters 8-16: {contents= 0} RHS evaluated for global `c` at "bench/check-ce/jlamp0_mono.mlw", line 20, characters 6-7: {contents= 0} Type default value for parameter `_` at NO LOC: () Value from model for variable `c` at "bench/check-ce/jlamp0_mono.mlw", line 25, characters 4-10 at "bench/check-ce/jlamp0_mono.mlw", line 25, characters 4-10: {contents= 1} Type default value for return value of call to (:=) at "bench/check-ce/jlamp0_mono.mlw", line 25, characters 4-10 at "bench/check-ce/jlamp0_mono.mlw", line 25, characters 4-10: () Normal RAC RHS evaluated for global `zero` at "WHY3DATA/stdlib/int.mlw", line 13, characters 15-19: 0 RHS evaluated for global `one` at "WHY3DATA/stdlib/int.mlw", line 14, characters 15-18: 1 Value from model for global `a` at "bench/check-ce/jlamp0_mono.mlw", line 11, characters 6-7: {contents= 0} Type default value for return value of call at "bench/check-ce/jlamp0_mono.mlw", line 20, characters 8-16 at "bench/check-ce/jlamp0_mono.mlw", line 20, characters 8-16: {contents= 0} RHS evaluated for global `c` at "bench/check-ce/jlamp0_mono.mlw", line 20, characters 6-7: {contents= 0} Type default value for parameter `_` at NO LOC: () Result of checking model 0: NC - Concrete RAC: FAILURE (loop invariant init at "bench/check-ce/jlamp0_mono.mlw", line 27, characters 18-31) File int.mlw: Line 13: Constant zero initialization zero = 0 Line 14: Constant one initialization one = 1 File jlamp0_mono.mlw: Line 11: a = {contents= 0} Line 20: Constant c initialization (giant-step) execution of unimplemented function with args: result = {contents= 0} c = {contents= 0} Unknown location: _ = () File jlamp0_mono.mlw: Line 22: _ = () Execution of main function `p2` with env: a = {contents= 0} c = {contents= 0} _ = () zero = 0 one = 1 Line 25: Normal execution of function `(:=)` with args: x = {contents= 0} v = 1 Line 27: Property failure at loop invariant init with: c = {contents= 1} - Abstract RAC: FAILURE (loop invariant init at "bench/check-ce/jlamp0_mono.mlw", line 27, characters 18-31) File int.mlw: Line 13: Constant zero initialization zero = 0 Line 14: Constant one initialization one = 1 File jlamp0_mono.mlw: Line 11: a = {contents= 0} Line 20: Constant c initialization (giant-step) execution of unimplemented function with args: result = {contents= 0} c = {contents= 0} Unknown location: _ = () File jlamp0_mono.mlw: Line 22: _ = () Execution of main function `p2` with env: a = {contents= 0} c = {contents= 0} _ = () zero = 0 one = 1 Line 25: Giant-step execution of function `(:=)` with args: x = {contents= 0} v = 1 c = {contents= 1} result of `(:=)` = () Line 27: Property failure at loop invariant init with: c = {contents= 1} Check model 1 ("bench/check-ce/jlamp0_mono.mlw", line 27, characters 18-31) Checking model: File jlamp0_mono.mlw: Line 9: c = {"type": "Record", "val": {"Field": [{"field": "contents", "value": {"type": "Integer", "val": "1"}}]}} Line 11: a = {"type": "Record", "val": {"Field": [{"field": "contents", "value": {"type": "Integer", "val": "0"}}]}} a = {"type": "Record", "val": {"Field": [{"field": "contents", "value": {"type": "Integer", "val": "0"}}]}} Line 25: c = {"type": "Record", "val": {"Field": [{"field": "contents", "value": {"type": "Integer", "val": "1"}}]}} c = {"type": "Record", "val": {"Field": [{"field": "contents", "value": {"type": "Integer", "val": "1"}}]}} Line 27: c = {"type": "Record", "val": {"Field": [{"field": "contents", "value": {"type": "Integer", "val": "1"}}]}} Giant-step RAC RHS evaluated for global `zero` at "WHY3DATA/stdlib/int.mlw", line 13, characters 15-19: 0 RHS evaluated for global `one` at "WHY3DATA/stdlib/int.mlw", line 14, characters 15-18: 1 Value from model for global `a` at "bench/check-ce/jlamp0_mono.mlw", line 11, characters 6-7: {contents= 0} Type default value for return value of call at "bench/check-ce/jlamp0_mono.mlw", line 20, characters 8-16 at "bench/check-ce/jlamp0_mono.mlw", line 20, characters 8-16: {contents= 0} RHS evaluated for global `c` at "bench/check-ce/jlamp0_mono.mlw", line 20, characters 6-7: {contents= 0} Type default value for parameter `_` at NO LOC: () Value from model for variable `c` at "bench/check-ce/jlamp0_mono.mlw", line 25, characters 4-10 at "bench/check-ce/jlamp0_mono.mlw", line 25, characters 4-10: {contents= 1} Type default value for return value of call to (:=) at "bench/check-ce/jlamp0_mono.mlw", line 25, characters 4-10 at "bench/check-ce/jlamp0_mono.mlw", line 25, characters 4-10: () Normal RAC RHS evaluated for global `zero` at "WHY3DATA/stdlib/int.mlw", line 13, characters 15-19: 0 RHS evaluated for global `one` at "WHY3DATA/stdlib/int.mlw", line 14, characters 15-18: 1 Value from model for global `a` at "bench/check-ce/jlamp0_mono.mlw", line 11, characters 6-7: {contents= 0} Type default value for return value of call at "bench/check-ce/jlamp0_mono.mlw", line 20, characters 8-16 at "bench/check-ce/jlamp0_mono.mlw", line 20, characters 8-16: {contents= 0} RHS evaluated for global `c` at "bench/check-ce/jlamp0_mono.mlw", line 20, characters 6-7: {contents= 0} Type default value for parameter `_` at NO LOC: () Result of checking model 1: NC - Concrete RAC: FAILURE (loop invariant init at "bench/check-ce/jlamp0_mono.mlw", line 27, characters 18-31) File int.mlw: Line 13: Constant zero initialization zero = 0 Line 14: Constant one initialization one = 1 File jlamp0_mono.mlw: Line 11: a = {contents= 0} Line 20: Constant c initialization (giant-step) execution of unimplemented function with args: result = {contents= 0} c = {contents= 0} Unknown location: _ = () File jlamp0_mono.mlw: Line 22: _ = () Execution of main function `p2` with env: a = {contents= 0} c = {contents= 0} _ = () zero = 0 one = 1 Line 25: Normal execution of function `(:=)` with args: x = {contents= 0} v = 1 Line 27: Property failure at loop invariant init with: c = {contents= 1} - Abstract RAC: FAILURE (loop invariant init at "bench/check-ce/jlamp0_mono.mlw", line 27, characters 18-31) File int.mlw: Line 13: Constant zero initialization zero = 0 Line 14: Constant one initialization one = 1 File jlamp0_mono.mlw: Line 11: a = {contents= 0} Line 20: Constant c initialization (giant-step) execution of unimplemented function with args: result = {contents= 0} c = {contents= 0} Unknown location: _ = () File jlamp0_mono.mlw: Line 22: _ = () Execution of main function `p2` with env: a = {contents= 0} c = {contents= 0} _ = () zero = 0 one = 1 Line 25: Giant-step execution of function `(:=)` with args: x = {contents= 0} v = 1 c = {contents= 1} result of `(:=)` = () Line 27: Property failure at loop invariant init with: c = {contents= 1} Results: - Selected model 0: NC - Concrete RAC: FAILURE (loop invariant init at "bench/check-ce/jlamp0_mono.mlw", line 27, characters 18-31) - Abstract RAC: FAILURE (loop invariant init at "bench/check-ce/jlamp0_mono.mlw", line 27, characters 18-31) - Checked model 1: NC - Concrete RAC: FAILURE (loop invariant init at "bench/check-ce/jlamp0_mono.mlw", line 27, characters 18-31) - Abstract RAC: FAILURE (loop invariant init at "bench/check-ce/jlamp0_mono.mlw", line 27, characters 18-31) File "bench/check-ce/jlamp0_mono.mlw", line 27, characters 18-31: Sub-goal Loop invariant init of goal p2'vc. Prover result is: Unknown (sat) (0.01s, 845 steps). The program does not comply to the verification goal, for example during the following execution: File int.mlw: Line 13: Constant zero initialization zero = 0 Line 14: Constant one initialization one = 1 File jlamp0_mono.mlw: Line 11: a = {contents= 0} Line 20: Constant c initialization (giant-step) execution of unimplemented function with args: result = {contents= 0} c = {contents= 0} Unknown location: _ = () File jlamp0_mono.mlw: Line 22: _ = () Execution of main function `p2` with env: a = {contents= 0} c = {contents= 0} _ = () zero = 0 one = 1 Line 25: Normal execution of function `(:=)` with args: x = {contents= 0} v = 1 Line 27: Property failure at loop invariant init with: c = {contents= 1} File "bench/check-ce/jlamp0_mono.mlw", line 28, characters 18-31: Sub-goal Loop invariant init of goal p2'vc. Prover result is: Valid (0.00s, 123 steps). Check model 0 ("bench/check-ce/jlamp0_mono.mlw", line 29, characters 16-18) Checking model: File jlamp0_mono.mlw: Line 7: c = {"type": "Record", "val": {"Field": [{"field": "contents", "value": {"type": "Integer", "val": "2"}}]}} Line 9: c = {"type": "Record", "val": {"Field": [{"field": "contents", "value": {"type": "Integer", "val": "4"}}]}} Line 11: a = {"type": "Record", "val": {"Field": [{"field": "contents", "value": {"type": "Integer", "val": "0"}}]}} a = {"type": "Record", "val": {"Field": [{"field": "contents", "value": {"type": "Integer", "val": "0"}}]}} Line 20: c = {"type": "Record", "val": {"Field": [{"field": "contents", "value": {"type": "Integer", "val": "2"}}]}} Line 25: c = {"type": "Record", "val": {"Field": [{"field": "contents", "value": {"type": "Integer", "val": "1"}}]}} c = {"type": "Record", "val": {"Field": [{"field": "contents", "value": {"type": "Integer", "val": "1"}}]}} Line 26: a = {"type": "Record", "val": {"Field": [{"field": "contents", "value": {"type": "Integer", "val": "3"}}]}} a = {"type": "Record", "val": {"Field": [{"field": "contents", "value": {"type": "Integer", "val": "3"}}]}} c = {"type": "Record", "val": {"Field": [{"field": "contents", "value": {"type": "Integer", "val": "2"}}]}} c = {"type": "Record", "val": {"Field": [{"field": "contents", "value": {"type": "Integer", "val": "2"}}]}} Line 29: c = {"type": "Record", "val": {"Field": [{"field": "contents", "value": {"type": "Integer", "val": "2"}}]}} Line 30: a = {"type": "Record", "val": {"Field": [{"field": "contents", "value": {"type": "Integer", "val": "5"}}]}} a = {"type": "Record", "val": {"Field": [{"field": "contents", "value": {"type": "Integer", "val": "5"}}]}} Line 31: c = {"type": "Record", "val": {"Field": [{"field": "contents", "value": {"type": "Integer", "val": "4"}}]}} c = {"type": "Record", "val": {"Field": [{"field": "contents", "value": {"type": "Integer", "val": "4"}}]}} Giant-step RAC RHS evaluated for global `zero` at "WHY3DATA/stdlib/int.mlw", line 13, characters 15-19: 0 RHS evaluated for global `one` at "WHY3DATA/stdlib/int.mlw", line 14, characters 15-18: 1 Value from model for global `a` at "bench/check-ce/jlamp0_mono.mlw", line 11, characters 6-7: {contents= 0} Value from model for global `c` at "bench/check-ce/jlamp0_mono.mlw", line 20, characters 6-7: {contents= 2} Type default value for parameter `_` at NO LOC: () Value from model for variable `c` at "bench/check-ce/jlamp0_mono.mlw", line 25, characters 4-10 at "bench/check-ce/jlamp0_mono.mlw", line 25, characters 4-10: {contents= 1} Type default value for return value of call to (:=) at "bench/check-ce/jlamp0_mono.mlw", line 25, characters 4-10 at "bench/check-ce/jlamp0_mono.mlw", line 25, characters 4-10: () Normal RAC RHS evaluated for global `zero` at "WHY3DATA/stdlib/int.mlw", line 13, characters 15-19: 0 RHS evaluated for global `one` at "WHY3DATA/stdlib/int.mlw", line 14, characters 15-18: 1 Value from model for global `a` at "bench/check-ce/jlamp0_mono.mlw", line 11, characters 6-7: {contents= 0} Value from model for global `c` at "bench/check-ce/jlamp0_mono.mlw", line 20, characters 6-7: {contents= 2} Type default value for parameter `_` at NO LOC: () Result of checking model 0: BAD_CE - Concrete RAC: FAILURE (loop invariant init at "bench/check-ce/jlamp0_mono.mlw", line 27, characters 18-31) File int.mlw: Line 13: Constant zero initialization zero = 0 Line 14: Constant one initialization one = 1 File jlamp0_mono.mlw: Line 11: a = {contents= 0} Line 20: c = {contents= 2} Unknown location: _ = () File jlamp0_mono.mlw: Line 22: _ = () Execution of main function `p2` with env: a = {contents= 0} c = {contents= 2} _ = () zero = 0 one = 1 Line 25: Normal execution of function `(:=)` with args: x = {contents= 2} v = 1 Line 27: Property failure at loop invariant init with: c = {contents= 1} - Abstract RAC: FAILURE (loop invariant init at "bench/check-ce/jlamp0_mono.mlw", line 27, characters 18-31) File int.mlw: Line 13: Constant zero initialization zero = 0 Line 14: Constant one initialization one = 1 File jlamp0_mono.mlw: Line 11: a = {contents= 0} Line 20: c = {contents= 2} Unknown location: _ = () File jlamp0_mono.mlw: Line 22: _ = () Execution of main function `p2` with env: a = {contents= 0} c = {contents= 2} _ = () zero = 0 one = 1 Line 25: Giant-step execution of function `(:=)` with args: x = {contents= 2} v = 1 c = {contents= 1} result of `(:=)` = () Line 27: Property failure at loop invariant init with: c = {contents= 1} Check model 1 ("bench/check-ce/jlamp0_mono.mlw", line 29, characters 16-18) Checking model: File jlamp0_mono.mlw: Line 7: c = {"type": "Record", "val": {"Field": [{"field": "contents", "value": {"type": "Integer", "val": "2"}}]}} Line 9: c = {"type": "Record", "val": {"Field": [{"field": "contents", "value": {"type": "Integer", "val": "4"}}]}} Line 11: a = {"type": "Record", "val": {"Field": [{"field": "contents", "value": {"type": "Integer", "val": "0"}}]}} a = {"type": "Record", "val": {"Field": [{"field": "contents", "value": {"type": "Integer", "val": "0"}}]}} Line 20: c = {"type": "Record", "val": {"Field": [{"field": "contents", "value": {"type": "Integer", "val": "2"}}]}} Line 25: c = {"type": "Record", "val": {"Field": [{"field": "contents", "value": {"type": "Integer", "val": "1"}}]}} c = {"type": "Record", "val": {"Field": [{"field": "contents", "value": {"type": "Integer", "val": "1"}}]}} Line 26: a = {"type": "Record", "val": {"Field": [{"field": "contents", "value": {"type": "Integer", "val": "3"}}]}} a = {"type": "Record", "val": {"Field": [{"field": "contents", "value": {"type": "Integer", "val": "3"}}]}} c = {"type": "Record", "val": {"Field": [{"field": "contents", "value": {"type": "Integer", "val": "2"}}]}} c = {"type": "Record", "val": {"Field": [{"field": "contents", "value": {"type": "Integer", "val": "2"}}]}} Line 29: c = {"type": "Record", "val": {"Field": [{"field": "contents", "value": {"type": "Integer", "val": "2"}}]}} Line 30: a = {"type": "Record", "val": {"Field": [{"field": "contents", "value": {"type": "Integer", "val": "5"}}]}} a = {"type": "Record", "val": {"Field": [{"field": "contents", "value": {"type": "Integer", "val": "5"}}]}} Line 31: c = {"type": "Record", "val": {"Field": [{"field": "contents", "value": {"type": "Integer", "val": "4"}}]}} c = {"type": "Record", "val": {"Field": [{"field": "contents", "value": {"type": "Integer", "val": "4"}}]}} Giant-step RAC RHS evaluated for global `zero` at "WHY3DATA/stdlib/int.mlw", line 13, characters 15-19: 0 RHS evaluated for global `one` at "WHY3DATA/stdlib/int.mlw", line 14, characters 15-18: 1 Value from model for global `a` at "bench/check-ce/jlamp0_mono.mlw", line 11, characters 6-7: {contents= 0} Value from model for global `c` at "bench/check-ce/jlamp0_mono.mlw", line 20, characters 6-7: {contents= 2} Type default value for parameter `_` at NO LOC: () Value from model for variable `c` at "bench/check-ce/jlamp0_mono.mlw", line 25, characters 4-10 at "bench/check-ce/jlamp0_mono.mlw", line 25, characters 4-10: {contents= 1} Type default value for return value of call to (:=) at "bench/check-ce/jlamp0_mono.mlw", line 25, characters 4-10 at "bench/check-ce/jlamp0_mono.mlw", line 25, characters 4-10: () Normal RAC RHS evaluated for global `zero` at "WHY3DATA/stdlib/int.mlw", line 13, characters 15-19: 0 RHS evaluated for global `one` at "WHY3DATA/stdlib/int.mlw", line 14, characters 15-18: 1 Value from model for global `a` at "bench/check-ce/jlamp0_mono.mlw", line 11, characters 6-7: {contents= 0} Value from model for global `c` at "bench/check-ce/jlamp0_mono.mlw", line 20, characters 6-7: {contents= 2} Type default value for parameter `_` at NO LOC: () Result of checking model 1: BAD_CE - Concrete RAC: FAILURE (loop invariant init at "bench/check-ce/jlamp0_mono.mlw", line 27, characters 18-31) File int.mlw: Line 13: Constant zero initialization zero = 0 Line 14: Constant one initialization one = 1 File jlamp0_mono.mlw: Line 11: a = {contents= 0} Line 20: c = {contents= 2} Unknown location: _ = () File jlamp0_mono.mlw: Line 22: _ = () Execution of main function `p2` with env: a = {contents= 0} c = {contents= 2} _ = () zero = 0 one = 1 Line 25: Normal execution of function `(:=)` with args: x = {contents= 2} v = 1 Line 27: Property failure at loop invariant init with: c = {contents= 1} - Abstract RAC: FAILURE (loop invariant init at "bench/check-ce/jlamp0_mono.mlw", line 27, characters 18-31) File int.mlw: Line 13: Constant zero initialization zero = 0 Line 14: Constant one initialization one = 1 File jlamp0_mono.mlw: Line 11: a = {contents= 0} Line 20: c = {contents= 2} Unknown location: _ = () File jlamp0_mono.mlw: Line 22: _ = () Execution of main function `p2` with env: a = {contents= 0} c = {contents= 2} _ = () zero = 0 one = 1 Line 25: Giant-step execution of function `(:=)` with args: x = {contents= 2} v = 1 c = {contents= 1} result of `(:=)` = () Line 27: Property failure at loop invariant init with: c = {contents= 1} Results: - Checked model 0: BAD_CE - Concrete RAC: FAILURE (loop invariant init at "bench/check-ce/jlamp0_mono.mlw", line 27, characters 18-31) - Abstract RAC: FAILURE (loop invariant init at "bench/check-ce/jlamp0_mono.mlw", line 27, characters 18-31) - Selected model 1: BAD_CE - Concrete RAC: FAILURE (loop invariant init at "bench/check-ce/jlamp0_mono.mlw", line 27, characters 18-31) - Abstract RAC: FAILURE (loop invariant init at "bench/check-ce/jlamp0_mono.mlw", line 27, characters 18-31) File "bench/check-ce/jlamp0_mono.mlw", line 29, characters 16-18: Sub-goal Loop variant decrease of goal p2'vc. Prover result is: Unknown (sat) (0.00s, 1506 steps). Sorry, we don't have a good counterexample for you :( Check model 0 ("bench/check-ce/jlamp0_mono.mlw", line 27, characters 18-31) Checking model: File jlamp0_mono.mlw: Line 7: c = {"type": "Record", "val": {"Field": [{"field": "contents", "value": {"type": "Integer", "val": "10"}}]}} Line 9: c = {"type": "Record", "val": {"Field": [{"field": "contents", "value": {"type": "Integer", "val": "12"}}]}} Line 11: a = {"type": "Record", "val": {"Field": [{"field": "contents", "value": {"type": "Integer", "val": "0"}}]}} a = {"type": "Record", "val": {"Field": [{"field": "contents", "value": {"type": "Integer", "val": "0"}}]}} Line 20: c = {"type": "Record", "val": {"Field": [{"field": "contents", "value": {"type": "Integer", "val": "10"}}]}} Line 25: c = {"type": "Record", "val": {"Field": [{"field": "contents", "value": {"type": "Integer", "val": "1"}}]}} c = {"type": "Record", "val": {"Field": [{"field": "contents", "value": {"type": "Integer", "val": "1"}}]}} Line 26: a = {"type": "Record", "val": {"Field": [{"field": "contents", "value": {"type": "Integer", "val": "3"}}]}} a = {"type": "Record", "val": {"Field": [{"field": "contents", "value": {"type": "Integer", "val": "3"}}]}} c = {"type": "Record", "val": {"Field": [{"field": "contents", "value": {"type": "Integer", "val": "10"}}]}} c = {"type": "Record", "val": {"Field": [{"field": "contents", "value": {"type": "Integer", "val": "10"}}]}} Line 27: c = {"type": "Record", "val": {"Field": [{"field": "contents", "value": {"type": "Integer", "val": "12"}}]}} Line 30: a = {"type": "Record", "val": {"Field": [{"field": "contents", "value": {"type": "Integer", "val": "13"}}]}} a = {"type": "Record", "val": {"Field": [{"field": "contents", "value": {"type": "Integer", "val": "13"}}]}} Line 31: c = {"type": "Record", "val": {"Field": [{"field": "contents", "value": {"type": "Integer", "val": "12"}}]}} c = {"type": "Record", "val": {"Field": [{"field": "contents", "value": {"type": "Integer", "val": "12"}}]}} Giant-step RAC RHS evaluated for global `zero` at "WHY3DATA/stdlib/int.mlw", line 13, characters 15-19: 0 RHS evaluated for global `one` at "WHY3DATA/stdlib/int.mlw", line 14, characters 15-18: 1 Value from model for global `a` at "bench/check-ce/jlamp0_mono.mlw", line 11, characters 6-7: {contents= 0} Value from model for global `c` at "bench/check-ce/jlamp0_mono.mlw", line 20, characters 6-7: {contents= 10} Type default value for parameter `_` at NO LOC: () Value from model for variable `c` at "bench/check-ce/jlamp0_mono.mlw", line 25, characters 4-10 at "bench/check-ce/jlamp0_mono.mlw", line 25, characters 4-10: {contents= 1} Type default value for return value of call to (:=) at "bench/check-ce/jlamp0_mono.mlw", line 25, characters 4-10 at "bench/check-ce/jlamp0_mono.mlw", line 25, characters 4-10: () Normal RAC RHS evaluated for global `zero` at "WHY3DATA/stdlib/int.mlw", line 13, characters 15-19: 0 RHS evaluated for global `one` at "WHY3DATA/stdlib/int.mlw", line 14, characters 15-18: 1 Value from model for global `a` at "bench/check-ce/jlamp0_mono.mlw", line 11, characters 6-7: {contents= 0} Value from model for global `c` at "bench/check-ce/jlamp0_mono.mlw", line 20, characters 6-7: {contents= 10} Type default value for parameter `_` at NO LOC: () Result of checking model 0: NC - Concrete RAC: FAILURE (loop invariant init at "bench/check-ce/jlamp0_mono.mlw", line 27, characters 18-31) File int.mlw: Line 13: Constant zero initialization zero = 0 Line 14: Constant one initialization one = 1 File jlamp0_mono.mlw: Line 11: a = {contents= 0} Line 20: c = {contents= 10} Unknown location: _ = () File jlamp0_mono.mlw: Line 22: _ = () Execution of main function `p2` with env: a = {contents= 0} c = {contents= 10} _ = () zero = 0 one = 1 Line 25: Normal execution of function `(:=)` with args: x = {contents= 10} v = 1 Line 27: Property failure at loop invariant init with: c = {contents= 1} - Abstract RAC: FAILURE (loop invariant init at "bench/check-ce/jlamp0_mono.mlw", line 27, characters 18-31) File int.mlw: Line 13: Constant zero initialization zero = 0 Line 14: Constant one initialization one = 1 File jlamp0_mono.mlw: Line 11: a = {contents= 0} Line 20: c = {contents= 10} Unknown location: _ = () File jlamp0_mono.mlw: Line 22: _ = () Execution of main function `p2` with env: a = {contents= 0} c = {contents= 10} _ = () zero = 0 one = 1 Line 25: Giant-step execution of function `(:=)` with args: x = {contents= 10} v = 1 c = {contents= 1} result of `(:=)` = () Line 27: Property failure at loop invariant init with: c = {contents= 1} Check model 1 ("bench/check-ce/jlamp0_mono.mlw", line 27, characters 18-31) Checking model: File jlamp0_mono.mlw: Line 7: c = {"type": "Record", "val": {"Field": [{"field": "contents", "value": {"type": "Integer", "val": "10"}}]}} Line 9: c = {"type": "Record", "val": {"Field": [{"field": "contents", "value": {"type": "Integer", "val": "12"}}]}} Line 11: a = {"type": "Record", "val": {"Field": [{"field": "contents", "value": {"type": "Integer", "val": "0"}}]}} a = {"type": "Record", "val": {"Field": [{"field": "contents", "value": {"type": "Integer", "val": "0"}}]}} Line 20: c = {"type": "Record", "val": {"Field": [{"field": "contents", "value": {"type": "Integer", "val": "10"}}]}} Line 25: c = {"type": "Record", "val": {"Field": [{"field": "contents", "value": {"type": "Integer", "val": "1"}}]}} c = {"type": "Record", "val": {"Field": [{"field": "contents", "value": {"type": "Integer", "val": "1"}}]}} Line 26: a = {"type": "Record", "val": {"Field": [{"field": "contents", "value": {"type": "Integer", "val": "3"}}]}} a = {"type": "Record", "val": {"Field": [{"field": "contents", "value": {"type": "Integer", "val": "3"}}]}} c = {"type": "Record", "val": {"Field": [{"field": "contents", "value": {"type": "Integer", "val": "10"}}]}} c = {"type": "Record", "val": {"Field": [{"field": "contents", "value": {"type": "Integer", "val": "10"}}]}} Line 27: c = {"type": "Record", "val": {"Field": [{"field": "contents", "value": {"type": "Integer", "val": "12"}}]}} Line 30: a = {"type": "Record", "val": {"Field": [{"field": "contents", "value": {"type": "Integer", "val": "13"}}]}} a = {"type": "Record", "val": {"Field": [{"field": "contents", "value": {"type": "Integer", "val": "13"}}]}} Line 31: c = {"type": "Record", "val": {"Field": [{"field": "contents", "value": {"type": "Integer", "val": "12"}}]}} c = {"type": "Record", "val": {"Field": [{"field": "contents", "value": {"type": "Integer", "val": "12"}}]}} Giant-step RAC RHS evaluated for global `zero` at "WHY3DATA/stdlib/int.mlw", line 13, characters 15-19: 0 RHS evaluated for global `one` at "WHY3DATA/stdlib/int.mlw", line 14, characters 15-18: 1 Value from model for global `a` at "bench/check-ce/jlamp0_mono.mlw", line 11, characters 6-7: {contents= 0} Value from model for global `c` at "bench/check-ce/jlamp0_mono.mlw", line 20, characters 6-7: {contents= 10} Type default value for parameter `_` at NO LOC: () Value from model for variable `c` at "bench/check-ce/jlamp0_mono.mlw", line 25, characters 4-10 at "bench/check-ce/jlamp0_mono.mlw", line 25, characters 4-10: {contents= 1} Type default value for return value of call to (:=) at "bench/check-ce/jlamp0_mono.mlw", line 25, characters 4-10 at "bench/check-ce/jlamp0_mono.mlw", line 25, characters 4-10: () Normal RAC RHS evaluated for global `zero` at "WHY3DATA/stdlib/int.mlw", line 13, characters 15-19: 0 RHS evaluated for global `one` at "WHY3DATA/stdlib/int.mlw", line 14, characters 15-18: 1 Value from model for global `a` at "bench/check-ce/jlamp0_mono.mlw", line 11, characters 6-7: {contents= 0} Value from model for global `c` at "bench/check-ce/jlamp0_mono.mlw", line 20, characters 6-7: {contents= 10} Type default value for parameter `_` at NO LOC: () Result of checking model 1: NC - Concrete RAC: FAILURE (loop invariant init at "bench/check-ce/jlamp0_mono.mlw", line 27, characters 18-31) File int.mlw: Line 13: Constant zero initialization zero = 0 Line 14: Constant one initialization one = 1 File jlamp0_mono.mlw: Line 11: a = {contents= 0} Line 20: c = {contents= 10} Unknown location: _ = () File jlamp0_mono.mlw: Line 22: _ = () Execution of main function `p2` with env: a = {contents= 0} c = {contents= 10} _ = () zero = 0 one = 1 Line 25: Normal execution of function `(:=)` with args: x = {contents= 10} v = 1 Line 27: Property failure at loop invariant init with: c = {contents= 1} - Abstract RAC: FAILURE (loop invariant init at "bench/check-ce/jlamp0_mono.mlw", line 27, characters 18-31) File int.mlw: Line 13: Constant zero initialization zero = 0 Line 14: Constant one initialization one = 1 File jlamp0_mono.mlw: Line 11: a = {contents= 0} Line 20: c = {contents= 10} Unknown location: _ = () File jlamp0_mono.mlw: Line 22: _ = () Execution of main function `p2` with env: a = {contents= 0} c = {contents= 10} _ = () zero = 0 one = 1 Line 25: Giant-step execution of function `(:=)` with args: x = {contents= 10} v = 1 c = {contents= 1} result of `(:=)` = () Line 27: Property failure at loop invariant init with: c = {contents= 1} Results: - Selected model 0: NC - Concrete RAC: FAILURE (loop invariant init at "bench/check-ce/jlamp0_mono.mlw", line 27, characters 18-31) - Abstract RAC: FAILURE (loop invariant init at "bench/check-ce/jlamp0_mono.mlw", line 27, characters 18-31) - Checked model 1: NC - Concrete RAC: FAILURE (loop invariant init at "bench/check-ce/jlamp0_mono.mlw", line 27, characters 18-31) - Abstract RAC: FAILURE (loop invariant init at "bench/check-ce/jlamp0_mono.mlw", line 27, characters 18-31) File "bench/check-ce/jlamp0_mono.mlw", line 27, characters 18-31: Sub-goal Loop invariant preservation of goal p2'vc. Prover result is: Unknown (sat) (0.01s, 1559 steps). The program does not comply to the verification goal, for example during the following execution: File int.mlw: Line 13: Constant zero initialization zero = 0 Line 14: Constant one initialization one = 1 File jlamp0_mono.mlw: Line 11: a = {contents= 0} Line 20: c = {contents= 10} Unknown location: _ = () File jlamp0_mono.mlw: Line 22: _ = () Execution of main function `p2` with env: a = {contents= 0} c = {contents= 10} _ = () zero = 0 one = 1 Line 25: Normal execution of function `(:=)` with args: x = {contents= 10} v = 1 Line 27: Property failure at loop invariant init with: c = {contents= 1} Check model 0 ("bench/check-ce/jlamp0_mono.mlw", line 28, characters 18-31) Checking model: File jlamp0_mono.mlw: Line 7: c = {"type": "Record", "val": {"Field": [{"field": "contents", "value": {"type": "Integer", "val": "2"}}]}} Line 9: c = {"type": "Record", "val": {"Field": [{"field": "contents", "value": {"type": "Integer", "val": "4"}}]}} Line 11: a = {"type": "Record", "val": {"Field": [{"field": "contents", "value": {"type": "Integer", "val": "0"}}]}} a = {"type": "Record", "val": {"Field": [{"field": "contents", "value": {"type": "Integer", "val": "0"}}]}} Line 20: c = {"type": "Record", "val": {"Field": [{"field": "contents", "value": {"type": "Integer", "val": "2"}}]}} Line 25: c = {"type": "Record", "val": {"Field": [{"field": "contents", "value": {"type": "Integer", "val": "1"}}]}} c = {"type": "Record", "val": {"Field": [{"field": "contents", "value": {"type": "Integer", "val": "1"}}]}} Line 26: a = {"type": "Record", "val": {"Field": [{"field": "contents", "value": {"type": "Integer", "val": "9"}}]}} a = {"type": "Record", "val": {"Field": [{"field": "contents", "value": {"type": "Integer", "val": "9"}}]}} c = {"type": "Record", "val": {"Field": [{"field": "contents", "value": {"type": "Integer", "val": "2"}}]}} c = {"type": "Record", "val": {"Field": [{"field": "contents", "value": {"type": "Integer", "val": "2"}}]}} Line 28: a = {"type": "Record", "val": {"Field": [{"field": "contents", "value": {"type": "Integer", "val": "11"}}]}} a = {"type": "Record", "val": {"Field": [{"field": "contents", "value": {"type": "Integer", "val": "11"}}]}} Line 30: a = {"type": "Record", "val": {"Field": [{"field": "contents", "value": {"type": "Integer", "val": "11"}}]}} a = {"type": "Record", "val": {"Field": [{"field": "contents", "value": {"type": "Integer", "val": "11"}}]}} Line 31: c = {"type": "Record", "val": {"Field": [{"field": "contents", "value": {"type": "Integer", "val": "4"}}]}} c = {"type": "Record", "val": {"Field": [{"field": "contents", "value": {"type": "Integer", "val": "4"}}]}} Giant-step RAC RHS evaluated for global `zero` at "WHY3DATA/stdlib/int.mlw", line 13, characters 15-19: 0 RHS evaluated for global `one` at "WHY3DATA/stdlib/int.mlw", line 14, characters 15-18: 1 Value from model for global `a` at "bench/check-ce/jlamp0_mono.mlw", line 11, characters 6-7: {contents= 0} Value from model for global `c` at "bench/check-ce/jlamp0_mono.mlw", line 20, characters 6-7: {contents= 2} Type default value for parameter `_` at NO LOC: () Value from model for variable `c` at "bench/check-ce/jlamp0_mono.mlw", line 25, characters 4-10 at "bench/check-ce/jlamp0_mono.mlw", line 25, characters 4-10: {contents= 1} Type default value for return value of call to (:=) at "bench/check-ce/jlamp0_mono.mlw", line 25, characters 4-10 at "bench/check-ce/jlamp0_mono.mlw", line 25, characters 4-10: () Normal RAC RHS evaluated for global `zero` at "WHY3DATA/stdlib/int.mlw", line 13, characters 15-19: 0 RHS evaluated for global `one` at "WHY3DATA/stdlib/int.mlw", line 14, characters 15-18: 1 Value from model for global `a` at "bench/check-ce/jlamp0_mono.mlw", line 11, characters 6-7: {contents= 0} Value from model for global `c` at "bench/check-ce/jlamp0_mono.mlw", line 20, characters 6-7: {contents= 2} Type default value for parameter `_` at NO LOC: () Result of checking model 0: BAD_CE - Concrete RAC: FAILURE (loop invariant init at "bench/check-ce/jlamp0_mono.mlw", line 27, characters 18-31) File int.mlw: Line 13: Constant zero initialization zero = 0 Line 14: Constant one initialization one = 1 File jlamp0_mono.mlw: Line 11: a = {contents= 0} Line 20: c = {contents= 2} Unknown location: _ = () File jlamp0_mono.mlw: Line 22: _ = () Execution of main function `p2` with env: a = {contents= 0} c = {contents= 2} _ = () zero = 0 one = 1 Line 25: Normal execution of function `(:=)` with args: x = {contents= 2} v = 1 Line 27: Property failure at loop invariant init with: c = {contents= 1} - Abstract RAC: FAILURE (loop invariant init at "bench/check-ce/jlamp0_mono.mlw", line 27, characters 18-31) File int.mlw: Line 13: Constant zero initialization zero = 0 Line 14: Constant one initialization one = 1 File jlamp0_mono.mlw: Line 11: a = {contents= 0} Line 20: c = {contents= 2} Unknown location: _ = () File jlamp0_mono.mlw: Line 22: _ = () Execution of main function `p2` with env: a = {contents= 0} c = {contents= 2} _ = () zero = 0 one = 1 Line 25: Giant-step execution of function `(:=)` with args: x = {contents= 2} v = 1 c = {contents= 1} result of `(:=)` = () Line 27: Property failure at loop invariant init with: c = {contents= 1} Check model 1 ("bench/check-ce/jlamp0_mono.mlw", line 28, characters 18-31) Checking model: File jlamp0_mono.mlw: Line 7: c = {"type": "Record", "val": {"Field": [{"field": "contents", "value": {"type": "Integer", "val": "2"}}]}} Line 9: c = {"type": "Record", "val": {"Field": [{"field": "contents", "value": {"type": "Integer", "val": "4"}}]}} Line 11: a = {"type": "Record", "val": {"Field": [{"field": "contents", "value": {"type": "Integer", "val": "0"}}]}} a = {"type": "Record", "val": {"Field": [{"field": "contents", "value": {"type": "Integer", "val": "0"}}]}} Line 20: c = {"type": "Record", "val": {"Field": [{"field": "contents", "value": {"type": "Integer", "val": "2"}}]}} Line 25: c = {"type": "Record", "val": {"Field": [{"field": "contents", "value": {"type": "Integer", "val": "1"}}]}} c = {"type": "Record", "val": {"Field": [{"field": "contents", "value": {"type": "Integer", "val": "1"}}]}} Line 26: a = {"type": "Record", "val": {"Field": [{"field": "contents", "value": {"type": "Integer", "val": "9"}}]}} a = {"type": "Record", "val": {"Field": [{"field": "contents", "value": {"type": "Integer", "val": "9"}}]}} c = {"type": "Record", "val": {"Field": [{"field": "contents", "value": {"type": "Integer", "val": "2"}}]}} c = {"type": "Record", "val": {"Field": [{"field": "contents", "value": {"type": "Integer", "val": "2"}}]}} Line 28: a = {"type": "Record", "val": {"Field": [{"field": "contents", "value": {"type": "Integer", "val": "11"}}]}} a = {"type": "Record", "val": {"Field": [{"field": "contents", "value": {"type": "Integer", "val": "11"}}]}} Line 30: a = {"type": "Record", "val": {"Field": [{"field": "contents", "value": {"type": "Integer", "val": "11"}}]}} a = {"type": "Record", "val": {"Field": [{"field": "contents", "value": {"type": "Integer", "val": "11"}}]}} Line 31: c = {"type": "Record", "val": {"Field": [{"field": "contents", "value": {"type": "Integer", "val": "4"}}]}} c = {"type": "Record", "val": {"Field": [{"field": "contents", "value": {"type": "Integer", "val": "4"}}]}} Giant-step RAC RHS evaluated for global `zero` at "WHY3DATA/stdlib/int.mlw", line 13, characters 15-19: 0 RHS evaluated for global `one` at "WHY3DATA/stdlib/int.mlw", line 14, characters 15-18: 1 Value from model for global `a` at "bench/check-ce/jlamp0_mono.mlw", line 11, characters 6-7: {contents= 0} Value from model for global `c` at "bench/check-ce/jlamp0_mono.mlw", line 20, characters 6-7: {contents= 2} Type default value for parameter `_` at NO LOC: () Value from model for variable `c` at "bench/check-ce/jlamp0_mono.mlw", line 25, characters 4-10 at "bench/check-ce/jlamp0_mono.mlw", line 25, characters 4-10: {contents= 1} Type default value for return value of call to (:=) at "bench/check-ce/jlamp0_mono.mlw", line 25, characters 4-10 at "bench/check-ce/jlamp0_mono.mlw", line 25, characters 4-10: () Normal RAC RHS evaluated for global `zero` at "WHY3DATA/stdlib/int.mlw", line 13, characters 15-19: 0 RHS evaluated for global `one` at "WHY3DATA/stdlib/int.mlw", line 14, characters 15-18: 1 Value from model for global `a` at "bench/check-ce/jlamp0_mono.mlw", line 11, characters 6-7: {contents= 0} Value from model for global `c` at "bench/check-ce/jlamp0_mono.mlw", line 20, characters 6-7: {contents= 2} Type default value for parameter `_` at NO LOC: () Result of checking model 1: BAD_CE - Concrete RAC: FAILURE (loop invariant init at "bench/check-ce/jlamp0_mono.mlw", line 27, characters 18-31) File int.mlw: Line 13: Constant zero initialization zero = 0 Line 14: Constant one initialization one = 1 File jlamp0_mono.mlw: Line 11: a = {contents= 0} Line 20: c = {contents= 2} Unknown location: _ = () File jlamp0_mono.mlw: Line 22: _ = () Execution of main function `p2` with env: a = {contents= 0} c = {contents= 2} _ = () zero = 0 one = 1 Line 25: Normal execution of function `(:=)` with args: x = {contents= 2} v = 1 Line 27: Property failure at loop invariant init with: c = {contents= 1} - Abstract RAC: FAILURE (loop invariant init at "bench/check-ce/jlamp0_mono.mlw", line 27, characters 18-31) File int.mlw: Line 13: Constant zero initialization zero = 0 Line 14: Constant one initialization one = 1 File jlamp0_mono.mlw: Line 11: a = {contents= 0} Line 20: c = {contents= 2} Unknown location: _ = () File jlamp0_mono.mlw: Line 22: _ = () Execution of main function `p2` with env: a = {contents= 0} c = {contents= 2} _ = () zero = 0 one = 1 Line 25: Giant-step execution of function `(:=)` with args: x = {contents= 2} v = 1 c = {contents= 1} result of `(:=)` = () Line 27: Property failure at loop invariant init with: c = {contents= 1} Results: - Checked model 0: BAD_CE - Concrete RAC: FAILURE (loop invariant init at "bench/check-ce/jlamp0_mono.mlw", line 27, characters 18-31) - Abstract RAC: FAILURE (loop invariant init at "bench/check-ce/jlamp0_mono.mlw", line 27, characters 18-31) - Selected model 1: BAD_CE - Concrete RAC: FAILURE (loop invariant init at "bench/check-ce/jlamp0_mono.mlw", line 27, characters 18-31) - Abstract RAC: FAILURE (loop invariant init at "bench/check-ce/jlamp0_mono.mlw", line 27, characters 18-31) File "bench/check-ce/jlamp0_mono.mlw", line 28, characters 18-31: Sub-goal Loop invariant preservation of goal p2'vc. Prover result is: Unknown (sat) (0.01s, 1608 steps). Sorry, we don't have a good counterexample for you :( Check model 0 ("bench/check-ce/jlamp0_mono.mlw", line 24, characters 15-28) Checking model: File jlamp0_mono.mlw: Line 7: c = {"type": "Record", "val": {"Field": [{"field": "contents", "value": {"type": "Integer", "val": "11"}}]}} Line 9: c = {"type": "Record", "val": {"Field": [{"field": "contents", "value": {"type": "Integer", "val": "1"}}]}} Line 11: a = {"type": "Record", "val": {"Field": [{"field": "contents", "value": {"type": "Integer", "val": "0"}}]}} a = {"type": "Record", "val": {"Field": [{"field": "contents", "value": {"type": "Integer", "val": "0"}}]}} Line 20: c = {"type": "Record", "val": {"Field": [{"field": "contents", "value": {"type": "Integer", "val": "11"}}]}} Line 24: a = {"type": "Record", "val": {"Field": [{"field": "contents", "value": {"type": "Integer", "val": "3"}}]}} a = {"type": "Record", "val": {"Field": [{"field": "contents", "value": {"type": "Integer", "val": "3"}}]}} Line 25: c = {"type": "Record", "val": {"Field": [{"field": "contents", "value": {"type": "Integer", "val": "1"}}]}} c = {"type": "Record", "val": {"Field": [{"field": "contents", "value": {"type": "Integer", "val": "1"}}]}} Line 26: a = {"type": "Record", "val": {"Field": [{"field": "contents", "value": {"type": "Integer", "val": "3"}}]}} a = {"type": "Record", "val": {"Field": [{"field": "contents", "value": {"type": "Integer", "val": "3"}}]}} c = {"type": "Record", "val": {"Field": [{"field": "contents", "value": {"type": "Integer", "val": "11"}}]}} c = {"type": "Record", "val": {"Field": [{"field": "contents", "value": {"type": "Integer", "val": "11"}}]}} Giant-step RAC RHS evaluated for global `zero` at "WHY3DATA/stdlib/int.mlw", line 13, characters 15-19: 0 RHS evaluated for global `one` at "WHY3DATA/stdlib/int.mlw", line 14, characters 15-18: 1 Value from model for global `a` at "bench/check-ce/jlamp0_mono.mlw", line 11, characters 6-7: {contents= 0} Value from model for global `c` at "bench/check-ce/jlamp0_mono.mlw", line 20, characters 6-7: {contents= 11} Type default value for parameter `_` at NO LOC: () Value from model for variable `c` at "bench/check-ce/jlamp0_mono.mlw", line 25, characters 4-10 at "bench/check-ce/jlamp0_mono.mlw", line 25, characters 4-10: {contents= 1} Type default value for return value of call to (:=) at "bench/check-ce/jlamp0_mono.mlw", line 25, characters 4-10 at "bench/check-ce/jlamp0_mono.mlw", line 25, characters 4-10: () Normal RAC RHS evaluated for global `zero` at "WHY3DATA/stdlib/int.mlw", line 13, characters 15-19: 0 RHS evaluated for global `one` at "WHY3DATA/stdlib/int.mlw", line 14, characters 15-18: 1 Value from model for global `a` at "bench/check-ce/jlamp0_mono.mlw", line 11, characters 6-7: {contents= 0} Value from model for global `c` at "bench/check-ce/jlamp0_mono.mlw", line 20, characters 6-7: {contents= 11} Type default value for parameter `_` at NO LOC: () Result of checking model 0: BAD_CE - Concrete RAC: FAILURE (loop invariant init at "bench/check-ce/jlamp0_mono.mlw", line 27, characters 18-31) File int.mlw: Line 13: Constant zero initialization zero = 0 Line 14: Constant one initialization one = 1 File jlamp0_mono.mlw: Line 11: a = {contents= 0} Line 20: c = {contents= 11} Unknown location: _ = () File jlamp0_mono.mlw: Line 22: _ = () Execution of main function `p2` with env: a = {contents= 0} c = {contents= 11} _ = () zero = 0 one = 1 Line 25: Normal execution of function `(:=)` with args: x = {contents= 11} v = 1 Line 27: Property failure at loop invariant init with: c = {contents= 1} - Abstract RAC: FAILURE (loop invariant init at "bench/check-ce/jlamp0_mono.mlw", line 27, characters 18-31) File int.mlw: Line 13: Constant zero initialization zero = 0 Line 14: Constant one initialization one = 1 File jlamp0_mono.mlw: Line 11: a = {contents= 0} Line 20: c = {contents= 11} Unknown location: _ = () File jlamp0_mono.mlw: Line 22: _ = () Execution of main function `p2` with env: a = {contents= 0} c = {contents= 11} _ = () zero = 0 one = 1 Line 25: Giant-step execution of function `(:=)` with args: x = {contents= 11} v = 1 c = {contents= 1} result of `(:=)` = () Line 27: Property failure at loop invariant init with: c = {contents= 1} Check model 1 ("bench/check-ce/jlamp0_mono.mlw", line 24, characters 15-28) Checking model: File jlamp0_mono.mlw: Line 7: c = {"type": "Record", "val": {"Field": [{"field": "contents", "value": {"type": "Integer", "val": "11"}}]}} Line 9: c = {"type": "Record", "val": {"Field": [{"field": "contents", "value": {"type": "Integer", "val": "1"}}]}} Line 11: a = {"type": "Record", "val": {"Field": [{"field": "contents", "value": {"type": "Integer", "val": "0"}}]}} a = {"type": "Record", "val": {"Field": [{"field": "contents", "value": {"type": "Integer", "val": "0"}}]}} Line 20: c = {"type": "Record", "val": {"Field": [{"field": "contents", "value": {"type": "Integer", "val": "11"}}]}} Line 24: a = {"type": "Record", "val": {"Field": [{"field": "contents", "value": {"type": "Integer", "val": "3"}}]}} a = {"type": "Record", "val": {"Field": [{"field": "contents", "value": {"type": "Integer", "val": "3"}}]}} Line 25: c = {"type": "Record", "val": {"Field": [{"field": "contents", "value": {"type": "Integer", "val": "1"}}]}} c = {"type": "Record", "val": {"Field": [{"field": "contents", "value": {"type": "Integer", "val": "1"}}]}} Line 26: a = {"type": "Record", "val": {"Field": [{"field": "contents", "value": {"type": "Integer", "val": "3"}}]}} a = {"type": "Record", "val": {"Field": [{"field": "contents", "value": {"type": "Integer", "val": "3"}}]}} c = {"type": "Record", "val": {"Field": [{"field": "contents", "value": {"type": "Integer", "val": "11"}}]}} c = {"type": "Record", "val": {"Field": [{"field": "contents", "value": {"type": "Integer", "val": "11"}}]}} Giant-step RAC RHS evaluated for global `zero` at "WHY3DATA/stdlib/int.mlw", line 13, characters 15-19: 0 RHS evaluated for global `one` at "WHY3DATA/stdlib/int.mlw", line 14, characters 15-18: 1 Value from model for global `a` at "bench/check-ce/jlamp0_mono.mlw", line 11, characters 6-7: {contents= 0} Value from model for global `c` at "bench/check-ce/jlamp0_mono.mlw", line 20, characters 6-7: {contents= 11} Type default value for parameter `_` at NO LOC: () Value from model for variable `c` at "bench/check-ce/jlamp0_mono.mlw", line 25, characters 4-10 at "bench/check-ce/jlamp0_mono.mlw", line 25, characters 4-10: {contents= 1} Type default value for return value of call to (:=) at "bench/check-ce/jlamp0_mono.mlw", line 25, characters 4-10 at "bench/check-ce/jlamp0_mono.mlw", line 25, characters 4-10: () Normal RAC RHS evaluated for global `zero` at "WHY3DATA/stdlib/int.mlw", line 13, characters 15-19: 0 RHS evaluated for global `one` at "WHY3DATA/stdlib/int.mlw", line 14, characters 15-18: 1 Value from model for global `a` at "bench/check-ce/jlamp0_mono.mlw", line 11, characters 6-7: {contents= 0} Value from model for global `c` at "bench/check-ce/jlamp0_mono.mlw", line 20, characters 6-7: {contents= 11} Type default value for parameter `_` at NO LOC: () Result of checking model 1: BAD_CE - Concrete RAC: FAILURE (loop invariant init at "bench/check-ce/jlamp0_mono.mlw", line 27, characters 18-31) File int.mlw: Line 13: Constant zero initialization zero = 0 Line 14: Constant one initialization one = 1 File jlamp0_mono.mlw: Line 11: a = {contents= 0} Line 20: c = {contents= 11} Unknown location: _ = () File jlamp0_mono.mlw: Line 22: _ = () Execution of main function `p2` with env: a = {contents= 0} c = {contents= 11} _ = () zero = 0 one = 1 Line 25: Normal execution of function `(:=)` with args: x = {contents= 11} v = 1 Line 27: Property failure at loop invariant init with: c = {contents= 1} - Abstract RAC: FAILURE (loop invariant init at "bench/check-ce/jlamp0_mono.mlw", line 27, characters 18-31) File int.mlw: Line 13: Constant zero initialization zero = 0 Line 14: Constant one initialization one = 1 File jlamp0_mono.mlw: Line 11: a = {contents= 0} Line 20: c = {contents= 11} Unknown location: _ = () File jlamp0_mono.mlw: Line 22: _ = () Execution of main function `p2` with env: a = {contents= 0} c = {contents= 11} _ = () zero = 0 one = 1 Line 25: Giant-step execution of function `(:=)` with args: x = {contents= 11} v = 1 c = {contents= 1} result of `(:=)` = () Line 27: Property failure at loop invariant init with: c = {contents= 1} Results: - Checked model 0: BAD_CE - Concrete RAC: FAILURE (loop invariant init at "bench/check-ce/jlamp0_mono.mlw", line 27, characters 18-31) - Abstract RAC: FAILURE (loop invariant init at "bench/check-ce/jlamp0_mono.mlw", line 27, characters 18-31) - Selected model 1: BAD_CE - Concrete RAC: FAILURE (loop invariant init at "bench/check-ce/jlamp0_mono.mlw", line 27, characters 18-31) - Abstract RAC: FAILURE (loop invariant init at "bench/check-ce/jlamp0_mono.mlw", line 27, characters 18-31) File "bench/check-ce/jlamp0_mono.mlw", line 24, characters 15-28: Sub-goal Postcondition of goal p2'vc. Prover result is: Unknown (sat) (0.01s, 1213 steps). Sorry, we don't have a good counterexample for you :( File "bench/check-ce/jlamp0_mono.mlw", line 40, characters 18-31: Sub-goal Loop invariant init of goal p3'vc. Prover result is: Valid (0.01s, 560 steps). Check model 0 ("bench/check-ce/jlamp0_mono.mlw", line 41, characters 18-31) Checking model: File jlamp0_mono.mlw: Line 11: a = {"type": "Record", "val": {"Field": [{"field": "contents", "value": {"type": "Integer", "val": "0"}}]}} a = {"type": "Record", "val": {"Field": [{"field": "contents", "value": {"type": "Integer", "val": "0"}}]}} Line 20: c = {"type": "Record", "val": {"Field": [{"field": "contents", "value": {"type": "Integer", "val": "3"}}]}} c = {"type": "Record", "val": {"Field": [{"field": "contents", "value": {"type": "Integer", "val": "3"}}]}} Line 41: a = {"type": "Record", "val": {"Field": [{"field": "contents", "value": {"type": "Integer", "val": "0"}}]}} Giant-step RAC RHS evaluated for global `zero` at "WHY3DATA/stdlib/int.mlw", line 13, characters 15-19: 0 RHS evaluated for global `one` at "WHY3DATA/stdlib/int.mlw", line 14, characters 15-18: 1 Value from model for global `a` at "bench/check-ce/jlamp0_mono.mlw", line 11, characters 6-7: {contents= 0} Value from model for global `c` at "bench/check-ce/jlamp0_mono.mlw", line 20, characters 6-7: {contents= 3} Type default value for parameter `_` at NO LOC: () Normal RAC RHS evaluated for global `zero` at "WHY3DATA/stdlib/int.mlw", line 13, characters 15-19: 0 RHS evaluated for global `one` at "WHY3DATA/stdlib/int.mlw", line 14, characters 15-18: 1 Value from model for global `a` at "bench/check-ce/jlamp0_mono.mlw", line 11, characters 6-7: {contents= 0} Value from model for global `c` at "bench/check-ce/jlamp0_mono.mlw", line 20, characters 6-7: {contents= 3} Type default value for parameter `_` at NO LOC: () Result of checking model 0: NC - Concrete RAC: FAILURE (loop invariant init at "bench/check-ce/jlamp0_mono.mlw", line 41, characters 18-31) File int.mlw: Line 13: Constant zero initialization zero = 0 Line 14: Constant one initialization one = 1 File jlamp0_mono.mlw: Line 11: a = {contents= 0} Line 20: c = {contents= 3} Unknown location: _ = () File jlamp0_mono.mlw: Line 34: _ = () Execution of main function `p3` with env: a = {contents= 0} c = {contents= 3} _ = () zero = 0 one = 1 Line 41: Property failure at loop invariant init with: a = {contents= 0} - Abstract RAC: FAILURE (loop invariant init at "bench/check-ce/jlamp0_mono.mlw", line 41, characters 18-31) File int.mlw: Line 13: Constant zero initialization zero = 0 Line 14: Constant one initialization one = 1 File jlamp0_mono.mlw: Line 11: a = {contents= 0} Line 20: c = {contents= 3} Unknown location: _ = () File jlamp0_mono.mlw: Line 34: _ = () Execution of main function `p3` with env: a = {contents= 0} c = {contents= 3} _ = () zero = 0 one = 1 Line 41: Property failure at loop invariant init with: a = {contents= 0} Check model 1 ("bench/check-ce/jlamp0_mono.mlw", line 41, characters 18-31) Checking model: File jlamp0_mono.mlw: Line 11: a = {"type": "Record", "val": {"Field": [{"field": "contents", "value": {"type": "Integer", "val": "0"}}]}} a = {"type": "Record", "val": {"Field": [{"field": "contents", "value": {"type": "Integer", "val": "0"}}]}} Line 20: c = {"type": "Record", "val": {"Field": [{"field": "contents", "value": {"type": "Integer", "val": "3"}}]}} c = {"type": "Record", "val": {"Field": [{"field": "contents", "value": {"type": "Integer", "val": "3"}}]}} Line 41: a = {"type": "Record", "val": {"Field": [{"field": "contents", "value": {"type": "Integer", "val": "0"}}]}} Giant-step RAC RHS evaluated for global `zero` at "WHY3DATA/stdlib/int.mlw", line 13, characters 15-19: 0 RHS evaluated for global `one` at "WHY3DATA/stdlib/int.mlw", line 14, characters 15-18: 1 Value from model for global `a` at "bench/check-ce/jlamp0_mono.mlw", line 11, characters 6-7: {contents= 0} Value from model for global `c` at "bench/check-ce/jlamp0_mono.mlw", line 20, characters 6-7: {contents= 3} Type default value for parameter `_` at NO LOC: () Normal RAC RHS evaluated for global `zero` at "WHY3DATA/stdlib/int.mlw", line 13, characters 15-19: 0 RHS evaluated for global `one` at "WHY3DATA/stdlib/int.mlw", line 14, characters 15-18: 1 Value from model for global `a` at "bench/check-ce/jlamp0_mono.mlw", line 11, characters 6-7: {contents= 0} Value from model for global `c` at "bench/check-ce/jlamp0_mono.mlw", line 20, characters 6-7: {contents= 3} Type default value for parameter `_` at NO LOC: () Result of checking model 1: NC - Concrete RAC: FAILURE (loop invariant init at "bench/check-ce/jlamp0_mono.mlw", line 41, characters 18-31) File int.mlw: Line 13: Constant zero initialization zero = 0 Line 14: Constant one initialization one = 1 File jlamp0_mono.mlw: Line 11: a = {contents= 0} Line 20: c = {contents= 3} Unknown location: _ = () File jlamp0_mono.mlw: Line 34: _ = () Execution of main function `p3` with env: a = {contents= 0} c = {contents= 3} _ = () zero = 0 one = 1 Line 41: Property failure at loop invariant init with: a = {contents= 0} - Abstract RAC: FAILURE (loop invariant init at "bench/check-ce/jlamp0_mono.mlw", line 41, characters 18-31) File int.mlw: Line 13: Constant zero initialization zero = 0 Line 14: Constant one initialization one = 1 File jlamp0_mono.mlw: Line 11: a = {contents= 0} Line 20: c = {contents= 3} Unknown location: _ = () File jlamp0_mono.mlw: Line 34: _ = () Execution of main function `p3` with env: a = {contents= 0} c = {contents= 3} _ = () zero = 0 one = 1 Line 41: Property failure at loop invariant init with: a = {contents= 0} Results: - Selected model 0: NC - Concrete RAC: FAILURE (loop invariant init at "bench/check-ce/jlamp0_mono.mlw", line 41, characters 18-31) - Abstract RAC: FAILURE (loop invariant init at "bench/check-ce/jlamp0_mono.mlw", line 41, characters 18-31) - Checked model 1: NC - Concrete RAC: FAILURE (loop invariant init at "bench/check-ce/jlamp0_mono.mlw", line 41, characters 18-31) - Abstract RAC: FAILURE (loop invariant init at "bench/check-ce/jlamp0_mono.mlw", line 41, characters 18-31) File "bench/check-ce/jlamp0_mono.mlw", line 41, characters 18-31: Sub-goal Loop invariant init of goal p3'vc. Prover result is: Unknown (sat) (0.01s, 972 steps). The program does not comply to the verification goal, for example during the following execution: File int.mlw: Line 13: Constant zero initialization zero = 0 Line 14: Constant one initialization one = 1 File jlamp0_mono.mlw: Line 11: a = {contents= 0} Line 20: c = {contents= 3} Unknown location: _ = () File jlamp0_mono.mlw: Line 34: _ = () Execution of main function `p3` with env: a = {contents= 0} c = {contents= 3} _ = () zero = 0 one = 1 Line 41: Property failure at loop invariant init with: a = {contents= 0} Check model 0 ("bench/check-ce/jlamp0_mono.mlw", line 42, characters 16-18) Checking model: File jlamp0_mono.mlw: Line 7: c = {"type": "Record", "val": {"Field": [{"field": "contents", "value": {"type": "Integer", "val": "2"}}]}} Line 9: c = {"type": "Record", "val": {"Field": [{"field": "contents", "value": {"type": "Integer", "val": "4"}}]}} Line 11: a = {"type": "Record", "val": {"Field": [{"field": "contents", "value": {"type": "Integer", "val": "0"}}]}} a = {"type": "Record", "val": {"Field": [{"field": "contents", "value": {"type": "Integer", "val": "0"}}]}} Line 20: c = {"type": "Record", "val": {"Field": [{"field": "contents", "value": {"type": "Integer", "val": "2"}}]}} c = {"type": "Record", "val": {"Field": [{"field": "contents", "value": {"type": "Integer", "val": "3"}}]}} Line 39: a = {"type": "Record", "val": {"Field": [{"field": "contents", "value": {"type": "Integer", "val": "10"}}]}} a = {"type": "Record", "val": {"Field": [{"field": "contents", "value": {"type": "Integer", "val": "10"}}]}} c = {"type": "Record", "val": {"Field": [{"field": "contents", "value": {"type": "Integer", "val": "2"}}]}} c = {"type": "Record", "val": {"Field": [{"field": "contents", "value": {"type": "Integer", "val": "2"}}]}} Line 42: c = {"type": "Record", "val": {"Field": [{"field": "contents", "value": {"type": "Integer", "val": "2"}}]}} Line 43: a = {"type": "Record", "val": {"Field": [{"field": "contents", "value": {"type": "Integer", "val": "12"}}]}} a = {"type": "Record", "val": {"Field": [{"field": "contents", "value": {"type": "Integer", "val": "12"}}]}} Line 44: c = {"type": "Record", "val": {"Field": [{"field": "contents", "value": {"type": "Integer", "val": "4"}}]}} c = {"type": "Record", "val": {"Field": [{"field": "contents", "value": {"type": "Integer", "val": "4"}}]}} Giant-step RAC RHS evaluated for global `zero` at "WHY3DATA/stdlib/int.mlw", line 13, characters 15-19: 0 RHS evaluated for global `one` at "WHY3DATA/stdlib/int.mlw", line 14, characters 15-18: 1 Value from model for global `a` at "bench/check-ce/jlamp0_mono.mlw", line 11, characters 6-7: {contents= 0} Value from model for global `c` at "bench/check-ce/jlamp0_mono.mlw", line 20, characters 6-7: {contents= 3} Type default value for parameter `_` at NO LOC: () Normal RAC RHS evaluated for global `zero` at "WHY3DATA/stdlib/int.mlw", line 13, characters 15-19: 0 RHS evaluated for global `one` at "WHY3DATA/stdlib/int.mlw", line 14, characters 15-18: 1 Value from model for global `a` at "bench/check-ce/jlamp0_mono.mlw", line 11, characters 6-7: {contents= 0} Value from model for global `c` at "bench/check-ce/jlamp0_mono.mlw", line 20, characters 6-7: {contents= 3} Type default value for parameter `_` at NO LOC: () Result of checking model 0: BAD_CE - Concrete RAC: FAILURE (loop invariant init at "bench/check-ce/jlamp0_mono.mlw", line 41, characters 18-31) File int.mlw: Line 13: Constant zero initialization zero = 0 Line 14: Constant one initialization one = 1 File jlamp0_mono.mlw: Line 11: a = {contents= 0} Line 20: c = {contents= 3} Unknown location: _ = () File jlamp0_mono.mlw: Line 34: _ = () Execution of main function `p3` with env: a = {contents= 0} c = {contents= 3} _ = () zero = 0 one = 1 Line 41: Property failure at loop invariant init with: a = {contents= 0} - Abstract RAC: FAILURE (loop invariant init at "bench/check-ce/jlamp0_mono.mlw", line 41, characters 18-31) File int.mlw: Line 13: Constant zero initialization zero = 0 Line 14: Constant one initialization one = 1 File jlamp0_mono.mlw: Line 11: a = {contents= 0} Line 20: c = {contents= 3} Unknown location: _ = () File jlamp0_mono.mlw: Line 34: _ = () Execution of main function `p3` with env: a = {contents= 0} c = {contents= 3} _ = () zero = 0 one = 1 Line 41: Property failure at loop invariant init with: a = {contents= 0} Check model 1 ("bench/check-ce/jlamp0_mono.mlw", line 42, characters 16-18) Checking model: File jlamp0_mono.mlw: Line 7: c = {"type": "Record", "val": {"Field": [{"field": "contents", "value": {"type": "Integer", "val": "2"}}]}} Line 9: c = {"type": "Record", "val": {"Field": [{"field": "contents", "value": {"type": "Integer", "val": "4"}}]}} Line 11: a = {"type": "Record", "val": {"Field": [{"field": "contents", "value": {"type": "Integer", "val": "0"}}]}} a = {"type": "Record", "val": {"Field": [{"field": "contents", "value": {"type": "Integer", "val": "0"}}]}} Line 20: c = {"type": "Record", "val": {"Field": [{"field": "contents", "value": {"type": "Integer", "val": "2"}}]}} c = {"type": "Record", "val": {"Field": [{"field": "contents", "value": {"type": "Integer", "val": "3"}}]}} Line 39: a = {"type": "Record", "val": {"Field": [{"field": "contents", "value": {"type": "Integer", "val": "10"}}]}} a = {"type": "Record", "val": {"Field": [{"field": "contents", "value": {"type": "Integer", "val": "10"}}]}} c = {"type": "Record", "val": {"Field": [{"field": "contents", "value": {"type": "Integer", "val": "2"}}]}} c = {"type": "Record", "val": {"Field": [{"field": "contents", "value": {"type": "Integer", "val": "2"}}]}} Line 42: c = {"type": "Record", "val": {"Field": [{"field": "contents", "value": {"type": "Integer", "val": "2"}}]}} Line 43: a = {"type": "Record", "val": {"Field": [{"field": "contents", "value": {"type": "Integer", "val": "12"}}]}} a = {"type": "Record", "val": {"Field": [{"field": "contents", "value": {"type": "Integer", "val": "12"}}]}} Line 44: c = {"type": "Record", "val": {"Field": [{"field": "contents", "value": {"type": "Integer", "val": "4"}}]}} c = {"type": "Record", "val": {"Field": [{"field": "contents", "value": {"type": "Integer", "val": "4"}}]}} Giant-step RAC RHS evaluated for global `zero` at "WHY3DATA/stdlib/int.mlw", line 13, characters 15-19: 0 RHS evaluated for global `one` at "WHY3DATA/stdlib/int.mlw", line 14, characters 15-18: 1 Value from model for global `a` at "bench/check-ce/jlamp0_mono.mlw", line 11, characters 6-7: {contents= 0} Value from model for global `c` at "bench/check-ce/jlamp0_mono.mlw", line 20, characters 6-7: {contents= 3} Type default value for parameter `_` at NO LOC: () Normal RAC RHS evaluated for global `zero` at "WHY3DATA/stdlib/int.mlw", line 13, characters 15-19: 0 RHS evaluated for global `one` at "WHY3DATA/stdlib/int.mlw", line 14, characters 15-18: 1 Value from model for global `a` at "bench/check-ce/jlamp0_mono.mlw", line 11, characters 6-7: {contents= 0} Value from model for global `c` at "bench/check-ce/jlamp0_mono.mlw", line 20, characters 6-7: {contents= 3} Type default value for parameter `_` at NO LOC: () Result of checking model 1: BAD_CE - Concrete RAC: FAILURE (loop invariant init at "bench/check-ce/jlamp0_mono.mlw", line 41, characters 18-31) File int.mlw: Line 13: Constant zero initialization zero = 0 Line 14: Constant one initialization one = 1 File jlamp0_mono.mlw: Line 11: a = {contents= 0} Line 20: c = {contents= 3} Unknown location: _ = () File jlamp0_mono.mlw: Line 34: _ = () Execution of main function `p3` with env: a = {contents= 0} c = {contents= 3} _ = () zero = 0 one = 1 Line 41: Property failure at loop invariant init with: a = {contents= 0} - Abstract RAC: FAILURE (loop invariant init at "bench/check-ce/jlamp0_mono.mlw", line 41, characters 18-31) File int.mlw: Line 13: Constant zero initialization zero = 0 Line 14: Constant one initialization one = 1 File jlamp0_mono.mlw: Line 11: a = {contents= 0} Line 20: c = {contents= 3} Unknown location: _ = () File jlamp0_mono.mlw: Line 34: _ = () Execution of main function `p3` with env: a = {contents= 0} c = {contents= 3} _ = () zero = 0 one = 1 Line 41: Property failure at loop invariant init with: a = {contents= 0} Results: - Checked model 0: BAD_CE - Concrete RAC: FAILURE (loop invariant init at "bench/check-ce/jlamp0_mono.mlw", line 41, characters 18-31) - Abstract RAC: FAILURE (loop invariant init at "bench/check-ce/jlamp0_mono.mlw", line 41, characters 18-31) - Selected model 1: BAD_CE - Concrete RAC: FAILURE (loop invariant init at "bench/check-ce/jlamp0_mono.mlw", line 41, characters 18-31) - Abstract RAC: FAILURE (loop invariant init at "bench/check-ce/jlamp0_mono.mlw", line 41, characters 18-31) File "bench/check-ce/jlamp0_mono.mlw", line 42, characters 16-18: Sub-goal Loop variant decrease of goal p3'vc. Prover result is: Unknown (sat) (0.01s, 1543 steps). Sorry, we don't have a good counterexample for you :( Check model 0 ("bench/check-ce/jlamp0_mono.mlw", line 40, characters 18-31) Checking model: File jlamp0_mono.mlw: Line 7: c = {"type": "Record", "val": {"Field": [{"field": "contents", "value": {"type": "Integer", "val": "10"}}]}} Line 9: c = {"type": "Record", "val": {"Field": [{"field": "contents", "value": {"type": "Integer", "val": "12"}}]}} Line 11: a = {"type": "Record", "val": {"Field": [{"field": "contents", "value": {"type": "Integer", "val": "0"}}]}} a = {"type": "Record", "val": {"Field": [{"field": "contents", "value": {"type": "Integer", "val": "0"}}]}} Line 20: c = {"type": "Record", "val": {"Field": [{"field": "contents", "value": {"type": "Integer", "val": "10"}}]}} c = {"type": "Record", "val": {"Field": [{"field": "contents", "value": {"type": "Integer", "val": "3"}}]}} Line 39: a = {"type": "Record", "val": {"Field": [{"field": "contents", "value": {"type": "Integer", "val": "10"}}]}} a = {"type": "Record", "val": {"Field": [{"field": "contents", "value": {"type": "Integer", "val": "10"}}]}} c = {"type": "Record", "val": {"Field": [{"field": "contents", "value": {"type": "Integer", "val": "10"}}]}} c = {"type": "Record", "val": {"Field": [{"field": "contents", "value": {"type": "Integer", "val": "10"}}]}} Line 40: c = {"type": "Record", "val": {"Field": [{"field": "contents", "value": {"type": "Integer", "val": "12"}}]}} Line 43: a = {"type": "Record", "val": {"Field": [{"field": "contents", "value": {"type": "Integer", "val": "20"}}]}} a = {"type": "Record", "val": {"Field": [{"field": "contents", "value": {"type": "Integer", "val": "20"}}]}} Line 44: c = {"type": "Record", "val": {"Field": [{"field": "contents", "value": {"type": "Integer", "val": "12"}}]}} c = {"type": "Record", "val": {"Field": [{"field": "contents", "value": {"type": "Integer", "val": "12"}}]}} Giant-step RAC RHS evaluated for global `zero` at "WHY3DATA/stdlib/int.mlw", line 13, characters 15-19: 0 RHS evaluated for global `one` at "WHY3DATA/stdlib/int.mlw", line 14, characters 15-18: 1 Value from model for global `a` at "bench/check-ce/jlamp0_mono.mlw", line 11, characters 6-7: {contents= 0} Value from model for global `c` at "bench/check-ce/jlamp0_mono.mlw", line 20, characters 6-7: {contents= 3} Type default value for parameter `_` at NO LOC: () Normal RAC RHS evaluated for global `zero` at "WHY3DATA/stdlib/int.mlw", line 13, characters 15-19: 0 RHS evaluated for global `one` at "WHY3DATA/stdlib/int.mlw", line 14, characters 15-18: 1 Value from model for global `a` at "bench/check-ce/jlamp0_mono.mlw", line 11, characters 6-7: {contents= 0} Value from model for global `c` at "bench/check-ce/jlamp0_mono.mlw", line 20, characters 6-7: {contents= 3} Type default value for parameter `_` at NO LOC: () Result of checking model 0: BAD_CE - Concrete RAC: FAILURE (loop invariant init at "bench/check-ce/jlamp0_mono.mlw", line 41, characters 18-31) File int.mlw: Line 13: Constant zero initialization zero = 0 Line 14: Constant one initialization one = 1 File jlamp0_mono.mlw: Line 11: a = {contents= 0} Line 20: c = {contents= 3} Unknown location: _ = () File jlamp0_mono.mlw: Line 34: _ = () Execution of main function `p3` with env: a = {contents= 0} c = {contents= 3} _ = () zero = 0 one = 1 Line 41: Property failure at loop invariant init with: a = {contents= 0} - Abstract RAC: FAILURE (loop invariant init at "bench/check-ce/jlamp0_mono.mlw", line 41, characters 18-31) File int.mlw: Line 13: Constant zero initialization zero = 0 Line 14: Constant one initialization one = 1 File jlamp0_mono.mlw: Line 11: a = {contents= 0} Line 20: c = {contents= 3} Unknown location: _ = () File jlamp0_mono.mlw: Line 34: _ = () Execution of main function `p3` with env: a = {contents= 0} c = {contents= 3} _ = () zero = 0 one = 1 Line 41: Property failure at loop invariant init with: a = {contents= 0} Check model 1 ("bench/check-ce/jlamp0_mono.mlw", line 40, characters 18-31) Checking model: File jlamp0_mono.mlw: Line 7: c = {"type": "Record", "val": {"Field": [{"field": "contents", "value": {"type": "Integer", "val": "10"}}]}} Line 9: c = {"type": "Record", "val": {"Field": [{"field": "contents", "value": {"type": "Integer", "val": "12"}}]}} Line 11: a = {"type": "Record", "val": {"Field": [{"field": "contents", "value": {"type": "Integer", "val": "0"}}]}} a = {"type": "Record", "val": {"Field": [{"field": "contents", "value": {"type": "Integer", "val": "0"}}]}} Line 20: c = {"type": "Record", "val": {"Field": [{"field": "contents", "value": {"type": "Integer", "val": "10"}}]}} c = {"type": "Record", "val": {"Field": [{"field": "contents", "value": {"type": "Integer", "val": "3"}}]}} Line 39: a = {"type": "Record", "val": {"Field": [{"field": "contents", "value": {"type": "Integer", "val": "10"}}]}} a = {"type": "Record", "val": {"Field": [{"field": "contents", "value": {"type": "Integer", "val": "10"}}]}} c = {"type": "Record", "val": {"Field": [{"field": "contents", "value": {"type": "Integer", "val": "10"}}]}} c = {"type": "Record", "val": {"Field": [{"field": "contents", "value": {"type": "Integer", "val": "10"}}]}} Line 40: c = {"type": "Record", "val": {"Field": [{"field": "contents", "value": {"type": "Integer", "val": "12"}}]}} Line 43: a = {"type": "Record", "val": {"Field": [{"field": "contents", "value": {"type": "Integer", "val": "20"}}]}} a = {"type": "Record", "val": {"Field": [{"field": "contents", "value": {"type": "Integer", "val": "20"}}]}} Line 44: c = {"type": "Record", "val": {"Field": [{"field": "contents", "value": {"type": "Integer", "val": "12"}}]}} c = {"type": "Record", "val": {"Field": [{"field": "contents", "value": {"type": "Integer", "val": "12"}}]}} Giant-step RAC RHS evaluated for global `zero` at "WHY3DATA/stdlib/int.mlw", line 13, characters 15-19: 0 RHS evaluated for global `one` at "WHY3DATA/stdlib/int.mlw", line 14, characters 15-18: 1 Value from model for global `a` at "bench/check-ce/jlamp0_mono.mlw", line 11, characters 6-7: {contents= 0} Value from model for global `c` at "bench/check-ce/jlamp0_mono.mlw", line 20, characters 6-7: {contents= 3} Type default value for parameter `_` at NO LOC: () Normal RAC RHS evaluated for global `zero` at "WHY3DATA/stdlib/int.mlw", line 13, characters 15-19: 0 RHS evaluated for global `one` at "WHY3DATA/stdlib/int.mlw", line 14, characters 15-18: 1 Value from model for global `a` at "bench/check-ce/jlamp0_mono.mlw", line 11, characters 6-7: {contents= 0} Value from model for global `c` at "bench/check-ce/jlamp0_mono.mlw", line 20, characters 6-7: {contents= 3} Type default value for parameter `_` at NO LOC: () Result of checking model 1: BAD_CE - Concrete RAC: FAILURE (loop invariant init at "bench/check-ce/jlamp0_mono.mlw", line 41, characters 18-31) File int.mlw: Line 13: Constant zero initialization zero = 0 Line 14: Constant one initialization one = 1 File jlamp0_mono.mlw: Line 11: a = {contents= 0} Line 20: c = {contents= 3} Unknown location: _ = () File jlamp0_mono.mlw: Line 34: _ = () Execution of main function `p3` with env: a = {contents= 0} c = {contents= 3} _ = () zero = 0 one = 1 Line 41: Property failure at loop invariant init with: a = {contents= 0} - Abstract RAC: FAILURE (loop invariant init at "bench/check-ce/jlamp0_mono.mlw", line 41, characters 18-31) File int.mlw: Line 13: Constant zero initialization zero = 0 Line 14: Constant one initialization one = 1 File jlamp0_mono.mlw: Line 11: a = {contents= 0} Line 20: c = {contents= 3} Unknown location: _ = () File jlamp0_mono.mlw: Line 34: _ = () Execution of main function `p3` with env: a = {contents= 0} c = {contents= 3} _ = () zero = 0 one = 1 Line 41: Property failure at loop invariant init with: a = {contents= 0} Results: - Checked model 0: BAD_CE - Concrete RAC: FAILURE (loop invariant init at "bench/check-ce/jlamp0_mono.mlw", line 41, characters 18-31) - Abstract RAC: FAILURE (loop invariant init at "bench/check-ce/jlamp0_mono.mlw", line 41, characters 18-31) - Selected model 1: BAD_CE - Concrete RAC: FAILURE (loop invariant init at "bench/check-ce/jlamp0_mono.mlw", line 41, characters 18-31) - Abstract RAC: FAILURE (loop invariant init at "bench/check-ce/jlamp0_mono.mlw", line 41, characters 18-31) File "bench/check-ce/jlamp0_mono.mlw", line 40, characters 18-31: Sub-goal Loop invariant preservation of goal p3'vc. Prover result is: Unknown (sat) (0.01s, 1707 steps). Sorry, we don't have a good counterexample for you :( Check model 0 ("bench/check-ce/jlamp0_mono.mlw", line 41, characters 18-31) Checking model: File jlamp0_mono.mlw: Line 7: c = {"type": "Record", "val": {"Field": [{"field": "contents", "value": {"type": "Integer", "val": "2"}}]}} Line 9: c = {"type": "Record", "val": {"Field": [{"field": "contents", "value": {"type": "Integer", "val": "4"}}]}} Line 11: a = {"type": "Record", "val": {"Field": [{"field": "contents", "value": {"type": "Integer", "val": "0"}}]}} a = {"type": "Record", "val": {"Field": [{"field": "contents", "value": {"type": "Integer", "val": "0"}}]}} Line 20: c = {"type": "Record", "val": {"Field": [{"field": "contents", "value": {"type": "Integer", "val": "2"}}]}} c = {"type": "Record", "val": {"Field": [{"field": "contents", "value": {"type": "Integer", "val": "3"}}]}} Line 39: a = {"type": "Record", "val": {"Field": [{"field": "contents", "value": {"type": "Integer", "val": "9"}}]}} a = {"type": "Record", "val": {"Field": [{"field": "contents", "value": {"type": "Integer", "val": "9"}}]}} c = {"type": "Record", "val": {"Field": [{"field": "contents", "value": {"type": "Integer", "val": "2"}}]}} c = {"type": "Record", "val": {"Field": [{"field": "contents", "value": {"type": "Integer", "val": "2"}}]}} Line 41: a = {"type": "Record", "val": {"Field": [{"field": "contents", "value": {"type": "Integer", "val": "11"}}]}} a = {"type": "Record", "val": {"Field": [{"field": "contents", "value": {"type": "Integer", "val": "11"}}]}} Line 43: a = {"type": "Record", "val": {"Field": [{"field": "contents", "value": {"type": "Integer", "val": "11"}}]}} a = {"type": "Record", "val": {"Field": [{"field": "contents", "value": {"type": "Integer", "val": "11"}}]}} Line 44: c = {"type": "Record", "val": {"Field": [{"field": "contents", "value": {"type": "Integer", "val": "4"}}]}} c = {"type": "Record", "val": {"Field": [{"field": "contents", "value": {"type": "Integer", "val": "4"}}]}} Giant-step RAC RHS evaluated for global `zero` at "WHY3DATA/stdlib/int.mlw", line 13, characters 15-19: 0 RHS evaluated for global `one` at "WHY3DATA/stdlib/int.mlw", line 14, characters 15-18: 1 Value from model for global `a` at "bench/check-ce/jlamp0_mono.mlw", line 11, characters 6-7: {contents= 0} Value from model for global `c` at "bench/check-ce/jlamp0_mono.mlw", line 20, characters 6-7: {contents= 3} Type default value for parameter `_` at NO LOC: () Normal RAC RHS evaluated for global `zero` at "WHY3DATA/stdlib/int.mlw", line 13, characters 15-19: 0 RHS evaluated for global `one` at "WHY3DATA/stdlib/int.mlw", line 14, characters 15-18: 1 Value from model for global `a` at "bench/check-ce/jlamp0_mono.mlw", line 11, characters 6-7: {contents= 0} Value from model for global `c` at "bench/check-ce/jlamp0_mono.mlw", line 20, characters 6-7: {contents= 3} Type default value for parameter `_` at NO LOC: () Result of checking model 0: NC - Concrete RAC: FAILURE (loop invariant init at "bench/check-ce/jlamp0_mono.mlw", line 41, characters 18-31) File int.mlw: Line 13: Constant zero initialization zero = 0 Line 14: Constant one initialization one = 1 File jlamp0_mono.mlw: Line 11: a = {contents= 0} Line 20: c = {contents= 3} Unknown location: _ = () File jlamp0_mono.mlw: Line 34: _ = () Execution of main function `p3` with env: a = {contents= 0} c = {contents= 3} _ = () zero = 0 one = 1 Line 41: Property failure at loop invariant init with: a = {contents= 0} - Abstract RAC: FAILURE (loop invariant init at "bench/check-ce/jlamp0_mono.mlw", line 41, characters 18-31) File int.mlw: Line 13: Constant zero initialization zero = 0 Line 14: Constant one initialization one = 1 File jlamp0_mono.mlw: Line 11: a = {contents= 0} Line 20: c = {contents= 3} Unknown location: _ = () File jlamp0_mono.mlw: Line 34: _ = () Execution of main function `p3` with env: a = {contents= 0} c = {contents= 3} _ = () zero = 0 one = 1 Line 41: Property failure at loop invariant init with: a = {contents= 0} Check model 1 ("bench/check-ce/jlamp0_mono.mlw", line 41, characters 18-31) Checking model: File jlamp0_mono.mlw: Line 7: c = {"type": "Record", "val": {"Field": [{"field": "contents", "value": {"type": "Integer", "val": "2"}}]}} Line 9: c = {"type": "Record", "val": {"Field": [{"field": "contents", "value": {"type": "Integer", "val": "4"}}]}} Line 11: a = {"type": "Record", "val": {"Field": [{"field": "contents", "value": {"type": "Integer", "val": "0"}}]}} a = {"type": "Record", "val": {"Field": [{"field": "contents", "value": {"type": "Integer", "val": "0"}}]}} Line 20: c = {"type": "Record", "val": {"Field": [{"field": "contents", "value": {"type": "Integer", "val": "2"}}]}} c = {"type": "Record", "val": {"Field": [{"field": "contents", "value": {"type": "Integer", "val": "3"}}]}} Line 39: a = {"type": "Record", "val": {"Field": [{"field": "contents", "value": {"type": "Integer", "val": "9"}}]}} a = {"type": "Record", "val": {"Field": [{"field": "contents", "value": {"type": "Integer", "val": "9"}}]}} c = {"type": "Record", "val": {"Field": [{"field": "contents", "value": {"type": "Integer", "val": "2"}}]}} c = {"type": "Record", "val": {"Field": [{"field": "contents", "value": {"type": "Integer", "val": "2"}}]}} Line 41: a = {"type": "Record", "val": {"Field": [{"field": "contents", "value": {"type": "Integer", "val": "11"}}]}} a = {"type": "Record", "val": {"Field": [{"field": "contents", "value": {"type": "Integer", "val": "11"}}]}} Line 43: a = {"type": "Record", "val": {"Field": [{"field": "contents", "value": {"type": "Integer", "val": "11"}}]}} a = {"type": "Record", "val": {"Field": [{"field": "contents", "value": {"type": "Integer", "val": "11"}}]}} Line 44: c = {"type": "Record", "val": {"Field": [{"field": "contents", "value": {"type": "Integer", "val": "4"}}]}} c = {"type": "Record", "val": {"Field": [{"field": "contents", "value": {"type": "Integer", "val": "4"}}]}} Giant-step RAC RHS evaluated for global `zero` at "WHY3DATA/stdlib/int.mlw", line 13, characters 15-19: 0 RHS evaluated for global `one` at "WHY3DATA/stdlib/int.mlw", line 14, characters 15-18: 1 Value from model for global `a` at "bench/check-ce/jlamp0_mono.mlw", line 11, characters 6-7: {contents= 0} Value from model for global `c` at "bench/check-ce/jlamp0_mono.mlw", line 20, characters 6-7: {contents= 3} Type default value for parameter `_` at NO LOC: () Normal RAC RHS evaluated for global `zero` at "WHY3DATA/stdlib/int.mlw", line 13, characters 15-19: 0 RHS evaluated for global `one` at "WHY3DATA/stdlib/int.mlw", line 14, characters 15-18: 1 Value from model for global `a` at "bench/check-ce/jlamp0_mono.mlw", line 11, characters 6-7: {contents= 0} Value from model for global `c` at "bench/check-ce/jlamp0_mono.mlw", line 20, characters 6-7: {contents= 3} Type default value for parameter `_` at NO LOC: () Result of checking model 1: NC - Concrete RAC: FAILURE (loop invariant init at "bench/check-ce/jlamp0_mono.mlw", line 41, characters 18-31) File int.mlw: Line 13: Constant zero initialization zero = 0 Line 14: Constant one initialization one = 1 File jlamp0_mono.mlw: Line 11: a = {contents= 0} Line 20: c = {contents= 3} Unknown location: _ = () File jlamp0_mono.mlw: Line 34: _ = () Execution of main function `p3` with env: a = {contents= 0} c = {contents= 3} _ = () zero = 0 one = 1 Line 41: Property failure at loop invariant init with: a = {contents= 0} - Abstract RAC: FAILURE (loop invariant init at "bench/check-ce/jlamp0_mono.mlw", line 41, characters 18-31) File int.mlw: Line 13: Constant zero initialization zero = 0 Line 14: Constant one initialization one = 1 File jlamp0_mono.mlw: Line 11: a = {contents= 0} Line 20: c = {contents= 3} Unknown location: _ = () File jlamp0_mono.mlw: Line 34: _ = () Execution of main function `p3` with env: a = {contents= 0} c = {contents= 3} _ = () zero = 0 one = 1 Line 41: Property failure at loop invariant init with: a = {contents= 0} Results: - Selected model 0: NC - Concrete RAC: FAILURE (loop invariant init at "bench/check-ce/jlamp0_mono.mlw", line 41, characters 18-31) - Abstract RAC: FAILURE (loop invariant init at "bench/check-ce/jlamp0_mono.mlw", line 41, characters 18-31) - Checked model 1: NC - Concrete RAC: FAILURE (loop invariant init at "bench/check-ce/jlamp0_mono.mlw", line 41, characters 18-31) - Abstract RAC: FAILURE (loop invariant init at "bench/check-ce/jlamp0_mono.mlw", line 41, characters 18-31) File "bench/check-ce/jlamp0_mono.mlw", line 41, characters 18-31: Sub-goal Loop invariant preservation of goal p3'vc. Prover result is: Unknown (sat) (0.01s, 1640 steps). The program does not comply to the verification goal, for example during the following execution: File int.mlw: Line 13: Constant zero initialization zero = 0 Line 14: Constant one initialization one = 1 File jlamp0_mono.mlw: Line 11: a = {contents= 0} Line 20: c = {contents= 3} Unknown location: _ = () File jlamp0_mono.mlw: Line 34: _ = () Execution of main function `p3` with env: a = {contents= 0} c = {contents= 3} _ = () zero = 0 one = 1 Line 41: Property failure at loop invariant init with: a = {contents= 0} Check model 0 ("bench/check-ce/jlamp0_mono.mlw", line 37, characters 15-28) Checking model: File jlamp0_mono.mlw: Line 7: c = {"type": "Record", "val": {"Field": [{"field": "contents", "value": {"type": "Integer", "val": "11"}}]}} Line 11: a = {"type": "Record", "val": {"Field": [{"field": "contents", "value": {"type": "Integer", "val": "0"}}]}} a = {"type": "Record", "val": {"Field": [{"field": "contents", "value": {"type": "Integer", "val": "0"}}]}} Line 20: c = {"type": "Record", "val": {"Field": [{"field": "contents", "value": {"type": "Integer", "val": "11"}}]}} c = {"type": "Record", "val": {"Field": [{"field": "contents", "value": {"type": "Integer", "val": "3"}}]}} Line 37: a = {"type": "Record", "val": {"Field": [{"field": "contents", "value": {"type": "Integer", "val": "6"}}]}} a = {"type": "Record", "val": {"Field": [{"field": "contents", "value": {"type": "Integer", "val": "6"}}]}} Line 39: a = {"type": "Record", "val": {"Field": [{"field": "contents", "value": {"type": "Integer", "val": "6"}}]}} a = {"type": "Record", "val": {"Field": [{"field": "contents", "value": {"type": "Integer", "val": "6"}}]}} c = {"type": "Record", "val": {"Field": [{"field": "contents", "value": {"type": "Integer", "val": "11"}}]}} c = {"type": "Record", "val": {"Field": [{"field": "contents", "value": {"type": "Integer", "val": "11"}}]}} Giant-step RAC RHS evaluated for global `zero` at "WHY3DATA/stdlib/int.mlw", line 13, characters 15-19: 0 RHS evaluated for global `one` at "WHY3DATA/stdlib/int.mlw", line 14, characters 15-18: 1 Value from model for global `a` at "bench/check-ce/jlamp0_mono.mlw", line 11, characters 6-7: {contents= 0} Value from model for global `c` at "bench/check-ce/jlamp0_mono.mlw", line 20, characters 6-7: {contents= 3} Type default value for parameter `_` at NO LOC: () Normal RAC RHS evaluated for global `zero` at "WHY3DATA/stdlib/int.mlw", line 13, characters 15-19: 0 RHS evaluated for global `one` at "WHY3DATA/stdlib/int.mlw", line 14, characters 15-18: 1 Value from model for global `a` at "bench/check-ce/jlamp0_mono.mlw", line 11, characters 6-7: {contents= 0} Value from model for global `c` at "bench/check-ce/jlamp0_mono.mlw", line 20, characters 6-7: {contents= 3} Type default value for parameter `_` at NO LOC: () Result of checking model 0: BAD_CE - Concrete RAC: FAILURE (loop invariant init at "bench/check-ce/jlamp0_mono.mlw", line 41, characters 18-31) File int.mlw: Line 13: Constant zero initialization zero = 0 Line 14: Constant one initialization one = 1 File jlamp0_mono.mlw: Line 11: a = {contents= 0} Line 20: c = {contents= 3} Unknown location: _ = () File jlamp0_mono.mlw: Line 34: _ = () Execution of main function `p3` with env: a = {contents= 0} c = {contents= 3} _ = () zero = 0 one = 1 Line 41: Property failure at loop invariant init with: a = {contents= 0} - Abstract RAC: FAILURE (loop invariant init at "bench/check-ce/jlamp0_mono.mlw", line 41, characters 18-31) File int.mlw: Line 13: Constant zero initialization zero = 0 Line 14: Constant one initialization one = 1 File jlamp0_mono.mlw: Line 11: a = {contents= 0} Line 20: c = {contents= 3} Unknown location: _ = () File jlamp0_mono.mlw: Line 34: _ = () Execution of main function `p3` with env: a = {contents= 0} c = {contents= 3} _ = () zero = 0 one = 1 Line 41: Property failure at loop invariant init with: a = {contents= 0} Check model 1 ("bench/check-ce/jlamp0_mono.mlw", line 37, characters 15-28) Checking model: File jlamp0_mono.mlw: Line 7: c = {"type": "Record", "val": {"Field": [{"field": "contents", "value": {"type": "Integer", "val": "11"}}]}} Line 11: a = {"type": "Record", "val": {"Field": [{"field": "contents", "value": {"type": "Integer", "val": "0"}}]}} a = {"type": "Record", "val": {"Field": [{"field": "contents", "value": {"type": "Integer", "val": "0"}}]}} Line 20: c = {"type": "Record", "val": {"Field": [{"field": "contents", "value": {"type": "Integer", "val": "11"}}]}} c = {"type": "Record", "val": {"Field": [{"field": "contents", "value": {"type": "Integer", "val": "3"}}]}} Line 37: a = {"type": "Record", "val": {"Field": [{"field": "contents", "value": {"type": "Integer", "val": "6"}}]}} a = {"type": "Record", "val": {"Field": [{"field": "contents", "value": {"type": "Integer", "val": "6"}}]}} Line 39: a = {"type": "Record", "val": {"Field": [{"field": "contents", "value": {"type": "Integer", "val": "6"}}]}} a = {"type": "Record", "val": {"Field": [{"field": "contents", "value": {"type": "Integer", "val": "6"}}]}} c = {"type": "Record", "val": {"Field": [{"field": "contents", "value": {"type": "Integer", "val": "11"}}]}} c = {"type": "Record", "val": {"Field": [{"field": "contents", "value": {"type": "Integer", "val": "11"}}]}} Giant-step RAC RHS evaluated for global `zero` at "WHY3DATA/stdlib/int.mlw", line 13, characters 15-19: 0 RHS evaluated for global `one` at "WHY3DATA/stdlib/int.mlw", line 14, characters 15-18: 1 Value from model for global `a` at "bench/check-ce/jlamp0_mono.mlw", line 11, characters 6-7: {contents= 0} Value from model for global `c` at "bench/check-ce/jlamp0_mono.mlw", line 20, characters 6-7: {contents= 3} Type default value for parameter `_` at NO LOC: () Normal RAC RHS evaluated for global `zero` at "WHY3DATA/stdlib/int.mlw", line 13, characters 15-19: 0 RHS evaluated for global `one` at "WHY3DATA/stdlib/int.mlw", line 14, characters 15-18: 1 Value from model for global `a` at "bench/check-ce/jlamp0_mono.mlw", line 11, characters 6-7: {contents= 0} Value from model for global `c` at "bench/check-ce/jlamp0_mono.mlw", line 20, characters 6-7: {contents= 3} Type default value for parameter `_` at NO LOC: () Result of checking model 1: BAD_CE - Concrete RAC: FAILURE (loop invariant init at "bench/check-ce/jlamp0_mono.mlw", line 41, characters 18-31) File int.mlw: Line 13: Constant zero initialization zero = 0 Line 14: Constant one initialization one = 1 File jlamp0_mono.mlw: Line 11: a = {contents= 0} Line 20: c = {contents= 3} Unknown location: _ = () File jlamp0_mono.mlw: Line 34: _ = () Execution of main function `p3` with env: a = {contents= 0} c = {contents= 3} _ = () zero = 0 one = 1 Line 41: Property failure at loop invariant init with: a = {contents= 0} - Abstract RAC: FAILURE (loop invariant init at "bench/check-ce/jlamp0_mono.mlw", line 41, characters 18-31) File int.mlw: Line 13: Constant zero initialization zero = 0 Line 14: Constant one initialization one = 1 File jlamp0_mono.mlw: Line 11: a = {contents= 0} Line 20: c = {contents= 3} Unknown location: _ = () File jlamp0_mono.mlw: Line 34: _ = () Execution of main function `p3` with env: a = {contents= 0} c = {contents= 3} _ = () zero = 0 one = 1 Line 41: Property failure at loop invariant init with: a = {contents= 0} Results: - Checked model 0: BAD_CE - Concrete RAC: FAILURE (loop invariant init at "bench/check-ce/jlamp0_mono.mlw", line 41, characters 18-31) - Abstract RAC: FAILURE (loop invariant init at "bench/check-ce/jlamp0_mono.mlw", line 41, characters 18-31) - Selected model 1: BAD_CE - Concrete RAC: FAILURE (loop invariant init at "bench/check-ce/jlamp0_mono.mlw", line 41, characters 18-31) - Abstract RAC: FAILURE (loop invariant init at "bench/check-ce/jlamp0_mono.mlw", line 41, characters 18-31) File "bench/check-ce/jlamp0_mono.mlw", line 37, characters 15-28: Sub-goal Postcondition of goal p3'vc. Prover result is: Unknown (sat) (0.01s, 1249 steps). Sorry, we don't have a good counterexample for you :( why3-1.6.0/bench/check-ce/oracles/jlamp0_mono_Z3,4.8.4_WP.oracle000066400000000000000000006305121440160026300236200ustar00rootroot00000000000000File "bench/check-ce/jlamp0_mono.mlw", line 9, characters 25-31: Sub-goal Postcondition of goal infix :='vc. Prover result is: Valid (0.02s, 46 steps). Check model 0 ("bench/check-ce/jlamp0_mono.mlw", line 17, characters 13-26) Checking model: File jlamp0_mono.mlw: Line 7: b = {"type": "Record", "val": {"Field": [{"field": "contents", "value": {"type": "Integer", "val": "6"}}]}} Line 9: a = {"type": "Record", "val": {"Field": [{"field": "contents", "value": {"type": "Integer", "val": "16"}}]}} Line 11: a = {"type": "Record", "val": {"Field": [{"field": "contents", "value": {"type": "Integer", "val": "10"}}]}} a = {"type": "Record", "val": {"Field": [{"field": "contents", "value": {"type": "Integer", "val": "10"}}]}} Line 13: b = {"type": "Record", "val": {"Field": [{"field": "contents", "value": {"type": "Integer", "val": "6"}}]}} b = {"type": "Record", "val": {"Field": [{"field": "contents", "value": {"type": "Integer", "val": "6"}}]}} Line 16: a = {"type": "Record", "val": {"Field": [{"field": "contents", "value": {"type": "Integer", "val": "16"}}]}} a = {"type": "Record", "val": {"Field": [{"field": "contents", "value": {"type": "Integer", "val": "16"}}]}} Line 17: a = {"type": "Record", "val": {"Field": [{"field": "contents", "value": {"type": "Integer", "val": "16"}}]}} Giant-step RAC RHS evaluated for global `zero` at "WHY3DATA/stdlib/int.mlw", line 13, characters 15-19: 0 RHS evaluated for global `one` at "WHY3DATA/stdlib/int.mlw", line 14, characters 15-18: 1 Value from model for global `a` at "bench/check-ce/jlamp0_mono.mlw", line 11, characters 6-7: {contents= 10} Value from model for parameter `b` at "bench/check-ce/jlamp0_mono.mlw", line 13, characters 10-11: {contents= 6} Value computed from postcondition for return value of call to (!) at "bench/check-ce/jlamp0_mono.mlw", line 16, characters 14-16 at "bench/check-ce/jlamp0_mono.mlw", line 16, characters 14-16: 6 Value computed from postcondition for return value of call to (!) at "bench/check-ce/jlamp0_mono.mlw", line 16, characters 9-11 at "bench/check-ce/jlamp0_mono.mlw", line 16, characters 9-11: 10 Value from model for variable `a` at "bench/check-ce/jlamp0_mono.mlw", line 16, characters 4-16 at "bench/check-ce/jlamp0_mono.mlw", line 16, characters 4-16: {contents= 16} Type default value for return value of call to (:=) at "bench/check-ce/jlamp0_mono.mlw", line 16, characters 4-16 at "bench/check-ce/jlamp0_mono.mlw", line 16, characters 4-16: () Normal RAC RHS evaluated for global `zero` at "WHY3DATA/stdlib/int.mlw", line 13, characters 15-19: 0 RHS evaluated for global `one` at "WHY3DATA/stdlib/int.mlw", line 14, characters 15-18: 1 Value from model for global `a` at "bench/check-ce/jlamp0_mono.mlw", line 11, characters 6-7: {contents= 10} Value from model for parameter `b` at "bench/check-ce/jlamp0_mono.mlw", line 13, characters 10-11: {contents= 6} Result of checking model 0: NC - Concrete RAC: FAILURE (assertion at "bench/check-ce/jlamp0_mono.mlw", line 17, characters 13-26) File int.mlw: Line 13: Constant zero initialization zero = 0 Line 14: Constant one initialization one = 1 File jlamp0_mono.mlw: Line 11: a = {contents= 10} Line 13: b = {contents= 6} b = {contents= 6} Execution of main function `p1` with env: a = {contents= 10} b = {contents= 6} zero = 0 one = 1 Line 16: Normal execution of function `(!)` with args: x = {contents= 6} Line 7: Normal execution of function `contents` with args: arg = {contents= 6} Line 16: Normal execution of function `(!)` with args: x = {contents= 10} Line 7: Normal execution of function `contents` with args: arg = {contents= 10} Line 16: Normal execution of function `(+)` with args: _ = 10 _ = 6 Normal execution of function `(:=)` with args: x = {contents= 10} v = 16 Line 17: Property failure at assertion with: a = {contents= 16} - Abstract RAC: FAILURE (assertion at "bench/check-ce/jlamp0_mono.mlw", line 17, characters 13-26) File int.mlw: Line 13: Constant zero initialization zero = 0 Line 14: Constant one initialization one = 1 File jlamp0_mono.mlw: Line 11: a = {contents= 10} Line 13: b = {contents= 6} b = {contents= 6} Execution of main function `p1` with env: a = {contents= 10} b = {contents= 6} zero = 0 one = 1 Line 16: Giant-step execution of function `(!)` with args: x = {contents= 6} result of `(!)` = 6 Giant-step execution of function `(!)` with args: x = {contents= 10} result of `(!)` = 10 Normal execution of function `(+)` with args: _ = 10 _ = 6 Giant-step execution of function `(:=)` with args: x = {contents= 10} v = 16 a = {contents= 16} result of `(:=)` = () Line 17: Property failure at assertion with: a = {contents= 16} Check model 1 ("bench/check-ce/jlamp0_mono.mlw", line 17, characters 13-26) Checking model: File jlamp0_mono.mlw: Line 7: b = {"type": "Record", "val": {"Field": [{"field": "contents", "value": {"type": "Integer", "val": "6"}}]}} Line 9: a = {"type": "Record", "val": {"Field": [{"field": "contents", "value": {"type": "Integer", "val": "16"}}]}} Line 11: a = {"type": "Record", "val": {"Field": [{"field": "contents", "value": {"type": "Integer", "val": "10"}}]}} a = {"type": "Record", "val": {"Field": [{"field": "contents", "value": {"type": "Integer", "val": "10"}}]}} Line 13: b = {"type": "Record", "val": {"Field": [{"field": "contents", "value": {"type": "Integer", "val": "6"}}]}} b = {"type": "Record", "val": {"Field": [{"field": "contents", "value": {"type": "Integer", "val": "6"}}]}} Line 16: a = {"type": "Record", "val": {"Field": [{"field": "contents", "value": {"type": "Integer", "val": "16"}}]}} a = {"type": "Record", "val": {"Field": [{"field": "contents", "value": {"type": "Integer", "val": "16"}}]}} Line 17: a = {"type": "Record", "val": {"Field": [{"field": "contents", "value": {"type": "Integer", "val": "16"}}]}} Giant-step RAC RHS evaluated for global `zero` at "WHY3DATA/stdlib/int.mlw", line 13, characters 15-19: 0 RHS evaluated for global `one` at "WHY3DATA/stdlib/int.mlw", line 14, characters 15-18: 1 Value from model for global `a` at "bench/check-ce/jlamp0_mono.mlw", line 11, characters 6-7: {contents= 10} Value from model for parameter `b` at "bench/check-ce/jlamp0_mono.mlw", line 13, characters 10-11: {contents= 6} Value computed from postcondition for return value of call to (!) at "bench/check-ce/jlamp0_mono.mlw", line 16, characters 14-16 at "bench/check-ce/jlamp0_mono.mlw", line 16, characters 14-16: 6 Value computed from postcondition for return value of call to (!) at "bench/check-ce/jlamp0_mono.mlw", line 16, characters 9-11 at "bench/check-ce/jlamp0_mono.mlw", line 16, characters 9-11: 10 Value from model for variable `a` at "bench/check-ce/jlamp0_mono.mlw", line 16, characters 4-16 at "bench/check-ce/jlamp0_mono.mlw", line 16, characters 4-16: {contents= 16} Type default value for return value of call to (:=) at "bench/check-ce/jlamp0_mono.mlw", line 16, characters 4-16 at "bench/check-ce/jlamp0_mono.mlw", line 16, characters 4-16: () Normal RAC RHS evaluated for global `zero` at "WHY3DATA/stdlib/int.mlw", line 13, characters 15-19: 0 RHS evaluated for global `one` at "WHY3DATA/stdlib/int.mlw", line 14, characters 15-18: 1 Value from model for global `a` at "bench/check-ce/jlamp0_mono.mlw", line 11, characters 6-7: {contents= 10} Value from model for parameter `b` at "bench/check-ce/jlamp0_mono.mlw", line 13, characters 10-11: {contents= 6} Result of checking model 1: NC - Concrete RAC: FAILURE (assertion at "bench/check-ce/jlamp0_mono.mlw", line 17, characters 13-26) File int.mlw: Line 13: Constant zero initialization zero = 0 Line 14: Constant one initialization one = 1 File jlamp0_mono.mlw: Line 11: a = {contents= 10} Line 13: b = {contents= 6} b = {contents= 6} Execution of main function `p1` with env: a = {contents= 10} b = {contents= 6} zero = 0 one = 1 Line 16: Normal execution of function `(!)` with args: x = {contents= 6} Line 7: Normal execution of function `contents` with args: arg = {contents= 6} Line 16: Normal execution of function `(!)` with args: x = {contents= 10} Line 7: Normal execution of function `contents` with args: arg = {contents= 10} Line 16: Normal execution of function `(+)` with args: _ = 10 _ = 6 Normal execution of function `(:=)` with args: x = {contents= 10} v = 16 Line 17: Property failure at assertion with: a = {contents= 16} - Abstract RAC: FAILURE (assertion at "bench/check-ce/jlamp0_mono.mlw", line 17, characters 13-26) File int.mlw: Line 13: Constant zero initialization zero = 0 Line 14: Constant one initialization one = 1 File jlamp0_mono.mlw: Line 11: a = {contents= 10} Line 13: b = {contents= 6} b = {contents= 6} Execution of main function `p1` with env: a = {contents= 10} b = {contents= 6} zero = 0 one = 1 Line 16: Giant-step execution of function `(!)` with args: x = {contents= 6} result of `(!)` = 6 Giant-step execution of function `(!)` with args: x = {contents= 10} result of `(!)` = 10 Normal execution of function `(+)` with args: _ = 10 _ = 6 Giant-step execution of function `(:=)` with args: x = {contents= 10} v = 16 a = {contents= 16} result of `(:=)` = () Line 17: Property failure at assertion with: a = {contents= 16} Results: - Selected model 0: NC - Concrete RAC: FAILURE (assertion at "bench/check-ce/jlamp0_mono.mlw", line 17, characters 13-26) - Abstract RAC: FAILURE (assertion at "bench/check-ce/jlamp0_mono.mlw", line 17, characters 13-26) - Checked model 1: NC - Concrete RAC: FAILURE (assertion at "bench/check-ce/jlamp0_mono.mlw", line 17, characters 13-26) - Abstract RAC: FAILURE (assertion at "bench/check-ce/jlamp0_mono.mlw", line 17, characters 13-26) File "bench/check-ce/jlamp0_mono.mlw", line 17, characters 13-26: Sub-goal Assertion of goal p1'vc. Prover result is: Unknown (sat) (0.02s, 1101 steps). The program does not comply to the verification goal, for example during the following execution: File int.mlw: Line 13: Constant zero initialization zero = 0 Line 14: Constant one initialization one = 1 File jlamp0_mono.mlw: Line 11: a = {contents= 10} Line 13: b = {contents= 6} b = {contents= 6} Execution of main function `p1` with env: a = {contents= 10} b = {contents= 6} zero = 0 one = 1 Line 16: Normal execution of function `(!)` with args: x = {contents= 6} Line 7: Normal execution of function `contents` with args: arg = {contents= 6} Line 16: Normal execution of function `(!)` with args: x = {contents= 10} Line 7: Normal execution of function `contents` with args: arg = {contents= 10} Line 16: Normal execution of function `(+)` with args: _ = 10 _ = 6 Normal execution of function `(:=)` with args: x = {contents= 10} v = 16 Line 17: Property failure at assertion with: a = {contents= 16} Check model 0 ("bench/check-ce/jlamp0_mono.mlw", line 15, characters 15-29) Checking model: File jlamp0_mono.mlw: Line 7: a = {"type": "Record", "val": {"Field": [{"field": "contents", "value": {"type": "Integer", "val": "10"}}]}} Line 9: a = {"type": "Record", "val": {"Field": [{"field": "contents", "value": {"type": "Integer", "val": "9"}}]}} Line 11: a = {"type": "Record", "val": {"Field": [{"field": "contents", "value": {"type": "Integer", "val": "7"}}]}} a = {"type": "Record", "val": {"Field": [{"field": "contents", "value": {"type": "Integer", "val": "7"}}]}} Line 13: b = {"type": "Record", "val": {"Field": [{"field": "contents", "value": {"type": "Integer", "val": "3"}}]}} b = {"type": "Record", "val": {"Field": [{"field": "contents", "value": {"type": "Integer", "val": "3"}}]}} Line 15: a = {"type": "Record", "val": {"Field": [{"field": "contents", "value": {"type": "Integer", "val": "9"}}]}} Line 16: a = {"type": "Record", "val": {"Field": [{"field": "contents", "value": {"type": "Integer", "val": "10"}}]}} a = {"type": "Record", "val": {"Field": [{"field": "contents", "value": {"type": "Integer", "val": "10"}}]}} Line 18: a = {"type": "Record", "val": {"Field": [{"field": "contents", "value": {"type": "Integer", "val": "9"}}]}} a = {"type": "Record", "val": {"Field": [{"field": "contents", "value": {"type": "Integer", "val": "9"}}]}} Giant-step RAC RHS evaluated for global `zero` at "WHY3DATA/stdlib/int.mlw", line 13, characters 15-19: 0 RHS evaluated for global `one` at "WHY3DATA/stdlib/int.mlw", line 14, characters 15-18: 1 Value from model for global `a` at "bench/check-ce/jlamp0_mono.mlw", line 11, characters 6-7: {contents= 7} Value from model for parameter `b` at "bench/check-ce/jlamp0_mono.mlw", line 13, characters 10-11: {contents= 3} Value computed from postcondition for return value of call to (!) at "bench/check-ce/jlamp0_mono.mlw", line 16, characters 14-16 at "bench/check-ce/jlamp0_mono.mlw", line 16, characters 14-16: 3 Value computed from postcondition for return value of call to (!) at "bench/check-ce/jlamp0_mono.mlw", line 16, characters 9-11 at "bench/check-ce/jlamp0_mono.mlw", line 16, characters 9-11: 7 Value from model for variable `a` at "bench/check-ce/jlamp0_mono.mlw", line 16, characters 4-16 at "bench/check-ce/jlamp0_mono.mlw", line 16, characters 4-16: {contents= 10} Type default value for return value of call to (:=) at "bench/check-ce/jlamp0_mono.mlw", line 16, characters 4-16 at "bench/check-ce/jlamp0_mono.mlw", line 16, characters 4-16: () Value computed from postcondition for return value of call to (!) at "bench/check-ce/jlamp0_mono.mlw", line 18, characters 7-9 at "bench/check-ce/jlamp0_mono.mlw", line 18, characters 7-9: 10 Value computed from postcondition for return value of call to (!) at "bench/check-ce/jlamp0_mono.mlw", line 18, characters 26-28 at "bench/check-ce/jlamp0_mono.mlw", line 18, characters 26-28: 10 Value computed from postcondition for return value of call to (-) at "bench/check-ce/jlamp0_mono.mlw", line 18, characters 26-32 at "bench/check-ce/jlamp0_mono.mlw", line 18, characters 26-32: 9 Value from model for variable `a` at "bench/check-ce/jlamp0_mono.mlw", line 18, characters 21-32 at "bench/check-ce/jlamp0_mono.mlw", line 18, characters 21-32: {contents= 9} Type default value for return value of call to (:=) at "bench/check-ce/jlamp0_mono.mlw", line 18, characters 21-32 at "bench/check-ce/jlamp0_mono.mlw", line 18, characters 21-32: () Normal RAC RHS evaluated for global `zero` at "WHY3DATA/stdlib/int.mlw", line 13, characters 15-19: 0 RHS evaluated for global `one` at "WHY3DATA/stdlib/int.mlw", line 14, characters 15-18: 1 Value from model for global `a` at "bench/check-ce/jlamp0_mono.mlw", line 11, characters 6-7: {contents= 7} Value from model for parameter `b` at "bench/check-ce/jlamp0_mono.mlw", line 13, characters 10-11: {contents= 3} Result of checking model 0: NC - Concrete RAC: FAILURE (postcondition at "bench/check-ce/jlamp0_mono.mlw", line 15, characters 15-29) File int.mlw: Line 13: Constant zero initialization zero = 0 Line 14: Constant one initialization one = 1 File jlamp0_mono.mlw: Line 11: a = {contents= 7} Line 13: b = {contents= 3} b = {contents= 3} Execution of main function `p1` with env: a = {contents= 7} b = {contents= 3} zero = 0 one = 1 Line 16: Normal execution of function `(!)` with args: x = {contents= 3} Line 7: Normal execution of function `contents` with args: arg = {contents= 3} Line 16: Normal execution of function `(!)` with args: x = {contents= 7} Line 7: Normal execution of function `contents` with args: arg = {contents= 7} Line 16: Normal execution of function `(+)` with args: _ = 7 _ = 3 Normal execution of function `(:=)` with args: x = {contents= 7} v = 10 Line 18: Normal execution of function `(!)` with args: x = {contents= 10} Line 7: Normal execution of function `contents` with args: arg = {contents= 10} Line 18: Normal execution of function `(>=)` with args: x = 10 y = 10 Normal execution of function `(!)` with args: x = {contents= 10} Line 7: Normal execution of function `contents` with args: arg = {contents= 10} Line 18: Normal execution of function `(-)` with args: x = 10 y = 1 File int.mlw: Line 23: Normal execution of function `(-_)` with args: _ = 1 Normal execution of function `(+)` with args: _ = 10 _ = (-1) File jlamp0_mono.mlw: Line 18: Normal execution of function `(:=)` with args: x = {contents= 10} v = 9 Line 15: Property failure at postcondition of `p1` with: a = {contents= 9} - Abstract RAC: FAILURE (postcondition at "bench/check-ce/jlamp0_mono.mlw", line 15, characters 15-29) File int.mlw: Line 13: Constant zero initialization zero = 0 Line 14: Constant one initialization one = 1 File jlamp0_mono.mlw: Line 11: a = {contents= 7} Line 13: b = {contents= 3} b = {contents= 3} Execution of main function `p1` with env: a = {contents= 7} b = {contents= 3} zero = 0 one = 1 Line 16: Giant-step execution of function `(!)` with args: x = {contents= 3} result of `(!)` = 3 Giant-step execution of function `(!)` with args: x = {contents= 7} result of `(!)` = 7 Normal execution of function `(+)` with args: _ = 7 _ = 3 Giant-step execution of function `(:=)` with args: x = {contents= 7} v = 10 a = {contents= 10} result of `(:=)` = () Line 18: Giant-step execution of function `(!)` with args: x = {contents= 10} result of `(!)` = 10 Normal execution of function `(>=)` with args: x = 10 y = 10 Giant-step execution of function `(!)` with args: x = {contents= 10} result of `(!)` = 10 Giant-step execution of function `(-)` with args: x = 10 y = 1 result of `(-)` = 9 Giant-step execution of function `(:=)` with args: x = {contents= 10} v = 9 a = {contents= 9} result of `(:=)` = () Line 15: Property failure at postcondition of `p1` with: a = {contents= 9} Check model 1 ("bench/check-ce/jlamp0_mono.mlw", line 15, characters 15-29) Checking model: File jlamp0_mono.mlw: Line 7: a = {"type": "Record", "val": {"Field": [{"field": "contents", "value": {"type": "Integer", "val": "10"}}]}} Line 9: a = {"type": "Record", "val": {"Field": [{"field": "contents", "value": {"type": "Integer", "val": "9"}}]}} Line 11: a = {"type": "Record", "val": {"Field": [{"field": "contents", "value": {"type": "Integer", "val": "7"}}]}} a = {"type": "Record", "val": {"Field": [{"field": "contents", "value": {"type": "Integer", "val": "7"}}]}} Line 13: b = {"type": "Record", "val": {"Field": [{"field": "contents", "value": {"type": "Integer", "val": "3"}}]}} b = {"type": "Record", "val": {"Field": [{"field": "contents", "value": {"type": "Integer", "val": "3"}}]}} Line 15: a = {"type": "Record", "val": {"Field": [{"field": "contents", "value": {"type": "Integer", "val": "9"}}]}} Line 16: a = {"type": "Record", "val": {"Field": [{"field": "contents", "value": {"type": "Integer", "val": "10"}}]}} a = {"type": "Record", "val": {"Field": [{"field": "contents", "value": {"type": "Integer", "val": "10"}}]}} Line 18: a = {"type": "Record", "val": {"Field": [{"field": "contents", "value": {"type": "Integer", "val": "9"}}]}} a = {"type": "Record", "val": {"Field": [{"field": "contents", "value": {"type": "Integer", "val": "9"}}]}} Giant-step RAC RHS evaluated for global `zero` at "WHY3DATA/stdlib/int.mlw", line 13, characters 15-19: 0 RHS evaluated for global `one` at "WHY3DATA/stdlib/int.mlw", line 14, characters 15-18: 1 Value from model for global `a` at "bench/check-ce/jlamp0_mono.mlw", line 11, characters 6-7: {contents= 7} Value from model for parameter `b` at "bench/check-ce/jlamp0_mono.mlw", line 13, characters 10-11: {contents= 3} Value computed from postcondition for return value of call to (!) at "bench/check-ce/jlamp0_mono.mlw", line 16, characters 14-16 at "bench/check-ce/jlamp0_mono.mlw", line 16, characters 14-16: 3 Value computed from postcondition for return value of call to (!) at "bench/check-ce/jlamp0_mono.mlw", line 16, characters 9-11 at "bench/check-ce/jlamp0_mono.mlw", line 16, characters 9-11: 7 Value from model for variable `a` at "bench/check-ce/jlamp0_mono.mlw", line 16, characters 4-16 at "bench/check-ce/jlamp0_mono.mlw", line 16, characters 4-16: {contents= 10} Type default value for return value of call to (:=) at "bench/check-ce/jlamp0_mono.mlw", line 16, characters 4-16 at "bench/check-ce/jlamp0_mono.mlw", line 16, characters 4-16: () Value computed from postcondition for return value of call to (!) at "bench/check-ce/jlamp0_mono.mlw", line 18, characters 7-9 at "bench/check-ce/jlamp0_mono.mlw", line 18, characters 7-9: 10 Value computed from postcondition for return value of call to (!) at "bench/check-ce/jlamp0_mono.mlw", line 18, characters 26-28 at "bench/check-ce/jlamp0_mono.mlw", line 18, characters 26-28: 10 Value computed from postcondition for return value of call to (-) at "bench/check-ce/jlamp0_mono.mlw", line 18, characters 26-32 at "bench/check-ce/jlamp0_mono.mlw", line 18, characters 26-32: 9 Value from model for variable `a` at "bench/check-ce/jlamp0_mono.mlw", line 18, characters 21-32 at "bench/check-ce/jlamp0_mono.mlw", line 18, characters 21-32: {contents= 9} Type default value for return value of call to (:=) at "bench/check-ce/jlamp0_mono.mlw", line 18, characters 21-32 at "bench/check-ce/jlamp0_mono.mlw", line 18, characters 21-32: () Normal RAC RHS evaluated for global `zero` at "WHY3DATA/stdlib/int.mlw", line 13, characters 15-19: 0 RHS evaluated for global `one` at "WHY3DATA/stdlib/int.mlw", line 14, characters 15-18: 1 Value from model for global `a` at "bench/check-ce/jlamp0_mono.mlw", line 11, characters 6-7: {contents= 7} Value from model for parameter `b` at "bench/check-ce/jlamp0_mono.mlw", line 13, characters 10-11: {contents= 3} Result of checking model 1: NC - Concrete RAC: FAILURE (postcondition at "bench/check-ce/jlamp0_mono.mlw", line 15, characters 15-29) File int.mlw: Line 13: Constant zero initialization zero = 0 Line 14: Constant one initialization one = 1 File jlamp0_mono.mlw: Line 11: a = {contents= 7} Line 13: b = {contents= 3} b = {contents= 3} Execution of main function `p1` with env: a = {contents= 7} b = {contents= 3} zero = 0 one = 1 Line 16: Normal execution of function `(!)` with args: x = {contents= 3} Line 7: Normal execution of function `contents` with args: arg = {contents= 3} Line 16: Normal execution of function `(!)` with args: x = {contents= 7} Line 7: Normal execution of function `contents` with args: arg = {contents= 7} Line 16: Normal execution of function `(+)` with args: _ = 7 _ = 3 Normal execution of function `(:=)` with args: x = {contents= 7} v = 10 Line 18: Normal execution of function `(!)` with args: x = {contents= 10} Line 7: Normal execution of function `contents` with args: arg = {contents= 10} Line 18: Normal execution of function `(>=)` with args: x = 10 y = 10 Normal execution of function `(!)` with args: x = {contents= 10} Line 7: Normal execution of function `contents` with args: arg = {contents= 10} Line 18: Normal execution of function `(-)` with args: x = 10 y = 1 File int.mlw: Line 23: Normal execution of function `(-_)` with args: _ = 1 Normal execution of function `(+)` with args: _ = 10 _ = (-1) File jlamp0_mono.mlw: Line 18: Normal execution of function `(:=)` with args: x = {contents= 10} v = 9 Line 15: Property failure at postcondition of `p1` with: a = {contents= 9} - Abstract RAC: FAILURE (postcondition at "bench/check-ce/jlamp0_mono.mlw", line 15, characters 15-29) File int.mlw: Line 13: Constant zero initialization zero = 0 Line 14: Constant one initialization one = 1 File jlamp0_mono.mlw: Line 11: a = {contents= 7} Line 13: b = {contents= 3} b = {contents= 3} Execution of main function `p1` with env: a = {contents= 7} b = {contents= 3} zero = 0 one = 1 Line 16: Giant-step execution of function `(!)` with args: x = {contents= 3} result of `(!)` = 3 Giant-step execution of function `(!)` with args: x = {contents= 7} result of `(!)` = 7 Normal execution of function `(+)` with args: _ = 7 _ = 3 Giant-step execution of function `(:=)` with args: x = {contents= 7} v = 10 a = {contents= 10} result of `(:=)` = () Line 18: Giant-step execution of function `(!)` with args: x = {contents= 10} result of `(!)` = 10 Normal execution of function `(>=)` with args: x = 10 y = 10 Giant-step execution of function `(!)` with args: x = {contents= 10} result of `(!)` = 10 Giant-step execution of function `(-)` with args: x = 10 y = 1 result of `(-)` = 9 Giant-step execution of function `(:=)` with args: x = {contents= 10} v = 9 a = {contents= 9} result of `(:=)` = () Line 15: Property failure at postcondition of `p1` with: a = {contents= 9} Results: - Selected model 0: NC - Concrete RAC: FAILURE (postcondition at "bench/check-ce/jlamp0_mono.mlw", line 15, characters 15-29) - Abstract RAC: FAILURE (postcondition at "bench/check-ce/jlamp0_mono.mlw", line 15, characters 15-29) - Checked model 1: NC - Concrete RAC: FAILURE (postcondition at "bench/check-ce/jlamp0_mono.mlw", line 15, characters 15-29) - Abstract RAC: FAILURE (postcondition at "bench/check-ce/jlamp0_mono.mlw", line 15, characters 15-29) File "bench/check-ce/jlamp0_mono.mlw", line 15, characters 15-29: Sub-goal Postcondition of goal p1'vc. Prover result is: Unknown (sat) (0.00s, 1323 steps). The program does not comply to the verification goal, for example during the following execution: File int.mlw: Line 13: Constant zero initialization zero = 0 Line 14: Constant one initialization one = 1 File jlamp0_mono.mlw: Line 11: a = {contents= 7} Line 13: b = {contents= 3} b = {contents= 3} Execution of main function `p1` with env: a = {contents= 7} b = {contents= 3} zero = 0 one = 1 Line 16: Normal execution of function `(!)` with args: x = {contents= 3} Line 7: Normal execution of function `contents` with args: arg = {contents= 3} Line 16: Normal execution of function `(!)` with args: x = {contents= 7} Line 7: Normal execution of function `contents` with args: arg = {contents= 7} Line 16: Normal execution of function `(+)` with args: _ = 7 _ = 3 Normal execution of function `(:=)` with args: x = {contents= 7} v = 10 Line 18: Normal execution of function `(!)` with args: x = {contents= 10} Line 7: Normal execution of function `contents` with args: arg = {contents= 10} Line 18: Normal execution of function `(>=)` with args: x = 10 y = 10 Normal execution of function `(!)` with args: x = {contents= 10} Line 7: Normal execution of function `contents` with args: arg = {contents= 10} Line 18: Normal execution of function `(-)` with args: x = 10 y = 1 File int.mlw: Line 23: Normal execution of function `(-_)` with args: _ = 1 Normal execution of function `(+)` with args: _ = 10 _ = (-1) File jlamp0_mono.mlw: Line 18: Normal execution of function `(:=)` with args: x = {contents= 10} v = 9 Line 15: Property failure at postcondition of `p1` with: a = {contents= 9} Check model 0 ("bench/check-ce/jlamp0_mono.mlw", line 15, characters 15-29) Checking model: File jlamp0_mono.mlw: Line 7: a = {"type": "Record", "val": {"Field": [{"field": "contents", "value": {"type": "Integer", "val": "5"}}]}} Line 11: a = {"type": "Record", "val": {"Field": [{"field": "contents", "value": {"type": "Integer", "val": "2"}}]}} a = {"type": "Record", "val": {"Field": [{"field": "contents", "value": {"type": "Integer", "val": "2"}}]}} Line 13: b = {"type": "Record", "val": {"Field": [{"field": "contents", "value": {"type": "Integer", "val": "3"}}]}} b = {"type": "Record", "val": {"Field": [{"field": "contents", "value": {"type": "Integer", "val": "3"}}]}} Line 15: a = {"type": "Record", "val": {"Field": [{"field": "contents", "value": {"type": "Integer", "val": "5"}}]}} Line 16: a = {"type": "Record", "val": {"Field": [{"field": "contents", "value": {"type": "Integer", "val": "5"}}]}} a = {"type": "Record", "val": {"Field": [{"field": "contents", "value": {"type": "Integer", "val": "5"}}]}} Giant-step RAC RHS evaluated for global `zero` at "WHY3DATA/stdlib/int.mlw", line 13, characters 15-19: 0 RHS evaluated for global `one` at "WHY3DATA/stdlib/int.mlw", line 14, characters 15-18: 1 Value from model for global `a` at "bench/check-ce/jlamp0_mono.mlw", line 11, characters 6-7: {contents= 2} Value from model for parameter `b` at "bench/check-ce/jlamp0_mono.mlw", line 13, characters 10-11: {contents= 3} Value computed from postcondition for return value of call to (!) at "bench/check-ce/jlamp0_mono.mlw", line 16, characters 14-16 at "bench/check-ce/jlamp0_mono.mlw", line 16, characters 14-16: 3 Value computed from postcondition for return value of call to (!) at "bench/check-ce/jlamp0_mono.mlw", line 16, characters 9-11 at "bench/check-ce/jlamp0_mono.mlw", line 16, characters 9-11: 2 Value from model for variable `a` at "bench/check-ce/jlamp0_mono.mlw", line 16, characters 4-16 at "bench/check-ce/jlamp0_mono.mlw", line 16, characters 4-16: {contents= 5} Type default value for return value of call to (:=) at "bench/check-ce/jlamp0_mono.mlw", line 16, characters 4-16 at "bench/check-ce/jlamp0_mono.mlw", line 16, characters 4-16: () Value computed from postcondition for return value of call to (!) at "bench/check-ce/jlamp0_mono.mlw", line 18, characters 7-9 at "bench/check-ce/jlamp0_mono.mlw", line 18, characters 7-9: 5 Normal RAC RHS evaluated for global `zero` at "WHY3DATA/stdlib/int.mlw", line 13, characters 15-19: 0 RHS evaluated for global `one` at "WHY3DATA/stdlib/int.mlw", line 14, characters 15-18: 1 Value from model for global `a` at "bench/check-ce/jlamp0_mono.mlw", line 11, characters 6-7: {contents= 2} Value from model for parameter `b` at "bench/check-ce/jlamp0_mono.mlw", line 13, characters 10-11: {contents= 3} Result of checking model 0: NC - Concrete RAC: FAILURE (postcondition at "bench/check-ce/jlamp0_mono.mlw", line 15, characters 15-29) File int.mlw: Line 13: Constant zero initialization zero = 0 Line 14: Constant one initialization one = 1 File jlamp0_mono.mlw: Line 11: a = {contents= 2} Line 13: b = {contents= 3} b = {contents= 3} Execution of main function `p1` with env: a = {contents= 2} b = {contents= 3} zero = 0 one = 1 Line 16: Normal execution of function `(!)` with args: x = {contents= 3} Line 7: Normal execution of function `contents` with args: arg = {contents= 3} Line 16: Normal execution of function `(!)` with args: x = {contents= 2} Line 7: Normal execution of function `contents` with args: arg = {contents= 2} Line 16: Normal execution of function `(+)` with args: _ = 2 _ = 3 Normal execution of function `(:=)` with args: x = {contents= 2} v = 5 Line 18: Normal execution of function `(!)` with args: x = {contents= 5} Line 7: Normal execution of function `contents` with args: arg = {contents= 5} Line 18: Normal execution of function `(>=)` with args: x = 5 y = 10 Normal execution of function `Tuple0` with args: Line 15: Property failure at postcondition of `p1` with: a = {contents= 5} - Abstract RAC: FAILURE (postcondition at "bench/check-ce/jlamp0_mono.mlw", line 15, characters 15-29) File int.mlw: Line 13: Constant zero initialization zero = 0 Line 14: Constant one initialization one = 1 File jlamp0_mono.mlw: Line 11: a = {contents= 2} Line 13: b = {contents= 3} b = {contents= 3} Execution of main function `p1` with env: a = {contents= 2} b = {contents= 3} zero = 0 one = 1 Line 16: Giant-step execution of function `(!)` with args: x = {contents= 3} result of `(!)` = 3 Giant-step execution of function `(!)` with args: x = {contents= 2} result of `(!)` = 2 Normal execution of function `(+)` with args: _ = 2 _ = 3 Giant-step execution of function `(:=)` with args: x = {contents= 2} v = 5 a = {contents= 5} result of `(:=)` = () Line 18: Giant-step execution of function `(!)` with args: x = {contents= 5} result of `(!)` = 5 Normal execution of function `(>=)` with args: x = 5 y = 10 Normal execution of function `Tuple0` with args: Line 15: Property failure at postcondition of `p1` with: a = {contents= 5} Check model 1 ("bench/check-ce/jlamp0_mono.mlw", line 15, characters 15-29) Checking model: File jlamp0_mono.mlw: Line 7: a = {"type": "Record", "val": {"Field": [{"field": "contents", "value": {"type": "Integer", "val": "5"}}]}} Line 11: a = {"type": "Record", "val": {"Field": [{"field": "contents", "value": {"type": "Integer", "val": "2"}}]}} a = {"type": "Record", "val": {"Field": [{"field": "contents", "value": {"type": "Integer", "val": "2"}}]}} Line 13: b = {"type": "Record", "val": {"Field": [{"field": "contents", "value": {"type": "Integer", "val": "3"}}]}} b = {"type": "Record", "val": {"Field": [{"field": "contents", "value": {"type": "Integer", "val": "3"}}]}} Line 15: a = {"type": "Record", "val": {"Field": [{"field": "contents", "value": {"type": "Integer", "val": "5"}}]}} Line 16: a = {"type": "Record", "val": {"Field": [{"field": "contents", "value": {"type": "Integer", "val": "5"}}]}} a = {"type": "Record", "val": {"Field": [{"field": "contents", "value": {"type": "Integer", "val": "5"}}]}} Giant-step RAC RHS evaluated for global `zero` at "WHY3DATA/stdlib/int.mlw", line 13, characters 15-19: 0 RHS evaluated for global `one` at "WHY3DATA/stdlib/int.mlw", line 14, characters 15-18: 1 Value from model for global `a` at "bench/check-ce/jlamp0_mono.mlw", line 11, characters 6-7: {contents= 2} Value from model for parameter `b` at "bench/check-ce/jlamp0_mono.mlw", line 13, characters 10-11: {contents= 3} Value computed from postcondition for return value of call to (!) at "bench/check-ce/jlamp0_mono.mlw", line 16, characters 14-16 at "bench/check-ce/jlamp0_mono.mlw", line 16, characters 14-16: 3 Value computed from postcondition for return value of call to (!) at "bench/check-ce/jlamp0_mono.mlw", line 16, characters 9-11 at "bench/check-ce/jlamp0_mono.mlw", line 16, characters 9-11: 2 Value from model for variable `a` at "bench/check-ce/jlamp0_mono.mlw", line 16, characters 4-16 at "bench/check-ce/jlamp0_mono.mlw", line 16, characters 4-16: {contents= 5} Type default value for return value of call to (:=) at "bench/check-ce/jlamp0_mono.mlw", line 16, characters 4-16 at "bench/check-ce/jlamp0_mono.mlw", line 16, characters 4-16: () Value computed from postcondition for return value of call to (!) at "bench/check-ce/jlamp0_mono.mlw", line 18, characters 7-9 at "bench/check-ce/jlamp0_mono.mlw", line 18, characters 7-9: 5 Normal RAC RHS evaluated for global `zero` at "WHY3DATA/stdlib/int.mlw", line 13, characters 15-19: 0 RHS evaluated for global `one` at "WHY3DATA/stdlib/int.mlw", line 14, characters 15-18: 1 Value from model for global `a` at "bench/check-ce/jlamp0_mono.mlw", line 11, characters 6-7: {contents= 2} Value from model for parameter `b` at "bench/check-ce/jlamp0_mono.mlw", line 13, characters 10-11: {contents= 3} Result of checking model 1: NC - Concrete RAC: FAILURE (postcondition at "bench/check-ce/jlamp0_mono.mlw", line 15, characters 15-29) File int.mlw: Line 13: Constant zero initialization zero = 0 Line 14: Constant one initialization one = 1 File jlamp0_mono.mlw: Line 11: a = {contents= 2} Line 13: b = {contents= 3} b = {contents= 3} Execution of main function `p1` with env: a = {contents= 2} b = {contents= 3} zero = 0 one = 1 Line 16: Normal execution of function `(!)` with args: x = {contents= 3} Line 7: Normal execution of function `contents` with args: arg = {contents= 3} Line 16: Normal execution of function `(!)` with args: x = {contents= 2} Line 7: Normal execution of function `contents` with args: arg = {contents= 2} Line 16: Normal execution of function `(+)` with args: _ = 2 _ = 3 Normal execution of function `(:=)` with args: x = {contents= 2} v = 5 Line 18: Normal execution of function `(!)` with args: x = {contents= 5} Line 7: Normal execution of function `contents` with args: arg = {contents= 5} Line 18: Normal execution of function `(>=)` with args: x = 5 y = 10 Normal execution of function `Tuple0` with args: Line 15: Property failure at postcondition of `p1` with: a = {contents= 5} - Abstract RAC: FAILURE (postcondition at "bench/check-ce/jlamp0_mono.mlw", line 15, characters 15-29) File int.mlw: Line 13: Constant zero initialization zero = 0 Line 14: Constant one initialization one = 1 File jlamp0_mono.mlw: Line 11: a = {contents= 2} Line 13: b = {contents= 3} b = {contents= 3} Execution of main function `p1` with env: a = {contents= 2} b = {contents= 3} zero = 0 one = 1 Line 16: Giant-step execution of function `(!)` with args: x = {contents= 3} result of `(!)` = 3 Giant-step execution of function `(!)` with args: x = {contents= 2} result of `(!)` = 2 Normal execution of function `(+)` with args: _ = 2 _ = 3 Giant-step execution of function `(:=)` with args: x = {contents= 2} v = 5 a = {contents= 5} result of `(:=)` = () Line 18: Giant-step execution of function `(!)` with args: x = {contents= 5} result of `(!)` = 5 Normal execution of function `(>=)` with args: x = 5 y = 10 Normal execution of function `Tuple0` with args: Line 15: Property failure at postcondition of `p1` with: a = {contents= 5} Results: - Selected model 0: NC - Concrete RAC: FAILURE (postcondition at "bench/check-ce/jlamp0_mono.mlw", line 15, characters 15-29) - Abstract RAC: FAILURE (postcondition at "bench/check-ce/jlamp0_mono.mlw", line 15, characters 15-29) - Checked model 1: NC - Concrete RAC: FAILURE (postcondition at "bench/check-ce/jlamp0_mono.mlw", line 15, characters 15-29) - Abstract RAC: FAILURE (postcondition at "bench/check-ce/jlamp0_mono.mlw", line 15, characters 15-29) File "bench/check-ce/jlamp0_mono.mlw", line 15, characters 15-29: Sub-goal Postcondition of goal p1'vc. Prover result is: Unknown (sat) (0.01s, 1177 steps). The program does not comply to the verification goal, for example during the following execution: File int.mlw: Line 13: Constant zero initialization zero = 0 Line 14: Constant one initialization one = 1 File jlamp0_mono.mlw: Line 11: a = {contents= 2} Line 13: b = {contents= 3} b = {contents= 3} Execution of main function `p1` with env: a = {contents= 2} b = {contents= 3} zero = 0 one = 1 Line 16: Normal execution of function `(!)` with args: x = {contents= 3} Line 7: Normal execution of function `contents` with args: arg = {contents= 3} Line 16: Normal execution of function `(!)` with args: x = {contents= 2} Line 7: Normal execution of function `contents` with args: arg = {contents= 2} Line 16: Normal execution of function `(+)` with args: _ = 2 _ = 3 Normal execution of function `(:=)` with args: x = {contents= 2} v = 5 Line 18: Normal execution of function `(!)` with args: x = {contents= 5} Line 7: Normal execution of function `contents` with args: arg = {contents= 5} Line 18: Normal execution of function `(>=)` with args: x = 5 y = 10 Normal execution of function `Tuple0` with args: Line 15: Property failure at postcondition of `p1` with: a = {contents= 5} Check model 0 ("bench/check-ce/jlamp0_mono.mlw", line 27, characters 18-31) Checking model: File jlamp0_mono.mlw: Line 9: c = {"type": "Record", "val": {"Field": [{"field": "contents", "value": {"type": "Integer", "val": "1"}}]}} Line 11: a = {"type": "Record", "val": {"Field": [{"field": "contents", "value": {"type": "Integer", "val": "0"}}]}} a = {"type": "Record", "val": {"Field": [{"field": "contents", "value": {"type": "Integer", "val": "0"}}]}} Line 25: c = {"type": "Record", "val": {"Field": [{"field": "contents", "value": {"type": "Integer", "val": "1"}}]}} c = {"type": "Record", "val": {"Field": [{"field": "contents", "value": {"type": "Integer", "val": "1"}}]}} Line 27: c = {"type": "Record", "val": {"Field": [{"field": "contents", "value": {"type": "Integer", "val": "1"}}]}} Giant-step RAC RHS evaluated for global `zero` at "WHY3DATA/stdlib/int.mlw", line 13, characters 15-19: 0 RHS evaluated for global `one` at "WHY3DATA/stdlib/int.mlw", line 14, characters 15-18: 1 Value from model for global `a` at "bench/check-ce/jlamp0_mono.mlw", line 11, characters 6-7: {contents= 0} Type default value for return value of call at "bench/check-ce/jlamp0_mono.mlw", line 20, characters 8-16 at "bench/check-ce/jlamp0_mono.mlw", line 20, characters 8-16: {contents= 0} RHS evaluated for global `c` at "bench/check-ce/jlamp0_mono.mlw", line 20, characters 6-7: {contents= 0} Type default value for parameter `_` at NO LOC: () Value from model for variable `c` at "bench/check-ce/jlamp0_mono.mlw", line 25, characters 4-10 at "bench/check-ce/jlamp0_mono.mlw", line 25, characters 4-10: {contents= 1} Type default value for return value of call to (:=) at "bench/check-ce/jlamp0_mono.mlw", line 25, characters 4-10 at "bench/check-ce/jlamp0_mono.mlw", line 25, characters 4-10: () Normal RAC RHS evaluated for global `zero` at "WHY3DATA/stdlib/int.mlw", line 13, characters 15-19: 0 RHS evaluated for global `one` at "WHY3DATA/stdlib/int.mlw", line 14, characters 15-18: 1 Value from model for global `a` at "bench/check-ce/jlamp0_mono.mlw", line 11, characters 6-7: {contents= 0} Type default value for return value of call at "bench/check-ce/jlamp0_mono.mlw", line 20, characters 8-16 at "bench/check-ce/jlamp0_mono.mlw", line 20, characters 8-16: {contents= 0} RHS evaluated for global `c` at "bench/check-ce/jlamp0_mono.mlw", line 20, characters 6-7: {contents= 0} Type default value for parameter `_` at NO LOC: () Result of checking model 0: NC - Concrete RAC: FAILURE (loop invariant init at "bench/check-ce/jlamp0_mono.mlw", line 27, characters 18-31) File int.mlw: Line 13: Constant zero initialization zero = 0 Line 14: Constant one initialization one = 1 File jlamp0_mono.mlw: Line 11: a = {contents= 0} Line 20: Constant c initialization (giant-step) execution of unimplemented function with args: result = {contents= 0} c = {contents= 0} Unknown location: _ = () File jlamp0_mono.mlw: Line 22: _ = () Execution of main function `p2` with env: a = {contents= 0} c = {contents= 0} _ = () zero = 0 one = 1 Line 25: Normal execution of function `(:=)` with args: x = {contents= 0} v = 1 Line 27: Property failure at loop invariant init with: c = {contents= 1} - Abstract RAC: FAILURE (loop invariant init at "bench/check-ce/jlamp0_mono.mlw", line 27, characters 18-31) File int.mlw: Line 13: Constant zero initialization zero = 0 Line 14: Constant one initialization one = 1 File jlamp0_mono.mlw: Line 11: a = {contents= 0} Line 20: Constant c initialization (giant-step) execution of unimplemented function with args: result = {contents= 0} c = {contents= 0} Unknown location: _ = () File jlamp0_mono.mlw: Line 22: _ = () Execution of main function `p2` with env: a = {contents= 0} c = {contents= 0} _ = () zero = 0 one = 1 Line 25: Giant-step execution of function `(:=)` with args: x = {contents= 0} v = 1 c = {contents= 1} result of `(:=)` = () Line 27: Property failure at loop invariant init with: c = {contents= 1} Check model 1 ("bench/check-ce/jlamp0_mono.mlw", line 27, characters 18-31) Checking model: File jlamp0_mono.mlw: Line 9: c = {"type": "Record", "val": {"Field": [{"field": "contents", "value": {"type": "Integer", "val": "1"}}]}} Line 11: a = {"type": "Record", "val": {"Field": [{"field": "contents", "value": {"type": "Integer", "val": "0"}}]}} a = {"type": "Record", "val": {"Field": [{"field": "contents", "value": {"type": "Integer", "val": "0"}}]}} Line 25: c = {"type": "Record", "val": {"Field": [{"field": "contents", "value": {"type": "Integer", "val": "1"}}]}} c = {"type": "Record", "val": {"Field": [{"field": "contents", "value": {"type": "Integer", "val": "1"}}]}} Line 27: c = {"type": "Record", "val": {"Field": [{"field": "contents", "value": {"type": "Integer", "val": "1"}}]}} Giant-step RAC RHS evaluated for global `zero` at "WHY3DATA/stdlib/int.mlw", line 13, characters 15-19: 0 RHS evaluated for global `one` at "WHY3DATA/stdlib/int.mlw", line 14, characters 15-18: 1 Value from model for global `a` at "bench/check-ce/jlamp0_mono.mlw", line 11, characters 6-7: {contents= 0} Type default value for return value of call at "bench/check-ce/jlamp0_mono.mlw", line 20, characters 8-16 at "bench/check-ce/jlamp0_mono.mlw", line 20, characters 8-16: {contents= 0} RHS evaluated for global `c` at "bench/check-ce/jlamp0_mono.mlw", line 20, characters 6-7: {contents= 0} Type default value for parameter `_` at NO LOC: () Value from model for variable `c` at "bench/check-ce/jlamp0_mono.mlw", line 25, characters 4-10 at "bench/check-ce/jlamp0_mono.mlw", line 25, characters 4-10: {contents= 1} Type default value for return value of call to (:=) at "bench/check-ce/jlamp0_mono.mlw", line 25, characters 4-10 at "bench/check-ce/jlamp0_mono.mlw", line 25, characters 4-10: () Normal RAC RHS evaluated for global `zero` at "WHY3DATA/stdlib/int.mlw", line 13, characters 15-19: 0 RHS evaluated for global `one` at "WHY3DATA/stdlib/int.mlw", line 14, characters 15-18: 1 Value from model for global `a` at "bench/check-ce/jlamp0_mono.mlw", line 11, characters 6-7: {contents= 0} Type default value for return value of call at "bench/check-ce/jlamp0_mono.mlw", line 20, characters 8-16 at "bench/check-ce/jlamp0_mono.mlw", line 20, characters 8-16: {contents= 0} RHS evaluated for global `c` at "bench/check-ce/jlamp0_mono.mlw", line 20, characters 6-7: {contents= 0} Type default value for parameter `_` at NO LOC: () Result of checking model 1: NC - Concrete RAC: FAILURE (loop invariant init at "bench/check-ce/jlamp0_mono.mlw", line 27, characters 18-31) File int.mlw: Line 13: Constant zero initialization zero = 0 Line 14: Constant one initialization one = 1 File jlamp0_mono.mlw: Line 11: a = {contents= 0} Line 20: Constant c initialization (giant-step) execution of unimplemented function with args: result = {contents= 0} c = {contents= 0} Unknown location: _ = () File jlamp0_mono.mlw: Line 22: _ = () Execution of main function `p2` with env: a = {contents= 0} c = {contents= 0} _ = () zero = 0 one = 1 Line 25: Normal execution of function `(:=)` with args: x = {contents= 0} v = 1 Line 27: Property failure at loop invariant init with: c = {contents= 1} - Abstract RAC: FAILURE (loop invariant init at "bench/check-ce/jlamp0_mono.mlw", line 27, characters 18-31) File int.mlw: Line 13: Constant zero initialization zero = 0 Line 14: Constant one initialization one = 1 File jlamp0_mono.mlw: Line 11: a = {contents= 0} Line 20: Constant c initialization (giant-step) execution of unimplemented function with args: result = {contents= 0} c = {contents= 0} Unknown location: _ = () File jlamp0_mono.mlw: Line 22: _ = () Execution of main function `p2` with env: a = {contents= 0} c = {contents= 0} _ = () zero = 0 one = 1 Line 25: Giant-step execution of function `(:=)` with args: x = {contents= 0} v = 1 c = {contents= 1} result of `(:=)` = () Line 27: Property failure at loop invariant init with: c = {contents= 1} Results: - Selected model 0: NC - Concrete RAC: FAILURE (loop invariant init at "bench/check-ce/jlamp0_mono.mlw", line 27, characters 18-31) - Abstract RAC: FAILURE (loop invariant init at "bench/check-ce/jlamp0_mono.mlw", line 27, characters 18-31) - Checked model 1: NC - Concrete RAC: FAILURE (loop invariant init at "bench/check-ce/jlamp0_mono.mlw", line 27, characters 18-31) - Abstract RAC: FAILURE (loop invariant init at "bench/check-ce/jlamp0_mono.mlw", line 27, characters 18-31) File "bench/check-ce/jlamp0_mono.mlw", line 27, characters 18-31: Sub-goal Loop invariant init of goal p2'vc. Prover result is: Unknown (sat) (0.00s, 845 steps). The program does not comply to the verification goal, for example during the following execution: File int.mlw: Line 13: Constant zero initialization zero = 0 Line 14: Constant one initialization one = 1 File jlamp0_mono.mlw: Line 11: a = {contents= 0} Line 20: Constant c initialization (giant-step) execution of unimplemented function with args: result = {contents= 0} c = {contents= 0} Unknown location: _ = () File jlamp0_mono.mlw: Line 22: _ = () Execution of main function `p2` with env: a = {contents= 0} c = {contents= 0} _ = () zero = 0 one = 1 Line 25: Normal execution of function `(:=)` with args: x = {contents= 0} v = 1 Line 27: Property failure at loop invariant init with: c = {contents= 1} File "bench/check-ce/jlamp0_mono.mlw", line 28, characters 18-31: Sub-goal Loop invariant init of goal p2'vc. Prover result is: Valid (0.01s, 123 steps). Check model 0 ("bench/check-ce/jlamp0_mono.mlw", line 29, characters 16-18) Checking model: File jlamp0_mono.mlw: Line 7: c = {"type": "Record", "val": {"Field": [{"field": "contents", "value": {"type": "Integer", "val": "2"}}]}} Line 9: c = {"type": "Record", "val": {"Field": [{"field": "contents", "value": {"type": "Integer", "val": "4"}}]}} Line 11: a = {"type": "Record", "val": {"Field": [{"field": "contents", "value": {"type": "Integer", "val": "0"}}]}} a = {"type": "Record", "val": {"Field": [{"field": "contents", "value": {"type": "Integer", "val": "0"}}]}} Line 20: c = {"type": "Record", "val": {"Field": [{"field": "contents", "value": {"type": "Integer", "val": "2"}}]}} Line 25: c = {"type": "Record", "val": {"Field": [{"field": "contents", "value": {"type": "Integer", "val": "1"}}]}} c = {"type": "Record", "val": {"Field": [{"field": "contents", "value": {"type": "Integer", "val": "1"}}]}} Line 26: a = {"type": "Record", "val": {"Field": [{"field": "contents", "value": {"type": "Integer", "val": "3"}}]}} a = {"type": "Record", "val": {"Field": [{"field": "contents", "value": {"type": "Integer", "val": "3"}}]}} c = {"type": "Record", "val": {"Field": [{"field": "contents", "value": {"type": "Integer", "val": "2"}}]}} c = {"type": "Record", "val": {"Field": [{"field": "contents", "value": {"type": "Integer", "val": "2"}}]}} Line 29: c = {"type": "Record", "val": {"Field": [{"field": "contents", "value": {"type": "Integer", "val": "2"}}]}} Line 30: a = {"type": "Record", "val": {"Field": [{"field": "contents", "value": {"type": "Integer", "val": "5"}}]}} a = {"type": "Record", "val": {"Field": [{"field": "contents", "value": {"type": "Integer", "val": "5"}}]}} Line 31: c = {"type": "Record", "val": {"Field": [{"field": "contents", "value": {"type": "Integer", "val": "4"}}]}} c = {"type": "Record", "val": {"Field": [{"field": "contents", "value": {"type": "Integer", "val": "4"}}]}} Giant-step RAC RHS evaluated for global `zero` at "WHY3DATA/stdlib/int.mlw", line 13, characters 15-19: 0 RHS evaluated for global `one` at "WHY3DATA/stdlib/int.mlw", line 14, characters 15-18: 1 Value from model for global `a` at "bench/check-ce/jlamp0_mono.mlw", line 11, characters 6-7: {contents= 0} Value from model for global `c` at "bench/check-ce/jlamp0_mono.mlw", line 20, characters 6-7: {contents= 2} Type default value for parameter `_` at NO LOC: () Value from model for variable `c` at "bench/check-ce/jlamp0_mono.mlw", line 25, characters 4-10 at "bench/check-ce/jlamp0_mono.mlw", line 25, characters 4-10: {contents= 1} Type default value for return value of call to (:=) at "bench/check-ce/jlamp0_mono.mlw", line 25, characters 4-10 at "bench/check-ce/jlamp0_mono.mlw", line 25, characters 4-10: () Normal RAC RHS evaluated for global `zero` at "WHY3DATA/stdlib/int.mlw", line 13, characters 15-19: 0 RHS evaluated for global `one` at "WHY3DATA/stdlib/int.mlw", line 14, characters 15-18: 1 Value from model for global `a` at "bench/check-ce/jlamp0_mono.mlw", line 11, characters 6-7: {contents= 0} Value from model for global `c` at "bench/check-ce/jlamp0_mono.mlw", line 20, characters 6-7: {contents= 2} Type default value for parameter `_` at NO LOC: () Result of checking model 0: BAD_CE - Concrete RAC: FAILURE (loop invariant init at "bench/check-ce/jlamp0_mono.mlw", line 27, characters 18-31) File int.mlw: Line 13: Constant zero initialization zero = 0 Line 14: Constant one initialization one = 1 File jlamp0_mono.mlw: Line 11: a = {contents= 0} Line 20: c = {contents= 2} Unknown location: _ = () File jlamp0_mono.mlw: Line 22: _ = () Execution of main function `p2` with env: a = {contents= 0} c = {contents= 2} _ = () zero = 0 one = 1 Line 25: Normal execution of function `(:=)` with args: x = {contents= 2} v = 1 Line 27: Property failure at loop invariant init with: c = {contents= 1} - Abstract RAC: FAILURE (loop invariant init at "bench/check-ce/jlamp0_mono.mlw", line 27, characters 18-31) File int.mlw: Line 13: Constant zero initialization zero = 0 Line 14: Constant one initialization one = 1 File jlamp0_mono.mlw: Line 11: a = {contents= 0} Line 20: c = {contents= 2} Unknown location: _ = () File jlamp0_mono.mlw: Line 22: _ = () Execution of main function `p2` with env: a = {contents= 0} c = {contents= 2} _ = () zero = 0 one = 1 Line 25: Giant-step execution of function `(:=)` with args: x = {contents= 2} v = 1 c = {contents= 1} result of `(:=)` = () Line 27: Property failure at loop invariant init with: c = {contents= 1} Check model 1 ("bench/check-ce/jlamp0_mono.mlw", line 29, characters 16-18) Checking model: File jlamp0_mono.mlw: Line 7: c = {"type": "Record", "val": {"Field": [{"field": "contents", "value": {"type": "Integer", "val": "2"}}]}} Line 9: c = {"type": "Record", "val": {"Field": [{"field": "contents", "value": {"type": "Integer", "val": "4"}}]}} Line 11: a = {"type": "Record", "val": {"Field": [{"field": "contents", "value": {"type": "Integer", "val": "0"}}]}} a = {"type": "Record", "val": {"Field": [{"field": "contents", "value": {"type": "Integer", "val": "0"}}]}} Line 20: c = {"type": "Record", "val": {"Field": [{"field": "contents", "value": {"type": "Integer", "val": "2"}}]}} Line 25: c = {"type": "Record", "val": {"Field": [{"field": "contents", "value": {"type": "Integer", "val": "1"}}]}} c = {"type": "Record", "val": {"Field": [{"field": "contents", "value": {"type": "Integer", "val": "1"}}]}} Line 26: a = {"type": "Record", "val": {"Field": [{"field": "contents", "value": {"type": "Integer", "val": "3"}}]}} a = {"type": "Record", "val": {"Field": [{"field": "contents", "value": {"type": "Integer", "val": "3"}}]}} c = {"type": "Record", "val": {"Field": [{"field": "contents", "value": {"type": "Integer", "val": "2"}}]}} c = {"type": "Record", "val": {"Field": [{"field": "contents", "value": {"type": "Integer", "val": "2"}}]}} Line 29: c = {"type": "Record", "val": {"Field": [{"field": "contents", "value": {"type": "Integer", "val": "2"}}]}} Line 30: a = {"type": "Record", "val": {"Field": [{"field": "contents", "value": {"type": "Integer", "val": "5"}}]}} a = {"type": "Record", "val": {"Field": [{"field": "contents", "value": {"type": "Integer", "val": "5"}}]}} Line 31: c = {"type": "Record", "val": {"Field": [{"field": "contents", "value": {"type": "Integer", "val": "4"}}]}} c = {"type": "Record", "val": {"Field": [{"field": "contents", "value": {"type": "Integer", "val": "4"}}]}} Giant-step RAC RHS evaluated for global `zero` at "WHY3DATA/stdlib/int.mlw", line 13, characters 15-19: 0 RHS evaluated for global `one` at "WHY3DATA/stdlib/int.mlw", line 14, characters 15-18: 1 Value from model for global `a` at "bench/check-ce/jlamp0_mono.mlw", line 11, characters 6-7: {contents= 0} Value from model for global `c` at "bench/check-ce/jlamp0_mono.mlw", line 20, characters 6-7: {contents= 2} Type default value for parameter `_` at NO LOC: () Value from model for variable `c` at "bench/check-ce/jlamp0_mono.mlw", line 25, characters 4-10 at "bench/check-ce/jlamp0_mono.mlw", line 25, characters 4-10: {contents= 1} Type default value for return value of call to (:=) at "bench/check-ce/jlamp0_mono.mlw", line 25, characters 4-10 at "bench/check-ce/jlamp0_mono.mlw", line 25, characters 4-10: () Normal RAC RHS evaluated for global `zero` at "WHY3DATA/stdlib/int.mlw", line 13, characters 15-19: 0 RHS evaluated for global `one` at "WHY3DATA/stdlib/int.mlw", line 14, characters 15-18: 1 Value from model for global `a` at "bench/check-ce/jlamp0_mono.mlw", line 11, characters 6-7: {contents= 0} Value from model for global `c` at "bench/check-ce/jlamp0_mono.mlw", line 20, characters 6-7: {contents= 2} Type default value for parameter `_` at NO LOC: () Result of checking model 1: BAD_CE - Concrete RAC: FAILURE (loop invariant init at "bench/check-ce/jlamp0_mono.mlw", line 27, characters 18-31) File int.mlw: Line 13: Constant zero initialization zero = 0 Line 14: Constant one initialization one = 1 File jlamp0_mono.mlw: Line 11: a = {contents= 0} Line 20: c = {contents= 2} Unknown location: _ = () File jlamp0_mono.mlw: Line 22: _ = () Execution of main function `p2` with env: a = {contents= 0} c = {contents= 2} _ = () zero = 0 one = 1 Line 25: Normal execution of function `(:=)` with args: x = {contents= 2} v = 1 Line 27: Property failure at loop invariant init with: c = {contents= 1} - Abstract RAC: FAILURE (loop invariant init at "bench/check-ce/jlamp0_mono.mlw", line 27, characters 18-31) File int.mlw: Line 13: Constant zero initialization zero = 0 Line 14: Constant one initialization one = 1 File jlamp0_mono.mlw: Line 11: a = {contents= 0} Line 20: c = {contents= 2} Unknown location: _ = () File jlamp0_mono.mlw: Line 22: _ = () Execution of main function `p2` with env: a = {contents= 0} c = {contents= 2} _ = () zero = 0 one = 1 Line 25: Giant-step execution of function `(:=)` with args: x = {contents= 2} v = 1 c = {contents= 1} result of `(:=)` = () Line 27: Property failure at loop invariant init with: c = {contents= 1} Results: - Checked model 0: BAD_CE - Concrete RAC: FAILURE (loop invariant init at "bench/check-ce/jlamp0_mono.mlw", line 27, characters 18-31) - Abstract RAC: FAILURE (loop invariant init at "bench/check-ce/jlamp0_mono.mlw", line 27, characters 18-31) - Selected model 1: BAD_CE - Concrete RAC: FAILURE (loop invariant init at "bench/check-ce/jlamp0_mono.mlw", line 27, characters 18-31) - Abstract RAC: FAILURE (loop invariant init at "bench/check-ce/jlamp0_mono.mlw", line 27, characters 18-31) File "bench/check-ce/jlamp0_mono.mlw", line 29, characters 16-18: Sub-goal Loop variant decrease of goal p2'vc. Prover result is: Unknown (sat) (0.00s, 1506 steps). Sorry, we don't have a good counterexample for you :( Check model 0 ("bench/check-ce/jlamp0_mono.mlw", line 27, characters 18-31) Checking model: File jlamp0_mono.mlw: Line 7: c = {"type": "Record", "val": {"Field": [{"field": "contents", "value": {"type": "Integer", "val": "10"}}]}} Line 9: c = {"type": "Record", "val": {"Field": [{"field": "contents", "value": {"type": "Integer", "val": "12"}}]}} Line 11: a = {"type": "Record", "val": {"Field": [{"field": "contents", "value": {"type": "Integer", "val": "0"}}]}} a = {"type": "Record", "val": {"Field": [{"field": "contents", "value": {"type": "Integer", "val": "0"}}]}} Line 20: c = {"type": "Record", "val": {"Field": [{"field": "contents", "value": {"type": "Integer", "val": "10"}}]}} Line 25: c = {"type": "Record", "val": {"Field": [{"field": "contents", "value": {"type": "Integer", "val": "1"}}]}} c = {"type": "Record", "val": {"Field": [{"field": "contents", "value": {"type": "Integer", "val": "1"}}]}} Line 26: a = {"type": "Record", "val": {"Field": [{"field": "contents", "value": {"type": "Integer", "val": "3"}}]}} a = {"type": "Record", "val": {"Field": [{"field": "contents", "value": {"type": "Integer", "val": "3"}}]}} c = {"type": "Record", "val": {"Field": [{"field": "contents", "value": {"type": "Integer", "val": "10"}}]}} c = {"type": "Record", "val": {"Field": [{"field": "contents", "value": {"type": "Integer", "val": "10"}}]}} Line 27: c = {"type": "Record", "val": {"Field": [{"field": "contents", "value": {"type": "Integer", "val": "12"}}]}} Line 30: a = {"type": "Record", "val": {"Field": [{"field": "contents", "value": {"type": "Integer", "val": "13"}}]}} a = {"type": "Record", "val": {"Field": [{"field": "contents", "value": {"type": "Integer", "val": "13"}}]}} Line 31: c = {"type": "Record", "val": {"Field": [{"field": "contents", "value": {"type": "Integer", "val": "12"}}]}} c = {"type": "Record", "val": {"Field": [{"field": "contents", "value": {"type": "Integer", "val": "12"}}]}} Giant-step RAC RHS evaluated for global `zero` at "WHY3DATA/stdlib/int.mlw", line 13, characters 15-19: 0 RHS evaluated for global `one` at "WHY3DATA/stdlib/int.mlw", line 14, characters 15-18: 1 Value from model for global `a` at "bench/check-ce/jlamp0_mono.mlw", line 11, characters 6-7: {contents= 0} Value from model for global `c` at "bench/check-ce/jlamp0_mono.mlw", line 20, characters 6-7: {contents= 10} Type default value for parameter `_` at NO LOC: () Value from model for variable `c` at "bench/check-ce/jlamp0_mono.mlw", line 25, characters 4-10 at "bench/check-ce/jlamp0_mono.mlw", line 25, characters 4-10: {contents= 1} Type default value for return value of call to (:=) at "bench/check-ce/jlamp0_mono.mlw", line 25, characters 4-10 at "bench/check-ce/jlamp0_mono.mlw", line 25, characters 4-10: () Normal RAC RHS evaluated for global `zero` at "WHY3DATA/stdlib/int.mlw", line 13, characters 15-19: 0 RHS evaluated for global `one` at "WHY3DATA/stdlib/int.mlw", line 14, characters 15-18: 1 Value from model for global `a` at "bench/check-ce/jlamp0_mono.mlw", line 11, characters 6-7: {contents= 0} Value from model for global `c` at "bench/check-ce/jlamp0_mono.mlw", line 20, characters 6-7: {contents= 10} Type default value for parameter `_` at NO LOC: () Result of checking model 0: NC - Concrete RAC: FAILURE (loop invariant init at "bench/check-ce/jlamp0_mono.mlw", line 27, characters 18-31) File int.mlw: Line 13: Constant zero initialization zero = 0 Line 14: Constant one initialization one = 1 File jlamp0_mono.mlw: Line 11: a = {contents= 0} Line 20: c = {contents= 10} Unknown location: _ = () File jlamp0_mono.mlw: Line 22: _ = () Execution of main function `p2` with env: a = {contents= 0} c = {contents= 10} _ = () zero = 0 one = 1 Line 25: Normal execution of function `(:=)` with args: x = {contents= 10} v = 1 Line 27: Property failure at loop invariant init with: c = {contents= 1} - Abstract RAC: FAILURE (loop invariant init at "bench/check-ce/jlamp0_mono.mlw", line 27, characters 18-31) File int.mlw: Line 13: Constant zero initialization zero = 0 Line 14: Constant one initialization one = 1 File jlamp0_mono.mlw: Line 11: a = {contents= 0} Line 20: c = {contents= 10} Unknown location: _ = () File jlamp0_mono.mlw: Line 22: _ = () Execution of main function `p2` with env: a = {contents= 0} c = {contents= 10} _ = () zero = 0 one = 1 Line 25: Giant-step execution of function `(:=)` with args: x = {contents= 10} v = 1 c = {contents= 1} result of `(:=)` = () Line 27: Property failure at loop invariant init with: c = {contents= 1} Check model 1 ("bench/check-ce/jlamp0_mono.mlw", line 27, characters 18-31) Checking model: File jlamp0_mono.mlw: Line 7: c = {"type": "Record", "val": {"Field": [{"field": "contents", "value": {"type": "Integer", "val": "10"}}]}} Line 9: c = {"type": "Record", "val": {"Field": [{"field": "contents", "value": {"type": "Integer", "val": "12"}}]}} Line 11: a = {"type": "Record", "val": {"Field": [{"field": "contents", "value": {"type": "Integer", "val": "0"}}]}} a = {"type": "Record", "val": {"Field": [{"field": "contents", "value": {"type": "Integer", "val": "0"}}]}} Line 20: c = {"type": "Record", "val": {"Field": [{"field": "contents", "value": {"type": "Integer", "val": "10"}}]}} Line 25: c = {"type": "Record", "val": {"Field": [{"field": "contents", "value": {"type": "Integer", "val": "1"}}]}} c = {"type": "Record", "val": {"Field": [{"field": "contents", "value": {"type": "Integer", "val": "1"}}]}} Line 26: a = {"type": "Record", "val": {"Field": [{"field": "contents", "value": {"type": "Integer", "val": "3"}}]}} a = {"type": "Record", "val": {"Field": [{"field": "contents", "value": {"type": "Integer", "val": "3"}}]}} c = {"type": "Record", "val": {"Field": [{"field": "contents", "value": {"type": "Integer", "val": "10"}}]}} c = {"type": "Record", "val": {"Field": [{"field": "contents", "value": {"type": "Integer", "val": "10"}}]}} Line 27: c = {"type": "Record", "val": {"Field": [{"field": "contents", "value": {"type": "Integer", "val": "12"}}]}} Line 30: a = {"type": "Record", "val": {"Field": [{"field": "contents", "value": {"type": "Integer", "val": "13"}}]}} a = {"type": "Record", "val": {"Field": [{"field": "contents", "value": {"type": "Integer", "val": "13"}}]}} Line 31: c = {"type": "Record", "val": {"Field": [{"field": "contents", "value": {"type": "Integer", "val": "12"}}]}} c = {"type": "Record", "val": {"Field": [{"field": "contents", "value": {"type": "Integer", "val": "12"}}]}} Giant-step RAC RHS evaluated for global `zero` at "WHY3DATA/stdlib/int.mlw", line 13, characters 15-19: 0 RHS evaluated for global `one` at "WHY3DATA/stdlib/int.mlw", line 14, characters 15-18: 1 Value from model for global `a` at "bench/check-ce/jlamp0_mono.mlw", line 11, characters 6-7: {contents= 0} Value from model for global `c` at "bench/check-ce/jlamp0_mono.mlw", line 20, characters 6-7: {contents= 10} Type default value for parameter `_` at NO LOC: () Value from model for variable `c` at "bench/check-ce/jlamp0_mono.mlw", line 25, characters 4-10 at "bench/check-ce/jlamp0_mono.mlw", line 25, characters 4-10: {contents= 1} Type default value for return value of call to (:=) at "bench/check-ce/jlamp0_mono.mlw", line 25, characters 4-10 at "bench/check-ce/jlamp0_mono.mlw", line 25, characters 4-10: () Normal RAC RHS evaluated for global `zero` at "WHY3DATA/stdlib/int.mlw", line 13, characters 15-19: 0 RHS evaluated for global `one` at "WHY3DATA/stdlib/int.mlw", line 14, characters 15-18: 1 Value from model for global `a` at "bench/check-ce/jlamp0_mono.mlw", line 11, characters 6-7: {contents= 0} Value from model for global `c` at "bench/check-ce/jlamp0_mono.mlw", line 20, characters 6-7: {contents= 10} Type default value for parameter `_` at NO LOC: () Result of checking model 1: NC - Concrete RAC: FAILURE (loop invariant init at "bench/check-ce/jlamp0_mono.mlw", line 27, characters 18-31) File int.mlw: Line 13: Constant zero initialization zero = 0 Line 14: Constant one initialization one = 1 File jlamp0_mono.mlw: Line 11: a = {contents= 0} Line 20: c = {contents= 10} Unknown location: _ = () File jlamp0_mono.mlw: Line 22: _ = () Execution of main function `p2` with env: a = {contents= 0} c = {contents= 10} _ = () zero = 0 one = 1 Line 25: Normal execution of function `(:=)` with args: x = {contents= 10} v = 1 Line 27: Property failure at loop invariant init with: c = {contents= 1} - Abstract RAC: FAILURE (loop invariant init at "bench/check-ce/jlamp0_mono.mlw", line 27, characters 18-31) File int.mlw: Line 13: Constant zero initialization zero = 0 Line 14: Constant one initialization one = 1 File jlamp0_mono.mlw: Line 11: a = {contents= 0} Line 20: c = {contents= 10} Unknown location: _ = () File jlamp0_mono.mlw: Line 22: _ = () Execution of main function `p2` with env: a = {contents= 0} c = {contents= 10} _ = () zero = 0 one = 1 Line 25: Giant-step execution of function `(:=)` with args: x = {contents= 10} v = 1 c = {contents= 1} result of `(:=)` = () Line 27: Property failure at loop invariant init with: c = {contents= 1} Results: - Selected model 0: NC - Concrete RAC: FAILURE (loop invariant init at "bench/check-ce/jlamp0_mono.mlw", line 27, characters 18-31) - Abstract RAC: FAILURE (loop invariant init at "bench/check-ce/jlamp0_mono.mlw", line 27, characters 18-31) - Checked model 1: NC - Concrete RAC: FAILURE (loop invariant init at "bench/check-ce/jlamp0_mono.mlw", line 27, characters 18-31) - Abstract RAC: FAILURE (loop invariant init at "bench/check-ce/jlamp0_mono.mlw", line 27, characters 18-31) File "bench/check-ce/jlamp0_mono.mlw", line 27, characters 18-31: Sub-goal Loop invariant preservation of goal p2'vc. Prover result is: Unknown (sat) (0.01s, 1559 steps). The program does not comply to the verification goal, for example during the following execution: File int.mlw: Line 13: Constant zero initialization zero = 0 Line 14: Constant one initialization one = 1 File jlamp0_mono.mlw: Line 11: a = {contents= 0} Line 20: c = {contents= 10} Unknown location: _ = () File jlamp0_mono.mlw: Line 22: _ = () Execution of main function `p2` with env: a = {contents= 0} c = {contents= 10} _ = () zero = 0 one = 1 Line 25: Normal execution of function `(:=)` with args: x = {contents= 10} v = 1 Line 27: Property failure at loop invariant init with: c = {contents= 1} Check model 0 ("bench/check-ce/jlamp0_mono.mlw", line 28, characters 18-31) Checking model: File jlamp0_mono.mlw: Line 7: c = {"type": "Record", "val": {"Field": [{"field": "contents", "value": {"type": "Integer", "val": "2"}}]}} Line 9: c = {"type": "Record", "val": {"Field": [{"field": "contents", "value": {"type": "Integer", "val": "4"}}]}} Line 11: a = {"type": "Record", "val": {"Field": [{"field": "contents", "value": {"type": "Integer", "val": "0"}}]}} a = {"type": "Record", "val": {"Field": [{"field": "contents", "value": {"type": "Integer", "val": "0"}}]}} Line 20: c = {"type": "Record", "val": {"Field": [{"field": "contents", "value": {"type": "Integer", "val": "2"}}]}} Line 25: c = {"type": "Record", "val": {"Field": [{"field": "contents", "value": {"type": "Integer", "val": "1"}}]}} c = {"type": "Record", "val": {"Field": [{"field": "contents", "value": {"type": "Integer", "val": "1"}}]}} Line 26: a = {"type": "Record", "val": {"Field": [{"field": "contents", "value": {"type": "Integer", "val": "9"}}]}} a = {"type": "Record", "val": {"Field": [{"field": "contents", "value": {"type": "Integer", "val": "9"}}]}} c = {"type": "Record", "val": {"Field": [{"field": "contents", "value": {"type": "Integer", "val": "2"}}]}} c = {"type": "Record", "val": {"Field": [{"field": "contents", "value": {"type": "Integer", "val": "2"}}]}} Line 28: a = {"type": "Record", "val": {"Field": [{"field": "contents", "value": {"type": "Integer", "val": "11"}}]}} a = {"type": "Record", "val": {"Field": [{"field": "contents", "value": {"type": "Integer", "val": "11"}}]}} Line 30: a = {"type": "Record", "val": {"Field": [{"field": "contents", "value": {"type": "Integer", "val": "11"}}]}} a = {"type": "Record", "val": {"Field": [{"field": "contents", "value": {"type": "Integer", "val": "11"}}]}} Line 31: c = {"type": "Record", "val": {"Field": [{"field": "contents", "value": {"type": "Integer", "val": "4"}}]}} c = {"type": "Record", "val": {"Field": [{"field": "contents", "value": {"type": "Integer", "val": "4"}}]}} Giant-step RAC RHS evaluated for global `zero` at "WHY3DATA/stdlib/int.mlw", line 13, characters 15-19: 0 RHS evaluated for global `one` at "WHY3DATA/stdlib/int.mlw", line 14, characters 15-18: 1 Value from model for global `a` at "bench/check-ce/jlamp0_mono.mlw", line 11, characters 6-7: {contents= 0} Value from model for global `c` at "bench/check-ce/jlamp0_mono.mlw", line 20, characters 6-7: {contents= 2} Type default value for parameter `_` at NO LOC: () Value from model for variable `c` at "bench/check-ce/jlamp0_mono.mlw", line 25, characters 4-10 at "bench/check-ce/jlamp0_mono.mlw", line 25, characters 4-10: {contents= 1} Type default value for return value of call to (:=) at "bench/check-ce/jlamp0_mono.mlw", line 25, characters 4-10 at "bench/check-ce/jlamp0_mono.mlw", line 25, characters 4-10: () Normal RAC RHS evaluated for global `zero` at "WHY3DATA/stdlib/int.mlw", line 13, characters 15-19: 0 RHS evaluated for global `one` at "WHY3DATA/stdlib/int.mlw", line 14, characters 15-18: 1 Value from model for global `a` at "bench/check-ce/jlamp0_mono.mlw", line 11, characters 6-7: {contents= 0} Value from model for global `c` at "bench/check-ce/jlamp0_mono.mlw", line 20, characters 6-7: {contents= 2} Type default value for parameter `_` at NO LOC: () Result of checking model 0: BAD_CE - Concrete RAC: FAILURE (loop invariant init at "bench/check-ce/jlamp0_mono.mlw", line 27, characters 18-31) File int.mlw: Line 13: Constant zero initialization zero = 0 Line 14: Constant one initialization one = 1 File jlamp0_mono.mlw: Line 11: a = {contents= 0} Line 20: c = {contents= 2} Unknown location: _ = () File jlamp0_mono.mlw: Line 22: _ = () Execution of main function `p2` with env: a = {contents= 0} c = {contents= 2} _ = () zero = 0 one = 1 Line 25: Normal execution of function `(:=)` with args: x = {contents= 2} v = 1 Line 27: Property failure at loop invariant init with: c = {contents= 1} - Abstract RAC: FAILURE (loop invariant init at "bench/check-ce/jlamp0_mono.mlw", line 27, characters 18-31) File int.mlw: Line 13: Constant zero initialization zero = 0 Line 14: Constant one initialization one = 1 File jlamp0_mono.mlw: Line 11: a = {contents= 0} Line 20: c = {contents= 2} Unknown location: _ = () File jlamp0_mono.mlw: Line 22: _ = () Execution of main function `p2` with env: a = {contents= 0} c = {contents= 2} _ = () zero = 0 one = 1 Line 25: Giant-step execution of function `(:=)` with args: x = {contents= 2} v = 1 c = {contents= 1} result of `(:=)` = () Line 27: Property failure at loop invariant init with: c = {contents= 1} Check model 1 ("bench/check-ce/jlamp0_mono.mlw", line 28, characters 18-31) Checking model: File jlamp0_mono.mlw: Line 7: c = {"type": "Record", "val": {"Field": [{"field": "contents", "value": {"type": "Integer", "val": "2"}}]}} Line 9: c = {"type": "Record", "val": {"Field": [{"field": "contents", "value": {"type": "Integer", "val": "4"}}]}} Line 11: a = {"type": "Record", "val": {"Field": [{"field": "contents", "value": {"type": "Integer", "val": "0"}}]}} a = {"type": "Record", "val": {"Field": [{"field": "contents", "value": {"type": "Integer", "val": "0"}}]}} Line 20: c = {"type": "Record", "val": {"Field": [{"field": "contents", "value": {"type": "Integer", "val": "2"}}]}} Line 25: c = {"type": "Record", "val": {"Field": [{"field": "contents", "value": {"type": "Integer", "val": "1"}}]}} c = {"type": "Record", "val": {"Field": [{"field": "contents", "value": {"type": "Integer", "val": "1"}}]}} Line 26: a = {"type": "Record", "val": {"Field": [{"field": "contents", "value": {"type": "Integer", "val": "9"}}]}} a = {"type": "Record", "val": {"Field": [{"field": "contents", "value": {"type": "Integer", "val": "9"}}]}} c = {"type": "Record", "val": {"Field": [{"field": "contents", "value": {"type": "Integer", "val": "2"}}]}} c = {"type": "Record", "val": {"Field": [{"field": "contents", "value": {"type": "Integer", "val": "2"}}]}} Line 28: a = {"type": "Record", "val": {"Field": [{"field": "contents", "value": {"type": "Integer", "val": "11"}}]}} a = {"type": "Record", "val": {"Field": [{"field": "contents", "value": {"type": "Integer", "val": "11"}}]}} Line 30: a = {"type": "Record", "val": {"Field": [{"field": "contents", "value": {"type": "Integer", "val": "11"}}]}} a = {"type": "Record", "val": {"Field": [{"field": "contents", "value": {"type": "Integer", "val": "11"}}]}} Line 31: c = {"type": "Record", "val": {"Field": [{"field": "contents", "value": {"type": "Integer", "val": "4"}}]}} c = {"type": "Record", "val": {"Field": [{"field": "contents", "value": {"type": "Integer", "val": "4"}}]}} Giant-step RAC RHS evaluated for global `zero` at "WHY3DATA/stdlib/int.mlw", line 13, characters 15-19: 0 RHS evaluated for global `one` at "WHY3DATA/stdlib/int.mlw", line 14, characters 15-18: 1 Value from model for global `a` at "bench/check-ce/jlamp0_mono.mlw", line 11, characters 6-7: {contents= 0} Value from model for global `c` at "bench/check-ce/jlamp0_mono.mlw", line 20, characters 6-7: {contents= 2} Type default value for parameter `_` at NO LOC: () Value from model for variable `c` at "bench/check-ce/jlamp0_mono.mlw", line 25, characters 4-10 at "bench/check-ce/jlamp0_mono.mlw", line 25, characters 4-10: {contents= 1} Type default value for return value of call to (:=) at "bench/check-ce/jlamp0_mono.mlw", line 25, characters 4-10 at "bench/check-ce/jlamp0_mono.mlw", line 25, characters 4-10: () Normal RAC RHS evaluated for global `zero` at "WHY3DATA/stdlib/int.mlw", line 13, characters 15-19: 0 RHS evaluated for global `one` at "WHY3DATA/stdlib/int.mlw", line 14, characters 15-18: 1 Value from model for global `a` at "bench/check-ce/jlamp0_mono.mlw", line 11, characters 6-7: {contents= 0} Value from model for global `c` at "bench/check-ce/jlamp0_mono.mlw", line 20, characters 6-7: {contents= 2} Type default value for parameter `_` at NO LOC: () Result of checking model 1: BAD_CE - Concrete RAC: FAILURE (loop invariant init at "bench/check-ce/jlamp0_mono.mlw", line 27, characters 18-31) File int.mlw: Line 13: Constant zero initialization zero = 0 Line 14: Constant one initialization one = 1 File jlamp0_mono.mlw: Line 11: a = {contents= 0} Line 20: c = {contents= 2} Unknown location: _ = () File jlamp0_mono.mlw: Line 22: _ = () Execution of main function `p2` with env: a = {contents= 0} c = {contents= 2} _ = () zero = 0 one = 1 Line 25: Normal execution of function `(:=)` with args: x = {contents= 2} v = 1 Line 27: Property failure at loop invariant init with: c = {contents= 1} - Abstract RAC: FAILURE (loop invariant init at "bench/check-ce/jlamp0_mono.mlw", line 27, characters 18-31) File int.mlw: Line 13: Constant zero initialization zero = 0 Line 14: Constant one initialization one = 1 File jlamp0_mono.mlw: Line 11: a = {contents= 0} Line 20: c = {contents= 2} Unknown location: _ = () File jlamp0_mono.mlw: Line 22: _ = () Execution of main function `p2` with env: a = {contents= 0} c = {contents= 2} _ = () zero = 0 one = 1 Line 25: Giant-step execution of function `(:=)` with args: x = {contents= 2} v = 1 c = {contents= 1} result of `(:=)` = () Line 27: Property failure at loop invariant init with: c = {contents= 1} Results: - Checked model 0: BAD_CE - Concrete RAC: FAILURE (loop invariant init at "bench/check-ce/jlamp0_mono.mlw", line 27, characters 18-31) - Abstract RAC: FAILURE (loop invariant init at "bench/check-ce/jlamp0_mono.mlw", line 27, characters 18-31) - Selected model 1: BAD_CE - Concrete RAC: FAILURE (loop invariant init at "bench/check-ce/jlamp0_mono.mlw", line 27, characters 18-31) - Abstract RAC: FAILURE (loop invariant init at "bench/check-ce/jlamp0_mono.mlw", line 27, characters 18-31) File "bench/check-ce/jlamp0_mono.mlw", line 28, characters 18-31: Sub-goal Loop invariant preservation of goal p2'vc. Prover result is: Unknown (sat) (0.00s, 1608 steps). Sorry, we don't have a good counterexample for you :( Check model 0 ("bench/check-ce/jlamp0_mono.mlw", line 24, characters 15-28) Checking model: File jlamp0_mono.mlw: Line 7: c = {"type": "Record", "val": {"Field": [{"field": "contents", "value": {"type": "Integer", "val": "11"}}]}} Line 9: c = {"type": "Record", "val": {"Field": [{"field": "contents", "value": {"type": "Integer", "val": "1"}}]}} Line 11: a = {"type": "Record", "val": {"Field": [{"field": "contents", "value": {"type": "Integer", "val": "0"}}]}} a = {"type": "Record", "val": {"Field": [{"field": "contents", "value": {"type": "Integer", "val": "0"}}]}} Line 20: c = {"type": "Record", "val": {"Field": [{"field": "contents", "value": {"type": "Integer", "val": "11"}}]}} Line 24: a = {"type": "Record", "val": {"Field": [{"field": "contents", "value": {"type": "Integer", "val": "3"}}]}} a = {"type": "Record", "val": {"Field": [{"field": "contents", "value": {"type": "Integer", "val": "3"}}]}} Line 25: c = {"type": "Record", "val": {"Field": [{"field": "contents", "value": {"type": "Integer", "val": "1"}}]}} c = {"type": "Record", "val": {"Field": [{"field": "contents", "value": {"type": "Integer", "val": "1"}}]}} Line 26: a = {"type": "Record", "val": {"Field": [{"field": "contents", "value": {"type": "Integer", "val": "3"}}]}} a = {"type": "Record", "val": {"Field": [{"field": "contents", "value": {"type": "Integer", "val": "3"}}]}} c = {"type": "Record", "val": {"Field": [{"field": "contents", "value": {"type": "Integer", "val": "11"}}]}} c = {"type": "Record", "val": {"Field": [{"field": "contents", "value": {"type": "Integer", "val": "11"}}]}} Giant-step RAC RHS evaluated for global `zero` at "WHY3DATA/stdlib/int.mlw", line 13, characters 15-19: 0 RHS evaluated for global `one` at "WHY3DATA/stdlib/int.mlw", line 14, characters 15-18: 1 Value from model for global `a` at "bench/check-ce/jlamp0_mono.mlw", line 11, characters 6-7: {contents= 0} Value from model for global `c` at "bench/check-ce/jlamp0_mono.mlw", line 20, characters 6-7: {contents= 11} Type default value for parameter `_` at NO LOC: () Value from model for variable `c` at "bench/check-ce/jlamp0_mono.mlw", line 25, characters 4-10 at "bench/check-ce/jlamp0_mono.mlw", line 25, characters 4-10: {contents= 1} Type default value for return value of call to (:=) at "bench/check-ce/jlamp0_mono.mlw", line 25, characters 4-10 at "bench/check-ce/jlamp0_mono.mlw", line 25, characters 4-10: () Normal RAC RHS evaluated for global `zero` at "WHY3DATA/stdlib/int.mlw", line 13, characters 15-19: 0 RHS evaluated for global `one` at "WHY3DATA/stdlib/int.mlw", line 14, characters 15-18: 1 Value from model for global `a` at "bench/check-ce/jlamp0_mono.mlw", line 11, characters 6-7: {contents= 0} Value from model for global `c` at "bench/check-ce/jlamp0_mono.mlw", line 20, characters 6-7: {contents= 11} Type default value for parameter `_` at NO LOC: () Result of checking model 0: BAD_CE - Concrete RAC: FAILURE (loop invariant init at "bench/check-ce/jlamp0_mono.mlw", line 27, characters 18-31) File int.mlw: Line 13: Constant zero initialization zero = 0 Line 14: Constant one initialization one = 1 File jlamp0_mono.mlw: Line 11: a = {contents= 0} Line 20: c = {contents= 11} Unknown location: _ = () File jlamp0_mono.mlw: Line 22: _ = () Execution of main function `p2` with env: a = {contents= 0} c = {contents= 11} _ = () zero = 0 one = 1 Line 25: Normal execution of function `(:=)` with args: x = {contents= 11} v = 1 Line 27: Property failure at loop invariant init with: c = {contents= 1} - Abstract RAC: FAILURE (loop invariant init at "bench/check-ce/jlamp0_mono.mlw", line 27, characters 18-31) File int.mlw: Line 13: Constant zero initialization zero = 0 Line 14: Constant one initialization one = 1 File jlamp0_mono.mlw: Line 11: a = {contents= 0} Line 20: c = {contents= 11} Unknown location: _ = () File jlamp0_mono.mlw: Line 22: _ = () Execution of main function `p2` with env: a = {contents= 0} c = {contents= 11} _ = () zero = 0 one = 1 Line 25: Giant-step execution of function `(:=)` with args: x = {contents= 11} v = 1 c = {contents= 1} result of `(:=)` = () Line 27: Property failure at loop invariant init with: c = {contents= 1} Check model 1 ("bench/check-ce/jlamp0_mono.mlw", line 24, characters 15-28) Checking model: File jlamp0_mono.mlw: Line 7: c = {"type": "Record", "val": {"Field": [{"field": "contents", "value": {"type": "Integer", "val": "11"}}]}} Line 9: c = {"type": "Record", "val": {"Field": [{"field": "contents", "value": {"type": "Integer", "val": "1"}}]}} Line 11: a = {"type": "Record", "val": {"Field": [{"field": "contents", "value": {"type": "Integer", "val": "0"}}]}} a = {"type": "Record", "val": {"Field": [{"field": "contents", "value": {"type": "Integer", "val": "0"}}]}} Line 20: c = {"type": "Record", "val": {"Field": [{"field": "contents", "value": {"type": "Integer", "val": "11"}}]}} Line 24: a = {"type": "Record", "val": {"Field": [{"field": "contents", "value": {"type": "Integer", "val": "3"}}]}} a = {"type": "Record", "val": {"Field": [{"field": "contents", "value": {"type": "Integer", "val": "3"}}]}} Line 25: c = {"type": "Record", "val": {"Field": [{"field": "contents", "value": {"type": "Integer", "val": "1"}}]}} c = {"type": "Record", "val": {"Field": [{"field": "contents", "value": {"type": "Integer", "val": "1"}}]}} Line 26: a = {"type": "Record", "val": {"Field": [{"field": "contents", "value": {"type": "Integer", "val": "3"}}]}} a = {"type": "Record", "val": {"Field": [{"field": "contents", "value": {"type": "Integer", "val": "3"}}]}} c = {"type": "Record", "val": {"Field": [{"field": "contents", "value": {"type": "Integer", "val": "11"}}]}} c = {"type": "Record", "val": {"Field": [{"field": "contents", "value": {"type": "Integer", "val": "11"}}]}} Giant-step RAC RHS evaluated for global `zero` at "WHY3DATA/stdlib/int.mlw", line 13, characters 15-19: 0 RHS evaluated for global `one` at "WHY3DATA/stdlib/int.mlw", line 14, characters 15-18: 1 Value from model for global `a` at "bench/check-ce/jlamp0_mono.mlw", line 11, characters 6-7: {contents= 0} Value from model for global `c` at "bench/check-ce/jlamp0_mono.mlw", line 20, characters 6-7: {contents= 11} Type default value for parameter `_` at NO LOC: () Value from model for variable `c` at "bench/check-ce/jlamp0_mono.mlw", line 25, characters 4-10 at "bench/check-ce/jlamp0_mono.mlw", line 25, characters 4-10: {contents= 1} Type default value for return value of call to (:=) at "bench/check-ce/jlamp0_mono.mlw", line 25, characters 4-10 at "bench/check-ce/jlamp0_mono.mlw", line 25, characters 4-10: () Normal RAC RHS evaluated for global `zero` at "WHY3DATA/stdlib/int.mlw", line 13, characters 15-19: 0 RHS evaluated for global `one` at "WHY3DATA/stdlib/int.mlw", line 14, characters 15-18: 1 Value from model for global `a` at "bench/check-ce/jlamp0_mono.mlw", line 11, characters 6-7: {contents= 0} Value from model for global `c` at "bench/check-ce/jlamp0_mono.mlw", line 20, characters 6-7: {contents= 11} Type default value for parameter `_` at NO LOC: () Result of checking model 1: BAD_CE - Concrete RAC: FAILURE (loop invariant init at "bench/check-ce/jlamp0_mono.mlw", line 27, characters 18-31) File int.mlw: Line 13: Constant zero initialization zero = 0 Line 14: Constant one initialization one = 1 File jlamp0_mono.mlw: Line 11: a = {contents= 0} Line 20: c = {contents= 11} Unknown location: _ = () File jlamp0_mono.mlw: Line 22: _ = () Execution of main function `p2` with env: a = {contents= 0} c = {contents= 11} _ = () zero = 0 one = 1 Line 25: Normal execution of function `(:=)` with args: x = {contents= 11} v = 1 Line 27: Property failure at loop invariant init with: c = {contents= 1} - Abstract RAC: FAILURE (loop invariant init at "bench/check-ce/jlamp0_mono.mlw", line 27, characters 18-31) File int.mlw: Line 13: Constant zero initialization zero = 0 Line 14: Constant one initialization one = 1 File jlamp0_mono.mlw: Line 11: a = {contents= 0} Line 20: c = {contents= 11} Unknown location: _ = () File jlamp0_mono.mlw: Line 22: _ = () Execution of main function `p2` with env: a = {contents= 0} c = {contents= 11} _ = () zero = 0 one = 1 Line 25: Giant-step execution of function `(:=)` with args: x = {contents= 11} v = 1 c = {contents= 1} result of `(:=)` = () Line 27: Property failure at loop invariant init with: c = {contents= 1} Results: - Checked model 0: BAD_CE - Concrete RAC: FAILURE (loop invariant init at "bench/check-ce/jlamp0_mono.mlw", line 27, characters 18-31) - Abstract RAC: FAILURE (loop invariant init at "bench/check-ce/jlamp0_mono.mlw", line 27, characters 18-31) - Selected model 1: BAD_CE - Concrete RAC: FAILURE (loop invariant init at "bench/check-ce/jlamp0_mono.mlw", line 27, characters 18-31) - Abstract RAC: FAILURE (loop invariant init at "bench/check-ce/jlamp0_mono.mlw", line 27, characters 18-31) File "bench/check-ce/jlamp0_mono.mlw", line 24, characters 15-28: Sub-goal Postcondition of goal p2'vc. Prover result is: Unknown (sat) (0.01s, 1213 steps). Sorry, we don't have a good counterexample for you :( File "bench/check-ce/jlamp0_mono.mlw", line 40, characters 18-31: Sub-goal Loop invariant init of goal p3'vc. Prover result is: Valid (0.00s, 560 steps). Check model 0 ("bench/check-ce/jlamp0_mono.mlw", line 41, characters 18-31) Checking model: File jlamp0_mono.mlw: Line 11: a = {"type": "Record", "val": {"Field": [{"field": "contents", "value": {"type": "Integer", "val": "0"}}]}} a = {"type": "Record", "val": {"Field": [{"field": "contents", "value": {"type": "Integer", "val": "0"}}]}} Line 20: c = {"type": "Record", "val": {"Field": [{"field": "contents", "value": {"type": "Integer", "val": "3"}}]}} c = {"type": "Record", "val": {"Field": [{"field": "contents", "value": {"type": "Integer", "val": "3"}}]}} Line 41: a = {"type": "Record", "val": {"Field": [{"field": "contents", "value": {"type": "Integer", "val": "0"}}]}} Giant-step RAC RHS evaluated for global `zero` at "WHY3DATA/stdlib/int.mlw", line 13, characters 15-19: 0 RHS evaluated for global `one` at "WHY3DATA/stdlib/int.mlw", line 14, characters 15-18: 1 Value from model for global `a` at "bench/check-ce/jlamp0_mono.mlw", line 11, characters 6-7: {contents= 0} Value from model for global `c` at "bench/check-ce/jlamp0_mono.mlw", line 20, characters 6-7: {contents= 3} Type default value for parameter `_` at NO LOC: () Normal RAC RHS evaluated for global `zero` at "WHY3DATA/stdlib/int.mlw", line 13, characters 15-19: 0 RHS evaluated for global `one` at "WHY3DATA/stdlib/int.mlw", line 14, characters 15-18: 1 Value from model for global `a` at "bench/check-ce/jlamp0_mono.mlw", line 11, characters 6-7: {contents= 0} Value from model for global `c` at "bench/check-ce/jlamp0_mono.mlw", line 20, characters 6-7: {contents= 3} Type default value for parameter `_` at NO LOC: () Result of checking model 0: NC - Concrete RAC: FAILURE (loop invariant init at "bench/check-ce/jlamp0_mono.mlw", line 41, characters 18-31) File int.mlw: Line 13: Constant zero initialization zero = 0 Line 14: Constant one initialization one = 1 File jlamp0_mono.mlw: Line 11: a = {contents= 0} Line 20: c = {contents= 3} Unknown location: _ = () File jlamp0_mono.mlw: Line 34: _ = () Execution of main function `p3` with env: a = {contents= 0} c = {contents= 3} _ = () zero = 0 one = 1 Line 41: Property failure at loop invariant init with: a = {contents= 0} - Abstract RAC: FAILURE (loop invariant init at "bench/check-ce/jlamp0_mono.mlw", line 41, characters 18-31) File int.mlw: Line 13: Constant zero initialization zero = 0 Line 14: Constant one initialization one = 1 File jlamp0_mono.mlw: Line 11: a = {contents= 0} Line 20: c = {contents= 3} Unknown location: _ = () File jlamp0_mono.mlw: Line 34: _ = () Execution of main function `p3` with env: a = {contents= 0} c = {contents= 3} _ = () zero = 0 one = 1 Line 41: Property failure at loop invariant init with: a = {contents= 0} Check model 1 ("bench/check-ce/jlamp0_mono.mlw", line 41, characters 18-31) Checking model: File jlamp0_mono.mlw: Line 11: a = {"type": "Record", "val": {"Field": [{"field": "contents", "value": {"type": "Integer", "val": "0"}}]}} a = {"type": "Record", "val": {"Field": [{"field": "contents", "value": {"type": "Integer", "val": "0"}}]}} Line 20: c = {"type": "Record", "val": {"Field": [{"field": "contents", "value": {"type": "Integer", "val": "3"}}]}} c = {"type": "Record", "val": {"Field": [{"field": "contents", "value": {"type": "Integer", "val": "3"}}]}} Line 41: a = {"type": "Record", "val": {"Field": [{"field": "contents", "value": {"type": "Integer", "val": "0"}}]}} Giant-step RAC RHS evaluated for global `zero` at "WHY3DATA/stdlib/int.mlw", line 13, characters 15-19: 0 RHS evaluated for global `one` at "WHY3DATA/stdlib/int.mlw", line 14, characters 15-18: 1 Value from model for global `a` at "bench/check-ce/jlamp0_mono.mlw", line 11, characters 6-7: {contents= 0} Value from model for global `c` at "bench/check-ce/jlamp0_mono.mlw", line 20, characters 6-7: {contents= 3} Type default value for parameter `_` at NO LOC: () Normal RAC RHS evaluated for global `zero` at "WHY3DATA/stdlib/int.mlw", line 13, characters 15-19: 0 RHS evaluated for global `one` at "WHY3DATA/stdlib/int.mlw", line 14, characters 15-18: 1 Value from model for global `a` at "bench/check-ce/jlamp0_mono.mlw", line 11, characters 6-7: {contents= 0} Value from model for global `c` at "bench/check-ce/jlamp0_mono.mlw", line 20, characters 6-7: {contents= 3} Type default value for parameter `_` at NO LOC: () Result of checking model 1: NC - Concrete RAC: FAILURE (loop invariant init at "bench/check-ce/jlamp0_mono.mlw", line 41, characters 18-31) File int.mlw: Line 13: Constant zero initialization zero = 0 Line 14: Constant one initialization one = 1 File jlamp0_mono.mlw: Line 11: a = {contents= 0} Line 20: c = {contents= 3} Unknown location: _ = () File jlamp0_mono.mlw: Line 34: _ = () Execution of main function `p3` with env: a = {contents= 0} c = {contents= 3} _ = () zero = 0 one = 1 Line 41: Property failure at loop invariant init with: a = {contents= 0} - Abstract RAC: FAILURE (loop invariant init at "bench/check-ce/jlamp0_mono.mlw", line 41, characters 18-31) File int.mlw: Line 13: Constant zero initialization zero = 0 Line 14: Constant one initialization one = 1 File jlamp0_mono.mlw: Line 11: a = {contents= 0} Line 20: c = {contents= 3} Unknown location: _ = () File jlamp0_mono.mlw: Line 34: _ = () Execution of main function `p3` with env: a = {contents= 0} c = {contents= 3} _ = () zero = 0 one = 1 Line 41: Property failure at loop invariant init with: a = {contents= 0} Results: - Selected model 0: NC - Concrete RAC: FAILURE (loop invariant init at "bench/check-ce/jlamp0_mono.mlw", line 41, characters 18-31) - Abstract RAC: FAILURE (loop invariant init at "bench/check-ce/jlamp0_mono.mlw", line 41, characters 18-31) - Checked model 1: NC - Concrete RAC: FAILURE (loop invariant init at "bench/check-ce/jlamp0_mono.mlw", line 41, characters 18-31) - Abstract RAC: FAILURE (loop invariant init at "bench/check-ce/jlamp0_mono.mlw", line 41, characters 18-31) File "bench/check-ce/jlamp0_mono.mlw", line 41, characters 18-31: Sub-goal Loop invariant init of goal p3'vc. Prover result is: Unknown (sat) (0.01s, 972 steps). The program does not comply to the verification goal, for example during the following execution: File int.mlw: Line 13: Constant zero initialization zero = 0 Line 14: Constant one initialization one = 1 File jlamp0_mono.mlw: Line 11: a = {contents= 0} Line 20: c = {contents= 3} Unknown location: _ = () File jlamp0_mono.mlw: Line 34: _ = () Execution of main function `p3` with env: a = {contents= 0} c = {contents= 3} _ = () zero = 0 one = 1 Line 41: Property failure at loop invariant init with: a = {contents= 0} Check model 0 ("bench/check-ce/jlamp0_mono.mlw", line 42, characters 16-18) Checking model: File jlamp0_mono.mlw: Line 7: c = {"type": "Record", "val": {"Field": [{"field": "contents", "value": {"type": "Integer", "val": "2"}}]}} Line 9: c = {"type": "Record", "val": {"Field": [{"field": "contents", "value": {"type": "Integer", "val": "4"}}]}} Line 11: a = {"type": "Record", "val": {"Field": [{"field": "contents", "value": {"type": "Integer", "val": "0"}}]}} a = {"type": "Record", "val": {"Field": [{"field": "contents", "value": {"type": "Integer", "val": "0"}}]}} Line 20: c = {"type": "Record", "val": {"Field": [{"field": "contents", "value": {"type": "Integer", "val": "2"}}]}} c = {"type": "Record", "val": {"Field": [{"field": "contents", "value": {"type": "Integer", "val": "3"}}]}} Line 39: a = {"type": "Record", "val": {"Field": [{"field": "contents", "value": {"type": "Integer", "val": "10"}}]}} a = {"type": "Record", "val": {"Field": [{"field": "contents", "value": {"type": "Integer", "val": "10"}}]}} c = {"type": "Record", "val": {"Field": [{"field": "contents", "value": {"type": "Integer", "val": "2"}}]}} c = {"type": "Record", "val": {"Field": [{"field": "contents", "value": {"type": "Integer", "val": "2"}}]}} Line 42: c = {"type": "Record", "val": {"Field": [{"field": "contents", "value": {"type": "Integer", "val": "2"}}]}} Line 43: a = {"type": "Record", "val": {"Field": [{"field": "contents", "value": {"type": "Integer", "val": "12"}}]}} a = {"type": "Record", "val": {"Field": [{"field": "contents", "value": {"type": "Integer", "val": "12"}}]}} Line 44: c = {"type": "Record", "val": {"Field": [{"field": "contents", "value": {"type": "Integer", "val": "4"}}]}} c = {"type": "Record", "val": {"Field": [{"field": "contents", "value": {"type": "Integer", "val": "4"}}]}} Giant-step RAC RHS evaluated for global `zero` at "WHY3DATA/stdlib/int.mlw", line 13, characters 15-19: 0 RHS evaluated for global `one` at "WHY3DATA/stdlib/int.mlw", line 14, characters 15-18: 1 Value from model for global `a` at "bench/check-ce/jlamp0_mono.mlw", line 11, characters 6-7: {contents= 0} Value from model for global `c` at "bench/check-ce/jlamp0_mono.mlw", line 20, characters 6-7: {contents= 3} Type default value for parameter `_` at NO LOC: () Normal RAC RHS evaluated for global `zero` at "WHY3DATA/stdlib/int.mlw", line 13, characters 15-19: 0 RHS evaluated for global `one` at "WHY3DATA/stdlib/int.mlw", line 14, characters 15-18: 1 Value from model for global `a` at "bench/check-ce/jlamp0_mono.mlw", line 11, characters 6-7: {contents= 0} Value from model for global `c` at "bench/check-ce/jlamp0_mono.mlw", line 20, characters 6-7: {contents= 3} Type default value for parameter `_` at NO LOC: () Result of checking model 0: BAD_CE - Concrete RAC: FAILURE (loop invariant init at "bench/check-ce/jlamp0_mono.mlw", line 41, characters 18-31) File int.mlw: Line 13: Constant zero initialization zero = 0 Line 14: Constant one initialization one = 1 File jlamp0_mono.mlw: Line 11: a = {contents= 0} Line 20: c = {contents= 3} Unknown location: _ = () File jlamp0_mono.mlw: Line 34: _ = () Execution of main function `p3` with env: a = {contents= 0} c = {contents= 3} _ = () zero = 0 one = 1 Line 41: Property failure at loop invariant init with: a = {contents= 0} - Abstract RAC: FAILURE (loop invariant init at "bench/check-ce/jlamp0_mono.mlw", line 41, characters 18-31) File int.mlw: Line 13: Constant zero initialization zero = 0 Line 14: Constant one initialization one = 1 File jlamp0_mono.mlw: Line 11: a = {contents= 0} Line 20: c = {contents= 3} Unknown location: _ = () File jlamp0_mono.mlw: Line 34: _ = () Execution of main function `p3` with env: a = {contents= 0} c = {contents= 3} _ = () zero = 0 one = 1 Line 41: Property failure at loop invariant init with: a = {contents= 0} Check model 1 ("bench/check-ce/jlamp0_mono.mlw", line 42, characters 16-18) Checking model: File jlamp0_mono.mlw: Line 7: c = {"type": "Record", "val": {"Field": [{"field": "contents", "value": {"type": "Integer", "val": "2"}}]}} Line 9: c = {"type": "Record", "val": {"Field": [{"field": "contents", "value": {"type": "Integer", "val": "4"}}]}} Line 11: a = {"type": "Record", "val": {"Field": [{"field": "contents", "value": {"type": "Integer", "val": "0"}}]}} a = {"type": "Record", "val": {"Field": [{"field": "contents", "value": {"type": "Integer", "val": "0"}}]}} Line 20: c = {"type": "Record", "val": {"Field": [{"field": "contents", "value": {"type": "Integer", "val": "2"}}]}} c = {"type": "Record", "val": {"Field": [{"field": "contents", "value": {"type": "Integer", "val": "3"}}]}} Line 39: a = {"type": "Record", "val": {"Field": [{"field": "contents", "value": {"type": "Integer", "val": "10"}}]}} a = {"type": "Record", "val": {"Field": [{"field": "contents", "value": {"type": "Integer", "val": "10"}}]}} c = {"type": "Record", "val": {"Field": [{"field": "contents", "value": {"type": "Integer", "val": "2"}}]}} c = {"type": "Record", "val": {"Field": [{"field": "contents", "value": {"type": "Integer", "val": "2"}}]}} Line 42: c = {"type": "Record", "val": {"Field": [{"field": "contents", "value": {"type": "Integer", "val": "2"}}]}} Line 43: a = {"type": "Record", "val": {"Field": [{"field": "contents", "value": {"type": "Integer", "val": "12"}}]}} a = {"type": "Record", "val": {"Field": [{"field": "contents", "value": {"type": "Integer", "val": "12"}}]}} Line 44: c = {"type": "Record", "val": {"Field": [{"field": "contents", "value": {"type": "Integer", "val": "4"}}]}} c = {"type": "Record", "val": {"Field": [{"field": "contents", "value": {"type": "Integer", "val": "4"}}]}} Giant-step RAC RHS evaluated for global `zero` at "WHY3DATA/stdlib/int.mlw", line 13, characters 15-19: 0 RHS evaluated for global `one` at "WHY3DATA/stdlib/int.mlw", line 14, characters 15-18: 1 Value from model for global `a` at "bench/check-ce/jlamp0_mono.mlw", line 11, characters 6-7: {contents= 0} Value from model for global `c` at "bench/check-ce/jlamp0_mono.mlw", line 20, characters 6-7: {contents= 3} Type default value for parameter `_` at NO LOC: () Normal RAC RHS evaluated for global `zero` at "WHY3DATA/stdlib/int.mlw", line 13, characters 15-19: 0 RHS evaluated for global `one` at "WHY3DATA/stdlib/int.mlw", line 14, characters 15-18: 1 Value from model for global `a` at "bench/check-ce/jlamp0_mono.mlw", line 11, characters 6-7: {contents= 0} Value from model for global `c` at "bench/check-ce/jlamp0_mono.mlw", line 20, characters 6-7: {contents= 3} Type default value for parameter `_` at NO LOC: () Result of checking model 1: BAD_CE - Concrete RAC: FAILURE (loop invariant init at "bench/check-ce/jlamp0_mono.mlw", line 41, characters 18-31) File int.mlw: Line 13: Constant zero initialization zero = 0 Line 14: Constant one initialization one = 1 File jlamp0_mono.mlw: Line 11: a = {contents= 0} Line 20: c = {contents= 3} Unknown location: _ = () File jlamp0_mono.mlw: Line 34: _ = () Execution of main function `p3` with env: a = {contents= 0} c = {contents= 3} _ = () zero = 0 one = 1 Line 41: Property failure at loop invariant init with: a = {contents= 0} - Abstract RAC: FAILURE (loop invariant init at "bench/check-ce/jlamp0_mono.mlw", line 41, characters 18-31) File int.mlw: Line 13: Constant zero initialization zero = 0 Line 14: Constant one initialization one = 1 File jlamp0_mono.mlw: Line 11: a = {contents= 0} Line 20: c = {contents= 3} Unknown location: _ = () File jlamp0_mono.mlw: Line 34: _ = () Execution of main function `p3` with env: a = {contents= 0} c = {contents= 3} _ = () zero = 0 one = 1 Line 41: Property failure at loop invariant init with: a = {contents= 0} Results: - Checked model 0: BAD_CE - Concrete RAC: FAILURE (loop invariant init at "bench/check-ce/jlamp0_mono.mlw", line 41, characters 18-31) - Abstract RAC: FAILURE (loop invariant init at "bench/check-ce/jlamp0_mono.mlw", line 41, characters 18-31) - Selected model 1: BAD_CE - Concrete RAC: FAILURE (loop invariant init at "bench/check-ce/jlamp0_mono.mlw", line 41, characters 18-31) - Abstract RAC: FAILURE (loop invariant init at "bench/check-ce/jlamp0_mono.mlw", line 41, characters 18-31) File "bench/check-ce/jlamp0_mono.mlw", line 42, characters 16-18: Sub-goal Loop variant decrease of goal p3'vc. Prover result is: Unknown (sat) (0.01s, 1543 steps). Sorry, we don't have a good counterexample for you :( Check model 0 ("bench/check-ce/jlamp0_mono.mlw", line 40, characters 18-31) Checking model: File jlamp0_mono.mlw: Line 7: c = {"type": "Record", "val": {"Field": [{"field": "contents", "value": {"type": "Integer", "val": "10"}}]}} Line 9: c = {"type": "Record", "val": {"Field": [{"field": "contents", "value": {"type": "Integer", "val": "12"}}]}} Line 11: a = {"type": "Record", "val": {"Field": [{"field": "contents", "value": {"type": "Integer", "val": "0"}}]}} a = {"type": "Record", "val": {"Field": [{"field": "contents", "value": {"type": "Integer", "val": "0"}}]}} Line 20: c = {"type": "Record", "val": {"Field": [{"field": "contents", "value": {"type": "Integer", "val": "10"}}]}} c = {"type": "Record", "val": {"Field": [{"field": "contents", "value": {"type": "Integer", "val": "3"}}]}} Line 39: a = {"type": "Record", "val": {"Field": [{"field": "contents", "value": {"type": "Integer", "val": "10"}}]}} a = {"type": "Record", "val": {"Field": [{"field": "contents", "value": {"type": "Integer", "val": "10"}}]}} c = {"type": "Record", "val": {"Field": [{"field": "contents", "value": {"type": "Integer", "val": "10"}}]}} c = {"type": "Record", "val": {"Field": [{"field": "contents", "value": {"type": "Integer", "val": "10"}}]}} Line 40: c = {"type": "Record", "val": {"Field": [{"field": "contents", "value": {"type": "Integer", "val": "12"}}]}} Line 43: a = {"type": "Record", "val": {"Field": [{"field": "contents", "value": {"type": "Integer", "val": "20"}}]}} a = {"type": "Record", "val": {"Field": [{"field": "contents", "value": {"type": "Integer", "val": "20"}}]}} Line 44: c = {"type": "Record", "val": {"Field": [{"field": "contents", "value": {"type": "Integer", "val": "12"}}]}} c = {"type": "Record", "val": {"Field": [{"field": "contents", "value": {"type": "Integer", "val": "12"}}]}} Giant-step RAC RHS evaluated for global `zero` at "WHY3DATA/stdlib/int.mlw", line 13, characters 15-19: 0 RHS evaluated for global `one` at "WHY3DATA/stdlib/int.mlw", line 14, characters 15-18: 1 Value from model for global `a` at "bench/check-ce/jlamp0_mono.mlw", line 11, characters 6-7: {contents= 0} Value from model for global `c` at "bench/check-ce/jlamp0_mono.mlw", line 20, characters 6-7: {contents= 3} Type default value for parameter `_` at NO LOC: () Normal RAC RHS evaluated for global `zero` at "WHY3DATA/stdlib/int.mlw", line 13, characters 15-19: 0 RHS evaluated for global `one` at "WHY3DATA/stdlib/int.mlw", line 14, characters 15-18: 1 Value from model for global `a` at "bench/check-ce/jlamp0_mono.mlw", line 11, characters 6-7: {contents= 0} Value from model for global `c` at "bench/check-ce/jlamp0_mono.mlw", line 20, characters 6-7: {contents= 3} Type default value for parameter `_` at NO LOC: () Result of checking model 0: BAD_CE - Concrete RAC: FAILURE (loop invariant init at "bench/check-ce/jlamp0_mono.mlw", line 41, characters 18-31) File int.mlw: Line 13: Constant zero initialization zero = 0 Line 14: Constant one initialization one = 1 File jlamp0_mono.mlw: Line 11: a = {contents= 0} Line 20: c = {contents= 3} Unknown location: _ = () File jlamp0_mono.mlw: Line 34: _ = () Execution of main function `p3` with env: a = {contents= 0} c = {contents= 3} _ = () zero = 0 one = 1 Line 41: Property failure at loop invariant init with: a = {contents= 0} - Abstract RAC: FAILURE (loop invariant init at "bench/check-ce/jlamp0_mono.mlw", line 41, characters 18-31) File int.mlw: Line 13: Constant zero initialization zero = 0 Line 14: Constant one initialization one = 1 File jlamp0_mono.mlw: Line 11: a = {contents= 0} Line 20: c = {contents= 3} Unknown location: _ = () File jlamp0_mono.mlw: Line 34: _ = () Execution of main function `p3` with env: a = {contents= 0} c = {contents= 3} _ = () zero = 0 one = 1 Line 41: Property failure at loop invariant init with: a = {contents= 0} Check model 1 ("bench/check-ce/jlamp0_mono.mlw", line 40, characters 18-31) Checking model: File jlamp0_mono.mlw: Line 7: c = {"type": "Record", "val": {"Field": [{"field": "contents", "value": {"type": "Integer", "val": "10"}}]}} Line 9: c = {"type": "Record", "val": {"Field": [{"field": "contents", "value": {"type": "Integer", "val": "12"}}]}} Line 11: a = {"type": "Record", "val": {"Field": [{"field": "contents", "value": {"type": "Integer", "val": "0"}}]}} a = {"type": "Record", "val": {"Field": [{"field": "contents", "value": {"type": "Integer", "val": "0"}}]}} Line 20: c = {"type": "Record", "val": {"Field": [{"field": "contents", "value": {"type": "Integer", "val": "10"}}]}} c = {"type": "Record", "val": {"Field": [{"field": "contents", "value": {"type": "Integer", "val": "3"}}]}} Line 39: a = {"type": "Record", "val": {"Field": [{"field": "contents", "value": {"type": "Integer", "val": "10"}}]}} a = {"type": "Record", "val": {"Field": [{"field": "contents", "value": {"type": "Integer", "val": "10"}}]}} c = {"type": "Record", "val": {"Field": [{"field": "contents", "value": {"type": "Integer", "val": "10"}}]}} c = {"type": "Record", "val": {"Field": [{"field": "contents", "value": {"type": "Integer", "val": "10"}}]}} Line 40: c = {"type": "Record", "val": {"Field": [{"field": "contents", "value": {"type": "Integer", "val": "12"}}]}} Line 43: a = {"type": "Record", "val": {"Field": [{"field": "contents", "value": {"type": "Integer", "val": "20"}}]}} a = {"type": "Record", "val": {"Field": [{"field": "contents", "value": {"type": "Integer", "val": "20"}}]}} Line 44: c = {"type": "Record", "val": {"Field": [{"field": "contents", "value": {"type": "Integer", "val": "12"}}]}} c = {"type": "Record", "val": {"Field": [{"field": "contents", "value": {"type": "Integer", "val": "12"}}]}} Giant-step RAC RHS evaluated for global `zero` at "WHY3DATA/stdlib/int.mlw", line 13, characters 15-19: 0 RHS evaluated for global `one` at "WHY3DATA/stdlib/int.mlw", line 14, characters 15-18: 1 Value from model for global `a` at "bench/check-ce/jlamp0_mono.mlw", line 11, characters 6-7: {contents= 0} Value from model for global `c` at "bench/check-ce/jlamp0_mono.mlw", line 20, characters 6-7: {contents= 3} Type default value for parameter `_` at NO LOC: () Normal RAC RHS evaluated for global `zero` at "WHY3DATA/stdlib/int.mlw", line 13, characters 15-19: 0 RHS evaluated for global `one` at "WHY3DATA/stdlib/int.mlw", line 14, characters 15-18: 1 Value from model for global `a` at "bench/check-ce/jlamp0_mono.mlw", line 11, characters 6-7: {contents= 0} Value from model for global `c` at "bench/check-ce/jlamp0_mono.mlw", line 20, characters 6-7: {contents= 3} Type default value for parameter `_` at NO LOC: () Result of checking model 1: BAD_CE - Concrete RAC: FAILURE (loop invariant init at "bench/check-ce/jlamp0_mono.mlw", line 41, characters 18-31) File int.mlw: Line 13: Constant zero initialization zero = 0 Line 14: Constant one initialization one = 1 File jlamp0_mono.mlw: Line 11: a = {contents= 0} Line 20: c = {contents= 3} Unknown location: _ = () File jlamp0_mono.mlw: Line 34: _ = () Execution of main function `p3` with env: a = {contents= 0} c = {contents= 3} _ = () zero = 0 one = 1 Line 41: Property failure at loop invariant init with: a = {contents= 0} - Abstract RAC: FAILURE (loop invariant init at "bench/check-ce/jlamp0_mono.mlw", line 41, characters 18-31) File int.mlw: Line 13: Constant zero initialization zero = 0 Line 14: Constant one initialization one = 1 File jlamp0_mono.mlw: Line 11: a = {contents= 0} Line 20: c = {contents= 3} Unknown location: _ = () File jlamp0_mono.mlw: Line 34: _ = () Execution of main function `p3` with env: a = {contents= 0} c = {contents= 3} _ = () zero = 0 one = 1 Line 41: Property failure at loop invariant init with: a = {contents= 0} Results: - Checked model 0: BAD_CE - Concrete RAC: FAILURE (loop invariant init at "bench/check-ce/jlamp0_mono.mlw", line 41, characters 18-31) - Abstract RAC: FAILURE (loop invariant init at "bench/check-ce/jlamp0_mono.mlw", line 41, characters 18-31) - Selected model 1: BAD_CE - Concrete RAC: FAILURE (loop invariant init at "bench/check-ce/jlamp0_mono.mlw", line 41, characters 18-31) - Abstract RAC: FAILURE (loop invariant init at "bench/check-ce/jlamp0_mono.mlw", line 41, characters 18-31) File "bench/check-ce/jlamp0_mono.mlw", line 40, characters 18-31: Sub-goal Loop invariant preservation of goal p3'vc. Prover result is: Unknown (sat) (0.01s, 1707 steps). Sorry, we don't have a good counterexample for you :( Check model 0 ("bench/check-ce/jlamp0_mono.mlw", line 41, characters 18-31) Checking model: File jlamp0_mono.mlw: Line 7: c = {"type": "Record", "val": {"Field": [{"field": "contents", "value": {"type": "Integer", "val": "2"}}]}} Line 9: c = {"type": "Record", "val": {"Field": [{"field": "contents", "value": {"type": "Integer", "val": "4"}}]}} Line 11: a = {"type": "Record", "val": {"Field": [{"field": "contents", "value": {"type": "Integer", "val": "0"}}]}} a = {"type": "Record", "val": {"Field": [{"field": "contents", "value": {"type": "Integer", "val": "0"}}]}} Line 20: c = {"type": "Record", "val": {"Field": [{"field": "contents", "value": {"type": "Integer", "val": "2"}}]}} c = {"type": "Record", "val": {"Field": [{"field": "contents", "value": {"type": "Integer", "val": "3"}}]}} Line 39: a = {"type": "Record", "val": {"Field": [{"field": "contents", "value": {"type": "Integer", "val": "9"}}]}} a = {"type": "Record", "val": {"Field": [{"field": "contents", "value": {"type": "Integer", "val": "9"}}]}} c = {"type": "Record", "val": {"Field": [{"field": "contents", "value": {"type": "Integer", "val": "2"}}]}} c = {"type": "Record", "val": {"Field": [{"field": "contents", "value": {"type": "Integer", "val": "2"}}]}} Line 41: a = {"type": "Record", "val": {"Field": [{"field": "contents", "value": {"type": "Integer", "val": "11"}}]}} a = {"type": "Record", "val": {"Field": [{"field": "contents", "value": {"type": "Integer", "val": "11"}}]}} Line 43: a = {"type": "Record", "val": {"Field": [{"field": "contents", "value": {"type": "Integer", "val": "11"}}]}} a = {"type": "Record", "val": {"Field": [{"field": "contents", "value": {"type": "Integer", "val": "11"}}]}} Line 44: c = {"type": "Record", "val": {"Field": [{"field": "contents", "value": {"type": "Integer", "val": "4"}}]}} c = {"type": "Record", "val": {"Field": [{"field": "contents", "value": {"type": "Integer", "val": "4"}}]}} Giant-step RAC RHS evaluated for global `zero` at "WHY3DATA/stdlib/int.mlw", line 13, characters 15-19: 0 RHS evaluated for global `one` at "WHY3DATA/stdlib/int.mlw", line 14, characters 15-18: 1 Value from model for global `a` at "bench/check-ce/jlamp0_mono.mlw", line 11, characters 6-7: {contents= 0} Value from model for global `c` at "bench/check-ce/jlamp0_mono.mlw", line 20, characters 6-7: {contents= 3} Type default value for parameter `_` at NO LOC: () Normal RAC RHS evaluated for global `zero` at "WHY3DATA/stdlib/int.mlw", line 13, characters 15-19: 0 RHS evaluated for global `one` at "WHY3DATA/stdlib/int.mlw", line 14, characters 15-18: 1 Value from model for global `a` at "bench/check-ce/jlamp0_mono.mlw", line 11, characters 6-7: {contents= 0} Value from model for global `c` at "bench/check-ce/jlamp0_mono.mlw", line 20, characters 6-7: {contents= 3} Type default value for parameter `_` at NO LOC: () Result of checking model 0: NC - Concrete RAC: FAILURE (loop invariant init at "bench/check-ce/jlamp0_mono.mlw", line 41, characters 18-31) File int.mlw: Line 13: Constant zero initialization zero = 0 Line 14: Constant one initialization one = 1 File jlamp0_mono.mlw: Line 11: a = {contents= 0} Line 20: c = {contents= 3} Unknown location: _ = () File jlamp0_mono.mlw: Line 34: _ = () Execution of main function `p3` with env: a = {contents= 0} c = {contents= 3} _ = () zero = 0 one = 1 Line 41: Property failure at loop invariant init with: a = {contents= 0} - Abstract RAC: FAILURE (loop invariant init at "bench/check-ce/jlamp0_mono.mlw", line 41, characters 18-31) File int.mlw: Line 13: Constant zero initialization zero = 0 Line 14: Constant one initialization one = 1 File jlamp0_mono.mlw: Line 11: a = {contents= 0} Line 20: c = {contents= 3} Unknown location: _ = () File jlamp0_mono.mlw: Line 34: _ = () Execution of main function `p3` with env: a = {contents= 0} c = {contents= 3} _ = () zero = 0 one = 1 Line 41: Property failure at loop invariant init with: a = {contents= 0} Check model 1 ("bench/check-ce/jlamp0_mono.mlw", line 41, characters 18-31) Checking model: File jlamp0_mono.mlw: Line 7: c = {"type": "Record", "val": {"Field": [{"field": "contents", "value": {"type": "Integer", "val": "2"}}]}} Line 9: c = {"type": "Record", "val": {"Field": [{"field": "contents", "value": {"type": "Integer", "val": "4"}}]}} Line 11: a = {"type": "Record", "val": {"Field": [{"field": "contents", "value": {"type": "Integer", "val": "0"}}]}} a = {"type": "Record", "val": {"Field": [{"field": "contents", "value": {"type": "Integer", "val": "0"}}]}} Line 20: c = {"type": "Record", "val": {"Field": [{"field": "contents", "value": {"type": "Integer", "val": "2"}}]}} c = {"type": "Record", "val": {"Field": [{"field": "contents", "value": {"type": "Integer", "val": "3"}}]}} Line 39: a = {"type": "Record", "val": {"Field": [{"field": "contents", "value": {"type": "Integer", "val": "9"}}]}} a = {"type": "Record", "val": {"Field": [{"field": "contents", "value": {"type": "Integer", "val": "9"}}]}} c = {"type": "Record", "val": {"Field": [{"field": "contents", "value": {"type": "Integer", "val": "2"}}]}} c = {"type": "Record", "val": {"Field": [{"field": "contents", "value": {"type": "Integer", "val": "2"}}]}} Line 41: a = {"type": "Record", "val": {"Field": [{"field": "contents", "value": {"type": "Integer", "val": "11"}}]}} a = {"type": "Record", "val": {"Field": [{"field": "contents", "value": {"type": "Integer", "val": "11"}}]}} Line 43: a = {"type": "Record", "val": {"Field": [{"field": "contents", "value": {"type": "Integer", "val": "11"}}]}} a = {"type": "Record", "val": {"Field": [{"field": "contents", "value": {"type": "Integer", "val": "11"}}]}} Line 44: c = {"type": "Record", "val": {"Field": [{"field": "contents", "value": {"type": "Integer", "val": "4"}}]}} c = {"type": "Record", "val": {"Field": [{"field": "contents", "value": {"type": "Integer", "val": "4"}}]}} Giant-step RAC RHS evaluated for global `zero` at "WHY3DATA/stdlib/int.mlw", line 13, characters 15-19: 0 RHS evaluated for global `one` at "WHY3DATA/stdlib/int.mlw", line 14, characters 15-18: 1 Value from model for global `a` at "bench/check-ce/jlamp0_mono.mlw", line 11, characters 6-7: {contents= 0} Value from model for global `c` at "bench/check-ce/jlamp0_mono.mlw", line 20, characters 6-7: {contents= 3} Type default value for parameter `_` at NO LOC: () Normal RAC RHS evaluated for global `zero` at "WHY3DATA/stdlib/int.mlw", line 13, characters 15-19: 0 RHS evaluated for global `one` at "WHY3DATA/stdlib/int.mlw", line 14, characters 15-18: 1 Value from model for global `a` at "bench/check-ce/jlamp0_mono.mlw", line 11, characters 6-7: {contents= 0} Value from model for global `c` at "bench/check-ce/jlamp0_mono.mlw", line 20, characters 6-7: {contents= 3} Type default value for parameter `_` at NO LOC: () Result of checking model 1: NC - Concrete RAC: FAILURE (loop invariant init at "bench/check-ce/jlamp0_mono.mlw", line 41, characters 18-31) File int.mlw: Line 13: Constant zero initialization zero = 0 Line 14: Constant one initialization one = 1 File jlamp0_mono.mlw: Line 11: a = {contents= 0} Line 20: c = {contents= 3} Unknown location: _ = () File jlamp0_mono.mlw: Line 34: _ = () Execution of main function `p3` with env: a = {contents= 0} c = {contents= 3} _ = () zero = 0 one = 1 Line 41: Property failure at loop invariant init with: a = {contents= 0} - Abstract RAC: FAILURE (loop invariant init at "bench/check-ce/jlamp0_mono.mlw", line 41, characters 18-31) File int.mlw: Line 13: Constant zero initialization zero = 0 Line 14: Constant one initialization one = 1 File jlamp0_mono.mlw: Line 11: a = {contents= 0} Line 20: c = {contents= 3} Unknown location: _ = () File jlamp0_mono.mlw: Line 34: _ = () Execution of main function `p3` with env: a = {contents= 0} c = {contents= 3} _ = () zero = 0 one = 1 Line 41: Property failure at loop invariant init with: a = {contents= 0} Results: - Selected model 0: NC - Concrete RAC: FAILURE (loop invariant init at "bench/check-ce/jlamp0_mono.mlw", line 41, characters 18-31) - Abstract RAC: FAILURE (loop invariant init at "bench/check-ce/jlamp0_mono.mlw", line 41, characters 18-31) - Checked model 1: NC - Concrete RAC: FAILURE (loop invariant init at "bench/check-ce/jlamp0_mono.mlw", line 41, characters 18-31) - Abstract RAC: FAILURE (loop invariant init at "bench/check-ce/jlamp0_mono.mlw", line 41, characters 18-31) File "bench/check-ce/jlamp0_mono.mlw", line 41, characters 18-31: Sub-goal Loop invariant preservation of goal p3'vc. Prover result is: Unknown (sat) (0.00s, 1640 steps). The program does not comply to the verification goal, for example during the following execution: File int.mlw: Line 13: Constant zero initialization zero = 0 Line 14: Constant one initialization one = 1 File jlamp0_mono.mlw: Line 11: a = {contents= 0} Line 20: c = {contents= 3} Unknown location: _ = () File jlamp0_mono.mlw: Line 34: _ = () Execution of main function `p3` with env: a = {contents= 0} c = {contents= 3} _ = () zero = 0 one = 1 Line 41: Property failure at loop invariant init with: a = {contents= 0} Check model 0 ("bench/check-ce/jlamp0_mono.mlw", line 37, characters 15-28) Checking model: File jlamp0_mono.mlw: Line 7: c = {"type": "Record", "val": {"Field": [{"field": "contents", "value": {"type": "Integer", "val": "11"}}]}} Line 11: a = {"type": "Record", "val": {"Field": [{"field": "contents", "value": {"type": "Integer", "val": "0"}}]}} a = {"type": "Record", "val": {"Field": [{"field": "contents", "value": {"type": "Integer", "val": "0"}}]}} Line 20: c = {"type": "Record", "val": {"Field": [{"field": "contents", "value": {"type": "Integer", "val": "11"}}]}} c = {"type": "Record", "val": {"Field": [{"field": "contents", "value": {"type": "Integer", "val": "3"}}]}} Line 37: a = {"type": "Record", "val": {"Field": [{"field": "contents", "value": {"type": "Integer", "val": "6"}}]}} a = {"type": "Record", "val": {"Field": [{"field": "contents", "value": {"type": "Integer", "val": "6"}}]}} Line 39: a = {"type": "Record", "val": {"Field": [{"field": "contents", "value": {"type": "Integer", "val": "6"}}]}} a = {"type": "Record", "val": {"Field": [{"field": "contents", "value": {"type": "Integer", "val": "6"}}]}} c = {"type": "Record", "val": {"Field": [{"field": "contents", "value": {"type": "Integer", "val": "11"}}]}} c = {"type": "Record", "val": {"Field": [{"field": "contents", "value": {"type": "Integer", "val": "11"}}]}} Giant-step RAC RHS evaluated for global `zero` at "WHY3DATA/stdlib/int.mlw", line 13, characters 15-19: 0 RHS evaluated for global `one` at "WHY3DATA/stdlib/int.mlw", line 14, characters 15-18: 1 Value from model for global `a` at "bench/check-ce/jlamp0_mono.mlw", line 11, characters 6-7: {contents= 0} Value from model for global `c` at "bench/check-ce/jlamp0_mono.mlw", line 20, characters 6-7: {contents= 3} Type default value for parameter `_` at NO LOC: () Normal RAC RHS evaluated for global `zero` at "WHY3DATA/stdlib/int.mlw", line 13, characters 15-19: 0 RHS evaluated for global `one` at "WHY3DATA/stdlib/int.mlw", line 14, characters 15-18: 1 Value from model for global `a` at "bench/check-ce/jlamp0_mono.mlw", line 11, characters 6-7: {contents= 0} Value from model for global `c` at "bench/check-ce/jlamp0_mono.mlw", line 20, characters 6-7: {contents= 3} Type default value for parameter `_` at NO LOC: () Result of checking model 0: BAD_CE - Concrete RAC: FAILURE (loop invariant init at "bench/check-ce/jlamp0_mono.mlw", line 41, characters 18-31) File int.mlw: Line 13: Constant zero initialization zero = 0 Line 14: Constant one initialization one = 1 File jlamp0_mono.mlw: Line 11: a = {contents= 0} Line 20: c = {contents= 3} Unknown location: _ = () File jlamp0_mono.mlw: Line 34: _ = () Execution of main function `p3` with env: a = {contents= 0} c = {contents= 3} _ = () zero = 0 one = 1 Line 41: Property failure at loop invariant init with: a = {contents= 0} - Abstract RAC: FAILURE (loop invariant init at "bench/check-ce/jlamp0_mono.mlw", line 41, characters 18-31) File int.mlw: Line 13: Constant zero initialization zero = 0 Line 14: Constant one initialization one = 1 File jlamp0_mono.mlw: Line 11: a = {contents= 0} Line 20: c = {contents= 3} Unknown location: _ = () File jlamp0_mono.mlw: Line 34: _ = () Execution of main function `p3` with env: a = {contents= 0} c = {contents= 3} _ = () zero = 0 one = 1 Line 41: Property failure at loop invariant init with: a = {contents= 0} Check model 1 ("bench/check-ce/jlamp0_mono.mlw", line 37, characters 15-28) Checking model: File jlamp0_mono.mlw: Line 7: c = {"type": "Record", "val": {"Field": [{"field": "contents", "value": {"type": "Integer", "val": "11"}}]}} Line 11: a = {"type": "Record", "val": {"Field": [{"field": "contents", "value": {"type": "Integer", "val": "0"}}]}} a = {"type": "Record", "val": {"Field": [{"field": "contents", "value": {"type": "Integer", "val": "0"}}]}} Line 20: c = {"type": "Record", "val": {"Field": [{"field": "contents", "value": {"type": "Integer", "val": "11"}}]}} c = {"type": "Record", "val": {"Field": [{"field": "contents", "value": {"type": "Integer", "val": "3"}}]}} Line 37: a = {"type": "Record", "val": {"Field": [{"field": "contents", "value": {"type": "Integer", "val": "6"}}]}} a = {"type": "Record", "val": {"Field": [{"field": "contents", "value": {"type": "Integer", "val": "6"}}]}} Line 39: a = {"type": "Record", "val": {"Field": [{"field": "contents", "value": {"type": "Integer", "val": "6"}}]}} a = {"type": "Record", "val": {"Field": [{"field": "contents", "value": {"type": "Integer", "val": "6"}}]}} c = {"type": "Record", "val": {"Field": [{"field": "contents", "value": {"type": "Integer", "val": "11"}}]}} c = {"type": "Record", "val": {"Field": [{"field": "contents", "value": {"type": "Integer", "val": "11"}}]}} Giant-step RAC RHS evaluated for global `zero` at "WHY3DATA/stdlib/int.mlw", line 13, characters 15-19: 0 RHS evaluated for global `one` at "WHY3DATA/stdlib/int.mlw", line 14, characters 15-18: 1 Value from model for global `a` at "bench/check-ce/jlamp0_mono.mlw", line 11, characters 6-7: {contents= 0} Value from model for global `c` at "bench/check-ce/jlamp0_mono.mlw", line 20, characters 6-7: {contents= 3} Type default value for parameter `_` at NO LOC: () Normal RAC RHS evaluated for global `zero` at "WHY3DATA/stdlib/int.mlw", line 13, characters 15-19: 0 RHS evaluated for global `one` at "WHY3DATA/stdlib/int.mlw", line 14, characters 15-18: 1 Value from model for global `a` at "bench/check-ce/jlamp0_mono.mlw", line 11, characters 6-7: {contents= 0} Value from model for global `c` at "bench/check-ce/jlamp0_mono.mlw", line 20, characters 6-7: {contents= 3} Type default value for parameter `_` at NO LOC: () Result of checking model 1: BAD_CE - Concrete RAC: FAILURE (loop invariant init at "bench/check-ce/jlamp0_mono.mlw", line 41, characters 18-31) File int.mlw: Line 13: Constant zero initialization zero = 0 Line 14: Constant one initialization one = 1 File jlamp0_mono.mlw: Line 11: a = {contents= 0} Line 20: c = {contents= 3} Unknown location: _ = () File jlamp0_mono.mlw: Line 34: _ = () Execution of main function `p3` with env: a = {contents= 0} c = {contents= 3} _ = () zero = 0 one = 1 Line 41: Property failure at loop invariant init with: a = {contents= 0} - Abstract RAC: FAILURE (loop invariant init at "bench/check-ce/jlamp0_mono.mlw", line 41, characters 18-31) File int.mlw: Line 13: Constant zero initialization zero = 0 Line 14: Constant one initialization one = 1 File jlamp0_mono.mlw: Line 11: a = {contents= 0} Line 20: c = {contents= 3} Unknown location: _ = () File jlamp0_mono.mlw: Line 34: _ = () Execution of main function `p3` with env: a = {contents= 0} c = {contents= 3} _ = () zero = 0 one = 1 Line 41: Property failure at loop invariant init with: a = {contents= 0} Results: - Checked model 0: BAD_CE - Concrete RAC: FAILURE (loop invariant init at "bench/check-ce/jlamp0_mono.mlw", line 41, characters 18-31) - Abstract RAC: FAILURE (loop invariant init at "bench/check-ce/jlamp0_mono.mlw", line 41, characters 18-31) - Selected model 1: BAD_CE - Concrete RAC: FAILURE (loop invariant init at "bench/check-ce/jlamp0_mono.mlw", line 41, characters 18-31) - Abstract RAC: FAILURE (loop invariant init at "bench/check-ce/jlamp0_mono.mlw", line 41, characters 18-31) File "bench/check-ce/jlamp0_mono.mlw", line 37, characters 15-28: Sub-goal Postcondition of goal p3'vc. Prover result is: Unknown (sat) (0.01s, 1249 steps). Sorry, we don't have a good counterexample for you :( why3-1.6.0/bench/check-ce/oracles/jlamp0_poly_CVC4,1.8_SP.oracle000066400000000000000000000223751440160026300236670ustar00rootroot00000000000000Categorizations of models: - Selected model 0: NC - Concrete RAC: FAILURE (assertion at "bench/check-ce/jlamp0_poly.mlw", line 12, characters 13-26) - Abstract RAC: FAILURE (assertion at "bench/check-ce/jlamp0_poly.mlw", line 12, characters 13-26) - Checked model 1: NC - Concrete RAC: FAILURE (assertion at "bench/check-ce/jlamp0_poly.mlw", line 12, characters 13-26) - Abstract RAC: FAILURE (assertion at "bench/check-ce/jlamp0_poly.mlw", line 12, characters 13-26) File "bench/check-ce/jlamp0_poly.mlw", line 12, characters 13-26: Sub-goal Assertion of goal p1'vc. Prover result is: Unknown or time/memory/step limit. The program does not comply to the verification goal, for example during the following execution: File int.mlw: Line 13: Constant zero initialization zero = 0 Line 14: Constant one initialization one = 1 File jlamp0_poly.mlw: Line 6: a = {contents= 0} Line 8: b = {contents= 3} b = {contents= 3} Execution of main function `p1` with env: a = {contents= 0} b = {contents= 3} zero = 0 one = 1 Line 11: Normal execution of function `(!)` with args: r = {contents= 3} File ref.mlw: Line 18: Normal execution of function `contents` with args: arg = {contents= 3} File jlamp0_poly.mlw: Line 11: Normal execution of function `(!)` with args: r = {contents= 0} File ref.mlw: Line 18: Normal execution of function `contents` with args: arg = {contents= 0} File jlamp0_poly.mlw: Line 11: Normal execution of function `(+)` with args: _ = 0 _ = 3 Normal execution of function `(:=)` with args: r = {contents= 0} v = 3 Line 12: Property failure at assertion with: a = {contents= 3} Categorizations of models: - Selected model 0: NC - Concrete RAC: FAILURE (postcondition at "bench/check-ce/jlamp0_poly.mlw", line 10, characters 15-29) - Abstract RAC: FAILURE (postcondition at "bench/check-ce/jlamp0_poly.mlw", line 10, characters 15-29) - Checked model 1: NC - Concrete RAC: FAILURE (postcondition at "bench/check-ce/jlamp0_poly.mlw", line 10, characters 15-29) - Abstract RAC: FAILURE (postcondition at "bench/check-ce/jlamp0_poly.mlw", line 10, characters 15-29) File "bench/check-ce/jlamp0_poly.mlw", line 10, characters 15-29: Sub-goal Postcondition of goal p1'vc. Prover result is: Unknown or time/memory/step limit. The program does not comply to the verification goal, for example during the following execution: File int.mlw: Line 13: Constant zero initialization zero = 0 Line 14: Constant one initialization one = 1 File jlamp0_poly.mlw: Line 6: a = {contents= 0} Line 8: b = {contents= 5} b = {contents= 5} Execution of main function `p1` with env: a = {contents= 0} b = {contents= 5} zero = 0 one = 1 Line 11: Normal execution of function `(!)` with args: r = {contents= 5} File ref.mlw: Line 18: Normal execution of function `contents` with args: arg = {contents= 5} File jlamp0_poly.mlw: Line 11: Normal execution of function `(!)` with args: r = {contents= 0} File ref.mlw: Line 18: Normal execution of function `contents` with args: arg = {contents= 0} File jlamp0_poly.mlw: Line 11: Normal execution of function `(+)` with args: _ = 0 _ = 5 Normal execution of function `(:=)` with args: r = {contents= 0} v = 5 Line 13: Normal execution of function `(!)` with args: r = {contents= 5} File ref.mlw: Line 18: Normal execution of function `contents` with args: arg = {contents= 5} File jlamp0_poly.mlw: Line 13: Normal execution of function `(>=)` with args: x = 5 y = 10 Normal execution of function `Tuple0` with args: Line 10: Property failure at postcondition of `p1` with: a = {contents= 5} Categorizations of models: - Selected model 0: NC - Concrete RAC: FAILURE (loop invariant init at "bench/check-ce/jlamp0_poly.mlw", line 22, characters 18-31) - Abstract RAC: FAILURE (loop invariant init at "bench/check-ce/jlamp0_poly.mlw", line 22, characters 18-31) - Checked model 1: NC - Concrete RAC: FAILURE (loop invariant init at "bench/check-ce/jlamp0_poly.mlw", line 22, characters 18-31) - Abstract RAC: FAILURE (loop invariant init at "bench/check-ce/jlamp0_poly.mlw", line 22, characters 18-31) File "bench/check-ce/jlamp0_poly.mlw", line 22, characters 18-31: Sub-goal Loop invariant init of goal p2'vc. Prover result is: Unknown or time/memory/step limit. The program does not comply to the verification goal, for example during the following execution: File int.mlw: Line 13: Constant zero initialization zero = 0 Line 14: Constant one initialization one = 1 File jlamp0_poly.mlw: Line 6: a = {contents= 0} Line 15: Constant c initialization (giant-step) execution of unimplemented function with args: result = {contents= 0} c = {contents= 0} Unknown location: _ = () File jlamp0_poly.mlw: Line 17: _ = () Execution of main function `p2` with env: a = {contents= 0} c = {contents= 0} _ = () zero = 0 one = 1 Line 20: Normal execution of function `(:=)` with args: r = {contents= 0} v = 1 Line 22: Property failure at loop invariant init with: c = {contents= 1} File "bench/check-ce/jlamp0_poly.mlw", line 23, characters 18-31: Sub-goal Loop invariant init of goal p2'vc. Prover result is: Valid. Categorizations of models: - Checked model 0: BAD_CE - Concrete RAC: FAILURE (loop invariant init at "bench/check-ce/jlamp0_poly.mlw", line 22, characters 18-31) - Abstract RAC: FAILURE (loop invariant init at "bench/check-ce/jlamp0_poly.mlw", line 22, characters 18-31) - Selected model 1: BAD_CE - Concrete RAC: FAILURE (loop invariant init at "bench/check-ce/jlamp0_poly.mlw", line 22, characters 18-31) - Abstract RAC: FAILURE (loop invariant init at "bench/check-ce/jlamp0_poly.mlw", line 22, characters 18-31) File "bench/check-ce/jlamp0_poly.mlw", line 24, characters 16-18: Sub-goal Loop variant decrease of goal p2'vc. Prover result is: Unknown or time/memory/step limit. Sorry, we don't have a good counterexample for you :( Categorizations of models: - Selected model 0: NC - Concrete RAC: FAILURE (loop invariant init at "bench/check-ce/jlamp0_poly.mlw", line 22, characters 18-31) - Abstract RAC: FAILURE (loop invariant init at "bench/check-ce/jlamp0_poly.mlw", line 22, characters 18-31) - Checked model 1: NC - Concrete RAC: FAILURE (loop invariant init at "bench/check-ce/jlamp0_poly.mlw", line 22, characters 18-31) - Abstract RAC: FAILURE (loop invariant init at "bench/check-ce/jlamp0_poly.mlw", line 22, characters 18-31) File "bench/check-ce/jlamp0_poly.mlw", line 22, characters 18-31: Sub-goal Loop invariant preservation of goal p2'vc. Prover result is: Unknown or time/memory/step limit. The program does not comply to the verification goal, for example during the following execution: File int.mlw: Line 13: Constant zero initialization zero = 0 Line 14: Constant one initialization one = 1 File jlamp0_poly.mlw: Line 6: a = {contents= 0} Line 15: Constant c initialization (giant-step) execution of unimplemented function with args: result = {contents= 0} c = {contents= 0} Unknown location: _ = () File jlamp0_poly.mlw: Line 17: _ = () Execution of main function `p2` with env: a = {contents= 0} c = {contents= 0} _ = () zero = 0 one = 1 Line 20: Normal execution of function `(:=)` with args: r = {contents= 0} v = 1 Line 22: Property failure at loop invariant init with: c = {contents= 1} Categorizations of models: - Checked model 0: BAD_CE - Concrete RAC: FAILURE (loop invariant init at "bench/check-ce/jlamp0_poly.mlw", line 22, characters 18-31) - Abstract RAC: FAILURE (loop invariant init at "bench/check-ce/jlamp0_poly.mlw", line 22, characters 18-31) - Selected model 1: BAD_CE - Concrete RAC: FAILURE (loop invariant init at "bench/check-ce/jlamp0_poly.mlw", line 22, characters 18-31) - Abstract RAC: FAILURE (loop invariant init at "bench/check-ce/jlamp0_poly.mlw", line 22, characters 18-31) File "bench/check-ce/jlamp0_poly.mlw", line 23, characters 18-31: Sub-goal Loop invariant preservation of goal p2'vc. Prover result is: Unknown or time/memory/step limit. Sorry, we don't have a good counterexample for you :( Categorizations of models: - Checked model 0: BAD_CE - Concrete RAC: FAILURE (loop invariant init at "bench/check-ce/jlamp0_poly.mlw", line 22, characters 18-31) - Abstract RAC: FAILURE (loop invariant init at "bench/check-ce/jlamp0_poly.mlw", line 22, characters 18-31) - Selected model 1: BAD_CE - Concrete RAC: FAILURE (loop invariant init at "bench/check-ce/jlamp0_poly.mlw", line 22, characters 18-31) - Abstract RAC: FAILURE (loop invariant init at "bench/check-ce/jlamp0_poly.mlw", line 22, characters 18-31) File "bench/check-ce/jlamp0_poly.mlw", line 19, characters 15-28: Sub-goal Postcondition of goal p2'vc. Prover result is: Unknown or time/memory/step limit. Sorry, we don't have a good counterexample for you :( why3-1.6.0/bench/check-ce/oracles/jlamp0_poly_CVC4,1.8_WP.oracle000066400000000000000000000276151440160026300236750ustar00rootroot00000000000000Categorizations of models: - Selected model 0: NC - Concrete RAC: FAILURE (assertion at "bench/check-ce/jlamp0_poly.mlw", line 12, characters 13-26) - Abstract RAC: FAILURE (assertion at "bench/check-ce/jlamp0_poly.mlw", line 12, characters 13-26) - Checked model 1: NC - Concrete RAC: FAILURE (assertion at "bench/check-ce/jlamp0_poly.mlw", line 12, characters 13-26) - Abstract RAC: FAILURE (assertion at "bench/check-ce/jlamp0_poly.mlw", line 12, characters 13-26) File "bench/check-ce/jlamp0_poly.mlw", line 12, characters 13-26: Sub-goal Assertion of goal p1'vc. Prover result is: Unknown or time/memory/step limit. The program does not comply to the verification goal, for example during the following execution: File int.mlw: Line 13: Constant zero initialization zero = 0 Line 14: Constant one initialization one = 1 File jlamp0_poly.mlw: Line 6: a = {contents= 0} Line 8: b = {contents= 3} b = {contents= 3} Execution of main function `p1` with env: a = {contents= 0} b = {contents= 3} zero = 0 one = 1 Line 11: Normal execution of function `(!)` with args: r = {contents= 3} File ref.mlw: Line 18: Normal execution of function `contents` with args: arg = {contents= 3} File jlamp0_poly.mlw: Line 11: Normal execution of function `(!)` with args: r = {contents= 0} File ref.mlw: Line 18: Normal execution of function `contents` with args: arg = {contents= 0} File jlamp0_poly.mlw: Line 11: Normal execution of function `(+)` with args: _ = 0 _ = 3 Normal execution of function `(:=)` with args: r = {contents= 0} v = 3 Line 12: Property failure at assertion with: a = {contents= 3} Categorizations of models: - Selected model 0: NC - Concrete RAC: FAILURE (postcondition at "bench/check-ce/jlamp0_poly.mlw", line 10, characters 15-29) - Abstract RAC: FAILURE (postcondition at "bench/check-ce/jlamp0_poly.mlw", line 10, characters 15-29) - Checked model 1: NC - Concrete RAC: FAILURE (postcondition at "bench/check-ce/jlamp0_poly.mlw", line 10, characters 15-29) - Abstract RAC: FAILURE (postcondition at "bench/check-ce/jlamp0_poly.mlw", line 10, characters 15-29) File "bench/check-ce/jlamp0_poly.mlw", line 10, characters 15-29: Sub-goal Postcondition of goal p1'vc. Prover result is: Unknown or time/memory/step limit. The program does not comply to the verification goal, for example during the following execution: File int.mlw: Line 13: Constant zero initialization zero = 0 Line 14: Constant one initialization one = 1 File jlamp0_poly.mlw: Line 6: a = {contents= 0} Line 8: b = {contents= 10} b = {contents= 10} Execution of main function `p1` with env: a = {contents= 0} b = {contents= 10} zero = 0 one = 1 Line 11: Normal execution of function `(!)` with args: r = {contents= 10} File ref.mlw: Line 18: Normal execution of function `contents` with args: arg = {contents= 10} File jlamp0_poly.mlw: Line 11: Normal execution of function `(!)` with args: r = {contents= 0} File ref.mlw: Line 18: Normal execution of function `contents` with args: arg = {contents= 0} File jlamp0_poly.mlw: Line 11: Normal execution of function `(+)` with args: _ = 0 _ = 10 Normal execution of function `(:=)` with args: r = {contents= 0} v = 10 Line 13: Normal execution of function `(!)` with args: r = {contents= 10} File ref.mlw: Line 18: Normal execution of function `contents` with args: arg = {contents= 10} File jlamp0_poly.mlw: Line 13: Normal execution of function `(>=)` with args: x = 10 y = 10 Normal execution of function `(!)` with args: r = {contents= 10} File ref.mlw: Line 18: Normal execution of function `contents` with args: arg = {contents= 10} File jlamp0_poly.mlw: Line 13: Normal execution of function `(-)` with args: x = 10 y = 1 File int.mlw: Line 23: Normal execution of function `(-_)` with args: _ = 1 Normal execution of function `(+)` with args: _ = 10 _ = (-1) File jlamp0_poly.mlw: Line 13: Normal execution of function `(:=)` with args: r = {contents= 10} v = 9 Line 10: Property failure at postcondition of `p1` with: a = {contents= 9} Categorizations of models: - Selected model 0: NC - Concrete RAC: FAILURE (postcondition at "bench/check-ce/jlamp0_poly.mlw", line 10, characters 15-29) - Abstract RAC: FAILURE (postcondition at "bench/check-ce/jlamp0_poly.mlw", line 10, characters 15-29) - Checked model 1: NC - Concrete RAC: FAILURE (postcondition at "bench/check-ce/jlamp0_poly.mlw", line 10, characters 15-29) - Abstract RAC: FAILURE (postcondition at "bench/check-ce/jlamp0_poly.mlw", line 10, characters 15-29) File "bench/check-ce/jlamp0_poly.mlw", line 10, characters 15-29: Sub-goal Postcondition of goal p1'vc. Prover result is: Unknown or time/memory/step limit. The program does not comply to the verification goal, for example during the following execution: File int.mlw: Line 13: Constant zero initialization zero = 0 Line 14: Constant one initialization one = 1 File jlamp0_poly.mlw: Line 6: a = {contents= 0} Line 8: b = {contents= 5} b = {contents= 5} Execution of main function `p1` with env: a = {contents= 0} b = {contents= 5} zero = 0 one = 1 Line 11: Normal execution of function `(!)` with args: r = {contents= 5} File ref.mlw: Line 18: Normal execution of function `contents` with args: arg = {contents= 5} File jlamp0_poly.mlw: Line 11: Normal execution of function `(!)` with args: r = {contents= 0} File ref.mlw: Line 18: Normal execution of function `contents` with args: arg = {contents= 0} File jlamp0_poly.mlw: Line 11: Normal execution of function `(+)` with args: _ = 0 _ = 5 Normal execution of function `(:=)` with args: r = {contents= 0} v = 5 Line 13: Normal execution of function `(!)` with args: r = {contents= 5} File ref.mlw: Line 18: Normal execution of function `contents` with args: arg = {contents= 5} File jlamp0_poly.mlw: Line 13: Normal execution of function `(>=)` with args: x = 5 y = 10 Normal execution of function `Tuple0` with args: Line 10: Property failure at postcondition of `p1` with: a = {contents= 5} Categorizations of models: - Selected model 0: NC - Concrete RAC: FAILURE (loop invariant init at "bench/check-ce/jlamp0_poly.mlw", line 22, characters 18-31) - Abstract RAC: FAILURE (loop invariant init at "bench/check-ce/jlamp0_poly.mlw", line 22, characters 18-31) - Checked model 1: NC - Concrete RAC: FAILURE (loop invariant init at "bench/check-ce/jlamp0_poly.mlw", line 22, characters 18-31) - Abstract RAC: FAILURE (loop invariant init at "bench/check-ce/jlamp0_poly.mlw", line 22, characters 18-31) File "bench/check-ce/jlamp0_poly.mlw", line 22, characters 18-31: Sub-goal Loop invariant init of goal p2'vc. Prover result is: Unknown or time/memory/step limit. The program does not comply to the verification goal, for example during the following execution: File int.mlw: Line 13: Constant zero initialization zero = 0 Line 14: Constant one initialization one = 1 File jlamp0_poly.mlw: Line 6: a = {contents= 0} Line 15: Constant c initialization (giant-step) execution of unimplemented function with args: result = {contents= 0} c = {contents= 0} Unknown location: _ = () File jlamp0_poly.mlw: Line 17: _ = () Execution of main function `p2` with env: a = {contents= 0} c = {contents= 0} _ = () zero = 0 one = 1 Line 20: Normal execution of function `(:=)` with args: r = {contents= 0} v = 1 Line 22: Property failure at loop invariant init with: c = {contents= 1} File "bench/check-ce/jlamp0_poly.mlw", line 23, characters 18-31: Sub-goal Loop invariant init of goal p2'vc. Prover result is: Valid. Categorizations of models: - Checked model 0: BAD_CE - Concrete RAC: FAILURE (loop invariant init at "bench/check-ce/jlamp0_poly.mlw", line 22, characters 18-31) - Abstract RAC: FAILURE (loop invariant init at "bench/check-ce/jlamp0_poly.mlw", line 22, characters 18-31) - Selected model 1: BAD_CE - Concrete RAC: FAILURE (loop invariant init at "bench/check-ce/jlamp0_poly.mlw", line 22, characters 18-31) - Abstract RAC: FAILURE (loop invariant init at "bench/check-ce/jlamp0_poly.mlw", line 22, characters 18-31) File "bench/check-ce/jlamp0_poly.mlw", line 24, characters 16-18: Sub-goal Loop variant decrease of goal p2'vc. Prover result is: Unknown or time/memory/step limit. Sorry, we don't have a good counterexample for you :( Categorizations of models: - Selected model 0: NC - Concrete RAC: FAILURE (loop invariant init at "bench/check-ce/jlamp0_poly.mlw", line 22, characters 18-31) - Abstract RAC: FAILURE (loop invariant init at "bench/check-ce/jlamp0_poly.mlw", line 22, characters 18-31) - Checked model 1: NC - Concrete RAC: FAILURE (loop invariant init at "bench/check-ce/jlamp0_poly.mlw", line 22, characters 18-31) - Abstract RAC: FAILURE (loop invariant init at "bench/check-ce/jlamp0_poly.mlw", line 22, characters 18-31) File "bench/check-ce/jlamp0_poly.mlw", line 22, characters 18-31: Sub-goal Loop invariant preservation of goal p2'vc. Prover result is: Unknown or time/memory/step limit. The program does not comply to the verification goal, for example during the following execution: File int.mlw: Line 13: Constant zero initialization zero = 0 Line 14: Constant one initialization one = 1 File jlamp0_poly.mlw: Line 6: a = {contents= 0} Line 15: Constant c initialization (giant-step) execution of unimplemented function with args: result = {contents= 0} c = {contents= 0} Unknown location: _ = () File jlamp0_poly.mlw: Line 17: _ = () Execution of main function `p2` with env: a = {contents= 0} c = {contents= 0} _ = () zero = 0 one = 1 Line 20: Normal execution of function `(:=)` with args: r = {contents= 0} v = 1 Line 22: Property failure at loop invariant init with: c = {contents= 1} Categorizations of models: - Checked model 0: BAD_CE - Concrete RAC: FAILURE (loop invariant init at "bench/check-ce/jlamp0_poly.mlw", line 22, characters 18-31) - Abstract RAC: FAILURE (loop invariant init at "bench/check-ce/jlamp0_poly.mlw", line 22, characters 18-31) - Selected model 1: BAD_CE - Concrete RAC: FAILURE (loop invariant init at "bench/check-ce/jlamp0_poly.mlw", line 22, characters 18-31) - Abstract RAC: FAILURE (loop invariant init at "bench/check-ce/jlamp0_poly.mlw", line 22, characters 18-31) File "bench/check-ce/jlamp0_poly.mlw", line 23, characters 18-31: Sub-goal Loop invariant preservation of goal p2'vc. Prover result is: Unknown or time/memory/step limit. Sorry, we don't have a good counterexample for you :( Categorizations of models: - Checked model 0: BAD_CE - Concrete RAC: FAILURE (loop invariant init at "bench/check-ce/jlamp0_poly.mlw", line 22, characters 18-31) - Abstract RAC: FAILURE (loop invariant init at "bench/check-ce/jlamp0_poly.mlw", line 22, characters 18-31) - Selected model 1: BAD_CE - Concrete RAC: FAILURE (loop invariant init at "bench/check-ce/jlamp0_poly.mlw", line 22, characters 18-31) - Abstract RAC: FAILURE (loop invariant init at "bench/check-ce/jlamp0_poly.mlw", line 22, characters 18-31) File "bench/check-ce/jlamp0_poly.mlw", line 19, characters 15-28: Sub-goal Postcondition of goal p2'vc. Prover result is: Unknown or time/memory/step limit. Sorry, we don't have a good counterexample for you :( why3-1.6.0/bench/check-ce/oracles/jlamp0_poly_CVC5,1.0.0_SP.oracle000066400000000000000000000234231440160026300240110ustar00rootroot00000000000000Categorizations of models: - Selected model 0: NC - Concrete RAC: FAILURE (assertion at "bench/check-ce/jlamp0_poly.mlw", line 12, characters 13-26) - Abstract RAC: FAILURE (assertion at "bench/check-ce/jlamp0_poly.mlw", line 12, characters 13-26) - Checked model 1: NC - Concrete RAC: FAILURE (assertion at "bench/check-ce/jlamp0_poly.mlw", line 12, characters 13-26) - Abstract RAC: FAILURE (assertion at "bench/check-ce/jlamp0_poly.mlw", line 12, characters 13-26) File "bench/check-ce/jlamp0_poly.mlw", line 12, characters 13-26: Sub-goal Assertion of goal p1'vc. Prover result is: Unknown or time/memory/step limit. The program does not comply to the verification goal, for example during the following execution: File int.mlw: Line 13: Constant zero initialization zero = 0 Line 14: Constant one initialization one = 1 File jlamp0_poly.mlw: Line 6: a = {contents= 0} Line 8: b = {contents= 3} b = {contents= 3} Execution of main function `p1` with env: a = {contents= 0} b = {contents= 3} zero = 0 one = 1 Line 11: Normal execution of function `(!)` with args: r = {contents= 3} File ref.mlw: Line 18: Normal execution of function `contents` with args: arg = {contents= 3} File jlamp0_poly.mlw: Line 11: Normal execution of function `(!)` with args: r = {contents= 0} File ref.mlw: Line 18: Normal execution of function `contents` with args: arg = {contents= 0} File jlamp0_poly.mlw: Line 11: Normal execution of function `(+)` with args: _ = 0 _ = 3 Normal execution of function `(:=)` with args: r = {contents= 0} v = 3 Line 12: Property failure at assertion with: a = {contents= 3} Categorizations of models: - Selected model 0: NC - Concrete RAC: FAILURE (postcondition at "bench/check-ce/jlamp0_poly.mlw", line 10, characters 15-29) - Abstract RAC: FAILURE (postcondition at "bench/check-ce/jlamp0_poly.mlw", line 10, characters 15-29) - Checked model 1: NC - Concrete RAC: FAILURE (postcondition at "bench/check-ce/jlamp0_poly.mlw", line 10, characters 15-29) - Abstract RAC: FAILURE (postcondition at "bench/check-ce/jlamp0_poly.mlw", line 10, characters 15-29) File "bench/check-ce/jlamp0_poly.mlw", line 10, characters 15-29: Sub-goal Postcondition of goal p1'vc. Prover result is: Unknown or time/memory/step limit. The program does not comply to the verification goal, for example during the following execution: File int.mlw: Line 13: Constant zero initialization zero = 0 Line 14: Constant one initialization one = 1 File jlamp0_poly.mlw: Line 6: a = {contents= 0} Line 8: b = {contents= 10} b = {contents= 10} Execution of main function `p1` with env: a = {contents= 0} b = {contents= 10} zero = 0 one = 1 Line 11: Normal execution of function `(!)` with args: r = {contents= 10} File ref.mlw: Line 18: Normal execution of function `contents` with args: arg = {contents= 10} File jlamp0_poly.mlw: Line 11: Normal execution of function `(!)` with args: r = {contents= 0} File ref.mlw: Line 18: Normal execution of function `contents` with args: arg = {contents= 0} File jlamp0_poly.mlw: Line 11: Normal execution of function `(+)` with args: _ = 0 _ = 10 Normal execution of function `(:=)` with args: r = {contents= 0} v = 10 Line 13: Normal execution of function `(!)` with args: r = {contents= 10} File ref.mlw: Line 18: Normal execution of function `contents` with args: arg = {contents= 10} File jlamp0_poly.mlw: Line 13: Normal execution of function `(>=)` with args: x = 10 y = 10 Normal execution of function `(!)` with args: r = {contents= 10} File ref.mlw: Line 18: Normal execution of function `contents` with args: arg = {contents= 10} File jlamp0_poly.mlw: Line 13: Normal execution of function `(-)` with args: x = 10 y = 1 File int.mlw: Line 23: Normal execution of function `(-_)` with args: _ = 1 Normal execution of function `(+)` with args: _ = 10 _ = (-1) File jlamp0_poly.mlw: Line 13: Normal execution of function `(:=)` with args: r = {contents= 10} v = 9 Line 10: Property failure at postcondition of `p1` with: a = {contents= 9} Categorizations of models: - Selected model 0: NC - Concrete RAC: FAILURE (loop invariant init at "bench/check-ce/jlamp0_poly.mlw", line 22, characters 18-31) - Abstract RAC: FAILURE (loop invariant init at "bench/check-ce/jlamp0_poly.mlw", line 22, characters 18-31) - Checked model 1: NC - Concrete RAC: FAILURE (loop invariant init at "bench/check-ce/jlamp0_poly.mlw", line 22, characters 18-31) - Abstract RAC: FAILURE (loop invariant init at "bench/check-ce/jlamp0_poly.mlw", line 22, characters 18-31) File "bench/check-ce/jlamp0_poly.mlw", line 22, characters 18-31: Sub-goal Loop invariant init of goal p2'vc. Prover result is: Unknown or time/memory/step limit. The program does not comply to the verification goal, for example during the following execution: File int.mlw: Line 13: Constant zero initialization zero = 0 Line 14: Constant one initialization one = 1 File jlamp0_poly.mlw: Line 6: a = {contents= 0} Line 15: Constant c initialization (giant-step) execution of unimplemented function with args: result = {contents= 0} c = {contents= 0} Unknown location: _ = () File jlamp0_poly.mlw: Line 17: _ = () Execution of main function `p2` with env: a = {contents= 0} c = {contents= 0} _ = () zero = 0 one = 1 Line 20: Normal execution of function `(:=)` with args: r = {contents= 0} v = 1 Line 22: Property failure at loop invariant init with: c = {contents= 1} File "bench/check-ce/jlamp0_poly.mlw", line 23, characters 18-31: Sub-goal Loop invariant init of goal p2'vc. Prover result is: Valid. Categorizations of models: - Checked model 0: BAD_CE - Concrete RAC: FAILURE (loop invariant init at "bench/check-ce/jlamp0_poly.mlw", line 22, characters 18-31) - Abstract RAC: FAILURE (loop invariant init at "bench/check-ce/jlamp0_poly.mlw", line 22, characters 18-31) - Selected model 1: BAD_CE - Concrete RAC: FAILURE (loop invariant init at "bench/check-ce/jlamp0_poly.mlw", line 22, characters 18-31) - Abstract RAC: FAILURE (loop invariant init at "bench/check-ce/jlamp0_poly.mlw", line 22, characters 18-31) File "bench/check-ce/jlamp0_poly.mlw", line 24, characters 16-18: Sub-goal Loop variant decrease of goal p2'vc. Prover result is: Unknown or time/memory/step limit. Sorry, we don't have a good counterexample for you :( Categorizations of models: - Selected model 0: NC - Concrete RAC: FAILURE (loop invariant init at "bench/check-ce/jlamp0_poly.mlw", line 22, characters 18-31) - Abstract RAC: FAILURE (loop invariant init at "bench/check-ce/jlamp0_poly.mlw", line 22, characters 18-31) - Checked model 1: NC - Concrete RAC: FAILURE (loop invariant init at "bench/check-ce/jlamp0_poly.mlw", line 22, characters 18-31) - Abstract RAC: FAILURE (loop invariant init at "bench/check-ce/jlamp0_poly.mlw", line 22, characters 18-31) File "bench/check-ce/jlamp0_poly.mlw", line 22, characters 18-31: Sub-goal Loop invariant preservation of goal p2'vc. Prover result is: Unknown or time/memory/step limit. The program does not comply to the verification goal, for example during the following execution: File int.mlw: Line 13: Constant zero initialization zero = 0 Line 14: Constant one initialization one = 1 File jlamp0_poly.mlw: Line 6: a = {contents= 0} Line 15: Constant c initialization (giant-step) execution of unimplemented function with args: result = {contents= 0} c = {contents= 0} Unknown location: _ = () File jlamp0_poly.mlw: Line 17: _ = () Execution of main function `p2` with env: a = {contents= 0} c = {contents= 0} _ = () zero = 0 one = 1 Line 20: Normal execution of function `(:=)` with args: r = {contents= 0} v = 1 Line 22: Property failure at loop invariant init with: c = {contents= 1} Categorizations of models: - Checked model 0: BAD_CE - Concrete RAC: FAILURE (loop invariant init at "bench/check-ce/jlamp0_poly.mlw", line 22, characters 18-31) - Abstract RAC: FAILURE (loop invariant init at "bench/check-ce/jlamp0_poly.mlw", line 22, characters 18-31) - Selected model 1: BAD_CE - Concrete RAC: FAILURE (loop invariant init at "bench/check-ce/jlamp0_poly.mlw", line 22, characters 18-31) - Abstract RAC: FAILURE (loop invariant init at "bench/check-ce/jlamp0_poly.mlw", line 22, characters 18-31) File "bench/check-ce/jlamp0_poly.mlw", line 23, characters 18-31: Sub-goal Loop invariant preservation of goal p2'vc. Prover result is: Unknown or time/memory/step limit. Sorry, we don't have a good counterexample for you :( Categorizations of models: - Checked model 0: BAD_CE - Concrete RAC: FAILURE (loop invariant init at "bench/check-ce/jlamp0_poly.mlw", line 22, characters 18-31) - Abstract RAC: FAILURE (loop invariant init at "bench/check-ce/jlamp0_poly.mlw", line 22, characters 18-31) - Selected model 1: BAD_CE - Concrete RAC: FAILURE (loop invariant init at "bench/check-ce/jlamp0_poly.mlw", line 22, characters 18-31) - Abstract RAC: FAILURE (loop invariant init at "bench/check-ce/jlamp0_poly.mlw", line 22, characters 18-31) File "bench/check-ce/jlamp0_poly.mlw", line 19, characters 15-28: Sub-goal Postcondition of goal p2'vc. Prover result is: Unknown or time/memory/step limit. Sorry, we don't have a good counterexample for you :( why3-1.6.0/bench/check-ce/oracles/jlamp0_poly_CVC5,1.0.0_WP.oracle000066400000000000000000000276151440160026300240240ustar00rootroot00000000000000Categorizations of models: - Selected model 0: NC - Concrete RAC: FAILURE (assertion at "bench/check-ce/jlamp0_poly.mlw", line 12, characters 13-26) - Abstract RAC: FAILURE (assertion at "bench/check-ce/jlamp0_poly.mlw", line 12, characters 13-26) - Checked model 1: NC - Concrete RAC: FAILURE (assertion at "bench/check-ce/jlamp0_poly.mlw", line 12, characters 13-26) - Abstract RAC: FAILURE (assertion at "bench/check-ce/jlamp0_poly.mlw", line 12, characters 13-26) File "bench/check-ce/jlamp0_poly.mlw", line 12, characters 13-26: Sub-goal Assertion of goal p1'vc. Prover result is: Unknown or time/memory/step limit. The program does not comply to the verification goal, for example during the following execution: File int.mlw: Line 13: Constant zero initialization zero = 0 Line 14: Constant one initialization one = 1 File jlamp0_poly.mlw: Line 6: a = {contents= 0} Line 8: b = {contents= 3} b = {contents= 3} Execution of main function `p1` with env: a = {contents= 0} b = {contents= 3} zero = 0 one = 1 Line 11: Normal execution of function `(!)` with args: r = {contents= 3} File ref.mlw: Line 18: Normal execution of function `contents` with args: arg = {contents= 3} File jlamp0_poly.mlw: Line 11: Normal execution of function `(!)` with args: r = {contents= 0} File ref.mlw: Line 18: Normal execution of function `contents` with args: arg = {contents= 0} File jlamp0_poly.mlw: Line 11: Normal execution of function `(+)` with args: _ = 0 _ = 3 Normal execution of function `(:=)` with args: r = {contents= 0} v = 3 Line 12: Property failure at assertion with: a = {contents= 3} Categorizations of models: - Selected model 0: NC - Concrete RAC: FAILURE (postcondition at "bench/check-ce/jlamp0_poly.mlw", line 10, characters 15-29) - Abstract RAC: FAILURE (postcondition at "bench/check-ce/jlamp0_poly.mlw", line 10, characters 15-29) - Checked model 1: NC - Concrete RAC: FAILURE (postcondition at "bench/check-ce/jlamp0_poly.mlw", line 10, characters 15-29) - Abstract RAC: FAILURE (postcondition at "bench/check-ce/jlamp0_poly.mlw", line 10, characters 15-29) File "bench/check-ce/jlamp0_poly.mlw", line 10, characters 15-29: Sub-goal Postcondition of goal p1'vc. Prover result is: Unknown or time/memory/step limit. The program does not comply to the verification goal, for example during the following execution: File int.mlw: Line 13: Constant zero initialization zero = 0 Line 14: Constant one initialization one = 1 File jlamp0_poly.mlw: Line 6: a = {contents= 0} Line 8: b = {contents= 10} b = {contents= 10} Execution of main function `p1` with env: a = {contents= 0} b = {contents= 10} zero = 0 one = 1 Line 11: Normal execution of function `(!)` with args: r = {contents= 10} File ref.mlw: Line 18: Normal execution of function `contents` with args: arg = {contents= 10} File jlamp0_poly.mlw: Line 11: Normal execution of function `(!)` with args: r = {contents= 0} File ref.mlw: Line 18: Normal execution of function `contents` with args: arg = {contents= 0} File jlamp0_poly.mlw: Line 11: Normal execution of function `(+)` with args: _ = 0 _ = 10 Normal execution of function `(:=)` with args: r = {contents= 0} v = 10 Line 13: Normal execution of function `(!)` with args: r = {contents= 10} File ref.mlw: Line 18: Normal execution of function `contents` with args: arg = {contents= 10} File jlamp0_poly.mlw: Line 13: Normal execution of function `(>=)` with args: x = 10 y = 10 Normal execution of function `(!)` with args: r = {contents= 10} File ref.mlw: Line 18: Normal execution of function `contents` with args: arg = {contents= 10} File jlamp0_poly.mlw: Line 13: Normal execution of function `(-)` with args: x = 10 y = 1 File int.mlw: Line 23: Normal execution of function `(-_)` with args: _ = 1 Normal execution of function `(+)` with args: _ = 10 _ = (-1) File jlamp0_poly.mlw: Line 13: Normal execution of function `(:=)` with args: r = {contents= 10} v = 9 Line 10: Property failure at postcondition of `p1` with: a = {contents= 9} Categorizations of models: - Selected model 0: NC - Concrete RAC: FAILURE (postcondition at "bench/check-ce/jlamp0_poly.mlw", line 10, characters 15-29) - Abstract RAC: FAILURE (postcondition at "bench/check-ce/jlamp0_poly.mlw", line 10, characters 15-29) - Checked model 1: NC - Concrete RAC: FAILURE (postcondition at "bench/check-ce/jlamp0_poly.mlw", line 10, characters 15-29) - Abstract RAC: FAILURE (postcondition at "bench/check-ce/jlamp0_poly.mlw", line 10, characters 15-29) File "bench/check-ce/jlamp0_poly.mlw", line 10, characters 15-29: Sub-goal Postcondition of goal p1'vc. Prover result is: Unknown or time/memory/step limit. The program does not comply to the verification goal, for example during the following execution: File int.mlw: Line 13: Constant zero initialization zero = 0 Line 14: Constant one initialization one = 1 File jlamp0_poly.mlw: Line 6: a = {contents= 0} Line 8: b = {contents= 5} b = {contents= 5} Execution of main function `p1` with env: a = {contents= 0} b = {contents= 5} zero = 0 one = 1 Line 11: Normal execution of function `(!)` with args: r = {contents= 5} File ref.mlw: Line 18: Normal execution of function `contents` with args: arg = {contents= 5} File jlamp0_poly.mlw: Line 11: Normal execution of function `(!)` with args: r = {contents= 0} File ref.mlw: Line 18: Normal execution of function `contents` with args: arg = {contents= 0} File jlamp0_poly.mlw: Line 11: Normal execution of function `(+)` with args: _ = 0 _ = 5 Normal execution of function `(:=)` with args: r = {contents= 0} v = 5 Line 13: Normal execution of function `(!)` with args: r = {contents= 5} File ref.mlw: Line 18: Normal execution of function `contents` with args: arg = {contents= 5} File jlamp0_poly.mlw: Line 13: Normal execution of function `(>=)` with args: x = 5 y = 10 Normal execution of function `Tuple0` with args: Line 10: Property failure at postcondition of `p1` with: a = {contents= 5} Categorizations of models: - Selected model 0: NC - Concrete RAC: FAILURE (loop invariant init at "bench/check-ce/jlamp0_poly.mlw", line 22, characters 18-31) - Abstract RAC: FAILURE (loop invariant init at "bench/check-ce/jlamp0_poly.mlw", line 22, characters 18-31) - Checked model 1: NC - Concrete RAC: FAILURE (loop invariant init at "bench/check-ce/jlamp0_poly.mlw", line 22, characters 18-31) - Abstract RAC: FAILURE (loop invariant init at "bench/check-ce/jlamp0_poly.mlw", line 22, characters 18-31) File "bench/check-ce/jlamp0_poly.mlw", line 22, characters 18-31: Sub-goal Loop invariant init of goal p2'vc. Prover result is: Unknown or time/memory/step limit. The program does not comply to the verification goal, for example during the following execution: File int.mlw: Line 13: Constant zero initialization zero = 0 Line 14: Constant one initialization one = 1 File jlamp0_poly.mlw: Line 6: a = {contents= 0} Line 15: Constant c initialization (giant-step) execution of unimplemented function with args: result = {contents= 0} c = {contents= 0} Unknown location: _ = () File jlamp0_poly.mlw: Line 17: _ = () Execution of main function `p2` with env: a = {contents= 0} c = {contents= 0} _ = () zero = 0 one = 1 Line 20: Normal execution of function `(:=)` with args: r = {contents= 0} v = 1 Line 22: Property failure at loop invariant init with: c = {contents= 1} File "bench/check-ce/jlamp0_poly.mlw", line 23, characters 18-31: Sub-goal Loop invariant init of goal p2'vc. Prover result is: Valid. Categorizations of models: - Checked model 0: BAD_CE - Concrete RAC: FAILURE (loop invariant init at "bench/check-ce/jlamp0_poly.mlw", line 22, characters 18-31) - Abstract RAC: FAILURE (loop invariant init at "bench/check-ce/jlamp0_poly.mlw", line 22, characters 18-31) - Selected model 1: BAD_CE - Concrete RAC: FAILURE (loop invariant init at "bench/check-ce/jlamp0_poly.mlw", line 22, characters 18-31) - Abstract RAC: FAILURE (loop invariant init at "bench/check-ce/jlamp0_poly.mlw", line 22, characters 18-31) File "bench/check-ce/jlamp0_poly.mlw", line 24, characters 16-18: Sub-goal Loop variant decrease of goal p2'vc. Prover result is: Unknown or time/memory/step limit. Sorry, we don't have a good counterexample for you :( Categorizations of models: - Selected model 0: NC - Concrete RAC: FAILURE (loop invariant init at "bench/check-ce/jlamp0_poly.mlw", line 22, characters 18-31) - Abstract RAC: FAILURE (loop invariant init at "bench/check-ce/jlamp0_poly.mlw", line 22, characters 18-31) - Checked model 1: NC - Concrete RAC: FAILURE (loop invariant init at "bench/check-ce/jlamp0_poly.mlw", line 22, characters 18-31) - Abstract RAC: FAILURE (loop invariant init at "bench/check-ce/jlamp0_poly.mlw", line 22, characters 18-31) File "bench/check-ce/jlamp0_poly.mlw", line 22, characters 18-31: Sub-goal Loop invariant preservation of goal p2'vc. Prover result is: Unknown or time/memory/step limit. The program does not comply to the verification goal, for example during the following execution: File int.mlw: Line 13: Constant zero initialization zero = 0 Line 14: Constant one initialization one = 1 File jlamp0_poly.mlw: Line 6: a = {contents= 0} Line 15: Constant c initialization (giant-step) execution of unimplemented function with args: result = {contents= 0} c = {contents= 0} Unknown location: _ = () File jlamp0_poly.mlw: Line 17: _ = () Execution of main function `p2` with env: a = {contents= 0} c = {contents= 0} _ = () zero = 0 one = 1 Line 20: Normal execution of function `(:=)` with args: r = {contents= 0} v = 1 Line 22: Property failure at loop invariant init with: c = {contents= 1} Categorizations of models: - Checked model 0: BAD_CE - Concrete RAC: FAILURE (loop invariant init at "bench/check-ce/jlamp0_poly.mlw", line 22, characters 18-31) - Abstract RAC: FAILURE (loop invariant init at "bench/check-ce/jlamp0_poly.mlw", line 22, characters 18-31) - Selected model 1: BAD_CE - Concrete RAC: FAILURE (loop invariant init at "bench/check-ce/jlamp0_poly.mlw", line 22, characters 18-31) - Abstract RAC: FAILURE (loop invariant init at "bench/check-ce/jlamp0_poly.mlw", line 22, characters 18-31) File "bench/check-ce/jlamp0_poly.mlw", line 23, characters 18-31: Sub-goal Loop invariant preservation of goal p2'vc. Prover result is: Unknown or time/memory/step limit. Sorry, we don't have a good counterexample for you :( Categorizations of models: - Checked model 0: BAD_CE - Concrete RAC: FAILURE (loop invariant init at "bench/check-ce/jlamp0_poly.mlw", line 22, characters 18-31) - Abstract RAC: FAILURE (loop invariant init at "bench/check-ce/jlamp0_poly.mlw", line 22, characters 18-31) - Selected model 1: BAD_CE - Concrete RAC: FAILURE (loop invariant init at "bench/check-ce/jlamp0_poly.mlw", line 22, characters 18-31) - Abstract RAC: FAILURE (loop invariant init at "bench/check-ce/jlamp0_poly.mlw", line 22, characters 18-31) File "bench/check-ce/jlamp0_poly.mlw", line 19, characters 15-28: Sub-goal Postcondition of goal p2'vc. Prover result is: Unknown or time/memory/step limit. Sorry, we don't have a good counterexample for you :( why3-1.6.0/bench/check-ce/oracles/jlamp0_poly_Z3,4.8.10_SP.oracle000066400000000000000000000225471440160026300237070ustar00rootroot00000000000000Categorizations of models: - Selected model 0: NC - Concrete RAC: FAILURE (assertion at "bench/check-ce/jlamp0_poly.mlw", line 12, characters 13-26) - Abstract RAC: FAILURE (assertion at "bench/check-ce/jlamp0_poly.mlw", line 12, characters 13-26) - Checked model 1: BAD_CE - Concrete RAC: STUCK (failure in precondition of `p1` at "bench/check-ce/jlamp0_poly.mlw", line 8, characters 6-8) - Abstract RAC: STUCK (failure in precondition of `p1` at "bench/check-ce/jlamp0_poly.mlw", line 8, characters 6-8) File "bench/check-ce/jlamp0_poly.mlw", line 12, characters 13-26: Sub-goal Assertion of goal p1'vc. Prover result is: Unknown or time/memory/step limit. The program does not comply to the verification goal, for example during the following execution: File int.mlw: Line 13: Constant zero initialization zero = 0 Line 14: Constant one initialization one = 1 File jlamp0_poly.mlw: Line 6: a = {contents= 0} Line 8: b = {contents= 16} b = {contents= 16} Execution of main function `p1` with env: a = {contents= 0} b = {contents= 16} zero = 0 one = 1 Line 11: Normal execution of function `(!)` with args: r = {contents= 16} File ref.mlw: Line 18: Normal execution of function `contents` with args: arg = {contents= 16} File jlamp0_poly.mlw: Line 11: Normal execution of function `(!)` with args: r = {contents= 0} File ref.mlw: Line 18: Normal execution of function `contents` with args: arg = {contents= 0} File jlamp0_poly.mlw: Line 11: Normal execution of function `(+)` with args: _ = 0 _ = 16 Normal execution of function `(:=)` with args: r = {contents= 0} v = 16 Line 12: Property failure at assertion with: a = {contents= 16} Categorizations of models: - Selected model 0: NC - Concrete RAC: FAILURE (postcondition at "bench/check-ce/jlamp0_poly.mlw", line 10, characters 15-29) - Abstract RAC: FAILURE (postcondition at "bench/check-ce/jlamp0_poly.mlw", line 10, characters 15-29) - Checked model 1: BAD_CE - Concrete RAC: STUCK (failure in precondition of `p1` at "bench/check-ce/jlamp0_poly.mlw", line 8, characters 6-8) - Abstract RAC: STUCK (failure in precondition of `p1` at "bench/check-ce/jlamp0_poly.mlw", line 8, characters 6-8) File "bench/check-ce/jlamp0_poly.mlw", line 10, characters 15-29: Sub-goal Postcondition of goal p1'vc. Prover result is: Unknown or time/memory/step limit. The program does not comply to the verification goal, for example during the following execution: File int.mlw: Line 13: Constant zero initialization zero = 0 Line 14: Constant one initialization one = 1 File jlamp0_poly.mlw: Line 6: a = {contents= 0} Line 8: b = {contents= 5} b = {contents= 5} Execution of main function `p1` with env: a = {contents= 0} b = {contents= 5} zero = 0 one = 1 Line 11: Normal execution of function `(!)` with args: r = {contents= 5} File ref.mlw: Line 18: Normal execution of function `contents` with args: arg = {contents= 5} File jlamp0_poly.mlw: Line 11: Normal execution of function `(!)` with args: r = {contents= 0} File ref.mlw: Line 18: Normal execution of function `contents` with args: arg = {contents= 0} File jlamp0_poly.mlw: Line 11: Normal execution of function `(+)` with args: _ = 0 _ = 5 Normal execution of function `(:=)` with args: r = {contents= 0} v = 5 Line 13: Normal execution of function `(!)` with args: r = {contents= 5} File ref.mlw: Line 18: Normal execution of function `contents` with args: arg = {contents= 5} File jlamp0_poly.mlw: Line 13: Normal execution of function `(>=)` with args: x = 5 y = 10 Normal execution of function `Tuple0` with args: Line 10: Property failure at postcondition of `p1` with: a = {contents= 5} Categorizations of models: - Selected model 0: NC - Concrete RAC: FAILURE (loop invariant init at "bench/check-ce/jlamp0_poly.mlw", line 22, characters 18-31) - Abstract RAC: FAILURE (loop invariant init at "bench/check-ce/jlamp0_poly.mlw", line 22, characters 18-31) - Checked model 1: NC - Concrete RAC: FAILURE (loop invariant init at "bench/check-ce/jlamp0_poly.mlw", line 22, characters 18-31) - Abstract RAC: STUCK (failure in postcondition of `(:=)` at "WHY3DATA/stdlib/ref.mlw", line 20, characters 39-44) File "bench/check-ce/jlamp0_poly.mlw", line 22, characters 18-31: Sub-goal Loop invariant init of goal p2'vc. Prover result is: Unknown or time/memory/step limit. The program does not comply to the verification goal, for example during the following execution: File int.mlw: Line 13: Constant zero initialization zero = 0 Line 14: Constant one initialization one = 1 File jlamp0_poly.mlw: Line 6: a = {contents= 0} Line 15: Constant c initialization (giant-step) execution of unimplemented function with args: result = {contents= 0} c = {contents= 0} Unknown location: _ = () File jlamp0_poly.mlw: Line 17: _ = () Execution of main function `p2` with env: a = {contents= 0} c = {contents= 0} _ = () zero = 0 one = 1 Line 20: Normal execution of function `(:=)` with args: r = {contents= 0} v = 1 Line 22: Property failure at loop invariant init with: c = {contents= 1} File "bench/check-ce/jlamp0_poly.mlw", line 23, characters 18-31: Sub-goal Loop invariant init of goal p2'vc. Prover result is: Valid. Categorizations of models: - Selected model 0: BAD_CE - Concrete RAC: FAILURE (loop invariant init at "bench/check-ce/jlamp0_poly.mlw", line 22, characters 18-31) - Abstract RAC: FAILURE (loop invariant init at "bench/check-ce/jlamp0_poly.mlw", line 22, characters 18-31) - Checked model 1: BAD_CE - Concrete RAC: FAILURE (loop invariant init at "bench/check-ce/jlamp0_poly.mlw", line 22, characters 18-31) - Abstract RAC: STUCK (failure in postcondition of `(:=)` at "WHY3DATA/stdlib/ref.mlw", line 20, characters 39-44) File "bench/check-ce/jlamp0_poly.mlw", line 24, characters 16-18: Sub-goal Loop variant decrease of goal p2'vc. Prover result is: Unknown or time/memory/step limit. Sorry, we don't have a good counterexample for you :( Categorizations of models: - Selected model 0: NC - Concrete RAC: FAILURE (loop invariant init at "bench/check-ce/jlamp0_poly.mlw", line 22, characters 18-31) - Abstract RAC: FAILURE (loop invariant init at "bench/check-ce/jlamp0_poly.mlw", line 22, characters 18-31) - Checked model 1: NC - Concrete RAC: FAILURE (loop invariant init at "bench/check-ce/jlamp0_poly.mlw", line 22, characters 18-31) - Abstract RAC: STUCK (failure in postcondition of `(:=)` at "WHY3DATA/stdlib/ref.mlw", line 20, characters 39-44) File "bench/check-ce/jlamp0_poly.mlw", line 22, characters 18-31: Sub-goal Loop invariant preservation of goal p2'vc. Prover result is: Unknown or time/memory/step limit. The program does not comply to the verification goal, for example during the following execution: File int.mlw: Line 13: Constant zero initialization zero = 0 Line 14: Constant one initialization one = 1 File jlamp0_poly.mlw: Line 6: a = {contents= 0} Line 15: Constant c initialization (giant-step) execution of unimplemented function with args: result = {contents= 0} c = {contents= 0} Unknown location: _ = () File jlamp0_poly.mlw: Line 17: _ = () Execution of main function `p2` with env: a = {contents= 0} c = {contents= 0} _ = () zero = 0 one = 1 Line 20: Normal execution of function `(:=)` with args: r = {contents= 0} v = 1 Line 22: Property failure at loop invariant init with: c = {contents= 1} Categorizations of models: - Selected model 0: BAD_CE - Concrete RAC: FAILURE (loop invariant init at "bench/check-ce/jlamp0_poly.mlw", line 22, characters 18-31) - Abstract RAC: FAILURE (loop invariant init at "bench/check-ce/jlamp0_poly.mlw", line 22, characters 18-31) - Checked model 1: BAD_CE - Concrete RAC: FAILURE (loop invariant init at "bench/check-ce/jlamp0_poly.mlw", line 22, characters 18-31) - Abstract RAC: STUCK (failure in postcondition of `(:=)` at "WHY3DATA/stdlib/ref.mlw", line 20, characters 39-44) File "bench/check-ce/jlamp0_poly.mlw", line 23, characters 18-31: Sub-goal Loop invariant preservation of goal p2'vc. Prover result is: Unknown or time/memory/step limit. Sorry, we don't have a good counterexample for you :( Categorizations of models: - Selected model 0: BAD_CE - Concrete RAC: FAILURE (loop invariant init at "bench/check-ce/jlamp0_poly.mlw", line 22, characters 18-31) - Abstract RAC: FAILURE (loop invariant init at "bench/check-ce/jlamp0_poly.mlw", line 22, characters 18-31) - Checked model 1: BAD_CE - Concrete RAC: FAILURE (loop invariant init at "bench/check-ce/jlamp0_poly.mlw", line 22, characters 18-31) - Abstract RAC: STUCK (failure in postcondition of `(:=)` at "WHY3DATA/stdlib/ref.mlw", line 20, characters 39-44) File "bench/check-ce/jlamp0_poly.mlw", line 19, characters 15-28: Sub-goal Postcondition of goal p2'vc. Prover result is: Unknown or time/memory/step limit. Sorry, we don't have a good counterexample for you :( why3-1.6.0/bench/check-ce/oracles/jlamp0_poly_Z3,4.8.10_WP.oracle000066400000000000000000000300271440160026300237030ustar00rootroot00000000000000Categorizations of models: - Selected model 0: NC - Concrete RAC: FAILURE (assertion at "bench/check-ce/jlamp0_poly.mlw", line 12, characters 13-26) - Abstract RAC: FAILURE (assertion at "bench/check-ce/jlamp0_poly.mlw", line 12, characters 13-26) - Checked model 1: BAD_CE - Concrete RAC: STUCK (failure in precondition of `p1` at "bench/check-ce/jlamp0_poly.mlw", line 8, characters 6-8) - Abstract RAC: STUCK (failure in precondition of `p1` at "bench/check-ce/jlamp0_poly.mlw", line 8, characters 6-8) File "bench/check-ce/jlamp0_poly.mlw", line 12, characters 13-26: Sub-goal Assertion of goal p1'vc. Prover result is: Unknown or time/memory/step limit. The program does not comply to the verification goal, for example during the following execution: File int.mlw: Line 13: Constant zero initialization zero = 0 Line 14: Constant one initialization one = 1 File jlamp0_poly.mlw: Line 6: a = {contents= 0} Line 8: b = {contents= 16} b = {contents= 16} Execution of main function `p1` with env: a = {contents= 0} b = {contents= 16} zero = 0 one = 1 Line 11: Normal execution of function `(!)` with args: r = {contents= 16} File ref.mlw: Line 18: Normal execution of function `contents` with args: arg = {contents= 16} File jlamp0_poly.mlw: Line 11: Normal execution of function `(!)` with args: r = {contents= 0} File ref.mlw: Line 18: Normal execution of function `contents` with args: arg = {contents= 0} File jlamp0_poly.mlw: Line 11: Normal execution of function `(+)` with args: _ = 0 _ = 16 Normal execution of function `(:=)` with args: r = {contents= 0} v = 16 Line 12: Property failure at assertion with: a = {contents= 16} Categorizations of models: - Selected model 0: NC - Concrete RAC: FAILURE (postcondition at "bench/check-ce/jlamp0_poly.mlw", line 10, characters 15-29) - Abstract RAC: FAILURE (postcondition at "bench/check-ce/jlamp0_poly.mlw", line 10, characters 15-29) - Checked model 1: BAD_CE - Concrete RAC: STUCK (failure in precondition of `p1` at "bench/check-ce/jlamp0_poly.mlw", line 8, characters 6-8) - Abstract RAC: STUCK (failure in precondition of `p1` at "bench/check-ce/jlamp0_poly.mlw", line 8, characters 6-8) File "bench/check-ce/jlamp0_poly.mlw", line 10, characters 15-29: Sub-goal Postcondition of goal p1'vc. Prover result is: Unknown or time/memory/step limit. The program does not comply to the verification goal, for example during the following execution: File int.mlw: Line 13: Constant zero initialization zero = 0 Line 14: Constant one initialization one = 1 File jlamp0_poly.mlw: Line 6: a = {contents= 0} Line 8: b = {contents= 14} b = {contents= 14} Execution of main function `p1` with env: a = {contents= 0} b = {contents= 14} zero = 0 one = 1 Line 11: Normal execution of function `(!)` with args: r = {contents= 14} File ref.mlw: Line 18: Normal execution of function `contents` with args: arg = {contents= 14} File jlamp0_poly.mlw: Line 11: Normal execution of function `(!)` with args: r = {contents= 0} File ref.mlw: Line 18: Normal execution of function `contents` with args: arg = {contents= 0} File jlamp0_poly.mlw: Line 11: Normal execution of function `(+)` with args: _ = 0 _ = 14 Normal execution of function `(:=)` with args: r = {contents= 0} v = 14 Line 13: Normal execution of function `(!)` with args: r = {contents= 14} File ref.mlw: Line 18: Normal execution of function `contents` with args: arg = {contents= 14} File jlamp0_poly.mlw: Line 13: Normal execution of function `(>=)` with args: x = 14 y = 10 Normal execution of function `(!)` with args: r = {contents= 14} File ref.mlw: Line 18: Normal execution of function `contents` with args: arg = {contents= 14} File jlamp0_poly.mlw: Line 13: Normal execution of function `(-)` with args: x = 14 y = 1 File int.mlw: Line 23: Normal execution of function `(-_)` with args: _ = 1 Normal execution of function `(+)` with args: _ = 14 _ = (-1) File jlamp0_poly.mlw: Line 13: Normal execution of function `(:=)` with args: r = {contents= 14} v = 13 Line 10: Property failure at postcondition of `p1` with: a = {contents= 13} Categorizations of models: - Selected model 0: NC - Concrete RAC: FAILURE (postcondition at "bench/check-ce/jlamp0_poly.mlw", line 10, characters 15-29) - Abstract RAC: FAILURE (postcondition at "bench/check-ce/jlamp0_poly.mlw", line 10, characters 15-29) - Checked model 1: BAD_CE - Concrete RAC: STUCK (failure in precondition of `p1` at "bench/check-ce/jlamp0_poly.mlw", line 8, characters 6-8) - Abstract RAC: STUCK (failure in precondition of `p1` at "bench/check-ce/jlamp0_poly.mlw", line 8, characters 6-8) File "bench/check-ce/jlamp0_poly.mlw", line 10, characters 15-29: Sub-goal Postcondition of goal p1'vc. Prover result is: Unknown or time/memory/step limit. The program does not comply to the verification goal, for example during the following execution: File int.mlw: Line 13: Constant zero initialization zero = 0 Line 14: Constant one initialization one = 1 File jlamp0_poly.mlw: Line 6: a = {contents= 0} Line 8: b = {contents= 5} b = {contents= 5} Execution of main function `p1` with env: a = {contents= 0} b = {contents= 5} zero = 0 one = 1 Line 11: Normal execution of function `(!)` with args: r = {contents= 5} File ref.mlw: Line 18: Normal execution of function `contents` with args: arg = {contents= 5} File jlamp0_poly.mlw: Line 11: Normal execution of function `(!)` with args: r = {contents= 0} File ref.mlw: Line 18: Normal execution of function `contents` with args: arg = {contents= 0} File jlamp0_poly.mlw: Line 11: Normal execution of function `(+)` with args: _ = 0 _ = 5 Normal execution of function `(:=)` with args: r = {contents= 0} v = 5 Line 13: Normal execution of function `(!)` with args: r = {contents= 5} File ref.mlw: Line 18: Normal execution of function `contents` with args: arg = {contents= 5} File jlamp0_poly.mlw: Line 13: Normal execution of function `(>=)` with args: x = 5 y = 10 Normal execution of function `Tuple0` with args: Line 10: Property failure at postcondition of `p1` with: a = {contents= 5} Categorizations of models: - Selected model 0: NC - Concrete RAC: FAILURE (loop invariant init at "bench/check-ce/jlamp0_poly.mlw", line 22, characters 18-31) - Abstract RAC: FAILURE (loop invariant init at "bench/check-ce/jlamp0_poly.mlw", line 22, characters 18-31) - Checked model 1: NC - Concrete RAC: FAILURE (loop invariant init at "bench/check-ce/jlamp0_poly.mlw", line 22, characters 18-31) - Abstract RAC: STUCK (failure in postcondition of `(:=)` at "WHY3DATA/stdlib/ref.mlw", line 20, characters 39-44) File "bench/check-ce/jlamp0_poly.mlw", line 22, characters 18-31: Sub-goal Loop invariant init of goal p2'vc. Prover result is: Unknown or time/memory/step limit. The program does not comply to the verification goal, for example during the following execution: File int.mlw: Line 13: Constant zero initialization zero = 0 Line 14: Constant one initialization one = 1 File jlamp0_poly.mlw: Line 6: a = {contents= 0} Line 15: Constant c initialization (giant-step) execution of unimplemented function with args: result = {contents= 0} c = {contents= 0} Unknown location: _ = () File jlamp0_poly.mlw: Line 17: _ = () Execution of main function `p2` with env: a = {contents= 0} c = {contents= 0} _ = () zero = 0 one = 1 Line 20: Normal execution of function `(:=)` with args: r = {contents= 0} v = 1 Line 22: Property failure at loop invariant init with: c = {contents= 1} File "bench/check-ce/jlamp0_poly.mlw", line 23, characters 18-31: Sub-goal Loop invariant init of goal p2'vc. Prover result is: Valid. Categorizations of models: - Selected model 0: BAD_CE - Concrete RAC: FAILURE (loop invariant init at "bench/check-ce/jlamp0_poly.mlw", line 22, characters 18-31) - Abstract RAC: FAILURE (loop invariant init at "bench/check-ce/jlamp0_poly.mlw", line 22, characters 18-31) - Checked model 1: BAD_CE - Concrete RAC: FAILURE (loop invariant init at "bench/check-ce/jlamp0_poly.mlw", line 22, characters 18-31) - Abstract RAC: STUCK (failure in postcondition of `(:=)` at "WHY3DATA/stdlib/ref.mlw", line 20, characters 39-44) File "bench/check-ce/jlamp0_poly.mlw", line 24, characters 16-18: Sub-goal Loop variant decrease of goal p2'vc. Prover result is: Unknown or time/memory/step limit. Sorry, we don't have a good counterexample for you :( Categorizations of models: - Selected model 0: NC - Concrete RAC: FAILURE (loop invariant init at "bench/check-ce/jlamp0_poly.mlw", line 22, characters 18-31) - Abstract RAC: FAILURE (loop invariant init at "bench/check-ce/jlamp0_poly.mlw", line 22, characters 18-31) - Checked model 1: NC - Concrete RAC: FAILURE (loop invariant init at "bench/check-ce/jlamp0_poly.mlw", line 22, characters 18-31) - Abstract RAC: STUCK (failure in postcondition of `(:=)` at "WHY3DATA/stdlib/ref.mlw", line 20, characters 39-44) File "bench/check-ce/jlamp0_poly.mlw", line 22, characters 18-31: Sub-goal Loop invariant preservation of goal p2'vc. Prover result is: Unknown or time/memory/step limit. The program does not comply to the verification goal, for example during the following execution: File int.mlw: Line 13: Constant zero initialization zero = 0 Line 14: Constant one initialization one = 1 File jlamp0_poly.mlw: Line 6: a = {contents= 0} Line 15: Constant c initialization (giant-step) execution of unimplemented function with args: result = {contents= 0} c = {contents= 0} Unknown location: _ = () File jlamp0_poly.mlw: Line 17: _ = () Execution of main function `p2` with env: a = {contents= 0} c = {contents= 0} _ = () zero = 0 one = 1 Line 20: Normal execution of function `(:=)` with args: r = {contents= 0} v = 1 Line 22: Property failure at loop invariant init with: c = {contents= 1} Categorizations of models: - Selected model 0: BAD_CE - Concrete RAC: FAILURE (loop invariant init at "bench/check-ce/jlamp0_poly.mlw", line 22, characters 18-31) - Abstract RAC: FAILURE (loop invariant init at "bench/check-ce/jlamp0_poly.mlw", line 22, characters 18-31) - Checked model 1: BAD_CE - Concrete RAC: FAILURE (loop invariant init at "bench/check-ce/jlamp0_poly.mlw", line 22, characters 18-31) - Abstract RAC: STUCK (failure in postcondition of `(:=)` at "WHY3DATA/stdlib/ref.mlw", line 20, characters 39-44) File "bench/check-ce/jlamp0_poly.mlw", line 23, characters 18-31: Sub-goal Loop invariant preservation of goal p2'vc. Prover result is: Unknown or time/memory/step limit. Sorry, we don't have a good counterexample for you :( Categorizations of models: - Selected model 0: BAD_CE - Concrete RAC: FAILURE (loop invariant init at "bench/check-ce/jlamp0_poly.mlw", line 22, characters 18-31) - Abstract RAC: FAILURE (loop invariant init at "bench/check-ce/jlamp0_poly.mlw", line 22, characters 18-31) - Checked model 1: BAD_CE - Concrete RAC: FAILURE (loop invariant init at "bench/check-ce/jlamp0_poly.mlw", line 22, characters 18-31) - Abstract RAC: STUCK (failure in postcondition of `(:=)` at "WHY3DATA/stdlib/ref.mlw", line 20, characters 39-44) File "bench/check-ce/jlamp0_poly.mlw", line 19, characters 15-28: Sub-goal Postcondition of goal p2'vc. Prover result is: Unknown or time/memory/step limit. Sorry, we don't have a good counterexample for you :( why3-1.6.0/bench/check-ce/oracles/jlamp_array_mono_CVC4,1.8_SP.oracle000066400000000000000000000242641440160026300247710ustar00rootroot00000000000000File bench/check-ce/jlamp_array_mono.mlw: Goal array'vc. Prover result is: Valid. Categorizations of models: - Checked model 0: INCOMPLETE - Concrete RAC: INCOMPLETE (terminated because Precondition of `f` cannot be evaluated) - Abstract RAC: INCOMPLETE (terminated because Precondition of `f` cannot be evaluated) - Selected model 1: INCOMPLETE - Concrete RAC: INCOMPLETE (terminated because Precondition of `f` cannot be evaluated) - Abstract RAC: INCOMPLETE (terminated because Precondition of `f` cannot be evaluated) File "bench/check-ce/jlamp_array_mono.mlw", line 48, characters 4-16: Sub-goal Index in array bounds of goal f'vc. Prover result is: Unknown or time/memory/step limit. The following counterexample model could not be verified (both RAC terminated because Precondition of `f` cannot be evaluated): File jlamp_array_mono.mlw: Line 8: to_int : t -> int = fun bOUND_VARIABLE_406 -> if {Array.to_int => 3} = bOUND_VARIABLE_406 then 3 else 2 Line 11: two : t = {Array.to_int => 2} Line 14: three : t = {Array.to_int => 3} Line 18: elts : array -> int -> t = [|_ => [|42 => {Array.to_int => 3}; _ => {Array.to_int => 2}|]|] Line 19: length : array -> int = [|_ => 0|] Line 28: mixfix [<-] : array -> int -> t -> array = fun bOUND_VARIABLE_440 bOUND_VARIABLE_441 bOUND_VARIABLE_442 -> {Array.elts = [|42 => {Array.to_int => 3}; _ => {Array.to_int => 2}|]; Array.length = 0} Line 33: a : array = {Array.elts = [|42 => {Array.to_int => 3}; _ => {Array.to_int => 2}|]; Array.length = 0} Line 44: a : array = {Array.elts = [|42 => {Array.to_int => 3}; _ => {Array.to_int => 2}|]; Array.length = 0} Line 48: a : array = {Array.elts = [|42 => {Array.to_int => 3}; _ => {Array.to_int => 2}|]; Array.length = 0} Categorizations of models: - Checked model 0: INCOMPLETE - Concrete RAC: INCOMPLETE (terminated because Precondition of `f` cannot be evaluated) - Abstract RAC: INCOMPLETE (terminated because Precondition of `f` cannot be evaluated) - Selected model 1: INCOMPLETE - Concrete RAC: INCOMPLETE (terminated because Precondition of `f` cannot be evaluated) - Abstract RAC: INCOMPLETE (terminated because Precondition of `f` cannot be evaluated) File "bench/check-ce/jlamp_array_mono.mlw", line 47, characters 14-27: Sub-goal Postcondition of goal f'vc. Prover result is: Unknown or time/memory/step limit. The following counterexample model could not be verified (both RAC terminated because Precondition of `f` cannot be evaluated): File jlamp_array_mono.mlw: Line 8: to_int : t -> int = fun bOUND_VARIABLE_495 -> if {Array.to_int => 3} = bOUND_VARIABLE_495 then 3 else 2 Line 11: two : t = {Array.to_int => 2} Line 14: three : t = {Array.to_int => 3} Line 18: elts : array -> int -> t = fun bOUND_VARIABLE_510 -> if {Array.elts = [|_ => {Array.to_int => 3}|]; Array.length = 0} = bOUND_VARIABLE_510 then [|_ => {Array.to_int => 3}|] else [|42 => {Array.to_int => 2}; _ => {Array.to_int => 3}|] Line 19: length : array -> int = [|_ => 0|] Line 28: mixfix [<-] : array -> int -> t -> array = fun bOUND_VARIABLE_532 bOUND_VARIABLE_533 bOUND_VARIABLE_534 -> {Array.elts = [|42 => {Array.to_int => 2}; _ => {Array.to_int => 3}|]; Array.length = 0} Line 32: a : array = {Array.elts = [|_ => {Array.to_int => 3}|]; Array.length = 0} Line 34: a : array = {Array.elts = [|42 => {Array.to_int => 2}; _ => {Array.to_int => 3}|]; Array.length = 0} old a : array = {Array.elts = [|_ => {Array.to_int => 3}|]; Array.length = 0} Line 44: a : array = {Array.elts = [|_ => {Array.to_int => 3}|]; Array.length = 0} Line 47: a : array = {Array.elts = [|42 => {Array.to_int => 2}; _ => {Array.to_int => 3}|]; Array.length = 0} three : t = {Array.to_int => 3} Line 48: a : array = {Array.elts = [|42 => {Array.to_int => 2}; _ => {Array.to_int => 3}|]; Array.length = 0} File "bench/check-ce/jlamp_array_mono.mlw", line 54, characters 4-16: Sub-goal Index in array bounds of goal g'vc. Prover result is: Valid. Categorizations of models: - Checked model 0: INCOMPLETE - Concrete RAC: INCOMPLETE (terminated because Precondition of `g` cannot be evaluated) - Abstract RAC: INCOMPLETE (terminated because Precondition of `g` cannot be evaluated) - Selected model 1: INCOMPLETE - Concrete RAC: INCOMPLETE (terminated because Precondition of `g` cannot be evaluated) - Abstract RAC: INCOMPLETE (terminated because Precondition of `g` cannot be evaluated) - Checked model 2: INCOMPLETE - Concrete RAC: INCOMPLETE (terminated because Precondition of `g` cannot be evaluated) - Abstract RAC: INCOMPLETE (terminated because Precondition of `g` cannot be evaluated) File "bench/check-ce/jlamp_array_mono.mlw", line 53, characters 14-27: Sub-goal Postcondition of goal g'vc. Prover result is: Unknown or time/memory/step limit. The following counterexample model could not be verified (both RAC terminated because Precondition of `g` cannot be evaluated): File jlamp_array_mono.mlw: Line 8: to_int : t -> int = fun bOUND_VARIABLE_479 -> if {Array.to_int => 3} = bOUND_VARIABLE_479 then 3 else 2 Line 11: two : t = {Array.to_int => 2} Line 14: three : t = {Array.to_int => 3} Line 18: elts : array -> int -> t = [|_ => [|17 => {Array.to_int => 3}; _ => {Array.to_int => 2}|]|] Line 19: length : array -> int = [|_ => 43|] Line 28: mixfix [<-] : array -> int -> t -> array = fun bOUND_VARIABLE_508 bOUND_VARIABLE_509 bOUND_VARIABLE_510 -> {Array.elts = [|17 => {Array.to_int => 3}; _ => {Array.to_int => 2}|]; Array.length = 43} Line 32: a : array = {Array.elts = [|17 => {Array.to_int => 3}; _ => {Array.to_int => 2}|]; Array.length = 43} Line 34: a : array = {Array.elts = [|17 => {Array.to_int => 3}; _ => {Array.to_int => 2}|]; Array.length = 43} old a : array = {Array.elts = [|17 => {Array.to_int => 3}; _ => {Array.to_int => 2}|]; Array.length = 43} Line 50: a : array = {Array.elts = [|17 => {Array.to_int => 3}; _ => {Array.to_int => 2}|]; Array.length = 43} Line 53: a : array = {Array.elts = [|17 => {Array.to_int => 3}; _ => {Array.to_int => 2}|]; Array.length = 43} three : t = {Array.to_int => 3} Line 54: a : array = {Array.elts = [|17 => {Array.to_int => 3}; _ => {Array.to_int => 2}|]; Array.length = 43} File "bench/check-ce/jlamp_array_mono.mlw", line 60, characters 4-16: Sub-goal Index in array bounds of goal h'vc. Prover result is: Valid. Categorizations of models: - Checked model 0: INCOMPLETE - Concrete RAC: INCOMPLETE (terminated because Precondition of `h` cannot be evaluated) - Abstract RAC: INCOMPLETE (terminated because Precondition of `h` cannot be evaluated) - Selected model 1: INCOMPLETE - Concrete RAC: INCOMPLETE (terminated because Precondition of `h` cannot be evaluated) - Abstract RAC: INCOMPLETE (terminated because Precondition of `h` cannot be evaluated) File "bench/check-ce/jlamp_array_mono.mlw", line 59, characters 14-27: Sub-goal Postcondition of goal h'vc. Prover result is: Unknown or time/memory/step limit. The following counterexample model could not be verified (both RAC terminated because Precondition of `h` cannot be evaluated): File jlamp_array_mono.mlw: Line 8: to_int : t -> int = fun bOUND_VARIABLE_519 -> if {Array.to_int => 3} = bOUND_VARIABLE_519 then 3 else 2 Line 11: two : t = {Array.to_int => 2} Line 14: three : t = {Array.to_int => 3} Line 18: elts : array -> int -> t = fun bOUND_VARIABLE_534 -> if {Array.elts = [|17 => {Array.to_int => 3}; 42 => {Array.to_int => 2}; _ => {Array.to_int => 2}|]; Array.length = 43} = bOUND_VARIABLE_534 then [|17 => {Array.to_int => 3}; 42 => {Array.to_int => 2}; _ => {Array.to_int => 2}|] else [|42 => {Array.to_int => 2}; _ => {Array.to_int => 2}|] Line 19: length : array -> int = [|_ => 43|] Line 28: mixfix [<-] : array -> int -> t -> array = fun bOUND_VARIABLE_556 bOUND_VARIABLE_557 bOUND_VARIABLE_558 -> {Array.elts = [|42 => {Array.to_int => 2}; _ => {Array.to_int => 2}|]; Array.length = 43} Line 32: a : array = {Array.elts = [|17 => {Array.to_int => 3}; 42 => {Array.to_int => 2}; _ => {Array.to_int => 2}|]; Array.length = 43} Line 34: a : array = {Array.elts = [|42 => {Array.to_int => 2}; _ => {Array.to_int => 2}|]; Array.length = 43} old a : array = {Array.elts = [|17 => {Array.to_int => 3}; 42 => {Array.to_int => 2}; _ => {Array.to_int => 2}|]; Array.length = 43} Line 56: a : array = {Array.elts = [|17 => {Array.to_int => 3}; 42 => {Array.to_int => 2}; _ => {Array.to_int => 2}|]; Array.length = 43} Line 59: a : array = {Array.elts = [|42 => {Array.to_int => 2}; _ => {Array.to_int => 2}|]; Array.length = 43} three : t = {Array.to_int => 3} Line 60: a : array = {Array.elts = [|42 => {Array.to_int => 2}; _ => {Array.to_int => 2}|]; Array.length = 43} why3-1.6.0/bench/check-ce/oracles/jlamp_array_mono_CVC4,1.8_WP.oracle000066400000000000000000000242641440160026300247750ustar00rootroot00000000000000File bench/check-ce/jlamp_array_mono.mlw: Goal array'vc. Prover result is: Valid. Categorizations of models: - Checked model 0: INCOMPLETE - Concrete RAC: INCOMPLETE (terminated because Precondition of `f` cannot be evaluated) - Abstract RAC: INCOMPLETE (terminated because Precondition of `f` cannot be evaluated) - Selected model 1: INCOMPLETE - Concrete RAC: INCOMPLETE (terminated because Precondition of `f` cannot be evaluated) - Abstract RAC: INCOMPLETE (terminated because Precondition of `f` cannot be evaluated) File "bench/check-ce/jlamp_array_mono.mlw", line 48, characters 4-16: Sub-goal Index in array bounds of goal f'vc. Prover result is: Unknown or time/memory/step limit. The following counterexample model could not be verified (both RAC terminated because Precondition of `f` cannot be evaluated): File jlamp_array_mono.mlw: Line 8: to_int : t -> int = fun bOUND_VARIABLE_406 -> if {Array.to_int => 3} = bOUND_VARIABLE_406 then 3 else 2 Line 11: two : t = {Array.to_int => 2} Line 14: three : t = {Array.to_int => 3} Line 18: elts : array -> int -> t = [|_ => [|42 => {Array.to_int => 3}; _ => {Array.to_int => 2}|]|] Line 19: length : array -> int = [|_ => 0|] Line 28: mixfix [<-] : array -> int -> t -> array = fun bOUND_VARIABLE_440 bOUND_VARIABLE_441 bOUND_VARIABLE_442 -> {Array.elts = [|42 => {Array.to_int => 3}; _ => {Array.to_int => 2}|]; Array.length = 0} Line 33: a : array = {Array.elts = [|42 => {Array.to_int => 3}; _ => {Array.to_int => 2}|]; Array.length = 0} Line 44: a : array = {Array.elts = [|42 => {Array.to_int => 3}; _ => {Array.to_int => 2}|]; Array.length = 0} Line 48: a : array = {Array.elts = [|42 => {Array.to_int => 3}; _ => {Array.to_int => 2}|]; Array.length = 0} Categorizations of models: - Checked model 0: INCOMPLETE - Concrete RAC: INCOMPLETE (terminated because Precondition of `f` cannot be evaluated) - Abstract RAC: INCOMPLETE (terminated because Precondition of `f` cannot be evaluated) - Selected model 1: INCOMPLETE - Concrete RAC: INCOMPLETE (terminated because Precondition of `f` cannot be evaluated) - Abstract RAC: INCOMPLETE (terminated because Precondition of `f` cannot be evaluated) File "bench/check-ce/jlamp_array_mono.mlw", line 47, characters 14-27: Sub-goal Postcondition of goal f'vc. Prover result is: Unknown or time/memory/step limit. The following counterexample model could not be verified (both RAC terminated because Precondition of `f` cannot be evaluated): File jlamp_array_mono.mlw: Line 8: to_int : t -> int = fun bOUND_VARIABLE_495 -> if {Array.to_int => 3} = bOUND_VARIABLE_495 then 3 else 2 Line 11: two : t = {Array.to_int => 2} Line 14: three : t = {Array.to_int => 3} Line 18: elts : array -> int -> t = fun bOUND_VARIABLE_510 -> if {Array.elts = [|_ => {Array.to_int => 3}|]; Array.length = 0} = bOUND_VARIABLE_510 then [|_ => {Array.to_int => 3}|] else [|42 => {Array.to_int => 2}; _ => {Array.to_int => 3}|] Line 19: length : array -> int = [|_ => 0|] Line 28: mixfix [<-] : array -> int -> t -> array = fun bOUND_VARIABLE_532 bOUND_VARIABLE_533 bOUND_VARIABLE_534 -> {Array.elts = [|42 => {Array.to_int => 2}; _ => {Array.to_int => 3}|]; Array.length = 0} Line 32: a : array = {Array.elts = [|_ => {Array.to_int => 3}|]; Array.length = 0} Line 34: a : array = {Array.elts = [|42 => {Array.to_int => 2}; _ => {Array.to_int => 3}|]; Array.length = 0} old a : array = {Array.elts = [|_ => {Array.to_int => 3}|]; Array.length = 0} Line 44: a : array = {Array.elts = [|_ => {Array.to_int => 3}|]; Array.length = 0} Line 47: a : array = {Array.elts = [|42 => {Array.to_int => 2}; _ => {Array.to_int => 3}|]; Array.length = 0} three : t = {Array.to_int => 3} Line 48: a : array = {Array.elts = [|42 => {Array.to_int => 2}; _ => {Array.to_int => 3}|]; Array.length = 0} File "bench/check-ce/jlamp_array_mono.mlw", line 54, characters 4-16: Sub-goal Index in array bounds of goal g'vc. Prover result is: Valid. Categorizations of models: - Checked model 0: INCOMPLETE - Concrete RAC: INCOMPLETE (terminated because Precondition of `g` cannot be evaluated) - Abstract RAC: INCOMPLETE (terminated because Precondition of `g` cannot be evaluated) - Selected model 1: INCOMPLETE - Concrete RAC: INCOMPLETE (terminated because Precondition of `g` cannot be evaluated) - Abstract RAC: INCOMPLETE (terminated because Precondition of `g` cannot be evaluated) - Checked model 2: INCOMPLETE - Concrete RAC: INCOMPLETE (terminated because Precondition of `g` cannot be evaluated) - Abstract RAC: INCOMPLETE (terminated because Precondition of `g` cannot be evaluated) File "bench/check-ce/jlamp_array_mono.mlw", line 53, characters 14-27: Sub-goal Postcondition of goal g'vc. Prover result is: Unknown or time/memory/step limit. The following counterexample model could not be verified (both RAC terminated because Precondition of `g` cannot be evaluated): File jlamp_array_mono.mlw: Line 8: to_int : t -> int = fun bOUND_VARIABLE_479 -> if {Array.to_int => 3} = bOUND_VARIABLE_479 then 3 else 2 Line 11: two : t = {Array.to_int => 2} Line 14: three : t = {Array.to_int => 3} Line 18: elts : array -> int -> t = [|_ => [|17 => {Array.to_int => 3}; _ => {Array.to_int => 2}|]|] Line 19: length : array -> int = [|_ => 43|] Line 28: mixfix [<-] : array -> int -> t -> array = fun bOUND_VARIABLE_508 bOUND_VARIABLE_509 bOUND_VARIABLE_510 -> {Array.elts = [|17 => {Array.to_int => 3}; _ => {Array.to_int => 2}|]; Array.length = 43} Line 32: a : array = {Array.elts = [|17 => {Array.to_int => 3}; _ => {Array.to_int => 2}|]; Array.length = 43} Line 34: a : array = {Array.elts = [|17 => {Array.to_int => 3}; _ => {Array.to_int => 2}|]; Array.length = 43} old a : array = {Array.elts = [|17 => {Array.to_int => 3}; _ => {Array.to_int => 2}|]; Array.length = 43} Line 50: a : array = {Array.elts = [|17 => {Array.to_int => 3}; _ => {Array.to_int => 2}|]; Array.length = 43} Line 53: a : array = {Array.elts = [|17 => {Array.to_int => 3}; _ => {Array.to_int => 2}|]; Array.length = 43} three : t = {Array.to_int => 3} Line 54: a : array = {Array.elts = [|17 => {Array.to_int => 3}; _ => {Array.to_int => 2}|]; Array.length = 43} File "bench/check-ce/jlamp_array_mono.mlw", line 60, characters 4-16: Sub-goal Index in array bounds of goal h'vc. Prover result is: Valid. Categorizations of models: - Checked model 0: INCOMPLETE - Concrete RAC: INCOMPLETE (terminated because Precondition of `h` cannot be evaluated) - Abstract RAC: INCOMPLETE (terminated because Precondition of `h` cannot be evaluated) - Selected model 1: INCOMPLETE - Concrete RAC: INCOMPLETE (terminated because Precondition of `h` cannot be evaluated) - Abstract RAC: INCOMPLETE (terminated because Precondition of `h` cannot be evaluated) File "bench/check-ce/jlamp_array_mono.mlw", line 59, characters 14-27: Sub-goal Postcondition of goal h'vc. Prover result is: Unknown or time/memory/step limit. The following counterexample model could not be verified (both RAC terminated because Precondition of `h` cannot be evaluated): File jlamp_array_mono.mlw: Line 8: to_int : t -> int = fun bOUND_VARIABLE_519 -> if {Array.to_int => 3} = bOUND_VARIABLE_519 then 3 else 2 Line 11: two : t = {Array.to_int => 2} Line 14: three : t = {Array.to_int => 3} Line 18: elts : array -> int -> t = fun bOUND_VARIABLE_534 -> if {Array.elts = [|17 => {Array.to_int => 3}; 42 => {Array.to_int => 2}; _ => {Array.to_int => 2}|]; Array.length = 43} = bOUND_VARIABLE_534 then [|17 => {Array.to_int => 3}; 42 => {Array.to_int => 2}; _ => {Array.to_int => 2}|] else [|42 => {Array.to_int => 2}; _ => {Array.to_int => 2}|] Line 19: length : array -> int = [|_ => 43|] Line 28: mixfix [<-] : array -> int -> t -> array = fun bOUND_VARIABLE_556 bOUND_VARIABLE_557 bOUND_VARIABLE_558 -> {Array.elts = [|42 => {Array.to_int => 2}; _ => {Array.to_int => 2}|]; Array.length = 43} Line 32: a : array = {Array.elts = [|17 => {Array.to_int => 3}; 42 => {Array.to_int => 2}; _ => {Array.to_int => 2}|]; Array.length = 43} Line 34: a : array = {Array.elts = [|42 => {Array.to_int => 2}; _ => {Array.to_int => 2}|]; Array.length = 43} old a : array = {Array.elts = [|17 => {Array.to_int => 3}; 42 => {Array.to_int => 2}; _ => {Array.to_int => 2}|]; Array.length = 43} Line 56: a : array = {Array.elts = [|17 => {Array.to_int => 3}; 42 => {Array.to_int => 2}; _ => {Array.to_int => 2}|]; Array.length = 43} Line 59: a : array = {Array.elts = [|42 => {Array.to_int => 2}; _ => {Array.to_int => 2}|]; Array.length = 43} three : t = {Array.to_int => 3} Line 60: a : array = {Array.elts = [|42 => {Array.to_int => 2}; _ => {Array.to_int => 2}|]; Array.length = 43} why3-1.6.0/bench/check-ce/oracles/jlamp_array_mono_CVC5,1.0.0_SP.oracle000066400000000000000000000232621440160026300251150ustar00rootroot00000000000000File bench/check-ce/jlamp_array_mono.mlw: Goal array'vc. Prover result is: Valid. Categorizations of models: - Checked model 0: INCOMPLETE - Concrete RAC: INCOMPLETE (terminated because Precondition of `f` cannot be evaluated) - Abstract RAC: INCOMPLETE (terminated because Precondition of `f` cannot be evaluated) - Selected model 1: INCOMPLETE - Concrete RAC: INCOMPLETE (terminated because Precondition of `f` cannot be evaluated) - Abstract RAC: INCOMPLETE (terminated because Precondition of `f` cannot be evaluated) File "bench/check-ce/jlamp_array_mono.mlw", line 48, characters 4-16: Sub-goal Index in array bounds of goal f'vc. Prover result is: Unknown or time/memory/step limit. The following counterexample model could not be verified (both RAC terminated because Precondition of `f` cannot be evaluated): File jlamp_array_mono.mlw: Line 8: to_int : t -> int = fun _arg_1 -> if {Array.to_int => 3} = _arg_1 then 3 else 2 Line 11: two : t = {Array.to_int => 2} Line 14: three : t = {Array.to_int => 3} Line 18: elts : array -> int -> t = [|_ => [|42 => {Array.to_int => 3}; _ => {Array.to_int => 2}|]|] Line 19: length : array -> int = [|_ => 0|] Line 28: mixfix [<-] : array -> int -> t -> array = fun bOUND_VARIABLE_566 bOUND_VARIABLE_567 bOUND_VARIABLE_568 -> {Array.elts = [|42 => {Array.to_int => 3}; _ => {Array.to_int => 2}|]; Array.length = 0} Line 33: a : array = {Array.elts = [|42 => {Array.to_int => 3}; _ => {Array.to_int => 2}|]; Array.length = 0} Line 44: a : array = {Array.elts = [|42 => {Array.to_int => 3}; _ => {Array.to_int => 2}|]; Array.length = 0} Line 48: a : array = {Array.elts = [|42 => {Array.to_int => 3}; _ => {Array.to_int => 2}|]; Array.length = 0} Categorizations of models: - Checked model 0: INCOMPLETE - Concrete RAC: INCOMPLETE (terminated because Precondition of `f` cannot be evaluated) - Abstract RAC: INCOMPLETE (terminated because Precondition of `f` cannot be evaluated) - Selected model 1: INCOMPLETE - Concrete RAC: INCOMPLETE (terminated because Precondition of `f` cannot be evaluated) - Abstract RAC: INCOMPLETE (terminated because Precondition of `f` cannot be evaluated) File "bench/check-ce/jlamp_array_mono.mlw", line 47, characters 14-27: Sub-goal Postcondition of goal f'vc. Prover result is: Unknown or time/memory/step limit. The following counterexample model could not be verified (both RAC terminated because Precondition of `f` cannot be evaluated): File jlamp_array_mono.mlw: Line 8: to_int : t -> int = fun _arg_1 -> if {Array.to_int => 3} = _arg_1 then 3 else 2 Line 11: two : t = {Array.to_int => 2} Line 14: three : t = {Array.to_int => 3} Line 18: elts : array -> int -> t = fun _arg_1 -> if {Array.elts = [|_ => {Array.to_int => 3}|]; Array.length = 0} = _arg_1 then [|_ => {Array.to_int => 3}|] else [|42 => {Array.to_int => 2}; _ => {Array.to_int => 3}|] Line 19: length : array -> int = [|_ => 0|] Line 28: mixfix [<-] : array -> int -> t -> array = fun _arg_1 _arg_2 _arg_3 -> {Array.elts = [|42 => {Array.to_int => 2}; _ => {Array.to_int => 3}|]; Array.length = 0} Line 32: a : array = {Array.elts = [|_ => {Array.to_int => 3}|]; Array.length = 0} Line 34: a : array = {Array.elts = [|42 => {Array.to_int => 2}; _ => {Array.to_int => 3}|]; Array.length = 0} old a : array = {Array.elts = [|_ => {Array.to_int => 3}|]; Array.length = 0} Line 44: a : array = {Array.elts = [|_ => {Array.to_int => 3}|]; Array.length = 0} Line 47: a : array = {Array.elts = [|42 => {Array.to_int => 2}; _ => {Array.to_int => 3}|]; Array.length = 0} three : t = {Array.to_int => 3} Line 48: a : array = {Array.elts = [|42 => {Array.to_int => 2}; _ => {Array.to_int => 3}|]; Array.length = 0} File "bench/check-ce/jlamp_array_mono.mlw", line 54, characters 4-16: Sub-goal Index in array bounds of goal g'vc. Prover result is: Valid. Categorizations of models: - Selected model 0: INCOMPLETE - Concrete RAC: INCOMPLETE (terminated because Precondition of `g` cannot be evaluated) - Abstract RAC: INCOMPLETE (terminated because Precondition of `g` cannot be evaluated) - Checked model 1: INCOMPLETE - Concrete RAC: INCOMPLETE (terminated because Precondition of `g` cannot be evaluated) - Abstract RAC: INCOMPLETE (terminated because Precondition of `g` cannot be evaluated) File "bench/check-ce/jlamp_array_mono.mlw", line 53, characters 14-27: Sub-goal Postcondition of goal g'vc. Prover result is: Unknown or time/memory/step limit. The following counterexample model could not be verified (both RAC terminated because Precondition of `g` cannot be evaluated): File jlamp_array_mono.mlw: Line 8: to_int : t -> int = fun _arg_1 -> if {Array.to_int => 3} = _arg_1 then 3 else 2 Line 11: two : t = {Array.to_int => 2} Line 14: three : t = {Array.to_int => 3} Line 18: elts : array -> int -> t = [|_ => [|17 => {Array.to_int => 3}; _ => {Array.to_int => 2}|]|] Line 19: length : array -> int = [|_ => 43|] Line 28: mixfix [<-] : array -> int -> t -> array = fun _arg_1 _arg_2 _arg_3 -> {Array.elts = [|17 => {Array.to_int => 3}; _ => {Array.to_int => 2}|]; Array.length = 43} Line 32: a : array = {Array.elts = [|17 => {Array.to_int => 3}; _ => {Array.to_int => 2}|]; Array.length = 43} Line 34: a : array = {Array.elts = [|17 => {Array.to_int => 3}; _ => {Array.to_int => 2}|]; Array.length = 43} old a : array = {Array.elts = [|17 => {Array.to_int => 3}; _ => {Array.to_int => 2}|]; Array.length = 43} Line 50: a : array = {Array.elts = [|17 => {Array.to_int => 3}; _ => {Array.to_int => 2}|]; Array.length = 43} Line 53: a : array = {Array.elts = [|17 => {Array.to_int => 3}; _ => {Array.to_int => 2}|]; Array.length = 43} three : t = {Array.to_int => 3} Line 54: a : array = {Array.elts = [|17 => {Array.to_int => 3}; _ => {Array.to_int => 2}|]; Array.length = 43} File "bench/check-ce/jlamp_array_mono.mlw", line 60, characters 4-16: Sub-goal Index in array bounds of goal h'vc. Prover result is: Valid. Categorizations of models: - Checked model 0: INCOMPLETE - Concrete RAC: INCOMPLETE (terminated because Precondition of `h` cannot be evaluated) - Abstract RAC: INCOMPLETE (terminated because Precondition of `h` cannot be evaluated) - Selected model 1: INCOMPLETE - Concrete RAC: INCOMPLETE (terminated because Precondition of `h` cannot be evaluated) - Abstract RAC: INCOMPLETE (terminated because Precondition of `h` cannot be evaluated) File "bench/check-ce/jlamp_array_mono.mlw", line 59, characters 14-27: Sub-goal Postcondition of goal h'vc. Prover result is: Unknown or time/memory/step limit. The following counterexample model could not be verified (both RAC terminated because Precondition of `h` cannot be evaluated): File jlamp_array_mono.mlw: Line 8: to_int : t -> int = fun _arg_1 -> if {Array.to_int => 3} = _arg_1 then 3 else 2 Line 11: two : t = {Array.to_int => 2} Line 14: three : t = {Array.to_int => 3} Line 18: elts : array -> int -> t = fun _arg_1 -> if {Array.elts = [|17 => {Array.to_int => 3}; 42 => {Array.to_int => 2}; _ => {Array.to_int => 2}|]; Array.length = 43} = _arg_1 then [|17 => {Array.to_int => 3}; 42 => {Array.to_int => 2}; _ => {Array.to_int => 2}|] else [|42 => {Array.to_int => 2}; _ => {Array.to_int => 2}|] Line 19: length : array -> int = [|_ => 43|] Line 28: mixfix [<-] : array -> int -> t -> array = fun _arg_1 _arg_2 _arg_3 -> {Array.elts = [|42 => {Array.to_int => 2}; _ => {Array.to_int => 2}|]; Array.length = 43} Line 32: a : array = {Array.elts = [|17 => {Array.to_int => 3}; 42 => {Array.to_int => 2}; _ => {Array.to_int => 2}|]; Array.length = 43} Line 34: a : array = {Array.elts = [|42 => {Array.to_int => 2}; _ => {Array.to_int => 2}|]; Array.length = 43} old a : array = {Array.elts = [|17 => {Array.to_int => 3}; 42 => {Array.to_int => 2}; _ => {Array.to_int => 2}|]; Array.length = 43} Line 56: a : array = {Array.elts = [|17 => {Array.to_int => 3}; 42 => {Array.to_int => 2}; _ => {Array.to_int => 2}|]; Array.length = 43} Line 59: a : array = {Array.elts = [|42 => {Array.to_int => 2}; _ => {Array.to_int => 2}|]; Array.length = 43} three : t = {Array.to_int => 3} Line 60: a : array = {Array.elts = [|42 => {Array.to_int => 2}; _ => {Array.to_int => 2}|]; Array.length = 43} why3-1.6.0/bench/check-ce/oracles/jlamp_array_mono_CVC5,1.0.0_WP.oracle000066400000000000000000000232621440160026300251210ustar00rootroot00000000000000File bench/check-ce/jlamp_array_mono.mlw: Goal array'vc. Prover result is: Valid. Categorizations of models: - Checked model 0: INCOMPLETE - Concrete RAC: INCOMPLETE (terminated because Precondition of `f` cannot be evaluated) - Abstract RAC: INCOMPLETE (terminated because Precondition of `f` cannot be evaluated) - Selected model 1: INCOMPLETE - Concrete RAC: INCOMPLETE (terminated because Precondition of `f` cannot be evaluated) - Abstract RAC: INCOMPLETE (terminated because Precondition of `f` cannot be evaluated) File "bench/check-ce/jlamp_array_mono.mlw", line 48, characters 4-16: Sub-goal Index in array bounds of goal f'vc. Prover result is: Unknown or time/memory/step limit. The following counterexample model could not be verified (both RAC terminated because Precondition of `f` cannot be evaluated): File jlamp_array_mono.mlw: Line 8: to_int : t -> int = fun _arg_1 -> if {Array.to_int => 3} = _arg_1 then 3 else 2 Line 11: two : t = {Array.to_int => 2} Line 14: three : t = {Array.to_int => 3} Line 18: elts : array -> int -> t = [|_ => [|42 => {Array.to_int => 3}; _ => {Array.to_int => 2}|]|] Line 19: length : array -> int = [|_ => 0|] Line 28: mixfix [<-] : array -> int -> t -> array = fun bOUND_VARIABLE_566 bOUND_VARIABLE_567 bOUND_VARIABLE_568 -> {Array.elts = [|42 => {Array.to_int => 3}; _ => {Array.to_int => 2}|]; Array.length = 0} Line 33: a : array = {Array.elts = [|42 => {Array.to_int => 3}; _ => {Array.to_int => 2}|]; Array.length = 0} Line 44: a : array = {Array.elts = [|42 => {Array.to_int => 3}; _ => {Array.to_int => 2}|]; Array.length = 0} Line 48: a : array = {Array.elts = [|42 => {Array.to_int => 3}; _ => {Array.to_int => 2}|]; Array.length = 0} Categorizations of models: - Checked model 0: INCOMPLETE - Concrete RAC: INCOMPLETE (terminated because Precondition of `f` cannot be evaluated) - Abstract RAC: INCOMPLETE (terminated because Precondition of `f` cannot be evaluated) - Selected model 1: INCOMPLETE - Concrete RAC: INCOMPLETE (terminated because Precondition of `f` cannot be evaluated) - Abstract RAC: INCOMPLETE (terminated because Precondition of `f` cannot be evaluated) File "bench/check-ce/jlamp_array_mono.mlw", line 47, characters 14-27: Sub-goal Postcondition of goal f'vc. Prover result is: Unknown or time/memory/step limit. The following counterexample model could not be verified (both RAC terminated because Precondition of `f` cannot be evaluated): File jlamp_array_mono.mlw: Line 8: to_int : t -> int = fun _arg_1 -> if {Array.to_int => 3} = _arg_1 then 3 else 2 Line 11: two : t = {Array.to_int => 2} Line 14: three : t = {Array.to_int => 3} Line 18: elts : array -> int -> t = fun _arg_1 -> if {Array.elts = [|_ => {Array.to_int => 3}|]; Array.length = 0} = _arg_1 then [|_ => {Array.to_int => 3}|] else [|42 => {Array.to_int => 2}; _ => {Array.to_int => 3}|] Line 19: length : array -> int = [|_ => 0|] Line 28: mixfix [<-] : array -> int -> t -> array = fun _arg_1 _arg_2 _arg_3 -> {Array.elts = [|42 => {Array.to_int => 2}; _ => {Array.to_int => 3}|]; Array.length = 0} Line 32: a : array = {Array.elts = [|_ => {Array.to_int => 3}|]; Array.length = 0} Line 34: a : array = {Array.elts = [|42 => {Array.to_int => 2}; _ => {Array.to_int => 3}|]; Array.length = 0} old a : array = {Array.elts = [|_ => {Array.to_int => 3}|]; Array.length = 0} Line 44: a : array = {Array.elts = [|_ => {Array.to_int => 3}|]; Array.length = 0} Line 47: a : array = {Array.elts = [|42 => {Array.to_int => 2}; _ => {Array.to_int => 3}|]; Array.length = 0} three : t = {Array.to_int => 3} Line 48: a : array = {Array.elts = [|42 => {Array.to_int => 2}; _ => {Array.to_int => 3}|]; Array.length = 0} File "bench/check-ce/jlamp_array_mono.mlw", line 54, characters 4-16: Sub-goal Index in array bounds of goal g'vc. Prover result is: Valid. Categorizations of models: - Selected model 0: INCOMPLETE - Concrete RAC: INCOMPLETE (terminated because Precondition of `g` cannot be evaluated) - Abstract RAC: INCOMPLETE (terminated because Precondition of `g` cannot be evaluated) - Checked model 1: INCOMPLETE - Concrete RAC: INCOMPLETE (terminated because Precondition of `g` cannot be evaluated) - Abstract RAC: INCOMPLETE (terminated because Precondition of `g` cannot be evaluated) File "bench/check-ce/jlamp_array_mono.mlw", line 53, characters 14-27: Sub-goal Postcondition of goal g'vc. Prover result is: Unknown or time/memory/step limit. The following counterexample model could not be verified (both RAC terminated because Precondition of `g` cannot be evaluated): File jlamp_array_mono.mlw: Line 8: to_int : t -> int = fun _arg_1 -> if {Array.to_int => 3} = _arg_1 then 3 else 2 Line 11: two : t = {Array.to_int => 2} Line 14: three : t = {Array.to_int => 3} Line 18: elts : array -> int -> t = [|_ => [|17 => {Array.to_int => 3}; _ => {Array.to_int => 2}|]|] Line 19: length : array -> int = [|_ => 43|] Line 28: mixfix [<-] : array -> int -> t -> array = fun _arg_1 _arg_2 _arg_3 -> {Array.elts = [|17 => {Array.to_int => 3}; _ => {Array.to_int => 2}|]; Array.length = 43} Line 32: a : array = {Array.elts = [|17 => {Array.to_int => 3}; _ => {Array.to_int => 2}|]; Array.length = 43} Line 34: a : array = {Array.elts = [|17 => {Array.to_int => 3}; _ => {Array.to_int => 2}|]; Array.length = 43} old a : array = {Array.elts = [|17 => {Array.to_int => 3}; _ => {Array.to_int => 2}|]; Array.length = 43} Line 50: a : array = {Array.elts = [|17 => {Array.to_int => 3}; _ => {Array.to_int => 2}|]; Array.length = 43} Line 53: a : array = {Array.elts = [|17 => {Array.to_int => 3}; _ => {Array.to_int => 2}|]; Array.length = 43} three : t = {Array.to_int => 3} Line 54: a : array = {Array.elts = [|17 => {Array.to_int => 3}; _ => {Array.to_int => 2}|]; Array.length = 43} File "bench/check-ce/jlamp_array_mono.mlw", line 60, characters 4-16: Sub-goal Index in array bounds of goal h'vc. Prover result is: Valid. Categorizations of models: - Checked model 0: INCOMPLETE - Concrete RAC: INCOMPLETE (terminated because Precondition of `h` cannot be evaluated) - Abstract RAC: INCOMPLETE (terminated because Precondition of `h` cannot be evaluated) - Selected model 1: INCOMPLETE - Concrete RAC: INCOMPLETE (terminated because Precondition of `h` cannot be evaluated) - Abstract RAC: INCOMPLETE (terminated because Precondition of `h` cannot be evaluated) File "bench/check-ce/jlamp_array_mono.mlw", line 59, characters 14-27: Sub-goal Postcondition of goal h'vc. Prover result is: Unknown or time/memory/step limit. The following counterexample model could not be verified (both RAC terminated because Precondition of `h` cannot be evaluated): File jlamp_array_mono.mlw: Line 8: to_int : t -> int = fun _arg_1 -> if {Array.to_int => 3} = _arg_1 then 3 else 2 Line 11: two : t = {Array.to_int => 2} Line 14: three : t = {Array.to_int => 3} Line 18: elts : array -> int -> t = fun _arg_1 -> if {Array.elts = [|17 => {Array.to_int => 3}; 42 => {Array.to_int => 2}; _ => {Array.to_int => 2}|]; Array.length = 43} = _arg_1 then [|17 => {Array.to_int => 3}; 42 => {Array.to_int => 2}; _ => {Array.to_int => 2}|] else [|42 => {Array.to_int => 2}; _ => {Array.to_int => 2}|] Line 19: length : array -> int = [|_ => 43|] Line 28: mixfix [<-] : array -> int -> t -> array = fun _arg_1 _arg_2 _arg_3 -> {Array.elts = [|42 => {Array.to_int => 2}; _ => {Array.to_int => 2}|]; Array.length = 43} Line 32: a : array = {Array.elts = [|17 => {Array.to_int => 3}; 42 => {Array.to_int => 2}; _ => {Array.to_int => 2}|]; Array.length = 43} Line 34: a : array = {Array.elts = [|42 => {Array.to_int => 2}; _ => {Array.to_int => 2}|]; Array.length = 43} old a : array = {Array.elts = [|17 => {Array.to_int => 3}; 42 => {Array.to_int => 2}; _ => {Array.to_int => 2}|]; Array.length = 43} Line 56: a : array = {Array.elts = [|17 => {Array.to_int => 3}; 42 => {Array.to_int => 2}; _ => {Array.to_int => 2}|]; Array.length = 43} Line 59: a : array = {Array.elts = [|42 => {Array.to_int => 2}; _ => {Array.to_int => 2}|]; Array.length = 43} three : t = {Array.to_int => 3} Line 60: a : array = {Array.elts = [|42 => {Array.to_int => 2}; _ => {Array.to_int => 2}|]; Array.length = 43} why3-1.6.0/bench/check-ce/oracles/jlamp_array_mono_Z3,4.8.10_SP.oracle000066400000000000000000000165611440160026300250110ustar00rootroot00000000000000File bench/check-ce/jlamp_array_mono.mlw: Goal array'vc. Prover result is: Valid. Categorizations of models: - Selected model 0: INCOMPLETE - Concrete RAC: INCOMPLETE (terminated because Precondition of `f` cannot be evaluated) - Abstract RAC: INCOMPLETE (terminated because Precondition of `f` cannot be evaluated) - Checked model 1: INCOMPLETE - Concrete RAC: INCOMPLETE (terminated because Precondition of `f` cannot be evaluated) - Abstract RAC: INCOMPLETE (terminated because Precondition of `f` cannot be evaluated) File "bench/check-ce/jlamp_array_mono.mlw", line 48, characters 4-16: Sub-goal Index in array bounds of goal f'vc. Prover result is: Unknown or time/memory/step limit. The following counterexample model could not be verified (both RAC terminated because Precondition of `f` cannot be evaluated): File jlamp_array_mono.mlw: Line 8: to_int : t -> int = [|{Array.to_int => 2} => 2; {Array.to_int => 3} => 3; _ => 2|] Line 11: two : t = {Array.to_int => 2} Line 14: three : t = {Array.to_int => 3} Line 19: length : array -> int = [|epsilon x. (Array.length x) = 0 => 0; _ => 0|] Line 22: mixfix [] : array -> int -> t = fun x!0 x!1 -> {Array.to_int => 3} Line 28: mixfix [<-] : array -> int -> t -> array = fun x!0 x!1 x!2 -> epsilon x. (Array.length x) = 0 Line 33: a : array = epsilon x. (Array.length x) = 0 Line 44: a : array = epsilon x. (Array.length x) = 0 Line 48: a : array = epsilon x. (Array.length x) = 0 Categorizations of models: - Selected model 0: INCOMPLETE - Concrete RAC: INCOMPLETE (terminated because Precondition of `f` cannot be evaluated) - Abstract RAC: INCOMPLETE (terminated because Precondition of `f` cannot be evaluated) - Checked model 1: INCOMPLETE - Concrete RAC: INCOMPLETE (terminated because Precondition of `f` cannot be evaluated) - Abstract RAC: INCOMPLETE (terminated because Precondition of `f` cannot be evaluated) File "bench/check-ce/jlamp_array_mono.mlw", line 47, characters 14-27: Sub-goal Postcondition of goal f'vc. Prover result is: Unknown or time/memory/step limit. The following counterexample model could not be verified (both RAC terminated because Precondition of `f` cannot be evaluated): File jlamp_array_mono.mlw: Line 8: to_int : t -> int = [|{Array.to_int => 2} => 2; {Array.to_int => 3} => 3; _ => 2|] Line 11: two : t = {Array.to_int => 2} Line 14: three : t = {Array.to_int => 3} Line 19: length : array -> int = [|epsilon x. (Array.length x) = 4 => 4; epsilon x. (Array.length x) = 4 => 4; _ => 4|] Line 28: mixfix [<-] : array -> int -> t -> array = fun x!01 x!11 x!2 -> if x!01 = epsilon x. (Array.length x) = 4 /\ x!11 = 42 /\ x!2 = {Array.to_int => 2} then epsilon x. (Array.length x) = 4 else epsilon x. (Array.length x) = 4 Line 32: a : array = epsilon x. (Array.length x) = 4 Line 34: a : array = epsilon x. (Array.length x) = 4 old a : array = epsilon x. (Array.length x) = 4 Line 44: a : array = epsilon x. (Array.length x) = 4 Line 47: a : array = epsilon x. (Array.length x) = 4 three : t = {Array.to_int => 3} Line 48: a : array = epsilon x. (Array.length x) = 4 File "bench/check-ce/jlamp_array_mono.mlw", line 54, characters 4-16: Sub-goal Index in array bounds of goal g'vc. Prover result is: Valid. Categorizations of models: - Selected model 0: INCOMPLETE - Concrete RAC: INCOMPLETE (terminated because Precondition of `g` cannot be evaluated) - Abstract RAC: INCOMPLETE (terminated because Precondition of `g` cannot be evaluated) - Checked model 1: INCOMPLETE - Concrete RAC: INCOMPLETE (terminated because Precondition of `g` cannot be evaluated) - Abstract RAC: INCOMPLETE (terminated because Precondition of `g` cannot be evaluated) File "bench/check-ce/jlamp_array_mono.mlw", line 53, characters 14-27: Sub-goal Postcondition of goal g'vc. Prover result is: Unknown or time/memory/step limit. The following counterexample model could not be verified (both RAC terminated because Precondition of `g` cannot be evaluated): File jlamp_array_mono.mlw: Line 8: to_int : t -> int = [|{Array.to_int => 2} => 2; {Array.to_int => 3} => 3; _ => 2|] Line 11: two : t = {Array.to_int => 2} Line 14: three : t = {Array.to_int => 3} Line 19: length : array -> int = [|epsilon x. (Array.length x) = 43 => 43; epsilon x. (Array.length x) = 43 => 43; _ => 43|] Line 28: mixfix [<-] : array -> int -> t -> array = fun x!02 x!11 x!2 -> if x!02 = epsilon x. (Array.length x) = 43 /\ x!11 = 42 /\ x!2 = {Array.to_int => 2} then epsilon x. (Array.length x) = 43 else epsilon x. (Array.length x) = 43 Line 32: a : array = epsilon x. (Array.length x) = 43 Line 34: a : array = epsilon x. (Array.length x) = 43 old a : array = epsilon x. (Array.length x) = 43 Line 50: a : array = epsilon x. (Array.length x) = 43 Line 53: a : array = epsilon x. (Array.length x) = 43 three : t = {Array.to_int => 3} Line 54: a : array = epsilon x. (Array.length x) = 43 File "bench/check-ce/jlamp_array_mono.mlw", line 60, characters 4-16: Sub-goal Index in array bounds of goal h'vc. Prover result is: Valid. Categorizations of models: - Selected model 0: INCOMPLETE - Concrete RAC: INCOMPLETE (terminated because Precondition of `h` cannot be evaluated) - Abstract RAC: INCOMPLETE (terminated because Precondition of `h` cannot be evaluated) - Checked model 1: INCOMPLETE - Concrete RAC: INCOMPLETE (terminated because Precondition of `h` cannot be evaluated) - Abstract RAC: INCOMPLETE (terminated because Precondition of `h` cannot be evaluated) File "bench/check-ce/jlamp_array_mono.mlw", line 59, characters 14-27: Sub-goal Postcondition of goal h'vc. Prover result is: Unknown or time/memory/step limit. The following counterexample model could not be verified (both RAC terminated because Precondition of `h` cannot be evaluated): File jlamp_array_mono.mlw: Line 8: to_int : t -> int = [|{Array.to_int => 2} => 2; {Array.to_int => 3} => 3; _ => 2|] Line 11: two : t = {Array.to_int => 2} Line 14: three : t = {Array.to_int => 3} Line 19: length : array -> int = [|epsilon x. (Array.length x) = 43 => 43; epsilon x. (Array.length x) = 43 => 43; _ => 43|] Line 28: mixfix [<-] : array -> int -> t -> array = fun x!03 x!11 x!2 -> if x!03 = epsilon x. (Array.length x) = 43 /\ x!11 = 17 /\ x!2 = {Array.to_int => 2} then epsilon x. (Array.length x) = 43 else epsilon x. (Array.length x) = 43 Line 32: a : array = epsilon x. (Array.length x) = 43 Line 34: a : array = epsilon x. (Array.length x) = 43 old a : array = epsilon x. (Array.length x) = 43 Line 56: a : array = epsilon x. (Array.length x) = 43 Line 59: a : array = epsilon x. (Array.length x) = 43 three : t = {Array.to_int => 3} Line 60: a : array = epsilon x. (Array.length x) = 43 why3-1.6.0/bench/check-ce/oracles/jlamp_array_mono_Z3,4.8.10_WP.oracle000066400000000000000000000165611440160026300250150ustar00rootroot00000000000000File bench/check-ce/jlamp_array_mono.mlw: Goal array'vc. Prover result is: Valid. Categorizations of models: - Selected model 0: INCOMPLETE - Concrete RAC: INCOMPLETE (terminated because Precondition of `f` cannot be evaluated) - Abstract RAC: INCOMPLETE (terminated because Precondition of `f` cannot be evaluated) - Checked model 1: INCOMPLETE - Concrete RAC: INCOMPLETE (terminated because Precondition of `f` cannot be evaluated) - Abstract RAC: INCOMPLETE (terminated because Precondition of `f` cannot be evaluated) File "bench/check-ce/jlamp_array_mono.mlw", line 48, characters 4-16: Sub-goal Index in array bounds of goal f'vc. Prover result is: Unknown or time/memory/step limit. The following counterexample model could not be verified (both RAC terminated because Precondition of `f` cannot be evaluated): File jlamp_array_mono.mlw: Line 8: to_int : t -> int = [|{Array.to_int => 2} => 2; {Array.to_int => 3} => 3; _ => 2|] Line 11: two : t = {Array.to_int => 2} Line 14: three : t = {Array.to_int => 3} Line 19: length : array -> int = [|epsilon x. (Array.length x) = 0 => 0; _ => 0|] Line 22: mixfix [] : array -> int -> t = fun x!0 x!1 -> {Array.to_int => 3} Line 28: mixfix [<-] : array -> int -> t -> array = fun x!0 x!1 x!2 -> epsilon x. (Array.length x) = 0 Line 33: a : array = epsilon x. (Array.length x) = 0 Line 44: a : array = epsilon x. (Array.length x) = 0 Line 48: a : array = epsilon x. (Array.length x) = 0 Categorizations of models: - Selected model 0: INCOMPLETE - Concrete RAC: INCOMPLETE (terminated because Precondition of `f` cannot be evaluated) - Abstract RAC: INCOMPLETE (terminated because Precondition of `f` cannot be evaluated) - Checked model 1: INCOMPLETE - Concrete RAC: INCOMPLETE (terminated because Precondition of `f` cannot be evaluated) - Abstract RAC: INCOMPLETE (terminated because Precondition of `f` cannot be evaluated) File "bench/check-ce/jlamp_array_mono.mlw", line 47, characters 14-27: Sub-goal Postcondition of goal f'vc. Prover result is: Unknown or time/memory/step limit. The following counterexample model could not be verified (both RAC terminated because Precondition of `f` cannot be evaluated): File jlamp_array_mono.mlw: Line 8: to_int : t -> int = [|{Array.to_int => 2} => 2; {Array.to_int => 3} => 3; _ => 2|] Line 11: two : t = {Array.to_int => 2} Line 14: three : t = {Array.to_int => 3} Line 19: length : array -> int = [|epsilon x. (Array.length x) = 4 => 4; epsilon x. (Array.length x) = 4 => 4; _ => 4|] Line 28: mixfix [<-] : array -> int -> t -> array = fun x!01 x!11 x!2 -> if x!01 = epsilon x. (Array.length x) = 4 /\ x!11 = 42 /\ x!2 = {Array.to_int => 2} then epsilon x. (Array.length x) = 4 else epsilon x. (Array.length x) = 4 Line 32: a : array = epsilon x. (Array.length x) = 4 Line 34: a : array = epsilon x. (Array.length x) = 4 old a : array = epsilon x. (Array.length x) = 4 Line 44: a : array = epsilon x. (Array.length x) = 4 Line 47: a : array = epsilon x. (Array.length x) = 4 three : t = {Array.to_int => 3} Line 48: a : array = epsilon x. (Array.length x) = 4 File "bench/check-ce/jlamp_array_mono.mlw", line 54, characters 4-16: Sub-goal Index in array bounds of goal g'vc. Prover result is: Valid. Categorizations of models: - Selected model 0: INCOMPLETE - Concrete RAC: INCOMPLETE (terminated because Precondition of `g` cannot be evaluated) - Abstract RAC: INCOMPLETE (terminated because Precondition of `g` cannot be evaluated) - Checked model 1: INCOMPLETE - Concrete RAC: INCOMPLETE (terminated because Precondition of `g` cannot be evaluated) - Abstract RAC: INCOMPLETE (terminated because Precondition of `g` cannot be evaluated) File "bench/check-ce/jlamp_array_mono.mlw", line 53, characters 14-27: Sub-goal Postcondition of goal g'vc. Prover result is: Unknown or time/memory/step limit. The following counterexample model could not be verified (both RAC terminated because Precondition of `g` cannot be evaluated): File jlamp_array_mono.mlw: Line 8: to_int : t -> int = [|{Array.to_int => 2} => 2; {Array.to_int => 3} => 3; _ => 2|] Line 11: two : t = {Array.to_int => 2} Line 14: three : t = {Array.to_int => 3} Line 19: length : array -> int = [|epsilon x. (Array.length x) = 43 => 43; epsilon x. (Array.length x) = 43 => 43; _ => 43|] Line 28: mixfix [<-] : array -> int -> t -> array = fun x!02 x!11 x!2 -> if x!02 = epsilon x. (Array.length x) = 43 /\ x!11 = 42 /\ x!2 = {Array.to_int => 2} then epsilon x. (Array.length x) = 43 else epsilon x. (Array.length x) = 43 Line 32: a : array = epsilon x. (Array.length x) = 43 Line 34: a : array = epsilon x. (Array.length x) = 43 old a : array = epsilon x. (Array.length x) = 43 Line 50: a : array = epsilon x. (Array.length x) = 43 Line 53: a : array = epsilon x. (Array.length x) = 43 three : t = {Array.to_int => 3} Line 54: a : array = epsilon x. (Array.length x) = 43 File "bench/check-ce/jlamp_array_mono.mlw", line 60, characters 4-16: Sub-goal Index in array bounds of goal h'vc. Prover result is: Valid. Categorizations of models: - Selected model 0: INCOMPLETE - Concrete RAC: INCOMPLETE (terminated because Precondition of `h` cannot be evaluated) - Abstract RAC: INCOMPLETE (terminated because Precondition of `h` cannot be evaluated) - Checked model 1: INCOMPLETE - Concrete RAC: INCOMPLETE (terminated because Precondition of `h` cannot be evaluated) - Abstract RAC: INCOMPLETE (terminated because Precondition of `h` cannot be evaluated) File "bench/check-ce/jlamp_array_mono.mlw", line 59, characters 14-27: Sub-goal Postcondition of goal h'vc. Prover result is: Unknown or time/memory/step limit. The following counterexample model could not be verified (both RAC terminated because Precondition of `h` cannot be evaluated): File jlamp_array_mono.mlw: Line 8: to_int : t -> int = [|{Array.to_int => 2} => 2; {Array.to_int => 3} => 3; _ => 2|] Line 11: two : t = {Array.to_int => 2} Line 14: three : t = {Array.to_int => 3} Line 19: length : array -> int = [|epsilon x. (Array.length x) = 43 => 43; epsilon x. (Array.length x) = 43 => 43; _ => 43|] Line 28: mixfix [<-] : array -> int -> t -> array = fun x!03 x!11 x!2 -> if x!03 = epsilon x. (Array.length x) = 43 /\ x!11 = 17 /\ x!2 = {Array.to_int => 2} then epsilon x. (Array.length x) = 43 else epsilon x. (Array.length x) = 43 Line 32: a : array = epsilon x. (Array.length x) = 43 Line 34: a : array = epsilon x. (Array.length x) = 43 old a : array = epsilon x. (Array.length x) = 43 Line 56: a : array = epsilon x. (Array.length x) = 43 Line 59: a : array = epsilon x. (Array.length x) = 43 three : t = {Array.to_int => 3} Line 60: a : array = epsilon x. (Array.length x) = 43 why3-1.6.0/bench/check-ce/oracles/jlamp_array_poly_CVC4,1.8_SP.oracle000066400000000000000000000113061440160026300247750ustar00rootroot00000000000000Categorizations of models: - Checked model 0: INCOMPLETE - Concrete RAC: INCOMPLETE (terminated because Precondition of `f` cannot be evaluated) - Abstract RAC: INCOMPLETE (terminated because Precondition of `f` cannot be evaluated) - Selected model 1: INCOMPLETE - Concrete RAC: INCOMPLETE (terminated because Precondition of `f` cannot be evaluated) - Abstract RAC: INCOMPLETE (terminated because Precondition of `f` cannot be evaluated) File "bench/check-ce/jlamp_array_poly.mlw", line 22, characters 4-16: Sub-goal Index in array bounds of goal f'vc. Prover result is: Unknown or time/memory/step limit. The following counterexample model could not be verified (both RAC terminated because Precondition of `f` cannot be evaluated): File array.mlw: Line 17: length : ty -> uni -> int = fun bOUND_VARIABLE_555 bOUND_VARIABLE_556 -> 0 length : array t -> int = [|_ => 0|] Line 20: mixfix [] : array t -> int -> t = fun bOUND_VARIABLE_589 bOUND_VARIABLE_590 -> {Array.to_int => 3} File jlamp_array_poly.mlw: Line 8: to_int : t -> int = fun bOUND_VARIABLE_698 -> if {Array.to_int => 3} = bOUND_VARIABLE_698 then 3 else 2 Line 11: two : t = {Array.to_int => 2} Line 14: three : t = {Array.to_int => 3} Categorizations of models: - Checked model 0: INCOMPLETE - Concrete RAC: INCOMPLETE (terminated because Precondition of `f` cannot be evaluated) - Abstract RAC: INCOMPLETE (terminated because Precondition of `f` cannot be evaluated) - Selected model 1: INCOMPLETE - Concrete RAC: INCOMPLETE (terminated because Precondition of `f` cannot be evaluated) - Abstract RAC: INCOMPLETE (terminated because Precondition of `f` cannot be evaluated) File "bench/check-ce/jlamp_array_poly.mlw", line 21, characters 14-27: Sub-goal Postcondition of goal f'vc. Prover result is: Unknown or time/memory/step limit. The following counterexample model could not be verified (both RAC terminated because Precondition of `f` cannot be evaluated): File array.mlw: Line 17: length : ty -> uni -> int = fun bOUND_VARIABLE_622 bOUND_VARIABLE_623 -> 0 length : array t -> int = [|_ => 0|] File jlamp_array_poly.mlw: Line 8: to_int : t -> int = fun bOUND_VARIABLE_773 -> if {Array.to_int => 3} = bOUND_VARIABLE_773 then 3 else 2 Line 11: two : t = {Array.to_int => 2} Line 14: three : t = {Array.to_int => 3} Line 21: three : t = {Array.to_int => 3} File "bench/check-ce/jlamp_array_poly.mlw", line 28, characters 4-16: Sub-goal Index in array bounds of goal g'vc. Prover result is: Valid. Categorizations of models: - Checked model 0: BAD_CE - Concrete RAC: STUCK (failure in precondition of `g` at "bench/check-ce/jlamp_array_poly.mlw", line 24, characters 6-7) - Abstract RAC: STUCK (failure in precondition of `g` at "bench/check-ce/jlamp_array_poly.mlw", line 24, characters 6-7) - Selected model 1: BAD_CE - Concrete RAC: STUCK (failure in precondition of `g` at "bench/check-ce/jlamp_array_poly.mlw", line 24, characters 6-7) - Abstract RAC: STUCK (failure in precondition of `g` at "bench/check-ce/jlamp_array_poly.mlw", line 24, characters 6-7) - Checked model 2: BAD_CE - Concrete RAC: STUCK (failure in precondition of `g` at "bench/check-ce/jlamp_array_poly.mlw", line 24, characters 6-7) - Abstract RAC: STUCK (failure in precondition of `g` at "bench/check-ce/jlamp_array_poly.mlw", line 24, characters 6-7) File "bench/check-ce/jlamp_array_poly.mlw", line 27, characters 14-27: Sub-goal Postcondition of goal g'vc. Prover result is: Unknown or time/memory/step limit. Sorry, we don't have a good counterexample for you :( File "bench/check-ce/jlamp_array_poly.mlw", line 34, characters 4-16: Sub-goal Index in array bounds of goal h'vc. Prover result is: Valid. Categorizations of models: - Checked model 0: BAD_CE - Concrete RAC: STUCK (failure in precondition of `h` at "bench/check-ce/jlamp_array_poly.mlw", line 30, characters 6-7) - Abstract RAC: STUCK (failure in precondition of `h` at "bench/check-ce/jlamp_array_poly.mlw", line 30, characters 6-7) - Selected model 1: BAD_CE - Concrete RAC: STUCK (failure in precondition of `h` at "bench/check-ce/jlamp_array_poly.mlw", line 30, characters 6-7) - Abstract RAC: STUCK (failure in precondition of `h` at "bench/check-ce/jlamp_array_poly.mlw", line 30, characters 6-7) File "bench/check-ce/jlamp_array_poly.mlw", line 33, characters 14-27: Sub-goal Postcondition of goal h'vc. Prover result is: Unknown or time/memory/step limit. Sorry, we don't have a good counterexample for you :( why3-1.6.0/bench/check-ce/oracles/jlamp_array_poly_CVC4,1.8_WP.oracle000066400000000000000000000113061440160026300250010ustar00rootroot00000000000000Categorizations of models: - Checked model 0: INCOMPLETE - Concrete RAC: INCOMPLETE (terminated because Precondition of `f` cannot be evaluated) - Abstract RAC: INCOMPLETE (terminated because Precondition of `f` cannot be evaluated) - Selected model 1: INCOMPLETE - Concrete RAC: INCOMPLETE (terminated because Precondition of `f` cannot be evaluated) - Abstract RAC: INCOMPLETE (terminated because Precondition of `f` cannot be evaluated) File "bench/check-ce/jlamp_array_poly.mlw", line 22, characters 4-16: Sub-goal Index in array bounds of goal f'vc. Prover result is: Unknown or time/memory/step limit. The following counterexample model could not be verified (both RAC terminated because Precondition of `f` cannot be evaluated): File array.mlw: Line 17: length : ty -> uni -> int = fun bOUND_VARIABLE_555 bOUND_VARIABLE_556 -> 0 length : array t -> int = [|_ => 0|] Line 20: mixfix [] : array t -> int -> t = fun bOUND_VARIABLE_589 bOUND_VARIABLE_590 -> {Array.to_int => 3} File jlamp_array_poly.mlw: Line 8: to_int : t -> int = fun bOUND_VARIABLE_698 -> if {Array.to_int => 3} = bOUND_VARIABLE_698 then 3 else 2 Line 11: two : t = {Array.to_int => 2} Line 14: three : t = {Array.to_int => 3} Categorizations of models: - Checked model 0: INCOMPLETE - Concrete RAC: INCOMPLETE (terminated because Precondition of `f` cannot be evaluated) - Abstract RAC: INCOMPLETE (terminated because Precondition of `f` cannot be evaluated) - Selected model 1: INCOMPLETE - Concrete RAC: INCOMPLETE (terminated because Precondition of `f` cannot be evaluated) - Abstract RAC: INCOMPLETE (terminated because Precondition of `f` cannot be evaluated) File "bench/check-ce/jlamp_array_poly.mlw", line 21, characters 14-27: Sub-goal Postcondition of goal f'vc. Prover result is: Unknown or time/memory/step limit. The following counterexample model could not be verified (both RAC terminated because Precondition of `f` cannot be evaluated): File array.mlw: Line 17: length : ty -> uni -> int = fun bOUND_VARIABLE_622 bOUND_VARIABLE_623 -> 0 length : array t -> int = [|_ => 0|] File jlamp_array_poly.mlw: Line 8: to_int : t -> int = fun bOUND_VARIABLE_773 -> if {Array.to_int => 3} = bOUND_VARIABLE_773 then 3 else 2 Line 11: two : t = {Array.to_int => 2} Line 14: three : t = {Array.to_int => 3} Line 21: three : t = {Array.to_int => 3} File "bench/check-ce/jlamp_array_poly.mlw", line 28, characters 4-16: Sub-goal Index in array bounds of goal g'vc. Prover result is: Valid. Categorizations of models: - Checked model 0: BAD_CE - Concrete RAC: STUCK (failure in precondition of `g` at "bench/check-ce/jlamp_array_poly.mlw", line 24, characters 6-7) - Abstract RAC: STUCK (failure in precondition of `g` at "bench/check-ce/jlamp_array_poly.mlw", line 24, characters 6-7) - Selected model 1: BAD_CE - Concrete RAC: STUCK (failure in precondition of `g` at "bench/check-ce/jlamp_array_poly.mlw", line 24, characters 6-7) - Abstract RAC: STUCK (failure in precondition of `g` at "bench/check-ce/jlamp_array_poly.mlw", line 24, characters 6-7) - Checked model 2: BAD_CE - Concrete RAC: STUCK (failure in precondition of `g` at "bench/check-ce/jlamp_array_poly.mlw", line 24, characters 6-7) - Abstract RAC: STUCK (failure in precondition of `g` at "bench/check-ce/jlamp_array_poly.mlw", line 24, characters 6-7) File "bench/check-ce/jlamp_array_poly.mlw", line 27, characters 14-27: Sub-goal Postcondition of goal g'vc. Prover result is: Unknown or time/memory/step limit. Sorry, we don't have a good counterexample for you :( File "bench/check-ce/jlamp_array_poly.mlw", line 34, characters 4-16: Sub-goal Index in array bounds of goal h'vc. Prover result is: Valid. Categorizations of models: - Checked model 0: BAD_CE - Concrete RAC: STUCK (failure in precondition of `h` at "bench/check-ce/jlamp_array_poly.mlw", line 30, characters 6-7) - Abstract RAC: STUCK (failure in precondition of `h` at "bench/check-ce/jlamp_array_poly.mlw", line 30, characters 6-7) - Selected model 1: BAD_CE - Concrete RAC: STUCK (failure in precondition of `h` at "bench/check-ce/jlamp_array_poly.mlw", line 30, characters 6-7) - Abstract RAC: STUCK (failure in precondition of `h` at "bench/check-ce/jlamp_array_poly.mlw", line 30, characters 6-7) File "bench/check-ce/jlamp_array_poly.mlw", line 33, characters 14-27: Sub-goal Postcondition of goal h'vc. Prover result is: Unknown or time/memory/step limit. Sorry, we don't have a good counterexample for you :( why3-1.6.0/bench/check-ce/oracles/jlamp_array_poly_CVC5,1.0.0_SP.oracle000066400000000000000000000105301440160026300251220ustar00rootroot00000000000000Categorizations of models: - Checked model 0: INCOMPLETE - Concrete RAC: INCOMPLETE (terminated because Precondition of `f` cannot be evaluated) - Abstract RAC: INCOMPLETE (terminated because Precondition of `f` cannot be evaluated) - Selected model 1: INCOMPLETE - Concrete RAC: INCOMPLETE (terminated because Precondition of `f` cannot be evaluated) - Abstract RAC: INCOMPLETE (terminated because Precondition of `f` cannot be evaluated) File "bench/check-ce/jlamp_array_poly.mlw", line 22, characters 4-16: Sub-goal Index in array bounds of goal f'vc. Prover result is: Unknown or time/memory/step limit. The following counterexample model could not be verified (both RAC terminated because Precondition of `f` cannot be evaluated): File array.mlw: Line 17: length : ty -> uni -> int = fun bOUND_VARIABLE_1630 bOUND_VARIABLE_1631 -> 0 length : array t -> int = [|_ => 0|] Line 20: mixfix [] : array t -> int -> t = fun _arg_1 _arg_2 -> {Array.to_int => 3} File jlamp_array_poly.mlw: Line 8: to_int : t -> int = fun _arg_1 -> if {Array.to_int => 3} = _arg_1 then 3 else 2 Line 11: two : t = {Array.to_int => 2} Line 14: three : t = {Array.to_int => 3} Categorizations of models: - Checked model 0: INCOMPLETE - Concrete RAC: INCOMPLETE (terminated because Precondition of `f` cannot be evaluated) - Abstract RAC: INCOMPLETE (terminated because Precondition of `f` cannot be evaluated) - Selected model 1: INCOMPLETE - Concrete RAC: INCOMPLETE (terminated because Precondition of `f` cannot be evaluated) - Abstract RAC: INCOMPLETE (terminated because Precondition of `f` cannot be evaluated) File "bench/check-ce/jlamp_array_poly.mlw", line 21, characters 14-27: Sub-goal Postcondition of goal f'vc. Prover result is: Unknown or time/memory/step limit. The following counterexample model could not be verified (both RAC terminated because Precondition of `f` cannot be evaluated): File array.mlw: Line 17: length : ty -> uni -> int = fun bOUND_VARIABLE_1621 bOUND_VARIABLE_1622 -> 0 length : array t -> int = [|_ => 0|] File jlamp_array_poly.mlw: Line 8: to_int : t -> int = fun _arg_1 -> if {Array.to_int => 3} = _arg_1 then 3 else 2 Line 11: two : t = {Array.to_int => 2} Line 14: three : t = {Array.to_int => 3} Line 21: three : t = {Array.to_int => 3} File "bench/check-ce/jlamp_array_poly.mlw", line 28, characters 4-16: Sub-goal Index in array bounds of goal g'vc. Prover result is: Valid. Categorizations of models: - Selected model 0: BAD_CE - Concrete RAC: STUCK (failure in precondition of `g` at "bench/check-ce/jlamp_array_poly.mlw", line 24, characters 6-7) - Abstract RAC: STUCK (failure in precondition of `g` at "bench/check-ce/jlamp_array_poly.mlw", line 24, characters 6-7) - Checked model 1: BAD_CE - Concrete RAC: STUCK (failure in precondition of `g` at "bench/check-ce/jlamp_array_poly.mlw", line 24, characters 6-7) - Abstract RAC: STUCK (failure in precondition of `g` at "bench/check-ce/jlamp_array_poly.mlw", line 24, characters 6-7) File "bench/check-ce/jlamp_array_poly.mlw", line 27, characters 14-27: Sub-goal Postcondition of goal g'vc. Prover result is: Unknown or time/memory/step limit. Sorry, we don't have a good counterexample for you :( File "bench/check-ce/jlamp_array_poly.mlw", line 34, characters 4-16: Sub-goal Index in array bounds of goal h'vc. Prover result is: Valid. Categorizations of models: - Checked model 0: BAD_CE - Concrete RAC: STUCK (failure in precondition of `h` at "bench/check-ce/jlamp_array_poly.mlw", line 30, characters 6-7) - Abstract RAC: STUCK (failure in precondition of `h` at "bench/check-ce/jlamp_array_poly.mlw", line 30, characters 6-7) - Selected model 1: BAD_CE - Concrete RAC: STUCK (failure in precondition of `h` at "bench/check-ce/jlamp_array_poly.mlw", line 30, characters 6-7) - Abstract RAC: STUCK (failure in precondition of `h` at "bench/check-ce/jlamp_array_poly.mlw", line 30, characters 6-7) File "bench/check-ce/jlamp_array_poly.mlw", line 33, characters 14-27: Sub-goal Postcondition of goal h'vc. Prover result is: Unknown or time/memory/step limit. Sorry, we don't have a good counterexample for you :( why3-1.6.0/bench/check-ce/oracles/jlamp_array_poly_CVC5,1.0.0_WP.oracle000066400000000000000000000105301440160026300251260ustar00rootroot00000000000000Categorizations of models: - Checked model 0: INCOMPLETE - Concrete RAC: INCOMPLETE (terminated because Precondition of `f` cannot be evaluated) - Abstract RAC: INCOMPLETE (terminated because Precondition of `f` cannot be evaluated) - Selected model 1: INCOMPLETE - Concrete RAC: INCOMPLETE (terminated because Precondition of `f` cannot be evaluated) - Abstract RAC: INCOMPLETE (terminated because Precondition of `f` cannot be evaluated) File "bench/check-ce/jlamp_array_poly.mlw", line 22, characters 4-16: Sub-goal Index in array bounds of goal f'vc. Prover result is: Unknown or time/memory/step limit. The following counterexample model could not be verified (both RAC terminated because Precondition of `f` cannot be evaluated): File array.mlw: Line 17: length : ty -> uni -> int = fun bOUND_VARIABLE_1630 bOUND_VARIABLE_1631 -> 0 length : array t -> int = [|_ => 0|] Line 20: mixfix [] : array t -> int -> t = fun _arg_1 _arg_2 -> {Array.to_int => 3} File jlamp_array_poly.mlw: Line 8: to_int : t -> int = fun _arg_1 -> if {Array.to_int => 3} = _arg_1 then 3 else 2 Line 11: two : t = {Array.to_int => 2} Line 14: three : t = {Array.to_int => 3} Categorizations of models: - Checked model 0: INCOMPLETE - Concrete RAC: INCOMPLETE (terminated because Precondition of `f` cannot be evaluated) - Abstract RAC: INCOMPLETE (terminated because Precondition of `f` cannot be evaluated) - Selected model 1: INCOMPLETE - Concrete RAC: INCOMPLETE (terminated because Precondition of `f` cannot be evaluated) - Abstract RAC: INCOMPLETE (terminated because Precondition of `f` cannot be evaluated) File "bench/check-ce/jlamp_array_poly.mlw", line 21, characters 14-27: Sub-goal Postcondition of goal f'vc. Prover result is: Unknown or time/memory/step limit. The following counterexample model could not be verified (both RAC terminated because Precondition of `f` cannot be evaluated): File array.mlw: Line 17: length : ty -> uni -> int = fun bOUND_VARIABLE_1621 bOUND_VARIABLE_1622 -> 0 length : array t -> int = [|_ => 0|] File jlamp_array_poly.mlw: Line 8: to_int : t -> int = fun _arg_1 -> if {Array.to_int => 3} = _arg_1 then 3 else 2 Line 11: two : t = {Array.to_int => 2} Line 14: three : t = {Array.to_int => 3} Line 21: three : t = {Array.to_int => 3} File "bench/check-ce/jlamp_array_poly.mlw", line 28, characters 4-16: Sub-goal Index in array bounds of goal g'vc. Prover result is: Valid. Categorizations of models: - Selected model 0: BAD_CE - Concrete RAC: STUCK (failure in precondition of `g` at "bench/check-ce/jlamp_array_poly.mlw", line 24, characters 6-7) - Abstract RAC: STUCK (failure in precondition of `g` at "bench/check-ce/jlamp_array_poly.mlw", line 24, characters 6-7) - Checked model 1: BAD_CE - Concrete RAC: STUCK (failure in precondition of `g` at "bench/check-ce/jlamp_array_poly.mlw", line 24, characters 6-7) - Abstract RAC: STUCK (failure in precondition of `g` at "bench/check-ce/jlamp_array_poly.mlw", line 24, characters 6-7) File "bench/check-ce/jlamp_array_poly.mlw", line 27, characters 14-27: Sub-goal Postcondition of goal g'vc. Prover result is: Unknown or time/memory/step limit. Sorry, we don't have a good counterexample for you :( File "bench/check-ce/jlamp_array_poly.mlw", line 34, characters 4-16: Sub-goal Index in array bounds of goal h'vc. Prover result is: Valid. Categorizations of models: - Checked model 0: BAD_CE - Concrete RAC: STUCK (failure in precondition of `h` at "bench/check-ce/jlamp_array_poly.mlw", line 30, characters 6-7) - Abstract RAC: STUCK (failure in precondition of `h` at "bench/check-ce/jlamp_array_poly.mlw", line 30, characters 6-7) - Selected model 1: BAD_CE - Concrete RAC: STUCK (failure in precondition of `h` at "bench/check-ce/jlamp_array_poly.mlw", line 30, characters 6-7) - Abstract RAC: STUCK (failure in precondition of `h` at "bench/check-ce/jlamp_array_poly.mlw", line 30, characters 6-7) File "bench/check-ce/jlamp_array_poly.mlw", line 33, characters 14-27: Sub-goal Postcondition of goal h'vc. Prover result is: Unknown or time/memory/step limit. Sorry, we don't have a good counterexample for you :( why3-1.6.0/bench/check-ce/oracles/jlamp_array_poly_Z3,4.8.10_SP.oracle000066400000000000000000000077111440160026300250210ustar00rootroot00000000000000Categorizations of models: - Checked model 0: INCOMPLETE - Concrete RAC: INCOMPLETE (terminated because Precondition of `f` cannot be evaluated) - Abstract RAC: INCOMPLETE (terminated because Precondition of `f` cannot be evaluated) - Selected model 1: INCOMPLETE - Concrete RAC: INCOMPLETE (terminated because Precondition of `f` cannot be evaluated) - Abstract RAC: INCOMPLETE (terminated because Precondition of `f` cannot be evaluated) File "bench/check-ce/jlamp_array_poly.mlw", line 22, characters 4-16: Sub-goal Index in array bounds of goal f'vc. Prover result is: Unknown or time/memory/step limit. The following counterexample model could not be verified (both RAC terminated because Precondition of `f` cannot be evaluated): File jlamp_array_poly.mlw: Line 8: to_int : t -> int = [|{Array.to_int => 2} => 2; {Array.to_int => 3} => 3; _ => 2|] Line 11: two : t = {Array.to_int => 2} Line 14: three : t = {Array.to_int => 3} Categorizations of models: - Selected model 0: INCOMPLETE - Concrete RAC: INCOMPLETE (terminated because Precondition of `f` cannot be evaluated) - Abstract RAC: INCOMPLETE (terminated because Precondition of `f` cannot be evaluated) - Checked model 1: INCOMPLETE - Concrete RAC: INCOMPLETE (terminated because Precondition of `f` cannot be evaluated) - Abstract RAC: INCOMPLETE (terminated because Precondition of `f` cannot be evaluated) File "bench/check-ce/jlamp_array_poly.mlw", line 21, characters 14-27: Sub-goal Postcondition of goal f'vc. Prover result is: Unknown or time/memory/step limit. The following counterexample model could not be verified (both RAC terminated because Precondition of `f` cannot be evaluated): File array.mlw: Line 17: length : ty -> uni -> int = fun x!024 x!11 -> 0 File jlamp_array_poly.mlw: Line 8: to_int : t -> int = [|{Array.to_int => 2} => 2; {Array.to_int => 3} => 3; _ => 2|] Line 11: two : t = {Array.to_int => 2} Line 14: three : t = {Array.to_int => 3} Line 21: three : t = {Array.to_int => 3} File "bench/check-ce/jlamp_array_poly.mlw", line 28, characters 4-16: Sub-goal Index in array bounds of goal g'vc. Prover result is: Valid. Categorizations of models: - Selected model 0: BAD_CE - Concrete RAC: STUCK (failure in precondition of `g` at "bench/check-ce/jlamp_array_poly.mlw", line 24, characters 6-7) - Abstract RAC: STUCK (failure in precondition of `g` at "bench/check-ce/jlamp_array_poly.mlw", line 24, characters 6-7) - Checked model 1: BAD_CE - Concrete RAC: STUCK (failure in precondition of `g` at "bench/check-ce/jlamp_array_poly.mlw", line 24, characters 6-7) - Abstract RAC: STUCK (failure in precondition of `g` at "bench/check-ce/jlamp_array_poly.mlw", line 24, characters 6-7) File "bench/check-ce/jlamp_array_poly.mlw", line 27, characters 14-27: Sub-goal Postcondition of goal g'vc. Prover result is: Unknown or time/memory/step limit. Sorry, we don't have a good counterexample for you :( File "bench/check-ce/jlamp_array_poly.mlw", line 34, characters 4-16: Sub-goal Index in array bounds of goal h'vc. Prover result is: Valid. Categorizations of models: - Selected model 0: BAD_CE - Concrete RAC: STUCK (failure in precondition of `h` at "bench/check-ce/jlamp_array_poly.mlw", line 30, characters 6-7) - Abstract RAC: STUCK (failure in precondition of `h` at "bench/check-ce/jlamp_array_poly.mlw", line 30, characters 6-7) - Checked model 1: BAD_CE - Concrete RAC: STUCK (failure in precondition of `h` at "bench/check-ce/jlamp_array_poly.mlw", line 30, characters 6-7) - Abstract RAC: STUCK (failure in precondition of `h` at "bench/check-ce/jlamp_array_poly.mlw", line 30, characters 6-7) File "bench/check-ce/jlamp_array_poly.mlw", line 33, characters 14-27: Sub-goal Postcondition of goal h'vc. Prover result is: Unknown or time/memory/step limit. Sorry, we don't have a good counterexample for you :( why3-1.6.0/bench/check-ce/oracles/jlamp_array_poly_Z3,4.8.10_WP.oracle000066400000000000000000000077111440160026300250250ustar00rootroot00000000000000Categorizations of models: - Checked model 0: INCOMPLETE - Concrete RAC: INCOMPLETE (terminated because Precondition of `f` cannot be evaluated) - Abstract RAC: INCOMPLETE (terminated because Precondition of `f` cannot be evaluated) - Selected model 1: INCOMPLETE - Concrete RAC: INCOMPLETE (terminated because Precondition of `f` cannot be evaluated) - Abstract RAC: INCOMPLETE (terminated because Precondition of `f` cannot be evaluated) File "bench/check-ce/jlamp_array_poly.mlw", line 22, characters 4-16: Sub-goal Index in array bounds of goal f'vc. Prover result is: Unknown or time/memory/step limit. The following counterexample model could not be verified (both RAC terminated because Precondition of `f` cannot be evaluated): File jlamp_array_poly.mlw: Line 8: to_int : t -> int = [|{Array.to_int => 2} => 2; {Array.to_int => 3} => 3; _ => 2|] Line 11: two : t = {Array.to_int => 2} Line 14: three : t = {Array.to_int => 3} Categorizations of models: - Selected model 0: INCOMPLETE - Concrete RAC: INCOMPLETE (terminated because Precondition of `f` cannot be evaluated) - Abstract RAC: INCOMPLETE (terminated because Precondition of `f` cannot be evaluated) - Checked model 1: INCOMPLETE - Concrete RAC: INCOMPLETE (terminated because Precondition of `f` cannot be evaluated) - Abstract RAC: INCOMPLETE (terminated because Precondition of `f` cannot be evaluated) File "bench/check-ce/jlamp_array_poly.mlw", line 21, characters 14-27: Sub-goal Postcondition of goal f'vc. Prover result is: Unknown or time/memory/step limit. The following counterexample model could not be verified (both RAC terminated because Precondition of `f` cannot be evaluated): File array.mlw: Line 17: length : ty -> uni -> int = fun x!024 x!11 -> 0 File jlamp_array_poly.mlw: Line 8: to_int : t -> int = [|{Array.to_int => 2} => 2; {Array.to_int => 3} => 3; _ => 2|] Line 11: two : t = {Array.to_int => 2} Line 14: three : t = {Array.to_int => 3} Line 21: three : t = {Array.to_int => 3} File "bench/check-ce/jlamp_array_poly.mlw", line 28, characters 4-16: Sub-goal Index in array bounds of goal g'vc. Prover result is: Valid. Categorizations of models: - Selected model 0: BAD_CE - Concrete RAC: STUCK (failure in precondition of `g` at "bench/check-ce/jlamp_array_poly.mlw", line 24, characters 6-7) - Abstract RAC: STUCK (failure in precondition of `g` at "bench/check-ce/jlamp_array_poly.mlw", line 24, characters 6-7) - Checked model 1: BAD_CE - Concrete RAC: STUCK (failure in precondition of `g` at "bench/check-ce/jlamp_array_poly.mlw", line 24, characters 6-7) - Abstract RAC: STUCK (failure in precondition of `g` at "bench/check-ce/jlamp_array_poly.mlw", line 24, characters 6-7) File "bench/check-ce/jlamp_array_poly.mlw", line 27, characters 14-27: Sub-goal Postcondition of goal g'vc. Prover result is: Unknown or time/memory/step limit. Sorry, we don't have a good counterexample for you :( File "bench/check-ce/jlamp_array_poly.mlw", line 34, characters 4-16: Sub-goal Index in array bounds of goal h'vc. Prover result is: Valid. Categorizations of models: - Selected model 0: BAD_CE - Concrete RAC: STUCK (failure in precondition of `h` at "bench/check-ce/jlamp_array_poly.mlw", line 30, characters 6-7) - Abstract RAC: STUCK (failure in precondition of `h` at "bench/check-ce/jlamp_array_poly.mlw", line 30, characters 6-7) - Checked model 1: BAD_CE - Concrete RAC: STUCK (failure in precondition of `h` at "bench/check-ce/jlamp_array_poly.mlw", line 30, characters 6-7) - Abstract RAC: STUCK (failure in precondition of `h` at "bench/check-ce/jlamp_array_poly.mlw", line 30, characters 6-7) File "bench/check-ce/jlamp_array_poly.mlw", line 33, characters 14-27: Sub-goal Postcondition of goal h'vc. Prover result is: Unknown or time/memory/step limit. Sorry, we don't have a good counterexample for you :( why3-1.6.0/bench/check-ce/oracles/jlamp_projections_CVC4,1.8_SP.oracle000066400000000000000000000137261440160026300251630ustar00rootroot00000000000000File "bench/check-ce/jlamp_projections.mlw", line 29, characters 8-18: Sub-goal Precondition of goal p3'vc. Prover result is: Valid. Categorizations of models: - Checked model 0: BAD_CE - Concrete RAC: NORMAL - Abstract RAC: NORMAL - Selected model 1: NC - Concrete RAC: FAILURE (precondition at "bench/check-ce/jlamp_projections.mlw", line 29, characters 2-18) - Abstract RAC: FAILURE (precondition at "bench/check-ce/jlamp_projections.mlw", line 29, characters 2-18) File "bench/check-ce/jlamp_projections.mlw", line 29, characters 2-18: Sub-goal Integer overflow of goal p3'vc. Prover result is: Unknown or time/memory/step limit. The program does not comply to the verification goal, for example during the following execution: File int.mlw: Line 13: Constant zero initialization zero = 0 Line 14: Constant one initialization one = 1 File jlamp_projections.mlw: Line 7: to_int = fun (bOUND_VARIABLE_394:byte) -> if (epsilon x:byte. to_int x = 1) = bOUND_VARIABLE_394 then 1 else 127 Line 28: a = epsilon x:byte. to_int x = 127 a = epsilon x:byte. to_int x = 127 Execution of main function `p3` with env: to_int = fun (bOUND_VARIABLE_394:byte) -> if (epsilon x:byte. to_int x = 1) = bOUND_VARIABLE_394 then 1 else 127 a = epsilon x:byte. to_int x = 127 zero = 0 one = 1 Line 29: (giant-step) execution of unimplemented function `of_int` x = 1 result of `of_int` = epsilon x:byte. to_int x = 1 (giant-step) execution of unimplemented function `add` x = epsilon x:byte. to_int x = 127 y = epsilon x:byte. to_int x = 1 Property failure at precondition of `add` with: x = epsilon x:byte. to_int x = 127 y = epsilon x:byte. to_int x = 1 File "bench/check-ce/jlamp_projections.mlw", line 42, characters 14-24: Sub-goal Precondition of goal p3'vc. Prover result is: Valid. Categorizations of models: - Checked model 0: BAD_CE - Concrete RAC: NORMAL - Abstract RAC: NORMAL - Selected model 1: NC - Concrete RAC: FAILURE (precondition at "bench/check-ce/jlamp_projections.mlw", line 42, characters 7-24) - Abstract RAC: FAILURE (precondition at "bench/check-ce/jlamp_projections.mlw", line 42, characters 7-24) File "bench/check-ce/jlamp_projections.mlw", line 42, characters 7-24: Sub-goal Integer overflow of goal p3'vc. Prover result is: Unknown or time/memory/step limit. The program does not comply to the verification goal, for example during the following execution: File int.mlw: Line 13: Constant zero initialization zero = 0 Line 14: Constant one initialization one = 1 File jlamp_projections.mlw: Line 7: to_int = fun (bOUND_VARIABLE_398:byte) -> if (epsilon x:byte. to_int x = 1) = bOUND_VARIABLE_398 then 1 else 127 Line 41: a = {contents= epsilon x:byte. to_int x = 127} a = {contents= epsilon x:byte. to_int x = 127} Execution of main function `p3` with env: to_int = fun (bOUND_VARIABLE_398:byte) -> if (epsilon x:byte. to_int x = 1) = bOUND_VARIABLE_398 then 1 else 127 a = {contents= epsilon x:byte. to_int x = 127} zero = 0 one = 1 Line 42: (giant-step) execution of unimplemented function `of_int` x = 1 result of `of_int` = epsilon x:byte. to_int x = 1 Normal execution of function `(!)` with args: r = {contents= epsilon x:byte. to_int x = 127} File ref.mlw: Line 18: Normal execution of function `contents` with args: arg = {contents= epsilon x:byte. to_int x = 127} File jlamp_projections.mlw: Line 42: (giant-step) execution of unimplemented function `add` x = epsilon x:byte. to_int x = 127 y = epsilon x:byte. to_int x = 1 Property failure at precondition of `add` with: x = epsilon x:byte. to_int x = 127 y = epsilon x:byte. to_int x = 1 File "bench/check-ce/jlamp_projections.mlw", line 54, characters 29-39: Sub-goal Precondition of goal p4'vc. Prover result is: Valid. Categorizations of models: - Checked model 0: BAD_CE - Concrete RAC: NORMAL - Abstract RAC: NORMAL - Selected model 1: NC - Concrete RAC: FAILURE (precondition at "bench/check-ce/jlamp_projections.mlw", line 54, characters 21-39) - Abstract RAC: FAILURE (precondition at "bench/check-ce/jlamp_projections.mlw", line 54, characters 21-39) File "bench/check-ce/jlamp_projections.mlw", line 54, characters 21-39: Sub-goal Integer overflow of goal p4'vc. Prover result is: Unknown or time/memory/step limit. The program does not comply to the verification goal, for example during the following execution: File int.mlw: Line 13: Constant zero initialization zero = 0 Line 14: Constant one initialization one = 1 File jlamp_projections.mlw: Line 7: to_int = fun (bOUND_VARIABLE_487:byte) -> if (epsilon x:byte. to_int x = 1) = bOUND_VARIABLE_487 then 1 else 127 Line 53: b = {f= epsilon x:byte. to_int x = 127; g= true} b = {f= epsilon x:byte. to_int x = 127; g= true} Execution of main function `p4` with env: to_int = fun (bOUND_VARIABLE_487:byte) -> if (epsilon x:byte. to_int x = 1) = bOUND_VARIABLE_487 then 1 else 127 b = {f= epsilon x:byte. to_int x = 127; g= true} zero = 0 one = 1 Line 54: Normal execution of function `g` with args: arg = {f= epsilon x:byte. to_int x = 127; g= true} (giant-step) execution of unimplemented function `of_int` x = 1 result of `of_int` = epsilon x:byte. to_int x = 1 Normal execution of function `f` with args: arg = {f= epsilon x:byte. to_int x = 127; g= true} (giant-step) execution of unimplemented function `add` x = epsilon x:byte. to_int x = 127 y = epsilon x:byte. to_int x = 1 Property failure at precondition of `add` with: x = epsilon x:byte. to_int x = 127 y = epsilon x:byte. to_int x = 1 why3-1.6.0/bench/check-ce/oracles/jlamp_projections_CVC4,1.8_WP.oracle000066400000000000000000000137261440160026300251670ustar00rootroot00000000000000File "bench/check-ce/jlamp_projections.mlw", line 29, characters 8-18: Sub-goal Precondition of goal p3'vc. Prover result is: Valid. Categorizations of models: - Checked model 0: BAD_CE - Concrete RAC: NORMAL - Abstract RAC: NORMAL - Selected model 1: NC - Concrete RAC: FAILURE (precondition at "bench/check-ce/jlamp_projections.mlw", line 29, characters 2-18) - Abstract RAC: FAILURE (precondition at "bench/check-ce/jlamp_projections.mlw", line 29, characters 2-18) File "bench/check-ce/jlamp_projections.mlw", line 29, characters 2-18: Sub-goal Integer overflow of goal p3'vc. Prover result is: Unknown or time/memory/step limit. The program does not comply to the verification goal, for example during the following execution: File int.mlw: Line 13: Constant zero initialization zero = 0 Line 14: Constant one initialization one = 1 File jlamp_projections.mlw: Line 7: to_int = fun (bOUND_VARIABLE_394:byte) -> if (epsilon x:byte. to_int x = 1) = bOUND_VARIABLE_394 then 1 else 127 Line 28: a = epsilon x:byte. to_int x = 127 a = epsilon x:byte. to_int x = 127 Execution of main function `p3` with env: to_int = fun (bOUND_VARIABLE_394:byte) -> if (epsilon x:byte. to_int x = 1) = bOUND_VARIABLE_394 then 1 else 127 a = epsilon x:byte. to_int x = 127 zero = 0 one = 1 Line 29: (giant-step) execution of unimplemented function `of_int` x = 1 result of `of_int` = epsilon x:byte. to_int x = 1 (giant-step) execution of unimplemented function `add` x = epsilon x:byte. to_int x = 127 y = epsilon x:byte. to_int x = 1 Property failure at precondition of `add` with: x = epsilon x:byte. to_int x = 127 y = epsilon x:byte. to_int x = 1 File "bench/check-ce/jlamp_projections.mlw", line 42, characters 14-24: Sub-goal Precondition of goal p3'vc. Prover result is: Valid. Categorizations of models: - Checked model 0: BAD_CE - Concrete RAC: NORMAL - Abstract RAC: NORMAL - Selected model 1: NC - Concrete RAC: FAILURE (precondition at "bench/check-ce/jlamp_projections.mlw", line 42, characters 7-24) - Abstract RAC: FAILURE (precondition at "bench/check-ce/jlamp_projections.mlw", line 42, characters 7-24) File "bench/check-ce/jlamp_projections.mlw", line 42, characters 7-24: Sub-goal Integer overflow of goal p3'vc. Prover result is: Unknown or time/memory/step limit. The program does not comply to the verification goal, for example during the following execution: File int.mlw: Line 13: Constant zero initialization zero = 0 Line 14: Constant one initialization one = 1 File jlamp_projections.mlw: Line 7: to_int = fun (bOUND_VARIABLE_398:byte) -> if (epsilon x:byte. to_int x = 1) = bOUND_VARIABLE_398 then 1 else 127 Line 41: a = {contents= epsilon x:byte. to_int x = 127} a = {contents= epsilon x:byte. to_int x = 127} Execution of main function `p3` with env: to_int = fun (bOUND_VARIABLE_398:byte) -> if (epsilon x:byte. to_int x = 1) = bOUND_VARIABLE_398 then 1 else 127 a = {contents= epsilon x:byte. to_int x = 127} zero = 0 one = 1 Line 42: (giant-step) execution of unimplemented function `of_int` x = 1 result of `of_int` = epsilon x:byte. to_int x = 1 Normal execution of function `(!)` with args: r = {contents= epsilon x:byte. to_int x = 127} File ref.mlw: Line 18: Normal execution of function `contents` with args: arg = {contents= epsilon x:byte. to_int x = 127} File jlamp_projections.mlw: Line 42: (giant-step) execution of unimplemented function `add` x = epsilon x:byte. to_int x = 127 y = epsilon x:byte. to_int x = 1 Property failure at precondition of `add` with: x = epsilon x:byte. to_int x = 127 y = epsilon x:byte. to_int x = 1 File "bench/check-ce/jlamp_projections.mlw", line 54, characters 29-39: Sub-goal Precondition of goal p4'vc. Prover result is: Valid. Categorizations of models: - Checked model 0: BAD_CE - Concrete RAC: NORMAL - Abstract RAC: NORMAL - Selected model 1: NC - Concrete RAC: FAILURE (precondition at "bench/check-ce/jlamp_projections.mlw", line 54, characters 21-39) - Abstract RAC: FAILURE (precondition at "bench/check-ce/jlamp_projections.mlw", line 54, characters 21-39) File "bench/check-ce/jlamp_projections.mlw", line 54, characters 21-39: Sub-goal Integer overflow of goal p4'vc. Prover result is: Unknown or time/memory/step limit. The program does not comply to the verification goal, for example during the following execution: File int.mlw: Line 13: Constant zero initialization zero = 0 Line 14: Constant one initialization one = 1 File jlamp_projections.mlw: Line 7: to_int = fun (bOUND_VARIABLE_487:byte) -> if (epsilon x:byte. to_int x = 1) = bOUND_VARIABLE_487 then 1 else 127 Line 53: b = {f= epsilon x:byte. to_int x = 127; g= true} b = {f= epsilon x:byte. to_int x = 127; g= true} Execution of main function `p4` with env: to_int = fun (bOUND_VARIABLE_487:byte) -> if (epsilon x:byte. to_int x = 1) = bOUND_VARIABLE_487 then 1 else 127 b = {f= epsilon x:byte. to_int x = 127; g= true} zero = 0 one = 1 Line 54: Normal execution of function `g` with args: arg = {f= epsilon x:byte. to_int x = 127; g= true} (giant-step) execution of unimplemented function `of_int` x = 1 result of `of_int` = epsilon x:byte. to_int x = 1 Normal execution of function `f` with args: arg = {f= epsilon x:byte. to_int x = 127; g= true} (giant-step) execution of unimplemented function `add` x = epsilon x:byte. to_int x = 127 y = epsilon x:byte. to_int x = 1 Property failure at precondition of `add` with: x = epsilon x:byte. to_int x = 127 y = epsilon x:byte. to_int x = 1 why3-1.6.0/bench/check-ce/oracles/jlamp_projections_CVC5,1.0.0_SP.oracle000066400000000000000000000133541440160026300253070ustar00rootroot00000000000000File "bench/check-ce/jlamp_projections.mlw", line 29, characters 8-18: Sub-goal Precondition of goal p3'vc. Prover result is: Valid. Categorizations of models: - Checked model 0: BAD_CE - Concrete RAC: NORMAL - Abstract RAC: NORMAL - Selected model 1: NC - Concrete RAC: FAILURE (precondition at "bench/check-ce/jlamp_projections.mlw", line 29, characters 2-18) - Abstract RAC: FAILURE (precondition at "bench/check-ce/jlamp_projections.mlw", line 29, characters 2-18) File "bench/check-ce/jlamp_projections.mlw", line 29, characters 2-18: Sub-goal Integer overflow of goal p3'vc. Prover result is: Unknown or time/memory/step limit. The program does not comply to the verification goal, for example during the following execution: File int.mlw: Line 13: Constant zero initialization zero = 0 Line 14: Constant one initialization one = 1 File jlamp_projections.mlw: Line 7: to_int = fun (_arg_1:byte) -> if (epsilon x:byte. to_int x = 1) = _arg_1 then 1 else 127 Line 28: a = epsilon x:byte. to_int x = 127 a = epsilon x:byte. to_int x = 127 Execution of main function `p3` with env: to_int = fun (_arg_1:byte) -> if (epsilon x:byte. to_int x = 1) = _arg_1 then 1 else 127 a = epsilon x:byte. to_int x = 127 zero = 0 one = 1 Line 29: (giant-step) execution of unimplemented function `of_int` x = 1 result of `of_int` = epsilon x:byte. to_int x = 1 (giant-step) execution of unimplemented function `add` x = epsilon x:byte. to_int x = 127 y = epsilon x:byte. to_int x = 1 Property failure at precondition of `add` with: x = epsilon x:byte. to_int x = 127 y = epsilon x:byte. to_int x = 1 File "bench/check-ce/jlamp_projections.mlw", line 42, characters 14-24: Sub-goal Precondition of goal p3'vc. Prover result is: Valid. Categorizations of models: - Checked model 0: BAD_CE - Concrete RAC: NORMAL - Abstract RAC: NORMAL - Selected model 1: NC - Concrete RAC: FAILURE (precondition at "bench/check-ce/jlamp_projections.mlw", line 42, characters 7-24) - Abstract RAC: FAILURE (precondition at "bench/check-ce/jlamp_projections.mlw", line 42, characters 7-24) File "bench/check-ce/jlamp_projections.mlw", line 42, characters 7-24: Sub-goal Integer overflow of goal p3'vc. Prover result is: Unknown or time/memory/step limit. The program does not comply to the verification goal, for example during the following execution: File int.mlw: Line 13: Constant zero initialization zero = 0 Line 14: Constant one initialization one = 1 File jlamp_projections.mlw: Line 7: to_int = fun (_arg_1:byte) -> if (epsilon x:byte. to_int x = 1) = _arg_1 then 1 else 127 Line 41: a = {contents= epsilon x:byte. to_int x = 127} a = {contents= epsilon x:byte. to_int x = 127} Execution of main function `p3` with env: to_int = fun (_arg_1:byte) -> if (epsilon x:byte. to_int x = 1) = _arg_1 then 1 else 127 a = {contents= epsilon x:byte. to_int x = 127} zero = 0 one = 1 Line 42: (giant-step) execution of unimplemented function `of_int` x = 1 result of `of_int` = epsilon x:byte. to_int x = 1 Normal execution of function `(!)` with args: r = {contents= epsilon x:byte. to_int x = 127} File ref.mlw: Line 18: Normal execution of function `contents` with args: arg = {contents= epsilon x:byte. to_int x = 127} File jlamp_projections.mlw: Line 42: (giant-step) execution of unimplemented function `add` x = epsilon x:byte. to_int x = 127 y = epsilon x:byte. to_int x = 1 Property failure at precondition of `add` with: x = epsilon x:byte. to_int x = 127 y = epsilon x:byte. to_int x = 1 File "bench/check-ce/jlamp_projections.mlw", line 54, characters 29-39: Sub-goal Precondition of goal p4'vc. Prover result is: Valid. Categorizations of models: - Checked model 0: BAD_CE - Concrete RAC: NORMAL - Abstract RAC: NORMAL - Selected model 1: NC - Concrete RAC: FAILURE (precondition at "bench/check-ce/jlamp_projections.mlw", line 54, characters 21-39) - Abstract RAC: FAILURE (precondition at "bench/check-ce/jlamp_projections.mlw", line 54, characters 21-39) File "bench/check-ce/jlamp_projections.mlw", line 54, characters 21-39: Sub-goal Integer overflow of goal p4'vc. Prover result is: Unknown or time/memory/step limit. The program does not comply to the verification goal, for example during the following execution: File int.mlw: Line 13: Constant zero initialization zero = 0 Line 14: Constant one initialization one = 1 File jlamp_projections.mlw: Line 7: to_int = fun (_arg_1:byte) -> if (epsilon x:byte. to_int x = 1) = _arg_1 then 1 else 127 Line 53: b = {f= epsilon x:byte. to_int x = 127; g= true} b = {f= epsilon x:byte. to_int x = 127; g= true} Execution of main function `p4` with env: to_int = fun (_arg_1:byte) -> if (epsilon x:byte. to_int x = 1) = _arg_1 then 1 else 127 b = {f= epsilon x:byte. to_int x = 127; g= true} zero = 0 one = 1 Line 54: Normal execution of function `g` with args: arg = {f= epsilon x:byte. to_int x = 127; g= true} (giant-step) execution of unimplemented function `of_int` x = 1 result of `of_int` = epsilon x:byte. to_int x = 1 Normal execution of function `f` with args: arg = {f= epsilon x:byte. to_int x = 127; g= true} (giant-step) execution of unimplemented function `add` x = epsilon x:byte. to_int x = 127 y = epsilon x:byte. to_int x = 1 Property failure at precondition of `add` with: x = epsilon x:byte. to_int x = 127 y = epsilon x:byte. to_int x = 1 why3-1.6.0/bench/check-ce/oracles/jlamp_projections_CVC5,1.0.0_WP.oracle000066400000000000000000000133541440160026300253130ustar00rootroot00000000000000File "bench/check-ce/jlamp_projections.mlw", line 29, characters 8-18: Sub-goal Precondition of goal p3'vc. Prover result is: Valid. Categorizations of models: - Checked model 0: BAD_CE - Concrete RAC: NORMAL - Abstract RAC: NORMAL - Selected model 1: NC - Concrete RAC: FAILURE (precondition at "bench/check-ce/jlamp_projections.mlw", line 29, characters 2-18) - Abstract RAC: FAILURE (precondition at "bench/check-ce/jlamp_projections.mlw", line 29, characters 2-18) File "bench/check-ce/jlamp_projections.mlw", line 29, characters 2-18: Sub-goal Integer overflow of goal p3'vc. Prover result is: Unknown or time/memory/step limit. The program does not comply to the verification goal, for example during the following execution: File int.mlw: Line 13: Constant zero initialization zero = 0 Line 14: Constant one initialization one = 1 File jlamp_projections.mlw: Line 7: to_int = fun (_arg_1:byte) -> if (epsilon x:byte. to_int x = 1) = _arg_1 then 1 else 127 Line 28: a = epsilon x:byte. to_int x = 127 a = epsilon x:byte. to_int x = 127 Execution of main function `p3` with env: to_int = fun (_arg_1:byte) -> if (epsilon x:byte. to_int x = 1) = _arg_1 then 1 else 127 a = epsilon x:byte. to_int x = 127 zero = 0 one = 1 Line 29: (giant-step) execution of unimplemented function `of_int` x = 1 result of `of_int` = epsilon x:byte. to_int x = 1 (giant-step) execution of unimplemented function `add` x = epsilon x:byte. to_int x = 127 y = epsilon x:byte. to_int x = 1 Property failure at precondition of `add` with: x = epsilon x:byte. to_int x = 127 y = epsilon x:byte. to_int x = 1 File "bench/check-ce/jlamp_projections.mlw", line 42, characters 14-24: Sub-goal Precondition of goal p3'vc. Prover result is: Valid. Categorizations of models: - Checked model 0: BAD_CE - Concrete RAC: NORMAL - Abstract RAC: NORMAL - Selected model 1: NC - Concrete RAC: FAILURE (precondition at "bench/check-ce/jlamp_projections.mlw", line 42, characters 7-24) - Abstract RAC: FAILURE (precondition at "bench/check-ce/jlamp_projections.mlw", line 42, characters 7-24) File "bench/check-ce/jlamp_projections.mlw", line 42, characters 7-24: Sub-goal Integer overflow of goal p3'vc. Prover result is: Unknown or time/memory/step limit. The program does not comply to the verification goal, for example during the following execution: File int.mlw: Line 13: Constant zero initialization zero = 0 Line 14: Constant one initialization one = 1 File jlamp_projections.mlw: Line 7: to_int = fun (_arg_1:byte) -> if (epsilon x:byte. to_int x = 1) = _arg_1 then 1 else 127 Line 41: a = {contents= epsilon x:byte. to_int x = 127} a = {contents= epsilon x:byte. to_int x = 127} Execution of main function `p3` with env: to_int = fun (_arg_1:byte) -> if (epsilon x:byte. to_int x = 1) = _arg_1 then 1 else 127 a = {contents= epsilon x:byte. to_int x = 127} zero = 0 one = 1 Line 42: (giant-step) execution of unimplemented function `of_int` x = 1 result of `of_int` = epsilon x:byte. to_int x = 1 Normal execution of function `(!)` with args: r = {contents= epsilon x:byte. to_int x = 127} File ref.mlw: Line 18: Normal execution of function `contents` with args: arg = {contents= epsilon x:byte. to_int x = 127} File jlamp_projections.mlw: Line 42: (giant-step) execution of unimplemented function `add` x = epsilon x:byte. to_int x = 127 y = epsilon x:byte. to_int x = 1 Property failure at precondition of `add` with: x = epsilon x:byte. to_int x = 127 y = epsilon x:byte. to_int x = 1 File "bench/check-ce/jlamp_projections.mlw", line 54, characters 29-39: Sub-goal Precondition of goal p4'vc. Prover result is: Valid. Categorizations of models: - Checked model 0: BAD_CE - Concrete RAC: NORMAL - Abstract RAC: NORMAL - Selected model 1: NC - Concrete RAC: FAILURE (precondition at "bench/check-ce/jlamp_projections.mlw", line 54, characters 21-39) - Abstract RAC: FAILURE (precondition at "bench/check-ce/jlamp_projections.mlw", line 54, characters 21-39) File "bench/check-ce/jlamp_projections.mlw", line 54, characters 21-39: Sub-goal Integer overflow of goal p4'vc. Prover result is: Unknown or time/memory/step limit. The program does not comply to the verification goal, for example during the following execution: File int.mlw: Line 13: Constant zero initialization zero = 0 Line 14: Constant one initialization one = 1 File jlamp_projections.mlw: Line 7: to_int = fun (_arg_1:byte) -> if (epsilon x:byte. to_int x = 1) = _arg_1 then 1 else 127 Line 53: b = {f= epsilon x:byte. to_int x = 127; g= true} b = {f= epsilon x:byte. to_int x = 127; g= true} Execution of main function `p4` with env: to_int = fun (_arg_1:byte) -> if (epsilon x:byte. to_int x = 1) = _arg_1 then 1 else 127 b = {f= epsilon x:byte. to_int x = 127; g= true} zero = 0 one = 1 Line 54: Normal execution of function `g` with args: arg = {f= epsilon x:byte. to_int x = 127; g= true} (giant-step) execution of unimplemented function `of_int` x = 1 result of `of_int` = epsilon x:byte. to_int x = 1 Normal execution of function `f` with args: arg = {f= epsilon x:byte. to_int x = 127; g= true} (giant-step) execution of unimplemented function `add` x = epsilon x:byte. to_int x = 127 y = epsilon x:byte. to_int x = 1 Property failure at precondition of `add` with: x = epsilon x:byte. to_int x = 127 y = epsilon x:byte. to_int x = 1 why3-1.6.0/bench/check-ce/oracles/jlamp_projections_Z3,4.8.10_SP.oracle000066400000000000000000000172271440160026300252020ustar00rootroot00000000000000File "bench/check-ce/jlamp_projections.mlw", line 29, characters 8-18: Sub-goal Precondition of goal p3'vc. Prover result is: Valid. Categorizations of models: - Checked model 0: BAD_CE - Concrete RAC: NORMAL - Abstract RAC: NORMAL - Selected model 1: NC - Concrete RAC: FAILURE (precondition at "bench/check-ce/jlamp_projections.mlw", line 29, characters 2-18) - Abstract RAC: FAILURE (precondition at "bench/check-ce/jlamp_projections.mlw", line 29, characters 2-18) File "bench/check-ce/jlamp_projections.mlw", line 29, characters 2-18: Sub-goal Integer overflow of goal p3'vc. Prover result is: Unknown (sat). The program does not comply to the verification goal, for example during the following execution: File int.mlw: Line 13: Constant zero initialization zero = 0 Line 14: Constant one initialization one = 1 File jlamp_projections.mlw: Line 7: to_int = fun (x!0:byte) -> if (if x!0 = (epsilon x:byte. to_int x = 127) then epsilon x: byte. to_int x = 127 else epsilon x:byte. to_int x = 1) = (epsilon x:byte. to_int x = 1) then 1 else if (if x!0 = (epsilon x:byte. to_int x = 127) then epsilon x:byte. to_int x = 127 else epsilon x: byte. to_int x = 1) = (epsilon x:byte. to_int x = 127) then 127 else 2 Line 28: a = epsilon x:byte. to_int x = 127 a = epsilon x:byte. to_int x = 127 Execution of main function `p3` with env: to_int = fun (x!0:byte) -> if (if x!0 = (epsilon x:byte. to_int x = 127) then epsilon x: byte. to_int x = 127 else epsilon x:byte. to_int x = 1) = (epsilon x:byte. to_int x = 1) then 1 else if (if x!0 = (epsilon x:byte. to_int x = 127) then epsilon x:byte. to_int x = 127 else epsilon x: byte. to_int x = 1) = (epsilon x:byte. to_int x = 127) then 127 else 2 a = epsilon x:byte. to_int x = 127 zero = 0 one = 1 Line 29: (giant-step) execution of unimplemented function `of_int` x = 1 result of `of_int` = epsilon x:byte. to_int x = 1 (giant-step) execution of unimplemented function `add` x = epsilon x:byte. to_int x = 127 y = epsilon x:byte. to_int x = 1 Property failure at precondition of `add` with: x = epsilon x:byte. to_int x = 127 y = epsilon x:byte. to_int x = 1 File "bench/check-ce/jlamp_projections.mlw", line 42, characters 14-24: Sub-goal Precondition of goal p3'vc. Prover result is: Valid. Categorizations of models: - Selected model 0: NC - Concrete RAC: FAILURE (precondition at "bench/check-ce/jlamp_projections.mlw", line 42, characters 7-24) - Abstract RAC: FAILURE (precondition at "bench/check-ce/jlamp_projections.mlw", line 42, characters 7-24) - Checked model 1: NC - Concrete RAC: FAILURE (precondition at "bench/check-ce/jlamp_projections.mlw", line 42, characters 7-24) - Abstract RAC: FAILURE (precondition at "bench/check-ce/jlamp_projections.mlw", line 42, characters 7-24) File "bench/check-ce/jlamp_projections.mlw", line 42, characters 7-24: Sub-goal Integer overflow of goal p3'vc. Prover result is: Unknown (sat). The program does not comply to the verification goal, for example during the following execution: File int.mlw: Line 13: Constant zero initialization zero = 0 Line 14: Constant one initialization one = 1 File jlamp_projections.mlw: Line 7: to_int = fun (x!0:byte) -> if x!0 = (epsilon x:byte. to_int x = 1) then 1 else if x!0 = (epsilon x:byte. to_int x = 127) then 127 else 1 Line 41: a = {contents= epsilon x:byte. to_int x = 127} a = {contents= epsilon x:byte. to_int x = 127} Execution of main function `p3` with env: to_int = fun (x!0:byte) -> if x!0 = (epsilon x:byte. to_int x = 1) then 1 else if x!0 = (epsilon x:byte. to_int x = 127) then 127 else 1 a = {contents= epsilon x:byte. to_int x = 127} zero = 0 one = 1 Line 42: (giant-step) execution of unimplemented function `of_int` x = 1 result of `of_int` = epsilon x:byte. to_int x = 1 Normal execution of function `(!)` with args: r = {contents= epsilon x:byte. to_int x = 127} File ref.mlw: Line 18: Normal execution of function `contents` with args: arg = {contents= epsilon x:byte. to_int x = 127} File jlamp_projections.mlw: Line 42: (giant-step) execution of unimplemented function `add` x = epsilon x:byte. to_int x = 127 y = epsilon x:byte. to_int x = 1 Property failure at precondition of `add` with: x = epsilon x:byte. to_int x = 127 y = epsilon x:byte. to_int x = 1 File "bench/check-ce/jlamp_projections.mlw", line 54, characters 29-39: Sub-goal Precondition of goal p4'vc. Prover result is: Valid. Categorizations of models: - Checked model 0: BAD_CE - Concrete RAC: NORMAL - Abstract RAC: NORMAL - Selected model 1: NC - Concrete RAC: FAILURE (precondition at "bench/check-ce/jlamp_projections.mlw", line 54, characters 21-39) - Abstract RAC: FAILURE (precondition at "bench/check-ce/jlamp_projections.mlw", line 54, characters 21-39) File "bench/check-ce/jlamp_projections.mlw", line 54, characters 21-39: Sub-goal Integer overflow of goal p4'vc. Prover result is: Unknown (sat). The program does not comply to the verification goal, for example during the following execution: File int.mlw: Line 13: Constant zero initialization zero = 0 Line 14: Constant one initialization one = 1 File jlamp_projections.mlw: Line 7: to_int = fun (x!0:byte) -> if (if x!0 = (epsilon x:byte. to_int x = 127) then epsilon x: byte. to_int x = 127 else epsilon x:byte. to_int x = 1) = (epsilon x:byte. to_int x = 1) then 1 else if (if x!0 = (epsilon x:byte. to_int x = 127) then epsilon x:byte. to_int x = 127 else epsilon x: byte. to_int x = 1) = (epsilon x:byte. to_int x = 127) then 127 else 3 Line 53: b = {f= epsilon x:byte. to_int x = 127; g= true} b = {f= epsilon x:byte. to_int x = 127; g= true} Execution of main function `p4` with env: to_int = fun (x!0:byte) -> if (if x!0 = (epsilon x:byte. to_int x = 127) then epsilon x: byte. to_int x = 127 else epsilon x:byte. to_int x = 1) = (epsilon x:byte. to_int x = 1) then 1 else if (if x!0 = (epsilon x:byte. to_int x = 127) then epsilon x:byte. to_int x = 127 else epsilon x: byte. to_int x = 1) = (epsilon x:byte. to_int x = 127) then 127 else 3 b = {f= epsilon x:byte. to_int x = 127; g= true} zero = 0 one = 1 Line 54: Normal execution of function `g` with args: arg = {f= epsilon x:byte. to_int x = 127; g= true} (giant-step) execution of unimplemented function `of_int` x = 1 result of `of_int` = epsilon x:byte. to_int x = 1 Normal execution of function `f` with args: arg = {f= epsilon x:byte. to_int x = 127; g= true} (giant-step) execution of unimplemented function `add` x = epsilon x:byte. to_int x = 127 y = epsilon x:byte. to_int x = 1 Property failure at precondition of `add` with: x = epsilon x:byte. to_int x = 127 y = epsilon x:byte. to_int x = 1 why3-1.6.0/bench/check-ce/oracles/jlamp_projections_Z3,4.8.10_WP.oracle000066400000000000000000000172271440160026300252060ustar00rootroot00000000000000File "bench/check-ce/jlamp_projections.mlw", line 29, characters 8-18: Sub-goal Precondition of goal p3'vc. Prover result is: Valid. Categorizations of models: - Checked model 0: BAD_CE - Concrete RAC: NORMAL - Abstract RAC: NORMAL - Selected model 1: NC - Concrete RAC: FAILURE (precondition at "bench/check-ce/jlamp_projections.mlw", line 29, characters 2-18) - Abstract RAC: FAILURE (precondition at "bench/check-ce/jlamp_projections.mlw", line 29, characters 2-18) File "bench/check-ce/jlamp_projections.mlw", line 29, characters 2-18: Sub-goal Integer overflow of goal p3'vc. Prover result is: Unknown (sat). The program does not comply to the verification goal, for example during the following execution: File int.mlw: Line 13: Constant zero initialization zero = 0 Line 14: Constant one initialization one = 1 File jlamp_projections.mlw: Line 7: to_int = fun (x!0:byte) -> if (if x!0 = (epsilon x:byte. to_int x = 127) then epsilon x: byte. to_int x = 127 else epsilon x:byte. to_int x = 1) = (epsilon x:byte. to_int x = 1) then 1 else if (if x!0 = (epsilon x:byte. to_int x = 127) then epsilon x:byte. to_int x = 127 else epsilon x: byte. to_int x = 1) = (epsilon x:byte. to_int x = 127) then 127 else 2 Line 28: a = epsilon x:byte. to_int x = 127 a = epsilon x:byte. to_int x = 127 Execution of main function `p3` with env: to_int = fun (x!0:byte) -> if (if x!0 = (epsilon x:byte. to_int x = 127) then epsilon x: byte. to_int x = 127 else epsilon x:byte. to_int x = 1) = (epsilon x:byte. to_int x = 1) then 1 else if (if x!0 = (epsilon x:byte. to_int x = 127) then epsilon x:byte. to_int x = 127 else epsilon x: byte. to_int x = 1) = (epsilon x:byte. to_int x = 127) then 127 else 2 a = epsilon x:byte. to_int x = 127 zero = 0 one = 1 Line 29: (giant-step) execution of unimplemented function `of_int` x = 1 result of `of_int` = epsilon x:byte. to_int x = 1 (giant-step) execution of unimplemented function `add` x = epsilon x:byte. to_int x = 127 y = epsilon x:byte. to_int x = 1 Property failure at precondition of `add` with: x = epsilon x:byte. to_int x = 127 y = epsilon x:byte. to_int x = 1 File "bench/check-ce/jlamp_projections.mlw", line 42, characters 14-24: Sub-goal Precondition of goal p3'vc. Prover result is: Valid. Categorizations of models: - Selected model 0: NC - Concrete RAC: FAILURE (precondition at "bench/check-ce/jlamp_projections.mlw", line 42, characters 7-24) - Abstract RAC: FAILURE (precondition at "bench/check-ce/jlamp_projections.mlw", line 42, characters 7-24) - Checked model 1: NC - Concrete RAC: FAILURE (precondition at "bench/check-ce/jlamp_projections.mlw", line 42, characters 7-24) - Abstract RAC: FAILURE (precondition at "bench/check-ce/jlamp_projections.mlw", line 42, characters 7-24) File "bench/check-ce/jlamp_projections.mlw", line 42, characters 7-24: Sub-goal Integer overflow of goal p3'vc. Prover result is: Unknown (sat). The program does not comply to the verification goal, for example during the following execution: File int.mlw: Line 13: Constant zero initialization zero = 0 Line 14: Constant one initialization one = 1 File jlamp_projections.mlw: Line 7: to_int = fun (x!0:byte) -> if x!0 = (epsilon x:byte. to_int x = 1) then 1 else if x!0 = (epsilon x:byte. to_int x = 127) then 127 else 1 Line 41: a = {contents= epsilon x:byte. to_int x = 127} a = {contents= epsilon x:byte. to_int x = 127} Execution of main function `p3` with env: to_int = fun (x!0:byte) -> if x!0 = (epsilon x:byte. to_int x = 1) then 1 else if x!0 = (epsilon x:byte. to_int x = 127) then 127 else 1 a = {contents= epsilon x:byte. to_int x = 127} zero = 0 one = 1 Line 42: (giant-step) execution of unimplemented function `of_int` x = 1 result of `of_int` = epsilon x:byte. to_int x = 1 Normal execution of function `(!)` with args: r = {contents= epsilon x:byte. to_int x = 127} File ref.mlw: Line 18: Normal execution of function `contents` with args: arg = {contents= epsilon x:byte. to_int x = 127} File jlamp_projections.mlw: Line 42: (giant-step) execution of unimplemented function `add` x = epsilon x:byte. to_int x = 127 y = epsilon x:byte. to_int x = 1 Property failure at precondition of `add` with: x = epsilon x:byte. to_int x = 127 y = epsilon x:byte. to_int x = 1 File "bench/check-ce/jlamp_projections.mlw", line 54, characters 29-39: Sub-goal Precondition of goal p4'vc. Prover result is: Valid. Categorizations of models: - Checked model 0: BAD_CE - Concrete RAC: NORMAL - Abstract RAC: NORMAL - Selected model 1: NC - Concrete RAC: FAILURE (precondition at "bench/check-ce/jlamp_projections.mlw", line 54, characters 21-39) - Abstract RAC: FAILURE (precondition at "bench/check-ce/jlamp_projections.mlw", line 54, characters 21-39) File "bench/check-ce/jlamp_projections.mlw", line 54, characters 21-39: Sub-goal Integer overflow of goal p4'vc. Prover result is: Unknown (sat). The program does not comply to the verification goal, for example during the following execution: File int.mlw: Line 13: Constant zero initialization zero = 0 Line 14: Constant one initialization one = 1 File jlamp_projections.mlw: Line 7: to_int = fun (x!0:byte) -> if (if x!0 = (epsilon x:byte. to_int x = 127) then epsilon x: byte. to_int x = 127 else epsilon x:byte. to_int x = 1) = (epsilon x:byte. to_int x = 1) then 1 else if (if x!0 = (epsilon x:byte. to_int x = 127) then epsilon x:byte. to_int x = 127 else epsilon x: byte. to_int x = 1) = (epsilon x:byte. to_int x = 127) then 127 else 3 Line 53: b = {f= epsilon x:byte. to_int x = 127; g= true} b = {f= epsilon x:byte. to_int x = 127; g= true} Execution of main function `p4` with env: to_int = fun (x!0:byte) -> if (if x!0 = (epsilon x:byte. to_int x = 127) then epsilon x: byte. to_int x = 127 else epsilon x:byte. to_int x = 1) = (epsilon x:byte. to_int x = 1) then 1 else if (if x!0 = (epsilon x:byte. to_int x = 127) then epsilon x:byte. to_int x = 127 else epsilon x: byte. to_int x = 1) = (epsilon x:byte. to_int x = 127) then 127 else 3 b = {f= epsilon x:byte. to_int x = 127; g= true} zero = 0 one = 1 Line 54: Normal execution of function `g` with args: arg = {f= epsilon x:byte. to_int x = 127; g= true} (giant-step) execution of unimplemented function `of_int` x = 1 result of `of_int` = epsilon x:byte. to_int x = 1 Normal execution of function `f` with args: arg = {f= epsilon x:byte. to_int x = 127; g= true} (giant-step) execution of unimplemented function `add` x = epsilon x:byte. to_int x = 127 y = epsilon x:byte. to_int x = 1 Property failure at precondition of `add` with: x = epsilon x:byte. to_int x = 127 y = epsilon x:byte. to_int x = 1 why3-1.6.0/bench/check-ce/oracles/let_constant_CVC4,1.8_SP.oracle000066400000000000000000000021201440160026300241200ustar00rootroot00000000000000Categorizations of models: - Selected model 0: NC - Concrete RAC: FAILURE (assertion at "bench/check-ce/let_constant.mlw", line 9, characters 13-24) - Abstract RAC: FAILURE (assertion at "bench/check-ce/let_constant.mlw", line 9, characters 13-24) - Checked model 1: NC - Concrete RAC: FAILURE (assertion at "bench/check-ce/let_constant.mlw", line 9, characters 13-24) - Abstract RAC: FAILURE (assertion at "bench/check-ce/let_constant.mlw", line 9, characters 13-24) File "bench/check-ce/let_constant.mlw", line 9, characters 13-24: Sub-goal Assertion of goal dummy'vc. Prover result is: Unknown (sat). The program does not comply to the verification goal, for example during the following execution: File int.mlw: Line 13: Constant zero initialization zero = 0 Line 14: Constant one initialization one = 1 Unknown location: _ = () File let_constant.mlw: Line 5: _ = () Execution of main function `dummy` with env: _ = () zero = 0 one = 1 Line 9: Property failure at assertion with: a = 25 b = 65 why3-1.6.0/bench/check-ce/oracles/let_constant_CVC4,1.8_WP.oracle000066400000000000000000000021201440160026300241240ustar00rootroot00000000000000Categorizations of models: - Selected model 0: NC - Concrete RAC: FAILURE (assertion at "bench/check-ce/let_constant.mlw", line 9, characters 13-24) - Abstract RAC: FAILURE (assertion at "bench/check-ce/let_constant.mlw", line 9, characters 13-24) - Checked model 1: NC - Concrete RAC: FAILURE (assertion at "bench/check-ce/let_constant.mlw", line 9, characters 13-24) - Abstract RAC: FAILURE (assertion at "bench/check-ce/let_constant.mlw", line 9, characters 13-24) File "bench/check-ce/let_constant.mlw", line 9, characters 13-24: Sub-goal Assertion of goal dummy'vc. Prover result is: Unknown (sat). The program does not comply to the verification goal, for example during the following execution: File int.mlw: Line 13: Constant zero initialization zero = 0 Line 14: Constant one initialization one = 1 Unknown location: _ = () File let_constant.mlw: Line 5: _ = () Execution of main function `dummy` with env: _ = () zero = 0 one = 1 Line 9: Property failure at assertion with: a = 25 b = 65 why3-1.6.0/bench/check-ce/oracles/let_constant_CVC5,1.0.0_SP.oracle000066400000000000000000000021201440160026300242470ustar00rootroot00000000000000Categorizations of models: - Selected model 0: NC - Concrete RAC: FAILURE (assertion at "bench/check-ce/let_constant.mlw", line 9, characters 13-24) - Abstract RAC: FAILURE (assertion at "bench/check-ce/let_constant.mlw", line 9, characters 13-24) - Checked model 1: NC - Concrete RAC: FAILURE (assertion at "bench/check-ce/let_constant.mlw", line 9, characters 13-24) - Abstract RAC: FAILURE (assertion at "bench/check-ce/let_constant.mlw", line 9, characters 13-24) File "bench/check-ce/let_constant.mlw", line 9, characters 13-24: Sub-goal Assertion of goal dummy'vc. Prover result is: Unknown (sat). The program does not comply to the verification goal, for example during the following execution: File int.mlw: Line 13: Constant zero initialization zero = 0 Line 14: Constant one initialization one = 1 Unknown location: _ = () File let_constant.mlw: Line 5: _ = () Execution of main function `dummy` with env: _ = () zero = 0 one = 1 Line 9: Property failure at assertion with: a = 25 b = 65 why3-1.6.0/bench/check-ce/oracles/let_constant_CVC5,1.0.0_WP.oracle000066400000000000000000000021201440160026300242530ustar00rootroot00000000000000Categorizations of models: - Selected model 0: NC - Concrete RAC: FAILURE (assertion at "bench/check-ce/let_constant.mlw", line 9, characters 13-24) - Abstract RAC: FAILURE (assertion at "bench/check-ce/let_constant.mlw", line 9, characters 13-24) - Checked model 1: NC - Concrete RAC: FAILURE (assertion at "bench/check-ce/let_constant.mlw", line 9, characters 13-24) - Abstract RAC: FAILURE (assertion at "bench/check-ce/let_constant.mlw", line 9, characters 13-24) File "bench/check-ce/let_constant.mlw", line 9, characters 13-24: Sub-goal Assertion of goal dummy'vc. Prover result is: Unknown (sat). The program does not comply to the verification goal, for example during the following execution: File int.mlw: Line 13: Constant zero initialization zero = 0 Line 14: Constant one initialization one = 1 Unknown location: _ = () File let_constant.mlw: Line 5: _ = () Execution of main function `dummy` with env: _ = () zero = 0 one = 1 Line 9: Property failure at assertion with: a = 25 b = 65 why3-1.6.0/bench/check-ce/oracles/let_constant_Z3,4.8.10_SP.oracle000066400000000000000000000021201440160026300241370ustar00rootroot00000000000000Categorizations of models: - Selected model 0: NC - Concrete RAC: FAILURE (assertion at "bench/check-ce/let_constant.mlw", line 9, characters 13-24) - Abstract RAC: FAILURE (assertion at "bench/check-ce/let_constant.mlw", line 9, characters 13-24) - Checked model 1: NC - Concrete RAC: FAILURE (assertion at "bench/check-ce/let_constant.mlw", line 9, characters 13-24) - Abstract RAC: FAILURE (assertion at "bench/check-ce/let_constant.mlw", line 9, characters 13-24) File "bench/check-ce/let_constant.mlw", line 9, characters 13-24: Sub-goal Assertion of goal dummy'vc. Prover result is: Unknown (sat). The program does not comply to the verification goal, for example during the following execution: File int.mlw: Line 13: Constant zero initialization zero = 0 Line 14: Constant one initialization one = 1 Unknown location: _ = () File let_constant.mlw: Line 5: _ = () Execution of main function `dummy` with env: _ = () zero = 0 one = 1 Line 9: Property failure at assertion with: a = 25 b = 65 why3-1.6.0/bench/check-ce/oracles/let_constant_Z3,4.8.10_WP.oracle000066400000000000000000000021201440160026300241430ustar00rootroot00000000000000Categorizations of models: - Selected model 0: NC - Concrete RAC: FAILURE (assertion at "bench/check-ce/let_constant.mlw", line 9, characters 13-24) - Abstract RAC: FAILURE (assertion at "bench/check-ce/let_constant.mlw", line 9, characters 13-24) - Checked model 1: NC - Concrete RAC: FAILURE (assertion at "bench/check-ce/let_constant.mlw", line 9, characters 13-24) - Abstract RAC: FAILURE (assertion at "bench/check-ce/let_constant.mlw", line 9, characters 13-24) File "bench/check-ce/let_constant.mlw", line 9, characters 13-24: Sub-goal Assertion of goal dummy'vc. Prover result is: Unknown (sat). The program does not comply to the verification goal, for example during the following execution: File int.mlw: Line 13: Constant zero initialization zero = 0 Line 14: Constant one initialization one = 1 Unknown location: _ = () File let_constant.mlw: Line 5: _ = () Execution of main function `dummy` with env: _ = () zero = 0 one = 1 Line 9: Property failure at assertion with: a = 25 b = 65 why3-1.6.0/bench/check-ce/oracles/let_function_CVC4,1.8_SP.oracle000066400000000000000000000025151440160026300241240ustar00rootroot00000000000000Categorizations of models: - Selected model 0: NC - Concrete RAC: FAILURE (postcondition at "bench/check-ce/let_function.mlw", line 6, characters 12-24) - Abstract RAC: FAILURE (postcondition at "bench/check-ce/let_function.mlw", line 6, characters 12-24) - Checked model 1: NC - Concrete RAC: FAILURE (postcondition at "bench/check-ce/let_function.mlw", line 6, characters 12-24) - Abstract RAC: FAILURE (postcondition at "bench/check-ce/let_function.mlw", line 6, characters 12-24) File "bench/check-ce/let_function.mlw", line 6, characters 12-24: Sub-goal Postcondition of goal main_f'vc. Prover result is: Unknown (sat). The program does not comply to the verification goal, for example during the following execution: File int.mlw: Line 13: Constant zero initialization zero = 0 Line 14: Constant one initialization one = 1 File let_function.mlw: Line 5: y = 42 y = 42 Execution of main function `main_f` with env: y = 42 zero = 0 one = 1 Line 8: Normal execution of function `f` with args: x = 42 Line 3: Normal execution of function `(+)` with args: _ = 42 _ = 1 Line 9: Normal execution of function `(+)` with args: _ = 43 _ = 1 Line 6: Property failure at postcondition of `main_f` with: result = 44 why3-1.6.0/bench/check-ce/oracles/let_function_CVC4,1.8_WP.oracle000066400000000000000000000025151440160026300241300ustar00rootroot00000000000000Categorizations of models: - Selected model 0: NC - Concrete RAC: FAILURE (postcondition at "bench/check-ce/let_function.mlw", line 6, characters 12-24) - Abstract RAC: FAILURE (postcondition at "bench/check-ce/let_function.mlw", line 6, characters 12-24) - Checked model 1: NC - Concrete RAC: FAILURE (postcondition at "bench/check-ce/let_function.mlw", line 6, characters 12-24) - Abstract RAC: FAILURE (postcondition at "bench/check-ce/let_function.mlw", line 6, characters 12-24) File "bench/check-ce/let_function.mlw", line 6, characters 12-24: Sub-goal Postcondition of goal main_f'vc. Prover result is: Unknown (sat). The program does not comply to the verification goal, for example during the following execution: File int.mlw: Line 13: Constant zero initialization zero = 0 Line 14: Constant one initialization one = 1 File let_function.mlw: Line 5: y = 42 y = 42 Execution of main function `main_f` with env: y = 42 zero = 0 one = 1 Line 8: Normal execution of function `f` with args: x = 42 Line 3: Normal execution of function `(+)` with args: _ = 42 _ = 1 Line 9: Normal execution of function `(+)` with args: _ = 43 _ = 1 Line 6: Property failure at postcondition of `main_f` with: result = 44 why3-1.6.0/bench/check-ce/oracles/let_function_CVC5,1.0.0_SP.oracle000066400000000000000000000025151440160026300242530ustar00rootroot00000000000000Categorizations of models: - Selected model 0: NC - Concrete RAC: FAILURE (postcondition at "bench/check-ce/let_function.mlw", line 6, characters 12-24) - Abstract RAC: FAILURE (postcondition at "bench/check-ce/let_function.mlw", line 6, characters 12-24) - Checked model 1: NC - Concrete RAC: FAILURE (postcondition at "bench/check-ce/let_function.mlw", line 6, characters 12-24) - Abstract RAC: FAILURE (postcondition at "bench/check-ce/let_function.mlw", line 6, characters 12-24) File "bench/check-ce/let_function.mlw", line 6, characters 12-24: Sub-goal Postcondition of goal main_f'vc. Prover result is: Unknown (sat). The program does not comply to the verification goal, for example during the following execution: File int.mlw: Line 13: Constant zero initialization zero = 0 Line 14: Constant one initialization one = 1 File let_function.mlw: Line 5: y = 42 y = 42 Execution of main function `main_f` with env: y = 42 zero = 0 one = 1 Line 8: Normal execution of function `f` with args: x = 42 Line 3: Normal execution of function `(+)` with args: _ = 42 _ = 1 Line 9: Normal execution of function `(+)` with args: _ = 43 _ = 1 Line 6: Property failure at postcondition of `main_f` with: result = 44 why3-1.6.0/bench/check-ce/oracles/let_function_CVC5,1.0.0_WP.oracle000066400000000000000000000025151440160026300242570ustar00rootroot00000000000000Categorizations of models: - Selected model 0: NC - Concrete RAC: FAILURE (postcondition at "bench/check-ce/let_function.mlw", line 6, characters 12-24) - Abstract RAC: FAILURE (postcondition at "bench/check-ce/let_function.mlw", line 6, characters 12-24) - Checked model 1: NC - Concrete RAC: FAILURE (postcondition at "bench/check-ce/let_function.mlw", line 6, characters 12-24) - Abstract RAC: FAILURE (postcondition at "bench/check-ce/let_function.mlw", line 6, characters 12-24) File "bench/check-ce/let_function.mlw", line 6, characters 12-24: Sub-goal Postcondition of goal main_f'vc. Prover result is: Unknown (sat). The program does not comply to the verification goal, for example during the following execution: File int.mlw: Line 13: Constant zero initialization zero = 0 Line 14: Constant one initialization one = 1 File let_function.mlw: Line 5: y = 42 y = 42 Execution of main function `main_f` with env: y = 42 zero = 0 one = 1 Line 8: Normal execution of function `f` with args: x = 42 Line 3: Normal execution of function `(+)` with args: _ = 42 _ = 1 Line 9: Normal execution of function `(+)` with args: _ = 43 _ = 1 Line 6: Property failure at postcondition of `main_f` with: result = 44 why3-1.6.0/bench/check-ce/oracles/let_function_Z3,4.8.10_SP.oracle000066400000000000000000000025151440160026300241430ustar00rootroot00000000000000Categorizations of models: - Selected model 0: NC - Concrete RAC: FAILURE (postcondition at "bench/check-ce/let_function.mlw", line 6, characters 12-24) - Abstract RAC: FAILURE (postcondition at "bench/check-ce/let_function.mlw", line 6, characters 12-24) - Checked model 1: NC - Concrete RAC: FAILURE (postcondition at "bench/check-ce/let_function.mlw", line 6, characters 12-24) - Abstract RAC: FAILURE (postcondition at "bench/check-ce/let_function.mlw", line 6, characters 12-24) File "bench/check-ce/let_function.mlw", line 6, characters 12-24: Sub-goal Postcondition of goal main_f'vc. Prover result is: Unknown (sat). The program does not comply to the verification goal, for example during the following execution: File int.mlw: Line 13: Constant zero initialization zero = 0 Line 14: Constant one initialization one = 1 File let_function.mlw: Line 5: y = 42 y = 42 Execution of main function `main_f` with env: y = 42 zero = 0 one = 1 Line 8: Normal execution of function `f` with args: x = 42 Line 3: Normal execution of function `(+)` with args: _ = 42 _ = 1 Line 9: Normal execution of function `(+)` with args: _ = 43 _ = 1 Line 6: Property failure at postcondition of `main_f` with: result = 44 why3-1.6.0/bench/check-ce/oracles/let_function_Z3,4.8.10_WP.oracle000066400000000000000000000025151440160026300241470ustar00rootroot00000000000000Categorizations of models: - Selected model 0: NC - Concrete RAC: FAILURE (postcondition at "bench/check-ce/let_function.mlw", line 6, characters 12-24) - Abstract RAC: FAILURE (postcondition at "bench/check-ce/let_function.mlw", line 6, characters 12-24) - Checked model 1: NC - Concrete RAC: FAILURE (postcondition at "bench/check-ce/let_function.mlw", line 6, characters 12-24) - Abstract RAC: FAILURE (postcondition at "bench/check-ce/let_function.mlw", line 6, characters 12-24) File "bench/check-ce/let_function.mlw", line 6, characters 12-24: Sub-goal Postcondition of goal main_f'vc. Prover result is: Unknown (sat). The program does not comply to the verification goal, for example during the following execution: File int.mlw: Line 13: Constant zero initialization zero = 0 Line 14: Constant one initialization one = 1 File let_function.mlw: Line 5: y = 42 y = 42 Execution of main function `main_f` with env: y = 42 zero = 0 one = 1 Line 8: Normal execution of function `f` with args: x = 42 Line 3: Normal execution of function `(+)` with args: _ = 42 _ = 1 Line 9: Normal execution of function `(+)` with args: _ = 43 _ = 1 Line 6: Property failure at postcondition of `main_f` with: result = 44 why3-1.6.0/bench/check-ce/oracles/let_function_logic_CVC4,1.8_SP.oracle000066400000000000000000000031651440160026300253030ustar00rootroot00000000000000File "bench/check-ce/let_function_logic.mlw", line 8, characters 12-24: Sub-goal Postcondition of goal f'vc. Prover result is: Valid. Categorizations of models: - Checked model 0: BAD_CE - Concrete RAC: FAILURE (postcondition at "bench/check-ce/let_function_logic.mlw", line 14, characters 10-13) - Abstract RAC: FAILURE (postcondition at "bench/check-ce/let_function_logic.mlw", line 12, characters 12-24) - Selected model 1: NC - Concrete RAC: FAILURE (postcondition at "bench/check-ce/let_function_logic.mlw", line 12, characters 12-24) - Abstract RAC: FAILURE (postcondition at "bench/check-ce/let_function_logic.mlw", line 12, characters 12-24) File "bench/check-ce/let_function_logic.mlw", line 12, characters 12-24: Sub-goal Postcondition of goal main'vc. Prover result is: Unknown or time/memory/step limit. The program does not comply to the verification goal, for example during the following execution: File int.mlw: Line 13: Constant zero initialization zero = 0 Line 14: Constant one initialization one = 1 File let_function_logic.mlw: Line 3: g = fun (bOUND_VARIABLE_374:int) -> 43 Line 11: y = 42 y = 42 Execution of main function `main` with env: g = fun (bOUND_VARIABLE_374:int) -> 43 y = 42 zero = 0 one = 1 Line 14: Normal execution of function `f` with args: x = 42 Line 9: Normal execution of function `(+)` with args: _ = 42 _ = 1 Line 15: Normal execution of function `(+)` with args: _ = 43 _ = 1 Line 12: Property failure at postcondition of `main` with: result = 44 why3-1.6.0/bench/check-ce/oracles/let_function_logic_CVC4,1.8_WP.oracle000066400000000000000000000031651440160026300253070ustar00rootroot00000000000000File "bench/check-ce/let_function_logic.mlw", line 8, characters 12-24: Sub-goal Postcondition of goal f'vc. Prover result is: Valid. Categorizations of models: - Checked model 0: BAD_CE - Concrete RAC: FAILURE (postcondition at "bench/check-ce/let_function_logic.mlw", line 14, characters 10-13) - Abstract RAC: FAILURE (postcondition at "bench/check-ce/let_function_logic.mlw", line 12, characters 12-24) - Selected model 1: NC - Concrete RAC: FAILURE (postcondition at "bench/check-ce/let_function_logic.mlw", line 12, characters 12-24) - Abstract RAC: FAILURE (postcondition at "bench/check-ce/let_function_logic.mlw", line 12, characters 12-24) File "bench/check-ce/let_function_logic.mlw", line 12, characters 12-24: Sub-goal Postcondition of goal main'vc. Prover result is: Unknown or time/memory/step limit. The program does not comply to the verification goal, for example during the following execution: File int.mlw: Line 13: Constant zero initialization zero = 0 Line 14: Constant one initialization one = 1 File let_function_logic.mlw: Line 3: g = fun (bOUND_VARIABLE_374:int) -> 43 Line 11: y = 42 y = 42 Execution of main function `main` with env: g = fun (bOUND_VARIABLE_374:int) -> 43 y = 42 zero = 0 one = 1 Line 14: Normal execution of function `f` with args: x = 42 Line 9: Normal execution of function `(+)` with args: _ = 42 _ = 1 Line 15: Normal execution of function `(+)` with args: _ = 43 _ = 1 Line 12: Property failure at postcondition of `main` with: result = 44 why3-1.6.0/bench/check-ce/oracles/let_function_logic_CVC5,1.0.0_SP.oracle000066400000000000000000000031351440160026300254270ustar00rootroot00000000000000File "bench/check-ce/let_function_logic.mlw", line 8, characters 12-24: Sub-goal Postcondition of goal f'vc. Prover result is: Valid. Categorizations of models: - Checked model 0: BAD_CE - Concrete RAC: FAILURE (postcondition at "bench/check-ce/let_function_logic.mlw", line 14, characters 10-13) - Abstract RAC: FAILURE (postcondition at "bench/check-ce/let_function_logic.mlw", line 12, characters 12-24) - Selected model 1: NC - Concrete RAC: FAILURE (postcondition at "bench/check-ce/let_function_logic.mlw", line 12, characters 12-24) - Abstract RAC: FAILURE (postcondition at "bench/check-ce/let_function_logic.mlw", line 12, characters 12-24) File "bench/check-ce/let_function_logic.mlw", line 12, characters 12-24: Sub-goal Postcondition of goal main'vc. Prover result is: Unknown or time/memory/step limit. The program does not comply to the verification goal, for example during the following execution: File int.mlw: Line 13: Constant zero initialization zero = 0 Line 14: Constant one initialization one = 1 File let_function_logic.mlw: Line 3: g = fun (_arg_1:int) -> 43 Line 11: y = 42 y = 42 Execution of main function `main` with env: g = fun (_arg_1:int) -> 43 y = 42 zero = 0 one = 1 Line 14: Normal execution of function `f` with args: x = 42 Line 9: Normal execution of function `(+)` with args: _ = 42 _ = 1 Line 15: Normal execution of function `(+)` with args: _ = 43 _ = 1 Line 12: Property failure at postcondition of `main` with: result = 44 why3-1.6.0/bench/check-ce/oracles/let_function_logic_CVC5,1.0.0_WP.oracle000066400000000000000000000031351440160026300254330ustar00rootroot00000000000000File "bench/check-ce/let_function_logic.mlw", line 8, characters 12-24: Sub-goal Postcondition of goal f'vc. Prover result is: Valid. Categorizations of models: - Checked model 0: BAD_CE - Concrete RAC: FAILURE (postcondition at "bench/check-ce/let_function_logic.mlw", line 14, characters 10-13) - Abstract RAC: FAILURE (postcondition at "bench/check-ce/let_function_logic.mlw", line 12, characters 12-24) - Selected model 1: NC - Concrete RAC: FAILURE (postcondition at "bench/check-ce/let_function_logic.mlw", line 12, characters 12-24) - Abstract RAC: FAILURE (postcondition at "bench/check-ce/let_function_logic.mlw", line 12, characters 12-24) File "bench/check-ce/let_function_logic.mlw", line 12, characters 12-24: Sub-goal Postcondition of goal main'vc. Prover result is: Unknown or time/memory/step limit. The program does not comply to the verification goal, for example during the following execution: File int.mlw: Line 13: Constant zero initialization zero = 0 Line 14: Constant one initialization one = 1 File let_function_logic.mlw: Line 3: g = fun (_arg_1:int) -> 43 Line 11: y = 42 y = 42 Execution of main function `main` with env: g = fun (_arg_1:int) -> 43 y = 42 zero = 0 one = 1 Line 14: Normal execution of function `f` with args: x = 42 Line 9: Normal execution of function `(+)` with args: _ = 42 _ = 1 Line 15: Normal execution of function `(+)` with args: _ = 43 _ = 1 Line 12: Property failure at postcondition of `main` with: result = 44 why3-1.6.0/bench/check-ce/oracles/let_function_logic_Z3,4.8.10_SP.oracle000066400000000000000000000031771440160026300253250ustar00rootroot00000000000000File "bench/check-ce/let_function_logic.mlw", line 8, characters 12-24: Sub-goal Postcondition of goal f'vc. Prover result is: Valid. Categorizations of models: - Checked model 0: BAD_CE - Concrete RAC: FAILURE (postcondition at "bench/check-ce/let_function_logic.mlw", line 14, characters 10-13) - Abstract RAC: FAILURE (postcondition at "bench/check-ce/let_function_logic.mlw", line 12, characters 12-24) - Selected model 1: NC - Concrete RAC: FAILURE (postcondition at "bench/check-ce/let_function_logic.mlw", line 12, characters 12-24) - Abstract RAC: FAILURE (postcondition at "bench/check-ce/let_function_logic.mlw", line 12, characters 12-24) File "bench/check-ce/let_function_logic.mlw", line 12, characters 12-24: Sub-goal Postcondition of goal main'vc. Prover result is: Unknown (sat). The program does not comply to the verification goal, for example during the following execution: File int.mlw: Line 13: Constant zero initialization zero = 0 Line 14: Constant one initialization one = 1 File let_function_logic.mlw: Line 3: g = fun (x!0:int) -> if x!0 = 42 then 43 else 1 + x!0 Line 11: y = 42 y = 42 Execution of main function `main` with env: g = fun (x!0:int) -> if x!0 = 42 then 43 else 1 + x!0 y = 42 zero = 0 one = 1 Line 14: Normal execution of function `f` with args: x = 42 Line 9: Normal execution of function `(+)` with args: _ = 42 _ = 1 Line 15: Normal execution of function `(+)` with args: _ = 43 _ = 1 Line 12: Property failure at postcondition of `main` with: result = 44 why3-1.6.0/bench/check-ce/oracles/let_function_logic_Z3,4.8.10_WP.oracle000066400000000000000000000031771440160026300253310ustar00rootroot00000000000000File "bench/check-ce/let_function_logic.mlw", line 8, characters 12-24: Sub-goal Postcondition of goal f'vc. Prover result is: Valid. Categorizations of models: - Checked model 0: BAD_CE - Concrete RAC: FAILURE (postcondition at "bench/check-ce/let_function_logic.mlw", line 14, characters 10-13) - Abstract RAC: FAILURE (postcondition at "bench/check-ce/let_function_logic.mlw", line 12, characters 12-24) - Selected model 1: NC - Concrete RAC: FAILURE (postcondition at "bench/check-ce/let_function_logic.mlw", line 12, characters 12-24) - Abstract RAC: FAILURE (postcondition at "bench/check-ce/let_function_logic.mlw", line 12, characters 12-24) File "bench/check-ce/let_function_logic.mlw", line 12, characters 12-24: Sub-goal Postcondition of goal main'vc. Prover result is: Unknown (sat). The program does not comply to the verification goal, for example during the following execution: File int.mlw: Line 13: Constant zero initialization zero = 0 Line 14: Constant one initialization one = 1 File let_function_logic.mlw: Line 3: g = fun (x!0:int) -> if x!0 = 42 then 43 else 1 + x!0 Line 11: y = 42 y = 42 Execution of main function `main` with env: g = fun (x!0:int) -> if x!0 = 42 then 43 else 1 + x!0 y = 42 zero = 0 one = 1 Line 14: Normal execution of function `f` with args: x = 42 Line 9: Normal execution of function `(+)` with args: _ = 42 _ = 1 Line 15: Normal execution of function `(+)` with args: _ = 43 _ = 1 Line 12: Property failure at postcondition of `main` with: result = 44 why3-1.6.0/bench/check-ce/oracles/lists_CVC4,1.8_SP.oracle000066400000000000000000000072651440160026300226000ustar00rootroot00000000000000Categorizations of models: - Selected model 0: NC - Concrete RAC: FAILURE (postcondition at "bench/check-ce/lists.mlw", line 14, characters 26-39) - Abstract RAC: FAILURE (postcondition at "bench/check-ce/lists.mlw", line 14, characters 26-39) - Checked model 1: NC - Concrete RAC: FAILURE (postcondition at "bench/check-ce/lists.mlw", line 14, characters 26-39) - Abstract RAC: FAILURE (postcondition at "bench/check-ce/lists.mlw", line 14, characters 26-39) File "bench/check-ce/lists.mlw", line 14, characters 26-39: Goal g1. Prover result is: Unknown or time/memory/step limit. The program does not comply to the verification goal, for example during the following execution: File int.mlw: Line 13: Constant zero initialization zero = 0 Line 14: Constant one initialization one = 1 File lists.mlw: Line 14: l = Nil l = Nil Execution of main function `g1'goal` with env: l = Nil zero = 0 one = 1 Unknown location: Normal execution of function `Tuple0` with args: File lists.mlw: Line 14: Property failure at postcondition of `g1'goal` with: l = Nil Categorizations of models: - Checked model 0: BAD_CE - Concrete RAC: NORMAL - Abstract RAC: NORMAL - Selected model 1: NC - Concrete RAC: FAILURE (postcondition at "bench/check-ce/lists.mlw", line 16, characters 26-39) - Abstract RAC: FAILURE (postcondition at "bench/check-ce/lists.mlw", line 16, characters 26-39) File "bench/check-ce/lists.mlw", line 16, characters 26-39: Goal g2. Prover result is: Unknown or time/memory/step limit. The program does not comply to the verification goal, for example during the following execution: File int.mlw: Line 13: Constant zero initialization zero = 0 Line 14: Constant one initialization one = 1 File lists.mlw: Line 16: l = (Cons (- 1) Nil) l = (Cons (- 1) Nil) Execution of main function `g2'goal` with env: l = (Cons (- 1) Nil) zero = 0 one = 1 Unknown location: Normal execution of function `Tuple0` with args: File lists.mlw: Line 16: Property failure at postcondition of `g2'goal1` with: l = (Cons (- 1) Nil) Categorizations of models: - Selected model 0: NC - Concrete RAC: FAILURE (postcondition at "bench/check-ce/lists.mlw", line 25, characters 30-43) - Abstract RAC: FAILURE (postcondition at "bench/check-ce/lists.mlw", line 25, characters 30-43) - Checked model 1: NC - Concrete RAC: FAILURE (postcondition at "bench/check-ce/lists.mlw", line 25, characters 30-43) - Abstract RAC: FAILURE (postcondition at "bench/check-ce/lists.mlw", line 25, characters 30-43) File "bench/check-ce/lists.mlw", line 25, characters 30-43: Goal g1. Prover result is: Unknown or time/memory/step limit. The program does not comply to the verification goal, for example during the following execution: File int.mlw: Line 13: Constant zero initialization zero = 0 Line 14: Constant one initialization one = 1 File lists.mlw: Line 25: l = Nil1 l = Nil1 Execution of main function `g1'goal` with env: l = Nil1 zero = 0 one = 1 Unknown location: Normal execution of function `Tuple0` with args: File lists.mlw: Line 25: Property failure at postcondition of `g1'goal2` with: l = Nil1 Categorizations of models: - Checked model 0: BAD_CE - Concrete RAC: NORMAL - Abstract RAC: NORMAL - Selected model 1: BAD_CE - Concrete RAC: NORMAL - Abstract RAC: NORMAL File "bench/check-ce/lists.mlw", line 27, characters 30-43: Goal g2. Prover result is: Unknown or time/memory/step limit. Sorry, we don't have a good counterexample for you :( why3-1.6.0/bench/check-ce/oracles/lists_CVC4,1.8_WP.oracle000066400000000000000000000072651440160026300226040ustar00rootroot00000000000000Categorizations of models: - Selected model 0: NC - Concrete RAC: FAILURE (postcondition at "bench/check-ce/lists.mlw", line 14, characters 26-39) - Abstract RAC: FAILURE (postcondition at "bench/check-ce/lists.mlw", line 14, characters 26-39) - Checked model 1: NC - Concrete RAC: FAILURE (postcondition at "bench/check-ce/lists.mlw", line 14, characters 26-39) - Abstract RAC: FAILURE (postcondition at "bench/check-ce/lists.mlw", line 14, characters 26-39) File "bench/check-ce/lists.mlw", line 14, characters 26-39: Goal g1. Prover result is: Unknown or time/memory/step limit. The program does not comply to the verification goal, for example during the following execution: File int.mlw: Line 13: Constant zero initialization zero = 0 Line 14: Constant one initialization one = 1 File lists.mlw: Line 14: l = Nil l = Nil Execution of main function `g1'goal` with env: l = Nil zero = 0 one = 1 Unknown location: Normal execution of function `Tuple0` with args: File lists.mlw: Line 14: Property failure at postcondition of `g1'goal` with: l = Nil Categorizations of models: - Checked model 0: BAD_CE - Concrete RAC: NORMAL - Abstract RAC: NORMAL - Selected model 1: NC - Concrete RAC: FAILURE (postcondition at "bench/check-ce/lists.mlw", line 16, characters 26-39) - Abstract RAC: FAILURE (postcondition at "bench/check-ce/lists.mlw", line 16, characters 26-39) File "bench/check-ce/lists.mlw", line 16, characters 26-39: Goal g2. Prover result is: Unknown or time/memory/step limit. The program does not comply to the verification goal, for example during the following execution: File int.mlw: Line 13: Constant zero initialization zero = 0 Line 14: Constant one initialization one = 1 File lists.mlw: Line 16: l = (Cons (- 1) Nil) l = (Cons (- 1) Nil) Execution of main function `g2'goal` with env: l = (Cons (- 1) Nil) zero = 0 one = 1 Unknown location: Normal execution of function `Tuple0` with args: File lists.mlw: Line 16: Property failure at postcondition of `g2'goal1` with: l = (Cons (- 1) Nil) Categorizations of models: - Selected model 0: NC - Concrete RAC: FAILURE (postcondition at "bench/check-ce/lists.mlw", line 25, characters 30-43) - Abstract RAC: FAILURE (postcondition at "bench/check-ce/lists.mlw", line 25, characters 30-43) - Checked model 1: NC - Concrete RAC: FAILURE (postcondition at "bench/check-ce/lists.mlw", line 25, characters 30-43) - Abstract RAC: FAILURE (postcondition at "bench/check-ce/lists.mlw", line 25, characters 30-43) File "bench/check-ce/lists.mlw", line 25, characters 30-43: Goal g1. Prover result is: Unknown or time/memory/step limit. The program does not comply to the verification goal, for example during the following execution: File int.mlw: Line 13: Constant zero initialization zero = 0 Line 14: Constant one initialization one = 1 File lists.mlw: Line 25: l = Nil1 l = Nil1 Execution of main function `g1'goal` with env: l = Nil1 zero = 0 one = 1 Unknown location: Normal execution of function `Tuple0` with args: File lists.mlw: Line 25: Property failure at postcondition of `g1'goal2` with: l = Nil1 Categorizations of models: - Checked model 0: BAD_CE - Concrete RAC: NORMAL - Abstract RAC: NORMAL - Selected model 1: BAD_CE - Concrete RAC: NORMAL - Abstract RAC: NORMAL File "bench/check-ce/lists.mlw", line 27, characters 30-43: Goal g2. Prover result is: Unknown or time/memory/step limit. Sorry, we don't have a good counterexample for you :( why3-1.6.0/bench/check-ce/oracles/lists_CVC5,1.0.0_SP.oracle000066400000000000000000000072651440160026300227270ustar00rootroot00000000000000Categorizations of models: - Selected model 0: NC - Concrete RAC: FAILURE (postcondition at "bench/check-ce/lists.mlw", line 14, characters 26-39) - Abstract RAC: FAILURE (postcondition at "bench/check-ce/lists.mlw", line 14, characters 26-39) - Checked model 1: NC - Concrete RAC: FAILURE (postcondition at "bench/check-ce/lists.mlw", line 14, characters 26-39) - Abstract RAC: FAILURE (postcondition at "bench/check-ce/lists.mlw", line 14, characters 26-39) File "bench/check-ce/lists.mlw", line 14, characters 26-39: Goal g1. Prover result is: Unknown or time/memory/step limit. The program does not comply to the verification goal, for example during the following execution: File int.mlw: Line 13: Constant zero initialization zero = 0 Line 14: Constant one initialization one = 1 File lists.mlw: Line 14: l = Nil l = Nil Execution of main function `g1'goal` with env: l = Nil zero = 0 one = 1 Unknown location: Normal execution of function `Tuple0` with args: File lists.mlw: Line 14: Property failure at postcondition of `g1'goal` with: l = Nil Categorizations of models: - Checked model 0: BAD_CE - Concrete RAC: NORMAL - Abstract RAC: NORMAL - Selected model 1: NC - Concrete RAC: FAILURE (postcondition at "bench/check-ce/lists.mlw", line 16, characters 26-39) - Abstract RAC: FAILURE (postcondition at "bench/check-ce/lists.mlw", line 16, characters 26-39) File "bench/check-ce/lists.mlw", line 16, characters 26-39: Goal g2. Prover result is: Unknown or time/memory/step limit. The program does not comply to the verification goal, for example during the following execution: File int.mlw: Line 13: Constant zero initialization zero = 0 Line 14: Constant one initialization one = 1 File lists.mlw: Line 16: l = (Cons (- 1) Nil) l = (Cons (- 1) Nil) Execution of main function `g2'goal` with env: l = (Cons (- 1) Nil) zero = 0 one = 1 Unknown location: Normal execution of function `Tuple0` with args: File lists.mlw: Line 16: Property failure at postcondition of `g2'goal1` with: l = (Cons (- 1) Nil) Categorizations of models: - Selected model 0: NC - Concrete RAC: FAILURE (postcondition at "bench/check-ce/lists.mlw", line 25, characters 30-43) - Abstract RAC: FAILURE (postcondition at "bench/check-ce/lists.mlw", line 25, characters 30-43) - Checked model 1: NC - Concrete RAC: FAILURE (postcondition at "bench/check-ce/lists.mlw", line 25, characters 30-43) - Abstract RAC: FAILURE (postcondition at "bench/check-ce/lists.mlw", line 25, characters 30-43) File "bench/check-ce/lists.mlw", line 25, characters 30-43: Goal g1. Prover result is: Unknown or time/memory/step limit. The program does not comply to the verification goal, for example during the following execution: File int.mlw: Line 13: Constant zero initialization zero = 0 Line 14: Constant one initialization one = 1 File lists.mlw: Line 25: l = Nil1 l = Nil1 Execution of main function `g1'goal` with env: l = Nil1 zero = 0 one = 1 Unknown location: Normal execution of function `Tuple0` with args: File lists.mlw: Line 25: Property failure at postcondition of `g1'goal2` with: l = Nil1 Categorizations of models: - Checked model 0: BAD_CE - Concrete RAC: NORMAL - Abstract RAC: NORMAL - Selected model 1: BAD_CE - Concrete RAC: NORMAL - Abstract RAC: NORMAL File "bench/check-ce/lists.mlw", line 27, characters 30-43: Goal g2. Prover result is: Unknown or time/memory/step limit. Sorry, we don't have a good counterexample for you :( why3-1.6.0/bench/check-ce/oracles/lists_CVC5,1.0.0_WP.oracle000066400000000000000000000072651440160026300227330ustar00rootroot00000000000000Categorizations of models: - Selected model 0: NC - Concrete RAC: FAILURE (postcondition at "bench/check-ce/lists.mlw", line 14, characters 26-39) - Abstract RAC: FAILURE (postcondition at "bench/check-ce/lists.mlw", line 14, characters 26-39) - Checked model 1: NC - Concrete RAC: FAILURE (postcondition at "bench/check-ce/lists.mlw", line 14, characters 26-39) - Abstract RAC: FAILURE (postcondition at "bench/check-ce/lists.mlw", line 14, characters 26-39) File "bench/check-ce/lists.mlw", line 14, characters 26-39: Goal g1. Prover result is: Unknown or time/memory/step limit. The program does not comply to the verification goal, for example during the following execution: File int.mlw: Line 13: Constant zero initialization zero = 0 Line 14: Constant one initialization one = 1 File lists.mlw: Line 14: l = Nil l = Nil Execution of main function `g1'goal` with env: l = Nil zero = 0 one = 1 Unknown location: Normal execution of function `Tuple0` with args: File lists.mlw: Line 14: Property failure at postcondition of `g1'goal` with: l = Nil Categorizations of models: - Checked model 0: BAD_CE - Concrete RAC: NORMAL - Abstract RAC: NORMAL - Selected model 1: NC - Concrete RAC: FAILURE (postcondition at "bench/check-ce/lists.mlw", line 16, characters 26-39) - Abstract RAC: FAILURE (postcondition at "bench/check-ce/lists.mlw", line 16, characters 26-39) File "bench/check-ce/lists.mlw", line 16, characters 26-39: Goal g2. Prover result is: Unknown or time/memory/step limit. The program does not comply to the verification goal, for example during the following execution: File int.mlw: Line 13: Constant zero initialization zero = 0 Line 14: Constant one initialization one = 1 File lists.mlw: Line 16: l = (Cons (- 1) Nil) l = (Cons (- 1) Nil) Execution of main function `g2'goal` with env: l = (Cons (- 1) Nil) zero = 0 one = 1 Unknown location: Normal execution of function `Tuple0` with args: File lists.mlw: Line 16: Property failure at postcondition of `g2'goal1` with: l = (Cons (- 1) Nil) Categorizations of models: - Selected model 0: NC - Concrete RAC: FAILURE (postcondition at "bench/check-ce/lists.mlw", line 25, characters 30-43) - Abstract RAC: FAILURE (postcondition at "bench/check-ce/lists.mlw", line 25, characters 30-43) - Checked model 1: NC - Concrete RAC: FAILURE (postcondition at "bench/check-ce/lists.mlw", line 25, characters 30-43) - Abstract RAC: FAILURE (postcondition at "bench/check-ce/lists.mlw", line 25, characters 30-43) File "bench/check-ce/lists.mlw", line 25, characters 30-43: Goal g1. Prover result is: Unknown or time/memory/step limit. The program does not comply to the verification goal, for example during the following execution: File int.mlw: Line 13: Constant zero initialization zero = 0 Line 14: Constant one initialization one = 1 File lists.mlw: Line 25: l = Nil1 l = Nil1 Execution of main function `g1'goal` with env: l = Nil1 zero = 0 one = 1 Unknown location: Normal execution of function `Tuple0` with args: File lists.mlw: Line 25: Property failure at postcondition of `g1'goal2` with: l = Nil1 Categorizations of models: - Checked model 0: BAD_CE - Concrete RAC: NORMAL - Abstract RAC: NORMAL - Selected model 1: BAD_CE - Concrete RAC: NORMAL - Abstract RAC: NORMAL File "bench/check-ce/lists.mlw", line 27, characters 30-43: Goal g2. Prover result is: Unknown or time/memory/step limit. Sorry, we don't have a good counterexample for you :( why3-1.6.0/bench/check-ce/oracles/lists_Z3,4.8.10_SP.oracle000066400000000000000000000060131440160026300226050ustar00rootroot00000000000000Categorizations of models: - Selected model 0: NC - Concrete RAC: FAILURE (postcondition at "bench/check-ce/lists.mlw", line 14, characters 26-39) - Abstract RAC: FAILURE (postcondition at "bench/check-ce/lists.mlw", line 14, characters 26-39) - Checked model 1: NC - Concrete RAC: FAILURE (postcondition at "bench/check-ce/lists.mlw", line 14, characters 26-39) - Abstract RAC: FAILURE (postcondition at "bench/check-ce/lists.mlw", line 14, characters 26-39) File "bench/check-ce/lists.mlw", line 14, characters 26-39: Goal g1. Prover result is: Unknown or time/memory/step limit. The program does not comply to the verification goal, for example during the following execution: File int.mlw: Line 13: Constant zero initialization zero = 0 Line 14: Constant one initialization one = 1 File lists.mlw: Line 14: l = Nil l = Nil Execution of main function `g1'goal` with env: l = Nil zero = 0 one = 1 Unknown location: Normal execution of function `Tuple0` with args: File lists.mlw: Line 14: Property failure at postcondition of `g1'goal` with: l = Nil Categorizations of models: - Selected model 0: BAD_CE - Concrete RAC: NORMAL - Abstract RAC: NORMAL - Checked model 1: BAD_CE - Concrete RAC: NORMAL - Abstract RAC: NORMAL File "bench/check-ce/lists.mlw", line 16, characters 26-39: Goal g2. Prover result is: Unknown or time/memory/step limit. Sorry, we don't have a good counterexample for you :( Categorizations of models: - Selected model 0: NC - Concrete RAC: FAILURE (postcondition at "bench/check-ce/lists.mlw", line 25, characters 30-43) - Abstract RAC: FAILURE (postcondition at "bench/check-ce/lists.mlw", line 25, characters 30-43) - Checked model 1: NC - Concrete RAC: FAILURE (postcondition at "bench/check-ce/lists.mlw", line 25, characters 30-43) - Abstract RAC: FAILURE (postcondition at "bench/check-ce/lists.mlw", line 25, characters 30-43) File "bench/check-ce/lists.mlw", line 25, characters 30-43: Goal g1. Prover result is: Unknown or time/memory/step limit. The program does not comply to the verification goal, for example during the following execution: File int.mlw: Line 13: Constant zero initialization zero = 0 Line 14: Constant one initialization one = 1 File lists.mlw: Line 25: l = Nil1 l = Nil1 Execution of main function `g1'goal` with env: l = Nil1 zero = 0 one = 1 Unknown location: Normal execution of function `Tuple0` with args: File lists.mlw: Line 25: Property failure at postcondition of `g1'goal2` with: l = Nil1 Categorizations of models: - Selected model 0: BAD_CE - Concrete RAC: NORMAL - Abstract RAC: NORMAL - Checked model 1: BAD_CE - Concrete RAC: NORMAL - Abstract RAC: NORMAL File "bench/check-ce/lists.mlw", line 27, characters 30-43: Goal g2. Prover result is: Unknown or time/memory/step limit. Sorry, we don't have a good counterexample for you :( why3-1.6.0/bench/check-ce/oracles/lists_Z3,4.8.10_WP.oracle000066400000000000000000000060131440160026300226110ustar00rootroot00000000000000Categorizations of models: - Selected model 0: NC - Concrete RAC: FAILURE (postcondition at "bench/check-ce/lists.mlw", line 14, characters 26-39) - Abstract RAC: FAILURE (postcondition at "bench/check-ce/lists.mlw", line 14, characters 26-39) - Checked model 1: NC - Concrete RAC: FAILURE (postcondition at "bench/check-ce/lists.mlw", line 14, characters 26-39) - Abstract RAC: FAILURE (postcondition at "bench/check-ce/lists.mlw", line 14, characters 26-39) File "bench/check-ce/lists.mlw", line 14, characters 26-39: Goal g1. Prover result is: Unknown or time/memory/step limit. The program does not comply to the verification goal, for example during the following execution: File int.mlw: Line 13: Constant zero initialization zero = 0 Line 14: Constant one initialization one = 1 File lists.mlw: Line 14: l = Nil l = Nil Execution of main function `g1'goal` with env: l = Nil zero = 0 one = 1 Unknown location: Normal execution of function `Tuple0` with args: File lists.mlw: Line 14: Property failure at postcondition of `g1'goal` with: l = Nil Categorizations of models: - Selected model 0: BAD_CE - Concrete RAC: NORMAL - Abstract RAC: NORMAL - Checked model 1: BAD_CE - Concrete RAC: NORMAL - Abstract RAC: NORMAL File "bench/check-ce/lists.mlw", line 16, characters 26-39: Goal g2. Prover result is: Unknown or time/memory/step limit. Sorry, we don't have a good counterexample for you :( Categorizations of models: - Selected model 0: NC - Concrete RAC: FAILURE (postcondition at "bench/check-ce/lists.mlw", line 25, characters 30-43) - Abstract RAC: FAILURE (postcondition at "bench/check-ce/lists.mlw", line 25, characters 30-43) - Checked model 1: NC - Concrete RAC: FAILURE (postcondition at "bench/check-ce/lists.mlw", line 25, characters 30-43) - Abstract RAC: FAILURE (postcondition at "bench/check-ce/lists.mlw", line 25, characters 30-43) File "bench/check-ce/lists.mlw", line 25, characters 30-43: Goal g1. Prover result is: Unknown or time/memory/step limit. The program does not comply to the verification goal, for example during the following execution: File int.mlw: Line 13: Constant zero initialization zero = 0 Line 14: Constant one initialization one = 1 File lists.mlw: Line 25: l = Nil1 l = Nil1 Execution of main function `g1'goal` with env: l = Nil1 zero = 0 one = 1 Unknown location: Normal execution of function `Tuple0` with args: File lists.mlw: Line 25: Property failure at postcondition of `g1'goal2` with: l = Nil1 Categorizations of models: - Selected model 0: BAD_CE - Concrete RAC: NORMAL - Abstract RAC: NORMAL - Checked model 1: BAD_CE - Concrete RAC: NORMAL - Abstract RAC: NORMAL File "bench/check-ce/lists.mlw", line 27, characters 30-43: Goal g2. Prover result is: Unknown or time/memory/step limit. Sorry, we don't have a good counterexample for you :( why3-1.6.0/bench/check-ce/oracles/logic_constant_CVC4,1.8_SP.oracle000066400000000000000000000021271440160026300244400ustar00rootroot00000000000000Categorizations of models: - Selected model 0: NC - Concrete RAC: FAILURE (assertion at "bench/check-ce/logic_constant.mlw", line 9, characters 11-17) - Abstract RAC: FAILURE (assertion at "bench/check-ce/logic_constant.mlw", line 9, characters 11-17) - Checked model 1: NC - Concrete RAC: FAILURE (assertion at "bench/check-ce/logic_constant.mlw", line 9, characters 11-17) - Abstract RAC: FAILURE (assertion at "bench/check-ce/logic_constant.mlw", line 9, characters 11-17) File "bench/check-ce/logic_constant.mlw", line 9, characters 11-17: Sub-goal Assertion of goal main'vc. Prover result is: Unknown (sat). The program does not comply to the verification goal, for example during the following execution: File int.mlw: Line 13: Constant zero initialization zero = 0 Line 14: Constant one initialization one = 1 File logic_constant.mlw: Line 4: c = 0 Line 6: y = 0 y = 0 Execution of main function `main` with env: c = 0 y = 0 zero = 0 one = 1 Line 9: Property failure at assertion with: y = 0 why3-1.6.0/bench/check-ce/oracles/logic_constant_CVC4,1.8_WP.oracle000066400000000000000000000021271440160026300244440ustar00rootroot00000000000000Categorizations of models: - Selected model 0: NC - Concrete RAC: FAILURE (assertion at "bench/check-ce/logic_constant.mlw", line 9, characters 11-17) - Abstract RAC: FAILURE (assertion at "bench/check-ce/logic_constant.mlw", line 9, characters 11-17) - Checked model 1: NC - Concrete RAC: FAILURE (assertion at "bench/check-ce/logic_constant.mlw", line 9, characters 11-17) - Abstract RAC: FAILURE (assertion at "bench/check-ce/logic_constant.mlw", line 9, characters 11-17) File "bench/check-ce/logic_constant.mlw", line 9, characters 11-17: Sub-goal Assertion of goal main'vc. Prover result is: Unknown (sat). The program does not comply to the verification goal, for example during the following execution: File int.mlw: Line 13: Constant zero initialization zero = 0 Line 14: Constant one initialization one = 1 File logic_constant.mlw: Line 4: c = 0 Line 6: y = 0 y = 0 Execution of main function `main` with env: c = 0 y = 0 zero = 0 one = 1 Line 9: Property failure at assertion with: y = 0 why3-1.6.0/bench/check-ce/oracles/logic_constant_CVC5,1.0.0_SP.oracle000066400000000000000000000021271440160026300245670ustar00rootroot00000000000000Categorizations of models: - Selected model 0: NC - Concrete RAC: FAILURE (assertion at "bench/check-ce/logic_constant.mlw", line 9, characters 11-17) - Abstract RAC: FAILURE (assertion at "bench/check-ce/logic_constant.mlw", line 9, characters 11-17) - Checked model 1: NC - Concrete RAC: FAILURE (assertion at "bench/check-ce/logic_constant.mlw", line 9, characters 11-17) - Abstract RAC: FAILURE (assertion at "bench/check-ce/logic_constant.mlw", line 9, characters 11-17) File "bench/check-ce/logic_constant.mlw", line 9, characters 11-17: Sub-goal Assertion of goal main'vc. Prover result is: Unknown (sat). The program does not comply to the verification goal, for example during the following execution: File int.mlw: Line 13: Constant zero initialization zero = 0 Line 14: Constant one initialization one = 1 File logic_constant.mlw: Line 4: c = 0 Line 6: y = 0 y = 0 Execution of main function `main` with env: c = 0 y = 0 zero = 0 one = 1 Line 9: Property failure at assertion with: y = 0 why3-1.6.0/bench/check-ce/oracles/logic_constant_CVC5,1.0.0_WP.oracle000066400000000000000000000021271440160026300245730ustar00rootroot00000000000000Categorizations of models: - Selected model 0: NC - Concrete RAC: FAILURE (assertion at "bench/check-ce/logic_constant.mlw", line 9, characters 11-17) - Abstract RAC: FAILURE (assertion at "bench/check-ce/logic_constant.mlw", line 9, characters 11-17) - Checked model 1: NC - Concrete RAC: FAILURE (assertion at "bench/check-ce/logic_constant.mlw", line 9, characters 11-17) - Abstract RAC: FAILURE (assertion at "bench/check-ce/logic_constant.mlw", line 9, characters 11-17) File "bench/check-ce/logic_constant.mlw", line 9, characters 11-17: Sub-goal Assertion of goal main'vc. Prover result is: Unknown (sat). The program does not comply to the verification goal, for example during the following execution: File int.mlw: Line 13: Constant zero initialization zero = 0 Line 14: Constant one initialization one = 1 File logic_constant.mlw: Line 4: c = 0 Line 6: y = 0 y = 0 Execution of main function `main` with env: c = 0 y = 0 zero = 0 one = 1 Line 9: Property failure at assertion with: y = 0 why3-1.6.0/bench/check-ce/oracles/logic_constant_Z3,4.8.10_SP.oracle000066400000000000000000000021271440160026300244570ustar00rootroot00000000000000Categorizations of models: - Selected model 0: NC - Concrete RAC: FAILURE (assertion at "bench/check-ce/logic_constant.mlw", line 9, characters 11-17) - Abstract RAC: FAILURE (assertion at "bench/check-ce/logic_constant.mlw", line 9, characters 11-17) - Checked model 1: NC - Concrete RAC: FAILURE (assertion at "bench/check-ce/logic_constant.mlw", line 9, characters 11-17) - Abstract RAC: FAILURE (assertion at "bench/check-ce/logic_constant.mlw", line 9, characters 11-17) File "bench/check-ce/logic_constant.mlw", line 9, characters 11-17: Sub-goal Assertion of goal main'vc. Prover result is: Unknown (sat). The program does not comply to the verification goal, for example during the following execution: File int.mlw: Line 13: Constant zero initialization zero = 0 Line 14: Constant one initialization one = 1 File logic_constant.mlw: Line 4: c = 0 Line 6: y = 0 y = 0 Execution of main function `main` with env: c = 0 y = 0 zero = 0 one = 1 Line 9: Property failure at assertion with: y = 0 why3-1.6.0/bench/check-ce/oracles/logic_constant_Z3,4.8.10_WP.oracle000066400000000000000000000021271440160026300244630ustar00rootroot00000000000000Categorizations of models: - Selected model 0: NC - Concrete RAC: FAILURE (assertion at "bench/check-ce/logic_constant.mlw", line 9, characters 11-17) - Abstract RAC: FAILURE (assertion at "bench/check-ce/logic_constant.mlw", line 9, characters 11-17) - Checked model 1: NC - Concrete RAC: FAILURE (assertion at "bench/check-ce/logic_constant.mlw", line 9, characters 11-17) - Abstract RAC: FAILURE (assertion at "bench/check-ce/logic_constant.mlw", line 9, characters 11-17) File "bench/check-ce/logic_constant.mlw", line 9, characters 11-17: Sub-goal Assertion of goal main'vc. Prover result is: Unknown (sat). The program does not comply to the verification goal, for example during the following execution: File int.mlw: Line 13: Constant zero initialization zero = 0 Line 14: Constant one initialization one = 1 File logic_constant.mlw: Line 4: c = 0 Line 6: y = 0 y = 0 Execution of main function `main` with env: c = 0 y = 0 zero = 0 one = 1 Line 9: Property failure at assertion with: y = 0 why3-1.6.0/bench/check-ce/oracles/logic_function_CVC4,1.8_SP.oracle000066400000000000000000000115501440160026300244340ustar00rootroot00000000000000Categorizations of models: - Selected model 0: NC - Concrete RAC: FAILURE (assertion at "bench/check-ce/logic_function.mlw", line 8, characters 11-20) - Abstract RAC: FAILURE (assertion at "bench/check-ce/logic_function.mlw", line 8, characters 11-20) - Checked model 1: NC - Concrete RAC: FAILURE (assertion at "bench/check-ce/logic_function.mlw", line 8, characters 11-20) - Abstract RAC: FAILURE (assertion at "bench/check-ce/logic_function.mlw", line 8, characters 11-20) File "bench/check-ce/logic_function.mlw", line 8, characters 11-20: Sub-goal Assertion of goal main_g'vc. Prover result is: Unknown (sat). The program does not comply to the verification goal, for example during the following execution: File int.mlw: Line 13: Constant zero initialization zero = 0 Line 14: Constant one initialization one = 1 File logic_function.mlw: Line 4: g = fun (bOUND_VARIABLE_324:int) -> 42 Line 6: y = 0 y = 0 Execution of main function `main_g` with env: g = fun (bOUND_VARIABLE_324:int) -> 42 y = 0 zero = 0 one = 1 Line 8: Property failure at assertion with: y = 0 Categorizations of models: - Selected model 0: NC - Concrete RAC: FAILURE (assertion at "bench/check-ce/logic_function.mlw", line 14, characters 11-24) - Abstract RAC: FAILURE (assertion at "bench/check-ce/logic_function.mlw", line 14, characters 11-24) - Checked model 1: NC - Concrete RAC: FAILURE (assertion at "bench/check-ce/logic_function.mlw", line 14, characters 11-24) - Abstract RAC: FAILURE (assertion at "bench/check-ce/logic_function.mlw", line 14, characters 11-24) File "bench/check-ce/logic_function.mlw", line 14, characters 11-24: Sub-goal Assertion of goal main_h'vc. Prover result is: Unknown (sat). The program does not comply to the verification goal, for example during the following execution: File int.mlw: Line 13: Constant zero initialization zero = 0 Line 14: Constant one initialization one = 1 File logic_function.mlw: Line 10: h = fun (bOUND_VARIABLE_343:int) (bOUND_VARIABLE_344:bool) -> 42 Line 12: y1 = 0 y2 = false y1 = 0 y2 = false Execution of main function `main_h` with env: h = fun (bOUND_VARIABLE_343:int) (bOUND_VARIABLE_344:bool) -> 42 y1 = 0 y2 = false zero = 0 one = 1 Line 14: Property failure at assertion with: y1 = 0 y2 = false Categorizations of models: - Selected model 0: NC - Concrete RAC: FAILURE (assertion at "bench/check-ce/logic_function.mlw", line 21, characters 11-19) - Abstract RAC: FAILURE (assertion at "bench/check-ce/logic_function.mlw", line 21, characters 11-19) - Checked model 1: NC - Concrete RAC: FAILURE (assertion at "bench/check-ce/logic_function.mlw", line 21, characters 11-19) - Abstract RAC: FAILURE (assertion at "bench/check-ce/logic_function.mlw", line 21, characters 11-19) File "bench/check-ce/logic_function.mlw", line 21, characters 11-19: Sub-goal Assertion of goal main_f'vc. Prover result is: Unknown (sat). The program does not comply to the verification goal, for example during the following execution: File int.mlw: Line 13: Constant zero initialization zero = 0 Line 14: Constant one initialization one = 1 File logic_function.mlw: Line 16: f = fun (bOUND_VARIABLE_321:int) -> 0 Line 18: y = 0 y = 0 Execution of main function `main_f` with env: f = fun (bOUND_VARIABLE_321:int) -> 0 y = 0 zero = 0 one = 1 Line 21: Property failure at assertion with: y = 0 Categorizations of models: - Selected model 0: NC - Concrete RAC: FAILURE (assertion at "bench/check-ce/logic_function.mlw", line 22, characters 11-19) - Abstract RAC: FAILURE (assertion at "bench/check-ce/logic_function.mlw", line 22, characters 11-19) - Checked model 1: NC - Concrete RAC: FAILURE (assertion at "bench/check-ce/logic_function.mlw", line 22, characters 11-19) - Abstract RAC: FAILURE (assertion at "bench/check-ce/logic_function.mlw", line 22, characters 11-19) File "bench/check-ce/logic_function.mlw", line 22, characters 11-19: Sub-goal Assertion of goal main_f'vc. Prover result is: Unknown (sat). The program does not comply to the verification goal, for example during the following execution: File int.mlw: Line 13: Constant zero initialization zero = 0 Line 14: Constant one initialization one = 1 File logic_function.mlw: Line 16: f = fun (bOUND_VARIABLE_350:int) -> if bOUND_VARIABLE_350 = 1 then 0 else (- 1) Line 18: y = 0 y = 0 Execution of main function `main_f` with env: f = fun (bOUND_VARIABLE_350:int) -> if bOUND_VARIABLE_350 = 1 then 0 else (- 1) y = 0 zero = 0 one = 1 Line 22: Property failure at assertion with: y = 0 why3-1.6.0/bench/check-ce/oracles/logic_function_CVC4,1.8_WP.oracle000066400000000000000000000115501440160026300244400ustar00rootroot00000000000000Categorizations of models: - Selected model 0: NC - Concrete RAC: FAILURE (assertion at "bench/check-ce/logic_function.mlw", line 8, characters 11-20) - Abstract RAC: FAILURE (assertion at "bench/check-ce/logic_function.mlw", line 8, characters 11-20) - Checked model 1: NC - Concrete RAC: FAILURE (assertion at "bench/check-ce/logic_function.mlw", line 8, characters 11-20) - Abstract RAC: FAILURE (assertion at "bench/check-ce/logic_function.mlw", line 8, characters 11-20) File "bench/check-ce/logic_function.mlw", line 8, characters 11-20: Sub-goal Assertion of goal main_g'vc. Prover result is: Unknown (sat). The program does not comply to the verification goal, for example during the following execution: File int.mlw: Line 13: Constant zero initialization zero = 0 Line 14: Constant one initialization one = 1 File logic_function.mlw: Line 4: g = fun (bOUND_VARIABLE_324:int) -> 42 Line 6: y = 0 y = 0 Execution of main function `main_g` with env: g = fun (bOUND_VARIABLE_324:int) -> 42 y = 0 zero = 0 one = 1 Line 8: Property failure at assertion with: y = 0 Categorizations of models: - Selected model 0: NC - Concrete RAC: FAILURE (assertion at "bench/check-ce/logic_function.mlw", line 14, characters 11-24) - Abstract RAC: FAILURE (assertion at "bench/check-ce/logic_function.mlw", line 14, characters 11-24) - Checked model 1: NC - Concrete RAC: FAILURE (assertion at "bench/check-ce/logic_function.mlw", line 14, characters 11-24) - Abstract RAC: FAILURE (assertion at "bench/check-ce/logic_function.mlw", line 14, characters 11-24) File "bench/check-ce/logic_function.mlw", line 14, characters 11-24: Sub-goal Assertion of goal main_h'vc. Prover result is: Unknown (sat). The program does not comply to the verification goal, for example during the following execution: File int.mlw: Line 13: Constant zero initialization zero = 0 Line 14: Constant one initialization one = 1 File logic_function.mlw: Line 10: h = fun (bOUND_VARIABLE_343:int) (bOUND_VARIABLE_344:bool) -> 42 Line 12: y1 = 0 y2 = false y1 = 0 y2 = false Execution of main function `main_h` with env: h = fun (bOUND_VARIABLE_343:int) (bOUND_VARIABLE_344:bool) -> 42 y1 = 0 y2 = false zero = 0 one = 1 Line 14: Property failure at assertion with: y1 = 0 y2 = false Categorizations of models: - Selected model 0: NC - Concrete RAC: FAILURE (assertion at "bench/check-ce/logic_function.mlw", line 21, characters 11-19) - Abstract RAC: FAILURE (assertion at "bench/check-ce/logic_function.mlw", line 21, characters 11-19) - Checked model 1: NC - Concrete RAC: FAILURE (assertion at "bench/check-ce/logic_function.mlw", line 21, characters 11-19) - Abstract RAC: FAILURE (assertion at "bench/check-ce/logic_function.mlw", line 21, characters 11-19) File "bench/check-ce/logic_function.mlw", line 21, characters 11-19: Sub-goal Assertion of goal main_f'vc. Prover result is: Unknown (sat). The program does not comply to the verification goal, for example during the following execution: File int.mlw: Line 13: Constant zero initialization zero = 0 Line 14: Constant one initialization one = 1 File logic_function.mlw: Line 16: f = fun (bOUND_VARIABLE_321:int) -> 0 Line 18: y = 0 y = 0 Execution of main function `main_f` with env: f = fun (bOUND_VARIABLE_321:int) -> 0 y = 0 zero = 0 one = 1 Line 21: Property failure at assertion with: y = 0 Categorizations of models: - Selected model 0: NC - Concrete RAC: FAILURE (assertion at "bench/check-ce/logic_function.mlw", line 22, characters 11-19) - Abstract RAC: FAILURE (assertion at "bench/check-ce/logic_function.mlw", line 22, characters 11-19) - Checked model 1: NC - Concrete RAC: FAILURE (assertion at "bench/check-ce/logic_function.mlw", line 22, characters 11-19) - Abstract RAC: FAILURE (assertion at "bench/check-ce/logic_function.mlw", line 22, characters 11-19) File "bench/check-ce/logic_function.mlw", line 22, characters 11-19: Sub-goal Assertion of goal main_f'vc. Prover result is: Unknown (sat). The program does not comply to the verification goal, for example during the following execution: File int.mlw: Line 13: Constant zero initialization zero = 0 Line 14: Constant one initialization one = 1 File logic_function.mlw: Line 16: f = fun (bOUND_VARIABLE_350:int) -> if bOUND_VARIABLE_350 = 1 then 0 else (- 1) Line 18: y = 0 y = 0 Execution of main function `main_f` with env: f = fun (bOUND_VARIABLE_350:int) -> if bOUND_VARIABLE_350 = 1 then 0 else (- 1) y = 0 zero = 0 one = 1 Line 22: Property failure at assertion with: y = 0 why3-1.6.0/bench/check-ce/oracles/logic_function_CVC5,1.0.0_SP.oracle000066400000000000000000000113001440160026300245540ustar00rootroot00000000000000Categorizations of models: - Selected model 0: NC - Concrete RAC: FAILURE (assertion at "bench/check-ce/logic_function.mlw", line 8, characters 11-20) - Abstract RAC: FAILURE (assertion at "bench/check-ce/logic_function.mlw", line 8, characters 11-20) - Checked model 1: NC - Concrete RAC: FAILURE (assertion at "bench/check-ce/logic_function.mlw", line 8, characters 11-20) - Abstract RAC: FAILURE (assertion at "bench/check-ce/logic_function.mlw", line 8, characters 11-20) File "bench/check-ce/logic_function.mlw", line 8, characters 11-20: Sub-goal Assertion of goal main_g'vc. Prover result is: Unknown (sat). The program does not comply to the verification goal, for example during the following execution: File int.mlw: Line 13: Constant zero initialization zero = 0 Line 14: Constant one initialization one = 1 File logic_function.mlw: Line 4: g = fun (_arg_1:int) -> 42 Line 6: y = 0 y = 0 Execution of main function `main_g` with env: g = fun (_arg_1:int) -> 42 y = 0 zero = 0 one = 1 Line 8: Property failure at assertion with: y = 0 Categorizations of models: - Selected model 0: NC - Concrete RAC: FAILURE (assertion at "bench/check-ce/logic_function.mlw", line 14, characters 11-24) - Abstract RAC: FAILURE (assertion at "bench/check-ce/logic_function.mlw", line 14, characters 11-24) - Checked model 1: NC - Concrete RAC: FAILURE (assertion at "bench/check-ce/logic_function.mlw", line 14, characters 11-24) - Abstract RAC: FAILURE (assertion at "bench/check-ce/logic_function.mlw", line 14, characters 11-24) File "bench/check-ce/logic_function.mlw", line 14, characters 11-24: Sub-goal Assertion of goal main_h'vc. Prover result is: Unknown (sat). The program does not comply to the verification goal, for example during the following execution: File int.mlw: Line 13: Constant zero initialization zero = 0 Line 14: Constant one initialization one = 1 File logic_function.mlw: Line 10: h = fun (_arg_1:int) (_arg_2:bool) -> 42 Line 12: y1 = 0 y2 = true y1 = 0 y2 = true Execution of main function `main_h` with env: h = fun (_arg_1:int) (_arg_2:bool) -> 42 y1 = 0 y2 = true zero = 0 one = 1 Line 14: Property failure at assertion with: y1 = 0 y2 = true Categorizations of models: - Selected model 0: NC - Concrete RAC: FAILURE (assertion at "bench/check-ce/logic_function.mlw", line 21, characters 11-19) - Abstract RAC: FAILURE (assertion at "bench/check-ce/logic_function.mlw", line 21, characters 11-19) - Checked model 1: NC - Concrete RAC: FAILURE (assertion at "bench/check-ce/logic_function.mlw", line 21, characters 11-19) - Abstract RAC: FAILURE (assertion at "bench/check-ce/logic_function.mlw", line 21, characters 11-19) File "bench/check-ce/logic_function.mlw", line 21, characters 11-19: Sub-goal Assertion of goal main_f'vc. Prover result is: Unknown (sat). The program does not comply to the verification goal, for example during the following execution: File int.mlw: Line 13: Constant zero initialization zero = 0 Line 14: Constant one initialization one = 1 File logic_function.mlw: Line 16: f = fun (_arg_1:int) -> 0 Line 18: y = 0 y = 0 Execution of main function `main_f` with env: f = fun (_arg_1:int) -> 0 y = 0 zero = 0 one = 1 Line 21: Property failure at assertion with: y = 0 Categorizations of models: - Selected model 0: NC - Concrete RAC: FAILURE (assertion at "bench/check-ce/logic_function.mlw", line 22, characters 11-19) - Abstract RAC: FAILURE (assertion at "bench/check-ce/logic_function.mlw", line 22, characters 11-19) - Checked model 1: NC - Concrete RAC: FAILURE (assertion at "bench/check-ce/logic_function.mlw", line 22, characters 11-19) - Abstract RAC: FAILURE (assertion at "bench/check-ce/logic_function.mlw", line 22, characters 11-19) File "bench/check-ce/logic_function.mlw", line 22, characters 11-19: Sub-goal Assertion of goal main_f'vc. Prover result is: Unknown (sat). The program does not comply to the verification goal, for example during the following execution: File int.mlw: Line 13: Constant zero initialization zero = 0 Line 14: Constant one initialization one = 1 File logic_function.mlw: Line 16: f = fun (_arg_1:int) -> if _arg_1 = 1 then 0 else (- 1) Line 18: y = 0 y = 0 Execution of main function `main_f` with env: f = fun (_arg_1:int) -> if _arg_1 = 1 then 0 else (- 1) y = 0 zero = 0 one = 1 Line 22: Property failure at assertion with: y = 0 why3-1.6.0/bench/check-ce/oracles/logic_function_CVC5,1.0.0_WP.oracle000066400000000000000000000113001440160026300245600ustar00rootroot00000000000000Categorizations of models: - Selected model 0: NC - Concrete RAC: FAILURE (assertion at "bench/check-ce/logic_function.mlw", line 8, characters 11-20) - Abstract RAC: FAILURE (assertion at "bench/check-ce/logic_function.mlw", line 8, characters 11-20) - Checked model 1: NC - Concrete RAC: FAILURE (assertion at "bench/check-ce/logic_function.mlw", line 8, characters 11-20) - Abstract RAC: FAILURE (assertion at "bench/check-ce/logic_function.mlw", line 8, characters 11-20) File "bench/check-ce/logic_function.mlw", line 8, characters 11-20: Sub-goal Assertion of goal main_g'vc. Prover result is: Unknown (sat). The program does not comply to the verification goal, for example during the following execution: File int.mlw: Line 13: Constant zero initialization zero = 0 Line 14: Constant one initialization one = 1 File logic_function.mlw: Line 4: g = fun (_arg_1:int) -> 42 Line 6: y = 0 y = 0 Execution of main function `main_g` with env: g = fun (_arg_1:int) -> 42 y = 0 zero = 0 one = 1 Line 8: Property failure at assertion with: y = 0 Categorizations of models: - Selected model 0: NC - Concrete RAC: FAILURE (assertion at "bench/check-ce/logic_function.mlw", line 14, characters 11-24) - Abstract RAC: FAILURE (assertion at "bench/check-ce/logic_function.mlw", line 14, characters 11-24) - Checked model 1: NC - Concrete RAC: FAILURE (assertion at "bench/check-ce/logic_function.mlw", line 14, characters 11-24) - Abstract RAC: FAILURE (assertion at "bench/check-ce/logic_function.mlw", line 14, characters 11-24) File "bench/check-ce/logic_function.mlw", line 14, characters 11-24: Sub-goal Assertion of goal main_h'vc. Prover result is: Unknown (sat). The program does not comply to the verification goal, for example during the following execution: File int.mlw: Line 13: Constant zero initialization zero = 0 Line 14: Constant one initialization one = 1 File logic_function.mlw: Line 10: h = fun (_arg_1:int) (_arg_2:bool) -> 42 Line 12: y1 = 0 y2 = true y1 = 0 y2 = true Execution of main function `main_h` with env: h = fun (_arg_1:int) (_arg_2:bool) -> 42 y1 = 0 y2 = true zero = 0 one = 1 Line 14: Property failure at assertion with: y1 = 0 y2 = true Categorizations of models: - Selected model 0: NC - Concrete RAC: FAILURE (assertion at "bench/check-ce/logic_function.mlw", line 21, characters 11-19) - Abstract RAC: FAILURE (assertion at "bench/check-ce/logic_function.mlw", line 21, characters 11-19) - Checked model 1: NC - Concrete RAC: FAILURE (assertion at "bench/check-ce/logic_function.mlw", line 21, characters 11-19) - Abstract RAC: FAILURE (assertion at "bench/check-ce/logic_function.mlw", line 21, characters 11-19) File "bench/check-ce/logic_function.mlw", line 21, characters 11-19: Sub-goal Assertion of goal main_f'vc. Prover result is: Unknown (sat). The program does not comply to the verification goal, for example during the following execution: File int.mlw: Line 13: Constant zero initialization zero = 0 Line 14: Constant one initialization one = 1 File logic_function.mlw: Line 16: f = fun (_arg_1:int) -> 0 Line 18: y = 0 y = 0 Execution of main function `main_f` with env: f = fun (_arg_1:int) -> 0 y = 0 zero = 0 one = 1 Line 21: Property failure at assertion with: y = 0 Categorizations of models: - Selected model 0: NC - Concrete RAC: FAILURE (assertion at "bench/check-ce/logic_function.mlw", line 22, characters 11-19) - Abstract RAC: FAILURE (assertion at "bench/check-ce/logic_function.mlw", line 22, characters 11-19) - Checked model 1: NC - Concrete RAC: FAILURE (assertion at "bench/check-ce/logic_function.mlw", line 22, characters 11-19) - Abstract RAC: FAILURE (assertion at "bench/check-ce/logic_function.mlw", line 22, characters 11-19) File "bench/check-ce/logic_function.mlw", line 22, characters 11-19: Sub-goal Assertion of goal main_f'vc. Prover result is: Unknown (sat). The program does not comply to the verification goal, for example during the following execution: File int.mlw: Line 13: Constant zero initialization zero = 0 Line 14: Constant one initialization one = 1 File logic_function.mlw: Line 16: f = fun (_arg_1:int) -> if _arg_1 = 1 then 0 else (- 1) Line 18: y = 0 y = 0 Execution of main function `main_f` with env: f = fun (_arg_1:int) -> if _arg_1 = 1 then 0 else (- 1) y = 0 zero = 0 one = 1 Line 22: Property failure at assertion with: y = 0 why3-1.6.0/bench/check-ce/oracles/logic_function_Z3,4.8.10_SP.oracle000066400000000000000000000115751440160026300244620ustar00rootroot00000000000000Categorizations of models: - Selected model 0: NC - Concrete RAC: FAILURE (assertion at "bench/check-ce/logic_function.mlw", line 8, characters 11-20) - Abstract RAC: FAILURE (assertion at "bench/check-ce/logic_function.mlw", line 8, characters 11-20) - Checked model 1: NC - Concrete RAC: FAILURE (assertion at "bench/check-ce/logic_function.mlw", line 8, characters 11-20) - Abstract RAC: FAILURE (assertion at "bench/check-ce/logic_function.mlw", line 8, characters 11-20) File "bench/check-ce/logic_function.mlw", line 8, characters 11-20: Sub-goal Assertion of goal main_g'vc. Prover result is: Unknown (sat). The program does not comply to the verification goal, for example during the following execution: File int.mlw: Line 13: Constant zero initialization zero = 0 Line 14: Constant one initialization one = 1 File logic_function.mlw: Line 4: g = fun (x!0:int) -> if x!0 = 2 then 42 else 42 Line 6: y = 2 y = 2 Execution of main function `main_g` with env: g = fun (x!0:int) -> if x!0 = 2 then 42 else 42 y = 2 zero = 0 one = 1 Line 8: Property failure at assertion with: y = 2 Categorizations of models: - Selected model 0: NC - Concrete RAC: FAILURE (assertion at "bench/check-ce/logic_function.mlw", line 14, characters 11-24) - Abstract RAC: FAILURE (assertion at "bench/check-ce/logic_function.mlw", line 14, characters 11-24) - Checked model 1: NC - Concrete RAC: FAILURE (assertion at "bench/check-ce/logic_function.mlw", line 14, characters 11-24) - Abstract RAC: FAILURE (assertion at "bench/check-ce/logic_function.mlw", line 14, characters 11-24) File "bench/check-ce/logic_function.mlw", line 14, characters 11-24: Sub-goal Assertion of goal main_h'vc. Prover result is: Unknown (sat). The program does not comply to the verification goal, for example during the following execution: File int.mlw: Line 13: Constant zero initialization zero = 0 Line 14: Constant one initialization one = 1 File logic_function.mlw: Line 10: h = fun (x!0:int) (x!1:bool) -> if x!0 = 2 /\ x!1 = False then 42 else 42 Line 12: y1 = 2 y2 = false y1 = 2 y2 = false Execution of main function `main_h` with env: h = fun (x!0:int) (x!1:bool) -> if x!0 = 2 /\ x!1 = False then 42 else 42 y1 = 2 y2 = false zero = 0 one = 1 Line 14: Property failure at assertion with: y1 = 2 y2 = false Categorizations of models: - Selected model 0: NC - Concrete RAC: FAILURE (assertion at "bench/check-ce/logic_function.mlw", line 21, characters 11-19) - Abstract RAC: FAILURE (assertion at "bench/check-ce/logic_function.mlw", line 21, characters 11-19) - Checked model 1: NC - Concrete RAC: FAILURE (assertion at "bench/check-ce/logic_function.mlw", line 21, characters 11-19) - Abstract RAC: FAILURE (assertion at "bench/check-ce/logic_function.mlw", line 21, characters 11-19) File "bench/check-ce/logic_function.mlw", line 21, characters 11-19: Sub-goal Assertion of goal main_f'vc. Prover result is: Unknown (sat). The program does not comply to the verification goal, for example during the following execution: File int.mlw: Line 13: Constant zero initialization zero = 0 Line 14: Constant one initialization one = 1 File logic_function.mlw: Line 16: f = fun (x!0:int) -> if x!0 = 0 then 0 else 0 Line 18: y = 0 y = 0 Execution of main function `main_f` with env: f = fun (x!0:int) -> if x!0 = 0 then 0 else 0 y = 0 zero = 0 one = 1 Line 21: Property failure at assertion with: y = 0 Categorizations of models: - Selected model 0: NC - Concrete RAC: FAILURE (assertion at "bench/check-ce/logic_function.mlw", line 22, characters 11-19) - Abstract RAC: FAILURE (assertion at "bench/check-ce/logic_function.mlw", line 22, characters 11-19) - Checked model 1: NC - Concrete RAC: FAILURE (assertion at "bench/check-ce/logic_function.mlw", line 22, characters 11-19) - Abstract RAC: FAILURE (assertion at "bench/check-ce/logic_function.mlw", line 22, characters 11-19) File "bench/check-ce/logic_function.mlw", line 22, characters 11-19: Sub-goal Assertion of goal main_f'vc. Prover result is: Unknown (sat). The program does not comply to the verification goal, for example during the following execution: File int.mlw: Line 13: Constant zero initialization zero = 0 Line 14: Constant one initialization one = 1 File logic_function.mlw: Line 16: f = fun (x!0:int) -> if x!0 = 0 then 2 else if x!0 = 1 then 0 else 2 Line 18: y = 0 y = 0 Execution of main function `main_f` with env: f = fun (x!0:int) -> if x!0 = 0 then 2 else if x!0 = 1 then 0 else 2 y = 0 zero = 0 one = 1 Line 22: Property failure at assertion with: y = 0 why3-1.6.0/bench/check-ce/oracles/logic_function_Z3,4.8.10_WP.oracle000066400000000000000000000115751440160026300244660ustar00rootroot00000000000000Categorizations of models: - Selected model 0: NC - Concrete RAC: FAILURE (assertion at "bench/check-ce/logic_function.mlw", line 8, characters 11-20) - Abstract RAC: FAILURE (assertion at "bench/check-ce/logic_function.mlw", line 8, characters 11-20) - Checked model 1: NC - Concrete RAC: FAILURE (assertion at "bench/check-ce/logic_function.mlw", line 8, characters 11-20) - Abstract RAC: FAILURE (assertion at "bench/check-ce/logic_function.mlw", line 8, characters 11-20) File "bench/check-ce/logic_function.mlw", line 8, characters 11-20: Sub-goal Assertion of goal main_g'vc. Prover result is: Unknown (sat). The program does not comply to the verification goal, for example during the following execution: File int.mlw: Line 13: Constant zero initialization zero = 0 Line 14: Constant one initialization one = 1 File logic_function.mlw: Line 4: g = fun (x!0:int) -> if x!0 = 2 then 42 else 42 Line 6: y = 2 y = 2 Execution of main function `main_g` with env: g = fun (x!0:int) -> if x!0 = 2 then 42 else 42 y = 2 zero = 0 one = 1 Line 8: Property failure at assertion with: y = 2 Categorizations of models: - Selected model 0: NC - Concrete RAC: FAILURE (assertion at "bench/check-ce/logic_function.mlw", line 14, characters 11-24) - Abstract RAC: FAILURE (assertion at "bench/check-ce/logic_function.mlw", line 14, characters 11-24) - Checked model 1: NC - Concrete RAC: FAILURE (assertion at "bench/check-ce/logic_function.mlw", line 14, characters 11-24) - Abstract RAC: FAILURE (assertion at "bench/check-ce/logic_function.mlw", line 14, characters 11-24) File "bench/check-ce/logic_function.mlw", line 14, characters 11-24: Sub-goal Assertion of goal main_h'vc. Prover result is: Unknown (sat). The program does not comply to the verification goal, for example during the following execution: File int.mlw: Line 13: Constant zero initialization zero = 0 Line 14: Constant one initialization one = 1 File logic_function.mlw: Line 10: h = fun (x!0:int) (x!1:bool) -> if x!0 = 2 /\ x!1 = False then 42 else 42 Line 12: y1 = 2 y2 = false y1 = 2 y2 = false Execution of main function `main_h` with env: h = fun (x!0:int) (x!1:bool) -> if x!0 = 2 /\ x!1 = False then 42 else 42 y1 = 2 y2 = false zero = 0 one = 1 Line 14: Property failure at assertion with: y1 = 2 y2 = false Categorizations of models: - Selected model 0: NC - Concrete RAC: FAILURE (assertion at "bench/check-ce/logic_function.mlw", line 21, characters 11-19) - Abstract RAC: FAILURE (assertion at "bench/check-ce/logic_function.mlw", line 21, characters 11-19) - Checked model 1: NC - Concrete RAC: FAILURE (assertion at "bench/check-ce/logic_function.mlw", line 21, characters 11-19) - Abstract RAC: FAILURE (assertion at "bench/check-ce/logic_function.mlw", line 21, characters 11-19) File "bench/check-ce/logic_function.mlw", line 21, characters 11-19: Sub-goal Assertion of goal main_f'vc. Prover result is: Unknown (sat). The program does not comply to the verification goal, for example during the following execution: File int.mlw: Line 13: Constant zero initialization zero = 0 Line 14: Constant one initialization one = 1 File logic_function.mlw: Line 16: f = fun (x!0:int) -> if x!0 = 0 then 0 else 0 Line 18: y = 0 y = 0 Execution of main function `main_f` with env: f = fun (x!0:int) -> if x!0 = 0 then 0 else 0 y = 0 zero = 0 one = 1 Line 21: Property failure at assertion with: y = 0 Categorizations of models: - Selected model 0: NC - Concrete RAC: FAILURE (assertion at "bench/check-ce/logic_function.mlw", line 22, characters 11-19) - Abstract RAC: FAILURE (assertion at "bench/check-ce/logic_function.mlw", line 22, characters 11-19) - Checked model 1: NC - Concrete RAC: FAILURE (assertion at "bench/check-ce/logic_function.mlw", line 22, characters 11-19) - Abstract RAC: FAILURE (assertion at "bench/check-ce/logic_function.mlw", line 22, characters 11-19) File "bench/check-ce/logic_function.mlw", line 22, characters 11-19: Sub-goal Assertion of goal main_f'vc. Prover result is: Unknown (sat). The program does not comply to the verification goal, for example during the following execution: File int.mlw: Line 13: Constant zero initialization zero = 0 Line 14: Constant one initialization one = 1 File logic_function.mlw: Line 16: f = fun (x!0:int) -> if x!0 = 0 then 2 else if x!0 = 1 then 0 else 2 Line 18: y = 0 y = 0 Execution of main function `main_f` with env: f = fun (x!0:int) -> if x!0 = 0 then 2 else if x!0 = 1 then 0 else 2 y = 0 zero = 0 one = 1 Line 22: Property failure at assertion with: y = 0 why3-1.6.0/bench/check-ce/oracles/loop_ce_CVC4,1.8_SP.oracle000066400000000000000000000152131440160026300230520ustar00rootroot00000000000000File "bench/check-ce/loop_ce.mlw", line 16, characters 16-25: Sub-goal Loop invariant init of goal f'vc. Prover result is: Valid. File "bench/check-ce/loop_ce.mlw", line 15, characters 14-20: Sub-goal Loop variant decrease of goal f'vc. Prover result is: Valid. Categorizations of models: - Selected model 0: NC - Concrete RAC: FAILURE (loop invariant preservation at "bench/check-ce/loop_ce.mlw", line 16, characters 16-25) - Abstract RAC: FAILURE (loop invariant preservation at "bench/check-ce/loop_ce.mlw", line 16, characters 16-25) - Checked model 1: NC - Concrete RAC: FAILURE (loop invariant preservation at "bench/check-ce/loop_ce.mlw", line 16, characters 16-25) - Abstract RAC: FAILURE (loop invariant preservation at "bench/check-ce/loop_ce.mlw", line 16, characters 16-25) File "bench/check-ce/loop_ce.mlw", line 16, characters 16-25: Sub-goal Loop invariant preservation of goal f'vc. Prover result is: Unknown or time/memory/step limit. The program does not comply to the verification goal, for example during the following execution: File int.mlw: Line 13: Constant zero initialization zero = 0 Line 14: Constant one initialization one = 1 File loop_ce.mlw: Line 6: Constant a initialization Normal execution of function `ref` with args: contents = 0 Normal execution of function `ref'mk` with args: contents = 0 a = {contents= 0} Line 8: Constant b initialization Normal execution of function `ref` with args: contents = 0 Normal execution of function `ref'mk` with args: contents = 0 b = {contents= 0} Unknown location: _ = () File loop_ce.mlw: Line 10: _ = () Execution of main function `f` with env: a = {contents= 0} b = {contents= 0} _ = () zero = 0 one = 1 Line 14: Normal execution of function `contents` with args: arg = {contents= 2} Normal execution of function `(<)` with args: _ = 2 _ = 10 Normal iteration of loop Line 17: Normal execution of function `contents` with args: arg = {contents= 1} Normal execution of function `contents` with args: arg = {contents= 2} Normal execution of function `(+)` with args: _ = 2 _ = 1 Line 14: Normal execution of function `contents` with args: arg = {contents= 3} Normal execution of function `(<)` with args: _ = 3 _ = 10 Normal iteration of loop Line 17: Normal execution of function `contents` with args: arg = {contents= 1} Normal execution of function `contents` with args: arg = {contents= 3} Normal execution of function `(+)` with args: _ = 3 _ = 1 Line 14: Normal execution of function `contents` with args: arg = {contents= 4} Normal execution of function `(<)` with args: _ = 4 _ = 10 Normal iteration of loop Line 17: Normal execution of function `contents` with args: arg = {contents= 1} Normal execution of function `contents` with args: arg = {contents= 4} Normal execution of function `(+)` with args: _ = 4 _ = 1 Line 14: Normal execution of function `contents` with args: arg = {contents= 5} Normal execution of function `(<)` with args: _ = 5 _ = 10 Normal iteration of loop Line 17: Normal execution of function `contents` with args: arg = {contents= 1} Normal execution of function `contents` with args: arg = {contents= 5} Normal execution of function `(+)` with args: _ = 5 _ = 1 Line 16: Property failure at loop invariant preservation with: a = {contents= 1} b = {contents= 6} Categorizations of models: - Selected model 0: NC - Concrete RAC: FAILURE (assertion at "bench/check-ce/loop_ce.mlw", line 31, characters 11-21) - Abstract RAC: FAILURE (assertion at "bench/check-ce/loop_ce.mlw", line 31, characters 11-21) - Checked model 1: NC - Concrete RAC: FAILURE (assertion at "bench/check-ce/loop_ce.mlw", line 31, characters 11-21) - Abstract RAC: FAILURE (assertion at "bench/check-ce/loop_ce.mlw", line 31, characters 11-21) File "bench/check-ce/loop_ce.mlw", line 31, characters 11-21: Sub-goal Assertion of goal g'vc. Prover result is: Unknown or time/memory/step limit. The program does not comply to the verification goal, for example during the following execution: File int.mlw: Line 13: Constant zero initialization zero = 0 Line 14: Constant one initialization one = 1 File loop_ce.mlw: Line 26: a = {contents= (- 1)} a = {contents= (- 1)} Execution of main function `g` with env: a = {contents= (- 1)} zero = 0 one = 1 Line 30: Normal execution of function `contents` with args: arg = {contents= (- 1)} Normal execution of function `(=)` with args: x = (- 1) y = 10 Unknown location: Normal execution of function `True` with args: File loop_ce.mlw: Line 30: Normal execution of function `contents` with args: arg = {contents= (- 1)} Normal execution of function `(+)` with args: _ = (- 1) _ = 1 Line 31: Property failure at assertion with: a = {contents= 0} a = ref'mk (- 1) Categorizations of models: - Selected model 0: NC - Concrete RAC: FAILURE (postcondition at "bench/check-ce/loop_ce.mlw", line 27, characters 12-25) - Abstract RAC: FAILURE (postcondition at "bench/check-ce/loop_ce.mlw", line 27, characters 12-25) - Checked model 1: NC - Concrete RAC: FAILURE (postcondition at "bench/check-ce/loop_ce.mlw", line 27, characters 12-25) - Abstract RAC: FAILURE (postcondition at "bench/check-ce/loop_ce.mlw", line 27, characters 12-25) File "bench/check-ce/loop_ce.mlw", line 27, characters 12-25: Sub-goal Postcondition of goal g'vc. Prover result is: Unknown or time/memory/step limit. The program does not comply to the verification goal, for example during the following execution: File int.mlw: Line 13: Constant zero initialization zero = 0 Line 14: Constant one initialization one = 1 File loop_ce.mlw: Line 26: a = {contents= 10} a = {contents= 10} Execution of main function `g` with env: a = {contents= 10} zero = 0 one = 1 Line 30: Normal execution of function `contents` with args: arg = {contents= 10} Normal execution of function `(=)` with args: x = 10 y = 10 Unknown location: Normal execution of function `False` with args: File loop_ce.mlw: Line 30: Normal execution of function `Tuple0` with args: Line 27: Property failure at postcondition of `g` with: a = {contents= 10} a = {contents= 10} why3-1.6.0/bench/check-ce/oracles/loop_ce_CVC4,1.8_WP.oracle000066400000000000000000000155411440160026300230620ustar00rootroot00000000000000File "bench/check-ce/loop_ce.mlw", line 16, characters 16-25: Sub-goal Loop invariant init of goal f'vc. Prover result is: Valid. File "bench/check-ce/loop_ce.mlw", line 15, characters 14-20: Sub-goal Loop variant decrease of goal f'vc. Prover result is: Valid. Categorizations of models: - Selected model 0: NC - Concrete RAC: FAILURE (loop invariant preservation at "bench/check-ce/loop_ce.mlw", line 16, characters 16-25) - Abstract RAC: FAILURE (loop invariant preservation at "bench/check-ce/loop_ce.mlw", line 16, characters 16-25) - Checked model 1: NC - Concrete RAC: FAILURE (loop invariant preservation at "bench/check-ce/loop_ce.mlw", line 16, characters 16-25) - Abstract RAC: FAILURE (loop invariant preservation at "bench/check-ce/loop_ce.mlw", line 16, characters 16-25) File "bench/check-ce/loop_ce.mlw", line 16, characters 16-25: Sub-goal Loop invariant preservation of goal f'vc. Prover result is: Unknown or time/memory/step limit. The program does not comply to the verification goal, for example during the following execution: File int.mlw: Line 13: Constant zero initialization zero = 0 Line 14: Constant one initialization one = 1 File loop_ce.mlw: Line 6: Constant a initialization Normal execution of function `ref` with args: contents = 0 Normal execution of function `ref'mk` with args: contents = 0 a = {contents= 0} Line 8: Constant b initialization Normal execution of function `ref` with args: contents = 0 Normal execution of function `ref'mk` with args: contents = 0 b = {contents= 0} Unknown location: _ = () File loop_ce.mlw: Line 10: _ = () Execution of main function `f` with env: a = {contents= 0} b = {contents= 0} _ = () zero = 0 one = 1 Line 14: Normal execution of function `contents` with args: arg = {contents= 2} Normal execution of function `(<)` with args: _ = 2 _ = 10 Normal iteration of loop Line 17: Normal execution of function `contents` with args: arg = {contents= 1} Normal execution of function `contents` with args: arg = {contents= 2} Normal execution of function `(+)` with args: _ = 2 _ = 1 Line 14: Normal execution of function `contents` with args: arg = {contents= 3} Normal execution of function `(<)` with args: _ = 3 _ = 10 Normal iteration of loop Line 17: Normal execution of function `contents` with args: arg = {contents= 1} Normal execution of function `contents` with args: arg = {contents= 3} Normal execution of function `(+)` with args: _ = 3 _ = 1 Line 14: Normal execution of function `contents` with args: arg = {contents= 4} Normal execution of function `(<)` with args: _ = 4 _ = 10 Normal iteration of loop Line 17: Normal execution of function `contents` with args: arg = {contents= 1} Normal execution of function `contents` with args: arg = {contents= 4} Normal execution of function `(+)` with args: _ = 4 _ = 1 Line 14: Normal execution of function `contents` with args: arg = {contents= 5} Normal execution of function `(<)` with args: _ = 5 _ = 10 Normal iteration of loop Line 17: Normal execution of function `contents` with args: arg = {contents= 1} Normal execution of function `contents` with args: arg = {contents= 5} Normal execution of function `(+)` with args: _ = 5 _ = 1 Line 16: Property failure at loop invariant preservation with: a = {contents= 1} b = {contents= 6} Categorizations of models: - Selected model 0: NC - Concrete RAC: FAILURE (assertion at "bench/check-ce/loop_ce.mlw", line 31, characters 11-21) - Abstract RAC: FAILURE (assertion at "bench/check-ce/loop_ce.mlw", line 31, characters 11-21) - Checked model 1: NC - Concrete RAC: FAILURE (assertion at "bench/check-ce/loop_ce.mlw", line 31, characters 11-21) - Abstract RAC: FAILURE (assertion at "bench/check-ce/loop_ce.mlw", line 31, characters 11-21) File "bench/check-ce/loop_ce.mlw", line 31, characters 11-21: Sub-goal Assertion of goal g'vc. Prover result is: Unknown or time/memory/step limit. The program does not comply to the verification goal, for example during the following execution: File int.mlw: Line 13: Constant zero initialization zero = 0 Line 14: Constant one initialization one = 1 File loop_ce.mlw: Line 26: a = {contents= 0} a = {contents= 0} Execution of main function `g` with env: a = {contents= 0} zero = 0 one = 1 Line 30: Normal execution of function `contents` with args: arg = {contents= 0} Normal execution of function `(=)` with args: x = 0 y = 10 Unknown location: Normal execution of function `True` with args: File loop_ce.mlw: Line 30: Normal execution of function `contents` with args: arg = {contents= 0} Normal execution of function `(+)` with args: _ = 0 _ = 1 Line 31: Property failure at assertion with: a = {contents= 1} a = ref'mk 0 File "bench/check-ce/loop_ce.mlw", line 27, characters 12-25: Sub-goal Postcondition of goal g'vc. Prover result is: Valid. File "bench/check-ce/loop_ce.mlw", line 31, characters 11-21: Sub-goal Assertion of goal g'vc. Prover result is: Valid. Categorizations of models: - Selected model 0: NC - Concrete RAC: FAILURE (postcondition at "bench/check-ce/loop_ce.mlw", line 27, characters 12-25) - Abstract RAC: FAILURE (postcondition at "bench/check-ce/loop_ce.mlw", line 27, characters 12-25) - Checked model 1: NC - Concrete RAC: FAILURE (postcondition at "bench/check-ce/loop_ce.mlw", line 27, characters 12-25) - Abstract RAC: FAILURE (postcondition at "bench/check-ce/loop_ce.mlw", line 27, characters 12-25) File "bench/check-ce/loop_ce.mlw", line 27, characters 12-25: Sub-goal Postcondition of goal g'vc. Prover result is: Unknown or time/memory/step limit. The program does not comply to the verification goal, for example during the following execution: File int.mlw: Line 13: Constant zero initialization zero = 0 Line 14: Constant one initialization one = 1 File loop_ce.mlw: Line 26: a = {contents= 10} a = {contents= 10} Execution of main function `g` with env: a = {contents= 10} zero = 0 one = 1 Line 30: Normal execution of function `contents` with args: arg = {contents= 10} Normal execution of function `(=)` with args: x = 10 y = 10 Unknown location: Normal execution of function `False` with args: File loop_ce.mlw: Line 30: Normal execution of function `Tuple0` with args: Line 27: Property failure at postcondition of `g` with: a = {contents= 10} a = {contents= 10} why3-1.6.0/bench/check-ce/oracles/loop_ce_CVC5,1.0.0_SP.oracle000066400000000000000000000152131440160026300232010ustar00rootroot00000000000000File "bench/check-ce/loop_ce.mlw", line 16, characters 16-25: Sub-goal Loop invariant init of goal f'vc. Prover result is: Valid. File "bench/check-ce/loop_ce.mlw", line 15, characters 14-20: Sub-goal Loop variant decrease of goal f'vc. Prover result is: Valid. Categorizations of models: - Selected model 0: NC - Concrete RAC: FAILURE (loop invariant preservation at "bench/check-ce/loop_ce.mlw", line 16, characters 16-25) - Abstract RAC: FAILURE (loop invariant preservation at "bench/check-ce/loop_ce.mlw", line 16, characters 16-25) - Checked model 1: NC - Concrete RAC: FAILURE (loop invariant preservation at "bench/check-ce/loop_ce.mlw", line 16, characters 16-25) - Abstract RAC: FAILURE (loop invariant preservation at "bench/check-ce/loop_ce.mlw", line 16, characters 16-25) File "bench/check-ce/loop_ce.mlw", line 16, characters 16-25: Sub-goal Loop invariant preservation of goal f'vc. Prover result is: Unknown or time/memory/step limit. The program does not comply to the verification goal, for example during the following execution: File int.mlw: Line 13: Constant zero initialization zero = 0 Line 14: Constant one initialization one = 1 File loop_ce.mlw: Line 6: Constant a initialization Normal execution of function `ref` with args: contents = 0 Normal execution of function `ref'mk` with args: contents = 0 a = {contents= 0} Line 8: Constant b initialization Normal execution of function `ref` with args: contents = 0 Normal execution of function `ref'mk` with args: contents = 0 b = {contents= 0} Unknown location: _ = () File loop_ce.mlw: Line 10: _ = () Execution of main function `f` with env: a = {contents= 0} b = {contents= 0} _ = () zero = 0 one = 1 Line 14: Normal execution of function `contents` with args: arg = {contents= 2} Normal execution of function `(<)` with args: _ = 2 _ = 10 Normal iteration of loop Line 17: Normal execution of function `contents` with args: arg = {contents= 1} Normal execution of function `contents` with args: arg = {contents= 2} Normal execution of function `(+)` with args: _ = 2 _ = 1 Line 14: Normal execution of function `contents` with args: arg = {contents= 3} Normal execution of function `(<)` with args: _ = 3 _ = 10 Normal iteration of loop Line 17: Normal execution of function `contents` with args: arg = {contents= 1} Normal execution of function `contents` with args: arg = {contents= 3} Normal execution of function `(+)` with args: _ = 3 _ = 1 Line 14: Normal execution of function `contents` with args: arg = {contents= 4} Normal execution of function `(<)` with args: _ = 4 _ = 10 Normal iteration of loop Line 17: Normal execution of function `contents` with args: arg = {contents= 1} Normal execution of function `contents` with args: arg = {contents= 4} Normal execution of function `(+)` with args: _ = 4 _ = 1 Line 14: Normal execution of function `contents` with args: arg = {contents= 5} Normal execution of function `(<)` with args: _ = 5 _ = 10 Normal iteration of loop Line 17: Normal execution of function `contents` with args: arg = {contents= 1} Normal execution of function `contents` with args: arg = {contents= 5} Normal execution of function `(+)` with args: _ = 5 _ = 1 Line 16: Property failure at loop invariant preservation with: a = {contents= 1} b = {contents= 6} Categorizations of models: - Selected model 0: NC - Concrete RAC: FAILURE (assertion at "bench/check-ce/loop_ce.mlw", line 31, characters 11-21) - Abstract RAC: FAILURE (assertion at "bench/check-ce/loop_ce.mlw", line 31, characters 11-21) - Checked model 1: NC - Concrete RAC: FAILURE (assertion at "bench/check-ce/loop_ce.mlw", line 31, characters 11-21) - Abstract RAC: FAILURE (assertion at "bench/check-ce/loop_ce.mlw", line 31, characters 11-21) File "bench/check-ce/loop_ce.mlw", line 31, characters 11-21: Sub-goal Assertion of goal g'vc. Prover result is: Unknown or time/memory/step limit. The program does not comply to the verification goal, for example during the following execution: File int.mlw: Line 13: Constant zero initialization zero = 0 Line 14: Constant one initialization one = 1 File loop_ce.mlw: Line 26: a = {contents= (- 1)} a = {contents= (- 1)} Execution of main function `g` with env: a = {contents= (- 1)} zero = 0 one = 1 Line 30: Normal execution of function `contents` with args: arg = {contents= (- 1)} Normal execution of function `(=)` with args: x = (- 1) y = 10 Unknown location: Normal execution of function `True` with args: File loop_ce.mlw: Line 30: Normal execution of function `contents` with args: arg = {contents= (- 1)} Normal execution of function `(+)` with args: _ = (- 1) _ = 1 Line 31: Property failure at assertion with: a = {contents= 0} a = ref'mk (- 1) Categorizations of models: - Selected model 0: NC - Concrete RAC: FAILURE (postcondition at "bench/check-ce/loop_ce.mlw", line 27, characters 12-25) - Abstract RAC: FAILURE (postcondition at "bench/check-ce/loop_ce.mlw", line 27, characters 12-25) - Checked model 1: NC - Concrete RAC: FAILURE (postcondition at "bench/check-ce/loop_ce.mlw", line 27, characters 12-25) - Abstract RAC: FAILURE (postcondition at "bench/check-ce/loop_ce.mlw", line 27, characters 12-25) File "bench/check-ce/loop_ce.mlw", line 27, characters 12-25: Sub-goal Postcondition of goal g'vc. Prover result is: Unknown or time/memory/step limit. The program does not comply to the verification goal, for example during the following execution: File int.mlw: Line 13: Constant zero initialization zero = 0 Line 14: Constant one initialization one = 1 File loop_ce.mlw: Line 26: a = {contents= 10} a = {contents= 10} Execution of main function `g` with env: a = {contents= 10} zero = 0 one = 1 Line 30: Normal execution of function `contents` with args: arg = {contents= 10} Normal execution of function `(=)` with args: x = 10 y = 10 Unknown location: Normal execution of function `False` with args: File loop_ce.mlw: Line 30: Normal execution of function `Tuple0` with args: Line 27: Property failure at postcondition of `g` with: a = {contents= 10} a = {contents= 10} why3-1.6.0/bench/check-ce/oracles/loop_ce_CVC5,1.0.0_WP.oracle000066400000000000000000000155411440160026300232110ustar00rootroot00000000000000File "bench/check-ce/loop_ce.mlw", line 16, characters 16-25: Sub-goal Loop invariant init of goal f'vc. Prover result is: Valid. File "bench/check-ce/loop_ce.mlw", line 15, characters 14-20: Sub-goal Loop variant decrease of goal f'vc. Prover result is: Valid. Categorizations of models: - Selected model 0: NC - Concrete RAC: FAILURE (loop invariant preservation at "bench/check-ce/loop_ce.mlw", line 16, characters 16-25) - Abstract RAC: FAILURE (loop invariant preservation at "bench/check-ce/loop_ce.mlw", line 16, characters 16-25) - Checked model 1: NC - Concrete RAC: FAILURE (loop invariant preservation at "bench/check-ce/loop_ce.mlw", line 16, characters 16-25) - Abstract RAC: FAILURE (loop invariant preservation at "bench/check-ce/loop_ce.mlw", line 16, characters 16-25) File "bench/check-ce/loop_ce.mlw", line 16, characters 16-25: Sub-goal Loop invariant preservation of goal f'vc. Prover result is: Unknown or time/memory/step limit. The program does not comply to the verification goal, for example during the following execution: File int.mlw: Line 13: Constant zero initialization zero = 0 Line 14: Constant one initialization one = 1 File loop_ce.mlw: Line 6: Constant a initialization Normal execution of function `ref` with args: contents = 0 Normal execution of function `ref'mk` with args: contents = 0 a = {contents= 0} Line 8: Constant b initialization Normal execution of function `ref` with args: contents = 0 Normal execution of function `ref'mk` with args: contents = 0 b = {contents= 0} Unknown location: _ = () File loop_ce.mlw: Line 10: _ = () Execution of main function `f` with env: a = {contents= 0} b = {contents= 0} _ = () zero = 0 one = 1 Line 14: Normal execution of function `contents` with args: arg = {contents= 2} Normal execution of function `(<)` with args: _ = 2 _ = 10 Normal iteration of loop Line 17: Normal execution of function `contents` with args: arg = {contents= 1} Normal execution of function `contents` with args: arg = {contents= 2} Normal execution of function `(+)` with args: _ = 2 _ = 1 Line 14: Normal execution of function `contents` with args: arg = {contents= 3} Normal execution of function `(<)` with args: _ = 3 _ = 10 Normal iteration of loop Line 17: Normal execution of function `contents` with args: arg = {contents= 1} Normal execution of function `contents` with args: arg = {contents= 3} Normal execution of function `(+)` with args: _ = 3 _ = 1 Line 14: Normal execution of function `contents` with args: arg = {contents= 4} Normal execution of function `(<)` with args: _ = 4 _ = 10 Normal iteration of loop Line 17: Normal execution of function `contents` with args: arg = {contents= 1} Normal execution of function `contents` with args: arg = {contents= 4} Normal execution of function `(+)` with args: _ = 4 _ = 1 Line 14: Normal execution of function `contents` with args: arg = {contents= 5} Normal execution of function `(<)` with args: _ = 5 _ = 10 Normal iteration of loop Line 17: Normal execution of function `contents` with args: arg = {contents= 1} Normal execution of function `contents` with args: arg = {contents= 5} Normal execution of function `(+)` with args: _ = 5 _ = 1 Line 16: Property failure at loop invariant preservation with: a = {contents= 1} b = {contents= 6} Categorizations of models: - Selected model 0: NC - Concrete RAC: FAILURE (assertion at "bench/check-ce/loop_ce.mlw", line 31, characters 11-21) - Abstract RAC: FAILURE (assertion at "bench/check-ce/loop_ce.mlw", line 31, characters 11-21) - Checked model 1: NC - Concrete RAC: FAILURE (assertion at "bench/check-ce/loop_ce.mlw", line 31, characters 11-21) - Abstract RAC: FAILURE (assertion at "bench/check-ce/loop_ce.mlw", line 31, characters 11-21) File "bench/check-ce/loop_ce.mlw", line 31, characters 11-21: Sub-goal Assertion of goal g'vc. Prover result is: Unknown or time/memory/step limit. The program does not comply to the verification goal, for example during the following execution: File int.mlw: Line 13: Constant zero initialization zero = 0 Line 14: Constant one initialization one = 1 File loop_ce.mlw: Line 26: a = {contents= 0} a = {contents= 0} Execution of main function `g` with env: a = {contents= 0} zero = 0 one = 1 Line 30: Normal execution of function `contents` with args: arg = {contents= 0} Normal execution of function `(=)` with args: x = 0 y = 10 Unknown location: Normal execution of function `True` with args: File loop_ce.mlw: Line 30: Normal execution of function `contents` with args: arg = {contents= 0} Normal execution of function `(+)` with args: _ = 0 _ = 1 Line 31: Property failure at assertion with: a = {contents= 1} a = ref'mk 0 File "bench/check-ce/loop_ce.mlw", line 27, characters 12-25: Sub-goal Postcondition of goal g'vc. Prover result is: Valid. File "bench/check-ce/loop_ce.mlw", line 31, characters 11-21: Sub-goal Assertion of goal g'vc. Prover result is: Valid. Categorizations of models: - Selected model 0: NC - Concrete RAC: FAILURE (postcondition at "bench/check-ce/loop_ce.mlw", line 27, characters 12-25) - Abstract RAC: FAILURE (postcondition at "bench/check-ce/loop_ce.mlw", line 27, characters 12-25) - Checked model 1: NC - Concrete RAC: FAILURE (postcondition at "bench/check-ce/loop_ce.mlw", line 27, characters 12-25) - Abstract RAC: FAILURE (postcondition at "bench/check-ce/loop_ce.mlw", line 27, characters 12-25) File "bench/check-ce/loop_ce.mlw", line 27, characters 12-25: Sub-goal Postcondition of goal g'vc. Prover result is: Unknown or time/memory/step limit. The program does not comply to the verification goal, for example during the following execution: File int.mlw: Line 13: Constant zero initialization zero = 0 Line 14: Constant one initialization one = 1 File loop_ce.mlw: Line 26: a = {contents= 10} a = {contents= 10} Execution of main function `g` with env: a = {contents= 10} zero = 0 one = 1 Line 30: Normal execution of function `contents` with args: arg = {contents= 10} Normal execution of function `(=)` with args: x = 10 y = 10 Unknown location: Normal execution of function `False` with args: File loop_ce.mlw: Line 30: Normal execution of function `Tuple0` with args: Line 27: Property failure at postcondition of `g` with: a = {contents= 10} a = {contents= 10} why3-1.6.0/bench/check-ce/oracles/loop_ce_Z3,4.8.10_SP.oracle000066400000000000000000000152461440160026300230770ustar00rootroot00000000000000File "bench/check-ce/loop_ce.mlw", line 16, characters 16-25: Sub-goal Loop invariant init of goal f'vc. Prover result is: Valid. File "bench/check-ce/loop_ce.mlw", line 15, characters 14-20: Sub-goal Loop variant decrease of goal f'vc. Prover result is: Valid. Categorizations of models: - Selected model 0: NC - Concrete RAC: FAILURE (loop invariant preservation at "bench/check-ce/loop_ce.mlw", line 16, characters 16-25) - Abstract RAC: FAILURE (loop invariant preservation at "bench/check-ce/loop_ce.mlw", line 16, characters 16-25) - Checked model 1: NC - Concrete RAC: FAILURE (loop invariant preservation at "bench/check-ce/loop_ce.mlw", line 16, characters 16-25) - Abstract RAC: STUCK (when reaching the end of a loop iteration at "bench/check-ce/loop_ce.mlw", line 14, character 2 to line 18, character 6) File "bench/check-ce/loop_ce.mlw", line 16, characters 16-25: Sub-goal Loop invariant preservation of goal f'vc. Prover result is: Unknown or time/memory/step limit. The program does not comply to the verification goal, for example during the following execution: File int.mlw: Line 13: Constant zero initialization zero = 0 Line 14: Constant one initialization one = 1 File loop_ce.mlw: Line 6: Constant a initialization Normal execution of function `ref` with args: contents = 0 Normal execution of function `ref'mk` with args: contents = 0 a = {contents= 0} Line 8: Constant b initialization Normal execution of function `ref` with args: contents = 0 Normal execution of function `ref'mk` with args: contents = 0 b = {contents= 0} Unknown location: _ = () File loop_ce.mlw: Line 10: _ = () Execution of main function `f` with env: a = {contents= 0} b = {contents= 0} _ = () zero = 0 one = 1 Line 14: Normal execution of function `contents` with args: arg = {contents= 2} Normal execution of function `(<)` with args: _ = 2 _ = 10 Normal iteration of loop Line 17: Normal execution of function `contents` with args: arg = {contents= 1} Normal execution of function `contents` with args: arg = {contents= 2} Normal execution of function `(+)` with args: _ = 2 _ = 1 Line 14: Normal execution of function `contents` with args: arg = {contents= 3} Normal execution of function `(<)` with args: _ = 3 _ = 10 Normal iteration of loop Line 17: Normal execution of function `contents` with args: arg = {contents= 1} Normal execution of function `contents` with args: arg = {contents= 3} Normal execution of function `(+)` with args: _ = 3 _ = 1 Line 14: Normal execution of function `contents` with args: arg = {contents= 4} Normal execution of function `(<)` with args: _ = 4 _ = 10 Normal iteration of loop Line 17: Normal execution of function `contents` with args: arg = {contents= 1} Normal execution of function `contents` with args: arg = {contents= 4} Normal execution of function `(+)` with args: _ = 4 _ = 1 Line 14: Normal execution of function `contents` with args: arg = {contents= 5} Normal execution of function `(<)` with args: _ = 5 _ = 10 Normal iteration of loop Line 17: Normal execution of function `contents` with args: arg = {contents= 1} Normal execution of function `contents` with args: arg = {contents= 5} Normal execution of function `(+)` with args: _ = 5 _ = 1 Line 16: Property failure at loop invariant preservation with: a = {contents= 1} b = {contents= 6} Categorizations of models: - Selected model 0: NC - Concrete RAC: FAILURE (assertion at "bench/check-ce/loop_ce.mlw", line 31, characters 11-21) - Abstract RAC: FAILURE (assertion at "bench/check-ce/loop_ce.mlw", line 31, characters 11-21) - Checked model 1: NC - Concrete RAC: FAILURE (assertion at "bench/check-ce/loop_ce.mlw", line 31, characters 11-21) - Abstract RAC: FAILURE (assertion at "bench/check-ce/loop_ce.mlw", line 31, characters 11-21) File "bench/check-ce/loop_ce.mlw", line 31, characters 11-21: Sub-goal Assertion of goal g'vc. Prover result is: Unknown or time/memory/step limit. The program does not comply to the verification goal, for example during the following execution: File int.mlw: Line 13: Constant zero initialization zero = 0 Line 14: Constant one initialization one = 1 File loop_ce.mlw: Line 26: a = {contents= (- 1)} a = {contents= (- 1)} Execution of main function `g` with env: a = {contents= (- 1)} zero = 0 one = 1 Line 30: Normal execution of function `contents` with args: arg = {contents= (- 1)} Normal execution of function `(=)` with args: x = (- 1) y = 10 Unknown location: Normal execution of function `True` with args: File loop_ce.mlw: Line 30: Normal execution of function `contents` with args: arg = {contents= (- 1)} Normal execution of function `(+)` with args: _ = (- 1) _ = 1 Line 31: Property failure at assertion with: a = {contents= 0} a = ref'mk (- 1) Categorizations of models: - Selected model 0: NC - Concrete RAC: FAILURE (postcondition at "bench/check-ce/loop_ce.mlw", line 27, characters 12-25) - Abstract RAC: FAILURE (postcondition at "bench/check-ce/loop_ce.mlw", line 27, characters 12-25) - Checked model 1: BAD_CE - Concrete RAC: FAILURE (assertion at "bench/check-ce/loop_ce.mlw", line 31, characters 11-21) - Abstract RAC: FAILURE (assertion at "bench/check-ce/loop_ce.mlw", line 31, characters 11-21) File "bench/check-ce/loop_ce.mlw", line 27, characters 12-25: Sub-goal Postcondition of goal g'vc. Prover result is: Unknown or time/memory/step limit. The program does not comply to the verification goal, for example during the following execution: File int.mlw: Line 13: Constant zero initialization zero = 0 Line 14: Constant one initialization one = 1 File loop_ce.mlw: Line 26: a = {contents= 10} a = {contents= 10} Execution of main function `g` with env: a = {contents= 10} zero = 0 one = 1 Line 30: Normal execution of function `contents` with args: arg = {contents= 10} Normal execution of function `(=)` with args: x = 10 y = 10 Unknown location: Normal execution of function `False` with args: File loop_ce.mlw: Line 30: Normal execution of function `Tuple0` with args: Line 27: Property failure at postcondition of `g` with: a = {contents= 10} a = {contents= 10} why3-1.6.0/bench/check-ce/oracles/loop_ce_Z3,4.8.10_WP.oracle000066400000000000000000000155741440160026300231070ustar00rootroot00000000000000File "bench/check-ce/loop_ce.mlw", line 16, characters 16-25: Sub-goal Loop invariant init of goal f'vc. Prover result is: Valid. File "bench/check-ce/loop_ce.mlw", line 15, characters 14-20: Sub-goal Loop variant decrease of goal f'vc. Prover result is: Valid. Categorizations of models: - Selected model 0: NC - Concrete RAC: FAILURE (loop invariant preservation at "bench/check-ce/loop_ce.mlw", line 16, characters 16-25) - Abstract RAC: FAILURE (loop invariant preservation at "bench/check-ce/loop_ce.mlw", line 16, characters 16-25) - Checked model 1: NC - Concrete RAC: FAILURE (loop invariant preservation at "bench/check-ce/loop_ce.mlw", line 16, characters 16-25) - Abstract RAC: STUCK (when reaching the end of a loop iteration at "bench/check-ce/loop_ce.mlw", line 14, character 2 to line 18, character 6) File "bench/check-ce/loop_ce.mlw", line 16, characters 16-25: Sub-goal Loop invariant preservation of goal f'vc. Prover result is: Unknown or time/memory/step limit. The program does not comply to the verification goal, for example during the following execution: File int.mlw: Line 13: Constant zero initialization zero = 0 Line 14: Constant one initialization one = 1 File loop_ce.mlw: Line 6: Constant a initialization Normal execution of function `ref` with args: contents = 0 Normal execution of function `ref'mk` with args: contents = 0 a = {contents= 0} Line 8: Constant b initialization Normal execution of function `ref` with args: contents = 0 Normal execution of function `ref'mk` with args: contents = 0 b = {contents= 0} Unknown location: _ = () File loop_ce.mlw: Line 10: _ = () Execution of main function `f` with env: a = {contents= 0} b = {contents= 0} _ = () zero = 0 one = 1 Line 14: Normal execution of function `contents` with args: arg = {contents= 2} Normal execution of function `(<)` with args: _ = 2 _ = 10 Normal iteration of loop Line 17: Normal execution of function `contents` with args: arg = {contents= 1} Normal execution of function `contents` with args: arg = {contents= 2} Normal execution of function `(+)` with args: _ = 2 _ = 1 Line 14: Normal execution of function `contents` with args: arg = {contents= 3} Normal execution of function `(<)` with args: _ = 3 _ = 10 Normal iteration of loop Line 17: Normal execution of function `contents` with args: arg = {contents= 1} Normal execution of function `contents` with args: arg = {contents= 3} Normal execution of function `(+)` with args: _ = 3 _ = 1 Line 14: Normal execution of function `contents` with args: arg = {contents= 4} Normal execution of function `(<)` with args: _ = 4 _ = 10 Normal iteration of loop Line 17: Normal execution of function `contents` with args: arg = {contents= 1} Normal execution of function `contents` with args: arg = {contents= 4} Normal execution of function `(+)` with args: _ = 4 _ = 1 Line 14: Normal execution of function `contents` with args: arg = {contents= 5} Normal execution of function `(<)` with args: _ = 5 _ = 10 Normal iteration of loop Line 17: Normal execution of function `contents` with args: arg = {contents= 1} Normal execution of function `contents` with args: arg = {contents= 5} Normal execution of function `(+)` with args: _ = 5 _ = 1 Line 16: Property failure at loop invariant preservation with: a = {contents= 1} b = {contents= 6} Categorizations of models: - Selected model 0: NC - Concrete RAC: FAILURE (assertion at "bench/check-ce/loop_ce.mlw", line 31, characters 11-21) - Abstract RAC: FAILURE (assertion at "bench/check-ce/loop_ce.mlw", line 31, characters 11-21) - Checked model 1: NC - Concrete RAC: FAILURE (assertion at "bench/check-ce/loop_ce.mlw", line 31, characters 11-21) - Abstract RAC: FAILURE (assertion at "bench/check-ce/loop_ce.mlw", line 31, characters 11-21) File "bench/check-ce/loop_ce.mlw", line 31, characters 11-21: Sub-goal Assertion of goal g'vc. Prover result is: Unknown or time/memory/step limit. The program does not comply to the verification goal, for example during the following execution: File int.mlw: Line 13: Constant zero initialization zero = 0 Line 14: Constant one initialization one = 1 File loop_ce.mlw: Line 26: a = {contents= 0} a = {contents= 0} Execution of main function `g` with env: a = {contents= 0} zero = 0 one = 1 Line 30: Normal execution of function `contents` with args: arg = {contents= 0} Normal execution of function `(=)` with args: x = 0 y = 10 Unknown location: Normal execution of function `True` with args: File loop_ce.mlw: Line 30: Normal execution of function `contents` with args: arg = {contents= 0} Normal execution of function `(+)` with args: _ = 0 _ = 1 Line 31: Property failure at assertion with: a = {contents= 1} a = ref'mk 0 File "bench/check-ce/loop_ce.mlw", line 27, characters 12-25: Sub-goal Postcondition of goal g'vc. Prover result is: Valid. File "bench/check-ce/loop_ce.mlw", line 31, characters 11-21: Sub-goal Assertion of goal g'vc. Prover result is: Valid. Categorizations of models: - Selected model 0: NC - Concrete RAC: FAILURE (postcondition at "bench/check-ce/loop_ce.mlw", line 27, characters 12-25) - Abstract RAC: FAILURE (postcondition at "bench/check-ce/loop_ce.mlw", line 27, characters 12-25) - Checked model 1: BAD_CE - Concrete RAC: FAILURE (assertion at "bench/check-ce/loop_ce.mlw", line 31, characters 11-21) - Abstract RAC: FAILURE (assertion at "bench/check-ce/loop_ce.mlw", line 31, characters 11-21) File "bench/check-ce/loop_ce.mlw", line 27, characters 12-25: Sub-goal Postcondition of goal g'vc. Prover result is: Unknown or time/memory/step limit. The program does not comply to the verification goal, for example during the following execution: File int.mlw: Line 13: Constant zero initialization zero = 0 Line 14: Constant one initialization one = 1 File loop_ce.mlw: Line 26: a = {contents= 10} a = {contents= 10} Execution of main function `g` with env: a = {contents= 10} zero = 0 one = 1 Line 30: Normal execution of function `contents` with args: arg = {contents= 10} Normal execution of function `(=)` with args: x = 10 y = 10 Unknown location: Normal execution of function `False` with args: File loop_ce.mlw: Line 30: Normal execution of function `Tuple0` with args: Line 27: Property failure at postcondition of `g` with: a = {contents= 10} a = {contents= 10} why3-1.6.0/bench/check-ce/oracles/loop_ce_mono_CVC4,1.8_SP.oracle000066400000000000000000000142321440160026300241020ustar00rootroot00000000000000File "bench/check-ce/loop_ce_mono.mlw", line 18, characters 16-29: Sub-goal Loop invariant init of goal f'vc. Prover result is: Valid. File "bench/check-ce/loop_ce_mono.mlw", line 17, characters 14-22: Sub-goal Loop variant decrease of goal f'vc. Prover result is: Valid. Categorizations of models: - Selected model 0: NC - Concrete RAC: FAILURE (loop invariant preservation at "bench/check-ce/loop_ce_mono.mlw", line 18, characters 16-29) - Abstract RAC: FAILURE (loop invariant preservation at "bench/check-ce/loop_ce_mono.mlw", line 18, characters 16-29) - Checked model 1: NC - Concrete RAC: FAILURE (loop invariant preservation at "bench/check-ce/loop_ce_mono.mlw", line 18, characters 16-29) - Abstract RAC: FAILURE (loop invariant preservation at "bench/check-ce/loop_ce_mono.mlw", line 18, characters 16-29) File "bench/check-ce/loop_ce_mono.mlw", line 18, characters 16-29: Sub-goal Loop invariant preservation of goal f'vc. Prover result is: Unknown (sat). The program does not comply to the verification goal, for example during the following execution: File int.mlw: Line 13: Constant zero initialization zero = 0 Line 14: Constant one initialization one = 1 File loop_ce_mono.mlw: Line 8: Constant a initialization Normal execution of function `t'mk` with args: c = 0 a = {c= 0} Line 10: b = {c= 5} Unknown location: _ = () File loop_ce_mono.mlw: Line 12: _ = () Execution of main function `f` with env: a = {c= 0} b = {c= 5} _ = () zero = 0 one = 1 Line 16: Normal execution of function `c` with args: arg = {c= 2} Normal execution of function `(<)` with args: _ = 2 _ = 10 Normal iteration of loop Line 19: Normal execution of function `c` with args: arg = {c= 1} Normal execution of function `c` with args: arg = {c= 2} Normal execution of function `(+)` with args: _ = 2 _ = 1 Line 16: Normal execution of function `c` with args: arg = {c= 3} Normal execution of function `(<)` with args: _ = 3 _ = 10 Normal iteration of loop Line 19: Normal execution of function `c` with args: arg = {c= 1} Normal execution of function `c` with args: arg = {c= 3} Normal execution of function `(+)` with args: _ = 3 _ = 1 Line 16: Normal execution of function `c` with args: arg = {c= 4} Normal execution of function `(<)` with args: _ = 4 _ = 10 Normal iteration of loop Line 19: Normal execution of function `c` with args: arg = {c= 1} Normal execution of function `c` with args: arg = {c= 4} Normal execution of function `(+)` with args: _ = 4 _ = 1 Line 16: Normal execution of function `c` with args: arg = {c= 5} Normal execution of function `(<)` with args: _ = 5 _ = 10 Normal iteration of loop Line 19: Normal execution of function `c` with args: arg = {c= 1} Normal execution of function `c` with args: arg = {c= 5} Normal execution of function `(+)` with args: _ = 5 _ = 1 Line 18: Property failure at loop invariant preservation with: a = {c= 1} b = {c= 6} Categorizations of models: - Selected model 0: NC - Concrete RAC: FAILURE (assertion at "bench/check-ce/loop_ce_mono.mlw", line 35, characters 11-25) - Abstract RAC: FAILURE (assertion at "bench/check-ce/loop_ce_mono.mlw", line 35, characters 11-25) - Checked model 1: NC - Concrete RAC: FAILURE (assertion at "bench/check-ce/loop_ce_mono.mlw", line 35, characters 11-25) - Abstract RAC: FAILURE (assertion at "bench/check-ce/loop_ce_mono.mlw", line 35, characters 11-25) File "bench/check-ce/loop_ce_mono.mlw", line 35, characters 11-25: Sub-goal Assertion of goal g'vc. Prover result is: Unknown (sat). The program does not comply to the verification goal, for example during the following execution: File int.mlw: Line 13: Constant zero initialization zero = 0 Line 14: Constant one initialization one = 1 File loop_ce_mono.mlw: Line 30: a = {c1= (- 1)} a = {c1= (- 1)} Execution of main function `g` with env: a = {c1= (- 1)} zero = 0 one = 1 Line 34: Normal execution of function `c` with args: arg = {c1= (- 1)} Normal execution of function `(=)` with args: x = (- 1) y = 10 Unknown location: Normal execution of function `True` with args: File loop_ce_mono.mlw: Line 34: Normal execution of function `c` with args: arg = {c1= (- 1)} Normal execution of function `(+)` with args: _ = (- 1) _ = 1 Line 35: Property failure at assertion with: a = {c1= 0} a = t'mk1 (- 1) Categorizations of models: - Selected model 0: NC - Concrete RAC: FAILURE (postcondition at "bench/check-ce/loop_ce_mono.mlw", line 31, characters 12-29) - Abstract RAC: FAILURE (postcondition at "bench/check-ce/loop_ce_mono.mlw", line 31, characters 12-29) - Checked model 1: NC - Concrete RAC: FAILURE (postcondition at "bench/check-ce/loop_ce_mono.mlw", line 31, characters 12-29) - Abstract RAC: FAILURE (postcondition at "bench/check-ce/loop_ce_mono.mlw", line 31, characters 12-29) File "bench/check-ce/loop_ce_mono.mlw", line 31, characters 12-29: Sub-goal Postcondition of goal g'vc. Prover result is: Unknown (sat). The program does not comply to the verification goal, for example during the following execution: File int.mlw: Line 13: Constant zero initialization zero = 0 Line 14: Constant one initialization one = 1 File loop_ce_mono.mlw: Line 30: a = {c1= 10} a = {c1= 10} Execution of main function `g` with env: a = {c1= 10} zero = 0 one = 1 Line 34: Normal execution of function `c` with args: arg = {c1= 10} Normal execution of function `(=)` with args: x = 10 y = 10 Unknown location: Normal execution of function `False` with args: File loop_ce_mono.mlw: Line 34: Normal execution of function `Tuple0` with args: Line 31: Property failure at postcondition of `g` with: a = {c1= 10} a = {c1= 10} why3-1.6.0/bench/check-ce/oracles/loop_ce_mono_CVC4,1.8_WP.oracle000066400000000000000000000145721440160026300241150ustar00rootroot00000000000000File "bench/check-ce/loop_ce_mono.mlw", line 18, characters 16-29: Sub-goal Loop invariant init of goal f'vc. Prover result is: Valid. File "bench/check-ce/loop_ce_mono.mlw", line 17, characters 14-22: Sub-goal Loop variant decrease of goal f'vc. Prover result is: Valid. Categorizations of models: - Selected model 0: NC - Concrete RAC: FAILURE (loop invariant preservation at "bench/check-ce/loop_ce_mono.mlw", line 18, characters 16-29) - Abstract RAC: FAILURE (loop invariant preservation at "bench/check-ce/loop_ce_mono.mlw", line 18, characters 16-29) - Checked model 1: NC - Concrete RAC: FAILURE (loop invariant preservation at "bench/check-ce/loop_ce_mono.mlw", line 18, characters 16-29) - Abstract RAC: FAILURE (loop invariant preservation at "bench/check-ce/loop_ce_mono.mlw", line 18, characters 16-29) File "bench/check-ce/loop_ce_mono.mlw", line 18, characters 16-29: Sub-goal Loop invariant preservation of goal f'vc. Prover result is: Unknown (sat). The program does not comply to the verification goal, for example during the following execution: File int.mlw: Line 13: Constant zero initialization zero = 0 Line 14: Constant one initialization one = 1 File loop_ce_mono.mlw: Line 8: Constant a initialization Normal execution of function `t'mk` with args: c = 0 a = {c= 0} Line 10: b = {c= 5} Unknown location: _ = () File loop_ce_mono.mlw: Line 12: _ = () Execution of main function `f` with env: a = {c= 0} b = {c= 5} _ = () zero = 0 one = 1 Line 16: Normal execution of function `c` with args: arg = {c= 2} Normal execution of function `(<)` with args: _ = 2 _ = 10 Normal iteration of loop Line 19: Normal execution of function `c` with args: arg = {c= 1} Normal execution of function `c` with args: arg = {c= 2} Normal execution of function `(+)` with args: _ = 2 _ = 1 Line 16: Normal execution of function `c` with args: arg = {c= 3} Normal execution of function `(<)` with args: _ = 3 _ = 10 Normal iteration of loop Line 19: Normal execution of function `c` with args: arg = {c= 1} Normal execution of function `c` with args: arg = {c= 3} Normal execution of function `(+)` with args: _ = 3 _ = 1 Line 16: Normal execution of function `c` with args: arg = {c= 4} Normal execution of function `(<)` with args: _ = 4 _ = 10 Normal iteration of loop Line 19: Normal execution of function `c` with args: arg = {c= 1} Normal execution of function `c` with args: arg = {c= 4} Normal execution of function `(+)` with args: _ = 4 _ = 1 Line 16: Normal execution of function `c` with args: arg = {c= 5} Normal execution of function `(<)` with args: _ = 5 _ = 10 Normal iteration of loop Line 19: Normal execution of function `c` with args: arg = {c= 1} Normal execution of function `c` with args: arg = {c= 5} Normal execution of function `(+)` with args: _ = 5 _ = 1 Line 18: Property failure at loop invariant preservation with: a = {c= 1} b = {c= 6} Categorizations of models: - Selected model 0: NC - Concrete RAC: FAILURE (assertion at "bench/check-ce/loop_ce_mono.mlw", line 35, characters 11-25) - Abstract RAC: FAILURE (assertion at "bench/check-ce/loop_ce_mono.mlw", line 35, characters 11-25) - Checked model 1: NC - Concrete RAC: FAILURE (assertion at "bench/check-ce/loop_ce_mono.mlw", line 35, characters 11-25) - Abstract RAC: FAILURE (assertion at "bench/check-ce/loop_ce_mono.mlw", line 35, characters 11-25) File "bench/check-ce/loop_ce_mono.mlw", line 35, characters 11-25: Sub-goal Assertion of goal g'vc. Prover result is: Unknown (sat). The program does not comply to the verification goal, for example during the following execution: File int.mlw: Line 13: Constant zero initialization zero = 0 Line 14: Constant one initialization one = 1 File loop_ce_mono.mlw: Line 30: a = {c1= 0} a = {c1= 0} Execution of main function `g` with env: a = {c1= 0} zero = 0 one = 1 Line 34: Normal execution of function `c` with args: arg = {c1= 0} Normal execution of function `(=)` with args: x = 0 y = 10 Unknown location: Normal execution of function `True` with args: File loop_ce_mono.mlw: Line 34: Normal execution of function `c` with args: arg = {c1= 0} Normal execution of function `(+)` with args: _ = 0 _ = 1 Line 35: Property failure at assertion with: a = {c1= 1} a = t'mk1 0 File "bench/check-ce/loop_ce_mono.mlw", line 31, characters 12-29: Sub-goal Postcondition of goal g'vc. Prover result is: Valid. File "bench/check-ce/loop_ce_mono.mlw", line 35, characters 11-25: Sub-goal Assertion of goal g'vc. Prover result is: Valid. Categorizations of models: - Selected model 0: NC - Concrete RAC: FAILURE (postcondition at "bench/check-ce/loop_ce_mono.mlw", line 31, characters 12-29) - Abstract RAC: FAILURE (postcondition at "bench/check-ce/loop_ce_mono.mlw", line 31, characters 12-29) - Checked model 1: NC - Concrete RAC: FAILURE (postcondition at "bench/check-ce/loop_ce_mono.mlw", line 31, characters 12-29) - Abstract RAC: FAILURE (postcondition at "bench/check-ce/loop_ce_mono.mlw", line 31, characters 12-29) File "bench/check-ce/loop_ce_mono.mlw", line 31, characters 12-29: Sub-goal Postcondition of goal g'vc. Prover result is: Unknown (sat). The program does not comply to the verification goal, for example during the following execution: File int.mlw: Line 13: Constant zero initialization zero = 0 Line 14: Constant one initialization one = 1 File loop_ce_mono.mlw: Line 30: a = {c1= 10} a = {c1= 10} Execution of main function `g` with env: a = {c1= 10} zero = 0 one = 1 Line 34: Normal execution of function `c` with args: arg = {c1= 10} Normal execution of function `(=)` with args: x = 10 y = 10 Unknown location: Normal execution of function `False` with args: File loop_ce_mono.mlw: Line 34: Normal execution of function `Tuple0` with args: Line 31: Property failure at postcondition of `g` with: a = {c1= 10} a = {c1= 10} why3-1.6.0/bench/check-ce/oracles/loop_ce_mono_CVC5,1.0.0_SP.oracle000066400000000000000000000142321440160026300242310ustar00rootroot00000000000000File "bench/check-ce/loop_ce_mono.mlw", line 18, characters 16-29: Sub-goal Loop invariant init of goal f'vc. Prover result is: Valid. File "bench/check-ce/loop_ce_mono.mlw", line 17, characters 14-22: Sub-goal Loop variant decrease of goal f'vc. Prover result is: Valid. Categorizations of models: - Selected model 0: NC - Concrete RAC: FAILURE (loop invariant preservation at "bench/check-ce/loop_ce_mono.mlw", line 18, characters 16-29) - Abstract RAC: FAILURE (loop invariant preservation at "bench/check-ce/loop_ce_mono.mlw", line 18, characters 16-29) - Checked model 1: NC - Concrete RAC: FAILURE (loop invariant preservation at "bench/check-ce/loop_ce_mono.mlw", line 18, characters 16-29) - Abstract RAC: FAILURE (loop invariant preservation at "bench/check-ce/loop_ce_mono.mlw", line 18, characters 16-29) File "bench/check-ce/loop_ce_mono.mlw", line 18, characters 16-29: Sub-goal Loop invariant preservation of goal f'vc. Prover result is: Unknown (sat). The program does not comply to the verification goal, for example during the following execution: File int.mlw: Line 13: Constant zero initialization zero = 0 Line 14: Constant one initialization one = 1 File loop_ce_mono.mlw: Line 8: Constant a initialization Normal execution of function `t'mk` with args: c = 0 a = {c= 0} Line 10: b = {c= 5} Unknown location: _ = () File loop_ce_mono.mlw: Line 12: _ = () Execution of main function `f` with env: a = {c= 0} b = {c= 5} _ = () zero = 0 one = 1 Line 16: Normal execution of function `c` with args: arg = {c= 2} Normal execution of function `(<)` with args: _ = 2 _ = 10 Normal iteration of loop Line 19: Normal execution of function `c` with args: arg = {c= 1} Normal execution of function `c` with args: arg = {c= 2} Normal execution of function `(+)` with args: _ = 2 _ = 1 Line 16: Normal execution of function `c` with args: arg = {c= 3} Normal execution of function `(<)` with args: _ = 3 _ = 10 Normal iteration of loop Line 19: Normal execution of function `c` with args: arg = {c= 1} Normal execution of function `c` with args: arg = {c= 3} Normal execution of function `(+)` with args: _ = 3 _ = 1 Line 16: Normal execution of function `c` with args: arg = {c= 4} Normal execution of function `(<)` with args: _ = 4 _ = 10 Normal iteration of loop Line 19: Normal execution of function `c` with args: arg = {c= 1} Normal execution of function `c` with args: arg = {c= 4} Normal execution of function `(+)` with args: _ = 4 _ = 1 Line 16: Normal execution of function `c` with args: arg = {c= 5} Normal execution of function `(<)` with args: _ = 5 _ = 10 Normal iteration of loop Line 19: Normal execution of function `c` with args: arg = {c= 1} Normal execution of function `c` with args: arg = {c= 5} Normal execution of function `(+)` with args: _ = 5 _ = 1 Line 18: Property failure at loop invariant preservation with: a = {c= 1} b = {c= 6} Categorizations of models: - Selected model 0: NC - Concrete RAC: FAILURE (assertion at "bench/check-ce/loop_ce_mono.mlw", line 35, characters 11-25) - Abstract RAC: FAILURE (assertion at "bench/check-ce/loop_ce_mono.mlw", line 35, characters 11-25) - Checked model 1: NC - Concrete RAC: FAILURE (assertion at "bench/check-ce/loop_ce_mono.mlw", line 35, characters 11-25) - Abstract RAC: FAILURE (assertion at "bench/check-ce/loop_ce_mono.mlw", line 35, characters 11-25) File "bench/check-ce/loop_ce_mono.mlw", line 35, characters 11-25: Sub-goal Assertion of goal g'vc. Prover result is: Unknown (sat). The program does not comply to the verification goal, for example during the following execution: File int.mlw: Line 13: Constant zero initialization zero = 0 Line 14: Constant one initialization one = 1 File loop_ce_mono.mlw: Line 30: a = {c1= (- 1)} a = {c1= (- 1)} Execution of main function `g` with env: a = {c1= (- 1)} zero = 0 one = 1 Line 34: Normal execution of function `c` with args: arg = {c1= (- 1)} Normal execution of function `(=)` with args: x = (- 1) y = 10 Unknown location: Normal execution of function `True` with args: File loop_ce_mono.mlw: Line 34: Normal execution of function `c` with args: arg = {c1= (- 1)} Normal execution of function `(+)` with args: _ = (- 1) _ = 1 Line 35: Property failure at assertion with: a = {c1= 0} a = t'mk1 (- 1) Categorizations of models: - Selected model 0: NC - Concrete RAC: FAILURE (postcondition at "bench/check-ce/loop_ce_mono.mlw", line 31, characters 12-29) - Abstract RAC: FAILURE (postcondition at "bench/check-ce/loop_ce_mono.mlw", line 31, characters 12-29) - Checked model 1: NC - Concrete RAC: FAILURE (postcondition at "bench/check-ce/loop_ce_mono.mlw", line 31, characters 12-29) - Abstract RAC: FAILURE (postcondition at "bench/check-ce/loop_ce_mono.mlw", line 31, characters 12-29) File "bench/check-ce/loop_ce_mono.mlw", line 31, characters 12-29: Sub-goal Postcondition of goal g'vc. Prover result is: Unknown (sat). The program does not comply to the verification goal, for example during the following execution: File int.mlw: Line 13: Constant zero initialization zero = 0 Line 14: Constant one initialization one = 1 File loop_ce_mono.mlw: Line 30: a = {c1= 10} a = {c1= 10} Execution of main function `g` with env: a = {c1= 10} zero = 0 one = 1 Line 34: Normal execution of function `c` with args: arg = {c1= 10} Normal execution of function `(=)` with args: x = 10 y = 10 Unknown location: Normal execution of function `False` with args: File loop_ce_mono.mlw: Line 34: Normal execution of function `Tuple0` with args: Line 31: Property failure at postcondition of `g` with: a = {c1= 10} a = {c1= 10} why3-1.6.0/bench/check-ce/oracles/loop_ce_mono_CVC5,1.0.0_WP.oracle000066400000000000000000000145721440160026300242440ustar00rootroot00000000000000File "bench/check-ce/loop_ce_mono.mlw", line 18, characters 16-29: Sub-goal Loop invariant init of goal f'vc. Prover result is: Valid. File "bench/check-ce/loop_ce_mono.mlw", line 17, characters 14-22: Sub-goal Loop variant decrease of goal f'vc. Prover result is: Valid. Categorizations of models: - Selected model 0: NC - Concrete RAC: FAILURE (loop invariant preservation at "bench/check-ce/loop_ce_mono.mlw", line 18, characters 16-29) - Abstract RAC: FAILURE (loop invariant preservation at "bench/check-ce/loop_ce_mono.mlw", line 18, characters 16-29) - Checked model 1: NC - Concrete RAC: FAILURE (loop invariant preservation at "bench/check-ce/loop_ce_mono.mlw", line 18, characters 16-29) - Abstract RAC: FAILURE (loop invariant preservation at "bench/check-ce/loop_ce_mono.mlw", line 18, characters 16-29) File "bench/check-ce/loop_ce_mono.mlw", line 18, characters 16-29: Sub-goal Loop invariant preservation of goal f'vc. Prover result is: Unknown (sat). The program does not comply to the verification goal, for example during the following execution: File int.mlw: Line 13: Constant zero initialization zero = 0 Line 14: Constant one initialization one = 1 File loop_ce_mono.mlw: Line 8: Constant a initialization Normal execution of function `t'mk` with args: c = 0 a = {c= 0} Line 10: b = {c= 5} Unknown location: _ = () File loop_ce_mono.mlw: Line 12: _ = () Execution of main function `f` with env: a = {c= 0} b = {c= 5} _ = () zero = 0 one = 1 Line 16: Normal execution of function `c` with args: arg = {c= 2} Normal execution of function `(<)` with args: _ = 2 _ = 10 Normal iteration of loop Line 19: Normal execution of function `c` with args: arg = {c= 1} Normal execution of function `c` with args: arg = {c= 2} Normal execution of function `(+)` with args: _ = 2 _ = 1 Line 16: Normal execution of function `c` with args: arg = {c= 3} Normal execution of function `(<)` with args: _ = 3 _ = 10 Normal iteration of loop Line 19: Normal execution of function `c` with args: arg = {c= 1} Normal execution of function `c` with args: arg = {c= 3} Normal execution of function `(+)` with args: _ = 3 _ = 1 Line 16: Normal execution of function `c` with args: arg = {c= 4} Normal execution of function `(<)` with args: _ = 4 _ = 10 Normal iteration of loop Line 19: Normal execution of function `c` with args: arg = {c= 1} Normal execution of function `c` with args: arg = {c= 4} Normal execution of function `(+)` with args: _ = 4 _ = 1 Line 16: Normal execution of function `c` with args: arg = {c= 5} Normal execution of function `(<)` with args: _ = 5 _ = 10 Normal iteration of loop Line 19: Normal execution of function `c` with args: arg = {c= 1} Normal execution of function `c` with args: arg = {c= 5} Normal execution of function `(+)` with args: _ = 5 _ = 1 Line 18: Property failure at loop invariant preservation with: a = {c= 1} b = {c= 6} Categorizations of models: - Selected model 0: NC - Concrete RAC: FAILURE (assertion at "bench/check-ce/loop_ce_mono.mlw", line 35, characters 11-25) - Abstract RAC: FAILURE (assertion at "bench/check-ce/loop_ce_mono.mlw", line 35, characters 11-25) - Checked model 1: NC - Concrete RAC: FAILURE (assertion at "bench/check-ce/loop_ce_mono.mlw", line 35, characters 11-25) - Abstract RAC: FAILURE (assertion at "bench/check-ce/loop_ce_mono.mlw", line 35, characters 11-25) File "bench/check-ce/loop_ce_mono.mlw", line 35, characters 11-25: Sub-goal Assertion of goal g'vc. Prover result is: Unknown (sat). The program does not comply to the verification goal, for example during the following execution: File int.mlw: Line 13: Constant zero initialization zero = 0 Line 14: Constant one initialization one = 1 File loop_ce_mono.mlw: Line 30: a = {c1= 0} a = {c1= 0} Execution of main function `g` with env: a = {c1= 0} zero = 0 one = 1 Line 34: Normal execution of function `c` with args: arg = {c1= 0} Normal execution of function `(=)` with args: x = 0 y = 10 Unknown location: Normal execution of function `True` with args: File loop_ce_mono.mlw: Line 34: Normal execution of function `c` with args: arg = {c1= 0} Normal execution of function `(+)` with args: _ = 0 _ = 1 Line 35: Property failure at assertion with: a = {c1= 1} a = t'mk1 0 File "bench/check-ce/loop_ce_mono.mlw", line 31, characters 12-29: Sub-goal Postcondition of goal g'vc. Prover result is: Valid. File "bench/check-ce/loop_ce_mono.mlw", line 35, characters 11-25: Sub-goal Assertion of goal g'vc. Prover result is: Valid. Categorizations of models: - Selected model 0: NC - Concrete RAC: FAILURE (postcondition at "bench/check-ce/loop_ce_mono.mlw", line 31, characters 12-29) - Abstract RAC: FAILURE (postcondition at "bench/check-ce/loop_ce_mono.mlw", line 31, characters 12-29) - Checked model 1: NC - Concrete RAC: FAILURE (postcondition at "bench/check-ce/loop_ce_mono.mlw", line 31, characters 12-29) - Abstract RAC: FAILURE (postcondition at "bench/check-ce/loop_ce_mono.mlw", line 31, characters 12-29) File "bench/check-ce/loop_ce_mono.mlw", line 31, characters 12-29: Sub-goal Postcondition of goal g'vc. Prover result is: Unknown (sat). The program does not comply to the verification goal, for example during the following execution: File int.mlw: Line 13: Constant zero initialization zero = 0 Line 14: Constant one initialization one = 1 File loop_ce_mono.mlw: Line 30: a = {c1= 10} a = {c1= 10} Execution of main function `g` with env: a = {c1= 10} zero = 0 one = 1 Line 34: Normal execution of function `c` with args: arg = {c1= 10} Normal execution of function `(=)` with args: x = 10 y = 10 Unknown location: Normal execution of function `False` with args: File loop_ce_mono.mlw: Line 34: Normal execution of function `Tuple0` with args: Line 31: Property failure at postcondition of `g` with: a = {c1= 10} a = {c1= 10} why3-1.6.0/bench/check-ce/oracles/loop_ce_mono_Z3,4.8.10_SP.oracle000066400000000000000000000142321440160026300241210ustar00rootroot00000000000000File "bench/check-ce/loop_ce_mono.mlw", line 18, characters 16-29: Sub-goal Loop invariant init of goal f'vc. Prover result is: Valid. File "bench/check-ce/loop_ce_mono.mlw", line 17, characters 14-22: Sub-goal Loop variant decrease of goal f'vc. Prover result is: Valid. Categorizations of models: - Selected model 0: NC - Concrete RAC: FAILURE (loop invariant preservation at "bench/check-ce/loop_ce_mono.mlw", line 18, characters 16-29) - Abstract RAC: FAILURE (loop invariant preservation at "bench/check-ce/loop_ce_mono.mlw", line 18, characters 16-29) - Checked model 1: NC - Concrete RAC: FAILURE (loop invariant preservation at "bench/check-ce/loop_ce_mono.mlw", line 18, characters 16-29) - Abstract RAC: FAILURE (loop invariant preservation at "bench/check-ce/loop_ce_mono.mlw", line 18, characters 16-29) File "bench/check-ce/loop_ce_mono.mlw", line 18, characters 16-29: Sub-goal Loop invariant preservation of goal f'vc. Prover result is: Unknown (sat). The program does not comply to the verification goal, for example during the following execution: File int.mlw: Line 13: Constant zero initialization zero = 0 Line 14: Constant one initialization one = 1 File loop_ce_mono.mlw: Line 8: Constant a initialization Normal execution of function `t'mk` with args: c = 0 a = {c= 0} Line 10: b = {c= 5} Unknown location: _ = () File loop_ce_mono.mlw: Line 12: _ = () Execution of main function `f` with env: a = {c= 0} b = {c= 5} _ = () zero = 0 one = 1 Line 16: Normal execution of function `c` with args: arg = {c= 2} Normal execution of function `(<)` with args: _ = 2 _ = 10 Normal iteration of loop Line 19: Normal execution of function `c` with args: arg = {c= 1} Normal execution of function `c` with args: arg = {c= 2} Normal execution of function `(+)` with args: _ = 2 _ = 1 Line 16: Normal execution of function `c` with args: arg = {c= 3} Normal execution of function `(<)` with args: _ = 3 _ = 10 Normal iteration of loop Line 19: Normal execution of function `c` with args: arg = {c= 1} Normal execution of function `c` with args: arg = {c= 3} Normal execution of function `(+)` with args: _ = 3 _ = 1 Line 16: Normal execution of function `c` with args: arg = {c= 4} Normal execution of function `(<)` with args: _ = 4 _ = 10 Normal iteration of loop Line 19: Normal execution of function `c` with args: arg = {c= 1} Normal execution of function `c` with args: arg = {c= 4} Normal execution of function `(+)` with args: _ = 4 _ = 1 Line 16: Normal execution of function `c` with args: arg = {c= 5} Normal execution of function `(<)` with args: _ = 5 _ = 10 Normal iteration of loop Line 19: Normal execution of function `c` with args: arg = {c= 1} Normal execution of function `c` with args: arg = {c= 5} Normal execution of function `(+)` with args: _ = 5 _ = 1 Line 18: Property failure at loop invariant preservation with: a = {c= 1} b = {c= 6} Categorizations of models: - Selected model 0: NC - Concrete RAC: FAILURE (assertion at "bench/check-ce/loop_ce_mono.mlw", line 35, characters 11-25) - Abstract RAC: FAILURE (assertion at "bench/check-ce/loop_ce_mono.mlw", line 35, characters 11-25) - Checked model 1: NC - Concrete RAC: FAILURE (assertion at "bench/check-ce/loop_ce_mono.mlw", line 35, characters 11-25) - Abstract RAC: FAILURE (assertion at "bench/check-ce/loop_ce_mono.mlw", line 35, characters 11-25) File "bench/check-ce/loop_ce_mono.mlw", line 35, characters 11-25: Sub-goal Assertion of goal g'vc. Prover result is: Unknown (sat). The program does not comply to the verification goal, for example during the following execution: File int.mlw: Line 13: Constant zero initialization zero = 0 Line 14: Constant one initialization one = 1 File loop_ce_mono.mlw: Line 30: a = {c1= (- 1)} a = {c1= (- 1)} Execution of main function `g` with env: a = {c1= (- 1)} zero = 0 one = 1 Line 34: Normal execution of function `c` with args: arg = {c1= (- 1)} Normal execution of function `(=)` with args: x = (- 1) y = 10 Unknown location: Normal execution of function `True` with args: File loop_ce_mono.mlw: Line 34: Normal execution of function `c` with args: arg = {c1= (- 1)} Normal execution of function `(+)` with args: _ = (- 1) _ = 1 Line 35: Property failure at assertion with: a = {c1= 0} a = t'mk1 (- 1) Categorizations of models: - Selected model 0: NC - Concrete RAC: FAILURE (postcondition at "bench/check-ce/loop_ce_mono.mlw", line 31, characters 12-29) - Abstract RAC: FAILURE (postcondition at "bench/check-ce/loop_ce_mono.mlw", line 31, characters 12-29) - Checked model 1: NC - Concrete RAC: FAILURE (postcondition at "bench/check-ce/loop_ce_mono.mlw", line 31, characters 12-29) - Abstract RAC: FAILURE (postcondition at "bench/check-ce/loop_ce_mono.mlw", line 31, characters 12-29) File "bench/check-ce/loop_ce_mono.mlw", line 31, characters 12-29: Sub-goal Postcondition of goal g'vc. Prover result is: Unknown (sat). The program does not comply to the verification goal, for example during the following execution: File int.mlw: Line 13: Constant zero initialization zero = 0 Line 14: Constant one initialization one = 1 File loop_ce_mono.mlw: Line 30: a = {c1= 10} a = {c1= 10} Execution of main function `g` with env: a = {c1= 10} zero = 0 one = 1 Line 34: Normal execution of function `c` with args: arg = {c1= 10} Normal execution of function `(=)` with args: x = 10 y = 10 Unknown location: Normal execution of function `False` with args: File loop_ce_mono.mlw: Line 34: Normal execution of function `Tuple0` with args: Line 31: Property failure at postcondition of `g` with: a = {c1= 10} a = {c1= 10} why3-1.6.0/bench/check-ce/oracles/loop_ce_mono_Z3,4.8.10_WP.oracle000066400000000000000000000145721440160026300241340ustar00rootroot00000000000000File "bench/check-ce/loop_ce_mono.mlw", line 18, characters 16-29: Sub-goal Loop invariant init of goal f'vc. Prover result is: Valid. File "bench/check-ce/loop_ce_mono.mlw", line 17, characters 14-22: Sub-goal Loop variant decrease of goal f'vc. Prover result is: Valid. Categorizations of models: - Selected model 0: NC - Concrete RAC: FAILURE (loop invariant preservation at "bench/check-ce/loop_ce_mono.mlw", line 18, characters 16-29) - Abstract RAC: FAILURE (loop invariant preservation at "bench/check-ce/loop_ce_mono.mlw", line 18, characters 16-29) - Checked model 1: NC - Concrete RAC: FAILURE (loop invariant preservation at "bench/check-ce/loop_ce_mono.mlw", line 18, characters 16-29) - Abstract RAC: FAILURE (loop invariant preservation at "bench/check-ce/loop_ce_mono.mlw", line 18, characters 16-29) File "bench/check-ce/loop_ce_mono.mlw", line 18, characters 16-29: Sub-goal Loop invariant preservation of goal f'vc. Prover result is: Unknown (sat). The program does not comply to the verification goal, for example during the following execution: File int.mlw: Line 13: Constant zero initialization zero = 0 Line 14: Constant one initialization one = 1 File loop_ce_mono.mlw: Line 8: Constant a initialization Normal execution of function `t'mk` with args: c = 0 a = {c= 0} Line 10: b = {c= 5} Unknown location: _ = () File loop_ce_mono.mlw: Line 12: _ = () Execution of main function `f` with env: a = {c= 0} b = {c= 5} _ = () zero = 0 one = 1 Line 16: Normal execution of function `c` with args: arg = {c= 2} Normal execution of function `(<)` with args: _ = 2 _ = 10 Normal iteration of loop Line 19: Normal execution of function `c` with args: arg = {c= 1} Normal execution of function `c` with args: arg = {c= 2} Normal execution of function `(+)` with args: _ = 2 _ = 1 Line 16: Normal execution of function `c` with args: arg = {c= 3} Normal execution of function `(<)` with args: _ = 3 _ = 10 Normal iteration of loop Line 19: Normal execution of function `c` with args: arg = {c= 1} Normal execution of function `c` with args: arg = {c= 3} Normal execution of function `(+)` with args: _ = 3 _ = 1 Line 16: Normal execution of function `c` with args: arg = {c= 4} Normal execution of function `(<)` with args: _ = 4 _ = 10 Normal iteration of loop Line 19: Normal execution of function `c` with args: arg = {c= 1} Normal execution of function `c` with args: arg = {c= 4} Normal execution of function `(+)` with args: _ = 4 _ = 1 Line 16: Normal execution of function `c` with args: arg = {c= 5} Normal execution of function `(<)` with args: _ = 5 _ = 10 Normal iteration of loop Line 19: Normal execution of function `c` with args: arg = {c= 1} Normal execution of function `c` with args: arg = {c= 5} Normal execution of function `(+)` with args: _ = 5 _ = 1 Line 18: Property failure at loop invariant preservation with: a = {c= 1} b = {c= 6} Categorizations of models: - Selected model 0: NC - Concrete RAC: FAILURE (assertion at "bench/check-ce/loop_ce_mono.mlw", line 35, characters 11-25) - Abstract RAC: FAILURE (assertion at "bench/check-ce/loop_ce_mono.mlw", line 35, characters 11-25) - Checked model 1: NC - Concrete RAC: FAILURE (assertion at "bench/check-ce/loop_ce_mono.mlw", line 35, characters 11-25) - Abstract RAC: FAILURE (assertion at "bench/check-ce/loop_ce_mono.mlw", line 35, characters 11-25) File "bench/check-ce/loop_ce_mono.mlw", line 35, characters 11-25: Sub-goal Assertion of goal g'vc. Prover result is: Unknown (sat). The program does not comply to the verification goal, for example during the following execution: File int.mlw: Line 13: Constant zero initialization zero = 0 Line 14: Constant one initialization one = 1 File loop_ce_mono.mlw: Line 30: a = {c1= 0} a = {c1= 0} Execution of main function `g` with env: a = {c1= 0} zero = 0 one = 1 Line 34: Normal execution of function `c` with args: arg = {c1= 0} Normal execution of function `(=)` with args: x = 0 y = 10 Unknown location: Normal execution of function `True` with args: File loop_ce_mono.mlw: Line 34: Normal execution of function `c` with args: arg = {c1= 0} Normal execution of function `(+)` with args: _ = 0 _ = 1 Line 35: Property failure at assertion with: a = {c1= 1} a = t'mk1 0 File "bench/check-ce/loop_ce_mono.mlw", line 31, characters 12-29: Sub-goal Postcondition of goal g'vc. Prover result is: Valid. File "bench/check-ce/loop_ce_mono.mlw", line 35, characters 11-25: Sub-goal Assertion of goal g'vc. Prover result is: Valid. Categorizations of models: - Selected model 0: NC - Concrete RAC: FAILURE (postcondition at "bench/check-ce/loop_ce_mono.mlw", line 31, characters 12-29) - Abstract RAC: FAILURE (postcondition at "bench/check-ce/loop_ce_mono.mlw", line 31, characters 12-29) - Checked model 1: NC - Concrete RAC: FAILURE (postcondition at "bench/check-ce/loop_ce_mono.mlw", line 31, characters 12-29) - Abstract RAC: FAILURE (postcondition at "bench/check-ce/loop_ce_mono.mlw", line 31, characters 12-29) File "bench/check-ce/loop_ce_mono.mlw", line 31, characters 12-29: Sub-goal Postcondition of goal g'vc. Prover result is: Unknown (sat). The program does not comply to the verification goal, for example during the following execution: File int.mlw: Line 13: Constant zero initialization zero = 0 Line 14: Constant one initialization one = 1 File loop_ce_mono.mlw: Line 30: a = {c1= 10} a = {c1= 10} Execution of main function `g` with env: a = {c1= 10} zero = 0 one = 1 Line 34: Normal execution of function `c` with args: arg = {c1= 10} Normal execution of function `(=)` with args: x = 10 y = 10 Unknown location: Normal execution of function `False` with args: File loop_ce_mono.mlw: Line 34: Normal execution of function `Tuple0` with args: Line 31: Property failure at postcondition of `g` with: a = {c1= 10} a = {c1= 10} why3-1.6.0/bench/check-ce/oracles/loop_inv_int_CVC4,1.8_SP.oracle000066400000000000000000000163371440160026300241410ustar00rootroot00000000000000File "bench/check-ce/loop_inv_int.mlw", line 13, characters 16-25: Sub-goal Loop invariant init of goal f'vc. Prover result is: Valid. Categorizations of models: - Selected model 0: NC - Concrete RAC: FAILURE (loop invariant preservation at "bench/check-ce/loop_inv_int.mlw", line 13, characters 16-25) - Abstract RAC: FAILURE (loop invariant preservation at "bench/check-ce/loop_inv_int.mlw", line 13, characters 16-25) - Checked model 1: NC - Concrete RAC: FAILURE (loop invariant preservation at "bench/check-ce/loop_inv_int.mlw", line 13, characters 16-25) - Abstract RAC: FAILURE (loop invariant preservation at "bench/check-ce/loop_inv_int.mlw", line 13, characters 16-25) File "bench/check-ce/loop_inv_int.mlw", line 13, characters 16-25: Sub-goal Loop invariant preservation of goal f'vc. Prover result is: Unknown or time/memory/step limit. The program does not comply to the verification goal, for example during the following execution: File int.mlw: Line 13: Constant zero initialization zero = 0 Line 14: Constant one initialization one = 1 Unknown location: _ = () File loop_inv_int.mlw: Line 6: _ = () Execution of main function `f` with env: _ = () zero = 0 one = 1 Line 9: Normal execution of function `ref` with args: contents = 0 Normal execution of function `ref'mk` with args: contents = 0 Line 11: Normal execution of function `ref` with args: contents = 2 Normal execution of function `ref'mk` with args: contents = 2 Line 12: Normal execution of function `contents` with args: arg = {contents= 2} Normal execution of function `(<)` with args: _ = 2 _ = 10 Normal iteration of loop Line 14: Normal execution of function `contents` with args: arg = {contents= 2} Normal execution of function `contents` with args: arg = {contents= 1} Normal execution of function `(+)` with args: _ = 1 _ = 2 Line 12: Normal execution of function `contents` with args: arg = {contents= 3} Normal execution of function `(<)` with args: _ = 3 _ = 10 Normal iteration of loop Line 14: Normal execution of function `contents` with args: arg = {contents= 3} Normal execution of function `contents` with args: arg = {contents= 1} Normal execution of function `(+)` with args: _ = 1 _ = 3 Line 12: Normal execution of function `contents` with args: arg = {contents= 4} Normal execution of function `(<)` with args: _ = 4 _ = 10 Normal iteration of loop Line 14: Normal execution of function `contents` with args: arg = {contents= 4} Normal execution of function `contents` with args: arg = {contents= 1} Normal execution of function `(+)` with args: _ = 1 _ = 4 Line 12: Normal execution of function `contents` with args: arg = {contents= 5} Normal execution of function `(<)` with args: _ = 5 _ = 10 Normal iteration of loop Line 14: Normal execution of function `contents` with args: arg = {contents= 5} Normal execution of function `contents` with args: arg = {contents= 1} Normal execution of function `(+)` with args: _ = 1 _ = 5 Line 13: Property failure at loop invariant preservation with: a = {contents= 1} b = {contents= 6} File "bench/check-ce/loop_inv_int.mlw", line 34, characters 16-25: Sub-goal Loop invariant init of goal f'vc. Prover result is: Valid. Categorizations of models: - Selected model 0: NC - Concrete RAC: FAILURE (loop invariant preservation at "bench/check-ce/loop_inv_int.mlw", line 34, characters 16-25) - Abstract RAC: FAILURE (loop invariant preservation at "bench/check-ce/loop_inv_int.mlw", line 34, characters 16-25) - Checked model 1: NC - Concrete RAC: FAILURE (loop invariant preservation at "bench/check-ce/loop_inv_int.mlw", line 34, characters 16-25) - Abstract RAC: FAILURE (loop invariant preservation at "bench/check-ce/loop_inv_int.mlw", line 34, characters 16-25) File "bench/check-ce/loop_inv_int.mlw", line 34, characters 16-25: Sub-goal Loop invariant preservation of goal f'vc. Prover result is: Unknown or time/memory/step limit. The program does not comply to the verification goal, for example during the following execution: File int.mlw: Line 13: Constant zero initialization zero = 0 Line 14: Constant one initialization one = 1 File loop_inv_int.mlw: Line 23: Constant a initialization (giant-step) execution of unimplemented function with args: result = 0 Normal execution of function `ref` with args: contents = 0 Normal execution of function `ref'mk` with args: contents = 0 a = {contents= 0} Line 25: Constant b initialization (giant-step) execution of unimplemented function with args: result = 0 Normal execution of function `ref` with args: contents = 0 Normal execution of function `ref'mk` with args: contents = 0 b = {contents= 0} Unknown location: _ = () File loop_inv_int.mlw: Line 27: _ = () Execution of main function `f` with env: a = {contents= 0} b = {contents= 0} _ = () zero = 0 one = 1 Line 33: Normal execution of function `contents` with args: arg = {contents= 2} Normal execution of function `(<)` with args: _ = 2 _ = 10 Normal iteration of loop Line 35: Normal execution of function `contents` with args: arg = {contents= 2} Normal execution of function `contents` with args: arg = {contents= 1} Normal execution of function `(+)` with args: _ = 1 _ = 2 Line 33: Normal execution of function `contents` with args: arg = {contents= 3} Normal execution of function `(<)` with args: _ = 3 _ = 10 Normal iteration of loop Line 35: Normal execution of function `contents` with args: arg = {contents= 3} Normal execution of function `contents` with args: arg = {contents= 1} Normal execution of function `(+)` with args: _ = 1 _ = 3 Line 33: Normal execution of function `contents` with args: arg = {contents= 4} Normal execution of function `(<)` with args: _ = 4 _ = 10 Normal iteration of loop Line 35: Normal execution of function `contents` with args: arg = {contents= 4} Normal execution of function `contents` with args: arg = {contents= 1} Normal execution of function `(+)` with args: _ = 1 _ = 4 Line 33: Normal execution of function `contents` with args: arg = {contents= 5} Normal execution of function `(<)` with args: _ = 5 _ = 10 Normal iteration of loop Line 35: Normal execution of function `contents` with args: arg = {contents= 5} Normal execution of function `contents` with args: arg = {contents= 1} Normal execution of function `(+)` with args: _ = 1 _ = 5 Line 34: Property failure at loop invariant preservation with: a = {contents= 1} b = {contents= 6} File "bench/check-ce/loop_inv_int.mlw", line 29, characters 12-22: Sub-goal Postcondition of goal f'vc. Prover result is: Valid. why3-1.6.0/bench/check-ce/oracles/loop_inv_int_CVC4,1.8_WP.oracle000066400000000000000000000163371440160026300241450ustar00rootroot00000000000000File "bench/check-ce/loop_inv_int.mlw", line 13, characters 16-25: Sub-goal Loop invariant init of goal f'vc. Prover result is: Valid. Categorizations of models: - Selected model 0: NC - Concrete RAC: FAILURE (loop invariant preservation at "bench/check-ce/loop_inv_int.mlw", line 13, characters 16-25) - Abstract RAC: FAILURE (loop invariant preservation at "bench/check-ce/loop_inv_int.mlw", line 13, characters 16-25) - Checked model 1: NC - Concrete RAC: FAILURE (loop invariant preservation at "bench/check-ce/loop_inv_int.mlw", line 13, characters 16-25) - Abstract RAC: FAILURE (loop invariant preservation at "bench/check-ce/loop_inv_int.mlw", line 13, characters 16-25) File "bench/check-ce/loop_inv_int.mlw", line 13, characters 16-25: Sub-goal Loop invariant preservation of goal f'vc. Prover result is: Unknown or time/memory/step limit. The program does not comply to the verification goal, for example during the following execution: File int.mlw: Line 13: Constant zero initialization zero = 0 Line 14: Constant one initialization one = 1 Unknown location: _ = () File loop_inv_int.mlw: Line 6: _ = () Execution of main function `f` with env: _ = () zero = 0 one = 1 Line 9: Normal execution of function `ref` with args: contents = 0 Normal execution of function `ref'mk` with args: contents = 0 Line 11: Normal execution of function `ref` with args: contents = 2 Normal execution of function `ref'mk` with args: contents = 2 Line 12: Normal execution of function `contents` with args: arg = {contents= 2} Normal execution of function `(<)` with args: _ = 2 _ = 10 Normal iteration of loop Line 14: Normal execution of function `contents` with args: arg = {contents= 2} Normal execution of function `contents` with args: arg = {contents= 1} Normal execution of function `(+)` with args: _ = 1 _ = 2 Line 12: Normal execution of function `contents` with args: arg = {contents= 3} Normal execution of function `(<)` with args: _ = 3 _ = 10 Normal iteration of loop Line 14: Normal execution of function `contents` with args: arg = {contents= 3} Normal execution of function `contents` with args: arg = {contents= 1} Normal execution of function `(+)` with args: _ = 1 _ = 3 Line 12: Normal execution of function `contents` with args: arg = {contents= 4} Normal execution of function `(<)` with args: _ = 4 _ = 10 Normal iteration of loop Line 14: Normal execution of function `contents` with args: arg = {contents= 4} Normal execution of function `contents` with args: arg = {contents= 1} Normal execution of function `(+)` with args: _ = 1 _ = 4 Line 12: Normal execution of function `contents` with args: arg = {contents= 5} Normal execution of function `(<)` with args: _ = 5 _ = 10 Normal iteration of loop Line 14: Normal execution of function `contents` with args: arg = {contents= 5} Normal execution of function `contents` with args: arg = {contents= 1} Normal execution of function `(+)` with args: _ = 1 _ = 5 Line 13: Property failure at loop invariant preservation with: a = {contents= 1} b = {contents= 6} File "bench/check-ce/loop_inv_int.mlw", line 34, characters 16-25: Sub-goal Loop invariant init of goal f'vc. Prover result is: Valid. Categorizations of models: - Selected model 0: NC - Concrete RAC: FAILURE (loop invariant preservation at "bench/check-ce/loop_inv_int.mlw", line 34, characters 16-25) - Abstract RAC: FAILURE (loop invariant preservation at "bench/check-ce/loop_inv_int.mlw", line 34, characters 16-25) - Checked model 1: NC - Concrete RAC: FAILURE (loop invariant preservation at "bench/check-ce/loop_inv_int.mlw", line 34, characters 16-25) - Abstract RAC: FAILURE (loop invariant preservation at "bench/check-ce/loop_inv_int.mlw", line 34, characters 16-25) File "bench/check-ce/loop_inv_int.mlw", line 34, characters 16-25: Sub-goal Loop invariant preservation of goal f'vc. Prover result is: Unknown or time/memory/step limit. The program does not comply to the verification goal, for example during the following execution: File int.mlw: Line 13: Constant zero initialization zero = 0 Line 14: Constant one initialization one = 1 File loop_inv_int.mlw: Line 23: Constant a initialization (giant-step) execution of unimplemented function with args: result = 0 Normal execution of function `ref` with args: contents = 0 Normal execution of function `ref'mk` with args: contents = 0 a = {contents= 0} Line 25: Constant b initialization (giant-step) execution of unimplemented function with args: result = 0 Normal execution of function `ref` with args: contents = 0 Normal execution of function `ref'mk` with args: contents = 0 b = {contents= 0} Unknown location: _ = () File loop_inv_int.mlw: Line 27: _ = () Execution of main function `f` with env: a = {contents= 0} b = {contents= 0} _ = () zero = 0 one = 1 Line 33: Normal execution of function `contents` with args: arg = {contents= 2} Normal execution of function `(<)` with args: _ = 2 _ = 10 Normal iteration of loop Line 35: Normal execution of function `contents` with args: arg = {contents= 2} Normal execution of function `contents` with args: arg = {contents= 1} Normal execution of function `(+)` with args: _ = 1 _ = 2 Line 33: Normal execution of function `contents` with args: arg = {contents= 3} Normal execution of function `(<)` with args: _ = 3 _ = 10 Normal iteration of loop Line 35: Normal execution of function `contents` with args: arg = {contents= 3} Normal execution of function `contents` with args: arg = {contents= 1} Normal execution of function `(+)` with args: _ = 1 _ = 3 Line 33: Normal execution of function `contents` with args: arg = {contents= 4} Normal execution of function `(<)` with args: _ = 4 _ = 10 Normal iteration of loop Line 35: Normal execution of function `contents` with args: arg = {contents= 4} Normal execution of function `contents` with args: arg = {contents= 1} Normal execution of function `(+)` with args: _ = 1 _ = 4 Line 33: Normal execution of function `contents` with args: arg = {contents= 5} Normal execution of function `(<)` with args: _ = 5 _ = 10 Normal iteration of loop Line 35: Normal execution of function `contents` with args: arg = {contents= 5} Normal execution of function `contents` with args: arg = {contents= 1} Normal execution of function `(+)` with args: _ = 1 _ = 5 Line 34: Property failure at loop invariant preservation with: a = {contents= 1} b = {contents= 6} File "bench/check-ce/loop_inv_int.mlw", line 29, characters 12-22: Sub-goal Postcondition of goal f'vc. Prover result is: Valid. why3-1.6.0/bench/check-ce/oracles/loop_inv_int_CVC5,1.0.0_SP.oracle000066400000000000000000000163371440160026300242700ustar00rootroot00000000000000File "bench/check-ce/loop_inv_int.mlw", line 13, characters 16-25: Sub-goal Loop invariant init of goal f'vc. Prover result is: Valid. Categorizations of models: - Selected model 0: NC - Concrete RAC: FAILURE (loop invariant preservation at "bench/check-ce/loop_inv_int.mlw", line 13, characters 16-25) - Abstract RAC: FAILURE (loop invariant preservation at "bench/check-ce/loop_inv_int.mlw", line 13, characters 16-25) - Checked model 1: NC - Concrete RAC: FAILURE (loop invariant preservation at "bench/check-ce/loop_inv_int.mlw", line 13, characters 16-25) - Abstract RAC: FAILURE (loop invariant preservation at "bench/check-ce/loop_inv_int.mlw", line 13, characters 16-25) File "bench/check-ce/loop_inv_int.mlw", line 13, characters 16-25: Sub-goal Loop invariant preservation of goal f'vc. Prover result is: Unknown or time/memory/step limit. The program does not comply to the verification goal, for example during the following execution: File int.mlw: Line 13: Constant zero initialization zero = 0 Line 14: Constant one initialization one = 1 Unknown location: _ = () File loop_inv_int.mlw: Line 6: _ = () Execution of main function `f` with env: _ = () zero = 0 one = 1 Line 9: Normal execution of function `ref` with args: contents = 0 Normal execution of function `ref'mk` with args: contents = 0 Line 11: Normal execution of function `ref` with args: contents = 2 Normal execution of function `ref'mk` with args: contents = 2 Line 12: Normal execution of function `contents` with args: arg = {contents= 2} Normal execution of function `(<)` with args: _ = 2 _ = 10 Normal iteration of loop Line 14: Normal execution of function `contents` with args: arg = {contents= 2} Normal execution of function `contents` with args: arg = {contents= 1} Normal execution of function `(+)` with args: _ = 1 _ = 2 Line 12: Normal execution of function `contents` with args: arg = {contents= 3} Normal execution of function `(<)` with args: _ = 3 _ = 10 Normal iteration of loop Line 14: Normal execution of function `contents` with args: arg = {contents= 3} Normal execution of function `contents` with args: arg = {contents= 1} Normal execution of function `(+)` with args: _ = 1 _ = 3 Line 12: Normal execution of function `contents` with args: arg = {contents= 4} Normal execution of function `(<)` with args: _ = 4 _ = 10 Normal iteration of loop Line 14: Normal execution of function `contents` with args: arg = {contents= 4} Normal execution of function `contents` with args: arg = {contents= 1} Normal execution of function `(+)` with args: _ = 1 _ = 4 Line 12: Normal execution of function `contents` with args: arg = {contents= 5} Normal execution of function `(<)` with args: _ = 5 _ = 10 Normal iteration of loop Line 14: Normal execution of function `contents` with args: arg = {contents= 5} Normal execution of function `contents` with args: arg = {contents= 1} Normal execution of function `(+)` with args: _ = 1 _ = 5 Line 13: Property failure at loop invariant preservation with: a = {contents= 1} b = {contents= 6} File "bench/check-ce/loop_inv_int.mlw", line 34, characters 16-25: Sub-goal Loop invariant init of goal f'vc. Prover result is: Valid. Categorizations of models: - Selected model 0: NC - Concrete RAC: FAILURE (loop invariant preservation at "bench/check-ce/loop_inv_int.mlw", line 34, characters 16-25) - Abstract RAC: FAILURE (loop invariant preservation at "bench/check-ce/loop_inv_int.mlw", line 34, characters 16-25) - Checked model 1: NC - Concrete RAC: FAILURE (loop invariant preservation at "bench/check-ce/loop_inv_int.mlw", line 34, characters 16-25) - Abstract RAC: FAILURE (loop invariant preservation at "bench/check-ce/loop_inv_int.mlw", line 34, characters 16-25) File "bench/check-ce/loop_inv_int.mlw", line 34, characters 16-25: Sub-goal Loop invariant preservation of goal f'vc. Prover result is: Unknown or time/memory/step limit. The program does not comply to the verification goal, for example during the following execution: File int.mlw: Line 13: Constant zero initialization zero = 0 Line 14: Constant one initialization one = 1 File loop_inv_int.mlw: Line 23: Constant a initialization (giant-step) execution of unimplemented function with args: result = 0 Normal execution of function `ref` with args: contents = 0 Normal execution of function `ref'mk` with args: contents = 0 a = {contents= 0} Line 25: Constant b initialization (giant-step) execution of unimplemented function with args: result = 0 Normal execution of function `ref` with args: contents = 0 Normal execution of function `ref'mk` with args: contents = 0 b = {contents= 0} Unknown location: _ = () File loop_inv_int.mlw: Line 27: _ = () Execution of main function `f` with env: a = {contents= 0} b = {contents= 0} _ = () zero = 0 one = 1 Line 33: Normal execution of function `contents` with args: arg = {contents= 2} Normal execution of function `(<)` with args: _ = 2 _ = 10 Normal iteration of loop Line 35: Normal execution of function `contents` with args: arg = {contents= 2} Normal execution of function `contents` with args: arg = {contents= 1} Normal execution of function `(+)` with args: _ = 1 _ = 2 Line 33: Normal execution of function `contents` with args: arg = {contents= 3} Normal execution of function `(<)` with args: _ = 3 _ = 10 Normal iteration of loop Line 35: Normal execution of function `contents` with args: arg = {contents= 3} Normal execution of function `contents` with args: arg = {contents= 1} Normal execution of function `(+)` with args: _ = 1 _ = 3 Line 33: Normal execution of function `contents` with args: arg = {contents= 4} Normal execution of function `(<)` with args: _ = 4 _ = 10 Normal iteration of loop Line 35: Normal execution of function `contents` with args: arg = {contents= 4} Normal execution of function `contents` with args: arg = {contents= 1} Normal execution of function `(+)` with args: _ = 1 _ = 4 Line 33: Normal execution of function `contents` with args: arg = {contents= 5} Normal execution of function `(<)` with args: _ = 5 _ = 10 Normal iteration of loop Line 35: Normal execution of function `contents` with args: arg = {contents= 5} Normal execution of function `contents` with args: arg = {contents= 1} Normal execution of function `(+)` with args: _ = 1 _ = 5 Line 34: Property failure at loop invariant preservation with: a = {contents= 1} b = {contents= 6} File "bench/check-ce/loop_inv_int.mlw", line 29, characters 12-22: Sub-goal Postcondition of goal f'vc. Prover result is: Valid. why3-1.6.0/bench/check-ce/oracles/loop_inv_int_CVC5,1.0.0_WP.oracle000066400000000000000000000163371440160026300242740ustar00rootroot00000000000000File "bench/check-ce/loop_inv_int.mlw", line 13, characters 16-25: Sub-goal Loop invariant init of goal f'vc. Prover result is: Valid. Categorizations of models: - Selected model 0: NC - Concrete RAC: FAILURE (loop invariant preservation at "bench/check-ce/loop_inv_int.mlw", line 13, characters 16-25) - Abstract RAC: FAILURE (loop invariant preservation at "bench/check-ce/loop_inv_int.mlw", line 13, characters 16-25) - Checked model 1: NC - Concrete RAC: FAILURE (loop invariant preservation at "bench/check-ce/loop_inv_int.mlw", line 13, characters 16-25) - Abstract RAC: FAILURE (loop invariant preservation at "bench/check-ce/loop_inv_int.mlw", line 13, characters 16-25) File "bench/check-ce/loop_inv_int.mlw", line 13, characters 16-25: Sub-goal Loop invariant preservation of goal f'vc. Prover result is: Unknown or time/memory/step limit. The program does not comply to the verification goal, for example during the following execution: File int.mlw: Line 13: Constant zero initialization zero = 0 Line 14: Constant one initialization one = 1 Unknown location: _ = () File loop_inv_int.mlw: Line 6: _ = () Execution of main function `f` with env: _ = () zero = 0 one = 1 Line 9: Normal execution of function `ref` with args: contents = 0 Normal execution of function `ref'mk` with args: contents = 0 Line 11: Normal execution of function `ref` with args: contents = 2 Normal execution of function `ref'mk` with args: contents = 2 Line 12: Normal execution of function `contents` with args: arg = {contents= 2} Normal execution of function `(<)` with args: _ = 2 _ = 10 Normal iteration of loop Line 14: Normal execution of function `contents` with args: arg = {contents= 2} Normal execution of function `contents` with args: arg = {contents= 1} Normal execution of function `(+)` with args: _ = 1 _ = 2 Line 12: Normal execution of function `contents` with args: arg = {contents= 3} Normal execution of function `(<)` with args: _ = 3 _ = 10 Normal iteration of loop Line 14: Normal execution of function `contents` with args: arg = {contents= 3} Normal execution of function `contents` with args: arg = {contents= 1} Normal execution of function `(+)` with args: _ = 1 _ = 3 Line 12: Normal execution of function `contents` with args: arg = {contents= 4} Normal execution of function `(<)` with args: _ = 4 _ = 10 Normal iteration of loop Line 14: Normal execution of function `contents` with args: arg = {contents= 4} Normal execution of function `contents` with args: arg = {contents= 1} Normal execution of function `(+)` with args: _ = 1 _ = 4 Line 12: Normal execution of function `contents` with args: arg = {contents= 5} Normal execution of function `(<)` with args: _ = 5 _ = 10 Normal iteration of loop Line 14: Normal execution of function `contents` with args: arg = {contents= 5} Normal execution of function `contents` with args: arg = {contents= 1} Normal execution of function `(+)` with args: _ = 1 _ = 5 Line 13: Property failure at loop invariant preservation with: a = {contents= 1} b = {contents= 6} File "bench/check-ce/loop_inv_int.mlw", line 34, characters 16-25: Sub-goal Loop invariant init of goal f'vc. Prover result is: Valid. Categorizations of models: - Selected model 0: NC - Concrete RAC: FAILURE (loop invariant preservation at "bench/check-ce/loop_inv_int.mlw", line 34, characters 16-25) - Abstract RAC: FAILURE (loop invariant preservation at "bench/check-ce/loop_inv_int.mlw", line 34, characters 16-25) - Checked model 1: NC - Concrete RAC: FAILURE (loop invariant preservation at "bench/check-ce/loop_inv_int.mlw", line 34, characters 16-25) - Abstract RAC: FAILURE (loop invariant preservation at "bench/check-ce/loop_inv_int.mlw", line 34, characters 16-25) File "bench/check-ce/loop_inv_int.mlw", line 34, characters 16-25: Sub-goal Loop invariant preservation of goal f'vc. Prover result is: Unknown or time/memory/step limit. The program does not comply to the verification goal, for example during the following execution: File int.mlw: Line 13: Constant zero initialization zero = 0 Line 14: Constant one initialization one = 1 File loop_inv_int.mlw: Line 23: Constant a initialization (giant-step) execution of unimplemented function with args: result = 0 Normal execution of function `ref` with args: contents = 0 Normal execution of function `ref'mk` with args: contents = 0 a = {contents= 0} Line 25: Constant b initialization (giant-step) execution of unimplemented function with args: result = 0 Normal execution of function `ref` with args: contents = 0 Normal execution of function `ref'mk` with args: contents = 0 b = {contents= 0} Unknown location: _ = () File loop_inv_int.mlw: Line 27: _ = () Execution of main function `f` with env: a = {contents= 0} b = {contents= 0} _ = () zero = 0 one = 1 Line 33: Normal execution of function `contents` with args: arg = {contents= 2} Normal execution of function `(<)` with args: _ = 2 _ = 10 Normal iteration of loop Line 35: Normal execution of function `contents` with args: arg = {contents= 2} Normal execution of function `contents` with args: arg = {contents= 1} Normal execution of function `(+)` with args: _ = 1 _ = 2 Line 33: Normal execution of function `contents` with args: arg = {contents= 3} Normal execution of function `(<)` with args: _ = 3 _ = 10 Normal iteration of loop Line 35: Normal execution of function `contents` with args: arg = {contents= 3} Normal execution of function `contents` with args: arg = {contents= 1} Normal execution of function `(+)` with args: _ = 1 _ = 3 Line 33: Normal execution of function `contents` with args: arg = {contents= 4} Normal execution of function `(<)` with args: _ = 4 _ = 10 Normal iteration of loop Line 35: Normal execution of function `contents` with args: arg = {contents= 4} Normal execution of function `contents` with args: arg = {contents= 1} Normal execution of function `(+)` with args: _ = 1 _ = 4 Line 33: Normal execution of function `contents` with args: arg = {contents= 5} Normal execution of function `(<)` with args: _ = 5 _ = 10 Normal iteration of loop Line 35: Normal execution of function `contents` with args: arg = {contents= 5} Normal execution of function `contents` with args: arg = {contents= 1} Normal execution of function `(+)` with args: _ = 1 _ = 5 Line 34: Property failure at loop invariant preservation with: a = {contents= 1} b = {contents= 6} File "bench/check-ce/loop_inv_int.mlw", line 29, characters 12-22: Sub-goal Postcondition of goal f'vc. Prover result is: Valid. why3-1.6.0/bench/check-ce/oracles/loop_inv_int_Z3,4.8.10_SP.oracle000066400000000000000000000164351440160026300241570ustar00rootroot00000000000000File "bench/check-ce/loop_inv_int.mlw", line 13, characters 16-25: Sub-goal Loop invariant init of goal f'vc. Prover result is: Valid. Categorizations of models: - Selected model 0: NC - Concrete RAC: FAILURE (loop invariant preservation at "bench/check-ce/loop_inv_int.mlw", line 13, characters 16-25) - Abstract RAC: FAILURE (loop invariant preservation at "bench/check-ce/loop_inv_int.mlw", line 13, characters 16-25) - Checked model 1: NC - Concrete RAC: FAILURE (loop invariant preservation at "bench/check-ce/loop_inv_int.mlw", line 13, characters 16-25) - Abstract RAC: STUCK (when reaching the end of a loop iteration at "bench/check-ce/loop_inv_int.mlw", line 12, character 2 to line 15, character 6) File "bench/check-ce/loop_inv_int.mlw", line 13, characters 16-25: Sub-goal Loop invariant preservation of goal f'vc. Prover result is: Unknown or time/memory/step limit. The program does not comply to the verification goal, for example during the following execution: File int.mlw: Line 13: Constant zero initialization zero = 0 Line 14: Constant one initialization one = 1 Unknown location: _ = () File loop_inv_int.mlw: Line 6: _ = () Execution of main function `f` with env: _ = () zero = 0 one = 1 Line 9: Normal execution of function `ref` with args: contents = 0 Normal execution of function `ref'mk` with args: contents = 0 Line 11: Normal execution of function `ref` with args: contents = 2 Normal execution of function `ref'mk` with args: contents = 2 Line 12: Normal execution of function `contents` with args: arg = {contents= 2} Normal execution of function `(<)` with args: _ = 2 _ = 10 Normal iteration of loop Line 14: Normal execution of function `contents` with args: arg = {contents= 2} Normal execution of function `contents` with args: arg = {contents= 1} Normal execution of function `(+)` with args: _ = 1 _ = 2 Line 12: Normal execution of function `contents` with args: arg = {contents= 3} Normal execution of function `(<)` with args: _ = 3 _ = 10 Normal iteration of loop Line 14: Normal execution of function `contents` with args: arg = {contents= 3} Normal execution of function `contents` with args: arg = {contents= 1} Normal execution of function `(+)` with args: _ = 1 _ = 3 Line 12: Normal execution of function `contents` with args: arg = {contents= 4} Normal execution of function `(<)` with args: _ = 4 _ = 10 Normal iteration of loop Line 14: Normal execution of function `contents` with args: arg = {contents= 4} Normal execution of function `contents` with args: arg = {contents= 1} Normal execution of function `(+)` with args: _ = 1 _ = 4 Line 12: Normal execution of function `contents` with args: arg = {contents= 5} Normal execution of function `(<)` with args: _ = 5 _ = 10 Normal iteration of loop Line 14: Normal execution of function `contents` with args: arg = {contents= 5} Normal execution of function `contents` with args: arg = {contents= 1} Normal execution of function `(+)` with args: _ = 1 _ = 5 Line 13: Property failure at loop invariant preservation with: a = {contents= 1} b = {contents= 6} File "bench/check-ce/loop_inv_int.mlw", line 34, characters 16-25: Sub-goal Loop invariant init of goal f'vc. Prover result is: Valid. Categorizations of models: - Selected model 0: NC - Concrete RAC: FAILURE (loop invariant preservation at "bench/check-ce/loop_inv_int.mlw", line 34, characters 16-25) - Abstract RAC: FAILURE (loop invariant preservation at "bench/check-ce/loop_inv_int.mlw", line 34, characters 16-25) - Checked model 1: NC - Concrete RAC: FAILURE (loop invariant preservation at "bench/check-ce/loop_inv_int.mlw", line 34, characters 16-25) - Abstract RAC: STUCK (when reaching the end of a loop iteration at "bench/check-ce/loop_inv_int.mlw", line 33, character 2 to line 36, character 6) File "bench/check-ce/loop_inv_int.mlw", line 34, characters 16-25: Sub-goal Loop invariant preservation of goal f'vc. Prover result is: Unknown or time/memory/step limit. The program does not comply to the verification goal, for example during the following execution: File int.mlw: Line 13: Constant zero initialization zero = 0 Line 14: Constant one initialization one = 1 File loop_inv_int.mlw: Line 23: Constant a initialization (giant-step) execution of unimplemented function with args: result = 0 Normal execution of function `ref` with args: contents = 0 Normal execution of function `ref'mk` with args: contents = 0 a = {contents= 0} Line 25: Constant b initialization (giant-step) execution of unimplemented function with args: result = 0 Normal execution of function `ref` with args: contents = 0 Normal execution of function `ref'mk` with args: contents = 0 b = {contents= 0} Unknown location: _ = () File loop_inv_int.mlw: Line 27: _ = () Execution of main function `f` with env: a = {contents= 0} b = {contents= 0} _ = () zero = 0 one = 1 Line 33: Normal execution of function `contents` with args: arg = {contents= 2} Normal execution of function `(<)` with args: _ = 2 _ = 10 Normal iteration of loop Line 35: Normal execution of function `contents` with args: arg = {contents= 2} Normal execution of function `contents` with args: arg = {contents= 1} Normal execution of function `(+)` with args: _ = 1 _ = 2 Line 33: Normal execution of function `contents` with args: arg = {contents= 3} Normal execution of function `(<)` with args: _ = 3 _ = 10 Normal iteration of loop Line 35: Normal execution of function `contents` with args: arg = {contents= 3} Normal execution of function `contents` with args: arg = {contents= 1} Normal execution of function `(+)` with args: _ = 1 _ = 3 Line 33: Normal execution of function `contents` with args: arg = {contents= 4} Normal execution of function `(<)` with args: _ = 4 _ = 10 Normal iteration of loop Line 35: Normal execution of function `contents` with args: arg = {contents= 4} Normal execution of function `contents` with args: arg = {contents= 1} Normal execution of function `(+)` with args: _ = 1 _ = 4 Line 33: Normal execution of function `contents` with args: arg = {contents= 5} Normal execution of function `(<)` with args: _ = 5 _ = 10 Normal iteration of loop Line 35: Normal execution of function `contents` with args: arg = {contents= 5} Normal execution of function `contents` with args: arg = {contents= 1} Normal execution of function `(+)` with args: _ = 1 _ = 5 Line 34: Property failure at loop invariant preservation with: a = {contents= 1} b = {contents= 6} File "bench/check-ce/loop_inv_int.mlw", line 29, characters 12-22: Sub-goal Postcondition of goal f'vc. Prover result is: Valid. why3-1.6.0/bench/check-ce/oracles/loop_inv_int_Z3,4.8.10_WP.oracle000066400000000000000000000164351440160026300241630ustar00rootroot00000000000000File "bench/check-ce/loop_inv_int.mlw", line 13, characters 16-25: Sub-goal Loop invariant init of goal f'vc. Prover result is: Valid. Categorizations of models: - Selected model 0: NC - Concrete RAC: FAILURE (loop invariant preservation at "bench/check-ce/loop_inv_int.mlw", line 13, characters 16-25) - Abstract RAC: FAILURE (loop invariant preservation at "bench/check-ce/loop_inv_int.mlw", line 13, characters 16-25) - Checked model 1: NC - Concrete RAC: FAILURE (loop invariant preservation at "bench/check-ce/loop_inv_int.mlw", line 13, characters 16-25) - Abstract RAC: STUCK (when reaching the end of a loop iteration at "bench/check-ce/loop_inv_int.mlw", line 12, character 2 to line 15, character 6) File "bench/check-ce/loop_inv_int.mlw", line 13, characters 16-25: Sub-goal Loop invariant preservation of goal f'vc. Prover result is: Unknown or time/memory/step limit. The program does not comply to the verification goal, for example during the following execution: File int.mlw: Line 13: Constant zero initialization zero = 0 Line 14: Constant one initialization one = 1 Unknown location: _ = () File loop_inv_int.mlw: Line 6: _ = () Execution of main function `f` with env: _ = () zero = 0 one = 1 Line 9: Normal execution of function `ref` with args: contents = 0 Normal execution of function `ref'mk` with args: contents = 0 Line 11: Normal execution of function `ref` with args: contents = 2 Normal execution of function `ref'mk` with args: contents = 2 Line 12: Normal execution of function `contents` with args: arg = {contents= 2} Normal execution of function `(<)` with args: _ = 2 _ = 10 Normal iteration of loop Line 14: Normal execution of function `contents` with args: arg = {contents= 2} Normal execution of function `contents` with args: arg = {contents= 1} Normal execution of function `(+)` with args: _ = 1 _ = 2 Line 12: Normal execution of function `contents` with args: arg = {contents= 3} Normal execution of function `(<)` with args: _ = 3 _ = 10 Normal iteration of loop Line 14: Normal execution of function `contents` with args: arg = {contents= 3} Normal execution of function `contents` with args: arg = {contents= 1} Normal execution of function `(+)` with args: _ = 1 _ = 3 Line 12: Normal execution of function `contents` with args: arg = {contents= 4} Normal execution of function `(<)` with args: _ = 4 _ = 10 Normal iteration of loop Line 14: Normal execution of function `contents` with args: arg = {contents= 4} Normal execution of function `contents` with args: arg = {contents= 1} Normal execution of function `(+)` with args: _ = 1 _ = 4 Line 12: Normal execution of function `contents` with args: arg = {contents= 5} Normal execution of function `(<)` with args: _ = 5 _ = 10 Normal iteration of loop Line 14: Normal execution of function `contents` with args: arg = {contents= 5} Normal execution of function `contents` with args: arg = {contents= 1} Normal execution of function `(+)` with args: _ = 1 _ = 5 Line 13: Property failure at loop invariant preservation with: a = {contents= 1} b = {contents= 6} File "bench/check-ce/loop_inv_int.mlw", line 34, characters 16-25: Sub-goal Loop invariant init of goal f'vc. Prover result is: Valid. Categorizations of models: - Selected model 0: NC - Concrete RAC: FAILURE (loop invariant preservation at "bench/check-ce/loop_inv_int.mlw", line 34, characters 16-25) - Abstract RAC: FAILURE (loop invariant preservation at "bench/check-ce/loop_inv_int.mlw", line 34, characters 16-25) - Checked model 1: NC - Concrete RAC: FAILURE (loop invariant preservation at "bench/check-ce/loop_inv_int.mlw", line 34, characters 16-25) - Abstract RAC: STUCK (when reaching the end of a loop iteration at "bench/check-ce/loop_inv_int.mlw", line 33, character 2 to line 36, character 6) File "bench/check-ce/loop_inv_int.mlw", line 34, characters 16-25: Sub-goal Loop invariant preservation of goal f'vc. Prover result is: Unknown or time/memory/step limit. The program does not comply to the verification goal, for example during the following execution: File int.mlw: Line 13: Constant zero initialization zero = 0 Line 14: Constant one initialization one = 1 File loop_inv_int.mlw: Line 23: Constant a initialization (giant-step) execution of unimplemented function with args: result = 0 Normal execution of function `ref` with args: contents = 0 Normal execution of function `ref'mk` with args: contents = 0 a = {contents= 0} Line 25: Constant b initialization (giant-step) execution of unimplemented function with args: result = 0 Normal execution of function `ref` with args: contents = 0 Normal execution of function `ref'mk` with args: contents = 0 b = {contents= 0} Unknown location: _ = () File loop_inv_int.mlw: Line 27: _ = () Execution of main function `f` with env: a = {contents= 0} b = {contents= 0} _ = () zero = 0 one = 1 Line 33: Normal execution of function `contents` with args: arg = {contents= 2} Normal execution of function `(<)` with args: _ = 2 _ = 10 Normal iteration of loop Line 35: Normal execution of function `contents` with args: arg = {contents= 2} Normal execution of function `contents` with args: arg = {contents= 1} Normal execution of function `(+)` with args: _ = 1 _ = 2 Line 33: Normal execution of function `contents` with args: arg = {contents= 3} Normal execution of function `(<)` with args: _ = 3 _ = 10 Normal iteration of loop Line 35: Normal execution of function `contents` with args: arg = {contents= 3} Normal execution of function `contents` with args: arg = {contents= 1} Normal execution of function `(+)` with args: _ = 1 _ = 3 Line 33: Normal execution of function `contents` with args: arg = {contents= 4} Normal execution of function `(<)` with args: _ = 4 _ = 10 Normal iteration of loop Line 35: Normal execution of function `contents` with args: arg = {contents= 4} Normal execution of function `contents` with args: arg = {contents= 1} Normal execution of function `(+)` with args: _ = 1 _ = 4 Line 33: Normal execution of function `contents` with args: arg = {contents= 5} Normal execution of function `(<)` with args: _ = 5 _ = 10 Normal iteration of loop Line 35: Normal execution of function `contents` with args: arg = {contents= 5} Normal execution of function `contents` with args: arg = {contents= 1} Normal execution of function `(+)` with args: _ = 1 _ = 5 Line 34: Property failure at loop invariant preservation with: a = {contents= 1} b = {contents= 6} File "bench/check-ce/loop_inv_int.mlw", line 29, characters 12-22: Sub-goal Postcondition of goal f'vc. Prover result is: Valid. why3-1.6.0/bench/check-ce/oracles/loop_inv_int_mono_CVC4,1.8_SP.oracle000066400000000000000000000147501440160026300251660ustar00rootroot00000000000000File "bench/check-ce/loop_inv_int_mono.mlw", line 15, characters 16-29: Sub-goal Loop invariant init of goal f'vc. Prover result is: Valid. Categorizations of models: - Selected model 0: NC - Concrete RAC: FAILURE (loop invariant preservation at "bench/check-ce/loop_inv_int_mono.mlw", line 15, characters 16-29) - Abstract RAC: FAILURE (loop invariant preservation at "bench/check-ce/loop_inv_int_mono.mlw", line 15, characters 16-29) - Checked model 1: NC - Concrete RAC: FAILURE (loop invariant preservation at "bench/check-ce/loop_inv_int_mono.mlw", line 15, characters 16-29) - Abstract RAC: FAILURE (loop invariant preservation at "bench/check-ce/loop_inv_int_mono.mlw", line 15, characters 16-29) File "bench/check-ce/loop_inv_int_mono.mlw", line 15, characters 16-29: Sub-goal Loop invariant preservation of goal f'vc. Prover result is: Unknown (sat). The program does not comply to the verification goal, for example during the following execution: File int.mlw: Line 13: Constant zero initialization zero = 0 Line 14: Constant one initialization one = 1 Unknown location: _ = () File loop_inv_int_mono.mlw: Line 8: _ = () Execution of main function `f` with env: _ = () zero = 0 one = 1 Line 11: Normal execution of function `t'mk` with args: c = 0 Line 13: Normal execution of function `t'mk` with args: c = 2 Line 14: Normal execution of function `c` with args: arg = {c= 2} Normal execution of function `(<)` with args: _ = 2 _ = 10 Normal iteration of loop Line 16: Normal execution of function `c` with args: arg = {c= 2} Normal execution of function `c` with args: arg = {c= 1} Normal execution of function `(+)` with args: _ = 1 _ = 2 Line 14: Normal execution of function `c` with args: arg = {c= 3} Normal execution of function `(<)` with args: _ = 3 _ = 10 Normal iteration of loop Line 16: Normal execution of function `c` with args: arg = {c= 3} Normal execution of function `c` with args: arg = {c= 1} Normal execution of function `(+)` with args: _ = 1 _ = 3 Line 14: Normal execution of function `c` with args: arg = {c= 4} Normal execution of function `(<)` with args: _ = 4 _ = 10 Normal iteration of loop Line 16: Normal execution of function `c` with args: arg = {c= 4} Normal execution of function `c` with args: arg = {c= 1} Normal execution of function `(+)` with args: _ = 1 _ = 4 Line 14: Normal execution of function `c` with args: arg = {c= 5} Normal execution of function `(<)` with args: _ = 5 _ = 10 Normal iteration of loop Line 16: Normal execution of function `c` with args: arg = {c= 5} Normal execution of function `c` with args: arg = {c= 1} Normal execution of function `(+)` with args: _ = 1 _ = 5 Line 15: Property failure at loop invariant preservation with: a = {c= 1} b = {c= 6} File "bench/check-ce/loop_inv_int_mono.mlw", line 38, characters 16-29: Sub-goal Loop invariant init of goal f'vc. Prover result is: Valid. Categorizations of models: - Selected model 0: NC - Concrete RAC: FAILURE (loop invariant preservation at "bench/check-ce/loop_inv_int_mono.mlw", line 38, characters 16-29) - Abstract RAC: FAILURE (loop invariant preservation at "bench/check-ce/loop_inv_int_mono.mlw", line 38, characters 16-29) - Checked model 1: NC - Concrete RAC: FAILURE (loop invariant preservation at "bench/check-ce/loop_inv_int_mono.mlw", line 38, characters 16-29) - Abstract RAC: FAILURE (loop invariant preservation at "bench/check-ce/loop_inv_int_mono.mlw", line 38, characters 16-29) File "bench/check-ce/loop_inv_int_mono.mlw", line 38, characters 16-29: Sub-goal Loop invariant preservation of goal f'vc. Prover result is: Unknown (sat). The program does not comply to the verification goal, for example during the following execution: File int.mlw: Line 13: Constant zero initialization zero = 0 Line 14: Constant one initialization one = 1 File loop_inv_int_mono.mlw: Line 27: Constant a initialization (giant-step) execution of unimplemented function with args: result = {c1= 0} a = {c1= 0} Line 29: Constant b initialization (giant-step) execution of unimplemented function with args: result = {c1= 0} b = {c1= 0} Unknown location: _ = () File loop_inv_int_mono.mlw: Line 31: _ = () Execution of main function `f` with env: a = {c1= 0} b = {c1= 0} _ = () zero = 0 one = 1 Line 37: Normal execution of function `c` with args: arg = {c1= 2} Normal execution of function `(<)` with args: _ = 2 _ = 10 Normal iteration of loop Line 39: Normal execution of function `c` with args: arg = {c1= 2} Normal execution of function `c` with args: arg = {c1= 1} Normal execution of function `(+)` with args: _ = 1 _ = 2 Line 37: Normal execution of function `c` with args: arg = {c1= 3} Normal execution of function `(<)` with args: _ = 3 _ = 10 Normal iteration of loop Line 39: Normal execution of function `c` with args: arg = {c1= 3} Normal execution of function `c` with args: arg = {c1= 1} Normal execution of function `(+)` with args: _ = 1 _ = 3 Line 37: Normal execution of function `c` with args: arg = {c1= 4} Normal execution of function `(<)` with args: _ = 4 _ = 10 Normal iteration of loop Line 39: Normal execution of function `c` with args: arg = {c1= 4} Normal execution of function `c` with args: arg = {c1= 1} Normal execution of function `(+)` with args: _ = 1 _ = 4 Line 37: Normal execution of function `c` with args: arg = {c1= 5} Normal execution of function `(<)` with args: _ = 5 _ = 10 Normal iteration of loop Line 39: Normal execution of function `c` with args: arg = {c1= 5} Normal execution of function `c` with args: arg = {c1= 1} Normal execution of function `(+)` with args: _ = 1 _ = 5 Line 38: Property failure at loop invariant preservation with: a = {c1= 1} b = {c1= 6} File "bench/check-ce/loop_inv_int_mono.mlw", line 33, characters 12-24: Sub-goal Postcondition of goal f'vc. Prover result is: Valid. why3-1.6.0/bench/check-ce/oracles/loop_inv_int_mono_CVC4,1.8_WP.oracle000066400000000000000000000147501440160026300251720ustar00rootroot00000000000000File "bench/check-ce/loop_inv_int_mono.mlw", line 15, characters 16-29: Sub-goal Loop invariant init of goal f'vc. Prover result is: Valid. Categorizations of models: - Selected model 0: NC - Concrete RAC: FAILURE (loop invariant preservation at "bench/check-ce/loop_inv_int_mono.mlw", line 15, characters 16-29) - Abstract RAC: FAILURE (loop invariant preservation at "bench/check-ce/loop_inv_int_mono.mlw", line 15, characters 16-29) - Checked model 1: NC - Concrete RAC: FAILURE (loop invariant preservation at "bench/check-ce/loop_inv_int_mono.mlw", line 15, characters 16-29) - Abstract RAC: FAILURE (loop invariant preservation at "bench/check-ce/loop_inv_int_mono.mlw", line 15, characters 16-29) File "bench/check-ce/loop_inv_int_mono.mlw", line 15, characters 16-29: Sub-goal Loop invariant preservation of goal f'vc. Prover result is: Unknown (sat). The program does not comply to the verification goal, for example during the following execution: File int.mlw: Line 13: Constant zero initialization zero = 0 Line 14: Constant one initialization one = 1 Unknown location: _ = () File loop_inv_int_mono.mlw: Line 8: _ = () Execution of main function `f` with env: _ = () zero = 0 one = 1 Line 11: Normal execution of function `t'mk` with args: c = 0 Line 13: Normal execution of function `t'mk` with args: c = 2 Line 14: Normal execution of function `c` with args: arg = {c= 2} Normal execution of function `(<)` with args: _ = 2 _ = 10 Normal iteration of loop Line 16: Normal execution of function `c` with args: arg = {c= 2} Normal execution of function `c` with args: arg = {c= 1} Normal execution of function `(+)` with args: _ = 1 _ = 2 Line 14: Normal execution of function `c` with args: arg = {c= 3} Normal execution of function `(<)` with args: _ = 3 _ = 10 Normal iteration of loop Line 16: Normal execution of function `c` with args: arg = {c= 3} Normal execution of function `c` with args: arg = {c= 1} Normal execution of function `(+)` with args: _ = 1 _ = 3 Line 14: Normal execution of function `c` with args: arg = {c= 4} Normal execution of function `(<)` with args: _ = 4 _ = 10 Normal iteration of loop Line 16: Normal execution of function `c` with args: arg = {c= 4} Normal execution of function `c` with args: arg = {c= 1} Normal execution of function `(+)` with args: _ = 1 _ = 4 Line 14: Normal execution of function `c` with args: arg = {c= 5} Normal execution of function `(<)` with args: _ = 5 _ = 10 Normal iteration of loop Line 16: Normal execution of function `c` with args: arg = {c= 5} Normal execution of function `c` with args: arg = {c= 1} Normal execution of function `(+)` with args: _ = 1 _ = 5 Line 15: Property failure at loop invariant preservation with: a = {c= 1} b = {c= 6} File "bench/check-ce/loop_inv_int_mono.mlw", line 38, characters 16-29: Sub-goal Loop invariant init of goal f'vc. Prover result is: Valid. Categorizations of models: - Selected model 0: NC - Concrete RAC: FAILURE (loop invariant preservation at "bench/check-ce/loop_inv_int_mono.mlw", line 38, characters 16-29) - Abstract RAC: FAILURE (loop invariant preservation at "bench/check-ce/loop_inv_int_mono.mlw", line 38, characters 16-29) - Checked model 1: NC - Concrete RAC: FAILURE (loop invariant preservation at "bench/check-ce/loop_inv_int_mono.mlw", line 38, characters 16-29) - Abstract RAC: FAILURE (loop invariant preservation at "bench/check-ce/loop_inv_int_mono.mlw", line 38, characters 16-29) File "bench/check-ce/loop_inv_int_mono.mlw", line 38, characters 16-29: Sub-goal Loop invariant preservation of goal f'vc. Prover result is: Unknown (sat). The program does not comply to the verification goal, for example during the following execution: File int.mlw: Line 13: Constant zero initialization zero = 0 Line 14: Constant one initialization one = 1 File loop_inv_int_mono.mlw: Line 27: Constant a initialization (giant-step) execution of unimplemented function with args: result = {c1= 0} a = {c1= 0} Line 29: Constant b initialization (giant-step) execution of unimplemented function with args: result = {c1= 0} b = {c1= 0} Unknown location: _ = () File loop_inv_int_mono.mlw: Line 31: _ = () Execution of main function `f` with env: a = {c1= 0} b = {c1= 0} _ = () zero = 0 one = 1 Line 37: Normal execution of function `c` with args: arg = {c1= 2} Normal execution of function `(<)` with args: _ = 2 _ = 10 Normal iteration of loop Line 39: Normal execution of function `c` with args: arg = {c1= 2} Normal execution of function `c` with args: arg = {c1= 1} Normal execution of function `(+)` with args: _ = 1 _ = 2 Line 37: Normal execution of function `c` with args: arg = {c1= 3} Normal execution of function `(<)` with args: _ = 3 _ = 10 Normal iteration of loop Line 39: Normal execution of function `c` with args: arg = {c1= 3} Normal execution of function `c` with args: arg = {c1= 1} Normal execution of function `(+)` with args: _ = 1 _ = 3 Line 37: Normal execution of function `c` with args: arg = {c1= 4} Normal execution of function `(<)` with args: _ = 4 _ = 10 Normal iteration of loop Line 39: Normal execution of function `c` with args: arg = {c1= 4} Normal execution of function `c` with args: arg = {c1= 1} Normal execution of function `(+)` with args: _ = 1 _ = 4 Line 37: Normal execution of function `c` with args: arg = {c1= 5} Normal execution of function `(<)` with args: _ = 5 _ = 10 Normal iteration of loop Line 39: Normal execution of function `c` with args: arg = {c1= 5} Normal execution of function `c` with args: arg = {c1= 1} Normal execution of function `(+)` with args: _ = 1 _ = 5 Line 38: Property failure at loop invariant preservation with: a = {c1= 1} b = {c1= 6} File "bench/check-ce/loop_inv_int_mono.mlw", line 33, characters 12-24: Sub-goal Postcondition of goal f'vc. Prover result is: Valid. why3-1.6.0/bench/check-ce/oracles/loop_inv_int_mono_CVC5,1.0.0_SP.oracle000066400000000000000000000147501440160026300253150ustar00rootroot00000000000000File "bench/check-ce/loop_inv_int_mono.mlw", line 15, characters 16-29: Sub-goal Loop invariant init of goal f'vc. Prover result is: Valid. Categorizations of models: - Selected model 0: NC - Concrete RAC: FAILURE (loop invariant preservation at "bench/check-ce/loop_inv_int_mono.mlw", line 15, characters 16-29) - Abstract RAC: FAILURE (loop invariant preservation at "bench/check-ce/loop_inv_int_mono.mlw", line 15, characters 16-29) - Checked model 1: NC - Concrete RAC: FAILURE (loop invariant preservation at "bench/check-ce/loop_inv_int_mono.mlw", line 15, characters 16-29) - Abstract RAC: FAILURE (loop invariant preservation at "bench/check-ce/loop_inv_int_mono.mlw", line 15, characters 16-29) File "bench/check-ce/loop_inv_int_mono.mlw", line 15, characters 16-29: Sub-goal Loop invariant preservation of goal f'vc. Prover result is: Unknown (sat). The program does not comply to the verification goal, for example during the following execution: File int.mlw: Line 13: Constant zero initialization zero = 0 Line 14: Constant one initialization one = 1 Unknown location: _ = () File loop_inv_int_mono.mlw: Line 8: _ = () Execution of main function `f` with env: _ = () zero = 0 one = 1 Line 11: Normal execution of function `t'mk` with args: c = 0 Line 13: Normal execution of function `t'mk` with args: c = 2 Line 14: Normal execution of function `c` with args: arg = {c= 2} Normal execution of function `(<)` with args: _ = 2 _ = 10 Normal iteration of loop Line 16: Normal execution of function `c` with args: arg = {c= 2} Normal execution of function `c` with args: arg = {c= 1} Normal execution of function `(+)` with args: _ = 1 _ = 2 Line 14: Normal execution of function `c` with args: arg = {c= 3} Normal execution of function `(<)` with args: _ = 3 _ = 10 Normal iteration of loop Line 16: Normal execution of function `c` with args: arg = {c= 3} Normal execution of function `c` with args: arg = {c= 1} Normal execution of function `(+)` with args: _ = 1 _ = 3 Line 14: Normal execution of function `c` with args: arg = {c= 4} Normal execution of function `(<)` with args: _ = 4 _ = 10 Normal iteration of loop Line 16: Normal execution of function `c` with args: arg = {c= 4} Normal execution of function `c` with args: arg = {c= 1} Normal execution of function `(+)` with args: _ = 1 _ = 4 Line 14: Normal execution of function `c` with args: arg = {c= 5} Normal execution of function `(<)` with args: _ = 5 _ = 10 Normal iteration of loop Line 16: Normal execution of function `c` with args: arg = {c= 5} Normal execution of function `c` with args: arg = {c= 1} Normal execution of function `(+)` with args: _ = 1 _ = 5 Line 15: Property failure at loop invariant preservation with: a = {c= 1} b = {c= 6} File "bench/check-ce/loop_inv_int_mono.mlw", line 38, characters 16-29: Sub-goal Loop invariant init of goal f'vc. Prover result is: Valid. Categorizations of models: - Selected model 0: NC - Concrete RAC: FAILURE (loop invariant preservation at "bench/check-ce/loop_inv_int_mono.mlw", line 38, characters 16-29) - Abstract RAC: FAILURE (loop invariant preservation at "bench/check-ce/loop_inv_int_mono.mlw", line 38, characters 16-29) - Checked model 1: NC - Concrete RAC: FAILURE (loop invariant preservation at "bench/check-ce/loop_inv_int_mono.mlw", line 38, characters 16-29) - Abstract RAC: FAILURE (loop invariant preservation at "bench/check-ce/loop_inv_int_mono.mlw", line 38, characters 16-29) File "bench/check-ce/loop_inv_int_mono.mlw", line 38, characters 16-29: Sub-goal Loop invariant preservation of goal f'vc. Prover result is: Unknown (sat). The program does not comply to the verification goal, for example during the following execution: File int.mlw: Line 13: Constant zero initialization zero = 0 Line 14: Constant one initialization one = 1 File loop_inv_int_mono.mlw: Line 27: Constant a initialization (giant-step) execution of unimplemented function with args: result = {c1= 0} a = {c1= 0} Line 29: Constant b initialization (giant-step) execution of unimplemented function with args: result = {c1= 0} b = {c1= 0} Unknown location: _ = () File loop_inv_int_mono.mlw: Line 31: _ = () Execution of main function `f` with env: a = {c1= 0} b = {c1= 0} _ = () zero = 0 one = 1 Line 37: Normal execution of function `c` with args: arg = {c1= 2} Normal execution of function `(<)` with args: _ = 2 _ = 10 Normal iteration of loop Line 39: Normal execution of function `c` with args: arg = {c1= 2} Normal execution of function `c` with args: arg = {c1= 1} Normal execution of function `(+)` with args: _ = 1 _ = 2 Line 37: Normal execution of function `c` with args: arg = {c1= 3} Normal execution of function `(<)` with args: _ = 3 _ = 10 Normal iteration of loop Line 39: Normal execution of function `c` with args: arg = {c1= 3} Normal execution of function `c` with args: arg = {c1= 1} Normal execution of function `(+)` with args: _ = 1 _ = 3 Line 37: Normal execution of function `c` with args: arg = {c1= 4} Normal execution of function `(<)` with args: _ = 4 _ = 10 Normal iteration of loop Line 39: Normal execution of function `c` with args: arg = {c1= 4} Normal execution of function `c` with args: arg = {c1= 1} Normal execution of function `(+)` with args: _ = 1 _ = 4 Line 37: Normal execution of function `c` with args: arg = {c1= 5} Normal execution of function `(<)` with args: _ = 5 _ = 10 Normal iteration of loop Line 39: Normal execution of function `c` with args: arg = {c1= 5} Normal execution of function `c` with args: arg = {c1= 1} Normal execution of function `(+)` with args: _ = 1 _ = 5 Line 38: Property failure at loop invariant preservation with: a = {c1= 1} b = {c1= 6} File "bench/check-ce/loop_inv_int_mono.mlw", line 33, characters 12-24: Sub-goal Postcondition of goal f'vc. Prover result is: Valid. why3-1.6.0/bench/check-ce/oracles/loop_inv_int_mono_CVC5,1.0.0_WP.oracle000066400000000000000000000147501440160026300253210ustar00rootroot00000000000000File "bench/check-ce/loop_inv_int_mono.mlw", line 15, characters 16-29: Sub-goal Loop invariant init of goal f'vc. Prover result is: Valid. Categorizations of models: - Selected model 0: NC - Concrete RAC: FAILURE (loop invariant preservation at "bench/check-ce/loop_inv_int_mono.mlw", line 15, characters 16-29) - Abstract RAC: FAILURE (loop invariant preservation at "bench/check-ce/loop_inv_int_mono.mlw", line 15, characters 16-29) - Checked model 1: NC - Concrete RAC: FAILURE (loop invariant preservation at "bench/check-ce/loop_inv_int_mono.mlw", line 15, characters 16-29) - Abstract RAC: FAILURE (loop invariant preservation at "bench/check-ce/loop_inv_int_mono.mlw", line 15, characters 16-29) File "bench/check-ce/loop_inv_int_mono.mlw", line 15, characters 16-29: Sub-goal Loop invariant preservation of goal f'vc. Prover result is: Unknown (sat). The program does not comply to the verification goal, for example during the following execution: File int.mlw: Line 13: Constant zero initialization zero = 0 Line 14: Constant one initialization one = 1 Unknown location: _ = () File loop_inv_int_mono.mlw: Line 8: _ = () Execution of main function `f` with env: _ = () zero = 0 one = 1 Line 11: Normal execution of function `t'mk` with args: c = 0 Line 13: Normal execution of function `t'mk` with args: c = 2 Line 14: Normal execution of function `c` with args: arg = {c= 2} Normal execution of function `(<)` with args: _ = 2 _ = 10 Normal iteration of loop Line 16: Normal execution of function `c` with args: arg = {c= 2} Normal execution of function `c` with args: arg = {c= 1} Normal execution of function `(+)` with args: _ = 1 _ = 2 Line 14: Normal execution of function `c` with args: arg = {c= 3} Normal execution of function `(<)` with args: _ = 3 _ = 10 Normal iteration of loop Line 16: Normal execution of function `c` with args: arg = {c= 3} Normal execution of function `c` with args: arg = {c= 1} Normal execution of function `(+)` with args: _ = 1 _ = 3 Line 14: Normal execution of function `c` with args: arg = {c= 4} Normal execution of function `(<)` with args: _ = 4 _ = 10 Normal iteration of loop Line 16: Normal execution of function `c` with args: arg = {c= 4} Normal execution of function `c` with args: arg = {c= 1} Normal execution of function `(+)` with args: _ = 1 _ = 4 Line 14: Normal execution of function `c` with args: arg = {c= 5} Normal execution of function `(<)` with args: _ = 5 _ = 10 Normal iteration of loop Line 16: Normal execution of function `c` with args: arg = {c= 5} Normal execution of function `c` with args: arg = {c= 1} Normal execution of function `(+)` with args: _ = 1 _ = 5 Line 15: Property failure at loop invariant preservation with: a = {c= 1} b = {c= 6} File "bench/check-ce/loop_inv_int_mono.mlw", line 38, characters 16-29: Sub-goal Loop invariant init of goal f'vc. Prover result is: Valid. Categorizations of models: - Selected model 0: NC - Concrete RAC: FAILURE (loop invariant preservation at "bench/check-ce/loop_inv_int_mono.mlw", line 38, characters 16-29) - Abstract RAC: FAILURE (loop invariant preservation at "bench/check-ce/loop_inv_int_mono.mlw", line 38, characters 16-29) - Checked model 1: NC - Concrete RAC: FAILURE (loop invariant preservation at "bench/check-ce/loop_inv_int_mono.mlw", line 38, characters 16-29) - Abstract RAC: FAILURE (loop invariant preservation at "bench/check-ce/loop_inv_int_mono.mlw", line 38, characters 16-29) File "bench/check-ce/loop_inv_int_mono.mlw", line 38, characters 16-29: Sub-goal Loop invariant preservation of goal f'vc. Prover result is: Unknown (sat). The program does not comply to the verification goal, for example during the following execution: File int.mlw: Line 13: Constant zero initialization zero = 0 Line 14: Constant one initialization one = 1 File loop_inv_int_mono.mlw: Line 27: Constant a initialization (giant-step) execution of unimplemented function with args: result = {c1= 0} a = {c1= 0} Line 29: Constant b initialization (giant-step) execution of unimplemented function with args: result = {c1= 0} b = {c1= 0} Unknown location: _ = () File loop_inv_int_mono.mlw: Line 31: _ = () Execution of main function `f` with env: a = {c1= 0} b = {c1= 0} _ = () zero = 0 one = 1 Line 37: Normal execution of function `c` with args: arg = {c1= 2} Normal execution of function `(<)` with args: _ = 2 _ = 10 Normal iteration of loop Line 39: Normal execution of function `c` with args: arg = {c1= 2} Normal execution of function `c` with args: arg = {c1= 1} Normal execution of function `(+)` with args: _ = 1 _ = 2 Line 37: Normal execution of function `c` with args: arg = {c1= 3} Normal execution of function `(<)` with args: _ = 3 _ = 10 Normal iteration of loop Line 39: Normal execution of function `c` with args: arg = {c1= 3} Normal execution of function `c` with args: arg = {c1= 1} Normal execution of function `(+)` with args: _ = 1 _ = 3 Line 37: Normal execution of function `c` with args: arg = {c1= 4} Normal execution of function `(<)` with args: _ = 4 _ = 10 Normal iteration of loop Line 39: Normal execution of function `c` with args: arg = {c1= 4} Normal execution of function `c` with args: arg = {c1= 1} Normal execution of function `(+)` with args: _ = 1 _ = 4 Line 37: Normal execution of function `c` with args: arg = {c1= 5} Normal execution of function `(<)` with args: _ = 5 _ = 10 Normal iteration of loop Line 39: Normal execution of function `c` with args: arg = {c1= 5} Normal execution of function `c` with args: arg = {c1= 1} Normal execution of function `(+)` with args: _ = 1 _ = 5 Line 38: Property failure at loop invariant preservation with: a = {c1= 1} b = {c1= 6} File "bench/check-ce/loop_inv_int_mono.mlw", line 33, characters 12-24: Sub-goal Postcondition of goal f'vc. Prover result is: Valid. why3-1.6.0/bench/check-ce/oracles/loop_inv_int_mono_Z3,4.8.10_SP.oracle000066400000000000000000000147501440160026300252050ustar00rootroot00000000000000File "bench/check-ce/loop_inv_int_mono.mlw", line 15, characters 16-29: Sub-goal Loop invariant init of goal f'vc. Prover result is: Valid. Categorizations of models: - Selected model 0: NC - Concrete RAC: FAILURE (loop invariant preservation at "bench/check-ce/loop_inv_int_mono.mlw", line 15, characters 16-29) - Abstract RAC: FAILURE (loop invariant preservation at "bench/check-ce/loop_inv_int_mono.mlw", line 15, characters 16-29) - Checked model 1: NC - Concrete RAC: FAILURE (loop invariant preservation at "bench/check-ce/loop_inv_int_mono.mlw", line 15, characters 16-29) - Abstract RAC: FAILURE (loop invariant preservation at "bench/check-ce/loop_inv_int_mono.mlw", line 15, characters 16-29) File "bench/check-ce/loop_inv_int_mono.mlw", line 15, characters 16-29: Sub-goal Loop invariant preservation of goal f'vc. Prover result is: Unknown (sat). The program does not comply to the verification goal, for example during the following execution: File int.mlw: Line 13: Constant zero initialization zero = 0 Line 14: Constant one initialization one = 1 Unknown location: _ = () File loop_inv_int_mono.mlw: Line 8: _ = () Execution of main function `f` with env: _ = () zero = 0 one = 1 Line 11: Normal execution of function `t'mk` with args: c = 0 Line 13: Normal execution of function `t'mk` with args: c = 2 Line 14: Normal execution of function `c` with args: arg = {c= 2} Normal execution of function `(<)` with args: _ = 2 _ = 10 Normal iteration of loop Line 16: Normal execution of function `c` with args: arg = {c= 2} Normal execution of function `c` with args: arg = {c= 1} Normal execution of function `(+)` with args: _ = 1 _ = 2 Line 14: Normal execution of function `c` with args: arg = {c= 3} Normal execution of function `(<)` with args: _ = 3 _ = 10 Normal iteration of loop Line 16: Normal execution of function `c` with args: arg = {c= 3} Normal execution of function `c` with args: arg = {c= 1} Normal execution of function `(+)` with args: _ = 1 _ = 3 Line 14: Normal execution of function `c` with args: arg = {c= 4} Normal execution of function `(<)` with args: _ = 4 _ = 10 Normal iteration of loop Line 16: Normal execution of function `c` with args: arg = {c= 4} Normal execution of function `c` with args: arg = {c= 1} Normal execution of function `(+)` with args: _ = 1 _ = 4 Line 14: Normal execution of function `c` with args: arg = {c= 5} Normal execution of function `(<)` with args: _ = 5 _ = 10 Normal iteration of loop Line 16: Normal execution of function `c` with args: arg = {c= 5} Normal execution of function `c` with args: arg = {c= 1} Normal execution of function `(+)` with args: _ = 1 _ = 5 Line 15: Property failure at loop invariant preservation with: a = {c= 1} b = {c= 6} File "bench/check-ce/loop_inv_int_mono.mlw", line 38, characters 16-29: Sub-goal Loop invariant init of goal f'vc. Prover result is: Valid. Categorizations of models: - Selected model 0: NC - Concrete RAC: FAILURE (loop invariant preservation at "bench/check-ce/loop_inv_int_mono.mlw", line 38, characters 16-29) - Abstract RAC: FAILURE (loop invariant preservation at "bench/check-ce/loop_inv_int_mono.mlw", line 38, characters 16-29) - Checked model 1: NC - Concrete RAC: FAILURE (loop invariant preservation at "bench/check-ce/loop_inv_int_mono.mlw", line 38, characters 16-29) - Abstract RAC: FAILURE (loop invariant preservation at "bench/check-ce/loop_inv_int_mono.mlw", line 38, characters 16-29) File "bench/check-ce/loop_inv_int_mono.mlw", line 38, characters 16-29: Sub-goal Loop invariant preservation of goal f'vc. Prover result is: Unknown (sat). The program does not comply to the verification goal, for example during the following execution: File int.mlw: Line 13: Constant zero initialization zero = 0 Line 14: Constant one initialization one = 1 File loop_inv_int_mono.mlw: Line 27: Constant a initialization (giant-step) execution of unimplemented function with args: result = {c1= 0} a = {c1= 0} Line 29: Constant b initialization (giant-step) execution of unimplemented function with args: result = {c1= 0} b = {c1= 0} Unknown location: _ = () File loop_inv_int_mono.mlw: Line 31: _ = () Execution of main function `f` with env: a = {c1= 0} b = {c1= 0} _ = () zero = 0 one = 1 Line 37: Normal execution of function `c` with args: arg = {c1= 2} Normal execution of function `(<)` with args: _ = 2 _ = 10 Normal iteration of loop Line 39: Normal execution of function `c` with args: arg = {c1= 2} Normal execution of function `c` with args: arg = {c1= 1} Normal execution of function `(+)` with args: _ = 1 _ = 2 Line 37: Normal execution of function `c` with args: arg = {c1= 3} Normal execution of function `(<)` with args: _ = 3 _ = 10 Normal iteration of loop Line 39: Normal execution of function `c` with args: arg = {c1= 3} Normal execution of function `c` with args: arg = {c1= 1} Normal execution of function `(+)` with args: _ = 1 _ = 3 Line 37: Normal execution of function `c` with args: arg = {c1= 4} Normal execution of function `(<)` with args: _ = 4 _ = 10 Normal iteration of loop Line 39: Normal execution of function `c` with args: arg = {c1= 4} Normal execution of function `c` with args: arg = {c1= 1} Normal execution of function `(+)` with args: _ = 1 _ = 4 Line 37: Normal execution of function `c` with args: arg = {c1= 5} Normal execution of function `(<)` with args: _ = 5 _ = 10 Normal iteration of loop Line 39: Normal execution of function `c` with args: arg = {c1= 5} Normal execution of function `c` with args: arg = {c1= 1} Normal execution of function `(+)` with args: _ = 1 _ = 5 Line 38: Property failure at loop invariant preservation with: a = {c1= 1} b = {c1= 6} File "bench/check-ce/loop_inv_int_mono.mlw", line 33, characters 12-24: Sub-goal Postcondition of goal f'vc. Prover result is: Valid. why3-1.6.0/bench/check-ce/oracles/loop_inv_int_mono_Z3,4.8.10_WP.oracle000066400000000000000000000147501440160026300252110ustar00rootroot00000000000000File "bench/check-ce/loop_inv_int_mono.mlw", line 15, characters 16-29: Sub-goal Loop invariant init of goal f'vc. Prover result is: Valid. Categorizations of models: - Selected model 0: NC - Concrete RAC: FAILURE (loop invariant preservation at "bench/check-ce/loop_inv_int_mono.mlw", line 15, characters 16-29) - Abstract RAC: FAILURE (loop invariant preservation at "bench/check-ce/loop_inv_int_mono.mlw", line 15, characters 16-29) - Checked model 1: NC - Concrete RAC: FAILURE (loop invariant preservation at "bench/check-ce/loop_inv_int_mono.mlw", line 15, characters 16-29) - Abstract RAC: FAILURE (loop invariant preservation at "bench/check-ce/loop_inv_int_mono.mlw", line 15, characters 16-29) File "bench/check-ce/loop_inv_int_mono.mlw", line 15, characters 16-29: Sub-goal Loop invariant preservation of goal f'vc. Prover result is: Unknown (sat). The program does not comply to the verification goal, for example during the following execution: File int.mlw: Line 13: Constant zero initialization zero = 0 Line 14: Constant one initialization one = 1 Unknown location: _ = () File loop_inv_int_mono.mlw: Line 8: _ = () Execution of main function `f` with env: _ = () zero = 0 one = 1 Line 11: Normal execution of function `t'mk` with args: c = 0 Line 13: Normal execution of function `t'mk` with args: c = 2 Line 14: Normal execution of function `c` with args: arg = {c= 2} Normal execution of function `(<)` with args: _ = 2 _ = 10 Normal iteration of loop Line 16: Normal execution of function `c` with args: arg = {c= 2} Normal execution of function `c` with args: arg = {c= 1} Normal execution of function `(+)` with args: _ = 1 _ = 2 Line 14: Normal execution of function `c` with args: arg = {c= 3} Normal execution of function `(<)` with args: _ = 3 _ = 10 Normal iteration of loop Line 16: Normal execution of function `c` with args: arg = {c= 3} Normal execution of function `c` with args: arg = {c= 1} Normal execution of function `(+)` with args: _ = 1 _ = 3 Line 14: Normal execution of function `c` with args: arg = {c= 4} Normal execution of function `(<)` with args: _ = 4 _ = 10 Normal iteration of loop Line 16: Normal execution of function `c` with args: arg = {c= 4} Normal execution of function `c` with args: arg = {c= 1} Normal execution of function `(+)` with args: _ = 1 _ = 4 Line 14: Normal execution of function `c` with args: arg = {c= 5} Normal execution of function `(<)` with args: _ = 5 _ = 10 Normal iteration of loop Line 16: Normal execution of function `c` with args: arg = {c= 5} Normal execution of function `c` with args: arg = {c= 1} Normal execution of function `(+)` with args: _ = 1 _ = 5 Line 15: Property failure at loop invariant preservation with: a = {c= 1} b = {c= 6} File "bench/check-ce/loop_inv_int_mono.mlw", line 38, characters 16-29: Sub-goal Loop invariant init of goal f'vc. Prover result is: Valid. Categorizations of models: - Selected model 0: NC - Concrete RAC: FAILURE (loop invariant preservation at "bench/check-ce/loop_inv_int_mono.mlw", line 38, characters 16-29) - Abstract RAC: FAILURE (loop invariant preservation at "bench/check-ce/loop_inv_int_mono.mlw", line 38, characters 16-29) - Checked model 1: NC - Concrete RAC: FAILURE (loop invariant preservation at "bench/check-ce/loop_inv_int_mono.mlw", line 38, characters 16-29) - Abstract RAC: FAILURE (loop invariant preservation at "bench/check-ce/loop_inv_int_mono.mlw", line 38, characters 16-29) File "bench/check-ce/loop_inv_int_mono.mlw", line 38, characters 16-29: Sub-goal Loop invariant preservation of goal f'vc. Prover result is: Unknown (sat). The program does not comply to the verification goal, for example during the following execution: File int.mlw: Line 13: Constant zero initialization zero = 0 Line 14: Constant one initialization one = 1 File loop_inv_int_mono.mlw: Line 27: Constant a initialization (giant-step) execution of unimplemented function with args: result = {c1= 0} a = {c1= 0} Line 29: Constant b initialization (giant-step) execution of unimplemented function with args: result = {c1= 0} b = {c1= 0} Unknown location: _ = () File loop_inv_int_mono.mlw: Line 31: _ = () Execution of main function `f` with env: a = {c1= 0} b = {c1= 0} _ = () zero = 0 one = 1 Line 37: Normal execution of function `c` with args: arg = {c1= 2} Normal execution of function `(<)` with args: _ = 2 _ = 10 Normal iteration of loop Line 39: Normal execution of function `c` with args: arg = {c1= 2} Normal execution of function `c` with args: arg = {c1= 1} Normal execution of function `(+)` with args: _ = 1 _ = 2 Line 37: Normal execution of function `c` with args: arg = {c1= 3} Normal execution of function `(<)` with args: _ = 3 _ = 10 Normal iteration of loop Line 39: Normal execution of function `c` with args: arg = {c1= 3} Normal execution of function `c` with args: arg = {c1= 1} Normal execution of function `(+)` with args: _ = 1 _ = 3 Line 37: Normal execution of function `c` with args: arg = {c1= 4} Normal execution of function `(<)` with args: _ = 4 _ = 10 Normal iteration of loop Line 39: Normal execution of function `c` with args: arg = {c1= 4} Normal execution of function `c` with args: arg = {c1= 1} Normal execution of function `(+)` with args: _ = 1 _ = 4 Line 37: Normal execution of function `c` with args: arg = {c1= 5} Normal execution of function `(<)` with args: _ = 5 _ = 10 Normal iteration of loop Line 39: Normal execution of function `c` with args: arg = {c1= 5} Normal execution of function `c` with args: arg = {c1= 1} Normal execution of function `(+)` with args: _ = 1 _ = 5 Line 38: Property failure at loop invariant preservation with: a = {c1= 1} b = {c1= 6} File "bench/check-ce/loop_inv_int_mono.mlw", line 33, characters 12-24: Sub-goal Postcondition of goal f'vc. Prover result is: Valid. why3-1.6.0/bench/check-ce/oracles/loop_inv_real_CVC4,1.8_SP.oracle000066400000000000000000000027041440160026300242630ustar00rootroot00000000000000File "bench/check-ce/loop_inv_real.mlw", line 17, characters 16-27: Sub-goal Loop invariant init of goal f'vc. Prover result is: Valid. Categorizations of models: - Checked model 0: INCOMPLETE - Concrete RAC: INCOMPLETE (terminated because Loop invariant init cannot be evaluated) - Abstract RAC: INCOMPLETE (terminated because Loop invariant init cannot be evaluated) - Selected model 1: INCOMPLETE - Concrete RAC: INCOMPLETE (terminated because Loop invariant init cannot be evaluated) - Abstract RAC: INCOMPLETE (terminated because Loop invariant init cannot be evaluated) File "bench/check-ce/loop_inv_real.mlw", line 17, characters 16-27: Sub-goal Loop invariant preservation of goal f'vc. Prover result is: Unknown or time/memory/step limit. The following counterexample model could not be verified (both RAC terminated because Loop invariant init cannot be evaluated): File loop_inv_real.mlw: Line 14: a : real = 1.0 Line 15: b : real = 2.0 Line 16: [before iteration] b : real = 5.0 result of call at line 16, characters 8-16 : bool = true Line 17: [current iteration] a : real = 1.0 [current iteration] b : real = 6.0 [current iteration] b : real = 6.0 Line 18: [current iteration] b : real = 6.0 result of call at line 18, characters 9-14 : real = 6.0 File "bench/check-ce/loop_inv_real.mlw", line 12, characters 12-22: Sub-goal Postcondition of goal f'vc. Prover result is: Valid. why3-1.6.0/bench/check-ce/oracles/loop_inv_real_CVC4,1.8_WP.oracle000066400000000000000000000027041440160026300242670ustar00rootroot00000000000000File "bench/check-ce/loop_inv_real.mlw", line 17, characters 16-27: Sub-goal Loop invariant init of goal f'vc. Prover result is: Valid. Categorizations of models: - Checked model 0: INCOMPLETE - Concrete RAC: INCOMPLETE (terminated because Loop invariant init cannot be evaluated) - Abstract RAC: INCOMPLETE (terminated because Loop invariant init cannot be evaluated) - Selected model 1: INCOMPLETE - Concrete RAC: INCOMPLETE (terminated because Loop invariant init cannot be evaluated) - Abstract RAC: INCOMPLETE (terminated because Loop invariant init cannot be evaluated) File "bench/check-ce/loop_inv_real.mlw", line 17, characters 16-27: Sub-goal Loop invariant preservation of goal f'vc. Prover result is: Unknown or time/memory/step limit. The following counterexample model could not be verified (both RAC terminated because Loop invariant init cannot be evaluated): File loop_inv_real.mlw: Line 14: a : real = 1.0 Line 15: b : real = 2.0 Line 16: [before iteration] b : real = 5.0 result of call at line 16, characters 8-16 : bool = true Line 17: [current iteration] a : real = 1.0 [current iteration] b : real = 6.0 [current iteration] b : real = 6.0 Line 18: [current iteration] b : real = 6.0 result of call at line 18, characters 9-14 : real = 6.0 File "bench/check-ce/loop_inv_real.mlw", line 12, characters 12-22: Sub-goal Postcondition of goal f'vc. Prover result is: Valid. why3-1.6.0/bench/check-ce/oracles/loop_inv_real_CVC5,1.0.0_SP.oracle000066400000000000000000000027041440160026300244120ustar00rootroot00000000000000File "bench/check-ce/loop_inv_real.mlw", line 17, characters 16-27: Sub-goal Loop invariant init of goal f'vc. Prover result is: Valid. Categorizations of models: - Selected model 0: INCOMPLETE - Concrete RAC: INCOMPLETE (terminated because Loop invariant init cannot be evaluated) - Abstract RAC: INCOMPLETE (terminated because Loop invariant init cannot be evaluated) - Checked model 1: INCOMPLETE - Concrete RAC: INCOMPLETE (terminated because Loop invariant init cannot be evaluated) - Abstract RAC: INCOMPLETE (terminated because Loop invariant init cannot be evaluated) File "bench/check-ce/loop_inv_real.mlw", line 17, characters 16-27: Sub-goal Loop invariant preservation of goal f'vc. Prover result is: Unknown or time/memory/step limit. The following counterexample model could not be verified (both RAC terminated because Loop invariant init cannot be evaluated): File loop_inv_real.mlw: Line 14: a : real = 1.0 Line 15: b : real = 2.0 Line 16: [before iteration] b : real = 5.0 result of call at line 16, characters 8-16 : bool = true Line 17: [current iteration] a : real = 1.0 [current iteration] b : real = 6.0 [current iteration] b : real = 6.0 Line 18: [current iteration] b : real = 6.0 result of call at line 18, characters 9-14 : real = 6.0 File "bench/check-ce/loop_inv_real.mlw", line 12, characters 12-22: Sub-goal Postcondition of goal f'vc. Prover result is: Valid. why3-1.6.0/bench/check-ce/oracles/loop_inv_real_CVC5,1.0.0_WP.oracle000066400000000000000000000027041440160026300244160ustar00rootroot00000000000000File "bench/check-ce/loop_inv_real.mlw", line 17, characters 16-27: Sub-goal Loop invariant init of goal f'vc. Prover result is: Valid. Categorizations of models: - Selected model 0: INCOMPLETE - Concrete RAC: INCOMPLETE (terminated because Loop invariant init cannot be evaluated) - Abstract RAC: INCOMPLETE (terminated because Loop invariant init cannot be evaluated) - Checked model 1: INCOMPLETE - Concrete RAC: INCOMPLETE (terminated because Loop invariant init cannot be evaluated) - Abstract RAC: INCOMPLETE (terminated because Loop invariant init cannot be evaluated) File "bench/check-ce/loop_inv_real.mlw", line 17, characters 16-27: Sub-goal Loop invariant preservation of goal f'vc. Prover result is: Unknown or time/memory/step limit. The following counterexample model could not be verified (both RAC terminated because Loop invariant init cannot be evaluated): File loop_inv_real.mlw: Line 14: a : real = 1.0 Line 15: b : real = 2.0 Line 16: [before iteration] b : real = 5.0 result of call at line 16, characters 8-16 : bool = true Line 17: [current iteration] a : real = 1.0 [current iteration] b : real = 6.0 [current iteration] b : real = 6.0 Line 18: [current iteration] b : real = 6.0 result of call at line 18, characters 9-14 : real = 6.0 File "bench/check-ce/loop_inv_real.mlw", line 12, characters 12-22: Sub-goal Postcondition of goal f'vc. Prover result is: Valid. why3-1.6.0/bench/check-ce/oracles/loop_inv_real_Z3,4.8.10_SP.oracle000066400000000000000000000027041440160026300243020ustar00rootroot00000000000000File "bench/check-ce/loop_inv_real.mlw", line 17, characters 16-27: Sub-goal Loop invariant init of goal f'vc. Prover result is: Valid. Categorizations of models: - Selected model 0: INCOMPLETE - Concrete RAC: INCOMPLETE (terminated because Loop invariant init cannot be evaluated) - Abstract RAC: INCOMPLETE (terminated because Loop invariant init cannot be evaluated) - Checked model 1: INCOMPLETE - Concrete RAC: INCOMPLETE (terminated because Loop invariant init cannot be evaluated) - Abstract RAC: INCOMPLETE (terminated because Loop invariant init cannot be evaluated) File "bench/check-ce/loop_inv_real.mlw", line 17, characters 16-27: Sub-goal Loop invariant preservation of goal f'vc. Prover result is: Unknown or time/memory/step limit. The following counterexample model could not be verified (both RAC terminated because Loop invariant init cannot be evaluated): File loop_inv_real.mlw: Line 14: a : real = 1.0 Line 15: b : real = 2.0 Line 16: [before iteration] b : real = 5.0 result of call at line 16, characters 8-16 : bool = true Line 17: [current iteration] a : real = 1.0 [current iteration] b : real = 6.0 [current iteration] b : real = 6.0 Line 18: [current iteration] b : real = 6.0 result of call at line 18, characters 9-14 : real = 6.0 File "bench/check-ce/loop_inv_real.mlw", line 12, characters 12-22: Sub-goal Postcondition of goal f'vc. Prover result is: Valid. why3-1.6.0/bench/check-ce/oracles/loop_inv_real_Z3,4.8.10_WP.oracle000066400000000000000000000027041440160026300243060ustar00rootroot00000000000000File "bench/check-ce/loop_inv_real.mlw", line 17, characters 16-27: Sub-goal Loop invariant init of goal f'vc. Prover result is: Valid. Categorizations of models: - Selected model 0: INCOMPLETE - Concrete RAC: INCOMPLETE (terminated because Loop invariant init cannot be evaluated) - Abstract RAC: INCOMPLETE (terminated because Loop invariant init cannot be evaluated) - Checked model 1: INCOMPLETE - Concrete RAC: INCOMPLETE (terminated because Loop invariant init cannot be evaluated) - Abstract RAC: INCOMPLETE (terminated because Loop invariant init cannot be evaluated) File "bench/check-ce/loop_inv_real.mlw", line 17, characters 16-27: Sub-goal Loop invariant preservation of goal f'vc. Prover result is: Unknown or time/memory/step limit. The following counterexample model could not be verified (both RAC terminated because Loop invariant init cannot be evaluated): File loop_inv_real.mlw: Line 14: a : real = 1.0 Line 15: b : real = 2.0 Line 16: [before iteration] b : real = 5.0 result of call at line 16, characters 8-16 : bool = true Line 17: [current iteration] a : real = 1.0 [current iteration] b : real = 6.0 [current iteration] b : real = 6.0 Line 18: [current iteration] b : real = 6.0 result of call at line 18, characters 9-14 : real = 6.0 File "bench/check-ce/loop_inv_real.mlw", line 12, characters 12-22: Sub-goal Postcondition of goal f'vc. Prover result is: Valid. why3-1.6.0/bench/check-ce/oracles/loop_inv_real_mono_CVC4,1.8_SP.oracle000066400000000000000000000034161440160026300253140ustar00rootroot00000000000000File "bench/check-ce/loop_inv_real_mono.mlw", line 19, characters 16-31: Sub-goal Loop invariant init of goal f'vc. Prover result is: Valid. Categorizations of models: - Checked model 0: INCOMPLETE - Concrete RAC: INCOMPLETE (terminated because Loop invariant init cannot be evaluated) - Abstract RAC: INCOMPLETE (terminated because Loop invariant init cannot be evaluated) - Selected model 1: INCOMPLETE - Concrete RAC: INCOMPLETE (terminated because Loop invariant init cannot be evaluated) - Abstract RAC: INCOMPLETE (terminated because Loop invariant init cannot be evaluated) File "bench/check-ce/loop_inv_real_mono.mlw", line 19, characters 16-31: Sub-goal Loop invariant preservation of goal f'vc. Prover result is: Unknown or time/memory/step limit. The following counterexample model could not be verified (both RAC terminated because Loop invariant init cannot be evaluated): File loop_inv_real_mono.mlw: Line 16: a : t = {c = 1.0} a : real = 1.0 Line 17: b : t = {c = 2.0} b : real = 2.0 Line 18: [before iteration] b : t = {c = 5.0} [before iteration] b : real = 5.0 result of call at line 18, characters 8-18 : bool = true result of call at line 18, characters 8-11 : real = 5.0 Line 19: [current iteration] a : real = 1.0 [current iteration] b : real = 6.0 [current iteration] b : real = 6.0 Line 20: [current iteration] b : t = {c = 6.0} [current iteration] b : real = 6.0 result of call at line 20, characters 11-20 : real = 6.0 result of call at line 20, characters 11-14 : real = 1.0 result of call at line 20, characters 17-20 : real = 5.0 File "bench/check-ce/loop_inv_real_mono.mlw", line 14, characters 12-24: Sub-goal Postcondition of goal f'vc. Prover result is: Valid. why3-1.6.0/bench/check-ce/oracles/loop_inv_real_mono_CVC4,1.8_WP.oracle000066400000000000000000000034161440160026300253200ustar00rootroot00000000000000File "bench/check-ce/loop_inv_real_mono.mlw", line 19, characters 16-31: Sub-goal Loop invariant init of goal f'vc. Prover result is: Valid. Categorizations of models: - Checked model 0: INCOMPLETE - Concrete RAC: INCOMPLETE (terminated because Loop invariant init cannot be evaluated) - Abstract RAC: INCOMPLETE (terminated because Loop invariant init cannot be evaluated) - Selected model 1: INCOMPLETE - Concrete RAC: INCOMPLETE (terminated because Loop invariant init cannot be evaluated) - Abstract RAC: INCOMPLETE (terminated because Loop invariant init cannot be evaluated) File "bench/check-ce/loop_inv_real_mono.mlw", line 19, characters 16-31: Sub-goal Loop invariant preservation of goal f'vc. Prover result is: Unknown or time/memory/step limit. The following counterexample model could not be verified (both RAC terminated because Loop invariant init cannot be evaluated): File loop_inv_real_mono.mlw: Line 16: a : t = {c = 1.0} a : real = 1.0 Line 17: b : t = {c = 2.0} b : real = 2.0 Line 18: [before iteration] b : t = {c = 5.0} [before iteration] b : real = 5.0 result of call at line 18, characters 8-18 : bool = true result of call at line 18, characters 8-11 : real = 5.0 Line 19: [current iteration] a : real = 1.0 [current iteration] b : real = 6.0 [current iteration] b : real = 6.0 Line 20: [current iteration] b : t = {c = 6.0} [current iteration] b : real = 6.0 result of call at line 20, characters 11-20 : real = 6.0 result of call at line 20, characters 11-14 : real = 1.0 result of call at line 20, characters 17-20 : real = 5.0 File "bench/check-ce/loop_inv_real_mono.mlw", line 14, characters 12-24: Sub-goal Postcondition of goal f'vc. Prover result is: Valid. why3-1.6.0/bench/check-ce/oracles/loop_inv_real_mono_CVC5,1.0.0_SP.oracle000066400000000000000000000032171440160026300254420ustar00rootroot00000000000000File "bench/check-ce/loop_inv_real_mono.mlw", line 19, characters 16-31: Sub-goal Loop invariant init of goal f'vc. Prover result is: Valid. Categorizations of models: - Selected model 0: INCOMPLETE - Concrete RAC: INCOMPLETE (terminated because Loop invariant init cannot be evaluated) - Abstract RAC: INCOMPLETE (terminated because Loop invariant init cannot be evaluated) - Checked model 1: INCOMPLETE - Concrete RAC: INCOMPLETE (terminated because Loop invariant init cannot be evaluated) - Abstract RAC: INCOMPLETE (terminated because Loop invariant init cannot be evaluated) File "bench/check-ce/loop_inv_real_mono.mlw", line 19, characters 16-31: Sub-goal Loop invariant preservation of goal f'vc. Prover result is: Unknown or time/memory/step limit. The following counterexample model could not be verified (both RAC terminated because Loop invariant init cannot be evaluated): File loop_inv_real_mono.mlw: Line 16: a : real = 1.0 Line 17: b : real = 2.0 Line 18: [before iteration] b : real = 5.0 result of call at line 18, characters 8-18 : bool = true result of call at line 18, characters 8-11 : real = 5.0 Line 19: [current iteration] a : real = 1.0 [current iteration] b : real = 6.0 [current iteration] b : real = 6.0 Line 20: [current iteration] b : real = 6.0 result of call at line 20, characters 11-20 : real = 6.0 result of call at line 20, characters 11-14 : real = 1.0 result of call at line 20, characters 17-20 : real = 5.0 File "bench/check-ce/loop_inv_real_mono.mlw", line 14, characters 12-24: Sub-goal Postcondition of goal f'vc. Prover result is: Valid. why3-1.6.0/bench/check-ce/oracles/loop_inv_real_mono_CVC5,1.0.0_WP.oracle000066400000000000000000000032171440160026300254460ustar00rootroot00000000000000File "bench/check-ce/loop_inv_real_mono.mlw", line 19, characters 16-31: Sub-goal Loop invariant init of goal f'vc. Prover result is: Valid. Categorizations of models: - Selected model 0: INCOMPLETE - Concrete RAC: INCOMPLETE (terminated because Loop invariant init cannot be evaluated) - Abstract RAC: INCOMPLETE (terminated because Loop invariant init cannot be evaluated) - Checked model 1: INCOMPLETE - Concrete RAC: INCOMPLETE (terminated because Loop invariant init cannot be evaluated) - Abstract RAC: INCOMPLETE (terminated because Loop invariant init cannot be evaluated) File "bench/check-ce/loop_inv_real_mono.mlw", line 19, characters 16-31: Sub-goal Loop invariant preservation of goal f'vc. Prover result is: Unknown or time/memory/step limit. The following counterexample model could not be verified (both RAC terminated because Loop invariant init cannot be evaluated): File loop_inv_real_mono.mlw: Line 16: a : real = 1.0 Line 17: b : real = 2.0 Line 18: [before iteration] b : real = 5.0 result of call at line 18, characters 8-18 : bool = true result of call at line 18, characters 8-11 : real = 5.0 Line 19: [current iteration] a : real = 1.0 [current iteration] b : real = 6.0 [current iteration] b : real = 6.0 Line 20: [current iteration] b : real = 6.0 result of call at line 20, characters 11-20 : real = 6.0 result of call at line 20, characters 11-14 : real = 1.0 result of call at line 20, characters 17-20 : real = 5.0 File "bench/check-ce/loop_inv_real_mono.mlw", line 14, characters 12-24: Sub-goal Postcondition of goal f'vc. Prover result is: Valid. why3-1.6.0/bench/check-ce/oracles/loop_inv_real_mono_Z3,4.8.10_SP.oracle000066400000000000000000000033721440160026300253340ustar00rootroot00000000000000File "bench/check-ce/loop_inv_real_mono.mlw", line 19, characters 16-31: Sub-goal Loop invariant init of goal f'vc. Prover result is: Valid. Categorizations of models: - Checked model 0: INCOMPLETE - Concrete RAC: INCOMPLETE (terminated because Loop invariant init cannot be evaluated) - Abstract RAC: INCOMPLETE (terminated because Loop invariant init cannot be evaluated) - Selected model 1: INCOMPLETE - Concrete RAC: INCOMPLETE (terminated because Loop invariant init cannot be evaluated) - Abstract RAC: INCOMPLETE (terminated because Loop invariant init cannot be evaluated) File "bench/check-ce/loop_inv_real_mono.mlw", line 19, characters 16-31: Sub-goal Loop invariant preservation of goal f'vc. Prover result is: Unknown (sat). The following counterexample model could not be verified (both RAC terminated because Loop invariant init cannot be evaluated): File loop_inv_real_mono.mlw: Line 16: a : t = {c = 1.0} a : real = 1.0 Line 17: b : t = {c = 2.0} b : real = 2.0 Line 18: [before iteration] b : t = {c = 5.0} [before iteration] b : real = 5.0 result of call at line 18, characters 8-18 : bool = true result of call at line 18, characters 8-11 : real = 5.0 Line 19: [current iteration] a : real = 1.0 [current iteration] b : real = 6.0 [current iteration] b : real = 6.0 Line 20: [current iteration] b : t = {c = 6.0} [current iteration] b : real = 6.0 result of call at line 20, characters 11-20 : real = 6.0 result of call at line 20, characters 11-14 : real = 1.0 result of call at line 20, characters 17-20 : real = 5.0 File "bench/check-ce/loop_inv_real_mono.mlw", line 14, characters 12-24: Sub-goal Postcondition of goal f'vc. Prover result is: Valid. why3-1.6.0/bench/check-ce/oracles/loop_inv_real_mono_Z3,4.8.10_WP.oracle000066400000000000000000000033721440160026300253400ustar00rootroot00000000000000File "bench/check-ce/loop_inv_real_mono.mlw", line 19, characters 16-31: Sub-goal Loop invariant init of goal f'vc. Prover result is: Valid. Categorizations of models: - Checked model 0: INCOMPLETE - Concrete RAC: INCOMPLETE (terminated because Loop invariant init cannot be evaluated) - Abstract RAC: INCOMPLETE (terminated because Loop invariant init cannot be evaluated) - Selected model 1: INCOMPLETE - Concrete RAC: INCOMPLETE (terminated because Loop invariant init cannot be evaluated) - Abstract RAC: INCOMPLETE (terminated because Loop invariant init cannot be evaluated) File "bench/check-ce/loop_inv_real_mono.mlw", line 19, characters 16-31: Sub-goal Loop invariant preservation of goal f'vc. Prover result is: Unknown (sat). The following counterexample model could not be verified (both RAC terminated because Loop invariant init cannot be evaluated): File loop_inv_real_mono.mlw: Line 16: a : t = {c = 1.0} a : real = 1.0 Line 17: b : t = {c = 2.0} b : real = 2.0 Line 18: [before iteration] b : t = {c = 5.0} [before iteration] b : real = 5.0 result of call at line 18, characters 8-18 : bool = true result of call at line 18, characters 8-11 : real = 5.0 Line 19: [current iteration] a : real = 1.0 [current iteration] b : real = 6.0 [current iteration] b : real = 6.0 Line 20: [current iteration] b : t = {c = 6.0} [current iteration] b : real = 6.0 result of call at line 20, characters 11-20 : real = 6.0 result of call at line 20, characters 11-14 : real = 1.0 result of call at line 20, characters 17-20 : real = 5.0 File "bench/check-ce/loop_inv_real_mono.mlw", line 14, characters 12-24: Sub-goal Postcondition of goal f'vc. Prover result is: Valid. why3-1.6.0/bench/check-ce/oracles/manual_map_CVC4,1.8_SP.oracle000066400000000000000000000027261440160026300235510ustar00rootroot00000000000000Categorizations of models: - Selected model 0: NC - Concrete RAC: FAILURE (postcondition at "bench/check-ce/manual_map.mlw", line 5, characters 14-36) - Abstract RAC: FAILURE (postcondition at "bench/check-ce/manual_map.mlw", line 5, characters 14-36) - Checked model 1: NC - Concrete RAC: FAILURE (postcondition at "bench/check-ce/manual_map.mlw", line 5, characters 14-36) - Abstract RAC: FAILURE (postcondition at "bench/check-ce/manual_map.mlw", line 5, characters 14-36) File "bench/check-ce/manual_map.mlw", line 5, characters 14-36: Sub-goal Postcondition of goal test_map'vc. Prover result is: Unknown (sat). The program does not comply to the verification goal, for example during the following execution: File int.mlw: Line 13: Constant zero initialization zero = 0 Line 14: Constant one initialization one = 1 File manual_map.mlw: Line 4: x = fun (x:int) -> if x = 1 then 3 else 0 x = fun (x:int) -> if x = 1 then 3 else 0 Execution of main function `test_map` with env: x = fun (x:int) -> if x = 1 then 3 else 0 zero = 0 one = 1 Line 7: Normal execution of function `set` with args: f = fun (x:int) -> if x = 1 then 3 else 0 x = 0 v = 3 Line 5: Property failure at postcondition of `test_map` with: result = (fun y -> if pure { if y = x then True else False } then v else f y) with f = fun (x1:int) -> if x1 = 1 then 3 else 0, x = 0, v = 3 why3-1.6.0/bench/check-ce/oracles/manual_map_CVC4,1.8_WP.oracle000066400000000000000000000027261440160026300235550ustar00rootroot00000000000000Categorizations of models: - Selected model 0: NC - Concrete RAC: FAILURE (postcondition at "bench/check-ce/manual_map.mlw", line 5, characters 14-36) - Abstract RAC: FAILURE (postcondition at "bench/check-ce/manual_map.mlw", line 5, characters 14-36) - Checked model 1: NC - Concrete RAC: FAILURE (postcondition at "bench/check-ce/manual_map.mlw", line 5, characters 14-36) - Abstract RAC: FAILURE (postcondition at "bench/check-ce/manual_map.mlw", line 5, characters 14-36) File "bench/check-ce/manual_map.mlw", line 5, characters 14-36: Sub-goal Postcondition of goal test_map'vc. Prover result is: Unknown (sat). The program does not comply to the verification goal, for example during the following execution: File int.mlw: Line 13: Constant zero initialization zero = 0 Line 14: Constant one initialization one = 1 File manual_map.mlw: Line 4: x = fun (x:int) -> if x = 1 then 3 else 0 x = fun (x:int) -> if x = 1 then 3 else 0 Execution of main function `test_map` with env: x = fun (x:int) -> if x = 1 then 3 else 0 zero = 0 one = 1 Line 7: Normal execution of function `set` with args: f = fun (x:int) -> if x = 1 then 3 else 0 x = 0 v = 3 Line 5: Property failure at postcondition of `test_map` with: result = (fun y -> if pure { if y = x then True else False } then v else f y) with f = fun (x1:int) -> if x1 = 1 then 3 else 0, x = 0, v = 3 why3-1.6.0/bench/check-ce/oracles/manual_map_CVC5,1.0.0_SP.oracle000066400000000000000000000027261440160026300237000ustar00rootroot00000000000000Categorizations of models: - Selected model 0: NC - Concrete RAC: FAILURE (postcondition at "bench/check-ce/manual_map.mlw", line 5, characters 14-36) - Abstract RAC: FAILURE (postcondition at "bench/check-ce/manual_map.mlw", line 5, characters 14-36) - Checked model 1: NC - Concrete RAC: FAILURE (postcondition at "bench/check-ce/manual_map.mlw", line 5, characters 14-36) - Abstract RAC: FAILURE (postcondition at "bench/check-ce/manual_map.mlw", line 5, characters 14-36) File "bench/check-ce/manual_map.mlw", line 5, characters 14-36: Sub-goal Postcondition of goal test_map'vc. Prover result is: Unknown (sat). The program does not comply to the verification goal, for example during the following execution: File int.mlw: Line 13: Constant zero initialization zero = 0 Line 14: Constant one initialization one = 1 File manual_map.mlw: Line 4: x = fun (x:int) -> if x = 1 then 3 else 0 x = fun (x:int) -> if x = 1 then 3 else 0 Execution of main function `test_map` with env: x = fun (x:int) -> if x = 1 then 3 else 0 zero = 0 one = 1 Line 7: Normal execution of function `set` with args: f = fun (x:int) -> if x = 1 then 3 else 0 x = 0 v = 3 Line 5: Property failure at postcondition of `test_map` with: result = (fun y -> if pure { if y = x then True else False } then v else f y) with f = fun (x1:int) -> if x1 = 1 then 3 else 0, x = 0, v = 3 why3-1.6.0/bench/check-ce/oracles/manual_map_CVC5,1.0.0_WP.oracle000066400000000000000000000027261440160026300237040ustar00rootroot00000000000000Categorizations of models: - Selected model 0: NC - Concrete RAC: FAILURE (postcondition at "bench/check-ce/manual_map.mlw", line 5, characters 14-36) - Abstract RAC: FAILURE (postcondition at "bench/check-ce/manual_map.mlw", line 5, characters 14-36) - Checked model 1: NC - Concrete RAC: FAILURE (postcondition at "bench/check-ce/manual_map.mlw", line 5, characters 14-36) - Abstract RAC: FAILURE (postcondition at "bench/check-ce/manual_map.mlw", line 5, characters 14-36) File "bench/check-ce/manual_map.mlw", line 5, characters 14-36: Sub-goal Postcondition of goal test_map'vc. Prover result is: Unknown (sat). The program does not comply to the verification goal, for example during the following execution: File int.mlw: Line 13: Constant zero initialization zero = 0 Line 14: Constant one initialization one = 1 File manual_map.mlw: Line 4: x = fun (x:int) -> if x = 1 then 3 else 0 x = fun (x:int) -> if x = 1 then 3 else 0 Execution of main function `test_map` with env: x = fun (x:int) -> if x = 1 then 3 else 0 zero = 0 one = 1 Line 7: Normal execution of function `set` with args: f = fun (x:int) -> if x = 1 then 3 else 0 x = 0 v = 3 Line 5: Property failure at postcondition of `test_map` with: result = (fun y -> if pure { if y = x then True else False } then v else f y) with f = fun (x1:int) -> if x1 = 1 then 3 else 0, x = 0, v = 3 why3-1.6.0/bench/check-ce/oracles/manual_map_Z3,4.8.10_SP.oracle000066400000000000000000000007311440160026300235620ustar00rootroot00000000000000Categorizations of models: - Checked model 0: INCOMPLETE - Concrete RAC: INCOMPLETE (terminated because Postcondition of `set` cannot be evaluated) - Abstract RAC: INCOMPLETE (terminated because missing value for return value of call to set at "bench/check-ce/manual_map.mlw", line 7, characters 5-18) File "bench/check-ce/manual_map.mlw", line 5, characters 14-36: Sub-goal Postcondition of goal test_map'vc. Prover result is: Unknown (sat). why3-1.6.0/bench/check-ce/oracles/manual_map_Z3,4.8.10_WP.oracle000066400000000000000000000007311440160026300235660ustar00rootroot00000000000000Categorizations of models: - Checked model 0: INCOMPLETE - Concrete RAC: INCOMPLETE (terminated because Postcondition of `set` cannot be evaluated) - Abstract RAC: INCOMPLETE (terminated because missing value for return value of call to set at "bench/check-ce/manual_map.mlw", line 7, characters 5-18) File "bench/check-ce/manual_map.mlw", line 5, characters 14-36: Sub-goal Postcondition of goal test_map'vc. Prover result is: Unknown (sat). why3-1.6.0/bench/check-ce/oracles/maps_mono_CVC4,1.8_SP.oracle000066400000000000000000000341101440160026300234170ustar00rootroot00000000000000Categorizations of models: - Checked model 0: INCOMPLETE - Concrete RAC: NORMAL - Abstract RAC: INCOMPLETE (terminated because Postcondition of `set` cannot be evaluated) - Selected model 1: NC - Concrete RAC: FAILURE (postcondition at "bench/check-ce/maps_mono.mlw", line 45, characters 14-54) - Abstract RAC: FAILURE (postcondition at "bench/check-ce/maps_mono.mlw", line 45, characters 14-54) File "bench/check-ce/maps_mono.mlw", line 45, characters 14-54: Sub-goal Postcondition of goal test_map'vc. Prover result is: Unknown or time/memory/step limit. The program does not comply to the verification goal, for example during the following execution: File int.mlw: Line 13: Constant zero initialization zero = 0 Line 14: Constant one initialization one = 1 File maps_mono.mlw: Line 44: x = {contents= [|0 -> 3; 1 -> 3; _ -> 0|]} x = {contents= [|0 -> 3; 1 -> 3; _ -> 0|]} Execution of main function `test_map` with env: x = {contents= [|0 -> 3; 1 -> 3; _ -> 0|]} zero = 0 one = 1 Line 47: Normal execution of function `(!)` with args: r = {contents= [|0 -> 3; 1 -> 3; _ -> 0|]} File ref.mlw: Line 18: Normal execution of function `contents` with args: arg = {contents= [|0 -> 3; 1 -> 3; _ -> 0|]} File maps_mono.mlw: Line 47: Normal execution of function `set` with args: f = [|0 -> 3; 1 -> 3; _ -> 0|] x = 0 v = 3 Normal execution of function `(:=)` with args: r = {contents= [|0 -> 3; 1 -> 3; _ -> 0|]} v = (fun y -> if pure { if y = x then True else False } then v else f y) with f = [|0 -> 3; 1 -> 3; _ -> 0|], x = 0, v = 3 Line 45: Property failure at postcondition of `test_map` with: x = {contents= (fun y -> if pure { if y = x then True else False } then v else f y) with f = [|0 -> 3; 1 -> 3; _ -> 0|], x = 0, v = 3} Categorizations of models: - Selected model 0: NC - Concrete RAC: FAILURE (postcondition at "bench/check-ce/maps_mono.mlw", line 51, characters 14-88) - Abstract RAC: INCOMPLETE (terminated because Postcondition of `set1` cannot be evaluated) - Checked model 1: NC - Concrete RAC: FAILURE (postcondition at "bench/check-ce/maps_mono.mlw", line 51, characters 14-88) - Abstract RAC: FAILURE (postcondition at "bench/check-ce/maps_mono.mlw", line 51, characters 14-88) File "bench/check-ce/maps_mono.mlw", line 51, characters 14-88: Sub-goal Postcondition of goal test_map_multidim1'vc. Prover result is: Unknown or time/memory/step limit. The program does not comply to the verification goal, for example during the following execution: File int.mlw: Line 13: Constant zero initialization zero = 0 Line 14: Constant one initialization one = 1 File maps_mono.mlw: Line 50: x = {contents= [|0 -> [|0 -> 0; _ -> 1|]; _ -> [|; _ -> 0|]|]} x = {contents= [|0 -> [|0 -> 0; _ -> 1|]; _ -> [|; _ -> 0|]|]} Execution of main function `test_map_multidim1` with env: x = {contents= [|0 -> [|0 -> 0; _ -> 1|]; _ -> [|; _ -> 0|]|]} zero = 0 one = 1 Line 53: Normal execution of function `(!)` with args: r = {contents= [|0 -> [|0 -> 0; _ -> 1|]; _ -> [|; _ -> 0|]|]} File ref.mlw: Line 18: Normal execution of function `contents` with args: arg = {contents= [|0 -> [|0 -> 0; _ -> 1|]; _ -> [|; _ -> 0|]|]} File maps_mono.mlw: Line 53: Normal execution of function `get` with args: f = [|0 -> [|0 -> 0; _ -> 1|]; _ -> [|; _ -> 0|]|] x = 1 Line 29: Normal execution of function `(@)` with args: u = [|0 -> [|0 -> 0; _ -> 1|]; _ -> [|; _ -> 0|]|] u = 1 Line 53: Normal execution of function `(!)` with args: r = {contents= [|0 -> [|0 -> 0; _ -> 1|]; _ -> [|; _ -> 0|]|]} File ref.mlw: Line 18: Normal execution of function `contents` with args: arg = {contents= [|0 -> [|0 -> 0; _ -> 1|]; _ -> [|; _ -> 0|]|]} File maps_mono.mlw: Line 53: Normal execution of function `set` with args: f = [|0 -> [|0 -> 0; _ -> 1|]; _ -> [|; _ -> 0|]|] x = 0 v = [|; _ -> 0|] Normal execution of function `(:=)` with args: r = {contents= [|0 -> [|0 -> 0; _ -> 1|]; _ -> [|; _ -> 0|]|]} v = (fun y1 -> if pure { if y1 = x1 then True else False } then v1 else f1 y1) with f1 = [|0 -> [|0 -> 0; _ -> 1|]; _ -> [|; _ -> 0|]|], x1 = 0, v1 = [|; _ -> 0|] Line 51: Property failure at postcondition of `test_map_multidim1` with: x = {contents= (fun y1 -> if pure { if y1 = x1 then True else False } then v1 else f1 y1) with f1 = [|0 -> [|0 -> 0; _ -> 1|]; _ -> [|; _ -> 0|]|], x1 = 0, v1 = [|; _ -> 0|]} Categorizations of models: - Checked model 0: INCOMPLETE - Concrete RAC: NORMAL - Abstract RAC: INCOMPLETE (terminated because Postcondition of `set` cannot be evaluated) - Selected model 1: NC - Concrete RAC: FAILURE (postcondition at "bench/check-ce/maps_mono.mlw", line 56, characters 14-88) - Abstract RAC: FAILURE (postcondition at "bench/check-ce/maps_mono.mlw", line 56, characters 14-88) File "bench/check-ce/maps_mono.mlw", line 56, characters 14-88: Sub-goal Postcondition of goal test_map_multidim2'vc. Prover result is: Unknown or time/memory/step limit. The program does not comply to the verification goal, for example during the following execution: File int.mlw: Line 13: Constant zero initialization zero = 0 Line 14: Constant one initialization one = 1 File maps_mono.mlw: Line 55: x = {contents= [|0 -> [|0 -> 3; _ -> 1|]; 1 -> [|1 -> 3; _ -> 0|]; _ -> [|; _ -> 0|]|]} x = {contents= [|0 -> [|0 -> 3; _ -> 1|]; 1 -> [|1 -> 3; _ -> 0|]; _ -> [|; _ -> 0|]|]} Execution of main function `test_map_multidim2` with env: x = {contents= [|0 -> [|0 -> 3; _ -> 1|]; 1 -> [|1 -> 3; _ -> 0|]; _ -> [|; _ -> 0|]|]} zero = 0 one = 1 Line 58: Normal execution of function `(!)` with args: r = {contents= [|0 -> [|0 -> 3; _ -> 1|]; 1 -> [|1 -> 3; _ -> 0|]; _ -> [|; _ -> 0|]|]} File ref.mlw: Line 18: Normal execution of function `contents` with args: arg = {contents= [|0 -> [|0 -> 3; _ -> 1|]; 1 -> [|1 -> 3; _ -> 0|]; _ -> [|; _ -> 0|]|]} File maps_mono.mlw: Line 58: Normal execution of function `get` with args: f = [|0 -> [|0 -> 3; _ -> 1|]; 1 -> [|1 -> 3; _ -> 0|]; _ -> [|; _ -> 0|]|] x = 0 Line 29: Normal execution of function `(@)` with args: u = [|0 -> [|0 -> 3; _ -> 1|]; 1 -> [|1 -> 3; _ -> 0|]; _ -> [|; _ -> 0|]|] u = 0 Line 59: Normal execution of function `set` with args: f = [|0 -> 3; _ -> 1|] x = 0 v = 3 Line 60: Normal execution of function `(!)` with args: r = {contents= [|0 -> [|0 -> 3; _ -> 1|]; 1 -> [|1 -> 3; _ -> 0|]; _ -> [|; _ -> 0|]|]} File ref.mlw: Line 18: Normal execution of function `contents` with args: arg = {contents= [|0 -> [|0 -> 3; _ -> 1|]; 1 -> [|1 -> 3; _ -> 0|]; _ -> [|; _ -> 0|]|]} File maps_mono.mlw: Line 60: Normal execution of function `set` with args: f = [|0 -> [|0 -> 3; _ -> 1|]; 1 -> [|1 -> 3; _ -> 0|]; _ -> [|; _ -> 0|]|] x = 0 v = (fun y -> if pure { if y = x then True else False } then v else f y) with f = [|0 -> 3; _ -> 1|], x = 0, v = 3 Normal execution of function `(:=)` with args: r = {contents= [|0 -> [|0 -> 3; _ -> 1|]; 1 -> [|1 -> 3; _ -> 0|]; _ -> [|; _ -> 0|]|]} v = (fun y1 -> if pure { if y1 = x1 then True else False } then v1 else f1 y1) with f1 = [|0 -> [|0 -> 3; _ -> 1|]; 1 -> [|1 -> 3; _ -> 0|]; _ -> [|; _ -> 0|]|], x1 = 0, v1 = (fun y -> if pure { if y = x then True else False } then v else f y) with f = [| 0 -> 3; _ -> 1|], x = 0, v = 3 Line 56: Property failure at postcondition of `test_map_multidim2` with: x = {contents= (fun y1 -> if pure { if y1 = x1 then True else False } then v1 else f1 y1) with f1 = [|0 -> [|0 -> 3; _ -> 1|]; 1 -> [|1 -> 3; _ -> 0|]; _ -> [|; _ -> 0|]|], x1 = 0, v1 = (fun y -> if pure { if y = x then True else False } then v else f y) with f = [| 0 -> 3; _ -> 1|], x = 0, v = 3} Categorizations of models: - Checked model 0: INCOMPLETE - Concrete RAC: NORMAL - Abstract RAC: INCOMPLETE (terminated because Postcondition of `set` cannot be evaluated) - Selected model 1: NC - Concrete RAC: FAILURE (postcondition at "bench/check-ce/maps_mono.mlw", line 63, characters 14-54) - Abstract RAC: FAILURE (postcondition at "bench/check-ce/maps_mono.mlw", line 63, characters 14-54) File "bench/check-ce/maps_mono.mlw", line 63, characters 14-54: Sub-goal Postcondition of goal proj_map_test1'vc. Prover result is: Unknown or time/memory/step limit. The program does not comply to the verification goal, for example during the following execution: File int.mlw: Line 13: Constant zero initialization zero = 0 Line 14: Constant one initialization one = 1 File maps_mono.mlw: Line 62: x = {contents= [|0 -> 3; 1 -> 3; _ -> 0|]} x = {contents= [|0 -> 3; 1 -> 3; _ -> 0|]} Execution of main function `proj_map_test1` with env: x = {contents= [|0 -> 3; 1 -> 3; _ -> 0|]} zero = 0 one = 1 Line 65: Normal execution of function `(!)` with args: r = {contents= [|0 -> 3; 1 -> 3; _ -> 0|]} File ref.mlw: Line 18: Normal execution of function `contents` with args: arg = {contents= [|0 -> 3; 1 -> 3; _ -> 0|]} File maps_mono.mlw: Line 65: Normal execution of function `set` with args: f = [|0 -> 3; 1 -> 3; _ -> 0|] x = 0 v = 3 Normal execution of function `(:=)` with args: r = {contents= [|0 -> 3; 1 -> 3; _ -> 0|]} v = (fun y -> if pure { if y = x then True else False } then v else f y) with f = [|0 -> 3; 1 -> 3; _ -> 0|], x = 0, v = 3 Line 63: Property failure at postcondition of `proj_map_test1` with: x = {contents= (fun y -> if pure { if y = x then True else False } then v else f y) with f = [|0 -> 3; 1 -> 3; _ -> 0|], x = 0, v = 3} Categorizations of models: - Checked model 0: INCOMPLETE - Concrete RAC: NORMAL - Abstract RAC: INCOMPLETE (terminated because Postcondition of `set2` cannot be evaluated) - Selected model 1: NC - Concrete RAC: FAILURE (postcondition at "bench/check-ce/maps_mono.mlw", line 68, characters 14-56) - Abstract RAC: FAILURE (postcondition at "bench/check-ce/maps_mono.mlw", line 68, characters 14-56) File "bench/check-ce/maps_mono.mlw", line 68, characters 14-56: Sub-goal Postcondition of goal proj_map_test2'vc. Prover result is: Unknown or time/memory/step limit. The program does not comply to the verification goal, for example during the following execution: File int.mlw: Line 13: Constant zero initialization zero = 0 Line 14: Constant one initialization one = 1 File maps_mono.mlw: Line 67: x = {contents= [|0 -> true; 1 -> true; _ -> false|]} x = {contents= [|0 -> true; 1 -> true; _ -> false|]} Execution of main function `proj_map_test2` with env: x = {contents= [|0 -> true; 1 -> true; _ -> false|]} zero = 0 one = 1 Line 70: Normal execution of function `True` with args: Normal execution of function `(!)` with args: r = {contents= [|0 -> true; 1 -> true; _ -> false|]} File ref.mlw: Line 18: Normal execution of function `contents` with args: arg = {contents= [|0 -> true; 1 -> true; _ -> false|]} File maps_mono.mlw: Line 70: Normal execution of function `set` with args: f = [|0 -> true; 1 -> true; _ -> false|] x = 0 v = true Normal execution of function `(:=)` with args: r = {contents= [|0 -> true; 1 -> true; _ -> false|]} v = (fun y2 -> if pure { if y2 = x2 then True else False } then v2 else f2 y2) with f2 = [|0 -> true; 1 -> true; _ -> false|], x2 = 0, v2 = true Line 68: Property failure at postcondition of `proj_map_test2` with: x = {contents= (fun y2 -> if pure { if y2 = x2 then True else False } then v2 else f2 y2) with f2 = [|0 -> true; 1 -> true; _ -> false|], x2 = 0, v2 = true} Categorizations of models: - Checked model 0: BAD_CE - Concrete RAC: NORMAL - Abstract RAC: NORMAL - Selected model 1: NC - Concrete RAC: FAILURE (postcondition at "bench/check-ce/maps_mono.mlw", line 79, characters 3-31) - Abstract RAC: FAILURE (postcondition at "bench/check-ce/maps_mono.mlw", line 79, characters 3-31) File "bench/check-ce/maps_mono.mlw", line 79, characters 3-31: Goal t1. Prover result is: Unknown or time/memory/step limit. The program does not comply to the verification goal, for example during the following execution: File maps_mono.mlw: Line 78: t = [|0 -> 43; _ -> 0|] i = 0 t = [|0 -> 43; _ -> 0|] i = 0 Execution of main function `t1'goal` with env: i = 0 t = [|0 -> 43; _ -> 0|] Unknown location: Normal execution of function `Tuple0` with args: File maps_mono.mlw: Line 79: Property failure at postcondition of `t1'goal1` with: i = 0 t = [|0 -> 43; _ -> 0|] why3-1.6.0/bench/check-ce/oracles/maps_mono_CVC4,1.8_WP.oracle000066400000000000000000000341101440160026300234230ustar00rootroot00000000000000Categorizations of models: - Checked model 0: INCOMPLETE - Concrete RAC: NORMAL - Abstract RAC: INCOMPLETE (terminated because Postcondition of `set` cannot be evaluated) - Selected model 1: NC - Concrete RAC: FAILURE (postcondition at "bench/check-ce/maps_mono.mlw", line 45, characters 14-54) - Abstract RAC: FAILURE (postcondition at "bench/check-ce/maps_mono.mlw", line 45, characters 14-54) File "bench/check-ce/maps_mono.mlw", line 45, characters 14-54: Sub-goal Postcondition of goal test_map'vc. Prover result is: Unknown or time/memory/step limit. The program does not comply to the verification goal, for example during the following execution: File int.mlw: Line 13: Constant zero initialization zero = 0 Line 14: Constant one initialization one = 1 File maps_mono.mlw: Line 44: x = {contents= [|0 -> 3; 1 -> 3; _ -> 0|]} x = {contents= [|0 -> 3; 1 -> 3; _ -> 0|]} Execution of main function `test_map` with env: x = {contents= [|0 -> 3; 1 -> 3; _ -> 0|]} zero = 0 one = 1 Line 47: Normal execution of function `(!)` with args: r = {contents= [|0 -> 3; 1 -> 3; _ -> 0|]} File ref.mlw: Line 18: Normal execution of function `contents` with args: arg = {contents= [|0 -> 3; 1 -> 3; _ -> 0|]} File maps_mono.mlw: Line 47: Normal execution of function `set` with args: f = [|0 -> 3; 1 -> 3; _ -> 0|] x = 0 v = 3 Normal execution of function `(:=)` with args: r = {contents= [|0 -> 3; 1 -> 3; _ -> 0|]} v = (fun y -> if pure { if y = x then True else False } then v else f y) with f = [|0 -> 3; 1 -> 3; _ -> 0|], x = 0, v = 3 Line 45: Property failure at postcondition of `test_map` with: x = {contents= (fun y -> if pure { if y = x then True else False } then v else f y) with f = [|0 -> 3; 1 -> 3; _ -> 0|], x = 0, v = 3} Categorizations of models: - Selected model 0: NC - Concrete RAC: FAILURE (postcondition at "bench/check-ce/maps_mono.mlw", line 51, characters 14-88) - Abstract RAC: INCOMPLETE (terminated because Postcondition of `set1` cannot be evaluated) - Checked model 1: NC - Concrete RAC: FAILURE (postcondition at "bench/check-ce/maps_mono.mlw", line 51, characters 14-88) - Abstract RAC: FAILURE (postcondition at "bench/check-ce/maps_mono.mlw", line 51, characters 14-88) File "bench/check-ce/maps_mono.mlw", line 51, characters 14-88: Sub-goal Postcondition of goal test_map_multidim1'vc. Prover result is: Unknown or time/memory/step limit. The program does not comply to the verification goal, for example during the following execution: File int.mlw: Line 13: Constant zero initialization zero = 0 Line 14: Constant one initialization one = 1 File maps_mono.mlw: Line 50: x = {contents= [|0 -> [|0 -> 0; _ -> 1|]; _ -> [|; _ -> 0|]|]} x = {contents= [|0 -> [|0 -> 0; _ -> 1|]; _ -> [|; _ -> 0|]|]} Execution of main function `test_map_multidim1` with env: x = {contents= [|0 -> [|0 -> 0; _ -> 1|]; _ -> [|; _ -> 0|]|]} zero = 0 one = 1 Line 53: Normal execution of function `(!)` with args: r = {contents= [|0 -> [|0 -> 0; _ -> 1|]; _ -> [|; _ -> 0|]|]} File ref.mlw: Line 18: Normal execution of function `contents` with args: arg = {contents= [|0 -> [|0 -> 0; _ -> 1|]; _ -> [|; _ -> 0|]|]} File maps_mono.mlw: Line 53: Normal execution of function `get` with args: f = [|0 -> [|0 -> 0; _ -> 1|]; _ -> [|; _ -> 0|]|] x = 1 Line 29: Normal execution of function `(@)` with args: u = [|0 -> [|0 -> 0; _ -> 1|]; _ -> [|; _ -> 0|]|] u = 1 Line 53: Normal execution of function `(!)` with args: r = {contents= [|0 -> [|0 -> 0; _ -> 1|]; _ -> [|; _ -> 0|]|]} File ref.mlw: Line 18: Normal execution of function `contents` with args: arg = {contents= [|0 -> [|0 -> 0; _ -> 1|]; _ -> [|; _ -> 0|]|]} File maps_mono.mlw: Line 53: Normal execution of function `set` with args: f = [|0 -> [|0 -> 0; _ -> 1|]; _ -> [|; _ -> 0|]|] x = 0 v = [|; _ -> 0|] Normal execution of function `(:=)` with args: r = {contents= [|0 -> [|0 -> 0; _ -> 1|]; _ -> [|; _ -> 0|]|]} v = (fun y1 -> if pure { if y1 = x1 then True else False } then v1 else f1 y1) with f1 = [|0 -> [|0 -> 0; _ -> 1|]; _ -> [|; _ -> 0|]|], x1 = 0, v1 = [|; _ -> 0|] Line 51: Property failure at postcondition of `test_map_multidim1` with: x = {contents= (fun y1 -> if pure { if y1 = x1 then True else False } then v1 else f1 y1) with f1 = [|0 -> [|0 -> 0; _ -> 1|]; _ -> [|; _ -> 0|]|], x1 = 0, v1 = [|; _ -> 0|]} Categorizations of models: - Checked model 0: INCOMPLETE - Concrete RAC: NORMAL - Abstract RAC: INCOMPLETE (terminated because Postcondition of `set` cannot be evaluated) - Selected model 1: NC - Concrete RAC: FAILURE (postcondition at "bench/check-ce/maps_mono.mlw", line 56, characters 14-88) - Abstract RAC: FAILURE (postcondition at "bench/check-ce/maps_mono.mlw", line 56, characters 14-88) File "bench/check-ce/maps_mono.mlw", line 56, characters 14-88: Sub-goal Postcondition of goal test_map_multidim2'vc. Prover result is: Unknown or time/memory/step limit. The program does not comply to the verification goal, for example during the following execution: File int.mlw: Line 13: Constant zero initialization zero = 0 Line 14: Constant one initialization one = 1 File maps_mono.mlw: Line 55: x = {contents= [|0 -> [|0 -> 3; _ -> 1|]; 1 -> [|1 -> 3; _ -> 0|]; _ -> [|; _ -> 0|]|]} x = {contents= [|0 -> [|0 -> 3; _ -> 1|]; 1 -> [|1 -> 3; _ -> 0|]; _ -> [|; _ -> 0|]|]} Execution of main function `test_map_multidim2` with env: x = {contents= [|0 -> [|0 -> 3; _ -> 1|]; 1 -> [|1 -> 3; _ -> 0|]; _ -> [|; _ -> 0|]|]} zero = 0 one = 1 Line 58: Normal execution of function `(!)` with args: r = {contents= [|0 -> [|0 -> 3; _ -> 1|]; 1 -> [|1 -> 3; _ -> 0|]; _ -> [|; _ -> 0|]|]} File ref.mlw: Line 18: Normal execution of function `contents` with args: arg = {contents= [|0 -> [|0 -> 3; _ -> 1|]; 1 -> [|1 -> 3; _ -> 0|]; _ -> [|; _ -> 0|]|]} File maps_mono.mlw: Line 58: Normal execution of function `get` with args: f = [|0 -> [|0 -> 3; _ -> 1|]; 1 -> [|1 -> 3; _ -> 0|]; _ -> [|; _ -> 0|]|] x = 0 Line 29: Normal execution of function `(@)` with args: u = [|0 -> [|0 -> 3; _ -> 1|]; 1 -> [|1 -> 3; _ -> 0|]; _ -> [|; _ -> 0|]|] u = 0 Line 59: Normal execution of function `set` with args: f = [|0 -> 3; _ -> 1|] x = 0 v = 3 Line 60: Normal execution of function `(!)` with args: r = {contents= [|0 -> [|0 -> 3; _ -> 1|]; 1 -> [|1 -> 3; _ -> 0|]; _ -> [|; _ -> 0|]|]} File ref.mlw: Line 18: Normal execution of function `contents` with args: arg = {contents= [|0 -> [|0 -> 3; _ -> 1|]; 1 -> [|1 -> 3; _ -> 0|]; _ -> [|; _ -> 0|]|]} File maps_mono.mlw: Line 60: Normal execution of function `set` with args: f = [|0 -> [|0 -> 3; _ -> 1|]; 1 -> [|1 -> 3; _ -> 0|]; _ -> [|; _ -> 0|]|] x = 0 v = (fun y -> if pure { if y = x then True else False } then v else f y) with f = [|0 -> 3; _ -> 1|], x = 0, v = 3 Normal execution of function `(:=)` with args: r = {contents= [|0 -> [|0 -> 3; _ -> 1|]; 1 -> [|1 -> 3; _ -> 0|]; _ -> [|; _ -> 0|]|]} v = (fun y1 -> if pure { if y1 = x1 then True else False } then v1 else f1 y1) with f1 = [|0 -> [|0 -> 3; _ -> 1|]; 1 -> [|1 -> 3; _ -> 0|]; _ -> [|; _ -> 0|]|], x1 = 0, v1 = (fun y -> if pure { if y = x then True else False } then v else f y) with f = [| 0 -> 3; _ -> 1|], x = 0, v = 3 Line 56: Property failure at postcondition of `test_map_multidim2` with: x = {contents= (fun y1 -> if pure { if y1 = x1 then True else False } then v1 else f1 y1) with f1 = [|0 -> [|0 -> 3; _ -> 1|]; 1 -> [|1 -> 3; _ -> 0|]; _ -> [|; _ -> 0|]|], x1 = 0, v1 = (fun y -> if pure { if y = x then True else False } then v else f y) with f = [| 0 -> 3; _ -> 1|], x = 0, v = 3} Categorizations of models: - Checked model 0: INCOMPLETE - Concrete RAC: NORMAL - Abstract RAC: INCOMPLETE (terminated because Postcondition of `set` cannot be evaluated) - Selected model 1: NC - Concrete RAC: FAILURE (postcondition at "bench/check-ce/maps_mono.mlw", line 63, characters 14-54) - Abstract RAC: FAILURE (postcondition at "bench/check-ce/maps_mono.mlw", line 63, characters 14-54) File "bench/check-ce/maps_mono.mlw", line 63, characters 14-54: Sub-goal Postcondition of goal proj_map_test1'vc. Prover result is: Unknown or time/memory/step limit. The program does not comply to the verification goal, for example during the following execution: File int.mlw: Line 13: Constant zero initialization zero = 0 Line 14: Constant one initialization one = 1 File maps_mono.mlw: Line 62: x = {contents= [|0 -> 3; 1 -> 3; _ -> 0|]} x = {contents= [|0 -> 3; 1 -> 3; _ -> 0|]} Execution of main function `proj_map_test1` with env: x = {contents= [|0 -> 3; 1 -> 3; _ -> 0|]} zero = 0 one = 1 Line 65: Normal execution of function `(!)` with args: r = {contents= [|0 -> 3; 1 -> 3; _ -> 0|]} File ref.mlw: Line 18: Normal execution of function `contents` with args: arg = {contents= [|0 -> 3; 1 -> 3; _ -> 0|]} File maps_mono.mlw: Line 65: Normal execution of function `set` with args: f = [|0 -> 3; 1 -> 3; _ -> 0|] x = 0 v = 3 Normal execution of function `(:=)` with args: r = {contents= [|0 -> 3; 1 -> 3; _ -> 0|]} v = (fun y -> if pure { if y = x then True else False } then v else f y) with f = [|0 -> 3; 1 -> 3; _ -> 0|], x = 0, v = 3 Line 63: Property failure at postcondition of `proj_map_test1` with: x = {contents= (fun y -> if pure { if y = x then True else False } then v else f y) with f = [|0 -> 3; 1 -> 3; _ -> 0|], x = 0, v = 3} Categorizations of models: - Checked model 0: INCOMPLETE - Concrete RAC: NORMAL - Abstract RAC: INCOMPLETE (terminated because Postcondition of `set2` cannot be evaluated) - Selected model 1: NC - Concrete RAC: FAILURE (postcondition at "bench/check-ce/maps_mono.mlw", line 68, characters 14-56) - Abstract RAC: FAILURE (postcondition at "bench/check-ce/maps_mono.mlw", line 68, characters 14-56) File "bench/check-ce/maps_mono.mlw", line 68, characters 14-56: Sub-goal Postcondition of goal proj_map_test2'vc. Prover result is: Unknown or time/memory/step limit. The program does not comply to the verification goal, for example during the following execution: File int.mlw: Line 13: Constant zero initialization zero = 0 Line 14: Constant one initialization one = 1 File maps_mono.mlw: Line 67: x = {contents= [|0 -> true; 1 -> true; _ -> false|]} x = {contents= [|0 -> true; 1 -> true; _ -> false|]} Execution of main function `proj_map_test2` with env: x = {contents= [|0 -> true; 1 -> true; _ -> false|]} zero = 0 one = 1 Line 70: Normal execution of function `True` with args: Normal execution of function `(!)` with args: r = {contents= [|0 -> true; 1 -> true; _ -> false|]} File ref.mlw: Line 18: Normal execution of function `contents` with args: arg = {contents= [|0 -> true; 1 -> true; _ -> false|]} File maps_mono.mlw: Line 70: Normal execution of function `set` with args: f = [|0 -> true; 1 -> true; _ -> false|] x = 0 v = true Normal execution of function `(:=)` with args: r = {contents= [|0 -> true; 1 -> true; _ -> false|]} v = (fun y2 -> if pure { if y2 = x2 then True else False } then v2 else f2 y2) with f2 = [|0 -> true; 1 -> true; _ -> false|], x2 = 0, v2 = true Line 68: Property failure at postcondition of `proj_map_test2` with: x = {contents= (fun y2 -> if pure { if y2 = x2 then True else False } then v2 else f2 y2) with f2 = [|0 -> true; 1 -> true; _ -> false|], x2 = 0, v2 = true} Categorizations of models: - Checked model 0: BAD_CE - Concrete RAC: NORMAL - Abstract RAC: NORMAL - Selected model 1: NC - Concrete RAC: FAILURE (postcondition at "bench/check-ce/maps_mono.mlw", line 79, characters 3-31) - Abstract RAC: FAILURE (postcondition at "bench/check-ce/maps_mono.mlw", line 79, characters 3-31) File "bench/check-ce/maps_mono.mlw", line 79, characters 3-31: Goal t1. Prover result is: Unknown or time/memory/step limit. The program does not comply to the verification goal, for example during the following execution: File maps_mono.mlw: Line 78: t = [|0 -> 43; _ -> 0|] i = 0 t = [|0 -> 43; _ -> 0|] i = 0 Execution of main function `t1'goal` with env: i = 0 t = [|0 -> 43; _ -> 0|] Unknown location: Normal execution of function `Tuple0` with args: File maps_mono.mlw: Line 79: Property failure at postcondition of `t1'goal1` with: i = 0 t = [|0 -> 43; _ -> 0|] why3-1.6.0/bench/check-ce/oracles/maps_mono_CVC5,1.0.0_SP.oracle000066400000000000000000000314241440160026300235530ustar00rootroot00000000000000Categorizations of models: - Checked model 0: INCOMPLETE - Concrete RAC: NORMAL - Abstract RAC: INCOMPLETE (terminated because Postcondition of `set` cannot be evaluated) - Selected model 1: NC - Concrete RAC: FAILURE (postcondition at "bench/check-ce/maps_mono.mlw", line 45, characters 14-54) - Abstract RAC: FAILURE (postcondition at "bench/check-ce/maps_mono.mlw", line 45, characters 14-54) File "bench/check-ce/maps_mono.mlw", line 45, characters 14-54: Sub-goal Postcondition of goal test_map'vc. Prover result is: Unknown or time/memory/step limit. The program does not comply to the verification goal, for example during the following execution: File int.mlw: Line 13: Constant zero initialization zero = 0 Line 14: Constant one initialization one = 1 File maps_mono.mlw: Line 44: x = {contents= [|0 -> 3; 1 -> 3; _ -> 0|]} x = {contents= [|0 -> 3; 1 -> 3; _ -> 0|]} Execution of main function `test_map` with env: x = {contents= [|0 -> 3; 1 -> 3; _ -> 0|]} zero = 0 one = 1 Line 47: Normal execution of function `(!)` with args: r = {contents= [|0 -> 3; 1 -> 3; _ -> 0|]} File ref.mlw: Line 18: Normal execution of function `contents` with args: arg = {contents= [|0 -> 3; 1 -> 3; _ -> 0|]} File maps_mono.mlw: Line 47: Normal execution of function `set` with args: f = [|0 -> 3; 1 -> 3; _ -> 0|] x = 0 v = 3 Normal execution of function `(:=)` with args: r = {contents= [|0 -> 3; 1 -> 3; _ -> 0|]} v = (fun y -> if pure { if y = x then True else False } then v else f y) with f = [|0 -> 3; 1 -> 3; _ -> 0|], x = 0, v = 3 Line 45: Property failure at postcondition of `test_map` with: x = {contents= (fun y -> if pure { if y = x then True else False } then v else f y) with f = [|0 -> 3; 1 -> 3; _ -> 0|], x = 0, v = 3} Categorizations of models: - Selected model 0: NC - Concrete RAC: FAILURE (postcondition at "bench/check-ce/maps_mono.mlw", line 51, characters 14-88) - Abstract RAC: INCOMPLETE (terminated because Postcondition of `set1` cannot be evaluated) - Checked model 1: NC - Concrete RAC: FAILURE (postcondition at "bench/check-ce/maps_mono.mlw", line 51, characters 14-88) - Abstract RAC: FAILURE (postcondition at "bench/check-ce/maps_mono.mlw", line 51, characters 14-88) File "bench/check-ce/maps_mono.mlw", line 51, characters 14-88: Sub-goal Postcondition of goal test_map_multidim1'vc. Prover result is: Unknown or time/memory/step limit. The program does not comply to the verification goal, for example during the following execution: File int.mlw: Line 13: Constant zero initialization zero = 0 Line 14: Constant one initialization one = 1 File maps_mono.mlw: Line 50: x = {contents= [|0 -> [|0 -> 0; _ -> 1|]; _ -> [|; _ -> 0|]|]} x = {contents= [|0 -> [|0 -> 0; _ -> 1|]; _ -> [|; _ -> 0|]|]} Execution of main function `test_map_multidim1` with env: x = {contents= [|0 -> [|0 -> 0; _ -> 1|]; _ -> [|; _ -> 0|]|]} zero = 0 one = 1 Line 53: Normal execution of function `(!)` with args: r = {contents= [|0 -> [|0 -> 0; _ -> 1|]; _ -> [|; _ -> 0|]|]} File ref.mlw: Line 18: Normal execution of function `contents` with args: arg = {contents= [|0 -> [|0 -> 0; _ -> 1|]; _ -> [|; _ -> 0|]|]} File maps_mono.mlw: Line 53: Normal execution of function `get` with args: f = [|0 -> [|0 -> 0; _ -> 1|]; _ -> [|; _ -> 0|]|] x = 1 Line 29: Normal execution of function `(@)` with args: u = [|0 -> [|0 -> 0; _ -> 1|]; _ -> [|; _ -> 0|]|] u = 1 Line 53: Normal execution of function `(!)` with args: r = {contents= [|0 -> [|0 -> 0; _ -> 1|]; _ -> [|; _ -> 0|]|]} File ref.mlw: Line 18: Normal execution of function `contents` with args: arg = {contents= [|0 -> [|0 -> 0; _ -> 1|]; _ -> [|; _ -> 0|]|]} File maps_mono.mlw: Line 53: Normal execution of function `set` with args: f = [|0 -> [|0 -> 0; _ -> 1|]; _ -> [|; _ -> 0|]|] x = 0 v = [|; _ -> 0|] Normal execution of function `(:=)` with args: r = {contents= [|0 -> [|0 -> 0; _ -> 1|]; _ -> [|; _ -> 0|]|]} v = (fun y1 -> if pure { if y1 = x1 then True else False } then v1 else f1 y1) with f1 = [|0 -> [|0 -> 0; _ -> 1|]; _ -> [|; _ -> 0|]|], x1 = 0, v1 = [|; _ -> 0|] Line 51: Property failure at postcondition of `test_map_multidim1` with: x = {contents= (fun y1 -> if pure { if y1 = x1 then True else False } then v1 else f1 y1) with f1 = [|0 -> [|0 -> 0; _ -> 1|]; _ -> [|; _ -> 0|]|], x1 = 0, v1 = [|; _ -> 0|]} Categorizations of models: - Checked model 0: INCOMPLETE - Concrete RAC: NORMAL - Abstract RAC: INCOMPLETE (terminated because Postcondition of `set` cannot be evaluated) - Selected model 1: NC_SW - Concrete RAC: INCOMPLETE (terminated because Postcondition of `(:=)` cannot be evaluated) - Abstract RAC: FAILURE (postcondition at "bench/check-ce/maps_mono.mlw", line 56, characters 14-88) File "bench/check-ce/maps_mono.mlw", line 56, characters 14-88: Sub-goal Postcondition of goal test_map_multidim2'vc. Prover result is: Unknown or time/memory/step limit. The program does not comply to the verification goal, or the contracts of some loop or function are too weak, for example during the following execution: File int.mlw: Line 13: Constant zero initialization zero = 0 Line 14: Constant one initialization one = 1 File maps_mono.mlw: Line 55: x = {contents= [|0 -> [|0 -> 3; _ -> 1|]; 1 -> [|1 -> 3; _ -> 0|]; _ -> [|; _ -> 0|]|]} x = {contents= [|0 -> [|0 -> 3; _ -> 1|]; 1 -> [|1 -> 3; _ -> 0|]; _ -> [|; _ -> 0|]|]} Execution of main function `test_map_multidim2` with env: x = {contents= [|0 -> [|0 -> 3; _ -> 1|]; 1 -> [|1 -> 3; _ -> 0|]; _ -> [|; _ -> 0|]|]} zero = 0 one = 1 Line 58: Giant-step execution of function `(!)` with args: r = {contents= [|0 -> [|0 -> 3; _ -> 1|]; 1 -> [|1 -> 3; _ -> 0|]; _ -> [|; _ -> 0|]|]} result of `(!)` = [|0 -> [|0 -> 3; _ -> 1|]; 1 -> [|1 -> 3; _ -> 0|]; _ -> [|; _ -> 0|]|] Giant-step execution of function `get` with args: f = [|0 -> [|0 -> 3; _ -> 1|]; 1 -> [|1 -> 3; _ -> 0|]; _ -> [|; _ -> 0|]|] x = 0 result of `get` = [|0 -> 3; _ -> 1|] Line 59: Giant-step execution of function `set` with args: f = [|0 -> 3; _ -> 1|] x = 0 v = 3 result of `set` = [|0 -> 3; _ -> 1|] Line 60: Giant-step execution of function `(!)` with args: r = {contents= [|0 -> [|0 -> 3; _ -> 1|]; 1 -> [|1 -> 3; _ -> 0|]; _ -> [|; _ -> 0|]|]} result of `(!)` = [|0 -> [|0 -> 3; _ -> 1|]; 1 -> [|1 -> 3; _ -> 0|]; _ -> [|; _ -> 0|]|] Giant-step execution of function `set` with args: f = [|0 -> [|0 -> 3; _ -> 1|]; 1 -> [|1 -> 3; _ -> 0|]; _ -> [|; _ -> 0|]|] x = 0 v = [|0 -> 3; _ -> 1|] result of `set1` = [|0 -> [|0 -> 3; _ -> 1|]; 1 -> [|1 -> 3; _ -> 0|]; _ -> [|; _ -> 0|]|] Giant-step execution of function `(:=)` with args: r = {contents= [|0 -> [|0 -> 3; _ -> 1|]; 1 -> [|1 -> 3; _ -> 0|]; _ -> [|; _ -> 0|]|]} v = [|0 -> [|0 -> 3; _ -> 1|]; 1 -> [|1 -> 3; _ -> 0|]; _ -> [|; _ -> 0|]|] x = {contents= [|0 -> [|0 -> 3; _ -> 1|]; 1 -> [|1 -> 3; _ -> 0|]; _ -> [|; _ -> 0|]|]} result of `(:=)` = () Line 56: Property failure at postcondition of `test_map_multidim2` with: x = {contents= [|0 -> [|0 -> 3; _ -> 1|]; 1 -> [|1 -> 3; _ -> 0|]; _ -> [|; _ -> 0|]|]} Categorizations of models: - Checked model 0: INCOMPLETE - Concrete RAC: NORMAL - Abstract RAC: INCOMPLETE (terminated because Postcondition of `set` cannot be evaluated) - Selected model 1: NC - Concrete RAC: FAILURE (postcondition at "bench/check-ce/maps_mono.mlw", line 63, characters 14-54) - Abstract RAC: FAILURE (postcondition at "bench/check-ce/maps_mono.mlw", line 63, characters 14-54) File "bench/check-ce/maps_mono.mlw", line 63, characters 14-54: Sub-goal Postcondition of goal proj_map_test1'vc. Prover result is: Unknown or time/memory/step limit. The program does not comply to the verification goal, for example during the following execution: File int.mlw: Line 13: Constant zero initialization zero = 0 Line 14: Constant one initialization one = 1 File maps_mono.mlw: Line 62: x = {contents= [|0 -> 3; 1 -> 3; _ -> 0|]} x = {contents= [|0 -> 3; 1 -> 3; _ -> 0|]} Execution of main function `proj_map_test1` with env: x = {contents= [|0 -> 3; 1 -> 3; _ -> 0|]} zero = 0 one = 1 Line 65: Normal execution of function `(!)` with args: r = {contents= [|0 -> 3; 1 -> 3; _ -> 0|]} File ref.mlw: Line 18: Normal execution of function `contents` with args: arg = {contents= [|0 -> 3; 1 -> 3; _ -> 0|]} File maps_mono.mlw: Line 65: Normal execution of function `set` with args: f = [|0 -> 3; 1 -> 3; _ -> 0|] x = 0 v = 3 Normal execution of function `(:=)` with args: r = {contents= [|0 -> 3; 1 -> 3; _ -> 0|]} v = (fun y -> if pure { if y = x then True else False } then v else f y) with f = [|0 -> 3; 1 -> 3; _ -> 0|], x = 0, v = 3 Line 63: Property failure at postcondition of `proj_map_test1` with: x = {contents= (fun y -> if pure { if y = x then True else False } then v else f y) with f = [|0 -> 3; 1 -> 3; _ -> 0|], x = 0, v = 3} Categorizations of models: - Selected model 0: NC - Concrete RAC: FAILURE (postcondition at "bench/check-ce/maps_mono.mlw", line 68, characters 14-56) - Abstract RAC: FAILURE (postcondition at "bench/check-ce/maps_mono.mlw", line 68, characters 14-56) - Checked model 1: NC - Concrete RAC: FAILURE (postcondition at "bench/check-ce/maps_mono.mlw", line 68, characters 14-56) - Abstract RAC: FAILURE (postcondition at "bench/check-ce/maps_mono.mlw", line 68, characters 14-56) File "bench/check-ce/maps_mono.mlw", line 68, characters 14-56: Sub-goal Postcondition of goal proj_map_test2'vc. Prover result is: Unknown or time/memory/step limit. The program does not comply to the verification goal, for example during the following execution: File int.mlw: Line 13: Constant zero initialization zero = 0 Line 14: Constant one initialization one = 1 File maps_mono.mlw: Line 67: x = {contents= [|0 -> true; 1 -> true; _ -> false|]} x = {contents= [|0 -> true; 1 -> true; _ -> false|]} Execution of main function `proj_map_test2` with env: x = {contents= [|0 -> true; 1 -> true; _ -> false|]} zero = 0 one = 1 Line 70: Normal execution of function `True` with args: Normal execution of function `(!)` with args: r = {contents= [|0 -> true; 1 -> true; _ -> false|]} File ref.mlw: Line 18: Normal execution of function `contents` with args: arg = {contents= [|0 -> true; 1 -> true; _ -> false|]} File maps_mono.mlw: Line 70: Normal execution of function `set` with args: f = [|0 -> true; 1 -> true; _ -> false|] x = 0 v = true Normal execution of function `(:=)` with args: r = {contents= [|0 -> true; 1 -> true; _ -> false|]} v = (fun y2 -> if pure { if y2 = x2 then True else False } then v2 else f2 y2) with f2 = [|0 -> true; 1 -> true; _ -> false|], x2 = 0, v2 = true Line 68: Property failure at postcondition of `proj_map_test2` with: x = {contents= (fun y2 -> if pure { if y2 = x2 then True else False } then v2 else f2 y2) with f2 = [|0 -> true; 1 -> true; _ -> false|], x2 = 0, v2 = true} Categorizations of models: - Checked model 0: BAD_CE - Concrete RAC: NORMAL - Abstract RAC: NORMAL - Selected model 1: NC - Concrete RAC: FAILURE (postcondition at "bench/check-ce/maps_mono.mlw", line 79, characters 3-31) - Abstract RAC: FAILURE (postcondition at "bench/check-ce/maps_mono.mlw", line 79, characters 3-31) File "bench/check-ce/maps_mono.mlw", line 79, characters 3-31: Goal t1. Prover result is: Unknown or time/memory/step limit. The program does not comply to the verification goal, for example during the following execution: File maps_mono.mlw: Line 78: t = [|0 -> 43; _ -> 0|] i = 0 t = [|0 -> 43; _ -> 0|] i = 0 Execution of main function `t1'goal` with env: i = 0 t = [|0 -> 43; _ -> 0|] Unknown location: Normal execution of function `Tuple0` with args: File maps_mono.mlw: Line 79: Property failure at postcondition of `t1'goal1` with: i = 0 t = [|0 -> 43; _ -> 0|] why3-1.6.0/bench/check-ce/oracles/maps_mono_CVC5,1.0.0_WP.oracle000066400000000000000000000314241440160026300235570ustar00rootroot00000000000000Categorizations of models: - Checked model 0: INCOMPLETE - Concrete RAC: NORMAL - Abstract RAC: INCOMPLETE (terminated because Postcondition of `set` cannot be evaluated) - Selected model 1: NC - Concrete RAC: FAILURE (postcondition at "bench/check-ce/maps_mono.mlw", line 45, characters 14-54) - Abstract RAC: FAILURE (postcondition at "bench/check-ce/maps_mono.mlw", line 45, characters 14-54) File "bench/check-ce/maps_mono.mlw", line 45, characters 14-54: Sub-goal Postcondition of goal test_map'vc. Prover result is: Unknown or time/memory/step limit. The program does not comply to the verification goal, for example during the following execution: File int.mlw: Line 13: Constant zero initialization zero = 0 Line 14: Constant one initialization one = 1 File maps_mono.mlw: Line 44: x = {contents= [|0 -> 3; 1 -> 3; _ -> 0|]} x = {contents= [|0 -> 3; 1 -> 3; _ -> 0|]} Execution of main function `test_map` with env: x = {contents= [|0 -> 3; 1 -> 3; _ -> 0|]} zero = 0 one = 1 Line 47: Normal execution of function `(!)` with args: r = {contents= [|0 -> 3; 1 -> 3; _ -> 0|]} File ref.mlw: Line 18: Normal execution of function `contents` with args: arg = {contents= [|0 -> 3; 1 -> 3; _ -> 0|]} File maps_mono.mlw: Line 47: Normal execution of function `set` with args: f = [|0 -> 3; 1 -> 3; _ -> 0|] x = 0 v = 3 Normal execution of function `(:=)` with args: r = {contents= [|0 -> 3; 1 -> 3; _ -> 0|]} v = (fun y -> if pure { if y = x then True else False } then v else f y) with f = [|0 -> 3; 1 -> 3; _ -> 0|], x = 0, v = 3 Line 45: Property failure at postcondition of `test_map` with: x = {contents= (fun y -> if pure { if y = x then True else False } then v else f y) with f = [|0 -> 3; 1 -> 3; _ -> 0|], x = 0, v = 3} Categorizations of models: - Selected model 0: NC - Concrete RAC: FAILURE (postcondition at "bench/check-ce/maps_mono.mlw", line 51, characters 14-88) - Abstract RAC: INCOMPLETE (terminated because Postcondition of `set1` cannot be evaluated) - Checked model 1: NC - Concrete RAC: FAILURE (postcondition at "bench/check-ce/maps_mono.mlw", line 51, characters 14-88) - Abstract RAC: FAILURE (postcondition at "bench/check-ce/maps_mono.mlw", line 51, characters 14-88) File "bench/check-ce/maps_mono.mlw", line 51, characters 14-88: Sub-goal Postcondition of goal test_map_multidim1'vc. Prover result is: Unknown or time/memory/step limit. The program does not comply to the verification goal, for example during the following execution: File int.mlw: Line 13: Constant zero initialization zero = 0 Line 14: Constant one initialization one = 1 File maps_mono.mlw: Line 50: x = {contents= [|0 -> [|0 -> 0; _ -> 1|]; _ -> [|; _ -> 0|]|]} x = {contents= [|0 -> [|0 -> 0; _ -> 1|]; _ -> [|; _ -> 0|]|]} Execution of main function `test_map_multidim1` with env: x = {contents= [|0 -> [|0 -> 0; _ -> 1|]; _ -> [|; _ -> 0|]|]} zero = 0 one = 1 Line 53: Normal execution of function `(!)` with args: r = {contents= [|0 -> [|0 -> 0; _ -> 1|]; _ -> [|; _ -> 0|]|]} File ref.mlw: Line 18: Normal execution of function `contents` with args: arg = {contents= [|0 -> [|0 -> 0; _ -> 1|]; _ -> [|; _ -> 0|]|]} File maps_mono.mlw: Line 53: Normal execution of function `get` with args: f = [|0 -> [|0 -> 0; _ -> 1|]; _ -> [|; _ -> 0|]|] x = 1 Line 29: Normal execution of function `(@)` with args: u = [|0 -> [|0 -> 0; _ -> 1|]; _ -> [|; _ -> 0|]|] u = 1 Line 53: Normal execution of function `(!)` with args: r = {contents= [|0 -> [|0 -> 0; _ -> 1|]; _ -> [|; _ -> 0|]|]} File ref.mlw: Line 18: Normal execution of function `contents` with args: arg = {contents= [|0 -> [|0 -> 0; _ -> 1|]; _ -> [|; _ -> 0|]|]} File maps_mono.mlw: Line 53: Normal execution of function `set` with args: f = [|0 -> [|0 -> 0; _ -> 1|]; _ -> [|; _ -> 0|]|] x = 0 v = [|; _ -> 0|] Normal execution of function `(:=)` with args: r = {contents= [|0 -> [|0 -> 0; _ -> 1|]; _ -> [|; _ -> 0|]|]} v = (fun y1 -> if pure { if y1 = x1 then True else False } then v1 else f1 y1) with f1 = [|0 -> [|0 -> 0; _ -> 1|]; _ -> [|; _ -> 0|]|], x1 = 0, v1 = [|; _ -> 0|] Line 51: Property failure at postcondition of `test_map_multidim1` with: x = {contents= (fun y1 -> if pure { if y1 = x1 then True else False } then v1 else f1 y1) with f1 = [|0 -> [|0 -> 0; _ -> 1|]; _ -> [|; _ -> 0|]|], x1 = 0, v1 = [|; _ -> 0|]} Categorizations of models: - Checked model 0: INCOMPLETE - Concrete RAC: NORMAL - Abstract RAC: INCOMPLETE (terminated because Postcondition of `set` cannot be evaluated) - Selected model 1: NC_SW - Concrete RAC: INCOMPLETE (terminated because Postcondition of `(:=)` cannot be evaluated) - Abstract RAC: FAILURE (postcondition at "bench/check-ce/maps_mono.mlw", line 56, characters 14-88) File "bench/check-ce/maps_mono.mlw", line 56, characters 14-88: Sub-goal Postcondition of goal test_map_multidim2'vc. Prover result is: Unknown or time/memory/step limit. The program does not comply to the verification goal, or the contracts of some loop or function are too weak, for example during the following execution: File int.mlw: Line 13: Constant zero initialization zero = 0 Line 14: Constant one initialization one = 1 File maps_mono.mlw: Line 55: x = {contents= [|0 -> [|0 -> 3; _ -> 1|]; 1 -> [|1 -> 3; _ -> 0|]; _ -> [|; _ -> 0|]|]} x = {contents= [|0 -> [|0 -> 3; _ -> 1|]; 1 -> [|1 -> 3; _ -> 0|]; _ -> [|; _ -> 0|]|]} Execution of main function `test_map_multidim2` with env: x = {contents= [|0 -> [|0 -> 3; _ -> 1|]; 1 -> [|1 -> 3; _ -> 0|]; _ -> [|; _ -> 0|]|]} zero = 0 one = 1 Line 58: Giant-step execution of function `(!)` with args: r = {contents= [|0 -> [|0 -> 3; _ -> 1|]; 1 -> [|1 -> 3; _ -> 0|]; _ -> [|; _ -> 0|]|]} result of `(!)` = [|0 -> [|0 -> 3; _ -> 1|]; 1 -> [|1 -> 3; _ -> 0|]; _ -> [|; _ -> 0|]|] Giant-step execution of function `get` with args: f = [|0 -> [|0 -> 3; _ -> 1|]; 1 -> [|1 -> 3; _ -> 0|]; _ -> [|; _ -> 0|]|] x = 0 result of `get` = [|0 -> 3; _ -> 1|] Line 59: Giant-step execution of function `set` with args: f = [|0 -> 3; _ -> 1|] x = 0 v = 3 result of `set` = [|0 -> 3; _ -> 1|] Line 60: Giant-step execution of function `(!)` with args: r = {contents= [|0 -> [|0 -> 3; _ -> 1|]; 1 -> [|1 -> 3; _ -> 0|]; _ -> [|; _ -> 0|]|]} result of `(!)` = [|0 -> [|0 -> 3; _ -> 1|]; 1 -> [|1 -> 3; _ -> 0|]; _ -> [|; _ -> 0|]|] Giant-step execution of function `set` with args: f = [|0 -> [|0 -> 3; _ -> 1|]; 1 -> [|1 -> 3; _ -> 0|]; _ -> [|; _ -> 0|]|] x = 0 v = [|0 -> 3; _ -> 1|] result of `set1` = [|0 -> [|0 -> 3; _ -> 1|]; 1 -> [|1 -> 3; _ -> 0|]; _ -> [|; _ -> 0|]|] Giant-step execution of function `(:=)` with args: r = {contents= [|0 -> [|0 -> 3; _ -> 1|]; 1 -> [|1 -> 3; _ -> 0|]; _ -> [|; _ -> 0|]|]} v = [|0 -> [|0 -> 3; _ -> 1|]; 1 -> [|1 -> 3; _ -> 0|]; _ -> [|; _ -> 0|]|] x = {contents= [|0 -> [|0 -> 3; _ -> 1|]; 1 -> [|1 -> 3; _ -> 0|]; _ -> [|; _ -> 0|]|]} result of `(:=)` = () Line 56: Property failure at postcondition of `test_map_multidim2` with: x = {contents= [|0 -> [|0 -> 3; _ -> 1|]; 1 -> [|1 -> 3; _ -> 0|]; _ -> [|; _ -> 0|]|]} Categorizations of models: - Checked model 0: INCOMPLETE - Concrete RAC: NORMAL - Abstract RAC: INCOMPLETE (terminated because Postcondition of `set` cannot be evaluated) - Selected model 1: NC - Concrete RAC: FAILURE (postcondition at "bench/check-ce/maps_mono.mlw", line 63, characters 14-54) - Abstract RAC: FAILURE (postcondition at "bench/check-ce/maps_mono.mlw", line 63, characters 14-54) File "bench/check-ce/maps_mono.mlw", line 63, characters 14-54: Sub-goal Postcondition of goal proj_map_test1'vc. Prover result is: Unknown or time/memory/step limit. The program does not comply to the verification goal, for example during the following execution: File int.mlw: Line 13: Constant zero initialization zero = 0 Line 14: Constant one initialization one = 1 File maps_mono.mlw: Line 62: x = {contents= [|0 -> 3; 1 -> 3; _ -> 0|]} x = {contents= [|0 -> 3; 1 -> 3; _ -> 0|]} Execution of main function `proj_map_test1` with env: x = {contents= [|0 -> 3; 1 -> 3; _ -> 0|]} zero = 0 one = 1 Line 65: Normal execution of function `(!)` with args: r = {contents= [|0 -> 3; 1 -> 3; _ -> 0|]} File ref.mlw: Line 18: Normal execution of function `contents` with args: arg = {contents= [|0 -> 3; 1 -> 3; _ -> 0|]} File maps_mono.mlw: Line 65: Normal execution of function `set` with args: f = [|0 -> 3; 1 -> 3; _ -> 0|] x = 0 v = 3 Normal execution of function `(:=)` with args: r = {contents= [|0 -> 3; 1 -> 3; _ -> 0|]} v = (fun y -> if pure { if y = x then True else False } then v else f y) with f = [|0 -> 3; 1 -> 3; _ -> 0|], x = 0, v = 3 Line 63: Property failure at postcondition of `proj_map_test1` with: x = {contents= (fun y -> if pure { if y = x then True else False } then v else f y) with f = [|0 -> 3; 1 -> 3; _ -> 0|], x = 0, v = 3} Categorizations of models: - Selected model 0: NC - Concrete RAC: FAILURE (postcondition at "bench/check-ce/maps_mono.mlw", line 68, characters 14-56) - Abstract RAC: FAILURE (postcondition at "bench/check-ce/maps_mono.mlw", line 68, characters 14-56) - Checked model 1: NC - Concrete RAC: FAILURE (postcondition at "bench/check-ce/maps_mono.mlw", line 68, characters 14-56) - Abstract RAC: FAILURE (postcondition at "bench/check-ce/maps_mono.mlw", line 68, characters 14-56) File "bench/check-ce/maps_mono.mlw", line 68, characters 14-56: Sub-goal Postcondition of goal proj_map_test2'vc. Prover result is: Unknown or time/memory/step limit. The program does not comply to the verification goal, for example during the following execution: File int.mlw: Line 13: Constant zero initialization zero = 0 Line 14: Constant one initialization one = 1 File maps_mono.mlw: Line 67: x = {contents= [|0 -> true; 1 -> true; _ -> false|]} x = {contents= [|0 -> true; 1 -> true; _ -> false|]} Execution of main function `proj_map_test2` with env: x = {contents= [|0 -> true; 1 -> true; _ -> false|]} zero = 0 one = 1 Line 70: Normal execution of function `True` with args: Normal execution of function `(!)` with args: r = {contents= [|0 -> true; 1 -> true; _ -> false|]} File ref.mlw: Line 18: Normal execution of function `contents` with args: arg = {contents= [|0 -> true; 1 -> true; _ -> false|]} File maps_mono.mlw: Line 70: Normal execution of function `set` with args: f = [|0 -> true; 1 -> true; _ -> false|] x = 0 v = true Normal execution of function `(:=)` with args: r = {contents= [|0 -> true; 1 -> true; _ -> false|]} v = (fun y2 -> if pure { if y2 = x2 then True else False } then v2 else f2 y2) with f2 = [|0 -> true; 1 -> true; _ -> false|], x2 = 0, v2 = true Line 68: Property failure at postcondition of `proj_map_test2` with: x = {contents= (fun y2 -> if pure { if y2 = x2 then True else False } then v2 else f2 y2) with f2 = [|0 -> true; 1 -> true; _ -> false|], x2 = 0, v2 = true} Categorizations of models: - Checked model 0: BAD_CE - Concrete RAC: NORMAL - Abstract RAC: NORMAL - Selected model 1: NC - Concrete RAC: FAILURE (postcondition at "bench/check-ce/maps_mono.mlw", line 79, characters 3-31) - Abstract RAC: FAILURE (postcondition at "bench/check-ce/maps_mono.mlw", line 79, characters 3-31) File "bench/check-ce/maps_mono.mlw", line 79, characters 3-31: Goal t1. Prover result is: Unknown or time/memory/step limit. The program does not comply to the verification goal, for example during the following execution: File maps_mono.mlw: Line 78: t = [|0 -> 43; _ -> 0|] i = 0 t = [|0 -> 43; _ -> 0|] i = 0 Execution of main function `t1'goal` with env: i = 0 t = [|0 -> 43; _ -> 0|] Unknown location: Normal execution of function `Tuple0` with args: File maps_mono.mlw: Line 79: Property failure at postcondition of `t1'goal1` with: i = 0 t = [|0 -> 43; _ -> 0|] why3-1.6.0/bench/check-ce/oracles/maps_mono_Z3,4.8.10_SP.oracle000066400000000000000000001005331440160026300234410ustar00rootroot00000000000000Categorizations of models: - Checked model 0: BAD_CE - Concrete RAC: NORMAL - Abstract RAC: STUCK (failure in postcondition of `set` at unknown location) - Selected model 1: NC - Concrete RAC: FAILURE (postcondition at "bench/check-ce/maps_mono.mlw", line 45, characters 14-54) - Abstract RAC: STUCK (failure in postcondition of `set` at unknown location) File "bench/check-ce/maps_mono.mlw", line 45, characters 14-54: Sub-goal Postcondition of goal test_map'vc. Prover result is: Unknown or time/memory/step limit. The program does not comply to the verification goal, for example during the following execution: File int.mlw: Line 13: Constant zero initialization zero = 0 Line 14: Constant one initialization one = 1 File maps_mono.mlw: Line 44: x = {contents= [|0 -> 12; 1 -> 3; 13 -> 15; 16 -> 18; 19 -> 20; 22 -> 24; 34 -> 35; 36 -> 38; 45 -> 46; 58 -> 60; _ -> 2|]} x = {contents= [|0 -> 12; 1 -> 3; 13 -> 15; 16 -> 18; 19 -> 20; 22 -> 24; 34 -> 35; 36 -> 38; 45 -> 46; 58 -> 60; _ -> 2|]} Execution of main function `test_map` with env: x = {contents= [|0 -> 12; 1 -> 3; 13 -> 15; 16 -> 18; 19 -> 20; 22 -> 24; 34 -> 35; 36 -> 38; 45 -> 46; 58 -> 60; _ -> 2|]} zero = 0 one = 1 Line 47: Normal execution of function `(!)` with args: r = {contents= [|0 -> 12; 1 -> 3; 13 -> 15; 16 -> 18; 19 -> 20; 22 -> 24; 34 -> 35; 36 -> 38; 45 -> 46; 58 -> 60; _ -> 2|]} File ref.mlw: Line 18: Normal execution of function `contents` with args: arg = {contents= [|0 -> 12; 1 -> 3; 13 -> 15; 16 -> 18; 19 -> 20; 22 -> 24; 34 -> 35; 36 -> 38; 45 -> 46; 58 -> 60; _ -> 2|]} File maps_mono.mlw: Line 47: Normal execution of function `set` with args: f = [|0 -> 12; 1 -> 3; 13 -> 15; 16 -> 18; 19 -> 20; 22 -> 24; 34 -> 35; 36 -> 38; 45 -> 46; 58 -> 60; _ -> 2|] x = 0 v = 3 Normal execution of function `(:=)` with args: r = {contents= [|0 -> 12; 1 -> 3; 13 -> 15; 16 -> 18; 19 -> 20; 22 -> 24; 34 -> 35; 36 -> 38; 45 -> 46; 58 -> 60; _ -> 2|]} v = (fun y -> if pure { if y = x then True else False } then v else f y) with f = [|0 -> 12; 1 -> 3; 13 -> 15; 16 -> 18; 19 -> 20; 22 -> 24; 34 -> 35; 36 -> 38; 45 -> 46; 58 -> 60; _ -> 2|], x = 0, v = 3 Line 45: Property failure at postcondition of `test_map` with: x = {contents= (fun y -> if pure { if y = x then True else False } then v else f y) with f = [|0 -> 12; 1 -> 3; 13 -> 15; 16 -> 18; 19 -> 20; 22 -> 24; 34 -> 35; 36 -> 38; 45 -> 46; 58 -> 60; _ -> 2|], x = 0, v = 3} Categorizations of models: - Selected model 0: NC - Concrete RAC: FAILURE (postcondition at "bench/check-ce/maps_mono.mlw", line 51, characters 14-88) - Abstract RAC: INCOMPLETE (terminated because Postcondition of `set1` cannot be evaluated) - Checked model 1: NC - Concrete RAC: FAILURE (postcondition at "bench/check-ce/maps_mono.mlw", line 51, characters 14-88) - Abstract RAC: INCOMPLETE (terminated because Postcondition of `set1` cannot be evaluated) File "bench/check-ce/maps_mono.mlw", line 51, characters 14-88: Sub-goal Postcondition of goal test_map_multidim1'vc. Prover result is: Unknown or time/memory/step limit. The program does not comply to the verification goal, for example during the following execution: File int.mlw: Line 13: Constant zero initialization zero = 0 Line 14: Constant one initialization one = 1 File maps_mono.mlw: Line 50: x = {contents= [|1 -> [|; _ -> 2|]; 3 -> [|4 -> 5; _ -> 5|]; _ -> [|4 -> 5; _ -> 5|]|]} x = {contents= [|1 -> [|; _ -> 2|]; 3 -> [|4 -> 5; _ -> 5|]; _ -> [|4 -> 5; _ -> 5|]|]} Execution of main function `test_map_multidim1` with env: x = {contents= [|1 -> [|; _ -> 2|]; 3 -> [|4 -> 5; _ -> 5|]; _ -> [|4 -> 5; _ -> 5|]|]} zero = 0 one = 1 Line 53: Normal execution of function `(!)` with args: r = {contents= [|1 -> [|; _ -> 2|]; 3 -> [|4 -> 5; _ -> 5|]; _ -> [|4 -> 5; _ -> 5|]|]} File ref.mlw: Line 18: Normal execution of function `contents` with args: arg = {contents= [|1 -> [|; _ -> 2|]; 3 -> [|4 -> 5; _ -> 5|]; _ -> [|4 -> 5; _ -> 5|]|]} File maps_mono.mlw: Line 53: Normal execution of function `get` with args: f = [|1 -> [|; _ -> 2|]; 3 -> [|4 -> 5; _ -> 5|]; _ -> [|4 -> 5; _ -> 5|]|] x = 1 Line 29: Normal execution of function `(@)` with args: u = [|1 -> [|; _ -> 2|]; 3 -> [|4 -> 5; _ -> 5|]; _ -> [|4 -> 5; _ -> 5|]|] u = 1 Line 53: Normal execution of function `(!)` with args: r = {contents= [|1 -> [|; _ -> 2|]; 3 -> [|4 -> 5; _ -> 5|]; _ -> [|4 -> 5; _ -> 5|]|]} File ref.mlw: Line 18: Normal execution of function `contents` with args: arg = {contents= [|1 -> [|; _ -> 2|]; 3 -> [|4 -> 5; _ -> 5|]; _ -> [|4 -> 5; _ -> 5|]|]} File maps_mono.mlw: Line 53: Normal execution of function `set` with args: f = [|1 -> [|; _ -> 2|]; 3 -> [|4 -> 5; _ -> 5|]; _ -> [|4 -> 5; _ -> 5|]|] x = 0 v = [|; _ -> 2|] Normal execution of function `(:=)` with args: r = {contents= [|1 -> [|; _ -> 2|]; 3 -> [|4 -> 5; _ -> 5|]; _ -> [|4 -> 5; _ -> 5|]|]} v = (fun y1 -> if pure { if y1 = x1 then True else False } then v1 else f1 y1) with f1 = [|1 -> [|; _ -> 2|]; 3 -> [|4 -> 5; _ -> 5|]; _ -> [|4 -> 5; _ -> 5|]|], x1 = 0, v1 = [|; _ -> 2|] Line 51: Property failure at postcondition of `test_map_multidim1` with: x = {contents= (fun y1 -> if pure { if y1 = x1 then True else False } then v1 else f1 y1) with f1 = [|1 -> [|; _ -> 2|]; 3 -> [|4 -> 5; _ -> 5|]; _ -> [|4 -> 5; _ -> 5|]|], x1 = 0, v1 = [|; _ -> 2|]} Categorizations of models: - Checked model 0: BAD_CE - Concrete RAC: NORMAL - Abstract RAC: STUCK (failure in postcondition of `set` at unknown location) - Selected model 1: NC - Concrete RAC: FAILURE (postcondition at "bench/check-ce/maps_mono.mlw", line 56, characters 14-88) - Abstract RAC: INCOMPLETE (terminated because Postcondition of `set` cannot be evaluated) File "bench/check-ce/maps_mono.mlw", line 56, characters 14-88: Sub-goal Postcondition of goal test_map_multidim2'vc. Prover result is: Unknown or time/memory/step limit. The program does not comply to the verification goal, for example during the following execution: File int.mlw: Line 13: Constant zero initialization zero = 0 Line 14: Constant one initialization one = 1 File maps_mono.mlw: Line 55: x = {contents= [|0 -> [|0 -> 184; 9 -> 176; 26 -> 175; 45 -> 171; 57 -> 174; 97 -> 180; 143 -> 172; 146 -> 182; 148 -> 173; 157 -> 183; 165 -> 177; 168 -> 179; 181 -> 141; _ -> 185|]; 1 -> [|1 -> 3; _ -> 170|]; 193 -> [|137 -> 136; _ -> 138|]; 196 -> [|128 -> 127; _ -> 129|]; 198 -> [|118 -> 120; _ -> 121|]; 201 -> [|0 -> 103; 7 -> 94; 28 -> 95; 63 -> 98; 91 -> 90; 93 -> 92; 97 -> 96; 100 -> 99; 102 -> 101; _ -> 104|]; 204 -> [|76 -> 75; _ -> 77|]; 206 -> [|13 -> 66; 22 -> 55; 57 -> 56; 59 -> 58; 61 -> 60; 63 -> 62; 65 -> 64; 68 -> 67; _ -> 69|]; 208 -> [|48 -> 50; _ -> 51|]; 210 -> [|17 -> 35; 22 -> 21; 24 -> 23; 26 -> 25; 28 -> 27; 30 -> 29; 32 -> 31; 34 -> 33; _ -> 36|]; 211 -> [|7 -> 2; 9 -> 8; 11 -> 10; 13 -> 12; 15 -> 14; 17 -> 16; 19 -> 18; _ -> 20|]; _ -> [|; _ -> 186|]|]} x = {contents= [|0 -> [|0 -> 184; 9 -> 176; 26 -> 175; 45 -> 171; 57 -> 174; 97 -> 180; 143 -> 172; 146 -> 182; 148 -> 173; 157 -> 183; 165 -> 177; 168 -> 179; 181 -> 141; _ -> 185|]; 1 -> [|1 -> 3; _ -> 170|]; 193 -> [|137 -> 136; _ -> 138|]; 196 -> [|128 -> 127; _ -> 129|]; 198 -> [|118 -> 120; _ -> 121|]; 201 -> [|0 -> 103; 7 -> 94; 28 -> 95; 63 -> 98; 91 -> 90; 93 -> 92; 97 -> 96; 100 -> 99; 102 -> 101; _ -> 104|]; 204 -> [|76 -> 75; _ -> 77|]; 206 -> [|13 -> 66; 22 -> 55; 57 -> 56; 59 -> 58; 61 -> 60; 63 -> 62; 65 -> 64; 68 -> 67; _ -> 69|]; 208 -> [|48 -> 50; _ -> 51|]; 210 -> [|17 -> 35; 22 -> 21; 24 -> 23; 26 -> 25; 28 -> 27; 30 -> 29; 32 -> 31; 34 -> 33; _ -> 36|]; 211 -> [|7 -> 2; 9 -> 8; 11 -> 10; 13 -> 12; 15 -> 14; 17 -> 16; 19 -> 18; _ -> 20|]; _ -> [|; _ -> 186|]|]} Execution of main function `test_map_multidim2` with env: x = {contents= [|0 -> [|0 -> 184; 9 -> 176; 26 -> 175; 45 -> 171; 57 -> 174; 97 -> 180; 143 -> 172; 146 -> 182; 148 -> 173; 157 -> 183; 165 -> 177; 168 -> 179; 181 -> 141; _ -> 185|]; 1 -> [|1 -> 3; _ -> 170|]; 193 -> [|137 -> 136; _ -> 138|]; 196 -> [|128 -> 127; _ -> 129|]; 198 -> [|118 -> 120; _ -> 121|]; 201 -> [|0 -> 103; 7 -> 94; 28 -> 95; 63 -> 98; 91 -> 90; 93 -> 92; 97 -> 96; 100 -> 99; 102 -> 101; _ -> 104|]; 204 -> [|76 -> 75; _ -> 77|]; 206 -> [|13 -> 66; 22 -> 55; 57 -> 56; 59 -> 58; 61 -> 60; 63 -> 62; 65 -> 64; 68 -> 67; _ -> 69|]; 208 -> [|48 -> 50; _ -> 51|]; 210 -> [|17 -> 35; 22 -> 21; 24 -> 23; 26 -> 25; 28 -> 27; 30 -> 29; 32 -> 31; 34 -> 33; _ -> 36|]; 211 -> [|7 -> 2; 9 -> 8; 11 -> 10; 13 -> 12; 15 -> 14; 17 -> 16; 19 -> 18; _ -> 20|]; _ -> [|; _ -> 186|]|]} zero = 0 one = 1 Line 58: Normal execution of function `(!)` with args: r = {contents= [|0 -> [|0 -> 184; 9 -> 176; 26 -> 175; 45 -> 171; 57 -> 174; 97 -> 180; 143 -> 172; 146 -> 182; 148 -> 173; 157 -> 183; 165 -> 177; 168 -> 179; 181 -> 141; _ -> 185|]; 1 -> [|1 -> 3; _ -> 170|]; 193 -> [|137 -> 136; _ -> 138|]; 196 -> [|128 -> 127; _ -> 129|]; 198 -> [|118 -> 120; _ -> 121|]; 201 -> [|0 -> 103; 7 -> 94; 28 -> 95; 63 -> 98; 91 -> 90; 93 -> 92; 97 -> 96; 100 -> 99; 102 -> 101; _ -> 104|]; 204 -> [|76 -> 75; _ -> 77|]; 206 -> [|13 -> 66; 22 -> 55; 57 -> 56; 59 -> 58; 61 -> 60; 63 -> 62; 65 -> 64; 68 -> 67; _ -> 69|]; 208 -> [|48 -> 50; _ -> 51|]; 210 -> [|17 -> 35; 22 -> 21; 24 -> 23; 26 -> 25; 28 -> 27; 30 -> 29; 32 -> 31; 34 -> 33; _ -> 36|]; 211 -> [|7 -> 2; 9 -> 8; 11 -> 10; 13 -> 12; 15 -> 14; 17 -> 16; 19 -> 18; _ -> 20|]; _ -> [|; _ -> 186|]|]} File ref.mlw: Line 18: Normal execution of function `contents` with args: arg = {contents= [|0 -> [|0 -> 184; 9 -> 176; 26 -> 175; 45 -> 171; 57 -> 174; 97 -> 180; 143 -> 172; 146 -> 182; 148 -> 173; 157 -> 183; 165 -> 177; 168 -> 179; 181 -> 141; _ -> 185|]; 1 -> [|1 -> 3; _ -> 170|]; 193 -> [|137 -> 136; _ -> 138|]; 196 -> [|128 -> 127; _ -> 129|]; 198 -> [|118 -> 120; _ -> 121|]; 201 -> [|0 -> 103; 7 -> 94; 28 -> 95; 63 -> 98; 91 -> 90; 93 -> 92; 97 -> 96; 100 -> 99; 102 -> 101; _ -> 104|]; 204 -> [|76 -> 75; _ -> 77|]; 206 -> [|13 -> 66; 22 -> 55; 57 -> 56; 59 -> 58; 61 -> 60; 63 -> 62; 65 -> 64; 68 -> 67; _ -> 69|]; 208 -> [|48 -> 50; _ -> 51|]; 210 -> [|17 -> 35; 22 -> 21; 24 -> 23; 26 -> 25; 28 -> 27; 30 -> 29; 32 -> 31; 34 -> 33; _ -> 36|]; 211 -> [|7 -> 2; 9 -> 8; 11 -> 10; 13 -> 12; 15 -> 14; 17 -> 16; 19 -> 18; _ -> 20|]; _ -> [|; _ -> 186|]|]} File maps_mono.mlw: Line 58: Normal execution of function `get` with args: f = [|0 -> [|0 -> 184; 9 -> 176; 26 -> 175; 45 -> 171; 57 -> 174; 97 -> 180; 143 -> 172; 146 -> 182; 148 -> 173; 157 -> 183; 165 -> 177; 168 -> 179; 181 -> 141; _ -> 185|]; 1 -> [|1 -> 3; _ -> 170|]; 193 -> [|137 -> 136; _ -> 138|]; 196 -> [|128 -> 127; _ -> 129|]; 198 -> [|118 -> 120; _ -> 121|]; 201 -> [|0 -> 103; 7 -> 94; 28 -> 95; 63 -> 98; 91 -> 90; 93 -> 92; 97 -> 96; 100 -> 99; 102 -> 101; _ -> 104|]; 204 -> [|76 -> 75; _ -> 77|]; 206 -> [|13 -> 66; 22 -> 55; 57 -> 56; 59 -> 58; 61 -> 60; 63 -> 62; 65 -> 64; 68 -> 67; _ -> 69|]; 208 -> [|48 -> 50; _ -> 51|]; 210 -> [|17 -> 35; 22 -> 21; 24 -> 23; 26 -> 25; 28 -> 27; 30 -> 29; 32 -> 31; 34 -> 33; _ -> 36|]; 211 -> [|7 -> 2; 9 -> 8; 11 -> 10; 13 -> 12; 15 -> 14; 17 -> 16; 19 -> 18; _ -> 20|]; _ -> [|; _ -> 186|]|] x = 0 Line 29: Normal execution of function `(@)` with args: u = [|0 -> [|0 -> 184; 9 -> 176; 26 -> 175; 45 -> 171; 57 -> 174; 97 -> 180; 143 -> 172; 146 -> 182; 148 -> 173; 157 -> 183; 165 -> 177; 168 -> 179; 181 -> 141; _ -> 185|]; 1 -> [|1 -> 3; _ -> 170|]; 193 -> [|137 -> 136; _ -> 138|]; 196 -> [|128 -> 127; _ -> 129|]; 198 -> [|118 -> 120; _ -> 121|]; 201 -> [|0 -> 103; 7 -> 94; 28 -> 95; 63 -> 98; 91 -> 90; 93 -> 92; 97 -> 96; 100 -> 99; 102 -> 101; _ -> 104|]; 204 -> [|76 -> 75; _ -> 77|]; 206 -> [|13 -> 66; 22 -> 55; 57 -> 56; 59 -> 58; 61 -> 60; 63 -> 62; 65 -> 64; 68 -> 67; _ -> 69|]; 208 -> [|48 -> 50; _ -> 51|]; 210 -> [|17 -> 35; 22 -> 21; 24 -> 23; 26 -> 25; 28 -> 27; 30 -> 29; 32 -> 31; 34 -> 33; _ -> 36|]; 211 -> [|7 -> 2; 9 -> 8; 11 -> 10; 13 -> 12; 15 -> 14; 17 -> 16; 19 -> 18; _ -> 20|]; _ -> [|; _ -> 186|]|] u = 0 Line 59: Normal execution of function `set` with args: f = [|0 -> 184; 9 -> 176; 26 -> 175; 45 -> 171; 57 -> 174; 97 -> 180; 143 -> 172; 146 -> 182; 148 -> 173; 157 -> 183; 165 -> 177; 168 -> 179; 181 -> 141; _ -> 185|] x = 0 v = 3 Line 60: Normal execution of function `(!)` with args: r = {contents= [|0 -> [|0 -> 184; 9 -> 176; 26 -> 175; 45 -> 171; 57 -> 174; 97 -> 180; 143 -> 172; 146 -> 182; 148 -> 173; 157 -> 183; 165 -> 177; 168 -> 179; 181 -> 141; _ -> 185|]; 1 -> [|1 -> 3; _ -> 170|]; 193 -> [|137 -> 136; _ -> 138|]; 196 -> [|128 -> 127; _ -> 129|]; 198 -> [|118 -> 120; _ -> 121|]; 201 -> [|0 -> 103; 7 -> 94; 28 -> 95; 63 -> 98; 91 -> 90; 93 -> 92; 97 -> 96; 100 -> 99; 102 -> 101; _ -> 104|]; 204 -> [|76 -> 75; _ -> 77|]; 206 -> [|13 -> 66; 22 -> 55; 57 -> 56; 59 -> 58; 61 -> 60; 63 -> 62; 65 -> 64; 68 -> 67; _ -> 69|]; 208 -> [|48 -> 50; _ -> 51|]; 210 -> [|17 -> 35; 22 -> 21; 24 -> 23; 26 -> 25; 28 -> 27; 30 -> 29; 32 -> 31; 34 -> 33; _ -> 36|]; 211 -> [|7 -> 2; 9 -> 8; 11 -> 10; 13 -> 12; 15 -> 14; 17 -> 16; 19 -> 18; _ -> 20|]; _ -> [|; _ -> 186|]|]} File ref.mlw: Line 18: Normal execution of function `contents` with args: arg = {contents= [|0 -> [|0 -> 184; 9 -> 176; 26 -> 175; 45 -> 171; 57 -> 174; 97 -> 180; 143 -> 172; 146 -> 182; 148 -> 173; 157 -> 183; 165 -> 177; 168 -> 179; 181 -> 141; _ -> 185|]; 1 -> [|1 -> 3; _ -> 170|]; 193 -> [|137 -> 136; _ -> 138|]; 196 -> [|128 -> 127; _ -> 129|]; 198 -> [|118 -> 120; _ -> 121|]; 201 -> [|0 -> 103; 7 -> 94; 28 -> 95; 63 -> 98; 91 -> 90; 93 -> 92; 97 -> 96; 100 -> 99; 102 -> 101; _ -> 104|]; 204 -> [|76 -> 75; _ -> 77|]; 206 -> [|13 -> 66; 22 -> 55; 57 -> 56; 59 -> 58; 61 -> 60; 63 -> 62; 65 -> 64; 68 -> 67; _ -> 69|]; 208 -> [|48 -> 50; _ -> 51|]; 210 -> [|17 -> 35; 22 -> 21; 24 -> 23; 26 -> 25; 28 -> 27; 30 -> 29; 32 -> 31; 34 -> 33; _ -> 36|]; 211 -> [|7 -> 2; 9 -> 8; 11 -> 10; 13 -> 12; 15 -> 14; 17 -> 16; 19 -> 18; _ -> 20|]; _ -> [|; _ -> 186|]|]} File maps_mono.mlw: Line 60: Normal execution of function `set` with args: f = [|0 -> [|0 -> 184; 9 -> 176; 26 -> 175; 45 -> 171; 57 -> 174; 97 -> 180; 143 -> 172; 146 -> 182; 148 -> 173; 157 -> 183; 165 -> 177; 168 -> 179; 181 -> 141; _ -> 185|]; 1 -> [|1 -> 3; _ -> 170|]; 193 -> [|137 -> 136; _ -> 138|]; 196 -> [|128 -> 127; _ -> 129|]; 198 -> [|118 -> 120; _ -> 121|]; 201 -> [|0 -> 103; 7 -> 94; 28 -> 95; 63 -> 98; 91 -> 90; 93 -> 92; 97 -> 96; 100 -> 99; 102 -> 101; _ -> 104|]; 204 -> [|76 -> 75; _ -> 77|]; 206 -> [|13 -> 66; 22 -> 55; 57 -> 56; 59 -> 58; 61 -> 60; 63 -> 62; 65 -> 64; 68 -> 67; _ -> 69|]; 208 -> [|48 -> 50; _ -> 51|]; 210 -> [|17 -> 35; 22 -> 21; 24 -> 23; 26 -> 25; 28 -> 27; 30 -> 29; 32 -> 31; 34 -> 33; _ -> 36|]; 211 -> [|7 -> 2; 9 -> 8; 11 -> 10; 13 -> 12; 15 -> 14; 17 -> 16; 19 -> 18; _ -> 20|]; _ -> [|; _ -> 186|]|] x = 0 v = (fun y -> if pure { if y = x then True else False } then v else f y) with f = [|0 -> 184; 9 -> 176; 26 -> 175; 45 -> 171; 57 -> 174; 97 -> 180; 143 -> 172; 146 -> 182; 148 -> 173; 157 -> 183; 165 -> 177; 168 -> 179; 181 -> 141; _ -> 185|], x = 0, v = 3 Normal execution of function `(:=)` with args: r = {contents= [|0 -> [|0 -> 184; 9 -> 176; 26 -> 175; 45 -> 171; 57 -> 174; 97 -> 180; 143 -> 172; 146 -> 182; 148 -> 173; 157 -> 183; 165 -> 177; 168 -> 179; 181 -> 141; _ -> 185|]; 1 -> [|1 -> 3; _ -> 170|]; 193 -> [|137 -> 136; _ -> 138|]; 196 -> [|128 -> 127; _ -> 129|]; 198 -> [|118 -> 120; _ -> 121|]; 201 -> [|0 -> 103; 7 -> 94; 28 -> 95; 63 -> 98; 91 -> 90; 93 -> 92; 97 -> 96; 100 -> 99; 102 -> 101; _ -> 104|]; 204 -> [|76 -> 75; _ -> 77|]; 206 -> [|13 -> 66; 22 -> 55; 57 -> 56; 59 -> 58; 61 -> 60; 63 -> 62; 65 -> 64; 68 -> 67; _ -> 69|]; 208 -> [|48 -> 50; _ -> 51|]; 210 -> [|17 -> 35; 22 -> 21; 24 -> 23; 26 -> 25; 28 -> 27; 30 -> 29; 32 -> 31; 34 -> 33; _ -> 36|]; 211 -> [|7 -> 2; 9 -> 8; 11 -> 10; 13 -> 12; 15 -> 14; 17 -> 16; 19 -> 18; _ -> 20|]; _ -> [|; _ -> 186|]|]} v = (fun y1 -> if pure { if y1 = x1 then True else False } then v1 else f1 y1) with f1 = [|0 -> [|0 -> 184; 9 -> 176; 26 -> 175; 45 -> 171; 57 -> 174; 97 -> 180; 143 -> 172; 146 -> 182; 148 -> 173; 157 -> 183; 165 -> 177; 168 -> 179; 181 -> 141; _ -> 185|]; 1 -> [|1 -> 3; _ -> 170|]; 193 -> [|137 -> 136; _ -> 138|]; 196 -> [|128 -> 127; _ -> 129|]; 198 -> [|118 -> 120; _ -> 121|]; 201 -> [|0 -> 103; 7 -> 94; 28 -> 95; 63 -> 98; 91 -> 90; 93 -> 92; 97 -> 96; 100 -> 99; 102 -> 101; _ -> 104|]; 204 -> [|76 -> 75; _ -> 77|]; 206 -> [|13 -> 66; 22 -> 55; 57 -> 56; 59 -> 58; 61 -> 60; 63 -> 62; 65 -> 64; 68 -> 67; _ -> 69|]; 208 -> [|48 -> 50; _ -> 51|]; 210 -> [|17 -> 35; 22 -> 21; 24 -> 23; 26 -> 25; 28 -> 27; 30 -> 29; 32 -> 31; 34 -> 33; _ -> 36|]; 211 -> [|7 -> 2; 9 -> 8; 11 -> 10; 13 -> 12; 15 -> 14; 17 -> 16; 19 -> 18; _ -> 20|]; _ -> [|; _ -> 186|]|], x1 = 0, v1 = (fun y -> if pure { if y = x then True else False } then v else f y) with f = [| 0 -> 184; 9 -> 176; 26 -> 175; 45 -> 171; 57 -> 174; 97 -> 180; 143 -> 172; 146 -> 182; 148 -> 173; 157 -> 183; 165 -> 177; 168 -> 179; 181 -> 141; _ -> 185|], x = 0, v = 3 Line 56: Property failure at postcondition of `test_map_multidim2` with: x = {contents= (fun y1 -> if pure { if y1 = x1 then True else False } then v1 else f1 y1) with f1 = [|0 -> [|0 -> 184; 9 -> 176; 26 -> 175; 45 -> 171; 57 -> 174; 97 -> 180; 143 -> 172; 146 -> 182; 148 -> 173; 157 -> 183; 165 -> 177; 168 -> 179; 181 -> 141; _ -> 185|]; 1 -> [|1 -> 3; _ -> 170|]; 193 -> [|137 -> 136; _ -> 138|]; 196 -> [|128 -> 127; _ -> 129|]; 198 -> [|118 -> 120; _ -> 121|]; 201 -> [|0 -> 103; 7 -> 94; 28 -> 95; 63 -> 98; 91 -> 90; 93 -> 92; 97 -> 96; 100 -> 99; 102 -> 101; _ -> 104|]; 204 -> [|76 -> 75; _ -> 77|]; 206 -> [|13 -> 66; 22 -> 55; 57 -> 56; 59 -> 58; 61 -> 60; 63 -> 62; 65 -> 64; 68 -> 67; _ -> 69|]; 208 -> [|48 -> 50; _ -> 51|]; 210 -> [|17 -> 35; 22 -> 21; 24 -> 23; 26 -> 25; 28 -> 27; 30 -> 29; 32 -> 31; 34 -> 33; _ -> 36|]; 211 -> [|7 -> 2; 9 -> 8; 11 -> 10; 13 -> 12; 15 -> 14; 17 -> 16; 19 -> 18; _ -> 20|]; _ -> [|; _ -> 186|]|], x1 = 0, v1 = (fun y -> if pure { if y = x then True else False } then v else f y) with f = [| 0 -> 184; 9 -> 176; 26 -> 175; 45 -> 171; 57 -> 174; 97 -> 180; 143 -> 172; 146 -> 182; 148 -> 173; 157 -> 183; 165 -> 177; 168 -> 179; 181 -> 141; _ -> 185|], x = 0, v = 3} Categorizations of models: - Checked model 0: BAD_CE - Concrete RAC: NORMAL - Abstract RAC: STUCK (failure in postcondition of `set` at unknown location) - Selected model 1: NC - Concrete RAC: FAILURE (postcondition at "bench/check-ce/maps_mono.mlw", line 63, characters 14-54) - Abstract RAC: STUCK (failure in postcondition of `set` at unknown location) File "bench/check-ce/maps_mono.mlw", line 63, characters 14-54: Sub-goal Postcondition of goal proj_map_test1'vc. Prover result is: Unknown or time/memory/step limit. The program does not comply to the verification goal, for example during the following execution: File int.mlw: Line 13: Constant zero initialization zero = 0 Line 14: Constant one initialization one = 1 File maps_mono.mlw: Line 62: x = {contents= [|0 -> 12; 1 -> 3; 13 -> 15; 16 -> 18; 19 -> 20; 22 -> 24; 34 -> 35; 36 -> 38; 45 -> 46; 58 -> 60; _ -> 2|]} x = {contents= [|0 -> 12; 1 -> 3; 13 -> 15; 16 -> 18; 19 -> 20; 22 -> 24; 34 -> 35; 36 -> 38; 45 -> 46; 58 -> 60; _ -> 2|]} Execution of main function `proj_map_test1` with env: x = {contents= [|0 -> 12; 1 -> 3; 13 -> 15; 16 -> 18; 19 -> 20; 22 -> 24; 34 -> 35; 36 -> 38; 45 -> 46; 58 -> 60; _ -> 2|]} zero = 0 one = 1 Line 65: Normal execution of function `(!)` with args: r = {contents= [|0 -> 12; 1 -> 3; 13 -> 15; 16 -> 18; 19 -> 20; 22 -> 24; 34 -> 35; 36 -> 38; 45 -> 46; 58 -> 60; _ -> 2|]} File ref.mlw: Line 18: Normal execution of function `contents` with args: arg = {contents= [|0 -> 12; 1 -> 3; 13 -> 15; 16 -> 18; 19 -> 20; 22 -> 24; 34 -> 35; 36 -> 38; 45 -> 46; 58 -> 60; _ -> 2|]} File maps_mono.mlw: Line 65: Normal execution of function `set` with args: f = [|0 -> 12; 1 -> 3; 13 -> 15; 16 -> 18; 19 -> 20; 22 -> 24; 34 -> 35; 36 -> 38; 45 -> 46; 58 -> 60; _ -> 2|] x = 0 v = 3 Normal execution of function `(:=)` with args: r = {contents= [|0 -> 12; 1 -> 3; 13 -> 15; 16 -> 18; 19 -> 20; 22 -> 24; 34 -> 35; 36 -> 38; 45 -> 46; 58 -> 60; _ -> 2|]} v = (fun y -> if pure { if y = x then True else False } then v else f y) with f = [|0 -> 12; 1 -> 3; 13 -> 15; 16 -> 18; 19 -> 20; 22 -> 24; 34 -> 35; 36 -> 38; 45 -> 46; 58 -> 60; _ -> 2|], x = 0, v = 3 Line 63: Property failure at postcondition of `proj_map_test1` with: x = {contents= (fun y -> if pure { if y = x then True else False } then v else f y) with f = [|0 -> 12; 1 -> 3; 13 -> 15; 16 -> 18; 19 -> 20; 22 -> 24; 34 -> 35; 36 -> 38; 45 -> 46; 58 -> 60; _ -> 2|], x = 0, v = 3} Categorizations of models: - Checked model 0: BAD_CE - Concrete RAC: NORMAL - Abstract RAC: STUCK (failure in postcondition of `set2` at unknown location) - Selected model 1: NC - Concrete RAC: FAILURE (postcondition at "bench/check-ce/maps_mono.mlw", line 68, characters 14-56) - Abstract RAC: INCOMPLETE (terminated because Postcondition of `set2` cannot be evaluated) File "bench/check-ce/maps_mono.mlw", line 68, characters 14-56: Sub-goal Postcondition of goal proj_map_test2'vc. Prover result is: Unknown or time/memory/step limit. The program does not comply to the verification goal, for example during the following execution: File int.mlw: Line 13: Constant zero initialization zero = 0 Line 14: Constant one initialization one = 1 File maps_mono.mlw: Line 67: x = {contents= [|0 -> false; 1 -> true; 2 -> true; 3 -> false; 5 -> false; 6 -> true; 7 -> true; _ -> false|]} x = {contents= [|0 -> false; 1 -> true; 2 -> true; 3 -> false; 5 -> false; 6 -> true; 7 -> true; _ -> false|]} Execution of main function `proj_map_test2` with env: x = {contents= [|0 -> false; 1 -> true; 2 -> true; 3 -> false; 5 -> false; 6 -> true; 7 -> true; _ -> false|]} zero = 0 one = 1 Line 70: Normal execution of function `True` with args: Normal execution of function `(!)` with args: r = {contents= [|0 -> false; 1 -> true; 2 -> true; 3 -> false; 5 -> false; 6 -> true; 7 -> true; _ -> false|]} File ref.mlw: Line 18: Normal execution of function `contents` with args: arg = {contents= [|0 -> false; 1 -> true; 2 -> true; 3 -> false; 5 -> false; 6 -> true; 7 -> true; _ -> false|]} File maps_mono.mlw: Line 70: Normal execution of function `set` with args: f = [|0 -> false; 1 -> true; 2 -> true; 3 -> false; 5 -> false; 6 -> true; 7 -> true; _ -> false|] x = 0 v = true Normal execution of function `(:=)` with args: r = {contents= [|0 -> false; 1 -> true; 2 -> true; 3 -> false; 5 -> false; 6 -> true; 7 -> true; _ -> false|]} v = (fun y2 -> if pure { if y2 = x2 then True else False } then v2 else f2 y2) with f2 = [|0 -> false; 1 -> true; 2 -> true; 3 -> false; 5 -> false; 6 -> true; 7 -> true; _ -> false|], x2 = 0, v2 = true Line 68: Property failure at postcondition of `proj_map_test2` with: x = {contents= (fun y2 -> if pure { if y2 = x2 then True else False } then v2 else f2 y2) with f2 = [|0 -> false; 1 -> true; 2 -> true; 3 -> false; 5 -> false; 6 -> true; 7 -> true; _ -> false|], x2 = 0, v2 = true} Categorizations of models: - Checked model 0: BAD_CE - Concrete RAC: NORMAL - Abstract RAC: NORMAL - Selected model 1: NC - Concrete RAC: FAILURE (postcondition at "bench/check-ce/maps_mono.mlw", line 79, characters 3-31) - Abstract RAC: FAILURE (postcondition at "bench/check-ce/maps_mono.mlw", line 79, characters 3-31) File "bench/check-ce/maps_mono.mlw", line 79, characters 3-31: Goal t1. Prover result is: Unknown or time/memory/step limit. The program does not comply to the verification goal, for example during the following execution: File maps_mono.mlw: Line 78: t = [|0 -> 2; 4 -> 5; _ -> 2|] i = 0 t = [|0 -> 2; 4 -> 5; _ -> 2|] i = 0 Execution of main function `t1'goal` with env: i = 0 t = [|0 -> 2; 4 -> 5; _ -> 2|] Unknown location: Normal execution of function `Tuple0` with args: File maps_mono.mlw: Line 79: Property failure at postcondition of `t1'goal1` with: i = 0 t = [|0 -> 2; 4 -> 5; _ -> 2|] why3-1.6.0/bench/check-ce/oracles/maps_mono_Z3,4.8.10_WP.oracle000066400000000000000000001005331440160026300234450ustar00rootroot00000000000000Categorizations of models: - Checked model 0: BAD_CE - Concrete RAC: NORMAL - Abstract RAC: STUCK (failure in postcondition of `set` at unknown location) - Selected model 1: NC - Concrete RAC: FAILURE (postcondition at "bench/check-ce/maps_mono.mlw", line 45, characters 14-54) - Abstract RAC: STUCK (failure in postcondition of `set` at unknown location) File "bench/check-ce/maps_mono.mlw", line 45, characters 14-54: Sub-goal Postcondition of goal test_map'vc. Prover result is: Unknown or time/memory/step limit. The program does not comply to the verification goal, for example during the following execution: File int.mlw: Line 13: Constant zero initialization zero = 0 Line 14: Constant one initialization one = 1 File maps_mono.mlw: Line 44: x = {contents= [|0 -> 12; 1 -> 3; 13 -> 15; 16 -> 18; 19 -> 20; 22 -> 24; 34 -> 35; 36 -> 38; 45 -> 46; 58 -> 60; _ -> 2|]} x = {contents= [|0 -> 12; 1 -> 3; 13 -> 15; 16 -> 18; 19 -> 20; 22 -> 24; 34 -> 35; 36 -> 38; 45 -> 46; 58 -> 60; _ -> 2|]} Execution of main function `test_map` with env: x = {contents= [|0 -> 12; 1 -> 3; 13 -> 15; 16 -> 18; 19 -> 20; 22 -> 24; 34 -> 35; 36 -> 38; 45 -> 46; 58 -> 60; _ -> 2|]} zero = 0 one = 1 Line 47: Normal execution of function `(!)` with args: r = {contents= [|0 -> 12; 1 -> 3; 13 -> 15; 16 -> 18; 19 -> 20; 22 -> 24; 34 -> 35; 36 -> 38; 45 -> 46; 58 -> 60; _ -> 2|]} File ref.mlw: Line 18: Normal execution of function `contents` with args: arg = {contents= [|0 -> 12; 1 -> 3; 13 -> 15; 16 -> 18; 19 -> 20; 22 -> 24; 34 -> 35; 36 -> 38; 45 -> 46; 58 -> 60; _ -> 2|]} File maps_mono.mlw: Line 47: Normal execution of function `set` with args: f = [|0 -> 12; 1 -> 3; 13 -> 15; 16 -> 18; 19 -> 20; 22 -> 24; 34 -> 35; 36 -> 38; 45 -> 46; 58 -> 60; _ -> 2|] x = 0 v = 3 Normal execution of function `(:=)` with args: r = {contents= [|0 -> 12; 1 -> 3; 13 -> 15; 16 -> 18; 19 -> 20; 22 -> 24; 34 -> 35; 36 -> 38; 45 -> 46; 58 -> 60; _ -> 2|]} v = (fun y -> if pure { if y = x then True else False } then v else f y) with f = [|0 -> 12; 1 -> 3; 13 -> 15; 16 -> 18; 19 -> 20; 22 -> 24; 34 -> 35; 36 -> 38; 45 -> 46; 58 -> 60; _ -> 2|], x = 0, v = 3 Line 45: Property failure at postcondition of `test_map` with: x = {contents= (fun y -> if pure { if y = x then True else False } then v else f y) with f = [|0 -> 12; 1 -> 3; 13 -> 15; 16 -> 18; 19 -> 20; 22 -> 24; 34 -> 35; 36 -> 38; 45 -> 46; 58 -> 60; _ -> 2|], x = 0, v = 3} Categorizations of models: - Selected model 0: NC - Concrete RAC: FAILURE (postcondition at "bench/check-ce/maps_mono.mlw", line 51, characters 14-88) - Abstract RAC: INCOMPLETE (terminated because Postcondition of `set1` cannot be evaluated) - Checked model 1: NC - Concrete RAC: FAILURE (postcondition at "bench/check-ce/maps_mono.mlw", line 51, characters 14-88) - Abstract RAC: INCOMPLETE (terminated because Postcondition of `set1` cannot be evaluated) File "bench/check-ce/maps_mono.mlw", line 51, characters 14-88: Sub-goal Postcondition of goal test_map_multidim1'vc. Prover result is: Unknown or time/memory/step limit. The program does not comply to the verification goal, for example during the following execution: File int.mlw: Line 13: Constant zero initialization zero = 0 Line 14: Constant one initialization one = 1 File maps_mono.mlw: Line 50: x = {contents= [|1 -> [|; _ -> 2|]; 3 -> [|4 -> 5; _ -> 5|]; _ -> [|4 -> 5; _ -> 5|]|]} x = {contents= [|1 -> [|; _ -> 2|]; 3 -> [|4 -> 5; _ -> 5|]; _ -> [|4 -> 5; _ -> 5|]|]} Execution of main function `test_map_multidim1` with env: x = {contents= [|1 -> [|; _ -> 2|]; 3 -> [|4 -> 5; _ -> 5|]; _ -> [|4 -> 5; _ -> 5|]|]} zero = 0 one = 1 Line 53: Normal execution of function `(!)` with args: r = {contents= [|1 -> [|; _ -> 2|]; 3 -> [|4 -> 5; _ -> 5|]; _ -> [|4 -> 5; _ -> 5|]|]} File ref.mlw: Line 18: Normal execution of function `contents` with args: arg = {contents= [|1 -> [|; _ -> 2|]; 3 -> [|4 -> 5; _ -> 5|]; _ -> [|4 -> 5; _ -> 5|]|]} File maps_mono.mlw: Line 53: Normal execution of function `get` with args: f = [|1 -> [|; _ -> 2|]; 3 -> [|4 -> 5; _ -> 5|]; _ -> [|4 -> 5; _ -> 5|]|] x = 1 Line 29: Normal execution of function `(@)` with args: u = [|1 -> [|; _ -> 2|]; 3 -> [|4 -> 5; _ -> 5|]; _ -> [|4 -> 5; _ -> 5|]|] u = 1 Line 53: Normal execution of function `(!)` with args: r = {contents= [|1 -> [|; _ -> 2|]; 3 -> [|4 -> 5; _ -> 5|]; _ -> [|4 -> 5; _ -> 5|]|]} File ref.mlw: Line 18: Normal execution of function `contents` with args: arg = {contents= [|1 -> [|; _ -> 2|]; 3 -> [|4 -> 5; _ -> 5|]; _ -> [|4 -> 5; _ -> 5|]|]} File maps_mono.mlw: Line 53: Normal execution of function `set` with args: f = [|1 -> [|; _ -> 2|]; 3 -> [|4 -> 5; _ -> 5|]; _ -> [|4 -> 5; _ -> 5|]|] x = 0 v = [|; _ -> 2|] Normal execution of function `(:=)` with args: r = {contents= [|1 -> [|; _ -> 2|]; 3 -> [|4 -> 5; _ -> 5|]; _ -> [|4 -> 5; _ -> 5|]|]} v = (fun y1 -> if pure { if y1 = x1 then True else False } then v1 else f1 y1) with f1 = [|1 -> [|; _ -> 2|]; 3 -> [|4 -> 5; _ -> 5|]; _ -> [|4 -> 5; _ -> 5|]|], x1 = 0, v1 = [|; _ -> 2|] Line 51: Property failure at postcondition of `test_map_multidim1` with: x = {contents= (fun y1 -> if pure { if y1 = x1 then True else False } then v1 else f1 y1) with f1 = [|1 -> [|; _ -> 2|]; 3 -> [|4 -> 5; _ -> 5|]; _ -> [|4 -> 5; _ -> 5|]|], x1 = 0, v1 = [|; _ -> 2|]} Categorizations of models: - Checked model 0: BAD_CE - Concrete RAC: NORMAL - Abstract RAC: STUCK (failure in postcondition of `set` at unknown location) - Selected model 1: NC - Concrete RAC: FAILURE (postcondition at "bench/check-ce/maps_mono.mlw", line 56, characters 14-88) - Abstract RAC: INCOMPLETE (terminated because Postcondition of `set` cannot be evaluated) File "bench/check-ce/maps_mono.mlw", line 56, characters 14-88: Sub-goal Postcondition of goal test_map_multidim2'vc. Prover result is: Unknown or time/memory/step limit. The program does not comply to the verification goal, for example during the following execution: File int.mlw: Line 13: Constant zero initialization zero = 0 Line 14: Constant one initialization one = 1 File maps_mono.mlw: Line 55: x = {contents= [|0 -> [|0 -> 184; 9 -> 176; 26 -> 175; 45 -> 171; 57 -> 174; 97 -> 180; 143 -> 172; 146 -> 182; 148 -> 173; 157 -> 183; 165 -> 177; 168 -> 179; 181 -> 141; _ -> 185|]; 1 -> [|1 -> 3; _ -> 170|]; 193 -> [|137 -> 136; _ -> 138|]; 196 -> [|128 -> 127; _ -> 129|]; 198 -> [|118 -> 120; _ -> 121|]; 201 -> [|0 -> 103; 7 -> 94; 28 -> 95; 63 -> 98; 91 -> 90; 93 -> 92; 97 -> 96; 100 -> 99; 102 -> 101; _ -> 104|]; 204 -> [|76 -> 75; _ -> 77|]; 206 -> [|13 -> 66; 22 -> 55; 57 -> 56; 59 -> 58; 61 -> 60; 63 -> 62; 65 -> 64; 68 -> 67; _ -> 69|]; 208 -> [|48 -> 50; _ -> 51|]; 210 -> [|17 -> 35; 22 -> 21; 24 -> 23; 26 -> 25; 28 -> 27; 30 -> 29; 32 -> 31; 34 -> 33; _ -> 36|]; 211 -> [|7 -> 2; 9 -> 8; 11 -> 10; 13 -> 12; 15 -> 14; 17 -> 16; 19 -> 18; _ -> 20|]; _ -> [|; _ -> 186|]|]} x = {contents= [|0 -> [|0 -> 184; 9 -> 176; 26 -> 175; 45 -> 171; 57 -> 174; 97 -> 180; 143 -> 172; 146 -> 182; 148 -> 173; 157 -> 183; 165 -> 177; 168 -> 179; 181 -> 141; _ -> 185|]; 1 -> [|1 -> 3; _ -> 170|]; 193 -> [|137 -> 136; _ -> 138|]; 196 -> [|128 -> 127; _ -> 129|]; 198 -> [|118 -> 120; _ -> 121|]; 201 -> [|0 -> 103; 7 -> 94; 28 -> 95; 63 -> 98; 91 -> 90; 93 -> 92; 97 -> 96; 100 -> 99; 102 -> 101; _ -> 104|]; 204 -> [|76 -> 75; _ -> 77|]; 206 -> [|13 -> 66; 22 -> 55; 57 -> 56; 59 -> 58; 61 -> 60; 63 -> 62; 65 -> 64; 68 -> 67; _ -> 69|]; 208 -> [|48 -> 50; _ -> 51|]; 210 -> [|17 -> 35; 22 -> 21; 24 -> 23; 26 -> 25; 28 -> 27; 30 -> 29; 32 -> 31; 34 -> 33; _ -> 36|]; 211 -> [|7 -> 2; 9 -> 8; 11 -> 10; 13 -> 12; 15 -> 14; 17 -> 16; 19 -> 18; _ -> 20|]; _ -> [|; _ -> 186|]|]} Execution of main function `test_map_multidim2` with env: x = {contents= [|0 -> [|0 -> 184; 9 -> 176; 26 -> 175; 45 -> 171; 57 -> 174; 97 -> 180; 143 -> 172; 146 -> 182; 148 -> 173; 157 -> 183; 165 -> 177; 168 -> 179; 181 -> 141; _ -> 185|]; 1 -> [|1 -> 3; _ -> 170|]; 193 -> [|137 -> 136; _ -> 138|]; 196 -> [|128 -> 127; _ -> 129|]; 198 -> [|118 -> 120; _ -> 121|]; 201 -> [|0 -> 103; 7 -> 94; 28 -> 95; 63 -> 98; 91 -> 90; 93 -> 92; 97 -> 96; 100 -> 99; 102 -> 101; _ -> 104|]; 204 -> [|76 -> 75; _ -> 77|]; 206 -> [|13 -> 66; 22 -> 55; 57 -> 56; 59 -> 58; 61 -> 60; 63 -> 62; 65 -> 64; 68 -> 67; _ -> 69|]; 208 -> [|48 -> 50; _ -> 51|]; 210 -> [|17 -> 35; 22 -> 21; 24 -> 23; 26 -> 25; 28 -> 27; 30 -> 29; 32 -> 31; 34 -> 33; _ -> 36|]; 211 -> [|7 -> 2; 9 -> 8; 11 -> 10; 13 -> 12; 15 -> 14; 17 -> 16; 19 -> 18; _ -> 20|]; _ -> [|; _ -> 186|]|]} zero = 0 one = 1 Line 58: Normal execution of function `(!)` with args: r = {contents= [|0 -> [|0 -> 184; 9 -> 176; 26 -> 175; 45 -> 171; 57 -> 174; 97 -> 180; 143 -> 172; 146 -> 182; 148 -> 173; 157 -> 183; 165 -> 177; 168 -> 179; 181 -> 141; _ -> 185|]; 1 -> [|1 -> 3; _ -> 170|]; 193 -> [|137 -> 136; _ -> 138|]; 196 -> [|128 -> 127; _ -> 129|]; 198 -> [|118 -> 120; _ -> 121|]; 201 -> [|0 -> 103; 7 -> 94; 28 -> 95; 63 -> 98; 91 -> 90; 93 -> 92; 97 -> 96; 100 -> 99; 102 -> 101; _ -> 104|]; 204 -> [|76 -> 75; _ -> 77|]; 206 -> [|13 -> 66; 22 -> 55; 57 -> 56; 59 -> 58; 61 -> 60; 63 -> 62; 65 -> 64; 68 -> 67; _ -> 69|]; 208 -> [|48 -> 50; _ -> 51|]; 210 -> [|17 -> 35; 22 -> 21; 24 -> 23; 26 -> 25; 28 -> 27; 30 -> 29; 32 -> 31; 34 -> 33; _ -> 36|]; 211 -> [|7 -> 2; 9 -> 8; 11 -> 10; 13 -> 12; 15 -> 14; 17 -> 16; 19 -> 18; _ -> 20|]; _ -> [|; _ -> 186|]|]} File ref.mlw: Line 18: Normal execution of function `contents` with args: arg = {contents= [|0 -> [|0 -> 184; 9 -> 176; 26 -> 175; 45 -> 171; 57 -> 174; 97 -> 180; 143 -> 172; 146 -> 182; 148 -> 173; 157 -> 183; 165 -> 177; 168 -> 179; 181 -> 141; _ -> 185|]; 1 -> [|1 -> 3; _ -> 170|]; 193 -> [|137 -> 136; _ -> 138|]; 196 -> [|128 -> 127; _ -> 129|]; 198 -> [|118 -> 120; _ -> 121|]; 201 -> [|0 -> 103; 7 -> 94; 28 -> 95; 63 -> 98; 91 -> 90; 93 -> 92; 97 -> 96; 100 -> 99; 102 -> 101; _ -> 104|]; 204 -> [|76 -> 75; _ -> 77|]; 206 -> [|13 -> 66; 22 -> 55; 57 -> 56; 59 -> 58; 61 -> 60; 63 -> 62; 65 -> 64; 68 -> 67; _ -> 69|]; 208 -> [|48 -> 50; _ -> 51|]; 210 -> [|17 -> 35; 22 -> 21; 24 -> 23; 26 -> 25; 28 -> 27; 30 -> 29; 32 -> 31; 34 -> 33; _ -> 36|]; 211 -> [|7 -> 2; 9 -> 8; 11 -> 10; 13 -> 12; 15 -> 14; 17 -> 16; 19 -> 18; _ -> 20|]; _ -> [|; _ -> 186|]|]} File maps_mono.mlw: Line 58: Normal execution of function `get` with args: f = [|0 -> [|0 -> 184; 9 -> 176; 26 -> 175; 45 -> 171; 57 -> 174; 97 -> 180; 143 -> 172; 146 -> 182; 148 -> 173; 157 -> 183; 165 -> 177; 168 -> 179; 181 -> 141; _ -> 185|]; 1 -> [|1 -> 3; _ -> 170|]; 193 -> [|137 -> 136; _ -> 138|]; 196 -> [|128 -> 127; _ -> 129|]; 198 -> [|118 -> 120; _ -> 121|]; 201 -> [|0 -> 103; 7 -> 94; 28 -> 95; 63 -> 98; 91 -> 90; 93 -> 92; 97 -> 96; 100 -> 99; 102 -> 101; _ -> 104|]; 204 -> [|76 -> 75; _ -> 77|]; 206 -> [|13 -> 66; 22 -> 55; 57 -> 56; 59 -> 58; 61 -> 60; 63 -> 62; 65 -> 64; 68 -> 67; _ -> 69|]; 208 -> [|48 -> 50; _ -> 51|]; 210 -> [|17 -> 35; 22 -> 21; 24 -> 23; 26 -> 25; 28 -> 27; 30 -> 29; 32 -> 31; 34 -> 33; _ -> 36|]; 211 -> [|7 -> 2; 9 -> 8; 11 -> 10; 13 -> 12; 15 -> 14; 17 -> 16; 19 -> 18; _ -> 20|]; _ -> [|; _ -> 186|]|] x = 0 Line 29: Normal execution of function `(@)` with args: u = [|0 -> [|0 -> 184; 9 -> 176; 26 -> 175; 45 -> 171; 57 -> 174; 97 -> 180; 143 -> 172; 146 -> 182; 148 -> 173; 157 -> 183; 165 -> 177; 168 -> 179; 181 -> 141; _ -> 185|]; 1 -> [|1 -> 3; _ -> 170|]; 193 -> [|137 -> 136; _ -> 138|]; 196 -> [|128 -> 127; _ -> 129|]; 198 -> [|118 -> 120; _ -> 121|]; 201 -> [|0 -> 103; 7 -> 94; 28 -> 95; 63 -> 98; 91 -> 90; 93 -> 92; 97 -> 96; 100 -> 99; 102 -> 101; _ -> 104|]; 204 -> [|76 -> 75; _ -> 77|]; 206 -> [|13 -> 66; 22 -> 55; 57 -> 56; 59 -> 58; 61 -> 60; 63 -> 62; 65 -> 64; 68 -> 67; _ -> 69|]; 208 -> [|48 -> 50; _ -> 51|]; 210 -> [|17 -> 35; 22 -> 21; 24 -> 23; 26 -> 25; 28 -> 27; 30 -> 29; 32 -> 31; 34 -> 33; _ -> 36|]; 211 -> [|7 -> 2; 9 -> 8; 11 -> 10; 13 -> 12; 15 -> 14; 17 -> 16; 19 -> 18; _ -> 20|]; _ -> [|; _ -> 186|]|] u = 0 Line 59: Normal execution of function `set` with args: f = [|0 -> 184; 9 -> 176; 26 -> 175; 45 -> 171; 57 -> 174; 97 -> 180; 143 -> 172; 146 -> 182; 148 -> 173; 157 -> 183; 165 -> 177; 168 -> 179; 181 -> 141; _ -> 185|] x = 0 v = 3 Line 60: Normal execution of function `(!)` with args: r = {contents= [|0 -> [|0 -> 184; 9 -> 176; 26 -> 175; 45 -> 171; 57 -> 174; 97 -> 180; 143 -> 172; 146 -> 182; 148 -> 173; 157 -> 183; 165 -> 177; 168 -> 179; 181 -> 141; _ -> 185|]; 1 -> [|1 -> 3; _ -> 170|]; 193 -> [|137 -> 136; _ -> 138|]; 196 -> [|128 -> 127; _ -> 129|]; 198 -> [|118 -> 120; _ -> 121|]; 201 -> [|0 -> 103; 7 -> 94; 28 -> 95; 63 -> 98; 91 -> 90; 93 -> 92; 97 -> 96; 100 -> 99; 102 -> 101; _ -> 104|]; 204 -> [|76 -> 75; _ -> 77|]; 206 -> [|13 -> 66; 22 -> 55; 57 -> 56; 59 -> 58; 61 -> 60; 63 -> 62; 65 -> 64; 68 -> 67; _ -> 69|]; 208 -> [|48 -> 50; _ -> 51|]; 210 -> [|17 -> 35; 22 -> 21; 24 -> 23; 26 -> 25; 28 -> 27; 30 -> 29; 32 -> 31; 34 -> 33; _ -> 36|]; 211 -> [|7 -> 2; 9 -> 8; 11 -> 10; 13 -> 12; 15 -> 14; 17 -> 16; 19 -> 18; _ -> 20|]; _ -> [|; _ -> 186|]|]} File ref.mlw: Line 18: Normal execution of function `contents` with args: arg = {contents= [|0 -> [|0 -> 184; 9 -> 176; 26 -> 175; 45 -> 171; 57 -> 174; 97 -> 180; 143 -> 172; 146 -> 182; 148 -> 173; 157 -> 183; 165 -> 177; 168 -> 179; 181 -> 141; _ -> 185|]; 1 -> [|1 -> 3; _ -> 170|]; 193 -> [|137 -> 136; _ -> 138|]; 196 -> [|128 -> 127; _ -> 129|]; 198 -> [|118 -> 120; _ -> 121|]; 201 -> [|0 -> 103; 7 -> 94; 28 -> 95; 63 -> 98; 91 -> 90; 93 -> 92; 97 -> 96; 100 -> 99; 102 -> 101; _ -> 104|]; 204 -> [|76 -> 75; _ -> 77|]; 206 -> [|13 -> 66; 22 -> 55; 57 -> 56; 59 -> 58; 61 -> 60; 63 -> 62; 65 -> 64; 68 -> 67; _ -> 69|]; 208 -> [|48 -> 50; _ -> 51|]; 210 -> [|17 -> 35; 22 -> 21; 24 -> 23; 26 -> 25; 28 -> 27; 30 -> 29; 32 -> 31; 34 -> 33; _ -> 36|]; 211 -> [|7 -> 2; 9 -> 8; 11 -> 10; 13 -> 12; 15 -> 14; 17 -> 16; 19 -> 18; _ -> 20|]; _ -> [|; _ -> 186|]|]} File maps_mono.mlw: Line 60: Normal execution of function `set` with args: f = [|0 -> [|0 -> 184; 9 -> 176; 26 -> 175; 45 -> 171; 57 -> 174; 97 -> 180; 143 -> 172; 146 -> 182; 148 -> 173; 157 -> 183; 165 -> 177; 168 -> 179; 181 -> 141; _ -> 185|]; 1 -> [|1 -> 3; _ -> 170|]; 193 -> [|137 -> 136; _ -> 138|]; 196 -> [|128 -> 127; _ -> 129|]; 198 -> [|118 -> 120; _ -> 121|]; 201 -> [|0 -> 103; 7 -> 94; 28 -> 95; 63 -> 98; 91 -> 90; 93 -> 92; 97 -> 96; 100 -> 99; 102 -> 101; _ -> 104|]; 204 -> [|76 -> 75; _ -> 77|]; 206 -> [|13 -> 66; 22 -> 55; 57 -> 56; 59 -> 58; 61 -> 60; 63 -> 62; 65 -> 64; 68 -> 67; _ -> 69|]; 208 -> [|48 -> 50; _ -> 51|]; 210 -> [|17 -> 35; 22 -> 21; 24 -> 23; 26 -> 25; 28 -> 27; 30 -> 29; 32 -> 31; 34 -> 33; _ -> 36|]; 211 -> [|7 -> 2; 9 -> 8; 11 -> 10; 13 -> 12; 15 -> 14; 17 -> 16; 19 -> 18; _ -> 20|]; _ -> [|; _ -> 186|]|] x = 0 v = (fun y -> if pure { if y = x then True else False } then v else f y) with f = [|0 -> 184; 9 -> 176; 26 -> 175; 45 -> 171; 57 -> 174; 97 -> 180; 143 -> 172; 146 -> 182; 148 -> 173; 157 -> 183; 165 -> 177; 168 -> 179; 181 -> 141; _ -> 185|], x = 0, v = 3 Normal execution of function `(:=)` with args: r = {contents= [|0 -> [|0 -> 184; 9 -> 176; 26 -> 175; 45 -> 171; 57 -> 174; 97 -> 180; 143 -> 172; 146 -> 182; 148 -> 173; 157 -> 183; 165 -> 177; 168 -> 179; 181 -> 141; _ -> 185|]; 1 -> [|1 -> 3; _ -> 170|]; 193 -> [|137 -> 136; _ -> 138|]; 196 -> [|128 -> 127; _ -> 129|]; 198 -> [|118 -> 120; _ -> 121|]; 201 -> [|0 -> 103; 7 -> 94; 28 -> 95; 63 -> 98; 91 -> 90; 93 -> 92; 97 -> 96; 100 -> 99; 102 -> 101; _ -> 104|]; 204 -> [|76 -> 75; _ -> 77|]; 206 -> [|13 -> 66; 22 -> 55; 57 -> 56; 59 -> 58; 61 -> 60; 63 -> 62; 65 -> 64; 68 -> 67; _ -> 69|]; 208 -> [|48 -> 50; _ -> 51|]; 210 -> [|17 -> 35; 22 -> 21; 24 -> 23; 26 -> 25; 28 -> 27; 30 -> 29; 32 -> 31; 34 -> 33; _ -> 36|]; 211 -> [|7 -> 2; 9 -> 8; 11 -> 10; 13 -> 12; 15 -> 14; 17 -> 16; 19 -> 18; _ -> 20|]; _ -> [|; _ -> 186|]|]} v = (fun y1 -> if pure { if y1 = x1 then True else False } then v1 else f1 y1) with f1 = [|0 -> [|0 -> 184; 9 -> 176; 26 -> 175; 45 -> 171; 57 -> 174; 97 -> 180; 143 -> 172; 146 -> 182; 148 -> 173; 157 -> 183; 165 -> 177; 168 -> 179; 181 -> 141; _ -> 185|]; 1 -> [|1 -> 3; _ -> 170|]; 193 -> [|137 -> 136; _ -> 138|]; 196 -> [|128 -> 127; _ -> 129|]; 198 -> [|118 -> 120; _ -> 121|]; 201 -> [|0 -> 103; 7 -> 94; 28 -> 95; 63 -> 98; 91 -> 90; 93 -> 92; 97 -> 96; 100 -> 99; 102 -> 101; _ -> 104|]; 204 -> [|76 -> 75; _ -> 77|]; 206 -> [|13 -> 66; 22 -> 55; 57 -> 56; 59 -> 58; 61 -> 60; 63 -> 62; 65 -> 64; 68 -> 67; _ -> 69|]; 208 -> [|48 -> 50; _ -> 51|]; 210 -> [|17 -> 35; 22 -> 21; 24 -> 23; 26 -> 25; 28 -> 27; 30 -> 29; 32 -> 31; 34 -> 33; _ -> 36|]; 211 -> [|7 -> 2; 9 -> 8; 11 -> 10; 13 -> 12; 15 -> 14; 17 -> 16; 19 -> 18; _ -> 20|]; _ -> [|; _ -> 186|]|], x1 = 0, v1 = (fun y -> if pure { if y = x then True else False } then v else f y) with f = [| 0 -> 184; 9 -> 176; 26 -> 175; 45 -> 171; 57 -> 174; 97 -> 180; 143 -> 172; 146 -> 182; 148 -> 173; 157 -> 183; 165 -> 177; 168 -> 179; 181 -> 141; _ -> 185|], x = 0, v = 3 Line 56: Property failure at postcondition of `test_map_multidim2` with: x = {contents= (fun y1 -> if pure { if y1 = x1 then True else False } then v1 else f1 y1) with f1 = [|0 -> [|0 -> 184; 9 -> 176; 26 -> 175; 45 -> 171; 57 -> 174; 97 -> 180; 143 -> 172; 146 -> 182; 148 -> 173; 157 -> 183; 165 -> 177; 168 -> 179; 181 -> 141; _ -> 185|]; 1 -> [|1 -> 3; _ -> 170|]; 193 -> [|137 -> 136; _ -> 138|]; 196 -> [|128 -> 127; _ -> 129|]; 198 -> [|118 -> 120; _ -> 121|]; 201 -> [|0 -> 103; 7 -> 94; 28 -> 95; 63 -> 98; 91 -> 90; 93 -> 92; 97 -> 96; 100 -> 99; 102 -> 101; _ -> 104|]; 204 -> [|76 -> 75; _ -> 77|]; 206 -> [|13 -> 66; 22 -> 55; 57 -> 56; 59 -> 58; 61 -> 60; 63 -> 62; 65 -> 64; 68 -> 67; _ -> 69|]; 208 -> [|48 -> 50; _ -> 51|]; 210 -> [|17 -> 35; 22 -> 21; 24 -> 23; 26 -> 25; 28 -> 27; 30 -> 29; 32 -> 31; 34 -> 33; _ -> 36|]; 211 -> [|7 -> 2; 9 -> 8; 11 -> 10; 13 -> 12; 15 -> 14; 17 -> 16; 19 -> 18; _ -> 20|]; _ -> [|; _ -> 186|]|], x1 = 0, v1 = (fun y -> if pure { if y = x then True else False } then v else f y) with f = [| 0 -> 184; 9 -> 176; 26 -> 175; 45 -> 171; 57 -> 174; 97 -> 180; 143 -> 172; 146 -> 182; 148 -> 173; 157 -> 183; 165 -> 177; 168 -> 179; 181 -> 141; _ -> 185|], x = 0, v = 3} Categorizations of models: - Checked model 0: BAD_CE - Concrete RAC: NORMAL - Abstract RAC: STUCK (failure in postcondition of `set` at unknown location) - Selected model 1: NC - Concrete RAC: FAILURE (postcondition at "bench/check-ce/maps_mono.mlw", line 63, characters 14-54) - Abstract RAC: STUCK (failure in postcondition of `set` at unknown location) File "bench/check-ce/maps_mono.mlw", line 63, characters 14-54: Sub-goal Postcondition of goal proj_map_test1'vc. Prover result is: Unknown or time/memory/step limit. The program does not comply to the verification goal, for example during the following execution: File int.mlw: Line 13: Constant zero initialization zero = 0 Line 14: Constant one initialization one = 1 File maps_mono.mlw: Line 62: x = {contents= [|0 -> 12; 1 -> 3; 13 -> 15; 16 -> 18; 19 -> 20; 22 -> 24; 34 -> 35; 36 -> 38; 45 -> 46; 58 -> 60; _ -> 2|]} x = {contents= [|0 -> 12; 1 -> 3; 13 -> 15; 16 -> 18; 19 -> 20; 22 -> 24; 34 -> 35; 36 -> 38; 45 -> 46; 58 -> 60; _ -> 2|]} Execution of main function `proj_map_test1` with env: x = {contents= [|0 -> 12; 1 -> 3; 13 -> 15; 16 -> 18; 19 -> 20; 22 -> 24; 34 -> 35; 36 -> 38; 45 -> 46; 58 -> 60; _ -> 2|]} zero = 0 one = 1 Line 65: Normal execution of function `(!)` with args: r = {contents= [|0 -> 12; 1 -> 3; 13 -> 15; 16 -> 18; 19 -> 20; 22 -> 24; 34 -> 35; 36 -> 38; 45 -> 46; 58 -> 60; _ -> 2|]} File ref.mlw: Line 18: Normal execution of function `contents` with args: arg = {contents= [|0 -> 12; 1 -> 3; 13 -> 15; 16 -> 18; 19 -> 20; 22 -> 24; 34 -> 35; 36 -> 38; 45 -> 46; 58 -> 60; _ -> 2|]} File maps_mono.mlw: Line 65: Normal execution of function `set` with args: f = [|0 -> 12; 1 -> 3; 13 -> 15; 16 -> 18; 19 -> 20; 22 -> 24; 34 -> 35; 36 -> 38; 45 -> 46; 58 -> 60; _ -> 2|] x = 0 v = 3 Normal execution of function `(:=)` with args: r = {contents= [|0 -> 12; 1 -> 3; 13 -> 15; 16 -> 18; 19 -> 20; 22 -> 24; 34 -> 35; 36 -> 38; 45 -> 46; 58 -> 60; _ -> 2|]} v = (fun y -> if pure { if y = x then True else False } then v else f y) with f = [|0 -> 12; 1 -> 3; 13 -> 15; 16 -> 18; 19 -> 20; 22 -> 24; 34 -> 35; 36 -> 38; 45 -> 46; 58 -> 60; _ -> 2|], x = 0, v = 3 Line 63: Property failure at postcondition of `proj_map_test1` with: x = {contents= (fun y -> if pure { if y = x then True else False } then v else f y) with f = [|0 -> 12; 1 -> 3; 13 -> 15; 16 -> 18; 19 -> 20; 22 -> 24; 34 -> 35; 36 -> 38; 45 -> 46; 58 -> 60; _ -> 2|], x = 0, v = 3} Categorizations of models: - Checked model 0: BAD_CE - Concrete RAC: NORMAL - Abstract RAC: STUCK (failure in postcondition of `set2` at unknown location) - Selected model 1: NC - Concrete RAC: FAILURE (postcondition at "bench/check-ce/maps_mono.mlw", line 68, characters 14-56) - Abstract RAC: INCOMPLETE (terminated because Postcondition of `set2` cannot be evaluated) File "bench/check-ce/maps_mono.mlw", line 68, characters 14-56: Sub-goal Postcondition of goal proj_map_test2'vc. Prover result is: Unknown or time/memory/step limit. The program does not comply to the verification goal, for example during the following execution: File int.mlw: Line 13: Constant zero initialization zero = 0 Line 14: Constant one initialization one = 1 File maps_mono.mlw: Line 67: x = {contents= [|0 -> false; 1 -> true; 2 -> true; 3 -> false; 5 -> false; 6 -> true; 7 -> true; _ -> false|]} x = {contents= [|0 -> false; 1 -> true; 2 -> true; 3 -> false; 5 -> false; 6 -> true; 7 -> true; _ -> false|]} Execution of main function `proj_map_test2` with env: x = {contents= [|0 -> false; 1 -> true; 2 -> true; 3 -> false; 5 -> false; 6 -> true; 7 -> true; _ -> false|]} zero = 0 one = 1 Line 70: Normal execution of function `True` with args: Normal execution of function `(!)` with args: r = {contents= [|0 -> false; 1 -> true; 2 -> true; 3 -> false; 5 -> false; 6 -> true; 7 -> true; _ -> false|]} File ref.mlw: Line 18: Normal execution of function `contents` with args: arg = {contents= [|0 -> false; 1 -> true; 2 -> true; 3 -> false; 5 -> false; 6 -> true; 7 -> true; _ -> false|]} File maps_mono.mlw: Line 70: Normal execution of function `set` with args: f = [|0 -> false; 1 -> true; 2 -> true; 3 -> false; 5 -> false; 6 -> true; 7 -> true; _ -> false|] x = 0 v = true Normal execution of function `(:=)` with args: r = {contents= [|0 -> false; 1 -> true; 2 -> true; 3 -> false; 5 -> false; 6 -> true; 7 -> true; _ -> false|]} v = (fun y2 -> if pure { if y2 = x2 then True else False } then v2 else f2 y2) with f2 = [|0 -> false; 1 -> true; 2 -> true; 3 -> false; 5 -> false; 6 -> true; 7 -> true; _ -> false|], x2 = 0, v2 = true Line 68: Property failure at postcondition of `proj_map_test2` with: x = {contents= (fun y2 -> if pure { if y2 = x2 then True else False } then v2 else f2 y2) with f2 = [|0 -> false; 1 -> true; 2 -> true; 3 -> false; 5 -> false; 6 -> true; 7 -> true; _ -> false|], x2 = 0, v2 = true} Categorizations of models: - Checked model 0: BAD_CE - Concrete RAC: NORMAL - Abstract RAC: NORMAL - Selected model 1: NC - Concrete RAC: FAILURE (postcondition at "bench/check-ce/maps_mono.mlw", line 79, characters 3-31) - Abstract RAC: FAILURE (postcondition at "bench/check-ce/maps_mono.mlw", line 79, characters 3-31) File "bench/check-ce/maps_mono.mlw", line 79, characters 3-31: Goal t1. Prover result is: Unknown or time/memory/step limit. The program does not comply to the verification goal, for example during the following execution: File maps_mono.mlw: Line 78: t = [|0 -> 2; 4 -> 5; _ -> 2|] i = 0 t = [|0 -> 2; 4 -> 5; _ -> 2|] i = 0 Execution of main function `t1'goal` with env: i = 0 t = [|0 -> 2; 4 -> 5; _ -> 2|] Unknown location: Normal execution of function `Tuple0` with args: File maps_mono.mlw: Line 79: Property failure at postcondition of `t1'goal1` with: i = 0 t = [|0 -> 2; 4 -> 5; _ -> 2|] why3-1.6.0/bench/check-ce/oracles/maps_poly_CVC4,1.8_SP.oracle000066400000000000000000000341711440160026300234410ustar00rootroot00000000000000Categorizations of models: - Selected model 0: NC - Concrete RAC: FAILURE (postcondition at "bench/check-ce/maps_poly.mlw", line 8, characters 14-28) - Abstract RAC: FAILURE (postcondition at "bench/check-ce/maps_poly.mlw", line 8, characters 14-28) - Checked model 1: NC - Concrete RAC: FAILURE (postcondition at "bench/check-ce/maps_poly.mlw", line 8, characters 14-28) - Abstract RAC: FAILURE (postcondition at "bench/check-ce/maps_poly.mlw", line 8, characters 14-28) File "bench/check-ce/maps_poly.mlw", line 8, characters 14-28: Sub-goal Postcondition of goal test_map'vc. Prover result is: Unknown or time/memory/step limit. The program does not comply to the verification goal, for example during the following execution: File int.mlw: Line 13: Constant zero initialization zero = 0 Line 14: Constant one initialization one = 1 File maps_poly.mlw: Line 7: x = {contents= [|1 -> 3; _ -> 0|]} x = {contents= [|1 -> 3; _ -> 0|]} Execution of main function `test_map` with env: x = {contents= [|1 -> 3; _ -> 0|]} zero = 0 one = 1 Line 10: Normal execution of function `(!)` with args: r = {contents= [|1 -> 3; _ -> 0|]} File ref.mlw: Line 18: Normal execution of function `contents` with args: arg = {contents= [|1 -> 3; _ -> 0|]} File maps_poly.mlw: Line 10: Normal execution of function `set` with args: f = [|1 -> 3; _ -> 0|] x = 0 v = 3 Normal execution of function `(:=)` with args: r = {contents= [|1 -> 3; _ -> 0|]} v = (fun y -> if pure { if y = x then True else False } then v else f y) with f = [|1 -> 3; _ -> 0|], x = 0, v = 3 Line 8: Property failure at postcondition of `test_map` with: x = {contents= (fun y -> if pure { if y = x then True else False } then v else f y) with f = [|1 -> 3; _ -> 0|], x = 0, v = 3} Categorizations of models: - Selected model 0: NC - Concrete RAC: FAILURE (postcondition at "bench/check-ce/maps_poly.mlw", line 14, characters 14-34) - Abstract RAC: FAILURE (postcondition at "bench/check-ce/maps_poly.mlw", line 14, characters 14-34) - Checked model 1: NC - Concrete RAC: FAILURE (postcondition at "bench/check-ce/maps_poly.mlw", line 14, characters 14-34) - Abstract RAC: FAILURE (postcondition at "bench/check-ce/maps_poly.mlw", line 14, characters 14-34) File "bench/check-ce/maps_poly.mlw", line 14, characters 14-34: Sub-goal Postcondition of goal test_map_multidim1'vc. Prover result is: Unknown or time/memory/step limit. The program does not comply to the verification goal, for example during the following execution: File int.mlw: Line 13: Constant zero initialization zero = 0 Line 14: Constant one initialization one = 1 File maps_poly.mlw: Line 13: x = {contents= [|; _ -> [|; _ -> 0|]|]} x = {contents= [|; _ -> [|; _ -> 0|]|]} Execution of main function `test_map_multidim1` with env: x = {contents= [|; _ -> [|; _ -> 0|]|]} zero = 0 one = 1 Line 16: Normal execution of function `(!)` with args: r = {contents= [|; _ -> [|; _ -> 0|]|]} File ref.mlw: Line 18: Normal execution of function `contents` with args: arg = {contents= [|; _ -> [|; _ -> 0|]|]} File maps_poly.mlw: Line 16: Normal execution of function `get` with args: f = [|; _ -> [|; _ -> 0|]|] x = 1 File map.mlw: Line 11: Normal execution of function `(@)` with args: u = [|; _ -> [|; _ -> 0|]|] u = 1 File maps_poly.mlw: Line 16: Normal execution of function `(!)` with args: r = {contents= [|; _ -> [|; _ -> 0|]|]} File ref.mlw: Line 18: Normal execution of function `contents` with args: arg = {contents= [|; _ -> [|; _ -> 0|]|]} File maps_poly.mlw: Line 16: Normal execution of function `set` with args: f = [|; _ -> [|; _ -> 0|]|] x = 0 v = [|; _ -> 0|] Normal execution of function `(:=)` with args: r = {contents= [|; _ -> [|; _ -> 0|]|]} v = (fun y -> if pure { if y = x then True else False } then v else f y) with f = [|; _ -> [|; _ -> 0|]|], x = 0, v = [|; _ -> 0|] Line 14: Property failure at postcondition of `test_map_multidim1` with: x = {contents= (fun y -> if pure { if y = x then True else False } then v else f y) with f = [|; _ -> [|; _ -> 0|]|], x = 0, v = [|; _ -> 0|]} Categorizations of models: - Selected model 0: NC - Concrete RAC: FAILURE (postcondition at "bench/check-ce/maps_poly.mlw", line 19, characters 14-34) - Abstract RAC: FAILURE (postcondition at "bench/check-ce/maps_poly.mlw", line 19, characters 14-34) - Checked model 1: NC - Concrete RAC: FAILURE (postcondition at "bench/check-ce/maps_poly.mlw", line 19, characters 14-34) - Abstract RAC: FAILURE (postcondition at "bench/check-ce/maps_poly.mlw", line 19, characters 14-34) File "bench/check-ce/maps_poly.mlw", line 19, characters 14-34: Sub-goal Postcondition of goal test_map_multidim2'vc. Prover result is: Unknown or time/memory/step limit. The program does not comply to the verification goal, for example during the following execution: File int.mlw: Line 13: Constant zero initialization zero = 0 Line 14: Constant one initialization one = 1 File maps_poly.mlw: Line 18: x = {contents= [|1 -> [|1 -> 3; _ -> 0|]; _ -> [|; _ -> 0|]|]} x = {contents= [|1 -> [|1 -> 3; _ -> 0|]; _ -> [|; _ -> 0|]|]} Execution of main function `test_map_multidim2` with env: x = {contents= [|1 -> [|1 -> 3; _ -> 0|]; _ -> [|; _ -> 0|]|]} zero = 0 one = 1 Line 21: Normal execution of function `(!)` with args: r = {contents= [|1 -> [|1 -> 3; _ -> 0|]; _ -> [|; _ -> 0|]|]} File ref.mlw: Line 18: Normal execution of function `contents` with args: arg = {contents= [|1 -> [|1 -> 3; _ -> 0|]; _ -> [|; _ -> 0|]|]} File maps_poly.mlw: Line 21: Normal execution of function `get` with args: f = [|1 -> [|1 -> 3; _ -> 0|]; _ -> [|; _ -> 0|]|] x = 0 File map.mlw: Line 11: Normal execution of function `(@)` with args: u = [|1 -> [|1 -> 3; _ -> 0|]; _ -> [|; _ -> 0|]|] u = 0 File maps_poly.mlw: Line 22: Normal execution of function `set` with args: f = [|; _ -> 0|] x = 0 v = 3 Line 23: Normal execution of function `(!)` with args: r = {contents= [|1 -> [|1 -> 3; _ -> 0|]; _ -> [|; _ -> 0|]|]} File ref.mlw: Line 18: Normal execution of function `contents` with args: arg = {contents= [|1 -> [|1 -> 3; _ -> 0|]; _ -> [|; _ -> 0|]|]} File maps_poly.mlw: Line 23: Normal execution of function `set` with args: f = [|1 -> [|1 -> 3; _ -> 0|]; _ -> [|; _ -> 0|]|] x = 0 v = (fun y -> if pure { if y = x then True else False } then v else f y) with f = [|; _ -> 0|], x = 0, v = 3 Normal execution of function `(:=)` with args: r = {contents= [|1 -> [|1 -> 3; _ -> 0|]; _ -> [|; _ -> 0|]|]} v = (fun y -> if pure { if y = x then True else False } then v else f y) with f = [|1 -> [|1 -> 3; _ -> 0|]; _ -> [|; _ -> 0|]|], x = 0, v = (fun y -> if pure { if y = x then True else False } then v else f y) with f = [|; _ -> 0|], x = 0, v = 3 Line 19: Property failure at postcondition of `test_map_multidim2` with: x = {contents= (fun y -> if pure { if y = x then True else False } then v else f y) with f = [|1 -> [|1 -> 3; _ -> 0|]; _ -> [|; _ -> 0|]|], x = 0, v = (fun y -> if pure { if y = x then True else False } then v else f y) with f = [|; _ -> 0|], x = 0, v = 3} Categorizations of models: - Selected model 0: NC - Concrete RAC: FAILURE (postcondition at "bench/check-ce/maps_poly.mlw", line 26, characters 14-28) - Abstract RAC: FAILURE (postcondition at "bench/check-ce/maps_poly.mlw", line 26, characters 14-28) - Checked model 1: NC - Concrete RAC: FAILURE (postcondition at "bench/check-ce/maps_poly.mlw", line 26, characters 14-28) - Abstract RAC: FAILURE (postcondition at "bench/check-ce/maps_poly.mlw", line 26, characters 14-28) File "bench/check-ce/maps_poly.mlw", line 26, characters 14-28: Sub-goal Postcondition of goal proj_map_test1'vc. Prover result is: Unknown or time/memory/step limit. The program does not comply to the verification goal, for example during the following execution: File int.mlw: Line 13: Constant zero initialization zero = 0 Line 14: Constant one initialization one = 1 File maps_poly.mlw: Line 25: x = {contents= [|1 -> 3; _ -> 0|]} x = {contents= [|1 -> 3; _ -> 0|]} Execution of main function `proj_map_test1` with env: x = {contents= [|1 -> 3; _ -> 0|]} zero = 0 one = 1 Line 28: Normal execution of function `(!)` with args: r = {contents= [|1 -> 3; _ -> 0|]} File ref.mlw: Line 18: Normal execution of function `contents` with args: arg = {contents= [|1 -> 3; _ -> 0|]} File maps_poly.mlw: Line 28: Normal execution of function `set` with args: f = [|1 -> 3; _ -> 0|] x = 0 v = 3 Normal execution of function `(:=)` with args: r = {contents= [|1 -> 3; _ -> 0|]} v = (fun y -> if pure { if y = x then True else False } then v else f y) with f = [|1 -> 3; _ -> 0|], x = 0, v = 3 Line 26: Property failure at postcondition of `proj_map_test1` with: x = {contents= (fun y -> if pure { if y = x then True else False } then v else f y) with f = [|1 -> 3; _ -> 0|], x = 0, v = 3} Categorizations of models: - Selected model 0: NC - Concrete RAC: FAILURE (postcondition at "bench/check-ce/maps_poly.mlw", line 31, characters 14-28) - Abstract RAC: FAILURE (postcondition at "bench/check-ce/maps_poly.mlw", line 31, characters 14-28) - Checked model 1: NC - Concrete RAC: FAILURE (postcondition at "bench/check-ce/maps_poly.mlw", line 31, characters 14-28) - Abstract RAC: FAILURE (postcondition at "bench/check-ce/maps_poly.mlw", line 31, characters 14-28) File "bench/check-ce/maps_poly.mlw", line 31, characters 14-28: Sub-goal Postcondition of goal proj_map_test2'vc. Prover result is: Unknown or time/memory/step limit. The program does not comply to the verification goal, for example during the following execution: File int.mlw: Line 13: Constant zero initialization zero = 0 Line 14: Constant one initialization one = 1 File maps_poly.mlw: Line 30: x = {contents= [|1 -> true; _ -> false|]} x = {contents= [|1 -> true; _ -> false|]} Execution of main function `proj_map_test2` with env: x = {contents= [|1 -> true; _ -> false|]} zero = 0 one = 1 Line 33: Normal execution of function `True` with args: Normal execution of function `(!)` with args: r = {contents= [|1 -> true; _ -> false|]} File ref.mlw: Line 18: Normal execution of function `contents` with args: arg = {contents= [|1 -> true; _ -> false|]} File maps_poly.mlw: Line 33: Normal execution of function `set` with args: f = [|1 -> true; _ -> false|] x = 0 v = true Normal execution of function `(:=)` with args: r = {contents= [|1 -> true; _ -> false|]} v = (fun y -> if pure { if y = x then True else False } then v else f y) with f = [|1 -> true; _ -> false|], x = 0, v = true Line 31: Property failure at postcondition of `proj_map_test2` with: x = {contents= (fun y -> if pure { if y = x then True else False } then v else f y) with f = [|1 -> true; _ -> false|], x = 0, v = true} Categorizations of models: - Selected model 0: NC - Concrete RAC: FAILURE (postcondition at "bench/check-ce/maps_poly.mlw", line 42, characters 3-31) - Abstract RAC: FAILURE (postcondition at "bench/check-ce/maps_poly.mlw", line 42, characters 3-31) - Checked model 1: NC - Concrete RAC: FAILURE (postcondition at "bench/check-ce/maps_poly.mlw", line 42, characters 3-31) - Abstract RAC: FAILURE (postcondition at "bench/check-ce/maps_poly.mlw", line 42, characters 3-31) File "bench/check-ce/maps_poly.mlw", line 42, characters 3-31: Goal t1. Prover result is: Unknown (sat). The program does not comply to the verification goal, for example during the following execution: File maps_poly.mlw: Line 41: t = [|0 -> 43; _ -> 0|] i = 0 t = [|0 -> 43; _ -> 0|] i = 0 Execution of main function `t1'goal` with env: i = 0 t = [|0 -> 43; _ -> 0|] Unknown location: Normal execution of function `Tuple0` with args: File maps_poly.mlw: Line 42: Property failure at postcondition of `t1'goal` with: i = 0 t = [|0 -> 43; _ -> 0|] Categorizations of models: - Checked model 0: INCOMPLETE - Concrete RAC: INCOMPLETE (terminated because cannot import value from model: not implemented for value 1/10) - Abstract RAC: INCOMPLETE (terminated because cannot import value from model: not implemented for value 1/10) - Selected model 1: INCOMPLETE - Concrete RAC: INCOMPLETE (terminated because cannot import value from model: not implemented for value 1/10) - Abstract RAC: INCOMPLETE (terminated because cannot import value from model: not implemented for value 1/10) File "bench/check-ce/maps_poly.mlw", line 50, characters 36-64: Goal g. Prover result is: Unknown (sat). The following counterexample model could not be verified (both RAC terminated because cannot import value from model: not implemented for value 1/10): File maps_poly.mlw: Line 50: m = (1/10 => -1.0, others => 0) why3-1.6.0/bench/check-ce/oracles/maps_poly_CVC4,1.8_WP.oracle000066400000000000000000000341711440160026300234450ustar00rootroot00000000000000Categorizations of models: - Selected model 0: NC - Concrete RAC: FAILURE (postcondition at "bench/check-ce/maps_poly.mlw", line 8, characters 14-28) - Abstract RAC: FAILURE (postcondition at "bench/check-ce/maps_poly.mlw", line 8, characters 14-28) - Checked model 1: NC - Concrete RAC: FAILURE (postcondition at "bench/check-ce/maps_poly.mlw", line 8, characters 14-28) - Abstract RAC: FAILURE (postcondition at "bench/check-ce/maps_poly.mlw", line 8, characters 14-28) File "bench/check-ce/maps_poly.mlw", line 8, characters 14-28: Sub-goal Postcondition of goal test_map'vc. Prover result is: Unknown or time/memory/step limit. The program does not comply to the verification goal, for example during the following execution: File int.mlw: Line 13: Constant zero initialization zero = 0 Line 14: Constant one initialization one = 1 File maps_poly.mlw: Line 7: x = {contents= [|1 -> 3; _ -> 0|]} x = {contents= [|1 -> 3; _ -> 0|]} Execution of main function `test_map` with env: x = {contents= [|1 -> 3; _ -> 0|]} zero = 0 one = 1 Line 10: Normal execution of function `(!)` with args: r = {contents= [|1 -> 3; _ -> 0|]} File ref.mlw: Line 18: Normal execution of function `contents` with args: arg = {contents= [|1 -> 3; _ -> 0|]} File maps_poly.mlw: Line 10: Normal execution of function `set` with args: f = [|1 -> 3; _ -> 0|] x = 0 v = 3 Normal execution of function `(:=)` with args: r = {contents= [|1 -> 3; _ -> 0|]} v = (fun y -> if pure { if y = x then True else False } then v else f y) with f = [|1 -> 3; _ -> 0|], x = 0, v = 3 Line 8: Property failure at postcondition of `test_map` with: x = {contents= (fun y -> if pure { if y = x then True else False } then v else f y) with f = [|1 -> 3; _ -> 0|], x = 0, v = 3} Categorizations of models: - Selected model 0: NC - Concrete RAC: FAILURE (postcondition at "bench/check-ce/maps_poly.mlw", line 14, characters 14-34) - Abstract RAC: FAILURE (postcondition at "bench/check-ce/maps_poly.mlw", line 14, characters 14-34) - Checked model 1: NC - Concrete RAC: FAILURE (postcondition at "bench/check-ce/maps_poly.mlw", line 14, characters 14-34) - Abstract RAC: FAILURE (postcondition at "bench/check-ce/maps_poly.mlw", line 14, characters 14-34) File "bench/check-ce/maps_poly.mlw", line 14, characters 14-34: Sub-goal Postcondition of goal test_map_multidim1'vc. Prover result is: Unknown or time/memory/step limit. The program does not comply to the verification goal, for example during the following execution: File int.mlw: Line 13: Constant zero initialization zero = 0 Line 14: Constant one initialization one = 1 File maps_poly.mlw: Line 13: x = {contents= [|; _ -> [|; _ -> 0|]|]} x = {contents= [|; _ -> [|; _ -> 0|]|]} Execution of main function `test_map_multidim1` with env: x = {contents= [|; _ -> [|; _ -> 0|]|]} zero = 0 one = 1 Line 16: Normal execution of function `(!)` with args: r = {contents= [|; _ -> [|; _ -> 0|]|]} File ref.mlw: Line 18: Normal execution of function `contents` with args: arg = {contents= [|; _ -> [|; _ -> 0|]|]} File maps_poly.mlw: Line 16: Normal execution of function `get` with args: f = [|; _ -> [|; _ -> 0|]|] x = 1 File map.mlw: Line 11: Normal execution of function `(@)` with args: u = [|; _ -> [|; _ -> 0|]|] u = 1 File maps_poly.mlw: Line 16: Normal execution of function `(!)` with args: r = {contents= [|; _ -> [|; _ -> 0|]|]} File ref.mlw: Line 18: Normal execution of function `contents` with args: arg = {contents= [|; _ -> [|; _ -> 0|]|]} File maps_poly.mlw: Line 16: Normal execution of function `set` with args: f = [|; _ -> [|; _ -> 0|]|] x = 0 v = [|; _ -> 0|] Normal execution of function `(:=)` with args: r = {contents= [|; _ -> [|; _ -> 0|]|]} v = (fun y -> if pure { if y = x then True else False } then v else f y) with f = [|; _ -> [|; _ -> 0|]|], x = 0, v = [|; _ -> 0|] Line 14: Property failure at postcondition of `test_map_multidim1` with: x = {contents= (fun y -> if pure { if y = x then True else False } then v else f y) with f = [|; _ -> [|; _ -> 0|]|], x = 0, v = [|; _ -> 0|]} Categorizations of models: - Selected model 0: NC - Concrete RAC: FAILURE (postcondition at "bench/check-ce/maps_poly.mlw", line 19, characters 14-34) - Abstract RAC: FAILURE (postcondition at "bench/check-ce/maps_poly.mlw", line 19, characters 14-34) - Checked model 1: NC - Concrete RAC: FAILURE (postcondition at "bench/check-ce/maps_poly.mlw", line 19, characters 14-34) - Abstract RAC: FAILURE (postcondition at "bench/check-ce/maps_poly.mlw", line 19, characters 14-34) File "bench/check-ce/maps_poly.mlw", line 19, characters 14-34: Sub-goal Postcondition of goal test_map_multidim2'vc. Prover result is: Unknown or time/memory/step limit. The program does not comply to the verification goal, for example during the following execution: File int.mlw: Line 13: Constant zero initialization zero = 0 Line 14: Constant one initialization one = 1 File maps_poly.mlw: Line 18: x = {contents= [|1 -> [|1 -> 3; _ -> 0|]; _ -> [|; _ -> 0|]|]} x = {contents= [|1 -> [|1 -> 3; _ -> 0|]; _ -> [|; _ -> 0|]|]} Execution of main function `test_map_multidim2` with env: x = {contents= [|1 -> [|1 -> 3; _ -> 0|]; _ -> [|; _ -> 0|]|]} zero = 0 one = 1 Line 21: Normal execution of function `(!)` with args: r = {contents= [|1 -> [|1 -> 3; _ -> 0|]; _ -> [|; _ -> 0|]|]} File ref.mlw: Line 18: Normal execution of function `contents` with args: arg = {contents= [|1 -> [|1 -> 3; _ -> 0|]; _ -> [|; _ -> 0|]|]} File maps_poly.mlw: Line 21: Normal execution of function `get` with args: f = [|1 -> [|1 -> 3; _ -> 0|]; _ -> [|; _ -> 0|]|] x = 0 File map.mlw: Line 11: Normal execution of function `(@)` with args: u = [|1 -> [|1 -> 3; _ -> 0|]; _ -> [|; _ -> 0|]|] u = 0 File maps_poly.mlw: Line 22: Normal execution of function `set` with args: f = [|; _ -> 0|] x = 0 v = 3 Line 23: Normal execution of function `(!)` with args: r = {contents= [|1 -> [|1 -> 3; _ -> 0|]; _ -> [|; _ -> 0|]|]} File ref.mlw: Line 18: Normal execution of function `contents` with args: arg = {contents= [|1 -> [|1 -> 3; _ -> 0|]; _ -> [|; _ -> 0|]|]} File maps_poly.mlw: Line 23: Normal execution of function `set` with args: f = [|1 -> [|1 -> 3; _ -> 0|]; _ -> [|; _ -> 0|]|] x = 0 v = (fun y -> if pure { if y = x then True else False } then v else f y) with f = [|; _ -> 0|], x = 0, v = 3 Normal execution of function `(:=)` with args: r = {contents= [|1 -> [|1 -> 3; _ -> 0|]; _ -> [|; _ -> 0|]|]} v = (fun y -> if pure { if y = x then True else False } then v else f y) with f = [|1 -> [|1 -> 3; _ -> 0|]; _ -> [|; _ -> 0|]|], x = 0, v = (fun y -> if pure { if y = x then True else False } then v else f y) with f = [|; _ -> 0|], x = 0, v = 3 Line 19: Property failure at postcondition of `test_map_multidim2` with: x = {contents= (fun y -> if pure { if y = x then True else False } then v else f y) with f = [|1 -> [|1 -> 3; _ -> 0|]; _ -> [|; _ -> 0|]|], x = 0, v = (fun y -> if pure { if y = x then True else False } then v else f y) with f = [|; _ -> 0|], x = 0, v = 3} Categorizations of models: - Selected model 0: NC - Concrete RAC: FAILURE (postcondition at "bench/check-ce/maps_poly.mlw", line 26, characters 14-28) - Abstract RAC: FAILURE (postcondition at "bench/check-ce/maps_poly.mlw", line 26, characters 14-28) - Checked model 1: NC - Concrete RAC: FAILURE (postcondition at "bench/check-ce/maps_poly.mlw", line 26, characters 14-28) - Abstract RAC: FAILURE (postcondition at "bench/check-ce/maps_poly.mlw", line 26, characters 14-28) File "bench/check-ce/maps_poly.mlw", line 26, characters 14-28: Sub-goal Postcondition of goal proj_map_test1'vc. Prover result is: Unknown or time/memory/step limit. The program does not comply to the verification goal, for example during the following execution: File int.mlw: Line 13: Constant zero initialization zero = 0 Line 14: Constant one initialization one = 1 File maps_poly.mlw: Line 25: x = {contents= [|1 -> 3; _ -> 0|]} x = {contents= [|1 -> 3; _ -> 0|]} Execution of main function `proj_map_test1` with env: x = {contents= [|1 -> 3; _ -> 0|]} zero = 0 one = 1 Line 28: Normal execution of function `(!)` with args: r = {contents= [|1 -> 3; _ -> 0|]} File ref.mlw: Line 18: Normal execution of function `contents` with args: arg = {contents= [|1 -> 3; _ -> 0|]} File maps_poly.mlw: Line 28: Normal execution of function `set` with args: f = [|1 -> 3; _ -> 0|] x = 0 v = 3 Normal execution of function `(:=)` with args: r = {contents= [|1 -> 3; _ -> 0|]} v = (fun y -> if pure { if y = x then True else False } then v else f y) with f = [|1 -> 3; _ -> 0|], x = 0, v = 3 Line 26: Property failure at postcondition of `proj_map_test1` with: x = {contents= (fun y -> if pure { if y = x then True else False } then v else f y) with f = [|1 -> 3; _ -> 0|], x = 0, v = 3} Categorizations of models: - Selected model 0: NC - Concrete RAC: FAILURE (postcondition at "bench/check-ce/maps_poly.mlw", line 31, characters 14-28) - Abstract RAC: FAILURE (postcondition at "bench/check-ce/maps_poly.mlw", line 31, characters 14-28) - Checked model 1: NC - Concrete RAC: FAILURE (postcondition at "bench/check-ce/maps_poly.mlw", line 31, characters 14-28) - Abstract RAC: FAILURE (postcondition at "bench/check-ce/maps_poly.mlw", line 31, characters 14-28) File "bench/check-ce/maps_poly.mlw", line 31, characters 14-28: Sub-goal Postcondition of goal proj_map_test2'vc. Prover result is: Unknown or time/memory/step limit. The program does not comply to the verification goal, for example during the following execution: File int.mlw: Line 13: Constant zero initialization zero = 0 Line 14: Constant one initialization one = 1 File maps_poly.mlw: Line 30: x = {contents= [|1 -> true; _ -> false|]} x = {contents= [|1 -> true; _ -> false|]} Execution of main function `proj_map_test2` with env: x = {contents= [|1 -> true; _ -> false|]} zero = 0 one = 1 Line 33: Normal execution of function `True` with args: Normal execution of function `(!)` with args: r = {contents= [|1 -> true; _ -> false|]} File ref.mlw: Line 18: Normal execution of function `contents` with args: arg = {contents= [|1 -> true; _ -> false|]} File maps_poly.mlw: Line 33: Normal execution of function `set` with args: f = [|1 -> true; _ -> false|] x = 0 v = true Normal execution of function `(:=)` with args: r = {contents= [|1 -> true; _ -> false|]} v = (fun y -> if pure { if y = x then True else False } then v else f y) with f = [|1 -> true; _ -> false|], x = 0, v = true Line 31: Property failure at postcondition of `proj_map_test2` with: x = {contents= (fun y -> if pure { if y = x then True else False } then v else f y) with f = [|1 -> true; _ -> false|], x = 0, v = true} Categorizations of models: - Selected model 0: NC - Concrete RAC: FAILURE (postcondition at "bench/check-ce/maps_poly.mlw", line 42, characters 3-31) - Abstract RAC: FAILURE (postcondition at "bench/check-ce/maps_poly.mlw", line 42, characters 3-31) - Checked model 1: NC - Concrete RAC: FAILURE (postcondition at "bench/check-ce/maps_poly.mlw", line 42, characters 3-31) - Abstract RAC: FAILURE (postcondition at "bench/check-ce/maps_poly.mlw", line 42, characters 3-31) File "bench/check-ce/maps_poly.mlw", line 42, characters 3-31: Goal t1. Prover result is: Unknown (sat). The program does not comply to the verification goal, for example during the following execution: File maps_poly.mlw: Line 41: t = [|0 -> 43; _ -> 0|] i = 0 t = [|0 -> 43; _ -> 0|] i = 0 Execution of main function `t1'goal` with env: i = 0 t = [|0 -> 43; _ -> 0|] Unknown location: Normal execution of function `Tuple0` with args: File maps_poly.mlw: Line 42: Property failure at postcondition of `t1'goal` with: i = 0 t = [|0 -> 43; _ -> 0|] Categorizations of models: - Checked model 0: INCOMPLETE - Concrete RAC: INCOMPLETE (terminated because cannot import value from model: not implemented for value 1/10) - Abstract RAC: INCOMPLETE (terminated because cannot import value from model: not implemented for value 1/10) - Selected model 1: INCOMPLETE - Concrete RAC: INCOMPLETE (terminated because cannot import value from model: not implemented for value 1/10) - Abstract RAC: INCOMPLETE (terminated because cannot import value from model: not implemented for value 1/10) File "bench/check-ce/maps_poly.mlw", line 50, characters 36-64: Goal g. Prover result is: Unknown (sat). The following counterexample model could not be verified (both RAC terminated because cannot import value from model: not implemented for value 1/10): File maps_poly.mlw: Line 50: m = (1/10 => -1.0, others => 0) why3-1.6.0/bench/check-ce/oracles/maps_poly_CVC5,1.0.0_SP.oracle000066400000000000000000000341711440160026300235700ustar00rootroot00000000000000Categorizations of models: - Selected model 0: NC - Concrete RAC: FAILURE (postcondition at "bench/check-ce/maps_poly.mlw", line 8, characters 14-28) - Abstract RAC: FAILURE (postcondition at "bench/check-ce/maps_poly.mlw", line 8, characters 14-28) - Checked model 1: NC - Concrete RAC: FAILURE (postcondition at "bench/check-ce/maps_poly.mlw", line 8, characters 14-28) - Abstract RAC: FAILURE (postcondition at "bench/check-ce/maps_poly.mlw", line 8, characters 14-28) File "bench/check-ce/maps_poly.mlw", line 8, characters 14-28: Sub-goal Postcondition of goal test_map'vc. Prover result is: Unknown or time/memory/step limit. The program does not comply to the verification goal, for example during the following execution: File int.mlw: Line 13: Constant zero initialization zero = 0 Line 14: Constant one initialization one = 1 File maps_poly.mlw: Line 7: x = {contents= [|1 -> 3; _ -> 0|]} x = {contents= [|1 -> 3; _ -> 0|]} Execution of main function `test_map` with env: x = {contents= [|1 -> 3; _ -> 0|]} zero = 0 one = 1 Line 10: Normal execution of function `(!)` with args: r = {contents= [|1 -> 3; _ -> 0|]} File ref.mlw: Line 18: Normal execution of function `contents` with args: arg = {contents= [|1 -> 3; _ -> 0|]} File maps_poly.mlw: Line 10: Normal execution of function `set` with args: f = [|1 -> 3; _ -> 0|] x = 0 v = 3 Normal execution of function `(:=)` with args: r = {contents= [|1 -> 3; _ -> 0|]} v = (fun y -> if pure { if y = x then True else False } then v else f y) with f = [|1 -> 3; _ -> 0|], x = 0, v = 3 Line 8: Property failure at postcondition of `test_map` with: x = {contents= (fun y -> if pure { if y = x then True else False } then v else f y) with f = [|1 -> 3; _ -> 0|], x = 0, v = 3} Categorizations of models: - Selected model 0: NC - Concrete RAC: FAILURE (postcondition at "bench/check-ce/maps_poly.mlw", line 14, characters 14-34) - Abstract RAC: FAILURE (postcondition at "bench/check-ce/maps_poly.mlw", line 14, characters 14-34) - Checked model 1: NC - Concrete RAC: FAILURE (postcondition at "bench/check-ce/maps_poly.mlw", line 14, characters 14-34) - Abstract RAC: FAILURE (postcondition at "bench/check-ce/maps_poly.mlw", line 14, characters 14-34) File "bench/check-ce/maps_poly.mlw", line 14, characters 14-34: Sub-goal Postcondition of goal test_map_multidim1'vc. Prover result is: Unknown or time/memory/step limit. The program does not comply to the verification goal, for example during the following execution: File int.mlw: Line 13: Constant zero initialization zero = 0 Line 14: Constant one initialization one = 1 File maps_poly.mlw: Line 13: x = {contents= [|; _ -> [|; _ -> 0|]|]} x = {contents= [|; _ -> [|; _ -> 0|]|]} Execution of main function `test_map_multidim1` with env: x = {contents= [|; _ -> [|; _ -> 0|]|]} zero = 0 one = 1 Line 16: Normal execution of function `(!)` with args: r = {contents= [|; _ -> [|; _ -> 0|]|]} File ref.mlw: Line 18: Normal execution of function `contents` with args: arg = {contents= [|; _ -> [|; _ -> 0|]|]} File maps_poly.mlw: Line 16: Normal execution of function `get` with args: f = [|; _ -> [|; _ -> 0|]|] x = 1 File map.mlw: Line 11: Normal execution of function `(@)` with args: u = [|; _ -> [|; _ -> 0|]|] u = 1 File maps_poly.mlw: Line 16: Normal execution of function `(!)` with args: r = {contents= [|; _ -> [|; _ -> 0|]|]} File ref.mlw: Line 18: Normal execution of function `contents` with args: arg = {contents= [|; _ -> [|; _ -> 0|]|]} File maps_poly.mlw: Line 16: Normal execution of function `set` with args: f = [|; _ -> [|; _ -> 0|]|] x = 0 v = [|; _ -> 0|] Normal execution of function `(:=)` with args: r = {contents= [|; _ -> [|; _ -> 0|]|]} v = (fun y -> if pure { if y = x then True else False } then v else f y) with f = [|; _ -> [|; _ -> 0|]|], x = 0, v = [|; _ -> 0|] Line 14: Property failure at postcondition of `test_map_multidim1` with: x = {contents= (fun y -> if pure { if y = x then True else False } then v else f y) with f = [|; _ -> [|; _ -> 0|]|], x = 0, v = [|; _ -> 0|]} Categorizations of models: - Selected model 0: NC - Concrete RAC: FAILURE (postcondition at "bench/check-ce/maps_poly.mlw", line 19, characters 14-34) - Abstract RAC: FAILURE (postcondition at "bench/check-ce/maps_poly.mlw", line 19, characters 14-34) - Checked model 1: NC - Concrete RAC: FAILURE (postcondition at "bench/check-ce/maps_poly.mlw", line 19, characters 14-34) - Abstract RAC: FAILURE (postcondition at "bench/check-ce/maps_poly.mlw", line 19, characters 14-34) File "bench/check-ce/maps_poly.mlw", line 19, characters 14-34: Sub-goal Postcondition of goal test_map_multidim2'vc. Prover result is: Unknown or time/memory/step limit. The program does not comply to the verification goal, for example during the following execution: File int.mlw: Line 13: Constant zero initialization zero = 0 Line 14: Constant one initialization one = 1 File maps_poly.mlw: Line 18: x = {contents= [|1 -> [|1 -> 3; _ -> 0|]; _ -> [|; _ -> 0|]|]} x = {contents= [|1 -> [|1 -> 3; _ -> 0|]; _ -> [|; _ -> 0|]|]} Execution of main function `test_map_multidim2` with env: x = {contents= [|1 -> [|1 -> 3; _ -> 0|]; _ -> [|; _ -> 0|]|]} zero = 0 one = 1 Line 21: Normal execution of function `(!)` with args: r = {contents= [|1 -> [|1 -> 3; _ -> 0|]; _ -> [|; _ -> 0|]|]} File ref.mlw: Line 18: Normal execution of function `contents` with args: arg = {contents= [|1 -> [|1 -> 3; _ -> 0|]; _ -> [|; _ -> 0|]|]} File maps_poly.mlw: Line 21: Normal execution of function `get` with args: f = [|1 -> [|1 -> 3; _ -> 0|]; _ -> [|; _ -> 0|]|] x = 0 File map.mlw: Line 11: Normal execution of function `(@)` with args: u = [|1 -> [|1 -> 3; _ -> 0|]; _ -> [|; _ -> 0|]|] u = 0 File maps_poly.mlw: Line 22: Normal execution of function `set` with args: f = [|; _ -> 0|] x = 0 v = 3 Line 23: Normal execution of function `(!)` with args: r = {contents= [|1 -> [|1 -> 3; _ -> 0|]; _ -> [|; _ -> 0|]|]} File ref.mlw: Line 18: Normal execution of function `contents` with args: arg = {contents= [|1 -> [|1 -> 3; _ -> 0|]; _ -> [|; _ -> 0|]|]} File maps_poly.mlw: Line 23: Normal execution of function `set` with args: f = [|1 -> [|1 -> 3; _ -> 0|]; _ -> [|; _ -> 0|]|] x = 0 v = (fun y -> if pure { if y = x then True else False } then v else f y) with f = [|; _ -> 0|], x = 0, v = 3 Normal execution of function `(:=)` with args: r = {contents= [|1 -> [|1 -> 3; _ -> 0|]; _ -> [|; _ -> 0|]|]} v = (fun y -> if pure { if y = x then True else False } then v else f y) with f = [|1 -> [|1 -> 3; _ -> 0|]; _ -> [|; _ -> 0|]|], x = 0, v = (fun y -> if pure { if y = x then True else False } then v else f y) with f = [|; _ -> 0|], x = 0, v = 3 Line 19: Property failure at postcondition of `test_map_multidim2` with: x = {contents= (fun y -> if pure { if y = x then True else False } then v else f y) with f = [|1 -> [|1 -> 3; _ -> 0|]; _ -> [|; _ -> 0|]|], x = 0, v = (fun y -> if pure { if y = x then True else False } then v else f y) with f = [|; _ -> 0|], x = 0, v = 3} Categorizations of models: - Selected model 0: NC - Concrete RAC: FAILURE (postcondition at "bench/check-ce/maps_poly.mlw", line 26, characters 14-28) - Abstract RAC: FAILURE (postcondition at "bench/check-ce/maps_poly.mlw", line 26, characters 14-28) - Checked model 1: NC - Concrete RAC: FAILURE (postcondition at "bench/check-ce/maps_poly.mlw", line 26, characters 14-28) - Abstract RAC: FAILURE (postcondition at "bench/check-ce/maps_poly.mlw", line 26, characters 14-28) File "bench/check-ce/maps_poly.mlw", line 26, characters 14-28: Sub-goal Postcondition of goal proj_map_test1'vc. Prover result is: Unknown or time/memory/step limit. The program does not comply to the verification goal, for example during the following execution: File int.mlw: Line 13: Constant zero initialization zero = 0 Line 14: Constant one initialization one = 1 File maps_poly.mlw: Line 25: x = {contents= [|1 -> 3; _ -> 0|]} x = {contents= [|1 -> 3; _ -> 0|]} Execution of main function `proj_map_test1` with env: x = {contents= [|1 -> 3; _ -> 0|]} zero = 0 one = 1 Line 28: Normal execution of function `(!)` with args: r = {contents= [|1 -> 3; _ -> 0|]} File ref.mlw: Line 18: Normal execution of function `contents` with args: arg = {contents= [|1 -> 3; _ -> 0|]} File maps_poly.mlw: Line 28: Normal execution of function `set` with args: f = [|1 -> 3; _ -> 0|] x = 0 v = 3 Normal execution of function `(:=)` with args: r = {contents= [|1 -> 3; _ -> 0|]} v = (fun y -> if pure { if y = x then True else False } then v else f y) with f = [|1 -> 3; _ -> 0|], x = 0, v = 3 Line 26: Property failure at postcondition of `proj_map_test1` with: x = {contents= (fun y -> if pure { if y = x then True else False } then v else f y) with f = [|1 -> 3; _ -> 0|], x = 0, v = 3} Categorizations of models: - Selected model 0: NC - Concrete RAC: FAILURE (postcondition at "bench/check-ce/maps_poly.mlw", line 31, characters 14-28) - Abstract RAC: FAILURE (postcondition at "bench/check-ce/maps_poly.mlw", line 31, characters 14-28) - Checked model 1: NC - Concrete RAC: FAILURE (postcondition at "bench/check-ce/maps_poly.mlw", line 31, characters 14-28) - Abstract RAC: FAILURE (postcondition at "bench/check-ce/maps_poly.mlw", line 31, characters 14-28) File "bench/check-ce/maps_poly.mlw", line 31, characters 14-28: Sub-goal Postcondition of goal proj_map_test2'vc. Prover result is: Unknown or time/memory/step limit. The program does not comply to the verification goal, for example during the following execution: File int.mlw: Line 13: Constant zero initialization zero = 0 Line 14: Constant one initialization one = 1 File maps_poly.mlw: Line 30: x = {contents= [|1 -> true; _ -> false|]} x = {contents= [|1 -> true; _ -> false|]} Execution of main function `proj_map_test2` with env: x = {contents= [|1 -> true; _ -> false|]} zero = 0 one = 1 Line 33: Normal execution of function `True` with args: Normal execution of function `(!)` with args: r = {contents= [|1 -> true; _ -> false|]} File ref.mlw: Line 18: Normal execution of function `contents` with args: arg = {contents= [|1 -> true; _ -> false|]} File maps_poly.mlw: Line 33: Normal execution of function `set` with args: f = [|1 -> true; _ -> false|] x = 0 v = true Normal execution of function `(:=)` with args: r = {contents= [|1 -> true; _ -> false|]} v = (fun y -> if pure { if y = x then True else False } then v else f y) with f = [|1 -> true; _ -> false|], x = 0, v = true Line 31: Property failure at postcondition of `proj_map_test2` with: x = {contents= (fun y -> if pure { if y = x then True else False } then v else f y) with f = [|1 -> true; _ -> false|], x = 0, v = true} Categorizations of models: - Selected model 0: NC - Concrete RAC: FAILURE (postcondition at "bench/check-ce/maps_poly.mlw", line 42, characters 3-31) - Abstract RAC: FAILURE (postcondition at "bench/check-ce/maps_poly.mlw", line 42, characters 3-31) - Checked model 1: NC - Concrete RAC: FAILURE (postcondition at "bench/check-ce/maps_poly.mlw", line 42, characters 3-31) - Abstract RAC: FAILURE (postcondition at "bench/check-ce/maps_poly.mlw", line 42, characters 3-31) File "bench/check-ce/maps_poly.mlw", line 42, characters 3-31: Goal t1. Prover result is: Unknown (sat). The program does not comply to the verification goal, for example during the following execution: File maps_poly.mlw: Line 41: t = [|0 -> 43; _ -> 0|] i = 0 t = [|0 -> 43; _ -> 0|] i = 0 Execution of main function `t1'goal` with env: i = 0 t = [|0 -> 43; _ -> 0|] Unknown location: Normal execution of function `Tuple0` with args: File maps_poly.mlw: Line 42: Property failure at postcondition of `t1'goal` with: i = 0 t = [|0 -> 43; _ -> 0|] Categorizations of models: - Checked model 0: INCOMPLETE - Concrete RAC: INCOMPLETE (terminated because cannot import value from model: not implemented for value 1/10) - Abstract RAC: INCOMPLETE (terminated because cannot import value from model: not implemented for value 1/10) - Selected model 1: INCOMPLETE - Concrete RAC: INCOMPLETE (terminated because cannot import value from model: not implemented for value 1/10) - Abstract RAC: INCOMPLETE (terminated because cannot import value from model: not implemented for value 1/10) File "bench/check-ce/maps_poly.mlw", line 50, characters 36-64: Goal g. Prover result is: Unknown (sat). The following counterexample model could not be verified (both RAC terminated because cannot import value from model: not implemented for value 1/10): File maps_poly.mlw: Line 50: m = (1/10 => -1, others => 0.0) why3-1.6.0/bench/check-ce/oracles/maps_poly_CVC5,1.0.0_WP.oracle000066400000000000000000000341711440160026300235740ustar00rootroot00000000000000Categorizations of models: - Selected model 0: NC - Concrete RAC: FAILURE (postcondition at "bench/check-ce/maps_poly.mlw", line 8, characters 14-28) - Abstract RAC: FAILURE (postcondition at "bench/check-ce/maps_poly.mlw", line 8, characters 14-28) - Checked model 1: NC - Concrete RAC: FAILURE (postcondition at "bench/check-ce/maps_poly.mlw", line 8, characters 14-28) - Abstract RAC: FAILURE (postcondition at "bench/check-ce/maps_poly.mlw", line 8, characters 14-28) File "bench/check-ce/maps_poly.mlw", line 8, characters 14-28: Sub-goal Postcondition of goal test_map'vc. Prover result is: Unknown or time/memory/step limit. The program does not comply to the verification goal, for example during the following execution: File int.mlw: Line 13: Constant zero initialization zero = 0 Line 14: Constant one initialization one = 1 File maps_poly.mlw: Line 7: x = {contents= [|1 -> 3; _ -> 0|]} x = {contents= [|1 -> 3; _ -> 0|]} Execution of main function `test_map` with env: x = {contents= [|1 -> 3; _ -> 0|]} zero = 0 one = 1 Line 10: Normal execution of function `(!)` with args: r = {contents= [|1 -> 3; _ -> 0|]} File ref.mlw: Line 18: Normal execution of function `contents` with args: arg = {contents= [|1 -> 3; _ -> 0|]} File maps_poly.mlw: Line 10: Normal execution of function `set` with args: f = [|1 -> 3; _ -> 0|] x = 0 v = 3 Normal execution of function `(:=)` with args: r = {contents= [|1 -> 3; _ -> 0|]} v = (fun y -> if pure { if y = x then True else False } then v else f y) with f = [|1 -> 3; _ -> 0|], x = 0, v = 3 Line 8: Property failure at postcondition of `test_map` with: x = {contents= (fun y -> if pure { if y = x then True else False } then v else f y) with f = [|1 -> 3; _ -> 0|], x = 0, v = 3} Categorizations of models: - Selected model 0: NC - Concrete RAC: FAILURE (postcondition at "bench/check-ce/maps_poly.mlw", line 14, characters 14-34) - Abstract RAC: FAILURE (postcondition at "bench/check-ce/maps_poly.mlw", line 14, characters 14-34) - Checked model 1: NC - Concrete RAC: FAILURE (postcondition at "bench/check-ce/maps_poly.mlw", line 14, characters 14-34) - Abstract RAC: FAILURE (postcondition at "bench/check-ce/maps_poly.mlw", line 14, characters 14-34) File "bench/check-ce/maps_poly.mlw", line 14, characters 14-34: Sub-goal Postcondition of goal test_map_multidim1'vc. Prover result is: Unknown or time/memory/step limit. The program does not comply to the verification goal, for example during the following execution: File int.mlw: Line 13: Constant zero initialization zero = 0 Line 14: Constant one initialization one = 1 File maps_poly.mlw: Line 13: x = {contents= [|; _ -> [|; _ -> 0|]|]} x = {contents= [|; _ -> [|; _ -> 0|]|]} Execution of main function `test_map_multidim1` with env: x = {contents= [|; _ -> [|; _ -> 0|]|]} zero = 0 one = 1 Line 16: Normal execution of function `(!)` with args: r = {contents= [|; _ -> [|; _ -> 0|]|]} File ref.mlw: Line 18: Normal execution of function `contents` with args: arg = {contents= [|; _ -> [|; _ -> 0|]|]} File maps_poly.mlw: Line 16: Normal execution of function `get` with args: f = [|; _ -> [|; _ -> 0|]|] x = 1 File map.mlw: Line 11: Normal execution of function `(@)` with args: u = [|; _ -> [|; _ -> 0|]|] u = 1 File maps_poly.mlw: Line 16: Normal execution of function `(!)` with args: r = {contents= [|; _ -> [|; _ -> 0|]|]} File ref.mlw: Line 18: Normal execution of function `contents` with args: arg = {contents= [|; _ -> [|; _ -> 0|]|]} File maps_poly.mlw: Line 16: Normal execution of function `set` with args: f = [|; _ -> [|; _ -> 0|]|] x = 0 v = [|; _ -> 0|] Normal execution of function `(:=)` with args: r = {contents= [|; _ -> [|; _ -> 0|]|]} v = (fun y -> if pure { if y = x then True else False } then v else f y) with f = [|; _ -> [|; _ -> 0|]|], x = 0, v = [|; _ -> 0|] Line 14: Property failure at postcondition of `test_map_multidim1` with: x = {contents= (fun y -> if pure { if y = x then True else False } then v else f y) with f = [|; _ -> [|; _ -> 0|]|], x = 0, v = [|; _ -> 0|]} Categorizations of models: - Selected model 0: NC - Concrete RAC: FAILURE (postcondition at "bench/check-ce/maps_poly.mlw", line 19, characters 14-34) - Abstract RAC: FAILURE (postcondition at "bench/check-ce/maps_poly.mlw", line 19, characters 14-34) - Checked model 1: NC - Concrete RAC: FAILURE (postcondition at "bench/check-ce/maps_poly.mlw", line 19, characters 14-34) - Abstract RAC: FAILURE (postcondition at "bench/check-ce/maps_poly.mlw", line 19, characters 14-34) File "bench/check-ce/maps_poly.mlw", line 19, characters 14-34: Sub-goal Postcondition of goal test_map_multidim2'vc. Prover result is: Unknown or time/memory/step limit. The program does not comply to the verification goal, for example during the following execution: File int.mlw: Line 13: Constant zero initialization zero = 0 Line 14: Constant one initialization one = 1 File maps_poly.mlw: Line 18: x = {contents= [|1 -> [|1 -> 3; _ -> 0|]; _ -> [|; _ -> 0|]|]} x = {contents= [|1 -> [|1 -> 3; _ -> 0|]; _ -> [|; _ -> 0|]|]} Execution of main function `test_map_multidim2` with env: x = {contents= [|1 -> [|1 -> 3; _ -> 0|]; _ -> [|; _ -> 0|]|]} zero = 0 one = 1 Line 21: Normal execution of function `(!)` with args: r = {contents= [|1 -> [|1 -> 3; _ -> 0|]; _ -> [|; _ -> 0|]|]} File ref.mlw: Line 18: Normal execution of function `contents` with args: arg = {contents= [|1 -> [|1 -> 3; _ -> 0|]; _ -> [|; _ -> 0|]|]} File maps_poly.mlw: Line 21: Normal execution of function `get` with args: f = [|1 -> [|1 -> 3; _ -> 0|]; _ -> [|; _ -> 0|]|] x = 0 File map.mlw: Line 11: Normal execution of function `(@)` with args: u = [|1 -> [|1 -> 3; _ -> 0|]; _ -> [|; _ -> 0|]|] u = 0 File maps_poly.mlw: Line 22: Normal execution of function `set` with args: f = [|; _ -> 0|] x = 0 v = 3 Line 23: Normal execution of function `(!)` with args: r = {contents= [|1 -> [|1 -> 3; _ -> 0|]; _ -> [|; _ -> 0|]|]} File ref.mlw: Line 18: Normal execution of function `contents` with args: arg = {contents= [|1 -> [|1 -> 3; _ -> 0|]; _ -> [|; _ -> 0|]|]} File maps_poly.mlw: Line 23: Normal execution of function `set` with args: f = [|1 -> [|1 -> 3; _ -> 0|]; _ -> [|; _ -> 0|]|] x = 0 v = (fun y -> if pure { if y = x then True else False } then v else f y) with f = [|; _ -> 0|], x = 0, v = 3 Normal execution of function `(:=)` with args: r = {contents= [|1 -> [|1 -> 3; _ -> 0|]; _ -> [|; _ -> 0|]|]} v = (fun y -> if pure { if y = x then True else False } then v else f y) with f = [|1 -> [|1 -> 3; _ -> 0|]; _ -> [|; _ -> 0|]|], x = 0, v = (fun y -> if pure { if y = x then True else False } then v else f y) with f = [|; _ -> 0|], x = 0, v = 3 Line 19: Property failure at postcondition of `test_map_multidim2` with: x = {contents= (fun y -> if pure { if y = x then True else False } then v else f y) with f = [|1 -> [|1 -> 3; _ -> 0|]; _ -> [|; _ -> 0|]|], x = 0, v = (fun y -> if pure { if y = x then True else False } then v else f y) with f = [|; _ -> 0|], x = 0, v = 3} Categorizations of models: - Selected model 0: NC - Concrete RAC: FAILURE (postcondition at "bench/check-ce/maps_poly.mlw", line 26, characters 14-28) - Abstract RAC: FAILURE (postcondition at "bench/check-ce/maps_poly.mlw", line 26, characters 14-28) - Checked model 1: NC - Concrete RAC: FAILURE (postcondition at "bench/check-ce/maps_poly.mlw", line 26, characters 14-28) - Abstract RAC: FAILURE (postcondition at "bench/check-ce/maps_poly.mlw", line 26, characters 14-28) File "bench/check-ce/maps_poly.mlw", line 26, characters 14-28: Sub-goal Postcondition of goal proj_map_test1'vc. Prover result is: Unknown or time/memory/step limit. The program does not comply to the verification goal, for example during the following execution: File int.mlw: Line 13: Constant zero initialization zero = 0 Line 14: Constant one initialization one = 1 File maps_poly.mlw: Line 25: x = {contents= [|1 -> 3; _ -> 0|]} x = {contents= [|1 -> 3; _ -> 0|]} Execution of main function `proj_map_test1` with env: x = {contents= [|1 -> 3; _ -> 0|]} zero = 0 one = 1 Line 28: Normal execution of function `(!)` with args: r = {contents= [|1 -> 3; _ -> 0|]} File ref.mlw: Line 18: Normal execution of function `contents` with args: arg = {contents= [|1 -> 3; _ -> 0|]} File maps_poly.mlw: Line 28: Normal execution of function `set` with args: f = [|1 -> 3; _ -> 0|] x = 0 v = 3 Normal execution of function `(:=)` with args: r = {contents= [|1 -> 3; _ -> 0|]} v = (fun y -> if pure { if y = x then True else False } then v else f y) with f = [|1 -> 3; _ -> 0|], x = 0, v = 3 Line 26: Property failure at postcondition of `proj_map_test1` with: x = {contents= (fun y -> if pure { if y = x then True else False } then v else f y) with f = [|1 -> 3; _ -> 0|], x = 0, v = 3} Categorizations of models: - Selected model 0: NC - Concrete RAC: FAILURE (postcondition at "bench/check-ce/maps_poly.mlw", line 31, characters 14-28) - Abstract RAC: FAILURE (postcondition at "bench/check-ce/maps_poly.mlw", line 31, characters 14-28) - Checked model 1: NC - Concrete RAC: FAILURE (postcondition at "bench/check-ce/maps_poly.mlw", line 31, characters 14-28) - Abstract RAC: FAILURE (postcondition at "bench/check-ce/maps_poly.mlw", line 31, characters 14-28) File "bench/check-ce/maps_poly.mlw", line 31, characters 14-28: Sub-goal Postcondition of goal proj_map_test2'vc. Prover result is: Unknown or time/memory/step limit. The program does not comply to the verification goal, for example during the following execution: File int.mlw: Line 13: Constant zero initialization zero = 0 Line 14: Constant one initialization one = 1 File maps_poly.mlw: Line 30: x = {contents= [|1 -> true; _ -> false|]} x = {contents= [|1 -> true; _ -> false|]} Execution of main function `proj_map_test2` with env: x = {contents= [|1 -> true; _ -> false|]} zero = 0 one = 1 Line 33: Normal execution of function `True` with args: Normal execution of function `(!)` with args: r = {contents= [|1 -> true; _ -> false|]} File ref.mlw: Line 18: Normal execution of function `contents` with args: arg = {contents= [|1 -> true; _ -> false|]} File maps_poly.mlw: Line 33: Normal execution of function `set` with args: f = [|1 -> true; _ -> false|] x = 0 v = true Normal execution of function `(:=)` with args: r = {contents= [|1 -> true; _ -> false|]} v = (fun y -> if pure { if y = x then True else False } then v else f y) with f = [|1 -> true; _ -> false|], x = 0, v = true Line 31: Property failure at postcondition of `proj_map_test2` with: x = {contents= (fun y -> if pure { if y = x then True else False } then v else f y) with f = [|1 -> true; _ -> false|], x = 0, v = true} Categorizations of models: - Selected model 0: NC - Concrete RAC: FAILURE (postcondition at "bench/check-ce/maps_poly.mlw", line 42, characters 3-31) - Abstract RAC: FAILURE (postcondition at "bench/check-ce/maps_poly.mlw", line 42, characters 3-31) - Checked model 1: NC - Concrete RAC: FAILURE (postcondition at "bench/check-ce/maps_poly.mlw", line 42, characters 3-31) - Abstract RAC: FAILURE (postcondition at "bench/check-ce/maps_poly.mlw", line 42, characters 3-31) File "bench/check-ce/maps_poly.mlw", line 42, characters 3-31: Goal t1. Prover result is: Unknown (sat). The program does not comply to the verification goal, for example during the following execution: File maps_poly.mlw: Line 41: t = [|0 -> 43; _ -> 0|] i = 0 t = [|0 -> 43; _ -> 0|] i = 0 Execution of main function `t1'goal` with env: i = 0 t = [|0 -> 43; _ -> 0|] Unknown location: Normal execution of function `Tuple0` with args: File maps_poly.mlw: Line 42: Property failure at postcondition of `t1'goal` with: i = 0 t = [|0 -> 43; _ -> 0|] Categorizations of models: - Checked model 0: INCOMPLETE - Concrete RAC: INCOMPLETE (terminated because cannot import value from model: not implemented for value 1/10) - Abstract RAC: INCOMPLETE (terminated because cannot import value from model: not implemented for value 1/10) - Selected model 1: INCOMPLETE - Concrete RAC: INCOMPLETE (terminated because cannot import value from model: not implemented for value 1/10) - Abstract RAC: INCOMPLETE (terminated because cannot import value from model: not implemented for value 1/10) File "bench/check-ce/maps_poly.mlw", line 50, characters 36-64: Goal g. Prover result is: Unknown (sat). The following counterexample model could not be verified (both RAC terminated because cannot import value from model: not implemented for value 1/10): File maps_poly.mlw: Line 50: m = (1/10 => -1, others => 0.0) why3-1.6.0/bench/check-ce/oracles/maps_poly_Z3,4.8.10_SP.oracle000066400000000000000000000404741440160026300234630ustar00rootroot00000000000000Categorizations of models: - Selected model 0: NC - Concrete RAC: FAILURE (postcondition at "bench/check-ce/maps_poly.mlw", line 8, characters 14-28) - Abstract RAC: FAILURE (postcondition at "bench/check-ce/maps_poly.mlw", line 8, characters 14-28) - Checked model 1: NC - Concrete RAC: FAILURE (postcondition at "bench/check-ce/maps_poly.mlw", line 8, characters 14-28) - Abstract RAC: FAILURE (postcondition at "bench/check-ce/maps_poly.mlw", line 8, characters 14-28) File "bench/check-ce/maps_poly.mlw", line 8, characters 14-28: Sub-goal Postcondition of goal test_map'vc. Prover result is: Unknown or time/memory/step limit. The program does not comply to the verification goal, for example during the following execution: File int.mlw: Line 13: Constant zero initialization zero = 0 Line 14: Constant one initialization one = 1 File maps_poly.mlw: Line 7: x = {contents= [|1 -> 3; _ -> 2|]} x = {contents= [|1 -> 3; _ -> 2|]} Execution of main function `test_map` with env: x = {contents= [|1 -> 3; _ -> 2|]} zero = 0 one = 1 Line 10: Normal execution of function `(!)` with args: r = {contents= [|1 -> 3; _ -> 2|]} File ref.mlw: Line 18: Normal execution of function `contents` with args: arg = {contents= [|1 -> 3; _ -> 2|]} File maps_poly.mlw: Line 10: Normal execution of function `set` with args: f = [|1 -> 3; _ -> 2|] x = 0 v = 3 Normal execution of function `(:=)` with args: r = {contents= [|1 -> 3; _ -> 2|]} v = (fun y -> if pure { if y = x then True else False } then v else f y) with f = [|1 -> 3; _ -> 2|], x = 0, v = 3 Line 8: Property failure at postcondition of `test_map` with: x = {contents= (fun y -> if pure { if y = x then True else False } then v else f y) with f = [|1 -> 3; _ -> 2|], x = 0, v = 3} Categorizations of models: - Selected model 0: NC - Concrete RAC: FAILURE (postcondition at "bench/check-ce/maps_poly.mlw", line 14, characters 14-34) - Abstract RAC: FAILURE (postcondition at "bench/check-ce/maps_poly.mlw", line 14, characters 14-34) - Checked model 1: NC - Concrete RAC: FAILURE (postcondition at "bench/check-ce/maps_poly.mlw", line 14, characters 14-34) - Abstract RAC: FAILURE (postcondition at "bench/check-ce/maps_poly.mlw", line 14, characters 14-34) File "bench/check-ce/maps_poly.mlw", line 14, characters 14-34: Sub-goal Postcondition of goal test_map_multidim1'vc. Prover result is: Unknown or time/memory/step limit. The program does not comply to the verification goal, for example during the following execution: File int.mlw: Line 13: Constant zero initialization zero = 0 Line 14: Constant one initialization one = 1 File maps_poly.mlw: Line 13: x = {contents= [|0 -> [|6 -> 8; _ -> 5|]; 1 -> [|0 -> 3; 1 -> 3; 6 -> 7; _ -> 2|]; _ -> [|; _ -> 4|]|]} x = {contents= [|0 -> [|6 -> 8; _ -> 5|]; 1 -> [|0 -> 3; 1 -> 3; 6 -> 7; _ -> 2|]; _ -> [|; _ -> 4|]|]} Execution of main function `test_map_multidim1` with env: x = {contents= [|0 -> [|6 -> 8; _ -> 5|]; 1 -> [|0 -> 3; 1 -> 3; 6 -> 7; _ -> 2|]; _ -> [|; _ -> 4|]|]} zero = 0 one = 1 Line 16: Normal execution of function `(!)` with args: r = {contents= [|0 -> [|6 -> 8; _ -> 5|]; 1 -> [|0 -> 3; 1 -> 3; 6 -> 7; _ -> 2|]; _ -> [|; _ -> 4|]|]} File ref.mlw: Line 18: Normal execution of function `contents` with args: arg = {contents= [|0 -> [|6 -> 8; _ -> 5|]; 1 -> [|0 -> 3; 1 -> 3; 6 -> 7; _ -> 2|]; _ -> [|; _ -> 4|]|]} File maps_poly.mlw: Line 16: Normal execution of function `get` with args: f = [|0 -> [|6 -> 8; _ -> 5|]; 1 -> [|0 -> 3; 1 -> 3; 6 -> 7; _ -> 2|]; _ -> [|; _ -> 4|]|] x = 1 File map.mlw: Line 11: Normal execution of function `(@)` with args: u = [|0 -> [|6 -> 8; _ -> 5|]; 1 -> [|0 -> 3; 1 -> 3; 6 -> 7; _ -> 2|]; _ -> [|; _ -> 4|]|] u = 1 File maps_poly.mlw: Line 16: Normal execution of function `(!)` with args: r = {contents= [|0 -> [|6 -> 8; _ -> 5|]; 1 -> [|0 -> 3; 1 -> 3; 6 -> 7; _ -> 2|]; _ -> [|; _ -> 4|]|]} File ref.mlw: Line 18: Normal execution of function `contents` with args: arg = {contents= [|0 -> [|6 -> 8; _ -> 5|]; 1 -> [|0 -> 3; 1 -> 3; 6 -> 7; _ -> 2|]; _ -> [|; _ -> 4|]|]} File maps_poly.mlw: Line 16: Normal execution of function `set` with args: f = [|0 -> [|6 -> 8; _ -> 5|]; 1 -> [|0 -> 3; 1 -> 3; 6 -> 7; _ -> 2|]; _ -> [|; _ -> 4|]|] x = 0 v = [|0 -> 3; 1 -> 3; 6 -> 7; _ -> 2|] Normal execution of function `(:=)` with args: r = {contents= [|0 -> [|6 -> 8; _ -> 5|]; 1 -> [|0 -> 3; 1 -> 3; 6 -> 7; _ -> 2|]; _ -> [|; _ -> 4|]|]} v = (fun y -> if pure { if y = x then True else False } then v else f y) with f = [|0 -> [|6 -> 8; _ -> 5|]; 1 -> [|0 -> 3; 1 -> 3; 6 -> 7; _ -> 2|]; _ -> [|; _ -> 4|]|], x = 0, v = [|0 -> 3; 1 -> 3; 6 -> 7; _ -> 2|] Line 14: Property failure at postcondition of `test_map_multidim1` with: x = {contents= (fun y -> if pure { if y = x then True else False } then v else f y) with f = [|0 -> [|6 -> 8; _ -> 5|]; 1 -> [|0 -> 3; 1 -> 3; 6 -> 7; _ -> 2|]; _ -> [|; _ -> 4|]|], x = 0, v = [|0 -> 3; 1 -> 3; 6 -> 7; _ -> 2|]} Categorizations of models: - Selected model 0: NC - Concrete RAC: FAILURE (postcondition at "bench/check-ce/maps_poly.mlw", line 19, characters 14-34) - Abstract RAC: FAILURE (postcondition at "bench/check-ce/maps_poly.mlw", line 19, characters 14-34) - Checked model 1: NC - Concrete RAC: FAILURE (postcondition at "bench/check-ce/maps_poly.mlw", line 19, characters 14-34) - Abstract RAC: FAILURE (postcondition at "bench/check-ce/maps_poly.mlw", line 19, characters 14-34) File "bench/check-ce/maps_poly.mlw", line 19, characters 14-34: Sub-goal Postcondition of goal test_map_multidim2'vc. Prover result is: Unknown or time/memory/step limit. The program does not comply to the verification goal, for example during the following execution: File int.mlw: Line 13: Constant zero initialization zero = 0 Line 14: Constant one initialization one = 1 File maps_poly.mlw: Line 18: x = {contents= [|0 -> [|0 -> 6; _ -> 5|]; 1 -> [|1 -> 3; _ -> 2|]; _ -> [|; _ -> 4|]|]} x = {contents= [|0 -> [|0 -> 6; _ -> 5|]; 1 -> [|1 -> 3; _ -> 2|]; _ -> [|; _ -> 4|]|]} Execution of main function `test_map_multidim2` with env: x = {contents= [|0 -> [|0 -> 6; _ -> 5|]; 1 -> [|1 -> 3; _ -> 2|]; _ -> [|; _ -> 4|]|]} zero = 0 one = 1 Line 21: Normal execution of function `(!)` with args: r = {contents= [|0 -> [|0 -> 6; _ -> 5|]; 1 -> [|1 -> 3; _ -> 2|]; _ -> [|; _ -> 4|]|]} File ref.mlw: Line 18: Normal execution of function `contents` with args: arg = {contents= [|0 -> [|0 -> 6; _ -> 5|]; 1 -> [|1 -> 3; _ -> 2|]; _ -> [|; _ -> 4|]|]} File maps_poly.mlw: Line 21: Normal execution of function `get` with args: f = [|0 -> [|0 -> 6; _ -> 5|]; 1 -> [|1 -> 3; _ -> 2|]; _ -> [|; _ -> 4|]|] x = 0 File map.mlw: Line 11: Normal execution of function `(@)` with args: u = [|0 -> [|0 -> 6; _ -> 5|]; 1 -> [|1 -> 3; _ -> 2|]; _ -> [|; _ -> 4|]|] u = 0 File maps_poly.mlw: Line 22: Normal execution of function `set` with args: f = [|0 -> 6; _ -> 5|] x = 0 v = 3 Line 23: Normal execution of function `(!)` with args: r = {contents= [|0 -> [|0 -> 6; _ -> 5|]; 1 -> [|1 -> 3; _ -> 2|]; _ -> [|; _ -> 4|]|]} File ref.mlw: Line 18: Normal execution of function `contents` with args: arg = {contents= [|0 -> [|0 -> 6; _ -> 5|]; 1 -> [|1 -> 3; _ -> 2|]; _ -> [|; _ -> 4|]|]} File maps_poly.mlw: Line 23: Normal execution of function `set` with args: f = [|0 -> [|0 -> 6; _ -> 5|]; 1 -> [|1 -> 3; _ -> 2|]; _ -> [|; _ -> 4|]|] x = 0 v = (fun y -> if pure { if y = x then True else False } then v else f y) with f = [|0 -> 6; _ -> 5|], x = 0, v = 3 Normal execution of function `(:=)` with args: r = {contents= [|0 -> [|0 -> 6; _ -> 5|]; 1 -> [|1 -> 3; _ -> 2|]; _ -> [|; _ -> 4|]|]} v = (fun y -> if pure { if y = x then True else False } then v else f y) with f = [|0 -> [|0 -> 6; _ -> 5|]; 1 -> [|1 -> 3; _ -> 2|]; _ -> [|; _ -> 4|]|], x = 0, v = (fun y -> if pure { if y = x then True else False } then v else f y) with f = [| 0 -> 6; _ -> 5|], x = 0, v = 3 Line 19: Property failure at postcondition of `test_map_multidim2` with: x = {contents= (fun y -> if pure { if y = x then True else False } then v else f y) with f = [|0 -> [|0 -> 6; _ -> 5|]; 1 -> [|1 -> 3; _ -> 2|]; _ -> [|; _ -> 4|]|], x = 0, v = (fun y -> if pure { if y = x then True else False } then v else f y) with f = [| 0 -> 6; _ -> 5|], x = 0, v = 3} Categorizations of models: - Selected model 0: NC - Concrete RAC: FAILURE (postcondition at "bench/check-ce/maps_poly.mlw", line 26, characters 14-28) - Abstract RAC: FAILURE (postcondition at "bench/check-ce/maps_poly.mlw", line 26, characters 14-28) - Checked model 1: NC - Concrete RAC: FAILURE (postcondition at "bench/check-ce/maps_poly.mlw", line 26, characters 14-28) - Abstract RAC: FAILURE (postcondition at "bench/check-ce/maps_poly.mlw", line 26, characters 14-28) File "bench/check-ce/maps_poly.mlw", line 26, characters 14-28: Sub-goal Postcondition of goal proj_map_test1'vc. Prover result is: Unknown or time/memory/step limit. The program does not comply to the verification goal, for example during the following execution: File int.mlw: Line 13: Constant zero initialization zero = 0 Line 14: Constant one initialization one = 1 File maps_poly.mlw: Line 25: x = {contents= [|1 -> 3; _ -> 2|]} x = {contents= [|1 -> 3; _ -> 2|]} Execution of main function `proj_map_test1` with env: x = {contents= [|1 -> 3; _ -> 2|]} zero = 0 one = 1 Line 28: Normal execution of function `(!)` with args: r = {contents= [|1 -> 3; _ -> 2|]} File ref.mlw: Line 18: Normal execution of function `contents` with args: arg = {contents= [|1 -> 3; _ -> 2|]} File maps_poly.mlw: Line 28: Normal execution of function `set` with args: f = [|1 -> 3; _ -> 2|] x = 0 v = 3 Normal execution of function `(:=)` with args: r = {contents= [|1 -> 3; _ -> 2|]} v = (fun y -> if pure { if y = x then True else False } then v else f y) with f = [|1 -> 3; _ -> 2|], x = 0, v = 3 Line 26: Property failure at postcondition of `proj_map_test1` with: x = {contents= (fun y -> if pure { if y = x then True else False } then v else f y) with f = [|1 -> 3; _ -> 2|], x = 0, v = 3} Categorizations of models: - Selected model 0: NC - Concrete RAC: FAILURE (postcondition at "bench/check-ce/maps_poly.mlw", line 31, characters 14-28) - Abstract RAC: FAILURE (postcondition at "bench/check-ce/maps_poly.mlw", line 31, characters 14-28) - Checked model 1: NC - Concrete RAC: FAILURE (postcondition at "bench/check-ce/maps_poly.mlw", line 31, characters 14-28) - Abstract RAC: FAILURE (postcondition at "bench/check-ce/maps_poly.mlw", line 31, characters 14-28) File "bench/check-ce/maps_poly.mlw", line 31, characters 14-28: Sub-goal Postcondition of goal proj_map_test2'vc. Prover result is: Unknown or time/memory/step limit. The program does not comply to the verification goal, for example during the following execution: File int.mlw: Line 13: Constant zero initialization zero = 0 Line 14: Constant one initialization one = 1 File maps_poly.mlw: Line 30: x = {contents= [|1 -> true; _ -> false|]} x = {contents= [|1 -> true; _ -> false|]} Execution of main function `proj_map_test2` with env: x = {contents= [|1 -> true; _ -> false|]} zero = 0 one = 1 Line 33: Normal execution of function `True` with args: Normal execution of function `(!)` with args: r = {contents= [|1 -> true; _ -> false|]} File ref.mlw: Line 18: Normal execution of function `contents` with args: arg = {contents= [|1 -> true; _ -> false|]} File maps_poly.mlw: Line 33: Normal execution of function `set` with args: f = [|1 -> true; _ -> false|] x = 0 v = true Normal execution of function `(:=)` with args: r = {contents= [|1 -> true; _ -> false|]} v = (fun y -> if pure { if y = x then True else False } then v else f y) with f = [|1 -> true; _ -> false|], x = 0, v = true Line 31: Property failure at postcondition of `proj_map_test2` with: x = {contents= (fun y -> if pure { if y = x then True else False } then v else f y) with f = [|1 -> true; _ -> false|], x = 0, v = true} Categorizations of models: - Selected model 0: NC - Concrete RAC: FAILURE (postcondition at "bench/check-ce/maps_poly.mlw", line 42, characters 3-31) - Abstract RAC: FAILURE (postcondition at "bench/check-ce/maps_poly.mlw", line 42, characters 3-31) - Checked model 1: NC - Concrete RAC: FAILURE (postcondition at "bench/check-ce/maps_poly.mlw", line 42, characters 3-31) - Abstract RAC: FAILURE (postcondition at "bench/check-ce/maps_poly.mlw", line 42, characters 3-31) File "bench/check-ce/maps_poly.mlw", line 42, characters 3-31: Goal t1. Prover result is: Unknown (sat). The program does not comply to the verification goal, for example during the following execution: File maps_poly.mlw: Line 41: t = [|0 -> 3; _ -> 2|] i = 0 t = [|0 -> 3; _ -> 2|] i = 0 Execution of main function `t1'goal` with env: i = 0 t = [|0 -> 3; _ -> 2|] Unknown location: Normal execution of function `Tuple0` with args: File maps_poly.mlw: Line 42: Property failure at postcondition of `t1'goal` with: i = 0 t = [|0 -> 3; _ -> 2|] Categorizations of models: - Checked model 0: INCOMPLETE - Concrete RAC: INCOMPLETE (terminated because cannot import value from model: not implemented for value 1/10) - Abstract RAC: INCOMPLETE (terminated because cannot import value from model: not implemented for value 1/10) - Selected model 1: INCOMPLETE - Concrete RAC: INCOMPLETE (terminated because cannot import value from model: not implemented for value 1/10) - Abstract RAC: INCOMPLETE (terminated because cannot import value from model: not implemented for value 1/10) File "bench/check-ce/maps_poly.mlw", line 50, characters 36-64: Goal g. Prover result is: Unknown (sat). The following counterexample model could not be verified (both RAC terminated because cannot import value from model: not implemented for value 1/10): File maps_poly.mlw: Line 50: m = (1/5 => 3.0, 1/10 => 2.0, others => 2.0) why3-1.6.0/bench/check-ce/oracles/maps_poly_Z3,4.8.10_WP.oracle000066400000000000000000000404741440160026300234670ustar00rootroot00000000000000Categorizations of models: - Selected model 0: NC - Concrete RAC: FAILURE (postcondition at "bench/check-ce/maps_poly.mlw", line 8, characters 14-28) - Abstract RAC: FAILURE (postcondition at "bench/check-ce/maps_poly.mlw", line 8, characters 14-28) - Checked model 1: NC - Concrete RAC: FAILURE (postcondition at "bench/check-ce/maps_poly.mlw", line 8, characters 14-28) - Abstract RAC: FAILURE (postcondition at "bench/check-ce/maps_poly.mlw", line 8, characters 14-28) File "bench/check-ce/maps_poly.mlw", line 8, characters 14-28: Sub-goal Postcondition of goal test_map'vc. Prover result is: Unknown or time/memory/step limit. The program does not comply to the verification goal, for example during the following execution: File int.mlw: Line 13: Constant zero initialization zero = 0 Line 14: Constant one initialization one = 1 File maps_poly.mlw: Line 7: x = {contents= [|1 -> 3; _ -> 2|]} x = {contents= [|1 -> 3; _ -> 2|]} Execution of main function `test_map` with env: x = {contents= [|1 -> 3; _ -> 2|]} zero = 0 one = 1 Line 10: Normal execution of function `(!)` with args: r = {contents= [|1 -> 3; _ -> 2|]} File ref.mlw: Line 18: Normal execution of function `contents` with args: arg = {contents= [|1 -> 3; _ -> 2|]} File maps_poly.mlw: Line 10: Normal execution of function `set` with args: f = [|1 -> 3; _ -> 2|] x = 0 v = 3 Normal execution of function `(:=)` with args: r = {contents= [|1 -> 3; _ -> 2|]} v = (fun y -> if pure { if y = x then True else False } then v else f y) with f = [|1 -> 3; _ -> 2|], x = 0, v = 3 Line 8: Property failure at postcondition of `test_map` with: x = {contents= (fun y -> if pure { if y = x then True else False } then v else f y) with f = [|1 -> 3; _ -> 2|], x = 0, v = 3} Categorizations of models: - Selected model 0: NC - Concrete RAC: FAILURE (postcondition at "bench/check-ce/maps_poly.mlw", line 14, characters 14-34) - Abstract RAC: FAILURE (postcondition at "bench/check-ce/maps_poly.mlw", line 14, characters 14-34) - Checked model 1: NC - Concrete RAC: FAILURE (postcondition at "bench/check-ce/maps_poly.mlw", line 14, characters 14-34) - Abstract RAC: FAILURE (postcondition at "bench/check-ce/maps_poly.mlw", line 14, characters 14-34) File "bench/check-ce/maps_poly.mlw", line 14, characters 14-34: Sub-goal Postcondition of goal test_map_multidim1'vc. Prover result is: Unknown or time/memory/step limit. The program does not comply to the verification goal, for example during the following execution: File int.mlw: Line 13: Constant zero initialization zero = 0 Line 14: Constant one initialization one = 1 File maps_poly.mlw: Line 13: x = {contents= [|0 -> [|6 -> 8; _ -> 5|]; 1 -> [|0 -> 3; 1 -> 3; 6 -> 7; _ -> 2|]; _ -> [|; _ -> 4|]|]} x = {contents= [|0 -> [|6 -> 8; _ -> 5|]; 1 -> [|0 -> 3; 1 -> 3; 6 -> 7; _ -> 2|]; _ -> [|; _ -> 4|]|]} Execution of main function `test_map_multidim1` with env: x = {contents= [|0 -> [|6 -> 8; _ -> 5|]; 1 -> [|0 -> 3; 1 -> 3; 6 -> 7; _ -> 2|]; _ -> [|; _ -> 4|]|]} zero = 0 one = 1 Line 16: Normal execution of function `(!)` with args: r = {contents= [|0 -> [|6 -> 8; _ -> 5|]; 1 -> [|0 -> 3; 1 -> 3; 6 -> 7; _ -> 2|]; _ -> [|; _ -> 4|]|]} File ref.mlw: Line 18: Normal execution of function `contents` with args: arg = {contents= [|0 -> [|6 -> 8; _ -> 5|]; 1 -> [|0 -> 3; 1 -> 3; 6 -> 7; _ -> 2|]; _ -> [|; _ -> 4|]|]} File maps_poly.mlw: Line 16: Normal execution of function `get` with args: f = [|0 -> [|6 -> 8; _ -> 5|]; 1 -> [|0 -> 3; 1 -> 3; 6 -> 7; _ -> 2|]; _ -> [|; _ -> 4|]|] x = 1 File map.mlw: Line 11: Normal execution of function `(@)` with args: u = [|0 -> [|6 -> 8; _ -> 5|]; 1 -> [|0 -> 3; 1 -> 3; 6 -> 7; _ -> 2|]; _ -> [|; _ -> 4|]|] u = 1 File maps_poly.mlw: Line 16: Normal execution of function `(!)` with args: r = {contents= [|0 -> [|6 -> 8; _ -> 5|]; 1 -> [|0 -> 3; 1 -> 3; 6 -> 7; _ -> 2|]; _ -> [|; _ -> 4|]|]} File ref.mlw: Line 18: Normal execution of function `contents` with args: arg = {contents= [|0 -> [|6 -> 8; _ -> 5|]; 1 -> [|0 -> 3; 1 -> 3; 6 -> 7; _ -> 2|]; _ -> [|; _ -> 4|]|]} File maps_poly.mlw: Line 16: Normal execution of function `set` with args: f = [|0 -> [|6 -> 8; _ -> 5|]; 1 -> [|0 -> 3; 1 -> 3; 6 -> 7; _ -> 2|]; _ -> [|; _ -> 4|]|] x = 0 v = [|0 -> 3; 1 -> 3; 6 -> 7; _ -> 2|] Normal execution of function `(:=)` with args: r = {contents= [|0 -> [|6 -> 8; _ -> 5|]; 1 -> [|0 -> 3; 1 -> 3; 6 -> 7; _ -> 2|]; _ -> [|; _ -> 4|]|]} v = (fun y -> if pure { if y = x then True else False } then v else f y) with f = [|0 -> [|6 -> 8; _ -> 5|]; 1 -> [|0 -> 3; 1 -> 3; 6 -> 7; _ -> 2|]; _ -> [|; _ -> 4|]|], x = 0, v = [|0 -> 3; 1 -> 3; 6 -> 7; _ -> 2|] Line 14: Property failure at postcondition of `test_map_multidim1` with: x = {contents= (fun y -> if pure { if y = x then True else False } then v else f y) with f = [|0 -> [|6 -> 8; _ -> 5|]; 1 -> [|0 -> 3; 1 -> 3; 6 -> 7; _ -> 2|]; _ -> [|; _ -> 4|]|], x = 0, v = [|0 -> 3; 1 -> 3; 6 -> 7; _ -> 2|]} Categorizations of models: - Selected model 0: NC - Concrete RAC: FAILURE (postcondition at "bench/check-ce/maps_poly.mlw", line 19, characters 14-34) - Abstract RAC: FAILURE (postcondition at "bench/check-ce/maps_poly.mlw", line 19, characters 14-34) - Checked model 1: NC - Concrete RAC: FAILURE (postcondition at "bench/check-ce/maps_poly.mlw", line 19, characters 14-34) - Abstract RAC: FAILURE (postcondition at "bench/check-ce/maps_poly.mlw", line 19, characters 14-34) File "bench/check-ce/maps_poly.mlw", line 19, characters 14-34: Sub-goal Postcondition of goal test_map_multidim2'vc. Prover result is: Unknown or time/memory/step limit. The program does not comply to the verification goal, for example during the following execution: File int.mlw: Line 13: Constant zero initialization zero = 0 Line 14: Constant one initialization one = 1 File maps_poly.mlw: Line 18: x = {contents= [|0 -> [|0 -> 6; _ -> 5|]; 1 -> [|1 -> 3; _ -> 2|]; _ -> [|; _ -> 4|]|]} x = {contents= [|0 -> [|0 -> 6; _ -> 5|]; 1 -> [|1 -> 3; _ -> 2|]; _ -> [|; _ -> 4|]|]} Execution of main function `test_map_multidim2` with env: x = {contents= [|0 -> [|0 -> 6; _ -> 5|]; 1 -> [|1 -> 3; _ -> 2|]; _ -> [|; _ -> 4|]|]} zero = 0 one = 1 Line 21: Normal execution of function `(!)` with args: r = {contents= [|0 -> [|0 -> 6; _ -> 5|]; 1 -> [|1 -> 3; _ -> 2|]; _ -> [|; _ -> 4|]|]} File ref.mlw: Line 18: Normal execution of function `contents` with args: arg = {contents= [|0 -> [|0 -> 6; _ -> 5|]; 1 -> [|1 -> 3; _ -> 2|]; _ -> [|; _ -> 4|]|]} File maps_poly.mlw: Line 21: Normal execution of function `get` with args: f = [|0 -> [|0 -> 6; _ -> 5|]; 1 -> [|1 -> 3; _ -> 2|]; _ -> [|; _ -> 4|]|] x = 0 File map.mlw: Line 11: Normal execution of function `(@)` with args: u = [|0 -> [|0 -> 6; _ -> 5|]; 1 -> [|1 -> 3; _ -> 2|]; _ -> [|; _ -> 4|]|] u = 0 File maps_poly.mlw: Line 22: Normal execution of function `set` with args: f = [|0 -> 6; _ -> 5|] x = 0 v = 3 Line 23: Normal execution of function `(!)` with args: r = {contents= [|0 -> [|0 -> 6; _ -> 5|]; 1 -> [|1 -> 3; _ -> 2|]; _ -> [|; _ -> 4|]|]} File ref.mlw: Line 18: Normal execution of function `contents` with args: arg = {contents= [|0 -> [|0 -> 6; _ -> 5|]; 1 -> [|1 -> 3; _ -> 2|]; _ -> [|; _ -> 4|]|]} File maps_poly.mlw: Line 23: Normal execution of function `set` with args: f = [|0 -> [|0 -> 6; _ -> 5|]; 1 -> [|1 -> 3; _ -> 2|]; _ -> [|; _ -> 4|]|] x = 0 v = (fun y -> if pure { if y = x then True else False } then v else f y) with f = [|0 -> 6; _ -> 5|], x = 0, v = 3 Normal execution of function `(:=)` with args: r = {contents= [|0 -> [|0 -> 6; _ -> 5|]; 1 -> [|1 -> 3; _ -> 2|]; _ -> [|; _ -> 4|]|]} v = (fun y -> if pure { if y = x then True else False } then v else f y) with f = [|0 -> [|0 -> 6; _ -> 5|]; 1 -> [|1 -> 3; _ -> 2|]; _ -> [|; _ -> 4|]|], x = 0, v = (fun y -> if pure { if y = x then True else False } then v else f y) with f = [| 0 -> 6; _ -> 5|], x = 0, v = 3 Line 19: Property failure at postcondition of `test_map_multidim2` with: x = {contents= (fun y -> if pure { if y = x then True else False } then v else f y) with f = [|0 -> [|0 -> 6; _ -> 5|]; 1 -> [|1 -> 3; _ -> 2|]; _ -> [|; _ -> 4|]|], x = 0, v = (fun y -> if pure { if y = x then True else False } then v else f y) with f = [| 0 -> 6; _ -> 5|], x = 0, v = 3} Categorizations of models: - Selected model 0: NC - Concrete RAC: FAILURE (postcondition at "bench/check-ce/maps_poly.mlw", line 26, characters 14-28) - Abstract RAC: FAILURE (postcondition at "bench/check-ce/maps_poly.mlw", line 26, characters 14-28) - Checked model 1: NC - Concrete RAC: FAILURE (postcondition at "bench/check-ce/maps_poly.mlw", line 26, characters 14-28) - Abstract RAC: FAILURE (postcondition at "bench/check-ce/maps_poly.mlw", line 26, characters 14-28) File "bench/check-ce/maps_poly.mlw", line 26, characters 14-28: Sub-goal Postcondition of goal proj_map_test1'vc. Prover result is: Unknown or time/memory/step limit. The program does not comply to the verification goal, for example during the following execution: File int.mlw: Line 13: Constant zero initialization zero = 0 Line 14: Constant one initialization one = 1 File maps_poly.mlw: Line 25: x = {contents= [|1 -> 3; _ -> 2|]} x = {contents= [|1 -> 3; _ -> 2|]} Execution of main function `proj_map_test1` with env: x = {contents= [|1 -> 3; _ -> 2|]} zero = 0 one = 1 Line 28: Normal execution of function `(!)` with args: r = {contents= [|1 -> 3; _ -> 2|]} File ref.mlw: Line 18: Normal execution of function `contents` with args: arg = {contents= [|1 -> 3; _ -> 2|]} File maps_poly.mlw: Line 28: Normal execution of function `set` with args: f = [|1 -> 3; _ -> 2|] x = 0 v = 3 Normal execution of function `(:=)` with args: r = {contents= [|1 -> 3; _ -> 2|]} v = (fun y -> if pure { if y = x then True else False } then v else f y) with f = [|1 -> 3; _ -> 2|], x = 0, v = 3 Line 26: Property failure at postcondition of `proj_map_test1` with: x = {contents= (fun y -> if pure { if y = x then True else False } then v else f y) with f = [|1 -> 3; _ -> 2|], x = 0, v = 3} Categorizations of models: - Selected model 0: NC - Concrete RAC: FAILURE (postcondition at "bench/check-ce/maps_poly.mlw", line 31, characters 14-28) - Abstract RAC: FAILURE (postcondition at "bench/check-ce/maps_poly.mlw", line 31, characters 14-28) - Checked model 1: NC - Concrete RAC: FAILURE (postcondition at "bench/check-ce/maps_poly.mlw", line 31, characters 14-28) - Abstract RAC: FAILURE (postcondition at "bench/check-ce/maps_poly.mlw", line 31, characters 14-28) File "bench/check-ce/maps_poly.mlw", line 31, characters 14-28: Sub-goal Postcondition of goal proj_map_test2'vc. Prover result is: Unknown or time/memory/step limit. The program does not comply to the verification goal, for example during the following execution: File int.mlw: Line 13: Constant zero initialization zero = 0 Line 14: Constant one initialization one = 1 File maps_poly.mlw: Line 30: x = {contents= [|1 -> true; _ -> false|]} x = {contents= [|1 -> true; _ -> false|]} Execution of main function `proj_map_test2` with env: x = {contents= [|1 -> true; _ -> false|]} zero = 0 one = 1 Line 33: Normal execution of function `True` with args: Normal execution of function `(!)` with args: r = {contents= [|1 -> true; _ -> false|]} File ref.mlw: Line 18: Normal execution of function `contents` with args: arg = {contents= [|1 -> true; _ -> false|]} File maps_poly.mlw: Line 33: Normal execution of function `set` with args: f = [|1 -> true; _ -> false|] x = 0 v = true Normal execution of function `(:=)` with args: r = {contents= [|1 -> true; _ -> false|]} v = (fun y -> if pure { if y = x then True else False } then v else f y) with f = [|1 -> true; _ -> false|], x = 0, v = true Line 31: Property failure at postcondition of `proj_map_test2` with: x = {contents= (fun y -> if pure { if y = x then True else False } then v else f y) with f = [|1 -> true; _ -> false|], x = 0, v = true} Categorizations of models: - Selected model 0: NC - Concrete RAC: FAILURE (postcondition at "bench/check-ce/maps_poly.mlw", line 42, characters 3-31) - Abstract RAC: FAILURE (postcondition at "bench/check-ce/maps_poly.mlw", line 42, characters 3-31) - Checked model 1: NC - Concrete RAC: FAILURE (postcondition at "bench/check-ce/maps_poly.mlw", line 42, characters 3-31) - Abstract RAC: FAILURE (postcondition at "bench/check-ce/maps_poly.mlw", line 42, characters 3-31) File "bench/check-ce/maps_poly.mlw", line 42, characters 3-31: Goal t1. Prover result is: Unknown (sat). The program does not comply to the verification goal, for example during the following execution: File maps_poly.mlw: Line 41: t = [|0 -> 3; _ -> 2|] i = 0 t = [|0 -> 3; _ -> 2|] i = 0 Execution of main function `t1'goal` with env: i = 0 t = [|0 -> 3; _ -> 2|] Unknown location: Normal execution of function `Tuple0` with args: File maps_poly.mlw: Line 42: Property failure at postcondition of `t1'goal` with: i = 0 t = [|0 -> 3; _ -> 2|] Categorizations of models: - Checked model 0: INCOMPLETE - Concrete RAC: INCOMPLETE (terminated because cannot import value from model: not implemented for value 1/10) - Abstract RAC: INCOMPLETE (terminated because cannot import value from model: not implemented for value 1/10) - Selected model 1: INCOMPLETE - Concrete RAC: INCOMPLETE (terminated because cannot import value from model: not implemented for value 1/10) - Abstract RAC: INCOMPLETE (terminated because cannot import value from model: not implemented for value 1/10) File "bench/check-ce/maps_poly.mlw", line 50, characters 36-64: Goal g. Prover result is: Unknown (sat). The following counterexample model could not be verified (both RAC terminated because cannot import value from model: not implemented for value 1/10): File maps_poly.mlw: Line 50: m = (1/5 => 3.0, 1/10 => 2.0, others => 2.0) why3-1.6.0/bench/check-ce/oracles/multifile1_CVC4,1.8_SP.oracle000066400000000000000000000023641440160026300235100ustar00rootroot00000000000000File "bench/check-ce/multifile1.mlw", line 6, characters 14-24: Sub-goal Postcondition of goal decr'vc. Prover result is: Valid. Categorizations of models: - Selected model 0: SW - Concrete RAC: NORMAL - Abstract RAC: FAILURE (postcondition at "bench/check-ce/multifile1.mlw", line 10, characters 14-24) - Checked model 1: SW - Concrete RAC: NORMAL - Abstract RAC: FAILURE (postcondition at "bench/check-ce/multifile1.mlw", line 10, characters 14-24) File "bench/check-ce/multifile1.mlw", line 10, characters 14-24: Sub-goal Postcondition of goal incr'vc. Prover result is: Unknown (sat). The contracts of some function or loop are too weak, for example during the following execution: File int.mlw: Line 13: Constant zero initialization zero = 0 Line 14: Constant one initialization one = 1 File multifile1.mlw: Line 9: x = 0 x = 0 Execution of main function `incr` with env: x = 0 zero = 0 one = 1 Line 11: Giant-step execution of function `decr` with args: x = 0 result of `decr` = (- 2) Normal execution of function `(+)` with args: _ = (- 2) _ = 2 Line 10: Property failure at postcondition of `incr` with: x = 0 result = 0 why3-1.6.0/bench/check-ce/oracles/multifile1_CVC4,1.8_WP.oracle000066400000000000000000000023641440160026300235140ustar00rootroot00000000000000File "bench/check-ce/multifile1.mlw", line 6, characters 14-24: Sub-goal Postcondition of goal decr'vc. Prover result is: Valid. Categorizations of models: - Selected model 0: SW - Concrete RAC: NORMAL - Abstract RAC: FAILURE (postcondition at "bench/check-ce/multifile1.mlw", line 10, characters 14-24) - Checked model 1: SW - Concrete RAC: NORMAL - Abstract RAC: FAILURE (postcondition at "bench/check-ce/multifile1.mlw", line 10, characters 14-24) File "bench/check-ce/multifile1.mlw", line 10, characters 14-24: Sub-goal Postcondition of goal incr'vc. Prover result is: Unknown (sat). The contracts of some function or loop are too weak, for example during the following execution: File int.mlw: Line 13: Constant zero initialization zero = 0 Line 14: Constant one initialization one = 1 File multifile1.mlw: Line 9: x = 0 x = 0 Execution of main function `incr` with env: x = 0 zero = 0 one = 1 Line 11: Giant-step execution of function `decr` with args: x = 0 result of `decr` = (- 2) Normal execution of function `(+)` with args: _ = (- 2) _ = 2 Line 10: Property failure at postcondition of `incr` with: x = 0 result = 0 why3-1.6.0/bench/check-ce/oracles/multifile1_CVC5,1.0.0_SP.oracle000066400000000000000000000023641440160026300236370ustar00rootroot00000000000000File "bench/check-ce/multifile1.mlw", line 6, characters 14-24: Sub-goal Postcondition of goal decr'vc. Prover result is: Valid. Categorizations of models: - Selected model 0: SW - Concrete RAC: NORMAL - Abstract RAC: FAILURE (postcondition at "bench/check-ce/multifile1.mlw", line 10, characters 14-24) - Checked model 1: SW - Concrete RAC: NORMAL - Abstract RAC: FAILURE (postcondition at "bench/check-ce/multifile1.mlw", line 10, characters 14-24) File "bench/check-ce/multifile1.mlw", line 10, characters 14-24: Sub-goal Postcondition of goal incr'vc. Prover result is: Unknown (sat). The contracts of some function or loop are too weak, for example during the following execution: File int.mlw: Line 13: Constant zero initialization zero = 0 Line 14: Constant one initialization one = 1 File multifile1.mlw: Line 9: x = 0 x = 0 Execution of main function `incr` with env: x = 0 zero = 0 one = 1 Line 11: Giant-step execution of function `decr` with args: x = 0 result of `decr` = (- 2) Normal execution of function `(+)` with args: _ = (- 2) _ = 2 Line 10: Property failure at postcondition of `incr` with: x = 0 result = 0 why3-1.6.0/bench/check-ce/oracles/multifile1_CVC5,1.0.0_WP.oracle000066400000000000000000000023641440160026300236430ustar00rootroot00000000000000File "bench/check-ce/multifile1.mlw", line 6, characters 14-24: Sub-goal Postcondition of goal decr'vc. Prover result is: Valid. Categorizations of models: - Selected model 0: SW - Concrete RAC: NORMAL - Abstract RAC: FAILURE (postcondition at "bench/check-ce/multifile1.mlw", line 10, characters 14-24) - Checked model 1: SW - Concrete RAC: NORMAL - Abstract RAC: FAILURE (postcondition at "bench/check-ce/multifile1.mlw", line 10, characters 14-24) File "bench/check-ce/multifile1.mlw", line 10, characters 14-24: Sub-goal Postcondition of goal incr'vc. Prover result is: Unknown (sat). The contracts of some function or loop are too weak, for example during the following execution: File int.mlw: Line 13: Constant zero initialization zero = 0 Line 14: Constant one initialization one = 1 File multifile1.mlw: Line 9: x = 0 x = 0 Execution of main function `incr` with env: x = 0 zero = 0 one = 1 Line 11: Giant-step execution of function `decr` with args: x = 0 result of `decr` = (- 2) Normal execution of function `(+)` with args: _ = (- 2) _ = 2 Line 10: Property failure at postcondition of `incr` with: x = 0 result = 0 why3-1.6.0/bench/check-ce/oracles/multifile1_Z3,4.8.10_SP.oracle000066400000000000000000000023641440160026300235270ustar00rootroot00000000000000File "bench/check-ce/multifile1.mlw", line 6, characters 14-24: Sub-goal Postcondition of goal decr'vc. Prover result is: Valid. Categorizations of models: - Selected model 0: SW - Concrete RAC: NORMAL - Abstract RAC: FAILURE (postcondition at "bench/check-ce/multifile1.mlw", line 10, characters 14-24) - Checked model 1: SW - Concrete RAC: NORMAL - Abstract RAC: FAILURE (postcondition at "bench/check-ce/multifile1.mlw", line 10, characters 14-24) File "bench/check-ce/multifile1.mlw", line 10, characters 14-24: Sub-goal Postcondition of goal incr'vc. Prover result is: Unknown (sat). The contracts of some function or loop are too weak, for example during the following execution: File int.mlw: Line 13: Constant zero initialization zero = 0 Line 14: Constant one initialization one = 1 File multifile1.mlw: Line 9: x = 0 x = 0 Execution of main function `incr` with env: x = 0 zero = 0 one = 1 Line 11: Giant-step execution of function `decr` with args: x = 0 result of `decr` = (- 2) Normal execution of function `(+)` with args: _ = (- 2) _ = 2 Line 10: Property failure at postcondition of `incr` with: x = 0 result = 0 why3-1.6.0/bench/check-ce/oracles/multifile1_Z3,4.8.10_WP.oracle000066400000000000000000000023641440160026300235330ustar00rootroot00000000000000File "bench/check-ce/multifile1.mlw", line 6, characters 14-24: Sub-goal Postcondition of goal decr'vc. Prover result is: Valid. Categorizations of models: - Selected model 0: SW - Concrete RAC: NORMAL - Abstract RAC: FAILURE (postcondition at "bench/check-ce/multifile1.mlw", line 10, characters 14-24) - Checked model 1: SW - Concrete RAC: NORMAL - Abstract RAC: FAILURE (postcondition at "bench/check-ce/multifile1.mlw", line 10, characters 14-24) File "bench/check-ce/multifile1.mlw", line 10, characters 14-24: Sub-goal Postcondition of goal incr'vc. Prover result is: Unknown (sat). The contracts of some function or loop are too weak, for example during the following execution: File int.mlw: Line 13: Constant zero initialization zero = 0 Line 14: Constant one initialization one = 1 File multifile1.mlw: Line 9: x = 0 x = 0 Execution of main function `incr` with env: x = 0 zero = 0 one = 1 Line 11: Giant-step execution of function `decr` with args: x = 0 result of `decr` = (- 2) Normal execution of function `(+)` with args: _ = (- 2) _ = 2 Line 10: Property failure at postcondition of `incr` with: x = 0 result = 0 why3-1.6.0/bench/check-ce/oracles/multifile1_Z3,4.8.4_SP.oracle000066400000000000000000000211161440160026300234460ustar00rootroot00000000000000File "bench/check-ce/multifile1.mlw", line 6, characters 14-24: Sub-goal Postcondition of goal decr'vc. Prover result is: Valid (0.02s, 26 steps). Check model 0 ("bench/check-ce/multifile1.mlw", line 10, characters 14-24) Checking model: File multifile1.mlw: Line 6: x = {"type": "Integer", "val": "2"} Line 9: x = {"type": "Integer", "val": "2"} Line 10: result = {"type": "Integer", "val": "0"} x = {"type": "Integer", "val": "2"} Line 11: result = {"type": "Integer", "val": "2"} result = {"type": "Integer", "val": "0"} Giant-step RAC RHS evaluated for global `zero` at "WHY3DATA/stdlib/int.mlw", line 13, characters 15-19: 0 RHS evaluated for global `one` at "WHY3DATA/stdlib/int.mlw", line 14, characters 15-18: 1 Value from model for parameter `x` at "bench/check-ce/multifile1.mlw", line 9, characters 12-13: 2 Value from model for return value of call to decr at "bench/check-ce/multifile1.mlw", line 11, characters 4-10 at "bench/check-ce/multifile1.mlw", line 11, characters 4-10: 0 Normal RAC RHS evaluated for global `zero` at "WHY3DATA/stdlib/int.mlw", line 13, characters 15-19: 0 RHS evaluated for global `one` at "WHY3DATA/stdlib/int.mlw", line 14, characters 15-18: 1 Value from model for parameter `x` at "bench/check-ce/multifile1.mlw", line 9, characters 12-13: 2 Result of checking model 0: SW - Concrete RAC: NORMAL File int.mlw: Line 13: Constant zero initialization zero = 0 Line 14: Constant one initialization one = 1 File multifile1.mlw: Line 9: x = 2 x = 2 Execution of main function `incr` with env: x = 2 zero = 0 one = 1 Line 11: Normal execution of function `decr` with args: x = 2 Line 7: Normal execution of function `(-)` with args: x = 2 y = 1 File int.mlw: Line 23: Normal execution of function `(-_)` with args: _ = 1 Normal execution of function `(+)` with args: _ = 2 _ = (-1) File multifile1.mlw: Line 11: Normal execution of function `(+)` with args: _ = 1 _ = 2 Line 9: Execution of main function terminated normally - Abstract RAC: FAILURE (postcondition at "bench/check-ce/multifile1.mlw", line 10, characters 14-24) File int.mlw: Line 13: Constant zero initialization zero = 0 Line 14: Constant one initialization one = 1 File multifile1.mlw: Line 9: x = 2 x = 2 Execution of main function `incr` with env: x = 2 zero = 0 one = 1 Line 11: Giant-step execution of function `decr` with args: x = 2 result of `decr` = 0 Normal execution of function `(+)` with args: _ = 0 _ = 2 Line 10: Property failure at postcondition of `incr` with: x = 2 result = 2 Check model 1 ("bench/check-ce/multifile1.mlw", line 10, characters 14-24) Checking model: File multifile1.mlw: Line 6: x = {"type": "Integer", "val": "2"} Line 9: x = {"type": "Integer", "val": "2"} Line 10: result = {"type": "Integer", "val": "0"} x = {"type": "Integer", "val": "2"} Line 11: result = {"type": "Integer", "val": "2"} result = {"type": "Integer", "val": "0"} Giant-step RAC RHS evaluated for global `zero` at "WHY3DATA/stdlib/int.mlw", line 13, characters 15-19: 0 RHS evaluated for global `one` at "WHY3DATA/stdlib/int.mlw", line 14, characters 15-18: 1 Value from model for parameter `x` at "bench/check-ce/multifile1.mlw", line 9, characters 12-13: 2 Value from model for return value of call to decr at "bench/check-ce/multifile1.mlw", line 11, characters 4-10 at "bench/check-ce/multifile1.mlw", line 11, characters 4-10: 0 Normal RAC RHS evaluated for global `zero` at "WHY3DATA/stdlib/int.mlw", line 13, characters 15-19: 0 RHS evaluated for global `one` at "WHY3DATA/stdlib/int.mlw", line 14, characters 15-18: 1 Value from model for parameter `x` at "bench/check-ce/multifile1.mlw", line 9, characters 12-13: 2 Result of checking model 1: SW - Concrete RAC: NORMAL File int.mlw: Line 13: Constant zero initialization zero = 0 Line 14: Constant one initialization one = 1 File multifile1.mlw: Line 9: x = 2 x = 2 Execution of main function `incr` with env: x = 2 zero = 0 one = 1 Line 11: Normal execution of function `decr` with args: x = 2 Line 7: Normal execution of function `(-)` with args: x = 2 y = 1 File int.mlw: Line 23: Normal execution of function `(-_)` with args: _ = 1 Normal execution of function `(+)` with args: _ = 2 _ = (-1) File multifile1.mlw: Line 11: Normal execution of function `(+)` with args: _ = 1 _ = 2 Line 9: Execution of main function terminated normally - Abstract RAC: FAILURE (postcondition at "bench/check-ce/multifile1.mlw", line 10, characters 14-24) File int.mlw: Line 13: Constant zero initialization zero = 0 Line 14: Constant one initialization one = 1 File multifile1.mlw: Line 9: x = 2 x = 2 Execution of main function `incr` with env: x = 2 zero = 0 one = 1 Line 11: Giant-step execution of function `decr` with args: x = 2 result of `decr` = 0 Normal execution of function `(+)` with args: _ = 0 _ = 2 Line 10: Property failure at postcondition of `incr` with: x = 2 result = 2 Results: - Selected model 0: SW - Concrete RAC: NORMAL - Abstract RAC: FAILURE (postcondition at "bench/check-ce/multifile1.mlw", line 10, characters 14-24) - Checked model 1: SW - Concrete RAC: NORMAL - Abstract RAC: FAILURE (postcondition at "bench/check-ce/multifile1.mlw", line 10, characters 14-24) File "bench/check-ce/multifile1.mlw", line 10, characters 14-24: Sub-goal Postcondition of goal incr'vc. Prover result is: Unknown (sat) (0.00s, 914 steps). The contracts of some function or loop are too weak, for example during the following execution: File int.mlw: Line 13: Constant zero initialization zero = 0 Line 14: Constant one initialization one = 1 File multifile1.mlw: Line 9: x = 2 x = 2 Execution of main function `incr` with env: x = 2 zero = 0 one = 1 Line 11: Giant-step execution of function `decr` with args: x = 2 result of `decr` = 0 Normal execution of function `(+)` with args: _ = 0 _ = 2 Line 10: Property failure at postcondition of `incr` with: x = 2 result = 2 why3-1.6.0/bench/check-ce/oracles/multifile1_Z3,4.8.4_WP.oracle000066400000000000000000000211161440160026300234520ustar00rootroot00000000000000File "bench/check-ce/multifile1.mlw", line 6, characters 14-24: Sub-goal Postcondition of goal decr'vc. Prover result is: Valid (0.01s, 26 steps). Check model 0 ("bench/check-ce/multifile1.mlw", line 10, characters 14-24) Checking model: File multifile1.mlw: Line 6: x = {"type": "Integer", "val": "2"} Line 9: x = {"type": "Integer", "val": "2"} Line 10: result = {"type": "Integer", "val": "0"} x = {"type": "Integer", "val": "2"} Line 11: result = {"type": "Integer", "val": "2"} result = {"type": "Integer", "val": "0"} Giant-step RAC RHS evaluated for global `zero` at "WHY3DATA/stdlib/int.mlw", line 13, characters 15-19: 0 RHS evaluated for global `one` at "WHY3DATA/stdlib/int.mlw", line 14, characters 15-18: 1 Value from model for parameter `x` at "bench/check-ce/multifile1.mlw", line 9, characters 12-13: 2 Value from model for return value of call to decr at "bench/check-ce/multifile1.mlw", line 11, characters 4-10 at "bench/check-ce/multifile1.mlw", line 11, characters 4-10: 0 Normal RAC RHS evaluated for global `zero` at "WHY3DATA/stdlib/int.mlw", line 13, characters 15-19: 0 RHS evaluated for global `one` at "WHY3DATA/stdlib/int.mlw", line 14, characters 15-18: 1 Value from model for parameter `x` at "bench/check-ce/multifile1.mlw", line 9, characters 12-13: 2 Result of checking model 0: SW - Concrete RAC: NORMAL File int.mlw: Line 13: Constant zero initialization zero = 0 Line 14: Constant one initialization one = 1 File multifile1.mlw: Line 9: x = 2 x = 2 Execution of main function `incr` with env: x = 2 zero = 0 one = 1 Line 11: Normal execution of function `decr` with args: x = 2 Line 7: Normal execution of function `(-)` with args: x = 2 y = 1 File int.mlw: Line 23: Normal execution of function `(-_)` with args: _ = 1 Normal execution of function `(+)` with args: _ = 2 _ = (-1) File multifile1.mlw: Line 11: Normal execution of function `(+)` with args: _ = 1 _ = 2 Line 9: Execution of main function terminated normally - Abstract RAC: FAILURE (postcondition at "bench/check-ce/multifile1.mlw", line 10, characters 14-24) File int.mlw: Line 13: Constant zero initialization zero = 0 Line 14: Constant one initialization one = 1 File multifile1.mlw: Line 9: x = 2 x = 2 Execution of main function `incr` with env: x = 2 zero = 0 one = 1 Line 11: Giant-step execution of function `decr` with args: x = 2 result of `decr` = 0 Normal execution of function `(+)` with args: _ = 0 _ = 2 Line 10: Property failure at postcondition of `incr` with: x = 2 result = 2 Check model 1 ("bench/check-ce/multifile1.mlw", line 10, characters 14-24) Checking model: File multifile1.mlw: Line 6: x = {"type": "Integer", "val": "2"} Line 9: x = {"type": "Integer", "val": "2"} Line 10: result = {"type": "Integer", "val": "0"} x = {"type": "Integer", "val": "2"} Line 11: result = {"type": "Integer", "val": "2"} result = {"type": "Integer", "val": "0"} Giant-step RAC RHS evaluated for global `zero` at "WHY3DATA/stdlib/int.mlw", line 13, characters 15-19: 0 RHS evaluated for global `one` at "WHY3DATA/stdlib/int.mlw", line 14, characters 15-18: 1 Value from model for parameter `x` at "bench/check-ce/multifile1.mlw", line 9, characters 12-13: 2 Value from model for return value of call to decr at "bench/check-ce/multifile1.mlw", line 11, characters 4-10 at "bench/check-ce/multifile1.mlw", line 11, characters 4-10: 0 Normal RAC RHS evaluated for global `zero` at "WHY3DATA/stdlib/int.mlw", line 13, characters 15-19: 0 RHS evaluated for global `one` at "WHY3DATA/stdlib/int.mlw", line 14, characters 15-18: 1 Value from model for parameter `x` at "bench/check-ce/multifile1.mlw", line 9, characters 12-13: 2 Result of checking model 1: SW - Concrete RAC: NORMAL File int.mlw: Line 13: Constant zero initialization zero = 0 Line 14: Constant one initialization one = 1 File multifile1.mlw: Line 9: x = 2 x = 2 Execution of main function `incr` with env: x = 2 zero = 0 one = 1 Line 11: Normal execution of function `decr` with args: x = 2 Line 7: Normal execution of function `(-)` with args: x = 2 y = 1 File int.mlw: Line 23: Normal execution of function `(-_)` with args: _ = 1 Normal execution of function `(+)` with args: _ = 2 _ = (-1) File multifile1.mlw: Line 11: Normal execution of function `(+)` with args: _ = 1 _ = 2 Line 9: Execution of main function terminated normally - Abstract RAC: FAILURE (postcondition at "bench/check-ce/multifile1.mlw", line 10, characters 14-24) File int.mlw: Line 13: Constant zero initialization zero = 0 Line 14: Constant one initialization one = 1 File multifile1.mlw: Line 9: x = 2 x = 2 Execution of main function `incr` with env: x = 2 zero = 0 one = 1 Line 11: Giant-step execution of function `decr` with args: x = 2 result of `decr` = 0 Normal execution of function `(+)` with args: _ = 0 _ = 2 Line 10: Property failure at postcondition of `incr` with: x = 2 result = 2 Results: - Selected model 0: SW - Concrete RAC: NORMAL - Abstract RAC: FAILURE (postcondition at "bench/check-ce/multifile1.mlw", line 10, characters 14-24) - Checked model 1: SW - Concrete RAC: NORMAL - Abstract RAC: FAILURE (postcondition at "bench/check-ce/multifile1.mlw", line 10, characters 14-24) File "bench/check-ce/multifile1.mlw", line 10, characters 14-24: Sub-goal Postcondition of goal incr'vc. Prover result is: Unknown (sat) (0.02s, 914 steps). The contracts of some function or loop are too weak, for example during the following execution: File int.mlw: Line 13: Constant zero initialization zero = 0 Line 14: Constant one initialization one = 1 File multifile1.mlw: Line 9: x = 2 x = 2 Execution of main function `incr` with env: x = 2 zero = 0 one = 1 Line 11: Giant-step execution of function `decr` with args: x = 2 result of `decr` = 0 Normal execution of function `(+)` with args: _ = 0 _ = 2 Line 10: Property failure at postcondition of `incr` with: x = 2 result = 2 why3-1.6.0/bench/check-ce/oracles/multifile2_CVC4,1.8_SP.oracle000066400000000000000000000075121440160026300235110ustar00rootroot00000000000000Categorizations of models: - Selected model 0: SW - Concrete RAC: NORMAL - Abstract RAC: FAILURE (postcondition at "bench/check-ce/multifile2.mlw", line 8, characters 12-26) - Checked model 1: SW - Concrete RAC: NORMAL - Abstract RAC: FAILURE (postcondition at "bench/check-ce/multifile2.mlw", line 8, characters 12-26) File "bench/check-ce/multifile2.mlw", line 8, characters 12-26: Sub-goal Postcondition of goal f'vc. Prover result is: Unknown (sat). The contracts of some function or loop are too weak, for example during the following execution: File int.mlw: Line 13: Constant zero initialization zero = 0 Line 14: Constant one initialization one = 1 File multifile2.mlw: Line 7: x = 0 x = 0 Execution of main function `f` with env: x = 0 zero = 0 one = 1 Line 9: Giant-step execution of function `incr` with args: x = 0 result of `incr` = 2 Line 8: Property failure at postcondition of `f` with: x = 0 result = 2 Categorizations of models: - Selected model 0: NC - Concrete RAC: FAILURE (postcondition at "bench/check-ce/multifile2.mlw", line 13, characters 12-26) - Abstract RAC: FAILURE (postcondition at "bench/check-ce/multifile2.mlw", line 13, characters 12-26) - Checked model 1: NC - Concrete RAC: FAILURE (postcondition at "bench/check-ce/multifile2.mlw", line 13, characters 12-26) - Abstract RAC: FAILURE (postcondition at "bench/check-ce/multifile2.mlw", line 13, characters 12-26) File "bench/check-ce/multifile2.mlw", line 13, characters 12-26: Sub-goal Postcondition of goal g'vc. Prover result is: Unknown (sat). The program does not comply to the verification goal, for example during the following execution: File int.mlw: Line 13: Constant zero initialization zero = 0 Line 14: Constant one initialization one = 1 File multifile2.mlw: Line 12: x = 0 x = 0 Execution of main function `g` with env: x = 0 zero = 0 one = 1 Line 14: Normal execution of function `incr` with args: x = 0 File multifile1.mlw: Line 11: Normal execution of function `decr` with args: x = 0 Line 7: Normal execution of function `(-)` with args: x = 0 y = 1 File int.mlw: Line 23: Normal execution of function `(-_)` with args: _ = 1 Normal execution of function `(+)` with args: _ = 0 _ = (-1) File multifile1.mlw: Line 11: Normal execution of function `(+)` with args: _ = (-1) _ = 2 File multifile2.mlw: Line 13: Property failure at postcondition of `g` with: x = 0 result = 1 Categorizations of models: - Selected model 0: NC - Concrete RAC: FAILURE (postcondition at "bench/check-ce/multifile2.mlw", line 18, characters 12-26) - Abstract RAC: FAILURE (postcondition at "bench/check-ce/multifile2.mlw", line 18, characters 12-26) - Checked model 1: NC - Concrete RAC: FAILURE (postcondition at "bench/check-ce/multifile2.mlw", line 18, characters 12-26) - Abstract RAC: FAILURE (postcondition at "bench/check-ce/multifile2.mlw", line 18, characters 12-26) File "bench/check-ce/multifile2.mlw", line 18, characters 12-26: Sub-goal Postcondition of goal h'vc. Prover result is: Unknown (sat). The program does not comply to the verification goal, for example during the following execution: File int.mlw: Line 13: Constant zero initialization zero = 0 Line 14: Constant one initialization one = 1 File multifile2.mlw: Line 17: x = 0 x = 0 Execution of main function `h` with env: x = 0 zero = 0 one = 1 Line 19: (giant-step) execution of unimplemented function `incr_val` x = 0 result of `incr_val` = 1 Line 18: Property failure at postcondition of `h` with: x = 0 result = 1 why3-1.6.0/bench/check-ce/oracles/multifile2_CVC4,1.8_WP.oracle000066400000000000000000000075121440160026300235150ustar00rootroot00000000000000Categorizations of models: - Selected model 0: SW - Concrete RAC: NORMAL - Abstract RAC: FAILURE (postcondition at "bench/check-ce/multifile2.mlw", line 8, characters 12-26) - Checked model 1: SW - Concrete RAC: NORMAL - Abstract RAC: FAILURE (postcondition at "bench/check-ce/multifile2.mlw", line 8, characters 12-26) File "bench/check-ce/multifile2.mlw", line 8, characters 12-26: Sub-goal Postcondition of goal f'vc. Prover result is: Unknown (sat). The contracts of some function or loop are too weak, for example during the following execution: File int.mlw: Line 13: Constant zero initialization zero = 0 Line 14: Constant one initialization one = 1 File multifile2.mlw: Line 7: x = 0 x = 0 Execution of main function `f` with env: x = 0 zero = 0 one = 1 Line 9: Giant-step execution of function `incr` with args: x = 0 result of `incr` = 2 Line 8: Property failure at postcondition of `f` with: x = 0 result = 2 Categorizations of models: - Selected model 0: NC - Concrete RAC: FAILURE (postcondition at "bench/check-ce/multifile2.mlw", line 13, characters 12-26) - Abstract RAC: FAILURE (postcondition at "bench/check-ce/multifile2.mlw", line 13, characters 12-26) - Checked model 1: NC - Concrete RAC: FAILURE (postcondition at "bench/check-ce/multifile2.mlw", line 13, characters 12-26) - Abstract RAC: FAILURE (postcondition at "bench/check-ce/multifile2.mlw", line 13, characters 12-26) File "bench/check-ce/multifile2.mlw", line 13, characters 12-26: Sub-goal Postcondition of goal g'vc. Prover result is: Unknown (sat). The program does not comply to the verification goal, for example during the following execution: File int.mlw: Line 13: Constant zero initialization zero = 0 Line 14: Constant one initialization one = 1 File multifile2.mlw: Line 12: x = 0 x = 0 Execution of main function `g` with env: x = 0 zero = 0 one = 1 Line 14: Normal execution of function `incr` with args: x = 0 File multifile1.mlw: Line 11: Normal execution of function `decr` with args: x = 0 Line 7: Normal execution of function `(-)` with args: x = 0 y = 1 File int.mlw: Line 23: Normal execution of function `(-_)` with args: _ = 1 Normal execution of function `(+)` with args: _ = 0 _ = (-1) File multifile1.mlw: Line 11: Normal execution of function `(+)` with args: _ = (-1) _ = 2 File multifile2.mlw: Line 13: Property failure at postcondition of `g` with: x = 0 result = 1 Categorizations of models: - Selected model 0: NC - Concrete RAC: FAILURE (postcondition at "bench/check-ce/multifile2.mlw", line 18, characters 12-26) - Abstract RAC: FAILURE (postcondition at "bench/check-ce/multifile2.mlw", line 18, characters 12-26) - Checked model 1: NC - Concrete RAC: FAILURE (postcondition at "bench/check-ce/multifile2.mlw", line 18, characters 12-26) - Abstract RAC: FAILURE (postcondition at "bench/check-ce/multifile2.mlw", line 18, characters 12-26) File "bench/check-ce/multifile2.mlw", line 18, characters 12-26: Sub-goal Postcondition of goal h'vc. Prover result is: Unknown (sat). The program does not comply to the verification goal, for example during the following execution: File int.mlw: Line 13: Constant zero initialization zero = 0 Line 14: Constant one initialization one = 1 File multifile2.mlw: Line 17: x = 0 x = 0 Execution of main function `h` with env: x = 0 zero = 0 one = 1 Line 19: (giant-step) execution of unimplemented function `incr_val` x = 0 result of `incr_val` = 1 Line 18: Property failure at postcondition of `h` with: x = 0 result = 1 why3-1.6.0/bench/check-ce/oracles/multifile2_CVC5,1.0.0_SP.oracle000066400000000000000000000075121440160026300236400ustar00rootroot00000000000000Categorizations of models: - Selected model 0: SW - Concrete RAC: NORMAL - Abstract RAC: FAILURE (postcondition at "bench/check-ce/multifile2.mlw", line 8, characters 12-26) - Checked model 1: SW - Concrete RAC: NORMAL - Abstract RAC: FAILURE (postcondition at "bench/check-ce/multifile2.mlw", line 8, characters 12-26) File "bench/check-ce/multifile2.mlw", line 8, characters 12-26: Sub-goal Postcondition of goal f'vc. Prover result is: Unknown (sat). The contracts of some function or loop are too weak, for example during the following execution: File int.mlw: Line 13: Constant zero initialization zero = 0 Line 14: Constant one initialization one = 1 File multifile2.mlw: Line 7: x = 0 x = 0 Execution of main function `f` with env: x = 0 zero = 0 one = 1 Line 9: Giant-step execution of function `incr` with args: x = 0 result of `incr` = 2 Line 8: Property failure at postcondition of `f` with: x = 0 result = 2 Categorizations of models: - Selected model 0: NC - Concrete RAC: FAILURE (postcondition at "bench/check-ce/multifile2.mlw", line 13, characters 12-26) - Abstract RAC: FAILURE (postcondition at "bench/check-ce/multifile2.mlw", line 13, characters 12-26) - Checked model 1: NC - Concrete RAC: FAILURE (postcondition at "bench/check-ce/multifile2.mlw", line 13, characters 12-26) - Abstract RAC: FAILURE (postcondition at "bench/check-ce/multifile2.mlw", line 13, characters 12-26) File "bench/check-ce/multifile2.mlw", line 13, characters 12-26: Sub-goal Postcondition of goal g'vc. Prover result is: Unknown (sat). The program does not comply to the verification goal, for example during the following execution: File int.mlw: Line 13: Constant zero initialization zero = 0 Line 14: Constant one initialization one = 1 File multifile2.mlw: Line 12: x = 0 x = 0 Execution of main function `g` with env: x = 0 zero = 0 one = 1 Line 14: Normal execution of function `incr` with args: x = 0 File multifile1.mlw: Line 11: Normal execution of function `decr` with args: x = 0 Line 7: Normal execution of function `(-)` with args: x = 0 y = 1 File int.mlw: Line 23: Normal execution of function `(-_)` with args: _ = 1 Normal execution of function `(+)` with args: _ = 0 _ = (-1) File multifile1.mlw: Line 11: Normal execution of function `(+)` with args: _ = (-1) _ = 2 File multifile2.mlw: Line 13: Property failure at postcondition of `g` with: x = 0 result = 1 Categorizations of models: - Selected model 0: NC - Concrete RAC: FAILURE (postcondition at "bench/check-ce/multifile2.mlw", line 18, characters 12-26) - Abstract RAC: FAILURE (postcondition at "bench/check-ce/multifile2.mlw", line 18, characters 12-26) - Checked model 1: NC - Concrete RAC: FAILURE (postcondition at "bench/check-ce/multifile2.mlw", line 18, characters 12-26) - Abstract RAC: FAILURE (postcondition at "bench/check-ce/multifile2.mlw", line 18, characters 12-26) File "bench/check-ce/multifile2.mlw", line 18, characters 12-26: Sub-goal Postcondition of goal h'vc. Prover result is: Unknown (sat). The program does not comply to the verification goal, for example during the following execution: File int.mlw: Line 13: Constant zero initialization zero = 0 Line 14: Constant one initialization one = 1 File multifile2.mlw: Line 17: x = 0 x = 0 Execution of main function `h` with env: x = 0 zero = 0 one = 1 Line 19: (giant-step) execution of unimplemented function `incr_val` x = 0 result of `incr_val` = 1 Line 18: Property failure at postcondition of `h` with: x = 0 result = 1 why3-1.6.0/bench/check-ce/oracles/multifile2_CVC5,1.0.0_WP.oracle000066400000000000000000000075121440160026300236440ustar00rootroot00000000000000Categorizations of models: - Selected model 0: SW - Concrete RAC: NORMAL - Abstract RAC: FAILURE (postcondition at "bench/check-ce/multifile2.mlw", line 8, characters 12-26) - Checked model 1: SW - Concrete RAC: NORMAL - Abstract RAC: FAILURE (postcondition at "bench/check-ce/multifile2.mlw", line 8, characters 12-26) File "bench/check-ce/multifile2.mlw", line 8, characters 12-26: Sub-goal Postcondition of goal f'vc. Prover result is: Unknown (sat). The contracts of some function or loop are too weak, for example during the following execution: File int.mlw: Line 13: Constant zero initialization zero = 0 Line 14: Constant one initialization one = 1 File multifile2.mlw: Line 7: x = 0 x = 0 Execution of main function `f` with env: x = 0 zero = 0 one = 1 Line 9: Giant-step execution of function `incr` with args: x = 0 result of `incr` = 2 Line 8: Property failure at postcondition of `f` with: x = 0 result = 2 Categorizations of models: - Selected model 0: NC - Concrete RAC: FAILURE (postcondition at "bench/check-ce/multifile2.mlw", line 13, characters 12-26) - Abstract RAC: FAILURE (postcondition at "bench/check-ce/multifile2.mlw", line 13, characters 12-26) - Checked model 1: NC - Concrete RAC: FAILURE (postcondition at "bench/check-ce/multifile2.mlw", line 13, characters 12-26) - Abstract RAC: FAILURE (postcondition at "bench/check-ce/multifile2.mlw", line 13, characters 12-26) File "bench/check-ce/multifile2.mlw", line 13, characters 12-26: Sub-goal Postcondition of goal g'vc. Prover result is: Unknown (sat). The program does not comply to the verification goal, for example during the following execution: File int.mlw: Line 13: Constant zero initialization zero = 0 Line 14: Constant one initialization one = 1 File multifile2.mlw: Line 12: x = 0 x = 0 Execution of main function `g` with env: x = 0 zero = 0 one = 1 Line 14: Normal execution of function `incr` with args: x = 0 File multifile1.mlw: Line 11: Normal execution of function `decr` with args: x = 0 Line 7: Normal execution of function `(-)` with args: x = 0 y = 1 File int.mlw: Line 23: Normal execution of function `(-_)` with args: _ = 1 Normal execution of function `(+)` with args: _ = 0 _ = (-1) File multifile1.mlw: Line 11: Normal execution of function `(+)` with args: _ = (-1) _ = 2 File multifile2.mlw: Line 13: Property failure at postcondition of `g` with: x = 0 result = 1 Categorizations of models: - Selected model 0: NC - Concrete RAC: FAILURE (postcondition at "bench/check-ce/multifile2.mlw", line 18, characters 12-26) - Abstract RAC: FAILURE (postcondition at "bench/check-ce/multifile2.mlw", line 18, characters 12-26) - Checked model 1: NC - Concrete RAC: FAILURE (postcondition at "bench/check-ce/multifile2.mlw", line 18, characters 12-26) - Abstract RAC: FAILURE (postcondition at "bench/check-ce/multifile2.mlw", line 18, characters 12-26) File "bench/check-ce/multifile2.mlw", line 18, characters 12-26: Sub-goal Postcondition of goal h'vc. Prover result is: Unknown (sat). The program does not comply to the verification goal, for example during the following execution: File int.mlw: Line 13: Constant zero initialization zero = 0 Line 14: Constant one initialization one = 1 File multifile2.mlw: Line 17: x = 0 x = 0 Execution of main function `h` with env: x = 0 zero = 0 one = 1 Line 19: (giant-step) execution of unimplemented function `incr_val` x = 0 result of `incr_val` = 1 Line 18: Property failure at postcondition of `h` with: x = 0 result = 1 why3-1.6.0/bench/check-ce/oracles/multifile2_Z3,4.8.10_SP.oracle000066400000000000000000000076251440160026300235350ustar00rootroot00000000000000Categorizations of models: - Selected model 0: SW - Concrete RAC: NORMAL - Abstract RAC: FAILURE (postcondition at "bench/check-ce/multifile2.mlw", line 8, characters 12-26) - Checked model 1: SW - Concrete RAC: NORMAL - Abstract RAC: FAILURE (postcondition at "bench/check-ce/multifile2.mlw", line 8, characters 12-26) File "bench/check-ce/multifile2.mlw", line 8, characters 12-26: Sub-goal Postcondition of goal f'vc. Prover result is: Unknown (sat). The contracts of some function or loop are too weak, for example during the following execution: File int.mlw: Line 13: Constant zero initialization zero = 0 Line 14: Constant one initialization one = 1 File multifile2.mlw: Line 7: x = (- 2) x = (- 2) Execution of main function `f` with env: x = (- 2) zero = 0 one = 1 Line 9: Giant-step execution of function `incr` with args: x = (- 2) result of `incr` = 0 Line 8: Property failure at postcondition of `f` with: x = (- 2) result = 0 Categorizations of models: - Selected model 0: NC - Concrete RAC: FAILURE (postcondition at "bench/check-ce/multifile2.mlw", line 13, characters 12-26) - Abstract RAC: FAILURE (postcondition at "bench/check-ce/multifile2.mlw", line 13, characters 12-26) - Checked model 1: NC - Concrete RAC: FAILURE (postcondition at "bench/check-ce/multifile2.mlw", line 13, characters 12-26) - Abstract RAC: FAILURE (postcondition at "bench/check-ce/multifile2.mlw", line 13, characters 12-26) File "bench/check-ce/multifile2.mlw", line 13, characters 12-26: Sub-goal Postcondition of goal g'vc. Prover result is: Unknown (sat). The program does not comply to the verification goal, for example during the following execution: File int.mlw: Line 13: Constant zero initialization zero = 0 Line 14: Constant one initialization one = 1 File multifile2.mlw: Line 12: x = (- 3) x = (- 3) Execution of main function `g` with env: x = (- 3) zero = 0 one = 1 Line 14: Normal execution of function `incr` with args: x = (- 3) File multifile1.mlw: Line 11: Normal execution of function `decr` with args: x = (- 3) Line 7: Normal execution of function `(-)` with args: x = (- 3) y = 1 File int.mlw: Line 23: Normal execution of function `(-_)` with args: _ = 1 Normal execution of function `(+)` with args: _ = (- 3) _ = (-1) File multifile1.mlw: Line 11: Normal execution of function `(+)` with args: _ = (-4) _ = 2 File multifile2.mlw: Line 13: Property failure at postcondition of `g` with: x = (- 3) result = (-2) Categorizations of models: - Selected model 0: NC - Concrete RAC: FAILURE (postcondition at "bench/check-ce/multifile2.mlw", line 18, characters 12-26) - Abstract RAC: FAILURE (postcondition at "bench/check-ce/multifile2.mlw", line 18, characters 12-26) - Checked model 1: NC - Concrete RAC: FAILURE (postcondition at "bench/check-ce/multifile2.mlw", line 18, characters 12-26) - Abstract RAC: FAILURE (postcondition at "bench/check-ce/multifile2.mlw", line 18, characters 12-26) File "bench/check-ce/multifile2.mlw", line 18, characters 12-26: Sub-goal Postcondition of goal h'vc. Prover result is: Unknown (sat). The program does not comply to the verification goal, for example during the following execution: File int.mlw: Line 13: Constant zero initialization zero = 0 Line 14: Constant one initialization one = 1 File multifile2.mlw: Line 17: x = (- 3) x = (- 3) Execution of main function `h` with env: x = (- 3) zero = 0 one = 1 Line 19: (giant-step) execution of unimplemented function `incr_val` x = (- 3) result of `incr_val` = 0 Line 18: Property failure at postcondition of `h` with: x = (- 3) result = 0 why3-1.6.0/bench/check-ce/oracles/multifile2_Z3,4.8.10_WP.oracle000066400000000000000000000076251440160026300235410ustar00rootroot00000000000000Categorizations of models: - Selected model 0: SW - Concrete RAC: NORMAL - Abstract RAC: FAILURE (postcondition at "bench/check-ce/multifile2.mlw", line 8, characters 12-26) - Checked model 1: SW - Concrete RAC: NORMAL - Abstract RAC: FAILURE (postcondition at "bench/check-ce/multifile2.mlw", line 8, characters 12-26) File "bench/check-ce/multifile2.mlw", line 8, characters 12-26: Sub-goal Postcondition of goal f'vc. Prover result is: Unknown (sat). The contracts of some function or loop are too weak, for example during the following execution: File int.mlw: Line 13: Constant zero initialization zero = 0 Line 14: Constant one initialization one = 1 File multifile2.mlw: Line 7: x = (- 2) x = (- 2) Execution of main function `f` with env: x = (- 2) zero = 0 one = 1 Line 9: Giant-step execution of function `incr` with args: x = (- 2) result of `incr` = 0 Line 8: Property failure at postcondition of `f` with: x = (- 2) result = 0 Categorizations of models: - Selected model 0: NC - Concrete RAC: FAILURE (postcondition at "bench/check-ce/multifile2.mlw", line 13, characters 12-26) - Abstract RAC: FAILURE (postcondition at "bench/check-ce/multifile2.mlw", line 13, characters 12-26) - Checked model 1: NC - Concrete RAC: FAILURE (postcondition at "bench/check-ce/multifile2.mlw", line 13, characters 12-26) - Abstract RAC: FAILURE (postcondition at "bench/check-ce/multifile2.mlw", line 13, characters 12-26) File "bench/check-ce/multifile2.mlw", line 13, characters 12-26: Sub-goal Postcondition of goal g'vc. Prover result is: Unknown (sat). The program does not comply to the verification goal, for example during the following execution: File int.mlw: Line 13: Constant zero initialization zero = 0 Line 14: Constant one initialization one = 1 File multifile2.mlw: Line 12: x = (- 3) x = (- 3) Execution of main function `g` with env: x = (- 3) zero = 0 one = 1 Line 14: Normal execution of function `incr` with args: x = (- 3) File multifile1.mlw: Line 11: Normal execution of function `decr` with args: x = (- 3) Line 7: Normal execution of function `(-)` with args: x = (- 3) y = 1 File int.mlw: Line 23: Normal execution of function `(-_)` with args: _ = 1 Normal execution of function `(+)` with args: _ = (- 3) _ = (-1) File multifile1.mlw: Line 11: Normal execution of function `(+)` with args: _ = (-4) _ = 2 File multifile2.mlw: Line 13: Property failure at postcondition of `g` with: x = (- 3) result = (-2) Categorizations of models: - Selected model 0: NC - Concrete RAC: FAILURE (postcondition at "bench/check-ce/multifile2.mlw", line 18, characters 12-26) - Abstract RAC: FAILURE (postcondition at "bench/check-ce/multifile2.mlw", line 18, characters 12-26) - Checked model 1: NC - Concrete RAC: FAILURE (postcondition at "bench/check-ce/multifile2.mlw", line 18, characters 12-26) - Abstract RAC: FAILURE (postcondition at "bench/check-ce/multifile2.mlw", line 18, characters 12-26) File "bench/check-ce/multifile2.mlw", line 18, characters 12-26: Sub-goal Postcondition of goal h'vc. Prover result is: Unknown (sat). The program does not comply to the verification goal, for example during the following execution: File int.mlw: Line 13: Constant zero initialization zero = 0 Line 14: Constant one initialization one = 1 File multifile2.mlw: Line 17: x = (- 3) x = (- 3) Execution of main function `h` with env: x = (- 3) zero = 0 one = 1 Line 19: (giant-step) execution of unimplemented function `incr_val` x = (- 3) result of `incr_val` = 0 Line 18: Property failure at postcondition of `h` with: x = (- 3) result = 0 why3-1.6.0/bench/check-ce/oracles/multifile2_Z3,4.8.4_SP.oracle000066400000000000000000000646211440160026300234570ustar00rootroot00000000000000Check model 0 ("bench/check-ce/multifile2.mlw", line 8, characters 12-26) Checking model: File multifile2.mlw: Line 7: x = {"type": "Integer", "val": "-2"} Line 8: result = {"type": "Integer", "val": "0"} result = {"type": "Integer", "val": "0"} x = {"type": "Integer", "val": "-2"} Line 9: result = {"type": "Integer", "val": "0"} result = {"type": "Integer", "val": "0"} Giant-step RAC RHS evaluated for global `zero` at "WHY3DATA/stdlib/int.mlw", line 13, characters 15-19: 0 RHS evaluated for global `one` at "WHY3DATA/stdlib/int.mlw", line 14, characters 15-18: 1 Value from model for parameter `x` at "bench/check-ce/multifile2.mlw", line 7, characters 7-8: (-2) Value from model for return value of call to incr at "bench/check-ce/multifile2.mlw", line 9, characters 2-8 at "bench/check-ce/multifile2.mlw", line 9, characters 2-8: 0 Normal RAC RHS evaluated for global `zero` at "WHY3DATA/stdlib/int.mlw", line 13, characters 15-19: 0 RHS evaluated for global `one` at "WHY3DATA/stdlib/int.mlw", line 14, characters 15-18: 1 Value from model for parameter `x` at "bench/check-ce/multifile2.mlw", line 7, characters 7-8: (-2) Result of checking model 0: SW - Concrete RAC: NORMAL File int.mlw: Line 13: Constant zero initialization zero = 0 Line 14: Constant one initialization one = 1 File multifile2.mlw: Line 7: x = (-2) x = (-2) Execution of main function `f` with env: x = (-2) zero = 0 one = 1 Line 9: Normal execution of function `incr` with args: x = (-2) File multifile1.mlw: Line 11: Normal execution of function `decr` with args: x = (-2) Line 7: Normal execution of function `(-)` with args: x = (-2) y = 1 File int.mlw: Line 23: Normal execution of function `(-_)` with args: _ = 1 Normal execution of function `(+)` with args: _ = (-2) _ = (-1) File multifile1.mlw: Line 11: Normal execution of function `(+)` with args: _ = (-3) _ = 2 File multifile2.mlw: Line 7: Execution of main function terminated normally - Abstract RAC: FAILURE (postcondition at "bench/check-ce/multifile2.mlw", line 8, characters 12-26) File int.mlw: Line 13: Constant zero initialization zero = 0 Line 14: Constant one initialization one = 1 File multifile2.mlw: Line 7: x = (-2) x = (-2) Execution of main function `f` with env: x = (-2) zero = 0 one = 1 Line 9: Giant-step execution of function `incr` with args: x = (-2) result of `incr` = 0 Line 8: Property failure at postcondition of `f` with: x = (-2) result = 0 Check model 1 ("bench/check-ce/multifile2.mlw", line 8, characters 12-26) Checking model: File multifile2.mlw: Line 7: x = {"type": "Integer", "val": "-2"} Line 8: result = {"type": "Integer", "val": "0"} result = {"type": "Integer", "val": "0"} x = {"type": "Integer", "val": "-2"} Line 9: result = {"type": "Integer", "val": "0"} result = {"type": "Integer", "val": "0"} Giant-step RAC RHS evaluated for global `zero` at "WHY3DATA/stdlib/int.mlw", line 13, characters 15-19: 0 RHS evaluated for global `one` at "WHY3DATA/stdlib/int.mlw", line 14, characters 15-18: 1 Value from model for parameter `x` at "bench/check-ce/multifile2.mlw", line 7, characters 7-8: (-2) Value from model for return value of call to incr at "bench/check-ce/multifile2.mlw", line 9, characters 2-8 at "bench/check-ce/multifile2.mlw", line 9, characters 2-8: 0 Normal RAC RHS evaluated for global `zero` at "WHY3DATA/stdlib/int.mlw", line 13, characters 15-19: 0 RHS evaluated for global `one` at "WHY3DATA/stdlib/int.mlw", line 14, characters 15-18: 1 Value from model for parameter `x` at "bench/check-ce/multifile2.mlw", line 7, characters 7-8: (-2) Result of checking model 1: SW - Concrete RAC: NORMAL File int.mlw: Line 13: Constant zero initialization zero = 0 Line 14: Constant one initialization one = 1 File multifile2.mlw: Line 7: x = (-2) x = (-2) Execution of main function `f` with env: x = (-2) zero = 0 one = 1 Line 9: Normal execution of function `incr` with args: x = (-2) File multifile1.mlw: Line 11: Normal execution of function `decr` with args: x = (-2) Line 7: Normal execution of function `(-)` with args: x = (-2) y = 1 File int.mlw: Line 23: Normal execution of function `(-_)` with args: _ = 1 Normal execution of function `(+)` with args: _ = (-2) _ = (-1) File multifile1.mlw: Line 11: Normal execution of function `(+)` with args: _ = (-3) _ = 2 File multifile2.mlw: Line 7: Execution of main function terminated normally - Abstract RAC: FAILURE (postcondition at "bench/check-ce/multifile2.mlw", line 8, characters 12-26) File int.mlw: Line 13: Constant zero initialization zero = 0 Line 14: Constant one initialization one = 1 File multifile2.mlw: Line 7: x = (-2) x = (-2) Execution of main function `f` with env: x = (-2) zero = 0 one = 1 Line 9: Giant-step execution of function `incr` with args: x = (-2) result of `incr` = 0 Line 8: Property failure at postcondition of `f` with: x = (-2) result = 0 Results: - Selected model 0: SW - Concrete RAC: NORMAL - Abstract RAC: FAILURE (postcondition at "bench/check-ce/multifile2.mlw", line 8, characters 12-26) - Checked model 1: SW - Concrete RAC: NORMAL - Abstract RAC: FAILURE (postcondition at "bench/check-ce/multifile2.mlw", line 8, characters 12-26) File "bench/check-ce/multifile2.mlw", line 8, characters 12-26: Sub-goal Postcondition of goal f'vc. Prover result is: Unknown (sat) (0.00s, 857 steps). The contracts of some function or loop are too weak, for example during the following execution: File int.mlw: Line 13: Constant zero initialization zero = 0 Line 14: Constant one initialization one = 1 File multifile2.mlw: Line 7: x = (-2) x = (-2) Execution of main function `f` with env: x = (-2) zero = 0 one = 1 Line 9: Giant-step execution of function `incr` with args: x = (-2) result of `incr` = 0 Line 8: Property failure at postcondition of `f` with: x = (-2) result = 0 Check model 0 ("bench/check-ce/multifile2.mlw", line 13, characters 12-26) Checking model: File multifile1.mlw: Line 10: result = {"type": "Integer", "val": "0"} x = {"type": "Integer", "val": "-3"} File multifile2.mlw: Line 12: x = {"type": "Integer", "val": "-3"} Line 13: result = {"type": "Integer", "val": "0"} x = {"type": "Integer", "val": "-3"} Line 14: result = {"type": "Integer", "val": "0"} result = {"type": "Integer", "val": "0"} Giant-step RAC RHS evaluated for global `zero` at "WHY3DATA/stdlib/int.mlw", line 13, characters 15-19: 0 RHS evaluated for global `one` at "WHY3DATA/stdlib/int.mlw", line 14, characters 15-18: 1 Value from model for parameter `x` at "bench/check-ce/multifile2.mlw", line 12, characters 7-8: (-3) Value from model for return value of call to incr at "bench/check-ce/multifile2.mlw", line 14, characters 2-8 at "bench/check-ce/multifile2.mlw", line 14, characters 2-8: 0 Normal RAC RHS evaluated for global `zero` at "WHY3DATA/stdlib/int.mlw", line 13, characters 15-19: 0 RHS evaluated for global `one` at "WHY3DATA/stdlib/int.mlw", line 14, characters 15-18: 1 Value from model for parameter `x` at "bench/check-ce/multifile2.mlw", line 12, characters 7-8: (-3) Result of checking model 0: NC - Concrete RAC: FAILURE (postcondition at "bench/check-ce/multifile2.mlw", line 13, characters 12-26) File int.mlw: Line 13: Constant zero initialization zero = 0 Line 14: Constant one initialization one = 1 File multifile2.mlw: Line 12: x = (-3) x = (-3) Execution of main function `g` with env: x = (-3) zero = 0 one = 1 Line 14: Normal execution of function `incr` with args: x = (-3) File multifile1.mlw: Line 11: Normal execution of function `decr` with args: x = (-3) Line 7: Normal execution of function `(-)` with args: x = (-3) y = 1 File int.mlw: Line 23: Normal execution of function `(-_)` with args: _ = 1 Normal execution of function `(+)` with args: _ = (-3) _ = (-1) File multifile1.mlw: Line 11: Normal execution of function `(+)` with args: _ = (-4) _ = 2 File multifile2.mlw: Line 13: Property failure at postcondition of `g` with: x = (-3) result = (-2) - Abstract RAC: FAILURE (postcondition at "bench/check-ce/multifile2.mlw", line 13, characters 12-26) File int.mlw: Line 13: Constant zero initialization zero = 0 Line 14: Constant one initialization one = 1 File multifile2.mlw: Line 12: x = (-3) x = (-3) Execution of main function `g` with env: x = (-3) zero = 0 one = 1 Line 14: Giant-step execution of function `incr` with args: x = (-3) result of `incr` = 0 Line 13: Property failure at postcondition of `g` with: x = (-3) result = 0 Check model 1 ("bench/check-ce/multifile2.mlw", line 13, characters 12-26) Checking model: File multifile1.mlw: Line 10: result = {"type": "Integer", "val": "0"} x = {"type": "Integer", "val": "-3"} File multifile2.mlw: Line 12: x = {"type": "Integer", "val": "-3"} Line 13: result = {"type": "Integer", "val": "0"} x = {"type": "Integer", "val": "-3"} Line 14: result = {"type": "Integer", "val": "0"} result = {"type": "Integer", "val": "0"} Giant-step RAC RHS evaluated for global `zero` at "WHY3DATA/stdlib/int.mlw", line 13, characters 15-19: 0 RHS evaluated for global `one` at "WHY3DATA/stdlib/int.mlw", line 14, characters 15-18: 1 Value from model for parameter `x` at "bench/check-ce/multifile2.mlw", line 12, characters 7-8: (-3) Value from model for return value of call to incr at "bench/check-ce/multifile2.mlw", line 14, characters 2-8 at "bench/check-ce/multifile2.mlw", line 14, characters 2-8: 0 Normal RAC RHS evaluated for global `zero` at "WHY3DATA/stdlib/int.mlw", line 13, characters 15-19: 0 RHS evaluated for global `one` at "WHY3DATA/stdlib/int.mlw", line 14, characters 15-18: 1 Value from model for parameter `x` at "bench/check-ce/multifile2.mlw", line 12, characters 7-8: (-3) Result of checking model 1: NC - Concrete RAC: FAILURE (postcondition at "bench/check-ce/multifile2.mlw", line 13, characters 12-26) File int.mlw: Line 13: Constant zero initialization zero = 0 Line 14: Constant one initialization one = 1 File multifile2.mlw: Line 12: x = (-3) x = (-3) Execution of main function `g` with env: x = (-3) zero = 0 one = 1 Line 14: Normal execution of function `incr` with args: x = (-3) File multifile1.mlw: Line 11: Normal execution of function `decr` with args: x = (-3) Line 7: Normal execution of function `(-)` with args: x = (-3) y = 1 File int.mlw: Line 23: Normal execution of function `(-_)` with args: _ = 1 Normal execution of function `(+)` with args: _ = (-3) _ = (-1) File multifile1.mlw: Line 11: Normal execution of function `(+)` with args: _ = (-4) _ = 2 File multifile2.mlw: Line 13: Property failure at postcondition of `g` with: x = (-3) result = (-2) - Abstract RAC: FAILURE (postcondition at "bench/check-ce/multifile2.mlw", line 13, characters 12-26) File int.mlw: Line 13: Constant zero initialization zero = 0 Line 14: Constant one initialization one = 1 File multifile2.mlw: Line 12: x = (-3) x = (-3) Execution of main function `g` with env: x = (-3) zero = 0 one = 1 Line 14: Giant-step execution of function `incr` with args: x = (-3) result of `incr` = 0 Line 13: Property failure at postcondition of `g` with: x = (-3) result = 0 Results: - Selected model 0: NC - Concrete RAC: FAILURE (postcondition at "bench/check-ce/multifile2.mlw", line 13, characters 12-26) - Abstract RAC: FAILURE (postcondition at "bench/check-ce/multifile2.mlw", line 13, characters 12-26) - Checked model 1: NC - Concrete RAC: FAILURE (postcondition at "bench/check-ce/multifile2.mlw", line 13, characters 12-26) - Abstract RAC: FAILURE (postcondition at "bench/check-ce/multifile2.mlw", line 13, characters 12-26) File "bench/check-ce/multifile2.mlw", line 13, characters 12-26: Sub-goal Postcondition of goal g'vc. Prover result is: Unknown (sat) (0.01s, 871 steps). The program does not comply to the verification goal, for example during the following execution: File int.mlw: Line 13: Constant zero initialization zero = 0 Line 14: Constant one initialization one = 1 File multifile2.mlw: Line 12: x = (-3) x = (-3) Execution of main function `g` with env: x = (-3) zero = 0 one = 1 Line 14: Normal execution of function `incr` with args: x = (-3) File multifile1.mlw: Line 11: Normal execution of function `decr` with args: x = (-3) Line 7: Normal execution of function `(-)` with args: x = (-3) y = 1 File int.mlw: Line 23: Normal execution of function `(-_)` with args: _ = 1 Normal execution of function `(+)` with args: _ = (-3) _ = (-1) File multifile1.mlw: Line 11: Normal execution of function `(+)` with args: _ = (-4) _ = 2 File multifile2.mlw: Line 13: Property failure at postcondition of `g` with: x = (-3) result = (-2) Check model 0 ("bench/check-ce/multifile2.mlw", line 19, characters 12-26) Checking model: File multifile1.mlw: Line 14: result = {"type": "Integer", "val": "0"} x = {"type": "Integer", "val": "-3"} File multifile2.mlw: Line 18: x = {"type": "Integer", "val": "-3"} Line 19: result = {"type": "Integer", "val": "0"} x = {"type": "Integer", "val": "-3"} Line 20: result = {"type": "Integer", "val": "0"} result = {"type": "Integer", "val": "0"} Giant-step RAC RHS evaluated for global `zero` at "WHY3DATA/stdlib/int.mlw", line 13, characters 15-19: 0 RHS evaluated for global `one` at "WHY3DATA/stdlib/int.mlw", line 14, characters 15-18: 1 Value from model for parameter `x` at "bench/check-ce/multifile2.mlw", line 18, characters 7-8: (-3) Value from model for return value of call to incr_val at "bench/check-ce/multifile2.mlw", line 20, characters 2-12 at "bench/check-ce/multifile2.mlw", line 20, characters 2-12: 0 Normal RAC RHS evaluated for global `zero` at "WHY3DATA/stdlib/int.mlw", line 13, characters 15-19: 0 RHS evaluated for global `one` at "WHY3DATA/stdlib/int.mlw", line 14, characters 15-18: 1 Value from model for parameter `x` at "bench/check-ce/multifile2.mlw", line 18, characters 7-8: (-3) Value from model for return value of call to incr_val at "bench/check-ce/multifile2.mlw", line 20, characters 2-12 at "bench/check-ce/multifile2.mlw", line 20, characters 2-12: 0 Result of checking model 0: NC - Concrete RAC: FAILURE (postcondition at "bench/check-ce/multifile2.mlw", line 19, characters 12-26) File int.mlw: Line 13: Constant zero initialization zero = 0 Line 14: Constant one initialization one = 1 File multifile2.mlw: Line 18: x = (-3) x = (-3) Execution of main function `h` with env: x = (-3) zero = 0 one = 1 Line 20: (giant-step) execution of unimplemented function `incr_val` x = (-3) result of `incr_val` = 0 Line 19: Property failure at postcondition of `h` with: x = (-3) result = 0 - Abstract RAC: FAILURE (postcondition at "bench/check-ce/multifile2.mlw", line 19, characters 12-26) File int.mlw: Line 13: Constant zero initialization zero = 0 Line 14: Constant one initialization one = 1 File multifile2.mlw: Line 18: x = (-3) x = (-3) Execution of main function `h` with env: x = (-3) zero = 0 one = 1 Line 20: Giant-step execution of function `incr_val` with args: x = (-3) result of `incr_val` = 0 Line 19: Property failure at postcondition of `h` with: x = (-3) result = 0 Check model 1 ("bench/check-ce/multifile2.mlw", line 19, characters 12-26) Checking model: File multifile1.mlw: Line 14: result = {"type": "Integer", "val": "0"} x = {"type": "Integer", "val": "-3"} File multifile2.mlw: Line 18: x = {"type": "Integer", "val": "-3"} Line 19: result = {"type": "Integer", "val": "0"} x = {"type": "Integer", "val": "-3"} Line 20: result = {"type": "Integer", "val": "0"} result = {"type": "Integer", "val": "0"} Giant-step RAC RHS evaluated for global `zero` at "WHY3DATA/stdlib/int.mlw", line 13, characters 15-19: 0 RHS evaluated for global `one` at "WHY3DATA/stdlib/int.mlw", line 14, characters 15-18: 1 Value from model for parameter `x` at "bench/check-ce/multifile2.mlw", line 18, characters 7-8: (-3) Value from model for return value of call to incr_val at "bench/check-ce/multifile2.mlw", line 20, characters 2-12 at "bench/check-ce/multifile2.mlw", line 20, characters 2-12: 0 Normal RAC RHS evaluated for global `zero` at "WHY3DATA/stdlib/int.mlw", line 13, characters 15-19: 0 RHS evaluated for global `one` at "WHY3DATA/stdlib/int.mlw", line 14, characters 15-18: 1 Value from model for parameter `x` at "bench/check-ce/multifile2.mlw", line 18, characters 7-8: (-3) Value from model for return value of call to incr_val at "bench/check-ce/multifile2.mlw", line 20, characters 2-12 at "bench/check-ce/multifile2.mlw", line 20, characters 2-12: 0 Result of checking model 1: NC - Concrete RAC: FAILURE (postcondition at "bench/check-ce/multifile2.mlw", line 19, characters 12-26) File int.mlw: Line 13: Constant zero initialization zero = 0 Line 14: Constant one initialization one = 1 File multifile2.mlw: Line 18: x = (-3) x = (-3) Execution of main function `h` with env: x = (-3) zero = 0 one = 1 Line 20: (giant-step) execution of unimplemented function `incr_val` x = (-3) result of `incr_val` = 0 Line 19: Property failure at postcondition of `h` with: x = (-3) result = 0 - Abstract RAC: FAILURE (postcondition at "bench/check-ce/multifile2.mlw", line 19, characters 12-26) File int.mlw: Line 13: Constant zero initialization zero = 0 Line 14: Constant one initialization one = 1 File multifile2.mlw: Line 18: x = (-3) x = (-3) Execution of main function `h` with env: x = (-3) zero = 0 one = 1 Line 20: Giant-step execution of function `incr_val` with args: x = (-3) result of `incr_val` = 0 Line 19: Property failure at postcondition of `h` with: x = (-3) result = 0 Results: - Selected model 0: NC - Concrete RAC: FAILURE (postcondition at "bench/check-ce/multifile2.mlw", line 19, characters 12-26) - Abstract RAC: FAILURE (postcondition at "bench/check-ce/multifile2.mlw", line 19, characters 12-26) - Checked model 1: NC - Concrete RAC: FAILURE (postcondition at "bench/check-ce/multifile2.mlw", line 19, characters 12-26) - Abstract RAC: FAILURE (postcondition at "bench/check-ce/multifile2.mlw", line 19, characters 12-26) File "bench/check-ce/multifile2.mlw", line 19, characters 12-26: Sub-goal Postcondition of goal h'vc. Prover result is: Unknown (sat) (0.01s, 871 steps). The program does not comply to the verification goal, for example during the following execution: File int.mlw: Line 13: Constant zero initialization zero = 0 Line 14: Constant one initialization one = 1 File multifile2.mlw: Line 18: x = (-3) x = (-3) Execution of main function `h` with env: x = (-3) zero = 0 one = 1 Line 20: (giant-step) execution of unimplemented function `incr_val` x = (-3) result of `incr_val` = 0 Line 19: Property failure at postcondition of `h` with: x = (-3) result = 0 why3-1.6.0/bench/check-ce/oracles/multifile2_Z3,4.8.4_WP.oracle000066400000000000000000000646211440160026300234630ustar00rootroot00000000000000Check model 0 ("bench/check-ce/multifile2.mlw", line 8, characters 12-26) Checking model: File multifile2.mlw: Line 7: x = {"type": "Integer", "val": "-2"} Line 8: result = {"type": "Integer", "val": "0"} result = {"type": "Integer", "val": "0"} x = {"type": "Integer", "val": "-2"} Line 9: result = {"type": "Integer", "val": "0"} result = {"type": "Integer", "val": "0"} Giant-step RAC RHS evaluated for global `zero` at "WHY3DATA/stdlib/int.mlw", line 13, characters 15-19: 0 RHS evaluated for global `one` at "WHY3DATA/stdlib/int.mlw", line 14, characters 15-18: 1 Value from model for parameter `x` at "bench/check-ce/multifile2.mlw", line 7, characters 7-8: (-2) Value from model for return value of call to incr at "bench/check-ce/multifile2.mlw", line 9, characters 2-8 at "bench/check-ce/multifile2.mlw", line 9, characters 2-8: 0 Normal RAC RHS evaluated for global `zero` at "WHY3DATA/stdlib/int.mlw", line 13, characters 15-19: 0 RHS evaluated for global `one` at "WHY3DATA/stdlib/int.mlw", line 14, characters 15-18: 1 Value from model for parameter `x` at "bench/check-ce/multifile2.mlw", line 7, characters 7-8: (-2) Result of checking model 0: SW - Concrete RAC: NORMAL File int.mlw: Line 13: Constant zero initialization zero = 0 Line 14: Constant one initialization one = 1 File multifile2.mlw: Line 7: x = (-2) x = (-2) Execution of main function `f` with env: x = (-2) zero = 0 one = 1 Line 9: Normal execution of function `incr` with args: x = (-2) File multifile1.mlw: Line 11: Normal execution of function `decr` with args: x = (-2) Line 7: Normal execution of function `(-)` with args: x = (-2) y = 1 File int.mlw: Line 23: Normal execution of function `(-_)` with args: _ = 1 Normal execution of function `(+)` with args: _ = (-2) _ = (-1) File multifile1.mlw: Line 11: Normal execution of function `(+)` with args: _ = (-3) _ = 2 File multifile2.mlw: Line 7: Execution of main function terminated normally - Abstract RAC: FAILURE (postcondition at "bench/check-ce/multifile2.mlw", line 8, characters 12-26) File int.mlw: Line 13: Constant zero initialization zero = 0 Line 14: Constant one initialization one = 1 File multifile2.mlw: Line 7: x = (-2) x = (-2) Execution of main function `f` with env: x = (-2) zero = 0 one = 1 Line 9: Giant-step execution of function `incr` with args: x = (-2) result of `incr` = 0 Line 8: Property failure at postcondition of `f` with: x = (-2) result = 0 Check model 1 ("bench/check-ce/multifile2.mlw", line 8, characters 12-26) Checking model: File multifile2.mlw: Line 7: x = {"type": "Integer", "val": "-2"} Line 8: result = {"type": "Integer", "val": "0"} result = {"type": "Integer", "val": "0"} x = {"type": "Integer", "val": "-2"} Line 9: result = {"type": "Integer", "val": "0"} result = {"type": "Integer", "val": "0"} Giant-step RAC RHS evaluated for global `zero` at "WHY3DATA/stdlib/int.mlw", line 13, characters 15-19: 0 RHS evaluated for global `one` at "WHY3DATA/stdlib/int.mlw", line 14, characters 15-18: 1 Value from model for parameter `x` at "bench/check-ce/multifile2.mlw", line 7, characters 7-8: (-2) Value from model for return value of call to incr at "bench/check-ce/multifile2.mlw", line 9, characters 2-8 at "bench/check-ce/multifile2.mlw", line 9, characters 2-8: 0 Normal RAC RHS evaluated for global `zero` at "WHY3DATA/stdlib/int.mlw", line 13, characters 15-19: 0 RHS evaluated for global `one` at "WHY3DATA/stdlib/int.mlw", line 14, characters 15-18: 1 Value from model for parameter `x` at "bench/check-ce/multifile2.mlw", line 7, characters 7-8: (-2) Result of checking model 1: SW - Concrete RAC: NORMAL File int.mlw: Line 13: Constant zero initialization zero = 0 Line 14: Constant one initialization one = 1 File multifile2.mlw: Line 7: x = (-2) x = (-2) Execution of main function `f` with env: x = (-2) zero = 0 one = 1 Line 9: Normal execution of function `incr` with args: x = (-2) File multifile1.mlw: Line 11: Normal execution of function `decr` with args: x = (-2) Line 7: Normal execution of function `(-)` with args: x = (-2) y = 1 File int.mlw: Line 23: Normal execution of function `(-_)` with args: _ = 1 Normal execution of function `(+)` with args: _ = (-2) _ = (-1) File multifile1.mlw: Line 11: Normal execution of function `(+)` with args: _ = (-3) _ = 2 File multifile2.mlw: Line 7: Execution of main function terminated normally - Abstract RAC: FAILURE (postcondition at "bench/check-ce/multifile2.mlw", line 8, characters 12-26) File int.mlw: Line 13: Constant zero initialization zero = 0 Line 14: Constant one initialization one = 1 File multifile2.mlw: Line 7: x = (-2) x = (-2) Execution of main function `f` with env: x = (-2) zero = 0 one = 1 Line 9: Giant-step execution of function `incr` with args: x = (-2) result of `incr` = 0 Line 8: Property failure at postcondition of `f` with: x = (-2) result = 0 Results: - Selected model 0: SW - Concrete RAC: NORMAL - Abstract RAC: FAILURE (postcondition at "bench/check-ce/multifile2.mlw", line 8, characters 12-26) - Checked model 1: SW - Concrete RAC: NORMAL - Abstract RAC: FAILURE (postcondition at "bench/check-ce/multifile2.mlw", line 8, characters 12-26) File "bench/check-ce/multifile2.mlw", line 8, characters 12-26: Sub-goal Postcondition of goal f'vc. Prover result is: Unknown (sat) (0.02s, 857 steps). The contracts of some function or loop are too weak, for example during the following execution: File int.mlw: Line 13: Constant zero initialization zero = 0 Line 14: Constant one initialization one = 1 File multifile2.mlw: Line 7: x = (-2) x = (-2) Execution of main function `f` with env: x = (-2) zero = 0 one = 1 Line 9: Giant-step execution of function `incr` with args: x = (-2) result of `incr` = 0 Line 8: Property failure at postcondition of `f` with: x = (-2) result = 0 Check model 0 ("bench/check-ce/multifile2.mlw", line 13, characters 12-26) Checking model: File multifile1.mlw: Line 10: result = {"type": "Integer", "val": "0"} x = {"type": "Integer", "val": "-3"} File multifile2.mlw: Line 12: x = {"type": "Integer", "val": "-3"} Line 13: result = {"type": "Integer", "val": "0"} x = {"type": "Integer", "val": "-3"} Line 14: result = {"type": "Integer", "val": "0"} result = {"type": "Integer", "val": "0"} Giant-step RAC RHS evaluated for global `zero` at "WHY3DATA/stdlib/int.mlw", line 13, characters 15-19: 0 RHS evaluated for global `one` at "WHY3DATA/stdlib/int.mlw", line 14, characters 15-18: 1 Value from model for parameter `x` at "bench/check-ce/multifile2.mlw", line 12, characters 7-8: (-3) Value from model for return value of call to incr at "bench/check-ce/multifile2.mlw", line 14, characters 2-8 at "bench/check-ce/multifile2.mlw", line 14, characters 2-8: 0 Normal RAC RHS evaluated for global `zero` at "WHY3DATA/stdlib/int.mlw", line 13, characters 15-19: 0 RHS evaluated for global `one` at "WHY3DATA/stdlib/int.mlw", line 14, characters 15-18: 1 Value from model for parameter `x` at "bench/check-ce/multifile2.mlw", line 12, characters 7-8: (-3) Result of checking model 0: NC - Concrete RAC: FAILURE (postcondition at "bench/check-ce/multifile2.mlw", line 13, characters 12-26) File int.mlw: Line 13: Constant zero initialization zero = 0 Line 14: Constant one initialization one = 1 File multifile2.mlw: Line 12: x = (-3) x = (-3) Execution of main function `g` with env: x = (-3) zero = 0 one = 1 Line 14: Normal execution of function `incr` with args: x = (-3) File multifile1.mlw: Line 11: Normal execution of function `decr` with args: x = (-3) Line 7: Normal execution of function `(-)` with args: x = (-3) y = 1 File int.mlw: Line 23: Normal execution of function `(-_)` with args: _ = 1 Normal execution of function `(+)` with args: _ = (-3) _ = (-1) File multifile1.mlw: Line 11: Normal execution of function `(+)` with args: _ = (-4) _ = 2 File multifile2.mlw: Line 13: Property failure at postcondition of `g` with: x = (-3) result = (-2) - Abstract RAC: FAILURE (postcondition at "bench/check-ce/multifile2.mlw", line 13, characters 12-26) File int.mlw: Line 13: Constant zero initialization zero = 0 Line 14: Constant one initialization one = 1 File multifile2.mlw: Line 12: x = (-3) x = (-3) Execution of main function `g` with env: x = (-3) zero = 0 one = 1 Line 14: Giant-step execution of function `incr` with args: x = (-3) result of `incr` = 0 Line 13: Property failure at postcondition of `g` with: x = (-3) result = 0 Check model 1 ("bench/check-ce/multifile2.mlw", line 13, characters 12-26) Checking model: File multifile1.mlw: Line 10: result = {"type": "Integer", "val": "0"} x = {"type": "Integer", "val": "-3"} File multifile2.mlw: Line 12: x = {"type": "Integer", "val": "-3"} Line 13: result = {"type": "Integer", "val": "0"} x = {"type": "Integer", "val": "-3"} Line 14: result = {"type": "Integer", "val": "0"} result = {"type": "Integer", "val": "0"} Giant-step RAC RHS evaluated for global `zero` at "WHY3DATA/stdlib/int.mlw", line 13, characters 15-19: 0 RHS evaluated for global `one` at "WHY3DATA/stdlib/int.mlw", line 14, characters 15-18: 1 Value from model for parameter `x` at "bench/check-ce/multifile2.mlw", line 12, characters 7-8: (-3) Value from model for return value of call to incr at "bench/check-ce/multifile2.mlw", line 14, characters 2-8 at "bench/check-ce/multifile2.mlw", line 14, characters 2-8: 0 Normal RAC RHS evaluated for global `zero` at "WHY3DATA/stdlib/int.mlw", line 13, characters 15-19: 0 RHS evaluated for global `one` at "WHY3DATA/stdlib/int.mlw", line 14, characters 15-18: 1 Value from model for parameter `x` at "bench/check-ce/multifile2.mlw", line 12, characters 7-8: (-3) Result of checking model 1: NC - Concrete RAC: FAILURE (postcondition at "bench/check-ce/multifile2.mlw", line 13, characters 12-26) File int.mlw: Line 13: Constant zero initialization zero = 0 Line 14: Constant one initialization one = 1 File multifile2.mlw: Line 12: x = (-3) x = (-3) Execution of main function `g` with env: x = (-3) zero = 0 one = 1 Line 14: Normal execution of function `incr` with args: x = (-3) File multifile1.mlw: Line 11: Normal execution of function `decr` with args: x = (-3) Line 7: Normal execution of function `(-)` with args: x = (-3) y = 1 File int.mlw: Line 23: Normal execution of function `(-_)` with args: _ = 1 Normal execution of function `(+)` with args: _ = (-3) _ = (-1) File multifile1.mlw: Line 11: Normal execution of function `(+)` with args: _ = (-4) _ = 2 File multifile2.mlw: Line 13: Property failure at postcondition of `g` with: x = (-3) result = (-2) - Abstract RAC: FAILURE (postcondition at "bench/check-ce/multifile2.mlw", line 13, characters 12-26) File int.mlw: Line 13: Constant zero initialization zero = 0 Line 14: Constant one initialization one = 1 File multifile2.mlw: Line 12: x = (-3) x = (-3) Execution of main function `g` with env: x = (-3) zero = 0 one = 1 Line 14: Giant-step execution of function `incr` with args: x = (-3) result of `incr` = 0 Line 13: Property failure at postcondition of `g` with: x = (-3) result = 0 Results: - Selected model 0: NC - Concrete RAC: FAILURE (postcondition at "bench/check-ce/multifile2.mlw", line 13, characters 12-26) - Abstract RAC: FAILURE (postcondition at "bench/check-ce/multifile2.mlw", line 13, characters 12-26) - Checked model 1: NC - Concrete RAC: FAILURE (postcondition at "bench/check-ce/multifile2.mlw", line 13, characters 12-26) - Abstract RAC: FAILURE (postcondition at "bench/check-ce/multifile2.mlw", line 13, characters 12-26) File "bench/check-ce/multifile2.mlw", line 13, characters 12-26: Sub-goal Postcondition of goal g'vc. Prover result is: Unknown (sat) (0.00s, 871 steps). The program does not comply to the verification goal, for example during the following execution: File int.mlw: Line 13: Constant zero initialization zero = 0 Line 14: Constant one initialization one = 1 File multifile2.mlw: Line 12: x = (-3) x = (-3) Execution of main function `g` with env: x = (-3) zero = 0 one = 1 Line 14: Normal execution of function `incr` with args: x = (-3) File multifile1.mlw: Line 11: Normal execution of function `decr` with args: x = (-3) Line 7: Normal execution of function `(-)` with args: x = (-3) y = 1 File int.mlw: Line 23: Normal execution of function `(-_)` with args: _ = 1 Normal execution of function `(+)` with args: _ = (-3) _ = (-1) File multifile1.mlw: Line 11: Normal execution of function `(+)` with args: _ = (-4) _ = 2 File multifile2.mlw: Line 13: Property failure at postcondition of `g` with: x = (-3) result = (-2) Check model 0 ("bench/check-ce/multifile2.mlw", line 19, characters 12-26) Checking model: File multifile1.mlw: Line 14: result = {"type": "Integer", "val": "0"} x = {"type": "Integer", "val": "-3"} File multifile2.mlw: Line 18: x = {"type": "Integer", "val": "-3"} Line 19: result = {"type": "Integer", "val": "0"} x = {"type": "Integer", "val": "-3"} Line 20: result = {"type": "Integer", "val": "0"} result = {"type": "Integer", "val": "0"} Giant-step RAC RHS evaluated for global `zero` at "WHY3DATA/stdlib/int.mlw", line 13, characters 15-19: 0 RHS evaluated for global `one` at "WHY3DATA/stdlib/int.mlw", line 14, characters 15-18: 1 Value from model for parameter `x` at "bench/check-ce/multifile2.mlw", line 18, characters 7-8: (-3) Value from model for return value of call to incr_val at "bench/check-ce/multifile2.mlw", line 20, characters 2-12 at "bench/check-ce/multifile2.mlw", line 20, characters 2-12: 0 Normal RAC RHS evaluated for global `zero` at "WHY3DATA/stdlib/int.mlw", line 13, characters 15-19: 0 RHS evaluated for global `one` at "WHY3DATA/stdlib/int.mlw", line 14, characters 15-18: 1 Value from model for parameter `x` at "bench/check-ce/multifile2.mlw", line 18, characters 7-8: (-3) Value from model for return value of call to incr_val at "bench/check-ce/multifile2.mlw", line 20, characters 2-12 at "bench/check-ce/multifile2.mlw", line 20, characters 2-12: 0 Result of checking model 0: NC - Concrete RAC: FAILURE (postcondition at "bench/check-ce/multifile2.mlw", line 19, characters 12-26) File int.mlw: Line 13: Constant zero initialization zero = 0 Line 14: Constant one initialization one = 1 File multifile2.mlw: Line 18: x = (-3) x = (-3) Execution of main function `h` with env: x = (-3) zero = 0 one = 1 Line 20: (giant-step) execution of unimplemented function `incr_val` x = (-3) result of `incr_val` = 0 Line 19: Property failure at postcondition of `h` with: x = (-3) result = 0 - Abstract RAC: FAILURE (postcondition at "bench/check-ce/multifile2.mlw", line 19, characters 12-26) File int.mlw: Line 13: Constant zero initialization zero = 0 Line 14: Constant one initialization one = 1 File multifile2.mlw: Line 18: x = (-3) x = (-3) Execution of main function `h` with env: x = (-3) zero = 0 one = 1 Line 20: Giant-step execution of function `incr_val` with args: x = (-3) result of `incr_val` = 0 Line 19: Property failure at postcondition of `h` with: x = (-3) result = 0 Check model 1 ("bench/check-ce/multifile2.mlw", line 19, characters 12-26) Checking model: File multifile1.mlw: Line 14: result = {"type": "Integer", "val": "0"} x = {"type": "Integer", "val": "-3"} File multifile2.mlw: Line 18: x = {"type": "Integer", "val": "-3"} Line 19: result = {"type": "Integer", "val": "0"} x = {"type": "Integer", "val": "-3"} Line 20: result = {"type": "Integer", "val": "0"} result = {"type": "Integer", "val": "0"} Giant-step RAC RHS evaluated for global `zero` at "WHY3DATA/stdlib/int.mlw", line 13, characters 15-19: 0 RHS evaluated for global `one` at "WHY3DATA/stdlib/int.mlw", line 14, characters 15-18: 1 Value from model for parameter `x` at "bench/check-ce/multifile2.mlw", line 18, characters 7-8: (-3) Value from model for return value of call to incr_val at "bench/check-ce/multifile2.mlw", line 20, characters 2-12 at "bench/check-ce/multifile2.mlw", line 20, characters 2-12: 0 Normal RAC RHS evaluated for global `zero` at "WHY3DATA/stdlib/int.mlw", line 13, characters 15-19: 0 RHS evaluated for global `one` at "WHY3DATA/stdlib/int.mlw", line 14, characters 15-18: 1 Value from model for parameter `x` at "bench/check-ce/multifile2.mlw", line 18, characters 7-8: (-3) Value from model for return value of call to incr_val at "bench/check-ce/multifile2.mlw", line 20, characters 2-12 at "bench/check-ce/multifile2.mlw", line 20, characters 2-12: 0 Result of checking model 1: NC - Concrete RAC: FAILURE (postcondition at "bench/check-ce/multifile2.mlw", line 19, characters 12-26) File int.mlw: Line 13: Constant zero initialization zero = 0 Line 14: Constant one initialization one = 1 File multifile2.mlw: Line 18: x = (-3) x = (-3) Execution of main function `h` with env: x = (-3) zero = 0 one = 1 Line 20: (giant-step) execution of unimplemented function `incr_val` x = (-3) result of `incr_val` = 0 Line 19: Property failure at postcondition of `h` with: x = (-3) result = 0 - Abstract RAC: FAILURE (postcondition at "bench/check-ce/multifile2.mlw", line 19, characters 12-26) File int.mlw: Line 13: Constant zero initialization zero = 0 Line 14: Constant one initialization one = 1 File multifile2.mlw: Line 18: x = (-3) x = (-3) Execution of main function `h` with env: x = (-3) zero = 0 one = 1 Line 20: Giant-step execution of function `incr_val` with args: x = (-3) result of `incr_val` = 0 Line 19: Property failure at postcondition of `h` with: x = (-3) result = 0 Results: - Selected model 0: NC - Concrete RAC: FAILURE (postcondition at "bench/check-ce/multifile2.mlw", line 19, characters 12-26) - Abstract RAC: FAILURE (postcondition at "bench/check-ce/multifile2.mlw", line 19, characters 12-26) - Checked model 1: NC - Concrete RAC: FAILURE (postcondition at "bench/check-ce/multifile2.mlw", line 19, characters 12-26) - Abstract RAC: FAILURE (postcondition at "bench/check-ce/multifile2.mlw", line 19, characters 12-26) File "bench/check-ce/multifile2.mlw", line 19, characters 12-26: Sub-goal Postcondition of goal h'vc. Prover result is: Unknown (sat) (0.01s, 871 steps). The program does not comply to the verification goal, for example during the following execution: File int.mlw: Line 13: Constant zero initialization zero = 0 Line 14: Constant one initialization one = 1 File multifile2.mlw: Line 18: x = (-3) x = (-3) Execution of main function `h` with env: x = (-3) zero = 0 one = 1 Line 20: (giant-step) execution of unimplemented function `incr_val` x = (-3) result of `incr_val` = 0 Line 19: Property failure at postcondition of `h` with: x = (-3) result = 0 why3-1.6.0/bench/check-ce/oracles/polymorphism_CVC4,1.8_SP.oracle000066400000000000000000000045051440160026300241760ustar00rootroot00000000000000Categorizations of models: - Selected model 0: NC - Concrete RAC: FAILURE (postcondition at "bench/check-ce/polymorphism.mlw", line 7, characters 27-34) - Abstract RAC: FAILURE (postcondition at "bench/check-ce/polymorphism.mlw", line 7, characters 27-34) - Checked model 1: NC - Concrete RAC: FAILURE (postcondition at "bench/check-ce/polymorphism.mlw", line 7, characters 27-34) - Abstract RAC: FAILURE (postcondition at "bench/check-ce/polymorphism.mlw", line 7, characters 27-34) File "bench/check-ce/polymorphism.mlw", line 7, characters 27-34: Goal gm. Prover result is: Unknown (sat). The program does not comply to the verification goal, for example during the following execution: File polymorphism.mlw: Line 7: x = (B 1) x = (B 1) Execution of main function `gm'goal` with env: x = (B 1) Unknown location: Normal execution of function `Tuple0` with args: File polymorphism.mlw: Line 7: Property failure at postcondition of `gm'goal` with: x = (B 1) Categorizations of models: - Selected model 0: NC - Concrete RAC: FAILURE (postcondition at "bench/check-ce/polymorphism.mlw", line 11, characters 22-35) - Abstract RAC: FAILURE (postcondition at "bench/check-ce/polymorphism.mlw", line 11, characters 22-35) - Checked model 1: NC - Concrete RAC: FAILURE (postcondition at "bench/check-ce/polymorphism.mlw", line 11, characters 22-35) - Abstract RAC: FAILURE (postcondition at "bench/check-ce/polymorphism.mlw", line 11, characters 22-35) File "bench/check-ce/polymorphism.mlw", line 11, characters 22-35: Goal gm2. Prover result is: Unknown (sat). The program does not comply to the verification goal, for example during the following execution: File polymorphism.mlw: Line 11: x = (C 0 true) x = (C 0 true) Execution of main function `gm2'goal` with env: x = (C 0 true) Unknown location: Normal execution of function `Tuple0` with args: File polymorphism.mlw: Line 11: Property failure at postcondition of `gm2'goal` with: False = UNDEFINED x = (C 0 true) Categorizations of models: - Checked model 0: BAD_CE - Concrete RAC: NORMAL - Abstract RAC: NORMAL File "bench/check-ce/polymorphism.mlw", line 15, characters 30-37: Goal g. Prover result is: Unknown or time/memory/step limit. why3-1.6.0/bench/check-ce/oracles/polymorphism_CVC4,1.8_WP.oracle000066400000000000000000000045051440160026300242020ustar00rootroot00000000000000Categorizations of models: - Selected model 0: NC - Concrete RAC: FAILURE (postcondition at "bench/check-ce/polymorphism.mlw", line 7, characters 27-34) - Abstract RAC: FAILURE (postcondition at "bench/check-ce/polymorphism.mlw", line 7, characters 27-34) - Checked model 1: NC - Concrete RAC: FAILURE (postcondition at "bench/check-ce/polymorphism.mlw", line 7, characters 27-34) - Abstract RAC: FAILURE (postcondition at "bench/check-ce/polymorphism.mlw", line 7, characters 27-34) File "bench/check-ce/polymorphism.mlw", line 7, characters 27-34: Goal gm. Prover result is: Unknown (sat). The program does not comply to the verification goal, for example during the following execution: File polymorphism.mlw: Line 7: x = (B 1) x = (B 1) Execution of main function `gm'goal` with env: x = (B 1) Unknown location: Normal execution of function `Tuple0` with args: File polymorphism.mlw: Line 7: Property failure at postcondition of `gm'goal` with: x = (B 1) Categorizations of models: - Selected model 0: NC - Concrete RAC: FAILURE (postcondition at "bench/check-ce/polymorphism.mlw", line 11, characters 22-35) - Abstract RAC: FAILURE (postcondition at "bench/check-ce/polymorphism.mlw", line 11, characters 22-35) - Checked model 1: NC - Concrete RAC: FAILURE (postcondition at "bench/check-ce/polymorphism.mlw", line 11, characters 22-35) - Abstract RAC: FAILURE (postcondition at "bench/check-ce/polymorphism.mlw", line 11, characters 22-35) File "bench/check-ce/polymorphism.mlw", line 11, characters 22-35: Goal gm2. Prover result is: Unknown (sat). The program does not comply to the verification goal, for example during the following execution: File polymorphism.mlw: Line 11: x = (C 0 true) x = (C 0 true) Execution of main function `gm2'goal` with env: x = (C 0 true) Unknown location: Normal execution of function `Tuple0` with args: File polymorphism.mlw: Line 11: Property failure at postcondition of `gm2'goal` with: False = UNDEFINED x = (C 0 true) Categorizations of models: - Checked model 0: BAD_CE - Concrete RAC: NORMAL - Abstract RAC: NORMAL File "bench/check-ce/polymorphism.mlw", line 15, characters 30-37: Goal g. Prover result is: Unknown or time/memory/step limit. why3-1.6.0/bench/check-ce/oracles/polymorphism_CVC5,1.0.0_SP.oracle000066400000000000000000000045051440160026300243250ustar00rootroot00000000000000Categorizations of models: - Selected model 0: NC - Concrete RAC: FAILURE (postcondition at "bench/check-ce/polymorphism.mlw", line 7, characters 27-34) - Abstract RAC: FAILURE (postcondition at "bench/check-ce/polymorphism.mlw", line 7, characters 27-34) - Checked model 1: NC - Concrete RAC: FAILURE (postcondition at "bench/check-ce/polymorphism.mlw", line 7, characters 27-34) - Abstract RAC: FAILURE (postcondition at "bench/check-ce/polymorphism.mlw", line 7, characters 27-34) File "bench/check-ce/polymorphism.mlw", line 7, characters 27-34: Goal gm. Prover result is: Unknown (sat). The program does not comply to the verification goal, for example during the following execution: File polymorphism.mlw: Line 7: x = (B 1) x = (B 1) Execution of main function `gm'goal` with env: x = (B 1) Unknown location: Normal execution of function `Tuple0` with args: File polymorphism.mlw: Line 7: Property failure at postcondition of `gm'goal` with: x = (B 1) Categorizations of models: - Selected model 0: NC - Concrete RAC: FAILURE (postcondition at "bench/check-ce/polymorphism.mlw", line 11, characters 22-35) - Abstract RAC: FAILURE (postcondition at "bench/check-ce/polymorphism.mlw", line 11, characters 22-35) - Checked model 1: NC - Concrete RAC: FAILURE (postcondition at "bench/check-ce/polymorphism.mlw", line 11, characters 22-35) - Abstract RAC: FAILURE (postcondition at "bench/check-ce/polymorphism.mlw", line 11, characters 22-35) File "bench/check-ce/polymorphism.mlw", line 11, characters 22-35: Goal gm2. Prover result is: Unknown (sat). The program does not comply to the verification goal, for example during the following execution: File polymorphism.mlw: Line 11: x = (C 0 true) x = (C 0 true) Execution of main function `gm2'goal` with env: x = (C 0 true) Unknown location: Normal execution of function `Tuple0` with args: File polymorphism.mlw: Line 11: Property failure at postcondition of `gm2'goal` with: False = UNDEFINED x = (C 0 true) Categorizations of models: - Checked model 0: BAD_CE - Concrete RAC: NORMAL - Abstract RAC: NORMAL File "bench/check-ce/polymorphism.mlw", line 15, characters 30-37: Goal g. Prover result is: Unknown or time/memory/step limit. why3-1.6.0/bench/check-ce/oracles/polymorphism_CVC5,1.0.0_WP.oracle000066400000000000000000000045051440160026300243310ustar00rootroot00000000000000Categorizations of models: - Selected model 0: NC - Concrete RAC: FAILURE (postcondition at "bench/check-ce/polymorphism.mlw", line 7, characters 27-34) - Abstract RAC: FAILURE (postcondition at "bench/check-ce/polymorphism.mlw", line 7, characters 27-34) - Checked model 1: NC - Concrete RAC: FAILURE (postcondition at "bench/check-ce/polymorphism.mlw", line 7, characters 27-34) - Abstract RAC: FAILURE (postcondition at "bench/check-ce/polymorphism.mlw", line 7, characters 27-34) File "bench/check-ce/polymorphism.mlw", line 7, characters 27-34: Goal gm. Prover result is: Unknown (sat). The program does not comply to the verification goal, for example during the following execution: File polymorphism.mlw: Line 7: x = (B 1) x = (B 1) Execution of main function `gm'goal` with env: x = (B 1) Unknown location: Normal execution of function `Tuple0` with args: File polymorphism.mlw: Line 7: Property failure at postcondition of `gm'goal` with: x = (B 1) Categorizations of models: - Selected model 0: NC - Concrete RAC: FAILURE (postcondition at "bench/check-ce/polymorphism.mlw", line 11, characters 22-35) - Abstract RAC: FAILURE (postcondition at "bench/check-ce/polymorphism.mlw", line 11, characters 22-35) - Checked model 1: NC - Concrete RAC: FAILURE (postcondition at "bench/check-ce/polymorphism.mlw", line 11, characters 22-35) - Abstract RAC: FAILURE (postcondition at "bench/check-ce/polymorphism.mlw", line 11, characters 22-35) File "bench/check-ce/polymorphism.mlw", line 11, characters 22-35: Goal gm2. Prover result is: Unknown (sat). The program does not comply to the verification goal, for example during the following execution: File polymorphism.mlw: Line 11: x = (C 0 true) x = (C 0 true) Execution of main function `gm2'goal` with env: x = (C 0 true) Unknown location: Normal execution of function `Tuple0` with args: File polymorphism.mlw: Line 11: Property failure at postcondition of `gm2'goal` with: False = UNDEFINED x = (C 0 true) Categorizations of models: - Checked model 0: BAD_CE - Concrete RAC: NORMAL - Abstract RAC: NORMAL File "bench/check-ce/polymorphism.mlw", line 15, characters 30-37: Goal g. Prover result is: Unknown or time/memory/step limit. why3-1.6.0/bench/check-ce/oracles/polymorphism_Z3,4.8.10_SP.oracle000066400000000000000000000045111440160026300242120ustar00rootroot00000000000000Categorizations of models: - Selected model 0: NC - Concrete RAC: FAILURE (postcondition at "bench/check-ce/polymorphism.mlw", line 7, characters 27-34) - Abstract RAC: FAILURE (postcondition at "bench/check-ce/polymorphism.mlw", line 7, characters 27-34) - Checked model 1: NC - Concrete RAC: FAILURE (postcondition at "bench/check-ce/polymorphism.mlw", line 7, characters 27-34) - Abstract RAC: FAILURE (postcondition at "bench/check-ce/polymorphism.mlw", line 7, characters 27-34) File "bench/check-ce/polymorphism.mlw", line 7, characters 27-34: Goal gm. Prover result is: Unknown (sat). The program does not comply to the verification goal, for example during the following execution: File polymorphism.mlw: Line 7: x = (B 2) x = (B 2) Execution of main function `gm'goal` with env: x = (B 2) Unknown location: Normal execution of function `Tuple0` with args: File polymorphism.mlw: Line 7: Property failure at postcondition of `gm'goal` with: x = (B 2) Categorizations of models: - Selected model 0: NC - Concrete RAC: FAILURE (postcondition at "bench/check-ce/polymorphism.mlw", line 11, characters 22-35) - Abstract RAC: FAILURE (postcondition at "bench/check-ce/polymorphism.mlw", line 11, characters 22-35) - Checked model 1: NC - Concrete RAC: FAILURE (postcondition at "bench/check-ce/polymorphism.mlw", line 11, characters 22-35) - Abstract RAC: FAILURE (postcondition at "bench/check-ce/polymorphism.mlw", line 11, characters 22-35) File "bench/check-ce/polymorphism.mlw", line 11, characters 22-35: Goal gm2. Prover result is: Unknown (sat). The program does not comply to the verification goal, for example during the following execution: File polymorphism.mlw: Line 11: x = (C 2 false) x = (C 2 false) Execution of main function `gm2'goal` with env: x = (C 2 false) Unknown location: Normal execution of function `Tuple0` with args: File polymorphism.mlw: Line 11: Property failure at postcondition of `gm2'goal` with: False = UNDEFINED x = (C 2 false) Categorizations of models: - Checked model 0: BAD_CE - Concrete RAC: NORMAL - Abstract RAC: NORMAL File "bench/check-ce/polymorphism.mlw", line 15, characters 30-37: Goal g. Prover result is: Unknown or time/memory/step limit. why3-1.6.0/bench/check-ce/oracles/polymorphism_Z3,4.8.10_WP.oracle000066400000000000000000000045111440160026300242160ustar00rootroot00000000000000Categorizations of models: - Selected model 0: NC - Concrete RAC: FAILURE (postcondition at "bench/check-ce/polymorphism.mlw", line 7, characters 27-34) - Abstract RAC: FAILURE (postcondition at "bench/check-ce/polymorphism.mlw", line 7, characters 27-34) - Checked model 1: NC - Concrete RAC: FAILURE (postcondition at "bench/check-ce/polymorphism.mlw", line 7, characters 27-34) - Abstract RAC: FAILURE (postcondition at "bench/check-ce/polymorphism.mlw", line 7, characters 27-34) File "bench/check-ce/polymorphism.mlw", line 7, characters 27-34: Goal gm. Prover result is: Unknown (sat). The program does not comply to the verification goal, for example during the following execution: File polymorphism.mlw: Line 7: x = (B 2) x = (B 2) Execution of main function `gm'goal` with env: x = (B 2) Unknown location: Normal execution of function `Tuple0` with args: File polymorphism.mlw: Line 7: Property failure at postcondition of `gm'goal` with: x = (B 2) Categorizations of models: - Selected model 0: NC - Concrete RAC: FAILURE (postcondition at "bench/check-ce/polymorphism.mlw", line 11, characters 22-35) - Abstract RAC: FAILURE (postcondition at "bench/check-ce/polymorphism.mlw", line 11, characters 22-35) - Checked model 1: NC - Concrete RAC: FAILURE (postcondition at "bench/check-ce/polymorphism.mlw", line 11, characters 22-35) - Abstract RAC: FAILURE (postcondition at "bench/check-ce/polymorphism.mlw", line 11, characters 22-35) File "bench/check-ce/polymorphism.mlw", line 11, characters 22-35: Goal gm2. Prover result is: Unknown (sat). The program does not comply to the verification goal, for example during the following execution: File polymorphism.mlw: Line 11: x = (C 2 false) x = (C 2 false) Execution of main function `gm2'goal` with env: x = (C 2 false) Unknown location: Normal execution of function `Tuple0` with args: File polymorphism.mlw: Line 11: Property failure at postcondition of `gm2'goal` with: False = UNDEFINED x = (C 2 false) Categorizations of models: - Checked model 0: BAD_CE - Concrete RAC: NORMAL - Abstract RAC: NORMAL File "bench/check-ce/polymorphism.mlw", line 15, characters 30-37: Goal g. Prover result is: Unknown or time/memory/step limit. why3-1.6.0/bench/check-ce/oracles/range_type_float_CVC4,1.8_SP.oracle000066400000000000000000000020501440160026300247470ustar00rootroot00000000000000Categorizations of models: - Selected model 0: NC - Concrete RAC: FAILURE (assertion at "bench/check-ce/range_type_float.mlw", line 10, characters 12-26) - Abstract RAC: FAILURE (assertion at "bench/check-ce/range_type_float.mlw", line 10, characters 12-26) - Checked model 1: NC - Concrete RAC: FAILURE (assertion at "bench/check-ce/range_type_float.mlw", line 10, characters 12-26) - Abstract RAC: FAILURE (assertion at "bench/check-ce/range_type_float.mlw", line 10, characters 12-26) File "bench/check-ce/range_type_float.mlw", line 10, characters 12-26: Sub-goal Assertion of goal f'vc. Prover result is: Unknown or time/memory/step limit. The program does not comply to the verification goal, for example during the following execution: File range_type_float.mlw: Line 8: x = epsilon x:t. t'real x = 10.0 x = epsilon x:t. t'real x = 10.0 Execution of main function `f` with env: x = epsilon x:t. t'real x = 10.0 Line 10: Property failure at assertion with: x = epsilon x:t. t'real x = 10.0 why3-1.6.0/bench/check-ce/oracles/range_type_float_CVC4,1.8_WP.oracle000066400000000000000000000020501440160026300247530ustar00rootroot00000000000000Categorizations of models: - Selected model 0: NC - Concrete RAC: FAILURE (assertion at "bench/check-ce/range_type_float.mlw", line 10, characters 12-26) - Abstract RAC: FAILURE (assertion at "bench/check-ce/range_type_float.mlw", line 10, characters 12-26) - Checked model 1: NC - Concrete RAC: FAILURE (assertion at "bench/check-ce/range_type_float.mlw", line 10, characters 12-26) - Abstract RAC: FAILURE (assertion at "bench/check-ce/range_type_float.mlw", line 10, characters 12-26) File "bench/check-ce/range_type_float.mlw", line 10, characters 12-26: Sub-goal Assertion of goal f'vc. Prover result is: Unknown or time/memory/step limit. The program does not comply to the verification goal, for example during the following execution: File range_type_float.mlw: Line 8: x = epsilon x:t. t'real x = 10.0 x = epsilon x:t. t'real x = 10.0 Execution of main function `f` with env: x = epsilon x:t. t'real x = 10.0 Line 10: Property failure at assertion with: x = epsilon x:t. t'real x = 10.0 why3-1.6.0/bench/check-ce/oracles/range_type_float_CVC5,1.0.0_SP.oracle000066400000000000000000000017741440160026300251120ustar00rootroot00000000000000Categorizations of models: - Selected model 0: NC - Concrete RAC: FAILURE (assertion at "bench/check-ce/range_type_float.mlw", line 10, characters 12-26) - Abstract RAC: FAILURE (assertion at "bench/check-ce/range_type_float.mlw", line 10, characters 12-26) - Checked model 1: INCOMPLETE - Concrete RAC: INCOMPLETE (terminated because Assertion cannot be evaluated) - Abstract RAC: INCOMPLETE (terminated because Assertion cannot be evaluated) File "bench/check-ce/range_type_float.mlw", line 10, characters 12-26: Sub-goal Assertion of goal f'vc. Prover result is: Unknown or time/memory/step limit. The program does not comply to the verification goal, for example during the following execution: File range_type_float.mlw: Line 8: x = epsilon x:t. t'real x = 10.0 x = epsilon x:t. t'real x = 10.0 Execution of main function `f` with env: x = epsilon x:t. t'real x = 10.0 Line 10: Property failure at assertion with: x = epsilon x:t. t'real x = 10.0 why3-1.6.0/bench/check-ce/oracles/range_type_float_CVC5,1.0.0_WP.oracle000066400000000000000000000017741440160026300251160ustar00rootroot00000000000000Categorizations of models: - Selected model 0: NC - Concrete RAC: FAILURE (assertion at "bench/check-ce/range_type_float.mlw", line 10, characters 12-26) - Abstract RAC: FAILURE (assertion at "bench/check-ce/range_type_float.mlw", line 10, characters 12-26) - Checked model 1: INCOMPLETE - Concrete RAC: INCOMPLETE (terminated because Assertion cannot be evaluated) - Abstract RAC: INCOMPLETE (terminated because Assertion cannot be evaluated) File "bench/check-ce/range_type_float.mlw", line 10, characters 12-26: Sub-goal Assertion of goal f'vc. Prover result is: Unknown or time/memory/step limit. The program does not comply to the verification goal, for example during the following execution: File range_type_float.mlw: Line 8: x = epsilon x:t. t'real x = 10.0 x = epsilon x:t. t'real x = 10.0 Execution of main function `f` with env: x = epsilon x:t. t'real x = 10.0 Line 10: Property failure at assertion with: x = epsilon x:t. t'real x = 10.0 why3-1.6.0/bench/check-ce/oracles/range_type_float_Z3,4.8.10_SP.oracle000066400000000000000000000020241440160026300247670ustar00rootroot00000000000000Categorizations of models: - Selected model 0: NC - Concrete RAC: FAILURE (assertion at "bench/check-ce/range_type_float.mlw", line 10, characters 12-26) - Abstract RAC: FAILURE (assertion at "bench/check-ce/range_type_float.mlw", line 10, characters 12-26) - Checked model 1: NC - Concrete RAC: FAILURE (assertion at "bench/check-ce/range_type_float.mlw", line 10, characters 12-26) - Abstract RAC: FAILURE (assertion at "bench/check-ce/range_type_float.mlw", line 10, characters 12-26) File "bench/check-ce/range_type_float.mlw", line 10, characters 12-26: Sub-goal Assertion of goal f'vc. Prover result is: Unknown (sat). The program does not comply to the verification goal, for example during the following execution: File range_type_float.mlw: Line 8: x = epsilon x:t. t'real x = 10.0 x = epsilon x:t. t'real x = 10.0 Execution of main function `f` with env: x = epsilon x:t. t'real x = 10.0 Line 10: Property failure at assertion with: x = epsilon x:t. t'real x = 10.0 why3-1.6.0/bench/check-ce/oracles/range_type_float_Z3,4.8.10_WP.oracle000066400000000000000000000020241440160026300247730ustar00rootroot00000000000000Categorizations of models: - Selected model 0: NC - Concrete RAC: FAILURE (assertion at "bench/check-ce/range_type_float.mlw", line 10, characters 12-26) - Abstract RAC: FAILURE (assertion at "bench/check-ce/range_type_float.mlw", line 10, characters 12-26) - Checked model 1: NC - Concrete RAC: FAILURE (assertion at "bench/check-ce/range_type_float.mlw", line 10, characters 12-26) - Abstract RAC: FAILURE (assertion at "bench/check-ce/range_type_float.mlw", line 10, characters 12-26) File "bench/check-ce/range_type_float.mlw", line 10, characters 12-26: Sub-goal Assertion of goal f'vc. Prover result is: Unknown (sat). The program does not comply to the verification goal, for example during the following execution: File range_type_float.mlw: Line 8: x = epsilon x:t. t'real x = 10.0 x = epsilon x:t. t'real x = 10.0 Execution of main function `f` with env: x = epsilon x:t. t'real x = 10.0 Line 10: Property failure at assertion with: x = epsilon x:t. t'real x = 10.0 why3-1.6.0/bench/check-ce/oracles/range_type_int_CVC4,1.8_SP.oracle000066400000000000000000000022551440160026300244430ustar00rootroot00000000000000Categorizations of models: - Selected model 0: NC - Concrete RAC: FAILURE (assertion at "bench/check-ce/range_type_int.mlw", line 9, characters 12-27) - Abstract RAC: FAILURE (assertion at "bench/check-ce/range_type_int.mlw", line 9, characters 12-27) - Checked model 1: NC - Concrete RAC: FAILURE (assertion at "bench/check-ce/range_type_int.mlw", line 9, characters 12-27) - Abstract RAC: FAILURE (assertion at "bench/check-ce/range_type_int.mlw", line 9, characters 12-27) File "bench/check-ce/range_type_int.mlw", line 9, characters 12-27: Sub-goal Assertion of goal f'vc. Prover result is: Unknown (sat). The program does not comply to the verification goal, for example during the following execution: File int.mlw: Line 13: Constant zero initialization zero = 0 Line 14: Constant one initialization one = 1 File range_type_int.mlw: Line 7: x = epsilon x:int32. int32'int x = 5 x = epsilon x:int32. int32'int x = 5 Execution of main function `f` with env: x = epsilon x:int32. int32'int x = 5 zero = 0 one = 1 Line 9: Property failure at assertion with: x = epsilon x:int32. int32'int x = 5 why3-1.6.0/bench/check-ce/oracles/range_type_int_CVC4,1.8_WP.oracle000066400000000000000000000022551440160026300244470ustar00rootroot00000000000000Categorizations of models: - Selected model 0: NC - Concrete RAC: FAILURE (assertion at "bench/check-ce/range_type_int.mlw", line 9, characters 12-27) - Abstract RAC: FAILURE (assertion at "bench/check-ce/range_type_int.mlw", line 9, characters 12-27) - Checked model 1: NC - Concrete RAC: FAILURE (assertion at "bench/check-ce/range_type_int.mlw", line 9, characters 12-27) - Abstract RAC: FAILURE (assertion at "bench/check-ce/range_type_int.mlw", line 9, characters 12-27) File "bench/check-ce/range_type_int.mlw", line 9, characters 12-27: Sub-goal Assertion of goal f'vc. Prover result is: Unknown (sat). The program does not comply to the verification goal, for example during the following execution: File int.mlw: Line 13: Constant zero initialization zero = 0 Line 14: Constant one initialization one = 1 File range_type_int.mlw: Line 7: x = epsilon x:int32. int32'int x = 5 x = epsilon x:int32. int32'int x = 5 Execution of main function `f` with env: x = epsilon x:int32. int32'int x = 5 zero = 0 one = 1 Line 9: Property failure at assertion with: x = epsilon x:int32. int32'int x = 5 why3-1.6.0/bench/check-ce/oracles/range_type_int_CVC5,1.0.0_SP.oracle000066400000000000000000000022551440160026300245720ustar00rootroot00000000000000Categorizations of models: - Selected model 0: NC - Concrete RAC: FAILURE (assertion at "bench/check-ce/range_type_int.mlw", line 9, characters 12-27) - Abstract RAC: FAILURE (assertion at "bench/check-ce/range_type_int.mlw", line 9, characters 12-27) - Checked model 1: NC - Concrete RAC: FAILURE (assertion at "bench/check-ce/range_type_int.mlw", line 9, characters 12-27) - Abstract RAC: FAILURE (assertion at "bench/check-ce/range_type_int.mlw", line 9, characters 12-27) File "bench/check-ce/range_type_int.mlw", line 9, characters 12-27: Sub-goal Assertion of goal f'vc. Prover result is: Unknown (sat). The program does not comply to the verification goal, for example during the following execution: File int.mlw: Line 13: Constant zero initialization zero = 0 Line 14: Constant one initialization one = 1 File range_type_int.mlw: Line 7: x = epsilon x:int32. int32'int x = 5 x = epsilon x:int32. int32'int x = 5 Execution of main function `f` with env: x = epsilon x:int32. int32'int x = 5 zero = 0 one = 1 Line 9: Property failure at assertion with: x = epsilon x:int32. int32'int x = 5 why3-1.6.0/bench/check-ce/oracles/range_type_int_CVC5,1.0.0_WP.oracle000066400000000000000000000022551440160026300245760ustar00rootroot00000000000000Categorizations of models: - Selected model 0: NC - Concrete RAC: FAILURE (assertion at "bench/check-ce/range_type_int.mlw", line 9, characters 12-27) - Abstract RAC: FAILURE (assertion at "bench/check-ce/range_type_int.mlw", line 9, characters 12-27) - Checked model 1: NC - Concrete RAC: FAILURE (assertion at "bench/check-ce/range_type_int.mlw", line 9, characters 12-27) - Abstract RAC: FAILURE (assertion at "bench/check-ce/range_type_int.mlw", line 9, characters 12-27) File "bench/check-ce/range_type_int.mlw", line 9, characters 12-27: Sub-goal Assertion of goal f'vc. Prover result is: Unknown (sat). The program does not comply to the verification goal, for example during the following execution: File int.mlw: Line 13: Constant zero initialization zero = 0 Line 14: Constant one initialization one = 1 File range_type_int.mlw: Line 7: x = epsilon x:int32. int32'int x = 5 x = epsilon x:int32. int32'int x = 5 Execution of main function `f` with env: x = epsilon x:int32. int32'int x = 5 zero = 0 one = 1 Line 9: Property failure at assertion with: x = epsilon x:int32. int32'int x = 5 why3-1.6.0/bench/check-ce/oracles/range_type_int_Z3,4.8.10_SP.oracle000066400000000000000000000022551440160026300244620ustar00rootroot00000000000000Categorizations of models: - Selected model 0: NC - Concrete RAC: FAILURE (assertion at "bench/check-ce/range_type_int.mlw", line 9, characters 12-27) - Abstract RAC: FAILURE (assertion at "bench/check-ce/range_type_int.mlw", line 9, characters 12-27) - Checked model 1: NC - Concrete RAC: FAILURE (assertion at "bench/check-ce/range_type_int.mlw", line 9, characters 12-27) - Abstract RAC: FAILURE (assertion at "bench/check-ce/range_type_int.mlw", line 9, characters 12-27) File "bench/check-ce/range_type_int.mlw", line 9, characters 12-27: Sub-goal Assertion of goal f'vc. Prover result is: Unknown (sat). The program does not comply to the verification goal, for example during the following execution: File int.mlw: Line 13: Constant zero initialization zero = 0 Line 14: Constant one initialization one = 1 File range_type_int.mlw: Line 7: x = epsilon x:int32. int32'int x = 5 x = epsilon x:int32. int32'int x = 5 Execution of main function `f` with env: x = epsilon x:int32. int32'int x = 5 zero = 0 one = 1 Line 9: Property failure at assertion with: x = epsilon x:int32. int32'int x = 5 why3-1.6.0/bench/check-ce/oracles/range_type_int_Z3,4.8.10_WP.oracle000066400000000000000000000022551440160026300244660ustar00rootroot00000000000000Categorizations of models: - Selected model 0: NC - Concrete RAC: FAILURE (assertion at "bench/check-ce/range_type_int.mlw", line 9, characters 12-27) - Abstract RAC: FAILURE (assertion at "bench/check-ce/range_type_int.mlw", line 9, characters 12-27) - Checked model 1: NC - Concrete RAC: FAILURE (assertion at "bench/check-ce/range_type_int.mlw", line 9, characters 12-27) - Abstract RAC: FAILURE (assertion at "bench/check-ce/range_type_int.mlw", line 9, characters 12-27) File "bench/check-ce/range_type_int.mlw", line 9, characters 12-27: Sub-goal Assertion of goal f'vc. Prover result is: Unknown (sat). The program does not comply to the verification goal, for example during the following execution: File int.mlw: Line 13: Constant zero initialization zero = 0 Line 14: Constant one initialization one = 1 File range_type_int.mlw: Line 7: x = epsilon x:int32. int32'int x = 5 x = epsilon x:int32. int32'int x = 5 Execution of main function `f` with env: x = epsilon x:int32. int32'int x = 5 zero = 0 one = 1 Line 9: Property failure at assertion with: x = epsilon x:int32. int32'int x = 5 why3-1.6.0/bench/check-ce/oracles/real_values_CVC4,1.8_SP.oracle000066400000000000000000000077111440160026300237400ustar00rootroot00000000000000Categorizations of models: - Selected model 0: NC - Concrete RAC: FAILURE (postcondition at "bench/check-ce/real_values.mlw", line 3, characters 28-43) - Abstract RAC: FAILURE (postcondition at "bench/check-ce/real_values.mlw", line 3, characters 28-43) - Checked model 1: NC - Concrete RAC: FAILURE (postcondition at "bench/check-ce/real_values.mlw", line 3, characters 28-43) - Abstract RAC: FAILURE (postcondition at "bench/check-ce/real_values.mlw", line 3, characters 28-43) File "bench/check-ce/real_values.mlw", line 3, characters 28-43: Goal test1. Prover result is: Unknown or time/memory/step limit. The program does not comply to the verification goal, for example during the following execution: File real_values.mlw: Line 3: x = (- 1.0) / 2.0 x = (- 1.0) / 2.0 Execution of main function `test1'goal` with env: x = (- 1.0) / 2.0 Unknown location: Normal execution of function `Tuple0` with args: File real_values.mlw: Line 3: Property failure at postcondition of `test1'goal` with: x = (- 1.0) / 2.0 Categorizations of models: - Selected model 0: NC - Concrete RAC: FAILURE (postcondition at "bench/check-ce/real_values.mlw", line 5, characters 28-37) - Abstract RAC: FAILURE (postcondition at "bench/check-ce/real_values.mlw", line 5, characters 28-37) - Checked model 1: NC - Concrete RAC: FAILURE (postcondition at "bench/check-ce/real_values.mlw", line 5, characters 28-37) - Abstract RAC: FAILURE (postcondition at "bench/check-ce/real_values.mlw", line 5, characters 28-37) File "bench/check-ce/real_values.mlw", line 5, characters 28-37: Goal test2. Prover result is: Unknown or time/memory/step limit. The program does not comply to the verification goal, for example during the following execution: File real_values.mlw: Line 5: x = 10.0 x = 10.0 Execution of main function `test2'goal` with env: x = 10.0 Unknown location: Normal execution of function `Tuple0` with args: File real_values.mlw: Line 5: Property failure at postcondition of `test2'goal` with: x = 10.0 Categorizations of models: - Selected model 0: NC - Concrete RAC: FAILURE (postcondition at "bench/check-ce/real_values.mlw", line 7, characters 28-47) - Abstract RAC: FAILURE (postcondition at "bench/check-ce/real_values.mlw", line 7, characters 28-47) - Checked model 1: NC - Concrete RAC: FAILURE (postcondition at "bench/check-ce/real_values.mlw", line 7, characters 28-47) - Abstract RAC: FAILURE (postcondition at "bench/check-ce/real_values.mlw", line 7, characters 28-47) File "bench/check-ce/real_values.mlw", line 7, characters 28-47: Goal test3. Prover result is: Unknown or time/memory/step limit. The program does not comply to the verification goal, for example during the following execution: File real_values.mlw: Line 7: x = 1.0 / 4.0 x = 1.0 / 4.0 Execution of main function `test3'goal` with env: x = 1.0 / 4.0 Unknown location: Normal execution of function `Tuple0` with args: File real_values.mlw: Line 7: Property failure at postcondition of `test3'goal` with: x = 1.0 / 4.0 Categorizations of models: - Checked model 0: INCOMPLETE - Concrete RAC: INCOMPLETE (terminated because Postcondition of `test4'goal` cannot be evaluated) - Abstract RAC: INCOMPLETE (terminated because Postcondition of `test4'goal` cannot be evaluated) - Selected model 1: INCOMPLETE - Concrete RAC: INCOMPLETE (terminated because Postcondition of `test4'goal1` cannot be evaluated) - Abstract RAC: INCOMPLETE (terminated because Postcondition of `test4'goal1` cannot be evaluated) File "bench/check-ce/real_values.mlw", line 9, characters 28-39: Goal test4. Prover result is: Unknown or time/memory/step limit. The following counterexample model could not be verified (both RAC terminated because Postcondition of `test4'goal1` cannot be evaluated): File real_values.mlw: Line 9: x : real = 0.0 why3-1.6.0/bench/check-ce/oracles/real_values_CVC4,1.8_WP.oracle000066400000000000000000000077111440160026300237440ustar00rootroot00000000000000Categorizations of models: - Selected model 0: NC - Concrete RAC: FAILURE (postcondition at "bench/check-ce/real_values.mlw", line 3, characters 28-43) - Abstract RAC: FAILURE (postcondition at "bench/check-ce/real_values.mlw", line 3, characters 28-43) - Checked model 1: NC - Concrete RAC: FAILURE (postcondition at "bench/check-ce/real_values.mlw", line 3, characters 28-43) - Abstract RAC: FAILURE (postcondition at "bench/check-ce/real_values.mlw", line 3, characters 28-43) File "bench/check-ce/real_values.mlw", line 3, characters 28-43: Goal test1. Prover result is: Unknown or time/memory/step limit. The program does not comply to the verification goal, for example during the following execution: File real_values.mlw: Line 3: x = (- 1.0) / 2.0 x = (- 1.0) / 2.0 Execution of main function `test1'goal` with env: x = (- 1.0) / 2.0 Unknown location: Normal execution of function `Tuple0` with args: File real_values.mlw: Line 3: Property failure at postcondition of `test1'goal` with: x = (- 1.0) / 2.0 Categorizations of models: - Selected model 0: NC - Concrete RAC: FAILURE (postcondition at "bench/check-ce/real_values.mlw", line 5, characters 28-37) - Abstract RAC: FAILURE (postcondition at "bench/check-ce/real_values.mlw", line 5, characters 28-37) - Checked model 1: NC - Concrete RAC: FAILURE (postcondition at "bench/check-ce/real_values.mlw", line 5, characters 28-37) - Abstract RAC: FAILURE (postcondition at "bench/check-ce/real_values.mlw", line 5, characters 28-37) File "bench/check-ce/real_values.mlw", line 5, characters 28-37: Goal test2. Prover result is: Unknown or time/memory/step limit. The program does not comply to the verification goal, for example during the following execution: File real_values.mlw: Line 5: x = 10.0 x = 10.0 Execution of main function `test2'goal` with env: x = 10.0 Unknown location: Normal execution of function `Tuple0` with args: File real_values.mlw: Line 5: Property failure at postcondition of `test2'goal` with: x = 10.0 Categorizations of models: - Selected model 0: NC - Concrete RAC: FAILURE (postcondition at "bench/check-ce/real_values.mlw", line 7, characters 28-47) - Abstract RAC: FAILURE (postcondition at "bench/check-ce/real_values.mlw", line 7, characters 28-47) - Checked model 1: NC - Concrete RAC: FAILURE (postcondition at "bench/check-ce/real_values.mlw", line 7, characters 28-47) - Abstract RAC: FAILURE (postcondition at "bench/check-ce/real_values.mlw", line 7, characters 28-47) File "bench/check-ce/real_values.mlw", line 7, characters 28-47: Goal test3. Prover result is: Unknown or time/memory/step limit. The program does not comply to the verification goal, for example during the following execution: File real_values.mlw: Line 7: x = 1.0 / 4.0 x = 1.0 / 4.0 Execution of main function `test3'goal` with env: x = 1.0 / 4.0 Unknown location: Normal execution of function `Tuple0` with args: File real_values.mlw: Line 7: Property failure at postcondition of `test3'goal` with: x = 1.0 / 4.0 Categorizations of models: - Checked model 0: INCOMPLETE - Concrete RAC: INCOMPLETE (terminated because Postcondition of `test4'goal` cannot be evaluated) - Abstract RAC: INCOMPLETE (terminated because Postcondition of `test4'goal` cannot be evaluated) - Selected model 1: INCOMPLETE - Concrete RAC: INCOMPLETE (terminated because Postcondition of `test4'goal1` cannot be evaluated) - Abstract RAC: INCOMPLETE (terminated because Postcondition of `test4'goal1` cannot be evaluated) File "bench/check-ce/real_values.mlw", line 9, characters 28-39: Goal test4. Prover result is: Unknown or time/memory/step limit. The following counterexample model could not be verified (both RAC terminated because Postcondition of `test4'goal1` cannot be evaluated): File real_values.mlw: Line 9: x : real = 0.0 why3-1.6.0/bench/check-ce/oracles/real_values_CVC5,1.0.0_SP.oracle000066400000000000000000000077161440160026300240740ustar00rootroot00000000000000Categorizations of models: - Selected model 0: NC - Concrete RAC: FAILURE (postcondition at "bench/check-ce/real_values.mlw", line 3, characters 28-43) - Abstract RAC: FAILURE (postcondition at "bench/check-ce/real_values.mlw", line 3, characters 28-43) - Checked model 1: INCOMPLETE - Concrete RAC: INCOMPLETE (terminated because Postcondition of `test1'goal1` cannot be evaluated) - Abstract RAC: INCOMPLETE (terminated because Postcondition of `test1'goal1` cannot be evaluated) File "bench/check-ce/real_values.mlw", line 3, characters 28-43: Goal test1. Prover result is: Unknown or time/memory/step limit. The program does not comply to the verification goal, for example during the following execution: File real_values.mlw: Line 3: x = (- 1.0) / 2.0 x = (- 1.0) / 2.0 Execution of main function `test1'goal` with env: x = (- 1.0) / 2.0 Unknown location: Normal execution of function `Tuple0` with args: File real_values.mlw: Line 3: Property failure at postcondition of `test1'goal` with: x = (- 1.0) / 2.0 Categorizations of models: - Selected model 0: NC - Concrete RAC: FAILURE (postcondition at "bench/check-ce/real_values.mlw", line 5, characters 28-37) - Abstract RAC: FAILURE (postcondition at "bench/check-ce/real_values.mlw", line 5, characters 28-37) - Checked model 1: INCOMPLETE - Concrete RAC: INCOMPLETE (terminated because Postcondition of `test2'goal1` cannot be evaluated) - Abstract RAC: INCOMPLETE (terminated because Postcondition of `test2'goal1` cannot be evaluated) File "bench/check-ce/real_values.mlw", line 5, characters 28-37: Goal test2. Prover result is: Unknown or time/memory/step limit. The program does not comply to the verification goal, for example during the following execution: File real_values.mlw: Line 5: x = 10.0 x = 10.0 Execution of main function `test2'goal` with env: x = 10.0 Unknown location: Normal execution of function `Tuple0` with args: File real_values.mlw: Line 5: Property failure at postcondition of `test2'goal` with: x = 10.0 Categorizations of models: - Selected model 0: NC - Concrete RAC: FAILURE (postcondition at "bench/check-ce/real_values.mlw", line 7, characters 28-47) - Abstract RAC: FAILURE (postcondition at "bench/check-ce/real_values.mlw", line 7, characters 28-47) - Checked model 1: INCOMPLETE - Concrete RAC: INCOMPLETE (terminated because Postcondition of `test3'goal1` cannot be evaluated) - Abstract RAC: INCOMPLETE (terminated because Postcondition of `test3'goal1` cannot be evaluated) File "bench/check-ce/real_values.mlw", line 7, characters 28-47: Goal test3. Prover result is: Unknown or time/memory/step limit. The program does not comply to the verification goal, for example during the following execution: File real_values.mlw: Line 7: x = 1.0 / 4.0 x = 1.0 / 4.0 Execution of main function `test3'goal` with env: x = 1.0 / 4.0 Unknown location: Normal execution of function `Tuple0` with args: File real_values.mlw: Line 7: Property failure at postcondition of `test3'goal` with: x = 1.0 / 4.0 Categorizations of models: - Selected model 0: INCOMPLETE - Concrete RAC: INCOMPLETE (terminated because Postcondition of `test4'goal` cannot be evaluated) - Abstract RAC: INCOMPLETE (terminated because Postcondition of `test4'goal` cannot be evaluated) - Checked model 1: INCOMPLETE - Concrete RAC: INCOMPLETE (terminated because Postcondition of `test4'goal1` cannot be evaluated) - Abstract RAC: INCOMPLETE (terminated because Postcondition of `test4'goal1` cannot be evaluated) File "bench/check-ce/real_values.mlw", line 9, characters 28-39: Goal test4. Prover result is: Unknown or time/memory/step limit. The following counterexample model could not be verified (both RAC terminated because Postcondition of `test4'goal` cannot be evaluated): File real_values.mlw: Line 9: x : real = 0.0 why3-1.6.0/bench/check-ce/oracles/real_values_CVC5,1.0.0_WP.oracle000066400000000000000000000077161440160026300241000ustar00rootroot00000000000000Categorizations of models: - Selected model 0: NC - Concrete RAC: FAILURE (postcondition at "bench/check-ce/real_values.mlw", line 3, characters 28-43) - Abstract RAC: FAILURE (postcondition at "bench/check-ce/real_values.mlw", line 3, characters 28-43) - Checked model 1: INCOMPLETE - Concrete RAC: INCOMPLETE (terminated because Postcondition of `test1'goal1` cannot be evaluated) - Abstract RAC: INCOMPLETE (terminated because Postcondition of `test1'goal1` cannot be evaluated) File "bench/check-ce/real_values.mlw", line 3, characters 28-43: Goal test1. Prover result is: Unknown or time/memory/step limit. The program does not comply to the verification goal, for example during the following execution: File real_values.mlw: Line 3: x = (- 1.0) / 2.0 x = (- 1.0) / 2.0 Execution of main function `test1'goal` with env: x = (- 1.0) / 2.0 Unknown location: Normal execution of function `Tuple0` with args: File real_values.mlw: Line 3: Property failure at postcondition of `test1'goal` with: x = (- 1.0) / 2.0 Categorizations of models: - Selected model 0: NC - Concrete RAC: FAILURE (postcondition at "bench/check-ce/real_values.mlw", line 5, characters 28-37) - Abstract RAC: FAILURE (postcondition at "bench/check-ce/real_values.mlw", line 5, characters 28-37) - Checked model 1: INCOMPLETE - Concrete RAC: INCOMPLETE (terminated because Postcondition of `test2'goal1` cannot be evaluated) - Abstract RAC: INCOMPLETE (terminated because Postcondition of `test2'goal1` cannot be evaluated) File "bench/check-ce/real_values.mlw", line 5, characters 28-37: Goal test2. Prover result is: Unknown or time/memory/step limit. The program does not comply to the verification goal, for example during the following execution: File real_values.mlw: Line 5: x = 10.0 x = 10.0 Execution of main function `test2'goal` with env: x = 10.0 Unknown location: Normal execution of function `Tuple0` with args: File real_values.mlw: Line 5: Property failure at postcondition of `test2'goal` with: x = 10.0 Categorizations of models: - Selected model 0: NC - Concrete RAC: FAILURE (postcondition at "bench/check-ce/real_values.mlw", line 7, characters 28-47) - Abstract RAC: FAILURE (postcondition at "bench/check-ce/real_values.mlw", line 7, characters 28-47) - Checked model 1: INCOMPLETE - Concrete RAC: INCOMPLETE (terminated because Postcondition of `test3'goal1` cannot be evaluated) - Abstract RAC: INCOMPLETE (terminated because Postcondition of `test3'goal1` cannot be evaluated) File "bench/check-ce/real_values.mlw", line 7, characters 28-47: Goal test3. Prover result is: Unknown or time/memory/step limit. The program does not comply to the verification goal, for example during the following execution: File real_values.mlw: Line 7: x = 1.0 / 4.0 x = 1.0 / 4.0 Execution of main function `test3'goal` with env: x = 1.0 / 4.0 Unknown location: Normal execution of function `Tuple0` with args: File real_values.mlw: Line 7: Property failure at postcondition of `test3'goal` with: x = 1.0 / 4.0 Categorizations of models: - Selected model 0: INCOMPLETE - Concrete RAC: INCOMPLETE (terminated because Postcondition of `test4'goal` cannot be evaluated) - Abstract RAC: INCOMPLETE (terminated because Postcondition of `test4'goal` cannot be evaluated) - Checked model 1: INCOMPLETE - Concrete RAC: INCOMPLETE (terminated because Postcondition of `test4'goal1` cannot be evaluated) - Abstract RAC: INCOMPLETE (terminated because Postcondition of `test4'goal1` cannot be evaluated) File "bench/check-ce/real_values.mlw", line 9, characters 28-39: Goal test4. Prover result is: Unknown or time/memory/step limit. The following counterexample model could not be verified (both RAC terminated because Postcondition of `test4'goal` cannot be evaluated): File real_values.mlw: Line 9: x : real = 0.0 why3-1.6.0/bench/check-ce/oracles/real_values_Z3,4.8.10_SP.oracle000066400000000000000000000075711440160026300237630ustar00rootroot00000000000000Categorizations of models: - Selected model 0: NC - Concrete RAC: FAILURE (postcondition at "bench/check-ce/real_values.mlw", line 3, characters 28-43) - Abstract RAC: FAILURE (postcondition at "bench/check-ce/real_values.mlw", line 3, characters 28-43) - Checked model 1: NC - Concrete RAC: FAILURE (postcondition at "bench/check-ce/real_values.mlw", line 3, characters 28-43) - Abstract RAC: FAILURE (postcondition at "bench/check-ce/real_values.mlw", line 3, characters 28-43) File "bench/check-ce/real_values.mlw", line 3, characters 28-43: Goal test1. Prover result is: Unknown (sat). The program does not comply to the verification goal, for example during the following execution: File real_values.mlw: Line 3: x = (- 1.0) / 2.0 x = (- 1.0) / 2.0 Execution of main function `test1'goal` with env: x = (- 1.0) / 2.0 Unknown location: Normal execution of function `Tuple0` with args: File real_values.mlw: Line 3: Property failure at postcondition of `test1'goal` with: x = (- 1.0) / 2.0 Categorizations of models: - Selected model 0: NC - Concrete RAC: FAILURE (postcondition at "bench/check-ce/real_values.mlw", line 5, characters 28-37) - Abstract RAC: FAILURE (postcondition at "bench/check-ce/real_values.mlw", line 5, characters 28-37) - Checked model 1: NC - Concrete RAC: FAILURE (postcondition at "bench/check-ce/real_values.mlw", line 5, characters 28-37) - Abstract RAC: FAILURE (postcondition at "bench/check-ce/real_values.mlw", line 5, characters 28-37) File "bench/check-ce/real_values.mlw", line 5, characters 28-37: Goal test2. Prover result is: Unknown (sat). The program does not comply to the verification goal, for example during the following execution: File real_values.mlw: Line 5: x = 10.0 x = 10.0 Execution of main function `test2'goal` with env: x = 10.0 Unknown location: Normal execution of function `Tuple0` with args: File real_values.mlw: Line 5: Property failure at postcondition of `test2'goal` with: x = 10.0 Categorizations of models: - Selected model 0: NC - Concrete RAC: FAILURE (postcondition at "bench/check-ce/real_values.mlw", line 7, characters 28-47) - Abstract RAC: FAILURE (postcondition at "bench/check-ce/real_values.mlw", line 7, characters 28-47) - Checked model 1: NC - Concrete RAC: FAILURE (postcondition at "bench/check-ce/real_values.mlw", line 7, characters 28-47) - Abstract RAC: FAILURE (postcondition at "bench/check-ce/real_values.mlw", line 7, characters 28-47) File "bench/check-ce/real_values.mlw", line 7, characters 28-47: Goal test3. Prover result is: Unknown (sat). The program does not comply to the verification goal, for example during the following execution: File real_values.mlw: Line 7: x = 1.0 / 2.0 x = 1.0 / 2.0 Execution of main function `test3'goal` with env: x = 1.0 / 2.0 Unknown location: Normal execution of function `Tuple0` with args: File real_values.mlw: Line 7: Property failure at postcondition of `test3'goal` with: x = 1.0 / 2.0 Categorizations of models: - Checked model 0: INCOMPLETE - Concrete RAC: INCOMPLETE (terminated because Postcondition of `test4'goal` cannot be evaluated) - Abstract RAC: INCOMPLETE (terminated because Postcondition of `test4'goal` cannot be evaluated) - Selected model 1: INCOMPLETE - Concrete RAC: INCOMPLETE (terminated because Postcondition of `test4'goal1` cannot be evaluated) - Abstract RAC: INCOMPLETE (terminated because Postcondition of `test4'goal1` cannot be evaluated) File "bench/check-ce/real_values.mlw", line 9, characters 28-39: Goal test4. Prover result is: Unknown (sat). The following counterexample model could not be verified (both RAC terminated because Postcondition of `test4'goal1` cannot be evaluated): File real_values.mlw: Line 9: x : real = 0.0 why3-1.6.0/bench/check-ce/oracles/real_values_Z3,4.8.10_WP.oracle000066400000000000000000000075711440160026300237670ustar00rootroot00000000000000Categorizations of models: - Selected model 0: NC - Concrete RAC: FAILURE (postcondition at "bench/check-ce/real_values.mlw", line 3, characters 28-43) - Abstract RAC: FAILURE (postcondition at "bench/check-ce/real_values.mlw", line 3, characters 28-43) - Checked model 1: NC - Concrete RAC: FAILURE (postcondition at "bench/check-ce/real_values.mlw", line 3, characters 28-43) - Abstract RAC: FAILURE (postcondition at "bench/check-ce/real_values.mlw", line 3, characters 28-43) File "bench/check-ce/real_values.mlw", line 3, characters 28-43: Goal test1. Prover result is: Unknown (sat). The program does not comply to the verification goal, for example during the following execution: File real_values.mlw: Line 3: x = (- 1.0) / 2.0 x = (- 1.0) / 2.0 Execution of main function `test1'goal` with env: x = (- 1.0) / 2.0 Unknown location: Normal execution of function `Tuple0` with args: File real_values.mlw: Line 3: Property failure at postcondition of `test1'goal` with: x = (- 1.0) / 2.0 Categorizations of models: - Selected model 0: NC - Concrete RAC: FAILURE (postcondition at "bench/check-ce/real_values.mlw", line 5, characters 28-37) - Abstract RAC: FAILURE (postcondition at "bench/check-ce/real_values.mlw", line 5, characters 28-37) - Checked model 1: NC - Concrete RAC: FAILURE (postcondition at "bench/check-ce/real_values.mlw", line 5, characters 28-37) - Abstract RAC: FAILURE (postcondition at "bench/check-ce/real_values.mlw", line 5, characters 28-37) File "bench/check-ce/real_values.mlw", line 5, characters 28-37: Goal test2. Prover result is: Unknown (sat). The program does not comply to the verification goal, for example during the following execution: File real_values.mlw: Line 5: x = 10.0 x = 10.0 Execution of main function `test2'goal` with env: x = 10.0 Unknown location: Normal execution of function `Tuple0` with args: File real_values.mlw: Line 5: Property failure at postcondition of `test2'goal` with: x = 10.0 Categorizations of models: - Selected model 0: NC - Concrete RAC: FAILURE (postcondition at "bench/check-ce/real_values.mlw", line 7, characters 28-47) - Abstract RAC: FAILURE (postcondition at "bench/check-ce/real_values.mlw", line 7, characters 28-47) - Checked model 1: NC - Concrete RAC: FAILURE (postcondition at "bench/check-ce/real_values.mlw", line 7, characters 28-47) - Abstract RAC: FAILURE (postcondition at "bench/check-ce/real_values.mlw", line 7, characters 28-47) File "bench/check-ce/real_values.mlw", line 7, characters 28-47: Goal test3. Prover result is: Unknown (sat). The program does not comply to the verification goal, for example during the following execution: File real_values.mlw: Line 7: x = 1.0 / 2.0 x = 1.0 / 2.0 Execution of main function `test3'goal` with env: x = 1.0 / 2.0 Unknown location: Normal execution of function `Tuple0` with args: File real_values.mlw: Line 7: Property failure at postcondition of `test3'goal` with: x = 1.0 / 2.0 Categorizations of models: - Checked model 0: INCOMPLETE - Concrete RAC: INCOMPLETE (terminated because Postcondition of `test4'goal` cannot be evaluated) - Abstract RAC: INCOMPLETE (terminated because Postcondition of `test4'goal` cannot be evaluated) - Selected model 1: INCOMPLETE - Concrete RAC: INCOMPLETE (terminated because Postcondition of `test4'goal1` cannot be evaluated) - Abstract RAC: INCOMPLETE (terminated because Postcondition of `test4'goal1` cannot be evaluated) File "bench/check-ce/real_values.mlw", line 9, characters 28-39: Goal test4. Prover result is: Unknown (sat). The following counterexample model could not be verified (both RAC terminated because Postcondition of `test4'goal1` cannot be evaluated): File real_values.mlw: Line 9: x : real = 0.0 why3-1.6.0/bench/check-ce/oracles/record_map_CVC4,1.8_SP.oracle000066400000000000000000000123401440160026300235430ustar00rootroot00000000000000Categorizations of models: - Selected model 0: NC - Concrete RAC: FAILURE (postcondition at "bench/check-ce/record_map.mlw", line 41, characters 12-22) - Abstract RAC: FAILURE (postcondition at "bench/check-ce/record_map.mlw", line 41, characters 12-22) - Checked model 1: NC - Concrete RAC: FAILURE (postcondition at "bench/check-ce/record_map.mlw", line 41, characters 12-22) - Abstract RAC: FAILURE (postcondition at "bench/check-ce/record_map.mlw", line 41, characters 12-22) File "bench/check-ce/record_map.mlw", line 41, characters 12-22: Sub-goal Postcondition of goal map_record_proj_test1'vc. Prover result is: Unknown (sat). The program does not comply to the verification goal, for example during the following execution: File int.mlw: Line 13: Constant zero initialization zero = 0 Line 14: Constant one initialization one = 1 File record_map.mlw: Line 40: map_rec = fun (x:bool) -> if x = True then r'mk (- 1) False else r'mk 0 False map_rec = fun (x:bool) -> if x = True then r'mk (- 1) False else r'mk 0 False Execution of main function `map_record_proj_test1` with env: map_rec = fun (x:bool) -> if x = True then r'mk (- 1) False else r'mk 0 False zero = 0 one = 1 Line 43: Normal execution of function `True` with args: Normal execution of function `([])` with args: f = fun (x:bool) -> if x = True then r'mk (- 1) False else r'mk 0 False x = true File map.mlw: Line 17: Normal execution of function `(@)` with args: u = fun (x:bool) -> if x = True then r'mk (- 1) False else r'mk 0 False u = true File record_map.mlw: Line 43: Normal execution of function `f` with args: arg = r'mk (- 1) False Line 41: Property failure at postcondition of `map_record_proj_test1` with: result = (- 1) Categorizations of models: - Selected model 0: NC - Concrete RAC: FAILURE (postcondition at "bench/check-ce/record_map.mlw", line 46, characters 12-22) - Abstract RAC: FAILURE (postcondition at "bench/check-ce/record_map.mlw", line 46, characters 12-22) - Checked model 1: NC - Concrete RAC: FAILURE (postcondition at "bench/check-ce/record_map.mlw", line 46, characters 12-22) - Abstract RAC: FAILURE (postcondition at "bench/check-ce/record_map.mlw", line 46, characters 12-22) File "bench/check-ce/record_map.mlw", line 46, characters 12-22: Sub-goal Postcondition of goal record_map_proj_test2'vc. Prover result is: Unknown (sat). The program does not comply to the verification goal, for example during the following execution: File int.mlw: Line 13: Constant zero initialization zero = 0 Line 14: Constant one initialization one = 1 File record_map.mlw: Line 45: rec_map = {f_map= fun (x:bool) -> if x = True then (- 1) else 0; g_bool= false} rec_map = {f_map= fun (x:bool) -> if x = True then (- 1) else 0; g_bool= false} Execution of main function `record_map_proj_test2` with env: rec_map = {f_map= fun (x:bool) -> if x = True then (- 1) else 0; g_bool= false} zero = 0 one = 1 Line 48: Normal execution of function `True` with args: Normal execution of function `f_map` with args: arg = {f_map= fun (x:bool) -> if x = True then (- 1) else 0; g_bool= false} Normal execution of function `([])` with args: f = fun (x:bool) -> if x = True then (- 1) else 0 x = true File map.mlw: Line 17: Normal execution of function `(@)` with args: u = fun (x:bool) -> if x = True then (- 1) else 0 u = true File record_map.mlw: Line 46: Property failure at postcondition of `record_map_proj_test2` with: result = (- 1) Categorizations of models: - Selected model 0: NC - Concrete RAC: FAILURE (postcondition at "bench/check-ce/record_map.mlw", line 53, characters 12-31) - Abstract RAC: FAILURE (postcondition at "bench/check-ce/record_map.mlw", line 53, characters 12-31) - Checked model 1: NC - Concrete RAC: FAILURE (postcondition at "bench/check-ce/record_map.mlw", line 53, characters 12-31) - Abstract RAC: FAILURE (postcondition at "bench/check-ce/record_map.mlw", line 53, characters 12-31) File "bench/check-ce/record_map.mlw", line 53, characters 12-31: Sub-goal Postcondition of goal record_map_proj_test3'vc. Prover result is: Unknown (sat). The program does not comply to the verification goal, for example during the following execution: File int.mlw: Line 13: Constant zero initialization zero = 0 Line 14: Constant one initialization one = 1 File record_map.mlw: Line 50: re_rec_map = {f_map= fun (x:bool) -> 0; g_bool= true} Line 52: rec_map = {f_map= fun (x:bool) -> 0; g_bool= false} rec_map = {f_map= fun (x:bool) -> 0; g_bool= false} Execution of main function `record_map_proj_test3` with env: re_rec_map = {f_map= fun (x:bool) -> 0; g_bool= true} rec_map = {f_map= fun (x:bool) -> 0; g_bool= false} zero = 0 one = 1 Line 53: Property failure at postcondition of `record_map_proj_test3` with: re_rec_map = {f_map= fun (x:bool) -> 0; g_bool= true} result = {f_map= fun (x:bool) -> 0; g_bool= false} why3-1.6.0/bench/check-ce/oracles/record_map_CVC4,1.8_WP.oracle000066400000000000000000000123401440160026300235470ustar00rootroot00000000000000Categorizations of models: - Selected model 0: NC - Concrete RAC: FAILURE (postcondition at "bench/check-ce/record_map.mlw", line 41, characters 12-22) - Abstract RAC: FAILURE (postcondition at "bench/check-ce/record_map.mlw", line 41, characters 12-22) - Checked model 1: NC - Concrete RAC: FAILURE (postcondition at "bench/check-ce/record_map.mlw", line 41, characters 12-22) - Abstract RAC: FAILURE (postcondition at "bench/check-ce/record_map.mlw", line 41, characters 12-22) File "bench/check-ce/record_map.mlw", line 41, characters 12-22: Sub-goal Postcondition of goal map_record_proj_test1'vc. Prover result is: Unknown (sat). The program does not comply to the verification goal, for example during the following execution: File int.mlw: Line 13: Constant zero initialization zero = 0 Line 14: Constant one initialization one = 1 File record_map.mlw: Line 40: map_rec = fun (x:bool) -> if x = True then r'mk (- 1) False else r'mk 0 False map_rec = fun (x:bool) -> if x = True then r'mk (- 1) False else r'mk 0 False Execution of main function `map_record_proj_test1` with env: map_rec = fun (x:bool) -> if x = True then r'mk (- 1) False else r'mk 0 False zero = 0 one = 1 Line 43: Normal execution of function `True` with args: Normal execution of function `([])` with args: f = fun (x:bool) -> if x = True then r'mk (- 1) False else r'mk 0 False x = true File map.mlw: Line 17: Normal execution of function `(@)` with args: u = fun (x:bool) -> if x = True then r'mk (- 1) False else r'mk 0 False u = true File record_map.mlw: Line 43: Normal execution of function `f` with args: arg = r'mk (- 1) False Line 41: Property failure at postcondition of `map_record_proj_test1` with: result = (- 1) Categorizations of models: - Selected model 0: NC - Concrete RAC: FAILURE (postcondition at "bench/check-ce/record_map.mlw", line 46, characters 12-22) - Abstract RAC: FAILURE (postcondition at "bench/check-ce/record_map.mlw", line 46, characters 12-22) - Checked model 1: NC - Concrete RAC: FAILURE (postcondition at "bench/check-ce/record_map.mlw", line 46, characters 12-22) - Abstract RAC: FAILURE (postcondition at "bench/check-ce/record_map.mlw", line 46, characters 12-22) File "bench/check-ce/record_map.mlw", line 46, characters 12-22: Sub-goal Postcondition of goal record_map_proj_test2'vc. Prover result is: Unknown (sat). The program does not comply to the verification goal, for example during the following execution: File int.mlw: Line 13: Constant zero initialization zero = 0 Line 14: Constant one initialization one = 1 File record_map.mlw: Line 45: rec_map = {f_map= fun (x:bool) -> if x = True then (- 1) else 0; g_bool= false} rec_map = {f_map= fun (x:bool) -> if x = True then (- 1) else 0; g_bool= false} Execution of main function `record_map_proj_test2` with env: rec_map = {f_map= fun (x:bool) -> if x = True then (- 1) else 0; g_bool= false} zero = 0 one = 1 Line 48: Normal execution of function `True` with args: Normal execution of function `f_map` with args: arg = {f_map= fun (x:bool) -> if x = True then (- 1) else 0; g_bool= false} Normal execution of function `([])` with args: f = fun (x:bool) -> if x = True then (- 1) else 0 x = true File map.mlw: Line 17: Normal execution of function `(@)` with args: u = fun (x:bool) -> if x = True then (- 1) else 0 u = true File record_map.mlw: Line 46: Property failure at postcondition of `record_map_proj_test2` with: result = (- 1) Categorizations of models: - Selected model 0: NC - Concrete RAC: FAILURE (postcondition at "bench/check-ce/record_map.mlw", line 53, characters 12-31) - Abstract RAC: FAILURE (postcondition at "bench/check-ce/record_map.mlw", line 53, characters 12-31) - Checked model 1: NC - Concrete RAC: FAILURE (postcondition at "bench/check-ce/record_map.mlw", line 53, characters 12-31) - Abstract RAC: FAILURE (postcondition at "bench/check-ce/record_map.mlw", line 53, characters 12-31) File "bench/check-ce/record_map.mlw", line 53, characters 12-31: Sub-goal Postcondition of goal record_map_proj_test3'vc. Prover result is: Unknown (sat). The program does not comply to the verification goal, for example during the following execution: File int.mlw: Line 13: Constant zero initialization zero = 0 Line 14: Constant one initialization one = 1 File record_map.mlw: Line 50: re_rec_map = {f_map= fun (x:bool) -> 0; g_bool= true} Line 52: rec_map = {f_map= fun (x:bool) -> 0; g_bool= false} rec_map = {f_map= fun (x:bool) -> 0; g_bool= false} Execution of main function `record_map_proj_test3` with env: re_rec_map = {f_map= fun (x:bool) -> 0; g_bool= true} rec_map = {f_map= fun (x:bool) -> 0; g_bool= false} zero = 0 one = 1 Line 53: Property failure at postcondition of `record_map_proj_test3` with: re_rec_map = {f_map= fun (x:bool) -> 0; g_bool= true} result = {f_map= fun (x:bool) -> 0; g_bool= false} why3-1.6.0/bench/check-ce/oracles/record_map_CVC5,1.0.0_SP.oracle000066400000000000000000000123261440160026300236760ustar00rootroot00000000000000Categorizations of models: - Selected model 0: NC - Concrete RAC: FAILURE (postcondition at "bench/check-ce/record_map.mlw", line 41, characters 12-22) - Abstract RAC: FAILURE (postcondition at "bench/check-ce/record_map.mlw", line 41, characters 12-22) - Checked model 1: NC - Concrete RAC: FAILURE (postcondition at "bench/check-ce/record_map.mlw", line 41, characters 12-22) - Abstract RAC: FAILURE (postcondition at "bench/check-ce/record_map.mlw", line 41, characters 12-22) File "bench/check-ce/record_map.mlw", line 41, characters 12-22: Sub-goal Postcondition of goal map_record_proj_test1'vc. Prover result is: Unknown (sat). The program does not comply to the verification goal, for example during the following execution: File int.mlw: Line 13: Constant zero initialization zero = 0 Line 14: Constant one initialization one = 1 File record_map.mlw: Line 40: map_rec = fun (x:bool) -> if x = True then r'mk (- 1) True else r'mk 0 False map_rec = fun (x:bool) -> if x = True then r'mk (- 1) True else r'mk 0 False Execution of main function `map_record_proj_test1` with env: map_rec = fun (x:bool) -> if x = True then r'mk (- 1) True else r'mk 0 False zero = 0 one = 1 Line 43: Normal execution of function `True` with args: Normal execution of function `([])` with args: f = fun (x:bool) -> if x = True then r'mk (- 1) True else r'mk 0 False x = true File map.mlw: Line 17: Normal execution of function `(@)` with args: u = fun (x:bool) -> if x = True then r'mk (- 1) True else r'mk 0 False u = true File record_map.mlw: Line 43: Normal execution of function `f` with args: arg = r'mk (- 1) True Line 41: Property failure at postcondition of `map_record_proj_test1` with: result = (- 1) Categorizations of models: - Selected model 0: NC - Concrete RAC: FAILURE (postcondition at "bench/check-ce/record_map.mlw", line 46, characters 12-22) - Abstract RAC: FAILURE (postcondition at "bench/check-ce/record_map.mlw", line 46, characters 12-22) - Checked model 1: NC - Concrete RAC: FAILURE (postcondition at "bench/check-ce/record_map.mlw", line 46, characters 12-22) - Abstract RAC: FAILURE (postcondition at "bench/check-ce/record_map.mlw", line 46, characters 12-22) File "bench/check-ce/record_map.mlw", line 46, characters 12-22: Sub-goal Postcondition of goal record_map_proj_test2'vc. Prover result is: Unknown (sat). The program does not comply to the verification goal, for example during the following execution: File int.mlw: Line 13: Constant zero initialization zero = 0 Line 14: Constant one initialization one = 1 File record_map.mlw: Line 45: rec_map = {f_map= fun (x:bool) -> if x = True then (- 1) else 0; g_bool= true} rec_map = {f_map= fun (x:bool) -> if x = True then (- 1) else 0; g_bool= true} Execution of main function `record_map_proj_test2` with env: rec_map = {f_map= fun (x:bool) -> if x = True then (- 1) else 0; g_bool= true} zero = 0 one = 1 Line 48: Normal execution of function `True` with args: Normal execution of function `f_map` with args: arg = {f_map= fun (x:bool) -> if x = True then (- 1) else 0; g_bool= true} Normal execution of function `([])` with args: f = fun (x:bool) -> if x = True then (- 1) else 0 x = true File map.mlw: Line 17: Normal execution of function `(@)` with args: u = fun (x:bool) -> if x = True then (- 1) else 0 u = true File record_map.mlw: Line 46: Property failure at postcondition of `record_map_proj_test2` with: result = (- 1) Categorizations of models: - Selected model 0: NC - Concrete RAC: FAILURE (postcondition at "bench/check-ce/record_map.mlw", line 53, characters 12-31) - Abstract RAC: FAILURE (postcondition at "bench/check-ce/record_map.mlw", line 53, characters 12-31) - Checked model 1: NC - Concrete RAC: FAILURE (postcondition at "bench/check-ce/record_map.mlw", line 53, characters 12-31) - Abstract RAC: FAILURE (postcondition at "bench/check-ce/record_map.mlw", line 53, characters 12-31) File "bench/check-ce/record_map.mlw", line 53, characters 12-31: Sub-goal Postcondition of goal record_map_proj_test3'vc. Prover result is: Unknown (sat). The program does not comply to the verification goal, for example during the following execution: File int.mlw: Line 13: Constant zero initialization zero = 0 Line 14: Constant one initialization one = 1 File record_map.mlw: Line 50: re_rec_map = {f_map= fun (x:bool) -> 0; g_bool= true} Line 52: rec_map = {f_map= fun (x:bool) -> 0; g_bool= false} rec_map = {f_map= fun (x:bool) -> 0; g_bool= false} Execution of main function `record_map_proj_test3` with env: re_rec_map = {f_map= fun (x:bool) -> 0; g_bool= true} rec_map = {f_map= fun (x:bool) -> 0; g_bool= false} zero = 0 one = 1 Line 53: Property failure at postcondition of `record_map_proj_test3` with: re_rec_map = {f_map= fun (x:bool) -> 0; g_bool= true} result = {f_map= fun (x:bool) -> 0; g_bool= false} why3-1.6.0/bench/check-ce/oracles/record_map_CVC5,1.0.0_WP.oracle000066400000000000000000000123261440160026300237020ustar00rootroot00000000000000Categorizations of models: - Selected model 0: NC - Concrete RAC: FAILURE (postcondition at "bench/check-ce/record_map.mlw", line 41, characters 12-22) - Abstract RAC: FAILURE (postcondition at "bench/check-ce/record_map.mlw", line 41, characters 12-22) - Checked model 1: NC - Concrete RAC: FAILURE (postcondition at "bench/check-ce/record_map.mlw", line 41, characters 12-22) - Abstract RAC: FAILURE (postcondition at "bench/check-ce/record_map.mlw", line 41, characters 12-22) File "bench/check-ce/record_map.mlw", line 41, characters 12-22: Sub-goal Postcondition of goal map_record_proj_test1'vc. Prover result is: Unknown (sat). The program does not comply to the verification goal, for example during the following execution: File int.mlw: Line 13: Constant zero initialization zero = 0 Line 14: Constant one initialization one = 1 File record_map.mlw: Line 40: map_rec = fun (x:bool) -> if x = True then r'mk (- 1) True else r'mk 0 False map_rec = fun (x:bool) -> if x = True then r'mk (- 1) True else r'mk 0 False Execution of main function `map_record_proj_test1` with env: map_rec = fun (x:bool) -> if x = True then r'mk (- 1) True else r'mk 0 False zero = 0 one = 1 Line 43: Normal execution of function `True` with args: Normal execution of function `([])` with args: f = fun (x:bool) -> if x = True then r'mk (- 1) True else r'mk 0 False x = true File map.mlw: Line 17: Normal execution of function `(@)` with args: u = fun (x:bool) -> if x = True then r'mk (- 1) True else r'mk 0 False u = true File record_map.mlw: Line 43: Normal execution of function `f` with args: arg = r'mk (- 1) True Line 41: Property failure at postcondition of `map_record_proj_test1` with: result = (- 1) Categorizations of models: - Selected model 0: NC - Concrete RAC: FAILURE (postcondition at "bench/check-ce/record_map.mlw", line 46, characters 12-22) - Abstract RAC: FAILURE (postcondition at "bench/check-ce/record_map.mlw", line 46, characters 12-22) - Checked model 1: NC - Concrete RAC: FAILURE (postcondition at "bench/check-ce/record_map.mlw", line 46, characters 12-22) - Abstract RAC: FAILURE (postcondition at "bench/check-ce/record_map.mlw", line 46, characters 12-22) File "bench/check-ce/record_map.mlw", line 46, characters 12-22: Sub-goal Postcondition of goal record_map_proj_test2'vc. Prover result is: Unknown (sat). The program does not comply to the verification goal, for example during the following execution: File int.mlw: Line 13: Constant zero initialization zero = 0 Line 14: Constant one initialization one = 1 File record_map.mlw: Line 45: rec_map = {f_map= fun (x:bool) -> if x = True then (- 1) else 0; g_bool= true} rec_map = {f_map= fun (x:bool) -> if x = True then (- 1) else 0; g_bool= true} Execution of main function `record_map_proj_test2` with env: rec_map = {f_map= fun (x:bool) -> if x = True then (- 1) else 0; g_bool= true} zero = 0 one = 1 Line 48: Normal execution of function `True` with args: Normal execution of function `f_map` with args: arg = {f_map= fun (x:bool) -> if x = True then (- 1) else 0; g_bool= true} Normal execution of function `([])` with args: f = fun (x:bool) -> if x = True then (- 1) else 0 x = true File map.mlw: Line 17: Normal execution of function `(@)` with args: u = fun (x:bool) -> if x = True then (- 1) else 0 u = true File record_map.mlw: Line 46: Property failure at postcondition of `record_map_proj_test2` with: result = (- 1) Categorizations of models: - Selected model 0: NC - Concrete RAC: FAILURE (postcondition at "bench/check-ce/record_map.mlw", line 53, characters 12-31) - Abstract RAC: FAILURE (postcondition at "bench/check-ce/record_map.mlw", line 53, characters 12-31) - Checked model 1: NC - Concrete RAC: FAILURE (postcondition at "bench/check-ce/record_map.mlw", line 53, characters 12-31) - Abstract RAC: FAILURE (postcondition at "bench/check-ce/record_map.mlw", line 53, characters 12-31) File "bench/check-ce/record_map.mlw", line 53, characters 12-31: Sub-goal Postcondition of goal record_map_proj_test3'vc. Prover result is: Unknown (sat). The program does not comply to the verification goal, for example during the following execution: File int.mlw: Line 13: Constant zero initialization zero = 0 Line 14: Constant one initialization one = 1 File record_map.mlw: Line 50: re_rec_map = {f_map= fun (x:bool) -> 0; g_bool= true} Line 52: rec_map = {f_map= fun (x:bool) -> 0; g_bool= false} rec_map = {f_map= fun (x:bool) -> 0; g_bool= false} Execution of main function `record_map_proj_test3` with env: re_rec_map = {f_map= fun (x:bool) -> 0; g_bool= true} rec_map = {f_map= fun (x:bool) -> 0; g_bool= false} zero = 0 one = 1 Line 53: Property failure at postcondition of `record_map_proj_test3` with: re_rec_map = {f_map= fun (x:bool) -> 0; g_bool= true} result = {f_map= fun (x:bool) -> 0; g_bool= false} why3-1.6.0/bench/check-ce/oracles/record_map_Z3,4.8.10_SP.oracle000066400000000000000000000045271440160026300235720ustar00rootroot00000000000000Categorizations of models: - Checked model 0: INCOMPLETE - Concrete RAC: INCOMPLETE (terminated because an undefined argument was passed to (@)) - Abstract RAC: INCOMPLETE (terminated because Postcondition of `([])` cannot be evaluated) - Selected model 1: INCOMPLETE - Concrete RAC: INCOMPLETE (terminated because an undefined argument was passed to (@)) - Abstract RAC: INCOMPLETE (terminated because Postcondition of `([])` cannot be evaluated) File "bench/check-ce/record_map.mlw", line 41, characters 12-22: Sub-goal Postcondition of goal map_record_proj_test1'vc. Prover result is: Unknown (sat). The following counterexample model could not be verified (concrete RAC terminated because an undefined argument was passed to (@), abstract RAC terminated because Postcondition of `([])` cannot be evaluated): File record_map.mlw: Line 41: result : int = 2 result : int = 2 Line 43: result of call at line 43, characters 2-17 : int = 2 result of call at line 43, characters 2-15 : r = {.field_f = 2; g = false} result : int = 2 Categorizations of models: - Checked model 0: INCOMPLETE - Concrete RAC: INCOMPLETE (terminated because an undefined argument was passed to (@)) - Abstract RAC: INCOMPLETE (terminated because Postcondition of `([])` cannot be evaluated) - Selected model 1: INCOMPLETE - Concrete RAC: INCOMPLETE (terminated because an undefined argument was passed to (@)) - Abstract RAC: INCOMPLETE (terminated because Postcondition of `([])` cannot be evaluated) File "bench/check-ce/record_map.mlw", line 46, characters 12-22: Sub-goal Postcondition of goal record_map_proj_test2'vc. Prover result is: Unknown (sat). The following counterexample model could not be verified (concrete RAC terminated because an undefined argument was passed to (@), abstract RAC terminated because Postcondition of `([])` cannot be evaluated): File record_map.mlw: Line 46: result : int = 2 result : int = 2 Line 48: result of call at line 48, characters 2-21 : int = 2 result : int = 2 Categorizations of models: - Checked model 0: BAD_CE - Concrete RAC: NORMAL - Abstract RAC: NORMAL File "bench/check-ce/record_map.mlw", line 53, characters 12-31: Sub-goal Postcondition of goal record_map_proj_test3'vc. Prover result is: Unknown (sat). why3-1.6.0/bench/check-ce/oracles/record_map_Z3,4.8.10_WP.oracle000066400000000000000000000045271440160026300235760ustar00rootroot00000000000000Categorizations of models: - Checked model 0: INCOMPLETE - Concrete RAC: INCOMPLETE (terminated because an undefined argument was passed to (@)) - Abstract RAC: INCOMPLETE (terminated because Postcondition of `([])` cannot be evaluated) - Selected model 1: INCOMPLETE - Concrete RAC: INCOMPLETE (terminated because an undefined argument was passed to (@)) - Abstract RAC: INCOMPLETE (terminated because Postcondition of `([])` cannot be evaluated) File "bench/check-ce/record_map.mlw", line 41, characters 12-22: Sub-goal Postcondition of goal map_record_proj_test1'vc. Prover result is: Unknown (sat). The following counterexample model could not be verified (concrete RAC terminated because an undefined argument was passed to (@), abstract RAC terminated because Postcondition of `([])` cannot be evaluated): File record_map.mlw: Line 41: result : int = 2 result : int = 2 Line 43: result of call at line 43, characters 2-17 : int = 2 result of call at line 43, characters 2-15 : r = {.field_f = 2; g = false} result : int = 2 Categorizations of models: - Checked model 0: INCOMPLETE - Concrete RAC: INCOMPLETE (terminated because an undefined argument was passed to (@)) - Abstract RAC: INCOMPLETE (terminated because Postcondition of `([])` cannot be evaluated) - Selected model 1: INCOMPLETE - Concrete RAC: INCOMPLETE (terminated because an undefined argument was passed to (@)) - Abstract RAC: INCOMPLETE (terminated because Postcondition of `([])` cannot be evaluated) File "bench/check-ce/record_map.mlw", line 46, characters 12-22: Sub-goal Postcondition of goal record_map_proj_test2'vc. Prover result is: Unknown (sat). The following counterexample model could not be verified (concrete RAC terminated because an undefined argument was passed to (@), abstract RAC terminated because Postcondition of `([])` cannot be evaluated): File record_map.mlw: Line 46: result : int = 2 result : int = 2 Line 48: result of call at line 48, characters 2-21 : int = 2 result : int = 2 Categorizations of models: - Checked model 0: BAD_CE - Concrete RAC: NORMAL - Abstract RAC: NORMAL File "bench/check-ce/record_map.mlw", line 53, characters 12-31: Sub-goal Postcondition of goal record_map_proj_test3'vc. Prover result is: Unknown (sat). why3-1.6.0/bench/check-ce/oracles/record_nested_one_field_CVC4,1.8_SP.oracle000066400000000000000000000052651440160026300262640ustar00rootroot00000000000000Categorizations of models: - Selected model 0: NC - Concrete RAC: FAILURE (postcondition at "bench/check-ce/record_nested_one_field.mlw", line 14, characters 14-51) - Abstract RAC: FAILURE (postcondition at "bench/check-ce/record_nested_one_field.mlw", line 14, characters 14-51) - Checked model 1: NC - Concrete RAC: FAILURE (postcondition at "bench/check-ce/record_nested_one_field.mlw", line 14, characters 14-51) - Abstract RAC: FAILURE (postcondition at "bench/check-ce/record_nested_one_field.mlw", line 14, characters 14-51) File "bench/check-ce/record_nested_one_field.mlw", line 14, characters 14-51: Sub-goal Postcondition of goal test_post'vc. Prover result is: Unknown or time/memory/step limit. The program does not comply to the verification goal, for example during the following execution: File int.mlw: Line 13: Constant zero initialization zero = 0 Line 14: Constant one initialization one = 1 File record_nested_one_field.mlw: Line 13: x = 1 y = {cont_four1= {contents= {cont_two1= {cont_one1= 0}}}} x = 1 y = {cont_four1= {contents= {cont_two1= {cont_one1= 0}}}} Execution of main function `test_post` with env: x = 1 y = {cont_four1= {contents= {cont_two1= {cont_one1= 0}}}} zero = 0 one = 1 Line 17: Normal execution of function `cont_four` with args: arg = {cont_four1= {contents= {cont_two1= {cont_one1= 0}}}} Normal execution of function `(!)` with args: r = {contents= {cont_two1= {cont_one1= 0}}} File ref.mlw: Line 18: Normal execution of function `contents` with args: arg = {contents= {cont_two1= {cont_one1= 0}}} File record_nested_one_field.mlw: Line 17: Normal execution of function `cont_two` with args: arg = {cont_two1= {cont_one1= 0}} Normal execution of function `cont_one` with args: arg = {cont_one1= 0} Line 16: Normal execution of function `(-)` with args: x = 1 y = 1 File int.mlw: Line 23: Normal execution of function `(-_)` with args: _ = 1 Normal execution of function `(+)` with args: _ = 1 _ = (-1) File record_nested_one_field.mlw: Line 16: Normal execution of function `(+)` with args: _ = 0 _ = 0 Normal execution of function `cont_four` with args: arg = {cont_four1= {contents= {cont_two1= {cont_one1= 0}}}} Normal execution of function `contents` with args: arg = {contents= {cont_two1= {cont_one1= 0}}} Normal execution of function `cont_two` with args: arg = {cont_two1= {cont_one1= 0}} Line 14: Property failure at postcondition of `test_post` with: x = 1 y = {cont_four1= {contents= {cont_two1= {cont_one1= 0}}}} why3-1.6.0/bench/check-ce/oracles/record_nested_one_field_CVC4,1.8_WP.oracle000066400000000000000000000052651440160026300262700ustar00rootroot00000000000000Categorizations of models: - Selected model 0: NC - Concrete RAC: FAILURE (postcondition at "bench/check-ce/record_nested_one_field.mlw", line 14, characters 14-51) - Abstract RAC: FAILURE (postcondition at "bench/check-ce/record_nested_one_field.mlw", line 14, characters 14-51) - Checked model 1: NC - Concrete RAC: FAILURE (postcondition at "bench/check-ce/record_nested_one_field.mlw", line 14, characters 14-51) - Abstract RAC: FAILURE (postcondition at "bench/check-ce/record_nested_one_field.mlw", line 14, characters 14-51) File "bench/check-ce/record_nested_one_field.mlw", line 14, characters 14-51: Sub-goal Postcondition of goal test_post'vc. Prover result is: Unknown or time/memory/step limit. The program does not comply to the verification goal, for example during the following execution: File int.mlw: Line 13: Constant zero initialization zero = 0 Line 14: Constant one initialization one = 1 File record_nested_one_field.mlw: Line 13: x = 1 y = {cont_four1= {contents= {cont_two1= {cont_one1= 0}}}} x = 1 y = {cont_four1= {contents= {cont_two1= {cont_one1= 0}}}} Execution of main function `test_post` with env: x = 1 y = {cont_four1= {contents= {cont_two1= {cont_one1= 0}}}} zero = 0 one = 1 Line 17: Normal execution of function `cont_four` with args: arg = {cont_four1= {contents= {cont_two1= {cont_one1= 0}}}} Normal execution of function `(!)` with args: r = {contents= {cont_two1= {cont_one1= 0}}} File ref.mlw: Line 18: Normal execution of function `contents` with args: arg = {contents= {cont_two1= {cont_one1= 0}}} File record_nested_one_field.mlw: Line 17: Normal execution of function `cont_two` with args: arg = {cont_two1= {cont_one1= 0}} Normal execution of function `cont_one` with args: arg = {cont_one1= 0} Line 16: Normal execution of function `(-)` with args: x = 1 y = 1 File int.mlw: Line 23: Normal execution of function `(-_)` with args: _ = 1 Normal execution of function `(+)` with args: _ = 1 _ = (-1) File record_nested_one_field.mlw: Line 16: Normal execution of function `(+)` with args: _ = 0 _ = 0 Normal execution of function `cont_four` with args: arg = {cont_four1= {contents= {cont_two1= {cont_one1= 0}}}} Normal execution of function `contents` with args: arg = {contents= {cont_two1= {cont_one1= 0}}} Normal execution of function `cont_two` with args: arg = {cont_two1= {cont_one1= 0}} Line 14: Property failure at postcondition of `test_post` with: x = 1 y = {cont_four1= {contents= {cont_two1= {cont_one1= 0}}}} why3-1.6.0/bench/check-ce/oracles/record_nested_one_field_CVC5,1.0.0_SP.oracle000066400000000000000000000052301440160026300264030ustar00rootroot00000000000000Categorizations of models: - Selected model 0: NC - Concrete RAC: FAILURE (postcondition at "bench/check-ce/record_nested_one_field.mlw", line 14, characters 14-51) - Abstract RAC: FAILURE (postcondition at "bench/check-ce/record_nested_one_field.mlw", line 14, characters 14-51) - Checked model 1: NC - Concrete RAC: FAILURE (postcondition at "bench/check-ce/record_nested_one_field.mlw", line 14, characters 14-51) - Abstract RAC: FAILURE (postcondition at "bench/check-ce/record_nested_one_field.mlw", line 14, characters 14-51) File "bench/check-ce/record_nested_one_field.mlw", line 14, characters 14-51: Sub-goal Postcondition of goal test_post'vc. Prover result is: Unknown or time/memory/step limit. The program does not comply to the verification goal, for example during the following execution: File int.mlw: Line 13: Constant zero initialization zero = 0 Line 14: Constant one initialization one = 1 File record_nested_one_field.mlw: Line 13: x = 1 y = {cont_four= {contents= {cont_two= {cont_one= 0}}}} x = 1 y = {cont_four= {contents= {cont_two= {cont_one= 0}}}} Execution of main function `test_post` with env: x = 1 y = {cont_four= {contents= {cont_two= {cont_one= 0}}}} zero = 0 one = 1 Line 17: Normal execution of function `cont_four` with args: arg = {cont_four= {contents= {cont_two= {cont_one= 0}}}} Normal execution of function `(!)` with args: r = {contents= {cont_two= {cont_one= 0}}} File ref.mlw: Line 18: Normal execution of function `contents` with args: arg = {contents= {cont_two= {cont_one= 0}}} File record_nested_one_field.mlw: Line 17: Normal execution of function `cont_two` with args: arg = {cont_two= {cont_one= 0}} Normal execution of function `cont_one` with args: arg = {cont_one= 0} Line 16: Normal execution of function `(-)` with args: x = 1 y = 1 File int.mlw: Line 23: Normal execution of function `(-_)` with args: _ = 1 Normal execution of function `(+)` with args: _ = 1 _ = (-1) File record_nested_one_field.mlw: Line 16: Normal execution of function `(+)` with args: _ = 0 _ = 0 Normal execution of function `cont_four` with args: arg = {cont_four= {contents= {cont_two= {cont_one= 0}}}} Normal execution of function `contents` with args: arg = {contents= {cont_two= {cont_one= 0}}} Normal execution of function `cont_two` with args: arg = {cont_two= {cont_one= 0}} Line 14: Property failure at postcondition of `test_post` with: x = 1 y = {cont_four= {contents= {cont_two= {cont_one= 0}}}} why3-1.6.0/bench/check-ce/oracles/record_nested_one_field_CVC5,1.0.0_WP.oracle000066400000000000000000000052301440160026300264070ustar00rootroot00000000000000Categorizations of models: - Selected model 0: NC - Concrete RAC: FAILURE (postcondition at "bench/check-ce/record_nested_one_field.mlw", line 14, characters 14-51) - Abstract RAC: FAILURE (postcondition at "bench/check-ce/record_nested_one_field.mlw", line 14, characters 14-51) - Checked model 1: NC - Concrete RAC: FAILURE (postcondition at "bench/check-ce/record_nested_one_field.mlw", line 14, characters 14-51) - Abstract RAC: FAILURE (postcondition at "bench/check-ce/record_nested_one_field.mlw", line 14, characters 14-51) File "bench/check-ce/record_nested_one_field.mlw", line 14, characters 14-51: Sub-goal Postcondition of goal test_post'vc. Prover result is: Unknown or time/memory/step limit. The program does not comply to the verification goal, for example during the following execution: File int.mlw: Line 13: Constant zero initialization zero = 0 Line 14: Constant one initialization one = 1 File record_nested_one_field.mlw: Line 13: x = 1 y = {cont_four= {contents= {cont_two= {cont_one= 0}}}} x = 1 y = {cont_four= {contents= {cont_two= {cont_one= 0}}}} Execution of main function `test_post` with env: x = 1 y = {cont_four= {contents= {cont_two= {cont_one= 0}}}} zero = 0 one = 1 Line 17: Normal execution of function `cont_four` with args: arg = {cont_four= {contents= {cont_two= {cont_one= 0}}}} Normal execution of function `(!)` with args: r = {contents= {cont_two= {cont_one= 0}}} File ref.mlw: Line 18: Normal execution of function `contents` with args: arg = {contents= {cont_two= {cont_one= 0}}} File record_nested_one_field.mlw: Line 17: Normal execution of function `cont_two` with args: arg = {cont_two= {cont_one= 0}} Normal execution of function `cont_one` with args: arg = {cont_one= 0} Line 16: Normal execution of function `(-)` with args: x = 1 y = 1 File int.mlw: Line 23: Normal execution of function `(-_)` with args: _ = 1 Normal execution of function `(+)` with args: _ = 1 _ = (-1) File record_nested_one_field.mlw: Line 16: Normal execution of function `(+)` with args: _ = 0 _ = 0 Normal execution of function `cont_four` with args: arg = {cont_four= {contents= {cont_two= {cont_one= 0}}}} Normal execution of function `contents` with args: arg = {contents= {cont_two= {cont_one= 0}}} Normal execution of function `cont_two` with args: arg = {cont_two= {cont_one= 0}} Line 14: Property failure at postcondition of `test_post` with: x = 1 y = {cont_four= {contents= {cont_two= {cont_one= 0}}}} why3-1.6.0/bench/check-ce/oracles/record_nested_one_field_Z3,4.8.10_SP.oracle000066400000000000000000000052361440160026300263010ustar00rootroot00000000000000Categorizations of models: - Selected model 0: NC - Concrete RAC: FAILURE (postcondition at "bench/check-ce/record_nested_one_field.mlw", line 14, characters 14-51) - Abstract RAC: FAILURE (postcondition at "bench/check-ce/record_nested_one_field.mlw", line 14, characters 14-51) - Checked model 1: NC - Concrete RAC: FAILURE (postcondition at "bench/check-ce/record_nested_one_field.mlw", line 14, characters 14-51) - Abstract RAC: FAILURE (postcondition at "bench/check-ce/record_nested_one_field.mlw", line 14, characters 14-51) File "bench/check-ce/record_nested_one_field.mlw", line 14, characters 14-51: Sub-goal Postcondition of goal test_post'vc. Prover result is: Unknown or time/memory/step limit. The program does not comply to the verification goal, for example during the following execution: File int.mlw: Line 13: Constant zero initialization zero = 0 Line 14: Constant one initialization one = 1 File record_nested_one_field.mlw: Line 13: x = 0 y = {cont_four= {contents= {cont_two= {cont_one= 0}}}} x = 0 y = {cont_four= {contents= {cont_two= {cont_one= 0}}}} Execution of main function `test_post` with env: x = 0 y = {cont_four= {contents= {cont_two= {cont_one= 0}}}} zero = 0 one = 1 Line 17: Normal execution of function `cont_four` with args: arg = {cont_four= {contents= {cont_two= {cont_one= 0}}}} Normal execution of function `(!)` with args: r = {contents= {cont_two= {cont_one= 0}}} File ref.mlw: Line 18: Normal execution of function `contents` with args: arg = {contents= {cont_two= {cont_one= 0}}} File record_nested_one_field.mlw: Line 17: Normal execution of function `cont_two` with args: arg = {cont_two= {cont_one= 0}} Normal execution of function `cont_one` with args: arg = {cont_one= 0} Line 16: Normal execution of function `(-)` with args: x = 0 y = 1 File int.mlw: Line 23: Normal execution of function `(-_)` with args: _ = 1 Normal execution of function `(+)` with args: _ = 0 _ = (-1) File record_nested_one_field.mlw: Line 16: Normal execution of function `(+)` with args: _ = (-1) _ = 0 Normal execution of function `cont_four` with args: arg = {cont_four= {contents= {cont_two= {cont_one= 0}}}} Normal execution of function `contents` with args: arg = {contents= {cont_two= {cont_one= 0}}} Normal execution of function `cont_two` with args: arg = {cont_two= {cont_one= 0}} Line 14: Property failure at postcondition of `test_post` with: x = 0 y = {cont_four= {contents= {cont_two= {cont_one= (-1)}}}} why3-1.6.0/bench/check-ce/oracles/record_nested_one_field_Z3,4.8.10_WP.oracle000066400000000000000000000052361440160026300263050ustar00rootroot00000000000000Categorizations of models: - Selected model 0: NC - Concrete RAC: FAILURE (postcondition at "bench/check-ce/record_nested_one_field.mlw", line 14, characters 14-51) - Abstract RAC: FAILURE (postcondition at "bench/check-ce/record_nested_one_field.mlw", line 14, characters 14-51) - Checked model 1: NC - Concrete RAC: FAILURE (postcondition at "bench/check-ce/record_nested_one_field.mlw", line 14, characters 14-51) - Abstract RAC: FAILURE (postcondition at "bench/check-ce/record_nested_one_field.mlw", line 14, characters 14-51) File "bench/check-ce/record_nested_one_field.mlw", line 14, characters 14-51: Sub-goal Postcondition of goal test_post'vc. Prover result is: Unknown or time/memory/step limit. The program does not comply to the verification goal, for example during the following execution: File int.mlw: Line 13: Constant zero initialization zero = 0 Line 14: Constant one initialization one = 1 File record_nested_one_field.mlw: Line 13: x = 0 y = {cont_four= {contents= {cont_two= {cont_one= 0}}}} x = 0 y = {cont_four= {contents= {cont_two= {cont_one= 0}}}} Execution of main function `test_post` with env: x = 0 y = {cont_four= {contents= {cont_two= {cont_one= 0}}}} zero = 0 one = 1 Line 17: Normal execution of function `cont_four` with args: arg = {cont_four= {contents= {cont_two= {cont_one= 0}}}} Normal execution of function `(!)` with args: r = {contents= {cont_two= {cont_one= 0}}} File ref.mlw: Line 18: Normal execution of function `contents` with args: arg = {contents= {cont_two= {cont_one= 0}}} File record_nested_one_field.mlw: Line 17: Normal execution of function `cont_two` with args: arg = {cont_two= {cont_one= 0}} Normal execution of function `cont_one` with args: arg = {cont_one= 0} Line 16: Normal execution of function `(-)` with args: x = 0 y = 1 File int.mlw: Line 23: Normal execution of function `(-_)` with args: _ = 1 Normal execution of function `(+)` with args: _ = 0 _ = (-1) File record_nested_one_field.mlw: Line 16: Normal execution of function `(+)` with args: _ = (-1) _ = 0 Normal execution of function `cont_four` with args: arg = {cont_four= {contents= {cont_two= {cont_one= 0}}}} Normal execution of function `contents` with args: arg = {contents= {cont_two= {cont_one= 0}}} Normal execution of function `cont_two` with args: arg = {cont_two= {cont_one= 0}} Line 14: Property failure at postcondition of `test_post` with: x = 0 y = {cont_four= {contents= {cont_two= {cont_one= (-1)}}}} why3-1.6.0/bench/check-ce/oracles/records_inv_CVC4,1.8_SP.oracle000066400000000000000000000360321440160026300237510ustar00rootroot00000000000000File bench/check-ce/records_inv.mlw: Goal r'vc. Prover result is: Valid. Categorizations of models: - Selected model 0: NC - Concrete RAC: FAILURE (postcondition at "bench/check-ce/records_inv.mlw", line 16, characters 14-24) - Abstract RAC: FAILURE (postcondition at "bench/check-ce/records_inv.mlw", line 16, characters 14-24) - Checked model 1: NC - Concrete RAC: FAILURE (postcondition at "bench/check-ce/records_inv.mlw", line 16, characters 14-24) - Abstract RAC: FAILURE (postcondition at "bench/check-ce/records_inv.mlw", line 16, characters 14-24) File "bench/check-ce/records_inv.mlw", line 16, characters 14-24: Sub-goal Postcondition of goal record_match_eval_test1'vc. Prover result is: Unknown or time/memory/step limit. The program does not comply to the verification goal, for example during the following execution: File int.mlw: Line 13: Constant zero initialization zero = 0 Line 14: Constant one initialization one = 1 File records_inv.mlw: Line 15: x = {f= 0; g= true} x = {f= 0; g= true} Execution of main function `record_match_eval_test1` with env: x = {f= 0; g= true} zero = 0 one = 1 Line 18: Normal execution of function `g` with args: arg = {f= 0; g= true} Line 19: Normal execution of function `f` with args: arg = {f= 0; g= true} Line 16: Property failure at postcondition of `record_match_eval_test1` with: result = 0 Categorizations of models: - Selected model 0: NC - Concrete RAC: FAILURE (postcondition at "bench/check-ce/records_inv.mlw", line 24, characters 14-24) - Abstract RAC: FAILURE (postcondition at "bench/check-ce/records_inv.mlw", line 24, characters 14-24) - Checked model 1: NC - Concrete RAC: FAILURE (postcondition at "bench/check-ce/records_inv.mlw", line 24, characters 14-24) - Abstract RAC: FAILURE (postcondition at "bench/check-ce/records_inv.mlw", line 24, characters 14-24) File "bench/check-ce/records_inv.mlw", line 24, characters 14-24: Sub-goal Postcondition of goal record_match_eval_test2'vc. Prover result is: Unknown or time/memory/step limit. The program does not comply to the verification goal, for example during the following execution: File int.mlw: Line 13: Constant zero initialization zero = 0 Line 14: Constant one initialization one = 1 File records_inv.mlw: Line 23: x = {f= 0; g= UNDEFINED} x = {f= 0; g= UNDEFINED} Execution of main function `record_match_eval_test2` with env: x = {f= 0; g= UNDEFINED} zero = 0 one = 1 Line 26: Normal execution of function `f` with args: arg = {f= 0; g= UNDEFINED} Line 24: Property failure at postcondition of `record_match_eval_test2` with: result = 0 Categorizations of models: - Selected model 0: NC - Concrete RAC: FAILURE (precondition at "bench/check-ce/records_inv.mlw", line 31, characters 9-25) - Abstract RAC: FAILURE (precondition at "bench/check-ce/records_inv.mlw", line 31, characters 9-25) - Checked model 1: NC - Concrete RAC: FAILURE (precondition at "bench/check-ce/records_inv.mlw", line 31, characters 9-25) - Abstract RAC: FAILURE (precondition at "bench/check-ce/records_inv.mlw", line 31, characters 9-25) File "bench/check-ce/records_inv.mlw", line 31, characters 9-25: Sub-goal Precondition of goal record_match_eval_test3'vc. Prover result is: Unknown or time/memory/step limit. The program does not comply to the verification goal, for example during the following execution: File int.mlw: Line 13: Constant zero initialization zero = 0 Line 14: Constant one initialization one = 1 File records_inv.mlw: Line 28: x = {contents= {f= 0; g= false}} x = {contents= {f= 0; g= false}} Execution of main function `record_match_eval_test3` with env: x = {contents= {f= 0; g= false}} zero = 0 one = 1 Line 31: Normal execution of function `(!)` with args: r = {contents= {f= 0; g= false}} File ref.mlw: Line 18: Normal execution of function `contents` with args: arg = {contents= {f= 0; g= false}} File records_inv.mlw: Line 31: Normal execution of function `g` with args: arg = {f= 0; g= false} Normal execution of function `r'mk` with args: f = 6 g = false Property failure at precondition of `r'mk` with: f = 6 File "bench/check-ce/records_inv.mlw", line 29, characters 14-18: Sub-goal Postcondition of goal record_match_eval_test3'vc. Prover result is: Valid. Categorizations of models: - Selected model 0: NC - Concrete RAC: FAILURE (precondition at "bench/check-ce/records_inv.mlw", line 36, characters 9-26) - Abstract RAC: FAILURE (precondition at "bench/check-ce/records_inv.mlw", line 36, characters 9-26) - Checked model 1: NC - Concrete RAC: FAILURE (precondition at "bench/check-ce/records_inv.mlw", line 36, characters 9-26) - Abstract RAC: FAILURE (precondition at "bench/check-ce/records_inv.mlw", line 36, characters 9-26) File "bench/check-ce/records_inv.mlw", line 36, characters 9-26: Sub-goal Precondition of goal record_match_eval_test4'vc. Prover result is: Unknown or time/memory/step limit. The program does not comply to the verification goal, for example during the following execution: File int.mlw: Line 13: Constant zero initialization zero = 0 Line 14: Constant one initialization one = 1 File records_inv.mlw: Line 33: x = {contents= {f= 0; g= false}} x = {contents= {f= 0; g= false}} Execution of main function `record_match_eval_test4` with env: x = {contents= {f= 0; g= false}} zero = 0 one = 1 Line 36: Normal execution of function `(!)` with args: r = {contents= {f= 0; g= false}} File ref.mlw: Line 18: Normal execution of function `contents` with args: arg = {contents= {f= 0; g= false}} File records_inv.mlw: Line 36: Normal execution of function `g` with args: arg = {f= 0; g= false} Normal execution of function `r'mk` with args: f = 6 g = false Property failure at precondition of `r'mk` with: f = 6 File "bench/check-ce/records_inv.mlw", line 34, characters 14-22: Sub-goal Postcondition of goal record_match_eval_test4'vc. Prover result is: Valid. Categorizations of models: - Selected model 0: NC - Concrete RAC: FAILURE (precondition at "bench/check-ce/records_inv.mlw", line 42, characters 9-26) - Abstract RAC: FAILURE (precondition at "bench/check-ce/records_inv.mlw", line 42, characters 9-26) - Checked model 1: NC - Concrete RAC: FAILURE (precondition at "bench/check-ce/records_inv.mlw", line 42, characters 9-26) - Abstract RAC: FAILURE (precondition at "bench/check-ce/records_inv.mlw", line 42, characters 9-26) File "bench/check-ce/records_inv.mlw", line 42, characters 9-26: Sub-goal Precondition of goal record_match_eval_test44'vc. Prover result is: Unknown or time/memory/step limit. The program does not comply to the verification goal, for example during the following execution: File int.mlw: Line 13: Constant zero initialization zero = 0 Line 14: Constant one initialization one = 1 File records_inv.mlw: Line 39: x = {contents= {f= 0; g= false}} x = {contents= {f= 0; g= false}} Execution of main function `record_match_eval_test44` with env: x = {contents= {f= 0; g= false}} zero = 0 one = 1 Line 42: Normal execution of function `(!)` with args: r = {contents= {f= 0; g= false}} File ref.mlw: Line 18: Normal execution of function `contents` with args: arg = {contents= {f= 0; g= false}} File records_inv.mlw: Line 42: Normal execution of function `g` with args: arg = {f= 0; g= false} Normal execution of function `r'mk` with args: f = 6 g = false Property failure at precondition of `r'mk` with: f = 6 File "bench/check-ce/records_inv.mlw", line 43, characters 13-22: Sub-goal Assertion of goal record_match_eval_test44'vc. Prover result is: Valid. File "bench/check-ce/records_inv.mlw", line 40, characters 14-22: Sub-goal Postcondition of goal record_match_eval_test44'vc. Prover result is: Valid. Categorizations of models: - Selected model 0: NC - Concrete RAC: FAILURE (precondition at "bench/check-ce/records_inv.mlw", line 51, characters 9-26) - Abstract RAC: FAILURE (precondition at "bench/check-ce/records_inv.mlw", line 51, characters 9-26) - Checked model 1: NC - Concrete RAC: FAILURE (precondition at "bench/check-ce/records_inv.mlw", line 51, characters 9-26) - Abstract RAC: FAILURE (precondition at "bench/check-ce/records_inv.mlw", line 51, characters 9-26) File "bench/check-ce/records_inv.mlw", line 51, characters 9-26: Sub-goal Precondition of goal test_record_match_eval_test5'vc. Prover result is: Unknown or time/memory/step limit. The program does not comply to the verification goal, for example during the following execution: File int.mlw: Line 13: Constant zero initialization zero = 0 Line 14: Constant one initialization one = 1 File records_inv.mlw: Line 46: re = {contents= {f= 0; g= false}} Line 48: x = {contents= {f= 0; g= false}} x = {contents= {f= 0; g= false}} Execution of main function `test_record_match_eval_test5` with env: re = {contents= {f= 0; g= false}} x = {contents= {f= 0; g= false}} zero = 0 one = 1 Line 51: Normal execution of function `(!)` with args: r = {contents= {f= 0; g= false}} File ref.mlw: Line 18: Normal execution of function `contents` with args: arg = {contents= {f= 0; g= false}} File records_inv.mlw: Line 51: Normal execution of function `g` with args: arg = {f= 0; g= false} Normal execution of function `r'mk` with args: f = 6 g = false Property failure at precondition of `r'mk` with: f = 6 File "bench/check-ce/records_inv.mlw", line 49, characters 14-26: Sub-goal Postcondition of goal test_record_match_eval_test5'vc. Prover result is: Valid. Categorizations of models: - Selected model 0: NC - Concrete RAC: FAILURE (postcondition at "bench/check-ce/records_inv.mlw", line 66, characters 14-24) - Abstract RAC: FAILURE (postcondition at "bench/check-ce/records_inv.mlw", line 66, characters 14-24) - Checked model 1: NC - Concrete RAC: FAILURE (postcondition at "bench/check-ce/records_inv.mlw", line 66, characters 14-24) - Abstract RAC: FAILURE (postcondition at "bench/check-ce/records_inv.mlw", line 66, characters 14-24) File "bench/check-ce/records_inv.mlw", line 66, characters 14-24: Sub-goal Postcondition of goal record_match_eval_test1'vc. Prover result is: Unknown (sat). The program does not comply to the verification goal, for example during the following execution: File int.mlw: Line 13: Constant zero initialization zero = 0 Line 14: Constant one initialization one = 1 File records_inv.mlw: Line 65: x = {f1= 0; g1= true} x = {f1= 0; g1= true} Execution of main function `record_match_eval_test1` with env: x = {f1= 0; g1= true} zero = 0 one = 1 Line 68: Normal execution of function `g` with args: arg = {f1= 0; g1= true} Line 69: Normal execution of function `f` with args: arg = {f1= 0; g1= true} Line 66: Property failure at postcondition of `record_match_eval_test11` with: result = 0 Categorizations of models: - Selected model 0: NC - Concrete RAC: FAILURE (postcondition at "bench/check-ce/records_inv.mlw", line 74, characters 14-24) - Abstract RAC: FAILURE (postcondition at "bench/check-ce/records_inv.mlw", line 74, characters 14-24) - Checked model 1: NC - Concrete RAC: FAILURE (postcondition at "bench/check-ce/records_inv.mlw", line 74, characters 14-24) - Abstract RAC: FAILURE (postcondition at "bench/check-ce/records_inv.mlw", line 74, characters 14-24) File "bench/check-ce/records_inv.mlw", line 74, characters 14-24: Sub-goal Postcondition of goal record_match_eval_test2'vc. Prover result is: Unknown (sat). The program does not comply to the verification goal, for example during the following execution: File int.mlw: Line 13: Constant zero initialization zero = 0 Line 14: Constant one initialization one = 1 File records_inv.mlw: Line 73: x = {f1= 0; g1= false} x = {f1= 0; g1= false} Execution of main function `record_match_eval_test2` with env: x = {f1= 0; g1= false} zero = 0 one = 1 Line 76: Normal execution of function `f` with args: arg = {f1= 0; g1= false} Line 74: Property failure at postcondition of `record_match_eval_test21` with: result = 0 Categorizations of models: - Selected model 0: NC - Concrete RAC: FAILURE (postcondition at "bench/check-ce/records_inv.mlw", line 79, characters 14-17) - Abstract RAC: FAILURE (postcondition at "bench/check-ce/records_inv.mlw", line 79, characters 14-17) - Checked model 1: NC - Concrete RAC: FAILURE (postcondition at "bench/check-ce/records_inv.mlw", line 79, characters 14-17) - Abstract RAC: FAILURE (postcondition at "bench/check-ce/records_inv.mlw", line 79, characters 14-17) File "bench/check-ce/records_inv.mlw", line 79, characters 14-17: Sub-goal Postcondition of goal record_match_eval_test3'vc. Prover result is: Unknown (sat). The program does not comply to the verification goal, for example during the following execution: File int.mlw: Line 13: Constant zero initialization zero = 0 Line 14: Constant one initialization one = 1 File records_inv.mlw: Line 78: x = {f1= 0; g1= false} x = {f1= 0; g1= false} Execution of main function `record_match_eval_test3` with env: x = {f1= 0; g1= false} zero = 0 one = 1 Line 79: Property failure at postcondition of `record_match_eval_test31` with: True = UNDEFINED x = {f1= 6; g1= false} Categorizations of models: - Selected model 0: NC - Concrete RAC: FAILURE (postcondition at "bench/check-ce/records_inv.mlw", line 84, characters 14-22) - Abstract RAC: FAILURE (postcondition at "bench/check-ce/records_inv.mlw", line 84, characters 14-22) - Checked model 1: NC - Concrete RAC: FAILURE (postcondition at "bench/check-ce/records_inv.mlw", line 84, characters 14-22) - Abstract RAC: FAILURE (postcondition at "bench/check-ce/records_inv.mlw", line 84, characters 14-22) File "bench/check-ce/records_inv.mlw", line 84, characters 14-22: Sub-goal Postcondition of goal record_match_eval_test4'vc. Prover result is: Unknown (sat). The program does not comply to the verification goal, for example during the following execution: File int.mlw: Line 13: Constant zero initialization zero = 0 Line 14: Constant one initialization one = 1 File records_inv.mlw: Line 83: x = {f1= 0; g1= false} x = {f1= 0; g1= false} Execution of main function `record_match_eval_test4` with env: x = {f1= 0; g1= false} zero = 0 one = 1 Line 84: Property failure at postcondition of `record_match_eval_test41` with: True = UNDEFINED result = {f1= 6; g1= false} why3-1.6.0/bench/check-ce/oracles/records_inv_CVC4,1.8_WP.oracle000066400000000000000000000360321440160026300237550ustar00rootroot00000000000000File bench/check-ce/records_inv.mlw: Goal r'vc. Prover result is: Valid. Categorizations of models: - Selected model 0: NC - Concrete RAC: FAILURE (postcondition at "bench/check-ce/records_inv.mlw", line 16, characters 14-24) - Abstract RAC: FAILURE (postcondition at "bench/check-ce/records_inv.mlw", line 16, characters 14-24) - Checked model 1: NC - Concrete RAC: FAILURE (postcondition at "bench/check-ce/records_inv.mlw", line 16, characters 14-24) - Abstract RAC: FAILURE (postcondition at "bench/check-ce/records_inv.mlw", line 16, characters 14-24) File "bench/check-ce/records_inv.mlw", line 16, characters 14-24: Sub-goal Postcondition of goal record_match_eval_test1'vc. Prover result is: Unknown or time/memory/step limit. The program does not comply to the verification goal, for example during the following execution: File int.mlw: Line 13: Constant zero initialization zero = 0 Line 14: Constant one initialization one = 1 File records_inv.mlw: Line 15: x = {f= 0; g= true} x = {f= 0; g= true} Execution of main function `record_match_eval_test1` with env: x = {f= 0; g= true} zero = 0 one = 1 Line 18: Normal execution of function `g` with args: arg = {f= 0; g= true} Line 19: Normal execution of function `f` with args: arg = {f= 0; g= true} Line 16: Property failure at postcondition of `record_match_eval_test1` with: result = 0 Categorizations of models: - Selected model 0: NC - Concrete RAC: FAILURE (postcondition at "bench/check-ce/records_inv.mlw", line 24, characters 14-24) - Abstract RAC: FAILURE (postcondition at "bench/check-ce/records_inv.mlw", line 24, characters 14-24) - Checked model 1: NC - Concrete RAC: FAILURE (postcondition at "bench/check-ce/records_inv.mlw", line 24, characters 14-24) - Abstract RAC: FAILURE (postcondition at "bench/check-ce/records_inv.mlw", line 24, characters 14-24) File "bench/check-ce/records_inv.mlw", line 24, characters 14-24: Sub-goal Postcondition of goal record_match_eval_test2'vc. Prover result is: Unknown or time/memory/step limit. The program does not comply to the verification goal, for example during the following execution: File int.mlw: Line 13: Constant zero initialization zero = 0 Line 14: Constant one initialization one = 1 File records_inv.mlw: Line 23: x = {f= 0; g= UNDEFINED} x = {f= 0; g= UNDEFINED} Execution of main function `record_match_eval_test2` with env: x = {f= 0; g= UNDEFINED} zero = 0 one = 1 Line 26: Normal execution of function `f` with args: arg = {f= 0; g= UNDEFINED} Line 24: Property failure at postcondition of `record_match_eval_test2` with: result = 0 Categorizations of models: - Selected model 0: NC - Concrete RAC: FAILURE (precondition at "bench/check-ce/records_inv.mlw", line 31, characters 9-25) - Abstract RAC: FAILURE (precondition at "bench/check-ce/records_inv.mlw", line 31, characters 9-25) - Checked model 1: NC - Concrete RAC: FAILURE (precondition at "bench/check-ce/records_inv.mlw", line 31, characters 9-25) - Abstract RAC: FAILURE (precondition at "bench/check-ce/records_inv.mlw", line 31, characters 9-25) File "bench/check-ce/records_inv.mlw", line 31, characters 9-25: Sub-goal Precondition of goal record_match_eval_test3'vc. Prover result is: Unknown or time/memory/step limit. The program does not comply to the verification goal, for example during the following execution: File int.mlw: Line 13: Constant zero initialization zero = 0 Line 14: Constant one initialization one = 1 File records_inv.mlw: Line 28: x = {contents= {f= 0; g= false}} x = {contents= {f= 0; g= false}} Execution of main function `record_match_eval_test3` with env: x = {contents= {f= 0; g= false}} zero = 0 one = 1 Line 31: Normal execution of function `(!)` with args: r = {contents= {f= 0; g= false}} File ref.mlw: Line 18: Normal execution of function `contents` with args: arg = {contents= {f= 0; g= false}} File records_inv.mlw: Line 31: Normal execution of function `g` with args: arg = {f= 0; g= false} Normal execution of function `r'mk` with args: f = 6 g = false Property failure at precondition of `r'mk` with: f = 6 File "bench/check-ce/records_inv.mlw", line 29, characters 14-18: Sub-goal Postcondition of goal record_match_eval_test3'vc. Prover result is: Valid. Categorizations of models: - Selected model 0: NC - Concrete RAC: FAILURE (precondition at "bench/check-ce/records_inv.mlw", line 36, characters 9-26) - Abstract RAC: FAILURE (precondition at "bench/check-ce/records_inv.mlw", line 36, characters 9-26) - Checked model 1: NC - Concrete RAC: FAILURE (precondition at "bench/check-ce/records_inv.mlw", line 36, characters 9-26) - Abstract RAC: FAILURE (precondition at "bench/check-ce/records_inv.mlw", line 36, characters 9-26) File "bench/check-ce/records_inv.mlw", line 36, characters 9-26: Sub-goal Precondition of goal record_match_eval_test4'vc. Prover result is: Unknown or time/memory/step limit. The program does not comply to the verification goal, for example during the following execution: File int.mlw: Line 13: Constant zero initialization zero = 0 Line 14: Constant one initialization one = 1 File records_inv.mlw: Line 33: x = {contents= {f= 0; g= false}} x = {contents= {f= 0; g= false}} Execution of main function `record_match_eval_test4` with env: x = {contents= {f= 0; g= false}} zero = 0 one = 1 Line 36: Normal execution of function `(!)` with args: r = {contents= {f= 0; g= false}} File ref.mlw: Line 18: Normal execution of function `contents` with args: arg = {contents= {f= 0; g= false}} File records_inv.mlw: Line 36: Normal execution of function `g` with args: arg = {f= 0; g= false} Normal execution of function `r'mk` with args: f = 6 g = false Property failure at precondition of `r'mk` with: f = 6 File "bench/check-ce/records_inv.mlw", line 34, characters 14-22: Sub-goal Postcondition of goal record_match_eval_test4'vc. Prover result is: Valid. Categorizations of models: - Selected model 0: NC - Concrete RAC: FAILURE (precondition at "bench/check-ce/records_inv.mlw", line 42, characters 9-26) - Abstract RAC: FAILURE (precondition at "bench/check-ce/records_inv.mlw", line 42, characters 9-26) - Checked model 1: NC - Concrete RAC: FAILURE (precondition at "bench/check-ce/records_inv.mlw", line 42, characters 9-26) - Abstract RAC: FAILURE (precondition at "bench/check-ce/records_inv.mlw", line 42, characters 9-26) File "bench/check-ce/records_inv.mlw", line 42, characters 9-26: Sub-goal Precondition of goal record_match_eval_test44'vc. Prover result is: Unknown or time/memory/step limit. The program does not comply to the verification goal, for example during the following execution: File int.mlw: Line 13: Constant zero initialization zero = 0 Line 14: Constant one initialization one = 1 File records_inv.mlw: Line 39: x = {contents= {f= 0; g= false}} x = {contents= {f= 0; g= false}} Execution of main function `record_match_eval_test44` with env: x = {contents= {f= 0; g= false}} zero = 0 one = 1 Line 42: Normal execution of function `(!)` with args: r = {contents= {f= 0; g= false}} File ref.mlw: Line 18: Normal execution of function `contents` with args: arg = {contents= {f= 0; g= false}} File records_inv.mlw: Line 42: Normal execution of function `g` with args: arg = {f= 0; g= false} Normal execution of function `r'mk` with args: f = 6 g = false Property failure at precondition of `r'mk` with: f = 6 File "bench/check-ce/records_inv.mlw", line 43, characters 13-22: Sub-goal Assertion of goal record_match_eval_test44'vc. Prover result is: Valid. File "bench/check-ce/records_inv.mlw", line 40, characters 14-22: Sub-goal Postcondition of goal record_match_eval_test44'vc. Prover result is: Valid. Categorizations of models: - Selected model 0: NC - Concrete RAC: FAILURE (precondition at "bench/check-ce/records_inv.mlw", line 51, characters 9-26) - Abstract RAC: FAILURE (precondition at "bench/check-ce/records_inv.mlw", line 51, characters 9-26) - Checked model 1: NC - Concrete RAC: FAILURE (precondition at "bench/check-ce/records_inv.mlw", line 51, characters 9-26) - Abstract RAC: FAILURE (precondition at "bench/check-ce/records_inv.mlw", line 51, characters 9-26) File "bench/check-ce/records_inv.mlw", line 51, characters 9-26: Sub-goal Precondition of goal test_record_match_eval_test5'vc. Prover result is: Unknown or time/memory/step limit. The program does not comply to the verification goal, for example during the following execution: File int.mlw: Line 13: Constant zero initialization zero = 0 Line 14: Constant one initialization one = 1 File records_inv.mlw: Line 46: re = {contents= {f= 0; g= false}} Line 48: x = {contents= {f= 0; g= false}} x = {contents= {f= 0; g= false}} Execution of main function `test_record_match_eval_test5` with env: re = {contents= {f= 0; g= false}} x = {contents= {f= 0; g= false}} zero = 0 one = 1 Line 51: Normal execution of function `(!)` with args: r = {contents= {f= 0; g= false}} File ref.mlw: Line 18: Normal execution of function `contents` with args: arg = {contents= {f= 0; g= false}} File records_inv.mlw: Line 51: Normal execution of function `g` with args: arg = {f= 0; g= false} Normal execution of function `r'mk` with args: f = 6 g = false Property failure at precondition of `r'mk` with: f = 6 File "bench/check-ce/records_inv.mlw", line 49, characters 14-26: Sub-goal Postcondition of goal test_record_match_eval_test5'vc. Prover result is: Valid. Categorizations of models: - Selected model 0: NC - Concrete RAC: FAILURE (postcondition at "bench/check-ce/records_inv.mlw", line 66, characters 14-24) - Abstract RAC: FAILURE (postcondition at "bench/check-ce/records_inv.mlw", line 66, characters 14-24) - Checked model 1: NC - Concrete RAC: FAILURE (postcondition at "bench/check-ce/records_inv.mlw", line 66, characters 14-24) - Abstract RAC: FAILURE (postcondition at "bench/check-ce/records_inv.mlw", line 66, characters 14-24) File "bench/check-ce/records_inv.mlw", line 66, characters 14-24: Sub-goal Postcondition of goal record_match_eval_test1'vc. Prover result is: Unknown (sat). The program does not comply to the verification goal, for example during the following execution: File int.mlw: Line 13: Constant zero initialization zero = 0 Line 14: Constant one initialization one = 1 File records_inv.mlw: Line 65: x = {f1= 0; g1= true} x = {f1= 0; g1= true} Execution of main function `record_match_eval_test1` with env: x = {f1= 0; g1= true} zero = 0 one = 1 Line 68: Normal execution of function `g` with args: arg = {f1= 0; g1= true} Line 69: Normal execution of function `f` with args: arg = {f1= 0; g1= true} Line 66: Property failure at postcondition of `record_match_eval_test11` with: result = 0 Categorizations of models: - Selected model 0: NC - Concrete RAC: FAILURE (postcondition at "bench/check-ce/records_inv.mlw", line 74, characters 14-24) - Abstract RAC: FAILURE (postcondition at "bench/check-ce/records_inv.mlw", line 74, characters 14-24) - Checked model 1: NC - Concrete RAC: FAILURE (postcondition at "bench/check-ce/records_inv.mlw", line 74, characters 14-24) - Abstract RAC: FAILURE (postcondition at "bench/check-ce/records_inv.mlw", line 74, characters 14-24) File "bench/check-ce/records_inv.mlw", line 74, characters 14-24: Sub-goal Postcondition of goal record_match_eval_test2'vc. Prover result is: Unknown (sat). The program does not comply to the verification goal, for example during the following execution: File int.mlw: Line 13: Constant zero initialization zero = 0 Line 14: Constant one initialization one = 1 File records_inv.mlw: Line 73: x = {f1= 0; g1= false} x = {f1= 0; g1= false} Execution of main function `record_match_eval_test2` with env: x = {f1= 0; g1= false} zero = 0 one = 1 Line 76: Normal execution of function `f` with args: arg = {f1= 0; g1= false} Line 74: Property failure at postcondition of `record_match_eval_test21` with: result = 0 Categorizations of models: - Selected model 0: NC - Concrete RAC: FAILURE (postcondition at "bench/check-ce/records_inv.mlw", line 79, characters 14-17) - Abstract RAC: FAILURE (postcondition at "bench/check-ce/records_inv.mlw", line 79, characters 14-17) - Checked model 1: NC - Concrete RAC: FAILURE (postcondition at "bench/check-ce/records_inv.mlw", line 79, characters 14-17) - Abstract RAC: FAILURE (postcondition at "bench/check-ce/records_inv.mlw", line 79, characters 14-17) File "bench/check-ce/records_inv.mlw", line 79, characters 14-17: Sub-goal Postcondition of goal record_match_eval_test3'vc. Prover result is: Unknown (sat). The program does not comply to the verification goal, for example during the following execution: File int.mlw: Line 13: Constant zero initialization zero = 0 Line 14: Constant one initialization one = 1 File records_inv.mlw: Line 78: x = {f1= 0; g1= false} x = {f1= 0; g1= false} Execution of main function `record_match_eval_test3` with env: x = {f1= 0; g1= false} zero = 0 one = 1 Line 79: Property failure at postcondition of `record_match_eval_test31` with: True = UNDEFINED x = {f1= 6; g1= false} Categorizations of models: - Selected model 0: NC - Concrete RAC: FAILURE (postcondition at "bench/check-ce/records_inv.mlw", line 84, characters 14-22) - Abstract RAC: FAILURE (postcondition at "bench/check-ce/records_inv.mlw", line 84, characters 14-22) - Checked model 1: NC - Concrete RAC: FAILURE (postcondition at "bench/check-ce/records_inv.mlw", line 84, characters 14-22) - Abstract RAC: FAILURE (postcondition at "bench/check-ce/records_inv.mlw", line 84, characters 14-22) File "bench/check-ce/records_inv.mlw", line 84, characters 14-22: Sub-goal Postcondition of goal record_match_eval_test4'vc. Prover result is: Unknown (sat). The program does not comply to the verification goal, for example during the following execution: File int.mlw: Line 13: Constant zero initialization zero = 0 Line 14: Constant one initialization one = 1 File records_inv.mlw: Line 83: x = {f1= 0; g1= false} x = {f1= 0; g1= false} Execution of main function `record_match_eval_test4` with env: x = {f1= 0; g1= false} zero = 0 one = 1 Line 84: Property failure at postcondition of `record_match_eval_test41` with: True = UNDEFINED result = {f1= 6; g1= false} why3-1.6.0/bench/check-ce/oracles/records_inv_CVC5,1.0.0_SP.oracle000066400000000000000000000360261440160026300241030ustar00rootroot00000000000000File bench/check-ce/records_inv.mlw: Goal r'vc. Prover result is: Valid. Categorizations of models: - Selected model 0: NC - Concrete RAC: FAILURE (postcondition at "bench/check-ce/records_inv.mlw", line 16, characters 14-24) - Abstract RAC: FAILURE (postcondition at "bench/check-ce/records_inv.mlw", line 16, characters 14-24) - Checked model 1: NC - Concrete RAC: FAILURE (postcondition at "bench/check-ce/records_inv.mlw", line 16, characters 14-24) - Abstract RAC: FAILURE (postcondition at "bench/check-ce/records_inv.mlw", line 16, characters 14-24) File "bench/check-ce/records_inv.mlw", line 16, characters 14-24: Sub-goal Postcondition of goal record_match_eval_test1'vc. Prover result is: Unknown or time/memory/step limit. The program does not comply to the verification goal, for example during the following execution: File int.mlw: Line 13: Constant zero initialization zero = 0 Line 14: Constant one initialization one = 1 File records_inv.mlw: Line 15: x = {f= 0; g= true} x = {f= 0; g= true} Execution of main function `record_match_eval_test1` with env: x = {f= 0; g= true} zero = 0 one = 1 Line 18: Normal execution of function `g` with args: arg = {f= 0; g= true} Line 19: Normal execution of function `f` with args: arg = {f= 0; g= true} Line 16: Property failure at postcondition of `record_match_eval_test1` with: result = 0 Categorizations of models: - Selected model 0: NC - Concrete RAC: FAILURE (postcondition at "bench/check-ce/records_inv.mlw", line 24, characters 14-24) - Abstract RAC: FAILURE (postcondition at "bench/check-ce/records_inv.mlw", line 24, characters 14-24) - Checked model 1: NC - Concrete RAC: FAILURE (postcondition at "bench/check-ce/records_inv.mlw", line 24, characters 14-24) - Abstract RAC: FAILURE (postcondition at "bench/check-ce/records_inv.mlw", line 24, characters 14-24) File "bench/check-ce/records_inv.mlw", line 24, characters 14-24: Sub-goal Postcondition of goal record_match_eval_test2'vc. Prover result is: Unknown or time/memory/step limit. The program does not comply to the verification goal, for example during the following execution: File int.mlw: Line 13: Constant zero initialization zero = 0 Line 14: Constant one initialization one = 1 File records_inv.mlw: Line 23: x = {f= 0; g= UNDEFINED} x = {f= 0; g= UNDEFINED} Execution of main function `record_match_eval_test2` with env: x = {f= 0; g= UNDEFINED} zero = 0 one = 1 Line 26: Normal execution of function `f` with args: arg = {f= 0; g= UNDEFINED} Line 24: Property failure at postcondition of `record_match_eval_test2` with: result = 0 Categorizations of models: - Selected model 0: NC - Concrete RAC: FAILURE (precondition at "bench/check-ce/records_inv.mlw", line 31, characters 9-25) - Abstract RAC: FAILURE (precondition at "bench/check-ce/records_inv.mlw", line 31, characters 9-25) - Checked model 1: NC - Concrete RAC: FAILURE (precondition at "bench/check-ce/records_inv.mlw", line 31, characters 9-25) - Abstract RAC: FAILURE (precondition at "bench/check-ce/records_inv.mlw", line 31, characters 9-25) File "bench/check-ce/records_inv.mlw", line 31, characters 9-25: Sub-goal Precondition of goal record_match_eval_test3'vc. Prover result is: Unknown or time/memory/step limit. The program does not comply to the verification goal, for example during the following execution: File int.mlw: Line 13: Constant zero initialization zero = 0 Line 14: Constant one initialization one = 1 File records_inv.mlw: Line 28: x = {contents= {f= 0; g= false}} x = {contents= {f= 0; g= false}} Execution of main function `record_match_eval_test3` with env: x = {contents= {f= 0; g= false}} zero = 0 one = 1 Line 31: Normal execution of function `(!)` with args: r = {contents= {f= 0; g= false}} File ref.mlw: Line 18: Normal execution of function `contents` with args: arg = {contents= {f= 0; g= false}} File records_inv.mlw: Line 31: Normal execution of function `g` with args: arg = {f= 0; g= false} Normal execution of function `r'mk` with args: f = 6 g = false Property failure at precondition of `r'mk` with: f = 6 File "bench/check-ce/records_inv.mlw", line 29, characters 14-18: Sub-goal Postcondition of goal record_match_eval_test3'vc. Prover result is: Valid. Categorizations of models: - Selected model 0: NC - Concrete RAC: FAILURE (precondition at "bench/check-ce/records_inv.mlw", line 36, characters 9-26) - Abstract RAC: FAILURE (precondition at "bench/check-ce/records_inv.mlw", line 36, characters 9-26) - Checked model 1: NC - Concrete RAC: FAILURE (precondition at "bench/check-ce/records_inv.mlw", line 36, characters 9-26) - Abstract RAC: FAILURE (precondition at "bench/check-ce/records_inv.mlw", line 36, characters 9-26) File "bench/check-ce/records_inv.mlw", line 36, characters 9-26: Sub-goal Precondition of goal record_match_eval_test4'vc. Prover result is: Unknown or time/memory/step limit. The program does not comply to the verification goal, for example during the following execution: File int.mlw: Line 13: Constant zero initialization zero = 0 Line 14: Constant one initialization one = 1 File records_inv.mlw: Line 33: x = {contents= {f= 0; g= false}} x = {contents= {f= 0; g= false}} Execution of main function `record_match_eval_test4` with env: x = {contents= {f= 0; g= false}} zero = 0 one = 1 Line 36: Normal execution of function `(!)` with args: r = {contents= {f= 0; g= false}} File ref.mlw: Line 18: Normal execution of function `contents` with args: arg = {contents= {f= 0; g= false}} File records_inv.mlw: Line 36: Normal execution of function `g` with args: arg = {f= 0; g= false} Normal execution of function `r'mk` with args: f = 6 g = false Property failure at precondition of `r'mk` with: f = 6 File "bench/check-ce/records_inv.mlw", line 34, characters 14-22: Sub-goal Postcondition of goal record_match_eval_test4'vc. Prover result is: Valid. Categorizations of models: - Selected model 0: NC - Concrete RAC: FAILURE (precondition at "bench/check-ce/records_inv.mlw", line 42, characters 9-26) - Abstract RAC: FAILURE (precondition at "bench/check-ce/records_inv.mlw", line 42, characters 9-26) - Checked model 1: NC - Concrete RAC: FAILURE (precondition at "bench/check-ce/records_inv.mlw", line 42, characters 9-26) - Abstract RAC: FAILURE (precondition at "bench/check-ce/records_inv.mlw", line 42, characters 9-26) File "bench/check-ce/records_inv.mlw", line 42, characters 9-26: Sub-goal Precondition of goal record_match_eval_test44'vc. Prover result is: Unknown or time/memory/step limit. The program does not comply to the verification goal, for example during the following execution: File int.mlw: Line 13: Constant zero initialization zero = 0 Line 14: Constant one initialization one = 1 File records_inv.mlw: Line 39: x = {contents= {f= 0; g= false}} x = {contents= {f= 0; g= false}} Execution of main function `record_match_eval_test44` with env: x = {contents= {f= 0; g= false}} zero = 0 one = 1 Line 42: Normal execution of function `(!)` with args: r = {contents= {f= 0; g= false}} File ref.mlw: Line 18: Normal execution of function `contents` with args: arg = {contents= {f= 0; g= false}} File records_inv.mlw: Line 42: Normal execution of function `g` with args: arg = {f= 0; g= false} Normal execution of function `r'mk` with args: f = 6 g = false Property failure at precondition of `r'mk` with: f = 6 File "bench/check-ce/records_inv.mlw", line 43, characters 13-22: Sub-goal Assertion of goal record_match_eval_test44'vc. Prover result is: Valid. File "bench/check-ce/records_inv.mlw", line 40, characters 14-22: Sub-goal Postcondition of goal record_match_eval_test44'vc. Prover result is: Valid. Categorizations of models: - Selected model 0: NC - Concrete RAC: FAILURE (precondition at "bench/check-ce/records_inv.mlw", line 51, characters 9-26) - Abstract RAC: FAILURE (precondition at "bench/check-ce/records_inv.mlw", line 51, characters 9-26) - Checked model 1: NC - Concrete RAC: FAILURE (precondition at "bench/check-ce/records_inv.mlw", line 51, characters 9-26) - Abstract RAC: FAILURE (precondition at "bench/check-ce/records_inv.mlw", line 51, characters 9-26) File "bench/check-ce/records_inv.mlw", line 51, characters 9-26: Sub-goal Precondition of goal test_record_match_eval_test5'vc. Prover result is: Unknown or time/memory/step limit. The program does not comply to the verification goal, for example during the following execution: File int.mlw: Line 13: Constant zero initialization zero = 0 Line 14: Constant one initialization one = 1 File records_inv.mlw: Line 46: re = {contents= {f= 0; g= false}} Line 48: x = {contents= {f= 0; g= false}} x = {contents= {f= 0; g= false}} Execution of main function `test_record_match_eval_test5` with env: re = {contents= {f= 0; g= false}} x = {contents= {f= 0; g= false}} zero = 0 one = 1 Line 51: Normal execution of function `(!)` with args: r = {contents= {f= 0; g= false}} File ref.mlw: Line 18: Normal execution of function `contents` with args: arg = {contents= {f= 0; g= false}} File records_inv.mlw: Line 51: Normal execution of function `g` with args: arg = {f= 0; g= false} Normal execution of function `r'mk` with args: f = 6 g = false Property failure at precondition of `r'mk` with: f = 6 File "bench/check-ce/records_inv.mlw", line 49, characters 14-26: Sub-goal Postcondition of goal test_record_match_eval_test5'vc. Prover result is: Valid. Categorizations of models: - Selected model 0: NC - Concrete RAC: FAILURE (postcondition at "bench/check-ce/records_inv.mlw", line 66, characters 14-24) - Abstract RAC: FAILURE (postcondition at "bench/check-ce/records_inv.mlw", line 66, characters 14-24) - Checked model 1: NC - Concrete RAC: FAILURE (postcondition at "bench/check-ce/records_inv.mlw", line 66, characters 14-24) - Abstract RAC: FAILURE (postcondition at "bench/check-ce/records_inv.mlw", line 66, characters 14-24) File "bench/check-ce/records_inv.mlw", line 66, characters 14-24: Sub-goal Postcondition of goal record_match_eval_test1'vc. Prover result is: Unknown (sat). The program does not comply to the verification goal, for example during the following execution: File int.mlw: Line 13: Constant zero initialization zero = 0 Line 14: Constant one initialization one = 1 File records_inv.mlw: Line 65: x = {f1= 0; g1= true} x = {f1= 0; g1= true} Execution of main function `record_match_eval_test1` with env: x = {f1= 0; g1= true} zero = 0 one = 1 Line 68: Normal execution of function `g` with args: arg = {f1= 0; g1= true} Line 69: Normal execution of function `f` with args: arg = {f1= 0; g1= true} Line 66: Property failure at postcondition of `record_match_eval_test11` with: result = 0 Categorizations of models: - Selected model 0: NC - Concrete RAC: FAILURE (postcondition at "bench/check-ce/records_inv.mlw", line 74, characters 14-24) - Abstract RAC: FAILURE (postcondition at "bench/check-ce/records_inv.mlw", line 74, characters 14-24) - Checked model 1: NC - Concrete RAC: FAILURE (postcondition at "bench/check-ce/records_inv.mlw", line 74, characters 14-24) - Abstract RAC: FAILURE (postcondition at "bench/check-ce/records_inv.mlw", line 74, characters 14-24) File "bench/check-ce/records_inv.mlw", line 74, characters 14-24: Sub-goal Postcondition of goal record_match_eval_test2'vc. Prover result is: Unknown (sat). The program does not comply to the verification goal, for example during the following execution: File int.mlw: Line 13: Constant zero initialization zero = 0 Line 14: Constant one initialization one = 1 File records_inv.mlw: Line 73: x = {f1= 0; g1= true} x = {f1= 0; g1= true} Execution of main function `record_match_eval_test2` with env: x = {f1= 0; g1= true} zero = 0 one = 1 Line 76: Normal execution of function `f` with args: arg = {f1= 0; g1= true} Line 74: Property failure at postcondition of `record_match_eval_test21` with: result = 0 Categorizations of models: - Selected model 0: NC - Concrete RAC: FAILURE (postcondition at "bench/check-ce/records_inv.mlw", line 79, characters 14-17) - Abstract RAC: FAILURE (postcondition at "bench/check-ce/records_inv.mlw", line 79, characters 14-17) - Checked model 1: NC - Concrete RAC: FAILURE (postcondition at "bench/check-ce/records_inv.mlw", line 79, characters 14-17) - Abstract RAC: FAILURE (postcondition at "bench/check-ce/records_inv.mlw", line 79, characters 14-17) File "bench/check-ce/records_inv.mlw", line 79, characters 14-17: Sub-goal Postcondition of goal record_match_eval_test3'vc. Prover result is: Unknown (sat). The program does not comply to the verification goal, for example during the following execution: File int.mlw: Line 13: Constant zero initialization zero = 0 Line 14: Constant one initialization one = 1 File records_inv.mlw: Line 78: x = {f1= 0; g1= false} x = {f1= 0; g1= false} Execution of main function `record_match_eval_test3` with env: x = {f1= 0; g1= false} zero = 0 one = 1 Line 79: Property failure at postcondition of `record_match_eval_test31` with: True = UNDEFINED x = {f1= 6; g1= false} Categorizations of models: - Selected model 0: NC - Concrete RAC: FAILURE (postcondition at "bench/check-ce/records_inv.mlw", line 84, characters 14-22) - Abstract RAC: FAILURE (postcondition at "bench/check-ce/records_inv.mlw", line 84, characters 14-22) - Checked model 1: NC - Concrete RAC: FAILURE (postcondition at "bench/check-ce/records_inv.mlw", line 84, characters 14-22) - Abstract RAC: FAILURE (postcondition at "bench/check-ce/records_inv.mlw", line 84, characters 14-22) File "bench/check-ce/records_inv.mlw", line 84, characters 14-22: Sub-goal Postcondition of goal record_match_eval_test4'vc. Prover result is: Unknown (sat). The program does not comply to the verification goal, for example during the following execution: File int.mlw: Line 13: Constant zero initialization zero = 0 Line 14: Constant one initialization one = 1 File records_inv.mlw: Line 83: x = {f1= 0; g1= false} x = {f1= 0; g1= false} Execution of main function `record_match_eval_test4` with env: x = {f1= 0; g1= false} zero = 0 one = 1 Line 84: Property failure at postcondition of `record_match_eval_test41` with: True = UNDEFINED result = {f1= 6; g1= false} why3-1.6.0/bench/check-ce/oracles/records_inv_CVC5,1.0.0_WP.oracle000066400000000000000000000360261440160026300241070ustar00rootroot00000000000000File bench/check-ce/records_inv.mlw: Goal r'vc. Prover result is: Valid. Categorizations of models: - Selected model 0: NC - Concrete RAC: FAILURE (postcondition at "bench/check-ce/records_inv.mlw", line 16, characters 14-24) - Abstract RAC: FAILURE (postcondition at "bench/check-ce/records_inv.mlw", line 16, characters 14-24) - Checked model 1: NC - Concrete RAC: FAILURE (postcondition at "bench/check-ce/records_inv.mlw", line 16, characters 14-24) - Abstract RAC: FAILURE (postcondition at "bench/check-ce/records_inv.mlw", line 16, characters 14-24) File "bench/check-ce/records_inv.mlw", line 16, characters 14-24: Sub-goal Postcondition of goal record_match_eval_test1'vc. Prover result is: Unknown or time/memory/step limit. The program does not comply to the verification goal, for example during the following execution: File int.mlw: Line 13: Constant zero initialization zero = 0 Line 14: Constant one initialization one = 1 File records_inv.mlw: Line 15: x = {f= 0; g= true} x = {f= 0; g= true} Execution of main function `record_match_eval_test1` with env: x = {f= 0; g= true} zero = 0 one = 1 Line 18: Normal execution of function `g` with args: arg = {f= 0; g= true} Line 19: Normal execution of function `f` with args: arg = {f= 0; g= true} Line 16: Property failure at postcondition of `record_match_eval_test1` with: result = 0 Categorizations of models: - Selected model 0: NC - Concrete RAC: FAILURE (postcondition at "bench/check-ce/records_inv.mlw", line 24, characters 14-24) - Abstract RAC: FAILURE (postcondition at "bench/check-ce/records_inv.mlw", line 24, characters 14-24) - Checked model 1: NC - Concrete RAC: FAILURE (postcondition at "bench/check-ce/records_inv.mlw", line 24, characters 14-24) - Abstract RAC: FAILURE (postcondition at "bench/check-ce/records_inv.mlw", line 24, characters 14-24) File "bench/check-ce/records_inv.mlw", line 24, characters 14-24: Sub-goal Postcondition of goal record_match_eval_test2'vc. Prover result is: Unknown or time/memory/step limit. The program does not comply to the verification goal, for example during the following execution: File int.mlw: Line 13: Constant zero initialization zero = 0 Line 14: Constant one initialization one = 1 File records_inv.mlw: Line 23: x = {f= 0; g= UNDEFINED} x = {f= 0; g= UNDEFINED} Execution of main function `record_match_eval_test2` with env: x = {f= 0; g= UNDEFINED} zero = 0 one = 1 Line 26: Normal execution of function `f` with args: arg = {f= 0; g= UNDEFINED} Line 24: Property failure at postcondition of `record_match_eval_test2` with: result = 0 Categorizations of models: - Selected model 0: NC - Concrete RAC: FAILURE (precondition at "bench/check-ce/records_inv.mlw", line 31, characters 9-25) - Abstract RAC: FAILURE (precondition at "bench/check-ce/records_inv.mlw", line 31, characters 9-25) - Checked model 1: NC - Concrete RAC: FAILURE (precondition at "bench/check-ce/records_inv.mlw", line 31, characters 9-25) - Abstract RAC: FAILURE (precondition at "bench/check-ce/records_inv.mlw", line 31, characters 9-25) File "bench/check-ce/records_inv.mlw", line 31, characters 9-25: Sub-goal Precondition of goal record_match_eval_test3'vc. Prover result is: Unknown or time/memory/step limit. The program does not comply to the verification goal, for example during the following execution: File int.mlw: Line 13: Constant zero initialization zero = 0 Line 14: Constant one initialization one = 1 File records_inv.mlw: Line 28: x = {contents= {f= 0; g= false}} x = {contents= {f= 0; g= false}} Execution of main function `record_match_eval_test3` with env: x = {contents= {f= 0; g= false}} zero = 0 one = 1 Line 31: Normal execution of function `(!)` with args: r = {contents= {f= 0; g= false}} File ref.mlw: Line 18: Normal execution of function `contents` with args: arg = {contents= {f= 0; g= false}} File records_inv.mlw: Line 31: Normal execution of function `g` with args: arg = {f= 0; g= false} Normal execution of function `r'mk` with args: f = 6 g = false Property failure at precondition of `r'mk` with: f = 6 File "bench/check-ce/records_inv.mlw", line 29, characters 14-18: Sub-goal Postcondition of goal record_match_eval_test3'vc. Prover result is: Valid. Categorizations of models: - Selected model 0: NC - Concrete RAC: FAILURE (precondition at "bench/check-ce/records_inv.mlw", line 36, characters 9-26) - Abstract RAC: FAILURE (precondition at "bench/check-ce/records_inv.mlw", line 36, characters 9-26) - Checked model 1: NC - Concrete RAC: FAILURE (precondition at "bench/check-ce/records_inv.mlw", line 36, characters 9-26) - Abstract RAC: FAILURE (precondition at "bench/check-ce/records_inv.mlw", line 36, characters 9-26) File "bench/check-ce/records_inv.mlw", line 36, characters 9-26: Sub-goal Precondition of goal record_match_eval_test4'vc. Prover result is: Unknown or time/memory/step limit. The program does not comply to the verification goal, for example during the following execution: File int.mlw: Line 13: Constant zero initialization zero = 0 Line 14: Constant one initialization one = 1 File records_inv.mlw: Line 33: x = {contents= {f= 0; g= false}} x = {contents= {f= 0; g= false}} Execution of main function `record_match_eval_test4` with env: x = {contents= {f= 0; g= false}} zero = 0 one = 1 Line 36: Normal execution of function `(!)` with args: r = {contents= {f= 0; g= false}} File ref.mlw: Line 18: Normal execution of function `contents` with args: arg = {contents= {f= 0; g= false}} File records_inv.mlw: Line 36: Normal execution of function `g` with args: arg = {f= 0; g= false} Normal execution of function `r'mk` with args: f = 6 g = false Property failure at precondition of `r'mk` with: f = 6 File "bench/check-ce/records_inv.mlw", line 34, characters 14-22: Sub-goal Postcondition of goal record_match_eval_test4'vc. Prover result is: Valid. Categorizations of models: - Selected model 0: NC - Concrete RAC: FAILURE (precondition at "bench/check-ce/records_inv.mlw", line 42, characters 9-26) - Abstract RAC: FAILURE (precondition at "bench/check-ce/records_inv.mlw", line 42, characters 9-26) - Checked model 1: NC - Concrete RAC: FAILURE (precondition at "bench/check-ce/records_inv.mlw", line 42, characters 9-26) - Abstract RAC: FAILURE (precondition at "bench/check-ce/records_inv.mlw", line 42, characters 9-26) File "bench/check-ce/records_inv.mlw", line 42, characters 9-26: Sub-goal Precondition of goal record_match_eval_test44'vc. Prover result is: Unknown or time/memory/step limit. The program does not comply to the verification goal, for example during the following execution: File int.mlw: Line 13: Constant zero initialization zero = 0 Line 14: Constant one initialization one = 1 File records_inv.mlw: Line 39: x = {contents= {f= 0; g= false}} x = {contents= {f= 0; g= false}} Execution of main function `record_match_eval_test44` with env: x = {contents= {f= 0; g= false}} zero = 0 one = 1 Line 42: Normal execution of function `(!)` with args: r = {contents= {f= 0; g= false}} File ref.mlw: Line 18: Normal execution of function `contents` with args: arg = {contents= {f= 0; g= false}} File records_inv.mlw: Line 42: Normal execution of function `g` with args: arg = {f= 0; g= false} Normal execution of function `r'mk` with args: f = 6 g = false Property failure at precondition of `r'mk` with: f = 6 File "bench/check-ce/records_inv.mlw", line 43, characters 13-22: Sub-goal Assertion of goal record_match_eval_test44'vc. Prover result is: Valid. File "bench/check-ce/records_inv.mlw", line 40, characters 14-22: Sub-goal Postcondition of goal record_match_eval_test44'vc. Prover result is: Valid. Categorizations of models: - Selected model 0: NC - Concrete RAC: FAILURE (precondition at "bench/check-ce/records_inv.mlw", line 51, characters 9-26) - Abstract RAC: FAILURE (precondition at "bench/check-ce/records_inv.mlw", line 51, characters 9-26) - Checked model 1: NC - Concrete RAC: FAILURE (precondition at "bench/check-ce/records_inv.mlw", line 51, characters 9-26) - Abstract RAC: FAILURE (precondition at "bench/check-ce/records_inv.mlw", line 51, characters 9-26) File "bench/check-ce/records_inv.mlw", line 51, characters 9-26: Sub-goal Precondition of goal test_record_match_eval_test5'vc. Prover result is: Unknown or time/memory/step limit. The program does not comply to the verification goal, for example during the following execution: File int.mlw: Line 13: Constant zero initialization zero = 0 Line 14: Constant one initialization one = 1 File records_inv.mlw: Line 46: re = {contents= {f= 0; g= false}} Line 48: x = {contents= {f= 0; g= false}} x = {contents= {f= 0; g= false}} Execution of main function `test_record_match_eval_test5` with env: re = {contents= {f= 0; g= false}} x = {contents= {f= 0; g= false}} zero = 0 one = 1 Line 51: Normal execution of function `(!)` with args: r = {contents= {f= 0; g= false}} File ref.mlw: Line 18: Normal execution of function `contents` with args: arg = {contents= {f= 0; g= false}} File records_inv.mlw: Line 51: Normal execution of function `g` with args: arg = {f= 0; g= false} Normal execution of function `r'mk` with args: f = 6 g = false Property failure at precondition of `r'mk` with: f = 6 File "bench/check-ce/records_inv.mlw", line 49, characters 14-26: Sub-goal Postcondition of goal test_record_match_eval_test5'vc. Prover result is: Valid. Categorizations of models: - Selected model 0: NC - Concrete RAC: FAILURE (postcondition at "bench/check-ce/records_inv.mlw", line 66, characters 14-24) - Abstract RAC: FAILURE (postcondition at "bench/check-ce/records_inv.mlw", line 66, characters 14-24) - Checked model 1: NC - Concrete RAC: FAILURE (postcondition at "bench/check-ce/records_inv.mlw", line 66, characters 14-24) - Abstract RAC: FAILURE (postcondition at "bench/check-ce/records_inv.mlw", line 66, characters 14-24) File "bench/check-ce/records_inv.mlw", line 66, characters 14-24: Sub-goal Postcondition of goal record_match_eval_test1'vc. Prover result is: Unknown (sat). The program does not comply to the verification goal, for example during the following execution: File int.mlw: Line 13: Constant zero initialization zero = 0 Line 14: Constant one initialization one = 1 File records_inv.mlw: Line 65: x = {f1= 0; g1= true} x = {f1= 0; g1= true} Execution of main function `record_match_eval_test1` with env: x = {f1= 0; g1= true} zero = 0 one = 1 Line 68: Normal execution of function `g` with args: arg = {f1= 0; g1= true} Line 69: Normal execution of function `f` with args: arg = {f1= 0; g1= true} Line 66: Property failure at postcondition of `record_match_eval_test11` with: result = 0 Categorizations of models: - Selected model 0: NC - Concrete RAC: FAILURE (postcondition at "bench/check-ce/records_inv.mlw", line 74, characters 14-24) - Abstract RAC: FAILURE (postcondition at "bench/check-ce/records_inv.mlw", line 74, characters 14-24) - Checked model 1: NC - Concrete RAC: FAILURE (postcondition at "bench/check-ce/records_inv.mlw", line 74, characters 14-24) - Abstract RAC: FAILURE (postcondition at "bench/check-ce/records_inv.mlw", line 74, characters 14-24) File "bench/check-ce/records_inv.mlw", line 74, characters 14-24: Sub-goal Postcondition of goal record_match_eval_test2'vc. Prover result is: Unknown (sat). The program does not comply to the verification goal, for example during the following execution: File int.mlw: Line 13: Constant zero initialization zero = 0 Line 14: Constant one initialization one = 1 File records_inv.mlw: Line 73: x = {f1= 0; g1= true} x = {f1= 0; g1= true} Execution of main function `record_match_eval_test2` with env: x = {f1= 0; g1= true} zero = 0 one = 1 Line 76: Normal execution of function `f` with args: arg = {f1= 0; g1= true} Line 74: Property failure at postcondition of `record_match_eval_test21` with: result = 0 Categorizations of models: - Selected model 0: NC - Concrete RAC: FAILURE (postcondition at "bench/check-ce/records_inv.mlw", line 79, characters 14-17) - Abstract RAC: FAILURE (postcondition at "bench/check-ce/records_inv.mlw", line 79, characters 14-17) - Checked model 1: NC - Concrete RAC: FAILURE (postcondition at "bench/check-ce/records_inv.mlw", line 79, characters 14-17) - Abstract RAC: FAILURE (postcondition at "bench/check-ce/records_inv.mlw", line 79, characters 14-17) File "bench/check-ce/records_inv.mlw", line 79, characters 14-17: Sub-goal Postcondition of goal record_match_eval_test3'vc. Prover result is: Unknown (sat). The program does not comply to the verification goal, for example during the following execution: File int.mlw: Line 13: Constant zero initialization zero = 0 Line 14: Constant one initialization one = 1 File records_inv.mlw: Line 78: x = {f1= 0; g1= false} x = {f1= 0; g1= false} Execution of main function `record_match_eval_test3` with env: x = {f1= 0; g1= false} zero = 0 one = 1 Line 79: Property failure at postcondition of `record_match_eval_test31` with: True = UNDEFINED x = {f1= 6; g1= false} Categorizations of models: - Selected model 0: NC - Concrete RAC: FAILURE (postcondition at "bench/check-ce/records_inv.mlw", line 84, characters 14-22) - Abstract RAC: FAILURE (postcondition at "bench/check-ce/records_inv.mlw", line 84, characters 14-22) - Checked model 1: NC - Concrete RAC: FAILURE (postcondition at "bench/check-ce/records_inv.mlw", line 84, characters 14-22) - Abstract RAC: FAILURE (postcondition at "bench/check-ce/records_inv.mlw", line 84, characters 14-22) File "bench/check-ce/records_inv.mlw", line 84, characters 14-22: Sub-goal Postcondition of goal record_match_eval_test4'vc. Prover result is: Unknown (sat). The program does not comply to the verification goal, for example during the following execution: File int.mlw: Line 13: Constant zero initialization zero = 0 Line 14: Constant one initialization one = 1 File records_inv.mlw: Line 83: x = {f1= 0; g1= false} x = {f1= 0; g1= false} Execution of main function `record_match_eval_test4` with env: x = {f1= 0; g1= false} zero = 0 one = 1 Line 84: Property failure at postcondition of `record_match_eval_test41` with: True = UNDEFINED result = {f1= 6; g1= false} why3-1.6.0/bench/check-ce/oracles/records_inv_Z3,4.8.10_SP.oracle000066400000000000000000000357721440160026300240020ustar00rootroot00000000000000File bench/check-ce/records_inv.mlw: Goal r'vc. Prover result is: Valid. Categorizations of models: - Checked model 0: BAD_CE - Concrete RAC: STUCK (failure in type invariant of type r at "bench/check-ce/records_inv.mlw", line 13, characters 16-21) - Abstract RAC: STUCK (failure in type invariant of type r at "bench/check-ce/records_inv.mlw", line 13, characters 16-21) - Selected model 1: NC - Concrete RAC: FAILURE (postcondition at "bench/check-ce/records_inv.mlw", line 16, characters 14-24) - Abstract RAC: FAILURE (postcondition at "bench/check-ce/records_inv.mlw", line 16, characters 14-24) File "bench/check-ce/records_inv.mlw", line 16, characters 14-24: Sub-goal Postcondition of goal record_match_eval_test1'vc. Prover result is: Unknown (sat). The program does not comply to the verification goal, for example during the following execution: File int.mlw: Line 13: Constant zero initialization zero = 0 Line 14: Constant one initialization one = 1 File records_inv.mlw: Line 15: x = {f= 0; g= true} x = {f= 0; g= true} Execution of main function `record_match_eval_test1` with env: x = {f= 0; g= true} zero = 0 one = 1 Line 18: Normal execution of function `g` with args: arg = {f= 0; g= true} Line 19: Normal execution of function `f` with args: arg = {f= 0; g= true} Line 16: Property failure at postcondition of `record_match_eval_test1` with: result = 0 Categorizations of models: - Checked model 0: BAD_CE - Concrete RAC: STUCK (failure in type invariant of type r at "bench/check-ce/records_inv.mlw", line 13, characters 16-21) - Abstract RAC: STUCK (failure in type invariant of type r at "bench/check-ce/records_inv.mlw", line 13, characters 16-21) - Selected model 1: NC - Concrete RAC: FAILURE (postcondition at "bench/check-ce/records_inv.mlw", line 24, characters 14-24) - Abstract RAC: FAILURE (postcondition at "bench/check-ce/records_inv.mlw", line 24, characters 14-24) File "bench/check-ce/records_inv.mlw", line 24, characters 14-24: Sub-goal Postcondition of goal record_match_eval_test2'vc. Prover result is: Unknown (sat). The program does not comply to the verification goal, for example during the following execution: File int.mlw: Line 13: Constant zero initialization zero = 0 Line 14: Constant one initialization one = 1 File records_inv.mlw: Line 23: x = {f= 0; g= UNDEFINED} x = {f= 0; g= UNDEFINED} Execution of main function `record_match_eval_test2` with env: x = {f= 0; g= UNDEFINED} zero = 0 one = 1 Line 26: Normal execution of function `f` with args: arg = {f= 0; g= UNDEFINED} Line 24: Property failure at postcondition of `record_match_eval_test2` with: result = 0 Categorizations of models: - Selected model 0: NC - Concrete RAC: FAILURE (precondition at "bench/check-ce/records_inv.mlw", line 31, characters 9-25) - Abstract RAC: FAILURE (precondition at "bench/check-ce/records_inv.mlw", line 31, characters 9-25) - Checked model 1: NC - Concrete RAC: FAILURE (precondition at "bench/check-ce/records_inv.mlw", line 31, characters 9-25) - Abstract RAC: FAILURE (precondition at "bench/check-ce/records_inv.mlw", line 31, characters 9-25) File "bench/check-ce/records_inv.mlw", line 31, characters 9-25: Sub-goal Precondition of goal record_match_eval_test3'vc. Prover result is: Unknown (sat). The program does not comply to the verification goal, for example during the following execution: File int.mlw: Line 13: Constant zero initialization zero = 0 Line 14: Constant one initialization one = 1 File records_inv.mlw: Line 28: x = {contents= {f= 0; g= false}} x = {contents= {f= 0; g= false}} Execution of main function `record_match_eval_test3` with env: x = {contents= {f= 0; g= false}} zero = 0 one = 1 Line 31: Normal execution of function `(!)` with args: r = {contents= {f= 0; g= false}} File ref.mlw: Line 18: Normal execution of function `contents` with args: arg = {contents= {f= 0; g= false}} File records_inv.mlw: Line 31: Normal execution of function `g` with args: arg = {f= 0; g= false} Normal execution of function `r'mk` with args: f = 6 g = false Property failure at precondition of `r'mk` with: f = 6 File "bench/check-ce/records_inv.mlw", line 29, characters 14-18: Sub-goal Postcondition of goal record_match_eval_test3'vc. Prover result is: Valid. Categorizations of models: - Selected model 0: NC - Concrete RAC: FAILURE (precondition at "bench/check-ce/records_inv.mlw", line 36, characters 9-26) - Abstract RAC: FAILURE (precondition at "bench/check-ce/records_inv.mlw", line 36, characters 9-26) - Checked model 1: NC - Concrete RAC: FAILURE (precondition at "bench/check-ce/records_inv.mlw", line 36, characters 9-26) - Abstract RAC: FAILURE (precondition at "bench/check-ce/records_inv.mlw", line 36, characters 9-26) File "bench/check-ce/records_inv.mlw", line 36, characters 9-26: Sub-goal Precondition of goal record_match_eval_test4'vc. Prover result is: Unknown (sat). The program does not comply to the verification goal, for example during the following execution: File int.mlw: Line 13: Constant zero initialization zero = 0 Line 14: Constant one initialization one = 1 File records_inv.mlw: Line 33: x = {contents= {f= 0; g= false}} x = {contents= {f= 0; g= false}} Execution of main function `record_match_eval_test4` with env: x = {contents= {f= 0; g= false}} zero = 0 one = 1 Line 36: Normal execution of function `(!)` with args: r = {contents= {f= 0; g= false}} File ref.mlw: Line 18: Normal execution of function `contents` with args: arg = {contents= {f= 0; g= false}} File records_inv.mlw: Line 36: Normal execution of function `g` with args: arg = {f= 0; g= false} Normal execution of function `r'mk` with args: f = 6 g = false Property failure at precondition of `r'mk` with: f = 6 File "bench/check-ce/records_inv.mlw", line 34, characters 14-22: Sub-goal Postcondition of goal record_match_eval_test4'vc. Prover result is: Valid. Categorizations of models: - Selected model 0: NC - Concrete RAC: FAILURE (precondition at "bench/check-ce/records_inv.mlw", line 42, characters 9-26) - Abstract RAC: FAILURE (precondition at "bench/check-ce/records_inv.mlw", line 42, characters 9-26) - Checked model 1: NC - Concrete RAC: FAILURE (precondition at "bench/check-ce/records_inv.mlw", line 42, characters 9-26) - Abstract RAC: FAILURE (precondition at "bench/check-ce/records_inv.mlw", line 42, characters 9-26) File "bench/check-ce/records_inv.mlw", line 42, characters 9-26: Sub-goal Precondition of goal record_match_eval_test44'vc. Prover result is: Unknown (sat). The program does not comply to the verification goal, for example during the following execution: File int.mlw: Line 13: Constant zero initialization zero = 0 Line 14: Constant one initialization one = 1 File records_inv.mlw: Line 39: x = {contents= {f= 0; g= false}} x = {contents= {f= 0; g= false}} Execution of main function `record_match_eval_test44` with env: x = {contents= {f= 0; g= false}} zero = 0 one = 1 Line 42: Normal execution of function `(!)` with args: r = {contents= {f= 0; g= false}} File ref.mlw: Line 18: Normal execution of function `contents` with args: arg = {contents= {f= 0; g= false}} File records_inv.mlw: Line 42: Normal execution of function `g` with args: arg = {f= 0; g= false} Normal execution of function `r'mk` with args: f = 6 g = false Property failure at precondition of `r'mk` with: f = 6 File "bench/check-ce/records_inv.mlw", line 43, characters 13-22: Sub-goal Assertion of goal record_match_eval_test44'vc. Prover result is: Valid. File "bench/check-ce/records_inv.mlw", line 40, characters 14-22: Sub-goal Postcondition of goal record_match_eval_test44'vc. Prover result is: Valid. Categorizations of models: - Selected model 0: NC - Concrete RAC: FAILURE (precondition at "bench/check-ce/records_inv.mlw", line 51, characters 9-26) - Abstract RAC: FAILURE (precondition at "bench/check-ce/records_inv.mlw", line 51, characters 9-26) - Checked model 1: NC - Concrete RAC: FAILURE (precondition at "bench/check-ce/records_inv.mlw", line 51, characters 9-26) - Abstract RAC: FAILURE (precondition at "bench/check-ce/records_inv.mlw", line 51, characters 9-26) File "bench/check-ce/records_inv.mlw", line 51, characters 9-26: Sub-goal Precondition of goal test_record_match_eval_test5'vc. Prover result is: Unknown (sat). The program does not comply to the verification goal, for example during the following execution: File int.mlw: Line 13: Constant zero initialization zero = 0 Line 14: Constant one initialization one = 1 File records_inv.mlw: Line 46: re = {contents= {f= 0; g= false}} Line 48: x = {contents= {f= 0; g= false}} x = {contents= {f= 0; g= false}} Execution of main function `test_record_match_eval_test5` with env: re = {contents= {f= 0; g= false}} x = {contents= {f= 0; g= false}} zero = 0 one = 1 Line 51: Normal execution of function `(!)` with args: r = {contents= {f= 0; g= false}} File ref.mlw: Line 18: Normal execution of function `contents` with args: arg = {contents= {f= 0; g= false}} File records_inv.mlw: Line 51: Normal execution of function `g` with args: arg = {f= 0; g= false} Normal execution of function `r'mk` with args: f = 6 g = false Property failure at precondition of `r'mk` with: f = 6 File "bench/check-ce/records_inv.mlw", line 49, characters 14-26: Sub-goal Postcondition of goal test_record_match_eval_test5'vc. Prover result is: Valid. Categorizations of models: - Selected model 0: NC - Concrete RAC: FAILURE (postcondition at "bench/check-ce/records_inv.mlw", line 66, characters 14-24) - Abstract RAC: FAILURE (postcondition at "bench/check-ce/records_inv.mlw", line 66, characters 14-24) - Checked model 1: NC - Concrete RAC: FAILURE (postcondition at "bench/check-ce/records_inv.mlw", line 66, characters 14-24) - Abstract RAC: FAILURE (postcondition at "bench/check-ce/records_inv.mlw", line 66, characters 14-24) File "bench/check-ce/records_inv.mlw", line 66, characters 14-24: Sub-goal Postcondition of goal record_match_eval_test1'vc. Prover result is: Unknown (sat). The program does not comply to the verification goal, for example during the following execution: File int.mlw: Line 13: Constant zero initialization zero = 0 Line 14: Constant one initialization one = 1 File records_inv.mlw: Line 65: x = {f1= 2; g1= true} x = {f1= 2; g1= true} Execution of main function `record_match_eval_test1` with env: x = {f1= 2; g1= true} zero = 0 one = 1 Line 68: Normal execution of function `g` with args: arg = {f1= 2; g1= true} Line 69: Normal execution of function `f` with args: arg = {f1= 2; g1= true} Line 66: Property failure at postcondition of `record_match_eval_test11` with: result = 2 Categorizations of models: - Selected model 0: NC - Concrete RAC: FAILURE (postcondition at "bench/check-ce/records_inv.mlw", line 74, characters 14-24) - Abstract RAC: FAILURE (postcondition at "bench/check-ce/records_inv.mlw", line 74, characters 14-24) - Checked model 1: NC - Concrete RAC: FAILURE (postcondition at "bench/check-ce/records_inv.mlw", line 74, characters 14-24) - Abstract RAC: FAILURE (postcondition at "bench/check-ce/records_inv.mlw", line 74, characters 14-24) File "bench/check-ce/records_inv.mlw", line 74, characters 14-24: Sub-goal Postcondition of goal record_match_eval_test2'vc. Prover result is: Unknown (sat). The program does not comply to the verification goal, for example during the following execution: File int.mlw: Line 13: Constant zero initialization zero = 0 Line 14: Constant one initialization one = 1 File records_inv.mlw: Line 73: x = {f1= 2; g1= false} x = {f1= 2; g1= false} Execution of main function `record_match_eval_test2` with env: x = {f1= 2; g1= false} zero = 0 one = 1 Line 76: Normal execution of function `f` with args: arg = {f1= 2; g1= false} Line 74: Property failure at postcondition of `record_match_eval_test21` with: result = 2 Categorizations of models: - Selected model 0: NC - Concrete RAC: FAILURE (postcondition at "bench/check-ce/records_inv.mlw", line 79, characters 14-17) - Abstract RAC: FAILURE (postcondition at "bench/check-ce/records_inv.mlw", line 79, characters 14-17) - Checked model 1: NC - Concrete RAC: FAILURE (postcondition at "bench/check-ce/records_inv.mlw", line 79, characters 14-17) - Abstract RAC: FAILURE (postcondition at "bench/check-ce/records_inv.mlw", line 79, characters 14-17) File "bench/check-ce/records_inv.mlw", line 79, characters 14-17: Sub-goal Postcondition of goal record_match_eval_test3'vc. Prover result is: Unknown (sat). The program does not comply to the verification goal, for example during the following execution: File int.mlw: Line 13: Constant zero initialization zero = 0 Line 14: Constant one initialization one = 1 File records_inv.mlw: Line 78: x = {f1= 2; g1= false} x = {f1= 2; g1= false} Execution of main function `record_match_eval_test3` with env: x = {f1= 2; g1= false} zero = 0 one = 1 Line 79: Property failure at postcondition of `record_match_eval_test31` with: True = UNDEFINED x = {f1= 6; g1= false} Categorizations of models: - Selected model 0: NC - Concrete RAC: FAILURE (postcondition at "bench/check-ce/records_inv.mlw", line 84, characters 14-22) - Abstract RAC: FAILURE (postcondition at "bench/check-ce/records_inv.mlw", line 84, characters 14-22) - Checked model 1: NC - Concrete RAC: FAILURE (postcondition at "bench/check-ce/records_inv.mlw", line 84, characters 14-22) - Abstract RAC: FAILURE (postcondition at "bench/check-ce/records_inv.mlw", line 84, characters 14-22) File "bench/check-ce/records_inv.mlw", line 84, characters 14-22: Sub-goal Postcondition of goal record_match_eval_test4'vc. Prover result is: Unknown (sat). The program does not comply to the verification goal, for example during the following execution: File int.mlw: Line 13: Constant zero initialization zero = 0 Line 14: Constant one initialization one = 1 File records_inv.mlw: Line 83: x = {f1= 2; g1= false} x = {f1= 2; g1= false} Execution of main function `record_match_eval_test4` with env: x = {f1= 2; g1= false} zero = 0 one = 1 Line 84: Property failure at postcondition of `record_match_eval_test41` with: True = UNDEFINED result = {f1= 6; g1= false} why3-1.6.0/bench/check-ce/oracles/records_inv_Z3,4.8.10_WP.oracle000066400000000000000000000357721440160026300240060ustar00rootroot00000000000000File bench/check-ce/records_inv.mlw: Goal r'vc. Prover result is: Valid. Categorizations of models: - Checked model 0: BAD_CE - Concrete RAC: STUCK (failure in type invariant of type r at "bench/check-ce/records_inv.mlw", line 13, characters 16-21) - Abstract RAC: STUCK (failure in type invariant of type r at "bench/check-ce/records_inv.mlw", line 13, characters 16-21) - Selected model 1: NC - Concrete RAC: FAILURE (postcondition at "bench/check-ce/records_inv.mlw", line 16, characters 14-24) - Abstract RAC: FAILURE (postcondition at "bench/check-ce/records_inv.mlw", line 16, characters 14-24) File "bench/check-ce/records_inv.mlw", line 16, characters 14-24: Sub-goal Postcondition of goal record_match_eval_test1'vc. Prover result is: Unknown (sat). The program does not comply to the verification goal, for example during the following execution: File int.mlw: Line 13: Constant zero initialization zero = 0 Line 14: Constant one initialization one = 1 File records_inv.mlw: Line 15: x = {f= 0; g= true} x = {f= 0; g= true} Execution of main function `record_match_eval_test1` with env: x = {f= 0; g= true} zero = 0 one = 1 Line 18: Normal execution of function `g` with args: arg = {f= 0; g= true} Line 19: Normal execution of function `f` with args: arg = {f= 0; g= true} Line 16: Property failure at postcondition of `record_match_eval_test1` with: result = 0 Categorizations of models: - Checked model 0: BAD_CE - Concrete RAC: STUCK (failure in type invariant of type r at "bench/check-ce/records_inv.mlw", line 13, characters 16-21) - Abstract RAC: STUCK (failure in type invariant of type r at "bench/check-ce/records_inv.mlw", line 13, characters 16-21) - Selected model 1: NC - Concrete RAC: FAILURE (postcondition at "bench/check-ce/records_inv.mlw", line 24, characters 14-24) - Abstract RAC: FAILURE (postcondition at "bench/check-ce/records_inv.mlw", line 24, characters 14-24) File "bench/check-ce/records_inv.mlw", line 24, characters 14-24: Sub-goal Postcondition of goal record_match_eval_test2'vc. Prover result is: Unknown (sat). The program does not comply to the verification goal, for example during the following execution: File int.mlw: Line 13: Constant zero initialization zero = 0 Line 14: Constant one initialization one = 1 File records_inv.mlw: Line 23: x = {f= 0; g= UNDEFINED} x = {f= 0; g= UNDEFINED} Execution of main function `record_match_eval_test2` with env: x = {f= 0; g= UNDEFINED} zero = 0 one = 1 Line 26: Normal execution of function `f` with args: arg = {f= 0; g= UNDEFINED} Line 24: Property failure at postcondition of `record_match_eval_test2` with: result = 0 Categorizations of models: - Selected model 0: NC - Concrete RAC: FAILURE (precondition at "bench/check-ce/records_inv.mlw", line 31, characters 9-25) - Abstract RAC: FAILURE (precondition at "bench/check-ce/records_inv.mlw", line 31, characters 9-25) - Checked model 1: NC - Concrete RAC: FAILURE (precondition at "bench/check-ce/records_inv.mlw", line 31, characters 9-25) - Abstract RAC: FAILURE (precondition at "bench/check-ce/records_inv.mlw", line 31, characters 9-25) File "bench/check-ce/records_inv.mlw", line 31, characters 9-25: Sub-goal Precondition of goal record_match_eval_test3'vc. Prover result is: Unknown (sat). The program does not comply to the verification goal, for example during the following execution: File int.mlw: Line 13: Constant zero initialization zero = 0 Line 14: Constant one initialization one = 1 File records_inv.mlw: Line 28: x = {contents= {f= 0; g= false}} x = {contents= {f= 0; g= false}} Execution of main function `record_match_eval_test3` with env: x = {contents= {f= 0; g= false}} zero = 0 one = 1 Line 31: Normal execution of function `(!)` with args: r = {contents= {f= 0; g= false}} File ref.mlw: Line 18: Normal execution of function `contents` with args: arg = {contents= {f= 0; g= false}} File records_inv.mlw: Line 31: Normal execution of function `g` with args: arg = {f= 0; g= false} Normal execution of function `r'mk` with args: f = 6 g = false Property failure at precondition of `r'mk` with: f = 6 File "bench/check-ce/records_inv.mlw", line 29, characters 14-18: Sub-goal Postcondition of goal record_match_eval_test3'vc. Prover result is: Valid. Categorizations of models: - Selected model 0: NC - Concrete RAC: FAILURE (precondition at "bench/check-ce/records_inv.mlw", line 36, characters 9-26) - Abstract RAC: FAILURE (precondition at "bench/check-ce/records_inv.mlw", line 36, characters 9-26) - Checked model 1: NC - Concrete RAC: FAILURE (precondition at "bench/check-ce/records_inv.mlw", line 36, characters 9-26) - Abstract RAC: FAILURE (precondition at "bench/check-ce/records_inv.mlw", line 36, characters 9-26) File "bench/check-ce/records_inv.mlw", line 36, characters 9-26: Sub-goal Precondition of goal record_match_eval_test4'vc. Prover result is: Unknown (sat). The program does not comply to the verification goal, for example during the following execution: File int.mlw: Line 13: Constant zero initialization zero = 0 Line 14: Constant one initialization one = 1 File records_inv.mlw: Line 33: x = {contents= {f= 0; g= false}} x = {contents= {f= 0; g= false}} Execution of main function `record_match_eval_test4` with env: x = {contents= {f= 0; g= false}} zero = 0 one = 1 Line 36: Normal execution of function `(!)` with args: r = {contents= {f= 0; g= false}} File ref.mlw: Line 18: Normal execution of function `contents` with args: arg = {contents= {f= 0; g= false}} File records_inv.mlw: Line 36: Normal execution of function `g` with args: arg = {f= 0; g= false} Normal execution of function `r'mk` with args: f = 6 g = false Property failure at precondition of `r'mk` with: f = 6 File "bench/check-ce/records_inv.mlw", line 34, characters 14-22: Sub-goal Postcondition of goal record_match_eval_test4'vc. Prover result is: Valid. Categorizations of models: - Selected model 0: NC - Concrete RAC: FAILURE (precondition at "bench/check-ce/records_inv.mlw", line 42, characters 9-26) - Abstract RAC: FAILURE (precondition at "bench/check-ce/records_inv.mlw", line 42, characters 9-26) - Checked model 1: NC - Concrete RAC: FAILURE (precondition at "bench/check-ce/records_inv.mlw", line 42, characters 9-26) - Abstract RAC: FAILURE (precondition at "bench/check-ce/records_inv.mlw", line 42, characters 9-26) File "bench/check-ce/records_inv.mlw", line 42, characters 9-26: Sub-goal Precondition of goal record_match_eval_test44'vc. Prover result is: Unknown (sat). The program does not comply to the verification goal, for example during the following execution: File int.mlw: Line 13: Constant zero initialization zero = 0 Line 14: Constant one initialization one = 1 File records_inv.mlw: Line 39: x = {contents= {f= 0; g= false}} x = {contents= {f= 0; g= false}} Execution of main function `record_match_eval_test44` with env: x = {contents= {f= 0; g= false}} zero = 0 one = 1 Line 42: Normal execution of function `(!)` with args: r = {contents= {f= 0; g= false}} File ref.mlw: Line 18: Normal execution of function `contents` with args: arg = {contents= {f= 0; g= false}} File records_inv.mlw: Line 42: Normal execution of function `g` with args: arg = {f= 0; g= false} Normal execution of function `r'mk` with args: f = 6 g = false Property failure at precondition of `r'mk` with: f = 6 File "bench/check-ce/records_inv.mlw", line 43, characters 13-22: Sub-goal Assertion of goal record_match_eval_test44'vc. Prover result is: Valid. File "bench/check-ce/records_inv.mlw", line 40, characters 14-22: Sub-goal Postcondition of goal record_match_eval_test44'vc. Prover result is: Valid. Categorizations of models: - Selected model 0: NC - Concrete RAC: FAILURE (precondition at "bench/check-ce/records_inv.mlw", line 51, characters 9-26) - Abstract RAC: FAILURE (precondition at "bench/check-ce/records_inv.mlw", line 51, characters 9-26) - Checked model 1: NC - Concrete RAC: FAILURE (precondition at "bench/check-ce/records_inv.mlw", line 51, characters 9-26) - Abstract RAC: FAILURE (precondition at "bench/check-ce/records_inv.mlw", line 51, characters 9-26) File "bench/check-ce/records_inv.mlw", line 51, characters 9-26: Sub-goal Precondition of goal test_record_match_eval_test5'vc. Prover result is: Unknown (sat). The program does not comply to the verification goal, for example during the following execution: File int.mlw: Line 13: Constant zero initialization zero = 0 Line 14: Constant one initialization one = 1 File records_inv.mlw: Line 46: re = {contents= {f= 0; g= false}} Line 48: x = {contents= {f= 0; g= false}} x = {contents= {f= 0; g= false}} Execution of main function `test_record_match_eval_test5` with env: re = {contents= {f= 0; g= false}} x = {contents= {f= 0; g= false}} zero = 0 one = 1 Line 51: Normal execution of function `(!)` with args: r = {contents= {f= 0; g= false}} File ref.mlw: Line 18: Normal execution of function `contents` with args: arg = {contents= {f= 0; g= false}} File records_inv.mlw: Line 51: Normal execution of function `g` with args: arg = {f= 0; g= false} Normal execution of function `r'mk` with args: f = 6 g = false Property failure at precondition of `r'mk` with: f = 6 File "bench/check-ce/records_inv.mlw", line 49, characters 14-26: Sub-goal Postcondition of goal test_record_match_eval_test5'vc. Prover result is: Valid. Categorizations of models: - Selected model 0: NC - Concrete RAC: FAILURE (postcondition at "bench/check-ce/records_inv.mlw", line 66, characters 14-24) - Abstract RAC: FAILURE (postcondition at "bench/check-ce/records_inv.mlw", line 66, characters 14-24) - Checked model 1: NC - Concrete RAC: FAILURE (postcondition at "bench/check-ce/records_inv.mlw", line 66, characters 14-24) - Abstract RAC: FAILURE (postcondition at "bench/check-ce/records_inv.mlw", line 66, characters 14-24) File "bench/check-ce/records_inv.mlw", line 66, characters 14-24: Sub-goal Postcondition of goal record_match_eval_test1'vc. Prover result is: Unknown (sat). The program does not comply to the verification goal, for example during the following execution: File int.mlw: Line 13: Constant zero initialization zero = 0 Line 14: Constant one initialization one = 1 File records_inv.mlw: Line 65: x = {f1= 2; g1= true} x = {f1= 2; g1= true} Execution of main function `record_match_eval_test1` with env: x = {f1= 2; g1= true} zero = 0 one = 1 Line 68: Normal execution of function `g` with args: arg = {f1= 2; g1= true} Line 69: Normal execution of function `f` with args: arg = {f1= 2; g1= true} Line 66: Property failure at postcondition of `record_match_eval_test11` with: result = 2 Categorizations of models: - Selected model 0: NC - Concrete RAC: FAILURE (postcondition at "bench/check-ce/records_inv.mlw", line 74, characters 14-24) - Abstract RAC: FAILURE (postcondition at "bench/check-ce/records_inv.mlw", line 74, characters 14-24) - Checked model 1: NC - Concrete RAC: FAILURE (postcondition at "bench/check-ce/records_inv.mlw", line 74, characters 14-24) - Abstract RAC: FAILURE (postcondition at "bench/check-ce/records_inv.mlw", line 74, characters 14-24) File "bench/check-ce/records_inv.mlw", line 74, characters 14-24: Sub-goal Postcondition of goal record_match_eval_test2'vc. Prover result is: Unknown (sat). The program does not comply to the verification goal, for example during the following execution: File int.mlw: Line 13: Constant zero initialization zero = 0 Line 14: Constant one initialization one = 1 File records_inv.mlw: Line 73: x = {f1= 2; g1= false} x = {f1= 2; g1= false} Execution of main function `record_match_eval_test2` with env: x = {f1= 2; g1= false} zero = 0 one = 1 Line 76: Normal execution of function `f` with args: arg = {f1= 2; g1= false} Line 74: Property failure at postcondition of `record_match_eval_test21` with: result = 2 Categorizations of models: - Selected model 0: NC - Concrete RAC: FAILURE (postcondition at "bench/check-ce/records_inv.mlw", line 79, characters 14-17) - Abstract RAC: FAILURE (postcondition at "bench/check-ce/records_inv.mlw", line 79, characters 14-17) - Checked model 1: NC - Concrete RAC: FAILURE (postcondition at "bench/check-ce/records_inv.mlw", line 79, characters 14-17) - Abstract RAC: FAILURE (postcondition at "bench/check-ce/records_inv.mlw", line 79, characters 14-17) File "bench/check-ce/records_inv.mlw", line 79, characters 14-17: Sub-goal Postcondition of goal record_match_eval_test3'vc. Prover result is: Unknown (sat). The program does not comply to the verification goal, for example during the following execution: File int.mlw: Line 13: Constant zero initialization zero = 0 Line 14: Constant one initialization one = 1 File records_inv.mlw: Line 78: x = {f1= 2; g1= false} x = {f1= 2; g1= false} Execution of main function `record_match_eval_test3` with env: x = {f1= 2; g1= false} zero = 0 one = 1 Line 79: Property failure at postcondition of `record_match_eval_test31` with: True = UNDEFINED x = {f1= 6; g1= false} Categorizations of models: - Selected model 0: NC - Concrete RAC: FAILURE (postcondition at "bench/check-ce/records_inv.mlw", line 84, characters 14-22) - Abstract RAC: FAILURE (postcondition at "bench/check-ce/records_inv.mlw", line 84, characters 14-22) - Checked model 1: NC - Concrete RAC: FAILURE (postcondition at "bench/check-ce/records_inv.mlw", line 84, characters 14-22) - Abstract RAC: FAILURE (postcondition at "bench/check-ce/records_inv.mlw", line 84, characters 14-22) File "bench/check-ce/records_inv.mlw", line 84, characters 14-22: Sub-goal Postcondition of goal record_match_eval_test4'vc. Prover result is: Unknown (sat). The program does not comply to the verification goal, for example during the following execution: File int.mlw: Line 13: Constant zero initialization zero = 0 Line 14: Constant one initialization one = 1 File records_inv.mlw: Line 83: x = {f1= 2; g1= false} x = {f1= 2; g1= false} Execution of main function `record_match_eval_test4` with env: x = {f1= 2; g1= false} zero = 0 one = 1 Line 84: Property failure at postcondition of `record_match_eval_test41` with: True = UNDEFINED result = {f1= 6; g1= false} why3-1.6.0/bench/check-ce/oracles/records_label_CVC4,1.8_SP.oracle000066400000000000000000000076211440160026300242360ustar00rootroot00000000000000Categorizations of models: - Selected model 0: NC - Concrete RAC: FAILURE (postcondition at "bench/check-ce/records_label.mlw", line 12, characters 14-35) - Abstract RAC: FAILURE (postcondition at "bench/check-ce/records_label.mlw", line 12, characters 14-35) - Checked model 1: NC - Concrete RAC: FAILURE (postcondition at "bench/check-ce/records_label.mlw", line 12, characters 14-35) - Abstract RAC: FAILURE (postcondition at "bench/check-ce/records_label.mlw", line 12, characters 14-35) File "bench/check-ce/records_label.mlw", line 12, characters 14-35: Sub-goal Postcondition of goal record_old_test1'vc. Prover result is: Unknown (sat). The program does not comply to the verification goal, for example during the following execution: File int.mlw: Line 13: Constant zero initialization zero = 0 Line 14: Constant one initialization one = 1 File records_label.mlw: Line 9: y = {f= 0; g= false} Line 11: x = {f= 0; g= false} x = {f= 0; g= false} Execution of main function `record_old_test1` with env: y = {f= 0; g= false} x = {f= 0; g= false} zero = 0 one = 1 Line 12: Property failure at postcondition of `record_old_test1` with: x = {f= 6; g= false} x = {f= 0; g= false} y = {f= 0; g= false} Categorizations of models: - Selected model 0: NC - Concrete RAC: FAILURE (assertion at "bench/check-ce/records_label.mlw", line 22, characters 13-58) - Abstract RAC: FAILURE (assertion at "bench/check-ce/records_label.mlw", line 22, characters 13-58) - Checked model 1: NC - Concrete RAC: FAILURE (assertion at "bench/check-ce/records_label.mlw", line 22, characters 13-58) - Abstract RAC: FAILURE (assertion at "bench/check-ce/records_label.mlw", line 22, characters 13-58) File "bench/check-ce/records_label.mlw", line 22, characters 13-58: Sub-goal Assertion of goal record_at_test2'vc. Prover result is: Unknown (sat). The program does not comply to the verification goal, for example during the following execution: File int.mlw: Line 13: Constant zero initialization zero = 0 Line 14: Constant one initialization one = 1 File records_label.mlw: Line 9: y = {f= 0; g= false} Line 16: x = {f= 0; g= false} x = {f= 0; g= false} Execution of main function `record_at_test2` with env: y = {f= 0; g= false} x = {f= 0; g= false} zero = 0 one = 1 Line 22: Property failure at assertion with: y = {f= 0; g= false} x = {f= 12; g= false} x = r'mk 0 False x = r'mk 6 False Categorizations of models: - Selected model 0: NC - Concrete RAC: FAILURE (assertion at "bench/check-ce/records_label.mlw", line 30, characters 13-37) - Abstract RAC: FAILURE (assertion at "bench/check-ce/records_label.mlw", line 30, characters 13-37) - Checked model 1: NC - Concrete RAC: FAILURE (assertion at "bench/check-ce/records_label.mlw", line 30, characters 13-37) - Abstract RAC: FAILURE (assertion at "bench/check-ce/records_label.mlw", line 30, characters 13-37) File "bench/check-ce/records_label.mlw", line 30, characters 13-37: Sub-goal Assertion of goal several_hats'vc. Prover result is: Unknown (sat). The program does not comply to the verification goal, for example during the following execution: File int.mlw: Line 13: Constant zero initialization zero = 0 Line 14: Constant one initialization one = 1 File records_label.mlw: Line 9: Constant y initialization (giant-step) execution of unimplemented function with args: result = {f= 0; g= false} y = {f= 0; g= false} Line 24: x = {f= 0; g= false} x = {f= 0; g= false} Execution of main function `several_hats` with env: y = {f= 0; g= false} x = {f= 0; g= false} zero = 0 one = 1 Line 30: Property failure at assertion with: x = r'mk 0 False x = r'mk 0 False why3-1.6.0/bench/check-ce/oracles/records_label_CVC4,1.8_WP.oracle000066400000000000000000000076211440160026300242420ustar00rootroot00000000000000Categorizations of models: - Selected model 0: NC - Concrete RAC: FAILURE (postcondition at "bench/check-ce/records_label.mlw", line 12, characters 14-35) - Abstract RAC: FAILURE (postcondition at "bench/check-ce/records_label.mlw", line 12, characters 14-35) - Checked model 1: NC - Concrete RAC: FAILURE (postcondition at "bench/check-ce/records_label.mlw", line 12, characters 14-35) - Abstract RAC: FAILURE (postcondition at "bench/check-ce/records_label.mlw", line 12, characters 14-35) File "bench/check-ce/records_label.mlw", line 12, characters 14-35: Sub-goal Postcondition of goal record_old_test1'vc. Prover result is: Unknown (sat). The program does not comply to the verification goal, for example during the following execution: File int.mlw: Line 13: Constant zero initialization zero = 0 Line 14: Constant one initialization one = 1 File records_label.mlw: Line 9: y = {f= 0; g= false} Line 11: x = {f= 0; g= false} x = {f= 0; g= false} Execution of main function `record_old_test1` with env: y = {f= 0; g= false} x = {f= 0; g= false} zero = 0 one = 1 Line 12: Property failure at postcondition of `record_old_test1` with: x = {f= 6; g= false} x = {f= 0; g= false} y = {f= 0; g= false} Categorizations of models: - Selected model 0: NC - Concrete RAC: FAILURE (assertion at "bench/check-ce/records_label.mlw", line 22, characters 13-58) - Abstract RAC: FAILURE (assertion at "bench/check-ce/records_label.mlw", line 22, characters 13-58) - Checked model 1: NC - Concrete RAC: FAILURE (assertion at "bench/check-ce/records_label.mlw", line 22, characters 13-58) - Abstract RAC: FAILURE (assertion at "bench/check-ce/records_label.mlw", line 22, characters 13-58) File "bench/check-ce/records_label.mlw", line 22, characters 13-58: Sub-goal Assertion of goal record_at_test2'vc. Prover result is: Unknown (sat). The program does not comply to the verification goal, for example during the following execution: File int.mlw: Line 13: Constant zero initialization zero = 0 Line 14: Constant one initialization one = 1 File records_label.mlw: Line 9: y = {f= 0; g= false} Line 16: x = {f= 0; g= false} x = {f= 0; g= false} Execution of main function `record_at_test2` with env: y = {f= 0; g= false} x = {f= 0; g= false} zero = 0 one = 1 Line 22: Property failure at assertion with: y = {f= 0; g= false} x = {f= 12; g= false} x = r'mk 0 False x = r'mk 6 False Categorizations of models: - Selected model 0: NC - Concrete RAC: FAILURE (assertion at "bench/check-ce/records_label.mlw", line 30, characters 13-37) - Abstract RAC: FAILURE (assertion at "bench/check-ce/records_label.mlw", line 30, characters 13-37) - Checked model 1: NC - Concrete RAC: FAILURE (assertion at "bench/check-ce/records_label.mlw", line 30, characters 13-37) - Abstract RAC: FAILURE (assertion at "bench/check-ce/records_label.mlw", line 30, characters 13-37) File "bench/check-ce/records_label.mlw", line 30, characters 13-37: Sub-goal Assertion of goal several_hats'vc. Prover result is: Unknown (sat). The program does not comply to the verification goal, for example during the following execution: File int.mlw: Line 13: Constant zero initialization zero = 0 Line 14: Constant one initialization one = 1 File records_label.mlw: Line 9: Constant y initialization (giant-step) execution of unimplemented function with args: result = {f= 0; g= false} y = {f= 0; g= false} Line 24: x = {f= 0; g= false} x = {f= 0; g= false} Execution of main function `several_hats` with env: y = {f= 0; g= false} x = {f= 0; g= false} zero = 0 one = 1 Line 30: Property failure at assertion with: x = r'mk 0 False x = r'mk 0 False why3-1.6.0/bench/check-ce/oracles/records_label_CVC5,1.0.0_SP.oracle000066400000000000000000000076001440160026300243620ustar00rootroot00000000000000Categorizations of models: - Selected model 0: NC - Concrete RAC: FAILURE (postcondition at "bench/check-ce/records_label.mlw", line 12, characters 14-35) - Abstract RAC: FAILURE (postcondition at "bench/check-ce/records_label.mlw", line 12, characters 14-35) - Checked model 1: NC - Concrete RAC: FAILURE (postcondition at "bench/check-ce/records_label.mlw", line 12, characters 14-35) - Abstract RAC: FAILURE (postcondition at "bench/check-ce/records_label.mlw", line 12, characters 14-35) File "bench/check-ce/records_label.mlw", line 12, characters 14-35: Sub-goal Postcondition of goal record_old_test1'vc. Prover result is: Unknown (sat). The program does not comply to the verification goal, for example during the following execution: File int.mlw: Line 13: Constant zero initialization zero = 0 Line 14: Constant one initialization one = 1 File records_label.mlw: Line 9: y = {f= 0; g= true} Line 11: x = {f= 0; g= true} x = {f= 0; g= true} Execution of main function `record_old_test1` with env: y = {f= 0; g= true} x = {f= 0; g= true} zero = 0 one = 1 Line 12: Property failure at postcondition of `record_old_test1` with: x = {f= 6; g= true} x = {f= 0; g= true} y = {f= 0; g= true} Categorizations of models: - Selected model 0: NC - Concrete RAC: FAILURE (assertion at "bench/check-ce/records_label.mlw", line 22, characters 13-58) - Abstract RAC: FAILURE (assertion at "bench/check-ce/records_label.mlw", line 22, characters 13-58) - Checked model 1: NC - Concrete RAC: FAILURE (assertion at "bench/check-ce/records_label.mlw", line 22, characters 13-58) - Abstract RAC: FAILURE (assertion at "bench/check-ce/records_label.mlw", line 22, characters 13-58) File "bench/check-ce/records_label.mlw", line 22, characters 13-58: Sub-goal Assertion of goal record_at_test2'vc. Prover result is: Unknown (sat). The program does not comply to the verification goal, for example during the following execution: File int.mlw: Line 13: Constant zero initialization zero = 0 Line 14: Constant one initialization one = 1 File records_label.mlw: Line 9: y = {f= 0; g= true} Line 16: x = {f= 0; g= true} x = {f= 0; g= true} Execution of main function `record_at_test2` with env: y = {f= 0; g= true} x = {f= 0; g= true} zero = 0 one = 1 Line 22: Property failure at assertion with: y = {f= 0; g= true} x = {f= 12; g= true} x = r'mk 0 True x = r'mk 6 True Categorizations of models: - Selected model 0: NC - Concrete RAC: FAILURE (assertion at "bench/check-ce/records_label.mlw", line 30, characters 13-37) - Abstract RAC: FAILURE (assertion at "bench/check-ce/records_label.mlw", line 30, characters 13-37) - Checked model 1: NC - Concrete RAC: FAILURE (assertion at "bench/check-ce/records_label.mlw", line 30, characters 13-37) - Abstract RAC: FAILURE (assertion at "bench/check-ce/records_label.mlw", line 30, characters 13-37) File "bench/check-ce/records_label.mlw", line 30, characters 13-37: Sub-goal Assertion of goal several_hats'vc. Prover result is: Unknown (sat). The program does not comply to the verification goal, for example during the following execution: File int.mlw: Line 13: Constant zero initialization zero = 0 Line 14: Constant one initialization one = 1 File records_label.mlw: Line 9: Constant y initialization (giant-step) execution of unimplemented function with args: result = {f= 0; g= false} y = {f= 0; g= false} Line 24: x = {f= 0; g= false} x = {f= 0; g= false} Execution of main function `several_hats` with env: y = {f= 0; g= false} x = {f= 0; g= false} zero = 0 one = 1 Line 30: Property failure at assertion with: x = r'mk 0 False x = r'mk 0 False why3-1.6.0/bench/check-ce/oracles/records_label_CVC5,1.0.0_WP.oracle000066400000000000000000000076001440160026300243660ustar00rootroot00000000000000Categorizations of models: - Selected model 0: NC - Concrete RAC: FAILURE (postcondition at "bench/check-ce/records_label.mlw", line 12, characters 14-35) - Abstract RAC: FAILURE (postcondition at "bench/check-ce/records_label.mlw", line 12, characters 14-35) - Checked model 1: NC - Concrete RAC: FAILURE (postcondition at "bench/check-ce/records_label.mlw", line 12, characters 14-35) - Abstract RAC: FAILURE (postcondition at "bench/check-ce/records_label.mlw", line 12, characters 14-35) File "bench/check-ce/records_label.mlw", line 12, characters 14-35: Sub-goal Postcondition of goal record_old_test1'vc. Prover result is: Unknown (sat). The program does not comply to the verification goal, for example during the following execution: File int.mlw: Line 13: Constant zero initialization zero = 0 Line 14: Constant one initialization one = 1 File records_label.mlw: Line 9: y = {f= 0; g= true} Line 11: x = {f= 0; g= true} x = {f= 0; g= true} Execution of main function `record_old_test1` with env: y = {f= 0; g= true} x = {f= 0; g= true} zero = 0 one = 1 Line 12: Property failure at postcondition of `record_old_test1` with: x = {f= 6; g= true} x = {f= 0; g= true} y = {f= 0; g= true} Categorizations of models: - Selected model 0: NC - Concrete RAC: FAILURE (assertion at "bench/check-ce/records_label.mlw", line 22, characters 13-58) - Abstract RAC: FAILURE (assertion at "bench/check-ce/records_label.mlw", line 22, characters 13-58) - Checked model 1: NC - Concrete RAC: FAILURE (assertion at "bench/check-ce/records_label.mlw", line 22, characters 13-58) - Abstract RAC: FAILURE (assertion at "bench/check-ce/records_label.mlw", line 22, characters 13-58) File "bench/check-ce/records_label.mlw", line 22, characters 13-58: Sub-goal Assertion of goal record_at_test2'vc. Prover result is: Unknown (sat). The program does not comply to the verification goal, for example during the following execution: File int.mlw: Line 13: Constant zero initialization zero = 0 Line 14: Constant one initialization one = 1 File records_label.mlw: Line 9: y = {f= 0; g= true} Line 16: x = {f= 0; g= true} x = {f= 0; g= true} Execution of main function `record_at_test2` with env: y = {f= 0; g= true} x = {f= 0; g= true} zero = 0 one = 1 Line 22: Property failure at assertion with: y = {f= 0; g= true} x = {f= 12; g= true} x = r'mk 0 True x = r'mk 6 True Categorizations of models: - Selected model 0: NC - Concrete RAC: FAILURE (assertion at "bench/check-ce/records_label.mlw", line 30, characters 13-37) - Abstract RAC: FAILURE (assertion at "bench/check-ce/records_label.mlw", line 30, characters 13-37) - Checked model 1: NC - Concrete RAC: FAILURE (assertion at "bench/check-ce/records_label.mlw", line 30, characters 13-37) - Abstract RAC: FAILURE (assertion at "bench/check-ce/records_label.mlw", line 30, characters 13-37) File "bench/check-ce/records_label.mlw", line 30, characters 13-37: Sub-goal Assertion of goal several_hats'vc. Prover result is: Unknown (sat). The program does not comply to the verification goal, for example during the following execution: File int.mlw: Line 13: Constant zero initialization zero = 0 Line 14: Constant one initialization one = 1 File records_label.mlw: Line 9: Constant y initialization (giant-step) execution of unimplemented function with args: result = {f= 0; g= false} y = {f= 0; g= false} Line 24: x = {f= 0; g= false} x = {f= 0; g= false} Execution of main function `several_hats` with env: y = {f= 0; g= false} x = {f= 0; g= false} zero = 0 one = 1 Line 30: Property failure at assertion with: x = r'mk 0 False x = r'mk 0 False why3-1.6.0/bench/check-ce/oracles/records_label_Z3,4.8.10_SP.oracle000066400000000000000000000077011440160026300242540ustar00rootroot00000000000000Categorizations of models: - Selected model 0: NC - Concrete RAC: FAILURE (postcondition at "bench/check-ce/records_label.mlw", line 12, characters 14-35) - Abstract RAC: FAILURE (postcondition at "bench/check-ce/records_label.mlw", line 12, characters 14-35) - Checked model 1: NC - Concrete RAC: FAILURE (postcondition at "bench/check-ce/records_label.mlw", line 12, characters 14-35) - Abstract RAC: FAILURE (postcondition at "bench/check-ce/records_label.mlw", line 12, characters 14-35) File "bench/check-ce/records_label.mlw", line 12, characters 14-35: Sub-goal Postcondition of goal record_old_test1'vc. Prover result is: Unknown (sat). The program does not comply to the verification goal, for example during the following execution: File int.mlw: Line 13: Constant zero initialization zero = 0 Line 14: Constant one initialization one = 1 File records_label.mlw: Line 9: y = {f= 0; g= false} Line 11: x = {f= (- 175); g= false} x = {f= (- 175); g= false} Execution of main function `record_old_test1` with env: y = {f= 0; g= false} x = {f= (- 175); g= false} zero = 0 one = 1 Line 12: Property failure at postcondition of `record_old_test1` with: x = {f= 6; g= false} x = {f= (- 175); g= false} y = {f= 0; g= false} Categorizations of models: - Selected model 0: NC - Concrete RAC: FAILURE (assertion at "bench/check-ce/records_label.mlw", line 22, characters 13-58) - Abstract RAC: FAILURE (assertion at "bench/check-ce/records_label.mlw", line 22, characters 13-58) - Checked model 1: NC - Concrete RAC: FAILURE (assertion at "bench/check-ce/records_label.mlw", line 22, characters 13-58) - Abstract RAC: FAILURE (assertion at "bench/check-ce/records_label.mlw", line 22, characters 13-58) File "bench/check-ce/records_label.mlw", line 22, characters 13-58: Sub-goal Assertion of goal record_at_test2'vc. Prover result is: Unknown (sat). The program does not comply to the verification goal, for example during the following execution: File int.mlw: Line 13: Constant zero initialization zero = 0 Line 14: Constant one initialization one = 1 File records_label.mlw: Line 9: y = {f= 0; g= false} Line 16: x = {f= (- 175); g= false} x = {f= (- 175); g= false} Execution of main function `record_at_test2` with env: y = {f= 0; g= false} x = {f= (- 175); g= false} zero = 0 one = 1 Line 22: Property failure at assertion with: y = {f= 0; g= false} x = {f= 12; g= false} x = r'mk (- 175) False x = r'mk 6 False Categorizations of models: - Selected model 0: NC - Concrete RAC: FAILURE (assertion at "bench/check-ce/records_label.mlw", line 30, characters 13-37) - Abstract RAC: FAILURE (assertion at "bench/check-ce/records_label.mlw", line 30, characters 13-37) - Checked model 1: NC - Concrete RAC: FAILURE (assertion at "bench/check-ce/records_label.mlw", line 30, characters 13-37) - Abstract RAC: FAILURE (assertion at "bench/check-ce/records_label.mlw", line 30, characters 13-37) File "bench/check-ce/records_label.mlw", line 30, characters 13-37: Sub-goal Assertion of goal several_hats'vc. Prover result is: Unknown (sat). The program does not comply to the verification goal, for example during the following execution: File int.mlw: Line 13: Constant zero initialization zero = 0 Line 14: Constant one initialization one = 1 File records_label.mlw: Line 9: Constant y initialization (giant-step) execution of unimplemented function with args: result = {f= 0; g= false} y = {f= 0; g= false} Line 24: x = {f= 1; g= false} x = {f= 1; g= false} Execution of main function `several_hats` with env: y = {f= 0; g= false} x = {f= 1; g= false} zero = 0 one = 1 Line 30: Property failure at assertion with: x = r'mk 1 False x = r'mk 1 False why3-1.6.0/bench/check-ce/oracles/records_label_Z3,4.8.10_WP.oracle000066400000000000000000000077011440160026300242600ustar00rootroot00000000000000Categorizations of models: - Selected model 0: NC - Concrete RAC: FAILURE (postcondition at "bench/check-ce/records_label.mlw", line 12, characters 14-35) - Abstract RAC: FAILURE (postcondition at "bench/check-ce/records_label.mlw", line 12, characters 14-35) - Checked model 1: NC - Concrete RAC: FAILURE (postcondition at "bench/check-ce/records_label.mlw", line 12, characters 14-35) - Abstract RAC: FAILURE (postcondition at "bench/check-ce/records_label.mlw", line 12, characters 14-35) File "bench/check-ce/records_label.mlw", line 12, characters 14-35: Sub-goal Postcondition of goal record_old_test1'vc. Prover result is: Unknown (sat). The program does not comply to the verification goal, for example during the following execution: File int.mlw: Line 13: Constant zero initialization zero = 0 Line 14: Constant one initialization one = 1 File records_label.mlw: Line 9: y = {f= 0; g= false} Line 11: x = {f= (- 175); g= false} x = {f= (- 175); g= false} Execution of main function `record_old_test1` with env: y = {f= 0; g= false} x = {f= (- 175); g= false} zero = 0 one = 1 Line 12: Property failure at postcondition of `record_old_test1` with: x = {f= 6; g= false} x = {f= (- 175); g= false} y = {f= 0; g= false} Categorizations of models: - Selected model 0: NC - Concrete RAC: FAILURE (assertion at "bench/check-ce/records_label.mlw", line 22, characters 13-58) - Abstract RAC: FAILURE (assertion at "bench/check-ce/records_label.mlw", line 22, characters 13-58) - Checked model 1: NC - Concrete RAC: FAILURE (assertion at "bench/check-ce/records_label.mlw", line 22, characters 13-58) - Abstract RAC: FAILURE (assertion at "bench/check-ce/records_label.mlw", line 22, characters 13-58) File "bench/check-ce/records_label.mlw", line 22, characters 13-58: Sub-goal Assertion of goal record_at_test2'vc. Prover result is: Unknown (sat). The program does not comply to the verification goal, for example during the following execution: File int.mlw: Line 13: Constant zero initialization zero = 0 Line 14: Constant one initialization one = 1 File records_label.mlw: Line 9: y = {f= 0; g= false} Line 16: x = {f= (- 175); g= false} x = {f= (- 175); g= false} Execution of main function `record_at_test2` with env: y = {f= 0; g= false} x = {f= (- 175); g= false} zero = 0 one = 1 Line 22: Property failure at assertion with: y = {f= 0; g= false} x = {f= 12; g= false} x = r'mk (- 175) False x = r'mk 6 False Categorizations of models: - Selected model 0: NC - Concrete RAC: FAILURE (assertion at "bench/check-ce/records_label.mlw", line 30, characters 13-37) - Abstract RAC: FAILURE (assertion at "bench/check-ce/records_label.mlw", line 30, characters 13-37) - Checked model 1: NC - Concrete RAC: FAILURE (assertion at "bench/check-ce/records_label.mlw", line 30, characters 13-37) - Abstract RAC: FAILURE (assertion at "bench/check-ce/records_label.mlw", line 30, characters 13-37) File "bench/check-ce/records_label.mlw", line 30, characters 13-37: Sub-goal Assertion of goal several_hats'vc. Prover result is: Unknown (sat). The program does not comply to the verification goal, for example during the following execution: File int.mlw: Line 13: Constant zero initialization zero = 0 Line 14: Constant one initialization one = 1 File records_label.mlw: Line 9: Constant y initialization (giant-step) execution of unimplemented function with args: result = {f= 0; g= false} y = {f= 0; g= false} Line 24: x = {f= 1; g= false} x = {f= 1; g= false} Execution of main function `several_hats` with env: y = {f= 0; g= false} x = {f= 1; g= false} zero = 0 one = 1 Line 30: Property failure at assertion with: x = r'mk 1 False x = r'mk 1 False why3-1.6.0/bench/check-ce/oracles/recursive_model_CVC4,1.8_SP.oracle000066400000000000000000000006441440160026300246230ustar00rootroot00000000000000Categorizations of models: - Checked model 0: BAD_CE - Concrete RAC: NORMAL - Abstract RAC: NORMAL - Selected model 1: BAD_CE - Concrete RAC: NORMAL - Abstract RAC: NORMAL File "bench/check-ce/recursive_model.mlw", line 11, characters 21-26: Sub-goal Assertion of goal test'vc. Prover result is: Unknown or time/memory/step limit. Sorry, we don't have a good counterexample for you :( why3-1.6.0/bench/check-ce/oracles/recursive_model_CVC4,1.8_WP.oracle000066400000000000000000000006441440160026300246270ustar00rootroot00000000000000Categorizations of models: - Checked model 0: BAD_CE - Concrete RAC: NORMAL - Abstract RAC: NORMAL - Selected model 1: BAD_CE - Concrete RAC: NORMAL - Abstract RAC: NORMAL File "bench/check-ce/recursive_model.mlw", line 11, characters 21-26: Sub-goal Assertion of goal test'vc. Prover result is: Unknown or time/memory/step limit. Sorry, we don't have a good counterexample for you :( why3-1.6.0/bench/check-ce/oracles/recursive_model_CVC5,1.0.0_SP.oracle000066400000000000000000000024221440160026300247460ustar00rootroot00000000000000Categorizations of models: - Selected model 0: NC - Concrete RAC: FAILURE (assertion at "bench/check-ce/recursive_model.mlw", line 10, character 6 to line 11, character 26) - Abstract RAC: FAILURE (assertion at "bench/check-ce/recursive_model.mlw", line 10, character 6 to line 11, character 26) - Checked model 1: NC - Concrete RAC: FAILURE (assertion at "bench/check-ce/recursive_model.mlw", line 10, character 6 to line 11, character 26) - Abstract RAC: FAILURE (assertion at "bench/check-ce/recursive_model.mlw", line 10, character 6 to line 11, character 26) File "bench/check-ce/recursive_model.mlw", line 11, characters 21-26: Sub-goal Assertion of goal test'vc. Prover result is: Unknown or time/memory/step limit. The program does not comply to the verification goal, for example during the following execution: File int.mlw: Line 13: Constant zero initialization zero = 0 Line 14: Constant one initialization one = 1 File recursive_model.mlw: Line 6: global = (S Z) Line 8: i = (- 1) i = (- 1) Execution of main function `test` with env: global = (S Z) i = (- 1) zero = 0 one = 1 Line 10: Property failure at assertion with: Z = UNDEFINED global = (S Z) i = (- 1) why3-1.6.0/bench/check-ce/oracles/recursive_model_CVC5,1.0.0_WP.oracle000066400000000000000000000024221440160026300247520ustar00rootroot00000000000000Categorizations of models: - Selected model 0: NC - Concrete RAC: FAILURE (assertion at "bench/check-ce/recursive_model.mlw", line 10, character 6 to line 11, character 26) - Abstract RAC: FAILURE (assertion at "bench/check-ce/recursive_model.mlw", line 10, character 6 to line 11, character 26) - Checked model 1: NC - Concrete RAC: FAILURE (assertion at "bench/check-ce/recursive_model.mlw", line 10, character 6 to line 11, character 26) - Abstract RAC: FAILURE (assertion at "bench/check-ce/recursive_model.mlw", line 10, character 6 to line 11, character 26) File "bench/check-ce/recursive_model.mlw", line 11, characters 21-26: Sub-goal Assertion of goal test'vc. Prover result is: Unknown or time/memory/step limit. The program does not comply to the verification goal, for example during the following execution: File int.mlw: Line 13: Constant zero initialization zero = 0 Line 14: Constant one initialization one = 1 File recursive_model.mlw: Line 6: global = (S Z) Line 8: i = (- 1) i = (- 1) Execution of main function `test` with env: global = (S Z) i = (- 1) zero = 0 one = 1 Line 10: Property failure at assertion with: Z = UNDEFINED global = (S Z) i = (- 1) why3-1.6.0/bench/check-ce/oracles/recursive_model_Z3,4.8.10_SP.oracle000066400000000000000000000020761440160026300246430ustar00rootroot00000000000000Categorizations of models: - Selected model 0: NC - Concrete RAC: FAILURE (assertion at "bench/check-ce/recursive_model.mlw", line 10, character 6 to line 11, character 26) - Abstract RAC: FAILURE (assertion at "bench/check-ce/recursive_model.mlw", line 10, character 6 to line 11, character 26) - Checked model 1: BAD_CE - Concrete RAC: NORMAL - Abstract RAC: NORMAL File "bench/check-ce/recursive_model.mlw", line 11, characters 21-26: Sub-goal Assertion of goal test'vc. Prover result is: Unknown or time/memory/step limit. The program does not comply to the verification goal, for example during the following execution: File int.mlw: Line 13: Constant zero initialization zero = 0 Line 14: Constant one initialization one = 1 File recursive_model.mlw: Line 6: global = (S Z) Line 8: i = 2 i = 2 Execution of main function `test` with env: global = (S Z) i = 2 zero = 0 one = 1 Line 10: Property failure at assertion with: Z = UNDEFINED global = (S Z) i = 2 why3-1.6.0/bench/check-ce/oracles/recursive_model_Z3,4.8.10_WP.oracle000066400000000000000000000020761440160026300246470ustar00rootroot00000000000000Categorizations of models: - Selected model 0: NC - Concrete RAC: FAILURE (assertion at "bench/check-ce/recursive_model.mlw", line 10, character 6 to line 11, character 26) - Abstract RAC: FAILURE (assertion at "bench/check-ce/recursive_model.mlw", line 10, character 6 to line 11, character 26) - Checked model 1: BAD_CE - Concrete RAC: NORMAL - Abstract RAC: NORMAL File "bench/check-ce/recursive_model.mlw", line 11, characters 21-26: Sub-goal Assertion of goal test'vc. Prover result is: Unknown or time/memory/step limit. The program does not comply to the verification goal, for example during the following execution: File int.mlw: Line 13: Constant zero initialization zero = 0 Line 14: Constant one initialization one = 1 File recursive_model.mlw: Line 6: global = (S Z) Line 8: i = 2 i = 2 Execution of main function `test` with env: global = (S Z) i = 2 zero = 0 one = 1 Line 10: Property failure at assertion with: Z = UNDEFINED global = (S Z) i = 2 why3-1.6.0/bench/check-ce/oracles/ref1_CVC4,1.8_SP.oracle000066400000000000000000000016211440160026300222650ustar00rootroot00000000000000Warning, file "bench/check-ce/ref1.mlw", line 5, characters 6-7: unused variable x Categorizations of models: - Selected model 0: NC - Concrete RAC: FAILURE (assertion at "bench/check-ce/ref1.mlw", line 6, characters 11-16) - Abstract RAC: FAILURE (assertion at "bench/check-ce/ref1.mlw", line 6, characters 11-16) File "bench/check-ce/ref1.mlw", line 6, characters 11-16: Sub-goal Assertion of goal f'vc. Prover result is: Unknown or time/memory/step limit. The program does not comply to the verification goal, for example during the following execution: Unknown location: _ = () File ref1.mlw: Line 4: _ = () Execution of main function `f` with env: _ = () Line 5: Normal execution of function `ref` with args: contents = 1 Normal execution of function `ref'mk` with args: contents = 1 Line 6: Property failure at assertion with: why3-1.6.0/bench/check-ce/oracles/ref1_CVC4,1.8_WP.oracle000066400000000000000000000016211440160026300222710ustar00rootroot00000000000000Warning, file "bench/check-ce/ref1.mlw", line 5, characters 6-7: unused variable x Categorizations of models: - Selected model 0: NC - Concrete RAC: FAILURE (assertion at "bench/check-ce/ref1.mlw", line 6, characters 11-16) - Abstract RAC: FAILURE (assertion at "bench/check-ce/ref1.mlw", line 6, characters 11-16) File "bench/check-ce/ref1.mlw", line 6, characters 11-16: Sub-goal Assertion of goal f'vc. Prover result is: Unknown or time/memory/step limit. The program does not comply to the verification goal, for example during the following execution: Unknown location: _ = () File ref1.mlw: Line 4: _ = () Execution of main function `f` with env: _ = () Line 5: Normal execution of function `ref` with args: contents = 1 Normal execution of function `ref'mk` with args: contents = 1 Line 6: Property failure at assertion with: why3-1.6.0/bench/check-ce/oracles/ref1_CVC5,1.0.0_SP.oracle000066400000000000000000000016211440160026300224140ustar00rootroot00000000000000Warning, file "bench/check-ce/ref1.mlw", line 5, characters 6-7: unused variable x Categorizations of models: - Selected model 0: NC - Concrete RAC: FAILURE (assertion at "bench/check-ce/ref1.mlw", line 6, characters 11-16) - Abstract RAC: FAILURE (assertion at "bench/check-ce/ref1.mlw", line 6, characters 11-16) File "bench/check-ce/ref1.mlw", line 6, characters 11-16: Sub-goal Assertion of goal f'vc. Prover result is: Unknown or time/memory/step limit. The program does not comply to the verification goal, for example during the following execution: Unknown location: _ = () File ref1.mlw: Line 4: _ = () Execution of main function `f` with env: _ = () Line 5: Normal execution of function `ref` with args: contents = 1 Normal execution of function `ref'mk` with args: contents = 1 Line 6: Property failure at assertion with: why3-1.6.0/bench/check-ce/oracles/ref1_CVC5,1.0.0_WP.oracle000066400000000000000000000016211440160026300224200ustar00rootroot00000000000000Warning, file "bench/check-ce/ref1.mlw", line 5, characters 6-7: unused variable x Categorizations of models: - Selected model 0: NC - Concrete RAC: FAILURE (assertion at "bench/check-ce/ref1.mlw", line 6, characters 11-16) - Abstract RAC: FAILURE (assertion at "bench/check-ce/ref1.mlw", line 6, characters 11-16) File "bench/check-ce/ref1.mlw", line 6, characters 11-16: Sub-goal Assertion of goal f'vc. Prover result is: Unknown or time/memory/step limit. The program does not comply to the verification goal, for example during the following execution: Unknown location: _ = () File ref1.mlw: Line 4: _ = () Execution of main function `f` with env: _ = () Line 5: Normal execution of function `ref` with args: contents = 1 Normal execution of function `ref'mk` with args: contents = 1 Line 6: Property failure at assertion with: why3-1.6.0/bench/check-ce/oracles/ref1_Z3,4.8.10_SP.oracle000066400000000000000000000016211440160026300223040ustar00rootroot00000000000000Warning, file "bench/check-ce/ref1.mlw", line 5, characters 6-7: unused variable x Categorizations of models: - Selected model 0: NC - Concrete RAC: FAILURE (assertion at "bench/check-ce/ref1.mlw", line 6, characters 11-16) - Abstract RAC: FAILURE (assertion at "bench/check-ce/ref1.mlw", line 6, characters 11-16) File "bench/check-ce/ref1.mlw", line 6, characters 11-16: Sub-goal Assertion of goal f'vc. Prover result is: Unknown or time/memory/step limit. The program does not comply to the verification goal, for example during the following execution: Unknown location: _ = () File ref1.mlw: Line 4: _ = () Execution of main function `f` with env: _ = () Line 5: Normal execution of function `ref` with args: contents = 1 Normal execution of function `ref'mk` with args: contents = 1 Line 6: Property failure at assertion with: why3-1.6.0/bench/check-ce/oracles/ref1_Z3,4.8.10_WP.oracle000066400000000000000000000016211440160026300223100ustar00rootroot00000000000000Warning, file "bench/check-ce/ref1.mlw", line 5, characters 6-7: unused variable x Categorizations of models: - Selected model 0: NC - Concrete RAC: FAILURE (assertion at "bench/check-ce/ref1.mlw", line 6, characters 11-16) - Abstract RAC: FAILURE (assertion at "bench/check-ce/ref1.mlw", line 6, characters 11-16) File "bench/check-ce/ref1.mlw", line 6, characters 11-16: Sub-goal Assertion of goal f'vc. Prover result is: Unknown or time/memory/step limit. The program does not comply to the verification goal, for example during the following execution: Unknown location: _ = () File ref1.mlw: Line 4: _ = () Execution of main function `f` with env: _ = () Line 5: Normal execution of function `ref` with args: contents = 1 Normal execution of function `ref'mk` with args: contents = 1 Line 6: Property failure at assertion with: why3-1.6.0/bench/check-ce/oracles/ref1_Z3,4.8.4_SP.oracle000066400000000000000000000051711440160026300222330ustar00rootroot00000000000000File "bench/check-ce/ref1.mlw", line 5, characters 6-7: warning: unused variable x Check model 0 ("bench/check-ce/ref1.mlw", line 6, characters 11-16) Checking model: Giant-step RAC Type default value for parameter `_` at NO LOC: () Value computed from postcondition for return value of call to ref at "bench/check-ce/ref1.mlw", line 5, characters 10-15 at "bench/check-ce/ref1.mlw", line 5, characters 10-15: {contents= 1} Normal RAC Type default value for parameter `_` at NO LOC: () Result of checking model 0: NC - Concrete RAC: FAILURE (assertion at "bench/check-ce/ref1.mlw", line 6, characters 11-16) Unknown location: _ = () File ref1.mlw: Line 4: _ = () Execution of main function `f` with env: _ = () Line 5: Normal execution of function `ref` with args: contents = 1 Normal execution of function `ref'mk` with args: contents = 1 Line 6: Property failure at assertion with: - Abstract RAC: FAILURE (assertion at "bench/check-ce/ref1.mlw", line 6, characters 11-16) Unknown location: _ = () File ref1.mlw: Line 4: _ = () Execution of main function `f` with env: _ = () Line 5: Giant-step execution of function `ref` with args: contents = 1 result of `ref` = {contents= 1} Line 6: Property failure at assertion with: Results: - Selected model 0: NC - Concrete RAC: FAILURE (assertion at "bench/check-ce/ref1.mlw", line 6, characters 11-16) - Abstract RAC: FAILURE (assertion at "bench/check-ce/ref1.mlw", line 6, characters 11-16) File "bench/check-ce/ref1.mlw", line 6, characters 11-16: Sub-goal Assertion of goal f'vc. Prover result is: Step limit exceeded (0.91s). The program does not comply to the verification goal, for example during the following execution: Unknown location: _ = () File ref1.mlw: Line 4: _ = () Execution of main function `f` with env: _ = () Line 5: Normal execution of function `ref` with args: contents = 1 Normal execution of function `ref'mk` with args: contents = 1 Line 6: Property failure at assertion with: why3-1.6.0/bench/check-ce/oracles/ref1_Z3,4.8.4_WP.oracle000066400000000000000000000051711440160026300222370ustar00rootroot00000000000000File "bench/check-ce/ref1.mlw", line 5, characters 6-7: warning: unused variable x Check model 0 ("bench/check-ce/ref1.mlw", line 6, characters 11-16) Checking model: Giant-step RAC Type default value for parameter `_` at NO LOC: () Value computed from postcondition for return value of call to ref at "bench/check-ce/ref1.mlw", line 5, characters 10-15 at "bench/check-ce/ref1.mlw", line 5, characters 10-15: {contents= 1} Normal RAC Type default value for parameter `_` at NO LOC: () Result of checking model 0: NC - Concrete RAC: FAILURE (assertion at "bench/check-ce/ref1.mlw", line 6, characters 11-16) Unknown location: _ = () File ref1.mlw: Line 4: _ = () Execution of main function `f` with env: _ = () Line 5: Normal execution of function `ref` with args: contents = 1 Normal execution of function `ref'mk` with args: contents = 1 Line 6: Property failure at assertion with: - Abstract RAC: FAILURE (assertion at "bench/check-ce/ref1.mlw", line 6, characters 11-16) Unknown location: _ = () File ref1.mlw: Line 4: _ = () Execution of main function `f` with env: _ = () Line 5: Giant-step execution of function `ref` with args: contents = 1 result of `ref` = {contents= 1} Line 6: Property failure at assertion with: Results: - Selected model 0: NC - Concrete RAC: FAILURE (assertion at "bench/check-ce/ref1.mlw", line 6, characters 11-16) - Abstract RAC: FAILURE (assertion at "bench/check-ce/ref1.mlw", line 6, characters 11-16) File "bench/check-ce/ref1.mlw", line 6, characters 11-16: Sub-goal Assertion of goal f'vc. Prover result is: Step limit exceeded (0.90s). The program does not comply to the verification goal, for example during the following execution: Unknown location: _ = () File ref1.mlw: Line 4: _ = () Execution of main function `f` with env: _ = () Line 5: Normal execution of function `ref` with args: contents = 1 Normal execution of function `ref'mk` with args: contents = 1 Line 6: Property failure at assertion with: why3-1.6.0/bench/check-ce/oracles/ref1_mono_CVC4,1.8_SP.oracle000066400000000000000000000020421440160026300233130ustar00rootroot00000000000000Warning, file "bench/check-ce/ref1_mono.mlw", line 5, characters 6-7: unused variable x Categorizations of models: - Selected model 0: NC - Concrete RAC: FAILURE (assertion at "bench/check-ce/ref1_mono.mlw", line 6, characters 11-16) - Abstract RAC: FAILURE (assertion at "bench/check-ce/ref1_mono.mlw", line 6, characters 11-16) - Checked model 1: NC - Concrete RAC: FAILURE (assertion at "bench/check-ce/ref1_mono.mlw", line 6, characters 11-16) - Abstract RAC: FAILURE (assertion at "bench/check-ce/ref1_mono.mlw", line 6, characters 11-16) File "bench/check-ce/ref1_mono.mlw", line 6, characters 11-16: Sub-goal Assertion of goal f'vc. Prover result is: Unknown (sat). The program does not comply to the verification goal, for example during the following execution: Unknown location: _ = () File ref1_mono.mlw: Line 4: _ = () Execution of main function `f` with env: _ = () Line 5: Normal execution of function `t'mk` with args: c = 1 Line 6: Property failure at assertion with: why3-1.6.0/bench/check-ce/oracles/ref1_mono_CVC4,1.8_WP.oracle000066400000000000000000000020421440160026300233170ustar00rootroot00000000000000Warning, file "bench/check-ce/ref1_mono.mlw", line 5, characters 6-7: unused variable x Categorizations of models: - Selected model 0: NC - Concrete RAC: FAILURE (assertion at "bench/check-ce/ref1_mono.mlw", line 6, characters 11-16) - Abstract RAC: FAILURE (assertion at "bench/check-ce/ref1_mono.mlw", line 6, characters 11-16) - Checked model 1: NC - Concrete RAC: FAILURE (assertion at "bench/check-ce/ref1_mono.mlw", line 6, characters 11-16) - Abstract RAC: FAILURE (assertion at "bench/check-ce/ref1_mono.mlw", line 6, characters 11-16) File "bench/check-ce/ref1_mono.mlw", line 6, characters 11-16: Sub-goal Assertion of goal f'vc. Prover result is: Unknown (sat). The program does not comply to the verification goal, for example during the following execution: Unknown location: _ = () File ref1_mono.mlw: Line 4: _ = () Execution of main function `f` with env: _ = () Line 5: Normal execution of function `t'mk` with args: c = 1 Line 6: Property failure at assertion with: why3-1.6.0/bench/check-ce/oracles/ref1_mono_CVC5,1.0.0_SP.oracle000066400000000000000000000020421440160026300234420ustar00rootroot00000000000000Warning, file "bench/check-ce/ref1_mono.mlw", line 5, characters 6-7: unused variable x Categorizations of models: - Selected model 0: NC - Concrete RAC: FAILURE (assertion at "bench/check-ce/ref1_mono.mlw", line 6, characters 11-16) - Abstract RAC: FAILURE (assertion at "bench/check-ce/ref1_mono.mlw", line 6, characters 11-16) - Checked model 1: NC - Concrete RAC: FAILURE (assertion at "bench/check-ce/ref1_mono.mlw", line 6, characters 11-16) - Abstract RAC: FAILURE (assertion at "bench/check-ce/ref1_mono.mlw", line 6, characters 11-16) File "bench/check-ce/ref1_mono.mlw", line 6, characters 11-16: Sub-goal Assertion of goal f'vc. Prover result is: Unknown (sat). The program does not comply to the verification goal, for example during the following execution: Unknown location: _ = () File ref1_mono.mlw: Line 4: _ = () Execution of main function `f` with env: _ = () Line 5: Normal execution of function `t'mk` with args: c = 1 Line 6: Property failure at assertion with: why3-1.6.0/bench/check-ce/oracles/ref1_mono_CVC5,1.0.0_WP.oracle000066400000000000000000000020421440160026300234460ustar00rootroot00000000000000Warning, file "bench/check-ce/ref1_mono.mlw", line 5, characters 6-7: unused variable x Categorizations of models: - Selected model 0: NC - Concrete RAC: FAILURE (assertion at "bench/check-ce/ref1_mono.mlw", line 6, characters 11-16) - Abstract RAC: FAILURE (assertion at "bench/check-ce/ref1_mono.mlw", line 6, characters 11-16) - Checked model 1: NC - Concrete RAC: FAILURE (assertion at "bench/check-ce/ref1_mono.mlw", line 6, characters 11-16) - Abstract RAC: FAILURE (assertion at "bench/check-ce/ref1_mono.mlw", line 6, characters 11-16) File "bench/check-ce/ref1_mono.mlw", line 6, characters 11-16: Sub-goal Assertion of goal f'vc. Prover result is: Unknown (sat). The program does not comply to the verification goal, for example during the following execution: Unknown location: _ = () File ref1_mono.mlw: Line 4: _ = () Execution of main function `f` with env: _ = () Line 5: Normal execution of function `t'mk` with args: c = 1 Line 6: Property failure at assertion with: why3-1.6.0/bench/check-ce/oracles/ref1_mono_Z3,4.8.10_SP.oracle000066400000000000000000000020421440160026300233320ustar00rootroot00000000000000Warning, file "bench/check-ce/ref1_mono.mlw", line 5, characters 6-7: unused variable x Categorizations of models: - Selected model 0: NC - Concrete RAC: FAILURE (assertion at "bench/check-ce/ref1_mono.mlw", line 6, characters 11-16) - Abstract RAC: FAILURE (assertion at "bench/check-ce/ref1_mono.mlw", line 6, characters 11-16) - Checked model 1: NC - Concrete RAC: FAILURE (assertion at "bench/check-ce/ref1_mono.mlw", line 6, characters 11-16) - Abstract RAC: FAILURE (assertion at "bench/check-ce/ref1_mono.mlw", line 6, characters 11-16) File "bench/check-ce/ref1_mono.mlw", line 6, characters 11-16: Sub-goal Assertion of goal f'vc. Prover result is: Unknown (sat). The program does not comply to the verification goal, for example during the following execution: Unknown location: _ = () File ref1_mono.mlw: Line 4: _ = () Execution of main function `f` with env: _ = () Line 5: Normal execution of function `t'mk` with args: c = 1 Line 6: Property failure at assertion with: why3-1.6.0/bench/check-ce/oracles/ref1_mono_Z3,4.8.10_WP.oracle000066400000000000000000000020421440160026300233360ustar00rootroot00000000000000Warning, file "bench/check-ce/ref1_mono.mlw", line 5, characters 6-7: unused variable x Categorizations of models: - Selected model 0: NC - Concrete RAC: FAILURE (assertion at "bench/check-ce/ref1_mono.mlw", line 6, characters 11-16) - Abstract RAC: FAILURE (assertion at "bench/check-ce/ref1_mono.mlw", line 6, characters 11-16) - Checked model 1: NC - Concrete RAC: FAILURE (assertion at "bench/check-ce/ref1_mono.mlw", line 6, characters 11-16) - Abstract RAC: FAILURE (assertion at "bench/check-ce/ref1_mono.mlw", line 6, characters 11-16) File "bench/check-ce/ref1_mono.mlw", line 6, characters 11-16: Sub-goal Assertion of goal f'vc. Prover result is: Unknown (sat). The program does not comply to the verification goal, for example during the following execution: Unknown location: _ = () File ref1_mono.mlw: Line 4: _ = () Execution of main function `f` with env: _ = () Line 5: Normal execution of function `t'mk` with args: c = 1 Line 6: Property failure at assertion with: why3-1.6.0/bench/check-ce/oracles/ref2_CVC4,1.8_SP.oracle000066400000000000000000000021571440160026300222730ustar00rootroot00000000000000Categorizations of models: - Selected model 0: NC - Concrete RAC: FAILURE (assertion at "bench/check-ce/ref2.mlw", line 7, characters 11-16) - Abstract RAC: FAILURE (assertion at "bench/check-ce/ref2.mlw", line 7, characters 11-16) - Checked model 1: NC - Concrete RAC: FAILURE (assertion at "bench/check-ce/ref2.mlw", line 7, characters 11-16) - Abstract RAC: FAILURE (assertion at "bench/check-ce/ref2.mlw", line 7, characters 11-16) File "bench/check-ce/ref2.mlw", line 7, characters 11-16: Sub-goal Assertion of goal f'vc. Prover result is: Unknown or time/memory/step limit. The program does not comply to the verification goal, for example during the following execution: Unknown location: _ = () File ref2.mlw: Line 4: _ = () Execution of main function `f` with env: _ = () Line 5: Normal execution of function `ref` with args: contents = 1 Normal execution of function `ref'mk` with args: contents = 1 Line 6: Normal execution of function `(:=)` with args: r = {contents= 1} v = 2 Line 7: Property failure at assertion with: why3-1.6.0/bench/check-ce/oracles/ref2_CVC4,1.8_WP.oracle000066400000000000000000000021571440160026300222770ustar00rootroot00000000000000Categorizations of models: - Selected model 0: NC - Concrete RAC: FAILURE (assertion at "bench/check-ce/ref2.mlw", line 7, characters 11-16) - Abstract RAC: FAILURE (assertion at "bench/check-ce/ref2.mlw", line 7, characters 11-16) - Checked model 1: NC - Concrete RAC: FAILURE (assertion at "bench/check-ce/ref2.mlw", line 7, characters 11-16) - Abstract RAC: FAILURE (assertion at "bench/check-ce/ref2.mlw", line 7, characters 11-16) File "bench/check-ce/ref2.mlw", line 7, characters 11-16: Sub-goal Assertion of goal f'vc. Prover result is: Unknown or time/memory/step limit. The program does not comply to the verification goal, for example during the following execution: Unknown location: _ = () File ref2.mlw: Line 4: _ = () Execution of main function `f` with env: _ = () Line 5: Normal execution of function `ref` with args: contents = 1 Normal execution of function `ref'mk` with args: contents = 1 Line 6: Normal execution of function `(:=)` with args: r = {contents= 1} v = 2 Line 7: Property failure at assertion with: why3-1.6.0/bench/check-ce/oracles/ref2_CVC5,1.0.0_SP.oracle000066400000000000000000000021571440160026300224220ustar00rootroot00000000000000Categorizations of models: - Selected model 0: NC - Concrete RAC: FAILURE (assertion at "bench/check-ce/ref2.mlw", line 7, characters 11-16) - Abstract RAC: FAILURE (assertion at "bench/check-ce/ref2.mlw", line 7, characters 11-16) - Checked model 1: NC - Concrete RAC: FAILURE (assertion at "bench/check-ce/ref2.mlw", line 7, characters 11-16) - Abstract RAC: FAILURE (assertion at "bench/check-ce/ref2.mlw", line 7, characters 11-16) File "bench/check-ce/ref2.mlw", line 7, characters 11-16: Sub-goal Assertion of goal f'vc. Prover result is: Unknown or time/memory/step limit. The program does not comply to the verification goal, for example during the following execution: Unknown location: _ = () File ref2.mlw: Line 4: _ = () Execution of main function `f` with env: _ = () Line 5: Normal execution of function `ref` with args: contents = 1 Normal execution of function `ref'mk` with args: contents = 1 Line 6: Normal execution of function `(:=)` with args: r = {contents= 1} v = 2 Line 7: Property failure at assertion with: why3-1.6.0/bench/check-ce/oracles/ref2_CVC5,1.0.0_WP.oracle000066400000000000000000000021571440160026300224260ustar00rootroot00000000000000Categorizations of models: - Selected model 0: NC - Concrete RAC: FAILURE (assertion at "bench/check-ce/ref2.mlw", line 7, characters 11-16) - Abstract RAC: FAILURE (assertion at "bench/check-ce/ref2.mlw", line 7, characters 11-16) - Checked model 1: NC - Concrete RAC: FAILURE (assertion at "bench/check-ce/ref2.mlw", line 7, characters 11-16) - Abstract RAC: FAILURE (assertion at "bench/check-ce/ref2.mlw", line 7, characters 11-16) File "bench/check-ce/ref2.mlw", line 7, characters 11-16: Sub-goal Assertion of goal f'vc. Prover result is: Unknown or time/memory/step limit. The program does not comply to the verification goal, for example during the following execution: Unknown location: _ = () File ref2.mlw: Line 4: _ = () Execution of main function `f` with env: _ = () Line 5: Normal execution of function `ref` with args: contents = 1 Normal execution of function `ref'mk` with args: contents = 1 Line 6: Normal execution of function `(:=)` with args: r = {contents= 1} v = 2 Line 7: Property failure at assertion with: why3-1.6.0/bench/check-ce/oracles/ref2_Z3,4.8.10_SP.oracle000066400000000000000000000022071440160026300223060ustar00rootroot00000000000000Categorizations of models: - Selected model 0: NC - Concrete RAC: FAILURE (assertion at "bench/check-ce/ref2.mlw", line 7, characters 11-16) - Abstract RAC: FAILURE (assertion at "bench/check-ce/ref2.mlw", line 7, characters 11-16) - Checked model 1: NC - Concrete RAC: FAILURE (assertion at "bench/check-ce/ref2.mlw", line 7, characters 11-16) - Abstract RAC: STUCK (failure in postcondition of `(:=)` at "WHY3DATA/stdlib/ref.mlw", line 20, characters 39-44) File "bench/check-ce/ref2.mlw", line 7, characters 11-16: Sub-goal Assertion of goal f'vc. Prover result is: Unknown or time/memory/step limit. The program does not comply to the verification goal, for example during the following execution: Unknown location: _ = () File ref2.mlw: Line 4: _ = () Execution of main function `f` with env: _ = () Line 5: Normal execution of function `ref` with args: contents = 1 Normal execution of function `ref'mk` with args: contents = 1 Line 6: Normal execution of function `(:=)` with args: r = {contents= 1} v = 2 Line 7: Property failure at assertion with: why3-1.6.0/bench/check-ce/oracles/ref2_Z3,4.8.10_WP.oracle000066400000000000000000000022071440160026300223120ustar00rootroot00000000000000Categorizations of models: - Selected model 0: NC - Concrete RAC: FAILURE (assertion at "bench/check-ce/ref2.mlw", line 7, characters 11-16) - Abstract RAC: FAILURE (assertion at "bench/check-ce/ref2.mlw", line 7, characters 11-16) - Checked model 1: NC - Concrete RAC: FAILURE (assertion at "bench/check-ce/ref2.mlw", line 7, characters 11-16) - Abstract RAC: STUCK (failure in postcondition of `(:=)` at "WHY3DATA/stdlib/ref.mlw", line 20, characters 39-44) File "bench/check-ce/ref2.mlw", line 7, characters 11-16: Sub-goal Assertion of goal f'vc. Prover result is: Unknown or time/memory/step limit. The program does not comply to the verification goal, for example during the following execution: Unknown location: _ = () File ref2.mlw: Line 4: _ = () Execution of main function `f` with env: _ = () Line 5: Normal execution of function `ref` with args: contents = 1 Normal execution of function `ref'mk` with args: contents = 1 Line 6: Normal execution of function `(:=)` with args: r = {contents= 1} v = 2 Line 7: Property failure at assertion with: why3-1.6.0/bench/check-ce/oracles/ref2_Z3,4.8.4_SP.oracle000066400000000000000000000152231440160026300222330ustar00rootroot00000000000000Check model 0 ("bench/check-ce/ref2.mlw", line 7, characters 11-16) Checking model: File ref2.mlw: Line 6: x = {"type": "Record", "val": {"Field": [{"field": "contents", "value": {"type": "Integer", "val": "2"}}]}} Giant-step RAC Type default value for parameter `_` at NO LOC: () Value computed from postcondition for return value of call to ref at "bench/check-ce/ref2.mlw", line 5, characters 10-15 at "bench/check-ce/ref2.mlw", line 5, characters 10-15: {contents= 1} Value from model for variable `x` at "bench/check-ce/ref2.mlw", line 6, characters 2-8 at "bench/check-ce/ref2.mlw", line 6, characters 2-8: {contents= 2} Type default value for return value of call to (:=) at "bench/check-ce/ref2.mlw", line 6, characters 2-8 at "bench/check-ce/ref2.mlw", line 6, characters 2-8: () Normal RAC Type default value for parameter `_` at NO LOC: () Result of checking model 0: NC - Concrete RAC: FAILURE (assertion at "bench/check-ce/ref2.mlw", line 7, characters 11-16) Unknown location: _ = () File ref2.mlw: Line 4: _ = () Execution of main function `f` with env: _ = () Line 5: Normal execution of function `ref` with args: contents = 1 Normal execution of function `ref'mk` with args: contents = 1 Line 6: Normal execution of function `(:=)` with args: r = {contents= 1} v = 2 Line 7: Property failure at assertion with: - Abstract RAC: FAILURE (assertion at "bench/check-ce/ref2.mlw", line 7, characters 11-16) Unknown location: _ = () File ref2.mlw: Line 4: _ = () Execution of main function `f` with env: _ = () Line 5: Giant-step execution of function `ref` with args: contents = 1 result of `ref` = {contents= 1} Line 6: Giant-step execution of function `(:=)` with args: r = {contents= 1} v = 2 x = {contents= 2} result of `(:=)` = () Line 7: Property failure at assertion with: Check model 1 ("bench/check-ce/ref2.mlw", line 7, characters 11-16) Checking model: File ref2.mlw: Line 6: x = {"type": "Record", "val": {"Field": [{"field": "contents", "value": {"type": "Integer", "val": "2"}}]}} Giant-step RAC Type default value for parameter `_` at NO LOC: () Value computed from postcondition for return value of call to ref at "bench/check-ce/ref2.mlw", line 5, characters 10-15 at "bench/check-ce/ref2.mlw", line 5, characters 10-15: {contents= 1} Value from model for variable `x` at "bench/check-ce/ref2.mlw", line 6, characters 2-8 at "bench/check-ce/ref2.mlw", line 6, characters 2-8: {contents= 2} Type default value for return value of call to (:=) at "bench/check-ce/ref2.mlw", line 6, characters 2-8 at "bench/check-ce/ref2.mlw", line 6, characters 2-8: () Normal RAC Type default value for parameter `_` at NO LOC: () Result of checking model 1: NC - Concrete RAC: FAILURE (assertion at "bench/check-ce/ref2.mlw", line 7, characters 11-16) Unknown location: _ = () File ref2.mlw: Line 4: _ = () Execution of main function `f` with env: _ = () Line 5: Normal execution of function `ref` with args: contents = 1 Normal execution of function `ref'mk` with args: contents = 1 Line 6: Normal execution of function `(:=)` with args: r = {contents= 1} v = 2 Line 7: Property failure at assertion with: - Abstract RAC: FAILURE (assertion at "bench/check-ce/ref2.mlw", line 7, characters 11-16) Unknown location: _ = () File ref2.mlw: Line 4: _ = () Execution of main function `f` with env: _ = () Line 5: Giant-step execution of function `ref` with args: contents = 1 result of `ref` = {contents= 1} Line 6: Giant-step execution of function `(:=)` with args: r = {contents= 1} v = 2 x = {contents= 2} result of `(:=)` = () Line 7: Property failure at assertion with: Results: - Selected model 0: NC - Concrete RAC: FAILURE (assertion at "bench/check-ce/ref2.mlw", line 7, characters 11-16) - Abstract RAC: FAILURE (assertion at "bench/check-ce/ref2.mlw", line 7, characters 11-16) - Checked model 1: NC - Concrete RAC: FAILURE (assertion at "bench/check-ce/ref2.mlw", line 7, characters 11-16) - Abstract RAC: FAILURE (assertion at "bench/check-ce/ref2.mlw", line 7, characters 11-16) File "bench/check-ce/ref2.mlw", line 7, characters 11-16: Sub-goal Assertion of goal f'vc. Prover result is: Unknown (unknown) (1.32s, 7500000 steps). The program does not comply to the verification goal, for example during the following execution: Unknown location: _ = () File ref2.mlw: Line 4: _ = () Execution of main function `f` with env: _ = () Line 5: Normal execution of function `ref` with args: contents = 1 Normal execution of function `ref'mk` with args: contents = 1 Line 6: Normal execution of function `(:=)` with args: r = {contents= 1} v = 2 Line 7: Property failure at assertion with: why3-1.6.0/bench/check-ce/oracles/ref2_Z3,4.8.4_WP.oracle000066400000000000000000000152231440160026300222370ustar00rootroot00000000000000Check model 0 ("bench/check-ce/ref2.mlw", line 7, characters 11-16) Checking model: File ref2.mlw: Line 6: x = {"type": "Record", "val": {"Field": [{"field": "contents", "value": {"type": "Integer", "val": "2"}}]}} Giant-step RAC Type default value for parameter `_` at NO LOC: () Value computed from postcondition for return value of call to ref at "bench/check-ce/ref2.mlw", line 5, characters 10-15 at "bench/check-ce/ref2.mlw", line 5, characters 10-15: {contents= 1} Value from model for variable `x` at "bench/check-ce/ref2.mlw", line 6, characters 2-8 at "bench/check-ce/ref2.mlw", line 6, characters 2-8: {contents= 2} Type default value for return value of call to (:=) at "bench/check-ce/ref2.mlw", line 6, characters 2-8 at "bench/check-ce/ref2.mlw", line 6, characters 2-8: () Normal RAC Type default value for parameter `_` at NO LOC: () Result of checking model 0: NC - Concrete RAC: FAILURE (assertion at "bench/check-ce/ref2.mlw", line 7, characters 11-16) Unknown location: _ = () File ref2.mlw: Line 4: _ = () Execution of main function `f` with env: _ = () Line 5: Normal execution of function `ref` with args: contents = 1 Normal execution of function `ref'mk` with args: contents = 1 Line 6: Normal execution of function `(:=)` with args: r = {contents= 1} v = 2 Line 7: Property failure at assertion with: - Abstract RAC: FAILURE (assertion at "bench/check-ce/ref2.mlw", line 7, characters 11-16) Unknown location: _ = () File ref2.mlw: Line 4: _ = () Execution of main function `f` with env: _ = () Line 5: Giant-step execution of function `ref` with args: contents = 1 result of `ref` = {contents= 1} Line 6: Giant-step execution of function `(:=)` with args: r = {contents= 1} v = 2 x = {contents= 2} result of `(:=)` = () Line 7: Property failure at assertion with: Check model 1 ("bench/check-ce/ref2.mlw", line 7, characters 11-16) Checking model: File ref2.mlw: Line 6: x = {"type": "Record", "val": {"Field": [{"field": "contents", "value": {"type": "Integer", "val": "2"}}]}} Giant-step RAC Type default value for parameter `_` at NO LOC: () Value computed from postcondition for return value of call to ref at "bench/check-ce/ref2.mlw", line 5, characters 10-15 at "bench/check-ce/ref2.mlw", line 5, characters 10-15: {contents= 1} Value from model for variable `x` at "bench/check-ce/ref2.mlw", line 6, characters 2-8 at "bench/check-ce/ref2.mlw", line 6, characters 2-8: {contents= 2} Type default value for return value of call to (:=) at "bench/check-ce/ref2.mlw", line 6, characters 2-8 at "bench/check-ce/ref2.mlw", line 6, characters 2-8: () Normal RAC Type default value for parameter `_` at NO LOC: () Result of checking model 1: NC - Concrete RAC: FAILURE (assertion at "bench/check-ce/ref2.mlw", line 7, characters 11-16) Unknown location: _ = () File ref2.mlw: Line 4: _ = () Execution of main function `f` with env: _ = () Line 5: Normal execution of function `ref` with args: contents = 1 Normal execution of function `ref'mk` with args: contents = 1 Line 6: Normal execution of function `(:=)` with args: r = {contents= 1} v = 2 Line 7: Property failure at assertion with: - Abstract RAC: FAILURE (assertion at "bench/check-ce/ref2.mlw", line 7, characters 11-16) Unknown location: _ = () File ref2.mlw: Line 4: _ = () Execution of main function `f` with env: _ = () Line 5: Giant-step execution of function `ref` with args: contents = 1 result of `ref` = {contents= 1} Line 6: Giant-step execution of function `(:=)` with args: r = {contents= 1} v = 2 x = {contents= 2} result of `(:=)` = () Line 7: Property failure at assertion with: Results: - Selected model 0: NC - Concrete RAC: FAILURE (assertion at "bench/check-ce/ref2.mlw", line 7, characters 11-16) - Abstract RAC: FAILURE (assertion at "bench/check-ce/ref2.mlw", line 7, characters 11-16) - Checked model 1: NC - Concrete RAC: FAILURE (assertion at "bench/check-ce/ref2.mlw", line 7, characters 11-16) - Abstract RAC: FAILURE (assertion at "bench/check-ce/ref2.mlw", line 7, characters 11-16) File "bench/check-ce/ref2.mlw", line 7, characters 11-16: Sub-goal Assertion of goal f'vc. Prover result is: Unknown (unknown) (1.29s, 7500000 steps). The program does not comply to the verification goal, for example during the following execution: Unknown location: _ = () File ref2.mlw: Line 4: _ = () Execution of main function `f` with env: _ = () Line 5: Normal execution of function `ref` with args: contents = 1 Normal execution of function `ref'mk` with args: contents = 1 Line 6: Normal execution of function `(:=)` with args: r = {contents= 1} v = 2 Line 7: Property failure at assertion with: why3-1.6.0/bench/check-ce/oracles/ref2_mono_CVC4,1.8_SP.oracle000066400000000000000000000017121440160026300233170ustar00rootroot00000000000000Categorizations of models: - Selected model 0: NC - Concrete RAC: FAILURE (assertion at "bench/check-ce/ref2_mono.mlw", line 7, characters 11-16) - Abstract RAC: FAILURE (assertion at "bench/check-ce/ref2_mono.mlw", line 7, characters 11-16) - Checked model 1: NC - Concrete RAC: FAILURE (assertion at "bench/check-ce/ref2_mono.mlw", line 7, characters 11-16) - Abstract RAC: FAILURE (assertion at "bench/check-ce/ref2_mono.mlw", line 7, characters 11-16) File "bench/check-ce/ref2_mono.mlw", line 7, characters 11-16: Sub-goal Assertion of goal f'vc. Prover result is: Unknown (sat). The program does not comply to the verification goal, for example during the following execution: Unknown location: _ = () File ref2_mono.mlw: Line 4: _ = () Execution of main function `f` with env: _ = () Line 5: Normal execution of function `t'mk` with args: c = 1 Line 7: Property failure at assertion with: why3-1.6.0/bench/check-ce/oracles/ref2_mono_CVC4,1.8_WP.oracle000066400000000000000000000017121440160026300233230ustar00rootroot00000000000000Categorizations of models: - Selected model 0: NC - Concrete RAC: FAILURE (assertion at "bench/check-ce/ref2_mono.mlw", line 7, characters 11-16) - Abstract RAC: FAILURE (assertion at "bench/check-ce/ref2_mono.mlw", line 7, characters 11-16) - Checked model 1: NC - Concrete RAC: FAILURE (assertion at "bench/check-ce/ref2_mono.mlw", line 7, characters 11-16) - Abstract RAC: FAILURE (assertion at "bench/check-ce/ref2_mono.mlw", line 7, characters 11-16) File "bench/check-ce/ref2_mono.mlw", line 7, characters 11-16: Sub-goal Assertion of goal f'vc. Prover result is: Unknown (sat). The program does not comply to the verification goal, for example during the following execution: Unknown location: _ = () File ref2_mono.mlw: Line 4: _ = () Execution of main function `f` with env: _ = () Line 5: Normal execution of function `t'mk` with args: c = 1 Line 7: Property failure at assertion with: why3-1.6.0/bench/check-ce/oracles/ref2_mono_CVC5,1.0.0_SP.oracle000066400000000000000000000017121440160026300234460ustar00rootroot00000000000000Categorizations of models: - Selected model 0: NC - Concrete RAC: FAILURE (assertion at "bench/check-ce/ref2_mono.mlw", line 7, characters 11-16) - Abstract RAC: FAILURE (assertion at "bench/check-ce/ref2_mono.mlw", line 7, characters 11-16) - Checked model 1: NC - Concrete RAC: FAILURE (assertion at "bench/check-ce/ref2_mono.mlw", line 7, characters 11-16) - Abstract RAC: FAILURE (assertion at "bench/check-ce/ref2_mono.mlw", line 7, characters 11-16) File "bench/check-ce/ref2_mono.mlw", line 7, characters 11-16: Sub-goal Assertion of goal f'vc. Prover result is: Unknown (sat). The program does not comply to the verification goal, for example during the following execution: Unknown location: _ = () File ref2_mono.mlw: Line 4: _ = () Execution of main function `f` with env: _ = () Line 5: Normal execution of function `t'mk` with args: c = 1 Line 7: Property failure at assertion with: why3-1.6.0/bench/check-ce/oracles/ref2_mono_CVC5,1.0.0_WP.oracle000066400000000000000000000017121440160026300234520ustar00rootroot00000000000000Categorizations of models: - Selected model 0: NC - Concrete RAC: FAILURE (assertion at "bench/check-ce/ref2_mono.mlw", line 7, characters 11-16) - Abstract RAC: FAILURE (assertion at "bench/check-ce/ref2_mono.mlw", line 7, characters 11-16) - Checked model 1: NC - Concrete RAC: FAILURE (assertion at "bench/check-ce/ref2_mono.mlw", line 7, characters 11-16) - Abstract RAC: FAILURE (assertion at "bench/check-ce/ref2_mono.mlw", line 7, characters 11-16) File "bench/check-ce/ref2_mono.mlw", line 7, characters 11-16: Sub-goal Assertion of goal f'vc. Prover result is: Unknown (sat). The program does not comply to the verification goal, for example during the following execution: Unknown location: _ = () File ref2_mono.mlw: Line 4: _ = () Execution of main function `f` with env: _ = () Line 5: Normal execution of function `t'mk` with args: c = 1 Line 7: Property failure at assertion with: why3-1.6.0/bench/check-ce/oracles/ref2_mono_Z3,4.8.10_SP.oracle000066400000000000000000000017121440160026300233360ustar00rootroot00000000000000Categorizations of models: - Selected model 0: NC - Concrete RAC: FAILURE (assertion at "bench/check-ce/ref2_mono.mlw", line 7, characters 11-16) - Abstract RAC: FAILURE (assertion at "bench/check-ce/ref2_mono.mlw", line 7, characters 11-16) - Checked model 1: NC - Concrete RAC: FAILURE (assertion at "bench/check-ce/ref2_mono.mlw", line 7, characters 11-16) - Abstract RAC: FAILURE (assertion at "bench/check-ce/ref2_mono.mlw", line 7, characters 11-16) File "bench/check-ce/ref2_mono.mlw", line 7, characters 11-16: Sub-goal Assertion of goal f'vc. Prover result is: Unknown (sat). The program does not comply to the verification goal, for example during the following execution: Unknown location: _ = () File ref2_mono.mlw: Line 4: _ = () Execution of main function `f` with env: _ = () Line 5: Normal execution of function `t'mk` with args: c = 1 Line 7: Property failure at assertion with: why3-1.6.0/bench/check-ce/oracles/ref2_mono_Z3,4.8.10_WP.oracle000066400000000000000000000017121440160026300233420ustar00rootroot00000000000000Categorizations of models: - Selected model 0: NC - Concrete RAC: FAILURE (assertion at "bench/check-ce/ref2_mono.mlw", line 7, characters 11-16) - Abstract RAC: FAILURE (assertion at "bench/check-ce/ref2_mono.mlw", line 7, characters 11-16) - Checked model 1: NC - Concrete RAC: FAILURE (assertion at "bench/check-ce/ref2_mono.mlw", line 7, characters 11-16) - Abstract RAC: FAILURE (assertion at "bench/check-ce/ref2_mono.mlw", line 7, characters 11-16) File "bench/check-ce/ref2_mono.mlw", line 7, characters 11-16: Sub-goal Assertion of goal f'vc. Prover result is: Unknown (sat). The program does not comply to the verification goal, for example during the following execution: Unknown location: _ = () File ref2_mono.mlw: Line 4: _ = () Execution of main function `f` with env: _ = () Line 5: Normal execution of function `t'mk` with args: c = 1 Line 7: Property failure at assertion with: why3-1.6.0/bench/check-ce/oracles/ref_ex_CVC4,1.8_SP.oracle000066400000000000000000000205161440160026300227040ustar00rootroot00000000000000Categorizations of models: - Selected model 0: NC - Concrete RAC: FAILURE (postcondition at "bench/check-ce/ref_ex.mlw", line 9, characters 14-25) - Abstract RAC: FAILURE (postcondition at "bench/check-ce/ref_ex.mlw", line 9, characters 14-25) - Checked model 1: NC - Concrete RAC: FAILURE (postcondition at "bench/check-ce/ref_ex.mlw", line 9, characters 14-25) - Abstract RAC: FAILURE (postcondition at "bench/check-ce/ref_ex.mlw", line 9, characters 14-25) File "bench/check-ce/ref_ex.mlw", line 9, characters 14-25: Sub-goal Postcondition of goal test_post'vc. Prover result is: Unknown or time/memory/step limit. The program does not comply to the verification goal, for example during the following execution: File int.mlw: Line 13: Constant zero initialization zero = 0 Line 14: Constant one initialization one = 1 File ref_ex.mlw: Line 8: x = 0 y = {contents= (- 1)} x = 0 y = {contents= (- 1)} Execution of main function `test_post` with env: x = 0 y = {contents= (- 1)} zero = 0 one = 1 Line 11: Normal execution of function `(!)` with args: r = {contents= (- 1)} File ref.mlw: Line 18: Normal execution of function `contents` with args: arg = {contents= (- 1)} File ref_ex.mlw: Line 11: Normal execution of function `(-)` with args: x = 0 y = 1 File int.mlw: Line 23: Normal execution of function `(-_)` with args: _ = 1 Normal execution of function `(+)` with args: _ = 0 _ = (-1) File ref_ex.mlw: Line 11: Normal execution of function `(+)` with args: _ = (-1) _ = (- 1) Normal execution of function `(:=)` with args: r = {contents= (- 1)} v = (-2) Line 9: Property failure at postcondition of `test_post` with: x = 0 y = {contents= (- 1)} Categorizations of models: - Selected model 0: NC - Concrete RAC: FAILURE (postcondition at "bench/check-ce/ref_ex.mlw", line 15, characters 14-29) - Abstract RAC: FAILURE (postcondition at "bench/check-ce/ref_ex.mlw", line 15, characters 14-29) - Checked model 1: NC - Concrete RAC: FAILURE (postcondition at "bench/check-ce/ref_ex.mlw", line 15, characters 14-29) - Abstract RAC: FAILURE (postcondition at "bench/check-ce/ref_ex.mlw", line 15, characters 14-29) File "bench/check-ce/ref_ex.mlw", line 15, characters 14-29: Sub-goal Postcondition of goal test_post2'vc. Prover result is: Unknown or time/memory/step limit. The program does not comply to the verification goal, for example during the following execution: File int.mlw: Line 13: Constant zero initialization zero = 0 Line 14: Constant one initialization one = 1 File ref_ex.mlw: Line 13: x = 43 y = {contents= 0} x = 43 y = {contents= 0} Execution of main function `test_post2` with env: x = 43 y = {contents= 0} zero = 0 one = 1 Line 17: Normal execution of function `(!)` with args: r = {contents= 0} File ref.mlw: Line 18: Normal execution of function `contents` with args: arg = {contents= 0} File ref_ex.mlw: Line 17: Normal execution of function `(-)` with args: x = 43 y = 1 File int.mlw: Line 23: Normal execution of function `(-_)` with args: _ = 1 Normal execution of function `(+)` with args: _ = 43 _ = (-1) File ref_ex.mlw: Line 17: Normal execution of function `(+)` with args: _ = 42 _ = 0 Normal execution of function `(:=)` with args: r = {contents= 0} v = 42 Line 15: Property failure at postcondition of `test_post2` with: x = 43 y = {contents= 42} y = {contents= 0} Categorizations of models: - Selected model 0: NC - Concrete RAC: FAILURE (postcondition at "bench/check-ce/ref_ex.mlw", line 26, characters 12-36) - Abstract RAC: FAILURE (postcondition at "bench/check-ce/ref_ex.mlw", line 26, characters 12-36) - Checked model 1: NC - Concrete RAC: FAILURE (postcondition at "bench/check-ce/ref_ex.mlw", line 26, characters 12-36) - Abstract RAC: FAILURE (postcondition at "bench/check-ce/ref_ex.mlw", line 26, characters 12-36) File "bench/check-ce/ref_ex.mlw", line 26, characters 12-36: Sub-goal Postcondition of goal incr'vc. Prover result is: Unknown or time/memory/step limit. The program does not comply to the verification goal, for example during the following execution: File int.mlw: Line 13: Constant zero initialization zero = 0 Line 14: Constant one initialization one = 1 File ref_ex.mlw: Line 23: y = {contents= (- 1)} Line 25: x23 = {contents= 0} x23 = {contents= 0} Execution of main function `incr` with env: y = {contents= (- 1)} x23 = {contents= 0} zero = 0 one = 1 Line 29: Normal execution of function `(!)` with args: r = {contents= (- 1)} File ref.mlw: Line 18: Normal execution of function `contents` with args: arg = {contents= (- 1)} File ref_ex.mlw: Line 29: Normal execution of function `(+)` with args: _ = (- 1) _ = 1 Normal execution of function `(:=)` with args: r = {contents= (- 1)} v = 0 Line 30: Normal execution of function `(!)` with args: r = {contents= 0} File ref.mlw: Line 18: Normal execution of function `contents` with args: arg = {contents= 0} File ref_ex.mlw: Line 30: Normal execution of function `(+)` with args: _ = 0 _ = 1 Normal execution of function `(:=)` with args: r = {contents= 0} v = 1 Line 31: Normal execution of function `(!)` with args: r = {contents= 1} File ref.mlw: Line 18: Normal execution of function `contents` with args: arg = {contents= 1} File ref_ex.mlw: Line 31: Normal execution of function `(+)` with args: _ = 1 _ = 1 Normal execution of function `(:=)` with args: r = {contents= 1} v = 2 Line 26: Property failure at postcondition of `incr` with: x23 = {contents= 2} x23 = {contents= 0} y = {contents= (- 1)} Categorizations of models: - Checked model 0: BAD_CE - Concrete RAC: FAILURE (postcondition at "bench/check-ce/ref_ex.mlw", line 37, characters 2-8) - Abstract RAC: FAILURE (loop invariant init at "bench/check-ce/ref_ex.mlw", line 40, characters 14-36) - Selected model 1: BAD_CE - Concrete RAC: FAILURE (postcondition at "bench/check-ce/ref_ex.mlw", line 37, characters 2-8) - Abstract RAC: FAILURE (loop invariant init at "bench/check-ce/ref_ex.mlw", line 40, characters 14-36) File "bench/check-ce/ref_ex.mlw", line 40, characters 14-36: Sub-goal Loop invariant init of goal test_loop'vc. Prover result is: Unknown or time/memory/step limit. Sorry, we don't have a good counterexample for you :( File "bench/check-ce/ref_ex.mlw", line 41, characters 12-14: Sub-goal Loop variant decrease of goal test_loop'vc. Prover result is: Valid. Categorizations of models: - Checked model 0: BAD_CE - Concrete RAC: FAILURE (postcondition at "bench/check-ce/ref_ex.mlw", line 37, characters 2-8) - Abstract RAC: FAILURE (loop invariant init at "bench/check-ce/ref_ex.mlw", line 40, characters 14-36) - Selected model 1: BAD_CE - Concrete RAC: FAILURE (postcondition at "bench/check-ce/ref_ex.mlw", line 37, characters 2-8) - Abstract RAC: FAILURE (loop invariant init at "bench/check-ce/ref_ex.mlw", line 40, characters 14-36) File "bench/check-ce/ref_ex.mlw", line 40, characters 14-36: Sub-goal Loop invariant preservation of goal test_loop'vc. Prover result is: Unknown or time/memory/step limit. Sorry, we don't have a good counterexample for you :( Categorizations of models: - Checked model 0: BAD_CE - Concrete RAC: FAILURE (postcondition at "bench/check-ce/ref_ex.mlw", line 37, characters 2-8) - Abstract RAC: FAILURE (loop invariant init at "bench/check-ce/ref_ex.mlw", line 40, characters 14-36) - Selected model 1: BAD_CE - Concrete RAC: FAILURE (postcondition at "bench/check-ce/ref_ex.mlw", line 37, characters 2-8) - Abstract RAC: FAILURE (loop invariant init at "bench/check-ce/ref_ex.mlw", line 40, characters 14-36) File "bench/check-ce/ref_ex.mlw", line 34, characters 12-23: Sub-goal Postcondition of goal test_loop'vc. Prover result is: Unknown or time/memory/step limit. Sorry, we don't have a good counterexample for you :( why3-1.6.0/bench/check-ce/oracles/ref_ex_CVC4,1.8_WP.oracle000066400000000000000000000205161440160026300227100ustar00rootroot00000000000000Categorizations of models: - Selected model 0: NC - Concrete RAC: FAILURE (postcondition at "bench/check-ce/ref_ex.mlw", line 9, characters 14-25) - Abstract RAC: FAILURE (postcondition at "bench/check-ce/ref_ex.mlw", line 9, characters 14-25) - Checked model 1: NC - Concrete RAC: FAILURE (postcondition at "bench/check-ce/ref_ex.mlw", line 9, characters 14-25) - Abstract RAC: FAILURE (postcondition at "bench/check-ce/ref_ex.mlw", line 9, characters 14-25) File "bench/check-ce/ref_ex.mlw", line 9, characters 14-25: Sub-goal Postcondition of goal test_post'vc. Prover result is: Unknown or time/memory/step limit. The program does not comply to the verification goal, for example during the following execution: File int.mlw: Line 13: Constant zero initialization zero = 0 Line 14: Constant one initialization one = 1 File ref_ex.mlw: Line 8: x = 0 y = {contents= (- 1)} x = 0 y = {contents= (- 1)} Execution of main function `test_post` with env: x = 0 y = {contents= (- 1)} zero = 0 one = 1 Line 11: Normal execution of function `(!)` with args: r = {contents= (- 1)} File ref.mlw: Line 18: Normal execution of function `contents` with args: arg = {contents= (- 1)} File ref_ex.mlw: Line 11: Normal execution of function `(-)` with args: x = 0 y = 1 File int.mlw: Line 23: Normal execution of function `(-_)` with args: _ = 1 Normal execution of function `(+)` with args: _ = 0 _ = (-1) File ref_ex.mlw: Line 11: Normal execution of function `(+)` with args: _ = (-1) _ = (- 1) Normal execution of function `(:=)` with args: r = {contents= (- 1)} v = (-2) Line 9: Property failure at postcondition of `test_post` with: x = 0 y = {contents= (- 1)} Categorizations of models: - Selected model 0: NC - Concrete RAC: FAILURE (postcondition at "bench/check-ce/ref_ex.mlw", line 15, characters 14-29) - Abstract RAC: FAILURE (postcondition at "bench/check-ce/ref_ex.mlw", line 15, characters 14-29) - Checked model 1: NC - Concrete RAC: FAILURE (postcondition at "bench/check-ce/ref_ex.mlw", line 15, characters 14-29) - Abstract RAC: FAILURE (postcondition at "bench/check-ce/ref_ex.mlw", line 15, characters 14-29) File "bench/check-ce/ref_ex.mlw", line 15, characters 14-29: Sub-goal Postcondition of goal test_post2'vc. Prover result is: Unknown or time/memory/step limit. The program does not comply to the verification goal, for example during the following execution: File int.mlw: Line 13: Constant zero initialization zero = 0 Line 14: Constant one initialization one = 1 File ref_ex.mlw: Line 13: x = 43 y = {contents= 0} x = 43 y = {contents= 0} Execution of main function `test_post2` with env: x = 43 y = {contents= 0} zero = 0 one = 1 Line 17: Normal execution of function `(!)` with args: r = {contents= 0} File ref.mlw: Line 18: Normal execution of function `contents` with args: arg = {contents= 0} File ref_ex.mlw: Line 17: Normal execution of function `(-)` with args: x = 43 y = 1 File int.mlw: Line 23: Normal execution of function `(-_)` with args: _ = 1 Normal execution of function `(+)` with args: _ = 43 _ = (-1) File ref_ex.mlw: Line 17: Normal execution of function `(+)` with args: _ = 42 _ = 0 Normal execution of function `(:=)` with args: r = {contents= 0} v = 42 Line 15: Property failure at postcondition of `test_post2` with: x = 43 y = {contents= 42} y = {contents= 0} Categorizations of models: - Selected model 0: NC - Concrete RAC: FAILURE (postcondition at "bench/check-ce/ref_ex.mlw", line 26, characters 12-36) - Abstract RAC: FAILURE (postcondition at "bench/check-ce/ref_ex.mlw", line 26, characters 12-36) - Checked model 1: NC - Concrete RAC: FAILURE (postcondition at "bench/check-ce/ref_ex.mlw", line 26, characters 12-36) - Abstract RAC: FAILURE (postcondition at "bench/check-ce/ref_ex.mlw", line 26, characters 12-36) File "bench/check-ce/ref_ex.mlw", line 26, characters 12-36: Sub-goal Postcondition of goal incr'vc. Prover result is: Unknown or time/memory/step limit. The program does not comply to the verification goal, for example during the following execution: File int.mlw: Line 13: Constant zero initialization zero = 0 Line 14: Constant one initialization one = 1 File ref_ex.mlw: Line 23: y = {contents= (- 1)} Line 25: x23 = {contents= 0} x23 = {contents= 0} Execution of main function `incr` with env: y = {contents= (- 1)} x23 = {contents= 0} zero = 0 one = 1 Line 29: Normal execution of function `(!)` with args: r = {contents= (- 1)} File ref.mlw: Line 18: Normal execution of function `contents` with args: arg = {contents= (- 1)} File ref_ex.mlw: Line 29: Normal execution of function `(+)` with args: _ = (- 1) _ = 1 Normal execution of function `(:=)` with args: r = {contents= (- 1)} v = 0 Line 30: Normal execution of function `(!)` with args: r = {contents= 0} File ref.mlw: Line 18: Normal execution of function `contents` with args: arg = {contents= 0} File ref_ex.mlw: Line 30: Normal execution of function `(+)` with args: _ = 0 _ = 1 Normal execution of function `(:=)` with args: r = {contents= 0} v = 1 Line 31: Normal execution of function `(!)` with args: r = {contents= 1} File ref.mlw: Line 18: Normal execution of function `contents` with args: arg = {contents= 1} File ref_ex.mlw: Line 31: Normal execution of function `(+)` with args: _ = 1 _ = 1 Normal execution of function `(:=)` with args: r = {contents= 1} v = 2 Line 26: Property failure at postcondition of `incr` with: x23 = {contents= 2} x23 = {contents= 0} y = {contents= (- 1)} Categorizations of models: - Checked model 0: BAD_CE - Concrete RAC: FAILURE (postcondition at "bench/check-ce/ref_ex.mlw", line 37, characters 2-8) - Abstract RAC: FAILURE (loop invariant init at "bench/check-ce/ref_ex.mlw", line 40, characters 14-36) - Selected model 1: BAD_CE - Concrete RAC: FAILURE (postcondition at "bench/check-ce/ref_ex.mlw", line 37, characters 2-8) - Abstract RAC: FAILURE (loop invariant init at "bench/check-ce/ref_ex.mlw", line 40, characters 14-36) File "bench/check-ce/ref_ex.mlw", line 40, characters 14-36: Sub-goal Loop invariant init of goal test_loop'vc. Prover result is: Unknown or time/memory/step limit. Sorry, we don't have a good counterexample for you :( File "bench/check-ce/ref_ex.mlw", line 41, characters 12-14: Sub-goal Loop variant decrease of goal test_loop'vc. Prover result is: Valid. Categorizations of models: - Checked model 0: BAD_CE - Concrete RAC: FAILURE (postcondition at "bench/check-ce/ref_ex.mlw", line 37, characters 2-8) - Abstract RAC: FAILURE (loop invariant init at "bench/check-ce/ref_ex.mlw", line 40, characters 14-36) - Selected model 1: BAD_CE - Concrete RAC: FAILURE (postcondition at "bench/check-ce/ref_ex.mlw", line 37, characters 2-8) - Abstract RAC: FAILURE (loop invariant init at "bench/check-ce/ref_ex.mlw", line 40, characters 14-36) File "bench/check-ce/ref_ex.mlw", line 40, characters 14-36: Sub-goal Loop invariant preservation of goal test_loop'vc. Prover result is: Unknown or time/memory/step limit. Sorry, we don't have a good counterexample for you :( Categorizations of models: - Checked model 0: BAD_CE - Concrete RAC: FAILURE (postcondition at "bench/check-ce/ref_ex.mlw", line 37, characters 2-8) - Abstract RAC: FAILURE (loop invariant init at "bench/check-ce/ref_ex.mlw", line 40, characters 14-36) - Selected model 1: BAD_CE - Concrete RAC: FAILURE (postcondition at "bench/check-ce/ref_ex.mlw", line 37, characters 2-8) - Abstract RAC: FAILURE (loop invariant init at "bench/check-ce/ref_ex.mlw", line 40, characters 14-36) File "bench/check-ce/ref_ex.mlw", line 34, characters 12-23: Sub-goal Postcondition of goal test_loop'vc. Prover result is: Unknown or time/memory/step limit. Sorry, we don't have a good counterexample for you :( why3-1.6.0/bench/check-ce/oracles/ref_ex_CVC5,1.0.0_SP.oracle000066400000000000000000000205161440160026300230330ustar00rootroot00000000000000Categorizations of models: - Selected model 0: NC - Concrete RAC: FAILURE (postcondition at "bench/check-ce/ref_ex.mlw", line 9, characters 14-25) - Abstract RAC: FAILURE (postcondition at "bench/check-ce/ref_ex.mlw", line 9, characters 14-25) - Checked model 1: NC - Concrete RAC: FAILURE (postcondition at "bench/check-ce/ref_ex.mlw", line 9, characters 14-25) - Abstract RAC: FAILURE (postcondition at "bench/check-ce/ref_ex.mlw", line 9, characters 14-25) File "bench/check-ce/ref_ex.mlw", line 9, characters 14-25: Sub-goal Postcondition of goal test_post'vc. Prover result is: Unknown or time/memory/step limit. The program does not comply to the verification goal, for example during the following execution: File int.mlw: Line 13: Constant zero initialization zero = 0 Line 14: Constant one initialization one = 1 File ref_ex.mlw: Line 8: x = 0 y = {contents= (- 1)} x = 0 y = {contents= (- 1)} Execution of main function `test_post` with env: x = 0 y = {contents= (- 1)} zero = 0 one = 1 Line 11: Normal execution of function `(!)` with args: r = {contents= (- 1)} File ref.mlw: Line 18: Normal execution of function `contents` with args: arg = {contents= (- 1)} File ref_ex.mlw: Line 11: Normal execution of function `(-)` with args: x = 0 y = 1 File int.mlw: Line 23: Normal execution of function `(-_)` with args: _ = 1 Normal execution of function `(+)` with args: _ = 0 _ = (-1) File ref_ex.mlw: Line 11: Normal execution of function `(+)` with args: _ = (-1) _ = (- 1) Normal execution of function `(:=)` with args: r = {contents= (- 1)} v = (-2) Line 9: Property failure at postcondition of `test_post` with: x = 0 y = {contents= (- 1)} Categorizations of models: - Selected model 0: NC - Concrete RAC: FAILURE (postcondition at "bench/check-ce/ref_ex.mlw", line 15, characters 14-29) - Abstract RAC: FAILURE (postcondition at "bench/check-ce/ref_ex.mlw", line 15, characters 14-29) - Checked model 1: NC - Concrete RAC: FAILURE (postcondition at "bench/check-ce/ref_ex.mlw", line 15, characters 14-29) - Abstract RAC: FAILURE (postcondition at "bench/check-ce/ref_ex.mlw", line 15, characters 14-29) File "bench/check-ce/ref_ex.mlw", line 15, characters 14-29: Sub-goal Postcondition of goal test_post2'vc. Prover result is: Unknown or time/memory/step limit. The program does not comply to the verification goal, for example during the following execution: File int.mlw: Line 13: Constant zero initialization zero = 0 Line 14: Constant one initialization one = 1 File ref_ex.mlw: Line 13: x = 43 y = {contents= 0} x = 43 y = {contents= 0} Execution of main function `test_post2` with env: x = 43 y = {contents= 0} zero = 0 one = 1 Line 17: Normal execution of function `(!)` with args: r = {contents= 0} File ref.mlw: Line 18: Normal execution of function `contents` with args: arg = {contents= 0} File ref_ex.mlw: Line 17: Normal execution of function `(-)` with args: x = 43 y = 1 File int.mlw: Line 23: Normal execution of function `(-_)` with args: _ = 1 Normal execution of function `(+)` with args: _ = 43 _ = (-1) File ref_ex.mlw: Line 17: Normal execution of function `(+)` with args: _ = 42 _ = 0 Normal execution of function `(:=)` with args: r = {contents= 0} v = 42 Line 15: Property failure at postcondition of `test_post2` with: x = 43 y = {contents= 42} y = {contents= 0} Categorizations of models: - Selected model 0: NC - Concrete RAC: FAILURE (postcondition at "bench/check-ce/ref_ex.mlw", line 26, characters 12-36) - Abstract RAC: FAILURE (postcondition at "bench/check-ce/ref_ex.mlw", line 26, characters 12-36) - Checked model 1: NC - Concrete RAC: FAILURE (postcondition at "bench/check-ce/ref_ex.mlw", line 26, characters 12-36) - Abstract RAC: FAILURE (postcondition at "bench/check-ce/ref_ex.mlw", line 26, characters 12-36) File "bench/check-ce/ref_ex.mlw", line 26, characters 12-36: Sub-goal Postcondition of goal incr'vc. Prover result is: Unknown or time/memory/step limit. The program does not comply to the verification goal, for example during the following execution: File int.mlw: Line 13: Constant zero initialization zero = 0 Line 14: Constant one initialization one = 1 File ref_ex.mlw: Line 23: y = {contents= (- 1)} Line 25: x23 = {contents= 0} x23 = {contents= 0} Execution of main function `incr` with env: y = {contents= (- 1)} x23 = {contents= 0} zero = 0 one = 1 Line 29: Normal execution of function `(!)` with args: r = {contents= (- 1)} File ref.mlw: Line 18: Normal execution of function `contents` with args: arg = {contents= (- 1)} File ref_ex.mlw: Line 29: Normal execution of function `(+)` with args: _ = (- 1) _ = 1 Normal execution of function `(:=)` with args: r = {contents= (- 1)} v = 0 Line 30: Normal execution of function `(!)` with args: r = {contents= 0} File ref.mlw: Line 18: Normal execution of function `contents` with args: arg = {contents= 0} File ref_ex.mlw: Line 30: Normal execution of function `(+)` with args: _ = 0 _ = 1 Normal execution of function `(:=)` with args: r = {contents= 0} v = 1 Line 31: Normal execution of function `(!)` with args: r = {contents= 1} File ref.mlw: Line 18: Normal execution of function `contents` with args: arg = {contents= 1} File ref_ex.mlw: Line 31: Normal execution of function `(+)` with args: _ = 1 _ = 1 Normal execution of function `(:=)` with args: r = {contents= 1} v = 2 Line 26: Property failure at postcondition of `incr` with: x23 = {contents= 2} x23 = {contents= 0} y = {contents= (- 1)} Categorizations of models: - Checked model 0: BAD_CE - Concrete RAC: FAILURE (postcondition at "bench/check-ce/ref_ex.mlw", line 37, characters 2-8) - Abstract RAC: FAILURE (loop invariant init at "bench/check-ce/ref_ex.mlw", line 40, characters 14-36) - Selected model 1: BAD_CE - Concrete RAC: FAILURE (postcondition at "bench/check-ce/ref_ex.mlw", line 37, characters 2-8) - Abstract RAC: FAILURE (loop invariant init at "bench/check-ce/ref_ex.mlw", line 40, characters 14-36) File "bench/check-ce/ref_ex.mlw", line 40, characters 14-36: Sub-goal Loop invariant init of goal test_loop'vc. Prover result is: Unknown or time/memory/step limit. Sorry, we don't have a good counterexample for you :( File "bench/check-ce/ref_ex.mlw", line 41, characters 12-14: Sub-goal Loop variant decrease of goal test_loop'vc. Prover result is: Valid. Categorizations of models: - Checked model 0: BAD_CE - Concrete RAC: FAILURE (postcondition at "bench/check-ce/ref_ex.mlw", line 37, characters 2-8) - Abstract RAC: FAILURE (loop invariant init at "bench/check-ce/ref_ex.mlw", line 40, characters 14-36) - Selected model 1: BAD_CE - Concrete RAC: FAILURE (postcondition at "bench/check-ce/ref_ex.mlw", line 37, characters 2-8) - Abstract RAC: FAILURE (loop invariant init at "bench/check-ce/ref_ex.mlw", line 40, characters 14-36) File "bench/check-ce/ref_ex.mlw", line 40, characters 14-36: Sub-goal Loop invariant preservation of goal test_loop'vc. Prover result is: Unknown or time/memory/step limit. Sorry, we don't have a good counterexample for you :( Categorizations of models: - Checked model 0: BAD_CE - Concrete RAC: FAILURE (postcondition at "bench/check-ce/ref_ex.mlw", line 37, characters 2-8) - Abstract RAC: FAILURE (loop invariant init at "bench/check-ce/ref_ex.mlw", line 40, characters 14-36) - Selected model 1: BAD_CE - Concrete RAC: FAILURE (postcondition at "bench/check-ce/ref_ex.mlw", line 37, characters 2-8) - Abstract RAC: FAILURE (loop invariant init at "bench/check-ce/ref_ex.mlw", line 40, characters 14-36) File "bench/check-ce/ref_ex.mlw", line 34, characters 12-23: Sub-goal Postcondition of goal test_loop'vc. Prover result is: Unknown or time/memory/step limit. Sorry, we don't have a good counterexample for you :( why3-1.6.0/bench/check-ce/oracles/ref_ex_CVC5,1.0.0_WP.oracle000066400000000000000000000205161440160026300230370ustar00rootroot00000000000000Categorizations of models: - Selected model 0: NC - Concrete RAC: FAILURE (postcondition at "bench/check-ce/ref_ex.mlw", line 9, characters 14-25) - Abstract RAC: FAILURE (postcondition at "bench/check-ce/ref_ex.mlw", line 9, characters 14-25) - Checked model 1: NC - Concrete RAC: FAILURE (postcondition at "bench/check-ce/ref_ex.mlw", line 9, characters 14-25) - Abstract RAC: FAILURE (postcondition at "bench/check-ce/ref_ex.mlw", line 9, characters 14-25) File "bench/check-ce/ref_ex.mlw", line 9, characters 14-25: Sub-goal Postcondition of goal test_post'vc. Prover result is: Unknown or time/memory/step limit. The program does not comply to the verification goal, for example during the following execution: File int.mlw: Line 13: Constant zero initialization zero = 0 Line 14: Constant one initialization one = 1 File ref_ex.mlw: Line 8: x = 0 y = {contents= (- 1)} x = 0 y = {contents= (- 1)} Execution of main function `test_post` with env: x = 0 y = {contents= (- 1)} zero = 0 one = 1 Line 11: Normal execution of function `(!)` with args: r = {contents= (- 1)} File ref.mlw: Line 18: Normal execution of function `contents` with args: arg = {contents= (- 1)} File ref_ex.mlw: Line 11: Normal execution of function `(-)` with args: x = 0 y = 1 File int.mlw: Line 23: Normal execution of function `(-_)` with args: _ = 1 Normal execution of function `(+)` with args: _ = 0 _ = (-1) File ref_ex.mlw: Line 11: Normal execution of function `(+)` with args: _ = (-1) _ = (- 1) Normal execution of function `(:=)` with args: r = {contents= (- 1)} v = (-2) Line 9: Property failure at postcondition of `test_post` with: x = 0 y = {contents= (- 1)} Categorizations of models: - Selected model 0: NC - Concrete RAC: FAILURE (postcondition at "bench/check-ce/ref_ex.mlw", line 15, characters 14-29) - Abstract RAC: FAILURE (postcondition at "bench/check-ce/ref_ex.mlw", line 15, characters 14-29) - Checked model 1: NC - Concrete RAC: FAILURE (postcondition at "bench/check-ce/ref_ex.mlw", line 15, characters 14-29) - Abstract RAC: FAILURE (postcondition at "bench/check-ce/ref_ex.mlw", line 15, characters 14-29) File "bench/check-ce/ref_ex.mlw", line 15, characters 14-29: Sub-goal Postcondition of goal test_post2'vc. Prover result is: Unknown or time/memory/step limit. The program does not comply to the verification goal, for example during the following execution: File int.mlw: Line 13: Constant zero initialization zero = 0 Line 14: Constant one initialization one = 1 File ref_ex.mlw: Line 13: x = 43 y = {contents= 0} x = 43 y = {contents= 0} Execution of main function `test_post2` with env: x = 43 y = {contents= 0} zero = 0 one = 1 Line 17: Normal execution of function `(!)` with args: r = {contents= 0} File ref.mlw: Line 18: Normal execution of function `contents` with args: arg = {contents= 0} File ref_ex.mlw: Line 17: Normal execution of function `(-)` with args: x = 43 y = 1 File int.mlw: Line 23: Normal execution of function `(-_)` with args: _ = 1 Normal execution of function `(+)` with args: _ = 43 _ = (-1) File ref_ex.mlw: Line 17: Normal execution of function `(+)` with args: _ = 42 _ = 0 Normal execution of function `(:=)` with args: r = {contents= 0} v = 42 Line 15: Property failure at postcondition of `test_post2` with: x = 43 y = {contents= 42} y = {contents= 0} Categorizations of models: - Selected model 0: NC - Concrete RAC: FAILURE (postcondition at "bench/check-ce/ref_ex.mlw", line 26, characters 12-36) - Abstract RAC: FAILURE (postcondition at "bench/check-ce/ref_ex.mlw", line 26, characters 12-36) - Checked model 1: NC - Concrete RAC: FAILURE (postcondition at "bench/check-ce/ref_ex.mlw", line 26, characters 12-36) - Abstract RAC: FAILURE (postcondition at "bench/check-ce/ref_ex.mlw", line 26, characters 12-36) File "bench/check-ce/ref_ex.mlw", line 26, characters 12-36: Sub-goal Postcondition of goal incr'vc. Prover result is: Unknown or time/memory/step limit. The program does not comply to the verification goal, for example during the following execution: File int.mlw: Line 13: Constant zero initialization zero = 0 Line 14: Constant one initialization one = 1 File ref_ex.mlw: Line 23: y = {contents= (- 1)} Line 25: x23 = {contents= 0} x23 = {contents= 0} Execution of main function `incr` with env: y = {contents= (- 1)} x23 = {contents= 0} zero = 0 one = 1 Line 29: Normal execution of function `(!)` with args: r = {contents= (- 1)} File ref.mlw: Line 18: Normal execution of function `contents` with args: arg = {contents= (- 1)} File ref_ex.mlw: Line 29: Normal execution of function `(+)` with args: _ = (- 1) _ = 1 Normal execution of function `(:=)` with args: r = {contents= (- 1)} v = 0 Line 30: Normal execution of function `(!)` with args: r = {contents= 0} File ref.mlw: Line 18: Normal execution of function `contents` with args: arg = {contents= 0} File ref_ex.mlw: Line 30: Normal execution of function `(+)` with args: _ = 0 _ = 1 Normal execution of function `(:=)` with args: r = {contents= 0} v = 1 Line 31: Normal execution of function `(!)` with args: r = {contents= 1} File ref.mlw: Line 18: Normal execution of function `contents` with args: arg = {contents= 1} File ref_ex.mlw: Line 31: Normal execution of function `(+)` with args: _ = 1 _ = 1 Normal execution of function `(:=)` with args: r = {contents= 1} v = 2 Line 26: Property failure at postcondition of `incr` with: x23 = {contents= 2} x23 = {contents= 0} y = {contents= (- 1)} Categorizations of models: - Checked model 0: BAD_CE - Concrete RAC: FAILURE (postcondition at "bench/check-ce/ref_ex.mlw", line 37, characters 2-8) - Abstract RAC: FAILURE (loop invariant init at "bench/check-ce/ref_ex.mlw", line 40, characters 14-36) - Selected model 1: BAD_CE - Concrete RAC: FAILURE (postcondition at "bench/check-ce/ref_ex.mlw", line 37, characters 2-8) - Abstract RAC: FAILURE (loop invariant init at "bench/check-ce/ref_ex.mlw", line 40, characters 14-36) File "bench/check-ce/ref_ex.mlw", line 40, characters 14-36: Sub-goal Loop invariant init of goal test_loop'vc. Prover result is: Unknown or time/memory/step limit. Sorry, we don't have a good counterexample for you :( File "bench/check-ce/ref_ex.mlw", line 41, characters 12-14: Sub-goal Loop variant decrease of goal test_loop'vc. Prover result is: Valid. Categorizations of models: - Checked model 0: BAD_CE - Concrete RAC: FAILURE (postcondition at "bench/check-ce/ref_ex.mlw", line 37, characters 2-8) - Abstract RAC: FAILURE (loop invariant init at "bench/check-ce/ref_ex.mlw", line 40, characters 14-36) - Selected model 1: BAD_CE - Concrete RAC: FAILURE (postcondition at "bench/check-ce/ref_ex.mlw", line 37, characters 2-8) - Abstract RAC: FAILURE (loop invariant init at "bench/check-ce/ref_ex.mlw", line 40, characters 14-36) File "bench/check-ce/ref_ex.mlw", line 40, characters 14-36: Sub-goal Loop invariant preservation of goal test_loop'vc. Prover result is: Unknown or time/memory/step limit. Sorry, we don't have a good counterexample for you :( Categorizations of models: - Checked model 0: BAD_CE - Concrete RAC: FAILURE (postcondition at "bench/check-ce/ref_ex.mlw", line 37, characters 2-8) - Abstract RAC: FAILURE (loop invariant init at "bench/check-ce/ref_ex.mlw", line 40, characters 14-36) - Selected model 1: BAD_CE - Concrete RAC: FAILURE (postcondition at "bench/check-ce/ref_ex.mlw", line 37, characters 2-8) - Abstract RAC: FAILURE (loop invariant init at "bench/check-ce/ref_ex.mlw", line 40, characters 14-36) File "bench/check-ce/ref_ex.mlw", line 34, characters 12-23: Sub-goal Postcondition of goal test_loop'vc. Prover result is: Unknown or time/memory/step limit. Sorry, we don't have a good counterexample for you :( why3-1.6.0/bench/check-ce/oracles/ref_ex_Z3,4.8.10_SP.oracle000066400000000000000000000300271440160026300227210ustar00rootroot00000000000000Categorizations of models: - Selected model 0: NC - Concrete RAC: FAILURE (postcondition at "bench/check-ce/ref_ex.mlw", line 9, characters 14-25) - Abstract RAC: FAILURE (postcondition at "bench/check-ce/ref_ex.mlw", line 9, characters 14-25) - Checked model 1: BAD_CE - Concrete RAC: NORMAL - Abstract RAC: STUCK (failure in postcondition of `(:=)` at "WHY3DATA/stdlib/ref.mlw", line 20, characters 39-44) File "bench/check-ce/ref_ex.mlw", line 9, characters 14-25: Sub-goal Postcondition of goal test_post'vc. Prover result is: Unknown or time/memory/step limit. The program does not comply to the verification goal, for example during the following execution: File int.mlw: Line 13: Constant zero initialization zero = 0 Line 14: Constant one initialization one = 1 File ref_ex.mlw: Line 8: x = 0 y = {contents= (- 1)} x = 0 y = {contents= (- 1)} Execution of main function `test_post` with env: x = 0 y = {contents= (- 1)} zero = 0 one = 1 Line 11: Normal execution of function `(!)` with args: r = {contents= (- 1)} File ref.mlw: Line 18: Normal execution of function `contents` with args: arg = {contents= (- 1)} File ref_ex.mlw: Line 11: Normal execution of function `(-)` with args: x = 0 y = 1 File int.mlw: Line 23: Normal execution of function `(-_)` with args: _ = 1 Normal execution of function `(+)` with args: _ = 0 _ = (-1) File ref_ex.mlw: Line 11: Normal execution of function `(+)` with args: _ = (-1) _ = (- 1) Normal execution of function `(:=)` with args: r = {contents= (- 1)} v = (-2) Line 9: Property failure at postcondition of `test_post` with: x = 0 y = {contents= (- 1)} Categorizations of models: - Selected model 0: NC - Concrete RAC: FAILURE (postcondition at "bench/check-ce/ref_ex.mlw", line 15, characters 14-29) - Abstract RAC: FAILURE (postcondition at "bench/check-ce/ref_ex.mlw", line 15, characters 14-29) - Checked model 1: BAD_CE - Concrete RAC: STUCK (failure in precondition of `test_post2` at "bench/check-ce/ref_ex.mlw", line 13, characters 6-16) - Abstract RAC: STUCK (failure in precondition of `test_post2` at "bench/check-ce/ref_ex.mlw", line 13, characters 6-16) File "bench/check-ce/ref_ex.mlw", line 15, characters 14-29: Sub-goal Postcondition of goal test_post2'vc. Prover result is: Unknown or time/memory/step limit. The program does not comply to the verification goal, for example during the following execution: File int.mlw: Line 13: Constant zero initialization zero = 0 Line 14: Constant one initialization one = 1 File ref_ex.mlw: Line 13: x = 43 y = {contents= 0} x = 43 y = {contents= 0} Execution of main function `test_post2` with env: x = 43 y = {contents= 0} zero = 0 one = 1 Line 17: Normal execution of function `(!)` with args: r = {contents= 0} File ref.mlw: Line 18: Normal execution of function `contents` with args: arg = {contents= 0} File ref_ex.mlw: Line 17: Normal execution of function `(-)` with args: x = 43 y = 1 File int.mlw: Line 23: Normal execution of function `(-_)` with args: _ = 1 Normal execution of function `(+)` with args: _ = 43 _ = (-1) File ref_ex.mlw: Line 17: Normal execution of function `(+)` with args: _ = 42 _ = 0 Normal execution of function `(:=)` with args: r = {contents= 0} v = 42 Line 15: Property failure at postcondition of `test_post2` with: x = 43 y = {contents= 42} y = {contents= 0} Categorizations of models: - Selected model 0: NC - Concrete RAC: FAILURE (postcondition at "bench/check-ce/ref_ex.mlw", line 26, characters 12-36) - Abstract RAC: FAILURE (postcondition at "bench/check-ce/ref_ex.mlw", line 26, characters 12-36) - Checked model 1: BAD_CE - Concrete RAC: NORMAL - Abstract RAC: STUCK (failure in postcondition of `(:=)` at "WHY3DATA/stdlib/ref.mlw", line 20, characters 39-44) File "bench/check-ce/ref_ex.mlw", line 26, characters 12-36: Sub-goal Postcondition of goal incr'vc. Prover result is: Unknown or time/memory/step limit. The program does not comply to the verification goal, for example during the following execution: File int.mlw: Line 13: Constant zero initialization zero = 0 Line 14: Constant one initialization one = 1 File ref_ex.mlw: Line 23: y = {contents= (- 1)} Line 25: x23 = {contents= 174} x23 = {contents= 174} Execution of main function `incr` with env: y = {contents= (- 1)} x23 = {contents= 174} zero = 0 one = 1 Line 29: Normal execution of function `(!)` with args: r = {contents= (- 1)} File ref.mlw: Line 18: Normal execution of function `contents` with args: arg = {contents= (- 1)} File ref_ex.mlw: Line 29: Normal execution of function `(+)` with args: _ = (- 1) _ = 1 Normal execution of function `(:=)` with args: r = {contents= (- 1)} v = 0 Line 30: Normal execution of function `(!)` with args: r = {contents= 174} File ref.mlw: Line 18: Normal execution of function `contents` with args: arg = {contents= 174} File ref_ex.mlw: Line 30: Normal execution of function `(+)` with args: _ = 174 _ = 1 Normal execution of function `(:=)` with args: r = {contents= 174} v = 175 Line 31: Normal execution of function `(!)` with args: r = {contents= 175} File ref.mlw: Line 18: Normal execution of function `contents` with args: arg = {contents= 175} File ref_ex.mlw: Line 31: Normal execution of function `(+)` with args: _ = 175 _ = 1 Normal execution of function `(:=)` with args: r = {contents= 175} v = 176 Line 26: Property failure at postcondition of `incr` with: x23 = {contents= 176} x23 = {contents= 174} y = {contents= (- 1)} Categorizations of models: - Checked model 0: BAD_CE - Concrete RAC: FAILURE (postcondition at "bench/check-ce/ref_ex.mlw", line 37, characters 2-8) - Abstract RAC: FAILURE (loop invariant init at "bench/check-ce/ref_ex.mlw", line 40, characters 14-36) - Selected model 1: NC - Concrete RAC: FAILURE (loop invariant init at "bench/check-ce/ref_ex.mlw", line 40, characters 14-36) - Abstract RAC: STUCK (failure in postcondition of `incr` at "bench/check-ce/ref_ex.mlw", line 26, characters 12-36) File "bench/check-ce/ref_ex.mlw", line 40, characters 14-36: Sub-goal Loop invariant init of goal test_loop'vc. Prover result is: Unknown or time/memory/step limit. The program does not comply to the verification goal, for example during the following execution: File int.mlw: Line 13: Constant zero initialization zero = 0 Line 14: Constant one initialization one = 1 File ref_ex.mlw: Line 23: Constant y initialization (giant-step) execution of unimplemented function with args: result = {contents= 0} y = {contents= 0} Line 33: x = {contents= 0} x = {contents= 0} Execution of main function `test_loop` with env: y = {contents= 0} x = {contents= 0} zero = 0 one = 1 Line 37: Normal execution of function `incr` with args: x23 = {contents= 0} Line 29: Normal execution of function `(!)` with args: r = {contents= 0} File ref.mlw: Line 18: Normal execution of function `contents` with args: arg = {contents= 0} File ref_ex.mlw: Line 29: Normal execution of function `(+)` with args: _ = 0 _ = 1 Normal execution of function `(:=)` with args: r = {contents= 0} v = 1 Line 30: Normal execution of function `(!)` with args: r = {contents= 0} File ref.mlw: Line 18: Normal execution of function `contents` with args: arg = {contents= 0} File ref_ex.mlw: Line 30: Normal execution of function `(+)` with args: _ = 0 _ = 1 Normal execution of function `(:=)` with args: r = {contents= 0} v = 1 Line 31: Normal execution of function `(!)` with args: r = {contents= 1} File ref.mlw: Line 18: Normal execution of function `contents` with args: arg = {contents= 1} File ref_ex.mlw: Line 31: Normal execution of function `(+)` with args: _ = 1 _ = 1 Normal execution of function `(:=)` with args: r = {contents= 1} v = 2 Line 40: Property failure at loop invariant init with: x = {contents= 2} x = ref'mk 0 x = ref'mk 2 File "bench/check-ce/ref_ex.mlw", line 41, characters 12-14: Sub-goal Loop variant decrease of goal test_loop'vc. Prover result is: Valid. Categorizations of models: - Checked model 0: BAD_CE - Concrete RAC: FAILURE (postcondition at "bench/check-ce/ref_ex.mlw", line 37, characters 2-8) - Abstract RAC: FAILURE (loop invariant init at "bench/check-ce/ref_ex.mlw", line 40, characters 14-36) - Selected model 1: NC - Concrete RAC: FAILURE (loop invariant init at "bench/check-ce/ref_ex.mlw", line 40, characters 14-36) - Abstract RAC: STUCK (failure in postcondition of `incr` at "bench/check-ce/ref_ex.mlw", line 26, characters 12-36) File "bench/check-ce/ref_ex.mlw", line 40, characters 14-36: Sub-goal Loop invariant preservation of goal test_loop'vc. Prover result is: Unknown or time/memory/step limit. The program does not comply to the verification goal, for example during the following execution: File int.mlw: Line 13: Constant zero initialization zero = 0 Line 14: Constant one initialization one = 1 File ref_ex.mlw: Line 23: Constant y initialization (giant-step) execution of unimplemented function with args: result = {contents= 0} y = {contents= 0} Line 33: x = {contents= 0} x = {contents= 0} Execution of main function `test_loop` with env: y = {contents= 0} x = {contents= 0} zero = 0 one = 1 Line 37: Normal execution of function `incr` with args: x23 = {contents= 0} Line 29: Normal execution of function `(!)` with args: r = {contents= 0} File ref.mlw: Line 18: Normal execution of function `contents` with args: arg = {contents= 0} File ref_ex.mlw: Line 29: Normal execution of function `(+)` with args: _ = 0 _ = 1 Normal execution of function `(:=)` with args: r = {contents= 0} v = 1 Line 30: Normal execution of function `(!)` with args: r = {contents= 0} File ref.mlw: Line 18: Normal execution of function `contents` with args: arg = {contents= 0} File ref_ex.mlw: Line 30: Normal execution of function `(+)` with args: _ = 0 _ = 1 Normal execution of function `(:=)` with args: r = {contents= 0} v = 1 Line 31: Normal execution of function `(!)` with args: r = {contents= 1} File ref.mlw: Line 18: Normal execution of function `contents` with args: arg = {contents= 1} File ref_ex.mlw: Line 31: Normal execution of function `(+)` with args: _ = 1 _ = 1 Normal execution of function `(:=)` with args: r = {contents= 1} v = 2 Line 40: Property failure at loop invariant init with: x = {contents= 2} x = ref'mk 0 x = ref'mk 2 Categorizations of models: - Selected model 0: BAD_CE - Concrete RAC: FAILURE (postcondition at "bench/check-ce/ref_ex.mlw", line 37, characters 2-8) - Abstract RAC: FAILURE (loop invariant init at "bench/check-ce/ref_ex.mlw", line 40, characters 14-36) - Checked model 1: BAD_CE - Concrete RAC: FAILURE (loop invariant init at "bench/check-ce/ref_ex.mlw", line 40, characters 14-36) - Abstract RAC: STUCK (failure in postcondition of `incr` at "bench/check-ce/ref_ex.mlw", line 26, characters 12-36) File "bench/check-ce/ref_ex.mlw", line 34, characters 12-23: Sub-goal Postcondition of goal test_loop'vc. Prover result is: Unknown or time/memory/step limit. Sorry, we don't have a good counterexample for you :( why3-1.6.0/bench/check-ce/oracles/ref_ex_Z3,4.8.10_WP.oracle000066400000000000000000000300271440160026300227250ustar00rootroot00000000000000Categorizations of models: - Selected model 0: NC - Concrete RAC: FAILURE (postcondition at "bench/check-ce/ref_ex.mlw", line 9, characters 14-25) - Abstract RAC: FAILURE (postcondition at "bench/check-ce/ref_ex.mlw", line 9, characters 14-25) - Checked model 1: BAD_CE - Concrete RAC: NORMAL - Abstract RAC: STUCK (failure in postcondition of `(:=)` at "WHY3DATA/stdlib/ref.mlw", line 20, characters 39-44) File "bench/check-ce/ref_ex.mlw", line 9, characters 14-25: Sub-goal Postcondition of goal test_post'vc. Prover result is: Unknown or time/memory/step limit. The program does not comply to the verification goal, for example during the following execution: File int.mlw: Line 13: Constant zero initialization zero = 0 Line 14: Constant one initialization one = 1 File ref_ex.mlw: Line 8: x = 0 y = {contents= (- 1)} x = 0 y = {contents= (- 1)} Execution of main function `test_post` with env: x = 0 y = {contents= (- 1)} zero = 0 one = 1 Line 11: Normal execution of function `(!)` with args: r = {contents= (- 1)} File ref.mlw: Line 18: Normal execution of function `contents` with args: arg = {contents= (- 1)} File ref_ex.mlw: Line 11: Normal execution of function `(-)` with args: x = 0 y = 1 File int.mlw: Line 23: Normal execution of function `(-_)` with args: _ = 1 Normal execution of function `(+)` with args: _ = 0 _ = (-1) File ref_ex.mlw: Line 11: Normal execution of function `(+)` with args: _ = (-1) _ = (- 1) Normal execution of function `(:=)` with args: r = {contents= (- 1)} v = (-2) Line 9: Property failure at postcondition of `test_post` with: x = 0 y = {contents= (- 1)} Categorizations of models: - Selected model 0: NC - Concrete RAC: FAILURE (postcondition at "bench/check-ce/ref_ex.mlw", line 15, characters 14-29) - Abstract RAC: FAILURE (postcondition at "bench/check-ce/ref_ex.mlw", line 15, characters 14-29) - Checked model 1: BAD_CE - Concrete RAC: STUCK (failure in precondition of `test_post2` at "bench/check-ce/ref_ex.mlw", line 13, characters 6-16) - Abstract RAC: STUCK (failure in precondition of `test_post2` at "bench/check-ce/ref_ex.mlw", line 13, characters 6-16) File "bench/check-ce/ref_ex.mlw", line 15, characters 14-29: Sub-goal Postcondition of goal test_post2'vc. Prover result is: Unknown or time/memory/step limit. The program does not comply to the verification goal, for example during the following execution: File int.mlw: Line 13: Constant zero initialization zero = 0 Line 14: Constant one initialization one = 1 File ref_ex.mlw: Line 13: x = 43 y = {contents= 0} x = 43 y = {contents= 0} Execution of main function `test_post2` with env: x = 43 y = {contents= 0} zero = 0 one = 1 Line 17: Normal execution of function `(!)` with args: r = {contents= 0} File ref.mlw: Line 18: Normal execution of function `contents` with args: arg = {contents= 0} File ref_ex.mlw: Line 17: Normal execution of function `(-)` with args: x = 43 y = 1 File int.mlw: Line 23: Normal execution of function `(-_)` with args: _ = 1 Normal execution of function `(+)` with args: _ = 43 _ = (-1) File ref_ex.mlw: Line 17: Normal execution of function `(+)` with args: _ = 42 _ = 0 Normal execution of function `(:=)` with args: r = {contents= 0} v = 42 Line 15: Property failure at postcondition of `test_post2` with: x = 43 y = {contents= 42} y = {contents= 0} Categorizations of models: - Selected model 0: NC - Concrete RAC: FAILURE (postcondition at "bench/check-ce/ref_ex.mlw", line 26, characters 12-36) - Abstract RAC: FAILURE (postcondition at "bench/check-ce/ref_ex.mlw", line 26, characters 12-36) - Checked model 1: BAD_CE - Concrete RAC: NORMAL - Abstract RAC: STUCK (failure in postcondition of `(:=)` at "WHY3DATA/stdlib/ref.mlw", line 20, characters 39-44) File "bench/check-ce/ref_ex.mlw", line 26, characters 12-36: Sub-goal Postcondition of goal incr'vc. Prover result is: Unknown or time/memory/step limit. The program does not comply to the verification goal, for example during the following execution: File int.mlw: Line 13: Constant zero initialization zero = 0 Line 14: Constant one initialization one = 1 File ref_ex.mlw: Line 23: y = {contents= (- 1)} Line 25: x23 = {contents= 174} x23 = {contents= 174} Execution of main function `incr` with env: y = {contents= (- 1)} x23 = {contents= 174} zero = 0 one = 1 Line 29: Normal execution of function `(!)` with args: r = {contents= (- 1)} File ref.mlw: Line 18: Normal execution of function `contents` with args: arg = {contents= (- 1)} File ref_ex.mlw: Line 29: Normal execution of function `(+)` with args: _ = (- 1) _ = 1 Normal execution of function `(:=)` with args: r = {contents= (- 1)} v = 0 Line 30: Normal execution of function `(!)` with args: r = {contents= 174} File ref.mlw: Line 18: Normal execution of function `contents` with args: arg = {contents= 174} File ref_ex.mlw: Line 30: Normal execution of function `(+)` with args: _ = 174 _ = 1 Normal execution of function `(:=)` with args: r = {contents= 174} v = 175 Line 31: Normal execution of function `(!)` with args: r = {contents= 175} File ref.mlw: Line 18: Normal execution of function `contents` with args: arg = {contents= 175} File ref_ex.mlw: Line 31: Normal execution of function `(+)` with args: _ = 175 _ = 1 Normal execution of function `(:=)` with args: r = {contents= 175} v = 176 Line 26: Property failure at postcondition of `incr` with: x23 = {contents= 176} x23 = {contents= 174} y = {contents= (- 1)} Categorizations of models: - Checked model 0: BAD_CE - Concrete RAC: FAILURE (postcondition at "bench/check-ce/ref_ex.mlw", line 37, characters 2-8) - Abstract RAC: FAILURE (loop invariant init at "bench/check-ce/ref_ex.mlw", line 40, characters 14-36) - Selected model 1: NC - Concrete RAC: FAILURE (loop invariant init at "bench/check-ce/ref_ex.mlw", line 40, characters 14-36) - Abstract RAC: STUCK (failure in postcondition of `incr` at "bench/check-ce/ref_ex.mlw", line 26, characters 12-36) File "bench/check-ce/ref_ex.mlw", line 40, characters 14-36: Sub-goal Loop invariant init of goal test_loop'vc. Prover result is: Unknown or time/memory/step limit. The program does not comply to the verification goal, for example during the following execution: File int.mlw: Line 13: Constant zero initialization zero = 0 Line 14: Constant one initialization one = 1 File ref_ex.mlw: Line 23: Constant y initialization (giant-step) execution of unimplemented function with args: result = {contents= 0} y = {contents= 0} Line 33: x = {contents= 0} x = {contents= 0} Execution of main function `test_loop` with env: y = {contents= 0} x = {contents= 0} zero = 0 one = 1 Line 37: Normal execution of function `incr` with args: x23 = {contents= 0} Line 29: Normal execution of function `(!)` with args: r = {contents= 0} File ref.mlw: Line 18: Normal execution of function `contents` with args: arg = {contents= 0} File ref_ex.mlw: Line 29: Normal execution of function `(+)` with args: _ = 0 _ = 1 Normal execution of function `(:=)` with args: r = {contents= 0} v = 1 Line 30: Normal execution of function `(!)` with args: r = {contents= 0} File ref.mlw: Line 18: Normal execution of function `contents` with args: arg = {contents= 0} File ref_ex.mlw: Line 30: Normal execution of function `(+)` with args: _ = 0 _ = 1 Normal execution of function `(:=)` with args: r = {contents= 0} v = 1 Line 31: Normal execution of function `(!)` with args: r = {contents= 1} File ref.mlw: Line 18: Normal execution of function `contents` with args: arg = {contents= 1} File ref_ex.mlw: Line 31: Normal execution of function `(+)` with args: _ = 1 _ = 1 Normal execution of function `(:=)` with args: r = {contents= 1} v = 2 Line 40: Property failure at loop invariant init with: x = {contents= 2} x = ref'mk 0 x = ref'mk 2 File "bench/check-ce/ref_ex.mlw", line 41, characters 12-14: Sub-goal Loop variant decrease of goal test_loop'vc. Prover result is: Valid. Categorizations of models: - Checked model 0: BAD_CE - Concrete RAC: FAILURE (postcondition at "bench/check-ce/ref_ex.mlw", line 37, characters 2-8) - Abstract RAC: FAILURE (loop invariant init at "bench/check-ce/ref_ex.mlw", line 40, characters 14-36) - Selected model 1: NC - Concrete RAC: FAILURE (loop invariant init at "bench/check-ce/ref_ex.mlw", line 40, characters 14-36) - Abstract RAC: STUCK (failure in postcondition of `incr` at "bench/check-ce/ref_ex.mlw", line 26, characters 12-36) File "bench/check-ce/ref_ex.mlw", line 40, characters 14-36: Sub-goal Loop invariant preservation of goal test_loop'vc. Prover result is: Unknown or time/memory/step limit. The program does not comply to the verification goal, for example during the following execution: File int.mlw: Line 13: Constant zero initialization zero = 0 Line 14: Constant one initialization one = 1 File ref_ex.mlw: Line 23: Constant y initialization (giant-step) execution of unimplemented function with args: result = {contents= 0} y = {contents= 0} Line 33: x = {contents= 0} x = {contents= 0} Execution of main function `test_loop` with env: y = {contents= 0} x = {contents= 0} zero = 0 one = 1 Line 37: Normal execution of function `incr` with args: x23 = {contents= 0} Line 29: Normal execution of function `(!)` with args: r = {contents= 0} File ref.mlw: Line 18: Normal execution of function `contents` with args: arg = {contents= 0} File ref_ex.mlw: Line 29: Normal execution of function `(+)` with args: _ = 0 _ = 1 Normal execution of function `(:=)` with args: r = {contents= 0} v = 1 Line 30: Normal execution of function `(!)` with args: r = {contents= 0} File ref.mlw: Line 18: Normal execution of function `contents` with args: arg = {contents= 0} File ref_ex.mlw: Line 30: Normal execution of function `(+)` with args: _ = 0 _ = 1 Normal execution of function `(:=)` with args: r = {contents= 0} v = 1 Line 31: Normal execution of function `(!)` with args: r = {contents= 1} File ref.mlw: Line 18: Normal execution of function `contents` with args: arg = {contents= 1} File ref_ex.mlw: Line 31: Normal execution of function `(+)` with args: _ = 1 _ = 1 Normal execution of function `(:=)` with args: r = {contents= 1} v = 2 Line 40: Property failure at loop invariant init with: x = {contents= 2} x = ref'mk 0 x = ref'mk 2 Categorizations of models: - Selected model 0: BAD_CE - Concrete RAC: FAILURE (postcondition at "bench/check-ce/ref_ex.mlw", line 37, characters 2-8) - Abstract RAC: FAILURE (loop invariant init at "bench/check-ce/ref_ex.mlw", line 40, characters 14-36) - Checked model 1: BAD_CE - Concrete RAC: FAILURE (loop invariant init at "bench/check-ce/ref_ex.mlw", line 40, characters 14-36) - Abstract RAC: STUCK (failure in postcondition of `incr` at "bench/check-ce/ref_ex.mlw", line 26, characters 12-36) File "bench/check-ce/ref_ex.mlw", line 34, characters 12-23: Sub-goal Postcondition of goal test_loop'vc. Prover result is: Unknown or time/memory/step limit. Sorry, we don't have a good counterexample for you :( why3-1.6.0/bench/check-ce/oracles/ref_ex_mono_CVC4,1.8_SP.oracle000066400000000000000000000164371440160026300237430ustar00rootroot00000000000000Categorizations of models: - Selected model 0: NC - Concrete RAC: FAILURE (postcondition at "bench/check-ce/ref_ex_mono.mlw", line 10, characters 14-26) - Abstract RAC: FAILURE (postcondition at "bench/check-ce/ref_ex_mono.mlw", line 10, characters 14-26) - Checked model 1: NC - Concrete RAC: FAILURE (postcondition at "bench/check-ce/ref_ex_mono.mlw", line 10, characters 14-26) - Abstract RAC: FAILURE (postcondition at "bench/check-ce/ref_ex_mono.mlw", line 10, characters 14-26) File "bench/check-ce/ref_ex_mono.mlw", line 10, characters 14-26: Sub-goal Postcondition of goal test_post'vc. Prover result is: Unknown or time/memory/step limit. The program does not comply to the verification goal, for example during the following execution: File int.mlw: Line 13: Constant zero initialization zero = 0 Line 14: Constant one initialization one = 1 File ref_ex_mono.mlw: Line 9: x = 0 y = {c1= (- 1)} x = 0 y = {c1= (- 1)} Execution of main function `test_post` with env: x = 0 y = {c1= (- 1)} zero = 0 one = 1 Line 12: Normal execution of function `c` with args: arg = {c1= (- 1)} Normal execution of function `(-)` with args: x = 0 y = 1 File int.mlw: Line 23: Normal execution of function `(-_)` with args: _ = 1 Normal execution of function `(+)` with args: _ = 0 _ = (-1) File ref_ex_mono.mlw: Line 12: Normal execution of function `(+)` with args: _ = (-1) _ = (- 1) Line 10: Property failure at postcondition of `test_post` with: x = 0 y = {c1= (- 1)} Categorizations of models: - Selected model 0: NC - Concrete RAC: FAILURE (postcondition at "bench/check-ce/ref_ex_mono.mlw", line 16, characters 14-31) - Abstract RAC: FAILURE (postcondition at "bench/check-ce/ref_ex_mono.mlw", line 16, characters 14-31) - Checked model 1: NC - Concrete RAC: FAILURE (postcondition at "bench/check-ce/ref_ex_mono.mlw", line 16, characters 14-31) - Abstract RAC: FAILURE (postcondition at "bench/check-ce/ref_ex_mono.mlw", line 16, characters 14-31) File "bench/check-ce/ref_ex_mono.mlw", line 16, characters 14-31: Sub-goal Postcondition of goal test_post2'vc. Prover result is: Unknown or time/memory/step limit. The program does not comply to the verification goal, for example during the following execution: File int.mlw: Line 13: Constant zero initialization zero = 0 Line 14: Constant one initialization one = 1 File ref_ex_mono.mlw: Line 14: x = 43 y = {c1= 0} x = 43 y = {c1= 0} Execution of main function `test_post2` with env: x = 43 y = {c1= 0} zero = 0 one = 1 Line 18: Normal execution of function `c` with args: arg = {c1= 0} Normal execution of function `(-)` with args: x = 43 y = 1 File int.mlw: Line 23: Normal execution of function `(-_)` with args: _ = 1 Normal execution of function `(+)` with args: _ = 43 _ = (-1) File ref_ex_mono.mlw: Line 18: Normal execution of function `(+)` with args: _ = 42 _ = 0 Line 16: Property failure at postcondition of `test_post2` with: x = 43 y = {c1= 42} y = {c1= 0} Categorizations of models: - Selected model 0: NC - Concrete RAC: FAILURE (postcondition at "bench/check-ce/ref_ex_mono.mlw", line 27, characters 12-39) - Abstract RAC: FAILURE (postcondition at "bench/check-ce/ref_ex_mono.mlw", line 27, characters 12-39) - Checked model 1: NC - Concrete RAC: FAILURE (postcondition at "bench/check-ce/ref_ex_mono.mlw", line 27, characters 12-39) - Abstract RAC: FAILURE (postcondition at "bench/check-ce/ref_ex_mono.mlw", line 27, characters 12-39) File "bench/check-ce/ref_ex_mono.mlw", line 27, characters 12-39: Sub-goal Postcondition of goal incr'vc. Prover result is: Unknown or time/memory/step limit. The program does not comply to the verification goal, for example during the following execution: File int.mlw: Line 13: Constant zero initialization zero = 0 Line 14: Constant one initialization one = 1 File ref_ex_mono.mlw: Line 24: y = {c1= (- 1)} Line 26: x23 = {c1= 0} x23 = {c1= 0} Execution of main function `incr` with env: y = {c1= (- 1)} x23 = {c1= 0} zero = 0 one = 1 Line 30: Normal execution of function `c` with args: arg = {c1= (- 1)} Normal execution of function `(+)` with args: _ = (- 1) _ = 1 Line 31: Normal execution of function `c` with args: arg = {c1= 0} Normal execution of function `(+)` with args: _ = 0 _ = 1 Line 32: Normal execution of function `c` with args: arg = {c1= 1} Normal execution of function `(+)` with args: _ = 1 _ = 1 Line 27: Property failure at postcondition of `incr` with: x23 = {c1= 2} x23 = {c1= 0} y = {c1= (- 1)} Categorizations of models: - Checked model 0: BAD_CE - Concrete RAC: FAILURE (postcondition at "bench/check-ce/ref_ex_mono.mlw", line 38, characters 2-8) - Abstract RAC: FAILURE (loop invariant init at "bench/check-ce/ref_ex_mono.mlw", line 41, characters 14-39) - Selected model 1: BAD_CE - Concrete RAC: FAILURE (postcondition at "bench/check-ce/ref_ex_mono.mlw", line 38, characters 2-8) - Abstract RAC: FAILURE (loop invariant init at "bench/check-ce/ref_ex_mono.mlw", line 41, characters 14-39) File "bench/check-ce/ref_ex_mono.mlw", line 41, characters 14-39: Sub-goal Loop invariant init of goal test_loop'vc. Prover result is: Unknown or time/memory/step limit. Sorry, we don't have a good counterexample for you :( File "bench/check-ce/ref_ex_mono.mlw", line 42, characters 12-15: Sub-goal Loop variant decrease of goal test_loop'vc. Prover result is: Valid. Categorizations of models: - Checked model 0: BAD_CE - Concrete RAC: FAILURE (postcondition at "bench/check-ce/ref_ex_mono.mlw", line 38, characters 2-8) - Abstract RAC: FAILURE (loop invariant init at "bench/check-ce/ref_ex_mono.mlw", line 41, characters 14-39) - Selected model 1: BAD_CE - Concrete RAC: FAILURE (postcondition at "bench/check-ce/ref_ex_mono.mlw", line 38, characters 2-8) - Abstract RAC: FAILURE (loop invariant init at "bench/check-ce/ref_ex_mono.mlw", line 41, characters 14-39) File "bench/check-ce/ref_ex_mono.mlw", line 41, characters 14-39: Sub-goal Loop invariant preservation of goal test_loop'vc. Prover result is: Unknown or time/memory/step limit. Sorry, we don't have a good counterexample for you :( Categorizations of models: - Checked model 0: BAD_CE - Concrete RAC: FAILURE (postcondition at "bench/check-ce/ref_ex_mono.mlw", line 38, characters 2-8) - Abstract RAC: FAILURE (loop invariant init at "bench/check-ce/ref_ex_mono.mlw", line 41, characters 14-39) - Selected model 1: BAD_CE - Concrete RAC: FAILURE (postcondition at "bench/check-ce/ref_ex_mono.mlw", line 38, characters 2-8) - Abstract RAC: FAILURE (loop invariant init at "bench/check-ce/ref_ex_mono.mlw", line 41, characters 14-39) File "bench/check-ce/ref_ex_mono.mlw", line 35, characters 12-25: Sub-goal Postcondition of goal test_loop'vc. Prover result is: Unknown or time/memory/step limit. Sorry, we don't have a good counterexample for you :( why3-1.6.0/bench/check-ce/oracles/ref_ex_mono_CVC4,1.8_WP.oracle000066400000000000000000000164371440160026300237470ustar00rootroot00000000000000Categorizations of models: - Selected model 0: NC - Concrete RAC: FAILURE (postcondition at "bench/check-ce/ref_ex_mono.mlw", line 10, characters 14-26) - Abstract RAC: FAILURE (postcondition at "bench/check-ce/ref_ex_mono.mlw", line 10, characters 14-26) - Checked model 1: NC - Concrete RAC: FAILURE (postcondition at "bench/check-ce/ref_ex_mono.mlw", line 10, characters 14-26) - Abstract RAC: FAILURE (postcondition at "bench/check-ce/ref_ex_mono.mlw", line 10, characters 14-26) File "bench/check-ce/ref_ex_mono.mlw", line 10, characters 14-26: Sub-goal Postcondition of goal test_post'vc. Prover result is: Unknown or time/memory/step limit. The program does not comply to the verification goal, for example during the following execution: File int.mlw: Line 13: Constant zero initialization zero = 0 Line 14: Constant one initialization one = 1 File ref_ex_mono.mlw: Line 9: x = 0 y = {c1= (- 1)} x = 0 y = {c1= (- 1)} Execution of main function `test_post` with env: x = 0 y = {c1= (- 1)} zero = 0 one = 1 Line 12: Normal execution of function `c` with args: arg = {c1= (- 1)} Normal execution of function `(-)` with args: x = 0 y = 1 File int.mlw: Line 23: Normal execution of function `(-_)` with args: _ = 1 Normal execution of function `(+)` with args: _ = 0 _ = (-1) File ref_ex_mono.mlw: Line 12: Normal execution of function `(+)` with args: _ = (-1) _ = (- 1) Line 10: Property failure at postcondition of `test_post` with: x = 0 y = {c1= (- 1)} Categorizations of models: - Selected model 0: NC - Concrete RAC: FAILURE (postcondition at "bench/check-ce/ref_ex_mono.mlw", line 16, characters 14-31) - Abstract RAC: FAILURE (postcondition at "bench/check-ce/ref_ex_mono.mlw", line 16, characters 14-31) - Checked model 1: NC - Concrete RAC: FAILURE (postcondition at "bench/check-ce/ref_ex_mono.mlw", line 16, characters 14-31) - Abstract RAC: FAILURE (postcondition at "bench/check-ce/ref_ex_mono.mlw", line 16, characters 14-31) File "bench/check-ce/ref_ex_mono.mlw", line 16, characters 14-31: Sub-goal Postcondition of goal test_post2'vc. Prover result is: Unknown or time/memory/step limit. The program does not comply to the verification goal, for example during the following execution: File int.mlw: Line 13: Constant zero initialization zero = 0 Line 14: Constant one initialization one = 1 File ref_ex_mono.mlw: Line 14: x = 43 y = {c1= 0} x = 43 y = {c1= 0} Execution of main function `test_post2` with env: x = 43 y = {c1= 0} zero = 0 one = 1 Line 18: Normal execution of function `c` with args: arg = {c1= 0} Normal execution of function `(-)` with args: x = 43 y = 1 File int.mlw: Line 23: Normal execution of function `(-_)` with args: _ = 1 Normal execution of function `(+)` with args: _ = 43 _ = (-1) File ref_ex_mono.mlw: Line 18: Normal execution of function `(+)` with args: _ = 42 _ = 0 Line 16: Property failure at postcondition of `test_post2` with: x = 43 y = {c1= 42} y = {c1= 0} Categorizations of models: - Selected model 0: NC - Concrete RAC: FAILURE (postcondition at "bench/check-ce/ref_ex_mono.mlw", line 27, characters 12-39) - Abstract RAC: FAILURE (postcondition at "bench/check-ce/ref_ex_mono.mlw", line 27, characters 12-39) - Checked model 1: NC - Concrete RAC: FAILURE (postcondition at "bench/check-ce/ref_ex_mono.mlw", line 27, characters 12-39) - Abstract RAC: FAILURE (postcondition at "bench/check-ce/ref_ex_mono.mlw", line 27, characters 12-39) File "bench/check-ce/ref_ex_mono.mlw", line 27, characters 12-39: Sub-goal Postcondition of goal incr'vc. Prover result is: Unknown or time/memory/step limit. The program does not comply to the verification goal, for example during the following execution: File int.mlw: Line 13: Constant zero initialization zero = 0 Line 14: Constant one initialization one = 1 File ref_ex_mono.mlw: Line 24: y = {c1= (- 1)} Line 26: x23 = {c1= 0} x23 = {c1= 0} Execution of main function `incr` with env: y = {c1= (- 1)} x23 = {c1= 0} zero = 0 one = 1 Line 30: Normal execution of function `c` with args: arg = {c1= (- 1)} Normal execution of function `(+)` with args: _ = (- 1) _ = 1 Line 31: Normal execution of function `c` with args: arg = {c1= 0} Normal execution of function `(+)` with args: _ = 0 _ = 1 Line 32: Normal execution of function `c` with args: arg = {c1= 1} Normal execution of function `(+)` with args: _ = 1 _ = 1 Line 27: Property failure at postcondition of `incr` with: x23 = {c1= 2} x23 = {c1= 0} y = {c1= (- 1)} Categorizations of models: - Checked model 0: BAD_CE - Concrete RAC: FAILURE (postcondition at "bench/check-ce/ref_ex_mono.mlw", line 38, characters 2-8) - Abstract RAC: FAILURE (loop invariant init at "bench/check-ce/ref_ex_mono.mlw", line 41, characters 14-39) - Selected model 1: BAD_CE - Concrete RAC: FAILURE (postcondition at "bench/check-ce/ref_ex_mono.mlw", line 38, characters 2-8) - Abstract RAC: FAILURE (loop invariant init at "bench/check-ce/ref_ex_mono.mlw", line 41, characters 14-39) File "bench/check-ce/ref_ex_mono.mlw", line 41, characters 14-39: Sub-goal Loop invariant init of goal test_loop'vc. Prover result is: Unknown or time/memory/step limit. Sorry, we don't have a good counterexample for you :( File "bench/check-ce/ref_ex_mono.mlw", line 42, characters 12-15: Sub-goal Loop variant decrease of goal test_loop'vc. Prover result is: Valid. Categorizations of models: - Checked model 0: BAD_CE - Concrete RAC: FAILURE (postcondition at "bench/check-ce/ref_ex_mono.mlw", line 38, characters 2-8) - Abstract RAC: FAILURE (loop invariant init at "bench/check-ce/ref_ex_mono.mlw", line 41, characters 14-39) - Selected model 1: BAD_CE - Concrete RAC: FAILURE (postcondition at "bench/check-ce/ref_ex_mono.mlw", line 38, characters 2-8) - Abstract RAC: FAILURE (loop invariant init at "bench/check-ce/ref_ex_mono.mlw", line 41, characters 14-39) File "bench/check-ce/ref_ex_mono.mlw", line 41, characters 14-39: Sub-goal Loop invariant preservation of goal test_loop'vc. Prover result is: Unknown or time/memory/step limit. Sorry, we don't have a good counterexample for you :( Categorizations of models: - Checked model 0: BAD_CE - Concrete RAC: FAILURE (postcondition at "bench/check-ce/ref_ex_mono.mlw", line 38, characters 2-8) - Abstract RAC: FAILURE (loop invariant init at "bench/check-ce/ref_ex_mono.mlw", line 41, characters 14-39) - Selected model 1: BAD_CE - Concrete RAC: FAILURE (postcondition at "bench/check-ce/ref_ex_mono.mlw", line 38, characters 2-8) - Abstract RAC: FAILURE (loop invariant init at "bench/check-ce/ref_ex_mono.mlw", line 41, characters 14-39) File "bench/check-ce/ref_ex_mono.mlw", line 35, characters 12-25: Sub-goal Postcondition of goal test_loop'vc. Prover result is: Unknown or time/memory/step limit. Sorry, we don't have a good counterexample for you :( why3-1.6.0/bench/check-ce/oracles/ref_ex_mono_CVC5,1.0.0_SP.oracle000066400000000000000000000164111440160026300240620ustar00rootroot00000000000000Categorizations of models: - Selected model 0: NC - Concrete RAC: FAILURE (postcondition at "bench/check-ce/ref_ex_mono.mlw", line 10, characters 14-26) - Abstract RAC: FAILURE (postcondition at "bench/check-ce/ref_ex_mono.mlw", line 10, characters 14-26) - Checked model 1: NC - Concrete RAC: FAILURE (postcondition at "bench/check-ce/ref_ex_mono.mlw", line 10, characters 14-26) - Abstract RAC: FAILURE (postcondition at "bench/check-ce/ref_ex_mono.mlw", line 10, characters 14-26) File "bench/check-ce/ref_ex_mono.mlw", line 10, characters 14-26: Sub-goal Postcondition of goal test_post'vc. Prover result is: Unknown or time/memory/step limit. The program does not comply to the verification goal, for example during the following execution: File int.mlw: Line 13: Constant zero initialization zero = 0 Line 14: Constant one initialization one = 1 File ref_ex_mono.mlw: Line 9: x = 0 y = {c= (- 1)} x = 0 y = {c= (- 1)} Execution of main function `test_post` with env: x = 0 y = {c= (- 1)} zero = 0 one = 1 Line 12: Normal execution of function `c` with args: arg = {c= (- 1)} Normal execution of function `(-)` with args: x = 0 y = 1 File int.mlw: Line 23: Normal execution of function `(-_)` with args: _ = 1 Normal execution of function `(+)` with args: _ = 0 _ = (-1) File ref_ex_mono.mlw: Line 12: Normal execution of function `(+)` with args: _ = (-1) _ = (- 1) Line 10: Property failure at postcondition of `test_post` with: x = 0 y = {c= (- 1)} Categorizations of models: - Selected model 0: NC - Concrete RAC: FAILURE (postcondition at "bench/check-ce/ref_ex_mono.mlw", line 16, characters 14-31) - Abstract RAC: FAILURE (postcondition at "bench/check-ce/ref_ex_mono.mlw", line 16, characters 14-31) - Checked model 1: NC - Concrete RAC: FAILURE (postcondition at "bench/check-ce/ref_ex_mono.mlw", line 16, characters 14-31) - Abstract RAC: FAILURE (postcondition at "bench/check-ce/ref_ex_mono.mlw", line 16, characters 14-31) File "bench/check-ce/ref_ex_mono.mlw", line 16, characters 14-31: Sub-goal Postcondition of goal test_post2'vc. Prover result is: Unknown or time/memory/step limit. The program does not comply to the verification goal, for example during the following execution: File int.mlw: Line 13: Constant zero initialization zero = 0 Line 14: Constant one initialization one = 1 File ref_ex_mono.mlw: Line 14: x = 43 y = {c= 0} x = 43 y = {c= 0} Execution of main function `test_post2` with env: x = 43 y = {c= 0} zero = 0 one = 1 Line 18: Normal execution of function `c` with args: arg = {c= 0} Normal execution of function `(-)` with args: x = 43 y = 1 File int.mlw: Line 23: Normal execution of function `(-_)` with args: _ = 1 Normal execution of function `(+)` with args: _ = 43 _ = (-1) File ref_ex_mono.mlw: Line 18: Normal execution of function `(+)` with args: _ = 42 _ = 0 Line 16: Property failure at postcondition of `test_post2` with: x = 43 y = {c= 42} y = {c= 0} Categorizations of models: - Selected model 0: NC - Concrete RAC: FAILURE (postcondition at "bench/check-ce/ref_ex_mono.mlw", line 27, characters 12-39) - Abstract RAC: FAILURE (postcondition at "bench/check-ce/ref_ex_mono.mlw", line 27, characters 12-39) - Checked model 1: NC - Concrete RAC: FAILURE (postcondition at "bench/check-ce/ref_ex_mono.mlw", line 27, characters 12-39) - Abstract RAC: FAILURE (postcondition at "bench/check-ce/ref_ex_mono.mlw", line 27, characters 12-39) File "bench/check-ce/ref_ex_mono.mlw", line 27, characters 12-39: Sub-goal Postcondition of goal incr'vc. Prover result is: Unknown or time/memory/step limit. The program does not comply to the verification goal, for example during the following execution: File int.mlw: Line 13: Constant zero initialization zero = 0 Line 14: Constant one initialization one = 1 File ref_ex_mono.mlw: Line 24: y = {c= (- 1)} Line 26: x23 = {c= 0} x23 = {c= 0} Execution of main function `incr` with env: y = {c= (- 1)} x23 = {c= 0} zero = 0 one = 1 Line 30: Normal execution of function `c` with args: arg = {c= (- 1)} Normal execution of function `(+)` with args: _ = (- 1) _ = 1 Line 31: Normal execution of function `c` with args: arg = {c= 0} Normal execution of function `(+)` with args: _ = 0 _ = 1 Line 32: Normal execution of function `c` with args: arg = {c= 1} Normal execution of function `(+)` with args: _ = 1 _ = 1 Line 27: Property failure at postcondition of `incr` with: x23 = {c= 2} x23 = {c= 0} y = {c= (- 1)} Categorizations of models: - Checked model 0: BAD_CE - Concrete RAC: FAILURE (postcondition at "bench/check-ce/ref_ex_mono.mlw", line 38, characters 2-8) - Abstract RAC: FAILURE (loop invariant init at "bench/check-ce/ref_ex_mono.mlw", line 41, characters 14-39) - Selected model 1: BAD_CE - Concrete RAC: FAILURE (postcondition at "bench/check-ce/ref_ex_mono.mlw", line 38, characters 2-8) - Abstract RAC: FAILURE (loop invariant init at "bench/check-ce/ref_ex_mono.mlw", line 41, characters 14-39) File "bench/check-ce/ref_ex_mono.mlw", line 41, characters 14-39: Sub-goal Loop invariant init of goal test_loop'vc. Prover result is: Unknown or time/memory/step limit. Sorry, we don't have a good counterexample for you :( File "bench/check-ce/ref_ex_mono.mlw", line 42, characters 12-15: Sub-goal Loop variant decrease of goal test_loop'vc. Prover result is: Valid. Categorizations of models: - Checked model 0: BAD_CE - Concrete RAC: FAILURE (postcondition at "bench/check-ce/ref_ex_mono.mlw", line 38, characters 2-8) - Abstract RAC: FAILURE (loop invariant init at "bench/check-ce/ref_ex_mono.mlw", line 41, characters 14-39) - Selected model 1: BAD_CE - Concrete RAC: FAILURE (postcondition at "bench/check-ce/ref_ex_mono.mlw", line 38, characters 2-8) - Abstract RAC: FAILURE (loop invariant init at "bench/check-ce/ref_ex_mono.mlw", line 41, characters 14-39) File "bench/check-ce/ref_ex_mono.mlw", line 41, characters 14-39: Sub-goal Loop invariant preservation of goal test_loop'vc. Prover result is: Unknown or time/memory/step limit. Sorry, we don't have a good counterexample for you :( Categorizations of models: - Checked model 0: BAD_CE - Concrete RAC: FAILURE (postcondition at "bench/check-ce/ref_ex_mono.mlw", line 38, characters 2-8) - Abstract RAC: FAILURE (loop invariant init at "bench/check-ce/ref_ex_mono.mlw", line 41, characters 14-39) - Selected model 1: BAD_CE - Concrete RAC: FAILURE (postcondition at "bench/check-ce/ref_ex_mono.mlw", line 38, characters 2-8) - Abstract RAC: FAILURE (loop invariant init at "bench/check-ce/ref_ex_mono.mlw", line 41, characters 14-39) File "bench/check-ce/ref_ex_mono.mlw", line 35, characters 12-25: Sub-goal Postcondition of goal test_loop'vc. Prover result is: Unknown or time/memory/step limit. Sorry, we don't have a good counterexample for you :( why3-1.6.0/bench/check-ce/oracles/ref_ex_mono_CVC5,1.0.0_WP.oracle000066400000000000000000000164111440160026300240660ustar00rootroot00000000000000Categorizations of models: - Selected model 0: NC - Concrete RAC: FAILURE (postcondition at "bench/check-ce/ref_ex_mono.mlw", line 10, characters 14-26) - Abstract RAC: FAILURE (postcondition at "bench/check-ce/ref_ex_mono.mlw", line 10, characters 14-26) - Checked model 1: NC - Concrete RAC: FAILURE (postcondition at "bench/check-ce/ref_ex_mono.mlw", line 10, characters 14-26) - Abstract RAC: FAILURE (postcondition at "bench/check-ce/ref_ex_mono.mlw", line 10, characters 14-26) File "bench/check-ce/ref_ex_mono.mlw", line 10, characters 14-26: Sub-goal Postcondition of goal test_post'vc. Prover result is: Unknown or time/memory/step limit. The program does not comply to the verification goal, for example during the following execution: File int.mlw: Line 13: Constant zero initialization zero = 0 Line 14: Constant one initialization one = 1 File ref_ex_mono.mlw: Line 9: x = 0 y = {c= (- 1)} x = 0 y = {c= (- 1)} Execution of main function `test_post` with env: x = 0 y = {c= (- 1)} zero = 0 one = 1 Line 12: Normal execution of function `c` with args: arg = {c= (- 1)} Normal execution of function `(-)` with args: x = 0 y = 1 File int.mlw: Line 23: Normal execution of function `(-_)` with args: _ = 1 Normal execution of function `(+)` with args: _ = 0 _ = (-1) File ref_ex_mono.mlw: Line 12: Normal execution of function `(+)` with args: _ = (-1) _ = (- 1) Line 10: Property failure at postcondition of `test_post` with: x = 0 y = {c= (- 1)} Categorizations of models: - Selected model 0: NC - Concrete RAC: FAILURE (postcondition at "bench/check-ce/ref_ex_mono.mlw", line 16, characters 14-31) - Abstract RAC: FAILURE (postcondition at "bench/check-ce/ref_ex_mono.mlw", line 16, characters 14-31) - Checked model 1: NC - Concrete RAC: FAILURE (postcondition at "bench/check-ce/ref_ex_mono.mlw", line 16, characters 14-31) - Abstract RAC: FAILURE (postcondition at "bench/check-ce/ref_ex_mono.mlw", line 16, characters 14-31) File "bench/check-ce/ref_ex_mono.mlw", line 16, characters 14-31: Sub-goal Postcondition of goal test_post2'vc. Prover result is: Unknown or time/memory/step limit. The program does not comply to the verification goal, for example during the following execution: File int.mlw: Line 13: Constant zero initialization zero = 0 Line 14: Constant one initialization one = 1 File ref_ex_mono.mlw: Line 14: x = 43 y = {c= 0} x = 43 y = {c= 0} Execution of main function `test_post2` with env: x = 43 y = {c= 0} zero = 0 one = 1 Line 18: Normal execution of function `c` with args: arg = {c= 0} Normal execution of function `(-)` with args: x = 43 y = 1 File int.mlw: Line 23: Normal execution of function `(-_)` with args: _ = 1 Normal execution of function `(+)` with args: _ = 43 _ = (-1) File ref_ex_mono.mlw: Line 18: Normal execution of function `(+)` with args: _ = 42 _ = 0 Line 16: Property failure at postcondition of `test_post2` with: x = 43 y = {c= 42} y = {c= 0} Categorizations of models: - Selected model 0: NC - Concrete RAC: FAILURE (postcondition at "bench/check-ce/ref_ex_mono.mlw", line 27, characters 12-39) - Abstract RAC: FAILURE (postcondition at "bench/check-ce/ref_ex_mono.mlw", line 27, characters 12-39) - Checked model 1: NC - Concrete RAC: FAILURE (postcondition at "bench/check-ce/ref_ex_mono.mlw", line 27, characters 12-39) - Abstract RAC: FAILURE (postcondition at "bench/check-ce/ref_ex_mono.mlw", line 27, characters 12-39) File "bench/check-ce/ref_ex_mono.mlw", line 27, characters 12-39: Sub-goal Postcondition of goal incr'vc. Prover result is: Unknown or time/memory/step limit. The program does not comply to the verification goal, for example during the following execution: File int.mlw: Line 13: Constant zero initialization zero = 0 Line 14: Constant one initialization one = 1 File ref_ex_mono.mlw: Line 24: y = {c= (- 1)} Line 26: x23 = {c= 0} x23 = {c= 0} Execution of main function `incr` with env: y = {c= (- 1)} x23 = {c= 0} zero = 0 one = 1 Line 30: Normal execution of function `c` with args: arg = {c= (- 1)} Normal execution of function `(+)` with args: _ = (- 1) _ = 1 Line 31: Normal execution of function `c` with args: arg = {c= 0} Normal execution of function `(+)` with args: _ = 0 _ = 1 Line 32: Normal execution of function `c` with args: arg = {c= 1} Normal execution of function `(+)` with args: _ = 1 _ = 1 Line 27: Property failure at postcondition of `incr` with: x23 = {c= 2} x23 = {c= 0} y = {c= (- 1)} Categorizations of models: - Checked model 0: BAD_CE - Concrete RAC: FAILURE (postcondition at "bench/check-ce/ref_ex_mono.mlw", line 38, characters 2-8) - Abstract RAC: FAILURE (loop invariant init at "bench/check-ce/ref_ex_mono.mlw", line 41, characters 14-39) - Selected model 1: BAD_CE - Concrete RAC: FAILURE (postcondition at "bench/check-ce/ref_ex_mono.mlw", line 38, characters 2-8) - Abstract RAC: FAILURE (loop invariant init at "bench/check-ce/ref_ex_mono.mlw", line 41, characters 14-39) File "bench/check-ce/ref_ex_mono.mlw", line 41, characters 14-39: Sub-goal Loop invariant init of goal test_loop'vc. Prover result is: Unknown or time/memory/step limit. Sorry, we don't have a good counterexample for you :( File "bench/check-ce/ref_ex_mono.mlw", line 42, characters 12-15: Sub-goal Loop variant decrease of goal test_loop'vc. Prover result is: Valid. Categorizations of models: - Checked model 0: BAD_CE - Concrete RAC: FAILURE (postcondition at "bench/check-ce/ref_ex_mono.mlw", line 38, characters 2-8) - Abstract RAC: FAILURE (loop invariant init at "bench/check-ce/ref_ex_mono.mlw", line 41, characters 14-39) - Selected model 1: BAD_CE - Concrete RAC: FAILURE (postcondition at "bench/check-ce/ref_ex_mono.mlw", line 38, characters 2-8) - Abstract RAC: FAILURE (loop invariant init at "bench/check-ce/ref_ex_mono.mlw", line 41, characters 14-39) File "bench/check-ce/ref_ex_mono.mlw", line 41, characters 14-39: Sub-goal Loop invariant preservation of goal test_loop'vc. Prover result is: Unknown or time/memory/step limit. Sorry, we don't have a good counterexample for you :( Categorizations of models: - Checked model 0: BAD_CE - Concrete RAC: FAILURE (postcondition at "bench/check-ce/ref_ex_mono.mlw", line 38, characters 2-8) - Abstract RAC: FAILURE (loop invariant init at "bench/check-ce/ref_ex_mono.mlw", line 41, characters 14-39) - Selected model 1: BAD_CE - Concrete RAC: FAILURE (postcondition at "bench/check-ce/ref_ex_mono.mlw", line 38, characters 2-8) - Abstract RAC: FAILURE (loop invariant init at "bench/check-ce/ref_ex_mono.mlw", line 41, characters 14-39) File "bench/check-ce/ref_ex_mono.mlw", line 35, characters 12-25: Sub-goal Postcondition of goal test_loop'vc. Prover result is: Unknown or time/memory/step limit. Sorry, we don't have a good counterexample for you :( why3-1.6.0/bench/check-ce/oracles/ref_ex_mono_Z3,4.8.10_SP.oracle000066400000000000000000000224621440160026300237550ustar00rootroot00000000000000Categorizations of models: - Selected model 0: NC - Concrete RAC: FAILURE (postcondition at "bench/check-ce/ref_ex_mono.mlw", line 10, characters 14-26) - Abstract RAC: FAILURE (postcondition at "bench/check-ce/ref_ex_mono.mlw", line 10, characters 14-26) - Checked model 1: BAD_CE - Concrete RAC: NORMAL - Abstract RAC: NORMAL File "bench/check-ce/ref_ex_mono.mlw", line 10, characters 14-26: Sub-goal Postcondition of goal test_post'vc. Prover result is: Unknown or time/memory/step limit. The program does not comply to the verification goal, for example during the following execution: File int.mlw: Line 13: Constant zero initialization zero = 0 Line 14: Constant one initialization one = 1 File ref_ex_mono.mlw: Line 9: x = 0 y = {c= (- 1)} x = 0 y = {c= (- 1)} Execution of main function `test_post` with env: x = 0 y = {c= (- 1)} zero = 0 one = 1 Line 12: Normal execution of function `c` with args: arg = {c= (- 1)} Normal execution of function `(-)` with args: x = 0 y = 1 File int.mlw: Line 23: Normal execution of function `(-_)` with args: _ = 1 Normal execution of function `(+)` with args: _ = 0 _ = (-1) File ref_ex_mono.mlw: Line 12: Normal execution of function `(+)` with args: _ = (-1) _ = (- 1) Line 10: Property failure at postcondition of `test_post` with: x = 0 y = {c= (- 1)} Categorizations of models: - Selected model 0: NC - Concrete RAC: FAILURE (postcondition at "bench/check-ce/ref_ex_mono.mlw", line 16, characters 14-31) - Abstract RAC: FAILURE (postcondition at "bench/check-ce/ref_ex_mono.mlw", line 16, characters 14-31) - Checked model 1: BAD_CE - Concrete RAC: STUCK (failure in precondition of `test_post2` at "bench/check-ce/ref_ex_mono.mlw", line 14, characters 6-16) - Abstract RAC: STUCK (failure in precondition of `test_post2` at "bench/check-ce/ref_ex_mono.mlw", line 14, characters 6-16) File "bench/check-ce/ref_ex_mono.mlw", line 16, characters 14-31: Sub-goal Postcondition of goal test_post2'vc. Prover result is: Unknown or time/memory/step limit. The program does not comply to the verification goal, for example during the following execution: File int.mlw: Line 13: Constant zero initialization zero = 0 Line 14: Constant one initialization one = 1 File ref_ex_mono.mlw: Line 14: x = 43 y = {c= 0} x = 43 y = {c= 0} Execution of main function `test_post2` with env: x = 43 y = {c= 0} zero = 0 one = 1 Line 18: Normal execution of function `c` with args: arg = {c= 0} Normal execution of function `(-)` with args: x = 43 y = 1 File int.mlw: Line 23: Normal execution of function `(-_)` with args: _ = 1 Normal execution of function `(+)` with args: _ = 43 _ = (-1) File ref_ex_mono.mlw: Line 18: Normal execution of function `(+)` with args: _ = 42 _ = 0 Line 16: Property failure at postcondition of `test_post2` with: x = 43 y = {c= 42} y = {c= 0} Categorizations of models: - Selected model 0: NC - Concrete RAC: FAILURE (postcondition at "bench/check-ce/ref_ex_mono.mlw", line 27, characters 12-39) - Abstract RAC: FAILURE (postcondition at "bench/check-ce/ref_ex_mono.mlw", line 27, characters 12-39) - Checked model 1: BAD_CE - Concrete RAC: NORMAL - Abstract RAC: NORMAL File "bench/check-ce/ref_ex_mono.mlw", line 27, characters 12-39: Sub-goal Postcondition of goal incr'vc. Prover result is: Unknown or time/memory/step limit. The program does not comply to the verification goal, for example during the following execution: File int.mlw: Line 13: Constant zero initialization zero = 0 Line 14: Constant one initialization one = 1 File ref_ex_mono.mlw: Line 24: y = {c= (- 1)} Line 26: x23 = {c= 399} x23 = {c= 399} Execution of main function `incr` with env: y = {c= (- 1)} x23 = {c= 399} zero = 0 one = 1 Line 30: Normal execution of function `c` with args: arg = {c= (- 1)} Normal execution of function `(+)` with args: _ = (- 1) _ = 1 Line 31: Normal execution of function `c` with args: arg = {c= 399} Normal execution of function `(+)` with args: _ = 399 _ = 1 Line 32: Normal execution of function `c` with args: arg = {c= 400} Normal execution of function `(+)` with args: _ = 400 _ = 1 Line 27: Property failure at postcondition of `incr` with: x23 = {c= 401} x23 = {c= 399} y = {c= (- 1)} Categorizations of models: - Checked model 0: BAD_CE - Concrete RAC: FAILURE (postcondition at "bench/check-ce/ref_ex_mono.mlw", line 38, characters 2-8) - Abstract RAC: FAILURE (loop invariant init at "bench/check-ce/ref_ex_mono.mlw", line 41, characters 14-39) - Selected model 1: NC - Concrete RAC: FAILURE (loop invariant init at "bench/check-ce/ref_ex_mono.mlw", line 41, characters 14-39) - Abstract RAC: STUCK (failure in postcondition of `incr` at "bench/check-ce/ref_ex_mono.mlw", line 27, characters 12-39) File "bench/check-ce/ref_ex_mono.mlw", line 41, characters 14-39: Sub-goal Loop invariant init of goal test_loop'vc. Prover result is: Unknown or time/memory/step limit. The program does not comply to the verification goal, for example during the following execution: File int.mlw: Line 13: Constant zero initialization zero = 0 Line 14: Constant one initialization one = 1 File ref_ex_mono.mlw: Line 24: Constant y initialization (giant-step) execution of unimplemented function with args: result = {c= 0} y = {c= 0} Line 34: x = {c= 0} x = {c= 0} Execution of main function `test_loop` with env: y = {c= 0} x = {c= 0} zero = 0 one = 1 Line 38: Normal execution of function `incr` with args: x23 = {c= 0} Line 30: Normal execution of function `c` with args: arg = {c= 0} Normal execution of function `(+)` with args: _ = 0 _ = 1 Line 31: Normal execution of function `c` with args: arg = {c= 0} Normal execution of function `(+)` with args: _ = 0 _ = 1 Line 32: Normal execution of function `c` with args: arg = {c= 1} Normal execution of function `(+)` with args: _ = 1 _ = 1 Line 41: Property failure at loop invariant init with: x = {c= 2} x = t'mk 0 x = t'mk 2 File "bench/check-ce/ref_ex_mono.mlw", line 42, characters 12-15: Sub-goal Loop variant decrease of goal test_loop'vc. Prover result is: Valid. Categorizations of models: - Checked model 0: BAD_CE - Concrete RAC: FAILURE (postcondition at "bench/check-ce/ref_ex_mono.mlw", line 38, characters 2-8) - Abstract RAC: FAILURE (loop invariant init at "bench/check-ce/ref_ex_mono.mlw", line 41, characters 14-39) - Selected model 1: NC - Concrete RAC: FAILURE (loop invariant init at "bench/check-ce/ref_ex_mono.mlw", line 41, characters 14-39) - Abstract RAC: STUCK (failure in postcondition of `incr` at "bench/check-ce/ref_ex_mono.mlw", line 27, characters 12-39) File "bench/check-ce/ref_ex_mono.mlw", line 41, characters 14-39: Sub-goal Loop invariant preservation of goal test_loop'vc. Prover result is: Unknown or time/memory/step limit. The program does not comply to the verification goal, for example during the following execution: File int.mlw: Line 13: Constant zero initialization zero = 0 Line 14: Constant one initialization one = 1 File ref_ex_mono.mlw: Line 24: Constant y initialization (giant-step) execution of unimplemented function with args: result = {c= 0} y = {c= 0} Line 34: x = {c= 0} x = {c= 0} Execution of main function `test_loop` with env: y = {c= 0} x = {c= 0} zero = 0 one = 1 Line 38: Normal execution of function `incr` with args: x23 = {c= 0} Line 30: Normal execution of function `c` with args: arg = {c= 0} Normal execution of function `(+)` with args: _ = 0 _ = 1 Line 31: Normal execution of function `c` with args: arg = {c= 0} Normal execution of function `(+)` with args: _ = 0 _ = 1 Line 32: Normal execution of function `c` with args: arg = {c= 1} Normal execution of function `(+)` with args: _ = 1 _ = 1 Line 41: Property failure at loop invariant init with: x = {c= 2} x = t'mk 0 x = t'mk 2 Categorizations of models: - Selected model 0: BAD_CE - Concrete RAC: FAILURE (postcondition at "bench/check-ce/ref_ex_mono.mlw", line 38, characters 2-8) - Abstract RAC: FAILURE (loop invariant init at "bench/check-ce/ref_ex_mono.mlw", line 41, characters 14-39) - Checked model 1: BAD_CE - Concrete RAC: FAILURE (loop invariant init at "bench/check-ce/ref_ex_mono.mlw", line 41, characters 14-39) - Abstract RAC: STUCK (failure in postcondition of `incr` at "bench/check-ce/ref_ex_mono.mlw", line 27, characters 12-39) File "bench/check-ce/ref_ex_mono.mlw", line 35, characters 12-25: Sub-goal Postcondition of goal test_loop'vc. Prover result is: Unknown or time/memory/step limit. Sorry, we don't have a good counterexample for you :( why3-1.6.0/bench/check-ce/oracles/ref_ex_mono_Z3,4.8.10_WP.oracle000066400000000000000000000224621440160026300237610ustar00rootroot00000000000000Categorizations of models: - Selected model 0: NC - Concrete RAC: FAILURE (postcondition at "bench/check-ce/ref_ex_mono.mlw", line 10, characters 14-26) - Abstract RAC: FAILURE (postcondition at "bench/check-ce/ref_ex_mono.mlw", line 10, characters 14-26) - Checked model 1: BAD_CE - Concrete RAC: NORMAL - Abstract RAC: NORMAL File "bench/check-ce/ref_ex_mono.mlw", line 10, characters 14-26: Sub-goal Postcondition of goal test_post'vc. Prover result is: Unknown or time/memory/step limit. The program does not comply to the verification goal, for example during the following execution: File int.mlw: Line 13: Constant zero initialization zero = 0 Line 14: Constant one initialization one = 1 File ref_ex_mono.mlw: Line 9: x = 0 y = {c= (- 1)} x = 0 y = {c= (- 1)} Execution of main function `test_post` with env: x = 0 y = {c= (- 1)} zero = 0 one = 1 Line 12: Normal execution of function `c` with args: arg = {c= (- 1)} Normal execution of function `(-)` with args: x = 0 y = 1 File int.mlw: Line 23: Normal execution of function `(-_)` with args: _ = 1 Normal execution of function `(+)` with args: _ = 0 _ = (-1) File ref_ex_mono.mlw: Line 12: Normal execution of function `(+)` with args: _ = (-1) _ = (- 1) Line 10: Property failure at postcondition of `test_post` with: x = 0 y = {c= (- 1)} Categorizations of models: - Selected model 0: NC - Concrete RAC: FAILURE (postcondition at "bench/check-ce/ref_ex_mono.mlw", line 16, characters 14-31) - Abstract RAC: FAILURE (postcondition at "bench/check-ce/ref_ex_mono.mlw", line 16, characters 14-31) - Checked model 1: BAD_CE - Concrete RAC: STUCK (failure in precondition of `test_post2` at "bench/check-ce/ref_ex_mono.mlw", line 14, characters 6-16) - Abstract RAC: STUCK (failure in precondition of `test_post2` at "bench/check-ce/ref_ex_mono.mlw", line 14, characters 6-16) File "bench/check-ce/ref_ex_mono.mlw", line 16, characters 14-31: Sub-goal Postcondition of goal test_post2'vc. Prover result is: Unknown or time/memory/step limit. The program does not comply to the verification goal, for example during the following execution: File int.mlw: Line 13: Constant zero initialization zero = 0 Line 14: Constant one initialization one = 1 File ref_ex_mono.mlw: Line 14: x = 43 y = {c= 0} x = 43 y = {c= 0} Execution of main function `test_post2` with env: x = 43 y = {c= 0} zero = 0 one = 1 Line 18: Normal execution of function `c` with args: arg = {c= 0} Normal execution of function `(-)` with args: x = 43 y = 1 File int.mlw: Line 23: Normal execution of function `(-_)` with args: _ = 1 Normal execution of function `(+)` with args: _ = 43 _ = (-1) File ref_ex_mono.mlw: Line 18: Normal execution of function `(+)` with args: _ = 42 _ = 0 Line 16: Property failure at postcondition of `test_post2` with: x = 43 y = {c= 42} y = {c= 0} Categorizations of models: - Selected model 0: NC - Concrete RAC: FAILURE (postcondition at "bench/check-ce/ref_ex_mono.mlw", line 27, characters 12-39) - Abstract RAC: FAILURE (postcondition at "bench/check-ce/ref_ex_mono.mlw", line 27, characters 12-39) - Checked model 1: BAD_CE - Concrete RAC: NORMAL - Abstract RAC: NORMAL File "bench/check-ce/ref_ex_mono.mlw", line 27, characters 12-39: Sub-goal Postcondition of goal incr'vc. Prover result is: Unknown or time/memory/step limit. The program does not comply to the verification goal, for example during the following execution: File int.mlw: Line 13: Constant zero initialization zero = 0 Line 14: Constant one initialization one = 1 File ref_ex_mono.mlw: Line 24: y = {c= (- 1)} Line 26: x23 = {c= 399} x23 = {c= 399} Execution of main function `incr` with env: y = {c= (- 1)} x23 = {c= 399} zero = 0 one = 1 Line 30: Normal execution of function `c` with args: arg = {c= (- 1)} Normal execution of function `(+)` with args: _ = (- 1) _ = 1 Line 31: Normal execution of function `c` with args: arg = {c= 399} Normal execution of function `(+)` with args: _ = 399 _ = 1 Line 32: Normal execution of function `c` with args: arg = {c= 400} Normal execution of function `(+)` with args: _ = 400 _ = 1 Line 27: Property failure at postcondition of `incr` with: x23 = {c= 401} x23 = {c= 399} y = {c= (- 1)} Categorizations of models: - Checked model 0: BAD_CE - Concrete RAC: FAILURE (postcondition at "bench/check-ce/ref_ex_mono.mlw", line 38, characters 2-8) - Abstract RAC: FAILURE (loop invariant init at "bench/check-ce/ref_ex_mono.mlw", line 41, characters 14-39) - Selected model 1: NC - Concrete RAC: FAILURE (loop invariant init at "bench/check-ce/ref_ex_mono.mlw", line 41, characters 14-39) - Abstract RAC: STUCK (failure in postcondition of `incr` at "bench/check-ce/ref_ex_mono.mlw", line 27, characters 12-39) File "bench/check-ce/ref_ex_mono.mlw", line 41, characters 14-39: Sub-goal Loop invariant init of goal test_loop'vc. Prover result is: Unknown or time/memory/step limit. The program does not comply to the verification goal, for example during the following execution: File int.mlw: Line 13: Constant zero initialization zero = 0 Line 14: Constant one initialization one = 1 File ref_ex_mono.mlw: Line 24: Constant y initialization (giant-step) execution of unimplemented function with args: result = {c= 0} y = {c= 0} Line 34: x = {c= 0} x = {c= 0} Execution of main function `test_loop` with env: y = {c= 0} x = {c= 0} zero = 0 one = 1 Line 38: Normal execution of function `incr` with args: x23 = {c= 0} Line 30: Normal execution of function `c` with args: arg = {c= 0} Normal execution of function `(+)` with args: _ = 0 _ = 1 Line 31: Normal execution of function `c` with args: arg = {c= 0} Normal execution of function `(+)` with args: _ = 0 _ = 1 Line 32: Normal execution of function `c` with args: arg = {c= 1} Normal execution of function `(+)` with args: _ = 1 _ = 1 Line 41: Property failure at loop invariant init with: x = {c= 2} x = t'mk 0 x = t'mk 2 File "bench/check-ce/ref_ex_mono.mlw", line 42, characters 12-15: Sub-goal Loop variant decrease of goal test_loop'vc. Prover result is: Valid. Categorizations of models: - Checked model 0: BAD_CE - Concrete RAC: FAILURE (postcondition at "bench/check-ce/ref_ex_mono.mlw", line 38, characters 2-8) - Abstract RAC: FAILURE (loop invariant init at "bench/check-ce/ref_ex_mono.mlw", line 41, characters 14-39) - Selected model 1: NC - Concrete RAC: FAILURE (loop invariant init at "bench/check-ce/ref_ex_mono.mlw", line 41, characters 14-39) - Abstract RAC: STUCK (failure in postcondition of `incr` at "bench/check-ce/ref_ex_mono.mlw", line 27, characters 12-39) File "bench/check-ce/ref_ex_mono.mlw", line 41, characters 14-39: Sub-goal Loop invariant preservation of goal test_loop'vc. Prover result is: Unknown or time/memory/step limit. The program does not comply to the verification goal, for example during the following execution: File int.mlw: Line 13: Constant zero initialization zero = 0 Line 14: Constant one initialization one = 1 File ref_ex_mono.mlw: Line 24: Constant y initialization (giant-step) execution of unimplemented function with args: result = {c= 0} y = {c= 0} Line 34: x = {c= 0} x = {c= 0} Execution of main function `test_loop` with env: y = {c= 0} x = {c= 0} zero = 0 one = 1 Line 38: Normal execution of function `incr` with args: x23 = {c= 0} Line 30: Normal execution of function `c` with args: arg = {c= 0} Normal execution of function `(+)` with args: _ = 0 _ = 1 Line 31: Normal execution of function `c` with args: arg = {c= 0} Normal execution of function `(+)` with args: _ = 0 _ = 1 Line 32: Normal execution of function `c` with args: arg = {c= 1} Normal execution of function `(+)` with args: _ = 1 _ = 1 Line 41: Property failure at loop invariant init with: x = {c= 2} x = t'mk 0 x = t'mk 2 Categorizations of models: - Selected model 0: BAD_CE - Concrete RAC: FAILURE (postcondition at "bench/check-ce/ref_ex_mono.mlw", line 38, characters 2-8) - Abstract RAC: FAILURE (loop invariant init at "bench/check-ce/ref_ex_mono.mlw", line 41, characters 14-39) - Checked model 1: BAD_CE - Concrete RAC: FAILURE (loop invariant init at "bench/check-ce/ref_ex_mono.mlw", line 41, characters 14-39) - Abstract RAC: STUCK (failure in postcondition of `incr` at "bench/check-ce/ref_ex_mono.mlw", line 27, characters 12-39) File "bench/check-ce/ref_ex_mono.mlw", line 35, characters 12-25: Sub-goal Postcondition of goal test_loop'vc. Prover result is: Unknown or time/memory/step limit. Sorry, we don't have a good counterexample for you :( why3-1.6.0/bench/check-ce/oracles/ref_mono_CVC4,1.8_SP.oracle000066400000000000000000000212461440160026300232410ustar00rootroot00000000000000File "bench/check-ce/ref_mono.mlw", line 7, characters 39-55: Sub-goal Postcondition of goal ref1'vc. Prover result is: Valid. File "bench/check-ce/ref_mono.mlw", line 9, characters 29-40: Sub-goal Postcondition of goal prefix !'vc. Prover result is: Valid. File "bench/check-ce/ref_mono.mlw", line 11, characters 38-44: Sub-goal Postcondition of goal infix :='vc. Prover result is: Valid. Categorizations of models: - Selected model 0: NC - Concrete RAC: FAILURE (postcondition at "bench/check-ce/ref_mono.mlw", line 21, characters 14-25) - Abstract RAC: FAILURE (postcondition at "bench/check-ce/ref_mono.mlw", line 21, characters 14-25) - Checked model 1: NC - Concrete RAC: FAILURE (postcondition at "bench/check-ce/ref_mono.mlw", line 21, characters 14-25) - Abstract RAC: FAILURE (postcondition at "bench/check-ce/ref_mono.mlw", line 21, characters 14-25) File "bench/check-ce/ref_mono.mlw", line 21, characters 14-25: Sub-goal Postcondition of goal test_post'vc. Prover result is: Unknown or time/memory/step limit. The program does not comply to the verification goal, for example during the following execution: File int.mlw: Line 13: Constant zero initialization zero = 0 Line 14: Constant one initialization one = 1 File ref_mono.mlw: Line 20: x = 0 y = {contents1= (- 1)} x = 0 y = {contents1= (- 1)} Execution of main function `test_post` with env: x = 0 y = {contents1= (- 1)} zero = 0 one = 1 Line 23: Normal execution of function `(!)` with args: r = {contents1= (- 1)} Line 9: Normal execution of function `contents` with args: arg = {contents1= (- 1)} Line 23: Normal execution of function `(-)` with args: x = 0 y = 1 File int.mlw: Line 23: Normal execution of function `(-_)` with args: _ = 1 Normal execution of function `(+)` with args: _ = 0 _ = (-1) File ref_mono.mlw: Line 23: Normal execution of function `(+)` with args: _ = (-1) _ = (- 1) Normal execution of function `(:=)` with args: r = {contents1= (- 1)} v = (-2) Line 21: Property failure at postcondition of `test_post` with: x = 0 y = {contents1= (- 1)} Categorizations of models: - Selected model 0: NC - Concrete RAC: FAILURE (postcondition at "bench/check-ce/ref_mono.mlw", line 27, characters 14-29) - Abstract RAC: FAILURE (postcondition at "bench/check-ce/ref_mono.mlw", line 27, characters 14-29) - Checked model 1: NC - Concrete RAC: FAILURE (postcondition at "bench/check-ce/ref_mono.mlw", line 27, characters 14-29) - Abstract RAC: FAILURE (postcondition at "bench/check-ce/ref_mono.mlw", line 27, characters 14-29) File "bench/check-ce/ref_mono.mlw", line 27, characters 14-29: Sub-goal Postcondition of goal test_post2'vc. Prover result is: Unknown or time/memory/step limit. The program does not comply to the verification goal, for example during the following execution: File int.mlw: Line 13: Constant zero initialization zero = 0 Line 14: Constant one initialization one = 1 File ref_mono.mlw: Line 25: x = 43 y = {contents1= 0} x = 43 y = {contents1= 0} Execution of main function `test_post2` with env: x = 43 y = {contents1= 0} zero = 0 one = 1 Line 29: Normal execution of function `(!)` with args: r = {contents1= 0} Line 9: Normal execution of function `contents` with args: arg = {contents1= 0} Line 29: Normal execution of function `(-)` with args: x = 43 y = 1 File int.mlw: Line 23: Normal execution of function `(-_)` with args: _ = 1 Normal execution of function `(+)` with args: _ = 43 _ = (-1) File ref_mono.mlw: Line 29: Normal execution of function `(+)` with args: _ = 42 _ = 0 Normal execution of function `(:=)` with args: r = {contents1= 0} v = 42 Line 27: Property failure at postcondition of `test_post2` with: x = 43 y = {contents1= 42} y = {contents1= 0} Categorizations of models: - Selected model 0: NC - Concrete RAC: FAILURE (postcondition at "bench/check-ce/ref_mono.mlw", line 38, characters 12-36) - Abstract RAC: FAILURE (postcondition at "bench/check-ce/ref_mono.mlw", line 38, characters 12-36) - Checked model 1: NC - Concrete RAC: FAILURE (postcondition at "bench/check-ce/ref_mono.mlw", line 38, characters 12-36) - Abstract RAC: FAILURE (postcondition at "bench/check-ce/ref_mono.mlw", line 38, characters 12-36) File "bench/check-ce/ref_mono.mlw", line 38, characters 12-36: Sub-goal Postcondition of goal incr'vc. Prover result is: Unknown or time/memory/step limit. The program does not comply to the verification goal, for example during the following execution: File int.mlw: Line 13: Constant zero initialization zero = 0 Line 14: Constant one initialization one = 1 File ref_mono.mlw: Line 35: y = {contents1= (- 1)} Line 37: x23 = {contents1= 0} x23 = {contents1= 0} Execution of main function `incr` with env: y = {contents1= (- 1)} x23 = {contents1= 0} zero = 0 one = 1 Line 40: Normal execution of function `(!)` with args: r = {contents1= (- 1)} Line 9: Normal execution of function `contents` with args: arg = {contents1= (- 1)} Line 40: Normal execution of function `(+)` with args: _ = (- 1) _ = 1 Normal execution of function `(:=)` with args: r = {contents1= (- 1)} v = 0 Line 41: Normal execution of function `(!)` with args: r = {contents1= 0} Line 9: Normal execution of function `contents` with args: arg = {contents1= 0} Line 41: Normal execution of function `(+)` with args: _ = 0 _ = 1 Normal execution of function `(:=)` with args: r = {contents1= 0} v = 1 Line 42: Normal execution of function `(!)` with args: r = {contents1= 1} Line 9: Normal execution of function `contents` with args: arg = {contents1= 1} Line 42: Normal execution of function `(+)` with args: _ = 1 _ = 1 Normal execution of function `(:=)` with args: r = {contents1= 1} v = 2 Line 38: Property failure at postcondition of `incr` with: x23 = {contents1= 2} x23 = {contents1= 0} y = {contents1= (- 1)} Categorizations of models: - Checked model 0: BAD_CE - Concrete RAC: FAILURE (postcondition at "bench/check-ce/ref_mono.mlw", line 48, characters 2-8) - Abstract RAC: FAILURE (loop invariant init at "bench/check-ce/ref_mono.mlw", line 51, characters 14-36) - Selected model 1: BAD_CE - Concrete RAC: FAILURE (postcondition at "bench/check-ce/ref_mono.mlw", line 48, characters 2-8) - Abstract RAC: FAILURE (loop invariant init at "bench/check-ce/ref_mono.mlw", line 51, characters 14-36) File "bench/check-ce/ref_mono.mlw", line 51, characters 14-36: Sub-goal Loop invariant init of goal test_loop'vc. Prover result is: Unknown or time/memory/step limit. Sorry, we don't have a good counterexample for you :( File "bench/check-ce/ref_mono.mlw", line 52, characters 12-14: Sub-goal Loop variant decrease of goal test_loop'vc. Prover result is: Valid. Categorizations of models: - Checked model 0: BAD_CE - Concrete RAC: FAILURE (postcondition at "bench/check-ce/ref_mono.mlw", line 48, characters 2-8) - Abstract RAC: FAILURE (loop invariant init at "bench/check-ce/ref_mono.mlw", line 51, characters 14-36) - Selected model 1: BAD_CE - Concrete RAC: FAILURE (postcondition at "bench/check-ce/ref_mono.mlw", line 48, characters 2-8) - Abstract RAC: FAILURE (loop invariant init at "bench/check-ce/ref_mono.mlw", line 51, characters 14-36) File "bench/check-ce/ref_mono.mlw", line 51, characters 14-36: Sub-goal Loop invariant preservation of goal test_loop'vc. Prover result is: Unknown or time/memory/step limit. Sorry, we don't have a good counterexample for you :( Categorizations of models: - Checked model 0: BAD_CE - Concrete RAC: FAILURE (postcondition at "bench/check-ce/ref_mono.mlw", line 48, characters 2-8) - Abstract RAC: FAILURE (loop invariant init at "bench/check-ce/ref_mono.mlw", line 51, characters 14-36) - Selected model 1: BAD_CE - Concrete RAC: FAILURE (postcondition at "bench/check-ce/ref_mono.mlw", line 48, characters 2-8) - Abstract RAC: FAILURE (loop invariant init at "bench/check-ce/ref_mono.mlw", line 51, characters 14-36) File "bench/check-ce/ref_mono.mlw", line 45, characters 12-23: Sub-goal Postcondition of goal test_loop'vc. Prover result is: Unknown or time/memory/step limit. Sorry, we don't have a good counterexample for you :( why3-1.6.0/bench/check-ce/oracles/ref_mono_CVC4,1.8_WP.oracle000066400000000000000000000212461440160026300232450ustar00rootroot00000000000000File "bench/check-ce/ref_mono.mlw", line 7, characters 39-55: Sub-goal Postcondition of goal ref1'vc. Prover result is: Valid. File "bench/check-ce/ref_mono.mlw", line 9, characters 29-40: Sub-goal Postcondition of goal prefix !'vc. Prover result is: Valid. File "bench/check-ce/ref_mono.mlw", line 11, characters 38-44: Sub-goal Postcondition of goal infix :='vc. Prover result is: Valid. Categorizations of models: - Selected model 0: NC - Concrete RAC: FAILURE (postcondition at "bench/check-ce/ref_mono.mlw", line 21, characters 14-25) - Abstract RAC: FAILURE (postcondition at "bench/check-ce/ref_mono.mlw", line 21, characters 14-25) - Checked model 1: NC - Concrete RAC: FAILURE (postcondition at "bench/check-ce/ref_mono.mlw", line 21, characters 14-25) - Abstract RAC: FAILURE (postcondition at "bench/check-ce/ref_mono.mlw", line 21, characters 14-25) File "bench/check-ce/ref_mono.mlw", line 21, characters 14-25: Sub-goal Postcondition of goal test_post'vc. Prover result is: Unknown or time/memory/step limit. The program does not comply to the verification goal, for example during the following execution: File int.mlw: Line 13: Constant zero initialization zero = 0 Line 14: Constant one initialization one = 1 File ref_mono.mlw: Line 20: x = 0 y = {contents1= (- 1)} x = 0 y = {contents1= (- 1)} Execution of main function `test_post` with env: x = 0 y = {contents1= (- 1)} zero = 0 one = 1 Line 23: Normal execution of function `(!)` with args: r = {contents1= (- 1)} Line 9: Normal execution of function `contents` with args: arg = {contents1= (- 1)} Line 23: Normal execution of function `(-)` with args: x = 0 y = 1 File int.mlw: Line 23: Normal execution of function `(-_)` with args: _ = 1 Normal execution of function `(+)` with args: _ = 0 _ = (-1) File ref_mono.mlw: Line 23: Normal execution of function `(+)` with args: _ = (-1) _ = (- 1) Normal execution of function `(:=)` with args: r = {contents1= (- 1)} v = (-2) Line 21: Property failure at postcondition of `test_post` with: x = 0 y = {contents1= (- 1)} Categorizations of models: - Selected model 0: NC - Concrete RAC: FAILURE (postcondition at "bench/check-ce/ref_mono.mlw", line 27, characters 14-29) - Abstract RAC: FAILURE (postcondition at "bench/check-ce/ref_mono.mlw", line 27, characters 14-29) - Checked model 1: NC - Concrete RAC: FAILURE (postcondition at "bench/check-ce/ref_mono.mlw", line 27, characters 14-29) - Abstract RAC: FAILURE (postcondition at "bench/check-ce/ref_mono.mlw", line 27, characters 14-29) File "bench/check-ce/ref_mono.mlw", line 27, characters 14-29: Sub-goal Postcondition of goal test_post2'vc. Prover result is: Unknown or time/memory/step limit. The program does not comply to the verification goal, for example during the following execution: File int.mlw: Line 13: Constant zero initialization zero = 0 Line 14: Constant one initialization one = 1 File ref_mono.mlw: Line 25: x = 43 y = {contents1= 0} x = 43 y = {contents1= 0} Execution of main function `test_post2` with env: x = 43 y = {contents1= 0} zero = 0 one = 1 Line 29: Normal execution of function `(!)` with args: r = {contents1= 0} Line 9: Normal execution of function `contents` with args: arg = {contents1= 0} Line 29: Normal execution of function `(-)` with args: x = 43 y = 1 File int.mlw: Line 23: Normal execution of function `(-_)` with args: _ = 1 Normal execution of function `(+)` with args: _ = 43 _ = (-1) File ref_mono.mlw: Line 29: Normal execution of function `(+)` with args: _ = 42 _ = 0 Normal execution of function `(:=)` with args: r = {contents1= 0} v = 42 Line 27: Property failure at postcondition of `test_post2` with: x = 43 y = {contents1= 42} y = {contents1= 0} Categorizations of models: - Selected model 0: NC - Concrete RAC: FAILURE (postcondition at "bench/check-ce/ref_mono.mlw", line 38, characters 12-36) - Abstract RAC: FAILURE (postcondition at "bench/check-ce/ref_mono.mlw", line 38, characters 12-36) - Checked model 1: NC - Concrete RAC: FAILURE (postcondition at "bench/check-ce/ref_mono.mlw", line 38, characters 12-36) - Abstract RAC: FAILURE (postcondition at "bench/check-ce/ref_mono.mlw", line 38, characters 12-36) File "bench/check-ce/ref_mono.mlw", line 38, characters 12-36: Sub-goal Postcondition of goal incr'vc. Prover result is: Unknown or time/memory/step limit. The program does not comply to the verification goal, for example during the following execution: File int.mlw: Line 13: Constant zero initialization zero = 0 Line 14: Constant one initialization one = 1 File ref_mono.mlw: Line 35: y = {contents1= (- 1)} Line 37: x23 = {contents1= 0} x23 = {contents1= 0} Execution of main function `incr` with env: y = {contents1= (- 1)} x23 = {contents1= 0} zero = 0 one = 1 Line 40: Normal execution of function `(!)` with args: r = {contents1= (- 1)} Line 9: Normal execution of function `contents` with args: arg = {contents1= (- 1)} Line 40: Normal execution of function `(+)` with args: _ = (- 1) _ = 1 Normal execution of function `(:=)` with args: r = {contents1= (- 1)} v = 0 Line 41: Normal execution of function `(!)` with args: r = {contents1= 0} Line 9: Normal execution of function `contents` with args: arg = {contents1= 0} Line 41: Normal execution of function `(+)` with args: _ = 0 _ = 1 Normal execution of function `(:=)` with args: r = {contents1= 0} v = 1 Line 42: Normal execution of function `(!)` with args: r = {contents1= 1} Line 9: Normal execution of function `contents` with args: arg = {contents1= 1} Line 42: Normal execution of function `(+)` with args: _ = 1 _ = 1 Normal execution of function `(:=)` with args: r = {contents1= 1} v = 2 Line 38: Property failure at postcondition of `incr` with: x23 = {contents1= 2} x23 = {contents1= 0} y = {contents1= (- 1)} Categorizations of models: - Checked model 0: BAD_CE - Concrete RAC: FAILURE (postcondition at "bench/check-ce/ref_mono.mlw", line 48, characters 2-8) - Abstract RAC: FAILURE (loop invariant init at "bench/check-ce/ref_mono.mlw", line 51, characters 14-36) - Selected model 1: BAD_CE - Concrete RAC: FAILURE (postcondition at "bench/check-ce/ref_mono.mlw", line 48, characters 2-8) - Abstract RAC: FAILURE (loop invariant init at "bench/check-ce/ref_mono.mlw", line 51, characters 14-36) File "bench/check-ce/ref_mono.mlw", line 51, characters 14-36: Sub-goal Loop invariant init of goal test_loop'vc. Prover result is: Unknown or time/memory/step limit. Sorry, we don't have a good counterexample for you :( File "bench/check-ce/ref_mono.mlw", line 52, characters 12-14: Sub-goal Loop variant decrease of goal test_loop'vc. Prover result is: Valid. Categorizations of models: - Checked model 0: BAD_CE - Concrete RAC: FAILURE (postcondition at "bench/check-ce/ref_mono.mlw", line 48, characters 2-8) - Abstract RAC: FAILURE (loop invariant init at "bench/check-ce/ref_mono.mlw", line 51, characters 14-36) - Selected model 1: BAD_CE - Concrete RAC: FAILURE (postcondition at "bench/check-ce/ref_mono.mlw", line 48, characters 2-8) - Abstract RAC: FAILURE (loop invariant init at "bench/check-ce/ref_mono.mlw", line 51, characters 14-36) File "bench/check-ce/ref_mono.mlw", line 51, characters 14-36: Sub-goal Loop invariant preservation of goal test_loop'vc. Prover result is: Unknown or time/memory/step limit. Sorry, we don't have a good counterexample for you :( Categorizations of models: - Checked model 0: BAD_CE - Concrete RAC: FAILURE (postcondition at "bench/check-ce/ref_mono.mlw", line 48, characters 2-8) - Abstract RAC: FAILURE (loop invariant init at "bench/check-ce/ref_mono.mlw", line 51, characters 14-36) - Selected model 1: BAD_CE - Concrete RAC: FAILURE (postcondition at "bench/check-ce/ref_mono.mlw", line 48, characters 2-8) - Abstract RAC: FAILURE (loop invariant init at "bench/check-ce/ref_mono.mlw", line 51, characters 14-36) File "bench/check-ce/ref_mono.mlw", line 45, characters 12-23: Sub-goal Postcondition of goal test_loop'vc. Prover result is: Unknown or time/memory/step limit. Sorry, we don't have a good counterexample for you :( why3-1.6.0/bench/check-ce/oracles/ref_mono_CVC5,1.0.0_SP.oracle000066400000000000000000000212061440160026300233640ustar00rootroot00000000000000File "bench/check-ce/ref_mono.mlw", line 7, characters 39-55: Sub-goal Postcondition of goal ref1'vc. Prover result is: Valid. File "bench/check-ce/ref_mono.mlw", line 9, characters 29-40: Sub-goal Postcondition of goal prefix !'vc. Prover result is: Valid. File "bench/check-ce/ref_mono.mlw", line 11, characters 38-44: Sub-goal Postcondition of goal infix :='vc. Prover result is: Valid. Categorizations of models: - Selected model 0: NC - Concrete RAC: FAILURE (postcondition at "bench/check-ce/ref_mono.mlw", line 21, characters 14-25) - Abstract RAC: FAILURE (postcondition at "bench/check-ce/ref_mono.mlw", line 21, characters 14-25) - Checked model 1: NC - Concrete RAC: FAILURE (postcondition at "bench/check-ce/ref_mono.mlw", line 21, characters 14-25) - Abstract RAC: FAILURE (postcondition at "bench/check-ce/ref_mono.mlw", line 21, characters 14-25) File "bench/check-ce/ref_mono.mlw", line 21, characters 14-25: Sub-goal Postcondition of goal test_post'vc. Prover result is: Unknown or time/memory/step limit. The program does not comply to the verification goal, for example during the following execution: File int.mlw: Line 13: Constant zero initialization zero = 0 Line 14: Constant one initialization one = 1 File ref_mono.mlw: Line 20: x = 0 y = {contents= (- 1)} x = 0 y = {contents= (- 1)} Execution of main function `test_post` with env: x = 0 y = {contents= (- 1)} zero = 0 one = 1 Line 23: Normal execution of function `(!)` with args: r = {contents= (- 1)} Line 9: Normal execution of function `contents` with args: arg = {contents= (- 1)} Line 23: Normal execution of function `(-)` with args: x = 0 y = 1 File int.mlw: Line 23: Normal execution of function `(-_)` with args: _ = 1 Normal execution of function `(+)` with args: _ = 0 _ = (-1) File ref_mono.mlw: Line 23: Normal execution of function `(+)` with args: _ = (-1) _ = (- 1) Normal execution of function `(:=)` with args: r = {contents= (- 1)} v = (-2) Line 21: Property failure at postcondition of `test_post` with: x = 0 y = {contents= (- 1)} Categorizations of models: - Selected model 0: NC - Concrete RAC: FAILURE (postcondition at "bench/check-ce/ref_mono.mlw", line 27, characters 14-29) - Abstract RAC: FAILURE (postcondition at "bench/check-ce/ref_mono.mlw", line 27, characters 14-29) - Checked model 1: NC - Concrete RAC: FAILURE (postcondition at "bench/check-ce/ref_mono.mlw", line 27, characters 14-29) - Abstract RAC: FAILURE (postcondition at "bench/check-ce/ref_mono.mlw", line 27, characters 14-29) File "bench/check-ce/ref_mono.mlw", line 27, characters 14-29: Sub-goal Postcondition of goal test_post2'vc. Prover result is: Unknown or time/memory/step limit. The program does not comply to the verification goal, for example during the following execution: File int.mlw: Line 13: Constant zero initialization zero = 0 Line 14: Constant one initialization one = 1 File ref_mono.mlw: Line 25: x = 43 y = {contents= 0} x = 43 y = {contents= 0} Execution of main function `test_post2` with env: x = 43 y = {contents= 0} zero = 0 one = 1 Line 29: Normal execution of function `(!)` with args: r = {contents= 0} Line 9: Normal execution of function `contents` with args: arg = {contents= 0} Line 29: Normal execution of function `(-)` with args: x = 43 y = 1 File int.mlw: Line 23: Normal execution of function `(-_)` with args: _ = 1 Normal execution of function `(+)` with args: _ = 43 _ = (-1) File ref_mono.mlw: Line 29: Normal execution of function `(+)` with args: _ = 42 _ = 0 Normal execution of function `(:=)` with args: r = {contents= 0} v = 42 Line 27: Property failure at postcondition of `test_post2` with: x = 43 y = {contents= 42} y = {contents= 0} Categorizations of models: - Selected model 0: NC - Concrete RAC: FAILURE (postcondition at "bench/check-ce/ref_mono.mlw", line 38, characters 12-36) - Abstract RAC: FAILURE (postcondition at "bench/check-ce/ref_mono.mlw", line 38, characters 12-36) - Checked model 1: NC - Concrete RAC: FAILURE (postcondition at "bench/check-ce/ref_mono.mlw", line 38, characters 12-36) - Abstract RAC: FAILURE (postcondition at "bench/check-ce/ref_mono.mlw", line 38, characters 12-36) File "bench/check-ce/ref_mono.mlw", line 38, characters 12-36: Sub-goal Postcondition of goal incr'vc. Prover result is: Unknown or time/memory/step limit. The program does not comply to the verification goal, for example during the following execution: File int.mlw: Line 13: Constant zero initialization zero = 0 Line 14: Constant one initialization one = 1 File ref_mono.mlw: Line 35: y = {contents= (- 1)} Line 37: x23 = {contents= 0} x23 = {contents= 0} Execution of main function `incr` with env: y = {contents= (- 1)} x23 = {contents= 0} zero = 0 one = 1 Line 40: Normal execution of function `(!)` with args: r = {contents= (- 1)} Line 9: Normal execution of function `contents` with args: arg = {contents= (- 1)} Line 40: Normal execution of function `(+)` with args: _ = (- 1) _ = 1 Normal execution of function `(:=)` with args: r = {contents= (- 1)} v = 0 Line 41: Normal execution of function `(!)` with args: r = {contents= 0} Line 9: Normal execution of function `contents` with args: arg = {contents= 0} Line 41: Normal execution of function `(+)` with args: _ = 0 _ = 1 Normal execution of function `(:=)` with args: r = {contents= 0} v = 1 Line 42: Normal execution of function `(!)` with args: r = {contents= 1} Line 9: Normal execution of function `contents` with args: arg = {contents= 1} Line 42: Normal execution of function `(+)` with args: _ = 1 _ = 1 Normal execution of function `(:=)` with args: r = {contents= 1} v = 2 Line 38: Property failure at postcondition of `incr` with: x23 = {contents= 2} x23 = {contents= 0} y = {contents= (- 1)} Categorizations of models: - Checked model 0: BAD_CE - Concrete RAC: FAILURE (postcondition at "bench/check-ce/ref_mono.mlw", line 48, characters 2-8) - Abstract RAC: FAILURE (loop invariant init at "bench/check-ce/ref_mono.mlw", line 51, characters 14-36) - Selected model 1: BAD_CE - Concrete RAC: FAILURE (postcondition at "bench/check-ce/ref_mono.mlw", line 48, characters 2-8) - Abstract RAC: FAILURE (loop invariant init at "bench/check-ce/ref_mono.mlw", line 51, characters 14-36) File "bench/check-ce/ref_mono.mlw", line 51, characters 14-36: Sub-goal Loop invariant init of goal test_loop'vc. Prover result is: Unknown or time/memory/step limit. Sorry, we don't have a good counterexample for you :( File "bench/check-ce/ref_mono.mlw", line 52, characters 12-14: Sub-goal Loop variant decrease of goal test_loop'vc. Prover result is: Valid. Categorizations of models: - Checked model 0: BAD_CE - Concrete RAC: FAILURE (postcondition at "bench/check-ce/ref_mono.mlw", line 48, characters 2-8) - Abstract RAC: FAILURE (loop invariant init at "bench/check-ce/ref_mono.mlw", line 51, characters 14-36) - Selected model 1: BAD_CE - Concrete RAC: FAILURE (postcondition at "bench/check-ce/ref_mono.mlw", line 48, characters 2-8) - Abstract RAC: FAILURE (loop invariant init at "bench/check-ce/ref_mono.mlw", line 51, characters 14-36) File "bench/check-ce/ref_mono.mlw", line 51, characters 14-36: Sub-goal Loop invariant preservation of goal test_loop'vc. Prover result is: Unknown or time/memory/step limit. Sorry, we don't have a good counterexample for you :( Categorizations of models: - Checked model 0: BAD_CE - Concrete RAC: FAILURE (postcondition at "bench/check-ce/ref_mono.mlw", line 48, characters 2-8) - Abstract RAC: FAILURE (loop invariant init at "bench/check-ce/ref_mono.mlw", line 51, characters 14-36) - Selected model 1: BAD_CE - Concrete RAC: FAILURE (postcondition at "bench/check-ce/ref_mono.mlw", line 48, characters 2-8) - Abstract RAC: FAILURE (loop invariant init at "bench/check-ce/ref_mono.mlw", line 51, characters 14-36) File "bench/check-ce/ref_mono.mlw", line 45, characters 12-23: Sub-goal Postcondition of goal test_loop'vc. Prover result is: Unknown or time/memory/step limit. Sorry, we don't have a good counterexample for you :( why3-1.6.0/bench/check-ce/oracles/ref_mono_CVC5,1.0.0_WP.oracle000066400000000000000000000212061440160026300233700ustar00rootroot00000000000000File "bench/check-ce/ref_mono.mlw", line 7, characters 39-55: Sub-goal Postcondition of goal ref1'vc. Prover result is: Valid. File "bench/check-ce/ref_mono.mlw", line 9, characters 29-40: Sub-goal Postcondition of goal prefix !'vc. Prover result is: Valid. File "bench/check-ce/ref_mono.mlw", line 11, characters 38-44: Sub-goal Postcondition of goal infix :='vc. Prover result is: Valid. Categorizations of models: - Selected model 0: NC - Concrete RAC: FAILURE (postcondition at "bench/check-ce/ref_mono.mlw", line 21, characters 14-25) - Abstract RAC: FAILURE (postcondition at "bench/check-ce/ref_mono.mlw", line 21, characters 14-25) - Checked model 1: NC - Concrete RAC: FAILURE (postcondition at "bench/check-ce/ref_mono.mlw", line 21, characters 14-25) - Abstract RAC: FAILURE (postcondition at "bench/check-ce/ref_mono.mlw", line 21, characters 14-25) File "bench/check-ce/ref_mono.mlw", line 21, characters 14-25: Sub-goal Postcondition of goal test_post'vc. Prover result is: Unknown or time/memory/step limit. The program does not comply to the verification goal, for example during the following execution: File int.mlw: Line 13: Constant zero initialization zero = 0 Line 14: Constant one initialization one = 1 File ref_mono.mlw: Line 20: x = 0 y = {contents= (- 1)} x = 0 y = {contents= (- 1)} Execution of main function `test_post` with env: x = 0 y = {contents= (- 1)} zero = 0 one = 1 Line 23: Normal execution of function `(!)` with args: r = {contents= (- 1)} Line 9: Normal execution of function `contents` with args: arg = {contents= (- 1)} Line 23: Normal execution of function `(-)` with args: x = 0 y = 1 File int.mlw: Line 23: Normal execution of function `(-_)` with args: _ = 1 Normal execution of function `(+)` with args: _ = 0 _ = (-1) File ref_mono.mlw: Line 23: Normal execution of function `(+)` with args: _ = (-1) _ = (- 1) Normal execution of function `(:=)` with args: r = {contents= (- 1)} v = (-2) Line 21: Property failure at postcondition of `test_post` with: x = 0 y = {contents= (- 1)} Categorizations of models: - Selected model 0: NC - Concrete RAC: FAILURE (postcondition at "bench/check-ce/ref_mono.mlw", line 27, characters 14-29) - Abstract RAC: FAILURE (postcondition at "bench/check-ce/ref_mono.mlw", line 27, characters 14-29) - Checked model 1: NC - Concrete RAC: FAILURE (postcondition at "bench/check-ce/ref_mono.mlw", line 27, characters 14-29) - Abstract RAC: FAILURE (postcondition at "bench/check-ce/ref_mono.mlw", line 27, characters 14-29) File "bench/check-ce/ref_mono.mlw", line 27, characters 14-29: Sub-goal Postcondition of goal test_post2'vc. Prover result is: Unknown or time/memory/step limit. The program does not comply to the verification goal, for example during the following execution: File int.mlw: Line 13: Constant zero initialization zero = 0 Line 14: Constant one initialization one = 1 File ref_mono.mlw: Line 25: x = 43 y = {contents= 0} x = 43 y = {contents= 0} Execution of main function `test_post2` with env: x = 43 y = {contents= 0} zero = 0 one = 1 Line 29: Normal execution of function `(!)` with args: r = {contents= 0} Line 9: Normal execution of function `contents` with args: arg = {contents= 0} Line 29: Normal execution of function `(-)` with args: x = 43 y = 1 File int.mlw: Line 23: Normal execution of function `(-_)` with args: _ = 1 Normal execution of function `(+)` with args: _ = 43 _ = (-1) File ref_mono.mlw: Line 29: Normal execution of function `(+)` with args: _ = 42 _ = 0 Normal execution of function `(:=)` with args: r = {contents= 0} v = 42 Line 27: Property failure at postcondition of `test_post2` with: x = 43 y = {contents= 42} y = {contents= 0} Categorizations of models: - Selected model 0: NC - Concrete RAC: FAILURE (postcondition at "bench/check-ce/ref_mono.mlw", line 38, characters 12-36) - Abstract RAC: FAILURE (postcondition at "bench/check-ce/ref_mono.mlw", line 38, characters 12-36) - Checked model 1: NC - Concrete RAC: FAILURE (postcondition at "bench/check-ce/ref_mono.mlw", line 38, characters 12-36) - Abstract RAC: FAILURE (postcondition at "bench/check-ce/ref_mono.mlw", line 38, characters 12-36) File "bench/check-ce/ref_mono.mlw", line 38, characters 12-36: Sub-goal Postcondition of goal incr'vc. Prover result is: Unknown or time/memory/step limit. The program does not comply to the verification goal, for example during the following execution: File int.mlw: Line 13: Constant zero initialization zero = 0 Line 14: Constant one initialization one = 1 File ref_mono.mlw: Line 35: y = {contents= (- 1)} Line 37: x23 = {contents= 0} x23 = {contents= 0} Execution of main function `incr` with env: y = {contents= (- 1)} x23 = {contents= 0} zero = 0 one = 1 Line 40: Normal execution of function `(!)` with args: r = {contents= (- 1)} Line 9: Normal execution of function `contents` with args: arg = {contents= (- 1)} Line 40: Normal execution of function `(+)` with args: _ = (- 1) _ = 1 Normal execution of function `(:=)` with args: r = {contents= (- 1)} v = 0 Line 41: Normal execution of function `(!)` with args: r = {contents= 0} Line 9: Normal execution of function `contents` with args: arg = {contents= 0} Line 41: Normal execution of function `(+)` with args: _ = 0 _ = 1 Normal execution of function `(:=)` with args: r = {contents= 0} v = 1 Line 42: Normal execution of function `(!)` with args: r = {contents= 1} Line 9: Normal execution of function `contents` with args: arg = {contents= 1} Line 42: Normal execution of function `(+)` with args: _ = 1 _ = 1 Normal execution of function `(:=)` with args: r = {contents= 1} v = 2 Line 38: Property failure at postcondition of `incr` with: x23 = {contents= 2} x23 = {contents= 0} y = {contents= (- 1)} Categorizations of models: - Checked model 0: BAD_CE - Concrete RAC: FAILURE (postcondition at "bench/check-ce/ref_mono.mlw", line 48, characters 2-8) - Abstract RAC: FAILURE (loop invariant init at "bench/check-ce/ref_mono.mlw", line 51, characters 14-36) - Selected model 1: BAD_CE - Concrete RAC: FAILURE (postcondition at "bench/check-ce/ref_mono.mlw", line 48, characters 2-8) - Abstract RAC: FAILURE (loop invariant init at "bench/check-ce/ref_mono.mlw", line 51, characters 14-36) File "bench/check-ce/ref_mono.mlw", line 51, characters 14-36: Sub-goal Loop invariant init of goal test_loop'vc. Prover result is: Unknown or time/memory/step limit. Sorry, we don't have a good counterexample for you :( File "bench/check-ce/ref_mono.mlw", line 52, characters 12-14: Sub-goal Loop variant decrease of goal test_loop'vc. Prover result is: Valid. Categorizations of models: - Checked model 0: BAD_CE - Concrete RAC: FAILURE (postcondition at "bench/check-ce/ref_mono.mlw", line 48, characters 2-8) - Abstract RAC: FAILURE (loop invariant init at "bench/check-ce/ref_mono.mlw", line 51, characters 14-36) - Selected model 1: BAD_CE - Concrete RAC: FAILURE (postcondition at "bench/check-ce/ref_mono.mlw", line 48, characters 2-8) - Abstract RAC: FAILURE (loop invariant init at "bench/check-ce/ref_mono.mlw", line 51, characters 14-36) File "bench/check-ce/ref_mono.mlw", line 51, characters 14-36: Sub-goal Loop invariant preservation of goal test_loop'vc. Prover result is: Unknown or time/memory/step limit. Sorry, we don't have a good counterexample for you :( Categorizations of models: - Checked model 0: BAD_CE - Concrete RAC: FAILURE (postcondition at "bench/check-ce/ref_mono.mlw", line 48, characters 2-8) - Abstract RAC: FAILURE (loop invariant init at "bench/check-ce/ref_mono.mlw", line 51, characters 14-36) - Selected model 1: BAD_CE - Concrete RAC: FAILURE (postcondition at "bench/check-ce/ref_mono.mlw", line 48, characters 2-8) - Abstract RAC: FAILURE (loop invariant init at "bench/check-ce/ref_mono.mlw", line 51, characters 14-36) File "bench/check-ce/ref_mono.mlw", line 45, characters 12-23: Sub-goal Postcondition of goal test_loop'vc. Prover result is: Unknown or time/memory/step limit. Sorry, we don't have a good counterexample for you :( why3-1.6.0/bench/check-ce/oracles/ref_mono_Z3,4.8.10_SP.oracle000066400000000000000000000302251440160026300232550ustar00rootroot00000000000000File "bench/check-ce/ref_mono.mlw", line 7, characters 39-55: Sub-goal Postcondition of goal ref1'vc. Prover result is: Valid. File "bench/check-ce/ref_mono.mlw", line 9, characters 29-40: Sub-goal Postcondition of goal prefix !'vc. Prover result is: Valid. File "bench/check-ce/ref_mono.mlw", line 11, characters 38-44: Sub-goal Postcondition of goal infix :='vc. Prover result is: Valid. Categorizations of models: - Selected model 0: NC - Concrete RAC: FAILURE (postcondition at "bench/check-ce/ref_mono.mlw", line 21, characters 14-25) - Abstract RAC: FAILURE (postcondition at "bench/check-ce/ref_mono.mlw", line 21, characters 14-25) - Checked model 1: BAD_CE - Concrete RAC: NORMAL - Abstract RAC: STUCK (failure in postcondition of `(:=)` at "bench/check-ce/ref_mono.mlw", line 11, characters 38-44) File "bench/check-ce/ref_mono.mlw", line 21, characters 14-25: Sub-goal Postcondition of goal test_post'vc. Prover result is: Unknown or time/memory/step limit. The program does not comply to the verification goal, for example during the following execution: File int.mlw: Line 13: Constant zero initialization zero = 0 Line 14: Constant one initialization one = 1 File ref_mono.mlw: Line 20: x = 0 y = {contents= (- 1)} x = 0 y = {contents= (- 1)} Execution of main function `test_post` with env: x = 0 y = {contents= (- 1)} zero = 0 one = 1 Line 23: Normal execution of function `(!)` with args: r = {contents= (- 1)} Line 9: Normal execution of function `contents` with args: arg = {contents= (- 1)} Line 23: Normal execution of function `(-)` with args: x = 0 y = 1 File int.mlw: Line 23: Normal execution of function `(-_)` with args: _ = 1 Normal execution of function `(+)` with args: _ = 0 _ = (-1) File ref_mono.mlw: Line 23: Normal execution of function `(+)` with args: _ = (-1) _ = (- 1) Normal execution of function `(:=)` with args: r = {contents= (- 1)} v = (-2) Line 21: Property failure at postcondition of `test_post` with: x = 0 y = {contents= (- 1)} Categorizations of models: - Selected model 0: NC - Concrete RAC: FAILURE (postcondition at "bench/check-ce/ref_mono.mlw", line 27, characters 14-29) - Abstract RAC: FAILURE (postcondition at "bench/check-ce/ref_mono.mlw", line 27, characters 14-29) - Checked model 1: BAD_CE - Concrete RAC: STUCK (failure in precondition of `test_post2` at "bench/check-ce/ref_mono.mlw", line 25, characters 6-16) - Abstract RAC: STUCK (failure in precondition of `test_post2` at "bench/check-ce/ref_mono.mlw", line 25, characters 6-16) File "bench/check-ce/ref_mono.mlw", line 27, characters 14-29: Sub-goal Postcondition of goal test_post2'vc. Prover result is: Unknown or time/memory/step limit. The program does not comply to the verification goal, for example during the following execution: File int.mlw: Line 13: Constant zero initialization zero = 0 Line 14: Constant one initialization one = 1 File ref_mono.mlw: Line 25: x = 43 y = {contents= 0} x = 43 y = {contents= 0} Execution of main function `test_post2` with env: x = 43 y = {contents= 0} zero = 0 one = 1 Line 29: Normal execution of function `(!)` with args: r = {contents= 0} Line 9: Normal execution of function `contents` with args: arg = {contents= 0} Line 29: Normal execution of function `(-)` with args: x = 43 y = 1 File int.mlw: Line 23: Normal execution of function `(-_)` with args: _ = 1 Normal execution of function `(+)` with args: _ = 43 _ = (-1) File ref_mono.mlw: Line 29: Normal execution of function `(+)` with args: _ = 42 _ = 0 Normal execution of function `(:=)` with args: r = {contents= 0} v = 42 Line 27: Property failure at postcondition of `test_post2` with: x = 43 y = {contents= 42} y = {contents= 0} Categorizations of models: - Selected model 0: NC - Concrete RAC: FAILURE (postcondition at "bench/check-ce/ref_mono.mlw", line 38, characters 12-36) - Abstract RAC: FAILURE (postcondition at "bench/check-ce/ref_mono.mlw", line 38, characters 12-36) - Checked model 1: BAD_CE - Concrete RAC: NORMAL - Abstract RAC: STUCK (failure in postcondition of `(:=)` at "bench/check-ce/ref_mono.mlw", line 11, characters 38-44) File "bench/check-ce/ref_mono.mlw", line 38, characters 12-36: Sub-goal Postcondition of goal incr'vc. Prover result is: Unknown or time/memory/step limit. The program does not comply to the verification goal, for example during the following execution: File int.mlw: Line 13: Constant zero initialization zero = 0 Line 14: Constant one initialization one = 1 File ref_mono.mlw: Line 35: y = {contents= (- 1)} Line 37: x23 = {contents= 174} x23 = {contents= 174} Execution of main function `incr` with env: y = {contents= (- 1)} x23 = {contents= 174} zero = 0 one = 1 Line 40: Normal execution of function `(!)` with args: r = {contents= (- 1)} Line 9: Normal execution of function `contents` with args: arg = {contents= (- 1)} Line 40: Normal execution of function `(+)` with args: _ = (- 1) _ = 1 Normal execution of function `(:=)` with args: r = {contents= (- 1)} v = 0 Line 41: Normal execution of function `(!)` with args: r = {contents= 174} Line 9: Normal execution of function `contents` with args: arg = {contents= 174} Line 41: Normal execution of function `(+)` with args: _ = 174 _ = 1 Normal execution of function `(:=)` with args: r = {contents= 174} v = 175 Line 42: Normal execution of function `(!)` with args: r = {contents= 175} Line 9: Normal execution of function `contents` with args: arg = {contents= 175} Line 42: Normal execution of function `(+)` with args: _ = 175 _ = 1 Normal execution of function `(:=)` with args: r = {contents= 175} v = 176 Line 38: Property failure at postcondition of `incr` with: x23 = {contents= 176} x23 = {contents= 174} y = {contents= (- 1)} Categorizations of models: - Checked model 0: BAD_CE - Concrete RAC: FAILURE (postcondition at "bench/check-ce/ref_mono.mlw", line 48, characters 2-8) - Abstract RAC: FAILURE (loop invariant init at "bench/check-ce/ref_mono.mlw", line 51, characters 14-36) - Selected model 1: NC - Concrete RAC: FAILURE (loop invariant init at "bench/check-ce/ref_mono.mlw", line 51, characters 14-36) - Abstract RAC: STUCK (failure in postcondition of `incr` at "bench/check-ce/ref_mono.mlw", line 38, characters 12-36) File "bench/check-ce/ref_mono.mlw", line 51, characters 14-36: Sub-goal Loop invariant init of goal test_loop'vc. Prover result is: Unknown or time/memory/step limit. The program does not comply to the verification goal, for example during the following execution: File int.mlw: Line 13: Constant zero initialization zero = 0 Line 14: Constant one initialization one = 1 File ref_mono.mlw: Line 35: Constant y initialization (giant-step) execution of unimplemented function with args: result = {contents= 0} y = {contents= 0} Line 44: x = {contents= 0} x = {contents= 0} Execution of main function `test_loop` with env: y = {contents= 0} x = {contents= 0} zero = 0 one = 1 Line 48: Normal execution of function `incr` with args: x23 = {contents= 0} Line 40: Normal execution of function `(!)` with args: r = {contents= 0} Line 9: Normal execution of function `contents` with args: arg = {contents= 0} Line 40: Normal execution of function `(+)` with args: _ = 0 _ = 1 Normal execution of function `(:=)` with args: r = {contents= 0} v = 1 Line 41: Normal execution of function `(!)` with args: r = {contents= 0} Line 9: Normal execution of function `contents` with args: arg = {contents= 0} Line 41: Normal execution of function `(+)` with args: _ = 0 _ = 1 Normal execution of function `(:=)` with args: r = {contents= 0} v = 1 Line 42: Normal execution of function `(!)` with args: r = {contents= 1} Line 9: Normal execution of function `contents` with args: arg = {contents= 1} Line 42: Normal execution of function `(+)` with args: _ = 1 _ = 1 Normal execution of function `(:=)` with args: r = {contents= 1} v = 2 Line 51: Property failure at loop invariant init with: x = {contents= 2} x = ref1'mk 0 x = ref1'mk 2 File "bench/check-ce/ref_mono.mlw", line 52, characters 12-14: Sub-goal Loop variant decrease of goal test_loop'vc. Prover result is: Valid. Categorizations of models: - Checked model 0: BAD_CE - Concrete RAC: FAILURE (postcondition at "bench/check-ce/ref_mono.mlw", line 48, characters 2-8) - Abstract RAC: FAILURE (loop invariant init at "bench/check-ce/ref_mono.mlw", line 51, characters 14-36) - Selected model 1: NC - Concrete RAC: FAILURE (loop invariant init at "bench/check-ce/ref_mono.mlw", line 51, characters 14-36) - Abstract RAC: STUCK (failure in postcondition of `incr` at "bench/check-ce/ref_mono.mlw", line 38, characters 12-36) File "bench/check-ce/ref_mono.mlw", line 51, characters 14-36: Sub-goal Loop invariant preservation of goal test_loop'vc. Prover result is: Unknown or time/memory/step limit. The program does not comply to the verification goal, for example during the following execution: File int.mlw: Line 13: Constant zero initialization zero = 0 Line 14: Constant one initialization one = 1 File ref_mono.mlw: Line 35: Constant y initialization (giant-step) execution of unimplemented function with args: result = {contents= 0} y = {contents= 0} Line 44: x = {contents= 0} x = {contents= 0} Execution of main function `test_loop` with env: y = {contents= 0} x = {contents= 0} zero = 0 one = 1 Line 48: Normal execution of function `incr` with args: x23 = {contents= 0} Line 40: Normal execution of function `(!)` with args: r = {contents= 0} Line 9: Normal execution of function `contents` with args: arg = {contents= 0} Line 40: Normal execution of function `(+)` with args: _ = 0 _ = 1 Normal execution of function `(:=)` with args: r = {contents= 0} v = 1 Line 41: Normal execution of function `(!)` with args: r = {contents= 0} Line 9: Normal execution of function `contents` with args: arg = {contents= 0} Line 41: Normal execution of function `(+)` with args: _ = 0 _ = 1 Normal execution of function `(:=)` with args: r = {contents= 0} v = 1 Line 42: Normal execution of function `(!)` with args: r = {contents= 1} Line 9: Normal execution of function `contents` with args: arg = {contents= 1} Line 42: Normal execution of function `(+)` with args: _ = 1 _ = 1 Normal execution of function `(:=)` with args: r = {contents= 1} v = 2 Line 51: Property failure at loop invariant init with: x = {contents= 2} x = ref1'mk 0 x = ref1'mk 2 Categorizations of models: - Selected model 0: BAD_CE - Concrete RAC: FAILURE (postcondition at "bench/check-ce/ref_mono.mlw", line 48, characters 2-8) - Abstract RAC: FAILURE (loop invariant init at "bench/check-ce/ref_mono.mlw", line 51, characters 14-36) - Checked model 1: BAD_CE - Concrete RAC: FAILURE (loop invariant init at "bench/check-ce/ref_mono.mlw", line 51, characters 14-36) - Abstract RAC: STUCK (failure in postcondition of `incr` at "bench/check-ce/ref_mono.mlw", line 38, characters 12-36) File "bench/check-ce/ref_mono.mlw", line 45, characters 12-23: Sub-goal Postcondition of goal test_loop'vc. Prover result is: Unknown or time/memory/step limit. Sorry, we don't have a good counterexample for you :( why3-1.6.0/bench/check-ce/oracles/ref_mono_Z3,4.8.10_WP.oracle000066400000000000000000000302251440160026300232610ustar00rootroot00000000000000File "bench/check-ce/ref_mono.mlw", line 7, characters 39-55: Sub-goal Postcondition of goal ref1'vc. Prover result is: Valid. File "bench/check-ce/ref_mono.mlw", line 9, characters 29-40: Sub-goal Postcondition of goal prefix !'vc. Prover result is: Valid. File "bench/check-ce/ref_mono.mlw", line 11, characters 38-44: Sub-goal Postcondition of goal infix :='vc. Prover result is: Valid. Categorizations of models: - Selected model 0: NC - Concrete RAC: FAILURE (postcondition at "bench/check-ce/ref_mono.mlw", line 21, characters 14-25) - Abstract RAC: FAILURE (postcondition at "bench/check-ce/ref_mono.mlw", line 21, characters 14-25) - Checked model 1: BAD_CE - Concrete RAC: NORMAL - Abstract RAC: STUCK (failure in postcondition of `(:=)` at "bench/check-ce/ref_mono.mlw", line 11, characters 38-44) File "bench/check-ce/ref_mono.mlw", line 21, characters 14-25: Sub-goal Postcondition of goal test_post'vc. Prover result is: Unknown or time/memory/step limit. The program does not comply to the verification goal, for example during the following execution: File int.mlw: Line 13: Constant zero initialization zero = 0 Line 14: Constant one initialization one = 1 File ref_mono.mlw: Line 20: x = 0 y = {contents= (- 1)} x = 0 y = {contents= (- 1)} Execution of main function `test_post` with env: x = 0 y = {contents= (- 1)} zero = 0 one = 1 Line 23: Normal execution of function `(!)` with args: r = {contents= (- 1)} Line 9: Normal execution of function `contents` with args: arg = {contents= (- 1)} Line 23: Normal execution of function `(-)` with args: x = 0 y = 1 File int.mlw: Line 23: Normal execution of function `(-_)` with args: _ = 1 Normal execution of function `(+)` with args: _ = 0 _ = (-1) File ref_mono.mlw: Line 23: Normal execution of function `(+)` with args: _ = (-1) _ = (- 1) Normal execution of function `(:=)` with args: r = {contents= (- 1)} v = (-2) Line 21: Property failure at postcondition of `test_post` with: x = 0 y = {contents= (- 1)} Categorizations of models: - Selected model 0: NC - Concrete RAC: FAILURE (postcondition at "bench/check-ce/ref_mono.mlw", line 27, characters 14-29) - Abstract RAC: FAILURE (postcondition at "bench/check-ce/ref_mono.mlw", line 27, characters 14-29) - Checked model 1: BAD_CE - Concrete RAC: STUCK (failure in precondition of `test_post2` at "bench/check-ce/ref_mono.mlw", line 25, characters 6-16) - Abstract RAC: STUCK (failure in precondition of `test_post2` at "bench/check-ce/ref_mono.mlw", line 25, characters 6-16) File "bench/check-ce/ref_mono.mlw", line 27, characters 14-29: Sub-goal Postcondition of goal test_post2'vc. Prover result is: Unknown or time/memory/step limit. The program does not comply to the verification goal, for example during the following execution: File int.mlw: Line 13: Constant zero initialization zero = 0 Line 14: Constant one initialization one = 1 File ref_mono.mlw: Line 25: x = 43 y = {contents= 0} x = 43 y = {contents= 0} Execution of main function `test_post2` with env: x = 43 y = {contents= 0} zero = 0 one = 1 Line 29: Normal execution of function `(!)` with args: r = {contents= 0} Line 9: Normal execution of function `contents` with args: arg = {contents= 0} Line 29: Normal execution of function `(-)` with args: x = 43 y = 1 File int.mlw: Line 23: Normal execution of function `(-_)` with args: _ = 1 Normal execution of function `(+)` with args: _ = 43 _ = (-1) File ref_mono.mlw: Line 29: Normal execution of function `(+)` with args: _ = 42 _ = 0 Normal execution of function `(:=)` with args: r = {contents= 0} v = 42 Line 27: Property failure at postcondition of `test_post2` with: x = 43 y = {contents= 42} y = {contents= 0} Categorizations of models: - Selected model 0: NC - Concrete RAC: FAILURE (postcondition at "bench/check-ce/ref_mono.mlw", line 38, characters 12-36) - Abstract RAC: FAILURE (postcondition at "bench/check-ce/ref_mono.mlw", line 38, characters 12-36) - Checked model 1: BAD_CE - Concrete RAC: NORMAL - Abstract RAC: STUCK (failure in postcondition of `(:=)` at "bench/check-ce/ref_mono.mlw", line 11, characters 38-44) File "bench/check-ce/ref_mono.mlw", line 38, characters 12-36: Sub-goal Postcondition of goal incr'vc. Prover result is: Unknown or time/memory/step limit. The program does not comply to the verification goal, for example during the following execution: File int.mlw: Line 13: Constant zero initialization zero = 0 Line 14: Constant one initialization one = 1 File ref_mono.mlw: Line 35: y = {contents= (- 1)} Line 37: x23 = {contents= 174} x23 = {contents= 174} Execution of main function `incr` with env: y = {contents= (- 1)} x23 = {contents= 174} zero = 0 one = 1 Line 40: Normal execution of function `(!)` with args: r = {contents= (- 1)} Line 9: Normal execution of function `contents` with args: arg = {contents= (- 1)} Line 40: Normal execution of function `(+)` with args: _ = (- 1) _ = 1 Normal execution of function `(:=)` with args: r = {contents= (- 1)} v = 0 Line 41: Normal execution of function `(!)` with args: r = {contents= 174} Line 9: Normal execution of function `contents` with args: arg = {contents= 174} Line 41: Normal execution of function `(+)` with args: _ = 174 _ = 1 Normal execution of function `(:=)` with args: r = {contents= 174} v = 175 Line 42: Normal execution of function `(!)` with args: r = {contents= 175} Line 9: Normal execution of function `contents` with args: arg = {contents= 175} Line 42: Normal execution of function `(+)` with args: _ = 175 _ = 1 Normal execution of function `(:=)` with args: r = {contents= 175} v = 176 Line 38: Property failure at postcondition of `incr` with: x23 = {contents= 176} x23 = {contents= 174} y = {contents= (- 1)} Categorizations of models: - Checked model 0: BAD_CE - Concrete RAC: FAILURE (postcondition at "bench/check-ce/ref_mono.mlw", line 48, characters 2-8) - Abstract RAC: FAILURE (loop invariant init at "bench/check-ce/ref_mono.mlw", line 51, characters 14-36) - Selected model 1: NC - Concrete RAC: FAILURE (loop invariant init at "bench/check-ce/ref_mono.mlw", line 51, characters 14-36) - Abstract RAC: STUCK (failure in postcondition of `incr` at "bench/check-ce/ref_mono.mlw", line 38, characters 12-36) File "bench/check-ce/ref_mono.mlw", line 51, characters 14-36: Sub-goal Loop invariant init of goal test_loop'vc. Prover result is: Unknown or time/memory/step limit. The program does not comply to the verification goal, for example during the following execution: File int.mlw: Line 13: Constant zero initialization zero = 0 Line 14: Constant one initialization one = 1 File ref_mono.mlw: Line 35: Constant y initialization (giant-step) execution of unimplemented function with args: result = {contents= 0} y = {contents= 0} Line 44: x = {contents= 0} x = {contents= 0} Execution of main function `test_loop` with env: y = {contents= 0} x = {contents= 0} zero = 0 one = 1 Line 48: Normal execution of function `incr` with args: x23 = {contents= 0} Line 40: Normal execution of function `(!)` with args: r = {contents= 0} Line 9: Normal execution of function `contents` with args: arg = {contents= 0} Line 40: Normal execution of function `(+)` with args: _ = 0 _ = 1 Normal execution of function `(:=)` with args: r = {contents= 0} v = 1 Line 41: Normal execution of function `(!)` with args: r = {contents= 0} Line 9: Normal execution of function `contents` with args: arg = {contents= 0} Line 41: Normal execution of function `(+)` with args: _ = 0 _ = 1 Normal execution of function `(:=)` with args: r = {contents= 0} v = 1 Line 42: Normal execution of function `(!)` with args: r = {contents= 1} Line 9: Normal execution of function `contents` with args: arg = {contents= 1} Line 42: Normal execution of function `(+)` with args: _ = 1 _ = 1 Normal execution of function `(:=)` with args: r = {contents= 1} v = 2 Line 51: Property failure at loop invariant init with: x = {contents= 2} x = ref1'mk 0 x = ref1'mk 2 File "bench/check-ce/ref_mono.mlw", line 52, characters 12-14: Sub-goal Loop variant decrease of goal test_loop'vc. Prover result is: Valid. Categorizations of models: - Checked model 0: BAD_CE - Concrete RAC: FAILURE (postcondition at "bench/check-ce/ref_mono.mlw", line 48, characters 2-8) - Abstract RAC: FAILURE (loop invariant init at "bench/check-ce/ref_mono.mlw", line 51, characters 14-36) - Selected model 1: NC - Concrete RAC: FAILURE (loop invariant init at "bench/check-ce/ref_mono.mlw", line 51, characters 14-36) - Abstract RAC: STUCK (failure in postcondition of `incr` at "bench/check-ce/ref_mono.mlw", line 38, characters 12-36) File "bench/check-ce/ref_mono.mlw", line 51, characters 14-36: Sub-goal Loop invariant preservation of goal test_loop'vc. Prover result is: Unknown or time/memory/step limit. The program does not comply to the verification goal, for example during the following execution: File int.mlw: Line 13: Constant zero initialization zero = 0 Line 14: Constant one initialization one = 1 File ref_mono.mlw: Line 35: Constant y initialization (giant-step) execution of unimplemented function with args: result = {contents= 0} y = {contents= 0} Line 44: x = {contents= 0} x = {contents= 0} Execution of main function `test_loop` with env: y = {contents= 0} x = {contents= 0} zero = 0 one = 1 Line 48: Normal execution of function `incr` with args: x23 = {contents= 0} Line 40: Normal execution of function `(!)` with args: r = {contents= 0} Line 9: Normal execution of function `contents` with args: arg = {contents= 0} Line 40: Normal execution of function `(+)` with args: _ = 0 _ = 1 Normal execution of function `(:=)` with args: r = {contents= 0} v = 1 Line 41: Normal execution of function `(!)` with args: r = {contents= 0} Line 9: Normal execution of function `contents` with args: arg = {contents= 0} Line 41: Normal execution of function `(+)` with args: _ = 0 _ = 1 Normal execution of function `(:=)` with args: r = {contents= 0} v = 1 Line 42: Normal execution of function `(!)` with args: r = {contents= 1} Line 9: Normal execution of function `contents` with args: arg = {contents= 1} Line 42: Normal execution of function `(+)` with args: _ = 1 _ = 1 Normal execution of function `(:=)` with args: r = {contents= 1} v = 2 Line 51: Property failure at loop invariant init with: x = {contents= 2} x = ref1'mk 0 x = ref1'mk 2 Categorizations of models: - Selected model 0: BAD_CE - Concrete RAC: FAILURE (postcondition at "bench/check-ce/ref_mono.mlw", line 48, characters 2-8) - Abstract RAC: FAILURE (loop invariant init at "bench/check-ce/ref_mono.mlw", line 51, characters 14-36) - Checked model 1: BAD_CE - Concrete RAC: FAILURE (loop invariant init at "bench/check-ce/ref_mono.mlw", line 51, characters 14-36) - Abstract RAC: STUCK (failure in postcondition of `incr` at "bench/check-ce/ref_mono.mlw", line 38, characters 12-36) File "bench/check-ce/ref_mono.mlw", line 45, characters 12-23: Sub-goal Postcondition of goal test_loop'vc. Prover result is: Unknown or time/memory/step limit. Sorry, we don't have a good counterexample for you :( why3-1.6.0/bench/check-ce/oracles/result_CVC4,1.8_SP.oracle000066400000000000000000000075321440160026300227550ustar00rootroot00000000000000Categorizations of models: - Selected model 0: NC - Concrete RAC: FAILURE (postcondition at "bench/check-ce/result.mlw", line 11, characters 15-38) - Abstract RAC: FAILURE (postcondition at "bench/check-ce/result.mlw", line 11, characters 15-38) - Checked model 1: NC - Concrete RAC: FAILURE (postcondition at "bench/check-ce/result.mlw", line 11, characters 15-38) - Abstract RAC: FAILURE (postcondition at "bench/check-ce/result.mlw", line 11, characters 15-38) File "bench/check-ce/result.mlw", line 11, characters 15-38: Sub-goal Postcondition of goal p1'vc. Prover result is: Unknown or time/memory/step limit. The program does not comply to the verification goal, for example during the following execution: File int.mlw: Line 13: Constant zero initialization zero = 0 Line 14: Constant one initialization one = 1 File result.mlw: Line 7: a = {contents= 0} Line 9: b = {contents= 3} b = {contents= 3} Execution of main function `p1` with env: a = {contents= 0} b = {contents= 3} zero = 0 one = 1 Line 12: Normal execution of function `(!)` with args: r = {contents= 3} File ref.mlw: Line 18: Normal execution of function `contents` with args: arg = {contents= 3} File result.mlw: Line 12: Normal execution of function `(!)` with args: r = {contents= 0} File ref.mlw: Line 18: Normal execution of function `contents` with args: arg = {contents= 0} File result.mlw: Line 12: Normal execution of function `(+)` with args: _ = 0 _ = 3 Normal execution of function `(:=)` with args: r = {contents= 0} v = 3 Line 13: Normal execution of function `(!)` with args: r = {contents= 3} File ref.mlw: Line 18: Normal execution of function `contents` with args: arg = {contents= 3} File result.mlw: Line 13: Normal execution of function `(+)` with args: _ = 3 _ = 1 Line 11: Property failure at postcondition of `p1` with: a = {contents= 3} result = 4 Categorizations of models: - Selected model 0: NC - Concrete RAC: FAILURE (postcondition at "bench/check-ce/result.mlw", line 18, characters 12-36) - Abstract RAC: FAILURE (postcondition at "bench/check-ce/result.mlw", line 18, characters 12-36) - Checked model 1: NC - Concrete RAC: FAILURE (postcondition at "bench/check-ce/result.mlw", line 18, characters 12-36) - Abstract RAC: FAILURE (postcondition at "bench/check-ce/result.mlw", line 18, characters 12-36) File "bench/check-ce/result.mlw", line 18, characters 12-36: Sub-goal Postcondition of goal f'vc. Prover result is: Unknown or time/memory/step limit. The program does not comply to the verification goal, for example during the following execution: File int.mlw: Line 13: Constant zero initialization zero = 0 Line 14: Constant one initialization one = 1 File result.mlw: Line 7: Constant a initialization (giant-step) execution of unimplemented function with args: result = {contents= 0} a = {contents= 0} Line 16: a = {contents= 42} a = {contents= 42} Execution of main function `f` with env: a = {contents= 0} a = {contents= 42} zero = 0 one = 1 Line 19: Normal execution of function `(:=)` with args: r = {contents= 42} v = 0 Line 20: Normal execution of function `(:=)` with args: r = {contents= 0} v = 1 Line 21: Normal execution of function `(!)` with args: r = {contents= 1} File ref.mlw: Line 18: Normal execution of function `contents` with args: arg = {contents= 1} File result.mlw: Line 21: Normal execution of function `(+)` with args: _ = 1 _ = 1 Line 18: Property failure at postcondition of `f` with: a = {contents= 1} a = {contents= 42} result = 2 why3-1.6.0/bench/check-ce/oracles/result_CVC4,1.8_WP.oracle000066400000000000000000000075321440160026300227610ustar00rootroot00000000000000Categorizations of models: - Selected model 0: NC - Concrete RAC: FAILURE (postcondition at "bench/check-ce/result.mlw", line 11, characters 15-38) - Abstract RAC: FAILURE (postcondition at "bench/check-ce/result.mlw", line 11, characters 15-38) - Checked model 1: NC - Concrete RAC: FAILURE (postcondition at "bench/check-ce/result.mlw", line 11, characters 15-38) - Abstract RAC: FAILURE (postcondition at "bench/check-ce/result.mlw", line 11, characters 15-38) File "bench/check-ce/result.mlw", line 11, characters 15-38: Sub-goal Postcondition of goal p1'vc. Prover result is: Unknown or time/memory/step limit. The program does not comply to the verification goal, for example during the following execution: File int.mlw: Line 13: Constant zero initialization zero = 0 Line 14: Constant one initialization one = 1 File result.mlw: Line 7: a = {contents= 0} Line 9: b = {contents= 3} b = {contents= 3} Execution of main function `p1` with env: a = {contents= 0} b = {contents= 3} zero = 0 one = 1 Line 12: Normal execution of function `(!)` with args: r = {contents= 3} File ref.mlw: Line 18: Normal execution of function `contents` with args: arg = {contents= 3} File result.mlw: Line 12: Normal execution of function `(!)` with args: r = {contents= 0} File ref.mlw: Line 18: Normal execution of function `contents` with args: arg = {contents= 0} File result.mlw: Line 12: Normal execution of function `(+)` with args: _ = 0 _ = 3 Normal execution of function `(:=)` with args: r = {contents= 0} v = 3 Line 13: Normal execution of function `(!)` with args: r = {contents= 3} File ref.mlw: Line 18: Normal execution of function `contents` with args: arg = {contents= 3} File result.mlw: Line 13: Normal execution of function `(+)` with args: _ = 3 _ = 1 Line 11: Property failure at postcondition of `p1` with: a = {contents= 3} result = 4 Categorizations of models: - Selected model 0: NC - Concrete RAC: FAILURE (postcondition at "bench/check-ce/result.mlw", line 18, characters 12-36) - Abstract RAC: FAILURE (postcondition at "bench/check-ce/result.mlw", line 18, characters 12-36) - Checked model 1: NC - Concrete RAC: FAILURE (postcondition at "bench/check-ce/result.mlw", line 18, characters 12-36) - Abstract RAC: FAILURE (postcondition at "bench/check-ce/result.mlw", line 18, characters 12-36) File "bench/check-ce/result.mlw", line 18, characters 12-36: Sub-goal Postcondition of goal f'vc. Prover result is: Unknown or time/memory/step limit. The program does not comply to the verification goal, for example during the following execution: File int.mlw: Line 13: Constant zero initialization zero = 0 Line 14: Constant one initialization one = 1 File result.mlw: Line 7: Constant a initialization (giant-step) execution of unimplemented function with args: result = {contents= 0} a = {contents= 0} Line 16: a = {contents= 42} a = {contents= 42} Execution of main function `f` with env: a = {contents= 0} a = {contents= 42} zero = 0 one = 1 Line 19: Normal execution of function `(:=)` with args: r = {contents= 42} v = 0 Line 20: Normal execution of function `(:=)` with args: r = {contents= 0} v = 1 Line 21: Normal execution of function `(!)` with args: r = {contents= 1} File ref.mlw: Line 18: Normal execution of function `contents` with args: arg = {contents= 1} File result.mlw: Line 21: Normal execution of function `(+)` with args: _ = 1 _ = 1 Line 18: Property failure at postcondition of `f` with: a = {contents= 1} a = {contents= 42} result = 2 why3-1.6.0/bench/check-ce/oracles/result_CVC5,1.0.0_SP.oracle000066400000000000000000000075321440160026300231040ustar00rootroot00000000000000Categorizations of models: - Selected model 0: NC - Concrete RAC: FAILURE (postcondition at "bench/check-ce/result.mlw", line 11, characters 15-38) - Abstract RAC: FAILURE (postcondition at "bench/check-ce/result.mlw", line 11, characters 15-38) - Checked model 1: NC - Concrete RAC: FAILURE (postcondition at "bench/check-ce/result.mlw", line 11, characters 15-38) - Abstract RAC: FAILURE (postcondition at "bench/check-ce/result.mlw", line 11, characters 15-38) File "bench/check-ce/result.mlw", line 11, characters 15-38: Sub-goal Postcondition of goal p1'vc. Prover result is: Unknown or time/memory/step limit. The program does not comply to the verification goal, for example during the following execution: File int.mlw: Line 13: Constant zero initialization zero = 0 Line 14: Constant one initialization one = 1 File result.mlw: Line 7: a = {contents= 0} Line 9: b = {contents= 3} b = {contents= 3} Execution of main function `p1` with env: a = {contents= 0} b = {contents= 3} zero = 0 one = 1 Line 12: Normal execution of function `(!)` with args: r = {contents= 3} File ref.mlw: Line 18: Normal execution of function `contents` with args: arg = {contents= 3} File result.mlw: Line 12: Normal execution of function `(!)` with args: r = {contents= 0} File ref.mlw: Line 18: Normal execution of function `contents` with args: arg = {contents= 0} File result.mlw: Line 12: Normal execution of function `(+)` with args: _ = 0 _ = 3 Normal execution of function `(:=)` with args: r = {contents= 0} v = 3 Line 13: Normal execution of function `(!)` with args: r = {contents= 3} File ref.mlw: Line 18: Normal execution of function `contents` with args: arg = {contents= 3} File result.mlw: Line 13: Normal execution of function `(+)` with args: _ = 3 _ = 1 Line 11: Property failure at postcondition of `p1` with: a = {contents= 3} result = 4 Categorizations of models: - Selected model 0: NC - Concrete RAC: FAILURE (postcondition at "bench/check-ce/result.mlw", line 18, characters 12-36) - Abstract RAC: FAILURE (postcondition at "bench/check-ce/result.mlw", line 18, characters 12-36) - Checked model 1: NC - Concrete RAC: FAILURE (postcondition at "bench/check-ce/result.mlw", line 18, characters 12-36) - Abstract RAC: FAILURE (postcondition at "bench/check-ce/result.mlw", line 18, characters 12-36) File "bench/check-ce/result.mlw", line 18, characters 12-36: Sub-goal Postcondition of goal f'vc. Prover result is: Unknown or time/memory/step limit. The program does not comply to the verification goal, for example during the following execution: File int.mlw: Line 13: Constant zero initialization zero = 0 Line 14: Constant one initialization one = 1 File result.mlw: Line 7: Constant a initialization (giant-step) execution of unimplemented function with args: result = {contents= 0} a = {contents= 0} Line 16: a = {contents= 42} a = {contents= 42} Execution of main function `f` with env: a = {contents= 0} a = {contents= 42} zero = 0 one = 1 Line 19: Normal execution of function `(:=)` with args: r = {contents= 42} v = 0 Line 20: Normal execution of function `(:=)` with args: r = {contents= 0} v = 1 Line 21: Normal execution of function `(!)` with args: r = {contents= 1} File ref.mlw: Line 18: Normal execution of function `contents` with args: arg = {contents= 1} File result.mlw: Line 21: Normal execution of function `(+)` with args: _ = 1 _ = 1 Line 18: Property failure at postcondition of `f` with: a = {contents= 1} a = {contents= 42} result = 2 why3-1.6.0/bench/check-ce/oracles/result_CVC5,1.0.0_WP.oracle000066400000000000000000000075321440160026300231100ustar00rootroot00000000000000Categorizations of models: - Selected model 0: NC - Concrete RAC: FAILURE (postcondition at "bench/check-ce/result.mlw", line 11, characters 15-38) - Abstract RAC: FAILURE (postcondition at "bench/check-ce/result.mlw", line 11, characters 15-38) - Checked model 1: NC - Concrete RAC: FAILURE (postcondition at "bench/check-ce/result.mlw", line 11, characters 15-38) - Abstract RAC: FAILURE (postcondition at "bench/check-ce/result.mlw", line 11, characters 15-38) File "bench/check-ce/result.mlw", line 11, characters 15-38: Sub-goal Postcondition of goal p1'vc. Prover result is: Unknown or time/memory/step limit. The program does not comply to the verification goal, for example during the following execution: File int.mlw: Line 13: Constant zero initialization zero = 0 Line 14: Constant one initialization one = 1 File result.mlw: Line 7: a = {contents= 0} Line 9: b = {contents= 3} b = {contents= 3} Execution of main function `p1` with env: a = {contents= 0} b = {contents= 3} zero = 0 one = 1 Line 12: Normal execution of function `(!)` with args: r = {contents= 3} File ref.mlw: Line 18: Normal execution of function `contents` with args: arg = {contents= 3} File result.mlw: Line 12: Normal execution of function `(!)` with args: r = {contents= 0} File ref.mlw: Line 18: Normal execution of function `contents` with args: arg = {contents= 0} File result.mlw: Line 12: Normal execution of function `(+)` with args: _ = 0 _ = 3 Normal execution of function `(:=)` with args: r = {contents= 0} v = 3 Line 13: Normal execution of function `(!)` with args: r = {contents= 3} File ref.mlw: Line 18: Normal execution of function `contents` with args: arg = {contents= 3} File result.mlw: Line 13: Normal execution of function `(+)` with args: _ = 3 _ = 1 Line 11: Property failure at postcondition of `p1` with: a = {contents= 3} result = 4 Categorizations of models: - Selected model 0: NC - Concrete RAC: FAILURE (postcondition at "bench/check-ce/result.mlw", line 18, characters 12-36) - Abstract RAC: FAILURE (postcondition at "bench/check-ce/result.mlw", line 18, characters 12-36) - Checked model 1: NC - Concrete RAC: FAILURE (postcondition at "bench/check-ce/result.mlw", line 18, characters 12-36) - Abstract RAC: FAILURE (postcondition at "bench/check-ce/result.mlw", line 18, characters 12-36) File "bench/check-ce/result.mlw", line 18, characters 12-36: Sub-goal Postcondition of goal f'vc. Prover result is: Unknown or time/memory/step limit. The program does not comply to the verification goal, for example during the following execution: File int.mlw: Line 13: Constant zero initialization zero = 0 Line 14: Constant one initialization one = 1 File result.mlw: Line 7: Constant a initialization (giant-step) execution of unimplemented function with args: result = {contents= 0} a = {contents= 0} Line 16: a = {contents= 42} a = {contents= 42} Execution of main function `f` with env: a = {contents= 0} a = {contents= 42} zero = 0 one = 1 Line 19: Normal execution of function `(:=)` with args: r = {contents= 42} v = 0 Line 20: Normal execution of function `(:=)` with args: r = {contents= 0} v = 1 Line 21: Normal execution of function `(!)` with args: r = {contents= 1} File ref.mlw: Line 18: Normal execution of function `contents` with args: arg = {contents= 1} File result.mlw: Line 21: Normal execution of function `(+)` with args: _ = 1 _ = 1 Line 18: Property failure at postcondition of `f` with: a = {contents= 1} a = {contents= 42} result = 2 why3-1.6.0/bench/check-ce/oracles/result_Z3,4.8.10_SP.oracle000066400000000000000000000076421440160026300227760ustar00rootroot00000000000000Categorizations of models: - Selected model 0: NC - Concrete RAC: FAILURE (postcondition at "bench/check-ce/result.mlw", line 11, characters 15-38) - Abstract RAC: FAILURE (postcondition at "bench/check-ce/result.mlw", line 11, characters 15-38) - Checked model 1: BAD_CE - Concrete RAC: STUCK (failure in precondition of `p1` at "bench/check-ce/result.mlw", line 9, characters 6-8) - Abstract RAC: STUCK (failure in precondition of `p1` at "bench/check-ce/result.mlw", line 9, characters 6-8) File "bench/check-ce/result.mlw", line 11, characters 15-38: Sub-goal Postcondition of goal p1'vc. Prover result is: Unknown or time/memory/step limit. The program does not comply to the verification goal, for example during the following execution: File int.mlw: Line 13: Constant zero initialization zero = 0 Line 14: Constant one initialization one = 1 File result.mlw: Line 7: a = {contents= 4} Line 9: b = {contents= 17} b = {contents= 17} Execution of main function `p1` with env: a = {contents= 4} b = {contents= 17} zero = 0 one = 1 Line 12: Normal execution of function `(!)` with args: r = {contents= 17} File ref.mlw: Line 18: Normal execution of function `contents` with args: arg = {contents= 17} File result.mlw: Line 12: Normal execution of function `(!)` with args: r = {contents= 4} File ref.mlw: Line 18: Normal execution of function `contents` with args: arg = {contents= 4} File result.mlw: Line 12: Normal execution of function `(+)` with args: _ = 4 _ = 17 Normal execution of function `(:=)` with args: r = {contents= 4} v = 21 Line 13: Normal execution of function `(!)` with args: r = {contents= 21} File ref.mlw: Line 18: Normal execution of function `contents` with args: arg = {contents= 21} File result.mlw: Line 13: Normal execution of function `(+)` with args: _ = 21 _ = 1 Line 11: Property failure at postcondition of `p1` with: a = {contents= 21} result = 22 Categorizations of models: - Selected model 0: NC - Concrete RAC: FAILURE (postcondition at "bench/check-ce/result.mlw", line 18, characters 12-36) - Abstract RAC: FAILURE (postcondition at "bench/check-ce/result.mlw", line 18, characters 12-36) - Checked model 1: BAD_CE - Concrete RAC: STUCK (failure in precondition of `f` at "bench/check-ce/result.mlw", line 16, characters 4-5) - Abstract RAC: STUCK (failure in precondition of `f` at "bench/check-ce/result.mlw", line 16, characters 4-5) File "bench/check-ce/result.mlw", line 18, characters 12-36: Sub-goal Postcondition of goal f'vc. Prover result is: Unknown or time/memory/step limit. The program does not comply to the verification goal, for example during the following execution: File int.mlw: Line 13: Constant zero initialization zero = 0 Line 14: Constant one initialization one = 1 File result.mlw: Line 7: Constant a initialization (giant-step) execution of unimplemented function with args: result = {contents= 0} a = {contents= 0} Line 16: a = {contents= 42} a = {contents= 42} Execution of main function `f` with env: a = {contents= 0} a = {contents= 42} zero = 0 one = 1 Line 19: Normal execution of function `(:=)` with args: r = {contents= 42} v = 0 Line 20: Normal execution of function `(:=)` with args: r = {contents= 0} v = 1 Line 21: Normal execution of function `(!)` with args: r = {contents= 1} File ref.mlw: Line 18: Normal execution of function `contents` with args: arg = {contents= 1} File result.mlw: Line 21: Normal execution of function `(+)` with args: _ = 1 _ = 1 Line 18: Property failure at postcondition of `f` with: a = {contents= 1} a = {contents= 42} result = 2 why3-1.6.0/bench/check-ce/oracles/result_Z3,4.8.10_WP.oracle000066400000000000000000000076421440160026300230020ustar00rootroot00000000000000Categorizations of models: - Selected model 0: NC - Concrete RAC: FAILURE (postcondition at "bench/check-ce/result.mlw", line 11, characters 15-38) - Abstract RAC: FAILURE (postcondition at "bench/check-ce/result.mlw", line 11, characters 15-38) - Checked model 1: BAD_CE - Concrete RAC: STUCK (failure in precondition of `p1` at "bench/check-ce/result.mlw", line 9, characters 6-8) - Abstract RAC: STUCK (failure in precondition of `p1` at "bench/check-ce/result.mlw", line 9, characters 6-8) File "bench/check-ce/result.mlw", line 11, characters 15-38: Sub-goal Postcondition of goal p1'vc. Prover result is: Unknown or time/memory/step limit. The program does not comply to the verification goal, for example during the following execution: File int.mlw: Line 13: Constant zero initialization zero = 0 Line 14: Constant one initialization one = 1 File result.mlw: Line 7: a = {contents= 4} Line 9: b = {contents= 17} b = {contents= 17} Execution of main function `p1` with env: a = {contents= 4} b = {contents= 17} zero = 0 one = 1 Line 12: Normal execution of function `(!)` with args: r = {contents= 17} File ref.mlw: Line 18: Normal execution of function `contents` with args: arg = {contents= 17} File result.mlw: Line 12: Normal execution of function `(!)` with args: r = {contents= 4} File ref.mlw: Line 18: Normal execution of function `contents` with args: arg = {contents= 4} File result.mlw: Line 12: Normal execution of function `(+)` with args: _ = 4 _ = 17 Normal execution of function `(:=)` with args: r = {contents= 4} v = 21 Line 13: Normal execution of function `(!)` with args: r = {contents= 21} File ref.mlw: Line 18: Normal execution of function `contents` with args: arg = {contents= 21} File result.mlw: Line 13: Normal execution of function `(+)` with args: _ = 21 _ = 1 Line 11: Property failure at postcondition of `p1` with: a = {contents= 21} result = 22 Categorizations of models: - Selected model 0: NC - Concrete RAC: FAILURE (postcondition at "bench/check-ce/result.mlw", line 18, characters 12-36) - Abstract RAC: FAILURE (postcondition at "bench/check-ce/result.mlw", line 18, characters 12-36) - Checked model 1: BAD_CE - Concrete RAC: STUCK (failure in precondition of `f` at "bench/check-ce/result.mlw", line 16, characters 4-5) - Abstract RAC: STUCK (failure in precondition of `f` at "bench/check-ce/result.mlw", line 16, characters 4-5) File "bench/check-ce/result.mlw", line 18, characters 12-36: Sub-goal Postcondition of goal f'vc. Prover result is: Unknown or time/memory/step limit. The program does not comply to the verification goal, for example during the following execution: File int.mlw: Line 13: Constant zero initialization zero = 0 Line 14: Constant one initialization one = 1 File result.mlw: Line 7: Constant a initialization (giant-step) execution of unimplemented function with args: result = {contents= 0} a = {contents= 0} Line 16: a = {contents= 42} a = {contents= 42} Execution of main function `f` with env: a = {contents= 0} a = {contents= 42} zero = 0 one = 1 Line 19: Normal execution of function `(:=)` with args: r = {contents= 42} v = 0 Line 20: Normal execution of function `(:=)` with args: r = {contents= 0} v = 1 Line 21: Normal execution of function `(!)` with args: r = {contents= 1} File ref.mlw: Line 18: Normal execution of function `contents` with args: arg = {contents= 1} File result.mlw: Line 21: Normal execution of function `(+)` with args: _ = 1 _ = 1 Line 18: Property failure at postcondition of `f` with: a = {contents= 1} a = {contents= 42} result = 2 why3-1.6.0/bench/check-ce/oracles/return_value_below_if_when_vc_sp_CVC4,1.8_SP.oracle000066400000000000000000000026461440160026300302340ustar00rootroot00000000000000Categorizations of models: - Selected model 0: NC - Concrete RAC: FAILURE (postcondition at "bench/check-ce/return_value_below_if_when_vc_sp.mlw", line 7, characters 12-65) - Abstract RAC: FAILURE (postcondition at "bench/check-ce/return_value_below_if_when_vc_sp.mlw", line 7, characters 12-65) - Checked model 1: NC - Concrete RAC: FAILURE (postcondition at "bench/check-ce/return_value_below_if_when_vc_sp.mlw", line 7, characters 12-65) - Abstract RAC: FAILURE (postcondition at "bench/check-ce/return_value_below_if_when_vc_sp.mlw", line 7, characters 12-65) File "bench/check-ce/return_value_below_if_when_vc_sp.mlw", line 7, characters 12-65: Sub-goal Postcondition of goal f'vc. Prover result is: Unknown (sat). The program does not comply to the verification goal, for example during the following execution: File int.mlw: Line 13: Constant zero initialization zero = 0 Line 14: Constant one initialization one = 1 File return_value_below_if_when_vc_sp.mlw: Line 6: b = true y = 42 b = true y = 42 Execution of main function `f` with env: b = true y = 42 zero = 0 one = 1 Line 8: (giant-step) execution of unimplemented function `bool_neq` x = 42 y = 0 result of `bool_neq` = true Line 7: Property failure at postcondition of `f` with: True = UNDEFINED b = true y = 42 result = true why3-1.6.0/bench/check-ce/oracles/return_value_below_if_when_vc_sp_CVC4,1.8_WP.oracle000066400000000000000000000026461440160026300302400ustar00rootroot00000000000000Categorizations of models: - Selected model 0: NC - Concrete RAC: FAILURE (postcondition at "bench/check-ce/return_value_below_if_when_vc_sp.mlw", line 7, characters 12-65) - Abstract RAC: FAILURE (postcondition at "bench/check-ce/return_value_below_if_when_vc_sp.mlw", line 7, characters 12-65) - Checked model 1: NC - Concrete RAC: FAILURE (postcondition at "bench/check-ce/return_value_below_if_when_vc_sp.mlw", line 7, characters 12-65) - Abstract RAC: FAILURE (postcondition at "bench/check-ce/return_value_below_if_when_vc_sp.mlw", line 7, characters 12-65) File "bench/check-ce/return_value_below_if_when_vc_sp.mlw", line 7, characters 12-65: Sub-goal Postcondition of goal f'vc. Prover result is: Unknown (sat). The program does not comply to the verification goal, for example during the following execution: File int.mlw: Line 13: Constant zero initialization zero = 0 Line 14: Constant one initialization one = 1 File return_value_below_if_when_vc_sp.mlw: Line 6: b = true y = 42 b = true y = 42 Execution of main function `f` with env: b = true y = 42 zero = 0 one = 1 Line 8: (giant-step) execution of unimplemented function `bool_neq` x = 42 y = 0 result of `bool_neq` = true Line 7: Property failure at postcondition of `f` with: True = UNDEFINED b = true y = 42 result = true why3-1.6.0/bench/check-ce/oracles/return_value_below_if_when_vc_sp_CVC5,1.0.0_SP.oracle000066400000000000000000000026461440160026300303630ustar00rootroot00000000000000Categorizations of models: - Selected model 0: NC - Concrete RAC: FAILURE (postcondition at "bench/check-ce/return_value_below_if_when_vc_sp.mlw", line 7, characters 12-65) - Abstract RAC: FAILURE (postcondition at "bench/check-ce/return_value_below_if_when_vc_sp.mlw", line 7, characters 12-65) - Checked model 1: NC - Concrete RAC: FAILURE (postcondition at "bench/check-ce/return_value_below_if_when_vc_sp.mlw", line 7, characters 12-65) - Abstract RAC: FAILURE (postcondition at "bench/check-ce/return_value_below_if_when_vc_sp.mlw", line 7, characters 12-65) File "bench/check-ce/return_value_below_if_when_vc_sp.mlw", line 7, characters 12-65: Sub-goal Postcondition of goal f'vc. Prover result is: Unknown (sat). The program does not comply to the verification goal, for example during the following execution: File int.mlw: Line 13: Constant zero initialization zero = 0 Line 14: Constant one initialization one = 1 File return_value_below_if_when_vc_sp.mlw: Line 6: b = true y = 42 b = true y = 42 Execution of main function `f` with env: b = true y = 42 zero = 0 one = 1 Line 8: (giant-step) execution of unimplemented function `bool_neq` x = 42 y = 0 result of `bool_neq` = true Line 7: Property failure at postcondition of `f` with: True = UNDEFINED b = true y = 42 result = true why3-1.6.0/bench/check-ce/oracles/return_value_below_if_when_vc_sp_CVC5,1.0.0_WP.oracle000066400000000000000000000026461440160026300303670ustar00rootroot00000000000000Categorizations of models: - Selected model 0: NC - Concrete RAC: FAILURE (postcondition at "bench/check-ce/return_value_below_if_when_vc_sp.mlw", line 7, characters 12-65) - Abstract RAC: FAILURE (postcondition at "bench/check-ce/return_value_below_if_when_vc_sp.mlw", line 7, characters 12-65) - Checked model 1: NC - Concrete RAC: FAILURE (postcondition at "bench/check-ce/return_value_below_if_when_vc_sp.mlw", line 7, characters 12-65) - Abstract RAC: FAILURE (postcondition at "bench/check-ce/return_value_below_if_when_vc_sp.mlw", line 7, characters 12-65) File "bench/check-ce/return_value_below_if_when_vc_sp.mlw", line 7, characters 12-65: Sub-goal Postcondition of goal f'vc. Prover result is: Unknown (sat). The program does not comply to the verification goal, for example during the following execution: File int.mlw: Line 13: Constant zero initialization zero = 0 Line 14: Constant one initialization one = 1 File return_value_below_if_when_vc_sp.mlw: Line 6: b = true y = 42 b = true y = 42 Execution of main function `f` with env: b = true y = 42 zero = 0 one = 1 Line 8: (giant-step) execution of unimplemented function `bool_neq` x = 42 y = 0 result of `bool_neq` = true Line 7: Property failure at postcondition of `f` with: True = UNDEFINED b = true y = 42 result = true why3-1.6.0/bench/check-ce/oracles/return_value_below_if_when_vc_sp_Z3,4.8.10_SP.oracle000066400000000000000000000026461440160026300302530ustar00rootroot00000000000000Categorizations of models: - Selected model 0: NC - Concrete RAC: FAILURE (postcondition at "bench/check-ce/return_value_below_if_when_vc_sp.mlw", line 7, characters 12-65) - Abstract RAC: FAILURE (postcondition at "bench/check-ce/return_value_below_if_when_vc_sp.mlw", line 7, characters 12-65) - Checked model 1: NC - Concrete RAC: FAILURE (postcondition at "bench/check-ce/return_value_below_if_when_vc_sp.mlw", line 7, characters 12-65) - Abstract RAC: FAILURE (postcondition at "bench/check-ce/return_value_below_if_when_vc_sp.mlw", line 7, characters 12-65) File "bench/check-ce/return_value_below_if_when_vc_sp.mlw", line 7, characters 12-65: Sub-goal Postcondition of goal f'vc. Prover result is: Unknown (sat). The program does not comply to the verification goal, for example during the following execution: File int.mlw: Line 13: Constant zero initialization zero = 0 Line 14: Constant one initialization one = 1 File return_value_below_if_when_vc_sp.mlw: Line 6: b = true y = 42 b = true y = 42 Execution of main function `f` with env: b = true y = 42 zero = 0 one = 1 Line 8: (giant-step) execution of unimplemented function `bool_neq` x = 42 y = 0 result of `bool_neq` = true Line 7: Property failure at postcondition of `f` with: True = UNDEFINED b = true y = 42 result = true why3-1.6.0/bench/check-ce/oracles/return_value_below_if_when_vc_sp_Z3,4.8.10_WP.oracle000066400000000000000000000026461440160026300302570ustar00rootroot00000000000000Categorizations of models: - Selected model 0: NC - Concrete RAC: FAILURE (postcondition at "bench/check-ce/return_value_below_if_when_vc_sp.mlw", line 7, characters 12-65) - Abstract RAC: FAILURE (postcondition at "bench/check-ce/return_value_below_if_when_vc_sp.mlw", line 7, characters 12-65) - Checked model 1: NC - Concrete RAC: FAILURE (postcondition at "bench/check-ce/return_value_below_if_when_vc_sp.mlw", line 7, characters 12-65) - Abstract RAC: FAILURE (postcondition at "bench/check-ce/return_value_below_if_when_vc_sp.mlw", line 7, characters 12-65) File "bench/check-ce/return_value_below_if_when_vc_sp.mlw", line 7, characters 12-65: Sub-goal Postcondition of goal f'vc. Prover result is: Unknown (sat). The program does not comply to the verification goal, for example during the following execution: File int.mlw: Line 13: Constant zero initialization zero = 0 Line 14: Constant one initialization one = 1 File return_value_below_if_when_vc_sp.mlw: Line 6: b = true y = 42 b = true y = 42 Execution of main function `f` with env: b = true y = 42 zero = 0 one = 1 Line 8: (giant-step) execution of unimplemented function `bool_neq` x = 42 y = 0 result of `bool_neq` = true Line 7: Property failure at postcondition of `f` with: True = UNDEFINED b = true y = 42 result = true why3-1.6.0/bench/check-ce/oracles/simple_array_CVC4,1.8_SP.oracle000066400000000000000000000022621440160026300241210ustar00rootroot00000000000000Categorizations of models: - Selected model 0: NC - Concrete RAC: FAILURE (postcondition at "bench/check-ce/simple_array.mlw", line 6, characters 3-31) - Abstract RAC: FAILURE (postcondition at "bench/check-ce/simple_array.mlw", line 6, characters 3-31) - Checked model 1: NC - Concrete RAC: FAILURE (postcondition at "bench/check-ce/simple_array.mlw", line 6, characters 3-31) - Abstract RAC: FAILURE (postcondition at "bench/check-ce/simple_array.mlw", line 6, characters 3-31) File "bench/check-ce/simple_array.mlw", line 6, characters 3-31: Goal t1. Prover result is: Unknown (sat). The program does not comply to the verification goal, for example during the following execution: File simple_array.mlw: Line 5: t = fun (x:int) -> if x = 0 then 43 else 0 i = 0 t = fun (x:int) -> if x = 0 then 43 else 0 i = 0 Execution of main function `t1'goal` with env: i = 0 t = fun (x:int) -> if x = 0 then 43 else 0 Unknown location: Normal execution of function `Tuple0` with args: File simple_array.mlw: Line 6: Property failure at postcondition of `t1'goal` with: i = 0 t = fun (x:int) -> if x = 0 then 43 else 0 why3-1.6.0/bench/check-ce/oracles/simple_array_CVC4,1.8_WP.oracle000066400000000000000000000022621440160026300241250ustar00rootroot00000000000000Categorizations of models: - Selected model 0: NC - Concrete RAC: FAILURE (postcondition at "bench/check-ce/simple_array.mlw", line 6, characters 3-31) - Abstract RAC: FAILURE (postcondition at "bench/check-ce/simple_array.mlw", line 6, characters 3-31) - Checked model 1: NC - Concrete RAC: FAILURE (postcondition at "bench/check-ce/simple_array.mlw", line 6, characters 3-31) - Abstract RAC: FAILURE (postcondition at "bench/check-ce/simple_array.mlw", line 6, characters 3-31) File "bench/check-ce/simple_array.mlw", line 6, characters 3-31: Goal t1. Prover result is: Unknown (sat). The program does not comply to the verification goal, for example during the following execution: File simple_array.mlw: Line 5: t = fun (x:int) -> if x = 0 then 43 else 0 i = 0 t = fun (x:int) -> if x = 0 then 43 else 0 i = 0 Execution of main function `t1'goal` with env: i = 0 t = fun (x:int) -> if x = 0 then 43 else 0 Unknown location: Normal execution of function `Tuple0` with args: File simple_array.mlw: Line 6: Property failure at postcondition of `t1'goal` with: i = 0 t = fun (x:int) -> if x = 0 then 43 else 0 why3-1.6.0/bench/check-ce/oracles/simple_array_CVC5,1.0.0_SP.oracle000066400000000000000000000022621440160026300242500ustar00rootroot00000000000000Categorizations of models: - Selected model 0: NC - Concrete RAC: FAILURE (postcondition at "bench/check-ce/simple_array.mlw", line 6, characters 3-31) - Abstract RAC: FAILURE (postcondition at "bench/check-ce/simple_array.mlw", line 6, characters 3-31) - Checked model 1: NC - Concrete RAC: FAILURE (postcondition at "bench/check-ce/simple_array.mlw", line 6, characters 3-31) - Abstract RAC: FAILURE (postcondition at "bench/check-ce/simple_array.mlw", line 6, characters 3-31) File "bench/check-ce/simple_array.mlw", line 6, characters 3-31: Goal t1. Prover result is: Unknown (sat). The program does not comply to the verification goal, for example during the following execution: File simple_array.mlw: Line 5: t = fun (x:int) -> if x = 0 then 43 else 0 i = 0 t = fun (x:int) -> if x = 0 then 43 else 0 i = 0 Execution of main function `t1'goal` with env: i = 0 t = fun (x:int) -> if x = 0 then 43 else 0 Unknown location: Normal execution of function `Tuple0` with args: File simple_array.mlw: Line 6: Property failure at postcondition of `t1'goal` with: i = 0 t = fun (x:int) -> if x = 0 then 43 else 0 why3-1.6.0/bench/check-ce/oracles/simple_array_CVC5,1.0.0_WP.oracle000066400000000000000000000022621440160026300242540ustar00rootroot00000000000000Categorizations of models: - Selected model 0: NC - Concrete RAC: FAILURE (postcondition at "bench/check-ce/simple_array.mlw", line 6, characters 3-31) - Abstract RAC: FAILURE (postcondition at "bench/check-ce/simple_array.mlw", line 6, characters 3-31) - Checked model 1: NC - Concrete RAC: FAILURE (postcondition at "bench/check-ce/simple_array.mlw", line 6, characters 3-31) - Abstract RAC: FAILURE (postcondition at "bench/check-ce/simple_array.mlw", line 6, characters 3-31) File "bench/check-ce/simple_array.mlw", line 6, characters 3-31: Goal t1. Prover result is: Unknown (sat). The program does not comply to the verification goal, for example during the following execution: File simple_array.mlw: Line 5: t = fun (x:int) -> if x = 0 then 43 else 0 i = 0 t = fun (x:int) -> if x = 0 then 43 else 0 i = 0 Execution of main function `t1'goal` with env: i = 0 t = fun (x:int) -> if x = 0 then 43 else 0 Unknown location: Normal execution of function `Tuple0` with args: File simple_array.mlw: Line 6: Property failure at postcondition of `t1'goal` with: i = 0 t = fun (x:int) -> if x = 0 then 43 else 0 why3-1.6.0/bench/check-ce/oracles/simple_array_Z3,4.8.10_SP.oracle000066400000000000000000000014361440160026300241420ustar00rootroot00000000000000Categorizations of models: - Checked model 0: INCOMPLETE - Concrete RAC: INCOMPLETE (terminated because Postcondition of `t1'goal` cannot be evaluated) - Abstract RAC: INCOMPLETE (terminated because Postcondition of `t1'goal` cannot be evaluated) - Selected model 1: INCOMPLETE - Concrete RAC: INCOMPLETE (terminated because Postcondition of `t1'goal1` cannot be evaluated) - Abstract RAC: INCOMPLETE (terminated because Postcondition of `t1'goal1` cannot be evaluated) File "bench/check-ce/simple_array.mlw", line 6, characters 3-31: Goal t1. Prover result is: Unknown (sat). The following counterexample model could not be verified (both RAC terminated because Postcondition of `t1'goal1` cannot be evaluated): File simple_array.mlw: Line 5: i : int = 0 why3-1.6.0/bench/check-ce/oracles/simple_array_Z3,4.8.10_WP.oracle000066400000000000000000000014361440160026300241460ustar00rootroot00000000000000Categorizations of models: - Checked model 0: INCOMPLETE - Concrete RAC: INCOMPLETE (terminated because Postcondition of `t1'goal` cannot be evaluated) - Abstract RAC: INCOMPLETE (terminated because Postcondition of `t1'goal` cannot be evaluated) - Selected model 1: INCOMPLETE - Concrete RAC: INCOMPLETE (terminated because Postcondition of `t1'goal1` cannot be evaluated) - Abstract RAC: INCOMPLETE (terminated because Postcondition of `t1'goal1` cannot be evaluated) File "bench/check-ce/simple_array.mlw", line 6, characters 3-31: Goal t1. Prover result is: Unknown (sat). The following counterexample model could not be verified (both RAC terminated because Postcondition of `t1'goal1` cannot be evaluated): File simple_array.mlw: Line 5: i : int = 0 why3-1.6.0/bench/check-ce/oracles/strings_CVC4,1.8_SP.oracle000066400000000000000000000361221440160026300231250ustar00rootroot00000000000000Categorizations of models: - Checked model 0: INCOMPLETE - Concrete RAC: INCOMPLETE (terminated because Postcondition of `T1'goal` cannot be evaluated) - Abstract RAC: INCOMPLETE (terminated because Postcondition of `T1'goal` cannot be evaluated) - Selected model 1: INCOMPLETE - Concrete RAC: INCOMPLETE (terminated because Postcondition of `T1'goal1` cannot be evaluated) - Abstract RAC: INCOMPLETE (terminated because Postcondition of `T1'goal1` cannot be evaluated) File "bench/check-ce/strings.mlw", line 6, characters 21-34: Goal T1. Prover result is: Unknown or time/memory/step limit. The following counterexample model could not be verified (both RAC terminated because Postcondition of `T1'goal1` cannot be evaluated): File strings.mlw: Line 6: s : string = "A" Categorizations of models: - Checked model 0: INCOMPLETE - Concrete RAC: INCOMPLETE (terminated because Postcondition of `T2'goal` cannot be evaluated) - Abstract RAC: INCOMPLETE (terminated because Postcondition of `T2'goal` cannot be evaluated) - Selected model 1: INCOMPLETE - Concrete RAC: INCOMPLETE (terminated because Postcondition of `T2'goal1` cannot be evaluated) - Abstract RAC: INCOMPLETE (terminated because Postcondition of `T2'goal1` cannot be evaluated) File "bench/check-ce/strings.mlw", line 7, characters 21-35: Goal T2. Prover result is: Unknown or time/memory/step limit. The following counterexample model could not be verified (both RAC terminated because Postcondition of `T2'goal1` cannot be evaluated): File strings.mlw: Line 7: s : string = "AAAA" Categorizations of models: - Checked model 0: INCOMPLETE - Concrete RAC: INCOMPLETE (terminated because Postcondition of `T3'goal` cannot be evaluated) - Abstract RAC: INCOMPLETE (terminated because Postcondition of `T3'goal` cannot be evaluated) - Selected model 1: INCOMPLETE - Concrete RAC: INCOMPLETE (terminated because Postcondition of `T3'goal1` cannot be evaluated) - Abstract RAC: INCOMPLETE (terminated because Postcondition of `T3'goal1` cannot be evaluated) File "bench/check-ce/strings.mlw", line 8, characters 25-52: Goal T3. Prover result is: Unknown or time/memory/step limit. The following counterexample model could not be verified (both RAC terminated because Postcondition of `T3'goal1` cannot be evaluated): File strings.mlw: Line 8: s1 : string = "A" s2 : string = "B" Categorizations of models: - Checked model 0: INCOMPLETE - Concrete RAC: INCOMPLETE (terminated because Precondition of `T4'goal` cannot be evaluated) - Abstract RAC: INCOMPLETE (terminated because Precondition of `T4'goal` cannot be evaluated) - Selected model 1: INCOMPLETE - Concrete RAC: INCOMPLETE (terminated because Precondition of `T4'goal1` cannot be evaluated) - Abstract RAC: INCOMPLETE (terminated because Precondition of `T4'goal1` cannot be evaluated) File "bench/check-ce/strings.mlw", line 9, characters 38-55: Goal T4. Prover result is: Unknown or time/memory/step limit. The following counterexample model could not be verified (both RAC terminated because Precondition of `T4'goal1` cannot be evaluated): File strings.mlw: Line 9: s : string = "AAAAAAAAAAA" Categorizations of models: - Checked model 0: INCOMPLETE - Concrete RAC: INCOMPLETE (terminated because Postcondition of `T5'goal` cannot be evaluated) - Abstract RAC: INCOMPLETE (terminated because Postcondition of `T5'goal` cannot be evaluated) - Selected model 1: INCOMPLETE - Concrete RAC: INCOMPLETE (terminated because Postcondition of `T5'goal1` cannot be evaluated) - Abstract RAC: INCOMPLETE (terminated because Postcondition of `T5'goal1` cannot be evaluated) File "bench/check-ce/strings.mlw", line 10, characters 59-78: Goal T5. Prover result is: Unknown or time/memory/step limit. The following counterexample model could not be verified (both RAC terminated because Postcondition of `T5'goal1` cannot be evaluated): File strings.mlw: Line 10: s : string = "aAAAAAAAAA" x : string = "b{uohu{5c}x09i" Categorizations of models: - Checked model 0: INCOMPLETE - Concrete RAC: INCOMPLETE (terminated because Postcondition of `T6'goal` cannot be evaluated) - Abstract RAC: INCOMPLETE (terminated because Postcondition of `T6'goal` cannot be evaluated) - Selected model 1: INCOMPLETE - Concrete RAC: INCOMPLETE (terminated because Postcondition of `T6'goal1` cannot be evaluated) - Abstract RAC: INCOMPLETE (terminated because Postcondition of `T6'goal1` cannot be evaluated) File "bench/check-ce/strings.mlw", line 11, characters 59-79: Goal T6. Prover result is: Unknown or time/memory/step limit. The following counterexample model could not be verified (both RAC terminated because Postcondition of `T6'goal1` cannot be evaluated): File strings.mlw: Line 11: s : string = "aAAAAAAAAAA" x : string = "b{uohu{5c}x09i" Categorizations of models: - Checked model 0: INCOMPLETE - Concrete RAC: INCOMPLETE (terminated because Postcondition of `T7'goal` cannot be evaluated) - Abstract RAC: INCOMPLETE (terminated because Postcondition of `T7'goal` cannot be evaluated) - Selected model 1: INCOMPLETE - Concrete RAC: INCOMPLETE (terminated because Postcondition of `T7'goal1` cannot be evaluated) - Abstract RAC: INCOMPLETE (terminated because Postcondition of `T7'goal1` cannot be evaluated) File "bench/check-ce/strings.mlw", line 12, characters 59-78: Goal T7. Prover result is: Unknown or time/memory/step limit. The following counterexample model could not be verified (both RAC terminated because Postcondition of `T7'goal1` cannot be evaluated): File strings.mlw: Line 12: s : string = "" x : string = "b{uohu{5c}x09i" Categorizations of models: - Checked model 0: INCOMPLETE - Concrete RAC: INCOMPLETE (terminated because Postcondition of `T8'goal` cannot be evaluated) - Abstract RAC: INCOMPLETE (terminated because Postcondition of `T8'goal` cannot be evaluated) - Selected model 1: INCOMPLETE - Concrete RAC: INCOMPLETE (terminated because Postcondition of `T8'goal1` cannot be evaluated) - Abstract RAC: INCOMPLETE (terminated because Postcondition of `T8'goal1` cannot be evaluated) File "bench/check-ce/strings.mlw", line 13, characters 59-79: Goal T8. Prover result is: Unknown or time/memory/step limit. The following counterexample model could not be verified (both RAC terminated because Postcondition of `T8'goal1` cannot be evaluated): File strings.mlw: Line 13: s : string = "" x : string = "b{uohu{5c}x09i" Categorizations of models: - Checked model 0: INCOMPLETE - Concrete RAC: INCOMPLETE (terminated because Postcondition of `T9'goal` cannot be evaluated) - Abstract RAC: INCOMPLETE (terminated because Postcondition of `T9'goal` cannot be evaluated) - Selected model 1: INCOMPLETE - Concrete RAC: INCOMPLETE (terminated because Postcondition of `T9'goal1` cannot be evaluated) - Abstract RAC: INCOMPLETE (terminated because Postcondition of `T9'goal1` cannot be evaluated) File "bench/check-ce/strings.mlw", line 14, characters 59-78: Goal T9. Prover result is: Unknown or time/memory/step limit. The following counterexample model could not be verified (both RAC terminated because Postcondition of `T9'goal1` cannot be evaluated): File strings.mlw: Line 14: s : string = "b{uohu{5c}x09i" x : string = "b{uohu{5c}x09i" Categorizations of models: - Checked model 0: INCOMPLETE - Concrete RAC: INCOMPLETE (terminated because Postcondition of `T10'goal` cannot be evaluated) - Abstract RAC: INCOMPLETE (terminated because Postcondition of `T10'goal` cannot be evaluated) - Selected model 1: INCOMPLETE - Concrete RAC: INCOMPLETE (terminated because Postcondition of `T10'goal1` cannot be evaluated) - Abstract RAC: INCOMPLETE (terminated because Postcondition of `T10'goal1` cannot be evaluated) File "bench/check-ce/strings.mlw", line 15, characters 60-80: Goal T10. Prover result is: Unknown or time/memory/step limit. The following counterexample model could not be verified (both RAC terminated because Postcondition of `T10'goal1` cannot be evaluated): File strings.mlw: Line 15: s : string = "aAAAAAAAAAA" x : string = "b{uohu{5c}x09i" Categorizations of models: - Checked model 0: INCOMPLETE - Concrete RAC: INCOMPLETE (terminated because Postcondition of `T11'goal` cannot be evaluated) - Abstract RAC: INCOMPLETE (terminated because Postcondition of `T11'goal` cannot be evaluated) - Selected model 1: INCOMPLETE - Concrete RAC: INCOMPLETE (terminated because Postcondition of `T11'goal1` cannot be evaluated) - Abstract RAC: INCOMPLETE (terminated because Postcondition of `T11'goal1` cannot be evaluated) File "bench/check-ce/strings.mlw", line 16, characters 60-79: Goal T11. Prover result is: Unknown or time/memory/step limit. The following counterexample model could not be verified (both RAC terminated because Postcondition of `T11'goal1` cannot be evaluated): File strings.mlw: Line 16: s : string = "" x : string = "b{uohu{5c}x09i" Categorizations of models: - Checked model 0: INCOMPLETE - Concrete RAC: INCOMPLETE (terminated because Postcondition of `T12'goal` cannot be evaluated) - Abstract RAC: INCOMPLETE (terminated because Postcondition of `T12'goal` cannot be evaluated) - Selected model 1: INCOMPLETE - Concrete RAC: INCOMPLETE (terminated because Postcondition of `T12'goal1` cannot be evaluated) - Abstract RAC: INCOMPLETE (terminated because Postcondition of `T12'goal1` cannot be evaluated) File "bench/check-ce/strings.mlw", line 17, characters 60-80: Goal T12. Prover result is: Unknown or time/memory/step limit. The following counterexample model could not be verified (both RAC terminated because Postcondition of `T12'goal1` cannot be evaluated): File strings.mlw: Line 17: s : string = "" x : string = "b{uohu{5c}x09i" Categorizations of models: - Selected model 0: NC - Concrete RAC: FAILURE (postcondition at "bench/check-ce/strings.mlw", line 18, characters 22-28) - Abstract RAC: FAILURE (postcondition at "bench/check-ce/strings.mlw", line 18, characters 22-28) - Checked model 1: NC - Concrete RAC: FAILURE (postcondition at "bench/check-ce/strings.mlw", line 18, characters 22-28) - Abstract RAC: FAILURE (postcondition at "bench/check-ce/strings.mlw", line 18, characters 22-28) File "bench/check-ce/strings.mlw", line 18, characters 22-28: Goal T13. Prover result is: Unknown or time/memory/step limit. The program does not comply to the verification goal, for example during the following execution: File int.mlw: Line 13: Constant zero initialization zero = 0 Line 14: Constant one initialization one = 1 File strings.mlw: Line 18: s = ("":string) s = ("":string) Execution of main function `T13'goal` with env: s = ("":string) zero = 0 one = 1 Unknown location: Normal execution of function `Tuple0` with args: File strings.mlw: Line 18: Property failure at postcondition of `T13'goal` with: s = ("":string) Categorizations of models: - Selected model 0: NC - Concrete RAC: FAILURE (postcondition at "bench/check-ce/strings.mlw", line 19, characters 22-34) - Abstract RAC: FAILURE (postcondition at "bench/check-ce/strings.mlw", line 19, characters 22-34) - Checked model 1: NC - Concrete RAC: FAILURE (postcondition at "bench/check-ce/strings.mlw", line 19, characters 22-34) - Abstract RAC: FAILURE (postcondition at "bench/check-ce/strings.mlw", line 19, characters 22-34) File "bench/check-ce/strings.mlw", line 19, characters 22-34: Goal T14. Prover result is: Unknown or time/memory/step limit. The program does not comply to the verification goal, for example during the following execution: File int.mlw: Line 13: Constant zero initialization zero = 0 Line 14: Constant one initialization one = 1 File strings.mlw: Line 19: s = ("":string) s = ("":string) Execution of main function `T14'goal` with env: s = ("":string) zero = 0 one = 1 Unknown location: Normal execution of function `Tuple0` with args: File strings.mlw: Line 19: Property failure at postcondition of `T14'goal` with: s = ("":string) Categorizations of models: - Selected model 0: NC - Concrete RAC: FAILURE (postcondition at "bench/check-ce/strings.mlw", line 20, characters 24-45) - Abstract RAC: FAILURE (postcondition at "bench/check-ce/strings.mlw", line 20, characters 24-45) - Checked model 1: NC - Concrete RAC: FAILURE (postcondition at "bench/check-ce/strings.mlw", line 20, characters 24-45) - Abstract RAC: FAILURE (postcondition at "bench/check-ce/strings.mlw", line 20, characters 24-45) File "bench/check-ce/strings.mlw", line 20, characters 24-45: Goal T15. Prover result is: Unknown or time/memory/step limit. The program does not comply to the verification goal, for example during the following execution: File int.mlw: Line 13: Constant zero initialization zero = 0 Line 14: Constant one initialization one = 1 File strings.mlw: Line 20: s = ("":string) i = 0 s = ("":string) i = 0 Execution of main function `T15'goal` with env: i = 0 s = ("":string) zero = 0 one = 1 Unknown location: Normal execution of function `Tuple0` with args: File strings.mlw: Line 20: Property failure at postcondition of `T15'goal` with: i = 0 s = ("":string) Categorizations of models: - Checked model 0: INCOMPLETE - Concrete RAC: INCOMPLETE (terminated because Postcondition of `T16'goal` cannot be evaluated) - Abstract RAC: INCOMPLETE (terminated because Postcondition of `T16'goal` cannot be evaluated) - Selected model 1: INCOMPLETE - Concrete RAC: INCOMPLETE (terminated because Postcondition of `T16'goal1` cannot be evaluated) - Abstract RAC: INCOMPLETE (terminated because Postcondition of `T16'goal1` cannot be evaluated) File "bench/check-ce/strings.mlw", line 21, characters 22-38: Goal T16. Prover result is: Unknown or time/memory/step limit. The following counterexample model could not be verified (both RAC terminated because Postcondition of `T16'goal1` cannot be evaluated): File strings.mlw: Line 21: s : string = "" Categorizations of models: - Checked model 0: INCOMPLETE - Concrete RAC: INCOMPLETE (terminated because Precondition of `T17'goal` cannot be evaluated) - Abstract RAC: INCOMPLETE (terminated because Precondition of `T17'goal` cannot be evaluated) - Selected model 1: INCOMPLETE - Concrete RAC: INCOMPLETE (terminated because Precondition of `T17'goal1` cannot be evaluated) - Abstract RAC: INCOMPLETE (terminated because Precondition of `T17'goal1` cannot be evaluated) File "bench/check-ce/strings.mlw", line 22, characters 42-54: Goal T17. Prover result is: Unknown or time/memory/step limit. The following counterexample model could not be verified (both RAC terminated because Precondition of `T17'goal1` cannot be evaluated): File strings.mlw: Line 22: s : string = "abc" why3-1.6.0/bench/check-ce/oracles/strings_CVC4,1.8_WP.oracle000066400000000000000000000361221440160026300231310ustar00rootroot00000000000000Categorizations of models: - Checked model 0: INCOMPLETE - Concrete RAC: INCOMPLETE (terminated because Postcondition of `T1'goal` cannot be evaluated) - Abstract RAC: INCOMPLETE (terminated because Postcondition of `T1'goal` cannot be evaluated) - Selected model 1: INCOMPLETE - Concrete RAC: INCOMPLETE (terminated because Postcondition of `T1'goal1` cannot be evaluated) - Abstract RAC: INCOMPLETE (terminated because Postcondition of `T1'goal1` cannot be evaluated) File "bench/check-ce/strings.mlw", line 6, characters 21-34: Goal T1. Prover result is: Unknown or time/memory/step limit. The following counterexample model could not be verified (both RAC terminated because Postcondition of `T1'goal1` cannot be evaluated): File strings.mlw: Line 6: s : string = "A" Categorizations of models: - Checked model 0: INCOMPLETE - Concrete RAC: INCOMPLETE (terminated because Postcondition of `T2'goal` cannot be evaluated) - Abstract RAC: INCOMPLETE (terminated because Postcondition of `T2'goal` cannot be evaluated) - Selected model 1: INCOMPLETE - Concrete RAC: INCOMPLETE (terminated because Postcondition of `T2'goal1` cannot be evaluated) - Abstract RAC: INCOMPLETE (terminated because Postcondition of `T2'goal1` cannot be evaluated) File "bench/check-ce/strings.mlw", line 7, characters 21-35: Goal T2. Prover result is: Unknown or time/memory/step limit. The following counterexample model could not be verified (both RAC terminated because Postcondition of `T2'goal1` cannot be evaluated): File strings.mlw: Line 7: s : string = "AAAA" Categorizations of models: - Checked model 0: INCOMPLETE - Concrete RAC: INCOMPLETE (terminated because Postcondition of `T3'goal` cannot be evaluated) - Abstract RAC: INCOMPLETE (terminated because Postcondition of `T3'goal` cannot be evaluated) - Selected model 1: INCOMPLETE - Concrete RAC: INCOMPLETE (terminated because Postcondition of `T3'goal1` cannot be evaluated) - Abstract RAC: INCOMPLETE (terminated because Postcondition of `T3'goal1` cannot be evaluated) File "bench/check-ce/strings.mlw", line 8, characters 25-52: Goal T3. Prover result is: Unknown or time/memory/step limit. The following counterexample model could not be verified (both RAC terminated because Postcondition of `T3'goal1` cannot be evaluated): File strings.mlw: Line 8: s1 : string = "A" s2 : string = "B" Categorizations of models: - Checked model 0: INCOMPLETE - Concrete RAC: INCOMPLETE (terminated because Precondition of `T4'goal` cannot be evaluated) - Abstract RAC: INCOMPLETE (terminated because Precondition of `T4'goal` cannot be evaluated) - Selected model 1: INCOMPLETE - Concrete RAC: INCOMPLETE (terminated because Precondition of `T4'goal1` cannot be evaluated) - Abstract RAC: INCOMPLETE (terminated because Precondition of `T4'goal1` cannot be evaluated) File "bench/check-ce/strings.mlw", line 9, characters 38-55: Goal T4. Prover result is: Unknown or time/memory/step limit. The following counterexample model could not be verified (both RAC terminated because Precondition of `T4'goal1` cannot be evaluated): File strings.mlw: Line 9: s : string = "AAAAAAAAAAA" Categorizations of models: - Checked model 0: INCOMPLETE - Concrete RAC: INCOMPLETE (terminated because Postcondition of `T5'goal` cannot be evaluated) - Abstract RAC: INCOMPLETE (terminated because Postcondition of `T5'goal` cannot be evaluated) - Selected model 1: INCOMPLETE - Concrete RAC: INCOMPLETE (terminated because Postcondition of `T5'goal1` cannot be evaluated) - Abstract RAC: INCOMPLETE (terminated because Postcondition of `T5'goal1` cannot be evaluated) File "bench/check-ce/strings.mlw", line 10, characters 59-78: Goal T5. Prover result is: Unknown or time/memory/step limit. The following counterexample model could not be verified (both RAC terminated because Postcondition of `T5'goal1` cannot be evaluated): File strings.mlw: Line 10: s : string = "aAAAAAAAAA" x : string = "b{uohu{5c}x09i" Categorizations of models: - Checked model 0: INCOMPLETE - Concrete RAC: INCOMPLETE (terminated because Postcondition of `T6'goal` cannot be evaluated) - Abstract RAC: INCOMPLETE (terminated because Postcondition of `T6'goal` cannot be evaluated) - Selected model 1: INCOMPLETE - Concrete RAC: INCOMPLETE (terminated because Postcondition of `T6'goal1` cannot be evaluated) - Abstract RAC: INCOMPLETE (terminated because Postcondition of `T6'goal1` cannot be evaluated) File "bench/check-ce/strings.mlw", line 11, characters 59-79: Goal T6. Prover result is: Unknown or time/memory/step limit. The following counterexample model could not be verified (both RAC terminated because Postcondition of `T6'goal1` cannot be evaluated): File strings.mlw: Line 11: s : string = "aAAAAAAAAAA" x : string = "b{uohu{5c}x09i" Categorizations of models: - Checked model 0: INCOMPLETE - Concrete RAC: INCOMPLETE (terminated because Postcondition of `T7'goal` cannot be evaluated) - Abstract RAC: INCOMPLETE (terminated because Postcondition of `T7'goal` cannot be evaluated) - Selected model 1: INCOMPLETE - Concrete RAC: INCOMPLETE (terminated because Postcondition of `T7'goal1` cannot be evaluated) - Abstract RAC: INCOMPLETE (terminated because Postcondition of `T7'goal1` cannot be evaluated) File "bench/check-ce/strings.mlw", line 12, characters 59-78: Goal T7. Prover result is: Unknown or time/memory/step limit. The following counterexample model could not be verified (both RAC terminated because Postcondition of `T7'goal1` cannot be evaluated): File strings.mlw: Line 12: s : string = "" x : string = "b{uohu{5c}x09i" Categorizations of models: - Checked model 0: INCOMPLETE - Concrete RAC: INCOMPLETE (terminated because Postcondition of `T8'goal` cannot be evaluated) - Abstract RAC: INCOMPLETE (terminated because Postcondition of `T8'goal` cannot be evaluated) - Selected model 1: INCOMPLETE - Concrete RAC: INCOMPLETE (terminated because Postcondition of `T8'goal1` cannot be evaluated) - Abstract RAC: INCOMPLETE (terminated because Postcondition of `T8'goal1` cannot be evaluated) File "bench/check-ce/strings.mlw", line 13, characters 59-79: Goal T8. Prover result is: Unknown or time/memory/step limit. The following counterexample model could not be verified (both RAC terminated because Postcondition of `T8'goal1` cannot be evaluated): File strings.mlw: Line 13: s : string = "" x : string = "b{uohu{5c}x09i" Categorizations of models: - Checked model 0: INCOMPLETE - Concrete RAC: INCOMPLETE (terminated because Postcondition of `T9'goal` cannot be evaluated) - Abstract RAC: INCOMPLETE (terminated because Postcondition of `T9'goal` cannot be evaluated) - Selected model 1: INCOMPLETE - Concrete RAC: INCOMPLETE (terminated because Postcondition of `T9'goal1` cannot be evaluated) - Abstract RAC: INCOMPLETE (terminated because Postcondition of `T9'goal1` cannot be evaluated) File "bench/check-ce/strings.mlw", line 14, characters 59-78: Goal T9. Prover result is: Unknown or time/memory/step limit. The following counterexample model could not be verified (both RAC terminated because Postcondition of `T9'goal1` cannot be evaluated): File strings.mlw: Line 14: s : string = "b{uohu{5c}x09i" x : string = "b{uohu{5c}x09i" Categorizations of models: - Checked model 0: INCOMPLETE - Concrete RAC: INCOMPLETE (terminated because Postcondition of `T10'goal` cannot be evaluated) - Abstract RAC: INCOMPLETE (terminated because Postcondition of `T10'goal` cannot be evaluated) - Selected model 1: INCOMPLETE - Concrete RAC: INCOMPLETE (terminated because Postcondition of `T10'goal1` cannot be evaluated) - Abstract RAC: INCOMPLETE (terminated because Postcondition of `T10'goal1` cannot be evaluated) File "bench/check-ce/strings.mlw", line 15, characters 60-80: Goal T10. Prover result is: Unknown or time/memory/step limit. The following counterexample model could not be verified (both RAC terminated because Postcondition of `T10'goal1` cannot be evaluated): File strings.mlw: Line 15: s : string = "aAAAAAAAAAA" x : string = "b{uohu{5c}x09i" Categorizations of models: - Checked model 0: INCOMPLETE - Concrete RAC: INCOMPLETE (terminated because Postcondition of `T11'goal` cannot be evaluated) - Abstract RAC: INCOMPLETE (terminated because Postcondition of `T11'goal` cannot be evaluated) - Selected model 1: INCOMPLETE - Concrete RAC: INCOMPLETE (terminated because Postcondition of `T11'goal1` cannot be evaluated) - Abstract RAC: INCOMPLETE (terminated because Postcondition of `T11'goal1` cannot be evaluated) File "bench/check-ce/strings.mlw", line 16, characters 60-79: Goal T11. Prover result is: Unknown or time/memory/step limit. The following counterexample model could not be verified (both RAC terminated because Postcondition of `T11'goal1` cannot be evaluated): File strings.mlw: Line 16: s : string = "" x : string = "b{uohu{5c}x09i" Categorizations of models: - Checked model 0: INCOMPLETE - Concrete RAC: INCOMPLETE (terminated because Postcondition of `T12'goal` cannot be evaluated) - Abstract RAC: INCOMPLETE (terminated because Postcondition of `T12'goal` cannot be evaluated) - Selected model 1: INCOMPLETE - Concrete RAC: INCOMPLETE (terminated because Postcondition of `T12'goal1` cannot be evaluated) - Abstract RAC: INCOMPLETE (terminated because Postcondition of `T12'goal1` cannot be evaluated) File "bench/check-ce/strings.mlw", line 17, characters 60-80: Goal T12. Prover result is: Unknown or time/memory/step limit. The following counterexample model could not be verified (both RAC terminated because Postcondition of `T12'goal1` cannot be evaluated): File strings.mlw: Line 17: s : string = "" x : string = "b{uohu{5c}x09i" Categorizations of models: - Selected model 0: NC - Concrete RAC: FAILURE (postcondition at "bench/check-ce/strings.mlw", line 18, characters 22-28) - Abstract RAC: FAILURE (postcondition at "bench/check-ce/strings.mlw", line 18, characters 22-28) - Checked model 1: NC - Concrete RAC: FAILURE (postcondition at "bench/check-ce/strings.mlw", line 18, characters 22-28) - Abstract RAC: FAILURE (postcondition at "bench/check-ce/strings.mlw", line 18, characters 22-28) File "bench/check-ce/strings.mlw", line 18, characters 22-28: Goal T13. Prover result is: Unknown or time/memory/step limit. The program does not comply to the verification goal, for example during the following execution: File int.mlw: Line 13: Constant zero initialization zero = 0 Line 14: Constant one initialization one = 1 File strings.mlw: Line 18: s = ("":string) s = ("":string) Execution of main function `T13'goal` with env: s = ("":string) zero = 0 one = 1 Unknown location: Normal execution of function `Tuple0` with args: File strings.mlw: Line 18: Property failure at postcondition of `T13'goal` with: s = ("":string) Categorizations of models: - Selected model 0: NC - Concrete RAC: FAILURE (postcondition at "bench/check-ce/strings.mlw", line 19, characters 22-34) - Abstract RAC: FAILURE (postcondition at "bench/check-ce/strings.mlw", line 19, characters 22-34) - Checked model 1: NC - Concrete RAC: FAILURE (postcondition at "bench/check-ce/strings.mlw", line 19, characters 22-34) - Abstract RAC: FAILURE (postcondition at "bench/check-ce/strings.mlw", line 19, characters 22-34) File "bench/check-ce/strings.mlw", line 19, characters 22-34: Goal T14. Prover result is: Unknown or time/memory/step limit. The program does not comply to the verification goal, for example during the following execution: File int.mlw: Line 13: Constant zero initialization zero = 0 Line 14: Constant one initialization one = 1 File strings.mlw: Line 19: s = ("":string) s = ("":string) Execution of main function `T14'goal` with env: s = ("":string) zero = 0 one = 1 Unknown location: Normal execution of function `Tuple0` with args: File strings.mlw: Line 19: Property failure at postcondition of `T14'goal` with: s = ("":string) Categorizations of models: - Selected model 0: NC - Concrete RAC: FAILURE (postcondition at "bench/check-ce/strings.mlw", line 20, characters 24-45) - Abstract RAC: FAILURE (postcondition at "bench/check-ce/strings.mlw", line 20, characters 24-45) - Checked model 1: NC - Concrete RAC: FAILURE (postcondition at "bench/check-ce/strings.mlw", line 20, characters 24-45) - Abstract RAC: FAILURE (postcondition at "bench/check-ce/strings.mlw", line 20, characters 24-45) File "bench/check-ce/strings.mlw", line 20, characters 24-45: Goal T15. Prover result is: Unknown or time/memory/step limit. The program does not comply to the verification goal, for example during the following execution: File int.mlw: Line 13: Constant zero initialization zero = 0 Line 14: Constant one initialization one = 1 File strings.mlw: Line 20: s = ("":string) i = 0 s = ("":string) i = 0 Execution of main function `T15'goal` with env: i = 0 s = ("":string) zero = 0 one = 1 Unknown location: Normal execution of function `Tuple0` with args: File strings.mlw: Line 20: Property failure at postcondition of `T15'goal` with: i = 0 s = ("":string) Categorizations of models: - Checked model 0: INCOMPLETE - Concrete RAC: INCOMPLETE (terminated because Postcondition of `T16'goal` cannot be evaluated) - Abstract RAC: INCOMPLETE (terminated because Postcondition of `T16'goal` cannot be evaluated) - Selected model 1: INCOMPLETE - Concrete RAC: INCOMPLETE (terminated because Postcondition of `T16'goal1` cannot be evaluated) - Abstract RAC: INCOMPLETE (terminated because Postcondition of `T16'goal1` cannot be evaluated) File "bench/check-ce/strings.mlw", line 21, characters 22-38: Goal T16. Prover result is: Unknown or time/memory/step limit. The following counterexample model could not be verified (both RAC terminated because Postcondition of `T16'goal1` cannot be evaluated): File strings.mlw: Line 21: s : string = "" Categorizations of models: - Checked model 0: INCOMPLETE - Concrete RAC: INCOMPLETE (terminated because Precondition of `T17'goal` cannot be evaluated) - Abstract RAC: INCOMPLETE (terminated because Precondition of `T17'goal` cannot be evaluated) - Selected model 1: INCOMPLETE - Concrete RAC: INCOMPLETE (terminated because Precondition of `T17'goal1` cannot be evaluated) - Abstract RAC: INCOMPLETE (terminated because Precondition of `T17'goal1` cannot be evaluated) File "bench/check-ce/strings.mlw", line 22, characters 42-54: Goal T17. Prover result is: Unknown or time/memory/step limit. The following counterexample model could not be verified (both RAC terminated because Precondition of `T17'goal1` cannot be evaluated): File strings.mlw: Line 22: s : string = "abc" why3-1.6.0/bench/check-ce/oracles/strings_CVC5,1.0.0_SP.oracle000066400000000000000000000361331440160026300232560ustar00rootroot00000000000000Categorizations of models: - Checked model 0: INCOMPLETE - Concrete RAC: INCOMPLETE (terminated because Postcondition of `T1'goal` cannot be evaluated) - Abstract RAC: INCOMPLETE (terminated because Postcondition of `T1'goal` cannot be evaluated) - Selected model 1: INCOMPLETE - Concrete RAC: INCOMPLETE (terminated because Postcondition of `T1'goal1` cannot be evaluated) - Abstract RAC: INCOMPLETE (terminated because Postcondition of `T1'goal1` cannot be evaluated) File "bench/check-ce/strings.mlw", line 6, characters 21-34: Goal T1. Prover result is: Unknown or time/memory/step limit. The following counterexample model could not be verified (both RAC terminated because Postcondition of `T1'goal1` cannot be evaluated): File strings.mlw: Line 6: s : string = "A" Categorizations of models: - Checked model 0: INCOMPLETE - Concrete RAC: INCOMPLETE (terminated because Postcondition of `T2'goal` cannot be evaluated) - Abstract RAC: INCOMPLETE (terminated because Postcondition of `T2'goal` cannot be evaluated) - Selected model 1: INCOMPLETE - Concrete RAC: INCOMPLETE (terminated because Postcondition of `T2'goal1` cannot be evaluated) - Abstract RAC: INCOMPLETE (terminated because Postcondition of `T2'goal1` cannot be evaluated) File "bench/check-ce/strings.mlw", line 7, characters 21-35: Goal T2. Prover result is: Unknown or time/memory/step limit. The following counterexample model could not be verified (both RAC terminated because Postcondition of `T2'goal1` cannot be evaluated): File strings.mlw: Line 7: s : string = "AAAA" Categorizations of models: - Checked model 0: INCOMPLETE - Concrete RAC: INCOMPLETE (terminated because Postcondition of `T3'goal` cannot be evaluated) - Abstract RAC: INCOMPLETE (terminated because Postcondition of `T3'goal` cannot be evaluated) - Selected model 1: INCOMPLETE - Concrete RAC: INCOMPLETE (terminated because Postcondition of `T3'goal1` cannot be evaluated) - Abstract RAC: INCOMPLETE (terminated because Postcondition of `T3'goal1` cannot be evaluated) File "bench/check-ce/strings.mlw", line 8, characters 25-52: Goal T3. Prover result is: Unknown or time/memory/step limit. The following counterexample model could not be verified (both RAC terminated because Postcondition of `T3'goal1` cannot be evaluated): File strings.mlw: Line 8: s1 : string = "A" s2 : string = "B" Categorizations of models: - Checked model 0: INCOMPLETE - Concrete RAC: INCOMPLETE (terminated because Precondition of `T4'goal` cannot be evaluated) - Abstract RAC: INCOMPLETE (terminated because Precondition of `T4'goal` cannot be evaluated) - Selected model 1: INCOMPLETE - Concrete RAC: INCOMPLETE (terminated because Precondition of `T4'goal1` cannot be evaluated) - Abstract RAC: INCOMPLETE (terminated because Precondition of `T4'goal1` cannot be evaluated) File "bench/check-ce/strings.mlw", line 9, characters 38-55: Goal T4. Prover result is: Unknown or time/memory/step limit. The following counterexample model could not be verified (both RAC terminated because Precondition of `T4'goal1` cannot be evaluated): File strings.mlw: Line 9: s : string = "AAAAAAAAAAA" Categorizations of models: - Checked model 0: INCOMPLETE - Concrete RAC: INCOMPLETE (terminated because Postcondition of `T5'goal` cannot be evaluated) - Abstract RAC: INCOMPLETE (terminated because Postcondition of `T5'goal` cannot be evaluated) - Selected model 1: INCOMPLETE - Concrete RAC: INCOMPLETE (terminated because Postcondition of `T5'goal1` cannot be evaluated) - Abstract RAC: INCOMPLETE (terminated because Postcondition of `T5'goal1` cannot be evaluated) File "bench/check-ce/strings.mlw", line 10, characters 59-78: Goal T5. Prover result is: Unknown or time/memory/step limit. The following counterexample model could not be verified (both RAC terminated because Postcondition of `T5'goal1` cannot be evaluated): File strings.mlw: Line 10: s : string = "u{0}AAAAAAAAA" x : string = "b{uohu{5c}x09i" Categorizations of models: - Checked model 0: INCOMPLETE - Concrete RAC: INCOMPLETE (terminated because Postcondition of `T6'goal` cannot be evaluated) - Abstract RAC: INCOMPLETE (terminated because Postcondition of `T6'goal` cannot be evaluated) - Selected model 1: INCOMPLETE - Concrete RAC: INCOMPLETE (terminated because Postcondition of `T6'goal1` cannot be evaluated) - Abstract RAC: INCOMPLETE (terminated because Postcondition of `T6'goal1` cannot be evaluated) File "bench/check-ce/strings.mlw", line 11, characters 59-79: Goal T6. Prover result is: Unknown or time/memory/step limit. The following counterexample model could not be verified (both RAC terminated because Postcondition of `T6'goal1` cannot be evaluated): File strings.mlw: Line 11: s : string = "u{0}AAAAAAAAAA" x : string = "b{uohu{5c}x09i" Categorizations of models: - Checked model 0: INCOMPLETE - Concrete RAC: INCOMPLETE (terminated because Postcondition of `T7'goal` cannot be evaluated) - Abstract RAC: INCOMPLETE (terminated because Postcondition of `T7'goal` cannot be evaluated) - Selected model 1: INCOMPLETE - Concrete RAC: INCOMPLETE (terminated because Postcondition of `T7'goal1` cannot be evaluated) - Abstract RAC: INCOMPLETE (terminated because Postcondition of `T7'goal1` cannot be evaluated) File "bench/check-ce/strings.mlw", line 12, characters 59-78: Goal T7. Prover result is: Unknown or time/memory/step limit. The following counterexample model could not be verified (both RAC terminated because Postcondition of `T7'goal1` cannot be evaluated): File strings.mlw: Line 12: s : string = "" x : string = "b{uohu{5c}x09i" Categorizations of models: - Checked model 0: INCOMPLETE - Concrete RAC: INCOMPLETE (terminated because Postcondition of `T8'goal` cannot be evaluated) - Abstract RAC: INCOMPLETE (terminated because Postcondition of `T8'goal` cannot be evaluated) - Selected model 1: INCOMPLETE - Concrete RAC: INCOMPLETE (terminated because Postcondition of `T8'goal1` cannot be evaluated) - Abstract RAC: INCOMPLETE (terminated because Postcondition of `T8'goal1` cannot be evaluated) File "bench/check-ce/strings.mlw", line 13, characters 59-79: Goal T8. Prover result is: Unknown or time/memory/step limit. The following counterexample model could not be verified (both RAC terminated because Postcondition of `T8'goal1` cannot be evaluated): File strings.mlw: Line 13: s : string = "" x : string = "b{uohu{5c}x09i" Categorizations of models: - Checked model 0: INCOMPLETE - Concrete RAC: INCOMPLETE (terminated because Postcondition of `T9'goal` cannot be evaluated) - Abstract RAC: INCOMPLETE (terminated because Postcondition of `T9'goal` cannot be evaluated) - Selected model 1: INCOMPLETE - Concrete RAC: INCOMPLETE (terminated because Postcondition of `T9'goal1` cannot be evaluated) - Abstract RAC: INCOMPLETE (terminated because Postcondition of `T9'goal1` cannot be evaluated) File "bench/check-ce/strings.mlw", line 14, characters 59-78: Goal T9. Prover result is: Unknown or time/memory/step limit. The following counterexample model could not be verified (both RAC terminated because Postcondition of `T9'goal1` cannot be evaluated): File strings.mlw: Line 14: s : string = "b{uohu{5c}x09i" x : string = "b{uohu{5c}x09i" Categorizations of models: - Checked model 0: INCOMPLETE - Concrete RAC: INCOMPLETE (terminated because Postcondition of `T10'goal` cannot be evaluated) - Abstract RAC: INCOMPLETE (terminated because Postcondition of `T10'goal` cannot be evaluated) - Selected model 1: INCOMPLETE - Concrete RAC: INCOMPLETE (terminated because Postcondition of `T10'goal1` cannot be evaluated) - Abstract RAC: INCOMPLETE (terminated because Postcondition of `T10'goal1` cannot be evaluated) File "bench/check-ce/strings.mlw", line 15, characters 60-80: Goal T10. Prover result is: Unknown or time/memory/step limit. The following counterexample model could not be verified (both RAC terminated because Postcondition of `T10'goal1` cannot be evaluated): File strings.mlw: Line 15: s : string = "u{0}AAAAAAAAAA" x : string = "b{uohu{5c}x09i" Categorizations of models: - Checked model 0: INCOMPLETE - Concrete RAC: INCOMPLETE (terminated because Postcondition of `T11'goal` cannot be evaluated) - Abstract RAC: INCOMPLETE (terminated because Postcondition of `T11'goal` cannot be evaluated) - Selected model 1: INCOMPLETE - Concrete RAC: INCOMPLETE (terminated because Postcondition of `T11'goal1` cannot be evaluated) - Abstract RAC: INCOMPLETE (terminated because Postcondition of `T11'goal1` cannot be evaluated) File "bench/check-ce/strings.mlw", line 16, characters 60-79: Goal T11. Prover result is: Unknown or time/memory/step limit. The following counterexample model could not be verified (both RAC terminated because Postcondition of `T11'goal1` cannot be evaluated): File strings.mlw: Line 16: s : string = "" x : string = "b{uohu{5c}x09i" Categorizations of models: - Checked model 0: INCOMPLETE - Concrete RAC: INCOMPLETE (terminated because Postcondition of `T12'goal` cannot be evaluated) - Abstract RAC: INCOMPLETE (terminated because Postcondition of `T12'goal` cannot be evaluated) - Selected model 1: INCOMPLETE - Concrete RAC: INCOMPLETE (terminated because Postcondition of `T12'goal1` cannot be evaluated) - Abstract RAC: INCOMPLETE (terminated because Postcondition of `T12'goal1` cannot be evaluated) File "bench/check-ce/strings.mlw", line 17, characters 60-80: Goal T12. Prover result is: Unknown or time/memory/step limit. The following counterexample model could not be verified (both RAC terminated because Postcondition of `T12'goal1` cannot be evaluated): File strings.mlw: Line 17: s : string = "" x : string = "b{uohu{5c}x09i" Categorizations of models: - Selected model 0: NC - Concrete RAC: FAILURE (postcondition at "bench/check-ce/strings.mlw", line 18, characters 22-28) - Abstract RAC: FAILURE (postcondition at "bench/check-ce/strings.mlw", line 18, characters 22-28) - Checked model 1: NC - Concrete RAC: FAILURE (postcondition at "bench/check-ce/strings.mlw", line 18, characters 22-28) - Abstract RAC: FAILURE (postcondition at "bench/check-ce/strings.mlw", line 18, characters 22-28) File "bench/check-ce/strings.mlw", line 18, characters 22-28: Goal T13. Prover result is: Unknown or time/memory/step limit. The program does not comply to the verification goal, for example during the following execution: File int.mlw: Line 13: Constant zero initialization zero = 0 Line 14: Constant one initialization one = 1 File strings.mlw: Line 18: s = ("":string) s = ("":string) Execution of main function `T13'goal` with env: s = ("":string) zero = 0 one = 1 Unknown location: Normal execution of function `Tuple0` with args: File strings.mlw: Line 18: Property failure at postcondition of `T13'goal` with: s = ("":string) Categorizations of models: - Selected model 0: NC - Concrete RAC: FAILURE (postcondition at "bench/check-ce/strings.mlw", line 19, characters 22-34) - Abstract RAC: FAILURE (postcondition at "bench/check-ce/strings.mlw", line 19, characters 22-34) - Checked model 1: NC - Concrete RAC: FAILURE (postcondition at "bench/check-ce/strings.mlw", line 19, characters 22-34) - Abstract RAC: FAILURE (postcondition at "bench/check-ce/strings.mlw", line 19, characters 22-34) File "bench/check-ce/strings.mlw", line 19, characters 22-34: Goal T14. Prover result is: Unknown or time/memory/step limit. The program does not comply to the verification goal, for example during the following execution: File int.mlw: Line 13: Constant zero initialization zero = 0 Line 14: Constant one initialization one = 1 File strings.mlw: Line 19: s = ("":string) s = ("":string) Execution of main function `T14'goal` with env: s = ("":string) zero = 0 one = 1 Unknown location: Normal execution of function `Tuple0` with args: File strings.mlw: Line 19: Property failure at postcondition of `T14'goal` with: s = ("":string) Categorizations of models: - Selected model 0: NC - Concrete RAC: FAILURE (postcondition at "bench/check-ce/strings.mlw", line 20, characters 24-45) - Abstract RAC: FAILURE (postcondition at "bench/check-ce/strings.mlw", line 20, characters 24-45) - Checked model 1: NC - Concrete RAC: FAILURE (postcondition at "bench/check-ce/strings.mlw", line 20, characters 24-45) - Abstract RAC: FAILURE (postcondition at "bench/check-ce/strings.mlw", line 20, characters 24-45) File "bench/check-ce/strings.mlw", line 20, characters 24-45: Goal T15. Prover result is: Unknown or time/memory/step limit. The program does not comply to the verification goal, for example during the following execution: File int.mlw: Line 13: Constant zero initialization zero = 0 Line 14: Constant one initialization one = 1 File strings.mlw: Line 20: s = ("":string) i = 0 s = ("":string) i = 0 Execution of main function `T15'goal` with env: i = 0 s = ("":string) zero = 0 one = 1 Unknown location: Normal execution of function `Tuple0` with args: File strings.mlw: Line 20: Property failure at postcondition of `T15'goal` with: i = 0 s = ("":string) Categorizations of models: - Checked model 0: INCOMPLETE - Concrete RAC: INCOMPLETE (terminated because Postcondition of `T16'goal` cannot be evaluated) - Abstract RAC: INCOMPLETE (terminated because Postcondition of `T16'goal` cannot be evaluated) - Selected model 1: INCOMPLETE - Concrete RAC: INCOMPLETE (terminated because Postcondition of `T16'goal1` cannot be evaluated) - Abstract RAC: INCOMPLETE (terminated because Postcondition of `T16'goal1` cannot be evaluated) File "bench/check-ce/strings.mlw", line 21, characters 22-38: Goal T16. Prover result is: Unknown or time/memory/step limit. The following counterexample model could not be verified (both RAC terminated because Postcondition of `T16'goal1` cannot be evaluated): File strings.mlw: Line 21: s : string = "" Categorizations of models: - Checked model 0: INCOMPLETE - Concrete RAC: INCOMPLETE (terminated because Precondition of `T17'goal` cannot be evaluated) - Abstract RAC: INCOMPLETE (terminated because Precondition of `T17'goal` cannot be evaluated) - Selected model 1: INCOMPLETE - Concrete RAC: INCOMPLETE (terminated because Precondition of `T17'goal1` cannot be evaluated) - Abstract RAC: INCOMPLETE (terminated because Precondition of `T17'goal1` cannot be evaluated) File "bench/check-ce/strings.mlw", line 22, characters 42-54: Goal T17. Prover result is: Unknown or time/memory/step limit. The following counterexample model could not be verified (both RAC terminated because Precondition of `T17'goal1` cannot be evaluated): File strings.mlw: Line 22: s : string = "abc" why3-1.6.0/bench/check-ce/oracles/strings_CVC5,1.0.0_WP.oracle000066400000000000000000000361331440160026300232620ustar00rootroot00000000000000Categorizations of models: - Checked model 0: INCOMPLETE - Concrete RAC: INCOMPLETE (terminated because Postcondition of `T1'goal` cannot be evaluated) - Abstract RAC: INCOMPLETE (terminated because Postcondition of `T1'goal` cannot be evaluated) - Selected model 1: INCOMPLETE - Concrete RAC: INCOMPLETE (terminated because Postcondition of `T1'goal1` cannot be evaluated) - Abstract RAC: INCOMPLETE (terminated because Postcondition of `T1'goal1` cannot be evaluated) File "bench/check-ce/strings.mlw", line 6, characters 21-34: Goal T1. Prover result is: Unknown or time/memory/step limit. The following counterexample model could not be verified (both RAC terminated because Postcondition of `T1'goal1` cannot be evaluated): File strings.mlw: Line 6: s : string = "A" Categorizations of models: - Checked model 0: INCOMPLETE - Concrete RAC: INCOMPLETE (terminated because Postcondition of `T2'goal` cannot be evaluated) - Abstract RAC: INCOMPLETE (terminated because Postcondition of `T2'goal` cannot be evaluated) - Selected model 1: INCOMPLETE - Concrete RAC: INCOMPLETE (terminated because Postcondition of `T2'goal1` cannot be evaluated) - Abstract RAC: INCOMPLETE (terminated because Postcondition of `T2'goal1` cannot be evaluated) File "bench/check-ce/strings.mlw", line 7, characters 21-35: Goal T2. Prover result is: Unknown or time/memory/step limit. The following counterexample model could not be verified (both RAC terminated because Postcondition of `T2'goal1` cannot be evaluated): File strings.mlw: Line 7: s : string = "AAAA" Categorizations of models: - Checked model 0: INCOMPLETE - Concrete RAC: INCOMPLETE (terminated because Postcondition of `T3'goal` cannot be evaluated) - Abstract RAC: INCOMPLETE (terminated because Postcondition of `T3'goal` cannot be evaluated) - Selected model 1: INCOMPLETE - Concrete RAC: INCOMPLETE (terminated because Postcondition of `T3'goal1` cannot be evaluated) - Abstract RAC: INCOMPLETE (terminated because Postcondition of `T3'goal1` cannot be evaluated) File "bench/check-ce/strings.mlw", line 8, characters 25-52: Goal T3. Prover result is: Unknown or time/memory/step limit. The following counterexample model could not be verified (both RAC terminated because Postcondition of `T3'goal1` cannot be evaluated): File strings.mlw: Line 8: s1 : string = "A" s2 : string = "B" Categorizations of models: - Checked model 0: INCOMPLETE - Concrete RAC: INCOMPLETE (terminated because Precondition of `T4'goal` cannot be evaluated) - Abstract RAC: INCOMPLETE (terminated because Precondition of `T4'goal` cannot be evaluated) - Selected model 1: INCOMPLETE - Concrete RAC: INCOMPLETE (terminated because Precondition of `T4'goal1` cannot be evaluated) - Abstract RAC: INCOMPLETE (terminated because Precondition of `T4'goal1` cannot be evaluated) File "bench/check-ce/strings.mlw", line 9, characters 38-55: Goal T4. Prover result is: Unknown or time/memory/step limit. The following counterexample model could not be verified (both RAC terminated because Precondition of `T4'goal1` cannot be evaluated): File strings.mlw: Line 9: s : string = "AAAAAAAAAAA" Categorizations of models: - Checked model 0: INCOMPLETE - Concrete RAC: INCOMPLETE (terminated because Postcondition of `T5'goal` cannot be evaluated) - Abstract RAC: INCOMPLETE (terminated because Postcondition of `T5'goal` cannot be evaluated) - Selected model 1: INCOMPLETE - Concrete RAC: INCOMPLETE (terminated because Postcondition of `T5'goal1` cannot be evaluated) - Abstract RAC: INCOMPLETE (terminated because Postcondition of `T5'goal1` cannot be evaluated) File "bench/check-ce/strings.mlw", line 10, characters 59-78: Goal T5. Prover result is: Unknown or time/memory/step limit. The following counterexample model could not be verified (both RAC terminated because Postcondition of `T5'goal1` cannot be evaluated): File strings.mlw: Line 10: s : string = "u{0}AAAAAAAAA" x : string = "b{uohu{5c}x09i" Categorizations of models: - Checked model 0: INCOMPLETE - Concrete RAC: INCOMPLETE (terminated because Postcondition of `T6'goal` cannot be evaluated) - Abstract RAC: INCOMPLETE (terminated because Postcondition of `T6'goal` cannot be evaluated) - Selected model 1: INCOMPLETE - Concrete RAC: INCOMPLETE (terminated because Postcondition of `T6'goal1` cannot be evaluated) - Abstract RAC: INCOMPLETE (terminated because Postcondition of `T6'goal1` cannot be evaluated) File "bench/check-ce/strings.mlw", line 11, characters 59-79: Goal T6. Prover result is: Unknown or time/memory/step limit. The following counterexample model could not be verified (both RAC terminated because Postcondition of `T6'goal1` cannot be evaluated): File strings.mlw: Line 11: s : string = "u{0}AAAAAAAAAA" x : string = "b{uohu{5c}x09i" Categorizations of models: - Checked model 0: INCOMPLETE - Concrete RAC: INCOMPLETE (terminated because Postcondition of `T7'goal` cannot be evaluated) - Abstract RAC: INCOMPLETE (terminated because Postcondition of `T7'goal` cannot be evaluated) - Selected model 1: INCOMPLETE - Concrete RAC: INCOMPLETE (terminated because Postcondition of `T7'goal1` cannot be evaluated) - Abstract RAC: INCOMPLETE (terminated because Postcondition of `T7'goal1` cannot be evaluated) File "bench/check-ce/strings.mlw", line 12, characters 59-78: Goal T7. Prover result is: Unknown or time/memory/step limit. The following counterexample model could not be verified (both RAC terminated because Postcondition of `T7'goal1` cannot be evaluated): File strings.mlw: Line 12: s : string = "" x : string = "b{uohu{5c}x09i" Categorizations of models: - Checked model 0: INCOMPLETE - Concrete RAC: INCOMPLETE (terminated because Postcondition of `T8'goal` cannot be evaluated) - Abstract RAC: INCOMPLETE (terminated because Postcondition of `T8'goal` cannot be evaluated) - Selected model 1: INCOMPLETE - Concrete RAC: INCOMPLETE (terminated because Postcondition of `T8'goal1` cannot be evaluated) - Abstract RAC: INCOMPLETE (terminated because Postcondition of `T8'goal1` cannot be evaluated) File "bench/check-ce/strings.mlw", line 13, characters 59-79: Goal T8. Prover result is: Unknown or time/memory/step limit. The following counterexample model could not be verified (both RAC terminated because Postcondition of `T8'goal1` cannot be evaluated): File strings.mlw: Line 13: s : string = "" x : string = "b{uohu{5c}x09i" Categorizations of models: - Checked model 0: INCOMPLETE - Concrete RAC: INCOMPLETE (terminated because Postcondition of `T9'goal` cannot be evaluated) - Abstract RAC: INCOMPLETE (terminated because Postcondition of `T9'goal` cannot be evaluated) - Selected model 1: INCOMPLETE - Concrete RAC: INCOMPLETE (terminated because Postcondition of `T9'goal1` cannot be evaluated) - Abstract RAC: INCOMPLETE (terminated because Postcondition of `T9'goal1` cannot be evaluated) File "bench/check-ce/strings.mlw", line 14, characters 59-78: Goal T9. Prover result is: Unknown or time/memory/step limit. The following counterexample model could not be verified (both RAC terminated because Postcondition of `T9'goal1` cannot be evaluated): File strings.mlw: Line 14: s : string = "b{uohu{5c}x09i" x : string = "b{uohu{5c}x09i" Categorizations of models: - Checked model 0: INCOMPLETE - Concrete RAC: INCOMPLETE (terminated because Postcondition of `T10'goal` cannot be evaluated) - Abstract RAC: INCOMPLETE (terminated because Postcondition of `T10'goal` cannot be evaluated) - Selected model 1: INCOMPLETE - Concrete RAC: INCOMPLETE (terminated because Postcondition of `T10'goal1` cannot be evaluated) - Abstract RAC: INCOMPLETE (terminated because Postcondition of `T10'goal1` cannot be evaluated) File "bench/check-ce/strings.mlw", line 15, characters 60-80: Goal T10. Prover result is: Unknown or time/memory/step limit. The following counterexample model could not be verified (both RAC terminated because Postcondition of `T10'goal1` cannot be evaluated): File strings.mlw: Line 15: s : string = "u{0}AAAAAAAAAA" x : string = "b{uohu{5c}x09i" Categorizations of models: - Checked model 0: INCOMPLETE - Concrete RAC: INCOMPLETE (terminated because Postcondition of `T11'goal` cannot be evaluated) - Abstract RAC: INCOMPLETE (terminated because Postcondition of `T11'goal` cannot be evaluated) - Selected model 1: INCOMPLETE - Concrete RAC: INCOMPLETE (terminated because Postcondition of `T11'goal1` cannot be evaluated) - Abstract RAC: INCOMPLETE (terminated because Postcondition of `T11'goal1` cannot be evaluated) File "bench/check-ce/strings.mlw", line 16, characters 60-79: Goal T11. Prover result is: Unknown or time/memory/step limit. The following counterexample model could not be verified (both RAC terminated because Postcondition of `T11'goal1` cannot be evaluated): File strings.mlw: Line 16: s : string = "" x : string = "b{uohu{5c}x09i" Categorizations of models: - Checked model 0: INCOMPLETE - Concrete RAC: INCOMPLETE (terminated because Postcondition of `T12'goal` cannot be evaluated) - Abstract RAC: INCOMPLETE (terminated because Postcondition of `T12'goal` cannot be evaluated) - Selected model 1: INCOMPLETE - Concrete RAC: INCOMPLETE (terminated because Postcondition of `T12'goal1` cannot be evaluated) - Abstract RAC: INCOMPLETE (terminated because Postcondition of `T12'goal1` cannot be evaluated) File "bench/check-ce/strings.mlw", line 17, characters 60-80: Goal T12. Prover result is: Unknown or time/memory/step limit. The following counterexample model could not be verified (both RAC terminated because Postcondition of `T12'goal1` cannot be evaluated): File strings.mlw: Line 17: s : string = "" x : string = "b{uohu{5c}x09i" Categorizations of models: - Selected model 0: NC - Concrete RAC: FAILURE (postcondition at "bench/check-ce/strings.mlw", line 18, characters 22-28) - Abstract RAC: FAILURE (postcondition at "bench/check-ce/strings.mlw", line 18, characters 22-28) - Checked model 1: NC - Concrete RAC: FAILURE (postcondition at "bench/check-ce/strings.mlw", line 18, characters 22-28) - Abstract RAC: FAILURE (postcondition at "bench/check-ce/strings.mlw", line 18, characters 22-28) File "bench/check-ce/strings.mlw", line 18, characters 22-28: Goal T13. Prover result is: Unknown or time/memory/step limit. The program does not comply to the verification goal, for example during the following execution: File int.mlw: Line 13: Constant zero initialization zero = 0 Line 14: Constant one initialization one = 1 File strings.mlw: Line 18: s = ("":string) s = ("":string) Execution of main function `T13'goal` with env: s = ("":string) zero = 0 one = 1 Unknown location: Normal execution of function `Tuple0` with args: File strings.mlw: Line 18: Property failure at postcondition of `T13'goal` with: s = ("":string) Categorizations of models: - Selected model 0: NC - Concrete RAC: FAILURE (postcondition at "bench/check-ce/strings.mlw", line 19, characters 22-34) - Abstract RAC: FAILURE (postcondition at "bench/check-ce/strings.mlw", line 19, characters 22-34) - Checked model 1: NC - Concrete RAC: FAILURE (postcondition at "bench/check-ce/strings.mlw", line 19, characters 22-34) - Abstract RAC: FAILURE (postcondition at "bench/check-ce/strings.mlw", line 19, characters 22-34) File "bench/check-ce/strings.mlw", line 19, characters 22-34: Goal T14. Prover result is: Unknown or time/memory/step limit. The program does not comply to the verification goal, for example during the following execution: File int.mlw: Line 13: Constant zero initialization zero = 0 Line 14: Constant one initialization one = 1 File strings.mlw: Line 19: s = ("":string) s = ("":string) Execution of main function `T14'goal` with env: s = ("":string) zero = 0 one = 1 Unknown location: Normal execution of function `Tuple0` with args: File strings.mlw: Line 19: Property failure at postcondition of `T14'goal` with: s = ("":string) Categorizations of models: - Selected model 0: NC - Concrete RAC: FAILURE (postcondition at "bench/check-ce/strings.mlw", line 20, characters 24-45) - Abstract RAC: FAILURE (postcondition at "bench/check-ce/strings.mlw", line 20, characters 24-45) - Checked model 1: NC - Concrete RAC: FAILURE (postcondition at "bench/check-ce/strings.mlw", line 20, characters 24-45) - Abstract RAC: FAILURE (postcondition at "bench/check-ce/strings.mlw", line 20, characters 24-45) File "bench/check-ce/strings.mlw", line 20, characters 24-45: Goal T15. Prover result is: Unknown or time/memory/step limit. The program does not comply to the verification goal, for example during the following execution: File int.mlw: Line 13: Constant zero initialization zero = 0 Line 14: Constant one initialization one = 1 File strings.mlw: Line 20: s = ("":string) i = 0 s = ("":string) i = 0 Execution of main function `T15'goal` with env: i = 0 s = ("":string) zero = 0 one = 1 Unknown location: Normal execution of function `Tuple0` with args: File strings.mlw: Line 20: Property failure at postcondition of `T15'goal` with: i = 0 s = ("":string) Categorizations of models: - Checked model 0: INCOMPLETE - Concrete RAC: INCOMPLETE (terminated because Postcondition of `T16'goal` cannot be evaluated) - Abstract RAC: INCOMPLETE (terminated because Postcondition of `T16'goal` cannot be evaluated) - Selected model 1: INCOMPLETE - Concrete RAC: INCOMPLETE (terminated because Postcondition of `T16'goal1` cannot be evaluated) - Abstract RAC: INCOMPLETE (terminated because Postcondition of `T16'goal1` cannot be evaluated) File "bench/check-ce/strings.mlw", line 21, characters 22-38: Goal T16. Prover result is: Unknown or time/memory/step limit. The following counterexample model could not be verified (both RAC terminated because Postcondition of `T16'goal1` cannot be evaluated): File strings.mlw: Line 21: s : string = "" Categorizations of models: - Checked model 0: INCOMPLETE - Concrete RAC: INCOMPLETE (terminated because Precondition of `T17'goal` cannot be evaluated) - Abstract RAC: INCOMPLETE (terminated because Precondition of `T17'goal` cannot be evaluated) - Selected model 1: INCOMPLETE - Concrete RAC: INCOMPLETE (terminated because Precondition of `T17'goal1` cannot be evaluated) - Abstract RAC: INCOMPLETE (terminated because Precondition of `T17'goal1` cannot be evaluated) File "bench/check-ce/strings.mlw", line 22, characters 42-54: Goal T17. Prover result is: Unknown or time/memory/step limit. The following counterexample model could not be verified (both RAC terminated because Precondition of `T17'goal1` cannot be evaluated): File strings.mlw: Line 22: s : string = "abc" why3-1.6.0/bench/check-ce/oracles/strings_Z3,4.8.10_SP.oracle000066400000000000000000000344011440160026300231420ustar00rootroot00000000000000Categorizations of models: - Selected model 0: NC - Concrete RAC: FAILURE (postcondition at "bench/check-ce/strings.mlw", line 6, characters 21-34) - Abstract RAC: FAILURE (postcondition at "bench/check-ce/strings.mlw", line 6, characters 21-34) - Checked model 1: NC - Concrete RAC: FAILURE (postcondition at "bench/check-ce/strings.mlw", line 6, characters 21-34) - Abstract RAC: FAILURE (postcondition at "bench/check-ce/strings.mlw", line 6, characters 21-34) File "bench/check-ce/strings.mlw", line 6, characters 21-34: Goal T1. Prover result is: Unknown or time/memory/step limit. The program does not comply to the verification goal, for example during the following execution: File int.mlw: Line 13: Constant zero initialization zero = 0 Line 14: Constant one initialization one = 1 File strings.mlw: Line 6: s = ("\x00":string) s = ("\x00":string) Execution of main function `T1'goal` with env: s = ("\x00":string) zero = 0 one = 1 Unknown location: Normal execution of function `Tuple0` with args: File strings.mlw: Line 6: Property failure at postcondition of `T1'goal` with: s = ("\x00":string) Categorizations of models: - Selected model 0: NC - Concrete RAC: FAILURE (postcondition at "bench/check-ce/strings.mlw", line 7, characters 21-35) - Abstract RAC: FAILURE (postcondition at "bench/check-ce/strings.mlw", line 7, characters 21-35) - Checked model 1: NC - Concrete RAC: FAILURE (postcondition at "bench/check-ce/strings.mlw", line 7, characters 21-35) - Abstract RAC: FAILURE (postcondition at "bench/check-ce/strings.mlw", line 7, characters 21-35) File "bench/check-ce/strings.mlw", line 7, characters 21-35: Goal T2. Prover result is: Unknown or time/memory/step limit. The program does not comply to the verification goal, for example during the following execution: File int.mlw: Line 13: Constant zero initialization zero = 0 Line 14: Constant one initialization one = 1 File strings.mlw: Line 7: s = ("\x00\x00\x00\x00":string) s = ("\x00\x00\x00\x00":string) Execution of main function `T2'goal` with env: s = ("\x00\x00\x00\x00":string) zero = 0 one = 1 Unknown location: Normal execution of function `Tuple0` with args: File strings.mlw: Line 7: Property failure at postcondition of `T2'goal` with: s = ("\x00\x00\x00\x00":string) Categorizations of models: - Selected model 0: NC - Concrete RAC: FAILURE (postcondition at "bench/check-ce/strings.mlw", line 8, characters 25-52) - Abstract RAC: FAILURE (postcondition at "bench/check-ce/strings.mlw", line 8, characters 25-52) - Checked model 1: NC - Concrete RAC: FAILURE (postcondition at "bench/check-ce/strings.mlw", line 8, characters 25-52) - Abstract RAC: FAILURE (postcondition at "bench/check-ce/strings.mlw", line 8, characters 25-52) File "bench/check-ce/strings.mlw", line 8, characters 25-52: Goal T3. Prover result is: Unknown or time/memory/step limit. The program does not comply to the verification goal, for example during the following execution: File int.mlw: Line 13: Constant zero initialization zero = 0 Line 14: Constant one initialization one = 1 File strings.mlw: Line 8: s1 = ("\x00":string) s2 = ("\x02":string) s1 = ("\x00":string) s2 = ("\x02":string) Execution of main function `T3'goal` with env: s2 = ("\x02":string) s1 = ("\x00":string) zero = 0 one = 1 Unknown location: Normal execution of function `Tuple0` with args: File strings.mlw: Line 8: Property failure at postcondition of `T3'goal` with: s2 = ("\x02":string) s1 = ("\x00":string) Categorizations of models: - Checked model 0: BAD_CE - Concrete RAC: STUCK (failure in precondition of `T4'goal` at "bench/check-ce/strings.mlw", line 9, characters 7-9) - Abstract RAC: STUCK (failure in precondition of `T4'goal` at "bench/check-ce/strings.mlw", line 9, characters 7-9) File "bench/check-ce/strings.mlw", line 9, characters 38-55: Goal T4. Prover result is: Unknown or time/memory/step limit. Categorizations of models: - Checked model 0: BAD_CE - Concrete RAC: NORMAL - Abstract RAC: NORMAL File "bench/check-ce/strings.mlw", line 10, characters 59-78: Goal T5. Prover result is: Unknown or time/memory/step limit. Categorizations of models: - Checked model 0: BAD_CE - Concrete RAC: NORMAL - Abstract RAC: NORMAL File "bench/check-ce/strings.mlw", line 11, characters 59-79: Goal T6. Prover result is: Unknown or time/memory/step limit. Categorizations of models: - Selected model 0: NC - Concrete RAC: FAILURE (postcondition at "bench/check-ce/strings.mlw", line 12, characters 21-78) - Abstract RAC: FAILURE (postcondition at "bench/check-ce/strings.mlw", line 12, characters 21-78) File "bench/check-ce/strings.mlw", line 12, characters 59-78: Goal T7. Prover result is: Unknown or time/memory/step limit. The program does not comply to the verification goal, for example during the following execution: File int.mlw: Line 13: Constant zero initialization zero = 0 Line 14: Constant one initialization one = 1 File strings.mlw: Line 12: s = "" s = "" Execution of main function `T7'goal` with env: s = "" zero = 0 one = 1 Unknown location: Normal execution of function `Tuple0` with args: File strings.mlw: Line 12: Property failure at postcondition of `T7'goal` with: s = "" Categorizations of models: - Selected model 0: NC - Concrete RAC: FAILURE (postcondition at "bench/check-ce/strings.mlw", line 13, characters 21-79) - Abstract RAC: FAILURE (postcondition at "bench/check-ce/strings.mlw", line 13, characters 21-79) File "bench/check-ce/strings.mlw", line 13, characters 59-79: Goal T8. Prover result is: Unknown or time/memory/step limit. The program does not comply to the verification goal, for example during the following execution: File int.mlw: Line 13: Constant zero initialization zero = 0 Line 14: Constant one initialization one = 1 File strings.mlw: Line 13: s = "" s = "" Execution of main function `T8'goal` with env: s = "" zero = 0 one = 1 Unknown location: Normal execution of function `Tuple0` with args: File strings.mlw: Line 13: Property failure at postcondition of `T8'goal` with: s = "" Categorizations of models: - Checked model 0: BAD_CE - Concrete RAC: NORMAL - Abstract RAC: NORMAL File "bench/check-ce/strings.mlw", line 14, characters 59-78: Goal T9. Prover result is: Unknown or time/memory/step limit. Categorizations of models: - Checked model 0: BAD_CE - Concrete RAC: NORMAL - Abstract RAC: NORMAL File "bench/check-ce/strings.mlw", line 15, characters 60-80: Goal T10. Prover result is: Unknown or time/memory/step limit. Categorizations of models: - Selected model 0: NC - Concrete RAC: FAILURE (postcondition at "bench/check-ce/strings.mlw", line 16, characters 22-79) - Abstract RAC: FAILURE (postcondition at "bench/check-ce/strings.mlw", line 16, characters 22-79) File "bench/check-ce/strings.mlw", line 16, characters 60-79: Goal T11. Prover result is: Unknown or time/memory/step limit. The program does not comply to the verification goal, for example during the following execution: File int.mlw: Line 13: Constant zero initialization zero = 0 Line 14: Constant one initialization one = 1 File strings.mlw: Line 16: s = "" s = "" Execution of main function `T11'goal` with env: s = "" zero = 0 one = 1 Unknown location: Normal execution of function `Tuple0` with args: File strings.mlw: Line 16: Property failure at postcondition of `T11'goal` with: s = "" Categorizations of models: - Selected model 0: NC - Concrete RAC: FAILURE (postcondition at "bench/check-ce/strings.mlw", line 17, characters 22-80) - Abstract RAC: FAILURE (postcondition at "bench/check-ce/strings.mlw", line 17, characters 22-80) File "bench/check-ce/strings.mlw", line 17, characters 60-80: Goal T12. Prover result is: Unknown or time/memory/step limit. The program does not comply to the verification goal, for example during the following execution: File int.mlw: Line 13: Constant zero initialization zero = 0 Line 14: Constant one initialization one = 1 File strings.mlw: Line 17: s = "" s = "" Execution of main function `T12'goal` with env: s = "" zero = 0 one = 1 Unknown location: Normal execution of function `Tuple0` with args: File strings.mlw: Line 17: Property failure at postcondition of `T12'goal` with: s = "" Categorizations of models: - Selected model 0: NC - Concrete RAC: FAILURE (postcondition at "bench/check-ce/strings.mlw", line 18, characters 22-28) - Abstract RAC: FAILURE (postcondition at "bench/check-ce/strings.mlw", line 18, characters 22-28) File "bench/check-ce/strings.mlw", line 18, characters 22-28: Goal T13. Prover result is: Unknown or time/memory/step limit. The program does not comply to the verification goal, for example during the following execution: File int.mlw: Line 13: Constant zero initialization zero = 0 Line 14: Constant one initialization one = 1 File strings.mlw: Line 18: s = "" s = "" Execution of main function `T13'goal` with env: s = "" zero = 0 one = 1 Unknown location: Normal execution of function `Tuple0` with args: File strings.mlw: Line 18: Property failure at postcondition of `T13'goal` with: s = "" Categorizations of models: - Selected model 0: NC - Concrete RAC: FAILURE (postcondition at "bench/check-ce/strings.mlw", line 19, characters 22-34) - Abstract RAC: FAILURE (postcondition at "bench/check-ce/strings.mlw", line 19, characters 22-34) File "bench/check-ce/strings.mlw", line 19, characters 22-34: Goal T14. Prover result is: Unknown or time/memory/step limit. The program does not comply to the verification goal, for example during the following execution: File int.mlw: Line 13: Constant zero initialization zero = 0 Line 14: Constant one initialization one = 1 File strings.mlw: Line 19: s = "" s = "" Execution of main function `T14'goal` with env: s = "" zero = 0 one = 1 Unknown location: Normal execution of function `Tuple0` with args: File strings.mlw: Line 19: Property failure at postcondition of `T14'goal` with: s = "" Categorizations of models: - Selected model 0: NC - Concrete RAC: FAILURE (postcondition at "bench/check-ce/strings.mlw", line 20, characters 24-45) - Abstract RAC: FAILURE (postcondition at "bench/check-ce/strings.mlw", line 20, characters 24-45) - Checked model 1: NC - Concrete RAC: FAILURE (postcondition at "bench/check-ce/strings.mlw", line 20, characters 24-45) - Abstract RAC: FAILURE (postcondition at "bench/check-ce/strings.mlw", line 20, characters 24-45) File "bench/check-ce/strings.mlw", line 20, characters 24-45: Goal T15. Prover result is: Unknown or time/memory/step limit. The program does not comply to the verification goal, for example during the following execution: File int.mlw: Line 13: Constant zero initialization zero = 0 Line 14: Constant one initialization one = 1 File strings.mlw: Line 20: s = ("":string) i = (- 1) s = ("":string) i = (- 1) Execution of main function `T15'goal` with env: i = (- 1) s = ("":string) zero = 0 one = 1 Unknown location: Normal execution of function `Tuple0` with args: File strings.mlw: Line 20: Property failure at postcondition of `T15'goal` with: i = (- 1) s = ("":string) Categorizations of models: - Selected model 0: NC - Concrete RAC: FAILURE (postcondition at "bench/check-ce/strings.mlw", line 21, characters 22-38) - Abstract RAC: FAILURE (postcondition at "bench/check-ce/strings.mlw", line 21, characters 22-38) - Checked model 1: NC - Concrete RAC: FAILURE (postcondition at "bench/check-ce/strings.mlw", line 21, characters 22-38) - Abstract RAC: FAILURE (postcondition at "bench/check-ce/strings.mlw", line 21, characters 22-38) File "bench/check-ce/strings.mlw", line 21, characters 22-38: Goal T16. Prover result is: Unknown or time/memory/step limit. The program does not comply to the verification goal, for example during the following execution: File int.mlw: Line 13: Constant zero initialization zero = 0 Line 14: Constant one initialization one = 1 File strings.mlw: Line 21: s = ("":string) s = ("":string) Execution of main function `T16'goal` with env: s = ("":string) zero = 0 one = 1 Unknown location: Normal execution of function `Tuple0` with args: File strings.mlw: Line 21: Property failure at postcondition of `T16'goal` with: s = ("":string) Categorizations of models: - Selected model 0: NC - Concrete RAC: FAILURE (postcondition at "bench/check-ce/strings.mlw", line 22, characters 42-54) - Abstract RAC: FAILURE (postcondition at "bench/check-ce/strings.mlw", line 22, characters 42-54) - Checked model 1: NC - Concrete RAC: FAILURE (postcondition at "bench/check-ce/strings.mlw", line 22, characters 42-54) - Abstract RAC: FAILURE (postcondition at "bench/check-ce/strings.mlw", line 22, characters 42-54) File "bench/check-ce/strings.mlw", line 22, characters 42-54: Goal T17. Prover result is: Unknown or time/memory/step limit. The program does not comply to the verification goal, for example during the following execution: File int.mlw: Line 13: Constant zero initialization zero = 0 Line 14: Constant one initialization one = 1 File strings.mlw: Line 22: s = ("abc":string) s = ("abc":string) Execution of main function `T17'goal` with env: s = ("abc":string) zero = 0 one = 1 Unknown location: Normal execution of function `Tuple0` with args: File strings.mlw: Line 22: Property failure at postcondition of `T17'goal` with: s = ("abc":string) why3-1.6.0/bench/check-ce/oracles/strings_Z3,4.8.10_WP.oracle000066400000000000000000000344011440160026300231460ustar00rootroot00000000000000Categorizations of models: - Selected model 0: NC - Concrete RAC: FAILURE (postcondition at "bench/check-ce/strings.mlw", line 6, characters 21-34) - Abstract RAC: FAILURE (postcondition at "bench/check-ce/strings.mlw", line 6, characters 21-34) - Checked model 1: NC - Concrete RAC: FAILURE (postcondition at "bench/check-ce/strings.mlw", line 6, characters 21-34) - Abstract RAC: FAILURE (postcondition at "bench/check-ce/strings.mlw", line 6, characters 21-34) File "bench/check-ce/strings.mlw", line 6, characters 21-34: Goal T1. Prover result is: Unknown or time/memory/step limit. The program does not comply to the verification goal, for example during the following execution: File int.mlw: Line 13: Constant zero initialization zero = 0 Line 14: Constant one initialization one = 1 File strings.mlw: Line 6: s = ("\x00":string) s = ("\x00":string) Execution of main function `T1'goal` with env: s = ("\x00":string) zero = 0 one = 1 Unknown location: Normal execution of function `Tuple0` with args: File strings.mlw: Line 6: Property failure at postcondition of `T1'goal` with: s = ("\x00":string) Categorizations of models: - Selected model 0: NC - Concrete RAC: FAILURE (postcondition at "bench/check-ce/strings.mlw", line 7, characters 21-35) - Abstract RAC: FAILURE (postcondition at "bench/check-ce/strings.mlw", line 7, characters 21-35) - Checked model 1: NC - Concrete RAC: FAILURE (postcondition at "bench/check-ce/strings.mlw", line 7, characters 21-35) - Abstract RAC: FAILURE (postcondition at "bench/check-ce/strings.mlw", line 7, characters 21-35) File "bench/check-ce/strings.mlw", line 7, characters 21-35: Goal T2. Prover result is: Unknown or time/memory/step limit. The program does not comply to the verification goal, for example during the following execution: File int.mlw: Line 13: Constant zero initialization zero = 0 Line 14: Constant one initialization one = 1 File strings.mlw: Line 7: s = ("\x00\x00\x00\x00":string) s = ("\x00\x00\x00\x00":string) Execution of main function `T2'goal` with env: s = ("\x00\x00\x00\x00":string) zero = 0 one = 1 Unknown location: Normal execution of function `Tuple0` with args: File strings.mlw: Line 7: Property failure at postcondition of `T2'goal` with: s = ("\x00\x00\x00\x00":string) Categorizations of models: - Selected model 0: NC - Concrete RAC: FAILURE (postcondition at "bench/check-ce/strings.mlw", line 8, characters 25-52) - Abstract RAC: FAILURE (postcondition at "bench/check-ce/strings.mlw", line 8, characters 25-52) - Checked model 1: NC - Concrete RAC: FAILURE (postcondition at "bench/check-ce/strings.mlw", line 8, characters 25-52) - Abstract RAC: FAILURE (postcondition at "bench/check-ce/strings.mlw", line 8, characters 25-52) File "bench/check-ce/strings.mlw", line 8, characters 25-52: Goal T3. Prover result is: Unknown or time/memory/step limit. The program does not comply to the verification goal, for example during the following execution: File int.mlw: Line 13: Constant zero initialization zero = 0 Line 14: Constant one initialization one = 1 File strings.mlw: Line 8: s1 = ("\x00":string) s2 = ("\x02":string) s1 = ("\x00":string) s2 = ("\x02":string) Execution of main function `T3'goal` with env: s2 = ("\x02":string) s1 = ("\x00":string) zero = 0 one = 1 Unknown location: Normal execution of function `Tuple0` with args: File strings.mlw: Line 8: Property failure at postcondition of `T3'goal` with: s2 = ("\x02":string) s1 = ("\x00":string) Categorizations of models: - Checked model 0: BAD_CE - Concrete RAC: STUCK (failure in precondition of `T4'goal` at "bench/check-ce/strings.mlw", line 9, characters 7-9) - Abstract RAC: STUCK (failure in precondition of `T4'goal` at "bench/check-ce/strings.mlw", line 9, characters 7-9) File "bench/check-ce/strings.mlw", line 9, characters 38-55: Goal T4. Prover result is: Unknown or time/memory/step limit. Categorizations of models: - Checked model 0: BAD_CE - Concrete RAC: NORMAL - Abstract RAC: NORMAL File "bench/check-ce/strings.mlw", line 10, characters 59-78: Goal T5. Prover result is: Unknown or time/memory/step limit. Categorizations of models: - Checked model 0: BAD_CE - Concrete RAC: NORMAL - Abstract RAC: NORMAL File "bench/check-ce/strings.mlw", line 11, characters 59-79: Goal T6. Prover result is: Unknown or time/memory/step limit. Categorizations of models: - Selected model 0: NC - Concrete RAC: FAILURE (postcondition at "bench/check-ce/strings.mlw", line 12, characters 21-78) - Abstract RAC: FAILURE (postcondition at "bench/check-ce/strings.mlw", line 12, characters 21-78) File "bench/check-ce/strings.mlw", line 12, characters 59-78: Goal T7. Prover result is: Unknown or time/memory/step limit. The program does not comply to the verification goal, for example during the following execution: File int.mlw: Line 13: Constant zero initialization zero = 0 Line 14: Constant one initialization one = 1 File strings.mlw: Line 12: s = "" s = "" Execution of main function `T7'goal` with env: s = "" zero = 0 one = 1 Unknown location: Normal execution of function `Tuple0` with args: File strings.mlw: Line 12: Property failure at postcondition of `T7'goal` with: s = "" Categorizations of models: - Selected model 0: NC - Concrete RAC: FAILURE (postcondition at "bench/check-ce/strings.mlw", line 13, characters 21-79) - Abstract RAC: FAILURE (postcondition at "bench/check-ce/strings.mlw", line 13, characters 21-79) File "bench/check-ce/strings.mlw", line 13, characters 59-79: Goal T8. Prover result is: Unknown or time/memory/step limit. The program does not comply to the verification goal, for example during the following execution: File int.mlw: Line 13: Constant zero initialization zero = 0 Line 14: Constant one initialization one = 1 File strings.mlw: Line 13: s = "" s = "" Execution of main function `T8'goal` with env: s = "" zero = 0 one = 1 Unknown location: Normal execution of function `Tuple0` with args: File strings.mlw: Line 13: Property failure at postcondition of `T8'goal` with: s = "" Categorizations of models: - Checked model 0: BAD_CE - Concrete RAC: NORMAL - Abstract RAC: NORMAL File "bench/check-ce/strings.mlw", line 14, characters 59-78: Goal T9. Prover result is: Unknown or time/memory/step limit. Categorizations of models: - Checked model 0: BAD_CE - Concrete RAC: NORMAL - Abstract RAC: NORMAL File "bench/check-ce/strings.mlw", line 15, characters 60-80: Goal T10. Prover result is: Unknown or time/memory/step limit. Categorizations of models: - Selected model 0: NC - Concrete RAC: FAILURE (postcondition at "bench/check-ce/strings.mlw", line 16, characters 22-79) - Abstract RAC: FAILURE (postcondition at "bench/check-ce/strings.mlw", line 16, characters 22-79) File "bench/check-ce/strings.mlw", line 16, characters 60-79: Goal T11. Prover result is: Unknown or time/memory/step limit. The program does not comply to the verification goal, for example during the following execution: File int.mlw: Line 13: Constant zero initialization zero = 0 Line 14: Constant one initialization one = 1 File strings.mlw: Line 16: s = "" s = "" Execution of main function `T11'goal` with env: s = "" zero = 0 one = 1 Unknown location: Normal execution of function `Tuple0` with args: File strings.mlw: Line 16: Property failure at postcondition of `T11'goal` with: s = "" Categorizations of models: - Selected model 0: NC - Concrete RAC: FAILURE (postcondition at "bench/check-ce/strings.mlw", line 17, characters 22-80) - Abstract RAC: FAILURE (postcondition at "bench/check-ce/strings.mlw", line 17, characters 22-80) File "bench/check-ce/strings.mlw", line 17, characters 60-80: Goal T12. Prover result is: Unknown or time/memory/step limit. The program does not comply to the verification goal, for example during the following execution: File int.mlw: Line 13: Constant zero initialization zero = 0 Line 14: Constant one initialization one = 1 File strings.mlw: Line 17: s = "" s = "" Execution of main function `T12'goal` with env: s = "" zero = 0 one = 1 Unknown location: Normal execution of function `Tuple0` with args: File strings.mlw: Line 17: Property failure at postcondition of `T12'goal` with: s = "" Categorizations of models: - Selected model 0: NC - Concrete RAC: FAILURE (postcondition at "bench/check-ce/strings.mlw", line 18, characters 22-28) - Abstract RAC: FAILURE (postcondition at "bench/check-ce/strings.mlw", line 18, characters 22-28) File "bench/check-ce/strings.mlw", line 18, characters 22-28: Goal T13. Prover result is: Unknown or time/memory/step limit. The program does not comply to the verification goal, for example during the following execution: File int.mlw: Line 13: Constant zero initialization zero = 0 Line 14: Constant one initialization one = 1 File strings.mlw: Line 18: s = "" s = "" Execution of main function `T13'goal` with env: s = "" zero = 0 one = 1 Unknown location: Normal execution of function `Tuple0` with args: File strings.mlw: Line 18: Property failure at postcondition of `T13'goal` with: s = "" Categorizations of models: - Selected model 0: NC - Concrete RAC: FAILURE (postcondition at "bench/check-ce/strings.mlw", line 19, characters 22-34) - Abstract RAC: FAILURE (postcondition at "bench/check-ce/strings.mlw", line 19, characters 22-34) File "bench/check-ce/strings.mlw", line 19, characters 22-34: Goal T14. Prover result is: Unknown or time/memory/step limit. The program does not comply to the verification goal, for example during the following execution: File int.mlw: Line 13: Constant zero initialization zero = 0 Line 14: Constant one initialization one = 1 File strings.mlw: Line 19: s = "" s = "" Execution of main function `T14'goal` with env: s = "" zero = 0 one = 1 Unknown location: Normal execution of function `Tuple0` with args: File strings.mlw: Line 19: Property failure at postcondition of `T14'goal` with: s = "" Categorizations of models: - Selected model 0: NC - Concrete RAC: FAILURE (postcondition at "bench/check-ce/strings.mlw", line 20, characters 24-45) - Abstract RAC: FAILURE (postcondition at "bench/check-ce/strings.mlw", line 20, characters 24-45) - Checked model 1: NC - Concrete RAC: FAILURE (postcondition at "bench/check-ce/strings.mlw", line 20, characters 24-45) - Abstract RAC: FAILURE (postcondition at "bench/check-ce/strings.mlw", line 20, characters 24-45) File "bench/check-ce/strings.mlw", line 20, characters 24-45: Goal T15. Prover result is: Unknown or time/memory/step limit. The program does not comply to the verification goal, for example during the following execution: File int.mlw: Line 13: Constant zero initialization zero = 0 Line 14: Constant one initialization one = 1 File strings.mlw: Line 20: s = ("":string) i = (- 1) s = ("":string) i = (- 1) Execution of main function `T15'goal` with env: i = (- 1) s = ("":string) zero = 0 one = 1 Unknown location: Normal execution of function `Tuple0` with args: File strings.mlw: Line 20: Property failure at postcondition of `T15'goal` with: i = (- 1) s = ("":string) Categorizations of models: - Selected model 0: NC - Concrete RAC: FAILURE (postcondition at "bench/check-ce/strings.mlw", line 21, characters 22-38) - Abstract RAC: FAILURE (postcondition at "bench/check-ce/strings.mlw", line 21, characters 22-38) - Checked model 1: NC - Concrete RAC: FAILURE (postcondition at "bench/check-ce/strings.mlw", line 21, characters 22-38) - Abstract RAC: FAILURE (postcondition at "bench/check-ce/strings.mlw", line 21, characters 22-38) File "bench/check-ce/strings.mlw", line 21, characters 22-38: Goal T16. Prover result is: Unknown or time/memory/step limit. The program does not comply to the verification goal, for example during the following execution: File int.mlw: Line 13: Constant zero initialization zero = 0 Line 14: Constant one initialization one = 1 File strings.mlw: Line 21: s = ("":string) s = ("":string) Execution of main function `T16'goal` with env: s = ("":string) zero = 0 one = 1 Unknown location: Normal execution of function `Tuple0` with args: File strings.mlw: Line 21: Property failure at postcondition of `T16'goal` with: s = ("":string) Categorizations of models: - Selected model 0: NC - Concrete RAC: FAILURE (postcondition at "bench/check-ce/strings.mlw", line 22, characters 42-54) - Abstract RAC: FAILURE (postcondition at "bench/check-ce/strings.mlw", line 22, characters 42-54) - Checked model 1: NC - Concrete RAC: FAILURE (postcondition at "bench/check-ce/strings.mlw", line 22, characters 42-54) - Abstract RAC: FAILURE (postcondition at "bench/check-ce/strings.mlw", line 22, characters 42-54) File "bench/check-ce/strings.mlw", line 22, characters 42-54: Goal T17. Prover result is: Unknown or time/memory/step limit. The program does not comply to the verification goal, for example during the following execution: File int.mlw: Line 13: Constant zero initialization zero = 0 Line 14: Constant one initialization one = 1 File strings.mlw: Line 22: s = ("abc":string) s = ("abc":string) Execution of main function `T17'goal` with env: s = ("abc":string) zero = 0 one = 1 Unknown location: Normal execution of function `Tuple0` with args: File strings.mlw: Line 22: Property failure at postcondition of `T17'goal` with: s = ("abc":string) why3-1.6.0/bench/check-ce/oracles/test_result_ce_value0_CVC4,1.8_SP.oracle000066400000000000000000000023141440160026300257300ustar00rootroot00000000000000Categorizations of models: - Selected model 0: NC - Concrete RAC: FAILURE (assertion at "bench/check-ce/test_result_ce_value0.mlw", line 8, characters 11-18) - Abstract RAC: FAILURE (assertion at "bench/check-ce/test_result_ce_value0.mlw", line 8, characters 11-18) - Checked model 1: NC - Concrete RAC: FAILURE (assertion at "bench/check-ce/test_result_ce_value0.mlw", line 8, characters 11-18) - Abstract RAC: FAILURE (assertion at "bench/check-ce/test_result_ce_value0.mlw", line 8, characters 11-18) File "bench/check-ce/test_result_ce_value0.mlw", line 8, characters 11-18: Sub-goal Assertion of goal test2'vc. Prover result is: Unknown (sat). The program does not comply to the verification goal, for example during the following execution: File int.mlw: Line 13: Constant zero initialization zero = 0 Line 14: Constant one initialization one = 1 File test_result_ce_value0.mlw: Line 6: x = 0 x = 0 Execution of main function `test2` with env: x = 0 zero = 0 one = 1 Line 7: (giant-step) execution of unimplemented function `id` x = 0 result of `id` = 42 Line 8: Property failure at assertion with: a = 42 why3-1.6.0/bench/check-ce/oracles/test_result_ce_value0_CVC4,1.8_WP.oracle000066400000000000000000000023141440160026300257340ustar00rootroot00000000000000Categorizations of models: - Selected model 0: NC - Concrete RAC: FAILURE (assertion at "bench/check-ce/test_result_ce_value0.mlw", line 8, characters 11-18) - Abstract RAC: FAILURE (assertion at "bench/check-ce/test_result_ce_value0.mlw", line 8, characters 11-18) - Checked model 1: NC - Concrete RAC: FAILURE (assertion at "bench/check-ce/test_result_ce_value0.mlw", line 8, characters 11-18) - Abstract RAC: FAILURE (assertion at "bench/check-ce/test_result_ce_value0.mlw", line 8, characters 11-18) File "bench/check-ce/test_result_ce_value0.mlw", line 8, characters 11-18: Sub-goal Assertion of goal test2'vc. Prover result is: Unknown (sat). The program does not comply to the verification goal, for example during the following execution: File int.mlw: Line 13: Constant zero initialization zero = 0 Line 14: Constant one initialization one = 1 File test_result_ce_value0.mlw: Line 6: x = 0 x = 0 Execution of main function `test2` with env: x = 0 zero = 0 one = 1 Line 7: (giant-step) execution of unimplemented function `id` x = 0 result of `id` = 42 Line 8: Property failure at assertion with: a = 42 why3-1.6.0/bench/check-ce/oracles/test_result_ce_value0_CVC5,1.0.0_SP.oracle000066400000000000000000000023141440160026300260570ustar00rootroot00000000000000Categorizations of models: - Selected model 0: NC - Concrete RAC: FAILURE (assertion at "bench/check-ce/test_result_ce_value0.mlw", line 8, characters 11-18) - Abstract RAC: FAILURE (assertion at "bench/check-ce/test_result_ce_value0.mlw", line 8, characters 11-18) - Checked model 1: NC - Concrete RAC: FAILURE (assertion at "bench/check-ce/test_result_ce_value0.mlw", line 8, characters 11-18) - Abstract RAC: FAILURE (assertion at "bench/check-ce/test_result_ce_value0.mlw", line 8, characters 11-18) File "bench/check-ce/test_result_ce_value0.mlw", line 8, characters 11-18: Sub-goal Assertion of goal test2'vc. Prover result is: Unknown (sat). The program does not comply to the verification goal, for example during the following execution: File int.mlw: Line 13: Constant zero initialization zero = 0 Line 14: Constant one initialization one = 1 File test_result_ce_value0.mlw: Line 6: x = 0 x = 0 Execution of main function `test2` with env: x = 0 zero = 0 one = 1 Line 7: (giant-step) execution of unimplemented function `id` x = 0 result of `id` = 42 Line 8: Property failure at assertion with: a = 42 why3-1.6.0/bench/check-ce/oracles/test_result_ce_value0_CVC5,1.0.0_WP.oracle000066400000000000000000000023141440160026300260630ustar00rootroot00000000000000Categorizations of models: - Selected model 0: NC - Concrete RAC: FAILURE (assertion at "bench/check-ce/test_result_ce_value0.mlw", line 8, characters 11-18) - Abstract RAC: FAILURE (assertion at "bench/check-ce/test_result_ce_value0.mlw", line 8, characters 11-18) - Checked model 1: NC - Concrete RAC: FAILURE (assertion at "bench/check-ce/test_result_ce_value0.mlw", line 8, characters 11-18) - Abstract RAC: FAILURE (assertion at "bench/check-ce/test_result_ce_value0.mlw", line 8, characters 11-18) File "bench/check-ce/test_result_ce_value0.mlw", line 8, characters 11-18: Sub-goal Assertion of goal test2'vc. Prover result is: Unknown (sat). The program does not comply to the verification goal, for example during the following execution: File int.mlw: Line 13: Constant zero initialization zero = 0 Line 14: Constant one initialization one = 1 File test_result_ce_value0.mlw: Line 6: x = 0 x = 0 Execution of main function `test2` with env: x = 0 zero = 0 one = 1 Line 7: (giant-step) execution of unimplemented function `id` x = 0 result of `id` = 42 Line 8: Property failure at assertion with: a = 42 why3-1.6.0/bench/check-ce/oracles/test_result_ce_value0_Z3,4.8.10_SP.oracle000066400000000000000000000023141440160026300257470ustar00rootroot00000000000000Categorizations of models: - Selected model 0: NC - Concrete RAC: FAILURE (assertion at "bench/check-ce/test_result_ce_value0.mlw", line 8, characters 11-18) - Abstract RAC: FAILURE (assertion at "bench/check-ce/test_result_ce_value0.mlw", line 8, characters 11-18) - Checked model 1: NC - Concrete RAC: FAILURE (assertion at "bench/check-ce/test_result_ce_value0.mlw", line 8, characters 11-18) - Abstract RAC: FAILURE (assertion at "bench/check-ce/test_result_ce_value0.mlw", line 8, characters 11-18) File "bench/check-ce/test_result_ce_value0.mlw", line 8, characters 11-18: Sub-goal Assertion of goal test2'vc. Prover result is: Unknown (sat). The program does not comply to the verification goal, for example during the following execution: File int.mlw: Line 13: Constant zero initialization zero = 0 Line 14: Constant one initialization one = 1 File test_result_ce_value0.mlw: Line 6: x = 0 x = 0 Execution of main function `test2` with env: x = 0 zero = 0 one = 1 Line 7: (giant-step) execution of unimplemented function `id` x = 0 result of `id` = 42 Line 8: Property failure at assertion with: a = 42 why3-1.6.0/bench/check-ce/oracles/test_result_ce_value0_Z3,4.8.10_WP.oracle000066400000000000000000000023141440160026300257530ustar00rootroot00000000000000Categorizations of models: - Selected model 0: NC - Concrete RAC: FAILURE (assertion at "bench/check-ce/test_result_ce_value0.mlw", line 8, characters 11-18) - Abstract RAC: FAILURE (assertion at "bench/check-ce/test_result_ce_value0.mlw", line 8, characters 11-18) - Checked model 1: NC - Concrete RAC: FAILURE (assertion at "bench/check-ce/test_result_ce_value0.mlw", line 8, characters 11-18) - Abstract RAC: FAILURE (assertion at "bench/check-ce/test_result_ce_value0.mlw", line 8, characters 11-18) File "bench/check-ce/test_result_ce_value0.mlw", line 8, characters 11-18: Sub-goal Assertion of goal test2'vc. Prover result is: Unknown (sat). The program does not comply to the verification goal, for example during the following execution: File int.mlw: Line 13: Constant zero initialization zero = 0 Line 14: Constant one initialization one = 1 File test_result_ce_value0.mlw: Line 6: x = 0 x = 0 Execution of main function `test2` with env: x = 0 zero = 0 one = 1 Line 7: (giant-step) execution of unimplemented function `id` x = 0 result of `id` = 42 Line 8: Property failure at assertion with: a = 42 why3-1.6.0/bench/check-ce/oracles/test_result_ce_value0_Z3,4.8.4_SP.oracle000066400000000000000000000176721440160026300257070ustar00rootroot00000000000000Check model 0 ("bench/check-ce/test_result_ce_value0.mlw", line 8, characters 11-18) Checking model: File test_result_ce_value0.mlw: Line 4: a = {"type": "Integer", "val": "42"} x = {"type": "Integer", "val": "0"} Line 6: x = {"type": "Integer", "val": "0"} Line 7: a = {"type": "Integer", "val": "42"} result = {"type": "Integer", "val": "42"} Line 8: a = {"type": "Integer", "val": "42"} Giant-step RAC RHS evaluated for global `zero` at "WHY3DATA/stdlib/int.mlw", line 13, characters 15-19: 0 RHS evaluated for global `one` at "WHY3DATA/stdlib/int.mlw", line 14, characters 15-18: 1 Value from model for parameter `x` at "bench/check-ce/test_result_ce_value0.mlw", line 6, characters 11-12: 0 Value from model for return value of call to id at "bench/check-ce/test_result_ce_value0.mlw", line 7, characters 10-14 at "bench/check-ce/test_result_ce_value0.mlw", line 7, characters 10-14: 42 Normal RAC RHS evaluated for global `zero` at "WHY3DATA/stdlib/int.mlw", line 13, characters 15-19: 0 RHS evaluated for global `one` at "WHY3DATA/stdlib/int.mlw", line 14, characters 15-18: 1 Value from model for parameter `x` at "bench/check-ce/test_result_ce_value0.mlw", line 6, characters 11-12: 0 Value from model for return value of call to id at "bench/check-ce/test_result_ce_value0.mlw", line 7, characters 10-14 at "bench/check-ce/test_result_ce_value0.mlw", line 7, characters 10-14: 42 Result of checking model 0: NC - Concrete RAC: FAILURE (assertion at "bench/check-ce/test_result_ce_value0.mlw", line 8, characters 11-18) File int.mlw: Line 13: Constant zero initialization zero = 0 Line 14: Constant one initialization one = 1 File test_result_ce_value0.mlw: Line 6: x = 0 x = 0 Execution of main function `test2` with env: x = 0 zero = 0 one = 1 Line 7: (giant-step) execution of unimplemented function `id` x = 0 result of `id` = 42 Line 8: Property failure at assertion with: a = 42 - Abstract RAC: FAILURE (assertion at "bench/check-ce/test_result_ce_value0.mlw", line 8, characters 11-18) File int.mlw: Line 13: Constant zero initialization zero = 0 Line 14: Constant one initialization one = 1 File test_result_ce_value0.mlw: Line 6: x = 0 x = 0 Execution of main function `test2` with env: x = 0 zero = 0 one = 1 Line 7: Giant-step execution of function `id` with args: x = 0 result of `id` = 42 Line 8: Property failure at assertion with: a = 42 Check model 1 ("bench/check-ce/test_result_ce_value0.mlw", line 8, characters 11-18) Checking model: File test_result_ce_value0.mlw: Line 4: a = {"type": "Integer", "val": "42"} x = {"type": "Integer", "val": "0"} Line 6: x = {"type": "Integer", "val": "0"} Line 7: a = {"type": "Integer", "val": "42"} result = {"type": "Integer", "val": "42"} Line 8: a = {"type": "Integer", "val": "42"} Giant-step RAC RHS evaluated for global `zero` at "WHY3DATA/stdlib/int.mlw", line 13, characters 15-19: 0 RHS evaluated for global `one` at "WHY3DATA/stdlib/int.mlw", line 14, characters 15-18: 1 Value from model for parameter `x` at "bench/check-ce/test_result_ce_value0.mlw", line 6, characters 11-12: 0 Value from model for return value of call to id at "bench/check-ce/test_result_ce_value0.mlw", line 7, characters 10-14 at "bench/check-ce/test_result_ce_value0.mlw", line 7, characters 10-14: 42 Normal RAC RHS evaluated for global `zero` at "WHY3DATA/stdlib/int.mlw", line 13, characters 15-19: 0 RHS evaluated for global `one` at "WHY3DATA/stdlib/int.mlw", line 14, characters 15-18: 1 Value from model for parameter `x` at "bench/check-ce/test_result_ce_value0.mlw", line 6, characters 11-12: 0 Value from model for return value of call to id at "bench/check-ce/test_result_ce_value0.mlw", line 7, characters 10-14 at "bench/check-ce/test_result_ce_value0.mlw", line 7, characters 10-14: 42 Result of checking model 1: NC - Concrete RAC: FAILURE (assertion at "bench/check-ce/test_result_ce_value0.mlw", line 8, characters 11-18) File int.mlw: Line 13: Constant zero initialization zero = 0 Line 14: Constant one initialization one = 1 File test_result_ce_value0.mlw: Line 6: x = 0 x = 0 Execution of main function `test2` with env: x = 0 zero = 0 one = 1 Line 7: (giant-step) execution of unimplemented function `id` x = 0 result of `id` = 42 Line 8: Property failure at assertion with: a = 42 - Abstract RAC: FAILURE (assertion at "bench/check-ce/test_result_ce_value0.mlw", line 8, characters 11-18) File int.mlw: Line 13: Constant zero initialization zero = 0 Line 14: Constant one initialization one = 1 File test_result_ce_value0.mlw: Line 6: x = 0 x = 0 Execution of main function `test2` with env: x = 0 zero = 0 one = 1 Line 7: Giant-step execution of function `id` with args: x = 0 result of `id` = 42 Line 8: Property failure at assertion with: a = 42 Results: - Selected model 0: NC - Concrete RAC: FAILURE (assertion at "bench/check-ce/test_result_ce_value0.mlw", line 8, characters 11-18) - Abstract RAC: FAILURE (assertion at "bench/check-ce/test_result_ce_value0.mlw", line 8, characters 11-18) - Checked model 1: NC - Concrete RAC: FAILURE (assertion at "bench/check-ce/test_result_ce_value0.mlw", line 8, characters 11-18) - Abstract RAC: FAILURE (assertion at "bench/check-ce/test_result_ce_value0.mlw", line 8, characters 11-18) File "bench/check-ce/test_result_ce_value0.mlw", line 8, characters 11-18: Sub-goal Assertion of goal test2'vc. Prover result is: Unknown (sat) (0.03s, 754 steps). The program does not comply to the verification goal, for example during the following execution: File int.mlw: Line 13: Constant zero initialization zero = 0 Line 14: Constant one initialization one = 1 File test_result_ce_value0.mlw: Line 6: x = 0 x = 0 Execution of main function `test2` with env: x = 0 zero = 0 one = 1 Line 7: (giant-step) execution of unimplemented function `id` x = 0 result of `id` = 42 Line 8: Property failure at assertion with: a = 42 why3-1.6.0/bench/check-ce/oracles/test_result_ce_value0_Z3,4.8.4_WP.oracle000066400000000000000000000176721440160026300257130ustar00rootroot00000000000000Check model 0 ("bench/check-ce/test_result_ce_value0.mlw", line 8, characters 11-18) Checking model: File test_result_ce_value0.mlw: Line 4: a = {"type": "Integer", "val": "42"} x = {"type": "Integer", "val": "0"} Line 6: x = {"type": "Integer", "val": "0"} Line 7: a = {"type": "Integer", "val": "42"} result = {"type": "Integer", "val": "42"} Line 8: a = {"type": "Integer", "val": "42"} Giant-step RAC RHS evaluated for global `zero` at "WHY3DATA/stdlib/int.mlw", line 13, characters 15-19: 0 RHS evaluated for global `one` at "WHY3DATA/stdlib/int.mlw", line 14, characters 15-18: 1 Value from model for parameter `x` at "bench/check-ce/test_result_ce_value0.mlw", line 6, characters 11-12: 0 Value from model for return value of call to id at "bench/check-ce/test_result_ce_value0.mlw", line 7, characters 10-14 at "bench/check-ce/test_result_ce_value0.mlw", line 7, characters 10-14: 42 Normal RAC RHS evaluated for global `zero` at "WHY3DATA/stdlib/int.mlw", line 13, characters 15-19: 0 RHS evaluated for global `one` at "WHY3DATA/stdlib/int.mlw", line 14, characters 15-18: 1 Value from model for parameter `x` at "bench/check-ce/test_result_ce_value0.mlw", line 6, characters 11-12: 0 Value from model for return value of call to id at "bench/check-ce/test_result_ce_value0.mlw", line 7, characters 10-14 at "bench/check-ce/test_result_ce_value0.mlw", line 7, characters 10-14: 42 Result of checking model 0: NC - Concrete RAC: FAILURE (assertion at "bench/check-ce/test_result_ce_value0.mlw", line 8, characters 11-18) File int.mlw: Line 13: Constant zero initialization zero = 0 Line 14: Constant one initialization one = 1 File test_result_ce_value0.mlw: Line 6: x = 0 x = 0 Execution of main function `test2` with env: x = 0 zero = 0 one = 1 Line 7: (giant-step) execution of unimplemented function `id` x = 0 result of `id` = 42 Line 8: Property failure at assertion with: a = 42 - Abstract RAC: FAILURE (assertion at "bench/check-ce/test_result_ce_value0.mlw", line 8, characters 11-18) File int.mlw: Line 13: Constant zero initialization zero = 0 Line 14: Constant one initialization one = 1 File test_result_ce_value0.mlw: Line 6: x = 0 x = 0 Execution of main function `test2` with env: x = 0 zero = 0 one = 1 Line 7: Giant-step execution of function `id` with args: x = 0 result of `id` = 42 Line 8: Property failure at assertion with: a = 42 Check model 1 ("bench/check-ce/test_result_ce_value0.mlw", line 8, characters 11-18) Checking model: File test_result_ce_value0.mlw: Line 4: a = {"type": "Integer", "val": "42"} x = {"type": "Integer", "val": "0"} Line 6: x = {"type": "Integer", "val": "0"} Line 7: a = {"type": "Integer", "val": "42"} result = {"type": "Integer", "val": "42"} Line 8: a = {"type": "Integer", "val": "42"} Giant-step RAC RHS evaluated for global `zero` at "WHY3DATA/stdlib/int.mlw", line 13, characters 15-19: 0 RHS evaluated for global `one` at "WHY3DATA/stdlib/int.mlw", line 14, characters 15-18: 1 Value from model for parameter `x` at "bench/check-ce/test_result_ce_value0.mlw", line 6, characters 11-12: 0 Value from model for return value of call to id at "bench/check-ce/test_result_ce_value0.mlw", line 7, characters 10-14 at "bench/check-ce/test_result_ce_value0.mlw", line 7, characters 10-14: 42 Normal RAC RHS evaluated for global `zero` at "WHY3DATA/stdlib/int.mlw", line 13, characters 15-19: 0 RHS evaluated for global `one` at "WHY3DATA/stdlib/int.mlw", line 14, characters 15-18: 1 Value from model for parameter `x` at "bench/check-ce/test_result_ce_value0.mlw", line 6, characters 11-12: 0 Value from model for return value of call to id at "bench/check-ce/test_result_ce_value0.mlw", line 7, characters 10-14 at "bench/check-ce/test_result_ce_value0.mlw", line 7, characters 10-14: 42 Result of checking model 1: NC - Concrete RAC: FAILURE (assertion at "bench/check-ce/test_result_ce_value0.mlw", line 8, characters 11-18) File int.mlw: Line 13: Constant zero initialization zero = 0 Line 14: Constant one initialization one = 1 File test_result_ce_value0.mlw: Line 6: x = 0 x = 0 Execution of main function `test2` with env: x = 0 zero = 0 one = 1 Line 7: (giant-step) execution of unimplemented function `id` x = 0 result of `id` = 42 Line 8: Property failure at assertion with: a = 42 - Abstract RAC: FAILURE (assertion at "bench/check-ce/test_result_ce_value0.mlw", line 8, characters 11-18) File int.mlw: Line 13: Constant zero initialization zero = 0 Line 14: Constant one initialization one = 1 File test_result_ce_value0.mlw: Line 6: x = 0 x = 0 Execution of main function `test2` with env: x = 0 zero = 0 one = 1 Line 7: Giant-step execution of function `id` with args: x = 0 result of `id` = 42 Line 8: Property failure at assertion with: a = 42 Results: - Selected model 0: NC - Concrete RAC: FAILURE (assertion at "bench/check-ce/test_result_ce_value0.mlw", line 8, characters 11-18) - Abstract RAC: FAILURE (assertion at "bench/check-ce/test_result_ce_value0.mlw", line 8, characters 11-18) - Checked model 1: NC - Concrete RAC: FAILURE (assertion at "bench/check-ce/test_result_ce_value0.mlw", line 8, characters 11-18) - Abstract RAC: FAILURE (assertion at "bench/check-ce/test_result_ce_value0.mlw", line 8, characters 11-18) File "bench/check-ce/test_result_ce_value0.mlw", line 8, characters 11-18: Sub-goal Assertion of goal test2'vc. Prover result is: Unknown (sat) (0.02s, 754 steps). The program does not comply to the verification goal, for example during the following execution: File int.mlw: Line 13: Constant zero initialization zero = 0 Line 14: Constant one initialization one = 1 File test_result_ce_value0.mlw: Line 6: x = 0 x = 0 Execution of main function `test2` with env: x = 0 zero = 0 one = 1 Line 7: (giant-step) execution of unimplemented function `id` x = 0 result of `id` = 42 Line 8: Property failure at assertion with: a = 42 why3-1.6.0/bench/check-ce/oracles/test_result_ce_value1_CVC4,1.8_SP.oracle000066400000000000000000000054471440160026300257430ustar00rootroot00000000000000Categorizations of models: - Selected model 0: NC - Concrete RAC: FAILURE (assertion at "bench/check-ce/test_result_ce_value1.mlw", line 12, characters 11-18) - Abstract RAC: FAILURE (assertion at "bench/check-ce/test_result_ce_value1.mlw", line 12, characters 11-18) - Checked model 1: NC - Concrete RAC: FAILURE (assertion at "bench/check-ce/test_result_ce_value1.mlw", line 12, characters 11-18) - Abstract RAC: FAILURE (assertion at "bench/check-ce/test_result_ce_value1.mlw", line 12, characters 11-18) File "bench/check-ce/test_result_ce_value1.mlw", line 12, characters 11-18: Sub-goal Assertion of goal test1'vc. Prover result is: Unknown (sat). The program does not comply to the verification goal, for example during the following execution: File int.mlw: Line 13: Constant zero initialization zero = 0 Line 14: Constant one initialization one = 1 File test_result_ce_value1.mlw: Line 8: x = (- 1) x = (- 1) Execution of main function `test1` with env: x = (- 1) zero = 0 one = 1 Line 10: (giant-step) execution of unimplemented function `id` x = (- 1) result of `id` = 0 Line 9: (giant-step) execution of unimplemented function `id` x = 0 result of `id` = 41 Normal execution of function `(+)` with args: _ = 41 _ = 1 Line 12: Property failure at assertion with: a = 42 Categorizations of models: - Selected model 0: NC - Concrete RAC: FAILURE (assertion at "bench/check-ce/test_result_ce_value1.mlw", line 16, characters 11-18) - Abstract RAC: FAILURE (assertion at "bench/check-ce/test_result_ce_value1.mlw", line 16, characters 11-18) - Checked model 1: NC - Concrete RAC: FAILURE (assertion at "bench/check-ce/test_result_ce_value1.mlw", line 16, characters 11-18) - Abstract RAC: FAILURE (assertion at "bench/check-ce/test_result_ce_value1.mlw", line 16, characters 11-18) File "bench/check-ce/test_result_ce_value1.mlw", line 16, characters 11-18: Sub-goal Assertion of goal test1bis'vc. Prover result is: Unknown (sat). The program does not comply to the verification goal, for example during the following execution: File int.mlw: Line 13: Constant zero initialization zero = 0 Line 14: Constant one initialization one = 1 File test_result_ce_value1.mlw: Line 14: x = (- 1) x = (- 1) Execution of main function `test1bis` with env: x = (- 1) zero = 0 one = 1 Line 15: (giant-step) execution of unimplemented function `id` x = (- 1) result of `id` = 0 (giant-step) execution of unimplemented function `id` x = 0 result of `id` = 41 Normal execution of function `(+)` with args: _ = 41 _ = 1 Line 16: Property failure at assertion with: a = 42 why3-1.6.0/bench/check-ce/oracles/test_result_ce_value1_CVC4,1.8_WP.oracle000066400000000000000000000054471440160026300257470ustar00rootroot00000000000000Categorizations of models: - Selected model 0: NC - Concrete RAC: FAILURE (assertion at "bench/check-ce/test_result_ce_value1.mlw", line 12, characters 11-18) - Abstract RAC: FAILURE (assertion at "bench/check-ce/test_result_ce_value1.mlw", line 12, characters 11-18) - Checked model 1: NC - Concrete RAC: FAILURE (assertion at "bench/check-ce/test_result_ce_value1.mlw", line 12, characters 11-18) - Abstract RAC: FAILURE (assertion at "bench/check-ce/test_result_ce_value1.mlw", line 12, characters 11-18) File "bench/check-ce/test_result_ce_value1.mlw", line 12, characters 11-18: Sub-goal Assertion of goal test1'vc. Prover result is: Unknown (sat). The program does not comply to the verification goal, for example during the following execution: File int.mlw: Line 13: Constant zero initialization zero = 0 Line 14: Constant one initialization one = 1 File test_result_ce_value1.mlw: Line 8: x = (- 1) x = (- 1) Execution of main function `test1` with env: x = (- 1) zero = 0 one = 1 Line 10: (giant-step) execution of unimplemented function `id` x = (- 1) result of `id` = 0 Line 9: (giant-step) execution of unimplemented function `id` x = 0 result of `id` = 41 Normal execution of function `(+)` with args: _ = 41 _ = 1 Line 12: Property failure at assertion with: a = 42 Categorizations of models: - Selected model 0: NC - Concrete RAC: FAILURE (assertion at "bench/check-ce/test_result_ce_value1.mlw", line 16, characters 11-18) - Abstract RAC: FAILURE (assertion at "bench/check-ce/test_result_ce_value1.mlw", line 16, characters 11-18) - Checked model 1: NC - Concrete RAC: FAILURE (assertion at "bench/check-ce/test_result_ce_value1.mlw", line 16, characters 11-18) - Abstract RAC: FAILURE (assertion at "bench/check-ce/test_result_ce_value1.mlw", line 16, characters 11-18) File "bench/check-ce/test_result_ce_value1.mlw", line 16, characters 11-18: Sub-goal Assertion of goal test1bis'vc. Prover result is: Unknown (sat). The program does not comply to the verification goal, for example during the following execution: File int.mlw: Line 13: Constant zero initialization zero = 0 Line 14: Constant one initialization one = 1 File test_result_ce_value1.mlw: Line 14: x = (- 1) x = (- 1) Execution of main function `test1bis` with env: x = (- 1) zero = 0 one = 1 Line 15: (giant-step) execution of unimplemented function `id` x = (- 1) result of `id` = 0 (giant-step) execution of unimplemented function `id` x = 0 result of `id` = 41 Normal execution of function `(+)` with args: _ = 41 _ = 1 Line 16: Property failure at assertion with: a = 42 why3-1.6.0/bench/check-ce/oracles/test_result_ce_value1_CVC5,1.0.0_SP.oracle000066400000000000000000000054471440160026300260720ustar00rootroot00000000000000Categorizations of models: - Selected model 0: NC - Concrete RAC: FAILURE (assertion at "bench/check-ce/test_result_ce_value1.mlw", line 12, characters 11-18) - Abstract RAC: FAILURE (assertion at "bench/check-ce/test_result_ce_value1.mlw", line 12, characters 11-18) - Checked model 1: NC - Concrete RAC: FAILURE (assertion at "bench/check-ce/test_result_ce_value1.mlw", line 12, characters 11-18) - Abstract RAC: FAILURE (assertion at "bench/check-ce/test_result_ce_value1.mlw", line 12, characters 11-18) File "bench/check-ce/test_result_ce_value1.mlw", line 12, characters 11-18: Sub-goal Assertion of goal test1'vc. Prover result is: Unknown (sat). The program does not comply to the verification goal, for example during the following execution: File int.mlw: Line 13: Constant zero initialization zero = 0 Line 14: Constant one initialization one = 1 File test_result_ce_value1.mlw: Line 8: x = (- 1) x = (- 1) Execution of main function `test1` with env: x = (- 1) zero = 0 one = 1 Line 10: (giant-step) execution of unimplemented function `id` x = (- 1) result of `id` = 0 Line 9: (giant-step) execution of unimplemented function `id` x = 0 result of `id` = 41 Normal execution of function `(+)` with args: _ = 41 _ = 1 Line 12: Property failure at assertion with: a = 42 Categorizations of models: - Selected model 0: NC - Concrete RAC: FAILURE (assertion at "bench/check-ce/test_result_ce_value1.mlw", line 16, characters 11-18) - Abstract RAC: FAILURE (assertion at "bench/check-ce/test_result_ce_value1.mlw", line 16, characters 11-18) - Checked model 1: NC - Concrete RAC: FAILURE (assertion at "bench/check-ce/test_result_ce_value1.mlw", line 16, characters 11-18) - Abstract RAC: FAILURE (assertion at "bench/check-ce/test_result_ce_value1.mlw", line 16, characters 11-18) File "bench/check-ce/test_result_ce_value1.mlw", line 16, characters 11-18: Sub-goal Assertion of goal test1bis'vc. Prover result is: Unknown (sat). The program does not comply to the verification goal, for example during the following execution: File int.mlw: Line 13: Constant zero initialization zero = 0 Line 14: Constant one initialization one = 1 File test_result_ce_value1.mlw: Line 14: x = (- 1) x = (- 1) Execution of main function `test1bis` with env: x = (- 1) zero = 0 one = 1 Line 15: (giant-step) execution of unimplemented function `id` x = (- 1) result of `id` = 0 (giant-step) execution of unimplemented function `id` x = 0 result of `id` = 41 Normal execution of function `(+)` with args: _ = 41 _ = 1 Line 16: Property failure at assertion with: a = 42 why3-1.6.0/bench/check-ce/oracles/test_result_ce_value1_CVC5,1.0.0_WP.oracle000066400000000000000000000054471440160026300260760ustar00rootroot00000000000000Categorizations of models: - Selected model 0: NC - Concrete RAC: FAILURE (assertion at "bench/check-ce/test_result_ce_value1.mlw", line 12, characters 11-18) - Abstract RAC: FAILURE (assertion at "bench/check-ce/test_result_ce_value1.mlw", line 12, characters 11-18) - Checked model 1: NC - Concrete RAC: FAILURE (assertion at "bench/check-ce/test_result_ce_value1.mlw", line 12, characters 11-18) - Abstract RAC: FAILURE (assertion at "bench/check-ce/test_result_ce_value1.mlw", line 12, characters 11-18) File "bench/check-ce/test_result_ce_value1.mlw", line 12, characters 11-18: Sub-goal Assertion of goal test1'vc. Prover result is: Unknown (sat). The program does not comply to the verification goal, for example during the following execution: File int.mlw: Line 13: Constant zero initialization zero = 0 Line 14: Constant one initialization one = 1 File test_result_ce_value1.mlw: Line 8: x = (- 1) x = (- 1) Execution of main function `test1` with env: x = (- 1) zero = 0 one = 1 Line 10: (giant-step) execution of unimplemented function `id` x = (- 1) result of `id` = 0 Line 9: (giant-step) execution of unimplemented function `id` x = 0 result of `id` = 41 Normal execution of function `(+)` with args: _ = 41 _ = 1 Line 12: Property failure at assertion with: a = 42 Categorizations of models: - Selected model 0: NC - Concrete RAC: FAILURE (assertion at "bench/check-ce/test_result_ce_value1.mlw", line 16, characters 11-18) - Abstract RAC: FAILURE (assertion at "bench/check-ce/test_result_ce_value1.mlw", line 16, characters 11-18) - Checked model 1: NC - Concrete RAC: FAILURE (assertion at "bench/check-ce/test_result_ce_value1.mlw", line 16, characters 11-18) - Abstract RAC: FAILURE (assertion at "bench/check-ce/test_result_ce_value1.mlw", line 16, characters 11-18) File "bench/check-ce/test_result_ce_value1.mlw", line 16, characters 11-18: Sub-goal Assertion of goal test1bis'vc. Prover result is: Unknown (sat). The program does not comply to the verification goal, for example during the following execution: File int.mlw: Line 13: Constant zero initialization zero = 0 Line 14: Constant one initialization one = 1 File test_result_ce_value1.mlw: Line 14: x = (- 1) x = (- 1) Execution of main function `test1bis` with env: x = (- 1) zero = 0 one = 1 Line 15: (giant-step) execution of unimplemented function `id` x = (- 1) result of `id` = 0 (giant-step) execution of unimplemented function `id` x = 0 result of `id` = 41 Normal execution of function `(+)` with args: _ = 41 _ = 1 Line 16: Property failure at assertion with: a = 42 why3-1.6.0/bench/check-ce/oracles/test_result_ce_value1_Z3,4.8.10_SP.oracle000066400000000000000000000054471440160026300257620ustar00rootroot00000000000000Categorizations of models: - Selected model 0: NC - Concrete RAC: FAILURE (assertion at "bench/check-ce/test_result_ce_value1.mlw", line 12, characters 11-18) - Abstract RAC: FAILURE (assertion at "bench/check-ce/test_result_ce_value1.mlw", line 12, characters 11-18) - Checked model 1: NC - Concrete RAC: FAILURE (assertion at "bench/check-ce/test_result_ce_value1.mlw", line 12, characters 11-18) - Abstract RAC: FAILURE (assertion at "bench/check-ce/test_result_ce_value1.mlw", line 12, characters 11-18) File "bench/check-ce/test_result_ce_value1.mlw", line 12, characters 11-18: Sub-goal Assertion of goal test1'vc. Prover result is: Unknown (sat). The program does not comply to the verification goal, for example during the following execution: File int.mlw: Line 13: Constant zero initialization zero = 0 Line 14: Constant one initialization one = 1 File test_result_ce_value1.mlw: Line 8: x = (- 1) x = (- 1) Execution of main function `test1` with env: x = (- 1) zero = 0 one = 1 Line 10: (giant-step) execution of unimplemented function `id` x = (- 1) result of `id` = 0 Line 9: (giant-step) execution of unimplemented function `id` x = 0 result of `id` = 41 Normal execution of function `(+)` with args: _ = 41 _ = 1 Line 12: Property failure at assertion with: a = 42 Categorizations of models: - Selected model 0: NC - Concrete RAC: FAILURE (assertion at "bench/check-ce/test_result_ce_value1.mlw", line 16, characters 11-18) - Abstract RAC: FAILURE (assertion at "bench/check-ce/test_result_ce_value1.mlw", line 16, characters 11-18) - Checked model 1: NC - Concrete RAC: FAILURE (assertion at "bench/check-ce/test_result_ce_value1.mlw", line 16, characters 11-18) - Abstract RAC: FAILURE (assertion at "bench/check-ce/test_result_ce_value1.mlw", line 16, characters 11-18) File "bench/check-ce/test_result_ce_value1.mlw", line 16, characters 11-18: Sub-goal Assertion of goal test1bis'vc. Prover result is: Unknown (sat). The program does not comply to the verification goal, for example during the following execution: File int.mlw: Line 13: Constant zero initialization zero = 0 Line 14: Constant one initialization one = 1 File test_result_ce_value1.mlw: Line 14: x = (- 1) x = (- 1) Execution of main function `test1bis` with env: x = (- 1) zero = 0 one = 1 Line 15: (giant-step) execution of unimplemented function `id` x = (- 1) result of `id` = 0 (giant-step) execution of unimplemented function `id` x = 0 result of `id` = 41 Normal execution of function `(+)` with args: _ = 41 _ = 1 Line 16: Property failure at assertion with: a = 42 why3-1.6.0/bench/check-ce/oracles/test_result_ce_value1_Z3,4.8.10_WP.oracle000066400000000000000000000054471440160026300257660ustar00rootroot00000000000000Categorizations of models: - Selected model 0: NC - Concrete RAC: FAILURE (assertion at "bench/check-ce/test_result_ce_value1.mlw", line 12, characters 11-18) - Abstract RAC: FAILURE (assertion at "bench/check-ce/test_result_ce_value1.mlw", line 12, characters 11-18) - Checked model 1: NC - Concrete RAC: FAILURE (assertion at "bench/check-ce/test_result_ce_value1.mlw", line 12, characters 11-18) - Abstract RAC: FAILURE (assertion at "bench/check-ce/test_result_ce_value1.mlw", line 12, characters 11-18) File "bench/check-ce/test_result_ce_value1.mlw", line 12, characters 11-18: Sub-goal Assertion of goal test1'vc. Prover result is: Unknown (sat). The program does not comply to the verification goal, for example during the following execution: File int.mlw: Line 13: Constant zero initialization zero = 0 Line 14: Constant one initialization one = 1 File test_result_ce_value1.mlw: Line 8: x = (- 1) x = (- 1) Execution of main function `test1` with env: x = (- 1) zero = 0 one = 1 Line 10: (giant-step) execution of unimplemented function `id` x = (- 1) result of `id` = 0 Line 9: (giant-step) execution of unimplemented function `id` x = 0 result of `id` = 41 Normal execution of function `(+)` with args: _ = 41 _ = 1 Line 12: Property failure at assertion with: a = 42 Categorizations of models: - Selected model 0: NC - Concrete RAC: FAILURE (assertion at "bench/check-ce/test_result_ce_value1.mlw", line 16, characters 11-18) - Abstract RAC: FAILURE (assertion at "bench/check-ce/test_result_ce_value1.mlw", line 16, characters 11-18) - Checked model 1: NC - Concrete RAC: FAILURE (assertion at "bench/check-ce/test_result_ce_value1.mlw", line 16, characters 11-18) - Abstract RAC: FAILURE (assertion at "bench/check-ce/test_result_ce_value1.mlw", line 16, characters 11-18) File "bench/check-ce/test_result_ce_value1.mlw", line 16, characters 11-18: Sub-goal Assertion of goal test1bis'vc. Prover result is: Unknown (sat). The program does not comply to the verification goal, for example during the following execution: File int.mlw: Line 13: Constant zero initialization zero = 0 Line 14: Constant one initialization one = 1 File test_result_ce_value1.mlw: Line 14: x = (- 1) x = (- 1) Execution of main function `test1bis` with env: x = (- 1) zero = 0 one = 1 Line 15: (giant-step) execution of unimplemented function `id` x = (- 1) result of `id` = 0 (giant-step) execution of unimplemented function `id` x = 0 result of `id` = 41 Normal execution of function `(+)` with args: _ = 41 _ = 1 Line 16: Property failure at assertion with: a = 42 why3-1.6.0/bench/check-ce/oracles/test_result_ce_value1_Z3,4.8.4_SP.oracle000066400000000000000000000502651440160026300257030ustar00rootroot00000000000000Check model 0 ("bench/check-ce/test_result_ce_value1.mlw", line 12, characters 11-18) Checking model: File test_result_ce_value1.mlw: Line 6: x = {"type": "Integer", "val": "-1"} Line 8: x = {"type": "Integer", "val": "-1"} Line 9: a = {"type": "Integer", "val": "42"} result = {"type": "Integer", "val": "41"} Line 10: result = {"type": "Integer", "val": "0"} Line 12: result = {"type": "Integer", "val": "41"} Giant-step RAC RHS evaluated for global `zero` at "WHY3DATA/stdlib/int.mlw", line 13, characters 15-19: 0 RHS evaluated for global `one` at "WHY3DATA/stdlib/int.mlw", line 14, characters 15-18: 1 Value from model for parameter `x` at "bench/check-ce/test_result_ce_value1.mlw", line 8, characters 11-12: (-1) Value from model for return value of call to id at "bench/check-ce/test_result_ce_value1.mlw", line 10, characters 6-12 at "bench/check-ce/test_result_ce_value1.mlw", line 10, characters 6-12: 0 Value from model for return value of call to id at "bench/check-ce/test_result_ce_value1.mlw", line 9, characters 10-25 at "bench/check-ce/test_result_ce_value1.mlw", line 9, characters 10-25: 41 Normal RAC RHS evaluated for global `zero` at "WHY3DATA/stdlib/int.mlw", line 13, characters 15-19: 0 RHS evaluated for global `one` at "WHY3DATA/stdlib/int.mlw", line 14, characters 15-18: 1 Value from model for parameter `x` at "bench/check-ce/test_result_ce_value1.mlw", line 8, characters 11-12: (-1) Value from model for return value of call to id at "bench/check-ce/test_result_ce_value1.mlw", line 10, characters 6-12 at "bench/check-ce/test_result_ce_value1.mlw", line 10, characters 6-12: 0 Value from model for return value of call to id at "bench/check-ce/test_result_ce_value1.mlw", line 9, characters 10-25 at "bench/check-ce/test_result_ce_value1.mlw", line 9, characters 10-25: 41 Result of checking model 0: NC - Concrete RAC: FAILURE (assertion at "bench/check-ce/test_result_ce_value1.mlw", line 12, characters 11-18) File int.mlw: Line 13: Constant zero initialization zero = 0 Line 14: Constant one initialization one = 1 File test_result_ce_value1.mlw: Line 8: x = (-1) x = (-1) Execution of main function `test1` with env: x = (-1) zero = 0 one = 1 Line 10: (giant-step) execution of unimplemented function `id` x = (-1) result of `id` = 0 Line 9: (giant-step) execution of unimplemented function `id` x = 0 result of `id` = 41 Normal execution of function `(+)` with args: _ = 41 _ = 1 Line 12: Property failure at assertion with: a = 42 - Abstract RAC: FAILURE (assertion at "bench/check-ce/test_result_ce_value1.mlw", line 12, characters 11-18) File int.mlw: Line 13: Constant zero initialization zero = 0 Line 14: Constant one initialization one = 1 File test_result_ce_value1.mlw: Line 8: x = (-1) x = (-1) Execution of main function `test1` with env: x = (-1) zero = 0 one = 1 Line 10: Giant-step execution of function `id` with args: x = (-1) result of `id` = 0 Line 9: Giant-step execution of function `id` with args: x = 0 result of `id` = 41 Normal execution of function `(+)` with args: _ = 41 _ = 1 Line 12: Property failure at assertion with: a = 42 Check model 1 ("bench/check-ce/test_result_ce_value1.mlw", line 12, characters 11-18) Checking model: File test_result_ce_value1.mlw: Line 6: x = {"type": "Integer", "val": "-1"} Line 8: x = {"type": "Integer", "val": "-1"} Line 9: a = {"type": "Integer", "val": "42"} result = {"type": "Integer", "val": "41"} Line 10: result = {"type": "Integer", "val": "0"} Line 12: result = {"type": "Integer", "val": "41"} Giant-step RAC RHS evaluated for global `zero` at "WHY3DATA/stdlib/int.mlw", line 13, characters 15-19: 0 RHS evaluated for global `one` at "WHY3DATA/stdlib/int.mlw", line 14, characters 15-18: 1 Value from model for parameter `x` at "bench/check-ce/test_result_ce_value1.mlw", line 8, characters 11-12: (-1) Value from model for return value of call to id at "bench/check-ce/test_result_ce_value1.mlw", line 10, characters 6-12 at "bench/check-ce/test_result_ce_value1.mlw", line 10, characters 6-12: 0 Value from model for return value of call to id at "bench/check-ce/test_result_ce_value1.mlw", line 9, characters 10-25 at "bench/check-ce/test_result_ce_value1.mlw", line 9, characters 10-25: 41 Normal RAC RHS evaluated for global `zero` at "WHY3DATA/stdlib/int.mlw", line 13, characters 15-19: 0 RHS evaluated for global `one` at "WHY3DATA/stdlib/int.mlw", line 14, characters 15-18: 1 Value from model for parameter `x` at "bench/check-ce/test_result_ce_value1.mlw", line 8, characters 11-12: (-1) Value from model for return value of call to id at "bench/check-ce/test_result_ce_value1.mlw", line 10, characters 6-12 at "bench/check-ce/test_result_ce_value1.mlw", line 10, characters 6-12: 0 Value from model for return value of call to id at "bench/check-ce/test_result_ce_value1.mlw", line 9, characters 10-25 at "bench/check-ce/test_result_ce_value1.mlw", line 9, characters 10-25: 41 Result of checking model 1: NC - Concrete RAC: FAILURE (assertion at "bench/check-ce/test_result_ce_value1.mlw", line 12, characters 11-18) File int.mlw: Line 13: Constant zero initialization zero = 0 Line 14: Constant one initialization one = 1 File test_result_ce_value1.mlw: Line 8: x = (-1) x = (-1) Execution of main function `test1` with env: x = (-1) zero = 0 one = 1 Line 10: (giant-step) execution of unimplemented function `id` x = (-1) result of `id` = 0 Line 9: (giant-step) execution of unimplemented function `id` x = 0 result of `id` = 41 Normal execution of function `(+)` with args: _ = 41 _ = 1 Line 12: Property failure at assertion with: a = 42 - Abstract RAC: FAILURE (assertion at "bench/check-ce/test_result_ce_value1.mlw", line 12, characters 11-18) File int.mlw: Line 13: Constant zero initialization zero = 0 Line 14: Constant one initialization one = 1 File test_result_ce_value1.mlw: Line 8: x = (-1) x = (-1) Execution of main function `test1` with env: x = (-1) zero = 0 one = 1 Line 10: Giant-step execution of function `id` with args: x = (-1) result of `id` = 0 Line 9: Giant-step execution of function `id` with args: x = 0 result of `id` = 41 Normal execution of function `(+)` with args: _ = 41 _ = 1 Line 12: Property failure at assertion with: a = 42 Results: - Selected model 0: NC - Concrete RAC: FAILURE (assertion at "bench/check-ce/test_result_ce_value1.mlw", line 12, characters 11-18) - Abstract RAC: FAILURE (assertion at "bench/check-ce/test_result_ce_value1.mlw", line 12, characters 11-18) - Checked model 1: NC - Concrete RAC: FAILURE (assertion at "bench/check-ce/test_result_ce_value1.mlw", line 12, characters 11-18) - Abstract RAC: FAILURE (assertion at "bench/check-ce/test_result_ce_value1.mlw", line 12, characters 11-18) File "bench/check-ce/test_result_ce_value1.mlw", line 12, characters 11-18: Sub-goal Assertion of goal test1'vc. Prover result is: Unknown (sat) (0.03s, 898 steps). The program does not comply to the verification goal, for example during the following execution: File int.mlw: Line 13: Constant zero initialization zero = 0 Line 14: Constant one initialization one = 1 File test_result_ce_value1.mlw: Line 8: x = (-1) x = (-1) Execution of main function `test1` with env: x = (-1) zero = 0 one = 1 Line 10: (giant-step) execution of unimplemented function `id` x = (-1) result of `id` = 0 Line 9: (giant-step) execution of unimplemented function `id` x = 0 result of `id` = 41 Normal execution of function `(+)` with args: _ = 41 _ = 1 Line 12: Property failure at assertion with: a = 42 Check model 0 ("bench/check-ce/test_result_ce_value1.mlw", line 16, characters 11-18) Checking model: File test_result_ce_value1.mlw: Line 6: x = {"type": "Integer", "val": "-1"} Line 14: x = {"type": "Integer", "val": "-1"} Line 15: a = {"type": "Integer", "val": "42"} result = {"type": "Integer", "val": "41"} result = {"type": "Integer", "val": "0"} Line 16: result = {"type": "Integer", "val": "41"} Giant-step RAC RHS evaluated for global `zero` at "WHY3DATA/stdlib/int.mlw", line 13, characters 15-19: 0 RHS evaluated for global `one` at "WHY3DATA/stdlib/int.mlw", line 14, characters 15-18: 1 Value from model for parameter `x` at "bench/check-ce/test_result_ce_value1.mlw", line 14, characters 14-15: (-1) Value from model for return value of call to id at "bench/check-ce/test_result_ce_value1.mlw", line 15, characters 13-19 at "bench/check-ce/test_result_ce_value1.mlw", line 15, characters 13-19: 0 Value from model for return value of call to id at "bench/check-ce/test_result_ce_value1.mlw", line 15, characters 10-19 at "bench/check-ce/test_result_ce_value1.mlw", line 15, characters 10-19: 41 Normal RAC RHS evaluated for global `zero` at "WHY3DATA/stdlib/int.mlw", line 13, characters 15-19: 0 RHS evaluated for global `one` at "WHY3DATA/stdlib/int.mlw", line 14, characters 15-18: 1 Value from model for parameter `x` at "bench/check-ce/test_result_ce_value1.mlw", line 14, characters 14-15: (-1) Value from model for return value of call to id at "bench/check-ce/test_result_ce_value1.mlw", line 15, characters 13-19 at "bench/check-ce/test_result_ce_value1.mlw", line 15, characters 13-19: 0 Value from model for return value of call to id at "bench/check-ce/test_result_ce_value1.mlw", line 15, characters 10-19 at "bench/check-ce/test_result_ce_value1.mlw", line 15, characters 10-19: 41 Result of checking model 0: NC - Concrete RAC: FAILURE (assertion at "bench/check-ce/test_result_ce_value1.mlw", line 16, characters 11-18) File int.mlw: Line 13: Constant zero initialization zero = 0 Line 14: Constant one initialization one = 1 File test_result_ce_value1.mlw: Line 14: x = (-1) x = (-1) Execution of main function `test1bis` with env: x = (-1) zero = 0 one = 1 Line 15: (giant-step) execution of unimplemented function `id` x = (-1) result of `id` = 0 (giant-step) execution of unimplemented function `id` x = 0 result of `id` = 41 Normal execution of function `(+)` with args: _ = 41 _ = 1 Line 16: Property failure at assertion with: a = 42 - Abstract RAC: FAILURE (assertion at "bench/check-ce/test_result_ce_value1.mlw", line 16, characters 11-18) File int.mlw: Line 13: Constant zero initialization zero = 0 Line 14: Constant one initialization one = 1 File test_result_ce_value1.mlw: Line 14: x = (-1) x = (-1) Execution of main function `test1bis` with env: x = (-1) zero = 0 one = 1 Line 15: Giant-step execution of function `id` with args: x = (-1) result of `id` = 0 Giant-step execution of function `id` with args: x = 0 result of `id` = 41 Normal execution of function `(+)` with args: _ = 41 _ = 1 Line 16: Property failure at assertion with: a = 42 Check model 1 ("bench/check-ce/test_result_ce_value1.mlw", line 16, characters 11-18) Checking model: File test_result_ce_value1.mlw: Line 6: x = {"type": "Integer", "val": "-1"} Line 14: x = {"type": "Integer", "val": "-1"} Line 15: a = {"type": "Integer", "val": "42"} result = {"type": "Integer", "val": "41"} result = {"type": "Integer", "val": "0"} Line 16: result = {"type": "Integer", "val": "41"} Giant-step RAC RHS evaluated for global `zero` at "WHY3DATA/stdlib/int.mlw", line 13, characters 15-19: 0 RHS evaluated for global `one` at "WHY3DATA/stdlib/int.mlw", line 14, characters 15-18: 1 Value from model for parameter `x` at "bench/check-ce/test_result_ce_value1.mlw", line 14, characters 14-15: (-1) Value from model for return value of call to id at "bench/check-ce/test_result_ce_value1.mlw", line 15, characters 13-19 at "bench/check-ce/test_result_ce_value1.mlw", line 15, characters 13-19: 0 Value from model for return value of call to id at "bench/check-ce/test_result_ce_value1.mlw", line 15, characters 10-19 at "bench/check-ce/test_result_ce_value1.mlw", line 15, characters 10-19: 41 Normal RAC RHS evaluated for global `zero` at "WHY3DATA/stdlib/int.mlw", line 13, characters 15-19: 0 RHS evaluated for global `one` at "WHY3DATA/stdlib/int.mlw", line 14, characters 15-18: 1 Value from model for parameter `x` at "bench/check-ce/test_result_ce_value1.mlw", line 14, characters 14-15: (-1) Value from model for return value of call to id at "bench/check-ce/test_result_ce_value1.mlw", line 15, characters 13-19 at "bench/check-ce/test_result_ce_value1.mlw", line 15, characters 13-19: 0 Value from model for return value of call to id at "bench/check-ce/test_result_ce_value1.mlw", line 15, characters 10-19 at "bench/check-ce/test_result_ce_value1.mlw", line 15, characters 10-19: 41 Result of checking model 1: NC - Concrete RAC: FAILURE (assertion at "bench/check-ce/test_result_ce_value1.mlw", line 16, characters 11-18) File int.mlw: Line 13: Constant zero initialization zero = 0 Line 14: Constant one initialization one = 1 File test_result_ce_value1.mlw: Line 14: x = (-1) x = (-1) Execution of main function `test1bis` with env: x = (-1) zero = 0 one = 1 Line 15: (giant-step) execution of unimplemented function `id` x = (-1) result of `id` = 0 (giant-step) execution of unimplemented function `id` x = 0 result of `id` = 41 Normal execution of function `(+)` with args: _ = 41 _ = 1 Line 16: Property failure at assertion with: a = 42 - Abstract RAC: FAILURE (assertion at "bench/check-ce/test_result_ce_value1.mlw", line 16, characters 11-18) File int.mlw: Line 13: Constant zero initialization zero = 0 Line 14: Constant one initialization one = 1 File test_result_ce_value1.mlw: Line 14: x = (-1) x = (-1) Execution of main function `test1bis` with env: x = (-1) zero = 0 one = 1 Line 15: Giant-step execution of function `id` with args: x = (-1) result of `id` = 0 Giant-step execution of function `id` with args: x = 0 result of `id` = 41 Normal execution of function `(+)` with args: _ = 41 _ = 1 Line 16: Property failure at assertion with: a = 42 Results: - Selected model 0: NC - Concrete RAC: FAILURE (assertion at "bench/check-ce/test_result_ce_value1.mlw", line 16, characters 11-18) - Abstract RAC: FAILURE (assertion at "bench/check-ce/test_result_ce_value1.mlw", line 16, characters 11-18) - Checked model 1: NC - Concrete RAC: FAILURE (assertion at "bench/check-ce/test_result_ce_value1.mlw", line 16, characters 11-18) - Abstract RAC: FAILURE (assertion at "bench/check-ce/test_result_ce_value1.mlw", line 16, characters 11-18) File "bench/check-ce/test_result_ce_value1.mlw", line 16, characters 11-18: Sub-goal Assertion of goal test1bis'vc. Prover result is: Unknown (sat) (0.01s, 898 steps). The program does not comply to the verification goal, for example during the following execution: File int.mlw: Line 13: Constant zero initialization zero = 0 Line 14: Constant one initialization one = 1 File test_result_ce_value1.mlw: Line 14: x = (-1) x = (-1) Execution of main function `test1bis` with env: x = (-1) zero = 0 one = 1 Line 15: (giant-step) execution of unimplemented function `id` x = (-1) result of `id` = 0 (giant-step) execution of unimplemented function `id` x = 0 result of `id` = 41 Normal execution of function `(+)` with args: _ = 41 _ = 1 Line 16: Property failure at assertion with: a = 42 why3-1.6.0/bench/check-ce/oracles/test_result_ce_value1_Z3,4.8.4_WP.oracle000066400000000000000000000502651440160026300257070ustar00rootroot00000000000000Check model 0 ("bench/check-ce/test_result_ce_value1.mlw", line 12, characters 11-18) Checking model: File test_result_ce_value1.mlw: Line 6: x = {"type": "Integer", "val": "-1"} Line 8: x = {"type": "Integer", "val": "-1"} Line 9: a = {"type": "Integer", "val": "42"} result = {"type": "Integer", "val": "41"} Line 10: result = {"type": "Integer", "val": "0"} Line 12: result = {"type": "Integer", "val": "41"} Giant-step RAC RHS evaluated for global `zero` at "WHY3DATA/stdlib/int.mlw", line 13, characters 15-19: 0 RHS evaluated for global `one` at "WHY3DATA/stdlib/int.mlw", line 14, characters 15-18: 1 Value from model for parameter `x` at "bench/check-ce/test_result_ce_value1.mlw", line 8, characters 11-12: (-1) Value from model for return value of call to id at "bench/check-ce/test_result_ce_value1.mlw", line 10, characters 6-12 at "bench/check-ce/test_result_ce_value1.mlw", line 10, characters 6-12: 0 Value from model for return value of call to id at "bench/check-ce/test_result_ce_value1.mlw", line 9, characters 10-25 at "bench/check-ce/test_result_ce_value1.mlw", line 9, characters 10-25: 41 Normal RAC RHS evaluated for global `zero` at "WHY3DATA/stdlib/int.mlw", line 13, characters 15-19: 0 RHS evaluated for global `one` at "WHY3DATA/stdlib/int.mlw", line 14, characters 15-18: 1 Value from model for parameter `x` at "bench/check-ce/test_result_ce_value1.mlw", line 8, characters 11-12: (-1) Value from model for return value of call to id at "bench/check-ce/test_result_ce_value1.mlw", line 10, characters 6-12 at "bench/check-ce/test_result_ce_value1.mlw", line 10, characters 6-12: 0 Value from model for return value of call to id at "bench/check-ce/test_result_ce_value1.mlw", line 9, characters 10-25 at "bench/check-ce/test_result_ce_value1.mlw", line 9, characters 10-25: 41 Result of checking model 0: NC - Concrete RAC: FAILURE (assertion at "bench/check-ce/test_result_ce_value1.mlw", line 12, characters 11-18) File int.mlw: Line 13: Constant zero initialization zero = 0 Line 14: Constant one initialization one = 1 File test_result_ce_value1.mlw: Line 8: x = (-1) x = (-1) Execution of main function `test1` with env: x = (-1) zero = 0 one = 1 Line 10: (giant-step) execution of unimplemented function `id` x = (-1) result of `id` = 0 Line 9: (giant-step) execution of unimplemented function `id` x = 0 result of `id` = 41 Normal execution of function `(+)` with args: _ = 41 _ = 1 Line 12: Property failure at assertion with: a = 42 - Abstract RAC: FAILURE (assertion at "bench/check-ce/test_result_ce_value1.mlw", line 12, characters 11-18) File int.mlw: Line 13: Constant zero initialization zero = 0 Line 14: Constant one initialization one = 1 File test_result_ce_value1.mlw: Line 8: x = (-1) x = (-1) Execution of main function `test1` with env: x = (-1) zero = 0 one = 1 Line 10: Giant-step execution of function `id` with args: x = (-1) result of `id` = 0 Line 9: Giant-step execution of function `id` with args: x = 0 result of `id` = 41 Normal execution of function `(+)` with args: _ = 41 _ = 1 Line 12: Property failure at assertion with: a = 42 Check model 1 ("bench/check-ce/test_result_ce_value1.mlw", line 12, characters 11-18) Checking model: File test_result_ce_value1.mlw: Line 6: x = {"type": "Integer", "val": "-1"} Line 8: x = {"type": "Integer", "val": "-1"} Line 9: a = {"type": "Integer", "val": "42"} result = {"type": "Integer", "val": "41"} Line 10: result = {"type": "Integer", "val": "0"} Line 12: result = {"type": "Integer", "val": "41"} Giant-step RAC RHS evaluated for global `zero` at "WHY3DATA/stdlib/int.mlw", line 13, characters 15-19: 0 RHS evaluated for global `one` at "WHY3DATA/stdlib/int.mlw", line 14, characters 15-18: 1 Value from model for parameter `x` at "bench/check-ce/test_result_ce_value1.mlw", line 8, characters 11-12: (-1) Value from model for return value of call to id at "bench/check-ce/test_result_ce_value1.mlw", line 10, characters 6-12 at "bench/check-ce/test_result_ce_value1.mlw", line 10, characters 6-12: 0 Value from model for return value of call to id at "bench/check-ce/test_result_ce_value1.mlw", line 9, characters 10-25 at "bench/check-ce/test_result_ce_value1.mlw", line 9, characters 10-25: 41 Normal RAC RHS evaluated for global `zero` at "WHY3DATA/stdlib/int.mlw", line 13, characters 15-19: 0 RHS evaluated for global `one` at "WHY3DATA/stdlib/int.mlw", line 14, characters 15-18: 1 Value from model for parameter `x` at "bench/check-ce/test_result_ce_value1.mlw", line 8, characters 11-12: (-1) Value from model for return value of call to id at "bench/check-ce/test_result_ce_value1.mlw", line 10, characters 6-12 at "bench/check-ce/test_result_ce_value1.mlw", line 10, characters 6-12: 0 Value from model for return value of call to id at "bench/check-ce/test_result_ce_value1.mlw", line 9, characters 10-25 at "bench/check-ce/test_result_ce_value1.mlw", line 9, characters 10-25: 41 Result of checking model 1: NC - Concrete RAC: FAILURE (assertion at "bench/check-ce/test_result_ce_value1.mlw", line 12, characters 11-18) File int.mlw: Line 13: Constant zero initialization zero = 0 Line 14: Constant one initialization one = 1 File test_result_ce_value1.mlw: Line 8: x = (-1) x = (-1) Execution of main function `test1` with env: x = (-1) zero = 0 one = 1 Line 10: (giant-step) execution of unimplemented function `id` x = (-1) result of `id` = 0 Line 9: (giant-step) execution of unimplemented function `id` x = 0 result of `id` = 41 Normal execution of function `(+)` with args: _ = 41 _ = 1 Line 12: Property failure at assertion with: a = 42 - Abstract RAC: FAILURE (assertion at "bench/check-ce/test_result_ce_value1.mlw", line 12, characters 11-18) File int.mlw: Line 13: Constant zero initialization zero = 0 Line 14: Constant one initialization one = 1 File test_result_ce_value1.mlw: Line 8: x = (-1) x = (-1) Execution of main function `test1` with env: x = (-1) zero = 0 one = 1 Line 10: Giant-step execution of function `id` with args: x = (-1) result of `id` = 0 Line 9: Giant-step execution of function `id` with args: x = 0 result of `id` = 41 Normal execution of function `(+)` with args: _ = 41 _ = 1 Line 12: Property failure at assertion with: a = 42 Results: - Selected model 0: NC - Concrete RAC: FAILURE (assertion at "bench/check-ce/test_result_ce_value1.mlw", line 12, characters 11-18) - Abstract RAC: FAILURE (assertion at "bench/check-ce/test_result_ce_value1.mlw", line 12, characters 11-18) - Checked model 1: NC - Concrete RAC: FAILURE (assertion at "bench/check-ce/test_result_ce_value1.mlw", line 12, characters 11-18) - Abstract RAC: FAILURE (assertion at "bench/check-ce/test_result_ce_value1.mlw", line 12, characters 11-18) File "bench/check-ce/test_result_ce_value1.mlw", line 12, characters 11-18: Sub-goal Assertion of goal test1'vc. Prover result is: Unknown (sat) (0.03s, 898 steps). The program does not comply to the verification goal, for example during the following execution: File int.mlw: Line 13: Constant zero initialization zero = 0 Line 14: Constant one initialization one = 1 File test_result_ce_value1.mlw: Line 8: x = (-1) x = (-1) Execution of main function `test1` with env: x = (-1) zero = 0 one = 1 Line 10: (giant-step) execution of unimplemented function `id` x = (-1) result of `id` = 0 Line 9: (giant-step) execution of unimplemented function `id` x = 0 result of `id` = 41 Normal execution of function `(+)` with args: _ = 41 _ = 1 Line 12: Property failure at assertion with: a = 42 Check model 0 ("bench/check-ce/test_result_ce_value1.mlw", line 16, characters 11-18) Checking model: File test_result_ce_value1.mlw: Line 6: x = {"type": "Integer", "val": "-1"} Line 14: x = {"type": "Integer", "val": "-1"} Line 15: a = {"type": "Integer", "val": "42"} result = {"type": "Integer", "val": "41"} result = {"type": "Integer", "val": "0"} Line 16: result = {"type": "Integer", "val": "41"} Giant-step RAC RHS evaluated for global `zero` at "WHY3DATA/stdlib/int.mlw", line 13, characters 15-19: 0 RHS evaluated for global `one` at "WHY3DATA/stdlib/int.mlw", line 14, characters 15-18: 1 Value from model for parameter `x` at "bench/check-ce/test_result_ce_value1.mlw", line 14, characters 14-15: (-1) Value from model for return value of call to id at "bench/check-ce/test_result_ce_value1.mlw", line 15, characters 13-19 at "bench/check-ce/test_result_ce_value1.mlw", line 15, characters 13-19: 0 Value from model for return value of call to id at "bench/check-ce/test_result_ce_value1.mlw", line 15, characters 10-19 at "bench/check-ce/test_result_ce_value1.mlw", line 15, characters 10-19: 41 Normal RAC RHS evaluated for global `zero` at "WHY3DATA/stdlib/int.mlw", line 13, characters 15-19: 0 RHS evaluated for global `one` at "WHY3DATA/stdlib/int.mlw", line 14, characters 15-18: 1 Value from model for parameter `x` at "bench/check-ce/test_result_ce_value1.mlw", line 14, characters 14-15: (-1) Value from model for return value of call to id at "bench/check-ce/test_result_ce_value1.mlw", line 15, characters 13-19 at "bench/check-ce/test_result_ce_value1.mlw", line 15, characters 13-19: 0 Value from model for return value of call to id at "bench/check-ce/test_result_ce_value1.mlw", line 15, characters 10-19 at "bench/check-ce/test_result_ce_value1.mlw", line 15, characters 10-19: 41 Result of checking model 0: NC - Concrete RAC: FAILURE (assertion at "bench/check-ce/test_result_ce_value1.mlw", line 16, characters 11-18) File int.mlw: Line 13: Constant zero initialization zero = 0 Line 14: Constant one initialization one = 1 File test_result_ce_value1.mlw: Line 14: x = (-1) x = (-1) Execution of main function `test1bis` with env: x = (-1) zero = 0 one = 1 Line 15: (giant-step) execution of unimplemented function `id` x = (-1) result of `id` = 0 (giant-step) execution of unimplemented function `id` x = 0 result of `id` = 41 Normal execution of function `(+)` with args: _ = 41 _ = 1 Line 16: Property failure at assertion with: a = 42 - Abstract RAC: FAILURE (assertion at "bench/check-ce/test_result_ce_value1.mlw", line 16, characters 11-18) File int.mlw: Line 13: Constant zero initialization zero = 0 Line 14: Constant one initialization one = 1 File test_result_ce_value1.mlw: Line 14: x = (-1) x = (-1) Execution of main function `test1bis` with env: x = (-1) zero = 0 one = 1 Line 15: Giant-step execution of function `id` with args: x = (-1) result of `id` = 0 Giant-step execution of function `id` with args: x = 0 result of `id` = 41 Normal execution of function `(+)` with args: _ = 41 _ = 1 Line 16: Property failure at assertion with: a = 42 Check model 1 ("bench/check-ce/test_result_ce_value1.mlw", line 16, characters 11-18) Checking model: File test_result_ce_value1.mlw: Line 6: x = {"type": "Integer", "val": "-1"} Line 14: x = {"type": "Integer", "val": "-1"} Line 15: a = {"type": "Integer", "val": "42"} result = {"type": "Integer", "val": "41"} result = {"type": "Integer", "val": "0"} Line 16: result = {"type": "Integer", "val": "41"} Giant-step RAC RHS evaluated for global `zero` at "WHY3DATA/stdlib/int.mlw", line 13, characters 15-19: 0 RHS evaluated for global `one` at "WHY3DATA/stdlib/int.mlw", line 14, characters 15-18: 1 Value from model for parameter `x` at "bench/check-ce/test_result_ce_value1.mlw", line 14, characters 14-15: (-1) Value from model for return value of call to id at "bench/check-ce/test_result_ce_value1.mlw", line 15, characters 13-19 at "bench/check-ce/test_result_ce_value1.mlw", line 15, characters 13-19: 0 Value from model for return value of call to id at "bench/check-ce/test_result_ce_value1.mlw", line 15, characters 10-19 at "bench/check-ce/test_result_ce_value1.mlw", line 15, characters 10-19: 41 Normal RAC RHS evaluated for global `zero` at "WHY3DATA/stdlib/int.mlw", line 13, characters 15-19: 0 RHS evaluated for global `one` at "WHY3DATA/stdlib/int.mlw", line 14, characters 15-18: 1 Value from model for parameter `x` at "bench/check-ce/test_result_ce_value1.mlw", line 14, characters 14-15: (-1) Value from model for return value of call to id at "bench/check-ce/test_result_ce_value1.mlw", line 15, characters 13-19 at "bench/check-ce/test_result_ce_value1.mlw", line 15, characters 13-19: 0 Value from model for return value of call to id at "bench/check-ce/test_result_ce_value1.mlw", line 15, characters 10-19 at "bench/check-ce/test_result_ce_value1.mlw", line 15, characters 10-19: 41 Result of checking model 1: NC - Concrete RAC: FAILURE (assertion at "bench/check-ce/test_result_ce_value1.mlw", line 16, characters 11-18) File int.mlw: Line 13: Constant zero initialization zero = 0 Line 14: Constant one initialization one = 1 File test_result_ce_value1.mlw: Line 14: x = (-1) x = (-1) Execution of main function `test1bis` with env: x = (-1) zero = 0 one = 1 Line 15: (giant-step) execution of unimplemented function `id` x = (-1) result of `id` = 0 (giant-step) execution of unimplemented function `id` x = 0 result of `id` = 41 Normal execution of function `(+)` with args: _ = 41 _ = 1 Line 16: Property failure at assertion with: a = 42 - Abstract RAC: FAILURE (assertion at "bench/check-ce/test_result_ce_value1.mlw", line 16, characters 11-18) File int.mlw: Line 13: Constant zero initialization zero = 0 Line 14: Constant one initialization one = 1 File test_result_ce_value1.mlw: Line 14: x = (-1) x = (-1) Execution of main function `test1bis` with env: x = (-1) zero = 0 one = 1 Line 15: Giant-step execution of function `id` with args: x = (-1) result of `id` = 0 Giant-step execution of function `id` with args: x = 0 result of `id` = 41 Normal execution of function `(+)` with args: _ = 41 _ = 1 Line 16: Property failure at assertion with: a = 42 Results: - Selected model 0: NC - Concrete RAC: FAILURE (assertion at "bench/check-ce/test_result_ce_value1.mlw", line 16, characters 11-18) - Abstract RAC: FAILURE (assertion at "bench/check-ce/test_result_ce_value1.mlw", line 16, characters 11-18) - Checked model 1: NC - Concrete RAC: FAILURE (assertion at "bench/check-ce/test_result_ce_value1.mlw", line 16, characters 11-18) - Abstract RAC: FAILURE (assertion at "bench/check-ce/test_result_ce_value1.mlw", line 16, characters 11-18) File "bench/check-ce/test_result_ce_value1.mlw", line 16, characters 11-18: Sub-goal Assertion of goal test1bis'vc. Prover result is: Unknown (sat) (0.00s, 898 steps). The program does not comply to the verification goal, for example during the following execution: File int.mlw: Line 13: Constant zero initialization zero = 0 Line 14: Constant one initialization one = 1 File test_result_ce_value1.mlw: Line 14: x = (-1) x = (-1) Execution of main function `test1bis` with env: x = (-1) zero = 0 one = 1 Line 15: (giant-step) execution of unimplemented function `id` x = (-1) result of `id` = 0 (giant-step) execution of unimplemented function `id` x = 0 result of `id` = 41 Normal execution of function `(+)` with args: _ = 41 _ = 1 Line 16: Property failure at assertion with: a = 42 why3-1.6.0/bench/check-ce/oracles/test_result_ce_value2_CVC4,1.8_SP.oracle000066400000000000000000000123471440160026300257410ustar00rootroot00000000000000Categorizations of models: - Selected model 0: NC - Concrete RAC: FAILURE (assertion at "bench/check-ce/test_result_ce_value2.mlw", line 13, characters 14-20) - Abstract RAC: FAILURE (assertion at "bench/check-ce/test_result_ce_value2.mlw", line 13, characters 14-20) - Checked model 1: NC - Concrete RAC: FAILURE (assertion at "bench/check-ce/test_result_ce_value2.mlw", line 13, characters 14-20) - Abstract RAC: FAILURE (assertion at "bench/check-ce/test_result_ce_value2.mlw", line 13, characters 14-20) File "bench/check-ce/test_result_ce_value2.mlw", line 13, characters 14-20: Sub-goal Assertion of goal test2'vc. Prover result is: Unknown or time/memory/step limit. The program does not comply to the verification goal, for example during the following execution: File int.mlw: Line 13: Constant zero initialization zero = 0 Line 14: Constant one initialization one = 1 File test_result_ce_value2.mlw: Line 3: Constant a initialization (giant-step) execution of unimplemented function with args: result = 0 Normal execution of function `ref` with args: contents = 0 Normal execution of function `ref'mk` with args: contents = 0 a = {contents= 0} Line 10: x = (- 1) x = (- 1) Execution of main function `test2` with env: a = {contents= 0} x = (- 1) zero = 0 one = 1 Line 12: (giant-step) execution of unimplemented function `id` x = (- 1) a = {contents= (- 1)} result of `id` = 0 Normal execution of function `(<)` with args: _ = 0 _ = 10 Line 13: Property failure at assertion with: a = {contents= (- 1)} Categorizations of models: - Selected model 0: NC - Concrete RAC: FAILURE (assertion at "bench/check-ce/test_result_ce_value2.mlw", line 15, characters 14-20) - Abstract RAC: FAILURE (assertion at "bench/check-ce/test_result_ce_value2.mlw", line 15, characters 14-20) - Checked model 1: NC - Concrete RAC: FAILURE (assertion at "bench/check-ce/test_result_ce_value2.mlw", line 15, characters 14-20) - Abstract RAC: FAILURE (assertion at "bench/check-ce/test_result_ce_value2.mlw", line 15, characters 14-20) File "bench/check-ce/test_result_ce_value2.mlw", line 15, characters 14-20: Sub-goal Assertion of goal test2'vc. Prover result is: Unknown or time/memory/step limit. The program does not comply to the verification goal, for example during the following execution: File int.mlw: Line 13: Constant zero initialization zero = 0 Line 14: Constant one initialization one = 1 File test_result_ce_value2.mlw: Line 3: Constant a initialization (giant-step) execution of unimplemented function with args: result = 0 Normal execution of function `ref` with args: contents = 0 Normal execution of function `ref'mk` with args: contents = 0 a = {contents= 0} Line 10: x = 0 x = 0 Execution of main function `test2` with env: a = {contents= 0} x = 0 zero = 0 one = 1 Line 12: (giant-step) execution of unimplemented function `id` x = 0 a = {contents= 42} result of `id` = 43 Normal execution of function `(<)` with args: _ = 43 _ = 10 Line 15: Property failure at assertion with: a = {contents= 42} Categorizations of models: - Selected model 0: NC - Concrete RAC: FAILURE (postcondition at "bench/check-ce/test_result_ce_value2.mlw", line 18, characters 12-19) - Abstract RAC: FAILURE (postcondition at "bench/check-ce/test_result_ce_value2.mlw", line 18, characters 12-19) - Checked model 1: NC - Concrete RAC: FAILURE (postcondition at "bench/check-ce/test_result_ce_value2.mlw", line 18, characters 12-19) - Abstract RAC: FAILURE (postcondition at "bench/check-ce/test_result_ce_value2.mlw", line 18, characters 12-19) File "bench/check-ce/test_result_ce_value2.mlw", line 18, characters 12-19: Sub-goal Postcondition of goal test3'vc. Prover result is: Unknown or time/memory/step limit. The program does not comply to the verification goal, for example during the following execution: File int.mlw: Line 13: Constant zero initialization zero = 0 Line 14: Constant one initialization one = 1 File test_result_ce_value2.mlw: Line 3: Constant a initialization (giant-step) execution of unimplemented function with args: result = 0 Normal execution of function `ref` with args: contents = 0 Normal execution of function `ref'mk` with args: contents = 0 a = {contents= 0} Line 17: x = 99 x = 99 Execution of main function `test3` with env: a = {contents= 0} x = 99 zero = 0 one = 1 Line 21: (giant-step) execution of unimplemented function `id` x = 99 a = {contents= 40} result of `id` = 100 Normal execution of function `(<)` with args: _ = 100 _ = 100 Unknown location: Normal execution of function `False` with args: File test_result_ce_value2.mlw: Line 24: Normal execution of function `contents` with args: arg = {contents= 40} Normal execution of function `(+)` with args: _ = 40 _ = 2 Line 18: Property failure at postcondition of `test3` with: a = {contents= 42} why3-1.6.0/bench/check-ce/oracles/test_result_ce_value2_CVC4,1.8_WP.oracle000066400000000000000000000227101440160026300257400ustar00rootroot00000000000000Categorizations of models: - Selected model 0: NC - Concrete RAC: FAILURE (assertion at "bench/check-ce/test_result_ce_value2.mlw", line 13, characters 14-20) - Abstract RAC: FAILURE (assertion at "bench/check-ce/test_result_ce_value2.mlw", line 13, characters 14-20) - Checked model 1: NC - Concrete RAC: FAILURE (assertion at "bench/check-ce/test_result_ce_value2.mlw", line 13, characters 14-20) - Abstract RAC: FAILURE (assertion at "bench/check-ce/test_result_ce_value2.mlw", line 13, characters 14-20) File "bench/check-ce/test_result_ce_value2.mlw", line 13, characters 14-20: Sub-goal Assertion of goal test2'vc. Prover result is: Unknown or time/memory/step limit. The program does not comply to the verification goal, for example during the following execution: File int.mlw: Line 13: Constant zero initialization zero = 0 Line 14: Constant one initialization one = 1 File test_result_ce_value2.mlw: Line 3: Constant a initialization (giant-step) execution of unimplemented function with args: result = 0 Normal execution of function `ref` with args: contents = 0 Normal execution of function `ref'mk` with args: contents = 0 a = {contents= 0} Line 10: x = (- 1) x = (- 1) Execution of main function `test2` with env: a = {contents= 0} x = (- 1) zero = 0 one = 1 Line 12: (giant-step) execution of unimplemented function `id` x = (- 1) a = {contents= (- 1)} result of `id` = 0 Normal execution of function `(<)` with args: _ = 0 _ = 10 Line 13: Property failure at assertion with: a = {contents= (- 1)} Categorizations of models: - Selected model 0: NC - Concrete RAC: FAILURE (assertion at "bench/check-ce/test_result_ce_value2.mlw", line 15, characters 14-20) - Abstract RAC: FAILURE (assertion at "bench/check-ce/test_result_ce_value2.mlw", line 15, characters 14-20) - Checked model 1: NC - Concrete RAC: FAILURE (assertion at "bench/check-ce/test_result_ce_value2.mlw", line 15, characters 14-20) - Abstract RAC: FAILURE (assertion at "bench/check-ce/test_result_ce_value2.mlw", line 15, characters 14-20) File "bench/check-ce/test_result_ce_value2.mlw", line 15, characters 14-20: Sub-goal Assertion of goal test2'vc. Prover result is: Unknown or time/memory/step limit. The program does not comply to the verification goal, for example during the following execution: File int.mlw: Line 13: Constant zero initialization zero = 0 Line 14: Constant one initialization one = 1 File test_result_ce_value2.mlw: Line 3: Constant a initialization (giant-step) execution of unimplemented function with args: result = 0 Normal execution of function `ref` with args: contents = 0 Normal execution of function `ref'mk` with args: contents = 0 a = {contents= 0} Line 10: x = 0 x = 0 Execution of main function `test2` with env: a = {contents= 0} x = 0 zero = 0 one = 1 Line 12: (giant-step) execution of unimplemented function `id` x = 0 a = {contents= 42} result of `id` = 43 Normal execution of function `(<)` with args: _ = 43 _ = 10 Line 15: Property failure at assertion with: a = {contents= 42} Categorizations of models: - Selected model 0: NC - Concrete RAC: FAILURE (postcondition at "bench/check-ce/test_result_ce_value2.mlw", line 18, characters 12-19) - Abstract RAC: FAILURE (postcondition at "bench/check-ce/test_result_ce_value2.mlw", line 18, characters 12-19) - Checked model 1: NC - Concrete RAC: FAILURE (postcondition at "bench/check-ce/test_result_ce_value2.mlw", line 18, characters 12-19) - Abstract RAC: FAILURE (postcondition at "bench/check-ce/test_result_ce_value2.mlw", line 18, characters 12-19) File "bench/check-ce/test_result_ce_value2.mlw", line 18, characters 12-19: Sub-goal Postcondition of goal test3'vc. Prover result is: Unknown or time/memory/step limit. The program does not comply to the verification goal, for example during the following execution: File int.mlw: Line 13: Constant zero initialization zero = 0 Line 14: Constant one initialization one = 1 File test_result_ce_value2.mlw: Line 3: Constant a initialization (giant-step) execution of unimplemented function with args: result = 0 Normal execution of function `ref` with args: contents = 0 Normal execution of function `ref'mk` with args: contents = 0 a = {contents= 0} Line 17: x = (- 1) x = (- 1) Execution of main function `test3` with env: a = {contents= 0} x = (- 1) zero = 0 one = 1 Line 21: (giant-step) execution of unimplemented function `id` x = (- 1) a = {contents= (- 1)} result of `id` = 0 Normal execution of function `(<)` with args: _ = 0 _ = 100 (giant-step) execution of unimplemented function `id` x = (- 1) a = {contents= 41} result of `id` = 51 Normal execution of function `(>)` with args: x = 51 y = 50 Line 22: Normal execution of function `contents` with args: arg = {contents= 41} Normal execution of function `(+)` with args: _ = 41 _ = 1 Line 18: Property failure at postcondition of `test3` with: a = {contents= 42} Categorizations of models: - Selected model 0: NC - Concrete RAC: FAILURE (postcondition at "bench/check-ce/test_result_ce_value2.mlw", line 18, characters 12-19) - Abstract RAC: FAILURE (postcondition at "bench/check-ce/test_result_ce_value2.mlw", line 18, characters 12-19) - Checked model 1: NC - Concrete RAC: FAILURE (postcondition at "bench/check-ce/test_result_ce_value2.mlw", line 18, characters 12-19) - Abstract RAC: FAILURE (postcondition at "bench/check-ce/test_result_ce_value2.mlw", line 18, characters 12-19) File "bench/check-ce/test_result_ce_value2.mlw", line 18, characters 12-19: Sub-goal Postcondition of goal test3'vc. Prover result is: Unknown or time/memory/step limit. The program does not comply to the verification goal, for example during the following execution: File int.mlw: Line 13: Constant zero initialization zero = 0 Line 14: Constant one initialization one = 1 File test_result_ce_value2.mlw: Line 3: Constant a initialization (giant-step) execution of unimplemented function with args: result = 0 Normal execution of function `ref` with args: contents = 0 Normal execution of function `ref'mk` with args: contents = 0 a = {contents= 0} Line 17: x = (- 1) x = (- 1) Execution of main function `test3` with env: a = {contents= 0} x = (- 1) zero = 0 one = 1 Line 21: (giant-step) execution of unimplemented function `id` x = (- 1) a = {contents= (- 1)} result of `id` = 0 Normal execution of function `(<)` with args: _ = 0 _ = 100 (giant-step) execution of unimplemented function `id` x = (- 1) a = {contents= 40} result of `id` = 41 Normal execution of function `(>)` with args: x = 41 y = 50 Line 24: Normal execution of function `contents` with args: arg = {contents= 40} Normal execution of function `(+)` with args: _ = 40 _ = 2 Line 18: Property failure at postcondition of `test3` with: a = {contents= 42} File "bench/check-ce/test_result_ce_value2.mlw", line 18, characters 12-19: Sub-goal Postcondition of goal test3'vc. Prover result is: Valid. Categorizations of models: - Selected model 0: NC - Concrete RAC: FAILURE (postcondition at "bench/check-ce/test_result_ce_value2.mlw", line 18, characters 12-19) - Abstract RAC: FAILURE (postcondition at "bench/check-ce/test_result_ce_value2.mlw", line 18, characters 12-19) - Checked model 1: NC - Concrete RAC: FAILURE (postcondition at "bench/check-ce/test_result_ce_value2.mlw", line 18, characters 12-19) - Abstract RAC: FAILURE (postcondition at "bench/check-ce/test_result_ce_value2.mlw", line 18, characters 12-19) File "bench/check-ce/test_result_ce_value2.mlw", line 18, characters 12-19: Sub-goal Postcondition of goal test3'vc. Prover result is: Unknown or time/memory/step limit. The program does not comply to the verification goal, for example during the following execution: File int.mlw: Line 13: Constant zero initialization zero = 0 Line 14: Constant one initialization one = 1 File test_result_ce_value2.mlw: Line 3: Constant a initialization (giant-step) execution of unimplemented function with args: result = 0 Normal execution of function `ref` with args: contents = 0 Normal execution of function `ref'mk` with args: contents = 0 a = {contents= 0} Line 17: x = 0 x = 0 Execution of main function `test3` with env: a = {contents= 0} x = 0 zero = 0 one = 1 Line 21: (giant-step) execution of unimplemented function `id` x = 0 a = {contents= 40} result of `id` = 100 Normal execution of function `(<)` with args: _ = 100 _ = 100 Unknown location: Normal execution of function `False` with args: File test_result_ce_value2.mlw: Line 24: Normal execution of function `contents` with args: arg = {contents= 40} Normal execution of function `(+)` with args: _ = 40 _ = 2 Line 18: Property failure at postcondition of `test3` with: a = {contents= 42} why3-1.6.0/bench/check-ce/oracles/test_result_ce_value2_CVC5,1.0.0_SP.oracle000066400000000000000000000123471440160026300260700ustar00rootroot00000000000000Categorizations of models: - Selected model 0: NC - Concrete RAC: FAILURE (assertion at "bench/check-ce/test_result_ce_value2.mlw", line 13, characters 14-20) - Abstract RAC: FAILURE (assertion at "bench/check-ce/test_result_ce_value2.mlw", line 13, characters 14-20) - Checked model 1: NC - Concrete RAC: FAILURE (assertion at "bench/check-ce/test_result_ce_value2.mlw", line 13, characters 14-20) - Abstract RAC: FAILURE (assertion at "bench/check-ce/test_result_ce_value2.mlw", line 13, characters 14-20) File "bench/check-ce/test_result_ce_value2.mlw", line 13, characters 14-20: Sub-goal Assertion of goal test2'vc. Prover result is: Unknown or time/memory/step limit. The program does not comply to the verification goal, for example during the following execution: File int.mlw: Line 13: Constant zero initialization zero = 0 Line 14: Constant one initialization one = 1 File test_result_ce_value2.mlw: Line 3: Constant a initialization (giant-step) execution of unimplemented function with args: result = 0 Normal execution of function `ref` with args: contents = 0 Normal execution of function `ref'mk` with args: contents = 0 a = {contents= 0} Line 10: x = (- 1) x = (- 1) Execution of main function `test2` with env: a = {contents= 0} x = (- 1) zero = 0 one = 1 Line 12: (giant-step) execution of unimplemented function `id` x = (- 1) a = {contents= (- 1)} result of `id` = 0 Normal execution of function `(<)` with args: _ = 0 _ = 10 Line 13: Property failure at assertion with: a = {contents= (- 1)} Categorizations of models: - Selected model 0: NC - Concrete RAC: FAILURE (assertion at "bench/check-ce/test_result_ce_value2.mlw", line 15, characters 14-20) - Abstract RAC: FAILURE (assertion at "bench/check-ce/test_result_ce_value2.mlw", line 15, characters 14-20) - Checked model 1: NC - Concrete RAC: FAILURE (assertion at "bench/check-ce/test_result_ce_value2.mlw", line 15, characters 14-20) - Abstract RAC: FAILURE (assertion at "bench/check-ce/test_result_ce_value2.mlw", line 15, characters 14-20) File "bench/check-ce/test_result_ce_value2.mlw", line 15, characters 14-20: Sub-goal Assertion of goal test2'vc. Prover result is: Unknown or time/memory/step limit. The program does not comply to the verification goal, for example during the following execution: File int.mlw: Line 13: Constant zero initialization zero = 0 Line 14: Constant one initialization one = 1 File test_result_ce_value2.mlw: Line 3: Constant a initialization (giant-step) execution of unimplemented function with args: result = 0 Normal execution of function `ref` with args: contents = 0 Normal execution of function `ref'mk` with args: contents = 0 a = {contents= 0} Line 10: x = 0 x = 0 Execution of main function `test2` with env: a = {contents= 0} x = 0 zero = 0 one = 1 Line 12: (giant-step) execution of unimplemented function `id` x = 0 a = {contents= 42} result of `id` = 43 Normal execution of function `(<)` with args: _ = 43 _ = 10 Line 15: Property failure at assertion with: a = {contents= 42} Categorizations of models: - Selected model 0: NC - Concrete RAC: FAILURE (postcondition at "bench/check-ce/test_result_ce_value2.mlw", line 18, characters 12-19) - Abstract RAC: FAILURE (postcondition at "bench/check-ce/test_result_ce_value2.mlw", line 18, characters 12-19) - Checked model 1: NC - Concrete RAC: FAILURE (postcondition at "bench/check-ce/test_result_ce_value2.mlw", line 18, characters 12-19) - Abstract RAC: FAILURE (postcondition at "bench/check-ce/test_result_ce_value2.mlw", line 18, characters 12-19) File "bench/check-ce/test_result_ce_value2.mlw", line 18, characters 12-19: Sub-goal Postcondition of goal test3'vc. Prover result is: Unknown or time/memory/step limit. The program does not comply to the verification goal, for example during the following execution: File int.mlw: Line 13: Constant zero initialization zero = 0 Line 14: Constant one initialization one = 1 File test_result_ce_value2.mlw: Line 3: Constant a initialization (giant-step) execution of unimplemented function with args: result = 0 Normal execution of function `ref` with args: contents = 0 Normal execution of function `ref'mk` with args: contents = 0 a = {contents= 0} Line 17: x = 99 x = 99 Execution of main function `test3` with env: a = {contents= 0} x = 99 zero = 0 one = 1 Line 21: (giant-step) execution of unimplemented function `id` x = 99 a = {contents= 40} result of `id` = 100 Normal execution of function `(<)` with args: _ = 100 _ = 100 Unknown location: Normal execution of function `False` with args: File test_result_ce_value2.mlw: Line 24: Normal execution of function `contents` with args: arg = {contents= 40} Normal execution of function `(+)` with args: _ = 40 _ = 2 Line 18: Property failure at postcondition of `test3` with: a = {contents= 42} why3-1.6.0/bench/check-ce/oracles/test_result_ce_value2_CVC5,1.0.0_WP.oracle000066400000000000000000000227101440160026300260670ustar00rootroot00000000000000Categorizations of models: - Selected model 0: NC - Concrete RAC: FAILURE (assertion at "bench/check-ce/test_result_ce_value2.mlw", line 13, characters 14-20) - Abstract RAC: FAILURE (assertion at "bench/check-ce/test_result_ce_value2.mlw", line 13, characters 14-20) - Checked model 1: NC - Concrete RAC: FAILURE (assertion at "bench/check-ce/test_result_ce_value2.mlw", line 13, characters 14-20) - Abstract RAC: FAILURE (assertion at "bench/check-ce/test_result_ce_value2.mlw", line 13, characters 14-20) File "bench/check-ce/test_result_ce_value2.mlw", line 13, characters 14-20: Sub-goal Assertion of goal test2'vc. Prover result is: Unknown or time/memory/step limit. The program does not comply to the verification goal, for example during the following execution: File int.mlw: Line 13: Constant zero initialization zero = 0 Line 14: Constant one initialization one = 1 File test_result_ce_value2.mlw: Line 3: Constant a initialization (giant-step) execution of unimplemented function with args: result = 0 Normal execution of function `ref` with args: contents = 0 Normal execution of function `ref'mk` with args: contents = 0 a = {contents= 0} Line 10: x = (- 1) x = (- 1) Execution of main function `test2` with env: a = {contents= 0} x = (- 1) zero = 0 one = 1 Line 12: (giant-step) execution of unimplemented function `id` x = (- 1) a = {contents= (- 1)} result of `id` = 0 Normal execution of function `(<)` with args: _ = 0 _ = 10 Line 13: Property failure at assertion with: a = {contents= (- 1)} Categorizations of models: - Selected model 0: NC - Concrete RAC: FAILURE (assertion at "bench/check-ce/test_result_ce_value2.mlw", line 15, characters 14-20) - Abstract RAC: FAILURE (assertion at "bench/check-ce/test_result_ce_value2.mlw", line 15, characters 14-20) - Checked model 1: NC - Concrete RAC: FAILURE (assertion at "bench/check-ce/test_result_ce_value2.mlw", line 15, characters 14-20) - Abstract RAC: FAILURE (assertion at "bench/check-ce/test_result_ce_value2.mlw", line 15, characters 14-20) File "bench/check-ce/test_result_ce_value2.mlw", line 15, characters 14-20: Sub-goal Assertion of goal test2'vc. Prover result is: Unknown or time/memory/step limit. The program does not comply to the verification goal, for example during the following execution: File int.mlw: Line 13: Constant zero initialization zero = 0 Line 14: Constant one initialization one = 1 File test_result_ce_value2.mlw: Line 3: Constant a initialization (giant-step) execution of unimplemented function with args: result = 0 Normal execution of function `ref` with args: contents = 0 Normal execution of function `ref'mk` with args: contents = 0 a = {contents= 0} Line 10: x = 0 x = 0 Execution of main function `test2` with env: a = {contents= 0} x = 0 zero = 0 one = 1 Line 12: (giant-step) execution of unimplemented function `id` x = 0 a = {contents= 42} result of `id` = 43 Normal execution of function `(<)` with args: _ = 43 _ = 10 Line 15: Property failure at assertion with: a = {contents= 42} Categorizations of models: - Selected model 0: NC - Concrete RAC: FAILURE (postcondition at "bench/check-ce/test_result_ce_value2.mlw", line 18, characters 12-19) - Abstract RAC: FAILURE (postcondition at "bench/check-ce/test_result_ce_value2.mlw", line 18, characters 12-19) - Checked model 1: NC - Concrete RAC: FAILURE (postcondition at "bench/check-ce/test_result_ce_value2.mlw", line 18, characters 12-19) - Abstract RAC: FAILURE (postcondition at "bench/check-ce/test_result_ce_value2.mlw", line 18, characters 12-19) File "bench/check-ce/test_result_ce_value2.mlw", line 18, characters 12-19: Sub-goal Postcondition of goal test3'vc. Prover result is: Unknown or time/memory/step limit. The program does not comply to the verification goal, for example during the following execution: File int.mlw: Line 13: Constant zero initialization zero = 0 Line 14: Constant one initialization one = 1 File test_result_ce_value2.mlw: Line 3: Constant a initialization (giant-step) execution of unimplemented function with args: result = 0 Normal execution of function `ref` with args: contents = 0 Normal execution of function `ref'mk` with args: contents = 0 a = {contents= 0} Line 17: x = (- 1) x = (- 1) Execution of main function `test3` with env: a = {contents= 0} x = (- 1) zero = 0 one = 1 Line 21: (giant-step) execution of unimplemented function `id` x = (- 1) a = {contents= (- 1)} result of `id` = 0 Normal execution of function `(<)` with args: _ = 0 _ = 100 (giant-step) execution of unimplemented function `id` x = (- 1) a = {contents= 41} result of `id` = 51 Normal execution of function `(>)` with args: x = 51 y = 50 Line 22: Normal execution of function `contents` with args: arg = {contents= 41} Normal execution of function `(+)` with args: _ = 41 _ = 1 Line 18: Property failure at postcondition of `test3` with: a = {contents= 42} Categorizations of models: - Selected model 0: NC - Concrete RAC: FAILURE (postcondition at "bench/check-ce/test_result_ce_value2.mlw", line 18, characters 12-19) - Abstract RAC: FAILURE (postcondition at "bench/check-ce/test_result_ce_value2.mlw", line 18, characters 12-19) - Checked model 1: NC - Concrete RAC: FAILURE (postcondition at "bench/check-ce/test_result_ce_value2.mlw", line 18, characters 12-19) - Abstract RAC: FAILURE (postcondition at "bench/check-ce/test_result_ce_value2.mlw", line 18, characters 12-19) File "bench/check-ce/test_result_ce_value2.mlw", line 18, characters 12-19: Sub-goal Postcondition of goal test3'vc. Prover result is: Unknown or time/memory/step limit. The program does not comply to the verification goal, for example during the following execution: File int.mlw: Line 13: Constant zero initialization zero = 0 Line 14: Constant one initialization one = 1 File test_result_ce_value2.mlw: Line 3: Constant a initialization (giant-step) execution of unimplemented function with args: result = 0 Normal execution of function `ref` with args: contents = 0 Normal execution of function `ref'mk` with args: contents = 0 a = {contents= 0} Line 17: x = (- 1) x = (- 1) Execution of main function `test3` with env: a = {contents= 0} x = (- 1) zero = 0 one = 1 Line 21: (giant-step) execution of unimplemented function `id` x = (- 1) a = {contents= (- 1)} result of `id` = 0 Normal execution of function `(<)` with args: _ = 0 _ = 100 (giant-step) execution of unimplemented function `id` x = (- 1) a = {contents= 40} result of `id` = 41 Normal execution of function `(>)` with args: x = 41 y = 50 Line 24: Normal execution of function `contents` with args: arg = {contents= 40} Normal execution of function `(+)` with args: _ = 40 _ = 2 Line 18: Property failure at postcondition of `test3` with: a = {contents= 42} File "bench/check-ce/test_result_ce_value2.mlw", line 18, characters 12-19: Sub-goal Postcondition of goal test3'vc. Prover result is: Valid. Categorizations of models: - Selected model 0: NC - Concrete RAC: FAILURE (postcondition at "bench/check-ce/test_result_ce_value2.mlw", line 18, characters 12-19) - Abstract RAC: FAILURE (postcondition at "bench/check-ce/test_result_ce_value2.mlw", line 18, characters 12-19) - Checked model 1: NC - Concrete RAC: FAILURE (postcondition at "bench/check-ce/test_result_ce_value2.mlw", line 18, characters 12-19) - Abstract RAC: FAILURE (postcondition at "bench/check-ce/test_result_ce_value2.mlw", line 18, characters 12-19) File "bench/check-ce/test_result_ce_value2.mlw", line 18, characters 12-19: Sub-goal Postcondition of goal test3'vc. Prover result is: Unknown or time/memory/step limit. The program does not comply to the verification goal, for example during the following execution: File int.mlw: Line 13: Constant zero initialization zero = 0 Line 14: Constant one initialization one = 1 File test_result_ce_value2.mlw: Line 3: Constant a initialization (giant-step) execution of unimplemented function with args: result = 0 Normal execution of function `ref` with args: contents = 0 Normal execution of function `ref'mk` with args: contents = 0 a = {contents= 0} Line 17: x = 0 x = 0 Execution of main function `test3` with env: a = {contents= 0} x = 0 zero = 0 one = 1 Line 21: (giant-step) execution of unimplemented function `id` x = 0 a = {contents= 40} result of `id` = 100 Normal execution of function `(<)` with args: _ = 100 _ = 100 Unknown location: Normal execution of function `False` with args: File test_result_ce_value2.mlw: Line 24: Normal execution of function `contents` with args: arg = {contents= 40} Normal execution of function `(+)` with args: _ = 40 _ = 2 Line 18: Property failure at postcondition of `test3` with: a = {contents= 42} why3-1.6.0/bench/check-ce/oracles/test_result_ce_value2_Z3,4.8.10_SP.oracle000066400000000000000000000132531440160026300257550ustar00rootroot00000000000000Categorizations of models: - Selected model 0: NC - Concrete RAC: FAILURE (assertion at "bench/check-ce/test_result_ce_value2.mlw", line 13, characters 14-20) - Abstract RAC: FAILURE (assertion at "bench/check-ce/test_result_ce_value2.mlw", line 13, characters 14-20) - Checked model 1: INCOMPLETE - Concrete RAC: INCOMPLETE (terminated because missing value for return value of call to id at "bench/check-ce/test_result_ce_value2.mlw", line 12, characters 5-9) - Abstract RAC: INCOMPLETE (terminated because missing value for return value of call to id at "bench/check-ce/test_result_ce_value2.mlw", line 12, characters 5-9) File "bench/check-ce/test_result_ce_value2.mlw", line 13, characters 14-20: Sub-goal Assertion of goal test2'vc. Prover result is: Unknown or time/memory/step limit. The program does not comply to the verification goal, for example during the following execution: File int.mlw: Line 13: Constant zero initialization zero = 0 Line 14: Constant one initialization one = 1 File test_result_ce_value2.mlw: Line 3: Constant a initialization (giant-step) execution of unimplemented function with args: result = 0 Normal execution of function `ref` with args: contents = 0 Normal execution of function `ref'mk` with args: contents = 0 a = {contents= 0} Line 10: x = (- 1) x = (- 1) Execution of main function `test2` with env: a = {contents= 0} x = (- 1) zero = 0 one = 1 Line 12: (giant-step) execution of unimplemented function `id` x = (- 1) a = {contents= (- 1)} result of `id` = 0 Normal execution of function `(<)` with args: _ = 0 _ = 10 Line 13: Property failure at assertion with: a = {contents= (- 1)} Categorizations of models: - Selected model 0: NC - Concrete RAC: FAILURE (assertion at "bench/check-ce/test_result_ce_value2.mlw", line 15, characters 14-20) - Abstract RAC: FAILURE (assertion at "bench/check-ce/test_result_ce_value2.mlw", line 15, characters 14-20) - Checked model 1: INCOMPLETE - Concrete RAC: INCOMPLETE (terminated because missing value for return value of call to id at "bench/check-ce/test_result_ce_value2.mlw", line 12, characters 5-9) - Abstract RAC: INCOMPLETE (terminated because missing value for return value of call to id at "bench/check-ce/test_result_ce_value2.mlw", line 12, characters 5-9) File "bench/check-ce/test_result_ce_value2.mlw", line 15, characters 14-20: Sub-goal Assertion of goal test2'vc. Prover result is: Unknown or time/memory/step limit. The program does not comply to the verification goal, for example during the following execution: File int.mlw: Line 13: Constant zero initialization zero = 0 Line 14: Constant one initialization one = 1 File test_result_ce_value2.mlw: Line 3: Constant a initialization (giant-step) execution of unimplemented function with args: result = 0 Normal execution of function `ref` with args: contents = 0 Normal execution of function `ref'mk` with args: contents = 0 a = {contents= 0} Line 10: x = 0 x = 0 Execution of main function `test2` with env: a = {contents= 0} x = 0 zero = 0 one = 1 Line 12: (giant-step) execution of unimplemented function `id` x = 0 a = {contents= 42} result of `id` = 43 Normal execution of function `(<)` with args: _ = 43 _ = 10 Line 15: Property failure at assertion with: a = {contents= 42} Categorizations of models: - Selected model 0: NC - Concrete RAC: FAILURE (postcondition at "bench/check-ce/test_result_ce_value2.mlw", line 18, characters 12-19) - Abstract RAC: FAILURE (postcondition at "bench/check-ce/test_result_ce_value2.mlw", line 18, characters 12-19) - Checked model 1: INCOMPLETE - Concrete RAC: INCOMPLETE (terminated because missing value for return value of call to id at "bench/check-ce/test_result_ce_value2.mlw", line 21, characters 5-9) - Abstract RAC: INCOMPLETE (terminated because missing value for return value of call to id at "bench/check-ce/test_result_ce_value2.mlw", line 21, characters 5-9) File "bench/check-ce/test_result_ce_value2.mlw", line 18, characters 12-19: Sub-goal Postcondition of goal test3'vc. Prover result is: Unknown or time/memory/step limit. The program does not comply to the verification goal, for example during the following execution: File int.mlw: Line 13: Constant zero initialization zero = 0 Line 14: Constant one initialization one = 1 File test_result_ce_value2.mlw: Line 3: Constant a initialization (giant-step) execution of unimplemented function with args: result = 0 Normal execution of function `ref` with args: contents = 0 Normal execution of function `ref'mk` with args: contents = 0 a = {contents= 0} Line 17: x = (- 1) x = (- 1) Execution of main function `test3` with env: a = {contents= 0} x = (- 1) zero = 0 one = 1 Line 21: (giant-step) execution of unimplemented function `id` x = (- 1) a = {contents= (- 1)} result of `id` = 0 Normal execution of function `(<)` with args: _ = 0 _ = 100 (giant-step) execution of unimplemented function `id` x = (- 1) a = {contents= 41} result of `id` = 51 Normal execution of function `(>)` with args: x = 51 y = 50 Line 22: Normal execution of function `contents` with args: arg = {contents= 41} Normal execution of function `(+)` with args: _ = 41 _ = 1 Line 18: Property failure at postcondition of `test3` with: a = {contents= 42} why3-1.6.0/bench/check-ce/oracles/test_result_ce_value2_Z3,4.8.10_WP.oracle000066400000000000000000000237761440160026300257740ustar00rootroot00000000000000Categorizations of models: - Selected model 0: NC - Concrete RAC: FAILURE (assertion at "bench/check-ce/test_result_ce_value2.mlw", line 13, characters 14-20) - Abstract RAC: FAILURE (assertion at "bench/check-ce/test_result_ce_value2.mlw", line 13, characters 14-20) - Checked model 1: INCOMPLETE - Concrete RAC: INCOMPLETE (terminated because missing value for return value of call to id at "bench/check-ce/test_result_ce_value2.mlw", line 12, characters 5-9) - Abstract RAC: INCOMPLETE (terminated because missing value for return value of call to id at "bench/check-ce/test_result_ce_value2.mlw", line 12, characters 5-9) File "bench/check-ce/test_result_ce_value2.mlw", line 13, characters 14-20: Sub-goal Assertion of goal test2'vc. Prover result is: Unknown or time/memory/step limit. The program does not comply to the verification goal, for example during the following execution: File int.mlw: Line 13: Constant zero initialization zero = 0 Line 14: Constant one initialization one = 1 File test_result_ce_value2.mlw: Line 3: Constant a initialization (giant-step) execution of unimplemented function with args: result = 0 Normal execution of function `ref` with args: contents = 0 Normal execution of function `ref'mk` with args: contents = 0 a = {contents= 0} Line 10: x = (- 1) x = (- 1) Execution of main function `test2` with env: a = {contents= 0} x = (- 1) zero = 0 one = 1 Line 12: (giant-step) execution of unimplemented function `id` x = (- 1) a = {contents= (- 1)} result of `id` = 0 Normal execution of function `(<)` with args: _ = 0 _ = 10 Line 13: Property failure at assertion with: a = {contents= (- 1)} Categorizations of models: - Selected model 0: NC - Concrete RAC: FAILURE (assertion at "bench/check-ce/test_result_ce_value2.mlw", line 15, characters 14-20) - Abstract RAC: FAILURE (assertion at "bench/check-ce/test_result_ce_value2.mlw", line 15, characters 14-20) - Checked model 1: INCOMPLETE - Concrete RAC: INCOMPLETE (terminated because missing value for return value of call to id at "bench/check-ce/test_result_ce_value2.mlw", line 12, characters 5-9) - Abstract RAC: INCOMPLETE (terminated because missing value for return value of call to id at "bench/check-ce/test_result_ce_value2.mlw", line 12, characters 5-9) File "bench/check-ce/test_result_ce_value2.mlw", line 15, characters 14-20: Sub-goal Assertion of goal test2'vc. Prover result is: Unknown or time/memory/step limit. The program does not comply to the verification goal, for example during the following execution: File int.mlw: Line 13: Constant zero initialization zero = 0 Line 14: Constant one initialization one = 1 File test_result_ce_value2.mlw: Line 3: Constant a initialization (giant-step) execution of unimplemented function with args: result = 0 Normal execution of function `ref` with args: contents = 0 Normal execution of function `ref'mk` with args: contents = 0 a = {contents= 0} Line 10: x = 0 x = 0 Execution of main function `test2` with env: a = {contents= 0} x = 0 zero = 0 one = 1 Line 12: (giant-step) execution of unimplemented function `id` x = 0 a = {contents= 42} result of `id` = 43 Normal execution of function `(<)` with args: _ = 43 _ = 10 Line 15: Property failure at assertion with: a = {contents= 42} Categorizations of models: - Selected model 0: NC - Concrete RAC: FAILURE (postcondition at "bench/check-ce/test_result_ce_value2.mlw", line 18, characters 12-19) - Abstract RAC: FAILURE (postcondition at "bench/check-ce/test_result_ce_value2.mlw", line 18, characters 12-19) - Checked model 1: INCOMPLETE - Concrete RAC: INCOMPLETE (terminated because missing value for return value of call to id at "bench/check-ce/test_result_ce_value2.mlw", line 21, characters 5-9) - Abstract RAC: INCOMPLETE (terminated because missing value for return value of call to id at "bench/check-ce/test_result_ce_value2.mlw", line 21, characters 5-9) File "bench/check-ce/test_result_ce_value2.mlw", line 18, characters 12-19: Sub-goal Postcondition of goal test3'vc. Prover result is: Unknown or time/memory/step limit. The program does not comply to the verification goal, for example during the following execution: File int.mlw: Line 13: Constant zero initialization zero = 0 Line 14: Constant one initialization one = 1 File test_result_ce_value2.mlw: Line 3: Constant a initialization (giant-step) execution of unimplemented function with args: result = 0 Normal execution of function `ref` with args: contents = 0 Normal execution of function `ref'mk` with args: contents = 0 a = {contents= 0} Line 17: x = (- 1) x = (- 1) Execution of main function `test3` with env: a = {contents= 0} x = (- 1) zero = 0 one = 1 Line 21: (giant-step) execution of unimplemented function `id` x = (- 1) a = {contents= (- 1)} result of `id` = 0 Normal execution of function `(<)` with args: _ = 0 _ = 100 (giant-step) execution of unimplemented function `id` x = (- 1) a = {contents= 41} result of `id` = 51 Normal execution of function `(>)` with args: x = 51 y = 50 Line 22: Normal execution of function `contents` with args: arg = {contents= 41} Normal execution of function `(+)` with args: _ = 41 _ = 1 Line 18: Property failure at postcondition of `test3` with: a = {contents= 42} Categorizations of models: - Selected model 0: NC - Concrete RAC: FAILURE (postcondition at "bench/check-ce/test_result_ce_value2.mlw", line 18, characters 12-19) - Abstract RAC: FAILURE (postcondition at "bench/check-ce/test_result_ce_value2.mlw", line 18, characters 12-19) - Checked model 1: INCOMPLETE - Concrete RAC: INCOMPLETE (terminated because missing value for return value of call to id at "bench/check-ce/test_result_ce_value2.mlw", line 21, characters 5-9) - Abstract RAC: INCOMPLETE (terminated because missing value for return value of call to id at "bench/check-ce/test_result_ce_value2.mlw", line 21, characters 5-9) File "bench/check-ce/test_result_ce_value2.mlw", line 18, characters 12-19: Sub-goal Postcondition of goal test3'vc. Prover result is: Unknown or time/memory/step limit. The program does not comply to the verification goal, for example during the following execution: File int.mlw: Line 13: Constant zero initialization zero = 0 Line 14: Constant one initialization one = 1 File test_result_ce_value2.mlw: Line 3: Constant a initialization (giant-step) execution of unimplemented function with args: result = 0 Normal execution of function `ref` with args: contents = 0 Normal execution of function `ref'mk` with args: contents = 0 a = {contents= 0} Line 17: x = (- 1) x = (- 1) Execution of main function `test3` with env: a = {contents= 0} x = (- 1) zero = 0 one = 1 Line 21: (giant-step) execution of unimplemented function `id` x = (- 1) a = {contents= (- 1)} result of `id` = 0 Normal execution of function `(<)` with args: _ = 0 _ = 100 (giant-step) execution of unimplemented function `id` x = (- 1) a = {contents= 40} result of `id` = 41 Normal execution of function `(>)` with args: x = 41 y = 50 Line 24: Normal execution of function `contents` with args: arg = {contents= 40} Normal execution of function `(+)` with args: _ = 40 _ = 2 Line 18: Property failure at postcondition of `test3` with: a = {contents= 42} File "bench/check-ce/test_result_ce_value2.mlw", line 18, characters 12-19: Sub-goal Postcondition of goal test3'vc. Prover result is: Valid. Categorizations of models: - Selected model 0: NC - Concrete RAC: FAILURE (postcondition at "bench/check-ce/test_result_ce_value2.mlw", line 18, characters 12-19) - Abstract RAC: FAILURE (postcondition at "bench/check-ce/test_result_ce_value2.mlw", line 18, characters 12-19) - Checked model 1: INCOMPLETE - Concrete RAC: INCOMPLETE (terminated because missing value for return value of call to id at "bench/check-ce/test_result_ce_value2.mlw", line 21, characters 5-9) - Abstract RAC: INCOMPLETE (terminated because missing value for return value of call to id at "bench/check-ce/test_result_ce_value2.mlw", line 21, characters 5-9) File "bench/check-ce/test_result_ce_value2.mlw", line 18, characters 12-19: Sub-goal Postcondition of goal test3'vc. Prover result is: Unknown or time/memory/step limit. The program does not comply to the verification goal, for example during the following execution: File int.mlw: Line 13: Constant zero initialization zero = 0 Line 14: Constant one initialization one = 1 File test_result_ce_value2.mlw: Line 3: Constant a initialization (giant-step) execution of unimplemented function with args: result = 0 Normal execution of function `ref` with args: contents = 0 Normal execution of function `ref'mk` with args: contents = 0 a = {contents= 0} Line 17: x = 0 x = 0 Execution of main function `test3` with env: a = {contents= 0} x = 0 zero = 0 one = 1 Line 21: (giant-step) execution of unimplemented function `id` x = 0 a = {contents= 40} result of `id` = 100 Normal execution of function `(<)` with args: _ = 100 _ = 100 Unknown location: Normal execution of function `False` with args: File test_result_ce_value2.mlw: Line 24: Normal execution of function `contents` with args: arg = {contents= 40} Normal execution of function `(+)` with args: _ = 40 _ = 2 Line 18: Property failure at postcondition of `test3` with: a = {contents= 42} why3-1.6.0/bench/check-ce/oracles/test_result_ce_value2_Z3,4.8.4_SP.oracle000066400000000000000000002557421440160026300257130ustar00rootroot00000000000000Check model 0 ("bench/check-ce/test_result_ce_value2.mlw", line 13, characters 14-20) Checking model: File test_result_ce_value2.mlw: Line 7: x = {"type": "Integer", "val": "-1"} Line 8: a = {"type": "Record", "val": {"Field": [{"field": "contents", "value": {"type": "Integer", "val": "-1"}}]}} Line 10: x = {"type": "Integer", "val": "-1"} Line 12: a = {"type": "Record", "val": {"Field": [{"field": "contents", "value": {"type": "Integer", "val": "-1"}}]}} result = {"type": "Integer", "val": "0"} Line 13: a = {"type": "Record", "val": {"Field": [{"field": "contents", "value": {"type": "Integer", "val": "-1"}}]}} Giant-step RAC RHS evaluated for global `zero` at "WHY3DATA/stdlib/int.mlw", line 13, characters 15-19: 0 RHS evaluated for global `one` at "WHY3DATA/stdlib/int.mlw", line 14, characters 15-18: 1 Type default value for return value of call at "bench/check-ce/test_result_ce_value2.mlw", line 3, characters 10-15 at "bench/check-ce/test_result_ce_value2.mlw", line 3, characters 10-15: 0 RHS evaluated for global `a` at "bench/check-ce/test_result_ce_value2.mlw", line 3, characters 8-9: {contents= 0} Value from model for parameter `x` at "bench/check-ce/test_result_ce_value2.mlw", line 10, characters 11-12: (-1) Value from model for variable `a` at "bench/check-ce/test_result_ce_value2.mlw", line 12, characters 5-9 at "bench/check-ce/test_result_ce_value2.mlw", line 12, characters 5-9: {contents= (-1)} Value from model for return value of call to id at "bench/check-ce/test_result_ce_value2.mlw", line 12, characters 5-9 at "bench/check-ce/test_result_ce_value2.mlw", line 12, characters 5-9: 0 Normal RAC RHS evaluated for global `zero` at "WHY3DATA/stdlib/int.mlw", line 13, characters 15-19: 0 RHS evaluated for global `one` at "WHY3DATA/stdlib/int.mlw", line 14, characters 15-18: 1 Type default value for return value of call at "bench/check-ce/test_result_ce_value2.mlw", line 3, characters 10-15 at "bench/check-ce/test_result_ce_value2.mlw", line 3, characters 10-15: 0 RHS evaluated for global `a` at "bench/check-ce/test_result_ce_value2.mlw", line 3, characters 8-9: {contents= 0} Value from model for parameter `x` at "bench/check-ce/test_result_ce_value2.mlw", line 10, characters 11-12: (-1) Value from model for variable `a` at "bench/check-ce/test_result_ce_value2.mlw", line 12, characters 5-9 at "bench/check-ce/test_result_ce_value2.mlw", line 12, characters 5-9: {contents= (-1)} Value from model for return value of call to id at "bench/check-ce/test_result_ce_value2.mlw", line 12, characters 5-9 at "bench/check-ce/test_result_ce_value2.mlw", line 12, characters 5-9: 0 Result of checking model 0: NC - Concrete RAC: FAILURE (assertion at "bench/check-ce/test_result_ce_value2.mlw", line 13, characters 14-20) File int.mlw: Line 13: Constant zero initialization zero = 0 Line 14: Constant one initialization one = 1 File test_result_ce_value2.mlw: Line 3: Constant a initialization (giant-step) execution of unimplemented function with args: result = 0 Normal execution of function `ref` with args: contents = 0 Normal execution of function `ref'mk` with args: contents = 0 a = {contents= 0} Line 10: x = (-1) x = (-1) Execution of main function `test2` with env: a = {contents= 0} x = (-1) zero = 0 one = 1 Line 12: (giant-step) execution of unimplemented function `id` x = (-1) a = {contents= (-1)} result of `id` = 0 Normal execution of function `(<)` with args: _ = 0 _ = 10 Line 13: Property failure at assertion with: a = {contents= (-1)} - Abstract RAC: FAILURE (assertion at "bench/check-ce/test_result_ce_value2.mlw", line 13, characters 14-20) File int.mlw: Line 13: Constant zero initialization zero = 0 Line 14: Constant one initialization one = 1 File test_result_ce_value2.mlw: Line 3: Constant a initialization (giant-step) execution of unimplemented function with args: result = 0 Normal execution of function `ref` with args: contents = 0 Normal execution of function `ref'mk` with args: contents = 0 a = {contents= 0} Line 10: x = (-1) x = (-1) Execution of main function `test2` with env: a = {contents= 0} x = (-1) zero = 0 one = 1 Line 12: Giant-step execution of function `id` with args: x = (-1) a = {contents= (-1)} result of `id` = 0 Normal execution of function `(<)` with args: _ = 0 _ = 10 Line 13: Property failure at assertion with: a = {contents= (-1)} Check model 1 ("bench/check-ce/test_result_ce_value2.mlw", line 13, characters 14-20) Checking model: File test_result_ce_value2.mlw: Line 7: x = {"type": "Integer", "val": "-1"} Line 8: a = {"type": "Record", "val": {"Field": [{"field": "contents", "value": {"type": "Integer", "val": "-1"}}]}} Line 10: x = {"type": "Integer", "val": "-1"} Line 12: a = {"type": "Record", "val": {"Field": [{"field": "contents", "value": {"type": "Integer", "val": "-1"}}]}} result = {"type": "Integer", "val": "0"} Line 13: a = {"type": "Record", "val": {"Field": [{"field": "contents", "value": {"type": "Integer", "val": "-1"}}]}} Giant-step RAC RHS evaluated for global `zero` at "WHY3DATA/stdlib/int.mlw", line 13, characters 15-19: 0 RHS evaluated for global `one` at "WHY3DATA/stdlib/int.mlw", line 14, characters 15-18: 1 Type default value for return value of call at "bench/check-ce/test_result_ce_value2.mlw", line 3, characters 10-15 at "bench/check-ce/test_result_ce_value2.mlw", line 3, characters 10-15: 0 RHS evaluated for global `a` at "bench/check-ce/test_result_ce_value2.mlw", line 3, characters 8-9: {contents= 0} Value from model for parameter `x` at "bench/check-ce/test_result_ce_value2.mlw", line 10, characters 11-12: (-1) Value from model for variable `a` at "bench/check-ce/test_result_ce_value2.mlw", line 12, characters 5-9 at "bench/check-ce/test_result_ce_value2.mlw", line 12, characters 5-9: {contents= (-1)} Value from model for return value of call to id at "bench/check-ce/test_result_ce_value2.mlw", line 12, characters 5-9 at "bench/check-ce/test_result_ce_value2.mlw", line 12, characters 5-9: 0 Normal RAC RHS evaluated for global `zero` at "WHY3DATA/stdlib/int.mlw", line 13, characters 15-19: 0 RHS evaluated for global `one` at "WHY3DATA/stdlib/int.mlw", line 14, characters 15-18: 1 Type default value for return value of call at "bench/check-ce/test_result_ce_value2.mlw", line 3, characters 10-15 at "bench/check-ce/test_result_ce_value2.mlw", line 3, characters 10-15: 0 RHS evaluated for global `a` at "bench/check-ce/test_result_ce_value2.mlw", line 3, characters 8-9: {contents= 0} Value from model for parameter `x` at "bench/check-ce/test_result_ce_value2.mlw", line 10, characters 11-12: (-1) Value from model for variable `a` at "bench/check-ce/test_result_ce_value2.mlw", line 12, characters 5-9 at "bench/check-ce/test_result_ce_value2.mlw", line 12, characters 5-9: {contents= (-1)} Value from model for return value of call to id at "bench/check-ce/test_result_ce_value2.mlw", line 12, characters 5-9 at "bench/check-ce/test_result_ce_value2.mlw", line 12, characters 5-9: 0 Result of checking model 1: NC - Concrete RAC: FAILURE (assertion at "bench/check-ce/test_result_ce_value2.mlw", line 13, characters 14-20) File int.mlw: Line 13: Constant zero initialization zero = 0 Line 14: Constant one initialization one = 1 File test_result_ce_value2.mlw: Line 3: Constant a initialization (giant-step) execution of unimplemented function with args: result = 0 Normal execution of function `ref` with args: contents = 0 Normal execution of function `ref'mk` with args: contents = 0 a = {contents= 0} Line 10: x = (-1) x = (-1) Execution of main function `test2` with env: a = {contents= 0} x = (-1) zero = 0 one = 1 Line 12: (giant-step) execution of unimplemented function `id` x = (-1) a = {contents= (-1)} result of `id` = 0 Normal execution of function `(<)` with args: _ = 0 _ = 10 Line 13: Property failure at assertion with: a = {contents= (-1)} - Abstract RAC: FAILURE (assertion at "bench/check-ce/test_result_ce_value2.mlw", line 13, characters 14-20) File int.mlw: Line 13: Constant zero initialization zero = 0 Line 14: Constant one initialization one = 1 File test_result_ce_value2.mlw: Line 3: Constant a initialization (giant-step) execution of unimplemented function with args: result = 0 Normal execution of function `ref` with args: contents = 0 Normal execution of function `ref'mk` with args: contents = 0 a = {contents= 0} Line 10: x = (-1) x = (-1) Execution of main function `test2` with env: a = {contents= 0} x = (-1) zero = 0 one = 1 Line 12: Giant-step execution of function `id` with args: x = (-1) a = {contents= (-1)} result of `id` = 0 Normal execution of function `(<)` with args: _ = 0 _ = 10 Line 13: Property failure at assertion with: a = {contents= (-1)} Results: - Selected model 0: NC - Concrete RAC: FAILURE (assertion at "bench/check-ce/test_result_ce_value2.mlw", line 13, characters 14-20) - Abstract RAC: FAILURE (assertion at "bench/check-ce/test_result_ce_value2.mlw", line 13, characters 14-20) - Checked model 1: NC - Concrete RAC: FAILURE (assertion at "bench/check-ce/test_result_ce_value2.mlw", line 13, characters 14-20) - Abstract RAC: FAILURE (assertion at "bench/check-ce/test_result_ce_value2.mlw", line 13, characters 14-20) File "bench/check-ce/test_result_ce_value2.mlw", line 13, characters 14-20: Sub-goal Assertion of goal test2'vc. Prover result is: Unknown (unknown) (1.25s, 7500000 steps). The program does not comply to the verification goal, for example during the following execution: File int.mlw: Line 13: Constant zero initialization zero = 0 Line 14: Constant one initialization one = 1 File test_result_ce_value2.mlw: Line 3: Constant a initialization (giant-step) execution of unimplemented function with args: result = 0 Normal execution of function `ref` with args: contents = 0 Normal execution of function `ref'mk` with args: contents = 0 a = {contents= 0} Line 10: x = (-1) x = (-1) Execution of main function `test2` with env: a = {contents= 0} x = (-1) zero = 0 one = 1 Line 12: (giant-step) execution of unimplemented function `id` x = (-1) a = {contents= (-1)} result of `id` = 0 Normal execution of function `(<)` with args: _ = 0 _ = 10 Line 13: Property failure at assertion with: a = {contents= (-1)} Check model 0 ("bench/check-ce/test_result_ce_value2.mlw", line 15, characters 14-20) Checking model: File test_result_ce_value2.mlw: Line 7: x = {"type": "Integer", "val": "0"} Line 8: a = {"type": "Record", "val": {"Field": [{"field": "contents", "value": {"type": "Integer", "val": "42"}}]}} Line 10: x = {"type": "Integer", "val": "0"} Line 12: a = {"type": "Record", "val": {"Field": [{"field": "contents", "value": {"type": "Integer", "val": "42"}}]}} result = {"type": "Integer", "val": "43"} Line 15: a = {"type": "Record", "val": {"Field": [{"field": "contents", "value": {"type": "Integer", "val": "42"}}]}} Giant-step RAC RHS evaluated for global `zero` at "WHY3DATA/stdlib/int.mlw", line 13, characters 15-19: 0 RHS evaluated for global `one` at "WHY3DATA/stdlib/int.mlw", line 14, characters 15-18: 1 Type default value for return value of call at "bench/check-ce/test_result_ce_value2.mlw", line 3, characters 10-15 at "bench/check-ce/test_result_ce_value2.mlw", line 3, characters 10-15: 0 RHS evaluated for global `a` at "bench/check-ce/test_result_ce_value2.mlw", line 3, characters 8-9: {contents= 0} Value from model for parameter `x` at "bench/check-ce/test_result_ce_value2.mlw", line 10, characters 11-12: 0 Value from model for variable `a` at "bench/check-ce/test_result_ce_value2.mlw", line 12, characters 5-9 at "bench/check-ce/test_result_ce_value2.mlw", line 12, characters 5-9: {contents= 42} Value from model for return value of call to id at "bench/check-ce/test_result_ce_value2.mlw", line 12, characters 5-9 at "bench/check-ce/test_result_ce_value2.mlw", line 12, characters 5-9: 43 Normal RAC RHS evaluated for global `zero` at "WHY3DATA/stdlib/int.mlw", line 13, characters 15-19: 0 RHS evaluated for global `one` at "WHY3DATA/stdlib/int.mlw", line 14, characters 15-18: 1 Type default value for return value of call at "bench/check-ce/test_result_ce_value2.mlw", line 3, characters 10-15 at "bench/check-ce/test_result_ce_value2.mlw", line 3, characters 10-15: 0 RHS evaluated for global `a` at "bench/check-ce/test_result_ce_value2.mlw", line 3, characters 8-9: {contents= 0} Value from model for parameter `x` at "bench/check-ce/test_result_ce_value2.mlw", line 10, characters 11-12: 0 Value from model for variable `a` at "bench/check-ce/test_result_ce_value2.mlw", line 12, characters 5-9 at "bench/check-ce/test_result_ce_value2.mlw", line 12, characters 5-9: {contents= 42} Value from model for return value of call to id at "bench/check-ce/test_result_ce_value2.mlw", line 12, characters 5-9 at "bench/check-ce/test_result_ce_value2.mlw", line 12, characters 5-9: 43 Result of checking model 0: NC - Concrete RAC: FAILURE (assertion at "bench/check-ce/test_result_ce_value2.mlw", line 15, characters 14-20) File int.mlw: Line 13: Constant zero initialization zero = 0 Line 14: Constant one initialization one = 1 File test_result_ce_value2.mlw: Line 3: Constant a initialization (giant-step) execution of unimplemented function with args: result = 0 Normal execution of function `ref` with args: contents = 0 Normal execution of function `ref'mk` with args: contents = 0 a = {contents= 0} Line 10: x = 0 x = 0 Execution of main function `test2` with env: a = {contents= 0} x = 0 zero = 0 one = 1 Line 12: (giant-step) execution of unimplemented function `id` x = 0 a = {contents= 42} result of `id` = 43 Normal execution of function `(<)` with args: _ = 43 _ = 10 Line 15: Property failure at assertion with: a = {contents= 42} - Abstract RAC: FAILURE (assertion at "bench/check-ce/test_result_ce_value2.mlw", line 15, characters 14-20) File int.mlw: Line 13: Constant zero initialization zero = 0 Line 14: Constant one initialization one = 1 File test_result_ce_value2.mlw: Line 3: Constant a initialization (giant-step) execution of unimplemented function with args: result = 0 Normal execution of function `ref` with args: contents = 0 Normal execution of function `ref'mk` with args: contents = 0 a = {contents= 0} Line 10: x = 0 x = 0 Execution of main function `test2` with env: a = {contents= 0} x = 0 zero = 0 one = 1 Line 12: Giant-step execution of function `id` with args: x = 0 a = {contents= 42} result of `id` = 43 Normal execution of function `(<)` with args: _ = 43 _ = 10 Line 15: Property failure at assertion with: a = {contents= 42} Check model 1 ("bench/check-ce/test_result_ce_value2.mlw", line 15, characters 14-20) Checking model: File test_result_ce_value2.mlw: Line 7: x = {"type": "Integer", "val": "0"} Line 8: a = {"type": "Record", "val": {"Field": [{"field": "contents", "value": {"type": "Integer", "val": "42"}}]}} Line 10: x = {"type": "Integer", "val": "0"} Line 12: a = {"type": "Record", "val": {"Field": [{"field": "contents", "value": {"type": "Integer", "val": "42"}}]}} result = {"type": "Integer", "val": "43"} Line 15: a = {"type": "Record", "val": {"Field": [{"field": "contents", "value": {"type": "Integer", "val": "42"}}]}} Giant-step RAC RHS evaluated for global `zero` at "WHY3DATA/stdlib/int.mlw", line 13, characters 15-19: 0 RHS evaluated for global `one` at "WHY3DATA/stdlib/int.mlw", line 14, characters 15-18: 1 Type default value for return value of call at "bench/check-ce/test_result_ce_value2.mlw", line 3, characters 10-15 at "bench/check-ce/test_result_ce_value2.mlw", line 3, characters 10-15: 0 RHS evaluated for global `a` at "bench/check-ce/test_result_ce_value2.mlw", line 3, characters 8-9: {contents= 0} Value from model for parameter `x` at "bench/check-ce/test_result_ce_value2.mlw", line 10, characters 11-12: 0 Value from model for variable `a` at "bench/check-ce/test_result_ce_value2.mlw", line 12, characters 5-9 at "bench/check-ce/test_result_ce_value2.mlw", line 12, characters 5-9: {contents= 42} Value from model for return value of call to id at "bench/check-ce/test_result_ce_value2.mlw", line 12, characters 5-9 at "bench/check-ce/test_result_ce_value2.mlw", line 12, characters 5-9: 43 Normal RAC RHS evaluated for global `zero` at "WHY3DATA/stdlib/int.mlw", line 13, characters 15-19: 0 RHS evaluated for global `one` at "WHY3DATA/stdlib/int.mlw", line 14, characters 15-18: 1 Type default value for return value of call at "bench/check-ce/test_result_ce_value2.mlw", line 3, characters 10-15 at "bench/check-ce/test_result_ce_value2.mlw", line 3, characters 10-15: 0 RHS evaluated for global `a` at "bench/check-ce/test_result_ce_value2.mlw", line 3, characters 8-9: {contents= 0} Value from model for parameter `x` at "bench/check-ce/test_result_ce_value2.mlw", line 10, characters 11-12: 0 Value from model for variable `a` at "bench/check-ce/test_result_ce_value2.mlw", line 12, characters 5-9 at "bench/check-ce/test_result_ce_value2.mlw", line 12, characters 5-9: {contents= 42} Value from model for return value of call to id at "bench/check-ce/test_result_ce_value2.mlw", line 12, characters 5-9 at "bench/check-ce/test_result_ce_value2.mlw", line 12, characters 5-9: 43 Result of checking model 1: NC - Concrete RAC: FAILURE (assertion at "bench/check-ce/test_result_ce_value2.mlw", line 15, characters 14-20) File int.mlw: Line 13: Constant zero initialization zero = 0 Line 14: Constant one initialization one = 1 File test_result_ce_value2.mlw: Line 3: Constant a initialization (giant-step) execution of unimplemented function with args: result = 0 Normal execution of function `ref` with args: contents = 0 Normal execution of function `ref'mk` with args: contents = 0 a = {contents= 0} Line 10: x = 0 x = 0 Execution of main function `test2` with env: a = {contents= 0} x = 0 zero = 0 one = 1 Line 12: (giant-step) execution of unimplemented function `id` x = 0 a = {contents= 42} result of `id` = 43 Normal execution of function `(<)` with args: _ = 43 _ = 10 Line 15: Property failure at assertion with: a = {contents= 42} - Abstract RAC: FAILURE (assertion at "bench/check-ce/test_result_ce_value2.mlw", line 15, characters 14-20) File int.mlw: Line 13: Constant zero initialization zero = 0 Line 14: Constant one initialization one = 1 File test_result_ce_value2.mlw: Line 3: Constant a initialization (giant-step) execution of unimplemented function with args: result = 0 Normal execution of function `ref` with args: contents = 0 Normal execution of function `ref'mk` with args: contents = 0 a = {contents= 0} Line 10: x = 0 x = 0 Execution of main function `test2` with env: a = {contents= 0} x = 0 zero = 0 one = 1 Line 12: Giant-step execution of function `id` with args: x = 0 a = {contents= 42} result of `id` = 43 Normal execution of function `(<)` with args: _ = 43 _ = 10 Line 15: Property failure at assertion with: a = {contents= 42} Results: - Selected model 0: NC - Concrete RAC: FAILURE (assertion at "bench/check-ce/test_result_ce_value2.mlw", line 15, characters 14-20) - Abstract RAC: FAILURE (assertion at "bench/check-ce/test_result_ce_value2.mlw", line 15, characters 14-20) - Checked model 1: NC - Concrete RAC: FAILURE (assertion at "bench/check-ce/test_result_ce_value2.mlw", line 15, characters 14-20) - Abstract RAC: FAILURE (assertion at "bench/check-ce/test_result_ce_value2.mlw", line 15, characters 14-20) File "bench/check-ce/test_result_ce_value2.mlw", line 15, characters 14-20: Sub-goal Assertion of goal test2'vc. Prover result is: Unknown (unknown) (1.28s, 7500000 steps). The program does not comply to the verification goal, for example during the following execution: File int.mlw: Line 13: Constant zero initialization zero = 0 Line 14: Constant one initialization one = 1 File test_result_ce_value2.mlw: Line 3: Constant a initialization (giant-step) execution of unimplemented function with args: result = 0 Normal execution of function `ref` with args: contents = 0 Normal execution of function `ref'mk` with args: contents = 0 a = {contents= 0} Line 10: x = 0 x = 0 Execution of main function `test2` with env: a = {contents= 0} x = 0 zero = 0 one = 1 Line 12: (giant-step) execution of unimplemented function `id` x = 0 a = {contents= 42} result of `id` = 43 Normal execution of function `(<)` with args: _ = 43 _ = 10 Line 15: Property failure at assertion with: a = {contents= 42} Check model 0 ("bench/check-ce/test_result_ce_value2.mlw", line 18, characters 12-19) Checking model: File test_result_ce_value2.mlw: Line 7: x = {"type": "Integer", "val": "-1"} Line 8: a = {"type": "Record", "val": {"Field": [{"field": "contents", "value": {"type": "Integer", "val": "41"}}]}} Line 17: x = {"type": "Integer", "val": "-1"} Line 18: a = {"type": "Record", "val": {"Field": [{"field": "contents", "value": {"type": "Integer", "val": "42"}}]}} a = {"type": "Record", "val": {"Field": [{"field": "contents", "value": {"type": "Integer", "val": "42"}}]}} Line 21: a = {"type": "Record", "val": {"Field": [{"field": "contents", "value": {"type": "Integer", "val": "-1"}}]}} a = {"type": "Record", "val": {"Field": [{"field": "contents", "value": {"type": "Integer", "val": "41"}}]}} result = {"type": "Integer", "val": "51"} result = {"type": "Integer", "val": "0"} Line 22: a = {"type": "Record", "val": {"Field": [{"field": "contents", "value": {"type": "Integer", "val": "42"}}]}} Giant-step RAC RHS evaluated for global `zero` at "WHY3DATA/stdlib/int.mlw", line 13, characters 15-19: 0 RHS evaluated for global `one` at "WHY3DATA/stdlib/int.mlw", line 14, characters 15-18: 1 Type default value for return value of call at "bench/check-ce/test_result_ce_value2.mlw", line 3, characters 10-15 at "bench/check-ce/test_result_ce_value2.mlw", line 3, characters 10-15: 0 RHS evaluated for global `a` at "bench/check-ce/test_result_ce_value2.mlw", line 3, characters 8-9: {contents= 0} Value from model for parameter `x` at "bench/check-ce/test_result_ce_value2.mlw", line 17, characters 11-12: (-1) Value from model for variable `a` at "bench/check-ce/test_result_ce_value2.mlw", line 21, characters 5-9 at "bench/check-ce/test_result_ce_value2.mlw", line 21, characters 5-9: {contents= (-1)} Value from model for return value of call to id at "bench/check-ce/test_result_ce_value2.mlw", line 21, characters 5-9 at "bench/check-ce/test_result_ce_value2.mlw", line 21, characters 5-9: 0 Value from model for variable `a` at "bench/check-ce/test_result_ce_value2.mlw", line 21, characters 19-23 at "bench/check-ce/test_result_ce_value2.mlw", line 21, characters 19-23: {contents= 41} Value from model for return value of call to id at "bench/check-ce/test_result_ce_value2.mlw", line 21, characters 19-23 at "bench/check-ce/test_result_ce_value2.mlw", line 21, characters 19-23: 51 Normal RAC RHS evaluated for global `zero` at "WHY3DATA/stdlib/int.mlw", line 13, characters 15-19: 0 RHS evaluated for global `one` at "WHY3DATA/stdlib/int.mlw", line 14, characters 15-18: 1 Type default value for return value of call at "bench/check-ce/test_result_ce_value2.mlw", line 3, characters 10-15 at "bench/check-ce/test_result_ce_value2.mlw", line 3, characters 10-15: 0 RHS evaluated for global `a` at "bench/check-ce/test_result_ce_value2.mlw", line 3, characters 8-9: {contents= 0} Value from model for parameter `x` at "bench/check-ce/test_result_ce_value2.mlw", line 17, characters 11-12: (-1) Value from model for variable `a` at "bench/check-ce/test_result_ce_value2.mlw", line 21, characters 5-9 at "bench/check-ce/test_result_ce_value2.mlw", line 21, characters 5-9: {contents= (-1)} Value from model for return value of call to id at "bench/check-ce/test_result_ce_value2.mlw", line 21, characters 5-9 at "bench/check-ce/test_result_ce_value2.mlw", line 21, characters 5-9: 0 Value from model for variable `a` at "bench/check-ce/test_result_ce_value2.mlw", line 21, characters 19-23 at "bench/check-ce/test_result_ce_value2.mlw", line 21, characters 19-23: {contents= 41} Value from model for return value of call to id at "bench/check-ce/test_result_ce_value2.mlw", line 21, characters 19-23 at "bench/check-ce/test_result_ce_value2.mlw", line 21, characters 19-23: 51 Result of checking model 0: NC - Concrete RAC: FAILURE (postcondition at "bench/check-ce/test_result_ce_value2.mlw", line 18, characters 12-19) File int.mlw: Line 13: Constant zero initialization zero = 0 Line 14: Constant one initialization one = 1 File test_result_ce_value2.mlw: Line 3: Constant a initialization (giant-step) execution of unimplemented function with args: result = 0 Normal execution of function `ref` with args: contents = 0 Normal execution of function `ref'mk` with args: contents = 0 a = {contents= 0} Line 17: x = (-1) x = (-1) Execution of main function `test3` with env: a = {contents= 0} x = (-1) zero = 0 one = 1 Line 21: (giant-step) execution of unimplemented function `id` x = (-1) a = {contents= (-1)} result of `id` = 0 Normal execution of function `(<)` with args: _ = 0 _ = 100 (giant-step) execution of unimplemented function `id` x = (-1) a = {contents= 41} result of `id` = 51 Normal execution of function `(>)` with args: x = 51 y = 50 Line 22: Normal execution of function `contents` with args: arg = {contents= 41} Normal execution of function `(+)` with args: _ = 41 _ = 1 Line 18: Property failure at postcondition of `test3` with: a = {contents= 42} - Abstract RAC: FAILURE (postcondition at "bench/check-ce/test_result_ce_value2.mlw", line 18, characters 12-19) File int.mlw: Line 13: Constant zero initialization zero = 0 Line 14: Constant one initialization one = 1 File test_result_ce_value2.mlw: Line 3: Constant a initialization (giant-step) execution of unimplemented function with args: result = 0 Normal execution of function `ref` with args: contents = 0 Normal execution of function `ref'mk` with args: contents = 0 a = {contents= 0} Line 17: x = (-1) x = (-1) Execution of main function `test3` with env: a = {contents= 0} x = (-1) zero = 0 one = 1 Line 21: Giant-step execution of function `id` with args: x = (-1) a = {contents= (-1)} result of `id` = 0 Normal execution of function `(<)` with args: _ = 0 _ = 100 Giant-step execution of function `id` with args: x = (-1) a = {contents= 41} result of `id` = 51 Normal execution of function `(>)` with args: x = 51 y = 50 Line 22: Normal execution of function `contents` with args: arg = {contents= 41} Normal execution of function `(+)` with args: _ = 41 _ = 1 Line 18: Property failure at postcondition of `test3` with: a = {contents= 42} Check model 1 ("bench/check-ce/test_result_ce_value2.mlw", line 18, characters 12-19) Checking model: File test_result_ce_value2.mlw: Line 7: x = {"type": "Integer", "val": "-1"} Line 8: a = {"type": "Record", "val": {"Field": [{"field": "contents", "value": {"type": "Integer", "val": "41"}}]}} Line 17: x = {"type": "Integer", "val": "-1"} Line 18: a = {"type": "Record", "val": {"Field": [{"field": "contents", "value": {"type": "Integer", "val": "42"}}]}} a = {"type": "Record", "val": {"Field": [{"field": "contents", "value": {"type": "Integer", "val": "42"}}]}} Line 21: a = {"type": "Record", "val": {"Field": [{"field": "contents", "value": {"type": "Integer", "val": "-1"}}]}} a = {"type": "Record", "val": {"Field": [{"field": "contents", "value": {"type": "Integer", "val": "41"}}]}} result = {"type": "Integer", "val": "51"} result = {"type": "Integer", "val": "0"} Line 22: a = {"type": "Record", "val": {"Field": [{"field": "contents", "value": {"type": "Integer", "val": "42"}}]}} Giant-step RAC RHS evaluated for global `zero` at "WHY3DATA/stdlib/int.mlw", line 13, characters 15-19: 0 RHS evaluated for global `one` at "WHY3DATA/stdlib/int.mlw", line 14, characters 15-18: 1 Type default value for return value of call at "bench/check-ce/test_result_ce_value2.mlw", line 3, characters 10-15 at "bench/check-ce/test_result_ce_value2.mlw", line 3, characters 10-15: 0 RHS evaluated for global `a` at "bench/check-ce/test_result_ce_value2.mlw", line 3, characters 8-9: {contents= 0} Value from model for parameter `x` at "bench/check-ce/test_result_ce_value2.mlw", line 17, characters 11-12: (-1) Value from model for variable `a` at "bench/check-ce/test_result_ce_value2.mlw", line 21, characters 5-9 at "bench/check-ce/test_result_ce_value2.mlw", line 21, characters 5-9: {contents= (-1)} Value from model for return value of call to id at "bench/check-ce/test_result_ce_value2.mlw", line 21, characters 5-9 at "bench/check-ce/test_result_ce_value2.mlw", line 21, characters 5-9: 0 Value from model for variable `a` at "bench/check-ce/test_result_ce_value2.mlw", line 21, characters 19-23 at "bench/check-ce/test_result_ce_value2.mlw", line 21, characters 19-23: {contents= 41} Value from model for return value of call to id at "bench/check-ce/test_result_ce_value2.mlw", line 21, characters 19-23 at "bench/check-ce/test_result_ce_value2.mlw", line 21, characters 19-23: 51 Normal RAC RHS evaluated for global `zero` at "WHY3DATA/stdlib/int.mlw", line 13, characters 15-19: 0 RHS evaluated for global `one` at "WHY3DATA/stdlib/int.mlw", line 14, characters 15-18: 1 Type default value for return value of call at "bench/check-ce/test_result_ce_value2.mlw", line 3, characters 10-15 at "bench/check-ce/test_result_ce_value2.mlw", line 3, characters 10-15: 0 RHS evaluated for global `a` at "bench/check-ce/test_result_ce_value2.mlw", line 3, characters 8-9: {contents= 0} Value from model for parameter `x` at "bench/check-ce/test_result_ce_value2.mlw", line 17, characters 11-12: (-1) Value from model for variable `a` at "bench/check-ce/test_result_ce_value2.mlw", line 21, characters 5-9 at "bench/check-ce/test_result_ce_value2.mlw", line 21, characters 5-9: {contents= (-1)} Value from model for return value of call to id at "bench/check-ce/test_result_ce_value2.mlw", line 21, characters 5-9 at "bench/check-ce/test_result_ce_value2.mlw", line 21, characters 5-9: 0 Value from model for variable `a` at "bench/check-ce/test_result_ce_value2.mlw", line 21, characters 19-23 at "bench/check-ce/test_result_ce_value2.mlw", line 21, characters 19-23: {contents= 41} Value from model for return value of call to id at "bench/check-ce/test_result_ce_value2.mlw", line 21, characters 19-23 at "bench/check-ce/test_result_ce_value2.mlw", line 21, characters 19-23: 51 Result of checking model 1: NC - Concrete RAC: FAILURE (postcondition at "bench/check-ce/test_result_ce_value2.mlw", line 18, characters 12-19) File int.mlw: Line 13: Constant zero initialization zero = 0 Line 14: Constant one initialization one = 1 File test_result_ce_value2.mlw: Line 3: Constant a initialization (giant-step) execution of unimplemented function with args: result = 0 Normal execution of function `ref` with args: contents = 0 Normal execution of function `ref'mk` with args: contents = 0 a = {contents= 0} Line 17: x = (-1) x = (-1) Execution of main function `test3` with env: a = {contents= 0} x = (-1) zero = 0 one = 1 Line 21: (giant-step) execution of unimplemented function `id` x = (-1) a = {contents= (-1)} result of `id` = 0 Normal execution of function `(<)` with args: _ = 0 _ = 100 (giant-step) execution of unimplemented function `id` x = (-1) a = {contents= 41} result of `id` = 51 Normal execution of function `(>)` with args: x = 51 y = 50 Line 22: Normal execution of function `contents` with args: arg = {contents= 41} Normal execution of function `(+)` with args: _ = 41 _ = 1 Line 18: Property failure at postcondition of `test3` with: a = {contents= 42} - Abstract RAC: FAILURE (postcondition at "bench/check-ce/test_result_ce_value2.mlw", line 18, characters 12-19) File int.mlw: Line 13: Constant zero initialization zero = 0 Line 14: Constant one initialization one = 1 File test_result_ce_value2.mlw: Line 3: Constant a initialization (giant-step) execution of unimplemented function with args: result = 0 Normal execution of function `ref` with args: contents = 0 Normal execution of function `ref'mk` with args: contents = 0 a = {contents= 0} Line 17: x = (-1) x = (-1) Execution of main function `test3` with env: a = {contents= 0} x = (-1) zero = 0 one = 1 Line 21: Giant-step execution of function `id` with args: x = (-1) a = {contents= (-1)} result of `id` = 0 Normal execution of function `(<)` with args: _ = 0 _ = 100 Giant-step execution of function `id` with args: x = (-1) a = {contents= 41} result of `id` = 51 Normal execution of function `(>)` with args: x = 51 y = 50 Line 22: Normal execution of function `contents` with args: arg = {contents= 41} Normal execution of function `(+)` with args: _ = 41 _ = 1 Line 18: Property failure at postcondition of `test3` with: a = {contents= 42} Results: - Selected model 0: NC - Concrete RAC: FAILURE (postcondition at "bench/check-ce/test_result_ce_value2.mlw", line 18, characters 12-19) - Abstract RAC: FAILURE (postcondition at "bench/check-ce/test_result_ce_value2.mlw", line 18, characters 12-19) - Checked model 1: NC - Concrete RAC: FAILURE (postcondition at "bench/check-ce/test_result_ce_value2.mlw", line 18, characters 12-19) - Abstract RAC: FAILURE (postcondition at "bench/check-ce/test_result_ce_value2.mlw", line 18, characters 12-19) File "bench/check-ce/test_result_ce_value2.mlw", line 18, characters 12-19: Sub-goal Postcondition of goal test3'vc. Prover result is: Unknown (unknown) (1.23s, 7500000 steps). The program does not comply to the verification goal, for example during the following execution: File int.mlw: Line 13: Constant zero initialization zero = 0 Line 14: Constant one initialization one = 1 File test_result_ce_value2.mlw: Line 3: Constant a initialization (giant-step) execution of unimplemented function with args: result = 0 Normal execution of function `ref` with args: contents = 0 Normal execution of function `ref'mk` with args: contents = 0 a = {contents= 0} Line 17: x = (-1) x = (-1) Execution of main function `test3` with env: a = {contents= 0} x = (-1) zero = 0 one = 1 Line 21: (giant-step) execution of unimplemented function `id` x = (-1) a = {contents= (-1)} result of `id` = 0 Normal execution of function `(<)` with args: _ = 0 _ = 100 (giant-step) execution of unimplemented function `id` x = (-1) a = {contents= 41} result of `id` = 51 Normal execution of function `(>)` with args: x = 51 y = 50 Line 22: Normal execution of function `contents` with args: arg = {contents= 41} Normal execution of function `(+)` with args: _ = 41 _ = 1 Line 18: Property failure at postcondition of `test3` with: a = {contents= 42} Check model 0 ("bench/check-ce/test_result_ce_value2.mlw", line 18, characters 12-19) Checking model: File test_result_ce_value2.mlw: Line 7: x = {"type": "Integer", "val": "-1"} Line 8: a = {"type": "Record", "val": {"Field": [{"field": "contents", "value": {"type": "Integer", "val": "40"}}]}} Line 17: x = {"type": "Integer", "val": "-1"} Line 18: a = {"type": "Record", "val": {"Field": [{"field": "contents", "value": {"type": "Integer", "val": "42"}}]}} a = {"type": "Record", "val": {"Field": [{"field": "contents", "value": {"type": "Integer", "val": "42"}}]}} Line 21: a = {"type": "Record", "val": {"Field": [{"field": "contents", "value": {"type": "Integer", "val": "-1"}}]}} a = {"type": "Record", "val": {"Field": [{"field": "contents", "value": {"type": "Integer", "val": "40"}}]}} result = {"type": "Integer", "val": "41"} result = {"type": "Integer", "val": "0"} Line 24: a = {"type": "Record", "val": {"Field": [{"field": "contents", "value": {"type": "Integer", "val": "42"}}]}} Giant-step RAC RHS evaluated for global `zero` at "WHY3DATA/stdlib/int.mlw", line 13, characters 15-19: 0 RHS evaluated for global `one` at "WHY3DATA/stdlib/int.mlw", line 14, characters 15-18: 1 Type default value for return value of call at "bench/check-ce/test_result_ce_value2.mlw", line 3, characters 10-15 at "bench/check-ce/test_result_ce_value2.mlw", line 3, characters 10-15: 0 RHS evaluated for global `a` at "bench/check-ce/test_result_ce_value2.mlw", line 3, characters 8-9: {contents= 0} Value from model for parameter `x` at "bench/check-ce/test_result_ce_value2.mlw", line 17, characters 11-12: (-1) Value from model for variable `a` at "bench/check-ce/test_result_ce_value2.mlw", line 21, characters 5-9 at "bench/check-ce/test_result_ce_value2.mlw", line 21, characters 5-9: {contents= (-1)} Value from model for return value of call to id at "bench/check-ce/test_result_ce_value2.mlw", line 21, characters 5-9 at "bench/check-ce/test_result_ce_value2.mlw", line 21, characters 5-9: 0 Value from model for variable `a` at "bench/check-ce/test_result_ce_value2.mlw", line 21, characters 19-23 at "bench/check-ce/test_result_ce_value2.mlw", line 21, characters 19-23: {contents= 40} Value from model for return value of call to id at "bench/check-ce/test_result_ce_value2.mlw", line 21, characters 19-23 at "bench/check-ce/test_result_ce_value2.mlw", line 21, characters 19-23: 41 Normal RAC RHS evaluated for global `zero` at "WHY3DATA/stdlib/int.mlw", line 13, characters 15-19: 0 RHS evaluated for global `one` at "WHY3DATA/stdlib/int.mlw", line 14, characters 15-18: 1 Type default value for return value of call at "bench/check-ce/test_result_ce_value2.mlw", line 3, characters 10-15 at "bench/check-ce/test_result_ce_value2.mlw", line 3, characters 10-15: 0 RHS evaluated for global `a` at "bench/check-ce/test_result_ce_value2.mlw", line 3, characters 8-9: {contents= 0} Value from model for parameter `x` at "bench/check-ce/test_result_ce_value2.mlw", line 17, characters 11-12: (-1) Value from model for variable `a` at "bench/check-ce/test_result_ce_value2.mlw", line 21, characters 5-9 at "bench/check-ce/test_result_ce_value2.mlw", line 21, characters 5-9: {contents= (-1)} Value from model for return value of call to id at "bench/check-ce/test_result_ce_value2.mlw", line 21, characters 5-9 at "bench/check-ce/test_result_ce_value2.mlw", line 21, characters 5-9: 0 Value from model for variable `a` at "bench/check-ce/test_result_ce_value2.mlw", line 21, characters 19-23 at "bench/check-ce/test_result_ce_value2.mlw", line 21, characters 19-23: {contents= 40} Value from model for return value of call to id at "bench/check-ce/test_result_ce_value2.mlw", line 21, characters 19-23 at "bench/check-ce/test_result_ce_value2.mlw", line 21, characters 19-23: 41 Result of checking model 0: NC - Concrete RAC: FAILURE (postcondition at "bench/check-ce/test_result_ce_value2.mlw", line 18, characters 12-19) File int.mlw: Line 13: Constant zero initialization zero = 0 Line 14: Constant one initialization one = 1 File test_result_ce_value2.mlw: Line 3: Constant a initialization (giant-step) execution of unimplemented function with args: result = 0 Normal execution of function `ref` with args: contents = 0 Normal execution of function `ref'mk` with args: contents = 0 a = {contents= 0} Line 17: x = (-1) x = (-1) Execution of main function `test3` with env: a = {contents= 0} x = (-1) zero = 0 one = 1 Line 21: (giant-step) execution of unimplemented function `id` x = (-1) a = {contents= (-1)} result of `id` = 0 Normal execution of function `(<)` with args: _ = 0 _ = 100 (giant-step) execution of unimplemented function `id` x = (-1) a = {contents= 40} result of `id` = 41 Normal execution of function `(>)` with args: x = 41 y = 50 Line 24: Normal execution of function `contents` with args: arg = {contents= 40} Normal execution of function `(+)` with args: _ = 40 _ = 2 Line 18: Property failure at postcondition of `test3` with: a = {contents= 42} - Abstract RAC: FAILURE (postcondition at "bench/check-ce/test_result_ce_value2.mlw", line 18, characters 12-19) File int.mlw: Line 13: Constant zero initialization zero = 0 Line 14: Constant one initialization one = 1 File test_result_ce_value2.mlw: Line 3: Constant a initialization (giant-step) execution of unimplemented function with args: result = 0 Normal execution of function `ref` with args: contents = 0 Normal execution of function `ref'mk` with args: contents = 0 a = {contents= 0} Line 17: x = (-1) x = (-1) Execution of main function `test3` with env: a = {contents= 0} x = (-1) zero = 0 one = 1 Line 21: Giant-step execution of function `id` with args: x = (-1) a = {contents= (-1)} result of `id` = 0 Normal execution of function `(<)` with args: _ = 0 _ = 100 Giant-step execution of function `id` with args: x = (-1) a = {contents= 40} result of `id` = 41 Normal execution of function `(>)` with args: x = 41 y = 50 Line 24: Normal execution of function `contents` with args: arg = {contents= 40} Normal execution of function `(+)` with args: _ = 40 _ = 2 Line 18: Property failure at postcondition of `test3` with: a = {contents= 42} Check model 1 ("bench/check-ce/test_result_ce_value2.mlw", line 18, characters 12-19) Checking model: File test_result_ce_value2.mlw: Line 7: x = {"type": "Integer", "val": "-1"} Line 8: a = {"type": "Record", "val": {"Field": [{"field": "contents", "value": {"type": "Integer", "val": "40"}}]}} Line 17: x = {"type": "Integer", "val": "-1"} Line 18: a = {"type": "Record", "val": {"Field": [{"field": "contents", "value": {"type": "Integer", "val": "42"}}]}} a = {"type": "Record", "val": {"Field": [{"field": "contents", "value": {"type": "Integer", "val": "42"}}]}} Line 21: a = {"type": "Record", "val": {"Field": [{"field": "contents", "value": {"type": "Integer", "val": "-1"}}]}} a = {"type": "Record", "val": {"Field": [{"field": "contents", "value": {"type": "Integer", "val": "40"}}]}} result = {"type": "Integer", "val": "41"} result = {"type": "Integer", "val": "0"} Line 24: a = {"type": "Record", "val": {"Field": [{"field": "contents", "value": {"type": "Integer", "val": "42"}}]}} Giant-step RAC RHS evaluated for global `zero` at "WHY3DATA/stdlib/int.mlw", line 13, characters 15-19: 0 RHS evaluated for global `one` at "WHY3DATA/stdlib/int.mlw", line 14, characters 15-18: 1 Type default value for return value of call at "bench/check-ce/test_result_ce_value2.mlw", line 3, characters 10-15 at "bench/check-ce/test_result_ce_value2.mlw", line 3, characters 10-15: 0 RHS evaluated for global `a` at "bench/check-ce/test_result_ce_value2.mlw", line 3, characters 8-9: {contents= 0} Value from model for parameter `x` at "bench/check-ce/test_result_ce_value2.mlw", line 17, characters 11-12: (-1) Value from model for variable `a` at "bench/check-ce/test_result_ce_value2.mlw", line 21, characters 5-9 at "bench/check-ce/test_result_ce_value2.mlw", line 21, characters 5-9: {contents= (-1)} Value from model for return value of call to id at "bench/check-ce/test_result_ce_value2.mlw", line 21, characters 5-9 at "bench/check-ce/test_result_ce_value2.mlw", line 21, characters 5-9: 0 Value from model for variable `a` at "bench/check-ce/test_result_ce_value2.mlw", line 21, characters 19-23 at "bench/check-ce/test_result_ce_value2.mlw", line 21, characters 19-23: {contents= 40} Value from model for return value of call to id at "bench/check-ce/test_result_ce_value2.mlw", line 21, characters 19-23 at "bench/check-ce/test_result_ce_value2.mlw", line 21, characters 19-23: 41 Normal RAC RHS evaluated for global `zero` at "WHY3DATA/stdlib/int.mlw", line 13, characters 15-19: 0 RHS evaluated for global `one` at "WHY3DATA/stdlib/int.mlw", line 14, characters 15-18: 1 Type default value for return value of call at "bench/check-ce/test_result_ce_value2.mlw", line 3, characters 10-15 at "bench/check-ce/test_result_ce_value2.mlw", line 3, characters 10-15: 0 RHS evaluated for global `a` at "bench/check-ce/test_result_ce_value2.mlw", line 3, characters 8-9: {contents= 0} Value from model for parameter `x` at "bench/check-ce/test_result_ce_value2.mlw", line 17, characters 11-12: (-1) Value from model for variable `a` at "bench/check-ce/test_result_ce_value2.mlw", line 21, characters 5-9 at "bench/check-ce/test_result_ce_value2.mlw", line 21, characters 5-9: {contents= (-1)} Value from model for return value of call to id at "bench/check-ce/test_result_ce_value2.mlw", line 21, characters 5-9 at "bench/check-ce/test_result_ce_value2.mlw", line 21, characters 5-9: 0 Value from model for variable `a` at "bench/check-ce/test_result_ce_value2.mlw", line 21, characters 19-23 at "bench/check-ce/test_result_ce_value2.mlw", line 21, characters 19-23: {contents= 40} Value from model for return value of call to id at "bench/check-ce/test_result_ce_value2.mlw", line 21, characters 19-23 at "bench/check-ce/test_result_ce_value2.mlw", line 21, characters 19-23: 41 Result of checking model 1: NC - Concrete RAC: FAILURE (postcondition at "bench/check-ce/test_result_ce_value2.mlw", line 18, characters 12-19) File int.mlw: Line 13: Constant zero initialization zero = 0 Line 14: Constant one initialization one = 1 File test_result_ce_value2.mlw: Line 3: Constant a initialization (giant-step) execution of unimplemented function with args: result = 0 Normal execution of function `ref` with args: contents = 0 Normal execution of function `ref'mk` with args: contents = 0 a = {contents= 0} Line 17: x = (-1) x = (-1) Execution of main function `test3` with env: a = {contents= 0} x = (-1) zero = 0 one = 1 Line 21: (giant-step) execution of unimplemented function `id` x = (-1) a = {contents= (-1)} result of `id` = 0 Normal execution of function `(<)` with args: _ = 0 _ = 100 (giant-step) execution of unimplemented function `id` x = (-1) a = {contents= 40} result of `id` = 41 Normal execution of function `(>)` with args: x = 41 y = 50 Line 24: Normal execution of function `contents` with args: arg = {contents= 40} Normal execution of function `(+)` with args: _ = 40 _ = 2 Line 18: Property failure at postcondition of `test3` with: a = {contents= 42} - Abstract RAC: FAILURE (postcondition at "bench/check-ce/test_result_ce_value2.mlw", line 18, characters 12-19) File int.mlw: Line 13: Constant zero initialization zero = 0 Line 14: Constant one initialization one = 1 File test_result_ce_value2.mlw: Line 3: Constant a initialization (giant-step) execution of unimplemented function with args: result = 0 Normal execution of function `ref` with args: contents = 0 Normal execution of function `ref'mk` with args: contents = 0 a = {contents= 0} Line 17: x = (-1) x = (-1) Execution of main function `test3` with env: a = {contents= 0} x = (-1) zero = 0 one = 1 Line 21: Giant-step execution of function `id` with args: x = (-1) a = {contents= (-1)} result of `id` = 0 Normal execution of function `(<)` with args: _ = 0 _ = 100 Giant-step execution of function `id` with args: x = (-1) a = {contents= 40} result of `id` = 41 Normal execution of function `(>)` with args: x = 41 y = 50 Line 24: Normal execution of function `contents` with args: arg = {contents= 40} Normal execution of function `(+)` with args: _ = 40 _ = 2 Line 18: Property failure at postcondition of `test3` with: a = {contents= 42} Results: - Selected model 0: NC - Concrete RAC: FAILURE (postcondition at "bench/check-ce/test_result_ce_value2.mlw", line 18, characters 12-19) - Abstract RAC: FAILURE (postcondition at "bench/check-ce/test_result_ce_value2.mlw", line 18, characters 12-19) - Checked model 1: NC - Concrete RAC: FAILURE (postcondition at "bench/check-ce/test_result_ce_value2.mlw", line 18, characters 12-19) - Abstract RAC: FAILURE (postcondition at "bench/check-ce/test_result_ce_value2.mlw", line 18, characters 12-19) File "bench/check-ce/test_result_ce_value2.mlw", line 18, characters 12-19: Sub-goal Postcondition of goal test3'vc. Prover result is: Unknown (unknown) (1.24s, 7500000 steps). The program does not comply to the verification goal, for example during the following execution: File int.mlw: Line 13: Constant zero initialization zero = 0 Line 14: Constant one initialization one = 1 File test_result_ce_value2.mlw: Line 3: Constant a initialization (giant-step) execution of unimplemented function with args: result = 0 Normal execution of function `ref` with args: contents = 0 Normal execution of function `ref'mk` with args: contents = 0 a = {contents= 0} Line 17: x = (-1) x = (-1) Execution of main function `test3` with env: a = {contents= 0} x = (-1) zero = 0 one = 1 Line 21: (giant-step) execution of unimplemented function `id` x = (-1) a = {contents= (-1)} result of `id` = 0 Normal execution of function `(<)` with args: _ = 0 _ = 100 (giant-step) execution of unimplemented function `id` x = (-1) a = {contents= 40} result of `id` = 41 Normal execution of function `(>)` with args: x = 41 y = 50 Line 24: Normal execution of function `contents` with args: arg = {contents= 40} Normal execution of function `(+)` with args: _ = 40 _ = 2 Line 18: Property failure at postcondition of `test3` with: a = {contents= 42} File "bench/check-ce/test_result_ce_value2.mlw", line 18, characters 12-19: Sub-goal Postcondition of goal test3'vc. Prover result is: Valid (0.01s, 67 steps). Check model 0 ("bench/check-ce/test_result_ce_value2.mlw", line 18, characters 12-19) Checking model: File test_result_ce_value2.mlw: Line 7: x = {"type": "Integer", "val": "0"} Line 8: a = {"type": "Record", "val": {"Field": [{"field": "contents", "value": {"type": "Integer", "val": "40"}}]}} Line 17: x = {"type": "Integer", "val": "0"} Line 18: a = {"type": "Record", "val": {"Field": [{"field": "contents", "value": {"type": "Integer", "val": "42"}}]}} a = {"type": "Record", "val": {"Field": [{"field": "contents", "value": {"type": "Integer", "val": "42"}}]}} Line 21: a = {"type": "Record", "val": {"Field": [{"field": "contents", "value": {"type": "Integer", "val": "40"}}]}} result = {"type": "Integer", "val": "100"} Line 24: a = {"type": "Record", "val": {"Field": [{"field": "contents", "value": {"type": "Integer", "val": "42"}}]}} Giant-step RAC RHS evaluated for global `zero` at "WHY3DATA/stdlib/int.mlw", line 13, characters 15-19: 0 RHS evaluated for global `one` at "WHY3DATA/stdlib/int.mlw", line 14, characters 15-18: 1 Type default value for return value of call at "bench/check-ce/test_result_ce_value2.mlw", line 3, characters 10-15 at "bench/check-ce/test_result_ce_value2.mlw", line 3, characters 10-15: 0 RHS evaluated for global `a` at "bench/check-ce/test_result_ce_value2.mlw", line 3, characters 8-9: {contents= 0} Value from model for parameter `x` at "bench/check-ce/test_result_ce_value2.mlw", line 17, characters 11-12: 0 Value from model for variable `a` at "bench/check-ce/test_result_ce_value2.mlw", line 21, characters 5-9 at "bench/check-ce/test_result_ce_value2.mlw", line 21, characters 5-9: {contents= 40} Value from model for return value of call to id at "bench/check-ce/test_result_ce_value2.mlw", line 21, characters 5-9 at "bench/check-ce/test_result_ce_value2.mlw", line 21, characters 5-9: 100 Normal RAC RHS evaluated for global `zero` at "WHY3DATA/stdlib/int.mlw", line 13, characters 15-19: 0 RHS evaluated for global `one` at "WHY3DATA/stdlib/int.mlw", line 14, characters 15-18: 1 Type default value for return value of call at "bench/check-ce/test_result_ce_value2.mlw", line 3, characters 10-15 at "bench/check-ce/test_result_ce_value2.mlw", line 3, characters 10-15: 0 RHS evaluated for global `a` at "bench/check-ce/test_result_ce_value2.mlw", line 3, characters 8-9: {contents= 0} Value from model for parameter `x` at "bench/check-ce/test_result_ce_value2.mlw", line 17, characters 11-12: 0 Value from model for variable `a` at "bench/check-ce/test_result_ce_value2.mlw", line 21, characters 5-9 at "bench/check-ce/test_result_ce_value2.mlw", line 21, characters 5-9: {contents= 40} Value from model for return value of call to id at "bench/check-ce/test_result_ce_value2.mlw", line 21, characters 5-9 at "bench/check-ce/test_result_ce_value2.mlw", line 21, characters 5-9: 100 Result of checking model 0: NC - Concrete RAC: FAILURE (postcondition at "bench/check-ce/test_result_ce_value2.mlw", line 18, characters 12-19) File int.mlw: Line 13: Constant zero initialization zero = 0 Line 14: Constant one initialization one = 1 File test_result_ce_value2.mlw: Line 3: Constant a initialization (giant-step) execution of unimplemented function with args: result = 0 Normal execution of function `ref` with args: contents = 0 Normal execution of function `ref'mk` with args: contents = 0 a = {contents= 0} Line 17: x = 0 x = 0 Execution of main function `test3` with env: a = {contents= 0} x = 0 zero = 0 one = 1 Line 21: (giant-step) execution of unimplemented function `id` x = 0 a = {contents= 40} result of `id` = 100 Normal execution of function `(<)` with args: _ = 100 _ = 100 Unknown location: Normal execution of function `False` with args: File test_result_ce_value2.mlw: Line 24: Normal execution of function `contents` with args: arg = {contents= 40} Normal execution of function `(+)` with args: _ = 40 _ = 2 Line 18: Property failure at postcondition of `test3` with: a = {contents= 42} - Abstract RAC: FAILURE (postcondition at "bench/check-ce/test_result_ce_value2.mlw", line 18, characters 12-19) File int.mlw: Line 13: Constant zero initialization zero = 0 Line 14: Constant one initialization one = 1 File test_result_ce_value2.mlw: Line 3: Constant a initialization (giant-step) execution of unimplemented function with args: result = 0 Normal execution of function `ref` with args: contents = 0 Normal execution of function `ref'mk` with args: contents = 0 a = {contents= 0} Line 17: x = 0 x = 0 Execution of main function `test3` with env: a = {contents= 0} x = 0 zero = 0 one = 1 Line 21: Giant-step execution of function `id` with args: x = 0 a = {contents= 40} result of `id` = 100 Normal execution of function `(<)` with args: _ = 100 _ = 100 Unknown location: Normal execution of function `False` with args: File test_result_ce_value2.mlw: Line 24: Normal execution of function `contents` with args: arg = {contents= 40} Normal execution of function `(+)` with args: _ = 40 _ = 2 Line 18: Property failure at postcondition of `test3` with: a = {contents= 42} Check model 1 ("bench/check-ce/test_result_ce_value2.mlw", line 18, characters 12-19) Checking model: File test_result_ce_value2.mlw: Line 7: x = {"type": "Integer", "val": "0"} Line 8: a = {"type": "Record", "val": {"Field": [{"field": "contents", "value": {"type": "Integer", "val": "40"}}]}} Line 17: x = {"type": "Integer", "val": "0"} Line 18: a = {"type": "Record", "val": {"Field": [{"field": "contents", "value": {"type": "Integer", "val": "42"}}]}} a = {"type": "Record", "val": {"Field": [{"field": "contents", "value": {"type": "Integer", "val": "42"}}]}} Line 21: a = {"type": "Record", "val": {"Field": [{"field": "contents", "value": {"type": "Integer", "val": "40"}}]}} result = {"type": "Integer", "val": "100"} Line 24: a = {"type": "Record", "val": {"Field": [{"field": "contents", "value": {"type": "Integer", "val": "42"}}]}} Giant-step RAC RHS evaluated for global `zero` at "WHY3DATA/stdlib/int.mlw", line 13, characters 15-19: 0 RHS evaluated for global `one` at "WHY3DATA/stdlib/int.mlw", line 14, characters 15-18: 1 Type default value for return value of call at "bench/check-ce/test_result_ce_value2.mlw", line 3, characters 10-15 at "bench/check-ce/test_result_ce_value2.mlw", line 3, characters 10-15: 0 RHS evaluated for global `a` at "bench/check-ce/test_result_ce_value2.mlw", line 3, characters 8-9: {contents= 0} Value from model for parameter `x` at "bench/check-ce/test_result_ce_value2.mlw", line 17, characters 11-12: 0 Value from model for variable `a` at "bench/check-ce/test_result_ce_value2.mlw", line 21, characters 5-9 at "bench/check-ce/test_result_ce_value2.mlw", line 21, characters 5-9: {contents= 40} Value from model for return value of call to id at "bench/check-ce/test_result_ce_value2.mlw", line 21, characters 5-9 at "bench/check-ce/test_result_ce_value2.mlw", line 21, characters 5-9: 100 Normal RAC RHS evaluated for global `zero` at "WHY3DATA/stdlib/int.mlw", line 13, characters 15-19: 0 RHS evaluated for global `one` at "WHY3DATA/stdlib/int.mlw", line 14, characters 15-18: 1 Type default value for return value of call at "bench/check-ce/test_result_ce_value2.mlw", line 3, characters 10-15 at "bench/check-ce/test_result_ce_value2.mlw", line 3, characters 10-15: 0 RHS evaluated for global `a` at "bench/check-ce/test_result_ce_value2.mlw", line 3, characters 8-9: {contents= 0} Value from model for parameter `x` at "bench/check-ce/test_result_ce_value2.mlw", line 17, characters 11-12: 0 Value from model for variable `a` at "bench/check-ce/test_result_ce_value2.mlw", line 21, characters 5-9 at "bench/check-ce/test_result_ce_value2.mlw", line 21, characters 5-9: {contents= 40} Value from model for return value of call to id at "bench/check-ce/test_result_ce_value2.mlw", line 21, characters 5-9 at "bench/check-ce/test_result_ce_value2.mlw", line 21, characters 5-9: 100 Result of checking model 1: NC - Concrete RAC: FAILURE (postcondition at "bench/check-ce/test_result_ce_value2.mlw", line 18, characters 12-19) File int.mlw: Line 13: Constant zero initialization zero = 0 Line 14: Constant one initialization one = 1 File test_result_ce_value2.mlw: Line 3: Constant a initialization (giant-step) execution of unimplemented function with args: result = 0 Normal execution of function `ref` with args: contents = 0 Normal execution of function `ref'mk` with args: contents = 0 a = {contents= 0} Line 17: x = 0 x = 0 Execution of main function `test3` with env: a = {contents= 0} x = 0 zero = 0 one = 1 Line 21: (giant-step) execution of unimplemented function `id` x = 0 a = {contents= 40} result of `id` = 100 Normal execution of function `(<)` with args: _ = 100 _ = 100 Unknown location: Normal execution of function `False` with args: File test_result_ce_value2.mlw: Line 24: Normal execution of function `contents` with args: arg = {contents= 40} Normal execution of function `(+)` with args: _ = 40 _ = 2 Line 18: Property failure at postcondition of `test3` with: a = {contents= 42} - Abstract RAC: FAILURE (postcondition at "bench/check-ce/test_result_ce_value2.mlw", line 18, characters 12-19) File int.mlw: Line 13: Constant zero initialization zero = 0 Line 14: Constant one initialization one = 1 File test_result_ce_value2.mlw: Line 3: Constant a initialization (giant-step) execution of unimplemented function with args: result = 0 Normal execution of function `ref` with args: contents = 0 Normal execution of function `ref'mk` with args: contents = 0 a = {contents= 0} Line 17: x = 0 x = 0 Execution of main function `test3` with env: a = {contents= 0} x = 0 zero = 0 one = 1 Line 21: Giant-step execution of function `id` with args: x = 0 a = {contents= 40} result of `id` = 100 Normal execution of function `(<)` with args: _ = 100 _ = 100 Unknown location: Normal execution of function `False` with args: File test_result_ce_value2.mlw: Line 24: Normal execution of function `contents` with args: arg = {contents= 40} Normal execution of function `(+)` with args: _ = 40 _ = 2 Line 18: Property failure at postcondition of `test3` with: a = {contents= 42} Results: - Selected model 0: NC - Concrete RAC: FAILURE (postcondition at "bench/check-ce/test_result_ce_value2.mlw", line 18, characters 12-19) - Abstract RAC: FAILURE (postcondition at "bench/check-ce/test_result_ce_value2.mlw", line 18, characters 12-19) - Checked model 1: NC - Concrete RAC: FAILURE (postcondition at "bench/check-ce/test_result_ce_value2.mlw", line 18, characters 12-19) - Abstract RAC: FAILURE (postcondition at "bench/check-ce/test_result_ce_value2.mlw", line 18, characters 12-19) File "bench/check-ce/test_result_ce_value2.mlw", line 18, characters 12-19: Sub-goal Postcondition of goal test3'vc. Prover result is: Unknown (unknown) (1.28s, 7500000 steps). The program does not comply to the verification goal, for example during the following execution: File int.mlw: Line 13: Constant zero initialization zero = 0 Line 14: Constant one initialization one = 1 File test_result_ce_value2.mlw: Line 3: Constant a initialization (giant-step) execution of unimplemented function with args: result = 0 Normal execution of function `ref` with args: contents = 0 Normal execution of function `ref'mk` with args: contents = 0 a = {contents= 0} Line 17: x = 0 x = 0 Execution of main function `test3` with env: a = {contents= 0} x = 0 zero = 0 one = 1 Line 21: (giant-step) execution of unimplemented function `id` x = 0 a = {contents= 40} result of `id` = 100 Normal execution of function `(<)` with args: _ = 100 _ = 100 Unknown location: Normal execution of function `False` with args: File test_result_ce_value2.mlw: Line 24: Normal execution of function `contents` with args: arg = {contents= 40} Normal execution of function `(+)` with args: _ = 40 _ = 2 Line 18: Property failure at postcondition of `test3` with: a = {contents= 42} why3-1.6.0/bench/check-ce/oracles/test_result_ce_value2_Z3,4.8.4_WP.oracle000066400000000000000000002557421440160026300257170ustar00rootroot00000000000000Check model 0 ("bench/check-ce/test_result_ce_value2.mlw", line 13, characters 14-20) Checking model: File test_result_ce_value2.mlw: Line 7: x = {"type": "Integer", "val": "-1"} Line 8: a = {"type": "Record", "val": {"Field": [{"field": "contents", "value": {"type": "Integer", "val": "-1"}}]}} Line 10: x = {"type": "Integer", "val": "-1"} Line 12: a = {"type": "Record", "val": {"Field": [{"field": "contents", "value": {"type": "Integer", "val": "-1"}}]}} result = {"type": "Integer", "val": "0"} Line 13: a = {"type": "Record", "val": {"Field": [{"field": "contents", "value": {"type": "Integer", "val": "-1"}}]}} Giant-step RAC RHS evaluated for global `zero` at "WHY3DATA/stdlib/int.mlw", line 13, characters 15-19: 0 RHS evaluated for global `one` at "WHY3DATA/stdlib/int.mlw", line 14, characters 15-18: 1 Type default value for return value of call at "bench/check-ce/test_result_ce_value2.mlw", line 3, characters 10-15 at "bench/check-ce/test_result_ce_value2.mlw", line 3, characters 10-15: 0 RHS evaluated for global `a` at "bench/check-ce/test_result_ce_value2.mlw", line 3, characters 8-9: {contents= 0} Value from model for parameter `x` at "bench/check-ce/test_result_ce_value2.mlw", line 10, characters 11-12: (-1) Value from model for variable `a` at "bench/check-ce/test_result_ce_value2.mlw", line 12, characters 5-9 at "bench/check-ce/test_result_ce_value2.mlw", line 12, characters 5-9: {contents= (-1)} Value from model for return value of call to id at "bench/check-ce/test_result_ce_value2.mlw", line 12, characters 5-9 at "bench/check-ce/test_result_ce_value2.mlw", line 12, characters 5-9: 0 Normal RAC RHS evaluated for global `zero` at "WHY3DATA/stdlib/int.mlw", line 13, characters 15-19: 0 RHS evaluated for global `one` at "WHY3DATA/stdlib/int.mlw", line 14, characters 15-18: 1 Type default value for return value of call at "bench/check-ce/test_result_ce_value2.mlw", line 3, characters 10-15 at "bench/check-ce/test_result_ce_value2.mlw", line 3, characters 10-15: 0 RHS evaluated for global `a` at "bench/check-ce/test_result_ce_value2.mlw", line 3, characters 8-9: {contents= 0} Value from model for parameter `x` at "bench/check-ce/test_result_ce_value2.mlw", line 10, characters 11-12: (-1) Value from model for variable `a` at "bench/check-ce/test_result_ce_value2.mlw", line 12, characters 5-9 at "bench/check-ce/test_result_ce_value2.mlw", line 12, characters 5-9: {contents= (-1)} Value from model for return value of call to id at "bench/check-ce/test_result_ce_value2.mlw", line 12, characters 5-9 at "bench/check-ce/test_result_ce_value2.mlw", line 12, characters 5-9: 0 Result of checking model 0: NC - Concrete RAC: FAILURE (assertion at "bench/check-ce/test_result_ce_value2.mlw", line 13, characters 14-20) File int.mlw: Line 13: Constant zero initialization zero = 0 Line 14: Constant one initialization one = 1 File test_result_ce_value2.mlw: Line 3: Constant a initialization (giant-step) execution of unimplemented function with args: result = 0 Normal execution of function `ref` with args: contents = 0 Normal execution of function `ref'mk` with args: contents = 0 a = {contents= 0} Line 10: x = (-1) x = (-1) Execution of main function `test2` with env: a = {contents= 0} x = (-1) zero = 0 one = 1 Line 12: (giant-step) execution of unimplemented function `id` x = (-1) a = {contents= (-1)} result of `id` = 0 Normal execution of function `(<)` with args: _ = 0 _ = 10 Line 13: Property failure at assertion with: a = {contents= (-1)} - Abstract RAC: FAILURE (assertion at "bench/check-ce/test_result_ce_value2.mlw", line 13, characters 14-20) File int.mlw: Line 13: Constant zero initialization zero = 0 Line 14: Constant one initialization one = 1 File test_result_ce_value2.mlw: Line 3: Constant a initialization (giant-step) execution of unimplemented function with args: result = 0 Normal execution of function `ref` with args: contents = 0 Normal execution of function `ref'mk` with args: contents = 0 a = {contents= 0} Line 10: x = (-1) x = (-1) Execution of main function `test2` with env: a = {contents= 0} x = (-1) zero = 0 one = 1 Line 12: Giant-step execution of function `id` with args: x = (-1) a = {contents= (-1)} result of `id` = 0 Normal execution of function `(<)` with args: _ = 0 _ = 10 Line 13: Property failure at assertion with: a = {contents= (-1)} Check model 1 ("bench/check-ce/test_result_ce_value2.mlw", line 13, characters 14-20) Checking model: File test_result_ce_value2.mlw: Line 7: x = {"type": "Integer", "val": "-1"} Line 8: a = {"type": "Record", "val": {"Field": [{"field": "contents", "value": {"type": "Integer", "val": "-1"}}]}} Line 10: x = {"type": "Integer", "val": "-1"} Line 12: a = {"type": "Record", "val": {"Field": [{"field": "contents", "value": {"type": "Integer", "val": "-1"}}]}} result = {"type": "Integer", "val": "0"} Line 13: a = {"type": "Record", "val": {"Field": [{"field": "contents", "value": {"type": "Integer", "val": "-1"}}]}} Giant-step RAC RHS evaluated for global `zero` at "WHY3DATA/stdlib/int.mlw", line 13, characters 15-19: 0 RHS evaluated for global `one` at "WHY3DATA/stdlib/int.mlw", line 14, characters 15-18: 1 Type default value for return value of call at "bench/check-ce/test_result_ce_value2.mlw", line 3, characters 10-15 at "bench/check-ce/test_result_ce_value2.mlw", line 3, characters 10-15: 0 RHS evaluated for global `a` at "bench/check-ce/test_result_ce_value2.mlw", line 3, characters 8-9: {contents= 0} Value from model for parameter `x` at "bench/check-ce/test_result_ce_value2.mlw", line 10, characters 11-12: (-1) Value from model for variable `a` at "bench/check-ce/test_result_ce_value2.mlw", line 12, characters 5-9 at "bench/check-ce/test_result_ce_value2.mlw", line 12, characters 5-9: {contents= (-1)} Value from model for return value of call to id at "bench/check-ce/test_result_ce_value2.mlw", line 12, characters 5-9 at "bench/check-ce/test_result_ce_value2.mlw", line 12, characters 5-9: 0 Normal RAC RHS evaluated for global `zero` at "WHY3DATA/stdlib/int.mlw", line 13, characters 15-19: 0 RHS evaluated for global `one` at "WHY3DATA/stdlib/int.mlw", line 14, characters 15-18: 1 Type default value for return value of call at "bench/check-ce/test_result_ce_value2.mlw", line 3, characters 10-15 at "bench/check-ce/test_result_ce_value2.mlw", line 3, characters 10-15: 0 RHS evaluated for global `a` at "bench/check-ce/test_result_ce_value2.mlw", line 3, characters 8-9: {contents= 0} Value from model for parameter `x` at "bench/check-ce/test_result_ce_value2.mlw", line 10, characters 11-12: (-1) Value from model for variable `a` at "bench/check-ce/test_result_ce_value2.mlw", line 12, characters 5-9 at "bench/check-ce/test_result_ce_value2.mlw", line 12, characters 5-9: {contents= (-1)} Value from model for return value of call to id at "bench/check-ce/test_result_ce_value2.mlw", line 12, characters 5-9 at "bench/check-ce/test_result_ce_value2.mlw", line 12, characters 5-9: 0 Result of checking model 1: NC - Concrete RAC: FAILURE (assertion at "bench/check-ce/test_result_ce_value2.mlw", line 13, characters 14-20) File int.mlw: Line 13: Constant zero initialization zero = 0 Line 14: Constant one initialization one = 1 File test_result_ce_value2.mlw: Line 3: Constant a initialization (giant-step) execution of unimplemented function with args: result = 0 Normal execution of function `ref` with args: contents = 0 Normal execution of function `ref'mk` with args: contents = 0 a = {contents= 0} Line 10: x = (-1) x = (-1) Execution of main function `test2` with env: a = {contents= 0} x = (-1) zero = 0 one = 1 Line 12: (giant-step) execution of unimplemented function `id` x = (-1) a = {contents= (-1)} result of `id` = 0 Normal execution of function `(<)` with args: _ = 0 _ = 10 Line 13: Property failure at assertion with: a = {contents= (-1)} - Abstract RAC: FAILURE (assertion at "bench/check-ce/test_result_ce_value2.mlw", line 13, characters 14-20) File int.mlw: Line 13: Constant zero initialization zero = 0 Line 14: Constant one initialization one = 1 File test_result_ce_value2.mlw: Line 3: Constant a initialization (giant-step) execution of unimplemented function with args: result = 0 Normal execution of function `ref` with args: contents = 0 Normal execution of function `ref'mk` with args: contents = 0 a = {contents= 0} Line 10: x = (-1) x = (-1) Execution of main function `test2` with env: a = {contents= 0} x = (-1) zero = 0 one = 1 Line 12: Giant-step execution of function `id` with args: x = (-1) a = {contents= (-1)} result of `id` = 0 Normal execution of function `(<)` with args: _ = 0 _ = 10 Line 13: Property failure at assertion with: a = {contents= (-1)} Results: - Selected model 0: NC - Concrete RAC: FAILURE (assertion at "bench/check-ce/test_result_ce_value2.mlw", line 13, characters 14-20) - Abstract RAC: FAILURE (assertion at "bench/check-ce/test_result_ce_value2.mlw", line 13, characters 14-20) - Checked model 1: NC - Concrete RAC: FAILURE (assertion at "bench/check-ce/test_result_ce_value2.mlw", line 13, characters 14-20) - Abstract RAC: FAILURE (assertion at "bench/check-ce/test_result_ce_value2.mlw", line 13, characters 14-20) File "bench/check-ce/test_result_ce_value2.mlw", line 13, characters 14-20: Sub-goal Assertion of goal test2'vc. Prover result is: Unknown (unknown) (1.25s, 7500000 steps). The program does not comply to the verification goal, for example during the following execution: File int.mlw: Line 13: Constant zero initialization zero = 0 Line 14: Constant one initialization one = 1 File test_result_ce_value2.mlw: Line 3: Constant a initialization (giant-step) execution of unimplemented function with args: result = 0 Normal execution of function `ref` with args: contents = 0 Normal execution of function `ref'mk` with args: contents = 0 a = {contents= 0} Line 10: x = (-1) x = (-1) Execution of main function `test2` with env: a = {contents= 0} x = (-1) zero = 0 one = 1 Line 12: (giant-step) execution of unimplemented function `id` x = (-1) a = {contents= (-1)} result of `id` = 0 Normal execution of function `(<)` with args: _ = 0 _ = 10 Line 13: Property failure at assertion with: a = {contents= (-1)} Check model 0 ("bench/check-ce/test_result_ce_value2.mlw", line 15, characters 14-20) Checking model: File test_result_ce_value2.mlw: Line 7: x = {"type": "Integer", "val": "0"} Line 8: a = {"type": "Record", "val": {"Field": [{"field": "contents", "value": {"type": "Integer", "val": "42"}}]}} Line 10: x = {"type": "Integer", "val": "0"} Line 12: a = {"type": "Record", "val": {"Field": [{"field": "contents", "value": {"type": "Integer", "val": "42"}}]}} result = {"type": "Integer", "val": "43"} Line 15: a = {"type": "Record", "val": {"Field": [{"field": "contents", "value": {"type": "Integer", "val": "42"}}]}} Giant-step RAC RHS evaluated for global `zero` at "WHY3DATA/stdlib/int.mlw", line 13, characters 15-19: 0 RHS evaluated for global `one` at "WHY3DATA/stdlib/int.mlw", line 14, characters 15-18: 1 Type default value for return value of call at "bench/check-ce/test_result_ce_value2.mlw", line 3, characters 10-15 at "bench/check-ce/test_result_ce_value2.mlw", line 3, characters 10-15: 0 RHS evaluated for global `a` at "bench/check-ce/test_result_ce_value2.mlw", line 3, characters 8-9: {contents= 0} Value from model for parameter `x` at "bench/check-ce/test_result_ce_value2.mlw", line 10, characters 11-12: 0 Value from model for variable `a` at "bench/check-ce/test_result_ce_value2.mlw", line 12, characters 5-9 at "bench/check-ce/test_result_ce_value2.mlw", line 12, characters 5-9: {contents= 42} Value from model for return value of call to id at "bench/check-ce/test_result_ce_value2.mlw", line 12, characters 5-9 at "bench/check-ce/test_result_ce_value2.mlw", line 12, characters 5-9: 43 Normal RAC RHS evaluated for global `zero` at "WHY3DATA/stdlib/int.mlw", line 13, characters 15-19: 0 RHS evaluated for global `one` at "WHY3DATA/stdlib/int.mlw", line 14, characters 15-18: 1 Type default value for return value of call at "bench/check-ce/test_result_ce_value2.mlw", line 3, characters 10-15 at "bench/check-ce/test_result_ce_value2.mlw", line 3, characters 10-15: 0 RHS evaluated for global `a` at "bench/check-ce/test_result_ce_value2.mlw", line 3, characters 8-9: {contents= 0} Value from model for parameter `x` at "bench/check-ce/test_result_ce_value2.mlw", line 10, characters 11-12: 0 Value from model for variable `a` at "bench/check-ce/test_result_ce_value2.mlw", line 12, characters 5-9 at "bench/check-ce/test_result_ce_value2.mlw", line 12, characters 5-9: {contents= 42} Value from model for return value of call to id at "bench/check-ce/test_result_ce_value2.mlw", line 12, characters 5-9 at "bench/check-ce/test_result_ce_value2.mlw", line 12, characters 5-9: 43 Result of checking model 0: NC - Concrete RAC: FAILURE (assertion at "bench/check-ce/test_result_ce_value2.mlw", line 15, characters 14-20) File int.mlw: Line 13: Constant zero initialization zero = 0 Line 14: Constant one initialization one = 1 File test_result_ce_value2.mlw: Line 3: Constant a initialization (giant-step) execution of unimplemented function with args: result = 0 Normal execution of function `ref` with args: contents = 0 Normal execution of function `ref'mk` with args: contents = 0 a = {contents= 0} Line 10: x = 0 x = 0 Execution of main function `test2` with env: a = {contents= 0} x = 0 zero = 0 one = 1 Line 12: (giant-step) execution of unimplemented function `id` x = 0 a = {contents= 42} result of `id` = 43 Normal execution of function `(<)` with args: _ = 43 _ = 10 Line 15: Property failure at assertion with: a = {contents= 42} - Abstract RAC: FAILURE (assertion at "bench/check-ce/test_result_ce_value2.mlw", line 15, characters 14-20) File int.mlw: Line 13: Constant zero initialization zero = 0 Line 14: Constant one initialization one = 1 File test_result_ce_value2.mlw: Line 3: Constant a initialization (giant-step) execution of unimplemented function with args: result = 0 Normal execution of function `ref` with args: contents = 0 Normal execution of function `ref'mk` with args: contents = 0 a = {contents= 0} Line 10: x = 0 x = 0 Execution of main function `test2` with env: a = {contents= 0} x = 0 zero = 0 one = 1 Line 12: Giant-step execution of function `id` with args: x = 0 a = {contents= 42} result of `id` = 43 Normal execution of function `(<)` with args: _ = 43 _ = 10 Line 15: Property failure at assertion with: a = {contents= 42} Check model 1 ("bench/check-ce/test_result_ce_value2.mlw", line 15, characters 14-20) Checking model: File test_result_ce_value2.mlw: Line 7: x = {"type": "Integer", "val": "0"} Line 8: a = {"type": "Record", "val": {"Field": [{"field": "contents", "value": {"type": "Integer", "val": "42"}}]}} Line 10: x = {"type": "Integer", "val": "0"} Line 12: a = {"type": "Record", "val": {"Field": [{"field": "contents", "value": {"type": "Integer", "val": "42"}}]}} result = {"type": "Integer", "val": "43"} Line 15: a = {"type": "Record", "val": {"Field": [{"field": "contents", "value": {"type": "Integer", "val": "42"}}]}} Giant-step RAC RHS evaluated for global `zero` at "WHY3DATA/stdlib/int.mlw", line 13, characters 15-19: 0 RHS evaluated for global `one` at "WHY3DATA/stdlib/int.mlw", line 14, characters 15-18: 1 Type default value for return value of call at "bench/check-ce/test_result_ce_value2.mlw", line 3, characters 10-15 at "bench/check-ce/test_result_ce_value2.mlw", line 3, characters 10-15: 0 RHS evaluated for global `a` at "bench/check-ce/test_result_ce_value2.mlw", line 3, characters 8-9: {contents= 0} Value from model for parameter `x` at "bench/check-ce/test_result_ce_value2.mlw", line 10, characters 11-12: 0 Value from model for variable `a` at "bench/check-ce/test_result_ce_value2.mlw", line 12, characters 5-9 at "bench/check-ce/test_result_ce_value2.mlw", line 12, characters 5-9: {contents= 42} Value from model for return value of call to id at "bench/check-ce/test_result_ce_value2.mlw", line 12, characters 5-9 at "bench/check-ce/test_result_ce_value2.mlw", line 12, characters 5-9: 43 Normal RAC RHS evaluated for global `zero` at "WHY3DATA/stdlib/int.mlw", line 13, characters 15-19: 0 RHS evaluated for global `one` at "WHY3DATA/stdlib/int.mlw", line 14, characters 15-18: 1 Type default value for return value of call at "bench/check-ce/test_result_ce_value2.mlw", line 3, characters 10-15 at "bench/check-ce/test_result_ce_value2.mlw", line 3, characters 10-15: 0 RHS evaluated for global `a` at "bench/check-ce/test_result_ce_value2.mlw", line 3, characters 8-9: {contents= 0} Value from model for parameter `x` at "bench/check-ce/test_result_ce_value2.mlw", line 10, characters 11-12: 0 Value from model for variable `a` at "bench/check-ce/test_result_ce_value2.mlw", line 12, characters 5-9 at "bench/check-ce/test_result_ce_value2.mlw", line 12, characters 5-9: {contents= 42} Value from model for return value of call to id at "bench/check-ce/test_result_ce_value2.mlw", line 12, characters 5-9 at "bench/check-ce/test_result_ce_value2.mlw", line 12, characters 5-9: 43 Result of checking model 1: NC - Concrete RAC: FAILURE (assertion at "bench/check-ce/test_result_ce_value2.mlw", line 15, characters 14-20) File int.mlw: Line 13: Constant zero initialization zero = 0 Line 14: Constant one initialization one = 1 File test_result_ce_value2.mlw: Line 3: Constant a initialization (giant-step) execution of unimplemented function with args: result = 0 Normal execution of function `ref` with args: contents = 0 Normal execution of function `ref'mk` with args: contents = 0 a = {contents= 0} Line 10: x = 0 x = 0 Execution of main function `test2` with env: a = {contents= 0} x = 0 zero = 0 one = 1 Line 12: (giant-step) execution of unimplemented function `id` x = 0 a = {contents= 42} result of `id` = 43 Normal execution of function `(<)` with args: _ = 43 _ = 10 Line 15: Property failure at assertion with: a = {contents= 42} - Abstract RAC: FAILURE (assertion at "bench/check-ce/test_result_ce_value2.mlw", line 15, characters 14-20) File int.mlw: Line 13: Constant zero initialization zero = 0 Line 14: Constant one initialization one = 1 File test_result_ce_value2.mlw: Line 3: Constant a initialization (giant-step) execution of unimplemented function with args: result = 0 Normal execution of function `ref` with args: contents = 0 Normal execution of function `ref'mk` with args: contents = 0 a = {contents= 0} Line 10: x = 0 x = 0 Execution of main function `test2` with env: a = {contents= 0} x = 0 zero = 0 one = 1 Line 12: Giant-step execution of function `id` with args: x = 0 a = {contents= 42} result of `id` = 43 Normal execution of function `(<)` with args: _ = 43 _ = 10 Line 15: Property failure at assertion with: a = {contents= 42} Results: - Selected model 0: NC - Concrete RAC: FAILURE (assertion at "bench/check-ce/test_result_ce_value2.mlw", line 15, characters 14-20) - Abstract RAC: FAILURE (assertion at "bench/check-ce/test_result_ce_value2.mlw", line 15, characters 14-20) - Checked model 1: NC - Concrete RAC: FAILURE (assertion at "bench/check-ce/test_result_ce_value2.mlw", line 15, characters 14-20) - Abstract RAC: FAILURE (assertion at "bench/check-ce/test_result_ce_value2.mlw", line 15, characters 14-20) File "bench/check-ce/test_result_ce_value2.mlw", line 15, characters 14-20: Sub-goal Assertion of goal test2'vc. Prover result is: Unknown (unknown) (1.24s, 7500000 steps). The program does not comply to the verification goal, for example during the following execution: File int.mlw: Line 13: Constant zero initialization zero = 0 Line 14: Constant one initialization one = 1 File test_result_ce_value2.mlw: Line 3: Constant a initialization (giant-step) execution of unimplemented function with args: result = 0 Normal execution of function `ref` with args: contents = 0 Normal execution of function `ref'mk` with args: contents = 0 a = {contents= 0} Line 10: x = 0 x = 0 Execution of main function `test2` with env: a = {contents= 0} x = 0 zero = 0 one = 1 Line 12: (giant-step) execution of unimplemented function `id` x = 0 a = {contents= 42} result of `id` = 43 Normal execution of function `(<)` with args: _ = 43 _ = 10 Line 15: Property failure at assertion with: a = {contents= 42} Check model 0 ("bench/check-ce/test_result_ce_value2.mlw", line 18, characters 12-19) Checking model: File test_result_ce_value2.mlw: Line 7: x = {"type": "Integer", "val": "-1"} Line 8: a = {"type": "Record", "val": {"Field": [{"field": "contents", "value": {"type": "Integer", "val": "41"}}]}} Line 17: x = {"type": "Integer", "val": "-1"} Line 18: a = {"type": "Record", "val": {"Field": [{"field": "contents", "value": {"type": "Integer", "val": "42"}}]}} a = {"type": "Record", "val": {"Field": [{"field": "contents", "value": {"type": "Integer", "val": "42"}}]}} Line 21: a = {"type": "Record", "val": {"Field": [{"field": "contents", "value": {"type": "Integer", "val": "-1"}}]}} a = {"type": "Record", "val": {"Field": [{"field": "contents", "value": {"type": "Integer", "val": "41"}}]}} result = {"type": "Integer", "val": "51"} result = {"type": "Integer", "val": "0"} Line 22: a = {"type": "Record", "val": {"Field": [{"field": "contents", "value": {"type": "Integer", "val": "42"}}]}} Giant-step RAC RHS evaluated for global `zero` at "WHY3DATA/stdlib/int.mlw", line 13, characters 15-19: 0 RHS evaluated for global `one` at "WHY3DATA/stdlib/int.mlw", line 14, characters 15-18: 1 Type default value for return value of call at "bench/check-ce/test_result_ce_value2.mlw", line 3, characters 10-15 at "bench/check-ce/test_result_ce_value2.mlw", line 3, characters 10-15: 0 RHS evaluated for global `a` at "bench/check-ce/test_result_ce_value2.mlw", line 3, characters 8-9: {contents= 0} Value from model for parameter `x` at "bench/check-ce/test_result_ce_value2.mlw", line 17, characters 11-12: (-1) Value from model for variable `a` at "bench/check-ce/test_result_ce_value2.mlw", line 21, characters 5-9 at "bench/check-ce/test_result_ce_value2.mlw", line 21, characters 5-9: {contents= (-1)} Value from model for return value of call to id at "bench/check-ce/test_result_ce_value2.mlw", line 21, characters 5-9 at "bench/check-ce/test_result_ce_value2.mlw", line 21, characters 5-9: 0 Value from model for variable `a` at "bench/check-ce/test_result_ce_value2.mlw", line 21, characters 19-23 at "bench/check-ce/test_result_ce_value2.mlw", line 21, characters 19-23: {contents= 41} Value from model for return value of call to id at "bench/check-ce/test_result_ce_value2.mlw", line 21, characters 19-23 at "bench/check-ce/test_result_ce_value2.mlw", line 21, characters 19-23: 51 Normal RAC RHS evaluated for global `zero` at "WHY3DATA/stdlib/int.mlw", line 13, characters 15-19: 0 RHS evaluated for global `one` at "WHY3DATA/stdlib/int.mlw", line 14, characters 15-18: 1 Type default value for return value of call at "bench/check-ce/test_result_ce_value2.mlw", line 3, characters 10-15 at "bench/check-ce/test_result_ce_value2.mlw", line 3, characters 10-15: 0 RHS evaluated for global `a` at "bench/check-ce/test_result_ce_value2.mlw", line 3, characters 8-9: {contents= 0} Value from model for parameter `x` at "bench/check-ce/test_result_ce_value2.mlw", line 17, characters 11-12: (-1) Value from model for variable `a` at "bench/check-ce/test_result_ce_value2.mlw", line 21, characters 5-9 at "bench/check-ce/test_result_ce_value2.mlw", line 21, characters 5-9: {contents= (-1)} Value from model for return value of call to id at "bench/check-ce/test_result_ce_value2.mlw", line 21, characters 5-9 at "bench/check-ce/test_result_ce_value2.mlw", line 21, characters 5-9: 0 Value from model for variable `a` at "bench/check-ce/test_result_ce_value2.mlw", line 21, characters 19-23 at "bench/check-ce/test_result_ce_value2.mlw", line 21, characters 19-23: {contents= 41} Value from model for return value of call to id at "bench/check-ce/test_result_ce_value2.mlw", line 21, characters 19-23 at "bench/check-ce/test_result_ce_value2.mlw", line 21, characters 19-23: 51 Result of checking model 0: NC - Concrete RAC: FAILURE (postcondition at "bench/check-ce/test_result_ce_value2.mlw", line 18, characters 12-19) File int.mlw: Line 13: Constant zero initialization zero = 0 Line 14: Constant one initialization one = 1 File test_result_ce_value2.mlw: Line 3: Constant a initialization (giant-step) execution of unimplemented function with args: result = 0 Normal execution of function `ref` with args: contents = 0 Normal execution of function `ref'mk` with args: contents = 0 a = {contents= 0} Line 17: x = (-1) x = (-1) Execution of main function `test3` with env: a = {contents= 0} x = (-1) zero = 0 one = 1 Line 21: (giant-step) execution of unimplemented function `id` x = (-1) a = {contents= (-1)} result of `id` = 0 Normal execution of function `(<)` with args: _ = 0 _ = 100 (giant-step) execution of unimplemented function `id` x = (-1) a = {contents= 41} result of `id` = 51 Normal execution of function `(>)` with args: x = 51 y = 50 Line 22: Normal execution of function `contents` with args: arg = {contents= 41} Normal execution of function `(+)` with args: _ = 41 _ = 1 Line 18: Property failure at postcondition of `test3` with: a = {contents= 42} - Abstract RAC: FAILURE (postcondition at "bench/check-ce/test_result_ce_value2.mlw", line 18, characters 12-19) File int.mlw: Line 13: Constant zero initialization zero = 0 Line 14: Constant one initialization one = 1 File test_result_ce_value2.mlw: Line 3: Constant a initialization (giant-step) execution of unimplemented function with args: result = 0 Normal execution of function `ref` with args: contents = 0 Normal execution of function `ref'mk` with args: contents = 0 a = {contents= 0} Line 17: x = (-1) x = (-1) Execution of main function `test3` with env: a = {contents= 0} x = (-1) zero = 0 one = 1 Line 21: Giant-step execution of function `id` with args: x = (-1) a = {contents= (-1)} result of `id` = 0 Normal execution of function `(<)` with args: _ = 0 _ = 100 Giant-step execution of function `id` with args: x = (-1) a = {contents= 41} result of `id` = 51 Normal execution of function `(>)` with args: x = 51 y = 50 Line 22: Normal execution of function `contents` with args: arg = {contents= 41} Normal execution of function `(+)` with args: _ = 41 _ = 1 Line 18: Property failure at postcondition of `test3` with: a = {contents= 42} Check model 1 ("bench/check-ce/test_result_ce_value2.mlw", line 18, characters 12-19) Checking model: File test_result_ce_value2.mlw: Line 7: x = {"type": "Integer", "val": "-1"} Line 8: a = {"type": "Record", "val": {"Field": [{"field": "contents", "value": {"type": "Integer", "val": "41"}}]}} Line 17: x = {"type": "Integer", "val": "-1"} Line 18: a = {"type": "Record", "val": {"Field": [{"field": "contents", "value": {"type": "Integer", "val": "42"}}]}} a = {"type": "Record", "val": {"Field": [{"field": "contents", "value": {"type": "Integer", "val": "42"}}]}} Line 21: a = {"type": "Record", "val": {"Field": [{"field": "contents", "value": {"type": "Integer", "val": "-1"}}]}} a = {"type": "Record", "val": {"Field": [{"field": "contents", "value": {"type": "Integer", "val": "41"}}]}} result = {"type": "Integer", "val": "51"} result = {"type": "Integer", "val": "0"} Line 22: a = {"type": "Record", "val": {"Field": [{"field": "contents", "value": {"type": "Integer", "val": "42"}}]}} Giant-step RAC RHS evaluated for global `zero` at "WHY3DATA/stdlib/int.mlw", line 13, characters 15-19: 0 RHS evaluated for global `one` at "WHY3DATA/stdlib/int.mlw", line 14, characters 15-18: 1 Type default value for return value of call at "bench/check-ce/test_result_ce_value2.mlw", line 3, characters 10-15 at "bench/check-ce/test_result_ce_value2.mlw", line 3, characters 10-15: 0 RHS evaluated for global `a` at "bench/check-ce/test_result_ce_value2.mlw", line 3, characters 8-9: {contents= 0} Value from model for parameter `x` at "bench/check-ce/test_result_ce_value2.mlw", line 17, characters 11-12: (-1) Value from model for variable `a` at "bench/check-ce/test_result_ce_value2.mlw", line 21, characters 5-9 at "bench/check-ce/test_result_ce_value2.mlw", line 21, characters 5-9: {contents= (-1)} Value from model for return value of call to id at "bench/check-ce/test_result_ce_value2.mlw", line 21, characters 5-9 at "bench/check-ce/test_result_ce_value2.mlw", line 21, characters 5-9: 0 Value from model for variable `a` at "bench/check-ce/test_result_ce_value2.mlw", line 21, characters 19-23 at "bench/check-ce/test_result_ce_value2.mlw", line 21, characters 19-23: {contents= 41} Value from model for return value of call to id at "bench/check-ce/test_result_ce_value2.mlw", line 21, characters 19-23 at "bench/check-ce/test_result_ce_value2.mlw", line 21, characters 19-23: 51 Normal RAC RHS evaluated for global `zero` at "WHY3DATA/stdlib/int.mlw", line 13, characters 15-19: 0 RHS evaluated for global `one` at "WHY3DATA/stdlib/int.mlw", line 14, characters 15-18: 1 Type default value for return value of call at "bench/check-ce/test_result_ce_value2.mlw", line 3, characters 10-15 at "bench/check-ce/test_result_ce_value2.mlw", line 3, characters 10-15: 0 RHS evaluated for global `a` at "bench/check-ce/test_result_ce_value2.mlw", line 3, characters 8-9: {contents= 0} Value from model for parameter `x` at "bench/check-ce/test_result_ce_value2.mlw", line 17, characters 11-12: (-1) Value from model for variable `a` at "bench/check-ce/test_result_ce_value2.mlw", line 21, characters 5-9 at "bench/check-ce/test_result_ce_value2.mlw", line 21, characters 5-9: {contents= (-1)} Value from model for return value of call to id at "bench/check-ce/test_result_ce_value2.mlw", line 21, characters 5-9 at "bench/check-ce/test_result_ce_value2.mlw", line 21, characters 5-9: 0 Value from model for variable `a` at "bench/check-ce/test_result_ce_value2.mlw", line 21, characters 19-23 at "bench/check-ce/test_result_ce_value2.mlw", line 21, characters 19-23: {contents= 41} Value from model for return value of call to id at "bench/check-ce/test_result_ce_value2.mlw", line 21, characters 19-23 at "bench/check-ce/test_result_ce_value2.mlw", line 21, characters 19-23: 51 Result of checking model 1: NC - Concrete RAC: FAILURE (postcondition at "bench/check-ce/test_result_ce_value2.mlw", line 18, characters 12-19) File int.mlw: Line 13: Constant zero initialization zero = 0 Line 14: Constant one initialization one = 1 File test_result_ce_value2.mlw: Line 3: Constant a initialization (giant-step) execution of unimplemented function with args: result = 0 Normal execution of function `ref` with args: contents = 0 Normal execution of function `ref'mk` with args: contents = 0 a = {contents= 0} Line 17: x = (-1) x = (-1) Execution of main function `test3` with env: a = {contents= 0} x = (-1) zero = 0 one = 1 Line 21: (giant-step) execution of unimplemented function `id` x = (-1) a = {contents= (-1)} result of `id` = 0 Normal execution of function `(<)` with args: _ = 0 _ = 100 (giant-step) execution of unimplemented function `id` x = (-1) a = {contents= 41} result of `id` = 51 Normal execution of function `(>)` with args: x = 51 y = 50 Line 22: Normal execution of function `contents` with args: arg = {contents= 41} Normal execution of function `(+)` with args: _ = 41 _ = 1 Line 18: Property failure at postcondition of `test3` with: a = {contents= 42} - Abstract RAC: FAILURE (postcondition at "bench/check-ce/test_result_ce_value2.mlw", line 18, characters 12-19) File int.mlw: Line 13: Constant zero initialization zero = 0 Line 14: Constant one initialization one = 1 File test_result_ce_value2.mlw: Line 3: Constant a initialization (giant-step) execution of unimplemented function with args: result = 0 Normal execution of function `ref` with args: contents = 0 Normal execution of function `ref'mk` with args: contents = 0 a = {contents= 0} Line 17: x = (-1) x = (-1) Execution of main function `test3` with env: a = {contents= 0} x = (-1) zero = 0 one = 1 Line 21: Giant-step execution of function `id` with args: x = (-1) a = {contents= (-1)} result of `id` = 0 Normal execution of function `(<)` with args: _ = 0 _ = 100 Giant-step execution of function `id` with args: x = (-1) a = {contents= 41} result of `id` = 51 Normal execution of function `(>)` with args: x = 51 y = 50 Line 22: Normal execution of function `contents` with args: arg = {contents= 41} Normal execution of function `(+)` with args: _ = 41 _ = 1 Line 18: Property failure at postcondition of `test3` with: a = {contents= 42} Results: - Selected model 0: NC - Concrete RAC: FAILURE (postcondition at "bench/check-ce/test_result_ce_value2.mlw", line 18, characters 12-19) - Abstract RAC: FAILURE (postcondition at "bench/check-ce/test_result_ce_value2.mlw", line 18, characters 12-19) - Checked model 1: NC - Concrete RAC: FAILURE (postcondition at "bench/check-ce/test_result_ce_value2.mlw", line 18, characters 12-19) - Abstract RAC: FAILURE (postcondition at "bench/check-ce/test_result_ce_value2.mlw", line 18, characters 12-19) File "bench/check-ce/test_result_ce_value2.mlw", line 18, characters 12-19: Sub-goal Postcondition of goal test3'vc. Prover result is: Unknown (unknown) (1.23s, 7500000 steps). The program does not comply to the verification goal, for example during the following execution: File int.mlw: Line 13: Constant zero initialization zero = 0 Line 14: Constant one initialization one = 1 File test_result_ce_value2.mlw: Line 3: Constant a initialization (giant-step) execution of unimplemented function with args: result = 0 Normal execution of function `ref` with args: contents = 0 Normal execution of function `ref'mk` with args: contents = 0 a = {contents= 0} Line 17: x = (-1) x = (-1) Execution of main function `test3` with env: a = {contents= 0} x = (-1) zero = 0 one = 1 Line 21: (giant-step) execution of unimplemented function `id` x = (-1) a = {contents= (-1)} result of `id` = 0 Normal execution of function `(<)` with args: _ = 0 _ = 100 (giant-step) execution of unimplemented function `id` x = (-1) a = {contents= 41} result of `id` = 51 Normal execution of function `(>)` with args: x = 51 y = 50 Line 22: Normal execution of function `contents` with args: arg = {contents= 41} Normal execution of function `(+)` with args: _ = 41 _ = 1 Line 18: Property failure at postcondition of `test3` with: a = {contents= 42} Check model 0 ("bench/check-ce/test_result_ce_value2.mlw", line 18, characters 12-19) Checking model: File test_result_ce_value2.mlw: Line 7: x = {"type": "Integer", "val": "-1"} Line 8: a = {"type": "Record", "val": {"Field": [{"field": "contents", "value": {"type": "Integer", "val": "40"}}]}} Line 17: x = {"type": "Integer", "val": "-1"} Line 18: a = {"type": "Record", "val": {"Field": [{"field": "contents", "value": {"type": "Integer", "val": "42"}}]}} a = {"type": "Record", "val": {"Field": [{"field": "contents", "value": {"type": "Integer", "val": "42"}}]}} Line 21: a = {"type": "Record", "val": {"Field": [{"field": "contents", "value": {"type": "Integer", "val": "-1"}}]}} a = {"type": "Record", "val": {"Field": [{"field": "contents", "value": {"type": "Integer", "val": "40"}}]}} result = {"type": "Integer", "val": "41"} result = {"type": "Integer", "val": "0"} Line 24: a = {"type": "Record", "val": {"Field": [{"field": "contents", "value": {"type": "Integer", "val": "42"}}]}} Giant-step RAC RHS evaluated for global `zero` at "WHY3DATA/stdlib/int.mlw", line 13, characters 15-19: 0 RHS evaluated for global `one` at "WHY3DATA/stdlib/int.mlw", line 14, characters 15-18: 1 Type default value for return value of call at "bench/check-ce/test_result_ce_value2.mlw", line 3, characters 10-15 at "bench/check-ce/test_result_ce_value2.mlw", line 3, characters 10-15: 0 RHS evaluated for global `a` at "bench/check-ce/test_result_ce_value2.mlw", line 3, characters 8-9: {contents= 0} Value from model for parameter `x` at "bench/check-ce/test_result_ce_value2.mlw", line 17, characters 11-12: (-1) Value from model for variable `a` at "bench/check-ce/test_result_ce_value2.mlw", line 21, characters 5-9 at "bench/check-ce/test_result_ce_value2.mlw", line 21, characters 5-9: {contents= (-1)} Value from model for return value of call to id at "bench/check-ce/test_result_ce_value2.mlw", line 21, characters 5-9 at "bench/check-ce/test_result_ce_value2.mlw", line 21, characters 5-9: 0 Value from model for variable `a` at "bench/check-ce/test_result_ce_value2.mlw", line 21, characters 19-23 at "bench/check-ce/test_result_ce_value2.mlw", line 21, characters 19-23: {contents= 40} Value from model for return value of call to id at "bench/check-ce/test_result_ce_value2.mlw", line 21, characters 19-23 at "bench/check-ce/test_result_ce_value2.mlw", line 21, characters 19-23: 41 Normal RAC RHS evaluated for global `zero` at "WHY3DATA/stdlib/int.mlw", line 13, characters 15-19: 0 RHS evaluated for global `one` at "WHY3DATA/stdlib/int.mlw", line 14, characters 15-18: 1 Type default value for return value of call at "bench/check-ce/test_result_ce_value2.mlw", line 3, characters 10-15 at "bench/check-ce/test_result_ce_value2.mlw", line 3, characters 10-15: 0 RHS evaluated for global `a` at "bench/check-ce/test_result_ce_value2.mlw", line 3, characters 8-9: {contents= 0} Value from model for parameter `x` at "bench/check-ce/test_result_ce_value2.mlw", line 17, characters 11-12: (-1) Value from model for variable `a` at "bench/check-ce/test_result_ce_value2.mlw", line 21, characters 5-9 at "bench/check-ce/test_result_ce_value2.mlw", line 21, characters 5-9: {contents= (-1)} Value from model for return value of call to id at "bench/check-ce/test_result_ce_value2.mlw", line 21, characters 5-9 at "bench/check-ce/test_result_ce_value2.mlw", line 21, characters 5-9: 0 Value from model for variable `a` at "bench/check-ce/test_result_ce_value2.mlw", line 21, characters 19-23 at "bench/check-ce/test_result_ce_value2.mlw", line 21, characters 19-23: {contents= 40} Value from model for return value of call to id at "bench/check-ce/test_result_ce_value2.mlw", line 21, characters 19-23 at "bench/check-ce/test_result_ce_value2.mlw", line 21, characters 19-23: 41 Result of checking model 0: NC - Concrete RAC: FAILURE (postcondition at "bench/check-ce/test_result_ce_value2.mlw", line 18, characters 12-19) File int.mlw: Line 13: Constant zero initialization zero = 0 Line 14: Constant one initialization one = 1 File test_result_ce_value2.mlw: Line 3: Constant a initialization (giant-step) execution of unimplemented function with args: result = 0 Normal execution of function `ref` with args: contents = 0 Normal execution of function `ref'mk` with args: contents = 0 a = {contents= 0} Line 17: x = (-1) x = (-1) Execution of main function `test3` with env: a = {contents= 0} x = (-1) zero = 0 one = 1 Line 21: (giant-step) execution of unimplemented function `id` x = (-1) a = {contents= (-1)} result of `id` = 0 Normal execution of function `(<)` with args: _ = 0 _ = 100 (giant-step) execution of unimplemented function `id` x = (-1) a = {contents= 40} result of `id` = 41 Normal execution of function `(>)` with args: x = 41 y = 50 Line 24: Normal execution of function `contents` with args: arg = {contents= 40} Normal execution of function `(+)` with args: _ = 40 _ = 2 Line 18: Property failure at postcondition of `test3` with: a = {contents= 42} - Abstract RAC: FAILURE (postcondition at "bench/check-ce/test_result_ce_value2.mlw", line 18, characters 12-19) File int.mlw: Line 13: Constant zero initialization zero = 0 Line 14: Constant one initialization one = 1 File test_result_ce_value2.mlw: Line 3: Constant a initialization (giant-step) execution of unimplemented function with args: result = 0 Normal execution of function `ref` with args: contents = 0 Normal execution of function `ref'mk` with args: contents = 0 a = {contents= 0} Line 17: x = (-1) x = (-1) Execution of main function `test3` with env: a = {contents= 0} x = (-1) zero = 0 one = 1 Line 21: Giant-step execution of function `id` with args: x = (-1) a = {contents= (-1)} result of `id` = 0 Normal execution of function `(<)` with args: _ = 0 _ = 100 Giant-step execution of function `id` with args: x = (-1) a = {contents= 40} result of `id` = 41 Normal execution of function `(>)` with args: x = 41 y = 50 Line 24: Normal execution of function `contents` with args: arg = {contents= 40} Normal execution of function `(+)` with args: _ = 40 _ = 2 Line 18: Property failure at postcondition of `test3` with: a = {contents= 42} Check model 1 ("bench/check-ce/test_result_ce_value2.mlw", line 18, characters 12-19) Checking model: File test_result_ce_value2.mlw: Line 7: x = {"type": "Integer", "val": "-1"} Line 8: a = {"type": "Record", "val": {"Field": [{"field": "contents", "value": {"type": "Integer", "val": "40"}}]}} Line 17: x = {"type": "Integer", "val": "-1"} Line 18: a = {"type": "Record", "val": {"Field": [{"field": "contents", "value": {"type": "Integer", "val": "42"}}]}} a = {"type": "Record", "val": {"Field": [{"field": "contents", "value": {"type": "Integer", "val": "42"}}]}} Line 21: a = {"type": "Record", "val": {"Field": [{"field": "contents", "value": {"type": "Integer", "val": "-1"}}]}} a = {"type": "Record", "val": {"Field": [{"field": "contents", "value": {"type": "Integer", "val": "40"}}]}} result = {"type": "Integer", "val": "41"} result = {"type": "Integer", "val": "0"} Line 24: a = {"type": "Record", "val": {"Field": [{"field": "contents", "value": {"type": "Integer", "val": "42"}}]}} Giant-step RAC RHS evaluated for global `zero` at "WHY3DATA/stdlib/int.mlw", line 13, characters 15-19: 0 RHS evaluated for global `one` at "WHY3DATA/stdlib/int.mlw", line 14, characters 15-18: 1 Type default value for return value of call at "bench/check-ce/test_result_ce_value2.mlw", line 3, characters 10-15 at "bench/check-ce/test_result_ce_value2.mlw", line 3, characters 10-15: 0 RHS evaluated for global `a` at "bench/check-ce/test_result_ce_value2.mlw", line 3, characters 8-9: {contents= 0} Value from model for parameter `x` at "bench/check-ce/test_result_ce_value2.mlw", line 17, characters 11-12: (-1) Value from model for variable `a` at "bench/check-ce/test_result_ce_value2.mlw", line 21, characters 5-9 at "bench/check-ce/test_result_ce_value2.mlw", line 21, characters 5-9: {contents= (-1)} Value from model for return value of call to id at "bench/check-ce/test_result_ce_value2.mlw", line 21, characters 5-9 at "bench/check-ce/test_result_ce_value2.mlw", line 21, characters 5-9: 0 Value from model for variable `a` at "bench/check-ce/test_result_ce_value2.mlw", line 21, characters 19-23 at "bench/check-ce/test_result_ce_value2.mlw", line 21, characters 19-23: {contents= 40} Value from model for return value of call to id at "bench/check-ce/test_result_ce_value2.mlw", line 21, characters 19-23 at "bench/check-ce/test_result_ce_value2.mlw", line 21, characters 19-23: 41 Normal RAC RHS evaluated for global `zero` at "WHY3DATA/stdlib/int.mlw", line 13, characters 15-19: 0 RHS evaluated for global `one` at "WHY3DATA/stdlib/int.mlw", line 14, characters 15-18: 1 Type default value for return value of call at "bench/check-ce/test_result_ce_value2.mlw", line 3, characters 10-15 at "bench/check-ce/test_result_ce_value2.mlw", line 3, characters 10-15: 0 RHS evaluated for global `a` at "bench/check-ce/test_result_ce_value2.mlw", line 3, characters 8-9: {contents= 0} Value from model for parameter `x` at "bench/check-ce/test_result_ce_value2.mlw", line 17, characters 11-12: (-1) Value from model for variable `a` at "bench/check-ce/test_result_ce_value2.mlw", line 21, characters 5-9 at "bench/check-ce/test_result_ce_value2.mlw", line 21, characters 5-9: {contents= (-1)} Value from model for return value of call to id at "bench/check-ce/test_result_ce_value2.mlw", line 21, characters 5-9 at "bench/check-ce/test_result_ce_value2.mlw", line 21, characters 5-9: 0 Value from model for variable `a` at "bench/check-ce/test_result_ce_value2.mlw", line 21, characters 19-23 at "bench/check-ce/test_result_ce_value2.mlw", line 21, characters 19-23: {contents= 40} Value from model for return value of call to id at "bench/check-ce/test_result_ce_value2.mlw", line 21, characters 19-23 at "bench/check-ce/test_result_ce_value2.mlw", line 21, characters 19-23: 41 Result of checking model 1: NC - Concrete RAC: FAILURE (postcondition at "bench/check-ce/test_result_ce_value2.mlw", line 18, characters 12-19) File int.mlw: Line 13: Constant zero initialization zero = 0 Line 14: Constant one initialization one = 1 File test_result_ce_value2.mlw: Line 3: Constant a initialization (giant-step) execution of unimplemented function with args: result = 0 Normal execution of function `ref` with args: contents = 0 Normal execution of function `ref'mk` with args: contents = 0 a = {contents= 0} Line 17: x = (-1) x = (-1) Execution of main function `test3` with env: a = {contents= 0} x = (-1) zero = 0 one = 1 Line 21: (giant-step) execution of unimplemented function `id` x = (-1) a = {contents= (-1)} result of `id` = 0 Normal execution of function `(<)` with args: _ = 0 _ = 100 (giant-step) execution of unimplemented function `id` x = (-1) a = {contents= 40} result of `id` = 41 Normal execution of function `(>)` with args: x = 41 y = 50 Line 24: Normal execution of function `contents` with args: arg = {contents= 40} Normal execution of function `(+)` with args: _ = 40 _ = 2 Line 18: Property failure at postcondition of `test3` with: a = {contents= 42} - Abstract RAC: FAILURE (postcondition at "bench/check-ce/test_result_ce_value2.mlw", line 18, characters 12-19) File int.mlw: Line 13: Constant zero initialization zero = 0 Line 14: Constant one initialization one = 1 File test_result_ce_value2.mlw: Line 3: Constant a initialization (giant-step) execution of unimplemented function with args: result = 0 Normal execution of function `ref` with args: contents = 0 Normal execution of function `ref'mk` with args: contents = 0 a = {contents= 0} Line 17: x = (-1) x = (-1) Execution of main function `test3` with env: a = {contents= 0} x = (-1) zero = 0 one = 1 Line 21: Giant-step execution of function `id` with args: x = (-1) a = {contents= (-1)} result of `id` = 0 Normal execution of function `(<)` with args: _ = 0 _ = 100 Giant-step execution of function `id` with args: x = (-1) a = {contents= 40} result of `id` = 41 Normal execution of function `(>)` with args: x = 41 y = 50 Line 24: Normal execution of function `contents` with args: arg = {contents= 40} Normal execution of function `(+)` with args: _ = 40 _ = 2 Line 18: Property failure at postcondition of `test3` with: a = {contents= 42} Results: - Selected model 0: NC - Concrete RAC: FAILURE (postcondition at "bench/check-ce/test_result_ce_value2.mlw", line 18, characters 12-19) - Abstract RAC: FAILURE (postcondition at "bench/check-ce/test_result_ce_value2.mlw", line 18, characters 12-19) - Checked model 1: NC - Concrete RAC: FAILURE (postcondition at "bench/check-ce/test_result_ce_value2.mlw", line 18, characters 12-19) - Abstract RAC: FAILURE (postcondition at "bench/check-ce/test_result_ce_value2.mlw", line 18, characters 12-19) File "bench/check-ce/test_result_ce_value2.mlw", line 18, characters 12-19: Sub-goal Postcondition of goal test3'vc. Prover result is: Unknown (unknown) (1.23s, 7500000 steps). The program does not comply to the verification goal, for example during the following execution: File int.mlw: Line 13: Constant zero initialization zero = 0 Line 14: Constant one initialization one = 1 File test_result_ce_value2.mlw: Line 3: Constant a initialization (giant-step) execution of unimplemented function with args: result = 0 Normal execution of function `ref` with args: contents = 0 Normal execution of function `ref'mk` with args: contents = 0 a = {contents= 0} Line 17: x = (-1) x = (-1) Execution of main function `test3` with env: a = {contents= 0} x = (-1) zero = 0 one = 1 Line 21: (giant-step) execution of unimplemented function `id` x = (-1) a = {contents= (-1)} result of `id` = 0 Normal execution of function `(<)` with args: _ = 0 _ = 100 (giant-step) execution of unimplemented function `id` x = (-1) a = {contents= 40} result of `id` = 41 Normal execution of function `(>)` with args: x = 41 y = 50 Line 24: Normal execution of function `contents` with args: arg = {contents= 40} Normal execution of function `(+)` with args: _ = 40 _ = 2 Line 18: Property failure at postcondition of `test3` with: a = {contents= 42} File "bench/check-ce/test_result_ce_value2.mlw", line 18, characters 12-19: Sub-goal Postcondition of goal test3'vc. Prover result is: Valid (0.01s, 67 steps). Check model 0 ("bench/check-ce/test_result_ce_value2.mlw", line 18, characters 12-19) Checking model: File test_result_ce_value2.mlw: Line 7: x = {"type": "Integer", "val": "0"} Line 8: a = {"type": "Record", "val": {"Field": [{"field": "contents", "value": {"type": "Integer", "val": "40"}}]}} Line 17: x = {"type": "Integer", "val": "0"} Line 18: a = {"type": "Record", "val": {"Field": [{"field": "contents", "value": {"type": "Integer", "val": "42"}}]}} a = {"type": "Record", "val": {"Field": [{"field": "contents", "value": {"type": "Integer", "val": "42"}}]}} Line 21: a = {"type": "Record", "val": {"Field": [{"field": "contents", "value": {"type": "Integer", "val": "40"}}]}} result = {"type": "Integer", "val": "100"} Line 24: a = {"type": "Record", "val": {"Field": [{"field": "contents", "value": {"type": "Integer", "val": "42"}}]}} Giant-step RAC RHS evaluated for global `zero` at "WHY3DATA/stdlib/int.mlw", line 13, characters 15-19: 0 RHS evaluated for global `one` at "WHY3DATA/stdlib/int.mlw", line 14, characters 15-18: 1 Type default value for return value of call at "bench/check-ce/test_result_ce_value2.mlw", line 3, characters 10-15 at "bench/check-ce/test_result_ce_value2.mlw", line 3, characters 10-15: 0 RHS evaluated for global `a` at "bench/check-ce/test_result_ce_value2.mlw", line 3, characters 8-9: {contents= 0} Value from model for parameter `x` at "bench/check-ce/test_result_ce_value2.mlw", line 17, characters 11-12: 0 Value from model for variable `a` at "bench/check-ce/test_result_ce_value2.mlw", line 21, characters 5-9 at "bench/check-ce/test_result_ce_value2.mlw", line 21, characters 5-9: {contents= 40} Value from model for return value of call to id at "bench/check-ce/test_result_ce_value2.mlw", line 21, characters 5-9 at "bench/check-ce/test_result_ce_value2.mlw", line 21, characters 5-9: 100 Normal RAC RHS evaluated for global `zero` at "WHY3DATA/stdlib/int.mlw", line 13, characters 15-19: 0 RHS evaluated for global `one` at "WHY3DATA/stdlib/int.mlw", line 14, characters 15-18: 1 Type default value for return value of call at "bench/check-ce/test_result_ce_value2.mlw", line 3, characters 10-15 at "bench/check-ce/test_result_ce_value2.mlw", line 3, characters 10-15: 0 RHS evaluated for global `a` at "bench/check-ce/test_result_ce_value2.mlw", line 3, characters 8-9: {contents= 0} Value from model for parameter `x` at "bench/check-ce/test_result_ce_value2.mlw", line 17, characters 11-12: 0 Value from model for variable `a` at "bench/check-ce/test_result_ce_value2.mlw", line 21, characters 5-9 at "bench/check-ce/test_result_ce_value2.mlw", line 21, characters 5-9: {contents= 40} Value from model for return value of call to id at "bench/check-ce/test_result_ce_value2.mlw", line 21, characters 5-9 at "bench/check-ce/test_result_ce_value2.mlw", line 21, characters 5-9: 100 Result of checking model 0: NC - Concrete RAC: FAILURE (postcondition at "bench/check-ce/test_result_ce_value2.mlw", line 18, characters 12-19) File int.mlw: Line 13: Constant zero initialization zero = 0 Line 14: Constant one initialization one = 1 File test_result_ce_value2.mlw: Line 3: Constant a initialization (giant-step) execution of unimplemented function with args: result = 0 Normal execution of function `ref` with args: contents = 0 Normal execution of function `ref'mk` with args: contents = 0 a = {contents= 0} Line 17: x = 0 x = 0 Execution of main function `test3` with env: a = {contents= 0} x = 0 zero = 0 one = 1 Line 21: (giant-step) execution of unimplemented function `id` x = 0 a = {contents= 40} result of `id` = 100 Normal execution of function `(<)` with args: _ = 100 _ = 100 Unknown location: Normal execution of function `False` with args: File test_result_ce_value2.mlw: Line 24: Normal execution of function `contents` with args: arg = {contents= 40} Normal execution of function `(+)` with args: _ = 40 _ = 2 Line 18: Property failure at postcondition of `test3` with: a = {contents= 42} - Abstract RAC: FAILURE (postcondition at "bench/check-ce/test_result_ce_value2.mlw", line 18, characters 12-19) File int.mlw: Line 13: Constant zero initialization zero = 0 Line 14: Constant one initialization one = 1 File test_result_ce_value2.mlw: Line 3: Constant a initialization (giant-step) execution of unimplemented function with args: result = 0 Normal execution of function `ref` with args: contents = 0 Normal execution of function `ref'mk` with args: contents = 0 a = {contents= 0} Line 17: x = 0 x = 0 Execution of main function `test3` with env: a = {contents= 0} x = 0 zero = 0 one = 1 Line 21: Giant-step execution of function `id` with args: x = 0 a = {contents= 40} result of `id` = 100 Normal execution of function `(<)` with args: _ = 100 _ = 100 Unknown location: Normal execution of function `False` with args: File test_result_ce_value2.mlw: Line 24: Normal execution of function `contents` with args: arg = {contents= 40} Normal execution of function `(+)` with args: _ = 40 _ = 2 Line 18: Property failure at postcondition of `test3` with: a = {contents= 42} Check model 1 ("bench/check-ce/test_result_ce_value2.mlw", line 18, characters 12-19) Checking model: File test_result_ce_value2.mlw: Line 7: x = {"type": "Integer", "val": "0"} Line 8: a = {"type": "Record", "val": {"Field": [{"field": "contents", "value": {"type": "Integer", "val": "40"}}]}} Line 17: x = {"type": "Integer", "val": "0"} Line 18: a = {"type": "Record", "val": {"Field": [{"field": "contents", "value": {"type": "Integer", "val": "42"}}]}} a = {"type": "Record", "val": {"Field": [{"field": "contents", "value": {"type": "Integer", "val": "42"}}]}} Line 21: a = {"type": "Record", "val": {"Field": [{"field": "contents", "value": {"type": "Integer", "val": "40"}}]}} result = {"type": "Integer", "val": "100"} Line 24: a = {"type": "Record", "val": {"Field": [{"field": "contents", "value": {"type": "Integer", "val": "42"}}]}} Giant-step RAC RHS evaluated for global `zero` at "WHY3DATA/stdlib/int.mlw", line 13, characters 15-19: 0 RHS evaluated for global `one` at "WHY3DATA/stdlib/int.mlw", line 14, characters 15-18: 1 Type default value for return value of call at "bench/check-ce/test_result_ce_value2.mlw", line 3, characters 10-15 at "bench/check-ce/test_result_ce_value2.mlw", line 3, characters 10-15: 0 RHS evaluated for global `a` at "bench/check-ce/test_result_ce_value2.mlw", line 3, characters 8-9: {contents= 0} Value from model for parameter `x` at "bench/check-ce/test_result_ce_value2.mlw", line 17, characters 11-12: 0 Value from model for variable `a` at "bench/check-ce/test_result_ce_value2.mlw", line 21, characters 5-9 at "bench/check-ce/test_result_ce_value2.mlw", line 21, characters 5-9: {contents= 40} Value from model for return value of call to id at "bench/check-ce/test_result_ce_value2.mlw", line 21, characters 5-9 at "bench/check-ce/test_result_ce_value2.mlw", line 21, characters 5-9: 100 Normal RAC RHS evaluated for global `zero` at "WHY3DATA/stdlib/int.mlw", line 13, characters 15-19: 0 RHS evaluated for global `one` at "WHY3DATA/stdlib/int.mlw", line 14, characters 15-18: 1 Type default value for return value of call at "bench/check-ce/test_result_ce_value2.mlw", line 3, characters 10-15 at "bench/check-ce/test_result_ce_value2.mlw", line 3, characters 10-15: 0 RHS evaluated for global `a` at "bench/check-ce/test_result_ce_value2.mlw", line 3, characters 8-9: {contents= 0} Value from model for parameter `x` at "bench/check-ce/test_result_ce_value2.mlw", line 17, characters 11-12: 0 Value from model for variable `a` at "bench/check-ce/test_result_ce_value2.mlw", line 21, characters 5-9 at "bench/check-ce/test_result_ce_value2.mlw", line 21, characters 5-9: {contents= 40} Value from model for return value of call to id at "bench/check-ce/test_result_ce_value2.mlw", line 21, characters 5-9 at "bench/check-ce/test_result_ce_value2.mlw", line 21, characters 5-9: 100 Result of checking model 1: NC - Concrete RAC: FAILURE (postcondition at "bench/check-ce/test_result_ce_value2.mlw", line 18, characters 12-19) File int.mlw: Line 13: Constant zero initialization zero = 0 Line 14: Constant one initialization one = 1 File test_result_ce_value2.mlw: Line 3: Constant a initialization (giant-step) execution of unimplemented function with args: result = 0 Normal execution of function `ref` with args: contents = 0 Normal execution of function `ref'mk` with args: contents = 0 a = {contents= 0} Line 17: x = 0 x = 0 Execution of main function `test3` with env: a = {contents= 0} x = 0 zero = 0 one = 1 Line 21: (giant-step) execution of unimplemented function `id` x = 0 a = {contents= 40} result of `id` = 100 Normal execution of function `(<)` with args: _ = 100 _ = 100 Unknown location: Normal execution of function `False` with args: File test_result_ce_value2.mlw: Line 24: Normal execution of function `contents` with args: arg = {contents= 40} Normal execution of function `(+)` with args: _ = 40 _ = 2 Line 18: Property failure at postcondition of `test3` with: a = {contents= 42} - Abstract RAC: FAILURE (postcondition at "bench/check-ce/test_result_ce_value2.mlw", line 18, characters 12-19) File int.mlw: Line 13: Constant zero initialization zero = 0 Line 14: Constant one initialization one = 1 File test_result_ce_value2.mlw: Line 3: Constant a initialization (giant-step) execution of unimplemented function with args: result = 0 Normal execution of function `ref` with args: contents = 0 Normal execution of function `ref'mk` with args: contents = 0 a = {contents= 0} Line 17: x = 0 x = 0 Execution of main function `test3` with env: a = {contents= 0} x = 0 zero = 0 one = 1 Line 21: Giant-step execution of function `id` with args: x = 0 a = {contents= 40} result of `id` = 100 Normal execution of function `(<)` with args: _ = 100 _ = 100 Unknown location: Normal execution of function `False` with args: File test_result_ce_value2.mlw: Line 24: Normal execution of function `contents` with args: arg = {contents= 40} Normal execution of function `(+)` with args: _ = 40 _ = 2 Line 18: Property failure at postcondition of `test3` with: a = {contents= 42} Results: - Selected model 0: NC - Concrete RAC: FAILURE (postcondition at "bench/check-ce/test_result_ce_value2.mlw", line 18, characters 12-19) - Abstract RAC: FAILURE (postcondition at "bench/check-ce/test_result_ce_value2.mlw", line 18, characters 12-19) - Checked model 1: NC - Concrete RAC: FAILURE (postcondition at "bench/check-ce/test_result_ce_value2.mlw", line 18, characters 12-19) - Abstract RAC: FAILURE (postcondition at "bench/check-ce/test_result_ce_value2.mlw", line 18, characters 12-19) File "bench/check-ce/test_result_ce_value2.mlw", line 18, characters 12-19: Sub-goal Postcondition of goal test3'vc. Prover result is: Unknown (unknown) (1.25s, 7500000 steps). The program does not comply to the verification goal, for example during the following execution: File int.mlw: Line 13: Constant zero initialization zero = 0 Line 14: Constant one initialization one = 1 File test_result_ce_value2.mlw: Line 3: Constant a initialization (giant-step) execution of unimplemented function with args: result = 0 Normal execution of function `ref` with args: contents = 0 Normal execution of function `ref'mk` with args: contents = 0 a = {contents= 0} Line 17: x = 0 x = 0 Execution of main function `test3` with env: a = {contents= 0} x = 0 zero = 0 one = 1 Line 21: (giant-step) execution of unimplemented function `id` x = 0 a = {contents= 40} result of `id` = 100 Normal execution of function `(<)` with args: _ = 100 _ = 100 Unknown location: Normal execution of function `False` with args: File test_result_ce_value2.mlw: Line 24: Normal execution of function `contents` with args: arg = {contents= 40} Normal execution of function `(+)` with args: _ = 40 _ = 2 Line 18: Property failure at postcondition of `test3` with: a = {contents= 42} why3-1.6.0/bench/check-ce/oracles/threshold_CVC4,1.8_SP.oracle000066400000000000000000000227221440160026300234310ustar00rootroot00000000000000Categorizations of models: - Checked model 0: BAD_CE - Concrete RAC: STUCK (for range projection int32 at "bench/check-ce/threshold.mlw", line 8, characters 13-16) - Abstract RAC: STUCK (for range projection int32 at "bench/check-ce/threshold.mlw", line 8, characters 13-16) - Selected model 1: NC - Concrete RAC: FAILURE (precondition at "bench/check-ce/threshold.mlw", line 11, characters 11-20) - Abstract RAC: FAILURE (precondition at "bench/check-ce/threshold.mlw", line 11, characters 11-20) File "bench/check-ce/threshold.mlw", line 11, characters 11-20: Sub-goal Integer overflow of goal f'vc. Prover result is: Unknown or time/memory/step limit. The program does not comply to the verification goal, for example during the following execution: File int.mlw: Line 13: Constant zero initialization zero = 0 Line 14: Constant one initialization one = 1 File int.mlw: Line 258: Constant min_int32 initialization min_int32 = (-2147483648) Line 259: Constant max_int32 initialization max_int32 = 2147483647 File threshold.mlw: Line 8: n = epsilon x:int32. int32'int x = (- 1) min = epsilon x:int32. int32'int x = (- 1) max = epsilon x:int32. int32'int x = (- 2147483648) n = epsilon x:int32. int32'int x = (- 1) min = epsilon x:int32. int32'int x = (- 1) max = epsilon x:int32. int32'int x = (- 2147483648) Execution of main function `f` with env: n = epsilon x:int32. int32'int x = (- 1) min = epsilon x:int32. int32'int x = (- 1) max = epsilon x:int32. int32'int x = (- 2147483648) zero = 0 one = 1 min_int32 = (-2147483648) max_int32 = 2147483647 Line 11: (giant-step) execution of unimplemented function `(+)` a = epsilon x:int32. int32'int x = (- 1) b = epsilon x:int32. int32'int x = (- 2147483648) Property failure at precondition of `(+)` with: a = epsilon x:int32. int32'int x = (- 1) b = epsilon x:int32. int32'int x = (- 2147483648) Categorizations of models: - Selected model 0: NC - Concrete RAC: FAILURE (postcondition at "bench/check-ce/threshold.mlw", line 9, characters 13-33) - Abstract RAC: FAILURE (postcondition at "bench/check-ce/threshold.mlw", line 9, characters 13-33) - Checked model 1: NC - Concrete RAC: FAILURE (postcondition at "bench/check-ce/threshold.mlw", line 9, characters 13-33) - Abstract RAC: FAILURE (postcondition at "bench/check-ce/threshold.mlw", line 9, characters 13-33) File "bench/check-ce/threshold.mlw", line 9, characters 13-33: Sub-goal Postcondition of goal f'vc. Prover result is: Unknown or time/memory/step limit. The program does not comply to the verification goal, for example during the following execution: File int.mlw: Line 13: Constant zero initialization zero = 0 Line 14: Constant one initialization one = 1 File int.mlw: Line 258: Constant min_int32 initialization min_int32 = (-2147483648) Line 259: Constant max_int32 initialization max_int32 = 2147483647 File threshold.mlw: Line 8: n = epsilon x:int32. int32'int x = 1 min = epsilon x:int32. int32'int x = 1 max = epsilon x:int32. int32'int x = 0 n = epsilon x:int32. int32'int x = 1 min = epsilon x:int32. int32'int x = 1 max = epsilon x:int32. int32'int x = 0 Execution of main function `f` with env: n = epsilon x:int32. int32'int x = 1 min = epsilon x:int32. int32'int x = 1 max = epsilon x:int32. int32'int x = 0 zero = 0 one = 1 min_int32 = (-2147483648) max_int32 = 2147483647 Line 11: (giant-step) execution of unimplemented function `(+)` a = epsilon x:int32. int32'int x = 1 b = epsilon x:int32. int32'int x = 0 result of `(+)` = epsilon x:int32. int32'int x = 1 Line 12: (giant-step) execution of unimplemented function `(<)` a = epsilon x:int32. int32'int x = 1 b = epsilon x:int32. int32'int x = 1 result of `(<)` = false (giant-step) execution of unimplemented function `(>)` a = epsilon x:int32. int32'int x = 1 b = epsilon x:int32. int32'int x = 0 result of `(>)` = true Line 9: Property failure at postcondition of `f` with: min = epsilon x:int32. int32'int x = 1 max = epsilon x:int32. int32'int x = 0 result = epsilon x:int32. int32'int x = 0 Categorizations of models: - Selected model 0: NC - Concrete RAC: FAILURE (precondition at "bench/check-ce/threshold.mlw", line 30, characters 11-24) - Abstract RAC: FAILURE (precondition at "bench/check-ce/threshold.mlw", line 30, characters 11-24) - Checked model 1: NC - Concrete RAC: FAILURE (precondition at "bench/check-ce/threshold.mlw", line 30, characters 11-24) - Abstract RAC: FAILURE (precondition at "bench/check-ce/threshold.mlw", line 30, characters 11-24) File "bench/check-ce/threshold.mlw", line 30, characters 11-24: Sub-goal Arithmetic overflow of goal f'vc. Prover result is: Unknown or time/memory/step limit. The program does not comply to the verification goal, for example during the following execution: File int.mlw: Line 13: Constant zero initialization zero = 0 Line 14: Constant one initialization one = 1 File bv.mlw: Line 611: Constant zeros initialization Line 192: (giant-step) execution of unimplemented function with args: result = 0 Line 611: zeros = 0 Constant one initialization Line 197: (giant-step) execution of unimplemented function with args: result = 0 Line 611: one = 0 Constant ones initialization Line 199: (giant-step) execution of unimplemented function with args: result = 0 Line 611: ones = 0 Line 653: Constant zeros initialization Line 192: (giant-step) execution of unimplemented function with args: result = 0 Line 653: zeros = 0 Constant one initialization Line 197: (giant-step) execution of unimplemented function with args: result = 0 Line 653: one = 0 Constant ones initialization Line 199: (giant-step) execution of unimplemented function with args: result = 0 Line 653: ones = 0 File threshold.mlw: Line 26: n = (0:t) min = (4294967295:t) max = (4294967295:t) n = (0:t) min = (4294967295:t) max = (4294967295:t) Execution of main function `f` with env: n = (0:t) min = (4294967295:t) max = (4294967295:t) zero = 0 one = 1 zeros = 0 one = 0 ones = 0 zeros = 0 one = 0 ones = 0 Line 30: (giant-step) execution of unimplemented function `u_add` a = (4294967295:t) b = (4294967295:t) Property failure at precondition of `u_add` with: a = (4294967295:t) b = (4294967295:t) Categorizations of models: - Selected model 0: NC - Concrete RAC: FAILURE (postcondition at "bench/check-ce/threshold.mlw", line 27, characters 13-45) - Abstract RAC: FAILURE (postcondition at "bench/check-ce/threshold.mlw", line 27, characters 13-45) - Checked model 1: NC - Concrete RAC: FAILURE (postcondition at "bench/check-ce/threshold.mlw", line 27, characters 13-45) - Abstract RAC: FAILURE (postcondition at "bench/check-ce/threshold.mlw", line 27, characters 13-45) File "bench/check-ce/threshold.mlw", line 27, characters 13-45: Sub-goal Postcondition of goal f'vc. Prover result is: Unknown or time/memory/step limit. The program does not comply to the verification goal, for example during the following execution: File int.mlw: Line 13: Constant zero initialization zero = 0 Line 14: Constant one initialization one = 1 File bv.mlw: Line 611: Constant zeros initialization Line 192: (giant-step) execution of unimplemented function with args: result = 0 Line 611: zeros = 0 Constant one initialization Line 197: (giant-step) execution of unimplemented function with args: result = 0 Line 611: one = 0 Constant ones initialization Line 199: (giant-step) execution of unimplemented function with args: result = 0 Line 611: ones = 0 Line 653: Constant zeros initialization Line 192: (giant-step) execution of unimplemented function with args: result = 0 Line 653: zeros = 0 Constant one initialization Line 197: (giant-step) execution of unimplemented function with args: result = 0 Line 653: one = 0 Constant ones initialization Line 199: (giant-step) execution of unimplemented function with args: result = 0 Line 653: ones = 0 File threshold.mlw: Line 26: n = (4294967295:t) min = (2147483648:t) max = (2147483647:t) n = (4294967295:t) min = (2147483648:t) max = (2147483647:t) Execution of main function `f` with env: n = (4294967295:t) min = (2147483648:t) max = (2147483647:t) zero = 0 one = 1 zeros = 0 one = 0 ones = 0 zeros = 0 one = 0 ones = 0 Line 30: (giant-step) execution of unimplemented function `u_add` a = (2147483648:t) b = (2147483647:t) result of `u_add` = (4294967295:t) Line 31: (giant-step) execution of unimplemented function `u_lt` a = (4294967295:t) b = (2147483648:t) result of `u_lt` = false (giant-step) execution of unimplemented function `u_gt` a = (4294967295:t) b = (2147483647:t) result of `u_gt` = true Line 27: Property failure at postcondition of `f1` with: min = (2147483648:t) max = (2147483647:t) result = (2147483647:t) why3-1.6.0/bench/check-ce/oracles/threshold_CVC4,1.8_WP.oracle000066400000000000000000000227221440160026300234350ustar00rootroot00000000000000Categorizations of models: - Checked model 0: BAD_CE - Concrete RAC: STUCK (for range projection int32 at "bench/check-ce/threshold.mlw", line 8, characters 13-16) - Abstract RAC: STUCK (for range projection int32 at "bench/check-ce/threshold.mlw", line 8, characters 13-16) - Selected model 1: NC - Concrete RAC: FAILURE (precondition at "bench/check-ce/threshold.mlw", line 11, characters 11-20) - Abstract RAC: FAILURE (precondition at "bench/check-ce/threshold.mlw", line 11, characters 11-20) File "bench/check-ce/threshold.mlw", line 11, characters 11-20: Sub-goal Integer overflow of goal f'vc. Prover result is: Unknown or time/memory/step limit. The program does not comply to the verification goal, for example during the following execution: File int.mlw: Line 13: Constant zero initialization zero = 0 Line 14: Constant one initialization one = 1 File int.mlw: Line 258: Constant min_int32 initialization min_int32 = (-2147483648) Line 259: Constant max_int32 initialization max_int32 = 2147483647 File threshold.mlw: Line 8: n = epsilon x:int32. int32'int x = (- 1) min = epsilon x:int32. int32'int x = (- 1) max = epsilon x:int32. int32'int x = (- 2147483648) n = epsilon x:int32. int32'int x = (- 1) min = epsilon x:int32. int32'int x = (- 1) max = epsilon x:int32. int32'int x = (- 2147483648) Execution of main function `f` with env: n = epsilon x:int32. int32'int x = (- 1) min = epsilon x:int32. int32'int x = (- 1) max = epsilon x:int32. int32'int x = (- 2147483648) zero = 0 one = 1 min_int32 = (-2147483648) max_int32 = 2147483647 Line 11: (giant-step) execution of unimplemented function `(+)` a = epsilon x:int32. int32'int x = (- 1) b = epsilon x:int32. int32'int x = (- 2147483648) Property failure at precondition of `(+)` with: a = epsilon x:int32. int32'int x = (- 1) b = epsilon x:int32. int32'int x = (- 2147483648) Categorizations of models: - Selected model 0: NC - Concrete RAC: FAILURE (postcondition at "bench/check-ce/threshold.mlw", line 9, characters 13-33) - Abstract RAC: FAILURE (postcondition at "bench/check-ce/threshold.mlw", line 9, characters 13-33) - Checked model 1: NC - Concrete RAC: FAILURE (postcondition at "bench/check-ce/threshold.mlw", line 9, characters 13-33) - Abstract RAC: FAILURE (postcondition at "bench/check-ce/threshold.mlw", line 9, characters 13-33) File "bench/check-ce/threshold.mlw", line 9, characters 13-33: Sub-goal Postcondition of goal f'vc. Prover result is: Unknown or time/memory/step limit. The program does not comply to the verification goal, for example during the following execution: File int.mlw: Line 13: Constant zero initialization zero = 0 Line 14: Constant one initialization one = 1 File int.mlw: Line 258: Constant min_int32 initialization min_int32 = (-2147483648) Line 259: Constant max_int32 initialization max_int32 = 2147483647 File threshold.mlw: Line 8: n = epsilon x:int32. int32'int x = 1 min = epsilon x:int32. int32'int x = 1 max = epsilon x:int32. int32'int x = 0 n = epsilon x:int32. int32'int x = 1 min = epsilon x:int32. int32'int x = 1 max = epsilon x:int32. int32'int x = 0 Execution of main function `f` with env: n = epsilon x:int32. int32'int x = 1 min = epsilon x:int32. int32'int x = 1 max = epsilon x:int32. int32'int x = 0 zero = 0 one = 1 min_int32 = (-2147483648) max_int32 = 2147483647 Line 11: (giant-step) execution of unimplemented function `(+)` a = epsilon x:int32. int32'int x = 1 b = epsilon x:int32. int32'int x = 0 result of `(+)` = epsilon x:int32. int32'int x = 1 Line 12: (giant-step) execution of unimplemented function `(<)` a = epsilon x:int32. int32'int x = 1 b = epsilon x:int32. int32'int x = 1 result of `(<)` = false (giant-step) execution of unimplemented function `(>)` a = epsilon x:int32. int32'int x = 1 b = epsilon x:int32. int32'int x = 0 result of `(>)` = true Line 9: Property failure at postcondition of `f` with: min = epsilon x:int32. int32'int x = 1 max = epsilon x:int32. int32'int x = 0 result = epsilon x:int32. int32'int x = 0 Categorizations of models: - Selected model 0: NC - Concrete RAC: FAILURE (precondition at "bench/check-ce/threshold.mlw", line 30, characters 11-24) - Abstract RAC: FAILURE (precondition at "bench/check-ce/threshold.mlw", line 30, characters 11-24) - Checked model 1: NC - Concrete RAC: FAILURE (precondition at "bench/check-ce/threshold.mlw", line 30, characters 11-24) - Abstract RAC: FAILURE (precondition at "bench/check-ce/threshold.mlw", line 30, characters 11-24) File "bench/check-ce/threshold.mlw", line 30, characters 11-24: Sub-goal Arithmetic overflow of goal f'vc. Prover result is: Unknown or time/memory/step limit. The program does not comply to the verification goal, for example during the following execution: File int.mlw: Line 13: Constant zero initialization zero = 0 Line 14: Constant one initialization one = 1 File bv.mlw: Line 611: Constant zeros initialization Line 192: (giant-step) execution of unimplemented function with args: result = 0 Line 611: zeros = 0 Constant one initialization Line 197: (giant-step) execution of unimplemented function with args: result = 0 Line 611: one = 0 Constant ones initialization Line 199: (giant-step) execution of unimplemented function with args: result = 0 Line 611: ones = 0 Line 653: Constant zeros initialization Line 192: (giant-step) execution of unimplemented function with args: result = 0 Line 653: zeros = 0 Constant one initialization Line 197: (giant-step) execution of unimplemented function with args: result = 0 Line 653: one = 0 Constant ones initialization Line 199: (giant-step) execution of unimplemented function with args: result = 0 Line 653: ones = 0 File threshold.mlw: Line 26: n = (0:t) min = (4294967295:t) max = (4294967295:t) n = (0:t) min = (4294967295:t) max = (4294967295:t) Execution of main function `f` with env: n = (0:t) min = (4294967295:t) max = (4294967295:t) zero = 0 one = 1 zeros = 0 one = 0 ones = 0 zeros = 0 one = 0 ones = 0 Line 30: (giant-step) execution of unimplemented function `u_add` a = (4294967295:t) b = (4294967295:t) Property failure at precondition of `u_add` with: a = (4294967295:t) b = (4294967295:t) Categorizations of models: - Selected model 0: NC - Concrete RAC: FAILURE (postcondition at "bench/check-ce/threshold.mlw", line 27, characters 13-45) - Abstract RAC: FAILURE (postcondition at "bench/check-ce/threshold.mlw", line 27, characters 13-45) - Checked model 1: NC - Concrete RAC: FAILURE (postcondition at "bench/check-ce/threshold.mlw", line 27, characters 13-45) - Abstract RAC: FAILURE (postcondition at "bench/check-ce/threshold.mlw", line 27, characters 13-45) File "bench/check-ce/threshold.mlw", line 27, characters 13-45: Sub-goal Postcondition of goal f'vc. Prover result is: Unknown or time/memory/step limit. The program does not comply to the verification goal, for example during the following execution: File int.mlw: Line 13: Constant zero initialization zero = 0 Line 14: Constant one initialization one = 1 File bv.mlw: Line 611: Constant zeros initialization Line 192: (giant-step) execution of unimplemented function with args: result = 0 Line 611: zeros = 0 Constant one initialization Line 197: (giant-step) execution of unimplemented function with args: result = 0 Line 611: one = 0 Constant ones initialization Line 199: (giant-step) execution of unimplemented function with args: result = 0 Line 611: ones = 0 Line 653: Constant zeros initialization Line 192: (giant-step) execution of unimplemented function with args: result = 0 Line 653: zeros = 0 Constant one initialization Line 197: (giant-step) execution of unimplemented function with args: result = 0 Line 653: one = 0 Constant ones initialization Line 199: (giant-step) execution of unimplemented function with args: result = 0 Line 653: ones = 0 File threshold.mlw: Line 26: n = (4294967295:t) min = (2147483648:t) max = (2147483647:t) n = (4294967295:t) min = (2147483648:t) max = (2147483647:t) Execution of main function `f` with env: n = (4294967295:t) min = (2147483648:t) max = (2147483647:t) zero = 0 one = 1 zeros = 0 one = 0 ones = 0 zeros = 0 one = 0 ones = 0 Line 30: (giant-step) execution of unimplemented function `u_add` a = (2147483648:t) b = (2147483647:t) result of `u_add` = (4294967295:t) Line 31: (giant-step) execution of unimplemented function `u_lt` a = (4294967295:t) b = (2147483648:t) result of `u_lt` = false (giant-step) execution of unimplemented function `u_gt` a = (4294967295:t) b = (2147483647:t) result of `u_gt` = true Line 27: Property failure at postcondition of `f1` with: min = (2147483648:t) max = (2147483647:t) result = (2147483647:t) why3-1.6.0/bench/check-ce/oracles/threshold_CVC5,1.0.0_SP.oracle000066400000000000000000000157701440160026300235650ustar00rootroot00000000000000Categorizations of models: - Checked model 0: BAD_CE - Concrete RAC: STUCK (for range projection int32 at "bench/check-ce/threshold.mlw", line 8, characters 13-16) - Abstract RAC: STUCK (for range projection int32 at "bench/check-ce/threshold.mlw", line 8, characters 13-16) - Selected model 1: NC - Concrete RAC: FAILURE (precondition at "bench/check-ce/threshold.mlw", line 11, characters 11-20) - Abstract RAC: FAILURE (precondition at "bench/check-ce/threshold.mlw", line 11, characters 11-20) File "bench/check-ce/threshold.mlw", line 11, characters 11-20: Sub-goal Integer overflow of goal f'vc. Prover result is: Unknown or time/memory/step limit. The program does not comply to the verification goal, for example during the following execution: File int.mlw: Line 13: Constant zero initialization zero = 0 Line 14: Constant one initialization one = 1 File int.mlw: Line 258: Constant min_int32 initialization min_int32 = (-2147483648) Line 259: Constant max_int32 initialization max_int32 = 2147483647 File threshold.mlw: Line 8: n = epsilon x:int32. int32'int x = (- 1) min = epsilon x:int32. int32'int x = (- 1) max = epsilon x:int32. int32'int x = (- 2147483648) n = epsilon x:int32. int32'int x = (- 1) min = epsilon x:int32. int32'int x = (- 1) max = epsilon x:int32. int32'int x = (- 2147483648) Execution of main function `f` with env: n = epsilon x:int32. int32'int x = (- 1) min = epsilon x:int32. int32'int x = (- 1) max = epsilon x:int32. int32'int x = (- 2147483648) zero = 0 one = 1 min_int32 = (-2147483648) max_int32 = 2147483647 Line 11: (giant-step) execution of unimplemented function `(+)` a = epsilon x:int32. int32'int x = (- 1) b = epsilon x:int32. int32'int x = (- 2147483648) Property failure at precondition of `(+)` with: a = epsilon x:int32. int32'int x = (- 1) b = epsilon x:int32. int32'int x = (- 2147483648) Categorizations of models: - Selected model 0: NC - Concrete RAC: FAILURE (postcondition at "bench/check-ce/threshold.mlw", line 9, characters 13-33) - Abstract RAC: FAILURE (postcondition at "bench/check-ce/threshold.mlw", line 9, characters 13-33) - Checked model 1: NC - Concrete RAC: FAILURE (postcondition at "bench/check-ce/threshold.mlw", line 9, characters 13-33) - Abstract RAC: FAILURE (postcondition at "bench/check-ce/threshold.mlw", line 9, characters 13-33) File "bench/check-ce/threshold.mlw", line 9, characters 13-33: Sub-goal Postcondition of goal f'vc. Prover result is: Unknown or time/memory/step limit. The program does not comply to the verification goal, for example during the following execution: File int.mlw: Line 13: Constant zero initialization zero = 0 Line 14: Constant one initialization one = 1 File int.mlw: Line 258: Constant min_int32 initialization min_int32 = (-2147483648) Line 259: Constant max_int32 initialization max_int32 = 2147483647 File threshold.mlw: Line 8: n = epsilon x:int32. int32'int x = 0 min = epsilon x:int32. int32'int x = 0 max = epsilon x:int32. int32'int x = (- 1) n = epsilon x:int32. int32'int x = 0 min = epsilon x:int32. int32'int x = 0 max = epsilon x:int32. int32'int x = (- 1) Execution of main function `f` with env: n = epsilon x:int32. int32'int x = 0 min = epsilon x:int32. int32'int x = 0 max = epsilon x:int32. int32'int x = (- 1) zero = 0 one = 1 min_int32 = (-2147483648) max_int32 = 2147483647 Line 11: (giant-step) execution of unimplemented function `(+)` a = epsilon x:int32. int32'int x = 0 b = epsilon x:int32. int32'int x = (- 1) result of `(+)` = epsilon x:int32. int32'int x = (- 1) Line 12: (giant-step) execution of unimplemented function `(<)` a = epsilon x:int32. int32'int x = 0 b = epsilon x:int32. int32'int x = 0 result of `(<)` = false (giant-step) execution of unimplemented function `(>)` a = epsilon x:int32. int32'int x = 0 b = epsilon x:int32. int32'int x = (- 1) result of `(>)` = true Line 9: Property failure at postcondition of `f` with: min = epsilon x:int32. int32'int x = 0 max = epsilon x:int32. int32'int x = (- 1) result = epsilon x:int32. int32'int x = (- 1) Categorizations of models: - Selected model 0: NC - Concrete RAC: FAILURE (precondition at "bench/check-ce/threshold.mlw", line 30, characters 11-24) - Abstract RAC: FAILURE (precondition at "bench/check-ce/threshold.mlw", line 30, characters 11-24) - Checked model 1: NC - Concrete RAC: FAILURE (precondition at "bench/check-ce/threshold.mlw", line 30, characters 11-24) - Abstract RAC: FAILURE (precondition at "bench/check-ce/threshold.mlw", line 30, characters 11-24) File "bench/check-ce/threshold.mlw", line 30, characters 11-24: Sub-goal Arithmetic overflow of goal f'vc. Prover result is: Unknown or time/memory/step limit. The program does not comply to the verification goal, for example during the following execution: File int.mlw: Line 13: Constant zero initialization zero = 0 Line 14: Constant one initialization one = 1 File bv.mlw: Line 611: Constant zeros initialization Line 192: (giant-step) execution of unimplemented function with args: result = 0 Line 611: zeros = 0 Constant one initialization Line 197: (giant-step) execution of unimplemented function with args: result = 0 Line 611: one = 0 Constant ones initialization Line 199: (giant-step) execution of unimplemented function with args: result = 0 Line 611: ones = 0 Line 653: Constant zeros initialization Line 192: (giant-step) execution of unimplemented function with args: result = 0 Line 653: zeros = 0 Constant one initialization Line 197: (giant-step) execution of unimplemented function with args: result = 0 Line 653: one = 0 Constant ones initialization Line 199: (giant-step) execution of unimplemented function with args: result = 0 Line 653: ones = 0 File threshold.mlw: Line 26: n = (0:t) min = (4294967295:t) max = (4294967295:t) n = (0:t) min = (4294967295:t) max = (4294967295:t) Execution of main function `f` with env: n = (0:t) min = (4294967295:t) max = (4294967295:t) zero = 0 one = 1 zeros = 0 one = 0 ones = 0 zeros = 0 one = 0 ones = 0 Line 30: (giant-step) execution of unimplemented function `u_add` a = (4294967295:t) b = (4294967295:t) Property failure at precondition of `u_add` with: a = (4294967295:t) b = (4294967295:t) Categorizations of models: - Checked model 0: BAD_CE - Concrete RAC: NORMAL - Abstract RAC: NORMAL File "bench/check-ce/threshold.mlw", line 27, characters 13-45: Sub-goal Postcondition of goal f'vc. Prover result is: Unknown or time/memory/step limit. why3-1.6.0/bench/check-ce/oracles/threshold_CVC5,1.0.0_WP.oracle000066400000000000000000000157701440160026300235710ustar00rootroot00000000000000Categorizations of models: - Checked model 0: BAD_CE - Concrete RAC: STUCK (for range projection int32 at "bench/check-ce/threshold.mlw", line 8, characters 13-16) - Abstract RAC: STUCK (for range projection int32 at "bench/check-ce/threshold.mlw", line 8, characters 13-16) - Selected model 1: NC - Concrete RAC: FAILURE (precondition at "bench/check-ce/threshold.mlw", line 11, characters 11-20) - Abstract RAC: FAILURE (precondition at "bench/check-ce/threshold.mlw", line 11, characters 11-20) File "bench/check-ce/threshold.mlw", line 11, characters 11-20: Sub-goal Integer overflow of goal f'vc. Prover result is: Unknown or time/memory/step limit. The program does not comply to the verification goal, for example during the following execution: File int.mlw: Line 13: Constant zero initialization zero = 0 Line 14: Constant one initialization one = 1 File int.mlw: Line 258: Constant min_int32 initialization min_int32 = (-2147483648) Line 259: Constant max_int32 initialization max_int32 = 2147483647 File threshold.mlw: Line 8: n = epsilon x:int32. int32'int x = (- 1) min = epsilon x:int32. int32'int x = (- 1) max = epsilon x:int32. int32'int x = (- 2147483648) n = epsilon x:int32. int32'int x = (- 1) min = epsilon x:int32. int32'int x = (- 1) max = epsilon x:int32. int32'int x = (- 2147483648) Execution of main function `f` with env: n = epsilon x:int32. int32'int x = (- 1) min = epsilon x:int32. int32'int x = (- 1) max = epsilon x:int32. int32'int x = (- 2147483648) zero = 0 one = 1 min_int32 = (-2147483648) max_int32 = 2147483647 Line 11: (giant-step) execution of unimplemented function `(+)` a = epsilon x:int32. int32'int x = (- 1) b = epsilon x:int32. int32'int x = (- 2147483648) Property failure at precondition of `(+)` with: a = epsilon x:int32. int32'int x = (- 1) b = epsilon x:int32. int32'int x = (- 2147483648) Categorizations of models: - Selected model 0: NC - Concrete RAC: FAILURE (postcondition at "bench/check-ce/threshold.mlw", line 9, characters 13-33) - Abstract RAC: FAILURE (postcondition at "bench/check-ce/threshold.mlw", line 9, characters 13-33) - Checked model 1: NC - Concrete RAC: FAILURE (postcondition at "bench/check-ce/threshold.mlw", line 9, characters 13-33) - Abstract RAC: FAILURE (postcondition at "bench/check-ce/threshold.mlw", line 9, characters 13-33) File "bench/check-ce/threshold.mlw", line 9, characters 13-33: Sub-goal Postcondition of goal f'vc. Prover result is: Unknown or time/memory/step limit. The program does not comply to the verification goal, for example during the following execution: File int.mlw: Line 13: Constant zero initialization zero = 0 Line 14: Constant one initialization one = 1 File int.mlw: Line 258: Constant min_int32 initialization min_int32 = (-2147483648) Line 259: Constant max_int32 initialization max_int32 = 2147483647 File threshold.mlw: Line 8: n = epsilon x:int32. int32'int x = 0 min = epsilon x:int32. int32'int x = 0 max = epsilon x:int32. int32'int x = (- 1) n = epsilon x:int32. int32'int x = 0 min = epsilon x:int32. int32'int x = 0 max = epsilon x:int32. int32'int x = (- 1) Execution of main function `f` with env: n = epsilon x:int32. int32'int x = 0 min = epsilon x:int32. int32'int x = 0 max = epsilon x:int32. int32'int x = (- 1) zero = 0 one = 1 min_int32 = (-2147483648) max_int32 = 2147483647 Line 11: (giant-step) execution of unimplemented function `(+)` a = epsilon x:int32. int32'int x = 0 b = epsilon x:int32. int32'int x = (- 1) result of `(+)` = epsilon x:int32. int32'int x = (- 1) Line 12: (giant-step) execution of unimplemented function `(<)` a = epsilon x:int32. int32'int x = 0 b = epsilon x:int32. int32'int x = 0 result of `(<)` = false (giant-step) execution of unimplemented function `(>)` a = epsilon x:int32. int32'int x = 0 b = epsilon x:int32. int32'int x = (- 1) result of `(>)` = true Line 9: Property failure at postcondition of `f` with: min = epsilon x:int32. int32'int x = 0 max = epsilon x:int32. int32'int x = (- 1) result = epsilon x:int32. int32'int x = (- 1) Categorizations of models: - Selected model 0: NC - Concrete RAC: FAILURE (precondition at "bench/check-ce/threshold.mlw", line 30, characters 11-24) - Abstract RAC: FAILURE (precondition at "bench/check-ce/threshold.mlw", line 30, characters 11-24) - Checked model 1: NC - Concrete RAC: FAILURE (precondition at "bench/check-ce/threshold.mlw", line 30, characters 11-24) - Abstract RAC: FAILURE (precondition at "bench/check-ce/threshold.mlw", line 30, characters 11-24) File "bench/check-ce/threshold.mlw", line 30, characters 11-24: Sub-goal Arithmetic overflow of goal f'vc. Prover result is: Unknown or time/memory/step limit. The program does not comply to the verification goal, for example during the following execution: File int.mlw: Line 13: Constant zero initialization zero = 0 Line 14: Constant one initialization one = 1 File bv.mlw: Line 611: Constant zeros initialization Line 192: (giant-step) execution of unimplemented function with args: result = 0 Line 611: zeros = 0 Constant one initialization Line 197: (giant-step) execution of unimplemented function with args: result = 0 Line 611: one = 0 Constant ones initialization Line 199: (giant-step) execution of unimplemented function with args: result = 0 Line 611: ones = 0 Line 653: Constant zeros initialization Line 192: (giant-step) execution of unimplemented function with args: result = 0 Line 653: zeros = 0 Constant one initialization Line 197: (giant-step) execution of unimplemented function with args: result = 0 Line 653: one = 0 Constant ones initialization Line 199: (giant-step) execution of unimplemented function with args: result = 0 Line 653: ones = 0 File threshold.mlw: Line 26: n = (0:t) min = (4294967295:t) max = (4294967295:t) n = (0:t) min = (4294967295:t) max = (4294967295:t) Execution of main function `f` with env: n = (0:t) min = (4294967295:t) max = (4294967295:t) zero = 0 one = 1 zeros = 0 one = 0 ones = 0 zeros = 0 one = 0 ones = 0 Line 30: (giant-step) execution of unimplemented function `u_add` a = (4294967295:t) b = (4294967295:t) Property failure at precondition of `u_add` with: a = (4294967295:t) b = (4294967295:t) Categorizations of models: - Checked model 0: BAD_CE - Concrete RAC: NORMAL - Abstract RAC: NORMAL File "bench/check-ce/threshold.mlw", line 27, characters 13-45: Sub-goal Postcondition of goal f'vc. Prover result is: Unknown or time/memory/step limit. why3-1.6.0/bench/check-ce/oracles/threshold_Z3,4.8.10_SP.oracle000066400000000000000000000213351440160026300234470ustar00rootroot00000000000000Categorizations of models: - Checked model 0: BAD_CE - Concrete RAC: STUCK (for range projection int32 at "bench/check-ce/threshold.mlw", line 8, characters 9-12) - Abstract RAC: STUCK (for range projection int32 at "bench/check-ce/threshold.mlw", line 8, characters 9-12) - Selected model 1: NC - Concrete RAC: FAILURE (precondition at "bench/check-ce/threshold.mlw", line 11, characters 11-20) - Abstract RAC: FAILURE (precondition at "bench/check-ce/threshold.mlw", line 11, characters 11-20) File "bench/check-ce/threshold.mlw", line 11, characters 11-20: Sub-goal Integer overflow of goal f'vc. Prover result is: Unknown (sat). The program does not comply to the verification goal, for example during the following execution: File int.mlw: Line 13: Constant zero initialization zero = 0 Line 14: Constant one initialization one = 1 File int.mlw: Line 258: Constant min_int32 initialization min_int32 = (-2147483648) Line 259: Constant max_int32 initialization max_int32 = 2147483647 File threshold.mlw: Line 8: n = epsilon x:int32. int32'int x = 1 min = epsilon x:int32. int32'int x = 2147483647 max = epsilon x:int32. int32'int x = 1 n = epsilon x:int32. int32'int x = 1 min = epsilon x:int32. int32'int x = 2147483647 max = epsilon x:int32. int32'int x = 1 Execution of main function `f` with env: n = epsilon x:int32. int32'int x = 1 min = epsilon x:int32. int32'int x = 2147483647 max = epsilon x:int32. int32'int x = 1 zero = 0 one = 1 min_int32 = (-2147483648) max_int32 = 2147483647 Line 11: (giant-step) execution of unimplemented function `(+)` a = epsilon x:int32. int32'int x = 2147483647 b = epsilon x:int32. int32'int x = 1 Property failure at precondition of `(+)` with: a = epsilon x:int32. int32'int x = 2147483647 b = epsilon x:int32. int32'int x = 1 Categorizations of models: - Selected model 0: NC - Concrete RAC: FAILURE (postcondition at "bench/check-ce/threshold.mlw", line 9, characters 13-33) - Abstract RAC: FAILURE (postcondition at "bench/check-ce/threshold.mlw", line 9, characters 13-33) - Checked model 1: NC - Concrete RAC: FAILURE (postcondition at "bench/check-ce/threshold.mlw", line 9, characters 13-33) - Abstract RAC: FAILURE (postcondition at "bench/check-ce/threshold.mlw", line 9, characters 13-33) File "bench/check-ce/threshold.mlw", line 9, characters 13-33: Sub-goal Postcondition of goal f'vc. Prover result is: Unknown (sat). The program does not comply to the verification goal, for example during the following execution: File int.mlw: Line 13: Constant zero initialization zero = 0 Line 14: Constant one initialization one = 1 File int.mlw: Line 258: Constant min_int32 initialization min_int32 = (-2147483648) Line 259: Constant max_int32 initialization max_int32 = 2147483647 File threshold.mlw: Line 8: n = epsilon x:int32. int32'int x = (- 1) min = epsilon x:int32. int32'int x = 0 max = epsilon x:int32. int32'int x = (- 1) n = epsilon x:int32. int32'int x = (- 1) min = epsilon x:int32. int32'int x = 0 max = epsilon x:int32. int32'int x = (- 1) Execution of main function `f` with env: n = epsilon x:int32. int32'int x = (- 1) min = epsilon x:int32. int32'int x = 0 max = epsilon x:int32. int32'int x = (- 1) zero = 0 one = 1 min_int32 = (-2147483648) max_int32 = 2147483647 Line 11: (giant-step) execution of unimplemented function `(+)` a = epsilon x:int32. int32'int x = 0 b = epsilon x:int32. int32'int x = (- 1) result of `(+)` = epsilon x:int32. int32'int x = (- 1) Line 12: (giant-step) execution of unimplemented function `(<)` a = epsilon x:int32. int32'int x = (- 1) b = epsilon x:int32. int32'int x = 0 result of `(<)` = true Line 9: Property failure at postcondition of `f` with: min = epsilon x:int32. int32'int x = 0 max = epsilon x:int32. int32'int x = (- 1) result = epsilon x:int32. int32'int x = 0 Categorizations of models: - Selected model 0: NC - Concrete RAC: FAILURE (precondition at "bench/check-ce/threshold.mlw", line 30, characters 11-24) - Abstract RAC: FAILURE (precondition at "bench/check-ce/threshold.mlw", line 30, characters 11-24) - Checked model 1: BAD_CE - Concrete RAC: NORMAL - Abstract RAC: NORMAL File "bench/check-ce/threshold.mlw", line 30, characters 11-24: Sub-goal Arithmetic overflow of goal f'vc. Prover result is: Unknown or time/memory/step limit. The program does not comply to the verification goal, for example during the following execution: File int.mlw: Line 13: Constant zero initialization zero = 0 Line 14: Constant one initialization one = 1 File bv.mlw: Line 611: Constant zeros initialization Line 192: (giant-step) execution of unimplemented function with args: result = 0 Line 611: zeros = 0 Constant one initialization Line 197: (giant-step) execution of unimplemented function with args: result = 0 Line 611: one = 0 Constant ones initialization Line 199: (giant-step) execution of unimplemented function with args: result = 0 Line 611: ones = 0 Line 653: Constant zeros initialization Line 192: (giant-step) execution of unimplemented function with args: result = 0 Line 653: zeros = 0 Constant one initialization Line 197: (giant-step) execution of unimplemented function with args: result = 0 Line 653: one = 0 Constant ones initialization Line 199: (giant-step) execution of unimplemented function with args: result = 0 Line 653: ones = 0 File threshold.mlw: Line 26: n = (0:t) min = (2147516419:t) max = (2147524228:t) n = (0:t) min = (2147516419:t) max = (2147524228:t) Execution of main function `f` with env: n = (0:t) min = (2147516419:t) max = (2147524228:t) zero = 0 one = 1 zeros = 0 one = 0 ones = 0 zeros = 0 one = 0 ones = 0 Line 30: (giant-step) execution of unimplemented function `u_add` a = (2147516419:t) b = (2147524228:t) Property failure at precondition of `u_add` with: a = (2147516419:t) b = (2147524228:t) Categorizations of models: - Selected model 0: NC - Concrete RAC: FAILURE (postcondition at "bench/check-ce/threshold.mlw", line 27, characters 13-45) - Abstract RAC: FAILURE (postcondition at "bench/check-ce/threshold.mlw", line 27, characters 13-45) - Checked model 1: BAD_CE - Concrete RAC: NORMAL - Abstract RAC: NORMAL File "bench/check-ce/threshold.mlw", line 27, characters 13-45: Sub-goal Postcondition of goal f'vc. Prover result is: Unknown or time/memory/step limit. The program does not comply to the verification goal, for example during the following execution: File int.mlw: Line 13: Constant zero initialization zero = 0 Line 14: Constant one initialization one = 1 File bv.mlw: Line 611: Constant zeros initialization Line 192: (giant-step) execution of unimplemented function with args: result = 0 Line 611: zeros = 0 Constant one initialization Line 197: (giant-step) execution of unimplemented function with args: result = 0 Line 611: one = 0 Constant ones initialization Line 199: (giant-step) execution of unimplemented function with args: result = 0 Line 611: ones = 0 Line 653: Constant zeros initialization Line 192: (giant-step) execution of unimplemented function with args: result = 0 Line 653: zeros = 0 Constant one initialization Line 197: (giant-step) execution of unimplemented function with args: result = 0 Line 653: one = 0 Constant ones initialization Line 199: (giant-step) execution of unimplemented function with args: result = 0 Line 653: ones = 0 File threshold.mlw: Line 26: n = (2:t) min = (268435459:t) max = (0:t) n = (2:t) min = (268435459:t) max = (0:t) Execution of main function `f` with env: n = (2:t) min = (268435459:t) max = (0:t) zero = 0 one = 1 zeros = 0 one = 0 ones = 0 zeros = 0 one = 0 ones = 0 Line 30: (giant-step) execution of unimplemented function `u_add` a = (268435459:t) b = (0:t) result of `u_add` = (268435459:t) Line 31: (giant-step) execution of unimplemented function `u_lt` a = (2:t) b = (268435459:t) result of `u_lt` = true Line 27: Property failure at postcondition of `f1` with: min = (268435459:t) max = (0:t) result = (268435459:t) why3-1.6.0/bench/check-ce/oracles/threshold_Z3,4.8.10_WP.oracle000066400000000000000000000213511440160026300234510ustar00rootroot00000000000000Categorizations of models: - Checked model 0: BAD_CE - Concrete RAC: STUCK (for range projection int32 at "bench/check-ce/threshold.mlw", line 8, characters 9-12) - Abstract RAC: STUCK (for range projection int32 at "bench/check-ce/threshold.mlw", line 8, characters 9-12) - Selected model 1: NC - Concrete RAC: FAILURE (precondition at "bench/check-ce/threshold.mlw", line 11, characters 11-20) - Abstract RAC: FAILURE (precondition at "bench/check-ce/threshold.mlw", line 11, characters 11-20) File "bench/check-ce/threshold.mlw", line 11, characters 11-20: Sub-goal Integer overflow of goal f'vc. Prover result is: Unknown (sat). The program does not comply to the verification goal, for example during the following execution: File int.mlw: Line 13: Constant zero initialization zero = 0 Line 14: Constant one initialization one = 1 File int.mlw: Line 258: Constant min_int32 initialization min_int32 = (-2147483648) Line 259: Constant max_int32 initialization max_int32 = 2147483647 File threshold.mlw: Line 8: n = epsilon x:int32. int32'int x = 1 min = epsilon x:int32. int32'int x = 2147483647 max = epsilon x:int32. int32'int x = 1 n = epsilon x:int32. int32'int x = 1 min = epsilon x:int32. int32'int x = 2147483647 max = epsilon x:int32. int32'int x = 1 Execution of main function `f` with env: n = epsilon x:int32. int32'int x = 1 min = epsilon x:int32. int32'int x = 2147483647 max = epsilon x:int32. int32'int x = 1 zero = 0 one = 1 min_int32 = (-2147483648) max_int32 = 2147483647 Line 11: (giant-step) execution of unimplemented function `(+)` a = epsilon x:int32. int32'int x = 2147483647 b = epsilon x:int32. int32'int x = 1 Property failure at precondition of `(+)` with: a = epsilon x:int32. int32'int x = 2147483647 b = epsilon x:int32. int32'int x = 1 Categorizations of models: - Selected model 0: NC - Concrete RAC: FAILURE (postcondition at "bench/check-ce/threshold.mlw", line 9, characters 13-33) - Abstract RAC: FAILURE (postcondition at "bench/check-ce/threshold.mlw", line 9, characters 13-33) - Checked model 1: NC - Concrete RAC: FAILURE (postcondition at "bench/check-ce/threshold.mlw", line 9, characters 13-33) - Abstract RAC: FAILURE (postcondition at "bench/check-ce/threshold.mlw", line 9, characters 13-33) File "bench/check-ce/threshold.mlw", line 9, characters 13-33: Sub-goal Postcondition of goal f'vc. Prover result is: Unknown (sat). The program does not comply to the verification goal, for example during the following execution: File int.mlw: Line 13: Constant zero initialization zero = 0 Line 14: Constant one initialization one = 1 File int.mlw: Line 258: Constant min_int32 initialization min_int32 = (-2147483648) Line 259: Constant max_int32 initialization max_int32 = 2147483647 File threshold.mlw: Line 8: n = epsilon x:int32. int32'int x = 1 min = epsilon x:int32. int32'int x = 2 max = epsilon x:int32. int32'int x = 0 n = epsilon x:int32. int32'int x = 1 min = epsilon x:int32. int32'int x = 2 max = epsilon x:int32. int32'int x = 0 Execution of main function `f` with env: n = epsilon x:int32. int32'int x = 1 min = epsilon x:int32. int32'int x = 2 max = epsilon x:int32. int32'int x = 0 zero = 0 one = 1 min_int32 = (-2147483648) max_int32 = 2147483647 Line 11: (giant-step) execution of unimplemented function `(+)` a = epsilon x:int32. int32'int x = 2 b = epsilon x:int32. int32'int x = 0 result of `(+)` = epsilon x:int32. int32'int x = 2 Line 12: (giant-step) execution of unimplemented function `(<)` a = epsilon x:int32. int32'int x = 1 b = epsilon x:int32. int32'int x = 2 result of `(<)` = true Line 9: Property failure at postcondition of `f` with: min = epsilon x:int32. int32'int x = 2 max = epsilon x:int32. int32'int x = 0 result = epsilon x:int32. int32'int x = 2 Categorizations of models: - Selected model 0: NC - Concrete RAC: FAILURE (precondition at "bench/check-ce/threshold.mlw", line 30, characters 11-24) - Abstract RAC: FAILURE (precondition at "bench/check-ce/threshold.mlw", line 30, characters 11-24) - Checked model 1: BAD_CE - Concrete RAC: NORMAL - Abstract RAC: NORMAL File "bench/check-ce/threshold.mlw", line 30, characters 11-24: Sub-goal Arithmetic overflow of goal f'vc. Prover result is: Unknown or time/memory/step limit. The program does not comply to the verification goal, for example during the following execution: File int.mlw: Line 13: Constant zero initialization zero = 0 Line 14: Constant one initialization one = 1 File bv.mlw: Line 611: Constant zeros initialization Line 192: (giant-step) execution of unimplemented function with args: result = 0 Line 611: zeros = 0 Constant one initialization Line 197: (giant-step) execution of unimplemented function with args: result = 0 Line 611: one = 0 Constant ones initialization Line 199: (giant-step) execution of unimplemented function with args: result = 0 Line 611: ones = 0 Line 653: Constant zeros initialization Line 192: (giant-step) execution of unimplemented function with args: result = 0 Line 653: zeros = 0 Constant one initialization Line 197: (giant-step) execution of unimplemented function with args: result = 0 Line 653: one = 0 Constant ones initialization Line 199: (giant-step) execution of unimplemented function with args: result = 0 Line 653: ones = 0 File threshold.mlw: Line 26: n = (0:t) min = (2147516419:t) max = (2147524228:t) n = (0:t) min = (2147516419:t) max = (2147524228:t) Execution of main function `f` with env: n = (0:t) min = (2147516419:t) max = (2147524228:t) zero = 0 one = 1 zeros = 0 one = 0 ones = 0 zeros = 0 one = 0 ones = 0 Line 30: (giant-step) execution of unimplemented function `u_add` a = (2147516419:t) b = (2147524228:t) Property failure at precondition of `u_add` with: a = (2147516419:t) b = (2147524228:t) Categorizations of models: - Selected model 0: NC - Concrete RAC: FAILURE (postcondition at "bench/check-ce/threshold.mlw", line 27, characters 13-45) - Abstract RAC: FAILURE (postcondition at "bench/check-ce/threshold.mlw", line 27, characters 13-45) - Checked model 1: BAD_CE - Concrete RAC: NORMAL - Abstract RAC: NORMAL File "bench/check-ce/threshold.mlw", line 27, characters 13-45: Sub-goal Postcondition of goal f'vc. Prover result is: Unknown or time/memory/step limit. The program does not comply to the verification goal, for example during the following execution: File int.mlw: Line 13: Constant zero initialization zero = 0 Line 14: Constant one initialization one = 1 File bv.mlw: Line 611: Constant zeros initialization Line 192: (giant-step) execution of unimplemented function with args: result = 0 Line 611: zeros = 0 Constant one initialization Line 197: (giant-step) execution of unimplemented function with args: result = 0 Line 611: one = 0 Constant ones initialization Line 199: (giant-step) execution of unimplemented function with args: result = 0 Line 611: ones = 0 Line 653: Constant zeros initialization Line 192: (giant-step) execution of unimplemented function with args: result = 0 Line 653: zeros = 0 Constant one initialization Line 197: (giant-step) execution of unimplemented function with args: result = 0 Line 653: one = 0 Constant ones initialization Line 199: (giant-step) execution of unimplemented function with args: result = 0 Line 653: ones = 0 File threshold.mlw: Line 26: n = (1084386:t) min = (2147651297:t) max = (35552:t) n = (1084386:t) min = (2147651297:t) max = (35552:t) Execution of main function `f` with env: n = (1084386:t) min = (2147651297:t) max = (35552:t) zero = 0 one = 1 zeros = 0 one = 0 ones = 0 zeros = 0 one = 0 ones = 0 Line 30: (giant-step) execution of unimplemented function `u_add` a = (2147651297:t) b = (35552:t) result of `u_add` = (2147686849:t) Line 31: (giant-step) execution of unimplemented function `u_lt` a = (1084386:t) b = (2147651297:t) result of `u_lt` = true Line 27: Property failure at postcondition of `f1` with: min = (2147651297:t) max = (35552:t) result = (2147651297:t) why3-1.6.0/bench/check-ce/oracles/tuple1_CVC4,1.8_SP.oracle000066400000000000000000000016371440160026300226510ustar00rootroot00000000000000Categorizations of models: - Checked model 0: BAD_CE - Concrete RAC: NORMAL - Abstract RAC: NORMAL - Selected model 1: BAD_CE - Concrete RAC: NORMAL - Abstract RAC: NORMAL File "bench/check-ce/tuple1.mlw", line 7, characters 14-19: Sub-goal Integer overflow of goal swap'vc. Prover result is: Unknown or time/memory/step limit. Sorry, we don't have a good counterexample for you :( File "bench/check-ce/tuple1.mlw", line 7, characters 14-23: Sub-goal Integer overflow of goal swap'vc. Prover result is: Valid. File "bench/check-ce/tuple1.mlw", line 7, characters 3-8: Sub-goal Integer overflow of goal swap'vc. Prover result is: Valid. File "bench/check-ce/tuple1.mlw", line 7, characters 3-12: Sub-goal Integer overflow of goal swap'vc. Prover result is: Valid. File "bench/check-ce/tuple1.mlw", line 5, characters 38-43: Sub-goal Postcondition of goal swap'vc. Prover result is: Valid. why3-1.6.0/bench/check-ce/oracles/tuple1_CVC4,1.8_WP.oracle000066400000000000000000000016371440160026300226550ustar00rootroot00000000000000Categorizations of models: - Checked model 0: BAD_CE - Concrete RAC: NORMAL - Abstract RAC: NORMAL - Selected model 1: BAD_CE - Concrete RAC: NORMAL - Abstract RAC: NORMAL File "bench/check-ce/tuple1.mlw", line 7, characters 14-19: Sub-goal Integer overflow of goal swap'vc. Prover result is: Unknown or time/memory/step limit. Sorry, we don't have a good counterexample for you :( File "bench/check-ce/tuple1.mlw", line 7, characters 14-23: Sub-goal Integer overflow of goal swap'vc. Prover result is: Valid. File "bench/check-ce/tuple1.mlw", line 7, characters 3-8: Sub-goal Integer overflow of goal swap'vc. Prover result is: Valid. File "bench/check-ce/tuple1.mlw", line 7, characters 3-12: Sub-goal Integer overflow of goal swap'vc. Prover result is: Valid. File "bench/check-ce/tuple1.mlw", line 5, characters 38-43: Sub-goal Postcondition of goal swap'vc. Prover result is: Valid. why3-1.6.0/bench/check-ce/oracles/tuple1_CVC5,1.0.0_SP.oracle000066400000000000000000000016371440160026300230000ustar00rootroot00000000000000Categorizations of models: - Checked model 0: BAD_CE - Concrete RAC: NORMAL - Abstract RAC: NORMAL - Selected model 1: BAD_CE - Concrete RAC: NORMAL - Abstract RAC: NORMAL File "bench/check-ce/tuple1.mlw", line 7, characters 14-19: Sub-goal Integer overflow of goal swap'vc. Prover result is: Unknown or time/memory/step limit. Sorry, we don't have a good counterexample for you :( File "bench/check-ce/tuple1.mlw", line 7, characters 14-23: Sub-goal Integer overflow of goal swap'vc. Prover result is: Valid. File "bench/check-ce/tuple1.mlw", line 7, characters 3-8: Sub-goal Integer overflow of goal swap'vc. Prover result is: Valid. File "bench/check-ce/tuple1.mlw", line 7, characters 3-12: Sub-goal Integer overflow of goal swap'vc. Prover result is: Valid. File "bench/check-ce/tuple1.mlw", line 5, characters 38-43: Sub-goal Postcondition of goal swap'vc. Prover result is: Valid. why3-1.6.0/bench/check-ce/oracles/tuple1_CVC5,1.0.0_WP.oracle000066400000000000000000000016371440160026300230040ustar00rootroot00000000000000Categorizations of models: - Checked model 0: BAD_CE - Concrete RAC: NORMAL - Abstract RAC: NORMAL - Selected model 1: BAD_CE - Concrete RAC: NORMAL - Abstract RAC: NORMAL File "bench/check-ce/tuple1.mlw", line 7, characters 14-19: Sub-goal Integer overflow of goal swap'vc. Prover result is: Unknown or time/memory/step limit. Sorry, we don't have a good counterexample for you :( File "bench/check-ce/tuple1.mlw", line 7, characters 14-23: Sub-goal Integer overflow of goal swap'vc. Prover result is: Valid. File "bench/check-ce/tuple1.mlw", line 7, characters 3-8: Sub-goal Integer overflow of goal swap'vc. Prover result is: Valid. File "bench/check-ce/tuple1.mlw", line 7, characters 3-12: Sub-goal Integer overflow of goal swap'vc. Prover result is: Valid. File "bench/check-ce/tuple1.mlw", line 5, characters 38-43: Sub-goal Postcondition of goal swap'vc. Prover result is: Valid. why3-1.6.0/bench/check-ce/oracles/tuple1_Z3,4.8.10_SP.oracle000066400000000000000000000016371440160026300226700ustar00rootroot00000000000000Categorizations of models: - Selected model 0: BAD_CE - Concrete RAC: NORMAL - Abstract RAC: NORMAL - Checked model 1: BAD_CE - Concrete RAC: NORMAL - Abstract RAC: NORMAL File "bench/check-ce/tuple1.mlw", line 7, characters 14-19: Sub-goal Integer overflow of goal swap'vc. Prover result is: Unknown or time/memory/step limit. Sorry, we don't have a good counterexample for you :( File "bench/check-ce/tuple1.mlw", line 7, characters 14-23: Sub-goal Integer overflow of goal swap'vc. Prover result is: Valid. File "bench/check-ce/tuple1.mlw", line 7, characters 3-8: Sub-goal Integer overflow of goal swap'vc. Prover result is: Valid. File "bench/check-ce/tuple1.mlw", line 7, characters 3-12: Sub-goal Integer overflow of goal swap'vc. Prover result is: Valid. File "bench/check-ce/tuple1.mlw", line 5, characters 38-43: Sub-goal Postcondition of goal swap'vc. Prover result is: Valid. why3-1.6.0/bench/check-ce/oracles/tuple1_Z3,4.8.10_WP.oracle000066400000000000000000000016371440160026300226740ustar00rootroot00000000000000Categorizations of models: - Selected model 0: BAD_CE - Concrete RAC: NORMAL - Abstract RAC: NORMAL - Checked model 1: BAD_CE - Concrete RAC: NORMAL - Abstract RAC: NORMAL File "bench/check-ce/tuple1.mlw", line 7, characters 14-19: Sub-goal Integer overflow of goal swap'vc. Prover result is: Unknown or time/memory/step limit. Sorry, we don't have a good counterexample for you :( File "bench/check-ce/tuple1.mlw", line 7, characters 14-23: Sub-goal Integer overflow of goal swap'vc. Prover result is: Valid. File "bench/check-ce/tuple1.mlw", line 7, characters 3-8: Sub-goal Integer overflow of goal swap'vc. Prover result is: Valid. File "bench/check-ce/tuple1.mlw", line 7, characters 3-12: Sub-goal Integer overflow of goal swap'vc. Prover result is: Valid. File "bench/check-ce/tuple1.mlw", line 5, characters 38-43: Sub-goal Postcondition of goal swap'vc. Prover result is: Valid. why3-1.6.0/bench/check-ce/oracles/tuple1_Z3,4.8.4_SP.oracle000066400000000000000000000224501440160026300226070ustar00rootroot00000000000000Check model 0 ("bench/check-ce/tuple1.mlw", line 7, characters 14-19) Checking model: File int.mlw: Line 432: max_int = {"proj_name": "int63'int", "type": "Proj", "value": {"type": "Integer", "val": "4611686018427387903"}} Line 434: min_int = {"proj_name": "int63'int", "type": "Proj", "value": {"type": "Integer", "val": "-4611686018427387904"}} File tuple1.mlw: Line 6: a = {"proj_name": "int63'int", "type": "Proj", "value": {"type": "Integer", "val": "0"}} b = {"proj_name": "int63'int", "type": "Proj", "value": {"type": "Integer", "val": "0"}} Line 7: a = {"proj_name": "int63'int", "type": "Proj", "value": {"type": "Integer", "val": "0"}} b = {"proj_name": "int63'int", "type": "Proj", "value": {"type": "Integer", "val": "0"}} Giant-step RAC RHS evaluated for global `zero` at "WHY3DATA/stdlib/int.mlw", line 13, characters 15-19: 0 RHS evaluated for global `one` at "WHY3DATA/stdlib/int.mlw", line 14, characters 15-18: 1 RHS evaluated for global `min_int63` at "WHY3DATA/stdlib/mach/int.mlw", line 418, characters 15-24: (-4611686018427387904) RHS evaluated for global `max_int63` at "WHY3DATA/stdlib/mach/int.mlw", line 419, characters 15-24: 4611686018427387903 RHS evaluated for global `zero` at "WHY3DATA/stdlib/mach/int.mlw", line 430, characters 15-19: 0 RHS evaluated for global `one` at "WHY3DATA/stdlib/mach/int.mlw", line 431, characters 15-18: 1 Value from model for global `max_int` at "WHY3DATA/stdlib/mach/int.mlw", line 432, characters 15-22: {int63'int => 4611686018427387903} No value for return value of call at "WHY3DATA/stdlib/mach/int.mlw", line 432, characters 22-74 at "WHY3DATA/stdlib/mach/int.mlw", line 432, characters 22-74 Normal RAC RHS evaluated for global `zero` at "WHY3DATA/stdlib/int.mlw", line 13, characters 15-19: 0 RHS evaluated for global `one` at "WHY3DATA/stdlib/int.mlw", line 14, characters 15-18: 1 RHS evaluated for global `min_int63` at "WHY3DATA/stdlib/mach/int.mlw", line 418, characters 15-24: (-4611686018427387904) RHS evaluated for global `max_int63` at "WHY3DATA/stdlib/mach/int.mlw", line 419, characters 15-24: 4611686018427387903 RHS evaluated for global `zero` at "WHY3DATA/stdlib/mach/int.mlw", line 430, characters 15-19: 0 RHS evaluated for global `one` at "WHY3DATA/stdlib/mach/int.mlw", line 431, characters 15-18: 1 Value from model for global `max_int` at "WHY3DATA/stdlib/mach/int.mlw", line 432, characters 15-22: {int63'int => 4611686018427387903} No value for return value of call at "WHY3DATA/stdlib/mach/int.mlw", line 432, characters 22-74 at "WHY3DATA/stdlib/mach/int.mlw", line 432, characters 22-74 Result of checking model 0: INCOMPLETE - Concrete RAC: INCOMPLETE (terminated because missing value for return value of call at "WHY3DATA/stdlib/mach/int.mlw", line 432, characters 22-74) - Abstract RAC: INCOMPLETE (terminated because missing value for return value of call at "WHY3DATA/stdlib/mach/int.mlw", line 432, characters 22-74) Check model 1 ("bench/check-ce/tuple1.mlw", line 7, characters 14-19) Checking model: File int.mlw: Line 432: max_int = {"proj_name": "int63'int", "type": "Proj", "value": {"type": "Integer", "val": "4611686018427387903"}} Line 434: min_int = {"proj_name": "int63'int", "type": "Proj", "value": {"type": "Integer", "val": "-4611686018427387904"}} File tuple1.mlw: Line 6: a = {"proj_name": "int63'int", "type": "Proj", "value": {"type": "Integer", "val": "4611686018427379887"}} b = {"proj_name": "int63'int", "type": "Proj", "value": {"type": "Integer", "val": "8017"}} Line 7: a = {"proj_name": "int63'int", "type": "Proj", "value": {"type": "Integer", "val": "4611686018427379887"}} b = {"proj_name": "int63'int", "type": "Proj", "value": {"type": "Integer", "val": "8017"}} Giant-step RAC RHS evaluated for global `zero` at "WHY3DATA/stdlib/int.mlw", line 13, characters 15-19: 0 RHS evaluated for global `one` at "WHY3DATA/stdlib/int.mlw", line 14, characters 15-18: 1 RHS evaluated for global `min_int63` at "WHY3DATA/stdlib/mach/int.mlw", line 418, characters 15-24: (-4611686018427387904) RHS evaluated for global `max_int63` at "WHY3DATA/stdlib/mach/int.mlw", line 419, characters 15-24: 4611686018427387903 RHS evaluated for global `zero` at "WHY3DATA/stdlib/mach/int.mlw", line 430, characters 15-19: 0 RHS evaluated for global `one` at "WHY3DATA/stdlib/mach/int.mlw", line 431, characters 15-18: 1 Value from model for global `max_int` at "WHY3DATA/stdlib/mach/int.mlw", line 432, characters 15-22: {int63'int => 4611686018427387903} No value for return value of call at "WHY3DATA/stdlib/mach/int.mlw", line 432, characters 22-74 at "WHY3DATA/stdlib/mach/int.mlw", line 432, characters 22-74 Normal RAC RHS evaluated for global `zero` at "WHY3DATA/stdlib/int.mlw", line 13, characters 15-19: 0 RHS evaluated for global `one` at "WHY3DATA/stdlib/int.mlw", line 14, characters 15-18: 1 RHS evaluated for global `min_int63` at "WHY3DATA/stdlib/mach/int.mlw", line 418, characters 15-24: (-4611686018427387904) RHS evaluated for global `max_int63` at "WHY3DATA/stdlib/mach/int.mlw", line 419, characters 15-24: 4611686018427387903 RHS evaluated for global `zero` at "WHY3DATA/stdlib/mach/int.mlw", line 430, characters 15-19: 0 RHS evaluated for global `one` at "WHY3DATA/stdlib/mach/int.mlw", line 431, characters 15-18: 1 Value from model for global `max_int` at "WHY3DATA/stdlib/mach/int.mlw", line 432, characters 15-22: {int63'int => 4611686018427387903} No value for return value of call at "WHY3DATA/stdlib/mach/int.mlw", line 432, characters 22-74 at "WHY3DATA/stdlib/mach/int.mlw", line 432, characters 22-74 Result of checking model 1: INCOMPLETE - Concrete RAC: INCOMPLETE (terminated because missing value for return value of call at "WHY3DATA/stdlib/mach/int.mlw", line 432, characters 22-74) - Abstract RAC: INCOMPLETE (terminated because missing value for return value of call at "WHY3DATA/stdlib/mach/int.mlw", line 432, characters 22-74) Results: - Checked model 0: INCOMPLETE - Concrete RAC: INCOMPLETE (terminated because missing value for return value of call at "WHY3DATA/stdlib/mach/int.mlw", line 432, characters 22-74) - Abstract RAC: INCOMPLETE (terminated because missing value for return value of call at "WHY3DATA/stdlib/mach/int.mlw", line 432, characters 22-74) - Selected model 1: INCOMPLETE - Concrete RAC: INCOMPLETE (terminated because missing value for return value of call at "WHY3DATA/stdlib/mach/int.mlw", line 432, characters 22-74) - Abstract RAC: INCOMPLETE (terminated because missing value for return value of call at "WHY3DATA/stdlib/mach/int.mlw", line 432, characters 22-74) File "bench/check-ce/tuple1.mlw", line 7, characters 14-19: Sub-goal Integer overflow of goal swap'vc. Prover result is: Unknown (unknown) (1.24s, 7500000 steps). The following counterexample model could not be verified (both RAC terminated because missing value for return value of call at "WHY3DATA/stdlib/mach/int.mlw", line 432, characters 22-74): File int.mlw: Line 432: max_int = {int63'int => 4611686018427387903 (0X3FFFFFFFFFFFFFFF)} Line 434: min_int = {int63'int => -4611686018427387904 (-0X4000000000000000)} File tuple1.mlw: Line 6: a = {int63'int => 4611686018427379887 (0X3FFFFFFFFFFFE0AF)} b = {int63'int => 8017 (0X1F51)} Line 7: a = {int63'int => 4611686018427379887 (0X3FFFFFFFFFFFE0AF)} b = {int63'int => 8017 (0X1F51)} File "bench/check-ce/tuple1.mlw", line 7, characters 14-23: Sub-goal Integer overflow of goal swap'vc. Prover result is: Valid (0.01s, 7546 steps). File "bench/check-ce/tuple1.mlw", line 7, characters 3-8: Sub-goal Integer overflow of goal swap'vc. Prover result is: Valid (0.01s, 8058 steps). File "bench/check-ce/tuple1.mlw", line 7, characters 3-12: Sub-goal Integer overflow of goal swap'vc. Prover result is: Valid (0.01s, 8257 steps). File "bench/check-ce/tuple1.mlw", line 5, characters 38-43: Sub-goal Postcondition of goal swap'vc. Prover result is: Valid (0.01s, 8713 steps). why3-1.6.0/bench/check-ce/oracles/tuple1_Z3,4.8.4_WP.oracle000066400000000000000000000224501440160026300226130ustar00rootroot00000000000000Check model 0 ("bench/check-ce/tuple1.mlw", line 7, characters 14-19) Checking model: File int.mlw: Line 432: max_int = {"proj_name": "int63'int", "type": "Proj", "value": {"type": "Integer", "val": "4611686018427387903"}} Line 434: min_int = {"proj_name": "int63'int", "type": "Proj", "value": {"type": "Integer", "val": "-4611686018427387904"}} File tuple1.mlw: Line 6: a = {"proj_name": "int63'int", "type": "Proj", "value": {"type": "Integer", "val": "0"}} b = {"proj_name": "int63'int", "type": "Proj", "value": {"type": "Integer", "val": "0"}} Line 7: a = {"proj_name": "int63'int", "type": "Proj", "value": {"type": "Integer", "val": "0"}} b = {"proj_name": "int63'int", "type": "Proj", "value": {"type": "Integer", "val": "0"}} Giant-step RAC RHS evaluated for global `zero` at "WHY3DATA/stdlib/int.mlw", line 13, characters 15-19: 0 RHS evaluated for global `one` at "WHY3DATA/stdlib/int.mlw", line 14, characters 15-18: 1 RHS evaluated for global `min_int63` at "WHY3DATA/stdlib/mach/int.mlw", line 418, characters 15-24: (-4611686018427387904) RHS evaluated for global `max_int63` at "WHY3DATA/stdlib/mach/int.mlw", line 419, characters 15-24: 4611686018427387903 RHS evaluated for global `zero` at "WHY3DATA/stdlib/mach/int.mlw", line 430, characters 15-19: 0 RHS evaluated for global `one` at "WHY3DATA/stdlib/mach/int.mlw", line 431, characters 15-18: 1 Value from model for global `max_int` at "WHY3DATA/stdlib/mach/int.mlw", line 432, characters 15-22: {int63'int => 4611686018427387903} No value for return value of call at "WHY3DATA/stdlib/mach/int.mlw", line 432, characters 22-74 at "WHY3DATA/stdlib/mach/int.mlw", line 432, characters 22-74 Normal RAC RHS evaluated for global `zero` at "WHY3DATA/stdlib/int.mlw", line 13, characters 15-19: 0 RHS evaluated for global `one` at "WHY3DATA/stdlib/int.mlw", line 14, characters 15-18: 1 RHS evaluated for global `min_int63` at "WHY3DATA/stdlib/mach/int.mlw", line 418, characters 15-24: (-4611686018427387904) RHS evaluated for global `max_int63` at "WHY3DATA/stdlib/mach/int.mlw", line 419, characters 15-24: 4611686018427387903 RHS evaluated for global `zero` at "WHY3DATA/stdlib/mach/int.mlw", line 430, characters 15-19: 0 RHS evaluated for global `one` at "WHY3DATA/stdlib/mach/int.mlw", line 431, characters 15-18: 1 Value from model for global `max_int` at "WHY3DATA/stdlib/mach/int.mlw", line 432, characters 15-22: {int63'int => 4611686018427387903} No value for return value of call at "WHY3DATA/stdlib/mach/int.mlw", line 432, characters 22-74 at "WHY3DATA/stdlib/mach/int.mlw", line 432, characters 22-74 Result of checking model 0: INCOMPLETE - Concrete RAC: INCOMPLETE (terminated because missing value for return value of call at "WHY3DATA/stdlib/mach/int.mlw", line 432, characters 22-74) - Abstract RAC: INCOMPLETE (terminated because missing value for return value of call at "WHY3DATA/stdlib/mach/int.mlw", line 432, characters 22-74) Check model 1 ("bench/check-ce/tuple1.mlw", line 7, characters 14-19) Checking model: File int.mlw: Line 432: max_int = {"proj_name": "int63'int", "type": "Proj", "value": {"type": "Integer", "val": "4611686018427387903"}} Line 434: min_int = {"proj_name": "int63'int", "type": "Proj", "value": {"type": "Integer", "val": "-4611686018427387904"}} File tuple1.mlw: Line 6: a = {"proj_name": "int63'int", "type": "Proj", "value": {"type": "Integer", "val": "4611686018427379887"}} b = {"proj_name": "int63'int", "type": "Proj", "value": {"type": "Integer", "val": "8017"}} Line 7: a = {"proj_name": "int63'int", "type": "Proj", "value": {"type": "Integer", "val": "4611686018427379887"}} b = {"proj_name": "int63'int", "type": "Proj", "value": {"type": "Integer", "val": "8017"}} Giant-step RAC RHS evaluated for global `zero` at "WHY3DATA/stdlib/int.mlw", line 13, characters 15-19: 0 RHS evaluated for global `one` at "WHY3DATA/stdlib/int.mlw", line 14, characters 15-18: 1 RHS evaluated for global `min_int63` at "WHY3DATA/stdlib/mach/int.mlw", line 418, characters 15-24: (-4611686018427387904) RHS evaluated for global `max_int63` at "WHY3DATA/stdlib/mach/int.mlw", line 419, characters 15-24: 4611686018427387903 RHS evaluated for global `zero` at "WHY3DATA/stdlib/mach/int.mlw", line 430, characters 15-19: 0 RHS evaluated for global `one` at "WHY3DATA/stdlib/mach/int.mlw", line 431, characters 15-18: 1 Value from model for global `max_int` at "WHY3DATA/stdlib/mach/int.mlw", line 432, characters 15-22: {int63'int => 4611686018427387903} No value for return value of call at "WHY3DATA/stdlib/mach/int.mlw", line 432, characters 22-74 at "WHY3DATA/stdlib/mach/int.mlw", line 432, characters 22-74 Normal RAC RHS evaluated for global `zero` at "WHY3DATA/stdlib/int.mlw", line 13, characters 15-19: 0 RHS evaluated for global `one` at "WHY3DATA/stdlib/int.mlw", line 14, characters 15-18: 1 RHS evaluated for global `min_int63` at "WHY3DATA/stdlib/mach/int.mlw", line 418, characters 15-24: (-4611686018427387904) RHS evaluated for global `max_int63` at "WHY3DATA/stdlib/mach/int.mlw", line 419, characters 15-24: 4611686018427387903 RHS evaluated for global `zero` at "WHY3DATA/stdlib/mach/int.mlw", line 430, characters 15-19: 0 RHS evaluated for global `one` at "WHY3DATA/stdlib/mach/int.mlw", line 431, characters 15-18: 1 Value from model for global `max_int` at "WHY3DATA/stdlib/mach/int.mlw", line 432, characters 15-22: {int63'int => 4611686018427387903} No value for return value of call at "WHY3DATA/stdlib/mach/int.mlw", line 432, characters 22-74 at "WHY3DATA/stdlib/mach/int.mlw", line 432, characters 22-74 Result of checking model 1: INCOMPLETE - Concrete RAC: INCOMPLETE (terminated because missing value for return value of call at "WHY3DATA/stdlib/mach/int.mlw", line 432, characters 22-74) - Abstract RAC: INCOMPLETE (terminated because missing value for return value of call at "WHY3DATA/stdlib/mach/int.mlw", line 432, characters 22-74) Results: - Checked model 0: INCOMPLETE - Concrete RAC: INCOMPLETE (terminated because missing value for return value of call at "WHY3DATA/stdlib/mach/int.mlw", line 432, characters 22-74) - Abstract RAC: INCOMPLETE (terminated because missing value for return value of call at "WHY3DATA/stdlib/mach/int.mlw", line 432, characters 22-74) - Selected model 1: INCOMPLETE - Concrete RAC: INCOMPLETE (terminated because missing value for return value of call at "WHY3DATA/stdlib/mach/int.mlw", line 432, characters 22-74) - Abstract RAC: INCOMPLETE (terminated because missing value for return value of call at "WHY3DATA/stdlib/mach/int.mlw", line 432, characters 22-74) File "bench/check-ce/tuple1.mlw", line 7, characters 14-19: Sub-goal Integer overflow of goal swap'vc. Prover result is: Unknown (unknown) (1.23s, 7500000 steps). The following counterexample model could not be verified (both RAC terminated because missing value for return value of call at "WHY3DATA/stdlib/mach/int.mlw", line 432, characters 22-74): File int.mlw: Line 432: max_int = {int63'int => 4611686018427387903 (0X3FFFFFFFFFFFFFFF)} Line 434: min_int = {int63'int => -4611686018427387904 (-0X4000000000000000)} File tuple1.mlw: Line 6: a = {int63'int => 4611686018427379887 (0X3FFFFFFFFFFFE0AF)} b = {int63'int => 8017 (0X1F51)} Line 7: a = {int63'int => 4611686018427379887 (0X3FFFFFFFFFFFE0AF)} b = {int63'int => 8017 (0X1F51)} File "bench/check-ce/tuple1.mlw", line 7, characters 14-23: Sub-goal Integer overflow of goal swap'vc. Prover result is: Valid (0.01s, 7546 steps). File "bench/check-ce/tuple1.mlw", line 7, characters 3-8: Sub-goal Integer overflow of goal swap'vc. Prover result is: Valid (0.01s, 8058 steps). File "bench/check-ce/tuple1.mlw", line 7, characters 3-12: Sub-goal Integer overflow of goal swap'vc. Prover result is: Valid (0.01s, 8257 steps). File "bench/check-ce/tuple1.mlw", line 5, characters 38-43: Sub-goal Postcondition of goal swap'vc. Prover result is: Valid (0.01s, 8713 steps). why3-1.6.0/bench/check-ce/oracles/tuple_CVC4,1.8_SP.oracle000066400000000000000000000013011440160026300225540ustar00rootroot00000000000000Categorizations of models: - Checked model 0: BAD_CE - Concrete RAC: FAILURE (postcondition at "bench/check-ce/tuple.mlw", line 5, characters 12-43) - Abstract RAC: FAILURE (postcondition at "bench/check-ce/tuple.mlw", line 5, characters 12-43) - Selected model 1: BAD_CE - Concrete RAC: FAILURE (postcondition at "bench/check-ce/tuple.mlw", line 5, characters 12-43) - Abstract RAC: FAILURE (postcondition at "bench/check-ce/tuple.mlw", line 5, characters 12-43) File "bench/check-ce/tuple.mlw", line 5, characters 38-43: Sub-goal Postcondition of goal swap'vc. Prover result is: Unknown or time/memory/step limit. Sorry, we don't have a good counterexample for you :( why3-1.6.0/bench/check-ce/oracles/tuple_CVC4,1.8_WP.oracle000066400000000000000000000013011440160026300225600ustar00rootroot00000000000000Categorizations of models: - Checked model 0: BAD_CE - Concrete RAC: FAILURE (postcondition at "bench/check-ce/tuple.mlw", line 5, characters 12-43) - Abstract RAC: FAILURE (postcondition at "bench/check-ce/tuple.mlw", line 5, characters 12-43) - Selected model 1: BAD_CE - Concrete RAC: FAILURE (postcondition at "bench/check-ce/tuple.mlw", line 5, characters 12-43) - Abstract RAC: FAILURE (postcondition at "bench/check-ce/tuple.mlw", line 5, characters 12-43) File "bench/check-ce/tuple.mlw", line 5, characters 38-43: Sub-goal Postcondition of goal swap'vc. Prover result is: Unknown or time/memory/step limit. Sorry, we don't have a good counterexample for you :( why3-1.6.0/bench/check-ce/oracles/tuple_CVC5,1.0.0_SP.oracle000066400000000000000000000013011440160026300227030ustar00rootroot00000000000000Categorizations of models: - Checked model 0: BAD_CE - Concrete RAC: FAILURE (postcondition at "bench/check-ce/tuple.mlw", line 5, characters 12-43) - Abstract RAC: FAILURE (postcondition at "bench/check-ce/tuple.mlw", line 5, characters 12-43) - Selected model 1: BAD_CE - Concrete RAC: FAILURE (postcondition at "bench/check-ce/tuple.mlw", line 5, characters 12-43) - Abstract RAC: FAILURE (postcondition at "bench/check-ce/tuple.mlw", line 5, characters 12-43) File "bench/check-ce/tuple.mlw", line 5, characters 38-43: Sub-goal Postcondition of goal swap'vc. Prover result is: Unknown or time/memory/step limit. Sorry, we don't have a good counterexample for you :( why3-1.6.0/bench/check-ce/oracles/tuple_CVC5,1.0.0_WP.oracle000066400000000000000000000013011440160026300227070ustar00rootroot00000000000000Categorizations of models: - Checked model 0: BAD_CE - Concrete RAC: FAILURE (postcondition at "bench/check-ce/tuple.mlw", line 5, characters 12-43) - Abstract RAC: FAILURE (postcondition at "bench/check-ce/tuple.mlw", line 5, characters 12-43) - Selected model 1: BAD_CE - Concrete RAC: FAILURE (postcondition at "bench/check-ce/tuple.mlw", line 5, characters 12-43) - Abstract RAC: FAILURE (postcondition at "bench/check-ce/tuple.mlw", line 5, characters 12-43) File "bench/check-ce/tuple.mlw", line 5, characters 38-43: Sub-goal Postcondition of goal swap'vc. Prover result is: Unknown or time/memory/step limit. Sorry, we don't have a good counterexample for you :( why3-1.6.0/bench/check-ce/oracles/tuple_Z3,4.8.10_SP.oracle000066400000000000000000000013011440160026300225730ustar00rootroot00000000000000Categorizations of models: - Selected model 0: BAD_CE - Concrete RAC: FAILURE (postcondition at "bench/check-ce/tuple.mlw", line 5, characters 12-43) - Abstract RAC: FAILURE (postcondition at "bench/check-ce/tuple.mlw", line 5, characters 12-43) - Checked model 1: BAD_CE - Concrete RAC: FAILURE (postcondition at "bench/check-ce/tuple.mlw", line 5, characters 12-43) - Abstract RAC: FAILURE (postcondition at "bench/check-ce/tuple.mlw", line 5, characters 12-43) File "bench/check-ce/tuple.mlw", line 5, characters 38-43: Sub-goal Postcondition of goal swap'vc. Prover result is: Unknown or time/memory/step limit. Sorry, we don't have a good counterexample for you :( why3-1.6.0/bench/check-ce/oracles/tuple_Z3,4.8.10_WP.oracle000066400000000000000000000013011440160026300225770ustar00rootroot00000000000000Categorizations of models: - Selected model 0: BAD_CE - Concrete RAC: FAILURE (postcondition at "bench/check-ce/tuple.mlw", line 5, characters 12-43) - Abstract RAC: FAILURE (postcondition at "bench/check-ce/tuple.mlw", line 5, characters 12-43) - Checked model 1: BAD_CE - Concrete RAC: FAILURE (postcondition at "bench/check-ce/tuple.mlw", line 5, characters 12-43) - Abstract RAC: FAILURE (postcondition at "bench/check-ce/tuple.mlw", line 5, characters 12-43) File "bench/check-ce/tuple.mlw", line 5, characters 38-43: Sub-goal Postcondition of goal swap'vc. Prover result is: Unknown or time/memory/step limit. Sorry, we don't have a good counterexample for you :( why3-1.6.0/bench/check-ce/oracles/tuple_Z3,4.8.4_SP.oracle000066400000000000000000000260111440160026300225230ustar00rootroot00000000000000Check model 0 ("bench/check-ce/tuple.mlw", line 5, characters 38-43) Checking model: File tuple.mlw: Line 5: a = {"type": "Integer", "val": "-1"} b = {"type": "Integer", "val": "2"} result = {"type": "Integer", "val": "0"} Line 6: result = {"type": "Integer", "val": "0"} Giant-step RAC RHS evaluated for global `zero` at "WHY3DATA/stdlib/int.mlw", line 13, characters 15-19: 0 RHS evaluated for global `one` at "WHY3DATA/stdlib/int.mlw", line 14, characters 15-18: 1 Type default value for parameter `x` at "bench/check-ce/tuple.mlw", line 4, characters 10-11: (0, 0) Value computed from postcondition for return value of call to (-) at "bench/check-ce/tuple.mlw", line 7, characters 14-23 at "bench/check-ce/tuple.mlw", line 7, characters 14-23: 0 Value computed from postcondition for return value of call to (-) at "bench/check-ce/tuple.mlw", line 7, characters 3-12 at "bench/check-ce/tuple.mlw", line 7, characters 3-12: 0 Normal RAC RHS evaluated for global `zero` at "WHY3DATA/stdlib/int.mlw", line 13, characters 15-19: 0 RHS evaluated for global `one` at "WHY3DATA/stdlib/int.mlw", line 14, characters 15-18: 1 Type default value for parameter `x` at "bench/check-ce/tuple.mlw", line 4, characters 10-11: (0, 0) Result of checking model 0: BAD_CE - Concrete RAC: FAILURE (postcondition at "bench/check-ce/tuple.mlw", line 5, characters 12-43) File int.mlw: Line 13: Constant zero initialization zero = 0 Line 14: Constant one initialization one = 1 File tuple.mlw: Line 4: x = (0, 0) x = (0, 0) Execution of main function `swap` with env: x = (0, 0) zero = 0 one = 1 Line 7: Normal execution of function `(+)` with args: _ = 0 _ = 0 Normal execution of function `(-)` with args: x = 0 y = 0 File int.mlw: Line 23: Normal execution of function `(-_)` with args: _ = 0 Normal execution of function `(+)` with args: _ = 0 _ = 0 File tuple.mlw: Line 7: Normal execution of function `(+)` with args: _ = 0 _ = 1 Normal execution of function `(+)` with args: _ = 0 _ = 0 Normal execution of function `(-)` with args: x = 0 y = 0 File int.mlw: Line 23: Normal execution of function `(-_)` with args: _ = 0 Normal execution of function `(+)` with args: _ = 0 _ = 0 File tuple.mlw: Line 7: Normal execution of function `Tuple2` with args: u = 0 u = 1 Line 5: Property failure at postcondition of `swap` with: x = (0, 0) result = (0, 1) - Abstract RAC: FAILURE (postcondition at "bench/check-ce/tuple.mlw", line 5, characters 12-43) File int.mlw: Line 13: Constant zero initialization zero = 0 Line 14: Constant one initialization one = 1 File tuple.mlw: Line 4: x = (0, 0) x = (0, 0) Execution of main function `swap` with env: x = (0, 0) zero = 0 one = 1 Line 7: Normal execution of function `(+)` with args: _ = 0 _ = 0 Giant-step execution of function `(-)` with args: x = 0 y = 0 result of `(-)` = 0 Normal execution of function `(+)` with args: _ = 0 _ = 1 Normal execution of function `(+)` with args: _ = 0 _ = 0 Giant-step execution of function `(-)` with args: x = 0 y = 0 result of `(-)` = 0 Normal execution of function `Tuple2` with args: u = 0 u = 1 Line 5: Property failure at postcondition of `swap` with: x = (0, 0) result = (0, 1) Check model 1 ("bench/check-ce/tuple.mlw", line 5, characters 38-43) Checking model: File tuple.mlw: Line 5: a = {"type": "Integer", "val": "-1"} b = {"type": "Integer", "val": "3"} result = {"type": "Integer", "val": "0"} Line 6: result = {"type": "Integer", "val": "0"} Giant-step RAC RHS evaluated for global `zero` at "WHY3DATA/stdlib/int.mlw", line 13, characters 15-19: 0 RHS evaluated for global `one` at "WHY3DATA/stdlib/int.mlw", line 14, characters 15-18: 1 Type default value for parameter `x` at "bench/check-ce/tuple.mlw", line 4, characters 10-11: (0, 0) Value computed from postcondition for return value of call to (-) at "bench/check-ce/tuple.mlw", line 7, characters 14-23 at "bench/check-ce/tuple.mlw", line 7, characters 14-23: 0 Value computed from postcondition for return value of call to (-) at "bench/check-ce/tuple.mlw", line 7, characters 3-12 at "bench/check-ce/tuple.mlw", line 7, characters 3-12: 0 Normal RAC RHS evaluated for global `zero` at "WHY3DATA/stdlib/int.mlw", line 13, characters 15-19: 0 RHS evaluated for global `one` at "WHY3DATA/stdlib/int.mlw", line 14, characters 15-18: 1 Type default value for parameter `x` at "bench/check-ce/tuple.mlw", line 4, characters 10-11: (0, 0) Result of checking model 1: BAD_CE - Concrete RAC: FAILURE (postcondition at "bench/check-ce/tuple.mlw", line 5, characters 12-43) File int.mlw: Line 13: Constant zero initialization zero = 0 Line 14: Constant one initialization one = 1 File tuple.mlw: Line 4: x = (0, 0) x = (0, 0) Execution of main function `swap` with env: x = (0, 0) zero = 0 one = 1 Line 7: Normal execution of function `(+)` with args: _ = 0 _ = 0 Normal execution of function `(-)` with args: x = 0 y = 0 File int.mlw: Line 23: Normal execution of function `(-_)` with args: _ = 0 Normal execution of function `(+)` with args: _ = 0 _ = 0 File tuple.mlw: Line 7: Normal execution of function `(+)` with args: _ = 0 _ = 1 Normal execution of function `(+)` with args: _ = 0 _ = 0 Normal execution of function `(-)` with args: x = 0 y = 0 File int.mlw: Line 23: Normal execution of function `(-_)` with args: _ = 0 Normal execution of function `(+)` with args: _ = 0 _ = 0 File tuple.mlw: Line 7: Normal execution of function `Tuple2` with args: u = 0 u = 1 Line 5: Property failure at postcondition of `swap` with: x = (0, 0) result = (0, 1) - Abstract RAC: FAILURE (postcondition at "bench/check-ce/tuple.mlw", line 5, characters 12-43) File int.mlw: Line 13: Constant zero initialization zero = 0 Line 14: Constant one initialization one = 1 File tuple.mlw: Line 4: x = (0, 0) x = (0, 0) Execution of main function `swap` with env: x = (0, 0) zero = 0 one = 1 Line 7: Normal execution of function `(+)` with args: _ = 0 _ = 0 Giant-step execution of function `(-)` with args: x = 0 y = 0 result of `(-)` = 0 Normal execution of function `(+)` with args: _ = 0 _ = 1 Normal execution of function `(+)` with args: _ = 0 _ = 0 Giant-step execution of function `(-)` with args: x = 0 y = 0 result of `(-)` = 0 Normal execution of function `Tuple2` with args: u = 0 u = 1 Line 5: Property failure at postcondition of `swap` with: x = (0, 0) result = (0, 1) Results: - Checked model 0: BAD_CE - Concrete RAC: FAILURE (postcondition at "bench/check-ce/tuple.mlw", line 5, characters 12-43) - Abstract RAC: FAILURE (postcondition at "bench/check-ce/tuple.mlw", line 5, characters 12-43) - Selected model 1: BAD_CE - Concrete RAC: FAILURE (postcondition at "bench/check-ce/tuple.mlw", line 5, characters 12-43) - Abstract RAC: FAILURE (postcondition at "bench/check-ce/tuple.mlw", line 5, characters 12-43) File "bench/check-ce/tuple.mlw", line 5, characters 38-43: Sub-goal Postcondition of goal swap'vc. Prover result is: Unknown (unknown) (1.17s, 7500000 steps). Sorry, we don't have a good counterexample for you :( why3-1.6.0/bench/check-ce/oracles/tuple_Z3,4.8.4_WP.oracle000066400000000000000000000260111440160026300225270ustar00rootroot00000000000000Check model 0 ("bench/check-ce/tuple.mlw", line 5, characters 38-43) Checking model: File tuple.mlw: Line 5: a = {"type": "Integer", "val": "-1"} b = {"type": "Integer", "val": "2"} result = {"type": "Integer", "val": "0"} Line 6: result = {"type": "Integer", "val": "0"} Giant-step RAC RHS evaluated for global `zero` at "WHY3DATA/stdlib/int.mlw", line 13, characters 15-19: 0 RHS evaluated for global `one` at "WHY3DATA/stdlib/int.mlw", line 14, characters 15-18: 1 Type default value for parameter `x` at "bench/check-ce/tuple.mlw", line 4, characters 10-11: (0, 0) Value computed from postcondition for return value of call to (-) at "bench/check-ce/tuple.mlw", line 7, characters 14-23 at "bench/check-ce/tuple.mlw", line 7, characters 14-23: 0 Value computed from postcondition for return value of call to (-) at "bench/check-ce/tuple.mlw", line 7, characters 3-12 at "bench/check-ce/tuple.mlw", line 7, characters 3-12: 0 Normal RAC RHS evaluated for global `zero` at "WHY3DATA/stdlib/int.mlw", line 13, characters 15-19: 0 RHS evaluated for global `one` at "WHY3DATA/stdlib/int.mlw", line 14, characters 15-18: 1 Type default value for parameter `x` at "bench/check-ce/tuple.mlw", line 4, characters 10-11: (0, 0) Result of checking model 0: BAD_CE - Concrete RAC: FAILURE (postcondition at "bench/check-ce/tuple.mlw", line 5, characters 12-43) File int.mlw: Line 13: Constant zero initialization zero = 0 Line 14: Constant one initialization one = 1 File tuple.mlw: Line 4: x = (0, 0) x = (0, 0) Execution of main function `swap` with env: x = (0, 0) zero = 0 one = 1 Line 7: Normal execution of function `(+)` with args: _ = 0 _ = 0 Normal execution of function `(-)` with args: x = 0 y = 0 File int.mlw: Line 23: Normal execution of function `(-_)` with args: _ = 0 Normal execution of function `(+)` with args: _ = 0 _ = 0 File tuple.mlw: Line 7: Normal execution of function `(+)` with args: _ = 0 _ = 1 Normal execution of function `(+)` with args: _ = 0 _ = 0 Normal execution of function `(-)` with args: x = 0 y = 0 File int.mlw: Line 23: Normal execution of function `(-_)` with args: _ = 0 Normal execution of function `(+)` with args: _ = 0 _ = 0 File tuple.mlw: Line 7: Normal execution of function `Tuple2` with args: u = 0 u = 1 Line 5: Property failure at postcondition of `swap` with: x = (0, 0) result = (0, 1) - Abstract RAC: FAILURE (postcondition at "bench/check-ce/tuple.mlw", line 5, characters 12-43) File int.mlw: Line 13: Constant zero initialization zero = 0 Line 14: Constant one initialization one = 1 File tuple.mlw: Line 4: x = (0, 0) x = (0, 0) Execution of main function `swap` with env: x = (0, 0) zero = 0 one = 1 Line 7: Normal execution of function `(+)` with args: _ = 0 _ = 0 Giant-step execution of function `(-)` with args: x = 0 y = 0 result of `(-)` = 0 Normal execution of function `(+)` with args: _ = 0 _ = 1 Normal execution of function `(+)` with args: _ = 0 _ = 0 Giant-step execution of function `(-)` with args: x = 0 y = 0 result of `(-)` = 0 Normal execution of function `Tuple2` with args: u = 0 u = 1 Line 5: Property failure at postcondition of `swap` with: x = (0, 0) result = (0, 1) Check model 1 ("bench/check-ce/tuple.mlw", line 5, characters 38-43) Checking model: File tuple.mlw: Line 5: a = {"type": "Integer", "val": "-1"} b = {"type": "Integer", "val": "3"} result = {"type": "Integer", "val": "0"} Line 6: result = {"type": "Integer", "val": "0"} Giant-step RAC RHS evaluated for global `zero` at "WHY3DATA/stdlib/int.mlw", line 13, characters 15-19: 0 RHS evaluated for global `one` at "WHY3DATA/stdlib/int.mlw", line 14, characters 15-18: 1 Type default value for parameter `x` at "bench/check-ce/tuple.mlw", line 4, characters 10-11: (0, 0) Value computed from postcondition for return value of call to (-) at "bench/check-ce/tuple.mlw", line 7, characters 14-23 at "bench/check-ce/tuple.mlw", line 7, characters 14-23: 0 Value computed from postcondition for return value of call to (-) at "bench/check-ce/tuple.mlw", line 7, characters 3-12 at "bench/check-ce/tuple.mlw", line 7, characters 3-12: 0 Normal RAC RHS evaluated for global `zero` at "WHY3DATA/stdlib/int.mlw", line 13, characters 15-19: 0 RHS evaluated for global `one` at "WHY3DATA/stdlib/int.mlw", line 14, characters 15-18: 1 Type default value for parameter `x` at "bench/check-ce/tuple.mlw", line 4, characters 10-11: (0, 0) Result of checking model 1: BAD_CE - Concrete RAC: FAILURE (postcondition at "bench/check-ce/tuple.mlw", line 5, characters 12-43) File int.mlw: Line 13: Constant zero initialization zero = 0 Line 14: Constant one initialization one = 1 File tuple.mlw: Line 4: x = (0, 0) x = (0, 0) Execution of main function `swap` with env: x = (0, 0) zero = 0 one = 1 Line 7: Normal execution of function `(+)` with args: _ = 0 _ = 0 Normal execution of function `(-)` with args: x = 0 y = 0 File int.mlw: Line 23: Normal execution of function `(-_)` with args: _ = 0 Normal execution of function `(+)` with args: _ = 0 _ = 0 File tuple.mlw: Line 7: Normal execution of function `(+)` with args: _ = 0 _ = 1 Normal execution of function `(+)` with args: _ = 0 _ = 0 Normal execution of function `(-)` with args: x = 0 y = 0 File int.mlw: Line 23: Normal execution of function `(-_)` with args: _ = 0 Normal execution of function `(+)` with args: _ = 0 _ = 0 File tuple.mlw: Line 7: Normal execution of function `Tuple2` with args: u = 0 u = 1 Line 5: Property failure at postcondition of `swap` with: x = (0, 0) result = (0, 1) - Abstract RAC: FAILURE (postcondition at "bench/check-ce/tuple.mlw", line 5, characters 12-43) File int.mlw: Line 13: Constant zero initialization zero = 0 Line 14: Constant one initialization one = 1 File tuple.mlw: Line 4: x = (0, 0) x = (0, 0) Execution of main function `swap` with env: x = (0, 0) zero = 0 one = 1 Line 7: Normal execution of function `(+)` with args: _ = 0 _ = 0 Giant-step execution of function `(-)` with args: x = 0 y = 0 result of `(-)` = 0 Normal execution of function `(+)` with args: _ = 0 _ = 1 Normal execution of function `(+)` with args: _ = 0 _ = 0 Giant-step execution of function `(-)` with args: x = 0 y = 0 result of `(-)` = 0 Normal execution of function `Tuple2` with args: u = 0 u = 1 Line 5: Property failure at postcondition of `swap` with: x = (0, 0) result = (0, 1) Results: - Checked model 0: BAD_CE - Concrete RAC: FAILURE (postcondition at "bench/check-ce/tuple.mlw", line 5, characters 12-43) - Abstract RAC: FAILURE (postcondition at "bench/check-ce/tuple.mlw", line 5, characters 12-43) - Selected model 1: BAD_CE - Concrete RAC: FAILURE (postcondition at "bench/check-ce/tuple.mlw", line 5, characters 12-43) - Abstract RAC: FAILURE (postcondition at "bench/check-ce/tuple.mlw", line 5, characters 12-43) File "bench/check-ce/tuple.mlw", line 5, characters 38-43: Sub-goal Postcondition of goal swap'vc. Prover result is: Unknown (unknown) (1.17s, 7500000 steps). Sorry, we don't have a good counterexample for you :( why3-1.6.0/bench/check-ce/oracles/underspec_CVC4,1.8_SP.oracle000066400000000000000000000064761440160026300234350ustar00rootroot00000000000000File "bench/check-ce/underspec.mlw", line 17, characters 27-33: Sub-goal Loop invariant init of goal f'vc. Prover result is: Valid. Categorizations of models: - Selected model 0: SW - Concrete RAC: NORMAL - Abstract RAC: FAILURE (loop invariant preservation at "bench/check-ce/underspec.mlw", line 17, characters 18-33) - Checked model 1: SW - Concrete RAC: NORMAL - Abstract RAC: FAILURE (loop invariant preservation at "bench/check-ce/underspec.mlw", line 17, characters 18-33) File "bench/check-ce/underspec.mlw", line 17, characters 27-33: Sub-goal Loop invariant preservation of goal f'vc. Prover result is: Unknown or time/memory/step limit. The contracts of some function or loop are too weak, for example during the following execution: File int.mlw: Line 13: Constant zero initialization zero = 0 Line 14: Constant one initialization one = 1 Unknown location: _ = () File underspec.mlw: Line 13: _ = () Execution of main function `f` with env: _ = () zero = 0 one = 1 Line 14: Giant-step execution of function `ref` with args: contents = 0 result of `ref` = {contents= 0} Line 15: Giant-step execution of function `ref` with args: contents = 0 result of `ref` = {contents= 0} Line 16: Giant-step iteration of loop x1 = {contents= (- 1)} x2 = {contents= 0} i = 0 Giant-step iteration of loop Line 18: Normal execution of function `(=)` with args: x = 0 y = 0 Line 19: Normal execution of function `contents` with args: arg = {contents= (- 1)} Normal execution of function `(+)` with args: _ = (- 1) _ = 1 Line 17: Property failure at loop invariant preservation with: x1 = {contents= 0} i = 1 File "bench/check-ce/underspec.mlw", line 31, characters 14-23: Sub-goal Postcondition of goal g'vc. Prover result is: Valid. Categorizations of models: - Selected model 0: SW - Concrete RAC: NORMAL - Abstract RAC: FAILURE (assertion at "bench/check-ce/underspec.mlw", line 37, characters 13-18) - Checked model 1: SW - Concrete RAC: NORMAL - Abstract RAC: FAILURE (assertion at "bench/check-ce/underspec.mlw", line 37, characters 13-18) File "bench/check-ce/underspec.mlw", line 37, characters 13-18: Sub-goal Assertion of goal f'vc. Prover result is: Unknown or time/memory/step limit. The contracts of some function or loop are too weak, for example during the following execution: File int.mlw: Line 13: Constant zero initialization zero = 0 Line 14: Constant one initialization one = 1 File underspec.mlw: Line 27: Constant z initialization (giant-step) execution of unimplemented function with args: result = 0 Normal execution of function `ref` with args: contents = 0 Normal execution of function `ref'mk` with args: contents = 0 z = {contents= 0} Unknown location: _ = () File underspec.mlw: Line 34: _ = () Execution of main function `f` with env: z = {contents= 0} _ = () zero = 0 one = 1 Line 36: Normal execution of function `Tuple0` with args: Giant-step execution of function `g` with args: _ = () z = {contents= 2} result of `g` = () Line 37: Property failure at assertion with: z = {contents= 2} why3-1.6.0/bench/check-ce/oracles/underspec_CVC4,1.8_WP.oracle000066400000000000000000000067131440160026300234330ustar00rootroot00000000000000File "bench/check-ce/underspec.mlw", line 17, characters 27-33: Sub-goal Loop invariant init of goal f'vc. Prover result is: Valid. Categorizations of models: - Selected model 0: SW - Concrete RAC: NORMAL - Abstract RAC: FAILURE (loop invariant preservation at "bench/check-ce/underspec.mlw", line 17, characters 18-33) - Checked model 1: SW - Concrete RAC: NORMAL - Abstract RAC: FAILURE (loop invariant preservation at "bench/check-ce/underspec.mlw", line 17, characters 18-33) File "bench/check-ce/underspec.mlw", line 17, characters 27-33: Sub-goal Loop invariant preservation of goal f'vc. Prover result is: Unknown or time/memory/step limit. The contracts of some function or loop are too weak, for example during the following execution: File int.mlw: Line 13: Constant zero initialization zero = 0 Line 14: Constant one initialization one = 1 Unknown location: _ = () File underspec.mlw: Line 13: _ = () Execution of main function `f` with env: _ = () zero = 0 one = 1 Line 14: Giant-step execution of function `ref` with args: contents = 0 result of `ref` = {contents= 0} Line 15: Giant-step execution of function `ref` with args: contents = 0 result of `ref` = {contents= 0} Line 16: Giant-step iteration of loop x1 = {contents= (- 1)} x2 = {contents= 0} i = 0 Giant-step iteration of loop Line 18: Normal execution of function `(=)` with args: x = 0 y = 0 Line 19: Normal execution of function `contents` with args: arg = {contents= (- 1)} Normal execution of function `(+)` with args: _ = (- 1) _ = 1 Line 17: Property failure at loop invariant preservation with: x1 = {contents= 0} i = 1 File "bench/check-ce/underspec.mlw", line 17, characters 27-33: Sub-goal Loop invariant preservation of goal f'vc. Prover result is: Valid. File "bench/check-ce/underspec.mlw", line 31, characters 14-23: Sub-goal Postcondition of goal g'vc. Prover result is: Valid. Categorizations of models: - Selected model 0: SW - Concrete RAC: NORMAL - Abstract RAC: FAILURE (assertion at "bench/check-ce/underspec.mlw", line 37, characters 13-18) - Checked model 1: SW - Concrete RAC: NORMAL - Abstract RAC: FAILURE (assertion at "bench/check-ce/underspec.mlw", line 37, characters 13-18) File "bench/check-ce/underspec.mlw", line 37, characters 13-18: Sub-goal Assertion of goal f'vc. Prover result is: Unknown or time/memory/step limit. The contracts of some function or loop are too weak, for example during the following execution: File int.mlw: Line 13: Constant zero initialization zero = 0 Line 14: Constant one initialization one = 1 File underspec.mlw: Line 27: Constant z initialization (giant-step) execution of unimplemented function with args: result = 0 Normal execution of function `ref` with args: contents = 0 Normal execution of function `ref'mk` with args: contents = 0 z = {contents= 0} Unknown location: _ = () File underspec.mlw: Line 34: _ = () Execution of main function `f` with env: z = {contents= 0} _ = () zero = 0 one = 1 Line 36: Normal execution of function `Tuple0` with args: Giant-step execution of function `g` with args: _ = () z = {contents= 2} result of `g` = () Line 37: Property failure at assertion with: z = {contents= 2} why3-1.6.0/bench/check-ce/oracles/underspec_CVC5,1.0.0_SP.oracle000066400000000000000000000064761440160026300235640ustar00rootroot00000000000000File "bench/check-ce/underspec.mlw", line 17, characters 27-33: Sub-goal Loop invariant init of goal f'vc. Prover result is: Valid. Categorizations of models: - Selected model 0: SW - Concrete RAC: NORMAL - Abstract RAC: FAILURE (loop invariant preservation at "bench/check-ce/underspec.mlw", line 17, characters 18-33) - Checked model 1: SW - Concrete RAC: NORMAL - Abstract RAC: FAILURE (loop invariant preservation at "bench/check-ce/underspec.mlw", line 17, characters 18-33) File "bench/check-ce/underspec.mlw", line 17, characters 27-33: Sub-goal Loop invariant preservation of goal f'vc. Prover result is: Unknown or time/memory/step limit. The contracts of some function or loop are too weak, for example during the following execution: File int.mlw: Line 13: Constant zero initialization zero = 0 Line 14: Constant one initialization one = 1 Unknown location: _ = () File underspec.mlw: Line 13: _ = () Execution of main function `f` with env: _ = () zero = 0 one = 1 Line 14: Giant-step execution of function `ref` with args: contents = 0 result of `ref` = {contents= 0} Line 15: Giant-step execution of function `ref` with args: contents = 0 result of `ref` = {contents= 0} Line 16: Giant-step iteration of loop x1 = {contents= (- 1)} x2 = {contents= 0} i = 0 Giant-step iteration of loop Line 18: Normal execution of function `(=)` with args: x = 0 y = 0 Line 19: Normal execution of function `contents` with args: arg = {contents= (- 1)} Normal execution of function `(+)` with args: _ = (- 1) _ = 1 Line 17: Property failure at loop invariant preservation with: x1 = {contents= 0} i = 1 File "bench/check-ce/underspec.mlw", line 31, characters 14-23: Sub-goal Postcondition of goal g'vc. Prover result is: Valid. Categorizations of models: - Selected model 0: SW - Concrete RAC: NORMAL - Abstract RAC: FAILURE (assertion at "bench/check-ce/underspec.mlw", line 37, characters 13-18) - Checked model 1: SW - Concrete RAC: NORMAL - Abstract RAC: FAILURE (assertion at "bench/check-ce/underspec.mlw", line 37, characters 13-18) File "bench/check-ce/underspec.mlw", line 37, characters 13-18: Sub-goal Assertion of goal f'vc. Prover result is: Unknown or time/memory/step limit. The contracts of some function or loop are too weak, for example during the following execution: File int.mlw: Line 13: Constant zero initialization zero = 0 Line 14: Constant one initialization one = 1 File underspec.mlw: Line 27: Constant z initialization (giant-step) execution of unimplemented function with args: result = 0 Normal execution of function `ref` with args: contents = 0 Normal execution of function `ref'mk` with args: contents = 0 z = {contents= 0} Unknown location: _ = () File underspec.mlw: Line 34: _ = () Execution of main function `f` with env: z = {contents= 0} _ = () zero = 0 one = 1 Line 36: Normal execution of function `Tuple0` with args: Giant-step execution of function `g` with args: _ = () z = {contents= 2} result of `g` = () Line 37: Property failure at assertion with: z = {contents= 2} why3-1.6.0/bench/check-ce/oracles/underspec_CVC5,1.0.0_WP.oracle000066400000000000000000000067131440160026300235620ustar00rootroot00000000000000File "bench/check-ce/underspec.mlw", line 17, characters 27-33: Sub-goal Loop invariant init of goal f'vc. Prover result is: Valid. Categorizations of models: - Selected model 0: SW - Concrete RAC: NORMAL - Abstract RAC: FAILURE (loop invariant preservation at "bench/check-ce/underspec.mlw", line 17, characters 18-33) - Checked model 1: SW - Concrete RAC: NORMAL - Abstract RAC: FAILURE (loop invariant preservation at "bench/check-ce/underspec.mlw", line 17, characters 18-33) File "bench/check-ce/underspec.mlw", line 17, characters 27-33: Sub-goal Loop invariant preservation of goal f'vc. Prover result is: Unknown or time/memory/step limit. The contracts of some function or loop are too weak, for example during the following execution: File int.mlw: Line 13: Constant zero initialization zero = 0 Line 14: Constant one initialization one = 1 Unknown location: _ = () File underspec.mlw: Line 13: _ = () Execution of main function `f` with env: _ = () zero = 0 one = 1 Line 14: Giant-step execution of function `ref` with args: contents = 0 result of `ref` = {contents= 0} Line 15: Giant-step execution of function `ref` with args: contents = 0 result of `ref` = {contents= 0} Line 16: Giant-step iteration of loop x1 = {contents= (- 1)} x2 = {contents= 0} i = 0 Giant-step iteration of loop Line 18: Normal execution of function `(=)` with args: x = 0 y = 0 Line 19: Normal execution of function `contents` with args: arg = {contents= (- 1)} Normal execution of function `(+)` with args: _ = (- 1) _ = 1 Line 17: Property failure at loop invariant preservation with: x1 = {contents= 0} i = 1 File "bench/check-ce/underspec.mlw", line 17, characters 27-33: Sub-goal Loop invariant preservation of goal f'vc. Prover result is: Valid. File "bench/check-ce/underspec.mlw", line 31, characters 14-23: Sub-goal Postcondition of goal g'vc. Prover result is: Valid. Categorizations of models: - Selected model 0: SW - Concrete RAC: NORMAL - Abstract RAC: FAILURE (assertion at "bench/check-ce/underspec.mlw", line 37, characters 13-18) - Checked model 1: SW - Concrete RAC: NORMAL - Abstract RAC: FAILURE (assertion at "bench/check-ce/underspec.mlw", line 37, characters 13-18) File "bench/check-ce/underspec.mlw", line 37, characters 13-18: Sub-goal Assertion of goal f'vc. Prover result is: Unknown or time/memory/step limit. The contracts of some function or loop are too weak, for example during the following execution: File int.mlw: Line 13: Constant zero initialization zero = 0 Line 14: Constant one initialization one = 1 File underspec.mlw: Line 27: Constant z initialization (giant-step) execution of unimplemented function with args: result = 0 Normal execution of function `ref` with args: contents = 0 Normal execution of function `ref'mk` with args: contents = 0 z = {contents= 0} Unknown location: _ = () File underspec.mlw: Line 34: _ = () Execution of main function `f` with env: z = {contents= 0} _ = () zero = 0 one = 1 Line 36: Normal execution of function `Tuple0` with args: Giant-step execution of function `g` with args: _ = () z = {contents= 2} result of `g` = () Line 37: Property failure at assertion with: z = {contents= 2} why3-1.6.0/bench/check-ce/oracles/underspec_Z3,4.8.10_SP.oracle000066400000000000000000000065561440160026300234530ustar00rootroot00000000000000File "bench/check-ce/underspec.mlw", line 17, characters 27-33: Sub-goal Loop invariant init of goal f'vc. Prover result is: Valid. Categorizations of models: - Selected model 0: SW - Concrete RAC: NORMAL - Abstract RAC: FAILURE (loop invariant preservation at "bench/check-ce/underspec.mlw", line 17, characters 18-33) - Checked model 1: BAD_CE - Concrete RAC: NORMAL - Abstract RAC: STUCK (failure in loop invariant preservation after last iteration at "bench/check-ce/underspec.mlw", line 17, characters 18-33) File "bench/check-ce/underspec.mlw", line 17, characters 27-33: Sub-goal Loop invariant preservation of goal f'vc. Prover result is: Unknown or time/memory/step limit. The contracts of some function or loop are too weak, for example during the following execution: File int.mlw: Line 13: Constant zero initialization zero = 0 Line 14: Constant one initialization one = 1 Unknown location: _ = () File underspec.mlw: Line 13: _ = () Execution of main function `f` with env: _ = () zero = 0 one = 1 Line 14: Giant-step execution of function `ref` with args: contents = 0 result of `ref` = {contents= 0} Line 15: Giant-step execution of function `ref` with args: contents = 0 result of `ref` = {contents= 0} Line 16: Giant-step iteration of loop x1 = {contents= 1} x2 = {contents= 400} i = 0 Giant-step iteration of loop Line 18: Normal execution of function `(=)` with args: x = 0 y = 0 Line 19: Normal execution of function `contents` with args: arg = {contents= 1} Normal execution of function `(+)` with args: _ = 1 _ = 1 Line 17: Property failure at loop invariant preservation with: x1 = {contents= 2} i = 1 File "bench/check-ce/underspec.mlw", line 31, characters 14-23: Sub-goal Postcondition of goal g'vc. Prover result is: Valid. Categorizations of models: - Selected model 0: SW - Concrete RAC: NORMAL - Abstract RAC: FAILURE (assertion at "bench/check-ce/underspec.mlw", line 37, characters 13-18) - Checked model 1: BAD_CE - Concrete RAC: NORMAL - Abstract RAC: STUCK (failure in postcondition of `g` at "bench/check-ce/underspec.mlw", line 31, characters 14-23) File "bench/check-ce/underspec.mlw", line 37, characters 13-18: Sub-goal Assertion of goal f'vc. Prover result is: Unknown or time/memory/step limit. The contracts of some function or loop are too weak, for example during the following execution: File int.mlw: Line 13: Constant zero initialization zero = 0 Line 14: Constant one initialization one = 1 File underspec.mlw: Line 27: Constant z initialization (giant-step) execution of unimplemented function with args: result = 0 Normal execution of function `ref` with args: contents = 0 Normal execution of function `ref'mk` with args: contents = 0 z = {contents= 0} Unknown location: _ = () File underspec.mlw: Line 34: _ = () Execution of main function `f` with env: z = {contents= 0} _ = () zero = 0 one = 1 Line 36: Normal execution of function `Tuple0` with args: Giant-step execution of function `g` with args: _ = () z = {contents= 2} result of `g` = () Line 37: Property failure at assertion with: z = {contents= 2} why3-1.6.0/bench/check-ce/oracles/underspec_Z3,4.8.10_WP.oracle000066400000000000000000000070201440160026300234420ustar00rootroot00000000000000File "bench/check-ce/underspec.mlw", line 17, characters 27-33: Sub-goal Loop invariant init of goal f'vc. Prover result is: Valid. Categorizations of models: - Selected model 0: SW - Concrete RAC: NORMAL - Abstract RAC: FAILURE (loop invariant preservation at "bench/check-ce/underspec.mlw", line 17, characters 18-33) - Checked model 1: BAD_CE - Concrete RAC: NORMAL - Abstract RAC: STUCK (failure in loop invariant preservation after last iteration at "bench/check-ce/underspec.mlw", line 17, characters 18-33) File "bench/check-ce/underspec.mlw", line 17, characters 27-33: Sub-goal Loop invariant preservation of goal f'vc. Prover result is: Unknown or time/memory/step limit. The contracts of some function or loop are too weak, for example during the following execution: File int.mlw: Line 13: Constant zero initialization zero = 0 Line 14: Constant one initialization one = 1 Unknown location: _ = () File underspec.mlw: Line 13: _ = () Execution of main function `f` with env: _ = () zero = 0 one = 1 Line 14: Giant-step execution of function `ref` with args: contents = 0 result of `ref` = {contents= 0} Line 15: Giant-step execution of function `ref` with args: contents = 0 result of `ref` = {contents= 0} Line 16: Giant-step iteration of loop x1 = {contents= (- 176)} x2 = {contents= 0} i = 0 Giant-step iteration of loop Line 18: Normal execution of function `(=)` with args: x = 0 y = 0 Line 19: Normal execution of function `contents` with args: arg = {contents= (- 176)} Normal execution of function `(+)` with args: _ = (- 176) _ = 1 Line 17: Property failure at loop invariant preservation with: x1 = {contents= (-175)} i = 1 File "bench/check-ce/underspec.mlw", line 17, characters 27-33: Sub-goal Loop invariant preservation of goal f'vc. Prover result is: Valid. File "bench/check-ce/underspec.mlw", line 31, characters 14-23: Sub-goal Postcondition of goal g'vc. Prover result is: Valid. Categorizations of models: - Selected model 0: SW - Concrete RAC: NORMAL - Abstract RAC: FAILURE (assertion at "bench/check-ce/underspec.mlw", line 37, characters 13-18) - Checked model 1: BAD_CE - Concrete RAC: NORMAL - Abstract RAC: STUCK (failure in postcondition of `g` at "bench/check-ce/underspec.mlw", line 31, characters 14-23) File "bench/check-ce/underspec.mlw", line 37, characters 13-18: Sub-goal Assertion of goal f'vc. Prover result is: Unknown or time/memory/step limit. The contracts of some function or loop are too weak, for example during the following execution: File int.mlw: Line 13: Constant zero initialization zero = 0 Line 14: Constant one initialization one = 1 File underspec.mlw: Line 27: Constant z initialization (giant-step) execution of unimplemented function with args: result = 0 Normal execution of function `ref` with args: contents = 0 Normal execution of function `ref'mk` with args: contents = 0 z = {contents= 0} Unknown location: _ = () File underspec.mlw: Line 34: _ = () Execution of main function `f` with env: z = {contents= 0} _ = () zero = 0 one = 1 Line 36: Normal execution of function `Tuple0` with args: Giant-step execution of function `g` with args: _ = () z = {contents= 2} result of `g` = () Line 37: Property failure at assertion with: z = {contents= 2} why3-1.6.0/bench/check-ce/oracles/underspec_Z3,4.8.4_SP.oracle000066400000000000000000000712551440160026300233740ustar00rootroot00000000000000File "bench/check-ce/underspec.mlw", line 17, characters 27-33: Sub-goal Loop invariant init of goal f'vc. Prover result is: Valid (0.02s, 60 steps). Check model 0 ("bench/check-ce/underspec.mlw", line 17, characters 27-33) Checking model: File underspec.mlw: Line 16: i = {"type": "Integer", "val": "0"} x1 = {"type": "Record", "val": {"Field": [{"field": "contents", "value": {"type": "Integer", "val": "-401"}}]}} Line 17: x1 = {"type": "Record", "val": {"Field": [{"field": "contents", "value": {"type": "Integer", "val": "-400"}}]}} x1 = {"type": "Record", "val": {"Field": [{"field": "contents", "value": {"type": "Integer", "val": "-400"}}]}} Line 18: result = {"type": "Boolean", "val": true} Line 19: x1 = {"type": "Record", "val": {"Field": [{"field": "contents", "value": {"type": "Integer", "val": "-400"}}]}} Giant-step RAC RHS evaluated for global `zero` at "WHY3DATA/stdlib/int.mlw", line 13, characters 15-19: 0 RHS evaluated for global `one` at "WHY3DATA/stdlib/int.mlw", line 14, characters 15-18: 1 Type default value for parameter `_` at NO LOC: () Value computed from postcondition for return value of call to ref at "bench/check-ce/underspec.mlw", line 14, characters 17-18 at "bench/check-ce/underspec.mlw", line 14, characters 17-18: {contents= 0} Value computed from postcondition for return value of call to ref at "bench/check-ce/underspec.mlw", line 15, characters 17-18 at "bench/check-ce/underspec.mlw", line 15, characters 17-18: {contents= 0} Value from model for variable `x1` at "bench/check-ce/underspec.mlw", line 16, characters 4-139 at "bench/check-ce/underspec.mlw", line 16, characters 4-139: {contents= (-401)} Type default value for variable `x2` at "bench/check-ce/underspec.mlw", line 16, characters 4-139 at "bench/check-ce/underspec.mlw", line 16, characters 4-139: {contents= 0} Value from model for variable `i` at "bench/check-ce/underspec.mlw", line 16, characters 8-9: 0 Normal RAC RHS evaluated for global `zero` at "WHY3DATA/stdlib/int.mlw", line 13, characters 15-19: 0 RHS evaluated for global `one` at "WHY3DATA/stdlib/int.mlw", line 14, characters 15-18: 1 Type default value for parameter `_` at NO LOC: () Result of checking model 0: SW - Concrete RAC: NORMAL File int.mlw: Line 13: Constant zero initialization zero = 0 Line 14: Constant one initialization one = 1 Unknown location: _ = () File underspec.mlw: Line 13: _ = () Execution of main function `f` with env: _ = () zero = 0 one = 1 Line 14: Normal execution of function `ref` with args: contents = 0 Normal execution of function `ref'mk` with args: contents = 0 Line 15: Normal execution of function `ref` with args: contents = 0 Normal execution of function `ref'mk` with args: contents = 0 Line 16: Normal iteration of loop Line 18: Normal execution of function `(=)` with args: x = 0 y = 0 Line 19: Normal execution of function `contents` with args: arg = {contents= 0} Normal execution of function `(+)` with args: _ = 0 _ = 1 Line 16: Normal iteration of loop Line 18: Normal execution of function `(=)` with args: x = 1 y = 0 Line 21: Normal execution of function `contents` with args: arg = {contents= 0} Normal execution of function `(+)` with args: _ = 0 _ = 1 Line 13: Execution of main function terminated normally - Abstract RAC: FAILURE (loop invariant preservation at "bench/check-ce/underspec.mlw", line 17, characters 18-33) File int.mlw: Line 13: Constant zero initialization zero = 0 Line 14: Constant one initialization one = 1 Unknown location: _ = () File underspec.mlw: Line 13: _ = () Execution of main function `f` with env: _ = () zero = 0 one = 1 Line 14: Giant-step execution of function `ref` with args: contents = 0 result of `ref` = {contents= 0} Line 15: Giant-step execution of function `ref` with args: contents = 0 result of `ref` = {contents= 0} Line 16: Giant-step iteration of loop x1 = {contents= (-401)} x2 = {contents= 0} i = 0 Giant-step iteration of loop Line 18: Normal execution of function `(=)` with args: x = 0 y = 0 Line 19: Normal execution of function `contents` with args: arg = {contents= (-401)} Normal execution of function `(+)` with args: _ = (-401) _ = 1 Line 17: Property failure at loop invariant preservation with: x1 = {contents= (-400)} i = 1 Check model 1 ("bench/check-ce/underspec.mlw", line 17, characters 27-33) Checking model: File underspec.mlw: Line 16: i = {"type": "Integer", "val": "0"} x1 = {"type": "Record", "val": {"Field": [{"field": "contents", "value": {"type": "Integer", "val": "-6083"}}]}} Line 17: x1 = {"type": "Record", "val": {"Field": [{"field": "contents", "value": {"type": "Integer", "val": "-6082"}}]}} x1 = {"type": "Record", "val": {"Field": [{"field": "contents", "value": {"type": "Integer", "val": "-6082"}}]}} Line 18: result = {"type": "Boolean", "val": true} Line 19: x1 = {"type": "Record", "val": {"Field": [{"field": "contents", "value": {"type": "Integer", "val": "-6082"}}]}} Giant-step RAC RHS evaluated for global `zero` at "WHY3DATA/stdlib/int.mlw", line 13, characters 15-19: 0 RHS evaluated for global `one` at "WHY3DATA/stdlib/int.mlw", line 14, characters 15-18: 1 Type default value for parameter `_` at NO LOC: () Value computed from postcondition for return value of call to ref at "bench/check-ce/underspec.mlw", line 14, characters 17-18 at "bench/check-ce/underspec.mlw", line 14, characters 17-18: {contents= 0} Value computed from postcondition for return value of call to ref at "bench/check-ce/underspec.mlw", line 15, characters 17-18 at "bench/check-ce/underspec.mlw", line 15, characters 17-18: {contents= 0} Value from model for variable `x1` at "bench/check-ce/underspec.mlw", line 16, characters 4-139 at "bench/check-ce/underspec.mlw", line 16, characters 4-139: {contents= (-6083)} Type default value for variable `x2` at "bench/check-ce/underspec.mlw", line 16, characters 4-139 at "bench/check-ce/underspec.mlw", line 16, characters 4-139: {contents= 0} Value from model for variable `i` at "bench/check-ce/underspec.mlw", line 16, characters 8-9: 0 Normal RAC RHS evaluated for global `zero` at "WHY3DATA/stdlib/int.mlw", line 13, characters 15-19: 0 RHS evaluated for global `one` at "WHY3DATA/stdlib/int.mlw", line 14, characters 15-18: 1 Type default value for parameter `_` at NO LOC: () Result of checking model 1: SW - Concrete RAC: NORMAL File int.mlw: Line 13: Constant zero initialization zero = 0 Line 14: Constant one initialization one = 1 Unknown location: _ = () File underspec.mlw: Line 13: _ = () Execution of main function `f` with env: _ = () zero = 0 one = 1 Line 14: Normal execution of function `ref` with args: contents = 0 Normal execution of function `ref'mk` with args: contents = 0 Line 15: Normal execution of function `ref` with args: contents = 0 Normal execution of function `ref'mk` with args: contents = 0 Line 16: Normal iteration of loop Line 18: Normal execution of function `(=)` with args: x = 0 y = 0 Line 19: Normal execution of function `contents` with args: arg = {contents= 0} Normal execution of function `(+)` with args: _ = 0 _ = 1 Line 16: Normal iteration of loop Line 18: Normal execution of function `(=)` with args: x = 1 y = 0 Line 21: Normal execution of function `contents` with args: arg = {contents= 0} Normal execution of function `(+)` with args: _ = 0 _ = 1 Line 13: Execution of main function terminated normally - Abstract RAC: FAILURE (loop invariant preservation at "bench/check-ce/underspec.mlw", line 17, characters 18-33) File int.mlw: Line 13: Constant zero initialization zero = 0 Line 14: Constant one initialization one = 1 Unknown location: _ = () File underspec.mlw: Line 13: _ = () Execution of main function `f` with env: _ = () zero = 0 one = 1 Line 14: Giant-step execution of function `ref` with args: contents = 0 result of `ref` = {contents= 0} Line 15: Giant-step execution of function `ref` with args: contents = 0 result of `ref` = {contents= 0} Line 16: Giant-step iteration of loop x1 = {contents= (-6083)} x2 = {contents= 0} i = 0 Giant-step iteration of loop Line 18: Normal execution of function `(=)` with args: x = 0 y = 0 Line 19: Normal execution of function `contents` with args: arg = {contents= (-6083)} Normal execution of function `(+)` with args: _ = (-6083) _ = 1 Line 17: Property failure at loop invariant preservation with: x1 = {contents= (-6082)} i = 1 Results: - Selected model 0: SW - Concrete RAC: NORMAL - Abstract RAC: FAILURE (loop invariant preservation at "bench/check-ce/underspec.mlw", line 17, characters 18-33) - Checked model 1: SW - Concrete RAC: NORMAL - Abstract RAC: FAILURE (loop invariant preservation at "bench/check-ce/underspec.mlw", line 17, characters 18-33) File "bench/check-ce/underspec.mlw", line 17, characters 27-33: Sub-goal Loop invariant preservation of goal f'vc. Prover result is: Unknown (unknown) (1.23s, 7500000 steps). The contracts of some function or loop are too weak, for example during the following execution: File int.mlw: Line 13: Constant zero initialization zero = 0 Line 14: Constant one initialization one = 1 Unknown location: _ = () File underspec.mlw: Line 13: _ = () Execution of main function `f` with env: _ = () zero = 0 one = 1 Line 14: Giant-step execution of function `ref` with args: contents = 0 result of `ref` = {contents= 0} Line 15: Giant-step execution of function `ref` with args: contents = 0 result of `ref` = {contents= 0} Line 16: Giant-step iteration of loop x1 = {contents= (-401)} x2 = {contents= 0} i = 0 Giant-step iteration of loop Line 18: Normal execution of function `(=)` with args: x = 0 y = 0 Line 19: Normal execution of function `contents` with args: arg = {contents= (-401)} Normal execution of function `(+)` with args: _ = (-401) _ = 1 Line 17: Property failure at loop invariant preservation with: x1 = {contents= (-400)} i = 1 File "bench/check-ce/underspec.mlw", line 17, characters 27-33: Sub-goal Loop invariant preservation of goal f'vc. Prover result is: Valid (0.01s, 2619 steps). File "bench/check-ce/underspec.mlw", line 41, characters 14-23: Sub-goal Postcondition of goal g'vc. Prover result is: Valid (0.01s, 159 steps). Check model 0 ("bench/check-ce/underspec.mlw", line 47, characters 13-18) Checking model: File underspec.mlw: Line 41: z = {"type": "Record", "val": {"Field": [{"field": "contents", "value": {"type": "Integer", "val": "0"}}]}} z = {"type": "Record", "val": {"Field": [{"field": "contents", "value": {"type": "Integer", "val": "2"}}]}} Line 45: z = {"type": "Record", "val": {"Field": [{"field": "contents", "value": {"type": "Integer", "val": "0"}}]}} Line 46: z = {"type": "Record", "val": {"Field": [{"field": "contents", "value": {"type": "Integer", "val": "2"}}]}} Line 47: z = {"type": "Record", "val": {"Field": [{"field": "contents", "value": {"type": "Integer", "val": "2"}}]}} Giant-step RAC RHS evaluated for global `zero` at "WHY3DATA/stdlib/int.mlw", line 13, characters 15-19: 0 RHS evaluated for global `one` at "WHY3DATA/stdlib/int.mlw", line 14, characters 15-18: 1 Type default value for return value of call at "bench/check-ce/underspec.mlw", line 37, characters 11-16 at "bench/check-ce/underspec.mlw", line 37, characters 11-16: 0 RHS evaluated for global `z` at "bench/check-ce/underspec.mlw", line 37, characters 10-11: {contents= 0} Type default value for parameter `_` at NO LOC: () Value from model for variable `z` at "bench/check-ce/underspec.mlw", line 46, characters 4-8 at "bench/check-ce/underspec.mlw", line 46, characters 4-8: {contents= 2} Type default value for return value of call to g at "bench/check-ce/underspec.mlw", line 46, characters 4-8 at "bench/check-ce/underspec.mlw", line 46, characters 4-8: () Normal RAC RHS evaluated for global `zero` at "WHY3DATA/stdlib/int.mlw", line 13, characters 15-19: 0 RHS evaluated for global `one` at "WHY3DATA/stdlib/int.mlw", line 14, characters 15-18: 1 Type default value for return value of call at "bench/check-ce/underspec.mlw", line 37, characters 11-16 at "bench/check-ce/underspec.mlw", line 37, characters 11-16: 0 RHS evaluated for global `z` at "bench/check-ce/underspec.mlw", line 37, characters 10-11: {contents= 0} Type default value for parameter `_` at NO LOC: () Result of checking model 0: SW - Concrete RAC: NORMAL File int.mlw: Line 13: Constant zero initialization zero = 0 Line 14: Constant one initialization one = 1 File underspec.mlw: Line 37: Constant z initialization (giant-step) execution of unimplemented function with args: result = 0 Normal execution of function `ref` with args: contents = 0 Normal execution of function `ref'mk` with args: contents = 0 z = {contents= 0} Unknown location: _ = () File underspec.mlw: Line 44: _ = () Execution of main function `f` with env: z = {contents= 0} _ = () zero = 0 one = 1 Line 46: Normal execution of function `Tuple0` with args: Normal execution of function `g` with args: _ = () Line 42: Normal execution of function `contents` with args: arg = {contents= 0} Normal execution of function `(+)` with args: _ = 0 _ = 1 Line 44: Execution of main function terminated normally - Abstract RAC: FAILURE (assertion at "bench/check-ce/underspec.mlw", line 47, characters 13-18) File int.mlw: Line 13: Constant zero initialization zero = 0 Line 14: Constant one initialization one = 1 File underspec.mlw: Line 37: Constant z initialization (giant-step) execution of unimplemented function with args: result = 0 Normal execution of function `ref` with args: contents = 0 Normal execution of function `ref'mk` with args: contents = 0 z = {contents= 0} Unknown location: _ = () File underspec.mlw: Line 44: _ = () Execution of main function `f` with env: z = {contents= 0} _ = () zero = 0 one = 1 Line 46: Normal execution of function `Tuple0` with args: Giant-step execution of function `g` with args: _ = () z = {contents= 2} result of `g` = () Line 47: Property failure at assertion with: z = {contents= 2} Check model 1 ("bench/check-ce/underspec.mlw", line 47, characters 13-18) Checking model: File underspec.mlw: Line 41: z = {"type": "Record", "val": {"Field": [{"field": "contents", "value": {"type": "Integer", "val": "0"}}]}} z = {"type": "Record", "val": {"Field": [{"field": "contents", "value": {"type": "Integer", "val": "177"}}]}} Line 45: z = {"type": "Record", "val": {"Field": [{"field": "contents", "value": {"type": "Integer", "val": "0"}}]}} Line 46: z = {"type": "Record", "val": {"Field": [{"field": "contents", "value": {"type": "Integer", "val": "177"}}]}} Line 47: z = {"type": "Record", "val": {"Field": [{"field": "contents", "value": {"type": "Integer", "val": "177"}}]}} Giant-step RAC RHS evaluated for global `zero` at "WHY3DATA/stdlib/int.mlw", line 13, characters 15-19: 0 RHS evaluated for global `one` at "WHY3DATA/stdlib/int.mlw", line 14, characters 15-18: 1 Type default value for return value of call at "bench/check-ce/underspec.mlw", line 37, characters 11-16 at "bench/check-ce/underspec.mlw", line 37, characters 11-16: 0 RHS evaluated for global `z` at "bench/check-ce/underspec.mlw", line 37, characters 10-11: {contents= 0} Type default value for parameter `_` at NO LOC: () Value from model for variable `z` at "bench/check-ce/underspec.mlw", line 46, characters 4-8 at "bench/check-ce/underspec.mlw", line 46, characters 4-8: {contents= 177} Type default value for return value of call to g at "bench/check-ce/underspec.mlw", line 46, characters 4-8 at "bench/check-ce/underspec.mlw", line 46, characters 4-8: () Normal RAC RHS evaluated for global `zero` at "WHY3DATA/stdlib/int.mlw", line 13, characters 15-19: 0 RHS evaluated for global `one` at "WHY3DATA/stdlib/int.mlw", line 14, characters 15-18: 1 Type default value for return value of call at "bench/check-ce/underspec.mlw", line 37, characters 11-16 at "bench/check-ce/underspec.mlw", line 37, characters 11-16: 0 RHS evaluated for global `z` at "bench/check-ce/underspec.mlw", line 37, characters 10-11: {contents= 0} Type default value for parameter `_` at NO LOC: () Result of checking model 1: SW - Concrete RAC: NORMAL File int.mlw: Line 13: Constant zero initialization zero = 0 Line 14: Constant one initialization one = 1 File underspec.mlw: Line 37: Constant z initialization (giant-step) execution of unimplemented function with args: result = 0 Normal execution of function `ref` with args: contents = 0 Normal execution of function `ref'mk` with args: contents = 0 z = {contents= 0} Unknown location: _ = () File underspec.mlw: Line 44: _ = () Execution of main function `f` with env: z = {contents= 0} _ = () zero = 0 one = 1 Line 46: Normal execution of function `Tuple0` with args: Normal execution of function `g` with args: _ = () Line 42: Normal execution of function `contents` with args: arg = {contents= 0} Normal execution of function `(+)` with args: _ = 0 _ = 1 Line 44: Execution of main function terminated normally - Abstract RAC: FAILURE (assertion at "bench/check-ce/underspec.mlw", line 47, characters 13-18) File int.mlw: Line 13: Constant zero initialization zero = 0 Line 14: Constant one initialization one = 1 File underspec.mlw: Line 37: Constant z initialization (giant-step) execution of unimplemented function with args: result = 0 Normal execution of function `ref` with args: contents = 0 Normal execution of function `ref'mk` with args: contents = 0 z = {contents= 0} Unknown location: _ = () File underspec.mlw: Line 44: _ = () Execution of main function `f` with env: z = {contents= 0} _ = () zero = 0 one = 1 Line 46: Normal execution of function `Tuple0` with args: Giant-step execution of function `g` with args: _ = () z = {contents= 177} result of `g` = () Line 47: Property failure at assertion with: z = {contents= 177} Results: - Selected model 0: SW - Concrete RAC: NORMAL - Abstract RAC: FAILURE (assertion at "bench/check-ce/underspec.mlw", line 47, characters 13-18) - Checked model 1: SW - Concrete RAC: NORMAL - Abstract RAC: FAILURE (assertion at "bench/check-ce/underspec.mlw", line 47, characters 13-18) File "bench/check-ce/underspec.mlw", line 47, characters 13-18: Sub-goal Assertion of goal f'vc. Prover result is: Unknown (unknown) (1.34s, 7500000 steps). The contracts of some function or loop are too weak, for example during the following execution: File int.mlw: Line 13: Constant zero initialization zero = 0 Line 14: Constant one initialization one = 1 File underspec.mlw: Line 37: Constant z initialization (giant-step) execution of unimplemented function with args: result = 0 Normal execution of function `ref` with args: contents = 0 Normal execution of function `ref'mk` with args: contents = 0 z = {contents= 0} Unknown location: _ = () File underspec.mlw: Line 44: _ = () Execution of main function `f` with env: z = {contents= 0} _ = () zero = 0 one = 1 Line 46: Normal execution of function `Tuple0` with args: Giant-step execution of function `g` with args: _ = () z = {contents= 2} result of `g` = () Line 47: Property failure at assertion with: z = {contents= 2} why3-1.6.0/bench/check-ce/oracles/underspec_Z3,4.8.4_WP.oracle000066400000000000000000000712551440160026300234000ustar00rootroot00000000000000File "bench/check-ce/underspec.mlw", line 17, characters 27-33: Sub-goal Loop invariant init of goal f'vc. Prover result is: Valid (0.02s, 60 steps). Check model 0 ("bench/check-ce/underspec.mlw", line 17, characters 27-33) Checking model: File underspec.mlw: Line 16: i = {"type": "Integer", "val": "0"} x1 = {"type": "Record", "val": {"Field": [{"field": "contents", "value": {"type": "Integer", "val": "-401"}}]}} Line 17: x1 = {"type": "Record", "val": {"Field": [{"field": "contents", "value": {"type": "Integer", "val": "-400"}}]}} x1 = {"type": "Record", "val": {"Field": [{"field": "contents", "value": {"type": "Integer", "val": "-400"}}]}} Line 18: result = {"type": "Boolean", "val": true} Line 19: x1 = {"type": "Record", "val": {"Field": [{"field": "contents", "value": {"type": "Integer", "val": "-400"}}]}} Giant-step RAC RHS evaluated for global `zero` at "WHY3DATA/stdlib/int.mlw", line 13, characters 15-19: 0 RHS evaluated for global `one` at "WHY3DATA/stdlib/int.mlw", line 14, characters 15-18: 1 Type default value for parameter `_` at NO LOC: () Value computed from postcondition for return value of call to ref at "bench/check-ce/underspec.mlw", line 14, characters 17-18 at "bench/check-ce/underspec.mlw", line 14, characters 17-18: {contents= 0} Value computed from postcondition for return value of call to ref at "bench/check-ce/underspec.mlw", line 15, characters 17-18 at "bench/check-ce/underspec.mlw", line 15, characters 17-18: {contents= 0} Value from model for variable `x1` at "bench/check-ce/underspec.mlw", line 16, characters 4-139 at "bench/check-ce/underspec.mlw", line 16, characters 4-139: {contents= (-401)} Type default value for variable `x2` at "bench/check-ce/underspec.mlw", line 16, characters 4-139 at "bench/check-ce/underspec.mlw", line 16, characters 4-139: {contents= 0} Value from model for variable `i` at "bench/check-ce/underspec.mlw", line 16, characters 8-9: 0 Normal RAC RHS evaluated for global `zero` at "WHY3DATA/stdlib/int.mlw", line 13, characters 15-19: 0 RHS evaluated for global `one` at "WHY3DATA/stdlib/int.mlw", line 14, characters 15-18: 1 Type default value for parameter `_` at NO LOC: () Result of checking model 0: SW - Concrete RAC: NORMAL File int.mlw: Line 13: Constant zero initialization zero = 0 Line 14: Constant one initialization one = 1 Unknown location: _ = () File underspec.mlw: Line 13: _ = () Execution of main function `f` with env: _ = () zero = 0 one = 1 Line 14: Normal execution of function `ref` with args: contents = 0 Normal execution of function `ref'mk` with args: contents = 0 Line 15: Normal execution of function `ref` with args: contents = 0 Normal execution of function `ref'mk` with args: contents = 0 Line 16: Normal iteration of loop Line 18: Normal execution of function `(=)` with args: x = 0 y = 0 Line 19: Normal execution of function `contents` with args: arg = {contents= 0} Normal execution of function `(+)` with args: _ = 0 _ = 1 Line 16: Normal iteration of loop Line 18: Normal execution of function `(=)` with args: x = 1 y = 0 Line 21: Normal execution of function `contents` with args: arg = {contents= 0} Normal execution of function `(+)` with args: _ = 0 _ = 1 Line 13: Execution of main function terminated normally - Abstract RAC: FAILURE (loop invariant preservation at "bench/check-ce/underspec.mlw", line 17, characters 18-33) File int.mlw: Line 13: Constant zero initialization zero = 0 Line 14: Constant one initialization one = 1 Unknown location: _ = () File underspec.mlw: Line 13: _ = () Execution of main function `f` with env: _ = () zero = 0 one = 1 Line 14: Giant-step execution of function `ref` with args: contents = 0 result of `ref` = {contents= 0} Line 15: Giant-step execution of function `ref` with args: contents = 0 result of `ref` = {contents= 0} Line 16: Giant-step iteration of loop x1 = {contents= (-401)} x2 = {contents= 0} i = 0 Giant-step iteration of loop Line 18: Normal execution of function `(=)` with args: x = 0 y = 0 Line 19: Normal execution of function `contents` with args: arg = {contents= (-401)} Normal execution of function `(+)` with args: _ = (-401) _ = 1 Line 17: Property failure at loop invariant preservation with: x1 = {contents= (-400)} i = 1 Check model 1 ("bench/check-ce/underspec.mlw", line 17, characters 27-33) Checking model: File underspec.mlw: Line 16: i = {"type": "Integer", "val": "0"} x1 = {"type": "Record", "val": {"Field": [{"field": "contents", "value": {"type": "Integer", "val": "-6083"}}]}} Line 17: x1 = {"type": "Record", "val": {"Field": [{"field": "contents", "value": {"type": "Integer", "val": "-6082"}}]}} x1 = {"type": "Record", "val": {"Field": [{"field": "contents", "value": {"type": "Integer", "val": "-6082"}}]}} Line 18: result = {"type": "Boolean", "val": true} Line 19: x1 = {"type": "Record", "val": {"Field": [{"field": "contents", "value": {"type": "Integer", "val": "-6082"}}]}} Giant-step RAC RHS evaluated for global `zero` at "WHY3DATA/stdlib/int.mlw", line 13, characters 15-19: 0 RHS evaluated for global `one` at "WHY3DATA/stdlib/int.mlw", line 14, characters 15-18: 1 Type default value for parameter `_` at NO LOC: () Value computed from postcondition for return value of call to ref at "bench/check-ce/underspec.mlw", line 14, characters 17-18 at "bench/check-ce/underspec.mlw", line 14, characters 17-18: {contents= 0} Value computed from postcondition for return value of call to ref at "bench/check-ce/underspec.mlw", line 15, characters 17-18 at "bench/check-ce/underspec.mlw", line 15, characters 17-18: {contents= 0} Value from model for variable `x1` at "bench/check-ce/underspec.mlw", line 16, characters 4-139 at "bench/check-ce/underspec.mlw", line 16, characters 4-139: {contents= (-6083)} Type default value for variable `x2` at "bench/check-ce/underspec.mlw", line 16, characters 4-139 at "bench/check-ce/underspec.mlw", line 16, characters 4-139: {contents= 0} Value from model for variable `i` at "bench/check-ce/underspec.mlw", line 16, characters 8-9: 0 Normal RAC RHS evaluated for global `zero` at "WHY3DATA/stdlib/int.mlw", line 13, characters 15-19: 0 RHS evaluated for global `one` at "WHY3DATA/stdlib/int.mlw", line 14, characters 15-18: 1 Type default value for parameter `_` at NO LOC: () Result of checking model 1: SW - Concrete RAC: NORMAL File int.mlw: Line 13: Constant zero initialization zero = 0 Line 14: Constant one initialization one = 1 Unknown location: _ = () File underspec.mlw: Line 13: _ = () Execution of main function `f` with env: _ = () zero = 0 one = 1 Line 14: Normal execution of function `ref` with args: contents = 0 Normal execution of function `ref'mk` with args: contents = 0 Line 15: Normal execution of function `ref` with args: contents = 0 Normal execution of function `ref'mk` with args: contents = 0 Line 16: Normal iteration of loop Line 18: Normal execution of function `(=)` with args: x = 0 y = 0 Line 19: Normal execution of function `contents` with args: arg = {contents= 0} Normal execution of function `(+)` with args: _ = 0 _ = 1 Line 16: Normal iteration of loop Line 18: Normal execution of function `(=)` with args: x = 1 y = 0 Line 21: Normal execution of function `contents` with args: arg = {contents= 0} Normal execution of function `(+)` with args: _ = 0 _ = 1 Line 13: Execution of main function terminated normally - Abstract RAC: FAILURE (loop invariant preservation at "bench/check-ce/underspec.mlw", line 17, characters 18-33) File int.mlw: Line 13: Constant zero initialization zero = 0 Line 14: Constant one initialization one = 1 Unknown location: _ = () File underspec.mlw: Line 13: _ = () Execution of main function `f` with env: _ = () zero = 0 one = 1 Line 14: Giant-step execution of function `ref` with args: contents = 0 result of `ref` = {contents= 0} Line 15: Giant-step execution of function `ref` with args: contents = 0 result of `ref` = {contents= 0} Line 16: Giant-step iteration of loop x1 = {contents= (-6083)} x2 = {contents= 0} i = 0 Giant-step iteration of loop Line 18: Normal execution of function `(=)` with args: x = 0 y = 0 Line 19: Normal execution of function `contents` with args: arg = {contents= (-6083)} Normal execution of function `(+)` with args: _ = (-6083) _ = 1 Line 17: Property failure at loop invariant preservation with: x1 = {contents= (-6082)} i = 1 Results: - Selected model 0: SW - Concrete RAC: NORMAL - Abstract RAC: FAILURE (loop invariant preservation at "bench/check-ce/underspec.mlw", line 17, characters 18-33) - Checked model 1: SW - Concrete RAC: NORMAL - Abstract RAC: FAILURE (loop invariant preservation at "bench/check-ce/underspec.mlw", line 17, characters 18-33) File "bench/check-ce/underspec.mlw", line 17, characters 27-33: Sub-goal Loop invariant preservation of goal f'vc. Prover result is: Unknown (unknown) (1.24s, 7500000 steps). The contracts of some function or loop are too weak, for example during the following execution: File int.mlw: Line 13: Constant zero initialization zero = 0 Line 14: Constant one initialization one = 1 Unknown location: _ = () File underspec.mlw: Line 13: _ = () Execution of main function `f` with env: _ = () zero = 0 one = 1 Line 14: Giant-step execution of function `ref` with args: contents = 0 result of `ref` = {contents= 0} Line 15: Giant-step execution of function `ref` with args: contents = 0 result of `ref` = {contents= 0} Line 16: Giant-step iteration of loop x1 = {contents= (-401)} x2 = {contents= 0} i = 0 Giant-step iteration of loop Line 18: Normal execution of function `(=)` with args: x = 0 y = 0 Line 19: Normal execution of function `contents` with args: arg = {contents= (-401)} Normal execution of function `(+)` with args: _ = (-401) _ = 1 Line 17: Property failure at loop invariant preservation with: x1 = {contents= (-400)} i = 1 File "bench/check-ce/underspec.mlw", line 17, characters 27-33: Sub-goal Loop invariant preservation of goal f'vc. Prover result is: Valid (0.01s, 2619 steps). File "bench/check-ce/underspec.mlw", line 41, characters 14-23: Sub-goal Postcondition of goal g'vc. Prover result is: Valid (0.01s, 159 steps). Check model 0 ("bench/check-ce/underspec.mlw", line 47, characters 13-18) Checking model: File underspec.mlw: Line 41: z = {"type": "Record", "val": {"Field": [{"field": "contents", "value": {"type": "Integer", "val": "0"}}]}} z = {"type": "Record", "val": {"Field": [{"field": "contents", "value": {"type": "Integer", "val": "2"}}]}} Line 45: z = {"type": "Record", "val": {"Field": [{"field": "contents", "value": {"type": "Integer", "val": "0"}}]}} Line 46: z = {"type": "Record", "val": {"Field": [{"field": "contents", "value": {"type": "Integer", "val": "2"}}]}} Line 47: z = {"type": "Record", "val": {"Field": [{"field": "contents", "value": {"type": "Integer", "val": "2"}}]}} Giant-step RAC RHS evaluated for global `zero` at "WHY3DATA/stdlib/int.mlw", line 13, characters 15-19: 0 RHS evaluated for global `one` at "WHY3DATA/stdlib/int.mlw", line 14, characters 15-18: 1 Type default value for return value of call at "bench/check-ce/underspec.mlw", line 37, characters 11-16 at "bench/check-ce/underspec.mlw", line 37, characters 11-16: 0 RHS evaluated for global `z` at "bench/check-ce/underspec.mlw", line 37, characters 10-11: {contents= 0} Type default value for parameter `_` at NO LOC: () Value from model for variable `z` at "bench/check-ce/underspec.mlw", line 46, characters 4-8 at "bench/check-ce/underspec.mlw", line 46, characters 4-8: {contents= 2} Type default value for return value of call to g at "bench/check-ce/underspec.mlw", line 46, characters 4-8 at "bench/check-ce/underspec.mlw", line 46, characters 4-8: () Normal RAC RHS evaluated for global `zero` at "WHY3DATA/stdlib/int.mlw", line 13, characters 15-19: 0 RHS evaluated for global `one` at "WHY3DATA/stdlib/int.mlw", line 14, characters 15-18: 1 Type default value for return value of call at "bench/check-ce/underspec.mlw", line 37, characters 11-16 at "bench/check-ce/underspec.mlw", line 37, characters 11-16: 0 RHS evaluated for global `z` at "bench/check-ce/underspec.mlw", line 37, characters 10-11: {contents= 0} Type default value for parameter `_` at NO LOC: () Result of checking model 0: SW - Concrete RAC: NORMAL File int.mlw: Line 13: Constant zero initialization zero = 0 Line 14: Constant one initialization one = 1 File underspec.mlw: Line 37: Constant z initialization (giant-step) execution of unimplemented function with args: result = 0 Normal execution of function `ref` with args: contents = 0 Normal execution of function `ref'mk` with args: contents = 0 z = {contents= 0} Unknown location: _ = () File underspec.mlw: Line 44: _ = () Execution of main function `f` with env: z = {contents= 0} _ = () zero = 0 one = 1 Line 46: Normal execution of function `Tuple0` with args: Normal execution of function `g` with args: _ = () Line 42: Normal execution of function `contents` with args: arg = {contents= 0} Normal execution of function `(+)` with args: _ = 0 _ = 1 Line 44: Execution of main function terminated normally - Abstract RAC: FAILURE (assertion at "bench/check-ce/underspec.mlw", line 47, characters 13-18) File int.mlw: Line 13: Constant zero initialization zero = 0 Line 14: Constant one initialization one = 1 File underspec.mlw: Line 37: Constant z initialization (giant-step) execution of unimplemented function with args: result = 0 Normal execution of function `ref` with args: contents = 0 Normal execution of function `ref'mk` with args: contents = 0 z = {contents= 0} Unknown location: _ = () File underspec.mlw: Line 44: _ = () Execution of main function `f` with env: z = {contents= 0} _ = () zero = 0 one = 1 Line 46: Normal execution of function `Tuple0` with args: Giant-step execution of function `g` with args: _ = () z = {contents= 2} result of `g` = () Line 47: Property failure at assertion with: z = {contents= 2} Check model 1 ("bench/check-ce/underspec.mlw", line 47, characters 13-18) Checking model: File underspec.mlw: Line 41: z = {"type": "Record", "val": {"Field": [{"field": "contents", "value": {"type": "Integer", "val": "0"}}]}} z = {"type": "Record", "val": {"Field": [{"field": "contents", "value": {"type": "Integer", "val": "177"}}]}} Line 45: z = {"type": "Record", "val": {"Field": [{"field": "contents", "value": {"type": "Integer", "val": "0"}}]}} Line 46: z = {"type": "Record", "val": {"Field": [{"field": "contents", "value": {"type": "Integer", "val": "177"}}]}} Line 47: z = {"type": "Record", "val": {"Field": [{"field": "contents", "value": {"type": "Integer", "val": "177"}}]}} Giant-step RAC RHS evaluated for global `zero` at "WHY3DATA/stdlib/int.mlw", line 13, characters 15-19: 0 RHS evaluated for global `one` at "WHY3DATA/stdlib/int.mlw", line 14, characters 15-18: 1 Type default value for return value of call at "bench/check-ce/underspec.mlw", line 37, characters 11-16 at "bench/check-ce/underspec.mlw", line 37, characters 11-16: 0 RHS evaluated for global `z` at "bench/check-ce/underspec.mlw", line 37, characters 10-11: {contents= 0} Type default value for parameter `_` at NO LOC: () Value from model for variable `z` at "bench/check-ce/underspec.mlw", line 46, characters 4-8 at "bench/check-ce/underspec.mlw", line 46, characters 4-8: {contents= 177} Type default value for return value of call to g at "bench/check-ce/underspec.mlw", line 46, characters 4-8 at "bench/check-ce/underspec.mlw", line 46, characters 4-8: () Normal RAC RHS evaluated for global `zero` at "WHY3DATA/stdlib/int.mlw", line 13, characters 15-19: 0 RHS evaluated for global `one` at "WHY3DATA/stdlib/int.mlw", line 14, characters 15-18: 1 Type default value for return value of call at "bench/check-ce/underspec.mlw", line 37, characters 11-16 at "bench/check-ce/underspec.mlw", line 37, characters 11-16: 0 RHS evaluated for global `z` at "bench/check-ce/underspec.mlw", line 37, characters 10-11: {contents= 0} Type default value for parameter `_` at NO LOC: () Result of checking model 1: SW - Concrete RAC: NORMAL File int.mlw: Line 13: Constant zero initialization zero = 0 Line 14: Constant one initialization one = 1 File underspec.mlw: Line 37: Constant z initialization (giant-step) execution of unimplemented function with args: result = 0 Normal execution of function `ref` with args: contents = 0 Normal execution of function `ref'mk` with args: contents = 0 z = {contents= 0} Unknown location: _ = () File underspec.mlw: Line 44: _ = () Execution of main function `f` with env: z = {contents= 0} _ = () zero = 0 one = 1 Line 46: Normal execution of function `Tuple0` with args: Normal execution of function `g` with args: _ = () Line 42: Normal execution of function `contents` with args: arg = {contents= 0} Normal execution of function `(+)` with args: _ = 0 _ = 1 Line 44: Execution of main function terminated normally - Abstract RAC: FAILURE (assertion at "bench/check-ce/underspec.mlw", line 47, characters 13-18) File int.mlw: Line 13: Constant zero initialization zero = 0 Line 14: Constant one initialization one = 1 File underspec.mlw: Line 37: Constant z initialization (giant-step) execution of unimplemented function with args: result = 0 Normal execution of function `ref` with args: contents = 0 Normal execution of function `ref'mk` with args: contents = 0 z = {contents= 0} Unknown location: _ = () File underspec.mlw: Line 44: _ = () Execution of main function `f` with env: z = {contents= 0} _ = () zero = 0 one = 1 Line 46: Normal execution of function `Tuple0` with args: Giant-step execution of function `g` with args: _ = () z = {contents= 177} result of `g` = () Line 47: Property failure at assertion with: z = {contents= 177} Results: - Selected model 0: SW - Concrete RAC: NORMAL - Abstract RAC: FAILURE (assertion at "bench/check-ce/underspec.mlw", line 47, characters 13-18) - Checked model 1: SW - Concrete RAC: NORMAL - Abstract RAC: FAILURE (assertion at "bench/check-ce/underspec.mlw", line 47, characters 13-18) File "bench/check-ce/underspec.mlw", line 47, characters 13-18: Sub-goal Assertion of goal f'vc. Prover result is: Unknown (unknown) (1.34s, 7500000 steps). The contracts of some function or loop are too weak, for example during the following execution: File int.mlw: Line 13: Constant zero initialization zero = 0 Line 14: Constant one initialization one = 1 File underspec.mlw: Line 37: Constant z initialization (giant-step) execution of unimplemented function with args: result = 0 Normal execution of function `ref` with args: contents = 0 Normal execution of function `ref'mk` with args: contents = 0 z = {contents= 0} Unknown location: _ = () File underspec.mlw: Line 44: _ = () Execution of main function `f` with env: z = {contents= 0} _ = () zero = 0 one = 1 Line 46: Normal execution of function `Tuple0` with args: Giant-step execution of function `g` with args: _ = () z = {contents= 2} result of `g` = () Line 47: Property failure at assertion with: z = {contents= 2} why3-1.6.0/bench/check-ce/oracles/underspec_mono_CVC4,1.8_SP.oracle000066400000000000000000000056741440160026300244640ustar00rootroot00000000000000File "bench/check-ce/underspec_mono.mlw", line 19, characters 27-35: Sub-goal Loop invariant init of goal f'vc. Prover result is: Valid. Categorizations of models: - Selected model 0: SW - Concrete RAC: NORMAL - Abstract RAC: FAILURE (loop invariant preservation at "bench/check-ce/underspec_mono.mlw", line 19, characters 18-35) - Checked model 1: SW - Concrete RAC: NORMAL - Abstract RAC: FAILURE (loop invariant preservation at "bench/check-ce/underspec_mono.mlw", line 19, characters 18-35) File "bench/check-ce/underspec_mono.mlw", line 19, characters 27-35: Sub-goal Loop invariant preservation of goal f'vc. Prover result is: Unknown (sat). The contracts of some function or loop are too weak, for example during the following execution: File int.mlw: Line 13: Constant zero initialization zero = 0 Line 14: Constant one initialization one = 1 Unknown location: _ = () File underspec_mono.mlw: Line 15: _ = () Execution of main function `f` with env: _ = () zero = 0 one = 1 Line 16: Normal execution of function `t'mk` with args: c = 0 Line 17: Normal execution of function `t'mk` with args: c = 0 Line 18: Giant-step iteration of loop x1 = {c= (- 1)} x2 = {c= 0} i = 0 Giant-step iteration of loop Line 20: Normal execution of function `(=)` with args: x = 0 y = 0 Line 21: Normal execution of function `c` with args: arg = {c= (- 1)} Normal execution of function `(+)` with args: _ = (- 1) _ = 1 Line 19: Property failure at loop invariant preservation with: x1 = {c= 0} i = 1 File "bench/check-ce/underspec_mono.mlw", line 37, characters 14-27: Sub-goal Postcondition of goal g'vc. Prover result is: Valid. Categorizations of models: - Selected model 0: SW - Concrete RAC: NORMAL - Abstract RAC: FAILURE (assertion at "bench/check-ce/underspec_mono.mlw", line 43, characters 13-20) - Checked model 1: SW - Concrete RAC: NORMAL - Abstract RAC: FAILURE (assertion at "bench/check-ce/underspec_mono.mlw", line 43, characters 13-20) File "bench/check-ce/underspec_mono.mlw", line 43, characters 13-20: Sub-goal Assertion of goal f'vc. Prover result is: Unknown (sat). The contracts of some function or loop are too weak, for example during the following execution: File int.mlw: Line 13: Constant zero initialization zero = 0 Line 14: Constant one initialization one = 1 File underspec_mono.mlw: Line 33: z = {c1= 0} Unknown location: _ = () File underspec_mono.mlw: Line 40: _ = () Execution of main function `f` with env: z = {c1= 0} _ = () zero = 0 one = 1 Line 42: Normal execution of function `Tuple0` with args: Giant-step execution of function `g` with args: _ = () z = {c1= 2} result of `g` = () Line 43: Property failure at assertion with: z = {c1= 2} why3-1.6.0/bench/check-ce/oracles/underspec_mono_CVC4,1.8_WP.oracle000066400000000000000000000061161440160026300244600ustar00rootroot00000000000000File "bench/check-ce/underspec_mono.mlw", line 19, characters 27-35: Sub-goal Loop invariant init of goal f'vc. Prover result is: Valid. Categorizations of models: - Selected model 0: SW - Concrete RAC: NORMAL - Abstract RAC: FAILURE (loop invariant preservation at "bench/check-ce/underspec_mono.mlw", line 19, characters 18-35) - Checked model 1: SW - Concrete RAC: NORMAL - Abstract RAC: FAILURE (loop invariant preservation at "bench/check-ce/underspec_mono.mlw", line 19, characters 18-35) File "bench/check-ce/underspec_mono.mlw", line 19, characters 27-35: Sub-goal Loop invariant preservation of goal f'vc. Prover result is: Unknown (sat). The contracts of some function or loop are too weak, for example during the following execution: File int.mlw: Line 13: Constant zero initialization zero = 0 Line 14: Constant one initialization one = 1 Unknown location: _ = () File underspec_mono.mlw: Line 15: _ = () Execution of main function `f` with env: _ = () zero = 0 one = 1 Line 16: Normal execution of function `t'mk` with args: c = 0 Line 17: Normal execution of function `t'mk` with args: c = 0 Line 18: Giant-step iteration of loop x1 = {c= (- 1)} x2 = {c= 0} i = 0 Giant-step iteration of loop Line 20: Normal execution of function `(=)` with args: x = 0 y = 0 Line 21: Normal execution of function `c` with args: arg = {c= (- 1)} Normal execution of function `(+)` with args: _ = (- 1) _ = 1 Line 19: Property failure at loop invariant preservation with: x1 = {c= 0} i = 1 File "bench/check-ce/underspec_mono.mlw", line 19, characters 27-35: Sub-goal Loop invariant preservation of goal f'vc. Prover result is: Valid. File "bench/check-ce/underspec_mono.mlw", line 37, characters 14-27: Sub-goal Postcondition of goal g'vc. Prover result is: Valid. Categorizations of models: - Selected model 0: SW - Concrete RAC: NORMAL - Abstract RAC: FAILURE (assertion at "bench/check-ce/underspec_mono.mlw", line 43, characters 13-20) - Checked model 1: SW - Concrete RAC: NORMAL - Abstract RAC: FAILURE (assertion at "bench/check-ce/underspec_mono.mlw", line 43, characters 13-20) File "bench/check-ce/underspec_mono.mlw", line 43, characters 13-20: Sub-goal Assertion of goal f'vc. Prover result is: Unknown (sat). The contracts of some function or loop are too weak, for example during the following execution: File int.mlw: Line 13: Constant zero initialization zero = 0 Line 14: Constant one initialization one = 1 File underspec_mono.mlw: Line 33: z = {c1= 0} Unknown location: _ = () File underspec_mono.mlw: Line 40: _ = () Execution of main function `f` with env: z = {c1= 0} _ = () zero = 0 one = 1 Line 42: Normal execution of function `Tuple0` with args: Giant-step execution of function `g` with args: _ = () z = {c1= 2} result of `g` = () Line 43: Property failure at assertion with: z = {c1= 2} why3-1.6.0/bench/check-ce/oracles/underspec_mono_CVC5,1.0.0_SP.oracle000066400000000000000000000056741440160026300246130ustar00rootroot00000000000000File "bench/check-ce/underspec_mono.mlw", line 19, characters 27-35: Sub-goal Loop invariant init of goal f'vc. Prover result is: Valid. Categorizations of models: - Selected model 0: SW - Concrete RAC: NORMAL - Abstract RAC: FAILURE (loop invariant preservation at "bench/check-ce/underspec_mono.mlw", line 19, characters 18-35) - Checked model 1: SW - Concrete RAC: NORMAL - Abstract RAC: FAILURE (loop invariant preservation at "bench/check-ce/underspec_mono.mlw", line 19, characters 18-35) File "bench/check-ce/underspec_mono.mlw", line 19, characters 27-35: Sub-goal Loop invariant preservation of goal f'vc. Prover result is: Unknown (sat). The contracts of some function or loop are too weak, for example during the following execution: File int.mlw: Line 13: Constant zero initialization zero = 0 Line 14: Constant one initialization one = 1 Unknown location: _ = () File underspec_mono.mlw: Line 15: _ = () Execution of main function `f` with env: _ = () zero = 0 one = 1 Line 16: Normal execution of function `t'mk` with args: c = 0 Line 17: Normal execution of function `t'mk` with args: c = 0 Line 18: Giant-step iteration of loop x1 = {c= (- 1)} x2 = {c= 0} i = 0 Giant-step iteration of loop Line 20: Normal execution of function `(=)` with args: x = 0 y = 0 Line 21: Normal execution of function `c` with args: arg = {c= (- 1)} Normal execution of function `(+)` with args: _ = (- 1) _ = 1 Line 19: Property failure at loop invariant preservation with: x1 = {c= 0} i = 1 File "bench/check-ce/underspec_mono.mlw", line 37, characters 14-27: Sub-goal Postcondition of goal g'vc. Prover result is: Valid. Categorizations of models: - Selected model 0: SW - Concrete RAC: NORMAL - Abstract RAC: FAILURE (assertion at "bench/check-ce/underspec_mono.mlw", line 43, characters 13-20) - Checked model 1: SW - Concrete RAC: NORMAL - Abstract RAC: FAILURE (assertion at "bench/check-ce/underspec_mono.mlw", line 43, characters 13-20) File "bench/check-ce/underspec_mono.mlw", line 43, characters 13-20: Sub-goal Assertion of goal f'vc. Prover result is: Unknown (sat). The contracts of some function or loop are too weak, for example during the following execution: File int.mlw: Line 13: Constant zero initialization zero = 0 Line 14: Constant one initialization one = 1 File underspec_mono.mlw: Line 33: z = {c1= 0} Unknown location: _ = () File underspec_mono.mlw: Line 40: _ = () Execution of main function `f` with env: z = {c1= 0} _ = () zero = 0 one = 1 Line 42: Normal execution of function `Tuple0` with args: Giant-step execution of function `g` with args: _ = () z = {c1= 2} result of `g` = () Line 43: Property failure at assertion with: z = {c1= 2} why3-1.6.0/bench/check-ce/oracles/underspec_mono_CVC5,1.0.0_WP.oracle000066400000000000000000000061161440160026300246070ustar00rootroot00000000000000File "bench/check-ce/underspec_mono.mlw", line 19, characters 27-35: Sub-goal Loop invariant init of goal f'vc. Prover result is: Valid. Categorizations of models: - Selected model 0: SW - Concrete RAC: NORMAL - Abstract RAC: FAILURE (loop invariant preservation at "bench/check-ce/underspec_mono.mlw", line 19, characters 18-35) - Checked model 1: SW - Concrete RAC: NORMAL - Abstract RAC: FAILURE (loop invariant preservation at "bench/check-ce/underspec_mono.mlw", line 19, characters 18-35) File "bench/check-ce/underspec_mono.mlw", line 19, characters 27-35: Sub-goal Loop invariant preservation of goal f'vc. Prover result is: Unknown (sat). The contracts of some function or loop are too weak, for example during the following execution: File int.mlw: Line 13: Constant zero initialization zero = 0 Line 14: Constant one initialization one = 1 Unknown location: _ = () File underspec_mono.mlw: Line 15: _ = () Execution of main function `f` with env: _ = () zero = 0 one = 1 Line 16: Normal execution of function `t'mk` with args: c = 0 Line 17: Normal execution of function `t'mk` with args: c = 0 Line 18: Giant-step iteration of loop x1 = {c= (- 1)} x2 = {c= 0} i = 0 Giant-step iteration of loop Line 20: Normal execution of function `(=)` with args: x = 0 y = 0 Line 21: Normal execution of function `c` with args: arg = {c= (- 1)} Normal execution of function `(+)` with args: _ = (- 1) _ = 1 Line 19: Property failure at loop invariant preservation with: x1 = {c= 0} i = 1 File "bench/check-ce/underspec_mono.mlw", line 19, characters 27-35: Sub-goal Loop invariant preservation of goal f'vc. Prover result is: Valid. File "bench/check-ce/underspec_mono.mlw", line 37, characters 14-27: Sub-goal Postcondition of goal g'vc. Prover result is: Valid. Categorizations of models: - Selected model 0: SW - Concrete RAC: NORMAL - Abstract RAC: FAILURE (assertion at "bench/check-ce/underspec_mono.mlw", line 43, characters 13-20) - Checked model 1: SW - Concrete RAC: NORMAL - Abstract RAC: FAILURE (assertion at "bench/check-ce/underspec_mono.mlw", line 43, characters 13-20) File "bench/check-ce/underspec_mono.mlw", line 43, characters 13-20: Sub-goal Assertion of goal f'vc. Prover result is: Unknown (sat). The contracts of some function or loop are too weak, for example during the following execution: File int.mlw: Line 13: Constant zero initialization zero = 0 Line 14: Constant one initialization one = 1 File underspec_mono.mlw: Line 33: z = {c1= 0} Unknown location: _ = () File underspec_mono.mlw: Line 40: _ = () Execution of main function `f` with env: z = {c1= 0} _ = () zero = 0 one = 1 Line 42: Normal execution of function `Tuple0` with args: Giant-step execution of function `g` with args: _ = () z = {c1= 2} result of `g` = () Line 43: Property failure at assertion with: z = {c1= 2} why3-1.6.0/bench/check-ce/oracles/underspec_mono_Z3,4.8.10_SP.oracle000066400000000000000000000056621440160026300245000ustar00rootroot00000000000000File "bench/check-ce/underspec_mono.mlw", line 19, characters 27-35: Sub-goal Loop invariant init of goal f'vc. Prover result is: Valid. Categorizations of models: - Selected model 0: SW - Concrete RAC: NORMAL - Abstract RAC: FAILURE (loop invariant preservation at "bench/check-ce/underspec_mono.mlw", line 19, characters 18-35) - Checked model 1: SW - Concrete RAC: NORMAL - Abstract RAC: FAILURE (loop invariant preservation at "bench/check-ce/underspec_mono.mlw", line 19, characters 18-35) File "bench/check-ce/underspec_mono.mlw", line 19, characters 27-35: Sub-goal Loop invariant preservation of goal f'vc. Prover result is: Unknown (sat). The contracts of some function or loop are too weak, for example during the following execution: File int.mlw: Line 13: Constant zero initialization zero = 0 Line 14: Constant one initialization one = 1 Unknown location: _ = () File underspec_mono.mlw: Line 15: _ = () Execution of main function `f` with env: _ = () zero = 0 one = 1 Line 16: Normal execution of function `t'mk` with args: c = 0 Line 17: Normal execution of function `t'mk` with args: c = 0 Line 18: Giant-step iteration of loop x1 = {c= 1} x2 = {c= 400} i = 0 Giant-step iteration of loop Line 20: Normal execution of function `(=)` with args: x = 0 y = 0 Line 21: Normal execution of function `c` with args: arg = {c= 1} Normal execution of function `(+)` with args: _ = 1 _ = 1 Line 19: Property failure at loop invariant preservation with: x1 = {c= 2} i = 1 File "bench/check-ce/underspec_mono.mlw", line 37, characters 14-27: Sub-goal Postcondition of goal g'vc. Prover result is: Valid. Categorizations of models: - Selected model 0: SW - Concrete RAC: NORMAL - Abstract RAC: FAILURE (assertion at "bench/check-ce/underspec_mono.mlw", line 43, characters 13-20) - Checked model 1: SW - Concrete RAC: NORMAL - Abstract RAC: FAILURE (assertion at "bench/check-ce/underspec_mono.mlw", line 43, characters 13-20) File "bench/check-ce/underspec_mono.mlw", line 43, characters 13-20: Sub-goal Assertion of goal f'vc. Prover result is: Unknown (sat). The contracts of some function or loop are too weak, for example during the following execution: File int.mlw: Line 13: Constant zero initialization zero = 0 Line 14: Constant one initialization one = 1 File underspec_mono.mlw: Line 33: z = {c1= 0} Unknown location: _ = () File underspec_mono.mlw: Line 40: _ = () Execution of main function `f` with env: z = {c1= 0} _ = () zero = 0 one = 1 Line 42: Normal execution of function `Tuple0` with args: Giant-step execution of function `g` with args: _ = () z = {c1= 2} result of `g` = () Line 43: Property failure at assertion with: z = {c1= 2} why3-1.6.0/bench/check-ce/oracles/underspec_mono_Z3,4.8.10_WP.oracle000066400000000000000000000061311440160026300244740ustar00rootroot00000000000000File "bench/check-ce/underspec_mono.mlw", line 19, characters 27-35: Sub-goal Loop invariant init of goal f'vc. Prover result is: Valid. Categorizations of models: - Selected model 0: SW - Concrete RAC: NORMAL - Abstract RAC: FAILURE (loop invariant preservation at "bench/check-ce/underspec_mono.mlw", line 19, characters 18-35) - Checked model 1: SW - Concrete RAC: NORMAL - Abstract RAC: FAILURE (loop invariant preservation at "bench/check-ce/underspec_mono.mlw", line 19, characters 18-35) File "bench/check-ce/underspec_mono.mlw", line 19, characters 27-35: Sub-goal Loop invariant preservation of goal f'vc. Prover result is: Unknown (sat). The contracts of some function or loop are too weak, for example during the following execution: File int.mlw: Line 13: Constant zero initialization zero = 0 Line 14: Constant one initialization one = 1 Unknown location: _ = () File underspec_mono.mlw: Line 15: _ = () Execution of main function `f` with env: _ = () zero = 0 one = 1 Line 16: Normal execution of function `t'mk` with args: c = 0 Line 17: Normal execution of function `t'mk` with args: c = 0 Line 18: Giant-step iteration of loop x1 = {c= (- 176)} x2 = {c= 0} i = 0 Giant-step iteration of loop Line 20: Normal execution of function `(=)` with args: x = 0 y = 0 Line 21: Normal execution of function `c` with args: arg = {c= (- 176)} Normal execution of function `(+)` with args: _ = (- 176) _ = 1 Line 19: Property failure at loop invariant preservation with: x1 = {c= (-175)} i = 1 File "bench/check-ce/underspec_mono.mlw", line 19, characters 27-35: Sub-goal Loop invariant preservation of goal f'vc. Prover result is: Valid. File "bench/check-ce/underspec_mono.mlw", line 37, characters 14-27: Sub-goal Postcondition of goal g'vc. Prover result is: Valid. Categorizations of models: - Selected model 0: SW - Concrete RAC: NORMAL - Abstract RAC: FAILURE (assertion at "bench/check-ce/underspec_mono.mlw", line 43, characters 13-20) - Checked model 1: SW - Concrete RAC: NORMAL - Abstract RAC: FAILURE (assertion at "bench/check-ce/underspec_mono.mlw", line 43, characters 13-20) File "bench/check-ce/underspec_mono.mlw", line 43, characters 13-20: Sub-goal Assertion of goal f'vc. Prover result is: Unknown (sat). The contracts of some function or loop are too weak, for example during the following execution: File int.mlw: Line 13: Constant zero initialization zero = 0 Line 14: Constant one initialization one = 1 File underspec_mono.mlw: Line 33: z = {c1= 0} Unknown location: _ = () File underspec_mono.mlw: Line 40: _ = () Execution of main function `f` with env: z = {c1= 0} _ = () zero = 0 one = 1 Line 42: Normal execution of function `Tuple0` with args: Giant-step execution of function `g` with args: _ = () z = {c1= 2} result of `g` = () Line 43: Property failure at assertion with: z = {c1= 2} why3-1.6.0/bench/check-ce/oracles/val_function_CVC4,1.8_SP.oracle000066400000000000000000000043311440160026300241200ustar00rootroot00000000000000Categorizations of models: - Checked model 0: INCOMPLETE - Concrete RAC: INCOMPLETE (terminated because Postcondition of `f` cannot be evaluated) - Abstract RAC: INCOMPLETE (terminated because Postcondition of `f` cannot be evaluated) - Selected model 1: INCOMPLETE - Concrete RAC: INCOMPLETE (terminated because Postcondition of `f` cannot be evaluated) - Abstract RAC: INCOMPLETE (terminated because Postcondition of `f` cannot be evaluated) File "bench/check-ce/val_function.mlw", line 7, characters 12-24: Sub-goal Postcondition of goal main_f'vc. Prover result is: Unknown (sat). The following counterexample model could not be verified (both RAC terminated because Postcondition of `f` cannot be evaluated): File val_function.mlw: Line 4: f : int -> int = [|_ => 42|] Line 6: y : int = 0 Line 7: result : int = 42 result : int = 42 Line 9: result of call at line 9, characters 2-5 : int = 42 result : int = 42 Categorizations of models: - Checked model 0: BAD_CE - Concrete RAC: STUCK (failure in postcondition of `g` at unknown location) - Abstract RAC: STUCK (failure in postcondition of `g` at unknown location) - Selected model 1: NC - Concrete RAC: FAILURE (postcondition at "bench/check-ce/val_function.mlw", line 16, characters 12-24) - Abstract RAC: FAILURE (postcondition at "bench/check-ce/val_function.mlw", line 16, characters 12-24) File "bench/check-ce/val_function.mlw", line 16, characters 12-24: Sub-goal Postcondition of goal main_g'vc. Prover result is: Unknown or time/memory/step limit. The program does not comply to the verification goal, for example during the following execution: File int.mlw: Line 13: Constant zero initialization zero = 0 Line 14: Constant one initialization one = 1 File val_function.mlw: Line 15: y = 42 y = 42 Execution of main function `main_g` with env: y = 42 zero = 0 one = 1 Line 18: (giant-step) execution of unimplemented function `g` x = 42 result of `g` = 43 Line 19: Normal execution of function `(+)` with args: _ = 43 _ = 1 Line 16: Property failure at postcondition of `main_g` with: result = 44 why3-1.6.0/bench/check-ce/oracles/val_function_CVC4,1.8_WP.oracle000066400000000000000000000043311440160026300241240ustar00rootroot00000000000000Categorizations of models: - Checked model 0: INCOMPLETE - Concrete RAC: INCOMPLETE (terminated because Postcondition of `f` cannot be evaluated) - Abstract RAC: INCOMPLETE (terminated because Postcondition of `f` cannot be evaluated) - Selected model 1: INCOMPLETE - Concrete RAC: INCOMPLETE (terminated because Postcondition of `f` cannot be evaluated) - Abstract RAC: INCOMPLETE (terminated because Postcondition of `f` cannot be evaluated) File "bench/check-ce/val_function.mlw", line 7, characters 12-24: Sub-goal Postcondition of goal main_f'vc. Prover result is: Unknown (sat). The following counterexample model could not be verified (both RAC terminated because Postcondition of `f` cannot be evaluated): File val_function.mlw: Line 4: f : int -> int = [|_ => 42|] Line 6: y : int = 0 Line 7: result : int = 42 result : int = 42 Line 9: result of call at line 9, characters 2-5 : int = 42 result : int = 42 Categorizations of models: - Checked model 0: BAD_CE - Concrete RAC: STUCK (failure in postcondition of `g` at unknown location) - Abstract RAC: STUCK (failure in postcondition of `g` at unknown location) - Selected model 1: NC - Concrete RAC: FAILURE (postcondition at "bench/check-ce/val_function.mlw", line 16, characters 12-24) - Abstract RAC: FAILURE (postcondition at "bench/check-ce/val_function.mlw", line 16, characters 12-24) File "bench/check-ce/val_function.mlw", line 16, characters 12-24: Sub-goal Postcondition of goal main_g'vc. Prover result is: Unknown or time/memory/step limit. The program does not comply to the verification goal, for example during the following execution: File int.mlw: Line 13: Constant zero initialization zero = 0 Line 14: Constant one initialization one = 1 File val_function.mlw: Line 15: y = 42 y = 42 Execution of main function `main_g` with env: y = 42 zero = 0 one = 1 Line 18: (giant-step) execution of unimplemented function `g` x = 42 result of `g` = 43 Line 19: Normal execution of function `(+)` with args: _ = 43 _ = 1 Line 16: Property failure at postcondition of `main_g` with: result = 44 why3-1.6.0/bench/check-ce/oracles/val_function_CVC5,1.0.0_SP.oracle000066400000000000000000000043311440160026300242470ustar00rootroot00000000000000Categorizations of models: - Checked model 0: INCOMPLETE - Concrete RAC: INCOMPLETE (terminated because Postcondition of `f` cannot be evaluated) - Abstract RAC: INCOMPLETE (terminated because Postcondition of `f` cannot be evaluated) - Selected model 1: INCOMPLETE - Concrete RAC: INCOMPLETE (terminated because Postcondition of `f` cannot be evaluated) - Abstract RAC: INCOMPLETE (terminated because Postcondition of `f` cannot be evaluated) File "bench/check-ce/val_function.mlw", line 7, characters 12-24: Sub-goal Postcondition of goal main_f'vc. Prover result is: Unknown (sat). The following counterexample model could not be verified (both RAC terminated because Postcondition of `f` cannot be evaluated): File val_function.mlw: Line 4: f : int -> int = [|_ => 42|] Line 6: y : int = 0 Line 7: result : int = 42 result : int = 42 Line 9: result of call at line 9, characters 2-5 : int = 42 result : int = 42 Categorizations of models: - Checked model 0: BAD_CE - Concrete RAC: STUCK (failure in postcondition of `g` at unknown location) - Abstract RAC: STUCK (failure in postcondition of `g` at unknown location) - Selected model 1: NC - Concrete RAC: FAILURE (postcondition at "bench/check-ce/val_function.mlw", line 16, characters 12-24) - Abstract RAC: FAILURE (postcondition at "bench/check-ce/val_function.mlw", line 16, characters 12-24) File "bench/check-ce/val_function.mlw", line 16, characters 12-24: Sub-goal Postcondition of goal main_g'vc. Prover result is: Unknown or time/memory/step limit. The program does not comply to the verification goal, for example during the following execution: File int.mlw: Line 13: Constant zero initialization zero = 0 Line 14: Constant one initialization one = 1 File val_function.mlw: Line 15: y = 42 y = 42 Execution of main function `main_g` with env: y = 42 zero = 0 one = 1 Line 18: (giant-step) execution of unimplemented function `g` x = 42 result of `g` = 43 Line 19: Normal execution of function `(+)` with args: _ = 43 _ = 1 Line 16: Property failure at postcondition of `main_g` with: result = 44 why3-1.6.0/bench/check-ce/oracles/val_function_CVC5,1.0.0_WP.oracle000066400000000000000000000043311440160026300242530ustar00rootroot00000000000000Categorizations of models: - Checked model 0: INCOMPLETE - Concrete RAC: INCOMPLETE (terminated because Postcondition of `f` cannot be evaluated) - Abstract RAC: INCOMPLETE (terminated because Postcondition of `f` cannot be evaluated) - Selected model 1: INCOMPLETE - Concrete RAC: INCOMPLETE (terminated because Postcondition of `f` cannot be evaluated) - Abstract RAC: INCOMPLETE (terminated because Postcondition of `f` cannot be evaluated) File "bench/check-ce/val_function.mlw", line 7, characters 12-24: Sub-goal Postcondition of goal main_f'vc. Prover result is: Unknown (sat). The following counterexample model could not be verified (both RAC terminated because Postcondition of `f` cannot be evaluated): File val_function.mlw: Line 4: f : int -> int = [|_ => 42|] Line 6: y : int = 0 Line 7: result : int = 42 result : int = 42 Line 9: result of call at line 9, characters 2-5 : int = 42 result : int = 42 Categorizations of models: - Checked model 0: BAD_CE - Concrete RAC: STUCK (failure in postcondition of `g` at unknown location) - Abstract RAC: STUCK (failure in postcondition of `g` at unknown location) - Selected model 1: NC - Concrete RAC: FAILURE (postcondition at "bench/check-ce/val_function.mlw", line 16, characters 12-24) - Abstract RAC: FAILURE (postcondition at "bench/check-ce/val_function.mlw", line 16, characters 12-24) File "bench/check-ce/val_function.mlw", line 16, characters 12-24: Sub-goal Postcondition of goal main_g'vc. Prover result is: Unknown or time/memory/step limit. The program does not comply to the verification goal, for example during the following execution: File int.mlw: Line 13: Constant zero initialization zero = 0 Line 14: Constant one initialization one = 1 File val_function.mlw: Line 15: y = 42 y = 42 Execution of main function `main_g` with env: y = 42 zero = 0 one = 1 Line 18: (giant-step) execution of unimplemented function `g` x = 42 result of `g` = 43 Line 19: Normal execution of function `(+)` with args: _ = 43 _ = 1 Line 16: Property failure at postcondition of `main_g` with: result = 44 why3-1.6.0/bench/check-ce/oracles/val_function_Z3,4.8.10_SP.oracle000066400000000000000000000043161440160026300241420ustar00rootroot00000000000000Categorizations of models: - Checked model 0: INCOMPLETE - Concrete RAC: INCOMPLETE (terminated because Postcondition of `f` cannot be evaluated) - Abstract RAC: INCOMPLETE (terminated because Postcondition of `f` cannot be evaluated) - Selected model 1: INCOMPLETE - Concrete RAC: INCOMPLETE (terminated because Postcondition of `f` cannot be evaluated) - Abstract RAC: INCOMPLETE (terminated because Postcondition of `f` cannot be evaluated) File "bench/check-ce/val_function.mlw", line 7, characters 12-24: Sub-goal Postcondition of goal main_f'vc. Prover result is: Unknown (sat). The following counterexample model could not be verified (both RAC terminated because Postcondition of `f` cannot be evaluated): File val_function.mlw: Line 4: f : int -> int = [|2 => 42; _ => 42|] Line 6: y : int = 2 Line 7: result : int = 42 result : int = 42 Line 9: result of call at line 9, characters 2-5 : int = 42 result : int = 42 Categorizations of models: - Checked model 0: BAD_CE - Concrete RAC: STUCK (failure in postcondition of `g` at unknown location) - Abstract RAC: STUCK (failure in postcondition of `g` at unknown location) - Selected model 1: NC - Concrete RAC: FAILURE (postcondition at "bench/check-ce/val_function.mlw", line 16, characters 12-24) - Abstract RAC: FAILURE (postcondition at "bench/check-ce/val_function.mlw", line 16, characters 12-24) File "bench/check-ce/val_function.mlw", line 16, characters 12-24: Sub-goal Postcondition of goal main_g'vc. Prover result is: Unknown (sat). The program does not comply to the verification goal, for example during the following execution: File int.mlw: Line 13: Constant zero initialization zero = 0 Line 14: Constant one initialization one = 1 File val_function.mlw: Line 15: y = 42 y = 42 Execution of main function `main_g` with env: y = 42 zero = 0 one = 1 Line 18: (giant-step) execution of unimplemented function `g` x = 42 result of `g` = 43 Line 19: Normal execution of function `(+)` with args: _ = 43 _ = 1 Line 16: Property failure at postcondition of `main_g` with: result = 44 why3-1.6.0/bench/check-ce/oracles/val_function_Z3,4.8.10_WP.oracle000066400000000000000000000043161440160026300241460ustar00rootroot00000000000000Categorizations of models: - Checked model 0: INCOMPLETE - Concrete RAC: INCOMPLETE (terminated because Postcondition of `f` cannot be evaluated) - Abstract RAC: INCOMPLETE (terminated because Postcondition of `f` cannot be evaluated) - Selected model 1: INCOMPLETE - Concrete RAC: INCOMPLETE (terminated because Postcondition of `f` cannot be evaluated) - Abstract RAC: INCOMPLETE (terminated because Postcondition of `f` cannot be evaluated) File "bench/check-ce/val_function.mlw", line 7, characters 12-24: Sub-goal Postcondition of goal main_f'vc. Prover result is: Unknown (sat). The following counterexample model could not be verified (both RAC terminated because Postcondition of `f` cannot be evaluated): File val_function.mlw: Line 4: f : int -> int = [|2 => 42; _ => 42|] Line 6: y : int = 2 Line 7: result : int = 42 result : int = 42 Line 9: result of call at line 9, characters 2-5 : int = 42 result : int = 42 Categorizations of models: - Checked model 0: BAD_CE - Concrete RAC: STUCK (failure in postcondition of `g` at unknown location) - Abstract RAC: STUCK (failure in postcondition of `g` at unknown location) - Selected model 1: NC - Concrete RAC: FAILURE (postcondition at "bench/check-ce/val_function.mlw", line 16, characters 12-24) - Abstract RAC: FAILURE (postcondition at "bench/check-ce/val_function.mlw", line 16, characters 12-24) File "bench/check-ce/val_function.mlw", line 16, characters 12-24: Sub-goal Postcondition of goal main_g'vc. Prover result is: Unknown (sat). The program does not comply to the verification goal, for example during the following execution: File int.mlw: Line 13: Constant zero initialization zero = 0 Line 14: Constant one initialization one = 1 File val_function.mlw: Line 15: y = 42 y = 42 Execution of main function `main_g` with env: y = 42 zero = 0 one = 1 Line 18: (giant-step) execution of unimplemented function `g` x = 42 result of `g` = 43 Line 19: Normal execution of function `(+)` with args: _ = 43 _ = 1 Line 16: Property failure at postcondition of `main_g` with: result = 44 why3-1.6.0/bench/check-ce/oracles/var_clones_CVC4,1.8_SP.oracle000066400000000000000000000020001440160026300235530ustar00rootroot00000000000000Categorizations of models: - Selected model 0: NC - Concrete RAC: FAILURE (assertion at "bench/check-ce/var_clones.mlw", line 9, characters 13-39) - Abstract RAC: FAILURE (assertion at "bench/check-ce/var_clones.mlw", line 9, characters 13-39) - Checked model 1: NC - Concrete RAC: FAILURE (assertion at "bench/check-ce/var_clones.mlw", line 9, characters 13-39) - Abstract RAC: FAILURE (assertion at "bench/check-ce/var_clones.mlw", line 9, characters 13-39) File "bench/check-ce/var_clones.mlw", line 9, characters 13-39: Sub-goal Assertion of goal f'vc. Prover result is: Unknown (sat). The program does not comply to the verification goal, for example during the following execution: File var_clones.mlw: Line 6: n = 111 Line 7: n = 222 Unknown location: _ = () File var_clones.mlw: Line 8: _ = () Execution of main function `f` with env: _ = () n = 111 n = 222 Line 9: Property failure at assertion with: n = 111 n = 222 why3-1.6.0/bench/check-ce/oracles/var_clones_CVC4,1.8_WP.oracle000066400000000000000000000020001440160026300235570ustar00rootroot00000000000000Categorizations of models: - Selected model 0: NC - Concrete RAC: FAILURE (assertion at "bench/check-ce/var_clones.mlw", line 9, characters 13-39) - Abstract RAC: FAILURE (assertion at "bench/check-ce/var_clones.mlw", line 9, characters 13-39) - Checked model 1: NC - Concrete RAC: FAILURE (assertion at "bench/check-ce/var_clones.mlw", line 9, characters 13-39) - Abstract RAC: FAILURE (assertion at "bench/check-ce/var_clones.mlw", line 9, characters 13-39) File "bench/check-ce/var_clones.mlw", line 9, characters 13-39: Sub-goal Assertion of goal f'vc. Prover result is: Unknown (sat). The program does not comply to the verification goal, for example during the following execution: File var_clones.mlw: Line 6: n = 111 Line 7: n = 222 Unknown location: _ = () File var_clones.mlw: Line 8: _ = () Execution of main function `f` with env: _ = () n = 111 n = 222 Line 9: Property failure at assertion with: n = 111 n = 222 why3-1.6.0/bench/check-ce/oracles/var_clones_CVC5,1.0.0_SP.oracle000066400000000000000000000020001440160026300237020ustar00rootroot00000000000000Categorizations of models: - Selected model 0: NC - Concrete RAC: FAILURE (assertion at "bench/check-ce/var_clones.mlw", line 9, characters 13-39) - Abstract RAC: FAILURE (assertion at "bench/check-ce/var_clones.mlw", line 9, characters 13-39) - Checked model 1: NC - Concrete RAC: FAILURE (assertion at "bench/check-ce/var_clones.mlw", line 9, characters 13-39) - Abstract RAC: FAILURE (assertion at "bench/check-ce/var_clones.mlw", line 9, characters 13-39) File "bench/check-ce/var_clones.mlw", line 9, characters 13-39: Sub-goal Assertion of goal f'vc. Prover result is: Unknown (sat). The program does not comply to the verification goal, for example during the following execution: File var_clones.mlw: Line 6: n = 111 Line 7: n = 222 Unknown location: _ = () File var_clones.mlw: Line 8: _ = () Execution of main function `f` with env: _ = () n = 111 n = 222 Line 9: Property failure at assertion with: n = 111 n = 222 why3-1.6.0/bench/check-ce/oracles/var_clones_CVC5,1.0.0_WP.oracle000066400000000000000000000020001440160026300237060ustar00rootroot00000000000000Categorizations of models: - Selected model 0: NC - Concrete RAC: FAILURE (assertion at "bench/check-ce/var_clones.mlw", line 9, characters 13-39) - Abstract RAC: FAILURE (assertion at "bench/check-ce/var_clones.mlw", line 9, characters 13-39) - Checked model 1: NC - Concrete RAC: FAILURE (assertion at "bench/check-ce/var_clones.mlw", line 9, characters 13-39) - Abstract RAC: FAILURE (assertion at "bench/check-ce/var_clones.mlw", line 9, characters 13-39) File "bench/check-ce/var_clones.mlw", line 9, characters 13-39: Sub-goal Assertion of goal f'vc. Prover result is: Unknown (sat). The program does not comply to the verification goal, for example during the following execution: File var_clones.mlw: Line 6: n = 111 Line 7: n = 222 Unknown location: _ = () File var_clones.mlw: Line 8: _ = () Execution of main function `f` with env: _ = () n = 111 n = 222 Line 9: Property failure at assertion with: n = 111 n = 222 why3-1.6.0/bench/check-ce/oracles/var_clones_Z3,4.8.10_SP.oracle000066400000000000000000000020001440160026300235720ustar00rootroot00000000000000Categorizations of models: - Selected model 0: NC - Concrete RAC: FAILURE (assertion at "bench/check-ce/var_clones.mlw", line 9, characters 13-39) - Abstract RAC: FAILURE (assertion at "bench/check-ce/var_clones.mlw", line 9, characters 13-39) - Checked model 1: NC - Concrete RAC: FAILURE (assertion at "bench/check-ce/var_clones.mlw", line 9, characters 13-39) - Abstract RAC: FAILURE (assertion at "bench/check-ce/var_clones.mlw", line 9, characters 13-39) File "bench/check-ce/var_clones.mlw", line 9, characters 13-39: Sub-goal Assertion of goal f'vc. Prover result is: Unknown (sat). The program does not comply to the verification goal, for example during the following execution: File var_clones.mlw: Line 6: n = 111 Line 7: n = 222 Unknown location: _ = () File var_clones.mlw: Line 8: _ = () Execution of main function `f` with env: _ = () n = 111 n = 222 Line 9: Property failure at assertion with: n = 111 n = 222 why3-1.6.0/bench/check-ce/oracles/var_clones_Z3,4.8.10_WP.oracle000066400000000000000000000020001440160026300235760ustar00rootroot00000000000000Categorizations of models: - Selected model 0: NC - Concrete RAC: FAILURE (assertion at "bench/check-ce/var_clones.mlw", line 9, characters 13-39) - Abstract RAC: FAILURE (assertion at "bench/check-ce/var_clones.mlw", line 9, characters 13-39) - Checked model 1: NC - Concrete RAC: FAILURE (assertion at "bench/check-ce/var_clones.mlw", line 9, characters 13-39) - Abstract RAC: FAILURE (assertion at "bench/check-ce/var_clones.mlw", line 9, characters 13-39) File "bench/check-ce/var_clones.mlw", line 9, characters 13-39: Sub-goal Assertion of goal f'vc. Prover result is: Unknown (sat). The program does not comply to the verification goal, for example during the following execution: File var_clones.mlw: Line 6: n = 111 Line 7: n = 222 Unknown location: _ = () File var_clones.mlw: Line 8: _ = () Execution of main function `f` with env: _ = () n = 111 n = 222 Line 9: Property failure at assertion with: n = 111 n = 222 why3-1.6.0/bench/check-ce/oracles/var_clones_Z3,4.8.4_SP.oracle000066400000000000000000000130521440160026300235260ustar00rootroot00000000000000Check model 0 ("bench/check-ce/var_clones.mlw", line 9, characters 13-39) Checking model: File var_clones.mlw: Line 6: n = {"type": "Integer", "val": "111"} Line 7: n = {"type": "Integer", "val": "222"} Line 9: n = {"type": "Integer", "val": "222"} Giant-step RAC Value from model for global `n` at "bench/check-ce/var_clones.mlw", line 6, characters 2-16: 111 Value from model for global `n` at "bench/check-ce/var_clones.mlw", line 7, characters 2-16: 222 Type default value for parameter `_` at NO LOC: () Normal RAC Value from model for global `n` at "bench/check-ce/var_clones.mlw", line 6, characters 2-16: 111 Value from model for global `n` at "bench/check-ce/var_clones.mlw", line 7, characters 2-16: 222 Type default value for parameter `_` at NO LOC: () Result of checking model 0: NC - Concrete RAC: FAILURE (assertion at "bench/check-ce/var_clones.mlw", line 9, characters 13-39) File var_clones.mlw: Line 6: n = 111 Line 7: n = 222 Unknown location: _ = () File var_clones.mlw: Line 8: _ = () Execution of main function `f` with env: _ = () n = 111 n = 222 Line 9: Property failure at assertion with: n = 111 n = 222 - Abstract RAC: FAILURE (assertion at "bench/check-ce/var_clones.mlw", line 9, characters 13-39) File var_clones.mlw: Line 6: n = 111 Line 7: n = 222 Unknown location: _ = () File var_clones.mlw: Line 8: _ = () Execution of main function `f` with env: _ = () n = 111 n = 222 Line 9: Property failure at assertion with: n = 111 n = 222 Check model 1 ("bench/check-ce/var_clones.mlw", line 9, characters 13-39) Checking model: File var_clones.mlw: Line 6: n = {"type": "Integer", "val": "111"} Line 7: n = {"type": "Integer", "val": "222"} Line 9: n = {"type": "Integer", "val": "222"} Giant-step RAC Value from model for global `n` at "bench/check-ce/var_clones.mlw", line 6, characters 2-16: 111 Value from model for global `n` at "bench/check-ce/var_clones.mlw", line 7, characters 2-16: 222 Type default value for parameter `_` at NO LOC: () Normal RAC Value from model for global `n` at "bench/check-ce/var_clones.mlw", line 6, characters 2-16: 111 Value from model for global `n` at "bench/check-ce/var_clones.mlw", line 7, characters 2-16: 222 Type default value for parameter `_` at NO LOC: () Result of checking model 1: NC - Concrete RAC: FAILURE (assertion at "bench/check-ce/var_clones.mlw", line 9, characters 13-39) File var_clones.mlw: Line 6: n = 111 Line 7: n = 222 Unknown location: _ = () File var_clones.mlw: Line 8: _ = () Execution of main function `f` with env: _ = () n = 111 n = 222 Line 9: Property failure at assertion with: n = 111 n = 222 - Abstract RAC: FAILURE (assertion at "bench/check-ce/var_clones.mlw", line 9, characters 13-39) File var_clones.mlw: Line 6: n = 111 Line 7: n = 222 Unknown location: _ = () File var_clones.mlw: Line 8: _ = () Execution of main function `f` with env: _ = () n = 111 n = 222 Line 9: Property failure at assertion with: n = 111 n = 222 Results: - Selected model 0: NC - Concrete RAC: FAILURE (assertion at "bench/check-ce/var_clones.mlw", line 9, characters 13-39) - Abstract RAC: FAILURE (assertion at "bench/check-ce/var_clones.mlw", line 9, characters 13-39) - Checked model 1: NC - Concrete RAC: FAILURE (assertion at "bench/check-ce/var_clones.mlw", line 9, characters 13-39) - Abstract RAC: FAILURE (assertion at "bench/check-ce/var_clones.mlw", line 9, characters 13-39) File "bench/check-ce/var_clones.mlw", line 9, characters 13-39: Sub-goal Assertion of goal f'vc. Prover result is: Unknown (sat) (0.02s, 145 steps). The program does not comply to the verification goal, for example during the following execution: File var_clones.mlw: Line 6: n = 111 Line 7: n = 222 Unknown location: _ = () File var_clones.mlw: Line 8: _ = () Execution of main function `f` with env: _ = () n = 111 n = 222 Line 9: Property failure at assertion with: n = 111 n = 222 why3-1.6.0/bench/check-ce/oracles/var_clones_Z3,4.8.4_WP.oracle000066400000000000000000000130521440160026300235320ustar00rootroot00000000000000Check model 0 ("bench/check-ce/var_clones.mlw", line 9, characters 13-39) Checking model: File var_clones.mlw: Line 6: n = {"type": "Integer", "val": "111"} Line 7: n = {"type": "Integer", "val": "222"} Line 9: n = {"type": "Integer", "val": "222"} Giant-step RAC Value from model for global `n` at "bench/check-ce/var_clones.mlw", line 6, characters 2-16: 111 Value from model for global `n` at "bench/check-ce/var_clones.mlw", line 7, characters 2-16: 222 Type default value for parameter `_` at NO LOC: () Normal RAC Value from model for global `n` at "bench/check-ce/var_clones.mlw", line 6, characters 2-16: 111 Value from model for global `n` at "bench/check-ce/var_clones.mlw", line 7, characters 2-16: 222 Type default value for parameter `_` at NO LOC: () Result of checking model 0: NC - Concrete RAC: FAILURE (assertion at "bench/check-ce/var_clones.mlw", line 9, characters 13-39) File var_clones.mlw: Line 6: n = 111 Line 7: n = 222 Unknown location: _ = () File var_clones.mlw: Line 8: _ = () Execution of main function `f` with env: _ = () n = 111 n = 222 Line 9: Property failure at assertion with: n = 111 n = 222 - Abstract RAC: FAILURE (assertion at "bench/check-ce/var_clones.mlw", line 9, characters 13-39) File var_clones.mlw: Line 6: n = 111 Line 7: n = 222 Unknown location: _ = () File var_clones.mlw: Line 8: _ = () Execution of main function `f` with env: _ = () n = 111 n = 222 Line 9: Property failure at assertion with: n = 111 n = 222 Check model 1 ("bench/check-ce/var_clones.mlw", line 9, characters 13-39) Checking model: File var_clones.mlw: Line 6: n = {"type": "Integer", "val": "111"} Line 7: n = {"type": "Integer", "val": "222"} Line 9: n = {"type": "Integer", "val": "222"} Giant-step RAC Value from model for global `n` at "bench/check-ce/var_clones.mlw", line 6, characters 2-16: 111 Value from model for global `n` at "bench/check-ce/var_clones.mlw", line 7, characters 2-16: 222 Type default value for parameter `_` at NO LOC: () Normal RAC Value from model for global `n` at "bench/check-ce/var_clones.mlw", line 6, characters 2-16: 111 Value from model for global `n` at "bench/check-ce/var_clones.mlw", line 7, characters 2-16: 222 Type default value for parameter `_` at NO LOC: () Result of checking model 1: NC - Concrete RAC: FAILURE (assertion at "bench/check-ce/var_clones.mlw", line 9, characters 13-39) File var_clones.mlw: Line 6: n = 111 Line 7: n = 222 Unknown location: _ = () File var_clones.mlw: Line 8: _ = () Execution of main function `f` with env: _ = () n = 111 n = 222 Line 9: Property failure at assertion with: n = 111 n = 222 - Abstract RAC: FAILURE (assertion at "bench/check-ce/var_clones.mlw", line 9, characters 13-39) File var_clones.mlw: Line 6: n = 111 Line 7: n = 222 Unknown location: _ = () File var_clones.mlw: Line 8: _ = () Execution of main function `f` with env: _ = () n = 111 n = 222 Line 9: Property failure at assertion with: n = 111 n = 222 Results: - Selected model 0: NC - Concrete RAC: FAILURE (assertion at "bench/check-ce/var_clones.mlw", line 9, characters 13-39) - Abstract RAC: FAILURE (assertion at "bench/check-ce/var_clones.mlw", line 9, characters 13-39) - Checked model 1: NC - Concrete RAC: FAILURE (assertion at "bench/check-ce/var_clones.mlw", line 9, characters 13-39) - Abstract RAC: FAILURE (assertion at "bench/check-ce/var_clones.mlw", line 9, characters 13-39) File "bench/check-ce/var_clones.mlw", line 9, characters 13-39: Sub-goal Assertion of goal f'vc. Prover result is: Unknown (sat) (0.01s, 145 steps). The program does not comply to the verification goal, for example during the following execution: File var_clones.mlw: Line 6: n = 111 Line 7: n = 222 Unknown location: _ = () File var_clones.mlw: Line 8: _ = () Execution of main function `f` with env: _ = () n = 111 n = 222 Line 9: Property failure at assertion with: n = 111 n = 222 why3-1.6.0/bench/check-ce/oracles/while1_CVC4,1.8_SP.oracle000066400000000000000000000036041440160026300226240ustar00rootroot00000000000000File "bench/check-ce/while1.mlw", line 10, characters 18-24: Sub-goal Loop invariant init of goal f'vc. Prover result is: Valid. File "bench/check-ce/while1.mlw", line 9, characters 16-21: Sub-goal Loop variant decrease of goal f'vc. Prover result is: Valid. File "bench/check-ce/while1.mlw", line 10, characters 18-24: Sub-goal Loop invariant preservation of goal f'vc. Prover result is: Valid. Categorizations of models: - Selected model 0: SW - Concrete RAC: NORMAL - Abstract RAC: FAILURE (postcondition at "bench/check-ce/while1.mlw", line 5, characters 12-22) - Checked model 1: SW - Concrete RAC: NORMAL - Abstract RAC: FAILURE (postcondition at "bench/check-ce/while1.mlw", line 5, characters 12-22) File "bench/check-ce/while1.mlw", line 5, characters 12-22: Sub-goal Postcondition of goal f'vc. Prover result is: Unknown or time/memory/step limit. The contracts of some function or loop are too weak, for example during the following execution: File int.mlw: Line 13: Constant zero initialization zero = 0 Line 14: Constant one initialization one = 1 Unknown location: _ = () File while1.mlw: Line 4: _ = () Execution of main function `f` with env: _ = () zero = 0 one = 1 Line 6: Giant-step execution of function `ref` with args: contents = 0 result of `ref` = {contents= 0} Line 7: Giant-step execution of function `ref` with args: contents = 0 result of `ref` = {contents= 0} Line 8: Giant-step iteration of loop x = {contents= 0} i = {contents= 2} Normal execution of function `contents` with args: arg = {contents= 2} Normal execution of function `(<)` with args: _ = 2 _ = 2 Line 14: Normal execution of function `contents` with args: arg = {contents= 0} Line 5: Property failure at postcondition of `f` with: result = 0 why3-1.6.0/bench/check-ce/oracles/while1_CVC4,1.8_WP.oracle000066400000000000000000000036041440160026300226300ustar00rootroot00000000000000File "bench/check-ce/while1.mlw", line 10, characters 18-24: Sub-goal Loop invariant init of goal f'vc. Prover result is: Valid. File "bench/check-ce/while1.mlw", line 9, characters 16-21: Sub-goal Loop variant decrease of goal f'vc. Prover result is: Valid. File "bench/check-ce/while1.mlw", line 10, characters 18-24: Sub-goal Loop invariant preservation of goal f'vc. Prover result is: Valid. Categorizations of models: - Selected model 0: SW - Concrete RAC: NORMAL - Abstract RAC: FAILURE (postcondition at "bench/check-ce/while1.mlw", line 5, characters 12-22) - Checked model 1: SW - Concrete RAC: NORMAL - Abstract RAC: FAILURE (postcondition at "bench/check-ce/while1.mlw", line 5, characters 12-22) File "bench/check-ce/while1.mlw", line 5, characters 12-22: Sub-goal Postcondition of goal f'vc. Prover result is: Unknown or time/memory/step limit. The contracts of some function or loop are too weak, for example during the following execution: File int.mlw: Line 13: Constant zero initialization zero = 0 Line 14: Constant one initialization one = 1 Unknown location: _ = () File while1.mlw: Line 4: _ = () Execution of main function `f` with env: _ = () zero = 0 one = 1 Line 6: Giant-step execution of function `ref` with args: contents = 0 result of `ref` = {contents= 0} Line 7: Giant-step execution of function `ref` with args: contents = 0 result of `ref` = {contents= 0} Line 8: Giant-step iteration of loop x = {contents= 0} i = {contents= 2} Normal execution of function `contents` with args: arg = {contents= 2} Normal execution of function `(<)` with args: _ = 2 _ = 2 Line 14: Normal execution of function `contents` with args: arg = {contents= 0} Line 5: Property failure at postcondition of `f` with: result = 0 why3-1.6.0/bench/check-ce/oracles/while1_CVC5,1.0.0_SP.oracle000066400000000000000000000036041440160026300227530ustar00rootroot00000000000000File "bench/check-ce/while1.mlw", line 10, characters 18-24: Sub-goal Loop invariant init of goal f'vc. Prover result is: Valid. File "bench/check-ce/while1.mlw", line 9, characters 16-21: Sub-goal Loop variant decrease of goal f'vc. Prover result is: Valid. File "bench/check-ce/while1.mlw", line 10, characters 18-24: Sub-goal Loop invariant preservation of goal f'vc. Prover result is: Valid. Categorizations of models: - Selected model 0: SW - Concrete RAC: NORMAL - Abstract RAC: FAILURE (postcondition at "bench/check-ce/while1.mlw", line 5, characters 12-22) - Checked model 1: SW - Concrete RAC: NORMAL - Abstract RAC: FAILURE (postcondition at "bench/check-ce/while1.mlw", line 5, characters 12-22) File "bench/check-ce/while1.mlw", line 5, characters 12-22: Sub-goal Postcondition of goal f'vc. Prover result is: Unknown or time/memory/step limit. The contracts of some function or loop are too weak, for example during the following execution: File int.mlw: Line 13: Constant zero initialization zero = 0 Line 14: Constant one initialization one = 1 Unknown location: _ = () File while1.mlw: Line 4: _ = () Execution of main function `f` with env: _ = () zero = 0 one = 1 Line 6: Giant-step execution of function `ref` with args: contents = 0 result of `ref` = {contents= 0} Line 7: Giant-step execution of function `ref` with args: contents = 0 result of `ref` = {contents= 0} Line 8: Giant-step iteration of loop x = {contents= 0} i = {contents= 2} Normal execution of function `contents` with args: arg = {contents= 2} Normal execution of function `(<)` with args: _ = 2 _ = 2 Line 14: Normal execution of function `contents` with args: arg = {contents= 0} Line 5: Property failure at postcondition of `f` with: result = 0 why3-1.6.0/bench/check-ce/oracles/while1_CVC5,1.0.0_WP.oracle000066400000000000000000000036041440160026300227570ustar00rootroot00000000000000File "bench/check-ce/while1.mlw", line 10, characters 18-24: Sub-goal Loop invariant init of goal f'vc. Prover result is: Valid. File "bench/check-ce/while1.mlw", line 9, characters 16-21: Sub-goal Loop variant decrease of goal f'vc. Prover result is: Valid. File "bench/check-ce/while1.mlw", line 10, characters 18-24: Sub-goal Loop invariant preservation of goal f'vc. Prover result is: Valid. Categorizations of models: - Selected model 0: SW - Concrete RAC: NORMAL - Abstract RAC: FAILURE (postcondition at "bench/check-ce/while1.mlw", line 5, characters 12-22) - Checked model 1: SW - Concrete RAC: NORMAL - Abstract RAC: FAILURE (postcondition at "bench/check-ce/while1.mlw", line 5, characters 12-22) File "bench/check-ce/while1.mlw", line 5, characters 12-22: Sub-goal Postcondition of goal f'vc. Prover result is: Unknown or time/memory/step limit. The contracts of some function or loop are too weak, for example during the following execution: File int.mlw: Line 13: Constant zero initialization zero = 0 Line 14: Constant one initialization one = 1 Unknown location: _ = () File while1.mlw: Line 4: _ = () Execution of main function `f` with env: _ = () zero = 0 one = 1 Line 6: Giant-step execution of function `ref` with args: contents = 0 result of `ref` = {contents= 0} Line 7: Giant-step execution of function `ref` with args: contents = 0 result of `ref` = {contents= 0} Line 8: Giant-step iteration of loop x = {contents= 0} i = {contents= 2} Normal execution of function `contents` with args: arg = {contents= 2} Normal execution of function `(<)` with args: _ = 2 _ = 2 Line 14: Normal execution of function `contents` with args: arg = {contents= 0} Line 5: Property failure at postcondition of `f` with: result = 0 why3-1.6.0/bench/check-ce/oracles/while1_Z3,4.8.10_SP.oracle000066400000000000000000000036651440160026300226520ustar00rootroot00000000000000File "bench/check-ce/while1.mlw", line 10, characters 18-24: Sub-goal Loop invariant init of goal f'vc. Prover result is: Valid. File "bench/check-ce/while1.mlw", line 9, characters 16-21: Sub-goal Loop variant decrease of goal f'vc. Prover result is: Valid. File "bench/check-ce/while1.mlw", line 10, characters 18-24: Sub-goal Loop invariant preservation of goal f'vc. Prover result is: Valid. Categorizations of models: - Selected model 0: SW - Concrete RAC: NORMAL - Abstract RAC: FAILURE (postcondition at "bench/check-ce/while1.mlw", line 5, characters 12-22) - Checked model 1: BAD_CE - Concrete RAC: NORMAL - Abstract RAC: STUCK (when reaching the end of a loop iteration at "bench/check-ce/while1.mlw", line 8, character 4 to line 13, character 8) File "bench/check-ce/while1.mlw", line 5, characters 12-22: Sub-goal Postcondition of goal f'vc. Prover result is: Unknown or time/memory/step limit. The contracts of some function or loop are too weak, for example during the following execution: File int.mlw: Line 13: Constant zero initialization zero = 0 Line 14: Constant one initialization one = 1 Unknown location: _ = () File while1.mlw: Line 4: _ = () Execution of main function `f` with env: _ = () zero = 0 one = 1 Line 6: Giant-step execution of function `ref` with args: contents = 0 result of `ref` = {contents= 0} Line 7: Giant-step execution of function `ref` with args: contents = 0 result of `ref` = {contents= 0} Line 8: Giant-step iteration of loop x = {contents= 1} i = {contents= 2} Normal execution of function `contents` with args: arg = {contents= 2} Normal execution of function `(<)` with args: _ = 2 _ = 2 Line 14: Normal execution of function `contents` with args: arg = {contents= 1} Line 5: Property failure at postcondition of `f` with: result = 1 why3-1.6.0/bench/check-ce/oracles/while1_Z3,4.8.10_WP.oracle000066400000000000000000000036651440160026300226560ustar00rootroot00000000000000File "bench/check-ce/while1.mlw", line 10, characters 18-24: Sub-goal Loop invariant init of goal f'vc. Prover result is: Valid. File "bench/check-ce/while1.mlw", line 9, characters 16-21: Sub-goal Loop variant decrease of goal f'vc. Prover result is: Valid. File "bench/check-ce/while1.mlw", line 10, characters 18-24: Sub-goal Loop invariant preservation of goal f'vc. Prover result is: Valid. Categorizations of models: - Selected model 0: SW - Concrete RAC: NORMAL - Abstract RAC: FAILURE (postcondition at "bench/check-ce/while1.mlw", line 5, characters 12-22) - Checked model 1: BAD_CE - Concrete RAC: NORMAL - Abstract RAC: STUCK (when reaching the end of a loop iteration at "bench/check-ce/while1.mlw", line 8, character 4 to line 13, character 8) File "bench/check-ce/while1.mlw", line 5, characters 12-22: Sub-goal Postcondition of goal f'vc. Prover result is: Unknown or time/memory/step limit. The contracts of some function or loop are too weak, for example during the following execution: File int.mlw: Line 13: Constant zero initialization zero = 0 Line 14: Constant one initialization one = 1 Unknown location: _ = () File while1.mlw: Line 4: _ = () Execution of main function `f` with env: _ = () zero = 0 one = 1 Line 6: Giant-step execution of function `ref` with args: contents = 0 result of `ref` = {contents= 0} Line 7: Giant-step execution of function `ref` with args: contents = 0 result of `ref` = {contents= 0} Line 8: Giant-step iteration of loop x = {contents= 1} i = {contents= 2} Normal execution of function `contents` with args: arg = {contents= 2} Normal execution of function `(<)` with args: _ = 2 _ = 2 Line 14: Normal execution of function `contents` with args: arg = {contents= 1} Line 5: Property failure at postcondition of `f` with: result = 1 why3-1.6.0/bench/check-ce/oracles/while1_Z3,4.8.4_SP.oracle000066400000000000000000000405701440160026300225710ustar00rootroot00000000000000File "bench/check-ce/while1.mlw", line 10, characters 18-24: Sub-goal Loop invariant init of goal f'vc. Prover result is: Valid (0.03s, 52 steps). File "bench/check-ce/while1.mlw", line 9, characters 16-21: Sub-goal Loop variant decrease of goal f'vc. Prover result is: Valid (0.01s, 2861 steps). File "bench/check-ce/while1.mlw", line 10, characters 18-24: Sub-goal Loop invariant preservation of goal f'vc. Prover result is: Valid (0.02s, 2808 steps). Check model 0 ("bench/check-ce/while1.mlw", line 5, characters 12-22) Checking model: File while1.mlw: Line 5: x = {"type": "Record", "val": {"Field": [{"field": "contents", "value": {"type": "Integer", "val": "1"}}]}} Line 6: result = {"type": "Integer", "val": "1"} Line 8: i = {"type": "Record", "val": {"Field": [{"field": "contents", "value": {"type": "Integer", "val": "2"}}]}} i = {"type": "Record", "val": {"Field": [{"field": "contents", "value": {"type": "Integer", "val": "2"}}]}} x = {"type": "Record", "val": {"Field": [{"field": "contents", "value": {"type": "Integer", "val": "1"}}]}} Giant-step RAC RHS evaluated for global `zero` at "WHY3DATA/stdlib/int.mlw", line 13, characters 15-19: 0 RHS evaluated for global `one` at "WHY3DATA/stdlib/int.mlw", line 14, characters 15-18: 1 Type default value for parameter `_` at NO LOC: () Value computed from postcondition for return value of call to ref at "bench/check-ce/while1.mlw", line 6, characters 16-17 at "bench/check-ce/while1.mlw", line 6, characters 16-17: {contents= 0} Value computed from postcondition for return value of call to ref at "bench/check-ce/while1.mlw", line 7, characters 16-17 at "bench/check-ce/while1.mlw", line 7, characters 16-17: {contents= 0} Value from model for variable `x` at "bench/check-ce/while1.mlw", line 8, characters 4-113 at "bench/check-ce/while1.mlw", line 8, characters 4-113: {contents= 1} Value from model for variable `i` at "bench/check-ce/while1.mlw", line 8, characters 4-113 at "bench/check-ce/while1.mlw", line 8, characters 4-113: {contents= 2} Normal RAC RHS evaluated for global `zero` at "WHY3DATA/stdlib/int.mlw", line 13, characters 15-19: 0 RHS evaluated for global `one` at "WHY3DATA/stdlib/int.mlw", line 14, characters 15-18: 1 Type default value for parameter `_` at NO LOC: () Result of checking model 0: SW - Concrete RAC: NORMAL File int.mlw: Line 13: Constant zero initialization zero = 0 Line 14: Constant one initialization one = 1 Unknown location: _ = () File while1.mlw: Line 4: _ = () Execution of main function `f` with env: _ = () zero = 0 one = 1 Line 6: Normal execution of function `ref` with args: contents = 0 Normal execution of function `ref'mk` with args: contents = 0 Line 7: Normal execution of function `ref` with args: contents = 0 Normal execution of function `ref'mk` with args: contents = 0 Line 8: Normal execution of function `contents` with args: arg = {contents= 0} Normal execution of function `(<)` with args: _ = 0 _ = 2 Normal iteration of loop Line 11: Normal execution of function `contents` with args: arg = {contents= 0} Normal execution of function `(+)` with args: _ = 0 _ = 1 Line 12: Normal execution of function `contents` with args: arg = {contents= 0} Normal execution of function `(+)` with args: _ = 0 _ = 1 Line 8: Normal execution of function `contents` with args: arg = {contents= 1} Normal execution of function `(<)` with args: _ = 1 _ = 2 Normal iteration of loop Line 11: Normal execution of function `contents` with args: arg = {contents= 1} Normal execution of function `(+)` with args: _ = 1 _ = 1 Line 12: Normal execution of function `contents` with args: arg = {contents= 1} Normal execution of function `(+)` with args: _ = 1 _ = 1 Line 8: Normal execution of function `contents` with args: arg = {contents= 2} Normal execution of function `(<)` with args: _ = 2 _ = 2 Line 14: Normal execution of function `contents` with args: arg = {contents= 2} Line 4: Execution of main function terminated normally - Abstract RAC: FAILURE (postcondition at "bench/check-ce/while1.mlw", line 5, characters 12-22) File int.mlw: Line 13: Constant zero initialization zero = 0 Line 14: Constant one initialization one = 1 Unknown location: _ = () File while1.mlw: Line 4: _ = () Execution of main function `f` with env: _ = () zero = 0 one = 1 Line 6: Giant-step execution of function `ref` with args: contents = 0 result of `ref` = {contents= 0} Line 7: Giant-step execution of function `ref` with args: contents = 0 result of `ref` = {contents= 0} Line 8: Giant-step iteration of loop x = {contents= 1} i = {contents= 2} Normal execution of function `contents` with args: arg = {contents= 2} Normal execution of function `(<)` with args: _ = 2 _ = 2 Line 14: Normal execution of function `contents` with args: arg = {contents= 1} Line 5: Property failure at postcondition of `f` with: result = 1 Check model 1 ("bench/check-ce/while1.mlw", line 5, characters 12-22) Checking model: File while1.mlw: Line 5: x = {"type": "Record", "val": {"Field": [{"field": "contents", "value": {"type": "Integer", "val": "1"}}]}} Line 6: result = {"type": "Integer", "val": "1"} Line 8: i = {"type": "Record", "val": {"Field": [{"field": "contents", "value": {"type": "Integer", "val": "7870"}}]}} i = {"type": "Record", "val": {"Field": [{"field": "contents", "value": {"type": "Integer", "val": "7870"}}]}} x = {"type": "Record", "val": {"Field": [{"field": "contents", "value": {"type": "Integer", "val": "1"}}]}} Giant-step RAC RHS evaluated for global `zero` at "WHY3DATA/stdlib/int.mlw", line 13, characters 15-19: 0 RHS evaluated for global `one` at "WHY3DATA/stdlib/int.mlw", line 14, characters 15-18: 1 Type default value for parameter `_` at NO LOC: () Value computed from postcondition for return value of call to ref at "bench/check-ce/while1.mlw", line 6, characters 16-17 at "bench/check-ce/while1.mlw", line 6, characters 16-17: {contents= 0} Value computed from postcondition for return value of call to ref at "bench/check-ce/while1.mlw", line 7, characters 16-17 at "bench/check-ce/while1.mlw", line 7, characters 16-17: {contents= 0} Value from model for variable `x` at "bench/check-ce/while1.mlw", line 8, characters 4-113 at "bench/check-ce/while1.mlw", line 8, characters 4-113: {contents= 1} Value from model for variable `i` at "bench/check-ce/while1.mlw", line 8, characters 4-113 at "bench/check-ce/while1.mlw", line 8, characters 4-113: {contents= 7870} Normal RAC RHS evaluated for global `zero` at "WHY3DATA/stdlib/int.mlw", line 13, characters 15-19: 0 RHS evaluated for global `one` at "WHY3DATA/stdlib/int.mlw", line 14, characters 15-18: 1 Type default value for parameter `_` at NO LOC: () Result of checking model 1: SW - Concrete RAC: NORMAL File int.mlw: Line 13: Constant zero initialization zero = 0 Line 14: Constant one initialization one = 1 Unknown location: _ = () File while1.mlw: Line 4: _ = () Execution of main function `f` with env: _ = () zero = 0 one = 1 Line 6: Normal execution of function `ref` with args: contents = 0 Normal execution of function `ref'mk` with args: contents = 0 Line 7: Normal execution of function `ref` with args: contents = 0 Normal execution of function `ref'mk` with args: contents = 0 Line 8: Normal execution of function `contents` with args: arg = {contents= 0} Normal execution of function `(<)` with args: _ = 0 _ = 2 Normal iteration of loop Line 11: Normal execution of function `contents` with args: arg = {contents= 0} Normal execution of function `(+)` with args: _ = 0 _ = 1 Line 12: Normal execution of function `contents` with args: arg = {contents= 0} Normal execution of function `(+)` with args: _ = 0 _ = 1 Line 8: Normal execution of function `contents` with args: arg = {contents= 1} Normal execution of function `(<)` with args: _ = 1 _ = 2 Normal iteration of loop Line 11: Normal execution of function `contents` with args: arg = {contents= 1} Normal execution of function `(+)` with args: _ = 1 _ = 1 Line 12: Normal execution of function `contents` with args: arg = {contents= 1} Normal execution of function `(+)` with args: _ = 1 _ = 1 Line 8: Normal execution of function `contents` with args: arg = {contents= 2} Normal execution of function `(<)` with args: _ = 2 _ = 2 Line 14: Normal execution of function `contents` with args: arg = {contents= 2} Line 4: Execution of main function terminated normally - Abstract RAC: FAILURE (postcondition at "bench/check-ce/while1.mlw", line 5, characters 12-22) File int.mlw: Line 13: Constant zero initialization zero = 0 Line 14: Constant one initialization one = 1 Unknown location: _ = () File while1.mlw: Line 4: _ = () Execution of main function `f` with env: _ = () zero = 0 one = 1 Line 6: Giant-step execution of function `ref` with args: contents = 0 result of `ref` = {contents= 0} Line 7: Giant-step execution of function `ref` with args: contents = 0 result of `ref` = {contents= 0} Line 8: Giant-step iteration of loop x = {contents= 1} i = {contents= 7870} Normal execution of function `contents` with args: arg = {contents= 7870} Normal execution of function `(<)` with args: _ = 7870 _ = 2 Line 14: Normal execution of function `contents` with args: arg = {contents= 1} Line 5: Property failure at postcondition of `f` with: result = 1 Results: - Selected model 0: SW - Concrete RAC: NORMAL - Abstract RAC: FAILURE (postcondition at "bench/check-ce/while1.mlw", line 5, characters 12-22) - Checked model 1: SW - Concrete RAC: NORMAL - Abstract RAC: FAILURE (postcondition at "bench/check-ce/while1.mlw", line 5, characters 12-22) File "bench/check-ce/while1.mlw", line 5, characters 12-22: Sub-goal Postcondition of goal f'vc. Prover result is: Unknown (unknown) (1.60s, 7500000 steps). The contracts of some function or loop are too weak, for example during the following execution: File int.mlw: Line 13: Constant zero initialization zero = 0 Line 14: Constant one initialization one = 1 Unknown location: _ = () File while1.mlw: Line 4: _ = () Execution of main function `f` with env: _ = () zero = 0 one = 1 Line 6: Giant-step execution of function `ref` with args: contents = 0 result of `ref` = {contents= 0} Line 7: Giant-step execution of function `ref` with args: contents = 0 result of `ref` = {contents= 0} Line 8: Giant-step iteration of loop x = {contents= 1} i = {contents= 2} Normal execution of function `contents` with args: arg = {contents= 2} Normal execution of function `(<)` with args: _ = 2 _ = 2 Line 14: Normal execution of function `contents` with args: arg = {contents= 1} Line 5: Property failure at postcondition of `f` with: result = 1 why3-1.6.0/bench/check-ce/oracles/while1_Z3,4.8.4_WP.oracle000066400000000000000000000405701440160026300225750ustar00rootroot00000000000000File "bench/check-ce/while1.mlw", line 10, characters 18-24: Sub-goal Loop invariant init of goal f'vc. Prover result is: Valid (0.02s, 52 steps). File "bench/check-ce/while1.mlw", line 9, characters 16-21: Sub-goal Loop variant decrease of goal f'vc. Prover result is: Valid (0.02s, 2861 steps). File "bench/check-ce/while1.mlw", line 10, characters 18-24: Sub-goal Loop invariant preservation of goal f'vc. Prover result is: Valid (0.01s, 2808 steps). Check model 0 ("bench/check-ce/while1.mlw", line 5, characters 12-22) Checking model: File while1.mlw: Line 5: x = {"type": "Record", "val": {"Field": [{"field": "contents", "value": {"type": "Integer", "val": "1"}}]}} Line 6: result = {"type": "Integer", "val": "1"} Line 8: i = {"type": "Record", "val": {"Field": [{"field": "contents", "value": {"type": "Integer", "val": "2"}}]}} i = {"type": "Record", "val": {"Field": [{"field": "contents", "value": {"type": "Integer", "val": "2"}}]}} x = {"type": "Record", "val": {"Field": [{"field": "contents", "value": {"type": "Integer", "val": "1"}}]}} Giant-step RAC RHS evaluated for global `zero` at "WHY3DATA/stdlib/int.mlw", line 13, characters 15-19: 0 RHS evaluated for global `one` at "WHY3DATA/stdlib/int.mlw", line 14, characters 15-18: 1 Type default value for parameter `_` at NO LOC: () Value computed from postcondition for return value of call to ref at "bench/check-ce/while1.mlw", line 6, characters 16-17 at "bench/check-ce/while1.mlw", line 6, characters 16-17: {contents= 0} Value computed from postcondition for return value of call to ref at "bench/check-ce/while1.mlw", line 7, characters 16-17 at "bench/check-ce/while1.mlw", line 7, characters 16-17: {contents= 0} Value from model for variable `x` at "bench/check-ce/while1.mlw", line 8, characters 4-113 at "bench/check-ce/while1.mlw", line 8, characters 4-113: {contents= 1} Value from model for variable `i` at "bench/check-ce/while1.mlw", line 8, characters 4-113 at "bench/check-ce/while1.mlw", line 8, characters 4-113: {contents= 2} Normal RAC RHS evaluated for global `zero` at "WHY3DATA/stdlib/int.mlw", line 13, characters 15-19: 0 RHS evaluated for global `one` at "WHY3DATA/stdlib/int.mlw", line 14, characters 15-18: 1 Type default value for parameter `_` at NO LOC: () Result of checking model 0: SW - Concrete RAC: NORMAL File int.mlw: Line 13: Constant zero initialization zero = 0 Line 14: Constant one initialization one = 1 Unknown location: _ = () File while1.mlw: Line 4: _ = () Execution of main function `f` with env: _ = () zero = 0 one = 1 Line 6: Normal execution of function `ref` with args: contents = 0 Normal execution of function `ref'mk` with args: contents = 0 Line 7: Normal execution of function `ref` with args: contents = 0 Normal execution of function `ref'mk` with args: contents = 0 Line 8: Normal execution of function `contents` with args: arg = {contents= 0} Normal execution of function `(<)` with args: _ = 0 _ = 2 Normal iteration of loop Line 11: Normal execution of function `contents` with args: arg = {contents= 0} Normal execution of function `(+)` with args: _ = 0 _ = 1 Line 12: Normal execution of function `contents` with args: arg = {contents= 0} Normal execution of function `(+)` with args: _ = 0 _ = 1 Line 8: Normal execution of function `contents` with args: arg = {contents= 1} Normal execution of function `(<)` with args: _ = 1 _ = 2 Normal iteration of loop Line 11: Normal execution of function `contents` with args: arg = {contents= 1} Normal execution of function `(+)` with args: _ = 1 _ = 1 Line 12: Normal execution of function `contents` with args: arg = {contents= 1} Normal execution of function `(+)` with args: _ = 1 _ = 1 Line 8: Normal execution of function `contents` with args: arg = {contents= 2} Normal execution of function `(<)` with args: _ = 2 _ = 2 Line 14: Normal execution of function `contents` with args: arg = {contents= 2} Line 4: Execution of main function terminated normally - Abstract RAC: FAILURE (postcondition at "bench/check-ce/while1.mlw", line 5, characters 12-22) File int.mlw: Line 13: Constant zero initialization zero = 0 Line 14: Constant one initialization one = 1 Unknown location: _ = () File while1.mlw: Line 4: _ = () Execution of main function `f` with env: _ = () zero = 0 one = 1 Line 6: Giant-step execution of function `ref` with args: contents = 0 result of `ref` = {contents= 0} Line 7: Giant-step execution of function `ref` with args: contents = 0 result of `ref` = {contents= 0} Line 8: Giant-step iteration of loop x = {contents= 1} i = {contents= 2} Normal execution of function `contents` with args: arg = {contents= 2} Normal execution of function `(<)` with args: _ = 2 _ = 2 Line 14: Normal execution of function `contents` with args: arg = {contents= 1} Line 5: Property failure at postcondition of `f` with: result = 1 Check model 1 ("bench/check-ce/while1.mlw", line 5, characters 12-22) Checking model: File while1.mlw: Line 5: x = {"type": "Record", "val": {"Field": [{"field": "contents", "value": {"type": "Integer", "val": "1"}}]}} Line 6: result = {"type": "Integer", "val": "1"} Line 8: i = {"type": "Record", "val": {"Field": [{"field": "contents", "value": {"type": "Integer", "val": "7870"}}]}} i = {"type": "Record", "val": {"Field": [{"field": "contents", "value": {"type": "Integer", "val": "7870"}}]}} x = {"type": "Record", "val": {"Field": [{"field": "contents", "value": {"type": "Integer", "val": "1"}}]}} Giant-step RAC RHS evaluated for global `zero` at "WHY3DATA/stdlib/int.mlw", line 13, characters 15-19: 0 RHS evaluated for global `one` at "WHY3DATA/stdlib/int.mlw", line 14, characters 15-18: 1 Type default value for parameter `_` at NO LOC: () Value computed from postcondition for return value of call to ref at "bench/check-ce/while1.mlw", line 6, characters 16-17 at "bench/check-ce/while1.mlw", line 6, characters 16-17: {contents= 0} Value computed from postcondition for return value of call to ref at "bench/check-ce/while1.mlw", line 7, characters 16-17 at "bench/check-ce/while1.mlw", line 7, characters 16-17: {contents= 0} Value from model for variable `x` at "bench/check-ce/while1.mlw", line 8, characters 4-113 at "bench/check-ce/while1.mlw", line 8, characters 4-113: {contents= 1} Value from model for variable `i` at "bench/check-ce/while1.mlw", line 8, characters 4-113 at "bench/check-ce/while1.mlw", line 8, characters 4-113: {contents= 7870} Normal RAC RHS evaluated for global `zero` at "WHY3DATA/stdlib/int.mlw", line 13, characters 15-19: 0 RHS evaluated for global `one` at "WHY3DATA/stdlib/int.mlw", line 14, characters 15-18: 1 Type default value for parameter `_` at NO LOC: () Result of checking model 1: SW - Concrete RAC: NORMAL File int.mlw: Line 13: Constant zero initialization zero = 0 Line 14: Constant one initialization one = 1 Unknown location: _ = () File while1.mlw: Line 4: _ = () Execution of main function `f` with env: _ = () zero = 0 one = 1 Line 6: Normal execution of function `ref` with args: contents = 0 Normal execution of function `ref'mk` with args: contents = 0 Line 7: Normal execution of function `ref` with args: contents = 0 Normal execution of function `ref'mk` with args: contents = 0 Line 8: Normal execution of function `contents` with args: arg = {contents= 0} Normal execution of function `(<)` with args: _ = 0 _ = 2 Normal iteration of loop Line 11: Normal execution of function `contents` with args: arg = {contents= 0} Normal execution of function `(+)` with args: _ = 0 _ = 1 Line 12: Normal execution of function `contents` with args: arg = {contents= 0} Normal execution of function `(+)` with args: _ = 0 _ = 1 Line 8: Normal execution of function `contents` with args: arg = {contents= 1} Normal execution of function `(<)` with args: _ = 1 _ = 2 Normal iteration of loop Line 11: Normal execution of function `contents` with args: arg = {contents= 1} Normal execution of function `(+)` with args: _ = 1 _ = 1 Line 12: Normal execution of function `contents` with args: arg = {contents= 1} Normal execution of function `(+)` with args: _ = 1 _ = 1 Line 8: Normal execution of function `contents` with args: arg = {contents= 2} Normal execution of function `(<)` with args: _ = 2 _ = 2 Line 14: Normal execution of function `contents` with args: arg = {contents= 2} Line 4: Execution of main function terminated normally - Abstract RAC: FAILURE (postcondition at "bench/check-ce/while1.mlw", line 5, characters 12-22) File int.mlw: Line 13: Constant zero initialization zero = 0 Line 14: Constant one initialization one = 1 Unknown location: _ = () File while1.mlw: Line 4: _ = () Execution of main function `f` with env: _ = () zero = 0 one = 1 Line 6: Giant-step execution of function `ref` with args: contents = 0 result of `ref` = {contents= 0} Line 7: Giant-step execution of function `ref` with args: contents = 0 result of `ref` = {contents= 0} Line 8: Giant-step iteration of loop x = {contents= 1} i = {contents= 7870} Normal execution of function `contents` with args: arg = {contents= 7870} Normal execution of function `(<)` with args: _ = 7870 _ = 2 Line 14: Normal execution of function `contents` with args: arg = {contents= 1} Line 5: Property failure at postcondition of `f` with: result = 1 Results: - Selected model 0: SW - Concrete RAC: NORMAL - Abstract RAC: FAILURE (postcondition at "bench/check-ce/while1.mlw", line 5, characters 12-22) - Checked model 1: SW - Concrete RAC: NORMAL - Abstract RAC: FAILURE (postcondition at "bench/check-ce/while1.mlw", line 5, characters 12-22) File "bench/check-ce/while1.mlw", line 5, characters 12-22: Sub-goal Postcondition of goal f'vc. Prover result is: Unknown (unknown) (1.18s, 7500000 steps). The contracts of some function or loop are too weak, for example during the following execution: File int.mlw: Line 13: Constant zero initialization zero = 0 Line 14: Constant one initialization one = 1 Unknown location: _ = () File while1.mlw: Line 4: _ = () Execution of main function `f` with env: _ = () zero = 0 one = 1 Line 6: Giant-step execution of function `ref` with args: contents = 0 result of `ref` = {contents= 0} Line 7: Giant-step execution of function `ref` with args: contents = 0 result of `ref` = {contents= 0} Line 8: Giant-step iteration of loop x = {contents= 1} i = {contents= 2} Normal execution of function `contents` with args: arg = {contents= 2} Normal execution of function `(<)` with args: _ = 2 _ = 2 Line 14: Normal execution of function `contents` with args: arg = {contents= 1} Line 5: Property failure at postcondition of `f` with: result = 1 why3-1.6.0/bench/check-ce/oracles/while1_mono_CVC4,1.8_SP.oracle000066400000000000000000000034171440160026300236560ustar00rootroot00000000000000File "bench/check-ce/while1_mono.mlw", line 12, characters 18-26: Sub-goal Loop invariant init of goal f'vc. Prover result is: Valid. File "bench/check-ce/while1_mono.mlw", line 11, characters 16-23: Sub-goal Loop variant decrease of goal f'vc. Prover result is: Valid. File "bench/check-ce/while1_mono.mlw", line 12, characters 18-26: Sub-goal Loop invariant preservation of goal f'vc. Prover result is: Valid. Categorizations of models: - Selected model 0: SW - Concrete RAC: NORMAL - Abstract RAC: FAILURE (postcondition at "bench/check-ce/while1_mono.mlw", line 7, characters 12-22) - Checked model 1: SW - Concrete RAC: NORMAL - Abstract RAC: FAILURE (postcondition at "bench/check-ce/while1_mono.mlw", line 7, characters 12-22) File "bench/check-ce/while1_mono.mlw", line 7, characters 12-22: Sub-goal Postcondition of goal f'vc. Prover result is: Unknown (sat). The contracts of some function or loop are too weak, for example during the following execution: File int.mlw: Line 13: Constant zero initialization zero = 0 Line 14: Constant one initialization one = 1 Unknown location: _ = () File while1_mono.mlw: Line 6: _ = () Execution of main function `f` with env: _ = () zero = 0 one = 1 Line 8: Normal execution of function `t'mk` with args: c = 0 Line 9: Normal execution of function `t'mk` with args: c = 0 Line 10: Giant-step iteration of loop x = {c= 0} i = {c= 2} Normal execution of function `c` with args: arg = {c= 2} Normal execution of function `(<)` with args: _ = 2 _ = 2 Line 16: Normal execution of function `c` with args: arg = {c= 0} Line 7: Property failure at postcondition of `f` with: result = 0 why3-1.6.0/bench/check-ce/oracles/while1_mono_CVC4,1.8_WP.oracle000066400000000000000000000034171440160026300236620ustar00rootroot00000000000000File "bench/check-ce/while1_mono.mlw", line 12, characters 18-26: Sub-goal Loop invariant init of goal f'vc. Prover result is: Valid. File "bench/check-ce/while1_mono.mlw", line 11, characters 16-23: Sub-goal Loop variant decrease of goal f'vc. Prover result is: Valid. File "bench/check-ce/while1_mono.mlw", line 12, characters 18-26: Sub-goal Loop invariant preservation of goal f'vc. Prover result is: Valid. Categorizations of models: - Selected model 0: SW - Concrete RAC: NORMAL - Abstract RAC: FAILURE (postcondition at "bench/check-ce/while1_mono.mlw", line 7, characters 12-22) - Checked model 1: SW - Concrete RAC: NORMAL - Abstract RAC: FAILURE (postcondition at "bench/check-ce/while1_mono.mlw", line 7, characters 12-22) File "bench/check-ce/while1_mono.mlw", line 7, characters 12-22: Sub-goal Postcondition of goal f'vc. Prover result is: Unknown (sat). The contracts of some function or loop are too weak, for example during the following execution: File int.mlw: Line 13: Constant zero initialization zero = 0 Line 14: Constant one initialization one = 1 Unknown location: _ = () File while1_mono.mlw: Line 6: _ = () Execution of main function `f` with env: _ = () zero = 0 one = 1 Line 8: Normal execution of function `t'mk` with args: c = 0 Line 9: Normal execution of function `t'mk` with args: c = 0 Line 10: Giant-step iteration of loop x = {c= 0} i = {c= 2} Normal execution of function `c` with args: arg = {c= 2} Normal execution of function `(<)` with args: _ = 2 _ = 2 Line 16: Normal execution of function `c` with args: arg = {c= 0} Line 7: Property failure at postcondition of `f` with: result = 0 why3-1.6.0/bench/check-ce/oracles/while1_mono_CVC5,1.0.0_SP.oracle000066400000000000000000000034171440160026300240050ustar00rootroot00000000000000File "bench/check-ce/while1_mono.mlw", line 12, characters 18-26: Sub-goal Loop invariant init of goal f'vc. Prover result is: Valid. File "bench/check-ce/while1_mono.mlw", line 11, characters 16-23: Sub-goal Loop variant decrease of goal f'vc. Prover result is: Valid. File "bench/check-ce/while1_mono.mlw", line 12, characters 18-26: Sub-goal Loop invariant preservation of goal f'vc. Prover result is: Valid. Categorizations of models: - Selected model 0: SW - Concrete RAC: NORMAL - Abstract RAC: FAILURE (postcondition at "bench/check-ce/while1_mono.mlw", line 7, characters 12-22) - Checked model 1: SW - Concrete RAC: NORMAL - Abstract RAC: FAILURE (postcondition at "bench/check-ce/while1_mono.mlw", line 7, characters 12-22) File "bench/check-ce/while1_mono.mlw", line 7, characters 12-22: Sub-goal Postcondition of goal f'vc. Prover result is: Unknown (sat). The contracts of some function or loop are too weak, for example during the following execution: File int.mlw: Line 13: Constant zero initialization zero = 0 Line 14: Constant one initialization one = 1 Unknown location: _ = () File while1_mono.mlw: Line 6: _ = () Execution of main function `f` with env: _ = () zero = 0 one = 1 Line 8: Normal execution of function `t'mk` with args: c = 0 Line 9: Normal execution of function `t'mk` with args: c = 0 Line 10: Giant-step iteration of loop x = {c= 0} i = {c= 2} Normal execution of function `c` with args: arg = {c= 2} Normal execution of function `(<)` with args: _ = 2 _ = 2 Line 16: Normal execution of function `c` with args: arg = {c= 0} Line 7: Property failure at postcondition of `f` with: result = 0 why3-1.6.0/bench/check-ce/oracles/while1_mono_CVC5,1.0.0_WP.oracle000066400000000000000000000034171440160026300240110ustar00rootroot00000000000000File "bench/check-ce/while1_mono.mlw", line 12, characters 18-26: Sub-goal Loop invariant init of goal f'vc. Prover result is: Valid. File "bench/check-ce/while1_mono.mlw", line 11, characters 16-23: Sub-goal Loop variant decrease of goal f'vc. Prover result is: Valid. File "bench/check-ce/while1_mono.mlw", line 12, characters 18-26: Sub-goal Loop invariant preservation of goal f'vc. Prover result is: Valid. Categorizations of models: - Selected model 0: SW - Concrete RAC: NORMAL - Abstract RAC: FAILURE (postcondition at "bench/check-ce/while1_mono.mlw", line 7, characters 12-22) - Checked model 1: SW - Concrete RAC: NORMAL - Abstract RAC: FAILURE (postcondition at "bench/check-ce/while1_mono.mlw", line 7, characters 12-22) File "bench/check-ce/while1_mono.mlw", line 7, characters 12-22: Sub-goal Postcondition of goal f'vc. Prover result is: Unknown (sat). The contracts of some function or loop are too weak, for example during the following execution: File int.mlw: Line 13: Constant zero initialization zero = 0 Line 14: Constant one initialization one = 1 Unknown location: _ = () File while1_mono.mlw: Line 6: _ = () Execution of main function `f` with env: _ = () zero = 0 one = 1 Line 8: Normal execution of function `t'mk` with args: c = 0 Line 9: Normal execution of function `t'mk` with args: c = 0 Line 10: Giant-step iteration of loop x = {c= 0} i = {c= 2} Normal execution of function `c` with args: arg = {c= 2} Normal execution of function `(<)` with args: _ = 2 _ = 2 Line 16: Normal execution of function `c` with args: arg = {c= 0} Line 7: Property failure at postcondition of `f` with: result = 0 why3-1.6.0/bench/check-ce/oracles/while1_mono_Z3,4.8.10_SP.oracle000066400000000000000000000034171440160026300236750ustar00rootroot00000000000000File "bench/check-ce/while1_mono.mlw", line 12, characters 18-26: Sub-goal Loop invariant init of goal f'vc. Prover result is: Valid. File "bench/check-ce/while1_mono.mlw", line 11, characters 16-23: Sub-goal Loop variant decrease of goal f'vc. Prover result is: Valid. File "bench/check-ce/while1_mono.mlw", line 12, characters 18-26: Sub-goal Loop invariant preservation of goal f'vc. Prover result is: Valid. Categorizations of models: - Selected model 0: SW - Concrete RAC: NORMAL - Abstract RAC: FAILURE (postcondition at "bench/check-ce/while1_mono.mlw", line 7, characters 12-22) - Checked model 1: SW - Concrete RAC: NORMAL - Abstract RAC: FAILURE (postcondition at "bench/check-ce/while1_mono.mlw", line 7, characters 12-22) File "bench/check-ce/while1_mono.mlw", line 7, characters 12-22: Sub-goal Postcondition of goal f'vc. Prover result is: Unknown (sat). The contracts of some function or loop are too weak, for example during the following execution: File int.mlw: Line 13: Constant zero initialization zero = 0 Line 14: Constant one initialization one = 1 Unknown location: _ = () File while1_mono.mlw: Line 6: _ = () Execution of main function `f` with env: _ = () zero = 0 one = 1 Line 8: Normal execution of function `t'mk` with args: c = 0 Line 9: Normal execution of function `t'mk` with args: c = 0 Line 10: Giant-step iteration of loop x = {c= 1} i = {c= 2} Normal execution of function `c` with args: arg = {c= 2} Normal execution of function `(<)` with args: _ = 2 _ = 2 Line 16: Normal execution of function `c` with args: arg = {c= 1} Line 7: Property failure at postcondition of `f` with: result = 1 why3-1.6.0/bench/check-ce/oracles/while1_mono_Z3,4.8.10_WP.oracle000066400000000000000000000034171440160026300237010ustar00rootroot00000000000000File "bench/check-ce/while1_mono.mlw", line 12, characters 18-26: Sub-goal Loop invariant init of goal f'vc. Prover result is: Valid. File "bench/check-ce/while1_mono.mlw", line 11, characters 16-23: Sub-goal Loop variant decrease of goal f'vc. Prover result is: Valid. File "bench/check-ce/while1_mono.mlw", line 12, characters 18-26: Sub-goal Loop invariant preservation of goal f'vc. Prover result is: Valid. Categorizations of models: - Selected model 0: SW - Concrete RAC: NORMAL - Abstract RAC: FAILURE (postcondition at "bench/check-ce/while1_mono.mlw", line 7, characters 12-22) - Checked model 1: SW - Concrete RAC: NORMAL - Abstract RAC: FAILURE (postcondition at "bench/check-ce/while1_mono.mlw", line 7, characters 12-22) File "bench/check-ce/while1_mono.mlw", line 7, characters 12-22: Sub-goal Postcondition of goal f'vc. Prover result is: Unknown (sat). The contracts of some function or loop are too weak, for example during the following execution: File int.mlw: Line 13: Constant zero initialization zero = 0 Line 14: Constant one initialization one = 1 Unknown location: _ = () File while1_mono.mlw: Line 6: _ = () Execution of main function `f` with env: _ = () zero = 0 one = 1 Line 8: Normal execution of function `t'mk` with args: c = 0 Line 9: Normal execution of function `t'mk` with args: c = 0 Line 10: Giant-step iteration of loop x = {c= 1} i = {c= 2} Normal execution of function `c` with args: arg = {c= 2} Normal execution of function `(<)` with args: _ = 2 _ = 2 Line 16: Normal execution of function `c` with args: arg = {c= 1} Line 7: Property failure at postcondition of `f` with: result = 1 why3-1.6.0/bench/check-ce/oracles/while_CVC4,1.8_SP.oracle000066400000000000000000000046051440160026300225450ustar00rootroot00000000000000File "bench/check-ce/while.mlw", line 10, characters 25-32: Sub-goal Loop invariant init of goal f'vc. Prover result is: Valid. File "bench/check-ce/while.mlw", line 9, characters 14-19: Sub-goal Loop variant decrease of goal f'vc. Prover result is: Valid. Categorizations of models: - Selected model 0: SW - Concrete RAC: NORMAL - Abstract RAC: FAILURE (loop invariant preservation at "bench/check-ce/while.mlw", line 10, characters 16-32) - Checked model 1: SW - Concrete RAC: NORMAL - Abstract RAC: FAILURE (loop invariant preservation at "bench/check-ce/while.mlw", line 10, characters 16-32) File "bench/check-ce/while.mlw", line 10, characters 25-32: Sub-goal Loop invariant preservation of goal f'vc. Prover result is: Unknown or time/memory/step limit. The contracts of some function or loop are too weak, for example during the following execution: File int.mlw: Line 13: Constant zero initialization zero = 0 Line 14: Constant one initialization one = 1 File while.mlw: Line 4: z = 0 z = 0 Execution of main function `f` with env: z = 0 zero = 0 one = 1 Line 5: Giant-step execution of function `ref` with args: contents = 0 result of `ref` = {contents= 0} Line 6: Giant-step execution of function `ref` with args: contents = 0 result of `ref` = {contents= 0} Line 7: Giant-step execution of function `ref` with args: contents = 0 result of `ref` = {contents= 0} Line 8: Giant-step iteration of loop x1 = {contents= (- 2)} x2 = {contents= 0} i = {contents= 0} Normal execution of function `contents` with args: arg = {contents= 0} Normal execution of function `(<)` with args: _ = 0 _ = 2 Normal iteration of loop Line 11: Normal execution of function `contents` with args: arg = {contents= 0} Normal execution of function `(=)` with args: x = 0 y = 0 Line 12: Normal execution of function `contents` with args: arg = {contents= (- 2)} Normal execution of function `(+)` with args: _ = (- 2) _ = 1 Line 15: Normal execution of function `contents` with args: arg = {contents= 0} Normal execution of function `(+)` with args: _ = 0 _ = 1 Line 10: Property failure at loop invariant preservation with: x1 = {contents= (-1)} i = {contents= 1} why3-1.6.0/bench/check-ce/oracles/while_CVC4,1.8_WP.oracle000066400000000000000000000052201440160026300225430ustar00rootroot00000000000000File "bench/check-ce/while.mlw", line 10, characters 25-32: Sub-goal Loop invariant init of goal f'vc. Prover result is: Valid. File "bench/check-ce/while.mlw", line 9, characters 14-19: Sub-goal Loop variant decrease of goal f'vc. Prover result is: Valid. Categorizations of models: - Selected model 0: SW - Concrete RAC: NORMAL - Abstract RAC: FAILURE (loop invariant preservation at "bench/check-ce/while.mlw", line 10, characters 16-32) - Checked model 1: SW - Concrete RAC: NORMAL - Abstract RAC: FAILURE (loop invariant preservation at "bench/check-ce/while.mlw", line 10, characters 16-32) File "bench/check-ce/while.mlw", line 10, characters 25-32: Sub-goal Loop invariant preservation of goal f'vc. Prover result is: Unknown or time/memory/step limit. The contracts of some function or loop are too weak, for example during the following execution: File int.mlw: Line 13: Constant zero initialization zero = 0 Line 14: Constant one initialization one = 1 File while.mlw: Line 4: z = 0 z = 0 Execution of main function `f` with env: z = 0 zero = 0 one = 1 Line 5: Giant-step execution of function `ref` with args: contents = 0 result of `ref` = {contents= 0} Line 6: Giant-step execution of function `ref` with args: contents = 0 result of `ref` = {contents= 0} Line 7: Giant-step execution of function `ref` with args: contents = 0 result of `ref` = {contents= 0} Line 8: Giant-step iteration of loop x1 = {contents= (- 2)} x2 = {contents= 0} i = {contents= 0} Normal execution of function `contents` with args: arg = {contents= 0} Normal execution of function `(<)` with args: _ = 0 _ = 2 Normal iteration of loop Line 11: Normal execution of function `contents` with args: arg = {contents= 0} Normal execution of function `(=)` with args: x = 0 y = 0 Line 12: Normal execution of function `contents` with args: arg = {contents= (- 2)} Normal execution of function `(+)` with args: _ = (- 2) _ = 1 Line 15: Normal execution of function `contents` with args: arg = {contents= 0} Normal execution of function `(+)` with args: _ = 0 _ = 1 Line 10: Property failure at loop invariant preservation with: x1 = {contents= (-1)} i = {contents= 1} File "bench/check-ce/while.mlw", line 9, characters 14-19: Sub-goal Loop variant decrease of goal f'vc. Prover result is: Valid. File "bench/check-ce/while.mlw", line 10, characters 25-32: Sub-goal Loop invariant preservation of goal f'vc. Prover result is: Valid. why3-1.6.0/bench/check-ce/oracles/while_CVC5,1.0.0_SP.oracle000066400000000000000000000046051440160026300226740ustar00rootroot00000000000000File "bench/check-ce/while.mlw", line 10, characters 25-32: Sub-goal Loop invariant init of goal f'vc. Prover result is: Valid. File "bench/check-ce/while.mlw", line 9, characters 14-19: Sub-goal Loop variant decrease of goal f'vc. Prover result is: Valid. Categorizations of models: - Selected model 0: SW - Concrete RAC: NORMAL - Abstract RAC: FAILURE (loop invariant preservation at "bench/check-ce/while.mlw", line 10, characters 16-32) - Checked model 1: SW - Concrete RAC: NORMAL - Abstract RAC: FAILURE (loop invariant preservation at "bench/check-ce/while.mlw", line 10, characters 16-32) File "bench/check-ce/while.mlw", line 10, characters 25-32: Sub-goal Loop invariant preservation of goal f'vc. Prover result is: Unknown or time/memory/step limit. The contracts of some function or loop are too weak, for example during the following execution: File int.mlw: Line 13: Constant zero initialization zero = 0 Line 14: Constant one initialization one = 1 File while.mlw: Line 4: z = 0 z = 0 Execution of main function `f` with env: z = 0 zero = 0 one = 1 Line 5: Giant-step execution of function `ref` with args: contents = 0 result of `ref` = {contents= 0} Line 6: Giant-step execution of function `ref` with args: contents = 0 result of `ref` = {contents= 0} Line 7: Giant-step execution of function `ref` with args: contents = 0 result of `ref` = {contents= 0} Line 8: Giant-step iteration of loop x1 = {contents= (- 2)} x2 = {contents= 0} i = {contents= 0} Normal execution of function `contents` with args: arg = {contents= 0} Normal execution of function `(<)` with args: _ = 0 _ = 2 Normal iteration of loop Line 11: Normal execution of function `contents` with args: arg = {contents= 0} Normal execution of function `(=)` with args: x = 0 y = 0 Line 12: Normal execution of function `contents` with args: arg = {contents= (- 2)} Normal execution of function `(+)` with args: _ = (- 2) _ = 1 Line 15: Normal execution of function `contents` with args: arg = {contents= 0} Normal execution of function `(+)` with args: _ = 0 _ = 1 Line 10: Property failure at loop invariant preservation with: x1 = {contents= (-1)} i = {contents= 1} why3-1.6.0/bench/check-ce/oracles/while_CVC5,1.0.0_WP.oracle000066400000000000000000000052201440160026300226720ustar00rootroot00000000000000File "bench/check-ce/while.mlw", line 10, characters 25-32: Sub-goal Loop invariant init of goal f'vc. Prover result is: Valid. File "bench/check-ce/while.mlw", line 9, characters 14-19: Sub-goal Loop variant decrease of goal f'vc. Prover result is: Valid. Categorizations of models: - Selected model 0: SW - Concrete RAC: NORMAL - Abstract RAC: FAILURE (loop invariant preservation at "bench/check-ce/while.mlw", line 10, characters 16-32) - Checked model 1: SW - Concrete RAC: NORMAL - Abstract RAC: FAILURE (loop invariant preservation at "bench/check-ce/while.mlw", line 10, characters 16-32) File "bench/check-ce/while.mlw", line 10, characters 25-32: Sub-goal Loop invariant preservation of goal f'vc. Prover result is: Unknown or time/memory/step limit. The contracts of some function or loop are too weak, for example during the following execution: File int.mlw: Line 13: Constant zero initialization zero = 0 Line 14: Constant one initialization one = 1 File while.mlw: Line 4: z = 0 z = 0 Execution of main function `f` with env: z = 0 zero = 0 one = 1 Line 5: Giant-step execution of function `ref` with args: contents = 0 result of `ref` = {contents= 0} Line 6: Giant-step execution of function `ref` with args: contents = 0 result of `ref` = {contents= 0} Line 7: Giant-step execution of function `ref` with args: contents = 0 result of `ref` = {contents= 0} Line 8: Giant-step iteration of loop x1 = {contents= (- 2)} x2 = {contents= 0} i = {contents= 0} Normal execution of function `contents` with args: arg = {contents= 0} Normal execution of function `(<)` with args: _ = 0 _ = 2 Normal iteration of loop Line 11: Normal execution of function `contents` with args: arg = {contents= 0} Normal execution of function `(=)` with args: x = 0 y = 0 Line 12: Normal execution of function `contents` with args: arg = {contents= (- 2)} Normal execution of function `(+)` with args: _ = (- 2) _ = 1 Line 15: Normal execution of function `contents` with args: arg = {contents= 0} Normal execution of function `(+)` with args: _ = 0 _ = 1 Line 10: Property failure at loop invariant preservation with: x1 = {contents= (-1)} i = {contents= 1} File "bench/check-ce/while.mlw", line 9, characters 14-19: Sub-goal Loop variant decrease of goal f'vc. Prover result is: Valid. File "bench/check-ce/while.mlw", line 10, characters 25-32: Sub-goal Loop invariant preservation of goal f'vc. Prover result is: Valid. why3-1.6.0/bench/check-ce/oracles/while_Z3,4.8.10_SP.oracle000066400000000000000000000046511440160026300225650ustar00rootroot00000000000000File "bench/check-ce/while.mlw", line 10, characters 25-32: Sub-goal Loop invariant init of goal f'vc. Prover result is: Valid. File "bench/check-ce/while.mlw", line 9, characters 14-19: Sub-goal Loop variant decrease of goal f'vc. Prover result is: Valid. Categorizations of models: - Selected model 0: SW - Concrete RAC: NORMAL - Abstract RAC: FAILURE (loop invariant preservation at "bench/check-ce/while.mlw", line 10, characters 16-32) - Checked model 1: BAD_CE - Concrete RAC: NORMAL - Abstract RAC: STUCK (when reaching the end of a loop iteration at "bench/check-ce/while.mlw", line 8, character 2 to line 16, character 6) File "bench/check-ce/while.mlw", line 10, characters 25-32: Sub-goal Loop invariant preservation of goal f'vc. Prover result is: Unknown or time/memory/step limit. The contracts of some function or loop are too weak, for example during the following execution: File int.mlw: Line 13: Constant zero initialization zero = 0 Line 14: Constant one initialization one = 1 File while.mlw: Line 4: z = 2 z = 2 Execution of main function `f` with env: z = 2 zero = 0 one = 1 Line 5: Giant-step execution of function `ref` with args: contents = 2 result of `ref` = {contents= 2} Line 6: Giant-step execution of function `ref` with args: contents = 0 result of `ref` = {contents= 0} Line 7: Giant-step execution of function `ref` with args: contents = 0 result of `ref` = {contents= 0} Line 8: Giant-step iteration of loop x1 = {contents= (- 2)} x2 = {contents= 175} i = {contents= 0} Normal execution of function `contents` with args: arg = {contents= 0} Normal execution of function `(<)` with args: _ = 0 _ = 2 Normal iteration of loop Line 11: Normal execution of function `contents` with args: arg = {contents= 0} Normal execution of function `(=)` with args: x = 0 y = 0 Line 12: Normal execution of function `contents` with args: arg = {contents= (- 2)} Normal execution of function `(+)` with args: _ = (- 2) _ = 1 Line 15: Normal execution of function `contents` with args: arg = {contents= 0} Normal execution of function `(+)` with args: _ = 0 _ = 1 Line 10: Property failure at loop invariant preservation with: x1 = {contents= (-1)} i = {contents= 1} why3-1.6.0/bench/check-ce/oracles/while_Z3,4.8.10_WP.oracle000066400000000000000000000052621440160026300225700ustar00rootroot00000000000000File "bench/check-ce/while.mlw", line 10, characters 25-32: Sub-goal Loop invariant init of goal f'vc. Prover result is: Valid. File "bench/check-ce/while.mlw", line 9, characters 14-19: Sub-goal Loop variant decrease of goal f'vc. Prover result is: Valid. Categorizations of models: - Selected model 0: SW - Concrete RAC: NORMAL - Abstract RAC: FAILURE (loop invariant preservation at "bench/check-ce/while.mlw", line 10, characters 16-32) - Checked model 1: BAD_CE - Concrete RAC: NORMAL - Abstract RAC: STUCK (when reaching the end of a loop iteration at "bench/check-ce/while.mlw", line 8, character 2 to line 16, character 6) File "bench/check-ce/while.mlw", line 10, characters 25-32: Sub-goal Loop invariant preservation of goal f'vc. Prover result is: Unknown or time/memory/step limit. The contracts of some function or loop are too weak, for example during the following execution: File int.mlw: Line 13: Constant zero initialization zero = 0 Line 14: Constant one initialization one = 1 File while.mlw: Line 4: z = 2 z = 2 Execution of main function `f` with env: z = 2 zero = 0 one = 1 Line 5: Giant-step execution of function `ref` with args: contents = 2 result of `ref` = {contents= 2} Line 6: Giant-step execution of function `ref` with args: contents = 0 result of `ref` = {contents= 0} Line 7: Giant-step execution of function `ref` with args: contents = 0 result of `ref` = {contents= 0} Line 8: Giant-step iteration of loop x1 = {contents= (- 2)} x2 = {contents= 0} i = {contents= 0} Normal execution of function `contents` with args: arg = {contents= 0} Normal execution of function `(<)` with args: _ = 0 _ = 2 Normal iteration of loop Line 11: Normal execution of function `contents` with args: arg = {contents= 0} Normal execution of function `(=)` with args: x = 0 y = 0 Line 12: Normal execution of function `contents` with args: arg = {contents= (- 2)} Normal execution of function `(+)` with args: _ = (- 2) _ = 1 Line 15: Normal execution of function `contents` with args: arg = {contents= 0} Normal execution of function `(+)` with args: _ = 0 _ = 1 Line 10: Property failure at loop invariant preservation with: x1 = {contents= (-1)} i = {contents= 1} File "bench/check-ce/while.mlw", line 9, characters 14-19: Sub-goal Loop variant decrease of goal f'vc. Prover result is: Valid. File "bench/check-ce/while.mlw", line 10, characters 25-32: Sub-goal Loop invariant preservation of goal f'vc. Prover result is: Valid. why3-1.6.0/bench/check-ce/oracles/while_Z3,4.8.4_SP.oracle000066400000000000000000000561461440160026300225160ustar00rootroot00000000000000File "bench/check-ce/while.mlw", line 10, characters 25-32: Sub-goal Loop invariant init of goal f'vc. Prover result is: Valid (0.02s, 64 steps). File "bench/check-ce/while.mlw", line 9, characters 14-19: Sub-goal Loop variant decrease of goal f'vc. Prover result is: Valid (0.01s, 2967 steps). Check model 0 ("bench/check-ce/while.mlw", line 10, characters 25-32) Checking model: File while.mlw: Line 4: z = {"type": "Integer", "val": "2"} Line 8: i = {"type": "Record", "val": {"Field": [{"field": "contents", "value": {"type": "Integer", "val": "0"}}]}} i = {"type": "Record", "val": {"Field": [{"field": "contents", "value": {"type": "Integer", "val": "0"}}]}} x1 = {"type": "Record", "val": {"Field": [{"field": "contents", "value": {"type": "Integer", "val": "-2"}}]}} Line 10: i = {"type": "Record", "val": {"Field": [{"field": "contents", "value": {"type": "Integer", "val": "1"}}]}} x1 = {"type": "Record", "val": {"Field": [{"field": "contents", "value": {"type": "Integer", "val": "-1"}}]}} x1 = {"type": "Record", "val": {"Field": [{"field": "contents", "value": {"type": "Integer", "val": "-1"}}]}} Line 11: result = {"type": "Boolean", "val": true} Line 12: x1 = {"type": "Record", "val": {"Field": [{"field": "contents", "value": {"type": "Integer", "val": "-1"}}]}} Line 15: i = {"type": "Record", "val": {"Field": [{"field": "contents", "value": {"type": "Integer", "val": "1"}}]}} Giant-step RAC RHS evaluated for global `zero` at "WHY3DATA/stdlib/int.mlw", line 13, characters 15-19: 0 RHS evaluated for global `one` at "WHY3DATA/stdlib/int.mlw", line 14, characters 15-18: 1 Value from model for parameter `z` at "bench/check-ce/while.mlw", line 4, characters 7-8: 2 Value computed from postcondition for return value of call to ref at "bench/check-ce/while.mlw", line 5, characters 15-16 at "bench/check-ce/while.mlw", line 5, characters 15-16: {contents= 2} Value computed from postcondition for return value of call to ref at "bench/check-ce/while.mlw", line 6, characters 15-16 at "bench/check-ce/while.mlw", line 6, characters 15-16: {contents= 0} Value computed from postcondition for return value of call to ref at "bench/check-ce/while.mlw", line 7, characters 14-15 at "bench/check-ce/while.mlw", line 7, characters 14-15: {contents= 0} Value from model for variable `x1` at "bench/check-ce/while.mlw", line 8, characters 2-161 at "bench/check-ce/while.mlw", line 8, characters 2-161: {contents= (-2)} Type default value for variable `x2` at "bench/check-ce/while.mlw", line 8, characters 2-161 at "bench/check-ce/while.mlw", line 8, characters 2-161: {contents= 0} Value from model for variable `i` at "bench/check-ce/while.mlw", line 8, characters 2-161 at "bench/check-ce/while.mlw", line 8, characters 2-161: {contents= 0} Normal RAC RHS evaluated for global `zero` at "WHY3DATA/stdlib/int.mlw", line 13, characters 15-19: 0 RHS evaluated for global `one` at "WHY3DATA/stdlib/int.mlw", line 14, characters 15-18: 1 Value from model for parameter `z` at "bench/check-ce/while.mlw", line 4, characters 7-8: 2 Result of checking model 0: SW - Concrete RAC: NORMAL File int.mlw: Line 13: Constant zero initialization zero = 0 Line 14: Constant one initialization one = 1 File while.mlw: Line 4: z = 2 z = 2 Execution of main function `f` with env: z = 2 zero = 0 one = 1 Line 5: Normal execution of function `ref` with args: contents = 2 Normal execution of function `ref'mk` with args: contents = 2 Line 6: Normal execution of function `ref` with args: contents = 0 Normal execution of function `ref'mk` with args: contents = 0 Line 7: Normal execution of function `ref` with args: contents = 0 Normal execution of function `ref'mk` with args: contents = 0 Line 8: Normal execution of function `contents` with args: arg = {contents= 0} Normal execution of function `(<)` with args: _ = 0 _ = 2 Normal iteration of loop Line 11: Normal execution of function `contents` with args: arg = {contents= 0} Normal execution of function `(=)` with args: x = 0 y = 0 Line 12: Normal execution of function `contents` with args: arg = {contents= 2} Normal execution of function `(+)` with args: _ = 2 _ = 1 Line 15: Normal execution of function `contents` with args: arg = {contents= 0} Normal execution of function `(+)` with args: _ = 0 _ = 1 Line 8: Normal execution of function `contents` with args: arg = {contents= 1} Normal execution of function `(<)` with args: _ = 1 _ = 2 Normal iteration of loop Line 11: Normal execution of function `contents` with args: arg = {contents= 1} Normal execution of function `(=)` with args: x = 1 y = 0 Line 14: Normal execution of function `contents` with args: arg = {contents= 0} Normal execution of function `(+)` with args: _ = 0 _ = 1 Line 15: Normal execution of function `contents` with args: arg = {contents= 1} Normal execution of function `(+)` with args: _ = 1 _ = 1 Line 8: Normal execution of function `contents` with args: arg = {contents= 2} Normal execution of function `(<)` with args: _ = 2 _ = 2 Line 4: Execution of main function terminated normally - Abstract RAC: FAILURE (loop invariant preservation at "bench/check-ce/while.mlw", line 10, characters 16-32) File int.mlw: Line 13: Constant zero initialization zero = 0 Line 14: Constant one initialization one = 1 File while.mlw: Line 4: z = 2 z = 2 Execution of main function `f` with env: z = 2 zero = 0 one = 1 Line 5: Giant-step execution of function `ref` with args: contents = 2 result of `ref` = {contents= 2} Line 6: Giant-step execution of function `ref` with args: contents = 0 result of `ref` = {contents= 0} Line 7: Giant-step execution of function `ref` with args: contents = 0 result of `ref` = {contents= 0} Line 8: Giant-step iteration of loop x1 = {contents= (-2)} x2 = {contents= 0} i = {contents= 0} Normal execution of function `contents` with args: arg = {contents= 0} Normal execution of function `(<)` with args: _ = 0 _ = 2 Normal iteration of loop Line 11: Normal execution of function `contents` with args: arg = {contents= 0} Normal execution of function `(=)` with args: x = 0 y = 0 Line 12: Normal execution of function `contents` with args: arg = {contents= (-2)} Normal execution of function `(+)` with args: _ = (-2) _ = 1 Line 15: Normal execution of function `contents` with args: arg = {contents= 0} Normal execution of function `(+)` with args: _ = 0 _ = 1 Line 10: Property failure at loop invariant preservation with: x1 = {contents= (-1)} i = {contents= 1} Check model 1 ("bench/check-ce/while.mlw", line 10, characters 25-32) Checking model: File while.mlw: Line 4: z = {"type": "Integer", "val": "2"} Line 8: i = {"type": "Record", "val": {"Field": [{"field": "contents", "value": {"type": "Integer", "val": "0"}}]}} i = {"type": "Record", "val": {"Field": [{"field": "contents", "value": {"type": "Integer", "val": "0"}}]}} x1 = {"type": "Record", "val": {"Field": [{"field": "contents", "value": {"type": "Integer", "val": "-7870"}}]}} Line 10: i = {"type": "Record", "val": {"Field": [{"field": "contents", "value": {"type": "Integer", "val": "1"}}]}} x1 = {"type": "Record", "val": {"Field": [{"field": "contents", "value": {"type": "Integer", "val": "-7869"}}]}} x1 = {"type": "Record", "val": {"Field": [{"field": "contents", "value": {"type": "Integer", "val": "-7869"}}]}} Line 11: result = {"type": "Boolean", "val": true} Line 12: x1 = {"type": "Record", "val": {"Field": [{"field": "contents", "value": {"type": "Integer", "val": "-7869"}}]}} Line 15: i = {"type": "Record", "val": {"Field": [{"field": "contents", "value": {"type": "Integer", "val": "1"}}]}} Giant-step RAC RHS evaluated for global `zero` at "WHY3DATA/stdlib/int.mlw", line 13, characters 15-19: 0 RHS evaluated for global `one` at "WHY3DATA/stdlib/int.mlw", line 14, characters 15-18: 1 Value from model for parameter `z` at "bench/check-ce/while.mlw", line 4, characters 7-8: 2 Value computed from postcondition for return value of call to ref at "bench/check-ce/while.mlw", line 5, characters 15-16 at "bench/check-ce/while.mlw", line 5, characters 15-16: {contents= 2} Value computed from postcondition for return value of call to ref at "bench/check-ce/while.mlw", line 6, characters 15-16 at "bench/check-ce/while.mlw", line 6, characters 15-16: {contents= 0} Value computed from postcondition for return value of call to ref at "bench/check-ce/while.mlw", line 7, characters 14-15 at "bench/check-ce/while.mlw", line 7, characters 14-15: {contents= 0} Value from model for variable `x1` at "bench/check-ce/while.mlw", line 8, characters 2-161 at "bench/check-ce/while.mlw", line 8, characters 2-161: {contents= (-7870)} Type default value for variable `x2` at "bench/check-ce/while.mlw", line 8, characters 2-161 at "bench/check-ce/while.mlw", line 8, characters 2-161: {contents= 0} Value from model for variable `i` at "bench/check-ce/while.mlw", line 8, characters 2-161 at "bench/check-ce/while.mlw", line 8, characters 2-161: {contents= 0} Normal RAC RHS evaluated for global `zero` at "WHY3DATA/stdlib/int.mlw", line 13, characters 15-19: 0 RHS evaluated for global `one` at "WHY3DATA/stdlib/int.mlw", line 14, characters 15-18: 1 Value from model for parameter `z` at "bench/check-ce/while.mlw", line 4, characters 7-8: 2 Result of checking model 1: SW - Concrete RAC: NORMAL File int.mlw: Line 13: Constant zero initialization zero = 0 Line 14: Constant one initialization one = 1 File while.mlw: Line 4: z = 2 z = 2 Execution of main function `f` with env: z = 2 zero = 0 one = 1 Line 5: Normal execution of function `ref` with args: contents = 2 Normal execution of function `ref'mk` with args: contents = 2 Line 6: Normal execution of function `ref` with args: contents = 0 Normal execution of function `ref'mk` with args: contents = 0 Line 7: Normal execution of function `ref` with args: contents = 0 Normal execution of function `ref'mk` with args: contents = 0 Line 8: Normal execution of function `contents` with args: arg = {contents= 0} Normal execution of function `(<)` with args: _ = 0 _ = 2 Normal iteration of loop Line 11: Normal execution of function `contents` with args: arg = {contents= 0} Normal execution of function `(=)` with args: x = 0 y = 0 Line 12: Normal execution of function `contents` with args: arg = {contents= 2} Normal execution of function `(+)` with args: _ = 2 _ = 1 Line 15: Normal execution of function `contents` with args: arg = {contents= 0} Normal execution of function `(+)` with args: _ = 0 _ = 1 Line 8: Normal execution of function `contents` with args: arg = {contents= 1} Normal execution of function `(<)` with args: _ = 1 _ = 2 Normal iteration of loop Line 11: Normal execution of function `contents` with args: arg = {contents= 1} Normal execution of function `(=)` with args: x = 1 y = 0 Line 14: Normal execution of function `contents` with args: arg = {contents= 0} Normal execution of function `(+)` with args: _ = 0 _ = 1 Line 15: Normal execution of function `contents` with args: arg = {contents= 1} Normal execution of function `(+)` with args: _ = 1 _ = 1 Line 8: Normal execution of function `contents` with args: arg = {contents= 2} Normal execution of function `(<)` with args: _ = 2 _ = 2 Line 4: Execution of main function terminated normally - Abstract RAC: FAILURE (loop invariant preservation at "bench/check-ce/while.mlw", line 10, characters 16-32) File int.mlw: Line 13: Constant zero initialization zero = 0 Line 14: Constant one initialization one = 1 File while.mlw: Line 4: z = 2 z = 2 Execution of main function `f` with env: z = 2 zero = 0 one = 1 Line 5: Giant-step execution of function `ref` with args: contents = 2 result of `ref` = {contents= 2} Line 6: Giant-step execution of function `ref` with args: contents = 0 result of `ref` = {contents= 0} Line 7: Giant-step execution of function `ref` with args: contents = 0 result of `ref` = {contents= 0} Line 8: Giant-step iteration of loop x1 = {contents= (-7870)} x2 = {contents= 0} i = {contents= 0} Normal execution of function `contents` with args: arg = {contents= 0} Normal execution of function `(<)` with args: _ = 0 _ = 2 Normal iteration of loop Line 11: Normal execution of function `contents` with args: arg = {contents= 0} Normal execution of function `(=)` with args: x = 0 y = 0 Line 12: Normal execution of function `contents` with args: arg = {contents= (-7870)} Normal execution of function `(+)` with args: _ = (-7870) _ = 1 Line 15: Normal execution of function `contents` with args: arg = {contents= 0} Normal execution of function `(+)` with args: _ = 0 _ = 1 Line 10: Property failure at loop invariant preservation with: x1 = {contents= (-7869)} i = {contents= 1} Results: - Selected model 0: SW - Concrete RAC: NORMAL - Abstract RAC: FAILURE (loop invariant preservation at "bench/check-ce/while.mlw", line 10, characters 16-32) - Checked model 1: SW - Concrete RAC: NORMAL - Abstract RAC: FAILURE (loop invariant preservation at "bench/check-ce/while.mlw", line 10, characters 16-32) File "bench/check-ce/while.mlw", line 10, characters 25-32: Sub-goal Loop invariant preservation of goal f'vc. Prover result is: Unknown (unknown) (1.14s, 7500000 steps). The contracts of some function or loop are too weak, for example during the following execution: File int.mlw: Line 13: Constant zero initialization zero = 0 Line 14: Constant one initialization one = 1 File while.mlw: Line 4: z = 2 z = 2 Execution of main function `f` with env: z = 2 zero = 0 one = 1 Line 5: Giant-step execution of function `ref` with args: contents = 2 result of `ref` = {contents= 2} Line 6: Giant-step execution of function `ref` with args: contents = 0 result of `ref` = {contents= 0} Line 7: Giant-step execution of function `ref` with args: contents = 0 result of `ref` = {contents= 0} Line 8: Giant-step iteration of loop x1 = {contents= (-2)} x2 = {contents= 0} i = {contents= 0} Normal execution of function `contents` with args: arg = {contents= 0} Normal execution of function `(<)` with args: _ = 0 _ = 2 Normal iteration of loop Line 11: Normal execution of function `contents` with args: arg = {contents= 0} Normal execution of function `(=)` with args: x = 0 y = 0 Line 12: Normal execution of function `contents` with args: arg = {contents= (-2)} Normal execution of function `(+)` with args: _ = (-2) _ = 1 Line 15: Normal execution of function `contents` with args: arg = {contents= 0} Normal execution of function `(+)` with args: _ = 0 _ = 1 Line 10: Property failure at loop invariant preservation with: x1 = {contents= (-1)} i = {contents= 1} File "bench/check-ce/while.mlw", line 9, characters 14-19: Sub-goal Loop variant decrease of goal f'vc. Prover result is: Valid (0.01s, 2928 steps). File "bench/check-ce/while.mlw", line 10, characters 25-32: Sub-goal Loop invariant preservation of goal f'vc. Prover result is: Valid (0.01s, 2901 steps). why3-1.6.0/bench/check-ce/oracles/while_Z3,4.8.4_WP.oracle000066400000000000000000000561461440160026300225220ustar00rootroot00000000000000File "bench/check-ce/while.mlw", line 10, characters 25-32: Sub-goal Loop invariant init of goal f'vc. Prover result is: Valid (0.02s, 64 steps). File "bench/check-ce/while.mlw", line 9, characters 14-19: Sub-goal Loop variant decrease of goal f'vc. Prover result is: Valid (0.01s, 2967 steps). Check model 0 ("bench/check-ce/while.mlw", line 10, characters 25-32) Checking model: File while.mlw: Line 4: z = {"type": "Integer", "val": "2"} Line 8: i = {"type": "Record", "val": {"Field": [{"field": "contents", "value": {"type": "Integer", "val": "0"}}]}} i = {"type": "Record", "val": {"Field": [{"field": "contents", "value": {"type": "Integer", "val": "0"}}]}} x1 = {"type": "Record", "val": {"Field": [{"field": "contents", "value": {"type": "Integer", "val": "-2"}}]}} Line 10: i = {"type": "Record", "val": {"Field": [{"field": "contents", "value": {"type": "Integer", "val": "1"}}]}} x1 = {"type": "Record", "val": {"Field": [{"field": "contents", "value": {"type": "Integer", "val": "-1"}}]}} x1 = {"type": "Record", "val": {"Field": [{"field": "contents", "value": {"type": "Integer", "val": "-1"}}]}} Line 11: result = {"type": "Boolean", "val": true} Line 12: x1 = {"type": "Record", "val": {"Field": [{"field": "contents", "value": {"type": "Integer", "val": "-1"}}]}} Line 15: i = {"type": "Record", "val": {"Field": [{"field": "contents", "value": {"type": "Integer", "val": "1"}}]}} Giant-step RAC RHS evaluated for global `zero` at "WHY3DATA/stdlib/int.mlw", line 13, characters 15-19: 0 RHS evaluated for global `one` at "WHY3DATA/stdlib/int.mlw", line 14, characters 15-18: 1 Value from model for parameter `z` at "bench/check-ce/while.mlw", line 4, characters 7-8: 2 Value computed from postcondition for return value of call to ref at "bench/check-ce/while.mlw", line 5, characters 15-16 at "bench/check-ce/while.mlw", line 5, characters 15-16: {contents= 2} Value computed from postcondition for return value of call to ref at "bench/check-ce/while.mlw", line 6, characters 15-16 at "bench/check-ce/while.mlw", line 6, characters 15-16: {contents= 0} Value computed from postcondition for return value of call to ref at "bench/check-ce/while.mlw", line 7, characters 14-15 at "bench/check-ce/while.mlw", line 7, characters 14-15: {contents= 0} Value from model for variable `x1` at "bench/check-ce/while.mlw", line 8, characters 2-161 at "bench/check-ce/while.mlw", line 8, characters 2-161: {contents= (-2)} Type default value for variable `x2` at "bench/check-ce/while.mlw", line 8, characters 2-161 at "bench/check-ce/while.mlw", line 8, characters 2-161: {contents= 0} Value from model for variable `i` at "bench/check-ce/while.mlw", line 8, characters 2-161 at "bench/check-ce/while.mlw", line 8, characters 2-161: {contents= 0} Normal RAC RHS evaluated for global `zero` at "WHY3DATA/stdlib/int.mlw", line 13, characters 15-19: 0 RHS evaluated for global `one` at "WHY3DATA/stdlib/int.mlw", line 14, characters 15-18: 1 Value from model for parameter `z` at "bench/check-ce/while.mlw", line 4, characters 7-8: 2 Result of checking model 0: SW - Concrete RAC: NORMAL File int.mlw: Line 13: Constant zero initialization zero = 0 Line 14: Constant one initialization one = 1 File while.mlw: Line 4: z = 2 z = 2 Execution of main function `f` with env: z = 2 zero = 0 one = 1 Line 5: Normal execution of function `ref` with args: contents = 2 Normal execution of function `ref'mk` with args: contents = 2 Line 6: Normal execution of function `ref` with args: contents = 0 Normal execution of function `ref'mk` with args: contents = 0 Line 7: Normal execution of function `ref` with args: contents = 0 Normal execution of function `ref'mk` with args: contents = 0 Line 8: Normal execution of function `contents` with args: arg = {contents= 0} Normal execution of function `(<)` with args: _ = 0 _ = 2 Normal iteration of loop Line 11: Normal execution of function `contents` with args: arg = {contents= 0} Normal execution of function `(=)` with args: x = 0 y = 0 Line 12: Normal execution of function `contents` with args: arg = {contents= 2} Normal execution of function `(+)` with args: _ = 2 _ = 1 Line 15: Normal execution of function `contents` with args: arg = {contents= 0} Normal execution of function `(+)` with args: _ = 0 _ = 1 Line 8: Normal execution of function `contents` with args: arg = {contents= 1} Normal execution of function `(<)` with args: _ = 1 _ = 2 Normal iteration of loop Line 11: Normal execution of function `contents` with args: arg = {contents= 1} Normal execution of function `(=)` with args: x = 1 y = 0 Line 14: Normal execution of function `contents` with args: arg = {contents= 0} Normal execution of function `(+)` with args: _ = 0 _ = 1 Line 15: Normal execution of function `contents` with args: arg = {contents= 1} Normal execution of function `(+)` with args: _ = 1 _ = 1 Line 8: Normal execution of function `contents` with args: arg = {contents= 2} Normal execution of function `(<)` with args: _ = 2 _ = 2 Line 4: Execution of main function terminated normally - Abstract RAC: FAILURE (loop invariant preservation at "bench/check-ce/while.mlw", line 10, characters 16-32) File int.mlw: Line 13: Constant zero initialization zero = 0 Line 14: Constant one initialization one = 1 File while.mlw: Line 4: z = 2 z = 2 Execution of main function `f` with env: z = 2 zero = 0 one = 1 Line 5: Giant-step execution of function `ref` with args: contents = 2 result of `ref` = {contents= 2} Line 6: Giant-step execution of function `ref` with args: contents = 0 result of `ref` = {contents= 0} Line 7: Giant-step execution of function `ref` with args: contents = 0 result of `ref` = {contents= 0} Line 8: Giant-step iteration of loop x1 = {contents= (-2)} x2 = {contents= 0} i = {contents= 0} Normal execution of function `contents` with args: arg = {contents= 0} Normal execution of function `(<)` with args: _ = 0 _ = 2 Normal iteration of loop Line 11: Normal execution of function `contents` with args: arg = {contents= 0} Normal execution of function `(=)` with args: x = 0 y = 0 Line 12: Normal execution of function `contents` with args: arg = {contents= (-2)} Normal execution of function `(+)` with args: _ = (-2) _ = 1 Line 15: Normal execution of function `contents` with args: arg = {contents= 0} Normal execution of function `(+)` with args: _ = 0 _ = 1 Line 10: Property failure at loop invariant preservation with: x1 = {contents= (-1)} i = {contents= 1} Check model 1 ("bench/check-ce/while.mlw", line 10, characters 25-32) Checking model: File while.mlw: Line 4: z = {"type": "Integer", "val": "2"} Line 8: i = {"type": "Record", "val": {"Field": [{"field": "contents", "value": {"type": "Integer", "val": "0"}}]}} i = {"type": "Record", "val": {"Field": [{"field": "contents", "value": {"type": "Integer", "val": "0"}}]}} x1 = {"type": "Record", "val": {"Field": [{"field": "contents", "value": {"type": "Integer", "val": "-7870"}}]}} Line 10: i = {"type": "Record", "val": {"Field": [{"field": "contents", "value": {"type": "Integer", "val": "1"}}]}} x1 = {"type": "Record", "val": {"Field": [{"field": "contents", "value": {"type": "Integer", "val": "-7869"}}]}} x1 = {"type": "Record", "val": {"Field": [{"field": "contents", "value": {"type": "Integer", "val": "-7869"}}]}} Line 11: result = {"type": "Boolean", "val": true} Line 12: x1 = {"type": "Record", "val": {"Field": [{"field": "contents", "value": {"type": "Integer", "val": "-7869"}}]}} Line 15: i = {"type": "Record", "val": {"Field": [{"field": "contents", "value": {"type": "Integer", "val": "1"}}]}} Giant-step RAC RHS evaluated for global `zero` at "WHY3DATA/stdlib/int.mlw", line 13, characters 15-19: 0 RHS evaluated for global `one` at "WHY3DATA/stdlib/int.mlw", line 14, characters 15-18: 1 Value from model for parameter `z` at "bench/check-ce/while.mlw", line 4, characters 7-8: 2 Value computed from postcondition for return value of call to ref at "bench/check-ce/while.mlw", line 5, characters 15-16 at "bench/check-ce/while.mlw", line 5, characters 15-16: {contents= 2} Value computed from postcondition for return value of call to ref at "bench/check-ce/while.mlw", line 6, characters 15-16 at "bench/check-ce/while.mlw", line 6, characters 15-16: {contents= 0} Value computed from postcondition for return value of call to ref at "bench/check-ce/while.mlw", line 7, characters 14-15 at "bench/check-ce/while.mlw", line 7, characters 14-15: {contents= 0} Value from model for variable `x1` at "bench/check-ce/while.mlw", line 8, characters 2-161 at "bench/check-ce/while.mlw", line 8, characters 2-161: {contents= (-7870)} Type default value for variable `x2` at "bench/check-ce/while.mlw", line 8, characters 2-161 at "bench/check-ce/while.mlw", line 8, characters 2-161: {contents= 0} Value from model for variable `i` at "bench/check-ce/while.mlw", line 8, characters 2-161 at "bench/check-ce/while.mlw", line 8, characters 2-161: {contents= 0} Normal RAC RHS evaluated for global `zero` at "WHY3DATA/stdlib/int.mlw", line 13, characters 15-19: 0 RHS evaluated for global `one` at "WHY3DATA/stdlib/int.mlw", line 14, characters 15-18: 1 Value from model for parameter `z` at "bench/check-ce/while.mlw", line 4, characters 7-8: 2 Result of checking model 1: SW - Concrete RAC: NORMAL File int.mlw: Line 13: Constant zero initialization zero = 0 Line 14: Constant one initialization one = 1 File while.mlw: Line 4: z = 2 z = 2 Execution of main function `f` with env: z = 2 zero = 0 one = 1 Line 5: Normal execution of function `ref` with args: contents = 2 Normal execution of function `ref'mk` with args: contents = 2 Line 6: Normal execution of function `ref` with args: contents = 0 Normal execution of function `ref'mk` with args: contents = 0 Line 7: Normal execution of function `ref` with args: contents = 0 Normal execution of function `ref'mk` with args: contents = 0 Line 8: Normal execution of function `contents` with args: arg = {contents= 0} Normal execution of function `(<)` with args: _ = 0 _ = 2 Normal iteration of loop Line 11: Normal execution of function `contents` with args: arg = {contents= 0} Normal execution of function `(=)` with args: x = 0 y = 0 Line 12: Normal execution of function `contents` with args: arg = {contents= 2} Normal execution of function `(+)` with args: _ = 2 _ = 1 Line 15: Normal execution of function `contents` with args: arg = {contents= 0} Normal execution of function `(+)` with args: _ = 0 _ = 1 Line 8: Normal execution of function `contents` with args: arg = {contents= 1} Normal execution of function `(<)` with args: _ = 1 _ = 2 Normal iteration of loop Line 11: Normal execution of function `contents` with args: arg = {contents= 1} Normal execution of function `(=)` with args: x = 1 y = 0 Line 14: Normal execution of function `contents` with args: arg = {contents= 0} Normal execution of function `(+)` with args: _ = 0 _ = 1 Line 15: Normal execution of function `contents` with args: arg = {contents= 1} Normal execution of function `(+)` with args: _ = 1 _ = 1 Line 8: Normal execution of function `contents` with args: arg = {contents= 2} Normal execution of function `(<)` with args: _ = 2 _ = 2 Line 4: Execution of main function terminated normally - Abstract RAC: FAILURE (loop invariant preservation at "bench/check-ce/while.mlw", line 10, characters 16-32) File int.mlw: Line 13: Constant zero initialization zero = 0 Line 14: Constant one initialization one = 1 File while.mlw: Line 4: z = 2 z = 2 Execution of main function `f` with env: z = 2 zero = 0 one = 1 Line 5: Giant-step execution of function `ref` with args: contents = 2 result of `ref` = {contents= 2} Line 6: Giant-step execution of function `ref` with args: contents = 0 result of `ref` = {contents= 0} Line 7: Giant-step execution of function `ref` with args: contents = 0 result of `ref` = {contents= 0} Line 8: Giant-step iteration of loop x1 = {contents= (-7870)} x2 = {contents= 0} i = {contents= 0} Normal execution of function `contents` with args: arg = {contents= 0} Normal execution of function `(<)` with args: _ = 0 _ = 2 Normal iteration of loop Line 11: Normal execution of function `contents` with args: arg = {contents= 0} Normal execution of function `(=)` with args: x = 0 y = 0 Line 12: Normal execution of function `contents` with args: arg = {contents= (-7870)} Normal execution of function `(+)` with args: _ = (-7870) _ = 1 Line 15: Normal execution of function `contents` with args: arg = {contents= 0} Normal execution of function `(+)` with args: _ = 0 _ = 1 Line 10: Property failure at loop invariant preservation with: x1 = {contents= (-7869)} i = {contents= 1} Results: - Selected model 0: SW - Concrete RAC: NORMAL - Abstract RAC: FAILURE (loop invariant preservation at "bench/check-ce/while.mlw", line 10, characters 16-32) - Checked model 1: SW - Concrete RAC: NORMAL - Abstract RAC: FAILURE (loop invariant preservation at "bench/check-ce/while.mlw", line 10, characters 16-32) File "bench/check-ce/while.mlw", line 10, characters 25-32: Sub-goal Loop invariant preservation of goal f'vc. Prover result is: Unknown (unknown) (1.43s, 7500000 steps). The contracts of some function or loop are too weak, for example during the following execution: File int.mlw: Line 13: Constant zero initialization zero = 0 Line 14: Constant one initialization one = 1 File while.mlw: Line 4: z = 2 z = 2 Execution of main function `f` with env: z = 2 zero = 0 one = 1 Line 5: Giant-step execution of function `ref` with args: contents = 2 result of `ref` = {contents= 2} Line 6: Giant-step execution of function `ref` with args: contents = 0 result of `ref` = {contents= 0} Line 7: Giant-step execution of function `ref` with args: contents = 0 result of `ref` = {contents= 0} Line 8: Giant-step iteration of loop x1 = {contents= (-2)} x2 = {contents= 0} i = {contents= 0} Normal execution of function `contents` with args: arg = {contents= 0} Normal execution of function `(<)` with args: _ = 0 _ = 2 Normal iteration of loop Line 11: Normal execution of function `contents` with args: arg = {contents= 0} Normal execution of function `(=)` with args: x = 0 y = 0 Line 12: Normal execution of function `contents` with args: arg = {contents= (-2)} Normal execution of function `(+)` with args: _ = (-2) _ = 1 Line 15: Normal execution of function `contents` with args: arg = {contents= 0} Normal execution of function `(+)` with args: _ = 0 _ = 1 Line 10: Property failure at loop invariant preservation with: x1 = {contents= (-1)} i = {contents= 1} File "bench/check-ce/while.mlw", line 9, characters 14-19: Sub-goal Loop variant decrease of goal f'vc. Prover result is: Valid (0.01s, 2928 steps). File "bench/check-ce/while.mlw", line 10, characters 25-32: Sub-goal Loop invariant preservation of goal f'vc. Prover result is: Valid (0.01s, 2901 steps). why3-1.6.0/bench/check-ce/oracles/while_mono_CVC4,1.8_SP.oracle000066400000000000000000000042541440160026300235750ustar00rootroot00000000000000File "bench/check-ce/while_mono.mlw", line 12, characters 27-36: Sub-goal Loop invariant init of goal f'vc. Prover result is: Valid. File "bench/check-ce/while_mono.mlw", line 11, characters 14-21: Sub-goal Loop variant decrease of goal f'vc. Prover result is: Valid. Categorizations of models: - Selected model 0: SW - Concrete RAC: NORMAL - Abstract RAC: FAILURE (loop invariant preservation at "bench/check-ce/while_mono.mlw", line 12, characters 16-36) - Checked model 1: SW - Concrete RAC: NORMAL - Abstract RAC: FAILURE (loop invariant preservation at "bench/check-ce/while_mono.mlw", line 12, characters 16-36) File "bench/check-ce/while_mono.mlw", line 12, characters 27-36: Sub-goal Loop invariant preservation of goal f'vc. Prover result is: Unknown (sat). The contracts of some function or loop are too weak, for example during the following execution: File int.mlw: Line 13: Constant zero initialization zero = 0 Line 14: Constant one initialization one = 1 File while_mono.mlw: Line 6: z = 0 z = 0 Execution of main function `f` with env: z = 0 zero = 0 one = 1 Line 7: Normal execution of function `t'mk` with args: c = 0 Line 8: Normal execution of function `t'mk` with args: c = 0 Line 9: Normal execution of function `t'mk` with args: c = 0 Line 10: Giant-step iteration of loop x1 = {c= (- 2)} x2 = {c= 0} i = {c= 0} Normal execution of function `c` with args: arg = {c= 0} Normal execution of function `(<)` with args: _ = 0 _ = 2 Normal iteration of loop Line 13: Normal execution of function `c` with args: arg = {c= 0} Normal execution of function `(=)` with args: x = 0 y = 0 Line 14: Normal execution of function `c` with args: arg = {c= (- 2)} Normal execution of function `(+)` with args: _ = (- 2) _ = 1 Line 17: Normal execution of function `c` with args: arg = {c= 0} Normal execution of function `(+)` with args: _ = 0 _ = 1 Line 12: Property failure at loop invariant preservation with: x1 = {c= (-1)} i = {c= 1} why3-1.6.0/bench/check-ce/oracles/while_mono_CVC4,1.8_WP.oracle000066400000000000000000000047021440160026300235770ustar00rootroot00000000000000File "bench/check-ce/while_mono.mlw", line 12, characters 27-36: Sub-goal Loop invariant init of goal f'vc. Prover result is: Valid. File "bench/check-ce/while_mono.mlw", line 11, characters 14-21: Sub-goal Loop variant decrease of goal f'vc. Prover result is: Valid. Categorizations of models: - Selected model 0: SW - Concrete RAC: NORMAL - Abstract RAC: FAILURE (loop invariant preservation at "bench/check-ce/while_mono.mlw", line 12, characters 16-36) - Checked model 1: SW - Concrete RAC: NORMAL - Abstract RAC: FAILURE (loop invariant preservation at "bench/check-ce/while_mono.mlw", line 12, characters 16-36) File "bench/check-ce/while_mono.mlw", line 12, characters 27-36: Sub-goal Loop invariant preservation of goal f'vc. Prover result is: Unknown (sat). The contracts of some function or loop are too weak, for example during the following execution: File int.mlw: Line 13: Constant zero initialization zero = 0 Line 14: Constant one initialization one = 1 File while_mono.mlw: Line 6: z = 0 z = 0 Execution of main function `f` with env: z = 0 zero = 0 one = 1 Line 7: Normal execution of function `t'mk` with args: c = 0 Line 8: Normal execution of function `t'mk` with args: c = 0 Line 9: Normal execution of function `t'mk` with args: c = 0 Line 10: Giant-step iteration of loop x1 = {c= (- 2)} x2 = {c= 0} i = {c= 0} Normal execution of function `c` with args: arg = {c= 0} Normal execution of function `(<)` with args: _ = 0 _ = 2 Normal iteration of loop Line 13: Normal execution of function `c` with args: arg = {c= 0} Normal execution of function `(=)` with args: x = 0 y = 0 Line 14: Normal execution of function `c` with args: arg = {c= (- 2)} Normal execution of function `(+)` with args: _ = (- 2) _ = 1 Line 17: Normal execution of function `c` with args: arg = {c= 0} Normal execution of function `(+)` with args: _ = 0 _ = 1 Line 12: Property failure at loop invariant preservation with: x1 = {c= (-1)} i = {c= 1} File "bench/check-ce/while_mono.mlw", line 11, characters 14-21: Sub-goal Loop variant decrease of goal f'vc. Prover result is: Valid. File "bench/check-ce/while_mono.mlw", line 12, characters 27-36: Sub-goal Loop invariant preservation of goal f'vc. Prover result is: Valid. why3-1.6.0/bench/check-ce/oracles/while_mono_CVC5,1.0.0_SP.oracle000066400000000000000000000042541440160026300237240ustar00rootroot00000000000000File "bench/check-ce/while_mono.mlw", line 12, characters 27-36: Sub-goal Loop invariant init of goal f'vc. Prover result is: Valid. File "bench/check-ce/while_mono.mlw", line 11, characters 14-21: Sub-goal Loop variant decrease of goal f'vc. Prover result is: Valid. Categorizations of models: - Selected model 0: SW - Concrete RAC: NORMAL - Abstract RAC: FAILURE (loop invariant preservation at "bench/check-ce/while_mono.mlw", line 12, characters 16-36) - Checked model 1: SW - Concrete RAC: NORMAL - Abstract RAC: FAILURE (loop invariant preservation at "bench/check-ce/while_mono.mlw", line 12, characters 16-36) File "bench/check-ce/while_mono.mlw", line 12, characters 27-36: Sub-goal Loop invariant preservation of goal f'vc. Prover result is: Unknown (sat). The contracts of some function or loop are too weak, for example during the following execution: File int.mlw: Line 13: Constant zero initialization zero = 0 Line 14: Constant one initialization one = 1 File while_mono.mlw: Line 6: z = 0 z = 0 Execution of main function `f` with env: z = 0 zero = 0 one = 1 Line 7: Normal execution of function `t'mk` with args: c = 0 Line 8: Normal execution of function `t'mk` with args: c = 0 Line 9: Normal execution of function `t'mk` with args: c = 0 Line 10: Giant-step iteration of loop x1 = {c= (- 2)} x2 = {c= 0} i = {c= 0} Normal execution of function `c` with args: arg = {c= 0} Normal execution of function `(<)` with args: _ = 0 _ = 2 Normal iteration of loop Line 13: Normal execution of function `c` with args: arg = {c= 0} Normal execution of function `(=)` with args: x = 0 y = 0 Line 14: Normal execution of function `c` with args: arg = {c= (- 2)} Normal execution of function `(+)` with args: _ = (- 2) _ = 1 Line 17: Normal execution of function `c` with args: arg = {c= 0} Normal execution of function `(+)` with args: _ = 0 _ = 1 Line 12: Property failure at loop invariant preservation with: x1 = {c= (-1)} i = {c= 1} why3-1.6.0/bench/check-ce/oracles/while_mono_CVC5,1.0.0_WP.oracle000066400000000000000000000047021440160026300237260ustar00rootroot00000000000000File "bench/check-ce/while_mono.mlw", line 12, characters 27-36: Sub-goal Loop invariant init of goal f'vc. Prover result is: Valid. File "bench/check-ce/while_mono.mlw", line 11, characters 14-21: Sub-goal Loop variant decrease of goal f'vc. Prover result is: Valid. Categorizations of models: - Selected model 0: SW - Concrete RAC: NORMAL - Abstract RAC: FAILURE (loop invariant preservation at "bench/check-ce/while_mono.mlw", line 12, characters 16-36) - Checked model 1: SW - Concrete RAC: NORMAL - Abstract RAC: FAILURE (loop invariant preservation at "bench/check-ce/while_mono.mlw", line 12, characters 16-36) File "bench/check-ce/while_mono.mlw", line 12, characters 27-36: Sub-goal Loop invariant preservation of goal f'vc. Prover result is: Unknown (sat). The contracts of some function or loop are too weak, for example during the following execution: File int.mlw: Line 13: Constant zero initialization zero = 0 Line 14: Constant one initialization one = 1 File while_mono.mlw: Line 6: z = 0 z = 0 Execution of main function `f` with env: z = 0 zero = 0 one = 1 Line 7: Normal execution of function `t'mk` with args: c = 0 Line 8: Normal execution of function `t'mk` with args: c = 0 Line 9: Normal execution of function `t'mk` with args: c = 0 Line 10: Giant-step iteration of loop x1 = {c= (- 2)} x2 = {c= 0} i = {c= 0} Normal execution of function `c` with args: arg = {c= 0} Normal execution of function `(<)` with args: _ = 0 _ = 2 Normal iteration of loop Line 13: Normal execution of function `c` with args: arg = {c= 0} Normal execution of function `(=)` with args: x = 0 y = 0 Line 14: Normal execution of function `c` with args: arg = {c= (- 2)} Normal execution of function `(+)` with args: _ = (- 2) _ = 1 Line 17: Normal execution of function `c` with args: arg = {c= 0} Normal execution of function `(+)` with args: _ = 0 _ = 1 Line 12: Property failure at loop invariant preservation with: x1 = {c= (-1)} i = {c= 1} File "bench/check-ce/while_mono.mlw", line 11, characters 14-21: Sub-goal Loop variant decrease of goal f'vc. Prover result is: Valid. File "bench/check-ce/while_mono.mlw", line 12, characters 27-36: Sub-goal Loop invariant preservation of goal f'vc. Prover result is: Valid. why3-1.6.0/bench/check-ce/oracles/while_mono_Z3,4.8.10_SP.oracle000066400000000000000000000042561440160026300236160ustar00rootroot00000000000000File "bench/check-ce/while_mono.mlw", line 12, characters 27-36: Sub-goal Loop invariant init of goal f'vc. Prover result is: Valid. File "bench/check-ce/while_mono.mlw", line 11, characters 14-21: Sub-goal Loop variant decrease of goal f'vc. Prover result is: Valid. Categorizations of models: - Selected model 0: SW - Concrete RAC: NORMAL - Abstract RAC: FAILURE (loop invariant preservation at "bench/check-ce/while_mono.mlw", line 12, characters 16-36) - Checked model 1: SW - Concrete RAC: NORMAL - Abstract RAC: FAILURE (loop invariant preservation at "bench/check-ce/while_mono.mlw", line 12, characters 16-36) File "bench/check-ce/while_mono.mlw", line 12, characters 27-36: Sub-goal Loop invariant preservation of goal f'vc. Prover result is: Unknown (sat). The contracts of some function or loop are too weak, for example during the following execution: File int.mlw: Line 13: Constant zero initialization zero = 0 Line 14: Constant one initialization one = 1 File while_mono.mlw: Line 6: z = 2 z = 2 Execution of main function `f` with env: z = 2 zero = 0 one = 1 Line 7: Normal execution of function `t'mk` with args: c = 2 Line 8: Normal execution of function `t'mk` with args: c = 0 Line 9: Normal execution of function `t'mk` with args: c = 0 Line 10: Giant-step iteration of loop x1 = {c= (- 2)} x2 = {c= 175} i = {c= 0} Normal execution of function `c` with args: arg = {c= 0} Normal execution of function `(<)` with args: _ = 0 _ = 2 Normal iteration of loop Line 13: Normal execution of function `c` with args: arg = {c= 0} Normal execution of function `(=)` with args: x = 0 y = 0 Line 14: Normal execution of function `c` with args: arg = {c= (- 2)} Normal execution of function `(+)` with args: _ = (- 2) _ = 1 Line 17: Normal execution of function `c` with args: arg = {c= 0} Normal execution of function `(+)` with args: _ = 0 _ = 1 Line 12: Property failure at loop invariant preservation with: x1 = {c= (-1)} i = {c= 1} why3-1.6.0/bench/check-ce/oracles/while_mono_Z3,4.8.10_WP.oracle000066400000000000000000000047021440160026300236160ustar00rootroot00000000000000File "bench/check-ce/while_mono.mlw", line 12, characters 27-36: Sub-goal Loop invariant init of goal f'vc. Prover result is: Valid. File "bench/check-ce/while_mono.mlw", line 11, characters 14-21: Sub-goal Loop variant decrease of goal f'vc. Prover result is: Valid. Categorizations of models: - Selected model 0: SW - Concrete RAC: NORMAL - Abstract RAC: FAILURE (loop invariant preservation at "bench/check-ce/while_mono.mlw", line 12, characters 16-36) - Checked model 1: SW - Concrete RAC: NORMAL - Abstract RAC: FAILURE (loop invariant preservation at "bench/check-ce/while_mono.mlw", line 12, characters 16-36) File "bench/check-ce/while_mono.mlw", line 12, characters 27-36: Sub-goal Loop invariant preservation of goal f'vc. Prover result is: Unknown (sat). The contracts of some function or loop are too weak, for example during the following execution: File int.mlw: Line 13: Constant zero initialization zero = 0 Line 14: Constant one initialization one = 1 File while_mono.mlw: Line 6: z = 2 z = 2 Execution of main function `f` with env: z = 2 zero = 0 one = 1 Line 7: Normal execution of function `t'mk` with args: c = 2 Line 8: Normal execution of function `t'mk` with args: c = 0 Line 9: Normal execution of function `t'mk` with args: c = 0 Line 10: Giant-step iteration of loop x1 = {c= (- 2)} x2 = {c= 0} i = {c= 0} Normal execution of function `c` with args: arg = {c= 0} Normal execution of function `(<)` with args: _ = 0 _ = 2 Normal iteration of loop Line 13: Normal execution of function `c` with args: arg = {c= 0} Normal execution of function `(=)` with args: x = 0 y = 0 Line 14: Normal execution of function `c` with args: arg = {c= (- 2)} Normal execution of function `(+)` with args: _ = (- 2) _ = 1 Line 17: Normal execution of function `c` with args: arg = {c= 0} Normal execution of function `(+)` with args: _ = 0 _ = 1 Line 12: Property failure at loop invariant preservation with: x1 = {c= (-1)} i = {c= 1} File "bench/check-ce/while_mono.mlw", line 11, characters 14-21: Sub-goal Loop variant decrease of goal f'vc. Prover result is: Valid. File "bench/check-ce/while_mono.mlw", line 12, characters 27-36: Sub-goal Loop invariant preservation of goal f'vc. Prover result is: Valid. why3-1.6.0/bench/check-ce/petiot2018/000077500000000000000000000000001440160026300167445ustar00rootroot00000000000000why3-1.6.0/bench/check-ce/petiot2018/binary_search.mlw000066400000000000000000000013541440160026300223010ustar00rootroot00000000000000use int.Int, int.ComputerDivision, lib.IntArray, lib.IntRef let binary_search (t: int_array) (x: int) : int requires P1 { 1 <= t.length <= 10000 } requires P2 { forall i j. 0 <= i < j < t.length -> t[i] <= t[j] } ensures Q1 { -1 <= result <= t.length - 1 } ensures Q2 { forall i. 0 <= i <= result -> t[i] <= x } ensures Q3 { forall i. result < i < t.length -> t[i] > x } = let l = int_ref (-1) in let r = int_ref (t.length-1) in while !l < !r do invariant I1 { -1 <= !l <= !r < t.length } invariant I2 { forall i. 0 <= i <= !l -> t[i] <= x } invariant I3 { forall i. !r < i < t.length -> t[i] > x } variant { !r - !l } let m = div (!l + !r + 1) 2 in if t[m] > x then r := m-1 else l := m done; !l why3-1.6.0/bench/check-ce/petiot2018/experiments.sh000077500000000000000000000136151440160026300216540ustar00rootroot00000000000000#!/usr/bin/env bash set -Eeuo pipefail # Replicate the experiments by Petiot (2018) using RAC execution of CEs. prover="cvc4" proverce="cvc4-ce" proverrac="cvc4" steps= why3="bin/why3" outbase="$(dirname $0)" libdir="$(dirname $0)" only="" updateoracle=false usage () { echo "Usage: $0 [--help] [--prover PROVER] [--ce-prover CE_PROVER] [--stepslimit STEPS] [--rac-prover RAC_PROVER] [--only PROGRAM] [--outdir OUTDIR] [--updateoracle]" (echo "PROVER is used to prove the unmodified programs (default:" echo "$prover), CE_PROVER is used to generate counterexamples in the" echo "modified programs (default: $proverce). STEPS is used as option" echo "--stepslimit for counterexample generation if non-empty (default:" echo "$steps). RAC_PROVER is used for option --prover-rac during CE checking" echo "(default: $proverrac). If --only PROGRAM is given only the experiments" echo "on that program are run. The modified programs and the output is" echo "stored in directory OUTDIR.") | fmt # The results reported in the F-IDE paper and report were generated with Z3: # $ experiments.sh --ce-prover Z3,4.8.4,counterexamples --rac-prover Z3,4.8.4 } while [ "$#" != 0 ]; do case "$1" in --prover) prover="$2" shift 2 ;; --ce-prover) proverce="$2" shift 2 ;; --stepslimit) steps="$2" shift 2 ;; --rac-prover) proverrac="$2" shift 2 ;; --only) only="$2" shift 2 ;; --outdir) outbase="$2" shift 2 ;; --updateoracle) updateoracle=true shift 1 ;; --help) usage exit 0 ;; *) echo "Unknown option: $1" usage exit 1 ;; esac done really () { [ -z "$only" -o "$only" = "$1" ] } # Clean experiment output clean () { sed 's/ ([0-9.]\+s, [0-9]\+ steps)\././' | \ sed -r 's/Valid \(.*$/Valid/' } # Run why3 prove with CE checking on sub-goal $1 in file $2 why3provece () { goal="$1" expfile="$2" command=("$why3" prove --library="$libdir" "$expfile" --apply-transform=split_vc --prover="$proverce" --timelimit=15 --check-ce --rac-prover="$proverrac" --sub-goal="$goal") [ -n "$steps" ] && command+=(--stepslimit="$steps") echo "${command[@]}" 2>&1 "${command[@]}" 2>&1 || [ $? -eq 2 ] } # Run an experiment with name $1. The program modifications are read from stdin. # Stdout and stderr of the calls to why3 goes to stdout and will be piped to # outfiles in under $outbase/, progress goes to stderr. echo "# Petiot (2018) experiments for prover $prover:" experiment () { experiment=$1 echo -n "Experiment $experiment:" >&2 echo "* Experiment $experiment" echo "** Original" prove_opts=(--apply-transform=split_vc --prover="$prover" --library="$libdir") $why3 prove "${prove_opts[@]}" "$libdir/$experiment.mlw" || echo "FAILED (retcode=$?): $why3 prove ${prove_opts[@]} $libdir/$experiment.mlw" >&2 mkdir -p "$outbase/experiments" while IFS=$'\t' read -r id lines mod goal; do echo -n " $id" >&2 name="$experiment-$id" expfile="$outbase/experiments/$name.mlw" echo "** $name" sedargs=() for line in $lines; do sedargs+=(-e "$line c $mod") done sed "${sedargs[@]}" "$libdir/$experiment.mlw" > "$expfile" why3provece "$goal" "$expfile" done echo >&2 } # Input is TSV with columns: ID, Line(s), Line replacement, Goal really isqrt && ( experiment isqrt | clean > "$outbase/isqrt.out" ) < n + 1 do :5@postcondition S7 12 (* empty *) :5@postcondition S8 19 !r - 1 :5@postcondition S9 14 variant { !r - n } :14@loop variant decrease S10 10 invariant I1 { !r <= n } :14@loop variant decrease EOF really binary_search && ( experiment binary_search | clean > "$outbase/binary_search.out" ) < "$outbase/rgf.out" ) < /dev/null; then pygmentize -ldiff else cat fi } success=true failed="" filebases=('binary_search' 'isqrt' 'rgf') for filebase in "${filebases[@]}"; do oracle_file="$outbase/oracles/${filebase}_${prover}.oracle" out_file="$outbase/${filebase}.out" str_oracle=$(tr -d ' \n' < "${oracle_file}") str_out=$(tr -d ' \n' < "${out_file}") printf "Check diffs for ${filebase}... " if [ "$str_oracle" = "$str_out" ] ; then echo "OK" else echo "FAILED!" if $updateoracle; then echo "Updating oracle for ${filebase}, prover ${prover}" echo mv "${out_file}" "${oracle_file}" mv "${out_file}" "${oracle_file}" else echo "diff is the following:" echo "$outbase/${filebase}" echo diff -u "${oracle_file}" "${out_file}" (diff -u "${oracle_file}" "${out_file}" || [ $? -eq 1 ])|colorize failed="$failed$filebase\n" success=false fi fi done if [ "$success" = true ]; then echo "experiments with prover $prover: success" exit 0 else printf "\nPetiot (2018) experiments with prover $prover: failed\n$failed\n" exit 1 fi why3-1.6.0/bench/check-ce/petiot2018/isqrt.mlw000066400000000000000000000007401440160026300206300ustar00rootroot00000000000000use int.Int, lib.IntRef let isqrt (n: int) requires { 0 <= n } (* <= 10000 *) ensures { result * result <= n < (result + 1) * (result + 1) } = let r = int_ref n in let y = int_ref (n * n) in let z = int_ref (-2 * n + 1) in while !y > n do invariant I1 { 0 <= !r <= n } invariant I2 { !y = !r * !r } invariant I3 { n < (!r+1) * (!r+1) } invariant I4 { !z = -2 * !r + 1 } variant { !r } y := !y + !z; z := !z + 2; r := !r - 1 done; !r why3-1.6.0/bench/check-ce/petiot2018/lib.mlw000066400000000000000000000024721440160026300202400ustar00rootroot00000000000000 (** An integer reference. Monomorphic (instead of ref.Ref) to get counterexamples *) module IntRef use int.Int type int_ref = { mutable contents: int } let int_ref (i: int) : int_ref ensures { result.contents = i } = { contents= i } let (:=) (r: int_ref) (i: int) : unit writes { r } ensures { r.contents = i } = r.contents <- i function (!) (r: int_ref) : int = r.contents let (!) (r: int_ref) : int ensures { result = r.contents } = r.contents end (** An integer array. Monomorphic (instead of array.Array) to get counterexamples, implemented for the concrete execution. *) module IntArray use int.Int use map.Map type int_array = { length: int; mutable elts: int -> int } (* invariant { 0 <= length } *) function ([]) (a: int_array) (i: int) : int = a.elts i function make (l: int) (v: int) : int_array = {length= l; elts= fun _ -> v} let ([]) (a: int_array) (i: int) : int requires { [@expl:index in array bounds] 0 <= i < a.length } ensures { result = Map.get a.elts i } = a.elts i let ([]<-) (a: int_array) (i: int) (v: int) : unit writes { a.elts } requires { [@expl:index in array bounds] 0 <= i < a.length } ensures { a.elts = Map.set (old a).elts i v } = a.elts <- let elts = a.elts in (fun j -> if j = i then v else elts j) end why3-1.6.0/bench/check-ce/petiot2018/oracles/000077500000000000000000000000001440160026300203745ustar00rootroot00000000000000why3-1.6.0/bench/check-ce/petiot2018/oracles/binary_search_CVC4,1.7.oracle000066400000000000000000000503621440160026300254630ustar00rootroot00000000000000* Experiment binary_search ** Original File "bench/check-ce/petiot2018/binary_search.mlw", line 12, characters 19-44: Sub-goal Loop invariant init of goal binary_search'vc. Prover result is: Valid. File "bench/check-ce/petiot2018/binary_search.mlw", line 13, characters 45-54: Sub-goal Loop invariant init of goal binary_search'vc. Prover result is: Valid. File "bench/check-ce/petiot2018/binary_search.mlw", line 14, characters 50-58: Sub-goal Loop invariant init of goal binary_search'vc. Prover result is: Valid. File "bench/check-ce/petiot2018/binary_search.mlw", line 16, characters 12-31: Sub-goal Precondition of goal binary_search'vc. Prover result is: Valid. File "bench/check-ce/petiot2018/binary_search.mlw", line 17, characters 7-11: Sub-goal Index in array bounds of goal binary_search'vc. Prover result is: Valid. File "bench/check-ce/petiot2018/binary_search.mlw", line 15, characters 14-21: Sub-goal Loop variant decrease of goal binary_search'vc. Prover result is: Valid. File "bench/check-ce/petiot2018/binary_search.mlw", line 12, characters 19-44: Sub-goal Loop invariant preservation of goal binary_search'vc. Prover result is: Valid. File "bench/check-ce/petiot2018/binary_search.mlw", line 13, characters 45-54: Sub-goal Loop invariant preservation of goal binary_search'vc. Prover result is: Valid. File "bench/check-ce/petiot2018/binary_search.mlw", line 14, characters 50-58: Sub-goal Loop invariant preservation of goal binary_search'vc. Prover result is: Valid. File "bench/check-ce/petiot2018/binary_search.mlw", line 15, characters 14-21: Sub-goal Loop variant decrease of goal binary_search'vc. Prover result is: Valid. File "bench/check-ce/petiot2018/binary_search.mlw", line 12, characters 19-44: Sub-goal Loop invariant preservation of goal binary_search'vc. Prover result is: Valid. File "bench/check-ce/petiot2018/binary_search.mlw", line 13, characters 45-54: Sub-goal Loop invariant preservation of goal binary_search'vc. Prover result is: Valid. File "bench/check-ce/petiot2018/binary_search.mlw", line 14, characters 50-58: Sub-goal Loop invariant preservation of goal binary_search'vc. Prover result is: Valid. File "bench/check-ce/petiot2018/binary_search.mlw", line 6, characters 15-43: Sub-goal Postcondition of goal binary_search'vc. Prover result is: Valid. File "bench/check-ce/petiot2018/binary_search.mlw", line 7, characters 45-54: Sub-goal Postcondition of goal binary_search'vc. Prover result is: Valid. File "bench/check-ce/petiot2018/binary_search.mlw", line 8, characters 50-58: Sub-goal Postcondition of goal binary_search'vc. Prover result is: Valid. ** binary_search-B1 bin/why3 prove --library=bench/check-ce/petiot2018 bench/check-ce/petiot2018/experiments/binary_search-B1.mlw --apply-transform=split_vc --prover=CVC4,1.7,counterexamples --timelimit=15 --check-ce --rac-prover=CVC4,1.7 --sub-goal=:15@loop variant decrease --stepslimit=10000 File "bench/check-ce/petiot2018/experiments/binary_search-B1.mlw", line 15, characters 10-23: Sub-goal Loop variant decrease of goal binary_search'vc. Prover result is: Step limit exceeded. The program does not comply to the verification goal, for example during the following execution: File binary_search-B1.mlw: Line 3: Execution of main function `binary_search` with env: t = {length= 2; elts= [|; _ -> 0|]} x = (-1) zero = 0 one = 1 Line 9: Normal execution of function `int_ref` with args: i = (-1) File lib.mlw: Line 12: Normal execution of function `int_ref'mk` with args: contents = (-1) File binary_search-B1.mlw: Line 10: Normal execution of function `length` with args: arg = {length= 2; elts= [|; _ -> 0|]} Normal execution of function `(-)` with args: x = 2 y = 1 File int.mlw: Line 23: Normal execution of function `(-_)` with args: _ = 1 Normal execution of function `(+)` with args: _ = 2 _ = (-1) File binary_search-B1.mlw: Line 10: Normal execution of function `int_ref` with args: i = 1 File lib.mlw: Line 12: Normal execution of function `int_ref'mk` with args: contents = 1 File binary_search-B1.mlw: Line 11: Normal execution of function `(!)` with args: r = {contents= 1} File lib.mlw: Line 23: Normal execution of function `contents` with args: arg = {contents= 1} File binary_search-B1.mlw: Line 11: Normal execution of function `(!)` with args: r = {contents= (-1)} File lib.mlw: Line 23: Normal execution of function `contents` with args: arg = {contents= (-1)} File binary_search-B1.mlw: Line 11: Normal execution of function `(<)` with args: _ = (-1) _ = 1 Normal iteration of loop Line 16: Normal execution of function `(!)` with args: r = {contents= 1} File lib.mlw: Line 23: Normal execution of function `contents` with args: arg = {contents= 1} File binary_search-B1.mlw: Line 16: Normal execution of function `(!)` with args: r = {contents= (-1)} File lib.mlw: Line 23: Normal execution of function `contents` with args: arg = {contents= (-1)} File binary_search-B1.mlw: Line 16: Normal execution of function `(+)` with args: _ = (-1) _ = 1 Normal execution of function `(+)` with args: _ = 0 _ = 1 Normal execution of function `div` with args: x = 1 y = 2 Line 17: Normal execution of function `([])` with args: a = {length= 2; elts= [|; _ -> 0|]} i = 0 File lib.mlw: Line 43: Normal execution of function `elts` with args: arg = {length= 2; elts= [|; _ -> 0|]} Normal execution of function `(@)` with args: u = [|; _ -> 0|] u = 0 File binary_search-B1.mlw: Line 17: Normal execution of function `(>)` with args: x = 0 y = (-1) Line 18: Normal execution of function `(-)` with args: x = 0 y = 1 File int.mlw: Line 23: Normal execution of function `(-_)` with args: _ = 1 Normal execution of function `(+)` with args: _ = 0 _ = (-1) File binary_search-B1.mlw: Line 18: Normal execution of function `(:=)` with args: r = {contents= 1} i = (-1) Line 15: Property failure at loop variant decrease with: t = {length= 2; elts= [|; _ -> 0|]} r = {contents= (-1)} r = {contents= 1} t = {length= 2; elts= [|; _ -> 0|]} File "bench/check-ce/petiot2018/experiments/binary_search-B1.mlw", line 15, characters 10-23: Sub-goal Loop variant decrease of goal binary_search'vc. Prover result is: Step limit exceeded. The program does not comply to the verification goal, for example during the following execution: File binary_search-B1.mlw: Line 3: Execution of main function `binary_search` with env: t = {length= 2; elts= [|; _ -> 0|]} x = 0 zero = 0 one = 1 Line 9: Normal execution of function `int_ref` with args: i = (-1) File lib.mlw: Line 12: Normal execution of function `int_ref'mk` with args: contents = (-1) File binary_search-B1.mlw: Line 10: Normal execution of function `length` with args: arg = {length= 2; elts= [|; _ -> 0|]} Normal execution of function `(-)` with args: x = 2 y = 1 File int.mlw: Line 23: Normal execution of function `(-_)` with args: _ = 1 Normal execution of function `(+)` with args: _ = 2 _ = (-1) File binary_search-B1.mlw: Line 10: Normal execution of function `int_ref` with args: i = 1 File lib.mlw: Line 12: Normal execution of function `int_ref'mk` with args: contents = 1 File binary_search-B1.mlw: Line 11: Normal execution of function `(!)` with args: r = {contents= 1} File lib.mlw: Line 23: Normal execution of function `contents` with args: arg = {contents= 1} File binary_search-B1.mlw: Line 11: Normal execution of function `(!)` with args: r = {contents= (-1)} File lib.mlw: Line 23: Normal execution of function `contents` with args: arg = {contents= (-1)} File binary_search-B1.mlw: Line 11: Normal execution of function `(<)` with args: _ = (-1) _ = 1 Normal iteration of loop Line 16: Normal execution of function `(!)` with args: r = {contents= 1} File lib.mlw: Line 23: Normal execution of function `contents` with args: arg = {contents= 1} File binary_search-B1.mlw: Line 16: Normal execution of function `(!)` with args: r = {contents= (-1)} File lib.mlw: Line 23: Normal execution of function `contents` with args: arg = {contents= (-1)} File binary_search-B1.mlw: Line 16: Normal execution of function `(+)` with args: _ = (-1) _ = 1 Normal execution of function `(+)` with args: _ = 0 _ = 1 Normal execution of function `div` with args: x = 1 y = 2 Line 17: Normal execution of function `([])` with args: a = {length= 2; elts= [|; _ -> 0|]} i = 0 File lib.mlw: Line 43: Normal execution of function `elts` with args: arg = {length= 2; elts= [|; _ -> 0|]} Normal execution of function `(@)` with args: u = [|; _ -> 0|] u = 0 File binary_search-B1.mlw: Line 17: Normal execution of function `(>)` with args: x = 0 y = 0 Line 19: Normal execution of function `(:=)` with args: r = {contents= (-1)} i = 0 Line 15: Property failure at loop variant decrease with: t = {length= 2; elts= [|; _ -> 0|]} r = {contents= 1} r = {contents= 1} t = {length= 2; elts= [|; _ -> 0|]} ** binary_search-B2 bin/why3 prove --library=bench/check-ce/petiot2018 bench/check-ce/petiot2018/experiments/binary_search-B2.mlw --apply-transform=split_vc --prover=CVC4,1.7,counterexamples --timelimit=15 --check-ce --rac-prover=CVC4,1.7 --sub-goal=:15@loop variant decrease --stepslimit=10000 File "bench/check-ce/petiot2018/experiments/binary_search-B2.mlw", line 15, characters 14-21: Sub-goal Loop variant decrease of goal binary_search'vc. Prover result is: Valid. File "bench/check-ce/petiot2018/experiments/binary_search-B2.mlw", line 15, characters 14-21: Sub-goal Loop variant decrease of goal binary_search'vc. Prover result is: Unknown (unknown + incomplete). The program does not comply to the verification goal, for example during the following execution: File binary_search-B2.mlw: Line 3: Execution of main function `binary_search` with env: t = {length= 2; elts= [|; _ -> 0|]} x = 0 zero = 0 one = 1 Line 9: Normal execution of function `int_ref` with args: i = (-1) File lib.mlw: Line 12: Normal execution of function `int_ref'mk` with args: contents = (-1) File binary_search-B2.mlw: Line 10: Normal execution of function `length` with args: arg = {length= 2; elts= [|; _ -> 0|]} Normal execution of function `(-)` with args: x = 2 y = 1 File int.mlw: Line 23: Normal execution of function `(-_)` with args: _ = 1 Normal execution of function `(+)` with args: _ = 2 _ = (-1) File binary_search-B2.mlw: Line 10: Normal execution of function `int_ref` with args: i = 1 File lib.mlw: Line 12: Normal execution of function `int_ref'mk` with args: contents = 1 File binary_search-B2.mlw: Line 11: Normal execution of function `(!)` with args: r = {contents= 1} File lib.mlw: Line 23: Normal execution of function `contents` with args: arg = {contents= 1} File binary_search-B2.mlw: Line 11: Normal execution of function `(!)` with args: r = {contents= (-1)} File lib.mlw: Line 23: Normal execution of function `contents` with args: arg = {contents= (-1)} File binary_search-B2.mlw: Line 11: Normal execution of function `(<)` with args: _ = (-1) _ = 1 Normal iteration of loop Line 16: Normal execution of function `(!)` with args: r = {contents= 1} File lib.mlw: Line 23: Normal execution of function `contents` with args: arg = {contents= 1} File binary_search-B2.mlw: Line 16: Normal execution of function `(!)` with args: r = {contents= (-1)} File lib.mlw: Line 23: Normal execution of function `contents` with args: arg = {contents= (-1)} File binary_search-B2.mlw: Line 16: Normal execution of function `(+)` with args: _ = (-1) _ = 1 Normal execution of function `div` with args: x = 0 y = 2 Line 17: Normal execution of function `([])` with args: a = {length= 2; elts= [|; _ -> 0|]} i = 0 File lib.mlw: Line 43: Normal execution of function `elts` with args: arg = {length= 2; elts= [|; _ -> 0|]} Normal execution of function `(@)` with args: u = [|; _ -> 0|] u = 0 File binary_search-B2.mlw: Line 17: Normal execution of function `(>)` with args: x = 0 y = 0 Line 19: Normal execution of function `(:=)` with args: r = {contents= (-1)} i = 0 Line 11: Normal execution of function `(!)` with args: r = {contents= 1} File lib.mlw: Line 23: Normal execution of function `contents` with args: arg = {contents= 1} File binary_search-B2.mlw: Line 11: Normal execution of function `(!)` with args: r = {contents= 0} File lib.mlw: Line 23: Normal execution of function `contents` with args: arg = {contents= 0} File binary_search-B2.mlw: Line 11: Normal execution of function `(<)` with args: _ = 0 _ = 1 Normal iteration of loop Line 16: Normal execution of function `(!)` with args: r = {contents= 1} File lib.mlw: Line 23: Normal execution of function `contents` with args: arg = {contents= 1} File binary_search-B2.mlw: Line 16: Normal execution of function `(!)` with args: r = {contents= 0} File lib.mlw: Line 23: Normal execution of function `contents` with args: arg = {contents= 0} File binary_search-B2.mlw: Line 16: Normal execution of function `(+)` with args: _ = 0 _ = 1 Normal execution of function `div` with args: x = 1 y = 2 Line 17: Normal execution of function `([])` with args: a = {length= 2; elts= [|; _ -> 0|]} i = 0 File lib.mlw: Line 43: Normal execution of function `elts` with args: arg = {length= 2; elts= [|; _ -> 0|]} Normal execution of function `(@)` with args: u = [|; _ -> 0|] u = 0 File binary_search-B2.mlw: Line 17: Normal execution of function `(>)` with args: x = 0 y = 0 Line 19: Normal execution of function `(:=)` with args: r = {contents= 0} i = 0 Line 15: Property failure at loop variant decrease with: l = {contents= 0} r = {contents= 1} r = {contents= 1} l = {contents= 0} ** binary_search-B3 bin/why3 prove --library=bench/check-ce/petiot2018 bench/check-ce/petiot2018/experiments/binary_search-B3.mlw --apply-transform=split_vc --prover=CVC4,1.7,counterexamples --timelimit=15 --check-ce --rac-prover=CVC4,1.7 --sub-goal=:14@loop invariant preservation --stepslimit=10000 File "bench/check-ce/petiot2018/experiments/binary_search-B3.mlw", line 14, characters 50-58: Sub-goal Loop invariant preservation of goal binary_search'vc. Prover result is: Step limit exceeded. The program does not comply to the verification goal, for example during the following execution: File binary_search-B3.mlw: Line 3: Execution of main function `binary_search` with env: t = {length= 3; elts= [|1 -> 1; _ -> 0|]} x = 0 zero = 0 one = 1 Line 9: Normal execution of function `int_ref` with args: i = (-1) File lib.mlw: Line 12: Normal execution of function `int_ref'mk` with args: contents = (-1) File binary_search-B3.mlw: Line 10: Normal execution of function `length` with args: arg = {length= 3; elts= [|1 -> 1; _ -> 0|]} Normal execution of function `(-)` with args: x = 3 y = 1 File int.mlw: Line 23: Normal execution of function `(-_)` with args: _ = 1 Normal execution of function `(+)` with args: _ = 3 _ = (-1) File binary_search-B3.mlw: Line 10: Normal execution of function `int_ref` with args: i = 2 File lib.mlw: Line 12: Normal execution of function `int_ref'mk` with args: contents = 2 File binary_search-B3.mlw: Line 11: Normal execution of function `(!)` with args: r = {contents= 2} File lib.mlw: Line 23: Normal execution of function `contents` with args: arg = {contents= 2} File binary_search-B3.mlw: Line 11: Normal execution of function `(!)` with args: r = {contents= (-1)} File lib.mlw: Line 23: Normal execution of function `contents` with args: arg = {contents= (-1)} File binary_search-B3.mlw: Line 11: Normal execution of function `(<)` with args: _ = (-1) _ = 2 Normal iteration of loop Line 16: Normal execution of function `(!)` with args: r = {contents= 2} File lib.mlw: Line 23: Normal execution of function `contents` with args: arg = {contents= 2} File binary_search-B3.mlw: Line 16: Normal execution of function `(!)` with args: r = {contents= (-1)} File lib.mlw: Line 23: Normal execution of function `contents` with args: arg = {contents= (-1)} File binary_search-B3.mlw: Line 16: Normal execution of function `(+)` with args: _ = (-1) _ = 2 Normal execution of function `(+)` with args: _ = 1 _ = 1 Normal execution of function `div` with args: x = 2 y = 2 Line 17: Normal execution of function `([])` with args: a = {length= 3; elts= [|1 -> 1; _ -> 0|]} i = 1 File lib.mlw: Line 43: Normal execution of function `elts` with args: arg = {length= 3; elts= [|1 -> 1; _ -> 0|]} Normal execution of function `(@)` with args: u = [|1 -> 1; _ -> 0|] u = 1 File binary_search-B3.mlw: Line 17: Normal execution of function `(>)` with args: x = 1 y = 0 Line 18: Normal execution of function `(-)` with args: x = 1 y = 1 File int.mlw: Line 23: Normal execution of function `(-_)` with args: _ = 1 Normal execution of function `(+)` with args: _ = 1 _ = (-1) File binary_search-B3.mlw: Line 18: Normal execution of function `(:=)` with args: r = {contents= 2} i = 0 Line 14: Property failure at loop invariant preservation with: t = {length= 3; elts= [|1 -> 1; _ -> 0|]} x = 0 r = {contents= 0} File "bench/check-ce/petiot2018/experiments/binary_search-B3.mlw", line 14, characters 50-58: Sub-goal Loop invariant preservation of goal binary_search'vc. Prover result is: Valid. ** binary_search-B4 bin/why3 prove --library=bench/check-ce/petiot2018 bench/check-ce/petiot2018/experiments/binary_search-B4.mlw --apply-transform=split_vc --prover=CVC4,1.7,counterexamples --timelimit=15 --check-ce --rac-prover=CVC4,1.7 --sub-goal=:8@postcondition --stepslimit=10000 File "bench/check-ce/petiot2018/experiments/binary_search-B4.mlw", line 8, characters 50-58: Sub-goal Postcondition of goal binary_search'vc. Prover result is: Unknown (unknown + incomplete). The contracts of some function or loop are too weak, for example during the following execution: File binary_search-B4.mlw: Line 3: Execution of main function `binary_search` with env: t = {length= 2; elts= [|; _ -> 0|]} x = 0 zero = 0 one = 1 Line 9: Giant-step execution of function `int_ref` with args: i = (-1) result of `int_ref` = {contents= (-1)} Line 10: Normal execution of function `length` with args: arg = {length= 2; elts= [|; _ -> 0|]} Giant-step execution of function `(-)` with args: x = 2 y = 1 result of `(-)` = 1 Giant-step execution of function `int_ref` with args: i = 1 result of `int_ref` = {contents= 1} Line 11: Giant-step iteration of loop l = {contents= 0} r = {contents= 0} Giant-step execution of function `(!)` with args: r = {contents= 0} result of `(!)` = 0 Giant-step execution of function `(!)` with args: r = {contents= 0} result of `(!)` = 0 Normal execution of function `(<)` with args: _ = 0 _ = 0 Line 21: Giant-step execution of function `(!)` with args: r = {contents= 0} result of `(!)` = 0 Line 8: Property failure at postcondition of `binary_search` with: t = {length= 2; elts= [|; _ -> 0|]} x = 0 result = 0 why3-1.6.0/bench/check-ce/petiot2018/oracles/binary_search_CVC4,1.8.oracle000066400000000000000000000517701440160026300254700ustar00rootroot00000000000000* Experiment binary_search ** Original File "bench/check-ce/petiot2018/binary_search.mlw", line 12, characters 19-44: Sub-goal Loop invariant init of goal binary_search'vc. Prover result is: Valid. File "bench/check-ce/petiot2018/binary_search.mlw", line 13, characters 45-54: Sub-goal Loop invariant init of goal binary_search'vc. Prover result is: Valid. File "bench/check-ce/petiot2018/binary_search.mlw", line 14, characters 50-58: Sub-goal Loop invariant init of goal binary_search'vc. Prover result is: Valid. File "bench/check-ce/petiot2018/binary_search.mlw", line 16, characters 12-31: Sub-goal Precondition of goal binary_search'vc. Prover result is: Valid. File "bench/check-ce/petiot2018/binary_search.mlw", line 17, characters 7-11: Sub-goal Index in array bounds of goal binary_search'vc. Prover result is: Valid. File "bench/check-ce/petiot2018/binary_search.mlw", line 15, characters 14-21: Sub-goal Loop variant decrease of goal binary_search'vc. Prover result is: Valid. File "bench/check-ce/petiot2018/binary_search.mlw", line 12, characters 19-44: Sub-goal Loop invariant preservation of goal binary_search'vc. Prover result is: Valid. File "bench/check-ce/petiot2018/binary_search.mlw", line 13, characters 45-54: Sub-goal Loop invariant preservation of goal binary_search'vc. Prover result is: Valid. File "bench/check-ce/petiot2018/binary_search.mlw", line 14, characters 50-58: Sub-goal Loop invariant preservation of goal binary_search'vc. Prover result is: Valid. File "bench/check-ce/petiot2018/binary_search.mlw", line 15, characters 14-21: Sub-goal Loop variant decrease of goal binary_search'vc. Prover result is: Valid. File "bench/check-ce/petiot2018/binary_search.mlw", line 12, characters 19-44: Sub-goal Loop invariant preservation of goal binary_search'vc. Prover result is: Valid. File "bench/check-ce/petiot2018/binary_search.mlw", line 13, characters 45-54: Sub-goal Loop invariant preservation of goal binary_search'vc. Prover result is: Valid. File "bench/check-ce/petiot2018/binary_search.mlw", line 14, characters 50-58: Sub-goal Loop invariant preservation of goal binary_search'vc. Prover result is: Valid. File "bench/check-ce/petiot2018/binary_search.mlw", line 6, characters 15-43: Sub-goal Postcondition of goal binary_search'vc. Prover result is: Valid. File "bench/check-ce/petiot2018/binary_search.mlw", line 7, characters 45-54: Sub-goal Postcondition of goal binary_search'vc. Prover result is: Valid. File "bench/check-ce/petiot2018/binary_search.mlw", line 8, characters 50-58: Sub-goal Postcondition of goal binary_search'vc. Prover result is: Valid. ** binary_search-B1 bin/why3 prove --library=bench/check-ce/petiot2018 bench/check-ce/petiot2018/experiments/binary_search-B1.mlw --apply-transform=split_vc --prover=CVC4,1.8,counterexamples --timelimit=15 --check-ce --rac-prover=CVC4,1.8 --sub-goal=:15@loop variant decrease --stepslimit=10000 File "bench/check-ce/petiot2018/experiments/binary_search-B1.mlw", line 15, characters 10-23: Sub-goal Loop variant decrease of goal binary_search'vc. Prover result is: Step limit exceeded. The program does not comply to the verification goal, for example during the following execution: File binary_search-B1.mlw: Line 3: Execution of main function `binary_search` with env: div = fun (bOUND_VARIABLE_825:int) (bOUND_VARIABLE_826:int) -> 0 mod = fun (bOUND_VARIABLE_825:int) (bOUND_VARIABLE_826:int) -> 0 t = {length= 2; elts= fun (x:int) -> 0} x = (- 1) zero = 0 one = 1 Line 9: Normal execution of function `int_ref` with args: i = (-1) File lib.mlw: Line 12: Normal execution of function `int_ref'mk` with args: contents = (-1) File binary_search-B1.mlw: Line 10: Normal execution of function `length` with args: arg = {length= 2; elts= fun (x:int) -> 0} Normal execution of function `(-)` with args: x = 2 y = 1 File int.mlw: Line 23: Normal execution of function `(-_)` with args: _ = 1 Normal execution of function `(+)` with args: _ = 2 _ = (-1) File binary_search-B1.mlw: Line 10: Normal execution of function `int_ref` with args: i = 1 File lib.mlw: Line 12: Normal execution of function `int_ref'mk` with args: contents = 1 File binary_search-B1.mlw: Line 11: Normal execution of function `(!)` with args: r = {contents= 1} File lib.mlw: Line 23: Normal execution of function `contents` with args: arg = {contents= 1} File binary_search-B1.mlw: Line 11: Normal execution of function `(!)` with args: r = {contents= (-1)} File lib.mlw: Line 23: Normal execution of function `contents` with args: arg = {contents= (-1)} File binary_search-B1.mlw: Line 11: Normal execution of function `(<)` with args: _ = (-1) _ = 1 Normal iteration of loop Line 16: Normal execution of function `(!)` with args: r = {contents= 1} File lib.mlw: Line 23: Normal execution of function `contents` with args: arg = {contents= 1} File binary_search-B1.mlw: Line 16: Normal execution of function `(!)` with args: r = {contents= (-1)} File lib.mlw: Line 23: Normal execution of function `contents` with args: arg = {contents= (-1)} File binary_search-B1.mlw: Line 16: Normal execution of function `(+)` with args: _ = (-1) _ = 1 Normal execution of function `(+)` with args: _ = 0 _ = 1 Normal execution of function `div` with args: x = 1 y = 2 Line 17: Normal execution of function `([])` with args: a = {length= 2; elts= fun (x:int) -> 0} i = 0 File lib.mlw: Line 43: Normal execution of function `elts` with args: arg = {length= 2; elts= fun (x:int) -> 0} Normal execution of function `(@)` with args: u = fun (x:int) -> 0 u = 0 File binary_search-B1.mlw: Line 17: Normal execution of function `(>)` with args: x = 0 y = (- 1) Line 18: Normal execution of function `(-)` with args: x = 0 y = 1 File int.mlw: Line 23: Normal execution of function `(-_)` with args: _ = 1 Normal execution of function `(+)` with args: _ = 0 _ = (-1) File binary_search-B1.mlw: Line 18: Normal execution of function `(:=)` with args: r = {contents= 1} i = (-1) Line 15: Property failure at loop variant decrease with: t = {length= 2; elts= fun (x:int) -> 0} r = {contents= (-1)} r = {contents= 1} t = {length= 2; elts= fun (x:int) -> 0} File "bench/check-ce/petiot2018/experiments/binary_search-B1.mlw", line 15, characters 10-23: Sub-goal Loop variant decrease of goal binary_search'vc. Prover result is: Step limit exceeded. The program does not comply to the verification goal, for example during the following execution: File binary_search-B1.mlw: Line 3: Execution of main function `binary_search` with env: div = fun (bOUND_VARIABLE_741:int) (bOUND_VARIABLE_742:int) -> 0 mod = fun (bOUND_VARIABLE_741:int) (bOUND_VARIABLE_742:int) -> 0 t = {length= 2; elts= fun (x:int) -> 0} x = 0 zero = 0 one = 1 Line 9: Normal execution of function `int_ref` with args: i = (-1) File lib.mlw: Line 12: Normal execution of function `int_ref'mk` with args: contents = (-1) File binary_search-B1.mlw: Line 10: Normal execution of function `length` with args: arg = {length= 2; elts= fun (x:int) -> 0} Normal execution of function `(-)` with args: x = 2 y = 1 File int.mlw: Line 23: Normal execution of function `(-_)` with args: _ = 1 Normal execution of function `(+)` with args: _ = 2 _ = (-1) File binary_search-B1.mlw: Line 10: Normal execution of function `int_ref` with args: i = 1 File lib.mlw: Line 12: Normal execution of function `int_ref'mk` with args: contents = 1 File binary_search-B1.mlw: Line 11: Normal execution of function `(!)` with args: r = {contents= 1} File lib.mlw: Line 23: Normal execution of function `contents` with args: arg = {contents= 1} File binary_search-B1.mlw: Line 11: Normal execution of function `(!)` with args: r = {contents= (-1)} File lib.mlw: Line 23: Normal execution of function `contents` with args: arg = {contents= (-1)} File binary_search-B1.mlw: Line 11: Normal execution of function `(<)` with args: _ = (-1) _ = 1 Normal iteration of loop Line 16: Normal execution of function `(!)` with args: r = {contents= 1} File lib.mlw: Line 23: Normal execution of function `contents` with args: arg = {contents= 1} File binary_search-B1.mlw: Line 16: Normal execution of function `(!)` with args: r = {contents= (-1)} File lib.mlw: Line 23: Normal execution of function `contents` with args: arg = {contents= (-1)} File binary_search-B1.mlw: Line 16: Normal execution of function `(+)` with args: _ = (-1) _ = 1 Normal execution of function `(+)` with args: _ = 0 _ = 1 Normal execution of function `div` with args: x = 1 y = 2 Line 17: Normal execution of function `([])` with args: a = {length= 2; elts= fun (x:int) -> 0} i = 0 File lib.mlw: Line 43: Normal execution of function `elts` with args: arg = {length= 2; elts= fun (x:int) -> 0} Normal execution of function `(@)` with args: u = fun (x:int) -> 0 u = 0 File binary_search-B1.mlw: Line 17: Normal execution of function `(>)` with args: x = 0 y = 0 Line 19: Normal execution of function `(:=)` with args: r = {contents= (-1)} i = 0 Line 15: Property failure at loop variant decrease with: t = {length= 2; elts= fun (x:int) -> 0} r = {contents= 1} r = {contents= 1} t = {length= 2; elts= fun (x:int) -> 0} ** binary_search-B2 bin/why3 prove --library=bench/check-ce/petiot2018 bench/check-ce/petiot2018/experiments/binary_search-B2.mlw --apply-transform=split_vc --prover=CVC4,1.8,counterexamples --timelimit=15 --check-ce --rac-prover=CVC4,1.8 --sub-goal=:15@loop variant decrease --stepslimit=10000 File "bench/check-ce/petiot2018/experiments/binary_search-B2.mlw", line 15, characters 14-21: Sub-goal Loop variant decrease of goal binary_search'vc. Prover result is: Valid. File "bench/check-ce/petiot2018/experiments/binary_search-B2.mlw", line 15, characters 14-21: Sub-goal Loop variant decrease of goal binary_search'vc. Prover result is: Step limit exceeded. The program does not comply to the verification goal, for example during the following execution: File binary_search-B2.mlw: Line 3: Execution of main function `binary_search` with env: div = fun (bOUND_VARIABLE_715:int) (bOUND_VARIABLE_716:int) -> 0 mod = fun (bOUND_VARIABLE_715:int) (bOUND_VARIABLE_716:int) -> 0 t = {length= 2; elts= fun (x:int) -> 0} x = 0 zero = 0 one = 1 Line 9: Normal execution of function `int_ref` with args: i = (-1) File lib.mlw: Line 12: Normal execution of function `int_ref'mk` with args: contents = (-1) File binary_search-B2.mlw: Line 10: Normal execution of function `length` with args: arg = {length= 2; elts= fun (x:int) -> 0} Normal execution of function `(-)` with args: x = 2 y = 1 File int.mlw: Line 23: Normal execution of function `(-_)` with args: _ = 1 Normal execution of function `(+)` with args: _ = 2 _ = (-1) File binary_search-B2.mlw: Line 10: Normal execution of function `int_ref` with args: i = 1 File lib.mlw: Line 12: Normal execution of function `int_ref'mk` with args: contents = 1 File binary_search-B2.mlw: Line 11: Normal execution of function `(!)` with args: r = {contents= 1} File lib.mlw: Line 23: Normal execution of function `contents` with args: arg = {contents= 1} File binary_search-B2.mlw: Line 11: Normal execution of function `(!)` with args: r = {contents= (-1)} File lib.mlw: Line 23: Normal execution of function `contents` with args: arg = {contents= (-1)} File binary_search-B2.mlw: Line 11: Normal execution of function `(<)` with args: _ = (-1) _ = 1 Normal iteration of loop Line 16: Normal execution of function `(!)` with args: r = {contents= 1} File lib.mlw: Line 23: Normal execution of function `contents` with args: arg = {contents= 1} File binary_search-B2.mlw: Line 16: Normal execution of function `(!)` with args: r = {contents= (-1)} File lib.mlw: Line 23: Normal execution of function `contents` with args: arg = {contents= (-1)} File binary_search-B2.mlw: Line 16: Normal execution of function `(+)` with args: _ = (-1) _ = 1 Normal execution of function `div` with args: x = 0 y = 2 Line 17: Normal execution of function `([])` with args: a = {length= 2; elts= fun (x:int) -> 0} i = 0 File lib.mlw: Line 43: Normal execution of function `elts` with args: arg = {length= 2; elts= fun (x:int) -> 0} Normal execution of function `(@)` with args: u = fun (x:int) -> 0 u = 0 File binary_search-B2.mlw: Line 17: Normal execution of function `(>)` with args: x = 0 y = 0 Line 19: Normal execution of function `(:=)` with args: r = {contents= (-1)} i = 0 Line 11: Normal execution of function `(!)` with args: r = {contents= 1} File lib.mlw: Line 23: Normal execution of function `contents` with args: arg = {contents= 1} File binary_search-B2.mlw: Line 11: Normal execution of function `(!)` with args: r = {contents= 0} File lib.mlw: Line 23: Normal execution of function `contents` with args: arg = {contents= 0} File binary_search-B2.mlw: Line 11: Normal execution of function `(<)` with args: _ = 0 _ = 1 Normal iteration of loop Line 16: Normal execution of function `(!)` with args: r = {contents= 1} File lib.mlw: Line 23: Normal execution of function `contents` with args: arg = {contents= 1} File binary_search-B2.mlw: Line 16: Normal execution of function `(!)` with args: r = {contents= 0} File lib.mlw: Line 23: Normal execution of function `contents` with args: arg = {contents= 0} File binary_search-B2.mlw: Line 16: Normal execution of function `(+)` with args: _ = 0 _ = 1 Normal execution of function `div` with args: x = 1 y = 2 Line 17: Normal execution of function `([])` with args: a = {length= 2; elts= fun (x:int) -> 0} i = 0 File lib.mlw: Line 43: Normal execution of function `elts` with args: arg = {length= 2; elts= fun (x:int) -> 0} Normal execution of function `(@)` with args: u = fun (x:int) -> 0 u = 0 File binary_search-B2.mlw: Line 17: Normal execution of function `(>)` with args: x = 0 y = 0 Line 19: Normal execution of function `(:=)` with args: r = {contents= 0} i = 0 Line 15: Property failure at loop variant decrease with: l = {contents= 0} r = {contents= 1} r = {contents= 1} l = {contents= 0} ** binary_search-B3 bin/why3 prove --library=bench/check-ce/petiot2018 bench/check-ce/petiot2018/experiments/binary_search-B3.mlw --apply-transform=split_vc --prover=CVC4,1.8,counterexamples --timelimit=15 --check-ce --rac-prover=CVC4,1.8 --sub-goal=:14@loop invariant preservation --stepslimit=10000 File "bench/check-ce/petiot2018/experiments/binary_search-B3.mlw", line 14, characters 50-58: Sub-goal Loop invariant preservation of goal binary_search'vc. Prover result is: Step limit exceeded. The program does not comply to the verification goal, for example during the following execution: File binary_search-B3.mlw: Line 3: Execution of main function `binary_search` with env: div = fun (bOUND_VARIABLE_872:int) (bOUND_VARIABLE_873:int) -> 1 mod = fun (bOUND_VARIABLE_872:int) (bOUND_VARIABLE_873:int) -> 0 t = {length= 3; elts= fun (x:int) -> if x = 1 then 1 else 0} x = 0 zero = 0 one = 1 Line 9: Normal execution of function `int_ref` with args: i = (-1) File lib.mlw: Line 12: Normal execution of function `int_ref'mk` with args: contents = (-1) File binary_search-B3.mlw: Line 10: Normal execution of function `length` with args: arg = {length= 3; elts= fun (x:int) -> if x = 1 then 1 else 0} Normal execution of function `(-)` with args: x = 3 y = 1 File int.mlw: Line 23: Normal execution of function `(-_)` with args: _ = 1 Normal execution of function `(+)` with args: _ = 3 _ = (-1) File binary_search-B3.mlw: Line 10: Normal execution of function `int_ref` with args: i = 2 File lib.mlw: Line 12: Normal execution of function `int_ref'mk` with args: contents = 2 File binary_search-B3.mlw: Line 11: Normal execution of function `(!)` with args: r = {contents= 2} File lib.mlw: Line 23: Normal execution of function `contents` with args: arg = {contents= 2} File binary_search-B3.mlw: Line 11: Normal execution of function `(!)` with args: r = {contents= (-1)} File lib.mlw: Line 23: Normal execution of function `contents` with args: arg = {contents= (-1)} File binary_search-B3.mlw: Line 11: Normal execution of function `(<)` with args: _ = (-1) _ = 2 Normal iteration of loop Line 16: Normal execution of function `(!)` with args: r = {contents= 2} File lib.mlw: Line 23: Normal execution of function `contents` with args: arg = {contents= 2} File binary_search-B3.mlw: Line 16: Normal execution of function `(!)` with args: r = {contents= (-1)} File lib.mlw: Line 23: Normal execution of function `contents` with args: arg = {contents= (-1)} File binary_search-B3.mlw: Line 16: Normal execution of function `(+)` with args: _ = (-1) _ = 2 Normal execution of function `(+)` with args: _ = 1 _ = 1 Normal execution of function `div` with args: x = 2 y = 2 Line 17: Normal execution of function `([])` with args: a = {length= 3; elts= fun (x:int) -> if x = 1 then 1 else 0} i = 1 File lib.mlw: Line 43: Normal execution of function `elts` with args: arg = {length= 3; elts= fun (x:int) -> if x = 1 then 1 else 0} Normal execution of function `(@)` with args: u = fun (x:int) -> if x = 1 then 1 else 0 u = 1 File binary_search-B3.mlw: Line 17: Normal execution of function `(>)` with args: x = 1 y = 0 Line 18: Normal execution of function `(-)` with args: x = 1 y = 1 File int.mlw: Line 23: Normal execution of function `(-_)` with args: _ = 1 Normal execution of function `(+)` with args: _ = 1 _ = (-1) File binary_search-B3.mlw: Line 18: Normal execution of function `(:=)` with args: r = {contents= 2} i = 0 Line 14: Property failure at loop invariant preservation with: t = {length= 3; elts= fun (x:int) -> if x = 1 then 1 else 0} x = 0 r = {contents= 0} File "bench/check-ce/petiot2018/experiments/binary_search-B3.mlw", line 14, characters 50-58: Sub-goal Loop invariant preservation of goal binary_search'vc. Prover result is: Valid. ** binary_search-B4 bin/why3 prove --library=bench/check-ce/petiot2018 bench/check-ce/petiot2018/experiments/binary_search-B4.mlw --apply-transform=split_vc --prover=CVC4,1.8,counterexamples --timelimit=15 --check-ce --rac-prover=CVC4,1.8 --sub-goal=:8@postcondition --stepslimit=10000 File "bench/check-ce/petiot2018/experiments/binary_search-B4.mlw", line 8, characters 50-58: Sub-goal Postcondition of goal binary_search'vc. Prover result is: Unknown (unknown + incomplete). The contracts of some function or loop are too weak, for example during the following execution: File binary_search-B4.mlw: Line 3: Execution of main function `binary_search` with env: t = {length= 2; elts= fun (x:int) -> 0} x = 0 zero = 0 one = 1 Line 9: Giant-step execution of function `int_ref` with args: i = (-1) result of `int_ref` = {contents= (- 1)} Line 10: Normal execution of function `length` with args: arg = {length= 2; elts= fun (x:int) -> 0} Giant-step execution of function `(-)` with args: x = 2 y = 1 result of `(-)` = 1 Giant-step execution of function `int_ref` with args: i = 1 result of `int_ref` = {contents= 1} Line 11: Giant-step iteration of loop l = {contents= 0} r = {contents= 0} Giant-step execution of function `(!)` with args: r = {contents= 0} result of `(!)` = 0 Giant-step execution of function `(!)` with args: r = {contents= 0} result of `(!)` = 0 Normal execution of function `(<)` with args: _ = 0 _ = 0 Line 21: Giant-step execution of function `(!)` with args: r = {contents= 0} result of `(!)` = 0 Line 8: Property failure at postcondition of `binary_search` with: t = {length= 2; elts= fun (x:int) -> 0} x = 0 result = 0 why3-1.6.0/bench/check-ce/petiot2018/oracles/binary_search_CVC5,1.0.0.oracle000066400000000000000000000516501440160026300256140ustar00rootroot00000000000000* Experiment binary_search ** Original File "bench/check-ce/petiot2018/binary_search.mlw", line 12, characters 19-44: Sub-goal Loop invariant init of goal binary_search'vc. Prover result is: Valid. File "bench/check-ce/petiot2018/binary_search.mlw", line 13, characters 45-54: Sub-goal Loop invariant init of goal binary_search'vc. Prover result is: Valid. File "bench/check-ce/petiot2018/binary_search.mlw", line 14, characters 50-58: Sub-goal Loop invariant init of goal binary_search'vc. Prover result is: Valid. File "bench/check-ce/petiot2018/binary_search.mlw", line 16, characters 12-31: Sub-goal Precondition of goal binary_search'vc. Prover result is: Valid. File "bench/check-ce/petiot2018/binary_search.mlw", line 17, characters 7-11: Sub-goal Index in array bounds of goal binary_search'vc. Prover result is: Valid. File "bench/check-ce/petiot2018/binary_search.mlw", line 15, characters 14-21: Sub-goal Loop variant decrease of goal binary_search'vc. Prover result is: Valid. File "bench/check-ce/petiot2018/binary_search.mlw", line 12, characters 19-44: Sub-goal Loop invariant preservation of goal binary_search'vc. Prover result is: Valid. File "bench/check-ce/petiot2018/binary_search.mlw", line 13, characters 45-54: Sub-goal Loop invariant preservation of goal binary_search'vc. Prover result is: Valid. File "bench/check-ce/petiot2018/binary_search.mlw", line 14, characters 50-58: Sub-goal Loop invariant preservation of goal binary_search'vc. Prover result is: Valid. File "bench/check-ce/petiot2018/binary_search.mlw", line 15, characters 14-21: Sub-goal Loop variant decrease of goal binary_search'vc. Prover result is: Valid. File "bench/check-ce/petiot2018/binary_search.mlw", line 12, characters 19-44: Sub-goal Loop invariant preservation of goal binary_search'vc. Prover result is: Valid. File "bench/check-ce/petiot2018/binary_search.mlw", line 13, characters 45-54: Sub-goal Loop invariant preservation of goal binary_search'vc. Prover result is: Valid. File "bench/check-ce/petiot2018/binary_search.mlw", line 14, characters 50-58: Sub-goal Loop invariant preservation of goal binary_search'vc. Prover result is: Valid. File "bench/check-ce/petiot2018/binary_search.mlw", line 6, characters 15-43: Sub-goal Postcondition of goal binary_search'vc. Prover result is: Valid. File "bench/check-ce/petiot2018/binary_search.mlw", line 7, characters 45-54: Sub-goal Postcondition of goal binary_search'vc. Prover result is: Valid. File "bench/check-ce/petiot2018/binary_search.mlw", line 8, characters 50-58: Sub-goal Postcondition of goal binary_search'vc. Prover result is: Valid. ** binary_search-B1 bin/why3 prove --library=bench/check-ce/petiot2018 bench/check-ce/petiot2018/experiments/binary_search-B1.mlw --apply-transform=split_vc --prover=CVC5,1.0.0,counterexamples --timelimit=15 --check-ce --rac-prover=CVC5,1.0.0 --sub-goal=:15@loop variant decrease --stepslimit=10000 File "bench/check-ce/petiot2018/experiments/binary_search-B1.mlw", line 15, characters 10-23: Sub-goal Loop variant decrease of goal binary_search'vc. Prover result is: Step limit exceeded. The program does not comply to the verification goal, for example during the following execution: File binary_search-B1.mlw: Line 3: Execution of main function `binary_search` with env: div = fun (_arg_1:int) (_arg_2:int) -> 0 mod = fun (bOUND_VARIABLE_827:int) (bOUND_VARIABLE_828:int) -> 0 t = {length= 2; elts= fun (x:int) -> 0} x = (- 1) zero = 0 one = 1 Line 9: Normal execution of function `int_ref` with args: i = (-1) File lib.mlw: Line 12: Normal execution of function `int_ref'mk` with args: contents = (-1) File binary_search-B1.mlw: Line 10: Normal execution of function `length` with args: arg = {length= 2; elts= fun (x:int) -> 0} Normal execution of function `(-)` with args: x = 2 y = 1 File int.mlw: Line 23: Normal execution of function `(-_)` with args: _ = 1 Normal execution of function `(+)` with args: _ = 2 _ = (-1) File binary_search-B1.mlw: Line 10: Normal execution of function `int_ref` with args: i = 1 File lib.mlw: Line 12: Normal execution of function `int_ref'mk` with args: contents = 1 File binary_search-B1.mlw: Line 11: Normal execution of function `(!)` with args: r = {contents= 1} File lib.mlw: Line 23: Normal execution of function `contents` with args: arg = {contents= 1} File binary_search-B1.mlw: Line 11: Normal execution of function `(!)` with args: r = {contents= (-1)} File lib.mlw: Line 23: Normal execution of function `contents` with args: arg = {contents= (-1)} File binary_search-B1.mlw: Line 11: Normal execution of function `(<)` with args: _ = (-1) _ = 1 Normal iteration of loop Line 16: Normal execution of function `(!)` with args: r = {contents= 1} File lib.mlw: Line 23: Normal execution of function `contents` with args: arg = {contents= 1} File binary_search-B1.mlw: Line 16: Normal execution of function `(!)` with args: r = {contents= (-1)} File lib.mlw: Line 23: Normal execution of function `contents` with args: arg = {contents= (-1)} File binary_search-B1.mlw: Line 16: Normal execution of function `(+)` with args: _ = (-1) _ = 1 Normal execution of function `(+)` with args: _ = 0 _ = 1 Normal execution of function `div` with args: x = 1 y = 2 Line 17: Normal execution of function `([])` with args: a = {length= 2; elts= fun (x:int) -> 0} i = 0 File lib.mlw: Line 43: Normal execution of function `elts` with args: arg = {length= 2; elts= fun (x:int) -> 0} Normal execution of function `(@)` with args: u = fun (x:int) -> 0 u = 0 File binary_search-B1.mlw: Line 17: Normal execution of function `(>)` with args: x = 0 y = (- 1) Line 18: Normal execution of function `(-)` with args: x = 0 y = 1 File int.mlw: Line 23: Normal execution of function `(-_)` with args: _ = 1 Normal execution of function `(+)` with args: _ = 0 _ = (-1) File binary_search-B1.mlw: Line 18: Normal execution of function `(:=)` with args: r = {contents= 1} i = (-1) Line 15: Property failure at loop variant decrease with: t = {length= 2; elts= fun (x:int) -> 0} r = {contents= (-1)} r = {contents= 1} t = {length= 2; elts= fun (x:int) -> 0} File "bench/check-ce/petiot2018/experiments/binary_search-B1.mlw", line 15, characters 10-23: Sub-goal Loop variant decrease of goal binary_search'vc. Prover result is: Step limit exceeded. The program does not comply to the verification goal, for example during the following execution: File binary_search-B1.mlw: Line 3: Execution of main function `binary_search` with env: div = fun (_arg_1:int) (_arg_2:int) -> 0 mod = fun (bOUND_VARIABLE_766:int) (bOUND_VARIABLE_767:int) -> 0 t = {length= 2; elts= fun (x:int) -> 0} x = 0 zero = 0 one = 1 Line 9: Normal execution of function `int_ref` with args: i = (-1) File lib.mlw: Line 12: Normal execution of function `int_ref'mk` with args: contents = (-1) File binary_search-B1.mlw: Line 10: Normal execution of function `length` with args: arg = {length= 2; elts= fun (x:int) -> 0} Normal execution of function `(-)` with args: x = 2 y = 1 File int.mlw: Line 23: Normal execution of function `(-_)` with args: _ = 1 Normal execution of function `(+)` with args: _ = 2 _ = (-1) File binary_search-B1.mlw: Line 10: Normal execution of function `int_ref` with args: i = 1 File lib.mlw: Line 12: Normal execution of function `int_ref'mk` with args: contents = 1 File binary_search-B1.mlw: Line 11: Normal execution of function `(!)` with args: r = {contents= 1} File lib.mlw: Line 23: Normal execution of function `contents` with args: arg = {contents= 1} File binary_search-B1.mlw: Line 11: Normal execution of function `(!)` with args: r = {contents= (-1)} File lib.mlw: Line 23: Normal execution of function `contents` with args: arg = {contents= (-1)} File binary_search-B1.mlw: Line 11: Normal execution of function `(<)` with args: _ = (-1) _ = 1 Normal iteration of loop Line 16: Normal execution of function `(!)` with args: r = {contents= 1} File lib.mlw: Line 23: Normal execution of function `contents` with args: arg = {contents= 1} File binary_search-B1.mlw: Line 16: Normal execution of function `(!)` with args: r = {contents= (-1)} File lib.mlw: Line 23: Normal execution of function `contents` with args: arg = {contents= (-1)} File binary_search-B1.mlw: Line 16: Normal execution of function `(+)` with args: _ = (-1) _ = 1 Normal execution of function `(+)` with args: _ = 0 _ = 1 Normal execution of function `div` with args: x = 1 y = 2 Line 17: Normal execution of function `([])` with args: a = {length= 2; elts= fun (x:int) -> 0} i = 0 File lib.mlw: Line 43: Normal execution of function `elts` with args: arg = {length= 2; elts= fun (x:int) -> 0} Normal execution of function `(@)` with args: u = fun (x:int) -> 0 u = 0 File binary_search-B1.mlw: Line 17: Normal execution of function `(>)` with args: x = 0 y = 0 Line 19: Normal execution of function `(:=)` with args: r = {contents= (-1)} i = 0 Line 15: Property failure at loop variant decrease with: t = {length= 2; elts= fun (x:int) -> 0} r = {contents= 1} r = {contents= 1} t = {length= 2; elts= fun (x:int) -> 0} ** binary_search-B2 bin/why3 prove --library=bench/check-ce/petiot2018 bench/check-ce/petiot2018/experiments/binary_search-B2.mlw --apply-transform=split_vc --prover=CVC5,1.0.0,counterexamples --timelimit=15 --check-ce --rac-prover=CVC5,1.0.0 --sub-goal=:15@loop variant decrease --stepslimit=10000 File "bench/check-ce/petiot2018/experiments/binary_search-B2.mlw", line 15, characters 14-21: Sub-goal Loop variant decrease of goal binary_search'vc. Prover result is: Valid. File "bench/check-ce/petiot2018/experiments/binary_search-B2.mlw", line 15, characters 14-21: Sub-goal Loop variant decrease of goal binary_search'vc. Prover result is: Step limit exceeded. The program does not comply to the verification goal, for example during the following execution: File binary_search-B2.mlw: Line 3: Execution of main function `binary_search` with env: div = fun (_arg_1:int) (_arg_2:int) -> 0 mod = fun (bOUND_VARIABLE_777:int) (bOUND_VARIABLE_778:int) -> 0 t = {length= 2; elts= fun (x:int) -> 0} x = 0 zero = 0 one = 1 Line 9: Normal execution of function `int_ref` with args: i = (-1) File lib.mlw: Line 12: Normal execution of function `int_ref'mk` with args: contents = (-1) File binary_search-B2.mlw: Line 10: Normal execution of function `length` with args: arg = {length= 2; elts= fun (x:int) -> 0} Normal execution of function `(-)` with args: x = 2 y = 1 File int.mlw: Line 23: Normal execution of function `(-_)` with args: _ = 1 Normal execution of function `(+)` with args: _ = 2 _ = (-1) File binary_search-B2.mlw: Line 10: Normal execution of function `int_ref` with args: i = 1 File lib.mlw: Line 12: Normal execution of function `int_ref'mk` with args: contents = 1 File binary_search-B2.mlw: Line 11: Normal execution of function `(!)` with args: r = {contents= 1} File lib.mlw: Line 23: Normal execution of function `contents` with args: arg = {contents= 1} File binary_search-B2.mlw: Line 11: Normal execution of function `(!)` with args: r = {contents= (-1)} File lib.mlw: Line 23: Normal execution of function `contents` with args: arg = {contents= (-1)} File binary_search-B2.mlw: Line 11: Normal execution of function `(<)` with args: _ = (-1) _ = 1 Normal iteration of loop Line 16: Normal execution of function `(!)` with args: r = {contents= 1} File lib.mlw: Line 23: Normal execution of function `contents` with args: arg = {contents= 1} File binary_search-B2.mlw: Line 16: Normal execution of function `(!)` with args: r = {contents= (-1)} File lib.mlw: Line 23: Normal execution of function `contents` with args: arg = {contents= (-1)} File binary_search-B2.mlw: Line 16: Normal execution of function `(+)` with args: _ = (-1) _ = 1 Normal execution of function `div` with args: x = 0 y = 2 Line 17: Normal execution of function `([])` with args: a = {length= 2; elts= fun (x:int) -> 0} i = 0 File lib.mlw: Line 43: Normal execution of function `elts` with args: arg = {length= 2; elts= fun (x:int) -> 0} Normal execution of function `(@)` with args: u = fun (x:int) -> 0 u = 0 File binary_search-B2.mlw: Line 17: Normal execution of function `(>)` with args: x = 0 y = 0 Line 19: Normal execution of function `(:=)` with args: r = {contents= (-1)} i = 0 Line 11: Normal execution of function `(!)` with args: r = {contents= 1} File lib.mlw: Line 23: Normal execution of function `contents` with args: arg = {contents= 1} File binary_search-B2.mlw: Line 11: Normal execution of function `(!)` with args: r = {contents= 0} File lib.mlw: Line 23: Normal execution of function `contents` with args: arg = {contents= 0} File binary_search-B2.mlw: Line 11: Normal execution of function `(<)` with args: _ = 0 _ = 1 Normal iteration of loop Line 16: Normal execution of function `(!)` with args: r = {contents= 1} File lib.mlw: Line 23: Normal execution of function `contents` with args: arg = {contents= 1} File binary_search-B2.mlw: Line 16: Normal execution of function `(!)` with args: r = {contents= 0} File lib.mlw: Line 23: Normal execution of function `contents` with args: arg = {contents= 0} File binary_search-B2.mlw: Line 16: Normal execution of function `(+)` with args: _ = 0 _ = 1 Normal execution of function `div` with args: x = 1 y = 2 Line 17: Normal execution of function `([])` with args: a = {length= 2; elts= fun (x:int) -> 0} i = 0 File lib.mlw: Line 43: Normal execution of function `elts` with args: arg = {length= 2; elts= fun (x:int) -> 0} Normal execution of function `(@)` with args: u = fun (x:int) -> 0 u = 0 File binary_search-B2.mlw: Line 17: Normal execution of function `(>)` with args: x = 0 y = 0 Line 19: Normal execution of function `(:=)` with args: r = {contents= 0} i = 0 Line 15: Property failure at loop variant decrease with: l = {contents= 0} r = {contents= 1} r = {contents= 1} l = {contents= 0} ** binary_search-B3 bin/why3 prove --library=bench/check-ce/petiot2018 bench/check-ce/petiot2018/experiments/binary_search-B3.mlw --apply-transform=split_vc --prover=CVC5,1.0.0,counterexamples --timelimit=15 --check-ce --rac-prover=CVC5,1.0.0 --sub-goal=:14@loop invariant preservation --stepslimit=10000 File "bench/check-ce/petiot2018/experiments/binary_search-B3.mlw", line 14, characters 50-58: Sub-goal Loop invariant preservation of goal binary_search'vc. Prover result is: Step limit exceeded. The program does not comply to the verification goal, for example during the following execution: File binary_search-B3.mlw: Line 3: Execution of main function `binary_search` with env: div = fun (_arg_1:int) (_arg_2:int) -> 1 mod = fun (bOUND_VARIABLE_896:int) (bOUND_VARIABLE_897:int) -> 0 t = {length= 3; elts= fun (x:int) -> if x = 1 then 1 else 0} x = 0 zero = 0 one = 1 Line 9: Normal execution of function `int_ref` with args: i = (-1) File lib.mlw: Line 12: Normal execution of function `int_ref'mk` with args: contents = (-1) File binary_search-B3.mlw: Line 10: Normal execution of function `length` with args: arg = {length= 3; elts= fun (x:int) -> if x = 1 then 1 else 0} Normal execution of function `(-)` with args: x = 3 y = 1 File int.mlw: Line 23: Normal execution of function `(-_)` with args: _ = 1 Normal execution of function `(+)` with args: _ = 3 _ = (-1) File binary_search-B3.mlw: Line 10: Normal execution of function `int_ref` with args: i = 2 File lib.mlw: Line 12: Normal execution of function `int_ref'mk` with args: contents = 2 File binary_search-B3.mlw: Line 11: Normal execution of function `(!)` with args: r = {contents= 2} File lib.mlw: Line 23: Normal execution of function `contents` with args: arg = {contents= 2} File binary_search-B3.mlw: Line 11: Normal execution of function `(!)` with args: r = {contents= (-1)} File lib.mlw: Line 23: Normal execution of function `contents` with args: arg = {contents= (-1)} File binary_search-B3.mlw: Line 11: Normal execution of function `(<)` with args: _ = (-1) _ = 2 Normal iteration of loop Line 16: Normal execution of function `(!)` with args: r = {contents= 2} File lib.mlw: Line 23: Normal execution of function `contents` with args: arg = {contents= 2} File binary_search-B3.mlw: Line 16: Normal execution of function `(!)` with args: r = {contents= (-1)} File lib.mlw: Line 23: Normal execution of function `contents` with args: arg = {contents= (-1)} File binary_search-B3.mlw: Line 16: Normal execution of function `(+)` with args: _ = (-1) _ = 2 Normal execution of function `(+)` with args: _ = 1 _ = 1 Normal execution of function `div` with args: x = 2 y = 2 Line 17: Normal execution of function `([])` with args: a = {length= 3; elts= fun (x:int) -> if x = 1 then 1 else 0} i = 1 File lib.mlw: Line 43: Normal execution of function `elts` with args: arg = {length= 3; elts= fun (x:int) -> if x = 1 then 1 else 0} Normal execution of function `(@)` with args: u = fun (x:int) -> if x = 1 then 1 else 0 u = 1 File binary_search-B3.mlw: Line 17: Normal execution of function `(>)` with args: x = 1 y = 0 Line 18: Normal execution of function `(-)` with args: x = 1 y = 1 File int.mlw: Line 23: Normal execution of function `(-_)` with args: _ = 1 Normal execution of function `(+)` with args: _ = 1 _ = (-1) File binary_search-B3.mlw: Line 18: Normal execution of function `(:=)` with args: r = {contents= 2} i = 0 Line 14: Property failure at loop invariant preservation with: t = {length= 3; elts= fun (x:int) -> if x = 1 then 1 else 0} x = 0 r = {contents= 0} File "bench/check-ce/petiot2018/experiments/binary_search-B3.mlw", line 14, characters 50-58: Sub-goal Loop invariant preservation of goal binary_search'vc. Prover result is: Valid. ** binary_search-B4 bin/why3 prove --library=bench/check-ce/petiot2018 bench/check-ce/petiot2018/experiments/binary_search-B4.mlw --apply-transform=split_vc --prover=CVC5,1.0.0,counterexamples --timelimit=15 --check-ce --rac-prover=CVC5,1.0.0 --sub-goal=:8@postcondition --stepslimit=10000 File "bench/check-ce/petiot2018/experiments/binary_search-B4.mlw", line 8, characters 50-58: Sub-goal Postcondition of goal binary_search'vc. Prover result is: Unknown (unknown + incomplete). The contracts of some function or loop are too weak, for example during the following execution: File binary_search-B4.mlw: Line 3: Execution of main function `binary_search` with env: t = {length= 2; elts= fun (x:int) -> 0} x = 0 zero = 0 one = 1 Line 9: Giant-step execution of function `int_ref` with args: i = (-1) result of `int_ref` = {contents= (- 1)} Line 10: Normal execution of function `length` with args: arg = {length= 2; elts= fun (x:int) -> 0} Giant-step execution of function `(-)` with args: x = 2 y = 1 result of `(-)` = 1 Giant-step execution of function `int_ref` with args: i = 1 result of `int_ref` = {contents= 1} Line 11: Giant-step iteration of loop l = {contents= 0} r = {contents= 0} Giant-step execution of function `(!)` with args: r = {contents= 0} result of `(!)` = 0 Giant-step execution of function `(!)` with args: r = {contents= 0} result of `(!)` = 0 Normal execution of function `(<)` with args: _ = 0 _ = 0 Line 21: Giant-step execution of function `(!)` with args: r = {contents= 0} result of `(!)` = 0 Line 8: Property failure at postcondition of `binary_search` with: t = {length= 2; elts= fun (x:int) -> 0} x = 0 result = 0 why3-1.6.0/bench/check-ce/petiot2018/oracles/binary_search_Z3,4.8.10.oracle000066400000000000000000000124221440160026300254760ustar00rootroot00000000000000* Experiment binary_search ** Original File "bench/check-ce/petiot2018/binary_search.mlw", line 12, characters 19-44: Sub-goal Loop invariant init of goal binary_search'vc. Prover result is: Valid. File "bench/check-ce/petiot2018/binary_search.mlw", line 13, characters 45-54: Sub-goal Loop invariant init of goal binary_search'vc. Prover result is: Valid. File "bench/check-ce/petiot2018/binary_search.mlw", line 14, characters 50-58: Sub-goal Loop invariant init of goal binary_search'vc. Prover result is: Valid. File "bench/check-ce/petiot2018/binary_search.mlw", line 16, characters 12-31: Sub-goal Precondition of goal binary_search'vc. Prover result is: Valid. File "bench/check-ce/petiot2018/binary_search.mlw", line 17, characters 7-11: Sub-goal Index in array bounds of goal binary_search'vc. Prover result is: Valid. File "bench/check-ce/petiot2018/binary_search.mlw", line 15, characters 14-21: Sub-goal Loop variant decrease of goal binary_search'vc. Prover result is: Valid. File "bench/check-ce/petiot2018/binary_search.mlw", line 12, characters 19-44: Sub-goal Loop invariant preservation of goal binary_search'vc. Prover result is: Valid. File "bench/check-ce/petiot2018/binary_search.mlw", line 13, characters 45-54: Sub-goal Loop invariant preservation of goal binary_search'vc. Prover result is: Valid. File "bench/check-ce/petiot2018/binary_search.mlw", line 14, characters 50-58: Sub-goal Loop invariant preservation of goal binary_search'vc. Prover result is: Valid. File "bench/check-ce/petiot2018/binary_search.mlw", line 15, characters 14-21: Sub-goal Loop variant decrease of goal binary_search'vc. Prover result is: Valid. File "bench/check-ce/petiot2018/binary_search.mlw", line 12, characters 19-44: Sub-goal Loop invariant preservation of goal binary_search'vc. Prover result is: Valid. File "bench/check-ce/petiot2018/binary_search.mlw", line 13, characters 45-54: Sub-goal Loop invariant preservation of goal binary_search'vc. Prover result is: Valid. File "bench/check-ce/petiot2018/binary_search.mlw", line 14, characters 50-58: Sub-goal Loop invariant preservation of goal binary_search'vc. Prover result is: Valid. File "bench/check-ce/petiot2018/binary_search.mlw", line 6, characters 15-43: Sub-goal Postcondition of goal binary_search'vc. Prover result is: Valid. File "bench/check-ce/petiot2018/binary_search.mlw", line 7, characters 45-54: Sub-goal Postcondition of goal binary_search'vc. Prover result is: Valid. File "bench/check-ce/petiot2018/binary_search.mlw", line 8, characters 50-58: Sub-goal Postcondition of goal binary_search'vc. Prover result is: Valid. ** binary_search-B1 bin/why3 prove --library=bench/check-ce/petiot2018 bench/check-ce/petiot2018/experiments/binary_search-B1.mlw --apply-transform=split_vc --prover=Z3,4.8.10,counterexamples --timelimit=15 --check-ce --rac-prover=Z3,4.8.10 --sub-goal=:15@loop variant decrease --stepslimit=500000 File "bench/check-ce/petiot2018/experiments/binary_search-B1.mlw", line 15, characters 10-23: Sub-goal Loop variant decrease of goal binary_search'vc. Prover result is: Step limit exceeded. Sorry, we don't have a good counterexample for you :( File "bench/check-ce/petiot2018/experiments/binary_search-B1.mlw", line 15, characters 10-23: Sub-goal Loop variant decrease of goal binary_search'vc. Prover result is: Step limit exceeded. Sorry, we don't have a good counterexample for you :( ** binary_search-B2 bin/why3 prove --library=bench/check-ce/petiot2018 bench/check-ce/petiot2018/experiments/binary_search-B2.mlw --apply-transform=split_vc --prover=Z3,4.8.10,counterexamples --timelimit=15 --check-ce --rac-prover=Z3,4.8.10 --sub-goal=:15@loop variant decrease --stepslimit=500000 File "bench/check-ce/petiot2018/experiments/binary_search-B2.mlw", line 15, characters 14-21: Sub-goal Loop variant decrease of goal binary_search'vc. Prover result is: Valid. File "bench/check-ce/petiot2018/experiments/binary_search-B2.mlw", line 15, characters 14-21: Sub-goal Loop variant decrease of goal binary_search'vc. Prover result is: Step limit exceeded. Sorry, we don't have a good counterexample for you :( ** binary_search-B3 bin/why3 prove --library=bench/check-ce/petiot2018 bench/check-ce/petiot2018/experiments/binary_search-B3.mlw --apply-transform=split_vc --prover=Z3,4.8.10,counterexamples --timelimit=15 --check-ce --rac-prover=Z3,4.8.10 --sub-goal=:14@loop invariant preservation --stepslimit=500000 File "bench/check-ce/petiot2018/experiments/binary_search-B3.mlw", line 14, characters 50-58: Sub-goal Loop invariant preservation of goal binary_search'vc. Prover result is: Step limit exceeded. Sorry, we don't have a good counterexample for you :( File "bench/check-ce/petiot2018/experiments/binary_search-B3.mlw", line 14, characters 50-58: Sub-goal Loop invariant preservation of goal binary_search'vc. Prover result is: Valid. ** binary_search-B4 bin/why3 prove --library=bench/check-ce/petiot2018 bench/check-ce/petiot2018/experiments/binary_search-B4.mlw --apply-transform=split_vc --prover=Z3,4.8.10,counterexamples --timelimit=15 --check-ce --rac-prover=Z3,4.8.10 --sub-goal=:8@postcondition --stepslimit=500000 File "bench/check-ce/petiot2018/experiments/binary_search-B4.mlw", line 8, characters 50-58: Sub-goal Postcondition of goal binary_search'vc. Prover result is: Unknown (sat). Sorry, we don't have a good counterexample for you :( why3-1.6.0/bench/check-ce/petiot2018/oracles/isqrt_CVC4,1.7.oracle000066400000000000000000000711401440160026300240110ustar00rootroot00000000000000* Experiment isqrt ** Original File "bench/check-ce/petiot2018/isqrt.mlw", line 10, characters 19-31: Sub-goal Loop invariant init of goal isqrt'vc. Prover result is: Valid. File "bench/check-ce/petiot2018/isqrt.mlw", line 11, characters 19-31: Sub-goal Loop invariant init of goal isqrt'vc. Prover result is: Valid. File "bench/check-ce/petiot2018/isqrt.mlw", line 12, characters 19-38: Sub-goal Loop invariant init of goal isqrt'vc. Prover result is: Valid. File "bench/check-ce/petiot2018/isqrt.mlw", line 13, characters 19-35: Sub-goal Loop invariant init of goal isqrt'vc. Prover result is: Valid. File "bench/check-ce/petiot2018/isqrt.mlw", line 14, characters 14-16: Sub-goal Loop variant decrease of goal isqrt'vc. Prover result is: Valid. File "bench/check-ce/petiot2018/isqrt.mlw", line 10, characters 19-31: Sub-goal Loop invariant preservation of goal isqrt'vc. Prover result is: Valid. File "bench/check-ce/petiot2018/isqrt.mlw", line 11, characters 19-31: Sub-goal Loop invariant preservation of goal isqrt'vc. Prover result is: Valid. File "bench/check-ce/petiot2018/isqrt.mlw", line 12, characters 19-38: Sub-goal Loop invariant preservation of goal isqrt'vc. Prover result is: Valid. File "bench/check-ce/petiot2018/isqrt.mlw", line 13, characters 19-35: Sub-goal Loop invariant preservation of goal isqrt'vc. Prover result is: Valid. File "bench/check-ce/petiot2018/isqrt.mlw", line 5, characters 12-62: Sub-goal Postcondition of goal isqrt'vc. Prover result is: Valid. ** isqrt-S1 bin/why3 prove --library=bench/check-ce/petiot2018 bench/check-ce/petiot2018/experiments/isqrt-S1.mlw --apply-transform=split_vc --prover=CVC4,1.7,counterexamples --timelimit=15 --check-ce --rac-prover=CVC4,1.7 --sub-goal=:10@loop invariant init --stepslimit=10000 File "bench/check-ce/petiot2018/experiments/isqrt-S1.mlw", line 10, characters 19-31: Sub-goal Loop invariant init of goal isqrt'vc. Prover result is: Unknown (sat). The program does not comply to the verification goal, for example during the following execution: File isqrt-S1.mlw: Line 3: Execution of main function `isqrt` with env: n = (-1) zero = 0 one = 1 Line 6: Normal execution of function `int_ref` with args: i = (-1) File lib.mlw: Line 12: Normal execution of function `int_ref'mk` with args: contents = (-1) File isqrt-S1.mlw: Line 7: Normal execution of function `( * )` with args: _ = (-1) _ = (-1) Normal execution of function `int_ref` with args: i = 1 File lib.mlw: Line 12: Normal execution of function `int_ref'mk` with args: contents = 1 File isqrt-S1.mlw: Line 8: Normal execution of function `( * )` with args: _ = (-2) _ = (-1) Normal execution of function `(+)` with args: _ = 2 _ = 1 Normal execution of function `int_ref` with args: i = 3 File lib.mlw: Line 12: Normal execution of function `int_ref'mk` with args: contents = 3 File isqrt-S1.mlw: Line 10: Property failure at loop invariant init with: n = (-1) r = {contents= (-1)} ** isqrt-S2 bin/why3 prove --library=bench/check-ce/petiot2018 bench/check-ce/petiot2018/experiments/isqrt-S2.mlw --apply-transform=split_vc --prover=CVC4,1.7,counterexamples --timelimit=15 --check-ce --rac-prover=CVC4,1.7 --sub-goal=:13@loop invariant init --stepslimit=10000 File "bench/check-ce/petiot2018/experiments/isqrt-S2.mlw", line 13, characters 19-35: Sub-goal Loop invariant init of goal isqrt'vc. Prover result is: Unknown (sat). The program does not comply to the verification goal, for example during the following execution: File isqrt-S2.mlw: Line 3: Execution of main function `isqrt` with env: n = 1 zero = 0 one = 1 Line 6: Normal execution of function `int_ref` with args: i = 1 File lib.mlw: Line 12: Normal execution of function `int_ref'mk` with args: contents = 1 File isqrt-S2.mlw: Line 7: Normal execution of function `( * )` with args: _ = 1 _ = 1 Normal execution of function `int_ref` with args: i = 1 File lib.mlw: Line 12: Normal execution of function `int_ref'mk` with args: contents = 1 File isqrt-S2.mlw: Line 8: Normal execution of function `( * )` with args: _ = 2 _ = 1 Normal execution of function `(+)` with args: _ = 2 _ = 1 Normal execution of function `int_ref` with args: i = 3 File lib.mlw: Line 12: Normal execution of function `int_ref'mk` with args: contents = 3 File isqrt-S2.mlw: Line 13: Property failure at loop invariant init with: r = {contents= 1} z = {contents= 3} ** isqrt-S3 bin/why3 prove --library=bench/check-ce/petiot2018 bench/check-ce/petiot2018/experiments/isqrt-S3.mlw --apply-transform=split_vc --prover=CVC4,1.7,counterexamples --timelimit=15 --check-ce --rac-prover=CVC4,1.7 --sub-goal=:13@loop invariant init --stepslimit=10000 File "bench/check-ce/petiot2018/experiments/isqrt-S3.mlw", line 13, characters 15-30: Sub-goal Loop invariant init of goal isqrt'vc. Prover result is: Unknown (sat). The program does not comply to the verification goal, for example during the following execution: File isqrt-S3.mlw: Line 3: Execution of main function `isqrt` with env: n = 1 zero = 0 one = 1 Line 6: Normal execution of function `int_ref` with args: i = 1 File lib.mlw: Line 12: Normal execution of function `int_ref'mk` with args: contents = 1 File isqrt-S3.mlw: Line 7: Normal execution of function `( * )` with args: _ = 1 _ = 1 Normal execution of function `int_ref` with args: i = 1 File lib.mlw: Line 12: Normal execution of function `int_ref'mk` with args: contents = 1 File isqrt-S3.mlw: Line 8: Normal execution of function `( * )` with args: _ = (-2) _ = 1 Normal execution of function `(+)` with args: _ = (-2) _ = 1 Normal execution of function `int_ref` with args: i = (-1) File lib.mlw: Line 12: Normal execution of function `int_ref'mk` with args: contents = (-1) File isqrt-S3.mlw: Line 13: Property failure at loop invariant init with: r = {contents= 1} z = {contents= (-1)} ** isqrt-S4 bin/why3 prove --library=bench/check-ce/petiot2018 bench/check-ce/petiot2018/experiments/isqrt-S4.mlw --apply-transform=split_vc --prover=CVC4,1.7,counterexamples --timelimit=15 --check-ce --rac-prover=CVC4,1.7 --sub-goal=:11@loop invariant preservation --stepslimit=10000 File "bench/check-ce/petiot2018/experiments/isqrt-S4.mlw", line 11, characters 19-31: Sub-goal Loop invariant preservation of goal isqrt'vc. Prover result is: Unknown (sat). The program does not comply to the verification goal, for example during the following execution: File isqrt-S4.mlw: Line 3: Execution of main function `isqrt` with env: n = 3 zero = 0 one = 1 Line 6: Normal execution of function `int_ref` with args: i = 3 File lib.mlw: Line 12: Normal execution of function `int_ref'mk` with args: contents = 3 File isqrt-S4.mlw: Line 7: Normal execution of function `( * )` with args: _ = 3 _ = 3 Normal execution of function `int_ref` with args: i = 9 File lib.mlw: Line 12: Normal execution of function `int_ref'mk` with args: contents = 9 File isqrt-S4.mlw: Line 8: Normal execution of function `( * )` with args: _ = (-2) _ = 3 Normal execution of function `(+)` with args: _ = (-6) _ = 1 Normal execution of function `int_ref` with args: i = (-5) File lib.mlw: Line 12: Normal execution of function `int_ref'mk` with args: contents = (-5) File isqrt-S4.mlw: Line 9: Normal execution of function `(!)` with args: r = {contents= 9} File lib.mlw: Line 23: Normal execution of function `contents` with args: arg = {contents= 9} File isqrt-S4.mlw: Line 9: Normal execution of function `(>)` with args: x = 9 y = 3 Normal iteration of loop Line 15: Normal execution of function `(!)` with args: r = {contents= (-5)} File lib.mlw: Line 23: Normal execution of function `contents` with args: arg = {contents= (-5)} File isqrt-S4.mlw: Line 15: Normal execution of function `(!)` with args: r = {contents= 9} File lib.mlw: Line 23: Normal execution of function `contents` with args: arg = {contents= 9} File isqrt-S4.mlw: Line 15: Normal execution of function `(-)` with args: x = 9 y = (-5) File int.mlw: Line 23: Normal execution of function `(-_)` with args: _ = (-5) Normal execution of function `(+)` with args: _ = 9 _ = 5 File isqrt-S4.mlw: Line 15: Normal execution of function `(:=)` with args: r = {contents= 9} i = 14 Line 16: Normal execution of function `(!)` with args: r = {contents= (-5)} File lib.mlw: Line 23: Normal execution of function `contents` with args: arg = {contents= (-5)} File isqrt-S4.mlw: Line 16: Normal execution of function `(+)` with args: _ = (-5) _ = 2 Normal execution of function `(:=)` with args: r = {contents= (-5)} i = (-3) Line 17: Normal execution of function `(!)` with args: r = {contents= 3} File lib.mlw: Line 23: Normal execution of function `contents` with args: arg = {contents= 3} File isqrt-S4.mlw: Line 17: Normal execution of function `(-)` with args: x = 3 y = 1 File int.mlw: Line 23: Normal execution of function `(-_)` with args: _ = 1 Normal execution of function `(+)` with args: _ = 3 _ = (-1) File isqrt-S4.mlw: Line 17: Normal execution of function `(:=)` with args: r = {contents= 3} i = 2 Line 11: Property failure at loop invariant preservation with: r = {contents= 2} y = {contents= 14} ** isqrt-S5 bin/why3 prove --library=bench/check-ce/petiot2018 bench/check-ce/petiot2018/experiments/isqrt-S5.mlw --apply-transform=split_vc --prover=CVC4,1.7,counterexamples --timelimit=15 --check-ce --rac-prover=CVC4,1.7 --sub-goal=:11@loop invariant preservation --stepslimit=10000 File "bench/check-ce/petiot2018/experiments/isqrt-S5.mlw", line 11, characters 19-31: Sub-goal Loop invariant preservation of goal isqrt'vc. Prover result is: Unknown (sat). The contracts of some function or loop are too weak, for example during the following execution: File isqrt-S5.mlw: Line 3: Execution of main function `isqrt` with env: n = 3 zero = 0 one = 1 Line 6: Giant-step execution of function `int_ref` with args: i = 3 result of `int_ref` = {contents= 3} Line 7: Normal execution of function `( * )` with args: _ = 3 _ = 3 Giant-step execution of function `int_ref` with args: i = 9 result of `int_ref` = {contents= 9} Line 8: Normal execution of function `( * )` with args: _ = (-2) _ = 3 Normal execution of function `(+)` with args: _ = (-6) _ = 1 Giant-step execution of function `int_ref` with args: i = (-5) result of `int_ref` = {contents= (-5)} Line 9: Giant-step iteration of loop r = {contents= 2} y = {contents= 4} z = {contents= (-2)} Giant-step execution of function `(!)` with args: r = {contents= 4} result of `(!)` = 4 Normal execution of function `(>)` with args: x = 4 y = 3 Normal iteration of loop Line 15: Giant-step execution of function `(!)` with args: r = {contents= (-2)} result of `(!)` = (-2) Giant-step execution of function `(!)` with args: r = {contents= 4} result of `(!)` = 4 Normal execution of function `(+)` with args: _ = 4 _ = (-2) Giant-step execution of function `(:=)` with args: r = {contents= 4} i = 2 y = {contents= 2} result of `(:=)` = () Line 16: Giant-step execution of function `(!)` with args: r = {contents= (-2)} result of `(!)` = (-2) Normal execution of function `(+)` with args: _ = (-2) _ = 2 Giant-step execution of function `(:=)` with args: r = {contents= (-2)} i = 0 z = {contents= 0} result of `(:=)` = () Line 17: Giant-step execution of function `(!)` with args: r = {contents= 2} result of `(!)` = 2 Giant-step execution of function `(-)` with args: x = 2 y = 1 result of `(-)` = 1 Giant-step execution of function `(:=)` with args: r = {contents= 2} i = 1 r = {contents= 1} result of `(:=)` = () Line 11: Property failure at loop invariant preservation with: r = {contents= 1} y = {contents= 2} ** isqrt-S6 bin/why3 prove --library=bench/check-ce/petiot2018 bench/check-ce/petiot2018/experiments/isqrt-S6.mlw --apply-transform=split_vc --prover=CVC4,1.7,counterexamples --timelimit=15 --check-ce --rac-prover=CVC4,1.7 --sub-goal=:5@postcondition --stepslimit=10000 File "bench/check-ce/petiot2018/experiments/isqrt-S6.mlw", line 5, characters 12-62: Sub-goal Postcondition of goal isqrt'vc. Prover result is: Unknown (sat). The program does not comply to the verification goal, for example during the following execution: File isqrt-S6.mlw: Line 3: Execution of main function `isqrt` with env: n = 3 zero = 0 one = 1 Line 6: Normal execution of function `int_ref` with args: i = 3 File lib.mlw: Line 12: Normal execution of function `int_ref'mk` with args: contents = 3 File isqrt-S6.mlw: Line 7: Normal execution of function `( * )` with args: _ = 3 _ = 3 Normal execution of function `int_ref` with args: i = 9 File lib.mlw: Line 12: Normal execution of function `int_ref'mk` with args: contents = 9 File isqrt-S6.mlw: Line 8: Normal execution of function `( * )` with args: _ = (-2) _ = 3 Normal execution of function `(+)` with args: _ = (-6) _ = 1 Normal execution of function `int_ref` with args: i = (-5) File lib.mlw: Line 12: Normal execution of function `int_ref'mk` with args: contents = (-5) File isqrt-S6.mlw: Line 9: Normal execution of function `(+)` with args: _ = 3 _ = 1 Normal execution of function `(!)` with args: r = {contents= 9} File lib.mlw: Line 23: Normal execution of function `contents` with args: arg = {contents= 9} File isqrt-S6.mlw: Line 9: Normal execution of function `(>)` with args: x = 9 y = 4 Normal iteration of loop Line 15: Normal execution of function `(!)` with args: r = {contents= (-5)} File lib.mlw: Line 23: Normal execution of function `contents` with args: arg = {contents= (-5)} File isqrt-S6.mlw: Line 15: Normal execution of function `(!)` with args: r = {contents= 9} File lib.mlw: Line 23: Normal execution of function `contents` with args: arg = {contents= 9} File isqrt-S6.mlw: Line 15: Normal execution of function `(+)` with args: _ = 9 _ = (-5) Normal execution of function `(:=)` with args: r = {contents= 9} i = 4 Line 16: Normal execution of function `(!)` with args: r = {contents= (-5)} File lib.mlw: Line 23: Normal execution of function `contents` with args: arg = {contents= (-5)} File isqrt-S6.mlw: Line 16: Normal execution of function `(+)` with args: _ = (-5) _ = 2 Normal execution of function `(:=)` with args: r = {contents= (-5)} i = (-3) Line 17: Normal execution of function `(!)` with args: r = {contents= 3} File lib.mlw: Line 23: Normal execution of function `contents` with args: arg = {contents= 3} File isqrt-S6.mlw: Line 17: Normal execution of function `(-)` with args: x = 3 y = 1 File int.mlw: Line 23: Normal execution of function `(-_)` with args: _ = 1 Normal execution of function `(+)` with args: _ = 3 _ = (-1) File isqrt-S6.mlw: Line 17: Normal execution of function `(:=)` with args: r = {contents= 3} i = 2 Line 9: Normal execution of function `(+)` with args: _ = 3 _ = 1 Normal execution of function `(!)` with args: r = {contents= 4} File lib.mlw: Line 23: Normal execution of function `contents` with args: arg = {contents= 4} File isqrt-S6.mlw: Line 9: Normal execution of function `(>)` with args: x = 4 y = 4 Line 19: Normal execution of function `(!)` with args: r = {contents= 2} File lib.mlw: Line 23: Normal execution of function `contents` with args: arg = {contents= 2} File isqrt-S6.mlw: Line 5: Property failure at postcondition of `isqrt` with: n = 3 result = 2 ** isqrt-S7 bin/why3 prove --library=bench/check-ce/petiot2018 bench/check-ce/petiot2018/experiments/isqrt-S7.mlw --apply-transform=split_vc --prover=CVC4,1.7,counterexamples --timelimit=15 --check-ce --rac-prover=CVC4,1.7 --sub-goal=:5@postcondition --stepslimit=10000 File "bench/check-ce/petiot2018/experiments/isqrt-S7.mlw", line 5, characters 12-62: Sub-goal Postcondition of goal isqrt'vc. Prover result is: Unknown (sat). The contracts of some function or loop are too weak, for example during the following execution: File isqrt-S7.mlw: Line 3: Execution of main function `isqrt` with env: n = 4 zero = 0 one = 1 Line 6: Giant-step execution of function `int_ref` with args: i = 4 result of `int_ref` = {contents= 4} Line 7: Normal execution of function `( * )` with args: _ = 4 _ = 4 Giant-step execution of function `int_ref` with args: i = 16 result of `int_ref` = {contents= 16} Line 8: Normal execution of function `( * )` with args: _ = (-2) _ = 4 Normal execution of function `(+)` with args: _ = (-8) _ = 1 Giant-step execution of function `int_ref` with args: i = (-7) result of `int_ref` = {contents= (-7)} Line 9: Giant-step iteration of loop r = {contents= 1} y = {contents= 1} z = {contents= (-1)} Giant-step execution of function `(!)` with args: r = {contents= 1} result of `(!)` = 1 Normal execution of function `(>)` with args: x = 1 y = 4 Line 19: Giant-step execution of function `(!)` with args: r = {contents= 1} result of `(!)` = 1 Line 5: Property failure at postcondition of `isqrt` with: n = 4 result = 1 ** isqrt-S8 bin/why3 prove --library=bench/check-ce/petiot2018 bench/check-ce/petiot2018/experiments/isqrt-S8.mlw --apply-transform=split_vc --prover=CVC4,1.7,counterexamples --timelimit=15 --check-ce --rac-prover=CVC4,1.7 --sub-goal=:5@postcondition --stepslimit=10000 File "bench/check-ce/petiot2018/experiments/isqrt-S8.mlw", line 5, characters 12-62: Sub-goal Postcondition of goal isqrt'vc. Prover result is: Unknown (sat). The program does not comply to the verification goal, for example during the following execution: File isqrt-S8.mlw: Line 3: Execution of main function `isqrt` with env: n = 0 zero = 0 one = 1 Line 6: Normal execution of function `int_ref` with args: i = 0 File lib.mlw: Line 12: Normal execution of function `int_ref'mk` with args: contents = 0 File isqrt-S8.mlw: Line 7: Normal execution of function `( * )` with args: _ = 0 _ = 0 Normal execution of function `int_ref` with args: i = 0 File lib.mlw: Line 12: Normal execution of function `int_ref'mk` with args: contents = 0 File isqrt-S8.mlw: Line 8: Normal execution of function `( * )` with args: _ = (-2) _ = 0 Normal execution of function `(+)` with args: _ = 0 _ = 1 Normal execution of function `int_ref` with args: i = 1 File lib.mlw: Line 12: Normal execution of function `int_ref'mk` with args: contents = 1 File isqrt-S8.mlw: Line 9: Normal execution of function `(!)` with args: r = {contents= 0} File lib.mlw: Line 23: Normal execution of function `contents` with args: arg = {contents= 0} File isqrt-S8.mlw: Line 9: Normal execution of function `(>)` with args: x = 0 y = 0 Line 19: Normal execution of function `(!)` with args: r = {contents= 0} File lib.mlw: Line 23: Normal execution of function `contents` with args: arg = {contents= 0} File isqrt-S8.mlw: Line 19: Normal execution of function `(-)` with args: x = 0 y = 1 File int.mlw: Line 23: Normal execution of function `(-_)` with args: _ = 1 Normal execution of function `(+)` with args: _ = 0 _ = (-1) File isqrt-S8.mlw: Line 5: Property failure at postcondition of `isqrt` with: n = 0 result = (-1) ** isqrt-S9 bin/why3 prove --library=bench/check-ce/petiot2018 bench/check-ce/petiot2018/experiments/isqrt-S9.mlw --apply-transform=split_vc --prover=CVC4,1.7,counterexamples --timelimit=15 --check-ce --rac-prover=CVC4,1.7 --sub-goal=:14@loop variant decrease --stepslimit=10000 File "bench/check-ce/petiot2018/experiments/isqrt-S9.mlw", line 14, characters 10-16: Sub-goal Loop variant decrease of goal isqrt'vc. Prover result is: Unknown (sat). The program does not comply to the verification goal, for example during the following execution: File isqrt-S9.mlw: Line 3: Execution of main function `isqrt` with env: n = 3 zero = 0 one = 1 Line 6: Normal execution of function `int_ref` with args: i = 3 File lib.mlw: Line 12: Normal execution of function `int_ref'mk` with args: contents = 3 File isqrt-S9.mlw: Line 7: Normal execution of function `( * )` with args: _ = 3 _ = 3 Normal execution of function `int_ref` with args: i = 9 File lib.mlw: Line 12: Normal execution of function `int_ref'mk` with args: contents = 9 File isqrt-S9.mlw: Line 8: Normal execution of function `( * )` with args: _ = (-2) _ = 3 Normal execution of function `(+)` with args: _ = (-6) _ = 1 Normal execution of function `int_ref` with args: i = (-5) File lib.mlw: Line 12: Normal execution of function `int_ref'mk` with args: contents = (-5) File isqrt-S9.mlw: Line 9: Normal execution of function `(!)` with args: r = {contents= 9} File lib.mlw: Line 23: Normal execution of function `contents` with args: arg = {contents= 9} File isqrt-S9.mlw: Line 9: Normal execution of function `(>)` with args: x = 9 y = 3 Normal iteration of loop Line 15: Normal execution of function `(!)` with args: r = {contents= (-5)} File lib.mlw: Line 23: Normal execution of function `contents` with args: arg = {contents= (-5)} File isqrt-S9.mlw: Line 15: Normal execution of function `(!)` with args: r = {contents= 9} File lib.mlw: Line 23: Normal execution of function `contents` with args: arg = {contents= 9} File isqrt-S9.mlw: Line 15: Normal execution of function `(+)` with args: _ = 9 _ = (-5) Normal execution of function `(:=)` with args: r = {contents= 9} i = 4 Line 16: Normal execution of function `(!)` with args: r = {contents= (-5)} File lib.mlw: Line 23: Normal execution of function `contents` with args: arg = {contents= (-5)} File isqrt-S9.mlw: Line 16: Normal execution of function `(+)` with args: _ = (-5) _ = 2 Normal execution of function `(:=)` with args: r = {contents= (-5)} i = (-3) Line 17: Normal execution of function `(!)` with args: r = {contents= 3} File lib.mlw: Line 23: Normal execution of function `contents` with args: arg = {contents= 3} File isqrt-S9.mlw: Line 17: Normal execution of function `(-)` with args: x = 3 y = 1 File int.mlw: Line 23: Normal execution of function `(-_)` with args: _ = 1 Normal execution of function `(+)` with args: _ = 3 _ = (-1) File isqrt-S9.mlw: Line 17: Normal execution of function `(:=)` with args: r = {contents= 3} i = 2 Line 9: Normal execution of function `(!)` with args: r = {contents= 4} File lib.mlw: Line 23: Normal execution of function `contents` with args: arg = {contents= 4} File isqrt-S9.mlw: Line 9: Normal execution of function `(>)` with args: x = 4 y = 3 Normal iteration of loop Line 15: Normal execution of function `(!)` with args: r = {contents= (-3)} File lib.mlw: Line 23: Normal execution of function `contents` with args: arg = {contents= (-3)} File isqrt-S9.mlw: Line 15: Normal execution of function `(!)` with args: r = {contents= 4} File lib.mlw: Line 23: Normal execution of function `contents` with args: arg = {contents= 4} File isqrt-S9.mlw: Line 15: Normal execution of function `(+)` with args: _ = 4 _ = (-3) Normal execution of function `(:=)` with args: r = {contents= 4} i = 1 Line 16: Normal execution of function `(!)` with args: r = {contents= (-3)} File lib.mlw: Line 23: Normal execution of function `contents` with args: arg = {contents= (-3)} File isqrt-S9.mlw: Line 16: Normal execution of function `(+)` with args: _ = (-3) _ = 2 Normal execution of function `(:=)` with args: r = {contents= (-3)} i = (-1) Line 17: Normal execution of function `(!)` with args: r = {contents= 2} File lib.mlw: Line 23: Normal execution of function `contents` with args: arg = {contents= 2} File isqrt-S9.mlw: Line 17: Normal execution of function `(-)` with args: x = 2 y = 1 File int.mlw: Line 23: Normal execution of function `(-_)` with args: _ = 1 Normal execution of function `(+)` with args: _ = 2 _ = (-1) File isqrt-S9.mlw: Line 17: Normal execution of function `(:=)` with args: r = {contents= 2} i = 1 Line 14: Property failure at loop variant decrease with: n = 3 r = {contents= 1} r = {contents= 2} n = 3 ** isqrt-S10 bin/why3 prove --library=bench/check-ce/petiot2018 bench/check-ce/petiot2018/experiments/isqrt-S10.mlw --apply-transform=split_vc --prover=CVC4,1.7,counterexamples --timelimit=15 --check-ce --rac-prover=CVC4,1.7 --sub-goal=:14@loop variant decrease --stepslimit=10000 File "bench/check-ce/petiot2018/experiments/isqrt-S10.mlw", line 14, characters 14-16: Sub-goal Loop variant decrease of goal isqrt'vc. Prover result is: Unknown (sat). The contracts of some function or loop are too weak, for example during the following execution: File isqrt-S10.mlw: Line 3: Execution of main function `isqrt` with env: n = 0 zero = 0 one = 1 Line 6: Giant-step execution of function `int_ref` with args: i = 0 result of `int_ref` = {contents= 0} Line 7: Normal execution of function `( * )` with args: _ = 0 _ = 0 Giant-step execution of function `int_ref` with args: i = 0 result of `int_ref` = {contents= 0} Line 8: Normal execution of function `( * )` with args: _ = (-2) _ = 0 Normal execution of function `(+)` with args: _ = 0 _ = 1 Giant-step execution of function `int_ref` with args: i = 1 result of `int_ref` = {contents= 1} Line 9: Giant-step iteration of loop r = {contents= (-2)} y = {contents= 4} z = {contents= 5} Giant-step execution of function `(!)` with args: r = {contents= 4} result of `(!)` = 4 Normal execution of function `(>)` with args: x = 4 y = 0 Normal iteration of loop Line 15: Giant-step execution of function `(!)` with args: r = {contents= 5} result of `(!)` = 5 Giant-step execution of function `(!)` with args: r = {contents= 4} result of `(!)` = 4 Normal execution of function `(+)` with args: _ = 4 _ = 5 Giant-step execution of function `(:=)` with args: r = {contents= 4} i = 9 y = {contents= 9} result of `(:=)` = () Line 16: Giant-step execution of function `(!)` with args: r = {contents= 5} result of `(!)` = 5 Normal execution of function `(+)` with args: _ = 5 _ = 2 Giant-step execution of function `(:=)` with args: r = {contents= 5} i = 7 z = {contents= 7} result of `(:=)` = () Line 17: Giant-step execution of function `(!)` with args: r = {contents= (-2)} result of `(!)` = (-2) Giant-step execution of function `(-)` with args: x = (-2) y = 1 result of `(-)` = (-3) Giant-step execution of function `(:=)` with args: r = {contents= (-2)} i = (-3) r = {contents= (-3)} result of `(:=)` = () Line 14: Property failure at loop variant decrease with: r = {contents= (-3)} r = {contents= (-2)} why3-1.6.0/bench/check-ce/petiot2018/oracles/isqrt_CVC4,1.8.oracle000066400000000000000000000711751440160026300240220ustar00rootroot00000000000000* Experiment isqrt ** Original File "bench/check-ce/petiot2018/isqrt.mlw", line 10, characters 19-31: Sub-goal Loop invariant init of goal isqrt'vc. Prover result is: Valid. File "bench/check-ce/petiot2018/isqrt.mlw", line 11, characters 19-31: Sub-goal Loop invariant init of goal isqrt'vc. Prover result is: Valid. File "bench/check-ce/petiot2018/isqrt.mlw", line 12, characters 19-38: Sub-goal Loop invariant init of goal isqrt'vc. Prover result is: Valid. File "bench/check-ce/petiot2018/isqrt.mlw", line 13, characters 19-35: Sub-goal Loop invariant init of goal isqrt'vc. Prover result is: Valid. File "bench/check-ce/petiot2018/isqrt.mlw", line 14, characters 14-16: Sub-goal Loop variant decrease of goal isqrt'vc. Prover result is: Valid. File "bench/check-ce/petiot2018/isqrt.mlw", line 10, characters 19-31: Sub-goal Loop invariant preservation of goal isqrt'vc. Prover result is: Valid. File "bench/check-ce/petiot2018/isqrt.mlw", line 11, characters 19-31: Sub-goal Loop invariant preservation of goal isqrt'vc. Prover result is: Valid. File "bench/check-ce/petiot2018/isqrt.mlw", line 12, characters 19-38: Sub-goal Loop invariant preservation of goal isqrt'vc. Prover result is: Valid. File "bench/check-ce/petiot2018/isqrt.mlw", line 13, characters 19-35: Sub-goal Loop invariant preservation of goal isqrt'vc. Prover result is: Valid. File "bench/check-ce/petiot2018/isqrt.mlw", line 5, characters 12-62: Sub-goal Postcondition of goal isqrt'vc. Prover result is: Valid. ** isqrt-S1 bin/why3 prove --library=bench/check-ce/petiot2018 bench/check-ce/petiot2018/experiments/isqrt-S1.mlw --apply-transform=split_vc --prover=CVC4,1.8,counterexamples --timelimit=15 --check-ce --rac-prover=CVC4,1.8 --sub-goal=:10@loop invariant init --stepslimit=10000 File "bench/check-ce/petiot2018/experiments/isqrt-S1.mlw", line 10, characters 19-31: Sub-goal Loop invariant init of goal isqrt'vc. Prover result is: Unknown (sat). The program does not comply to the verification goal, for example during the following execution: File isqrt-S1.mlw: Line 3: Execution of main function `isqrt` with env: n = (- 1) zero = 0 one = 1 Line 6: Normal execution of function `int_ref` with args: i = (- 1) File lib.mlw: Line 12: Normal execution of function `int_ref'mk` with args: contents = (- 1) File isqrt-S1.mlw: Line 7: Normal execution of function `( * )` with args: _ = (- 1) _ = (- 1) Normal execution of function `int_ref` with args: i = 1 File lib.mlw: Line 12: Normal execution of function `int_ref'mk` with args: contents = 1 File isqrt-S1.mlw: Line 8: Normal execution of function `( * )` with args: _ = (-2) _ = (- 1) Normal execution of function `(+)` with args: _ = 2 _ = 1 Normal execution of function `int_ref` with args: i = 3 File lib.mlw: Line 12: Normal execution of function `int_ref'mk` with args: contents = 3 File isqrt-S1.mlw: Line 10: Property failure at loop invariant init with: n = (- 1) r = {contents= (- 1)} ** isqrt-S2 bin/why3 prove --library=bench/check-ce/petiot2018 bench/check-ce/petiot2018/experiments/isqrt-S2.mlw --apply-transform=split_vc --prover=CVC4,1.8,counterexamples --timelimit=15 --check-ce --rac-prover=CVC4,1.8 --sub-goal=:13@loop invariant init --stepslimit=10000 File "bench/check-ce/petiot2018/experiments/isqrt-S2.mlw", line 13, characters 19-35: Sub-goal Loop invariant init of goal isqrt'vc. Prover result is: Unknown (sat). The program does not comply to the verification goal, for example during the following execution: File isqrt-S2.mlw: Line 3: Execution of main function `isqrt` with env: n = 1 zero = 0 one = 1 Line 6: Normal execution of function `int_ref` with args: i = 1 File lib.mlw: Line 12: Normal execution of function `int_ref'mk` with args: contents = 1 File isqrt-S2.mlw: Line 7: Normal execution of function `( * )` with args: _ = 1 _ = 1 Normal execution of function `int_ref` with args: i = 1 File lib.mlw: Line 12: Normal execution of function `int_ref'mk` with args: contents = 1 File isqrt-S2.mlw: Line 8: Normal execution of function `( * )` with args: _ = 2 _ = 1 Normal execution of function `(+)` with args: _ = 2 _ = 1 Normal execution of function `int_ref` with args: i = 3 File lib.mlw: Line 12: Normal execution of function `int_ref'mk` with args: contents = 3 File isqrt-S2.mlw: Line 13: Property failure at loop invariant init with: r = {contents= 1} z = {contents= 3} ** isqrt-S3 bin/why3 prove --library=bench/check-ce/petiot2018 bench/check-ce/petiot2018/experiments/isqrt-S3.mlw --apply-transform=split_vc --prover=CVC4,1.8,counterexamples --timelimit=15 --check-ce --rac-prover=CVC4,1.8 --sub-goal=:13@loop invariant init --stepslimit=10000 File "bench/check-ce/petiot2018/experiments/isqrt-S3.mlw", line 13, characters 15-30: Sub-goal Loop invariant init of goal isqrt'vc. Prover result is: Unknown (sat). The program does not comply to the verification goal, for example during the following execution: File isqrt-S3.mlw: Line 3: Execution of main function `isqrt` with env: n = 1 zero = 0 one = 1 Line 6: Normal execution of function `int_ref` with args: i = 1 File lib.mlw: Line 12: Normal execution of function `int_ref'mk` with args: contents = 1 File isqrt-S3.mlw: Line 7: Normal execution of function `( * )` with args: _ = 1 _ = 1 Normal execution of function `int_ref` with args: i = 1 File lib.mlw: Line 12: Normal execution of function `int_ref'mk` with args: contents = 1 File isqrt-S3.mlw: Line 8: Normal execution of function `( * )` with args: _ = (-2) _ = 1 Normal execution of function `(+)` with args: _ = (-2) _ = 1 Normal execution of function `int_ref` with args: i = (-1) File lib.mlw: Line 12: Normal execution of function `int_ref'mk` with args: contents = (-1) File isqrt-S3.mlw: Line 13: Property failure at loop invariant init with: r = {contents= 1} z = {contents= (-1)} ** isqrt-S4 bin/why3 prove --library=bench/check-ce/petiot2018 bench/check-ce/petiot2018/experiments/isqrt-S4.mlw --apply-transform=split_vc --prover=CVC4,1.8,counterexamples --timelimit=15 --check-ce --rac-prover=CVC4,1.8 --sub-goal=:11@loop invariant preservation --stepslimit=10000 File "bench/check-ce/petiot2018/experiments/isqrt-S4.mlw", line 11, characters 19-31: Sub-goal Loop invariant preservation of goal isqrt'vc. Prover result is: Unknown (sat). The program does not comply to the verification goal, for example during the following execution: File isqrt-S4.mlw: Line 3: Execution of main function `isqrt` with env: n = 3 zero = 0 one = 1 Line 6: Normal execution of function `int_ref` with args: i = 3 File lib.mlw: Line 12: Normal execution of function `int_ref'mk` with args: contents = 3 File isqrt-S4.mlw: Line 7: Normal execution of function `( * )` with args: _ = 3 _ = 3 Normal execution of function `int_ref` with args: i = 9 File lib.mlw: Line 12: Normal execution of function `int_ref'mk` with args: contents = 9 File isqrt-S4.mlw: Line 8: Normal execution of function `( * )` with args: _ = (-2) _ = 3 Normal execution of function `(+)` with args: _ = (-6) _ = 1 Normal execution of function `int_ref` with args: i = (-5) File lib.mlw: Line 12: Normal execution of function `int_ref'mk` with args: contents = (-5) File isqrt-S4.mlw: Line 9: Normal execution of function `(!)` with args: r = {contents= 9} File lib.mlw: Line 23: Normal execution of function `contents` with args: arg = {contents= 9} File isqrt-S4.mlw: Line 9: Normal execution of function `(>)` with args: x = 9 y = 3 Normal iteration of loop Line 15: Normal execution of function `(!)` with args: r = {contents= (-5)} File lib.mlw: Line 23: Normal execution of function `contents` with args: arg = {contents= (-5)} File isqrt-S4.mlw: Line 15: Normal execution of function `(!)` with args: r = {contents= 9} File lib.mlw: Line 23: Normal execution of function `contents` with args: arg = {contents= 9} File isqrt-S4.mlw: Line 15: Normal execution of function `(-)` with args: x = 9 y = (-5) File int.mlw: Line 23: Normal execution of function `(-_)` with args: _ = (-5) Normal execution of function `(+)` with args: _ = 9 _ = 5 File isqrt-S4.mlw: Line 15: Normal execution of function `(:=)` with args: r = {contents= 9} i = 14 Line 16: Normal execution of function `(!)` with args: r = {contents= (-5)} File lib.mlw: Line 23: Normal execution of function `contents` with args: arg = {contents= (-5)} File isqrt-S4.mlw: Line 16: Normal execution of function `(+)` with args: _ = (-5) _ = 2 Normal execution of function `(:=)` with args: r = {contents= (-5)} i = (-3) Line 17: Normal execution of function `(!)` with args: r = {contents= 3} File lib.mlw: Line 23: Normal execution of function `contents` with args: arg = {contents= 3} File isqrt-S4.mlw: Line 17: Normal execution of function `(-)` with args: x = 3 y = 1 File int.mlw: Line 23: Normal execution of function `(-_)` with args: _ = 1 Normal execution of function `(+)` with args: _ = 3 _ = (-1) File isqrt-S4.mlw: Line 17: Normal execution of function `(:=)` with args: r = {contents= 3} i = 2 Line 11: Property failure at loop invariant preservation with: r = {contents= 2} y = {contents= 14} ** isqrt-S5 bin/why3 prove --library=bench/check-ce/petiot2018 bench/check-ce/petiot2018/experiments/isqrt-S5.mlw --apply-transform=split_vc --prover=CVC4,1.8,counterexamples --timelimit=15 --check-ce --rac-prover=CVC4,1.8 --sub-goal=:11@loop invariant preservation --stepslimit=10000 File "bench/check-ce/petiot2018/experiments/isqrt-S5.mlw", line 11, characters 19-31: Sub-goal Loop invariant preservation of goal isqrt'vc. Prover result is: Unknown (sat). The contracts of some function or loop are too weak, for example during the following execution: File isqrt-S5.mlw: Line 3: Execution of main function `isqrt` with env: n = 3 zero = 0 one = 1 Line 6: Giant-step execution of function `int_ref` with args: i = 3 result of `int_ref` = {contents= 3} Line 7: Normal execution of function `( * )` with args: _ = 3 _ = 3 Giant-step execution of function `int_ref` with args: i = 9 result of `int_ref` = {contents= 9} Line 8: Normal execution of function `( * )` with args: _ = (-2) _ = 3 Normal execution of function `(+)` with args: _ = (-6) _ = 1 Giant-step execution of function `int_ref` with args: i = (-5) result of `int_ref` = {contents= (- 5)} Line 9: Giant-step iteration of loop r = {contents= 2} y = {contents= 4} z = {contents= (- 2)} Giant-step execution of function `(!)` with args: r = {contents= 4} result of `(!)` = 4 Normal execution of function `(>)` with args: x = 4 y = 3 Normal iteration of loop Line 15: Giant-step execution of function `(!)` with args: r = {contents= (- 2)} result of `(!)` = (- 2) Giant-step execution of function `(!)` with args: r = {contents= 4} result of `(!)` = 4 Normal execution of function `(+)` with args: _ = 4 _ = (- 2) Giant-step execution of function `(:=)` with args: r = {contents= 4} i = 2 y = {contents= 2} result of `(:=)` = () Line 16: Giant-step execution of function `(!)` with args: r = {contents= (- 2)} result of `(!)` = (- 2) Normal execution of function `(+)` with args: _ = (- 2) _ = 2 Giant-step execution of function `(:=)` with args: r = {contents= (- 2)} i = 0 z = {contents= 0} result of `(:=)` = () Line 17: Giant-step execution of function `(!)` with args: r = {contents= 2} result of `(!)` = 2 Giant-step execution of function `(-)` with args: x = 2 y = 1 result of `(-)` = 1 Giant-step execution of function `(:=)` with args: r = {contents= 2} i = 1 r = {contents= 1} result of `(:=)` = () Line 11: Property failure at loop invariant preservation with: r = {contents= 1} y = {contents= 2} ** isqrt-S6 bin/why3 prove --library=bench/check-ce/petiot2018 bench/check-ce/petiot2018/experiments/isqrt-S6.mlw --apply-transform=split_vc --prover=CVC4,1.8,counterexamples --timelimit=15 --check-ce --rac-prover=CVC4,1.8 --sub-goal=:5@postcondition --stepslimit=10000 File "bench/check-ce/petiot2018/experiments/isqrt-S6.mlw", line 5, characters 12-62: Sub-goal Postcondition of goal isqrt'vc. Prover result is: Unknown (sat). The program does not comply to the verification goal, for example during the following execution: File isqrt-S6.mlw: Line 3: Execution of main function `isqrt` with env: n = 3 zero = 0 one = 1 Line 6: Normal execution of function `int_ref` with args: i = 3 File lib.mlw: Line 12: Normal execution of function `int_ref'mk` with args: contents = 3 File isqrt-S6.mlw: Line 7: Normal execution of function `( * )` with args: _ = 3 _ = 3 Normal execution of function `int_ref` with args: i = 9 File lib.mlw: Line 12: Normal execution of function `int_ref'mk` with args: contents = 9 File isqrt-S6.mlw: Line 8: Normal execution of function `( * )` with args: _ = (-2) _ = 3 Normal execution of function `(+)` with args: _ = (-6) _ = 1 Normal execution of function `int_ref` with args: i = (-5) File lib.mlw: Line 12: Normal execution of function `int_ref'mk` with args: contents = (-5) File isqrt-S6.mlw: Line 9: Normal execution of function `(+)` with args: _ = 3 _ = 1 Normal execution of function `(!)` with args: r = {contents= 9} File lib.mlw: Line 23: Normal execution of function `contents` with args: arg = {contents= 9} File isqrt-S6.mlw: Line 9: Normal execution of function `(>)` with args: x = 9 y = 4 Normal iteration of loop Line 15: Normal execution of function `(!)` with args: r = {contents= (-5)} File lib.mlw: Line 23: Normal execution of function `contents` with args: arg = {contents= (-5)} File isqrt-S6.mlw: Line 15: Normal execution of function `(!)` with args: r = {contents= 9} File lib.mlw: Line 23: Normal execution of function `contents` with args: arg = {contents= 9} File isqrt-S6.mlw: Line 15: Normal execution of function `(+)` with args: _ = 9 _ = (-5) Normal execution of function `(:=)` with args: r = {contents= 9} i = 4 Line 16: Normal execution of function `(!)` with args: r = {contents= (-5)} File lib.mlw: Line 23: Normal execution of function `contents` with args: arg = {contents= (-5)} File isqrt-S6.mlw: Line 16: Normal execution of function `(+)` with args: _ = (-5) _ = 2 Normal execution of function `(:=)` with args: r = {contents= (-5)} i = (-3) Line 17: Normal execution of function `(!)` with args: r = {contents= 3} File lib.mlw: Line 23: Normal execution of function `contents` with args: arg = {contents= 3} File isqrt-S6.mlw: Line 17: Normal execution of function `(-)` with args: x = 3 y = 1 File int.mlw: Line 23: Normal execution of function `(-_)` with args: _ = 1 Normal execution of function `(+)` with args: _ = 3 _ = (-1) File isqrt-S6.mlw: Line 17: Normal execution of function `(:=)` with args: r = {contents= 3} i = 2 Line 9: Normal execution of function `(+)` with args: _ = 3 _ = 1 Normal execution of function `(!)` with args: r = {contents= 4} File lib.mlw: Line 23: Normal execution of function `contents` with args: arg = {contents= 4} File isqrt-S6.mlw: Line 9: Normal execution of function `(>)` with args: x = 4 y = 4 Line 19: Normal execution of function `(!)` with args: r = {contents= 2} File lib.mlw: Line 23: Normal execution of function `contents` with args: arg = {contents= 2} File isqrt-S6.mlw: Line 5: Property failure at postcondition of `isqrt` with: n = 3 result = 2 ** isqrt-S7 bin/why3 prove --library=bench/check-ce/petiot2018 bench/check-ce/petiot2018/experiments/isqrt-S7.mlw --apply-transform=split_vc --prover=CVC4,1.8,counterexamples --timelimit=15 --check-ce --rac-prover=CVC4,1.8 --sub-goal=:5@postcondition --stepslimit=10000 File "bench/check-ce/petiot2018/experiments/isqrt-S7.mlw", line 5, characters 12-62: Sub-goal Postcondition of goal isqrt'vc. Prover result is: Unknown (sat). The contracts of some function or loop are too weak, for example during the following execution: File isqrt-S7.mlw: Line 3: Execution of main function `isqrt` with env: n = 4 zero = 0 one = 1 Line 6: Giant-step execution of function `int_ref` with args: i = 4 result of `int_ref` = {contents= 4} Line 7: Normal execution of function `( * )` with args: _ = 4 _ = 4 Giant-step execution of function `int_ref` with args: i = 16 result of `int_ref` = {contents= 16} Line 8: Normal execution of function `( * )` with args: _ = (-2) _ = 4 Normal execution of function `(+)` with args: _ = (-8) _ = 1 Giant-step execution of function `int_ref` with args: i = (-7) result of `int_ref` = {contents= (- 7)} Line 9: Giant-step iteration of loop r = {contents= 1} y = {contents= 1} z = {contents= (- 1)} Giant-step execution of function `(!)` with args: r = {contents= 1} result of `(!)` = 1 Normal execution of function `(>)` with args: x = 1 y = 4 Line 19: Giant-step execution of function `(!)` with args: r = {contents= 1} result of `(!)` = 1 Line 5: Property failure at postcondition of `isqrt` with: n = 4 result = 1 ** isqrt-S8 bin/why3 prove --library=bench/check-ce/petiot2018 bench/check-ce/petiot2018/experiments/isqrt-S8.mlw --apply-transform=split_vc --prover=CVC4,1.8,counterexamples --timelimit=15 --check-ce --rac-prover=CVC4,1.8 --sub-goal=:5@postcondition --stepslimit=10000 File "bench/check-ce/petiot2018/experiments/isqrt-S8.mlw", line 5, characters 12-62: Sub-goal Postcondition of goal isqrt'vc. Prover result is: Unknown (sat). The program does not comply to the verification goal, for example during the following execution: File isqrt-S8.mlw: Line 3: Execution of main function `isqrt` with env: n = 0 zero = 0 one = 1 Line 6: Normal execution of function `int_ref` with args: i = 0 File lib.mlw: Line 12: Normal execution of function `int_ref'mk` with args: contents = 0 File isqrt-S8.mlw: Line 7: Normal execution of function `( * )` with args: _ = 0 _ = 0 Normal execution of function `int_ref` with args: i = 0 File lib.mlw: Line 12: Normal execution of function `int_ref'mk` with args: contents = 0 File isqrt-S8.mlw: Line 8: Normal execution of function `( * )` with args: _ = (-2) _ = 0 Normal execution of function `(+)` with args: _ = 0 _ = 1 Normal execution of function `int_ref` with args: i = 1 File lib.mlw: Line 12: Normal execution of function `int_ref'mk` with args: contents = 1 File isqrt-S8.mlw: Line 9: Normal execution of function `(!)` with args: r = {contents= 0} File lib.mlw: Line 23: Normal execution of function `contents` with args: arg = {contents= 0} File isqrt-S8.mlw: Line 9: Normal execution of function `(>)` with args: x = 0 y = 0 Line 19: Normal execution of function `(!)` with args: r = {contents= 0} File lib.mlw: Line 23: Normal execution of function `contents` with args: arg = {contents= 0} File isqrt-S8.mlw: Line 19: Normal execution of function `(-)` with args: x = 0 y = 1 File int.mlw: Line 23: Normal execution of function `(-_)` with args: _ = 1 Normal execution of function `(+)` with args: _ = 0 _ = (-1) File isqrt-S8.mlw: Line 5: Property failure at postcondition of `isqrt` with: n = 0 result = (-1) ** isqrt-S9 bin/why3 prove --library=bench/check-ce/petiot2018 bench/check-ce/petiot2018/experiments/isqrt-S9.mlw --apply-transform=split_vc --prover=CVC4,1.8,counterexamples --timelimit=15 --check-ce --rac-prover=CVC4,1.8 --sub-goal=:14@loop variant decrease --stepslimit=10000 File "bench/check-ce/petiot2018/experiments/isqrt-S9.mlw", line 14, characters 10-16: Sub-goal Loop variant decrease of goal isqrt'vc. Prover result is: Unknown (sat). The program does not comply to the verification goal, for example during the following execution: File isqrt-S9.mlw: Line 3: Execution of main function `isqrt` with env: n = 3 zero = 0 one = 1 Line 6: Normal execution of function `int_ref` with args: i = 3 File lib.mlw: Line 12: Normal execution of function `int_ref'mk` with args: contents = 3 File isqrt-S9.mlw: Line 7: Normal execution of function `( * )` with args: _ = 3 _ = 3 Normal execution of function `int_ref` with args: i = 9 File lib.mlw: Line 12: Normal execution of function `int_ref'mk` with args: contents = 9 File isqrt-S9.mlw: Line 8: Normal execution of function `( * )` with args: _ = (-2) _ = 3 Normal execution of function `(+)` with args: _ = (-6) _ = 1 Normal execution of function `int_ref` with args: i = (-5) File lib.mlw: Line 12: Normal execution of function `int_ref'mk` with args: contents = (-5) File isqrt-S9.mlw: Line 9: Normal execution of function `(!)` with args: r = {contents= 9} File lib.mlw: Line 23: Normal execution of function `contents` with args: arg = {contents= 9} File isqrt-S9.mlw: Line 9: Normal execution of function `(>)` with args: x = 9 y = 3 Normal iteration of loop Line 15: Normal execution of function `(!)` with args: r = {contents= (-5)} File lib.mlw: Line 23: Normal execution of function `contents` with args: arg = {contents= (-5)} File isqrt-S9.mlw: Line 15: Normal execution of function `(!)` with args: r = {contents= 9} File lib.mlw: Line 23: Normal execution of function `contents` with args: arg = {contents= 9} File isqrt-S9.mlw: Line 15: Normal execution of function `(+)` with args: _ = 9 _ = (-5) Normal execution of function `(:=)` with args: r = {contents= 9} i = 4 Line 16: Normal execution of function `(!)` with args: r = {contents= (-5)} File lib.mlw: Line 23: Normal execution of function `contents` with args: arg = {contents= (-5)} File isqrt-S9.mlw: Line 16: Normal execution of function `(+)` with args: _ = (-5) _ = 2 Normal execution of function `(:=)` with args: r = {contents= (-5)} i = (-3) Line 17: Normal execution of function `(!)` with args: r = {contents= 3} File lib.mlw: Line 23: Normal execution of function `contents` with args: arg = {contents= 3} File isqrt-S9.mlw: Line 17: Normal execution of function `(-)` with args: x = 3 y = 1 File int.mlw: Line 23: Normal execution of function `(-_)` with args: _ = 1 Normal execution of function `(+)` with args: _ = 3 _ = (-1) File isqrt-S9.mlw: Line 17: Normal execution of function `(:=)` with args: r = {contents= 3} i = 2 Line 9: Normal execution of function `(!)` with args: r = {contents= 4} File lib.mlw: Line 23: Normal execution of function `contents` with args: arg = {contents= 4} File isqrt-S9.mlw: Line 9: Normal execution of function `(>)` with args: x = 4 y = 3 Normal iteration of loop Line 15: Normal execution of function `(!)` with args: r = {contents= (-3)} File lib.mlw: Line 23: Normal execution of function `contents` with args: arg = {contents= (-3)} File isqrt-S9.mlw: Line 15: Normal execution of function `(!)` with args: r = {contents= 4} File lib.mlw: Line 23: Normal execution of function `contents` with args: arg = {contents= 4} File isqrt-S9.mlw: Line 15: Normal execution of function `(+)` with args: _ = 4 _ = (-3) Normal execution of function `(:=)` with args: r = {contents= 4} i = 1 Line 16: Normal execution of function `(!)` with args: r = {contents= (-3)} File lib.mlw: Line 23: Normal execution of function `contents` with args: arg = {contents= (-3)} File isqrt-S9.mlw: Line 16: Normal execution of function `(+)` with args: _ = (-3) _ = 2 Normal execution of function `(:=)` with args: r = {contents= (-3)} i = (-1) Line 17: Normal execution of function `(!)` with args: r = {contents= 2} File lib.mlw: Line 23: Normal execution of function `contents` with args: arg = {contents= 2} File isqrt-S9.mlw: Line 17: Normal execution of function `(-)` with args: x = 2 y = 1 File int.mlw: Line 23: Normal execution of function `(-_)` with args: _ = 1 Normal execution of function `(+)` with args: _ = 2 _ = (-1) File isqrt-S9.mlw: Line 17: Normal execution of function `(:=)` with args: r = {contents= 2} i = 1 Line 14: Property failure at loop variant decrease with: n = 3 r = {contents= 1} r = {contents= 2} n = 3 ** isqrt-S10 bin/why3 prove --library=bench/check-ce/petiot2018 bench/check-ce/petiot2018/experiments/isqrt-S10.mlw --apply-transform=split_vc --prover=CVC4,1.8,counterexamples --timelimit=15 --check-ce --rac-prover=CVC4,1.8 --sub-goal=:14@loop variant decrease --stepslimit=10000 File "bench/check-ce/petiot2018/experiments/isqrt-S10.mlw", line 14, characters 14-16: Sub-goal Loop variant decrease of goal isqrt'vc. Prover result is: Unknown (sat). The contracts of some function or loop are too weak, for example during the following execution: File isqrt-S10.mlw: Line 3: Execution of main function `isqrt` with env: n = 0 zero = 0 one = 1 Line 6: Giant-step execution of function `int_ref` with args: i = 0 result of `int_ref` = {contents= 0} Line 7: Normal execution of function `( * )` with args: _ = 0 _ = 0 Giant-step execution of function `int_ref` with args: i = 0 result of `int_ref` = {contents= 0} Line 8: Normal execution of function `( * )` with args: _ = (-2) _ = 0 Normal execution of function `(+)` with args: _ = 0 _ = 1 Giant-step execution of function `int_ref` with args: i = 1 result of `int_ref` = {contents= 1} Line 9: Giant-step iteration of loop r = {contents= (- 2)} y = {contents= 4} z = {contents= 5} Giant-step execution of function `(!)` with args: r = {contents= 4} result of `(!)` = 4 Normal execution of function `(>)` with args: x = 4 y = 0 Normal iteration of loop Line 15: Giant-step execution of function `(!)` with args: r = {contents= 5} result of `(!)` = 5 Giant-step execution of function `(!)` with args: r = {contents= 4} result of `(!)` = 4 Normal execution of function `(+)` with args: _ = 4 _ = 5 Giant-step execution of function `(:=)` with args: r = {contents= 4} i = 9 y = {contents= 9} result of `(:=)` = () Line 16: Giant-step execution of function `(!)` with args: r = {contents= 5} result of `(!)` = 5 Normal execution of function `(+)` with args: _ = 5 _ = 2 Giant-step execution of function `(:=)` with args: r = {contents= 5} i = 7 z = {contents= 7} result of `(:=)` = () Line 17: Giant-step execution of function `(!)` with args: r = {contents= (- 2)} result of `(!)` = (- 2) Giant-step execution of function `(-)` with args: x = (- 2) y = 1 result of `(-)` = (- 3) Giant-step execution of function `(:=)` with args: r = {contents= (- 2)} i = (- 3) r = {contents= (- 3)} result of `(:=)` = () Line 14: Property failure at loop variant decrease with: r = {contents= (- 3)} r = {contents= (- 2)} why3-1.6.0/bench/check-ce/petiot2018/oracles/isqrt_CVC5,1.0.0.oracle000066400000000000000000000712451440160026300241470ustar00rootroot00000000000000* Experiment isqrt ** Original File "bench/check-ce/petiot2018/isqrt.mlw", line 10, characters 19-31: Sub-goal Loop invariant init of goal isqrt'vc. Prover result is: Valid. File "bench/check-ce/petiot2018/isqrt.mlw", line 11, characters 19-31: Sub-goal Loop invariant init of goal isqrt'vc. Prover result is: Valid. File "bench/check-ce/petiot2018/isqrt.mlw", line 12, characters 19-38: Sub-goal Loop invariant init of goal isqrt'vc. Prover result is: Valid. File "bench/check-ce/petiot2018/isqrt.mlw", line 13, characters 19-35: Sub-goal Loop invariant init of goal isqrt'vc. Prover result is: Valid. File "bench/check-ce/petiot2018/isqrt.mlw", line 14, characters 14-16: Sub-goal Loop variant decrease of goal isqrt'vc. Prover result is: Valid. File "bench/check-ce/petiot2018/isqrt.mlw", line 10, characters 19-31: Sub-goal Loop invariant preservation of goal isqrt'vc. Prover result is: Valid. File "bench/check-ce/petiot2018/isqrt.mlw", line 11, characters 19-31: Sub-goal Loop invariant preservation of goal isqrt'vc. Prover result is: Valid. File "bench/check-ce/petiot2018/isqrt.mlw", line 12, characters 19-38: Sub-goal Loop invariant preservation of goal isqrt'vc. Prover result is: Valid. File "bench/check-ce/petiot2018/isqrt.mlw", line 13, characters 19-35: Sub-goal Loop invariant preservation of goal isqrt'vc. Prover result is: Valid. File "bench/check-ce/petiot2018/isqrt.mlw", line 5, characters 12-62: Sub-goal Postcondition of goal isqrt'vc. Prover result is: Valid. ** isqrt-S1 bin/why3 prove --library=bench/check-ce/petiot2018 bench/check-ce/petiot2018/experiments/isqrt-S1.mlw --apply-transform=split_vc --prover=CVC5,1.0.0,counterexamples --timelimit=15 --check-ce --rac-prover=CVC5,1.0.0 --sub-goal=:10@loop invariant init --stepslimit=10000 File "bench/check-ce/petiot2018/experiments/isqrt-S1.mlw", line 10, characters 19-31: Sub-goal Loop invariant init of goal isqrt'vc. Prover result is: Unknown (sat). The program does not comply to the verification goal, for example during the following execution: File isqrt-S1.mlw: Line 3: Execution of main function `isqrt` with env: n = (- 1) zero = 0 one = 1 Line 6: Normal execution of function `int_ref` with args: i = (- 1) File lib.mlw: Line 12: Normal execution of function `int_ref'mk` with args: contents = (- 1) File isqrt-S1.mlw: Line 7: Normal execution of function `( * )` with args: _ = (- 1) _ = (- 1) Normal execution of function `int_ref` with args: i = 1 File lib.mlw: Line 12: Normal execution of function `int_ref'mk` with args: contents = 1 File isqrt-S1.mlw: Line 8: Normal execution of function `( * )` with args: _ = (-2) _ = (- 1) Normal execution of function `(+)` with args: _ = 2 _ = 1 Normal execution of function `int_ref` with args: i = 3 File lib.mlw: Line 12: Normal execution of function `int_ref'mk` with args: contents = 3 File isqrt-S1.mlw: Line 10: Property failure at loop invariant init with: n = (- 1) r = {contents= (- 1)} ** isqrt-S2 bin/why3 prove --library=bench/check-ce/petiot2018 bench/check-ce/petiot2018/experiments/isqrt-S2.mlw --apply-transform=split_vc --prover=CVC5,1.0.0,counterexamples --timelimit=15 --check-ce --rac-prover=CVC5,1.0.0 --sub-goal=:13@loop invariant init --stepslimit=10000 File "bench/check-ce/petiot2018/experiments/isqrt-S2.mlw", line 13, characters 19-35: Sub-goal Loop invariant init of goal isqrt'vc. Prover result is: Unknown (sat). The program does not comply to the verification goal, for example during the following execution: File isqrt-S2.mlw: Line 3: Execution of main function `isqrt` with env: n = 1 zero = 0 one = 1 Line 6: Normal execution of function `int_ref` with args: i = 1 File lib.mlw: Line 12: Normal execution of function `int_ref'mk` with args: contents = 1 File isqrt-S2.mlw: Line 7: Normal execution of function `( * )` with args: _ = 1 _ = 1 Normal execution of function `int_ref` with args: i = 1 File lib.mlw: Line 12: Normal execution of function `int_ref'mk` with args: contents = 1 File isqrt-S2.mlw: Line 8: Normal execution of function `( * )` with args: _ = 2 _ = 1 Normal execution of function `(+)` with args: _ = 2 _ = 1 Normal execution of function `int_ref` with args: i = 3 File lib.mlw: Line 12: Normal execution of function `int_ref'mk` with args: contents = 3 File isqrt-S2.mlw: Line 13: Property failure at loop invariant init with: r = {contents= 1} z = {contents= 3} ** isqrt-S3 bin/why3 prove --library=bench/check-ce/petiot2018 bench/check-ce/petiot2018/experiments/isqrt-S3.mlw --apply-transform=split_vc --prover=CVC5,1.0.0,counterexamples --timelimit=15 --check-ce --rac-prover=CVC5,1.0.0 --sub-goal=:13@loop invariant init --stepslimit=10000 File "bench/check-ce/petiot2018/experiments/isqrt-S3.mlw", line 13, characters 15-30: Sub-goal Loop invariant init of goal isqrt'vc. Prover result is: Unknown (sat). The program does not comply to the verification goal, for example during the following execution: File isqrt-S3.mlw: Line 3: Execution of main function `isqrt` with env: n = 1 zero = 0 one = 1 Line 6: Normal execution of function `int_ref` with args: i = 1 File lib.mlw: Line 12: Normal execution of function `int_ref'mk` with args: contents = 1 File isqrt-S3.mlw: Line 7: Normal execution of function `( * )` with args: _ = 1 _ = 1 Normal execution of function `int_ref` with args: i = 1 File lib.mlw: Line 12: Normal execution of function `int_ref'mk` with args: contents = 1 File isqrt-S3.mlw: Line 8: Normal execution of function `( * )` with args: _ = (-2) _ = 1 Normal execution of function `(+)` with args: _ = (-2) _ = 1 Normal execution of function `int_ref` with args: i = (-1) File lib.mlw: Line 12: Normal execution of function `int_ref'mk` with args: contents = (-1) File isqrt-S3.mlw: Line 13: Property failure at loop invariant init with: r = {contents= 1} z = {contents= (-1)} ** isqrt-S4 bin/why3 prove --library=bench/check-ce/petiot2018 bench/check-ce/petiot2018/experiments/isqrt-S4.mlw --apply-transform=split_vc --prover=CVC5,1.0.0,counterexamples --timelimit=15 --check-ce --rac-prover=CVC5,1.0.0 --sub-goal=:11@loop invariant preservation --stepslimit=10000 File "bench/check-ce/petiot2018/experiments/isqrt-S4.mlw", line 11, characters 19-31: Sub-goal Loop invariant preservation of goal isqrt'vc. Prover result is: Unknown (sat). The program does not comply to the verification goal, for example during the following execution: File isqrt-S4.mlw: Line 3: Execution of main function `isqrt` with env: n = 3 zero = 0 one = 1 Line 6: Normal execution of function `int_ref` with args: i = 3 File lib.mlw: Line 12: Normal execution of function `int_ref'mk` with args: contents = 3 File isqrt-S4.mlw: Line 7: Normal execution of function `( * )` with args: _ = 3 _ = 3 Normal execution of function `int_ref` with args: i = 9 File lib.mlw: Line 12: Normal execution of function `int_ref'mk` with args: contents = 9 File isqrt-S4.mlw: Line 8: Normal execution of function `( * )` with args: _ = (-2) _ = 3 Normal execution of function `(+)` with args: _ = (-6) _ = 1 Normal execution of function `int_ref` with args: i = (-5) File lib.mlw: Line 12: Normal execution of function `int_ref'mk` with args: contents = (-5) File isqrt-S4.mlw: Line 9: Normal execution of function `(!)` with args: r = {contents= 9} File lib.mlw: Line 23: Normal execution of function `contents` with args: arg = {contents= 9} File isqrt-S4.mlw: Line 9: Normal execution of function `(>)` with args: x = 9 y = 3 Normal iteration of loop Line 15: Normal execution of function `(!)` with args: r = {contents= (-5)} File lib.mlw: Line 23: Normal execution of function `contents` with args: arg = {contents= (-5)} File isqrt-S4.mlw: Line 15: Normal execution of function `(!)` with args: r = {contents= 9} File lib.mlw: Line 23: Normal execution of function `contents` with args: arg = {contents= 9} File isqrt-S4.mlw: Line 15: Normal execution of function `(-)` with args: x = 9 y = (-5) File int.mlw: Line 23: Normal execution of function `(-_)` with args: _ = (-5) Normal execution of function `(+)` with args: _ = 9 _ = 5 File isqrt-S4.mlw: Line 15: Normal execution of function `(:=)` with args: r = {contents= 9} i = 14 Line 16: Normal execution of function `(!)` with args: r = {contents= (-5)} File lib.mlw: Line 23: Normal execution of function `contents` with args: arg = {contents= (-5)} File isqrt-S4.mlw: Line 16: Normal execution of function `(+)` with args: _ = (-5) _ = 2 Normal execution of function `(:=)` with args: r = {contents= (-5)} i = (-3) Line 17: Normal execution of function `(!)` with args: r = {contents= 3} File lib.mlw: Line 23: Normal execution of function `contents` with args: arg = {contents= 3} File isqrt-S4.mlw: Line 17: Normal execution of function `(-)` with args: x = 3 y = 1 File int.mlw: Line 23: Normal execution of function `(-_)` with args: _ = 1 Normal execution of function `(+)` with args: _ = 3 _ = (-1) File isqrt-S4.mlw: Line 17: Normal execution of function `(:=)` with args: r = {contents= 3} i = 2 Line 11: Property failure at loop invariant preservation with: r = {contents= 2} y = {contents= 14} ** isqrt-S5 bin/why3 prove --library=bench/check-ce/petiot2018 bench/check-ce/petiot2018/experiments/isqrt-S5.mlw --apply-transform=split_vc --prover=CVC5,1.0.0,counterexamples --timelimit=15 --check-ce --rac-prover=CVC5,1.0.0 --sub-goal=:11@loop invariant preservation --stepslimit=10000 File "bench/check-ce/petiot2018/experiments/isqrt-S5.mlw", line 11, characters 19-31: Sub-goal Loop invariant preservation of goal isqrt'vc. Prover result is: Unknown (sat). The contracts of some function or loop are too weak, for example during the following execution: File isqrt-S5.mlw: Line 3: Execution of main function `isqrt` with env: n = 3 zero = 0 one = 1 Line 6: Giant-step execution of function `int_ref` with args: i = 3 result of `int_ref` = {contents= 3} Line 7: Normal execution of function `( * )` with args: _ = 3 _ = 3 Giant-step execution of function `int_ref` with args: i = 9 result of `int_ref` = {contents= 9} Line 8: Normal execution of function `( * )` with args: _ = (-2) _ = 3 Normal execution of function `(+)` with args: _ = (-6) _ = 1 Giant-step execution of function `int_ref` with args: i = (-5) result of `int_ref` = {contents= (- 5)} Line 9: Giant-step iteration of loop r = {contents= 2} y = {contents= 4} z = {contents= (- 2)} Giant-step execution of function `(!)` with args: r = {contents= 4} result of `(!)` = 4 Normal execution of function `(>)` with args: x = 4 y = 3 Normal iteration of loop Line 15: Giant-step execution of function `(!)` with args: r = {contents= (- 2)} result of `(!)` = (- 2) Giant-step execution of function `(!)` with args: r = {contents= 4} result of `(!)` = 4 Normal execution of function `(+)` with args: _ = 4 _ = (- 2) Giant-step execution of function `(:=)` with args: r = {contents= 4} i = 2 y = {contents= 2} result of `(:=)` = () Line 16: Giant-step execution of function `(!)` with args: r = {contents= (- 2)} result of `(!)` = (- 2) Normal execution of function `(+)` with args: _ = (- 2) _ = 2 Giant-step execution of function `(:=)` with args: r = {contents= (- 2)} i = 0 z = {contents= 0} result of `(:=)` = () Line 17: Giant-step execution of function `(!)` with args: r = {contents= 2} result of `(!)` = 2 Giant-step execution of function `(-)` with args: x = 2 y = 1 result of `(-)` = 1 Giant-step execution of function `(:=)` with args: r = {contents= 2} i = 1 r = {contents= 1} result of `(:=)` = () Line 11: Property failure at loop invariant preservation with: r = {contents= 1} y = {contents= 2} ** isqrt-S6 bin/why3 prove --library=bench/check-ce/petiot2018 bench/check-ce/petiot2018/experiments/isqrt-S6.mlw --apply-transform=split_vc --prover=CVC5,1.0.0,counterexamples --timelimit=15 --check-ce --rac-prover=CVC5,1.0.0 --sub-goal=:5@postcondition --stepslimit=10000 File "bench/check-ce/petiot2018/experiments/isqrt-S6.mlw", line 5, characters 12-62: Sub-goal Postcondition of goal isqrt'vc. Prover result is: Unknown (sat). The program does not comply to the verification goal, for example during the following execution: File isqrt-S6.mlw: Line 3: Execution of main function `isqrt` with env: n = 3 zero = 0 one = 1 Line 6: Normal execution of function `int_ref` with args: i = 3 File lib.mlw: Line 12: Normal execution of function `int_ref'mk` with args: contents = 3 File isqrt-S6.mlw: Line 7: Normal execution of function `( * )` with args: _ = 3 _ = 3 Normal execution of function `int_ref` with args: i = 9 File lib.mlw: Line 12: Normal execution of function `int_ref'mk` with args: contents = 9 File isqrt-S6.mlw: Line 8: Normal execution of function `( * )` with args: _ = (-2) _ = 3 Normal execution of function `(+)` with args: _ = (-6) _ = 1 Normal execution of function `int_ref` with args: i = (-5) File lib.mlw: Line 12: Normal execution of function `int_ref'mk` with args: contents = (-5) File isqrt-S6.mlw: Line 9: Normal execution of function `(+)` with args: _ = 3 _ = 1 Normal execution of function `(!)` with args: r = {contents= 9} File lib.mlw: Line 23: Normal execution of function `contents` with args: arg = {contents= 9} File isqrt-S6.mlw: Line 9: Normal execution of function `(>)` with args: x = 9 y = 4 Normal iteration of loop Line 15: Normal execution of function `(!)` with args: r = {contents= (-5)} File lib.mlw: Line 23: Normal execution of function `contents` with args: arg = {contents= (-5)} File isqrt-S6.mlw: Line 15: Normal execution of function `(!)` with args: r = {contents= 9} File lib.mlw: Line 23: Normal execution of function `contents` with args: arg = {contents= 9} File isqrt-S6.mlw: Line 15: Normal execution of function `(+)` with args: _ = 9 _ = (-5) Normal execution of function `(:=)` with args: r = {contents= 9} i = 4 Line 16: Normal execution of function `(!)` with args: r = {contents= (-5)} File lib.mlw: Line 23: Normal execution of function `contents` with args: arg = {contents= (-5)} File isqrt-S6.mlw: Line 16: Normal execution of function `(+)` with args: _ = (-5) _ = 2 Normal execution of function `(:=)` with args: r = {contents= (-5)} i = (-3) Line 17: Normal execution of function `(!)` with args: r = {contents= 3} File lib.mlw: Line 23: Normal execution of function `contents` with args: arg = {contents= 3} File isqrt-S6.mlw: Line 17: Normal execution of function `(-)` with args: x = 3 y = 1 File int.mlw: Line 23: Normal execution of function `(-_)` with args: _ = 1 Normal execution of function `(+)` with args: _ = 3 _ = (-1) File isqrt-S6.mlw: Line 17: Normal execution of function `(:=)` with args: r = {contents= 3} i = 2 Line 9: Normal execution of function `(+)` with args: _ = 3 _ = 1 Normal execution of function `(!)` with args: r = {contents= 4} File lib.mlw: Line 23: Normal execution of function `contents` with args: arg = {contents= 4} File isqrt-S6.mlw: Line 9: Normal execution of function `(>)` with args: x = 4 y = 4 Line 19: Normal execution of function `(!)` with args: r = {contents= 2} File lib.mlw: Line 23: Normal execution of function `contents` with args: arg = {contents= 2} File isqrt-S6.mlw: Line 5: Property failure at postcondition of `isqrt` with: n = 3 result = 2 ** isqrt-S7 bin/why3 prove --library=bench/check-ce/petiot2018 bench/check-ce/petiot2018/experiments/isqrt-S7.mlw --apply-transform=split_vc --prover=CVC5,1.0.0,counterexamples --timelimit=15 --check-ce --rac-prover=CVC5,1.0.0 --sub-goal=:5@postcondition --stepslimit=10000 File "bench/check-ce/petiot2018/experiments/isqrt-S7.mlw", line 5, characters 12-62: Sub-goal Postcondition of goal isqrt'vc. Prover result is: Unknown (sat). The contracts of some function or loop are too weak, for example during the following execution: File isqrt-S7.mlw: Line 3: Execution of main function `isqrt` with env: n = 4 zero = 0 one = 1 Line 6: Giant-step execution of function `int_ref` with args: i = 4 result of `int_ref` = {contents= 4} Line 7: Normal execution of function `( * )` with args: _ = 4 _ = 4 Giant-step execution of function `int_ref` with args: i = 16 result of `int_ref` = {contents= 16} Line 8: Normal execution of function `( * )` with args: _ = (-2) _ = 4 Normal execution of function `(+)` with args: _ = (-8) _ = 1 Giant-step execution of function `int_ref` with args: i = (-7) result of `int_ref` = {contents= (- 7)} Line 9: Giant-step iteration of loop r = {contents= 1} y = {contents= 1} z = {contents= (- 1)} Giant-step execution of function `(!)` with args: r = {contents= 1} result of `(!)` = 1 Normal execution of function `(>)` with args: x = 1 y = 4 Line 19: Giant-step execution of function `(!)` with args: r = {contents= 1} result of `(!)` = 1 Line 5: Property failure at postcondition of `isqrt` with: n = 4 result = 1 ** isqrt-S8 bin/why3 prove --library=bench/check-ce/petiot2018 bench/check-ce/petiot2018/experiments/isqrt-S8.mlw --apply-transform=split_vc --prover=CVC5,1.0.0,counterexamples --timelimit=15 --check-ce --rac-prover=CVC5,1.0.0 --sub-goal=:5@postcondition --stepslimit=10000 File "bench/check-ce/petiot2018/experiments/isqrt-S8.mlw", line 5, characters 12-62: Sub-goal Postcondition of goal isqrt'vc. Prover result is: Unknown (sat). The program does not comply to the verification goal, for example during the following execution: File isqrt-S8.mlw: Line 3: Execution of main function `isqrt` with env: n = 0 zero = 0 one = 1 Line 6: Normal execution of function `int_ref` with args: i = 0 File lib.mlw: Line 12: Normal execution of function `int_ref'mk` with args: contents = 0 File isqrt-S8.mlw: Line 7: Normal execution of function `( * )` with args: _ = 0 _ = 0 Normal execution of function `int_ref` with args: i = 0 File lib.mlw: Line 12: Normal execution of function `int_ref'mk` with args: contents = 0 File isqrt-S8.mlw: Line 8: Normal execution of function `( * )` with args: _ = (-2) _ = 0 Normal execution of function `(+)` with args: _ = 0 _ = 1 Normal execution of function `int_ref` with args: i = 1 File lib.mlw: Line 12: Normal execution of function `int_ref'mk` with args: contents = 1 File isqrt-S8.mlw: Line 9: Normal execution of function `(!)` with args: r = {contents= 0} File lib.mlw: Line 23: Normal execution of function `contents` with args: arg = {contents= 0} File isqrt-S8.mlw: Line 9: Normal execution of function `(>)` with args: x = 0 y = 0 Line 19: Normal execution of function `(!)` with args: r = {contents= 0} File lib.mlw: Line 23: Normal execution of function `contents` with args: arg = {contents= 0} File isqrt-S8.mlw: Line 19: Normal execution of function `(-)` with args: x = 0 y = 1 File int.mlw: Line 23: Normal execution of function `(-_)` with args: _ = 1 Normal execution of function `(+)` with args: _ = 0 _ = (-1) File isqrt-S8.mlw: Line 5: Property failure at postcondition of `isqrt` with: n = 0 result = (-1) ** isqrt-S9 bin/why3 prove --library=bench/check-ce/petiot2018 bench/check-ce/petiot2018/experiments/isqrt-S9.mlw --apply-transform=split_vc --prover=CVC5,1.0.0,counterexamples --timelimit=15 --check-ce --rac-prover=CVC5,1.0.0 --sub-goal=:14@loop variant decrease --stepslimit=10000 File "bench/check-ce/petiot2018/experiments/isqrt-S9.mlw", line 14, characters 10-16: Sub-goal Loop variant decrease of goal isqrt'vc. Prover result is: Unknown (sat). The program does not comply to the verification goal, for example during the following execution: File isqrt-S9.mlw: Line 3: Execution of main function `isqrt` with env: n = 3 zero = 0 one = 1 Line 6: Normal execution of function `int_ref` with args: i = 3 File lib.mlw: Line 12: Normal execution of function `int_ref'mk` with args: contents = 3 File isqrt-S9.mlw: Line 7: Normal execution of function `( * )` with args: _ = 3 _ = 3 Normal execution of function `int_ref` with args: i = 9 File lib.mlw: Line 12: Normal execution of function `int_ref'mk` with args: contents = 9 File isqrt-S9.mlw: Line 8: Normal execution of function `( * )` with args: _ = (-2) _ = 3 Normal execution of function `(+)` with args: _ = (-6) _ = 1 Normal execution of function `int_ref` with args: i = (-5) File lib.mlw: Line 12: Normal execution of function `int_ref'mk` with args: contents = (-5) File isqrt-S9.mlw: Line 9: Normal execution of function `(!)` with args: r = {contents= 9} File lib.mlw: Line 23: Normal execution of function `contents` with args: arg = {contents= 9} File isqrt-S9.mlw: Line 9: Normal execution of function `(>)` with args: x = 9 y = 3 Normal iteration of loop Line 15: Normal execution of function `(!)` with args: r = {contents= (-5)} File lib.mlw: Line 23: Normal execution of function `contents` with args: arg = {contents= (-5)} File isqrt-S9.mlw: Line 15: Normal execution of function `(!)` with args: r = {contents= 9} File lib.mlw: Line 23: Normal execution of function `contents` with args: arg = {contents= 9} File isqrt-S9.mlw: Line 15: Normal execution of function `(+)` with args: _ = 9 _ = (-5) Normal execution of function `(:=)` with args: r = {contents= 9} i = 4 Line 16: Normal execution of function `(!)` with args: r = {contents= (-5)} File lib.mlw: Line 23: Normal execution of function `contents` with args: arg = {contents= (-5)} File isqrt-S9.mlw: Line 16: Normal execution of function `(+)` with args: _ = (-5) _ = 2 Normal execution of function `(:=)` with args: r = {contents= (-5)} i = (-3) Line 17: Normal execution of function `(!)` with args: r = {contents= 3} File lib.mlw: Line 23: Normal execution of function `contents` with args: arg = {contents= 3} File isqrt-S9.mlw: Line 17: Normal execution of function `(-)` with args: x = 3 y = 1 File int.mlw: Line 23: Normal execution of function `(-_)` with args: _ = 1 Normal execution of function `(+)` with args: _ = 3 _ = (-1) File isqrt-S9.mlw: Line 17: Normal execution of function `(:=)` with args: r = {contents= 3} i = 2 Line 9: Normal execution of function `(!)` with args: r = {contents= 4} File lib.mlw: Line 23: Normal execution of function `contents` with args: arg = {contents= 4} File isqrt-S9.mlw: Line 9: Normal execution of function `(>)` with args: x = 4 y = 3 Normal iteration of loop Line 15: Normal execution of function `(!)` with args: r = {contents= (-3)} File lib.mlw: Line 23: Normal execution of function `contents` with args: arg = {contents= (-3)} File isqrt-S9.mlw: Line 15: Normal execution of function `(!)` with args: r = {contents= 4} File lib.mlw: Line 23: Normal execution of function `contents` with args: arg = {contents= 4} File isqrt-S9.mlw: Line 15: Normal execution of function `(+)` with args: _ = 4 _ = (-3) Normal execution of function `(:=)` with args: r = {contents= 4} i = 1 Line 16: Normal execution of function `(!)` with args: r = {contents= (-3)} File lib.mlw: Line 23: Normal execution of function `contents` with args: arg = {contents= (-3)} File isqrt-S9.mlw: Line 16: Normal execution of function `(+)` with args: _ = (-3) _ = 2 Normal execution of function `(:=)` with args: r = {contents= (-3)} i = (-1) Line 17: Normal execution of function `(!)` with args: r = {contents= 2} File lib.mlw: Line 23: Normal execution of function `contents` with args: arg = {contents= 2} File isqrt-S9.mlw: Line 17: Normal execution of function `(-)` with args: x = 2 y = 1 File int.mlw: Line 23: Normal execution of function `(-_)` with args: _ = 1 Normal execution of function `(+)` with args: _ = 2 _ = (-1) File isqrt-S9.mlw: Line 17: Normal execution of function `(:=)` with args: r = {contents= 2} i = 1 Line 14: Property failure at loop variant decrease with: n = 3 r = {contents= 1} r = {contents= 2} n = 3 ** isqrt-S10 bin/why3 prove --library=bench/check-ce/petiot2018 bench/check-ce/petiot2018/experiments/isqrt-S10.mlw --apply-transform=split_vc --prover=CVC5,1.0.0,counterexamples --timelimit=15 --check-ce --rac-prover=CVC5,1.0.0 --sub-goal=:14@loop variant decrease --stepslimit=10000 File "bench/check-ce/petiot2018/experiments/isqrt-S10.mlw", line 14, characters 14-16: Sub-goal Loop variant decrease of goal isqrt'vc. Prover result is: Unknown (sat). The contracts of some function or loop are too weak, for example during the following execution: File isqrt-S10.mlw: Line 3: Execution of main function `isqrt` with env: n = 0 zero = 0 one = 1 Line 6: Giant-step execution of function `int_ref` with args: i = 0 result of `int_ref` = {contents= 0} Line 7: Normal execution of function `( * )` with args: _ = 0 _ = 0 Giant-step execution of function `int_ref` with args: i = 0 result of `int_ref` = {contents= 0} Line 8: Normal execution of function `( * )` with args: _ = (-2) _ = 0 Normal execution of function `(+)` with args: _ = 0 _ = 1 Giant-step execution of function `int_ref` with args: i = 1 result of `int_ref` = {contents= 1} Line 9: Giant-step iteration of loop r = {contents= (- 2)} y = {contents= 4} z = {contents= 5} Giant-step execution of function `(!)` with args: r = {contents= 4} result of `(!)` = 4 Normal execution of function `(>)` with args: x = 4 y = 0 Normal iteration of loop Line 15: Giant-step execution of function `(!)` with args: r = {contents= 5} result of `(!)` = 5 Giant-step execution of function `(!)` with args: r = {contents= 4} result of `(!)` = 4 Normal execution of function `(+)` with args: _ = 4 _ = 5 Giant-step execution of function `(:=)` with args: r = {contents= 4} i = 9 y = {contents= 9} result of `(:=)` = () Line 16: Giant-step execution of function `(!)` with args: r = {contents= 5} result of `(!)` = 5 Normal execution of function `(+)` with args: _ = 5 _ = 2 Giant-step execution of function `(:=)` with args: r = {contents= 5} i = 7 z = {contents= 7} result of `(:=)` = () Line 17: Giant-step execution of function `(!)` with args: r = {contents= (- 2)} result of `(!)` = (- 2) Giant-step execution of function `(-)` with args: x = (- 2) y = 1 result of `(-)` = (- 3) Giant-step execution of function `(:=)` with args: r = {contents= (- 2)} i = (- 3) r = {contents= (- 3)} result of `(:=)` = () Line 14: Property failure at loop variant decrease with: r = {contents= (- 3)} r = {contents= (- 2)} why3-1.6.0/bench/check-ce/petiot2018/oracles/isqrt_Z3,4.8.10.oracle000066400000000000000000000712261440160026300240360ustar00rootroot00000000000000* Experiment isqrt ** Original File "bench/check-ce/petiot2018/isqrt.mlw", line 10, characters 19-31: Sub-goal Loop invariant init of goal isqrt'vc. Prover result is: Valid. File "bench/check-ce/petiot2018/isqrt.mlw", line 11, characters 19-31: Sub-goal Loop invariant init of goal isqrt'vc. Prover result is: Valid. File "bench/check-ce/petiot2018/isqrt.mlw", line 12, characters 19-38: Sub-goal Loop invariant init of goal isqrt'vc. Prover result is: Valid. File "bench/check-ce/petiot2018/isqrt.mlw", line 13, characters 19-35: Sub-goal Loop invariant init of goal isqrt'vc. Prover result is: Valid. File "bench/check-ce/petiot2018/isqrt.mlw", line 14, characters 14-16: Sub-goal Loop variant decrease of goal isqrt'vc. Prover result is: Valid. File "bench/check-ce/petiot2018/isqrt.mlw", line 10, characters 19-31: Sub-goal Loop invariant preservation of goal isqrt'vc. Prover result is: Valid. File "bench/check-ce/petiot2018/isqrt.mlw", line 11, characters 19-31: Sub-goal Loop invariant preservation of goal isqrt'vc. Prover result is: Valid. File "bench/check-ce/petiot2018/isqrt.mlw", line 12, characters 19-38: Sub-goal Loop invariant preservation of goal isqrt'vc. Prover result is: Valid. File "bench/check-ce/petiot2018/isqrt.mlw", line 13, characters 19-35: Sub-goal Loop invariant preservation of goal isqrt'vc. Prover result is: Valid. File "bench/check-ce/petiot2018/isqrt.mlw", line 5, characters 12-62: Sub-goal Postcondition of goal isqrt'vc. Prover result is: Valid. ** isqrt-S1 bin/why3 prove --library=bench/check-ce/petiot2018 bench/check-ce/petiot2018/experiments/isqrt-S1.mlw --apply-transform=split_vc --prover=Z3,4.8.10,counterexamples --timelimit=15 --check-ce --rac-prover=Z3,4.8.10 --sub-goal=:10@loop invariant init --stepslimit=500000 File "bench/check-ce/petiot2018/experiments/isqrt-S1.mlw", line 10, characters 19-31: Sub-goal Loop invariant init of goal isqrt'vc. Prover result is: Unknown (sat). The program does not comply to the verification goal, for example during the following execution: File isqrt-S1.mlw: Line 3: Execution of main function `isqrt` with env: n = (-1) zero = 0 one = 1 Line 6: Normal execution of function `int_ref` with args: i = (-1) File lib.mlw: Line 12: Normal execution of function `int_ref'mk` with args: contents = (-1) File isqrt-S1.mlw: Line 7: Normal execution of function `( * )` with args: _ = (-1) _ = (-1) Normal execution of function `int_ref` with args: i = 1 File lib.mlw: Line 12: Normal execution of function `int_ref'mk` with args: contents = 1 File isqrt-S1.mlw: Line 8: Normal execution of function `( * )` with args: _ = (-2) _ = (-1) Normal execution of function `(+)` with args: _ = 2 _ = 1 Normal execution of function `int_ref` with args: i = 3 File lib.mlw: Line 12: Normal execution of function `int_ref'mk` with args: contents = 3 File isqrt-S1.mlw: Line 10: Property failure at loop invariant init with: n = (-1) r = {contents= (-1)} ** isqrt-S2 bin/why3 prove --library=bench/check-ce/petiot2018 bench/check-ce/petiot2018/experiments/isqrt-S2.mlw --apply-transform=split_vc --prover=Z3,4.8.10,counterexamples --timelimit=15 --check-ce --rac-prover=Z3,4.8.10 --sub-goal=:13@loop invariant init --stepslimit=500000 File "bench/check-ce/petiot2018/experiments/isqrt-S2.mlw", line 13, characters 19-35: Sub-goal Loop invariant init of goal isqrt'vc. Prover result is: Unknown (sat). The program does not comply to the verification goal, for example during the following execution: File isqrt-S2.mlw: Line 3: Execution of main function `isqrt` with env: n = 1 zero = 0 one = 1 Line 6: Normal execution of function `int_ref` with args: i = 1 File lib.mlw: Line 12: Normal execution of function `int_ref'mk` with args: contents = 1 File isqrt-S2.mlw: Line 7: Normal execution of function `( * )` with args: _ = 1 _ = 1 Normal execution of function `int_ref` with args: i = 1 File lib.mlw: Line 12: Normal execution of function `int_ref'mk` with args: contents = 1 File isqrt-S2.mlw: Line 8: Normal execution of function `( * )` with args: _ = 2 _ = 1 Normal execution of function `(+)` with args: _ = 2 _ = 1 Normal execution of function `int_ref` with args: i = 3 File lib.mlw: Line 12: Normal execution of function `int_ref'mk` with args: contents = 3 File isqrt-S2.mlw: Line 13: Property failure at loop invariant init with: r = {contents= 1} z = {contents= 3} ** isqrt-S3 bin/why3 prove --library=bench/check-ce/petiot2018 bench/check-ce/petiot2018/experiments/isqrt-S3.mlw --apply-transform=split_vc --prover=Z3,4.8.10,counterexamples --timelimit=15 --check-ce --rac-prover=Z3,4.8.10 --sub-goal=:13@loop invariant init --stepslimit=500000 File "bench/check-ce/petiot2018/experiments/isqrt-S3.mlw", line 13, characters 15-30: Sub-goal Loop invariant init of goal isqrt'vc. Prover result is: Unknown (sat). The program does not comply to the verification goal, for example during the following execution: File isqrt-S3.mlw: Line 3: Execution of main function `isqrt` with env: n = 1 zero = 0 one = 1 Line 6: Normal execution of function `int_ref` with args: i = 1 File lib.mlw: Line 12: Normal execution of function `int_ref'mk` with args: contents = 1 File isqrt-S3.mlw: Line 7: Normal execution of function `( * )` with args: _ = 1 _ = 1 Normal execution of function `int_ref` with args: i = 1 File lib.mlw: Line 12: Normal execution of function `int_ref'mk` with args: contents = 1 File isqrt-S3.mlw: Line 8: Normal execution of function `( * )` with args: _ = (-2) _ = 1 Normal execution of function `(+)` with args: _ = (-2) _ = 1 Normal execution of function `int_ref` with args: i = (-1) File lib.mlw: Line 12: Normal execution of function `int_ref'mk` with args: contents = (-1) File isqrt-S3.mlw: Line 13: Property failure at loop invariant init with: r = {contents= 1} z = {contents= (-1)} ** isqrt-S4 bin/why3 prove --library=bench/check-ce/petiot2018 bench/check-ce/petiot2018/experiments/isqrt-S4.mlw --apply-transform=split_vc --prover=Z3,4.8.10,counterexamples --timelimit=15 --check-ce --rac-prover=Z3,4.8.10 --sub-goal=:11@loop invariant preservation --stepslimit=500000 File "bench/check-ce/petiot2018/experiments/isqrt-S4.mlw", line 11, characters 19-31: Sub-goal Loop invariant preservation of goal isqrt'vc. Prover result is: Unknown (sat). The program does not comply to the verification goal, for example during the following execution: File isqrt-S4.mlw: Line 3: Execution of main function `isqrt` with env: n = 8 zero = 0 one = 1 Line 6: Normal execution of function `int_ref` with args: i = 8 File lib.mlw: Line 12: Normal execution of function `int_ref'mk` with args: contents = 8 File isqrt-S4.mlw: Line 7: Normal execution of function `( * )` with args: _ = 8 _ = 8 Normal execution of function `int_ref` with args: i = 64 File lib.mlw: Line 12: Normal execution of function `int_ref'mk` with args: contents = 64 File isqrt-S4.mlw: Line 8: Normal execution of function `( * )` with args: _ = (-2) _ = 8 Normal execution of function `(+)` with args: _ = (-16) _ = 1 Normal execution of function `int_ref` with args: i = (-15) File lib.mlw: Line 12: Normal execution of function `int_ref'mk` with args: contents = (-15) File isqrt-S4.mlw: Line 9: Normal execution of function `(!)` with args: r = {contents= 64} File lib.mlw: Line 23: Normal execution of function `contents` with args: arg = {contents= 64} File isqrt-S4.mlw: Line 9: Normal execution of function `(>)` with args: x = 64 y = 8 Normal iteration of loop Line 15: Normal execution of function `(!)` with args: r = {contents= (-15)} File lib.mlw: Line 23: Normal execution of function `contents` with args: arg = {contents= (-15)} File isqrt-S4.mlw: Line 15: Normal execution of function `(!)` with args: r = {contents= 64} File lib.mlw: Line 23: Normal execution of function `contents` with args: arg = {contents= 64} File isqrt-S4.mlw: Line 15: Normal execution of function `(-)` with args: x = 64 y = (-15) File int.mlw: Line 23: Normal execution of function `(-_)` with args: _ = (-15) Normal execution of function `(+)` with args: _ = 64 _ = 15 File isqrt-S4.mlw: Line 15: Normal execution of function `(:=)` with args: r = {contents= 64} i = 79 Line 16: Normal execution of function `(!)` with args: r = {contents= (-15)} File lib.mlw: Line 23: Normal execution of function `contents` with args: arg = {contents= (-15)} File isqrt-S4.mlw: Line 16: Normal execution of function `(+)` with args: _ = (-15) _ = 2 Normal execution of function `(:=)` with args: r = {contents= (-15)} i = (-13) Line 17: Normal execution of function `(!)` with args: r = {contents= 8} File lib.mlw: Line 23: Normal execution of function `contents` with args: arg = {contents= 8} File isqrt-S4.mlw: Line 17: Normal execution of function `(-)` with args: x = 8 y = 1 File int.mlw: Line 23: Normal execution of function `(-_)` with args: _ = 1 Normal execution of function `(+)` with args: _ = 8 _ = (-1) File isqrt-S4.mlw: Line 17: Normal execution of function `(:=)` with args: r = {contents= 8} i = 7 Line 11: Property failure at loop invariant preservation with: r = {contents= 7} y = {contents= 79} ** isqrt-S5 bin/why3 prove --library=bench/check-ce/petiot2018 bench/check-ce/petiot2018/experiments/isqrt-S5.mlw --apply-transform=split_vc --prover=Z3,4.8.10,counterexamples --timelimit=15 --check-ce --rac-prover=Z3,4.8.10 --sub-goal=:11@loop invariant preservation --stepslimit=500000 File "bench/check-ce/petiot2018/experiments/isqrt-S5.mlw", line 11, characters 19-31: Sub-goal Loop invariant preservation of goal isqrt'vc. Prover result is: Unknown (sat). The contracts of some function or loop are too weak, for example during the following execution: File isqrt-S5.mlw: Line 3: Execution of main function `isqrt` with env: n = 2 zero = 0 one = 1 Line 6: Giant-step execution of function `int_ref` with args: i = 2 result of `int_ref` = {contents= 2} Line 7: Normal execution of function `( * )` with args: _ = 2 _ = 2 Giant-step execution of function `int_ref` with args: i = 4 result of `int_ref` = {contents= 4} Line 8: Normal execution of function `( * )` with args: _ = (-2) _ = 2 Normal execution of function `(+)` with args: _ = (-4) _ = 1 Giant-step execution of function `int_ref` with args: i = (-3) result of `int_ref` = {contents= (-3)} Line 9: Giant-step iteration of loop r = {contents= 2} y = {contents= 4} z = {contents= (-4)} Giant-step execution of function `(!)` with args: r = {contents= 4} result of `(!)` = 4 Normal execution of function `(>)` with args: x = 4 y = 2 Normal iteration of loop Line 15: Giant-step execution of function `(!)` with args: r = {contents= (-4)} result of `(!)` = (-4) Giant-step execution of function `(!)` with args: r = {contents= 4} result of `(!)` = 4 Normal execution of function `(+)` with args: _ = 4 _ = (-4) Giant-step execution of function `(:=)` with args: r = {contents= 4} i = 0 y = {contents= 0} result of `(:=)` = () Line 16: Giant-step execution of function `(!)` with args: r = {contents= (-4)} result of `(!)` = (-4) Normal execution of function `(+)` with args: _ = (-4) _ = 2 Giant-step execution of function `(:=)` with args: r = {contents= (-4)} i = (-2) z = {contents= (-2)} result of `(:=)` = () Line 17: Giant-step execution of function `(!)` with args: r = {contents= 2} result of `(!)` = 2 Giant-step execution of function `(-)` with args: x = 2 y = 1 result of `(-)` = 1 Giant-step execution of function `(:=)` with args: r = {contents= 2} i = 1 r = {contents= 1} result of `(:=)` = () Line 11: Property failure at loop invariant preservation with: r = {contents= 1} y = {contents= 0} ** isqrt-S6 bin/why3 prove --library=bench/check-ce/petiot2018 bench/check-ce/petiot2018/experiments/isqrt-S6.mlw --apply-transform=split_vc --prover=Z3,4.8.10,counterexamples --timelimit=15 --check-ce --rac-prover=Z3,4.8.10 --sub-goal=:5@postcondition --stepslimit=500000 File "bench/check-ce/petiot2018/experiments/isqrt-S6.mlw", line 5, characters 12-62: Sub-goal Postcondition of goal isqrt'vc. Prover result is: Unknown (sat). The program does not comply to the verification goal, for example during the following execution: File isqrt-S6.mlw: Line 3: Execution of main function `isqrt` with env: n = 3 zero = 0 one = 1 Line 6: Normal execution of function `int_ref` with args: i = 3 File lib.mlw: Line 12: Normal execution of function `int_ref'mk` with args: contents = 3 File isqrt-S6.mlw: Line 7: Normal execution of function `( * )` with args: _ = 3 _ = 3 Normal execution of function `int_ref` with args: i = 9 File lib.mlw: Line 12: Normal execution of function `int_ref'mk` with args: contents = 9 File isqrt-S6.mlw: Line 8: Normal execution of function `( * )` with args: _ = (-2) _ = 3 Normal execution of function `(+)` with args: _ = (-6) _ = 1 Normal execution of function `int_ref` with args: i = (-5) File lib.mlw: Line 12: Normal execution of function `int_ref'mk` with args: contents = (-5) File isqrt-S6.mlw: Line 9: Normal execution of function `(+)` with args: _ = 3 _ = 1 Normal execution of function `(!)` with args: r = {contents= 9} File lib.mlw: Line 23: Normal execution of function `contents` with args: arg = {contents= 9} File isqrt-S6.mlw: Line 9: Normal execution of function `(>)` with args: x = 9 y = 4 Normal iteration of loop Line 15: Normal execution of function `(!)` with args: r = {contents= (-5)} File lib.mlw: Line 23: Normal execution of function `contents` with args: arg = {contents= (-5)} File isqrt-S6.mlw: Line 15: Normal execution of function `(!)` with args: r = {contents= 9} File lib.mlw: Line 23: Normal execution of function `contents` with args: arg = {contents= 9} File isqrt-S6.mlw: Line 15: Normal execution of function `(+)` with args: _ = 9 _ = (-5) Normal execution of function `(:=)` with args: r = {contents= 9} i = 4 Line 16: Normal execution of function `(!)` with args: r = {contents= (-5)} File lib.mlw: Line 23: Normal execution of function `contents` with args: arg = {contents= (-5)} File isqrt-S6.mlw: Line 16: Normal execution of function `(+)` with args: _ = (-5) _ = 2 Normal execution of function `(:=)` with args: r = {contents= (-5)} i = (-3) Line 17: Normal execution of function `(!)` with args: r = {contents= 3} File lib.mlw: Line 23: Normal execution of function `contents` with args: arg = {contents= 3} File isqrt-S6.mlw: Line 17: Normal execution of function `(-)` with args: x = 3 y = 1 File int.mlw: Line 23: Normal execution of function `(-_)` with args: _ = 1 Normal execution of function `(+)` with args: _ = 3 _ = (-1) File isqrt-S6.mlw: Line 17: Normal execution of function `(:=)` with args: r = {contents= 3} i = 2 Line 9: Normal execution of function `(+)` with args: _ = 3 _ = 1 Normal execution of function `(!)` with args: r = {contents= 4} File lib.mlw: Line 23: Normal execution of function `contents` with args: arg = {contents= 4} File isqrt-S6.mlw: Line 9: Normal execution of function `(>)` with args: x = 4 y = 4 Line 19: Normal execution of function `(!)` with args: r = {contents= 2} File lib.mlw: Line 23: Normal execution of function `contents` with args: arg = {contents= 2} File isqrt-S6.mlw: Line 5: Property failure at postcondition of `isqrt` with: n = 3 result = 2 ** isqrt-S7 bin/why3 prove --library=bench/check-ce/petiot2018 bench/check-ce/petiot2018/experiments/isqrt-S7.mlw --apply-transform=split_vc --prover=Z3,4.8.10,counterexamples --timelimit=15 --check-ce --rac-prover=Z3,4.8.10 --sub-goal=:5@postcondition --stepslimit=500000 File "bench/check-ce/petiot2018/experiments/isqrt-S7.mlw", line 5, characters 12-62: Sub-goal Postcondition of goal isqrt'vc. Prover result is: Unknown (sat). The contracts of some function or loop are too weak, for example during the following execution: File isqrt-S7.mlw: Line 3: Execution of main function `isqrt` with env: n = 1 zero = 0 one = 1 Line 6: Giant-step execution of function `int_ref` with args: i = 1 result of `int_ref` = {contents= 1} Line 7: Normal execution of function `( * )` with args: _ = 1 _ = 1 Giant-step execution of function `int_ref` with args: i = 1 result of `int_ref` = {contents= 1} Line 8: Normal execution of function `( * )` with args: _ = (-2) _ = 1 Normal execution of function `(+)` with args: _ = (-2) _ = 1 Giant-step execution of function `int_ref` with args: i = (-1) result of `int_ref` = {contents= (-1)} Line 9: Giant-step iteration of loop r = {contents= 0} y = {contents= 0} z = {contents= 1} Giant-step execution of function `(!)` with args: r = {contents= 0} result of `(!)` = 0 Normal execution of function `(>)` with args: x = 0 y = 1 Line 19: Giant-step execution of function `(!)` with args: r = {contents= 0} result of `(!)` = 0 Line 5: Property failure at postcondition of `isqrt` with: n = 1 result = 0 ** isqrt-S8 bin/why3 prove --library=bench/check-ce/petiot2018 bench/check-ce/petiot2018/experiments/isqrt-S8.mlw --apply-transform=split_vc --prover=Z3,4.8.10,counterexamples --timelimit=15 --check-ce --rac-prover=Z3,4.8.10 --sub-goal=:5@postcondition --stepslimit=500000 File "bench/check-ce/petiot2018/experiments/isqrt-S8.mlw", line 5, characters 12-62: Sub-goal Postcondition of goal isqrt'vc. Prover result is: Unknown (sat). The program does not comply to the verification goal, for example during the following execution: File isqrt-S8.mlw: Line 3: Execution of main function `isqrt` with env: n = 0 zero = 0 one = 1 Line 6: Normal execution of function `int_ref` with args: i = 0 File lib.mlw: Line 12: Normal execution of function `int_ref'mk` with args: contents = 0 File isqrt-S8.mlw: Line 7: Normal execution of function `( * )` with args: _ = 0 _ = 0 Normal execution of function `int_ref` with args: i = 0 File lib.mlw: Line 12: Normal execution of function `int_ref'mk` with args: contents = 0 File isqrt-S8.mlw: Line 8: Normal execution of function `( * )` with args: _ = (-2) _ = 0 Normal execution of function `(+)` with args: _ = 0 _ = 1 Normal execution of function `int_ref` with args: i = 1 File lib.mlw: Line 12: Normal execution of function `int_ref'mk` with args: contents = 1 File isqrt-S8.mlw: Line 9: Normal execution of function `(!)` with args: r = {contents= 0} File lib.mlw: Line 23: Normal execution of function `contents` with args: arg = {contents= 0} File isqrt-S8.mlw: Line 9: Normal execution of function `(>)` with args: x = 0 y = 0 Line 19: Normal execution of function `(!)` with args: r = {contents= 0} File lib.mlw: Line 23: Normal execution of function `contents` with args: arg = {contents= 0} File isqrt-S8.mlw: Line 19: Normal execution of function `(-)` with args: x = 0 y = 1 File int.mlw: Line 23: Normal execution of function `(-_)` with args: _ = 1 Normal execution of function `(+)` with args: _ = 0 _ = (-1) File isqrt-S8.mlw: Line 5: Property failure at postcondition of `isqrt` with: n = 0 result = (-1) ** isqrt-S9 bin/why3 prove --library=bench/check-ce/petiot2018 bench/check-ce/petiot2018/experiments/isqrt-S9.mlw --apply-transform=split_vc --prover=Z3,4.8.10,counterexamples --timelimit=15 --check-ce --rac-prover=Z3,4.8.10 --sub-goal=:14@loop variant decrease --stepslimit=500000 File "bench/check-ce/petiot2018/experiments/isqrt-S9.mlw", line 14, characters 10-16: Sub-goal Loop variant decrease of goal isqrt'vc. Prover result is: Unknown (sat). The program does not comply to the verification goal, for example during the following execution: File isqrt-S9.mlw: Line 3: Execution of main function `isqrt` with env: n = 3 zero = 0 one = 1 Line 6: Normal execution of function `int_ref` with args: i = 3 File lib.mlw: Line 12: Normal execution of function `int_ref'mk` with args: contents = 3 File isqrt-S9.mlw: Line 7: Normal execution of function `( * )` with args: _ = 3 _ = 3 Normal execution of function `int_ref` with args: i = 9 File lib.mlw: Line 12: Normal execution of function `int_ref'mk` with args: contents = 9 File isqrt-S9.mlw: Line 8: Normal execution of function `( * )` with args: _ = (-2) _ = 3 Normal execution of function `(+)` with args: _ = (-6) _ = 1 Normal execution of function `int_ref` with args: i = (-5) File lib.mlw: Line 12: Normal execution of function `int_ref'mk` with args: contents = (-5) File isqrt-S9.mlw: Line 9: Normal execution of function `(!)` with args: r = {contents= 9} File lib.mlw: Line 23: Normal execution of function `contents` with args: arg = {contents= 9} File isqrt-S9.mlw: Line 9: Normal execution of function `(>)` with args: x = 9 y = 3 Normal iteration of loop Line 15: Normal execution of function `(!)` with args: r = {contents= (-5)} File lib.mlw: Line 23: Normal execution of function `contents` with args: arg = {contents= (-5)} File isqrt-S9.mlw: Line 15: Normal execution of function `(!)` with args: r = {contents= 9} File lib.mlw: Line 23: Normal execution of function `contents` with args: arg = {contents= 9} File isqrt-S9.mlw: Line 15: Normal execution of function `(+)` with args: _ = 9 _ = (-5) Normal execution of function `(:=)` with args: r = {contents= 9} i = 4 Line 16: Normal execution of function `(!)` with args: r = {contents= (-5)} File lib.mlw: Line 23: Normal execution of function `contents` with args: arg = {contents= (-5)} File isqrt-S9.mlw: Line 16: Normal execution of function `(+)` with args: _ = (-5) _ = 2 Normal execution of function `(:=)` with args: r = {contents= (-5)} i = (-3) Line 17: Normal execution of function `(!)` with args: r = {contents= 3} File lib.mlw: Line 23: Normal execution of function `contents` with args: arg = {contents= 3} File isqrt-S9.mlw: Line 17: Normal execution of function `(-)` with args: x = 3 y = 1 File int.mlw: Line 23: Normal execution of function `(-_)` with args: _ = 1 Normal execution of function `(+)` with args: _ = 3 _ = (-1) File isqrt-S9.mlw: Line 17: Normal execution of function `(:=)` with args: r = {contents= 3} i = 2 Line 9: Normal execution of function `(!)` with args: r = {contents= 4} File lib.mlw: Line 23: Normal execution of function `contents` with args: arg = {contents= 4} File isqrt-S9.mlw: Line 9: Normal execution of function `(>)` with args: x = 4 y = 3 Normal iteration of loop Line 15: Normal execution of function `(!)` with args: r = {contents= (-3)} File lib.mlw: Line 23: Normal execution of function `contents` with args: arg = {contents= (-3)} File isqrt-S9.mlw: Line 15: Normal execution of function `(!)` with args: r = {contents= 4} File lib.mlw: Line 23: Normal execution of function `contents` with args: arg = {contents= 4} File isqrt-S9.mlw: Line 15: Normal execution of function `(+)` with args: _ = 4 _ = (-3) Normal execution of function `(:=)` with args: r = {contents= 4} i = 1 Line 16: Normal execution of function `(!)` with args: r = {contents= (-3)} File lib.mlw: Line 23: Normal execution of function `contents` with args: arg = {contents= (-3)} File isqrt-S9.mlw: Line 16: Normal execution of function `(+)` with args: _ = (-3) _ = 2 Normal execution of function `(:=)` with args: r = {contents= (-3)} i = (-1) Line 17: Normal execution of function `(!)` with args: r = {contents= 2} File lib.mlw: Line 23: Normal execution of function `contents` with args: arg = {contents= 2} File isqrt-S9.mlw: Line 17: Normal execution of function `(-)` with args: x = 2 y = 1 File int.mlw: Line 23: Normal execution of function `(-_)` with args: _ = 1 Normal execution of function `(+)` with args: _ = 2 _ = (-1) File isqrt-S9.mlw: Line 17: Normal execution of function `(:=)` with args: r = {contents= 2} i = 1 Line 14: Property failure at loop variant decrease with: n = 3 r = {contents= 1} r = {contents= 2} n = 3 ** isqrt-S10 bin/why3 prove --library=bench/check-ce/petiot2018 bench/check-ce/petiot2018/experiments/isqrt-S10.mlw --apply-transform=split_vc --prover=Z3,4.8.10,counterexamples --timelimit=15 --check-ce --rac-prover=Z3,4.8.10 --sub-goal=:14@loop variant decrease --stepslimit=500000 File "bench/check-ce/petiot2018/experiments/isqrt-S10.mlw", line 14, characters 14-16: Sub-goal Loop variant decrease of goal isqrt'vc. Prover result is: Unknown (sat). The contracts of some function or loop are too weak, for example during the following execution: File isqrt-S10.mlw: Line 3: Execution of main function `isqrt` with env: n = 0 zero = 0 one = 1 Line 6: Giant-step execution of function `int_ref` with args: i = 0 result of `int_ref` = {contents= 0} Line 7: Normal execution of function `( * )` with args: _ = 0 _ = 0 Giant-step execution of function `int_ref` with args: i = 0 result of `int_ref` = {contents= 0} Line 8: Normal execution of function `( * )` with args: _ = (-2) _ = 0 Normal execution of function `(+)` with args: _ = 0 _ = 1 Giant-step execution of function `int_ref` with args: i = 1 result of `int_ref` = {contents= 1} Line 9: Giant-step iteration of loop r = {contents= (-2)} y = {contents= 4} z = {contents= 5} Giant-step execution of function `(!)` with args: r = {contents= 4} result of `(!)` = 4 Normal execution of function `(>)` with args: x = 4 y = 0 Normal iteration of loop Line 15: Giant-step execution of function `(!)` with args: r = {contents= 5} result of `(!)` = 5 Giant-step execution of function `(!)` with args: r = {contents= 4} result of `(!)` = 4 Normal execution of function `(+)` with args: _ = 4 _ = 5 Giant-step execution of function `(:=)` with args: r = {contents= 4} i = 9 y = {contents= 9} result of `(:=)` = () Line 16: Giant-step execution of function `(!)` with args: r = {contents= 5} result of `(!)` = 5 Normal execution of function `(+)` with args: _ = 5 _ = 2 Giant-step execution of function `(:=)` with args: r = {contents= 5} i = 7 z = {contents= 7} result of `(:=)` = () Line 17: Giant-step execution of function `(!)` with args: r = {contents= (-2)} result of `(!)` = (-2) Giant-step execution of function `(-)` with args: x = (-2) y = 1 result of `(-)` = (-3) Giant-step execution of function `(:=)` with args: r = {contents= (-2)} i = (-3) r = {contents= (-3)} result of `(:=)` = () Line 14: Property failure at loop variant decrease with: r = {contents= (-3)} r = {contents= (-2)} why3-1.6.0/bench/check-ce/petiot2018/oracles/rgf_CVC4,1.7.oracle000066400000000000000000000401131440160026300234210ustar00rootroot00000000000000* Experiment rgf ** Original File "bench/check-ce/petiot2018/rgf.mlw", line 11, characters 16-33: Sub-goal Variant decrease of goal max_rgf'vc. Prover result is: Valid. File "bench/check-ce/petiot2018/rgf.mlw", line 11, characters 16-33: Sub-goal Precondition of goal max_rgf'vc. Prover result is: Valid. File "bench/check-ce/petiot2018/rgf.mlw", line 11, characters 16-33: Sub-goal Precondition of goal max_rgf'vc. Prover result is: Valid. File "bench/check-ce/petiot2018/rgf.mlw", line 9, characters 36-45: Sub-goal Postcondition of goal max_rgf'vc. Prover result is: Valid. File "bench/check-ce/petiot2018/rgf.mlw", line 19, characters 16-26: Sub-goal Loop invariant init of goal g'vc. Prover result is: Valid. File "bench/check-ce/petiot2018/rgf.mlw", line 20, characters 41-58: Sub-goal Loop invariant init of goal g'vc. Prover result is: Valid. File "bench/check-ce/petiot2018/rgf.mlw", line 21, characters 4-13: Sub-goal Index in array bounds of goal g'vc. Prover result is: Valid. File "bench/check-ce/petiot2018/rgf.mlw", line 19, characters 16-26: Sub-goal Loop invariant preservation of goal g'vc. Prover result is: Valid. File "bench/check-ce/petiot2018/rgf.mlw", line 20, characters 41-58: Sub-goal Loop invariant preservation of goal g'vc. Prover result is: Valid. File "bench/check-ce/petiot2018/rgf.mlw", line 16, characters 37-54: Sub-goal Postcondition of goal g'vc. Prover result is: Valid. File "bench/check-ce/petiot2018/rgf.mlw", line 17, characters 12-29: Sub-goal Postcondition of goal g'vc. Prover result is: Valid. File bench/check-ce/petiot2018/rgf.mlw: Sub-goal Out of loop bounds of goal g'vc. Prover result is: Valid. File "bench/check-ce/petiot2018/rgf.mlw", line 34, characters 16-39: Sub-goal Loop invariant init of goal f'vc. Prover result is: Valid. File "bench/check-ce/petiot2018/rgf.mlw", line 36, characters 16-23: Sub-goal Index in array bounds of goal f'vc. Prover result is: Valid. File "bench/check-ce/petiot2018/rgf.mlw", line 36, characters 7-12: Sub-goal Index in array bounds of goal f'vc. Prover result is: Valid. File "bench/check-ce/petiot2018/rgf.mlw", line 27, characters 12-29: Sub-goal Postcondition of goal f'vc. Prover result is: Valid. File "bench/check-ce/petiot2018/rgf.mlw", line 29, characters 4-105: Sub-goal Postcondition of goal f'vc. Prover result is: Valid. File "bench/check-ce/petiot2018/rgf.mlw", line 40, characters 11-16: Sub-goal Index in array bounds of goal f'vc. Prover result is: Valid. File "bench/check-ce/petiot2018/rgf.mlw", line 40, characters 2-20: Sub-goal Index in array bounds of goal f'vc. Prover result is: Valid. File "bench/check-ce/petiot2018/rgf.mlw", line 41, characters 2-8: Sub-goal Precondition of goal f'vc. Prover result is: Valid. File "bench/check-ce/petiot2018/rgf.mlw", line 41, characters 2-8: Sub-goal Precondition of goal f'vc. Prover result is: Valid. File "bench/check-ce/petiot2018/rgf.mlw", line 42, characters 36-53: Sub-goal Assertion of goal f'vc. Prover result is: Valid. File "bench/check-ce/petiot2018/rgf.mlw", line 27, characters 12-29: Sub-goal Postcondition of goal f'vc. Prover result is: Valid. File "bench/check-ce/petiot2018/rgf.mlw", line 29, characters 4-105: Sub-goal Postcondition of goal f'vc. Prover result is: Valid. File "bench/check-ce/petiot2018/rgf.mlw", line 35, characters 14-16: Sub-goal Loop variant decrease of goal f'vc. Prover result is: Valid. File "bench/check-ce/petiot2018/rgf.mlw", line 34, characters 16-39: Sub-goal Loop invariant preservation of goal f'vc. Prover result is: Valid. File "bench/check-ce/petiot2018/rgf.mlw", line 27, characters 12-29: Sub-goal Postcondition of goal f'vc. Prover result is: Valid. File "bench/check-ce/petiot2018/rgf.mlw", line 29, characters 4-105: Sub-goal Postcondition of goal f'vc. Prover result is: Valid. File "bench/check-ce/petiot2018/rgf.mlw", line 40, characters 11-16: Sub-goal Index in array bounds of goal f'vc. Prover result is: Valid. File "bench/check-ce/petiot2018/rgf.mlw", line 40, characters 2-20: Sub-goal Index in array bounds of goal f'vc. Prover result is: Valid. File "bench/check-ce/petiot2018/rgf.mlw", line 41, characters 2-8: Sub-goal Precondition of goal f'vc. Prover result is: Valid. File "bench/check-ce/petiot2018/rgf.mlw", line 41, characters 2-8: Sub-goal Precondition of goal f'vc. Prover result is: Valid. File "bench/check-ce/petiot2018/rgf.mlw", line 42, characters 36-53: Sub-goal Assertion of goal f'vc. Prover result is: Valid. File "bench/check-ce/petiot2018/rgf.mlw", line 27, characters 12-29: Sub-goal Postcondition of goal f'vc. Prover result is: Valid. File "bench/check-ce/petiot2018/rgf.mlw", line 29, characters 4-105: Sub-goal Postcondition of goal f'vc. Prover result is: Valid. ** rgf-R1 bin/why3 prove --library=bench/check-ce/petiot2018 bench/check-ce/petiot2018/experiments/rgf-R1.mlw --apply-transform=split_vc --prover=CVC4,1.7,counterexamples --timelimit=15 --check-ce --rac-prover=CVC4,1.7 --sub-goal=:41@precondition --stepslimit=10000 File "bench/check-ce/petiot2018/experiments/rgf-R1.mlw", line 41, characters 2-8: Sub-goal Precondition of goal f'vc. Prover result is: Valid. File "bench/check-ce/petiot2018/experiments/rgf-R1.mlw", line 41, characters 2-8: Sub-goal Precondition of goal f'vc. Prover result is: Unknown (unknown + incomplete). The program does not comply to the verification goal, for example during the following execution: File rgf-R1.mlw: Line 24: Execution of main function `f` with env: a = {length= 2; elts= [|0 -> (-1); 1 -> (-1); _ -> 0|]} zero = 0 one = 1 Line 32: Normal execution of function `length` with args: arg = {length= 2; elts= [|0 -> (-1); 1 -> (-1); _ -> 0|]} Normal execution of function `(-)` with args: x = 2 y = 1 File int.mlw: Line 23: Normal execution of function `(-_)` with args: _ = 1 Normal execution of function `(+)` with args: _ = 2 _ = (-1) File rgf-R1.mlw: Line 32: Normal execution of function `int_ref` with args: i = 1 File lib.mlw: Line 12: Normal execution of function `int_ref'mk` with args: contents = 1 File rgf-R1.mlw: Line 33: Normal execution of function `(!)` with args: r = {contents= 1} File lib.mlw: Line 23: Normal execution of function `contents` with args: arg = {contents= 1} File rgf-R1.mlw: Line 33: Normal execution of function `(>=)` with args: x = 1 y = 1 Normal iteration of loop Line 36: Normal execution of function `(!)` with args: r = {contents= 1} File lib.mlw: Line 23: Normal execution of function `contents` with args: arg = {contents= 1} File rgf-R1.mlw: Line 36: Normal execution of function `(-)` with args: x = 1 y = 1 File int.mlw: Line 23: Normal execution of function `(-_)` with args: _ = 1 Normal execution of function `(+)` with args: _ = 1 _ = (-1) File rgf-R1.mlw: Line 36: Normal execution of function `([])` with args: a = {length= 2; elts= [|0 -> (-1); 1 -> (-1); _ -> 0|]} i = 0 File lib.mlw: Line 43: Normal execution of function `elts` with args: arg = {length= 2; elts= [|0 -> (-1); 1 -> (-1); _ -> 0|]} Normal execution of function `(@)` with args: u = [|0 -> (-1); 1 -> (-1); _ -> 0|] u = 0 File rgf-R1.mlw: Line 36: Normal execution of function `(!)` with args: r = {contents= 1} File lib.mlw: Line 23: Normal execution of function `contents` with args: arg = {contents= 1} File rgf-R1.mlw: Line 36: Normal execution of function `([])` with args: a = {length= 2; elts= [|0 -> (-1); 1 -> (-1); _ -> 0|]} i = 1 File lib.mlw: Line 43: Normal execution of function `elts` with args: arg = {length= 2; elts= [|0 -> (-1); 1 -> (-1); _ -> 0|]} Normal execution of function `(@)` with args: u = [|0 -> (-1); 1 -> (-1); _ -> 0|] u = 1 File rgf-R1.mlw: Line 36: Normal execution of function `(<=)` with args: x = (-1) y = (-1) Normal execution of function `Tuple0` with args: Unknown location: Normal execution of function `Tuple0` with args: File rgf-R1.mlw: Line 39: Normal execution of function `(!)` with args: r = {contents= 1} File lib.mlw: Line 23: Normal execution of function `contents` with args: arg = {contents= 1} File rgf-R1.mlw: Line 39: Normal execution of function `(=)` with args: x = 1 y = 0 Normal execution of function `Tuple0` with args: Line 40: Normal execution of function `(!)` with args: r = {contents= 1} File lib.mlw: Line 23: Normal execution of function `contents` with args: arg = {contents= 1} File rgf-R1.mlw: Line 40: Normal execution of function `([])` with args: a = {length= 2; elts= [|0 -> (-1); 1 -> (-1); _ -> 0|]} i = 1 File lib.mlw: Line 43: Normal execution of function `elts` with args: arg = {length= 2; elts= [|0 -> (-1); 1 -> (-1); _ -> 0|]} Normal execution of function `(@)` with args: u = [|0 -> (-1); 1 -> (-1); _ -> 0|] u = 1 File rgf-R1.mlw: Line 40: Normal execution of function `(+)` with args: _ = (-1) _ = 1 Normal execution of function `(!)` with args: r = {contents= 1} File lib.mlw: Line 23: Normal execution of function `contents` with args: arg = {contents= 1} File rgf-R1.mlw: Line 40: Normal execution of function `([]<-)` with args: a = {length= 2; elts= [|0 -> (-1); 1 -> (-1); _ -> 0|]} i = 1 v = 0 File lib.mlw: Line 48: Normal execution of function `elts` with args: arg = {length= 2; elts= [|0 -> (-1); 1 -> (-1); _ -> 0|]} File rgf-R1.mlw: Line 41: Normal execution of function `(!)` with args: r = {contents= 1} File lib.mlw: Line 23: Normal execution of function `contents` with args: arg = {contents= 1} File rgf-R1.mlw: Line 41: Normal execution of function `g` with args: a = {length= 2; elts= (fun j -> if j = i then v else elts1 j) with i = 1, v = 0, elts1 = [|0 -> (-1); 1 -> (-1); _ -> 0|]} i = 1 Property failure at precondition of `g` with: a = {length= 2; elts= (fun j -> if j = i then v else elts1 j) with i = 1, v = 0, elts1 = [|0 -> (-1); 1 -> (-1); _ -> 0|]} i = 1 File "bench/check-ce/petiot2018/experiments/rgf-R1.mlw", line 41, characters 2-8: Sub-goal Precondition of goal f'vc. Prover result is: Valid. File "bench/check-ce/petiot2018/experiments/rgf-R1.mlw", line 41, characters 2-8: Sub-goal Precondition of goal f'vc. Prover result is: Valid. ** rgf-R4 bin/why3 prove --library=bench/check-ce/petiot2018 bench/check-ce/petiot2018/experiments/rgf-R4.mlw --apply-transform=split_vc --prover=CVC4,1.7,counterexamples --timelimit=15 --check-ce --rac-prover=CVC4,1.7 --sub-goal=:41@precondition --stepslimit=10000 File "bench/check-ce/petiot2018/experiments/rgf-R4.mlw", line 41, characters 2-8: Sub-goal Precondition of goal f'vc. Prover result is: Valid. File "bench/check-ce/petiot2018/experiments/rgf-R4.mlw", line 41, characters 2-8: Sub-goal Precondition of goal f'vc. Prover result is: Step limit exceeded. The program does not comply to the verification goal, for example during the following execution: File rgf-R4.mlw: Line 24: Execution of main function `f` with env: a = {length= 2; elts= [|; _ -> 0|]} zero = 0 one = 1 Line 32: Normal execution of function `length` with args: arg = {length= 2; elts= [|; _ -> 0|]} Normal execution of function `(-)` with args: x = 2 y = 1 File int.mlw: Line 23: Normal execution of function `(-_)` with args: _ = 1 Normal execution of function `(+)` with args: _ = 2 _ = (-1) File rgf-R4.mlw: Line 32: Normal execution of function `int_ref` with args: i = 1 File lib.mlw: Line 12: Normal execution of function `int_ref'mk` with args: contents = 1 File rgf-R4.mlw: Line 33: Normal execution of function `(!)` with args: r = {contents= 1} File lib.mlw: Line 23: Normal execution of function `contents` with args: arg = {contents= 1} File rgf-R4.mlw: Line 33: Normal execution of function `(>=)` with args: x = 1 y = 1 Normal iteration of loop Line 36: Normal execution of function `(!)` with args: r = {contents= 1} File lib.mlw: Line 23: Normal execution of function `contents` with args: arg = {contents= 1} File rgf-R4.mlw: Line 36: Normal execution of function `(-)` with args: x = 1 y = 1 File int.mlw: Line 23: Normal execution of function `(-_)` with args: _ = 1 Normal execution of function `(+)` with args: _ = 1 _ = (-1) File rgf-R4.mlw: Line 36: Normal execution of function `([])` with args: a = {length= 2; elts= [|; _ -> 0|]} i = 0 File lib.mlw: Line 43: Normal execution of function `elts` with args: arg = {length= 2; elts= [|; _ -> 0|]} Normal execution of function `(@)` with args: u = [|; _ -> 0|] u = 0 File rgf-R4.mlw: Line 36: Normal execution of function `(!)` with args: r = {contents= 1} File lib.mlw: Line 23: Normal execution of function `contents` with args: arg = {contents= 1} File rgf-R4.mlw: Line 36: Normal execution of function `([])` with args: a = {length= 2; elts= [|; _ -> 0|]} i = 1 File lib.mlw: Line 43: Normal execution of function `elts` with args: arg = {length= 2; elts= [|; _ -> 0|]} Normal execution of function `(@)` with args: u = [|; _ -> 0|] u = 1 File rgf-R4.mlw: Line 36: Normal execution of function `(<=)` with args: x = 0 y = 0 Normal execution of function `Tuple0` with args: Unknown location: Normal execution of function `Tuple0` with args: File rgf-R4.mlw: Line 39: Normal execution of function `(!)` with args: r = {contents= 1} File lib.mlw: Line 23: Normal execution of function `contents` with args: arg = {contents= 1} File rgf-R4.mlw: Line 39: Normal execution of function `(=)` with args: x = 1 y = 0 Normal execution of function `Tuple0` with args: Line 40: Normal execution of function `(!)` with args: r = {contents= 1} File lib.mlw: Line 23: Normal execution of function `contents` with args: arg = {contents= 1} File rgf-R4.mlw: Line 40: Normal execution of function `([])` with args: a = {length= 2; elts= [|; _ -> 0|]} i = 1 File lib.mlw: Line 43: Normal execution of function `elts` with args: arg = {length= 2; elts= [|; _ -> 0|]} Normal execution of function `(@)` with args: u = [|; _ -> 0|] u = 1 File rgf-R4.mlw: Line 40: Normal execution of function `(+)` with args: _ = 0 _ = 2 Normal execution of function `(!)` with args: r = {contents= 1} File lib.mlw: Line 23: Normal execution of function `contents` with args: arg = {contents= 1} File rgf-R4.mlw: Line 40: Normal execution of function `([]<-)` with args: a = {length= 2; elts= [|; _ -> 0|]} i = 1 v = 2 File lib.mlw: Line 48: Normal execution of function `elts` with args: arg = {length= 2; elts= [|; _ -> 0|]} File rgf-R4.mlw: Line 41: Normal execution of function `(!)` with args: r = {contents= 1} File lib.mlw: Line 23: Normal execution of function `contents` with args: arg = {contents= 1} File rgf-R4.mlw: Line 41: Normal execution of function `g` with args: a = {length= 2; elts= (fun j -> if j = i then v else elts1 j) with i = 1, v = 2, elts1 = [|; _ -> 0|]} i = 1 Property failure at precondition of `g` with: a = {length= 2; elts= (fun j -> if j = i then v else elts1 j) with i = 1, v = 2, elts1 = [|; _ -> 0|]} i = 1 File "bench/check-ce/petiot2018/experiments/rgf-R4.mlw", line 41, characters 2-8: Sub-goal Precondition of goal f'vc. Prover result is: Valid. File "bench/check-ce/petiot2018/experiments/rgf-R4.mlw", line 41, characters 2-8: Sub-goal Precondition of goal f'vc. Prover result is: Valid. why3-1.6.0/bench/check-ce/petiot2018/oracles/rgf_CVC4,1.8.oracle000066400000000000000000000425641440160026300234360ustar00rootroot00000000000000* Experiment rgf ** Original File "bench/check-ce/petiot2018/rgf.mlw", line 11, characters 16-33: Sub-goal Variant decrease of goal max_rgf'vc. Prover result is: Valid. File "bench/check-ce/petiot2018/rgf.mlw", line 11, characters 16-33: Sub-goal Precondition of goal max_rgf'vc. Prover result is: Valid. File "bench/check-ce/petiot2018/rgf.mlw", line 11, characters 16-33: Sub-goal Precondition of goal max_rgf'vc. Prover result is: Valid. File "bench/check-ce/petiot2018/rgf.mlw", line 9, characters 36-45: Sub-goal Postcondition of goal max_rgf'vc. Prover result is: Valid. File "bench/check-ce/petiot2018/rgf.mlw", line 19, characters 16-26: Sub-goal Loop invariant init of goal g'vc. Prover result is: Valid. File "bench/check-ce/petiot2018/rgf.mlw", line 20, characters 41-58: Sub-goal Loop invariant init of goal g'vc. Prover result is: Valid. File "bench/check-ce/petiot2018/rgf.mlw", line 21, characters 4-13: Sub-goal Index in array bounds of goal g'vc. Prover result is: Valid. File "bench/check-ce/petiot2018/rgf.mlw", line 19, characters 16-26: Sub-goal Loop invariant preservation of goal g'vc. Prover result is: Valid. File "bench/check-ce/petiot2018/rgf.mlw", line 20, characters 41-58: Sub-goal Loop invariant preservation of goal g'vc. Prover result is: Valid. File "bench/check-ce/petiot2018/rgf.mlw", line 16, characters 37-54: Sub-goal Postcondition of goal g'vc. Prover result is: Valid. File "bench/check-ce/petiot2018/rgf.mlw", line 17, characters 12-29: Sub-goal Postcondition of goal g'vc. Prover result is: Valid. File bench/check-ce/petiot2018/rgf.mlw: Sub-goal Out of loop bounds of goal g'vc. Prover result is: Valid. File "bench/check-ce/petiot2018/rgf.mlw", line 34, characters 16-39: Sub-goal Loop invariant init of goal f'vc. Prover result is: Valid. File "bench/check-ce/petiot2018/rgf.mlw", line 36, characters 16-23: Sub-goal Index in array bounds of goal f'vc. Prover result is: Valid. File "bench/check-ce/petiot2018/rgf.mlw", line 36, characters 7-12: Sub-goal Index in array bounds of goal f'vc. Prover result is: Valid. File "bench/check-ce/petiot2018/rgf.mlw", line 27, characters 12-29: Sub-goal Postcondition of goal f'vc. Prover result is: Valid. File "bench/check-ce/petiot2018/rgf.mlw", line 29, character 4 to line 31, character 45: Sub-goal Postcondition of goal f'vc. Prover result is: Valid. File "bench/check-ce/petiot2018/rgf.mlw", line 40, characters 11-16: Sub-goal Index in array bounds of goal f'vc. Prover result is: Valid. File "bench/check-ce/petiot2018/rgf.mlw", line 40, characters 2-20: Sub-goal Index in array bounds of goal f'vc. Prover result is: Valid. File "bench/check-ce/petiot2018/rgf.mlw", line 41, characters 2-8: Sub-goal Precondition of goal f'vc. Prover result is: Valid. File "bench/check-ce/petiot2018/rgf.mlw", line 41, characters 2-8: Sub-goal Precondition of goal f'vc. Prover result is: Valid. File "bench/check-ce/petiot2018/rgf.mlw", line 42, characters 36-53: Sub-goal Assertion of goal f'vc. Prover result is: Valid. File "bench/check-ce/petiot2018/rgf.mlw", line 27, characters 12-29: Sub-goal Postcondition of goal f'vc. Prover result is: Valid. File "bench/check-ce/petiot2018/rgf.mlw", line 29, character 4 to line 31, character 45: Sub-goal Postcondition of goal f'vc. Prover result is: Valid. File "bench/check-ce/petiot2018/rgf.mlw", line 35, characters 14-16: Sub-goal Loop variant decrease of goal f'vc. Prover result is: Valid. File "bench/check-ce/petiot2018/rgf.mlw", line 34, characters 16-39: Sub-goal Loop invariant preservation of goal f'vc. Prover result is: Valid. File "bench/check-ce/petiot2018/rgf.mlw", line 27, characters 12-29: Sub-goal Postcondition of goal f'vc. Prover result is: Valid. File "bench/check-ce/petiot2018/rgf.mlw", line 29, character 4 to line 31, character 45: Sub-goal Postcondition of goal f'vc. Prover result is: Valid. File "bench/check-ce/petiot2018/rgf.mlw", line 40, characters 11-16: Sub-goal Index in array bounds of goal f'vc. Prover result is: Valid. File "bench/check-ce/petiot2018/rgf.mlw", line 40, characters 2-20: Sub-goal Index in array bounds of goal f'vc. Prover result is: Valid. File "bench/check-ce/petiot2018/rgf.mlw", line 41, characters 2-8: Sub-goal Precondition of goal f'vc. Prover result is: Valid. File "bench/check-ce/petiot2018/rgf.mlw", line 41, characters 2-8: Sub-goal Precondition of goal f'vc. Prover result is: Valid. File "bench/check-ce/petiot2018/rgf.mlw", line 42, characters 36-53: Sub-goal Assertion of goal f'vc. Prover result is: Valid. File "bench/check-ce/petiot2018/rgf.mlw", line 27, characters 12-29: Sub-goal Postcondition of goal f'vc. Prover result is: Valid. File "bench/check-ce/petiot2018/rgf.mlw", line 29, character 4 to line 31, character 45: Sub-goal Postcondition of goal f'vc. Prover result is: Valid. ** rgf-R1 bin/why3 prove --library=bench/check-ce/petiot2018 bench/check-ce/petiot2018/experiments/rgf-R1.mlw --apply-transform=split_vc --prover=CVC4,1.8,counterexamples --timelimit=15 --check-ce --rac-prover=CVC4,1.8 --sub-goal=:41@precondition --stepslimit=10000 File "bench/check-ce/petiot2018/experiments/rgf-R1.mlw", line 41, characters 2-8: Sub-goal Precondition of goal f'vc. Prover result is: Valid. File "bench/check-ce/petiot2018/experiments/rgf-R1.mlw", line 41, characters 2-8: Sub-goal Precondition of goal f'vc. Prover result is: Unknown (unknown + incomplete). The program does not comply to the verification goal, for example during the following execution: File rgf-R1.mlw: Line 24: Execution of main function `f` with env: a = {length= 2; elts= fun (x:int) -> if x = 0 then (- 1) else if x = 1 then (- 1) else 0} zero = 0 one = 1 Line 32: Normal execution of function `length` with args: arg = {length= 2; elts= fun (x:int) -> if x = 0 then (- 1) else if x = 1 then (- 1) else 0} Normal execution of function `(-)` with args: x = 2 y = 1 File int.mlw: Line 23: Normal execution of function `(-_)` with args: _ = 1 Normal execution of function `(+)` with args: _ = 2 _ = (-1) File rgf-R1.mlw: Line 32: Normal execution of function `int_ref` with args: i = 1 File lib.mlw: Line 12: Normal execution of function `int_ref'mk` with args: contents = 1 File rgf-R1.mlw: Line 33: Normal execution of function `(!)` with args: r = {contents= 1} File lib.mlw: Line 23: Normal execution of function `contents` with args: arg = {contents= 1} File rgf-R1.mlw: Line 33: Normal execution of function `(>=)` with args: x = 1 y = 1 Normal iteration of loop Line 36: Normal execution of function `(!)` with args: r = {contents= 1} File lib.mlw: Line 23: Normal execution of function `contents` with args: arg = {contents= 1} File rgf-R1.mlw: Line 36: Normal execution of function `(-)` with args: x = 1 y = 1 File int.mlw: Line 23: Normal execution of function `(-_)` with args: _ = 1 Normal execution of function `(+)` with args: _ = 1 _ = (-1) File rgf-R1.mlw: Line 36: Normal execution of function `([])` with args: a = {length= 2; elts= fun (x:int) -> if x = 0 then (- 1) else if x = 1 then (- 1) else 0} i = 0 File lib.mlw: Line 43: Normal execution of function `elts` with args: arg = {length= 2; elts= fun (x:int) -> if x = 0 then (- 1) else if x = 1 then (- 1) else 0} Normal execution of function `(@)` with args: u = fun (x:int) -> if x = 0 then (- 1) else if x = 1 then (- 1) else 0 u = 0 File rgf-R1.mlw: Line 36: Normal execution of function `(!)` with args: r = {contents= 1} File lib.mlw: Line 23: Normal execution of function `contents` with args: arg = {contents= 1} File rgf-R1.mlw: Line 36: Normal execution of function `([])` with args: a = {length= 2; elts= fun (x:int) -> if x = 0 then (- 1) else if x = 1 then (- 1) else 0} i = 1 File lib.mlw: Line 43: Normal execution of function `elts` with args: arg = {length= 2; elts= fun (x:int) -> if x = 0 then (- 1) else if x = 1 then (- 1) else 0} Normal execution of function `(@)` with args: u = fun (x:int) -> if x = 0 then (- 1) else if x = 1 then (- 1) else 0 u = 1 File rgf-R1.mlw: Line 36: Normal execution of function `(<=)` with args: x = (- 1) y = (- 1) Normal execution of function `Tuple0` with args: Unknown location: Normal execution of function `Tuple0` with args: File rgf-R1.mlw: Line 39: Normal execution of function `(!)` with args: r = {contents= 1} File lib.mlw: Line 23: Normal execution of function `contents` with args: arg = {contents= 1} File rgf-R1.mlw: Line 39: Normal execution of function `(=)` with args: x = 1 y = 0 Normal execution of function `Tuple0` with args: Line 40: Normal execution of function `(!)` with args: r = {contents= 1} File lib.mlw: Line 23: Normal execution of function `contents` with args: arg = {contents= 1} File rgf-R1.mlw: Line 40: Normal execution of function `([])` with args: a = {length= 2; elts= fun (x:int) -> if x = 0 then (- 1) else if x = 1 then (- 1) else 0} i = 1 File lib.mlw: Line 43: Normal execution of function `elts` with args: arg = {length= 2; elts= fun (x:int) -> if x = 0 then (- 1) else if x = 1 then (- 1) else 0} Normal execution of function `(@)` with args: u = fun (x:int) -> if x = 0 then (- 1) else if x = 1 then (- 1) else 0 u = 1 File rgf-R1.mlw: Line 40: Normal execution of function `(+)` with args: _ = (- 1) _ = 1 Normal execution of function `(!)` with args: r = {contents= 1} File lib.mlw: Line 23: Normal execution of function `contents` with args: arg = {contents= 1} File rgf-R1.mlw: Line 40: Normal execution of function `([]<-)` with args: a = {length= 2; elts= fun (x:int) -> if x = 0 then (- 1) else if x = 1 then (- 1) else 0} i = 1 v = 0 File lib.mlw: Line 48: Normal execution of function `elts` with args: arg = {length= 2; elts= fun (x:int) -> if x = 0 then (- 1) else if x = 1 then (- 1) else 0} File rgf-R1.mlw: Line 41: Normal execution of function `(!)` with args: r = {contents= 1} File lib.mlw: Line 23: Normal execution of function `contents` with args: arg = {contents= 1} File rgf-R1.mlw: Line 41: Normal execution of function `g` with args: a = {length= 2; elts= (fun j -> if j = i then v else elts1 j) with i = 1, v = 0, elts1 = fun (x:int) -> if x = 0 then (- 1) else if x = 1 then (- 1) else 0} i = 1 Property failure at precondition of `g` with: a = {length= 2; elts= (fun j -> if j = i then v else elts1 j) with i = 1, v = 0, elts1 = fun (x:int) -> if x = 0 then (- 1) else if x = 1 then (- 1) else 0} i = 1 File "bench/check-ce/petiot2018/experiments/rgf-R1.mlw", line 41, characters 2-8: Sub-goal Precondition of goal f'vc. Prover result is: Valid. File "bench/check-ce/petiot2018/experiments/rgf-R1.mlw", line 41, characters 2-8: Sub-goal Precondition of goal f'vc. Prover result is: Valid. ** rgf-R4 bin/why3 prove --library=bench/check-ce/petiot2018 bench/check-ce/petiot2018/experiments/rgf-R4.mlw --apply-transform=split_vc --prover=CVC4,1.8,counterexamples --timelimit=15 --check-ce --rac-prover=CVC4,1.8 --sub-goal=:41@precondition --stepslimit=10000 File "bench/check-ce/petiot2018/experiments/rgf-R4.mlw", line 41, characters 2-8: Sub-goal Precondition of goal f'vc. Prover result is: Valid. File "bench/check-ce/petiot2018/experiments/rgf-R4.mlw", line 41, characters 2-8: Sub-goal Precondition of goal f'vc. Prover result is: Step limit exceeded. The program does not comply to the verification goal, for example during the following execution: File rgf-R4.mlw: Line 24: Execution of main function `f` with env: a = {length= 2; elts= fun (x:int) -> 0} zero = 0 one = 1 Line 32: Normal execution of function `length` with args: arg = {length= 2; elts= fun (x:int) -> 0} Normal execution of function `(-)` with args: x = 2 y = 1 File int.mlw: Line 23: Normal execution of function `(-_)` with args: _ = 1 Normal execution of function `(+)` with args: _ = 2 _ = (-1) File rgf-R4.mlw: Line 32: Normal execution of function `int_ref` with args: i = 1 File lib.mlw: Line 12: Normal execution of function `int_ref'mk` with args: contents = 1 File rgf-R4.mlw: Line 33: Normal execution of function `(!)` with args: r = {contents= 1} File lib.mlw: Line 23: Normal execution of function `contents` with args: arg = {contents= 1} File rgf-R4.mlw: Line 33: Normal execution of function `(>=)` with args: x = 1 y = 1 Normal iteration of loop Line 36: Normal execution of function `(!)` with args: r = {contents= 1} File lib.mlw: Line 23: Normal execution of function `contents` with args: arg = {contents= 1} File rgf-R4.mlw: Line 36: Normal execution of function `(-)` with args: x = 1 y = 1 File int.mlw: Line 23: Normal execution of function `(-_)` with args: _ = 1 Normal execution of function `(+)` with args: _ = 1 _ = (-1) File rgf-R4.mlw: Line 36: Normal execution of function `([])` with args: a = {length= 2; elts= fun (x:int) -> 0} i = 0 File lib.mlw: Line 43: Normal execution of function `elts` with args: arg = {length= 2; elts= fun (x:int) -> 0} Normal execution of function `(@)` with args: u = fun (x:int) -> 0 u = 0 File rgf-R4.mlw: Line 36: Normal execution of function `(!)` with args: r = {contents= 1} File lib.mlw: Line 23: Normal execution of function `contents` with args: arg = {contents= 1} File rgf-R4.mlw: Line 36: Normal execution of function `([])` with args: a = {length= 2; elts= fun (x:int) -> 0} i = 1 File lib.mlw: Line 43: Normal execution of function `elts` with args: arg = {length= 2; elts= fun (x:int) -> 0} Normal execution of function `(@)` with args: u = fun (x:int) -> 0 u = 1 File rgf-R4.mlw: Line 36: Normal execution of function `(<=)` with args: x = 0 y = 0 Normal execution of function `Tuple0` with args: Unknown location: Normal execution of function `Tuple0` with args: File rgf-R4.mlw: Line 39: Normal execution of function `(!)` with args: r = {contents= 1} File lib.mlw: Line 23: Normal execution of function `contents` with args: arg = {contents= 1} File rgf-R4.mlw: Line 39: Normal execution of function `(=)` with args: x = 1 y = 0 Normal execution of function `Tuple0` with args: Line 40: Normal execution of function `(!)` with args: r = {contents= 1} File lib.mlw: Line 23: Normal execution of function `contents` with args: arg = {contents= 1} File rgf-R4.mlw: Line 40: Normal execution of function `([])` with args: a = {length= 2; elts= fun (x:int) -> 0} i = 1 File lib.mlw: Line 43: Normal execution of function `elts` with args: arg = {length= 2; elts= fun (x:int) -> 0} Normal execution of function `(@)` with args: u = fun (x:int) -> 0 u = 1 File rgf-R4.mlw: Line 40: Normal execution of function `(+)` with args: _ = 0 _ = 2 Normal execution of function `(!)` with args: r = {contents= 1} File lib.mlw: Line 23: Normal execution of function `contents` with args: arg = {contents= 1} File rgf-R4.mlw: Line 40: Normal execution of function `([]<-)` with args: a = {length= 2; elts= fun (x:int) -> 0} i = 1 v = 2 File lib.mlw: Line 48: Normal execution of function `elts` with args: arg = {length= 2; elts= fun (x:int) -> 0} File rgf-R4.mlw: Line 41: Normal execution of function `(!)` with args: r = {contents= 1} File lib.mlw: Line 23: Normal execution of function `contents` with args: arg = {contents= 1} File rgf-R4.mlw: Line 41: Normal execution of function `g` with args: a = {length= 2; elts= (fun j -> if j = i then v else elts1 j) with i = 1, v = 2, elts1 = fun (x:int) -> 0} i = 1 Property failure at precondition of `g` with: a = {length= 2; elts= (fun j -> if j = i then v else elts1 j) with i = 1, v = 2, elts1 = fun (x:int) -> 0} i = 1 File "bench/check-ce/petiot2018/experiments/rgf-R4.mlw", line 41, characters 2-8: Sub-goal Precondition of goal f'vc. Prover result is: Valid. File "bench/check-ce/petiot2018/experiments/rgf-R4.mlw", line 41, characters 2-8: Sub-goal Precondition of goal f'vc. Prover result is: Valid. why3-1.6.0/bench/check-ce/petiot2018/oracles/rgf_CVC5,1.0.0.oracle000066400000000000000000000425741440160026300235660ustar00rootroot00000000000000* Experiment rgf ** Original File "bench/check-ce/petiot2018/rgf.mlw", line 11, characters 16-33: Sub-goal Variant decrease of goal max_rgf'vc. Prover result is: Valid. File "bench/check-ce/petiot2018/rgf.mlw", line 11, characters 16-33: Sub-goal Precondition of goal max_rgf'vc. Prover result is: Valid. File "bench/check-ce/petiot2018/rgf.mlw", line 11, characters 16-33: Sub-goal Precondition of goal max_rgf'vc. Prover result is: Valid. File "bench/check-ce/petiot2018/rgf.mlw", line 9, characters 36-45: Sub-goal Postcondition of goal max_rgf'vc. Prover result is: Valid. File "bench/check-ce/petiot2018/rgf.mlw", line 19, characters 16-26: Sub-goal Loop invariant init of goal g'vc. Prover result is: Valid. File "bench/check-ce/petiot2018/rgf.mlw", line 20, characters 41-58: Sub-goal Loop invariant init of goal g'vc. Prover result is: Valid. File "bench/check-ce/petiot2018/rgf.mlw", line 21, characters 4-13: Sub-goal Index in array bounds of goal g'vc. Prover result is: Valid. File "bench/check-ce/petiot2018/rgf.mlw", line 19, characters 16-26: Sub-goal Loop invariant preservation of goal g'vc. Prover result is: Valid. File "bench/check-ce/petiot2018/rgf.mlw", line 20, characters 41-58: Sub-goal Loop invariant preservation of goal g'vc. Prover result is: Valid. File "bench/check-ce/petiot2018/rgf.mlw", line 16, characters 37-54: Sub-goal Postcondition of goal g'vc. Prover result is: Valid. File "bench/check-ce/petiot2018/rgf.mlw", line 17, characters 12-29: Sub-goal Postcondition of goal g'vc. Prover result is: Valid. File bench/check-ce/petiot2018/rgf.mlw: Sub-goal Out of loop bounds of goal g'vc. Prover result is: Valid. File "bench/check-ce/petiot2018/rgf.mlw", line 34, characters 16-39: Sub-goal Loop invariant init of goal f'vc. Prover result is: Valid. File "bench/check-ce/petiot2018/rgf.mlw", line 36, characters 16-23: Sub-goal Index in array bounds of goal f'vc. Prover result is: Valid. File "bench/check-ce/petiot2018/rgf.mlw", line 36, characters 7-12: Sub-goal Index in array bounds of goal f'vc. Prover result is: Valid. File "bench/check-ce/petiot2018/rgf.mlw", line 27, characters 12-29: Sub-goal Postcondition of goal f'vc. Prover result is: Valid. File "bench/check-ce/petiot2018/rgf.mlw", line 29, character 4 to line 31, character 45: Sub-goal Postcondition of goal f'vc. Prover result is: Valid. File "bench/check-ce/petiot2018/rgf.mlw", line 40, characters 11-16: Sub-goal Index in array bounds of goal f'vc. Prover result is: Valid. File "bench/check-ce/petiot2018/rgf.mlw", line 40, characters 2-20: Sub-goal Index in array bounds of goal f'vc. Prover result is: Valid. File "bench/check-ce/petiot2018/rgf.mlw", line 41, characters 2-8: Sub-goal Precondition of goal f'vc. Prover result is: Valid. File "bench/check-ce/petiot2018/rgf.mlw", line 41, characters 2-8: Sub-goal Precondition of goal f'vc. Prover result is: Valid. File "bench/check-ce/petiot2018/rgf.mlw", line 42, characters 36-53: Sub-goal Assertion of goal f'vc. Prover result is: Valid. File "bench/check-ce/petiot2018/rgf.mlw", line 27, characters 12-29: Sub-goal Postcondition of goal f'vc. Prover result is: Valid. File "bench/check-ce/petiot2018/rgf.mlw", line 29, character 4 to line 31, character 45: Sub-goal Postcondition of goal f'vc. Prover result is: Valid. File "bench/check-ce/petiot2018/rgf.mlw", line 35, characters 14-16: Sub-goal Loop variant decrease of goal f'vc. Prover result is: Valid. File "bench/check-ce/petiot2018/rgf.mlw", line 34, characters 16-39: Sub-goal Loop invariant preservation of goal f'vc. Prover result is: Valid. File "bench/check-ce/petiot2018/rgf.mlw", line 27, characters 12-29: Sub-goal Postcondition of goal f'vc. Prover result is: Valid. File "bench/check-ce/petiot2018/rgf.mlw", line 29, character 4 to line 31, character 45: Sub-goal Postcondition of goal f'vc. Prover result is: Valid. File "bench/check-ce/petiot2018/rgf.mlw", line 40, characters 11-16: Sub-goal Index in array bounds of goal f'vc. Prover result is: Valid. File "bench/check-ce/petiot2018/rgf.mlw", line 40, characters 2-20: Sub-goal Index in array bounds of goal f'vc. Prover result is: Valid. File "bench/check-ce/petiot2018/rgf.mlw", line 41, characters 2-8: Sub-goal Precondition of goal f'vc. Prover result is: Valid. File "bench/check-ce/petiot2018/rgf.mlw", line 41, characters 2-8: Sub-goal Precondition of goal f'vc. Prover result is: Valid. File "bench/check-ce/petiot2018/rgf.mlw", line 42, characters 36-53: Sub-goal Assertion of goal f'vc. Prover result is: Valid. File "bench/check-ce/petiot2018/rgf.mlw", line 27, characters 12-29: Sub-goal Postcondition of goal f'vc. Prover result is: Valid. File "bench/check-ce/petiot2018/rgf.mlw", line 29, character 4 to line 31, character 45: Sub-goal Postcondition of goal f'vc. Prover result is: Valid. ** rgf-R1 bin/why3 prove --library=bench/check-ce/petiot2018 bench/check-ce/petiot2018/experiments/rgf-R1.mlw --apply-transform=split_vc --prover=CVC5,1.0.0,counterexamples --timelimit=15 --check-ce --rac-prover=CVC5,1.0.0 --sub-goal=:41@precondition --stepslimit=10000 File "bench/check-ce/petiot2018/experiments/rgf-R1.mlw", line 41, characters 2-8: Sub-goal Precondition of goal f'vc. Prover result is: Valid. File "bench/check-ce/petiot2018/experiments/rgf-R1.mlw", line 41, characters 2-8: Sub-goal Precondition of goal f'vc. Prover result is: Unknown (unknown + incomplete). The program does not comply to the verification goal, for example during the following execution: File rgf-R1.mlw: Line 24: Execution of main function `f` with env: a = {length= 2; elts= fun (x:int) -> if x = 0 then (- 1) else if x = 1 then (- 1) else 0} zero = 0 one = 1 Line 32: Normal execution of function `length` with args: arg = {length= 2; elts= fun (x:int) -> if x = 0 then (- 1) else if x = 1 then (- 1) else 0} Normal execution of function `(-)` with args: x = 2 y = 1 File int.mlw: Line 23: Normal execution of function `(-_)` with args: _ = 1 Normal execution of function `(+)` with args: _ = 2 _ = (-1) File rgf-R1.mlw: Line 32: Normal execution of function `int_ref` with args: i = 1 File lib.mlw: Line 12: Normal execution of function `int_ref'mk` with args: contents = 1 File rgf-R1.mlw: Line 33: Normal execution of function `(!)` with args: r = {contents= 1} File lib.mlw: Line 23: Normal execution of function `contents` with args: arg = {contents= 1} File rgf-R1.mlw: Line 33: Normal execution of function `(>=)` with args: x = 1 y = 1 Normal iteration of loop Line 36: Normal execution of function `(!)` with args: r = {contents= 1} File lib.mlw: Line 23: Normal execution of function `contents` with args: arg = {contents= 1} File rgf-R1.mlw: Line 36: Normal execution of function `(-)` with args: x = 1 y = 1 File int.mlw: Line 23: Normal execution of function `(-_)` with args: _ = 1 Normal execution of function `(+)` with args: _ = 1 _ = (-1) File rgf-R1.mlw: Line 36: Normal execution of function `([])` with args: a = {length= 2; elts= fun (x:int) -> if x = 0 then (- 1) else if x = 1 then (- 1) else 0} i = 0 File lib.mlw: Line 43: Normal execution of function `elts` with args: arg = {length= 2; elts= fun (x:int) -> if x = 0 then (- 1) else if x = 1 then (- 1) else 0} Normal execution of function `(@)` with args: u = fun (x:int) -> if x = 0 then (- 1) else if x = 1 then (- 1) else 0 u = 0 File rgf-R1.mlw: Line 36: Normal execution of function `(!)` with args: r = {contents= 1} File lib.mlw: Line 23: Normal execution of function `contents` with args: arg = {contents= 1} File rgf-R1.mlw: Line 36: Normal execution of function `([])` with args: a = {length= 2; elts= fun (x:int) -> if x = 0 then (- 1) else if x = 1 then (- 1) else 0} i = 1 File lib.mlw: Line 43: Normal execution of function `elts` with args: arg = {length= 2; elts= fun (x:int) -> if x = 0 then (- 1) else if x = 1 then (- 1) else 0} Normal execution of function `(@)` with args: u = fun (x:int) -> if x = 0 then (- 1) else if x = 1 then (- 1) else 0 u = 1 File rgf-R1.mlw: Line 36: Normal execution of function `(<=)` with args: x = (- 1) y = (- 1) Normal execution of function `Tuple0` with args: Unknown location: Normal execution of function `Tuple0` with args: File rgf-R1.mlw: Line 39: Normal execution of function `(!)` with args: r = {contents= 1} File lib.mlw: Line 23: Normal execution of function `contents` with args: arg = {contents= 1} File rgf-R1.mlw: Line 39: Normal execution of function `(=)` with args: x = 1 y = 0 Normal execution of function `Tuple0` with args: Line 40: Normal execution of function `(!)` with args: r = {contents= 1} File lib.mlw: Line 23: Normal execution of function `contents` with args: arg = {contents= 1} File rgf-R1.mlw: Line 40: Normal execution of function `([])` with args: a = {length= 2; elts= fun (x:int) -> if x = 0 then (- 1) else if x = 1 then (- 1) else 0} i = 1 File lib.mlw: Line 43: Normal execution of function `elts` with args: arg = {length= 2; elts= fun (x:int) -> if x = 0 then (- 1) else if x = 1 then (- 1) else 0} Normal execution of function `(@)` with args: u = fun (x:int) -> if x = 0 then (- 1) else if x = 1 then (- 1) else 0 u = 1 File rgf-R1.mlw: Line 40: Normal execution of function `(+)` with args: _ = (- 1) _ = 1 Normal execution of function `(!)` with args: r = {contents= 1} File lib.mlw: Line 23: Normal execution of function `contents` with args: arg = {contents= 1} File rgf-R1.mlw: Line 40: Normal execution of function `([]<-)` with args: a = {length= 2; elts= fun (x:int) -> if x = 0 then (- 1) else if x = 1 then (- 1) else 0} i = 1 v = 0 File lib.mlw: Line 48: Normal execution of function `elts` with args: arg = {length= 2; elts= fun (x:int) -> if x = 0 then (- 1) else if x = 1 then (- 1) else 0} File rgf-R1.mlw: Line 41: Normal execution of function `(!)` with args: r = {contents= 1} File lib.mlw: Line 23: Normal execution of function `contents` with args: arg = {contents= 1} File rgf-R1.mlw: Line 41: Normal execution of function `g` with args: a = {length= 2; elts= (fun j -> if j = i then v else elts1 j) with i = 1, v = 0, elts1 = fun (x:int) -> if x = 0 then (- 1) else if x = 1 then (- 1) else 0} i = 1 Property failure at precondition of `g` with: a = {length= 2; elts= (fun j -> if j = i then v else elts1 j) with i = 1, v = 0, elts1 = fun (x:int) -> if x = 0 then (- 1) else if x = 1 then (- 1) else 0} i = 1 File "bench/check-ce/petiot2018/experiments/rgf-R1.mlw", line 41, characters 2-8: Sub-goal Precondition of goal f'vc. Prover result is: Valid. File "bench/check-ce/petiot2018/experiments/rgf-R1.mlw", line 41, characters 2-8: Sub-goal Precondition of goal f'vc. Prover result is: Valid. ** rgf-R4 bin/why3 prove --library=bench/check-ce/petiot2018 bench/check-ce/petiot2018/experiments/rgf-R4.mlw --apply-transform=split_vc --prover=CVC5,1.0.0,counterexamples --timelimit=15 --check-ce --rac-prover=CVC5,1.0.0 --sub-goal=:41@precondition --stepslimit=10000 File "bench/check-ce/petiot2018/experiments/rgf-R4.mlw", line 41, characters 2-8: Sub-goal Precondition of goal f'vc. Prover result is: Valid. File "bench/check-ce/petiot2018/experiments/rgf-R4.mlw", line 41, characters 2-8: Sub-goal Precondition of goal f'vc. Prover result is: Step limit exceeded. The program does not comply to the verification goal, for example during the following execution: File rgf-R4.mlw: Line 24: Execution of main function `f` with env: a = {length= 2; elts= fun (x:int) -> 0} zero = 0 one = 1 Line 32: Normal execution of function `length` with args: arg = {length= 2; elts= fun (x:int) -> 0} Normal execution of function `(-)` with args: x = 2 y = 1 File int.mlw: Line 23: Normal execution of function `(-_)` with args: _ = 1 Normal execution of function `(+)` with args: _ = 2 _ = (-1) File rgf-R4.mlw: Line 32: Normal execution of function `int_ref` with args: i = 1 File lib.mlw: Line 12: Normal execution of function `int_ref'mk` with args: contents = 1 File rgf-R4.mlw: Line 33: Normal execution of function `(!)` with args: r = {contents= 1} File lib.mlw: Line 23: Normal execution of function `contents` with args: arg = {contents= 1} File rgf-R4.mlw: Line 33: Normal execution of function `(>=)` with args: x = 1 y = 1 Normal iteration of loop Line 36: Normal execution of function `(!)` with args: r = {contents= 1} File lib.mlw: Line 23: Normal execution of function `contents` with args: arg = {contents= 1} File rgf-R4.mlw: Line 36: Normal execution of function `(-)` with args: x = 1 y = 1 File int.mlw: Line 23: Normal execution of function `(-_)` with args: _ = 1 Normal execution of function `(+)` with args: _ = 1 _ = (-1) File rgf-R4.mlw: Line 36: Normal execution of function `([])` with args: a = {length= 2; elts= fun (x:int) -> 0} i = 0 File lib.mlw: Line 43: Normal execution of function `elts` with args: arg = {length= 2; elts= fun (x:int) -> 0} Normal execution of function `(@)` with args: u = fun (x:int) -> 0 u = 0 File rgf-R4.mlw: Line 36: Normal execution of function `(!)` with args: r = {contents= 1} File lib.mlw: Line 23: Normal execution of function `contents` with args: arg = {contents= 1} File rgf-R4.mlw: Line 36: Normal execution of function `([])` with args: a = {length= 2; elts= fun (x:int) -> 0} i = 1 File lib.mlw: Line 43: Normal execution of function `elts` with args: arg = {length= 2; elts= fun (x:int) -> 0} Normal execution of function `(@)` with args: u = fun (x:int) -> 0 u = 1 File rgf-R4.mlw: Line 36: Normal execution of function `(<=)` with args: x = 0 y = 0 Normal execution of function `Tuple0` with args: Unknown location: Normal execution of function `Tuple0` with args: File rgf-R4.mlw: Line 39: Normal execution of function `(!)` with args: r = {contents= 1} File lib.mlw: Line 23: Normal execution of function `contents` with args: arg = {contents= 1} File rgf-R4.mlw: Line 39: Normal execution of function `(=)` with args: x = 1 y = 0 Normal execution of function `Tuple0` with args: Line 40: Normal execution of function `(!)` with args: r = {contents= 1} File lib.mlw: Line 23: Normal execution of function `contents` with args: arg = {contents= 1} File rgf-R4.mlw: Line 40: Normal execution of function `([])` with args: a = {length= 2; elts= fun (x:int) -> 0} i = 1 File lib.mlw: Line 43: Normal execution of function `elts` with args: arg = {length= 2; elts= fun (x:int) -> 0} Normal execution of function `(@)` with args: u = fun (x:int) -> 0 u = 1 File rgf-R4.mlw: Line 40: Normal execution of function `(+)` with args: _ = 0 _ = 2 Normal execution of function `(!)` with args: r = {contents= 1} File lib.mlw: Line 23: Normal execution of function `contents` with args: arg = {contents= 1} File rgf-R4.mlw: Line 40: Normal execution of function `([]<-)` with args: a = {length= 2; elts= fun (x:int) -> 0} i = 1 v = 2 File lib.mlw: Line 48: Normal execution of function `elts` with args: arg = {length= 2; elts= fun (x:int) -> 0} File rgf-R4.mlw: Line 41: Normal execution of function `(!)` with args: r = {contents= 1} File lib.mlw: Line 23: Normal execution of function `contents` with args: arg = {contents= 1} File rgf-R4.mlw: Line 41: Normal execution of function `g` with args: a = {length= 2; elts= (fun j -> if j = i then v else elts1 j) with i = 1, v = 2, elts1 = fun (x:int) -> 0} i = 1 Property failure at precondition of `g` with: a = {length= 2; elts= (fun j -> if j = i then v else elts1 j) with i = 1, v = 2, elts1 = fun (x:int) -> 0} i = 1 File "bench/check-ce/petiot2018/experiments/rgf-R4.mlw", line 41, characters 2-8: Sub-goal Precondition of goal f'vc. Prover result is: Valid. File "bench/check-ce/petiot2018/experiments/rgf-R4.mlw", line 41, characters 2-8: Sub-goal Precondition of goal f'vc. Prover result is: Valid. why3-1.6.0/bench/check-ce/petiot2018/oracles/rgf_Z3,4.8.10.oracle000066400000000000000000000147751440160026300234600ustar00rootroot00000000000000* Experiment rgf ** Original File "bench/check-ce/petiot2018/rgf.mlw", line 11, characters 16-33: Sub-goal Variant decrease of goal max_rgf'vc. Prover result is: Valid. File "bench/check-ce/petiot2018/rgf.mlw", line 11, characters 16-33: Sub-goal Precondition of goal max_rgf'vc. Prover result is: Valid. File "bench/check-ce/petiot2018/rgf.mlw", line 11, characters 16-33: Sub-goal Precondition of goal max_rgf'vc. Prover result is: Valid. File "bench/check-ce/petiot2018/rgf.mlw", line 9, characters 36-45: Sub-goal Postcondition of goal max_rgf'vc. Prover result is: Valid. File "bench/check-ce/petiot2018/rgf.mlw", line 19, characters 16-26: Sub-goal Loop invariant init of goal g'vc. Prover result is: Valid. File "bench/check-ce/petiot2018/rgf.mlw", line 20, characters 41-58: Sub-goal Loop invariant init of goal g'vc. Prover result is: Valid. File "bench/check-ce/petiot2018/rgf.mlw", line 21, characters 4-13: Sub-goal Index in array bounds of goal g'vc. Prover result is: Valid. File "bench/check-ce/petiot2018/rgf.mlw", line 19, characters 16-26: Sub-goal Loop invariant preservation of goal g'vc. Prover result is: Valid. File "bench/check-ce/petiot2018/rgf.mlw", line 20, characters 41-58: Sub-goal Loop invariant preservation of goal g'vc. Prover result is: Valid. File "bench/check-ce/petiot2018/rgf.mlw", line 16, characters 37-54: Sub-goal Postcondition of goal g'vc. Prover result is: Valid. File "bench/check-ce/petiot2018/rgf.mlw", line 17, characters 12-29: Sub-goal Postcondition of goal g'vc. Prover result is: Valid. File bench/check-ce/petiot2018/rgf.mlw: Sub-goal Out of loop bounds of goal g'vc. Prover result is: Valid. File "bench/check-ce/petiot2018/rgf.mlw", line 34, characters 16-39: Sub-goal Loop invariant init of goal f'vc. Prover result is: Valid. File "bench/check-ce/petiot2018/rgf.mlw", line 36, characters 16-23: Sub-goal Index in array bounds of goal f'vc. Prover result is: Valid. File "bench/check-ce/petiot2018/rgf.mlw", line 36, characters 7-12: Sub-goal Index in array bounds of goal f'vc. Prover result is: Valid. File "bench/check-ce/petiot2018/rgf.mlw", line 27, characters 12-29: Sub-goal Postcondition of goal f'vc. Prover result is: Valid. File "bench/check-ce/petiot2018/rgf.mlw", line 29, character 4 to line 31, character 45: Sub-goal Postcondition of goal f'vc. Prover result is: Valid. File "bench/check-ce/petiot2018/rgf.mlw", line 40, characters 11-16: Sub-goal Index in array bounds of goal f'vc. Prover result is: Valid. File "bench/check-ce/petiot2018/rgf.mlw", line 40, characters 2-20: Sub-goal Index in array bounds of goal f'vc. Prover result is: Valid. File "bench/check-ce/petiot2018/rgf.mlw", line 41, characters 2-8: Sub-goal Precondition of goal f'vc. Prover result is: Valid. File "bench/check-ce/petiot2018/rgf.mlw", line 41, characters 2-8: Sub-goal Precondition of goal f'vc. Prover result is: Valid. File "bench/check-ce/petiot2018/rgf.mlw", line 42, characters 36-53: Sub-goal Assertion of goal f'vc. Prover result is: Valid. File "bench/check-ce/petiot2018/rgf.mlw", line 27, characters 12-29: Sub-goal Postcondition of goal f'vc. Prover result is: Valid. File "bench/check-ce/petiot2018/rgf.mlw", line 29, character 4 to line 31, character 45: Sub-goal Postcondition of goal f'vc. Prover result is: Valid. File "bench/check-ce/petiot2018/rgf.mlw", line 35, characters 14-16: Sub-goal Loop variant decrease of goal f'vc. Prover result is: Valid. File "bench/check-ce/petiot2018/rgf.mlw", line 34, characters 16-39: Sub-goal Loop invariant preservation of goal f'vc. Prover result is: Valid. File "bench/check-ce/petiot2018/rgf.mlw", line 27, characters 12-29: Sub-goal Postcondition of goal f'vc. Prover result is: Valid. File "bench/check-ce/petiot2018/rgf.mlw", line 29, character 4 to line 31, character 45: Sub-goal Postcondition of goal f'vc. Prover result is: Valid. File "bench/check-ce/petiot2018/rgf.mlw", line 40, characters 11-16: Sub-goal Index in array bounds of goal f'vc. Prover result is: Valid. File "bench/check-ce/petiot2018/rgf.mlw", line 40, characters 2-20: Sub-goal Index in array bounds of goal f'vc. Prover result is: Valid. File "bench/check-ce/petiot2018/rgf.mlw", line 41, characters 2-8: Sub-goal Precondition of goal f'vc. Prover result is: Valid. File "bench/check-ce/petiot2018/rgf.mlw", line 41, characters 2-8: Sub-goal Precondition of goal f'vc. Prover result is: Valid. File "bench/check-ce/petiot2018/rgf.mlw", line 42, characters 36-53: Sub-goal Assertion of goal f'vc. Prover result is: Valid. File "bench/check-ce/petiot2018/rgf.mlw", line 27, characters 12-29: Sub-goal Postcondition of goal f'vc. Prover result is: Valid. File "bench/check-ce/petiot2018/rgf.mlw", line 29, character 4 to line 31, character 45: Sub-goal Postcondition of goal f'vc. Prover result is: Valid. ** rgf-R1 bin/why3 prove --library=bench/check-ce/petiot2018 bench/check-ce/petiot2018/experiments/rgf-R1.mlw --apply-transform=split_vc --prover=Z3,4.8.10,counterexamples --timelimit=15 --check-ce --rac-prover=Z3,4.8.10 --sub-goal=:41@precondition --stepslimit=500000 File "bench/check-ce/petiot2018/experiments/rgf-R1.mlw", line 41, characters 2-8: Sub-goal Precondition of goal f'vc. Prover result is: Valid. File "bench/check-ce/petiot2018/experiments/rgf-R1.mlw", line 41, characters 2-8: Sub-goal Precondition of goal f'vc. Prover result is: Unknown (unknown). Sorry, we don't have a good counterexample for you :( File "bench/check-ce/petiot2018/experiments/rgf-R1.mlw", line 41, characters 2-8: Sub-goal Precondition of goal f'vc. Prover result is: Valid. File "bench/check-ce/petiot2018/experiments/rgf-R1.mlw", line 41, characters 2-8: Sub-goal Precondition of goal f'vc. Prover result is: Valid. ** rgf-R4 bin/why3 prove --library=bench/check-ce/petiot2018 bench/check-ce/petiot2018/experiments/rgf-R4.mlw --apply-transform=split_vc --prover=Z3,4.8.10,counterexamples --timelimit=15 --check-ce --rac-prover=Z3,4.8.10 --sub-goal=:41@precondition --stepslimit=500000 File "bench/check-ce/petiot2018/experiments/rgf-R4.mlw", line 41, characters 2-8: Sub-goal Precondition of goal f'vc. Prover result is: Valid. File "bench/check-ce/petiot2018/experiments/rgf-R4.mlw", line 41, characters 2-8: Sub-goal Precondition of goal f'vc. Prover result is: Unknown (unknown). Sorry, we don't have a good counterexample for you :( File "bench/check-ce/petiot2018/experiments/rgf-R4.mlw", line 41, characters 2-8: Sub-goal Precondition of goal f'vc. Prover result is: Valid. File "bench/check-ce/petiot2018/experiments/rgf-R4.mlw", line 41, characters 2-8: Sub-goal Precondition of goal f'vc. Prover result is: Valid. why3-1.6.0/bench/check-ce/petiot2018/rgf.mlw000066400000000000000000000023731440160026300202500ustar00rootroot00000000000000use int.Int, lib.IntArray, lib.IntRef predicate is_rgf (a: int_array) (n: int) = a.length > 0 /\ a[0] = 0 /\ forall i. 1 <= i < n -> 0 <= a[i] <= a[i-1]+1 let rec lemma max_rgf (a: int_array) (n: int) requires { is_rgf a n } requires { 0 <= n < a.length } ensures { forall i. 0 <= i < n -> a[i] <= i } variant { n } = if n > 0 then max_rgf a (n - 1) let g (a: int_array) (i: int) requires P1 { 1 <= i <= a.length } requires P2 { is_rgf a (i+1) } ensures { forall j. 0 <= j <= i -> (old a)[j] = a[j] } ensures { is_rgf a a.length } = for k = i + 1 to a.length - 1 do invariant { is_rgf a k } invariant { forall j. 0 <= j <= i -> (old a)[j] = a[j] } a[k] <- 0 done let f (a: int_array) : bool requires { 0 < a.length < 10000 } requires { is_rgf a a.length } ensures { is_rgf a a.length } ensures { result = True -> exists j. 0 <= j < a.length /\ (old a)[j] < a[j] /\ forall k. 0 <= k < j -> (old a)[k] = a[k] } = let i = int_ref (a.length - 1) in while !i >= 1 do invariant { 0 <= !i <= a.length - 1 } variant { !i } if a[!i] <= a[!i-1] then break; i := !i - 1 done; if !i = 0 then return False; a[!i] <- a[!i] + 1; g a !i; assert { forall j. 0 <= j < !i -> (old a)[j] = a[j] }; return True why3-1.6.0/bench/check-ce/polymorphism.mlw000066400000000000000000000003201440160026300204030ustar00rootroot00000000000000 module Test type mono = B int goal gm: forall x: mono. x = B 0 type mono2 = C int bool goal gm2: forall x. x = C 0 false type poly 'a = A 'a goal g: forall x: poly int. x = A 0 endwhy3-1.6.0/bench/check-ce/range_type_float.mlw000066400000000000000000000001651440160026300211720ustar00rootroot00000000000000 module Range_float use real.Real type t = < float 8 24 > let f (x: t) = assert {t'real x < 10.} end why3-1.6.0/bench/check-ce/range_type_int.mlw000066400000000000000000000002151440160026300206530ustar00rootroot00000000000000module Range_int use int.Int type int32 = < range -0x8000_0000 0x7fff_ffff > let f (x: int32) = assert {int32'int x < 5} end why3-1.6.0/bench/check-ce/real_values.mlw000066400000000000000000000002741440160026300201530ustar00rootroot00000000000000use real.Real goal test1 : forall x:real. x * 2.0 <> -1.0 goal test2 : forall x:real. x <> 10.0 goal test3 : forall x:real. not (0.0 < x < 1.0) goal test4 : forall x:real. (x/x = 1.0) why3-1.6.0/bench/check-ce/record_map.mlw000066400000000000000000000027271440160026300177710ustar00rootroot00000000000000module M use map.Map use int.Int type r = {f [@model_trace:.field_f] :int; g:bool} (* Projection functions *) function projf_r_f [@model_trace:.f] (x : r) : int = x.f function projf_r_g [@model_trace:.g] (x : r) : bool = x.g meta "inline:no" function projf_r_f meta "model_projection" function projf_r_f meta "inline:no" function projf_r_g meta "model_projection" function projf_r_g (*********************************************************** ** Getting counterexamples for records and maps together ** ***********************************************************) (*** Records and maps together ***) type r_map = {f_map:map bool int; g_bool:bool} function projf_r_map_f_map [@model_trace:.f_map] (rec_map : r_map) : map bool int = rec_map.f_map function projf_r_map_g [@model_trace:.g_map] (rec_map : r_map) : bool = rec_map.g_bool meta "inline:no" function projf_r_map_f_map meta "model_projection" function projf_r_map_f_map meta "inline:no" function projf_r_map_g meta "model_projection" function projf_r_map_g (* Tests *) let map_record_proj_test1 (map_rec [@model_projected] : map bool r) ensures { result = 0 } = map_rec[true].f let record_map_proj_test2 (rec_map [@model_projected] : r_map) ensures { result = 0 } = rec_map.f_map[true] val re_rec_map [@model_projected] : r_map let record_map_proj_test3 (rec_map [@model_projected] : r_map) ensures { result = re_rec_map } = rec_map end why3-1.6.0/bench/check-ce/record_nested_one_field.mlw000066400000000000000000000007431440160026300224760ustar00rootroot00000000000000module Nested use int.Int use ref.Ref type ref_one = { mutable cont_one [@model_trace:cont_one_attr] : int } type ref_two = { mutable cont_two : ref_one } type ref_three = ref ref_two type ref_four = { mutable cont_four [@model_trace:cont_four_attr]: ref_three } let test_post (x : int) (y : ref_four): unit ensures { !(y.cont_four).cont_two.cont_one >= x } = y.cont_four.contents.cont_two.cont_one <- x - 1 + !(y.cont_four).cont_two.cont_one end why3-1.6.0/bench/check-ce/records_inv.mlw000066400000000000000000000027451440160026300201730ustar00rootroot00000000000000 (***************************************** ** Getting counterexamples for records ** *****************************************) module M use ref.Ref use int.Int (*** In all cases, records are decomposed using match eval ***) type r = {f [@model_trace:.my_field_f] :int; g:bool} invariant { f = 0 } let record_match_eval_test1 (x : r) : int ensures { result = 1 } = if x.g then x.f else 1 let record_match_eval_test2 (x : r ) : int ensures { result = 1 } = x.f let record_match_eval_test3 (x : ref r) : unit ensures { !x.g } = x := { !x with f = 6} let record_match_eval_test4 (x : ref r) : r ensures { result.g } = x := { !x with f = 6 }; !x let record_match_eval_test44 (x : ref r) : r ensures { result.g } = [@vc:sp] x := { !x with f = 6 }; assert { !x.f = 12}; !x val re : ref r let test_record_match_eval_test5 (x : ref r) : r ensures { result = !re } = x := { !x with f = 6 }; !x end module Mutable use int.Int type r = {mutable f [@model_trace:.my_field_f] :int; mutable g:bool} let record_match_eval_test1 (x : r) : int ensures { result = 1 } = if x.g then x.f else 1 let record_match_eval_test2 (x : r ) : int ensures { result = 1 } = x.f let record_match_eval_test3 (x : r) : unit ensures { x.g } = x.f <- 6 let record_match_eval_test4 (x : r) : r ensures { result.g } = x.f <- 6; x end why3-1.6.0/bench/check-ce/records_label.mlw000066400000000000000000000010421440160026300204430ustar00rootroot00000000000000 module Old use int.Int type r = {mutable f : int; mutable g : bool} val y : r let record_old_test1 (x : r) : unit ensures { old (x.f + y.f) = x.f } = x.f <- 6 let record_at_test2 (x : r) : unit = label L in x.f <- 6; label M in x.f <- 12; assert { x.f at L = ((x.f + x.f + 1) at M + x.f + y.f)} let several_hats (x : r): unit = label L in label M in x.f <- 6; (* Here, the counterexample variable should mention both M and L *) assert { x.f at L = x.f at M + 1} endwhy3-1.6.0/bench/check-ce/recursive_model.mlw000066400000000000000000000004261440160026300210370ustar00rootroot00000000000000module Test use int.Int type nat = Z | S nat val global : nat let test (i : int) = assert { let _p = (0, 0) in (* <- The tuple introduces polymorphism! *) global <> Z -> i = 0 } end (* adapted from https://gitlab.inria.fr/why3/why3/-/issues/578 *) why3-1.6.0/bench/check-ce/ref1.mlw000066400000000000000000000000771440160026300165070ustar00rootroot00000000000000 use ref.Ref let f () = let x = ref 1 in assert { false } why3-1.6.0/bench/check-ce/ref1_mono.mlw000066400000000000000000000001241440160026300175300ustar00rootroot00000000000000 type t = { mutable c : int } let f () = let x = { c = 1 } in assert { false } why3-1.6.0/bench/check-ce/ref2.mlw000066400000000000000000000001101440160026300164740ustar00rootroot00000000000000 use ref.Ref let f () = let x = ref 1 in x := 2; assert { false }why3-1.6.0/bench/check-ce/ref2_mono.mlw000066400000000000000000000001401440160026300175270ustar00rootroot00000000000000 type t = { mutable c : int } let f () = let x = { c = 1 } in x.c <- 2; assert { false } why3-1.6.0/bench/check-ce/ref_ex.mlw000066400000000000000000000015421440160026300171200ustar00rootroot00000000000000 module M use ref.Ref use list.List use int.Int let test_post (x: int) (y: ref int): unit ensures { old !y >= x } = y := x - 1 + !y let test_post2 (x: int) (y: ref int): unit requires { x > 42 } ensures { old !y > !y + x } = y := x - 1 + !y (********************************************************** ** Getting counterexamples for terms of primitive types ** **********************************************************) val y :ref int let incr (x23: ref int): unit ensures { !x23 = old !x23 + 2 + !y } = (*#"random_path.random" 62 27 32#*) y := !y + 1; x23 := !x23 + 1; x23 := !x23 + 1 let test_loop (x: ref int): unit ensures { !x < old !x } = label L in incr x; label M in while !x > 0 do invariant { !x > !x at L + !x at M } variant { !x } x := !x - 1 done end why3-1.6.0/bench/check-ce/ref_ex_mono.mlw000066400000000000000000000015661440160026300201560ustar00rootroot00000000000000 module M use list.List use int.Int type t = { mutable c : int } let test_post (x: int) (y: t): unit ensures { old y.c >= x } = y.c <- x - 1 + y.c let test_post2 (x: int) (y: t): unit requires { x > 42 } ensures { old y.c > y.c + x } = y.c <- x - 1 + y.c (********************************************************** ** Getting counterexamples for terms of primitive types ** **********************************************************) val y : t let incr (x23: t): unit ensures { x23.c = old x23.c + 2 + y.c } = (*#"random_path.random" 62 27 32#*) y.c <- y.c + 1; x23.c <- x23.c + 1; x23.c <- x23.c + 1 let test_loop (x: t): unit ensures { x.c < old x.c } = label L in incr x; label M in while x.c > 0 do invariant { x.c > x.c at L + x.c at M } variant { x.c } x.c <- x.c - 1 done end why3-1.6.0/bench/check-ce/ref_mono.mlw000066400000000000000000000021301440160026300174460ustar00rootroot00000000000000module Ref type ref1 = { mutable contents : int } function (!) (x: ref1) : int = x.contents let ref1 (v: int) ensures { result = { contents = v } } = { contents = v } let (!) (r:ref1) ensures { result = !r } = r.contents let (:=) (r:ref1) (v:int) ensures { !r = v } = r.contents <- v end module M use list.List use int.Int use Ref let test_post (x: int) (y: ref1): unit ensures { old !y >= x } = y := x - 1 + !y let test_post2 (x: int) (y: ref1): unit requires { x > 42 } ensures { old !y > !y + x } = y := x - 1 + !y (********************************************************** ** Getting counterexamples for terms of primitive types ** **********************************************************) val y :ref1 let incr (x23: ref1): unit ensures { !x23 = old !x23 + 2 + !y } = y := !y + 1; x23 := !x23 + 1; x23 := !x23 + 1 let test_loop (x: ref1): unit ensures { !x < old !x } = label L in incr x; label M in while !x > 0 do invariant { !x > !x at L + !x at M } variant { !x } x := !x - 1 done end why3-1.6.0/bench/check-ce/result.mlw000066400000000000000000000005341440160026300171660ustar00rootroot00000000000000 module M use int.Int use ref.Ref val a : ref int let p1 (b : ref int) : int requires { 0 <= !a <= 10 /\ 3 <= !b <= 17 } ensures { 17 <= !a + result <= 42 } = a := !a + !b; !a + 1 let f (a [@model] [@model_trace:A]: ref int) requires { !a = 42 } ensures { !a = 2 + old !a + result } = a := 0; a := 1; !a+1 endwhy3-1.6.0/bench/check-ce/return_value_below_if_when_vc_sp.mlw000066400000000000000000000003501440160026300244400ustar00rootroot00000000000000use int.Int val bool_neq (x y : int) : bool ensures { (result = True) <-> (x <> y) } let f (b:bool) (y:int) : bool ensures { (result = True) <-> (b = True /\ (y <> 0 /\ y <> 42)) } = [@vc:sp] if b then bool_neq y 0 else False why3-1.6.0/bench/check-ce/simple_array.mlw000066400000000000000000000001561440160026300203370ustar00rootroot00000000000000theory ModelArray use map.Map goal t1 : forall t: map int int, i: int. get (set t 0 42) i = get t i end why3-1.6.0/bench/check-ce/strings.mlw000066400000000000000000000021021440160026300173320ustar00rootroot00000000000000module TestCounterexample use string.String use int.Int goal T1: forall s. length s <> 1 goal T2: forall s. (length s) < 4 goal T3: forall s1 s2. concat s1 s2 = concat s2 s1 goal T4: forall s. length s > 10 -> s = "qwertyuiop[" goal T5: forall s. let x = "b\123u\111h\ti" in lt s x -> length s < length x goal T6: forall s. let x = "b\123u\111h\ti" in lt s x -> length s <= length x goal T7: forall s. let x = "b\123u\111h\ti" in lt s x -> length s > length x goal T8: forall s. let x = "b\123u\111h\ti" in lt s x -> length s >= length x goal T9: forall s. let x = "b\123u\111h\ti" in le s x -> length s < length x goal T10: forall s. let x = "b\123u\111h\ti" in le s x -> length s <= length x goal T11: forall s. let x = "b\123u\111h\ti" in le s x -> length s > length x goal T12: forall s. let x = "b\123u\111h\ti" in le s x -> length s >= length x goal T13: forall s. lt s s goal T14: forall s. not (le s s) goal T15: forall s i. length (s_at s i) = 1 goal T16: forall s. prefixof "abc" s goal T17: forall s. prefixof "abc" s -> length s > 3 end why3-1.6.0/bench/check-ce/test_result_ce_value0.mlw000066400000000000000000000001701440160026300221440ustar00rootroot00000000000000use int.Int val id (x: int) : int ensures { result > x } let test2 (x:int) = let a = id x in assert { a <> 42 } why3-1.6.0/bench/check-ce/test_result_ce_value1.mlw000066400000000000000000000003261440160026300221500ustar00rootroot00000000000000 use int.Int val id (x: int) : int ensures { result > x } let test1 (x:int) = let a = id (id x) + 1 in assert { a <> 42 } let test1bis (x:int) = let a = id (id x) + 1 in assert { a <> 42 }why3-1.6.0/bench/check-ce/test_result_ce_value2.mlw000066400000000000000000000005401440160026300221470ustar00rootroot00000000000000use int.Int val ref a : int val id (x: int) : int writes { a } ensures { result > x } ensures { result > a } let test2 (x:int) = a <- 17; if id x < 10 then assert { a > 42 } else assert { a < 42 } let test3 (x:int) ensures { a <> 42 } = a <- 17; if id x < 100 && id x > 50 then a <- a + 1 else a <- a + 2 why3-1.6.0/bench/check-ce/threshold.mlw000066400000000000000000000010741440160026300176440ustar00rootroot00000000000000 module WithInt32 use int.Int use mach.int.Int32 let f (n min max:int32) : int32 ensures { min <= result <= max } = let _x = min + max in if n < min then min else if n > max then max else n end (** same version with (signed) bit-vectors *) module WithBV32 use int.Int use bv.BV32 use mach.bv.BVCheck32 let f (n min max:BV32.t) : BV32.t ensures { ule min result /\ ule result max } (* ensures { BV32.t'int min <= BV32.t'int result <= BV32.t'int max } *) = let _x = u_add min max in if u_lt n min then min else if u_gt n max then max else n end why3-1.6.0/bench/check-ce/tuple.mlw000066400000000000000000000002021440160026300167710ustar00rootroot00000000000000 use int.Int let swap (x:(int,int)) ensures { let (a,b) = x in result = (b,a)} = let (a,b) = x in (a + b - a, b + a - b + 1) why3-1.6.0/bench/check-ce/tuple1.mlw000066400000000000000000000002111440160026300170520ustar00rootroot00000000000000 use mach.int.Int63 let swap (x:(int63,int63)) ensures { let (a,b) = x in result = (b,a)} = let (a,b) = x in (a + b - a, b + a - b) why3-1.6.0/bench/check-ce/underspec.mlw000066400000000000000000000011721440160026300176370ustar00rootroot00000000000000module LoopInvariant use int.Int (* use array.Array *) (* let h () = *) (* let a = Array.make 10 0 in *) (* for i = 0 to 9 do *) (* invariant { forall j. 0 <= j < i -> a[j] = 1 } *) (* a[i] <- a[i] + 1 *) (* done *) let f () = let ref x1 = 0 in let ref x2 = 0 in for i = 0 to 1 do invariant { i > 0 -> x1 = 1 } if i = 0 then x1 <- x1 + 1 else x2 <- x2 + 1 done end module PostCondition use int.Int val ref z: int let g () writes { z } ensures { z > old z } = z <- z + 1 let f () = z <- 0; g (); assert { z = 1 } endwhy3-1.6.0/bench/check-ce/underspec_mono.mlw000066400000000000000000000013271440160026300206710ustar00rootroot00000000000000module LoopInvariant use int.Int type t = { mutable c : int } (* use array.Array *) (* let h () = *) (* let a = Array.make 10 0 in *) (* for i = 0 to 9 do *) (* invariant { forall j. 0 <= j < i -> a[j] = 1 } *) (* a[i] <- a[i] + 1 *) (* done *) let f () = let x1 = { c = 0 } in let x2 = { c = 0 } in for i = 0 to 1 do invariant { i > 0 -> x1.c = 1 } if i = 0 then x1.c <- x1.c + 1 else x2.c <- x2.c + 1 done end module PostCondition use int.Int type t = { mutable c : int } val z: t let g () writes { z.c } ensures { z.c > old z.c } = z.c <- z.c + 1 let f () = z.c <- 0; g (); assert { z.c = 1 } end why3-1.6.0/bench/check-ce/val_function.mlw000066400000000000000000000003571440160026300203420ustar00rootroot00000000000000 use int.Int val function f (x:int) : int let main_f (y:int) : int ensures { result <> 42 } = f y val function g(x:int) : int axiom g_def : forall x. g x = x+1 let main_g (y:int) ensures { result <> 44 } = let z = g y in z+1why3-1.6.0/bench/check-ce/var_clones.mlw000066400000000000000000000002131440160026300177750ustar00rootroot00000000000000module M0 val constant n: int end module N clone M0 as M1 clone M0 as M2 let f () = assert { M1.n <> 111 \/ M2.n <> 222 } end why3-1.6.0/bench/check-ce/while.mlw000066400000000000000000000010751440160026300167610ustar00rootroot00000000000000 use int.Int let f (z: int) = let ref x1 = z in let ref x2 = 0 in let ref i = 0 in while i < 2 do variant { 2 - i } invariant { i > 0 -> x1 >= 0 } if i = 0 then x1 <- x1 + 1 else x2 <- x2 + 1; i <- i + 1 done (* counterexample: `x1 = -2`, `i = 0` at the beginning of the loop. The execution of `f` with the counterexample: - terminates normally if executed concretely; - terminates in error if executed abstractly (invariant preservation fails) It is a real counterexample due to underspecification (weak loop invariant). *) why3-1.6.0/bench/check-ce/while1.mlw000066400000000000000000000010031440160026300170310ustar00rootroot00000000000000 use int.Int let f () ensures { result = 2 } = let ref x = 0 in let ref i = 0 in while i < 2 do variant { 2 - i } invariant { x >= 0 } x <- x + 1; i <- i + 1 done; x (* counterexample: `x = 0`, `i = 2` at beginning of the loop. The execution of `f` with the counterexample: - terminates normally if executed concretely; - terminates in error if executed abstractly (postcondition fails) It is a real counterexample due to underspecification (weak loop invariant). *) why3-1.6.0/bench/check-ce/while1_mono.mlw000066400000000000000000000010711440160026300200660ustar00rootroot00000000000000 use int.Int type t = { mutable c : int } let f () ensures { result = 2 } = let x = { c = 0 } in let i = { c = 0 } in while i.c < 2 do variant { 2 - i.c } invariant { x.c >= 0 } x.c <- x.c + 1; i.c <- i.c + 1 done; x.c (* counterexample: `x = 0`, `i = 2` at beginning of the loop. The execution of `f` with the counterexample: - terminates normally if executed concretely; - terminates in error if executed abstractly (postcondition fails) It is a real counterexample due to underspecification (weak loop invariant). *) why3-1.6.0/bench/check-ce/while_mono.mlw000066400000000000000000000011751440160026300200120ustar00rootroot00000000000000 use int.Int type t = { mutable c : int } let f (z: int) = let x1 = { c = z } in let x2 = { c = 0 } in let i = { c = 0 } in while i.c < 2 do variant { 2 - i.c } invariant { i.c > 0 -> x1.c >= 0 } if i.c = 0 then x1.c <- x1.c + 1 else x2.c <- x2.c + 1; i.c <- i.c + 1 done (* counterexample: `x1 = -2`, `i = 0` at the beginning of the loop. The execution of `f` with the counterexample: - terminates normally if executed concretely; - terminates in error if executed abstractly (invariant preservation fails) It is a real counterexample due to underspecification (weak loop invariant). *) why3-1.6.0/bench/check_realizations.sh000077500000000000000000000024271440160026300176700ustar00rootroot00000000000000#!/bin/bash # temporary directory where we generate realizations TMPREAL=$(mktemp -d /tmp/why3realizations-XXXXXXX) mkdir -p $TMPREAL/lib res=0 echo "Testing Isabelle realizations" # We want to use the makefile to be sure to check exhaustively the # realizations that are built make GENERATED_PREFIX_ISABELLE="$TMPREAL/lib/isabelle" update-isabelle > /dev/null 2> /dev/null LANG=C diff -u lib/isabelle/realizations $TMPREAL/lib/isabelle/realizations > $TMPREAL/diff-isabelle if test -s "$TMPREAL/diff-isabelle"; then echo "Isabelle realizations FAILED, please regenerate and prove them" cat $TMPREAL/diff-isabelle res=1 else echo "Isabelle realizations OK" fi echo "Testing Coq realizations" # First copy current realizations in a tmp directory cp -r lib/coq $TMPREAL/lib/ # We want to use the makefile to be sure to check exhaustively the # realizations that are built make GENERATED_PREFIX_COQ="$TMPREAL/lib/coq" update-coq > /dev/null 2> /dev/null LANG=C diff -w -r -q -x '*.bak' -x '*~' -x '*.aux' lib/coq $TMPREAL/lib/coq > $TMPREAL/diff-coq if test -s "$TMPREAL/diff-coq"; then echo "Coq realizations FAILED, please regenerate and prove them" sed -e "s,$TMPREAL/lib/coq,new," $TMPREAL/diff-coq res=1 else echo "Coq realizations OK" fi rm -rf $TMPREAL exit $res why3-1.6.0/bench/copy_oracles.sh000077500000000000000000000007441440160026300165110ustar00rootroot00000000000000#!/bin/bash # This script can be used when upgrading the prover versions in the # bench/check-ce-bench script. # This script copies the oracle files in bench/check-ce/oracles # and rename the files in replacing the older version of a prover # by a newer one. for file in bench/check-ce/oracles/*_CVC4,1.7_*.oracle; do cp "$file" "${file//CVC4,1.7/CVC4,1.8}" done for file in bench/check-ce/petiot2018/oracles/*_CVC4,1.7.oracle; do cp "$file" "${file//CVC4,1.7/CVC4,1.8}" done why3-1.6.0/bench/extraction/000077500000000000000000000000001440160026300156435ustar00rootroot00000000000000why3-1.6.0/bench/extraction/239_extract_higher_order.mlw000066400000000000000000000001431440160026300231520ustar00rootroot00000000000000let f (g: unit -> 'a) : 'a = g () let g (_:unit) = () let good = f (fun x -> g x) let bad = f g why3-1.6.0/bench/extraction/240_extraction_polymorphic.mlw000066400000000000000000000001651440160026300235600ustar00rootroot00000000000000 let rec f x = let rec aux y = () in aux x let rec g x diverges = let rec aux y diverges = g () in aux x why3-1.6.0/bench/extraction/509_onetime.mlw000066400000000000000000000001441440160026300204200ustar00rootroot00000000000000use mach.onetime.OneTime let ot_zero () : OneTime.t = zero () let ot_one () : OneTime.t = one () why3-1.6.0/bench/extraction/509_tuples.mlw000066400000000000000000000002011440160026300202660ustar00rootroot00000000000000type pos = (unit, unit) type t = Range pos pos let merge (a b: t) : t = let Range x y = a in let Range w z = b in Range x z why3-1.6.0/bench/extraction/Makefile000066400000000000000000000005161440160026300173050ustar00rootroot00000000000000include ../../share/Makefile.config WHY3 = ../../bin/why3.$(OCAMLBEST) INCLUDE += -I ../../lib/why3 %.ml: %.mlw $(WHY3) extract -D ocaml64 $< > $@ %.cmo: %.ml ocamlc $(INCLUDE) -c $< %.cmx: %.ml ocamlopt $(INCLUDE) -c $< %.c: %.mlw $(WHY3) extract -D c $< > $@ %.o: %.c $(CC) -Wall -c $< clean:: rm -f *.ml *.c *.o *.cm* why3-1.6.0/bench/extraction/optimize_record.mlw000066400000000000000000000003051440160026300215600ustar00rootroot00000000000000module T use int.Int type t = { x : int } invariant { 0 < x } by { x = 1 } let f b = if b then let y = { x = 1 } in y else { x = 2 } end why3-1.6.0/bench/extraction/peano_onetime.mlw000066400000000000000000000011771440160026300212140ustar00rootroot00000000000000 (* check OCaml extraction of Peano and OneTime integers *) use mach.peano.Peano let test_peano () = let low = zero in let high = succ (succ (succ (abs (neg one)))) in let x = add one one low high in let y = sub x x low high in let z = mul one y low high in lt x y && le y z && gt z z && ge x z && eq x x && ne y z, add one (of_int 2 low high) low high use mach.onetime.OneTime let test_onetime () = let x = succ (zero ()) in let y = add x (one ()) in let z = abs (neg (pred (transfer y))) in let t = to_peano y in let a, b = split z t in lt x y && le y z && gt z z && ge x z && eq x x && ne y z, sub a b why3-1.6.0/bench/extraction/test.mlw000066400000000000000000000215041440160026300173450ustar00rootroot00000000000000 (* test of the OCaml extraction run "make test-ocaml-extraction" from the top directory *) (* TODO : add a test for match .. with .. exception expressions *) module TestExtraction use int.Int use int.ComputerDivision let f (x: int) : int = x+1 let test_int () = f 31 + (div 33 3 + 2 - 4) - -1 use mach.int.Int63 let f63 (x: int63) : int63 = x + 1 let test_int63 () = to_int (f63 31 + (33 / 3 + 2 - 4) - (-1)) use list.List type ttt = T (list int63) let test_list (t: ttt) = match t with T (Cons x Nil) -> x | _ -> absurd end use int.Int use ref.Ref use ref.Refint let test_ref () : int = let r = ref 0 in incr r; r := !r * 43; decr r; !r let test_underapplied_plus () = (+) (0:int63) use array.Array let test_array () = let a = Array.make 43 (0:int63) in for i = 1 to 42 do a[i] <- a[i-1] + 1 done; a[42] let test_underapplied_length () = length use mach.array.Array63 let test_array63 () : int = let a = Array63.make 43 0 in for i = 1 to 42 do a[Int63.of_int i] <- a[Int63.of_int (i - 1)] + 1 done; a[42] use seq.Seq use int.Int use mach.int.Int (* FIXME: this function is never used. Use it somewhere and supply a driver? *) (* val test_val (x: int) : int *) (* ensures { result > x } *) let function f_function (y: int) (x: int) : int requires { x >= 0 } ensures { result >= 0 } = x let g (ghost z: int) (x: int) : int requires { x > 0 } ensures { result > 0 } = let y = x in y type t 'a 'b 'c 'd type list 'a = Nil | Cons 'a (list 'a) type btree 'a = E | N (btree 'a) 'a (btree 'a) type ntree 'a = Empty | Node 'a (list 'a) type list_int = list int type cursor 'a = { collection : list 'a; index : int; mutable index2 : int; ghost mutable v : seq 'a; } type r 'a = { aa: 'a; ghost i: int; } (* let create_cursor (l: list int) (i i2: int) : cursor int = *) (* { collection = l; index = i; index2 = i2; v = empty } *) let create_r (x: int) (y: int) : r int = { aa = x; i = y } use ref.Ref let update (c: cursor int) : int = c.index exception Empty (list int, int) exception Out_of_bounds int let ref_f (y:int63) = let ref x = 42 in let ref z = 13 in x <- y; x <- z let ref_g (r: ref int63) (c: int63) = {r with contents = c} let ref_h (r : ref int63) = match r with {contents = c} -> c end type r' = { x : int63; y : int63 } let r_g (x: r') (c:int63) = { x with x = c } let r_h (x: r') = match x with { x = a; y = b } -> a + b end (* exception are unary constructors *) (* let raise1 () = raises { Empty -> true } raise (Empty (Nil, 0)) let raise2 () = raises { Empty -> true } let p = (Nil, 0) in raise (Empty p) *) let rec length (l: list 'a) : int variant { l } = match l with | Nil -> 0 | Cons _ r -> 1 + length r end let t (x:int) : int requires { false } = absurd let a () : unit = assert { true } let singleton (x: int) (l: list int) : list int = let x = Nil in x (* FIXME constructors in Why3 can be partially applied => an eta-expansion is needed be careful with side-effects "let c = Cons e in" should be translated to "let c = let o = e in fun x -> Cons (o, x) in ..." in OCaml Mário: I think A-normal form takes care of the side-effects problem *) let constructor1 () = let x = Cons in x (42:int63) let foofoo (x: int) : int = let ghost y = x + 1 in x let test (x: int) : int = let y = let z = x in (ghost z) + 1 in 42 type list_ghost = Nil2 | Cons2 int list_ghost (ghost int) let add_list_ghost (x: int) (l: list_ghost) : list_ghost = match l with | Cons2 _ Nil2 _ | Nil2 -> Cons2 x Nil2 (1+2) | Cons2 _ _ n -> Cons2 x l (n+1) end let ggg () : int = 42 let call (x:int) : int = ggg () + 42 (* functions with ghost arguments *) let test_filter_ghost_args (x: int) (ghost y: int) = (1:int) / 0 let test_call (x: int) : int = test_filter_ghost_args x 0 + 1 let constant test_partial : int = let partial_ex = test_filter_ghost_args 3 in 42 let constant test_partial2 : int = let r = ref 0 in let f (x: int) (ghost y) = r := !r + 21 in let g = f 17 in g (0:int); g (1:int); !r let test_zero_args () : int = test_partial2 + 0 let test_filter_ghost_args2 (x: int) (ghost y: int) (z: int) : int = x + z let test_filter_ghost_args3 (ghost y: int) : int = 1 / 0 let many_args (a b c d e f g h i j k l m: int) : int = 42 let foo (x: int) : int = let _ = (42:int63) in (* FIXME? print _ in OCaml *) x let test_fun (x: int) : int -> int = fun (y: int) -> x + y let test_local (x: int) : int = let fact (x: int) (y: int): int = x + y in fact x 42 let test_lets (x: int) : int = let y = x in let z = y + 1 in let yxz = y * x * z in let xzy = x + z + y in let res = yxz - xzy in res let test_partial3 (x: int) : int = let sum : int -> int -> int = fun x y -> x + y in let incr_a (a: int) = sum a in incr_a x x let test_partial4 : int = let f (ghost x1:int) (y:int) (z:int) = y + z + 64 in let g = f 1 in let h = g 2 in h 3 let constr_partial (x: int) : list int = let x = Cons 42 in x Nil let filter_record (c: cursor 'a) : int = match c with | { collection = l; index = i; index2 = i2; v = v} -> i end (** for loops *) let for_loop1 () = let r = ref (0: int63) in for i = 0 to 10 do r := !r + i done; !r (** optional and named arguments *) use option.Option let opt_f (x [@ocaml:named]: int) (y [@ocaml:named]) = x+y let constant opt_a = opt_f 40 2 let opt_g (x [@ocaml:optional]) (y [@ocaml:named]: int) = match x with None -> y | Some x -> x + y end let constant opt_c = opt_g (Some 40) 2 let opt_f_poly (x [@ocaml:optional]: option 'a) (y: int) : int = match x with | None -> y | Some _ -> 89 end let call_f_poly (x: 'a) = opt_f_poly (Some x) 42 (* FIXME: partial application with named arguments not yet supported *) let constant opt_b = fun y -> opt_g y 42 let opt_h () = fun y -> opt_f 40 y let opt_i () = opt_h () 2 (** test the execution of the extracted code *) use ocaml.Pervasives let test1 () raises { AssertFailure } = ocaml_assert ((1:int) + 1 = 2) (** parallel assignement *) type record1 = { mutable field: int } let test_parallel_assign () raises { AssertFailure } = let a = { field = 0 } in let b = { field = 1 } in (a.field, b.field) <- (b.field, a.field); ocaml_assert (a.field = 1) (** machine arithmetic *) use mach.int.Int63 let get_min_int63 (x: int63) : int = min_int63 let test2 () raises { AssertFailure } = ocaml_assert ((1:int63) + 1 = 2) (* testing proxy-variables inlining mechanism inside a lambda *) let test3 () raises { AssertFailure } = let i = ref (42:int63) in let c = Cons !i in i := 0; let c = c Nil in ocaml_assert (match c with Cons x _ -> x = 42 | _ -> true end) (* testing proxy-variables inlining with conflicting effects *) let test4 () raises { AssertFailure } = let f (x y: int63) raises { AssertFailure } = ocaml_assert (y = 42); x + y in let i = ref 42 in let res = f (i := 0; !i) !i in ocaml_assert (!i = 0); ocaml_assert (res = 42) let main () raises { AssertFailure } = test1 (); test2 (); test3 (); test4 (); test_parallel_assign () (* scopes *) type ty = A | B | C scope S type ty = A | B | C (* locally hides toplevel function foo: int -> int *) let foo (x: bool) : bool = x let test_foo () = foo true end let test_foo () = foo 42 (* range types *) type small_range = let test_small_range () = for x = 1: small_range to 3 do () done type big_range = let test_big_range () = for x = 1: big_range to 3 do () done let test_if (b:bool) (t:ty) : int = if b then let r = ref 0 in r := (match t with A -> 1 | B -> 2 | C -> 3 end); !r else match t with A -> 2 | B -> 3 | C -> 1 end let i1 [@extraction:inline] (x:int63) = x+2 let i2 [@extraction:inline] (x:int63) (y:int63) = requires { y <> 0 } let d = x / y in let m = x % y in y * d + m let i3 [@extraction:inline] (n:int63) = i1 (i2 n n) let inlining () = let a = 40 in let b = i1 a + i1 a in let c = i2 b b in i3 c let function letf (ghost x:int63) : int63 = 42 let test_letf () = let y = letf 26 in y + 2 type poly_r 'a = { l : int63; b : bool } let test_underapplied_l () = l let test_match (y:int) : int = match (match y with x -> x + 42 end) with _ -> 89 end end (* Local Variables: compile-command: "make -C .. test-ocaml-extraction" End: *) why3-1.6.0/bench/extraction/test/000077500000000000000000000000001440160026300166225ustar00rootroot00000000000000why3-1.6.0/bench/extraction/test/Makefile000066400000000000000000000005651440160026300202700ustar00rootroot00000000000000include ../../../share/Makefile.config WHY3 = ../../../bin/why3.$(OCAMLBEST) .PHONY: extract doc main.opt: test.ml main.ml ocamlopt $(INCLUDE) $(BIGINTLIB).cmxa $^ -o main.opt extract: test.ml doc: %.ml: ../%.mlw $(WHY3) extract -D ocaml64 $< > $@ %.cmo: %.ml ocamlc $(INCLUDE) -c $< %.cmx: %.ml ocamlopt $(INCLUDE) -c $< clean:: rm -f test.ml main.opt *.cm* why3-1.6.0/bench/extraction/test/main.ml000066400000000000000000000010341440160026300200760ustar00rootroot00000000000000 (* main file for ../test_extraction.mlw so that we *run* the extracted code *) open Test let () = assert (test_array () = 42) let (=) = Z.equal let b42 = Z.of_int 42 let () = assert (test_int () = b42) let () = assert (test_int63 () = b42) let () = assert (test_ref () = b42) let () = assert (test_array63 () = b42) let () = assert (test_partial2 = b42) let () = main () let () = Format.printf "OCaml extraction test successful@." (* Local Variables: compile-command: "make -C ../.. test-ocaml-extraction" End: *) why3-1.6.0/bench/ide-bench000077500000000000000000000030221440160026300152240ustar00rootroot00000000000000#!/bin/bash dir=`dirname $0` updateoracle=false files="" success=true while test $# != 0; do case "$1" in "-update-oracle") updateoracle=true;; "-"*) printf "unknown option: %s\n" "$1" printf "usage: ide-bench [-update-oracle] \n" printf " must be given with the '.mlw' suffix\n" printf " if empty, use all files from directory 'ide'\n" exit 2;; *) files="$files $1" esac shift done if test "$files" = "" ; then files="$dir/ide/*.mlw" fi # $1 = dir, $2 = filename run () { printf "$2..." file_path="$1/$2" oracle_file="$1/oracles/$2.oracle" echo "$file_path" xvfb-run -a bin/why3.opt ide --batch="down;down;type split_vc;wait 1;down;down;color;" "${file_path}.mlw" > "${file_path}.out" str_oracle=$(tr -d ' \n' < "${oracle_file}") str_out=$(tr -d ' \n' < "${file_path}.out") if [ "$str_oracle" = "$str_out" ] ; then echo "ok" else if $updateoracle; then echo "Updating oracle for ${file_path}" mv "${file_path}.out" "${oracle_file}" else echo "FAILED!" echo "Oracle is ${str_oracle}" echo "Output is ${str_out}" echo "diff is the following:" echo "${file_path}" diff "${oracle_file}" "${file_path}.out" success=false fi fi } for file in $files; do filedir=`dirname $file` filebase=`basename $file .mlw` run $filedir $filebase done if $success; then exit 0 else exit 1 fi why3-1.6.0/bench/ide/000077500000000000000000000000001440160026300142245ustar00rootroot00000000000000why3-1.6.0/bench/ide/isqrt.mlw000066400000000000000000000005411440160026300161070ustar00rootroot00000000000000module Simple use int.Int use ref.Refint let isqrt (x:int) : int requires { x >= 0 } = let ref count = 0 in let ref sum = 1 in while sum <= x do invariant { count >= 0 } variant { x - count } count += 1; sum += 2 * count + 1 done; count let main () ensures { result = 4 } = isqrt 17 end why3-1.6.0/bench/ide/map.mlw000066400000000000000000000020121440160026300155150ustar00rootroot00000000000000module M use int.Int use ref.Ref use map.Map let ghost test_map (ghost x : ref (map int int)) : unit ensures { !x[0] <> !x[1] } = x := Map.set !x 0 3 (* Multi-dimensional maps *) let ghost test_map_multidim1 (ghost x : ref (map int (map int int))) : unit ensures { !x[0][0] <> !x[1][1] } = x := Map.set !x 0 (Map.get !x 1) let ghost test_map_multidim2 (ghost x : ref (map int (map int int))) : unit ensures { !x[0][0] <> !x[1][1] } = let x0 = Map.get !x 0 in let x0 = Map.set x0 0 3 in x := Map.set !x 0 x0 let ghost proj_map_test1 (ghost x : ref (map int int)) : unit ensures { !x[0] <> !x[1] } = x := Map.set !x 0 3 let ghost proj_map_test2 (ghost x : ref (map int bool)) : unit ensures { !x[0] <> !x[1] } = x := Map.set !x 0 true end theory ModelMap use map.Map goal t1 : forall t:map int int, i : int. get (set t 0 42) i = get t i end module OtherIndices use map.Map goal g : forall m: map real real. m 0.1 = 0.0 \/ m 0.2 = m 0.1 endwhy3-1.6.0/bench/ide/oracles/000077500000000000000000000000001440160026300156545ustar00rootroot00000000000000why3-1.6.0/bench/ide/oracles/isqrt.oracle000077500000000000000000000004011440160026300202030ustar00rootroot00000000000000Cursor is placed at position: (11, 18) Recorded colors on the source code are: Color "goal_tag" from (5, 6) to (5, 11) Color "premise_tag" from (6, 15) to (6, 21) Color "goal_tag" from (7, 20) to (7, 21) Color "goal_tag" from (10, 18) to (10, 28) End color why3-1.6.0/bench/ide/oracles/map.oracle000077500000000000000000000003251440160026300176230ustar00rootroot00000000000000Cursor is placed at position: (8, 14) Recorded colors on the source code are: Color "goal_tag" from (6, 12) to (6, 20) Color "goal_tag" from (7, 14) to (7, 28) Color "premise_tag" from (9, 4) to (9, 23) End color why3-1.6.0/bench/infer-bench000077500000000000000000000045171440160026300156000ustar00rootroot00000000000000#!/bin/bash has_infer=`sed -n -e 's/INFERLIB *= *\([^ ]\+\)/\1/p' share/Makefile.config` if test -z "$has_infer"; then echo "Inference of loop invariants not enabled!" exit 3 fi updateoracle=false forceupdateoracle=false files="" dirs="" success=true why3prove="bin/why3 prove" why3libs="" if test $# = 0; then printf "no files provided\n" exit 2 fi while test $# != 0; do case "$1" in "-update-oracle") updateoracle=true;; "-force-update-oracle") forceupdateoracle=true;; -L=?*) why3libs="$why3libs ${1#*=}";; "-"*) printf "unknown option: %s\n" "$1" printf "usage: infer-bench [-update-oracle] \n" printf " if is a directory, it runs on all the *.mlw files\n" exit 2;; *) if [ -d "$1" ]; then dirs="$dirs $1" else if [ -f "$1" ]; then files="$files $1" else echo "File not found: $1" exit 2 fi fi esac shift done if test -n "$why3libs"; then why3libs="-L $why3libs" fi for d in $dirs; do d=$(echo $d | sed 's:/*$::') #remove trailling slashs mlw="$(ls $d/*.mlw 2> /dev/null)" files="$files $mlw" done failed="" # $1 = file run () { printf "running for $1" file_base="$(basename $1)" file_dir="$(dirname $1)" out_file="$file_dir/${file_base%.*}.out" oracle_file="$file_dir/infer-oracles/${file_base%.*}.oracle" $why3prove $1 -t 1 -P alt-ergo --debug=print-inferred-invs $why3libs > "$out_file" 2>&1 str_out=$(sed 's/[0-9]\+\.[0-9]\+s//g' $out_file | sed 's/[0-9]\+ steps//g') str_oracle=$(sed 's/[0-9]\+\.[0-9]\+s//g' $oracle_file | sed 's/[0-9]\+ steps//g') if [ "$str_oracle" = "$str_out" ] ; then printf " - ok\n" else printf "\n" if $updateoracle; then echo "Updating oracle for $file_base" cp "$out_file" "$oracle_file" else echo "FAILED!" echo "diff is the following:" echo "$f" diff <(echo "$str_oracle") <(echo "$str_out") failed="$failed\n$1" success=false fi fi if $forceupdateoracle; then echo "Forcing update oracle for $file_base" cp "$out_file" "$oracle_file" fi rm "$out_file" } for file in $files; do run $file done if $success; then echo "Infer bench: success" exit 0 else echo "Infer bench: failed" printf "$failed\n" exit 1 fi why3-1.6.0/bench/infer/000077500000000000000000000000001440160026300145665ustar00rootroot00000000000000why3-1.6.0/bench/infer/aliasing.mlw000066400000000000000000000011161440160026300170750ustar00rootroot00000000000000module Aliasing1 use int.Int use ref.Ref let b [@bddinfer] [@infer](_:int) : int ensures { result = 10 } = let i = ref 0 in let j = i in while !i < 10 do variant { 10 - !i } i := !i + 1; done; !j let c [@bddinfer] [@infer:oct](_:int) : int ensures { result = 10 } = let i = ref 0 in let j = i in while !i < 10 do variant { 10 - !i } i := !i + 1; done; !j let d [@bddinfer] [@infer:box](_:int) : int ensures { result = 10 } = let i = ref 0 in let j = i in while !i < 10 do variant { 10 - !i } i := !i + 1; done; !j end why3-1.6.0/bench/infer/assign_bool.mlw000066400000000000000000000001421440160026300176030ustar00rootroot00000000000000use int.Int use bool.Bool val ref x : bool let main [@bddinfer] () = x <- True; x <- Falsewhy3-1.6.0/bench/infer/assign_cond.mlw000066400000000000000000000002011440160026300175670ustar00rootroot00000000000000use int.Int use bool.Bool val ref x : bool val ref y : int let main [@bddinfer] () = y <- 42; x <- y > 0; assert { x } why3-1.6.0/bench/infer/auto_array1.mlw000066400000000000000000000102661440160026300175430ustar00rootroot00000000000000 module Test use array.Array use ref.Ref use ref.Refint use int.Int let basic [@bddinfer] [@infer](x:int): unit = let a = make x 2 in while (true) do variant { 0 } invariant { forall w:int. 0 <= w < x -> a[w] = 2 } () done; () let basic1 [@bddinfer] [@infer:oct](x:int): unit = let a = make x 2 in while (true) do variant { 0 } invariant { forall w:int. 0 <= w < x -> a[w] = 2 } () done; () let basic2 [@bddinfer] [@infer:box](x:int): unit = let a = make x 2 in while (true) do variant { 0 } invariant { forall w:int. 0 <= w < x -> a[w] = 2 } () done; () let b(x:int): unit = let a = make x 2 in a[1] <- 42; while (true) do variant { 0 } invariant { a[1] = 42 } () done; () let b2(x:int): unit = let a = make x 2 in a[1] <- 42; while (true) do variant { 0 } invariant { forall k: int. 0 <= k < length a -> (k > 1 -> a[k] = 2) } () done; () let c(x:int): unit requires { x >= 2 } = let a = make x 1 in a[0] <- 0; a[1] <- 42; while (true) do variant { 0 } invariant { a[1] = 42 /\ (forall k: int. (0 <= k <= 1 /\ a[k] = 42 *k) \/ k <> 0) } () done; () let d_basic(x:int): unit requires { x >= 3 } = let a = make x 1 in a[0] <- 0; a[1] <- 42; while (true) do variant { 0 } invariant { length a = x } () done; () let d(x:int): unit requires { x >= 3 } = let a = make x 1 in a[0] <- 0; a[1] <- 42; while (true) do variant { 0 } invariant { a[1] = 42 /\ (forall k: int. k = 2 -> a[k] = 1) } () done; () let e(x:int): unit requires { x >= 3 } = let a = make x 1 in while (true) do variant { 0 } invariant { forall k: int. k = 0 -> (a[k] = 10 \/ a[k] = 1) } a[0] <- 10; () done; () let f(x:int): unit requires { x >= 3 } = let a = make x 0 in let k = ref 0 in while (true) do variant { 0 } invariant { forall i: int. (i = 0 -> (a[i] = !k)) } a[0] <- !k + 1; incr k; done; () let cond(x:int): unit requires { x >= 3 } = let a = make x 1 in if x >= 5 then a[0] <- 7 else a[0] <- 9; while (true) do variant { 0 } invariant { (forall k: int. (k = 0 -> (a[k] = 9 \/ a[0] = 7))) } () done; () let cond2(x:int): unit requires { x >= 3 } = let a = make x 1 in if x >= 5 then a[0] <- 7; while (true) do variant { 0 } invariant { (forall k: int. (k = 0 -> (a[k] = 1 \/ a[0] = 7))) } () done; () let init1(x:int): unit requires { x >= 3 } = let a = make x 0 in let k = ref 0 in while (!k < x) do variant { 0 } invariant { forall i: int. (0 <= i < !k -> (a[i] = 8)) } a[!k] <- 8; incr k; done; () let init2(x:int): unit requires { x >= 3 } = let a = make x 0 in let k = ref 0 in while (!k < x) do variant { 0 } invariant { forall i: int. (0 <= i < !k -> (a[i] = i)) } a[!k] <- !k; incr k; done; () let init3(x:int): unit requires { x >= 10 } = let a = make x 0 in let k = ref 0 in while (!k < 4) do variant { 0 } invariant { forall i: int. (0 <= i < !k -> (a[i] = 8)) } a[!k] <- 8; incr k; done; () let init5 (x:int) (y:int) : array int requires { x > y >= 0 } ensures { forall i: int. (0 <= i < y -> result[i] = 1) /\ (y <= i < x -> result[i] = 2) } = let a = make x 0 in let k = ref 0 in while (!k < x) do variant { x - !k } invariant { true } if !k >= y then a[!k] <- 42 else a[!k] <- 43; incr k; done; a let init_non_lin(x:int): array int requires { x >= 0 } ensures { forall i: int. 0 <= i < x -> result[i] = i * i } = let a = make x 0 in let k = ref 0 in while (!k < x) do variant { x - !k } invariant { true } a[!k] <- !k * !k; incr k; done; a let instantiation [@bddinfer] [@infer](n: int): unit requires { n >= 0 } = let a = make n 10 in let b = a[5] in while true do variant { 0 } invariant { b = 10 } () done; () let instantiation2 [@bddinfer] [@infer:oct](n: int): unit requires { n >= 0 } = let a = make n 10 in let b = a[5] in while true do variant { 0 } invariant { b = 10 } () done; () let instantiation3 [@bddinfer] [@infer:box](n: int): unit requires { n >= 0 } = let a = make n 10 in let b = a[5] in while true do variant { 0 } invariant { b = 10 } () done; () end why3-1.6.0/bench/infer/auto_array_false.mlw000066400000000000000000000060701440160026300206320ustar00rootroot00000000000000 module Test use array.Array use ref.Ref use ref.Refint use int.Int let b(x:int): unit = let a = make x 1 in a[1] <- 42; while (true) do variant { 0 } invariant { a[1] = 43 } () done; () let c [@bddinfer] [@infer](x:int): unit requires { x >= 2 } = while (true) do variant { 0 } invariant { (forall k: int. k <> 0) } () done; () let c2 [@bddinfer] [@infer:oct](x:int): unit requires { x >= 2 } = while (true) do variant { 0 } invariant { (forall k: int. k <> 0) } () done; () let c3 [@bddinfer] [@infer:box](x:int): unit requires { x >= 2 } = while (true) do variant { 0 } invariant { (forall k: int. k <> 0) } () done; () let dd(x:int): unit requires { x >= 2 } = let a = make x 1 in a[0] <- 0; while (true) do variant { 0 } invariant { forall k: int. k <> 0 } () done; () let d(x:int): unit requires { x >= 2 } = let a = make x 1 in a[0] <- 0; a[1] <- 42; while (true) do variant { 0 } invariant { a[1] = 42 /\ a[0] = 0 /\ (forall k: int. (k = 0 -> a[k] = 18)) } () done; () let e(x:int): unit requires { x >= 3 } = let a = make x 1 in a[0] <- 0; a[1] <- 42; while (true) do variant { 0 } invariant { a[1] = 42 /\ a[0] = 0 /\ (forall k: int. k = 2 -> a[k] = 2) } () done; () let ee(x:int): unit requires { x >= 3 } = let a = make x 1 in a[0] <- 0; while (true) do variant { 0 } invariant {(forall k: int. k = 0 -> a[k] = 1) } () done; () let f(x:int): unit requires { x >= 3 } = let a = make x 1 in while (true) do variant { 0 } invariant { (forall k: int. (k = 0 -> (a[k] = 10))) } a[0] <- 10; () done; () let g(x:int): unit requires { x >= 3 } = let a = make x 1 in a[0] <- 10; while (true) do variant { 0 } invariant { (forall k: int. (k = 0 -> (a[k] = 1))) } () done; () let cond(x:int): unit requires { x >= 3 } = let a = make x 1 in if x >= 5 then a[0] <- 7 else a[0] <- 9; while (true) do variant { 0 } invariant { (forall k: int. (k = 0 -> (a[k] = 1 \/ a[0] = 7))) } () done; () let cond2(x:int): unit requires { x >= 3 } = let a = make x 1 in if x >= 5 then a[0] <- 7 else a[0] <- 9; while (true) do variant { 0 } invariant { (forall k: int. (k = 0 -> (a[k] = 1 \/ a[0] = 9))) } () done; () let h(x:int): unit requires { x >= 3 } = let a = make x 1 in while (true) do variant { 0 } invariant { (forall k: int. (k = 0 -> (a[k] = 1))) } a[0] <- 10; () done; () let cond3(x:int): unit requires { x >= 3 } = let a = make x 1 in if x >= 5 then a[0] <- 7; while (true) do variant { 0 } invariant { (forall k: int. (k = 0 -> ( a[0] = 7))) } () done; () let cond4(x:int): unit requires { x >= 3 } = let a = make x 1 in if x >= 5 then a[0] <- 7; while (true) do variant { 0 } invariant { (forall k: int. (k = 0 -> ( a[0] = 1))) } () done; () let fe(x:int): unit requires { x >= 3 } = let a = make x 0 in let k = ref 0 in while (true) do variant { 0 } invariant { 0 <= !k < 2 } a[0] <- !k + 1; incr k; done; () end why3-1.6.0/bench/infer/auto_cst1.mlw000066400000000000000000000017151440160026300172150ustar00rootroot00000000000000module Test use array.Array use ref.Ref use ref.Refint use int.Int let b [@bddinfer] [@infer](_:int): unit = let y = 10 in while (true) do variant { 0 } invariant { y = 10 } () done; () let b2 [@bddinfer] [@infer:oct](_:int): unit = let y = 10 in while (true) do variant { 0 } invariant { y = 10 } () done; () let b3 [@bddinfer] [@infer:box](_:int): unit = let y = 10 in while (true) do variant { 0 } invariant { y = 10 } () done; () let c [@bddinfer] [@infer](_:int): unit = let y = 10 in let k = 42 in while (true) do variant { 0 } invariant { y = 10 /\ k = 42 } () done; () let c2 [@bddinfer] [@infer:oct](_:int): unit = let y = 10 in let k = 42 in while (true) do variant { 0 } invariant { y = 10 /\ k = 42 } () done; () let c3 [@bddinfer] [@infer:box](_:int): unit = let y = 10 in let k = 42 in while (true) do variant { 0 } invariant { y = 10 /\ k = 42 } () done; () end why3-1.6.0/bench/infer/auto_ref0.mlw000066400000000000000000000007451440160026300172010ustar00rootroot00000000000000 module Test use array.Array use ref.Ref use int.Int let b [@bddinfer] [@infer](_:unit): unit = let k = ref 0 in while (true) do variant { 0 } invariant { !k = 0 } () done; () let b2 [@bddinfer] [@infer:oct](_:unit): unit = let k = ref 0 in while (true) do variant { 0 } invariant { !k = 0 } () done; () let b3 [@bddinfer] [@infer:box](_:unit): unit = let k = ref 0 in while (true) do variant { 0 } invariant { !k = 0 } () done; () end why3-1.6.0/bench/infer/auto_ref1.mlw000066400000000000000000000011401440160026300171700ustar00rootroot00000000000000 module Test use array.Array use ref.Ref use ref.Refint use int.Int let b [@bddinfer] [@infer](_:unit): unit = let k = ref 0 in incr k; while (true) do variant { 0 } invariant { !k = 1 /\ !k = 0 + 1 /\ !k - 1 = 0 } () done; () let b2 [@bddinfer] [@infer](_:unit): unit = let k = ref 0 in incr k; while (true) do variant { 0 } invariant { !k = 1 /\ !k = 0 + 1 /\ !k - 1 = 0 } () done; () let b3 [@bddinfer] [@infer](_:unit): unit = let k = ref 0 in incr k; while (true) do variant { 0 } invariant { !k = 1 /\ !k = 0 + 1 /\ !k - 1 = 0 } () done; () end why3-1.6.0/bench/infer/auto_ref2.mlw000066400000000000000000000010561440160026300171770ustar00rootroot00000000000000 module Test use array.Array use ref.Ref use ref.Refint use int.Int let b [@bddinfer] [@infer](_:unit): unit = let k = ref 0 in incr k; incr k; while (true) do variant { 0 } invariant { !k = 2} () done; () let b2 [@bddinfer] [@infer:oct](_:unit): unit = let k = ref 0 in incr k; incr k; while (true) do variant { 0 } invariant { !k = 2} () done; () let b3 [@bddinfer] [@infer:box](_:unit): unit = let k = ref 0 in incr k; incr k; while (true) do variant { 0 } invariant { !k = 2} () done; () end why3-1.6.0/bench/infer/auto_ref3.mlw000066400000000000000000000021711440160026300171770ustar00rootroot00000000000000 module Test use array.Array use ref.Ref use ref.Refint use int.Int let b [@bddinfer] [@infer](x:int): unit = let k = ref 0 in while (!k < x) do variant { x - !k } invariant { !k = 0 \/ 0 <= !k <= x} incr k; () done; () let b3 [@bddinfer] [@infer:box](x:int): unit = let k = ref 0 in while (!k < x) do variant { x - !k } invariant { !k = 0 \/ 0 <= !k <= x} incr k; () done; () let c [@bddinfer] [@infer](x:int): unit = let k = ref 0 in let j = ref 0 in while (!k < x) do variant { x - !k } invariant { !k = 0 \/ 0 <= !k <= x /\ !k *2 = !j} incr k; j := !j + 2; () done; () let e [@bddinfer] [@infer](x:int) : unit requires { x > 0 } = let k = ref 0 in k := x; while (true) do variant {0} invariant { !k = x } () done; () let e2 [@bddinfer] [@infer:oct](x:int) : unit requires { x > 0 } = let k = ref 0 in k := x; while (true) do variant {0} invariant { !k = x } () done; () let e3 [@bddinfer] [@infer:box](x:int) : unit requires { x > 0 } = let k = ref 0 in k := x; while (true) do variant {0} invariant { !k = x } () done; () end why3-1.6.0/bench/infer/auto_ref_false.mlw000066400000000000000000000020541440160026300202660ustar00rootroot00000000000000 module Test use array.Array use ref.Ref use ref.Refint use int.Int let b [@bddinfer] [@infer](x:int): unit requires { x >= 1 } = let k = ref 0 in while (!k < x) do variant { x - !k } invariant { !k < 1 } incr k; () done; () let b3 [@bddinfer] [@infer:box](x:int): unit requires { x >= 1 } = let k = ref 0 in while (!k < x) do variant { x - !k } invariant { !k < 1 } incr k; () done; () let c [@bddinfer] [@infer](x:int): unit requires { x >= 2 } = let k = ref 0 in let j = ref 0 in while (!k < x) do variant { x - !k } invariant { !j < 4 } incr k; j := !j + 2; () done; () let c2 [@bddinfer] [@infer:oct](x:int): unit requires { x >= 2 } = let k = ref 0 in let j = ref 0 in while (!k < x) do variant { x - !k } invariant { !j < 4 } incr k; j := !j + 2; () done; () let c3 [@bddinfer] [@infer:box](x:int): unit requires { x >= 2 } = let k = ref 0 in let j = ref 0 in while (!k < x) do variant { x - !k } invariant { !j < 4 } incr k; j := !j + 2; () done; () end why3-1.6.0/bench/infer/bddinfer-oracles/000077500000000000000000000000001440160026300177715ustar00rootroot00000000000000why3-1.6.0/bench/infer/bddinfer-oracles/aliasing.oracle000066400000000000000000000014461440160026300227540ustar00rootroot00000000000000Invariant for loop [anonymous_loop_0] is ((0 <= i.contents /\ i.contents <= 10) /\ j.contents = 0) /\ o = 0 Domains for loop [anonymous_loop_0] are o = [0;0]; i = [0;10]; j = [0;0] Invariant for loop [anonymous_loop_0] is ((0 <= i1.contents /\ i1.contents <= 10) /\ j1.contents = 0) /\ o1 = 0 Domains for loop [anonymous_loop_0] are o1 = [0;0]; i1 = [0;10]; j1 = [0;0] Invariant for loop [anonymous_loop_0] is ((0 <= i2.contents /\ i2.contents <= 10) /\ j2.contents = 0) /\ o2 = 0 Domains for loop [anonymous_loop_0] are o2 = [0;0]; i2 = [0;10]; j2 = [0;0] File bench/infer/aliasing.mlw: Goal b'vc. Prover result is: Unknown () (0.03s). File bench/infer/aliasing.mlw: Goal c'vc. Prover result is: Unknown () (0.01s). File bench/infer/aliasing.mlw: Goal d'vc. Prover result is: Unknown () (0.00s). why3-1.6.0/bench/infer/bddinfer-oracles/assign_cond.oracle000066400000000000000000000001331440160026300234440ustar00rootroot00000000000000File bench/infer/assign_cond.mlw: Goal main'vc. Prover result is: Valid (0.00s, 5 steps). why3-1.6.0/bench/infer/bddinfer-oracles/auto_array1.oracle000066400000000000000000000050761440160026300234170ustar00rootroot00000000000000BDD-infer failure: unsupported feature, unsupported feature: simple_expr_to_why1_stmt: let on type `array int` (type_of: region type `array int`) BDD-infer failure: unsupported feature, unsupported feature: simple_expr_to_why1_stmt: let on type `array int` (type_of: region type `array int`) BDD-infer failure: unsupported feature, unsupported feature: simple_expr_to_why1_stmt: let on type `array int` (type_of: region type `array int`) BDD-infer failure: unsupported feature, unsupported feature: simple_expr_to_why1_stmt: let on type `array int` (type_of: region type `array int`) BDD-infer failure: unsupported feature, unsupported feature: simple_expr_to_why1_stmt: let on type `array int` (type_of: region type `array int`) BDD-infer failure: unsupported feature, unsupported feature: simple_expr_to_why1_stmt: let on type `array int` (type_of: region type `array int`) File bench/infer/auto_array1.mlw: Goal basic'vc. Prover result is: Unknown () (0.01s). File bench/infer/auto_array1.mlw: Goal basic1'vc. Prover result is: Unknown () (0.01s). File bench/infer/auto_array1.mlw: Goal basic2'vc. Prover result is: Unknown () (0.01s). File bench/infer/auto_array1.mlw: Goal b'vc. Prover result is: Unknown () (0.01s). File bench/infer/auto_array1.mlw: Goal b2'vc. Prover result is: Unknown () (0.01s). File bench/infer/auto_array1.mlw: Goal c'vc. Prover result is: Timeout (1.00s). File bench/infer/auto_array1.mlw: Goal d_basic'vc. Prover result is: Timeout (1.00s). File bench/infer/auto_array1.mlw: Goal d'vc. Prover result is: Timeout (1.00s). File bench/infer/auto_array1.mlw: Goal e'vc. Prover result is: Timeout (1.00s). File bench/infer/auto_array1.mlw: Goal f'vc. Prover result is: Timeout (1.00s). File bench/infer/auto_array1.mlw: Goal cond'vc. Prover result is: Timeout (1.00s). File bench/infer/auto_array1.mlw: Goal cond2'vc. Prover result is: Timeout (1.00s). File bench/infer/auto_array1.mlw: Goal init1'vc. Prover result is: Timeout (1.00s). File bench/infer/auto_array1.mlw: Goal init2'vc. Prover result is: Timeout (1.00s). File bench/infer/auto_array1.mlw: Goal init3'vc. Prover result is: Timeout (1.00s). File bench/infer/auto_array1.mlw: Goal init5'vc. Prover result is: Timeout (1.00s). File bench/infer/auto_array1.mlw: Goal init_non_lin'vc. Prover result is: Timeout (1.00s). File bench/infer/auto_array1.mlw: Goal instantiation'vc. Prover result is: Timeout (1.00s). File bench/infer/auto_array1.mlw: Goal instantiation2'vc. Prover result is: Timeout (1.00s). File bench/infer/auto_array1.mlw: Goal instantiation3'vc. Prover result is: Timeout (1.00s). why3-1.6.0/bench/infer/bddinfer-oracles/auto_array_false.oracle000066400000000000000000000033611440160026300245030ustar00rootroot00000000000000BDD-infer failure: unsupported feature, unsupported feature: normalized_fmla_to_why1_cond: term `forall k:int. not k = 0` BDD-infer failure: unsupported feature, unsupported feature: normalized_fmla_to_why1_cond: term `forall k:int. not k = 0` BDD-infer failure: unsupported feature, unsupported feature: normalized_fmla_to_why1_cond: term `forall k:int. not k = 0` File bench/infer/auto_array_false.mlw: Goal b'vc. Prover result is: Unknown () (0.01s). File bench/infer/auto_array_false.mlw: Goal c'vc. Prover result is: Unknown () (0.01s). File bench/infer/auto_array_false.mlw: Goal c2'vc. Prover result is: Unknown () (0.01s). File bench/infer/auto_array_false.mlw: Goal c3'vc. Prover result is: Unknown () (0.01s). File bench/infer/auto_array_false.mlw: Goal dd'vc. Prover result is: Timeout (1.00s). File bench/infer/auto_array_false.mlw: Goal d'vc. Prover result is: Timeout (1.00s). File bench/infer/auto_array_false.mlw: Goal e'vc. Prover result is: Timeout (1.00s). File bench/infer/auto_array_false.mlw: Goal ee'vc. Prover result is: Timeout (1.00s). File bench/infer/auto_array_false.mlw: Goal f'vc. Prover result is: Timeout (1.00s). File bench/infer/auto_array_false.mlw: Goal g'vc. Prover result is: Timeout (1.00s). File bench/infer/auto_array_false.mlw: Goal cond'vc. Prover result is: Timeout (1.00s). File bench/infer/auto_array_false.mlw: Goal cond2'vc. Prover result is: Timeout (1.00s). File bench/infer/auto_array_false.mlw: Goal h'vc. Prover result is: Timeout (1.00s). File bench/infer/auto_array_false.mlw: Goal cond3'vc. Prover result is: Timeout (1.00s). File bench/infer/auto_array_false.mlw: Goal cond4'vc. Prover result is: Timeout (1.00s). File bench/infer/auto_array_false.mlw: Goal fe'vc. Prover result is: Timeout (1.00s). why3-1.6.0/bench/infer/bddinfer-oracles/auto_cst1.oracle000066400000000000000000000027071440160026300230700ustar00rootroot00000000000000Invariant for loop [anonymous_loop_0] is y = 10 Domains for loop [anonymous_loop_0] are y = [10;10] The generated invariant implies { y = 10 } Invariant for loop [anonymous_loop_0] is y1 = 10 Domains for loop [anonymous_loop_0] are y1 = [10;10] The generated invariant implies { y = 10 } Invariant for loop [anonymous_loop_0] is y2 = 10 Domains for loop [anonymous_loop_0] are y2 = [10;10] The generated invariant implies { y = 10 } Invariant for loop [anonymous_loop_0] is k = 42 /\ y3 = 10 Domains for loop [anonymous_loop_0] are y3 = [10;10]; k = [42;42] The generated invariant implies { (y = 10 && k = 42) } Invariant for loop [anonymous_loop_0] is k1 = 42 /\ y4 = 10 Domains for loop [anonymous_loop_0] are y4 = [10;10]; k1 = [42;42] The generated invariant implies { (y = 10 && k = 42) } Invariant for loop [anonymous_loop_0] is k2 = 42 /\ y5 = 10 Domains for loop [anonymous_loop_0] are y5 = [10;10]; k2 = [42;42] The generated invariant implies { (y = 10 && k = 42) } File bench/infer/auto_cst1.mlw: Goal b'vc. Prover result is: Unknown () (0.01s). File bench/infer/auto_cst1.mlw: Goal b2'vc. Prover result is: Unknown () (0.00s). File bench/infer/auto_cst1.mlw: Goal b3'vc. Prover result is: Unknown () (0.00s). File bench/infer/auto_cst1.mlw: Goal c'vc. Prover result is: Unknown () (0.00s). File bench/infer/auto_cst1.mlw: Goal c2'vc. Prover result is: Unknown () (0.00s). File bench/infer/auto_cst1.mlw: Goal c3'vc. Prover result is: Unknown () (0.01s). why3-1.6.0/bench/infer/bddinfer-oracles/auto_ref0.oracle000066400000000000000000000013731440160026300230500ustar00rootroot00000000000000Invariant for loop [anonymous_loop_0] is k.contents = 0 /\ o = 0 Domains for loop [anonymous_loop_0] are o = [0;0]; k = [0;0] The generated invariant implies { k = 0 } Invariant for loop [anonymous_loop_0] is k1.contents = 0 /\ o1 = 0 Domains for loop [anonymous_loop_0] are o1 = [0;0]; k1 = [0;0] The generated invariant implies { k = 0 } Invariant for loop [anonymous_loop_0] is k2.contents = 0 /\ o2 = 0 Domains for loop [anonymous_loop_0] are o2 = [0;0]; k2 = [0;0] The generated invariant implies { k = 0 } File bench/infer/auto_ref0.mlw: Goal b'vc. Prover result is: Unknown () (0.02s). File bench/infer/auto_ref0.mlw: Goal b2'vc. Prover result is: Unknown () (0.02s). File bench/infer/auto_ref0.mlw: Goal b3'vc. Prover result is: Unknown () (0.01s). why3-1.6.0/bench/infer/bddinfer-oracles/auto_ref1.oracle000066400000000000000000000015411440160026300230460ustar00rootroot00000000000000Invariant for loop [anonymous_loop_0] is k.contents = 1 /\ o = 0 Domains for loop [anonymous_loop_0] are o = [0;0]; k = [1;1] The generated invariant implies { (k = 1 && (k = (0 + 1) && (k - 1) = 0)) } Invariant for loop [anonymous_loop_0] is k1.contents = 1 /\ o1 = 0 Domains for loop [anonymous_loop_0] are o1 = [0;0]; k1 = [1;1] The generated invariant implies { (k = 1 && (k = (0 + 1) && (k - 1) = 0)) } Invariant for loop [anonymous_loop_0] is k2.contents = 1 /\ o2 = 0 Domains for loop [anonymous_loop_0] are o2 = [0;0]; k2 = [1;1] The generated invariant implies { (k = 1 && (k = (0 + 1) && (k - 1) = 0)) } File bench/infer/auto_ref1.mlw: Goal b'vc. Prover result is: Unknown () (0.03s). File bench/infer/auto_ref1.mlw: Goal b2'vc. Prover result is: Unknown () (0.01s). File bench/infer/auto_ref1.mlw: Goal b3'vc. Prover result is: Unknown () (0.01s). why3-1.6.0/bench/infer/bddinfer-oracles/auto_ref2.oracle000066400000000000000000000013731440160026300230520ustar00rootroot00000000000000Invariant for loop [anonymous_loop_0] is k.contents = 2 /\ o = 0 Domains for loop [anonymous_loop_0] are o = [0;0]; k = [2;2] The generated invariant implies { k = 2 } Invariant for loop [anonymous_loop_0] is k1.contents = 2 /\ o1 = 0 Domains for loop [anonymous_loop_0] are o1 = [0;0]; k1 = [2;2] The generated invariant implies { k = 2 } Invariant for loop [anonymous_loop_0] is k2.contents = 2 /\ o2 = 0 Domains for loop [anonymous_loop_0] are o2 = [0;0]; k2 = [2;2] The generated invariant implies { k = 2 } File bench/infer/auto_ref2.mlw: Goal b'vc. Prover result is: Unknown () (0.02s). File bench/infer/auto_ref2.mlw: Goal b2'vc. Prover result is: Unknown () (0.01s). File bench/infer/auto_ref2.mlw: Goal b3'vc. Prover result is: Unknown () (0.00s). why3-1.6.0/bench/infer/bddinfer-oracles/auto_ref3.oracle000066400000000000000000000036221440160026300230520ustar00rootroot00000000000000Invariant for loop [anonymous_loop_0] is 0 <= k.contents /\ o = 0 Domains for loop [anonymous_loop_0] are x = ]-oo;+oo[; o = [0;0]; k = [0;+oo[ The generated invariant implies { (k = 0 || (0 <= k && k <= x)) } Invariant for loop [anonymous_loop_0] is 0 <= k1.contents /\ o1 = 0 Domains for loop [anonymous_loop_0] are x1 = ]-oo;+oo[; o1 = [0;0]; k1 = [0;+oo[ The generated invariant implies { (k = 0 || (0 <= k && k <= x)) } Invariant for loop [anonymous_loop_0] is ((0 <= j.contents /\ o2 = 0) /\ o3 = 0) /\ (k2.contents * 2) = j.contents Domains for loop [anonymous_loop_0] are x2 = ]-oo;+oo[; o3 = [0;0]; k2 = [0;+oo[; o2 = [0;0]; j = [0;+oo[ The generated invariant implies { (k = 0 || ((0 <= k && k <= x) && (k * 2) = j)) } Invariant for loop [anonymous_loop_0] is (1 <= k3.contents /\ o4 = 0) /\ x3 = k3.contents Domains for loop [anonymous_loop_0] are x3 = [1;+oo[; o4 = [0;0]; k3 = [1;+oo[ The generated invariant implies { k = x } Invariant for loop [anonymous_loop_0] is (1 <= k4.contents /\ o5 = 0) /\ x4 = k4.contents Domains for loop [anonymous_loop_0] are x4 = [1;+oo[; o5 = [0;0]; k4 = [1;+oo[ The generated invariant implies { k = x } Invariant for loop [anonymous_loop_0] is (1 <= k5.contents /\ o6 = 0) /\ x5 = k5.contents Domains for loop [anonymous_loop_0] are x5 = [1;+oo[; o6 = [0;0]; k5 = [1;+oo[ The generated invariant implies { k = x } File bench/infer/auto_ref3.mlw: Goal b'vc. Prover result is: Valid (0.00s, 9 steps). File bench/infer/auto_ref3.mlw: Goal b3'vc. Prover result is: Valid (0.00s, 9 steps). File bench/infer/auto_ref3.mlw: Goal c'vc. Prover result is: Valid (0.00s, 13 steps). File bench/infer/auto_ref3.mlw: Goal e'vc. Prover result is: Unknown () (0.00s). File bench/infer/auto_ref3.mlw: Goal e2'vc. Prover result is: Unknown () (0.00s). File bench/infer/auto_ref3.mlw: Goal e3'vc. Prover result is: Unknown () (0.00s). why3-1.6.0/bench/infer/bddinfer-oracles/auto_ref_false.oracle000066400000000000000000000035131440160026300241400ustar00rootroot00000000000000Invariant for loop [anonymous_loop_0] is ((0 <= k.contents /\ 1 <= x) /\ k.contents <= x) /\ o = 0 Domains for loop [anonymous_loop_0] are x = [1;+oo[; o = [0;0]; k = [0;+oo[ The generated invariant does not imply { k < 1 } Invariant for loop [anonymous_loop_0] is ((0 <= k1.contents /\ 1 <= x1) /\ k1.contents <= x1) /\ o1 = 0 Domains for loop [anonymous_loop_0] are x1 = [1;+oo[; o1 = [0;0]; k1 = [0;+oo[ The generated invariant does not imply { k < 1 } Invariant for loop [anonymous_loop_0] is ((((0 <= j.contents /\ 2 <= x2) /\ j.contents <= (x2 * 2)) /\ o2 = 0) /\ o3 = 0) /\ (k2.contents * 2) = j.contents Domains for loop [anonymous_loop_0] are x2 = [2;+oo[; o3 = [0;0]; k2 = [0;+oo[; o2 = [0;0]; j = [0;+oo[ The generated invariant does not imply { j < 4 } Invariant for loop [anonymous_loop_0] is ((((0 <= j1.contents /\ 2 <= x3) /\ j1.contents <= (x3 * 2)) /\ o4 = 0) /\ o5 = 0) /\ (k3.contents * 2) = j1.contents Domains for loop [anonymous_loop_0] are x3 = [2;+oo[; o5 = [0;0]; k3 = [0;+oo[; o4 = [0;0]; j1 = [0;+oo[ The generated invariant does not imply { j < 4 } Invariant for loop [anonymous_loop_0] is ((((0 <= j2.contents /\ 2 <= x4) /\ j2.contents <= (x4 * 2)) /\ o6 = 0) /\ o7 = 0) /\ (k4.contents * 2) = j2.contents Domains for loop [anonymous_loop_0] are x4 = [2;+oo[; o7 = [0;0]; k4 = [0;+oo[; o6 = [0;0]; j2 = [0;+oo[ The generated invariant does not imply { j < 4 } File bench/infer/auto_ref_false.mlw: Goal b'vc. Prover result is: Unknown () (0.02s). File bench/infer/auto_ref_false.mlw: Goal b3'vc. Prover result is: Unknown () (0.01s). File bench/infer/auto_ref_false.mlw: Goal c'vc. Prover result is: Unknown () (0.02s). File bench/infer/auto_ref_false.mlw: Goal c2'vc. Prover result is: Unknown () (0.02s). File bench/infer/auto_ref_false.mlw: Goal c3'vc. Prover result is: Unknown () (0.01s). why3-1.6.0/bench/infer/bddinfer-oracles/binary_search.oracle000066400000000000000000000010711440160026300237700ustar00rootroot00000000000000BDD-infer failure: unsupported feature, unsupported feature: mlw_expr_to_simple_expr: Ematch BDD-infer failure: unsupported feature, unsupported feature: mlw_expr_to_simple_expr: Ematch BDD-infer failure: unsupported feature, unsupported feature: mlw_expr_to_simple_expr: Ematch File bench/infer/binary_search.mlw: Goal binary_search'vc. Prover result is: Timeout (1.00s). File bench/infer/binary_search.mlw: Goal binary_search2'vc. Prover result is: Timeout (1.00s). File bench/infer/binary_search.mlw: Goal binary_search3'vc. Prover result is: Timeout (1.00s). why3-1.6.0/bench/infer/bddinfer-oracles/binary_search1.oracle000066400000000000000000000010741440160026300240540ustar00rootroot00000000000000BDD-infer failure: unsupported feature, unsupported feature: mlw_expr_to_simple_expr: Ematch BDD-infer failure: unsupported feature, unsupported feature: mlw_expr_to_simple_expr: Ematch BDD-infer failure: unsupported feature, unsupported feature: mlw_expr_to_simple_expr: Ematch File bench/infer/binary_search1.mlw: Goal binary_search'vc. Prover result is: Timeout (1.00s). File bench/infer/binary_search1.mlw: Goal binary_search2'vc. Prover result is: Timeout (1.00s). File bench/infer/binary_search1.mlw: Goal binary_search3'vc. Prover result is: Timeout (1.00s). why3-1.6.0/bench/infer/bddinfer-oracles/binary_search2.oracle000066400000000000000000000010741440160026300240550ustar00rootroot00000000000000BDD-infer failure: unsupported feature, unsupported feature: mlw_expr_to_simple_expr: Ematch BDD-infer failure: unsupported feature, unsupported feature: mlw_expr_to_simple_expr: Ematch BDD-infer failure: unsupported feature, unsupported feature: mlw_expr_to_simple_expr: Ematch File bench/infer/binary_search2.mlw: Goal binary_search'vc. Prover result is: Timeout (1.00s). File bench/infer/binary_search2.mlw: Goal binary_search2'vc. Prover result is: Timeout (1.00s). File bench/infer/binary_search2.mlw: Goal binary_search3'vc. Prover result is: Timeout (1.00s). why3-1.6.0/bench/infer/bddinfer-oracles/bool_bw_and.oracle000066400000000000000000000001341440160026300234230ustar00rootroot00000000000000File bench/infer/bool_bw_and.mlw: Goal main'vc. Prover result is: Valid (0.00s, 28 steps). why3-1.6.0/bench/infer/bddinfer-oracles/bool_cond.oracle000066400000000000000000000003251440160026300231160ustar00rootroot00000000000000Invariant for loop [anonymous_loop_0] is 0 <= d.contents /\ d.contents <= 1 Domains for loop [anonymous_loop_0] are d = [0;1] File bench/infer/bool_cond.mlw: Goal e'vc. Prover result is: Valid (0.00s, 17 steps). why3-1.6.0/bench/infer/bddinfer-oracles/bool_ops.oracle000066400000000000000000000010021440160026300227650ustar00rootroot00000000000000Invariant for loop [anonymous_loop_0] is ((((a.contents = True /\ z.contents = True /\ y.contents = True /\ x.contents = True \/ a.contents = False /\ z.contents = False /\ (y.contents = False \/ x.contents = False)) /\ o = True) /\ o1 = True) /\ o2 = True) /\ o3 = True Domains for loop [anonymous_loop_0] are o3 = true; x = top; o2 = true; y = top; o1 = true; z = top; o = true; a = top File bench/infer/bool_ops.mlw: Goal f'vc. Prover result is: Valid (0.00s, 8 steps). why3-1.6.0/bench/infer/bddinfer-oracles/bools.oracle000066400000000000000000000015621440160026300223020ustar00rootroot00000000000000Invariant for loop [anonymous_loop_0] is ((x <= x1.contents /\ x1.contents <= 0) /\ y.contents = True) /\ o = True Domains for loop [anonymous_loop_0] are x = ]-oo;0]; x1 = ]-oo;0]; o = true; y = true Invariant for loop [anonymous_loop_0] is ((x2 <= x3.contents /\ x3.contents <= 0) /\ y1.contents = True) /\ o1 = True Domains for loop [anonymous_loop_0] are x2 = ]-oo;0]; x3 = ]-oo;0]; o1 = true; y1 = true Invariant for loop [anonymous_loop_0] is ((x4 <= x5.contents /\ x5.contents <= 0) /\ y2.contents = True) /\ o2 = True Domains for loop [anonymous_loop_0] are x4 = ]-oo;0]; x5 = ]-oo;0]; o2 = true; y2 = true File bench/infer/bools.mlw: Goal f'vc. Prover result is: Valid (0.00s, 20 steps). File bench/infer/bools.mlw: Goal f2'vc. Prover result is: Valid (0.00s, 20 steps). File bench/infer/bools.mlw: Goal f3'vc. Prover result is: Valid (0.00s, 20 steps). why3-1.6.0/bench/infer/bddinfer-oracles/call_inside_expr.oracle000066400000000000000000000003621440160026300244650ustar00rootroot00000000000000Invariant for loop [anonymous_loop_0] is true Domains for loop [anonymous_loop_0] are m = top; x = top; y = top; c0 = ]-oo;+oo[; s0 = ]-oo;+oo[ File bench/infer/call_inside_expr.mlw: Goal main'vc. Prover result is: Valid (0.00s, 0 steps). why3-1.6.0/bench/infer/bddinfer-oracles/disjunction1.oracle000066400000000000000000000004431440160026300235730ustar00rootroot00000000000000Invariant for loop [anonymous_loop_0] is ((0 <= j.contents /\ j.contents <= 6) /\ o = 0) /\ o1 = 0 Domains for loop [anonymous_loop_0] are x = ]-oo;+oo[; o = [0;0]; i = ]-oo;+oo[; o1 = [0;0]; j = [0;6] File bench/infer/disjunction1.mlw: Goal a'vc. Prover result is: Unknown () (0.02s). why3-1.6.0/bench/infer/bddinfer-oracles/divmod.oracle000066400000000000000000000003001440160026300224330ustar00rootroot00000000000000Check: assertion [check1] is valid Check: assertion [check2] is NOT valid Check: assertion [check3] is NOT valid File bench/infer/divmod.mlw: Goal s'vc. Prover result is: Timeout (1.00s). why3-1.6.0/bench/infer/bddinfer-oracles/if.oracle000066400000000000000000000012601440160026300215550ustar00rootroot00000000000000Invariant for loop [anonymous_loop_0] is ((((0 <= i.contents /\ j.contents <= (i.contents + 1)) /\ j.contents <= 10) /\ i.contents <= j.contents) /\ o = 0) /\ o1 = 0 Domains for loop [anonymous_loop_0] are o = [0;0]; i = [0;10]; o1 = [0;0]; j = [0;10] Invariant for loop [anonymous_loop_0] is ((((j1.contents <= i1.contents /\ 0 <= j1.contents) /\ j1.contents <= 9) /\ i1.contents <= (j1.contents + 1)) /\ o2 = 0) /\ o3 = 0 Domains for loop [anonymous_loop_0] are o2 = [0;0]; i1 = [0;10]; o3 = [0;0]; j1 = [0;9] File bench/infer/if.mlw: Goal b'vc. Prover result is: Unknown () (0.03s). File bench/infer/if.mlw: Goal c'vc. Prover result is: Unknown () (0.01s). why3-1.6.0/bench/infer/bddinfer-oracles/iff.oracle000066400000000000000000000001651440160026300217260ustar00rootroot00000000000000Check: assertion [afterif] is valid File bench/infer/iff.mlw: Goal f'vc. Prover result is: Valid (0.00s, 1 steps). why3-1.6.0/bench/infer/bddinfer-oracles/ifint.oracle000066400000000000000000000004031440160026300222660ustar00rootroot00000000000000Invariant for loop [anonymous_loop_0] is (y.contents <= x.contents /\ 0 <= y.contents) /\ x.contents <= 11 Domains for loop [anonymous_loop_0] are x = [0;11]; y = [0;11] File bench/infer/ifint.mlw: Goal test1'vc. Prover result is: Valid (0.01s, 30 steps). why3-1.6.0/bench/infer/bddinfer-oracles/incr.oracle000066400000000000000000000007031440160026300221130ustar00rootroot00000000000000Invariant for loop [anonymous_loop_0] is 0 <= i.contents /\ o = 0 Domains for loop [anonymous_loop_0] are x = ]-oo;+oo[; o = [0;0]; i = [0;+oo[ Invariant for loop [anonymous_loop_0] is 0 <= i1.contents /\ o1 = 0 Domains for loop [anonymous_loop_0] are x1 = ]-oo;+oo[; o1 = [0;0]; i1 = [0;+oo[ File bench/infer/incr.mlw: Goal incr1'vc. Prover result is: Timeout (1.00s). File bench/infer/incr.mlw: Goal incr3'vc. Prover result is: Timeout (1.00s). why3-1.6.0/bench/infer/bddinfer-oracles/junjie.oracle000066400000000000000000000005221440160026300224430ustar00rootroot00000000000000Invariant for loop [anonymous_loop_0] is (((0 <= ((y.contents * 52) + x.contents) /\ 0 <= (y.contents + 1)) /\ y.contents <= x.contents) /\ o = 0) /\ o1 = 0 Domains for loop [anonymous_loop_0] are o1 = [0;0]; x = [0;+oo[; o = [0;0]; y = [-1;+oo[ File bench/infer/junjie.mlw: Goal b'vc. Prover result is: Unknown () (0.01s). why3-1.6.0/bench/infer/bddinfer-oracles/logic_def.oracle000066400000000000000000000003611440160026300230730ustar00rootroot00000000000000Invariant for loop [anonymous_loop_0] is (0 <= a.contents /\ a.contents <= 101) /\ o = 0 Domains for loop [anonymous_loop_0] are o = [0;0]; a = [0;101] File bench/infer/logic_def.mlw: Goal f'vc. Prover result is: Valid (0.00s, 11 steps). why3-1.6.0/bench/infer/bddinfer-oracles/mccarthy.oracle000066400000000000000000000055441440160026300230020ustar00rootroot00000000000000Invariant for loop [anonymous_loop_0] is (((((e.contents * 10) + 91) <= n.contents /\ 0 <= e.contents) /\ e.contents <= 1) /\ o = 1) /\ ((e.contents * 10) + n0) = (n.contents + 10) Domains for loop [anonymous_loop_0] are n0 = [101;+oo[; o = [1;1]; e = [0;1]; n = [91;+oo[ The generated invariant implies { T } Invariant for loop [anonymous_loop_0] is (((((e1.contents * 10) + 91) <= n1.contents /\ 0 <= e1.contents) /\ e1.contents <= 1) /\ o1 = 1) /\ ((e1.contents * 10) + n01) = (n1.contents + 10) Domains for loop [anonymous_loop_0] are n01 = [101;+oo[; o1 = [1;1]; e1 = [0;1]; n1 = [91;+oo[ The generated invariant implies { T } Invariant for loop [anonymous_loop_0] is (((((e2.contents * 10) + 91) <= n2.contents /\ 0 <= e2.contents) /\ e2.contents <= 1) /\ o2 = 1) /\ ((e2.contents * 10) + n02) = (n2.contents + 10) Domains for loop [anonymous_loop_0] are n02 = [101;+oo[; o2 = [1;1]; e2 = [0;1]; n2 = [91;+oo[ The generated invariant implies { T } Invariant for loop [anonymous_loop_0] is ((((((((e3.contents * 99) + (n03 * 10)) <= ((n3.contents * 10) + 99) /\ n03 <= (n3.contents + 9)) /\ ((e3.contents * 11) + n03) <= (n3.contents + 11)) /\ 0 <= e3.contents) /\ n03 <= 100) /\ n3.contents <= ((e3.contents * 10) + 91)) /\ n3.contents <= 111) /\ o3 = 1 Domains for loop [anonymous_loop_0] are n03 = ]-oo;100]; o3 = [1;1]; e3 = [0;+oo[; n3 = ]-oo;111] The generated invariant implies { (e <> 0 || n > 90) } Invariant for loop [anonymous_loop_0] is ((((e4.contents * 10) + n04) <= (n4.contents + 10) /\ ((e4.contents * 11) + n04) <= (n4.contents + 11)) /\ 0 <= e4.contents) /\ o4 = 1 Domains for loop [anonymous_loop_0] are n04 = ]-oo;+oo[; o4 = [1;1]; e4 = [0;+oo[; n4 = ]-oo;+oo[ The generated invariant implies { T } Invariant for loop [anonymous_loop_0] is ((((e5.contents * 10) + n05) <= (n5.contents + 10) /\ ((e5.contents * 11) + n05) <= (n5.contents + 11)) /\ 0 <= e5.contents) /\ o5 = 1 Domains for loop [anonymous_loop_0] are n05 = ]-oo;+oo[; o5 = [1;1]; e5 = [0;+oo[; n5 = ]-oo;+oo[ The generated invariant implies { T } File bench/infer/mccarthy.mlw: Goal f91'vc. Prover result is: Valid (0.01s, 81 steps). File bench/infer/mccarthy.mlw: Goal f91_nonrec'vc. Prover result is: Valid (0.01s, 57 steps). File bench/infer/mccarthy.mlw: Goal f91_nonrec_oct'vc. Prover result is: Valid (0.01s, 57 steps). File bench/infer/mccarthy.mlw: Goal f91_nonrec_box'vc. Prover result is: Valid (0.01s, 57 steps). File bench/infer/mccarthy.mlw: Goal f91_nonrec2'vc. Prover result is: Valid (0.01s, 92 steps). File bench/infer/mccarthy.mlw: Goal f91_nonrec_hard'vc. Prover result is: Unknown () (0.01s). File bench/infer/mccarthy.mlw: Goal f91_nonrec_hard_box'vc. Prover result is: Unknown () (0.02s). File bench/infer/mccarthy.mlw: Goal f91_pseudorec'vc. Prover result is: Valid (0.01s, 99 steps). why3-1.6.0/bench/infer/bddinfer-oracles/merge_sort.oracle000066400000000000000000000023711440160026300233310ustar00rootroot00000000000000BDD-infer failure: unsupported feature, unsupported feature: simple_expr_to_why1_expr: execution of call to function `length` BDD-infer failure: unsupported feature, unsupported feature: simple_expr_to_why1_expr: execution of call to function `length` BDD-infer failure: unsupported feature, unsupported feature: mlw_expr_to_simple_expr: Ematch File bench/infer/merge_sort.mlw: Goal merge'vc. Prover result is: Timeout (1.00s). File bench/infer/merge_sort.mlw: Goal merge_using'vc. Prover result is: Timeout (1.00s). File bench/infer/merge_sort.mlw: Goal mergesort_rec'vc. Prover result is: Timeout (1.00s). File bench/infer/merge_sort.mlw: Goal mergesort'vc. Prover result is: Valid (0.01s, 91 steps). File bench/infer/merge_sort.mlw: Goal bottom_up_mergesort'vc. Prover result is: Timeout (1.00s). File bench/infer/merge_sort.mlw: Goal find_run'vc. Prover result is: Timeout (1.00s). File bench/infer/merge_sort.mlw: Goal find_run2'vc. Prover result is: Timeout (1.00s). File bench/infer/merge_sort.mlw: Goal natural_mergesort'vc. Prover result is: Timeout (1.00s). File bench/infer/merge_sort.mlw: Goal naturalrec'vc. Prover result is: Timeout (1.00s). File bench/infer/merge_sort.mlw: Goal natural_mergesort2'vc. Prover result is: Valid (0.01s, 60 steps). why3-1.6.0/bench/infer/bddinfer-oracles/minus1.oracle000066400000000000000000000017411440160026300223770ustar00rootroot00000000000000Invariant for loop [anonymous_loop_0] is (((0 <= j.contents /\ j.contents <= 18) /\ (j.contents + (i.contents * 2)) = 20) /\ o = 0) /\ o1 = 0 Domains for loop [anonymous_loop_0] are o1 = [0;0]; i = [1;10]; o = [0;0]; j = [0;18] Invariant for loop [anonymous_loop_0] is (((0 <= j1.contents /\ j1.contents <= 18) /\ (j1.contents + (i1.contents * 2)) = 20) /\ o2 = 0) /\ o3 = 0 Domains for loop [anonymous_loop_0] are o3 = [0;0]; i1 = [1;10]; o2 = [0;0]; j1 = [0;18] Invariant for loop [anonymous_loop_0] is (((0 <= j2.contents /\ j2.contents <= 18) /\ (j2.contents + (i2.contents * 2)) = 20) /\ o4 = 0) /\ o5 = 0 Domains for loop [anonymous_loop_0] are o5 = [0;0]; i2 = [1;10]; o4 = [0;0]; j2 = [0;18] File bench/infer/minus1.mlw: Goal b'vc. Prover result is: Valid (0.01s, 20 steps). File bench/infer/minus1.mlw: Goal b2'vc. Prover result is: Valid (0.00s, 20 steps). File bench/infer/minus1.mlw: Goal b3'vc. Prover result is: Valid (0.00s, 20 steps). why3-1.6.0/bench/infer/bddinfer-oracles/mult.oracle000066400000000000000000000011531440160026300221410ustar00rootroot00000000000000Invariant for loop [anonymous_loop_0] is i.contents = 0 /\ o = 0 Domains for loop [anonymous_loop_0] are o = [0;0]; i = [0;0] Invariant for loop [anonymous_loop_0] is i1.contents = 0 /\ o1 = 0 Domains for loop [anonymous_loop_0] are o1 = [0;0]; i1 = [0;0] Invariant for loop [anonymous_loop_0] is i2.contents = 0 /\ o2 = 0 Domains for loop [anonymous_loop_0] are o2 = [0;0]; i2 = [0;0] File bench/infer/mult.mlw: Goal b'vc. Prover result is: Unknown () (0.02s). File bench/infer/mult.mlw: Goal b2'vc. Prover result is: Unknown () (0.02s). File bench/infer/mult.mlw: Goal b3'vc. Prover result is: Unknown () (0.01s). why3-1.6.0/bench/infer/bddinfer-oracles/neg1.oracle000066400000000000000000000007201440160026300220110ustar00rootroot00000000000000Invariant for loop [anonymous_loop_0] is (0 <= i.contents /\ i.contents <= 12) /\ o = 0 Domains for loop [anonymous_loop_0] are o = [0;0]; i = [0;12] Invariant for loop [anonymous_loop_0] is (0 <= i1.contents /\ i1.contents <= 12) /\ o1 = 0 Domains for loop [anonymous_loop_0] are o1 = [0;0]; i1 = [0;12] File bench/infer/neg1.mlw: Goal b'vc. Prover result is: Unknown () (0.02s). File bench/infer/neg1.mlw: Goal b2'vc. Prover result is: Unknown () (0.02s). why3-1.6.0/bench/infer/bddinfer-oracles/pbinfer2.oracle000066400000000000000000000004241440160026300226670ustar00rootroot00000000000000BDD-infer failure: unsupported feature, unsupported feature: mlw_expr_to_simple_expr: Epure File bench/infer/pbinfer2.mlw: Goal to_true'vc. Prover result is: Valid (0.00s, 2 steps). File bench/infer/pbinfer2.mlw: Goal pgmtest'vc. Prover result is: Valid (0.00s, 14 steps). why3-1.6.0/bench/infer/bddinfer-oracles/pbinfer2_simplified.oracle000066400000000000000000000004031440160026300250710ustar00rootroot00000000000000Invariant for loop [anonymous_loop_0] is (a.contents = False \/ x = True) /\ o = False Domains for loop [anonymous_loop_0] are x = top; o = false; a = top File bench/infer/pbinfer2_simplified.mlw: Goal pgmtest'vc. Prover result is: Valid (0.00s, 4 steps). why3-1.6.0/bench/infer/bddinfer-oracles/precision0.oracle000066400000000000000000000003421440160026300232320ustar00rootroot00000000000000Invariant for loop [anonymous_loop_0] is d0.contents = 0 /\ d1.contents = 0 Domains for loop [anonymous_loop_0] are d0 = [0;0]; d1 = [0;0] File bench/infer/precision0.mlw: Goal s'vc. Prover result is: Valid (0.00s, 8 steps). why3-1.6.0/bench/infer/bddinfer-oracles/precision1.oracle000066400000000000000000000003421440160026300232330ustar00rootroot00000000000000Invariant for loop [anonymous_loop_0] is d0.contents = 0 /\ d1.contents = 0 Domains for loop [anonymous_loop_0] are d0 = [0;0]; d1 = [0;0] File bench/infer/precision1.mlw: Goal s'vc. Prover result is: Valid (0.00s, 8 steps). why3-1.6.0/bench/infer/bddinfer-oracles/precision2.oracle000066400000000000000000000003011440160026300232270ustar00rootroot00000000000000Invariant for loop [anonymous_loop_0] is d.contents = 0 Domains for loop [anonymous_loop_0] are d = [0;0] File bench/infer/precision2.mlw: Goal e'vc. Prover result is: Valid (0.00s, 3 steps). why3-1.6.0/bench/infer/bddinfer-oracles/precision3.oracle000066400000000000000000000003261440160026300232370ustar00rootroot00000000000000Invariant for loop [anonymous_loop_0] is 0 <= d.contents /\ d.contents <= 1 Domains for loop [anonymous_loop_0] are d = [0;1] File bench/infer/precision3.mlw: Goal e'vc. Prover result is: Valid (0.00s, 17 steps). why3-1.6.0/bench/infer/bddinfer-oracles/ref3.oracle000066400000000000000000000010761440160026300220230ustar00rootroot00000000000000Invariant for loop [anonymous_loop_0] is 0 <= k.contents /\ o = 0 Domains for loop [anonymous_loop_0] are x = ]-oo;+oo[; o = [0;0]; k = [0;+oo[ The generated invariant does not imply { (0 <= k && k < x) } Invariant for loop [anonymous_loop_0] is 0 <= k1.contents /\ o1 = 0 Domains for loop [anonymous_loop_0] are x1 = ]-oo;+oo[; o1 = [0;0]; k1 = [0;+oo[ The generated invariant does not imply { (0 <= k && k < x) } File bench/infer/ref3.mlw: Goal b'vc. Prover result is: Unknown () (0.03s). File bench/infer/ref3.mlw: Goal b3'vc. Prover result is: Unknown () (0.02s). why3-1.6.0/bench/infer/bddinfer-oracles/return_function.oracle000066400000000000000000000001371440160026300244050ustar00rootroot00000000000000File bench/infer/return_function.mlw: Goal main'vc. Prover result is: Valid (0.00s, 2 steps). why3-1.6.0/bench/infer/bddinfer-oracles/support1.oracle000066400000000000000000000003341440160026300227550ustar00rootroot00000000000000Invariant for loop [anonymous_loop_0] is d0.contents = 0 Domains for loop [anonymous_loop_0] are d0 = [0;0]; d1 = ]-oo;+oo[ File bench/infer/support1.mlw: Goal example_scan'vc. Prover result is: Valid (0.00s, 7 steps). why3-1.6.0/bench/infer/bddinfer-oracles/support2.oracle000066400000000000000000000003541440160026300227600ustar00rootroot00000000000000Invariant for loop [anonymous_loop_0] is d0.contents = 0 /\ d1.contents = 0 Domains for loop [anonymous_loop_0] are d0 = [0;0]; d1 = [0;0] File bench/infer/support2.mlw: Goal example_scan'vc. Prover result is: Valid (0.00s, 35 steps). why3-1.6.0/bench/infer/bddinfer-oracles/support3.oracle000066400000000000000000000003051440160026300227550ustar00rootroot00000000000000Invariant for loop [anonymous_loop_0] is true Domains for loop [anonymous_loop_0] are d0 = ]-oo;+oo[ File bench/infer/support3.mlw: Goal example_scan'vc. Prover result is: Valid (0.00s, 0 steps). why3-1.6.0/bench/infer/bddinfer-oracles/support4.oracle000066400000000000000000000003431440160026300227600ustar00rootroot00000000000000Invariant for loop [anonymous_loop_0] is 0 <= d.contents /\ d.contents <= 101 Domains for loop [anonymous_loop_0] are d = [0;101] File bench/infer/support4.mlw: Goal example_scan'vc. Prover result is: Valid (0.00s, 10 steps). why3-1.6.0/bench/infer/bddinfer-oracles/support5.oracle000066400000000000000000000003401440160026300227560ustar00rootroot00000000000000Invariant for loop [anonymous_loop_0] is d0.contents = 0 /\ d1.contents = 0 Domains for loop [anonymous_loop_0] are d0 = [0;0]; d1 = [0;0] File bench/infer/support5.mlw: Goal s'vc. Prover result is: Valid (0.00s, 6 steps). why3-1.6.0/bench/infer/bddinfer-oracles/try1.oracle000066400000000000000000000005271440160026300220630ustar00rootroot00000000000000BDD-infer failure: unsupported feature, unsupported feature: mlw_expr_to_simple_expr: Ematch BDD-infer failure: unsupported feature, unsupported feature: mlw_expr_to_simple_expr: Ematch File bench/infer/try1.mlw: Goal b'vc. Prover result is: Unknown () (0.02s). File bench/infer/try1.mlw: Goal b2'vc. Prover result is: Unknown () (0.01s). why3-1.6.0/bench/infer/bddinfer-oracles/try3.oracle000066400000000000000000000005271440160026300220650ustar00rootroot00000000000000BDD-infer failure: unsupported feature, unsupported feature: mlw_expr_to_simple_expr: Ematch BDD-infer failure: unsupported feature, unsupported feature: mlw_expr_to_simple_expr: Ematch File bench/infer/try3.mlw: Goal b'vc. Prover result is: Unknown () (0.02s). File bench/infer/try3.mlw: Goal b2'vc. Prover result is: Unknown () (0.01s). why3-1.6.0/bench/infer/bddinfer-oracles/tuple1.oracle000066400000000000000000000010111440160026300223630ustar00rootroot00000000000000BDD-infer failure: unsupported feature, unsupported feature: mlw_expr_to_simple_expr: Ematch BDD-infer failure: unsupported feature, unsupported feature: mlw_expr_to_simple_expr: Ematch BDD-infer failure: unsupported feature, unsupported feature: mlw_expr_to_simple_expr: Ematch File bench/infer/tuple1.mlw: Goal b'vc. Prover result is: Unknown () (0.03s). File bench/infer/tuple1.mlw: Goal b2'vc. Prover result is: Unknown () (0.00s). File bench/infer/tuple1.mlw: Goal b3'vc. Prover result is: Unknown () (0.01s). why3-1.6.0/bench/infer/bddinfer-oracles/tuple2.oracle000066400000000000000000000010111440160026300223640ustar00rootroot00000000000000BDD-infer failure: unsupported feature, unsupported feature: mlw_expr_to_simple_expr: Ematch BDD-infer failure: unsupported feature, unsupported feature: mlw_expr_to_simple_expr: Ematch BDD-infer failure: unsupported feature, unsupported feature: mlw_expr_to_simple_expr: Ematch File bench/infer/tuple2.mlw: Goal b'vc. Prover result is: Unknown () (0.01s). File bench/infer/tuple2.mlw: Goal b2'vc. Prover result is: Unknown () (0.01s). File bench/infer/tuple2.mlw: Goal b3'vc. Prover result is: Unknown () (0.01s). why3-1.6.0/bench/infer/bddinfer-oracles/twoway.oracle000066400000000000000000000010521440160026300225100ustar00rootroot00000000000000BDD-infer failure: unsupported feature, unsupported feature: normalized_fmla_to_why1_cond: term `forall k:int. !j < k /\ k < a.length -> a[k] = True` BDD-infer failure: unsupported feature, unsupported feature: normalized_fmla_to_why1_cond: term `forall k:int. !j1 < k /\ k < a1.length -> a1[k] = True` File bench/infer/twoway.mlw: Goal two_way_sort'vc. Prover result is: Timeout (1.00s). File bench/infer/twoway.mlw: Goal two_way_sort3'vc. Prover result is: Timeout (1.00s). why3-1.6.0/bench/infer/bddinfer-oracles/uf6.oracle000066400000000000000000000015031440160026300216570ustar00rootroot00000000000000BDD-infer failure: unsupported feature, unsupported feature: simple_expr_to_why1_stmt: let on type `list 'xi` (type_of: `Ityapp(list,['xi],[])`) BDD-infer failure: unsupported feature, unsupported feature: simple_expr_to_why1_stmt: let on type `list 'xi1` (type_of: `Ityapp(list,['xi1],[])`) BDD-infer failure: unsupported feature, unsupported feature: simple_expr_to_why1_stmt: let on type `list 'xi2` (type_of: `Ityapp(list,['xi2],[])`) File bench/infer/uf6.mlw: Goal cons'vc. Prover result is: Unknown () (0.02s). File bench/infer/uf6.mlw: Goal nil'vc. Prover result is: Unknown () (0.01s). File bench/infer/uf6.mlw: Goal b'vc. Prover result is: Unknown () (0.02s). File bench/infer/uf6.mlw: Goal b2'vc. Prover result is: Unknown () (0.02s). File bench/infer/uf6.mlw: Goal b3'vc. Prover result is: Unknown () (0.02s). why3-1.6.0/bench/infer/bddinfer-oracles/while1.oracle000066400000000000000000000017111440160026300223510ustar00rootroot00000000000000Invariant for loop [anonymous_loop_0] is (((1 <= i.contents /\ i.contents <= 10) /\ o = 1) /\ o1 = 0) /\ (j.contents + 2) = (i.contents * 2) Domains for loop [anonymous_loop_0] are o = [1;1]; i = [1;10]; o1 = [0;0]; j = [0;18] Invariant for loop [anonymous_loop_0] is (((1 <= i1.contents /\ i1.contents <= 10) /\ o2 = 1) /\ o3 = 0) /\ (j1.contents + 2) = (i1.contents * 2) Domains for loop [anonymous_loop_0] are o2 = [1;1]; i1 = [1;10]; o3 = [0;0]; j1 = [0;18] Invariant for loop [anonymous_loop_0] is (((1 <= i2.contents /\ i2.contents <= 10) /\ o4 = 1) /\ o5 = 0) /\ (j2.contents + 2) = (i2.contents * 2) Domains for loop [anonymous_loop_0] are o4 = [1;1]; i2 = [1;10]; o5 = [0;0]; j2 = [0;18] File bench/infer/while1.mlw: Goal b'vc. Prover result is: Valid (0.00s, 16 steps). File bench/infer/while1.mlw: Goal b2'vc. Prover result is: Valid (0.00s, 16 steps). File bench/infer/while1.mlw: Goal b3'vc. Prover result is: Valid (0.00s, 16 steps). why3-1.6.0/bench/infer/bddinfer-oracles/while2.oracle000066400000000000000000000010461440160026300223530ustar00rootroot00000000000000Invariant for loop [anonymous_loop_0] is (((0 <= j.contents /\ j.contents <= 18) /\ o = 0) /\ o1 = 0) /\ (i.contents * 2) = (j.contents + 2) Domains for loop [anonymous_loop_0] are o1 = [0;0]; i = [1;10]; o = [0;0]; j = [0;18] Invariant for loop [anonymous_loop_1] is (((0 <= j.contents /\ j.contents <= 18) /\ o = 0) /\ o1 = 0) /\ (i.contents * 2) = (j.contents + 2) Domains for loop [anonymous_loop_1] are o1 = [0;0]; i = [1;10]; o = [0;0]; j = [0;18] File bench/infer/while2.mlw: Goal b'vc. Prover result is: Valid (0.01s, 51 steps). why3-1.6.0/bench/infer/bddinfer-oracles/while3.oracle000066400000000000000000000010461440160026300223540ustar00rootroot00000000000000Invariant for loop [anonymous_loop_0] is (((0 <= j.contents /\ j.contents <= 18) /\ o = 0) /\ o1 = 0) /\ (i.contents * 2) = (j.contents + 2) Domains for loop [anonymous_loop_0] are o1 = [0;0]; i = [1;10]; o = [0;0]; j = [0;18] Invariant for loop [anonymous_loop_1] is (((0 <= j.contents /\ j.contents <= 18) /\ o = 0) /\ o1 = 0) /\ (i.contents * 2) = (j.contents + 2) Domains for loop [anonymous_loop_1] are o1 = [0;0]; i = [1;10]; o = [0;0]; j = [0;18] File bench/infer/while3.mlw: Goal b'vc. Prover result is: Valid (0.01s, 51 steps). why3-1.6.0/bench/infer/bddinfer-oracles/while4.oracle000066400000000000000000000013371440160026300223600ustar00rootroot00000000000000Invariant for loop [anonymous_loop_0] is (((0 <= j.contents /\ j.contents <= 18) /\ o = 0) /\ o1 = 0) /\ (i.contents * 2) = (j.contents + 2) Domains for loop [anonymous_loop_0] are o1 = [0;0]; i = [1;10]; o = [0;0]; j = [0;18] Invariant for loop [anonymous_loop_1] is (((0 <= j.contents /\ j.contents <= 18) /\ o = 0) /\ o1 = 0) /\ (i.contents * 2) = (j.contents + 2) Domains for loop [anonymous_loop_1] are o1 = [0;0]; i = [1;10]; o = [0;0]; j = [0;18] Invariant for loop [anonymous_loop_2] is ((j.contents = 0 /\ o = 0) /\ i.contents = 1) /\ o1 = 0 Domains for loop [anonymous_loop_2] are o1 = [0;0]; i = [1;1]; o = [0;0]; j = [0;0] File bench/infer/while4.mlw: Goal b'vc. Prover result is: Valid (0.00s, 56 steps). why3-1.6.0/bench/infer/bddinfer-oracles/while5.oracle000066400000000000000000000007241440160026300223600ustar00rootroot00000000000000Invariant for loop [anonymous_loop_0] is (0 <= i.contents /\ i.contents <= 15) /\ o = 0 Domains for loop [anonymous_loop_0] are o = [0;0]; i = [0;15] Invariant for loop [anonymous_loop_0] is (0 <= i1.contents /\ i1.contents <= 15) /\ o1 = 0 Domains for loop [anonymous_loop_0] are o1 = [0;0]; i1 = [0;15] File bench/infer/while5.mlw: Goal b'vc. Prover result is: Unknown () (0.02s). File bench/infer/while5.mlw: Goal b2'vc. Prover result is: Unknown () (0.00s). why3-1.6.0/bench/infer/bddinfer-oracles/while6.oracle000066400000000000000000000003511440160026300223550ustar00rootroot00000000000000Invariant for loop [anonymous_loop_0] is (0 <= i.contents /\ i.contents <= 105) /\ o = 0 Domains for loop [anonymous_loop_0] are o = [0;0]; i = [0;105] File bench/infer/while6.mlw: Goal b'vc. Prover result is: Unknown () (0.03s). why3-1.6.0/bench/infer/bddinfer-oracles/while7.oracle000066400000000000000000000013071440160026300223600ustar00rootroot00000000000000Invariant for loop [anonymous_loop_0] is (0 <= i.contents /\ i.contents <= 102) /\ o = 0 Domains for loop [anonymous_loop_0] are o = [0;0]; i = [0;102] Invariant for loop [anonymous_loop_0] is (0 <= i1.contents /\ i1.contents <= 102) /\ o1 = 0 Domains for loop [anonymous_loop_0] are o1 = [0;0]; i1 = [0;102] Invariant for loop [anonymous_loop_0] is (0 <= i2.contents /\ i2.contents <= 102) /\ o2 = 0 Domains for loop [anonymous_loop_0] are o2 = [0;0]; i2 = [0;102] File bench/infer/while7.mlw: Goal b'vc. Prover result is: Unknown () (0.01s). File bench/infer/while7.mlw: Goal b2'vc. Prover result is: Unknown () (0.01s). File bench/infer/while7.mlw: Goal b3'vc. Prover result is: Unknown () (0.01s). why3-1.6.0/bench/infer/bddinfer-oracles/while_and_int.oracle000066400000000000000000000004211440160026300237610ustar00rootroot00000000000000Invariant for loop [anonymous_loop_0] is (0 <= x.contents /\ x.contents <= 61) /\ (x.contents + y.contents) = 60 Domains for loop [anonymous_loop_0] are x = [0;61]; y = [-1;60] File bench/infer/while_and_int.mlw: Goal main'vc. Prover result is: Valid (0.00s, 17 steps). why3-1.6.0/bench/infer/bddinfer-oracles/while_break.oracle000066400000000000000000000003331440160026300234330ustar00rootroot00000000000000Invariant for loop [anonymous_loop_0] is 0 <= x.contents /\ x.contents <= 100 Domains for loop [anonymous_loop_0] are x = [0;100] File bench/infer/while_break.mlw: Goal f'vc. Prover result is: Valid (0.00s, 12 steps). why3-1.6.0/bench/infer/bddinfer-oracles/while_break_bool.oracle000066400000000000000000000003121440160026300244430ustar00rootroot00000000000000Invariant for loop [anonymous_loop_0] is x.contents = True Domains for loop [anonymous_loop_0] are x = true File bench/infer/while_break_bool.mlw: Goal f'vc. Prover result is: Valid (0.00s, 12 steps). why3-1.6.0/bench/infer/bddinfer-oracles/while_inv_loc_var.oracle000066400000000000000000000003441440160026300246520ustar00rootroot00000000000000Invariant for loop [anonymous_loop_0] is 0 <= x.contents /\ x.contents <= 101 Domains for loop [anonymous_loop_0] are x = [0;101] File bench/infer/while_inv_loc_var.mlw: Goal main'vc. Prover result is: Valid (0.00s, 12 steps). why3-1.6.0/bench/infer/bddinfer-oracles/while_loop.oracle000066400000000000000000000004011440160026300233140ustar00rootroot00000000000000Invariant for loop [anonymous_loop_0] is 0 <= x.contents /\ x.contents <= 101 Domains for loop [anonymous_loop_0] are x = [0;101] Check: assertion [check0] is valid File bench/infer/while_loop.mlw: Goal main'vc. Prover result is: Valid (0.00s, 12 steps). why3-1.6.0/bench/infer/bddinfer-oracles/while_loop_bis.oracle000066400000000000000000000003471440160026300241620ustar00rootroot00000000000000Invariant for loop [anonymous_loop_0] is 0 <= x.contents /\ x.contents <= 10001 Domains for loop [anonymous_loop_0] are x = [0;10001] File bench/infer/while_loop_bis.mlw: Goal main'vc. Prover result is: Valid (0.00s, 10 steps). why3-1.6.0/bench/infer/bddinfer-oracles/while_loop_bool.oracle000066400000000000000000000006721440160026300243410ustar00rootroot00000000000000Invariant for loop [anonymous_loop_0] is a.contents = True /\ b.contents = True /\ 0 <= x.contents /\ x.contents <= 101 \/ a.contents = False /\ b.contents = False /\ 1 <= x.contents /\ x.contents <= 101 Domains for loop [anonymous_loop_0] are x = [0;101]; a = top; b = top Check: assertion [A1] is valid Check: assertion [A2] is valid File bench/infer/while_loop_bool.mlw: Goal main'vc. Prover result is: Valid (0.01s, 48 steps). why3-1.6.0/bench/infer/bddinfer-oracles/while_loop_count.oracle000066400000000000000000000005111440160026300245260ustar00rootroot00000000000000Invariant for loop [myloop] is exit.contents = True /\ 42 <= c.contents \/ exit.contents = False /\ 0 <= c.contents /\ c.contents <= 41 Domains for loop [myloop] are exit = top; c = [0;+oo[ Check: assertion [myassert] is valid File bench/infer/while_loop_count.mlw: Goal test'vc. Prover result is: Valid (0.00s, 12 steps). why3-1.6.0/bench/infer/bddinfer-oracles/while_loop_ref.oracle000066400000000000000000000003411440160026300241530ustar00rootroot00000000000000Invariant for loop [anonymous_loop_0] is 0 <= x.contents /\ x.contents <= 101 Domains for loop [anonymous_loop_0] are x = [0;101] File bench/infer/while_loop_ref.mlw: Goal main'vc. Prover result is: Valid (0.00s, 12 steps). why3-1.6.0/bench/infer/binary_search.mlw000066400000000000000000000054651440160026300201320ustar00rootroot00000000000000(* Binary search A classical example. Searches a sorted array for a given value v. *) module BinarySearch use int.Int use int.ComputerDivision use ref.Ref use array.Array (* the code and its specification *) exception Break int (* raised to exit the loop *) exception Not_found (* raised to signal a search failure *) val mydiv(x:int):int ensures { 2*result = x } let binary_search [@bddinfer] [@infer](a : array int) (v : int) requires { forall i1 i2 : int. 0 <= i1 <= i2 < length a -> a[i1] <= a[i2] } ensures { 0 <= result < length a /\ a[result] = v } raises { Not_found -> forall i:int. 0 <= i < length a -> a[i] <> v } = try let l = ref 0 in l := 0; let u = ref (length a - 1) in while !l <= !u do invariant { !u < length a } invariant { forall i : int. 0 <= i < length a -> a[i] = v -> !l <= i <= !u } variant { !u - !l } let m = !l + mydiv (!u - !l) in assert { !l <= m <= !u }; if a[m] < v then l := m + 1 else if a[m] > v then u := m - 1 else raise (Break m) done; raise Not_found with Break i -> i end let binary_search2 [@bddinfer] [@infer:oct](a : array int) (v : int) requires { forall i1 i2 : int. 0 <= i1 <= i2 < length a -> a[i1] <= a[i2] } ensures { 0 <= result < length a /\ a[result] = v } raises { Not_found -> forall i:int. 0 <= i < length a -> a[i] <> v } = try let l = ref 0 in l := 0; let u = ref (length a - 1) in while !l <= !u do invariant { !u < length a } invariant { forall i : int. 0 <= i < length a -> a[i] = v -> !l <= i <= !u } variant { !u - !l } let m = !l + mydiv (!u - !l) in assert { !l <= m <= !u }; if a[m] < v then l := m + 1 else if a[m] > v then u := m - 1 else raise (Break m) done; raise Not_found with Break i -> i end let binary_search3 [@bddinfer] [@infer:box](a : array int) (v : int) requires { forall i1 i2 : int. 0 <= i1 <= i2 < length a -> a[i1] <= a[i2] } ensures { 0 <= result < length a /\ a[result] = v } raises { Not_found -> forall i:int. 0 <= i < length a -> a[i] <> v } = try let l = ref 0 in l := 0; let u = ref (length a - 1) in while !l <= !u do invariant { !u < length a } invariant { forall i : int. 0 <= i < length a -> a[i] = v -> !l <= i <= !u } variant { !u - !l } let m = !l + mydiv (!u - !l) in assert { !l <= m <= !u }; if a[m] < v then l := m + 1 else if a[m] > v then u := m - 1 else raise (Break m) done; raise Not_found with Break i -> i end end why3-1.6.0/bench/infer/binary_search1.mlw000066400000000000000000000054701440160026300202070ustar00rootroot00000000000000(* Binary search A classical example. Searches a sorted array for a given value v. *) module BinarySearch use int.Int use int.ComputerDivision use ref.Ref use array.Array (* the code and its specification *) exception Break int (* raised to exit the loop *) exception Not_found (* raised to signal a search failure *) val mydiv(x:int):int ensures { 2*result = x } let binary_search [@bddinfer] [@infer] (a : array int) (v : int) requires { forall i1 i2 : int. 0 <= i1 <= i2 < length a -> a[i1] <= a[i2] } ensures { 0 <= result < length a /\ a[result] = v } raises { Not_found -> forall i:int. 0 <= i < length a -> a[i] <> v } = try let l = ref 0 in l := 0; let u = ref (length a - 1) in while !l <= !u do invariant { !u < length a } invariant { forall i : int. 0 <= i < length a -> a[i] = v -> !l <= i <= !u } variant { !u - !l } let m = !l + mydiv (!u - !l) in assert { !l <= m <= !u }; if a[m] < v then l := m + 1 else if a[m] > v then u := m - 1 else raise (Break m) done; raise Not_found with Break i -> i end let binary_search2 [@bddinfer] [@infer:oct] (a : array int) (v : int) requires { forall i1 i2 : int. 0 <= i1 <= i2 < length a -> a[i1] <= a[i2] } ensures { 0 <= result < length a /\ a[result] = v } raises { Not_found -> forall i:int. 0 <= i < length a -> a[i] <> v } = try let l = ref 0 in l := 0; let u = ref (length a - 1) in while !l <= !u do invariant { !u < length a } invariant { forall i : int. 0 <= i < length a -> a[i] = v -> !l <= i <= !u } variant { !u - !l } let m = !l + mydiv (!u - !l) in assert { !l <= m <= !u }; if a[m] < v then l := m + 1 else if a[m] > v then u := m - 1 else raise (Break m) done; raise Not_found with Break i -> i end let binary_search3 [@bddinfer] [@infer:box] (a : array int) (v : int) requires { forall i1 i2 : int. 0 <= i1 <= i2 < length a -> a[i1] <= a[i2] } ensures { 0 <= result < length a /\ a[result] = v } raises { Not_found -> forall i:int. 0 <= i < length a -> a[i] <> v } = try let l = ref 0 in l := 0; let u = ref (length a - 1) in while !l <= !u do invariant { !u < length a } invariant { forall i : int. 0 <= i < length a -> a[i] = v -> !l <= i <= !u } variant { !u - !l } let m = !l + mydiv (!u - !l) in assert { !l <= m <= !u }; if a[m] < v then l := m + 1 else if a[m] > v then u := m - 1 else raise (Break m) done; raise Not_found with Break i -> i end end why3-1.6.0/bench/infer/binary_search2.mlw000066400000000000000000000053221440160026300202040ustar00rootroot00000000000000(* A generalization: the midpoint is computed by some abstract function. The only requirement is that it lies between l and u. *) module BinarySearchAnyMidPoint use int.Int use ref.Ref use array.Array exception Break int (* raised to exit the loop *) exception Not_found (* raised to signal a search failure *) val midpoint (l:int) (u:int) : int requires { l <= u } ensures { l <= result <= u } let binary_search [@bddinfer] [@infer](a :array int) (v : int) requires { forall i1 i2 : int. 0 <= i1 <= i2 < length a -> a[i1] <= a[i2] } ensures { 0 <= result < length a /\ a[result] = v } raises { Not_found -> forall i:int. 0 <= i < length a -> a[i] <> v } = try let l = ref 0 in l := 0; let u = ref (length a - 1) in while !l <= !u do invariant { !u < length a } invariant { forall i : int. 0 <= i < length a -> a[i] = v -> !l <= i <= !u } variant { !u - !l } let m = midpoint !l !u in if a[m] < v then l := m + 1 else if a[m] > v then u := m - 1 else raise (Break m) done; raise Not_found with Break i -> i end let binary_search2 [@bddinfer] [@infer:oct](a :array int) (v : int) requires { forall i1 i2 : int. 0 <= i1 <= i2 < length a -> a[i1] <= a[i2] } ensures { 0 <= result < length a /\ a[result] = v } raises { Not_found -> forall i:int. 0 <= i < length a -> a[i] <> v } = try let l = ref 0 in l := 0; let u = ref (length a - 1) in while !l <= !u do invariant { !u < length a } invariant { forall i : int. 0 <= i < length a -> a[i] = v -> !l <= i <= !u } variant { !u - !l } let m = midpoint !l !u in if a[m] < v then l := m + 1 else if a[m] > v then u := m - 1 else raise (Break m) done; raise Not_found with Break i -> i end let binary_search3 [@bddinfer] [@infer:box](a :array int) (v : int) requires { forall i1 i2 : int. 0 <= i1 <= i2 < length a -> a[i1] <= a[i2] } ensures { 0 <= result < length a /\ a[result] = v } raises { Not_found -> forall i:int. 0 <= i < length a -> a[i] <> v } = try let l = ref 0 in l := 0; let u = ref (length a - 1) in while !l <= !u do invariant { !u < length a } invariant { forall i : int. 0 <= i < length a -> a[i] = v -> !l <= i <= !u } variant { !u - !l } let m = midpoint !l !u in if a[m] < v then l := m + 1 else if a[m] > v then u := m - 1 else raise (Break m) done; raise Not_found with Break i -> i end end why3-1.6.0/bench/infer/bool_bw_and.mlw000066400000000000000000000004331440160026300175540ustar00rootroot00000000000000 use int.Int use bool.Bool use ref.Ref val ref x : bool val ref y : bool val ref z : bool val ref t : bool val ref u : bool let main [@bddinfer] () = x <- True; y <- False; z <- True; t <- andb x y; u <- andb x z; assert Au { u }; assert Ant { not t }why3-1.6.0/bench/infer/bool_cond.mlw000066400000000000000000000006321440160026300172460ustar00rootroot00000000000000 use int.Int val cp (input : bool) (src : int) (ref tgt : int) : unit writes { tgt } ensures { (input = True /\ tgt = src) \/ ((input = False) /\ tgt = old tgt)} val ref d : int let e [@bddinfer] () diverges requires { d = 0 } = while True do d <- d+1; (* cp (0 < d) 0 d *) (* This gives [0;0] as domain for d *) cp (1 < d) 0 d (* This gives [0;0[ as domain for d *) done why3-1.6.0/bench/infer/bool_ops.mlw000066400000000000000000000006541440160026300171300ustar00rootroot00000000000000 use ref.Ref use int.Int use bool.Bool val random_bool () : bool val andb (x:bool) (y:bool) : bool ensures { result = True <-> x = True /\ y = True } let f [@bddinfer] [@infer] () : bool diverges = let x = ref True in let y = ref True in let z = ref True in let a = ref True in while !z do x := random_bool (); y := random_bool (); z := andb !x !y; a := !z; done; !a why3-1.6.0/bench/infer/bools.mlw000066400000000000000000000015011440160026300164220ustar00rootroot00000000000000 module Example1 use ref.Ref use int.Int use bool.Bool let f [@bddinfer] [@infer](x: int) : bool = requires {x <= 0} ensures { result = true } let x = ref x in let y = ref true in while !x < 0 do variant {0 - !x} y := andb !y (!x < 0); x := !x + 1 done; !y let f2 [@bddinfer] [@infer:oct](x: int) : bool = requires {x <= 0} ensures { result = true } let x = ref x in let y = ref true in while !x < 0 do variant {0 - !x} y := andb !y (!x < 0); x := !x + 1 done; !y let f3 [@bddinfer] [@infer:box](x: int) : bool = requires {x <= 0} ensures { result = true } let x = ref x in let y = ref true in while !x < 0 do variant {0 - !x} y := andb !y (!x < 0); x := !x + 1 done; !y end why3-1.6.0/bench/infer/call_inside_expr.mlw000066400000000000000000000007651440160026300206230ustar00rootroot00000000000000 use ref.Ref use bool.Bool use int.Int val f (c : int) (s : int) : bool ensures { (result = True && (c >= s)) || (result = False && (c < s)) } val rand () : bool val m : ref bool val x : ref bool val y : ref bool val c0 : ref int val s0 : ref int let main [@bddinfer] () diverges = while true do let _tmp = andb (orb ((!x)) ((!y))) (andb (not (!m)) (f !c0 !s0)) in x := rand () done why3-1.6.0/bench/infer/disjunction1.mlw000066400000000000000000000004241440160026300177210ustar00rootroot00000000000000module Disjunction1 use ref.Ref use int.Int let a [@bddinfer] [@infer](x:int) : int ensures { result <> 5 } = let i = ref 0 in let j = ref 0 in while !i < x do variant { x - !i } if !i <= 5 then j := 3 else j := 6; i := !i + 1; done; !j end why3-1.6.0/bench/infer/divmod.mlw000066400000000000000000000004601440160026300165710ustar00rootroot00000000000000 use int.Int use int.ComputerDivision let s [@bddinfer] (x y:int) : unit requires { 1 <= y <= 100 } requires { 0 <= x <= 100 } = let ref z = div x y in let ref t = mod x y in [@bddinfer:check1] check { t >= 0 }; [@bddinfer:check2] check { z >= 0 }; [@bddinfer:check3] check { t < y } why3-1.6.0/bench/infer/if.mlw000066400000000000000000000007521440160026300157110ustar00rootroot00000000000000module If1 use int.Int use ref.Ref let b[@infer] [@bddinfer] (_:int) : int ensures { result = 18 } = let i = ref 0 in let j = ref 0 in while !i < 10 do variant { 10 - !i } if !i < !j then i := !i + 1 else j := !j + 1 done; !j let c[@infer] [@bddinfer] (_:int) : int ensures { result = 18 } = let i = ref 0 in let j = ref 0 in while !i < 10 do variant { 10 - !i } if !i <= !j then i := !i + 1 else j := !j + 1 done; !j end why3-1.6.0/bench/infer/iff.mlw000066400000000000000000000004451440160026300160560ustar00rootroot00000000000000 use int.Int val g (x:int) : bool ensures { (result = True) <-> (x >= 0) } let f [@bddinfer] (x:int) : unit = let ref y = 0 in let z = g x in [@bddinfer:beforeif] if z then [@bddinfer:then] y <- x else [@bddinfer:else] y <- -x; [@bddinfer:afterif] assert { y >= 0 } why3-1.6.0/bench/infer/ifint.mlw000066400000000000000000000005431440160026300164220ustar00rootroot00000000000000 (* Tests for path sensitivity with respect to Integer expressions *) use ref.Ref use int.Int val x : ref int val y : ref int (* just the expression 'x=y' *) let test1 [@infer:Polyhedra:4] [@bddinfer] () : unit = x := 0; y := 0; while (!x <= 10) do variant { 10 - !x } if !x = !y then y := !y+1 else y := 0; x := !x + 1; done why3-1.6.0/bench/infer/incr.mlw000066400000000000000000000006441440160026300162460ustar00rootroot00000000000000module Incr use int.Int use int.MinMax use ref.Ref use ref.Refint let incr1 [@infer] [@bddinfer] (x:int) : int ensures { result = max x 0 } = let i = ref 0 in while !i < x do variant { x - !i } incr i; done; !i let incr3 [@infer:box] [@bddinfer] (x:int) : int ensures { result = max x 0 } = let i = ref 0 in while !i < x do variant { x - !i } incr i; done; !i end why3-1.6.0/bench/infer/infer-oracles/000077500000000000000000000000001440160026300173175ustar00rootroot00000000000000why3-1.6.0/bench/infer/infer-oracles/aliasing.oracle000066400000000000000000000016751440160026300223060ustar00rootroot00000000000000CFG size: 26 nodes, 26 hyperedges Time elapsed 0.010257s ### Debug: inferred invariants ### 0 <= contents i /\ contents i <= 10 ### CFG size: 26 nodes, 26 hyperedges Time elapsed 0.060254s ### Debug: inferred invariants ### contents i1 <= 10 /\ 0 <= contents i1 ### CFG size: 26 nodes, 26 hyperedges Time elapsed 0.255914s ### Debug: inferred invariants ### ((((0 = contents i2 /\ j2 = i2) /\ contents i2 = 0) /\ contents j2 = 0 \/ 9 = contents i2 \/ 5 = contents i2 \/ 8 = contents i2 \/ 6 = contents i2 \/ 1 = contents i2 /\ 1 = contents i2 \/ 7 = contents i2 \/ 3 = contents i2 \/ 10 = contents i2 \/ 2 = contents i2 \/ 4 = contents i2) /\ contents i2 <= 10) /\ 0 <= contents i2 ### File bench/infer/aliasing.mlw: Goal b'vc. Prover result is: Valid (0.01s, 8 steps). File bench/infer/aliasing.mlw: Goal c'vc. Prover result is: Valid (0.01s, 8 steps). File bench/infer/aliasing.mlw: Goal d'vc. Prover result is: Valid (0.01s, 27 steps). why3-1.6.0/bench/infer/infer-oracles/auto_array1.oracle000066400000000000000000000142121440160026300227350ustar00rootroot00000000000000CFG size: 14 nodes, 14 hyperedges Time elapsed 0.038870s ### Debug: inferred invariants ### ((forall w1:int. ((length (make x 2) = length a /\ length (make x 2) = x) /\ w1 < 0) /\ length (make x 2) = length a \/ ((length (make x 2) = length a /\ length (make x 2) = x) /\ length (make x 2) <= w1) /\ length (make x 2) = length a \/ (2 = (elts a @ w1) /\ length (make x (elts a @ w1)) = length a) /\ (elts a @ w1) = 2) /\ x = length a) /\ x = length a ### CFG size: 14 nodes, 14 hyperedges Time elapsed 0.122343s ### Debug: inferred invariants ### (((forall w2:int. ((((w2 < 0 /\ length (make x1 2) <= x1) /\ x1 <= length (make x1 2)) /\ length (make x1 2) <= length a1) /\ length a1 <= length (make x1 2)) /\ length (make x1 2) = length a1 \/ ((((((length (make x1 2) <= w2 /\ length (make x1 2) <= x1) /\ x1 <= length (make x1 2)) /\ x1 <= w2) /\ length (make x1 2) <= length a1) /\ length a1 <= length (make x1 2)) /\ length a1 <= w2) /\ length (make x1 2) = length a1 \/ ((((2 <= (elts a1 @ w2) /\ (elts a1 @ w2) <= 2) /\ x1 <= x1) /\ x1 <= x1) /\ length (make x1 (elts a1 @ w2)) = length a1) /\ (elts a1 @ w2) = 2) /\ x1 = length a1) /\ length a1 <= x1) /\ x1 <= length a1 ### CFG size: 14 nodes, 14 hyperedges Time elapsed 0.001032s ### Debug: inferred invariants ### length (make x2 2) = length a2 /\ x2 = length a2 ### CFG size: 20 nodes, 20 hyperedges Time elapsed 0.079420s ### Debug: inferred invariants ### (((((forall w4:int. (((length (make n 10) = length a3 /\ length (make n 10) = n) /\ w4 < 0) /\ 0 <= length (make n 10)) /\ length (make n 10) = length a3 \/ (((length (make n 10) = length a3 /\ length (make n 10) = n) /\ length (make n 10) <= w4) /\ 0 <= length (make n 10)) /\ length (make n 10) = length a3 \/ (10 = (elts a3 @ w4) /\ length (make n (elts a3 @ w4)) = length a3) /\ (elts a3 @ w4) = 10) /\ (elts a3 @ 5) = b) /\ n = length a3) /\ 0 <= n) /\ n = length a3) /\ (elts a3 @ 5) = b ### CFG size: 20 nodes, 20 hyperedges Time elapsed 0.218369s ### Debug: inferred invariants ### (((((((((forall w5:int. ((((((((((0 <= length (make n1 10) /\ w5 < length (make n1 10)) /\ w5 < 0) /\ length (make n1 10) <= n1) /\ 0 <= (length (make n1 10) + n1)) /\ w5 < n1) /\ n1 <= length (make n1 10)) /\ length (make n1 10) <= length a4) /\ 0 <= (length (make n1 10) + length a4)) /\ w5 < length a4) /\ length a4 <= length (make n1 10)) /\ length (make n1 10) = length a4 \/ (((((((((((((0 <= length (make n1 10) /\ length (make n1 10) <= w5) /\ 0 <= (length (make n1 10) + w5)) /\ 0 <= w5) /\ length (make n1 10) <= n1) /\ 0 <= (length (make n1 10) + n1)) /\ 0 <= (w5 + n1)) /\ n1 <= length (make n1 10)) /\ n1 <= w5) /\ length (make n1 10) <= length a4) /\ 0 <= (length (make n1 10) + length a4)) /\ 0 <= (w5 + length a4)) /\ length a4 <= length (make n1 10)) /\ length a4 <= w5) /\ length (make n1 10) = length a4 \/ (((((((((((10 <= (n1 + (elts a4 @ w5)) /\ 10 <= (elts a4 @ w5)) /\ (elts a4 @ w5) <= (10 + n1)) /\ (elts a4 @ w5) <= 10) /\ n1 <= n1) /\ 0 <= (n1 + n1)) /\ (elts a4 @ w5) <= (10 + n1)) /\ 10 <= ((elts a4 @ w5) + n1)) /\ n1 <= n1) /\ (elts a4 @ w5) <= (10 + length a4)) /\ 10 <= ((elts a4 @ w5) + length a4)) /\ length (make n1 (elts a4 @ w5)) = length a4) /\ (elts a4 @ w5) = 10) /\ (elts a4 @ 5) = b1) /\ n1 = length a4) /\ length a4 <= n1) /\ 0 <= length a4) /\ 0 <= (n1 + length a4)) /\ n1 <= length a4) /\ b1 <= (elts a4 @ 5)) /\ (elts a4 @ 5) <= b1) /\ 0 <= n1 ### CFG size: 20 nodes, 20 hyperedges Time elapsed 0.009677s ### Debug: inferred invariants ### ((((forall w6:int. w6 < 0 /\ length (make n2 10) = length a5 \/ 0 <= w6 /\ length (make n2 10) = length a5 \/ (10 = (elts a5 @ w6) /\ length (make n2 (elts a5 @ w6)) = length a5) /\ (elts a5 @ w6) = 10) /\ (elts a5 @ 5) = b2) /\ n2 = length a5) /\ 0 <= length a5) /\ 0 <= n2 ### File bench/infer/auto_array1.mlw: Goal basic'vc. Prover result is: Unknown () (0.00s). File bench/infer/auto_array1.mlw: Goal basic1'vc. Prover result is: Unknown () (0.02s). File bench/infer/auto_array1.mlw: Goal basic2'vc. Prover result is: Unknown () (0.00s). File bench/infer/auto_array1.mlw: Goal b'vc. Prover result is: Unknown () (0.02s). File bench/infer/auto_array1.mlw: Goal b2'vc. Prover result is: Unknown () (0.02s). File bench/infer/auto_array1.mlw: Goal c'vc. Prover result is: Timeout (1.00s). File bench/infer/auto_array1.mlw: Goal d_basic'vc. Prover result is: Timeout (1.00s). File bench/infer/auto_array1.mlw: Goal d'vc. Prover result is: Timeout (1.00s). File bench/infer/auto_array1.mlw: Goal e'vc. Prover result is: Timeout (1.00s). File bench/infer/auto_array1.mlw: Goal f'vc. Prover result is: Timeout (1.00s). File bench/infer/auto_array1.mlw: Goal cond'vc. Prover result is: Timeout (1.00s). File bench/infer/auto_array1.mlw: Goal cond2'vc. Prover result is: Timeout (1.00s). File bench/infer/auto_array1.mlw: Goal init1'vc. Prover result is: Timeout (1.00s). File bench/infer/auto_array1.mlw: Goal init2'vc. Prover result is: Timeout (1.00s). File bench/infer/auto_array1.mlw: Goal init3'vc. Prover result is: Timeout (1.00s). File bench/infer/auto_array1.mlw: Goal init5'vc. Prover result is: Timeout (1.00s). File bench/infer/auto_array1.mlw: Goal init_non_lin'vc. Prover result is: Timeout (1.00s). File bench/infer/auto_array1.mlw: Goal instantiation'vc. Prover result is: Timeout (1.00s). File bench/infer/auto_array1.mlw: Goal instantiation2'vc. Prover result is: Timeout (1.00s). File bench/infer/auto_array1.mlw: Goal instantiation3'vc. Prover result is: Timeout (1.00s). why3-1.6.0/bench/infer/infer-oracles/auto_array_false.oracle000066400000000000000000000033361440160026300240330ustar00rootroot00000000000000CFG size: 8 nodes, 8 hyperedges Time elapsed 0.001244s ### Debug: inferred invariants ### forall w1:int. 2 <= x ### CFG size: 8 nodes, 8 hyperedges Time elapsed 0.002115s ### Debug: inferred invariants ### forall w2:int. 2 <= x1 ### CFG size: 8 nodes, 8 hyperedges Time elapsed 0.000788s ### Debug: inferred invariants ### forall w3:int. 2 <= x2 ### File bench/infer/auto_array_false.mlw: Goal b'vc. Prover result is: Unknown () (0.02s). File bench/infer/auto_array_false.mlw: Goal c'vc. Prover result is: Unknown () (0.02s). File bench/infer/auto_array_false.mlw: Goal c2'vc. Prover result is: Unknown () (0.02s). File bench/infer/auto_array_false.mlw: Goal c3'vc. Prover result is: Unknown () (0.02s). File bench/infer/auto_array_false.mlw: Goal dd'vc. Prover result is: Timeout (1.00s). File bench/infer/auto_array_false.mlw: Goal d'vc. Prover result is: Timeout (1.00s). File bench/infer/auto_array_false.mlw: Goal e'vc. Prover result is: Timeout (1.00s). File bench/infer/auto_array_false.mlw: Goal ee'vc. Prover result is: Timeout (1.00s). File bench/infer/auto_array_false.mlw: Goal f'vc. Prover result is: Timeout (1.00s). File bench/infer/auto_array_false.mlw: Goal g'vc. Prover result is: Timeout (1.00s). File bench/infer/auto_array_false.mlw: Goal cond'vc. Prover result is: Timeout (1.00s). File bench/infer/auto_array_false.mlw: Goal cond2'vc. Prover result is: Timeout (1.00s). File bench/infer/auto_array_false.mlw: Goal h'vc. Prover result is: Timeout (1.00s). File bench/infer/auto_array_false.mlw: Goal cond3'vc. Prover result is: Timeout (1.00s). File bench/infer/auto_array_false.mlw: Goal cond4'vc. Prover result is: Timeout (1.00s). File bench/infer/auto_array_false.mlw: Goal fe'vc. Prover result is: Timeout (1.00s). why3-1.6.0/bench/infer/infer-oracles/auto_cst1.oracle000066400000000000000000000025741440160026300224200ustar00rootroot00000000000000CFG size: 11 nodes, 11 hyperedges Time elapsed 0.000603s ### Debug: inferred invariants ### y = 10 /\ 10 = y ### CFG size: 11 nodes, 11 hyperedges Time elapsed 0.000000s ### Debug: inferred invariants ### (y1 = 10 /\ y1 <= 10) /\ 10 <= y1 ### CFG size: 11 nodes, 11 hyperedges Time elapsed 0.000000s ### Debug: inferred invariants ### y2 = 10 /\ 10 = y2 ### CFG size: 14 nodes, 14 hyperedges Time elapsed 0.000000s ### Debug: inferred invariants ### ((k = 42 /\ y3 = 10) /\ 10 = y3) /\ 42 = k ### CFG size: 14 nodes, 14 hyperedges Time elapsed 0.001806s ### Debug: inferred invariants ### ((((((((k1 = 42 /\ y4 = 10) /\ k1 <= 42) /\ k1 <= (32 + y4)) /\ (y4 + k1) <= 52) /\ 42 <= k1) /\ 52 <= (y4 + k1)) /\ (y4 + 32) <= k1) /\ y4 <= 10) /\ 10 <= y4 ### CFG size: 14 nodes, 14 hyperedges Time elapsed 0.000299s ### Debug: inferred invariants ### ((k2 = 42 /\ y5 = 10) /\ 42 = k2) /\ 10 = y5 ### File bench/infer/auto_cst1.mlw: Goal b'vc. Prover result is: Unknown () (0.02s). File bench/infer/auto_cst1.mlw: Goal b2'vc. Prover result is: Unknown () (0.03s). File bench/infer/auto_cst1.mlw: Goal b3'vc. Prover result is: Unknown () (0.00s). File bench/infer/auto_cst1.mlw: Goal c'vc. Prover result is: Unknown () (0.02s). File bench/infer/auto_cst1.mlw: Goal c2'vc. Prover result is: Unknown () (0.02s). File bench/infer/auto_cst1.mlw: Goal c3'vc. Prover result is: Unknown () (0.02s). why3-1.6.0/bench/infer/infer-oracles/auto_ref0.oracle000066400000000000000000000012261440160026300223730ustar00rootroot00000000000000CFG size: 14 nodes, 14 hyperedges Time elapsed 0.001512s ### Debug: inferred invariants ### contents k = 0 /\ 0 = contents k ### CFG size: 14 nodes, 14 hyperedges Time elapsed 0.002180s ### Debug: inferred invariants ### (contents k1 = 0 /\ contents k1 <= 0) /\ 0 <= contents k1 ### CFG size: 14 nodes, 14 hyperedges Time elapsed 0.000745s ### Debug: inferred invariants ### contents k2 = 0 /\ 0 = contents k2 ### File bench/infer/auto_ref0.mlw: Goal b'vc. Prover result is: Unknown () (0.03s). File bench/infer/auto_ref0.mlw: Goal b2'vc. Prover result is: Unknown () (0.03s). File bench/infer/auto_ref0.mlw: Goal b3'vc. Prover result is: Unknown () (0.02s). why3-1.6.0/bench/infer/infer-oracles/auto_ref1.oracle000066400000000000000000000011641440160026300223750ustar00rootroot00000000000000CFG size: 17 nodes, 17 hyperedges Time elapsed 0.002302s ### Debug: inferred invariants ### forall w1:int. 1 = contents k ### CFG size: 17 nodes, 17 hyperedges Time elapsed 0.001482s ### Debug: inferred invariants ### forall w2:int. 1 = contents k1 ### CFG size: 17 nodes, 17 hyperedges Time elapsed 0.001968s ### Debug: inferred invariants ### forall w3:int. 1 = contents k2 ### File bench/infer/auto_ref1.mlw: Goal b'vc. Prover result is: Unknown () (0.00s). File bench/infer/auto_ref1.mlw: Goal b2'vc. Prover result is: Unknown () (0.01s). File bench/infer/auto_ref1.mlw: Goal b3'vc. Prover result is: Unknown () (0.01s). why3-1.6.0/bench/infer/infer-oracles/auto_ref2.oracle000066400000000000000000000011721440160026300223750ustar00rootroot00000000000000CFG size: 20 nodes, 20 hyperedges Time elapsed 0.003142s ### Debug: inferred invariants ### forall w1:int. 2 = contents k ### CFG size: 20 nodes, 20 hyperedges Time elapsed 0.004328s ### Debug: inferred invariants ### contents k1 <= 2 /\ 2 <= contents k1 ### CFG size: 20 nodes, 20 hyperedges Time elapsed 0.001625s ### Debug: inferred invariants ### forall w3:int. 2 = contents k2 ### File bench/infer/auto_ref2.mlw: Goal b'vc. Prover result is: Unknown () (0.02s). File bench/infer/auto_ref2.mlw: Goal b2'vc. Prover result is: Unknown () (0.02s). File bench/infer/auto_ref2.mlw: Goal b3'vc. Prover result is: Unknown () (0.03s). why3-1.6.0/bench/infer/infer-oracles/auto_ref3.oracle000066400000000000000000000031761440160026300224040ustar00rootroot00000000000000CFG size: 17 nodes, 17 hyperedges Time elapsed 0.020471s ### Debug: inferred invariants ### (0 = contents k /\ contents k = 0 \/ 0 < contents k /\ contents k <= x) /\ 0 <= contents k ### CFG size: 17 nodes, 17 hyperedges Time elapsed 2.658197s ### Debug: inferred invariants ### (0 = contents k1 /\ contents k1 = 0 \/ 0 < x1 /\ 0 < contents k1) /\ 0 <= contents k1 ### CFG size: 35 nodes, 35 hyperedges Time elapsed 0.050266s ### Debug: inferred invariants ### ((((0 = contents j /\ 0 = contents k2) /\ contents k2 = 0) /\ contents j = 0 \/ 0 < contents k2 /\ contents k2 <= x2) /\ 0 <= contents k2) /\ (2 * contents k2) = contents j ### CFG size: 17 nodes, 17 hyperedges Time elapsed 0.001292s ### Debug: inferred invariants ### (x3 = contents k3 /\ 0 < x3) /\ x3 = contents k3 ### CFG size: 17 nodes, 17 hyperedges Time elapsed 0.003158s ### Debug: inferred invariants ### ((((x4 = contents k4 /\ contents k4 <= x4) /\ 0 < contents k4) /\ 2 <= (x4 + contents k4)) /\ x4 <= contents k4) /\ 0 < x4 ### CFG size: 17 nodes, 17 hyperedges Time elapsed 0.000425s ### Debug: inferred invariants ### (x5 = contents k5 /\ 0 < contents k5) /\ 0 < x5 ### File bench/infer/auto_ref3.mlw: Goal b'vc. Prover result is: Valid (0.01s, 10 steps). File bench/infer/auto_ref3.mlw: Goal b3'vc. Prover result is: Valid (0.01s, 13 steps). File bench/infer/auto_ref3.mlw: Goal c'vc. Prover result is: Valid (0.01s, 13 steps). File bench/infer/auto_ref3.mlw: Goal e'vc. Prover result is: Unknown () (0.00s). File bench/infer/auto_ref3.mlw: Goal e2'vc. Prover result is: Unknown () (0.00s). File bench/infer/auto_ref3.mlw: Goal e3'vc. Prover result is: Unknown () (0.02s). why3-1.6.0/bench/infer/infer-oracles/auto_ref_false.oracle000066400000000000000000000025051440160026300234660ustar00rootroot00000000000000CFG size: 17 nodes, 17 hyperedges Time elapsed 0.009156s ### Debug: inferred invariants ### (0 < x /\ contents k <= x) /\ 0 <= contents k ### CFG size: 17 nodes, 17 hyperedges Time elapsed 2.634018s ### Debug: inferred invariants ### ((0 = contents k1 /\ contents k1 = 0 \/ 0 < contents k1) /\ 0 <= contents k1) /\ 0 < x1 ### CFG size: 35 nodes, 35 hyperedges Time elapsed 0.023992s ### Debug: inferred invariants ### ((2 <= x2 /\ contents k2 <= x2) /\ 0 <= contents k2) /\ (2 * contents k2) = contents j ### CFG size: 35 nodes, 35 hyperedges Time elapsed 132.162689s ### Debug: inferred invariants ### contents k3 <= x3 /\ 2 <= x3 ### CFG size: 35 nodes, 35 hyperedges Time elapsed 6.016813s ### Debug: inferred invariants ### (((((0 = contents k4 /\ 0 = contents j2) /\ contents k4 = 0) /\ contents j2 = 0 \/ 0 < contents k4 /\ 2 <= contents j2) /\ 0 <= contents j2) /\ 0 <= contents k4) /\ 2 <= x4 ### File bench/infer/auto_ref_false.mlw: Goal b'vc. Prover result is: Unknown () (0.03s). File bench/infer/auto_ref_false.mlw: Goal b3'vc. Prover result is: Unknown () (0.02s). File bench/infer/auto_ref_false.mlw: Goal c'vc. Prover result is: Unknown () (0.25s). File bench/infer/auto_ref_false.mlw: Goal c2'vc. Prover result is: Unknown () (0.02s). File bench/infer/auto_ref_false.mlw: Goal c3'vc. Prover result is: Unknown () (0.04s). why3-1.6.0/bench/infer/infer-oracles/binary_search.oracle000066400000000000000000000044751440160026300233310ustar00rootroot00000000000000CFG size: 81 nodes, 82 hyperedges Couldn't understand entirely the post condition: forall i1:int, i2:int. 0 <= i1 /\ i1 <= i2 /\ i2 < length a -> (elts a @ i1) <= (elts a @ i2) Time elapsed 2.879051s ### Debug: inferred invariants ### forall w1:int. ((length a = (1 + contents u) /\ 0 = contents l) /\ (length a - 1) = contents u) /\ contents l = 0 \/ contents l <= (1 + contents u) ### CFG size: 81 nodes, 82 hyperedges Couldn't understand entirely the post condition: forall i11:int, i2:int. 0 <= i11 /\ i11 <= i2 /\ i2 < length a1 -> (elts a1 @ i11) <= (elts a1 @ i2) Time elapsed 2.361208s ### Debug: inferred invariants ### (((contents l1 <= 0 /\ length a1 <= (1 + contents u1)) /\ contents l1 = 0 \/ (((((((2 <= length a1 /\ 3 <= (length a1 + contents l1)) /\ 0 < contents l1) /\ contents l1 < length a1) /\ 2 <= (length a1 + contents u1)) /\ contents l1 <= (1 + contents u1)) /\ 0 < (contents l1 + contents u1)) /\ 0 <= contents u1) /\ (contents u1 + 2) <= length a1 \/ ((((((((0 < length a1 /\ 0 < (length a1 + contents l1)) /\ contents l1 < length a1) /\ contents l1 <= 0) /\ 0 <= (length a1 + contents u1)) /\ contents l1 <= (1 + contents u1)) /\ 0 <= (1 + (contents l1 + contents u1))) /\ 0 <= (1 + contents u1)) /\ (contents u1 + 2) <= length a1) /\ contents l1 = 0 \/ (((((((0 < length a1 /\ 2 <= (length a1 + contents l1)) /\ 0 < contents l1) /\ contents l1 <= length a1) /\ length a1 <= (1 + contents u1)) /\ 0 < (length a1 + contents u1)) /\ contents l1 <= (1 + contents u1)) /\ 0 < (contents l1 + contents u1)) /\ 0 <= contents u1) /\ contents u1 < length a1) /\ 0 <= contents l1 ### CFG size: 81 nodes, 82 hyperedges Couldn't understand entirely the post condition: forall i11:int, i21:int. 0 <= i11 /\ i11 <= i21 /\ i21 < length a2 -> (elts a2 @ i11) <= (elts a2 @ i21) Time elapsed 0.021712s ### Debug: inferred invariants ### (0 = contents l2 /\ contents l2 = 0 \/ 0 < contents l2 /\ 0 <= contents u2) /\ 0 <= contents l2 ### File bench/infer/binary_search.mlw: Goal binary_search'vc. Prover result is: Timeout (1.00s). File bench/infer/binary_search.mlw: Goal binary_search2'vc. Prover result is: Valid (0.06s, 200 steps). File bench/infer/binary_search.mlw: Goal binary_search3'vc. Prover result is: Valid (0.03s, 118 steps). why3-1.6.0/bench/infer/infer-oracles/binary_search1.oracle000066400000000000000000000045001440160026300233770ustar00rootroot00000000000000CFG size: 81 nodes, 82 hyperedges Couldn't understand entirely the post condition: forall i1:int, i2:int. 0 <= i1 /\ i1 <= i2 /\ i2 < length a -> (elts a @ i1) <= (elts a @ i2) Time elapsed 2.705678s ### Debug: inferred invariants ### forall w1:int. ((length a = (1 + contents u) /\ 0 = contents l) /\ (length a - 1) = contents u) /\ contents l = 0 \/ contents l <= (1 + contents u) ### CFG size: 81 nodes, 82 hyperedges Couldn't understand entirely the post condition: forall i11:int, i2:int. 0 <= i11 /\ i11 <= i2 /\ i2 < length a1 -> (elts a1 @ i11) <= (elts a1 @ i2) Time elapsed 1.814285s ### Debug: inferred invariants ### (((contents l1 <= 0 /\ length a1 <= (1 + contents u1)) /\ contents l1 = 0 \/ (((((((2 <= length a1 /\ 3 <= (length a1 + contents l1)) /\ 0 < contents l1) /\ contents l1 < length a1) /\ 2 <= (length a1 + contents u1)) /\ contents l1 <= (1 + contents u1)) /\ 0 < (contents l1 + contents u1)) /\ 0 <= contents u1) /\ (contents u1 + 2) <= length a1 \/ ((((((((0 < length a1 /\ 0 < (length a1 + contents l1)) /\ contents l1 < length a1) /\ contents l1 <= 0) /\ 0 <= (length a1 + contents u1)) /\ contents l1 <= (1 + contents u1)) /\ 0 <= (1 + (contents l1 + contents u1))) /\ 0 <= (1 + contents u1)) /\ (contents u1 + 2) <= length a1) /\ contents l1 = 0 \/ (((((((0 < length a1 /\ 2 <= (length a1 + contents l1)) /\ 0 < contents l1) /\ contents l1 <= length a1) /\ length a1 <= (1 + contents u1)) /\ 0 < (length a1 + contents u1)) /\ contents l1 <= (1 + contents u1)) /\ 0 < (contents l1 + contents u1)) /\ 0 <= contents u1) /\ contents u1 < length a1) /\ 0 <= contents l1 ### CFG size: 81 nodes, 82 hyperedges Couldn't understand entirely the post condition: forall i11:int, i21:int. 0 <= i11 /\ i11 <= i21 /\ i21 < length a2 -> (elts a2 @ i11) <= (elts a2 @ i21) Time elapsed 0.018070s ### Debug: inferred invariants ### (0 = contents l2 /\ contents l2 = 0 \/ 0 < contents l2 /\ 0 <= contents u2) /\ 0 <= contents l2 ### File bench/infer/binary_search1.mlw: Goal binary_search'vc. Prover result is: Timeout (1.00s). File bench/infer/binary_search1.mlw: Goal binary_search2'vc. Prover result is: Valid (0.07s, 200 steps). File bench/infer/binary_search1.mlw: Goal binary_search3'vc. Prover result is: Valid (0.04s, 118 steps). why3-1.6.0/bench/infer/infer-oracles/binary_search2.oracle000066400000000000000000000052021440160026300234000ustar00rootroot00000000000000CFG size: 69 nodes, 70 hyperedges Couldn't understand entirely the post condition: forall i1:int, i2:int. 0 <= i1 /\ i1 <= i2 /\ i2 < length a -> (elts a @ i1) <= (elts a @ i2) Time elapsed 0.299043s ### Debug: inferred invariants ### ((((length a = (1 + contents u) /\ 0 = contents l) /\ (length a - 1) = contents u) /\ contents l = 0 \/ contents l <= (1 + contents u) /\ (contents u + 3) <= (length a + contents l) \/ ((0 = contents l /\ 0 <= (1 + contents u)) /\ (contents u + 2) <= length a) /\ contents l = 0 \/ ((length a = (1 + contents u) /\ 0 < contents l) /\ contents l <= length a) /\ (length a - 1) = contents u) /\ contents u < (length a + contents l)) /\ contents u < length a ### CFG size: 69 nodes, 70 hyperedges Couldn't understand entirely the post condition: forall i11:int, i2:int. 0 <= i11 /\ i11 <= i2 /\ i2 < length a1 -> (elts a1 @ i11) <= (elts a1 @ i2) Time elapsed 1.336411s ### Debug: inferred invariants ### (((contents l1 <= 0 /\ length a1 <= (1 + contents u1)) /\ contents l1 = 0 \/ (((((((2 <= length a1 /\ 3 <= (length a1 + contents l1)) /\ 0 < contents l1) /\ contents l1 < length a1) /\ 2 <= (length a1 + contents u1)) /\ contents l1 <= (1 + contents u1)) /\ 0 < (contents l1 + contents u1)) /\ 0 <= contents u1) /\ (contents u1 + 2) <= length a1 \/ ((((((((0 < length a1 /\ 0 < (length a1 + contents l1)) /\ contents l1 < length a1) /\ contents l1 <= 0) /\ 0 <= (length a1 + contents u1)) /\ contents l1 <= (1 + contents u1)) /\ 0 <= (1 + (contents l1 + contents u1))) /\ 0 <= (1 + contents u1)) /\ (contents u1 + 2) <= length a1) /\ contents l1 = 0 \/ (((((((0 < length a1 /\ 2 <= (length a1 + contents l1)) /\ 0 < contents l1) /\ contents l1 <= length a1) /\ length a1 <= (1 + contents u1)) /\ 0 < (length a1 + contents u1)) /\ contents l1 <= (1 + contents u1)) /\ 0 < (contents l1 + contents u1)) /\ 0 <= contents u1) /\ contents u1 < length a1) /\ 0 <= contents l1 ### CFG size: 69 nodes, 70 hyperedges Couldn't understand entirely the post condition: forall i11:int, i21:int. 0 <= i11 /\ i11 <= i21 /\ i21 < length a2 -> (elts a2 @ i11) <= (elts a2 @ i21) Time elapsed 0.010433s ### Debug: inferred invariants ### (0 = contents l2 /\ contents l2 = 0 \/ 0 < contents l2 /\ 0 <= contents u2) /\ 0 <= contents l2 ### File bench/infer/binary_search2.mlw: Goal binary_search'vc. Prover result is: Timeout (1.00s). File bench/infer/binary_search2.mlw: Goal binary_search2'vc. Prover result is: Valid (0.04s, 154 steps). File bench/infer/binary_search2.mlw: Goal binary_search3'vc. Prover result is: Valid (0.03s, 102 steps). why3-1.6.0/bench/infer/infer-oracles/bool_ops.oracle000066400000000000000000000007061440160026300223250ustar00rootroot00000000000000CFG size: 65 nodes, 65 hyperedges Time elapsed 0.103039s ### Debug: inferred invariants ### (((contents x = True /\ contents y = True) /\ contents z = True) /\ contents a = True \/ (contents z = contents x /\ contents a = contents x) /\ False = contents x \/ (contents z = contents y /\ contents a = contents y) /\ False = contents y) /\ contents a = contents z ### File bench/infer/bool_ops.mlw: Goal f'vc. Prover result is: Valid (0.00s, 6 steps). why3-1.6.0/bench/infer/infer-oracles/bools.oracle000066400000000000000000000017741440160026300216350ustar00rootroot00000000000000CFG size: 44 nodes, 44 hyperedges Time elapsed 0.216798s ### Debug: inferred invariants ### (((((x = contents x1 /\ x <= 0) /\ contents y = True) /\ ref'mk x = x1) /\ x = contents x1 \/ ((1 + x) = contents x1 /\ x < 0) /\ (1 + x) = contents x1 \/ (x + 2) <= contents x1) /\ contents x1 <= 0) /\ x <= contents x1 ### CFG size: 44 nodes, 44 hyperedges Time elapsed 0.540180s ### Debug: inferred invariants ### ((((((contents x3 <= x2 /\ contents y1 = True) /\ ref'mk x2 = x3) /\ x2 = contents x3 \/ (x2 < 0 /\ x2 < contents x3) /\ (x2 + contents x3) < 0) /\ contents x3 <= 0) /\ (x2 + contents x3) <= 0) /\ x2 <= contents x3) /\ x2 <= 0 ### CFG size: 44 nodes, 44 hyperedges Time elapsed 0.009295s ### Debug: inferred invariants ### contents x5 <= 0 /\ x4 <= 0 ### File bench/infer/bools.mlw: Goal f'vc. Prover result is: Unknown () (0.04s). File bench/infer/bools.mlw: Goal f2'vc. Prover result is: Unknown () (0.02s). File bench/infer/bools.mlw: Goal f3'vc. Prover result is: Unknown () (0.00s). why3-1.6.0/bench/infer/infer-oracles/disjunction1.oracle000066400000000000000000000011061440160026300231160ustar00rootroot00000000000000CFG size: 42 nodes, 43 hyperedges Time elapsed 0.080783s ### Debug: inferred invariants ### ((((((0 = contents j /\ 0 = contents i) /\ contents i = 0) /\ contents j = 0 \/ ((6 = contents j /\ 7 <= contents i) /\ contents i <= x) /\ 6 = contents j \/ (((3 = contents j /\ contents i <= 6) /\ 0 < contents i) /\ contents i <= x) /\ 3 = contents j) /\ contents j <= (3 * contents i)) /\ (2 * contents j) <= (5 + contents i)) /\ 0 <= contents j) /\ contents j <= 6 ### File bench/infer/disjunction1.mlw: Goal a'vc. Prover result is: Valid (0.02s, 31 steps). why3-1.6.0/bench/infer/infer-oracles/if.oracle000066400000000000000000000013361440160026300211070ustar00rootroot00000000000000CFG size: 42 nodes, 43 hyperedges Time elapsed 0.064820s ### Debug: inferred invariants ### (((((0 = contents j /\ 0 = contents i) /\ contents i = 0) /\ contents j = 0 \/ ((1 + contents i) = contents j /\ contents i <= 9) /\ (1 + contents i) = contents j \/ 0 < contents i) /\ 0 <= contents i) /\ contents i <= contents j) /\ contents i <= 10 ### CFG size: 42 nodes, 43 hyperedges Time elapsed 0.122655s ### Debug: inferred invariants ### (((contents i1 <= 9 \/ contents i1 = (1 + contents j1)) /\ contents j1 <= contents i1) /\ contents j1 <= 9) /\ contents i1 <= 10 ### File bench/infer/if.mlw: Goal b'vc. Prover result is: Unknown () (0.15s). File bench/infer/if.mlw: Goal c'vc. Prover result is: Unknown () (0.08s). why3-1.6.0/bench/infer/infer-oracles/ifbool.oracle000066400000000000000000000010141440160026300217540ustar00rootroot00000000000000CFG size: 45 nodes, 46 hyperedges Time elapsed 0.024223 ### Debug: inferred invariants ### ((contents y = contents x /\ 0 <= contents x) /\ contents x <= 11) /\ contents x = contents y ### CFG size: 51 nodes, 52 hyperedges Time elapsed 0.035546 ### Debug: inferred invariants ### (((contents y = contents x /\ contents b = True) /\ 0 <= contents x) /\ contents x <= 11) /\ contents x = contents y ### bench/infer/ifbool.mlw Top test1'vc: Valid (0.00s, 12 steps) bench/infer/ifbool.mlw Top test2'vc: Valid (0.00s, 14 steps) why3-1.6.0/bench/infer/infer-oracles/ifint.oracle000066400000000000000000000004251440160026300216200ustar00rootroot00000000000000CFG size: 45 nodes, 46 hyperedges Time elapsed 0.029325s ### Debug: inferred invariants ### ((contents y = contents x /\ 0 <= contents x) /\ contents x <= 11) /\ contents x = contents y ### File bench/infer/ifint.mlw: Goal test1'vc. Prover result is: Valid (0.00s, 12 steps). why3-1.6.0/bench/infer/infer-oracles/incr.oracle000066400000000000000000000010251440160026300214370ustar00rootroot00000000000000CFG size: 14 nodes, 14 hyperedges Time elapsed 0.031699s ### Debug: inferred invariants ### (0 = contents i /\ contents i = 0 \/ 0 < contents i /\ contents i <= x) /\ 0 <= contents i ### CFG size: 14 nodes, 14 hyperedges Time elapsed 3.467742s ### Debug: inferred invariants ### (0 = contents i1 /\ contents i1 = 0 \/ 0 < x1 /\ 0 < contents i1) /\ 0 <= contents i1 ### File bench/infer/incr.mlw: Goal incr1'vc. Prover result is: Valid (0.02s, 20 steps). File bench/infer/incr.mlw: Goal incr3'vc. Prover result is: Timeout (1.00s). why3-1.6.0/bench/infer/infer-oracles/junjie.oracle000066400000000000000000000005171440160026300217750ustar00rootroot00000000000000CFG size: 54 nodes, 55 hyperedges Time elapsed 26.212145s ### Debug: inferred invariants ### (((0 = contents y /\ 0 = contents x) /\ contents x = 0) /\ contents y = 0 \/ 52 <= contents x \/ contents x <= 51 /\ 0 < contents y) /\ 0 <= (1 + contents y) ### File bench/infer/junjie.mlw: Goal b'vc. Prover result is: Unknown () (0.02s). why3-1.6.0/bench/infer/infer-oracles/mccarthy.oracle000066400000000000000000000073251440160026300223270ustar00rootroot00000000000000CFG size: 63 nodes, 64 hyperedges Time elapsed 0.041185s ### Debug: inferred invariants ### ((101 <= n0 /\ 0 <= contents e) /\ contents e <= 1) /\ (n0 + (10 * contents e)) = (10 + contents n) ### CFG size: 63 nodes, 64 hyperedges Time elapsed 0.160930s ### Debug: inferred invariants ### (((((((((((((((((((102 <= (n01 + contents e1) /\ 0 < contents e1) /\ n01 <= contents n1) /\ 202 <= (n01 + contents n1)) /\ (contents e1 + 100) <= contents n1) /\ 102 <= (contents e1 + contents n1)) /\ 101 <= contents n1) /\ ref'mk n01 = n1) /\ n01 = contents n1) /\ contents e1 = 1 \/ ((contents e1 + 101) <= n01 /\ contents e1 <= 0) /\ (contents n1 + 10) <= n01) /\ contents n1 <= n01) /\ 91 <= contents n1) /\ 91 <= (contents e1 + contents n1)) /\ (contents e1 + 91) <= contents n1) /\ 192 <= (n01 + contents n1)) /\ n01 <= (10 + contents n1)) /\ contents e1 <= 1) /\ (contents e1 + 100) <= n01) /\ 0 <= contents e1) /\ 101 <= (n01 + contents e1)) /\ 101 <= n01 ### CFG size: 63 nodes, 64 hyperedges Time elapsed 3.099792s ### Debug: inferred invariants ### ((2 <= contents e2 /\ contents n2 <= 111 \/ 91 <= contents n2) /\ 0 <= contents e2) /\ 101 <= n02 ### CFG size: 63 nodes, 64 hyperedges Time elapsed 0.220538s ### Debug: inferred invariants ### ((((((n03 + (11 * contents e3)) <= (10 + contents n3) /\ 91 <= contents n3 \/ ((n03 + (11 * contents e3)) = (11 + contents n3) /\ (n03 + (11 * contents e3)) <= 122) /\ 0 < contents e3) /\ 0 <= contents e3) /\ n03 <= (9 + contents n3)) /\ n03 <= 100) /\ (n03 + (11 * contents e3)) <= (11 + contents n3)) /\ ((10 * n03) + (99 * contents e3)) <= (99 + (10 * contents n3)) ### CFG size: 63 nodes, 64 hyperedges Time elapsed 1.057787s ### Debug: inferred invariants ### ((((((n04 = contents n4 /\ 1 = contents e4) /\ ref'mk n04 = n4) /\ n04 = contents n4) /\ contents e4 = 1 \/ (((n04 = (10 + contents n4) /\ 0 = contents e4) /\ 101 <= n04) /\ 0 = contents e4) /\ (n04 - 10) = contents n4 \/ (((n04 + (11 * contents e4)) = (10 + contents n4) /\ (n04 + (11 * contents e4)) <= 111) /\ 0 < contents e4) /\ 101 <= (n04 + (11 * contents e4)) \/ ((n04 + (11 * contents e4)) = (11 + contents n4) /\ (n04 + (11 * contents e4)) <= 122) /\ 2 <= contents e4 \/ (((n04 + (11 * contents e4)) <= (10 + contents n4) /\ contents n4 <= 111) /\ 102 <= contents n4) /\ 2 <= contents e4 \/ (n04 + (11 * contents e4)) <= (9 + contents n4) /\ 91 <= contents n4) /\ 0 <= contents e4) /\ (n04 + (10 * contents e4)) <= (10 + contents n4)) /\ (n04 + (11 * contents e4)) <= (11 + contents n4) ### CFG size: 63 nodes, 64 hyperedges Time elapsed 2.997888s ### Debug: inferred invariants ### (((1 = contents e5 /\ ref'mk n05 = n5) /\ n05 = contents n5) /\ contents e5 = 1 \/ 2 <= contents e5 /\ contents n5 <= 111 \/ 91 <= contents n5) /\ 0 <= contents e5 ### File bench/infer/mccarthy.mlw: Goal f91'vc. Prover result is: Valid (0.02s, 40 steps). File bench/infer/mccarthy.mlw: Goal f91_nonrec'vc. Prover result is: Valid (0.02s, 22 steps). File bench/infer/mccarthy.mlw: Goal f91_nonrec_oct'vc. Prover result is: Valid (0.02s, 52 steps). File bench/infer/mccarthy.mlw: Goal f91_nonrec_box'vc. Prover result is: Timeout (1.00s). File bench/infer/mccarthy.mlw: Goal f91_nonrec2'vc. Prover result is: Unknown () (0.80s). File bench/infer/mccarthy.mlw: Goal f91_nonrec_hard'vc. Prover result is: Timeout (1.00s). File bench/infer/mccarthy.mlw: Goal f91_nonrec_hard_box'vc. Prover result is: Timeout (1.00s). File bench/infer/mccarthy.mlw: Goal f91_pseudorec'vc. Prover result is: Valid (0.02s, 57 steps). why3-1.6.0/bench/infer/infer-oracles/merge_sort.oracle000066400000000000000000000315041440160026300226570ustar00rootroot00000000000000CFG size: 17 nodes, 17 hyperedges Couldn't understand entirely the post condition: le (elts a @ (contents i + (- 1))) (elts a @ contents i) Couldn't understand entirely the post condition: le (elts a @ (contents i + (- 1))) (elts a @ contents i) Couldn't understand entirely the post condition: le (elts a @ (contents i + (- 1))) (elts a @ contents i) Time elapsed 0.013102s ### Debug: inferred invariants ### (0 <= lo /\ contents i <= length a) /\ lo < contents i ### CFG size: 17 nodes, 17 hyperedges Couldn't understand entirely the post condition: le (elts a1 @ (contents i1 + (- 1))) (elts a1 @ contents i1) Couldn't understand entirely the post condition: le (elts a1 @ (contents i1 + (- 1))) (elts a1 @ contents i1) Time elapsed 0.001383s ### Debug: inferred invariants ### (0 < contents i1 /\ 0 < length a1) /\ 0 <= lo1 ### Multiple constructors exception, not handled by AI.Multiple constructors exception, not handled by AI.CFG size: 77 nodes, 82 hyperedges Couldn't understand entirely the post condition: sorted_sub a3 result mid Couldn't understand entirely the post condition: not le (elts a3 @ (mid + (- 1))) (elts a3 @ mid) Couldn't understand entirely the post condition: sorted_sub a3 mid hi Couldn't understand entirely the post condition: not le (elts a3 @ (hi + (- 1))) (elts a3 @ hi) Couldn't understand entirely the post condition: sorted_sub a3 result1 hi Couldn't understand entirely the post condition: permut a2 a3 result1 hi Couldn't understand entirely the post condition: sorted_sub a3 result mid Couldn't understand entirely the post condition: sorted_sub a3 result mid Couldn't understand entirely the post condition: not le (elts a3 @ (mid + (- 1))) (elts a3 @ mid) Couldn't understand entirely the post condition: not le (elts a3 @ (mid + (- 1))) (elts a3 @ mid) Couldn't understand entirely the post condition: sorted_sub a3 mid hi Couldn't understand entirely the post condition: sorted_sub a3 mid hi Couldn't understand entirely the post condition: sorted_sub a3 mid hi Couldn't understand entirely the post condition: not le (elts a3 @ (hi + (- 1))) (elts a3 @ hi) Couldn't understand entirely the post condition: not le (elts a3 @ (hi + (- 1))) (elts a3 @ hi) Couldn't understand entirely the post condition: not le (elts a3 @ (hi + (- 1))) (elts a3 @ hi) Couldn't understand entirely the post condition: sorted_sub a3 result1 hi Couldn't understand entirely the post condition: sorted_sub a3 result1 hi Couldn't understand entirely the post condition: sorted_sub a3 result1 hi Couldn't understand entirely the post condition: permut a2 a3 result1 hi Couldn't understand entirely the post condition: permut a2 a3 result1 hi Couldn't understand entirely the post condition: permut a2 a3 result1 hi Couldn't understand entirely the post condition: sorted_sub a3 result mid Couldn't understand entirely the post condition: sorted_sub a3 result mid Couldn't understand entirely the post condition: sorted_sub a3 result mid Couldn't understand entirely the post condition: sorted_sub a3 result mid Couldn't understand entirely the post condition: not le (elts a3 @ (mid + (- 1))) (elts a3 @ mid) Couldn't understand entirely the post condition: not le (elts a3 @ (mid + (- 1))) (elts a3 @ mid) Couldn't understand entirely the post condition: not le (elts a3 @ (mid + (- 1))) (elts a3 @ mid) Couldn't understand entirely the post condition: not le (elts a3 @ (mid + (- 1))) (elts a3 @ mid) Couldn't understand entirely the post condition: sorted_sub a3 mid hi Couldn't understand entirely the post condition: sorted_sub a3 mid hi Couldn't understand entirely the post condition: sorted_sub a3 mid hi Couldn't understand entirely the post condition: sorted_sub a3 mid hi Couldn't understand entirely the post condition: sorted_sub a3 mid hi Couldn't understand entirely the post condition: sorted_sub a3 mid hi Couldn't understand entirely the post condition: sorted_sub a3 mid hi Couldn't understand entirely the post condition: not le (elts a3 @ (hi + (- 1))) (elts a3 @ hi) Couldn't understand entirely the post condition: not le (elts a3 @ (hi + (- 1))) (elts a3 @ hi) Couldn't understand entirely the post condition: not le (elts a3 @ (hi + (- 1))) (elts a3 @ hi) Couldn't understand entirely the post condition: not le (elts a3 @ (hi + (- 1))) (elts a3 @ hi) Couldn't understand entirely the post condition: not le (elts a3 @ (hi + (- 1))) (elts a3 @ hi) Couldn't understand entirely the post condition: not le (elts a3 @ (hi + (- 1))) (elts a3 @ hi) Couldn't understand entirely the post condition: not le (elts a3 @ (hi + (- 1))) (elts a3 @ hi) Couldn't understand entirely the post condition: sorted_sub a3 result1 hi Couldn't understand entirely the post condition: sorted_sub a3 result1 hi Couldn't understand entirely the post condition: sorted_sub a3 result1 hi Couldn't understand entirely the post condition: sorted_sub a3 result1 hi Couldn't understand entirely the post condition: sorted_sub a3 result1 hi Couldn't understand entirely the post condition: sorted_sub a3 result1 hi Couldn't understand entirely the post condition: sorted_sub a3 result1 hi Couldn't understand entirely the post condition: permut a2 a3 result1 hi Couldn't understand entirely the post condition: permut a2 a3 result1 hi Couldn't understand entirely the post condition: permut a2 a3 result1 hi Couldn't understand entirely the post condition: permut a2 a3 result1 hi Couldn't understand entirely the post condition: permut a2 a3 result1 hi Couldn't understand entirely the post condition: permut a2 a3 result1 hi Couldn't understand entirely the post condition: permut a2 a3 result1 hi Couldn't understand entirely the post condition: sorted_sub a3 result mid Couldn't understand entirely the post condition: sorted_sub a3 result mid Couldn't understand entirely the post condition: sorted_sub a3 result mid Couldn't understand entirely the post condition: sorted_sub a3 result mid Couldn't understand entirely the post condition: not le (elts a3 @ (mid + (- 1))) (elts a3 @ mid) Couldn't understand entirely the post condition: not le (elts a3 @ (mid + (- 1))) (elts a3 @ mid) Couldn't understand entirely the post condition: not le (elts a3 @ (mid + (- 1))) (elts a3 @ mid) Couldn't understand entirely the post condition: not le (elts a3 @ (mid + (- 1))) (elts a3 @ mid) Couldn't understand entirely the post condition: sorted_sub a3 mid hi Couldn't understand entirely the post condition: sorted_sub a3 mid hi Couldn't understand entirely the post condition: sorted_sub a3 mid hi Couldn't understand entirely the post condition: sorted_sub a3 mid hi Couldn't understand entirely the post condition: sorted_sub a3 mid hi Couldn't understand entirely the post condition: sorted_sub a3 mid hi Couldn't understand entirely the post condition: sorted_sub a3 mid hi Couldn't understand entirely the post condition: not le (elts a3 @ (hi + (- 1))) (elts a3 @ hi) Couldn't understand entirely the post condition: not le (elts a3 @ (hi + (- 1))) (elts a3 @ hi) Couldn't understand entirely the post condition: not le (elts a3 @ (hi + (- 1))) (elts a3 @ hi) Couldn't understand entirely the post condition: not le (elts a3 @ (hi + (- 1))) (elts a3 @ hi) Couldn't understand entirely the post condition: not le (elts a3 @ (hi + (- 1))) (elts a3 @ hi) Couldn't understand entirely the post condition: not le (elts a3 @ (hi + (- 1))) (elts a3 @ hi) Couldn't understand entirely the post condition: not le (elts a3 @ (hi + (- 1))) (elts a3 @ hi) Couldn't understand entirely the post condition: sorted_sub a3 result1 hi Couldn't understand entirely the post condition: sorted_sub a3 result1 hi Couldn't understand entirely the post condition: sorted_sub a3 result1 hi Couldn't understand entirely the post condition: sorted_sub a3 result1 hi Couldn't understand entirely the post condition: sorted_sub a3 result1 hi Couldn't understand entirely the post condition: sorted_sub a3 result1 hi Couldn't understand entirely the post condition: sorted_sub a3 result1 hi Couldn't understand entirely the post condition: permut a2 a3 result1 hi Couldn't understand entirely the post condition: permut a2 a3 result1 hi Couldn't understand entirely the post condition: permut a2 a3 result1 hi Couldn't understand entirely the post condition: permut a2 a3 result1 hi Couldn't understand entirely the post condition: permut a2 a3 result1 hi Couldn't understand entirely the post condition: permut a2 a3 result1 hi Couldn't understand entirely the post condition: permut a2 a3 result1 hi Couldn't understand entirely the post condition: sorted_sub a3 result mid Couldn't understand entirely the post condition: sorted_sub a3 result mid Couldn't understand entirely the post condition: sorted_sub a3 result mid Couldn't understand entirely the post condition: sorted_sub a3 result mid Couldn't understand entirely the post condition: not le (elts a3 @ (mid + (- 1))) (elts a3 @ mid) Couldn't understand entirely the post condition: not le (elts a3 @ (mid + (- 1))) (elts a3 @ mid) Couldn't understand entirely the post condition: not le (elts a3 @ (mid + (- 1))) (elts a3 @ mid) Couldn't understand entirely the post condition: not le (elts a3 @ (mid + (- 1))) (elts a3 @ mid) Couldn't understand entirely the post condition: sorted_sub a3 mid hi Couldn't understand entirely the post condition: sorted_sub a3 mid hi Couldn't understand entirely the post condition: sorted_sub a3 mid hi Couldn't understand entirely the post condition: sorted_sub a3 mid hi Couldn't understand entirely the post condition: sorted_sub a3 mid hi Couldn't understand entirely the post condition: sorted_sub a3 mid hi Couldn't understand entirely the post condition: sorted_sub a3 mid hi Couldn't understand entirely the post condition: not le (elts a3 @ (hi + (- 1))) (elts a3 @ hi) Couldn't understand entirely the post condition: not le (elts a3 @ (hi + (- 1))) (elts a3 @ hi) Couldn't understand entirely the post condition: not le (elts a3 @ (hi + (- 1))) (elts a3 @ hi) Couldn't understand entirely the post condition: not le (elts a3 @ (hi + (- 1))) (elts a3 @ hi) Couldn't understand entirely the post condition: not le (elts a3 @ (hi + (- 1))) (elts a3 @ hi) Couldn't understand entirely the post condition: not le (elts a3 @ (hi + (- 1))) (elts a3 @ hi) Couldn't understand entirely the post condition: not le (elts a3 @ (hi + (- 1))) (elts a3 @ hi) Couldn't understand entirely the post condition: sorted_sub a3 result1 hi Couldn't understand entirely the post condition: sorted_sub a3 result1 hi Couldn't understand entirely the post condition: sorted_sub a3 result1 hi Couldn't understand entirely the post condition: sorted_sub a3 result1 hi Couldn't understand entirely the post condition: sorted_sub a3 result1 hi Couldn't understand entirely the post condition: sorted_sub a3 result1 hi Couldn't understand entirely the post condition: sorted_sub a3 result1 hi Couldn't understand entirely the post condition: permut a2 a3 result1 hi Couldn't understand entirely the post condition: permut a2 a3 result1 hi Couldn't understand entirely the post condition: permut a2 a3 result1 hi Couldn't understand entirely the post condition: permut a2 a3 result1 hi Couldn't understand entirely the post condition: permut a2 a3 result1 hi Couldn't understand entirely the post condition: permut a2 a3 result1 hi Couldn't understand entirely the post condition: permut a2 a3 result1 hi Time elapsed 6.834312s ### Debug: inferred invariants ### (((((((((n = length tmp /\ n = length a3) /\ 0 = contents lo2) /\ 0 = contents first_run) /\ 2 <= n) /\ contents first_run = 0) /\ contents lo2 = 0) /\ length a3 = n) /\ length tmp = n \/ ((contents first_run + 2) <= contents lo2 /\ 2 <= contents first_run) /\ (contents first_run + 2) <= n \/ (0 = contents lo2 /\ 2 <= contents first_run) /\ contents lo2 = 0 \/ ((contents first_run = contents lo2 /\ 2 <= contents first_run) /\ 2 <= n) /\ contents lo2 = contents first_run) /\ 0 <= contents first_run) /\ 0 <= contents lo2 ((((((n = length tmp /\ n = length a3) /\ 0 = contents first_run) /\ 2 <= n) /\ contents first_run = 0) /\ length a3 = n) /\ length tmp = n \/ 2 <= contents first_run) /\ 0 <= contents first_run ### File bench/infer/merge_sort.mlw: Goal merge'vc. Prover result is: Timeout (1.00s). File bench/infer/merge_sort.mlw: Goal merge_using'vc. Prover result is: Timeout (1.00s). File bench/infer/merge_sort.mlw: Goal mergesort_rec'vc. Prover result is: Timeout (1.00s). File bench/infer/merge_sort.mlw: Goal mergesort'vc. Prover result is: Valid (0.02s, 91 steps). File bench/infer/merge_sort.mlw: Goal bottom_up_mergesort'vc. Prover result is: Timeout (1.00s). File bench/infer/merge_sort.mlw: Goal find_run'vc. Prover result is: Timeout (1.00s). File bench/infer/merge_sort.mlw: Goal find_run2'vc. Prover result is: Timeout (1.00s). File bench/infer/merge_sort.mlw: Goal natural_mergesort'vc. Prover result is: Timeout (1.00s). File bench/infer/merge_sort.mlw: Goal naturalrec'vc. Prover result is: Timeout (1.00s). File bench/infer/merge_sort.mlw: Goal natural_mergesort2'vc. Prover result is: Valid (0.02s, 60 steps). why3-1.6.0/bench/infer/infer-oracles/minus1.oracle000066400000000000000000000074731440160026300217350ustar00rootroot00000000000000CFG size: 53 nodes, 53 hyperedges Time elapsed 0.033310s ### Debug: inferred invariants ### (0 < contents i /\ contents i <= 10) /\ 20 = ((2 * contents i) + contents j) ### CFG size: 53 nodes, 53 hyperedges Time elapsed 8.919189s ### Debug: inferred invariants ### ((((((((((((contents i1 <= 1 /\ (contents i1 + 17) <= contents j1) /\ 19 <= (contents i1 + contents j1)) /\ 18 <= contents j1) /\ 1 = contents i1) /\ 18 = contents j1 \/ ((((((4 <= contents i1 /\ contents i1 <= 4) /\ (contents i1 + 8) <= contents j1) /\ 16 <= (contents i1 + contents j1)) /\ 12 <= contents j1) /\ (contents i1 + contents j1) <= 16) /\ contents j1 <= (8 + contents i1)) /\ contents j1 <= 12 \/ ((((((7 <= contents i1 /\ contents i1 <= 7) /\ contents i1 <= (1 + contents j1)) /\ 13 <= (contents i1 + contents j1)) /\ 6 <= contents j1) /\ (contents i1 + contents j1) <= 13) /\ contents j1 < contents i1) /\ contents j1 <= 6 \/ ((((((9 <= contents i1 /\ contents i1 <= 9) /\ contents i1 <= (7 + contents j1)) /\ 11 <= (contents i1 + contents j1)) /\ 2 <= contents j1) /\ (contents i1 + contents j1) <= 11) /\ (contents j1 + 7) <= contents i1) /\ contents j1 <= 2 \/ ((((((6 <= contents i1 /\ contents i1 <= 6) /\ (contents i1 + 2) <= contents j1) /\ 14 <= (contents i1 + contents j1)) /\ 8 <= contents j1) /\ (contents i1 + contents j1) <= 14) /\ contents j1 <= (2 + contents i1)) /\ contents j1 <= 8 \/ ((((((2 <= contents i1 /\ contents i1 <= 2) /\ (contents i1 + 14) <= contents j1) /\ 18 <= (contents i1 + contents j1)) /\ 16 <= contents j1) /\ (contents i1 + contents j1) <= 18) /\ contents j1 <= (14 + contents i1)) /\ contents j1 <= 16 \/ ((((((3 <= contents i1 /\ contents i1 <= 3) /\ (contents i1 + 11) <= contents j1) /\ 17 <= (contents i1 + contents j1)) /\ 14 <= contents j1) /\ (contents i1 + contents j1) <= 17) /\ contents j1 <= (11 + contents i1)) /\ contents j1 <= 14 \/ ((((((5 <= contents i1 /\ contents i1 <= 5) /\ (contents i1 + 5) <= contents j1) /\ 15 <= (contents i1 + contents j1)) /\ 10 <= contents j1) /\ (contents i1 + contents j1) <= 15) /\ contents j1 <= (5 + contents i1)) /\ contents j1 <= 10 \/ ((((((8 <= contents i1 /\ contents i1 <= 8) /\ contents i1 <= (4 + contents j1)) /\ 12 <= (contents i1 + contents j1)) /\ 4 <= contents j1) /\ (contents i1 + contents j1) <= 12) /\ (contents j1 + 4) <= contents i1) /\ contents j1 <= 4 \/ ((10 <= contents i1 /\ (contents i1 + contents j1) <= 10) /\ (contents j1 + 10) <= contents i1) /\ contents j1 <= 0) /\ contents j1 <= 18) /\ contents j1 <= (17 + contents i1)) /\ (contents i1 + contents j1) <= 19) /\ 0 <= contents j1) /\ 10 <= (contents i1 + contents j1)) /\ contents i1 <= (10 + contents j1)) /\ contents i1 <= 10) /\ 0 < contents i1 ### CFG size: 53 nodes, 53 hyperedges Time elapsed 7.183389s ### Debug: inferred invariants ### (((((1 = contents i2 /\ 18 = contents j2) /\ 1 = contents i2) /\ 18 = contents j2 \/ 2 <= contents i2 /\ contents j2 <= 16) /\ contents j2 <= 18) /\ contents i2 <= 10) /\ 0 < contents i2 ### File bench/infer/minus1.mlw: Goal b'vc. Prover result is: Valid (0.02s, 14 steps). File bench/infer/minus1.mlw: Goal b2'vc. Prover result is: Valid (0.06s, 112 steps). File bench/infer/minus1.mlw: Goal b3'vc. Prover result is: Unknown () (0.04s). why3-1.6.0/bench/infer/infer-oracles/mult.oracle000066400000000000000000000021751440160026300214740ustar00rootroot00000000000000CFG size: 23 nodes, 23 hyperedges Time elapsed 0.211171s ### Debug: inferred invariants ### forall w1:int. 0 = contents i /\ contents i = 0 \/ (2 * 0) <= 9 /\ (2 * (2 * 0)) <= 9 \/ (2 * 0) = contents i \/ ((2 * (2 * 0)) = contents i /\ (2 * 0) <= 9) /\ (2 * (2 * 0)) = contents i ### CFG size: 23 nodes, 23 hyperedges Time elapsed 0.702336s ### Debug: inferred invariants ### forall w2:int. (0 <= contents i1 /\ contents i1 <= 0) /\ contents i1 = 0 \/ ((((2 * 0) <= 9 /\ ((2 * 0) + (2 * (2 * 0))) <= 18) /\ (2 * (2 * 0)) <= 9) /\ contents i1 <= contents i1) /\ contents i1 <= contents i1 \/ ((2 * 0) <= contents i1 /\ contents i1 <= (2 * 0)) /\ (2 * 0) = contents i1 \/ (((2 * 0) <= 9 /\ (2 * (2 * 0)) <= contents i1) /\ contents i1 <= (2 * (2 * 0))) /\ (2 * (2 * 0)) = contents i1 ### CFG size: 23 nodes, 23 hyperedges Time elapsed 0.007095s ### Debug: inferred invariants ### forall w3:int. true ### File bench/infer/mult.mlw: Goal b'vc. Prover result is: Unknown () (0.39s). File bench/infer/mult.mlw: Goal b2'vc. Prover result is: Unknown () (0.02s). File bench/infer/mult.mlw: Goal b3'vc. Prover result is: Unknown () (0.02s). why3-1.6.0/bench/infer/infer-oracles/neg1.oracle000066400000000000000000000007761440160026300213520ustar00rootroot00000000000000CFG size: 23 nodes, 23 hyperedges Time elapsed 0.021012s ### Debug: inferred invariants ### ((12 = contents i \/ contents i <= 10) /\ 0 <= contents i) /\ contents i <= 12 ### CFG size: 23 nodes, 23 hyperedges Time elapsed 0.099081s ### Debug: inferred invariants ### ((12 <= contents i1 \/ contents i1 <= 10) /\ contents i1 <= 12) /\ 0 <= contents i1 ### File bench/infer/neg1.mlw: Goal b'vc. Prover result is: Unknown () (0.04s). File bench/infer/neg1.mlw: Goal b2'vc. Prover result is: Unknown () (0.00s). why3-1.6.0/bench/infer/infer-oracles/pbinfer2.oracle000066400000000000000000000011441440160026300222150ustar00rootroot00000000000000CFG size: 101 nodes, 107 hyperedges Time elapsed 1.590225s ### Debug: inferred invariants ### (((contents a2 = False /\ contents b = False \/ (((contents x1 = False /\ contents x2 = False) /\ contents b = contents a2) /\ contents x3 = contents a2) /\ True = contents a2 \/ (True = contents x3 /\ contents x1 = False) /\ contents x2 = False) /\ contents e = False) /\ contents d = False) /\ contents c = False ### File bench/infer/pbinfer2.mlw: Goal to_true'vc. Prover result is: Valid (0.00s, 0 steps). File bench/infer/pbinfer2.mlw: Goal pgmtest'vc. Prover result is: Valid (0.01s, 22 steps). why3-1.6.0/bench/infer/infer-oracles/pbinfer2_simplified.oracle000066400000000000000000000003721440160026300244240ustar00rootroot00000000000000CFG size: 20 nodes, 20 hyperedges Time elapsed 0.025969s ### Debug: inferred invariants ### forall w1:int. contents a = False \/ x = contents a ### File bench/infer/pbinfer2_simplified.mlw: Goal pgmtest'vc. Prover result is: Valid (0.01s, 2 steps). why3-1.6.0/bench/infer/infer-oracles/ref3.oracle000066400000000000000000000010141440160026300213410ustar00rootroot00000000000000CFG size: 17 nodes, 17 hyperedges Time elapsed 0.027792s ### Debug: inferred invariants ### (0 = contents k /\ contents k = 0 \/ 0 < contents k /\ contents k <= x) /\ 0 <= contents k ### CFG size: 17 nodes, 17 hyperedges Time elapsed 3.429263s ### Debug: inferred invariants ### (0 = contents k1 /\ contents k1 = 0 \/ 0 < x1 /\ 0 < contents k1) /\ 0 <= contents k1 ### File bench/infer/ref3.mlw: Goal b'vc. Prover result is: Unknown () (0.02s). File bench/infer/ref3.mlw: Goal b3'vc. Prover result is: Unknown () (0.00s). why3-1.6.0/bench/infer/infer-oracles/try1.oracle000066400000000000000000000011501440160026300214020ustar00rootroot00000000000000CFG size: 44 nodes, 44 hyperedges Time elapsed 0.090185s ### Debug: inferred invariants ### ((0 = contents i /\ contents i = 0 \/ 12 = contents i \/ 6 = contents i) /\ 0 <= contents i) /\ contents i <= 12 ### CFG size: 44 nodes, 44 hyperedges Time elapsed 0.266775s ### Debug: inferred invariants ### ((contents i1 <= 0 /\ contents i1 = 0 \/ 12 <= contents i1 \/ 6 <= contents i1 /\ contents i1 <= 6) /\ contents i1 <= 12) /\ 0 <= contents i1 ### File bench/infer/try1.mlw: Goal b'vc. Prover result is: Valid (0.01s, 14 steps). File bench/infer/try1.mlw: Goal b2'vc. Prover result is: Valid (0.01s, 18 steps). why3-1.6.0/bench/infer/infer-oracles/try3.oracle000066400000000000000000000006571440160026300214170ustar00rootroot00000000000000CFG size: 44 nodes, 44 hyperedges Time elapsed 0.022385s ### Debug: inferred invariants ### 0 <= contents i /\ contents i <= 10 ### CFG size: 44 nodes, 44 hyperedges Time elapsed 0.096545s ### Debug: inferred invariants ### contents i1 <= 10 /\ 0 <= contents i1 ### File bench/infer/try3.mlw: Goal b'vc. Prover result is: Valid (0.01s, 10 steps). File bench/infer/try3.mlw: Goal b2'vc. Prover result is: Valid (0.01s, 10 steps). why3-1.6.0/bench/infer/infer-oracles/tuple1.oracle000066400000000000000000000102251440160026300217200ustar00rootroot00000000000000CFG size: 56 nodes, 56 hyperedges Time elapsed 0.065201s ### Debug: inferred invariants ### (0 <= contents i /\ contents i <= 10) /\ (2 * contents i) = contents j ### CFG size: 56 nodes, 56 hyperedges Time elapsed 16.017256s ### Debug: inferred invariants ### ((((((((((((contents i1 <= 0 /\ (contents i1 + contents j1) <= 0) /\ contents j1 <= contents i1) /\ contents j1 <= 0) /\ contents i1 = 0) /\ contents j1 = 0 \/ ((((((7 <= contents i1 /\ contents i1 <= 7) /\ (contents i1 + 7) <= contents j1) /\ 21 <= (contents i1 + contents j1)) /\ 14 <= contents j1) /\ (contents i1 + contents j1) <= 21) /\ contents j1 <= (7 + contents i1)) /\ contents j1 <= 14 \/ ((((((4 <= contents i1 /\ contents i1 <= 4) /\ (contents i1 + 4) <= contents j1) /\ 12 <= (contents i1 + contents j1)) /\ 8 <= contents j1) /\ (contents i1 + contents j1) <= 12) /\ contents j1 <= (4 + contents i1)) /\ contents j1 <= 8 \/ ((((((8 <= contents i1 /\ contents i1 <= 8) /\ (contents i1 + 8) <= contents j1) /\ 24 <= (contents i1 + contents j1)) /\ 16 <= contents j1) /\ (contents i1 + contents j1) <= 24) /\ contents j1 <= (8 + contents i1)) /\ contents j1 <= 16 \/ ((((((6 <= contents i1 /\ contents i1 <= 6) /\ (contents i1 + 6) <= contents j1) /\ 18 <= (contents i1 + contents j1)) /\ 12 <= contents j1) /\ (contents i1 + contents j1) <= 18) /\ contents j1 <= (6 + contents i1)) /\ contents j1 <= 12 \/ ((((((2 <= contents i1 /\ contents i1 <= 2) /\ (contents i1 + 2) <= contents j1) /\ 6 <= (contents i1 + contents j1)) /\ 4 <= contents j1) /\ (contents i1 + contents j1) <= 6) /\ contents j1 <= (2 + contents i1)) /\ contents j1 <= 4 \/ ((10 <= contents i1 /\ (contents i1 + 10) <= contents j1) /\ 30 <= (contents i1 + contents j1)) /\ 20 <= contents j1 \/ ((((((9 <= contents i1 /\ contents i1 <= 9) /\ (contents i1 + 9) <= contents j1) /\ 27 <= (contents i1 + contents j1)) /\ 18 <= contents j1) /\ (contents i1 + contents j1) <= 27) /\ contents j1 <= (9 + contents i1)) /\ contents j1 <= 18 \/ ((((((3 <= contents i1 /\ contents i1 <= 3) /\ (contents i1 + 3) <= contents j1) /\ 9 <= (contents i1 + contents j1)) /\ 6 <= contents j1) /\ (contents i1 + contents j1) <= 9) /\ contents j1 <= (3 + contents i1)) /\ contents j1 <= 6 \/ ((((((((0 < contents i1 /\ contents i1 <= 1) /\ contents i1 < contents j1) /\ 3 <= (contents i1 + contents j1)) /\ 2 <= contents j1) /\ (contents i1 + contents j1) <= 3) /\ contents j1 <= (1 + contents i1)) /\ contents j1 <= 2) /\ 1 = contents i1) /\ 2 = contents j1 \/ ((((((5 <= contents i1 /\ contents i1 <= 5) /\ (contents i1 + 5) <= contents j1) /\ 15 <= (contents i1 + contents j1)) /\ 10 <= contents j1) /\ (contents i1 + contents j1) <= 15) /\ contents j1 <= (5 + contents i1)) /\ contents j1 <= 10) /\ contents j1 <= 20) /\ contents j1 <= (10 + contents i1)) /\ (contents i1 + contents j1) <= 30) /\ 0 <= contents j1) /\ 0 <= (contents i1 + contents j1)) /\ contents i1 <= contents j1) /\ contents i1 <= 10) /\ 0 <= contents i1 ### CFG size: 56 nodes, 56 hyperedges Time elapsed 7.287416s ### Debug: inferred invariants ### (((((0 = contents i2 /\ 0 = contents j2) /\ contents i2 = 0) /\ contents j2 = 0 \/ 0 < contents i2 /\ 2 <= contents j2) /\ 0 <= contents j2) /\ contents i2 <= 10) /\ 0 <= contents i2 ### File bench/infer/tuple1.mlw: Goal b'vc. Prover result is: Valid (0.01s, 12 steps). File bench/infer/tuple1.mlw: Goal b2'vc. Prover result is: Valid (0.08s, 124 steps). File bench/infer/tuple1.mlw: Goal b3'vc. Prover result is: Unknown () (0.06s). why3-1.6.0/bench/infer/infer-oracles/tuple2.oracle000066400000000000000000001527741440160026300217410ustar00rootroot00000000000000CFG size: 65 nodes, 65 hyperedges Time elapsed 0.073544s ### Debug: inferred invariants ### ((((((1 = match _1 with | $pat, _ -> $pat end /\ 2 = match _1 with | _, $pat -> $pat end) /\ (1, 2) = _1) /\ 0 <= contents i) /\ contents i <= 10) /\ 1 = match _1 with | $pat, _ -> $pat end) /\ 2 = match _1 with | _, $pat -> $pat end) /\ (2 * contents i) = contents j ### CFG size: 65 nodes, 65 hyperedges Time elapsed 46.429428s ### Debug: inferred invariants ### ((((((((((((((((((((((((((((((((((((((((((((((((match _8 with | $pat, _ -> $pat end + contents i1) <= 1 /\ contents i1 < match _8 with | $pat, _ -> $pat end) /\ (match _8 with | _, $pat -> $pat end + contents i1) <= 2) /\ (contents i1 + 2) <= match _8 with | _, $pat -> $pat end) /\ contents i1 <= 0) /\ (match _8 with | $pat, _ -> $pat end + contents j1) <= 1) /\ contents j1 < match _8 with | $pat, _ -> $pat end) /\ (match _8 with | _, $pat -> $pat end + contents j1) <= 2) /\ (contents j1 + 2) <= match _8 with | _, $pat -> $pat end) /\ (contents i1 + contents j1) <= 0) /\ contents j1 <= contents i1) /\ contents j1 <= 0) /\ contents i1 = 0) /\ contents j1 = 0 \/ (((((((((((((((((((((((match _8 with | $pat, _ -> $pat end + 6) <= contents i1 /\ 8 <= (match _8 with | $pat, _ -> $pat end + contents i1)) /\ (match _8 with | _, $pat -> $pat end + 5) <= contents i1) /\ 9 <= (match _8 with | _, $pat -> $pat end + contents i1)) /\ 7 <= contents i1) /\ (match _8 with | $pat, _ -> $pat end + contents i1) <= 8) /\ contents i1 <= (6 + match _8 with | $pat, _ -> $pat end)) /\ (match _8 with | _, $pat -> $pat end + contents i1) <= 9) /\ contents i1 <= (5 + match _8 with | _, $pat -> $pat end)) /\ contents i1 <= 7) /\ (match _8 with | $pat, _ -> $pat end + 13) <= contents j1) /\ 15 <= (match _8 with | $pat, _ -> $pat end + contents j1)) /\ (match _8 with | _, $pat -> $pat end + 12) <= contents j1) /\ 16 <= (match _8 with | _, $pat -> $pat end + contents j1)) /\ (contents i1 + 7) <= contents j1) /\ 21 <= (contents i1 + contents j1)) /\ 14 <= contents j1) /\ (match _8 with | $pat, _ -> $pat end + contents j1) <= 15) /\ contents j1 <= (13 + match _8 with | $pat, _ -> $pat end)) /\ (match _8 with | _, $pat -> $pat end + contents j1) <= 16) /\ contents j1 <= (12 + match _8 with | _, $pat -> $pat end)) /\ (contents i1 + contents j1) <= 21) /\ contents j1 <= (7 + contents i1)) /\ contents j1 <= 14 \/ (((((((((((((((((((((((match _8 with | $pat, _ -> $pat end + 3) <= contents i1 /\ 5 <= (match _8 with | $pat, _ -> $pat end + contents i1)) /\ (match _8 with | _, $pat -> $pat end + 2) <= contents i1) /\ 6 <= (match _8 with | _, $pat -> $pat end + contents i1)) /\ 4 <= contents i1) /\ (match _8 with | $pat, _ -> $pat end + contents i1) <= 5) /\ contents i1 <= (3 + match _8 with | $pat, _ -> $pat end)) /\ (match _8 with | _, $pat -> $pat end + contents i1) <= 6) /\ contents i1 <= (2 + match _8 with | _, $pat -> $pat end)) /\ contents i1 <= 4) /\ (match _8 with | $pat, _ -> $pat end + 7) <= contents j1) /\ 9 <= (match _8 with | $pat, _ -> $pat end + contents j1)) /\ (match _8 with | _, $pat -> $pat end + 6) <= contents j1) /\ 10 <= (match _8 with | _, $pat -> $pat end + contents j1)) /\ (contents i1 + 4) <= contents j1) /\ 12 <= (contents i1 + contents j1)) /\ 8 <= contents j1) /\ (match _8 with | $pat, _ -> $pat end + contents j1) <= 9) /\ contents j1 <= (7 + match _8 with | $pat, _ -> $pat end)) /\ (match _8 with | _, $pat -> $pat end + contents j1) <= 10) /\ contents j1 <= (6 + match _8 with | _, $pat -> $pat end)) /\ (contents i1 + contents j1) <= 12) /\ contents j1 <= (4 + contents i1)) /\ contents j1 <= 8 \/ (((((((((((((((((((((((match _8 with | $pat, _ -> $pat end + 7) <= contents i1 /\ 9 <= (match _8 with | $pat, _ -> $pat end + contents i1)) /\ (match _8 with | _, $pat -> $pat end + 6) <= contents i1) /\ 10 <= (match _8 with | _, $pat -> $pat end + contents i1)) /\ 8 <= contents i1) /\ (match _8 with | $pat, _ -> $pat end + contents i1) <= 9) /\ contents i1 <= (7 + match _8 with | $pat, _ -> $pat end)) /\ (match _8 with | _, $pat -> $pat end + contents i1) <= 10) /\ contents i1 <= (6 + match _8 with | _, $pat -> $pat end)) /\ contents i1 <= 8) /\ (match _8 with | $pat, _ -> $pat end + 15) <= contents j1) /\ 17 <= (match _8 with | $pat, _ -> $pat end + contents j1)) /\ (match _8 with | _, $pat -> $pat end + 14) <= contents j1) /\ 18 <= (match _8 with | _, $pat -> $pat end + contents j1)) /\ (contents i1 + 8) <= contents j1) /\ 24 <= (contents i1 + contents j1)) /\ 16 <= contents j1) /\ (match _8 with | $pat, _ -> $pat end + contents j1) <= 17) /\ contents j1 <= (15 + match _8 with | $pat, _ -> $pat end)) /\ (match _8 with | _, $pat -> $pat end + contents j1) <= 18) /\ contents j1 <= (14 + match _8 with | _, $pat -> $pat end)) /\ (contents i1 + contents j1) <= 24) /\ contents j1 <= (8 + contents i1)) /\ contents j1 <= 16 \/ (((((((((((((((((((((((match _8 with | $pat, _ -> $pat end + 5) <= contents i1 /\ 7 <= (match _8 with | $pat, _ -> $pat end + contents i1)) /\ (match _8 with | _, $pat -> $pat end + 4) <= contents i1) /\ 8 <= (match _8 with | _, $pat -> $pat end + contents i1)) /\ 6 <= contents i1) /\ (match _8 with | $pat, _ -> $pat end + contents i1) <= 7) /\ contents i1 <= (5 + match _8 with | $pat, _ -> $pat end)) /\ (match _8 with | _, $pat -> $pat end + contents i1) <= 8) /\ contents i1 <= (4 + match _8 with | _, $pat -> $pat end)) /\ contents i1 <= 6) /\ (match _8 with | $pat, _ -> $pat end + 11) <= contents j1) /\ 13 <= (match _8 with | $pat, _ -> $pat end + contents j1)) /\ (match _8 with | _, $pat -> $pat end + 10) <= contents j1) /\ 14 <= (match _8 with | _, $pat -> $pat end + contents j1)) /\ (contents i1 + 6) <= contents j1) /\ 18 <= (contents i1 + contents j1)) /\ 12 <= contents j1) /\ (match _8 with | $pat, _ -> $pat end + contents j1) <= 13) /\ contents j1 <= (11 + match _8 with | $pat, _ -> $pat end)) /\ (match _8 with | _, $pat -> $pat end + contents j1) <= 14) /\ contents j1 <= (10 + match _8 with | _, $pat -> $pat end)) /\ (contents i1 + contents j1) <= 18) /\ contents j1 <= (6 + contents i1)) /\ contents j1 <= 12 \/ ((((((((((((((((((((((match _8 with | $pat, _ -> $pat end < contents i1 /\ 3 <= (match _8 with | $pat, _ -> $pat end + contents i1)) /\ match _8 with | _, $pat -> $pat end <= contents i1) /\ 4 <= (match _8 with | _, $pat -> $pat end + contents i1)) /\ 2 <= contents i1) /\ (match _8 with | $pat, _ -> $pat end + contents i1) <= 3) /\ contents i1 <= (1 + match _8 with | $pat, _ -> $pat end)) /\ (match _8 with | _, $pat -> $pat end + contents i1) <= 4) /\ contents i1 <= match _8 with | _, $pat -> $pat end) /\ contents i1 <= 2) /\ (match _8 with | $pat, _ -> $pat end + 3) <= contents j1) /\ 5 <= (match _8 with | $pat, _ -> $pat end + contents j1)) /\ (match _8 with | _, $pat -> $pat end + 2) <= contents j1) /\ 6 <= (match _8 with | _, $pat -> $pat end + contents j1)) /\ (contents i1 + 2) <= contents j1) /\ 6 <= (contents i1 + contents j1)) /\ 4 <= contents j1) /\ (match _8 with | $pat, _ -> $pat end + contents j1) <= 5) /\ contents j1 <= (3 + match _8 with | $pat, _ -> $pat end)) /\ (match _8 with | _, $pat -> $pat end + contents j1) <= 6) /\ contents j1 <= (2 + match _8 with | _, $pat -> $pat end)) /\ (contents i1 + contents j1) <= 6) /\ contents j1 <= (2 + contents i1)) /\ contents j1 <= 4 \/ (((((((((((match _8 with | $pat, _ -> $pat end + 9) <= contents i1 /\ 11 <= (match _8 with | $pat, _ -> $pat end + contents i1)) /\ (match _8 with | _, $pat -> $pat end + 8) <= contents i1) /\ 12 <= (match _8 with | _, $pat -> $pat end + contents i1)) /\ 10 <= contents i1) /\ (match _8 with | $pat, _ -> $pat end + 19) <= contents j1) /\ 21 <= (match _8 with | $pat, _ -> $pat end + contents j1)) /\ (match _8 with | _, $pat -> $pat end + 18) <= contents j1) /\ 22 <= (match _8 with | _, $pat -> $pat end + contents j1)) /\ (contents i1 + 10) <= contents j1) /\ 30 <= (contents i1 + contents j1)) /\ 20 <= contents j1 \/ (((((((((((((((((((((((match _8 with | $pat, _ -> $pat end + 8) <= contents i1 /\ 10 <= (match _8 with | $pat, _ -> $pat end + contents i1)) /\ (match _8 with | _, $pat -> $pat end + 7) <= contents i1) /\ 11 <= (match _8 with | _, $pat -> $pat end + contents i1)) /\ 9 <= contents i1) /\ (match _8 with | $pat, _ -> $pat end + contents i1) <= 10) /\ contents i1 <= (8 + match _8 with | $pat, _ -> $pat end)) /\ (match _8 with | _, $pat -> $pat end + contents i1) <= 11) /\ contents i1 <= (7 + match _8 with | _, $pat -> $pat end)) /\ contents i1 <= 9) /\ (match _8 with | $pat, _ -> $pat end + 17) <= contents j1) /\ 19 <= (match _8 with | $pat, _ -> $pat end + contents j1)) /\ (match _8 with | _, $pat -> $pat end + 16) <= contents j1) /\ 20 <= (match _8 with | _, $pat -> $pat end + contents j1)) /\ (contents i1 + 9) <= contents j1) /\ 27 <= (contents i1 + contents j1)) /\ 18 <= contents j1) /\ (match _8 with | $pat, _ -> $pat end + contents j1) <= 19) /\ contents j1 <= (17 + match _8 with | $pat, _ -> $pat end)) /\ (match _8 with | _, $pat -> $pat end + contents j1) <= 20) /\ contents j1 <= (16 + match _8 with | _, $pat -> $pat end)) /\ (contents i1 + contents j1) <= 27) /\ contents j1 <= (9 + contents i1)) /\ contents j1 <= 18 \/ (((((((((((((((((((((((match _8 with | $pat, _ -> $pat end + 2) <= contents i1 /\ 4 <= (match _8 with | $pat, _ -> $pat end + contents i1)) /\ match _8 with | _, $pat -> $pat end < contents i1) /\ 5 <= (match _8 with | _, $pat -> $pat end + contents i1)) /\ 3 <= contents i1) /\ (match _8 with | $pat, _ -> $pat end + contents i1) <= 4) /\ contents i1 <= (2 + match _8 with | $pat, _ -> $pat end)) /\ (match _8 with | _, $pat -> $pat end + contents i1) <= 5) /\ contents i1 <= (1 + match _8 with | _, $pat -> $pat end)) /\ contents i1 <= 3) /\ (match _8 with | $pat, _ -> $pat end + 5) <= contents j1) /\ 7 <= (match _8 with | $pat, _ -> $pat end + contents j1)) /\ (match _8 with | _, $pat -> $pat end + 4) <= contents j1) /\ 8 <= (match _8 with | _, $pat -> $pat end + contents j1)) /\ (contents i1 + 3) <= contents j1) /\ 9 <= (contents i1 + contents j1)) /\ 6 <= contents j1) /\ (match _8 with | $pat, _ -> $pat end + contents j1) <= 7) /\ contents j1 <= (5 + match _8 with | $pat, _ -> $pat end)) /\ (match _8 with | _, $pat -> $pat end + contents j1) <= 8) /\ contents j1 <= (4 + match _8 with | _, $pat -> $pat end)) /\ (contents i1 + contents j1) <= 9) /\ contents j1 <= (3 + contents i1)) /\ contents j1 <= 6 \/ ((((((((((((((((((((((((match _8 with | $pat, _ -> $pat end <= contents i1 /\ 2 <= (match _8 with | $pat, _ -> $pat end + contents i1)) /\ match _8 with | _, $pat -> $pat end <= (1 + contents i1)) /\ 3 <= (match _8 with | _, $pat -> $pat end + contents i1)) /\ 0 < contents i1) /\ (match _8 with | $pat, _ -> $pat end + contents i1) <= 2) /\ contents i1 <= match _8 with | $pat, _ -> $pat end) /\ (match _8 with | _, $pat -> $pat end + contents i1) <= 3) /\ contents i1 < match _8 with | _, $pat -> $pat end) /\ contents i1 <= 1) /\ match _8 with | $pat, _ -> $pat end < contents j1) /\ 3 <= (match _8 with | $pat, _ -> $pat end + contents j1)) /\ match _8 with | _, $pat -> $pat end <= contents j1) /\ 4 <= (match _8 with | _, $pat -> $pat end + contents j1)) /\ contents i1 < contents j1) /\ 3 <= (contents i1 + contents j1)) /\ 2 <= contents j1) /\ (match _8 with | $pat, _ -> $pat end + contents j1) <= 3) /\ contents j1 <= (1 + match _8 with | $pat, _ -> $pat end)) /\ (match _8 with | _, $pat -> $pat end + contents j1) <= 4) /\ contents j1 <= match _8 with | _, $pat -> $pat end) /\ (contents i1 + contents j1) <= 3) /\ contents j1 <= (1 + contents i1)) /\ contents j1 <= 2) /\ contents i1 = match _8 with | $pat, _ -> $pat end) /\ contents j1 = match _8 with | _, $pat -> $pat end \/ (((((((((((((((((((((((match _8 with | $pat, _ -> $pat end + 4) <= contents i1 /\ 6 <= (match _8 with | $pat, _ -> $pat end + contents i1)) /\ (match _8 with | _, $pat -> $pat end + 3) <= contents i1) /\ 7 <= (match _8 with | _, $pat -> $pat end + contents i1)) /\ 5 <= contents i1) /\ (match _8 with | $pat, _ -> $pat end + contents i1) <= 6) /\ contents i1 <= (4 + match _8 with | $pat, _ -> $pat end)) /\ (match _8 with | _, $pat -> $pat end + contents i1) <= 7) /\ contents i1 <= (3 + match _8 with | _, $pat -> $pat end)) /\ contents i1 <= 5) /\ (match _8 with | $pat, _ -> $pat end + 9) <= contents j1) /\ 11 <= (match _8 with | $pat, _ -> $pat end + contents j1)) /\ (match _8 with | _, $pat -> $pat end + 8) <= contents j1) /\ 12 <= (match _8 with | _, $pat -> $pat end + contents j1)) /\ (contents i1 + 5) <= contents j1) /\ 15 <= (contents i1 + contents j1)) /\ 10 <= contents j1) /\ (match _8 with | $pat, _ -> $pat end + contents j1) <= 11) /\ contents j1 <= (9 + match _8 with | $pat, _ -> $pat end)) /\ (match _8 with | _, $pat -> $pat end + contents j1) <= 12) /\ contents j1 <= (8 + match _8 with | _, $pat -> $pat end)) /\ (contents i1 + contents j1) <= 15) /\ contents j1 <= (5 + contents i1)) /\ contents j1 <= 10) /\ 2 = match _8 with | _, $pat -> $pat end) /\ 1 = match _8 with | $pat, _ -> $pat end) /\ (1, 2) = _8) /\ contents j1 <= 20) /\ contents j1 <= (10 + contents i1)) /\ (contents i1 + contents j1) <= 30) /\ contents j1 <= (18 + match _8 with | _, $pat -> $pat end)) /\ (match _8 with | _, $pat -> $pat end + contents j1) <= 22) /\ contents j1 <= (19 + match _8 with | $pat, _ -> $pat end)) /\ (match _8 with | $pat, _ -> $pat end + contents j1) <= 21) /\ 0 <= contents j1) /\ 0 <= (contents i1 + contents j1)) /\ contents i1 <= contents j1) /\ 2 <= (match _8 with | _, $pat -> $pat end + contents j1)) /\ match _8 with | _, $pat -> $pat end <= (2 + contents j1)) /\ 0 < (match _8 with | $pat, _ -> $pat end + contents j1)) /\ match _8 with | $pat, _ -> $pat end <= (1 + contents j1)) /\ contents i1 <= 10) /\ contents i1 <= (8 + match _8 with | _, $pat -> $pat end)) /\ (match _8 with | _, $pat -> $pat end + contents i1) <= 12) /\ contents i1 <= (9 + match _8 with | $pat, _ -> $pat end)) /\ (match _8 with | $pat, _ -> $pat end + contents i1) <= 11) /\ 0 <= contents i1) /\ 2 <= (match _8 with | _, $pat -> $pat end + contents i1)) /\ match _8 with | _, $pat -> $pat end <= (2 + contents i1)) /\ 0 < (match _8 with | $pat, _ -> $pat end + contents i1)) /\ match _8 with | $pat, _ -> $pat end <= (1 + contents i1)) /\ match _8 with | _, $pat -> $pat end <= 2) /\ match _8 with | _, $pat -> $pat end <= (1 + match _8 with | $pat, _ -> $pat end)) /\ (match _8 with | $pat, _ -> $pat end + match _8 with | _, $pat -> $pat end) <= 3) /\ 2 <= match _8 with | _, $pat -> $pat end) /\ 3 <= (match _8 with | $pat, _ -> $pat end + match _8 with | _, $pat -> $pat end)) /\ match _8 with | $pat, _ -> $pat end < match _8 with | _, $pat -> $pat end) /\ match _8 with | $pat, _ -> $pat end <= 1) /\ 0 < match _8 with | $pat, _ -> $pat end ### CFG size: 65 nodes, 65 hyperedges Time elapsed 8.506086s ### Debug: inferred invariants ### ((((((((((0 = contents i2 /\ 0 = contents j2) /\ contents i2 = 0) /\ contents j2 = 0 \/ 0 < contents i2 /\ 2 <= contents j2) /\ 2 = match _15 with | _, $pat -> $pat end) /\ (1, 2) = _15) /\ 1 = match _15 with | $pat, _ -> $pat end) /\ 0 <= contents j2) /\ contents i2 <= 10) /\ 0 <= contents i2) /\ 2 = match _15 with | _, $pat -> $pat end) /\ 1 = match _15 with | $pat, _ -> $pat end ### File bench/infer/tuple2.mlw: Goal b'vc. Prover result is: Valid (0.01s, 12 steps). File bench/infer/tuple2.mlw: Goal b2'vc. Prover result is: Valid (0.14s, 321 steps). File bench/infer/tuple2.mlw: Goal b3'vc. Prover result is: Unknown () (0.04s). why3-1.6.0/bench/infer/infer-oracles/twoway.oracle000066400000000000000000000677471440160026300220650ustar00rootroot00000000000000CFG size: 79 nodes, 81 hyperedges Couldn't understand entirely the post condition: exchange a a1 result4 result3 Couldn't understand entirely the post condition: exchange a a1 result4 result3 Couldn't understand entirely the post condition: exchange a a1 result4 result3 Couldn't understand entirely the post condition: exchange a a1 result4 result3 Couldn't understand entirely the post condition: exchange a a1 result4 result3 Couldn't understand entirely the post condition: exchange a a1 result4 result3 Couldn't understand entirely the post condition: exchange a a1 result4 result3 Couldn't understand entirely the post condition: exchange a a1 result4 result3 Couldn't understand entirely the post condition: exchange a a1 result4 result3 Couldn't understand entirely the post condition: exchange a a1 result4 result3 Couldn't understand entirely the post condition: exchange a a1 result4 result3 Couldn't understand entirely the post condition: exchange a a1 result4 result3 Couldn't understand entirely the post condition: exchange a a1 result4 result3 Time elapsed 0.722369s ### Debug: inferred invariants ### (((((length a1 = (1 + contents j) /\ 0 = contents i) /\ 0 <= length a1) /\ (length a1 - 1) = contents j) /\ contents i = 0 \/ (((0 = contents i /\ 0 <= contents j) /\ (contents j + 2) <= length a1) /\ True = (elts a1 @ contents i)) /\ contents i = 0 \/ 0 < contents i) /\ 0 <= contents i) /\ contents i <= (1 + contents j) ### CFG size: 79 nodes, 81 hyperedges Couldn't understand entirely the post condition: exchange a2 a3 result11 result10 Couldn't understand entirely the post condition: exchange a2 a3 result11 result10 Couldn't understand entirely the post condition: exchange a2 a3 result11 result10 Couldn't understand entirely the post condition: exchange a2 a3 result11 result10 Couldn't understand entirely the post condition: exchange a2 a3 result11 result10 Couldn't understand entirely the post condition: exchange a2 a3 result11 result10 Couldn't understand entirely the post condition: exchange a2 a3 result11 result10 Couldn't understand entirely the post condition: exchange a2 a3 result11 result10 Couldn't understand entirely the post condition: exchange a2 a3 result11 result10 Couldn't understand entirely the post condition: exchange a2 a3 result11 result10 Couldn't understand entirely the post condition: exchange a2 a3 result11 result10 Couldn't understand entirely the post condition: exchange a2 a3 result11 result10 Couldn't understand entirely the post condition: exchange a2 a3 result11 result10 Couldn't understand entirely the post condition: exchange a2 a3 result11 result10 Couldn't understand entirely the post condition: exchange a2 a3 result11 result10 Couldn't understand entirely the post condition: exchange a2 a3 result11 result10 Couldn't understand entirely the post condition: exchange a2 a3 result11 result10 Couldn't understand entirely the post condition: exchange a2 a3 result11 result10 Couldn't understand entirely the post condition: exchange a2 a3 result11 result10 Couldn't understand entirely the post condition: exchange a2 a3 result11 result10 Couldn't understand entirely the post condition: exchange a2 a3 result11 result10 Couldn't understand entirely the post condition: exchange a2 a3 result11 result10 Couldn't understand entirely the post condition: exchange a2 a3 result11 result10 Couldn't understand entirely the post condition: exchange a2 a3 result11 result10 Couldn't understand entirely the post condition: exchange a2 a3 result11 result10 Couldn't understand entirely the post condition: exchange a2 a3 result11 result10 Couldn't understand entirely the post condition: exchange a2 a3 result11 result10 Couldn't understand entirely the post condition: exchange a2 a3 result11 result10 Couldn't understand entirely the post condition: exchange a2 a3 result11 result10 Couldn't understand entirely the post condition: exchange a2 a3 result11 result10 Couldn't understand entirely the post condition: exchange a2 a3 result11 result10 Couldn't understand entirely the post condition: exchange a2 a3 result11 result10 Couldn't understand entirely the post condition: exchange a2 a3 result11 result10 Couldn't understand entirely the post condition: exchange a2 a3 result11 result10 Couldn't understand entirely the post condition: exchange a2 a3 result11 result10 Couldn't understand entirely the post condition: exchange a2 a3 result11 result10 Couldn't understand entirely the post condition: exchange a2 a3 result11 result10 Couldn't understand entirely the post condition: exchange a2 a3 result11 result10 Couldn't understand entirely the post condition: exchange a2 a3 result11 result10 Couldn't understand entirely the post condition: exchange a2 a3 result11 result10 Couldn't understand entirely the post condition: exchange a2 a3 result11 result10 Couldn't understand entirely the post condition: exchange a2 a3 result11 result10 Couldn't understand entirely the post condition: exchange a2 a3 result11 result10 Couldn't understand entirely the post condition: exchange a2 a3 result11 result10 Couldn't understand entirely the post condition: exchange a2 a3 result11 result10 Couldn't understand entirely the post condition: exchange a2 a3 result11 result10 Couldn't understand entirely the post condition: exchange a2 a3 result11 result10 Couldn't understand entirely the post condition: exchange a2 a3 result11 result10 Couldn't understand entirely the post condition: exchange a2 a3 result11 result10 Couldn't understand entirely the post condition: exchange a2 a3 result11 result10 Couldn't understand entirely the post condition: exchange a2 a3 result11 result10 Couldn't understand entirely the post condition: exchange a2 a3 result11 result10 Couldn't understand entirely the post condition: exchange a2 a3 result11 result10 Couldn't understand entirely the post condition: exchange a2 a3 result11 result10 Couldn't understand entirely the post condition: exchange a2 a3 result11 result10 Couldn't understand entirely the post condition: exchange a2 a3 result11 result10 Couldn't understand entirely the post condition: exchange a2 a3 result11 result10 Couldn't understand entirely the post condition: exchange a2 a3 result11 result10 Couldn't understand entirely the post condition: exchange a2 a3 result11 result10 Couldn't understand entirely the post condition: exchange a2 a3 result11 result10 Couldn't understand entirely the post condition: exchange a2 a3 result11 result10 Couldn't understand entirely the post condition: exchange a2 a3 result11 result10 Couldn't understand entirely the post condition: exchange a2 a3 result11 result10 Couldn't understand entirely the post condition: exchange a2 a3 result11 result10 Couldn't understand entirely the post condition: exchange a2 a3 result11 result10 Couldn't understand entirely the post condition: exchange a2 a3 result11 result10 Couldn't understand entirely the post condition: exchange a2 a3 result11 result10 Couldn't understand entirely the post condition: exchange a2 a3 result11 result10 Couldn't understand entirely the post condition: exchange a2 a3 result11 result10 Couldn't understand entirely the post condition: exchange a2 a3 result11 result10 Couldn't understand entirely the post condition: exchange a2 a3 result11 result10 Couldn't understand entirely the post condition: exchange a2 a3 result11 result10 Couldn't understand entirely the post condition: exchange a2 a3 result11 result10 Couldn't understand entirely the post condition: exchange a2 a3 result11 result10 Couldn't understand entirely the post condition: exchange a2 a3 result11 result10 Couldn't understand entirely the post condition: exchange a2 a3 result11 result10 Couldn't understand entirely the post condition: exchange a2 a3 result11 result10 Couldn't understand entirely the post condition: exchange a2 a3 result11 result10 Couldn't understand entirely the post condition: exchange a2 a3 result11 result10 Couldn't understand entirely the post condition: exchange a2 a3 result11 result10 Couldn't understand entirely the post condition: exchange a2 a3 result11 result10 Couldn't understand entirely the post condition: exchange a2 a3 result11 result10 Couldn't understand entirely the post condition: exchange a2 a3 result11 result10 Couldn't understand entirely the post condition: exchange a2 a3 result11 result10 Couldn't understand entirely the post condition: exchange a2 a3 result11 result10 Couldn't understand entirely the post condition: exchange a2 a3 result11 result10 Couldn't understand entirely the post condition: exchange a2 a3 result11 result10 Couldn't understand entirely the post condition: exchange a2 a3 result11 result10 Couldn't understand entirely the post condition: exchange a2 a3 result11 result10 Couldn't understand entirely the post condition: exchange a2 a3 result11 result10 Couldn't understand entirely the post condition: exchange a2 a3 result11 result10 Couldn't understand entirely the post condition: exchange a2 a3 result11 result10 Couldn't understand entirely the post condition: exchange a2 a3 result11 result10 Couldn't understand entirely the post condition: exchange a2 a3 result11 result10 Couldn't understand entirely the post condition: exchange a2 a3 result11 result10 Couldn't understand entirely the post condition: exchange a2 a3 result11 result10 Couldn't understand entirely the post condition: exchange a2 a3 result11 result10 Couldn't understand entirely the post condition: exchange a2 a3 result11 result10 Couldn't understand entirely the post condition: exchange a2 a3 result11 result10 Couldn't understand entirely the post condition: exchange a2 a3 result11 result10 Couldn't understand entirely the post condition: exchange a2 a3 result11 result10 Couldn't understand entirely the post condition: exchange a2 a3 result11 result10 Couldn't understand entirely the post condition: exchange a2 a3 result11 result10 Couldn't understand entirely the post condition: exchange a2 a3 result11 result10 Couldn't understand entirely the post condition: exchange a2 a3 result11 result10 Couldn't understand entirely the post condition: exchange a2 a3 result11 result10 Couldn't understand entirely the post condition: exchange a2 a3 result11 result10 Couldn't understand entirely the post condition: exchange a2 a3 result11 result10 Couldn't understand entirely the post condition: exchange a2 a3 result11 result10 Couldn't understand entirely the post condition: exchange a2 a3 result11 result10 Couldn't understand entirely the post condition: exchange a2 a3 result11 result10 Couldn't understand entirely the post condition: exchange a2 a3 result11 result10 Couldn't understand entirely the post condition: exchange a2 a3 result11 result10 Couldn't understand entirely the post condition: exchange a2 a3 result11 result10 Couldn't understand entirely the post condition: exchange a2 a3 result11 result10 Couldn't understand entirely the post condition: exchange a2 a3 result11 result10 Couldn't understand entirely the post condition: exchange a2 a3 result11 result10 Couldn't understand entirely the post condition: exchange a2 a3 result11 result10 Couldn't understand entirely the post condition: exchange a2 a3 result11 result10 Couldn't understand entirely the post condition: exchange a2 a3 result11 result10 Couldn't understand entirely the post condition: exchange a2 a3 result11 result10 Couldn't understand entirely the post condition: exchange a2 a3 result11 result10 Couldn't understand entirely the post condition: exchange a2 a3 result11 result10 Couldn't understand entirely the post condition: exchange a2 a3 result11 result10 Couldn't understand entirely the post condition: exchange a2 a3 result11 result10 Couldn't understand entirely the post condition: exchange a2 a3 result11 result10 Couldn't understand entirely the post condition: exchange a2 a3 result11 result10 Couldn't understand entirely the post condition: exchange a2 a3 result11 result10 Couldn't understand entirely the post condition: exchange a2 a3 result11 result10 Couldn't understand entirely the post condition: exchange a2 a3 result11 result10 Couldn't understand entirely the post condition: exchange a2 a3 result11 result10 Couldn't understand entirely the post condition: exchange a2 a3 result11 result10 Couldn't understand entirely the post condition: exchange a2 a3 result11 result10 Couldn't understand entirely the post condition: exchange a2 a3 result11 result10 Couldn't understand entirely the post condition: exchange a2 a3 result11 result10 Couldn't understand entirely the post condition: exchange a2 a3 result11 result10 Couldn't understand entirely the post condition: exchange a2 a3 result11 result10 Couldn't understand entirely the post condition: exchange a2 a3 result11 result10 Couldn't understand entirely the post condition: exchange a2 a3 result11 result10 Couldn't understand entirely the post condition: exchange a2 a3 result11 result10 Couldn't understand entirely the post condition: exchange a2 a3 result11 result10 Couldn't understand entirely the post condition: exchange a2 a3 result11 result10 Couldn't understand entirely the post condition: exchange a2 a3 result11 result10 Couldn't understand entirely the post condition: exchange a2 a3 result11 result10 Couldn't understand entirely the post condition: exchange a2 a3 result11 result10 Couldn't understand entirely the post condition: exchange a2 a3 result11 result10 Couldn't understand entirely the post condition: exchange a2 a3 result11 result10 Couldn't understand entirely the post condition: exchange a2 a3 result11 result10 Couldn't understand entirely the post condition: exchange a2 a3 result11 result10 Couldn't understand entirely the post condition: exchange a2 a3 result11 result10 Couldn't understand entirely the post condition: exchange a2 a3 result11 result10 Couldn't understand entirely the post condition: exchange a2 a3 result11 result10 Couldn't understand entirely the post condition: exchange a2 a3 result11 result10 Couldn't understand entirely the post condition: exchange a2 a3 result11 result10 Couldn't understand entirely the post condition: exchange a2 a3 result11 result10 Couldn't understand entirely the post condition: exchange a2 a3 result11 result10 Couldn't understand entirely the post condition: exchange a2 a3 result11 result10 Couldn't understand entirely the post condition: exchange a2 a3 result11 result10 Couldn't understand entirely the post condition: exchange a2 a3 result11 result10 Couldn't understand entirely the post condition: exchange a2 a3 result11 result10 Couldn't understand entirely the post condition: exchange a2 a3 result11 result10 Couldn't understand entirely the post condition: exchange a2 a3 result11 result10 Couldn't understand entirely the post condition: exchange a2 a3 result11 result10 Couldn't understand entirely the post condition: exchange a2 a3 result11 result10 Couldn't understand entirely the post condition: exchange a2 a3 result11 result10 Couldn't understand entirely the post condition: exchange a2 a3 result11 result10 Couldn't understand entirely the post condition: exchange a2 a3 result11 result10 Couldn't understand entirely the post condition: exchange a2 a3 result11 result10 Couldn't understand entirely the post condition: exchange a2 a3 result11 result10 Couldn't understand entirely the post condition: exchange a2 a3 result11 result10 Couldn't understand entirely the post condition: exchange a2 a3 result11 result10 Couldn't understand entirely the post condition: exchange a2 a3 result11 result10 Couldn't understand entirely the post condition: exchange a2 a3 result11 result10 Couldn't understand entirely the post condition: exchange a2 a3 result11 result10 Couldn't understand entirely the post condition: exchange a2 a3 result11 result10 Couldn't understand entirely the post condition: exchange a2 a3 result11 result10 Couldn't understand entirely the post condition: exchange a2 a3 result11 result10 Couldn't understand entirely the post condition: exchange a2 a3 result11 result10 Couldn't understand entirely the post condition: exchange a2 a3 result11 result10 Couldn't understand entirely the post condition: exchange a2 a3 result11 result10 Couldn't understand entirely the post condition: exchange a2 a3 result11 result10 Couldn't understand entirely the post condition: exchange a2 a3 result11 result10 Couldn't understand entirely the post condition: exchange a2 a3 result11 result10 Couldn't understand entirely the post condition: exchange a2 a3 result11 result10 Couldn't understand entirely the post condition: exchange a2 a3 result11 result10 Couldn't understand entirely the post condition: exchange a2 a3 result11 result10 Couldn't understand entirely the post condition: exchange a2 a3 result11 result10 Couldn't understand entirely the post condition: exchange a2 a3 result11 result10 Couldn't understand entirely the post condition: exchange a2 a3 result11 result10 Couldn't understand entirely the post condition: exchange a2 a3 result11 result10 Couldn't understand entirely the post condition: exchange a2 a3 result11 result10 Couldn't understand entirely the post condition: exchange a2 a3 result11 result10 Couldn't understand entirely the post condition: exchange a2 a3 result11 result10 Couldn't understand entirely the post condition: exchange a2 a3 result11 result10 Couldn't understand entirely the post condition: exchange a2 a3 result11 result10 Couldn't understand entirely the post condition: exchange a2 a3 result11 result10 Couldn't understand entirely the post condition: exchange a2 a3 result11 result10 Couldn't understand entirely the post condition: exchange a2 a3 result11 result10 Couldn't understand entirely the post condition: exchange a2 a3 result11 result10 Couldn't understand entirely the post condition: exchange a2 a3 result11 result10 Couldn't understand entirely the post condition: exchange a2 a3 result11 result10 Couldn't understand entirely the post condition: exchange a2 a3 result11 result10 Couldn't understand entirely the post condition: exchange a2 a3 result11 result10 Couldn't understand entirely the post condition: exchange a2 a3 result11 result10 Couldn't understand entirely the post condition: exchange a2 a3 result11 result10 Couldn't understand entirely the post condition: exchange a2 a3 result11 result10 Couldn't understand entirely the post condition: exchange a2 a3 result11 result10 Couldn't understand entirely the post condition: exchange a2 a3 result11 result10 Couldn't understand entirely the post condition: exchange a2 a3 result11 result10 Couldn't understand entirely the post condition: exchange a2 a3 result11 result10 Couldn't understand entirely the post condition: exchange a2 a3 result11 result10 Couldn't understand entirely the post condition: exchange a2 a3 result11 result10 Couldn't understand entirely the post condition: exchange a2 a3 result11 result10 Couldn't understand entirely the post condition: exchange a2 a3 result11 result10 Couldn't understand entirely the post condition: exchange a2 a3 result11 result10 Couldn't understand entirely the post condition: exchange a2 a3 result11 result10 Couldn't understand entirely the post condition: exchange a2 a3 result11 result10 Couldn't understand entirely the post condition: exchange a2 a3 result11 result10 Couldn't understand entirely the post condition: exchange a2 a3 result11 result10 Couldn't understand entirely the post condition: exchange a2 a3 result11 result10 Couldn't understand entirely the post condition: exchange a2 a3 result11 result10 Couldn't understand entirely the post condition: exchange a2 a3 result11 result10 Couldn't understand entirely the post condition: exchange a2 a3 result11 result10 Couldn't understand entirely the post condition: exchange a2 a3 result11 result10 Couldn't understand entirely the post condition: exchange a2 a3 result11 result10 Couldn't understand entirely the post condition: exchange a2 a3 result11 result10 Couldn't understand entirely the post condition: exchange a2 a3 result11 result10 Couldn't understand entirely the post condition: exchange a2 a3 result11 result10 Couldn't understand entirely the post condition: exchange a2 a3 result11 result10 Couldn't understand entirely the post condition: exchange a2 a3 result11 result10 Couldn't understand entirely the post condition: exchange a2 a3 result11 result10 Couldn't understand entirely the post condition: exchange a2 a3 result11 result10 Couldn't understand entirely the post condition: exchange a2 a3 result11 result10 Couldn't understand entirely the post condition: exchange a2 a3 result11 result10 Couldn't understand entirely the post condition: exchange a2 a3 result11 result10 Couldn't understand entirely the post condition: exchange a2 a3 result11 result10 Couldn't understand entirely the post condition: exchange a2 a3 result11 result10 Couldn't understand entirely the post condition: exchange a2 a3 result11 result10 Couldn't understand entirely the post condition: exchange a2 a3 result11 result10 Couldn't understand entirely the post condition: exchange a2 a3 result11 result10 Couldn't understand entirely the post condition: exchange a2 a3 result11 result10 Couldn't understand entirely the post condition: exchange a2 a3 result11 result10 Couldn't understand entirely the post condition: exchange a2 a3 result11 result10 Couldn't understand entirely the post condition: exchange a2 a3 result11 result10 Couldn't understand entirely the post condition: exchange a2 a3 result11 result10 Couldn't understand entirely the post condition: exchange a2 a3 result11 result10 Couldn't understand entirely the post condition: exchange a2 a3 result11 result10 Couldn't understand entirely the post condition: exchange a2 a3 result11 result10 Couldn't understand entirely the post condition: exchange a2 a3 result11 result10 Couldn't understand entirely the post condition: exchange a2 a3 result11 result10 Couldn't understand entirely the post condition: exchange a2 a3 result11 result10 Couldn't understand entirely the post condition: exchange a2 a3 result11 result10 Couldn't understand entirely the post condition: exchange a2 a3 result11 result10 Couldn't understand entirely the post condition: exchange a2 a3 result11 result10 Couldn't understand entirely the post condition: exchange a2 a3 result11 result10 Couldn't understand entirely the post condition: exchange a2 a3 result11 result10 Couldn't understand entirely the post condition: exchange a2 a3 result11 result10 Couldn't understand entirely the post condition: exchange a2 a3 result11 result10 Couldn't understand entirely the post condition: exchange a2 a3 result11 result10 Couldn't understand entirely the post condition: exchange a2 a3 result11 result10 Couldn't understand entirely the post condition: exchange a2 a3 result11 result10 Couldn't understand entirely the post condition: exchange a2 a3 result11 result10 Couldn't understand entirely the post condition: exchange a2 a3 result11 result10 Couldn't understand entirely the post condition: exchange a2 a3 result11 result10 Couldn't understand entirely the post condition: exchange a2 a3 result11 result10 Couldn't understand entirely the post condition: exchange a2 a3 result11 result10 Couldn't understand entirely the post condition: exchange a2 a3 result11 result10 Couldn't understand entirely the post condition: exchange a2 a3 result11 result10 Couldn't understand entirely the post condition: exchange a2 a3 result11 result10 Couldn't understand entirely the post condition: exchange a2 a3 result11 result10 Couldn't understand entirely the post condition: exchange a2 a3 result11 result10 Couldn't understand entirely the post condition: exchange a2 a3 result11 result10 Couldn't understand entirely the post condition: exchange a2 a3 result11 result10 Couldn't understand entirely the post condition: exchange a2 a3 result11 result10 Couldn't understand entirely the post condition: exchange a2 a3 result11 result10 Couldn't understand entirely the post condition: exchange a2 a3 result11 result10 Couldn't understand entirely the post condition: exchange a2 a3 result11 result10 Couldn't understand entirely the post condition: exchange a2 a3 result11 result10 Couldn't understand entirely the post condition: exchange a2 a3 result11 result10 Couldn't understand entirely the post condition: exchange a2 a3 result11 result10 Couldn't understand entirely the post condition: exchange a2 a3 result11 result10 Couldn't understand entirely the post condition: exchange a2 a3 result11 result10 Couldn't understand entirely the post condition: exchange a2 a3 result11 result10 Couldn't understand entirely the post condition: exchange a2 a3 result11 result10 Couldn't understand entirely the post condition: exchange a2 a3 result11 result10 Couldn't understand entirely the post condition: exchange a2 a3 result11 result10 Couldn't understand entirely the post condition: exchange a2 a3 result11 result10 Couldn't understand entirely the post condition: exchange a2 a3 result11 result10 Couldn't understand entirely the post condition: exchange a2 a3 result11 result10 Couldn't understand entirely the post condition: exchange a2 a3 result11 result10 Couldn't understand entirely the post condition: exchange a2 a3 result11 result10 Couldn't understand entirely the post condition: exchange a2 a3 result11 result10 Couldn't understand entirely the post condition: exchange a2 a3 result11 result10 Couldn't understand entirely the post condition: exchange a2 a3 result11 result10 Couldn't understand entirely the post condition: exchange a2 a3 result11 result10 Couldn't understand entirely the post condition: exchange a2 a3 result11 result10 Couldn't understand entirely the post condition: exchange a2 a3 result11 result10 Couldn't understand entirely the post condition: exchange a2 a3 result11 result10 Couldn't understand entirely the post condition: exchange a2 a3 result11 result10 Couldn't understand entirely the post condition: exchange a2 a3 result11 result10 Couldn't understand entirely the post condition: exchange a2 a3 result11 result10 Couldn't understand entirely the post condition: exchange a2 a3 result11 result10 Couldn't understand entirely the post condition: exchange a2 a3 result11 result10 Couldn't understand entirely the post condition: exchange a2 a3 result11 result10 Couldn't understand entirely the post condition: exchange a2 a3 result11 result10 Couldn't understand entirely the post condition: exchange a2 a3 result11 result10 Couldn't understand entirely the post condition: exchange a2 a3 result11 result10 Couldn't understand entirely the post condition: exchange a2 a3 result11 result10 Couldn't understand entirely the post condition: exchange a2 a3 result11 result10 Couldn't understand entirely the post condition: exchange a2 a3 result11 result10 Couldn't understand entirely the post condition: exchange a2 a3 result11 result10 Couldn't understand entirely the post condition: exchange a2 a3 result11 result10 Couldn't understand entirely the post condition: exchange a2 a3 result11 result10 Couldn't understand entirely the post condition: exchange a2 a3 result11 result10 Couldn't understand entirely the post condition: exchange a2 a3 result11 result10 Couldn't understand entirely the post condition: exchange a2 a3 result11 result10 Couldn't understand entirely the post condition: exchange a2 a3 result11 result10 Couldn't understand entirely the post condition: exchange a2 a3 result11 result10 Couldn't understand entirely the post condition: exchange a2 a3 result11 result10 Couldn't understand entirely the post condition: exchange a2 a3 result11 result10 Couldn't understand entirely the post condition: exchange a2 a3 result11 result10 Couldn't understand entirely the post condition: exchange a2 a3 result11 result10 Couldn't understand entirely the post condition: exchange a2 a3 result11 result10 Couldn't understand entirely the post condition: exchange a2 a3 result11 result10 Couldn't understand entirely the post condition: exchange a2 a3 result11 result10 Couldn't understand entirely the post condition: exchange a2 a3 result11 result10 Couldn't understand entirely the post condition: exchange a2 a3 result11 result10 Couldn't understand entirely the post condition: exchange a2 a3 result11 result10 Time elapsed 12.379412s ### Debug: inferred invariants ### forall w2:int. true ### File bench/infer/twoway.mlw: Goal two_way_sort'vc. Prover result is: Timeout (1.00s). File bench/infer/twoway.mlw: Goal two_way_sort3'vc. Prover result is: Timeout (1.00s). why3-1.6.0/bench/infer/infer-oracles/uf6.oracle000066400000000000000000000076111440160026300212130ustar00rootroot00000000000000-- warning: Recursive types is not supported in abstract interpretation. -- triggered by _1 of type list 'xi -- warning: Recursive types is not supported in abstract interpretation. -- triggered by $ret1 of type list int CFG size: 23 nodes, 23 hyperedges -- warning: Recursive types is not supported in abstract interpretation. -- triggered by $ret1 of type list int -- warning: Recursive types is not supported in abstract interpretation. -- triggered by Nil: list int of type list int -- warning: Recursive types is not supported in abstract interpretation. -- triggered by _1 of type list 'xi Time elapsed 0.019195s ### Debug: inferred invariants ### ((((_2 = 5 /\ ll _1 = 0) /\ 0 <= contents k) /\ contents k <= 3) /\ 0 = ll _1) /\ 5 = _2 ### -- warning: Recursive types is not supported in abstract interpretation. -- triggered by _5 of type list 'xi1 -- warning: Recursive types is not supported in abstract interpretation. -- triggered by $ret3 of type list int CFG size: 23 nodes, 23 hyperedges -- warning: Recursive types is not supported in abstract interpretation. -- triggered by $ret3 of type list int -- warning: Recursive types is not supported in abstract interpretation. -- triggered by Nil: list int of type list int -- warning: Recursive types is not supported in abstract interpretation. -- triggered by _5 of type list 'xi1 Time elapsed 0.138151s ### Debug: inferred invariants ### ((((((((((((((((((_6 = 5 /\ ll _5 = 0) /\ contents k1 <= 3) /\ (contents k1 + 2) <= _6) /\ (_6 + contents k1) <= 8) /\ contents k1 <= (3 + ll _5)) /\ (ll _5 + contents k1) <= 3) /\ 0 <= contents k1) /\ 5 <= (_6 + contents k1)) /\ _6 <= (5 + contents k1)) /\ 0 <= (ll _5 + contents k1)) /\ ll _5 <= contents k1) /\ _6 <= 5) /\ _6 <= (5 + ll _5)) /\ (ll _5 + _6) <= 5) /\ 5 <= _6) /\ 5 <= (ll _5 + _6)) /\ (ll _5 + 5) <= _6) /\ ll _5 <= 0) /\ 0 <= ll _5 ### -- warning: Recursive types is not supported in abstract interpretation. -- triggered by _9 of type list 'xi2 -- warning: Recursive types is not supported in abstract interpretation. -- triggered by $ret5 of type list int CFG size: 23 nodes, 23 hyperedges -- warning: Recursive types is not supported in abstract interpretation. -- triggered by $ret5 of type list int -- warning: Recursive types is not supported in abstract interpretation. -- triggered by Nil: list int of type list int -- warning: Recursive types is not supported in abstract interpretation. -- triggered by $ret5 of type list int -- warning: Recursive types is not supported in abstract interpretation. -- triggered by Nil: list int of type list int -- warning: Recursive types is not supported in abstract interpretation. -- triggered by $ret5 of type list int -- warning: Recursive types is not supported in abstract interpretation. -- triggered by Nil: list int of type list int -- warning: Recursive types is not supported in abstract interpretation. -- triggered by $ret5 of type list int -- warning: Recursive types is not supported in abstract interpretation. -- triggered by Nil: list int of type list int -- warning: Recursive types is not supported in abstract interpretation. -- triggered by _9 of type list 'xi2 Time elapsed 0.014599s ### Debug: inferred invariants ### ((((((0 = contents k2 /\ contents k2 = 0 \/ 3 = contents k2 \/ 1 = contents k2 \/ 2 = contents k2) /\ _10 = 5) /\ ll _9 = 0) /\ contents k2 <= 3) /\ 0 <= contents k2) /\ 5 = _10) /\ 0 = ll _9 ### File bench/infer/uf6.mlw: Goal cons'vc. Prover result is: Unknown () (0.17s). File "bench/infer/uf6.mlw", line 20, characters 11-24: Goal nil'vc. Prover result is: Unknown () (0.02s). File bench/infer/uf6.mlw: Goal b'vc. Prover result is: Timeout (1.00s). File bench/infer/uf6.mlw: Goal b2'vc. Prover result is: Timeout (1.00s). File bench/infer/uf6.mlw: Goal b3'vc. Prover result is: Timeout (1.00s). why3-1.6.0/bench/infer/infer-oracles/while1.oracle000066400000000000000000000074661440160026300217140ustar00rootroot00000000000000CFG size: 41 nodes, 41 hyperedges Time elapsed 0.030485s ### Debug: inferred invariants ### (0 < contents i /\ contents i <= 10) /\ (2 * contents i) = (2 + contents j) ### CFG size: 41 nodes, 41 hyperedges Time elapsed 8.566708s ### Debug: inferred invariants ### ((((((((((((contents i1 <= 1 /\ (contents i1 + contents j1) <= 1) /\ contents j1 < contents i1) /\ contents j1 <= 0) /\ contents j1 = 0) /\ contents i1 = 1 \/ ((((((9 <= contents i1 /\ contents i1 <= 9) /\ (contents i1 + 7) <= contents j1) /\ 25 <= (contents i1 + contents j1)) /\ 16 <= contents j1) /\ (contents i1 + contents j1) <= 25) /\ contents j1 <= (7 + contents i1)) /\ contents j1 <= 16 \/ ((10 <= contents i1 /\ (contents i1 + 8) <= contents j1) /\ 28 <= (contents i1 + contents j1)) /\ 18 <= contents j1 \/ ((((((7 <= contents i1 /\ contents i1 <= 7) /\ (contents i1 + 5) <= contents j1) /\ 19 <= (contents i1 + contents j1)) /\ 12 <= contents j1) /\ (contents i1 + contents j1) <= 19) /\ contents j1 <= (5 + contents i1)) /\ contents j1 <= 12 \/ ((((((5 <= contents i1 /\ contents i1 <= 5) /\ (contents i1 + 3) <= contents j1) /\ 13 <= (contents i1 + contents j1)) /\ 8 <= contents j1) /\ (contents i1 + contents j1) <= 13) /\ contents j1 <= (3 + contents i1)) /\ contents j1 <= 8 \/ ((((((3 <= contents i1 /\ contents i1 <= 3) /\ contents i1 < contents j1) /\ 7 <= (contents i1 + contents j1)) /\ 4 <= contents j1) /\ (contents i1 + contents j1) <= 7) /\ contents j1 <= (1 + contents i1)) /\ contents j1 <= 4 \/ (((((((2 <= contents i1 /\ contents i1 <= 2) /\ contents i1 <= contents j1) /\ 4 <= (contents i1 + contents j1)) /\ 2 <= contents j1) /\ (contents i1 + contents j1) <= 4) /\ contents j1 <= contents i1) /\ contents j1 <= 2) /\ 2 = contents j1 \/ ((((((4 <= contents i1 /\ contents i1 <= 4) /\ (contents i1 + 2) <= contents j1) /\ 10 <= (contents i1 + contents j1)) /\ 6 <= contents j1) /\ (contents i1 + contents j1) <= 10) /\ contents j1 <= (2 + contents i1)) /\ contents j1 <= 6 \/ ((((((8 <= contents i1 /\ contents i1 <= 8) /\ (contents i1 + 6) <= contents j1) /\ 22 <= (contents i1 + contents j1)) /\ 14 <= contents j1) /\ (contents i1 + contents j1) <= 22) /\ contents j1 <= (6 + contents i1)) /\ contents j1 <= 14 \/ ((((((6 <= contents i1 /\ contents i1 <= 6) /\ (contents i1 + 4) <= contents j1) /\ 16 <= (contents i1 + contents j1)) /\ 10 <= contents j1) /\ (contents i1 + contents j1) <= 16) /\ contents j1 <= (4 + contents i1)) /\ contents j1 <= 10) /\ contents j1 <= 18) /\ contents j1 <= (8 + contents i1)) /\ (contents i1 + contents j1) <= 28) /\ 0 <= contents j1) /\ 0 < (contents i1 + contents j1)) /\ contents i1 <= (1 + contents j1)) /\ contents i1 <= 10) /\ 0 < contents i1 ### CFG size: 41 nodes, 41 hyperedges Time elapsed 6.931622s ### Debug: inferred invariants ### (((((1 = contents i2 /\ 0 = contents j2) /\ contents j2 = 0) /\ contents i2 = 1 \/ 2 <= contents i2 /\ 2 <= contents j2) /\ 0 <= contents j2) /\ contents i2 <= 10) /\ 0 < contents i2 ### File bench/infer/while1.mlw: Goal b'vc. Prover result is: Valid (0.01s, 10 steps). File bench/infer/while1.mlw: Goal b2'vc. Prover result is: Valid (0.06s, 110 steps). File bench/infer/while1.mlw: Goal b3'vc. Prover result is: Unknown () (0.04s). why3-1.6.0/bench/infer/infer-oracles/while2.oracle000066400000000000000000000005141440160026300217000ustar00rootroot00000000000000CFG size: 79 nodes, 80 hyperedges Time elapsed 0.069985s ### Debug: inferred invariants ### (0 < contents i /\ contents i <= 10) /\ (2 * contents i) = (2 + contents j) (0 < contents i /\ contents i <= 10) /\ (2 * contents i) = (2 + contents j) ### File bench/infer/while2.mlw: Goal b'vc. Prover result is: Valid (0.00s, 22 steps). why3-1.6.0/bench/infer/infer-oracles/while3.oracle000066400000000000000000000005141440160026300217010ustar00rootroot00000000000000CFG size: 79 nodes, 80 hyperedges Time elapsed 0.073803s ### Debug: inferred invariants ### (0 < contents i /\ contents i <= 10) /\ (2 * contents i) = (2 + contents j) (0 < contents i /\ contents i <= 10) /\ (2 * contents i) = (2 + contents j) ### File bench/infer/while3.mlw: Goal b'vc. Prover result is: Valid (0.02s, 22 steps). why3-1.6.0/bench/infer/infer-oracles/while4.oracle000066400000000000000000000006321440160026300217030ustar00rootroot00000000000000CFG size: 105 nodes, 107 hyperedges Time elapsed 0.129052s ### Debug: inferred invariants ### (0 < contents i /\ contents i <= 10) /\ (2 * contents i) = (2 + contents j) (0 < contents i /\ contents i <= 10) /\ (2 * contents i) = (2 + contents j) (0 < contents i /\ contents i <= 10) /\ (2 * contents i) = (2 + contents j) ### File bench/infer/while4.mlw: Goal b'vc. Prover result is: Valid (0.02s, 29 steps). why3-1.6.0/bench/infer/infer-oracles/while5.oracle000066400000000000000000000012271440160026300217050ustar00rootroot00000000000000CFG size: 29 nodes, 29 hyperedges Time elapsed 0.034797s ### Debug: inferred invariants ### ((0 = contents i /\ contents i = 0 \/ 6 = contents i /\ 6 = contents i \/ 12 = contents i) /\ 0 <= contents i) /\ contents i <= 12 ### CFG size: 29 nodes, 29 hyperedges Time elapsed 0.158591s ### Debug: inferred invariants ### ((contents i1 <= 0 /\ contents i1 = 0 \/ (6 <= contents i1 /\ contents i1 <= 6) /\ 6 = contents i1 \/ 12 <= contents i1) /\ contents i1 <= 12) /\ 0 <= contents i1 ### File bench/infer/while5.mlw: Goal b'vc. Prover result is: Valid (0.01s, 14 steps). File bench/infer/while5.mlw: Goal b2'vc. Prover result is: Valid (0.00s, 18 steps). why3-1.6.0/bench/infer/infer-oracles/while6.oracle000066400000000000000000000011561440160026300217070ustar00rootroot00000000000000CFG size: 29 nodes, 29 hyperedges Time elapsed 5.234097s ### Debug: inferred invariants ### ((0 = contents i /\ contents i = 0 \/ 42 = contents i \/ 96 = contents i \/ 60 = contents i \/ 90 = contents i \/ 84 = contents i \/ 54 = contents i \/ 18 = contents i \/ 30 = contents i \/ 6 = contents i /\ 6 = contents i \/ 72 = contents i \/ 12 = contents i \/ 102 = contents i \/ 48 = contents i \/ 78 = contents i \/ 24 = contents i \/ 36 = contents i \/ 66 = contents i) /\ 0 <= contents i) /\ contents i <= 102 ### File bench/infer/while6.mlw: Goal b'vc. Prover result is: Unknown () (0.04s). why3-1.6.0/bench/infer/infer-oracles/while7.oracle000066400000000000000000000015541440160026300217120ustar00rootroot00000000000000CFG size: 33 nodes, 34 hyperedges Time elapsed 0.031673s ### Debug: inferred invariants ### ((102 = contents i \/ contents i <= 99) /\ 0 <= contents i) /\ contents i <= 102 ### CFG size: 33 nodes, 34 hyperedges Time elapsed 0.097892s ### Debug: inferred invariants ### ((102 <= contents i1 /\ 102 = contents i1 \/ contents i1 <= 99) /\ contents i1 <= 102) /\ 0 <= contents i1 ### CFG size: 33 nodes, 34 hyperedges Time elapsed 3.934302s ### Debug: inferred invariants ### ((0 = contents i2 /\ contents i2 = 0 \/ 0 < contents i2 /\ contents i2 <= 99 \/ 102 = contents i2) /\ contents i2 <= 102) /\ 0 <= contents i2 ### File bench/infer/while7.mlw: Goal b'vc. Prover result is: Valid (0.01s, 10 steps). File bench/infer/while7.mlw: Goal b2'vc. Prover result is: Valid (0.02s, 10 steps). File bench/infer/while7.mlw: Goal b3'vc. Prover result is: Valid (0.02s, 17 steps). why3-1.6.0/bench/infer/junjie.mlw000066400000000000000000000004241440160026300165730ustar00rootroot00000000000000module Junjie use ref.Ref use int.Int let b [@bddinfer] [@infer](_:int):int ensures { result = 102 } = let x = ref 0 in let y = ref 0 in while !y >= 0 do variant { 0 } if !x <= 50 then y := !y + 1 else y := !y - 1; x := !x + 1; done; !y end why3-1.6.0/bench/infer/logic_def.mlw000066400000000000000000000004201440160026300172160ustar00rootroot00000000000000 use int.Int function succ (n : int) : int = n + 1 val incr (ref x : int) : unit writes { x } ensures { x = succ (old x) } let f [@bddinfer] [@infer] () : unit = let ref a = 0 in while a <= 100 do variant { 100 - a } incr a done; assert { a = 101 } why3-1.6.0/bench/infer/mccarthy.mlw000066400000000000000000000075411440160026300171300ustar00rootroot00000000000000 (* McCarthy's ``91'' function. *) module McCarthy91 use int.Int function spec (x: int) : int = if x <= 100 then 91 else x-10 (* traditional recursive implementation *) let rec f91 (n:int) : int variant { 101-n } ensures { result = spec n } = if n <= 100 then f91 (f91 (n + 11)) else n - 10 (* non-recursive implementation using a while loop *) use ref.Ref use int.Iter let f91_nonrec [@bddinfer] [@infer](n0: int) requires { n0 > 100 } ensures { result = spec n0 } = let e = ref 1 in let n = ref n0 in while !e > 0 do variant { 101 - !n + 10 * !e, !e } invariant { true } if !n > 100 then begin n := !n - 10; e := !e - 1 end else begin n := !n + 11; e := !e + 1 end done; !n let f91_nonrec_oct [@bddinfer] [@infer:oct](n0: int) requires { n0 > 100 } ensures { result = spec n0 } = let e = ref 1 in let n = ref n0 in while !e > 0 do variant { 101 - !n + 10 * !e, !e } invariant { true } if !n > 100 then begin n := !n - 10; e := !e - 1 end else begin n := !n + 11; e := !e + 1 end done; !n let f91_nonrec_box [@bddinfer] [@infer:box](n0: int) requires { n0 > 100 } ensures { result = spec n0 } = let e = ref 1 in let n = ref n0 in while !e > 0 do variant { 101 - !n + 10 * !e, !e } invariant { true } if !n > 100 then begin n := !n - 10; e := !e - 1 end else begin n := !n + 11; e := !e + 1 end done; !n let f91_nonrec2 [@bddinfer] [@infer](n0: int) requires { n0 <= 100 } ensures { result = spec n0 } = let e = ref 1 in let n = ref n0 in while !e > 0 do variant { 101 - !n + 10 * !e, !e } invariant { !e = 0 -> !n > 90 } if !n > 100 then begin n := !n - 10; e := !e - 1 end else begin n := !n + 11; e := !e + 1 end done; !n let f91_nonrec_hard [@bddinfer] [@infer](n0: int) ensures { result = spec n0 } = let e = ref 1 in let n = ref n0 in while !e > 0 do variant { 101 - !n + 10 * !e, !e } invariant { true } if !n > 100 then begin n := !n - 10; e := !e - 1 end else begin n := !n + 11; e := !e + 1 end done; !n let f91_nonrec_hard_box [@bddinfer] [@infer:box](n0: int) ensures { result = spec n0 } = let e = ref 1 in let n = ref n0 in while !e > 0 do variant { 101 - !n + 10 * !e, !e } invariant { true } if !n > 100 then begin n := !n - 10; e := !e - 1 end else begin n := !n + 11; e := !e + 1 end done; !n (* Use a 'morally' irrelevant control flow from a recursive function to ease proof (the recursive structure does not contribute to the program execution). This is a technique for proving derecursified programs. See verifythis_2016_tree_traversal for a more complex example. *) exception Stop let f91_pseudorec(n0:int) : int ensures { result = spec n0 } = let e = ref 1 in let n = ref n0 in let bloc () : unit requires { !e >= 0 } ensures { !(old e) > 0 } ensures { if !(old n) > 100 then !n = !(old n) - 10 /\ !e = !(old e) - 1 else !n = !(old n) + 11 /\ !e = !(old e) + 1 } raises { Stop -> !e = !(old e) = 0 /\ !n = !(old n) } = if not (!e > 0) then raise Stop; if !n > 100 then begin n := !n - 10; e := !e - 1 end else begin n := !n + 11; e := !e + 1 end in let rec aux () : unit requires { !e > 0 } variant { 101 - !n } ensures { !e = !(old e) - 1 /\ !n = spec !(old n) } raises { Stop -> false } = let u = !n in bloc (); if u <= 100 then (aux (); aux ()) in try aux (); bloc (); absurd with Stop -> !n end end why3-1.6.0/bench/infer/merge_sort.mlw000066400000000000000000000153551440160026300174660ustar00rootroot00000000000000 (** {1 Sorting arrays using mergesort} Author: Jean-Christophe Filliâtre (CNRS) *) (** {2 Parameters} *) module Elt use export int.Int use export array.Array type elt val predicate le elt elt clone relations.TotalPreOrder with type t = elt, predicate rel = le, axiom . clone export array.Sorted with type elt = elt, predicate le = le, axiom . end (** {2 Merging} It is well-known than merging sub-arrays in-place is extremely difficult (we don't even know how to do it in linear time). So we use some extra storage i.e. we merge two segments of a first array into a second array. *) module Merge clone export Elt with axiom . use export ref.Refint use export array.Array use map.Occ use export array.ArrayPermut (* merges tmp[l..m[ and tmp[m..r[ into a[l..r[ *) let merge (tmp a: array elt) (l m r: int) : unit requires { 0 <= l <= m <= r <= length tmp = length a } requires { sorted_sub tmp l m } requires { sorted_sub tmp m r } ensures { sorted_sub a l r } ensures { permut tmp a l r } ensures { forall i: int. (0 <= i < l \/ r <= i < length a) -> a[i] = (old a)[i] } = let i = ref l in let j = ref m in for k = l to r - 1 do if !i < m && (!j = r || le tmp[!i] tmp[!j]) then begin a[k] <- tmp[!i]; i := !i + 1 end else begin a[k] <- tmp[!j]; j := !j + 1 end done (* merges a[l..m[ and a[m..r[ into a[l..r[, using tmp as a temporary *) let merge_using (tmp a: array elt) (l m r: int) : unit requires { 0 <= l <= m <= r <= length tmp = length a } requires { sorted_sub a l m } requires { sorted_sub a m r } ensures { sorted_sub a l r } ensures { permut (old a) a l r } ensures { forall i: int. (0 <= i < l \/ r <= i < length a) -> a[i] = (old a)[i] } = if l < m && m < r then (* both sides are non empty *) if le a[m-1] a[m] then (* OPTIM: already sorted *) () else begin label N in blit a l tmp l (r - l); merge tmp a l m r; end end (** {2 Top-down, recursive mergesort} Split in equal halves, recursively sort the two, and then merge. *) module TopDownMergesort clone Merge with axiom . use mach.int.Int let rec mergesort_rec (a tmp: array elt) (l r: int) : unit requires { 0 <= l <= r <= length a = length tmp } ensures { sorted_sub a l r } ensures { permut_sub (old a) a l r } variant { r - l } = if l < r-1 then begin let m = l + (r - l) / 2 in mergesort_rec a tmp l m; label M in mergesort_rec a tmp m r; merge_using tmp a l m r; end let mergesort (a: array elt) : unit ensures { sorted a } ensures { permut_all (old a) a } = let tmp = Array.copy a in mergesort_rec a tmp 0 (length a) end (** {2 Bottom-up, iterative mergesort} First sort segments of length 1, then of length 2, then of length 4, etc. until the array is sorted. Surprisingly, the proof is much more complex than for natural mergesort (see below). *) module BottomUpMergesort clone Merge with axiom . use mach.int.Int use int.MinMax let bottom_up_mergesort(a: array elt) : unit ensures { sorted a } ensures { permut_all (old a) a } = let n = length a in let tmp = Array.copy a in let len = ref 1 in while !len < n do variant { 2 * n - !len } label L in let lo = ref 0 in let ghost i = ref 0 in while !lo < n - !len do variant { n + !len - !lo } let mid = !lo + !len in let hi = min n (mid + !len) in label M in merge_using tmp a !lo mid hi; lo := mid + !len; ghost incr i done; len := 2 * !len; done; end (** {2 Natural mergesort} This is a mere variant of bottom-up mergesort above, where we start with ascending runs (i.e. segments that are already sorted) instead of starting with single elements. *) module NaturalMergesort clone Merge with axiom . use mach.int.Int use int.MinMax (* returns the maximal hi such that a[lo..hi[ is sorted *) let find_run [@bddinfer] [@infer] (a: array elt) (lo: int) : int requires { 0 <= lo < length a } ensures { lo < result <= length a } ensures { sorted_sub a lo result } ensures { result < length a -> not (le a[result-1] a[result]) } = let i = ref (lo + 1) in while !i < length a && le a[!i - 1] a[!i] do variant { length a - !i } incr i done; !i let find_run2 [@bddinfer] [@infer:box] (a: array elt) (lo: int) : int requires { 0 <= lo < length a } ensures { lo < result <= length a } ensures { sorted_sub a lo result } ensures { result < length a -> not (le a[result-1] a[result]) } = let i = ref (lo + 1) in while !i < length a && le a[!i - 1] a[!i] do variant { length a - !i } incr i done; !i exception Break exception Return let natural_mergesort [@bddinfer] [@infer](a: array elt) : unit ensures { sorted a } ensures { permut_all (old a) a } = let n = length a in if n >= 2 then let tmp = Array.copy a in let ghost first_run = ref 0 in try while true do variant { n - !first_run } let lo = ref 0 in try while !lo < n - 1 do variant { n - !lo } let mid = find_run a !lo in if mid = n then begin if !lo = 0 then raise Return; raise Break end; let hi = find_run a mid in label M in merge_using tmp a !lo mid hi; ghost if !lo = 0 then first_run := hi; lo := hi; done with Break -> () end done with Return -> () end (** an alternative implementation suggested by Martin Clochard, mixing top-down recursive and natural mergesort the purpose is to avoid unnecessary calls to [find_run] in the code above *) let rec naturalrec (tmp a: array elt) (lo k: int) : int requires { 0 <= lo <= length a = length tmp } requires { 0 <= k } ensures { result = length a \/ lo + k < result < length a } ensures { sorted_sub a lo result } ensures { permut_sub (old a) a lo (length a) } ensures { forall j: int. 0 <= j < lo -> a[j] = (old a)[j] } variant { k } = let n = length a in if lo >= n-1 then n else try let mid = ref (find_run a lo) in if !mid = n then raise Break; let o = k-1 in for i = 0 to o do let hi = naturalrec tmp a !mid i in label M in merge_using tmp a lo !mid hi; mid := hi; if !mid = n then raise Break done; !mid with Break -> n end let natural_mergesort2 (a: array elt) : unit ensures { sorted a } ensures { permut_all (old a) a } = let tmp = Array.copy a in let _ = naturalrec tmp a 0 (length a) in () end why3-1.6.0/bench/infer/minus1.mlw000066400000000000000000000013001440160026300165150ustar00rootroot00000000000000module Minus1 use int.Int use ref.Ref let b[@infer] [@bddinfer] (_:int) : int ensures { result = 0 } = let i = ref 0 in let j = ref 0 in j := 18; i := 1; while !i < 10 do variant { 10 - !i } i := !i + 1; j := !j - 2; done; !j let b2[@infer:oct] [@bddinfer] (_:int) : int ensures { result = 0 } = let i = ref 0 in let j = ref 0 in j := 18; i := 1; while !i < 10 do variant { 10 - !i } i := !i + 1; j := !j - 2; done; !j let b3[@infer:box] [@bddinfer] (_:int) : int ensures { result = 0 } = let i = ref 0 in let j = ref 0 in j := 18; i := 1; while !i < 10 do variant { 10 - !i } i := !i + 1; j := !j - 2; done; !j end why3-1.6.0/bench/infer/mult.mlw000066400000000000000000000010321440160026300162640ustar00rootroot00000000000000module Mult1 use int.Int use ref.Ref let b [@bddinfer] [@infer](_:int) : int ensures { result = 18 } = let i = ref 0 in while !i < 10 do variant { 10 - !i } i := 2 * !i; done; !i let b2 [@bddinfer] [@infer:oct](_:int) : int ensures { result = 18 } = let i = ref 0 in while !i < 10 do variant { 10 - !i } i := 2 * !i; done; !i let b3 [@bddinfer] [@infer:box](_:int) : int ensures { result = 18 } = let i = ref 0 in while !i < 10 do variant { 10 - !i } i := 2 * !i; done; !i end why3-1.6.0/bench/infer/neg1.mlw000066400000000000000000000006071440160026300161440ustar00rootroot00000000000000module Neg1 use int.Int use ref.Ref let b [@bddinfer] [@infer](_:unit): int ensures { result = 10 } = let i = ref 0 in while !i <> 10 && !i < 12 do variant { 15 - !i } i := !i + 1; done; !i let b2 [@bddinfer] [@infer:oct](_:unit): int ensures { result = 10 } = let i = ref 0 in while !i <> 10 && !i < 12 do variant { 15 - !i } i := !i + 1; done; !i end why3-1.6.0/bench/infer/pbinfer2.mlw000066400000000000000000000017131440160026300170200ustar00rootroot00000000000000 module Test2 use int.Int use bool.Bool use ref.Ref let to_true (ii : bool) (arg : bool) : bool writes { } ensures { if ii then result = true else result = arg} = if ii then true else arg val x0 : ref bool val x1 : ref bool val x2 : ref bool val x3 : ref bool let pgmtest [@infer] [@bddinfer] () : unit = [@vc:divergent] let a = ref false in let b = ref false in let c = ref false in let d = ref false in let e = ref false in while (!x3 && not !x1 && not !x2) do label Init in (* ****** *) let tmp1 = (!x0 || !a) && not !e in let a1 = tmp1 in let tmp2 = tmp1 && !x1 && !x3 in let d1 = tmp2 in let b1 = to_true tmp1 !b in let tmp3 = tmp1 && !b && !x2 in let c1 = to_true tmp3 !c in (* ****** *) a := a1 ; b := b1 ; c := c1 ; d := d1 ; (* ****** *) [@bddinfer:Assert] assert { !x0 \/ (!a at Init) -> !a } ; done ; end why3-1.6.0/bench/infer/pbinfer2_simplified.mlw000066400000000000000000000004341440160026300212240ustar00rootroot00000000000000 use int.Int use ref.Ref val to_true (ii : bool) : int ensures { if ii then result = 1 else result = 100 } let pgmtest [@bddinfer] [@infer](x: bool) : unit = [@vc:divergent] let a = ref false in while true do let _ = to_true false in let _ = to_true x in a := x donewhy3-1.6.0/bench/infer/precision0.mlw000066400000000000000000000006241440160026300173640ustar00rootroot00000000000000 use int.Int val randomb () : bool val id (input:bool) (src: int) (ref tgt: int) : unit writes { tgt } ensures { (input = True /\ tgt = src) \/ (input = False /\ tgt = old tgt) } val ref d0 : int val ref d1 : int let s [@bddinfer] () diverges requires { d0 = 0 } requires { d1 = 0 } = (* gives d1 in [0], that's OK (see precision1.mlw) *) while true do id (randomb()) d0 d1; done why3-1.6.0/bench/infer/precision1.mlw000066400000000000000000000006421440160026300173650ustar00rootroot00000000000000 use int.Int val randomb () : bool val id (input: bool) (src: int) (ref tgt: int) : unit writes { tgt } ensures { input = True -> tgt = src } ensures { input = False -> tgt = old tgt } val ref d0 : int val ref d1 : int let s [@bddinfer] () diverges requires { d0 = 0 } requires { d1 = 0 } = while true do (* gives d1 \in ]-oo,+oo[ instead of the more precise [0] *) id (randomb()) d0 d1; done why3-1.6.0/bench/infer/precision2.mlw000066400000000000000000000002321440160026300173610ustar00rootroot00000000000000 use int.Int val ref d : int let e [@bddinfer] () diverges requires { d = 0 } = while True do d <- d+1; if 0 < d then d <- 0 done why3-1.6.0/bench/infer/precision3.mlw000066400000000000000000000005521440160026300173670ustar00rootroot00000000000000 use int.Int val cp (input : bool) (src : int) (ref tgt : int) : unit writes { tgt } ensures { (input = True /\ tgt = src) \/ ((input = False) /\ tgt = old tgt)} val ref d : int let e [@bddinfer] () diverges requires { d = 0 } = while True do d <- d+1; cp (1 < d) 0 d (* This gives [0;+oo[ as domain for d, we would like [0;1] *) done why3-1.6.0/bench/infer/ref3.mlw000066400000000000000000000006161440160026300161510ustar00rootroot00000000000000 module Test use array.Array use ref.Ref use ref.Refint use int.Int let b [@bddinfer] [@infer](x:int): unit = let k = ref 0 in while (!k < x) do variant { x - !k } invariant { 0 <= !k < x} incr k; () done; () let b3 [@bddinfer] [@infer:box](x:int): unit = let k = ref 0 in while (!k < x) do variant { x - !k } invariant { 0 <= !k < x} incr k; () done; () end why3-1.6.0/bench/infer/return_function.mlw000066400000000000000000000002201440160026300205250ustar00rootroot00000000000000use int.Int val ref x : int let f (a : int) : int = a + a let main [@bddinfer] () = let temp = f 6 in x <- temp; assert { x = 12 } why3-1.6.0/bench/infer/support1.mlw000066400000000000000000000014121440160026300171020ustar00rootroot00000000000000module Example_scan use export ref.Ref use export bool.Bool use export int.Int val foo (input : bool) (src : int) (tgt : ref int) : unit writes { tgt } (* This does not work *) ensures { orb input (!tgt = src) } (* This does not work either ensures { orb (andb input (!tgt = src)) (andb (notb input) (!tgt= old !tgt)) } *) (* This works ensures { input \/ (!tgt = src) } ensures { input -> (!tgt = src) } ensures { input || (!tgt = src) } *) (**********************************************************************************) val d0 [@model] [@model_trace:D0] : ref int val d1 [@model] [@model_trace:D1] : ref int let example_scan [@bddinfer] () diverges requires { ((!d0) = 0) } requires { ((!d1) = 0) } = while True do foo true !d0 d1 done end why3-1.6.0/bench/infer/support2.mlw000066400000000000000000000014171440160026300171100ustar00rootroot00000000000000module Example_scan use export ref.Ref use export bool.Bool use export int.Int val foo (input : bool) (src : int) (tgt : ref int) : unit writes { tgt } (* This does not work *) (* ensures { orb input (!tgt = src) } *) (* This does not work either *) ensures { orb (andb input (!tgt = src)) (andb (notb input) (!tgt= old !tgt)) } (* This works ensures { input \/ (!tgt = src) } ensures { input -> (!tgt = src) } ensures { input || (!tgt = src) } *) (**********************************************************************************) val d0 [@model] [@model_trace:D0] : ref int val d1 [@model] [@model_trace:D1] : ref int let example_scan [@bddinfer] () diverges requires { ((!d0) = 0) } requires { ((!d1) = 0) } = while True do foo true !d0 d1 done end why3-1.6.0/bench/infer/support3.mlw000066400000000000000000000010721440160026300171060ustar00rootroot00000000000000module Example_scan use export ref.Ref use export bool.Bool use export int.Int val foo (input : bool) (tgt : ref int) : unit writes { tgt } (* This does not work *) ensures { andb input (old !tgt = 42) -> (!tgt = 0) } (* But this is OK ensures { (old !tgt = 42) -> (!tgt = 0) } and this also ensures { input && (old !tgt = 42) -> (!tgt = 0) } *) (**********************************************************************************) val d0 [@model] [@model_trace:D0] : ref int let example_scan [@bddinfer] () diverges = while True do foo true d0 done end why3-1.6.0/bench/infer/support4.mlw000066400000000000000000000006511440160026300171110ustar00rootroot00000000000000module Example_scan use export ref.Ref use export bool.Bool use export int.Int function id_compute (b : int) : int = b + 1 val id (src : int) (tgt : ref int) : unit writes { tgt } ensures { !tgt = id_compute src } (**********************************************************************************) val d : ref int let example_scan [@bddinfer] () diverges = d := 0; while !d <= 100 do id !d d done end why3-1.6.0/bench/infer/support5.mlw000066400000000000000000000004521440160026300171110ustar00rootroot00000000000000 use int.Int val randomb () : bool val ref d0 : int val ref d1 : int let s [@bddinfer] () diverges requires { d0 = 0 } requires { d1 = 0 } = while true do (* this does not work with "unsupported feature: simple_expr_to_why1_expr: SEseq" *) if (randomb()) then d1 <- d0; done why3-1.6.0/bench/infer/try1.mlw000066400000000000000000000010541440160026300162060ustar00rootroot00000000000000module Try1 use int.Int use ref.Ref exception Myexc int let b [@bddinfer] [@infer](_:int) : int ensures { result = 12 } = let i = ref 0 in i := 0; while !i < 10 do variant { 10 - !i } try i := !i + 1; raise (Myexc (!i + 5)) with | Myexc(a) -> i := a end done; !i let b2 [@bddinfer] [@infer:oct](_:int) : int ensures { result = 12 } = let i = ref 0 in i := 0; while !i < 10 do variant { 10 - !i } try i := !i + 1; raise (Myexc (!i + 5)) with | Myexc(a) -> i := a end done; !i end why3-1.6.0/bench/infer/try3.mlw000066400000000000000000000010561440160026300162120ustar00rootroot00000000000000module Try1 use int.Int use ref.Ref exception Myexc int let b [@bddinfer] [@infer](_:int) : int ensures { result = 10 } = let i = ref 0 in i := 0; while !i < 10 do variant { 10 - !i } try raise (Myexc (!i + 1)); i := !i - 1; with | Myexc(a) -> i := a end done; !i let b2 [@bddinfer] [@infer:oct](_:int) : int ensures { result = 10 } = let i = ref 0 in i := 0; while !i < 10 do variant { 10 - !i } try raise (Myexc (!i + 1)); i := !i - 1; with | Myexc(a) -> i := a end done; !i end why3-1.6.0/bench/infer/tuple1.mlw000066400000000000000000000014131440160026300165200ustar00rootroot00000000000000module Tuple1 use int.Int use ref.Ref let b [@bddinfer] [@infer](_:int) : int ensures { result = 20 } = let i = ref 0 in let j = ref 0 in i := 0; j := 0; while !i < 10 do variant { 10 - !i } let (a, b) = (!i + 1, !j + 2) in i := a; j := b; done; !j let b2 [@bddinfer] [@infer:oct](_:int) : int ensures { result = 20 } = let i = ref 0 in let j = ref 0 in i := 0; j := 0; while !i < 10 do variant { 10 - !i } let (a, b) = (!i + 1, !j + 2) in i := a; j := b; done; !j let b3 [@bddinfer] [@infer:box](_:int) : int ensures { result = 20 } = let i = ref 0 in let j = ref 0 in i := 0; j := 0; while !i < 10 do variant { 10 - !i } let (a, b) = (!i + 1, !j + 2) in i := a; j := b; done; !j end why3-1.6.0/bench/infer/tuple2.mlw000066400000000000000000000016361440160026300165300ustar00rootroot00000000000000module Tuple2 use int.Int use ref.Ref val c(_:int) : (int, int) ensures { result = (1, 2) } let b [@bddinfer] [@infer](_:int) : int ensures { result = 20 } = let _ = () in let _= c 4 in let i = ref 0 in let j = ref 0 in i := 0; j := 0; while !i < 10 do variant { 10 - !i } let (a, b) = (!i + 1, !j + 2) in i := a; j := b; done; !j let b2 [@bddinfer] [@infer:oct](_:int) : int ensures { result = 20 } = let _ = () in let _= c 4 in let i = ref 0 in let j = ref 0 in i := 0; j := 0; while !i < 10 do variant { 10 - !i } let (a, b) = (!i + 1, !j + 2) in i := a; j := b; done; !j let b3 [@bddinfer] [@infer:box](_:int) : int ensures { result = 20 } = let _ = () in let _= c 4 in let i = ref 0 in let j = ref 0 in i := 0; j := 0; while !i < 10 do variant { 10 - !i } let (a, b) = (!i + 1, !j + 2) in i := a; j := b; done; !j end why3-1.6.0/bench/infer/twoway.mlw000066400000000000000000000041421440160026300166420ustar00rootroot00000000000000(* Two Way Sort The following program sorts an array of Boolean values, with False a[i1] << a[i2] let two_way_sort [@bddinfer] [@infer](a: array bool) : unit requires { length a >= 0 } writes { a } ensures { sorted a } = let i = ref 0 in let j = ref (length a - 1) in while !i < !j do variant { !j - !i } invariant { forall k:int. 0 <= k < !i -> not a[k] } invariant { forall k:int. !j < k < length a -> a[k] } if not a[!i] then i := !i + 1 else if a[!j] then j := !j - 1 else begin swap a !i !j; i := !i + 1; j := !j - 1 end done let two_way_sort3 [@bddinfer] [@infer:box](a: array bool) : unit requires { length a >= 0 } writes { a } ensures { sorted a } = let i = ref 0 in let j = ref (length a - 1) in while !i < !j do variant { !j - !i } invariant { forall k:int. 0 <= k < !i -> not a[k] } invariant { forall k:int. !j < k < length a -> a[k] } if not a[!i] then i := !i + 1 else if a[!j] then j := !j - 1 else begin swap a !i !j; i := !i + 1; j := !j - 1 end done end why3-1.6.0/bench/infer/uf6.mlw000066400000000000000000000016721440160026300160150ustar00rootroot00000000000000 module Uf1 use array.Array use ref.Ref use ref.Refint use int.Int use list.List function ll (l: list 'a) : int let cons(x:'a) (l: list 'a): list 'a ensures { ll result = ll l + 1 }= Cons x l val test(u: list int) : unit ensures { ll u = 0 } let nil(_:unit) : list 'a ensures { ll result = 0 } = Nil let b [@bddinfer] [@infer](_:int): list int ensures { ll result = 4 } = let k = ref 0 in let _ = nil () in let _ = 5 in while (!k < 3 && !k >= 0) do variant { 10- !k } incr k; done; Nil let b2 [@bddinfer] [@infer:oct](_:int): list int ensures { ll result = 4 } = let k = ref 0 in let _ = nil () in let _ = 5 in while (!k < 3 && !k >= 0) do variant { 10- !k } incr k; done; Nil let b3 [@bddinfer] [@infer:box](_:int): list int ensures { ll result = 4 } = let k = ref 0 in let _ = nil () in let _ = 5 in while (!k < 3 && !k >= 0) do variant { 10- !k } incr k; done; Nil end why3-1.6.0/bench/infer/val_call.mlw000066400000000000000000000003541440160026300170660ustar00rootroot00000000000000use int.Int val ref x : int val ref y : int val ref z : int val test (n:int) : unit reads { x,y,z } writes { x,y } ensures { x = old y } ensures { y = n+z } let main [@bddinfer] () = x <- 42; y <- 37; z <- 1; test(2) why3-1.6.0/bench/infer/val_call_unit_arg.mlw000066400000000000000000000003051440160026300207520ustar00rootroot00000000000000use int.Int val ref x : int val ref y : int val test () : unit writes { x, y } ensures { x + (old y) = 0 } ensures { y = (old x) } let main [@bddinfer] () = x <- 42; y <- 37; test() why3-1.6.0/bench/infer/val_writes_param.mlw000066400000000000000000000002361440160026300206470ustar00rootroot00000000000000use int.Int val ref x : int val test (n:int) (ref a:int) : unit writes { a } ensures { a = old a + n } let main [@bddinfer] () = x <- 42; test 2 x why3-1.6.0/bench/infer/while1.mlw000066400000000000000000000012071440160026300165000ustar00rootroot00000000000000module While1 use int.Int use ref.Ref let b [@infer] [@bddinfer] (_:int) : int ensures { result = 18 } = let i = ref 1 in let j = ref 0 in while !i < 10 do variant { 10 - !i } i := !i + 1; j := !j + 2; done; !j let b2 [@infer:oct] [@bddinfer] (_:int) : int ensures { result = 18 } = let i = ref 1 in let j = ref 0 in while !i < 10 do variant { 10 - !i } i := !i + 1; j := !j + 2; done; !j let b3 [@infer:box] [@bddinfer] (_:int) : int ensures { result = 18 } = let i = ref 1 in let j = ref 0 in while !i < 10 do variant { 10 - !i } i := !i + 1; j := !j + 2; done; !j end why3-1.6.0/bench/infer/while2.mlw000066400000000000000000000005231440160026300165010ustar00rootroot00000000000000module While2 use int.Int use ref.Ref let b [@infer] [@bddinfer] (_:int) : int ensures { result = 0 } = let i = ref 0 in let j = ref 0 in j := 0; i := 1; while !i < 10 do variant { 10 - !i } i := !i + 1; j := !j + 2; done; while 1 < !i do variant { !i } i := !i - 1; j := !j - 2; done; !j end why3-1.6.0/bench/infer/while3.mlw000066400000000000000000000005241440160026300165030ustar00rootroot00000000000000module While3 use int.Int use ref.Ref let b [@infer] [@bddinfer] (_:int) : int ensures { result = 0 } = let i = ref 0 in let j = ref 0 in j := 0; i := 1; while !i < 10 do variant { 10 - !i } i := !i + 1; j := !j + 2; done; while !i > 1 do variant { !i } i := !i - 1; j := !j - 2; done; !j end why3-1.6.0/bench/infer/while4.mlw000066400000000000000000000006401440160026300165030ustar00rootroot00000000000000module While3 use int.Int use ref.Ref let b [@infer] [@bddinfer] (_:int) : int ensures { result = 0 } = let i = ref 0 in let j = ref 0 in j := 0; i := 1; while !i < 10 do variant { 10 - !i } i := !i + 1; j := !j + 2; done; while 1 < !i do variant { !i } i := !i - 1; j := !j - 2; done; while 1 < !i do variant { !i } i := !i - 1; j := !j - 2; done; !j end why3-1.6.0/bench/infer/while5.mlw000066400000000000000000000006411440160026300165050ustar00rootroot00000000000000module While5 use int.Int use ref.Ref exception Myexc int let b [@infer] [@bddinfer] (_:int) : int ensures { result = 12 } = let i = ref 0 in i := 0; while !i < 10 do variant { 10 - !i } i := !i + 6; done; !i let b2 [@infer:oct] [@bddinfer] (_:int) : int ensures { result = 12 } = let i = ref 0 in i := 0; while !i < 10 do variant { 10 - !i } i := !i + 6; done; !i end why3-1.6.0/bench/infer/while6.mlw000066400000000000000000000004111440160026300165010ustar00rootroot00000000000000module While6 use int.Int use ref.Ref exception Myexc int let b [@infer] [@bddinfer] (_:int) : int ensures { result = 102 } = let i = ref 0 in i := 0; while !i < 100 do variant { 10 - !i } i := !i + 6; done; !i end why3-1.6.0/bench/infer/while7.mlw000066400000000000000000000012201440160026300165010ustar00rootroot00000000000000module While7 use int.Int use ref.Ref exception Myexc int let b[@infer] [@bddinfer] (_:int) : int ensures { result = 102 } = let i = ref 0 in while !i < 100 do variant { 100 - !i } i := !i + 1; if !i >= 100 then i := 102; done; !i let b2[@infer:oct] [@bddinfer] (_:int) : int ensures { result = 102 } = let i = ref 0 in while !i < 100 do variant { 100 - !i } i := !i + 1; if !i >= 100 then i := 102; done; !i let b3[@infer:box] [@bddinfer] (_:int) : int ensures { result = 102 } = let i = ref 0 in while !i < 100 do variant { 100 - !i } i := !i + 1; if !i >= 100 then i := 102; done; !i end why3-1.6.0/bench/infer/while_and_int.mlw000066400000000000000000000003351440160026300201140ustar00rootroot00000000000000 use int.Int val ref x : int val ref y : int let main [@bddinfer] () diverges = x <- 0; y <- 60; while x <= 100 && y >= 0 do (* while (if x <= 100 then y >= 0 else False) do *) x <- x + 1; y <- y - 1; done why3-1.6.0/bench/infer/while_break.mlw000066400000000000000000000003331440160026300175620ustar00rootroot00000000000000 use int.Int val ref x : int let f [@infer] [@bddinfer] () : int ensures { result = 100 } = x <- 0; while true do variant { 100 - x } if x >= 100 then break; x <- x + 1; done; x why3-1.6.0/bench/infer/while_break_bool.mlw000066400000000000000000000003621440160026300205770ustar00rootroot00000000000000 use bool.Bool val randomb () : bool val ref x : bool let f [@infer] [@bddinfer] () : bool diverges ensures { notb result } = x <- True; while true do assert { x }; x <- randomb(); if notb x then break; done; x why3-1.6.0/bench/infer/while_inv_loc_var.mlw000066400000000000000000000003201440160026300207730ustar00rootroot00000000000000use int.Int val ref x : int let main [@bddinfer] () = [@vc:divergent] begin x <- 0; while x <= 100 do let y = x+1 in x <- y done; [@assert: 101?] assert { x = 101 } endwhy3-1.6.0/bench/infer/while_loop.mlw000066400000000000000000000002451440160026300174510ustar00rootroot00000000000000 use int.Int val ref x : int let main [@infer] [@bddinfer] () diverges = x <- 0; while x <= 100 do x <- x + 1; done; [@bddinfer:check0] assert { x = 101 } why3-1.6.0/bench/infer/while_loop_bis.mlw000066400000000000000000000002621440160026300203050ustar00rootroot00000000000000 use int.Int use ref.Ref val ref x : int let main [@bddinfer] () diverges = x <- 0; while x <= 100 do x <- x * x + 1; done; assert { x >= 101 }; assert { x <= 10001 } why3-1.6.0/bench/infer/while_loop_bool.mlw000066400000000000000000000004421440160026300204630ustar00rootroot00000000000000 use int.Int use bool.Bool val ref x : int val ref a : bool val ref b : bool let main [@bddinfer] () diverges = x <- 0; a <- True; b <- True; while x <= 100 do x <- x + 1; a <- notb a; b <- notb b; done; [@bddinfer:A1] assert { x = 101 }; [@bddinfer:A2] assert { a = b } why3-1.6.0/bench/infer/while_loop_count.mlw000066400000000000000000000004671440160026300206670ustar00rootroot00000000000000 use int.Int use bool.Bool val ref exit : bool val ref c : int let test [@bddinfer] () diverges = exit <- false; c <- 0; [@bddinfer:myloop] while (not exit) do [@bddinfer:myassert] assert { c <= 42 }; c <- c + 1; if c >= 42 then begin exit <- true; (* break*) end done why3-1.6.0/bench/infer/while_loop_ref.mlw000066400000000000000000000002671440160026300203110ustar00rootroot00000000000000 use int.Int use ref.Ref val x : ref int let main [@bddinfer] () diverges = x := 0; while !x <= 100 do (* invariant {100 >= x } *) x := !x + 1; done; assert { !x = 101 } why3-1.6.0/bench/interp/000077500000000000000000000000001440160026300147645ustar00rootroot00000000000000why3-1.6.0/bench/interp/float32.mlw000066400000000000000000000035101440160026300167560ustar00rootroot00000000000000module N use ieee_float.Float32 let f (x: t) = add RNE x (1.0: t) let g () = add RNE (24.0: t) (1.0: t) exception BenchFailure let bench1 () raises { BenchFailure -> false } = let x = f (1.0: t) in if not (eq x (2.0: t)) then raise BenchFailure; x let bench2 () raises { BenchFailure -> false } = let o = (0x1p-23: t) in let x = sqrt RNE ((1.0: t) .+ o .- (1.0: t) .- o) in (* Expected result: 0.0 *) if not (eq x (0.0: t)) then raise BenchFailure; let o = (0x1p-24: t) in let x = sqrt RNE ((1.0: t) .+ o .- (1.0: t) .- o) in (* Expected result: Nan *) if eq x x then raise BenchFailure; x let bench3 () raises { BenchFailure -> false } ensures { eq result (0.0: t)} = let o = (0x1p-129: t) in let v = o .* o in if not (eq v (0.0:t)) then raise BenchFailure; v let bench4 () raises { BenchFailure -> false } ensures { is_infinite result } = let o = (0x1p+64: t) in let res = o .* o in if not (is_infinite res) then raise BenchFailure; res let bench5 () raises { BenchFailure -> false } ensures { eq result (1.0:t) } = let o = add RNE (1.0:t) (0x1p-24:t) in if not (eq o (1.0:t)) then raise BenchFailure; o let bench6 () raises { BenchFailure -> false } ensures { not (eq result (1.0:t)) } = let o = add RNE (1.0:t) (0x1p-23:t) in if eq o (1.0:t) then raise BenchFailure; o let bench7 () raises { BenchFailure -> false } ensures { eq result (0.0: t)} = let o = (0x1p-149: t) in let o2 = o ./ (2.0: t) in if not (eq o2 (0.0:t)) then raise BenchFailure; o2 let bench8 () raises { BenchFailure -> false } ensures { not (eq result (0.0: t))} = let o = (0x1p-148: t) in let o2 = o ./ (2.0: t) in if (eq o2 (0.0:t)) then raise BenchFailure; o2 end why3-1.6.0/bench/interp/float64.mlw000066400000000000000000000035151440160026300167700ustar00rootroot00000000000000module N use ieee_float.Float64 let f (x: t) = add RNE x (1.0: t) let g () = add RNE (24.0: t) (1.0: t) exception BenchFailure let bench1 () raises { BenchFailure -> false } = let x = f (1.0: t) in if not (eq x (2.0: t)) then raise BenchFailure; x let bench2 () raises { BenchFailure -> false } = let o = (0x1p-52: t) in let x = sqrt RNE ((1.0: t) .+ o .- (1.0: t) .- o) in (* Expected result: 0.0 *) if not (eq x (0.0: t)) then raise BenchFailure; let o = (0x1p-53: t) in let x = sqrt RNE ((1.0: t) .+ o .- (1.0: t) .- o) in (* Expected result: Nan *) if eq x x then raise BenchFailure; x let bench3 () raises { BenchFailure -> false } ensures { eq result (0.0: t)} = let o = (0x1p-1023: t) in let v = o .* o in if not (eq v (0.0:t)) then raise BenchFailure; v let bench4 () raises { BenchFailure -> false } ensures { is_infinite result } = let o = (0x1p+1023: t) in let res = o .* o in if not (is_infinite res) then raise BenchFailure; res let bench5 () raises { BenchFailure -> false } ensures { eq result (1.0:t) } = let o = add RNE (1.0:t) (0x1p-53:t) in if not (eq o (1.0:t)) then raise BenchFailure; o let bench6 () raises { BenchFailure -> false } ensures { not (eq result (1.0:t)) } = let o = add RNE (1.0:t) (0x1p-52:t) in if eq o (1.0:t) then raise BenchFailure; o let bench7 () raises { BenchFailure -> false } ensures { eq result (0.0: t)} = let o = (0x1p-1074: t) in let o2 = o ./ (2.0: t) in if not (eq o2 (0.0:t)) then raise BenchFailure; o2 let bench8 () raises { BenchFailure -> false } ensures { not (eq result (0.0: t))} = let o = (0x1p-1073: t) in let o2 = o ./ (2.0: t) in if (eq o2 (0.0:t)) then raise BenchFailure; o2 end why3-1.6.0/bench/interp/real.mlw000066400000000000000000000041061440160026300164310ustar00rootroot00000000000000module R use int.Int use real.Real use ref.Ref use real.Square use real.ExpLog exception BenchFailure let test0 () raises { BenchFailure -> false } = let x:real = 42.0 in let y:real = 1.5 in let z:real = 0.1 in if z < 0.099999 || z > 0.100001 then raise BenchFailure; (x,y,z) let test1 () raises { BenchFailure -> false } = let x : real = 0.1 in let y : real = 10.0 * x in if y < 0.99999 || y > 1.00001 then raise BenchFailure; (x, y) let test2 () raises { BenchFailure -> false } = let x : real = 3.0 in let y : real = 1.0 / x in let z : real = 3.0 * y in if z < 0.99999 || z > 1.00001 then raise BenchFailure; (x, y, z) let test3 () raises { BenchFailure -> false } = let ref x : real = 2.0 in for i=1 to 14 do x <- x * x done; let y : real = 0.0 * x in if y <> 0.0 then raise BenchFailure; (x,y) let test_exp () raises { BenchFailure -> false } = let x : real = 1.0 in let y : real = exp x in if y < 2.71828182845 || y > 2.71828182846 then raise BenchFailure; y let test_log () raises { BenchFailure -> false } = let x : real = 1.0 in let y : real = log x in if y <> 0.0 then raise BenchFailure; y let test_exp_log () raises { BenchFailure -> false } = let x : real = 42.0 in let y : real = exp (log x) in if y < 41.99999 || y > 42.00001 then raise BenchFailure; log x, exp x, y let bench1 () (* Tries to calculate sqrt(2) *) diverges raises { BenchFailure -> false } = let incr = 0x1p-8 in let ref i : real = 0.0 in while (i * i <= 2.0) do i <- i + incr; done; if i < 1.41 || i > 1.42 then raise BenchFailure; i let bench2 () raises { BenchFailure -> false } ensures { result = 4.0 } = let r = sqrt 16.0 in if r <> 4.0 then raise BenchFailure; r use real.Trigonometry let bench3 () raises { BenchFailure -> false } = let y = sqrt pi in if y < 1.77245385090551 || y > 1.77245385090552 then raise BenchFailure; y end why3-1.6.0/bench/invalid/000077500000000000000000000000001440160026300151115ustar00rootroot00000000000000why3-1.6.0/bench/invalid/arith.mlw000066400000000000000000000001561440160026300167430ustar00rootroot00000000000000 module Arith use int.Int goal G1: 0 = 1 use int.ComputerDivision goal G2: div 1 0 = div 2 0 end why3-1.6.0/bench/invalid/false.mlw000066400000000000000000000000441440160026300167220ustar00rootroot00000000000000 module False goal F: false end why3-1.6.0/bench/invalid/induction.mlw000066400000000000000000000002041440160026300176220ustar00rootroot00000000000000 module M coinductive p unit = | C: p () -> p () (* should not be proved using induction_pr *) goal G: p () -> false end why3-1.6.0/bench/memlimit/000077500000000000000000000000001440160026300153005ustar00rootroot00000000000000why3-1.6.0/bench/memlimit/ackermann.mlw000066400000000000000000000005221440160026300177570ustar00rootroot00000000000000type nat = Z | S nat function ack (m n:nat) : nat = match m with | Z -> S n | S m' -> match n with | Z -> ack m' (S Z) | S n' -> ack m' (ack m n') end end predicate even (x:nat) = match x with | Z -> true | S Z -> false | S (S z) -> even z end goal a4 : even (ack (S (S (S (S Z)))) (S (S (S (S Z))))) why3-1.6.0/bench/memlimit/is_prime.mlw000066400000000000000000000020141440160026300176250ustar00rootroot00000000000000module User_lemma__is_prime use int.Int use int.EuclideanDivision as EuclideanDivision (* We express mod via Euclidean mod, as this is what is used in SMT *) function mod (x y : int) : int = let r = EuclideanDivision.mod x y in if y >= 0 then r else if r = 0 then 0 else r + y val mod (x:int) (y:int) : int ensures { result = mod x y } function is_prime (n: int) : bool = if (forall j : int. (((2 <= j) /\ (j <= (n - 1))) -> ((mod n j) <> 0))) then True else False val is_prime (n: int) : bool requires { true } ensures { (result = is_prime n) /\ (result = (forall j : int. (((2 <= j) /\ (j <= (n - 1))) -> ((mod n j) <> 0)))) } end module User_lemma__test use int.Int use User_lemma__is_prime as User_lemma__is_prime let def (__void_param : unit) = assert { User_lemma__is_prime.is_prime 15487001 = True }; assert { User_lemma__is_prime.is_prime 15487469 = True }; assert { User_lemma__is_prime.is_prime 239854447900000 = False }; end why3-1.6.0/bench/memlimit/syracuse.mlw000066400000000000000000000002261440160026300176570ustar00rootroot00000000000000use int.Int predicate f int axiom a1 : f 1 axiom a2 : forall x [f x]. f x -> f (x+x) axiom a3 : forall x [f x]. f (x+x+x+1) -> f x goal g7 : f 7 why3-1.6.0/bench/memlimit/syracuse_peano.mlw000066400000000000000000000004461440160026300210450ustar00rootroot00000000000000type nat = Z | S nat function plus (x y:nat) : nat = match x with | Z -> y | S z -> S (plus z y) end predicate f nat axiom a1 : f (S Z) axiom a2 : forall x [f x]. f x -> f (plus x x) axiom a3 : forall x [f x]. f (plus (plus x x) (plus x (S Z))) -> f x goal g3 : f (S (S (S Z))) why3-1.6.0/bench/parsing-bench000077500000000000000000000022361440160026300161340ustar00rootroot00000000000000#!/bin/sh # This checks specifically error messages dir=`dirname $0` updateoracle=false files="" while test $# != 0; do case "$1" in "-update-oracle") updateoracle=true;; "-"*) printf "unknown option: %s\n" "$1" printf "usage: parsing-bench [-update-oracle] \n" printf " must be given without the '.mlw' suffix\n" printf " if empty, use all files from directory 'parsing/bad'\n" exit 2;; *) files="$files $1" esac shift done if test "$files" = "" ; then files="$dir/parsing/bad/*.mlw" fi run () { printf " $1... " f="$1" $dir/../bin/why3.opt prove --parse-only "$1.mlw" 2> "$f.out" if cmp "$f.oracle" "$f.out" > /dev/null 2>&1 ; then echo "ok" else if $updateoracle; then echo "Updating oracle for $1" mv "$f.out" "$f.oracle" else echo "failed!" echo "diff is the following:" touch "$f.oracle" diff -u "$f.oracle" "$f.out" exit 1 fi fi } for file in $files; do filedir=`dirname $file` filebase=`basename $file .mlw` run $filedir/$filebase done why3-1.6.0/bench/parsing/000077500000000000000000000000001440160026300151265ustar00rootroot00000000000000why3-1.6.0/bench/parsing/bad/000077500000000000000000000000001440160026300156545ustar00rootroot00000000000000why3-1.6.0/bench/parsing/bad/498.mlw000066400000000000000000000000241440160026300167150ustar00rootroot00000000000000let val () : () = 1 why3-1.6.0/bench/parsing/bad/498.oracle000066400000000000000000000002571440160026300173730ustar00rootroot00000000000000File "bench/parsing/bad/498.mlw", line 1, characters 4-7: syntax error: expected function name must be a non-reserved uncapitalized identifier (token LIDENT_NQ), found "val" why3-1.6.0/bench/parsing/bad/498_function.mlw000066400000000000000000000000271440160026300206250ustar00rootroot00000000000000function let int : int why3-1.6.0/bench/parsing/bad/498_function.oracle000066400000000000000000000002711440160026300212740ustar00rootroot00000000000000File "bench/parsing/bad/498_function.mlw", line 1, characters 9-12: syntax error: expected function name must be a non-reserved uncapitalized identifier (token LIDENT_NQ), found "let" why3-1.6.0/bench/parsing/bad/decl_after_module.mlw000066400000000000000000000000311440160026300220240ustar00rootroot00000000000000module M end let x = x why3-1.6.0/bench/parsing/bad/decl_after_module.oracle000066400000000000000000000001661440160026300225030ustar00rootroot00000000000000File "bench/parsing/bad/decl_after_module.mlw", line 5, characters 0-9: trying to open a module inside another module why3-1.6.0/bench/parsing/bad/func_lit1.mlw000066400000000000000000000000701440160026300202560ustar00rootroot00000000000000 function f (x: int) : int -> int = [|_ => 1; _ => "a"|]why3-1.6.0/bench/parsing/bad/func_lit1.oracle000066400000000000000000000001171440160026300207260ustar00rootroot00000000000000File "bench/parsing/bad/func_lit1.mlw", line 2, characters 45-46: syntax error why3-1.6.0/bench/parsing/bad/func_lit2.mlw000066400000000000000000000000421440160026300202560ustar00rootroot00000000000000 function f () : int -> int = [||]why3-1.6.0/bench/parsing/bad/func_lit2.oracle000066400000000000000000000001171440160026300207270ustar00rootroot00000000000000File "bench/parsing/bad/func_lit2.mlw", line 2, characters 31-33: syntax error why3-1.6.0/bench/parsing/bad/func_lit3.mlw000066400000000000000000000000171440160026300202610ustar00rootroot00000000000000let f () = [||]why3-1.6.0/bench/parsing/bad/func_lit3.oracle000066400000000000000000000001171440160026300207300ustar00rootroot00000000000000File "bench/parsing/bad/func_lit3.mlw", line 1, characters 13-15: syntax error why3-1.6.0/bench/parsing/bad/issue_172.mlw000066400000000000000000000001221440160026300201110ustar00rootroot00000000000000module Unknown lemma err: x1 = (fun x2 -> let x3 = x4 in let x5 x6) -> true end why3-1.6.0/bench/parsing/bad/issue_172.oracle000066400000000000000000000001171440160026300205630ustar00rootroot00000000000000File "bench/parsing/bad/issue_172.mlw", line 2, characters 53-54: syntax error why3-1.6.0/bench/parsing/bad/module_in_module1.mlw000066400000000000000000000000261440160026300217740ustar00rootroot00000000000000type t module M end why3-1.6.0/bench/parsing/bad/module_in_module1.oracle000066400000000000000000000001661440160026300224470ustar00rootroot00000000000000File "bench/parsing/bad/module_in_module1.mlw", line 3, characters 0-6: trying to open a module inside another module why3-1.6.0/bench/parsing/bad/module_in_module2.mlw000066400000000000000000000000311440160026300217710ustar00rootroot00000000000000let x = x module M end why3-1.6.0/bench/parsing/bad/module_in_module2.oracle000066400000000000000000000001661440160026300224500ustar00rootroot00000000000000File "bench/parsing/bad/module_in_module2.mlw", line 3, characters 0-6: trying to open a module inside another module why3-1.6.0/bench/parsing/bad/module_name.mlw000066400000000000000000000000211440160026300206530ustar00rootroot00000000000000module name end why3-1.6.0/bench/parsing/bad/module_name.oracle000066400000000000000000000002511440160026300213260ustar00rootroot00000000000000File "bench/parsing/bad/module_name.mlw", line 1, characters 7-11: syntax error: expected module name must be an capitalized identifier (token UIDENT_NQ), found "name" why3-1.6.0/bench/parsing/bad/ref_while.mlw000066400000000000000000000000221440160026300203330ustar00rootroot00000000000000let x = ref while why3-1.6.0/bench/parsing/bad/ref_while.oracle000066400000000000000000000001171440160026300210060ustar00rootroot00000000000000File "bench/parsing/bad/ref_while.mlw", line 1, characters 12-17: syntax error why3-1.6.0/bench/plugins/000077500000000000000000000000001440160026300151445ustar00rootroot00000000000000why3-1.6.0/bench/plugins/helloworld.drv000066400000000000000000000002011440160026300200250ustar00rootroot00000000000000plugin "helloworld.cmo" "helloworld.cmxs" printer "helloworld" filename "%f-%t-%s.hw" transformations "helloworld" endwhy3-1.6.0/bench/plugins/helloworld.ml000066400000000000000000000031421440160026300176510ustar00rootroot00000000000000(**************************************************************************) (* *) (* Copyright (C) 2010- *) (* François Bobot *) (* Jean-Christophe Filliâtre *) (* Claude Marché *) (* Andrei Paskevich *) (* *) (* This software is free software; you can redistribute it and/or *) (* modify it under the terms of the GNU Library General Public *) (* License version 2.1, with the special exception on linking *) (* described in file LICENSE. *) (* *) (* This software is distributed in the hope that it will be useful, *) (* but WITHOUT ANY WARRANTY; without even the implied warranty of *) (* MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. *) (* *) (**************************************************************************) open Why let print_context _ _ _ ?old:_ fmt _ = Format.fprintf fmt "helloworld@\n" let transform_context = Trans.identity let () = Printer.register_printer "helloworld" print_context; Trans.register_transform "helloworld" transform_context why3-1.6.0/bench/plugins/mlcfg/000077500000000000000000000000001440160026300162345ustar00rootroot00000000000000why3-1.6.0/bench/plugins/mlcfg/absurd_and_return.mlcfg000066400000000000000000000004731440160026300227530ustar00rootroot00000000000000(* Regression test which verifies that return and absurd are usuable in CFG modules in normal declarations. *) module AbsurdAndReturnInMlCfg let uses_return () = return () let not_true () = absurd let cfg uses_absurd (b : bool) : () = { switch (b) | True -> absurd | False -> return () end } end why3-1.6.0/bench/plugins/mlcfg/bad/000077500000000000000000000000001440160026300167625ustar00rootroot00000000000000why3-1.6.0/bench/plugins/mlcfg/bad/bad.mlcfg000066400000000000000000000001321440160026300205160ustar00rootroot00000000000000 module M let cfg f () : unit = { goto L } L { goto L } end why3-1.6.0/bench/plugins/simplify_array.drv000066400000000000000000000004431440160026300207140ustar00rootroot00000000000000plugin "simplify_array.cmo" "simplify_array.cmxs" printer "why3" filename "%f-%t-%s.why" transformations "simplify_array" end theory BuiltIn syntax type int "int" syntax type real "real" syntax logic (_=_) "(%1 = %2)" syntax logic (_<>_) "(%1 <> %2)" end why3-1.6.0/bench/programs/000077500000000000000000000000001440160026300153155ustar00rootroot00000000000000why3-1.6.0/bench/programs/bad-to-keep/000077500000000000000000000000001440160026300174055ustar00rootroot00000000000000why3-1.6.0/bench/programs/bad-to-keep/at1.mlw000066400000000000000000000002401440160026300206070ustar00rootroot00000000000000module M use int.Int use ref.Ref let test (a: (ref int, int)) ensures { let (x, _) = a in !x = (old !x) + 1 } = let (r,_) = a in r := !r + 1 end why3-1.6.0/bench/programs/bad-to-keep/old2.mlw000066400000000000000000000002451440160026300207670ustar00rootroot00000000000000module M use int.Int use ref.Ref let test1 (x: ref int) ensures { !x >= old !x } requires { !x >= 0} = x := !x - 1; assert { !x >= old !x } end why3-1.6.0/bench/programs/bad-to-keep/old3.mlw000066400000000000000000000002021440160026300207610ustar00rootroot00000000000000(* old not allowed in programs *) module Test use ref.Refint let test (x: ref int) = if !x = old !x then 1 else 2 end why3-1.6.0/bench/programs/bad-typing/000077500000000000000000000000001440160026300173535ustar00rootroot00000000000000why3-1.6.0/bench/programs/bad-typing/166_non_val_constants.mlw000066400000000000000000000001401440160026300242130ustar00rootroot00000000000000type t constant a : t val function f t : int use ref.Ref let test (x:ref int) : unit = x := f a why3-1.6.0/bench/programs/bad-typing/60_at_in_tasks.mlw000066400000000000000000000000661440160026300227020ustar00rootroot00000000000000 module T goal g : forall x:int. x = (x at L) end why3-1.6.0/bench/programs/bad-typing/alias1.mlw000066400000000000000000000002151440160026300212440ustar00rootroot00000000000000module M use ref.Ref let foo (x : ref int) (y : ref int) = x := 1; y := 2 val r : ref int let test () = foo r r end why3-1.6.0/bench/programs/bad-typing/alias2.mlw000066400000000000000000000002051440160026300212440ustar00rootroot00000000000000module M use ref.Ref let foo (x : ref int) (y : ref int) = x := 1; y := 2 let test (x : ref int) = foo x x end why3-1.6.0/bench/programs/bad-typing/alias3.mlw000066400000000000000000000002171440160026300212500ustar00rootroot00000000000000module M use ref.Ref let foo (x : ref int) (y : ref int) = x := 1; y := 2 let test () = let x = ref 0 in foo x x end why3-1.6.0/bench/programs/bad-typing/alias4.mlw000066400000000000000000000001751440160026300212540ustar00rootroot00000000000000module M use ref.Ref val r : ref int let foo (x : ref int) = x := 1; r := 2 let test () = foo r end why3-1.6.0/bench/programs/bad-typing/alias5.mlw000066400000000000000000000002201440160026300212440ustar00rootroot00000000000000module M use ref.Ref let foo (x : ref int) (y: ref int) = x := 1; y := 2 val r : ref int let rec test () = foo r r end why3-1.6.0/bench/programs/bad-typing/alias6.mlw000066400000000000000000000002651440160026300212560ustar00rootroot00000000000000module Bad use ref.Ref let f (r: ref int) (x: 'a) : unit ensures { x = old x /\ !r = 0 } = r := 0 let bad () ensures { false } = let r = ref 1 in f r r end why3-1.6.0/bench/programs/bad-typing/effect1.mlw000066400000000000000000000001121440160026300214030ustar00rootroot00000000000000 module M use ref.Ref val f (x:int) : unit writes {a.contents} end why3-1.6.0/bench/programs/bad-typing/effect2.mlw000066400000000000000000000001141440160026300214060ustar00rootroot00000000000000 module M use ref.Ref val f (x:int) : unit writes { x.contents } end why3-1.6.0/bench/programs/bad-typing/effect3.mlw000066400000000000000000000001331440160026300214100ustar00rootroot00000000000000 module M use ref.Ref val a : int val f (x:int) : unit writes { a.contents } end why3-1.6.0/bench/programs/bad-typing/effect4.mlw000066400000000000000000000001521440160026300214120ustar00rootroot00000000000000 module M use ref.Ref val foo (_x : int) : int val f (x:int) : unit writes { foo.contents } end why3-1.6.0/bench/programs/bad-typing/effect5.mlw000066400000000000000000000000641440160026300214150ustar00rootroot00000000000000 module M val f (x:int) : unit writes { 1 } end why3-1.6.0/bench/programs/bad-typing/effect6.mlw000066400000000000000000000000621440160026300214140ustar00rootroot00000000000000 module M val f (x:int) : unit writes {x} end why3-1.6.0/bench/programs/bad-typing/effect7.mlw000066400000000000000000000003231440160026300214150ustar00rootroot00000000000000module Bad use int.Int use ref.Ref let f (x y : ref int) : unit requires { !x = !y } ensures { !x = !y + 1 } = x := !x + 1 let g () : unit = let r = ref 0 in f r r; absurd end why3-1.6.0/bench/programs/bad-typing/escape1.mlw000066400000000000000000000002351440160026300214150ustar00rootroot00000000000000module M use ref.Ref (* reference would escape its scope *) let test () = let x = ref 0 in fun y -> ensures { result = !x } x := y; !x end why3-1.6.0/bench/programs/bad-typing/escape2.mlw000066400000000000000000000001751440160026300214210ustar00rootroot00000000000000module M use ref.Ref (* reference would escape its scope *) let test () = let x = ref 0 in fun y -> !x end why3-1.6.0/bench/programs/bad-typing/false_alias.mlw000066400000000000000000000007151440160026300223420ustar00rootroot00000000000000 use int.Int use ref.Ref exception Exit let funny () = exception FixRegion (ref int) in let fixed_ref (i : int) : unit ensures { false } raises { FixRegion r -> !r = i } = raise FixRegion (ref i) in let r1 = try fixed_ref 42; absurd with FixRegion r -> r end in try begin ensures { false } let r2 = try fixed_ref 17; absurd with FixRegion r -> r end in r2 := !r2 + 1; raise Exit end with Exit -> () end; assert { !r1 = 18 } why3-1.6.0/bench/programs/bad-typing/false_alias2.mlw000066400000000000000000000006241440160026300224230ustar00rootroot00000000000000 use int.Int use ref.Ref let funny () = exception FixRegion (ref int) in let fixed_ref (i : int) : unit ensures { false } raises { FixRegion r -> !r = i } = raise FixRegion (ref i) in let r1 = try fixed_ref 42; absurd with FixRegion r -> r end in begin let r2 = try fixed_ref 17; absurd with FixRegion r -> r end in r2 := !r2 + 1 end ensures { true }; assert { !r1 = 18 } why3-1.6.0/bench/programs/bad-typing/for2.mlw000066400000000000000000000001061440160026300207410ustar00rootroot00000000000000 module M use int.Int let foo () = for i = 1 to () do () done end why3-1.6.0/bench/programs/bad-typing/ghost1.mlw000066400000000000000000000004601440160026300213010ustar00rootroot00000000000000module TestGhost use int.Int use list.List use ref.Ref type t = { f1 : int; ghost f2 : (int,list int) } let test1 (x: int) (y: t) = ensures { result = y.f1 } let r1 = ref x in let _ = match y with | { f1 = i; f2 = (_,Nil) } -> r1 := i | _ -> () end in !r1 end why3-1.6.0/bench/programs/bad-typing/ghost2.mlw000066400000000000000000000003761440160026300213100ustar00rootroot00000000000000module TestGhost use int.Int use list.List use ref.Ref type t = { f1 : int; ghost f2 : int } exception Found int let test1 (x: int) (y: t) ensures { result = y.f1 } = try raise (Found y.f2) with Found _ -> y.f1 end end why3-1.6.0/bench/programs/bad-typing/ghost3.mlw000066400000000000000000000003241440160026300213020ustar00rootroot00000000000000module Horror use ref.Ref let bad (ghost i : int) : ref int ensures { !result = i } = let r = ref 0 in r := i; r let good (ghost i : int) : int ensures { result = i } = !(bad i) end why3-1.6.0/bench/programs/bad-typing/ghost4.mlw000066400000000000000000000003311440160026300213010ustar00rootroot00000000000000module M type t = { ghost a : bool; b : int; c : int } let bad (z : t) : int ensures { result = if z.a then z.b else z.c } = match z with | { a = True; b = x } | { a = False; c = x } -> x end end why3-1.6.0/bench/programs/bad-typing/polyrec1.mlw000066400000000000000000000012011440160026300216240ustar00rootroot00000000000000module Bad use ref.Ref val function comp 'a 'a : int let test () = let rec f x y = (* the arguments of [g] share the region, but we don't know it yet, and specialize [g] as fully region polymorpic. Since we do not compute the fixed point during type inference, the type of [f] will be erroneously over-generalized, the types of [x] and [y] won't be unified, and we will have a region mismatch on [g x y] when building the expression. This is why recursive functions must be completely alias-free. *) g x y with g u v = u := comp u v in () end why3-1.6.0/bench/programs/bad-typing/polyrec2.mlw000066400000000000000000000012271440160026300216350ustar00rootroot00000000000000module Bad use ref.Ref val function comp 'a 'a : int let test () = let r = ref 0 in let rec f x = (* the argument of [g] shares the region with [r], but we don't know it yet, and specialize [g] as fully region polymorpic. Since we do not compute the fixed point during type inference, the type of [f] will be erroneously over-generalized, the types of [x] and [r] won't be unified, and we will have a region mismatch on [g x] when building the expression. This is why recursive functions must be completely alias-free. *) g x with g u = u := comp u r in () end why3-1.6.0/bench/programs/bad-typing/polyrec3.mlw000066400000000000000000000015621440160026300216400ustar00rootroot00000000000000module Bad use ref.Ref val function comp 'a 'a : () let test z = let rec f x = (* the argument of [g] shares the type variable with [z], but we don't know it yet, and specialize [g] as fully type polymorphic, because of its explicit type signature. Since we do not compute the fixed point during type inference, the type of [f] will be erroneously over-generalized, the types of [x] and [z] won't be unified, and we will have a type mismatch on [g x] when building the expression. This is why recursive functions with explicit signatures must either be polymorphic in a given type variable or that type variable must appear explicitly in the context of the recursive definition (here, in the type of [z]). *) g x with g (u : 'a) : unit = comp u z in () end why3-1.6.0/bench/programs/bad-typing/polyref1.mlw000066400000000000000000000000571440160026300216370ustar00rootroot00000000000000module M use ref.Ref val r : ref 'a end why3-1.6.0/bench/programs/bad-typing/polyref3.mlw000066400000000000000000000001061440160026300216340ustar00rootroot00000000000000module M use ref.Ref use list.List val r : ref (list 'a) end why3-1.6.0/bench/programs/bad-typing/reset1.mlw000066400000000000000000000003121440160026300212730ustar00rootroot00000000000000module Bad use int.Int use ref.Ref type dref 'a = { mutable dcontents : ref 'a } let one (x : dref 'a) (y : ref 'a) ensures { !(x.dcontents) = !(old y) } = x.dcontents <- y; y end why3-1.6.0/bench/programs/bad-typing/reset2.mlw000066400000000000000000000002751440160026300213040ustar00rootroot00000000000000module Bad use int.Int use ref.Ref type dref 'a = { mutable dcontents : ref 'a } let one (x : dref 'a) (y : ref 'a) ensures { !(x.dcontents) = !y } = x.dcontents <- y end why3-1.6.0/bench/programs/bad-typing/unbound_label.mlw000066400000000000000000000000671440160026300227100ustar00rootroot00000000000000 module T let f () = assert { 42 = 42 at Foo } end why3-1.6.0/bench/programs/bad-typing/unbound_var.mlw000066400000000000000000000000431440160026300224130ustar00rootroot00000000000000module M let p (x:int) = y end why3-1.6.0/bench/programs/bad-typing/variant1.mlw000066400000000000000000000002331440160026300216170ustar00rootroot00000000000000 module M use int.Int (* missing variant *) let rec even (x:int) : int variant {x} = odd (x-1) with odd (x:int) : int = even (x-1) end why3-1.6.0/bench/programs/bad-typing/variant2.mlw000066400000000000000000000003131440160026300216170ustar00rootroot00000000000000 (* different relations *) module M use int.Int predicate rel int int let rec even (x:int) : int variant {x with rel} = odd (x-1) with odd (x:int) : int variant {x} = even (x-1) end why3-1.6.0/bench/programs/bad-typing/variant3.mlw000066400000000000000000000004241440160026300216230ustar00rootroot00000000000000 (* Different instances of a polymorphic relation. *) module M use list.List predicate rel (a b:list 'a) let rec aux (a:list int) : unit variant { a with rel } = aux2 Nil with aux2 (a:list unit) : unit variant { a with rel } = aux Nil end why3-1.6.0/bench/programs/bad-typing/with1.mlw000066400000000000000000000001671440160026300211340ustar00rootroot00000000000000module M use int.Int type t 'a = { a: 'a; b: bool; c: 'a } let test1 (x: t bool) = { x with a = 0 } end why3-1.6.0/bench/programs/bad-typing/with2.mlw000066400000000000000000000002011440160026300211220ustar00rootroot00000000000000module M use int.Int type t 'a = { a: 'a; b: bool; c: 'a } let test1 (x: t bool) = { x with a = 0; c = True } end why3-1.6.0/bench/programs/good/000077500000000000000000000000001440160026300162455ustar00rootroot00000000000000why3-1.6.0/bench/programs/good/346_unused_variables_2.mlw000066400000000000000000000002111440160026300231300ustar00rootroot00000000000000use int.Int (* Should not output any unused variable *) val v (x : int) (y : int) : bool ensures {x = y <-> result} ensures {x = y} why3-1.6.0/bench/programs/good/346_unused_variables_9.mlw000066400000000000000000000004511440160026300231450ustar00rootroot00000000000000use int.Int exception E exception F exception G exception H int val f (x y z: int) : int ensures { x = 42 } ensures { result = 43 } ensures { x = 45 } raises { F -> x = -42 } raises { E -> x <> x } raises { G -> x = z } raises { H res -> y = 42 } why3-1.6.0/bench/programs/good/booleans.mlw000066400000000000000000000022571440160026300205760ustar00rootroot00000000000000 use int.Int use ref.Ref val incr (x:ref int) : unit writes {x} ensures { !x = old !x + 1 } val x : ref int val id_not_0 (x:int) : int requires { x <> 0 } ensures { result = x } val id (x:int) : int ensures { result = x } let test_and_1 () ensures { result = 1 } = if (incr x; !x > 0) && id !x = 1 then !x else 0+1 let test_and_2 () requires { !x <> 0 } ensures { result = 1 } = if id_not_0 !x >= 1 && !x <= 1 then !x else 0+1 let test_or_1 () ensures { result = 1 -> !x <> 0 } = if (incr x; !x > 0) || !x < 0 then 1 else 2 let test_or_2 () ensures { 0 <= result <= 1 } = if !x = 0 || !x = 1 then !x else 1 let test_not_1 () ensures { !x = 0 } = if not (!x = 0) then x := 0 let test_not_2 () requires { !x <= 0 } ensures { !x = 0 } diverges = while not (!x = 0) do invariant { !x <= 0 } incr x done let test_all_1 () ensures { result=True <-> !x>=1 } = (!x >= 0 && not (!x = 0) || !x >= 1) (* from Cesar Munoz's CD3D *) val constant d : int val vx : ref int val vy : ref int val sq (x:int) : int ensures { result = x*x } let test_cd3d () ensures { result=1 -> !vx=0 /\ !vy=0 } = if !vx=0 && !vy=0 && sq !vx + sq !vy < sq d then 1 else 2 why3-1.6.0/bench/programs/good/complex_arg_1.mlw000066400000000000000000000002251440160026300215050ustar00rootroot00000000000000 exception Exception val f0 (tt:unit) : unit val f1 (_tt:unit) : unit raises { Exception } let f () raises { Exception -> true } = f0 (f1 ()) why3-1.6.0/bench/programs/good/complex_arg_2.mlw000066400000000000000000000002551440160026300215110ustar00rootroot00000000000000 exception Exception int use ref.Ref val t : ref int val m (_a:int) (_b:int) : unit raises { Exception } let test () raises { Exception } = (m ( assert { true } ; 0) 0) why3-1.6.0/bench/programs/good/exceptions.mlw000066400000000000000000000004461440160026300211530ustar00rootroot00000000000000module M use int.Int use ref.Ref exception Break let f (n : int) : int ensures { result <= 10 } = let i = ref n in try while (!i > 0) do invariant { true } variant { !i } if (!i <= 10) then raise Break; i := !i - 1 done with Break -> () end; !i end why3-1.6.0/bench/programs/good/exns.mlw000066400000000000000000000046361440160026300177540ustar00rootroot00000000000000module M (* exception without argument *) exception E let p1 () ensures { false } raises { E -> true } = raise E : unit (* exception with an argument *) exception F int let p2 () ensures { false } raises { F result -> result = 1 } = raise (F 1) : unit let p2a () ensures { false } raises { E -> true | F _ -> false } = raise (F (raise E : int)) : unit (* composition of exceptions with other constructs *) let p3 () ensures { false } raises { F result -> result = 1 } = begin raise (F 1); raise (F 2) : unit end let p4 () ensures { false } raises { F result -> result = 1 } = (if True then raise (F 1) else raise (F 2)) : unit let p5 () ensures { false } raises { E -> false | F result -> result = 1 } = begin if True then raise (F 1); raise E : unit end let p6 () ensures { false } raises { E -> true | F _ -> false } = begin if False then raise (F 1); raise E : unit end (* composition of exceptions with side-effect on a reference *) use int.Int use ref.Ref val x : ref int let p7 () ensures { false } raises { E -> !x = 1 } = begin x := 1; raise E; x := 2 end let p8 () ensures { false } raises { F result -> !x = 1 /\ result = 1 } = begin x := 1; raise (F !x); x := 2 end let p9 () ensures { false } raises { F result -> !x = 1 /\ result = 1 } = (raise (F begin x := 1; !x end) : unit) (* try / with *) let p10 () ensures { result = 0 } = (try raise E : int with E -> 0 end) let p11 () ensures { result = 1 } = (try raise (F 1) : int with F x -> x end) let p12 () ensures { result = 2 } = try begin raise E; raise (F 1); 1 end with E -> 2 | F _ -> 3 end let p13 () ensures { !x = 2 } = try begin raise E; raise (F 1); x := 1 end with E -> x := 2 | F _ -> x := 3 end let p13a () ensures { !x <> 1 } = try (if !x = 1 then raise E) (*{ true | E => x = 1 }*) with E -> x := 0 end exception E1 exception E2 exception E3 let p14 () ensures { false } raises { | E1 -> !x = 1 | E2 -> !x = 2 | E3 -> !x = 3 | E -> !x <> 1 /\ !x <> 2 /\ !x <> 3 } = begin if !x = 1 then raise E1; if !x = 2 then raise E2; if !x = 3 then raise E3; raise E : unit end let p15 () ensures { false } raises { E -> !x=0 | F result -> result=0 } = if !x = 0 then raise E else (x := 0; raise (F !x)) : unit let p16 () ensures { !x<>0 } raises { E -> !x=1 } = if !x = 0 then (x:=1; raise E) let p17 () ensures { false } raises { E -> !x=0 } = (x := 0; (raise E; x := 1)) end why3-1.6.0/bench/programs/good/for.mlw000066400000000000000000000025701440160026300175600ustar00rootroot00000000000000module M use int.Int use ref.Ref (* for loop with invariant *) let test1 () = let x = ref 0 in for i = 1 to 10 do invariant { !x = i-1 } x := !x + 1 done; assert { !x = 10 } (* we don't even enter *) let test2 () = let x = ref 0 in for i = 2 to 1 do invariant { !x = 0 } x := 1 done; assert { !x = 0 } exception E (* the body raises an exception (for sure) subtle: the invariant is required *) let test3 () ensures { false } raises { E -> true } = for i = 1 to 10 do invariant { i >= 2 -> false } raise E done (* the body may raise an exception *) let test4 x ensures { result=True <-> 0 <= x <= 10 } = try for i = 0 to 10 do invariant { x < 0 \/ x >= i } if i = x then raise E done; False with E -> True end (* and now downto *) let test1d () = let x = ref 11 in for i = 10 downto 1 do invariant { !x = i+1 } x := !x - 1 done; assert { !x = 1 } let test2d () = let x = ref 0 in for i = 1 downto 2 do invariant { !x = 0 } x := 1 done; assert { !x = 0 } let test3d () ensures { false } raises { E -> true } = for i = 10 downto 1 do invariant { i < 10 -> false } raise E done let test4d x ensures { result=True <-> 0 <= x <= 10 } = try for i = 10 downto 0 do invariant { x > 10 \/ x <= i } if i = x then raise E done; False with E -> True end end why3-1.6.0/bench/programs/good/labels.mlw000066400000000000000000000003341440160026300202300ustar00rootroot00000000000000module Labels use int.Int use ref.Ref function fst (x: ('a, 'b)) : 'a = let (x1, _) = x in x1 let test (a: (ref int, int)) ensures { !(fst a) = (old !(fst a)) + 1 } = let (r,_) = a in r := !r + 1 end why3-1.6.0/bench/programs/good/list.mlw000066400000000000000000000004141440160026300177400ustar00rootroot00000000000000module M use int.Int use list.List use list.Length let rec append (l1 : list 'a) (l2 : list 'a) variant { length l1 } ensures { length result = length l1 + length l2 } = match l1 with | Nil -> l2 | Cons x r -> Cons x (append r l2) end end why3-1.6.0/bench/programs/good/loops.mlw000066400000000000000000000011461440160026300201240ustar00rootroot00000000000000module M use int.Int use ref.Ref (** 1. A loop increasing [i] up to 10. *) val i : ref int let loop1 (_u:unit) requires { !i <= 10 } ensures { !i = 10 } = while !i < 10 do invariant { !i <= 10 } variant { 10 - !i } i := !i + 1 done (** 2. The same loop, followed by a function call. *) val x: ref int let negate (_u:unit) ensures { !x = - (old !x) } = x := - !x let loop2 (_u:unit) requires { !x <= 10 } = begin while !x < 10 do invariant { !x <= 10 } variant { 10 - !x } x := !x + 1 done; assert { !x = 10 }; if !x > 0 then (negate ()); assert { !x = -10 } end end why3-1.6.0/bench/programs/good/mutual.mlw000066400000000000000000000006611440160026300203000ustar00rootroot00000000000000module M use int.Int use int.EuclideanDivision predicate even (x : int) = x = 2 * (div x 2) predicate odd (x : int) = x = 2 * (div x 2) + 1 let rec is_even x : bool variant {x} requires { 0 <= x } ensures { result = even x } = if x = 0 then True else is_odd (x-1) with is_odd x : bool variant {x} requires { 0 <= x } ensures { result = odd x } = if x = 0 then False else is_even (x-1) end why3-1.6.0/bench/programs/good/mutual_exns.mlw000066400000000000000000000002661440160026300213360ustar00rootroot00000000000000module T use int.Int exception MyExc (* g can raise MyExc *) let rec f (_x: int) : int raises {MyExc} = raise MyExc with g (x : int) : int raises {MyExc} = f x end why3-1.6.0/bench/programs/good/oldify.mlw000066400000000000000000000006261440160026300202600ustar00rootroot00000000000000module M use ref.Ref predicate q1 int int int val r : ref int val f1 (y:int) : unit writes {r} ensures { q1 !r (old !r) y } let g1 () ensures { q1 !r (old !r) (old !r) } = f1 !r val function foo int : int predicate q int int int val f (t:ref int) (x:int) : unit writes {t} ensures { q !t (old !t) x } let g (t:ref int) ensures { q !t (old !t) (foo (old !t)) } = f t (foo !t) end why3-1.6.0/bench/programs/good/po.mlw000066400000000000000000000032411440160026300174040ustar00rootroot00000000000000module M use int.Int use ref.Ref (* Tests for proof obligations. *) val x : ref int predicate q int (* basic stuff: assignment, sequence and local variables *) let p1 () requires { q (!x+1) } ensures { q !x } = x := !x + 1 let p2 () requires { q 7 } ensures { q !x } = x := 3 + 4 let p3 () ensures { !x = (old !x) + 3 } = x := !x + 1; x := !x + 2 let p4 () ensures { !x = 14 } = x := 7; x := 2 * !x let p5 () ensures { result = 7 } = 3 + 4 let p6 () ensures { result = 7 } = let a = 3 in a + 4 let p7 () ensures { result = 11 } = 3 + (let a = 4 in a + a) (* side effects in function arguments *) let p8 () requires { q (!x+1) } ensures { q !x /\ result = (old !x) + 4 } = 3 + begin x := !x + 1; !x end (* evaluation order (argument first) *) let p9 () ensures { result = 2 /\ !x = 2 } = begin x := 1; 1 end + begin x := 2; 1 end let p9a () ensures { result = 2 /\ !x = 1 } = begin x := 1; 1 end + 1 (* function with a post-condition *) val fsucc (x:int) : int ensures { result = x + 1 } let p10 () ensures { result = 1 } = fsucc 0 let p11 () ensures { result = 5 } = (fsucc 0) + (fsucc 3) let p11a () ensures { result = 4 } = let a = (fsucc 1) in a + a (* function with a post-condition and side-effects *) val incrx () : unit writes {x} ensures { !x = (old !x) + 1 } let p12 () requires { !x = 0 } ensures { !x = 1 } = incrx () let p13 () ensures { !x = (old !x) + 2 } = incrx (); incrx () let p13a () ensures { !x = (old !x) + 2 } = incrx (incrx ()) (* function with side-effects, result and post-condition *) val incrx2 () : int writes {x} ensures { !x = old !x + 1 /\ result = !x } let p14 () requires { !x = 0 } ensures { result = 1 } = incrx2 () end why3-1.6.0/bench/programs/good/poly.mlw000066400000000000000000000001661440160026300177540ustar00rootroot00000000000000module M let f (x:'a) ensures { result=x } = x let p () ensures { result = 1 } = if f True then f 1 else f 2 end why3-1.6.0/bench/programs/good/rec_oldies.mlw000066400000000000000000000003461440160026300211010ustar00rootroot00000000000000use int.Int use ref.Ref let rec test (m n: ref int) : unit variant { !m } requires { !m >= 0 } ensures { !m = 0 /\ !n = !(old m) + !(old n) } = if !m > 0 then begin m := !m - 1; test m n; n := !n + 1 end why3-1.6.0/bench/programs/good/recfun.mlw000066400000000000000000000023121440160026300202460ustar00rootroot00000000000000module M use int.Int use ref.Ref (** Recursive functions *) (** 1. Pure function *) let rec f1 (x:int) : int variant { x } requires { x >= 0 } ensures { result = 0 } = if x > 0 then (f1 (x-1)) else x (** 2. With effects but no argument *) val x : ref int let rec f2 (_u:unit) : unit variant { !x } requires { !x >= 0 } ensures { !x = 0 } = if !x > 0 then begin x := !x - 1; f2 () end (** 3. With effects and a pure argument *) let rec f3 (a:int) : unit variant { a } requires { a >= 0 } ensures { !x = old !x + a } = if a > 0 then begin x := !x + 1; (f3 (a-1)) end (** 4. With effects and a reference as argument *) let rec f4 (a:ref int) : unit variant { !a } requires { !a >= 0 } ensures { !x = old !x + old !a } = if !a > 0 then begin x := !x + 1; a := !a - 1; f4 a end (** 5. The acid test: partial application of a recursive function with effects *) let rec f5 (a b:ref int) variant { !a } requires { !a >= 0 } ensures { result = old !a + old !b } = if !a = 0 then !b else begin a := !a - 1; b := !b + 1; f5 a b end let test_f5 () requires { !x >= 0 } ensures { result = old !x } = let b = ref 0 in let f = f5 x in f b end why3-1.6.0/bench/programs/good/scopes.mlw000066400000000000000000000005641440160026300202670ustar00rootroot00000000000000 module LocalFunctions use int.Int use ref.Ref (* local function (f) accessing a local reference (x) *) let test1 () = let x = ref 0 in let f (y: int) ensures { !x = old !x + y } = x := !x + y in f 2; assert { !x = 2 } val r: ref int (* recursive function accessing a global reference *) let rec test2 () ensures { !r = 0 } = r := 0 end why3-1.6.0/bench/programs/good/see.mlw000066400000000000000000000006301440160026300175410ustar00rootroot00000000000000module M use int.Int use ref.Ref (* Side effect in expressions (Bart Jacobs' tricky example) *) val b : ref int val b1 : ref int val b2 : ref int let f () ensures { result = !b /\ !b = 1 - old !b } = b := 1 - !b; !b let k () ensures { !b1 = 0 /\ !b2 = 1 } = begin b := 1; (* b := 0 for the left-to-right evaluation *) b1 := (1 - (f ())) + (f ()); b2 := (f ()) * (1 - (f ())) end end why3-1.6.0/bench/programs/good/set.mlw000066400000000000000000000017011440160026300175600ustar00rootroot00000000000000module M use int.Int use ref.Ref (* side effects in tests *) val x : ref int val set_and_test_zero (v:int) : bool writes {x} ensures { !x = v /\ if result=True then !x = 0 else !x <> 0 } let p () ensures { result = 1 } = if set_and_test_zero 0 then 1 else 2 val set_and_test_nzero (v:int) : bool writes {x} ensures { !x = v /\ if result=True then !x <> 0 else !x = 0 } let p2 (y:ref int) requires { !y >= 0 } ensures { !y = 0 } = while set_and_test_nzero !y do invariant { !y >= 0 } variant { !y } y := !y - 1 done let p3 (y:ref int) requires { !y >= 0 } ensures { !y = 0 } = while let b = set_and_test_nzero !y in b do invariant { !y >= 0 } variant { !y } y := !y - 1 done let p4 (y:ref int) requires { !y >= 1 } ensures { !y = 0 } = while begin y := !y - 1; (set_and_test_nzero !y) end do invariant { !y >= 1 } variant { !y } () done end why3-1.6.0/bench/programs/good/tuples.mlw000066400000000000000000000001041440160026300202750ustar00rootroot00000000000000 module T let test () = let _a,_b,_c,_d = (1,2,3,4) in () end why3-1.6.0/bench/programs/good/wpcalls.mlw000066400000000000000000000003301440160026300204270ustar00rootroot00000000000000module M use int.Int use ref.Ref val x : ref int val f () : unit writes {x} ensures { !x = 1 - old !x } let p () = label Init in let _t = () in (); (f ()); (f ()); assert { !x = !x at Init }; () end why3-1.6.0/bench/programs/warn-typing/000077500000000000000000000000001440160026300175745ustar00rootroot00000000000000why3-1.6.0/bench/programs/warn-typing/346_unused_warning.mlw000066400000000000000000000001271440160026300237410ustar00rootroot00000000000000use int.Int (* result unused *) val eq (x: int) (y: int) : bool ensures { x = y } why3-1.6.0/bench/programs/warn-typing/346_unused_warning_1.mlw000066400000000000000000000001301440160026300241530ustar00rootroot00000000000000use int.Int (* z unused *) function f (x : int) (y : int) : bool = forall z:int. x = y why3-1.6.0/bench/programs/warn-typing/346_unused_warning_3.mlw000066400000000000000000000001261440160026300241620ustar00rootroot00000000000000use int.Int (* y unused *) function g (x: int) (y: int) : bool = forall z:int. x = z why3-1.6.0/bench/programs/warn-typing/346_unused_warning_4.mlw000066400000000000000000000001411440160026300241600ustar00rootroot00000000000000use int.Int (* result unused *) let eq1 (x : int) (y : int) : bool ensures { x = y } = true why3-1.6.0/bench/programs/warn-typing/346_unused_warning_5.mlw000066400000000000000000000001501440160026300241610ustar00rootroot00000000000000use int.Int (* y unused *) let eq2 (x: int) (y : int) : bool ensures { result <-> (x = x) } = true why3-1.6.0/bench/programs/warn-typing/346_unused_warning_6.mlw000066400000000000000000000001001440160026300241550ustar00rootroot00000000000000use int.Int (* y is unused *) goal h : forall y x: int. x = 42 why3-1.6.0/bench/programs/warn-typing/346_unused_warning_7.mlw000066400000000000000000000001051440160026300241630ustar00rootroot00000000000000use int.Int (* x is unused *) predicate p (x: int) (y: int) = y = 0 why3-1.6.0/bench/programs/warn-typing/346_unused_warning_8.mlw000066400000000000000000000003441440160026300241710ustar00rootroot00000000000000use int.Int exception E exception F exception G exception H val f (x: int) : int ensures { x = 42 } raises { F -> x = -42 } raises { E -> x <> x } raises { G -> x = x } raises { H -> false } why3-1.6.0/bench/programs/warn-typing/label_scope.mlw000066400000000000000000000002271440160026300225660ustar00rootroot00000000000000 module T use ref.Ref let f () = label Foo in let x = ref 0 in assert { 42 = !x at Foo } (* variable x does not exist at Foo *) end why3-1.6.0/bench/replay/000077500000000000000000000000001440160026300147575ustar00rootroot00000000000000why3-1.6.0/bench/replay/11244.why000066400000000000000000000000601440160026300161570ustar00rootroot00000000000000theory T1 use int.Int goal G: 1 = 2 end why3-1.6.0/bench/replay/11244/000077500000000000000000000000001440160026300154325ustar00rootroot00000000000000why3-1.6.0/bench/replay/11244/why3session.xml000066400000000000000000000005771440160026300204630ustar00rootroot00000000000000 why3-1.6.0/bench/replay/13_compute_in.mlw000066400000000000000000000001511440160026300201420ustar00rootroot00000000000000 module Test use int.Int constant c : int axiom a : c * 0 + 15 = 2 + 3 + 6 goal g: True end why3-1.6.0/bench/replay/13_compute_in/000077500000000000000000000000001440160026300174245ustar00rootroot00000000000000why3-1.6.0/bench/replay/13_compute_in/why3session.xml000066400000000000000000000006331440160026300224460ustar00rootroot00000000000000 why3-1.6.0/bench/replay/14_simpl.mlw000066400000000000000000000001241440160026300171250ustar00rootroot00000000000000theory Test goal g10: if true then 1=1 else 3=4 goal g11: let x=1 in x=1 end why3-1.6.0/bench/replay/14_simpl/000077500000000000000000000000001440160026300164075ustar00rootroot00000000000000why3-1.6.0/bench/replay/14_simpl/why3session.xml000066400000000000000000000012531440160026300214300ustar00rootroot00000000000000 why3-1.6.0/bench/replay/15_destruct_alg.mlw000066400000000000000000000001071440160026300204630ustar00rootroot00000000000000 module Issue15 use list.List goal g: forall l:list 'a. l = Nil endwhy3-1.6.0/bench/replay/15_destruct_alg/000077500000000000000000000000001440160026300177445ustar00rootroot00000000000000why3-1.6.0/bench/replay/15_destruct_alg/why3session.xml000066400000000000000000000012111440160026300227570ustar00rootroot00000000000000 why3-1.6.0/bench/replay/17181.mlw000066400000000000000000000003621440160026300161620ustar00rootroot00000000000000 theory T scope A goal g:true end scope B goal g:false end end module A predicate p predicate q scope B let f () : unit ensures { p } = () end scope C let f () : unit ensures { q <-> p } = () end end why3-1.6.0/bench/replay/17181/000077500000000000000000000000001440160026300154405ustar00rootroot00000000000000why3-1.6.0/bench/replay/17181/why3session.xml000066400000000000000000000007271440160026300204660ustar00rootroot00000000000000 why3-1.6.0/bench/replay/33_reload_trans.mlw000066400000000000000000000000371440160026300204620ustar00rootroot00000000000000module T goal G: False end why3-1.6.0/bench/replay/33_reload_trans/000077500000000000000000000000001440160026300177415ustar00rootroot00000000000000why3-1.6.0/bench/replay/33_reload_trans/why3session.xml000066400000000000000000000011151440160026300227570ustar00rootroot00000000000000 why3-1.6.0/bench/steplimit/000077500000000000000000000000001440160026300154755ustar00rootroot00000000000000why3-1.6.0/bench/steplimit/step-limits.mlw000066400000000000000000000001421440160026300204650ustar00rootroot00000000000000 use int.Int goal g : forall x,y,z. x >= 1 -> y >= 1 -> z >= 1 -> x*x*x + y*y*y = z*z*z -> false why3-1.6.0/bench/test_mlw_printer000077500000000000000000000143371440160026300170220ustar00rootroot00000000000000#!/usr/bin/env python3 import sys import sexpdata import math import os from subprocess import Popen, PIPE, DEVNULL debug = os.environ.get("DEBUG") != None loads_kwargs = dict(nil=None, true=None) # Don't convert nil or #t in s-exp class CommandFailed(Exception): def __init__(self, msg): self.msg = msg class NotEqual(Exception): def __init__(self, path, sexp0, sexp1): self.path = path self.sexp0 = sexp0 self.sexp1 = sexp1 # Read a whyml file as a s-exp def read(why3, filename): p = Popen([why3, "pp", "--output=sexp", filename], stdout=PIPE, stderr=DEVNULL, encoding='utf8') s, _ = p.communicate() if p.returncode == 0: return sexpdata.loads(s, **loads_kwargs) if s else None else: raise CommandFailed("cannot print s-expr for original file (returncode={})" .format(p.returncode)) # Pretty-print a whyml file and read the result as a s-exp def print_and_read(why3, filename): p1 = Popen([why3, "pp", "--output=mlw", filename], stdout=PIPE, stderr=DEVNULL, encoding='utf8') p2 = Popen([why3, "pp", "--output=sexp", "-"], stdin=p1.stdout, stdout=PIPE, stderr=DEVNULL, encoding='utf8') s, _ = p2.communicate() if p2.returncode == 0: return sexpdata.loads(s, **loads_kwargs) if s else None else: raise CommandFailed("cannot print s-expr for pretty-printed output (returncode={})" .format(p2.returncode)) def is_location(sexp): try: return [type(x) for x in sexp] == [str, int, int, int] except: return False IGNORE_ID_ATTRS = [ "W:unused_variable:N", "extraction:array_make", "extraction:array", "induction", "mlw:reference_var", "infer", "useraxiom", "W:non_conservative_extension:N", "model_trace:flag", "model_trace:first_val", "model_trace:sec_val", "model_trace:TEMP_NAME", "model", "W:unmodified_variable:N" ] def keep_id_attr(at): try: # (ATstr ((attr_string "...") (attr_tag N))) variant, fields = at field0, field1 = fields field, value = field0 if variant.value() == 'ATstr' and field.value() == 'attr_string': return value not in IGNORE_ID_ATTRS else: return True except: return True def ignore_id_attrs(sexp): try: # (id_ats (at ...)) field, value = sexp if field.value() == 'id_ats': ats = [at for at in value if keep_id_attr(at)] return [sexp[0], ats] else: return sexp except: return sexp # Test for sexp ( _) def is_field(sexp, field_name): try: return len(sexp) == 2 and sexp[0].value() == field_name except: return False def assert_equal(path, sexp0, sexp1): if sexp0 == sexp1: return if is_location(sexp0) and is_location(sexp1): return # Don't bother with locations if is_field(sexp0, "attr_tag") and is_field(sexp1, "attr_tag"): return # Don't bother with tags if type(sexp0) == float and math.isnan(sexp0) and type(sexp1) == float and math.isnan(sexp1): return # nan != nan if type(sexp0) == list and type(sexp1) == list: while True: # Ignore additional parentheses try: if sexp0[0].value() == "PTparen" and sexp1[0].value() != "PTparen": path = path+[1] sexp0 = sexp0[1] elif sexp1[0].value() == "PTparen" and sexp0[0].value() != "PTparen": sexp1 = sexp1[1] elif sexp0[0].value() == "Pparen" and sexp1[0].value() != "Pparen": path = path+[1] sexp0 = sexp0[1][0][1] elif sexp1[0].value() == "Pparen" and sexp0[0].value() != "Pparen": sexp1 = sexp1[1][0][1] elif sexp0[0].value() == "Ptuple" and len(sexp0[1]) == 1 and sexp1[0].value() != "Ptuple": path = path+[1] sexp0 = sexp0[1][0][1] elif sexp1[0].value() == "Ptuple" and len(sexp1[1]) == 1 and sexp0[0].value() != "Ptuple": sexp1 = sexp1[1][0][1] elif ((sexp0[0].value() == "Tinfix" and sexp1[0].value() == "Tinnfix") or (sexp0[0].value() == "Tinnfix" and sexp1[0].value() == "Tinfix") or (sexp0[0].value() == "Tbinop" and sexp1[0].value() == "Tbinnop") or (sexp0[0].value() == "Tbinnop" and sexp1[0].value() == "Tbinop") or (sexp0[0].value() == "Einfix" and sexp1[0].value() == "Einnfix") or (sexp0[0].value() == "Einnfix" and sexp1[0].value() == "Einfix")): sexp0 = sexp0[1:] sexp1 = sexp1[1:] else: break except AttributeError: break sexp0 = ignore_id_attrs(sexp0) sexp1 = ignore_id_attrs(sexp1) if len(sexp0) > len(sexp1): raise NotEqual(path, sexp0, sexp1) if len(sexp0) < len(sexp1): raise NotEqual(path, sexp0, sexp1) for i, (s0, s1) in enumerate(zip(sexp0, sexp1)): assert_equal(path+[i], s0, s1) else: raise NotEqual(path, sexp0, sexp1) def trace(path, sexp, sexp1): if path == []: return [sexpdata.Symbol("ERROR"), [sexpdata.Symbol("EXPECTED"), sexp], [sexpdata.Symbol("FOUND"), sexp1]] elif type(sexp) == list: return [trace(path[1:], sexp[i], sexp1) if i == path[0] else sexp[i] for i, x in enumerate(sexp)] def test(why3, filename): print(" {}: ".format(filename), end='', flush=True) try: sexp0 = read(why3, filename) sexp1 = print_and_read(why3, filename) assert_equal([], sexp0, sexp1) print("ok") return True except NotEqual as e: print("FAILED") if debug: sexpdata.dump(trace(e.path, sexp0, e.sexp1) or "NO TRACE", sys.stdout) return False except CommandFailed as e: print("COMMAND FAILED:", e.msg) return False def main(): why3 = sys.argv[1] files = sys.argv[2:] res = all(test(why3, f) for f in files) exit(0 if res else 1) if __name__ == "__main__": main() why3-1.6.0/bench/true_goal.why000066400000000000000000000000421440160026300161710ustar00rootroot00000000000000theory True goal True : true endwhy3-1.6.0/bench/typing/000077500000000000000000000000001440160026300147755ustar00rootroot00000000000000why3-1.6.0/bench/typing/bad/000077500000000000000000000000001440160026300155235ustar00rootroot00000000000000why3-1.6.0/bench/typing/bad/213_construct_record.mlw000066400000000000000000000003301440160026300222070ustar00rootroot00000000000000use int.Int type t = { mutable contents : int} invariant {true} let error (v: int) : t (* Cannot deconstruct type with invariant *) ensures { match result with {contents = v } -> v = 3 end } = {contents = v} why3-1.6.0/bench/typing/bad/213_construct_record2.mlw000066400000000000000000000003011440160026300222670ustar00rootroot00000000000000use int.Int type t = { mutable contents : int} invariant {true} let error (v: int) : t (* Cannot construct type with invariant *) ensures { { contents = v } = result } = {contents = v} why3-1.6.0/bench/typing/bad/213_construct_record3.mlw000066400000000000000000000002511440160026300222740ustar00rootroot00000000000000use int.Int type t = A (contents: int) int let error (v: int) : t (* Contains unnamed fields *) ensures { match result with {contents = v } -> v = 3 end } = A 3 v why3-1.6.0/bench/typing/bad/213_construct_record4.mlw000066400000000000000000000002761440160026300223040ustar00rootroot00000000000000use int.Int type t = A (contents: int) int | B (contents:int) int let error (v: int) : t (* Several constructors *) ensures { match result with { contents = v } -> v = 3 end } = A 3 v why3-1.6.0/bench/typing/bad/42_ghost_subst.mlw000066400000000000000000000002111440160026300211070ustar00rootroot00000000000000module A type a val constant x : a end module B type b val ghost constant y : b clone export A with type a = b, val x = y end why3-1.6.0/bench/typing/bad/492.mlw000066400000000000000000000000611440160026300165570ustar00rootroot00000000000000module Foo use mach.int.Int63 let c = 1 end why3-1.6.0/bench/typing/bad/7.why000066400000000000000000000002211440160026300164150ustar00rootroot00000000000000 (* Issue #7: https://gitlab.inria.fr/why3/why3/issues/7 *) theory T use ieee_float.Float32 as B32 goal g : (1.:B32.t) = (1:B32.t) end why3-1.6.0/bench/typing/bad/alias_caller_reset.mlw000066400000000000000000000006031440160026300220600ustar00rootroot00000000000000use map.Map use array.Array use mach.c.C use int.Int use mach.int.UInt64 val f (p1 p2: ptr uint64) : unit requires { valid p1 2 } requires { valid p2 2 } requires { offset p1 = 0 } requires { offset p2 = 1 } alias { p1.data with p2.data } writes { p1.data.elts,p2.data.elts } let g () : unit = let p1 = malloc 5 in let p2 = malloc 5 in let p3 = incr p2 1 in f p1 p3why3-1.6.0/bench/typing/bad/alias_out.mlw000066400000000000000000000007771440160026300202370ustar00rootroot00000000000000use map.Map use array.Array use mach.c.C use int.Int use mach.int.UInt64 val alloc2 () : (r1:ptr uint64, r2:ptr uint64) ensures { offset r1 = 0 /\ offset r2 = 0 } ensures { valid r1 0 /\ valid r2 0 } alias { r1.data with r2.data } let free2_sep (p1 p2:ptr uint64) : unit requires { offset p1 = 0 } requires { offset p2 = 0 } requires { valid p1 0 } requires { valid p2 0 } writes { p1, p1.data, p2, p2.data } = free p1; free p2 let bad () = let r1, r2 = alloc2 () in free2_sep r1 r2why3-1.6.0/bench/typing/bad/alias_reset.mlw000066400000000000000000000004421440160026300205370ustar00rootroot00000000000000use map.Map use array.Array use mach.c.C use int.Int use mach.int.UInt64 let double_free (p1 p2:ptr uint64) requires { offset p1 = 0 } requires { offset p2 = 0 } alias { p1.data with p2.data } requires { valid p1 0 } requires { valid p2 0 } = free p1; (* resets p2 *) free p2why3-1.6.0/bench/typing/bad/bad_type_arity1.why000066400000000000000000000000511440160026300213300ustar00rootroot00000000000000theory Test type t 'a type u = t end why3-1.6.0/bench/typing/bad/bad_type_arity2.why000066400000000000000000000000611440160026300213320ustar00rootroot00000000000000theory Test type t 'a type u = t int int end why3-1.6.0/bench/typing/bad/cast1.why000066400000000000000000000000711440160026300172650ustar00rootroot00000000000000theory Test axiom A : forall x:int. (x : real) = x end why3-1.6.0/bench/typing/bad/clash1.why000066400000000000000000000000331440160026300174230ustar00rootroot00000000000000theory A end theory A end why3-1.6.0/bench/typing/bad/clash_axiom1.why000066400000000000000000000002001440160026300206140ustar00rootroot00000000000000 (* test file *) theory A type t axiom Ax: forall x: t. x=x end theory B use export A axiom Ax: forall x: t. x=x end why3-1.6.0/bench/typing/bad/clash_builtin1.why000066400000000000000000000000331440160026300211510ustar00rootroot00000000000000theory Test type int end why3-1.6.0/bench/typing/bad/clash_logic1.why000066400000000000000000000000661440160026300206060ustar00rootroot00000000000000theory Test function c : int function c : int end why3-1.6.0/bench/typing/bad/clash_type1.why000066400000000000000000000000371440160026300204700ustar00rootroot00000000000000theory A type t type t end why3-1.6.0/bench/typing/bad/clash_type2.why000066400000000000000000000000631440160026300204700ustar00rootroot00000000000000theory A scope S type t type t end end why3-1.6.0/bench/typing/bad/clash_type3.why000066400000000000000000000001161440160026300204700ustar00rootroot00000000000000 (* test file *) theory A type t end theory B use export A type t end why3-1.6.0/bench/typing/bad/clash_type4.why000066400000000000000000000001161440160026300204710ustar00rootroot00000000000000 (* test file *) theory A type t end theory B type t use export A end why3-1.6.0/bench/typing/bad/clausal1.why000066400000000000000000000000721440160026300177600ustar00rootroot00000000000000theory Test inductive p(int) = | A : p(0) -> true end why3-1.6.0/bench/typing/bad/clausal2.why000066400000000000000000000001041440160026300177550ustar00rootroot00000000000000theory Test inductive p(int) = | A : (p(0) -> true) -> p(0) end why3-1.6.0/bench/typing/bad/clausal3.why000066400000000000000000000000611440160026300177600ustar00rootroot00000000000000theory Test inductive p(int) = | A : 0=0 end why3-1.6.0/bench/typing/bad/clone_defined_inductive1.mlw000066400000000000000000000007131440160026300231560ustar00rootroot00000000000000module M type vertex predicate edge vertex vertex inductive path vertex vertex = | path_nil : forall v. path v v | path_cons : forall u v w. path u v -> edge v w -> path u w end module N type vertex predicate edge vertex vertex coinductive path vertex vertex = | path_nil : forall v. path v v | path_cons : forall u v w. path u v -> edge v w -> path u w clone M with type vertex, predicate edge, predicate path end why3-1.6.0/bench/typing/bad/clone_defined_inductive2.mlw000066400000000000000000000007721440160026300231640ustar00rootroot00000000000000module M type vertex predicate edge vertex vertex inductive path vertex vertex = | path_nil : forall v. path v v | path_cons : forall u v w. path u v -> edge v w -> path u w end module N type vertex predicate edge vertex vertex inductive path vertex vertex = | path_nil : forall v. path v v | path_cons : forall u v w. path u v -> edge v w -> path u w | path_edge : forall u v. edge u v -> path u v clone M with type vertex, predicate edge, predicate path end why3-1.6.0/bench/typing/bad/clone_defined_inductive3.mlw000066400000000000000000000007211440160026300231570ustar00rootroot00000000000000module M type vertex predicate edge vertex vertex inductive path vertex vertex = | path_nil : forall v. path v v | path_cons : forall u v w. path u v -> edge v w -> path u w end module N type vertex predicate edge vertex vertex inductive path vertex vertex = | path_nil : forall v. true -> path v v | path_cons : forall u v w. path u v -> edge v w -> path u w clone M with type vertex, predicate edge, predicate path end why3-1.6.0/bench/typing/bad/clone_defined_inductive4.mlw000066400000000000000000000005771440160026300231710ustar00rootroot00000000000000module M type vertex predicate edge vertex vertex inductive path vertex vertex = | path_nil : forall v. path v v | path_cons : forall u v w. path u v -> edge v w -> path u w end module N type vertex predicate edge vertex vertex predicate path (x y : vertex) = x = y \/ edge x y clone M with type vertex, predicate edge, predicate path end why3-1.6.0/bench/typing/bad/clone_defined_inductive5.mlw000066400000000000000000000006301440160026300231600ustar00rootroot00000000000000module M use int.Int inductive even int = | even_zero : even 0 | even_succ : forall n. odd n -> even (n + 1) with odd int = | odd_succ : forall n. even n -> odd (n + 1) end module N use int.Int inductive even int = | even_zero : even 0 | even_succ : forall n. odd n -> even (n + 1) with odd int = | odd_succ : forall n. even n -> odd (n + 1) clone M with predicate even end why3-1.6.0/bench/typing/bad/clone_defined_inductive6.mlw000066400000000000000000000002721440160026300231630ustar00rootroot00000000000000module M inductive ind int real = | case : forall a b. ind a b end module N type t inductive ind int int = | case : forall a b. ind a b clone M with predicate ind end why3-1.6.0/bench/typing/bad/clone_defined_logic1.mlw000066400000000000000000000002021440160026300222520ustar00rootroot00000000000000module M type t function f (x : int) : int = x end module N function f (x : int) : int clone M with function f end why3-1.6.0/bench/typing/bad/clone_defined_logic2.mlw000066400000000000000000000002641440160026300222630ustar00rootroot00000000000000module M type t (* avoid a warning *) function f () : bool = true end module N (* Ok but wrong message *) function f () : bool = false clone M with function f end why3-1.6.0/bench/typing/bad/clone_defined_logic3.mlw000066400000000000000000000002511440160026300222600ustar00rootroot00000000000000module M type t (* avoid a warning *) function f () : bool = true end module N (* Ok-ish message *) function f () : int = 0 clone M with function f end why3-1.6.0/bench/typing/bad/clone_defined_logic4.mlw000066400000000000000000000002641440160026300222650ustar00rootroot00000000000000module M type t (* avoid a warning *) function f () : bool = true end module N (* Ok-ish message *) function f (_ : int) : bool = true clone M with function f end why3-1.6.0/bench/typing/bad/clone_defined_logic5.mlw000066400000000000000000000002671440160026300222710ustar00rootroot00000000000000module M type t (* avoid a warning *) function f () : bool = true end module N (* Ok-ish message *) function f () (_ : int) : bool = true clone M with function f end why3-1.6.0/bench/typing/bad/clone_defined_logic6.mlw000066400000000000000000000002101440160026300222560ustar00rootroot00000000000000module M type t function f (x : t) : t = x end module N type t function f (x : t) : t = x clone M with function f end why3-1.6.0/bench/typing/bad/clone_defined_nonvariant.mlw000066400000000000000000000002021440160026300232530ustar00rootroot00000000000000module M type t = { f : int; g : int } end module N type t = { mutable f : int; g : int } clone M with type t end why3-1.6.0/bench/typing/bad/clone_defined_variant10.mlw000066400000000000000000000002521440160026300227060ustar00rootroot00000000000000module M type t = | A string (x : int) | B (x : int) int end module N type t = | A string (x : int) | B int (x : int) clone M with type t end why3-1.6.0/bench/typing/bad/clone_defined_variant11.mlw000066400000000000000000000001371440160026300227110ustar00rootroot00000000000000module M type u 'a = C int end module N type t = C int clone M with type u = t end why3-1.6.0/bench/typing/bad/clone_defined_variant12.mlw000066400000000000000000000001371440160026300227120ustar00rootroot00000000000000module M type u = C int end module N type t 'a = C int clone M with type u = t end why3-1.6.0/bench/typing/bad/clone_defined_variant13.mlw000066400000000000000000000005121440160026300227100ustar00rootroot00000000000000module A use int.Int type t = { a : int; b : string } let f x = { x with a = x.a + 1 } end module B use int.Int type t = { b : int; a : string } let g x = { x with b = x.b + 3 } clone A with type t let main () = let x = { b = 0; a = "a" } in let x = f x in let _ = g x in () end why3-1.6.0/bench/typing/bad/clone_defined_variant14.mlw000066400000000000000000000006541440160026300227200ustar00rootroot00000000000000module M type t 'a = Nil | Cons 'a (t 'a) function map (f : 'a -> 'b) (xs : t 'a) : t 'b = match xs with | Nil -> Nil | Cons x xs -> Cons (f x) (map f xs) end end module N type t 'a = N | C 'a (t 'a) (* A bit strange *) clone M with type t end module O type t = { f : int; g : string } end module P type t = Cons (f : int) (g : string) (* even stranger *) clone O with type t end why3-1.6.0/bench/typing/bad/clone_defined_variant15.mlw000066400000000000000000000002511440160026300227120ustar00rootroot00000000000000module M type t = | C int int | D int int end module N type t = | D int int | C int int (* A bit dangerous ?*) clone M with type t end why3-1.6.0/bench/typing/bad/clone_defined_variant2.mlw000066400000000000000000000001721440160026300226300ustar00rootroot00000000000000module M type t = N | D u with u = C t end module N type t = N | D u with u = C t clone M with type t end why3-1.6.0/bench/typing/bad/clone_defined_variant3.mlw000066400000000000000000000002151440160026300226270ustar00rootroot00000000000000module M type t = | A string int | B t real end module N type t = | A int int | B t real clone M with type t end why3-1.6.0/bench/typing/bad/clone_defined_variant4.mlw000066400000000000000000000002141440160026300226270ustar00rootroot00000000000000module M type t = | A string int | B t real end module N type t = | A string | B t real clone M with type t end why3-1.6.0/bench/typing/bad/clone_defined_variant5.mlw000066400000000000000000000002201440160026300226250ustar00rootroot00000000000000module M type t = | A string int | B t real end module N type t = | B t real | A string int clone M with type t end why3-1.6.0/bench/typing/bad/clone_defined_variant6.mlw000066400000000000000000000002301440160026300226270ustar00rootroot00000000000000module M type t = | A (ghost string) int | B t real end module N type t = | A string int | B t real clone M with type t end why3-1.6.0/bench/typing/bad/clone_defined_variant7.mlw000066400000000000000000000002301440160026300226300ustar00rootroot00000000000000module M type t = | A string int | B t real end module N type t = | A string int | B t (ghost real) clone M with type t end why3-1.6.0/bench/typing/bad/clone_defined_variant8.mlw000066400000000000000000000002401440160026300226320ustar00rootroot00000000000000module M type t = | A string int | B int real end module N type t = | A string (x : int) | B (x : int) real clone M with type t end why3-1.6.0/bench/typing/bad/clone_defined_variant9.mlw000066400000000000000000000002401440160026300226330ustar00rootroot00000000000000module M type t = | A string (x : int) | B (x : int) real end module N type t = | A string int | B int real clone M with type t end why3-1.6.0/bench/typing/bad/clone_record1.mlw000066400000000000000000000002001440160026300207530ustar00rootroot00000000000000 module S type t = private { a: int } end module M type t = { a: bool } (* bad type for a *) clone S with type t = t end why3-1.6.0/bench/typing/bad/clone_record2.mlw000066400000000000000000000001731440160026300207650ustar00rootroot00000000000000 module S type t = private { a: int } end module M type t = { b: int } (* no field a *) clone S with type t = t end why3-1.6.0/bench/typing/bad/coercion_already.mlw000066400000000000000000000002621440160026300215460ustar00rootroot00000000000000type a type b type c function b_to_c b : c meta coercion function b_to_c function a_to_b a : b meta coercion function a_to_b function a_to_c a : c meta coercion function a_to_c why3-1.6.0/bench/typing/bad/coercion_already1.mlw000066400000000000000000000001451440160026300216270ustar00rootroot00000000000000type a type b function f a : b meta coercion function f function g a : b meta coercion function g why3-1.6.0/bench/typing/bad/coercion_already3.mlw000066400000000000000000000002251440160026300216300ustar00rootroot00000000000000type a type b type c function f a : c meta coercion function f function g b : c meta coercion function g function h a : b meta coercion function h why3-1.6.0/bench/typing/bad/coercion_cycle1.mlw000066400000000000000000000001451440160026300213050ustar00rootroot00000000000000type a type b function f a : b meta coercion function f function g b : a meta coercion function g why3-1.6.0/bench/typing/bad/coercion_cycle2.mlw000066400000000000000000000002271440160026300213070ustar00rootroot00000000000000type a type b type c function f a : b meta coercion function f function g b : c meta coercion function g function h c : a meta coercion function h why3-1.6.0/bench/typing/bad/coercion_cycle3.mlw000066400000000000000000000002251440160026300213060ustar00rootroot00000000000000type a type b type c function g b : c meta coercion function g function f a : b meta coercion function f function h c : a meta coercion function h why3-1.6.0/bench/typing/bad/coercion_type_args1.mlw000066400000000000000000000001421440160026300222000ustar00rootroot00000000000000 type t 'a function f (t int) : int meta coercion function f goal G: forall x: t bool. x = 42 why3-1.6.0/bench/typing/bad/coercion_type_args2.mlw000066400000000000000000000001401440160026300221770ustar00rootroot00000000000000 type t 'a function f int : t int meta coercion function f goal G: forall x: t bool. 42 = x why3-1.6.0/bench/typing/bad/coercion_type_args3.mlw000066400000000000000000000004221440160026300222030ustar00rootroot00000000000000 type t1 'a type t2 'a type t3 'a function t2_of_t1 (t1 'a) : t2 ('a,'a) meta coercion function t2_of_t1 function bool_of_int bool : int meta coercion function bool_of_int function h (x: t1 'a) (b: int) : t1 int goal G: forall x: t1 (int,int), y: t2 int. h x true = y why3-1.6.0/bench/typing/bad/coercion_type_args4.mlw000066400000000000000000000003031440160026300222020ustar00rootroot00000000000000 use list.List function to_list bool : list bool meta coercion function to_list goal G: forall x: bool, y: list int. x = y (*This term has type list int, but is expected to have type bool *)why3-1.6.0/bench/typing/bad/coercion_type_args5.mlw000066400000000000000000000003051440160026300222050ustar00rootroot00000000000000 use list.List function to_bool (list bool) : bool meta coercion function to_bool goal G: forall x: list int, y: bool. x = y (*This term has type bool, but is expected to have type list int *) why3-1.6.0/bench/typing/bad/cyclic_type1.why000066400000000000000000000000351440160026300206420ustar00rootroot00000000000000theory Test type t = t end why3-1.6.0/bench/typing/bad/cyclic_type2.why000066400000000000000000000000521440160026300206420ustar00rootroot00000000000000theory Test type t = u with u = t end why3-1.6.0/bench/typing/bad/duplicate_type_parameter1.why000066400000000000000000000000371440160026300234100ustar00rootroot00000000000000theory Test type t 'a 'a end why3-1.6.0/bench/typing/bad/func_lit1.mlw000066400000000000000000000000531440160026300201260ustar00rootroot00000000000000 use int.Int let f (x y: int) = [|0;true|]why3-1.6.0/bench/typing/bad/func_lit2.mlw000066400000000000000000000000321440160026300201240ustar00rootroot00000000000000 let f (x y: int) = [|0|]why3-1.6.0/bench/typing/bad/func_lit3.mlw000066400000000000000000000000531440160026300201300ustar00rootroot00000000000000 use string.OCaml let f (x y: int) = [|0|]why3-1.6.0/bench/typing/bad/func_lit4.mlw000066400000000000000000000000711440160026300201310ustar00rootroot00000000000000 function f (x: int) : int -> int = [|0 => 1; 1 => "a"|]why3-1.6.0/bench/typing/bad/func_lit5.mlw000066400000000000000000000000701440160026300201310ustar00rootroot00000000000000function f (x: int) : int -> int = [|0 => 1; 1.0 => x|] why3-1.6.0/bench/typing/bad/func_lit6.mlw000066400000000000000000000001241440160026300201320ustar00rootroot00000000000000use string.OCaml use array.Init let f () : array string = init 1 [| 0 => "zero" |] why3-1.6.0/bench/typing/bad/func_lit7.mlw000066400000000000000000000000561440160026300201370ustar00rootroot00000000000000use string.OCaml let f () = [| "bar" => 1 |] why3-1.6.0/bench/typing/bad/invariant.mlw000066400000000000000000000002711440160026300202370ustar00rootroot00000000000000module T use int.Int type t2 = { x2 : int; y2 : int; } invariant { x2 < y2 } by (if true then { x2 = 1; y2 = 0 } else { y2 = 1 }) end why3-1.6.0/bench/typing/bad/invariant2.mlw000066400000000000000000000007271440160026300203270ustar00rootroot00000000000000module T2 type set 'a = abstract { mutable mem: 'a -> bool } val empty (): set 'a ensures { forall x. not (result.mem x) } val add (s:set 'a) (v:'a) : unit ensures { forall x. s.mem x <-> (old s.mem x \/ x = v) } writes { s.mem } type t 'a = { set : set 'a; ele : 'a; } invariant { set.mem ele } by let a = { set = set; ele = ele } in a end why3-1.6.0/bench/typing/bad/invariant3.mlw000066400000000000000000000011441440160026300203220ustar00rootroot00000000000000module T3 type var = private { id: int } type set = abstract { mutable mem: int -> bool } val all_var: set val new_var () : var ensures { old (not (all_var.mem result.id)) } ensures { forall x. all_var.mem x <-> (old (all_var.mem x) \/ x = result.id) } writes { all_var.mem } type t = { v1: var; v2: var; } invariant { v1.id <> v2.id } by let v1 = new_var () in let v2 = new_var () in if v1.id = 0 then () else { v1 = v1; v2 = v2 } end why3-1.6.0/bench/typing/bad/linearity1.why000066400000000000000000000000621440160026300203330ustar00rootroot00000000000000theory Test axiom A : forall x x : int. x=x end why3-1.6.0/bench/typing/bad/partial_function.mlw000066400000000000000000000000461440160026300216050ustar00rootroot00000000000000val partial function f (x:int) : unit why3-1.6.0/bench/typing/bad/partial_ghost_fun.ml000066400000000000000000000000671440160026300215700ustar00rootroot00000000000000val partial random () : int let ghost f () = random () why3-1.6.0/bench/typing/bad/partial_ghost_fun.mlw000066400000000000000000000000661440160026300217560ustar00rootroot00000000000000val partial random () : int let ghost f () = random ()why3-1.6.0/bench/typing/bad/partial_ghostvar.mlw000066400000000000000000000001141440160026300216110ustar00rootroot00000000000000val partial f (x:int) : unit let main () = let ghost s = 3 in f s; 42why3-1.6.0/bench/typing/bad/partial_lemma.mlw000066400000000000000000000000641440160026300210530ustar00rootroot00000000000000let partial lemma f (x:int) ensures { true } = () why3-1.6.0/bench/typing/bad/partial_refine.mlw000066400000000000000000000002061440160026300212260ustar00rootroot00000000000000module S val constant c : int val f () : int end module I2 val partial random () : int clone export S with val f = random endwhy3-1.6.0/bench/typing/bad/partial_terminates.mlw000066400000000000000000000000241440160026300221270ustar00rootroot00000000000000let partial f () = 2why3-1.6.0/bench/typing/bad/partial_witness.mlw000066400000000000000000000001311440160026300214470ustar00rootroot00000000000000val partial random () : int type t = { x: int } invariant { x = 0 } by { x = random () }why3-1.6.0/bench/typing/bad/pat_linearity1.why000066400000000000000000000002071440160026300212000ustar00rootroot00000000000000theory A type list 'a = Nil | Cons 'a (list 'a) axiom A : forall l: list int. match l with Cons x x -> true | Nil -> false end end why3-1.6.0/bench/typing/bad/pat_linearity2.why000066400000000000000000000002051440160026300211770ustar00rootroot00000000000000theory A type list 'a = Nil | Cons 'a (list 'a) axiom A : forall l:list int. (match l with Cons x x -> 0 | Nil -> 1 end) = 2 end why3-1.6.0/bench/typing/bad/pat_linearity3.why000066400000000000000000000001751440160026300212060ustar00rootroot00000000000000theory A type list 'a = Nil | Cons 'a (list 'a) let f (l:list int) : int = match l with Cons x x -> 0 | Nil -> 1 end end why3-1.6.0/bench/typing/bad/record2.why000066400000000000000000000001121440160026300176060ustar00rootroot00000000000000theory T function f int : int goal g1 : let t = { f = 1 } in true end why3-1.6.0/bench/typing/bad/record3.why000066400000000000000000000001701440160026300176130ustar00rootroot00000000000000theory T type t = { a: int; b: int; } type u = { c: int; d: int; } goal g1 : let t = { a = 1; c = 2 } in true end why3-1.6.0/bench/typing/bad/record4.why000066400000000000000000000001561440160026300176200ustar00rootroot00000000000000theory Records use bool.Bool type t = { a:int; b:bool; } goal g1 : let t = { a = 1; b = 2 } in true end why3-1.6.0/bench/typing/bad/record5.why000066400000000000000000000002331440160026300176150ustar00rootroot00000000000000theory T use list.List use bool.Bool type t 'a = { a : list 'a; b : list 'a; } goal g1 : let t = { a = Cons 1 Nil; b = Cons True Nil } in true end why3-1.6.0/bench/typing/bad/record6.why000066400000000000000000000001251440160026300176160ustar00rootroot00000000000000theory Records type t = { a:int } goal g1 : let t = { a = 1; a = 2 } in true end why3-1.6.0/bench/typing/bad/record7.why000066400000000000000000000001251440160026300176170ustar00rootroot00000000000000theory Records type t = { a:int; b:int } goal g1 : let t = { a = 1 } in true end why3-1.6.0/bench/typing/bad/record8.why000066400000000000000000000002051440160026300176170ustar00rootroot00000000000000theory Records type t = { a:int; b:int } goal g1 : let t = { a = 1; b = 2 } in let t = { t with a = () } in true end why3-1.6.0/bench/typing/bad/record9.why000066400000000000000000000002421440160026300176210ustar00rootroot00000000000000theory Records type t = { a:int; b:int } type t2 = { c:int; d:int } goal g1 : let t = { a = 1; b = 2 } in let t = { t with d = 3 } in true end why3-1.6.0/bench/typing/bad/stdlib_c1.mlw000066400000000000000000000002111440160026300201020ustar00rootroot00000000000000use mach.c.C let main () diverges = let p = malloc 10 in c_assert (is_not_null p); let q = incr p 0_ in free q; set p (42:int)why3-1.6.0/bench/typing/bad/stdlib_c2.mlw000066400000000000000000000003051440160026300201070ustar00rootroot00000000000000use mach.c.C let main () diverges = let p = malloc 10 in c_assert (is_not_null p); let q = incr p 0 in let r = realloc p 27 in c_assert (is_not_null r); set r (3:int); set q (42:int)why3-1.6.0/bench/typing/bad/stdlib_c3.mlw000066400000000000000000000002631440160026300201130ustar00rootroot00000000000000use map.Map use mach.c.C let main () diverges = let p = malloc 10 in c_assert (is_not_null p); let q = incr_split p 5 in let r = C.incr q 1 in join p q; set r (0:int)why3-1.6.0/bench/typing/bad/stdlib_c4.mlw000066400000000000000000000002471440160026300201160ustar00rootroot00000000000000use map.Map use mach.c.C let main () diverges = let p = malloc 10 in c_assert (is_not_null p); let r = C.incr p 1 in let _ = incr_split p 5 in set r (0:int)why3-1.6.0/bench/typing/bad/stdlib_c5.mlw000066400000000000000000000002471440160026300201170ustar00rootroot00000000000000use map.Map use mach.c.C let main () diverges = let p = malloc 10 in c_assert (is_not_null p); let r = C.incr p 1 in let _ = decr_split r 1 in set p (0:int)why3-1.6.0/bench/typing/bad/stdlib_c6.mlw000066400000000000000000000002651440160026300201200ustar00rootroot00000000000000use map.Map use mach.c.C let main () diverges = let p = malloc 10 in c_assert (is_not_null p); let q = incr_split p 5 in let r = C.incr p 1 in join_r p q; set r (0:int)why3-1.6.0/bench/typing/bad/unbound_namespace1.why000066400000000000000000000001301440160026300220150ustar00rootroot00000000000000 (* test file *) theory A type t end theory B use export A function c : A.t end why3-1.6.0/bench/typing/bad/unbound_theory1.why000066400000000000000000000000321440160026300213740ustar00rootroot00000000000000theory A use export B end why3-1.6.0/bench/typing/bad/unbound_type1.why000066400000000000000000000000611440160026300210450ustar00rootroot00000000000000 (* test file *) theory A function c : t end why3-1.6.0/bench/typing/bad/unbound_type_var1.why000066400000000000000000000000411440160026300217130ustar00rootroot00000000000000theory Test type t 'a = 'b end why3-1.6.0/bench/typing/bad/undefined_type_var1.why000066400000000000000000000000721440160026300222060ustar00rootroot00000000000000theory Test type list 'a = Nil axiom Ax : Nil=Nil end why3-1.6.0/bench/typing/bad/undefined_type_var2.why000066400000000000000000000001311440160026300222030ustar00rootroot00000000000000theory Test type list 'a = Nil | Cons 'a (list 'a) axiom Ax : Cons Nil Nil = Nil end why3-1.6.0/bench/typing/bad/wf_types1.why000066400000000000000000000001101440160026300201650ustar00rootroot00000000000000theory Main type t 'a type test1 'a = Test1 (t (test1 'a)) end why3-1.6.0/bench/typing/bad/wf_types2.why000066400000000000000000000001171440160026300201750ustar00rootroot00000000000000theory Main type id 'a = 'a type test2 'a = Test2 (id (test2 'a)) end why3-1.6.0/bench/typing/bad/wf_types3.why000066400000000000000000000001331440160026300201740ustar00rootroot00000000000000theory Main type shell 'a = Shell 'a type test3 'a = Test3 (shell (test3 'a)) end why3-1.6.0/bench/typing/good/000077500000000000000000000000001440160026300157255ustar00rootroot00000000000000why3-1.6.0/bench/typing/good/20610.mlw000066400000000000000000000006601440160026300171200ustar00rootroot00000000000000module M use bool.Bool use option.Option exception A let rec foo (x: option bool) : unit diverges raises { A -> true } = match x with | None -> () | Some b -> if b then ( let rec aux (_x: unit) : unit diverges raises { A -> true } = foo (Some false) in aux () ) else raise A end end why3-1.6.0/bench/typing/good/24_coercions.mlw000066400000000000000000000006041440160026300207370ustar00rootroot00000000000000module Issue24 use int.Int type byte = < range 0 255 > meta coercion function byte'int (* (42:byte) is coerced to (byte'int (42:byte)) *) goal g : (42:byte) = 2 * 21 (* we should be able to do: replace 2 (3:byte) that is (3:byte) should be coerced to (byte'int (3:byte)) *) goal g2: (3:byte) = 4 (* goal g1: (if true then 2 else (3:byte)) = 4 *) end why3-1.6.0/bench/typing/good/43_range_module.mlw000066400000000000000000000001151440160026300214120ustar00rootroot00000000000000module Issue43 type t = < range 0 1 > constant c : int = t'minInt end why3-1.6.0/bench/typing/good/496.mlw000066400000000000000000000001371440160026300167710ustar00rootroot00000000000000use mach.int.Int63 let f (x: int63): int63 = if x = (0:int63) then (0:int63) else (1:int63) why3-1.6.0/bench/typing/good/597_let_pred.mlw000066400000000000000000000001711440160026300206470ustar00rootroot00000000000000use list.List let predicate f (l: list 'a) requires { l = Nil } = match l with | Nil -> False | _ -> absurd end why3-1.6.0/bench/typing/good/72_coercions_ho.mlw000066400000000000000000000001501440160026300214240ustar00rootroot00000000000000type t type u function f t : u meta coercion function f constant g : u -> bool goal G : forall x:t. g x why3-1.6.0/bench/typing/good/72_coercions_ho2.mlw000066400000000000000000000001361440160026300215120ustar00rootroot00000000000000type t type u function f t : u -> u meta coercion function f goal G : forall x:t,y:u. x y = y why3-1.6.0/bench/typing/good/algebraic1.why000066400000000000000000000014721440160026300204540ustar00rootroot00000000000000theory TreeForest type list 'a = Nil | Cons 'a (list 'a) type tree 'a = Leaf 'a | Node (tree 'a) (forest 'a) with forest 'a = list (tree 'a) use int.Int function count_forest (f : forest int) : int = match f, 10 with | Nil, i -> i | Cons t' f', _ -> count_tree t' + count_forest f' end with count_tree (t : tree int) : int = match t with | Leaf i -> i | Node t' f' -> count_tree t' + count_forest f' end type nat = Zero | Succ nat function ack (m n : nat) : nat = match m, n with | Zero, _ -> Succ n | Succ m', Zero -> ack' m' (Succ Zero) | Succ m', Succ n' -> ack' m' (ack' m n') end with ack' (m n : nat) : nat = match m, n with | Zero, _ -> Succ n | Succ m', Zero -> ack m' (Succ Zero) | Succ m', Succ n' -> ack m' (ack m n') end end why3-1.6.0/bench/typing/good/alias1.why000066400000000000000000000001741440160026300176320ustar00rootroot00000000000000theory Test type t1 = t2 with t5 with t2 = t5 function f (x : t1) (y : t2) : t5 function g (x : t1) : t5 = f x x end why3-1.6.0/bench/typing/good/already_theory1.why000066400000000000000000000000461440160026300215520ustar00rootroot00000000000000theory A end theory B use A use A end why3-1.6.0/bench/typing/good/already_theory2.why000066400000000000000000000000751440160026300215550ustar00rootroot00000000000000theory A end theory B end theory C use A as A use B as A end why3-1.6.0/bench/typing/good/clash_namespace1.why000066400000000000000000000001601440160026300216420ustar00rootroot00000000000000 (* test file *) theory A type t axiom Ax : forall _x:t. true end theory B use A as A use A as A end why3-1.6.0/bench/typing/good/clash_type6.why000066400000000000000000000001071440160026300206750ustar00rootroot00000000000000 (* test file *) theory A type t end theory B use A type t end why3-1.6.0/bench/typing/good/clash_type7.why000066400000000000000000000000671440160026300207030ustar00rootroot00000000000000theory A type t end theory B clone A type t end why3-1.6.0/bench/typing/good/clone_defined_float.mlw000066400000000000000000000003041440160026300224060ustar00rootroot00000000000000module M type f = function f (x : f) : bool = x = (0.5 : f) predicate finite (x : f) = f'isFinite x end module N type f = clone M with type f end why3-1.6.0/bench/typing/good/clone_defined_inductive1.mlw000066400000000000000000000014011440160026300233530ustar00rootroot00000000000000module M type vertex predicate edge vertex vertex inductive path vertex vertex = | path_nil : forall v. path v v | path_cons : forall u v w. path u v -> edge v w -> path u w coinductive copath vertex vertex = | copath_nil : forall v. copath v v | copath_cons : forall u v w. copath u v -> edge v w -> copath u w end module N type vertex predicate edge vertex vertex inductive path vertex vertex = | path_nil : forall v. path v v | path_cons : forall u v w. path u v -> edge v w -> path u w coinductive copath vertex vertex = | copath_nil : forall v. copath v v | copath_cons : forall u v w. copath u v -> edge v w -> copath u w clone M with type vertex, predicate edge, predicate path, predicate copath end why3-1.6.0/bench/typing/good/clone_defined_inductive2.mlw000066400000000000000000000006471440160026300233670ustar00rootroot00000000000000module M use int.Int inductive even int = | even_zero : even 0 | even_succ : forall n. odd n -> even (n + 1) with odd int = | odd_succ : forall n. even n -> odd (n + 1) end module N use int.Int inductive even int = | even_zero : even 0 | even_succ : forall n. odd n -> even (n + 1) with odd int = | odd_succ : forall n. even n -> odd (n + 1) clone M with predicate even, predicate odd end why3-1.6.0/bench/typing/good/clone_defined_logic1.mlw000066400000000000000000000002261440160026300224620ustar00rootroot00000000000000module M type t function f (x : int) : t(* = x*) end module N function f (x : int) : int = x clone M with type t = int, function f end why3-1.6.0/bench/typing/good/clone_defined_logic2.mlw000066400000000000000000000002201440160026300224550ustar00rootroot00000000000000module M type t function f (x : t) : t = x end module N function f (x : int) : int = x clone M with type t = int, function f end why3-1.6.0/bench/typing/good/clone_defined_logic3.mlw000066400000000000000000000002201440160026300224560ustar00rootroot00000000000000module M type t function f (x : t) : t = x end module N function f (x : int) : int = x clone M with function f, type t = int end why3-1.6.0/bench/typing/good/clone_defined_logic4.mlw000066400000000000000000000002261440160026300224650ustar00rootroot00000000000000module M type t function f (x : t) : t = x end module N type t = int function f (x : t) : t = x clone M with type t, function f end why3-1.6.0/bench/typing/good/clone_defined_logic5.mlw000066400000000000000000000002201440160026300224600ustar00rootroot00000000000000module M type t function f (x : t) : t = x end module N type t function f (x : t) : t = x clone M with type t, function f end why3-1.6.0/bench/typing/good/clone_defined_range.mlw000066400000000000000000000003501440160026300223760ustar00rootroot00000000000000module M use int.Int type r = function f (x : r) : bool = x = (0 : r) predicate in_range (x : int) = r'minInt <= x <= r'maxInt end module N type r = clone M with type r end why3-1.6.0/bench/typing/good/clone_defined_variant.mlw000066400000000000000000000031141440160026300227470ustar00rootroot00000000000000module EnumType type t = Left | Right end module Enum type t = Left | Right clone EnumType with type t end module RecordType type t = { f : int; g : int } end module Record type t = { f : int; g : int } clone RecordType with type t end module RecursiveType type t = Nil | Cons t end module Recursive type t = Nil | Cons t clone RecursiveType with type t end module MutuallyRecursiveType type forest 'a = Nil | Cons (tree 'a) (forest 'a) with tree 'a = Node 'a (forest 'a) function map (f : 'a -> 'b) (ts : forest 'a) : forest 'b = match ts with | Nil -> Nil | Cons t ts -> Cons (map_tree f t) (map f ts) end with map_tree (f : 'a -> 'b) (t : tree 'a) : tree 'b = match t with | Node x ts -> Node (f x) (map f ts) end end module MutuallyRecursive use int.Int type forest 'a = Nil | Cons (tree 'a) (forest 'a) with tree 'a = Node 'a (forest 'a) function size (f : forest 'a) : int = match f with | Nil -> 0 | Cons t f -> size_tree t + size f end with size_tree (t : tree 'a) : int = match t with | Node _ f -> size f + 1 end clone MutuallyRecursiveType with type forest, type tree function map_size (f : forest 'a) : int = size (map (fun _ -> 42) f) end module MutuallyRecursiveWithAliasType use list.List type forest 'a = list (tree 'a) with tree 'a = Node 'a (forest 'a) end module MutuallyRecursiveWithAlias use list.List type forest 'a = list (tree 'a) with tree 'a = Node 'a (forest 'a) clone MutuallyRecursiveWithAliasType with type tree end why3-1.6.0/bench/typing/good/clone_defined_variant4.mlw000066400000000000000000000002541440160026300230350ustar00rootroot00000000000000module M type t = | A string (x : int) | B (x : int) real end module N type t = | A string (x : int) | B (x : int) real clone M with type t end why3-1.6.0/bench/typing/good/clone_defined_variant5.mlw000066400000000000000000000001711440160026300230340ustar00rootroot00000000000000module M type t type u = C t end module N type t = N | D u with u = C t clone M with type t, type u end why3-1.6.0/bench/typing/good/clone_defined_variant6.mlw000066400000000000000000000001341440160026300230340ustar00rootroot00000000000000module M type t 'a = C 'a end module N type t 'b = C 'b clone M with type t end why3-1.6.0/bench/typing/good/clone_defined_variant7.mlw000066400000000000000000000010011440160026300230270ustar00rootroot00000000000000module M use int.Int type t 'a = Nil | Cons 'a (t 'a) let rec function length (xs : t 'a) : int = match xs with | Nil -> 0 | Cons _ xs -> length xs + 1 end let rec function map (f : 'a -> 'b) (xs : t 'a) : t 'b = match xs with | Nil -> Nil | Cons x xs -> Cons (f x) (map f xs) end end module N use int.Int type t 'a = Nil | Cons 'a (t 'a) clone M with type t let f (xs : t 'a) = if length xs > 0 then map (fun _ -> 3) xs else Cons 42 Nil end why3-1.6.0/bench/typing/good/clone_defined_variant8.mlw000066400000000000000000000005441440160026300230430ustar00rootroot00000000000000module M use int.Int type t 'a = Nil | Cons 'a (int -> t 'a) let rec height_0 (xs : t 'a) : int diverges = match xs with | Nil -> 0 | Cons _ g -> height_0 (g 0) end end module N use int.Int type t 'a = Nil | Cons 'a (int -> t 'a) clone M with type t let f (xs : t 'a) diverges = height_0 xs + 42 end why3-1.6.0/bench/typing/good/clone_defined_variant9.mlw000066400000000000000000000002141440160026300230360ustar00rootroot00000000000000module M use list.List type t 'a = C (list 'a) end module N use list.List type t 'b = C (list 'b) clone M with type t end why3-1.6.0/bench/typing/good/coercions.mlw000066400000000000000000000034501440160026300204340ustar00rootroot00000000000000 module Binary use int.Int use mach.int.Int63 goal G: forall x: int63, y: int. x = y /\ y = x end module Simple type t function f t : int meta coercion function f goal G: forall x: t. x = 42 end module SameOne use Simple end module Same use Simple use SameOne goal G: forall x: t. x = 42 end module SimplePolymorphic type t 'a function f (t 'a) : int meta coercion function f goal G: forall x: t (bool,bool). x = 42 end module Transitivity type a type b type c function b_to_c b : c meta coercion function b_to_c function a_to_b a : b meta coercion function a_to_b predicate is_c c goal G2: forall x: a. is_c x end module SameTransitivity use Transitivity end module SameTransitivityCheck use Transitivity use SameTransitivity goal G2: forall x: a. is_c x end module CoercionIf function is_zero int : bool meta coercion function is_zero goal G3: if 42 then 1=2 else 3=4 end module TrickyPolymorphicAlpha use list.List type t 'a type t1 'a type t2 'a function f (t 'a) : t1 (list 'a) meta coercion function f function g (t1 'a) : t2 (list 'a) meta coercion function g goal a : forall x:t int, y:t2 (list (list int)). x = y end module TrickyPolymorphicBeta use list.List type t 'a type t1 'a type t2 'a function f (t 'a) : t1 (list 'b) meta coercion function f function g (t1 'a) : t2 (list 'a) meta coercion function g goal a : forall x:t int, y:t2 (list (list int)). x = y end module InTypeArgs type t1 'a type t2 'a type t3 'a function t2_of_t1 (t1 'a) : t2 'a meta coercion function t2_of_t1 function bool_of_int bool : int meta coercion function bool_of_int function h (x: t1 'a) (b: int) : t1 int goal G: forall x: t1 'a, y: t2 int. h x true = y endwhy3-1.6.0/bench/typing/good/func_literals.mlw000066400000000000000000000067261440160026300213130ustar00rootroot00000000000000 constant a2 : int -> int = [|1|] constant a3 : int -> int = [|1;2|] constant a4 : int -> int = [|1;2;3;4;5;6;7|] constant b1 : int -> int = [|0 => 1|] constant b2 : int -> int = [|0 => 1; 1 => 2|] constant b3 : int -> int = [|5 => 50; 1 => 10|] constant b4 : int -> int = [|0 => 1; 1 => 2; 2 => 3; 3 => 4|] constant c1 : int -> int = [|_ => 1|] constant c2 : int -> int = [|0 => 1; _ => 2|] constant c3 : int -> int = [|5 => 50; _ => 10|] constant c4 : int -> int = [|0 => 1; 1 => 2; 2 => 3; _ => 4|] use int.Int function z (x: int) : int = x + x function d2 (x: int) : int -> int = [|1; x|] function d3 (x: int) : int -> int = [|1; x; x + 1|] function d4 (x: int) : int -> int = [|1; x; x + 1; z x |] function d5 (x: int) : int -> int = d4 (x+1) function e1 (x: int) : int -> int = [|0 => 1; 1 => x|] function e2 (x: int) : int -> int = [|0 => 1; 1 => x; 2 => x + 1|] function e3 (x: int) : int -> int = [|5 => 1; 1 => x; 10 => x + 1; _ => z x |] function e4 (x: int) : int -> int = e3 (x+1) constant f1 : int -> int = [|1;|] constant f2 : int -> int = [|1 => 1;|] constant f3 : int -> int = [|1 => 1;1 => 1;|] constant f4 : int -> int = [|_ => 1;|] constant f5 : int -> int = [|1 => 1;2 => 2;_ => -1;|] constant f6 : int -> real -> string = [|[|0. => "zero"|];[|1. => "one"; 2. => "two"|]|] let w (x: int) = x + x let f1 () = [| _ => 1 |] let f2 () = [| _ => "foo" |] let f3 (x: int) = [| _ => x|] let f4 (x: string) = [| _ => x |] let f5 () = [| 0 => 1 |] let f6 () = [| 0 => "foo" |] use string.OCaml (* required for '=' *) let f7 (): string -> int = [| "bar" => 1 |] (* type required, or *) let f8 () = [| "bar" => (1:int) |] (* type required *) let f9 () = [| "bar" => "foo" |] let f10 (): string -> int = [| "bar" => 1; _ => 0 |] (* type required, or *) let f11 () = [| "bar" => (1:int); _ => 0 |] (* type required *) let f12 () = [| "bar" => "foo"; _ => "baz" |] let f13 (x: int) = [| "a" => 1; "b" => x; "c" => x + 1; _ => w x |] use int.Int (* required for '=' *) let f14 (x: int) : int -> int = [| 2 => 1; 3 => x; -1 => x + 1; _ => 0 |] let f15 (x: int) = f13 (x+1) let function f17 () : int -> int = [|1|] use real.Real let f18 () :int -> real -> string = [|[|0. => "zero"|];[|1. => "one"; 2. => "two"|]|] use seq.Seq function s1 : seq int = create 10 [|1;2;3;4|] let s2 : seq int = create 10 [|1;2;3;4|] function s3 : seq string = create 10 [|"a";"ab";"abc";"abcd"|] let s4 : seq string = create 10 [|"a";"ab";"abc";"abcd"|] use string.String function s5 : seq string = create 10 [|"a";"ab";concat s3[2] s3[0];"abcd"|] let s6 : seq string = create 10 [|"a";"ab";concat s4[11] s4[1];"abcd"|] function s7 : seq string = create 10 [|2 => "a";0 => "abc"; -1 => "abcd"|] let s8 : seq string = create 10 [|2 => "a";0 => "abc"; -1 => "abcd"|] function s9 : seq string = create 10 [|2 => "a";0 => "abc"; -1 => "abcd"; _ => ""|] let s10 : seq string = create 10 [|2 => "a";0 => "abc"; -1 => "abcd"; _ => ""|] use array.Init let aa1 : array int = init 10 [|1;2;3;4|] let aa2 : array string = init 10 [|"a";"ab";"abc";"abcd"|] (* let aa3 : array string = init 10 [|"a";"ab";concat aa2[11] aa2[1];"abcd"|] *) let aa4 : array string = init 10 [|2 => "a";0 => "abc"; -1 => "abcd"|] let aa5 : array string = init 10 [|2 => "a";0 => "abc"; -1 => "abcd"; _ => ""|]why3-1.6.0/bench/typing/good/invariant.mlw000066400000000000000000000026571440160026300204530ustar00rootroot00000000000000module T use int.Int type t1 = { x1 : int; y1 : int; } invariant { x1 < y1 } by { y1 = 1; x1 = 0 } type t2 = { x2 : int; y2 : int; } invariant { x2 < y2 } by (if true then { x2 = 1; y2 = 0 } else { y2 = 1; x2 = 0 }) end module T2 type set 'a = abstract { mutable mem: 'a -> bool } val empty (): set 'a ensures { forall x. not (result.mem x) } val add (s:set 'a) (v:'a) : unit ensures { forall x. s.mem x <-> (old s.mem x \/ x = v) } writes { s.mem } type t 'a = { set : set 'a; ele : 'a; } invariant { set.mem ele } by let set = empty () in let ele = any (r:'a) ensures { true } in add set ele; { set = set; ele = ele } end module T3 type var = private { id: int } type set = abstract { mutable mem: int -> bool } val all_var: set val new_var () : var ensures { old (not (all_var.mem result.id)) } ensures { forall x. all_var.mem x <-> (old (all_var.mem x) \/ x = result.id) } writes { all_var.mem } type t = { v1: var; v2: var; } invariant { v1.id <> v2.id } by let v1 = new_var () in let v2 = new_var () in { v1 = v1; v2 = v2 } end why3-1.6.0/bench/typing/good/partial.mlw000066400000000000000000000002641440160026300201040ustar00rootroot00000000000000val partial random () : int val f (x:int) : unit use int.Int let main () = let r = random () in let s = random () in let ghost x = random () in f x; f r; f x; r * swhy3-1.6.0/bench/typing/good/type_vc_no_name_clash.mlw000066400000000000000000000003021440160026300227600ustar00rootroot00000000000000module A use int.Int type pos = abstract { x : int } invariant { x >= 0 } end module B use int.Int type pos = { x : int } invariant { x >= 0 } clone export A with type pos end why3-1.6.0/bench/typing/good/uses1.why000066400000000000000000000000511440160026300175120ustar00rootroot00000000000000 theory A end theory B use A as A end why3-1.6.0/bench/typing/good/wf_types1.why000066400000000000000000000001431440160026300203750ustar00rootroot00000000000000theory Main type option 'a = Some 'a | None type test4 'a = Test4 (option (test4 'a)) end why3-1.6.0/bench/typing/x-bad/000077500000000000000000000000001440160026300157705ustar00rootroot00000000000000why3-1.6.0/bench/typing/x-bad/.keepme000066400000000000000000000000001440160026300172250ustar00rootroot00000000000000why3-1.6.0/bench/typing/x-good/000077500000000000000000000000001440160026300161725ustar00rootroot00000000000000why3-1.6.0/bench/typing/x-good/.keepme000066400000000000000000000000001440160026300174270ustar00rootroot00000000000000why3-1.6.0/bench/valid/000077500000000000000000000000001440160026300145625ustar00rootroot00000000000000why3-1.6.0/bench/valid/booleans.mlw000077700000000000000000000000001440160026300244202../programs/good/booleans.mlwustar00rootroot00000000000000why3-1.6.0/bench/valid/complex_arg_1.mlw000077700000000000000000000000001440160026300262542../programs/good/complex_arg_1.mlwustar00rootroot00000000000000why3-1.6.0/bench/valid/complex_arg_2.mlw000077700000000000000000000000001440160026300262562../programs/good/complex_arg_2.mlwustar00rootroot00000000000000why3-1.6.0/bench/valid/division.mlw000066400000000000000000000032011440160026300171230ustar00rootroot00000000000000 (* Division and modulo *) theory Euclidean use int.Int use int.EuclideanDivision (* -2,-1,0,1,2 div/mod 2 *) goal div_m2_2: div (-2) 2 = -1 goal div_m1_2: div (-1) 2 = -1 goal div__0_2: div 0 2 = 0 goal div__1_2: div 1 2 = 0 goal div__2_2: div 2 2 = 1 goal mod_m2_2: mod (-2) 2 = 0 goal mod_m1_2: mod (-1) 2 = 1 goal mod__0_2: mod 0 2 = 0 goal mod__1_2: mod 1 2 = 1 goal mod__2_2: mod 2 2 = 0 (* -2,-1,0,1,2 div/mod -2 *) goal div_m2_m2: div (-2) (-2) = 1 goal div_m1_m2: div (-1) (-2) = 1 goal div__0_m2: div 0 (-2) = 0 goal div__1_m2: div 1 (-2) = 0 goal div__2_m2: div 2 (-2) = -1 goal mod_m2_m2: mod (-2) (-2) = 0 goal mod_m1_m2: mod (-1) (-2) = 1 goal mod__0_m2: mod 0 (-2) = 0 goal mod__1_m2: mod 1 (-2) = 1 goal mod__2_m2: mod 2 (-2) = 0 end theory Computer use int.Int use int.ComputerDivision (* -2,-1,0,1,2 div/mod 2 *) goal div_m2_2: div (-2) 2 = -1 goal div_m1_2: div (-1) 2 = 0 goal div__0_2: div 0 2 = 0 goal div__1_2: div 1 2 = 0 goal div__2_2: div 2 2 = 1 goal mod_m2_2: mod (-2) 2 = 0 goal mod_m1_2: mod (-1) 2 = -1 goal mod__0_2: mod 0 2 = 0 goal mod__1_2: mod 1 2 = 1 goal mod__2_2: mod 2 2 = 0 (* -2,-1,0,1,2 div/mod -2 *) goal div_m2_m2: div (-2) (-2) = 1 goal div_m1_m2: div (-1) (-2) = 0 goal div__0_m2: div 0 (-2) = 0 goal div__1_m2: div 1 (-2) = 0 goal div__2_m2: div 2 (-2) = -1 goal mod_m2_m2: mod (-2) (-2) = 0 goal mod_m1_m2: mod (-1) (-2) = -1 goal mod__0_m2: mod 0 (-2) = 0 goal mod__1_m2: mod 1 (-2) = 1 goal mod__2_m2: mod 2 (-2) = 0 end why3-1.6.0/bench/valid/exns.mlw000077700000000000000000000000001440160026300227462../programs/good/exns.mlwustar00rootroot00000000000000why3-1.6.0/bench/valid/for.mlw000077700000000000000000000000001440160026300223702../programs/good/for.mlwustar00rootroot00000000000000why3-1.6.0/bench/valid/list.mlw000077700000000000000000000000001440160026300227422../programs/good/list.mlwustar00rootroot00000000000000why3-1.6.0/bench/valid/loops.mlw000077700000000000000000000000001440160026300233042../programs/good/loops.mlwustar00rootroot00000000000000why3-1.6.0/bench/valid/misfix.why000066400000000000000000000004531440160026300166140ustar00rootroot00000000000000 theory Misfix type t function ([]) (a: t) (i: int) : int function ([<-]) (a: t) (i: int) (v: int) : t axiom a1 : forall a: t, i v: int. a[i <- v][i] = v axiom a2 : forall a: t, i j v: int. i<>j -> a[i <- v][j] = a[j] goal g1 : forall a: t, i j v: int. a[a[i] <- i][a[i]] = i end why3-1.6.0/bench/valid/numbers.why000066400000000000000000000003511440160026300167650ustar00rootroot00000000000000theory Number use int.Int use real.RealInfix goal dec : 123 = 100 + 23 goal hex : 0x7b = 100 + 23 goal oct : 0o173 = 100 + 23 goal bin : 0b1111011 = 100 + 23 goal real : 1.23e2 = 100. +. 23. goal hexa : 0x7.bp4 = 100. +. 23. end why3-1.6.0/bench/valid/oldify.mlw000077700000000000000000000000001440160026300235702../programs/good/oldify.mlwustar00rootroot00000000000000why3-1.6.0/bench/valid/poly.mlw000077700000000000000000000000001440160026300227622../programs/good/poly.mlwustar00rootroot00000000000000why3-1.6.0/bench/valid/recfun.mlw000077700000000000000000000000001440160026300235602../programs/good/recfun.mlwustar00rootroot00000000000000why3-1.6.0/bench/valid/see.mlw000077700000000000000000000000001440160026300223442../programs/good/see.mlwustar00rootroot00000000000000why3-1.6.0/bench/valid/set.mlw000077700000000000000000000000001440160026300224022../programs/good/set.mlwustar00rootroot00000000000000why3-1.6.0/bench/valid/split_vc/000077500000000000000000000000001440160026300164055ustar00rootroot00000000000000why3-1.6.0/bench/valid/split_vc/mccarthy.mlw000066400000000000000000000167771440160026300207620ustar00rootroot00000000000000 (** {1 McCarthy's "91" function} authors: Jean-Christophe Filliâtre, Martin Clochard, Claude Marché witness: Andrei Paskevich *) module McCarthy91 use int.Int (** {2 Specification} *) function spec (x: int) : int = if x <= 100 then 91 else x-10 (** {2 traditional recursive implementation} *) let rec f91 (n:int) : int variant { 101-n } ensures { result = spec n } = if n <= 100 then f91 (f91 (n + 11)) else n - 10 (** {2 non-recursive implementation using a while loop} *) use ref.Ref use int.Iter let f91_nonrec (n0: int) ensures { result = spec n0 } = let e = ref 1 in let n = ref n0 in while !e > 0 do invariant { !e >= 0 /\ iter spec !e !n = spec n0 } variant { 101 - !n + 10 * !e, !e } if !n > 100 then begin n := !n - 10; e := !e - 1 end else begin n := !n + 11; e := !e + 1 end done; !n (** {2 irrelevance of control flow} We use a 'morally' irrelevant control flow from a recursive function to ease proof (the recursive structure does not contribute to the program execution). This is a technique for proving derecursified programs. See [verifythis_2016_tree_traversal] for a more complex example. *) exception Stop let f91_pseudorec (n0:int) : int ensures { result = spec n0 } = let e = ref 1 in let n = ref n0 in let bloc () : unit requires { !e >= 0 } ensures { !(old e) > 0 } ensures { if !(old n) > 100 then !n = !(old n) - 10 /\ !e = !(old e) - 1 else !n = !(old n) + 11 /\ !e = !(old e) + 1 } raises { Stop -> !e = !(old e) = 0 /\ !n = !(old n) } = if not (!e > 0) then raise Stop; if !n > 100 then begin n := !n - 10; e := !e - 1 end else begin n := !n + 11; e := !e + 1 end in let rec aux () : unit requires { !e > 0 } variant { 101 - !n } ensures { !e = !(old e) - 1 /\ !n = spec !(old n) } raises { Stop -> false } = let u = !n in bloc (); if u <= 100 then (aux (); aux ()) in try aux (); bloc (); absurd with Stop -> !n end end module McCarthyWithCoroutines use int.Int use ref.Ref function spec (x: int) : int = if x <= 100 then 91 else x-10 (** {2 Variant using a general 'ghost coroutine' approach} Assume we want to prove the imperative code: {h 

e <- 1; r <- n;
loop
  if r > 100 { r <- r - 10; e <- e - 1; if e = 0 break }
        else { r <- r + 11; e <- e + 1 }
end-loop
} we annotate the various program points: {h 
{ 0 } e <- 1;
{ 1 } r <- n;
      loop
{ 2 } if r > 100 then { 3 } r <- r - 10; { 4 } e <- e - 1; { 5 } if e=0 then break;
                 else { 6 } r <- r + 11; { 7 } e <- e + 1;
end-loop
{ 8 }
} we define the small-step semantics of this code by the following [step] function *) val pc : ref int val n : ref int val e : ref int val r : ref int val step () : unit requires { 0 <= !pc < 8 } writes { pc, e, r } ensures { old !pc = 0 -> !pc = 1 /\ !e = 1 /\ !r = old !r } ensures { old !pc = 1 -> !pc = 2 /\ !e = old !e /\ !r = !n } ensures { old !pc = 2 /\ old !r > 100 -> !pc = 3 /\ !e = old !e /\ !r = old !r } ensures { old !pc = 2 /\ old !r <= 100 -> !pc = 6 /\ !e = old !e /\ !r = old !r } ensures { old !pc = 3 -> !pc = 4 /\ !e = old !e /\ !r = old !r - 10 } ensures { old !pc = 4 -> !pc = 5 /\ !e = old !e - 1 /\ !r = old !r } ensures { old !pc = 5 /\ old !e = 0 -> !pc = 8 /\ !e = old !e /\ !r = old !r } ensures { old !pc = 5 /\ old !e <> 0 -> !pc = 2 /\ !e = old !e /\ !r = old !r } ensures { old !pc = 6 -> !pc = 7 /\ !e = old !e /\ !r = old !r + 11 } ensures { old !pc = 7 -> !pc = 2 /\ !e = old !e + 1 /\ !r = old !r } let rec aux1 () : unit requires { !pc = 2 /\ !e > 0 } variant { 101 - !r } ensures { !pc = 5 /\ !r = spec(old !r) /\ !e = old !e - 1 } = step (); (* execution of 'if r > 100' *) if !pc = 3 then begin step (); (* assignment r <- r - 10 *) step (); (* assignment e <- e - 1 *) end else begin step (); (* assignment r <- r + 11 *) step (); (* assignment e <- e + 1 *) aux1 (); step (); (* 'if e=0' must be false *) aux1 () end let mccarthy1 () requires { !pc = 0 /\ !n >= 0 } ensures { !pc = 8 /\ !r = spec !n } = step (); (* assignment e <- 1 *) step (); (* assignment r <- n *) aux1 (); (* loop *) step() (* loop exit *) (** {2 a variant with not-so-small steps} we annotate the important program points: {h 
{ 0 } e <- 1;
      r <- n;
      loop
{ 1 }   if r > 100 { r <- r - 10; e <- e - 1; { 2 } if e = 0 break; }
              else { r <- r + 11; e <- e + 1; }
      end-loop
end-while
{ 3 }
return r
} we define the not-so-small-step semantics of this code by the following [next] function *) val next () : unit requires { 0 <= !pc < 3 } writes { pc, e, r } ensures { old !pc = 0 -> !pc = 1 /\ !e = 1 /\ !r = !n } ensures { old !pc = 1 /\ old !r > 100 -> !pc = 2 /\ !r = old !r - 10 /\ !e = old !e - 1 } ensures { old !pc = 1 /\ old !r <= 100 -> !pc = 1 /\ !r = old !r + 11 /\ !e = old !e + 1 } ensures { old !pc = 2 /\ old !e = 0 -> !pc = 3 /\ !r = old !r /\ !e = old !e } ensures { old !pc = 2 /\ old !e <> 0 -> !pc = 1 /\ !r = old !r /\ !e = old !e } (* [aux2] performs as may loop iterations as needed so as to reach program point 2 from program point 1 *) let rec aux2 () : unit requires { !pc = 1 /\ !e > 0 } variant { 101 - !r } ensures { !pc = 2 /\ !r = spec(old !r) /\ !e = old !e - 1 } = next (); if !pc <> 2 then begin aux2 (); next (); aux2 () end let mccarthy2 () requires { !pc = 0 /\ !n >= 0 } ensures { !pc = 3 /\ !r = spec !n } = next (); (* assignments e <- 1; r <- n *) aux2 (); (* loop *) next () end module McCarthy91Mach use int.Int use mach.int.Int63 function spec (x: int) : int = if x <= 100 then 91 else x-10 let rec f91 (n: int63) : int63 variant { 101 - n } ensures { result = spec n } = if n <= 100 then f91 (f91 (n + 11)) else n - 10 use mach.peano.Peano use mach.int.Refint63 use int.Iter let f91_nonrec (n0: int63) : int63 ensures { result = spec n0 } = let e = ref one in let n = ref n0 in while gt !e zero do invariant { !e >= 0 /\ iter spec !e !n = spec n0 } variant { 101 - !n + 10 * !e, !e:int } if !n > 100 then begin n := !n - 10; e := pred !e end else begin assert { spec !n = spec (spec (!n + 11)) }; n := !n + 11; e := succ !e end done; !n exception Stop let f91_pseudorec (n0: int63) : int63 ensures { result = spec n0 } = let e = ref one in let n = ref n0 in let bloc () : unit requires { !e >= 0 } ensures { !(old e) > 0 } ensures { if !(old n) > 100 then !n = !(old n) - 10 /\ !e = !(old e) - 1 else !n = !(old n) + 11 /\ !e = !(old e) + 1 } raises { Stop -> !e = !(old e) = 0 /\ !n = !(old n) } = if not (gt !e zero) then raise Stop; if !n > 100 then begin n := !n - 10; e := pred !e end else begin n := !n + 11; e := succ !e end in let rec aux () : unit requires { !e > 0 } variant { 101 - !n } ensures { !e = !(old e) - 1 /\ !n = spec !(old n) } raises { Stop -> false } = let u = !n in bloc (); if u <= 100 then (aux (); aux ()) in try aux (); bloc (); absurd with Stop -> !n end end why3-1.6.0/bench/valid/type_invariant.mlw000066400000000000000000000003351440160026300203400ustar00rootroot00000000000000module A use int.Int type t = private { a: int } invariant { a >= 0 } by { a = 0 } end module B use int.Int type t = { a: int; b: int } invariant { a >= b >= 0 } by { a = 0; b = 0 } clone A with type t = t end why3-1.6.0/bench/valid/wpcalls.mlw000077700000000000000000000000001440160026300241262../programs/good/wpcalls.mlwustar00rootroot00000000000000why3-1.6.0/bin/000077500000000000000000000000001440160026300131545ustar00rootroot00000000000000why3-1.6.0/bin/.keepme000066400000000000000000000000001440160026300144110ustar00rootroot00000000000000why3-1.6.0/configure.in000066400000000000000000001125601440160026300147220ustar00rootroot00000000000000#################################################################### # # # The Why3 Verification Platform / The Why3 Development Team # # Copyright 2010-2023 -- Inria - CNRS - Paris-Saclay University # # # # This software is distributed under the terms of the GNU Lesser # # General Public License version 2.1, with the special exception # # on linking described in file LICENSE. # # # #################################################################### AC_INIT([Why3], [1.6.0]) # verbosemake AC_ARG_ENABLE(verbose-make, AS_HELP_STRING([--enable-verbose-make], [verbose makefile recipes]),, enable_verbose_make=no) # LOCAL_CONF AC_ARG_ENABLE(local, AS_HELP_STRING([--enable-local], [use Why3 in the build directory (no installation)]),, enable_local=no) # RELOCATABLE INSTALLATION AC_ARG_ENABLE(relocation, AS_HELP_STRING([--enable-relocation], [allow for later relocation of Why3 installation]),, enable_relocation=no) # NATIVE AC_ARG_ENABLE(native-code, AS_HELP_STRING([--disable-native-code], [use only the byte-code compiler]),, enable_native_code=yes) # WHY3LIB AC_ARG_ENABLE(why3-lib, AS_HELP_STRING([--disable-why3-lib], [use an already installed Why3]),, enable_why3_lib=yes) # Zarith AC_ARG_ENABLE(zarith, AS_HELP_STRING([--disable-zarith], [use Nums instead of Zarith for computations]),, enable_zarith=check) # ocamlfind AC_ARG_ENABLE(ocamlfind, AS_HELP_STRING([--disable-ocamlfind], [do not use Ocamlfind]),, enable_ocamlfind=check) # camlzip AC_ARG_ENABLE(zip, AS_HELP_STRING([--disable-zip], [do not use LZ compression to store session files]),, enable_zip=check) # infer AC_ARG_ENABLE(infer, AS_HELP_STRING([--enable-infer], [use apron and fixpoint to infer loop invariants]),, enable_infer=no) # bddinfer AC_ARG_ENABLE(bddinfer, AS_HELP_STRING([--enable-bddinfer], [use apron and BDDs to infer loop invariants]),, enable_bddinfer=no) # js_of_ocaml AC_ARG_ENABLE(js_of_ocaml, AS_HELP_STRING([--disable-js-of-ocaml], [do not use js-of-ocaml]),, enable_js_of_ocaml=check) # re AC_ARG_ENABLE(re, AS_HELP_STRING([--disable-re], [use Str instead of Re for regular expressions]),, enable_re=check) # pp_sexp AC_ARG_ENABLE(pp-sexp, AS_HELP_STRING([--disable-pp-sexp], [disable S-expression output for why3pp]),, enable_pp_sexp=yes) # IDE AC_ARG_ENABLE(ide, AS_HELP_STRING([--disable-ide], [do not build Why3 IDE]),, enable_ide=check) AC_ARG_ENABLE(web_ide, AS_HELP_STRING([--disable-web-ide], [do not build Why3 Web IDE]),, enable_web_ide=check) # Coq libraries AC_ARG_ENABLE(coq-libs, AS_HELP_STRING([--disable-coq-libs], [do not build Coq realizations]),, enable_coq_libs=yes) # PVS libraries AC_ARG_ENABLE(pvs-libs, AS_HELP_STRING([--disable-pvs-libs], [do not build PVS realizations]),, enable_pvs_libs=yes) # Isabelle libraries AC_ARG_ENABLE(isabelle-libs, AS_HELP_STRING([--disable-isabelle-libs], [do not build Isabelle realizations]),, enable_isabelle_libs=yes) # MLMPFR AC_ARG_ENABLE(mpfr, AS_HELP_STRING([--disable-mpfr], [disable support for MPFR]),, enable_mpfr=check) # hypothesis selection AC_ARG_ENABLE(hypothesis-selection, AS_HELP_STRING([--disable-hypothesis-selection], [do not support hypothesis selection]),, enable_hypothesis_selection=check) # stackify AC_ARG_ENABLE(stackify, AS_HELP_STRING([--disable-stackify], [disable structure reconstruction algorithm for MLCFG]),, enable_stackify=check) # documentation AC_ARG_ENABLE(doc, AS_HELP_STRING([--disable-doc], [do not build documentation]),, enable_doc=yes) AC_ARG_ENABLE(html-pdf, AS_HELP_STRING([--disable-pdf-doc], [do not build PDF documentation]),, enable_pdf_doc=yes) # Experimental Jessie3 Frama-C plugin, disabled by default AC_ARG_ENABLE(frama-c, AS_HELP_STRING([--enable-frama-c], [enable Frama-C plugin]),, [enable_frama_c=no reason_frama_c=" (disabled by default)"]) # profiling with statememprof AC_ARG_ENABLE(statmemprof, AS_HELP_STRING([--enable-statmemprof], [enable statistical memory profiling]),, [enable_statmemprof=no reason_statmemprof=" (disabled by default)"]) # Emacs compilation AC_ARG_ENABLE(emacs-compilation, AS_HELP_STRING([--disable-emacs-compilation], [do not compile why3.elc]),, enable_emacs_compilation=yes) # default editor AC_ARG_VAR(EDITOR, [default editor]) # either relocation or local, not both if test "$enable_relocation" = yes -a "$enable_local" = yes ; then AC_MSG_ERROR([cannot use --enable-relocation and --enable-local at the same time.]) fi # Check for arch/OS AC_MSG_CHECKING([executable suffix]) if uname -s | grep -q CYGWIN ; then EXE=.exe STRIP='echo "no strip "' AC_MSG_RESULT([.exe ]) elif uname -s | grep -q MINGW ; then EXE=.exe STRIP=strip AC_MSG_RESULT([.exe ]) else EXE= STRIP=strip AC_MSG_RESULT([]) fi AC_PROG_CC AC_PROG_MKDIR_P AC_PROG_INSTALL AC_DEFUN([AX_VERSION_GE], [AS_VERSION_COMPARE([$1],[$2],[$4],[$3],[$3])]) # Check for Ocaml compilers # we first look for ocamlc in the path; if not present, we fail AC_CHECK_PROG(OCAMLC,ocamlc,ocamlc,no) if test "$OCAMLC" = no ; then AC_MSG_ERROR([cannot find ocamlc.]) fi # we extract Ocaml version number OCAMLVERSION=`$OCAMLC -v | sed -n -e 's|.*version *\(.*\)$|\1|p'` AC_MSG_NOTICE([ocaml version is $OCAMLVERSION]) AX_VERSION_GE([$OCAMLVERSION], 4.08.0, [], [AC_MSG_ERROR([You need Objective Caml 4.08.0 or higher.])]) # Ocaml library path # old way: OCAMLLIB=`$OCAMLC -v | tail -1 | cut -f 4 -d ' ' | tr -d '\\r'` OCAMLLIB=`$OCAMLC -where | tr -d '\\r'` AC_MSG_NOTICE([ocaml library path is $OCAMLLIB]) # then we look for ocamlopt; if not present, we issue a warning # if the version is not the same, we also discard it # we set OCAMLBEST to "opt" or "byte", whether ocamlopt is available or not AC_CHECK_PROG(OCAMLOPT,ocamlopt,ocamlopt,no) OCAMLBEST=byte if test "$OCAMLOPT" = no ; then AC_MSG_WARN([cannot find ocamlopt; bytecode compilation only.]) else AC_MSG_CHECKING([ocamlopt version]) TMPVERSION=`$OCAMLOPT -v | sed -n -e 's|.*version *\(.*\)$|\1|p'` if test "$TMPVERSION" != "$OCAMLVERSION" ; then AC_MSG_RESULT([differs from ocamlc; ocamlopt discarded.]) OCAMLOPT=no else AC_MSG_RESULT(ok) OCAMLBEST=opt fi fi # checking for native-code if test "$enable_native_code" != yes || test "$OCAMLBEST" = byte ; then enable_native_code=no OCAMLBEST=byte OCAMLOPT=no fi # checking for ocamlc.opt AC_CHECK_PROG(OCAMLCDOTOPT,ocamlc.opt,ocamlc.opt,no) if test "$OCAMLCDOTOPT" != no ; then AC_MSG_CHECKING([ocamlc.opt version]) TMPVERSION=`$OCAMLCDOTOPT -v | sed -n -e 's|.*version *\(.*\)$|\1|p'` if test "$TMPVERSION" != "$OCAMLVERSION" ; then AC_MSG_RESULT([differs from ocamlc; ocamlc.opt discarded.]) else AC_MSG_RESULT(ok) OCAMLC=$OCAMLCDOTOPT fi fi # checking for ocamlopt.opt if test "$OCAMLOPT" != no ; then AC_CHECK_PROG(OCAMLOPTDOTOPT,ocamlopt.opt,ocamlopt.opt,no) if test "$OCAMLOPTDOTOPT" != no ; then AC_MSG_CHECKING([ocamlc.opt version]) TMPVER=`$OCAMLOPTDOTOPT -v | sed -n -e 's|.*version *\(.*\)$|\1|p'` if test "$TMPVER" != "$OCAMLVERSION" ; then AC_MSG_RESULT([differs from ocamlc; ocamlopt.opt discarded.]) else AC_MSG_RESULT(ok) OCAMLOPT=$OCAMLOPTDOTOPT fi fi fi # ocamldep, ocamllex and ocamlyacc should also be present in the path AC_CHECK_PROG(OCAMLDEP,ocamldep,ocamldep,no) if test "$OCAMLDEP" = no ; then AC_MSG_ERROR([cannot find ocamldep.]) else AC_CHECK_PROG(OCAMLDEPDOTOPT,ocamldep.opt,ocamldep.opt,no) if test "$OCAMLDEPDOTOPT" != no ; then OCAMLDEP=$OCAMLDEPDOTOPT fi fi AC_CHECK_PROG(OCAMLLEX,ocamllex,ocamllex,no) if test "$OCAMLLEX" = no ; then AC_MSG_ERROR([cannot find ocamllex.]) else AC_CHECK_PROG(OCAMLLEXDOTOPT,ocamllex.opt,ocamllex.opt,no) if test "$OCAMLLEXDOTOPT" != no ; then OCAMLLEX=$OCAMLLEXDOTOPT fi fi AC_CHECK_PROG(OCAMLYACC,ocamlyacc,ocamlyacc,no) if test "$OCAMLYACC" = no ; then AC_MSG_ERROR([cannot find ocamlyacc.]) fi AC_CHECK_PROG(OCAMLDOC,ocamldoc,ocamldoc,true) if test "$OCAMLDOC" != true ; then AC_CHECK_PROG(OCAMLDOCOPT,ocamldoc.opt,ocamldoc.opt,no) if test "$OCAMLDOCOPT" != no ; then OCAMLDOC=$OCAMLDOCOPT fi fi AC_CHECK_PROG(MENHIR,menhir,menhir,no) if test "$MENHIR" = no ; then AC_MSG_ERROR([cannot find menhir.]) fi MENHIRVERSION=`$MENHIR --version | sed -n -e 's,.*version *\(.*\)$,\1,p'` AX_VERSION_GE([$MENHIRVERSION], 20170418, [], [AC_MSG_ERROR([You need Menhir 20170418 or higher.])]) found_ocamlfind=no if test "$enable_ocamlfind" != no; then AC_CHECK_PROG(OCAMLFIND,ocamlfind,ocamlfind,no) if test "$OCAMLFIND" = no; then reason_ocamlfind=" (not found)" else OCAMLFINDLIB=$(ocamlfind printconf stdlib) if test "$OCAMLFINDLIB" != "$OCAMLLIB"; then found_ocamlfind=no reason_ocamlfind=" (incompatible with OCaml)" echo "but your ocamlfind is not compatible with your ocamlc:" echo "ocamlfind: $OCAMLFINDLIB, ocamlc: $OCAMLLIB" else found_ocamlfind=yes fi fi fi if test "$found_ocamlfind" = no; then if test "$enable_ocamlfind" = yes; then AC_MSG_ERROR([cannot use ocamlfind.]) fi enable_ocamlfind=no fi if test "$enable_ocamlfind" != no; then #if ocamlfind is used it gives the install path for ocaml library OCAMLINSTALLLIB=$($OCAMLFIND printconf destdir) enable_ocamlfind=yes else OCAMLINSTALLLIB=$OCAMLLIB OCAMLFIND=no fi if test "$enable_why3_lib" = yes ; then WHY3LIB= else if test "$enable_ocamlfind" = no; then AC_MSG_ERROR([cannot use --disable-why3-lib without ocamlfind.]) fi WHY3LIB=why3 AC_MSG_CHECKING([for Why3 using ocamlfind]) DIR=$($OCAMLFIND query why3 2> /dev/null) if test -n "$DIR"; then AC_MSG_RESULT([yes]) WHY3INCLUDE="-I $DIR" else AC_MSG_RESULT([no]) AC_MSG_ERROR([cannot use --disable-why3-lib without an installed Why3.]) fi fi if test "$enable_local" = no; then LOCALDIR='' else LOCALDIR="${PWD}" fi # ppx if test "$enable_ocamlfind" = yes; then AC_MSG_CHECKING([for compiler-libs using ocamlfind]) COMPILERLIBS=$($OCAMLFIND query compiler-libs 2> /dev/null) if test -n "$COMPILERLIBS"; then AC_MSG_RESULT([yes]) enable_ppx=yes else AC_MSG_RESULT([no]) enable_ppx=no reason_ppx=" (compiler-libs not found)" fi else enable_ppx=no fi # checking for sphinx if test "$enable_doc" = yes; then AC_CHECK_PROG(SPHINX,sphinx-build,sphinx-build,no) if test "$SPHINX" = no; then enable_doc=no enable_pdf_doc=no reason_doc=" (sphinx-build not found)" AC_MSG_WARN([cannot find sphinx-build, documentation disabled.]) fi else enable_pdf_doc=no fi # checking for rubber or latexmk or pdflatex if test "$enable_pdf_doc" = yes; then AC_CHECK_PROGS(LATEX,latexmk rubber pdflatex,no) if test "$LATEX" = no; then enable_pdf_doc=no reason_pdf_doc=" ((rubber|latexmk|pdflatex) not found)" AC_MSG_WARN([cannot find any latex compiler, PDF documentation disabled.]) fi fi # checking for emacs if test "$enable_emacs_compilation" = yes ; then AC_CHECK_PROG(EMACS,emacs,emacs,no) if test "$EMACS" = no ; then enable_emacs_compilation=no AC_MSG_WARN([cannot find emacs, compilation of why3.elc disabled.]) fi fi # checking for Num # (ocamlfind cannot be trusted here, since the default installation path is $OCAMLLIB) found_num=no if test "$enable_ocamlfind" = yes; then AC_MSG_CHECKING([for num using ocamlfind]) DIR=$($OCAMLFIND query num 2> /dev/null) if test -z "$DIR"; then AC_MSG_RESULT([no]) AC_MSG_ERROR([cannot find library Num using ocamlfind.]) fi AC_MSG_RESULT([yes]) NUMPKG=num NUMINCLUDE="-I $DIR" found_num=yes AC_CHECK_FILE($DIR/nums.cma,,found_num=no) AC_CHECK_FILE($DIR/num.cmi,,found_num=no) fi if test "$found_num" = no; then DIR="$OCAMLLIB" NUMINCLUDE= found_num=yes AC_CHECK_FILE($DIR/nums.cma,,found_num=no) AC_CHECK_FILE($DIR/num.cmi,,found_num=no) fi if test "$found_num" = no; then AC_MSG_ERROR([cannot find library Num.]) fi # checking for Zarith if test "$enable_zarith" = no; then reason_zarith=" (disabled by user)" else DIR= found_zarith=yes if test "$enable_ocamlfind" = yes; then AC_MSG_CHECKING([for zarith using ocamlfind]) DIR=$($OCAMLFIND query zarith 2> /dev/null) if test -n "$DIR"; then AC_MSG_RESULT([yes]) BIGINTINCLUDE="-I $DIR" else AC_MSG_RESULT([no]) found_zarith=no fi else BIGINTINCLUDE="-I +zarith" DIR="$OCAMLLIB/zarith" AC_CHECK_FILE($DIR/zarith.cma,,found_zarith=no) fi if test -n "$DIR"; then AC_CHECK_FILE($DIR/z.cmi,,found_zarith=no) fi if test "$found_zarith" = no; then if test "$enable_zarith" = yes; then AC_MSG_ERROR([cannot find library zarith.]) fi AC_MSG_WARN([cannot find library zarith, using Nums instead.]) enable_zarith=no reason_zarith=" (zarith not found)" fi fi if test "$enable_zarith" != no; then BIGINTLIB=zarith BIGINTPKG=zarith enable_zarith=yes else BIGINTLIB=nums BIGINTPKG=num BIGINTINCLUDE="$NUMINCLUDE" fi # checking for apron for bddinfer if test "$enable_bddinfer" = yes; then if test "$enable_ocamlfind" = yes; then # gmp is a dependency of apron INFERINCLUDE=$($OCAMLFIND query -separator ' ' -i-format apron 2> /dev/null) fi if test -n "$INFERINCLUDE"; then echo "ocamlfind found apron in $INFERINCLUDE" INFERLIB="apron" INFERPKG="zarith apron apron.polkaMPQ" else enable_bddinfer=no reason_bddinfer=" (apron not found)" AC_MSG_WARN([Lib apron not found, bddinfer will not be built.]) fi else reason_bddinfer=" (disabled by default)" fi # checking for apron and fixpoint if test "$enable_infer" = yes; then if test "$enable_ocamlfind" = yes; then # gmp is a dependency of apron INFERINCLUDE=$($OCAMLFIND query apron camllib 2> /dev/null) fi if test -n "$INFERINCLUDE"; then echo "ocamlfind found apron, camllib in $INFERINCLUDE" INFERINCLUDE=$($OCAMLFIND query fixpoint 2> /dev/null) if test -n "$INFERINCLUDE"; then echo "ocamlfind found fixpoint in $INFERINCLUDE" INFERINCLUDE="$($OCAMLFIND query -separator ' ' -i-format apron fixpoint camllib gmp 2> /dev/null)" INFERLIB="apron fixpoint" INFERPKG="apron fixpoint apron.boxMPQ apron.octMPQ apron.polkaMPQ" else enable_infer=no AC_MSG_WARN([Lib fixpoint not found, infer will not be built.]) reason_infer=" (fixpoint not found)" fi else enable_infer=no reason_infer=" (apron or camllib not found)" AC_MSG_WARN([Lib apron or camllib not found, infer will not be built.]) fi else reason_infer=" (disabled by default)" fi # checking for camlzip if test "$enable_zip" = no; then reason_zip=" (disabled by user)" else DIR= found_zip=yes if test "$enable_ocamlfind" = yes; then AC_MSG_CHECKING([for camlzip using ocamlfind]) DIR=$($OCAMLFIND query zip 2> /dev/null) if test -n "$DIR"; then AC_MSG_RESULT([yes]) ZIPINCLUDE="-I $DIR" else AC_MSG_RESULT([no]) found_zip=no fi else ZIPINCLUDE="-I +zip" DIR="$OCAMLLIB/zip" AC_CHECK_FILE($DIR/zip.cma,,found_zip=no) fi if test -n "$DIR"; then AC_CHECK_FILE($DIR/zip.cmi,,found_zip=no) fi if test "$found_zip" = no; then if test "$enable_zip" = yes; then AC_MSG_ERROR([cannot find library camlzip.]) fi AC_MSG_WARN([cannot find library camlzip; sessions files will not be compressed.]) enable_zip=no reason_zip=" (camlzip not found)" fi fi if test "$enable_zip" != no; then ZIPLIB=zip enable_zip=yes else ZIPLIB= ZIPINCLUDE= fi # checking for menhirlib found_menhirlib=yes DIR= if test "$enable_ocamlfind" = yes; then AC_MSG_CHECKING([for menhirLib using ocamlfind]) DIR=$($OCAMLFIND query menhirLib 2> /dev/null) if test -n "$DIR"; then AC_MSG_RESULT([yes]) MENHIRINCLUDE="-I $DIR" else AC_MSG_RESULT([no]) found_menhirlib=no fi else MENHIRINCLUDE="-I +menhirLib" DIR="$OCAMLLIB/menhirLib" menhirlib_cmo= AC_CHECK_FILE($DIR/menhirLib.cmo,menhirlib_cmo=yes,) AC_CHECK_FILE($DIR/menhirLib.cma,menhirlib_cmo=no,) if test -z "$menhirlib_cmo"; then found_menhirlib=no; fi fi if test -n "$DIR"; then AC_CHECK_FILE($DIR/menhirLib.cmi,,found_menhirlib=no) fi if test "$found_menhirlib" = no; then AC_MSG_ERROR([cannot find library menhirLib.]) fi AC_SUBST(menhirlib_cmo) # checking for re if test "$enable_re" = no; then reason_re=" (disabled by user)" else found_re=yes DIR= if test "$enable_ocamlfind" = yes; then AC_MSG_CHECKING([for re using ocamlfind]) DIR=$($OCAMLFIND query re 2> /dev/null) if test -n "$DIR"; then AC_MSG_RESULT([yes]) REINCLUDE="-I $DIR" else AC_MSG_RESULT([no]) found_re=no fi else REINCLUDE="-I +re" DIR="$OCAMLLIB/re" AC_CHECK_FILE($DIR/re.cmx,,found_re=no) fi if test -n "$DIR"; then AC_CHECK_FILE($DIR/re.cmi,,found_re=no) fi if test "$found_re" = no; then if test "$enable_re" = yes; then AC_MSG_ERROR([cannot find library re.]) fi AC_MSG_WARN([cannot find library re, using Str instead.]) enable_re=no reason_re=" (re not found)" fi fi if test "$enable_re" != no; then RELIB=re enable_re=yes else REINCLUDE= RELIB=str fi # checking for lablgtk3 if test "$enable_ide" = no ; then reason_ide=" (disabled by user)" fi if test "$enable_ide" != no -a "$enable_ocamlfind" = no; then if test "$enable_ide" = yes; then AC_MSG_ERROR([cannot build IDE without ocamlfind.]) fi enable_ide=no reason_ide=" (ocamlfind not available)" fi found_lablgtk=no if test "$enable_ide" != no; then AC_MSG_CHECKING([for lablgtk3 using ocamlfind]) DIR=$($OCAMLFIND query lablgtk3 2> /dev/null) if test -n "$DIR"; then AC_MSG_RESULT([yes]) found_lablgtk=yes AC_CHECK_FILE($DIR/gtkButton.cmi,,found_lablgtk=no) else AC_MSG_RESULT([no]) found_lablgtk=no fi if test "$found_lablgtk" = yes; then GTKVERSION=3 PKGS_SOURCEVIEW="lablgtk3-sourceview3 lablgtk3.sourceview3 lablgtksourceview3" fi fi # checking for lablgtksourceview found_lablgtksourceview=no if test "$found_lablgtk" = yes; then for p in $PKGS_SOURCEVIEW; do AC_MSG_CHECKING([for $p using ocamlfind]) DIR=$($OCAMLFIND query $p 2> /dev/null) if test -n "$DIR"; then AC_MSG_RESULT([yes]) AC_CHECK_FILE($DIR/gSourceView$GTKVERSION.cmi,,p=) if test -n "$p"; then PKG_SOURCEVIEW=$p break fi else AC_MSG_RESULT([no]) fi done if test -n "$PKG_SOURCEVIEW"; then found_lablgtksourceview=yes fi fi if test "$enable_ide" != no -a "$found_lablgtk" = no; then if test "$enable_ide" = yes; then AC_MSG_ERROR([cannot build IDE without lablgtk3.]) fi AC_MSG_WARN([cannot find library lablgtk3, IDE disabled.]) enable_ide=no reason_ide=" (lablgtk3 not found)" fi if test "$enable_ide" != no -a "$found_lablgtksourceview" = no; then if test "$enable_ide" = yes; then AC_MSG_ERROR([cannot build IDE without lablgtksourceview.]) fi AC_MSG_WARN([cannot find library lablgtksourceview, IDE disabled.]) enable_ide=no reason_ide=" (lablgtksourceview not found)" fi if test "$enable_ide" != no; then enable_ide=yes LABLGTKPKG="lablgtk$GTKVERSION $PKG_SOURCEVIEW" fi if test "$enable_hypothesis_selection" != no -o "$enable_stackify" != no; then found_ocamlgraph=yes DIR= if test "$enable_ocamlfind" = yes; then AC_MSG_CHECKING([for ocamlgraph using ocamlfind]) DIR=$($OCAMLFIND query ocamlgraph 2> /dev/null) if test -n "$DIR"; then AC_MSG_RESULT([yes]) OCAMLGRAPHLIB="$DIR" else AC_MSG_RESULT([no]) found_ocamlgraph=no fi else OCAMLGRAPHLIB="+ocamlgraph" DIR="$OCAMLLIB/ocamlgraph" AC_CHECK_FILE($DIR/graph.cma,,found_ocamlgraph=no) fi if test -n "$DIR"; then AC_CHECK_FILE($DIR/graph.cmi,,found_ocamlgraph=no) fi fi if test "$enable_hypothesis_selection" = no; then reason_hypothesis_selection=" (disabled by user)" elif test "$found_ocamlgraph" = no; then if test "$enable_hypothesis_selection" = yes; then AC_MSG_ERROR([cannot enable hypothesis selection without ocamlgraph.]) fi enable_hypothesis_selection=no reason_hypothesis_selection=" (ocamlgraph not found)" AC_MSG_WARN([cannot find library ocamlgraph, hypothesis selection disabled.]) fi if test "$enable_hypothesis_selection" != no; then META_OCAMLGRAPH="ocamlgraph" enable_hypothesis_selection=yes else META_OCAMLGRAPH= OCAMLGRAPHLIB= fi if test "$enable_stackify" = no; then reason_stackify=" (disabled by user)" elif test "$found_ocamlgraph" = no; then if test "$enable_stackify" = yes; then AC_MSG_ERROR([cannot enable stackify without ocamlgraph.]) fi enable_stackify=no reason_stackify=" (ocamlgraph not found)" AC_MSG_WARN([cannot find library ocamlgraph, stackify disabled.]) fi if test "$enable_stackify" != no; then META_OCAMLGRAPH="ocamlgraph" enable_stackify=yes else META_OCAMLGRAPH= OCAMLGRAPHLIB= fi # MLMPFR found_mlmpfr=no if test "$enable_mpfr" = no; then reason_mpfr=" (disabled by user)" elif test "$enable_ocamlfind" != yes; then reason_mpfr=" (ocamlfind not available)" elif test "$enable_js_of_ocaml" = yes -o "$enable_web_ide" = yes; then if test "$enable_mpfr" = yes; then AC_MSG_ERROR([cannot enable support for both MPFR and Javascript.]) fi reason_mpfr=" (incompatible with js_of_ocaml) " else found_mlmpfr=yes AC_MSG_CHECKING([for mlmpfr]) DIR=$($OCAMLFIND query mlmpfr 2> /dev/null) if test -n "$DIR"; then AC_MSG_RESULT([yes]) old_mpfr=no echo "ocamlfind found mlmpfr in $DIR" # Test that MPFR version is higher than 4.0.0 (because of # Faithful constructor incompatibility). MPFRVERSION=$($OCAMLFIND query -format "%v" mlmpfr 2> /dev/null) AX_VERSION_GE([$MPFRVERSION], 4.0.0, [], [ found_mlmpfr=no reason_mpfr=" (mlmpfr >= 4.0.0 not found)"]) AC_CHECK_FILE($DIR/mpfr.cmi, [old_mpfr=yes], ) AC_CHECK_FILE($DIR/mlmpfr.cma,, [ found_mlmpfr=no reason_mpfr=" (mlmpfr not found)"]) else AC_MSG_RESULT([no]) reason_mpfr=" (mlmpfr not found)" found_mlmpfr=no fi fi if test "$enable_mpfr" != no -a "$found_mlmpfr" = no; then if test "$enable_mpfr" = yes; then AC_MSG_ERROR([cannot enable MPFR support without mlmpfr.]) fi enable_mpfr=no fi if test "$enable_mpfr" != no; then enable_mpfr=yes MLMPFR=mlmpfr fi # checking for js_of_ocaml found_js_of_ocaml=no if test "$enable_js_of_ocaml" = no; then reason_js_of_ocaml=" (disabled by user)" elif test "$enable_mpfr" = yes; then reason_js_of_ocaml=" (incompatible with MPFR support)" elif test "$enable_ocamlfind" != yes; then reason_js_of_ocaml=" (ocamlfind not available)" else found_js_of_ocaml=yes for p in js_of_ocaml js_of_ocaml-ppx; do AC_MSG_CHECKING([for $p]) DIR=$($OCAMLFIND query $p 2> /dev/null) if test -z "$DIR"; then AC_MSG_RESULT([no]) found_js_of_ocaml=no reason_js_of_ocaml=" ($p not found)" break else AC_MSG_RESULT([yes]) fi done fi if test "$enable_js_of_ocaml" != no -a "$found_js_of_ocaml" = no; then if test "$enable_js_of_ocaml" = yes; then AC_MSG_ERROR([cannot enable Javascript support without ocamlfind.]) fi enable_js_of_ocaml=no fi if test "$enable_js_of_ocaml" != no; then enable_js_of_ocaml=yes JSOFOCAMLPKG="js_of_ocaml js_of_ocaml-ppx" fi # Web IDE if test "$enable_web_ide" = no; then reason_web_ide=" (disabled by user)" elif test "$enable_js_of_ocaml" != yes; then if test "$enable_web_ide" = yes; then AC_MSG_ERROR([cannot enable web IDE without Javascript support.]) fi enable_web_ide=no reason_web_ide=" (Javascript support not available)" else enable_web_ide=yes fi # checking for statmemprof if test "$enable_statmemprof" = yes; then if test "$enable_ocamlfind" != yes; then enable_statmemprof=no reason_statmemprof=" (ocamlfind not available)" else DIR=$($OCAMLFIND query statmemprof-emacs 2> /dev/null) if test -z "$DIR"; then enable_statmemprof=no reason_statmemprof=" (statmemprof-emacs not found)" fi STATMEMPROFPKG=statmemprof-emacs fi fi # ppx_sexp_conv (only with ocamlfind) SEXPLIBPPX= SEXPLIB= if test "$enable_pp_sexp" = no; then reason_pp_sexp=" (disabled by user)" else if test "$enable_ocamlfind" != yes; then enable_pp_sexp=no reason_pp_sexp=" (ocamlfind not available)" elif test "$enable_ppx" != yes; then enable_pp_sexp=no reason_pp_sexp=" (requires ppx)" else for p in ppx_sexp_conv sexplib ppx_deriving; do AC_MSG_CHECKING([for $p using ocamlfind]) DIR=$($OCAMLFIND query $p 2> /dev/null) if test -z "$DIR"; then AC_MSG_RESULT([no]) enable_pp_sexp=no reason_pp_sexp=" ($p not found)" break else AC_MSG_RESULT([yes]) fi done fi if test "$enable_pp_sexp" = yes; then SEXPLIBPPX="ppx_sexp_conv" SEXPLIB="sexplib sexplib.num" fi fi # Coq enable_coq_support=yes enable_coq_fp_libs=yes coq_compat_version= if test "$enable_coq_libs" = no; then enable_coq_support=no reason_coq_support=" (disabled by user)" fi if test "$enable_coq_support" = yes; then AC_CHECK_PROG(COQC,coqc,coqc,no) if test "$COQC" = no ; then enable_coq_support=no reason_coq_support=" (coqc not found)" fi fi if test "$enable_coq_support" = yes; then COQLIB=`$COQC -where | sed -e 's|\\\|/|g' -e 's| |\\ |g'` AC_MSG_CHECKING(Coq version) COQVERSION=[`$COQC -v | sed -n -e 's|.*version *\([^ ]*\).*|\1|p'`] AC_MSG_RESULT($COQVERSION) case $COQVERSION in 8.7*) coq_compat_version="COQ87" enable_coq_fp_libs=no ;; 8.8*) coq_compat_version="COQ88" enable_coq_fp_libs=no ;; 8.9*) coq_compat_version="COQ89" enable_coq_fp_libs=no ;; 8.10*) coq_compat_version="COQ810" enable_coq_fp_libs=no ;; 8.11*) coq_compat_version="COQ811" ;; 8.12*) coq_compat_version="COQ812" ;; 8.13*) coq_compat_version="COQ813" ;; 8.14*) coq_compat_version="COQ814" ;; 8.15*) coq_compat_version="COQ815" ;; 8.16*) coq_compat_version="COQ816" ;; *) enable_coq_support=no AC_MSG_WARN([You need Coq 8.7 or later; Coq discarded.]) reason_coq_support=" (need version >= 8.7)" ;; esac if test "$enable_coq_fp_libs" = no; then reason_coq_fp_libs= " (Coq < 8.11)" fi fi if test "$enable_coq_support" = yes; then AC_CHECK_PROG(COQDEP,coqdep,coqdep,no) if test "$COQDEP" = no; then enable_coq_support=no reason_coq_support=" (coqdep not found)" fi fi if test "$enable_coq_support" = no; then enable_coq_libs=no enable_coq_fp_libs=no COQVERSION= fi if test "$enable_coq_fp_libs" = yes; then AC_MSG_CHECKING([for Flocq]) AS_IF( [ echo "Require Import Flocq.Version BinNat." \ "Goal (30400 <= Flocq_version)%N. easy. Qed." > conftest.v "$COQC" conftest.v > conftest.err ], [ AC_MSG_RESULT(yes) ], [ AC_MSG_RESULT(no) enable_coq_fp_libs=no reason_coq_fp_libs=" (Flocq >= 3.4 not found)" ]) rm -f conftest.v conftest.vo conftest.err fi # PVS if test "$enable_pvs_libs" = no; then enable_pvs_support=no reason_pvs_support=" (disabled by user)" else AC_CHECK_PROG(PVS,pvs,pvs,no) if test "$PVS" = no ; then enable_pvs_support=no reason_pvs_support=" (pvs not found)" else PVSLIB=`$PVS -where` AC_MSG_CHECKING(PVS version) PVSVERSION=[`$PVS -version | sed -n -e 's|.*Version *\([^ ]*\)$|\1|p'`] AC_MSG_RESULT($PVSVERSION) case $PVSVERSION in 6.*|7.*) enable_pvs_support=yes ;; *) enable_pvs_support=no AC_MSG_WARN([You need PVS 6.0 or higher; PVS discarded.]) reason_pvs_support=" (need version 6.0 or higher)" ;; esac fi fi if test "$enable_pvs_support" = no; then enable_pvs_libs=no PVSVERSION= fi # Isabelle # Default version used for generation of realization in the case Isabelle is not # detected or Why3 is compiled with disable-isabelle. ISABELLEVERSION=2021-1 if test "$enable_isabelle_libs" = no; then enable_isabelle_support=no reason_isabelle_support=" (disabled by user)" else AC_CHECK_PROG(ISABELLE,isabelle,isabelle,no) if test "$ISABELLE" = no ; then enable_isabelle_support=no reason_isabelle_support=" (isabelle not found)" else AC_MSG_CHECKING(Isabelle version) ISABELLEDETECTEDVERSION=[`$ISABELLE version | sed -n -e 's|Isabelle\([^:]*\).*$|\1|p'`] AC_MSG_RESULT($ISABELLEDETECTEDVERSION) case $ISABELLEDETECTEDVERSION in 2019*) enable_isabelle_support=yes ISABELLEVERSION=2019 ;; 2021-1*) enable_isabelle_support=yes ISABELLEVERSION=2021-1 ;; 2022*) enable_isabelle_support=yes ISABELLEVERSION=2021-1 ;; *) enable_isabelle_support=no AC_MSG_WARN([You need Isabelle 2019 or later; Isabelle discarded.]) reason_isabelle_support=" (need version >= 2019)" ;; esac fi fi if test "$enable_isabelle_support" = no; then enable_isabelle_libs=no fi if test "$enable_pvs_libs" = yes; then AC_MSG_CHECKING([for NASA PVS library]) enable_pvs_libs=no reason_pvs_libs=" (no NASA PVS library in PVS_LIBRARY_PATH)" for dir in `echo $PVS_LIBRARY_PATH | tr ':' ' '`; do if test -f $dir/nasalib-version; then enable_pvs_libs=yes reason_pvs_libs="" fi done AC_MSG_RESULT($enable_pvs_libs) fi #check frama-c FRAMAC_SUPPORTED=Sulfur if test "$enable_frama_c" = yes ; then AC_CHECK_PROG(FRAMAC,frama-c,frama-c,no) if test "$FRAMAC" = no ; then enable_frama_c="no" reason_frama_c=" (frama-c not found)" else AC_MSG_CHECKING(Frama-C version) FRAMAC_VERSION=`$FRAMAC -version | sed -n -e 's|\(Version: \)\?\(.*\)$|\2|p'` AC_MSG_RESULT($FRAMAC_VERSION) case $FRAMAC_VERSION in $FRAMAC_SUPPORTED-*) ;; *) AC_MSG_WARN(Version $FRAMAC_SUPPORTED required.) enable_frama_c=no reason_frama_c=" (version $FRAMAC_SUPPORTED required)" ;; esac fi fi if test "$enable_frama_c" = yes; then FRAMAC_SHARE=`$FRAMAC -print-path` FRAMAC_LIBDIR=`$FRAMAC -print-libpath` FRAMAC_INCLUDE="-I $FRAMAC_LIBDIR" fi VERSION=$PACKAGE_VERSION # default editor if test -z "$EDITOR"; then case `uname -s` in Darwin) EDITOR=open ;; MINGW*) EDITOR="cmd.exe -c start" ;; *) EDITOR=xdg-open ;; esac fi # substitutions to perform AC_SUBST(VERSION) AC_SUBST(enable_verbose_make) AC_SUBST(EXE) AC_SUBST(STRIP) AC_SUBST(OCAMLC) AC_SUBST(OCAMLOPT) AC_SUBST(OCAMLDEP) AC_SUBST(OCAMLLEX) AC_SUBST(OCAMLYACC) AC_SUBST(OCAMLDOC) AC_SUBST(OCAMLBEST) AC_SUBST(OCAMLVERSION) AC_SUBST(OCAMLLIB) AC_SUBST(OCAMLINSTALLLIB) AC_SUBST(OCAMLGRAPHLIB) AC_SUBST(MENHIR) AC_SUBST(enable_ocamlfind) AC_SUBST(OCAMLFIND) AC_SUBST(enable_statmemprof) AC_SUBST(STATMEMPROFPKG) AC_SUBST(enable_ide) AC_SUBST(LABLGTKPKG) AC_SUBST(GTKVERSION) AC_SUBST(enable_web_ide) AC_SUBST(enable_js_of_ocaml) AC_SUBST(JSOFOCAMLPKG) AC_SUBST(META_OCAMLGRAPH) AC_SUBST(enable_ppx) AC_SUBST(enable_pp_sexp) AC_SUBST(SEXPLIB) AC_SUBST(SEXPLIBPPX) AC_SUBST(NUMINCLUDE) AC_SUBST(MLMPFR) AC_SUBST(enable_mpfr) AC_SUBST(old_mpfr) AC_SUBST(enable_zarith) AC_SUBST(BIGINTINCLUDE) AC_SUBST(BIGINTLIB) AC_SUBST(BIGINTPKG) AC_SUBST(enable_infer) AC_SUBST(enable_bddinfer) AC_SUBST(INFERINCLUDE) AC_SUBST(INFERLIB) AC_SUBST(INFERPKG) AC_SUBST(enable_zip) AC_SUBST(ZIPINCLUDE) AC_SUBST(ZIPLIB) AC_SUBST(MENHIRINCLUDE) AC_SUBST(enable_re) AC_SUBST(REINCLUDE) AC_SUBST(RELIB) AC_SUBST(enable_coq_libs) AC_SUBST(enable_coq_fp_libs) AC_SUBST(coq_compat_version) AC_SUBST(COQC) AC_SUBST(COQDEP) AC_SUBST(COQLIB) AC_SUBST(COQVERSION) AC_SUBST(enable_pvs_libs) AC_SUBST(PVS) AC_SUBST(PVSVERSION) AC_SUBST(enable_isabelle_libs) AC_SUBST(ISABELLE) AC_SUBST(ISABELLEVERSION) AC_SUBST(enable_hypothesis_selection) AC_SUBST(enable_stackify) AC_SUBST(enable_doc) AC_SUBST(enable_pdf_doc) AC_SUBST(LATEX) AC_SUBST(SPHINX) AC_SUBST(enable_emacs_compilation) AC_SUBST(EMACS) AC_SUBST(enable_frama_c) AC_SUBST(FRAMAC) AC_SUBST(FRAMAC_VERSION) AC_SUBST(FRAMAC_SHARE) AC_SUBST(FRAMAC_LIBDIR) AC_SUBST(FRAMAC_INCLUDE) AC_SUBST(enable_local) AC_SUBST(LOCALDIR) AC_SUBST(enable_why3_lib) AC_SUBST(WHY3LIB) AC_SUBST(WHY3INCLUDE) AC_SUBST(enable_relocation) # Finally create the Makefile from Makefile.in AC_CONFIG_FILES(Makefile) AC_CONFIG_FILES(src/config.sh) AC_CONFIG_FILES(lib/why3/META) AC_CONFIG_FILES(.merlin) AC_CONFIG_FILES(src/jessie/Makefile) AC_CONFIG_FILES(src/jessie/.merlin) AC_CONFIG_FILES(lib/coq/version lib/pvs/version) AC_CONFIG_COMMANDS([chmod], chmod a-w Makefile src/jessie/Makefile; chmod a-w src/config.sh; chmod a-w lib/why3/META; chmod a-w .merlin; chmod a-w src/jessie/Makefile; chmod a-w src/jessie/.merlin; chmod a-w lib/coq/version lib/pvs/version; chmod u+x src/config.sh) AC_OUTPUT # Summary echo echo " Summary" echo "-----------------------------------------" echo "Verbose make : $enable_verbose_make" echo "OCaml compiler : yes" echo " Version : $OCAMLVERSION" echo " Library path : $OCAMLLIB" echo " Ocamlfind : $enable_ocamlfind$reason_ocamlfind" echo " Native compilation : $enable_native_code" echo " Memory profiling : $enable_statmemprof$reason_statmemprof" echo " PPX : $enable_ppx$reason_ppx" echo " S-expr for why3pp : $enable_pp_sexp$reason_pp_sexp" echo " Javascript support : $enable_js_of_ocaml$reason_js_of_ocaml" echo " MPFR support : $enable_mpfr$reason_mpfr" echo " Re support : $enable_re$reason_re" echo "Components" echo " Why3 library : $enable_why3_lib" echo " GTK IDE : $enable_ide$reason_ide" echo " Web IDE : $enable_web_ide$reason_web_ide" echo " GMP arithmetic : $enable_zarith$reason_zarith" echo " Compressed sessions : $enable_zip$reason_zip" echo " Hypothesis selection : $enable_hypothesis_selection$reason_hypothesis_selection" echo " Stackify : $enable_stackify$reason_stackify" echo " Invariant inference(exp): $enable_infer$reason_infer" echo " Inference with BDDs(exp): $enable_bddinfer$reason_bddinfer" echo " Frama-C support : $enable_frama_c$reason_frama_c" if test "$enable_frama_c" = yes ; then echo " Version : $FRAMAC_VERSION" echo " Share path : $FRAMAC_SHARE" echo " Library path : $FRAMAC_LIBDIR" fi echo "Documentation : $enable_doc$reason_doc" if test "$enable_doc" = yes ; then echo " HTML : yes" echo " PDF : $enable_pdf_doc$reason_pdf_doc" fi echo "Support for interactive proof assistants" echo " Coq : $enable_coq_support$reason_coq_support" if test "$enable_coq_support" = yes ; then echo " Version : $COQVERSION" echo " Library path : $COQLIB" echo " Realization support : $enable_coq_libs$reason_coq_libs" if test "$enable_coq_libs" = yes ; then echo " FP arithmetic : $enable_coq_fp_libs$reason_coq_fp_libs" fi fi echo " PVS : $enable_pvs_support$reason_pvs_support" if test "$enable_pvs_support" = yes ; then echo " Version : $PVSVERSION" echo " Library path : $PVSLIB" echo " Realization support : $enable_pvs_libs$reason_pvs_libs" fi echo " Isabelle : $enable_isabelle_support$reason_isabelle_support" if test "$enable_isabelle_support" = yes ; then echo " Version : $ISABELLEVERSION ($ISABELLEDETECTEDVERSION)" echo " Realization support : $enable_isabelle_libs$reason_isabelle_libs" fi if test "$enable_local" = yes ; then echo "Installable : no" echo " OCaml library path : $OCAMLINSTALLLIB/why3" else echo "Installable : yes" echo " Binary path : $bindir" echo " Library path : $libdir/why3" echo " Data path : $datarootdir/why3" echo " OCaml library path : $OCAMLINSTALLLIB/why3" echo " Relocatable : $enable_relocation" fi why3-1.6.0/doc/000077500000000000000000000000001440160026300131515ustar00rootroot00000000000000why3-1.6.0/doc/HelloProof-style2.tex000066400000000000000000000010071440160026300171620ustar00rootroot00000000000000\begin{tabular}{|l|l|l|l|c|c|} \hline Proof obligations & \provername{Alt-Ergo 0.99.1} & \provername{Coq 8.7.1} \\ \hline \explanation{G1} & \valid{0.00} & \noresult\\ \hline \explanation{G2} & \unknown{0.00} & \noresult\\ \cline{2-3} \quad\transformation{split\_goal\_right} & \multicolumn{2}{|c|}{}\\ \cline{2-3} \quad\subgoal{G2.0}{1} & \unknown{0.00} & \unknown{0.29} \\ \cline{2-3} \quad\subgoal{G2.1}{2} & \valid{0.00} & \noresult\\ \hline \explanation{G3} & \valid{0.00} & \noresult\\ \hline \end{tabular} why3-1.6.0/doc/HelloProof.tex000066400000000000000000000007221440160026300157450ustar00rootroot00000000000000\begin{tabular}{|l|l|l|l|c|c|} \hline \multicolumn{2}{|c|}{Proof obligations } & \provername{Alt-Ergo 0.99.1} & \provername{Coq 8.7.1} \\ \hline \explanation{G1} & & \valid{0.00} & \noresult\\ \hline \explanation{G2} & & \unknown{0.00} & \noresult\\ \cline{2-3} & \explanation{G2.0} & \unknown{0.00} & \unknown{0.29} \\ \cline{2-4} & \explanation{G2.1} & \valid{0.00} & \noresult\\ \hline \explanation{G3} & & \valid{0.00} & \noresult\\ \hline \end{tabular} why3-1.6.0/doc/api.rst000066400000000000000000000747701440160026300144730ustar00rootroot00000000000000.. _chap.api: The Why3 API ============ This chapter is a tutorial for the users who want to link their own OCaml code with the Why3 library. We progressively introduce the way one can use the library to build terms, formulas, theories, proof tasks, call external provers on tasks, and apply transformations on tasks. The complete documentation for API calls is given at URL |apiurl|. We assume the reader has a fair knowledge of the OCaml language. Notice that the Why3 library must be installed, see :numref:`sec.installlib`. The OCaml code given below is available in the source distribution in directory :file:`examples/use_api/` together with a few other examples. .. _sec.prop_form: Building Propositional Formulas ------------------------------- The first step is to know how to build propositional formulas. The module ``Term`` gives a few functions for building these. Here is a piece of OCaml code for building the formula ``true \/ false``. .. literalinclude:: ../examples/use_api/logic.ml :language: ocaml :start-after: BEGIN{opening} :end-before: END{opening} The library uses the common type ``term`` both for terms (i.e., expressions that produce a value of some particular type) and formulas (i.e., Boolean-valued expressions). Such a formula can be printed using the module ``Pretty`` providing pretty-printers. .. literalinclude:: ../examples/use_api/logic.ml :language: ocaml :start-after: BEGIN{printformula} :end-before: END{printformula} Assuming the lines above are written in a file :file:`f.ml`, it can be compiled using :: ocamlfind ocamlc -package why3 -linkpkg f.ml -o f Running the generated executable :file:`f` results in the following output. :: formula 1 is: true \/ false Let us now build a formula with propositional variables: ``A /\ B -> A``. Propositional variables must be declared first before using them in formulas. This is done as follows. .. literalinclude:: ../examples/use_api/logic.ml :language: ocaml :start-after: BEGIN{declarepropvars} :end-before: END{declarepropvars} The type ``lsymbol`` is the type of function and predicate symbols (which we call logic symbols for brevity). Then the atoms ``A`` and ``B`` must be built by the general function for applying a predicate symbol to a list of terms. Here we just need the empty list of arguments. .. literalinclude:: ../examples/use_api/logic.ml :language: ocaml :start-after: BEGIN{declarepropatoms} :end-before: END{declarepropatoms} As expected, the output is as follows. :: formula 2 is: A /\ B -> A Notice that the concrete syntax of Why3 forbids function and predicate names to start with a capital letter (except for the algebraic type constructors which must start with one). This constraint is not enforced when building those directly using library calls. Building Tasks -------------- Let us see how we can call a prover to prove a formula. As said in previous chapters, a prover must be given a task, so we need to build tasks from our formulas. Task can be build incrementally from an empty task by adding declaration to it, using the functions ``add_*_decl`` of module ``Task``. For the formula ``true \/ false`` above, this is done as follows. .. literalinclude:: ../examples/use_api/logic.ml :language: ocaml :start-after: BEGIN{buildtask} :end-before: END{buildtask} To make the formula a goal, we must give a name to it, here “goal1”. A goal name has type ``prsymbol``, for identifiers denoting propositions in a theory or a task. Notice again that the concrete syntax of Why3 requires these symbols to be capitalized, but it is not mandatory when using the library. The second argument of ``add_prop_decl`` is the kind of the proposition: ``Paxiom``, ``Plemma`` or ``Pgoal``. Notice that lemmas are not allowed in tasks and can only be used in theories. Once a task is built, it can be printed. .. literalinclude:: ../examples/use_api/logic.ml :language: ocaml :start-after: BEGIN{printtask} :end-before: END{printtask} The task for our second formula is a bit more complex to build, because the variables A and B must be added as abstract (*i.e.*, not defined) propositional symbols in the task. .. literalinclude:: ../examples/use_api/logic.ml :language: ocaml :start-after: BEGIN{buildtask2} :end-before: END{buildtask2} Execution of our OCaml program now outputs: :: task 1 is: theory Task goal Goal1 : true \/ false end task 2 is: theory Task predicate A predicate B goal Goal2 : A /\ B -> A end .. _sec.api.callingprovers: Calling External Provers ------------------------ To call an external prover, we need to access the Why3 configuration file :file:`why3.conf`, as it was built using the :why3:tool:`why3 config` command line tool or the *Detect Provers* menu of the graphical IDE. The following API calls make it possible to access the content of this configuration file. .. literalinclude:: ../examples/use_api/logic.ml :language: ocaml :start-after: BEGIN{getconf} :end-before: END{getconf} The type ``'a Whyconf.Mprover.t`` is a map indexed by provers. A prover is a record with a name, a version, and an alternative description (to differentiate between various configurations of a given prover). Its definition is in the module ``Whyconf``: .. literalinclude:: ../src/driver/whyconf.ml :language: ocaml :start-after: BEGIN{provertype} :end-before: END{provertype} The map ``provers`` provides the set of existing provers. In the following, we directly attempt to access a prover named “Alt-Ergo”, any version. .. literalinclude:: ../examples/use_api/logic.ml :language: ocaml :start-after: BEGIN{getanyaltergo} :end-before: END{getanyaltergo} We could also get a specific version with .. literalinclude:: ../examples/use_api/logic.ml :language: ocaml :start-after: BEGIN{getaltergo200} :end-before: END{getaltergo200} The next step is to obtain the driver associated to this prover. A driver typically depends on the standard theories so these should be loaded first. .. literalinclude:: ../examples/use_api/logic.ml :language: ocaml :start-after: BEGIN{getdriver} :end-before: END{getdriver} We are now ready to call the prover on the tasks. This is done by a function call that launches the external executable and waits for its termination. Here is a simple way to proceed: .. literalinclude:: ../examples/use_api/logic.ml :language: ocaml :start-after: BEGIN{callprover} :end-before: END{callprover} This way to call a prover is in general too naive, since it may never return if the prover runs without time limit. The function ``prove_task`` has an optional parameter ``limit``, a record defined in module ``Call_provers``: .. literalinclude:: ../src/driver/call_provers.ml :language: ocaml :start-after: BEGIN{resourcelimit} :end-before: END{resourcelimit} where the field ``limit_time`` is the maximum allowed running time in seconds, and ``limit_mem`` is the maximum allowed memory in megabytes. The type ``prover_result`` is a record defined in module ``Call_provers``: .. literalinclude:: ../src/driver/call_provers.ml :language: ocaml :start-after: BEGIN{proverresult} :end-before: END{proverresult} with in particular the fields: - ``pr_answer``: the prover answer, explained below; - ``pr_time``: the time taken by the prover, in seconds. A ``pr_answer`` is the sum type defined in module ``Call_provers``: .. literalinclude:: ../src/driver/call_provers.ml :language: ocaml :start-after: BEGIN{proveranswer} :end-before: END{proveranswer} corresponding to these kinds of answers: - ``Valid``: the task is valid according to the prover. - ``Invalid``: the task is invalid. - ``Timeout``: the prover exceeds the time limit. - ``OutOfMemory``: the prover exceeds the memory limit. - :samp:`Unknown {msg}`: the prover cannot determine if the task is valid; the string parameter *msg* indicates some extra information. - :samp:`Failure {msg}`: the prover reports a failure, it was unable to read correctly its input task. - ``HighFailure``: an error occurred while trying to call the prover, or the prover answer was not understood (none of the given regular expressions in the driver file matches the output of the prover). Here is thus another way of calling the Alt-Ergo prover, on our second task. .. literalinclude:: ../examples/use_api/logic.ml :language: ocaml :start-after: BEGIN{calltimelimit} :end-before: END{calltimelimit} The output of our program is now as follows. :: On task 1, alt-ergo answers Valid (0.01s) On task 2, alt-ergo answers Valid in 0.01 seconds Building Terms -------------- An important feature of the functions for building terms and formulas is that they statically guarantee that only well-typed terms can be constructed. Here is the way we build the formula ``2+2=4``. The main difficulty is to access the internal identifier for addition: it must be retrieved from the standard theory ``Int`` of the file :file:`int.why`. .. literalinclude:: ../examples/use_api/logic.ml :language: ocaml :start-after: BEGIN{buildfmla} :end-before: END{buildfmla} An important point to notice as that when building the application of ``+`` to the arguments, it is checked that the types are correct. Indeed the constructor ``t_app_infer`` infers the type of the resulting term. One could also provide the expected type as follows. .. literalinclude:: ../examples/use_api/logic.ml :language: ocaml :start-after: BEGIN{buildtermalt} :end-before: END{buildtermalt} When building a task with this formula, we need to declare that we use theory ``Int``: .. literalinclude:: ../examples/use_api/logic.ml :language: ocaml :start-after: BEGIN{buildtaskimport} :end-before: END{buildtaskimport} Building Quantified Formulas ---------------------------- To illustrate how to build quantified formulas, let us consider the formula :math:`\forall x:int. x \cdot x \geq 0`. The first step is to obtain the symbols from ``Int``. .. literalinclude:: ../examples/use_api/logic.ml :language: ocaml :start-after: BEGIN{quantfmla1} :end-before: END{quantfmla1} The next step is to introduce the variable *x* with the type ``int``. .. literalinclude:: ../examples/use_api/logic.ml :language: ocaml :start-after: BEGIN{quantfmla2} :end-before: END{quantfmla2} The formula :math:`x \cdot x \geq 0` is obtained as in the previous example. .. literalinclude:: ../examples/use_api/logic.ml :language: ocaml :start-after: BEGIN{quantfmla3} :end-before: END{quantfmla3} To quantify on *x*, we use the appropriate smart constructor as follows. .. literalinclude:: ../examples/use_api/logic.ml :language: ocaml :start-after: BEGIN{quantfmla4} :end-before: END{quantfmla4} Building Theories ----------------- We illustrate now how one can build theories. Building a theory must be done by a sequence of calls: - creating a theory “under construction”, of type ``Theory.theory_uc``; - adding declarations, one at a time; - closing the theory under construction, obtaining something of type ``Theory.theory``. Creation of a theory named ``My_theory`` is done by .. literalinclude:: ../examples/use_api/logic.ml :language: ocaml :start-after: BEGIN{buildth1} :end-before: END{buildth1} First let us add formula 1 above as a goal: .. literalinclude:: ../examples/use_api/logic.ml :language: ocaml :start-after: BEGIN{buildth1} :end-before: END{buildth1} Note that we reused the goal identifier ``goal_id1`` that we already defined to create task 1 above. Adding formula 2 needs to add the declarations of predicate variables A and B first: .. literalinclude:: ../examples/use_api/logic.ml :language: ocaml :start-after: BEGIN{buildth3} :end-before: END{buildth3} Adding formula 3 is a bit more complex since it uses integers, thus it requires to “use” the theory ``int.Int``. Using a theory is indeed not a primitive operation in the API: it must be done by a combination of an “export” and the creation of a namespace. We provide a helper function for that: .. literalinclude:: ../examples/use_api/logic.ml :language: ocaml :start-after: BEGIN{buildth4} :end-before: END{buildth4} Addition of formula 3 is then .. literalinclude:: ../examples/use_api/logic.ml :language: ocaml :start-after: BEGIN{buildth5} :end-before: END{buildth5} Addition of goal 4 is nothing more complex: .. literalinclude:: ../examples/use_api/logic.ml :language: ocaml :start-after: BEGIN{buildth6} :end-before: END{buildth6} Finally, we close our theory under construction as follows. .. literalinclude:: ../examples/use_api/logic.ml :language: ocaml :start-after: BEGIN{buildth7} :end-before: END{buildth7} We can inspect what we did by printing that theory: .. literalinclude:: ../examples/use_api/logic.ml :language: ocaml :start-after: BEGIN{printtheory} :end-before: END{printtheory} which outputs :: my new theory is as follows: theory My_theory (* use BuiltIn *) goal goal1 : true \/ false predicate A predicate B goal goal2 : A /\ B -> A (* use int.Int *) goal goal3 : (2 + 2) = 4 goal goal4 : forall x:int. (x * x) >= 0 end From a theory, one can compute at once all the proof tasks it contains as follows: .. literalinclude:: ../examples/use_api/logic.ml :language: ocaml :start-after: BEGIN{splittheory} :end-before: END{splittheory} Note that the tasks are returned in reverse order, so we reverse the list above. We can check our generated tasks by printing them: .. literalinclude:: ../examples/use_api/logic.ml :language: ocaml :start-after: BEGIN{printalltasks} :end-before: END{printalltasks} One can run provers on those tasks exactly as we did above. Operations on Terms and Formulas, Transformations ------------------------------------------------- The following code illustrates a simple recursive functions of formulas. It explores the formula and when a negation is found, it tries to push it down below a conjunction, a disjunction or a quantifier. .. literalinclude:: ../examples/use_api/transform.ml :language: ocaml :start-after: BEGIN{negate} :end-before: END{negate} The following illustrates how to turn such an OCaml function into a transformation in the sense of the Why3 API. Moreover, it registers that transformation to make it available for example in Why3 IDE. .. literalinclude:: ../examples/use_api/transform.ml :language: ocaml :start-after: BEGIN{register} :end-before: END{register} The directory :file:`src/transform` contains the code for the many transformations that are already available in Why3. Proof Sessions -------------- See the example :file:`examples/use_api/create_session.ml` of the distribution for an illustration on how to manipulate proof sessions from an OCaml program. ML Programs ----------- One can build WhyML programs starting at different steps of the WhyML pipeline (parsing, typing, VC generation). We present here two choices. The first is to build an untyped syntax trees, and then call the Why3 typing procedure to build typed declarations. The second choice is to directly build the typed declaration. The first choice use concepts similar to the WhyML language but errors in the generation are harder to debug since they are lost inside the typing phase, the second choice use more internal notions but it is easier to pinpoint the functions wrongly used. :numref:`sec.build_untyped` and :numref:`sec.build_untyped_attr` follow choice one and :numref:`sec.build_typed` choice two. .. _sec.build_untyped: Untyped syntax tree ~~~~~~~~~~~~~~~~~~~ The examples of this section are available in the file :file:`examples/use_api/mlw_tree.ml` of the distribution. The first step is to build an environment as already illustrated in :numref:`sec.api.callingprovers`, open the OCaml module ``Ptree`` (“parse tree”) which contains the type constructors for the parsing trees, and finally the OCaml module ``Ptree_helpers`` which contains helpers for building those trees and a more concise and friendly manner than the low-level constructors. The latter two OCaml modules are documented in the online API documentation, respectively for `Ptree `_ and `Ptree_helpers `_. .. literalinclude:: ../examples/use_api/mlw_tree.ml :language: ocaml :start-after: BEGIN{buildenv} :end-before: END{buildenv} Each of our example programs will build a module. Let us consider the Why3 code. .. literalinclude:: ../examples/use_api/mlw_tree.ml :language: whyml :start-after: BEGIN{source1} :end-before: END{source1} The Ocaml code that programmatically builds it is as follows. .. literalinclude:: ../examples/use_api/mlw_tree.ml :language: ocaml :start-after: BEGIN{code1} :end-before: END{code1} Most of the code is not using directly the ``Ptree`` constructors but instead makes uses of the helper functions that are given in the ``Ptree_helpers`` module. Notice ``ident`` which builds an identifier (type ``Ptree.ident``) optionally with attributes and location and ``use`` which lets us import some other modules and in particular the ones from the standard library. At the end, our module is no more than the identifier and a list of two declarations (``Ptree.decl list``). We want now to build a program equivalent to the following code in concrete Why3 syntax. .. literalinclude:: ../examples/use_api/mlw_tree.ml :language: whyml :start-after: BEGIN{source2} :end-before: END{source2} The OCaml code that programmatically build this Why3 function is as follows. .. literalinclude:: ../examples/use_api/mlw_tree.ml :language: ocaml :start-after: BEGIN{code2} :end-before: END{code2} We want now to build a program equivalent to the following code in concrete Why3 syntax. .. literalinclude:: ../examples/use_api/mlw_tree.ml :language: whyml :start-after: BEGIN{source3} :end-before: END{source3} We need to import the ``ref.Ref`` module first. The rest is similar to the first example, the code is as follows. .. literalinclude:: ../examples/use_api/mlw_tree.ml :language: ocaml :start-after: BEGIN{code3} :end-before: END{code3} The next example makes use of arrays. .. literalinclude:: ../examples/use_api/mlw_tree.ml :language: whyml :start-after: BEGIN{source4} :end-before: END{source4} The corresponding OCaml code is as follows. .. literalinclude:: ../examples/use_api/mlw_tree.ml :language: ocaml :start-after: BEGIN{code4} :end-before: END{code4} Having declared all the programs we wanted to write, we can now close the module and the file, and get as a result the set of modules of our file. .. literalinclude:: ../examples/use_api/mlw_tree.ml :language: ocaml :start-after: BEGIN{getmodules} :end-before: END{getmodules} Alternative, top-down, construction of parsing trees ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ The way we build our modules above is somehow bottom-up: builds the terms and the program expressions, then the declarations that contain them, then the modules containing the latter declarations. An alternative provided by other helpers is to build those modules in a top-down way, which may be more natural since this the order they occur in the concrete syntax. We show below how to construct a similar list of module as above, with only the last module for conciseness: .. literalinclude:: ../examples/use_api/mlw_tree.ml :language: ocaml :start-after: BEGIN{topdownf} :end-before: END{topdownf} The construction above is functional, in the sense that the ``uc`` variable holds the necessary data for the modules under construction. For simplicity it is also possible to use an imperative variant which transparently handles the state of modules under construction. .. literalinclude:: ../examples/use_api/mlw_tree.ml :language: ocaml :start-after: BEGIN{topdowni} :end-before: END{topdowni} Beware though that the latter approach is not thread-safe and cannot be used in re-entrant manner. Using the parsing trees ~~~~~~~~~~~~~~~~~~~~~~~ Module ``Mlw_printer`` provides functions to print elements of ``Ptree`` in concrete whyml syntax. .. literalinclude:: ../examples/use_api/mlw_tree.ml :language: ocaml :start-after: BEGIN{mlwprinter} :end-before: END{mlwprinter} The typing of the modules is carried out by function ``Typing.type_mlw_file``, which produces a mapping of module names to typed modules. .. literalinclude:: ../examples/use_api/mlw_tree.ml :language: ocaml :start-after: BEGIN{typemodules} :end-before: END{typemodules} Typing errors are reported by exceptions ``Located of position * exn`` from module ``Loc``. However, the positions in our declarations, which are provided by the exception, cannot be used to identify the position in the (printed) program, because the locations do not correspond to any concrete syntax. Alternatively, we can give every ``Ptree`` element in our declarations above a unique location (for example using the function ``Mlw_printer.next_pos``). When a located error is encountered, the function ``Mlw_printer.with_marker`` can then be used to instruct ``Mlw_printer`` to insert the error as a comment just before the syntactic element with the given location. .. literalinclude:: ../examples/use_api/mlw_tree.ml :language: ocaml :start-after: BEGIN{typemoduleserror} :end-before: END{typemoduleserror} Finally, we can then construct the proofs tasks for our typed module, and then try to call the Alt-Ergo prover. The rest of that code is using OCaml functions that were already introduced before. .. literalinclude:: ../examples/use_api/mlw_tree.ml :language: ocaml :start-after: BEGIN{checkingvcs} :end-before: END{checkingvcs} .. _sec.build_untyped_attr: Use attributes to infer loop invariants ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ In this section we build a module containing a let declaration with a while loop and an attribute that triggers the inference of loop invariants during VC generation. For more information about the inference of loop invariants refer to :numref:`sec.installinferloop` and :numref:`sec.runwithinferloop`. The examples shown below are available in the file :file:`examples/use_api/mlw_tree_infer_invs.ml`. We build an environment and define the some helper functions exactly as in :numref:`sec.build_untyped`. Additionally we create two other helper functions as follows: .. literalinclude:: ../examples/use_api/mlw_tree_infer_invs.ml :language: ocaml :start-after: BEGIN{helper2} :end-before: END{helper2} Our goal is now to build a program equivalent to the following. Note that the let declaration contains an attribute :why3:attribute:`[@infer]` which will trigger the inference of loop invariants during VC generation (make sure that the why3 library was compiled with support for `infer-loop`, see :numref:`sec.installinferloop` for more information). .. literalinclude:: ../examples/use_api/mlw_tree_infer_invs.ml :language: ocaml :start-after: BEGIN{source1} :end-before: END{source1} The OCaml code that builds such a module is shown below. .. literalinclude:: ../examples/use_api/mlw_tree_infer_invs.ml :language: ocaml :start-after: BEGIN{code1} :end-before: END{code1} Optionally, the debugging flags mentioned in :numref:`sec.runwithinferloop` can be enabled by using the API as follows (the line(s) corresponding to the desired flag(s) should be uncommented). .. literalinclude:: ../examples/use_api/mlw_tree_infer_invs.ml :language: ocaml :start-after: BEGIN{flags} :end-before: END{flags} Another option is to register a function to be executed immediately after the invariants are inferred. The function should have type ``(expr * term) list -> unit``, where ``expr`` corresponds to a while loop and ``term`` to the respective inferred invariant. The function can be registered using the function ``Infer_loop.register_hook``. In the following example a sequence of three functions are registered. The first function will write the invariants to the standard output, the second to a file named `inferred_invs.out`, and the third will save the inferred invariants in ``inv_terms``. .. literalinclude:: ../examples/use_api/mlw_tree_infer_invs.ml :language: ocaml :start-after: BEGIN{inv_hook} :end-before: END{inv_hook} Finally the code for closing the modules, printing it to the standard output, typing it, and so on is exactly the same as in the previous section, thus we omit it in here. Note that in practice, the invariants are only inferred when invoking ``Typing.type_mlw_file``. .. _sec.build_typed: Typed declaration ~~~~~~~~~~~~~~~~~ The examples of this section are available in the file :file:`examples/use_api/mlw_expr.ml` of the distribution. The first step to build an environment as already illustrated in :numref:`sec.api.callingprovers`. .. literalinclude:: ../examples/use_api/mlw_expr.ml :language: ocaml :start-after: BEGIN{buildenv} :end-before: END{buildenv} To write our programs, we need to import some other modules from the standard library integers and references. The only subtleties is to get logic functions from the logical part of the modules ``mod_theory.Theory.th_export`` and the program functions from ``mod_export``. .. literalinclude:: ../examples/use_api/mlw_expr.ml :language: ocaml :start-after: BEGIN{code2_import} :end-before: END{code2_import} We want now to build a program equivalent to the following code in concrete Why3 syntax. .. literalinclude:: ../examples/use_api/mlw_expr.ml :language: whyml :start-after: BEGIN{source2} :end-before: END{source2} The OCaml code that programmatically build this Why3 function is as follows. .. literalinclude:: ../examples/use_api/mlw_expr.ml :language: ocaml :start-after: BEGIN{code2} :end-before: END{code2} Having declared all the programs we wanted to write, we can now create the module and generate the VCs. .. literalinclude:: ../examples/use_api/mlw_expr.ml :language: ocaml :start-after: BEGIN{createmodule} :end-before: END{createmodule} We can then construct the proofs tasks for our module, and then try to call the Alt-Ergo prover. The rest of that code is using OCaml functions that were already introduced before. .. literalinclude:: ../examples/use_api/mlw_expr.ml :language: ocaml :start-after: BEGIN{checkingvcs} :end-before: END{checkingvcs} .. _sec.ce_api: Generating Counterexamples -------------------------- That feature is presented in details in :numref:`sec.idece`, which should be read first. The counterexamples can also be generated using the API. The following explains how to change the source code (mainly adding attributes) in order to display counterexamples and how to parse the result given by Why3. To illustrate this, we will adapt the examples from :numref:`sec.prop_form` to display counterexamples. Attributes and locations on identifiers ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ For variables to be used for counterexamples they need to contain an attribute called :why3:attribute:`model_trace` and a location. This attribute states the name the user wants the variable to be named in the output of the counterexamples pass. Usually, people put a reference to their program AST node in this attribute; this helps them to parse and display the results given by Why3. The locations are also necessary as every counterexamples values with no location will not be displayed. For example, an assignment of the source language such as the following will probably trigger the creation of an identifier (for the left value) in a user subsequent tasks: :: x := !y + 1 This means that the ident generated for ``x`` will hold both a ``model_trace`` and a location. The example becomes the following: .. literalinclude:: ../examples/use_api/counterexample.ml :language: ocaml :start-after: BEGIN{ce_declarepropvars} :end-before: END{ce_declarepropvars} In the above, we defined a proposition identifier with a location and a ``model_trace``. Attributes in formulas ~~~~~~~~~~~~~~~~~~~~~~ Now that variables are tagged, we can define formulas. To define a goal formula for counterexamples, we need to tag it with the :why3:attribute:`[@vc:annotation]` attribute. This attribute is automatically added when using the VC generation of Why3, but on a user-built task, this needs to be added. We also need to add a location for this goal. The following is obtained for the simple formula linking ``A`` and ``B``: .. literalinclude:: ../examples/use_api/counterexample.ml :language: ocaml :start-after: BEGIN{ce_adaptgoals} :end-before: END{ce_adaptgoals} Note: the transformations used for counterexamples will create new variables for each variable occurring inside the formula tagged by :why3:attribute:`vc:annotation`. These variables are duplicates located at the VC line. They allow giving all counterexample values located at that VC line. Counterexamples output formats ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ Several output formats are available for counterexamples. For users who want to pretty-print their counterexamples values, we recommend to use the JSON output as follows: .. literalinclude:: ../examples/use_api/counterexample.ml :language: ocaml :start-after: BEGIN{ce_callprover} :end-before: END{ce_callprover} The structure of JSON output is described in :numref:`sec.jsonce`. In the code above, the variable ``m`` has type ``Model_parser.model``. This type is described in `Model_parser `_. Checking counterexamples ~~~~~~~~~~~~~~~~~~~~~~~~ Counterexamples can be checked using the API, too. Here is an example for the selecting a counterexample from the result ``pr`` of proving a sub-goal of pmodule ``pm``: .. literalinclude:: ../examples/use_api/counterexample.ml :language: ocaml :start-after: BEGIN{check_ce} :end-before: END{check_ce} Optionally, the API also permits running only the giant-step RAC execution with the function ``Check_ce.get_rac_results`` and optional parameter ``only_giant_step`` set to ``true``. By default, ``Check_ce.select_model_from_giant_step_rac_results`` selects the last non empty model. But another strategy can be given via the optional parameter ``strategy``, like the predefined ``Check_ce.best_non_empty_giant_step_rac_result`` or any other strategy implemented by the user. .. literalinclude:: ../examples/use_api/counterexample.ml :language: ocaml :start-after: BEGIN{check_ce_giant_step} :end-before: END{check_ce_giant_step} .. The following is supposed to be a comment for Sphinx Local Variables: mode: flyspell ispell-local-dictionary: "american" End: LocalWords: prover provers untyped disjunction programmatically invariants LocalWords: uncommented OCaml AST why3-1.6.0/doc/cedoc.mlw000066400000000000000000000002141440160026300147440ustar00rootroot00000000000000use int.Int let test_ce (ref x : int) (y:int) requires { 0 <= x <= 10 /\ 3 <= y <= 17 } ensures { 17 <= x <= 42 } = x <- x + y; why3-1.6.0/doc/changes.rst000066400000000000000000000335011440160026300153150ustar00rootroot00000000000000Release Notes ============= .. _auto-dereference: Release Notes for Version 1.2: New Syntax for “Auto-dereference” ---------------------------------------------------------------- .. index:: auto-dereference Version 1.2 introduces a simplified syntax for reference variables, to avoid the somehow heavy OCaml syntax using bang character. In short, this is syntactic sugar summarized in the following table. An example using this new syntax is in :file:`examples/isqrt.mlw`. +-------------------------+-------------------------------+ | auto-dereference syntax | desugared to | +=========================+===============================+ | ``let &x = ... in`` | ``let (x: ref ...) = ... in`` | +-------------------------+-------------------------------+ | ``f x`` | ``f x.contents`` | +-------------------------+-------------------------------+ | ``x <- ...`` | ``x.contents <- ...`` | +-------------------------+-------------------------------+ | ``let ref x = ...`` | ``let &x = ref ...`` | +-------------------------+-------------------------------+ Notice that - the ``&`` marker adds the typing constraint ``(x: ref ...)``; - top-level ``let/val ref`` and ``let/val &`` are allowed; - auto-dereferencing works in logic, but such variables cannot be introduced inside logical terms. That syntactic sugar is further extended to pattern matching, function parameters, and reference passing, as follows. +----------------------------------+-----------------------------------------------------+ | auto-dereference syntax | desugared to | +==================================+=====================================================+ | ``match e with (x,&y) -> y end`` | ``match e with (x,(y: ref ...)) -> y.contents end`` | +----------------------------------+-----------------------------------------------------+ | .. code-block:: whyml | .. code-block:: whyml | | | | | let incr (&x: ref int) = | let incr (x: ref int) = | | x <- x + 1 | x.contents <- x.contents + 1 | | | | | let f () = | let f () = | | let ref x = 0 in | let x = ref 0 in | | incr x; | incr x; | | x | x.contents | +----------------------------------+-----------------------------------------------------+ | ``let incr (ref x: int) ...`` | ``let incr (&x: ref int) ...`` | +----------------------------------+-----------------------------------------------------+ The type annotation is not required. Let-functions with such formal parameters also prevent the actual argument from auto-dereferencing when used in logic. Pure logical symbols cannot be declared with such parameters. Auto-dereference suppression does not work in the middle of a relation chain: in ``0 < x :< 17``, ``x`` will be dereferenced even if ``(:<)`` expects a ref-parameter on the left. Finally, that syntactic sugar applies to the caller side: +-------------------------+-----------------------+ | auto-dereference syntax | desugared to | +=========================+=======================+ | .. code-block:: whyml | .. code-block:: whyml | | | | | let f () = | let f () = | | let ref x = 0 in | let x = ref 0 in | | g &x | g x | +-------------------------+-----------------------+ The ``&`` marker can only be attached to a variable. Works in logic. Ref-binders and ``&``-binders in variable declarations, patterns, and function parameters do not require importing ``ref.Ref``. Any example that does not use references inside data structures can be rewritten by using ref-binders, without importing ``ref.Ref``. Explicit use of type symbol ``ref``, program function ``ref``, or field ``contents`` require importing ``ref.Ref`` or ``why3.Ref.Ref``. Operations ``(:=)`` and ``(!)`` require importing ``ref.Ref``. Operation ``(:=)`` is fully subsumed by direct assignment ``(<-)``. Release Notes for Version 1.0: Syntax Changes w.r.t. 0.88 --------------------------------------------------------- The syntax of WhyML programs changed in release 1.0. The following table summarizes the changes. +---------------------------------------------+---------------------------------------------------------------+ | version 0.88 | version 1.0 | +=============================================+===============================================================+ | ``function f ...`` | ``let function f ...`` if called in programs | +---------------------------------------------+---------------------------------------------------------------+ | ``'L:`` | ``label L in`` | +---------------------------------------------+---------------------------------------------------------------+ | ``at x 'L`` | ``x at L`` | +---------------------------------------------+---------------------------------------------------------------+ | ``\ x. e`` | ``fun x -> e`` | +---------------------------------------------+---------------------------------------------------------------+ | ``use HighOrd`` | not needed anymore | +---------------------------------------------+---------------------------------------------------------------+ | ``HighOrd.pred ty`` | ``ty -> bool`` | +---------------------------------------------+---------------------------------------------------------------+ | ``type t model ...`` | ``type t = abstract ...`` | +---------------------------------------------+---------------------------------------------------------------+ | ``abstract e ensures { Q }`` | ``begin ensures { Q } e end`` | +---------------------------------------------+---------------------------------------------------------------+ | ``namespace N`` | ``scope N`` | +---------------------------------------------+---------------------------------------------------------------+ | ``use import M`` | ``use M`` | +---------------------------------------------+---------------------------------------------------------------+ | ``"attribute"`` | ``[@attribute]`` | +---------------------------------------------+---------------------------------------------------------------+ | ``meta M prop P`` | ``meta M lemma P`` or ``meta M axiom P`` or ``meta M goal P`` | +---------------------------------------------+---------------------------------------------------------------+ | ``loop ... end`` | ``while true do ... done`` | +---------------------------------------------+---------------------------------------------------------------+ | ``type ... invariant { ... self.foo ... }`` | ``type ... invariant { ... foo ... }`` | +---------------------------------------------+---------------------------------------------------------------+ Note also that logical symbols can no longer be used in non-ghost code; in particular, there is no polymorphic equality in programs anymore, so equality functions must be declared/defined on a per-type basis (already done for type ``int`` in the standard library). The :file:`CHANGES.md` file describes other potential sources of incompatibility. Here are a few more semantic changes. Proving only partial correctness: In versions 0.xx of Why3, when a program function is recursive but not given a variant, or contains a while loop not given a variant, then it was assumed that the user wants to prove partial correctness only. A warning was issued, recommending to add an extra ``diverges`` clause to that function's contract. It was also possible to disable that warning by adding the label ``"W:diverges:N"`` to the function's name. Version 1.0 of Why3 is more aggressively requiring the user to prove the termination of functions which are not given the ``diverges`` clause, and the previous warning is now an error. The possibility of proving only partial correctness is now given on a more fine-grain basis: any expression for which one wants to prove partial correctness only, must by annotated with the attribute :why3:attribute:`[@vc:divergent]`. In other words, if one was using the following structure in Why3 0.xx: :: let f "W:diverges:N" = then in 1.0 it should be written as :: let f = [@vc:divergent] Semantics of the ``any`` construct: The ``any`` construct in Why3 0.xx was introducing an arbitrary value satisfying the associated post-condition. In some sense, this construct was introducing some form of an axiom stating that such a value exists. In Why3 1.0, it is now mandatory to prove the existence of such a value, and a VC is generated for that purpose. To obtain the effect of the former semantics of the ``any`` construct, one should use instead a local ``val`` function. In other words, if one was using the following structure in Why3 0.xx: :: any t ensures { P } then in 1.0 it should be written as :: val x:t ensures { P } in x Release Notes for Version 0.80: Syntax Changes w.r.t. 0.73 ---------------------------------------------------------- The syntax of WhyML programs changed in release 0.80. The following table summarizes the changes. +---------------------------------+---------------------------------+ | version 0.73 | version 0.80 | +=================================+=================================+ | ``type t = {| field: int |}`` | ``type t = { field~:~int }`` | +---------------------------------+---------------------------------+ | ``{| field = 5 |}`` | ``{ field = 5 }`` | +---------------------------------+---------------------------------+ | ``use import module M`` | ``use import M`` | +---------------------------------+---------------------------------+ | .. code-block:: whyml | .. code-block:: whyml | | | | | let rec f (x:int) (y:int): t | let rec f (x:int) (y:int): t | | variant { t } with rel = | variant { t with rel } | | { P } | requires { P } | | e | ensures { Q } | | { Q } | raises { Exc1 -> R1 | | | Exc1 -> { R1 } | | Exc2 n -> R2 } | | | Exc2 n -> { R2 } | = e | +---------------------------------+---------------------------------+ | .. code-block:: whyml | .. code-block:: whyml | | | | | val f (x:int) (y:int): | val f (x:int) (y:int): t | | { P } | requires { P } | | t | writes { a, b } | | writes a b | ensures { Q } | | { Q } | raises { Exc1 -> R1 | | | Exc1 -> { R1 } | | Exc2 n -> R2 } | | | Exc2 n -> { R2 } | | +---------------------------------+---------------------------------+ | ``abstract e { Q }`` | ``abstract e ensures { Q }`` | +---------------------------------+---------------------------------+ Summary of Changes w.r.t. Why 2 ------------------------------- The main new features with respect to Why 2.xx are the following. 1. Completely redesigned input syntax for logic declarations - new syntax for terms and formulas - enumerated and algebraic data types, pattern matching - recursive definitions of logic functions and predicates, with termination checking - inductive definitions of predicates - declarations are structured in components called “theories”, which can be reused and instantiated 2. More generic handling of goals and lemmas to prove - concept of proof task - generic concept of task transformation - generic approach for communicating with external provers 3. Source code organized as a library with a documented API, to allow access to Why3 features programmatically. 4. GUI with new features with respect to the former GWhy - session save and restore - prover calls in parallel - splitting, and more generally applying task transformations, on demand - ability to edit proofs for interactive provers (Coq only for the moment) on any subtask 5. Extensible architecture via plugins - users can define new transformations - users can add connections to additional provers why3-1.6.0/doc/conf.py000066400000000000000000000121031440160026300144450ustar00rootroot00000000000000#!/usr/bin/env python3 # -*- coding: utf-8 -*- # # Why3 documentation build configuration file, created by # sphinx-quickstart on Fri Mar 1 17:36:15 2019. # # This file is execfile()d with the current directory set to its # containing dir. # # Note that not all possible configuration values are present in this # autogenerated file. # # All configuration values have a default; values that are commented out # serve to show the default. import os import sys sys.path.append(os.path.abspath('./ext')) # -- General configuration ------------------------------------------------ # If your documentation needs a minimal Sphinx version, state it here. # # needs_sphinx = '1.0' # Add any Sphinx extension module names here, as strings. They can be # extensions coming with Sphinx (named 'sphinx.ext.*') or your custom # ones. extensions = [ 'sphinx.ext.mathjax', 'sphinx.ext.graphviz', 'sphinx.ext.todo', 'sphinxcontrib.bibtex', 'why3' ] bibtex_bibfiles = ['manual.bib'] # Add any paths that contain templates here, relative to this directory. templates_path = ['_templates'] # The suffix(es) of source filenames. # You can specify multiple suffix as a list of string: # # source_suffix = ['.rst', '.md'] source_suffix = '.rst' # The master toctree document. master_doc = 'index' # General information about the project. project = 'Why3' copyright = '2023, The Why3 Development Team' author = 'The Why3 Development Team' # The version info for the project you're documenting, acts as replacement for # |version| and |release|, also used in various other places throughout the # built documents. # # The short X.Y version. version = '1.6' # The full version, including alpha/beta/rc tags. release = '1.6.0' # The language for content autogenerated by Sphinx. Refer to documentation # for a list of supported languages. # # This is also used if you do content translation via gettext catalogs. # Usually you set "language" from the command line for these cases. language = None # List of patterns, relative to source directory, that match files and # directories to ignore when looking for source files. # This patterns also effect to html_static_path and html_extra_path exclude_patterns = ['_build', 'Thumbs.db', '.DS_Store'] # If true, `todo` and `todoList` produce output, else they produce nothing. todo_include_todos = False # -- Options for HTML output ---------------------------------------------- # The theme to use for HTML and HTML Help pages. See the documentation for # a list of builtin themes. # html_theme = 'alabaster' # Theme options are theme-specific and customize the look and feel of a theme # further. For a list of options available for each theme, see the # documentation. # Alabaster's documentation: https://alabaster.readthedocs.io/en/latest/customization.html html_theme_options = { 'page_width': 'max(940px,90%)', 'sidebar_width': 'max(220px,20%)', 'body_max_width': 'auto', 'body_text_align': 'justify', # 'logo': 'logo-why.png', # 'logo_name': True, # 'fixed_sidebar': 'true', } # Add any paths that contain custom static files (such as style sheets) here, # relative to this directory. They are copied after the builtin static files, # so a file named "default.css" will overwrite the builtin "default.css". #html_static_path = ['_static'] # -- Options for HTMLHelp output ------------------------------------------ # Output file base name for HTML help builder. htmlhelp_basename = 'Why3doc' # -- Options for LaTeX output --------------------------------------------- latex_elements = { # The paper size ('letterpaper' or 'a4paper'). # # 'papersize': 'letterpaper', # The font size ('10pt', '11pt' or '12pt'). # # 'pointsize': '10pt', # Additional stuff for the LaTeX preamble. # # 'preamble': '', # Latex figure (float) alignment # # 'figure_align': 'htbp', } # Grouping the document tree into LaTeX files. List of tuples # (source start file, target name, title, # author, documentclass [howto, manual, or own class]). latex_documents = [ (master_doc, 'manual.tex', 'Why3 Documentation', 'The Why3 Development Team', 'manual'), ] # -- Options for manual page output --------------------------------------- # One entry per manual page. List of tuples # (source start file, name, description, authors, manual section). man_pages = [ (master_doc, 'why3', 'Why3 Documentation', [author], 1) ] # -- Options for Texinfo output ------------------------------------------- # Grouping the document tree into Texinfo files. List of tuples # (source start file, target name, title, author, # dir menu entry, description, category) texinfo_documents = [ (master_doc, 'Why3', 'Why3 Documentation', author, 'Why3', 'One line description of project.', 'Miscellaneous'), ] # -- Specific options ----------------------------------------------------- nitpicky = True nitpick_ignore = [('envvar','PATH')] bibtex_bibfiles = ['manual.bib'] highlight_language = 'none' numfig = True rst_prolog = ''' .. |whypath| replace:: ``why3-{v}`` .. |apiurl| replace:: http://why3.lri.fr/api-{v}/ '''.format(v=version) why3-1.6.0/doc/drv_depgraph000077500000000000000000000005251440160026300155460ustar00rootroot00000000000000#!/bin/sh cat < \"$d\";" fi done done echo "}" why3-1.6.0/doc/exec.rst000066400000000000000000000271661440160026300146430ustar00rootroot00000000000000.. _chap.exec: Executing WhyML Programs ======================== This chapter shows how WhyML code can be executed, either by being interpreted or compiled to some existing programming language. .. _sec.execute: Interpreting WhyML Code ----------------------- Consider the program of :numref:`sec.maxandsum` that computes the maximum and the sum of an array of integers. Let us assume it is contained in a file :file:`maxsum.mlw`. To test function ``max_sum``, we can introduce a WhyML test function in module ``MaxAndSum`` .. code-block:: whyml let test () = let n = 10 in let a = make n 0 in a[0] <- 9; a[1] <- 5; a[2] <- 0; a[3] <- 2; a[4] <- 7; a[5] <- 3; a[6] <- 2; a[7] <- 1; a[8] <- 10; a[9] <- 6; max_sum a n and then we use the :why3:tool:`execute` command to interpret this function, as follows: .. code-block:: console $ why3 execute maxsum.mlw --use=MaxAndSum 'test ()' result: (int, int) = (45, 10) globals: We get the expected output, namely the pair ``(45, 10)``. .. _sec.extract: Compiling WhyML to OCaml ------------------------ .. program:: why3 extract An alternative to interpretation is to compile WhyML to OCaml. We do so using the :why3:tool:`extract` command, as follows: :: why3 extract -D ocaml64 maxsum.mlw -o max_sum.ml The :why3:tool:`extract` command requires the name of a driver, which indicates how theories/modules from the Why3 standard library are translated to OCaml. Here we assume a 64-bit architecture and thus we pass ``ocaml64``. We also specify an output file using option :option:`-o`, namely :file:`max_sum.ml`. After this command, the file :file:`max_sum.ml` contains an OCaml code for function ``max_sum``. To compile it, we create a file :file:`main.ml` containing a call to ``max_sum``, *e.g.*, .. code-block:: ocaml let a = Array.map Z.of_int [| 9; 5; 0; 2; 7; 3; 2; 1; 10; 6 |] let s, m = Max_sum.max_sum a (Z.of_int 10) let () = Format.printf "sum=%s, max=%s@." (Z.to_string s) (Z.to_string m) It is convenient to use :program:`ocamlbuild` to compile and link both files :file:`max_sum.ml` and :file:`main.ml`: :: ocamlbuild -pkg zarith main.native Since Why3’s type ``int`` is translated to OCaml arbitrary precision integers using the ``ZArith`` library, we have to pass option ``-pkg zarith`` to :program:`ocamlbuild`. In order to get extracted code that uses OCaml’s native integers instead, one has to use Why3’s types for 63-bit integers from libraries ``mach.int.Int63`` and ``mach.array.Array63``. Examples '''''''' We illustrate different ways of using the :why3:tool:`extract` command through some examples. Consider the program of :numref:`sec.aqueue`. If we are only interested in extracting function ``enqueue``, we can proceed as follows: :: why3 extract -D ocaml64 -L . aqueue.AmortizedQueue.enqueue -o aqueue.ml Here we assume that file :file:`aqueue.mlw` contains this program, and that we invoke the :why3:tool:`extract` command from the directory where this file is stored. File :file:`aqueue.ml` now contains the following OCaml code: .. code-block:: ocaml let enqueue (x: 'a) (q: 'a queue) : 'a queue = create (q.front) (q.lenf) (x :: (q.rear)) (Z.add (q.lenr) (Z.of_string "1")) Choosing a function symbol as the entry point of extraction allows us to focus only on specific parts of the program. However, the generated code cannot be type-checked by the OCaml compiler, as it depends on function ``create`` and on type ``'a queue``, whose definitions are not given. In order to obtain a *complete* OCaml implementation, we can perform a recursive extraction: :: why3 extract --recursive -D ocaml64 -L . aqueue.AmortizedQueue.enqueue -o aqueue.ml This updates the contents of file :file:`aqueue.ml` as follows: .. code-block:: ocaml type 'a queue = { front: 'a list; lenf: Z.t; rear: 'a list; lenr: Z.t; } let create (f: 'a list) (lf: Z.t) (r: 'a list) (lr: Z.t) : 'a queue = if Z.geq lf lr then { front = f; lenf = lf; rear = r; lenr = lr } else let f1 = List.append f (List.rev r) in { front = f1; lenf = Z.add lf lr; rear = []; lenr = (Z.of_string "0") } let enqueue (x: 'a) (q: 'a queue) : 'a queue = create (q.front) (q.lenf) (x :: (q.rear)) (Z.add (q.lenr) (Z.of_string "1")) This new version of the code is now accepted by the OCaml compiler (provided the ``ZArith`` library is available, as above). Extraction of functors '''''''''''''''''''''' WhyML and OCaml are both dialects of the ML-family, sharing many syntactic and semantics traits. Yet their module systems differ significantly. A WhyML program is a list of modules, a module is a list of top-level declarations, and declarations can be organized within *scopes*, the WhyML unit for namespaces management. In particular, there is no support for sub-modules in Why3, nor a dedicated syntactic construction for functors. The latter are represented, instead, as modules containing only abstract symbols :cite:`paskevich20isola`. One must follow exactly this programming pattern when it comes to extract an OCaml functor from a Why3 proof. Let us consider the following (excerpt) of a WhyML module implementing binary search trees: .. code-block:: whyml module BST scope Make scope Ord type t val compare : t -> t -> int end type elt = Ord.t type t = E | N t elt t use int.Int let rec insert (x: elt) (t: t) = match t with | E -> N E x E | N l y r -> if Ord.compare x y > 0 then N l y (insert x r) else N (insert x l) y r end end end For the sake of simplicity, we omit here behavioral specification. Assuming the above example is contained in a file named :file:`bst.mlw`, one can readily extract it into OCaml, as follows: :: why3 extract -D ocaml64 bst.mlw --modular -o . This produces the following functorial implementation: .. code-block:: ocaml module Make (Ord: sig type t val compare : t -> t -> Z.t end) = struct type elt = Ord.t type t = | E | N of t * Ord.t * t let rec insert (x: Ord.t) (t: t) : t = match t with | E -> N (E, x, E) | N (l, y, r) -> if Z.gt (Ord.compare x y) Z.zero then N (l, y, insert x r) else N (insert x l, y, r) end The extracted code features the functor ``Make`` parameterized with a module containing the abstract type ``t`` and function ``compare``. This is similar to the OCaml standard library when it comes to data structures parameterized by an order relation, *e.g.*, the ``Set`` and ``Map`` modules. From the result of the extraction, one understands that scope ``Make`` is turned into a functor, while the nested scope ``Ord`` is extracted as the functor argument. In summary, for a WhyML implementation of the form .. code-block:: whyml module M scope A scope X ... end scope Y ... end scope Z ... end end ... end contained in file :file:`f.mlw`, the Why3 extraction engine produces the following OCaml code: .. code-block:: ocaml module A (X: ...) (Y: ...) (Z: ...) = struct ... end and prints it into file :file:`f__M.ml`. In order for functor extraction to succeed, scopes ``X``, ``Y``, and ``Z`` can only contain non-defined programming symbols, *i.e.*, abstract type declarations, function signatures, and exception declarations. If ever a scope mixes non-defined and defined symbols, or if there is no surrounding scope such as ``Make``, the extraction will complain about the presence of non-defined symbols that cannot be extracted. It is worth noting that extraction of functors only works for *modular* extraction (*i.e.* with command-line option :option:`--modular`). Custom extraction drivers ''''''''''''''''''''''''' Several OCaml drivers can be specified on the command line, using option :option:`-D` several times. In particular, one can provide a custom driver to map some symbols of a Why3 development to existing OCaml code. Suppose for instance we have a file :file:`file.mlw` containing a proof parameterized with some type ``elt`` and some binary function ``f``: .. code-block:: whyml module M type elt val f (x y: elt) : elt let double (x: elt) : elt = f x x ... When it comes to extract this module to OCaml, we may want to instantiate type ``elt`` with OCaml’s type ``int`` and function ``f`` with OCaml’s addition. For this purpose, we provide the following in a file :file:`mydriver.drv`: :: module file.M syntax type elt "int" syntax val f "%1 + %2" end OCaml fragments to be substituted for Why3 symbols are given as arbitrary strings, where ``%1``, ``%2``, etc., will be replaced with actual arguments. Here is the extraction command line and its output: .. code-block:: console $ why3 extract -D ocaml64 -D mydriver.drv -L . file.M let double (x: int) : int = x + x ... When using such custom drivers, it is not possible to pass Why3 file names on the command line; one has to specify module names to be extracted, as done above. Compiling to Other Languages ---------------------------- The :why3:tool:`extract` command can produce code for languages other than just OCaml. This is a matter of choosing a suitable driver. Compiling to C '''''''''''''' Consider the following example. It defines a function that returns the position of the maximum element in an array ``a`` of size ``n``. .. code-block:: whyml use int.Int use map.Map as Map use mach.c.C use mach.int.Int32 use mach.int.Int64 function ([]) (a: ptr 'a) (i: int): 'a = Map.get a.data.Array.elts (a.offset + i) let locate_max (a: ptr int64) (n: int32): int32 requires { 0 < n } requires { valid a n } ensures { 0 <= result < n } ensures { forall i. 0 <= i < n -> a[i] <= a[result] } = let ref idx = 0 in for j = 1 to n - 1 do invariant { 0 <= idx < n } invariant { forall i. 0 <= i < j -> a[i] <= a[idx] } if get_ofs a idx < get_ofs a j then idx <- j done; idx There are a few differences with a standard WhyML program. The main one is that the array is described by a value of type ``ptr int64``, which models a C pointer of type ``int64_t *``. Among other things, the type ``ptr 'a`` has two fields: ``data`` and ``offset``. The ``data`` field is of type ``array 'a``; its value represents the content of the memory block (as allocated by ``malloc``) the pointer points into. The ``offset`` field indicates the actual position of the pointer into that block, as it might not point at the start of the block. The WhyML expression ``get_ofs a j`` in the example corresponds to the C expression ``a[j]``. The assignment ``a[j] = v`` could be expressed as ``set_ofs a j v``. To access just ``*a`` (i.e., ``a[0]``), one could use ``get a`` and ``set a v``. For the access ``a[j]`` to have a well-defined behavior, the memory block needs to have been allocated and not yet freed, and it needs to be large enough to accommodate the offset ``j``. This is expressed using the precondition ``valid a n``, which means that the block extends at least until ``a.offset + n``. The code can be extracted to C using the following command: :: why3 extract -D c locate_max.mlw This gives the following C code. .. code-block:: C #include int32_t locate_max(int64_t * a, int32_t n) { int32_t idx; int32_t j, o; idx = 0; o = n - 1; if (1 <= o) { for (j = 1; ; ++j) { if (a[idx] < a[j]) { idx = j; } if (j == o) break; } } return idx; } why3-1.6.0/doc/ext/000077500000000000000000000000001440160026300137515ustar00rootroot00000000000000why3-1.6.0/doc/ext/why3.py000066400000000000000000000147271440160026300152300ustar00rootroot00000000000000from pygments.lexer import RegexLexer, words from pygments.token import Text, Comment, Operator, Keyword, Name, String, Number, Punctuation, Error class WhyMLLexer(RegexLexer): name = 'WhyML' aliases = 'whyml' keywords = ( 'abstract', 'absurd', 'alias', 'any', 'as', 'assert', 'assume', 'at', 'axiom', 'begin', 'break', 'by', 'check', 'clone', 'coinductive', 'constant', 'continue', 'diverges', 'do', 'done', 'downto', 'else', 'end', 'ensures', 'epsilon', 'exception', 'exists', 'export', 'false', 'float', 'for', 'forall', 'fun', 'function', 'ghost', 'goal', 'if', 'import', 'in', 'inductive', 'invariant', 'label', 'lemma', 'let', 'match', 'meta', 'module', 'mutable', 'not', 'old', 'partial', 'predicate', 'private', 'pure', 'raise', 'raises', 'range', 'reads', 'rec', 'ref', 'requires', 'return', 'returns', 'scope', 'so', 'then', 'theory', 'to', 'true', 'try', 'type', 'use', 'val', 'variant', 'while', 'with', 'writes', ) tokens = { 'root': [ (r'\s+', Text), (r'\(\*\)', Operator), (r'\(\*', Comment, 'comment'), (r'\[@[^]]*\]', Comment), (words(keywords, suffix=r'\b'), Keyword), (r'[-~!%^&*+=|?<>/\\]', Operator), (r'[][{};:.,()]', Punctuation), (r"[^\W\d][\w']*", Name), (r'\bresult\b', Name.Builtin.Pseudo), (r'-?\d\d*([.]\d*)?([eE][+-]?\d\d*)', Number.Float), (r'-?0[xX][\da-fA-F][\da-fA-F]*([.][\da-fA-F]*)?([pP][+-]?\d\d*)', Number.Float), (r'0[xX][\da-fA-F][\da-fA-F_]*', Number.Hex), (r'0[oO][0-7][0-7_]*', Number.Oct), (r'0[bB][01][01_]*', Number.Bin), (r'\d[\d_]*', Number.Integer), (r"'", Keyword), (r'"', String.Double, 'string'), ], 'comment': [ (r'[^(*)]+', Comment), (r'\(\*', Comment, '#push'), (r'\*\)', Comment, '#pop'), (r'[(*)]', Comment), ], 'string': [ (r'[^\\"]+', String.Double), (r'\\[\\"\'ntbr]', String.Escape), (r'\\[0-9]{3}', String.Escape), (r'\\x[0-9a-fA-F]{2}', String.Escape), (r'\\\n', String.Double), (r'"', String.Double, '#pop'), ], } from sphinx.highlighting import lexers lexers['whyml'] = WhyMLLexer(startinline=True) import re from docutils import nodes from sphinx import addnodes from sphinx.directives import ObjectDescription from sphinx.domains import Domain from sphinx.roles import XRefRole from sphinx.util.docutils import SphinxDirective from sphinx.util.nodes import make_refnode ws_re = re.compile(r'\s+') class Why3ToolRole(XRefRole): def process_link(self, env, refnode, has_explicit_title, title, target): target = ws_re.sub(' ', target) if target.startswith('why3 '): target = target[5:] return title, target attr_re = re.compile(r'\[@(.*)\]') class Why3AttributeRole(XRefRole): def process_link(self, env, refnode, has_explicit_title, title, target): target = ws_re.sub(' ', target) m = attr_re.match(target) if m: target = m.group(1) return title, target class Why3ToolDirective(SphinxDirective): has_content = False required_arguments = 1 optional_arguments = 0 final_argument_whitespace = True option_spec = {} def run(self): fullname = ws_re.sub(' ', self.arguments[0].strip()) targetname = '%s-%s' % (self.name, fullname) node = nodes.target('', '', ids = [targetname]) self.state.document.note_explicit_target(node) indexentry = '%s; command' % (fullname,) inode = addnodes.index(entries = [('pair', indexentry, targetname, '', None)]) domain = self.env.get_domain('why3') domain.add_object('tool', fullname, targetname) return [inode, node] class Why3Thing(ObjectDescription): has_content = True required_arguments = 1 optional_arguments = 0 final_argument_whitespace = True option_spec = {} thing_index = '' thing_kind = '' def handle_signature(self, sig, signode): signode += addnodes.desc_name(text = sig) return sig def add_target_and_index(self, name, sig, signode): targetname = '%s-%s' % (self.name, name) signode['ids'].append(targetname) indexentry = '%s; %s' % (name, self.thing_index) self.indexnode['entries'].append(('pair', indexentry, targetname, '', None)) domain = self.env.get_domain('why3') domain.add_object(self.thing_kind, name, targetname) class Why3Attribute(Why3Thing): thing_index = 'attribute' thing_kind = 'attribute' class Why3Debug(Why3Thing): thing_index = 'debug flag' thing_kind = 'debug' class Why3Meta(Why3Thing): thing_index = 'meta' thing_kind = 'meta' class Why3Transform(Why3Thing): thing_index = 'transformation' thing_kind = 'transform' class Why3Domain(Domain): name = 'why3' label = 'Why3' roles = { 'attribute': Why3AttributeRole(), 'debug': XRefRole(), 'meta': XRefRole(), 'tool': Why3ToolRole(), 'transform': XRefRole(), } directives = { 'attribute': Why3Attribute, 'debug': Why3Debug, 'meta': Why3Meta, 'tool': Why3ToolDirective, 'transform': Why3Transform, } indices = { } initial_data = {} initial_data['objects'] = { 'attribute': {}, 'debug': {}, 'meta': {}, 'tool': {}, 'transform': {}, } def get_objects(self): for role, objects in self.data['objects'].items(): prio = 0 # self.object_types[role].attrs['searchprio'] for name, (docname, targetname) in objects.items(): yield (name, name, role, docname, targetname, prio) def resolve_xref(self, env, fromdocname, builder, role, targetname, node, contnode): resolved = self.data['objects'][role].get(targetname) if resolved: (todocname, targetname) = resolved return make_refnode(builder, fromdocname, todocname, targetname, contnode, targetname) return None def add_object(self, role, name, targetname): self.data['objects'][role][name] = (self.env.docname, targetname) def setup(app): app.add_domain(Why3Domain) return { 'version': '0.1', 'parallel_read_safe': True, 'parallel_write_safe': True, } why3-1.6.0/doc/foreword.rst000066400000000000000000000045441440160026300155410ustar00rootroot00000000000000Foreword ======== Why3 is a platform for deductive program verification. It provides a rich language for specification and programming, called WhyML, and relies on external theorem provers, both automated and interactive, to discharge verification conditions. Why3 comes with a standard library of logical theories (integer and real arithmetic, Boolean operations, sets and maps, etc.) and basic programming data structures (arrays, queues, hash tables, etc.). A user can write WhyML programs directly and get correct-by-construction OCaml programs through an automated extraction mechanism. WhyML is also used as an intermediate language for the verification of C, Java, or Ada programs. Why3 is a complete reimplementation of the former Why platform :cite:`filliatre07cav`. Among the new features are: numerous extensions to the input language, a new architecture for calling external provers, and a well-designed API, allowing to use Why3 as a software library. An important emphasis is put on modularity and genericity, giving the end user a possibility to easily reuse Why3 formalizations or to add support for a new external prover if wanted. Availability ~~~~~~~~~~~~ Why3 project page is http://why3.lri.fr/. The last distribution is available there, in source format, together with this documentation and several examples. Why3 is also distributed under the form of an OPAM package and a Debian package. Why3 is distributed as open source and freely available under the terms of the GNU LGPL 2.1. See the file :file:`LICENSE`. See the file :file:`INSTALL.md` for quick installation instructions, and :numref:`sec.install` of this document for more detailed instructions. Contact ~~~~~~~ There is a public mailing list for users’ discussions: https://groupes.renater.fr/sympa/info/why3-club. Report any bug to the Why3 Bug Tracking System: https://gitlab.inria.fr/why3/why3/issues. Acknowledgements ~~~~~~~~~~~~~~~~ We gratefully thank the people who contributed to Why3, directly or indirectly: Stefan Berghofer, Sylvie Boldo, Martin Clochard, Simon Cruanes, Sylvain Dailler, Xavier Denis, Clément Fumex, Léon Gondelman, David Hauzar, Daisuke Ishii, Jacques-Henri Jourdan, Johannes Kanig, Mikhail Mandrykin, David Mentré, Benjamin Monate, Kim Nguyen, Thi-Minh-Tuyen Nguyen, Mário Pereira, Raphaël Rieu-Helft, Simāo Melo de Sousa, Asma Tafat, Piotr Trojanek, Makarius Wenzel. why3-1.6.0/doc/generated/000077500000000000000000000000001440160026300151075ustar00rootroot00000000000000why3-1.6.0/doc/generated/.keepme000066400000000000000000000000001440160026300163440ustar00rootroot00000000000000why3-1.6.0/doc/genindex.rst000066400000000000000000000001531440160026300155030ustar00rootroot00000000000000:orphan: .. dummy file so that an "index" entry appears in the sidebar .. only:: html Index ===== why3-1.6.0/doc/images/000077500000000000000000000000001440160026300144165ustar00rootroot00000000000000why3-1.6.0/doc/images/ce_example0_p1.png000066400000000000000000001122321440160026300177070ustar00rootroot00000000000000PNG  IHDRXsrtIDATxgXW3e;K#]{=[,Ѩ1Xc/޻ްDz l`=?`v;gfw3C !B!H B!BB!4&!BiLB! B!Aj6d"f=[zOF!B#~ek+ ~AJΦ\߷B&&?y'#4]8>B!FsK^ b#++#5xzi{U55It?D}o#;1QS|~{:ξ%=? 1Ӻy&8?/|ϫR8̢ӊ/,k~Ԉ!BwX_ARJ}Z=7zfujI:kz >pobCҏݗ%MH]oueB!gж>}؉g9΅zknum~t&lI]$55Q/(g$ ]&t[pdqAuj9zk|"ƸAÆ%fپ~ћQلc@q%l֝Wybo;t-N=T6H'.񹫙F- ߉Cw{ŐOί'ܾ! \N7J 6[nDǧ)([~B!އzYfJll5DQฟ֯4n뮥֟>w}% Uy.پ7N Q'̚#aUg <{?zٿhMo\Ǭ\ jvimszprEn*;?)"\L$R xk-QxXBJVgEϰpnɻz-Q*r"BP^[ܾⒿ);ƵCڮcSWnC8OK )My5h/[R7}6.lۨ-}vփr>.з3C\mǚhe)>nǞA?k%yո {wjg};%Ewȳىn<.\aXx Rԋ y(ذFy (/~xmo@Hl|Pq=`n31~AB!Ze4fho`KsF&ٳ”e_XV2cԄ K΁n F|Ƭqi LXq+22IRh",| ϴt.-mߎo׭Oέtregs:u{T[k5u^SUX{.K`=xC,Z,#W}rlx(!Gg !BnUv ťJB8ҠKG굑"^ezj8X⪵g&߻Ѹ={G/]=EP7wՙ [=sf-+)*ouM֟Q ~b08tٻ[&mk&nnnM@A[EZE!z?x:r@YrYskkҗΎSVNw+N(ȗmrv߿RzI })tp*z"KSGC'p;aТ[K'?z_ں[PYIVn!}W5jlahu+OZ8uyUUpe^U&?z%!BAz|6zfeSˠ]wNnƼ|jv .7/".͆0 I|O,]{ӁKmνIH m=iKD_vOoKZP['|p8w02BbASHwg e6XAZhe A(hd;X_A3^rMgec;usY ZD!zj#M; m5Ǜwk4ar>ͅ 1vl5U&Gۧ}U+Gn4}ߵ7ud[YWKw'|oZpM-h2ڵ{_1zr ;& G:a^OKISRsT#ܴs޾W=îRҢCg￟n@Y.D08C4-gӔR+ P!B= 1Ud B!TiK!BiLB! 8!B! gB! B!ATB!BMO( B!!h l^(?%Ւ? Mp5!BFfZ ^B!!B! B!BB!4) ʦ~aЯ6Qkќv"<B!TOw=M-b@kdG:ܶbڡݗmlJ̵&]y:+-ʶPz^OMwrpgEĦdʊ_,52wpl`$-i!BS^PubxHU(;Qj`Y$AR:nHO-Dl^SףIE~nQ~nfmldCPݫ!BrujlB1<=tySPCp:ܦhʲ堖⇗ ;zje<=وbҪŠ.B`.8QLڴٙʎ &MV̐|D֧*ҼAʨv_J`H#~˒~͘M|ķAHl4jԮɕ'Iw˖&|J!4g&I"YVNP9G 2e hH-$9r˜T秧d< 51v/<Vڤ '+1)Kg%Ҳ$UҷHtIQ0^p0jeֳzF_>q.Z]sKCEfrËl߶G^<~1#R])#MN(ѣqR_K/#Ź,:5!YfMp#[6%UP-CkUBgDeQ}T/[s֣+AjuV􍳙29PZ{璮YC ^$B!(' bge]<FPBm#3+'w/W31Ih?lܻtX?8[H j&7ܩ9qپ~e&ĕB)e2H= 0_ˮNJ;wojzr|d&'%e#9ҠQiq²qE!kѻDvYOyt+-9td'&X#!KLF|BR6/7 l йA˵bdÎ>޳vٝT|ң˰@(䜡 G!BL3NHJMKK;ȂWkg:xHUX=LTpTUZKڻXR`/$JRdeuп^)alm%JQLǖ&$:t,d¬%e3$6V$vRUiA+}H]#>::B"AEHmMꉉ( 7x.ƶ08eT>3GCd\VΝ!&6d! t8eNą7bcb3ZϤ^"sOWc:)jD6Wa\ZŔHHv= IN|Ug;8vךHyؼ#%ttyO JWV/)/6"!!U&gMiҤQ NVlmaW; x4%<JlLEݽؽ>!P9I);Gc=GRW T*5-n6:1k;gy\2)>Ub^eo1v}D:dB6NJ-,lQZLG m2!M;9Iԙq O@ڔ\Jd y S еw6~ zIyͩTUBuE+M#SpYN+\tu3;|B!1cV%G< @R$ǰ66$MB6xpS }-")Owʝt^H9j3j`f"x_4qqFVዞ)~X+I ZG=?4p#{r@eg[54p~z1(]DL^%^R 1>6*MRN]){v$Eð"d-dURQŽ>?}S @h7r`bϬ_W[[WB C_261%[&/TiywZpXj,+1c|/ߏώd-{ÕߞYm7*ZXPP|Ygg% '}D Sn<{2/Ҷpr1лrdP͘.N)U-%- O Z_AtC uf.$B Vʛ(aG J CAcn٤V/(@EIͽۀ_ؾLmxo[sO3Z|z64&w.<`2ܹjX\6cgbT)voy%m$|-W]eض n@~^Vi$, gODmnnIe=p=HP>ÜDAZYqqo &{.\8āWN-{S&tDز'жnM-!6m`W[gt+pxڙu&YMk_B6~Kz!>Yi)O z51#Tk+$qsE&3/qnn.v7>dkR}gaz򐃧lMw >3f@)0&ޔC"F:;~%y;&t?#CgSu'siQCB{Mm,)w̜Slzv}hx|ueXD:jnΰq '<"M(!?g|]!QDM 7B x}~5(Two9z;"9WAKx,ڹmϻ[6;jb\M}hƿc+L^3)qn(2jRSĤ' 88&9&FfRML= }4+DqL@{zm;D݅ǂ&.tأ F>&!'gM8쏳daSG)y UY+]=qOϽvk>3yv1ǖqo.BY_v'zZDyrYNh8e)0z~taQH&'/?hM?3l8ΊB6| B3ǹtB3cSWӗ^Doc}/Ys1lyaaiyTܲef(&)s;;~ÇIw1g^Ϥ>ؙSeWQc/ ҢMfx44񱊹s̭B5lO+#ЧB!ʮ9Bj9Hun$&c&v޸бO`ެcv{yam͚+ݽҶ@o8I '1]~tώ= gyZf Xˀ۷^wQ6 ב_^q\K o3ԉ&MZj3:Y5&>cZ!Tm@im@B!T%i)Ľ+b! J!`JB3!xklZy1 877oLG!B#@fφnimܨC)Mr*5M;;_I7 C!B㨛 ;xD%e,5t0s~=:2`V_W > oq~_ 8E#n+!B3P a7ySgcr#Hy%3ħ'f؛k78yq'q ey.yZ$1Z"' P*y`AN B&UizVܓ"ipD+Vs*)G"RݝLdF| uQ0JLĹd+$s ZXk )#/Yʓ']|bֵ6--!B@m:f?iL%:8 .3 4'9q"z=}~]" R *P9hI /Tr x=\5>XՄe'MGW .?~xD[qKhA[v1˚쾵磟bl;F|3[Mgo\i]phl듏4==d즎Bjሕx}@) T`" B},M |XI@l(^')#MǰGEʏ$_vU6T/;m'p0+Z(_y._Tk>_db}h ywדȨaemN$rQo\IY[ԡ.wy~:iXV==GjYGK^ы7oFNy]>{Z/-.`7B!4Bmj Mdjam, KE*#K' P3,qu$SN:t[޽}UV9u>-YX /qpՖ"{;.s몭ז r?9hm:&uj 6oS(ps572 5cZ|?bM5Ol >{'L4ij7MTWopTFpjá]@! (J5C/ݼ Sq‣HBf|I&MhѢvoٲeΜ969%Ar1=eu'MxG{Gyg(#}% }{@y+- 0O}4OŕQõDRЀg@R>'c߼(|58(<8Q͢6w`fMLH@cLK׬tjhB!@$Y>bZQ_ eAPju$NNNK.ӇNāΜ9xb 2><UG1lkue9A+' S7j^AQ"^+~d+޻!<⫷n*H'ҀK> 4նm}($(//Rte9 xyi2P mu0K,駟֬Yqqq˗/ywN`):OB`YU\ݩojAhgo7r #Ўnܕ'Ϙ>0ϟDq q潢amD&޾lETFFFXw0&h>ϾY;[~3G(e<!DͫPY"3t4+yQ`|sӯl D%$t$OMtR/2L&/eKPL4OP嗐p=aa_XqaL\TMLmpt}鱚05sڦ[wCa^ӦnԢqC<ǎ Y8 jgbME6mb́OP\u@UwG!PS@$ hj4"6/_ioCS&4(Xa8$1)XW*ef if"NBy͛' ˛ J,֋xB3;66}gn졉gfttlŬi$&~oechąfzQW/0}fx=sAbͻ<V܇Ҁ Ohc> H(>OF!T6Mr|>T6uЖT q/$ Eh 1yMn3T;хV]O$Ļg+n%2iw_uyߊؾq*>yxhaV04Bu=tge%]بasΫiH?G!JvupX,P>}=µaj5I|f^Xj|\pI --]x}[R׉aw3"tuuqAcTE4ZGKm]K#}Z!憆R-}I/BUg㸜+!ndEVfFR ,PRst# 9:GHU @ 9^?( VbgK̹%i{z1 lŇx~;V AVD^ /TiIuЋSG`0yuȽ}HcՐǙ]c6;x1a{ʯ'ÆeGؠ?&NjY2gݖBHS BOO}7䰘QSJEdLnghc.HиE® s0ΊsA9}BV+vRm7+曖;D0h1͍}~)XΛL],?k{iʼ{,!G׬i{S I9X'}BH3 H$nrt)HE"EQ)$jWnZ 8y >BBO<>ݴcyI+O_)# mw;F^f9,X4mӴФ y&gr.!f@Q%H$IB3Eٛ5 |~VOe'E2 $59NKI ZSM}sRoݍY+%꺬E{jt A7|BG/PL)|u/Py~1Ppf1n2$ԕBR8UܓBmEQ U^Jr.蚛K!P8M+q52/&Srrq 9I1 "gE+YyR2yG#3Qv<pEZ gf.ft@qrﷳ8J)Ya|]t˹`Id۶,Զ0αRmC-~ϼ"G}}N%Cgk{/dݻn?ۏ?**ۿ_=ܠF#Be@fφnimܨC)Mr*5M;;_I7 /FUΝ6$+{,}xiÛ'ݔIoJphJZMoRbI>~sH)sY}U{1JSrϜ*ByEa@r~c+:/>#i]T8^F͚;;"#;iIrRZXYdS>B!TwDTH ۽CTR֍'2y h[SmO э;%˞_eկvIKm qKBj|'#BR=@Ͱ<)umevڳ19 $HťČ{s6w'=9#rbyr=FMi HTgB!tA&Uг[qObsh$HPY5EH"65RL݈lfeoX(.teMhv?4^iB!>훪m:f?iL%:8 .3 4'9q"z=N ҸR>u#%dFTJ4vݕ6_aB!޻v:Tw?8Sħ>E.ao-8P|8nkHM__k= PoȦߴ21@!B5WۧpVAhI&<##Z}Rr.%XiG$jO♕SN{޽;u2>@0,e({N+V;h t-NƋ-&hq~Vȥpꑁv]5RTf{̦$̻,Ը"Ħ\X9s#{c_c1BPET3IiO/_z\.:R(x&)POd'Mf͚SN>W?~|Y` 2eZ&z&^^^HG 42]T3.Hλt}XF<hG8뻹$G64:1˶oi]° BW$" P7 h-=hXņfW,JmSX~''KÇ'gΜYxŻs(Ezf{y%@6#H0'2jīEk5VVSO B/[̗w8Bjom\FST/S"N\$j"M"_sʆDK,y5kV^}ƍ˗XFɁ'$ %)>I*x|<-= @;o+*M};ٴ}\wZ:k6J@!OkS]Qde@f:M 21Tt>MH6Bm(W;A~Y{>k`kWb"(BK(I{$~r+og Cw *?=CVV\iYrȡsY'Q3+c* ҠÃvp[}_gp8BfX,P>}=µaj5I|f^Xj|\pI --I [xTD[Ć 0%BuA_l^~vegBT$A ijƳa"+3]S#)IjS( y9N 9>u՟`@Q@ :<2}A.!0vp1`~BUq/o`q\aa䰘QLþH.ZvF6# ՗{5 dn/̆zmeͅ'˛.]vB!W󭳋J H$nrt)HE"QH+ÀB^U(D"!!B}J:B!4&!Bi:Vp-,jd^L8 5w3r0bBXD=A~!Pg J͞ M9p'ڸQ#6R$Tj6=[wfwDnF_ $5okHRvH eBU$]#89zg}o?Bި ;xD%e,5t0s~=:2`V_Wf M_< ċϳtEڸ"TelGfx&δdݨrȯL † Yփb5 3{ ?nUB1ZؠƞiR?5_ҢkUu#!Y5n8Sg{.T>wuڞ> }r˻0ոúyW*OnIIU2'bo߬H~a~g,MecPll۠矨 6gjղS#VN<_zQbٯ+>jB BjGe4&=CwJ5H[@ӤO=Oeϒ4-yJ=T,WKP achG̎w7vM2u^s7:M w~ۍ7q{ڢ](8XQcT`#/'Ju$&>rcQ{;Vn_ZyA&BN9oUWn?pþCF0$aq< BaV>G.[I9/ anp0mXH*\֭V t߭I?qSfJ\cK KMw7ǟ{`[v0՘Rԥa޾"t,04ljOZ%*DbgʿE>m蔵:,_ѧaV$fte9}l*x7;Xzʾ.:蔿\! T^T&_"I)PY>Q$Mɹá.%u%nTG Q<$(T xw4n{X)ԥSԦ9z}8:sꕂScf um #HZqĎ8"}~<`"j{y 2z3=%Mm-uE[@jiYACl ijr¾kùs:@[~7o^z5!5`\la hGRR.`aͻP.{fkg@#z+sfe-'2eO+:|9si$ 䟻/Xk yaԦI ƶ5M{ 1?ms';pzu:Lr?Femcmߧ9,;i$g3 H޳ڎժk%,͸*B/#CA~a_N؄xn'Bwmye|qy0p;ņO]>Љ] eleE6=?tq>F~i))|vC{]q 4HA},H.+D<87x d7f8J(ج CM vQčMQi3U77n#}ua={e?튼8/t 冢T=3;7uku"` \p2Bjo'h >_eM(iQ`쨪[NTWH9J=@$ Yƶ+z:N v aU+]F*u]2tg-MKI Z<UU.;"|(UMOҺQ3 $V/{n?BH6ǩ,A<$t`XhuB%RrȒI q3uԡC5ݻ۷o_jU+պBAy}_9$ ڂ7wbyhVkQ`ktV?TnP[_;3- ;j.-woE v.\2k8͏(iU~s6x :mj#.+$j1YMΙrN8tÈulT,g3V6˔S(ps5ce FmcK> 5"E'n7fe}YJn4 $߳CcĞuy=ǃu`%>p4\ n8ڷ^j[Q !/7+cF?6 cͤfqS% Iylxex j}*2I?מfO! T_j")>M)KOBw6+E'S $Ez~I֬Ysԩ'?~Ǐ/# DeJx*S˗KŲ4I(zJdD ࢴ Qw0ۥ[/ȫ8ȇOMU卾.i٫@ܡ&|Z+2= pvwֹ#ᑜw?fF<h{WJPpY!ѲpE1@%e?,"83$ Oo8}{߶&z%$*ߑk+hKpevс{⥰{ \ ESW'H1ovV\oy([7IʗWoaJ4i1hc#iM'1ȉIK,_7:U;q I@ͨߍYxӞy< $wu\u~m- |H@hE$UlXjaFZȧ^%Q, *R[T.]z-[8p={/^ܠA2?0LL#ԬzB)Vva#r.dWwfR|E3yֹE==O;W^AgcʫǼGC/;MuJRntPe{m@:qa򚬧W7CU8 0q;GzY:x6jsc4ԫi`Av/Ӓ{˶p{' }7nG{ϏK+I(9dhIʣL e.IbX~b%v&\Q O$Hx n=*(|>}!(\![ !LEVDشcskH`!T&uwkz- EU<\9לQ~fc+|?[ɩ^ },x& ޶enLTP`3ܖWFyzF~U[It!uC*^~mmhJ^>& W0I.'"_sʆK,y5kV^}ƍ˗[XX7?0 V̧̫W0p-/6z4IQÔ+hgo7Ι e]-J麴:}7׵OܽϖvvB/cb2&3n_[`e(ׁC|n߻suC0ܷ9wfao fUeg*hB<&޾lQǟnfӟ>HfC]9?`hYmOwgsYQ_Af:0yq%Ooo2"n]W+n`}AgR;Ma z/$s"$<8ZvƼyYf9~Ca_Qp\%ʫ2KֱO*=gt-uҢ;ecFoXL @0wcUuS%\=#\w>]q">ɔ=} /τ9qxw*(/:vl{}Gi^5|AA;Mmt#KOsjv"X|616("t7'i+}#Xf̘!V43-G:f}8Pk;k{9Ka_-P\u5 /N~9l9ӥ1ta_G{;śqk^<\(h7jV\?]]~Nt};QZ5jCb7tl0]duE/x{Nh+U$?:k~%Vzm έcҌ]}epģn6l.:S "5==,$w0\NjO;>R܍ܼoF,}&DԓuѠRuaKC׵|[Wm]gd_WVeƓM۟C~jHGiomDMMF+th$&9+W2 KS8!U&D,M y͛7o>y:fBcO|u>r]p,PbZGnQh9ؤ*hpfFO'ϖ_ڛfjoHZ ˾lmo}YjMNvlYM$tگ7rY3yv~ڵ}!>%;:h>A #\X9ZHV,$haǥ rҠ>$| ~7 P8M"+4a˻~R/7t< Xzbꈃx5˧`tyMLBSUg㸜+!ndEVfFR ,PRst# 9jÞ}b2G@h &~ϳ~k7O<2 ;A 3ӊý13kuvk"9,&bDz㔒}8Sc:i9ژK$P( ts4dي@Ӵoq0ȨND 1!X5'B"9[7o'!@D"D?3&D"nm*W>t5dڿ7OĬoDÃPͨMsiWu߶/nw\@~$BuItu{CVu:ZgR16 flP8W?r}> oN-xa1d]ā^Bɲ 0+4YG999d+=]bM?HxAgkEO-=c;@(p@ 0 n@7~VN>b!)t4("Yw[cceb жڞz,:5EK4N5V&ss@ҋ )8FY$S+mL&`6N^#y 妴7 a`1.!`G Ap'Cб3, fjOhfFMsn*N>*V*Ld[ o=;3hRu QY??P pgR>kv0~casʐ}V׼JÀ؂c6û6?w}Ƽ8yFv$4 {_N C])1&nOgbnWH#Aq<'A懯={0AT\uOO(7n`˿gJmZ![q;N?4 i0U$dZ$_Wr#M58 w*nk#7898@1i i䳒_VfQluZTz ?|]m?Hx/fw3wWmTpE/͎Y$u ˽R?̀Æc9 cٺ a!% (ΣvmC ٖg_ɄUǦǂgHzٓmMxq 721~FU<8<4w˓ K;Xp4S$jE!䭸'94E$(լa"IMP$OSI|X_ V--v;>:sI8 ĠBeN{Ncذa7'r2Q)H؟]b@ "jATHd^ /|tZWdRdѺOkO"PIgc(ݻDtMdHc\s &\h0CApk,7.i!޺nƘr1j *D}82 7#A,+_B{[!iU0Qa[{H6X o'19B>qdZg1ev&qR&¦ - Z1J <}T1-']v8N #W|IU. iuY \ p"NSչ}忚hcpؿ1\ߑ2ŝt(eV'B3ڌZ!cW;m"3&~vtz_ʂH"!t79udrC4lo1rn1HQ0WńɥoU88Y|*o&6Wi#hpL ?6fЪC  .b2{9p6,5<}?`^k7*^=Ckog@eJeG=y/Mڷ]J'|0BP/01^VXw-/lOVBQ!/Ҙb% MeQr~eY}{ܠǔ{W6 HٝndX:.02!0EC媝~]'*B8JMp,2dMT PŻ)@"7 IW^?v5\V'k)/ A] c <ߕ1*O$F0g86.)*.W3RCBsUz j;`Uc Y Nf$IT9eMk%%y`zXWIաpl)+-!\mo@ݙ=Dmi{My7φpng[V-k ]*ĉӋd'OK^v.]@v|~lrj5CG @\f礗SR|q@Sdr28ZRa- DJ6#܇p2lB(7OV)ALQd?)H6e1م#HPU';$\'J{U_#ww5)XƼ| T/&&hd8ϊP$ (h5 ~ԥG ݄f&Idf D}x4YbR 3 Bl, r$[E8V* ie4_eDR|R2lܭ۷>v3Oˈ$߾N$v$u8Uy!r fxO(+ߔ#h1Ū^Wr{ghU"&%/o\[y@FZ'86$\6¨vHn#lf/hd0|;8[1X9dᓅx !T;'biJ4M^W0I.ཚHӤH@*seE|_ъmc@OD$- (kfڧXx֭VIpeN^|!HmQ鬱a:ήNVJEeRF +}Ȧ!҇/}!c䩢."%M,/R= #xk3WŢoľ 1E)a+38%e+]0dMk'rdwV~5[84TJ^Bk젾lܮ&u]%ϕz0Cb /v%_wBDNFEH%Xs&>>\ =Z{_wDHF 2}m`zz¶M%"pQIEZBALb^ph,Z@ѯ QӎrÚ6mjljz*4'ɰGcf>>&F+ /?φ("c74<{WKW#h^k[߻ZzpP%h#H(A֘` !ŏ?6v[Oi+mU8ZHf09k2dopkF'!7m|IHK<'[~|XT|XG-⋅XHki]P Kz'T3=3/PKEt,3;t]oݾK2(08裋!0KƎ^^n?$. V{}h{gUr9 f:!?Hm+`UfZ ۆ04pQ@I%mUl 41 CWoytXz2 cәr܇FD{8XFaJW谫ywQG8-|z㯿ZR4F;B 8<-z9A mT ';O>8%+8?_LN_ uG1"Z"wXE5 tΔdȠO:s(25ז7bG'/k" ^G7׹pkXz lŒ [aU꠫Caf _vZ\yִrכRE<ֿOpepG +^o)x@Nv ),ZIkac<0 0i _t{XzH < 0LhRB}y-ԑt,Q>G J(ӴDH 5&ybסknuK5`}(s/o`a8] k\>-~@^@ÔM0R{cD[@qqՎ+0 @z{״2pɗ_t¹v {Ac|8uוЧ LnqE{Aσ.iE'^\ u&<(g V™)t!uVA|PJ 5f8 )h kZJ &h{Zf9}|2|:l|Rj(> fu b^  prPr4t >3 @틋hr˫CumsUqɇ&APÝ4xA? ¾vG<p}*,  tRoZ["䴇o=I΄0fm=:[i:Lla#PMu[AR_LxӇDP WY Z7`A8wg"N0|}A;T޲˯c^3gΩe@`+iG_6/0'x$<5 ׾$*B2hA os!G9zg-; Wqd&lu/O&,`)X!T6CoTQ8?~NQ)H؟ ;@#]`5x|>py&[v59@,ZimIj17=*+6!_Ð\`x٥C@CF_86h+;|&uFk@7L=a*bž B Z` BXU>Ӽ660]4CZࢁ<`b3~66[9`ak_A e$ .b2S״^rʯ)V*t3BK7Xc`%!C$wCUZ l+p6^k Nf$c7I zJmr(H8uD@TC^:'WUjZB@_Jq|NjC&8~(rY(z &p6 vΫǀMX(a?ñp8LVpf_~L$0Lnh6Xz{@߄A`Hp?վ+^TvM0z4]'/a\Jf 0`r>Ʃ Ab!6@ >gƒ* l-7[; CG`'F*|*V]xxm#1!كB}HA8=Vr9%Q]feكzpBRie.@|hߟ+~8 ><B!3!±!>qx!B! B!BP}QkF7o+]iVߝa(!P 5z<6{As<̄KL5Uڽ#WcB;P}Xy=L٢q`n|QqywX`odթ*`eQgN3X;sWdOe~j"ŌEg2| |5n!Y!Tܾ.@{s &^Lck](xoMYahҏ7>S3yuK:WyOOװMqm [zrbף}K (ˠ:o3Qku=Bج\<Ø-or`Eb&7ifwXXUPv˟6hwx؁;w׫Eڼuۮ+M,5kk6ʡ x:cUxyIO[)nw!y"_ l@}`!7۫Q`3o5XT;:2ҨLx5i2 H(ε VT[FV'm0wvg:p1mN:dNꝃy_{5}¹Ay^VN V~~0>͌_]yZ`)9j.E B> dշk/?}䯿/lѻam ɨ^qC6s֏W^QMry쵕݅7\N[=AR/>ۻ }M`n!9!T/w{;"mVlR i殟}/ F>g߮ _AUj[;e{c?B}&0@!<[s^]_vMtzf]#B}>0@!G9ϼq@!̀t!B!A0@!BH`B!!TiyW/EB"`P=@|Wp'*o/3\A! P}34,[~fM !P Pv66!<W#[Jzo)X B5gB `~Bf0@#ӝ X B5 BPl1p;^D!j PQtm)B!TS sf c?\!PytP}! B!T;x !B! B!BB!4&!BiLB! B!A0@!BH`B!!B! B!BB!4&!BiLB! B!A0@!BH`B!!B! B!BB!4&!BiLB! B!A0@!BH`B!!B! B!BB!4&!BiLB! B!A0@!BH`B!!B! B!BB!4&!BiLB! B!A0@!BH`B!!B! B!BB!4&!BiLB! B!A0@!BH`B!!B! B!BB!4&!BiLB! B!A0@!BH`B!!B! B!BB!4&!BiLB! B!A0@!BHGM B!aB!4&!Bi\|1r#OU)9B 73@[ B#T<_bX 2@U <BXbV DKI) BgN>*u[~Q B{)tNaZ BUg$F4=8!TUtCBx3)*<BCUZ8!PMIB x0B!BB!4&!BiLB! B!A0@7Lڕ 3޹e^MV;vDZi~B!Tq~]xpE=,Ǽ5*3?B!TaWgN==nH#[}&:u.:wiu2?B!TaOI$iE;5*{5|rm=g~B!Tpy >? \٫ɑC w$!P} B>zFZ&s1m{%!PGcB!с)kTe]}gmk̏B} B>! ,)3ut*+9׻~G!> ʾcg# }ph́XN).}Sw#B_Hsd6r^  M<}Yg~B3 BM[M\jOIU00?B!!9`s̺NRx?#B LBҤ!q~B賁#B!A0@!BH`B!!B! B!BD|B'2  BgR'0@͌go;CBN<,t00@ _Au`|<B27w.,`4B~]_,|PbLBUD@]`CaBƗ<73r=q BUqBLo+nlC&)aZ:8b$BUS?!aB#3-/F!BH`B!!B! B!BB!4&!BiLB! B!A0@!BH`B!!P=<<`h.71+xǚSX E]!P=f>qz|LԶ'l WW4~BW?,(G9ѣߕʭ$^5]u^΋{/,]x1zMyϡxL‘F1Q*Mq;k*? ^@$y==|E , $0WRo+Q=YCL?:q.(kZu#WI  C'U8)ؑc7Dy{ I}0@k\^v#vv\ 7MmK'E{(WA{C'vm;,Y9v9U?~sٱ1yM΃-dte֠ۧ,T)voy%l5ؗnځ0n7 ML/oϑ#;oe2noGl?j &O Eyol޸'$!5@"S=_~52rR)Q7-}yQa8Y^iw˽|~åʔ)hEeKo1m͛V4Y9' 57aqC=6/@`ʘ@躴9kٮ &@oc #:p77o4nze?&Z8Š劅 8ܥ)-&j3`8K*}QYiӦ2  P W8<˲v|Exˏjwh #u Z[@0 5Bj*$PQ 2]^V[Mo VS yOtD/{au}Os;֎HsdV,Viī_J)gN!cp_Koޝ5ij>2Kf;p[^A-{68`ܐCwo|+]UVNp|S`TbZKߧ[g>4هwt^륁f7|$Dr|(%dܛrZoLI lKJd˘@HN<\d2H?t*ѢuSCMםIE s 5wbmji1 <`ם p\^6V&%֋cU YySІ=&@Gi* @kX[Y~c**N ?\A%*-TQ>wwiM("1 xhu#﷋ҦXa__VV{f'%66j}+,SdiO~FkbFU])d֯+_+$w =y,isC7{ So9bخ  Hg]I*+I<@Շ B> @/" <4;Gϥ{hW>AA`SbE'P1Q"y>wgAm:whN˘Jsxɹ Z+fIg0I^o2թbcbn&)SzB'3Y> (-S Agv[/5)g{dQڕG:aȐ -ȎFU]q wr݇!.tq5j>_/Ą(+`s՘G˩ޣ74)9Y[7%KOʒ𤰐*Iؚ0@g\"!.f޺UlnS=rEBBY_ zZO~8~' |ջ鄓8K6u.rz7KgY(݁ժc>YKabC;[ׇJ rk@J\U;qn}- udu[NHyݺ+ӹpK@F9_ȫI0 *J{/WSm S MTN\ErX) ɟ)D"xvvz&$[[((f9)`򶨲Y4 `# 1B@PvRUB(@̬yTܲef(&W1s~NKj(s2yҹsoK;{;ܜ̌zkoU?Ύ^zI}#3]2g=|TIry[zjc""sVVT5Z[ )1uvrp0_A oA+W/c!* TSBͥ')+[Rn-= z/c];'k5?flۦ)l?57$*gBW\Oݤo^ 8?g]vP\`{14ȥ@pLt 'Gf4V6S#]h)$`N)XJMJ/c0\AKqv{!"0|^9s9;s}ܺ)3O(Uֺ{o{ѳ~Gf[ߪ1A~뷴ڿzOnk-KE[KwV 2{WnSr/ύ˗VOޥ(<z+&O>yeTW姩+\=‹eяnʳsfNj_ZsϼpKu},3}5{Zr!?xp :~yҳ̔k߱OPf}pTN{^կ^lu{h]}]|~۟ݲrOѻ N_[]-U6O\YR9?\_nQ]ׯaԠRQ_zݹvm[{1TQQ*l7߼&_u\sc%?]W~CY?f٣o}qa]w޷kZ۪6Xsyu]tSZzkM`G5v8/ZaQOX|j?17]nT8w=zӛ[Ƭq5e_|ߠc`Ga:Qo%X=mUOQ BmtoX=~]~Ӈh<ҳvŪ'nd/]4p_;xʂ]DQ~ğظa”i86ozj6]и߼td7B}t8Ligv>vm k+vo{l'NGJ{ZÚGxeO[uc6G)@ۣ[ǹ-]> " {5ᐕ1)|Aq 6ٲ̒a]#g=kM'߄) 6oz?E@AD@AD@AD@AD@AD@AD@AD@AD@AD@AD@AD@AD@AD@AD@AD@AD@AD@AD@AD@AD@AD@AD@AD@AD@AD@AD@AD@AD@AD@AD@AD@AD@AD@AD@AD@AD@AD@AD@AD@AD@AD@AD@AD@AD@AD@AD@AD@AD@AD@AD@AD@AD@AD@AD@AD@AD@AD@AD@AD@AD@AD@AD@AD@AD@AD@AD@AD@AD@AD@A/y~mgjIENDB`why3-1.6.0/doc/images/ce_example0_p2.png000066400000000000000000001562261440160026300177230ustar00rootroot00000000000000PNG  IHDRXsrtIDATxgXW3e;һ *{1h4cO3%={ ({/ [fv?`Ιٝ{ޙ!EB!$!B! B!BZB!&!BiLB!"uKd2;۹F!B=y@6(ˋqAZ ΦطbLkMRݺxMz;ϋq=!BHѕ;w/bFlu ݦFH$~=fb{g^@ -O{~;M=Yis^?X7MkpDO_+]ןf^5F !BB!>R$ŗ&M;ۮ+Kk2nl﹐lVߩ8Kjk^P%_>HV-\rWq4GYQ&5h|"ĥiSײdsش\oF%l]Nub/;gLfoz^y+-_+Uk:_Cwg9z'NC߱ \ ^wj 6U[o$f()[N!B!ކzYaʱlK5o?lZMiЯ 7*rŷ<ϱ ,;GTWi[ٹY~z^ysv&_vռQ_O=_Nyۼݝ k`wҧzpJennm;?%2&ѣBu(:21%UxXRZþ^QxwWv'B!P.Nٌ߉ w,oO/3Gn:?R]C~'{fMX5o9 ^'n?+;[zh(pmC^;[9~nq6n Hps{5sJf?|&!DiZ5!ukZT7Vt⥗x>U_)xuZ8g{gb"Bշh:aeMac 72O(Vmbj1 =q-t-i`c5&=L&)*ZiҶӤ2VT"Ωhc|ӈνQUK({&0? ɚnhi!AF\zB2,[[.N}6Ju/UWTom+qڙB!T@j\Y!iHn-1uppx^ ǽFVQqijb[gݿt򞽟X7YP4w홋Y;s w()ls-m7YTorGqһӷcLf7eZ= P.EUUG!BeegˏNf-mL$vjϸw/@("yqv FN̐&%aɚ_/Y߆: öI>qi%YoҺm̛g]߬]G>6 hDU^UxU (GO#Buz\z[V5kR{{J2䖽6@\~BHHȳŹ聍v1eS8YArjI!=-'YUc=fnSa U9Hnޕe=b=E{'h4Wь `3oboc3?t"Buf5l*ٟ}HLOjߥ :tǗ_xJ[>aůyd7[,_ĪI;׊'t;N"d-[Ե{_UMwE:1jB|b/>>@EK-Z}1ocpN}_"ts]{x8C{{ tr'mr/9 X%C%m=h瓛!Bާ*,B!>m !B!- B!BZ!B!Ep!B!- B!BZNKO( B!%TB!BZ6 ݑ.޸j[~125#BFvF^B!!B!- B!BZB!-+f,4ShеhO;~B!T*OTّgh@,32sw'@s~8gi|T5Uu\u:_TΣ4Rqz h9S< Oϑ/[ڻ{ qF|,,BUD_=}%hJSR(,9pЧ*>oe94i1x|sөPeJb:gRD]8u#VpAQDC;[.>Bw@_nz<)-LJ*\C9W enD;+ KU,ɗY{{7%+Zx{u=&]y6i7}7a\FA)CE]|kҳ -ڌ>r"C)# UˋqޓJOvnF<` C?I)VB= {/fvzeĆ yА]knfB6v y|Cqw^Qiɚ*Tz[I0Z`J׮EfR0⼌TV<*JnWQ*H4;U~2oϳ7('M}9>N(]klK] O)F^z1!{SI|Q-7e(H|dBBYLZjyfZvlȥ|=+?k] -uҢܔo#qօ -E\IOKe._aVʉu"ʉ -i /eA$P}8TSy+=of&k^":BAjU&=)UfKpQj[ێfe[Y;=Rl_c>Î>~5d j97* fun2!͍HB$AK#Jklѣ$t];~.Z/(ɏ8a^~|Bo I ear#vna'\ɯЌġ{VVGNer2JY6~\1G܈ >p'#Ax]3."(AB۶:J4wyնɬȾK[1 /V^rqkd%t` 9ofaL<-:*VQyؑauՍ?jt9_?¾ qŒbHQB!ދFxf{6IJI)*H+HH1 WCJg %%Uz043G'!XػyHq} =[g+A DZjZ]9{9y)d(glH'4PS'$^9d¼5eJ6 IFE*r+on 7;61LIjB=}1T*5*'dronM᳻Y5j>16[]d\N]A?`!PCWm@yF8U^7K٭,*g҂/݋DI qWeg~.!qԇ(".5;???/IvJB;N}6Y6yϘknГJ'"AՍהMJ*ZY@t fkS4mֳK]7R_yz kQ~ؑ!h>Mpdpj{İ'm`ج;'NEti$lA}RBUKۘKE<*Ke$IXNPʫ INBY. J"tcJ^oTqw_|mD22)eV^~|$#.ҧ.f%;:J4 IEm`(#.%W¤BEs3 гs2y. zYͩ̋UTBMUe#H !p9ǾgyMflU;0B!TFTO$$eXR! @ʤ2Iۺ{e_8K;؛ BygfHJb "d t";E[~imu)0, #8?/@e~Tc#CWq 3,FMmu,٠5劒si&!hvf|Qcn rO'PPSFy{ ;r+< k)nO7.3>ejKXbBU0rSs J -X84([4pk.ggi,㦝$=f,]{WQyua5oܢMŭ EQskO:+1;?#/SC$FvO8v{p?IJvJROkjl ${Q{!1yPf̈́'5-5UD$efm-%s:@lj9RJ捝HUl^Ž!Rx]  \oŦ[tohFZ44b/C+wYsjg)oayt|Jg۵lp\>#47Ýyd=kϵ\Vf;pbiwou5"D`h/dy!Gvn?W@41r@=*p- JJ-R̭]+rUbf=O,}@:b~~ښ.OWx [x~;8B}ȈW}4vGxzt4잫߈.n~^tZ/Fu. V{pʼnaBC1䄝sc/spaMقTafx&ힷr%_Ӗ..L;Kyrw?W=UKn ׯaq-;,Z3PϢ:Ɗy|e`ɐz߷ NF n߈K{ F*Ucv[|tyE1' T46w++a~С?Nw^j+ L9?nݰƥ7~t†dp`ּC9gA|S;G !>Xi4F©MZ 3Bbl% G2~ /,$Mܜm_z}Ka u[މLW^)K:v4~$c[>{46}JÁKǵ{G4qJ?7LZB$sӌA^` )+a4- _o4s3-Sf.Ǧ2-l+rQ*/TaI'Wv4fx;="oרϼվN?dž};>g|߇vc+4kټ!vNB}H!LѼ^-?7<<*&=,2O`ckAU\E=&HmPۻQgn5oaa,-3D%d(_g3O^ 8<4t/2i=˾&;WFRMb]sG!wNPR߾M[}G_?v%Z!i6e+_(aHdjr$v3;~ÙGA}_e>ޒJ~|gHLzt;( [>}䎎 E6yrc֭2B}!l{}iޟwxJB=s'S Oy2jJbj3qZ/[ꥻ h6v[ =FH߮sGEZƠɘy }oQ ||'ݳ쎟<#s",Or}1|OA VTV #HLG"b0Sչ!Q`wB!p5M+PT-@"3 T>&?p-DCĦY$$OR \ jN;RGf(BMSW~aKJURuaA<< %ƺ B lDWְ|q@Sdj*0p5ZxT-WfX&(X (*\4< RB'cK|,Vom+c?| ٤wkli@py7LlhE ?RIVu|nt?k>x4ӸS/xܤv,ngҕEF6o}2ly ;#OMŇG7p<< T_ad !ޗ&r/*JU 4Iq&'S܍d)Ah 88,*QX {ů[OFyw?+]9׃)@~inIzEk3e& bwii併8RH.gg=IϞ0xTB*] 8Ȫ' u)+{G/nѦiʮIl [սkDn>9^G! uM8hX x4Ig9wR؍SK,G-OaXwMf͚5zh__W^wގ;֮]h@dM`)==q\[woS vmkIf\_9o~Xsu=1ɄS+6,[xnn>L=naџ{_+(u>߭V ͸֛<<.vٽ0iڲk g5v`ԴM7ӛn!B!Vm@ Pi4EpweTd:]*|/8$dK.>|x=x…[.XfSL @Pe7Gszgk?N/zϷO*&"h%ASoDDq^c|$,=.Psp-+402zH26 7y][DrB?*ȶuKSz_3>ղ-}!&"(Q!4˖x4YfYE!~XJHZkbŊ>33sرA8p̙3˖- 8a/YrKȆPC SB5<>mRDqqsa{ZJx%jg "tf.N`?j]$3blLMn}W]v PÓfE 4ׅH9F[n&%|Bڭ[J7"]]9XDѰ,$ha'&m.`#y+oи90ov3"pA}E%Ci2ž|+% lBNlad$1"_0] ~3;X\XJ*MRzArjf|QG_{CCCIi7(I*P_~zkwywI:^`Bzbī@"h<{W@~pQ"ji^󾰱V^?|iքY,Gj-psd+&/0m^U0n^y mveKo!UA]Z[e]̌K+{I 5D"?B] 73ްXSLbς:~릤_~sJp`YS #˶ˁ ?ض]5{ǒ[u1ev!C DdggmѦiAqq1[>H$"B}`3RJ@h7'QEWDe@!^ܖOn6V4EӐyN'W+HH]'MԽt^r" V*#8dRyuG!PEI$D0HQvml· cS>.IT11WXtQ89ImNRH8Z]kG! =:_n?6NKzJp@={ٷ0yĞDCow.!V!1Yxo|Bg]ϺUd9`98;C~6nR8BvL[ABTc=[ nuFg '&tݴ<@ttCn:H4iQ9|7ѫ%u7X&>߻}e$kuC 'F:E%|m˦3O6Yt$8haq Z㛍: jU>B!TzKlpځV&͚w$A0,ְԂ3#nn)7G),~~kx~+^m if;sj7e\9' Vo'QbIӁ I)u^Ka#}M+>sꤋnǧ#4|':Tu_`gG!O8^f8V2+7qSIȼI!P=Ail)97eŧ nliohi(=#` z'҂k iMkI=2I!PTo0_g)xڛ$,.a8x)O*m^XQ;7+ 8(O`XcHpWC!BzH2 /Gzv£<" TVð@&(OTzGC7ں63jpRHdYx x2_2VKDajL?4^iB!>uj4̺1Z9>i$_vq2@BN/gR4!ח ݜ,~;gtNaR>2ƅJzg6hm?5<!BuutƦ(XJ i OKڙ e*l8LQXbS,'. /`hS8+)(x~>4))Pd>XhhGR8)25_Sra ] EV ]:oۤl#,hԔN6p2y,i`V9ᗖ6K ]~6( BkRPRE &)`9nD|,%#MǰGE%.8(Z]֨Te9  lErY>=AON}7$@Ύ/F˨F7})B!>-8%G4M4QA0YVx9Dx$M<$ 0,}Ϭ5kֽ{^޽{fͪ 2\NbSjlRPR/-d + `͇`sџC22 g9v_,Nl5S{43I l|-9! B:?.HOS||/{{+٥'"B$Ej ׯ_ԩ_pºuNZ;BS;}SNO?MO?]O?M$E{ -)TMLDW\=,#p<nn)QE"pw'_6㏑1,!Л|]U EeOs<,U銬"YR+~bŊ>33sرA8p̙3˖-|}yeq!@] PVQx>xjc4s A ^;tC}{,Bx誋 iJe3|~P0X{"M"-Wi"33˗?|p֭yU*,@xU|=ynEܜ&߹j,#4w|^H71'1!LFFFeٛ4 1`nc(4e,ͨu?B!T uPRjk>7g'-|2 J SbHǣ( Ӥysw6t~1z{l?BH5|*:NվO\O-$Hy:bMS.'inn80Zk$s7*aٰty\LWx3.wP1@*5u8k l'z&7׭?ݯn$li~ 2~nNQlž?9uhJkm<_BZ Fì;өcx|.dչ[*XѰ}y/p4 i1!W.\{g}oPeQ#:goSV$ĕ{}OKﰠ]?w]ͿNra {Яœ W%d䁂뽶!}Ħ(XJ iMyK9ew;Dc]M>'ROR - jX232d@+Bݍ;͝{}Gp@q@c=m<~3J_nMwnܶSWao?|]sSHW/#֩+ewBAİpP+0W< ӹ< _òms =r*_6a:UUo۷b5mzLٵar)VDagZxj*B˭pwWHcϦ]{U>u\ytxab$vݫDik׈?eaޝZ*xLDY{{KR+)PvȀ0ýX>ocx;F':^'O)?_.Qԋq]eK=3?hPgroegJ#w~HL훏1S{+?dHkci,TV3lڶ:^>xv&VZ`/<|[Ҙd5gά7˯[_B/hh"4=H  _¿k˳tl!|O5v<u 寕kOnv.\Ф E|ׯbX-͠5H@Z:V,-MO^u>m`g.0{4 Lb\"gneVzR3'|k3 . c%|̠ ;M5 ٤NwYe>?ƥ?yi߼~N"9 iL_v fdI_uؖDH_td9y&kV\R\bNWO~}3$I!*(U$hϣ8VMs/CRK9(dX#ɢ?MM)54M)LY_)@iz|@wkڶ:m1IX׎'4Ǥv_y폾9NٝαI~>ӏ-xq:|3tGwg*1idC6:V~)}hgJ vH, yM -oۉYgcr.δ> 쾼Z\Zwj]ޯtSYwD3ܛ7J+֚d/5pH?8 Cӕ-PԶh0i TMRǫhW^ETSipգMc@V_n:nvu̐ K;j\SxѤRQ#RYTE$l@ŗ^\zGi8%G$YNp ?hP/Y,[$@ð׀{9f=z+߻woǎk׮]*PPa^\gA&"൘gZM2nXǚ<3IJ:a;9 Mj.ڭỷ);[\ k>h薰eoop]ԛKNq(.$j;zy]LډN 5"EVf|zͭ n%1*h/Hg/&OcK=B{/g&.񆛧5|OCKڞzޠުBh`d\yFOLIj7u KTux|y``_ Uacz~&&"j+~L??mXm 2.'2(,2\ bIK"h-}^Bq a즳g7NNe$ߑ +h+pvсg{8\%SWG|q/wV]oen1կҌ%xP/ڎ툉[KkT=Z7Ǭ GNLW*F7ꂴzUkq I@h^IDӎ}< >#:w^~k+ !'<,iGSj6<]Ug(R+j_L+V8z֭[ˆ28gϞe˖Ta U2!Oa W+Qqم.ldYN,|Wd=[_ϳŗ j+p4Z^,O=fPGﻼu]dzYW^ܶ9*ʆR]#yϢ[W]|iV][krǓ05ke U^!SFW]\HST§y4I݄)bb rϩ6n(433[|Çׯ_nݺ7oZҲWb>dဃROO1Lvr#Xբsѳo9{kc{_yohg/w*MK/VQˋ-;UN==C哰w];oFiAm3i2:7n[O;l;f.U:p4X8A X)|>6'a$x\9 ? dO>w-'߽ .)OxU wDwM^]w0%doz{0`%X@#@ƒӛ]op }S'v aЫxLj(TYUA1=s~Tm@X7"btHX!ٹm 8JWNZQ%u~ 7}uOPO8uS;gSD<>3ܪ3ufL;Cş8r$>5,n{ɸ>#q?Z]b3w3]w@,;SJ 2͐$7]OիW9sªxf~s&YE|sp@8LswC?wSQc=dM">sm_}s4נ45ơUg&d|5޵/WRoOy~An7󄮺W*e+pr1ɪǛ:*/yAsoAQf*6ys7yC>ˏ2l]s#<-rc25˖^:kn+(.B{oknIԶY >σZӭ^|pAf–6o83x0tڳߛ4ci4<4!l JuwC3Wo,((Lɶ;?+'gДۏeߺDaLGUv2"x4ɧIHe)DO^X3X1M E-Z/=u+)oGGs!jc`<PfZ&~(q߶ZĴjfxfNWOGvC03" Qŕt2_p^{oEM$d]֜911ŷ]* Z^i!mr=3$@Te!-+[.>PVo#@~nqY"3EhBMnk`c!HBʈeM:::oWK] zs.%go3` g6ל DdggmѦiAqq1[>H$"[}D"H$½ !TC7c0NF}q:? T;_:wSn7X罟(DbaahaaP}R?^ňec2>1ޱ -=8yr33  ~5Pc֌~g~+GGؘm[|LMʙ:-8>>k!_ᨯjc ?vV9^1 {dmyg `j@ԏ7]lu<~ie3ӳHVLԤ C{&U$Ry͑B⠼iSd8Q@95揍Kj^oZu G}sf\w|HFic jlLSH Bߢ~i6~9<}5v.p VwMA:?"~ A _a @%;dAf'lSaLR'C \xxpKh`9֫N%ae0sQaij/X j<=Mkq#">u( Sk6T 7Bͮf ?dπӀ w t^y3wơkv0# 0&0?sԒA/j;&%Sw 㯷wɷpxC+G(N\ sd^ܽy  8/FZ7VK uj1% 8PxB]Q$oX-Yo{o&%AA.Rc`P28tp( F!ЅcT X@f[}0M Oل:+ÊSb4|j сp;P4W}7R`+}o&S-U!Cc/j)ēiH;Sq%SrN܉O-,.UBLpL_מĤY yR:5?t$ǨJ 5J9_KBR Ä i&s/ 1'CܔvNvO!?5Pz_8&Aи @;A%M}24t~ް:s_:_ pq3V)M !eUO=k#LdzoIs1{AP~{q9GdFl°Q;ME&`(jpA6-0G'eHu%#|MM'.oͦǻ]!T DZy| ;8|IX\p Rq=1SUdg1?$%<>MGߌ Z NU<&2u!iZ!gU%ɪ ɗH(C&.F渚yp9 880es bžSjX/@r [8a`~9?tZPMd8?7Qԥ"QTzQws"4 &k3M XHM[Y=e'[ם{aS–Mu4 > <2K}g͟a3X[am~h O0SqvO7_ 7j>9H;CQ*m|ONxGS$AJj(ErJq5OTbF0($";>٫KI8 İlXcŷ_OXoaޭ25xi'nkdc aĭ0D }&9IM?D XS,I?#@ =Bl#Z <\L:$3\/P a3 ;ÎU=.Yvhˣ( T7 }f/uDtһLb^ i߁H=w~ih\Tܞ 0R&0|:d}[qM:1 HIpg[Q VUE}/n-sh'~ꈽp,SZ5Wx|,Or}USs^áp ACp L ,kZ{-OHVBq/ʄb%M rbǁ>n'gaߙn2ӏ.ofY{/:>.^`?ǀ @H84#iFe5wS U~KF\rRtQݍ [UO)z))pUG>|֮e}O/դWI+hGKՆUSeԉd@{qSF25ZA@΃Gc5à.,iSrh:˨ j E'tؒ"35AwgtpyZh# Ra %*mK_>_%IᅿPee6G^qkϿre(>{&5؉ yżߣY6ޕoBqqſߒS/-(z$QcƙͿm3ԧɶk:ۚ nuhچ jForM/u`O q&!&tOos_[ cgv_i@Wnj}}X(J!`F:+?o5MRܺ6i?Nug5jX(U$hϣ8VMs/CRK9(dX)||TlFU5O7P*sۨQ)Qɳ5/y!v/?+,8cȴOyD KU oN2)l^ U%ݬxz~ ΝGWI {ζbٝ9dkeARhow;{1v=dEգks?/bfhv){Y9z^WoqwrNvh1Pҽ^oF: W\-BH0/N#cylY1g_i=79Օov^>}YM_]r-gcvog~4oWEx `4wj[k8;/}-+ i:0Ii|R!˨Xt*!>T+bpQ$]]P]\@Q*2tjIƱ7ojժhWPĈ7ϨNU˗ts9%1<4YВ۾8r7ݝN|T_)P?me#^ңA}*EPVkgHUg==8Ak;FDTyTq̹'TSl^#/:HZ2BO'Y겳\)[jbrWPr|Rtqٌ-~Nz5}Tr4]2wi'wJG*SfiOV7Y ?pQ8 5H";P$٧5Gj6<]Up eXI8Vհ*㳬tIOʬݾsE} yB䫷c 4i֐׳3a"@CP8箪w24˹O7%$Z#JMO?i96t$@ub *:<BSc\@Ϟ,I[(5ʝ_H_R˾r/z\"^[ʛkg ak;AO[RpW @ H-|:[䲤Y _2&ˠwZ}p!T7uE)4EI%>e?AM(zR,=I+T%|_Ն]@b@D$- (ga6Tp̜\57(z'^LbۗR-BWTh|"R&*ވRV.UL?3G9Q˿\$H4o"KV˫ŚPe'\u,ziuMx"y:4*\PL0ٔsCMΧ)cѓLZѯ AKX52]z֭,,. C u t;<ğ1P>"旜Jzwz䗜N}d1?BulJ?RMRQbZa\|Lj@DE:'AѴM6˔S޽sϿg!ǒM2*E32@gxOTEs)L9VsK]ɶ uF31wfL=ٸ%Uq%W(Y{}.gR6TN]RO:MabBcXBnyH}VeǪMmypm3xi _Z!p(-Dŗ[<tu`n+f)Wohlή쒵v19م+P[$wȻE[RtYL4Ii,]O (WyDޞB$Hsr53 ͛+< Z2 <4l2x ^Z؄p/]LՌQ=Fo( 'ہ 9t]/ޒ@?6>_ |zl'0c-n`0` L? U=kL;yԞ_;Y[E:]]`UX}}aV^fAa8l$ . 08Ɣ@ѯ Ѩ L2[jebfv*8/Ũ/GnKD:y/G'&2/b!#$B1w?<RH)7@͓YeP޾s'#-[]Sh1^,OtC/////&n/%.֎;{rX5uB'}6w 07P7L0N0T \QqFn>@ =7[Y_ەcY(9ZkyK{:C%\BB{ذ >=orr W~Ӏ` NzNCO`kʻ{Y dNP8/Euq\E:F6j%sڣ]'CUjFNƉHRjԈWt[9ٮْ;gn=c 6$FAks,tv-G^v 6 v `lO8W*}* ~^q,;?f̙~R^&mAIږ_gNyz90qV5ذ*|1l_RwZ[i eLL_C@w[@?NϗӠQZ GkTjBo[==ț hLb̧噪м(Qǧi@jBGݻj=Ck-OPCP6XIm!Pp4hÀl"|&dp擓I+Zc"BU ut읏)J]dLyhH4jrG0B ;C:\L:$3ks2Yvhˣ( -4cn0`TW m>QS9}'0{*S@ C 8!vh.*=b.,t?ǁk@:abß#Bo wZb BXЭؚ/aQMV.f-ޜt;Oh_f_V͠}~ w ,l\6 2,RᾦWR~m=3pQ396CAUtÝ0`֯<+t&kf$ajt0aZ)',Ʈ0im]O7Ck1$ ,mv뭔9\ 6_i4 Ab!@ ޱglܯ>rUNjT 0u{cB-!(6#}nyzdcΫ0v:փ}6BoNB!T4BwkWBB! zCUeG!B!&!BiLB "9I\}" B .،3,hkS.3*_ h\eZoaB! B saoe-;?+8դ' ÔS5` lrij^&n¹EUd_&'_.XrvJ# _#LIɔkp?D&΍0[?c,,Z\q)slVTV4!tD=}I쐍˻TOM1%8tln߼(Û;X`#DikB}p B`s2JvUm=uT,t4IJQqM?|.UtقS[6q e.>砖ڵ}co=x7JqeIO')w!q"^o@cA=I3fcmd14,[4!?Do\ y4c}y& ARYuƜתnUN~_ocWX{å %hY}z?zE~׿,aS9Ŷ'8Nб BV!BfO m-ʾx̸:b7v^!XSu{A4/;^I!+;cW3~=,zI߂‚6k:v|bh: Ң߈q_Zxk#G !BaOgФdu#:ߵQT8NH/"PÇ#n:|Kگ6\yv+lTi›E}3a]7-;7`K cߒ@5!1! |E |D/V~yIkMmE W{꥛/{׀^!6kr62#B}"`FW)pJM_ # m B}x B! 3koOXʁAtĽB LBH1Ou\i9Qqc|(!> ֣R8 vKB!" B!E0@!BH`j䍝u<ј%BE4g`kytUw\n# Bo PC34*̦[\z}B7SB fQN Bp!ԠpG N@!jGB x`U#ZBv0@5 ]X B BP1|;^D!j PQr}Ǟ$ߑC(B!T[  sF/.Bp!PH/)ÀB HC!BH`B!!B!- B!BZB!&!BiLB!" B!E0@!BH`B!!B!- B!BZB!&!BiLB!" B!E0@!BH`B!!B!- B!BZB!&!BiLB!" B!E0@!BH`B!!B!- B!BZB!&!BiLB!" B!E0@!BH`B!!B!- B!BZB!&!BiLB!" B!E0@!BH`B!!B!- B!BZB!&!BiLB!" B!E0@!BH`B!!B!- B!BZB!&!BiLB!" B!E0@!BH`B!!B!- B!BZB!&!BiLB!"4!= B8B!!B!-SBk  RFKF!PMxo18B ȿԿWBPj`EſԀ#!P܊gw-d`,0&!j"KΜ Uwxh B5 {+eT['B3RZIjT %NB!"MD@!T ==145 PPvկA!TRJ/F!BH`.\QIDATB!!B!- B!BZB!&ɸy>=;cõTKp)--Y:tw). 6ߝ&|iҾ‹˗K`^YD~HY!j0@5(LSLլmӁ3D:R+q4qh=,//b(ֱWmtĖ hO,B*H-oeTѾ!B aesԐw{NҫɕBC B!Q)bWk4wqM.zʦǢo?/YK#~NG~ W.=="CO,htѿE2@̻Է: WqWzrQU La=|G7.3HSM!>L fЂ%5O7oDvF~o.gӜORғ{Ni?`ήgٰ%YhY݂%#'* ! Z88y%fLlW.+s29a~ٕyP{-BU-z[f">w>}ơ&x_B!>N?] BZ8!B!- B!BZB!&!BiLBa.b0!j!KΈO`B ޘwCB?T\y P0G[]9;ob(&!86ΉS7K8`ϙٶpCJnq%q'7~'MqVnz/c {hD߻TPO_6腗#?Cmq_cT+8'4x /QNVg^+Bdhnni(&9+bni@ɷ]}ڛ*HZ 5tjzT X}lp)ǎ(&CZػ;|hS} Hajи|5}~י?pyۏƨ8BHWUv~_İkҪWlsvxD)*,b?K)K|!`67uqH33'c:?1Q; BAc(쾻ꨓGKOw|^LpwqNt5k1rW+~ؔs (RSR&FLU NLBgȡ}l7G1/B }=FWɮl!R! uw]H+:ZW.I-tɆv&rgXWgv]KfAAQ,5bhX{MDEcĚb];"Xi[a, m9gޙ=33C#y(e֞KHJ͖;yh٩SKoK|r͒ߏ\mbk҈Q/1;+[sgv[XGFҥ)_U.keRf'|6FWMU -#SrU z3Z; s?*M\ͤ!u ~p\ _vrk6g|Z{R3XM=7JKz|,jMUM'n,jfQ|xhOݺ0- |_Svnn>6sѢ-hR1 "&>NIe׷ n[A 1ڿSkrբY ua#z g%?\8wmAoJkRnV/w[ؙm~_KYk ȾvĭY=xZIGDiҿ}Sv :ڣxseӿ͚8 Z׮Sѿ}݁R: k5qo=t{vs{=i7]|PaɳLM1N>6W?X :_$iYN(lB=B!:[TQpQvq Yjś+&ֱ/es}:=ں$r>&˺w|_f\g!{ahY2k1/Y}Zxx|ڰ#W]Q++wi|jQ{}ۻޛLK8)_AS>N4 lgϦ-g kgtClT ̅z{\dxr1=?||@ŧ%jRsxTr3yx_okU2I?qGS>o[Sm %>9qS6s2nٸ5퐚Z֮eסg2NWE-o8U(mTo\}ݥ 3zU tAWTt`bX\"ͱDuR)(&\k_7啛W~ګk 5ę ԕ;UxskT{XvEyC{3WH!Y:D "2`bFZ: 4hx߿5 SS2dhs7j\]>q7`ߴ詓[Z_Er|1;MѻyzR77 0T=HQEu튝M̙\'rhq~F`7ϼQ='R "v;:3+I~>^;=' 7q{w8@D6qG8;ۚKnW~ߊ̷ػvDDF [3]>P m߆ܖ^;""c)@DT<)@DDD%\ҽ;}a@DDDDdD&DDDDDF a@DDDDdD"""R BIK&DDDDDFS%ݻ ѻ!(i-&&DDDD#uJ>&DTke &2HDD۩#kN}>.2DDdplIWJ0DDdp8 CyCYA3=EJu )K5Wf:aɣf?$)򉈈iF+7qREe- dmo'w,[ZؚqQNW=ADEuHOh&74+ql69 4ba^|ՊþVcf̼b²F˪#?f~u!Nw5E N""#ILKȀJ}},:  l|"MZwrMe̶.v0ps-Iyu镹=uoB>N&]Q|eB?k\^t[)F."2Rwz.,9~:KN"|>jf'jQo܆/j$FعXJ 1AT*]>&DҼ|NS|]ݣ'n,8z禴0!Yy_jgI4pvDDdѻD&ALMS*!&IWx]LW6mۼ7=rЍǒae<̥U* ai@T* -l|#Qs5 \sw;tdsu6ZnulH=qrٌUٰO*h`ieo!hY<6ܽmzOꫯk]mz'n[?/rEv _Dd'7\қYgTeԯ/$qrE'5ʼ8.X ;zs\R Hݼ,Ѿ"dܑnOvLVCLxiS;7zUtR'tѮ Q0 "~v掜ODD_LaILN>_2 (xx;sQ1 "CybǙ֝i9mCCDD7Lw\#@DD8Ȉ0 """"2"L "[umEDDp [7pt Dd0;Cվ+}}WQ=7joUHօSs:.w͞9<xջ5oQԐ*J-xcȸ0 "Cjp`ﲶVB:Mr#덅wwnny4ms5=;3uoNUN>hbL^Sipj)Eo^β !5y$O,^xijODƆ!=ϩ*|rMtgs!//$ȪwNYxiAuEgkV]vMf(?i;7mvY.EphݭѰF~ߑk?!LεӇZY C;:JMLHHLUJ=gFVYfV?_+w6gڋ^D76sP_<0S? nua^|T_Nyl١~M=QĴZKΝ:ZH#uDZP/3Ed.G211 @h|׶bIhr)G'?6B4%A|pȵr6oVN=\j%φm_7꿽_|t]j{;4]Wc.>ѧq[g`u">'_ru:iHRΫH?~mu2ڬ4(kY:Jqh72kĹxF .g9SAI4|4}he m?!&Dd($C=,#i;LC}ʫEq{ɓ" DžX^$"7C`ԩ!0WLܤի ,U}k/l9wZ(*b@D@}sez:Ulv$UN9\$ѷgS'c%s՝.=WE.Ѥ|8mtv(ڋ 00ǀ ;bv&8X?Ӱ*4BG9Fh&fuS6mGTVh =EUXSN͌_}陚q:uRyYfGL X֬ϴf&(V:u'O]ڃnhԱI e3b$Ve>=vf،Jruy>ۡԗJ3$TZ9Sk%lpo$ӽ^~"2>$" qiת*R (mi9IܣjeV|{+Nyf;:<{Ge\D/yFZ9lO'3iW ضMsMҥͨ~61\9}ۻ~M<qdF3QC-ZcW=Dw8`bK;WڹCUo=:v+Oz͛Aϑmli-VlQ]VODG8yx_z SGݿF[f"+HrnT1qz&_KM=9SϏ`RODF/Gڰ1 TWEpzϯSr7fӔ9|?gRODF#DT<8P* PJ}yFVW-ȩDTr&DdP6[4&XL^_n ]oC(ªcĺi Gfh9n60-Lޗ~*?DTQ^,1Cי_q>8>[ipY+:;_X8V%BRZa;̆U&Bӱs?ͅfN9s?Э~DG L`(/-c:f{~*l܄zqK|Wp㟘U6O |= a-LMDB^0@`T4N5&cPSY-\NCSL[Qax|K^륾 ̼ -.ݸI|(~zР&uÍ#m?l q2&Dd  ^\v&65|1 .e4~Q`0 B}ƣ|4ͭjnḨ}mH f|~ۉSH+X6GeEdn՟:A[TLEUԨ )b0lc_rKH,qJ߇m*t{gkX ΁=<{?XM䧝 oJDAyiii/eQuDsz%;F`#Q hfj= 䈍(&ѳ2}[qjxKVc$m5wzG| VEK5-p!`ǦKAgL GkVhlL *ui:Lm?8Yč8y"*DL,و;8Kb6 ZI&zG]"ls;݃1Sk`O_'0Wٙx33 y"טJ [:xW3/ krqsutߎĐ2K9d@V w>N""uz݃|-,-K7FUʴ[tn-lW^,9 28u$+ҕ^N65a=~>dSw֩,-쀤dm2Zn`"C=eb _?4&7د{?$#+O<.(lӓTgs_񼼴"|qE*16:F^(rS$.9P/HE(Okש,%=8 nÊIxs/ ;cT̹ vQf׈"4iH#ж)OD ʇegYk-3SôPwf>– 6}rZc'OOZAk;Z eR Ĝ0.ZJ1j. D؉XhGݮ%kWMS U\q< !7~A ;G@x{;hja(gBAPy$vIA97r[-'c`k6z;K{0~낅`Űr'0qu+bEDT/-[&1fBP?c}7#C8BѻM8yx_z SGݿF[f"{C80o- š IEc-Q<؋Xz 5 _ w âP)-[QOdy|W?310>~Qf Dn ư`!~17cck|G7Z'"*LH1F0DD%""ʛe#rqƟkJk_p4 "9:}>E]fwPwSsFoa8Ș1 "[i\.{cZBWH_$Y*Tk]~޾~%AmZl9A?䆤 ⠹6~3.v q +d(FVw7״`kwϹ5EaqGCg9\VUXQYܲc}LTJfd̘AVl>ȚU ~oԸ>bzϼ-P`>  b4Y3N]h`aZ{EK[sxD`nV9гަpP >@ffbM+/C)XhV=ȑZcrycQL,sp،1^Ӏ$V vD˧+UA錽!i8h7bK59VY,}Xs&ݴ'v)JƉ _j q S`7AĪ/o[$kPL`ⅺ8~(U 91M`p<0976;Y#SSapk7$(cܪ/?8D5Plog[~X۵u\GT֩Ou.3fxA]qnrcq"p~;*/fj{]wHihR_}et+6݉EL+WsOJ⥿D"P&z7v`HyO'管&/S; d&ce[ {JYR5y1Q}%m2`k V$ths~FVFQTM<܃Tqp[)ris666~3TU: U3t-?'_}zރI}1Um5=l)^ IƉ 啋WE s (/E}SWg lHהpS ]ī ^HIE`'T$G (7#tGk3nOKsU)Hڄ#P!v [`}Q]'c)@DDĩ匿[` )}62>|S"W@'^_#Y'1 "*&zS2\RA(@dQLa t2ǧX Oh@ &DDH) u75wj%_"z0 "C~qVX8U~m9 inDŽ7R4R Bè Urw ETy'x%2 r=+ ~ m1}(u_Vw7״`kj#/^@DAL:ՠu%QL|׎/ &}O:eg^@z)8WcXPqa\(cJM]-q8oV$P :;rڡUe&jyh[7(MY}6k4habysz 6Ǫ*1 )LWiXV}Ϻʛ 0@ @6zCj@:IU) P 3Xzߕh4J}= 8]M}OiTioUob7x=: FL[ίC8vz\WT~.kP0~q1r?/HE G1 "Cv9Z6[rwqe{1UZyrjs <ރ[V1D;P!?E-KW]KP5o(&2YA|1y\ڇBtJ(@xίZ;%yX- ƣu ʘR[M=oDd@DShܹC]?oEs:kўPEc>5?$~ޅm&FWX} WTp }Lλ(0uxJQ[[~{7TW|1 M͚ۢ*F}2j;ǫ6/kլ-"#NX]GC+y Eߏ1g#!RO_χnړP;մXH0 "C 1ӻ$<ÞEMJX2.'wHQ,`ksO-&ooè@C61Wd7Az[z7w>0vOV^ʾu$C2нf*{6"7?cZSGM>j1G>]~?:uDD `m[ZbZiGKZI5SIipyIn8hGvIAz/;_W3_[ʖ ]"*U+ՠPMHJuɲ2K@)@ܑN xX~gUhS ]ī_orR 7_r oj`uEnء@tjM0ڴ (1wG`"l_oϰe/_,* 0ٮ, Wm|݈"*dLDFV7y_u6/i&A4N 48;G0G4XEr4$`VŴs'UK&:,[s\@Z*fW-[ ̼W`1 L}-*A'<gj!t K \ Y"oVRLeOD +~~4pBd͑ /ף\џ&bzHFbl+GtBC o X)jT>{) {`w^ HV gglj>@86MU0;"jc&b[|]_nZe@Yd BA^);;6QR  'R "vyLd2G1k^=^#B˗ )I#RѢl<0ݢ?6N""g$N-grQdug_Ϛ8QιDDTqȈ0 "ʏ}C4%JKa{<_ϸ秢r"2M,27e_{b1y kOM]Qr~4a=:oK*v60-zr}w_ᄈ!8v\tOΏp,ݸU=bkϙ_q>8>[ipY+:;⏛S ,bkzO6Uh;Djt5ϿBUܫEDŎ _g*=>sz*akNMDB^0@`T4N5&cPSY-\NCSL[ 2$h>}?@Zhyg=&DdX]˶4*!FxDLpЩq,ʣL"2^ σBOϘG5@8J^+qˉЪcq4"cۀAm^ۼݺuDszU13a0J,G X6S U,쁈O'Gl$V7Eg8Gm1gĩg:FxVs\N)%, djP Mw=㖇J,FC Qc@DD~2]|!f#|ሬdw%6ֺ=3ؽtc}ߺ.xq532)+2[Z~$ްc'v$,Ɩ/z1nrm rȀ~*"*|DDD}in:Wc#$S^y#䀼*:@~xU=Ȓp"H/iׄ0AOYLe1toqo7qA~IF `WG"c"2SW^Rb=tI+KQ ],%s~/lSCoE"7A2BI$P*Z,/"4iH{G*88i?͸7m퇪f<;&Dd02,VАSôPzf>– 6}rƼ֘+H]Qص-[Caβvy(YS U\q< !/:"wŧ1*7w#Bx,!2vDD"eҾ|q[q>ŠF8 ,r6>Zp-TaG"m7$s#r86nS`i(p/fԈHMkWjlތP7 &mVիɀnT]Wu+ĔW)6ף9T㡞~ 7ut&tɛ~i`cOCS_ ttЭL^أN'b#WnZZG+4)1;qY?}QDmW5OA~[ihi޵jqcKvDD&&Ddg ]}ٞΕ|ԐȁszQLՙ4D*&t~o5uu5~ؙ/V]ҼۦL$lfKcPo&d?|y|%`>n{nYًJ>=;!ѻS6Ϝw|}kELoWj71ƬkUƟ8uD}".[3~LcVfo>Y-?uܹsΝ>g1'^/ǣ Ko[w.yϺfm#CMADD(&+!{ RDL.]sLk6 ;&@uY2A]'.: ?5l̗WezevvTJGSygY eZwn4|s.l!5Iwl GH\5z7qSV&5j&}bev頣uf'Sh~Y3L;k5rq{`VkCEe hӮC+ xyW VrO$"z0 "C >__շ^BkFɊ3LqP ֘|}4]up0jK^o_]W8YG+;ĴTĹ1 c :5B޲4̰Qh5S^*`Iԅ5c ѻ/ ""MfJbSW>dk"'"zG0 "2zsƸzէ^_Y!o4?,cDD`@Dd^#d`/"""""2"L""7A]yi:,qO,٭̣SQeR &Dd2.տըͱP*M,&x`+v1JN]~  "FpF/p%SO>݄W&DdT}۵kO\<~Ö\T\g~řho[aÕg]Ռz*h? N-p8~"$=;c\hVd':)8[#+Tω"2R~$ףP ;^sj"fӗXA< p7@rjr:B`I8!AB 7ඎ)x6h8 H0 " Tjϟ+W(4; #O[bP]h< 㴻`0 B}ƣ|4ͭb5~hp3@1l\N @ZDz< / ̈́("s;쵯@<(y^Ê]pXMNDT"2 !iw-$CjuՇXY uDsz%;F`#Q hfj= 䈍(y:ѳ2}[qjxKVc$7wQxB`4W&O3E܈\:&Ddu,bHŢN_l@Bc#V@Qhܪ;݃1Sk`O_'0肧~33 y#Jr";x]$]ķ#1d1 |j)!J=DDAoΫw.ތ H8.#@r+/vWE}xYNmh^N65?~>dSwV.SLlDuvuS4s""23{W3 RLҊ1ǥkRTC=K> a{M)w 80 ȭ%(B4=rmT]5S v.NDTA$옿.J қ;\踺s4Ex=L;UXgfa#lP mCi7!15&q2+ek(LОdoS U\q< !7~Ap Anlm?߀涴-l[q>̌F8 ,r6>Zpkx?*Dn8I (0Fncqllaݦ o*1fBP?c=ؼ¡؟o@DdU@Q;udkei&D$N&2E-c/c1T0DD/GER E#?QQ5DD`a C1hDDT8@DDDDdD&DDDDDF a@D%Ky}֫l)h87Ӫⶌjdm>bS,CDD/LDiFo]=z.|ѵ}Eƈm6DTw wʥ'G X̐y #""#SϞfY=K A5lo>,22DDDy {;6# #CDDW>'""t,W x"2Bi{; IDATxgxՀߙ&V]\dɽw\cz  _@B @Bz5b`lظUVj{XYdYL`^?Ȼ3;̹{m#?r jLLLLLLLLLLL~8ɀa &&&&&&&&&&&F\U4y۸iPE111]M;v/?B5M v UKfpvV5Kۣ1ǝ*`XLr0`ijat?dSGQܟnPl@~ M:m PQ5KO\<I@Lf¼9LvПFOruQ#Y1x cҍȾ[EQ9Gu`ojd ~a9ۦ@+Jzރx;@unf7n^?o]oM'?[ܭ45D0C*aw>Ñu=45v{cTsP@7ߠ.7!3k[;PXu:hN./+"=n$;#ߒ"X)%~;j%w%G^ ͎?-B== Ru .D-V7%_jz1:A?u="sփWSM<~Y zwQˁd?=T/bp)NB P}-6_UILLyYUL."{-oO+ 8DL?_xz1}(jlZ ~E|So,Z'H;2дG!k<{|}/1z5n}܉*Jm$%%@ffz5 @0"+hj!ə9x8p+E' 2HY٣OvàݱlDp/^,LZ0LϷ*C j%+άhiiE>˾gq:n}h.1 ׇ躎(v (׻[֘5b:峇Ba"Q]EIl$&8VNy2`0D4*:BbĦ bLnM/{"+mǗhk>**nŃϲu{*!ARZ#0 0HA٬XwkHv% ^$ԔMAA4`˺g h n') Ĝ`0i6aZHLL|tgYY=֝qg>=3z,2e\,&=t7mQu?.+ "J"iʯiPEQm] ٵM zaW@0ߺ~O/x+4f)i%bKa$;DQ@?к{gG*¶eliȏC8_0mFD]a#cRPjcѓEQͷlXQo9K}jW"b.?=,XOSr~K~rd3DkygY$  ;9k N/@Mh.`a/࿿PyrGe+\÷y~d^ TTgtZVİ8:,Y>˽sЀ dz560pB岫m([p)7WoW A{#'M#eCװy-Qrmd`q9w_-L_kH5hG/Kv4=y6 !|#o?+U,}]@]%avSm:yؔVV.>G17ݶfM? Tnx@n "ont HL=WHi.a_cIu?xor1&ӎc ^Y?˺=g18= au)BY#1Mw1`N>C\ uEK/|W{ew;}rGugTOF*)畻擦3tau {4~ҞO/jUzS~|?`C+ /o=/ ]> *^Cx}nϹWua!]Ts@hP}8C?z:E2j , tWEѣңu_{?rTqq\@.:ӗE/K'z:zXC„n嶣x_Ÿ/;.)&頄O].$Ap2뗿A/ԁsdС*=j>c^J16 ;,} XO:۱Q;4 гG3e!ch/wVMPFeߍVoKK~dziT'I}"W_5V1#$j?+#,tFlhwd<`W2>FPbz7ퟵ%R+,<9O }@$<}G}ⲃl?O48&/K_F1Oɸ){ꨫƒ٥BUԜvGM@E;f6X]g™Yg[S̏4Z䛝)ǓbP}3;eD*?~@-|__ɖ̗3_ U[YQAtM ?!N? h3[Ջ597DQ6Yb+;٧pryV]ERn^PMӆPMUQHb=,\8e(`tpvv ellLg'P\mApf `A+,`sfOs:EQ.AuݽdT0*߸ٳpГ^e۔ÒK~6$$Temmsõ;Yڂ.Y9u7RdK Cg13q|Uoet[;8Y|6}7I6!:EBMCU媅뺯{ζDЛ#dsҩZR9R0$Qu?Յ.+=T]?X:˜6f iZ1Uz>Gb.:j QǨ%h8{k{CzS<^^ e[OOevg#ʲɡwk@W ѤXj(^$[Ƅy9i/"E'bET½/oGڦ`i$d27En a_ç?ͫ[fqܜvaicгl%|[jc70{pv.хG2i6eSٴa9p>y'9; UoΝiؕjZ8ܬqᳰ|aL ysSSb Ho7עvo=[aܛt'`͚h},3Q5o旋a엟ʏ3էzuOGt/Q>Diw~ty TVzh(%pXFXߧ"g.]Ge;W_|VymD/?}okn}_DG/?e&ez$Dծk-z*J?r/K׉z='6SS]I.-!7}AZX.hf:`06~D{ҙ(zذn0aSS|M'i/5Hq{ͤh4s3s挷i뜒}2t*ϗh39_3@M_9I}+}~QP9f#^ibۏEILGxv ތzL,hd2+W=`r+zҝ(ɾ^dۘ9I\)qi]xҗGS5$`Mkh(Jt6ۓB?S5Q0n, {[]7P'ϪQW MIc%tjU =tGo^/?ʇk."2aH;P0,D{zJyhmLNgln6i҉дѩCK Lc&saCٵf gOTҙ<%?,+DQp=B0Cw;Fe 0 BHnILFAsWIЧ(b׭d,XȂ4 ,˄Z}Nx6z$i dmkYDKBћwKG;S^Â4@,h@0DknJgvRNbgq<5_$*ؔ|-;,Bm{?w}?aoz.}7qR-bO`Ќ^:,{ϹwYV،lKgXb-ku bJ.xPee-u yj?F~|m Cاi76r39J> krp"6,0T'KO]ڣlM(=KK杻$Sy'+hݤ7 ,'kN U%jN:(ͦW>pŨmowYӍ+kwXiSujjf7oV~OĸSo>| Wq1#5%n\fx:LYXbXm5.)*y=k8Blx鿧7uGol'덉$Bữb\}3֕5\ ˠ%[PЏuae3?XŚ>N?,}eM!ʶ/,N:>Ne[zCzpy؛*Rѯs6bDcCA $÷K2r)?zQ]m$@Uuc\2a!~aղ׸Ώ1 'w"*kwqvt{.d;[~%TW(w4XF0~|ٴﴙp:iϷsVEÁS3ZZΪ]@+_y M^{g4.9yz"!Zƽ&S(b%e.ĺ=fٍE's9E00{LkyctܛbȻBײu掮X4:COt/Vo[9"T(႓~mѼ5zqﱭy; 9.ZϨ&>\rյޡdyWq~`6>~e2c:s\&o'e>-m?9_r|IQQ5)+mN˲y,'k8*IDX]!kߵλOa7Uoꎞl')?x?Stɜp8*=Q RŬd,bKxοHnc6]ְ8JT-vg;?cm ?wmQo*U@oP龬jwDzc#&_GMLz0  VI4`)rM]ۻ't]M+Dr.=r߼'6 ̾&{*8{{C'rmt//,/41^Y19PL11[ f=D&[m;swȭ_΋u?E$1+/G ydS[WbeuҥTW0lDbDv[Ӱ } ؏8!.j.U(ސ @Jt;Ǥ2ot IvKjbbbb2"BUUYZƍ,0bRRRki<|@gƧĢM8F4 ]眍f뿧(_5s:иndq̀b:?B2OPUVF4nB~q+IÆ Ymk&qdxe`/{1ؒb_Q^^ߵ#$XYL~ǑK`̩4m،uϺܲu+nw+#GDb6aeee\IL6 C||bs8Ǎ6d0R м~:B;K \x!s`$k;a|X uԽǽdk!w742*+IrX@TGYg rK>51111?z\FZ@qq1f"'' CY0ޭi7 IDATRRReAp8C=uWWcGalU[-]JIcdNw͇n U{D9x#1e;/݃*k_cV1qv IRH:LмGQ7nxQZJbGC!цBDkŎDݵȮ"+6!1nc]&baPdLwG^Mm-M9Z^/^jFJUUujKudBgDtԪ"!Z jU<{&~uP_4 z$Hs6<uaM:蟜OZ^ ތ XE/m2?ggJn&&R^fC ~LΚ2?{+́LLLLLD#{tp8$'' |h]* l6Ng N0Fex?a<}6o޼k7lOcF?_ =4͙EVV&sW_a=ahF̙UtEA m7-ב283nG6#(Z$TCƄ8T%i|2O'MJ,ϴ`+fL!mXg܃1ᑯ}&hMŐU EUǁljjb8\.>oϛKQQNQGEKK ד8z ֡46e@E (z Q oX## qTݼ]M4]+_di!uM}}=Lt,=2T>v%ٳ;H&,Dtlg, #U#&4p+ZkJ3)`q"X8u!B$mC- "I`)G z|Z6f&REWTĶMWutECm&}d*r ZA,UCUڦOrXt)J~~>_X+V0rH, ~?ݎ(ƪkߥߥvʤԿ)#G.)AFZCb]RJA FQQB6]"QBŤKdrC%oaZ!Xx9܂=;/imPC~;?^! @kcر {~"/c›58?imUMCѴ(d]=ﮩ壍۸DF?f7e"j411119Hv=]PQY˕ iSO嘩4`Q5 &1kXJkY0DSp:h˜1c,ysٰa55^Z#6- e/ټe SN& vۯ4z9>> ic+U :~MI+w8ъ-IU"u0p45$d#%9Q''!Y4YMQg==DPUtMEkG& H?^ !5AQA0Q K 1R͋wm#mL•;,(* F$kD ݂%1t 5L˺oI{rI3-]֝duE;f .wl';;t Bnn.iii(¶mۘ2e2)$$$Py3vcƌaӦM5f*+w>G)+LDmߍl'et+V`QUƔ f?GO5=LT6RI<3z4Dcב3w*\[5k l i֙}n:Py$AKAԼ&ha˷Ա%әH'(:5u xQ ;E#)($EF$MFCOk@ڦ`1tPf8c_W O˫+dw NeٸGۃx=^|>/'M`ҤXv^SuZqJ`Fm *:\b$!(@ wˣV$ԊaON TNBLGp1/?P] EؓDK:n1 Bߒ2z4ѪmDC UKWmJ5D}AD !wݳMoJlCo˳AgxpV:A@Yz5C P8-[Xdfd43#e}-[ì^-O>LBnhBW5tEGS4x ݂=-9~,]iǿbOKGzhy 4%]Րpi)0y^RqoC'ҺÙO鿌_Z}$_"e \^-%!N3җTLLA5T]Gu4=f63o\[|Zp#&&&&&- @t]':uuu:NaΈsy(Z"*D(*i.]'q0 ICC$!2Ybȸ1ciuZ{^5/3OwAk؁MBd;K1m۝ [7<{"C3ȿ4m_VXՐ8jJ\d]$;y<Aı31tCQ0(Ղ\[ +H.Ubj8o_7%%BLΆXahF~lȐo nf̘#dÆ Ȳ,lܸ9s`۱L6ٳg3w\FEii)5s2{lMn[RnGzWTR}Mni{1qTr#Q<^|[WK+'ep%[%;Z7 BG 0;5j[,6兤Ch.?/-z7 6+1tT]AVvݩ,:HN7&6rǮ;dV[&wn[H$j%Ǒeܠ`&4=EP0t|GrO{=EJUUv;8 DEL4 LJi|>|>_}^?'LફE;( oDO0lLLY޳Mܱ9B v-/B`Ul!0t k@C0T! rKCZ]Cni?|EwRK;rC r=FcA#5_lnm-wynbvA71W JJJ ˖->j7LZZZHii)D"";wQ g9B" EPTex=Vl)RR=J~{=24Em^WtPo y+wGCQz}1!)n,bB==C0ZQB4}RB e}݇04.:q* &a) 8:]iaYA M>N#-xVUUs .%Yi GMAೂ"fp옋]Q}1\~Q+Xt (Qͺ5i$"qK6Pb%[I̟K5H]OKx1ɽz1cMD}l[s- ƨ۟K#TފdQFƜk H"z$Bh3ތ[~8o]HˆɌ_3֔LQ%¸?ڌ55(Nh׍UCS rq,oTA'6S/%?Wr, BuTU B7JEE999ΠA,j D!v5 ZAF5AҢ vA0h~ {)5=pA3uT=&wC1 9!uDc;\iIbS>\Oǫ7@AU0}} dEE͗|v$ #;;}. N *dՎ Rc9u5AF B\ݍ(<ȣl6F$IF=t]GEJZz {I' m?\NrgGRHN9B-fףw]Zlj<%z^M`4gcDMkIuW5Xd! @c׏ IҲĘw:8-#_hͤ,ΟEsy췠r[~(fPvd2|~nvoŊ{$%%T D"a6mDjjj$y=Xѷm_%WQmCCUBAQ=T{j*O3(hڶDCG$ai[@2N BףV_BaNl~S%Yo:amk;ڊ# CS% 6|(Es{ւĦkCRT21111ߦ$ !rlp8ڃ C78{ $ZHq0tNtv;iiib!0eY:R[[۾fe#RUL"~"A7#{HLM!9?x~{/%{$ CJqK4QVڝ Ҵ "!*F7{QVh*DeDAe؄t"[b WC֍UB޵!Ȱ-@'э HC'gఁ܂M`@t 'ԩSD"8N`Μ̙= q:D"N '@cc+cR[  (Y,xI(Vu E_܌##}~c~qɠ/F<wQ5t g${ʿn@:#AwrINXɴ5 F_-,^I4104ƲƶF >T]o%^Yߝl&&&&&$ IRh,N'999ddd+)KzKzWR2)))dee1tP ca bNX7w}x P8Ծ<*GrgY%5-Yx}ƃ ʛXCB&8(0dtZođdC7Y}A9~.; ňVF"mA!"f1н~$we+IS߇*@kӍg., N"Āg-MO]4<>D f^1aX_fai'}1h̹NPZ]~%"B%e]y5JGz:v۞QEÐ,*CN;1^*A WJ|1< |uoP?P+ב14Ct8 6@\ʟ4sa+H55y5AntwAf|&&&&& @, ;v@UUt]' R__{"33$990pTWW1 UUt,t ! JScH}9** $:Q瞸^v70ފf.Mgҏ?!77]IHHIWEh4 r}{ M7B$!9E 谥(h-7߄j?<$X{ "p8ӃI_$#?ɂ n+`zx >Ϟ#c~O{7z8HAr3&-Wb:joF]-k"GܝxT.a $$Pe%3?w=)fL m=Ӎ9!ny:t(D"DQ$%%!CP__ϩλ̚5 ͆aB!ZZZtZ~=.<^FS%t1B>` #`+*Yg/.`//컒f9U^O|$* V*{Wp ؞HuwQ?3R   4D`^ț_ݧ 0Ft$D;op<+VpnAd$r".w:YR2o]@gQ1*b5Xr+RH H;R(-&۝ IeH+bfۚj n| 58H![-+Ők܌^Į]4i#F &k.#lP"55݌O3Lx~E>if|6ʰ I uƥXl6$S8Hz-i;W1d?&Kp-U;0KD E^@]>Z?@1KuI3mTSA9l93ϏL9o}HII!11Gs%.iHkDlY|>m̑MPUo!C ,ytd[TSN93ft: {lZؾiNd}m5znd" >_dвLJ~uNd$IäP˸p}Hgɉ2! ? b]BTW=r;ݍH[H&hoɭ1Sɻo\|:t(͕kri/XzJ @uNglyz^j Lng^#bV MGbH`RZNz!3091t w^id#`ղjJ˶ۑ%'dT fe?q QhUU)auav%֚ZåȫMDy6+ԢxsLK% }SSk-rsDA'^NUUjk8]9m^| Pdvټ$I8*~¡0{ӏ<°7΀[e?n`벹DZ C([Uy4wde+#F1Q &L{ؐ0زn҂RGG'I1 Bqjg÷7?y*򥠩`;fYF0 o6zwCQTUm`nXt*)'|ʊ+"墸8˗x@HLLD ):Sau<Δw/۪H-%"Lz `T-ɄuĔބX,{WH̀gէcQEru8-p.z[))vv7v]Z/Y+gp3Qٕ $EhZT$uAzt޾\p!;wbpG0fp\8M̃ `@ FC9MA'U7!33`0ئ Bm6IJ?si2v̘*,ᄒ4(ص`1 n3fe]=I3ɿir7oq:M2? GEú=,@:0tBKsU\n{Z}k,ی$u&6~v,nɇ}zV[˷oUE"FAme0nغ}ԆdsIðn:kj9r$$BNNwdRHLLDQ#^Tĉw0 V\KRRP? s0670dc&UV+A(aC!%4ZA&cs'&4wmzuU-V'Le¥,7farwoE]<]?.|"0.^e1)Q b:p82M:[CSsIt9x o];Yxq8s]1SoūOoKLfffͫ+/n;_?AٗyΥ]a=y?U0 R>˯S{`@'ﲮm# hYSew4]>deeQUUECC,@NN;v`WCvDXz 3;G~6Pb6=w̪gMtEX $y]tZ:?oe(UBHp7#Fd$x )o" bq5i3M8rKu`YY5kپ};%%IJDjzMȍIι=K/AV@AAAEjAAۈ   FT@AAA6"  BAAA  mDDAAn#*   tS75Ul-ۂA Qr#9%"  HMu֮fѤ#ˢqDfSUU˖2` +4W@ʶlb`XA$ˤex(֯]#*  CrJ*!Л.`  DEEDzEŘ-AAz6ÈAAAiOBB^   Bta`W"K:?jih^ϟ7&p>߱kYBVr:R1d730{F&R7 $  &}%ߔŨ\$ YPQCWd%lY_0_oV㜫oeX"F-uXwG\m*DO9%Na##G-gŠ~MF݋?d*B4o~s4W[>HG^UAAv#us޴I[Ξ62Z?:CK: R'^ŌqmcbϣkӊGjx_/UQcf̝KqӬ1*zt6v}ޑƸO岂4vaODŽ_{/}wL.;%c3]߿/ƺ-᛼bvd5"r  m+ 1'W_-0l߶̄Mn]U_?̵_TQ0<^]`;߬`KNbxN=Ёd-w ^/KR'; ' On7ХF5 ^.Bye!E{[莄Ϩek)]OؔKSуC:;߿PtsroT;n匁ۑjg[1(jM0Kxpjvj#g"s4;6=,u{dcWMp\?^K'! B/fjd&hƳ ~"͹|_3Wxf™,Ud˼d={Fك~^I^% %=-ӭ {ClM^>BřCيR5cf][q 0^EٕqdN͋Fv3dLgGI}}/5BpBvX[W7oP[jÂJ0aq\wt!3mˊҪ硦V7dWo{m<6CBRXxړ!av%+O#'UyJEF?AAMT@$*՞<q, 8G]?у2ioE*Ũ8m{@•?%Q!I閯YIB>iDZ~Wk1e-m;DyrrOef#EC2o?XČw~!Gi.bTq$|ţrn}a,v $9#=|`shm*|0/_‹kp@tG6P CQy}Je(G 5Cz} D)JeǗOΦz\RZⳣnVTP,Y^G$"KYRQp#" Bo vZ!CIr[YyO~3GV̦$J7o'ՆI {t) x:*cpobK02ZZL I᭥١X@Y+7Sˀv^4;BirH,> -{m n/‹LsJ8㺋92]8ܳ;hOmsw3[Y(G1HEL=˪E, ̱  ~JO{6\ݦy7103ι߁bŦL~mutD ~_R2^q3'H$cKv!Qu@tI ]8xpY*\q(lftӃq('gǪfVThYO 4PWGmDeǜs׋w-\4&kf܌\,OK ؤmM4 {l8(s4f/7U#D7.cA~ݵA ѹ@d\:}n~eh ^'R]-7ٵƚOfgfwfm v/ oTCk%Pl,WrFf.&.Xk)|5,=e ! /c@ړe99^SƯ> CbJt[53 Y\LrcƴxH>#a Tӗ`]$ *Vh>s ''mgrX?`l$ʇT-2'18ʿ{G3mGL:8w89B&z6ϘNɀTlueV!g2%-o&13d6FBGhv{1&%p/cr{mc@AAMہ0 4M!e24ǂY ^-"'@ ((,RSt-\~oJ!2pKzL=/{_nK6aќ|o8iP%C {*88rfYv4t!~gPJUwPڏfrAA$IZ!ޗmi+89'Zaȩ~6A#  T_WkfӏI(l2 *if3i9iI.U[4-A(djL&Lҍ;ooG;-bXtԞ  ~iaD$38vvU;X5H?)~a4MCӴ ^>AAWgc@f3",c2ubsOlGƮW =Aݨ{|eq-w{o\10Þ>NAAAZ.XGw` hn0 %I4:]*w4ӏTAX>tGqZm|  BԷe%Ij(.z:>tG$ BAA_6a VAD  mڌ H{}޲ ` 2qol@AAq '1)6N p`qROAA OC=UYUJa͕ A7AA8ؘLfRRhlټQ "  B0[,$$&z?AAA$I^T@AAA6"  Bj-]AAzH~. bo֢|^2pAAy6~{]VA؛X%4 m߾c  Z}|-r=Wܨ׺ AAA  m$t#wp&Rst4,u4LGr$~"0NBy忤HG2Gz݋tLAa(szL$LP}s-ncْO Fckb| k}{g'͟G-5?_n,+7P^x7S=%vq1RuCeO 3o}2P.vLPFZ F0O8qRsa :z|o-~p:ъr]6efObCQ\/דE跞g{g/μYv5Z>W ۄ9$mөczO?$ /xOoZ:E/?tL7s)IO$P2Yg~  ݻ^MJ䘛g11Ǹ t8U@BX__2W]L![aij\ϗbPgb,ۑЇ6`23ѿݝNrh_(~酄 I).4 H衂EOş$;ѲH<:}Űζw _|zQgA}c9Eiнϥ)ȒweZnwq$W}/IuO w!—vpOB1G 0͞G{ukiu"q@g[eC#'ShFkMKӽhWc^AR, 3 Q1Ky忤gw' u'mXXARh%CP1}6`}D!|ۣ xϬR8DF|i)m^; zPOlߌR,˫P*CrN({y1}o}§#?xu`rèPJ/Fn}i''Y 7O3?]bʢvyQhEqO²6'!C^UL8EjNEXyQ0 ǃ =pX+51hQ45$-%gP{veo;55Gˌ< q~τr&qHS#}+~POqǤ3i){.~Z{2&7ֹp ˘\] H6]LNc~{XP1?5ep<LBS|U| ԗmPE$^RT3`¹t CYDC#%Ʉ: ͷ$޿ }' -[r$'x6|˧a{z!UJ\99Hbn*SUO IDATlºH'|(+ZA L^$K4|s hHjy:\oWL&Էʇ@#g9?t5>.@OUI'%4ܗQSIIёHIgC06zdͺ Eo(Pr.1q}bcY srZ;G+$<ʍV|B;}6ǝ&EgڕNUv bzy]rda sCÂW pu:OB]=_X6 ͍~DCɉ\wgUpuڮ26qENs4l7ƛ<lQ!(,461Pf/D#9(|cق2ׅЕS2QC;W@t˄]W̦ݘN0r* #ٰ9hN dT:]h2|0X]6'L"\99Љ1Vqz"t/7ף䏤憢Ht7Ir@Be 9h^:ܿ?4nf|?f cZ PRk6b4@L}]lEpb_݃ nX$FC$iھ7 d`'s: l?'< (saVLmNJc@%Uu]^Dk} ;q!]H ڔIu@N5j cDa,obJ,Bv,)ľd L@0Rws1!0&r7ɯ;NhCдlwM9&4޻"G3K-?SiAh`̣mPfu4S "%%w +LR.`Qܷ՗_Z|{*?NgyM<,= oBsowÍGݣ[I?ͦ( %1C[ =` =KZ #audV>,i@n H hw韊f;ǀvO!Cj=19pӪ0Fgxi!\akNFkFmzTɄ99C˾05Fϒ6ҮY򛽉6|Z5ڨǶ#sB#ZCE8MǴ՝!oA6g%+M"W1 ![i]e?}R4X§j:b,nt UO_:LkCE*cF50nh^μ61,Uw"ut'gbTO>~@BJ6^j [Z5"GsK#ŁaxQ*{_JvSo7PGX)N7l[J:Qm>W)5Zm +bD,0k+hZ-K~~gN<y8/إzH%>]T c'^I}IhW123̡p=+`a QQwYZɣ# =aha%ZݭN$b_G:n^:=ioC5|D:&P?.*!mYAm!tmRg$XAtX,Hf 'HpKȉffxx-ʁ*a ~;gZR^i4[Vч&]g4X'YІfD 2% |8S]xن(A?2Cޖ3HH>joV+Oe9/v9-Q;Й|w &amބu-|1\/ ]3 y/?8?^N Ԗ,v\dO\.G;6si& ?؝'6{# S\NC/8"&o@ /D* R G+Lu00p<8K:po[bdө?-iمcr]bOm ۙI콭Q:h8UhjHci:(JSzb95;6d&P܉ӑFˊ2$*&ԢTewvtg|iL[P{ߙEW`5e/If H r(rܚkom:^:b!YM}#ᄾڄV|޹F􅐱b8{oq@sF>.#,G104ubxB:'GɁhӹPrCm:>i(-GEF=z Z;"Z`AZ ei6Lݲ\ssyH7XuU1. XA4M<܃$'Ͱ$q8&NpBC)TmN]GFhi׶ayBAaNҟe)ky/C9ZɲbYRIsvPXjRfU%604x{w ".- 4`^WIudB@рr#HH&xx&Zvcc$.y$5ы2Ѥ%؟^~lbA+HB7ѨW/"F?Q]:?n#X{$d32+poWR{}J/V`;P9 q} " JtO13zC!|8n] N@i)ΏHRs|Ez.ǔ6'6090L42Z !i}PA̾hY-'|8/(tzàQ~j> )[Ixc LHZ"{23liCQ.ui5۱?ip 1Ma&t/uii-tbf.H1''YH|k>JЕS,ut^p+d_};2ĮE-KO8`r *`BF\V}t̏K'vIT_ѯ kBtNO{,o8 w$S6f4?XLݣ}J' ul.X+=I(zn! H#ཨ?=mfy}5G|{dC5upܹ͘wwGSD>C^x;3Kޘ㤙kKlXG^4v o\B}~6`DžIrMK+)u?'}OI tdmk`&>~2 -~~l98fYyZ ư1ݫzf ,uX</Q4; \O,}yȕ8wZiW*Џ@X\0ZJLj>Y5W` 4cЊ(UVG$/Ռg"^xcǜIB_C['`E2\Qb!KHpr)NN݅}p&/xoL {z/ƸCh8%C$7;0?@F qW5 >82w2/)4dלC5=9w6z:^I~]\pm\_iWAAn#*   tQAAo r;Cmz5,u4l'ƗpRIp:Њr \2_'|c :JWzl$uYK{:?֮9{eGl+%Xn8y}|KkP AΦ(} O8?؅I.x%Z t+!^tL7SJLZQũ$U(K h_1j0V|)Ex&vrV7 r  cl|Oui K8 ݇#I~'l-^*a0 z:r/ٍ_8(UOc^/eԙCPX}p&&$AzT@ʰ~"|y.eW }p-4{!-a։xNI<{Dm{ _ڰS˱TZJ ];`.\~}w}3J,B ˍ:ńS5_D򥥨OxB_D+CixhRL0)\GbYT(0P^/)/%930rr_?߈g gt‰T_ާsÏ/o]L%1E* *AQwrM=$PcgW'|R_ O 9})]ŕhVaYx*&"Ş?u?^yIK't$yO^Kq u/pMX鄯s#7Ϙ@e+p>]d)yaj6g}\|wq,#;S5]ʼnj17420jʱ?#7>:c5oY2~<~۰Ha~C >kЃ ŲQ'W-D:&_F/l|?|OkB׫M%Դ8Nv^/e'Qnb#eu%-|hx$`~ >[p<[4:qwJ[>/k\̶?`@PΙфN.J+021}[Khim&)h31A(5nZЮmhSAE1 m`V k_TI]@IanٌaK ./!_񝑃r,jXЌAhx“̀2gf%4wlmoo@MuP`t:AvLne6 !يF;TcySbudvxHe%%#h`>t֦ݘN0WyZ/K~۾绵hLi$ncHQG:ȗK ?o&tO#t}s:=uz)'cx*1m3 M8k [%Si3#7#;WH}=_spmV`)~ B ~I8TZHE}нP_y$ eu%닚[͇I5R}iϐvJ-\Q eS}ڑ,N ՅXۇ՜גL$;NT ~U`ZH0֛ƟVi6*+RǦ<]bNWf!~-QML)蟊f;217yy9&=vanG+h%V>FjE8MǴe3}w:=uzi80 /JAsVAاtRuP}QO'wh3 MHBCm$p`t-ё?OnO4`%l[ymɽePmȫ0ES4|D:&P?.*!mYAm.=i/g _/d+z =* 6 /vz8ڭ$q\ @L}9LR9@:l/g񧅐`$/#  Nx0H>0ܖqoA4V<C|e{V w|KqQ7>$NrǣI42xłѺdp:t漶/NJ KE@MT@AP0u`'y _הI9ҖdtŊѦN=/xg3K:`pVbVvs89`^U#`Xb{ erq16|I=_ѱWL iG=N8dUBЅ-!mN (ك w"FR@m}@ԅ:A2c8?{w'Euuz٘f}vPP}%fnYDܛğ1ɍׯKbDc4*F@ ʎl,>U=qЙiÇtSU=|S߮AH$qO~ 5D7z` ` BIޏ.ud&d6iԯKc /8~%"Y @:@p߷Pe0PFr|:l߁{ˉ]t z Pjh,"1r/l-!9!J Gybwg1|?=:Ѻfҟֵd:{R+q^-yİ/ٚ$HWWU-"],|``-xa[rr:8?3WwgNLc 7\%ig.;hZ놫G,:{?koץR-I>j]^dq67`B}AJ/c>0 IDATI9jI' sƵ/Mdc$᤿=6|N1g.gpBp>ЀhpHU-4NtHN#2mΘJGॹĞkv'1_+ ݼp. Ǔz~|Dy{ԱGu?, rJ3nͻ,@xO/&n<~N> bbϖSZ!fB򟭇v ^SۀdfLpc1X1xCKϯ!\%ͣ#X7'b]*$yHү,&4^Pݵ`MyuGgY)z!q\^ym&v)w+>#h<%E}ď.&紳h;{_u~dtyI·4t^?-!P6vG]^\%1KD$;ӂ Dʳˏs׮c \Nh:cO2ۢD~ȍ^Ť@s՞Fћ wbLb찾$K7_MwO9^b&a4}oџ/)t~b,]G^ƒɿaD Ht o9 Cյ4'RCh.kWj^o7>uSR Jkkl7ys(gyy5 Yi\1ȭϐAt}쨉{.p>GPm|lߏγ}{ˈqή$|ϛ lj'ehQο:{?}]$6#| 6 ]^BhA>bjk,_>CV,{>}DV%,OSB8-n\z|s9FqF/Cyz\/g ٝG;K2|_ "އ}4752L9 kJOM ZK䅆..HfK5ݴ >DDͯ'سߧd\^t^%MM"oc#:1%|~Gg.""]W׈=h+%"dYAӸlQ~=9DR.yww,e#G1pRVʩ'ŇnPNo}q_N=ʩǽG*mh əOFRW[q2cq^dC8ܽP \?)*׎}yMxVwy?V`j;,.2)ƀ[ \ǔ no: PeZ^{dfpK3Cld5~!@~_ D8K9Jǘ1z}y&ٝ]a0:y{)e8WcV 9k[-B`0SYƼS8~?59F^< =Иyd0 Kh@uK`T8 Ce>`=ٓc!hI!co ppn!-/(#Y3}C QƐ_60iAW4 @AK4Ъ8"yZ"orΥ'ѧ,[3z^[ex["MG^5_FVüm @R_ګdMڏ1ά_D$'8L%p NQ:zZx e`Sr3G!zO e8Oث3} zAwx=|=3` W?bK0..>-r11U? s8"[A^X Fq.8 gV}elt! m,j 18wlI}KV'B稉+s!{_{PՍC'O } @,9qUa9 IyiVC""K}r.z9"<\?6U/??מa]ֿd/ξ4l;vl]6_`qx2 L-0Hr?{&~X="Hvz@ZfzVc Z(l5G>u*Ĥ6cW@b/c羇8R9yF6殝G:0 pRX')NZ۱Qfqfò@{p7*{.)rT g_rYG9i!'#P9|@CK$"҆ z@BꏈWÂaՖzSַx^]u]ۏAY}G ``H:o-4S4h&a86T1`90~LUaMxhi1>0;tp4  MA)Br_ i~©݁F7 S?l3#-O= @>'&P9)$Sx)&pۏia4["P$K_{__L8_"r^7/R97/;?⸂L=F}jۍi   ޸?)6srl>P:`5Z?`/|kf`{r-tZΞǁЮ*fs@ *JR{!nwznvܟAAȥr$Wz ?2-""rHW7St\7m'HU[K䇇 ~-{O2| w<֜HI&";m#qll?&ӣ*V H}pRy<>3SsG lmת56`02EE<)$[cn1G?5l-eQ X+ܥ1wezO6y4X] 6>pݳw=Ҳ)m=hK= &ailSvG> KS݇sC@ܒuS_ækY76ɔ!3Ŋ˨W$N|9y=/gt2q\lŭ`@+SyJ5sJld'G;{ǖy/b/e$p c~8},iz0)gp?[ gG)s& em0 w,=Ns0lz]9}\ ݂Ws8fn ՙ`up.y`,gRʜCAzgw0og?]0gnۻfx )'b([8uڞix!>{ǃ76rP6%WϚl{̯(ۦ+Щ xCX6}D)WpsSv^>Ω.D(k/JNWF>U;w,d1Q@D.injdr @Vs@DDDDDD>ə,dۈݟmMJDDDDnw"ux,əOFRW[q2cq^dC8lt8k'%?|O<˼ƀ[ \ǔ >ί(/Yk~=uw۞&/R5w5]r|w!""""hvF0/̉ v~*Ǟ 4x?L^D]wzgf>Mp]?%X`ΣQ!{_{Pյ` ~|h^7o3X>2s豯㪌ä1r(@.ӬZkEDDD`V؂+J0[ `O< 1KX'ΦԲsN޸'ܵup<ȅ SNeMqࠤC== ,gdYv7*}q - fvvFc–x)(rX轗\ΞGCЫNvHLi_t_io?d:|/EDDD䐒Qbm0,)&PJ al ^+ I.OgnNagc_\*@r`9b kFae-vFl <ؒ0&ӣ*V ;fff0rw@v1٘i/*nwIgc_|Sm;46)Vԣa{ ˹! nI:੯aӌ[c~Yji͸E1\ىN^)DZe` gr>K@Y59 ܇˜Nn1 mLg*V;řQm\6 BtL`+;ٲytmYb&: H0saoȤ}34îrqV$yOƴ R;}kiu-6С)8nHR:!0u=# P4!%!=6Ͳ2 ֤!!'lf!Vz3Ko[JQDP&""" {&]0*poR%x$Y4cډ=g}޸ y*,j} JE#qǬpY?i`qQfZs`YQfWL+isEv['p"%S홆7xꜚa\^Wrty9U!>]uqIs7OW ~: /Źi/ / pTI.L]m~g77ЊeoSѧ/Hp577=k:B"ѳtDD iw,Yc:|6H{]7f3怈|8 """""3Y2"""""n /"""""]!X"""""3 @DDDDD$gH(Q""""""9DDDDDDrF """""3 @DDDDD$gH(Q""""""9DDDDDDrF """""3 @DDDDD$g榧Y} """"z@DDDDD$gHd/ B7<@ű{+a ;FjE(8.zܼgB(սõeq_yg'MمQxǻl?GF"WEϩw Y>Щs5~ؼd*""""# @VMKy4aiw+[h'Ju]8[W f[cANmN~]}'X;1_;"zWt39'Jg9}5.r{ l?CEDDDcIm% ? w4I$yGˉݳ4La| fM\&'I}SԶ~aG(Ρ4fN IDATa쎮_#H?1O f""""qvIR@;۪UY?MÐPdz7h8l]B%o,;on1x}ZwXޢ%$|4m9vZ /z9fZmL޵Qm@þ"_Gqz:uy)%;p+ =i8#UպuV7o@F& f#DDDD䐓!XfBbRlbGHL"d7x M 8 `T0.@b5Bg&6VKA*HG(U[%l_KxOa 4 _K=R?a]oΡUÎ7xD=wǴkeoRS3r(v<~@-;pX~wu׌!q1E,h[.ۺz|R`o$言.߁ yc.yMCM'|4ZOWq};xElpNBz}P^ +NПt}BLh%g {ry"uL0SVtpR|b1b>HS{C3ݼ|җ&ofR>¶9.0i=kSD $T=U䭋N'r< IJQ7> ]Hf$ba04eʵK8a1POIY6oS_BNfu E"k `Մ_q &UU7t~`kmJCDDD$+Hz@4>^C`$v#0^p[؟aONfg#&1H8Kxe]<[Fjps0RnohEBw#شi=^=%nM6hk\ܷ6,SHKU`x #>)kK|!n;ވLwy/xE=@xO/&ᔢ/,I -/8ג&z#x)(%zb 73zҷɟnW0H򂑤_YLik? @Ėe$'6ygL%#\b5c+"w?:yAcIϱCZvC跄är ~V!^> @[ ">-$yr/"ybKI}c$NBbKs/O- V!vDjopݽkB8#xһ3!={<ÆQD Cյ4'RC-I;p/뫈ȡ*;[JD7Iv1 &~Wia.9헴)|eJ;^o̱1@}}kgN̩--OB~^q'Mn҄]aovNxޏԜ}|Mf*B͕4O,l>5xh-rP̖jWi)ne͓B{75l&Ƿ F`/IA,=c>L""""rhJDFubJރO)~~6Tyw5OǩsN˽?8{ԟW~螣UVӍq#h=C껟gw4\>䡣w|G"]qsS  """"kHDDDDDrFL` 뿞Gx/Ķh2"6 :Κ"~׹뛣:y]Oe+D 9?iR˔?X:c6V +eٵKqRj;Gqu;Fͬ,\grߎo7H/\fG,7? rZVg% C$u39~8#k)]ٍcϠՐf0PCЉQ3t$o_pGZ7"Mћ38ѹP.bI̝v2z:md~)|NsĬ57@dltYw[WIϥ`,<'Cxd+k4k[=?a'F8GU9<..31tKvHC ֐*AB'nZw&|J& dԗYҝ[`kn3i7Hsmiz޷ޮ');Q_MrE""""!X7$#k#([~%e̼ 6HcJ꼝/_GuW<ܺұBRTzsVV/?ϚYK̿sjڥQ%Ho2K\"Pn#IY=͆P|KqM#_-3ԞU59eĶLyXNخӗ7~u549Մt)kh8~YJ3?ʘngyt>4sOMZR)2!8=}ftA7n~yVO 4Ve7m,-?yGR2kݰ].FmKW2M$LT|1+^A#]>[ -1>TǠrO(8Vѷ,E᜹-[4am;kgzeє2F;k(5m5s'1PD^3۟\WQ%A:c}$[YtSDap}șUSXlo[N>?孃2zYɑBLqnf65aD~xH 4`نil$Cۖ!QpFUǿ`RĆ|iY7mlMgĒy\0B:$tb>2BBaW3w#x3pԏ}>79ru#ǴtyIMK+v1)| H4hQ37}:57Pד_g$6O֤5ﯳT[`z kx2孎M^k AD:W{:i*G^ÒuCd|WqFaKo9=0Eb >H|4?}ЀO-#BpKq[>M2wٱsqp=.q.`g]$/%e<&2WD8F^| 3j!,;C Ԓn-ˮm`s0ABoXV 8:H;2`Qu=.W {-1x=)6KY}:O*$RHğ^r3aؾO9M>F0 ֋O|K;wT&Li1u9xjN/3[mj8)H'<:j {ȣŧSfcIUɪ;w,d1Q@D.injdr A""""""> """""3 @DDDDD$g$;H(,¹WZbׇ$vl kk9T* .7<("""" Q&3+qr!8+qI5.."""""Y$t _ZL]δ8KB;{cۀ= fc,0~ZZDDDD,X廰i%6 i  ESqfpcjf†sq~[Yh{?]׺Ǣ3> 9,!&ыPnbGc1[z'0(zgG0 Ɲ{a)gWYR{1& , {0gmv޸{M~m 6 qix H68wdl9,xϾxQ?&޳ ?کHd!1p'8j28{lΔ[[h Јl@vUPNDDDDD:!χv.㟘젠=IilQ{^l."""""eg,̂ՙ{ JR v3jzgˉAi܅o! <`sOG#Nݕ ^:[ !pXfы>,Xÿne1%L B뎺0fcIHkO[wZa h @{xO.oZ+DDDDD`+tj)3e}nXuo7:K閃DDDDDDu @DDDDD$gHt;O?3bUDDDDDP """""3 @DDDDD$gH(Q""""""9DDDDDDrF """""3 @DDDDD$gH(Q""""""9DDDDDDrF """""3@^qO!"""""Q""""""9DDDDDDrF """""3 @DDDDD$gH(Q""""""9DDDDDDrF """""3 @DDDDD$gH(Q""""""9DDDDDDrFə}@^K38wh}Mu0i( Aj~BDD;N);lқ`QccLyb֠9_ƑGJ{ U͋'J2F۠wgBh͍ q)ITK$SfTHuσ1bt,V>#iKJ9F_h˪<ЗqίJhW6ꥹ=>ѾF)v:I>[cnbΠV:R/z@d)ƖjQ}y*+U[)IQA>PQLUlK ͥK̖D = vh*#iIƨdE(xGJF>Ѥ$ZYR1j/ɑ+zZBMϯb+xIF66*ЧIܳl%cm hAU7 sH mJj08/b? j֎P@-jG_ |m^}n@{?h z'z5mVXqGTɃ z俖Hۍ뤸5:Ilm~~RRGU^k:F[QCc?h%t>OG[,[_xuܔONUl6r-e}ɫ)_C,JЯ cG*XpW:L?wZ}C2^Ѥqiut&'F}7Nu{bHH|:HZjĨ<2AYrWn p k \C@5!p 5=j>* HMvJpFA:] ,"@$`pH"ppHxVbRz/H}]*uWEq @RCX @oc%ttiͪ| tk \C4j t7\ tj߾=ڲi8N__0B(~#ۻGkV-IS1`l}qۻG?]QcBp!m޸^'3%Iq ˲5``M k4r*ڡZިnSΠJNNiF=6k~ztR (c@}cIREyn٨C󕒒ꩲ8*/+54@)c꧷@@l?ٶiN΢m<4Oii  ۶&G;+99z^ڱ{H0e?!uuuJIIU0B8ST_W'z^z@@Zu] IDATMޥҒ}jll^$ϧխm+pK0mPګ@"?c֯[-ϯ# dcjkjTT]׭шxs~ k/Ż=>PƘ G.b4|D֯]];r֏ye\@`zԴC\:;]ToO{J̬{B]@@XP{Fec^ c,˒1F9kl@Z?j3w1F;oSLL F'i6m߾Umv!ukVQc'(!!T?YMH5ںy֭Yc@3j JHHvG$p'!!Q ]3QRO>OGjIj]W]d{\|kWd3ZCw,ըc8UaBВzB/5רcz nu:y:ǑeE{eiR}?cNu*+٧CZNo6#B=ICTZZrK;_`0<4ʹHYQ?C 54/_ŻwRnz@@7|'&$1MS5ZH30:F=0Т'uQtGKឤvz!ROLPA2Eod,E qz3-+Q|bir@@X47-琷]eg{p0-MhSѿ{=?NM J=Ȓ%D‡! u^5Z&r%K`w@@!$H|Hu9NB-JqyڤC}wi6"Dmddvc~X1i:!> #'2k$ջ(BpL70t UޤZAmbs'\ß[#57tmOd1/{}'> 9ZѩԆ5_G1q9o9wh?82& ~z= SiTzu渙ꉺtf?N &WAև<5M,UVhW:k )< QQ[M>z!jG[NI7D7SRp}扴>e)riDmowr?yntn\Dljp,YvY,KN*X:k[G,|еGe%eRF2v9n5js,>Wuj 9wkKt5L6/xXX˛Hfbr"dH2 n>#)y ]~yJ7*Y_pt Ԡ OZ~^G̼^?"w}p kq:k<}GtSOoשF Z9ҌnT}gU{c+.CCZuo;+FOFsfM퓒d9ڸUzFjigaݟ[FyU8+xrjAiѣ~[z=q/rVګMŵUcGЪ]QPl0M~NjApϘ0rKSoa-, (wEd5K _Ws SmykTeUxyٺq_[_Q/GK+(AVՇz& aN4 8vF4LeINґ[Ç%h?[k=ROmү dwE{aP8<"zV~ S}kz!t6ߨՊb.DKgnjTfJOE US++#Q9[/4~ƅ:-S*--z;<ܗ) u$}KIs@cy u}1s~uk'!XŐnIx@ ?O'&]l/aL9Nӄ×5 k7NH#ɖcٶB= ~zS*)>=N :ütqa^z}_z Z'UWVi;7kk}\SWݳ1!XNsÓeY2NPFV;cܙ9Z^s :VCL ϴרV眮?N?ǥRbcjjjC4͟‚϶beuՔ+^?D_T ohyӽzYktӵÕjkIF8rdl)W'593mLCSsN6zs7tdJP>FWβ _(|Bi-ߗ֍lOt]}9 'NivrFI;۝;1EҚ_!z{}G+j#tܰ5zU4M6Y㻜}A.~vZv-`$M%*i(8A,8,9jP걥:jV/  MJwP]O/ cjU]#ccdIsok_IQlT[ < ]N~ĊU3tēt#?/_^5h nV3Z_ɚhI&N9 s;{rWv^YmZinGRhӋ~v%; AMV[3Ӗ-'w|_KNLWic 4_ɩi.74-9(spWLs0vxuӪݶ[j@47qdz\?^$+< \=,]~BjOFeM޺~ztSz)6&@d%苿5U:ԜY[bcrUg#us}E>zu*KTO GC(&W+WKIJ$gwys*ϼ(S⚨'3}Zx/OL3H*dq(Wg" ghn<[Ѻ/kj`0'j@={ӇD jXS^l5,BIq5>!FFUuu45%ZT`(xD~DzLd} Ǵg[cPE^Ї|,j>^MA*/Xݭ=[aS|2mYPKʲt9FN O>P5;lyLWF 0HI&jx_hz"jZ ЅV}G;ru&]놳1R}}ƘsoIV j8NE:A]323vy{,.ۋ:ntc@u,H jc=\39RVХ1s=?`BA1Ш@ :5M O>fv>T{zqqD ;VΘT92;u׀!~}NA;Ni#4ғ55+4\<,8kST[W@)5-h$K|ڶ5Ϧ p jےWUvzmږyDt#nK Dlj#˶C{FFS/KD&]=M!yow$%(lc=G벯ݶ] qxnԵ%jUa4ݎ)iYօ.OO%O]I g\>=Ȱ{CQyE6RSH#Zu}68|Y-ڦ22T}3U=~ 4 6FiߎL9sԋҹvׇHHshGs=2-3&T_CݍIRϙBG71F,< Щ6%V:*wiuȈ*EZ<2 &r]$cd+BBjCҽImL%Mveg#-57C8B)\ _휏ַzl1Dʘ>4DŽDᬖᬫ ^TVZ85OLxMi^<6SLLLiu^ȡ˶*+)Q\BBHm.2d^_:jgC=^JKucd"+zl>|.7t ;@ƐZrй^˲dv Wv'tjf{+9y^\ yV#kfF?ʕHd[vxmK#nfٖl_?6C'';GV,#Ȳ-E] }"/KǖǶC!8RgVh׊)wР.7FyS/zOǎSF^^"}iժ Q8'5-IrriՊZ;;n3KӪ埩NQ;z|/㕞Ѧ~:eJJJؠ!C󺮟^@eG'2C֬/TmMMbY5`FݭF,i̸qYC|%߯lZ9:Ѷ-1ul٬%￧zeYՠOo NғeY*=F㷼v!GN :Lqxs +oh $pChPҺΨǖF]@ ÇVB::i:6WB߫O8~{Ғ,!z\~ړ#1["Nũvy}]|UUVhߞ=ZbF߭B8D ׼^3h1ڼqC+1߯UWWukz@@566()fo_@?QJ {cy,z@5!p k \C@5!p k \C@5!p k \C@5!p k \C@5!p k \C@5!p k \C@5!p k \C@5!p k \C@5!p k \C@5!p k \C@5!p k \C@5!p k \C@5!p k \C@5!p k \C@5!p k \C@5!p k \C@5!p k \C@5!p k \C@5!p k \C@5!p k \C@5!p k \Co__m\^_Uq7ƘnKPBBQcCC_@?Рʊ %&&ukn$&+Z Fh咤Y%ПcTQQ h zLȺ+z\0phckZl[ =v3t1 ƌ?CWF@ed b8L0k \C״^{,#C&)H 6_+f{,KW tNow;s@5!p k \C@5!p k \Co˶UUY.Iڴ~}V(cLM$!!A{(;g\/OeEn7YR ˲/Â1Fڰ~F״ݪ(/k)/+ՖMUUU'pxl[ ?L)iۣL\ kvu8d" SK%F6W~b╞x<}]jll@/"طwn٤D%&%~І% QUaJK+IDATu8Hvm׾{#!^ŻwiLf=ޮw*--QiIrruqpӠCkg┚E5^8A*ڮ||Ν;*><ux ~TqvuQzMSWWT6h|b U}KϾdkM;\'~MUjXHAL+E}!cG7inϟYƾ.KG}|}>;Of*GʦF%2L?cmq*1cFN>I_pF&}V鷬8('=%:SW_|N,^M{$htź<*=K_SϿeK#WxƝ!˔k]ꡘo=Nw;@Ult*=i*v4e{yrm.RЗq:Ku Mu[__ яgȒdռSKK_{Y >^m{&+3PG~^/LelVqJ˵.^'9W;~WL'ZƯI7=8^{yP5U @]6IZ\=;WO~y >{NtA:Y'G+CSO@׏̐LZ#$խ )g/ )z_xy~ivu_hq^ԮszPi gt4Vh禵n8Hj蔯_!Am{>Z}M"u_Nv3QK&fn:~xk7h%媰pd(񌙨ѻk/Vxܫs׳ Wj[aSuWjFA,9Ɵg>מFyr5tIJiܥO>g[u18|Ց4hn=[НPClIr;t{֘ޔsl}Uj5rΘuN/L oSeGsӶ=jj5зOLj ˴RI:+t޸Tjҿߪ{6;uQ\FoV>9_~3-t~wiOJmںhtyc_=o?u-j_VyԽvYA+suwo9COIN>ݜrz}wWXJ52$gsE[t8Eq/.̓mm3+˴Aޤx7u1-g*|zMڱJo&_pL`>^`v9Jʛ3fIyqh_ުFy4 uy-G?yKiO_Wmڠ?|v~㳕nt\8B/L5mRڌ3F'Wt.+hxD/YɷM:DobbԠIך'~U_M=A,NWn:GiF+_O=yзej٣_Y7yGm>0JWjunIRoԅ2UڶbJMaVkC{%S,UqźQJpegR?{.2hۻ艻V?׬FM#ZUzdXjz&y i[Tk5*2Kߺ~| O?VoФm{5^S.F"wfc65R~ԱV譅J:JSG>V:}wPd8A{佩VSbBSB02]zїfWLҊS@=B^Kح1UrxlٙIs?JיҪ'(gWh|tWg(5N*[xa==~J,SO߯cοVxT}ߤ61#h֖4K2ڸaV^?x;38*4kHחdc-Ym3z'HiUij;*NFzdpPB{Ւ5jdL!'h"9G]^}Dgݥ rtLk$IOhCZyN;9EVFdi䥅F7h&O(GĉCeKoYSSeV*E>]S& *2j=*-sݟӭ?MxvzXn@R gWWI6iJodhkO :s2=}߯e :4eHbmxv4i#?͏489AK:jߧ5եڸB xy냲 Ю`&wM㟮Pձ(~:mSF޿)#?%7pF%NPM\yN ^^9Y1_qC4zp HVm`XGVljy/ʞ~qURzqd7˒d:e%jq?4b >J[T&˲ԝt)ǎUNS0MM5̲=q$9A9ƿ:;-Kc۲Mmq"P_:h7ѴoݦZ\3Oʯ~M]܅A]|)_gGj5*͝i5JNS*T^TZe)%5Msvśt:v7Tyoԕdg`_rܦljܺQLND/!ʎc+ϿO+>ߡdl):&a^BKiд$jg֮+PeuUի6 Ҫ5+)׉R[hIӴW =_ enK875I¢7wv~OG4)ir_;(JMJ=~$qӒUﻎtqS/QTzowjg `_֭rv}(˖Ajƒ_ˊQ易t?wNMiC7j;sr^l4 ;KM?Jոcpt!CիvuMpƯӢ%kʝV#ҥܭuI%X Su9s?cgҶwsk4?6vN9&Yw>=[ޤ=:Sd%OiGѽ>Gb.Q-֠4:⒫tS[:UG PSۢo4U:jN(-3fO)ٹJVYѲTlˣLJjN?9Kz4<cc<3G3.8IJG/==KӲ=*[XugwgrѠiJfgn6Iq+_t4yKUT=P=LA[zoJDO6G%+~8%[|щ#ߨuN:n~c[S7't{oN;=_Mݭ7g/RØ+tj+;9Jz ;ڟua|~ ?*7z uNog~TΩ5t R\R=£9X%hxVBFnK|BO[-ǗQ:rPtcޣSԸҊ[PcYy깽 oJtF}|U! ~prpN>Uc{ڨuĵ?15jgkٲ[GLSsǴVAoRdkÕjI lӆ _~` ]_`4쪢uoۧ)~p>K\oLK+X;1:RfH=e;h}XiQwo=Kj;\lTW<]C:[9\G'#tj˯jgaYoR5azUpMRJВvNux]**95գ?W{.n=>hBJ=VAByӷ5Z!)9ER#ozT]U%#cjU^ܨ~q֟cvF)8`ԝӾsn׍G m#` iqu㝱Wj /gHjО-UkGN׈nܼAӏэ=z/Zg f>gkÅ}":l<mSc B74h5Sz?zDd{F nӒv*}ڵR2_$XkUuwװ]TcV{{w@G|%ku6BE߭=^yv)5B!t=&ߔ_śV%>t@ EmOFUY/<{dVMi\x Bum\Ъ-थ*Q|:V`s:5_.UhvL,Yϭ}#'ױwt¹^^_?%pݯy3mՏ]Zm9̅x{k74>> {~ᆏC!BWZ~[ޏQ+ ewl]_cKZƻòh=_/<9yD婼mY?Ё>#B|aރ%#Y!B6uܻu&kJ\У~~~{֒kVw|F 0Ǧ)~w_~t~5O\KEMgzf@_ӧChTz(w?%>x Y%޷/Ndzuw˜^h-F)5`ӧgDx z3"1f:Yp#5Sp<=zwgI6Tk$+6wtK|xɘ;\JY+T з?/OxyAB!:ڵynmBv,@37a [:z"\xeUnVǡ7gfrBPE_u,5[+:|¼ȃ˞y y䄩wa+'AuzH=ɴp@_m8u2/>6;l,/{O ~nW}pžVZY<_tsy B!PǺ3JV {T Z PJoָ-uyN_ߩݿml|`ɲA6fb>۵l]Ǡ# ;_;&?\vwLxSE&JK[<+JZLB!tctt*P`}}DiQaYqILL5Tںm@?r_'[ܣ&/ϧk6oO^n!-gr؄MYs #=pJ۫ChߴC8pq@O S%B ^G!#*?}nxuvn"CiVQ7 Ήx\̝غ_{$Omr)=ON՚#:`N0gck@1>4c?e{\m-ը~[⨯R] Js=}C|s=MfX` i2YXB uG:B69 G᎐3\&.k!B7@|{/^ >Hw;|zP8}hXά}rOvOU~~*GCJ?T}!ܭ!#:dI$zw;{[0/DrO}~)]?xF_'MS&4sUÆ2hDЪ~8qɽl4>sK@N#S!B uzt30B!h8B!B]!Bu!!B. B!ԅ`B!Pc- B!EpեX !BuDFtN9-S=vᅽ B!(/)gB!B0@!B !B.B!T(=_59TS+!B5SbN.1XH"Wj;o7{]iv ߙlM{wr$gR+j "+l4n~aR<B!6g(XQWQײ]~@(8voo auT[Qn2&3ky @˲&}s tp.\"B!-ZoDwpƚҼ<SϷYCgʩ7x"Qh\zDGx6ViwH5=#}5 ucɌO/2gpTPg)Q)boلjq+z4 yw3f rV7U 6k!DSz]T)= %G6nK%NCu q95ǘxXRA-Qyt2 !B\ۄa]E^nK.j\k֗טH*10j1WԱnR[Z\&L%ibZӪ{&SSU(yBm2ʰ,{*аPw?,VsEZIͬT^szoNkmۓUDQcI{92({í[ !e4pa!٧+*nJ&D-YUȰs}<߭7CX NwGBeuvNedT y {!W6hVD0xdg1kMm~6!Mo*t(U,u:&lhmޞ_4K꨽j!BVs ӜS3 K5YgJrrN*jj{KEʡCg'+`hqW9;r&Yjst O0;[))ԃl1U@N]RWQś :z{*lZY7SÐ+.O4[R"/ c+/VTwQ|<(7oD &HTN͖7`pG|iJڽjhVV]>uڂa.L׷M{[!P=Y檔=ێdj6c=]Ke"Cւ)R⾩@zK#& ˫ r*icl:r4K.m3IV楹h^6\L*&Sn27_/ut`QUKqaӉczcbrr6@DbP0"P:>-=ΙvhVm-ԤŜJHx}kV!k?Uab-X JOVZBQ3P?r*e"|hB?a!jXsMMDޣwk/:(+7ET_@j.)x\['6I7WWS-QɫܽG_71`(*aة*,+. @a-S "[;5Iْ*ty5b(gh|*-Tl8jw\-݌jt B+dEݟX( n&>uW%}tqLb"|kkR0 @0Joφ DV9YfkטscƔr%R]r\$gj UgT,7WBM)Vc#e ̔<c᝶7K{SZW]UUcv:.$+uOV}M?5upa=$LVtI>?s~y_ AE;dkqa h.enJ~Z:0A^|{an pIO?Bjf&ёlv~a`r2׆=J&֖yWޡ爾Yx=ȁ؋}TB}u?\bA=n 2'ܲR+}ntK(iOŧUd6* gXML|zaeH!QCƊim͕>9q* 5\™s9FJ[ wϡc lޔjp"Edl1"ȳ ?? Pw6)[XkÎ=kWn9VnT}f?:?~nEӕV\ߊ2#g9{' '7`RNzܱ~-+TnY5Ds9S5vUG|܂Z3p5~ƌAJ9SZk4-i!ޢfY(ƔYo:%|YK~RFd}ym*|Kjqcg.>+#PQ^qK:y*aޑM֐7joUHͥldIy~!>frbfj|>3x$}]ZqM@4A{r*n旯پr-xV)\bvfOw.\KjKc'>y̔%GG7NjiYZ XS3P4Q-NJˎ=R$':B]7{+K~v^Yv# a"}VA>>főϾ>-俛iJO|T埪_$~zr{{uo曣.v"=>ƕl{yָ;i[[hTw_"zzoW¤'z#<*ܗVkS9yz_1G<4<6M5-JN)*ȹL>2Τ{ j"#¸O$SsfR& ':B] n%D-`)>?OV8(0GL;/>v~>Ʀ{d7{hnN7ɑk_m2~]+x+#24_et*;-Xs\f!'mŎE^a͉|/?҆}ZoUH4ݢ|lIȴDy=8qtфB!K:S+‰&z g>:Hl]':B] B!!ofF[xc o<&.^u඿v|ⶭ3^x{/O 7aGfȂ}/v'R |Fh{%Mįk>2czClS~-ʆqs{`؃艚AgΖ{GBz,+ې973>kAԥ[թ;]DT1W/73󬋧HU,8_\翮Ϡ5#LJ*=?_|6JʶnBIJjù[Hz˸UۉuxO'ۈvϴǷe䰁&- B'B6$rt~?SR~P}OٌsIgFl|zcҺOdo^2jp?-PLbSORmChנ5uK֦/{&1v7_6qbDo 1~usFIKkc>|6DθS6QQ^,q핾}9qWZ2fS_mv綛!+!tb}?@7[־^6@'Vs%V}F߹pz_VmL )>o ?[oD78@NNw=?+bA3Uv{u9w[qXfV{jޜ0i3[O\^6 94xhў,81<܋9Ƕq?B]'rA.)gyYJg{` {'azl_eޒOK} !GyI)g:c;i*3fScG[!t8OGl=V Ekww/}pw7rN!CZ4"P;SGB7keՀB PjG+H+v";PWgvVu7)l"+['p4̎d \A!B(ꪊDڍP٬*\԰Anim~U58 )FL-q RtbvI] Pf@jsۼG̓tA!B]­z{2(e*e8SbRZ±ckG8EFV(|7rnj'ʫLMSST;8krZYl\w/m>3D,4R}_ؑU{Rw㠜3NalT'ܼ{f;*&xrGJ!J}\"^]BŸƆ0@d0otm(޵L "[+-Jp9wa 4d{iP1m=z|m+!ko X- h& p Kw J0h_uA"XBafc)S5S0bsI aŭoizRڸ΂z+:,t׼1N}:o5eW㧿ל04U*w503t"'GJc-ܸWצ [/򩝿;m*[])TqF17f[Q/TQ ДwWAb5  ( #/JisOJ}(ڔ J?j6B!n>IV"c8XJO ݭ]`D"0E4!.MC\ċFiZM$2Vڅ'lj?5WX=HNe_*XP#47)Qʦ*^(05j вt<Ѥng)k-@Riiu_B9E ;Ob;bSJz,fDX S,B!t{Pf+2cF+dB:rTty_ eϙrw"s4xqeoo6uDm(GzQueHڊ%-hT4,;ο+g*_;BisRŝU;sr0@Abiv_MI "qMfY)&6<]S^Rt;v,`!t;ho2.N& )c!Lo/CՙCUZWٞPOˢ$_)7oHey@x]j|Wt:myGm^ K./к4۰/gQ|JeOWȕ5Q YveňLB,r8T ( 3$"_ S[o6^:=5TMmjvٿ5zcMO #+ +L*fJZ嫬 w!۳)0*q \A[: L+[oo]6K_`JEyO($OĖ5l[ۓ8lu&QjHՈB,Ah3"Mr&E-Q2.j#e'kL1buP+K)FJol$FB5o@ȉHEJD_ }0XܤSth~{a9wz+ 2~kaKe[LUEEk9[:c[f+qrG T#Ib>/=gv yy(h\'dp!B T"Sp-BЛOc`鲲KJ[Ft3Cטi! }z\{{zGݫ$:kjᇖƠP<4ё3^Zb{9>_(ӛrmՅh.h-)Y Ls|1s9[ӣ/3,Q>h44tYOM\<|ϼ:$6? ??;'7~| _ k6,ZZ74ـW+,>W-b+>bXl2Ϭ[<ˉV|wK1np쟅B.@\bD2[תM+Skyj`"f9N%'+(=X>zSme*еJ.c)ǰ7S:5s߯6luDlF=&d;믕 twR }X4y@0VWX)k?xS?Bz: B8ƞ1T=xRq:;(B5y59UVC\*ۺq2-JlB`6+竻]jX jf1޲y~Y`7J0:x['v=UOբv[?rAwxeW\UF [|G=<Oͽkk@˷l_af>8J^Di<,{p^2tYO4=BGͬٓ\. b<|YG[ a)ˆRDțjys=P0XJl'% vA@w|ϗ}B>K^!?;E=;;OK;q[EN~[WCCC^hǤ;=Ć̔^GX*؋QyE-->/Sx&t5: _|gSكwPqZb3H/~5 l9o`(J)Q֧8X̗jY*h2l3;9 w])ɕ^!t:69°D,gr| !t"Im5 :^ōx&M3^Rur9We0^}Ϸ ػ=|`ovo5ZW<8W Ԕrҕbj27[ ݂8pa$ TNͭaEJW̾6|Y15m&}7BuAVB` WKwZVMEX|yHsWo)3(su\eTV9謸hf ͭo dž4!Э/aE c2oL„0,̖kn*S!OޫZrZ_:uǎ,)GRZA^T;~Mc&bus&q%]{2@2J@db ZY`׸Wzx3GSΜyqoͥ#b;&}B7E.J*;ZUn(RJ}ăB\X!{ONu5 }@!ڶeW]h'b7W1#њRyS4ͤJ¦Dl=針֢Ԋ$qϿu͉J2xqLߠ(] $HFP\׸n,_?ouB{i}mь9?*cIΎ_!I02z3wѵL^L)o5j# m@i&I!Pga*+dc^~ÕC/PU(4ڐ2ӄnH Tq&!aXY,LH\*ˏ) 'lHO4g}>[I>,m,"Ўr%){bK[g"_q>1n2{zpg_/26' lNAA\&Dn_ ܞsLoif7]:) ;Oi.J!@N==PJܖ[$LVPq$,PWgvVusSs8d]!sj)e^8\ 6hLh&wNfA!a3[y]YC]J?U00Pnim~U5W¯/:}N  +!|! HRjh鑔-;̢kB:g*D/My*e8SbRZ±ck8m-Oɭꌕe2Dat{}l>VWT)Mnj%GX GmZ;`BgWL q_.ZKAvƛX!ne`˶e]U%sPgӣSaxWcrKjJih2V.r&P+ M; p=(ulƕ_? ͯ?_cgwroa8b H>ypE{׽NMhd68B%<BSh̢zUڈebN16Rk|bK>^=A%8F"f3 YY^X)+Z pa a 5CMP_QK՗xQ"!9m[W.߀76)3a{jT2B!B3jop*\PW-VA,bD,ñLayK\ي}(9%2+b1[@V9kJ,a LYf쭷\Zj%gei[9{+S"URƫ=lyjZ!~2-b꛻ .8b!=Yyw&Ym+k4>N6կ(v4ä́=!BP{zX"7 "XJ`_bJ$bvZSH qcYJFo] PXb z`zCENFT࠻;]x@=k>?}rp夊SP|@6/hϤvJL X\Cά&?t67<믜 0!BΤj!"8 >>* A$b8q C [ .z}LL… VVx_d1Zlr; FH8ymE!qU8AJ.ܱ!>?[xgEzzwO^EVlat}>ƽ͋gݍU ?}&U= D@p1u5V%L(#c{:^QwW6>B]vw&`,Ê9iRJ&3 .7J/LE X[=;3s̱c^\O/RS:'_b@JlBxP 5ZƫU [;:3Sq\X5LUf$ 2}'Ɋ5 H\<@K8ߐq%tXSݣzçs_{v]cEBΦJsb;` EH*/[KY%S XdɛoYZZz=B~]vnnnWoO7v # 49~a*֡)8[={^ܞ:*}_<=2FkV5iwHDr{/džayG%jͯG{a_dOm#qbqBRXV7iX!'s uѥ$\mYL=o?/bٲeG裏l7S !ÊVBĚmfp=BTc#8QnhZ f&%jE`ӛŎ.Zo !j~z:kLjZ|1`At5L&1:!"O'ͭS jwt:wUBx^P3 XpH-Jʡ Nw=ݟ g)&=7m+_x۳N%F<|e לNc=thL͒[`Q)B!v$fwznCm:TG @opJH*0Dr1;%Ô(TZ_'/l#1ujϏvre!B!nی5G7&<\4J@Mfk^qM~aUXQ~vvvMul ,J$8_BoND!jMjw s+L*ۛRva/@#0/WBys|Bmw՜_5`ړQBQ5g ! "4uPϚ:| FPT*LƲ8d7B(ި!jͲBP(:eB!n{$B!B]!Bu!(D(`jMVI PJ)  usQb#B!tuX` ~?Yثp% bJ+Mq56L4DԥN,Y[Pi4tFw8B!XPJWL-& O+v";PWgvVupFj~]!]][7+xnB6zum\ Q(B<| rzeYN#eu@`owgՋur(lVS€R~~2jPo_mK?_u_&9kd܆%p6M-=UBJ[O$_䍻H(hTм@97ug[) ?|_Zfv|UP"j)KGus~<'1cNhp,#)aNcSr`] PPk sVozRz4\T]h*W5D.c?nۻO 7ݓ[%sD9+b󡃝[OKSW>TZ?P"|AB7H{Xm#&eW&fUI4Y(@'9T?ޕ}@/ܒZR \ Pk4YB a uƇ:hRe7Mٻ]'K=ߘY>_y[_cd$eB v1O->O,vÈG^>M'_,7LkEjRh5!,R?X'@mCE.AK-į;RSj!AϿԣ+>_LI߽ī?f--сQy 5|UPV0X@`x `@5tDέ?E5ŧĜcl&;7Ŗ|Q%~{JqDfVk5z!uMY+E-,u&ZH.ݶ7'}ug҃Zɘ,_8T﵏vm|Nwl_k=ɋL<<+ չjm `QE' H}qeͻ1U<#{_@W6W.>q>>?M毵`3q#~7@6@@XI 3sx@!ԩrBQ\X8)6ЭW`w[0;5GM`O.UuFXd wo*Fx8x[Dѳ XOC F/`帐o[,kw4uW93 xx'eL~ @3ЎI=;wz‰ )ww8}Zn)ysb y{Ϥue0jWO8GGu" lV ` Xg#Bub jbh& p Kw J0h_uA"XB@(e_ћ[xlZF^ВdƮ~0䊶ԕ0NWPQ^[C͏, WFĥ/[ dxF֫V Q.g򪳌bʉ^ LBeٙ# "Iص.!/Ř_ꐺhM̒P 0qJ1@έ HJ*BDq 1bK )}|U,Hp#(]VTl^\ O)RU%"feS@yßI88-]QWzGEYա_Fx L\sb!i7^`@/]>o|+܈Α0 ÉIqzZ{Ҹbza^ }ʳ +X1\\ nB:z»2br}HyO++DZbXcdʯ _q{^fx˅QP B]?!gS:+вҬ_M V̙1ŔHy04;B}N.ޯMH-+_s: " (p pϢ /|CJ{d>^*I8Bk8hVRs*uy>_g.Y5کTf\ywIꠇ@LK0 ݔ]m >oU}a)1i{1c豈kN\oVI-=Njg"`&lKۯU]jm4# 1 K]m濔#G.qVj07Vn۹RqOD=o𯜊y[k:vō{x@J%OH6pB{RXV7iX!'s uѥ$\mYL=\Pmb_򿉧@hse8:ժ.B d=5{̐aS~?-YhcJ>m aCq`yp(4O̐fذ@B~v?zg]]f"}o_q͹u;+k d4 8^9ϣOչr kUu|2ux1m `:FaPg:dB79u@d^sZ&%oJY%~c ㅞA-?2} %Uv>&Lo-J)O<ɯ&9jtv'=SS۱|g9'}-g-g?7}7Mj7Э-ngj.JSkQ*0=9ᴪ!}.P *~|H&܆lP_unP$0xJ([,H+3O.w>[.x<ŭ+f#G{WJ8\zu"'<ٻ|gK{Xmhv=wFX:R2&P;Y?v,V<^T, qT` 7`Y6eVTƘ>~Nufmy@D"eT_s:1v=Z~v^TS3*ȉ[uN}$A[jޒ0Of# >YNkG<)rBƵ? \>u|nᔐ`O &kh C,©ܜ{z+BW"+Ojb:`W-=G?jf}:fB.Bݜ!koLyh !VּªãB}\&n!n/PҼ?SB; /ۖ1@RvebVTq,nv~7žzDzXlnIm^ymh2Vu,f 0񂹙EPg_a={6){GiHlLzӝ^2\V*blt!J׀=""w pWwB ^`6rqT$_Gҟ;oOwPI8jFVV/t7kebdvUgI_=m>p2{&kҮUfׁg~+B!*t*\PW-VA,b(e G3t+XxV:*N&b f_(&<ӶKuyQ*BMv]0XxGYB _<]B?<- QKuaB+w$.w!0 jbh& p Kw J0h_uA"XB@(eZor[oB]tJjM1{E@Kv~+bPs}Ung$!B j!"8 >>* A$b8q C ҮVufF*6Zy O/. B쪒\XӲWHO$q郗Hk?,s!B50[ya+fVMa_gٞ\T/]xcXX<ϧ"@-pq1_X,1DojWW|=F3e |9sϮsOmB!Ԕ*E2 '☆-BRq}*ߒXAɬu;xיR*4h"6\,Mr՝[fӸ!qŌq'F!BMkoKeq,T |BN $"q` pf15Vvy$ŬtտOBeI_Jn CҊc^|pz+?B!jV{OgI-sQ/,㢖<2.^v2=^̱jEbziIӥ*ZgX`@/[@-<0$`^u<-b&>㇏7Eb15٣zISKMxn#߆aazsɭS݁ãވF]HP63=m.E@O=b1@9@ {wɅ>dXϷW==|  e±Cg,)'=Զ[8^8"t[iolˬ1}"ԥ5 «D,$+tbCz$fTO)\ua9 .Iu<>(RqW[|⩌}>Ս"2#Y|؜ĔjLA~[UGG\^քId۫g0=_q۫ c_2Y =9Wz!myVV9lkߨqD\.:or0pJznZdbK99QH"ѩ3YzɦBTF8J̯:WO)b9WWՙtF71?BĎ{ѣG636{ƨa\3sy]BKsw~*j-o>zS 9s+ȱ*3|o8̇"/q]!Pq鮡ʽX7o3z1@_=K&<<`% 4*+`,@BG&?l{JO484:;@_%k%U/@܅-fȘ~lNekYOLq @|r[M9}#B~ !vvvsFxf91IqvP2Xj2[k 4򳳳# =0ٷv3 8BuN{<;̹og& Ҁest :P+rdJ-_!,Ƣ;D:O.g싶v9g}QH<"W{q#gcgOb\7WNż֭eǏex `nodT䴘 `.~FkXjGx!S nVO<ŤV 8 \D#7{Rں_1>c>p\чz/1Vw5UyomcnBZB -j!>8&UPt?H0w{Ah"q666I퓋 z}˙}B!Wߙ6[z]9$Ԗ3+ܚvB;& '6d=Tjb͉-+ږZWQ&v`1Qzy J}\W&K])NxPx4w`  m9xoO};{?>L;X[@[[.݅eZU1Fщ_^~Эu[-#BFQ(z5wQ(*J&u~Wd2ΏP{pskH޷OKYĨ5$=j}9u#q˖Yi:ꯕs˙,#6rCf3duv'"T9m ]HVKshm4/RV'Mf3DmzR:uW6Z7Ls ?lĥzxޚ=!3~m[;yzhEI}3CMBFyzB}>K/g豈H[o{f=p6Ċ,?È0`6vN}hG?wOy3p'2 S?pO/uًO_M yJ+o}Hd>v(N`;Ǟ;J\XxiYm]K2BšM`}cnu?`R] @ j +  5l˶e]U%sK۬-~o*%21[RW^ -* jf1K(,:}׵Mٻ>zhtO[Dbgc4N|:m`B"Q:ت8jB!Z@fQM*mDi21'IM?/vTߞp#Z^H/ju]So`h KloV%K]I_=m>p2{&Ʈל׿|:sgvK!B)t*\PW-VA,b(e G3t+XxV:*N&b f_(&<ӶKuyQ*.2XxG5Y~዇;kQE={ 0 ŨFE9wl~l7njB!;fD\o4D+ݹĔH(h_uA"XDz, 2`ju7Y9^4HgԈ+Z b nv[Szxhm+în!uho@)ZBc88F,b)!<%Cw tBEcD]lHF+ozaR(՛]U+kvZ6 66H9NojWW|{/;l}Ź_=o 'C!{'[\^8  WB!t{ M%cRH&DӰp#XEH*/[b[+`1UG|Y-YB;A*bu*Ùs^$'\ean6ZD޽א/ѸةǓV's^__W~-VBRXVsZ"!'IDL@&jbjR|IY/+ x *댎6WNLMjUrkxn+BEQ1{z[>G`B]{y:kLj&%a%?2șyw~vB ⠖ uy:iTE C.oSJÐ*Bz?}wSS۱l8Ë,G\|fPdw (1Ϟ@[aWsvuC!ڦL& .R!(PI`9P JYnNW^1g\."U|"r]|aux~[M- d^hN-^$?+ْzFos[{$ZVv ?J+ 6w;aVVH~ w-En4R !j,ˆ̊'I]Zc,-HIJ,JkN'>1ԮG[ϹNҋ*{jF9Us Ts8I8"xոMð}x.Q{Zf X JB!ڌkr|@?܆)!Z LV 1p*87ފll]#+Ojb:`W-=B\ϙ3왯;.~H{ӅBY;;9#Cx_A#a9:|C|⃩ui3\3,q +tTjoBE6BOV '4IuquNf9plcY0yȾw\CO%G½ |y" g{ KpizOyq{L4o'Ϻ=[. o kʑV7zR|[C{}Ň?! [vl!n ?x!Թ]kfPȝg8`bԼYuE ⶦރ=,'yb} {3"FS7v檇1g; sd[ˀfvݓBuN!ԩВ?VVLm oP(@qá68~7?2+Ǔw =y]%=W7zaS.z.3vJbRBuN :5'}f|)ctJ^3*xQ;Q#6ޯ?+了N4ont!:% B%v{VuW[,@ˋK{Kl>h;A;6S'Q>~ @8{PKNbZ۱dXyUӆYj AݐBu  : áE-aְ<Ғm<멙A.\ɢ*J cO}{a'("Io5Ȓ#Y].ƜZa r5߿<ކ ^1ۊ}8(>o𯜊y~rb]6^2)+}B]~#:l8{g}q1>O>*(NjՉoqJg{Nzu`}>[kjT+1۱.vjh}bwnΫlyB`E|ZPo*9WVZ#PJ rR+*U趤B6 n)9B!ԕ<!Bu9 B!ԅ`B!PB!B]!Bu! B!ԅ`oMik={Nyuk! :ZJǬ/gߦ3GD!t]p j'| rzeYNȘrǿ;TSQ/p-UY,gVa;oVnr ! :ù DŽ9mn'G 7קm[ڻ <>{}'Zf|pOn[ӎrNrwU]sfWK .ÍFKގZ:g|?ww*SXxB@x!XO4?}5fk?<\υ(rVD$_26'u+H@ ;pܡ1xIY5"CMvry] jZ[f4R&`RīQG:5nӕl]r3# t-X <~ t! {N#8o<=gl:gf\۔/RB# dA=j:/r=ZWoy'~ݑʜR3/ zŠ(#JW>SnF`g 5|몪(\%:P99*QnIsxeۺ/].LXR4/":;zuCftHyAk<=3#;g\1R'V= q{L4o'ϺBڧ?.lNس咠-ﮰfio5H>l! gƮZyD?}n/4{3'GY =g 1T-!͗BƒRcPob0wTyCY1GW[{-s\l6Q^b6xFĈ~Mv檇1g; sd[ˀfF::M}B6ms驖[K_1}FkXhOGx~쳿׏p }Hs}|P'zEuzow߿tc8(MݕsLImٺ=/̭i!ࡡ?/cRΝpbCfC%ίl[+,jiޜزBޫmi]EՃN~"DG<`/N-+K)?܊l1 q͕B=V b<CՐV/d\me</4n=pTw^G=Ty';spԈ%qj,vg|YZ5E!yc7=fn)}YF-?\dי<g~{r@}phv ta=~ t!Hs]EEriONi-L!?N`d5 .}|ْT!+M3^Rur9WeSWNxEiVgjWww̑l$!MVL/sIlYM{"lK1ڳh؀~qOXheGj6_z^K-8m-/cdۈZ,8k~v'Ӻ}1ۦmK¥zxޚ=!"0p3DŽa[9W B] vBu ~;Ӌ RSsVD"I@4rV4g?~/0pyzA_Α0 ÉI$Wn!v7Սtiu5b1XcbK8Qy\L' s#jK>@> "{km*iO٫o_9GEW.@P 9: B? B#wsoUs@oys3)hYLi܌ V̙1ŔHy04;B'\ +_([V?t^h+SCARFIULtUk))A+Ws_WyPe]v_Gﵷ X!VzUDҖ[g$=f%Nߘ{yD__Oߞ‰i ?c4E!:`jCx9;?~q-{,v_ !<JLZeeL 9qpվY Z&/ĊhW-mVqvUj.]rfd26FCQrCxNב{8i+5UAwum\;@q&xTkݮ~sjn{u-OWu6xZ~=|$KژSk>LaTThކ ^1ۊ}8(ik}ЦC:5Ixukn9>,xu x!)֚+sFMpתmwlS%mLɧM!3}CY a0~,Ŗ扵 HώGO?lBk7QĘzW!o\snL0AE Uϡ}}_FA#}llحr5*oCKtxm _/|л۞ZXp5>u;7UGJ9qQx33~纸|W镙ӓ 0 `~ %SGDFŠ@b{vƉD9j3J%ƣ''YNkG<)rB趆B+c5>3 !PWB!B0@!B !B.ЭE [hwk/uVBG?%u!j Bj=D˾/o-Gbs?Obm!Bm!n)D;FdjO>|dP<a!PP'@kg(#{WT/ۜj5BNVU^SaE{-TU X3!P[sP'"R:yZ!j; BAUyO0UvZB|":ӷ66&sOVz{!PaP}Ar鄴RPW|tBz }Od7/}/9L>ovB[%f>޷:Q&`of}WwZ0!uPЭEBGb%I^/<B`XVw(D*J+ݽ|j-˲X!!Zښl #9B˲[{&%!V&3!9T{b!8˷*!uSi:=!9<`B, B!ԅ`B!PB!B]!Bu! -Q݉hO}C"BvBKxcL牯Zނ 67h[Pϗy2B!Թ9Nf_$^5bKE5Ɠ1#B(T];ιOY>7OL3o?iw?|i||ZsxN~4l+BwҢ}1d]!?}uZǮ41"q7i kRYn# ִ\xj??xg$v׶IET2pܘ^.bM.,ε_6@l㠙s9e5M$T%Hr~Ī܂UBO[vnwyܙ>v0 .ۏgְN?S;J.*G\5ejƱ):'.WGmF̻;ʖis}" wB L-x2Kp8-MߨP&ܘoI^}؉C믿ʜ9.,ܩ$)s%')U68kʣ&;iGbK[z|쁪?7o#P}e.Cg=ó5z ٙg?tT{?Y3fߝ؄F0{;Ƴrƿ3-\o7vgHu(.q SZ0w$9@Fؓ;9]zC*>mvL ӿF szGD8rB B ڦr3'wZj]뼉l5};scdpײ ,Ii+ix؄i/"*O,l)D瘱=5nG,MJj*ǝȵpZ~wve9gVmcҙ+qvrSI===m Zk^w j:6UQi/"6$T\T#5Ig‡ p:,tjI8zz?IaAzjfw J83SE\!_.@ΈkFtj;?ׇj پ!n{c d%1SEҞBZUCRRf<;G/%Qk.}sYi]sys*{ICԖ:qGDZ` iz=j*<V՛ @  @ʆNKD$bP]e5k(іl~ݎߥ{w^VDL,+PrQU\k{90@u&DVCm^5/XN@Qo ~9zn}笱p%uMNOO|[Rmgy7@i{~8d}w8>鷏5!M'Jȅ&8\j=DhVzfNfGS͟i4qm!n L/е>%9OSRu |揭QS&z07f[vE %;. s@* +*VEWoju'.?V#֕O\^V#hmF+*sh/U|9#jU4l$TW4ޜU87bʽӢ$Wp[B B ;zl`}zg#57-:(5j(H2YK-e";8=3d'H"D,k?[kꖢntUŭڪZkZ[Dl !"2s~$\HR$}=3'=C{b AJݿJLN:g\`?Ek6 ټfe.Rq[zc~IulǷ:Uǫo9+vu7/^c"7#C~Yѿcݽarxo'NMI<QsI/n}]Ox|x7旳&Zn1 !Uܻ.<}pVg~3%"OS om 5jk߿+zr,Ӹg:º/ڲ}3WPS4 {Tٺ}ܔ P:};ni®J`}B;m]\ymz>C\=n-֎Uk߽@wVj{=֧'@9oWhvdn!D3|8t*(c2Ա#%<]w/sWRpիC<GOSr{.lq/Լq_rߩ2>)@^xW[5^\Aƥ?\q ~)    h[d%g4Z-[;Ԕd(Ԕd;{.*_xG)%`Kxŕrs#7 (:1G+Ttspquxb2Z}voPN;BxFcꝔ;)%(e)OFRU$B$B$B$B$B$B$B$B$B$BsjWEVlJLo7_5QG(L7nLUa׿oHELO)rMMu;טuݽ^;'1 rr)3jp@m].޼TTɫ5<kvzk]ӄW&LjGr~C~jg_Ҥs#]mro__Oͱdǣ[WT,TCjNvYىitӇ7._ȠY /7wk}a?];aΊH/1Gx[ywGVӼӆײ*J\˽ee\kk[oU)M)&aZ5 8(B q{bݹڅoєZB!uÄB7~+ưVGWo\OGun%NB-K~d>=?<4B yi꟣=a9wv08=!oꛝ*+B GOu]*^nW%FQ԰VR~nʿQl=k7Z(B+G՞hR9JnƭS[ UUz~h`Ks(د}znPPX,SyL.ghjx|ئMZu|"36/࠘]clS\ }!Djk_[I'vOnE2](>LHK6=~^ׯ.縍HKMW0]y}[ɘ'gj[YƜkѦSg8j/d~_ucζ2isƄ΍VX-.㕸l UV1*{¬M\O/BW Ջ\rܸAk O^16SQU,r{yBX9x8jHGWESWm;;t,SG lXܓN-ѡXG}T^PG4nnJZJǿZ5FC_7;6i{/g JVj .Ɍ CfKeldLH"u;i"߭oVQm jFF*PUTh=bl{S*CE{ڱ7<{_~c>᫳|pեȩ_oѴ;C|+(W7͞?&IhN(KݓVDEh@H"WZZ|tXz*;5аy4t/"ny Bh4h4 x߽a;Z{W>>ǎ%I*!ZSzF*t ku3.:4jGm:Vr6:~9];8(”XBk+4tJ(ؾبSUWУyUq FQG8[|Lw.;~ާj:U }ܪofz?SM\~ !ݓpjɓP\k5Uǯ1UXu֙+Y֭[MJq m_AayhC{qU+] )tfblU-m/_,|a*z#ueŶQ?Ԧx̵ʝ,~)` M%s6y=v{,73dNꍓ\Ly D35;+K ÅΧk{L1 !Mӏ;O>M7mUŽ6-LLڹVP2rX5K>ݘa2WpwS}。_6M:.ZEQ(k?tY7zc~',Z3gQ+Aj脥{YkʻW_ ;#K,|eھ{`Ӫ6o>pȉ9˗}y(ƭA?U [+RBJ=7r<;/F5]Zzs렶{mR}oòUsw* s25, SKw&U \/ۖisװSE0*t|7Ujsl_.Xz>dJgzw>ݯokPPQ0_v6iI!eɦ{6m̱ :uˎ6vSGEC#ϗ9o߳#ݽ׸w0ꮃwR8\ (mJ5 FSW-cMƄ ־5kȽaBkNc^}XsjßwqZ/_P[r 6'f/} !vo׽{EngJL=+w]cuu3i} ( T5SKut뷩=+Ui<"<(0FOjhg g+Sƣq2q>>g1]7$wEWݐ>(^u銅C"&}w֬* (JOɗ.gdGkklj위KIUkEƾ ]GP <7uʼnuF~x1$1{>r"u5f[Z7;>0u._|0WssgfEXnaAwjѢٻlϷe ۿU򻖱+|C^GK7_v_ulaLijh/#ƫ_?\hS7} s̙CZx54'מ| Yݧ^M}ٻH8~ڠF~ N툥ʻYyViռV˦5n]Jޮ[:!p2 CzqѨF!~4_y()o[0wǔ0Ωf6|oֵJ%5:k{ uиCyP>>ߚW?~^!ǎZw<- 35/Kq,NWnQԛqՂg L;ߎB zEu";+;-BhyBdgBMXy(ҷGZ??ۂ4n{?; s0)Q8`W NJַwmol Tf[^|⦪̉:£87QyȴEUU(v #B(v5h5櫈o5d}ysýUEYf+s־]Tvw+HWOq|:r^JBipUcS'p)_F[tJVFժu?Q\||.Sp_nL%[ofOٮ9V-vb*w&!69פEUUՔwg۲'#U|oeַfkn7٠؄Z!:1u6;u`Q&w_hcLµLU!{)/K'Ι0H{;o4zظ#?4ұV]s;QSDmk5WK.;\;yu}Z !0%}keŮC&^7ݾp?.$L=z,. C9eľCJK:ѻ8}-2@VQ0VCu65i?\1DՖxwYW6Eqh^)Z&t[vs+kvN^Uة>;h蔈,uvPAo9:=CZ횭ENwqR .me;۾zo-{秌_ #93{&GL~>4 TیFkհ rx߮&-)'~,w '! /,2e\{~S:(̎^u4uP$`PHHPwtrXs"V*B?;a||<66Vmy8y8~[3F{rK܀$z{sǺ|}ڭ[l+*nrt圚/TAEcb6LZx($U'5ow'dnyճ)tqfk/-ˇ[M^0GֵV1k/e}ӭߦdkWxcIڷbQw4(Z{ҶQMJ;>m N^^6*U;]lm+v/q"(}sgfEm@u*r!NB!rn8j+WhЛ+B}t{gyn6똇QWVy-JzaўK|[(Yv +T/۷wդƄ9mtBz7-'\Ш^cLI/vBcX_@@PizhQ3(.>>OdZL%[oʚu@Y)6Gν7Dq2õWWѧ}/>)&}x\̖/>ZѾ_GgE8tzc뚑m<wMڕh}}pEc%&g[y襇b8H^[< eR|#Ա'ջ{'X73}r!F,=MB6,r݊W[ je ^0tq=w~9囀e}:coop5e̎^u4u%` Q)@Q;DDDDDDDDDDDDDDDDDDDa<=%̡DωZI( 1tyvcMOρyl^m4ڪS:?PmyU18Vospݤ82}ډ_y8:/L2?/:w [N}JW:?Pʬ(g:?g`ϯ5o~?mpIjf4U:Oۍ/:95_hWB5䋏5׾?2:܋&p0غ4f܂Ia}*]zϊʳ<{e?[(/S_Ҏ-xOEWJUBMѾ[!ɡJyCͷSƘ/방gEQ &o]^n[;|G-I?Eޑ ѷyd_?VG+<|2Q&6t~QRvw3hfƩjﯿl'jE3rOڶU5R0R?=}{,enyճ)tL`}6p5h>YYC+)WoT6gj}kߧ i2dU}nz }n\n:?{~熽mqw_6pظjSkyǝjM+L,gNMXy(ҷGZ??[8ºRpwX 6sL=y_B5d zr ]]nn9毖EQ'̱޹Z 6@J[֮u:ɋ}[ ɘ;gb/zV.FUrs)Hԍ#:a9qu:%+#h/`9U꯭^RܥyEBE1؈._~*ܮVm—?|?-ֹJn$D|?c&9J@iLaw[ѿ>ӪF8tzc뚑m<wMڕ+;<̴O\r7k腅f[y襇b8H^[kڪޞ"jsdܝ̬\K/Lk*?kgB1?|8.!mIlyayngmlҳT!_q@ǔY/犜e3#.?^sbW'7vӺx}>YǪZr _X—+.]v6w =4T޷K']y|0uP6:Ǫ!][q&` n787nuly֦NugkCECNɟafynԄkUQUUӝ#߾Qs {q뛮}1y%מk~g̵oQUU53[J;-a~ŵzzyg=|Gɹ-SIEkXOGxĭv V7׻5h/t}x:9WjWgbwi̺KFqO_):?dy]4I޷+Irc7G3g!HĔ0SЬG> #mQU(egQE1qI zx8l]kuBŵ+V`RylC'jU{eٹ{[6vͮoF&hPM|Ja}*]zϊ{H}̭ofqI;>m N^^6*U-a @9K5}yWMjLF'^3Ly1_4.RC&tC178l1.57<|-~s !z}Jcw\—ۮ2yV y]#F~-R3s^7h'v0i[rs1{>r"u5f[ZIx)\'^ϬG%W5vD뙟9׾nʦe9 ?cIsB*|Y$4=hCG'ꢱC2]tEֶ"z|H}̬osw/]qA75o-5]g}qxx#/xs[EQE⺴׮[5мW9atU/`M`/[nn/V![[ii:uhV {2R7L5oƥV t̿þVgzLji6sL=y_0?{(k>c֟3>5ϤfFUUU!!ZmVV-7]s뗀(gf=[TN\?K Mcf}#?!(u:%+#גV>u '~;RKS‘Gv t+s6.]m>V.=[p˪kn'T:_zqĠ-/pdLi1їl}+-}pEc%&gBNo w]3rNX?wԠIx\̮ BdJŎ:Z}9W.qdq];<̴O\r7k-f{;o4zظ#?4ұVT([ʰX+U؃i[^Q}qwAo_-rPOBE[jZAMz,+yΡ&6ZFW{],rYK'OlYz-7]hA٠Aϼ:mViv}3+ ;A۠g 111}B#wO@_$B$B$B$B$B$B$B$B$B$B$B$B$B$B$B$B$B$B$B$B$B$B$B$B$B$B$B$B$B$B$B$B$B$B$B$B$B$B$B$B$B$B$B$B$B$B$B$B$B$B$B$B$B$B$B$B$B$B$B$B$B$B$B$B$B$B$B$B$B$B$B$B$B$B$B$B$B$B$B$B$B$B$B$B$B$B$B$B$B$B$B$B$B$B$B$B$B$B$B$B$B$B$B$B$B$B$B$B$B$B$B$B$B$B$B$B$B$B$B$B$B$B$B$B$B$B$B$B$B$B$B$B$B$B$B$B$B$B$B$B$B$B$B$B$B$B$B$B$B$B$B$B$B$B$B$B$B$B$B$B$B$B$B$B$B$B$B$B$B$B$B$B$B$B$B$B$B$B$B$B$B$B$B$B$B$B$B$B$B$B$B$B$B$B$B$B$B$B$B$B$B$B$B$B$B$B$B$B$B$B$B$B$B$B$B$B$B$B$B$B$B$B$B$B$B$B$B$B$B$B$B$B$B$B$B$B$B$B$B$B$B$B$B$B$B$B$B$B$B$B$B$B$B$B$B$B$B$B$B$B$B$B$B$B$B$B$B$B$B$B$B$B$B$B$B$B$B$B$B$B$B$B$B$B$B$B$B$B$B$B$B$B$B$B$B$B$B$B$B$B$B$B$B$B$B$B$B$B$B$B$B$B$B$B$B$B$B$B$B$B$B$B$B$B$B$B$B$B$B$B$B$B$B$B$B$B$B$B$B$B$B$B$B$B$B$B$B$B$B$B$B$B$B$B$B$B$B$B$B$B$B$B$B$B$bE #wS +^@i(BIENDB`why3-1.6.0/doc/images/gui-2.png000066400000000000000000000760631440160026300160630ustar00rootroot00000000000000PNG  IHDR{IDATxe|sGVww` ZSBڿ-}j]-uREZ@iq!$wFWfyH aϾHfg̜;{̝;>p@`G$v i] n٫~咄%Uz.sCd'Ĺw<瀙c۶̫U?'/X#;\Up{}}G)[䔷XϚ$?:w@wy }TFȝJ_z)%,].\<Ο.x׷:3u/M{%e?=EwSf/_i>>#y"f 0\,3a濎%VuzȆ-Nnӵeu:u={ys ͛_N}o}Kk57\"dg߬;] UU*bëd;}>'"~k%K:*ѡkרK?v2װ^f8qh:M{o3'yrn)>w}:}b+_fwL.&"Mwخ;VxѰn5Uw}6en{-No6>BĔ?|9o>'~ GΚ3~d[~{f}圏g:YھC!7t,f~9ĸ}GDz/Z{s}u8@zקmTAlب߯Q:Ǫ]nrA=pqkc&ߢYaoQ(Y!"/$X,Oɖ}O9qC˝=Ph+8`<_CIV Z}ݯ:w+>$e77 BhݫBi9uP/N\k1Q߿ig_~SF-՗[Gwk *}G a9Aδ":!衟_znXs4H~/5z\_6N9Pwh_z%/}}F޻mӟipou?]Pp'R7.\iNE0DytK?-DGG{X)F67 ȻoF^S{ ӞP`1N|3j .VS](ē%iKv A ;+v ;!" vB n)Uگ};h7 pA`G$vD w@5F֮b?KqR:'waΌl'+MBsHEhVs6-XsVi->[;z=f6=uxH18r8)=Tgc*'4Sw `UZ6eMiu NjVk*1a=ÜyO Ȳq='C!:slWie6'(坂vH2ػDNI:vTꁄ'rKmLc #K(; ȡ21fݔid[[jʕ\cL8eJ8cH# "I겂\TT[CP4.=Ev]gW\}C3nP r 6Op;T1_;yޑM8#"TRVs34DD:gWcUɬ0ՠbQ,eՂg,+JO9M̧Z_ؼTʎl|HQ9sUYIvNY8msOŕO-ƍ“dع{\SM֟&87ІJy0=U'oX!V'd*Nڑ_T7vl7S[!RH*P*Ս+obKmYV#SS lD1z^nnTJww-5gW9.Ko.R'l%'+>l1U/l{6:yÍkWF'&5@II↥ݽc:Gy8f Hy7$W֧Sl֖KRB䲕eU:5#G #=[\^^^}8;D4<ơNGS}ZE)cӿaNEVR4+RQl-x g:$y[yp _)Aد(0"5XBJѻ)ՙG,Clxf-W$Mڴ?iɞ3Oo'[hF9T>8,٠9TWiӌFY*k"_с-;oYIL$D:T%ƒo;=Z'8,i}RZ\l\\REu""k xgA\\V\QgdU)D#G)-՛+Ծ=x""q8Ve|Xًhl mMUʹDد=MU7\&JɊc󧋝aH$)yo'2|{ڟƚ&֊cI'qFߐ^y/REyLkL@u+Kv15JUvf;綴VIL5&*W$מv$ 3jHJ_w'c/G}^YJqbpi䛙EҳJM5f1zuS??գKJSIa-t 4=YУ mޗw3[UPkv˯q׫fǮf"" (,./*1Q+rD>|heLRi"G -O8p2i|âz+%75Dz8>3epN;?x8)#,;("2̏#гJ9w5Hد=MHpA\$>A,װ訰S9}UVy-ŕ#RR)fst?{_Wj{NSzbtUJ|%EuKPܸ;ncD$Y`іČR1orفׁ ui::5ځ^)1_fWZ8WxQ'40"R.aΔJ+O tfM[lV<~f;uW3_MI!<Ч~?opf6s&4!GL9"3<~~j,zDzD615ҿٓ:Evkrf}`QS.Wk7JqÝMi<:ڡ4hR]O6 {{]rw3u8{39GFȪ}]O)Y?n,Wָ:_V:2څ',~pO79q;M],x~pO7UceX/z5l-dlmw/<-S8ro2kwodV`ʔ&ݑzqdMr9!<7ʟ#R;}XPm>R82)7%VfYMɩJ؄h-4tPmK~^nS_׊oo'8XUXx.)HR:0؇o䂤rWC7Q.#xߦU9v럶g]n=z4YfOl_0KO>>J%[eԜ._Ͼ#'OO<]MYz$t˕[yf>vgdkcn])F! J]j&} 7x-t}[gf䃷䒄UnH(aŗ-p:k g^Rf<'s=}C<# Uiu)+Yק5d 5e_-ڟ5qp3"[y?|WPi!q<8*?gT_M؍3o:])AWRy 8jI?ps4inwx^PiLnjrL*,zqE3b4̩jpU(g< dE<{ ]|B0$x^7˪o?%b{wl;p,`WiR7񟒳zacL [}ÂIo?zy%׾6`Wg(uk~[7h\:p~{geTlxoYϝ Ϛ6F 3ϨPt_h6^P5hKrEZYVHVEQB\U;8v6 P].;*?漡:ou::MXmyKxt: pIbɅk&M9ZlN+aM(5'cuL)Y;==T]geDe/8rɹU&F1v|.8VK!"Ry||:c_k@$6Iz퉴q [OI+$qdЉ3dVfUL8;gUa*᪸PvbSu/ɲ"9hJ1bDY,RuBDñ@{(g6TuzW2VgSlUfω_+)?&sپ̲aKS63rԔ;zz;˼*jJ&:w/'–4s>,%0dN̅95y|W|c4,\ыl,j2MaA!ZLm]@i2D w9^OaiNZ kVkԼ78vkU1R܋cC< V8Ƈ阩&Gdd'r+:\.Oߕ3Z^#j4 r6'9{1Ik,: /ݍ:,RZ\ɹ\C\48&iM*MVs'Ms7X%E3,U+_UR|TUEmTS<(Lر" b7 o.=\~`b@D>'sc]Jovg[]HH[9Xr$Ryk\ %7nЏO*e->my$brNJGjԠgVy4.SW} B@gugӁ귣r3q`&-^+Z/ƢRj,#QU"0zo]梄3>1NaLxQydEḪZlE$؊K%&_%l- vV1&?MSKJ Owcȓ%$'mrl{[4*E=sG 'mz|&{ĺ[w|3)ۺylԲ6` /a2' S)r?zm{LdNؒuwmMYmݥEl$,`9?:+ (6N8AT"0&)lPd󍹵VY9AD$YQݒ3g&$$\8=!!a̙LfdZ^ܗ֒(Ƽeʔ#F>셫MR58EPBhǨSwJva?bM>H&cNKVL~XίW/+nֱé2hϜcUԋH W5YUnlY,*_-Q|ΪG䈤@emg>`A*8ڠyҞW*2k4*WZS"Qrb~MQMs ,l1j۸CHxxٳ_yn1dɒk׾[ |@D5f,\s44E!eE=̕wۀs*y/zaDl3)6t 4,Kսw[n;eX/omٵӲG@D>^`}E̟Oy'N-5wh*Zt 4.ۗ.Aַ-"؞*ZҿJ*k,*5{{yyۯ꧟~JDcb$jMK:Aɲ\wFt\seAdw>DKDrݹ^"-i %܅{zG84L1bN|iV`]Đ'\+ToMcN8op-e"Lطs /@Gv8(Q%pbwA`QDat970L&7h_Q jQ없YX!9]9 '2S\ӏ}}ѻznyOot]j7;rRywucz7ye6oYNr߂{A}zXԫo(O~N$%_EU[oY{O9Dkh}<\YhbB QYI8b(bfL%FtPF7=#8{j$&]t~w-s'1%?':6U-bGz맅OtHjfYRg^5m.+WNܲ}ѢbnWM hN@H1b] b{wlߚ"CqFXXQk$E9ÜqwV :߸ub҉#PbYY6[-e۱f#GjGN~0L)nwXyș3/[\!":حľ!<)i߯SF?gi/O<G86i>cѡiE S?c3!&=,G_Տ {|k Ϊ P*9gZct˲pˤa3?Ǻ,Ee۟t8o7/&8"{Guw3'nyw1[,g6ɜߍ}x"Rukj}?%%0*w#l4jHc ]ŒYeN}s|/#R~sh׉?[bu.ÞkڦC&\'FV7gmͮ1z}tDHHO.@^7ZC.ٲ(SbX "kCٸos59^)e2#"ԪMUJ?9$wqnayZaw߬q'"".p{1->L\>:OYg/o\] ݄nd;;l[6w6$_s'X1A*"jhsm|p<}||######}||DI p L+32s)ݘ\pBrAJEC 3#ʤs'~v砹ُlDfHSs1pDR$rjJ2se&ˡMޭɓȜWQ.0QarU}q*;}#D| Wfz:5gKA$/o}т=L1奖Ktk^H!f7̵ ë^0PQH)K*,/!7LƎ0oDL+<D nGr㶘+D\Ty]=xR* l^ByAĠqU2v>ZRZmR" {^ko48Fdlg2_M7*#",5_c`Drw0:ıX$Grpct_%8H/ښX%",+$+(!Gzd $*')6"W;xdB`ݱ}]>8n[L?сJ(K[&%G)G+;sܭO| ~_T$LKΎ(O}p=W>6.y^Bqaί?-ʵiI F7&~},;X!XW'xL'q(e9f$zeL?yN1G:seg/̶:w:&hV9&1!CvZiX#"hM?Xv('P~MXA]5vtak* rM!4C룔=YG4*AY'?3:{{P #3,*xIMjSlī!A+W1;CAGr"b9\`UX?]҆kY`1ǫ ^1Hu+gi7,H.*I3 7_CMR*jd H)֪Q4cCIWi?5%EJ[:w9ۇi_={wVvw%;b*ieoV19-}+q:%iuGnFsJ๳4h.nf?3ҋ4A?RxY;z_}ʔ)#F83}ن>!Uo& ت,*ogh~x9:Eގ3 y;u_?@WmDS (1ꉂoa2L&oX_&VzG3/j%3uՠ57s5'vcW&L=s՗O?F%Ƽwf}2蟯xk_{>}\n֤_ahd-.@Zvr'Dx;fcBTe9F) y&Sqɴ: Fy盞1.,rbĸ= S76{-]闟6;Ǭ :gOҘ/V<;f[*m+rR?==KjD;6oM?ud!KϸP^,J:8x9hif<<1C VFAr]3B+r+~!ьp};s|D1zsͿvƂTQuu:݄~fے:8[%l2qS${33o롟/AC&EOMʴR0ezsg ZmЧS>8 cuuQ.'m?8QnɊbʯ- w8mHPWWv& sh xW, x۸W '|RdуDLG~ Bmӳ1|}PĴ I)G1 qA9UrLusS?zAj,cLGGZQ]]-zѨjyCv%߼t3zm|>y^׷.6f͖'|]+aW56O64ZaRQ =~U ƴA(ruY8ס=}o=q$LƑAwj좪^A9y^TXK,RWxFG+jbv'#8}~W>]\#L}'iX2~kvx-{%ο4j \yޕq4L9Ƒ&$xS Xz~Ey$Yk+U:G{Fhɍ=LXنE" I]ؐ9z0YZwN^C8{Vn/Nhݴ>-M}ԝ F6Pdh.G4*AQh/c#o`ɒZ#NPQ3ÈOc^jI3pMGo[~4rpἇ?:=cݶ#O gș,Pt=۹` FsJ๳F7h.nf?3ҋ4B 1*$7hEiFk Mm+zV-zj]R+>7c5>CTw>x׼#ugkD nGr㶘+D\Tu =׫Vur*5#ڤk3ztIkcťaZ R!*'U4,Sucv[]EhDHNίdSt!.DD6)HbzU}E욜7oǡڏ_Kݷ0(ٸ㗮ܾcì{\4 DĹ竩+P(9_noz' >/*κ;yc|6StkD-9\+ZM)xޠW '~1dTʩVNN*k,ZھȒZt*,U͒B T $JU݆,ֻ.bZwӆ:|/_[䌯FnTjjz>Hۍ#z2&D[y|o53Ƽ2wr_wܳc|f 3phQ`**>\蔔YZ?QQ˨#ֺӝn,E"A`WIF:[TQB#w#i_Ap,Hm(SNHDDLÇ:r '2&F2[7\;'upO"i§xm3;w{tq3G]/\Z0A%twYhbB QYI8b(bf  .h/#Yr,YKYq12jD*q tkU=~u`rclIBDk?vd[鷟 8_W; M&XXQk$E~aUV,$E /rNWw4,WYǕu?6~ؙZ'lZ&DqL $M?z @DRʗ{9" M^{"F5{G$Iatb EU!>=YLDbUkNp E (0mL7,je1,6&DsZ`<+>s];[eYΩ4O2ZlrcSx#X,5Ű?wv1&N_ݽ]h֎gI:9OxbzѴ2JxaN^޿=%.L3 *+#|>^uf-֕u"$[y21cpn!>gܜ{oWC{}5D$g5{ȸ@gJw6c|t0Ox)"y9"- 5F ⁔bJA#86$Ct_/=ƇՂU|jnF>[ao8kUDd&^fZ>YK}tý,ۼ'aDĵ:漵!=/ KYZhoJJ/d) <[nq4wcU\4b\"_ko5[%+ )\*uh74u*=)g~7mܵN<) Sg2GD{Y0wtkvwʹ6Ԇ: Hx"uUǜ:1Q#YQ$YQ8bo2J6.:f'^d 7{:.Xjm:WWZЀvRfc 'J$ t?|1*"'(p#$+bo؜4:d3/UR ,>Fy -=%] kdZAP>Mo@Z#M9^%*;r UWg˫ш8cVX*7h,yYN,pls֝G}B<'3PϦLa60jJԪQ__gkl-2Y־$)dqԈV|^FӊMFxg xZ;:ͧ#_{Ŏ km%h6 "<ؽ.\[&"=_;O$phmj'|raKtcf1F )DUfc$)JAg2LK7ݙ?-ە]̊f!@"Vg jQuG~Op~1GI "&mAL%6Nr_Fs8{Vn/Nhݴ>=9)'kǶUQpUZ_N/l9p[RTg$՚msS${33o롟/F|7Yҫ 307Sn{40?#s.M7Kl&2zz.Dԙ~4k#V~t"G"ѷD2D3 !z~&zh?@d%z[rD_a6Asuuv]yO,N{;y8lbز+sl/p=Օ1;O>.rVI 1bD(?Sr}>7nouuD)جRɚ'lrY\ zoSjW8pV?X!kR?=n- WK(8];DD#t ٤OGvyYz~o‹Vځd߈GNTNdQ/Eȇh6ѭDБZ$I)1gg{G&mH*L9W/Qp`@^oW"h4Q1~nr&"Ajh4ϦMs_x}T͎8$8na Zs{FDHVNe+|֛^tsh9%Vs&kځr%|"8G^:f.=?@uH Od 'jD-'KDDNE` mUcLGGZQ]]-zѨjyZVZCdI^=㽋b[;A.ggT˜[w/ HNK1I[g xu>UVGQake&sekS.-:=V!QsO<䣞M<&amY4r~gQ!kжT 9_,䤳nթ\tՃ,I4a#Ug2Q.k@cM9vB_ul%:yv:"Kj~B;klYzIAGi9eH+. qQ]xf׼YuDJ3r7"/##pDJn4`DZ#HC ])^}@>Ăm_0 )Q$,jX@ЏGx!CiBa0,dlxy|C\rqI?%$p=ЪM#&'ivL _Z]ws#㗮ܾcì{\4KUkVUYCJݟk+]>L҉9cwp=_""ZM4H jDk""wzLj4D-$bE@ @zAĢ-ifY!YQE qU?=>WS^{v~bҲwkm,v=ϳT bd28FO۟fNg_]tSy:7gn3"wnM(- H~ Ш֞٤OV'<1hZF%<0F}/rdyUYŕ>:iID[΢BddK#/Y\S#f -k߽..z=؇>\ZKDd~zsC7)\h&y52opkU(pű!a ٕaT6>ݨNSs˝E5 {uEY""46[\jZ?d= [~| ]g&"\M{%oۼIy|ME]*MVs'Ms7X%E3,U+_UR!Ůb]\]Qf\@AZ%7Hș|f[7wS7wsԙmt?5k)Z']ɮG[ @eEVYGD^a޺E j?g|cNy˜(<'ɊqU{u&|UJ.@y:'^d 7{:Ϋ?*ӽz F=5~ybt'WAO*BW7K@QMf' p*W6(ClZ, pql(v]m9iTu6*)g^/( VY|[zJ׺H }l˩ YTz9`߆kRw?^轻bpKQYl*ߠaU7H/Ӝ~B 1,IRJqU`4hls֝G}ו,y 'OԔ_s/JMo 0!bp `ۿ},R "\֞B3jJԪQ__gkl-2Y־Hm8jDM> Y/Y#i&FE{>zjD0G~MK*wtuh&Zvr'Dx;fcBTe9F) y&Sqɴ:NB;u˟Yq,{ҒQ+Έ$buVɠu Qw|䏝aDA {ē+?^$r3M3>nnD)ř8_}2c+im|T-K'XXQk$E~aU1Qy9hif><ȵKo^KN p)) ]11@Ήꎞ]==ՂphBFv0ί܉}i1cuGzL-?;c Z_N/l9p[RTg$՚m6Y&"c*^$yob~fFm=:8'ı/:Uzpa1?R`3m:p ")|or=㛿 x:7\h6HcӮw99oʼnZo'/wǘMV[V~EvnYnC2fG?B*o?l #FĈ31^H"v~oҔj 7v+-߿)RSSV!*H(܃_RDFľ[ݹ[kD!hZV1z}tDHHO.@^7Z~GjZsp m[z^.$v A`G@; ^%zo^TՏ;w8xnhӁZ wL'""lQSM@R8i`(+~Z]|&vd9}Ytp #H; #H; #H; #H; #H; #H; #H; #H; #H; #H; #H; #H; #H; #H; #H; #H숀whN࿁+v A :!-=MuX֪ ZE7ǩxvX%"`@12ji%\h/vK+ }{GL9*Շk~]p]}XLw@4 } D9n>3': #;N[Yq}=RB  #Hڽ.=z!LH;`ܧn3b%vJί^ 2Ў!EXk1/c5yX}О!vEJ]q3u :I)O9Tl[Frs'vYhߐ@{Ԥ&:DpDDwHc~JJrvE}yh@{TWѡt+SƽWL薣/v?!H9{:MVL[.ퟀ@; TYQeȧwd<|s.sN3?5W=acY2l so["1Z>ٿ>]>Hض/y؄~ti  8KT:xy""9{]ޣ<\#@{#x zA;rt9=eZrY tbg~kp='O\3p0Aܳ AfB`G$v @VŊ$.AQS3!h}Pwqա.C5nb}9N]Z--UʢJ\*~^pwUQ4hcQ$Ƭ &z5&E62F+Gn/F{q h6EQ4"=>T3'"$p%;Ah#ѽaDaP;D87OoQ\; #H; #H;9П/WRĒ?:gCP5$EW-V!")e?1 )uȪUZSKM[+wyǍSjTEuU\‡vEJB3R6' ЮYv}vG'=փgM~u"_S5o>jOѴsz$>bwy7zi]}]uI'~q]s9{냳bȬ]WmlG-2qѵutIڢ~XGOTDOhLSn̮5 kJEiU*^`ȘN7Z8iQL2 4B-UcZצ.^s~#id{ݝ7G,U_Ec-? _8[w9_Ϊ>6_7w<3h_VA\^VN^ny~sȚ:o KR mI(CO:ԥ3S͂ѫ'DsŇ [˩vRqd/?Q\˴NaxhL0߂%^(yH`΁]GL6өFvc[;t<5oy 6˫U{I<-Y gsDDy7v}f~LUDg(e;}̜J 6jQFDJ?,ڙQXiz婁ά6b1[/_Aц6DEk(s^\Ը^(/}3ߞR[Ĝz<EwE/z7uwx2"pͬV=TqFQ][fiԗrj׎;m×gT֑5(n ױ VJsjM8 ACRW_^|]ףR//2+z؞M;fZtFHk:Oc/hSE0n._@] |Ul2 D6w>[=E?n,Wָ:1"9D)rtQɑU_-⻠cdIW{LpGxs/ۚ+r|;aoyv%cofk~i"5uW9W&Xg1@ R* Ғ%^YJe'>Q^Y-[ƙ=l̲gM79U _➮{Wn.Fx0"֧mCaDVU6j]1 *G62sRBarGCݭ6kWlrϮbrɥ95\`XEcej}:ɥh[I"_X)k}>Uþ{̈S[=_3V #[>HL*|8jV5J"A!L"s8o69]&_RUeB$ek xxɒSNO7dİA<D"k?;),:s2ңy_RKxeIiif^ўN6^:8?5WĘoEMDDwI̲pmiszeGSsnQ n+t=Ȓ0wڴDDL0N}ݨ<~1܄C;`ݩN]1*b.G8wOOVUQ%7WZ0{5m>ݔa6xz:Se9'W':ZS4ʚZf$О)5յj;֚~2>ǙQV*D(Ĝ>0릐3]*ف1~x˪~̪~m|JpqCϼ#ĉ孙˲L<aG-J6Y[b:J#R ȚU/)6֕!DO|eZqpvpTs-]sf޷ծSwǝ1{91*jKqG$)T)]wZSH\<5l+E$g<)҂JitN":XYwɍ|=:YQ1^Iۣ:X%!vL!F͈8c6o< DLQSmuL{|M1wyWG9&xF Ndf(#n%/08'%k%^9Op41 C)HR:0؇ot8'8XUrPETjUWx6 )\ŷ0upzа _ZM93NܰyƽrY@wEbgRS`X7UM\HSEa,Ǻ\kuJ_j O<ѯKtU\MhϔZ3i*FD{#xqDDF5u ?>yb]Ifk*.[jr0 L}|kluoK jN-{%חLkc)#gFt:g~:G3iolqwꉨW2cgN2{Xh }[;4(7.9Orޡm .H)0h^tHrIª_{GR3ܯk=[Qm⭫[St] 5r.|λG/<:8ȁ 3Oua5^M/$2WfSH^O1{F*HOqG1/\FO[{d; c^3~dz}! =(o J]{7pI@{HNw=Ѩ"#i;Oa/[-\.gncwV^wσy64zY88yGx1w=tM'̕gLjZﯽyaS/ &r zSN SQS[߮p_Y~_!hoO ~^7%ղݡ~}qE Oi=M`HլBe_/.}bF>:}ZLcOTSE6զ޺5bЁA tp6K+?,XjY;yDŽ:r TqXB".{kKkeQ}U 4jB V-\O_$w 4%{߿ǖģ*cn&?-Qxؾ[pf6J6uzݻ¯\[׌? jTYT\+!e+Ivs5ٻ~_1ྠkW:;ڂ=˷gUO?53,u ]ʸ&\ 0|A`G$v A`GJMZEmj-mW;.@p5Nӌ( J 9$pG.};+H; #H; #H; #H; #H; #H; #H; #H; #H; #H; #H; #H; #H; #H; #H; #H;?2ٖ8IENDB`why3-1.6.0/doc/images/gui-3.png000066400000000000000000001233651440160026300160620ustar00rootroot00000000000000PNG  IHDRIDATxg|EgvzrwR WiRIdž`EDTP,(UQ_)4H${%v$$$!wfgffvJB!BEB!P B!Zl B!Ԋ`!BV!B"Mk}l_'\(s %`-|sX2!BHص/UҸ3V>B8'I9_J|I\>c9!BW;t׻^2ܶIo+m\\lLVZqD:ܖ$͟|!r{ Ϛ5E>}p 8ɤVo|͆5gx}-}~۴G?X=kۗi!B{p-W/Kj^1Φ1٪9YwW`[_qo$1}f.V |%7(]Mu]vfz:on5\?v*߼`ysB!zBݧ@ڵݾIH}u{WhcMk>|5H6G)\~@udU)uWPQI2Fu5|גYdȞT6;WS(y͚KwبNiŗ-2aͯ;AToҩ_w'DZ+N,j9'͉|Yåc?~~X3@̷_Ѭ} /9_cMyif8>!Ba_- F a[{퇹 ٚ?czeŇkk/Tss?Sn_/yojBg+=7eúYafڽ.ǹsdx`s'm/!+ϛ<=wͺル;yՃTpeCؔ9vY{3Y׎(u00@Ԡ! gǩ(11*CbLmA@#uBc U򕫅c>]쫏^%jμ_ D!zs@zS}T?g&yZRo3vD.zdO-kQsӹ^r(:&pK,==28eWreB;kRo܄Oz)~201A"0_{^ttl>\GxXvDiQTT܄\`ڞ^x@ПY6ewlwVt+p u&mqv!Bo @}Suo"rg꘸JJٞ_ToH5(h7:U:qgm{}$=C̄Dmώ7Sp'd|~+n;tJUg1g(%|\Yf Tvx+C~ CwWMvrVtJSp+^QWJu{Ynwc!B50ukP X |sy{{߾_#J飚77,M"ϱ6v|,'y0N>=#yjku8ep5ǫ5bæGn>7l6k) YFGE!z8z:(Ξ,խlh8?"">}ÉD*uy+ܚ|vdTוȜCGoZ܉UϡQ޳ikkd}8מ= eN6aញum\3^Q%BNtL /#B=ME8չ'lEUNOxihYիWo] '26~&r}'g:؉*c2j]Euo?^4̼[fv4͟/0ȃ&4Mn+pڮHe#3^ISFi:JkMYq痵[ ]'b s-|_O2n;s@(8mm!fNBiU>~Աnaŗf߯y*AaO=`6JajV(R!{=Q%Q%~2KKYu[`WKm=?.s]ߚ;psG2u"p0NwXOo/z18a\r#9ӥ T6!_o47wB!zHFzV@!B W[B!BB!BvB!B;!B"@!BrB!j%,B!Z {tGGi r]9B!(1!B"@!BB!B6B!jE֒Q_-'vaci$-z/'x!B5ieU<I&6l:s^_g Bh-o'oQǥ*ogA~r+N[X01q lFg:B!zJzzV\J/}6^H1ɩ>'3 rVZ}lr3G?{S:Mi~v`RS*u/vPji[`n?B{*]pooյ+i`ҳ6乘l5Q:wի!BU`*UqZnm*9VJuJGDie*&RJyɖ1VD-acB$y%-~dL!X:(8+X"oP^VmYl`XzPyo'?m0"ؼ25 1wtE+FV&؞ciU򪲬syClkr!E*L\KQRM]1ɩ1/3`$,%!@zmk_ Vbbg}su㠄0YGCNπ蓅0X|PQ^V0K.7wɚ$Q` !BA 10*jqq*m\|;MSyֹȚnnRPY3eq*-KK/ %^rwVT0=wB'njރuu6|_˩X ɚQ~-3EfTQ"9r˜q瞨☫mx(ȼ !'@(}gBI1k)_S8;p7P Rz:ԝB/]#*m=iT0mL I:Ya/B5; cWP\QZQ:hdw'Qm OGghJ5Lbeo/IL/޵1Nfjneߴ˘{9# 5 r/!Uť^(V l\LKTƒry`re`}1:s*edV)\ZYY 5(;^_ce#&`f&%bm'!`n!': $ -9駳vgt =жkʾm_Z|n+c^I;6XB5R=E..T_tٴԴN"*@.Vf̎<_BzM& Q&K)*+++J*J/c4hvuےȘ{u3w?̌@u_"'q\wNiIfVՆ܌"Sht!#r&7 ?(AZ"G(S=4X, A' j2_O?s?NtlmB cÇѻ?Z^J-ֱV=^]j,k\ j:B^T.bؚN̿} P*)ĹC7֘{"-UHyƛaKPW ЧHì-̘*ȝ;9|ւ+%Y*k||ƢL5YZ1Pޔ̩BU.qdsO_kEySǕ=}L8j0;(wzŎ:8E\lD=J|Ž8M~mn9Ď8!uU2 YqIg@QY3Did:8O϶&$\~Q ݁{rDWhKȗk +oLR([Y>U+ C:xMyII$wk+ ҪRO5ZƗi;IRuVF ؾf/=?.O:',2,^J9(wx$Ŏaྈ 5O;qb6_-ZWd>cx'<BqS/3 fҲrKTJ*ۇ9Vg,;u?W*.PMPp͉%i SNܛlb=W˫TWZv(Q*|51(;2S(| "#&N\]44rZY8tߊ10ƵgJ3S+w_?ogN]=d>bG=Xl2k&Z=:_m`MV զݼn"_-}1+ @UǾzqFV,\ XtB>f5@ƪ cD6%Mmm+z+ܺg~~Wum+fZs,0;W%R6aU.uĶu;i,z4#6ǿ+Cp&!~}9J~ۚܿ&)j̫K:Z9Vw 9]̾NՅkS!(bׯ?}i!2]/ۯXiv_O o_|~s.4}I^u#:z\/yuQw(Cq"#G~OkXG3R_O0[|}'ӌ9 jcqb~I ){T k):)}͊+':B=78}.nY&# ZoEIüB~;>~Oys>-GLfDBL!6'ԭ}Bwi//8H+0|jS @m¼NY31bf0,PP ļ׫szO&ΥoC:(!PgD@%._M`<,f׉>ܵt]:v9w_"`+BWYA=)o<<oH?5ş=mpID.}=K=?ij"Uj`\p\SZwsC\3ʟϻ_*qpd?!?>Lb_[z"2N;]9bYێvAA.bݩg}%}+9sJk'C?'Ց&ĴʚB~侣W'%݈ҀmM̷ֶnzW%k{?OG]|1531V۞"d@~wJt̕YNÆջPcQt~:9i~iE7oL+3{xIhKB;%qú[Wܕcgi];?qK #!@oT͟82>S~UyO{iY}3w|2QBO_oZG-=w#'ֽ џM߸>l޸k1uzwAD\՝?l/+5eR#7|_ٻn,u=׍?QOr?B= r-.ёmxY'X v'vX)!s܏wlK!9+,zFQ@|tdKL} M6 !xJM8|]B҉ݺZ~_1ܹ>5wm slݢmf!(-_}:TByjN PJ)hc#K!T =t:/: utjj5 Q8gWېC/PQ((E?&nh''u:E5w3b@!tiPJH+ 61xŴFk R nleo@i M&2"3PTQ0ӫFY B!ja|Duh;}cJ9D,OHFj2"I˫cJQ|Fcf2G3; r S^ɔV؛;Z*% G0EIﲄL^ϴW]aR~q_@jl! BGwF~~]}cJbRKbR`x{ҋ_LsLF~4^M3Ƣ+ b4RHLRTTeUHds %WKҷxY[>Z:pG™21~/B!XMmW "bxRJ <lHTUF %,<1=]H)oj]v!t&fV H*qKi0sS'^bqWBNzzOWK)~'B!hMm\N,+yjQJc2d^p*P=Wg H,z YuR*R]k@@q`nma<5k[}{}nzף9Ч۟l8[ ʙ],L+[Ke xjo?TqW]zn뗌p/G7N9 Y۾[GLڥ#N,;%9}K;sx.Nܗ@)hvMvvWk]Յy_<UcbBݮc**bR' 8V,b)2~ȗ1vfeZJcE˲ /P0*#6xˆƢH*_R(R3Ec\R#mD7xb Pq/|S/5c[;);_:G0b͘_FIܺ-G2"W{nW1ա m"}twq־/;UgxSK⛵w1L@q*Bf)\8k0D@ztQu̔^ٿzӲ[FLBG J(BDq 1bK )gF_g@Wϩ2"qcF^6oNf͚qYfݳQIdN"(L}+}u{Øs'hΕo~ńp_Wv-C[ו[c.vUχ{{2yA`;jZ2 r?ml 6cALr՞Zl.]=:c쩋^P|\ d=ױGgy@FL}䏭g@l9d6zRO9~B!&OJ@oYs,sR2F',ڟV\eb0͞_}…Ǐ{ ȁ(_ p{5j_i5WVP㍫Ѫ˻+@YkaJhMsXc^̍rͺdqmXe%! Ak_fuʿ{|é+q;buϫ'Nxtb!Szuer:>#'B=PXuFTl%pPs8Fkb* FmR AN5se˖-X`ԩ?K,qrr|%#i`YB]X=k )c VwV"7}oPhpנ8/qhPק.0 1S/)_)SFrS&ci_ˆZRB=y%cYSXSe[RBȥt5C@"b 1TTTѽ{/]>o ==/436H J ԷCђZ5Gv\5 sC1rcIKy]|Mȳ"fޑSKg0aOԡoPi)c͆o9+e}HxSDD!S1nf$:L18I^a?z!0Lj9LTo+r3233[hJRT-_I9)_!b7zKVgM\#")#u%#g?%kX ۗ1r3V/źwbsn_|X7/AC3ѿ{}[7.X~-tҳ^XG!zL4L&mi6f*BPj)s ,Me*UQ^r*Jϟ_0<+W4t%<^C;mt΀e:gǾ?ElFS[j7i[an/u~+`ōo` -OtZXemQoiXv.]P'Ll3I]aix-rάtkysȅO1p>Ȓo# ג+Fg7BJt!rMBl9|}{sR!*(2s^5chO~ 6m]&u!&NqR8iEǘ:;ɪrswhyIAЖ)ksS#BfhB&wLt6i{Ɣ!(PޘWScnxuP/+++B.Uvs~QҨc[i?^l}ou!l%Tߔ[,,gv#uS{B⊟?P*6߀ .@!%BS]rbS $^ϭ^!cNdaP(yxsZz?!?~s1kDx4R`%5aoH_LmP8]L5 _$wWftϏ9s_|Bj$]~X< &7/ q^k(ۊUU6+.8Z:dHS%fo<'ciͻ4o˾ʤ.K /$Os/uilڷ싔Ju u9n󛕢_ p'I*8½O]zPw[x*]7]< QLB ^>ӯ>=Cz 4&kg?˳NZZYq=_4nҒd,u!qiW׽Wo'6Ծݪ86LfDo6`-{C1u@#j `0 "sTjהcj0 %ȜDŽ $B Z-|="kQز㳽j=a^u8.}[ ycy]qo:beYDdb1h e^),-Sh @*L9U2w T[J9%+->3u&3 jJm%Gfn<2}?NF!4JF^`RjN']O-yJ0gTd==:E\noAb(M4zs@lIC0S j=h_[h0s=k!g7:mgBzLZ)2)H XF1iy}v^)(mV8¨يꘄ)5査QUp. ;W3Up-;te_ܧǯB7^I[vr܂X!gM`4&VZ*s{|^`lc2+,LM^o5+RSn溩PPFz=^#m4=%5[><}aczHI)l|F)8F"fSr,eBRNy,0j$,G# KXSU^UU^yQUYWUܨ,!#h ci_ޙK񜉣?z#B-MSJΨdNj@1ZWY6JCtzqȿϲe,XPPP0uTBȟy%K899TY[Pn.P=*KKYѝKq;v5 P5*SƞOȮ/ݶU9|ձ$"m<#H,ӧy`򮡇 #B.@ܔcYSOr)]qLUTThҥKUV={/^OA*2 +fXQ="6()7p]ηCsђָ9?ur>Bŋ9m̪[@?:%zE1`Ԩb[ \o !jڛB/38I^a?z!0Lj9LTo+r3|JlѢE*JR-Z̬.Rf V@$SҦ vd{;"2R߻^Rb~g ߞbrZӗ\ia QǛ-B!6PKl"B.@2l\WwXx:e!@uCT1@R4eTEœ{Ǫ RCh } ~`BC;mt΀e:gǾ?FlFS[j7iCZǛ-B-I oXOBNhJfۣ QAy)u0 ,1JRʯŤlB@SSWX;*t mST0^ӝ=Z%!WΟ}HxC>BUxvklwgӘM*B>|Ắ\.KLoW WFA!byrl^FzNQݽLL-8*hDs?Bͣ2 ntwB!p XYYMblX)CQ:13<+`뾡^VVV-Nlma XHp, Fį,Zz9(}B5R&XXX<%)'6X|Až>A&6n ^8 6blIݿu4ˮ!jfB EcF( R)XF=ųUb1 BM׳YU( EB!G!B!Ԋ`!BV喦\<{$>#"~S&{tlL_m7yN\@H-oX1Wo,⛔:<{Bݡ9%)qxXdn/zP"Tr.²!Bh_H"QY [ uKK6=v|Q¶F-\H As i/--JX7m_GKx˜s"t |v3?B]KCU Ӣj}f!T&ssnvqlZUBy0 asT]|m,̤RoZ惗5DeЄye ̿?y"4?1'wBOa[skw]̹\[Ov>yǥy+3RXa-M {+ UQKSN |ٮW-I/ry^~` Ϟϧ=]Frl\P']=1~XQ}~=T5! j~~L} 0|#@@/5x:"P?JCBn+NX % q2!n)國prmRf<˻mt{xwZRe?t_ʼuEFVPE<`+ȏbbbmZWoxx \wߞAmL`qy%@@@`Q}7h< jњz >>"e5z02l`" T'P)>nҋoɋ-Zx}iRHgz+9ʲ[f;f񅃳k :p,A`rŌ$i u\+H&Hʹ(rtĒ|#M;LYVLc.nK}~frCQAW&͜t5Jao6nB3GtC^qGe00p{U ,H)B%kjR[!PA ' KEj]Cb>JȮ\x"}&%:B( ڊ'BCC'O`/ܼjJo_3w5h?O17Nn0x&uꃏgikM/ YK8y Bjgd!]-iY]7yUc&FM :Af) YRߞl P $ZW.惆xﲔ(ؙLgOUqZ;RdSO=էO>LϤ$\*yOo=7R jRrWF}/ pqObD!8K=|Ag}w飀NP,Dpa 5W}9sRv-ByN&/=ûˣ͇B zA0(@"KY޿upfIK=2!G}e['Ǐ|zK+uUکTĦ;}ܼ` Mp@j9_3KG|zXǰ&w'\]w(Ӓ1sOMOx|BPpcEGڛxBqDŽmyY626BerS,2cw9{~,b}i)0+*jwY$y |w:|Ͽqt` 7pG6h 0 m)@m?/*B Qת*12m2gT @c>\f`۶Skjj9s |NYU/x J4Z[+5~Ȩ~k!@d6c+ߚ8WV9`_kmvEmu5] `0!8z-]<-{ Sl1^_3a>g9sbQf_\BHھƖ%B=СlRڻk3eƒZ,FaFVՃNc0uGV{@0`m<0 `[9F!(NxϫG.v{9!R^6SVgW`[-cB|מ (C_z`' w/I))kW~݈@;˻]_5{{kTo+">Z>D"ZVfiX?Ij7S obl.JSc15e@{IqB!V.@2ߝkcVimY!$2TH=E;CaV0nEnZr (Ĉ-[,^Ō-Ws4 Yeݵ L4= h 3KDv+X/s+3.{+":8'lc?qzퟔF!3sr!7OuebA!$kjeY/a-m*! hEnr3C&VVŦZ-q-͛?H-j>ώ[W4m2:I8"2!sk{K>qx2#O̥Tڢ+?)..!h\ӣ}ڏ+O&.*\RQ `X1aYəaok?(+W7Lt X!m0x[+rU72䈓#b'4!P+ BՐi M͹`enc±" ƌl>xaiE=lFxVl?mZᑚ2qv6@!B,B,,,ul훜70F q<۱BhUJւ w$8D"A!B\B wWHy_FS]eFP(JLd2L&نB!9ycYVP(8B0X5ۜsA+BFÿOP bMz?;B!ecA ck5#kfnZWB] :A2b!DhxHImM.`i BV#%fxh @* -;PU!TP*vJQuaɱGE)lЊ+W?n7.r씿zBjj V]8zxشR+k'bWӮg_aa* Ԅ0k]08u lrquD wǪb3&=E Bu|jeFaM'H0YsmD!>~5 %""q6@BFkj8[KMMDW=픒W t`GzO2r)9e&r֠L[UY Z :o+|V$`w,&V|9̻HˡRYw'S=MN$G3g)IlVgR<B!ݚjT>yjQJc2d^p*P=Wg-0RLguWj@7Ba:UWo2 7[t7h3 :OoduF9B!\R82J%bvDMYv"XBzec)ome :WTQD!BܬDkL1A(yRB!Pm<h!"anNOxzY׹R/>SeD"( #/*˽ NZ?% 2۲Nn+I!j1ѳ5cٶ)& `mKŮkEB!jY<˰benTJvEӊRQ%m eȷR=BbwC1̹d%OWl8#T9Z!2?R+2PmWcD&}#';b`z-!B6Mm )*x[$psl+q URYB@@1OYb˽L-̾J з,KBum*ĂTdsP*׳YrAU\*d _02 Y}LUOETw١w<@ <0$:eYVE[+`6OF$&"0ܰgg~:՚|DvEZbGKm[v%[y{$^^cߞ$ -b<DY;c?{'- )}iW^`3rW&]TKXN,j3iZ1Utp1Mo2)dg`;WZ/xg[Z"hl"(X g7}c!p$83XhǑOkPo׏}#BO&7Vbb*P:ЯYAyUz᣽AD"eTU~.2]&MmZ2Zm#;!"M[;兌2їi٣7tsU r_o a/lQ`|ݕ7r;MO\Ri+O r,dٖ) zZ:!hwUyg{nsh:n01.PE%|0maKaiu/۵؁;:m {7=PWj=5ԞvA{Ҡ3b ),M ;yy:w-)sqAX@Œo^%dX~+s Uz #j'B EP 9aBؗBCi!0.l7pK!ZO~ê0 tBݬ ֛^!D5f⣰Y7Lf/*i9>A'Ls~ d&LUIֱS1,<,mLB鍙yYƪJT&td@Z "ENf ײ@X`MP_^uъ5#!78AQ86XSmrzd;ԖI,ػDxLRl?gyVͱndWFh#z޽T`tJ[W)c$UN'~;çk@뇖 w[Us)D/?I30Uu-oٳ"l`zx6.F,!(8 dxɇR@b?3ؠ+fNy0vk\͗dy D%wY[Q:x}5I8$ЌNsxПL>2(lČk~ 8 ԮA 7so@ po5U,Y ®v|hT66Fxa XuWds/SL؀\UWam*|궄b%=-8֛ZDG<F,ZHLmy]*Y ᤭]I[gjo͸I/[䵣:C nZ @J,$\!ΓORU<# j!OP̲T-JϿtE5m>B^|OG{,/"~g߳[g?FܝrnY@ tnaS-|@f7Kl` 7 &}Nπ D@\]n6ogy+6$_D"]Z{ OH;6[I#ihHq;uГ{erCj%ZyLBAdamV#"< U9%BScx mI澷'.>tjo pJ$JLAbH{Tz&YS+K2^1KFO(H]F* p8R !O=\ wÕ0w;&]o ߃KnKj>08OKrݠ3`i>xu< vq;u #ZCQv~<}bDd_0EkUF7{xx+YR->%/"2.RcfFO./uzyS;*@mx2P*7iK=MW9?ߢ{nossxu9ȼw=8B?v|J%x(iע4ϛ/0mjW_bb.ʴ$ ;N>]7]< QLB ^>ӏQ{"jo `dmնOʥ/O%)등۹RF0|lY ⼐$αm?'}7AC`e0v]8}rWύ ISa5(ØBX ?O$}xQc{_K7¨M* p eB'}Wn`rPVp}ɠmWRCu2TA褥jLX6f`~Hxoo==@ZzXt }??s/}wyÑ\\wytZh}{ .] =}{5r⢶{@`ޖ˽R)N/Ǚ@^ 3Ȝ?w9Q1ގ0}Ӎ-J*dp^J*^g(doo*d}'0dXF\ ?_ok#Lҗw& }o*aONDpFѥ0mWR~o/C$$ sGbXNn>90{ P ahL߅i/:G4 9ku~`CZK=wm'|dpxGd0 "sTjl43BxBA.# hLNNh*IjM$=l|RFٕn=o8>GjԔKCg$z[wӇFV=9 qMUu =2߄߇];5D5dQ8ޞq>mjE|g JIWra&fxh @*{m>;ڟ@ةw_wU[,EE>V6blP!E+Ɯdi)\Dz*q0SX_G"G } pB(1ҀzkF)g@ތ mwiH~[qD wDk3SKyC[c.郼V[#H5]z) ƢO Iő_։+{{9IZ_.U}1hR3~RWyJ.ia_}[фL~,e<юͧ Kʞ&=Vkp~&2PJi72fYzKҿT|us>틎?Ȋ5cF]ߍVV:{Ûw6%LT^# \~bv.76 jau.mz B J(BDq 1bK )gF_g@Wϩ2"qcF^U65|_1{(66ŋ meCbj_mfbZWKƫ[cG*wo>~l*%7ίn1? &bYޟXNfm/X:ՕR;bX|G! :T~b\^zu@m0vOqb3U BfsBaPSE9#~[bvB!DA <˰b̭ZK˭n1,C F*zU:1hPWD.mM"D!eq CPy4TEo_m]M^>F^xO:~4uI}0;f=(!m׻ǷGkqV8%B!:@)cRL BM8Fkb* W" :RfrK?Fbh*^"7N/v),X9K.jRur)C?l L{+\L"1װjZu⪘,ܳuIL: zL=5}0e ExBm42 zpg{M=%l͉,έKWK!j}vpS4*eM>BȥtuTF"w#12 WQS}GwlG!tszwۗۙJRBX,y۵ pBAqi c,ֲr?1MWy|ӎ0,Ky 1umӦM6mܭP"#D_^ӷ{9G_z d]cVŮ?h~ɴ;dڀONGVw~ϞN tAJ(צmtOsҙ>0gg6,Ls`'6쇷?{l L{hYZTuMvիbA(ovc$<\ňB5ZS2l\WizO3%"s P)np,ck.S'uX aj0+&LpkL0r6mc\5-ܽ Dۋ 6_!0 uwT{f[B,@'=|9O+$ faqjW~sNۻ i:5{4T\:{-3EűofMؽS?=(ڑioӔ;?<>gбk+m1ܑ:@9aAAS6"?<`%ۍB,-coŞ-Bs'{4% FQ^JMXH%Ybe6_ɓP~`HKKۼys+]v7SNU(}^s.x!B ]QJ+++S2rbS ū ž>l/?@o7GBe0~O< =~ B!t_WP(|==]{t,h4 0 BTd2?v!Bե;,P(qX,â@!B.!B"@!Bi.@)2-3Z_iJP18Yb#Z>3%+gA@!5[.$﹒Cx{u*&0|gocE5xL^+%Uu.)޾-Θd):\!iPJxuTiE "U*vwz!\v˗vpTH$&6^@J1\}Sxj'-;i7:ü?F΍=U0@+EFq0ȿI`.ξeSqAVcdrb*?u"l;. Kn9;~B-SSd%VrǤ넅G(@_|-oe1/FV w^|fz|}4QyB&C7F411}>g?cުxZ2ꜸK>kFH Kn62M:L`S<ѓbzB: $.5y#!BvգP&m?0.cjU"e5z0@uŶ@xY.ko?+`@u O@`ɋ-Zx}iRHgzѭ+9ʲw^,2~5L:.Iy5ACCm y)o'Ɠc>p=b7\: }G0L Oh͠&A.3V 0rPx#jVTct CRZ)R.+&HIʰB (ɓ'/X/077?Zg80:s1{W3x4N3]Wxut?z"7n1nE)y{Ӏ?R9w!"uͅt/ ^moYy;v!~G!"5/ZW.惆xﲔ(ؙLgOUqZ36'SO=էO>LR7KZ#o魇SJ@wTJjӨosI88ۧj.vOqb3U<ѓpeָ6&"FT6VP)<- Ce<<,3gw=Gh\ C_ICynzznaŏBUhQA/F€ @"3`ߢ ~h7C!rRR>W9}{I?~|QQϟ_W!&rZg;{<-Ձ?M l ڞXSГ2Cgn;\.ty~ޒ[ (In~\٥RJ9 Q>Aۯ\3v cnBq?ڛב"CgΦ |ZPqyytzDL&DHq~=|I )?r5]٭e_m퓑G!:4W_)y^rh JWw&b }ډ̙UaZUA<қIEpTĦһ6pn$='m6N&!听5Pɍ8lQ}(櫮23_qpOք #&];/o1nOqTGLYo庐QYO- 3=Ԑy4r+Δ@+nrDI\ncϧz`K Ko RMvazBqI2ݘB=s'{<Ӯ;=)" T(wYj R'kN̿Â9"J$+uod֭[#""/^,9.j߱s);<bBƚ\8|k0ЂH {`. z]9!MZvq B_oS9X;+;r72,NdrjTꂪ, f}##vVOF9:t_|E=Pi yw^o)!U{a\_\hg1Q]؊˻Evb=e#b}.ӿI@B!P-d}}_^Jk; !Bj) o0nEnZr\}DDĖ-[/^\@3J\)h/d;FyR&@T™kiHH}{eN~%ce%\F3Eűof}L'B!T6Xr OƯҀ%7/v3DlneE\ljn_mBRl޼?⮮xJើW4m2:I8"2!sk9/|<B!P4,@rO:ceZ}[**ѓ"+62+098~'޵m˵r c+ܽ-ok|UJ{F曝!Bf BՐi M͹`enc±" ƌl>xaiET<lFxVl?m{Y!/hjo B!4j: n;[&DE/a9vP(ZURiG 7q&&&OJB!4rBRWTwQ(JR&=L&dx!|ΡEo}Hl|2̕bA!>YU( K!Ԝhޖ'*_환M~Uk=BF?OPK`LO|mPG'O3^O\BFB%t Sܓ2yha B!1>yll^iK\!j<j oNtc'VcgB56B--kwOcV&IDAT >{vޑ-BѰjV!,JM%ŒA! q+KDF}xҥEBA@<﷟4sY Xxu~",BѰjc !jB!P+ B!Zl B!Ԋ`!BV!Z>3sѸB=!H / "N#EªJ6xaJ~|yd):Z!hx!2T6kPSJ3<>I#"~S&{tlL}Wm7yN\haF:+oB>+PiI~ICF#?]>i,?wŖqXXߧ0`` cB=Dx!}9inEGp,gK&[xKDuWүV4#(aݴ=g"WXsNDԵ [Z.qp*OKF]BM+ Z hHjȃX,y)Hk1&'<%sqNM1lrzywѾtnS `P_J쇎Kcw_&u\D)ÞPH\X 'םy9ݭi>!Wcm3lP9 IJ zIH_*5jgowRoօ]vr%2vAjX;ԯKw4fOȦ*ێ8`%ҡ۸;w"͝> 3݁ƄC<ۮˋAmrO\YMYH~\gߧ $7_vH(|G[xpClNYo[R&@.҄7gFm3- $@SN/up}بRm oPTlЕI3']R[52 9|ԥo֦(p:y YںNy[Ehz7]Фu3lyL^{2ěoEe\|8yNun_0n>ͽukg}„M|7^|wUY' ':w[xnnƟp@~n܋="瘙c]4YHC' &xFB ѱeZוnq銊YI݅iUD8Kg!̝ڵ|Y S۬;T -iˤ'ktʡ}N2V 0rP֝{9[gYd/Cqt|6qcAfc 6f?1.!"HNOK\NsY[;x Hum!u ?\X}BM}=f-b@­ W'}! +[L^{wBl:d'kbmp9T3dE\DE&$Ü~1d,lⶣ rKc~3!G;'9/E뺻Y@7c6=j9\}b:ɛ.@ # Rks3JV|T OɋȣԘQK^mQkj 6]ЛueZ[VU]]ڴRX&U5禧>̠u嫮F>f˟+Mj,#o{EqlvS6ӀR @X(xY0}7rw0f4lWH1vTD/"D4{ڏWߕK;}442VoP= SVcii򿷜unMa]^[wSH1ڛȭk<8)i762V?S ы`ssVx6p+K?VjhܡmZVoBZM·_7DbLQ^=Ǽs͋nrp Gl֣96mgOٯjxQ+SJ(?]Fgy8Ծ̺EW/6oӺyS^]G/4NAW"w\o2h>y|XgyfC#"&ЯK]}{?!zQF'cݸq){BZ.lL0݈N|9g ?ۺ5RKsKQnGMQ~#YG$Mvs8~ZoP)2Ld"w<ɥe5 I])+lǦ?>1ob0"٬[o{`nN 7_;u9P-yM;C"l7g:w΃3-әL뷞ZU`3x0LkZ뭞wQN!@C\[6Oӿk` /W[>qA^q>E% Rփ׷៮OִGB7/|QwZIp5E1RJW6r&;FepبxEDD8 (g}D*V+a0^>8:pǶV;Άj#E)Rgڕ[vKa&;S3C8b6WvF~^svV}#}2bM+Ǜq@- ݣeV!OB-B4h!]}{8_zRyژ]]=ox/\[,E?;o?]T;c"0![Od^Xy'9OErWr{R3ǎv=Rsצh%opӤOeqs;i뱴'&/?4)F-7<ƩlI߰{rjӞwD|惌%`9`f#?Ҷ黌)ISgu&+~[_|a}ؗ&@GZŶkUFM y!@ 巴bj]3aQ /s)>}^ন6U8y¦hl]t(7*9e5 I])+lǦ+)@ 3f !X(OʹZ2F J\cR^'&˛J,VbjLJyO7YpZ]fS{S50 & .eqA:8˃ǘIk`֏d5ie v3CjPO;Br,F9o'3/)WB4NUPC@C8k֚OٷW}tړf,|mu>Nҿ~uJ]߉g/,L^eKԳn8;p#Z|􎰃߭:;t587gNpoڬNDD4Eְ-!noeprD-& xz{IA^n+.]|υp"[ 󋼺."-uݖ-!g4p&{m""S <ݠW^X}f}W̉3%ݵF9F/"G-i:[)@.lг/y |zfҝazۉ6qn p6.AzC^XF2:X>yo7n t 70!pzn"B4hAqsUrP مVw9ą40H)Z&IYbE6f2B eY$"0pIf֦PXRR@Mxu.FһCNI ݂?TU5"Bp5%E%ʗ. 0"pede!`@C !B4h!@CNNMnC5+"mrւMOV$t7_{H(e.8`Xe9YlIDǷo\ VСf;}cDD=kcypG*OjbqS*"&ٷ^vSZ%l4gD?:X"lYg p}ݕUvJkl;GN4IK^w[/]UQ=aև v?u\܂ko]g+܃{|_Y̺#pjjA~!߿dձvmZSa)(q)7w F<E>OZk_[Ev"O#]Y1sO§HS&./o7hsjΦY3ȱ3^mLyyF4Rj7'N vjO$ƛn gjzUȾO<_#`HH4ՠA(}OꙆw<9:µtʏ?IDD-<=TР'GzX!JUo\F:O+A=* ;տu3}{s+"{wTJmٚsWM5oqMw#MNc ~jL3D'4s'*N|}ä.͚1C<:ED<ޙj]}˴/ Q5m-4m|^i월~QhܰCuUu""ظQ+TkŢXJf*ݵijSjm)oRogm:gqեNluq5: XlwSc'JtaQaն,e^Ze'?nkbLMK;m:{Oӧ,ܑ0.T}y>iMl8PE_m3!"[(bNe\7c[Ja.;+bwҩ:k\MK.kj~iPۍ~=j0<^]~>JYAY-)Qkem5ֳN%ťbr3)b}S+?kK:*fRKJJUQUQ|?8)S1x׮wbg^jhtBNy]{dsoDtCxh]Y{@Dx؅S%*EDUkdԸ?5pU}p4ix+w7:o-Wm;ܼC:(mZt:Z%]*yG7F.+_PɖzE\/K.\K׋jS8kŇS-[Nwٹ<^D"RfSUE^l6{GTUgV5ZSKJh2*"n}[Y}ͷ0(&QJKm"ƍ GNقBCQL7/N[:R\XqpkpVMED O;sѫxC""\wS{"BvӇDDII)FW)..UԴ ٲ5 ;XU]-:&QAW9k_֬]ݖحR)(K=UW]\]7պ5[;pr*ja뼆8ឰfS屖.9ΥZQ#ZVZ.&""Wǁw,N1H'"72U\mݸlwSSCٙcE=6N^WmgՇ~>ˣCg.3{{{7 jlggtn~Fx?SL&]\"%n<ٯ}U*~IC;^wlòdZ ='B/*};s/Wbs1yz("x,]bא()"<Vy`//'CM/ k=EJu{we7xK^{3 ū_ M;]2ó{>X0mnCt _ŵF bp)ܹ/+ !@C !F1׍"apY0hr2<IqjP%Cp0E#RڎMkB4h!@C !B4h!@C !B4h!@C !B4h!@C !B4h!@C !B4h!@C !B4h!@C !B4h!@C djoIENDB`why3-1.6.0/doc/images/gui-4.png000066400000000000000000001510041440160026300160520ustar00rootroot00000000000000PNG  IHDRIDATxg|Egvz. @B ]iұcGTTT,(HA!{K!'!!AJ>${{w3SVB!P@a B!q`!B+!Bu X@!B B!BH*\ɱU_.ޓ ʣ^UHCs!Bi}~_yKp[kH ܅LHҝ9rA!ؘ&+w7qMon~uj丌˿dR=MJ\YSd}G/iFk|6e^k^ lY\i}4M_o?@rm[ݑ}14B!=K!(PcX>>'J+R$ʬ̥jM߾+!~0̅ g.yS'&,Րpdi!B!K(;u$yK~ kW~0.39Gq@wxVykxAI2^^1 쟅E9ʳ>%$־]՟'W~aO?bڦzz)?fpXY,30D|G>4r9N8y _$u?PjB.{t&1]^Ӌz[k+&6{5CB!j_w iQgn(xzz|\#Լei_[6o?c/#PCFl~4V)jrPn?=֜M_@t&*&{,qYFGE!?ڡ=xUyKZn8::.}ÉH,u} $._&v{ ǰQx{ﱗ;=,~Sv X%A9(9sB9XGωֽz{3|{5W* .'\!B>h[(L|Qsy={M|rì_|FOZP[Y {ʎ@N$v>=q}}glĜFW}<o_Tes`@;I=v~}ݗ$ qgY&[7OuiG,a%1dՀ\yȺҦ4:O{+c^P&y܏&&q3C BFuaNc?}cF Bh5j 5B!joB!BVB!@ B!B>@!B B!BSXTB!PT`. B!A0ȥ;ro`~1aos'!oB!: B!ԁ`!B+!Bu LG9Qܖ㪉M:+#}N!B ,9ZDRS+;O3Ckfw9D|þ+|#oѮv~K}NCC|<-rrVaHRG@'_+1fF!å @m}3xc\RIbr?\G<ԛHpRfb5O%>rҳ7e)q;) 5ZeikHdKij%1u7cuF\t\ZAHrgbrFpoJACh2fc3g/-`-e|Lz =<\NSY_4JS).J#U8g;r3D|qg6!6!}=UbAڻ[]≳jp ӧ[!BCSEW*TK-BK <#5PT:r!b,*06֔4#H*j$V;|eIAԕy0'i΅Pt}ٖHH#;4F}yڹSvBLwJ׀RWV;SfHn*gUUygJF n8 Hd%i*fiU3gj,-0;+_Rl JmAL,},M\0+=-o/( g]֫4@sFcEօcvZRMߐ2!BF>"3<$BVvN^Q{RxhLv6[?<)HL:#[uʪ슐FsG!:̻nBjkt,s][u|1SSFv[g_JpD{ /]qفb$Fr)(`\E1k>S4'Or4%UWUs ub=-NXt =L(Vu)F Sdp<נM0=L]uq5}Cvd!PGmlSsJk2s* h,<ԩ9u7'ImmmǾI,lmEٕw"ZXۻwR>B,Ť@ ]yY5~FHUy%Um,#+'*cEy5P~.R (4o:fbre92' =r MC‹r(S+!RLr Di#"`j&%: ސ+|ř`8#l?!ºEnc?~v?n&Vd BVj) )W&}&&3C#?6law cO&W3؆D=` JfAYUUUE^ZY^v9?nHI5G M}nJ"ebz8D$Pyퟦ/bnLܼTIAg(*(5:2MQI{֟.-oLa/? 0 ߢIHHc~CwtuBsթ"FpfjmlY-"_]j{V.[BR(xbm& (#2u?2`0*- r B nM=0@(*5b}~NZX}F-6NWUp?KBs %[sRǠp!W[YL1Bbr+lXJ sg*SURY:1Ed  ͇h*.ʭD^s7#/w~b}+MD 0!ã~Cuޕ䴤3M,pqB;uҫw ɯg_8qDPr5Er{=lDk*.V,+-^+rW̚Ŕ,_(JG_KʑLUvVVS]QQe7/Ѭ,a40]\Dm\꼜 ƾsx_ {OgNJ;C,ײj:f.-H^s#Z }ج?+(J/KRfȮ^8B=lf&!TV^aJγsX}}xܯkP٤UycDhTdp]DLᵎ6BniZs^ڳQi:"qs.)*-1+8<~D̫pŸJLN>6"7K/(TQbSO]fbiiMJn)e^x=gh.'gUu,-V(v>4Bf.ʭ| َ{*KG ϳa[./ ܾI#V8Zc&~:%L'/=('Wz1w 3#ز 6l:])<3uGrq_{0.t:yʘ@&;gŜ=% }r„'}t.5FϘFfțz\῟h)U}/R}x; `o}7^uƲ^WY-Buۇ}lj*k`kv#RaN7o ?>>tҥ6>%'%m(눧_M//p h)ݻpz"ljcS14zu%`p Dl>|i* nܚNvvt?f&V&acg| Sf!?o7ogK=k1Յ]̸-C|6p-r<ߜEo78|bDa3cy Mܶ?~YCMšiɗHI=g߲v׺?DݎWg'\)w nB]I-dԋEcyGjh{%i.K'(هj]I؂<5S?Lƴ sɖ|+r \M.laD[`gYڌȜ;Wk=dg?>R{BJ˺\oك-;ߊBf6[F%?>y1 qq2O&F Njgn?Lh&941!@g_܏Ԭn͌8uv! ]# S`X;}ȥw;.qvrmA7lNH *\,W2?ȽuoFƲ `8OIIw!t0!r Cх<\Pcd:6=`L֫A}]_/;2Řt3}0(+kVslav7ǮcqlAf<ߦkWlF͋n.!3 PҊݚ9nYHL;asNH1B·I\jlCAAB]"ǫFr\uV⍎B+gf=nJ soFYv]{p>r(|=NZ=qbmdBQ4@L:gnDlfBn]j&|['%2$iͱtmmLMK1-p"t|u eN!8T !z s2y#<]o:?G_}2e߱듈 K!ջp}휝"ޱeg)mi{77aERRI((!RfOx\qrJɶD~ǥuu)9|2ypSc2,vson_"Kv1B ! ~}"C{g{>eSqYچ\q#1 YiW.iD.j@[H?y6y;/z*:ʥ=(҄/M)odcen1c9[\yFG hxtkcƫ'ԯDNut+y0؄uuI۳ewy*-&u{t{@F vB=h'~ܫr[qٸړn-=5>Mn lt6cƿ]n˾㆝Czτ?[cQtԱfALM_6eޚ6%@DHaӑ [~\eӻ4t9߅8$hx'c!xDHD#˱p,zt؛9?,m6Oq|r˧?NvR~]EFR!t/ʊ H(M6Bx3#z<-_oa/c!ؔ]篭1ܺȟ3;s>o3"Psbғ)ՙe:ywFE[y1B }ǪʵMIhBj. F@l %֡ E#WR-޿1y\"!= fB۴Ob Sw*Pi @,b\m<,z;R3֏IS|E,C~uCܾ3+!B1#?-S+xݎSi , RA}R"KtBSf 2sʴ4)ϚHPH cYj]B!УQ.VKUuU#Y:#oCS*J. SS0|EQ]AIicg*5UTe hB\m,<^r䖝ٔ%&Zx0.yoҹ~8UӴ{ZRk3!B=hm}`4w᝔UY)2<m#og%䫅 S\c&{;}իf}PqX#"j` F#O(D&VFPWۀ[RNw3sB!jk ZrA2BtB-Dg r5WTF *>;K+u6P]wL$:L, C|0S9j:Z]Sr b¡}MYVU<*bL B=ZZ&Ɋ*#'P< MTϦV7xPD@:kAtjTg8tH@<An4 `043WV_bV>3mk̻>oǺ2?pRe蚟ƍήZ/{$%'/vמg&~XpnZ2@Fe7;cLޮ:3S>qkϕ_+[dgr9]h9u*`?ŇG Qb1{S ^Ih V~NHRծFl(=NS1y) *?srΜ-Md&QӟزLP[7BӀY M4\LYjt܂Yeuk1v?_}'N:t??; Ib,i6UƫqUw0so(@h+)|дh)pī|O&x6_IQC8%l6NԱMʯW1u-=SW<;ֳ 6 @̇M> TcQۧFӆPV\8;^YB BBsbDp\C37 `:T-U7 H%8 :BB/^“Qd1di)U?6qI?lCY9 3!é ,2P_!27*Bꅼk]h_|?@vv_T6Ҽ[ 㸺gw?ag[CvX; lC}MkL>2'\ޅ"&-SceD/+\3۟:uaw+Tkxȵ?:ENX =:FLLB.bΝp5uQ)vJ!C _4eir/; IB`2RVg-p1gT*,XRT*Ղ -#PČ@◘[!b3v ;gM-:-'#UKBz藟2y{Y{XÛ+,~k#_$&iLlٱߍŽhݭn A0Wh~"wæN=o饰)O{`!B!'dB6fY)sJTP8B<rINJUV>eTzƄs6!KKe--KػWv>=hqNjޥԏ,h?*χx?f6wYonol{>f@ْc\ ?EFȾ,yxN=\[Pg&MfS:ÂRiW<ћ/Duͩ?p>3R]xQbP !gODD% F`x}LPR]k`YÜP412/%fG9i@\nO;K[Xت(J`4޹Sn6eIϐ}Ӓu'x*{խS,ݩ)dtRG'2j–&zˇ.@vΏ1m CV<ۚ˖;Bwil^pՂ{ 47UwHg+ PoHI/yڴ߆n?k?E4@쟅B_I162]&FC l/-"MVSluX>avj(UmV0@Ul)Gh &'&Pŧ,Z|ȕZܬﴐ9ӭyk _\3-8"+uuuaOv/>PVtA_{u3KXc&5z.m5k2xw \Kc_Ckyݤܪ-͡w] 7'$} i"R?*9Mct0vB .B̞PYz4$5~/57+O{LK?S6?' [7?G#<&Rd^( uWa }G|Os;깄w9݄Iy I@WE~ѵg^ы~b+-H5B0k*d!?O2P]+15Wkk aCX|H;], x:8=[5g`4/ory'nCťQi{?j0}e;,^UXWֽ5nnORɁe5K ib;1 4*Hҕ2o7Nw>B=\"ݝ#Tk4 % D"i !t'|ƌ;_VW_x%%licyW2ȻR]2Kcjn3~܅2'wi䦬bԊHΪ {`gɀ-pǭ_^[\ip'S ߓ9f44ϫtXlߚiW*/ x !a7:e2L&{4s!Xc\YM_x0hX=ɶO䕲T$=nfw9)*(p[dž=iKa1OM0;Zad 4[cs `myN2V XZ(I:*r8bɇp'˕iz๪jZ m7 MMSx tOhA;Bc9An2V99!;Q4<ʋg+YPEEVINfCFXQ@{,Za\8HL gn6ݐ'ܵO b m8O!ub#`"ZeB0꣰EW\(/.CJH-~5kҮ^>~SĽI"MN#za%`ySc (rDZ&22 >i-SWTBhO+a((23jG2x#B^ hB3@jWҖ\Ֆ\XP2JR… ֬{qܓ`zqryT@dogsSgE!zp1L(U FN(4TA~Glc?ȏR*E-)!C@Zh昑P iB3_/ĭ\";?F#Z{⯟w=/Ȧ,0#;9F~jlbƢUo-:f8 ,ۭOB!#^(jC 4O`遜M"!=.&]_U"`hC4r蚟ƍX"έZKfȨ,?|g73=\.L!BQ F#G0P C 4O˓>fow4rcN 0Er7Y:+ |ekdodRk!|ہʛ)p?iܟ? [+\6EO@]ޢhqG}ehRn6]Y8 !'mM@odi24u0X {⁧)b0ϟ8qСCo<|G5.Sظ˭x^W@FՖf7oV\~h^I Q |[`wYuqg3F`A؈R&ޘ~%&r /JZ8Nd?P_ y 5?01&>{q۝͟Ξ<9~??B!ik@!9ZB"b8%iKFl?ǁAWH{yy-^x޼y%%%ӧO'lݺu .tpp3<NSkfk\P @VVV[(b;wr}2K4qho95>.s 7ˏ#H-\%gnݛގ!`W{w ?x$`O\X!jv rQ4*2a}!B:>_#0DhB^E˗9s믿n8VσX (ZHтf^DhZSQmbf{ w?uaOb>\>;mfĢDM.h6ZFZ/3Bk麟\N)S WhN)z%^v. %dh+,1ZlcR\`JRT ,P*BZ@(`Ϳ8"U Al~bEd$۽ꃷIhr)1b; kޞ|zV3tzhj6FfH_nRBH"La,+sw;eN<jG`y^P@\.)Tʧ JUFs6ДZz%"Lmu-%-N[}AuR.~dt%XiWo}>$0Oo+1;嗴-B_v)K on[8@BgODD% F`x}LPR]k`YuP412/%fG9i@\neVv˿:t \] QP3o[%!1N^shDKvUQ_zN+/jsk՘C*B.|ۡ]W*_x::fXT]4lL/٣ehS"S۸`ak>B\;T!S9=9Idgjk%1rNo-+25~:Բ#Z&q4vn 4MD^Bsy%c~̧*RY{ɰ~BR&=á )hrIjBab_/k!&nV.2mg Y]~֑į{`Bڭ8Kd]5 d B"4Nٍ'7l@!ڮ۳id2#!BC!B B!BH;w*̸{8pa[g`FVo se78B!BPU!*}WL>.vDB+#鵵:Mni/]]5 =3fbQZCS( ,Ol;@!B}*[uuiΦoᲜ tTR]L*>e+Gf}̙neFت֟.ѳRo? \3yisus.'=&עピq^}3݌5%*PX ~QP= @ X0`@`="XU}~p!mm/KdRcQU^<A l̫]} o֬Y)))- \՛I`f^\TD7FK~|*bԲ4ߗo?q!?+f:uZp|nGO9b=ؚvbM2ˌjə;2-ذ+Hŝ]toJa;|0o>iġ >,]RgCd"g`bS6+w 0-3[YF MB6/2)Fo4 댬寿^y(Q*Ƭ,[Z{>"aFI㑍c{ǿ}|f> cy 011u _VWn+|NzX".e}~~dzy柞|B|xk}!#Zu= <@sI硞~"bۮ3gp\+ؽo%Fu>(tч2lڏ#>g^SK:M04 >km6 `#w !íO_O01{){۳=;RB^LKۼ}5\3'd3X)JȹofzJU9WKs8U9WKsju[F5=ҷ'#o>Yf˓cBxDHD=VWya$g9rS5_"fER&/9X|퉟rcزe]W>؟Rr<@,M^tQ6GKX>I|֘tM|,{#|U*Cc_4~)bK?G|@n1N^shDcc(kԔ\N@ _N×B!t߶vH$_n+ƽKx. r,30/vY*>~qUMݶ D0#XQJwF" ߭zZJ}{~%BgOZ?y铡K)eO0Bq͹"Nг !㬭=t,s4B 3gMI,1%qu}/VXt w>'O+(rو"v6as{K:aK_|B!'4JFK B(RiuFu2'@^P'eZ[QFp۷tlbbxd߲e&ZbL(2w(B<-e ŪBUovѦ2 !PBŰeR,0R:1t12߄ F` B:Pt7;Q5\6l#HE9̄g[+ BiX!fff= uN//ޝ\ 8>K&u??GK㚻 cbb":L Bi!23#F/R% D"y<D"HnC!BӾ4-d2D!t.se_sr!P'BbzB!"?\1oN).sBݫvU>Tz2:L<H_H+;\]!t W㧇.@!YU F@l %֡ E#WR-޿1y\"A \/zML~E'tefLBi?#OZ( B޵Ob Sw*Pi @,b\m<,z;R3֯Ökյbi)6F3;Qf*V=Av0;B6h ~ٟ@NIM^^%:)3x rGؚJ=4JR|& +ŝ>~X|3gJl i{:k &b땦M&8dnŋ۷UB!PZp5uQ)vJ M)EDھB ۅ m%Y mLS* ,PT*jJ:"-/ ,q7Q:D0#XQJwF" ߭zZJ}{~%Bv=Ђ 5c+X9ͣ'.c iudŵ\A,Ks9*>]<'t{bKͳꄼ&;m8I"u͋VsO} (gi }iAyMA}nUnmx\a;gȮ[G?O뾟?93&+v`@?w6%qw?˅]QPP `__?q#ԊOBinRXn!6ʒZ˪'s4M(3RbΛ}-8I+,l:džyW+.?Lhʩf#b/}؜_͹ j⭌:"ndD2)8^ @Yac\y^**YL!y<*EIo3.\V7 uZ/"7*{ڍ9 (`VPVTngQӊO?%l7 ٙ]qf1{2tK:Lo?V#go,}8Zzڡ+JK?SeZ+ P*fbDʘRbRQi1)Dl ?K+|lՎy-xchϝS>z鞺SA'v 7.~]=O. >Gx!7 ƚc BdVUyՍsx0!*˩Dh[l^> F~av]0c1 ! v¨' Xp   iZi0P߭\sOCZ) [ʵ`sVDV&(;c'9ڊ|jv1qn*oI`h`fxX 0|`  uzM `.@[/9LbmoL x# aCbaa1ey3i$NvVr#ܢ꼂J/SC-yXXXҁYr|沁e|(a&8ZamNk'}9^)W|q{uNL+56yg5Z{rᐟ'PՉ$vx!9wΘ-m/Wg!0YJ٦כGxjo4? {1N- I]b".@̄#+6gwa`իRXZY'3 #PkSH0m>R ôK0 &]x2tJ]',M6 W@l r4Z~5ubSjZ8ΊM_|ی^Uq^[ /:ԵN_}]Pl``*qh:%wo`?`7U0+@l6gU΋(BܳE!8m!IGKR xY/1 ptdb8-ђkbD$uAۆˉ=s# hlb|zrߍ3Jgz ^, *%a3/gRj(+7ĹSbcJ XK֕|yJZDQW1 EV]lQ+~^'Py”L(l| yDV0e"|N=^; p΂^~ ADfse=8HK;XN|kwb1jO,17rUK*w^U#E1 M[hf+ͤmh.hxZO `( =ns*! ۄiLfooeooobbaK 0T݆ `‚ r,KRw}<⸚v57_y07 ߟ{0i pZy. v>4Ƴ?^|:1 .EH@Ƴ-  Ŷof`b pu8(ϗ|=l8b̩_[6HSWnԶ``r `jjwm)k T^3f,x-9/35=|#Bs Xh˫-8?}q/q8#k*0-4H bJ\8\c2v=_1i{s\MtW.&@(B=Ɣ ͆ &4"f1e^z{v|}[FR!/t}&\ƥm^{uz(Y]98B%ZFV=|[W 8zh_-4P~!~vƻG eՋr1Cufׯ_w;vt!/{RG6[2!KǮЬss[roϔ9U7uuH?3 +r#>UXĸ*:yXrYw:=@=g_G jgL̾B,ƥŦy9[8[يXB˾w.ݜˈ*,=X?N ܔ,; 1u9)kcAVSv<ҤSzq._|i٤:cW/u翛/QWKԔgw,|>XAZnMF>O F Z%ieS~b +m-eVk9Zn"K-Ctn)+Z!rB0HHgTJJ\ZA5~qsu~\em4idǎb8Yb򷭿ͩ.-!D1r9{?OcӿZ^w٨K#>"tg?o=|Ď1;_{ (׽8t~ ic[%"BCkkbjP&+TP@ h*ҕ>U$Z@SB5 : sk9w7w;{ /)e:.%o.sľ>1ʸe;KtuB}rM2xc3@3\e%6eIIW4Tc:Ȥfk4k׏[=D$w3oᠥ^2k>F뢱+nkM CF钗+/d(`o ֊=SW|EaZ/B!:VjzH  -<r6E0we~UO Mj檡O3&ph=kV6_ 0 H.HL9a1~^-lT)4!+)|P)pՍ&N~y/.ՙؘG7}5N{ [V[%>`ӯo-",p=Bu VhB Ḇ `:T-Uo^80 ͵v|7#WTޖ."e„ ǝ?k׮Gc8V$GugWްd-7ݺ㊇~DluL[VMaeύbZĕͯk盝X: ܦO!C2KJYWV\ }aZJ}t[:ǸygBVkg Q14- {Կ!F$"F.XhL"T8b1!D(zyy=J+;Ԧiŕk}kbv~lP4ͳl3"wq4wbBCcZOb.[_iMZ9q܊o˷5I-.Tl}G+̩4󰮷fh*LK}4quY?փ;E~3B!zm8ۚ(R;z씢W"m_eb!_LPBRJ6ͨ/tvks}@ ptt2eJhHs JZ}[~r]6W:;~Cs;y{`HN-3.RVsY rp6eaOô?q?6w+l8Tla#Js3Ja_%ppJ*B!j!mBѬ?9^-C!TX&4MLĢ̼KoQN ?}L&{ic,zC9bmԤs'94.>2ttGYxKF8(d B">>&ٹ[n'!B)YiL0CPBfB!jvE!B B!BH;w*VJ*=RYxxyw aY#,R]]}iZ}}y/BC]ba':67#gA@![`nPl_Po0r%؂Dž PKII4:T&h*vƿVJӔ\ګaQ= cn>mRNRD!Ob Sw*Pi @,b\m<,z;R3g+ј"\ d#ܸҔ2t]>"_/ u\ފAol! s>%yΕ/d^7Dm1m.?R gèv!*FeZVd_2+Y'ȥ r䕪]] ~ܝ2cf渹֖\FvrEC $bQ#/mjHQ ?YP՟_4f.7K|;(AʲI:Y.4o` YNy6'WcM%]{;ί=E>N'l&QpjV<e('s ] &uvz!УO2 -7ĝ- OG(DbJt/G{XsEUkd2 "j_gswիWm]3jlnj5NKA;wG_Clnn._gbU1C(g-}z\:D~NϾm: |h5'VCҧ;;J =~wݞgUw2yK/*.2/Go Q'c6ѿ#z4bjP&+TP@ h*ҕ>U$Z@SB5 : s%%IiYs\mB\`,/ tqu:tо}JKKoݵ.y-Bƣ_lʒ`XOg''x!=I@NNOr a\f7ܙ@.sYo.]E{U?l*(xB|ڈٺIo.҅71/CZ'>!ˁ߳xVWz( {9Dek'A]۲rC;ೕ˯j#ꆵ&|"hb ؒqTQTtOQK(a'=Y_8CK;) o?BGR[+<!DPקXQV+5pU"`d9>_͚5kԩaaOnݺe˖ݹ ˲W^6 @(C^ޕ!C"DUZ~BӴϕIB(w/b1{S>kњ.tFѪ?̀{!_mٟډ׼?Ln>]nÕkm %Fm0_VQE5"/}=fU k7}B+ސUYEoICuaA)%~BBE ,MBn_.&Ã,5:n쬲:ſxi:_}'N:t??FwjkRI DB98{)4}cp!EQIüLχFN 0pc5Rf<}Os+)j POǭ{[?CJ|"t\S6nЮnp6%+3qeoMLc.V򤓃 97Ɵ Sʓ^mlD >ɱYe@MŵK)ͤ&Kun^^+lڏ#>g^Sl?9iJSc`IF{!Po}VhBD0 \RTm o4ǁAWH:ܴs^^^/޹sYd֭6mZp Cuu5E3 M B<0 s@(4B ;s0%nӇCթۇxx76R#Gl&)QIDATo9>z2g5n+5ysW)[sjBY_oW'&= 7zeWeL'4lUQż' fCFX5ސ{$vXW[o{nEaD# e['IWZ}y^_R^I&~B!r쉐{?)-Y}tN* EL(jõ& d(!$%dwS/~vv~T* YZZz%W75ɥ^ j+ ykLP)|1ndꟵgNohNe}~$qύ8wK'ivM𗡾B=]u)IGx~bʯ!jD̹BmkC\N)S 5 hN)z%^v.n.dh+,1Zlc1]T.X@RT 4U8.**H$ԫW+JK- C3[,6]J/̼$ӹ`<2S|g62wt9\XV^16؎3o[DƼ5MgN9y8 B!Ѓ D"jrVuNDPB:NgY04em*-RʧJ;rbxܹsmfBBP( e榦iahٻȒXR/S_yuJ7qف zȔÜm|xyWMF%MķOֽ7l;R(B!.@hL⡐ Jk , EM(3Rb}&8|Um̙3}za5*>@n-]n`S 7-z B!mR^:Ս|< ,[39(ieIE9Eӻ01=wqqM]4,1 uykәJ\g^uKN8!j%D= u!_k=Ƥ BcF c+&4#\e/z]{/[|΃B^;~tu: r!ϳZV$+" 8B^q?n͞:> 8>_IsP!jvV*{9+r"x+eW_H(RsBa& 82% =xo^U7mIYp?h[:A!Z*<_* _|VVJSg bja1mdiE&Xgґ-e¦¨uuyg2USk3 =XOdž }qf˓+}95\!jv<,b1Si , ҆YrJjJ~¸B3[Bg~jC=L%m M &Rdr> +衾Uij< B!ZP0N$2nOTvbV%CS3%bM. O6J9dHsrဥH/7= A!ZcԥcG%eU$fV xH Y j!Cט=8<# 7+бM tzygrNPn _]Wu Yу&pow{qyzGaB!zmci-rA\jDD,tt[L_QE ᗣ="DB:Tb" :-qFK18WN Vb9an[u2[*{dX/}GQqfw %TP^XTAi"Hh $@zwɕ} % %s3{yvgf&ezCYM ƇcU1F_c_ZeHJ9rLorgN|zJ<8"2EG;Uѿv,YmH&Q2GiɠwτQ"͕G#0ih biUHx"dyLIUJט 13Fw^M#J`-RC *W^}L\?/KH+@+2"1' pJ/3&ʬ},h{nYR(8A17ʳC{1?!K4h Ye LU]9,Y,1ǚMmCWbd<+hu[5(GFzqZq4L21EDiM|>[sN\x{H{+|,S%YNԂPVmIr*6k579V\Q 'e"՘|CQEIFabidX>bz?['L4&&Xz(YR(%{\Z)T-H[0IKz!fe:P I &knRjsJ:\K,1dTqT ,(`*ٸ tV/~O>vc=U5%QbZ%` >#d"R bxPDaߊ9p-.Y6;g 7f {v-|4᛹УC*є`O{)j⾍7c? {?RZqګ5߫õ&$`DFq#)@-D/99=Gt}j&U=]:ygV0H&(qDYV 1erdU:q 4&Qvwʤ2h*>[3FP?1q\ӋuxnXiK Lـro |{M^gINa;^hsenv˗Hl[%~[ 1ޒ#a=|̴rkguyzrʺqu+ʕE552:a"WG=|7*:Q_?Z%N9&\NSV D܉^ @U6.[v n_X^m ꦬ" FJ.ߗQ PSS(;;x|2KĜSveJKcK&"p2+● (wf_3wiBf}ywkӉR:tui{?*;?jɱfNvudDb-(4Zm~/ l{zYW>#cj {_=_{z3_-ڡ/-|`,, ;w7o'gDDInT~; kLzjt/,7ޫEr?Onj?? I< [<%+WL6c">|ދ'"R?+"&P:tX,iKV{+wMLqˇO<9oswWؼF/M)d\K/.}Ѹ?>eh;f#DDDO}Ol 78)46N^%NJ,s׺k4JZЪSkI,ѓWjkA%?Ɉ.=YTu]ޔS^450=u-JŹ*U*f+$|LR'\|R陏xXiVUIDdG) s|09iYK>jBJ/9mꈈT~]y"b sþYW2;]  (ǹ5>h-O̩s a۫Xu~ÒW&/umtPVmjI9s[r"Ό] :x:^u^6g*}kGL]]se\!;Gzκa1nJ1z{;54sQ:0_sT˨zpޱODzowt2}-3&hm\mpvpHd/.Tj[8ú ׄB혛8V:n1"xf$$J1=\Ֆ 份رLS8ib_c~BD$5uONr3rl#qΜ7ךϚeꬉ rERg$|yȁOge:x?% )E9fR8^27ϣ/{(=ƳYDD+vv<ɢȈkm]7L}C2KǯXucV{}W.7d4ŧ?\)-O]{V{1>N'.(=ٻdte[w6pIk:{g͸9ydS=_zOL#lWnl۷ޏ-!""D""m] ]cLP\BehiËHH晬֍Shv8AVInhxNcVCg/$Oyjlē\X);C/q1ϞA|A Z!rގj" 7qėF_3Fdk.-w1NU;xٻ;98;888;z8kޢ B碰qm!h8AXA\T~Nʉ1r @]IJ*vю*9,p .oS~}a:g7,Qwq#z]dJw᣽"pu\F䛿C-svAQijA]˿0MNUI8.:F >X4igόUY_~8'w`2>?ȉʈ>!'}-<q<*l΁j`K9Pa)u i]]U;Y͞Lyj9 Eiss!vT}p_i L~|:-Y"z=}ګ/H).ϵiKإj.ܱ[I*5I1FqWk.ȻAۯ_6!DDNhMO{?xkZ<1"h"#iJ mgT&eSn ~hEQ~=~`Sb(Wȡ:~{M;uǾII\t=NӮXhg Ĭmm3pRϚ'"b囊m\uCYFfy¤S 4tׇ?iw|=JSSٛ&Qe|<Nڹ0o^qR7kj<Фn!n_3:⡜ H|@D}xO@*D73M)x˙_y-q)ELj3f/N>?>)q^.̟Cgux0l?LM]^9oe\OI_s({uw֎X_?%9}w|IA׿Oh1|pHҖܜRvx|ZpXK}UV^6>5 M_obCD=g覡u5Y$܅CyB g;,JMۜxJV􎺥ohk[?=!Q=D2D *vvRեTN*ڕRVlddY gev};{ڶXYF'[&nph ifmBqU-U-GD5pji? oE|[R"mI@[TT@[cLdE*,1&ĘwvV)0&U\^S չ,˛b3l6C[e)hDo 'Ll^aeYo>u(OkHԜs+5fFV v/s:%j=N)|v%fxOJ@D(&.N8]CDm s kvqHˣ=i-XD?Ow\ԱRQGs'3 +v?pSCCC7~:ҫolyiקԨ مٽI&HÄN@Uѝ<~8^*EXls Kϯ=PR:d`LL.Rة=]^6P\R3Hu 8k@M&,dн:jn`n:=whRzRRxfCuhN-FgTfWvdiEDoΎvo٩*oKlAny1ܦ9V;Z݈[r#uIui?[?I'Z1J.jAkCû;[&-qYRzD7 Քi'v}q] e^bM$FZQ Q+^]{pelQ!v*ATJLn -Go 8KuѾMkgxfjopF"]~pW\݆05t djFhIsKio9??uE}s׿=;4F]m2WKY6mohUWۇL,ӘUknp0XV-R)xN2sܙ^a(x)fLbDR^-@.+G{mQy=o)mݖ]4niΪ]3yvunZp rAPW%)+#:88 rv1:cȠgW.m&"+~_Feu?sBCyE;J.;wo;O[̀O/\d8vnq}:m\&R4ԘG W*xт-?h 1+9Qeiɛ˶Ĝ>>>'=%v߾|s4Xxb3ͥؑvU_^@5⇣j4Q-kºK[ΔIݚGϹ}? ou9c_諿=Q_ ]ME쬭whXײ=zSi ⎫{V{Oνwibc47;\U2IL|˸a꩓>IY47ebc N8e?>I^=,) p YDI66BO7㧤-)лvh~ .>5 I.;U:$XwA$t;n㲿fCJS}a S{jye@O%Sj7}O捊8bd伵?􁘐N_rVף_[Yb|[n}!u-n8Q!(G6WY*H%Etsuw"e,xM9z9Owkrlŏ~ف'qdMU,"JW܅N({FrA83cͤh;Qxa\ZR<4B]t޻wOAAJM[d*+=;0T̽)va!"Q./$z6 C9^aBPڳT)㹍PDDEjYN'ȝ{Ek>={z8Y^6T|}+^1m]+ۛp(nOwOzuܝuMmL"tqWnJƼU+&='"2<@5>v*ӠV:kT$c,),%,=1$2Mv[D&!f䊞a.>*ܸq$u޽gm { CT^QGekiݹ'$Iע1\{C""v=?~v#"~V_d? "lmmBlNOO_lYC{v0k&Ont'>惓̡.;2*¿媜g}vGY>o[v!J1A1ۿû'^؞/ uj@IՎ|w;nǞ2nZ;RjF+8Z`R~Ѵ4#4Bܭkw^ztKD">or\,盥3 @ӵ"etK5cI6,Yٹ vvvc)fsvv7|sȑ^z5t%^Wi5JN?:ә<>]:j4Ƙm:{&m;Qz,f_P7~P@/N+uaN Dv ![b;`Is"W.3t:] ?]z$IDqNh4<[ szヘ.-2|5U+r^SWhY@M7sUؗΙwr=@Ӵ@ J ّ^>/*?EHD@D$Xe՛*폥s*x%Ȳ&1`:W{ӊMq"ˁw}VW(K8ނmmg>&'P,ڶkw>mG$,?"[M?}-p =LrvNdzV$G=d&yPC)Ir*v&d~Xdy_F,Xbk2&)>k*p9nGϯ:9.cO '$"ė埞ɑBhXDETp<129h:+'9W1{Wǽf-SYcRL&2$QnE%*[__0$:Iũ~&)U|}^̇O9Nџ{oƜs֑~R$֜"ؠ5~9N%h:%㉱{1oaCVw"3fd{8:ל.>7Ɍ3RRRY`r(, eWvXew\.:ׯ=t< &IM&ui >Vm;ogW?~8nt̳ڿId"Q"*ܫˏ`Xg͛7? L/H(0]m/e,ŎׇDh4:^{)G<Cw!_svJI֛%DiHf$:/s½&ef$NxxPS7IttIΝ[VVA fvC*j<'in \m%I|Y懶2ns/zS+73&D$kdvۀx㍚KM"EraeY* Uie@f$YGD1o۫‡t.ƴҦw_D?xJ}eDQL- 1Kr}ZG-GvCdo!cRƄ_RhuTMSh;QT"Ql\9N-o)}GSջ8^f#qHUأ1Q+Lj"]|ࢇVivjЊ|H"4cd'5SF)NUW˂N#SU&bwMo+cJ~;-X`jhrʴy5PF2Ug +2"I&D_fㄐߎȲ<'W[\F)?jXW둚\sOiX$Uwd?iEջy3U8 :Qh-[l߾S 1%$˲E&Fq,IWG=rY2sJQ$'&V]|# Ӂ5T=)s%])5?467h4æ/ܽT)rVLl8bKA0Z$˗/7oC}e2K'kbfz(^z/FvC1D,ڪ{m @K,wD-zf%J73\᝴$Cx9nt'9!b!)-o`vQ{T˖-={v78wÐpwQĜSve=UPs8S;?p5\myQYHovzt%&V,8╲+gq.(:uӃ"ﳱ&LW7:N)\pTU8dw/MK $1ggtA[S?Kˍtvpx%KfYq~imD=;̰ŵzwPG͢xbnÐ)ppE`m1xKa>.as)t$1S:kGVǴq$VJX*btzqNh4h4F8@yNY@k#\w w'ʵ\YBYmʐQyV .R/loPkk2ˊ~ِ}P?ڔhZxP^Y;<,֘EE4yصS"">M 1{l #|:kRuk"cOv(cMgLJjMFڨ*ڟKG'lBgx(\_("=a$Ȇ3)9v8""γ]wUr;_)F,ꬺ6ZIdYpJK~ӋJ/LZ,"18^vSRi^?=Ȕ_{zEB B\tT-9 q1 p1lmJ}jIvtBt 벢]] %˺ّ^>?\% $3ʘ[?VX?7&+,kp&Q!JұʴRzoZ1PzZGW7g_]lIy֯䖜I.X?We)#vEZ!d0i?'>7$ԫZJv&$SFپbEYѨ  pfkoOUv}9!uߥ?ڔh{"Z~>0/*<",qD߇HAY!8̹S:5huKU֘<7$QnE%*|t*kpL511}::T*[&Bơ myN$gIDDR _3G]mAsT9]c<1vy_"0lHتnSd lG'@f̘FIDfIn7<\UgKSn][DDs׿=;4F]mı mt _LH?_C{V% <-Wmhq2W7Y40F'kDD>Npq I6T'ph4io=oi:ˆSkou $\m%I|Y懶2ns/zS+73&D$mdm6`7xzAfQEYe,ô5{!\% u~ƍ.x*y>lcTZyǓ9kShe@f$YG2QNa!?u}{2»˜̄ܪ?yoSA?~|`` (#bjqNad$]x?̒$phq^\F%&j '^XNH9`ބCq~z{ҫ4`2{q+Uy6 VE(2N`՛sT}|߲QVwd=UPeƈ1b'dZUZ ZaH_!|Zq.2N_ѱc;&a>;FF;g*p&Q ٯZ8 U۲ޜWƔx@2# $[\Bܺ \2--o(eFIg/>oeD_fsM} InDY%W͝c#-] 31j'9M>Rz7_6(14,DAvs@ۈ-[o{UԘq\K^e"#8QZoGomgzztg2UGEE'%y3w@;~h@ p&W{{PRZ3k8Fo_&K-´^k6˗ϛ7%2K'kbfz(^#;"VcmUDBC>~%O|5_~$FA{]OfW!xu3^3Mx9nt'9!b!)-o`vQ sm--[6{op*lo?!,s9b3zFQ ua?Bj"-jteEKd!"xY Ngll*^r0Q)+3ݱ'uDDj%cDRԪ-0ƜGOsmM,-7WDd,e96b!Op3cV4@%{E+!?SSaЦ#)1lCB)D@D1GG[ q ;{HE%LDqC}xu tV'"Z>0ED$J umU2RT)n:jXWRgi1C"}.q:NѴqWAh4|1_TNao~QtjP)ذu^hyt:hqT~:h$td zv?ODn#&#BH@S"$pù{"GqA"H+ "H+ "Hh#6Li+&ݷ$!VN*Ǟjԥ?&"k N&$fUͩ~_4=0"^x]mx%m587]0ЈT j'}|w\?S>yu+CΑ7{+C_n=߿۳WLHß{}xk=]b=zy*Бs'vV[KOaի@72ko}Ksje)ǫ jRYi9{mYs`16ȜƃZOϚkW+)D=eҰ`-klb`Z$[Ty[A\?T.?i?NW3oȐ+o'(&nXĴre}Gwt8ɮo#Ƴ]/YvZbgr^=O'Ź}Z5]^[x_ODd9KH{Ɨz+n*@.ݷ53s+M#4qeD$\OS3 +MCԹ/sd Dd$:gԯ:Z0¶^CDk[[OKwGpD$/|ί@]Cr?srgDrǏ_Ľ6S+魼!7%\^i\йC;斁W{_SBvR9t)wjY:3>Iܩ$c:?zGֺ~咽/PV~I48c3je ~.Sߗ jrEywσ^~kfpg-=˟6{jR׼7Wc{j/~]f:{onf&<6W̙zF ?nq?ß=cMt3wft.(u#*2%상Jcᑿ}v~$WLug Fs;|9"ǩTJMf;5K{㥣Qi\1iY]V]Ymc\ 4S+֌Yd{ uS}'|>7=Pa,8aշ*?h_GS1?j}ycm~U~3z:1Xa_|4@Quz?-^pϏWZdޟ^htճItU@fl9ö }"ccƖO+:Ժ'tVVTȺ.:jk*x"{QH.c)blo>7O 6r{Hn'Xк-y=1ԋ#lQ5{ݯ #gճwי±.< ~1Kv{an:Ҷ'&v{m/v 5#xş͜##0o莵`s]s,Y4l(I޺rkݰvFSF>O'uΗWۨCͿIjW5&d8e ֩n߭SO:9%`FdW^=_V6>y0ϰ.x sɏ;;fpQ8a҉BGj7IAtH5 UUupG߲ sڸۂDR^F'Y\6Ipjѝ}S}ҿWO$$96Ɲ-3 :EąH9}=S)xciiFϝl=:s\p&WT]gqoO"""x$efY{97V_\M n뎟YXK7z)~ĉ`ݕ؝-?Rٿ*P)htUW\L7ٯ#v-*ǿ܄ f}}O|#{^ìrrv`5.rt`d mMֲhd5#U37ٽiԲP-,s̱AT0 S5sA]~Y~қ +~-ܠg<6/|KD<@&}b}}zbZJX#, . /6ҍ!tgZ^5u˙m-/c+'#t`TTWʯP$q(_Ѥ ԜJZᮖӳA"A$Kr:ޒDLrQSqqsR=?Fe"FxY l\A@+&WWHV1"Ϋ]]*vn?{UDLVQZ"=iϹ#"bjۦ<;S6oOPO2duH9{_&{*K ϝ0(Uz {*9cJjڥ^L*8R_Q8GXhpHGCvSm~@EbvraN鿚fJZCv%7n5@}+V~njWI<^+YUQ\L6ZdDzw>fGDīU7Ȥ1p㜍.Fn笨9Y>Pua㲟Rr4[O6:Txyn޾v|I3z}E_GMԉ53"cVմ2vϗ~P=\&ꈨ\sxL5zGooIɭ띜g=  uVwhux w=kWg6K#.ި6ͭt+x۾t2"+9}VmX(< 3ϭueL$Wf5iׯuf@'TU6쁾MB}_4ز݁~ܴQ^yɶ.ؤoy=Mfko#=YUAl!v|8)=טZ";D?sۗs5ic5T(ܻqf^mcwdIx3~~ٛ$AmcDlzL}q k>۬Wz8QS>:O񅯎{Uղ/VA]ƾ8%5wwO3w |{_c-6.zykas}[ӊ-q}¼l-)U!1PE&WQՔEnr là~[Zt먩'WW?x3*_zIsphѕ]%̩猷ۭW,:gaf*Pg4RTiV "m3r)u<6%u7s?fxW|wTIM?ܷ[L_Cwݳ씔wt6xCw0h&@Jybf_'$OO'gȎݰ9և_wV @3).*NdT6,u;k!@pc!@7<,`EX$V A`EXnRcVh ~A+V  y%iD ܤ: 8$pu \k"*H+ "H+ "H+ "H+ "H+ "H+ "H+ "H+ "H+ "H+ "H+ "H+ "H+ "H+ "H+ "H+T3.)IENDB`why3-1.6.0/doc/images/gui-5.png000066400000000000000000001562551440160026300160700ustar00rootroot00000000000000PNG  IHDRIDATxwxwvzK $%tETׂ]bAEH@!\۝ HIB Ayy86{wN!u:@!B=B! B!!B!B=@0@!BҾ@(=곅 [W'.9B!t|`NZSV%8~.}0٬;pH|;!BƵZ㭩 ΚX$xoFm]]mP3傞qt\qH?(푟y-](<{.uc- AvG3>Ib !⿛:q/Mk>,L_foZ4B!E!LEE.xZ+2vHW>coxg; @n;]%Cz;P񥥦CJ, wd> B vܹEBϼg׬m.9nf ~}fxŭ//KŵT!W?c Yd,]S8r 2&sܶ0uY<đ? `: Xah^&GCz藓%5VgSOO!BÍJYT0M ?ywCĬO[êo_y㎔EߜwUu~X`jx8 ֯qÚU{;h缹!{{K͙ᑽ~L1O|rԜV-vַRh[u9úpHaA6]qPh %YKILԚS4 4DvK# ڌ2I/XO]滿ÉB!t; o|ϺO_Ӂ-TS_wZɩkĿ+Bt e<6o`yQF/zrќ D]hasSV!ړv<ûn]\2gmԴ+ZjPW {">]T4=pk_#"[IЏɕ$BwW5-%`]\B&Dl0p#P_#l\@y3TQV@ЧWԣiڙ>?3l7i祦uTa!6?N+3GÎ-}!'<mѫ_]]2wD>, Bu>*G6 w>oYo PJԸm$pmsl6?pL-<|L;X6_E-]F+=Stuz$?~tp.*þX&*砠G*VеzW!Bt*P`]tKoSGmӏؙ;ۉJjG ahuNll r"s 3sNj>{8^T,Rx󁍿}wDgx@4cOd{LVtED0v^޶2SYLv-4>ۣ̍ow6{/o/+7M[ҧי/vtøqok\u֮p|O%~:B!nM>e|._.|zv>-ߣy ~r7c; bK%Oԃ}5v>@!BB!Bs!BW]ZB!{StsX{G BFyI@!BB!B B!z`B!{PNT(=eWl q8{ypC!PGk90DK.n0Dq $`8L^=A vqS+PpdYz 垺. {;PCEzB|JvqEm wp[)fF!ݥ!#Y qY(H}zXTA cc)mW eBM='2ky @˲]uCmUy%gMDu!BB`.S"r9nX' 5yyz 8[!)2X㏞˩7x"QX8zDzV\mq7mGigOeyV,=BRa"=ϦùiTg SN=q4:xE ͎=^P^gbN>!a^ycɌM/73[@x ) >4ҫ6!.Z?Έ.Mk~iũc&=?Бv9j}قB&Wq p ƪOf7fgvjdž/:\v-9u KVM K\h7-!nR PrH&noDŽ0Bƚz%{;k/"kWETW@j,)\Cm c?+˫)ΒZURAY 4dX*,+Wa.Q "+k55I3UhkN,򳋫(6iVGF+9j2W#4vQv'Z!Qbǯlv+͝ħn[:y s- v>E!thXxa@ Qy56 j@%wzdƷ_ɯ1F.J._Q)uz;KkV,7WѦi&yB)e Vy#:0#P6i2'8`u`{~5up6]%LJR]~n%ԥ/MȈ='u5'vedXxA.Z:BIe+*w$[ |~~ p΢I6ώL!ݦofbfVh fNrԸ>c=Trqmmywm;[uwB\nr&*٥TrIҿOSQ"t/-..5Ha3vDw(*Lv tw5M/'0{H,mM3O+c9/Xou1.bNqE^jDžЮraޑlGVn{#gEg4 P7ǗLʩi/Lf>U;Τ8Co{_\XL`J+x@Ec|6v,)RxOx|Vbذجbu:Y؀VZr kۨ)SFsv:-YD<-I+'j4 ߌ565~Z8ɋ0-{I|>̒5WOh.[~=tɂ 9[v `ۊB7@fjfDsk+u4ӿ ^z]o!M{vޓ }e]#OF_S}#lGX9 ~kliaK)+=S}A^)tz_" 1(GKװ#]TvHofbcSb>qVxn+#P߾7{i_tzZ 5WM-+ks#Hy_zOw6~_{κ.vۚon0^^xܕٲn"n! I?)6yu|0S6b?X' i-zQ "`?ь40-UgH29=5LAA3TPHDRbhŔ"x@[f&$u"nD֥1TzBjT5(Sq|7TGiҫ[d lQzc0T>~+ۏ<ޭK u1yNN @<9wb!8;ƾM@䮝;y7J\~rj{7WkHu a%U)%RɇB^|J{ K7-BX`n͙8툁bL$}FG[݄:b6 Lgw癔j F شK >ŝi]Nr ߽$~˂] r3gqxݻ|Slzzߵz{Ȅa)b9.7'RK%z+JD+~MXñ 1a{w+]ȱ:˕m1[*oݩ35]{YcW%8 B>d̡#&Gx{z9]9(:vyt&u˃]3a5,;TɃgDڬbɥh#onA2)?_R%qtb۶?$%Z$~e{tw/9LSW{P׬EetڶD6"cgb zts_0%ܜh꾭cӲ3rJꛖ %:~1)>*k%mzGi9qo_ 33="=qFmhӧ JKO۵zgK!_&@9굧߱='UZ8+:{*5 {_^5ٓ_m>q!e]jӯr+ψʉ̀I#pBg\H֯ݱ,ܻN~{Dq "6vˌ >:#Xš}WMC1O xoN rgo|a ٽ:gT',#-"N ;%|Ef9}񍍽#)!oӜwpt/;xSo~S2i83B݊"RߋG6Bx3#tTwza!nX]~nZsVǘ^JT͙cwϝ _xhռM}`W_WB: PvxRٱԚr@ARe- vTa#aێW_3T'av62@GTSa2 m=[f׭  dJ+ kmJ~twgktBVl@!t (+ cvJ+}&;P[7pPwDFjn@Bʧd]nWMCqvs7SWB!}3//=^4j YU~][+(@Gk4qQc7ZA6`jn%=>ƵMW#gVU|Ygi6/ړonSR="8'EˬIfS(32DB&I/׳V۰[4n`,#By (f@q 1LjE,%dK\]q$D 1"ayRڱg2{GGGϞ=:N"cm}qup@u:惷0^0K*^i~n7hliѶ;ǾYDgs74~QOXV F~fߤ֞3Is(&bvWi^=ւ9/ 8yXrO*Cb&q=TeI=Њ]k&'ǏB!Нa@ <˰be_%%Cl ¼=9zɿ(P!&3g/~SN1b_{:V"6c|=XλS`SyBWTKc (|LfS5g$ҐGÛe\zt*NXCشpXO T}ŭiZڗ]9|kOI[itD>Lb5ѳxdအ5;6rx ~P K+7Bݝe.^*I8Ah"ћ2YzETB@d0e w…|Iiic=Fٺu}ϟ|=#isgYB5X(*SY_] ZKuo`f󥕨_ހ6yGk>vDrRОN:mk%COM@S  =PVL@!twjoͱJ!k05-)!l! 1&@1F15v ,O-[999-hަ@@г4A b6;Xd`!eގ1Lj_,㨑<l_GwkYD`"sF^h'rgh͛jZy-7"DRN$iKJ@o^O|)?gOd[tznfݫy퇄{>lZug2|>k~LgZQ|p᫫Og\1x׶4۶/o&zvc^G^6͂8o-[Fhn݈gNs 3?B!]Od2ٔomʶ rj !@ CT1@RRr#'T*Ν;u\ꁋo}7.,0Mˁݮ7^xx|eCN]QW TW3L}\NmL-5gO^YFvwDdT=vfц=1ѭ&F]Ώ}4xPK9iGH4p/>ԊimgH z3'%wq!rѰ$QWWqaj^naNX( 9/LR)i,7ÈC&upǎOOGSy(Sp'ΰtƧHEfֆ/N8U+ >1lwӽwB_O6f3u^_\ޡOPud}B|'$'6/n:fi,0Drh3pq 3JyKY zOthrƠK"z퍤m7܋6%d=|=i!Ҿ5U@o PlBwCR!XZZ>+۹0)PJiZBQd_ _;`O[w'BqKw? o4O޾O@R]~ϤiyF֭Ƹtpi*qshToCfjj<8+;W ԐjUbjT#}Sen@l\;sfeIIzlP[ÊTN=XM2tLl {C,!,@=0X5R`ĝGywV$_]'# lID܆B7@Ԏ}'Z^*3vKIaI/ؿu@!> 30,*VGŁ><r5LSuT5Y]Lw-DGL0[WGa@ΗrcUeKUNK~Ճ9L *(s[JGvL!KtǓʎd R/kqded;B.Gu) iF )Ƕ2';;f˧jHA^h!M<7ts̹O>a0V$}wougxxZ%ZzGLoMqd? v`-: a#M(M1 @lmIrv쪷E{.#/7cϧ;_XEJcK-ۊi!ZH!нYhR7nݼ8^&PZi8_XoSʤ;KD#i#,kQυq_nq'l/h8z/YEYv\~YZko`y”17ޝr62뻺vžiw~H9J ]c'SkTZx[, 5dQ3a9°^aXr@Kb}E7J4W%'%հO{x4œ|&8Z#"B݋K++U:Yp,SXmqlDgk4c`M N+7sL,a/J"CgmM{+H;;sQKTeSճ{[$* +q  7c'M2_F(z._[ؼduǫ"n$#vӃB!tjoP[oKz#a@ıbK ,ޟ[tDN T)!"q,2@)&(,g2 ]CAk)QZmkmm_6ZjG^`hcCox[[SS[x³[hG>_)'_ݤt@2)L& `:j?˪?ݼdӷkO飚UO0!B{I{J,BDq 1bK )o @W.l0 "qcf^ ?{GGGϞ= /"{̞쭴[[j% '(_gkFKeV5|rZG| {+Z)Zmo>y _s͍Uq|.U'P@l'}]nަd E~nD7/;=|⇻:B!tKݐ̳ +Xn*)bSg.K/ME 1_|?|ԩ#F{\RRj( 2:!uCCݕcIAMQFV`=g07ߕEcP7{ThKϞNʼnkh)eb Y0F Ih)Y ~`cN9pPuq27ܑB{M{K2 'M` IH*/әG!LZw…|Iiic=Fٺu}ϟ|xC]5͎҄C&z"ʫK׮G*JFW'v䊣bzC6vÒWJ-/Gk`>a>~N,Bݤ6 qW˪>/B]\ADBcd(ƮwE ,[lҥKO~sޫ렙ٴxՏw7Z>kKKۉΌŦ?B!t ȹSG""ۓD]]݆6{yҚSz8a`YJk.$_3mpJ2+'z[m=oCrZ{W5# th&TŸG~rߒWƜR!B7r|B_o)>n&o0͂ C,¹ܜǺ+&V*bq6A SrMЦ1LBme:F}ܲiu[kK!j!3Ze;9Ih`b1 `4VZ?a3(-ۻXڹ}e%/ gظOJ'|uj"wT`|BݤiM|WsaRV١ҴɾvÕ>N ޭ8 :>z~L\ B7ÊBٵNhj( Z-XF#`6 B,* lB!}{!B!!BH7*ʼw @QMכz3otP{L>s!B;3o󻿻cDG C]^YO_\5;}&zd⚵1 V`N0@!BcJ֚c']wvym]aR/Zgr\k+t F!ni| O QzBO@d?wߠi#ku@^0o? 9k(,, :Cae`B-Q MkJy,d}P\UU*K>x8IPX5]tgW)sS7KG d&W#K vBW23dGUbjCD*06O_? l߄yg" :~mUO@I%/(̅GO/;u$1G!t 7o9E7mTiu*5?Z@J3՛ U2tcYukF1K(ZZ!lVl/?[KT*O}K}~:v 5| o<7KBΏ^'*:>)Gf{N8uNMO*f3}wIn&k1fUʲԤНXƥ.X|0ZYx4lcy솓9F^.!ޫ*o 0f$50]pd&v/'^D j{; =S4v5j"~0<`GjxBx՛rsqua+^bPMvSBV5={vjjjW7Z`h+:JH$6&-8bܒgn?z6+fp~PC=8Gv?6/pծ7<<̤M82=ܴ\(̘?] UykN*0zH?g̻M7[A]3Oy*$nޡ,FyiFzz&-QJ= n5 `&!iO)[`}||&sR4 F>$SOi꾜FMXm88n~fL;Q u50srܙM)t 8kFn*0y3bǔ6LFqg]cx97*Wh^-;BO !e 3 !rNgf\-Fs_"ӎBʰB>Ⱦ3g~'_~E+ fcMYh PIB^В=[1#>xMـa=HɫN(O>|_lgyYϩY Ǟ^lI*YޖRrwOʫCj3k^gv} e'($7Zgߋ6!y Ж% PB[@Z^@bHVn& ~=Hs^ɯKmj@)?r8pয়~`P:B*֛yO/̗^&R :ZrM`N˦~N/8$ޯ3وP[pVAMzCO.\~P,!jIﯾ 톻% k;<^4`gGiɕg (^BA6`& PyV.#|~0 ֐7sZn0KU&N:sŭ|ZF!2 $_K/ p ̖kk+&"^r6Z]U feѥYMuΝ3)j)56Tg&y<(ʞpr/~VPB&*DL5E99E5mz+p .DB6sj X3HҢΎϮ6%|; ,ts]E35Ntk\cT*Ύ~6*ݝkf#fEWI8\z}"NygɼoV˛%%׈v~.B 9ukcţ-f_'s@}fo&u2Qv B,zzp cce_@*ɥg +K*I{+֯_> @zQEo7 !B^-*rոr 9@ɇyg0kkkB鞎j77|3HŹܔ`{7[ B!uH*KK>]GeŕN)K a q pU(TRiDg ] S*B!tp!DPxwTWWXeFPjLv2L&݆B!8ccYVP(8B0]\:ϛB{!B7 >Bŕ3WB!tW!t0]ޟ-iB[MKtǓʎd R/kqded#ήU߽ˇX|Bݲ LfagK]uBxBi|a;M)zڏ,=]%׬)l0tJ!vڈItWz(Bݺ (+ cvJ+}&;P[7pPwDFjn\[kx>6 qK eVxZ|x"|ڪ>0ّfB!y}YQwOOȪyJPE+鼜ԑݣ N5G=p( vqF9X ŵYUɬr jd=v*`@F}3)d!M D{8M7nh_Q9Uf 2#,Ck9xnx"H6Ofs1$=gZb!Yl7)21J*8tvQ9^1bHeL9};l,^0(7k`n^NWnn޷a!nV Dicl!F[J2k>38ݟDU B@mQ,Q덄a@t\Rl)SBDK k0>hy397f&:% 1{M@Kl=ƌXt5C1uOp,yB!PsRj6 pqXRBxJ[4, LHp#(n͞=;::ѳgni:B*֛yO/̗^&R :ZrM`N˦~N/8$ޯjDDZs>P!B ̳ +X1\~Y*!6urꥢK!{/lٲ={\K.}݄rBdI.^&A3-u}cWLD0U 5:I9!B9mzZ&KQ IH*/ә `TTn.\O>)--}![nݷo󝝝݄|qTdjq P*Yھ.k/YtB42`ZzZye3ĕSF~eן/wፍ-&#C5| t`

IW"e>#"ʎm{- ^~F'!bm77]οYeTTx,v$:x5GQ %XD/8BLpܑuu=n*2 mod,uo>Ą\ `r|j[Y p@ ny51@9@ KO zடڠ> tk'˲+6Gה4x^k>؝D$bY( /sn$P{Rׁ5 :*㚿(Rs~9?hf0oe rG?[ p vKDaBU19mʋ?^B\RG܇ե, _ۻ^D褬.U1>qT^\ϬpRՏ+CK>\渟8;Q`rW#@> cl;f|ynsr#'Rs4r;\-˥\)圅B*%g=M6RRj'=^x6b.rX7ǦB<%*\t-/uH-#6ɏӺn hRߛGDئCKYUcюöԭϟ3޻xᖚ Pͩn%`?;t2= ~slA5= )Pi--((5q/Dak#VT>IKMeXؿC7=D@w2eC== lKE&,j! f--dO0s+=/B+UD9Vt=?ï`~]f!1l1@O+x mkKU`K+l x>pnN_}- 08&@[z(sP8iyk?Ẁ}\B!VNoN:Z8تB5y5UG &h;Ϋvx_PM wsg3O/s;o>9e& R߮ѕe9Œ9ϟ;Z+ cJw/>R!4%cSEFRvod)WEFGf_^G(c$ ViF|=aD?"Z8CJ`/x)~US,tNCg| ,΀n9i6Iv:pa'O7`ի2Xn2V P 3Hh=;u^V/PKzΊ{~YKפ>f@"tk.[m%ljVSo8\uu x+T @w=ol5'XC΋C¼G0'N:1!^A΅IYeRJ'bڱOW{;)R4"3FZ8NTJ$&cIDfg/?ϲ5D;}9^,pp3ܙv|lk&5a32S$q8T^a2TKfĞ)+moK 2 ֕a2z,(!>'4Gڒu|o+HR0RlG޾>U}N#pNlZ\7^0#`K x/2o>.`.O|usb=LXcn4۶}h4H$6={o|oR4g(7@##z0MEb ۘJ5[,P(|}}}}}J[GuKD9bh0G +*4=dnxR8CԊ#:9_}\ѹq{z:`"# ԫa@3}G'#˗[SٮL&3׆Ra^oA$77*C3Chx,luo<3# $Wt3Ҩ OHb>+:^ a0h|="ԦYk 5z9Im jkn@5QW$(bjfp-o&[nTi/M%TWՀ%6E?BSyAIS1g?If"wrj7*gsZ3вҬ fsbʸZxJy 2,'rrG EŌn.!2{+@ urmVP\lX_m:/szr4W{sVoAt{yo3C=8  I?-.Tn!^c}{[@ڏ=upS IT/V`;ܕRS.X^.8ڒzoO% \>ʰSG=rtؔ6-ꅚjѴaTtYg'`s*Jwc8 aO$8p{`Rv@8<>*0 > N[yFj+kp]hK7-CǾ2uiFi<}< n/6]P4k{vlSDq~me8)_W ZK  p -_4E@u];Tv,& P(zY#,#lUf.555'NtRsBsb7AD~fN>b:M|W?]QstO 0KKF*C SƔ V#{wz*ͼ?Z2bS糙W?ʄ=c7'S6D>u}8>th^\3=3fJMmiyO,l(Udt'F‚s\#`eyzؠ ![9#A|t `Wp%?ppbG7y2 M_je4im4 b5ёo}#î!W;x`*p%x+@'擄dLlc5m 0 +#'! @ 06挱;u4," E[ϖٹ85*!,Vr kJ'Y"‡k7vYR`4=< 27m:rDβJ1н+thgjFZR1?uviU{^q++RnpsACgNU< t7^:Tt |L>)l~:O$-2iӂ߳זрLGh#ٜƛJ$Kic/ X}C{EtB=o&u2QvDT(hǃ"E6HJj 11YXmi!+ k0ۂRzEk{džÄ˖ryȟ޻Pw.堷Wn5B!? Υ*,Ee8)68_pG LĊXF1`0&EcEMML&++/`˫OHڳg:{xDEE?{-++zS}ʆ2w?^/#]Ȯ>nGεcH +z!;>;6ۓ%sH3@ YK)C>p9r] `p7 L[; BcqHqXR]"#4zJcE˲ /P0}]EE/f'Ԟ>]lYmTTҜlDRb-[ӸK/pobvz?5RIөUds_SJli_SF.)5,L7K}[;e0!j51tzGh.O'W CvasBl!"< o zpaIf^={̙3ï?::zK,~/^g609!D[VBS:˲Jln* es0OG XV ȏ`7y1&uor;:A*ۖR?uڷGӿ;~P;lwM*(Ⱦ 9U-QhX? TRGzϨ#_" A!nU{2VW[/dN1/cD7 Ie:T^D  Fw…/d֭Kd20,DZH$",1rxXlq5Z-<p>׹kjPl|0Nc'Gng=^v !tgN$xў^N~/؝D$bY( /s*^JJdΟ߯_`2 7hxqӉW7K7fA!by\RqnNcz+ ˲qqq]CBlmmx^8Rb4YÌB ԩ˗˼Q|ClpjBu@!zƐr7MN(֚j%ubr7ʂGX>9<ښپĝ;H$cd2#!Z˜ҿ+!8 gBQ6~XCBsED?!Ji}}}fnaRV١]Z8C׎ qwR(Xo Vh6(奥xNhJ'8QQѽ*tkHYBǷF<: P(jL&vmG)5L4 UUUfY,[[[j(t!5vp#re BMۋ"\0fB!e؄!B=`F c+c Bw@72&V)1C@)/z=4T-0B>/Y;GA@!tuX@j҈uvwRkTC/PY(4dԜM(i2a FgKe1d O2֣B@!tuP@i8G1~phZA3م:H%cK(.RZ8aY? .> vQ[ZGg0?2K bi%0%D=es޺NJ]1%B7? Q'™J!Jaփ{88U07ʗ[Z_rR!-H.RZ:;5g{y[8#@BqmVU}LJ5n?>M̂ sё{#^7,r+ʴTdcRZ'!P: 0]mHd_Q9Uf 2#,Ck98,! P+k0oJB6:,9^4qĘm.&lnwoGXQ/f?wGg5c8 }ml#(dn<^ |ʗS%כn:yݳ@?h NM'Rͽ6xFѱr#grQV v$38Q_zyPK?wfؿq͎J!xlؐĬ*9(^g/ W tb-TI{wuTH$ .5;i80-w lFEuD*\{ȼe0~jYzߺ?Ήhys\y{sp% ʫ?mow!M uZO_*,E LaTv/XI[DlQhk0jI^Y ]e __grs &Ŗ/O66aYܭkMzmz9F'9;qE߮&oF:G?KrueRX;`JPgqG!tojo M ^o$ p  J`/MA"XBqfc)oܿ}xRMYh PIA[Km%҄MeAgb;LYlEw}q㺳S u|W}X%QYE尣J(0Σ{]*[mDCvB>f@q si 0A.Fa 1@)eyk{듋#:˿_V`%<"WcHΨk`ҫ02֒/WփF2 boLDĈL&E6u3%V#4rֹ3P;Oo{^*)'^cٱg2 0%M5E`ݖB=+JhYs,s*)bSg.KEM([Ѻ''22vXsR&T9F!2 W`]? =٧`=,VbF6|1!sEعi|@cgG-Bo}!uRH&D8FızT\_3K?ID @]&lP`5淡H,h"Y0񴹗  5,6J<8aPSc? n[E:8x򜣓PsnC.׫E⒨?&JgN``=6!LR~.cEbcm[<j;x~φ'ynٻ=m|콱{7kPVsFVTo&}B!rxj-!XBmladә 1?PHxH)%OUaW-h &ʦlk @B쯱2?s>np^FR|`K vFnthgjHtogB!tŜ> )ku2oGR5e5"n-ئb(K)DנtzV)!J Yq?8iGzQx*aH|Q=\75=gPj^H SuߑBD{N*NDgZurj !@ CT1@RRrY٥#a#O:^{uZ6 ;Z&@&^if߲o ,EoIB!VіjO^SZ`yQ`w^*"˲D)dל:#K*[vk>4:ȁa_c :٫rF fp!(NBPLjdJ+]wuu4|8=1p.8b@aʊgמȱSKb!FP-r2K JBpBKG M'T0 %x:[:تB5y59UzT&rdC"ean+xof*Jq B!04!TsFmu|6(K#ca8L,6jm0,#VN9B!4F,ZJTv7ÊDI8)0")#b>_ޫ>TN<ٷq0[B?aXΈ8"7B# /\Z캓taW0.|[!B7 <BsxC89 yqfOsRB&PB<μŜμ=[Jص'nȳB!tBkRI6[sfN};~ew&B!t WyMCtQ 3Σ_JCiX2 B!t jr,6?e 8y>6|FbHT8;VxyɨN)ӓ[Fٸ\!9ۉʵΪյ Z_Zk)jHwQ`u+cRs4‡\hIDAT 3!0lbDj潟ʞ^نl< ]DZ^O2B9hy~>``U2;2ΑK6}6W\VV/?X9h'>B!nZ<ϟ={vŊ_|1-[vYɄy}7T{4JW?*_j7oٸ&"Q]`JF}Y{<9L"p ·<0Zyj"}ebڹ92KQ^VF$몢f]Ƅ8erKuA$w/<=ޞɦmugXlǎR4 S0&k/u2:j7zo|뫓hWωywGGiWϜ$ߩ#{_\^3cKG^ᝫ秼6iq;J(XO3}s™M8/uڲ-iV 9k>/xׅ݋B݂.''****++lYM>ЮӧNa~KBUV7ZuIy>۷䅱}C;:5 gITΡ>W`n܈V{w{CWUs1ΏDdO:KM1_ogg?xqZ?Udķ;Wp=}dÝ0ni;O߰|_ϟ<sMe[3؞uKht@k4qQnyagكHEfռ?ud#zX]2)m>%<{ۚ}w יִ74;b꼿 ycc$J{F?TF۲N[ڳ'lC5~[@s.L-gN*, µnȥ;bl`4b}B8::dT,JxR+f݉0ENRpww2eJXh3g rN>2U I 9I)u-B7]kѢ/nHh`ޏ|v/]ԦdNQQQUB2,{x~Ho꤫:*+O?;}qLCF'\8si zcXԨwwj2/M\ݴcsvF6upvƽG?ߘBVݯuڲ-)2751.0_<5C(3< ^HRIJޑ**MEAHBG:RNz!Nz/'[gGMuؽsw=3DZ9kk\ 'БpE48s'#.[.v٘8qEo6JʂP[>+ٗ,{1;W\:to.B-!@о}^zTYiQYiE0={رH$pZZZ^V&r&L /,3ص{wMMs? JZogoޏ ]zMpbeƟ_9kutٰۙi+w|{'}7Bk鱯?vRƃSߜ`կ;1F@C؊̸ػ)26/16nBn OƊ/lOHSے;uZ˾^ㄏW|Ԅ欼4cf7<ʨ\I8* T_T~egB3R]S'A/v7- #њj4pyW|~?\s#I>4נŧ2ߠYEץˤv͹<;}s;oeys+ ;/uT^ml:b|%ooE1064է YF'J/  d=4DT U1 SSSUSS0 ϷL&KJJ/;عe˖FSzi|]KwYeb/ [~>W]7׌hk,ulo>WL+FX9\-SkYeWZ$+YekxKZ<&nn{yf,zֺq~Z|K߅\E?L/BR& w[Pw#!_׮YV笾>FbWƽ$MTBnaV DVQ!7r"Z &:pWD7ף:{+ 81%ɛӸ-smay9I?o:fȭW͊ë9F1!9+ӫWRSN;xcv:7xAү) >gYSP%~I&tɕeiȵ˗]iTmM.g-{l{(hevbe%Hl}\(a `%7?߱=&kX..6q7+ݘ!/tm.b{eК.|2SEHŦ_6ּی8~46;?vN^:[4\Bx~{阫E0@LBs Iݰ{* 7]7RՊ'N?g3I_UW};:?qub鸶Dxvsw}J_Z=q~@$Pzp'R)q{YYcV"LNI\}zB%ʚAD1ifG4nc!+?jPT8_N8<ЙM8x[iGM054) k'[;P@[e v8ktmHωCElǍs]OޮG+x0d^ykm*nϕ['x%ǜoGm^o#KYtӫnc]x:Bnw 7@xw Y1>}Ƕ Z{=c/)SR(z_0Zu~= coƳ ar7w\rS5 PGH}#<sΰ:I$׮]߿?$-Z_&(;.M[7Mŭ_vߡiϲ ^(r1+YN8}Ч%H I]N3gHܟ8*.Pzh/w鲿 A΄ؘ|Ȧyڇ% V, v?Ț”<p ڴd<=ia9{Eʿ#f=ҡ|jCKMݶ)GZۗ9>Mn/iu/?U 4 j.ͪ_>f1Dܽm링?;=;":U?'V*zch%4C$B8L p8^ZV1H%~ۿH6~'ُtTd/a2Y ) ahbO0U4)/{S{ 9RpYVuTVޝL \G}w~_<}۔ےH2U0 4llYko:/}R@u.yn/ihM)ϞT#8ob,znxqz&, W?Qw!|;]9CxLf!@\øq zoFݿ0/%)3+fk[@1 f;Pa[װvVt\ك˫Bl؆2?v;|H%x&߷0Uw^kx<ŷW8SFFq1/8(aKҜ$MyA)20\?~һS [4nTؒ⌆ܤHBʥBҳ(s%4Av0sm7Sc HHK{ (.lc%y +L(g {ʂTv*ߢmFf~_2Թ9ukf+{zIJZ\FҜZOƌAk/M9ݔVxq&93SL&cwD<#ɪi8DZ2\C#B0@UEP~)B/&4ӂΞa$BJo܆0!4B$4bK:]3%ªjJƮvKgѣA{QXSiܜB ByZ?Pل/z&Ȕ4Mfäv5rzbg{\L{kJWSS#@@\`!z 7v_2Utk Orߑɽf@_}OhhiګW/ 063ggLے2/}x V:Bq_P4:2cќ|B!yZ9&8*Dr9+0rAhx2bT6I7ñr$p'X{]eV)Gr $ʄ='w]s,#ۃ# &,?o0sz[RÿKC&!Zfu:u߶;GZ@BHr 2$VBΓ* j!ZR/$^~9MV)alVOAرC_Wl]R))d}YC?({)mݨ9ώ"ͧ;71~1~,J,ROTÛkFzE2r`c@׶yż^u];o nA.neϜO^<{̀A}v{YdD&2-E?ؿތWuٖeR~]Vu:ԉx~F1eju/Ne)It6&w&ӠV@yfp_K@ϦdU 471E9zoܶmN^f﵌ZP3{UQ<8;^lo3@dUkBHCrb )+8ͣy!y47M+ dT{2e[}KS-f̘1>1wܭtm,MRWږn^~F-PӲ2-M<Ô1FoOFĭkË?rh󸦦+a?pW)>Ҭ%AH{ aI9Z!jVN̍Fr3 Va(y-dAYcLb!bXw齬mM񜜜M#,,ayO IUhS蝑D[`mgg$E4=%-]]]]]]]l y-܋0D'aBąF5L=`rM]]t]WIֱ8qm5JrM34e'm! S?)s끁3 TQgYC?;%~ WqS&GD7\` " -ݜs5q{.n{HBs۹-{0qM,u_WBh@ ؕC>LKHKHS=c+0oU\ |}BCC u v]S̩n|Y1>x4.dѧoOXZ\M*(}X^meYz4"nb^3E|ʶ[z^NN_&t{?/<-3YΜp%͋[b(nlllݔb(c6\@qk|;"=K-<{otOmʴq+v|xLjMsVv1PUFO uWtWV+4#/1uDnr͡kw 2"\N`)uOX8+G>Nzy{!V?gPQZFx#SBBna䬬aX6xd2YRRW_}9xЕ?-[WU7pV'*YV~u?pMewmc(q6~C썫bXV2 ֍ ].+>RO2*fڸ~"kXѸ)ؿrk,LsV_[#1+jI&*j}V}a ;}Od`rK!?^$>EN]RA1R\!$n/t*NjB?DT ߠ.&(Ȩ;*dɓ'׾ntꠀ$]j ʄ5]'/5HDt zo&/)Trƍ8m1N+h?H]Y:yyǷ}xjB5/rO .,( 9܃Iײ>5N/(Ή;휍i] 2=Y8s7!˓+\3}@ԽY؟w`_ @9sX1#6WعoM\}BMW EnnΝ;uбN"ܱC_T_]>lΎȌR)Ϥmk6-e G+!gА p8^^˚hXO lB5upp7nu---1&!BoLPx< B!GN#B!A0@!BH9$SP NIMumGz0pƈ#Ptas;]bK`<BZ-PҊYG]l̂HQE2M̋%:E)r7i}f} K0L^TGdt/%ˆdr+e9:xMcΤmZ)šG*³B -9YފjK^fLv<CB VXb[TV\BR@_,4 zv\A"_(1 FI+1/OTΣ@F3r/*γzxٛ?Z9|ecۄM:YCu^gڠt`yܮmru[o?VMsJ^ Cz~'0x !лE:EX,OP@ ,u>f Ku\S}Jirni2FY͛f: mU+gf:%,q%z(Ҭ==xx_ڝɲܒ~=e*6 V!gXV/gHq@6(mPCB<"*oP/1ψM֏&ah,uv#ȲǹtxQ9 _uժUY8*(nx[ ~"P2 |G;ϳ<ѡ71!Ы}:i5*C,$)miJoP7D\Ji꿙 HC1uj~O8qŊYFp:]?ܿ!@UR=EQx!BHh+W 0Xx@`DkukYV_ atXfӧO=;TtZRO*i>~)4˲P\#7cB!QZ62a A?]8+mkQ%˸1֓LرcKKK׭[l2UehN-R0DKȔ"LkAh;hYbB#)B!9w/?Ȗ 4_& CVwlRgU-ϼi&II4(W%i:J+*̓Wx1.QZ#bzURUA!EL `MHXXBuZ!9[fӦVw9kJQM`4rlmXjUeh1"N|/`Xjm 0-B3 ]?00w!RRM}`x{RwSE3#[K'ldEй5u5WXr7(@ Qo3C[ltҵk֮]+(V%U( O}IJ$rz؊{bS[%0rpfdfTWg -B!kSS:jhً&BͷW3$dTM:J@ZMy3Ç"Y"##߿j*===Ue³WJr+O?Ƌ!wV !U|@rqaؿg{oi=x^ 5#BVN5/<(+KeKF.u S hiME)'! W?{\K.m! vbB,<7? `lރZO&|@4d 7N_#-ދdK)kzn}%i.TWtvЩ=^<n>lX[)BZ?Pل/z&Ȕ8R u~ΠRX@Ol[yezBwC+wR*Crk%_RHl$ uM&LAye}-u=[|Բ_8yɉ_mC0 9BwD+' GYSz/U x2 ws]Kέ;qwXHHAaHgϟWcg4U:^=|󹻇yocW.3hUfm֌9myG#tg]?}Ö=h^Kcx#Gt V)24qAd\;ӴCG;Eʼ]|y?Q"#2huʨ,TGI0nզ7M"5$;0qx%{}s!>A]_4W0"Snn!vcg/8ܮa hxK(B+Z9RJOi)m>#JA&W`eٌM;p)?xKDxxQQ1Iq'5j㩄~> v%+Rgʲ>arO`+}ō]'s9<aLWZ[epLYq mQBCiQ FCZjxoҹ-%/+$:3p6z{JfKOl+dqAֶmK+ǭ\b'3/cw;wn.=0pf̘1 Ä[\ӹ KS>\GnxagJFNn{6DB`hLJz{c~z'^Bh[yZx&zai-(# LPKh.SZTFݍI5pXH}#},: S_Nys_95N:0 + Co/!zZ H;^N~&* =B`~"ʼ{7Xʘ #z~x Pm='/ߎ}~q OS[2oq+v|xLjMsVv1੍UUFO uWtɯlWhF^?1c$?CdD9ZS44a2btƯ8 ;~9#BE+"B_OMD"@`hh(xdjeos\qI 6裏dtE]L(l?4w_eRYr3'i NZ!`]J~%eŽݟP**y*ӥ_}<-G!^="*oP [GPdffGFEwT!N${!TZ֧&4x9q1˸Aw8s7!˓c(&B.!5oBJi좽Ş43;ڵkeeXIꑅ|-=oӭqz}/@M͹squ B-p6fG\ p8^^˚hXO l^Ѿ_ak+2~ tBu(ݫ;^{0x=lmmݾ}{KKK B [*Mpftϝ:R!Z|ވ=6&₡@Aݔ<-#R˲.,%joCA!%1.,:31!0@vF&fB(-*h_ء9.KdFvv2ڦ}쌩[#BFhWZ ?ހ·La NkoP)M-M~7o޼5 W<P0lZ@WWliyaAC7>pčțοOd߄FrNB5!B/: )?%j堠ٔ#WXK~v&^ΰ2>eļP[=|'NVZeaaKkWd'4:Gu8,EQOd몰No~tM3M;t?B!jċ&,y@C^' D~ L]WP+ϻin`F;2LO>=zRi%kJ=O4|R,Bq\LLdmܜEU|p8 t2]uj}o-ܷB!P#Z.@2a ,@BMss-d\(q رc֭[DSKk\*K`IȔggp fEc՝𫇗$|=y lyc*7BPK~Cjhm/8:4͗h$寨U:[YU3|Z$IR,AAA4 J%Gը@4[%pJ+O(pYchKd%$6_hj4B˯ۨ{~jpFi $} ?7Q(9&6G¾H+{ˊL6~#kq#^-mV] kiWFF%0ou/: ؏l-Crn!M"r֔ڛi/Vi& 322VZD+dG=??`Xjm tjai\A ?)aM{ %naj/_1GjF^403iQxVI&P[sz\Wq[%{O**063}7"xҥk׮]V hiT`$@=}`Y% IYs6p}e/TuvChn[onjuuЃ]~ޟ=qF,PХW\1Q-w:MΚW1`sn|t1l5i9po\Xj'+JvbB;RR^C_z3ԵV0BEEvJ| Vy#P(saQkag( J]q_ZPhw&xF(CSKG#z/ HtLZ]x> ]q YeS&p4m'SKe.f]޴Ƚmkǣ5CTB̬N3؎j7(ǞڿrlF%o=`=:٪"\]]=2* nwFbodͫѓLΡE__fx{ @o}8o⎼ۥ cCm?WZ-'ŦN~6lEԑ=CSi+O4UUr)83:Z1n.Njo͕+J(QmI`.yPw9x>h&[|agml\wULWґC.O8|˿c߰ku WٳpLnj) m}N2ID7(VoKfWLswoOOY{ɕlٝ=G@hmH{!w"3S q&e=CՏ5ߋ&E9Xy_r-[420vL`eNvO l*J9 =V5=mtҦaGk.&4ss=(4 ˮhopoE;.j =>~ܗb*kH/tJv0 ؊УT2Y*@p`;F#|am=;0yO߿19{>S_gG09 @@C<nw0PDu19,׏ƋrywCW՞'PB&~CˑdqO!vcVF?ELRDQU&=g/}ϊ<$Zߨan[ m I e@XWή؄fRMFn)=9f'&WXZ0ӎ++8uh\gqi%& Z~ɎFiPלy6zx_1۱_ζ֤ƌ]8VP}bۡQTojV(zx)nL=Yn(e@ $P<֘T< 4x-w.7n2>mۢ<1|@~QUAzr'!EUe3hՓͺr!Fǚ Ӑ^Ỳ[uFs!]q-6Q<=SQ ^xx=}6n'=BdY١8ptL,_irPԕ%^9x%:WF W=!KL]xj6jvV֮?4LU1eyu Y&ZAI̲[Q󍢲Nɓ:.}jߙs:~̜)p6* 8eԻ9!q3'A&SJ\@ Ag_I5#?PX׊Cq@(+J h!s]33j_}=M?G#fsxXcP3u55 2w:1ǁ''Z)ʔIdZI%T^﷍ܵ{۽qnMEa?O'W8b!@祥 ,9׋Ȑ4z(Ӷc*zaJ;>)tAvҰasjTȵ;O9͈ꏜ^Fy m+ 3&Qw D;{[#㪻w'F]ѱ-Z^z,guuM*a-Vh:AX9K*gXi&߲y;[+'XQAnvF }l9ǝf`j%  { m޽:NK;P!uuXn`}-3x:{7ϝ=sg|p{799kҼzDͿ?0@QϧDU}2[j"#;['J( BIj -y@%A쨾ḏX1+7j'愶*ǘ@=JT"$IMsM ٧xL/RI" LMLbfy'KQlci%,PË 0!gPaYCèڣe5J֪ XacWٳKX, Ƹ B!RC%`%5u Ҽ`믕8Z 5^(dLX>{#f^}fxu%%oiM,Q]i ѡLI)Y6OengǻP8@O*ؙS*xMyP[+a&ۅU'1EI)|++S ?YTTUqGAV]sB%ꍛzQt]@Oiɮ[W$sAMd3VssKs_4/7<13yܽ>*-dА4uPE1(J,b,BU`<UӔ|7#v5Jfט$(ZerkAK[7ŋ2hC5|?0m! C3ih @4_1*7wԵ~ْnn 7͵:G *Upu^||KOn\ s3JS-I9p>}֩-[ZŹvի玚up1Ǐd&]]8wN_UT&3>~ώEcov}>|1B/:Z!E?)O}G/=jxrG4uvN~rlGl}_}}xU2\-#3uhu?G*&~c:;[4."U!\NuGJbsMT,EUT Ěs{ut\ٽWۆPE[V?e7t=~L<tFرfR>039pLpņt ;h;t-d>__tS?<6'7a}gS(:Q!7|` BXt3Z4no6&{+ztv$@L冝ݦ뇶_w{BHCaB/D[R)a6=~4-u!pBx'!BoҢ|B!BB!4&!BiLB! B!A0@!BHsBoǎ`B B!!B! CBYiQO18jD !jLBo1!P!u B/[tM9!BiLB! B!A0@!BH`B!!B! B!BB!4&!BiLB! B!A0@!BH`B!!B! B!BB!4&!BiLB! B!A0@!BH`B!!B! B!BB!4&!BiLB! B!A0@!BH`B!!B! B!BB!4&!BiLB! B!A0@!BH`B!!B! B!BB!4&!BiLB! B!A0@!BH`B!!B! B!BB!4&!BiLB! B!A0@!BH`B!!B! B!BB!4&!BiLB! B!A0@!BH`B!!B! B!BB!4 \0ęIENDB`why3-1.6.0/doc/images/gui-infer.png000066400000000000000000002003341440160026300170130ustar00rootroot00000000000000PNG  IHDRVNzTXtRaw profile type exifxU 0 C5EFeA d_9Nk}HaSsu <,ͰDDƮ9yP)^6Oahbaݚvp),QHQ#Wݡξ C,+T2 iTXtXML:com.adobe.xmp ! sBIT|d IDATxw|U{Snz!H'!RD@+kYv-꺺"6Tؐ&B RHHInyHIHAҞswͽS93̙!B! 2)" B!8ࢤ\JA!BqT)!B!B!B .B!\rSQQ.n g;l",BnK)+0 ܺ?Ì1]CI\餦9xSy7/ϳ|^ !B1颸ՏMnPH20ONnKW9 IW0<ΊG֡эnAFPYYG:Σ~5^jz.'.|qk!B3_?. ~/?7(=ρr'(խo?ע K5$q b³s3</23~.M[9/`s.w<-V^|es:AgfC.B!'?Jٟƥjo+j8|1aBBZ\0 l8Nn7& 7fRj耮l BiS]`PVAɷs~Ģ9s&ˎ>x(4w=m.$1q3jB7v=C(YL j&婷y?-LB8IH؇ f.nN?ܺ/n s/w)ώGB!9\AeE%52t||NCxxx1}9e$]Lo &_PYC||(Fik96Q9\KY=kk10):)nCuxeʼ3Λȍ?YTbP]樐&|?GQ-Kd3~E F9id`82ܑcT<1n H5=eNOFӚv|Bp<^JWpSb}/,)wOB!Y\X/m۽S} iw2y\^{9?U`[|5{N,!`}Gu\6p v4.c5;HJR;t@<e͕Fxw ؙQwLI-f!Bo}S­lr 5Kh=tߛMT4N8:}rWQY +]L%^+t#<R(FnA2u` ȗkB!$hn+foަsa؇)`KOʑ&n{}a;}ҥEЏ Jz+4vQj1-LϊWc{Ax,sXCe)wDoB;Brs'VqnTè;6&W!B:xOmp8Q#=ݻddfSb눇ֽhъroju]mVojkl'D^aتUQK ٙ+1-ӼkQ#Wy9Iǐ'\ε:Kf%=-_6gC{6ҟ 'G-쬨f<%'ppj6-熧5uC@9(\!BfR)Po Vڭ|]]&S#!n)xh _w%[ Nxlb}t̼j81I$ Z{E+!=IS'n=10J;)/MX()sؾ$dʮfNj嘖i^޵~=ph atN_Ta7{_}_@sUL>?E[p{-9+K jz ME^o:ڼ ]TBLbtO3%?F&s !n[on2~!\mef&ry/.!{m*<'fMnk<zl Ӷ \s Llp~8[`4`+9gAY&Sy坱1aS.!9¬ #ZX=[D_|D 5{,qY.7Xʶ,*XUd_{tt7?SJ)wqu||-B!]ʰ )!ىCz*B!U!B!B5&B!@E !B!:\!B!$B!B>? âB}8TZ޼\mU~G/Q1I-8!&#FUصnS !IrُgM`^}[SRR̶-] !ĉYC#LUeEEkkO뱧' /7^}R TWwcIQUBBٻ/%BtLp!Bt KT u&u]}y9t_?lUU RAT6+80z6I!Et& 0˅<-ҥ*`4^hzM'!?r'BZp9 0 iR]42\N9qLfB\s!MEcc2#:qENZ!Dg×_'~V\u~Y]MF##3bV7͑qHy24n9*]^p8 '8qjK1}j wgKtñmKbyVIM[.޿Fy{ܮQƚO,;>o̵kYXۗ|#s 79*uY;}%5Lͷe:￷5p Jr} pgϑ}}{rz'0edc2wpM5MPd$(o:V찐zo,kz?s7`9 Y/'s:v p\%8rBt`pq¨XO rTT Sª4nǻމUk(~w_o^1DCg7M[#j.3\ܡvCkW˳>l@0]ɝ!kQsSUB.FE5f!6n'V"("`Y;iji-};'FNH7Ms{rx? 5h E4.3;I%Hmcq3d_"0?|A' Vy_?}#;5_ZlfbzT;!H!^;\)%^f%1۟ouqa\>YF^ &|3~Kٺ_rIeܴ+R2ћ_ @:FTɟdyY4=}5F kW3 ;;?OQkZs? !;Wita(JzWuRg4nʸ?>}*y[!:k.Ir Y"7ۂ+[߳s}nRd{-af0+-g6 F9Sq53nOGB*}-j8QǯYzg'tJVk:km~,NH%D/=[gya}ƣ%mKaI%v< IeMpI(%.sϥ)66}N')A<}6iZ=5>ۘGAiB.dfϫؖ[;ʝWtɖ7飘5hs 9 `Pӳ=[eX$[z}g/32`ąh=.W]=0+pNDkm=בw6tizE9=R6 ڨfG6M0 Z{Y=.D%) Ebo+fӌOXV&y3*=?ŗ!xûk/R{P~8uiҫWoK+Ѩծh/dX3n%ȷiDwFPf؎!wUQ^zgz4¢񫿽Ww؟蘺a/͢څBlE  6~;/wYH=}P3OJ$jtd]u?^/>`r96_f;&סJL`TaW1X6H{9繅6~fNhz3ܸŤpgja7`Q onqoj&Zܧ kƎŠX?&y:\OHRw󭄆TRQƽ?\{ ůirṪq"07j8A|1$(G}/ex;aL|R'l16.OJz79=b欫=|hx%B 61ͮ]S3i~P Z{2,JoDnJŨ*ߧӟ tW1>u`NN%X5Z)մBQ>Y^{зW<)lv7z_};7u[ڛԞm^"ӫG<If]4f0}L@Xv'w>j.wtCv3Ѓ;)dН<益"BtTpѸpb &iD^ş? S]T|7Wݫ/F˶(*.'a4L]䡗m^k}ŢkIq<<5x_ cuEEŨ P @_U<( joe;vKj j6Cd$ӑr`_V.Nd\Q! cGpz|B\7\ڽVd_IN]G Ω} ЗͨWlϝ8yfk2hw.L NtèKb¤/PFҍdWW9=S3Vl-fi!ܵGz.\n_ZSb @Ϧ?o1& %(3V| E?]N]SK)H|+띗A.|dD~=wFa5*W ilO;-OFGw;9ȥ~^_$F&`doU#'ݟFԂU y>}Tmig_EmW0`*c%9׫y)/M<*sI1qǠxj6 !|) 0agP]"𡔍_~n귣0;߳uk~ak64c5i]ةz:MWbv(ݭo:H9hQ|ai<,~QGW8X*8ő!DNk~k+^Dat(0x|#>:^a:w72˹<O@ au[WZY/J3r*@hB 1 \| VԬt w]F^ ӢV&#zc#KOk;1h'3xy_ DŽ?] ޗFya_>pӁ$.5M^D;58|1M o{? y?!\zk^΂|.\2'1^a&K/o" Ť;n3{(B0|">ܗ{Lv;EGL7P|2~fW2[ Zu1NCصZr-y?7"_| –BR"x:`Q>K# ǶȔ !DAxE_\-ޯ_ÆrۓC11nQ 0E0ƇN'?&cyY•ʟ=-5>Ϥҁ8^[IgKhխpwS%rэ3{l{/ !ΊBo+6uPBd#VlÚZIYFv,6v$<8;Խ/K'?Ū0vӣw^(}dיd@6hB>e<? D45a#{qVCDa9/~{# n .вCϚLؿ踄*Or#eeGxaz"2Aqmٴ}ێ'$b׶\| '\pRG_΁r;fGĀ` IDATK<_e5TO8j`r{l.GEdG2SjO2ѳ7/eq8nύ}/󇏔[q&tu0έw)ְ ġ2Hqs/ 4uF [eu p5729BI!:00zg[TpFOṷ] !΀T٭0)!DGo>r-0ΔB!Dxxx]9;$gXpiiB.}Xڶrt$ ֣hO=*2@@сŤ;2{n !Irُƙ\|)!D'CNa+v/^[{<~5&e"Ept,tO%3ׄ(uKΦr)?3fMBE]6JomM3 !0 ^_:I!'[0G`&,xdlp'UykU ;7QBH{CBHp"[o3ɮ6s>_IZ!nE_osòyE+".ҏYϫ ӹ,ӣPv}0p` pE_pTL&rV !D#DK !iH V4Y&90i*&PuԺ IS1Tr *Yna,x]yNB) {w{՟@t͛*rJyʡJ]&4`aaar-,Y={6|رc , й ړ1 $@=)߿B/fXrۼzmgT}/} |l^ Qf\,`Wx{z |"{0Gj} K=L{ׯvxCe9r\f_ϙ-,{s"Y3(_0Sfd .)0}f2ɿ&! 2p:¤|24O9:)FrOFpA$lSaxOr!ࢲځ×Z &nXn$0hLH eH?j1ICQsRUM> Opp0%%%8NOrQT (Fs@_\.1fWK4E>eh3k$Y<*g 9[uw|OGpۛOqt>^ĎOӏS(|i{oxG }H(mE:.voمΎ9%bdne=;A !Dܬ[{ƞ* M[X4Ǜ-P^K[Iq'5F#' Tɹvt \ꑿ' \tV A:l{vRe|^c=_WbLwo⯯?z*N==|g"i,ߘA$n>bd_槼jkKm;|% Oz"nl ?F;bȧw0sDkt50 \.EQ0TLYP܆Ȥ@n|j:fsrf=q0˜lf̙RSSCNN3gl6Zf9 \U+7rm4D\x)Mْ(3Gz^Q$7+67rCj0fnVsCo}Ni])3)5~|E[Q n5(^{غ9lEQ-R]0->${?$!)th+e$`ʮW~;# VTOCwmҩC _?ͣJl+kϩg>Gw 1Čsy : ;XΨio쯯lyq_AdzXmlڵ}ͪ)w^J$ۅL@s:Bj䬀FS5,& *|= fy\ryt;/?-(}TWa3ZȮCOmI;d\pl&W AҬ%85Yq~展lOGظj K|G2v;#?`5Wu<캚e߳XGy߽9A5cgB6O&ݜd|q֎ّԱsfCӡVҍث{2x,^ CG]õaz`]uBK*OK0^&th8٤RQPMq OKӧA) :8|;<3g䪫b̙Sj.&pտ.6;C/NMmV5(*R9=-ޖKN@z[vlǵˋ1ȻՅbA1.3قnwggPV>q`ێeǡX jM옔93ӱ 㳞5c`'KDzc QВ-W ?Lapz!Up'ڏs0iV gҨy^[Yn|XLjݼ Aߘ.Ù7om(עyxr#ttCҭE%.ej.>TLSIMU,^7gWW.Yݝed7&S}eBm벦ÍD-4 Xz]FN ^~ZUiwif,r!N#6@¶b#ϣ0T̚Jw aD{5DlR4Bl,"Ν;8?(*.qgpu ^[B&G(jxOR ;b&W.eoLoR|iBӸMOө j `] Eձg0t5fF5Q[ FG&o/@`i_̱X5%?<@rh#>ȌbNeY 9?C04/РEWTQ7ܧUvUa`15zw%L$oSp=Euy[ḃڍnq7+:`]ZoUNeCϐx2U }՝.^)WQғp5Bt J*pv%ƓpR⮠v[,n+j:EX\K\Z3ΡE=oW:ՎZ fX ;x¢\xuylޞtzR&ӭl\+hg`{_/+lc#Ͼ 寓G%Å= Sb'r}Hq:uJx}&R 󧨼MC籅{nf MS {_9[1cd0};;0ҷ8q5'U5֧K ?2%Lj+SS~7G6G2 Ƃk}cGo[ KK&6ي,{f %"~nxǫ_ù|}Oi}?ZSaњFp=,~HD$k۝T?EAt5eo'GboRwxNK-Q|72 }}4cIz(|6/[ܕ ,Xc4 /ѳ؆jOf)Dkx~2~Bq?#FxkaPRR‡?f&;ݻU?NUU, [g"r a[.N&88ͿݻIJJUVVRVV}bO4|}} BV.}۪Kwل69~r4aqE!88icŻ2x]#EU\boA9-㗄0j@|'TYJ@ B!ĩ.\t^;#vv  tq>Ćj=偅B!4 .VqEE2o96 aXj//S:B!BqijjJ) !Bq !B!$B!B>Nڰ*V(fyz9膁a[==B3 !C-VlcOAnk)#pTBMRmmnX6}UE1|`4yua:w\tfMYl7#An(=/GUZ U_<(ұ:1#BBs+-`iF&hM.saT.=aRTJLZ`U:#z;.(8{m VGP"?ߐE[_YQϢ똧0d BĽŰ?bB!ΝrY>?9l>ńarhü낐ZmiT + Gb$//wb:Cz/0\yru[0Gz*86{r^y9BsQ|[!9\9PNcf/@qy"NxzRwIE '!="/{ToZL2ϟOXXXi AM>hSm!rv7qo>8`6f!iXd?_g{<2)O)!8 XұU LJ~_*x}~n.AM ˬQZN7N̬8aaar-,Y={6|رc[,p&PԺh[x>BqwH})uFh1{[eП=/7cJ`=2YʹdD`]ry̻V>{>&_-/:B^y,~eL/_, .*X<|u`RZu%y膁EcBJ(C_V(MR[70T))ӧpB [YC g`(@eQ>xTabL®c*lj fG-y{^}d_5_'VrWc&٤QQPMq Od6M͜9]י9sfj c͌IChi!(i àW MB!i\iiZ-ő(˭b~fT7op7Hxx8#<<| <1{(YP51}KFvȻ.b 6oZ!BETx ҋ8T"=kx8w : vwI#"; 8ҹscXJ]SꏪA3r]鋗_hY y?Y(Gozm1B!L .0vʡA\?&MT ʮcsqFCaT:x%LQpbBP47قj6Vկde%inϯ|^<J!BF+~:b ofwi|xfkpsv)xz-sq?׍NӲ{nNjmoy֟jȯD.q=ZG!~w-jR]6eNYVn.g][!ęarݻ¥ QUfٰnhex||gNTv9i2u_ qaX!lOfqu-B(3mL2]xwU&kD᡾K7;\-(g_!xF '88@`~/ixxx(lM>]j$yDnj0f)6 M]$ {t91z|9tvw1ovԓ!\t^;#vv  tq>Ćj=ZM&SÂQ]Ͻ@O;v2z>t/ѱǐ7~[6?O ^dfd}xg"i,ߘA$n>bŕ_|e;W̤ PCyjU>i6ݛʃ;BHpq4MjbZBJ:[Xm 9br _O|ͿPe#ٴNgbSӻˁǧ3JB:=K󎯢J33wnMBBDTe)ȢtW׶oźkE"VAJ5@()^n Ig>{{fSPz. ̒g]f#]GW;tR) 5!vd%/y q*}qm0_6KyfX|tڶ$ػ-(嚷`\Ͳ9 9n&!k`ij,fQs 9 w2+O IDAT:4˃Cɢ%GģM1r-q`ꢊ+!_ g Q ^x.m0K>Z ᗧ5L"s6DȐi{ǵx[u @[$ =yZZq$;Ҁ/ASu)p ߖy6z5l g tYA7 MeU];c$\-!z o3fм%]ҋvmƊ\둊E-ƱdH̳H{kNdx  Fu5&{*e\`gSV᪴7b~#AJ~y?(Ʈ܆&8VwS wd59j?7 @+qXoxr8gpSiYTTD/G3`0n΁xAx* oo`$qIGXw(ݳĝ+>!Qy_g!0?+5G˝XMLSZ(-TaENB Oz>ڗPLś.2ڇ!?_5e]Gpwv fb?Ozz]rzRu|(cK\^+,br<%;fDU ~(FOz& df7go]iG?~^xV-gчK+{]'n(9Y LΉ>1jt[}Ik"W$r$UBo7Xdmsb֟4ٷ=ȄݘӰ--n`fLڟʒm0>t۟z$0}'6ѫ 3نpWU?| yOݓl?P"hԸuǂhE$vTL7"i=xkE@F:B3 ^'C"IR,&E͕{a6^FOi;/.jTm݁r,_@Tքm1}st8Rr^| krQ'}ܛ~\Ub#!:tz֯YXss18EH rnUoJrZ!SMA;3"h\|SzA5/Ʈr&2|V;}xM]1Qث\7aÐz{-dI!+۴dd0t}*9UMsݒ1FՖM=o"U; N/T|;L(#'*vޥo7̃Ǡ .fB6̾T0Zܛp>?O \\\;A18F%TW9[G/9Q!YHdZF9s۞{^~(qj7/3s( cZf0&j7b˿9twfJz4fq^AbglY:u?@qQTMYaVbB5'IF5)TtVWjVN;Ǣ*:*qHUKuF :_t!x[U\nfqXUCGq5"=g9lyuh>}PC&\Αϴ2;FP;uG F_OPvg44*q4Ѥ Y,~N&N~BԍAN?6k"~9~4fd pm7qD&nB|5mJD#?śrXS8v3UC| @$6#K`Qe\qZ[$SVY8vJERZ$JEj=̀?fʚs䖎ź4*g+[0Q"l{ΚNEjҾnn{^:zo=І܀ڡ ev7J kȻ柱7 ÌQYYMэ>(jUWamƂeF k8\7z.]&s/&h՟@ Ŷ@5SiV)ao BL?!*Q muW5ޥji Ɇ,K m YHzlk>WKSG'R`< I8oj]؆ ;O.ZW)yg^);^*\iT-US"zا\wQxEvZemOekq wM37C^PklQZd-cAӚ֘k5 TF1psKYk&2tc@Z^Ц4jckю3I~~i'YCGב{A"" RI+ļ)ƿaA}?~w3ʚȷ1?sW3;w`^ {>L }yҐT"Գ-P@@yQ#ϣA& 2JpPg&P;zb#N<=富0ヷYħ`@p% "A-he OoH_?B-EqWSGjw6d86a##bڌU.:?F#\ScUKS;J$E:~7γm'M^DKS!0bĿ?HF9l=,ڌ,=M-y5BSFՕ[;3ù5 kLw?>s_ (Oa`y6Q{TuV[Ɖx_L͂Ǒ!+h/jFqo)!.W`=1I{Qט6+(۶ RfCfϞhsY?WOYodO@nՋI; Z]KfIFF`.[#̫c:oE;Mx{},em:G LEʦF߈c5W]kJ>)m᧧  WEhlfۉ!7k@ I{HveڈOCO Wc^f@?9PF߹/cwǖmd86籿6l$?~5)rېQċN 5ffa˕Е t KnY'l7Ik(צ6bNA#-}μC;qJ-af8ޕLIa0>*g R04ܚ܇bWxh&MΘKB|-_э[H}{# #_J@~$=NɟG{F̯ܔfuSoAuo7vΑ+~+jK@;6g)E-Dk"5B|,&Ҳb!)Gװ6hDo$g)%ʮ㡚s6,ʢHtӺf=z fYC`syű'w|IɀGfhQVF~6upUZ1 Ӡ|%Mk EFcWVSinCqksNe$Q(ȧ v~/وjٗ(@i # (g轲ft~_G?-޲xh+U\4vjSZyDK\MKxgUa1a5(BcJ5b1XL @ = Y} ;kvLPjGh%>*l@ӳ]HB'qPx3ERp<$ &ұN LgSOk?_[OelIK{e%pWL<+OI0GGΪeX'%cN4K'P{`4n݊C$w^}+9*7 ?7\9i1OJ[dBnLQt70]&oOeɶjOVs !7۴7OE ÷9?S[}ƬW_D@p5]߯:X p)w3t߭_#GnلR]C,:tw@ nM? RePY{]Eh$e+'*̋#ز+7p׵1MHʨ[1L&s2E蚆j;F!!b @ "RV/[mLgwZ&EƤ*hD۠m%LjI;ZƽG (H`` ={w 6ceLei%UU#f4)z_?=2@ .N޾//m;/xcAiErZ!SMA;3"h\6lzA5/Ʈr&2|Vڶ y_L EQ>bii);w&YsBݻmJV@Mݽ[zEzw0X9#"[?wɭ$o<:ڛ{µm$E oD?X/Is>c2f-B1iFZ+B\C%T OmM Yy(,,ؚӥ3K)>Cip(^mHO9UB~Wssrr[ >ao>[PU5!cnƯGO:~?yuV ]&.9btfh )8Ăb Jf^s˖P:*IeO2-}˗ƾ@ 4c9ZT˭cVe LLVq L\N3?+ Ts. *[_5"88StRڵkw]vPeim6yNTzٓ͛к];"Zdƍdk׮#җ+U4~O>~=-8̧Le}? Pi{~!zzD7ɼ cXrͼ>t:]ܾ3o#1 y<9?|h am> =#Z1y%2^Rf,em%d=k;{CҨE;Z',RV剣H=  kK18"bG2G\6zzw F'+?Ӄj4o֗cߙStlpjysP:=eaQ0ǎ{~)l/3h-a\@(lqPY]$It` tbVH(o21$ դ Ii!˔W\U4i .$++  p\L4:nj(.ѮY'@zZݎi,]BnF"""Nr+Μţ]K2ٷAc׷|΃ 3㙧~M&Fԕ[~9 %<`0U IDAT[{T''wQ7gHx? ji$m1C z1(\*w/jFa\#%yn#ڿm(8XI e=$m9^]1k|$! 7.嵲 LWg:y.G|ؠybʅ?[csm\*/9Q8,$T&.}@ avHjO[4rߐfT輵2*'~/K+N5LUU~a{9<<>>DW?wz6l/9w1-k<MkaH2}|Vf+(ǔ!1~b#ybJt$Q~J$ݸԷ70 dG#!ދjWԓ ;ԡ^i56c7o}z^2@[0) *׉A|XTv0yF Z^"$$yR躎$ɘ*`h +Jދ =i5]Än<79y:]h'hyWH`|sl  b 1|rG7a$i E JޢB q43; \*e\`gSy+̅҂߈i+e&nXK (2JsbT[wS{ѹ"%~#Tq|po?k/[c<`e3-z4f_ qq![bgJ1>(<) 23\zjN`ô Ris:;<A+eQu?,xd 듙OKpƇ/#?2'j$@fqk`2/@Dz[zl(Om\ԑ% IQ>9lddR_xx[$ HQ];)+I6 [?>;LAx65[&t+čOL~3Rn+A˴1/ SR'ťotx6:F3唯te7'W*ޖ{'W L6_ηTտ%]ny M)B|ZuRA?&D<IO,Fi Ik"W$r$UBo7˜0oȫ<=@{xE 䆮=}d-K6Q_Z._'!PEE,;j%/JnI.M:rUdEj!H ws@o۷dOHUU%ׯg~RQZv\IR sQz>ʫcDπ@ uCgn 9s.(@ 15VBfMĴťiT9ݸ e bBt~ۻ/OO@t]GuEaǎtؑ@*M1Lǖqk'x @ W$ &kCs]/m4!$Ё,IugGK8UDF0[4'[=BR6$nu\qqqL&Bom/vT2Rb}f,7^|x@ !.%0|}}w[óHNc\ʮ݁Y izHLDv]cDDDP^^&>>͆aď/,{*tOOb'{:m‹Bn΄w1En6~' U @ vjFN%TTT%cf5\A5aO-Inn7fp@ Qݎ.Q83Ϳ\eNo k\j!6=h@ @ W(Ns܉g+bΤOɖP:*IeO2-}ˍeur(*@YWsi"]0!Knr:I*y{g0wǢ.`>ښIa 0CbĊ]2k<,܌Ϩg~]BltA(|0c)k{D.y Y+ڔF vl-r?$4{ty:v>HDay";GPD6_HFANHUd'|z0\̓rq3W?;sjM!sƼ9(kX0ǎ{~)l/3h-a\}fjb:m_cuߗ3ʚȷ1?sW3;w`6ݳa:I+:W0 w`k ؟YMieRQB-ChO8>^wrn/*>M/c=#8T@ /D@p>ȾAM?ȞBw {_'GI^cۈl V`C2HyIu<{W&GWe,_=IgMiKy%bՙNQ}"/6hޢ#yl<ǿr3V}6q|[,׶KnNK2 F/>[bdC.>%΂=xo*F0vRڇkBJ4"dnqtR+UF 囵ؕZH28<fq$0/w`ˮ,\]`6f v_n;̨|l&j4V* v-#po+S=VVL+=1r 8rY{/&\3҆SӶМ l)G,׼5"hYȁu3 ~+&*q<0q&փc|GFcױ u{ ~=:rD#p'Ӽ? KC3<89I,:\BpM<*\W4|甲r9ڇhc:ӊ0)2&UA3$n.aRdTL26=J|l0_ogoF( t2'!^Ըu\Z݇0ؐZ301^Pkk{Aߟ67 3/FN>~dWc8/Sxd+'#k!E,j<!sYPO!eq!^T`.†΍Z<]QvD?z3nc?K)wV)ThO]g1>ޥ UH[6<96V7Ɔ|mylH ?>9;yO}'}ȴK!=K*`eKx];U?8c. 9|-G7n!d+|)sD:Rhu~rV0 ǘ澧2A!F{vX0:%<[a~<y샄,9 B\Pv Seۆ|lfH`Vd1`/ t?nᮏPZ*W0udк(|)V[-ݠYCHu/ <QΆ>?SiՐ_re_+1?9N^/:.qow..F.|竭3:o#C/hl4؟WA R'^MbQVF~6ک߻pUZ1 Ӡ|%Mk EFcWVSinCqjcTz^ 'DJ"GiFBMG<|po?k/[c<`e3-z4fPd pknD@;1-*12&E& Kyge&.MxlBU9N -󅸸+UnDE]/*@Q%3Y`#7݃ZMf9|mwo@,o G=S/tOw۲0'7??v=Ϯ`^#^zn^HZ_~z X>HC_x[6;EYיryn/ZvJ>|êCTG_Y̵IyM_<:?s< 0p͜ǓZ*oȞ-|;wQVNr&e֠4ΞG6M!/GKpƇ/#?2'H|n=FZ%q./j]1 8tU1ݯ?b@p(eYe f$TYU0$4Ϸ`1+-^QdWcHIA5)(LyU( dRti'UqdVcV)$i۱VX~h߬{/bT"{ `ͿbekG ,|7*l}a^J c?O/}KSq" >_7Ɔ}sŬ~^ݜ)O+*'>ր2,_ӯKb=;WRt>e#<`0V1Vѓ쀁Sd;gS"ai=&=!t/Yf !,_rۆV8[.0&{5^{<_؆qߝo&r9Sj]:WVħOw9It6{~8i ݞ(Ľ.]tȑek(6{6B+1ak8|*m*U@{DR 7t?,ٸ .ξ:IdRk`Tg>ٺ6b Xm $mH0 nIPM2,*à8_ҌVfQO [1 Y]q0BqcP8Ӆid¼,u b݋>T ~>PRXNS|=z (Y͗Kֲ֟b~K72txy>&s{T@gyy`߮2" 4NbY948b姇=EؗT+hkG娓U]9@ Oef ',yh5Mzڲs,]$b8L1imk*E}EY^lS(U*,٦ g Kr24'<wW`-[^4aKGso^v =  "((@+Jߔ@9kg!&ۍ@P'cb)P3x\Wv'$ؑSɩT芧> G4}[ge'}iW-lia p6&$SqbfPNNFS@ ?>.9K<K!z:^㙴"JX( $\RMEQTdYbL5,Lx ~χHI˚9K9, IDAT?]Yɭ7:mޫ,|Si8zً[zYY7o돤c!73$\[cygxrtÊ`lQ-;Cs֫%M2=!k\G߶؝MƳ,l9e!;aG}$%7FU=C-"@";:QEFFuUxLRf^4r 6UEAU7G#IyeۋR%&a4r Kؕ3?\ :&u $J,68jԞbf{̝0_m{Ͽ>W`;QaB>`:˳-\0q.\"klޟ˧3Ƒeq$ӭB45+Z>87[< cB*wM=[b':BwUõ{_"b0z#Sf O[֟~q4z#fcqV g-moj^Qaa!7bR:Gdґ[V{z9eh$ v$L̘"ptthpZbcciѢVCcgd@ olJUs$ VOѠg<ޭjHP*g#wGP<˧TX>};"MF2>ikCT\}7:xDPi؎8jiN΢ UHy\˪Gi2@W,6f+VG]%-6ž Nf0ѡ88SmB{/jckQP$aЩ8 >@psd2<@?z˥+2& '''Fc jh4b4! [6V\C`20: @ U[זbU Ć2@ E.qk@ ą@ D!mV⽺=XLk6-*Tbz,l3 *!zztg'@p[[![\X K2CP9j% b*d1/-r[ovjN|A|73Ŗ*"}رK \Ǝn#zhq+<5qD(, ;-M}hNtp ϱJ8 tA1+D0ƤAab჋QKs/4'lM HB \0>kFq>y*Mqtl/Nr8,ZVJXUJ*EBie3u4f|7IgEEQH7DUb*;OfIÜLS#ڎ}ٳ'o{V@GTY ь2Z;K?%&!G/gr"V3w}Ģv2L)'9K~pF1ZG:("ƷA(#E"ɠj4k_>^mLjN $ji5h426EEe KEԃVCv~]Ei5Wz^ .zM 2坧{8{ZEOҫ;~'lơ7`7~.+OY`z{K˴-lcJm };I^e+Y2kGsa%!1/̼۽.?4z_#N`[ ؔ%Lkkؼu+\*,PϲXڎG|gG3s ػqf>f<#ϽogTP c^싏 *!J/;gfWgQޛQCZ'7,RE!.jUUA$tZmU&0$lDLUQY)bNWvN+#Ke;Nx)Ca MV,6ÛR쮸POo-2>|C1ɻi~'~~^wsgk'dxt1.KW4}Zebj~tjxtnE7н=߱>Na_8$čxiCfnxyo Ξy36><9YIv?洊@pP(Z9U`ED;~[y_I2==]qq46W~]ƞvi#a=g7EZ]-g+Z J64V* CzPhVxcIK0T84OEE#KX6Q"iVm6 EQkhW+/.l'I&-/, = 8CBR!Vp5@C Ο!9Ѵ+Y')&ԅ'7Ќ=KQ˝k`).=>I-{N^ םhķ{j48[jSd t2Cmk*E}EY^tQi+2T8SXÕ_8oJ [9kf`TYul7ZU.8Kꏓ(Y=gD@h?G4}[/df +Xp P8H[{78YbS4iJ7 ) CI30 7}/,ob"ujVy0Ύ 3na<&zn}[d"*" v$ex!xtr<}/|K|YƏvX틉v')Of'gDZJxeh[[jT{*j^>I#pdҾ{I|xz$EgP 7W ν}?ʽ{:$oƎ~w(q%>ˋ:=D] Q&&,o~'1,#Ang!\1ĹX0Wwޗy8"/h\odʌޘ?aqi˰sN'?b6nE+oƫz vD+DCs鲐O?l W?: `NSE|C|'$;W)ϒю½˙2ӅIad\sZ/;}Yrt/кGH z.@* Y~{>ۧ3pLx:}X5`z/dVN)9Ƕr+%e pi;hq9ʀ!Sn9&[9]O /J'ZQ&<ݼ_3ۂsDwCv֝M!It4  )}8}iۼɕxi076U+r SP1]}*n.Gf zjG.4L5W&){T Zq?aj&Ryǿ3 weqЁjy*IE>o`@J\3":si,U]lXuYkl {b2H:N&FD`%R{X' W^Z%0N呞WdvCoDBXMx8o/J[('A])G2kG)0-rME{ZүjvvL˹ й *eAEFf* mࡏRo@SKvrƉB TlṢ;A) Q!FϠ@c*ℳ ם$ wwwn,q1F|]tD$JrF.)igib{%#ד[CY ʑ ώd$iMg M &.DQ4ab qQjƬBQzg6xrT ;>Hh퍀BI|.8f EVMLnXNBNJT+m#I g8O;OM kHJADbI` o›+8]/&GM#HfSgK9I)7?+$,~?IܡU%hAD{d¢  &E 4Vvvvfʧkɣ}4]K/MLLB)("=.7Bز%FnVȶ84k{۷fš~1z\C7C/+y y\.L_Dnb3Sf5Odм~5Z`"*la!,˿Y:Fr֝3Eޟ™J*ʶl})~4.F¼@ ܌ IDATt[m ƑPcH|8_nV('sk.F-6˦('l>Nv$d # (gv1 ߏr-$hzNnTyAClVI'qqT Ƈ_vpYNM(XU,V#$fhͼvo6GΊo(曉qԪ`UYU'aL&̩TQ>={m (Y|\Jm _FzyҴ,8&Ä͕NB-.z=5q,ϼ]\[BSҒMVQu е7GPȴDNk^Gw,ې&k(jcн91g8p^xl@ͽDYȡZS:oܟY+ZXQWKJk$TV'KJx[s<]1 :#\PiJ4:&ʭ*]? k=/ Y~μrv+[ *gkquqvv )յl4(X3m,zμ}߽+CcZr NI~1F1}fG\ 77{_ը=Դ5m\uAX|Wuxb)xbjؠsnM`-[OE_W9R>'s)R48:QEq0x¼fo&+weax:١5HHV\Q* Wc: *4ᆳ3vvvu sgFuyRjKD㻸cܖvN8쨻TX %e=jɀWGXit`4\2=_/Zه9AiwތB$]ţixo<D G-ds K«[RVIxf(:֕½_J3aml.U;ügM 0M_MϯPTd̶Or /~_Ӛ1vG:fCY͎ߵbP۔m+bFr#7 fpUuc:]rqx͔ &ML`~sɽk-3 ]Cy06 NKh42*_ 4Şl&g X:UF&-y,ڔŦf`@;FRskt˦e(:]XAlUΏ\T@[l8iU4j\w]g۹DLW`H]j(Y|]m n${ :%i8yvfCyuk)<7lp&= %㓵{H̑pkͨ)ӸRy;:\ !n'uu}t2  s T,.}|ŊFwI;Yy9.7byw0f}l'R %R62xO?Kj$TIE)2;J:xNYa J֟} (^JJԤ~݆ۋx8ֿߔ j*7瞦8YL9}]w`00ql&}an󽁾T 0Mnx=խC`X:E)*)EA+}U_PT;[#<LjN $jl*Rf+Z" Rsw̩|3.zM⢒RR!}6+_× 6^.ˌr9E]8vekBE[.y]a^×sfaXNa;O1x4ɬ?ײhXB¥g~Q粢=gvW^yOq`".aWKV6}{?=5+d&PxG`ŬxW膜7kY29,QN%٬sqMU2TmEUcS>\egww<厒Jђך-ON޶J uoR vn٣͜Ꮝ{w;bY@A Wߘu|GO@w؅ HVBBdO0|<YЗcj6+OԚ71R-rPO)aq9ʀ!n@;_o0x޷i_e ^:v{%0weN(9`j#y~YSNi+Z >8N>0}(@GȭK O/[ٗ՚Nz1*Qfgժ I:4M•)** 6QlQiedl)1U? KXmXlEe*ddW'qgx F'CCR+yxFvA߾7E{+_nuF>7FBq_+|/KrG'0_[dM}tcܓwOc1νNhz/c"y]쥣J UtWٲDy\.`_=2![M@,S<|#r6y"5?ndbA"VY^Aym=(4+$%*%,b+le!( Z-f+u|+$׆i d/nI&9]Eg-)XG-"/2͔hsNj8SOL[^ȉN *ՇeB Ο("9Ѵ+Y')&V,ֲ)UNS]FWp>fܼwIt{: oy,< Ee(9JsU*6qԭT VΚ|c?wǏgc.t؃~}k{-/Fu FjmScغn<;w(g CY넋Tղ 5tr^w,>o#,{C+Wi!v`WU^ϯw[8~CS*V9x\d=¾>ׄ-wcVtȀtM+6&kSçEU*[8`G2r&ޖܼzb=<j&u@ AxG 纬-SH#[IE'(zRtXJ A!!;h=w/=xsHBIJUߍgּMMPr:O?lZW]c]jWlmU%9XwT粑qїk?%wiv9_dH (0%ESNjU.JgMuJοvglf-B:s"1l]g{ (]StH;ǖ;4+4͏$ڭY͇ j/A+zPs!lbkUZ'cE(~IHFFs4E|9UO:ҹ[!( 頴T.gsutV1[~Od$yN1-v,ǁc  SYB XTse`Ϛɉ-mS^XO'iV|4!5z>u&. M$JF)ANX j48:$I⯓H-NwqV+cӖPKiT^٦PT~YLa ^59^y73s] G4}[ge'}iWb+jÐ;:l@#)MH$ߏ!#kTlJMWT:(;a&?˜lֹ6kVJrfz~yccرf>m6;WkmGxl`ԝpS4GZuH ӞÆl\ȶn ìተڈuiuZlKm8È|ٜLgs?o[3)+w;qⴞ7~?ǧq|gitftd3EEZ7&f(- e !eE<~sQ7s :`eڠk=M0 8fiZE\,qX+ {@/A2zOggKG(:Wb,K:qJz EQegq30ɖ/Lg^l ]q;+8Qrl*K6%T'񄭞q^V͛#d$糿X ~D{3ägwV3x`JL-;Cs֫%M2=!k\G߶aMƳ,l9e8dG߳ K`SUZl nF>]CRKL:i+%g~<)08uLHXl8iqA\İuW,?Bi-+50i"9tYȧLgya0Υ B{.GőNڳc}[>87[< cB*": "zdޚ\E$V Wn"cd7AjܶǭC&܋dIdɼ=_ߗ dxvPbJ5moj^Qaa!7bR:Gdґ[f+VݐAp0ؑ߇O23cnѡiE[+-[WY!Kr* HDhvͳgDt(XVm?Jb(6[ϟ zMaOLI'3ĈPLD@{/jckQP$aЩwbU?T#d$iMg M &.DQ4UchF̈́>9e+$,~?IܡU%hAD{d¢>~@VD{{Eq?[6=J*EH&"Q_sĆb;cDDDTDTzQtHh i$7~U) 5|Hfvws mSx2, O 1܉ȉkz׭9p8h8؆\*_łoo-퍷 BDD䄹(Z:^ړ`5b?Պ8 9)|3mZvGHAga\7)Fp窾Lۏs3@9Wga[IVQ{gL~h: .DDDl&X¦dbe(zRta|4v#wԎZm`oғ&CS{vqU>0^N(^LKCN5|x9:(YY (x}v 0qxdj8" ""r~3qUՑMCrZ_*?z2Ѵcf@$OG6hE{HlΠe!ӭtn~2ey4=Wte"xX{Of& *O*R{E,ژ|v)m41M.i%B맳 "`H˰pmOµE ~h4H_-XLJ9Wf+cIu%N_!½Ig:y|chPոPnHnQ #QL]T7.͛1J0i$>߶, wnwx$w_~j__C fr|}3D5엯b  h:amY)=M ًH_"g"\8+YWgQamφ0pMnrYϏS6s]p]O LXFNZ0p&7FaKD*l;w{WwBcc*S&{C*i'yz'Т+ćan|;\ANdɈ R34Wp77O'qE.@ '{^O|ѫMm}/>݆s 8ڄnz[R=/RK񊹛^F*Y3$;өI(;ʥ?u&rr[ r?^=E_>.Qf=\Xd34y$y6 ](\pQr[Qbϥuh+wr9qJV!EFsI(VOxeUU3.*+]6.1waG.^6LӤYzF8ܧ*-w>݅yѬq${aSEUa50ḭJzA;5&4(//#՜4Yޜy~kލNFG(x홙<.fCmo\Y7Ѓ1>Ues>'_ʗ~Os#9jHtX)g⾰>پ49S- )ۓD.L@I@Ё+`p?0V͵]Rsw߃57KVXjZ9g|JV|t60j~{2}UN7״ =a؀ytlIr4m3SC%yW3rV6). N0Gd7m}ij,ǜ1:/,? IGk7N..YC?Pત <&V<"2ϊp2iE8+x-&ج*XwtE!xۭV$;]8"i S\Jc*uX!4={Slt1ܻY>o{)<.X$yȮ']?Fs(C@sf?!_“O"?xcM)b,y&5b#:`#ic 3H;^np=_KSqIϝR UV)%G:7e1K\g swd֘Q̲3xS P=ܓ!>/`w}WիuK;h7,_"u&Lt3A14y=^'ו04 ~vM$OYݛ.\I|x]|ݵu [r7Yn5"_XLm% |}iҤ+\0X f neI~>($g$rNy誣on^O1X׋uhx|~-ցvE|*4M*+fn4 \M{}*&Knn`1f2M<zyPV2<21M* ߳Z¹yz_ڍzȿ~fKqw͎/- Nǂ:ogP˝|7{ { W קnl'>z ⻍yP['zqާ#GyC9?4≬ې :_P־j㦄@ة{Utm`ͶJ̽ v7}"ƈ=>y$"""rޅ taXYZ r{a<}22J͂bt錜EҞ"88&NC~n76AQy%A> 6yxgNǬ)IJبDGdvOBӃ-hV'b,1d3 ϿŤ٫(;FYw#Zq^/~ ק}7i`3=9OdIDDD V Kiþ5b+ffcf ExyXngyE~""/;J_Z.qecO^eGPbh2<:f`uhp4qyFz\qd>~v17YypSY&6lXI;&㔌0ʟWfyd\O<aT0+hr"܍%Gm@բ?&{N\nfVrq Ef} ͦ-96oor [Ƴ%7qO0MKö=iض'7 'nx_6m[ }0XcJyc khkؑ۾$Cd?_$IDl>m5]攴\4$*`]b6qu8UnP7D0K]BYnY pakiRCeNnXO?6X sK vg-|$~X;6mbݲxY`lZתITVM[bݫ Z7MidXƄW>#1j4 L[ޛ+鎤~,~$}jR_X;eL%[6q^xK1o?MjPOd3<&9onQkMCDY͍3rNB[7fU܍iaQՃ%ϛ qh-%IW\<ʏv9]y9N0x7&ko1w[^cFAD-yƧQ܂>eP#Px>zd(N?" noOWMɻ[ [qmC EnsWpdWyM>z^>(0׌^#ڃqxs#fW 5dŌ<7OS1HV);NQ'(gX>/ $)|3mWQ?}PYX evKܼ)f|6x6AlHLyDNŢ?v?'*..fO뙺mw/rU 7~AY,`zy#55[.oI˖-[hҤy>_ӛMq摺WHJB?;sJ]Nqf)BuUS}+t_?ezb)gвU#n[p>e[0a6%%U-cG;Ԩ΍Bv(a]X2/fѦ 0q9;)[=;($Tݢ,,8nĞ{$g]C>Lޞ8jLME)\vf.qWla\д p\WX{b1pܬܘIJr&C9%__H ⽕9D?} u"³z-RBb9C0 BBB hK2u7 0tWT+3\VT:t(#̈#S7L]uԖ b4=ڄ>fz>?*9'82,\ȫZ2՞\PIץ,XԃKvțWJq$\TU̝VnmpHE5f+cIu%N_!:5osUSz[rͷ2$Eg$]ʎ٢m2&\a }~3QOlc5m df~-8|,XKK/M]:6%4Hu. ztjF\t6Y$ϨZ¬y/cBp(X///:^CupWlyfҀt̕YEDI(-vQ3)L-ňy|w u"KFTՓD|Ocm63c.NIL)l#"a7:;U!Yx7omθo-tNgE;eYoH7]tҝζaBQD3/_)X5bkLOx{qj6&joOy M{mkr =WoZ0ٕk9ܤ"= GҨaag_ؑD˂wۋ %⢺۸eLuZ.DDDob2R0=ogܾņ X1p^ԿkҨTV|9/&IYʏwǃ[ uj/ l!Tkzǧoj2YDDDDD.DDDDDDBDDDDD3-""wuYИZG-""">Y* Qmnv;g)<8=38ϫ7H}!=_80rTޣ/|{ KnQ""rƔmÄKؔLVY,E}][\.Z\4zC!TWZ-mߞ/f܉LӁvAvέO}؁gI|7b3K /qj{Q&t םaQWYQ4/ٕvLX1u⛌>F5Nap-lÈN9,'E #[#  po.n.Gm3Зa_I Bs ֌7@&Hd7u'} y_@^:l9Oશ>XV .ƿ:U]ߪ=6  ] . `=o Jxx(,8*W@µp`+ uG>j=L.x kq/ڭ+TXǪ[æ&V]CȞ7Yp}e7賈vc{}1-<"6 -JDDj%WZM8OÅQz¢ ց-\^OϷ`GfB~)oâd'?w-q-|>$k |oaH 7\|>7j<¤b,XG j8dhv[lgUUaVgR?>/duvB=0!Z.DD1 3YA oE={/尼 zAC `EևFiȊ\~H넭:V_2`V@)^5R3ݗ>WoW~$5y5 V~o' Lv5Qe}>]}{i… [ڻlhr <=σ!={UX w< [MLq?W=LD5{~i1T͆4gX6f7ɜ\_ LlE6ԴzӠ?*&+a:yS!xdh`^-jP˰m\XS<K2y'@!CodLHX]1gjc~lp?~G⓴wǃ[ Տ\n CBj?c]$DDF/qےէ19~:7Sg7x(w7DVɺ+?->"""r֫#W:y lHck߼=ɢkG*nR[x܉{w^aմOUr.*9%XDDDΎɘE/r!""""" """D\nQ""rƔmÄKؔLVY,E}]|VOm#mo ErAkz}"{ɘ˥Qz~;OD.DDoUVgTG4 iyoezR/؁w-3'˫:xcy n:>QGB_%k[ Fz;{|4;ܖ$r8Bʼn:`oifvf) ?Gl㲐 wi,IO)-;%3r@ξ2Ὕ{Q)J>~ nϿ_YS2f=HzSt|;F L%٭OߙZ.DD1əi'[y JHtzG1(kbYnw -6,˦58Cwu-Wi 9tQ|Ʉyq_z Ip`ŁF^.kEPlAUh8s7,:>'Ő}E.T""RX}C i_asH;_C/94BDDj-rp.ꕑݏ:MY~69E8uRD.DDDHX(!-%f9i$dRP fr&4y+6}|ͻ_óE+~ոK-´P6fy3"H8? q9KEsu1_L\ÖMBNݢDDD<—DD-"""""rBDDli9vE QU\XsuK>o}*!"?%""gL9LMIdrQ=Bt~xi>Kfظ3Ds r!""gϨ G .BWxyJ-""r82,\;rHODp v&YS df~-8`-/̦_6Qjt<> *װ6eR4{q W=>o5_K⯛(q׶ ?HTa$7b`ՇMD\HJg'|9x<i;K xlOsNgr:*#ZV2 o$/ X?~FvW o0_At8Ȓc,:Ty7<2d>F"p!""J ?^MmΉk撖ƒp/9+`Ӆ[A۹tGt! ,T6]ڔ&3és6 ]`nN"]q't9 Ҿcb}dDQ(|<ۓ~:hIEz:n v𳃥Q'> wϾ#KEuYqy;ʠp# V?fin[)v<'|fc a(Wc$" """LL޵$| `tL|n>G ͶlXNj-Xhчa+>-xwQ9VCyߩȵsFdžsyV <"#)NJϜDrzoܕK-kOe;+21-Q6 1q8 (g  Ů(\,!=f9i$zWu#V]Elau --/^t-ǂg-+^]~4x"-ydI$k 7 Ygh>Fj̹~1*3ٻуF2p߼PfsFȫ?埴]D@DD'x ɬ1רwYZ0|Eo !VK$q/C~ 2V˃ۘ|msJRZ Gx!cRR֐0ueX4gs*  ~eGܶd2S!"/ 3l&X¦dbe(zߨK-g٢_,zjxG&"p!""R#& <:2i_N;> V¬{VFvҧ@D.DDDNGB_%k[yG071wZ?aE+d…g%->AKI5<]x{{iT5ME+""6lD6(#]/޾||.DoM-""RKLۍw1."p!""r&e9gRQ,'7-R/"#+[W_PUcZ _O;QևJO7V;`ש ˵}&/0*ճƌb5co7F2 eM@^]Pa=\I|x]|ݵu [r7z'X4gs*  ~eGܶd+yqCe({LJ<. a٪3y%Ac"xX'nlgN"Ys!"p!""YCzV!8rrӒI."(2[4_ɜ?ǨiłS~M;r0Q멬Z*s_LxʌDni=XZ^Nl[8$[vW("p!""kL^|aڳƌb5cocx|(>nw{WBԅ5&$]ُjY{ ^N3n &}\c]$DDF/qےէ19~:"" Q  QL\Suf,aSR2Ye2vC0??\_]^rN^VuW;tO,lXyciLu׿swX@oehwfV7/R!jV[:~d][_q7|6*zu ׽i쏣1_e9r}uuj1]tl6f\nL֑9{nMdfsWsR]2bWʻuNO-oթʖ[-lޥ͞WvwU>uXT0tv.;9XM!y:9xן}6}buNj\e1^e3Iu}# jεZPU K J.u͝dtM%%UU wPUUUIjƠ~ֽw%EQJV>^1ҷVzZ'/˦8BIUUMӎfE~r7X2\ 8ςcV D3ŒJ>]k1 7'j!=l.sғlN''ZJ. zZK_drcݫwbbbB t '%(I)*b5U)J׮r%]a1bvB:{D]*υ|c;_}j qb& L=p"SlӹW)9G-xbBp_`.'3bZ57Kwn{,!5rLLLLC{oASo[:XdžpP *0ײC5:94\SB=S*caO=kLtQӦeҲ=Np SI[]C/j?G]0eVX7geZvv0G;{γYE{}SG ^檭`kyP64,>ղ/U_mZg6{~ ت޺2pp/n6WvMR %ea{o_.u]].2nKg@EGmUl5o,ͫ\*SGb 7bW!{#xJJq76[ b.oB dSa7Џ?wGM8>ڪV"]s sNؽ33^sg5.qشvDC£FPGݜtl.%ӳ3:][5гMղ6mޕA;}=m7#c%)[۲U6nXюQ}vcOه.N5ٌ0=[5]w{[:~u<(9=`CZ[|MӴeC JhQE`{}cq wيZV_.YD*3p +tpgcmmmu)pN/.,zg[Ҏic=llY]08BNY7 \E{KN<5o6`GpVk:ښ)Mv{gV?9tsVaUPsVݺ?6)<0Fp1[G]]Un9ÝXsX֭4y9M;XVKtA]<[}|M7=ϦG۳o_e+a[א\˺p\'p_[vSgƈV}4V=qï>&oCی&Zh.o+|clӦhVx.:t.ߩǀ[gxTV`wsT6uxc>G5?l 8cYw~$uAu[Yc`i]s8bz>VoWA:[C!=[SenMԜkv/[ 킭ڽ Z n^-//Nk:-ǻjzxf^JQyU옇v,-.5~nuhz&Z>?,[3_ݵrS<]RElYsM/o|Jssӱ|=@o>o^W|tT6=kVYW~4uA}[]c`koծk<g0*3Hѵ@0jHfުŢb\VCQ;a髓\*_ 3j16;ә"S釀}.uGdo0ͩ{HS^d E!Bɼes>j :>M'ގ6;sP*$ 6 +H># ͛T؛;O髓|FV 8Y\Igr Z3ySSaa R@2N97}H"Upqƾ-#cmX>`1HW0?vrT 1=]e)a9dc1.)yI/[m-8aszMjpc(P)2ݜ;_̤`m3:S`HƟPC>sɔ9~nx8#[SKr!]|#LzTTg?RRΪ9ɃZ˰X)>2}ݗ])IPBU4;?7gDnף7mMkwP 7+- E7,g49p"F@$2JE\m=Hel!` /! T?JŲ%(ci{DZi5uڔIpՒ:KLܢsŦuV 5%Knt|EUgȘeDuA1v;`1H;{`'a dYl;%lu gbS!@)27}L$[{JDL/9O+3v n}TAh:Ԧ6;eO#H[U<|?ljMk5WW`1,n,6u7\W~ݶtձ:wkГƈ0bqhaElu bܻ74=x-4E[|B~wąhSíDlQsvl:ζ*.>AwE# >D\WEͷ!J=DPҎv6V]m!ʶֱ:7r"IcPgxi]&[Eu"_:[VmXZJE?|:wc!c&B}`i%y7bm#J鹻s~YKAnűw(_m;c!?'MWN[\7Jd4DWQD"YMCυtNVg%fXls1*imXFg1H&B"fmpr;368rl 5Xĸ&.~z ?D)tи$ !Nu=r:→O|_2$糎) 5_Ǔ_2'7V6cY4Icr/uQұiO,H/_:4hmجbhvǩk9 u M-o5ҕv[6vN }ZoZmuvO݈Z*kz)wy1,eykSk~}W?Lћ}-v{ʔ>5WMCW">ک sj~yeue݈ߍx.[ [eS.17L-6Ր69}n8-Sl6ݻbbkyz7MS`;cZ|{[Svr#m6fw-?&fsZ7`kyڰV?_nz;f],(C!xyTL+Mgv+sPI6Zpe`Z7a]i<oeU8ƶXk׏=(Z9l7Wobcm2o-s3kvU'G`Wދ#{Sz/lMol.6 +լ`j0kvZJhj-@:޶yO7w6WgnSewӳKj'huAposuiv-tO.nv~Iwp/ Mw{-izODpwsuqfʭ?k[g;`w{smei~f2V鞚_^o[[6gٜޙ#WTן/7,~-V]?:~vliZ50̔esf׷[_⻩C7LoE͑ѭiһ-=7Wf9==tK_,Lh~璒|;\ړ; љį\׆6SxCr6 ՇnȟC\"oHDDDԵ lbQ6yR6 =DD炪CNw]&!ؒS^R0迊"s{饗 ,j/DE*'AB|s)>wF%"ۃTuPfNOq.-ƞ&wq-H巙Dz J!DJw{tf L.s=Td@+ @,}JNC] )R0.rx6b@Eȁ L8WIF]>B巙DT$x~`zo##7-@lu\xPI= XF~wn8ֱV"iDX}ČB퓜ĩi@ "~$QÏzm&Q3%wU XCfX[ExX֋"@2 >טqv~|w:;vAF.{pw~;? ƞ=DEЁ۵ngb\N jXTSGm("$Uˆpk%߭.`9Lle4$3Ճ,ꨳHtz RC> 4F"Q@EN8EgQX2[(Zx~H9޻ KF[jOƬM$xG1FaAMIƭ d,l]V<]?SH|q]Ea,hPD) &uOL@<0e TKZV[]ݦ/{(BjqzCs||nuuV]V{;ZVJM6u/fҁ`a:ڞր?WnrH^Ҧl+\ڮqMU]׵ywmʼm[[}Z[[֖5n<ϘW]oWuI龙Z6vK8V5745muEm~^[\*6ym~Y;8/߻KӚnبi lƍhwZvp[[[fLikkZa\Қl5Ulב6e6m|~cT㼷 PكR957oڨ']ִ5m}]ڗަ9u]ٯ5mղnTη{ꢡ:ͯh%ՖVִCMmJxmM[-mf=K|ڪn@3idͬiV>4کF]-S4wjF61rslͫmkohy-Z1lNyGC\D]ih}](Ύ)mhY{vYv:c*ÖA ̬6k7b):;ujsMth;]d:Ɨ*s5cM+k3mi jW&cve1E lU2?ȰRjUujM;-Ylà CZ4M%㹅Y5`˫A?5O7jϪ[W5ka_x"[՝&L'C*\.]mLHG,Gvfh{ں[5x?+ˆ7\[8f 2aժխrh63:FWI7A=zZѵM'=tÀ  s\= % Bվ?F>m">e IDATc5_ ꅍZαYTs e JɎ>9^^o|j!fWq1r#H6̬!.c1>c|<6>oQL=Loi _6`W1xFhUV+5cߺ.]}c.3ֳoC$ @pBzX{c*?|celPjɡB!%}!;ak_"Ʊ@ ʧUHU T+VdX∧<#83"DqpK`Nzn|J%K!=/} @B[r;W++G!ݛo߇+<׏T>qVι !EzpNo~}RpEѣ2 Q\4R فѝ?TFvϷH#\;)BɦpX +LU岾|cD~%)duUF-"Sxm8P Gȵ& ]K}eE@$b"}ʧ?-U2P1?Z֕qC^=̌'2w?Bb@_&T";ȇ9/Bmcңhz=Ĝ f"槐pX  SQUlǠᅬb-'fG}$>g?<>ݸPU!1)O't }'?GOQņ:[x1. yQ e~{GWϿ֚mN!mLvWu+LZNCR햊iʏA<wyݤJ[F^my0a;Xg\ZeX+MNuE M#%>;;vAڴ.wylZ( rVemkXOvyk*4]{SMjj6v1;5ae=o[TcMk;7v@J(:&4MwwfHȎ?DF)X3IĄ$eKIH(JPD-D}+<AoCF7֦IO/τlGӡa$$I/jtnB2'Eج w@iC?@/b)d"TSh]MJĝ{`N}/x(mUgT9[TO@q&UP;MS)M]inuӀmf}H[Kn;zejyw^ޭ,1cl5~[1.pk|w`cb5[Ã57`N/m-{|%e'\{[ܛ`PY.5hoxwʻ ]֋ejvu{oosi.wSmڜeVNM5߹FS[j{]oh˪iYv8ʚN\i ٞ7mE2""wJ|8$ CJA<G"1K-;itNcw'> HsdЦ[/ūQB|;ޱR}xx|AA %cG? W $D8b2E@{'V!sdlN:`\@G.O䗯_7PwX<ƒON׾otL<{'sT"D͑3P@' م&?bi,j$ 8D9@Ʌ}$RRbsT~j?UZnnoZm"Bw,%c`'L|ɷj!W96"":Z[/a|wB-f{Z'gt_Cr%E76.fzW]Nkz?ڼojp>Dr&%$Ju?[ janS i1I狊"|&| \=q=kSK\6W,uDU2 uu!y8[d@|N՝j+ýElSM+.#Mӎv{鍸1mmf}iioK.@? iG[3N{vZV{g|lNƮ!xlVej4vڝNn7.i4M+t%"4M͛7nvY6 18 'nOKig9iDDp~O)Z Ŝܦ4QlJ>U[|UqOm y IDQZٰ4 Q SQAQ|p2u P2J1 Yeaܙ "qh ?ѩay"Scqg+p#p ̱"w3 ƝӓJƝ"Kdm.<[DDDD#4`|=_ )FDDDӡ7[ /jWZRE> \φ'}URo*]3qO"""jwgKI`RGVk_~;z?N=V>هoXy-!Ϣ]=-e\Iu/ToY]}so`ӥ_aS2T'_{A0鋿e{OEе PEsy-O Gq!Qxb]j_8^~Ճ,ĵOӢhZ[(6O|9|J/>x(]ţO,"{Z@`('C<* L)^?/En'}=O?ya'?I4=a$:NNgm?'DDthç%1\VzJ_·P#t9P۰?QY+Zz?O篾W_MSh4*~6;R1 ⋁ѝ^ .>O~MW`q2ᅯjps׊(>IUmSh:FyoK2y=%8^~=׭LкMy*Rw#рl-"""bEDDD4Bfhk}qeN͍7Ɲ"¢7XԳAp3ظsqD, ;'J; DD#-"""bEDDD4B-@j $@|@v4T$nA)ti=-]%2 @poZ82 (@*i/}\ʷzo$yWEDDD2R1eD V1?  3O۸}EDDDC2 4MJq $v@b/\'ǣߡ=-e&J18[S~LB &9VR=-Fe%&l@t )ppOQ_=-bVT(1 MO@pHtJNNgm?'DDt $>PENPP Ld `lE}O m 67딸E]r'wr/ީ~w?_<;<2 򺞆mȀH C%v)KdGa{Zԥg~x|dEDD]jy . ,XuHԓ.R9 i.j#'-dJ?P=҈j OqQ]f#QWZ6\mbZ,%~@0,_VE$> ܾj+*qDDD4joH Ā Pŋ=.m݌l:<+ |@uMV' pdW;L%""0Ih$UL@uD8$(nwJDDDEDDDD4[DDDD#`hlЄi7oWVܸqcY ",,z#ވN=7cP(4\\FTR|*w.>F$"""![DDDD#4`8 `n ̡fJKM 8*{Ԝ^5oQ+"޶i[DDDt FQ$@}T*G̴EADDDux7 ?EDDD4R-l@k7rBjm@(Z-h > 6gyL j˵XBl@P-*]Y)}S-(d@@(Zp(5-h( XTԶ |#@d>J(p ૺxB-J%p2&`j>4 lHADDDW`+&c 5lI@n \r U,؞ @VBf\wڈjl{@*` <H5[9Bm-YT>a kђv[K+Z`|VHH.Vd/g1Jp{uF屚x'Ih;j9RsVVr!DDDt!>0|`\Z7_ܑ*;ʍJōjO"""" "qȃ.tE5 Ǻgs_8@p,KވDDDT`+ $jM}Jq@ |{IDATX G"mG[٥ Dw]w- <AamP>u_DDDt~ b@6Z@-V8ڛڨTA$jaxqd(ޜ#q`֦&E/ň> ՔV˹C_iڢ6/DJ@8 "" m VT4j~7uSzXZ @x( ->V߷gBrMv_DDDtN݈}+KVBǔ6K>h\hiݭ6H; K>h\z{u! [=Y|B * y㨪C&]N%DDDt~Mh|qeN͍7Ɲ"Vdz͛7ob#v3Q}7\%2m,؝DDDD-"""bEDDD4BF U{͟kW(I U{`;--[/@x9,8MӢ*)HEJz EăN6(2"YWsyΖ H@bԽ$'ĀL-9@RJ_"OO!o#ELA?SZB=-z++)! #&W'x4ğT"9<ѥ3P1qS@wLB- soGƗ=_x4:3^|Wxx E׸G.o'iQWqɿ?D Iס|\JȒ'"t u1. t us)k *2{*ҿi+;.z*y C7hPR0\h[U-X}Qk.ZT_^VDm96]sx*"Qm$ _LwIO%/[1TB_թ%tmӧHe"""AoH Ā=.m݌5Blݺ  1W{J%L H]%0L/}GƊ]+<%1IBӰ&ڈ\V:D;D^.%mSɤ˒T]DdCCl-"""bEDDD4B}6 5Tuqgbшln  v,r7sPhܹ8=TjY "Dhl w{v|"6ފ}~O\_x9WC*a6<炯ڗ[g"@*}r+އ\\+>("""Al),X P~k|\IهsK? Jxǩ*[ .ZB/E=o5&qO"""a(zRqN$:w>^ /x_ƣl*z?̽}rzy}/u_|=Y)I_/wߋ=-n`[ ^E^4GFעɯ o1IsEEx\H}ץ_t3l("""-l \_h}5r(rW/sBIQGXDH("""qٔ?:.¶|¤Wǟ[4tkE 7ޓ~'$LO|ޏKu:ksro''?m>kkqqEγtsۏDDD]hןHg׏ߊ|)0)]OJ{|‚I.MU}i:՗39ʭ7Dp[jDk*O%""QU1ô؇ߑO_ \j@T~"0)6:5>O~MW`Nr5^DJk_%6qDDD4bCx[Wj5Yx9ZE[>B3|q=yxO^TbwJDDD4 [DDDD#`hlЄZ߼ys\Y!Ssƍqg貰8lnXc BIR%LjDDDD#`hlPފ}~O\_x9WC+/{"߽o>'ǐ| >7_tOn09o~Uj>{Z U;[J /?B??_,d+߹%W|WK/J?ۻc68,GBA漸4 Ņ`BhƃjkAd0*`L!ƒ p3\Ob\`<]("p"ي-VHlǟ[ǽwskUZ? s&w + ZװT7ROvr/>cwjf)P4{D32>1+[̯*gg|hFv~Үfk3l⾦-lY{)x*p~)8Y%އŤ~v֮;"ZPsaUsUxBѠԷJGv}MKزk#_sZ(>\<.a/ҏٳu Y=^y!!.k*.y,ѯ0wg!_;nZ3EEWDzC|Y5>>=Qgk܅ϘũQ~3mXfC䶗A3עbJr5ϋ /·[빊{EO_Y|Y['''RdH͌r?r<v7'/-- }|"l":lV+n Ɯ[ \Dpa E-\Dpa EtCOIENDB`why3-1.6.0/doc/images/max_array.dot000066400000000000000000000012011440160026300171030ustar00rootroot00000000000000digraph G { graph [bgcolor=lightgray; rankdir="TB"]; node [margin=0.05,shape=ellipse,style=filled,fillcolor="cyan"]; "entry" [pos="2,3!"]; "L" [pos="2,2!"]; "invariant" [pos="2,1!"]; "cond" [pos="2,0!"]; "do" [pos="0,1!"]; "exit" [pos="4,0!"]; "entry" -> "L" [label=" i <- 0"]; "L" -> "invariant" [label=" m <- a[i]"]; "invariant" -> "cond" [label=" i <- i+1"]; "cond" -> "exit" [label=" i >= n"]; "cond" -> "do" [label=" i < n"]; "do" -> "L" [label=" a[i] > m"; headport=e]; "do" -> "invariant" [label=" a[i] <= m"]; } why3-1.6.0/doc/index.rst000066400000000000000000000021731440160026300150150ustar00rootroot00000000000000The Why3 Platform ================= :Authors: François Bobot, Jean-Christophe Filliâtre, Claude Marché, Guillaume Melquiond, Andrei Paskevich :Version: |version|, March 2023 :Copyright: 2010--2023 University Paris-Saclay, CNRS, Inria .. _U3CAT: http://frama-c.com/u3cat/ .. _Hi-Lite: http://www.open-do.org/projects/hi-lite/ .. _BWare: http://bware.lri.fr/ .. _ProofInUse: http://www.spark-2014.org/proofinuse .. _CoLiS: http://colis.irif.univ-paris-diderot.fr/ .. _VOCal: https://vocal.lri.fr/ This work has been partly supported by the `U3CAT`_ national ANR project (ANR-08-SEGI-021-08), the `Hi-Lite`_ FUI project of the System\@tic competitivity cluster, the `BWare`_ ANR project (ANR-12-INSE-0010), the Joint Laboratory `ProofInUse`_ (ANR-13-LAB3-0007), the `CoLiS`_ ANR project (ANR-15-CE25-0001), and the `VOCaL`_ ANR project (ANR-15-CE25-008). .. toctree:: :maxdepth: 3 :numbered: foreword starting whyml install manpages syntaxref input_formats vcgen exec itp api technical changes zebibliography genindex .. * :ref:`genindex` .. * :ref:`search` .. * :ref:`modindex` why3-1.6.0/doc/input_formats.rst000066400000000000000000000451141440160026300166020ustar00rootroot00000000000000Other Input Formats =================== Why3 can be used to verify programs written in languages other than WhyML. Currently, Why3 supports tiny subsets of C and Python, respectively coined micro-C and micro-Python below. These were designed for teaching purposes. They come with their own specification languages, written in special comments. These input formats are described below. Why3 also supports the format MLCFG, which is an extension of WhyML allowing to define function bodies in an unstructured style, with goto statements. Any Why3 tool (:why3:tool:`why3 prove`, :why3:tool:`why3 ide`, etc.) can be passed a file with a suffix :file:`.c`, :file:`.py` or :file:`.mlcfg`, which triggers the corresponding input format. The input formats for C and Python can also be used in on-line versions of Why3, at http://why3.lri.fr/micro-C/ and http://why3.lri.fr/python/, respectively. .. index:: micro-C .. _format.micro-C: micro-C ------- Micro-C is a valid subset of ANSI C. Hence, micro-C files can be passed to a C compiler. Syntax of micro-C ~~~~~~~~~~~~~~~~~ Logical annotations are inserted in special comments starting with ``//@`` or ``/*@``. In the following grammar, we only use the former kind, for simplicity, but both kinds are allowed. .. productionlist:: micro-C file: `decl`* decl: `c_include` | `c_function` | `logic_declaration` c_include: "#include" "<" file-name ">" Directives ``#include`` are ignored during the translation to Why3. They are allowed anyway, such that a C source code using functions such as ``printf`` (see below) is accepted by a C compiler. .. rubric:: Function definition .. productionlist:: micro-C c_function: `return_type` identifier "(" `params`? ")" `spec`* `block` return_type: "void" | "int" params: `param` ("," `param`)* param: "int" identifier | "int" identifier "[]" .. rubric:: Function specification .. productionlist:: micro-C spec: "//@" "requires" `term` ";" : | "//@" "ensures" `term` ";" : | "//@" "variant" `term` ("," `term`)* ";" .. rubric:: C expression .. productionlist:: micro-C expr: integer-literal | string-literal : | identifier | identifier ( "++" | "--" ) | ( "++" | "--" ) identifier : | identifier "[" `expr` "]" : | identifier "[" `expr` "]" ( "++" | "--") : | ( "++" | "--") identifier "[" `expr` "]" : | "-" `expr` | "!" `expr` : | `expr` ( "+" | "-" | "*" | "/" | "%" | "==" | "!=" | "<" | "<=" | ">" | ">=" | "&&" | "||" ) `expr` : | identifier "(" (`expr` ("," `expr`)*)? ")" : | "scanf" "(" '"%d"' "," "&" identifier ")" : | "(" `expr` ")" .. rubric:: C statement .. productionlist:: micro-C stmt: ";" : | "return" `expr` ";" : | "int" identifier ";" : | "int" identifier "[" `expr` "]" ";" : | "break" ";" : | "if" "(" `expr` ")" `stmt` : | "if" "(" `expr` ")" `stmt` "else" `stmt` : | "while" "(" `expr` ")" `loop_body` : | "for" "(" `expr_stmt` ";" `expr` ";" `expr_stmt` ")" `loop_body` : | `expr_stmt` ";" : | `block` : | "//@" "label" identifier ";" : | "//@" ( "assert" | "assume" | "check" ) `term` ";" block: "{" `stmt`* "}" expr_stmt: "int" identifier "=" `expr` : | identifier `assignop` `expr` : | identifier "[" `expr` "]" `assignop` `expr` : | `expr` assignop: "=" | "+=" | "-=" | "*=" | "/=" loop_body: `loop_annot`* `stmt` : | "{" `loop_annot`* `stmt`* "}" loop_annot: "//@" "invariant" `term` ";" : | "//@" "variant" `term` ("," `term`)* ";" Note that the syntax for loop bodies allows the loop annotations to be placed either before the block or right at the beginning of the block. .. rubric:: Logic declarations .. productionlist:: micro-C logic_declaration: "//@" "function" "int" identifier "(" `params` ")" ";" : | "//@" "function" "int" identifier "(" `params` ")" "=" `term` ";" : | "//@" "predicate" identifier "(" `params` ")" ";" : | "//@" "predicate" identifier "(" `params` ")" "=" `term` ";" : | "//@" "axiom" identifier ":" `term` ";" : | "//@" "lemma" identifier ":" `term` ";" : | "//@" "goal" identifier ":" `term` ";" Logic functions are limited to a return type ``int``. .. rubric:: Logical term .. productionlist:: micro-C term: identifier : | integer-literal : | "true" : | "false" : | "(" `term` ")" : | `term` "[" `term` "]" : | `term` "[" `term` "<-" `term` "]" : | "!" `term` : | "old" "(" `term` ")" : | "at" "(" `term` "," identifier ")" : | "-" `term` : | `term` ( "->" | "<->" | "||" | "&&" ) `term` : | `term` ( "==" | "!=" | "<" | "<=" | ">" | ">=" ) `term` : | `term` ( "+" | "-" | "*" | "/" | "% ) `term` : | "if" `term` "then" `term` "else `term` : | "let" identifier "=" `term` "in" `term` : | ( "forall" | "exists" ) `binder` ("," `binder`)* "." `term` : | identifier "(" (`term` ("," `term`)*)? ")" binder: identifier : | identifier "[]" Built-in functions and predicates ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ .. rubric:: C code * ``scanf`` is limited to the syntax ``scanf("%d", &x)``. * ``printf`` is limited to ``printf(string-literal, expr1, ..., exprn)``. The string literal should contain exactly ``n`` occurrences of ``%d`` (not checked by Why3). * ``rand()`` returns a pseudo-random integer in the range ``0`` to ``RAND_MAX`` inclusive. .. rubric:: Logic * ``int length(int a[])`` returns the length of array ``a``. * ``int occurrence(int v, int a[])`` returns the number of occurrences of the value ``v`` in array ``a``. .. index:: Python .. _format.micro-Python: micro-Python ------------ Micro-Python is a valid subset of Python 3. Hence, micro-Python files can be passed to a Python interpreter. Syntax of micro-Python ~~~~~~~~~~~~~~~~~~~~~~ Notation: In the grammar of micro-Python given below, special symbols ``NEWLINE``, ``INDENT``, and ``DEDENT`` mark an end of line, the beginning of a new indentation block, and its end, respectively. Logical annotations are inserted in special comments starting with ``#@``. .. productionlist:: microPython file: `decl`* decl: `py_import` | `py_constant` | `py_function` | `stmt` | `logic_declaration` py_import: "from" identifier "import" identifier ("," identifier)* NEWLINE Directives ``import`` are ignored during the translation to Why3. They are allowed anyway, such that a Python source code using functions such as ``randint`` is accepted by a Python interpreter (see below). .. rubric:: Constant definition .. productionlist:: microPython py_constant: "#@" "constant" NEWLINE identifier "=" `expr` NEWLINE .. rubric:: Function definition .. productionlist:: microPython py_function: `logic_def`? "def" identifier "(" `params`? ")" `return_type`? ":" NEWLINE INDENT `spec`* `stmt`* DEDENT params: `param` ("," `param`)* param: identifier (":" `py_type`)? return_type: "->" `py_type` py_type: identifier ("[" `py_type` ("," `py_type`)* "]")? : | "'" identifier .. rubric:: Function specification .. productionlist:: microPython logic_def: "#@" "function" NEWLINE spec: "#@" "requires" `term` NEWLINE : | "#@" "ensures" `term` NEWLINE : | "#@" "variant" `term` ("," `term`)* NEWLINE .. rubric:: Python expression .. productionlist:: microPython expr: "None" | "True" | "False" | integer-literal | string-literal : | identifier : | identifier "[" `expr` "]" : | "-" `expr` | "not" `expr` : | `expr` ( "+" | "-" | "*" | "//" | "%" | "==" | "!=" | "<" | "<=" | ">" | ">=" | "and" | "or" ) `expr` : | identifier "(" (`expr` ("," `expr`)*)? ")" : | `expr` ("," `expr`)+ : | "[" (`expr` ("," `expr`)*)? "]" : | `expr` "if" `expr` "else" `expr` : | "(" `expr` ")" .. rubric:: Python statement .. productionlist:: microPython stmt: `simple_stmt` NEWLINE : | "if" `expr` ":" `suite` `else_branch` : | "while" `expr` ":" `loop_body` : | "for" identifier "in" `expr` ":" `loop_body` else_branch: /* nothing */ : | "else:" `suite` : | "elif" `expr` ":" `suite` `else_branch` suite: `simple_stmt` NEWLINE : | NEWLINE INDENT `stmt` `stmt`* DEDENT simple_stmt: `expr` : | "return" `expr` : | identifier "=" `expr` : | identifier "[" `expr` "]" "=" `expr` : | "break" : | "#@" "label" identifier : | "#@" ( "assert" | "assume" | "check" ) `term` loop_body: `simple_stmt` NEWLINE : | NEWLINE INDENT `loop_annot`* `stmt` `stmt`* DEDENT loop_annot: "#@" "invariant" `term` NEWLINE : | "#@" "variant" `term` ("," `term`)* NEWLINE .. rubric:: Logic declaration .. productionlist:: microPython logic_declaration: "#@" "function" identifier "(" `params` ")" `return_type`? ("variant" "{" `term` "}")? ("=" `term`)? NEWLINE : | "#@" "predicate" identifier "(" `params` ")" ("=" `term`)? NEWLINE : | "#@" "axiom" identifier ":" `term` NEWLINE : | "#@" "lemma" identifier ":" `term` NEWLINE Note that logic functions and predicates cannot be given definitions. Yet, they can be axiomatized, using toplevel ``assume`` statements. .. rubric:: Logical term .. productionlist:: microPython term: identifier : | integer-literal : | "None" : | "True" : | "False" : | "(" `term` ")" : | `term` "[" `term` "]" : | `term` "[" `term` "<-" `term` "]" : | "not" `term` : | "old" "(" `term` ")" : | "at" "(" `term` "," identifier ")" : | "-" `term` : | `term` ( "->" | "<->" | "or" | "and" | "by" | "so" ) `term` : | `term` ( "==" | "!=" | "<" | "<=" | ">" | ">=" ) `term` : | `term` ( "+" | "-" | "*" | "//" | "%" ) `term` : | "if" `term` "then" `term` "else `term` : | "let" identifier "=" `term` "in" `term` : | ( "forall" | "exists" ) param ("," param)* "." `term` : | identifier "(" (`term` ("," `term`)*)? ")" Built-in functions and predicates ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ .. rubric:: Python code * built-in function ``pow`` over integers * ``len(l)`` returns the length of list ``l``. * ``int(input())`` reads an integer from standard input. * ``range(l, u)`` returns the list of integers from ``l`` inclusive to ``u`` exclusive. In particular, ``for x in range(l, u):`` is supported. * ``randint(l, u)`` returns a pseudo-random integer in the range ``l`` to ``u`` inclusive. .. rubric:: Logic * ``len(l)`` returns the length of list ``l``. * ``occurrence(v, l)`` returns the number of occurrences of the value ``v`` in list ``l``. Limitations ~~~~~~~~~~~ Python lists are modeled as arrays, whose size cannot be modified. .. index:: CFG .. _format.CFG: MLCFG ----- The MLCFG language is an experimental extension of the regular WhyML language, in which the body of program functions can be coded using labelled blocks and goto statements. MLCFG can be used to encode algorithms which are presented in an unstructured fashion. It can also be used as a target for encoding unstructured programming languages in Why3, for example assembly code. Syntax of the MLCFG language ~~~~~~~~~~~~~~~~~~~~~~~~~~~~ The MLCFG syntax is an extension of the regular WhyML syntax. Every WhyML declaration is allowed, plus an additional declaration of program function of the following form, introduced by keywords ``let cfg``: .. parsed-literal:: let cfg *f* (*x*:sub:`1`: *t*:sub:`1`) ... (*x*:sub:`n`: *t*:sub:`n`): *t* requires { *Pre* } ensures { *Post* } = var *y*:sub:`1`: *u*:sub:`1`; ... var *y*:sub:`k`: *u*:sub:`k`; { *instructions*; *terminator* } *L*:sub:`1` { *instructions*:sub:`1`; *terminator*:sub:`1` } ... *L*:sub:`j` { *instructions*:sub:`j`; *terminator*:sub:`j` } It defines a program function *f*, with the usual syntax for its contract. The difference is the body, which is made of a sequence of declarations of mutable variables with their types, an initial block, composed of a zero or more instructions followed by a terminator, and a sequence of other blocks, each denoted by a label (:math:`L_1 \ldots L_j` above). The instructions are semi-colon separated sequences of regular WhyML expressions of type ``unit``, excluding ``return`` or ``absurd`` expressions, or code invariants: - a code invariant: :samp:`invariant {I} \\{ {t} }` where *I* is a name and *t* a predicate. It is similar to an assert expression, meaning that *t* must hold when execution reaches this statement. Additionally, it acts as a cut in the generation of VC, similarly to a loop invariant. See example below. Each block is ended by one of the following terminators: - a ``goto`` statement: :samp:`goto {L}` where *L* is one of the labels of the other blocks. It instructs to continue execution at the given block. - a ``switch`` statement, of the form .. parsed-literal:: switch (*e*) | *pat*:sub:`1` -> *terminator*:sub:`1` ... | *pat*:sub:`k` -> *terminator*:sub:`k` end - a ``return`` statement: :samp:`return {expr}` - an ``absurd`` statement: indicating that this block should be unreachable. The extension of syntax is described by the following rules. .. productionlist:: CFG file: `module`* module: "module" `:ident` `decl`* "end" decl: "let" "cfg" `cfg_fundef` : | "let" "rec" "cfg" `cfg_fundef` ("with" `cfg_fundef`)* : | "scope" `:ident` `decl`* "end" cfg_fundef: `:ident` `:binder`+ : `:type` `:spec` "=" `vardecl`* "{" `block` "}" `labelblock`* vardecl: "var" `:ident`* ":" `:type` ";" | "ghost" "var" `:ident`* ":" `:type` ";" block: (`instruction` ";")* `terminator` labelblock: `:ident` "{" `block` "}" instruction: `:expr` : | "invariant" `:ident` "{" `:term` "}" terminator: : | "return" `:expr` : | "absurd" : | "goto" `:ident` : | "switch" "(" `:expr` ")" `switch_case`* "end" switch_case: "|" `:pattern` "->" `terminator` An example ~~~~~~~~~~ The following example is directly inspired from the documentation of the ANSI C Specification Language (See :cite:`baudin18acsl`, Section 2.4.2 Loop invariants, Example 2.27). It is itself inspired from the first example of Knuth's MIX language, for which formal proofs were first investigated by J.-C. Filliâtre in 2007 (:cite:`filliatre07mix`), and also revisited by T.-M.-T. Nguyen in her PhD thesis in 2012 (:cite:`nguyen12phd`, Section 9.5 Translation from a CFG to Why, page 115). This example aims at computing the maximum value of an array of integers. Its code in C is given below. .. code-block:: C /*@ requires n >= 0 && \valid(a,0,n); @ ensures \forall integer j ; 0 <= j < n ==> \result >= a[j]); @*/ int max_array(int a[], int n) { int m, i = 0; goto L; do { if (a[i] > m) { L: m = a[i]; } /*@ invariant @ 0 <= i < n && \forall integer j ; 0 <= j <= i ==> m >= a[j]); @*/ i++; } while (i < n); return m; } The code can be viewed as a control-flow graph as shown in :numref:`fig.cfg.max_array`. .. graphviz:: images/max_array.dot :caption: Control-flow graph of the ``max_array`` function. :name: fig.cfg.max_array Below is a version of this code in the MLCFG language, where label ``L`` corresponds to node ``L``, label ``L1`` to node ``invariant``, label ``L2`` to node ``do``. .. code-block:: whyml let cfg max_array (a:array int) : (max: int, ghost ind:int) requires { length a > 0 } ensures { 0 <= ind < length a } ensures { forall j. 0 <= j < length a -> a[ind] >= a[j] } = var i m: int; ghost var ind: int; { i <- 0; goto L } L { m <- a[i]; ind <- i; goto L1 } L1 { invariant i_bounds { 0 <= i < length a }; invariant ind_bounds { 0 <= ind < length a }; invariant m_and_ind { m = a[ind] }; invariant m_is_max { forall j. 0 <= j <= i -> m >= a[j] }; (* yes, j <= i, not j < i ! *) i <- i + 1; switch (i < length a) | True -> goto L2 | False -> return (m, ind) end } L2 { switch (a[i] > m) | True -> goto L | False -> goto L1 end } The consecutive invariants act as a single cut in the generation of VCs. Error messages ~~~~~~~~~~~~~~ The translation from the MLCFG language to regular WhyML code may raise the following errors. - “cycle without invariant”: in order to perform the translation, any cycle on the control-flow graph must contain at least one ``invariant`` clause. It corresponds to the idea that any loop must contain a loop invariant. - “cycle without invariant (starting from `I`)”: same error as above, except that the cycle was not reachable from the start of the function body, but from the other ``invariant`` clause named :math:`I`. - “label `L` not found for goto”: there is a ``goto`` instruction to a non-existent label. - “unreachable code after goto”: any code occurring after a ``goto`` statement is unreachable and is not allowed. - “unsupported: trailing code after switch”: see limitations below. Current limitations ~~~~~~~~~~~~~~~~~~~ - There is no way to prove termination. - New keywords ``cfg``, ``goto``, ``switch``, and ``var`` cannot be used as regular identifiers anymore. - Trailing code after ``switch`` is not supported. In principle, it should be possible to have a ``switch`` with type ``unit`` and to transfer the execution to the instructions after the ``switch`` for branches not containing ``goto``. This is not yet supported. A workaround is to place the trailing instructions in another block and pose an extra ``goto`` to this block in all the branches that do not end with a ``goto``. - Conditional statements ``if e then i1 else i2`` are not yet supported, but can be simulated with ``switch (e) | True -> i1 | False -> i2 end``. Alternative translation scheme: Stackify ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ An alternative translation scheme from MLCFG to regular WhyML can be triggered by putting the attribute :why3:attribute:`[@cfg:stackify]` on a function. This method attempts to recover a more structured program body, reconstructing loops when possible. Subregion analysis ~~~~~~~~~~~~~~~~~~ Additional invariants on the generated WhyML code can be inferred by putting the attribute :why3:attribute:`[@cfg:subregion_analysis]` on a function. These invariants are derived by a static analysis of the subregions that are never modified in a loop. why3-1.6.0/doc/install.rst000066400000000000000000000320131440160026300153500ustar00rootroot00000000000000.. _sec.install: Compilation, Installation ========================= .. program:: why3 Installing Why3 --------------- Installation via Opam ~~~~~~~~~~~~~~~~~~~~~ The simplest way to install Why3 is via Opam, the OCaml package manager. It is as simple as :: opam install why3 Then jump to :numref:`sec.provers` to install external provers. Why3 also provides a graphical user interface (see :numref:`sec.gui` and :numref:`sec.ideref`), which can be installed using :: opam install why3-ide Finally, the Opam package ``why3-coq`` provides realizations of Why3's standard library, which are useful for doing interactive proofs using the Coq formal system (see :numref:`chap.itp`). Installation via Docker ~~~~~~~~~~~~~~~~~~~~~~~ Instead of compiling Why3, one can also execute a precompiled version (for *amd64* architecture) using Docker. The image containing Why3 as well as a few provers can be recovered using .. parsed-literal:: docker pull registry.gitlab.inria.fr/why3/why3:|release| docker tag registry.gitlab.inria.fr/why3/why3:|release| why3 Let us suppose that there is a file :file:`foo.mlw` in your current directory. If you want to verify it using Z3, you can type .. code-block:: shell docker run --rm --volume `pwd`:/data --workdir /data why3 prove foo.mlw -P z3 If you want to verify :file:`foo.mlw` using the graphical user interface, the invocation is slightly more complicated as the containerized application needs to access your X server: .. code-block:: shell docker run --rm --network host --user `id -u` --volume $HOME/.Xauthority:/home/guest/.Xauthority --env DISPLAY=$DISPLAY --volume `pwd`:/data --workdir /data why3 ide foo.mlw It certainly makes sense to turn this command line into a shell script for easier use: .. code-block:: shell #!/bin/sh exec docker run --rm --network host --user `id -u` --volume $HOME/.Xauthority:/home/guest/.Xauthority --env DISPLAY=$DISPLAY --volume `pwd`:/data --workdir /data why3 "$@" It is also possible to run the graphical user interface from within a web browser, thus alleviating the need for a X server. To do so, just set the environment variable ``WHY3IDE`` to ``web`` and publish port 8080: .. code-block:: shell docker run --rm -p 8080:8080 --env WHY3IDE=web --user `id -u` --volume `pwd`:/data --workdir /data why3 ide foo.mlw You can now point your web browser to http://localhost:8080/. As before, this can be turned into a shell script for easier use: .. code-block:: shell #!/bin/sh exec docker --rm -p 8080:8080 --env WHY3IDE=web --user `id -u` --volume `pwd`:/data --workdir /data why3 "$@" Installation from sources ~~~~~~~~~~~~~~~~~~~~~~~~~ In short, installation from sources proceeds as follows. :: ./configure make make install After unpacking the distribution, go to the newly created directory |whypath|. Compilation must start with a configuration phase which is run as :: ./configure This analyzes your current configuration and checks if requirements hold. Compilation requires: - The Objective Caml compiler. It is available as a binary package for most Unix distributions. For Debian-based Linux distributions, you can install the packages :: ocaml ocaml-native-compilers It is also installable from sources, downloadable from the site http://caml.inria.fr/ocaml/ For some of the Why3 tools, additional OCaml libraries are needed: - For the graphical interface, the LablGtk3 library is needed. It provides OCaml bindings of the GTK3 graphical library. For Debian-based Linux distributions, you can install the packages :: liblablgtk3-ocaml-dev liblablgtksourceview3-ocaml-dev It is also installable from sources, available from the site https://garrigue.github.io/lablgtk/ If you want to use the Coq realizations (:numref:`sec.realizations`), then Coq has to be installed before Why3. Look at the summary printed at the end of the configuration script to check if Coq has been detected properly. Similarly, in order to use PVS (:numref:`sec.pvs`) or Isabelle (:numref:`sec.isabelle`) to discharge proofs, PVS and Isabelle must be installed before Why3. You should check that those proof assistants are correctly detected by the :file:`configure` script. When configuration is finished, you can compile Why3. :: make Installation is performed (as super-user if needed) using :: make install Installation can be tested as follows: #. install some external provers (see :numref:`sec.provers` below) #. run :why3:tool:`why3 config` #. run some examples from the distribution, e.g., you should obtain the following (provided the required provers are installed on your machine): .. code-block:: console $ cd examples $ why3 replay logic/scottish-private-club 1/1 (replay OK) $ why3 replay same_fringe 18/18 (replay OK) Local use, without installation ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^ Installing Why3 is not mandatory. It can be configured in a way such that it can be used from its compilation directory: :: ./configure --enable-local make The Why3 executable files are then available in the subdirectory :file:`bin/`. This directory can be added to your :envvar:`PATH`. .. _sec.installlib: Installation of the Why3 API ^^^^^^^^^^^^^^^^^^^^^^^^^^^^ By default, the Why3 API is not installed. It can be installed using :: make byte opt make install-lib Beware that if your OCaml installation relies on Opam installed in your own user space, then ``make install-lib`` should *not* be run as super-user. Removing installation ^^^^^^^^^^^^^^^^^^^^^ Removing installation can be done using :: make uninstall make uninstall-lib .. _sec.provers: Installing External Provers --------------------------- Why3 can use a wide range of external theorem provers. These need to be installed separately, and then Why3 needs to be configured to use them. There is no need to install automatic provers, e.g., SMT solvers, before compiling and installing Why3. For installation of external provers, please refer to the specific section about provers from http://why3.lri.fr/. (If you have installed Why3 via Opam, note that you can install the SMT solver Alt-Ergo via Opam as well.) Once you have installed a prover, or a new version of a prover, you have to run the following command: :: why3 config It scans your :envvar:`PATH` for provers and updates your configuration file (see :numref:`sec.why3config`) accordingly. Multiple versions of the same prover ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ Why3 is able to use several versions of the same prover, e.g., it can use both CVC4 1.4 and CVC4 1.5 at the same time. The automatic detection of provers looks for typical names for their executable command, e.g., :program:`cvc4` for CVC3. However, if you install several versions of the same prover it is likely that you would use specialized executable names, such as :program:`cvc4-1.4` or :program:`cvc4-1.5`. If needed, the command :why3:tool:`why3 config add-prover` can be used to specify names of prover executables: :: why3 config add-prover CVC4 /usr/local/bin/cvc4-dev cvc4-dev The first argument (here ``CVC4``) must be one of the known provers. The list of these names can be obtained using :why3:tool:`why3 config list-supported-provers`. They can also be found in the file :file:`provers-detection-data.conf`, typically located in :file:`/usr/local/share/why3` after installation. See :numref:`sec.proverdetectiondata` for details. .. _sec.uninstalledprovers: Session update after prover upgrade ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ If you happen to upgrade a prover, e.g., installing CVC4 1.5 in place of CVC4 1.4, then the proof sessions formerly recorded will still refer to the old version of the prover. If you open one such a session with the GUI, and replay the proofs, a popup window will show up for asking you to choose between three options: - Keep the former proof attempts as they are, with the old prover version. They will not be replayed. - Remove the former proof attempts. - Upgrade the former proof attempts to an installed prover (typically an upgraded version). The corresponding proof attempts will become attached to this new prover, and marked as obsolete, to make their replay mandatory. If a proof attempt with this installed prover is already present the old proof attempt is just removed. Note that you need to invoke again the replay command to replay those proof attempts. - Copy the former proofs to an installed prover. This is a combination of the actions above: each proof attempt is duplicated, one with the former prover version, and one for the new version marked as obsolete. Notice that if the prover under consideration is an interactive one, then the copy option will duplicate also the edited proof scripts, whereas the upgrade-without-copy option will just reuse the former proof scripts. Your choice between the three options above will be recorded, one for each prover, in the Why3 configuration file. Within the GUI, you can discard these choices via the :menuselection:`Files --> Preferences` dialog: just click on one choice to remove it. Outside the GUI, the prover upgrades are handled as follows. The :why3:tool:`replay` command will take into account any prover upgrade policy stored in the configuration. The :why3:tool:`session` command performs move or copy operations on proof attempts in a fine-grained way, using filters, as detailed in :numref:`sec.why3session`. .. _sec.installeditormodes: Editing WhyML Sources --------------------- The Why3 distributions come with some configuration files for Emacs and for Vim. These files are typically installed in the shared data directory, which is given by :option:`why3 --print-datadir`. Emacs ~~~~~ The Why3 distributions come with a mode for Emacs in a file :file:`why3.el`. That file is typically found in sub-directory :file:`emacs`. Under OPAM, this file is installed in a shared directory :file:`emacs/site-lisp` for all OPAM packages. Here is a sample Emacs-Lisp code that can be added to your :file:`.emacs` configuration file. .. code-block:: lisp (setq why3-share (if (boundp 'why3-share) why3-share (ignore-errors (car (process-lines "why3" "--print-datadir"))))) (setq why3el (let ((f (expand-file-name "emacs/why3.elc" why3-share))) (if (file-readable-p f) f (let ((f (expand-file-name "emacs/site-lisp/why3.elc" opam-share))) (if (file-readable-p f) f nil))))) (when why3el (require 'why3) (autoload 'why3-mode why3el "Major mode for Why3." t) (setq auto-mode-alist (cons '("\\.mlw$" . why3-mode) auto-mode-alist))) Vim ~~~ Some configuration files are present in the share data directory, under sub-directory :file:`vim`. .. _sec.installshellmodes: Shells Auto-completion for Why3 ------------------------------- Some configuration files for shells are distributed in the shared data directory, which is given by :option:`why3 --print-datadir`. There are configuration files for ``bash`` and ``zsh``. The configuration for ``bash`` can be made from Why3 sources using :: sudo make install-bash or directly doing :: sudo /usr/bin/install -c `why3 --print-datadir`/bash/why3 /etc/bash_completion.d .. _sec.installinferloop: Inference of Loop Invariants ---------------------------- This section shows how to install *infer-loop*, an utility based on *abstract interpretation* to infer loop invariants :cite:`baudin17`. This is still work in progress and many features are still very limited. The ``infer-loop`` utility has the following OCaml dependencies. - ``apron``: can be installed using ``opam``. - ``camllib``: can be installed using ``opam``. - ``fixpoint``: follow instructions below. The ``apron`` and ``camllib`` libraries can be installed using ``opam``. The ``fixpoint`` library is not available in ``opam``, but it can be easily compiled and installed using the source code. The following commands are just an example of how the library can be compiled and installed, and can be performed in any directory. .. code-block:: shell svn co svn://scm.gforge.inria.fr/svnroot/bjeannet/pkg/fixpoint cd fixpoint/trunk/ cp Makefile.config.model Makefile.config # if required make modifications to Makefile.config make all # compiles make install # uses ocamlfind to install the library By default the *infer-loop* mechanism is not compiled and integrated with Why3. So, once the dependencies above are installed, the configuration script of Why3 should enable the compilation of the ``infer-loop`` utility. This can be done by passing to the Why3 configure script the ``--enable-infer`` flag, as follows: .. code-block:: console $ ./configure --enable-infer ... Summary ----------------------------------------- Components Invariant inference(exp): yes ... The line ``Invariant inference(exp)`` indicates whether the dependencies are correctly installed and whether the flag mentioned above was selected. After the compilation, the loop inference mechanism should be available. See :numref:`sec.runwithinferloop` for more details. why3-1.6.0/doc/itp.rst000066400000000000000000000265711440160026300145120ustar00rootroot00000000000000.. _chap.itp: Interactive Proof Assistants ============================ Using an Interactive Proof Assistant to Discharge Goals ------------------------------------------------------- Instead of calling an automated theorem prover to discharge a goal, Why3 offers the possibility to call an interactive theorem prover instead. In that case, the interaction is decomposed into two distinct phases: - Edition of a proof script for the goal, typically inside a proof editor provided by the external interactive theorem prover; - Replay of an existing proof script. An example of such an interaction is given in the :ref:`tutorial section `. Some proof assistants offer more than one possible editor, e.g., a choice between the use of a dedicated editor and the use of the Emacs editor and the ProofGeneral mode. Selection of the preferred mode can be made in :menuselection:`File --> Preferences`, under the :guilabel:`Editors` tab. .. _sec.realizations: Theory Realizations ------------------- Given a Why3 theory, one can use a proof assistant to make a *realization* of this theory, that is to provide definitions for some of its uninterpreted symbols and proofs for some of its axioms. This way, one can show the consistency of an axiomatized theory and/or make a connection to an existing library (of the proof assistant) to ease some proofs. Generating a realization ~~~~~~~~~~~~~~~~~~~~~~~~ Generating the skeleton for a theory is done by passing to the :why3:tool:`realize` command a driver suitable for realizations, the names of the theories to realize, and a target directory. :: why3 realize -D path/to/drivers/prover-realize.drv -T env_path.theory_name -o path/to/target/dir/ The theory is looked into the files from the environment, e.g., the standard library. If the theory is stored in a different location, option :option:`why3 -L` should be used. The name of the generated file is inferred from the theory name. If the target directory already contains a file with the same name, Why3 extracts all the parts that it assumes to be user-edited and merges them in the generated file. Note that Why3 does not track dependencies between realizations and theories, so a realization will become outdated if the corresponding theory is modified. It is up to the user to handle such dependencies, for instance using a :file:`Makefile`. .. index:: driver file Using realizations inside proofs ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ If a theory has been realized, the Why3 printer for the corresponding prover will no longer output declarations for that theory but instead simply put a directive to load the realization. In order to tell the printer that a given theory is realized, one has to add a :why3:meta:`realized_theory` meta declaration in the corresponding theory section of the driver. :: theory env_path.theory_name meta "realized_theory" "env_path.theory_name", "optional_naming" end The first parameter is the theory name for Why3. The second parameter, if not empty, provides a name to be used inside generated scripts to point to the realization, in case the default name is not suitable for the interactive prover. .. index:: configuration file Shipping libraries of realizations ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ While modifying an existing driver file might be sufficient for local use, it does not scale well when the realizations are to be shipped to other users. Instead, one should create two additional files: a configuration file that indicates how to modify paths, provers, and editors, and a driver file that contains only the needed :why3:meta:`realized_theory` meta declarations. The configuration file should be as follows. :: [main] loadpath="path/to/theories" [prover_modifiers] name="Coq" option="-R path/to/vo/files Logical_directory" driver="path/to/file/with/meta.drv" [editor_modifiers coqide] option="-R path/to/vo/files Logical_directory" [editor_modifiers proofgeneral-coq] option="--eval \"(setq coq-load-path (cons '(\\\"path/to/vo/files\\\" \ \\\"Logical_directory\\\") coq-load-path))\"" This configuration file can be passed to Why3 thanks to the :option:`why3 --extra-config` option. .. index:: Coq proof assistant, proof assistant; Coq .. _sec.coq: Coq --- This section describes the content of the Coq files generated by Why3 for both proof obligations and theory realizations. When reading a Coq script, Why3 is guided by the presence of empty lines to split the script, so the user should refrain from removing empty lines around generated blocks or adding empty lines inside them. #. The header of the file contains all the library inclusions required by the driver file. Any user-made changes to this block will be lost when the file is regenerated by Why3. This part starts with ``(* This file is generated by ... *)``. #. Abstract logic symbols are assumed with the vernacular directive ``Parameter``. Axioms are assumed with the ``Axiom`` directive. When regenerating a script, Why3 assumes that all such symbols have been generated by a previous run. As a consequence, the user should not introduce new symbols with these two directives, as they would be lost. #. Definitions of functions and inductive types in theories are printed in a block that starts with ``(* Why3 assumption *)``. This comment should not be removed; otherwise Why3 will assume that the definition is a user-defined block. #. Proof obligations and symbols to be realized are introduced by ``(* Why3 goal *)``. The user is supposed to fill the script after the statement. Why3 assumes that the user-made part extends up to ``Qed``, ``Admitted``, ``Save``, or ``Defined``, whichever comes first. In the case of definitions, the original statement can be replaced by a ``Notation`` directive, in order to ease the usage of predefined symbols. Why3 also recognizes ``Variable`` and ``Hypothesis`` and preserves them; they should be used in conjunction with Coq’s ``Section`` mechanism to realize theories that still need some abstract symbols and axioms. Why3 preserves any block from the script that does not fall into one of the previous categories. Such blocks can be used to import other libraries than the ones from the prelude. They can also be used to state and prove auxiliary lemmas. Why3 tries to preserve the position of these user-defined blocks relatively to the generated ones. Currently, the parser for Coq scripts is rather naive and does not know much about comments. For instance, Why3 can easily be confused by some terminating directive like ``Qed`` that would be present in a comment. .. index:: Isabelle proof assistant, proof assistant; Isabelle .. _sec.isabelle: Isabelle/HOL ------------ When using Isabelle from Why3, files generated from Why3 theories and goals are stored in a dedicated XML format. Those files should not be edited. Instead, the proofs must be completed in a file with the same name and extension ``.thy``. This is the file that is opened when using the :menuselection:`Tools --> Edit` action in the Why3 IDE. Installation ~~~~~~~~~~~~ You need version Isabelle2018 or Isabelle2019. Former or later versions are not supported. We assume below that your version is 2019, please replace 2019 by 2018 otherwise. Isabelle must be installed before compiling Why3. After compilation and installation of Why3, you must manually add the path :: /isabelle into either the user file :: .isabelle/Isabelle2019/etc/components or the system-wide file :: /etc/components Usage ~~~~~ The most convenient way to call Isabelle for discharging a Why3 goal is to start the Isabelle/jedit interface in server mode. In this mode, one must start the server once, before launching :why3:tool:`why3 ide`, using :: isabelle why3_jedit Then, inside a Why3 interactive session, any use of :menuselection:`Tools --> Edit` will transfer the file to the already opened instance of :program:`jEdit`. When the proof is completed, the user must send back the edited proof to Why3 IDE by closing the opened buffer, typically by hitting :kbd:`Control-w`. Using Isabelle server ~~~~~~~~~~~~~~~~~~~~~ Starting from Isabelle version 2018, Why3 is able to exploit the server features of Isabelle to speed up the processing of proofs in batch mode, e.g., when replaying them from within Why3 IDE. Currently, when replaying proofs using the :program:`isabelle why3` tool, an Isabelle process including a rather heavyweight Java/Scala and PolyML runtime environment has to be started, and a suitable heap image has to be loaded for each proof obligation, which can take several seconds. To avoid this overhead, an Isabelle server and a suitable session can be started once, and then :program:`isabelle why3` can just connect to it and request the server to process theories. In order to allow a tool such as Why3 IDE to use the Isabelle server, it has to be started via the wrapper tool :program:`isabelle use_server`. For example, to process the proofs in :file:`examples/logic/genealogy` using Why3 IDE and the Isabelle server, do the following: #. Start an Isabelle server using :: isabelle server & #. Start Why3 IDE using :: isabelle use_server why3 ide genealogy Realizations ~~~~~~~~~~~~ Realizations must be designed in some :file:`.thy` as follows. The realization file corresponding to some Why3 file :file:`f.why` should have the following form. :: theory Why3_f imports Why3_Setup begin section {* realization of theory T *} why3_open "f/T.xml" why3_vc why3_vc by proof [...] why3_end See directory :file:`lib/isabelle` for examples. .. index:: PVS proof assistant, proof assistant; PVS .. _sec.pvs: PVS --- Installation ~~~~~~~~~~~~ You need version 6.0. Usage ~~~~~ When a PVS file is regenerated, the old version is split into chunks, according to blank lines. Chunks corresponding to Why3 declarations are identified with a comment starting with ``% Why3``, e.g., :: % Why3 f f(x: int) : int Other chunks are considered to be user PVS declarations. Thus a comment such as ``% Why3 f`` must not be removed; otherwise, there will be two declarations for ``f`` in the next version of the file (one being regenerated and another one considered to be a user-edited chunk). Realization ~~~~~~~~~~~ The user is allowed to perform the following actions on a PVS realization: - give a definition to an uninterpreted symbol (type, function, or predicate symbol), by adding an equal sign (``=``) and a right-hand side to the definition. When the declaration is regenerated, the left-hand side is updated and the right-hand side is reprinted as is. In particular, the names of a function or predicate arguments should not be modified. In addition, the ``MACRO`` keyword may be inserted and it will be kept in further generations. - turn an axiom into a lemma, that is to replace the PVS keyword ``AXIOM`` with either ``LEMMA`` or ``THEOREM``. - insert anything between generated declarations, such as a lemma, an extra definition for the purpose of a proof, an extra ``IMPORTING`` command, etc. Do not forget to surround these extra declarations with blank lines. Why3 makes some effort to merge new declarations with old ones and with user chunks. If it happens that some chunks could not be merged, they are appended at the end of the file, in comments. why3-1.6.0/doc/manpages.rst000066400000000000000000001700771440160026300155120ustar00rootroot00000000000000.. _chap.manpages: The Why3 Tools ============== .. program:: why3 This chapter details the usage of each of the command-line tools provided by the Why3 environment. The main command is :program:`why3`; it acts as an entry-point to all the features of Why3. It is invoked as follows: :: why3 [general options...] [specific options...] The following commands are available: :why3:tool:`config` Manage the user's configuration, including the detection of installed provers. :why3:tool:`doc` Render a WhyML file as HTML. :why3:tool:`execute` Perform a symbolic execution of a WhyML file. :why3:tool:`extract` Generate an OCaml program corresponding to a WhyML file. :why3:tool:`ide` Provide a graphical interface to display goals and to run provers and transformations on them. :why3:tool:`pp` Pretty-print WhyML definitions (formatting :file:`.mlw` files or printing inductive definitions to LaTeX). :why3:tool:`prove` Read a WhyML input file and call provers, on the command-line. :why3:tool:`realize` Generate the skeleton of an interactive proof for a WhyML file. :why3:tool:`replay` Replay the proofs stored in a session, for regression test purposes. :why3:tool:`session` Dump various information from a proof session, and possibly modify it. :why3:tool:`show` Show all the currently registered formats, printers, transformations, etc. :why3:tool:`wc` Give some token statistics about a WhyML file. The commands accept a common subset of command-line options. In particular, option :option:`--help` displays the usage and options. .. option:: -L

, --library= Add ```` in the load path, to search for theories. .. option:: --no-stdlib Do not add the standard library to the loadpath. .. option:: --no-load-default-plugins Do not load the plugins from the standard path. .. option:: -C , --config= Read the configuration from the given file. See :numref:`sec.whyconffile`. .. option:: --extra-config= Read additional configuration from the given file. See :numref:`sec.whyconffile`. .. option:: --list-debug-flags List all the known debug flags. Flags marked by a star are those enabled by option :option:`--debug-all`. .. option:: --debug-all Enable all the debug flags that do not change the behavior. .. option:: --debug=,... Set some specific debug flags. See also :numref:`sec.debug` for a description of some of those flags. .. option:: --print-datadir Print the location of non-binary data (modules, etc). .. option:: --print-libdir Print the location of binary components (plugins, etc). .. option:: --help Display the usage and the exact list of options for the given tool. The following environment variables are recognized. .. envvar:: WHY3CONFIG Indicate where to find the :file:`why3.conf` file. Can be overwritten using the :option:`--config` option. .. envvar:: WHY3LIB Indicate where to find the Why3 library, which contains the dynamically loaded libraries and plugins for Why3. Setting this environment variable overrides the default value, or any other value set on the :file:`why3.conf` file (field `libdir` of section `[main]`). The default value is set at the compilation time of Why3 (see :file:`src/config.sh.in` in Why3 sources), typically :file:`/usr/local/lib/why3` on Unix operating systems, unless Why3 was compiled in relocatable mode (option `--enable-relocation` of script `configure`) when in that case it will be the directory where Why3 binary lies, concatenated with `lib/why3`. See also the option :option:`--print-libdir`. .. envvar:: WHY3DATA Indicate where to find the Why3 architecture-independent data, which contains in particular the standard library. Setting this environment variable overrides the default value, or any other value set on the :file:`why3.conf` file (field `datadir` of section `[main]`). The default value is set at the compilation time of Why3 (see :file:`src/config.sh.in` in Why3 sources), typically :file:`/usr/local/share/why3` on Unix operating systems, unless Why3 was compiled in relocatable mode (option `--enable-relocation` of script `configure`) when in that case it will be the directory where Why3 binary lies, concatenated with `share/why3`. See also the option :option:`--print-datadir`. .. index:: configuration file .. why3:tool:: config .. _sec.why3config: The ``config`` Command ---------------------- .. program:: why3 config Why3 must be configured to access external provers. Typically, this is done by running :why3:tool:`why3 config detect`. This command must be run every time a new prover is installed. The provers known by Why3 are described in the configuration file :file:`provers-detection-data.conf` of the Why3 data directory (e.g., :file:`/usr/local/share/why3`). Advanced users may try to modify this file to add support for detection of other provers. (In that case, please consider submitting a new prover configuration on the bug tracking system.) The result of prover detection is stored in the user's configuration file (see :numref:`sec.whyconffile`). Only the version of the provers is stored; the actual configuration of the provers, shortcuts, strategies, and editors, are regenerated at each startup of a Why3. This configuration can be inspected with the command :why3:tool:`why3 config show`. If a supported prover is not automatically recognized by :why3:tool:`why3 config detect`, the command :why3:tool:`why3 config add-prover` can be used to add it. Advanced users may also manually insert extra `[prover]` sections in their configuration file. Notice that in such a case, if a detected prover has exactly the same name, version and alternative as a user-defined prover, then the user-defined prover is taken and the detected one is ignored. Similarly, if a user-defined shortcut clahes with a shortcut of a detected prover, then the shortcut is chsen to denote the user-defined prover and not the detect one. The available subcommands are as follows: :why3:tool:`config add-prover` Manually register a prover. :why3:tool:`config detect` Automatically detect installed provers and register them. :why3:tool:`config list-provers` List the provers registered in :file:`why3.conf`. :why3:tool:`config list-supported-provers` List the names of all supported provers. :why3:tool:`config show` Show the expanded version of the configuration file. Only the first two commands modify the configuration file. .. why3:tool:: config add-prover Command ``add-prover`` ~~~~~~~~~~~~~~~~~~~~~~ This commands adds a prover to the configuration. It is invoked as follows. :: why3 config add-prover [] Argument *name* is the name of the prover, as listed by command :why3:tool:`why3 config list-supported-provers` and as found in file :file:`provers-detection-data.conf`. If the argument *shortcut* is present, it is used as the shortcut for invoking the prover. For example, to add an Alt-Ergo executable :file:`/home/me/bin/alt-ergo-trunk` with shortcut ``new-ae``, one can type :: why3 config add-prover Alt-Ergo /home/me/bin/alt-ergo-trunk new-ae Manually added provers are stored in the configuration file under ``[partial_prover]`` sections with a field ``manual = true``. .. why3:tool:: config detect Command ``detect`` ~~~~~~~~~~~~~~~~~~ This command automatically detects the installed provers that are supported by Why3. It also creates a configuration file if none exists. Automatically detected provers are stored in the configuration file under ``[partial_prover]`` sections. .. why3:tool:: config list-provers Command ``list-provers`` ~~~~~~~~~~~~~~~~~~~~~~~~ This command lists the names, versions, and alternatives of all the provers present in :file:`why3.conf`. Those are the values expected by :option:`why3 prove --prover`. .. why3:tool:: config list-supported-provers Command ``list-supported-provers`` ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ This command lists the names of all supported provers, as used for command :why3:tool:`why3 config add-prover`. .. why3:tool:: config show Command ``show`` ~~~~~~~~~~~~~~~~ This command shows the expanded version of the configuration file. In particular, all the ``[partial_prover]`` sections are expanded into complete ``[prover]`` sections. Automatically generated ``[strategy]`` sections are also shown. .. why3:tool:: prove .. _sec.why3prove: The ``prove`` Command --------------------- .. program:: why3 prove Why3 is primarily used to call provers on goals contained in an input file. By default, such a file must be written in WhyML language (extension :file:`.mlw`). However, a dynamically loaded plugin can register a parser for some other format of logical problems, e.g., TPTP or SMT-LIB. The :why3:tool:`prove` command executes the following steps: #. Parse the command line and report errors if needed. #. Read the configuration file using the priority defined in :numref:`sec.whyconffile`. #. Load the plugins mentioned in the configuration. It will not stop if some plugin fails to load. #. Parse and typecheck the given files using the correct parser in order to obtain a set of Why3 theories for each file. It uses the filename extension or the :option:`--format` option to choose among the available parsers. Command :why3:tool:`why3 show formats` lists the registered parsers. WhyML modules are turned into theories containing verification conditions as goals. #. Extract the selected goals inside each of the selected theories into tasks. The goals and theories are selected using options :option:`--goal` and :option:`--theory`. Option :option:`--theory` applies to the previous file appearing on the command line. Option :option:`--goal` applies to the previous theory appearing on the command line. If no theories are selected in a file, then every theory is considered as selected. If no goals are selected in a theory, then every goal is considered as selected. #. Apply the transformations requested with :option:`--apply-transform` in their order of appearance on the command line. Command :why3:tool:`why3 show transformations` lists the known transformations; plugins can register more of them. #. If the option :option:`--sub-goal` is provided, only the sub-goals that correspond to the given line number (and explanation) are retained after applying the transformations. #. Apply the driver selected with the :option:`--driver` option, or the driver of the prover selected with the :option:`--prover` option. Command :why3:tool:`why3 config list-provers` lists the provers that appear in the configuration file. #. If option :option:`--prover` is given, call the selected prover on each generated task and print the results. If option :option:`--driver` is given, print each generated task using the format specified in the selected driver. #. Derive a validated counterexample using runtime-assertion checking, if option :option:`--check-ce` is given and the selected prover generated a counterexample. Prover Results ~~~~~~~~~~~~~~ The provers can give the following output: Valid The goal is proved in the given context. Unknown The prover has stopped its search. Timeout The prover has reached the time limit. OutOfMemory The prover has reached the memory limit. StepLimitExceeded The prover has reached the steps limit. Failure The prover has reported a failure. HighFailure An error occurred during the call to the prover, or no other answer match the output of the prover. Invalid The prover knows the goal cannot be proved. .. _sec.proveoptions: Options ~~~~~~~ .. option:: -F , --format= Select the given input format. .. option:: -T , --theory= Focus on the given theory. If the argument is not qualified, the theory is searched in the input file. .. option:: -G , --goal= Focus on the given goal. The goal is searched in the theory given by :option:`--theory`, if any. Otherwise, it is searched in the toplevel namespace of the input file. .. option:: -a , --apply-transform= Apply the given transformation to the goals. .. option:: -g [][:][@], --sub-goal=[][:][@] Retain only sub-goals at the given location (and with the given explanation) after applying the transformations. The file can be omitted and defaults to the input file. E.g., ``why3 prove --sub-goal=:123@Precondition file.mlw`` to prove only the preconditions in line 123 in file ``file.mlw``.The explanation of a goal is shown the normal output of ``why3 prove``: :: File "file.mlw", line 123, characters 0-1: Sub-goal from goal f'vc. .. option:: -P , --prover= Execute the given prover on the goals. .. option:: -D , --driver= Output the tasks obtained by applying the given driver to the goals. should be either a file path with extension :file:`.drv` or a single name :file:`d` without extension. Names without extensions are meant to denote the file :file:`d.drv` from the driver directory of Why3. File names with extension are search both from the current directory and in the driver directory of Why3. This option conflicts with :option:`--prover`. .. option:: --extra-expl-prefix= Specify *s* as an additional prefix for labels that denotes VC explanations. The option can be used several times to specify several prefixes. .. option:: --timelimit= Set the prover's time limit. By default, the limit is set to 10 seconds. Setting this option to 0 second disables the time limit. .. option:: --stepslimit= Set the prover's step limit. By default, there is no limit. .. option:: --memlimit= Set the prover's memory limit. By default, there is no limit. .. option:: --meta=[=] Add a meta to every task. .. option:: --print-theory Print selected theories. .. option:: --print-namespace Print namespaces of selected theories. .. option:: --check-ce Validate and categorize the counterexample using runtime-assertion checking, as proposed by Becker et al :cite:`becker21fide`. Only applicable when the prover selected by :option:`--prover` is configured to generate counterexamples. .. option:: --rac-prover=

Use prover *p* for the runtime-assertion checking (with :option:`--check-ce`) during the validation of counterexamples, as described for :why3:tool:`execute`. .. option:: --rac-timelimit= Time limit in seconds for RAC prover (with :option:`--check-ce`). .. option:: --rac-steplimit= Step limit for RAC prover (with :option:`--check-ce`). .. option:: --rac-try-negate Same option as for :why3:tool:`execute` (with :option:`--check-ce`) .. option:: --parse-only Stop after parsing (same as ``--debug=parse_only``). .. option:: --type-only Stop after type checking (same as ``--debug=type_only``). .. option:: --ce-log-verbosity= Verbosity level for interpretation log of counterexample model returned by the prover. By default, the level is set to 4. - When level = 1, print only imported values. - When level = 2, also print log information about execution of function calls. - When level = 3, also print log information about execution of loops. - When level = 4, also print log information about termination of executions. - When level = 5, also print log information about initialization of global variables. .. option:: --json Print output in JSON format. .. option:: --json-model-values Print values of prover model in JSON format (backwards compatibility with :option:`--json`). .. option:: --color Print output with colors. Generating potential counterexamples ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ When the selected prover has alternative `counterexample`, the prover is instructed to generate a model, and Why3 elaborates the model into a potential counterexample. The potential counterexample associates source locations and variables to values. The generation and display of potential counterexamples is presented in details in :numref:`sec.idece`. Generating validated and categorized counterexamples ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ A validated counterexample can be requested using option :option:`--check-ce`. The validated counterexample is derived by executing the relevant function using runtime assertion checking (RAC) [#ce-split]_. The potential counterexample serves as an oracle for values that are not or cannot be computed in the RAC execution (e.g., arguments to the relevant function or ``any``-expressions). The validated counterexample is a trace of the RAC execution, with one of the following categorizations (see :cite:`becker21fide` for details): *The program does not comply to the verification goal:* The validated counterexample is the trace of an execution that resulted in the violation of an assertion. *The contracts of some function or loop are underspecified:* The validated counterexample is the trace of an abstract execution, which resulted in the violation of an assertion. In an abstract execution, function calls and loops are not executed. Their results and assignments are instead chosen according to the contracts (function postcondition or loop invariants) by picking them from the potential counterexample. *The program does not comply to the verification goal, or the contracts of some loop or function are too weak:* Either of the above cases. *Sorry, we don't have a good counterexample for you :(* The RAC execution did not violate any assertions. The execution trace does not constitute a validated counterexample, and the potential counterexample is invalid, so no counterexample is shown. *The counterexample model could not be verified:* The validated counterexample could not be derived because RAC execution was incomplete. The potential counterexample is instead shown with a warning. .. [#ce-split] The relevant function is generally only defined, when the counterexample is not generated for the VC of the complete program, for example by applying a split transformation using ``--apply-transform=split_vc``. .. why3:tool:: ide .. _sec.ideref: The ``ide`` Command ------------------- .. program:: why3 ide The basic usage of the GUI is described by the tutorial of :numref:`sec.gui`. The command-line options are the common options detailed in introduction to this chapter, plus the specific option already described for the :why3:tool:`prove` command in :numref:`sec.proveoptions`. .. .. option:: --extra-expl-prefix= At least one anonymous argument must be specified on the command line. More precisely, the first anonymous argument must be the directory of the session. If the directory does not exist, it is created. The other arguments should be existing files that are going to be added to the session. For convenience, if there is only one anonymous argument, it can be an existing file and in this case the session directory is obtained by removing the extension from the file name. .. _sec.ideref.session: Session ~~~~~~~ The session stores the transformations you performed on each verification condition, as well as the provers you ran. Such a proof attempt records the complete name of a prover (name, version, optional attribute), the time limit and memory limit given, and the result of the prover. The result of the prover is the same as when you run the :why3:tool:`prove` command. It contains the time taken and the state of the proof: Valid The task is valid according to the prover. The goal is considered proved. Invalid The task is invalid. Timeout the prover exceeded the time limit. OufOfMemory The prover exceeded the memory limit. Unknown The prover cannot determine if the task is valid. Some additional information can be provided. Failure The prover reported a failure. HighFailure An error occurred while trying to call the prover, or the prover answer was not understood. Additionally, a proof attempt can have the following attributes: :index:`obsolete` The prover associated to that proof attempt has not been run on the current task, but on an earlier version of that task. You need to replay the proof attempt, run the prover with the current task of the proof attempt, in order to update the answer of the prover and remove this attribute. :index:`detached` The proof attempt is not associated to a proof task anymore. The reason might be that a proof goal disappeared, or that there is a syntax or typing error in the current file, that makes all nodes temporarily detached until the parsing error is fixed. Detached nodes of the session tree are kept until they are explicitly removed, either using a remove command or the clean command. They can be reused, as any other nodes, using the copy/paste operation. Generally, proof attempts are marked obsolete just after the start of the user interface. Indeed, when you load a session in order to modify it (not with :why3:tool:`why3 session info` for instance), Why3 rebuilds the goals to prove by using the information provided in the session. If you modify the original file (:file:`.mlw`) or if the transformations have changed (new version of Why3), Why3 will detect that. Since the provers might answer differently on these new proof obligations, the corresponding proof attempts are marked obsolete. Context Menu ~~~~~~~~~~~~ The left toolbar that was present in former versions of Why3 is now replaced by a context menu activited by clicking the right mouse button, while cursor is on a given row of the proof session tree. *Prover list* List the detected provers. Note that you can hide some provers of that list using :menuselection:`File --> Preferences`, tab :guilabel:`Provers`. *Strategy list* List the set of known strategies. :guilabel:`Edit` Start an editor on the selected task. :guilabel:`Replay valid obsolete proofs` All proof nodes below the selected nodes that are obsolete but whose former status was Valid are replayed. :guilabel:`Replay all obsolete proofs` All proof nodes below the selected nodes that are obsolete are replayed. :guilabel:`Clean node` Remove any unsuccessful proof attempt for which there is another successful proof attempt for the same goal. :guilabel:`Remove node` Remove a proof attempt or a transformation. :guilabel:`Interrupt` Cancel all the proof attempts currently scheduled or running. Global Menus ~~~~~~~~~~~~ Menu :menuselection:`File` :menuselection:`--> Add File to session` Add a file to the current proof session. :menuselection:`--> Preferences` Open a window for modifying preferred configuration parameters, see details below. :menuselection:`--> Save session` Save current session state on disk. The policy to decide when to save the session is configurable, as described in the preferences below. :menuselection:`--> Save files` Save edited source files on disk. :menuselection:`--> Save session and files` Save both current session state and edited files on disk. :menuselection:`--> Save all and Refresh session` Save session and edited files, and refresh the current session tree. :menuselection:`--> Quit` Exit the GUI. Menu :menuselection:`Tools` :menuselection:`--> Strategies` Provide a set of actions that are performed on the selected goals: :menuselection:`--> Split VC` Split the current goal into subgoals. :menuselection:`--> Auto level 0` Perform a basic proof search strategy that applies a few provers on the goal with a short time limit. :menuselection:`--> Auto level 1` This is the same as level 0 but with a longer time limit. :menuselection:`--> Auto level 2` This strategy first applies a few provers on the goal with a short time limit, then splits the goal and tries again on the subgoals. :menuselection:`--> Auto level 3` This strategy is more elaborate than level 2. It attempts to apply a few transformations that are typically useful. It also tries the provers with a larger time limit. It also tries more provers. A more detailed description of strategies is given in :numref:`sec.strategies`, as well as a description on how to design strategies of your own. :menuselection:`--> Provers` Provide a menu item for each detected prover. Clicking on such an item starts the corresponding prover on the selected goals. To start a prover with a different time limit, you may either change the default time limit in the Preferences, or using the text command field and type the prover name followed by the time limit. :menuselection:`--> Transformations` Give access to all the known transformations. :menuselection:`--> Edit` Start an editor on the selected task. For automatic provers, this shows the file sent to the prover. For interactive provers, this also makes it possible to add or modify the corresponding proof script. The modifications are saved, and can be retrieved later even if the goal was modified. :menuselection:`--> Replay valid obsolete proofs` Replay all the obsolete proofs below the current node whose former state was Valid. :menuselection:`--> Replay all obsolete proofs` Replay all the obsolete proofs below the current node. :menuselection:`--> Clean node` Remove any unsuccessful proof attempt for which there is another successful proof attempt for the same goal. :menuselection:`--> Remove node` Remove a proof attempt or a transformation. :menuselection:`--> Mark obsolete` Mark all the proof as obsolete. This makes it possible to replay every proof. :menuselection:`--> Interrupt` Cancel all the proof attempts currently scheduled or running. :menuselection:`--> Bisect` Reduce the size of the context for the the selected proof attempt, which must be a Valid one. :menuselection:`--> Focus` Focus the tree session view to the current node. :menuselection:`--> Unfocus` Undo the Focus action. :menuselection:`--> Copy` Mark the proof sub-tree for copy/past action. :menuselection:`--> Paste` Paste the previously selected sub-tree under the current node. Menu :menuselection:`View` :menuselection:`--> Enlarge font` Select a large font. :menuselection:`--> Reduce font` Select a smaller font. :menuselection:`--> Collapse proved goals` Close all the rows of the tree view that are proved. :menuselection:`--> Expand all` Expand all the rows of the tree view. :menuselection:`--> Collapse under node` Close all the rows of the tree view under the given node that are proved. :menuselection:`--> Expand below node` Expand the children below the current node. :menuselection:`--> Expand all below node` Expand the whole subtree of the current node. :menuselection:`--> Go to parent node` Move to the parent of the current node. :menuselection:`--> Go to first child` Move to the first child of the current node. :menuselection:`--> Select next unproven goal` Move to the next unproven goal after the current node. Menu :menuselection:`Help` :menuselection:`--> Legend` Explain the meaning of the various icons. :menuselection:`--> About` Give some information about this software. Command-line interface ~~~~~~~~~~~~~~~~~~~~~~ Between the top-right zone containing source files and task, and the bottom-right zone containing various messages, a text input field allows the user to invoke commands using a textual interface (see :numref:`fig.gui1`). The ``help`` command displays a basic list of available commands. All commands available in the menus are also available as a textual command. However the textual interface allows for much more possibilities, including the ability to invoke transformations with arguments. Key shortcuts ~~~~~~~~~~~~~ - Save session and files: :kbd:`Control-s` - Save all and refresh session: :kbd:`Control-r` - Quit: :kbd:`Control-q` - Enlarge font: :kbd:`Control-plus` - Reduce font: :kbd:`Control-minus` - Collapse proved goals: :kbd:`!` - Collapse current node: :kbd:`-` - Expand current node: :kbd:`+` - Copy: :kbd:`Control-c` - Paste: :kbd:`Control-v` - Select parent node: :kbd:`Control-up` - Select next unproven goal: :kbd:`Control-down` - Change focus to command line: :kbd:`Return` - Edit: :kbd:`e` - Replay: :kbd:`r` - Clean: :kbd:`c` - Remove: :kbd:`Delete` - Mark obsolete : :kbd:`o` Preferences Dialog ~~~~~~~~~~~~~~~~~~ The preferences dialog allows you to customize various settings. They are grouped together under several tabs. Note that there are to different buttons to close that dialog. The :guilabel:`Close` button will make modifications of any of these settings effective only for the current run of the GUI. The :guilabel:`Save&Close` button will save the modified settings in Why3 configuration file, to make them permanent. Tab :guilabel:`General` allows one to set various general settings. - the limits set on resource usages: - the time limit given to provers, in seconds - the memory given to provers, in megabytes - the maximal number of simultaneous provers allowed to run in parallel - option to disallow source editing within the GUI - the policy for saving sessions: - always save on exit (default): the current state of the proof session is saving on exit - never save on exit: the current state of the session is never saved automatically, you must use menu :menuselection:`File --> Save session` - ask whether to save: on exit, a popup window asks whether you want to save or not. Tab :guilabel:`Appearance` - show full task context: by default, only the local context of formulas is shown, that is only the declarations comming from the same module - show attributes in formulas - show coercions in formulas - show source locations in formulas - show time and memory limits for each proof Finally, it is possible to choose an alternative icon set, provided, one is installed first. Tab :guilabel:`Editors` allows one to customize the use of external editors for proof scripts. - The default editor to use when the button is pressed. - For each installed prover, a specific editor can be selected to override the default. Typically if you install the Coq prover, then the editor to use will be set to “CoqIDE” by default, and this dialog allows you to select the Emacs editor and its `Proof General `_ mode instead. Tab :guilabel:`Provers` allows to select which of the installed provers one wants to see in the context menu. Tab :guilabel:`Uninstalled provers policies` presents all the decision previously taken for missing provers, as described in :numref:`sec.uninstalledprovers`. You can remove any recorded decision by clicking on it. .. _sec.idece: Displaying Counterexamples ~~~~~~~~~~~~~~~~~~~~~~~~~~ Why3 provides some support for extracting a potential counterexample from failing proof attempts, for provers that are able to produce a *counter-model* of the proof task. Why3 attempts to turn this counter-model into values for the free variables of the original Why3 input. Currently, this is supported for CVC4 prover version at least 1.5, CVC5, and Z3 prover version at least 4.4.0. The generation of counterexamples is fully integrated in Why3 IDE. The recommended usage is to first start a prover normally, as shown in :numref:`fig.ce_example0_p1`, and then click on the status icon for the corresponding proof attempt in the tree. Alternatively, one can use the key shortcut :kbd:`G` or type ``get-ce`` in the command entry. The result can be seen on :numref:`fig.ce_example0_p2`: the same prover but with the alternative *counterexamples* is run. The resulting counterexample is displayed in two different ways. First, it is displayed in the :guilabel:`Task` tab of the top-right window, at the end of the text of the task, under the form of a list of pairs “variable = value”, ordered by the line number of the source code in which that variable takes that value. Second, it is displayed in the *Counterexample* tab of the bottom right window, this time interleaved with the code, as shown in :numref:`fig.ce_example0_p2`. .. %EXECUTE bin/why3 ide --batch="down;down;type cvc4;wait 2;down;snap -crop 1024x600+0+0 doc/images/ce_example0_p1.png" doc/cedoc.mlw .. %EXECUTE bin/why3 ide --batch="down;down;type cvc4;wait 2;down;type get-ce;wait 2;down;faketype get-ce;snap -crop 1024x600+0+0 doc/images/ce_example0_p2.png" doc/cedoc.mlw .. _fig.ce_example0_p1: .. figure:: images/ce_example0_p1.png :alt: Failing execution of CVC4 Failing execution of CVC4 .. _fig.ce_example0_p2: .. figure:: images/ce_example0_p2.png :alt: Counterexamples display for CVC4 Counterexamples display for CVC4 Notes on format of displayed values ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^ The counterexamples can contain values of various types. - Integer or real variables are displayed in decimal. - Bitvectors are displayed in decimal and binary notations. - Integer range types are displayed in a specific notation showing their projection to integers. - Floating-point numbers are displayed both under a bitvector representation and an hexadecimal value. The special values ``+oo``, ``-oo``, and ``NaN`` may occur too. - Values from algebraic types and record types are displayed as in the Why3 syntax. - Map values are displayed in a specific syntax detailed below. To detail the display of map values, consider the following code with a trivially false postcondition: .. code-block:: whyml use int.Int use map.Map let ghost test_map (ghost x : (map int int)) : map int int ensures { result[0] <> result[1] } = Map.set x 0 3 Executing CVC4 with the “counterexamples” alternative on goal will trigger counterexamples: .. code-block:: whyml let ghost test_map (ghost x : (map int int)) : map int int (* x : int -> int = [|1 => 3; _ => 0|]; *) ensures { result[0] <> result[1] } (* result : int -> int = [|0 => 3; 1 => 3; _ => 0|] *) = Map.set x 0 3 (* result : int -> int = [|0 => 3; 1 => 3; _ => 0|]; result of call at line 7, characters 5-18 : int -> int = [|0 => 3; 1 => 3; _ => 0|] *) The notation for map is the one for function literals presented in :numref:`sec.functionliterals`. This shows that setting the parameter ``x`` to a map that has value 3 for index 1 and zero for all other indices is a counterexample. We can check that this negates the ``ensures`` clause. Known limitations ^^^^^^^^^^^^^^^^^ The counterexamples are known not to work on the following non-exhaustive list (which is undergoing active development): - Code containing type polymorphism is often a problem due to the bad interaction between monomorphisation techniques and counterexamples. This is current an issue in particular for the ``Array`` module of the standard library. .. todo:: complete this list More information on the implementation of counterexamples in Why3 can be found in :cite:`hauzar16sefm` and in :cite:`dailler18jlamp`. For the producing counterexamples using the Why3 API, see :numref:`sec.ce_api`. .. why3:tool:: replay .. _sec.why3replay: The ``replay`` Command ---------------------- .. program:: why3 replay The :program:`why3 replay` command is meant to execute the proofs stored in a Why3 session file, as produced by the IDE. Its main purpose is to play non-regression tests. For instance, :file:`examples/regtests.sh` is a script that runs regression tests on all the examples. The tool is invoked in a terminal or a script using :: why3 replay [options] The session file :file:`why3session.xml` stored in the given directory is loaded and all the proofs it contains are rerun. Then, all the differences between the information stored in the session file and the new run are shown. Nothing is shown when there is no change in the results, whether the considered goal is proved or not. When all the proof are done, a summary of what is proved or not is displayed using a tree-shape pretty print, similar to the IDE tree view after doing :menuselection:`View --> Collapse proved goals`. In other words, when a goal, a theory, or a file is fully proved, the subtree is not shown. Obsolete proofs ~~~~~~~~~~~~~~~ When some proof attempts stored in the session file are :index:`obsolete`, the replay is run anyway, as with the replay button in the IDE. Then, the session file will be updated if both - all the replayed proof attempts give the same result as what is stored in the session, - all the goals are proved. In other cases, you can use the IDE to update the session, or use the option :option:`--force` described below. Exit code and options ~~~~~~~~~~~~~~~~~~~~~ The exit code is 0 if no difference was detected, 1 if there was. Other exit codes mean some failure in running the replay. Options are: .. option:: -s Suppress the output of the final tree view. .. option:: -q Run quietly (no progress info). .. option:: --force Enforce saving the session, if all proof attempts replayed correctly, even if some goals are not proved. .. option:: --obsolete-only Replay the proofs only if the session contains obsolete proof attempts. .. option:: --smoke-detector[=none|top|deep] Try to detect if the context is self-contradicting (default: top). .. option:: --prover= Restrict the replay to the selected provers only. Smoke detector ~~~~~~~~~~~~~~ The smoke detector tries to detect if the context is self-contradicting and, thus, that anything can be proved in this context. The smoke detector can’t be run on an outdated session and does not modify the session. It has three possible configurations: ``none`` Do not run the smoke detector. ``top`` The negation of each proved goal is sent with the same timeout to the prover that proved the original goal. :: Goal G : forall x:int. q x -> (p1 x \/ p2 x) becomes :: Goal G : ~ (forall x:int. q x -> (p1 x \/ p2 x)) In other words, if the smoke detector is triggered, it means that the context of the goal ``G`` is self-contradicting. ``deep`` This is the same technique as ``top`` but the negation is pushed under the universal quantification (without changing them) and under the implication. The previous example becomes :: Goal G : forall x:int. q x /\ ~ (p1 x \/ p2 x) In other words, the premises of goal ``G`` are pushed in the context, so that if the smoke detector is triggered, it means that the context of the goal ``G`` and its premises are self-contradicting. It should be clear that detecting smoke in that case does not necessarily means that there is a mistake: for example, this could occur in the WP of a program with an unfeasible path. At the end of the replay, the name of the goals that triggered the smoke detector are printed: :: goal 'G', prover 'Alt-Ergo 0.93.1': Smoke detected!!! Moreover ``Smoke detected`` (exit code 1) is printed at the end if the smoke detector has been triggered, or ``No smoke detected`` (exit code 0) otherwise. .. why3:tool:: session .. _sec.why3session: The ``session`` Command ----------------------- .. program:: why3 session The :program:`why3 session` command makes it possible to extract information from proof sessions on the command line, or even modify them to some extent. The invocation of this program is done under the form :: why3 session [options] The available subcommands are as follows: :why3:tool:`session info` Print information and statistics about sessions. :why3:tool:`session latex` Output session contents in LaTeX format. :why3:tool:`session html` Output session contents in HTML format. :why3:tool:`session update` Update session contents. The first three commands do not modify the sessions, whereas the last modify them. .. why3:tool:: session info Command ``info`` ~~~~~~~~~~~~~~~~ .. program:: why3 session info The :program:`why3 session info` command reports various informations about the session, depending on the following specific options. .. option:: --provers Print the provers that appear inside the session, one by line. .. option:: --edited-files Print all the files that appear in the session as edited proofs. .. option:: --stats Print various proofs statistics, as detailed below. .. option:: --print0 Separate the results of the options :option:`--provers` and :option:`--edited-files` by the null character ``\0`` instead of end of line ``\n``. That allows you to safely use (even if the filename contains space or carriage return) the result with other commands. For example you can count the number of proof line in all the coq edited files in a session with: .. code-block:: shell why3 session info --edited-files vstte12_bfs --print0 | xargs -0 coqwc or you can add all the edited files in your favorite repository with: .. code-block:: shell why3 session info --edited-files --print0 vstte12_bfs.mlw | \ xargs -0 git add Session Statistics ^^^^^^^^^^^^^^^^^^ The proof statistics given by option :option:`--stats` are as follows: - Number of goals: give both the total number of goals, and the number of those that are proved (possibly after a transformation). - Goals not proved: list of goals of the session which are not proved by any prover, even after a transformation. - Goals proved by only one prover: the goals for which there is only one successful proof. For each of these, the prover which was successful is printed. This also includes the sub-goals generated by transformations. - Statistics per prover: for each of the prover used in the session, the number of proved goals is given. This also includes the sub-goals generated by transformations. The respective minimum, maximum and average time and on average running time is shown. Beware that these time data are computed on the goals *where the prover was successful*. For example, here are the session statistics produced on the “hello proof” example of :numref:`chap.starting`. :: == Number of root goals == total: 3 proved: 2 == Number of sub goals == total: 2 proved: 1 == Goals not proved == +-- file ../hello_proof.why +-- theory HelloProof +-- goal G2 +-- transformation split_goal_right +-- goal G2.0 == Goals proved by only one prover == +-- file ../hello_proof.why +-- theory HelloProof +-- goal G1: Alt-Ergo 0.99.1 +-- goal G2 +-- transformation split_goal_right +-- goal G2.1: Alt-Ergo 0.99.1 +-- goal G3: Alt-Ergo 0.99.1 == Statistics per prover: number of proofs, time (minimum/maximum/average) in seconds == Alt-Ergo 0.99.1 : 3 0.00 0.00 0.00 .. why3:tool:: session latex Command ``latex`` ~~~~~~~~~~~~~~~~~ .. program:: why3 session latex The :program:`why3 session latex` command produces a summary of the replay under the form of a tabular environment in LaTeX, one tabular for each theory, one per file. The specific options are .. option:: --style= Set output style (1 or 2, default 1). Option ``--style=2`` produces an alternate version of LaTeX output, with a different layout of the tables. .. option:: -o

Indicate where to produce LaTeX files (default: the session directory). .. option:: --longtable Use the ``longtable`` environment instead of ``tabular``. .. option:: -e Produce a table for the given element, which is either a file, a theory or a root goal. The element must be specified using its path in dot notation, e.g., ``file.theory.goal``. The file produced is named accordingly, e.g., :file:`file.theory.goal.tex`. This option can be given several times to produce several tables in one run. When this option is given at least once, the default behavior that is to produce one table per theory is disabled. Customizing LaTeX output ^^^^^^^^^^^^^^^^^^^^^^^^ The generated LaTeX files contain some macros that must be defined externally. Various definitions can be given to them to customize the output. ``\provername`` macro with one parameter, a prover name. ``\valid`` macro with one parameter, used where the corresponding prover answers that the goal is valid. The parameter is the time in seconds. ``\noresult`` macro without parameter, used where no result exists for the corresponding prover. ``\timeout`` macro without parameter, used where the corresponding prover reached the time limit. ``\explanation`` macro with one parameter, the goal name or its explanation. Here are some examples of macro definitions: .. code-block:: latex \usepackage{xcolor} \usepackage{colortbl} \usepackage{rotating} \newcommand{\provername}[1]{\cellcolor{yellow!25} \begin{sideways}\textbf{#1}~~\end{sideways}} \newcommand{\explanation}[1]{\cellcolor{yellow!13}lemma \texttt{#1}} \newcommand{\transformation}[1]{\cellcolor{yellow!13}transformation \texttt{#1}} \newcommand{\subgoal}[2]{\cellcolor{yellow!13}subgoal #2} \newcommand{\valid}[1]{\cellcolor{green!13}#1} \newcommand{\unknown}[1]{\cellcolor{red!20}#1} \newcommand{\invalid}[1]{\cellcolor{red!50}#1} \newcommand{\timeout}[1]{\cellcolor{red!20}(#1)} \newcommand{\outofmemory}[1]{\cellcolor{red!20}(#1)} \newcommand{\noresult}{\multicolumn{1}{>{\columncolor[gray]{0.8}}c|}{~}} \newcommand{\failure}{\cellcolor{red!20}failure} \newcommand{\highfailure}{\cellcolor{red!50}FAILURE} .. TODO: Restore screenshots of HelloProof.tex (style 1 and style 2) .. why3:tool:: session html Command ``html`` ~~~~~~~~~~~~~~~~ .. program:: why3 session html The :program:`why3 session html` command produces a summary of the proof session in HTML syntax. There are two styles of output: ``table`` and ``simpletree``. The default is ``table``. The file generated is named :file:`why3session.html` and is written in the session directory by default (see option :option:`-o` to override this default). .. _fig.html: .. figure:: images/hello_proof.png :alt: HTML table produced for the HelloProof example HTML table produced for the HelloProof example The style ``table`` outputs the contents of the session as a table, similar to the LaTeX output above. :numref:`fig.html` is the HTML table produced for the ‘HelloProof’ example, as typically shown in a Web browser. The gray cells filled with ``---`` just mean that the prover was not run on the corresponding goal. Green background means the result was “Valid”, other cases are in orange background. The red background for a goal means that the goal was not proved. The style ``simpletree`` displays the contents of the session under the form of tree, similar to the tree view in the IDE. It uses only basic HTML tags such as ``
    `` and ``
  • ``. Specific options for this command are as follows. .. option:: --style=[simpletree|table] Set the style to use, among ``simpletree`` and ``table`` (default: ``table``). .. option:: -o Set the directory where to output the produced files (``-`` for stdout). The default is to output in the same directory as the session itself. .. option:: --context Add context around the generated code in order to allow direct visualization (header, css, etc.). It also adds in the output directory all the needed external files. It is incompatible with stdout output. .. option:: --add_pp=,, Set a specific pretty-printer for files with the given suffix. Produced files use ** as suffix. ** must contain ``%i`` which will be replaced by the input file and ``%o`` which will be replaced by the output file. .. option:: --coqdoc use the :program:`coqdoc` command to display Coq proof scripts. This is equivalent to ``--add_pp=.v,coqdoc --no-index --html -o %o %i,.html`` .. why3:tool:: session update Command ``update`` ~~~~~~~~~~~~~~~~~~ .. program:: why3 session update The :program:`why3 session update` command permits to modify the session contents, depending on the following specific options. .. option:: --rename-file=: rename the file ** to ** in the session. The file ** itself is also renamed to ** in your filesystem. .. why3:tool:: doc .. _sec.why3doc: The ``doc`` Command ------------------- .. program:: why3 doc The :program:`why3 doc` command can produce HTML pages from Why3 source code. Why3 code for theories or modules is output in preformatted HTML code. Comments are interpreted in three different ways. - Comments starting with at least three stars are completed ignored. - Comments starting with two stars are interpreted as textual documentation. Special constructs are interpreted as described below. When the previous line is not empty, the comment is indented to the right, so as to be displayed as a description of that line. - Comments starting with one star only are interpreted as code comments, and are typeset as the code Additionally, all the Why3 identifiers are typeset with links so that one can navigate through the HTML documentation, going from some identifier use to its definition. Options ~~~~~~~ .. option:: -o , --output= Define the directory where to output the HTML files. .. option:: --index Generate an index file :file:`index.html`. This is the default behavior if more than one file is passed on the command line. .. option:: --no-index Prevent the generation of an index file. .. option:: --title= Set title of the index page. .. option:: --stdlib-url=<url> Set a URL for files found in load path, so that links to definitions can be added. Typesetting textual comments ~~~~~~~~~~~~~~~~~~~~~~~~~~~~ Some constructs are interpreted: - :samp:`\\{{c} {text}}` interprets character *c* as some typesetting command: ``1``-``6`` a heading of level 1 to 6 respectively ``h`` raw HTML - :samp:`\`{code}\`` is a code escape: the text *code* is typeset as Why3 code. A CSS file :file:`style.css` suitable for rendering is generated in the same directory as output files. This CSS style can be modified manually, since regenerating the HTML documentation will not overwrite an existing :file:`style.css` file. .. why3:tool:: pp .. _sec.why3pp: The ``pp`` Command ------------------ .. program:: why3 pp This tool pretty-prints Why3 declarations into various forms. The kind of output is specified using the ``--output`` option. :: why3 pp [--output=mlw|sexp|latex|dep] [--kind=inductive] [--prefix=<prefix>] \ <filename> <file>[[.<Module>].<ind_type>] ... .. option:: --output=<output> Set the output format, among the following: - ``mlw``: reformat WhyML source code. - ``sexp``: print the abstract syntax tree of a WhyML file (data-type from API module ``Ptree``) as a S-expression (enabled only when package ``ppx_sexp_conv`` is available at configuration time of Why3). - ``latex``: currently can be used to print WhyML inductive definitions to LaTeX, using the ``mathpartir`` package. - ``dep``: display module dependencies, under the form of a digraph using the ``dot`` syntax from the `GraphViz <https://www.graphviz.org/>`_ visualisation software. .. option:: --kind=<kind> Set the syntactic kind to be pretty printed. Currently, the only supported kind are inductive types (``--kind=inductive``) when using the LaTeX output (``--output=latex``). .. option:: --prefix=<prefix> Set the prefix for LaTeX commands when using ``--output=latex``. The default prefix is ``WHY``. For the LaTeX output, the typesetting of variables, record fields, and functions can be configured by LaTeX commands. Dummy definitions of these commands are printed in comments and have to be defined by the user. Trailing digits and quotes are removed from the command names to reduce the number of commands. .. why3:tool:: execute .. _sec.why3execute: The ``execute`` Command ----------------------- .. program:: why3 execute Why3 can execute expressions in the context of a WhyML program (extension :file:`.mlw`). :: why3 execute [options] <file> <expr> `file` is a WhyML file, and `expr` is a WhyML expression. Using option ``--use=<M>`` the definitions from module `M` are added to the context for executing `expr`. For example, the following command executes ``Mod1.f 42`` defined in ``myfile.mlw``: .. code-block:: shell why3 execute myfile.mlw --use=Mod1 'f 42' Upon completion of the execution, the value of the result is displayed on the standard input. Additionally, values of the global mutable variables modified by that function are displayed too. See more details and examples of use in :numref:`sec.execute`. Runtime assertion checking (RAC) ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ The execution can be instructed using option :option:`--rac` to check the validity of the program annotations that are encountered during the execution. This includes the validation of assertions, function contracts, and loop invariants [#no-function-invars]_. There are two strategies to check the validity of an annotation: First, the term is reduced using the Why3 transformation ``compute_in_goal``. The annotation is valid when the result of the reduction is `true` and invalid when the result is `false`. When the transformation cannot reduce the term to a trivial term, and when a RAC prover is given using option :option:`--rac-prover`, the prover is used to verify the term. When a program annotation is found to be wrong during the execution, the execution stops and reports the contradiction. Normally, the execution continues when an annotation cannot be checked (when the term can neither be reduced nor proven), but fails when option `--rac-fail-cannot-check` is given. Options ~~~~~~~ .. option:: --use=<Mod> Add the definitions from `Mod` to the execution context. .. option:: --real=<emin>,<emax>,<prec> The interpreter handles real numbers using interval arithmetic with floating-point bounds. This option sets the precision of those bounds using three parameters, respectively the minimal and maximal exponent, and the number of bits of mantissa. For example, the standard single-precision binary representation (32 bits) is set by parameters -148,128,24. The default is using long double-precision (128-bits) with parameters -16493,16384,113. .. option:: --rac Check the validity of program annotations encountered during the execution. .. option:: --rac-prover=<p> Use prover *p* for the checking formulas, when term reduction is insufficient (which is always tried first). The prover *p* is the name or shortcut of a prover, with optional, comma-separated time limit and memory limit, e.g. ``cvc4,2,1000``. .. option:: --rac-timelimit=<sec> Time limit in seconds for RAC prover. .. option:: --rac-steplimit=<steps> Step limit for RAC prover. .. option:: --rac-try-negate Try to decide the validity of a formula by negating the formula and the prover answer (if any), when the RAC prover is unable to decide the validity of the un-negated formula (see :cite:`becker21fide`). .. option:: --rac-fail-cannot-check Instruct the RAC execution to fail when an annotation cannot be checked. Normally the execution continues normally when an annotation cannot be checked. .. [#no-function-invars] RAC for function invariants aren't supported yet. .. why3:tool:: extract .. _sec.why3extract: The ``extract`` Command ----------------------- .. program:: why3 extract The :program:`why3 extract` command can extract programs written using the WhyML language (extension :file:`.mlw`) to some other programming language. See also :numref:`sec.extract`. The command accepts three different targets for extraction: a WhyML file, a module, or a symbol (function, type, exception). To extract all the symbols from every module of a file named :file:`f.mlw`, one should write :: why3 extract -D <driver> f.mlw To extract only the symbols from module ``M`` of file :file:`f.mlw` in directory ``<dir>``, one should write :: why3 extract -D <driver> -L <dir> f.M To extract only the symbol ``s`` (a function, a type, or an exception) from module ``M`` of file :file:`f.mlw`, one should write :: why3 extract -D <driver> -L <dir> f.M.s Note the use of :option:`why3 -L`, when extracting either a module or a symbol, in order to state where to look for file :file:`f.mlw`. .. option:: -o <file|dir> Output extracted code to the given file (for :option:`--flat`) or directory (for :option:`--modular`). .. option:: -D <driver>, --driver=<driver> Use the given driver. .. option:: --flat Perform a flat extraction, *i.e.*, everything is extracted into a single file. This is the default behavior. If option :option:`-o` is omitted, the result of extraction is printed to the standard output. .. option:: --modular Extract each module in its own, separate file. Option :option:`-o` is mandatory; it should be given the name of an existing directory. This directory will be populated with the resulting OCaml files. .. option:: --recursive Recursively extract all the dependencies of the chosen entry point. This option is valid for both :option:`--modular` and :option:`--flat` options. .. why3:tool:: realize .. _sec.why3realize: The ``realize`` Command ----------------------- .. program:: why3 realize Why3 can produce skeleton files for proof assistants that, once filled, realize the given theories. If the output files already exist, Why3 tries to update them instead of overwriting them, so as to preserve existing realizations. See also :numref:`sec.realizations`. .. option:: -D <driver>, --driver=<driver> Use the given prover driver to produce realizations. .. option:: -F <format>, --format=<format> Select the given input format. .. option:: -o <dir>, --output=<directory> Write the realizations to the given directory. .. option:: -T <theory>, --theory=<theory> Select the given theory in the input file or in the library. .. why3:tool:: show .. _sec.why3show: The ``show`` Command -------------------- The :program:`why3 show` command can display various information about Why3. Specific information is selected by the given subcommand: :: why3 show <subcommand> .. why3:tool:: show attributes Command ``attributes`` ~~~~~~~~~~~~~~~~~~~~~~ This command lists the currently registered WhyML attributes. See also :numref:`sec.attributes`. .. why3:tool:: show formats Command ``formats`` ~~~~~~~~~~~~~~~~~~~ This command lists the currently registered input formats. See also :option:`why3 prove --format`. .. why3:tool:: show metas Command ``metas`` ~~~~~~~~~~~~~~~~~ This command lists the currently registered meta directives. See also :numref:`sec.metas`. .. why3:tool:: show printers Command ``printers`` ~~~~~~~~~~~~~~~~~~~~ This command lists the currently registered printers, which can be used inside prover drivers. See also :numref:`sec.drivers`. .. why3:tool:: show transformations Command ``transformations`` ~~~~~~~~~~~~~~~~~~~~~~~~~~~ This command lists the currently registered transformations. See also :option:`why3 prove --apply-transform` and :numref:`sec.transformations`. .. why3:tool:: wc .. _sec.why3wc: The ``wc`` Command ------------------ .. program:: why3 wc Why3 can give some token statistics about WhyML source files. .. option:: -l, --lines Count lines (default). .. option:: -t, --tokens Count tokens. .. option:: -f, --factor Print ratio of specification over code. .. option:: -a, --do-not-skip-header Count heading comments as well. �����������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������why3-1.6.0/doc/manual.bib���������������������������������������������������������������������������0000664�0000000�0000000�00000025010�14401600263�0015102�0����������������������������������������������������������������������������������������������������ustar�00root����������������������������root����������������������������0000000�0000000������������������������������������������������������������������������������������������������������������������������������������������������������������������������@comment{{This file has been generated by bib2bib 1.98}} @comment{{Command line: bib2bib -c '$key="ergo" or $key="dailler18jlamp" or $key="ieee754-2008" or $key="barrett11cade" or $key="okasaki98" or $key="CoqArt" or $key="paskevich09rr" or $key="vstte10comp" or $key="hauzar16sefm" or $key="conchon08smt" or $key="filliatre07cav" or 1=2' /home/cmarche/biblio/abbrevs.bib /home/cmarche/biblio/demons.bib /home/cmarche/biblio/demons2.bib /home/cmarche/biblio/demons3.bib /home/cmarche/biblio/team.bib /home/cmarche/biblio/crossrefs.bib}} @string{sv = {Springer}} @string{lncs = {Lecture Notes in Computer Science}} @string{eptcs = "Electronic Proceedings in Theoretical Computer Science"} @techreport{baudin17, topics = {team}, TITLE = {Deductive Verification with the Help of Abstract Interpretation}, AUTHOR = {Lucas Baudin}, url = {https://hal.inria.fr/hal-01634318}, TYPE = {Technical Report}, INSTITUTION = {Univ Paris-Sud}, YEAR = 2017, MONTH = nov } @book{CoqArt, author = {Yves Bertot and Pierre Castéran}, title = {Interactive Theorem Proving and Program Development}, subtitle = {Coq'Art: The Calculus of Inductive Constructions}, publisher = {Springer-Verlag}, series = {Texts in Theoretical Computer Science}, year = 2004, doi = {10.1007/978-3-662-07964-5} } @misc{ieee754-2008, key = {IEEE754}, abstract = {This standard specifies interchange and arithmetic formats and methods for binary and decimal floating-point arithmetic in computer programming environments. This standard specifies exception conditions and their default handling. An implementation of a floating-point system conforming to this standard may be realized entirely in software, entirely in hardware, or in any combination of software and hardware. For operations specified in the normative part of this standard, numerical results and exceptions are uniquely determined by the values of the input data, sequence of operations, and destination formats, all under user control.}, booktitle = {{IEEE} Std 754-2008}, doi = {10.1109/IEEESTD.2008.4610935}, journal = {IEEE Std 754-2008}, pages = {1--58}, title = {{IEEE} Standard for Floating-Point Arithmetic}, year = {2008}, } @misc{vstte10comp, author = {Natarajan Shankar and Peter Mueller}, title = {{Verified Software: Theories, Tools and Experiments (VSTTE'10). Software Verification Competition}}, month = {August}, year = 2010, address = {Edinburgh, Scotland}, url = {http://www.macs.hw.ac.uk/vstte10/Competition.html} } @book{okasaki98, author = {Chris Okasaki}, title = {Purely Functional Data Structures}, publisher = {Cambridge University Press}, year = 1998 } @inproceedings{barrett11cade, author = {Barrett, Clark and Conway, Christopher L. and Deters, Morgan and Hadarean, Liana and Jovanović, Dejan and King, Tim and Reynolds, Andrew and Tinelli, Cesare}, title = {{CVC4}}, booktitle = {23rd International Conference on Computer Aided Verification}, year = 2011, isbn = {978-3-642-22109-5}, address = {Snowbird, UT}, pages = {171--177}, numpages = 7, url = {http://dl.acm.org/citation.cfm?id=2032305.2032319}, acmid = 2032319, publisher = {Springer-Verlag}, } @inproceedings{conchon08smt, author = {François Bobot and Sylvain Conchon and Évelyne Contejean and Stéphane Lescuyer}, title = {{Implementing Polymorphism in SMT solvers}}, booktitle = {SMT 2008: 6th International Workshop on Satisfiability Modulo}, pages = {1--5}, year = 2008, editor = {Clark Barrett and Leonardo de Moura}, volume = 367, series = {ACM International Conference Proceedings Series}, topics = {team,lri}, type_digiteo = {conf_autre}, type_publi = {colloque}, x-equipes = {demons PROVAL}, x-type = {article}, x-support = {actes_aux}, x-cle-support = {SMT}, x-pdf = {http://www.lri.fr/~conchon/publis/conchon-smt08.pdf}, url = {http://www.lri.fr/~conchon/publis/conchon-smt08.pdf}, x-editorial-board = {yes}, x-international-audience = {yes}, x-proceedings = {yes}, isbn = {978-1-60558-440-9}, doi = {10.1145/1512464.1512466}, abstract = {http://www.lri.fr/~contejea/publis/2008smt/abstract.html} } @misc{ergo, author = {Sylvain Conchon and Évelyne Contejean}, title = {The {Alt-Ergo} automatic Theorem Prover}, url = {http://alt-ergo.lri.fr/}, topics = {team,lri}, year = 2008, x-equipes = {demons PROVAL}, x-type = {manuel}, x-support = {diffusion} } @inproceedings{filliatre07cav, author = {Jean-Christophe Filliâtre and Claude Marché}, title = {The {Why/Krakatoa/Caduceus} Platform for Deductive Program Verification}, booktitle = {19th International Conference on Computer Aided Verification}, editor = {Werner Damm and Holger Hermanns}, series = lncs, volume = 4590, address = {Berlin, Germany}, month = jul, year = {2007}, pages = {173--177}, topics = {team, lri}, url = {https://hal.inria.fr/inria-00270820v1}, type_digiteo = {conf_isbn}, type_publi = {icolcomlec}, x-pdf = {http://www.lri.fr/~filliatr/ftp/publis/cav07.pdf}, x-equipes = {demons PROVAL EXT}, x-type = {articlecourt}, x-support = {actes}, x-cle-support = {CAV}, doi = {10.1007/978-3-540-73368-3_21} } @techreport{paskevich09rr, author = {Andrei Paskevich}, title = {Algebraic types and pattern matching in the logical language of the {Why} verification platform}, institution = {INRIA}, year = 2009, topics = {team}, url = {http://hal.inria.fr/inria-00439232}, number = 7128 } @inproceedings{hauzar16sefm, topics = {team}, author = {Hauzar, David and Marché, Claude and Moy, Yannick}, title = {Counterexamples from Proof Failures in {SPARK}}, booktitle = {Software Engineering and Formal Methods}, year = 2016, pages = {215--233}, doi = {10.1007/978-3-319-41591-8_15}, editor = {De Nicola, Rocco and Eva Kühn}, series = lncs, address = {Vienna, Austria}, url = {https://hal.inria.fr/hal-01314885} } @article{dailler18jlamp, topics = {team}, title = {Instrumenting a Weakest Precondition Calculus for Counterexample Generation}, author = {Dailler, Sylvain and Hauzar, David and Marché, Claude and Moy, Yannick}, url = {https://hal.inria.fr/hal-01802488}, journal = {Journal of Logical and Algebraic Methods in Programming}, publisher = {Elsevier}, volume = 99, pages = {97--113}, year = 2018, keywords = {Deductive Program Verification ; Weakest Precondition Calculus ; Satisfiability Modulo Theories ; Counterexamples} } @Manual{baudin18acsl, title = {{ACSL}: {ANSI/ISO C} Specification Language}, author = {Patrick Baudin and Jean-Christophe Filliâtre and Claude Marché and Benjamin Monate and Yannick Moy and Virgile Prevosto}, year = 2018, note = {\url{https://frama-c.com/acsl.html}}, url = {https://frama-c.com/acsl.html}, x-pdf = {https://frama-c.com/download/acsl_1.14.pdf} } @inproceedings{filliatre07mix, author = {Jean-Christophe Filli\^atre}, title = {{Formal Verification of MIX Programs}}, booktitle = {{Journ{\'e}es en l'honneur de Donald E. Knuth}}, year = 2007, note = {\url{http://knuth07.labri.fr/exposes.php}}, address = {Bordeaux, France}, month = {October}, url = {http://www.lri.fr/~filliatr/publis/verifmix.pdf} } @phdthesis{nguyen12phd, author = {Nguyen, Thi Minh Tuyen}, title = {Taking architecture and compiler into account in formal proofs of numerical programs}, school = {Universit{\'e} Paris-Sud}, type = {Th{\`e}se de Doctorat}, url = {http://tel.archives-ouvertes.fr/tel-00710193}, year = 2012, month = jun } @inproceedings{paskevich20isola, author = {Jean-Christophe Filli\^atre and Andrei Paskevich}, title = {Abstraction and Genericity in Why3}, booktitle = {9th International Symposium On Leveraging Applications of Formal Methods, Verification and Validation (ISoLA)}, month = oct, year = 2020, publisher = {Springer}, series = {Lecture Notes in Computer Science}, volume = 12476, pages = {122--142}, editor = {Tiziana Margaria and Bernhard Steffen}, address = {Rhodes, Greece}, topics = {team}, note = "See also \url{http://why3.lri.fr/isola-2020/}", url = {https://hal.inria.fr/hal-02696246} } @inproceedings{becker21fide, topics={team}, TITLE = {Explaining Counterexamples with Giant-Step Assertion Checking}, AUTHOR = {Becker, Benedikt and Belo Louren\c{c}o, Cl{\'a}udio and March{\'e}, Claude}, URL = {https://hal.inria.fr/hal-03217393}, BOOKTITLE = {6th Workshop on Formal Integrated Development Environments (F-IDE 2021)}, EDITOR = {Creissac Campos, Jos{\'e} and Paskevich, Andrei}, series = eptcs, doi = {10.4204/EPTCS.338.10}, YEAR = 2021, MONTH = may } @TechReport{gondelman16reg, topics = {team}, author = {Jean-Christophe Filli\^atre and L\'eon Gondelman and Andrei Paskevich}, title = {A Pragmatic Type System for Deductive Verification}, type = {Research report}, institution = {Universit\'e Paris Sud}, year = 2016, abstract = { In the context of deductive verication, it is customary today to handle programs with pointers using either separation logic, dynamic frames, or explicit memory models. Yet we can observe that in numerous programs, a large amount of code ts within the scope of Hoare logic, provided we can statically control aliasing. When this is the case, the code correctness can be reduced to simpler verication conditions which do not require any explicit memory model. This makes verication conditions more amenable both to automated theorem proving and to manual inspection and debugging. In this paper, we devise a method of such static aliasing control for a programming language featuring nested data structures with mutable components. Our solution is based on a type system with singleton regions and eects, which we prove to be sound.}, url = {https://hal.archives-ouvertes.fr/hal-01256434v3} } @INPROCEEDINGS{flanagan01popl, author = {Cormac Flanagan and James B. Saxe}, title = {Avoiding Exponential Explosion: Generating Compact Verification Conditions}, booktitle = {Principles Of Programming Languages}, year = 2001, pages = {193--205}, publisher = {ACM} } ������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������why3-1.6.0/doc/starting.rst�������������������������������������������������������������������������0000664�0000000�0000000�00000026665�14401600263�0015555�0����������������������������������������������������������������������������������������������������ustar�00root����������������������������root����������������������������0000000�0000000������������������������������������������������������������������������������������������������������������������������������������������������������������������������.. _chap.starting: Getting Started =============== Hello Proofs ------------ The first step in using Why3 is to write a suitable input file. When one wants to learn a programming language, one starts by writing a basic program. Here is our first Why3 file, which is the file :file:`examples/logic/hello_proof.why` of the distribution. It contains a small set of goals. .. literalinclude:: ../examples/logic/hello_proof.why :language: whyml Any declaration must occur inside a theory, which is in that example called ``HelloProof``. It contains three goals named ``G1``, ``G2``, ``G3``. The first two are basic propositional goals, whereas the third involves some integer arithmetic, and thus it requires to import the theory of integer arithmetic from the Why3 standard library, which is done by the ``use`` declaration above. We don’t give more details here about the syntax and refer to :numref:`chap.whyml` for detailed explanations. In the following, we show how this file is handled in the Why3 GUI (:numref:`sec.gui`) then in batch mode using the :program:`why3` executable (:numref:`sec.batch`). But before running any Why3 command, you should proceed with the automated detection of external provers (see also :numref:`sec.provers`). This is done by running the :why3:tool:`config` tool on the command line, as follows: :: why3 config .. %EXECUTE rm -rf doc/hello_proof/ .. %EXECUTE cp examples/logic/hello_proof.why doc/ .. _sec.gui: Getting Started with the GUI ---------------------------- The graphical interface makes it possible to browse into a file or a set of files, and check the validity of goals with external provers, in a friendly way. This section presents the basic use of this GUI. Please refer to :numref:`sec.ideref` for a more complete description. .. %EXECUTE bin/why3 ide --batch="wait 1;snap doc/images/gui-1.png" doc/hello_proof.why .. _fig.gui1: .. figure:: images/gui-1.png :alt: The GUI when started the very first time. The GUI when started the very first time. The GUI is launched on the file above as follows: :: why3 ide hello_proof.why When the GUI is started for the first time, you should get a window that looks like the screenshot of :numref:`fig.gui1`. The left part is a tree view that makes it possible to browse inside the files and their theories. The tree view shows that the example is made of a single file containing a single theory containing three goals. The top-right pane displays the content of this file. Now click on the row corresponding to goal ``G1``, and then click on the “Task” tab of the top-right pane, so that it displays the corresponding *task*, as show on :numref:`fig.gui2`. .. %EXECUTE bin/why3 ide --batch="type next;view task;snap -crop 1024x384+0+0 doc/images/gui-2.png" doc/hello_proof.why .. _fig.gui2: .. figure:: images/gui-2.png :alt: The GUI with goal ``G1`` selected. The GUI with goal ``G1`` selected. Calling provers on goals ~~~~~~~~~~~~~~~~~~~~~~~~ You are now ready to call provers on the goals. (If not done yet, you must perform prover autodetection using :why3:tool:`why3 config`.) A prover is selected using the context menu (right-click). This prover is then called on the goal selected in the tree view. You can select several goals at a time, either by using multi-selection (typically by clicking while pressing the :kbd:`Shift` or :kbd:`Control` key) or by selecting the parent theory or the parent file. Let us now select the theory “HelloProof” and run the Alt-Ergo prover. After a short time, you should get the display of :numref:`fig.gui3`. .. %EXECUTE bin/why3 ide --batch="type alt-ergo;view source;wait 3;type next;snap -crop 1024x384+0+0 doc/images/gui-3.png" doc/hello_proof.why .. _fig.gui3: .. figure:: images/gui-3.png :alt: The GUI after running the Alt-Ergo prover on each goal. The GUI after running the Alt-Ergo prover on each goal. Goals ``G1`` and ``G3`` are now marked with a green “checked” icon in the status column. This means that these goals have been proved by Alt-Ergo. On the contrary, goal ``G2`` is not proved; it remains marked with a question mark. You could attempt to prove ``G2`` using another prover, though it is obvious here it will not succeed. Applying transformations ~~~~~~~~~~~~~~~~~~~~~~~~ Instead of calling a prover on a goal, you can apply a transformation to it. Since ``G2`` is a conjunction, a possibility is to split it into subgoals. You can do that by selecting :guilabel:`Split VC` in the context menu. Now you have two subgoals, and you can try again a prover on them, for example Alt-Ergo. We already have a lot of goals and proof attempts, so it is a good idea to close the sub-trees which are already proved. This can be done by the menu :menuselection:`View --> Collapse proved goals`, or even better by its shortcut :kbd:`!`. You should now see what is displayed on :numref:`fig.gui4`. .. %EXECUTE bin/why3 ide --batch="type alt-ergo;wait 3;type next;type split_vc;wait 1;type up;type alt-ergo;wait 3;type next;snap -crop 1024x384+0+0 doc/images/gui-4.png;save;wait 1" doc/hello_proof.why .. _fig.gui4: .. figure:: images/gui-4.png :alt: The GUI after splitting goal ``G2``. The GUI after splitting goal ``G2``. The first part of goal ``G2`` is still unproved. As a last resort, you can try to call the Coq proof assistant, by selecting it in the context menu. A new sub-row appear for Coq, and the Coq proof editor is launched. (It is ``coqide`` by default; see :numref:`sec.ideref` for details on how to configure this). You get now a regular Coq file to fill in, as shown on :numref:`fig.coqide`. Please be mindful of the comments of this file. They indicate where Why3 expects you to fill the blanks. Note that the comments themselves should not be removed, as they are needed to properly regenerate the file when the goal is changed. See :numref:`sec.coq` for more details. .. %EXECUTE bin/why3 ide --batch="type next;type coq;wait 1;save;wait 1" doc/hello_proof.why .. _fig.coqide: .. figure:: images/coqide.png :alt: CoqIDE on subgoal 1 of ``G2``. CoqIDE on subgoal 1 of ``G2``. Of course, in that particular case, the goal cannot be proved since it is not valid. The only thing to do is to fix the input file, as explained below. Modifying the input ~~~~~~~~~~~~~~~~~~~ You can edit the source file, using the corresponding tab in the top-right pane of the GUI. Change the goal ``G2`` by replacing the first occurrence of ``true`` by ``false``, e.g., .. code-block:: whyml goal G2 : (false -> false) /\ (true \/ false) You can refresh the goals using menu :menuselection:`File --> Save all and Refresh session`, or the shortcut :kbd:`Control-r`. You get the tree view shown on :numref:`fig.gui5`. .. %EXECUTE sed -i -e 's/true -> false/false -> false/' doc/hello_proof.why .. %EXECUTE bin/why3 ide --batch="type next;type expand;snap -crop 1024x384+0+0 doc/images/gui-5.png" doc/hello_proof.why .. _fig.gui5: .. figure:: images/gui-5.png :alt: File reloaded after modifying goal ``G2``. File reloaded after modifying goal ``G2``. The important feature to notice first is that all the previous proof attempts and transformations were saved in a database — an XML file created when the Why3 file was opened in the GUI for the first time. Then, for all the goals that remain unchanged, the previous proofs are shown again. For the parts that changed, the previous proofs attempts are shown but marked with “(:index:`obsolete`)” so that you know the results are not accurate. You can now retry to prove all the goals not yet proved using any prover. Replaying obsolete proofs ~~~~~~~~~~~~~~~~~~~~~~~~~ Instead of pushing a prover's button to rerun its proofs, you can *replay* the existing but obsolete proof attempts, using menu :menuselection:`Tools --> Replay valid obsolete proofs`. Notice that replaying can be done in batch mode, using the :why3:tool:`why3 replay` command (see :numref:`sec.why3replay`) For example, running the replayer on the ``hello_proof`` example is as follows (assuming ``G2`` still is ``(true -> false) /\ (true \/ false)``). .. code-block:: console $ why3 replay hello_proof 2/3 (replay OK) +--file ../hello_proof.why: 2/3 +--theory HelloProof: 2/3 +--goal G2 not proved The last line tells us that no differences were detected between the current run and the run stored in the XML file. The tree above reminds us that ``G2`` is not proved. Cleaning ~~~~~~~~ You may want to clean some of the proof attempts, e.g., removing the unsuccessful ones when a project is finally fully proved. A proof or a transformation can be removed by selecting it and using menu :menuselection:`Tools --> Remove node` or the :kbd:`Delete` key. Menu :menuselection:`Tools --> Clean node` or shortcut :kbd:`C` perform an automatic removal of all proofs attempts that are unsuccessful, while there exists a successful proof attempt for the same goal. Beware that there is no way to undo such a removal. .. _sec.batch: Getting Started with the Why3 Command ------------------------------------- The :why3:tool:`why3 prove` command makes it possible to check the validity of goals with external provers, in batch mode. This section presents the basic use of this tool. Refer to :numref:`sec.why3prove` for a more complete description of this tool and all its command-line options. This prints some information messages on what detections are attempted. To know which provers have been successfully detected, you can do as follows. .. code-block:: console $ why3 config list-provers Alt-Ergo 1.30 CVC4 1.5 Coq 8.6 The first word of each line is a unique identifier for the associated prover. We thus have now the three provers Alt-Ergo :cite:`ergo`, CVC4 :cite:`barrett11cade`, and Coq :cite:`CoqArt`. Let us assume that we want to run Alt-Ergo on the HelloProof example. The command to type and its output are as follows, where the :option:`why3 prove -P` option is followed by the unique prover identifier (as shown by :why3:tool:`why3 config list-provers`). .. code-block:: console $ why3 prove -P Alt-Ergo hello_proof.why hello_proof.why HelloProof G1: Valid (0.00s, 1 steps) hello_proof.why HelloProof G2: Unknown (other) (0.01s) hello_proof.why HelloProof G3: Valid (0.00s, 1 steps) Unlike the Why3 GUI, the command-line tool does not save the proof attempts or applied transformations in a database. We can also specify which goal or goals to prove. This is done by giving first a theory identifier, then goal identifier(s). Here is the way to call Alt-Ergo on goals ``G2`` and ``G3``. .. code-block:: console $ why3 prove -P Alt-Ergo hello_proof.why -T HelloProof -G G2 -G G3 hello_proof.why HelloProof G2 : Unknown: Unknown (0.01s) hello_proof.why HelloProof G3 : Valid (0.01s) Finally, a transformation to apply to goals before proving them can be specified. To know the unique identifier associated to a transformation, do as follows. .. code-block:: console $ why3 show transformations Known non-splitting transformations: [...] Known splitting transformations: [...] split_goal_right Here is how you can split the goal ``G2`` before calling Simplify on the resulting subgoals. .. code-block:: console $ why3 prove -P Alt-Ergo hello_proof.why -a split_goal_right -T HelloProof -G G2 hello_proof.why HelloProof G2: Unknown (other) (0.01s) hello_proof.why HelloProof G2: Valid (0.00s, 1 steps) :numref:`sec.transformations` gives the description of the various transformations available. .. %EXECUTE rm -r doc/hello_proof.why doc/hello_proof/ ���������������������������������������������������������������������������why3-1.6.0/doc/syntaxref.rst������������������������������������������������������������������������0000664�0000000�0000000�00000207202�14401600263�0015731�0����������������������������������������������������������������������������������������������������ustar�00root����������������������������root����������������������������0000000�0000000������������������������������������������������������������������������������������������������������������������������������������������������������������������������The WhyML Language Reference ============================ In this chapter, we describe the syntax and semantics of WhyML. Lexical Conventions ------------------- Blank characters are space, horizontal tab, carriage return, and line feed. Blanks separate lexemes but are otherwise ignored. Comments are enclosed by ``(*`` and ``*)`` and can be nested. Note that ``(*)`` does not start a comment. Strings are enclosed in double quotes (``"``). The backslash character ``\``, is used for escaping purposes. The following escape sequences are allowed: - ``\`` followed by a *new line* allows for multi-line strings. The leading spaces immediately after the new line are ignored. - ``\\`` and ``\"`` for the backslash and double quote respectively. - ``\n``, ``\r``, and ``\t`` for the new line feed, carriage return, and horizontal tab character. - ``\DDD``, ``\oOOO``, and ``\xXX``, where ``DDD`` is a decimal value in the interval 0-255, ``OOO`` an octal value in the interval 0-377, and ``XX`` an hexadecimal value. Sequences of this form can be used to encode Unicode characters, in particular non printable ASCII characters. - any other escape sequence results in a parsing error. The syntax for numerical constants is given by the following rules: .. productionlist:: digit: "0" - "9" hex_digit: "0" - "9" | "a" - "f" | "A" - "F" oct_digit: "0" - "7" bin_digit: "0" | "1" integer: `digit` (`digit` | "_")* : | ("0x" | "0X") `hex_digit` (`hex_digit` | "_")* : | ("0o" | "0O") `oct_digit` (`oct_digit` | "_")* : | ("0b" | "0B") `bin_digit` (`bin_digit` | "_")* real: `digit`+ `exponent` : | `digit`+ "." `digit`* `exponent`? : | `digit`* "." `digit`+ `exponent`? : | ("0x" | "0X") `hex_digit`+ `h_exponent` : | ("0x" | "0X") `hex_digit`+ "." `hex_digit`* `h_exponent`? : | ("0x" | "0X") `hex_digit`* "." `hex_digit`+ `h_exponent`? exponent: ("e" | "E") ("-" | "+")? `digit`+ h_exponent: ("p" | "P") ("-" | "+")? `digit`+ char: "a" - "z" | "A" - "Z" | "0" - "9" : | " " | "!" | "#" | "$" | "%" | "&" | "'" | "(" : | ")" | "*" | "+" | "," | "-" | "." | "/" | ":" : | ";" | "<" | "=" | ">" | "?" | "@" | "[" | "]" : | "^" | "_" | "`" | "\\" | "\n" | "\r" | "\t" | '\"' : | "\" ("0" | "1") `digit` `digit` : | "\" "2" ("0" - "4") `digit` : | "\" "2" "5" ("0" - "5") : | "\x" `hex_digit` `hex_digit` : | "\o" ("0" - "3" ) `oct_digit` `oct_digit` string: '"' `char`* '"' Integer and real constants have arbitrary precision. Integer constants can be given in base 10, 16, 8 or 2. Real constants can be given in base 10 or 16. Notice that the exponent in hexadecimal real constants is written in base 10. Identifiers are composed of letters, digits, underscores, and primes. The syntax distinguishes identifiers that start with a lowercase letter or an underscore (:token:`lident_nq`), identifiers that start with an uppercase letter (:token:`uident_nq`), and identifiers that start with a prime (:token:`qident`, used exclusively for type variables): .. productionlist:: alpha: "a" - "z" | "A" - "Z" suffix: (`alpha` | "'"* ("0" - "9" | "_")*)* "'"* lident_nq: ("a" - "z") `suffix`* | "_" `suffix`+ uident_nq: ("A" - "Z") `suffix`* ident_nq: `lident_nq` | `uident_nq` qident: "'" ("a" - "z") `suffix`* Identifiers that contain a prime followed by a letter, such as ``int32'max``, are reserved for symbols introduced by Why3 and cannot be used for user-defined symbols. .. productionlist:: lident: `lident_nq` ("'" `alpha` `suffix`)* uident: `lident_nq` ("'" `alpha` `suffix`)* ident: `lident` | `uident` In order to refer to symbols introduced in different namespaces (*scopes*), we can put a dot-separated “qualifier prefix” in front of an identifier (e.g., ``Map.S.get``). This allows us to use the symbol ``get`` from the scope ``Map.S`` without importing it in the current namespace: .. productionlist:: qualifier: (`uident` ".")+ lqualid: `qualifier`? `lident` uqualid: `qualifier`? `uident` All parenthesised expressions in WhyML (types, patterns, logical terms, program expressions) admit a qualifier before the opening parenthesis, e.g., ``Map.S.(get m i)``. This imports the indicated scope into the current namespace during the parsing of the expression under the qualifier. For the sake of convenience, the parentheses can be omitted when the expression itself is enclosed in parentheses, square brackets or curly braces. Prefix and infix operators are built from characters organized in four precedence groups (:token:`op_char_1` to :token:`op_char_4`), with optional primes at the end: .. productionlist:: op_char_1: "=" | "<" | ">" | "~" op_char_2: "+" | "-" op_char_3: "*" | "/" | "\" | "%" op_char_4: "!" | "$" | "&" | "?" | "@" | "^" | "." | ":" | "|" | "#" op_char_1234: `op_char_1` | `op_char_2` | `op_char_3` | `op_char_4` op_char_234: `op_char_2` | `op_char_3` | `op_char_4` op_char_34: `op_char_3` | `op_char_4` infix_op_1: `op_char_1234`* `op_char_1` `op_char_1234`* "'"* infix_op_2: `op_char_234`* `op_char_2` `op_char_234`* "'"* infix_op_3: `op_char_34`* `op_char_3` `op_char_34`* "'"* infix_op_4: `op_char_4`+ "'"* prefix_op: `op_char_1234`+ "'"* tight_op: ("!" | "?") `op_char_4`* "'"* Infix operators from a high-numbered group bind stronger than the infix operators from a low-numbered group. For example, infix operator ``.*.`` from group 3 would have a higher precedence than infix operator ``->-`` from group 1. Prefix operators always bind stronger than infix operators. The so-called “tight operators” are prefix operators that have even higher precedence than the juxtaposition (application) operator, allowing us to write expressions like ``inv !x`` without parentheses. Finally, any identifier, term, formula, or expression in a WhyML source can be tagged either with a string :token:`attribute` or a location: .. productionlist:: attribute: "[@" ... "]" : | "[#" `string` `digit`+ `digit`+ `digit`+ "]" An attribute cannot contain newlines or closing square brackets; leading and trailing spaces are ignored. A location consists of a file name in double quotes, a line number, and starting and ending character positions. Type Expressions ---------------- WhyML features an ML-style type system with polymorphic types, variants (sum types), and records that can have mutable fields. The syntax for type expressions is the following: .. productionlist:: type: `lqualid` `type_arg`+ ; polymorphic type symbol : | `type` "->" `type` ; mapping type (right-associative) : | `type_arg` type_arg: `lqualid` ; monomorphic type symbol (sort) : | `qident` ; type variable : | "()" ; unit type : | "(" `type` ("," `type`)+ ")" ; tuple type : | "{" `type` "}" ; snapshot type : | `qualifier`? "(" `type` ")" ; type in a scope .. index:: mapping type Built-in types are ``int`` (arbitrary precision integers), ``real`` (real numbers), ``bool``, the arrow type (also called the *mapping type*), and the tuple types. The empty tuple type is also called the *unit type* and can be written as ``unit``. Note that the syntax for type expressions notably differs from the usual ML syntax. In particular, the type of polymorphic lists is written ``list 'a``, and not ``'a list``. .. index:: snapshot type *Snapshot types* are specific to WhyML, they denote the types of ghost values produced by pure logical functions in WhyML programs. A snapshot of an immutable type is the type itself; thus, ``{int}`` is the same as ``int`` and ``{list 'a}`` is the same as ``list 'a``. A snapshot of a mutable type, however, represents a snapshot value which cannot be modified anymore. Thus, a snapshot array ``a`` of type ``{array int}`` can be read from (``a[42]`` is accepted) but not written into (``a[42] <- 0`` is rejected). Generally speaking, a program function that expects an argument of a mutable type will accept an argument of the corresponding snapshot type as long as it is not modified by the function. Logical Expressions ------------------- A significant part of a typical WhyML source file is occupied by non-executable logical content intended for specification and proof: function contracts, assertions, definitions of logical functions and predicates, axioms, lemmas, etc. Terms and formulas ^^^^^^^^^^^^^^^^^^ Logical expressions are called *terms*. Boolean terms are called *formulas*. Internally, Why3 distinguishes the proper formulas (produced by predicate symbols, propositional connectives and quantifiers) and the terms of type ``bool`` (produced by Boolean variables and logical functions that return ``bool``). However, this distinction is not enforced on the syntactical level, and Why3 will perform the necessary conversions behind the scenes. The syntax of WhyML terms is given in :token:`term`. .. productionlist:: term0: `integer` ; integer constant : | `real` ; real constant : | "true" | "false" ; Boolean constant : | "()" ; empty tuple : | `string` ; string constant : | `qualid` ; qualified identifier : | `qualifier`? "(" `term` ")" ; term in a scope : | `qualifier`? "begin" `term` "end" ; idem : | `tight_op` `term` ; tight operator : | "{" `term_field`+ "}" ; record : | "{" `term` "with" `term_field`+ "}" ; record update : | `term` "." `lqualid` ; record field access : | `term` "[" `term` "]" "'"* ; collection access : | `term` "[" `term` "<-" `term` "]" "'"* ; collection update : | `term` "[" `term` ".." `term` "]" "'"* ; collection slice : | `term` "[" `term` ".." "]" "'"* ; right-open slice : | `term` "[" ".." `term` "]" "'"* ; left-open slice : | "[|" (`term` "=>" `term` ";")* ("_" "=>" `term`)? "|]" ; function literal : | "[|" (`term` ";")+ "|]" ; function literal (domain over nat) : | `term` `term`+ ; application : | `prefix_op` `term` ; prefix operator : | `term` `infix_op_4` `term` ; infix operator 4 : | `term` `infix_op_3` `term` ; infix operator 3 : | `term` `infix_op_2` `term` ; infix operator 2 : | `term` "at" `uident` ; past value : | "old" `term` ; initial value : | `term` `infix_op_1` `term` ; infix operator 1 : | "not" `term` ; negation : | `term` "/\" `term` ; conjunction : | `term` "&&" `term` ; asymmetric conjunction : | `term` "\/" `term` ; disjunction : | `term` "||" `term` ; asymmetric disjunction : | `term` "by" `term` ; proof indication : | `term` "so" `term` ; consequence indication : | `term` "->" `term` ; implication : | `term` "<->" `term` ; equivalence : | `term` ":" `type` ; type cast : | `attribute`+ `term` ; attributes : | `term` ("," `term`)+ ; tuple : | `quantifier` `quant_vars` `triggers`? "." `term` ; quantifier : | ... ; (to be continued in `term`) formula: `term` ; no distinction as far as syntax is concerned term_field: `lqualid` "=" `term` ";" ; field = value qualid: `qualifier`? (`lident_ext` | `uident`) ; qualified identifier lident_ext: `lident` ; lowercase identifier : | "(" `ident_op` ")" ; operator identifier : | "(" `ident_op` ")" ("_" | "'") alpha suffix* ; associated identifier ident_op: `infix_op_1` ; infix operator 1 : | `infix_op_2` ; infix operator 2 : | `infix_op_3` ; infix operator 3 : | `infix_op_4` ; infix operator 4 : | `prefix_op` "_" ; prefix operator : | `tight_op` "_"? ; tight operator : | "[" "]" "'" * ; collection access : | "[" "<-" "]" "'"* ; collection update : | "[" "]" "'"* "<-" ; in-place update : | "[" ".." "]" "'"* ; collection slice : | "[" "_" ".." "]" "'"* ; right-open slice : | "[" ".." "_" "]" "'"* ; left-open slice quantifier: "forall" | "exists" quant_vars: `quant_cast` ("," `quant_cast`)* quant_cast: `binder`+ (":" `type`)? binder: "_" | `bound_var` bound_var: `lident` `attribute`* triggers: "[" `trigger` ("|" `trigger`)* "]" trigger: `term` ("," `term`)* The various constructs have the following priorities and associativities, from lowest to greatest priority: +------------------------------------+-----------------+ | construct | associativity | +====================================+=================+ | ``if then else`` / ``let in`` | – | +------------------------------------+-----------------+ | attribute | – | +------------------------------------+-----------------+ | cast | – | +------------------------------------+-----------------+ | ``->`` / ``<->`` / ``by`` / ``so`` | right | +------------------------------------+-----------------+ | ``\/`` / ``||`` | right | +------------------------------------+-----------------+ | ``/\`` / ``&&`` | right | +------------------------------------+-----------------+ | ``not`` | – | +------------------------------------+-----------------+ | infix-op level 1 | right | +------------------------------------+-----------------+ | ``at`` / ``old`` | – | +------------------------------------+-----------------+ | infix-op level 2 | left | +------------------------------------+-----------------+ | infix-op level 3 | left | +------------------------------------+-----------------+ | infix-op level 4 | left | +------------------------------------+-----------------+ | prefix-op | – | +------------------------------------+-----------------+ | function application | left | +------------------------------------+-----------------+ | brackets / ternary brackets | – | +------------------------------------+-----------------+ | bang-op | – | +------------------------------------+-----------------+ For example, as was mentioned above, tight operators have the highest precedence of all operators, so that ``-p.x`` denotes the negation of the record field ``p.x``, whereas ``!p.x`` denotes the field ``x`` of a record stored in the reference ``p``. Infix operators from groups 2-4 are left-associative. Infix operators from group 1 are right-associative and can be chained. For example, the term ``0 <= i < j < length a`` is parsed as the conjunction of three inequalities ``0 <= i``, ``i < j``, and ``j < length a``. Note that infix symbols of level 1 include equality (``=``) and disequality (``<>``). An operator in parentheses acts as an identifier referring to that operator, for example, in a definition. To distinguish between prefix and infix operators, an underscore symbol is appended at the end: for example, ``(-)`` refers to the binary subtraction and ``(-_)`` to the unary negation. Tight operators cannot be used as infix operators, and thus do not require disambiguation. As with normal identifiers, we can put a qualifier over a parenthesised operator, e.g., ``Map.S.([]) m i``. Also, as noted above, a qualifier can be put over a parenthesised term, and the parentheses can be omitted if the term is a record or a record update. Note the curryfied syntax for function application, though partial application is not allowed (rejected at typing). .. _rubric.collections_syntax: .. index:: bracket .. index:: collections .. index:: function literals Specific syntax for collections ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^ In addition to prefix and infix operators, WhyML supports several mixfix bracket operators to manipulate various collection types: dictionaries, arrays, sequences, etc. Bracket operators do not have any predefined meaning and may be used to denote access and update operations for various user-defined collection types. We can introduce multiple bracket operations in the same scope by disambiguating them with primes after the closing bracket: for example, ``a[i]`` may denote array access and ``s[i]'`` sequence access. Notice that the in-place update operator ``a[i] <- v`` cannot be used inside logical terms: all effectful operations are restricted to program expressions. To represent the result of a collection update, we should use a pure logical update operator ``a[i <- v]`` instead. WhyML supports “associated” names for operators, obtained by adding a suffix after the parenthesised operator name. For example, an axiom that represents the specification of the infix operator ``(+)`` may be called ``(+)'spec`` or ``(+)_spec``. As with normal identifiers, names with a letter after a prime, such as ``(+)'spec``, can only be introduced by Why3, and not by the user in a WhyML source. WhyML provides a special syntax for `function literals`. The term ``[|t1 => u1; ...; tn => un; _ => default|]``, where ``t1, ..., tn`` have some type ``t`` and ``u1, ..., un, default`` some type ``u``, represents a total function of the form ``fun x -> if x = t1 then u1 else if ... else if x = tn then un else default``. The default value can be omitted in which case the last value will be taken as the default value. For instance, the function literal ``[|t1 => u1|]`` represents the term ``fun x -> if x = t1 then u1 else u1``. When the domain of the function ranges over an initial sequence of the natural numbers it is possible to write ``[|t1;t2;t3|]`` as a shortcut for ``[|0 => t1; 1 => t2; 2 => t3|]``. Function literals cannot be empty. .. index:: pair: keyword; at .. index:: pair: keyword; old .. index:: pair: keyword; label The "at" and "old" operators ^^^^^^^^^^^^^^^^^^^^^^^^^^^^ The ``at`` and ``old`` operators are used inside postconditions and assertions to refer to the value of a mutable program variable at some past moment of execution. These operators have higher precedence than the infix operators from group 1 (:token:`infix_op_1`): ``old i > j`` is parsed as ``(old i) > j`` and not as ``old (i > j)``. Within a postcondition, ``old t`` refers to the value of term ``t`` in the pre-state. Within the scope of a code label ``L``, introduced with ``label L in ...``, the term ``t at L`` refers to the value of term ``t`` at the program point corresponding to ``L``. Note that ``old`` can be used in annotations contained in the function body as well (assertions, loop invariants), with the exact same meaning: it refers to the pre-state of the function. In particular, ``old t`` in a loop invariant does not refer to the program point right before the loop but to the function entry. Whenever ``old t`` or ``t at L`` refers to a program point at which none of the variables in ``t`` is defined, Why3 emits a warning "this \`at'/\`old' operator is never used" and the operator is ignored. For instance, the following code .. code-block:: whyml let x = ref 0 in assert { old !x = !x } emits a warning and is provable, as it amounts to proving `0=0`. Similarly, if ``old t`` or ``t at L`` refers to a term ``t`` that is immutable, Why3 emits the same warning and ignores the operator. Caveat: Whenever the term ``t`` contains several variables, some of them being meaningful at the corresponding program point but others not being in scope or being immutable, there is *no warning* and the operator ``old``/``at`` is applied where it is defined and ignored elsewhere. This is convenient when writing terms such as ``old a[i]`` where ``a`` makes sense in the pre-state but ``i`` does not. .. index:: &&, || .. index:: pair: keyword; by .. index:: pair: keyword; so Non-standard connectives ^^^^^^^^^^^^^^^^^^^^^^^^ The propositional connectives in WhyML formulas are listed in :token:`term`. The non-standard connectives — asymmetric conjunction (``&&``), asymmetric disjunction (``||``), proof indication (``by``), and consequence indication (``so``) — are used to control the goal-splitting transformations of Why3 and provide integrated proofs for WhyML assertions, postconditions, lemmas, etc. The semantics of these connectives follows the rules below: - A proof task for ``A && B`` is split into separate tasks for ``A`` and ``A -> B``. If ``A && B`` occurs as a premise, it behaves as a normal conjunction. - A case analysis over ``A || B`` is split into disjoint cases ``A`` and ``not A /\ B``. If ``A || B`` occurs as a goal, it behaves as a normal disjunction. - An occurrence of ``A by B`` generates a side condition ``B -> A`` (the proof justifies the affirmation). When ``A by B`` occurs as a premise, it is reduced to ``A`` (the proof is discarded). When ``A by B`` occurs as a goal, it is reduced to ``B`` (the proof is verified). - An occurrence of ``A so B`` generates a side condition ``A -> B`` (the premise justifies the conclusion). When ``A so B`` occurs as a premise, it is reduced to the conjunction (we use both the premise and the conclusion). When ``A so B`` occurs as a goal, it is reduced to ``A`` (the premise is verified). For example, full splitting of the goal ``(A by (exists x. B so C)) && D`` produces four subgoals: ``exists x. B`` (the premise is verified), ``forall x. B -> C`` (the premise justifies the conclusion), ``(exists x. B /\ C) -> A`` (the proof justifies the affirmation), and finally, ``A -> D`` (the proof of ``A`` is discarded and ``A`` is used to prove ``D``). The behavior of the splitting transformations is further controlled by attributes :why3:attribute:`[@stop_split]` and :why3:attribute:`[@case_split]`. Consult the documentation of transformation :why3:transform:`split_goal` in :numref:`sec.transformations` for details. Among the propositional connectives, ``not`` has the highest precedence, ``&&`` has the same precedence as ``/\`` (weaker than negation), ``||`` has the same precedence as ``\/`` (weaker than conjunction), ``by``, ``so``, ``->``, and ``<->`` all have the same precedence (weaker than disjunction). All binary connectives except equivalence are right-associative. Equivalence is non-associative and is chained instead: ``A <-> B <-> C`` is transformed into a conjunction of ``A <-> B`` and ``B <-> C``. To reduce ambiguity, WhyML forbids to place a non-parenthesised implication at the right-hand side of an equivalence: ``A <-> B -> C`` is rejected. .. index:: conditional .. index:: pair: keyword; if .. index:: pair: keyword; then .. index:: pair: keyword; else .. index:: pair: keyword; let .. index:: pattern-matching Conditionals, "let" bindings and pattern-matching ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^ .. productionlist:: term: `term0` : | "if" `term` "then" `term` "else" `term` ; conditional : | "match" `term` "with" `term_case`+ "end" ; pattern matching : | "let" `pattern` "=" `term` "in" `term` ; let-binding : | "let" `symbol` `param`+ "=" `term` "in" `term` ; mapping definition : | "fun" `param`+ "->" `term` ; unnamed mapping term_case: "|" `pattern` "->" `term` pattern: `binder` ; variable or "_" : | "()" ; empty tuple : | "{" (`lqualid` "=" `pattern` ";")+ "}" ; record pattern : | `uqualid` `pattern`* ; constructor : | "ghost" `pattern` ; ghost sub-pattern : | `pattern` "as" "ghost"? `bound_var` ; named sub-pattern : | `pattern` "," `pattern` ; tuple pattern : | `pattern` "|" `pattern` ; "or" pattern : | `qualifier`? "(" `pattern` ")" ; pattern in a scope symbol: `lident_ext` `attribute`* ; user-defined symbol param: `type_arg` ; unnamed typed : | `binder` ; (un)named untyped : | "(" "ghost"? `type` ")" ; unnamed typed : | "(" "ghost"? `binder` ")" ; (un)named untyped : | "(" "ghost"? `binder`+ ":" `type` ")" ; multi-variable typed Above, we find the more advanced term constructions: conditionals, let-bindings, pattern matching, and local function definitions, either via the ``let-in`` construction or the ``fun`` keyword. The pure logical functions defined in this way are called *mappings*; they are first-class values of “arrow” type ``t -> u``. The patterns are similar to those of OCaml, though the ``when`` clauses and numerical constants are not supported. Unlike in OCaml, ``as`` binds stronger than the comma: in the pattern ``(p,q as x)``, variable ``x`` is bound to the value matched by pattern ``q``. Also notice the closing ``end`` after the ``match with`` term. A ``let in`` construction with a non-trivial pattern is translated as a ``match with`` term with a single branch. Inside logical terms, pattern matching must be exhaustive: WhyML rejects a term like ``let Some x = o in e``, where ``o`` is a variable of an option type. In program expressions, non-exhaustive pattern matching is accepted and a proof obligation is generated to show that the values not covered cannot occur in execution. The syntax of parameters in user-defined operations—first-class mappings, top-level logical functions and predicates, and program functions—is rather flexible in WhyML. Like in OCaml, the user can specify the name of a parameter without its type and let the type be inferred from the definition. Unlike in OCaml, the user can also specify the type of the parameter without giving its name. This is convenient when the symbol declaration does not provide the actual definition or specification of the symbol, and thus only the type signature is of relevance. For example, one can declare an abstract binary function that adds an element to a set simply by writing ``function add 'a (set 'a): set 'a``. A standalone non-qualified lowercase identifier without attributes is treated as a type name when the definition is not provided, and as a parameter name otherwise. Ghost patterns, ghost variables after ``as``, and ghost parameters in function definitions are only used in program code, and not allowed in logical terms. Program Expressions ------------------- The syntax of program expressions is given below. As before, the constructions are listed in the order of decreasing precedence. The rules for tight, prefix, infix, and bracket operators are the same as for logical terms. In particular, the infix operators from group 1 (:token:`infix_op_1`) can be chained. Notice that binary operators ``&&`` and ``||`` denote here the usual lazy conjunction and disjunction, respectively. .. productionlist:: expr: `integer` ; integer constant : | `real` ; real constant : | "true" | "false" ; Boolean constant : | "()" ; empty tuple : | `string` ; string constant : | `qualid` ; identifier in a scope : | `qualifier`? "(" `expr` ")" ; expression in a scope : | `qualifier`? "begin" `expr` "end" ; idem : | `tight_op` `expr` ; tight operator : | "{" (`lqualid` "=" `expr` ";")+ "}" ; record : | "{" `expr` "with" (`lqualid` "=" `expr` ";")+ "}" ; record update : | `expr` "." `lqualid` ; record field access : | `expr` "[" `expr` "]" "'"* ; collection access : | `expr` "[" `expr` "<-" `expr` "]" "'"* ; collection update : | `expr` "[" `expr` ".." `expr` "]" "'"* ; collection slice : | `expr` "[" `expr` ".." "]" "'"* ; right-open slice : | `expr` "[" ".." `expr` "]" "'"* ; left-open slice : | "[|" (`expr` "=>" `expr` ";")* ("_" "=>" `expr`)? "|]" ; function literal : | "[|" (`expr` ";")+ "|]" ; function literal (domain over nat) : | `expr` `expr`+ ; application : | `prefix_op` `expr` ; prefix operator : | `expr` `infix_op_4` `expr` ; infix operator 4 : | `expr` `infix_op_3` `expr` ; infix operator 3 : | `expr` `infix_op_2` `expr` ; infix operator 2 : | `expr` `infix_op_1` `expr` ; infix operator 1 : | "not" `expr` ; negation : | `expr` "&&" `expr` ; lazy conjunction : | `expr` "||" `expr` ; lazy disjunction : | `expr` ":" `type` ; type cast : | `attribute`+ `expr` ; attributes : | "ghost" `expr` ; ghost expression : | `expr` ("," `expr`)+ ; tuple : | `expr` "<-" `expr` ; assignment : | `expr` `spec`+ ; added specification : | "if" `expr` "then" `expr` ("else" `expr`)? ; conditional : | "match" `expr` "with" ("|" `pattern` "->" `expr`)+ "end" ; pattern matching : | `qualifier`? "begin" `spec`+ `expr` "end" ; abstract block : | `expr` ";" `expr` ; sequence : | "let" `pattern` "=" `expr` "in" `expr` ; let-binding : | "let" `fun_defn` "in" `expr` ; local function : | "let" "rec" `fun_defn` ("with" `fun_defn`)* "in" `expr` ; recursive function : | "fun" `param`+ `spec`* "->" `spec`* `expr` ; unnamed function : | "any" `result` `spec`* ; arbitrary value : | "while" `expr` "do" `invariant`* `variant`? `expr` "done" ; while loop : | "for" `lident` "=" `expr` ("to" | "downto") `expr` "do" `invariant`* `expr` "done" ; for loop : | "for" `pattern` "in" `expr` "with" `uident` ("as" `lident_nq`)? "do" `invariant`* `variant`? `expr` "done" ; for each loop : | "break" `lident`? ; loop break : | "continue" `lident`? ; loop continue : | ("assert" | "assume" | "check") "{" `term` "}" ; assertion : | "raise" `uqualid` `expr`? ; exception raising : | "raise" "(" `uqualid` `expr`? ")" : | "try" `expr` "with" ("|" `handler`)+ "end" ; exception catching : | "(" `expr` ")" ; parentheses : | "label" `uident` "in" `expr` ; label handler: `uqualid` `pattern`? "->" `expr` ; exception handler fun_defn: `fun_head` `spec`* "=" `spec`* `expr` ; function definition fun_head: "ghost"? `kind`? `symbol` `param`+ (":" `result`)? ; function header kind: "function" | "predicate" | "lemma" ; function kind result: `ret_type` : | "(" `ret_type` ("," `ret_type`)* ")" : | "(" `ret_name` ("," `ret_name`)* ")" ret_type: "ghost"? `type` ; unnamed result ret_name: "ghost"? `binder` ":" `type` ; named result spec: "requires" "{" `term` "}" ; pre-condition : | "ensures" "{" `term` "}" ; post-condition : | "returns" "{" ("|" `pattern` "->" `term`)+ "}" ; post-condition : | "raises" "{" ("|" `pattern` "->" `term`)+ "}" ; exceptional post-c. : | "raises" "{" `uqualid` ("," `uqualid`)* "}" ; raised exceptions : | "reads" "{" `lqualid` ("," `lqualid`)* "}" ; external reads : | "writes" "{" `path` ("," `path`)* "}" ; memory writes : | "alias" "{" `alias` ("," `alias`)* "}" ; memory aliases : | `variant` : | "diverges" ; may not terminate : | ("reads" | "writes" | "alias") "{" "}" ; empty effect path: `lqualid` ("." `lqualid`)* ; v.field1.field2 alias: `path` "with" `path` ; arg1 with result invariant: "invariant" "{" `term` "}" ; loop and type invariant variant: "variant" "{" `variant_term` ("," `variant_term`)* "}" ; termination variant variant_term: `term` ("with" `lqualid`)? ; variant term + WF-order .. index:: pair: keyword; ghost Ghost expressions ^^^^^^^^^^^^^^^^^ Keyword ``ghost`` marks the expression as ghost code added for verification purposes. Ghost code is removed from the final code intended for execution, and thus cannot affect the computation of the program results nor the content of the observable memory. .. index:: assignment expressions Assignment expressions ^^^^^^^^^^^^^^^^^^^^^^ Assignment updates in place a mutable record field or an element of a collection. The former can be done simultaneously on a tuple of values: ``x.f, y.g <- a, b``. The latter form, ``a[i] <- v``, amounts to a call of the ternary bracket operator ``([]<-)`` and cannot be used in a multiple assignment. .. index:: auto-dereference .. index:: reference .. index:: pair: keyword; ref .. index:: & Auto-dereference: simplified usage of mutable variables ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^ Some syntactic sugar is provided to ease the use of mutable variables (aka references), in such a way that the bang character is no more needed to access the value of a reference, in both logic and programs. This syntactic sugar summarized in the following table. +-------------------------+-------------------------------+ | auto-dereference syntax | desugared to | +=========================+===============================+ | ``let &x = ... in`` | ``let (x: ref ...) = ... in`` | +-------------------------+-------------------------------+ | ``f x`` | ``f x.contents`` | +-------------------------+-------------------------------+ | ``x <- ...`` | ``x.contents <- ...`` | +-------------------------+-------------------------------+ | ``let ref x = ...`` | ``let &x = ref ...`` | +-------------------------+-------------------------------+ Notice that - the ``&`` marker adds the typing constraint ``(x: ref ...)``; - top-level ``let/val ref`` and ``let/val &`` are allowed; - auto-dereferencing works in logic, but such variables cannot be introduced inside logical terms. Here is an example: .. code-block:: whyml let ref x = 0 in while x < 100 do invariant { 0 <= x <= 100 } x <- x + 1 done That syntactic sugar is further extended to pattern matching, function parameters, and reference passing, as follows. +----------------------------------+-----------------------------------------------------+ | auto-dereference syntax | desugared to | +==================================+=====================================================+ | ``match e with (x,&y) -> y end`` | ``match e with (x,(y: ref ...)) -> y.contents end`` | +----------------------------------+-----------------------------------------------------+ | .. code-block:: whyml | .. code-block:: whyml | | | | | let incr (&x: ref int) = | let incr (x: ref int) = | | x <- x + 1 | x.contents <- x.contents + 1 | | | | | let f () = | let f () = | | let ref x = 0 in | let x = ref 0 in | | incr x; | incr x; | | x | x.contents | +----------------------------------+-----------------------------------------------------+ | ``let incr (ref x: int) ...`` | ``let incr (&x: ref int) ...`` | +----------------------------------+-----------------------------------------------------+ The type annotation is not required. Let-functions with such formal parameters also prevent the actual argument from auto-dereferencing when used in logic. Pure logical symbols cannot be declared with such parameters. Auto-dereference suppression does not work in the middle of a relation chain: in ``0 < x :< 17``, ``x`` will be dereferenced even if ``(:<)`` expects a ref-parameter on the left. Finally, that syntactic sugar applies to the caller side: +-------------------------+-----------------------+ | auto-dereference syntax | desugared to | +=========================+=======================+ | .. code-block:: whyml | .. code-block:: whyml | | | | | let f () = | let f () = | | let ref x = 0 in | let x = ref 0 in | | g &x | g x | +-------------------------+-----------------------+ The ``&`` marker can only be attached to a variable. Works in logic. Ref-binders and ``&``-binders in variable declarations, patterns, and function parameters do not require importing ``ref.Ref``. Any example that does not use references inside data structures can be rewritten by using ref-binders, without importing ``ref.Ref``. Explicit use of type symbol ``ref``, program function ``ref``, or field ``contents`` requires importing ``ref.Ref`` or ``why3.Ref.Ref``. Operations ``(:=)`` and ``(!)`` require importing ``ref.Ref``. Note that operation ``(:=)`` is fully subsumed by direct assignment ``(<-)``. .. index:: evaluation order Evaluation order ^^^^^^^^^^^^^^^^ In applications, arguments are evaluated from right to left. This includes applications of infix operators, with the only exception of lazy operators ``&&`` and ``||`` which evaluate from left to right, lazily. .. index:: pair: keyword; for .. index:: pair: keyword; downto .. index:: pair: keyword; invariant .. index:: invariant; for loop The “for” loop ^^^^^^^^^^^^^^ The “for” loop of Why3 has the following general form: .. code-block:: whyml for v=e1 to e2 do invariant { i } e3 done Here, ``v`` is a variable identifier, that is bound by the loop statement and of type ``int`` ; ``e1`` and ``e2`` are program expressions of type ``int``, and ``e3`` is an expression of type ``unit``. The variable ``v`` may occur both in ``i`` and ``e3``, and is not mutable. The execution of such a loop amounts to first evaluate ``e1`` and ``e2`` to values ``n1`` and ``n2``. If ``n1 >= n2`` then the loop is not executed at all, otherwise it is executed iteratively for ``v`` taking all the values between ``n1`` and ``n2`` included. Regarding verification conditions, one must prove that ``i[v <- n1]`` holds (invariant initialization) ; and that ``forall n. n1 <= n <= n2 /\ i[v <- n] -> i[v <- n+1]`` (invariant preservation). At loop exit, the property which is known is ``i[v <- n2+1]`` (notice the index ``n2+1``). A special case occurs when the initial value ``n1`` is larger than ``n2+1``: in that case the VC generator does not produce any VC to prove, the loop just acts as a no-op instruction. Yet in the case when ``n1 = n2+1``, the formula ``i[v <- n2+1]`` is asserted and thus need to be proved as a VC. The variant with keyword ``downto`` instead of ``to`` iterates backwards. It is also possible for ``v`` to be an integer range type (see :numref:`sec.range_types`) instead of an integer. .. index:: pair: keyword; for .. index:: pair: keyword; variant .. index:: pair: keyword; invariant .. index:: for each loop, invariant; for each loop The “for each” loop ^^^^^^^^^^^^^^^^^^^ The “for each” loop of Why3 has the following syntax: .. code-block:: whyml for p in e1 with S do invariant/variant... e2 done Here, ``p`` is a pattern, ``S`` is a namespace, and ``e1`` and ``e2`` are program expressions. Such a for each loop is syntactic sugar for the following: .. code-block:: whyml let it = S.create e1 in try while true do invariant/variant... let p = S.next it in e2 done with S.Done -> () That is, namespace ``S`` is assumed to declare at least a function ``create`` and a function ``next``, and an exception ``Done``. The latter is used to signal the end of the iteration. As shown above, the iterator is named ``it``. It can be referred to within annotations. A different name can be specified, using syntax ``with S as x do``. .. index:: pair: keyword; while .. index:: pair: keyword; break .. index:: pair: keyword; continue Break & Continue ^^^^^^^^^^^^^^^^ The ``break`` and ``continue`` statements can be used in ``while``, ``for`` and ``for-each`` loops, with the expected semantics. The statements take an optional identifier which can be used to break out of nested loops. This identifier can be defined using ``label`` like in the following example: .. code-block:: whyml label A in while true do variant... while true do variant... break A (* abort the outer loop *) done done .. index:: collections .. index:: function literals .. _sec.functionliterals: Function literals ^^^^^^^^^^^^^^^^^ Function literals can be written in expressions the same way as they are in terms but there are a few subtleties that one must bear in mind. First of all, if the domain of the literal is of type ``t`` then an equality infix operator ``=`` should exist. For instance, the literal ``[|t1 => u1|]`` with ``t1`` of type ``t``, is only considered well typed if the infix operator ``=`` of type ``t -> t -> bool`` is visible in the current scope. This problem does not exist in terms because the equality in terms is polymorphic. Second, the function literal expression ``[|t1 => u1; t2 => u2; _ => u3|]`` will be translated into the following expression: .. code-block:: whyml let def'e = u3 in let d'i1 = t2 in let r'i1 = u2 in let d'i0 = t1 in let r'i0 = u1 in fun x'x -> if x'x = d'i0 then r'i0 else if x'x = d'i1 then r'i1 else def'e .. index:: pair: keyword; any The ``any`` expression ^^^^^^^^^^^^^^^^^^^^^^ The general form of the ``any`` expression is the following. .. code-block:: whyml any <type> <contract> This expression non-deterministically evaluates to a value of the given type that satisfies the contract. For example, the code .. code-block:: whyml let x = any int ensures { 0 <= result < 100 } in ... will give to ``x`` any non-negative integer value smaller than 100. As for contracts on functions, it is allowed to name the result or even give a pattern for it. For example the following expression returns a pair of integers which first component is smaller than the second. .. code-block:: whyml any (int,int) returns { (a,b) -> a <= b } Notice that an ``any`` expression is not supposed to have side effects nor raise exceptions, hence its contract cannot include any ``writes`` or ``raises`` clauses. To ensure that this construction is safe, it is mandatory to show that there is always at least one possible value to return. It means that the VC generator produces a proof obligation of form .. code-block:: whyml exists result:<type>. <post-condition> In that respect, notice the difference with the construct .. code-block:: whyml val x:<type> <contract> in x which will not generate any proof obligation, meaning that the existence of the value ``x`` is taken for granted. Modules ------- A WhyML input file is a (possibly empty) list of modules .. productionlist:: file: `module`* module: "module" `uident_nq` `attribute`* `decl`* "end" decl: "type" `type_decl` ("with" `type_decl`)* : | "constant" `constant_decl` : | "function" `function_decl` ("with" `logic_decl`)* : | "predicate" `predicate_decl` ("with" `logic_decl`)* : | "inductive" `inductive_decl` ("with" `inductive_decl`)* : | "coinductive" `inductive_decl` ("with" `inductive_decl`)* : | "axiom" `ident_nq` ":" `formula` : | "lemma" `ident_nq` ":" `formula` : | "goal" `ident_nq` ":" `formula` : | "use" `imp_exp` `tqualid` ("as" `uident`)? : | "clone" `imp_exp` `tqualid` ("as" `uident`)? `subst`? : | "scope" "import"? `uident_nq` `decl`* "end" : | "import" `uident` : | "let" "ghost"? `lident_nq` `attribute`* `fun_defn` : | "let" "rec" `fun_defn` : | "val" "ghost"? `lident_nq` `attribute`* `pgm_decl` : | "exception" `lident_nq` `attribute`* `type`? type_decl: `lident_nq` `attribute`* ("'" `lident_nq` `attribute`*)* `type_defn` type_defn: ; abstract type : | "=" `type` ; alias type : | "=" "|"? `type_case` ("|" `type_case`)* ; algebraic type : | "=" `vis_mut` "{" `record_field` (";" `record_field`)* "}" `invariant`* `type_witness` ; record type : | "<" "range" `integer` `integer` ">" ; range type : | "<" "float" `integer` `integer` ">" ; float type type_case: `uident` `attribute`* `type_param`* record_field: "ghost"? "mutable"? `lident_nq` `attribute`* ":" `type` type_witness: "by" `expr` vis_mut: ("abstract" | "private")? "mutable"? pgm_decl: ":" `type` ; global variable : | `param` (`spec`* `param`)+ ":" `type` `spec`* ; abstract function logic_decl: `function_decl` : | `predicate_decl` constant_decl: `lident_nq` `attribute`* ":" `type` : | `lident_nq` `attribute`* ":" `type` "=" `term` function_decl: `lident_nq` `attribute`* `type_param`* ":" `type` : | `lident_nq` `attribute`* `type_param`* ":" `type` "=" `term` predicate_decl: `lident_nq` `attribute`* `type_param`* : | `lident_nq` `attribute`* `type_param`* "=" `formula` inductive_decl: `lident_nq` `attribute`* `type_param`* "=" "|"? `ind_case` ("|" `ind_case`)* ind_case: `ident_nq` `attribute`* ":" `formula` imp_exp: ("import" | "export")? subst: "with" ("," `subst_elt`)+ subst_elt: "type" `lqualid` "=" `lqualid` : | "function" `lqualid` "=" `lqualid` : | "predicate" `lqualid` "=" `lqualid` : | "scope" (`uqualid` | ".") "=" (`uqualid` | ".") : | "lemma" `qualid` : | "goal" `qualid` tqualid: `uident` | `ident` ("." `ident`)* "." `uident` type_param: "'" `lident` : | `lqualid` : | "(" `lident`+ ":" `type` ")" : | "(" `type` ("," `type`)* ")" : | "()" .. index:: record type .. _Record Types: Record types ^^^^^^^^^^^^ A record type declaration introduces a new type, with named and typed fields, as follows: .. code-block:: whyml type t = { a: int; b: bool } Such a type can be used both in logic and programs. A new record is built using curly braces and a value for each field, such as ``{ a = 42; b = true }``. If ``x`` is a value of type ``t``, its fields are accessed using the dot notation, such as ``x.a``. Each field happens to be a projection function, so that we can also write ``a x``. A field can be declared ``mutable``, as follows: .. code-block:: whyml type t = { mutable a: int; b: bool } A mutable field can be modified using notation ``x.a <- 42``. The ``writes`` clause of a function contract can list mutable fields, e.g., ``writes { x.a }``. .. index:: pair: keyword; invariant .. index:: type invariant, invariant; type .. rubric:: Type invariants Invariants can be attached to record types, as follows: .. code-block:: whyml type t = { mutable a: int; b: bool } invariant { b = true -> a >= 0 } The semantics of type invariants is as follows. In the logic, a type invariant always holds. Consequently, it is no more possible to build a value using the curly braces (in the logic). To prevent the introduction of a logical inconsistency, Why3 generates a VC to show the existence of at least one record instance satisfying the invariant. It is named ``t'vc`` and has the form ``exists a:int, b:bool. b = true -> a >= 0``. To ease the verification of this VC, one can provide an explicit witness using the keyword ``by``, as follows: .. code-block:: whyml type t = { mutable a: int; b: bool } invariant { b = true -> a >= 0 } by { a = 42; b = true } It generates a simpler VC, where fields are instantiated accordingly. For more complicated case, the witness can be more general than just a record, but the record can be used only as the resulting expression. Indeed the record does not exists yet, so the witness is in fact a tuple with the fields in the same order than in the definition. The record is just syntaxic sugar. In programs, a type invariant is assumed to hold at function entry and must be restored at function exit. In the middle, the invariant can be temporarily broken. For instance, the following function can be verified: .. code-block:: whyml let f (x: t) = x.a <- x.a - 1; x.a <- 0 After the first assignment, the invariant does not necessarily hold anymore. But it is restored before function exit with the second assignment. If the record is passed to another function, then the invariant must be reestablished (so as to honor the contract of the callee). For instance, the following function cannot be verified: .. code-block:: whyml let f1 (x: t) = x.a <- x.a - 1; f x; x.a <- 0 Indeed, passing ``x`` to function ``f`` requires checking the invariant first, which does not hold in this example. Similarly, the invariant must be reestablished if the record is passed to a logical function or predicate. For instance, the following function cannot be verified: .. code-block:: whyml predicate p (x: t) = x.b let f2 (x: t) = x.a <- x.a - 1; assert { p x }; x.a <- 0 Accessing the record fields, however, does not require restoring the invariant, both in logic and programs. For instance, the following function can be verified: .. code-block:: whyml let f2 (x: t) = x.a <- x.a - 1; assert { x.a < old x.a }; x.a <- 0 Indeed, the invariant may not hold after the first assignment, but the assertion is only making use of field access, so there is no need to reestablish the invariant. .. index:: private type .. rubric:: Private types A record type can be declared ``private``, as follows: .. code-block:: whyml type t = private { mutable a: int; b: bool } The meaning of such a declaration is that one cannot build a record instance, neither in the logic, nor in programs. For instance, the following function cannot be defined: .. code-block:: whyml let create () = { a = 42; b = true } One cannot modify mutable fields of private types either. One may wonder what is the purpose of private types, if one cannot build values in those types. The purpose is to build interfaces, to be later refined with actual implementations (see section :ref:`Module cloning` below). Indeed, if we cannot build record instances, we can still *declare* operations that return such records. For instance, we can declare the following two functions: .. code-block:: whyml val create (n: int) : t ensures { result.a = n } val incr (x: t) : unit writes { x.a } ensures { x.a = old x.a + 1 } Later, we can *refine* type ``t`` with a type that is not private anymore, and then implement operations ``create`` and ``incr``. Private types are often used in conjunction with ghost fields, that are used to model the contents of data structures. For instance, we can conveniently model a queue containing integers as follows: .. code-block:: whyml type queue = private { mutable ghost s: seq int } If needed, we could even add invariants (e.g., the sequence ``s`` is sorted in a priority queue). .. index:: abstract type When a private record type only has ghost fields, one can use ``abstract`` as a convenient shortcut: .. code-block:: whyml type queue = abstract { mutable s: seq int } This is equivalent to the previous declaration. .. rubric:: Recursive record types Record types can be recursive, e.g, .. code-block:: whyml type t = { a: int; next: option t } Recursive record types cannot have invariants, cannot have mutable fields, and cannot be private. .. index:: algebraic data type Algebraic data types ^^^^^^^^^^^^^^^^^^^^ Algebraic data types combine sum and product types. A simple example of a sum type is that of an option type: .. code-block:: whyml type maybe = No | Yes int Such a declaration introduces a new type ``maybe``, with two constructors ``No`` and ``Yes``. Constructor ``No`` has no argument and thus can be used as a constant value. Constructor ``Yes`` has an argument of type ``int`` and thus can be used to build values such as ``Yes 42``. Algebraic data types can be polymorphic, e.g., .. code-block:: whyml type option 'a = None | Some 'a (This type is already part of Why3 standard library, in module `option.Option <http://why3.lri.fr/stdlib/option.html>`_.) A data type can be recursive. The archetypal example is the type of polymorphic lists: .. code-block:: whyml type list 'a = Nil | Cons 'a (list 'a) (This type is already part of Why3 standard library, in module `list.List <http://why3.lri.fr/stdlib/list.html>`_.) Mutually recursive type definitions are supported. .. code-block:: whyml type tree = Node elt forest with forest = Empty | Cons tree forest When a field is common to all constructors, with the same type, it can be named: .. code-block:: whyml type t = | MayBe (size: int) (option int) | Many (size: int) (list int) Such a named field introduces a projection function. Here, we get a function ``size`` of type ``t -> int``. Constructor arguments can be ghost, e.g., .. code-block:: whyml type answer = | Yes (ghost int) | No Non-uniform data types are allowed, such as the following type for `random access lists <http://toccata.lri.fr/gallery/random_access_list.fr.html>`_: .. code-block:: whyml type ral 'a = | Empty | Zero (ral ('a, 'a)) | One 'a (ral ('a, 'a)) Why3 supports polymorphic recursion, both in logic and programs, so that we can define and verify operations on such types. .. index:: tuples .. rubric:: Tuples A tuple type is a particular case of algebraic data types, with a single constructor. A tuple type need not be declared by the user; it is generated on the fly. The syntax for a tuple type is ``(type1, type2, ...)``. Note: Record types, introduced in the previous section, also constitute a particular case of algebraic data types with a single constructor. There are differences, though. Record types may have mutable fields, invariants, or private status, while algebraic data types cannot. .. index:: range type .. index:: pair: keyword; range .. _sec.range_types: Range types ^^^^^^^^^^^ A declaration of the form ``type r = <range a b>`` defines a type that projects into the integer range ``[a,b]``. Note that in order to make such a declaration the theory ``int.Int`` must be imported. Why3 let you cast an integer literal in a range type (e.g., ``(42:r)``) and will check at typing that the literal is in range. Defining such a range type :math:`r` automatically introduces the following: .. code-block:: whyml function r'int r : int constant r'maxInt : int constant r'minInt : int The function ``r'int`` projects a term of type ``r`` to its integer value. The two constants represent the high bound and low bound of the range respectively. Unless specified otherwise with the meta :why3:meta:`keep:literal` on ``r``, the transformation :why3:transform:`eliminate_literal` introduces an axiom .. code-block:: whyml axiom r'axiom : forall i:r. r'minInt <= r'int i <= r'maxInt and replaces all casts of the form ``(42:r)`` with a constant and an axiom as in: .. code-block:: whyml constant rliteral7 : r axiom rliteral7_axiom : r'int rliteral7 = 42 This type is used in the standard library in the theories ``bv.BV8``, ``bv.BV16``, ``bv.BV32``, ``bv.BV64``. .. index:: pair: keyword; float Floating-point types ^^^^^^^^^^^^^^^^^^^^ A declaration of the form ``type f = <float eb sb>`` defines a type of floating-point numbers as specified by the IEEE-754 standard :cite:`ieee754-2008`. Here the literal ``eb`` represents the number of bits in the exponent and the literal ``sb`` the number of bits in the significand (including the hidden bit). Note that in order to make such a declaration the theory ``real.Real`` must be imported. Why3 let you cast a real literal in a float type (e.g., ``(0.5:f)``) and will check at typing that the literal is representable in the format. Note that Why3 do not implicitly round a real literal when casting to a float type, it refuses the cast if the literal is not representable. Defining such a type ``f`` automatically introduces the following: .. code-block:: whyml predicate f'isFinite f function f'real f : real constant f'eb : int constant f'sb : int As specified by the IEEE standard, float formats includes infinite values and also a special NaN value (Not-a-Number) to represent results of undefined operations such as :math:`0/0`. The predicate ``f'isFinite`` indicates whether its argument is neither infinite nor NaN. The function ``f'real`` projects a finite term of type ``f`` to its real value, its result is not specified for non finite terms. Unless specified otherwise with the meta :why3:meta:`keep:literal` on ``f``, the transformation :why3:transform:`eliminate_literal` will introduce an axiom .. code-block:: whyml axiom f'axiom : forall x:f. f'isFinite x -> -. max_real <=. f'real x <=. max_real where ``max_real`` is the value of the biggest finite float in the specified format. The transformation also replaces all casts of the form ``(0.5:f)`` with a constant and an axiom as in: .. code-block:: whyml constant fliteral42 : f axiom fliteral42_axiom : f'real fliteral42 = 0.5 /\ f'isFinite fliteral42 This type is used in the standard library in the theories ``ieee_float.Float32`` and ``ieee_float.Float64``. Function declarations ^^^^^^^^^^^^^^^^^^^^^ ``let`` Definition of a program function, with prototype, contract, and body ``val`` Declaration of a program function, with prototype and contract only ``let function`` Definition of a pure (that is, side-effect free) program function which can also be used in specifications as a logical function symbol ``let predicate`` Definition of a pure Boolean program function which can also be used in specifications as a logical predicate symbol ``val function`` Declaration of a pure program function which can also be used in specifications as a logical function symbol ``val predicate`` Declaration of a pure Boolean program function which can also be used in specifications as a logical predicate symbol ``function`` Definition or declaration of a logical function symbol which can also be used as a program function in ghost code ``predicate`` Definition or declaration of a logical predicate symbol which can also be used as a Boolean program function in ghost code ``let lemma`` definition of a special pure program function which serves not as an actual code to execute but to prove the function's contract as a lemma: “for all values of parameters, the precondition implies the postcondition”. This lemma is then added to the logical context and is made available to provers. If this “lemma-function” produces a result, the lemma is “for all values of parameters, the precondition implies the existence of a result that satisfies the postcondition”. Lemma-functions are mostly used to prove some property by induction directly in Why3, without resorting to an external higher-order proof assistant. Program functions (defined with ``let`` or declared with ``val``) can additionally be marked ``ghost``, meaning that they can only be used in the ghost code and never translated into executable code ; or ``partial``, meaning that their execution can produce observable effects unaccounted by their specification, and thus they cannot be used in the ghost code. Recursive program functions must be defined using ``let rec``. .. code-block:: whyml let rec size_tree (t: tree) : int = variant { t } match t with | Node _ f -> 1 + size_forest f end with size_forest (f: forest) : int = variant { f } match f with | Empty -> 0 | Cons t f -> size_tree t + size_forest f end .. index:: pair: keyword; clone .. index:: module cloning .. _Module cloning: Module cloning ^^^^^^^^^^^^^^ Why3 features a mechanism to make an instance of a module, by substituting some of its declarations with other symbols. It is called *module cloning*. Let us consider the example of a module implementing `exponentiation by squaring <https://en.wikipedia.org/wiki/Exponentiation_by_squaring>`_. We want to make it as general as possible, so that we can implement it and verify it only once and then reuse it in various different contexts, e.g., with integers, floating-point numbers, matrices, etc. We start our module with the introduction of a monoid: .. code-block:: whyml module Exp use int.Int use int.ComputerDivision type t val constant one : t val function mul t t : t axiom one_neutral: forall x. mul one x = x = mul x one axiom mul_assoc: forall x y z. mul x (mul y z) = mul (mul x y) z Then we define a simple exponentiation function, mostly for the purpose of specification: .. code-block:: whyml :dedent: 0 let rec function exp (x: t) (n: int) : t requires { n >= 0 } variant { n } = if n = 0 then one else mul x (exp x (n - 1)) In anticipation of the forthcoming verification of exponentiation by squaring, we prove two lemmas. As they require induction, we use lemma functions: .. code-block:: whyml :dedent: 0 let rec lemma exp_add (x: t) (n m: int) requires { 0 <= n /\ 0 <= m } variant { n } ensures { exp x (n + m) = mul (exp x n) (exp x m) } = if n > 0 then exp_add x (n - 1) m let rec lemma exp_mul (x: t) (n m: int) requires { 0 <= n /\ 0 <= m } variant { m } ensures { exp x (n * m) = exp (exp x n) m } = if m > 0 then exp_mul x n (m - 1) Finally, we implement and verify exponentiation by squaring, which completes our module. .. code-block:: whyml :dedent: 0 let fast_exp (x: t) (n: int) : t requires { n >= 0 } ensures { result = exp x n } = let ref p = x in let ref q = n in let ref r = one in while q > 0 do invariant { 0 <= q } invariant { mul r (exp p q) = exp x n } variant { q } if mod q 2 = 1 then r <- mul r p; p <- mul p p; q <- div q 2 done; r end Note that module ``Exp`` mixes declared symbols (type ``t``, constant ``one``, function ``mul``) and defined symbols (function ``exp``, program function ``fast_exp``). We can now make an instance of module ``Exp``, by substituting some of its declared symbols (not necessarily all of them) with some other symbols. For instance, we get exponentiation by squaring on integers by substituting ``int`` for type ``t``, integer ``1`` for constant ``one``, and integer multiplication for function ``mul``. .. code-block:: whyml module ExponentiationBySquaring use int.Int clone Exp with type t = int, val one = one, val mul = (*) end In a substitution such as ``val one = one``, the left-hand side refers to the namespace of the module being cloned, while the right-hand side refers to the current namespace (which here contains a constant ``one`` of type ``int``). When a module is cloned, any axiom is automatically turned into a lemma. Thus, the ``clone`` command above generates two VCs, one for lemma ``one_neutral`` and another for lemma ``mul_assoc``. If an axiom should instead remain an axiom, it should be explicitly indicated in the substitution (using ``axiom mul_assoc`` for instance). Why3 cannot figure out by itself whether an axiom should be turned into a lemma, so it goes for the safe path (all axioms are to be proved) by default. Lemmas that were proved in the module being cloned (such as ``exp_add`` and ``exp_mul`` here) are not reproved. They are part of the resulting namespace, the substitution being applied to their statements. Similarly, functions that were defined in the module being cloned (such as ``exp`` and ``fast_exp`` here) are not reproved and are part of the resulting module, the substitution being applied to their argument types, return type, and definition. For instance, we get a fresh function ``fast_exp`` of type ``int->int->int``. We can make plenty other instances of our module ``Exp``. For instance, we get `Russian multiplication <https://en.wikipedia.org/wiki/Ancient_Egyptian_multiplication>`_ for free by instantiating ``Exp`` with zero and addition instead. .. code-block:: whyml module Multiplication use int.Int clone Exp with type t = int, val one = zero, val mul = (+) goal G: exp 2 3 = 6 end It is also possible to substitute certain types of defined symbols : logical functions and predicates, (co)inductives, algebraic data types, immutable records without invariants, range and floating-point types can all be substituted by symbols with the exact same definition. .. code-block:: whyml module A use int.Int predicate pos (n : int) = n >= 0 function abs (n : int) = if pos n then n else -n type 'a list = | Nil | Cons 'a (list 'a) type r = { a : int; b : string; } end module B use int.Int (* logical functions and predicates must be syntactically equal. *) predicate pos (n : int) = n >= 0 (* The substitution of pos is taken into account when checking * that the definitions are identical. *) function abs (n : int) = if pos n then n else -n (* For algebraic types, same definition means same constructors * in the same order. *) type 'a list = | Nil | Cons 'a (list 'a) (* Similarly records' fields must be in the exact same order. *) type r = { a : int; b : string; } clone A with predicate pos, function abs, type list, type r end .. index:: standard library The Why3 Standard Library ------------------------- The Why3 standard library provides general-purpose modules, to be used in logic and/or programs. It can be browsed on-line at http://why3.lri.fr/stdlib/. Each file contains one or several modules. To ``use`` or ``clone`` a module ``M`` from file :file:`file.mlw`, use the syntax ``file.M``, since :file:`file.mlw` is available in Why3’s default load path. For instance, the module of integers and the module of arrays indexed by integers are imported as follows: .. code-block:: whyml use int.Int use array.Array A sub-directory :file:`mach/` provides various modules to model machine arithmetic. For instance, the module of 63-bit integers and the module of arrays indexed by 63-bit integers are imported as follows: .. code-block:: whyml use mach.int.Int63 use mach.array.Array63 In particular, the types and operations from these modules are mapped to native OCaml’s types and operations when Why3 code is extracted to OCaml (see :numref:`sec.extract`). Library ``int``: mathematical integers ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^ The ``int`` library contains several modules whose dependencies are displayed on Figure :numref:`fig.lib.int`. .. graphviz:: generated/library-int.dot :caption: Module dependencies in library ``int``. :name: fig.lib.int The main module is ``Int`` which provides basic operations like addition and multiplication, and comparisons. The division of modulo operations are defined in other modules. They indeed come into two flavors: the module ``EuclideanDivision`` proposes a version where the result of the modulo is always non-negative, whereas the module ``ComputerDivision`` provides a version which matches the standard definition available in programming languages like C, Java or OCaml. Note that these modules do not provide any divsion or modulo operations to be used in programs. For those, you must use the module ``mach.int.Int`` instead, which provides these operations, including proper pre-conditions, and with the usual infix syntax ``x / y`` and ``x % y``. The detailed documentation of the library is available on-line at http://why3.lri.fr/stdlib/int.html Library ``array``: array data structure ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^ The ``array`` library contains several modules whose dependencies are displayed on Figure :numref:`fig.lib.array`. .. graphviz:: generated/library-array.dot :caption: Module dependencies in library ``array``. :name: fig.lib.array The main module is ``Array``, providing the operations for accessing and updating an array element, with respective syntax ``a[i]`` and ``a[i] <- e``, and proper pre-conditions for the indexes. The length of an array is denoted as ``a.length``. A fresh array can be created using ``make l v`` where ``l`` is the desired length and ``v`` is the initial value of each cell. The detailed documentation of the library is available on-line at http://why3.lri.fr/stdlib/array.html ����������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������why3-1.6.0/doc/technical.rst������������������������������������������������������������������������0000664�0000000�0000000�00000140212�14401600263�0015635�0����������������������������������������������������������������������������������������������������ustar�00root����������������������������root����������������������������0000000�0000000������������������������������������������������������������������������������������������������������������������������������������������������������������������������Technical Informations ====================== .. _sec.proverdetectiondata: Prover Detection ---------------- The data configuration for the automatic detection of installed provers is stored in the file :file:`provers-detection-data.conf` typically located in directory :file:`/usr/local/share/why3` after installation. .. _sec.whyconffile: The :file:`why3.conf` Configuration File ---------------------------------------- One can use a custom configuration file. The Why3 tools look for it in the following order: #. the file specified by the :option:`why3 --config` option, #. the file specified by the environment variable :envvar:`WHY3CONFIG` if set, #. the file :file:`$HOME/.why3.conf` (:file:`$USERPROFILE/.why3.conf` under Windows) or, in the case of local installation, :file:`why3.conf` in the top directory of Why3 sources. If none of these files exist, a built-in default configuration is used. A section begins with a header inside square brackets and ends at the beginning of the next section. The header of a section can be a single identifier, e.g., ``[main]``, or it can be composed by a family name and a single family argument, e.g., ``[prover alt-ergo]``. Sections contain associations ``key=value``. A value is either an integer (e.g., ``-555``), a boolean (``true``, ``false``), or a string (e.g., ``"emacs"``). Some specific keys can be attributed multiple values and are thus allowed to occur several times inside a given section. In that case, the relative order of these associations matters. Extra configuration files ~~~~~~~~~~~~~~~~~~~~~~~~~ In addition to the main configuration file, Why3 commands accept the option :option:`why3 --extra-config` to read one or more files containing additional configuration option. It allows the user to pass extra declarations in prover drivers, as illustrated in :numref:`sec.userdrivers`, including declarations for realizations, as illustrated in :numref:`sec.realizations`. .. _sec.drivers: Drivers for External Provers ---------------------------- Drivers for external provers are readable files from directory ``drivers``. They describe how Why3 should interact with external provers. Files with :file:`.drv` extension represent drivers that might be associated to a specific solver in the :file:`why3.conf` configuration file (see :numref:`sec.whyconffile` for more information); files with :file:`.gen` extension are intended to be imported by other drivers; finally, files with :file:`.aux` extension are automatically generated from the main :file:`Makefile`. .. graphviz:: generated/drivers-smt.dot :caption: Driver dependencies for SMT solvers :name: fig.drv.smt .. graphviz:: generated/drivers-tptp.dot :caption: Driver dependencies for TPTP solvers :name: fig.drv.tptp .. graphviz:: generated/drivers-coq.dot :caption: Driver dependencies for Coq :name: fig.drv.coq .. graphviz:: generated/drivers-isabelle.dot :caption: Driver dependencies for Isabelle/HOL :name: fig.drv.isabelle .. graphviz:: generated/drivers-pvs.dot :caption: Driver dependencies for PVS :name: fig.drv.pvs The most important drivers dependencies are shown in the following figures: :numref:`fig.drv.smt` shows the drivers files for SMT solvers, :numref:`fig.drv.tptp` for TPTP solvers, :numref:`fig.drv.coq` for Coq, :numref:`fig.drv.isabelle` for Isabelle/HOL, and :numref:`fig.drv.pvs` for PVS. .. _sec.userdrivers: Drivers for User Theories ------------------------- It is possible for the users to augment the system drivers with extra information for their own declared theories. The processus is described by the following example. First, we define a new theory in a file :file:`bvmisc.mlw`, containing .. code-block:: whyml theory T use bv.BV8 use bv.BV16 function lsb BV16.t : BV8.t (** least significant bits *) function msb BV16.t : BV8.t (** most significant bits *) end For such a theory, it is a good idea to declare specific translation rules for provers that have a built-in bit-vector support, such as Z3 and CVC4 in this example. To do so, we write a extension driver file, :file:`my.drv`, containing .. code-block:: whyml theory bvmisc.T syntax function lsb "((_ extract 7 0) %1)" syntax function msb "((_ extract 15 8) %1)" end Now to tell Why3 that we would like this driver extension when calling Z3 or CVC4, we write an extra configuration file, :file:`my.conf`, containing .. code-block:: [prover_modifiers] prover = "CVC4" driver = "my.drv" [prover_modifiers] prover = "Z3" driver = "my.drv" Finally, to make the whole thing work, we have to call any Why3 command with the additional option :option:`why3 --extra-config`, such as :: why3 --extra-config=my.conf prove myfile.mlw .. _sec.transformations: Transformations --------------- This section documents the available transformations. Note that the set of available transformations in your own installation is given by :why3:tool:`why3 show transformations`. .. why3:transform:: apply Apply an hypothesis to the goal of the task using a *modus ponens* rule. The hypothesis should be an implication whose conclusion can be matched with the goal. The intuitive behavior of :why3:transform:`apply` can be translated as follows. Given :math:`\Gamma, h: f_1 \rightarrow f_2 \vdash G: f_2`, ``apply h`` generates a new task :math:`\Gamma, h: f_1 \rightarrow f_2 \vdash G: f_1`. In practice, the transformation also manages to instantiate some variables with the appropriate terms. For example, applying the transformation ``apply zero_is_even`` on the following goal .. code-block:: whyml predicate is_even int predicate is_zero int axiom zero_is_even: forall x: int. is_zero x -> is_even x goal G: is_even 0 produces the following goal: .. code-block:: whyml predicate is_even int predicate is_zero int axiom zero_is_even: forall x:int. is_zero x -> is_even x goal G: is_zero 0 The transformation first matched the goal against the hypothesis and instantiated ``x`` with ``0``. It then applied the *modus ponens* rule to generate the new goal. This transformation helps automated provers when they do not know which hypothesis to use in order to prove a goal. .. why3:transform:: apply with Variant of :why3:transform:`apply` intended to be used in contexts where the latter cannot infer what terms to use for variables given in the applied hypothesis. For example, applying the transformation ``apply transitivity`` on the following goal .. code-block:: whyml axiom ac: a = c axiom cb: c = b axiom transitivity : forall x y z:int. x = y -> y = z -> x = z goal G1 : a = b raises the following error: :: apply: Unable to infer arguments (try using "with") for: y It means that the tool is not able to infer the right term to instantiate symbol ``y``. In our case, the user knows that the term ``c`` should work. So, it can be specified as follows: ``apply transitivity with c`` This generates two goals which are easily provable with hypotheses ``ac`` and ``cb``. When multiple variables are needed, they should be provided as a list in the transformation. For the sake of the example, we complicate the ``transitivity`` hypothesis: .. code-block:: whyml axiom t : forall x y z k:int. k = k -> x = y -> y = z -> x = z A value can be provided for ``k`` as follows: ``apply t with c,0``. .. why3:transform:: assert Create an intermediate subgoal. This is comparable to ``assert`` written in WhyML code. Here, the intent is only to help provers by specifying one key argument of the reasoning they should use. Example: From a goal of the form :math:`\Gamma \vdash G`, the transformation ``assert (n = 0)`` produces the following two tasks: :math:`\Gamma \vdash h: n = 0` and :math:`\Gamma, h: n = 0 \vdash G`. This effectively adds ``h`` as an intermediate goal to prove. .. why3:transform:: assert as Same as :why3:transform:`assert`, except that a name can be given to the new hypothesis. Example: ``assert (x = 0) as x0``. .. why3:transform:: case Split a goal into two subgoal, using the *excluded middle* on a given formula. On the task :math:`\Gamma \vdash G`, the transformation ``case f`` produces two tasks: :math:`\Gamma, h: f \vdash G` and :math:`\Gamma, h: \neg f \vdash G`. For example, applying ``case (x = 0)`` on the following goals .. code-block:: whyml constant x : int constant y : int goal G: if x = 0 then y = 2 else y = 3 produces the following goals: .. code-block:: whyml constant x : int constant y : int axiom h : x = 0 goal G : if x = 0 then y = 2 else y = 3 .. code-block:: whyml constant x : int constant y : int axiom h : not x = 0 goal G : if x = 0 then y = 2 else y = 3 The intent is again to simplify the job of automated provers by giving them a key argument of the reasoning behind the proof of a subgoal. .. why3:transform:: case as Same as :why3:transform:`case`, except that a name can be given to the new hypothesis. Example: ``case (x = 0) as x0``. .. why3:transform:: clear_but Remove all the hypotheses except those specified in the arguments. This is useful when a prover fails to find relevant hypotheses in a very large context. Example: ``clear_but h23,h25``. .. why3:transform:: compute_hyp Apply the transformation :why3:transform:`compute_in_goal` on the given hypothesis. .. why3:transform:: compute_hyp_specified Apply the transformation :why3:transform:`compute_specified` on the given hypothesis. .. why3:transform:: compute_in_goal Aggressively apply all known computation/simplification rules. The kinds of simplification are as follows. - Computations with built-in symbols, e.g., operations on integers, when applied to explicit constants, are evaluated. This includes evaluation of equality when a decision can be made (on integer constants, on constructors of algebraic data types), Boolean evaluation, simplification of pattern-matching/conditional expression, extraction of record fields, and beta-reduction. At best, these computations reduce the goal to ``true`` and the transformations thus does not produce any sub-goal. For example, a goal like ``6*7=42`` is solved by those transformations. - Unfolding of definitions, as done by :why3:transform:`inline_goal`. Transformation :why3:transform:`compute_in_goal` unfolds all definitions, including recursive ones. For :why3:transform:`compute_specified`, the user can enable unfolding of a specific logic symbol by attaching the meta :why3:meta:`rewrite_def` to the symbol. .. code-block:: whyml function sqr (x:int) : int = x * x meta "rewrite_def" function sqr - Rewriting using axioms or lemmas declared as rewrite rules. When an axiom (or a lemma) has one of the forms .. code-block:: whyml axiom a: forall ... t1 = t2 or .. code-block:: whyml axiom a: forall ... f1 <-> f2 then the user can declare .. code-block:: whyml meta "rewrite" prop a to turn this axiom into a rewrite rule. Rewriting is always done from left to right. Beware that there is no check for termination nor for confluence of the set of rewrite rules declared. Instead of using a meta, it is possible to declare an axiom as a rewrite rule by adding the :why3:attribute:`[@rewrite]` attribute on the axiom name or on the axiom itself, e.g., .. code-block:: whyml axiom a [@rewrite]: forall ... t1 = t2 lemma b: [@rewrite] forall ... f1 <-> f2 The second form allows some form of local rewriting, e.g., .. code-block:: whyml lemma l: forall x y. ([@rewrite] x = y) -> f x = f y can be proved by :why3:transform:`introduce_premises` followed by :why3:transform:`compute_specified`. The computations performed by this transformation can take an arbitrarily large number of steps, or even not terminate. For this reason, the number of steps is bounded by a maximal value, which is set by default to 1000. This value can be increased by another meta, e.g., .. code-block:: whyml meta "compute_max_steps" 1_000_000 When this upper limit is reached, a warning is issued, and the partly-reduced goal is returned as the result of the transformation. .. why3:transform:: compute_specified Same as :why3:transform:`compute_in_goal`, but perform rewriting using only built-in operators and user-provided rules. .. why3:transform:: cut Same as :why3:transform:`assert`, but the order of generated subgoals is reversed. .. why3:transform:: destruct Eliminate the head symbol of a hypothesis. For example, applying ``destruct h`` on the following goal .. code-block:: whyml constant p1 : bool predicate p2 int axiom h : p1 = True /\ (forall x:int. p2 x) goal G : p2 0 removes the logical connective ``/\`` and produces .. code-block:: whyml constant p1 : bool predicate p2 int axiom h1 : p1 = True axiom h : forall x:int. p2 x goal G : p2 0 :why3:transform:`destruct` can be applied on the following constructions: - ``false``, ``true``, - ``/\``, ``\/``, ``->``, ``not``, - ``exists``, - ``if ... then ... else ...``, - ``match ... with ... end``, - (in)equality on constructors of the same type. .. why3:transform:: destruct_rec Recursively call :why3:transform:`destruct` on the generated hypotheses. The recursion on implication and ``match`` stops after the first occurence of a different symbol. For example, applying ``destruct_rec H`` on the following goal .. code-block:: whyml predicate a predicate b predicate c axiom H : (a -> b) /\ (b /\ c) goal G : false does not destruct the implication symbol because it occurs as a subterm of an already destructed symbol. This restriction applies only to implication and ``match`` Other symbols are destructed recursively. Thus, in the generated task, the second ``/\`` is simplified: .. code-block:: whyml predicate a predicate b predicate c axiom H2 : a -> b axiom H1 : b axiom H: c goal G : false .. why3:transform:: destruct_term Destruct an expression according to the type of the expression. The transformation produces all possible outcomes of a destruction of the algebraic type. For example, applying ``destruct_term a`` on the following goal .. code-block:: whyml type t = A | B int constant a : t goal G : a = A produces the following two goals: .. code-block:: whyml type t = A | B int constant a : t constant x : int axiom h : a = B x goal G : a = A .. code-block:: whyml type t = A | B int constant a : t axiom h : a = A goal G : a = A The term was destructed according to all the possible outcomes in the type. Note that, during destruction, a new constant ``x`` has been introduced for the argument of constructor ``B``. .. why3:transform:: destruct_term using Same as :why3:transform:`destruct_term`, except that names can be given to the constants that were generated. .. why3:transform:: destruct_term_subst Same as :why3:transform:`destruct_term`, except that it also substitutes the created term. .. why3:transform:: eliminate_algebraic Replace algebraic data types by first-order definitions :cite:`paskevich09rr`. .. why3:transform:: eliminate_builtin Remove definitions of symbols that are declared as builtin in the driver, with a “syntax” rule. .. why3:transform:: eliminate_definition_func Replace all function definitions with axioms. .. why3:transform:: eliminate_definition_pred Replace all predicate definitions with axioms. .. why3:transform:: eliminate_definition Apply both :why3:transform:`eliminate_definition_func` and :why3:transform:`eliminate_definition_pred`. .. why3:transform:: eliminate_if Apply both :why3:transform:`eliminate_if_term` and :why3:transform:`eliminate_if_fmla`. .. why3:transform:: eliminate_if_fmla Replace formulas of the form ``if f1 then f2 else f3`` by an equivalent formula using implications and other connectives. .. why3:transform:: eliminate_if_term Replace terms of the form ``if formula then t2 else t3`` by lifting them at the level of formulas. This may introduce ``if then else`` in formulas. .. why3:transform:: eliminate_inductive Replace inductive predicates by (incomplete) axiomatic definitions, construction axioms and an inversion axiom. .. why3:transform:: eliminate_let Apply both :why3:transform:`eliminate_let_fmla` and :why3:transform:`eliminate_let_term`. .. why3:transform:: eliminate_let_fmla Eliminate ``let`` by substitution, at the predicate level. .. why3:transform:: eliminate_let_term Eliminate ``let`` by substitution, at the term level. .. why3:transform:: eliminate_literal .. why3:transform:: eliminate_mutual_recursion Replace mutually recursive definitions with axioms. .. why3:transform:: eliminate_recursion Replace all recursive definitions with axioms. .. why3:transform:: encoding_smt Encode polymorphic types into monomorphic types :cite:`conchon08smt`. .. why3:transform:: encoding_tptp Encode theories into unsorted logic. .. why3:transform:: exists Instantiate an existential quantification with a witness. For example, applying ``exists 0`` on the following goal .. code-block:: whyml goal G : exists x:int. x = 0 instantiates the symbol ``x`` with ``0``. Thus, the goal becomes .. code-block:: whyml goal G : 0 = 0 .. why3:transform:: hide Hide a given term, by creating a new constant equal to the term and then replacing all occurences of the term in the context by this constant. For example, applying ``hide t (1 + 1)`` on the goal .. code-block:: whyml constant y : int axiom h : forall x:int. x = (1 + 1) goal G : (y - (1 + 1)) = ((1 + 1) - (1 + 1)) replaces all the occurrences of ``(1 + 1)`` with ``t``, which gives the following goal: .. code-block:: whyml constant y : int constant t : int axiom H : t = (1 + 1) axiom h : forall x:int. x = t goal G : (y - t) = (t - t) .. why3:transform:: hide_and_clear First apply :why3:transform:`hide` and then remove the equality between the hidden term and the introduced constant. This means that the hidden term completely disappears and cannot be recovered. .. why3:transform:: induction Perform a reasoning by induction for the current goal. For example, applying ``induction n`` on the following goal .. code-block:: whyml constant n : int predicate p int predicate p1 int axiom h : p1 n goal G : p n performs an induction on ``n`` starting at ``0``. The goal for the base case is .. code-block:: whyml constant n : int predicate p int predicate p1 int axiom h : p1 n axiom Init : n <= 0 goal G : p n while the recursive case is .. code-block:: whyml constant n : int predicate p int predicate p1 int axiom h : p1 n axiom Init : 0 < n axiom Hrec : forall n1:int. n1 < n -> p1 n1 -> p n1 goal G : p n .. why3:transform:: induction from Same as :why3:transform:`induction`, but it starts the induction from a given integer instead of ``0``. .. why3:transform:: induction_arg_pr Apply :why3:transform:`induction_pr` on the given hypothesis/goal symbol. .. why3:transform:: induction_arg_ty_lex Apply :why3:transform:`induction_ty_lex` on the given symbol. .. why3:transform:: induction_pr .. why3:transform:: induction_ty_lex Perform structural, lexicographic induction on goals involving universally quantified variables of algebraic data types, such as lists, trees, etc. For instance, it transforms the following goal .. code-block:: whyml goal G: forall l: list 'a. length l >= 0 into this one: .. code-block:: whyml goal G : forall l:list 'a. match l with | Nil -> length l >= 0 | Cons a l1 -> length l1 >= 0 -> length l >= 0 end When induction can be applied to several variables, the transformation picks one heuristically. The :why3:attribute:`[@induction]` attribute can be used to force induction over one particular variable, with .. code-block:: whyml goal G: forall l1 [@induction] l2 l3: list 'a. l1 ++ (l2 ++ l3) = (l1 ++ l2) ++ l3 induction will be applied on ``l1``. If this attribute is attached to several variables, a lexicographic induction is performed on these variables, from left to right. .. why3:transform:: inline_trivial Expand and remove definitions of the form .. code-block:: whyml function f x1 ... xn = g e1 ... ek predicate p x1 ... xn = q e1 ... ek when each :samp:`e{i}` is either a ground term or one of the :samp:`x{j}`, and each ``x1 ... xn`` occurs at most once in all the :samp:`e{i}`. The attribute :why3:attribute:`[@inline:trivial]` can be used to tag functions, so that the transformation forcefully expands them (not using the conditions above). This can be used to ensure that some specific functions are inlined for automatic provers (:why3:transform:`inline_trivial` is used in many drivers). .. why3:transform:: inline_goal Expand all outermost symbols of the goal that have a non-recursive definition. .. why3:transform:: inline_all Expand all non-recursive definitions. .. why3:transform:: instantiate Generate a new hypothesis with quantified variables replaced by the given terms. For example, applying ``instantiate h 0, 1`` on the following goal .. code-block:: whyml predicate p int axiom h : forall x:int, y:int. x <= y -> p x /\ p y goal G : p 0 generates a new hypothesis: .. code-block:: whyml predicate p int axiom h : forall x:int, y:int. x <= y -> p x /\ p y axiom Hinst : 0 <= 1 -> p 0 /\ p 1 goal G : p 0 This is used to help automatic provers that are generally better at working on instantiated hypothesis. .. why3:transform:: inst_rem Apply :why3:transform:`instantiate` then remove the original instantiated hypothesis. .. why3:transform:: introduce_premises Move antecedents of implications and universal quantifications of the goal into the premises of the task. .. why3:transform:: intros Introduce universal quantifiers in the context. For example, applying ``intros n, m`` on the following goal .. code-block:: whyml predicate p int int int goal G : forall x:int, y:int, z:int. p x y z produces the following goal: .. code-block:: whyml predicate p int int int constant n : int constant m : int goal G : forall z:int. p n m z .. why3:transform:: intros_n Same as :why3:transform:`intros`, but stops after the nth quantified variable or premise. For example, applying ``intros_n 2`` on the following goal .. code-block:: whyml predicate p int int int goal G : forall x:int, y:int, z:int. p x y z produces the following goal: .. code-block:: whyml predicate p int int int constant x : int constant y : int goal G : forall z:int. p x y z .. why3:transform:: inversion_arg_pr Apply :why3:transform:`inversion_pr` on the given hypothesis/goal symbol. .. why3:transform:: inversion_pr .. why3:transform:: left Remove the right part of the head disjunction of the goal. For example, applying ``left`` on the following goal .. code-block:: whyml constant x : int goal G : x = 0 \/ x = 1 produces the following goal: .. code-block:: whyml constant x : int goal G : x = 0 .. why3:transform:: pose Add a new constant equal to the given term. For example, applying ``pose t (x + 2)`` to the following goal .. code-block:: whyml constant x : int goal G : true produces the following goal: .. code-block:: whyml constant x : int constant t : int axiom H : t = (x + 2) goal G : true .. why3:transform:: remove Remove a hypothesis from the context. For example, applying ``remove h`` on the following goal .. code-block:: whyml axiom h : true goal G : true produces the following goal: .. code-block:: whyml goal G : true .. why3:transform:: replace Replace a term with another one in a hypothesis or in the goal. This generates a new goal which asks for the proof of the equality. For example, applying ``replace (y + 1) (x + 2) in h`` on the following goal .. code-block:: whyml constant x : int constant y : int axiom h : x >= (y + 1) goal G : true produces the following two goals: .. code-block:: whyml constant x : int constant y : int axiom h : x >= (x + 2) goal G : true .. code-block:: whyml constant x : int constant y : int axiom h : x >= (y + 1) goal G : (y + 1) = (x + 2) It can be seen as the combination of :why3:transform:`assert` and :why3:transform:`rewrite`. .. why3:transform:: revert Opposite of :why3:transform:`intros`. It takes hypotheses/constants and quantifies them in the goal. For example, applying ``revert x`` on the following goal .. code-block:: whyml constant x : int constant y : int axiom h : x = y goal G : true produces the following goal: .. code-block:: whyml constant y : int goal G : forall x:int. x = y -> true .. why3:transform:: rewrite Rewrite using the given equality hypothesis. For example, applying ``rewrite eq`` on the following goal .. code-block:: whyml function a int : bool function b int : bool constant y : int axiom eq : forall x:int. not x = 0 -> a x = b x goal G : a y = True produces the following goal: .. code-block:: whyml function a int : bool function b int : bool constant y : int axiom eq : forall x:int. not x = 0 -> a x = b x goal G : b y = True It also produces a goal for the premise of the equality hypothesis (as would :why3:transform:`apply`): .. code-block:: whyml function a int : bool function b int : bool constant y : int axiom eq : forall x:int. not x = 0 -> a x = b x goal G : not y = 0 .. why3:transform:: rewrite with Variant of :why3:transform:`rewrite` intended to be used in contexts where the latter cannot infer what terms to use for the variables of the given hypotheses (see also :why3:transform:`apply with`). For example, the transformation ``rewrite eq with 0`` can be applied to the following goal: .. code-block:: whyml function a int : bool function b int : bool constant y : int axiom eq : forall x:int, z:int. z = 0 -> not x = 0 -> a x = b x goal G : a y = True Here, a value is provided for the symbol ``z``. This leads to the following three goals. One is the rewritten one, while the other two are for the premises of the equality hypothesis. .. code-block:: whyml function a int : bool function b int : bool constant y : int axiom eq : forall x:int, z:int. z = 0 -> not x = 0 -> a x = b x goal G : b y = True .. code-block:: whyml function a int : bool function b int : bool constant y : int axiom eq : forall x:int, z:int. z = 0 -> not x = 0 -> a x = b x goal G : 0 = 0 .. code-block:: whyml function a int : bool function b int : bool constant y : int axiom eq : forall x:int, z:int. z = 0 -> not x = 0 -> a x = b x goal G : not y = 0 .. why3:transform:: rewrite_list Variant of :why3:transform:`rewrite` that allows simultaneous rewriting in a list of hypothesis/goals. .. why3:transform:: right Remove the left part of the head disjunction of the goal. For example, applying ``right`` on the following goal .. code-block:: whyml constant x : int goal G : x = 0 \/ x = 1 produces the following goal: .. code-block:: whyml constant x : int goal G : x = 1 .. why3:transform:: simplify_array Automatically rewrite the task using the lemma ``Select_eq`` of theory ``map.Map``. .. why3:transform:: simplify_formula Reduce trivial equalities ``t=t`` to true and then simplify propositional structure: removes ``true``, ``false``, simplifies ``f /\ f`` to ``f``, etc. .. why3:transform:: simplify_formula_and_task Apply :why3:transform:`simplify_formula` and remove the goal if it is equivalent to true. .. why3:transform:: simplify_recursive_definition Reduce mutually recursive definitions if they are not really mutually recursive, e.g., :: function f : ... = ... g ... with g : ... = e becomes :: function g : ... = e function f : ... = ... g ... if ``f`` does not occur in ``e``. .. why3:transform:: simplify_trivial_quantification Simplify quantifications of the form :: forall x, x = t -> P(x) into :: P(t) when ``x`` does not occur in ``t``. More generally, this simplification is applied whenever ``x=t`` or ``t=x`` appears in negative position. .. why3:transform:: simplify_trivial_quantification_in_goal Apply :why3:transform:`simplify_trivial_quantification`, but only in the goal. .. why3:transform:: split_all Perform both :why3:transform:`split_premise` and :why3:transform:`split_goal`. .. why3:transform:: split_all_full Perform both :why3:transform:`split_premise` and :why3:transform:`split_goal_full`. .. why3:transform:: split_goal Change conjunctive goals into the corresponding set of subgoals. In absence of case analysis attributes, the number of subgoals generated is linear in the size of the initial goal. The transformation treats specially asymmetric and ``by``/``so`` connectives. Asymmetric conjunction ``A && B`` in goal position is handled as syntactic sugar for ``A /\ (A -> B)``. The conclusion of the first subgoal can then be used to prove the second one. Asymmetric disjunction ``A || B`` in hypothesis position is handled as syntactic sugar for ``A \/ ((not A) /\ B)``. In particular, a case analysis on such hypothesis would give the negation of the first hypothesis in the second case. The ``by`` connective is treated as a proof indication. In hypothesis position, ``A by B`` is treated as if it were syntactic sugar for its regular interpretation ``A``. In goal position, it is treated as if ``B`` was an intermediate step for proving ``A``. ``A by B`` is then replaced by ``B`` and the transformation also generates a side-condition subgoal ``B -> A`` representing the logical cut. Although splitting stops at disjunctive points like symmetric disjunction and left-hand sides of implications, the occurrences of the ``by`` connective are not restricted. For instance: - Splitting :: goal G : (A by B) && C generates the subgoals :: goal G1 : B goal G2 : A -> C goal G3 : B -> A (* side-condition *) - Splitting :: goal G : (A by B) \/ (C by D) generates :: goal G1 : B \/ D goal G2 : B -> A (* side-condition *) goal G3 : D -> C (* side-condition *) - Splitting :: goal G : (A by B) || (C by D) generates :: goal G1 : B || D goal G2 : B -> A (* side-condition *) goal G3 : B || (D -> C) (* side-condition *) Note that due to the asymmetric disjunction, the disjunction is kept in the second side-condition subgoal. - Splitting :: goal G : exists x. P x by x = 42 generates :: goal G1 : exists x. x = 42 goal G2 : forall x. x = 42 -> P x (* side-condition *) Note that in the side-condition subgoal, the context is universally closed. The ``so`` connective plays a similar role in hypothesis position, as it serves as a consequence indication. In goal position, ``A so B`` is treated as if it were syntactic sugar for its regular interpretation ``A``. In hypothesis position, it is treated as if both ``A`` and ``B`` were true because ``B`` is a consequence of ``A``. ``A so B`` is replaced by ``A /\ B`` and the transformation also generates a side-condition subgoal ``A -> B`` corresponding to the consequence relation between formula. As with the ``by`` connective, occurrences of ``so`` are unrestricted. Examples: - Splitting :: goal G : (((A so B) \/ C) -> D) && E generates :: goal G1 : ((A /\ B) \/ C) -> D goal G2 : (A \/ C -> D) -> E goal G3 : A -> B (* side-condition *) - Splitting :: goal G : A by exists x. P x so Q x so R x by T x (* reads: A by (exists x. P x so (Q x so (R x by T x))) *) generates :: goal G1 : exists x. P x goal G2 : forall x. P x -> Q x (* side-condition *) goal G3 : forall x. P x -> Q x -> T x (* side-condition *) goal G4 : forall x. P x -> Q x -> T x -> R x (* side-condition *) goal G5 : (exists x. P x /\ Q x /\ R x) -> A (* side-condition *) In natural language, this corresponds to the following proof scheme for ``A``: There exists a ``x`` for which ``P`` holds. Then, for that witness ``Q`` and ``R`` also holds. The last one holds because ``T`` holds as well. And from those three conditions on ``x``, we can deduce ``A``. The transformations in the “split” family can be controlled by using attributes on formulas. The :why3:attribute:`[@stop_split]` attribute can be used to block the splitting of a formula. The attribute is removed after blocking, so applying the transformation a second time will split the formula. This is can be used to decompose the splitting process in several steps. Also, if a formula with this attribute is found in non-goal position, its ``by``/``so`` proof indication will be erased by the transformation. In a sense, formulas tagged by :why3:attribute:`[@stop_split]` are handled as if they were local lemmas. The :why3:attribute:`[@case_split]` attribute can be used to force case analysis on hypotheses. For instance, applying :why3:transform:`split_goal` on :: goal G : ([@case_split] A \/ B) -> C generates the subgoals :: goal G1 : A -> C goal G2 : B -> C Without the attribute, the transformation does nothing because undesired case analysis may easily lead to an exponential blow-up. Note that the precise behavior of splitting transformations in presence of the :why3:attribute:`[@case_split]` attribute is not yet specified and is likely to change in future versions. .. why3:transform:: split_goal_full Behave similarly to :why3:transform:`split_goal`, but also convert the goal to conjunctive normal form. The number of subgoals generated may be exponential in the size of the initial goal. .. why3:transform:: split_intro Perform both :why3:transform:`split_goal` and :why3:transform:`introduce_premises`. .. why3:transform:: split_premise Replace axioms in conjunctive form by an equivalent collection of axioms. In absence of case analysis attributes (see :why3:transform:`split_goal` for details), the number of axiom generated per initial axiom is linear in the size of that initial axiom. .. why3:transform:: split_premise_full Behave similarly to :why3:transform:`split_premise`, but also convert the axioms to conjunctive normal form. The number of axioms generated per initial axiom may be exponential in the size of the initial axiom. .. why3:transform:: subst Substitute a given constant using an equality found in the context. The constant is removed. For example, when applying ``subst x`` on the following goal .. code-block:: whyml constant x : int constant y : int constant z : int axiom h : x = y + 1 axiom h1 : z = (x + y) goal G : x = z the transformation first finds the hypothesis ``h`` that can be used to rewrite ``x``. Then, it replaces every occurrences of ``x`` with ``y + 1``. Finally, it removes ``h`` and ``x``. The resulting goal is as follows: .. code-block:: whyml constant y : int constant z : int axiom h1 : z = ((y + 1) + y) goal G : (y + 1) = z This transformation is used to make the task more easily readable by a human during debugging. This transformation should not help automatic provers at all as they generally implement substitution rules in their logic. .. why3:transform: subst_all Substitute all the variables that can be substituted. For example, applying ``subst_all`` on the following goal .. code-block:: whyml constant x : int constant x1 : int constant y : int constant z : int axiom h : x = (y + 1) axiom hx1 : x = x1 axiom h1 : z = (x + y) goal G : x = z produces the following goal, where ``x``, ``x1``, and ``z`` have been removed: .. code-block:: whyml constant y : int goal G : (y + 1) = ((y + 1) + y) The order in which constants are substituted is not specified. .. why3:transform:: unfold Unfold the definition of a logical symbol in the given hypothesis. For example, applying ``unfold p`` on the following goal .. code-block:: whyml predicate p (x:int) = x <= 22 axiom h : forall x:int. p x -> p (x - 1) goal G : p 21 produces the following goal: .. code-block:: whyml predicate p (x:int) = x <= 22 axiom h : forall x:int. p x -> p (x - 1) goal G : 21 <= 22 One can also unfold in the hypothesis, using ``unfold p in h``, which gives the following goal: .. code-block:: whyml predicate p (x:int) = x <= 22 axiom h : forall x:int. x <= 22 -> (x - 1) <= 22 goal G : 21 <= 22 .. why3:transform:: use_th Import a theory inside the current context. This is used, in some rare case, to reduced the size of the context in other goals, since importing a theory in the WhyML code would the theory available in all goals whereas the theory is only needed in one specific goal. For example, applying ``use_th int.Int`` on the following goal .. code-block:: whyml predicate p int goal G : p 5 imports the ``Int`` theory. So, one is able to use the addition over integers, e.g., ``replace 5 (2 + 3)``. Any lemma appearing in the imported theory can also be used. Note that axioms are also imported. So, this transformation should be used with care. We recommend to use only theories that do not contain any axiom because this transformation could easily make the context inconsistent. .. _sec.strategies: Proof Strategies ---------------- As seen in :numref:`sec.ideref`, the IDE provides a few buttons that trigger the run of simple proof strategies on the selected goals. Proof strategies can be defined using a basic assembly-style language, and put into the Why3 configuration file. The commands of this basic language are: - :samp:`c {p} {t} {m}` calls the prover *p* with a time limit *t* and memory limit *m*. On success, the strategy ends, it continues to next line otherwise. - :samp:`t {n} {lab}` applies the transformation *n*. On success, the strategy continues to label *lab*, and is applied to each generated sub-goals. It continues to next line otherwise. - :samp:`g {lab}` unconditionally jumps to label *lab*. - :samp:`{lab}:` declares the label *lab*. The default label ``exit`` stops the program. To examplify this basic programming language, we give below the default strategies that are attached to the default buttons of the IDE, assuming that the provers Alt-Ergo 2.3.0, CVC4 1.7 and Z3 4.8.4 were detected by the :why3:tool:`why3 config` command. Split_VC is bound to the 1-line strategy :: t split_vc exit Auto_level_0 is bound to :: c Z3,4.8.4, 1 1000 c Alt-Ergo,2.3.0, 1 1000 c CVC4,1.7, 1 1000 The three provers are tried for a time limit of 1 second and memory limit of 1 Gb, each in turn. This is a perfect strategy for a first attempt to discharge a new goal. Auto_level_1 is bound to :: c Z3,4.8.4, 5 1000 c Alt-Ergo,2.3.0, 5 1000 c CVC4,1.7, 5 1000 Same as Auto_level_0 but with 5 seconds instead of 1. Auto_level_2 is bound to :: start: c Z3,4.8.4, 1 1000 c Alt-Ergo,2.3.0, 1 1000 c CVC4,1.7, 1 1000 t split_vc start c Z3,4.8.4, 10 4000 c Alt-Ergo,2.3.0, 10 4000 c CVC4,1.7, 10 4000 The three provers are first tried for a time limit of 1 second and memory limit of 1 Gb, each in turn. If none of them succeed, a split is attempted. If the split works then the same strategy is retried on each sub-goals. If the split does not succeed, the provers are tried again with larger limits. Auto level 3 is bound to :: start: c Z3,4.8.4, 1 1000 c Eprover,2.0, 1 1000 c Spass,3.7, 1 1000 c Alt-Ergo,2.3.0, 1 1000 c CVC4,1.7, 1 1000 t split_vc start c Z3,4.8.4, 5 2000 c Eprover,2.0, 5 2000 c Spass,3.7, 5 2000 c Alt-Ergo,2.3.0, 5 2000 c CVC4,1.7, 5 2000 t introduce_premises afterintro afterintro: t inline_goal afterinline g trylongertime afterinline: t split_all_full start trylongertime: c Z3,4.8.4, 30 4000 c Eprover,2.0, 30 4000 c Spass,3.7, 30 4000 c Alt-Ergo,2.3.0, 30 4000 c CVC4,1.7, 30 4000 Notice that now 5 provers are used. The provers are first tried for a time limit of 1 second and memory limit of 1 Gb, each in turn. If none of them succeed, a split is attempted. If the split works then the same strategy is retried on each sub-goals. If the split does not succeed, the prover are tried again with limits of 5 s and 2 Gb. If all fail, we attempt the transformation of introduction of premises in the context, followed by an inlining of the definitions in the goals. We then attempt a split again, if the split succeeds, we restart from the beginning, if it fails then provers are tried again with 30s and 4 Gb. .. _sec.attributes: WhyML Attributes ---------------- .. why3:attribute:: case_split .. why3:attribute:: cfg:stackify .. why3:attribute:: cfg:subregion_analysis .. why3:attribute:: extraction:inline If the name of a function is labeled with this attribute, its body will be inlined at every call site during extraction (see :numref:`sec.extract`). This is especially useful for trivial wrapper functions whose only purpose is to provide a slightly different specification from the original function. .. why3:attribute:: extraction:likely This attribute can be applied to a Boolean expression to indicate whether it is likely to be true. This is used at extraction time (see :numref:`sec.extract`), assuming the target language supports it. For example, when extracting to C, the extracted expression will be tagged with ``__builtin_expect``. .. why3:attribute:: extraction:unlikely This attribute can be applied to a Boolean expression to indicate whether it is likely to be false. This is the opposite of :why3:attribute:`extraction:likely`. .. why3:attribute:: induction .. why3:attribute:: infer .. why3:attribute:: inline:trivial .. why3:attribute:: model_trace .. why3:attribute:: rewrite .. why3:attribute:: stop_split .. why3:attribute:: vc:annotation This attribute is added by the VC generator, on the user input formulas which become goals to prove in the resulting VC. It should not be added manually. .. why3:attribute:: vc:divergent This attribute indicates whether VCs for termination should be generated. See :numref:`sec.terminationvc` for details. .. why3:attribute:: vc:keep_precondition This attribute indicates whether preconditions of calls should be kept as assumptions for the program after the call. See :numref:`sec.keeppreconditions` for details. .. why3:attribute:: vc:sp This attribute, put on a WhyML expression, locally switches the VC generator to the SP mode, for that expression. See :numref:`sec.strongestpostconditions` for details. .. why3:attribute:: vc:white_box This attribute is added by the Why3 parser for contract attached to an expression in WhyML code. Such a contract is indeed encoded by a local function with this attribute. It is for internal use only and should never be added manually. .. why3:attribute:: vc:wp This attribute, put on a WhyML expression, locally switches the VC generator to the WP mode, for that expression. See :numref:`sec.strongestpostconditions` for details. .. _sec.metas: Why3 Metas ---------- .. why3:meta:: compute_max_steps .. why3:meta:: keep:literal .. why3:meta:: realized_theory .. why3:meta:: rewrite .. why3:meta:: rewrite_def .. why3:meta:: vc:proved_wf Declares an hypothesis as a proof of well-foundness of a binary relation. See section :numref:`sec.custom_wf`. .. _sec.debug: Debug Flags ----------- The list of debug flags can be obtained using :file:`why3 --list-debug-flags`. The following excerpt is the list of flags mentioned in this manual. .. why3:debug:: infer:loop .. why3:debug:: infer:print_ai_result .. why3:debug:: infer:print_cfg .. why3:debug:: print:inferred_invs .. why3:debug:: print:domains_loop .. why3:debug:: stack_trace Structure of Session Files -------------------------- The proof session state is stored in an XML file named :file:`{dir}/why3session.xml`, where *dir* is the directory of the project. The XML file follows the DTD given in :file:`share/why3session.dtd` and reproduced below. .. literalinclude:: ../share/why3session.dtd :language: dtd .. _sec.jsonce: Structure of Counterexamples ---------------------------- Generated counterexamples can be exported in JSON format. The JSON output follows the JSON Schema given in :file:`share/ce-models.json` and reproduced below. .. literalinclude:: ../share/ce-models.json :language: json Developer Documentation ----------------------- Updating messages for syntax errors ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ Here is the developer's recipe to update a syntax error message. We do it on the following illustrative example. .. code-block:: whyml function let int : int If such a file is passed to Why3, one obtains: :: File "bench/parsing/bad/498_function.mlw", line 1, characters 9-12: syntax error The recipe given here provides a way to produce a more informative message. It is based on handcrafted error messages provided by the `Menhir <http://gallium.inria.fr/~fpottier/menhir/>`_ parser generator. The first step is to call :program:`menhir` with option ``--interpret-error`` while giving as input the erroneous input, under the form of a sequence of tokens as generated by :file:`src/parser/lexer.mll`. .. code-block:: console $ echo "decl_eof: FUNCTION LET" | menhir --base src/parser/parser --interpret-error src/parser/parser_common.mly src/parser/parser.mly decl_eof: FUNCTION LET ## ## Ends in an error in state: 1113. ## ## pure_decl -> FUNCTION . function_decl list(with_logic_decl) [ VAL USE TYPE THEORY SCOPE PREDICATE MODULE META LET LEMMA INDUCTIVE IMPORT GOAL FUNCTION EXCEPTION EOF END CONSTANT COINDUCTIVE CLONE AXIOM ] ## ## The known suffix of the stack is as follows: ## FUNCTION ## <YOUR SYNTAX ERROR MESSAGE HERE> The text returned by that command should be appended to :file:`src/parser/handcrafted.messages`, with of course an appropriate error message, such as this one: :: expected function name must be a non-reserved uncapitalized identifier (token LIDENT_NQ), found "$0" ��������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������why3-1.6.0/doc/vcgen.rst����������������������������������������������������������������������������0000664�0000000�0000000�00000031163�14401600263�0015011�0����������������������������������������������������������������������������������������������������ustar�00root����������������������������root����������������������������0000000�0000000������������������������������������������������������������������������������������������������������������������������������������������������������������������������.. _chap.vcgen: The VC Generators ================= This chapter gives information about the various processes that generate the so-called verification conditions, VC for short, from WhyML code. Program Functions ----------------- For each program function of the form .. parsed-literal:: let *f* (*x*:sub:`1`: *t*:sub:`1`) ... (*x*:sub:`n`: *t*:sub:`n`): *t* requires { *Pre* } ensures { *Post* } = *body* a new logic goal called ``f'VC`` is generated. Its shape is .. math:: \forall x_1,\dots,x_n,\quad \mathit{Pre} \Rightarrow \mathit{WP}(\mathit{body},\mathit{Post}) where :math:`\mathit{WP}(e,Q)` is a formula computed automatically using rules defined recursively on :math:`e`. The name :math:`\mathit{WP}` stands for Weakest Precondition, and its computation rules are directly inspired from the original Weakest Precondition Calculus of Dijkstra. Yet, due to the particular nature of the WhyML expression language, and the underlying concept of regions to identify side effects, the computation rules for :math:`\mathit{WP}` are specific to WhyML, and described in detail in a report by Filliâtre, Gondelman and Paskevich :cite:`gondelman16reg`. Controlling the VC generation ----------------------------- The generation of VCs can be controlled by the user, in particular using attributes put inside the WhyML source code. These attributes are :why3:attribute:`[@vc:divergent]`, :why3:attribute:`[@vc:sp]`, :why3:attribute:`[@vc:wp]` and :why3:attribute:`[@vc:keep_precondition]`. Their effects are detailed below. .. _sec.strongestpostconditions: Reducing size of VCs using Strongest Postconditions ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ It is known that the original form of WP calculi can possibly generate formulas that are of exponential size in function of the size of the corresponding program. Yet, there are known techniques to avoid this exponential explosion :cite:`flanagan01popl`. Why3 implements its own specific variation, which can be invoked on a per-expression basis. In other words, this variant calculus can be activated locally on any program expression, by putting the :why3:attribute:`[@vc:sp]` attribute on that expression. Yet, the simplest usage is to pose this attribute on the whole body of a program function. The usage of the SP variant is in particular recommended in presence of sequence of if statements. As an example, consider the simple code below. .. code-block:: whyml predicate p int let f (x:int) (y:int) : int ensures { p result } = let ref r = 0 in if 0 < x then r <- r + 1 else r <- r + 2; if 0 < y then r <- r + 3 else r <- r + 4; r With the default calculus, the VC for :code:`f` is .. code-block:: whyml forall x:int, y:int. if 0 < x then forall r:int. r = (0 + 1) -> (if 0 < y then forall r1:int. r1 = (r + 3) -> p r1 else forall r1:int. r1 = (r + 4) -> p r1) else forall r:int. r = (0 + 2) -> (if 0 < y then forall r1:int. r1 = (r + 3) -> p r1 else forall r1:int. r1 = (r + 4) -> p r1) which contains 4 occurrences of the post-condition :code:`p r1`. With the :why3:attribute:`[@vc:sp]` attribute just before the line :code:`let ref r = 0 in`, the VC is now .. code-block:: whyml forall x:int, y:int. forall r:int. (if 0 < x then r = (0 + 1) else r = (0 + 2)) -> (forall r1:int. (if 0 < y then r1 = (r + 3) else r1 = (r + 4)) -> p r1) which has only one occurrence of the post-condition :code:`p r1`. The idea is that the strongest post-condition of each if statement was computed and used as an assumption for the rest of the VC. Note that inside an expression annotated with :why3:attribute:`[@vc:sp]`, it is possible to switch back to the default WP mode for a given sub-expression by annotating it with the attribute :why3:attribute:`[@vc:wp]` .. _sec.terminationvc: Ignoring checks for termination ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ By default, Why3 generates VCs for ensuring the termination of loops and recursive calls. For example, on the program .. code-block:: whyml let f1 (x:int) : int = let ref r = 100 in while r > 0 do r <- r - x done; r Why3 issues a warning saying that the termination of the loop cannot be proved, and the generated VC indeed contains the formula :code:`false` to prove. On the one hand, if the loop is effectively terminating, it is expected to have a :code:`variant`. On the other hand, if a program like this is indeed intentionally not terminating, it is expected that its contract contains the clause :code:`diverges` that makes the non-termination explicit. This exposition of potential non-termination is propagated to callers, e.g., if continuing the same example one writes .. code-block:: whyml let f1 (x:int) : int diverges = let ref r = 100 in while r > 0 do r <- r - x done; r let g1 () = f 3 then no warning is issued for :code:`f1`, and its VC does not contain :code:`false` to be proved, but the warning will be issued for :code:`g1`, and the VC for :code:`g1` contains :code:`false` to be proved. The :code:`diverges` clause must be added in the contract of :code:`g1` too. Note that putting the :code:`diverges` clause in the contract of a function triggers an error when the function contains neither variant-free loops nor variant-free recursive calls nor calls to diverging functions. This behavior might be annoying for code generators, so they can put the attribute :why3:attribute:`[@vc:divergent]` on the body of the function, in place of the :code:`diverges` clause: .. code-block:: whyml let f2 (x:int) : int = [@vc:divergent] 100 - x Note that :why3:attribute:`[@vc:divergent]` has the same effect as :code:`diverges`, which means that :code:`f2` is now assumed to be diverging for functions that call it. As a consequence, the following code will again trigger a warning about the potentially non-terminating call to :code:`f2`. .. code-block:: whyml let g2 () = f2 7 .. _sec.custom_wf: Using a custom well-founded relation for termination ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ Variants for termination can be associated to a specific ordering relation, thanks to the keyword :code:`with`. The following example illustrates this feature on a loop on bitvectors. .. code-block:: whyml use bv.BV32 let f () = let ref b = (42 : BV32.t) in while BV32.sgt b (0:BV32.t) do variant { b with BV32.slt } b <- BV32.sub b (1:BV32.t) done For the termination proof to be complete, the given ordering :math:`r` must be proved well-founded. In fact, it suffices to prove that, whenever proving :math:`r~x~y`, the term :math:`y` is accessible by :math:`r`. The VC generator introduces a proof obligation for that. A binary relation may be proved well-founded once and for all. In that case, one should add the meta :why3:meta:`vc:proved_wf` to the goal proving this fact. It will prevent the VC generator to introduce any accessibility obligation whenever this relation is used in a variant clause. The default orderings used in variant clause (on integers, range types, or algebraic types) are known to be well-founded by Why3, and so are the strict ordering relations on bitvectors, as in the example above. .. _sec.keeppreconditions: Keeping preconditions of calls in the logical context ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ When calling a function :code:`f` in a WhyML expression, a VC is generated to check that the precondition of :code:`f` holds, for the given values of its parameters. Meanwhile, the VCs generated for the subsequent parts of the WhyML are not explicitly given the assumption that this precondition was valid. An example is as follows .. code-block:: whyml let f (x:int) : int requires { x > 7 } = x-1 let g1 (y:int) = let _ = f y in assert { y > 0 } On this code, after splitting the VC for :code:`g1`, none of the two subgoals generated are provable: the pre-condition of the call to :code:`f` is naturally not provable, neither is the assertion. On the contrary, if one writes .. code-block:: whyml let g2 (y:int) = let _ = [@vc:keep_precondition] f y in assert { y > 0 } then the pre-condition of the call to :code:`f` is known to hold after the call, making the assertion provable. Type Invariants --------------- When a record type is given an invariant, that invariant must hold on any value of that type occurring in the considered program. It means that when a value of this type is a parameter of a function, its invariant is assumed to hold. When a value of this type is constructed in the program, a check is inserted in the VC to ensure the validity of the invariant. Additionally, a verification condition is generated from the type declaration itself, to ensure that the type is inhabited, that is to ensure that there exist values for the record fields for which the invariant holds. Proving the existence of such values might be a difficult task for an automated prover. To help the proof of this VC, the user can provide a witness for a possible inhabitant, using the :code:`by` keyword. Lemma Functions --------------- A useful facility to state and prove logical statements is provided by the so-called lemma function mechanism. The principle is to add the keyword :code:`lemma` to a program function, under the following general shape. .. parsed-literal:: let lemma f (*x*:sub:`1`: *t*:sub:`1`) ... (*x*:sub:`n`: *t*:sub:`n`): unit requires { *Pre* } ensures { *Post* } = *body* In that case, the VC generated for :code:`f` is inserted as known logical fact in the context of the remaining goals of the considered WhyML module. For this to work, the function must have no side effects, be provably terminating, and return :code:`unit`. The generated fact is then .. math:: \forall x_1,\dots,x_n,\quad \mathit{Pre} \Rightarrow \mathit{Post} In particular, when the code of the function is recursive, it simulates a proof by induction. .. _sec.runwithinferloop: Automatic Inference of Loop Invariants -------------------------------------- Why3 can be executed with support for inferring loop invariants :cite:`baudin17` (see :numref:`sec.installinferloop` for information about the compilation of Why3 with support for `infer-loop`). There are two ways of enabling the inference of loop invariants: by passing the debug flag :why3:debug:`infer:loop` to Why3 or by annotating ``let`` declarations with the :why3:attribute:`[@infer]` attribute. Below is an example on how to invoke Why3 such that invariants are inferred for all the loops in the given file. :: why3 ide tests/infer/incr.mlw --debug=infer:loop In this case, the *Polyhedra* default domain will be used together with the default widening value of *3*. Why3 GUI will not display the inferred invariants in the source code, but the VCs corresponding to those invariants will be displayed and labeled with the ``infer-loop`` keyword as shown in :numref:`fig.gui.infer`. .. _fig.gui.infer: .. figure:: images/gui-infer.png :alt: The GUI with inferred invariants (after split). The GUI with inferred invariants (after split). Alternatively, attributes can be used in ``let`` declarations so that invariants are inferred for all the loops in that declaration. In this case, it is possible to select the desired domain and widening value. In the example below, invariants will be inferred using the *Polyhedra* domain and a widening value of *4*. These two arguments of the attribute can swapped, for instance, ``[@infer:Polyhedra:4]`` will produce exactly the same invariants. .. code-block:: whyml module Incr use int.Int use int.MinMax use ref.Ref use ref.Refint let incr[@infer:4:Polyhedra](x:int) : int ensures { result = max x 0 } = let i = ref 0 in while !i < x do variant { x - !i } incr i; done; !i end There are a few debugging flags that can be passed to Why3 to output additional information about the inference of loop invariants. Flag :why3:debug:`infer:print_cfg` will print the Control Flow Graph (CFG) used for abstract interpretation in a file with the name :file:`inferdbg.dot`; :why3:debug:`infer:print_ai_result` will print to the standard output the computed abstract values at each point of the CFG; :why3:debug:`print:inferred_invs` will print the inferred invariants to the standard output (note that the displayed identifiers names might not be consistent with those in the initial program); finally, :why3:debug:`print:domains_loop` will print for each loop the loop expression, the domain at that point, and its translation into a Why3 term. Current limitations ~~~~~~~~~~~~~~~~~~~ 1. Loop invariants can only be inferred for loops inside (non-recursive) ``let`` declarations. �������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������why3-1.6.0/doc/why3ide-doc.conf���������������������������������������������������������������������0000664�0000000�0000000�00000001665�14401600263�0016147�0����������������������������������������������������������������������������������������������������ustar�00root����������������������������root����������������������������0000000�0000000������������������������������������������������������������������������������������������������������������������������������������������������������������������������[partial_prover] name = "Alt-Ergo" path = "alt-ergo-2.3.3" version = "2.3.3" [partial_prover] name = "Coq" path = "coqtop" version = "8.16.1" [partial_prover] name = "CVC4" path = "cvc4-1.7" version = "1.7" [editor coqide] command = "true %f" name = "CoqIDE" [ide] allow_source_editing = true auto_next = true current_tab = 0 error_color_bg = "white" error_color_fg = "red" error_color_msg_zone_bg = "yellow" error_color_msg_zone_fg = "red" error_line_color = "yellow" font_size = 10 goal_color = "gold" iconset = "fatcow" max_boxes = 16 neg_premise_color = "pink" premise_color = "chartreuse" print_attributes = false print_coercions = true print_locs = false print_time_limit = false saving_policy = 2 search_color = "lightblue" show_full_context = false task_height = 220 tree_width = 384 verbose = 0 window_height = 768 window_width = 1024 [main] default_editor = "emacs %f" magic = 14 memlimit = 1000 running_provers_max = 2 timelimit = 5 ���������������������������������������������������������������������������why3-1.6.0/doc/whyml.rst����������������������������������������������������������������������������0000664�0000000�0000000�00000115715�14401600263�0015055�0����������������������������������������������������������������������������������������������������ustar�00root����������������������������root����������������������������0000000�0000000������������������������������������������������������������������������������������������������������������������������������������������������������������������������.. _chap.whyml: Why3 by Examples ================ This chapter describes the WhyML specification and programming language. A WhyML source file has suffix :file:`.mlw`. It contains a list of modules. Each module contains a list of declarations. These include - Logical declarations: - types (abstract, record, or algebraic data types); - functions and predicates; - axioms, lemmas, and goals. - Program data types. In a record type declaration, some fields can be declared ``mutable`` and/or ``ghost``. Additionally, a record type can be declared ``abstract`` (its fields are only visible in ghost code / specification). - Program declarations and definitions. Programs include many constructs with no counterpart in the logic: - mutable field assignment; - sequence; - loops; - exceptions; - local and anonymous functions; - ghost parameters and ghost code; - annotations: pre- and postconditions, assertions, loop invariants. A program may be non-terminating. (But termination can be proved if we wish.) Command-line tools described in the previous chapter also apply to files containing programs. For instance :: why3 prove myfile.mlw displays the verification conditions for programs contained in file :file:`myfile.mlw`, and :: why3 prove -P alt-ergo myfile.mlw runs the SMT solver Alt-Ergo on these verification conditions. All this can be performed within the GUI tool :why3:tool:`why3 ide` as well. See :numref:`chap.manpages` for more details regarding command lines. As an introduction to WhyML, we use a small logical puzzle (:numref:`sec.einstein`) and then the five problems from the VSTTE 2010 verification competition :cite:`vstte10comp`. The source code for all these examples is contained in Why3’s distribution, in sub-directory :file:`examples/`. Look for files :file:`logic/einstein.why` and :file:`vstte10_xxx.mlw`. .. index:: Einstein’s problem .. _sec.einstein: Problem 0: Einstein’s Problem ----------------------------- Let us use Why3 to solve a little puzzle known as “Einstein’s logic problem”. (This Why3 example was contributed by Stéphane Lescuyer.) The problem is stated as follows. Five persons, of five different nationalities, live in five houses in a row, all painted with different colors. These five persons own different pets, drink different beverages, and smoke different brands of cigars. We are given the following information: - The Englishman lives in a red house; - The Swede has dogs; - The Dane drinks tea; - The green house is on the left of the white one; - The green house’s owner drinks coffee; - The person who smokes Pall Mall has birds; - The yellow house’s owner smokes Dunhill; - In the house in the center lives someone who drinks milk; - The Norwegian lives in the first house; - The man who smokes Blends lives next to the one who has cats; - The man who owns a horse lives next to the one who smokes Dunhills; - The man who smokes Blue Masters drinks beer; - The German smokes Prince; - The Norwegian lives next to the blue house; - The man who smokes Blends has a neighbour who drinks water. The question is: What is the nationality of the fish’s owner? We start by introducing a general-purpose theory defining the notion of *bijection*, as two abstract types together with two functions from one to the other and two axioms stating that these functions are inverse of each other. .. code-block:: whyml theory Bijection type t type u function of t : u function to_ u : t axiom To_of : forall x : t. to_ (of x) = x axiom Of_to : forall y : u. of (to_ y) = y end We now start a new theory, ``Einstein``, which will contain all the individuals of the problem. .. code-block:: whyml theory Einstein First, we introduce enumeration types for houses, colors, persons, drinks, cigars, and pets. .. code-block:: whyml type house = H1 | H2 | H3 | H4 | H5 type color = Blue | Green | Red | White | Yellow type person = Dane | Englishman | German | Norwegian | Swede type drink = Beer | Coffee | Milk | Tea | Water type cigar = Blend | BlueMaster | Dunhill | PallMall | Prince type pet = Birds | Cats | Dogs | Fish | Horse We now express that each house is associated bijectively to a color, by *cloning* the ``Bijection`` theory appropriately. .. code-block:: whyml clone Bijection as Color with type t = house, type u = color Cloning a theory makes a copy of all its declarations, possibly in combination with a user-provided substitution (see :numref:`Module Cloning`). Here we substitute type ``house`` for type ``t`` and type ``color`` for type ``u``. As a result, we get two new functions, namely ``Color.of`` and ``Color.to_``, from houses to colors and colors to houses, respectively, and two new axioms relating them. Similarly, we express that each house is associated bijectively to a person .. code-block:: whyml clone Bijection as Owner with type t = house, type u = person and that drinks, cigars, and pets are all associated bijectively to persons: .. code-block:: whyml clone Bijection as Drink with type t = person, type u = drink clone Bijection as Cigar with type t = person, type u = cigar clone Bijection as Pet with type t = person, type u = pet Next, we need a way to state that a person lives next to another. We first define a predicate ``leftof`` over two houses. .. code-block:: whyml predicate leftof (h1 h2 : house) = match h1, h2 with | H1, H2 | H2, H3 | H3, H4 | H4, H5 -> true | _ -> false end Note how we advantageously used pattern matching, with an or-pattern for the four positive cases and a universal pattern for the remaining 21 cases. It is then immediate to define a ``neighbour`` predicate over two houses, which completes theory ``Einstein``. .. code-block:: whyml predicate rightof (h1 h2 : house) = leftof h2 h1 predicate neighbour (h1 h2 : house) = leftof h1 h2 \/ rightof h1 h2 end The next theory contains the 15 hypotheses. It starts by importing theory ``Einstein``. .. code-block:: whyml theory EinsteinHints use Einstein Then each hypothesis is stated in terms of ``to_`` and ``of`` functions. For instance, the hypothesis “The Englishman lives in a red house” is declared as the following axiom. .. code-block:: whyml axiom Hint1: Color.of (Owner.to_ Englishman) = Red And so on for all other hypotheses, up to “The man who smokes Blends has a neighbour who drinks water”, which completes this theory. .. code-block:: whyml ... axiom Hint15: neighbour (Owner.to_ (Cigar.to_ Blend)) (Owner.to_ (Drink.to_ Water)) end Finally, we declare the goal in a fourth theory: .. code-block:: whyml theory Problem use Einstein use EinsteinHints goal G: Pet.to_ Fish = German end and we can use Why3 to discharge this goal with any prover of our choice. .. code-block:: console $ why3 prove -P alt-ergo einstein.why einstein.why Goals G: Valid (1.27s, 989 steps) The source code for this puzzle is available in the source distribution of Why3, in file :file:`examples/logic/einstein.why`. .. _sec.maxandsum: Problem 1: Sum and Maximum -------------------------- Let us now move to the problems of the VSTTE 2010 verification competition :cite:`vstte10comp`. The first problem is stated as follows: Given an :math:`N`-element array of natural numbers, write a program to compute the sum and the maximum of the elements in the array. We assume :math:`N \ge 0` and :math:`a[i] \ge 0` for :math:`0 \le i < N`, as precondition, and we have to prove the following postcondition: .. math:: sum \le N \times max. In a file :file:`max_sum.mlw`, we start a new module: .. code-block:: whyml module MaxAndSum We are obviously needing arithmetic, so we import the corresponding theory, exactly as we would do within a theory definition: .. code-block:: whyml use int.Int We are also going to use references and arrays from Why3 standard library, so we import the corresponding modules: .. code-block:: whyml use ref.Ref use array.Array Modules ``Ref`` and ``Array`` respectively provide a type ``ref ’a`` for references and a type ``array ’a`` for arrays, together with useful operations and traditional syntax. They are loaded from the WhyML files :file:`ref.mlw` and :file:`array.mlw` in the standard library. We are now in position to define a program function ``max_sum``. A function definition is introduced with the keyword ``let``. In our case, it introduces a function with two arguments, an array ``a`` and its size ``n``: .. code-block:: whyml let max_sum (a: array int) (n: int) : (int, int) = ... (There is a function ``length`` to get the size of an array but we add this extra parameter ``n`` to stay close to the original problem statement.) The function body is a Hoare triple, that is a precondition, a program expression, and a postcondition. .. code-block:: whyml let max_sum (a: array int) (n: int) : (int, int) requires { n = length a } requires { forall i. 0 <= i < n -> a[i] >= 0 } ensures { let (sum, max) = result in sum <= n * max } = ... expression ... The first precondition expresses that ``n`` is equal to the length of ``a`` (this will be needed for verification conditions related to array bound checking). The second precondition expresses that all elements of ``a`` are non-negative. The postcondition decomposes the value returned by the function as a pair of integers ``(sum, max)`` and states the required property. .. code-block:: whyml returns { sum, max -> sum <= n * max } We are now left with the function body itself, that is a code computing the sum and the maximum of all elements in ``a``. With no surprise, it is as simple as introducing two local references .. code-block:: whyml let sum = ref 0 in let max = ref 0 in scanning the array with a ``for`` loop, updating ``max`` and ``sum`` .. code-block:: whyml for i = 0 to n - 1 do if !max < a[i] then max := a[i]; sum := !sum + a[i] done; and finally returning the pair of the values contained in ``sum`` and ``max``: .. code-block:: whyml !sum, !max This completes the code for function ``max_sum``. As such, it cannot be proved correct, since the loop is still lacking a loop invariant. In this case, the loop invariant is as simple as ``!sum <= i * !max``, since the postcondition only requires us to prove ``sum <= n * max``. The loop invariant is introduced with the keyword ``invariant``, immediately after the keyword ``do``: .. code-block:: whyml for i = 0 to n - 1 do invariant { !sum <= i * !max } ... done There is no need to introduce a variant, as the termination of a ``for`` loop is automatically guaranteed. This completes module ``MaxAndSum``, shown below. .. code-block:: whyml module MaxAndSum use int.Int use ref.Ref use array.Array let max_sum (a: array int) (n: int) : (int, int) requires { n = length a } requires { forall i. 0 <= i < n -> a[i] >= 0 } returns { sum, max -> sum <= n * max } = let sum = ref 0 in let max = ref 0 in for i = 0 to n - 1 do invariant { !sum <= i * !max } if !max < a[i] then max := a[i]; sum := !sum + a[i] done; !sum, !max end We can now proceed to its verification. Running :program:`why3`, or better :why3:tool:`why3 ide`, on file :file:`max_sum.mlw` shows a single verification condition with name ``WP max_sum``. Discharging this verification condition requires a little bit of non-linear arithmetic. Thus some SMT solvers may fail at proving it, but other succeed, *e.g.*, CVC4. Note: It is of course possible to *execute* the code to test it, before or after you prove it correct. This is detailed in :numref:`sec.execute`. .. index:: auto-dereference .. rubric:: Auto-dereference Why3 features an auto-dereferencing mechanism, which simplifies the use of references. When a reference is introduced using ``let ref x`` (instead of ``let x = ref``), the use of operator ``!`` to access its value is not needed anymore. For instance, we can rewrite the program above as follows (the contract being unchanged and omitted): .. code-block:: whyml let max_sum (a: array int) (n: int) : (sum: int, max: int) = let ref sum = 0 in let ref max = 0 in for i = 0 to n - 1 do invariant { sum <= i * max } if max < a[i] then max <- a[i]; sum <- sum + a[i] done; sum, max Note that use of operator ``<-`` for assignment (instead of ``:=``) and the absence of ``!`` both in the loop invariant and in the program. See :numref:`auto-dereference` for more details about the auto-dereferencing mechanism. Problem 2: Inverting an Injection --------------------------------- The second problem is stated as follows: Invert an injective array :math:`A` on :math:`N` elements in the subrange from :math:`0` to :math:`N - 1`, the output array :math:`B` must be such that :math:`B[A[i]] = i` for :math:`0 \le i < N`. The code is immediate, since it is as simple as .. code-block:: whyml for i = 0 to n - 1 do b[a[i]] <- i done so it is more a matter of specification and of getting the proof done with as much automation as possible. In a new file, we start a new module and we import arithmetic and arrays: .. code-block:: whyml module InvertingAnInjection use int.Int use array.Array It is convenient to introduce predicate definitions for the properties of being injective and surjective. These are purely logical declarations: .. code-block:: whyml predicate injective (a: array int) (n: int) = forall i j. 0 <= i < n -> 0 <= j < n -> i <> j -> a[i] <> a[j] predicate surjective (a: array int) (n: int) = forall i. 0 <= i < n -> exists j: int. (0 <= j < n /\ a[j] = i) It is also convenient to introduce the predicate “being in the subrange from 0 to :math:`n-1`”: .. code-block:: whyml predicate range (a: array int) (n: int) = forall i. 0 <= i < n -> 0 <= a[i] < n Using these predicates, we can formulate the assumption that any injective array of size :math:`n` within the range :math:`0..n-1` is also surjective: .. code-block:: whyml lemma injective_surjective: forall a: array int, n: int. injective a n -> range a n -> surjective a n We declare it as a lemma rather than as an axiom, since it is actually provable. It requires induction and can be proved using the Coq proof assistant for instance. Finally we can give the code a specification, with a loop invariant which simply expresses the values assigned to array ``b`` so far: .. code-block:: whyml let inverting (a: array int) (b: array int) (n: int) requires { n = length a = length b } requires { injective a n /\ range a n } ensures { injective b n } = for i = 0 to n - 1 do invariant { forall j. 0 <= j < i -> b[a[j]] = j } b[a[i]] <- i done Here we chose to have array ``b`` as argument; returning a freshly allocated array would be equally simple. The whole module is given below. The verification conditions for function ``inverting`` are easily discharged automatically, thanks to the lemma. .. code-block:: whyml module InvertingAnInjection use int.Int use array.Array predicate injective (a: array int) (n: int) = forall i j. 0 <= i < n -> 0 <= j < n -> i <> j -> a[i] <> a[j] predicate surjective (a: array int) (n: int) = forall i. 0 <= i < n -> exists j: int. (0 <= j < n /\ a[j] = i) predicate range (a: array int) (n: int) = forall i. 0 <= i < n -> 0 <= a[i] < n lemma injective_surjective: forall a: array int, n: int. injective a n -> range a n -> surjective a n let inverting (a: array int) (b: array int) (n: int) requires { n = length a = length b } requires { injective a n /\ range a n } ensures { injective b n } = for i = 0 to n - 1 do invariant { forall j. 0 <= j < i -> b[a[j]] = j } b[a[i]] <- i done end Problem 3: Searching a Linked List ---------------------------------- The third problem is stated as follows: Given a linked list representation of a list of integers, find the index of the first element that is equal to 0. More precisely, the specification says You have to show that the program returns an index *i* equal to the length of the list if there is no such element. Otherwise, the *i*-th element of the list must be equal to 0, and all the preceding elements must be non-zero. Since the list is not mutated, we can use the algebraic data type of polymorphic lists from Why3’s standard library, defined in theory ``list.List``. It comes with other handy theories: ``list.Length``, which provides a function ``length``, and ``list.Nth``, which provides a function ``nth`` for the nth element of a list. The latter returns an option type, depending on whether the index is meaningful or not. .. code-block:: whyml module SearchingALinkedList use int.Int use option.Option use export list.List use export list.Length use export list.Nth It is helpful to introduce two predicates: a first one for a successful search, .. code-block:: whyml predicate zero_at (l: list int) (i: int) = nth i l = Some 0 /\ forall j. 0 <= j < i -> nth j l <> Some 0 and a second one for a non-successful search, .. code-block:: whyml predicate no_zero (l: list int) = forall j. 0 <= j < length l -> nth j l <> Some 0 We are now in position to give the code for the search function. We write it as a recursive function ``search`` that scans a list for the first zero value: .. code-block:: whyml let rec search (i: int) (l: list int) : int = match l with | Nil -> i | Cons x r -> if x = 0 then i else search (i+1) r end Passing an index ``i`` as first argument allows to perform a tail call. A simpler code (yet less efficient) would return 0 in the first branch and ``1 + search ...`` in the second one, avoiding the extra argument ``i``. We first prove the termination of this recursive function. It amounts to giving it a *variant*, that is a value that strictly decreases at each recursive call with respect to some well-founded ordering. Here it is as simple as the list ``l`` itself: .. code-block:: whyml let rec search (i: int) (l: list int) : int variant { l } = ... It is worth pointing out that variants are not limited to values of algebraic types. A non-negative integer term (for example, ``length l``) can be used, or a term of any other type equipped with a well-founded order relation. Several terms can be given, separated with commas, for lexicographic ordering. There is no precondition for function ``search``. The postcondition expresses that either a zero value is found, and consequently the value returned is bounded accordingly, .. code-block:: whyml i <= result < i + length l /\ zero_at l (result - i) or no zero value was found, and thus the returned value is exactly ``i`` plus the length of ``l``: .. code-block:: whyml result = i + length l /\ no_zero l Solving the problem is simply a matter of calling ``search`` with 0 as first argument. The code is given below. The verification conditions are all discharged automatically. .. code-block:: whyml module SearchingALinkedList use int.Int use export list.List use export list.Length use export list.Nth predicate zero_at (l: list int) (i: int) = nth i l = Some 0 /\ forall j. 0 <= j < i -> nth j l <> Some 0 predicate no_zero (l: list int) = forall j. 0 <= j < length l -> nth j l <> Some 0 let rec search (i: int) (l: list int) : int variant { l } ensures { (i <= result < i + length l /\ zero_at l (result - i)) \/ (result = i + length l /\ no_zero l) } = match l with | Nil -> i | Cons x r -> if x = 0 then i else search (i+1) r end let search_list (l: list int) : int ensures { (0 <= result < length l /\ zero_at l result) \/ (result = length l /\ no_zero l) } = search 0 l end Alternatively, we can implement the search with a ``while`` loop. To do this, we need to import references from the standard library, together with theory ``list.HdTl`` which defines functions ``hd`` and ``tl`` over lists. .. code-block:: whyml use ref.Ref use list.HdTl Being partial functions, ``hd`` and ``tl`` return options. For the purpose of our code, though, it is simpler to have functions which do not return options, but have preconditions instead. Such a function ``head`` is defined as follows: .. code-block:: whyml let head (l: list 'a) : 'a requires { l <> Nil } ensures { hd l = Some result } = match l with Nil -> absurd | Cons h _ -> h end The program construct ``absurd`` denotes an unreachable piece of code. It generates the verification condition ``false``, which is here provable using the precondition (the list cannot be ``Nil``). Function ``tail`` is defined similarly: .. code-block:: whyml let tail (l: list 'a) : list 'a requires { l <> Nil } ensures { tl l = Some result } = match l with Nil -> absurd | Cons _ t -> t end Using ``head`` and ``tail``, it is straightforward to implement the search as a ``while`` loop. It uses a local reference ``i`` to store the index and another local reference ``s`` to store the list being scanned. As long as ``s`` is not empty and its head is not zero, it increments ``i`` and advances in ``s`` using function ``tail``. .. code-block:: whyml let search_loop (l: list int) : int ensures { ... same postcondition as in search_list ... } = let i = ref 0 in let s = ref l in while !s <> Nil && head !s <> 0 do invariant { ... } variant { !s } i := !i + 1; s := tail !s done; !i The postcondition is exactly the same as for function ``search_list``. The termination of the ``while`` loop is ensured using a variant, exactly as for a recursive function. Such a variant must strictly decrease at each execution of the loop body. The reader is invited to figure out the loop invariant. Problem 4: N-Queens ------------------- The fourth problem is probably the most challenging one. We have to verify the implementation of a program which solves the *N*-queens puzzle: place *N* queens on an *N*×*N* chess board so that no queen can capture another one with a legal move. The program should return a placement if there is a solution and indicates that there is no solution otherwise. A placement is a *N*-element array which assigns the queen on row *i* to its column. Thus we start our module by importing arithmetic and arrays: .. code-block:: whyml module NQueens use int.Int use array.Array The code is a simple backtracking algorithm, which tries to put a queen on each row of the chess board, one by one (there is basically no better way to solve the *N*-queens puzzle). A building block is a function which checks whether the queen on a given row may attack another queen on a previous row. To verify this function, we first define a more elementary predicate, which expresses that queens on row ``pos`` and ``q`` do no attack each other: .. code-block:: whyml predicate consistent_row (board: array int) (pos: int) (q: int) = board[q] <> board[pos] /\ board[q] - board[pos] <> pos - q /\ board[pos] - board[q] <> pos - q Then it is possible to define the consistency of row ``pos`` with respect to all previous rows: .. code-block:: whyml predicate is_consistent (board: array int) (pos: int) = forall q. 0 <= q < pos -> consistent_row board pos q Implementing a function which decides this predicate is another matter. In order for it to be efficient, we want to return ``False`` as soon as a queen attacks the queen on row ``pos``. We use an exception for this purpose and it carries the row of the attacking queen: .. code-block:: whyml exception Inconsistent int The check is implemented by a function ``check_is_consistent``, which takes the board and the row ``pos`` as arguments, and scans rows from 0 to ``pos - 1`` looking for an attacking queen. As soon as one is found, the exception is raised. It is caught immediately outside the loop and ``False`` is returned. Whenever the end of the loop is reached, ``True`` is returned. .. code-block:: whyml let check_is_consistent (board: array int) (pos: int) : bool requires { 0 <= pos < length board } ensures { result <-> is_consistent board pos } = try for q = 0 to pos - 1 do invariant { forall j:int. 0 <= j < q -> consistent_row board pos j } let bq = board[q] in let bpos = board[pos] in if bq = bpos then raise (Inconsistent q); if bq - bpos = pos - q then raise (Inconsistent q); if bpos - bq = pos - q then raise (Inconsistent q) done; True with Inconsistent q -> assert { not (consistent_row board pos q) }; False end The assertion in the exception handler is a cut for SMT solvers. This first part of the solution is given below. .. code-block:: whyml module NQueens use int.Int use array.Array predicate consistent_row (board: array int) (pos: int) (q: int) = board[q] <> board[pos] /\ board[q] - board[pos] <> pos - q /\ board[pos] - board[q] <> pos - q predicate is_consistent (board: array int) (pos: int) = forall q. 0 <= q < pos -> consistent_row board pos q exception Inconsistent int let check_is_consistent (board: array int) (pos: int) requires { 0 <= pos < length board } ensures { result <-> is_consistent board pos } = try for q = 0 to pos - 1 do invariant { forall j:int. 0 <= j < q -> consistent_row board pos j } let bq = board[q] in let bpos = board[pos] in if bq = bpos then raise (Inconsistent q); if bq - bpos = pos - q then raise (Inconsistent q); if bpos - bq = pos - q then raise (Inconsistent q) done; True with Inconsistent q -> assert { not (consistent_row board pos q) }; False end We now proceed with the verification of the backtracking algorithm. The specification requires us to define the notion of solution, which is straightforward using the predicate ``is_consistent`` above. However, since the algorithm will try to complete a given partial solution, it is more convenient to define the notion of partial solution, up to a given row. It is even more convenient to split it in two predicates, one related to legal column values and another to consistency of rows: .. code-block:: whyml predicate is_board (board: array int) (pos: int) = forall q. 0 <= q < pos -> 0 <= board[q] < length board predicate solution (board: array int) (pos: int) = is_board board pos /\ forall q. 0 <= q < pos -> is_consistent board q The algorithm will not mutate the partial solution it is given and, in case of a search failure, will claim that there is no solution extending this prefix. For this reason, we introduce a predicate comparing two chess boards for equality up to a given row: .. code-block:: whyml predicate eq_board (b1 b2: array int) (pos: int) = forall q. 0 <= q < pos -> b1[q] = b2[q] The search itself makes use of an exception to signal a successful search: .. code-block:: whyml exception Solution The backtracking code is a recursive function ``bt_queens`` which takes the chess board, its size, and the starting row for the search. The termination is ensured by the obvious variant ``n - pos``. .. code-block:: whyml let rec bt_queens (board: array int) (n: int) (pos: int) : unit variant { n - pos } The precondition relates ``board``, ``pos``, and ``n`` and requires ``board`` to be a solution up to ``pos``: .. code-block:: whyml requires { 0 <= pos <= n = length board } requires { solution board pos } The postcondition is twofold: either the function exits normally and then there is no solution extending the prefix in ``board``, which has not been modified; or the function raises ``Solution`` and we have a solution in ``board``. .. code-block:: whyml ensures { eq_board board (old board) pos } ensures { forall b:array int. length b = n -> is_board b n -> eq_board board b pos -> not (solution b n) } raises { Solution -> solution board n } = Whenever we reach the end of the chess board, we have found a solution and we signal it using exception ``Solution``: .. code-block:: whyml if pos = n then raise Solution; Otherwise we scan all possible positions for the queen on row ``pos`` with a ``for`` loop: .. code-block:: whyml for i = 0 to n - 1 do The loop invariant states that we have not modified the solution prefix so far, and that we have not found any solution that would extend this prefix with a queen on row ``pos`` at a column below ``i``: .. code-block:: whyml invariant { eq_board board (old board) pos } invariant { forall b:array int. length b = n -> is_board b n -> eq_board board b pos -> 0 <= b[pos] < i -> not (solution b n) } Then we assign column ``i`` to the queen on row ``pos`` and we check for a possible attack with ``check_is_consistent``. If not, we call ``bt_queens`` recursively on the next row. .. code-block:: whyml board[pos] <- i; if check_is_consistent board pos then bt_queens board n (pos + 1) done This completes the loop and function ``bt_queens`` as well. Solving the puzzle is a simple call to ``bt_queens``, starting the search on row 0. The postcondition is also twofold, as for ``bt_queens``, yet slightly simpler. .. code-block:: whyml let queens (board: array int) (n: int) : unit requires { length board = n } ensures { forall b:array int. length b = n -> is_board b n -> not (solution b n) } raises { Solution -> solution board n } = bt_queens board n 0 This second part of the solution is given below. With the help of a few auxiliary lemmas — not given here but available from Why3’s sources — the verification conditions are all discharged automatically, including the verification of the lemmas themselves. .. code-block:: whyml predicate is_board (board: array int) (pos: int) = forall q. 0 <= q < pos -> 0 <= board[q] < length board predicate solution (board: array int) (pos: int) = is_board board pos /\ forall q. 0 <= q < pos -> is_consistent board q predicate eq_board (b1 b2: array int) (pos: int) = forall q. 0 <= q < pos -> b1[q] = b2[q] exception Solution let rec bt_queens (board: array int) (n: int) (pos: int) : unit variant { n - pos } requires { 0 <= pos <= n = length board } requires { solution board pos } ensures { eq_board board (old board) pos } ensures { forall b:array int. length b = n -> is_board b n -> eq_board board b pos -> not (solution b n) } raises { Solution -> solution board n } = if pos = n then raise Solution; for i = 0 to n - 1 do invariant { eq_board board (old board) pos } invariant { forall b:array int. length b = n -> is_board b n -> eq_board board b pos -> 0 <= b[pos] < i -> not (solution b n) } board[pos] <- i; if check_is_consistent board pos then bt_queens board n (pos + 1) done let queens (board: array int) (n: int) : unit requires { length board = n } ensures { forall b:array int. length b = n -> is_board b n -> not (solution b n) } raises { Solution -> solution board n } = bt_queens board n 0 end .. _sec.aqueue: Problem 5: Amortized Queue -------------------------- The last problem consists in verifying the implementation of a well-known purely applicative data structure for queues. A queue is composed of two lists, *front* and *rear*. We push elements at the head of list *rear* and pop them off the head of list *front*. We maintain that the length of *front* is always greater or equal to the length of *rear*. (See for instance Okasaki’s *Purely Functional Data Structures* :cite:`okasaki98` for more details.) We have to implement operations ``empty``, ``head``, ``tail``, and ``enqueue`` over this data type, to show that the invariant over lengths is maintained, and finally to show that a client invoking these operations observes an abstract queue given by a sequence. In a new module, we import arithmetic and theory ``list.ListRich``, a combo theory that imports all list operations we will require: length, reversal, and concatenation. .. code-block:: whyml module AmortizedQueue use int.Int use option.Option use export list.ListRich The queue data type is naturally introduced as a polymorphic record type. The two list lengths are explicitly stored, for greater efficiency. .. code-block:: whyml type queue 'a = { front: list 'a; lenf: int; rear : list 'a; lenr: int; } invariant { length front = lenf >= length rear = lenr } by { front = Nil; lenf = 0; rear = Nil; lenr = 0 } The type definition is accompanied with an invariant — a logical property imposed on any value of the type. Why3 assumes that any queue satisfies the invariant at any function entry and it requires that any queue satisfies the invariant at function exit (be the queue created or modified). The ``by`` clause ensures the non-vacuity of this type with invariant. If you omit it, a goal with an existential statement is generated. (See :numref:`Record Types` for more details about record types with invariants.) For the purpose of the specification, it is convenient to introduce a function ``sequence`` which builds the sequence of elements of a queue, that is the front list concatenated to the reversed rear list. .. code-block:: whyml function sequence (q: queue 'a) : list 'a = q.front ++ reverse q.rear It is worth pointing out that this function can only be used in specifications. We start with the easiest operation: building the empty queue. .. code-block:: whyml let empty () : queue 'a ensures { sequence result = Nil } = { front = Nil; lenf = 0; rear = Nil; lenr = 0 } The postcondition states that the returned queue represents the empty sequence. Another postcondition, saying that the returned queue satisfies the type invariant, is implicit. Note the cast to type ``queue 'a``. It is required, for the type checker not to complain about an undefined type variable. The next operation is ``head``, which returns the first element from a given queue ``q``. It naturally requires the queue to be non empty, which is conveniently expressed as ``sequence q`` not being ``Nil``. .. code-block:: whyml let head (q: queue 'a) : 'a requires { sequence q <> Nil } ensures { hd (sequence q) = Some result } = let Cons x _ = q.front in x The fact that the argument ``q`` satisfies the type invariant is implicitly assumed. The type invariant is required to prove the absurdity of ``q.front`` being ``Nil`` (otherwise, ``sequence q`` would be ``Nil`` as well). The next operation is ``tail``, which removes the first element from a given queue. This is more subtle than ``head``, since we may have to re-structure the queue to maintain the invariant. Since we will have to perform a similar operation when implementing operation ``enqueue`` later, it is a good idea to introduce a smart constructor ``create`` that builds a queue from two lists while ensuring the invariant. The list lengths are also passed as arguments, to avoid unnecessary computations. .. code-block:: whyml let create (f: list 'a) (lf: int) (r: list 'a) (lr: int) : queue 'a requires { lf = length f /\ lr = length r } ensures { sequence result = f ++ reverse r } = if lf >= lr then { front = f; lenf = lf; rear = r; lenr = lr } else let f = f ++ reverse r in { front = f; lenf = lf + lr; rear = Nil; lenr = 0 } If the invariant already holds, it is simply a matter of building the record. Otherwise, we empty the rear list and build a new front list as the concatenation of list ``f`` and the reversal of list ``r``. The principle of this implementation is that the cost of this reversal will be amortized over all queue operations. Implementing function ``tail`` is now straightforward and follows the structure of function ``head``. .. code-block:: whyml let tail (q: queue 'a) : queue 'a requires { sequence q <> Nil } ensures { tl (sequence q) = Some (sequence result) } = let Cons _ r = q.front in create r (q.lenf - 1) q.rear q.lenr The last operation is ``enqueue``, which pushes a new element in a given queue. Reusing the smart constructor ``create`` makes it a one line code. .. code-block:: whyml let enqueue (x: 'a) (q: queue 'a) : queue 'a ensures { sequence result = sequence q ++ Cons x Nil } = create q.front q.lenf (Cons x q.rear) (q.lenr + 1) The code is given below. The verification conditions are all discharged automatically. .. code-block:: whyml module AmortizedQueue use int.Int use option.Option use list.ListRich type queue 'a = { front: list 'a; lenf: int; rear : list 'a; lenr: int; } invariant { length front = lenf >= length rear = lenr } by { front = Nil; lenf = 0; rear = Nil; lenr = 0 } function sequence (q: queue 'a) : list 'a = q.front ++ reverse q.rear let empty () : queue 'a ensures { sequence result = Nil } = { front = Nil; lenf = 0; rear = Nil; lenr = 0 } let head (q: queue 'a) : 'a requires { sequence q <> Nil } ensures { hd (sequence q) = Some result } = let Cons x _ = q.front in x let create (f: list 'a) (lf: int) (r: list 'a) (lr: int) : queue 'a requires { lf = length f /\ lr = length r } ensures { sequence result = f ++ reverse r } = if lf >= lr then { front = f; lenf = lf; rear = r; lenr = lr } else let f = f ++ reverse r in { front = f; lenf = lf + lr; rear = Nil; lenr = 0 } let tail (q: queue 'a) : queue 'a requires { sequence q <> Nil } ensures { tl (sequence q) = Some (sequence result) } = let Cons _ r = q.front in create r (q.lenf - 1) q.rear q.lenr let enqueue (x: 'a) (q: queue 'a) : queue 'a ensures { sequence result = sequence q ++ Cons x Nil } = create q.front q.lenf (Cons x q.rear) (q.lenr + 1) end ���������������������������������������������������why3-1.6.0/doc/zebibliography.rst�������������������������������������������������������������������0000664�0000000�0000000�00000000116�14401600263�0016713�0����������������������������������������������������������������������������������������������������ustar�00root����������������������������root����������������������������0000000�0000000������������������������������������������������������������������������������������������������������������������������������������������������������������������������.. only:: html Bibliography ============ .. bibliography:: manual.bib ��������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������why3-1.6.0/drivers/���������������������������������������������������������������������������������0000775�0000000�0000000�00000000000�14401600263�0014062�5����������������������������������������������������������������������������������������������������ustar�00root����������������������������root����������������������������0000000�0000000������������������������������������������������������������������������������������������������������������������������������������������������������������������������why3-1.6.0/drivers/alt_ergo.drv���������������������������������������������������������������������0000664�0000000�0000000�00000001050�14401600263�0016367�0����������������������������������������������������������������������������������������������������ustar�00root����������������������������root����������������������������0000000�0000000������������������������������������������������������������������������������������������������������������������������������������������������������������������������(* Driver for Alt-Ergo versions >= 2.4.0 *) prelude "(* this is the prelude for Alt-Ergo, version >= 2.4.0 *)" filename "%f-%t-%g.ae" transformation "inline_trivial" transformation "eliminate_builtin" transformation "remove_unused_keep_constants" transformation "eliminate_recursion" transformation "eliminate_inductive" transformation "eliminate_epsilon" transformation "eliminate_algebraic" transformation "eliminate_literal" transformation "split_premise_right" transformation "simplify_formula" import "alt_ergo_common.drv" import "no-bv.gen" ����������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������why3-1.6.0/drivers/alt_ergo_2_2_0.drv���������������������������������������������������������������0000664�0000000�0000000�00000001272�14401600263�0017256�0����������������������������������������������������������������������������������������������������ustar�00root����������������������������root����������������������������0000000�0000000������������������������������������������������������������������������������������������������������������������������������������������������������������������������(* Driver for Alt-Ergo versions >= 0.95.2 *) prelude "(* this is the prelude for Alt-Ergo, version >= 0.95.2 and <= 2.2.0 *)" filename "%f-%t-%g.why" transformation "inline_trivial" transformation "eliminate_builtin" transformation "eliminate_recursion" transformation "eliminate_inductive" transformation "eliminate_if" transformation "eliminate_epsilon" transformation "eliminate_algebraic" transformation "eliminate_literal" transformation "eliminate_let" transformation "split_premise_right" transformation "simplify_formula" import "alt_ergo_common.drv" import "no-bv.gen" (* additional regexp for detection of answers, needed for alt-ergo <= 0.99 *) valid "^Inconsistent assumption$" ��������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������why3-1.6.0/drivers/alt_ergo_2_3.drv�����������������������������������������������������������������0000664�0000000�0000000�00000001214�14401600263�0017034�0����������������������������������������������������������������������������������������������������ustar�00root����������������������������root����������������������������0000000�0000000������������������������������������������������������������������������������������������������������������������������������������������������������������������������(* Driver for Alt-Ergo versions 2.3.x *) prelude "(* this is the prelude for Alt-Ergo, versions 2.3.x *)" filename "%f-%t-%g.why" transformation "inline_trivial" transformation "eliminate_builtin" transformation "eliminate_recursion" transformation "eliminate_inductive" transformation "eliminate_epsilon" transformation "eliminate_algebraic" transformation "eliminate_literal" transformation "eliminate_let_term" transformation "split_premise_right" transformation "simplify_formula" import "alt_ergo_common.drv" import "no-bv.gen" (* additional regexp for detection of answers, needed for alt-ergo <= 0.99 *) valid "^Inconsistent assumption$" ������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������why3-1.6.0/drivers/alt_ergo_common.drv��������������������������������������������������������������0000664�0000000�0000000�00000011101�14401600263�0017735�0����������������������������������������������������������������������������������������������������ustar�00root����������������������������root����������������������������0000000�0000000������������������������������������������������������������������������������������������������������������������������������������������������������������������������(* Why drivers for Alt-Ergo: common part *) printer "alt-ergo" valid "^File \".*\", line [0-9]+, characters [0-9]+-[0-9]+: ?Valid" invalid "^File \".*\", line [0-9]+, characters [0-9]+-[0-9]+: ?Invalid" unknown "^File \".*\", line [0-9]+, characters [0-9]+-[0-9]+: ?I don't know" "" timeout "^File \".*\", line [0-9]+, characters [0-9]+-[0-9]+: ?Timeout" timeout "^Timeout$" steplimitexceeded "^File \".*\", line [0-9]+, characters [0-9]+-[0-9]+: ?Steps limit reached" steplimitexceeded "^Steps limit reached" steplimitexceeded "^\\[Error\\]Fatal Error: Steps limit reached" outofmemory "Fatal error: out of memory" outofmemory "Fatal error: Out of memory" outofmemory "Fatal error: exception Stack_overflow" outofmemory "Fatal error: exception Out of memory" fail "typing error:\\(.*\\)$" "Failure : File generation error : \\1" time "Valid (%s)" time "Valid (%s)" steps "Valid (\\([0-9]+.?[0-9]*\\)) (\\([0-9]+.?[0-9]*\\))" 2 steps "Valid (\\([0-9]+.?[0-9]*\\)) (\\([0-9]+.?[0-9]*\\) steps)" 2 steps "^Steps limit reached: \\([0-9]+.?[0-9]*\\)" 1 steps "^\\[Error\\]Fatal Error: Steps limit reached: \\([0-9]+.?[0-9]*\\)" 1 time "why3cpulimit time : %s s" theory BuiltIn syntax type int "int" syntax type real "real" syntax predicate (=) "(%1 = %2)" meta "eliminate_algebraic" "keep_enums" meta "eliminate_algebraic" "keep_recs" end theory int.Int prelude "(* this is a prelude for Alt-Ergo integer arithmetic *)" syntax function zero "0" syntax function one "1" syntax function (+) "(%1 + %2)" syntax function (-) "(%1 - %2)" syntax function (*) "(%1 * %2)" syntax function (-_) "(-%1)" meta "invalid trigger" predicate (<=) meta "invalid trigger" predicate (<) meta "invalid trigger" predicate (>=) meta "invalid trigger" predicate (>) syntax predicate (<=) "(%1 <= %2)" syntax predicate (<) "(%1 < %2)" syntax predicate (>=) "(%1 >= %2)" syntax predicate (>) "(%1 > %2)" remove prop MulComm.Comm remove prop MulAssoc.Assoc remove prop Unit_def_l remove prop Unit_def_r remove prop Inv_def_l remove prop Inv_def_r remove prop Assoc remove prop Mul_distr_l remove prop Mul_distr_r remove prop Comm remove prop Unitary remove prop Refl remove prop Trans remove prop Total remove prop Antisymm remove prop NonTrivialRing remove prop CompatOrderAdd remove prop ZeroLessOne end theory int.EuclideanDivision syntax function div "(%1 / %2)" syntax function mod "(%1 % %2)" end theory int.ComputerDivision use for_drivers.ComputerOfEuclideanDivision end theory real.Real prelude "(* this is a prelude for Alt-Ergo real arithmetic *)" syntax function zero "0.0" syntax function one "1.0" syntax function (+) "(%1 + %2)" syntax function (-) "(%1 - %2)" syntax function (*) "(%1 * %2)" syntax function (/) "(%1 / %2)" syntax function (-_) "(-%1)" syntax function inv "(1.0 / %1)" meta "invalid trigger" predicate (<=) meta "invalid trigger" predicate (<) meta "invalid trigger" predicate (>=) meta "invalid trigger" predicate (>) syntax predicate (<=) "(%1 <= %2)" syntax predicate (<) "(%1 < %2)" syntax predicate (>=) "(%1 >= %2)" syntax predicate (>) "(%1 > %2)" remove prop MulComm.Comm remove prop MulAssoc.Assoc remove prop Unit_def_l remove prop Unit_def_r remove prop Inv_def_l remove prop Inv_def_r remove prop Assoc remove prop Mul_distr_l remove prop Mul_distr_r remove prop Comm remove prop Unitary remove prop Refl remove prop Trans remove prop Total remove prop Antisymm remove prop Inverse remove prop NonTrivialRing remove prop CompatOrderAdd remove prop ZeroLessOne end theory real.RealInfix syntax function (+.) "(%1 + %2)" syntax function (-.) "(%1 - %2)" syntax function ( *.) "(%1 * %2)" syntax function (/.) "(%1 / %2)" syntax function (-._) "(-%1)" meta "invalid trigger" predicate (<=.) meta "invalid trigger" predicate (<.) meta "invalid trigger" predicate (>=.) meta "invalid trigger" predicate (>.) syntax predicate (<=.) "(%1 <= %2)" syntax predicate (<.) "(%1 < %2)" syntax predicate (>=.) "(%1 >= %2)" syntax predicate (>.) "(%1 > %2)" end theory Bool syntax type bool "bool" syntax function True "true" syntax function False "false" end theory Tuple0 syntax type tuple0 "unit" syntax function Tuple0 "void" end theory algebra.AC meta AC function op remove prop Comm remove prop Assoc end theory HighOrd syntax type (->) "(%1,%2) farray" syntax function (@) "(%1[%2])" end theory map.Map syntax function get "(%1[%2])" syntax function set "(%1[%2 <- %3])" end ���������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������why3-1.6.0/drivers/alt_ergo_fp.drv������������������������������������������������������������������0000664�0000000�0000000�00000002751�14401600263�0017065�0����������������������������������������������������������������������������������������������������ustar�00root����������������������������root����������������������������0000000�0000000������������������������������������������������������������������������������������������������������������������������������������������������������������������������filename "%f-%t-%g.ae" transformation "inline_trivial" transformation "eliminate_builtin" transformation "eliminate_recursion" transformation "eliminate_inductive" transformation "eliminate_epsilon" transformation "eliminate_algebraic" transformation "eliminate_literal" transformation "split_premise_right" transformation "simplify_formula" import "alt_ergo_common.drv" import "no-bv.gen" theory int.Abs syntax function abs "abs_int(%1)" remove prop Abs_le remove prop Abs_pos end theory real.Abs syntax function abs "abs_real(%1)" end theory real.FromInt syntax function from_int "real_of_int(%1)" remove prop Zero remove prop One remove prop Add remove prop Sub remove prop Mul remove prop Neg end theory real.MinMax syntax function min "min_real(%1, %2)" syntax function max "max_real(%1, %2)" end theory real.PowerInt syntax function power "(%1 **. %2)" end theory real.PowerReal syntax function pow "(%1 **. %2)" end theory real.Square syntax function sqrt "sqrt_real(%1)" end theory ieee_float.GenericFloat remove prop Round_monotonic remove prop Round_idempotent end theory ieee_float.RoundingMode syntax type mode "fpa_rounding_mode" syntax function RNE "NearestTiesToEven" syntax function RNA "NearestTiesToAway" syntax function RTN "Down" syntax function RTP "Up" syntax function RTZ "ToZero" end theory ieee_float.Float32 syntax function round "float32(%1,%2)" end theory ieee_float.Float64 syntax function round "float64(%1,%2)" end �����������������������why3-1.6.0/drivers/alt_ergo_model.drv���������������������������������������������������������������0000664�0000000�0000000�00000000216�14401600263�0017552�0����������������������������������������������������������������������������������������������������ustar�00root����������������������������root����������������������������0000000�0000000������������������������������������������������������������������������������������������������������������������������������������������������������������������������(* Driver for the current version of Alt-Ergo with models *) import "alt_ergo.drv" theory BuiltIn meta "printer_option" "show_labels" end ����������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������why3-1.6.0/drivers/alt_ergo_smt2.drv����������������������������������������������������������������0000664�0000000�0000000�00000005002�14401600263�0017335�0����������������������������������������������������������������������������������������������������ustar�00root����������������������������root����������������������������0000000�0000000������������������������������������������������������������������������������������������������������������������������������������������������������������������������(* Why driver for Alt-Ergo with SMT-lib2 input format *) prelude ";;; this is a prelude for Alt-Ergo" printer "smtv2" filename "%f-%t-%g.smt2" valid "^unsat" unknown "^\\(unknown\\|sat\\|Fail\\)" "" time "why3cpulimit time : %s s" transformation "inline_trivial" transformation "eliminate_builtin" transformation "eliminate_definition" transformation "eliminate_inductive" transformation "eliminate_epsilon" transformation "eliminate_algebraic" transformation "eliminate_let" transformation "simplify_formula" (*transformation "simplify_trivial_quantification"*) transformation "encoding_smt" theory BuiltIn syntax type int "Int" syntax type real "Real" syntax predicate (=) "(= %1 %2)" meta "encoding:kept" type int end theory int.Int prelude ";;; this is a prelude for Alt-Ergo integer arithmetic" syntax function zero "0" syntax function one "1" syntax function (+) "(+ %1 %2)" syntax function (-) "(- %1 %2)" syntax function (*) "(* %1 %2)" syntax function (-_) "(- %1)" syntax predicate (<=) "(<= %1 %2)" syntax predicate (<) "(< %1 %2)" syntax predicate (>=) "(>= %1 %2)" syntax predicate (>) "(> %1 %2)" remove prop MulComm.Comm remove prop MulAssoc.Assoc remove prop Unit_def_l remove prop Unit_def_r remove prop Inv_def_l remove prop Inv_def_r remove prop Assoc remove prop Mul_distr_l remove prop Mul_distr_r remove prop Comm remove prop Unitary remove prop Refl remove prop Trans remove prop Total remove prop Antisymm remove prop NonTrivialRing remove prop CompatOrderAdd remove prop ZeroLessOne end theory real.Real prelude ";;; this is a prelude for Alt-Ergo real arithmetic" syntax function zero "0.0" syntax function one "1.0" syntax function (+) "(+ %1 %2)" syntax function (-) "(- %1 %2)" syntax function (*) "(* %1 %2)" syntax function (/) "(/ %1 %2)" syntax function (-_) "(- %1)" syntax function inv "(/ 1.0 %1)" syntax predicate (<=) "(<= %1 %2)" syntax predicate (<) "(< %1 %2)" syntax predicate (>=) "(>= %1 %2)" syntax predicate (>) "(> %1 %2)" remove prop MulComm.Comm remove prop MulAssoc.Assoc remove prop Unit_def_l remove prop Unit_def_r remove prop Inv_def_l remove prop Inv_def_r remove prop Assoc remove prop Mul_distr_l remove prop Mul_distr_r remove prop Comm remove prop Unitary remove prop Refl remove prop Trans remove prop Total remove prop Antisymm remove prop Inverse remove prop NonTrivialRing remove prop CompatOrderAdd remove prop ZeroLessOne end ������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������why3-1.6.0/drivers/beagle.drv�����������������������������������������������������������������������0000664�0000000�0000000�00000017066�14401600263�0016030�0����������������������������������������������������������������������������������������������������ustar�00root����������������������������root����������������������������0000000�0000000������������������������������������������������������������������������������������������������������������������������������������������������������������������������(* Why3 driver for beagle see http://users.cecs.anu.edu.au/~baumgart/systems/beagle/ *) printer "tptp-tff0" filename "%f-%t-%g.p" valid "Proof found" invalid "Completion found" valid "^% SZS status Theorem" valid "^SZS status Theorem" valid "^% SZS status Unsatisfiable" unknown "^% SZS status CounterSatisfiable" "" unknown "^% SZS status Satisfiable" "" unknown "^Cannot normalize into a linear term:" "" timeout "^% SZS status Timeout" unknown "^% SZS status GaveUp" "" fail "^% SZS status Error" "" timeout "Ran out of time" timeout "CPU time limit exceeded" outofmemory "Out of Memory" unknown "No Proof Found" "" fail "Failure.*" "\"\\0\"" time "why3cpulimit time : %s s" (* transformations *) transformation "inline_trivial" transformation "eliminate_builtin" transformation "eliminate_definition" transformation "eliminate_inductive" (* currently, princess does not support $let and $ite *) transformation "eliminate_if" transformation "eliminate_epsilon" transformation "eliminate_algebraic" transformation "eliminate_literal" transformation "eliminate_let" transformation "discriminate" transformation "encoding_smt" import "discrimination.gen" theory BuiltIn syntax predicate (=) "(%1 = %2)" syntax type int "$int" syntax type real "$real" meta "encoding:kept" type int meta "encoding:kept" type real meta "eliminate_algebraic" "no_index" end theory int.Int syntax function zero "0" syntax function one "1" syntax function (+) "$sum(%1,%2)" syntax function (-) "$difference(%1,%2)" syntax function (*) "$product(%1,%2)" syntax function (-_) "$uminus(%1)" syntax predicate (<=) "$lesseq(%1,%2)" syntax predicate (<) "$less(%1,%2)" syntax predicate (>=) "$greatereq(%1,%2)" syntax predicate (>) "$greater(%1,%2)" remove prop MulComm.Comm remove prop MulAssoc.Assoc remove prop Unit_def_l remove prop Unit_def_r remove prop Inv_def_l remove prop Inv_def_r remove prop Assoc remove prop Mul_distr_l remove prop Mul_distr_r remove prop Comm remove prop Unitary remove prop Refl remove prop Trans remove prop Antisymm remove prop Total remove prop NonTrivialRing remove prop CompatOrderAdd remove prop ZeroLessOne (* Beagle fails on non-linear axioms *) remove prop CompatOrderMult end theory real.Real syntax function zero "0.0" syntax function one "1.0" syntax function (+) "$sum(%1,%2)" syntax function (-) "$difference(%1,%2)" syntax function (*) "$product(%1,%2)" syntax function (-_) "$uminus(%1)" syntax function (/) "$quotient(%1,%2)" syntax function inv "$quotient(1.0,%1)" syntax predicate (<=) "$lesseq(%1,%2)" syntax predicate (<) "$less(%1,%2)" syntax predicate (>=) "$greatereq(%1,%2)" syntax predicate (>) "$greater(%1,%2)" remove prop MulComm.Comm remove prop MulAssoc.Assoc remove prop Unit_def_l remove prop Unit_def_r remove prop Inv_def_l remove prop Inv_def_r remove prop Assoc remove prop Mul_distr_l remove prop Mul_distr_r remove prop Comm remove prop Unitary remove prop Inverse remove prop Refl remove prop Trans remove prop Antisymm remove prop Total remove prop NonTrivialRing remove prop CompatOrderAdd remove prop ZeroLessOne end theory int.EuclideanDivision syntax function div "$quotient_e(%1,%2)" syntax function mod "$remainder_e(%1,%2)" remove prop Div_mod remove prop Div_bound remove prop Mod_bound remove prop Mod_1 remove prop Div_1 remove prop Div_inf remove prop Div_inf_neg remove prop Mod_0 remove prop Div_1_left remove prop Div_minus1_left remove prop Mod_1_left remove prop Mod_minus1_left end theory tptp.Univ syntax type iType "$i" meta "encoding:kept" type iType end theory tptp.IntTrunc syntax function floor "$floor(%1)" syntax function ceiling "$ceiling(%1)" syntax function truncate "$truncate(%1)" syntax function round "$round(%1)" syntax function to_int "$to_int(%1)" syntax predicate is_int "$is_int(%1)" syntax predicate is_rat "$is_rat(%1)" end theory tptp.IntDivT syntax function div_t "$quotient_t(%1,%2)" syntax function mod_t "$remainder_t(%1,%2)" end theory tptp.IntDivF syntax function div_f "$quotient_f(%1,%2)" syntax function mod_f "$remainder_f(%1,%2)" end theory tptp.Rat syntax type rat "$rat" syntax function zero "0/1" syntax function one "1/1" syntax function (+) "$sum(%1,%2)" syntax function (-) "$difference(%1,%2)" syntax function (*) "$product(%1,%2)" syntax function (-_) "$uminus(%1)" syntax function (/) "$quotient(%1,%2)" syntax function inv "$quotient(1/1,%1)" syntax predicate (<=) "$lesseq(%1,%2)" syntax predicate (<) "$less(%1,%2)" syntax predicate (>=) "$greatereq(%1,%2)" syntax predicate (>) "$greater(%1,%2)" syntax function to_rat "$to_rat(%1)" syntax predicate is_int "$is_int(%1)" syntax predicate is_rat "$is_rat(%1)" remove prop MulComm.Comm remove prop MulAssoc.Assoc remove prop Unit_def_l remove prop Unit_def_r remove prop Inv_def_l remove prop Inv_def_r remove prop Assoc remove prop Mul_distr_l remove prop Mul_distr_r remove prop Comm remove prop Unitary remove prop Refl remove prop Trans remove prop Antisymm remove prop Total remove prop NonTrivialRing remove prop CompatOrderAdd remove prop ZeroLessOne meta "encoding:kept" type rat end theory tptp.RatTrunc syntax function floor "$floor(%1)" syntax function ceiling "$ceiling(%1)" syntax function truncate "$truncate(%1)" syntax function round "$round(%1)" syntax function to_int "$to_int(%1)" end theory tptp.RatDivE syntax function div "$quotient_e(%1,%2)" syntax function mod "$remainder_e(%1,%2)" end theory tptp.RatDivT syntax function div_t "$quotient_t(%1,%2)" syntax function mod_t "$remainder_t(%1,%2)" end theory tptp.RatDivF syntax function div_f "$quotient_f(%1,%2)" syntax function mod_f "$remainder_f(%1,%2)" end theory tptp.Real syntax function to_real "$to_real(%1)" end theory real.FromInt syntax function from_int "$to_real(%1)" remove prop Zero remove prop One remove prop Add remove prop Sub remove prop Mul remove prop Neg end theory real.Truncate syntax function floor "$to_int(%1)" syntax function ceil "$to_int($ceiling(%1))" syntax function truncate "$to_int($truncate(%1))" remove prop Truncate_int remove prop Truncate_down_pos remove prop Truncate_up_neg remove prop Real_of_truncate remove prop Truncate_monotonic remove prop Truncate_monotonic_int1 remove prop Truncate_monotonic_int2 remove prop Floor_int remove prop Ceil_int remove prop Floor_down remove prop Ceil_up remove prop Floor_monotonic remove prop Ceil_monotonic end theory tptp.RealTrunc syntax function floor "$floor(%1)" syntax function ceiling "$ceiling(%1)" syntax function truncate "$truncate(%1)" syntax function round "$round(%1)" syntax function to_int "$to_int(%1)" syntax predicate is_int "$is_int(%1)" syntax predicate is_rat "$is_rat(%1)" end theory tptp.RealDivE syntax function div "$quotient_e(%1,%2)" syntax function mod "$remainder_e(%1,%2)" end theory tptp.RealDivT syntax function div_t "$quotient_t(%1,%2)" syntax function mod_t "$remainder_t(%1,%2)" end theory tptp.RealDivF syntax function div_f "$quotient_f(%1,%2)" syntax function mod_f "$remainder_f(%1,%2)" end theory tptp.IntToRat syntax function to_rat "$to_rat(%1)" end theory tptp.IntToReal syntax function to_real "$to_real(%1)" end theory tptp.RealToRat syntax function to_rat "$to_rat(%1)" end theory tptp.RatToReal syntax function to_real "$to_real(%1)" end ��������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������why3-1.6.0/drivers/colibri.drv����������������������������������������������������������������������0000664�0000000�0000000�00000005131�14401600263�0016222�0����������������������������������������������������������������������������������������������������ustar�00root����������������������������root����������������������������0000000�0000000������������������������������������������������������������������������������������������������������������������������������������������������������������������������(** Why3 driver for COLIBRI (with floating point support) *) prelude ";; produced by colibri.drv ;;" prelude "(set-logic ALL)" prelude "(set-info :smt-lib-version 2.6)" import "smt-libv2.gen" printer "smtv2.6par" import "smt-libv2-bv.gen" import "cvc4_bv.gen" import "smt-libv2-floats.gen" (* import "discrimination.gen" *) steps "Steps : \\([0-9]+.?[0-9]*\\)" 1 steplimitexceeded "(Step limit reached)" theory bool.Bool meta "inline:no" function andb meta "inline:no" function orb meta "inline:no" function notb meta "inline:no" function xorb meta "inline:no" function implb end theory bool.Ite meta "inline:no" function ite end theory int.Int remove prop CompatOrderMult end transformation "monomorphise_goal" transformation "compile_match" transformation "inline_trivial" transformation "simplify_formula" transformation "eliminate_builtin" transformation "eliminate_recursion" transformation "eliminate_inductive" transformation "eliminate_epsilon" transformation "eliminate_algebraic" transformation "eliminate_literal" transformation "instantiate_predicate" (** Extra theories supported by COLIBRI *) theory int.EuclideanDivision syntax function div "(div %1 %2)" syntax function mod "(mod %1 %2)" remove prop Mod_bound remove prop Div_mod remove prop Mod_1 remove prop Div_1 end theory int.ComputerDivision syntax function div "(colibri_cdiv %1 %2)" syntax function mod "(colibri_crem %1 %2)" remove prop Mod_bound remove prop Div_mod remove prop Mod_1 remove prop Div_1 end theory real.Truncate syntax function floor "(to_int %1)" overriding syntax function truncate "(to_int (colibri_truncate %1))" overriding syntax function ceil "(to_int (colibri_ceil %1))" remove prop Floor_down remove prop Floor_monotonic end theory real.FromInt syntax function from_int "(to_real %1)" end theory real.Abs overriding syntax function abs "(colibri_abs_real %1)" end theory int.Abs syntax function abs "(colibri_abs_int %1)" end theory real.PowerInt syntax function power "(colibri_pow_real_int %1 %2)" end theory int.Power syntax function power "(colibri_pow_int_int %1 %2)" end theory real.ExpLog syntax function exp "(colibri_exp %1)" (* syntax function log "(colibri_ln %1)" *) end theory real.MinMax syntax function min "(colibri_min_real %1 %2)" syntax function max "(colibri_max_real %1 %2)" end theory int.MinMax syntax function min "(colibri_min_int %1 %2)" syntax function max "(colibri_max_int %1 %2)" end (** TODO *) (** - colibri_floor - colibri_abs_int - colibri_abs_real - colibri_pow_real_int - colibri_max - colibri_min - is_int - to_real *) ���������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������why3-1.6.0/drivers/colibri2.drv���������������������������������������������������������������������0000664�0000000�0000000�00000007256�14401600263�0016316�0����������������������������������������������������������������������������������������������������ustar�00root����������������������������root����������������������������0000000�0000000������������������������������������������������������������������������������������������������������������������������������������������������������������������������(** Why3 driver for Colibri (with floating point support) *) prelude ";; produced by local colibri2.drv ;;" prelude "(set-logic ALL)" prelude "(set-info :smt-lib-version 2.6)" filename "%f-%t-%g.psmt2" unknown "^\\(unknown\\|sat\\|Fail\\)$" "\\1" unknown "^(:reason-unknown \\([^)]*\\))$" "\\1" time "why3cpulimit time : %s s" valid "^unsat$" steplimitexceeded "steplimitreached" steps "^(steps \\([0-9]+.?[0-9]*\\))" 1 printer "smtv2.6par" transformation "monomorphise_goal" transformation "eliminate_builtin" transformation "compile_match" (* transformation "inline_trivial" *) transformation "simplify_formula" transformation "eliminate_inductive" transformation "eliminate_literal" transformation "eliminate_epsilon" theory BuiltIn syntax type int "Int" syntax type real "Real" syntax predicate (=) "(= %1 %2)" end theory int.Int prelude ";;; SMT-LIB2: integer arithmetic" syntax function zero "0" syntax function one "1" syntax function (+) "(+ %1 %2)" syntax function (-) "(- %1 %2)" syntax function (*) "(* %1 %2)" syntax function (-_) "(- %1)" syntax predicate (<=) "(<= %1 %2)" syntax predicate (<) "(< %1 %2)" syntax predicate (>=) "(>= %1 %2)" syntax predicate (>) "(> %1 %2)" remove prop MulComm.Comm remove prop MulAssoc.Assoc remove prop Unit_def_l remove prop Unit_def_r remove prop Inv_def_l remove prop Inv_def_r remove prop Assoc remove prop Mul_distr_l remove prop Mul_distr_r remove prop Comm remove prop Unitary remove prop Refl remove prop Trans remove prop Antisymm remove prop Total remove prop NonTrivialRing remove prop CompatOrderAdd remove prop CompatOrderMult remove prop ZeroLessOne end theory real.Real prelude ";;; SMT-LIB2: real arithmetic" syntax function zero "0.0" syntax function one "1.0" syntax function (+) "(+ %1 %2)" syntax function (-) "(- %1 %2)" syntax function (*) "(* %1 %2)" syntax function (/) "(/ %1 %2)" syntax function (-_) "(- %1)" syntax function inv "(/ 1.0 %1)" syntax predicate (<=) "(<= %1 %2)" syntax predicate (<) "(< %1 %2)" syntax predicate (>=) "(>= %1 %2)" syntax predicate (>) "(> %1 %2)" remove prop MulComm.Comm remove prop MulAssoc.Assoc remove prop Unit_def_l remove prop Unit_def_r remove prop Inv_def_l remove prop Inv_def_r remove prop Assoc remove prop Mul_distr_l remove prop Mul_distr_r remove prop Comm remove prop Unitary remove prop Inverse remove prop Refl remove prop Trans remove prop Antisymm remove prop Total remove prop NonTrivialRing remove prop CompatOrderAdd remove prop CompatOrderMult remove prop ZeroLessOne end theory real.Square syntax function sqrt "(colibri_sqrt %1)" end theory real.FromInt syntax function from_int "(to_real %1)" (* remove allprops *) end theory real.Abs syntax function abs "(colibri_abs_real %1)" end theory int.Abs syntax function abs "(colibri_abs_int %1)" end theory int.EuclideanDivision syntax function div "(div %1 %2)" syntax function mod "(mod %1 %2)" end theory int.ComputerDivision syntax function div "(colibri_cdiv %1 %2)" syntax function mod "(colibri_crem %1 %2)" end (* theory real.MinMax remove allprops end *) theory real.Truncate syntax function floor "(to_int %1)" syntax function ceil "(- (to_int (- %1)))" (* remove allprops *) end theory Bool syntax type bool "Bool" syntax function True "true" syntax function False "false" end theory bool.Bool syntax function andb "(and %1 %2)" syntax function orb "(or %1 %2)" syntax function xorb "(xor %1 %2)" syntax function notb "(not %1)" syntax function implb "(=> %1 %2)" end theory bool.Ite syntax function ite "(ite %1 %2 %3)" end ��������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������why3-1.6.0/drivers/coq-common.gen�������������������������������������������������������������������0000664�0000000�0000000�00000016151�14401600263�0016631�0����������������������������������������������������������������������������������������������������ustar�00root����������������������������root����������������������������0000000�0000000������������������������������������������������������������������������������������������������������������������������������������������������������������������������ valid 0 unknown "Error: \\(.*\\)$" "\\1" fail "Syntax error: \\(.*\\)$" "\\1" time "why3cpulimit time : %s s" transformation "eliminate_non_struct_recursion" transformation "eliminate_if" transformation "eliminate_literal" transformation "eliminate_non_lambda_set_epsilon" transformation "eliminate_projections" transformation "simplify_formula" (*transformation "simplify_trivial_quantification_in_goal"*) theory BuiltIn prelude "Require Import BuiltIn." syntax type int "Numbers.BinNums.Z" syntax type real "Reals.Rdefinitions.R" syntax predicate (=) "(%1 = %2)" end theory Unit syntax type unit "Init.Datatypes.unit" end theory Bool syntax type bool "Init.Datatypes.bool" syntax function True "Init.Datatypes.true" syntax function False "Init.Datatypes.false" end theory bool.Bool syntax function andb "Init.Datatypes.andb" syntax function orb "Init.Datatypes.orb" syntax function xorb "Init.Datatypes.xorb" syntax function notb "Init.Datatypes.negb" syntax function implb "Init.Datatypes.implb" end theory int.Int syntax function zero "0%Z" syntax function one "1%Z" syntax function (+) "(%1 + %2)%Z" syntax function (-) "(%1 - %2)%Z" syntax function (*) "(%1 * %2)%Z" syntax function (-_) "(-%1)%Z" syntax predicate (<=) "(%1 <= %2)%Z" syntax predicate (<) "(%1 < %2)%Z" syntax predicate (>=) "(%1 >= %2)%Z" syntax predicate (>) "(%1 > %2)%Z" remove prop MulComm.Comm remove prop MulAssoc.Assoc remove prop Unit_def_l remove prop Unit_def_r remove prop Inv_def_l remove prop Inv_def_r remove prop Assoc remove prop Mul_distr_l remove prop Mul_distr_r remove prop Comm remove prop Unitary remove prop Refl remove prop Trans remove prop Antisymm remove prop Total remove prop NonTrivialRing remove prop CompatOrderAdd remove prop CompatOrderMult remove prop ZeroLessOne end theory int.Abs syntax function abs "ZArith.BinInt.Z.abs" remove prop Abs_pos end theory int.MinMax syntax function min "ZArith.BinInt.Z.min" syntax function max "ZArith.BinInt.Z.max" end (* removed: Coq Zdiv is NOT true Euclidean division: Zmod can be negative, in fact (Zmod x y) has the same sign as y, which is not the usual convention of programming language either. theory int.EuclideanDivision syntax function div "ZArith.BinInt.Z.div" syntax function mod "ZArith.BinInt.Z.modulo" remove prop Div_mod remove prop Div_bound remove prop Mod_bound remove prop Mod_1 remove prop Div_1 end *) theory int.ComputerDivision (* Coq provides the division and modulo operators with the same convention as mainstream programming language such C, Java, OCaml *) syntax function div "ZArith.BinInt.Z.quot" syntax function mod "ZArith.BinInt.Z.rem" remove prop Div_mod remove prop Div_bound remove prop Mod_bound remove prop Div_sign_pos remove prop Div_sign_neg remove prop Mod_sign_pos remove prop Mod_sign_neg remove prop Rounds_toward_zero remove prop Div_1 remove prop Mod_1 remove prop Div_inf remove prop Mod_inf remove prop Div_mult remove prop Mod_mult end theory real.Real syntax function zero "0%R" syntax function one "1%R" syntax function (+) "(%1 + %2)%R" syntax function (-) "(%1 - %2)%R" syntax function (-_) "(-%1)%R" syntax function (*) "(%1 * %2)%R" syntax function (/) "(%1 / %2)%R" syntax function inv "(/ %1)%R" syntax predicate (<=) "(%1 <= %2)%R" syntax predicate (<) "(%1 < %2)%R" syntax predicate (>=) "(%1 >= %2)%R" syntax predicate (>) "(%1 > %2)%R" remove prop MulComm.Comm remove prop MulAssoc.Assoc remove prop Unit_def_l remove prop Unit_def_r remove prop Inv_def_l remove prop Inv_def_r remove prop Assoc remove prop Mul_distr_l remove prop Mul_distr_r remove prop Comm remove prop Unitary remove prop Inverse remove prop NonTrivialRing remove prop CompatOrderAdd remove prop CompatOrderMult remove prop ZeroLessOne remove prop Refl remove prop Trans remove prop Antisymm remove prop Total remove prop assoc_mul_div remove prop assoc_div_mul remove prop assoc_div_div end theory real.RealInfix syntax function (+.) "(%1 + %2)%R" syntax function (-.) "(%1 - %2)%R" syntax function (-._) "(-%1)%R" syntax function ( *.) "(%1 * %2)%R" syntax function (/.) "(%1 / %2)%R" syntax predicate (<=.) "(%1 <= %2)%R" syntax predicate (<.) "(%1 < %2)%R" syntax predicate (>=.) "(%1 >= %2)%R" syntax predicate (>.) "(%1 > %2)%R" end theory real.Abs prelude "Require Reals.Rbasic_fun." syntax function abs "Reals.Rbasic_fun.Rabs" remove prop Abs_le remove prop Abs_pos end theory real.MinMax syntax function min "Reals.Rbasic_fun.Rmin" syntax function max "Reals.Rbasic_fun.Rmax" end theory real.FromInt syntax function from_int "BuiltIn.IZR" remove prop Zero remove prop One remove prop Add remove prop Sub remove prop Mul remove prop Neg end theory real.Square prelude "Require Reals.R_sqrt." syntax function sqr "Reals.RIneq.Rsqr" syntax function sqrt "Reals.R_sqrt.sqrt" (* and not Rsqrt *) remove prop Sqrt_positive remove prop Sqrt_square remove prop Square_sqrt end theory real.ExpLog prelude "Require Reals.Rtrigo_def." prelude "Require Reals.Rpower." syntax function exp "Reals.Rtrigo_def.exp" syntax function log "Reals.Rpower.ln" remove prop Exp_zero remove prop Exp_sum remove prop Log_one remove prop Log_mul remove prop Log_exp remove prop Exp_log end theory real.PowerInt prelude "Require Reals.Rfunctions." syntax function power "Reals.Rfunctions.powerRZ" remove prop Power_0 (* already as powerRZ_O *) (* remove prop Power_s *) remove prop Power_1 (* already as powerRZ_1 *) (* remove prop Power_sum *) (* not the same as powerRZ_add *) (* remove prop Power_mult *) end theory real.PowerReal syntax function pow "Reals.Rpower.Rpower" end theory real.Trigonometry prelude "Require Reals.Rtrigo_def." prelude "Require Reals.Rtrigo1." prelude "Require Reals.Ratan." syntax function cos "Reals.Rtrigo_def.cos" syntax function sin "Reals.Rtrigo_def.sin" syntax function pi "Reals.Rtrigo1.PI" syntax function tan "Reals.Rtrigo1.tan" syntax function atan "Reals.Ratan.atan" remove prop Pythagorean_identity remove prop Cos_le_one remove prop Sin_le_one remove prop Cos_0 remove prop Sin_0 remove prop Cos_pi remove prop Sin_pi remove prop Cos_pi2 remove prop Sin_pi2 end theory list.List syntax type list "Init.Datatypes.list" syntax function Nil "Init.Datatypes.nil" syntax function Cons "Init.Datatypes.cons" end theory list.Append syntax function (++) "Init.Datatypes.app" end theory list.Reverse syntax function reverse "Lists.List.rev" end theory list.RevAppend syntax function rev_append "Lists.List.rev_append" end theory list.Combine syntax function combine "Lists.List.combine" end theory option.Option syntax type option "Init.Datatypes.option" syntax function None "Init.Datatypes.None" syntax function Some "Init.Datatypes.Some" end (* this file has an extension .aux rather than .gen since it should not be distributed *) import "coq-realizations.aux" �����������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������why3-1.6.0/drivers/coq-realize.drv������������������������������������������������������������������0000664�0000000�0000000�00000000343�14401600263�0017012�0����������������������������������������������������������������������������������������������������ustar�00root����������������������������root����������������������������0000000�0000000������������������������������������������������������������������������������������������������������������������������������������������������������������������������ prelude "(* This file is generated by Why3's Coq-realize driver *)" prelude "(* Beware! Only edit allowed sections below *)" printer "coq-realize" filename "%t.v" transformation "inline_trivial" import "coq-common.gen" ���������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������why3-1.6.0/drivers/coq-ssreflect.drv����������������������������������������������������������������0000664�0000000�0000000�00000005547�14401600263�0017364�0����������������������������������������������������������������������������������������������������ustar�00root����������������������������root����������������������������0000000�0000000������������������������������������������������������������������������������������������������������������������������������������������������������������������������ prelude "(* This file is generated by Why3's coq-ssreflect driver *)" prelude "(* Beware! Only edit allowed sections below *)" printer "coq-ssr" filename "%t.v" valid 0 unknown "Error: \\(.*\\)$" "\\1" fail "Syntax error: \\(.*\\)$" "\\1" time "why3cpulimit time : %s s" transformation "inline_trivial" transformation "eliminate_non_struct_recursion" transformation "eliminate_if" transformation "eliminate_literal" transformation "eliminate_non_lambda_set_epsilon" transformation "eliminate_projections" transformation "simplify_formula" theory BuiltIn prelude "\n\ Require Import ssreflect ssrbool ssrfun ssrnat seq eqtype ssrint.\n\ Require Import ssrint ssrwhy3.\n\ Set Implicit Arguments.\n\ Unset Strict Implicit.\n\ Unset Printing Implicit Defensive.\n\ " syntax type int "int" syntax type real "R" syntax predicate (=) "(%1 = %2)" end theory Unit syntax type unit "unit" end theory HighOrd syntax type (->) "(%1 -> %2)" syntax function (@) "(%1 %2)" end theory Bool syntax type bool "bool" syntax function True "true" syntax function False "false" end theory bool.Bool syntax function andb "(Init.Datatypes.andb %1 %2)" syntax function orb "(Init.Datatypes.orb %1 %2)" syntax function xorb "(Init.Datatypes.xorb %1 %2)" syntax function notb "(Init.Datatypes.negb %1)" syntax function implb "(Init.Datatypes.implb %1 %2)" end theory map.Map syntax function get "(%1 %2)" end theory int.Int prelude "\n\ Require Import ssralg ssrnum.\n\ Import GRing.Theory Num.Theory.\n\ Local Open Scope ring_scope." syntax function zero "0%:Z" syntax function one "1%:Z" syntax function (+) "(%1 + %2)%R" syntax function (-) "(%1 - %2)%R" syntax function ( * ) "(%1 * %2)%R" syntax function (-_) "(-%1)%R" syntax predicate (<=) "(%1 <= %2)%R" syntax predicate (<) "(%1 < %2)%R" syntax predicate (>=) "(%1 >= %2)%R" syntax predicate (>) "(%1 > %2)%R" remove prop MulComm.Comm remove prop MulAssoc.Assoc remove prop Unit_def_l remove prop Unit_def_r remove prop Inv_def_l remove prop Inv_def_r remove prop Assoc remove prop Mul_distr_l remove prop Mul_distr_r remove prop Comm remove prop Unitary remove prop Refl remove prop Trans remove prop Antisymm remove prop Total remove prop NonTrivialRing remove prop CompatOrderAdd remove prop CompatOrderMult remove prop ZeroLessOne end theory array.Array syntax type array "(array %1)" syntax function ([]) "(get %1 %2)" syntax function length "(size %1 : int)" syntax function elts "(get %1)" (* does not exist anymore syntax function make "(make %1 %2)" *) end theory matrix.Matrix syntax type matrix "(matrix %1)" syntax function rows "(nrows %1 : int)" syntax function columns "(ncols %1 : int)" syntax function elts "(matrix_get_curry %1)" (* does not exist anymore syntax function make "(matrix_make %1 %2)" *) end ���������������������������������������������������������������������������������������������������������������������������������������������������������why3-1.6.0/drivers/coq.drv��������������������������������������������������������������������������0000664�0000000�0000000�00000000373�14401600263�0015364�0����������������������������������������������������������������������������������������������������ustar�00root����������������������������root����������������������������0000000�0000000������������������������������������������������������������������������������������������������������������������������������������������������������������������������ prelude "(* This file is generated by Why3's Coq driver *)" prelude "(* Beware! Only edit allowed sections below *)" printer "coq" filename "%f_%t_%g.v" transformation "inline_trivial" transformation "eliminate_builtin" import "coq-common.gen" ���������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������why3-1.6.0/drivers/cvc3.drv�������������������������������������������������������������������������0000664�0000000�0000000�00000007216�14401600263�0015443�0����������������������������������������������������������������������������������������������������ustar�00root����������������������������root����������������������������0000000�0000000������������������������������������������������������������������������������������������������������������������������������������������������������������������������ (* Why3 driver for CVC3 *) prelude "%%% this is a prelude for CVC3 " printer "cvc3" filename "%f-%t-%g.cvc" (* 'fail' must be before 'valid'; otherwise it is ignored *) fail "Parse Error: \\(.*\\)" "\\1" valid "Valid\\." unknown "Unknown\\." "" outofmemory "Out of memory\\|std::bad_alloc\\|GNU MP: Cannot allocate memory" timeout "self-timeout" time "why3cpulimit time : %s s" transformation "inline_trivial" transformation "eliminate_builtin" transformation "eliminate_definition" transformation "eliminate_inductive" transformation "eliminate_epsilon" transformation "eliminate_algebraic" transformation "eliminate_literal" transformation "simplify_formula" (*transformation "simplify_trivial_quantification"*) transformation "discriminate" transformation "encoding_smt" theory BuiltIn syntax type int "INT" syntax type real "REAL" syntax predicate (=) "(%1 = %2)" meta "encoding:kept" type int end theory int.Int prelude "%%% this is a prelude for CVC3 integer arithmetic" syntax function zero "0" syntax function one "1" syntax function (+) "(%1 + %2)" syntax function (-) "(%1 - %2)" syntax function (*) "(%1 * %2)" syntax function (-_) "(- %1)" syntax predicate (<=) "(%1 <= %2)" syntax predicate (<) "(%1 < %2)" syntax predicate (>=) "(%1 >= %2)" syntax predicate (>) "(%1 > %2)" remove prop MulComm.Comm remove prop MulAssoc.Assoc remove prop Unit_def_l remove prop Unit_def_r remove prop Inv_def_l remove prop Inv_def_r remove prop Assoc remove prop Mul_distr_l remove prop Mul_distr_r remove prop Comm remove prop Unitary remove prop Refl remove prop Trans remove prop Antisymm remove prop Total remove prop NonTrivialRing remove prop CompatOrderAdd remove prop ZeroLessOne end theory real.Real prelude "%%% this is a prelude for CVC3 real arithmetic" prelude "div_by_zero: (REAL) -> REAL;" syntax function zero "0" syntax function one "1" syntax function (+) "(%1 + %2)" syntax function (-) "(%1 - %2)" syntax function (*) "(%1 * %2)" syntax function (/) "(IF (%2 = 0) THEN (div_by_zero(%1)) ELSE (%1 / %2) ENDIF)" syntax function (-_) "(- %1)" syntax function inv "(IF (%1 = 0) THEN (div_by_zero(1)) ELSE (1 / %1) ENDIF)" syntax predicate (<=) "(%1 <= %2)" syntax predicate (<) "(%1 < %2)" syntax predicate (>=) "(%1 >= %2)" syntax predicate (>) "(%1 > %2)" remove prop MulComm.Comm remove prop MulAssoc.Assoc remove prop Unit_def_l remove prop Unit_def_r remove prop Inv_def_l remove prop Inv_def_r remove prop Assoc remove prop Mul_distr_l remove prop Mul_distr_r remove prop Comm remove prop Unitary remove prop Inverse remove prop Refl remove prop Trans remove prop Antisymm remove prop Total remove prop NonTrivialRing remove prop CompatOrderAdd remove prop ZeroLessOne meta "encoding:kept" type real end theory real.FromInt syntax function from_int "%1" remove prop Zero remove prop One remove prop Add remove prop Sub remove prop Mul remove prop Neg end theory Bool syntax type bool "BITVECTOR(1)" syntax function True "0bin1" syntax function False "0bin0" meta "encoding:kept" type bool end theory bool.Bool syntax function andb "(%1 & %2)" syntax function orb "(%1 | %2)" syntax function xorb "(BVXOR(%1,%2))" syntax function notb "(~ %1)" end theory HighOrd syntax type (->) "(ARRAY %1 OF %2)" syntax function (@) "(%1[%2])" meta "encoding:lskept" function (@) end theory map.Map syntax function get "(%1[%2])" syntax function set "(%1 WITH [%2] := %3)" meta "encoding:lskept" function get meta "encoding:lskept" function set end import "discrimination.gen" ����������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������why3-1.6.0/drivers/cvc4-realize.drv�����������������������������������������������������������������0000664�0000000�0000000�00000003510�14401600263�0017066�0����������������������������������������������������������������������������������������������������ustar�00root����������������������������root����������������������������0000000�0000000������������������������������������������������������������������������������������������������������������������������������������������������������������������������(** Why3 driver specific for checking BV theory consistency with CVC4 *) prelude "(set-logic AUFBVDTNIRA)" (* A : Array UF : Uninterpreted Function BV : BitVectors DT : Datatypes NIRA : NonLinear Integer Reals Arithmetic *) (* prelude "(set-logic ALL_SUPPORTED)" does not seem to include DT *) import "smt-libv2.gen" printer "smtv2" import "smt-libv2-bv-realization.gen" import "discrimination.gen" transformation "inline_trivial" transformation "eliminate_builtin" transformation "detect_polymorphism" transformation "eliminate_definition" (* We could keep more definitions by using transformation "eliminate_definition_conditionally" instead, but some proofs are lost (examples/logic/triangle_inequality.why) *) transformation "eliminate_inductive" transformation "eliminate_epsilon" transformation "eliminate_algebraic_if_poly" transformation "simplify_formula" (*transformation "simplify_trivial_quantification"*) transformation "discriminate_if_poly" transformation "encoding_smt_if_poly" (** Error messages specific to CVC4 *) outofmemory "(error \".*out of memory\")" outofmemory "CVC4 suffered a segfault" outofmemory "CVC4::BVMinisat::OutOfMemoryException" outofmemory "std::bad_alloc" outofmemory "Cannot allocate memory" timeout "interrupted by timeout" steps "smt::SmtEngine::resourceUnitsUsed, \\([0-9]+.?[0-9]*\\)" 1 (** Unfortunately, there is no specific output message when CVC4 reaches its resource limit steplimitexceeded "??" *) (** Extra theories supported by CVC4 *) (* Disabled: CVC4 seems less efficient with its built-in implementation than with the axiomatic version *) (* theory int.EuclideanDivision syntax function div "(div %1 %2)" syntax function mod "(mod %1 %2)" remove prop Mod_bound remove prop Div_mod remove prop Mod_1 remove prop Div_1 end *) import "cvc4_bv.gen" ����������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������why3-1.6.0/drivers/cvc4.drv�������������������������������������������������������������������������0000664�0000000�0000000�00000002367�14401600263�0015446�0����������������������������������������������������������������������������������������������������ustar�00root����������������������������root����������������������������0000000�0000000������������������������������������������������������������������������������������������������������������������������������������������������������������������������(** Why3 driver for CVC4 <= 1.3 *) prelude "(set-logic AUFNIRA)" (* A : Array UF : Uninterpreted Function NIRA : NonLinear Integer Reals Arithmetic *) import "smt-libv2.gen" printer "smtv2" import "no-bv.gen" import "discrimination.gen" transformation "inline_trivial" transformation "eliminate_builtin" transformation "eliminate_definition" transformation "eliminate_inductive" transformation "eliminate_epsilon" transformation "eliminate_algebraic" transformation "eliminate_literal" transformation "simplify_formula" (*transformation "simplify_trivial_quantification"*) transformation "discriminate" transformation "encoding_smt" (** Error messages specific to CVC4 *) outofmemory "(error \".*out of memory\")" outofmemory "CVC4 suffered a segfault" outofmemory "CVC4::BVMinisat::OutOfMemoryException" outofmemory "std::bad_alloc" outofmemory "Cannot allocate memory" timeout "interrupted by timeout" (** Extra theories supported by CVC4 *) (* Disabled: CVC4 seems less efficient with its built-in implementation than with the axiomatic version theory int.EuclideanDivision syntax function div "(div %1 %2)" syntax function mod "(mod %1 %2)" remove prop Mod_bound remove prop Div_mod remove prop Mod_1 remove prop Div_1 end *) �������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������why3-1.6.0/drivers/cvc4_14.drv����������������������������������������������������������������������0000664�0000000�0000000�00000003441�14401600263�0015744�0����������������������������������������������������������������������������������������������������ustar�00root����������������������������root����������������������������0000000�0000000������������������������������������������������������������������������������������������������������������������������������������������������������������������������(** Why3 driver for CVC4 1.4 *) prelude ";; produced by cvc4_14.drv ;;" prelude "(set-logic AUFBVDTNIRA)" (* A : Array UF : Uninterpreted Function BV : BitVectors DT : Datatypes NIRA : NonLinear Integer+Real Arithmetic *) import "smt-libv2.gen" printer "smtv2" import "smt-libv2-bv.gen" import "cvc4_bv.gen" import "discrimination.gen" transformation "inline_trivial" transformation "eliminate_builtin" transformation "detect_polymorphism" transformation "eliminate_definition" (* We could keep more definitions by using transformation "eliminate_definition_conditionally" instead, but some proofs are lost (examples/logic/triangle_inequality.why) *) transformation "eliminate_inductive" transformation "eliminate_epsilon" transformation "eliminate_algebraic_if_poly" transformation "eliminate_literal" transformation "simplify_formula" (*transformation "simplify_trivial_quantification"*) transformation "discriminate_if_poly" transformation "encoding_smt_if_poly" (** Error messages specific to CVC4 *) outofmemory "(error \".*out of memory\")" outofmemory "CVC4 suffered a segfault" outofmemory "CVC4::BVMinisat::OutOfMemoryException" outofmemory "std::bad_alloc" outofmemory "Cannot allocate memory" timeout "interrupted by timeout" steps "smt::SmtEngine::resourceUnitsUsed, \\([0-9]+.?[0-9]*\\)" 1 (** Unfortunately, there is no specific output message when CVC4 (<1.6) reaches its resource limit steplimitexceeded "??" *) (** Extra theories supported by CVC4 *) (* Disabled: CVC4 seems less efficient with its built-in implementation than with the axiomatic version *) (* theory int.EuclideanDivision syntax function div "(div %1 %2)" syntax function mod "(mod %1 %2)" remove prop Mod_bound remove prop Div_mod remove prop Mod_1 remove prop Div_1 end *) �������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������why3-1.6.0/drivers/cvc4_15.drv����������������������������������������������������������������������0000664�0000000�0000000�00000003763�14401600263�0015754�0����������������������������������������������������������������������������������������������������ustar�00root����������������������������root����������������������������0000000�0000000������������������������������������������������������������������������������������������������������������������������������������������������������������������������(** Why3 driver for CVC4 1.5 *) prelude ";; produced by cvc4_15.drv ;;" prelude "(set-logic AUFBVDTNIRA)" (* A : Array UF : Uninterpreted Function BV : BitVectors DT : Datatypes NIRA : NonLinear Integer+Real Arithmetic *) import "smt-libv2.gen" printer "smtv2" import "smt-libv2-bv.gen" import "cvc4_bv.gen" import "discrimination.gen" transformation "inline_trivial" transformation "eliminate_builtin" transformation "detect_polymorphism" transformation "eliminate_definition_conditionally" transformation "eliminate_inductive" transformation "eliminate_epsilon" transformation "eliminate_algebraic_if_poly" transformation "eliminate_literal" transformation "simplify_formula" (* Prepare for counter-example query: get rid of some quantifiers (makes it possible to query model values of the variables in premises) and introduce counter-example projections. Note: does nothing if meta get_counterexmp is not set *) transformation "prepare_for_counterexmp" transformation "discriminate_if_poly" transformation "encoding_smt_if_poly" (** Error messages specific to CVC4 *) outofmemory "(error \".*out of memory\")" outofmemory "CVC4 suffered a segfault" outofmemory "CVC4::BVMinisat::OutOfMemoryException" outofmemory "std::bad_alloc" outofmemory "Cannot allocate memory" timeout "interrupted by timeout" steps "smt::SmtEngine::resourceUnitsUsed, \\([0-9]+.?[0-9]*\\)" 1 (** Unfortunately, there is no specific output message when CVC4 reaches its resource limit steplimitexceeded "??" *) (** Extra theories supported by CVC4 *) (* CVC4 division seems to be the Euclidean one, not the Computer one *) theory int.EuclideanDivision syntax function div "(div %1 %2)" syntax function mod "(mod %1 %2)" remove prop Mod_bound remove prop Div_mod remove prop Mod_1 remove prop Div_1 end (* theory int.ComputerDivision syntax function div "(div %1 %2)" syntax function mod "(mod %1 %2)" remove prop Mod_bound remove prop Div_mod remove prop Mod_1 remove prop Div_1 end *) �������������why3-1.6.0/drivers/cvc4_15_counterexample.drv�������������������������������������������������������0000664�0000000�0000000�00000000243�14401600263�0021055�0����������������������������������������������������������������������������������������������������ustar�00root����������������������������root����������������������������0000000�0000000������������������������������������������������������������������������������������������������������������������������������������������������������������������������ import "cvc4_15.drv" (* Counterexamples: set model parser *) model_parser "smtv2" theory BuiltIn meta "get_counterexmp" "" meta "meta_incremental" "" end �������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������why3-1.6.0/drivers/cvc4_16.drv����������������������������������������������������������������������0000664�0000000�0000000�00000000456�14401600263�0015751�0����������������������������������������������������������������������������������������������������ustar�00root����������������������������root����������������������������0000000�0000000������������������������������������������������������������������������������������������������������������������������������������������������������������������������(** Why3 driver for CVC4 1.6 *) prelude ";; produced by cvc4_16.drv ;;" prelude "(set-logic AUFBVFPDTNIRA)" (* A : Array UF : Uninterpreted Function BV : BitVectors FP : FloatingPoint DT : Datatypes NIRA : NonLinear Integer+Real Arithmetic *) import "cvc4_16.gen" ������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������why3-1.6.0/drivers/cvc4_16.gen����������������������������������������������������������������������0000664�0000000�0000000�00000003651�14401600263�0015727�0����������������������������������������������������������������������������������������������������ustar�00root����������������������������root����������������������������0000000�0000000������������������������������������������������������������������������������������������������������������������������������������������������������������������������(** Why3 driver for CVC4 >= 1.6 (with floating point support) *) prelude "(set-info :smt-lib-version 2.6)" import "smt-libv2.gen" printer "smtv2.6" import "smt-libv2-bv.gen" import "cvc4_bv.gen" import "smt-libv2-floats.gen" import "discrimination.gen" transformation "inline_trivial" transformation "eliminate_builtin" transformation "remove_unused_keep_constants" transformation "detect_polymorphism" transformation "eliminate_definition_conditionally" transformation "eliminate_inductive" transformation "eliminate_epsilon" transformation "eliminate_algebraic_if_poly" transformation "eliminate_literal" transformation "simplify_formula" (* Prepare for counter-example query: get rid of some quantifiers (makes it possible to query model values of the variables in premises) and introduce counter-example projections. Note: does nothing if meta get_counterexmp is not set *) transformation "prepare_for_counterexmp" transformation "discriminate_if_poly" transformation "encoding_smt_if_poly" (** Error messages specific to CVC4 *) outofmemory "(error \".*out of memory\")" outofmemory "CVC4 suffered a segfault" outofmemory "CVC4::BVMinisat::OutOfMemoryException" outofmemory "std::bad_alloc" outofmemory "Cannot allocate memory" timeout "interrupted by timeout" steps "smt::SmtEngine::resourceUnitsUsed, \\([0-9]+.?[0-9]*\\)" 1 (* specific output message when CVC4 reaches its resource limit *) steplimitexceeded "unknown (RESOURCEOUT)" (** Extra theories supported by CVC4 *) (* CVC4 division seems to be the Euclidean one, not the Computer one *) theory int.EuclideanDivision syntax function div "(div %1 %2)" syntax function mod "(mod %1 %2)" remove prop Mod_bound remove prop Div_mod remove prop Mod_1 remove prop Div_1 end (* theory int.ComputerDivision syntax function div "(div %1 %2)" syntax function mod "(mod %1 %2)" remove prop Mod_bound remove prop Div_mod remove prop Mod_1 remove prop Div_1 end *) ���������������������������������������������������������������������������������������why3-1.6.0/drivers/cvc4_16_counterexample.drv�������������������������������������������������������0000664�0000000�0000000�00000000243�14401600263�0021056�0����������������������������������������������������������������������������������������������������ustar�00root����������������������������root����������������������������0000000�0000000������������������������������������������������������������������������������������������������������������������������������������������������������������������������ import "cvc4_16.drv" (* Counterexamples: set model parser *) model_parser "smtv2" theory BuiltIn meta "get_counterexmp" "" meta "meta_incremental" "" end �������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������why3-1.6.0/drivers/cvc4_17.drv����������������������������������������������������������������������0000664�0000000�0000000�00000000470�14401600263�0015746�0����������������������������������������������������������������������������������������������������ustar�00root����������������������������root����������������������������0000000�0000000������������������������������������������������������������������������������������������������������������������������������������������������������������������������(** Why3 driver for CVC4 1.7 *) prelude ";; produced by cvc4_17.drv ;;" prelude "(set-logic ALL_SUPPORTED)" unknown "^(error \"Can't get-info :reason-unknown when the last result wasn't unknown!\")$" "(not unknown!)" import "cvc4_16.gen" theory BuiltIn meta "supports_smt_get_info_unknown_reason" "" end��������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������why3-1.6.0/drivers/cvc4_17_counterexample.drv�������������������������������������������������������0000664�0000000�0000000�00000000333�14401600263�0021057�0����������������������������������������������������������������������������������������������������ustar�00root����������������������������root����������������������������0000000�0000000������������������������������������������������������������������������������������������������������������������������������������������������������������������������ prelude ";; produced by cvc4_17_counterexample.drv ;;" import "cvc4_17.drv" (* Counterexamples: set model parser *) model_parser "smtv2" theory BuiltIn meta "get_counterexmp" "" meta "meta_incremental" "" end �����������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������why3-1.6.0/drivers/cvc4_18_strings.drv��������������������������������������������������������������0000664�0000000�0000000�00000002157�14401600263�0017524�0����������������������������������������������������������������������������������������������������ustar�00root����������������������������root����������������������������0000000�0000000������������������������������������������������������������������������������������������������������������������������������������������������������������������������(** Why3 driver for CVC4 1.8 with string support *) prelude ";; produced by cvc4_18_strings.drv ;;" import "cvc4_17.drv" import "smtlib-strings.gen" theory string.String remove prop lt_empty remove prop lt_not_com remove prop lt_ref remove prop lt_ref remove prop lt_trans remove prop le_empty remove prop le_ref remove prop lt_le remove prop lt_le_eq remove prop le_trans remove prop replaceall_empty1 remove prop not_contains_replaceall end theory string.RegExpr syntax type re "RegLan" syntax function to_re "(str.to_re %1)" syntax predicate in_re "(str.in_re %1 %2)" syntax function concat "(re.++ %1 %2)" syntax function union "(re.union %1 %2)" syntax function inter "(re.inter %1 %2)" syntax function star "(re.* %1)" syntax function plus "(re.+ %1)" syntax function none "re.none" syntax function allchar "re.allchar" syntax function opt "(re.opt %1)" syntax function range "(re.range %1 %2)" syntax function power "((_ re.^ %1) %2)" syntax function loop "((_ re.loop %1 %2) %3)" end�����������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������why3-1.6.0/drivers/cvc4_18_strings_counterexample.drv�����������������������������������������������0000664�0000000�0000000�00000000352�14401600263�0022632�0����������������������������������������������������������������������������������������������������ustar�00root����������������������������root����������������������������0000000�0000000������������������������������������������������������������������������������������������������������������������������������������������������������������������������ prelude ";; produced by cvc4_18_strings_counterexample.drv ;;" import "cvc4_18_strings.drv" (* Counterexamples: set model parser *) model_parser "smtv2" theory BuiltIn meta "get_counterexmp" "" meta "meta_incremental" "" end��������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������why3-1.6.0/drivers/cvc4_bv.gen����������������������������������������������������������������������0000664�0000000�0000000�00000002024�14401600263�0016101�0����������������������������������������������������������������������������������������������������ustar�00root����������������������������root����������������������������0000000�0000000������������������������������������������������������������������������������������������������������������������������������������������������������������������������(* bitvector modules, is not in smt-libv2.gen since cvc4 and z3 don't have the same name for the function to_int *) theory bv.BV_Gen syntax function to_uint "(bv2nat %1)" end theory bv.BV256 (* mapping of_int to int2bv is disabled because it breaks proofs in examples/bitcount, examples/esterel, examples/isqrt_von_neumann, examples/rightmostbittrick, examples/bitwalker *) (* syntax function of_int "((_ int2bv 256) %1)" *) syntax function t'int "(bv2nat %1)" end theory bv.BV128 (* syntax function of_int "((_ int2bv 128) %1)" *) syntax function t'int "(bv2nat %1)" end theory bv.BV64 (* syntax function of_int "((_ int2bv 64) %1)" *) syntax function t'int "(bv2nat %1)" end theory bv.BV32 (* syntax function of_int "((_ int2bv 32) %1)" *) syntax function t'int "(bv2nat %1)" end theory bv.BV16 (* syntax function of_int "((_ int2bv 16) %1)" *) syntax function t'int "(bv2nat %1)" end theory bv.BV8 (* syntax function of_int "((_ int2bv 8) %1)" *) syntax function t'int "(bv2nat %1)" end ������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������why3-1.6.0/drivers/cvc5.drv�������������������������������������������������������������������������0000664�0000000�0000000�00000004647�14401600263�0015452�0����������������������������������������������������������������������������������������������������ustar�00root����������������������������root����������������������������0000000�0000000������������������������������������������������������������������������������������������������������������������������������������������������������������������������(** Why3 driver for CVC5 1.0.0 *) prelude ";; produced by cvc5.drv ;;" prelude "(set-logic ALL)" prelude "(set-info :smt-lib-version 2.6)" unknown "^(error \"Can't get-info :reason-unknown when the last result wasn't unknown!\")$" "(not unknown!)" outofmemory "cvc5 suffered a segfault" outofmemory "cvc5::internal::Minisat::OutOfMemoryException" steps "resource::resourceUnitsUsed = \\([0-9]+\\)" 1 theory BuiltIn meta "supports_smt_get_info_unknown_reason" "" end import "smt-libv2.gen" printer "smtv2.6" import "smt-libv2-bv.gen" import "cvc4_bv.gen" import "smt-libv2-floats.gen" import "discrimination.gen" theory BuiltIn meta "select_alginst_default" "local" meta "eliminate_algebraic" "keep_mono" end transformation "inline_trivial" transformation "eliminate_builtin" transformation "remove_unused_keep_constants" transformation "detect_polymorphism" transformation "eliminate_definition_conditionally" transformation "eliminate_inductive" transformation "eliminate_epsilon" transformation "eliminate_literal" transformation "simplify_formula" (* Prepare for counter-example query: get rid of some quantifiers (makes it possible to query model values of the variables in premises) and introduce counter-example projections. Note: does nothing if meta get_counterexmp is not set *) transformation "prepare_for_counterexmp" transformation "eliminate_projections_sums" transformation "discriminate_if_poly" transformation "eliminate_algebraic_if_poly" transformation "encoding_smt_if_poly" (** Error messages specific to CVC4 *) outofmemory "(error \".*out of memory\")" outofmemory "CVC4 suffered a segfault" outofmemory "CVC4::BVMinisat::OutOfMemoryException" outofmemory "std::bad_alloc" outofmemory "Cannot allocate memory" timeout "interrupted by timeout" steps "smt::SmtEngine::resourceUnitsUsed, \\([0-9]+.?[0-9]*\\)" 1 (* specific output message when CVC4 reaches its resource limit *) steplimitexceeded "unknown (RESOURCEOUT)" (** Extra theories supported by CVC4 *) (* CVC4 division seems to be the Euclidean one, not the Computer one *) theory int.EuclideanDivision syntax function div "(div %1 %2)" syntax function mod "(mod %1 %2)" remove prop Mod_bound remove prop Div_mod remove prop Mod_1 remove prop Div_1 end (* theory int.ComputerDivision syntax function div "(div %1 %2)" syntax function mod "(mod %1 %2)" remove prop Mod_bound remove prop Div_mod remove prop Mod_1 remove prop Div_1 end *) �����������������������������������������������������������������������������������������why3-1.6.0/drivers/cvc5_counterexample.drv����������������������������������������������������������0000664�0000000�0000000�00000000325�14401600263�0020552�0����������������������������������������������������������������������������������������������������ustar�00root����������������������������root����������������������������0000000�0000000������������������������������������������������������������������������������������������������������������������������������������������������������������������������ prelude ";; produced by cvc5_counterexample.drv ;;" import "cvc5.drv" (* Counterexamples: set model parser *) model_parser "smtv2" theory BuiltIn meta "get_counterexmp" "" meta "meta_incremental" "" end �����������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������why3-1.6.0/drivers/cvc5_strings.drv�����������������������������������������������������������������0000664�0000000�0000000�00000002154�14401600263�0017212�0����������������������������������������������������������������������������������������������������ustar�00root����������������������������root����������������������������0000000�0000000������������������������������������������������������������������������������������������������������������������������������������������������������������������������(** Why3 driver for CVC5 1.0.0 with string support *) prelude ";; produced by cvc5_strings.drv ;;" import "cvc5.drv" import "smtlib-strings.gen" theory string.String remove prop lt_empty remove prop lt_not_com remove prop lt_ref remove prop lt_ref remove prop lt_trans remove prop le_empty remove prop le_ref remove prop lt_le remove prop lt_le_eq remove prop le_trans remove prop replaceall_empty1 remove prop not_contains_replaceall end theory string.RegExpr syntax type re "RegLan" syntax function to_re "(str.to_re %1)" syntax predicate in_re "(str.in_re %1 %2)" syntax function concat "(re.++ %1 %2)" syntax function union "(re.union %1 %2)" syntax function inter "(re.inter %1 %2)" syntax function star "(re.* %1)" syntax function plus "(re.+ %1)" syntax function none "re.none" syntax function allchar "re.allchar" syntax function opt "(re.opt %1)" syntax function range "(re.range %1 %2)" syntax function power "((_ re.^ %1) %2)" syntax function loop "((_ re.loop %1 %2) %3)" end ��������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������why3-1.6.0/drivers/cvc5_strings_counterexample.drv��������������������������������������������������0000664�0000000�0000000�00000000345�14401600263�0022325�0����������������������������������������������������������������������������������������������������ustar�00root����������������������������root����������������������������0000000�0000000������������������������������������������������������������������������������������������������������������������������������������������������������������������������ prelude ";; produced by cvc5_strings_counterexample.drv ;;" import "cvc5_strings.drv" (* Counterexamples: set model parser *) model_parser "smtv2" theory BuiltIn meta "get_counterexmp" "" meta "meta_incremental" "" end �������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������why3-1.6.0/drivers/discrimination.gen���������������������������������������������������������������0000664�0000000�0000000�00000000251�14401600263�0017567�0����������������������������������������������������������������������������������������������������ustar�00root����������������������������root����������������������������0000000�0000000������������������������������������������������������������������������������������������������������������������������������������������������������������������������theory BuiltIn meta "select_inst_default" "local" meta "select_lskept_default" "local" meta "select_lsinst_default" "local" meta "select_kept_default" "all" end �������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������why3-1.6.0/drivers/dreal.drv������������������������������������������������������������������������0000664�0000000�0000000�00000007011�14401600263�0015665�0����������������������������������������������������������������������������������������������������ustar�00root����������������������������root����������������������������0000000�0000000������������������������������������������������������������������������������������������������������������������������������������������������������������������������(** Why3 driver for dreal 21.4.06.2* *) prelude ";; produced by dreal.drv ;;" printer "smtv2" filename "%f-%t-%g.smt2" unknown "delta-sat with delta = .*" "" time "why3cpulimit time : %s s" valid "^unsat$" transformation "inline_trivial" transformation "eliminate_definition" transformation "eliminate_builtin" transformation "eliminate_inductive" transformation "eliminate_epsilon" transformation "eliminate_algebraic" transformation "eliminate_literal" transformation "simplify_formula" transformation "simplify_trivial_quantification" transformation "encoding_smt" transformation "simplify_computations" transformation "introduce_premises" transformation "instantiate_predicate" transformation "keep_only_arithmetic" transformation "abstract_unknown_lsymbols" transformation "eliminate_unknown_lsymbols" transformation "eliminate_unknown_types" prelude "(set-logic QF_NRA)" theory BuiltIn syntax type int "Int" syntax type real "Real" syntax predicate (=) "(= %1 %2)" meta "encoding:kept" type int meta "encoding:ignore_polymorphism_ls" predicate (=) end theory int.Int syntax function zero "0" syntax function one "1" syntax function (+) "(+ %1 %2)" syntax function (-) "(- %1 %2)" syntax function (*) "(* %1 %2)" syntax function (-_) "(- %1)" syntax predicate (<=) "(<= %1 %2)" syntax predicate (<) "(< %1 %2)" syntax predicate (>=) "(>= %1 %2)" syntax predicate (>) "(> %1 %2)" remove allprops end theory int.Abs syntax function abs "(ite (>= %1 0.0) %1 (- %1))" remove allprops end theory real.Real syntax function zero "0.0" syntax function one "1.0" syntax function (+) "(+ %1 %2)" syntax function (-) "(- %1 %2)" syntax function (*) "(* %1 %2)" syntax function (/) "(/ %1 %2)" syntax function (-_) "(- %1)" syntax function inv "(/ 1.0 %1)" syntax predicate (<=) "(<= %1 %2)" syntax predicate (<) "(< %1 %2)" syntax predicate (>=) "(>= %1 %2)" syntax predicate (>) "(> %1 %2)" remove allprops meta "encoding:kept" type real end theory real.Abs syntax function abs "(ite (>= %1 0.0) %1 (- %1))" remove allprops end theory real.MinMax syntax function min "(min %1 %2)" syntax function max "(max %1 %2)" remove allprops end theory real.FromInt remove allprops end theory real.Truncate syntax function truncate "(ite (>= %1 0.0) \ (to_int %1) \ (- (to_int (- %1))))" syntax function floor "(to_int %1)" syntax function ceil "(- (to_int (- %1)))" remove allprops end theory real.Square syntax function sqrt "(sqrt %1)" syntax function sqr "(pow %1 2)" remove allprops end theory real.ExpLog syntax function exp "(exp %1)" syntax function log "(log %1)" remove allprops end theory real.PowerReal syntax function pow "(^ %1 %2)" remove allprops end theory real.Trigonometry syntax function cos "(cos %1)" syntax function sin "(sin %1)" syntax function tan "(tan %1)" syntax function atan "(atan %1)" remove prop Pythagorean_identity remove prop Cos_le_one remove prop Sin_le_one remove prop Cos_0 remove prop Sin_0 remove prop Cos_neg remove prop Sin_neg remove prop Cos_sum remove prop Sin_sum remove prop Tan_atan end theory real.Hyperbolic syntax function cosh "(cosh %1)" syntax function sinh "(sinh %1)" syntax function tanh "(tanh %1)" end theory ieee_float.GenericFloat remove allprops end theory ieee_float.Float64 remove prop max_int_def remove prop max_real_def end theory bv.Pow2int remove allprops remove allprops end �����������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������why3-1.6.0/drivers/eprover.drv����������������������������������������������������������������������0000664�0000000�0000000�00000000502�14401600263�0016256�0����������������������������������������������������������������������������������������������������ustar�00root����������������������������root����������������������������0000000�0000000������������������������������������������������������������������������������������������������������������������������������������������������������������������������(* Why driver for Eprover *) valid "Proof found" invalid "Completion found" timeout "Ran out of time" timeout "CPU time limit exceeded" outofmemory "Out of Memory" unknown "No proof found" "" fail "Failure.*" "\"\\0\"" time "why3cpulimit time : %s s" import "tptp.gen" import "discrimination.gen" ����������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������why3-1.6.0/drivers/gappa.drv������������������������������������������������������������������������0000664�0000000�0000000�00000011504�14401600263�0015670�0����������������������������������������������������������������������������������������������������ustar�00root����������������������������root����������������������������0000000�0000000������������������������������������������������������������������������������������������������������������������������������������������������������������������������(* Why driver for Gappa *) prelude "# this is a prelude for Gappa" printer "gappa" filename "%f-%t-%g.gappa" valid 0 unknown "no contradiction was found\\|some enclosures were not satisfied\\|some properties were not satisfied" "" time "why3cpulimit time : %s s" fail "Error: \\(.*\\)" "\\1" transformation "inline_trivial" transformation "eliminate_builtin" transformation "inline_all" transformation "eliminate_definition" transformation "eliminate_inductive" transformation "eliminate_if" transformation "eliminate_epsilon" transformation "eliminate_algebraic" transformation "eliminate_literal" transformation "eliminate_let" transformation "simplify_formula" transformation "simplify_unknown_lsymbols" transformation "simplify_trivial_quantification" transformation "simplify_computations" transformation "introduce_premises" transformation "instantiate_predicate" transformation "abstract_unknown_lsymbols" theory BuiltIn syntax type int "int" syntax type real "real" syntax predicate (=) "dummy" meta "eliminate_algebraic" "keep_enums" end theory int.Int prelude "# this is a prelude for Gappa integer arithmetic" syntax function zero "0" syntax function one "1" syntax function (+) "(%1 + %2)" syntax function (-) "(%1 - %2)" syntax function (*) "(%1 * %2)" syntax function (-_) "(-%1)" syntax predicate (<=) "dummy" syntax predicate (>=) "dummy" syntax predicate (<) "dummy" syntax predicate (>) "dummy" meta "gappa arith" predicate (<=), "", "<=", ">=" meta "gappa arith" predicate (>=), "", ">=", "<=" meta "gappa arith" predicate (<), "not ", ">=", "<=" meta "gappa arith" predicate (>), "not ", "<=", ">=" meta "inline:no" function (-) meta "inline:no" predicate (<=) meta "inline:no" predicate (>=) meta "inline:no" predicate (>) remove prop NonTrivialRing remove prop ZeroLessOne end theory int.Abs syntax function abs "| %1 |" end theory int.ComputerDivision syntax function div "int<zr>(%1 / %2)" syntax function mod "(%1 - int<zr>(%1 / %2) * %2)" end theory real.Real prelude "# this is a prelude for Gappa real arithmetic" syntax function zero "0.0" syntax function one "1.0" syntax function (+) "(%1 + %2)" syntax function (-) "(%1 - %2)" syntax function (*) "(%1 * %2)" syntax function (/) "(%1 / %2)" syntax function (-_) "(-%1)" syntax function inv "(1.0 / %1)" syntax predicate (<=) "dummy" syntax predicate (>=) "dummy" syntax predicate (<) "dummy" syntax predicate (>) "dummy" meta "gappa arith" predicate (<=), "", "<=", ">=" meta "gappa arith" predicate (>=), "", ">=", "<=" meta "gappa arith" predicate (<), "not ", ">=", "<=" meta "gappa arith" predicate (>), "not ", "<=", ">=" meta "inline:no" function (-) meta "inline:no" predicate (<=) meta "inline:no" predicate (>=) meta "inline:no" predicate (>) remove prop NonTrivialRing remove prop ZeroLessOne end theory real.Abs syntax function abs "| %1 |" end theory real.Square syntax function sqrt "sqrt(%1)" end theory real.Truncate syntax function truncate "int<zr>(%1)" syntax function floor "int<dn>(%1)" syntax function ceil "int<up>(%1)" end theory real.FromInt syntax function from_int "%1" remove prop Zero remove prop One end theory floating_point.Rounding syntax function NearestTiesToEven "ne" syntax function ToZero "zr" syntax function Up "up" syntax function Down "dn" syntax function NearestTiesToAway "na" end theory floating_point.Single syntax function round "float<ieee_32,%1>(%2)" meta "instantiate:auto" prop Bounded_value end theory floating_point.Double syntax function round "float<ieee_64,%1>(%2)" meta "instantiate:auto" prop Bounded_value end theory ieee_float.RoundingMode syntax function RNE "ne" syntax function RTZ "zr" syntax function RTP "up" syntax function RTN "dn" syntax function RNA "na" end theory ieee_float.GenericFloat meta "instantiate:auto" prop zero_to_real meta "instantiate:auto" prop is_finite meta "instantiate:auto" prop lt_finite meta "instantiate:auto" prop le_finite meta "instantiate:auto" prop neg_finite meta "instantiate:auto" prop add_finite meta "instantiate:auto" prop sub_finite meta "instantiate:auto" prop mul_finite meta "instantiate:auto" prop div_finite remove prop max_int_spec remove prop max_real_int end theory ieee_float.Float32 syntax function round "float<ieee_32,%1>(%2)" end theory ieee_float.Float64 syntax function round "float<ieee_64,%1>(%2)" end (* theory floating_point.SingleMultiRounding syntax function round "float<ieee_32,%1>(%2)" meta "instantiate:auto" prop Bounded_value end *) theory floating_point.DoubleMultiRounding syntax function round "float<ieee_64,%1>(%2)" meta "instantiate:auto" prop Bounded_value end theory mach.fxp.Fxp syntax function trunc_at "fixed<%2,dn>(%1)" end ��������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������why3-1.6.0/drivers/iprover.drv����������������������������������������������������������������������0000664�0000000�0000000�00000000171�14401600263�0016264�0����������������������������������������������������������������������������������������������������ustar�00root����������������������������root����������������������������0000000�0000000������������������������������������������������������������������������������������������������������������������������������������������������������������������������(* Why driver for first-order tptp provers *) timeout "Time Out Virtual" import "tptp.gen" import "discrimination.gen" �������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������why3-1.6.0/drivers/isabelle-common.gen��������������������������������������������������������������0000664�0000000�0000000�00000017566�14401600263�0017642�0����������������������������������������������������������������������������������������������������ustar�00root����������������������������root����������������������������0000000�0000000������������������������������������������������������������������������������������������������������������������������������������������������������������������������(* driver for Isabelle/HOL *) (* main author: Stefan Berghofer <stefan.berghofer@secunet.com> *) valid "Finished Why3 theory" valid "All verification conditions have been proved" unknown "The following verification conditions remain to be proved" "incomplete proof" (* fail "\\*\\*\\* \\(.*\\)$" "\\1" *) time "why3cpulimit time : %s s" transformation "eliminate_negative_constants" transformation "eliminate_literal" transformation "eliminate_if_fmla" transformation "eliminate_epsilon" transformation "eliminate_let_fmla" transformation "simplify_formula" theory BuiltIn syntax type int "<type name=\"Int.int\"/>" syntax type real "<type name=\"Real.real\"/>" syntax predicate (=) "<app><const name=\"HOL.eq\"/>%1%2</app>" end theory HighOrd syntax type (->) "<fun>%1%2</fun>" syntax function (@) "<app>%1%2</app>" end theory Bool syntax type bool "<type name=\"HOL.bool\"/>" syntax function True "<const name=\"HOL.True\"/>" syntax function False "<const name=\"HOL.False\"/>" end theory bool.Bool syntax function andb "<app><const name=\"HOL.conj\"/>%1%2</app>" syntax function orb "<app><const name=\"HOL.disj\"/>%1%2</app>" syntax function xorb "<app><const name=\"HOL.Not\"/><app><const name=\"HOL.eq\"/>%1%2</app></app>" syntax function notb "<app><const name=\"HOL.Not\"/>%1</app>" syntax function implb "<app><const name=\"HOL.implies\"/>%1%2</app>" end theory int.Int syntax function zero "<number val=\"0\"><type name=\"Int.int\"/></number>" syntax function one "<number val=\"1\"><type name=\"Int.int\"/></number>" syntax function (+) "<app><const name=\"Groups.plus_class.plus\"/>%1%2</app>" syntax function (-) "<app><const name=\"Groups.minus_class.minus\"/>%1%2</app>" syntax function (*) "<app><const name=\"Groups.times_class.times\"/>%1%2</app>" syntax function (-_) "<app><const name=\"Groups.uminus_class.uminus\"/>%1</app>" syntax predicate (<=) "<app><const name=\"Orderings.ord_class.less_eq\"/>%1%2</app>" syntax predicate (<) "<app><const name=\"Orderings.ord_class.less\"/>%1%2</app>" syntax predicate (>=) "<app><const name=\"Orderings.ord_class.less_eq\"/>%2%1</app>" syntax predicate (>) "<app><const name=\"Orderings.ord_class.less\"/>%2%1</app>" remove prop MulComm.Comm remove prop MulAssoc.Assoc remove prop Unit_def_l remove prop Unit_def_r remove prop Inv_def_l remove prop Inv_def_r remove prop Assoc remove prop Mul_distr_l remove prop Mul_distr_r remove prop Comm remove prop Unitary remove prop Refl remove prop Trans remove prop Antisymm remove prop Total remove prop NonTrivialRing remove prop CompatOrderAdd remove prop CompatOrderMult remove prop ZeroLessOne end theory int.Abs syntax function abs "<app><const name=\"Groups.abs_class.abs\"/>%1</app>" remove prop Abs_pos end theory int.MinMax syntax function min "<app><const name=\"Orderings.ord_class.min\"/>%1%2</app>" syntax function max "<app><const name=\"Orderings.ord_class.max\"/>%1%2</app>" end theory int.Exponentiation syntax function power "<app><const name=\"Power.power_class.power\"/>%1<app><const name=\"Int.nat\"/>%2</app></app>" end theory list.List syntax type list "<type name=\"List.list\">%1</type>" syntax function Nil "<const name=\"List.list.Nil\">%t0</const>" syntax function Cons "<app><const name=\"List.list.Cons\"/>%1%2</app>" end theory list.Length syntax function length "<app><const name=\"Nat.semiring_1_class.of_nat\"><fun><type name=\"Nat.nat\"/><type name=\"Int.int\"/></fun></const><app><const name=\"List.length\"/>%1</app></app>" end theory list.Append syntax function (++) "<app><const name=\"List.append\"/>%1%2</app>" end theory list.Reverse syntax function reverse "<app><const name=\"List.rev\"/>%1</app>" end theory list.Mem syntax predicate mem "<app><const name=\"Set.member\"/>%1<app><const name=\"List.list.set\"/>%2</app></app>" end theory list.NthNoOpt syntax function nth "<app><const name=\"List.nth\"/>%2<app><const name=\"Int.nat\"/>%1</app></app>" end theory list.HdTlNoOpt syntax function hd "<app><const name=\"List.list.hd\"/>%1</app>" syntax function tl "<app><const name=\"List.list.tl\"/>%1</app>" end theory list.Distinct syntax predicate distinct "<app><const name=\"List.distinct\"/>%1</app>" end theory option.Option syntax type option "<type name=\"Option.option\">%1</type>" syntax function None "<const name=\"Option.option.None\">%t0</const>" syntax function Some "<app><const name=\"Option.option.Some\"/>%1</app>" end theory map.Map syntax function get "<app>%1%2</app>" syntax function ([]) "<app>%1%2</app>" syntax function set "<app><const name=\"Fun.fun_upd\"/>%1%2%3</app>" syntax function ([<-]) "<app><const name=\"Fun.fun_upd\"/>%1%2%3</app>" end theory set.Fset syntax function cardinal "<app><const name=\"Nat.semiring_1_class.of_nat\"><fun><type name=\"Nat.nat\"/><type name=\"Int.int\"/></fun></const><app><const name=\"FSet.fcard\"/>%1</app></app>" end theory number.Parity syntax predicate even "<app><const name=\"Parity.semiring_parity_class.even\"/>%1</app>" syntax predicate odd "<app><const name=\"Parity.semiring_parity_class.odd\"/>%1</app>" end theory number.Divisibility syntax predicate divides "<app><const name=\"Rings.dvd_class.dvd\"/>%1%2</app>" end theory number.Gcd syntax function gcd "<app><const name=\"GCD.gcd_class.gcd\"/>%1%2</app>" end theory number.Prime syntax predicate prime "<app><const name=\"Factorial_Ring.normalization_semidom_class.prime\"/>%1</app>" end theory number.Coprime syntax predicate coprime "<app><const name=\"Rings.algebraic_semidom_class.coprime\"/>%1%2</app>" end theory algebra.Field syntax function inv "<app><const name=\"Fields.inverse_class.inverse\"/>%1</app>" syntax function (/) "<app><const name=\"Rings.divide_class.divide\"/>%1%2</app>" end theory real.Real syntax function zero "<number val=\"0\"><type name=\"Real.real\"/></number>" syntax function one "<number val=\"1\"><type name=\"Real.real\"/></number>" syntax function (+) "<app><const name=\"Groups.plus_class.plus\"/>%1%2</app>" syntax function (-) "<app><const name=\"Groups.minus_class.minus\"/>%1%2</app>" syntax function (*) "<app><const name=\"Groups.times_class.times\"/>%1%2</app>" syntax function (-_) "<app><const name=\"Groups.uminus_class.uminus\"/>%1</app>" syntax predicate (<=) "<app><const name=\"Orderings.ord_class.less_eq\"/>%1%2</app>" syntax predicate (<) "<app><const name=\"Orderings.ord_class.less\"/>%1%2</app>" syntax predicate (>=) "<app><const name=\"Orderings.ord_class.less_eq\"/>%2%1</app>" syntax predicate (>) "<app><const name=\"Orderings.ord_class.less\"/>%2%1</app>" remove prop MulComm.Comm remove prop MulAssoc.Assoc remove prop Unit_def_l remove prop Unit_def_r remove prop Inv_def_l remove prop Inv_def_r remove prop Assoc remove prop Mul_distr_l remove prop Mul_distr_r remove prop Comm remove prop Unitary remove prop Refl remove prop Trans remove prop Antisymm remove prop Total remove prop NonTrivialRing remove prop CompatOrderAdd remove prop CompatOrderMult remove prop ZeroLessOne end theory real.Abs syntax function abs "<app><const name=\"Groups.abs_class.abs\"/>%1</app>" remove prop Abs_pos end theory real.MinMax syntax function min "<app><const name=\"Orderings.ord_class.min\"/>%1%2</app>" syntax function max "<app><const name=\"Orderings.ord_class.max\"/>%1%2</app>" end theory real.Trigonometry syntax function tan "<app><const name=\"Transcendental.tan\"/>%1</app>" end theory bv.BV_Gen meta "literal:keep" type t syntax function to_int "<app><const name=\"Word.sint\"/>%1</app>" end theory bv.BV64 meta "literal:keep" type t end theory bv.BV32 meta "literal:keep" type t end theory bv.BV16 meta "literal:keep" type t end theory bv.BV8 meta "literal:keep" type t end (* this file has an extension .aux rather than .gen since it should not be distributed *) import "isabelle-realizations.aux" ������������������������������������������������������������������������������������������������������������������������������������������why3-1.6.0/drivers/isabelle-realize.drv�������������������������������������������������������������0000664�0000000�0000000�00000000316�14401600263�0020010�0����������������������������������������������������������������������������������������������������ustar�00root����������������������������root����������������������������0000000�0000000������������������������������������������������������������������������������������������������������������������������������������������������������������������������(* driver for Isabelle/HOL *) (* main author: Stefan Berghofer <stefan.berghofer@secunet.com> *) printer "isabelle-realize" filename "%t.xml" transformation "inline_trivial" import "isabelle-common.gen" ������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������why3-1.6.0/drivers/isabelle.drv���������������������������������������������������������������������0000664�0000000�0000000�00000000452�14401600263�0016360�0����������������������������������������������������������������������������������������������������ustar�00root����������������������������root����������������������������0000000�0000000������������������������������������������������������������������������������������������������������������������������������������������������������������������������(* driver for Isabelle/HOL *) (* main author: Stefan Berghofer <stefan.berghofer@secunet.com> *) printer "isabelle" filename "%f_%t_%g.xml" transformation "inline_trivial" transformation "eliminate_builtin" import "isabelle-common.gen" transformation "simplify_trivial_quantification_in_goal" ����������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������why3-1.6.0/drivers/mathematica.drv������������������������������������������������������������������0000664�0000000�0000000�00000012405�14401600263�0017056�0����������������������������������������������������������������������������������������������������ustar�00root����������������������������root����������������������������0000000�0000000������������������������������������������������������������������������������������������������������������������������������������������������������������������������ (* Why driver for Mathematica *) prelude "(* this is a prelude for Mathematica *)" printer "mathematica" filename "%f-%t-%g.m" valid "\\bTrue\\b" unknown "\\bFalse\\b" "\\bFalse\\b" time "why3cpulimit time : %s s" transformation "inline_trivial" transformation "inline_all" transformation "eliminate_builtin" (*transformation "eliminate_definition"*) (*transformation "eliminate_recursion"*) (*transformation "eliminate_inductive"*) (*transformation "eliminate_if"*) transformation "eliminate_epsilon" (*transformation "eliminate_algebraic"*) (*transformation "eliminate_algebraic_math"*) transformation "eliminate_literal" transformation "eliminate_let" (*transformation "split_premise"*) transformation "simplify_formula" (*transformation "simplify_unknown_lsymbols"*) transformation "simplify_trivial_quantification" (*transformation "introduce_premises"*) (*transformation "instantiate_predicate"*) (*transformation "abstract_unknown_lsymbols"*) theory BuiltIn syntax type int "Integers" syntax type real "Reals" syntax predicate (=) "(%1 == %2)" meta "encoding:kept" type int end (* int *) theory int.Int prelude "(* this is a prelude for Mathematica integer arithmetic *)" syntax function zero "0" syntax function one "1" syntax function (+) "(%1 + %2)" syntax function (-) "(%1 - %2)" syntax function (*) "(%1 %2)" syntax function (-_) "(-%1)" syntax predicate (<=) "(%1 <= %2)" syntax predicate (<) "(%1 < %2)" syntax predicate (>=) "(%1 >= %2)" syntax predicate (>) "(%1 > %2)" meta "inline:no" predicate (<=) meta "inline:no" predicate (>=) meta "inline:no" predicate (>) remove prop MulComm.Comm remove prop MulAssoc.Assoc remove prop Unit_def_l remove prop Unit_def_r remove prop Inv_def_l remove prop Inv_def_r remove prop Assoc remove prop Mul_distr_l remove prop Mul_distr_r remove prop Comm remove prop Unitary remove prop Refl remove prop Trans remove prop Antisymm remove prop Total remove prop NonTrivialRing remove prop CompatOrderAdd remove prop CompatOrderMult remove prop ZeroLessOne meta "encoding:kept" type int end theory int.Abs syntax function abs "Abs[%1]" end theory int.EuclideanDivision syntax function div "Quotient[%1, %2]" syntax function mod "Mod[%1, %2]" remove prop Mod_bound remove prop Div_bound remove prop Div_mod remove prop Mod_1 remove prop Div_1 meta "encoding:kept" type int end (* real *) theory real.Real prelude "(* this is a prelude for Mathematica real arithmetic *)" syntax function zero "0" syntax function one "1" syntax function (+) "(%1 + %2)" syntax function (-) "(%1 - %2)" syntax function (*) "(%1 * %2)" syntax function (/) "(%1 / %2)" syntax function (-_) "(-%1)" syntax function inv "(1 / %1)" syntax predicate (<=) "(%1 <= %2)" syntax predicate (<) "(%1 < %2)" syntax predicate (>=) "(%1 >= %2)" syntax predicate (>) "(%1 > %2)" meta "inline:no" predicate (<=) meta "inline:no" predicate (>=) meta "inline:no" predicate (>) remove prop MulComm.Comm remove prop MulAssoc.Assoc remove prop Unit_def_l remove prop Unit_def_r remove prop Inv_def_l remove prop Inv_def_r remove prop Assoc remove prop Mul_distr_l remove prop Mul_distr_r remove prop Comm remove prop Unitary remove prop Inverse remove prop Refl remove prop Trans remove prop Antisymm remove prop Total remove prop NonTrivialRing remove prop CompatOrderAdd remove prop ZeroLessOne remove prop add_div remove prop sub_div remove prop neg_div remove prop assoc_mul_div remove prop assoc_div_mul remove prop assoc_div_div remove prop CompatOrderMult (*meta "encoding:kept" type real*) end theory real.Abs syntax function abs "Abs[%1]" end theory real.MinMax syntax function min "Min[%1, %2]" syntax function max "Max[%1, %2]" end theory real.Square syntax function sqr "Power[%1,2]" syntax function sqrt "Sqrt[%1]" end theory real.ExpLog syntax function exp "Exp[%1]" syntax function e "E" syntax function log "Log[%1]" syntax function log2 "Log[2, %1]" syntax function log10 "Log[10, %1]" remove prop Exp_zero remove prop Exp_sum remove prop Log_one remove prop Log_mul remove prop Log_exp remove prop Exp_log end theory real.PowerInt syntax function power "Power[%1, %2]" end theory real.PowerReal syntax function pow "Power[%1, %2]" end theory real.Trigonometry syntax function cos "Cos[%1]" syntax function sin "Sin[%1]" syntax function tan "Tan[%1]" syntax function atan "ArcTan[%1]" syntax function pi "Pi" end theory real.Hyperbolic syntax function sinh "Sinh[%1]" syntax function cosh "Cosh[%1]" syntax function tanh "Tanh[%1]" syntax function asinh "ArcSinh[%1]" syntax function acosh "ArcCosh[%1]" syntax function atanh "ArcTanh[%1]" end theory real.FromInt remove prop Zero remove prop One remove prop Add remove prop Sub remove prop Mul remove prop Neg end theory Bool syntax type bool "Bool" syntax function True "True" syntax function False "False" meta "encoding:kept" type bool end theory bool.Bool syntax function andb "(%1 && %2)" syntax function orb "(%1 || %2)" syntax function xorb "Xor[%1, %2]" syntax function notb "(! %1)" syntax function implb "Implies[%1, %2]" end �����������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������why3-1.6.0/drivers/mathsat.drv����������������������������������������������������������������������0000664�0000000�0000000�00000007763�14401600263�0016255�0����������������������������������������������������������������������������������������������������ustar�00root����������������������������root����������������������������0000000�0000000������������������������������������������������������������������������������������������������������������������������������������������������������������������������(* Why driver for SMT2 syntax *) prelude ";;; this is a prelude for MathSAT5" prelude "(set-logic AUFNIRA)" printer "smtv2" filename "%f-%t-%g.smt2" valid "^unsat" unknown "^\\(unknown\\|sat\\|Fail\\)" "" outofmemory "(error \".*out of memory\")\\|Cannot allocate memory" time "why3cpulimit time : %s s" transformation "inline_trivial" transformation "eliminate_builtin" transformation "eliminate_definition" transformation "eliminate_inductive" transformation "eliminate_epsilon" transformation "eliminate_algebraic" transformation "eliminate_literal" transformation "simplify_formula" (*transformation "simplify_trivial_quantification"*) transformation "discriminate" transformation "encoding_smt" theory BuiltIn syntax type int "Int" syntax type real "Real" syntax predicate (=) "(= %1 %2)" meta "encoding:kept" type int end theory int.Int prelude ";;; this is a prelude for Z3 integer arithmetic" syntax function zero "0" syntax function one "1" syntax function (+) "(+ %1 %2)" syntax function (-) "(- %1 %2)" syntax function (*) "(* %1 %2)" syntax function (-_) "(- %1)" syntax predicate (<=) "(<= %1 %2)" syntax predicate (<) "(< %1 %2)" syntax predicate (>=) "(>= %1 %2)" syntax predicate (>) "(> %1 %2)" remove prop MulComm.Comm remove prop MulAssoc.Assoc remove prop Unit_def_l remove prop Unit_def_r remove prop Inv_def_l remove prop Inv_def_r remove prop Assoc remove prop Mul_distr_l remove prop Mul_distr_r remove prop Comm remove prop Unitary remove prop Refl remove prop Trans remove prop Antisymm remove prop Total remove prop NonTrivialRing remove prop CompatOrderAdd remove prop ZeroLessOne end theory real.Real prelude ";;; this is a prelude for Z3 real arithmetic" syntax function zero "0.0" syntax function one "1.0" syntax function (+) "(+ %1 %2)" syntax function (-) "(- %1 %2)" syntax function (*) "(* %1 %2)" syntax function (/) "(/ %1 %2)" syntax function (-_) "(- %1)" syntax function inv "(/ 1.0 %1)" syntax predicate (<=) "(<= %1 %2)" syntax predicate (<) "(< %1 %2)" syntax predicate (>=) "(>= %1 %2)" syntax predicate (>) "(> %1 %2)" remove prop MulComm.Comm remove prop MulAssoc.Assoc remove prop Unit_def_l remove prop Unit_def_r remove prop Inv_def_l remove prop Inv_def_r remove prop Assoc remove prop Mul_distr_l remove prop Mul_distr_r remove prop Comm remove prop Unitary remove prop Inverse remove prop Refl remove prop Trans remove prop Antisymm remove prop Total remove prop NonTrivialRing remove prop CompatOrderAdd remove prop ZeroLessOne meta "encoding:kept" type real end theory Bool syntax type bool "Bool" syntax function True "true" syntax function False "false" meta "encoding:kept" type bool end theory bool.Bool syntax function andb "(and %1 %2)" syntax function orb "(or %1 %2)" syntax function xorb "(xor %1 %2)" syntax function notb "(not %1)" syntax function implb "(=> %1 %2)" end theory bool.Ite syntax function ite "(ite %1 %2 %3)" meta "encoding:lskept" function ite end (* needs to be checked theory int.EuclideanDivision syntax function div "(div %1 %2)" syntax function mod "(mod %1 %2)" remove prop Mod_bound remove prop Div_mod remove prop Mod_1 remove prop Div_1 end *) theory real.FromInt syntax function from_int "(to_real %1)" remove prop Zero remove prop One remove prop Add remove prop Sub remove prop Mul remove prop Neg end (* theory real.Truncate syntax function floor "(to_int %1)" remove prop Floor_down remove prop Floor_monotonic end *) theory HighOrd syntax type (->) "(Array %1 %2)" syntax function (@) "(select %1 %2)" meta "encoding:lskept" function (@) end theory map.Map syntax function get "(select %1 %2)" syntax function set "(store %1 %2 %3)" meta "encoding:lskept" function get meta "encoding:lskept" function set end theory map.Const meta "encoding:lskept" function const (* syntax function const "(const[%t0] %1)" *) end �������������why3-1.6.0/drivers/metis.drv������������������������������������������������������������������������0000664�0000000�0000000�00000000524�14401600263�0015721�0����������������������������������������������������������������������������������������������������ustar�00root����������������������������root����������������������������0000000�0000000������������������������������������������������������������������������������������������������������������������������������������������������������������������������(* Why driver for Metis *) valid "SZS status Theorem" valid "SZS status Unsatisfiable" unknown "SZS status CounterSatisfiable" "" unknown "SZS status Satisfiable" "" unknown "SZS status Unknown" "" timeout "SZS status Timeout" unknown "SZS status GaveUp" "" fail "SZS status Error" "" import "tptp.gen" import "discrimination.gen" ����������������������������������������������������������������������������������������������������������������������������������������������������������������������������why3-1.6.0/drivers/metitarski.drv�������������������������������������������������������������������0000664�0000000�0000000�00000014245�14401600263�0016761�0����������������������������������������������������������������������������������������������������ustar�00root����������������������������root����������������������������0000000�0000000������������������������������������������������������������������������������������������������������������������������������������������������������������������������(* Why driver for MetiTarski *) (* main author: Piotr Trojanek <piotr.trojanek@gmail.com> *) (* TODO: * real.FromInt * real.Truncate * real.PowerInt (incomplete) * real.Hyperbolic * real.Polar (should work as is) *) printer "metitarski" filename "%f-%t-%g.tptp" valid "^SZS status Theorem" valid "^SZS status Unsatisfiable" unknown "^SZS status CounterSatisfiable" "" unknown "^SZS status Satisfiable" "" timeout "^SZS status Timeout" unknown "^SZS status GaveUp" "" fail "^SZS status Error" "" time "why3cpulimit time : %s s" (* to be improved *) transformation "inline_trivial" transformation "eliminate_builtin" transformation "inline_all" transformation "eliminate_definition" transformation "eliminate_inductive" transformation "eliminate_if" transformation "eliminate_epsilon" transformation "eliminate_algebraic" transformation "eliminate_literal" transformation "eliminate_let" transformation "eliminate_negative_constants" (* due to integers, see below *) transformation "simplify_formula" transformation "simplify_unknown_lsymbols" transformation "simplify_trivial_quantification" transformation "introduce_premises" transformation "instantiate_predicate" transformation "abstract_unknown_lsymbols" transformation "discriminate" transformation "encoding_tptp" theory BuiltIn (* support for integers disabled because may be inconsistent meta "encoding:kept" type int *) meta "encoding:base" type real syntax predicate (=) "(%1 = %2)" meta "eliminate_algebraic" "no_index" end import "discrimination.gen" theory real.Real syntax function zero "0.0" syntax function one "1.0" syntax function (+) "(%1 + %2)" syntax function (-) "(%1 - %2)" syntax function (-_) "(-%1)" syntax function (*) "(%1 * %2)" syntax function (/) "(%1 / %2)" syntax function inv "(1/ %1)" syntax predicate (<=) "(%1 <= %2)" syntax predicate (<) "(%1 < %2)" syntax predicate (>=) "(%1 >= %2)" syntax predicate (>) "(%1 > %2)" meta "inline:no" predicate (<=) meta "inline:no" predicate (>=) meta "inline:no" predicate (>) (* These follow from Metitarski's axioms. *) remove prop MulComm.Comm remove prop MulAssoc.Assoc remove prop Unit_def_l remove prop Unit_def_r remove prop Inv_def_l remove prop Inv_def_r remove prop Assoc remove prop Mul_distr_l remove prop Mul_distr_r remove prop Comm remove prop Unitary remove prop Inverse remove prop Refl remove prop Trans remove prop Antisymm remove prop Total remove prop NonTrivialRing remove prop CompatOrderAdd remove prop ZeroLessOne remove prop add_div remove prop sub_div remove prop neg_div remove prop assoc_mul_div remove prop assoc_div_mul remove prop assoc_div_div remove prop CompatOrderMult end prelude "%%% this is a prelude for Metitarski" prelude "include('Axioms/general.ax')." theory real.Abs prelude "%%% this is a prelude for Metitarski absolute value" syntax function abs "abs(%1)" prelude "include('Axioms/abs.ax')." prelude "include('Axioms/abs2.ax')." (* These follow from Metitarski's axioms. *) remove prop Abs_le remove prop Abs_pos remove prop Abs_sum remove prop Abs_prod remove prop triangular_inequality end theory real.Square prelude "%%% this is a prelude for Metitarski square" prelude "include('Axioms/sqrt-general.ax')." syntax function sqr "(%1)^2" syntax function sqrt "sqrt(%1)" (* This follows from Metitarski's general axioms. *) remove prop Sqrt_positive remove prop Sqrt_le end theory real.Trigonometry prelude "%%% this is a prelude for Metitarski trigonometry" remove allprops prelude "include('Axioms/pi.ax')." syntax function atan "arctan(%1)" syntax function tan "tan(%1)" prelude "include('Axioms/tan.ax')." prelude "include('Axioms/arctan-lower.ax')." prelude "include('Axioms/arctan-upper.ax')." syntax function cos "cos(%1)" syntax function sin "sin(%1)" prelude "include('Axioms/cos.ax')." prelude "include('Axioms/sin.ax')." (* The following files "greatly increase the search space" and thus cause failures. Do not include them! *) (* prelude "include('Axioms/cos-constant.ax')." prelude "include('Axioms/sin-constant.ax')." *) end theory real.MinMax prelude "%%% this is a prelude for Metitarski min-max" prelude "include('Axioms/minmax.ax')." syntax function min "min(%1,%2)" syntax function max "max(%1,%2)" remove prop Max_l remove prop Min_r remove prop Max_comm remove prop Min_comm remove prop Max_assoc remove prop Min_assoc end (* support for integers disabled because may be inconsistent theory real.PowerInt syntax function power "%1^%2" prelude "%%% this is a prelude for Metitarski power function" prelude "include('Axioms/pow.ax')." (* These follow from Metitarski's axioms. *) end *) theory real.ExpLog syntax function exp "exp(%1)" syntax function log "ln(%1)" prelude "%%% this is a prelude for Metitarski exp/log" prelude "include('Axioms/exp-general.ax')." prelude "include('Axioms/ln-general.ax')." (* These follow from Metitarski's axioms. *) remove prop Log_one remove prop Exp_zero end theory real.PowerReal syntax function pow "pow(%1,%2)" prelude "include('Axioms/pow.ax')." (* These follow from Metitarski's axioms. *) remove prop Pow_def remove prop Pow_one_y end (* support for integers disabled because may be inconsistent theory int.Int syntax function zero "0" syntax function one "1" syntax function (+) "(%1 + %2)" syntax function (-) "(%1 - %2)" syntax function (*) "(%1 * %2)" syntax function (-_) "(-%1)" syntax predicate (<=) "(%1 <= %2)" syntax predicate (<) "(%1 < %2)" syntax predicate (>=) "(%1 >= %2)" syntax predicate (>) "(%1 > %2)" (* These follow from Metitarski's axioms. *) remove prop MulComm.Comm remove prop MulAssoc.Assoc remove prop Unit_def_l remove prop Unit_def_r remove prop Inv_def_l remove prop Inv_def_r remove prop Assoc remove prop Mul_distr_l remove prop Mul_distr_r remove prop Comm remove prop Unitary remove prop Refl remove prop Trans remove prop Antisymm remove prop Total remove prop NonTrivialRing remove prop CompatOrderAdd remove prop CompatOrderMult remove prop ZeroLessOne end *) �����������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������why3-1.6.0/drivers/no-bv.gen������������������������������������������������������������������������0000664�0000000�0000000�00000000330�14401600263�0015572�0����������������������������������������������������������������������������������������������������ustar�00root����������������������������root����������������������������0000000�0000000������������������������������������������������������������������������������������������������������������������������������������������������������������������������(* Why3 driver for noBV alternatives on bit-vector theories *) theory bv.BV_Gen remove prop nth_bv_def remove prop eq_sub_bv_def remove prop to_uint_add remove prop to_uint_sub remove prop to_uint_mul end��������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������why3-1.6.0/drivers/polypaver.drv��������������������������������������������������������������������0000664�0000000�0000000�00000004105�14401600263�0016620�0����������������������������������������������������������������������������������������������������ustar�00root����������������������������root����������������������������0000000�0000000������������������������������������������������������������������������������������������������������������������������������������������������������������������������(* Why3 driver for PolyPaver *) (* http://michalkonecny.github.io/polypaver/_site/ *) printer "metitarski" filename "%f-%t-%g.tptp" valid 0 invalid 111 timeout "Gave up on deciding conjecture: TIMED OUT" time "why3cpulimit time : %s s" unknown 1 "toto" (* to be improved *) transformation "inline_trivial" transformation "eliminate_builtin" transformation "inline_all" transformation "eliminate_definition" transformation "eliminate_inductive" transformation "eliminate_if" transformation "eliminate_epsilon" transformation "eliminate_algebraic" transformation "eliminate_literal" transformation "eliminate_let" transformation "simplify_formula" transformation "simplify_unknown_lsymbols" transformation "simplify_trivial_quantification" transformation "introduce_premises" transformation "instantiate_predicate" transformation "abstract_unknown_lsymbols" transformation "discriminate" transformation "encoding_tptp" theory BuiltIn meta "encoding:base" type real syntax predicate (=) "(%1 = %2)" meta "eliminate_algebraic" "no_index" end import "discrimination.gen" theory real.Real syntax function zero "0.0" syntax function one "1.0" syntax function (+) "(%1 + %2)" syntax function (-) "(%1 - %2)" syntax function (-_) "(-%1)" syntax function ( * ) "(%1 * %2)" syntax function (/) "(%1 / %2)" syntax function inv "(1/ %1)" syntax predicate (<=) "(%1 <= %2)" syntax predicate (<) "(%1 < %2)" syntax predicate (>=) "(%1 >= %2)" syntax predicate (>) "(%1 > %2)" meta "inline:no" predicate (<=) meta "inline:no" predicate (>=) meta "inline:no" predicate (>) remove allprops end theory real.Abs syntax function abs "abs(%1)" remove allprops end theory real.Square syntax function sqr "(%1)^2" syntax function sqrt "sqrt(%1)" remove allprops end theory real.MinMax syntax function min "min(%1,%2)" syntax function max "max(%1,%2)" remove allprops end theory real.ExpLog syntax function exp "exp(%1)" syntax function log "ln(%1)" remove allprops end theory real.PowerReal syntax function pow "pow(%1,%2)" remove allprops end �����������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������why3-1.6.0/drivers/princess.drv���������������������������������������������������������������������0000664�0000000�0000000�00000016776�14401600263�0016446�0����������������������������������������������������������������������������������������������������ustar�00root����������������������������root����������������������������0000000�0000000������������������������������������������������������������������������������������������������������������������������������������������������������������������������(* Why3 driver for princess see http://www.philipp.ruemmer.org/princess.shtml *) printer "tptp-tff0" filename "%f-%t-%g.p" valid "Proof found" invalid "Completion found" valid "^No countermodel exists, formula is valid" invalid "^Formula is invalid, found a countermodel:" valid "^% SZS status Theorem" valid "^% SZS status Unsatisfiable" unknown "^% SZS status CounterSatisfiable" "" unknown "^% SZS status Satisfiable" "" timeout "^% SZS status Timeout" unknown "^% SZS status GaveUp" "" fail "^% SZS status Error" "" timeout "Ran out of time" timeout "CPU time limit exceeded" outofmemory "Out of Memory" unknown "No Proof Found" "" fail "Failure.*" "\"\\0\"" time "why3cpulimit time : %s s" (* transformations *) transformation "inline_trivial" transformation "eliminate_builtin" transformation "eliminate_definition" transformation "eliminate_inductive" (* currently, princess does not support $let and $ite *) transformation "eliminate_if" transformation "eliminate_epsilon" transformation "eliminate_algebraic" transformation "eliminate_literal" transformation "eliminate_let" transformation "discriminate" transformation "encoding_smt" import "discrimination.gen" theory BuiltIn syntax predicate (=) "(%1 = %2)" syntax type int "$int" syntax type real "$real" meta "encoding:kept" type int meta "encoding:kept" type real meta "eliminate_algebraic" "no_index" end theory int.Int syntax function zero "0" syntax function one "1" syntax function (+) "$sum(%1,%2)" syntax function (-) "$difference(%1,%2)" syntax function (*) "$product(%1,%2)" syntax function (-_) "$uminus(%1)" syntax predicate (<=) "$lesseq(%1,%2)" syntax predicate (<) "$less(%1,%2)" syntax predicate (>=) "$greatereq(%1,%2)" syntax predicate (>) "$greater(%1,%2)" remove prop MulComm.Comm remove prop MulAssoc.Assoc remove prop Unit_def_l remove prop Unit_def_r remove prop Inv_def_l remove prop Inv_def_r remove prop Assoc remove prop Mul_distr_l remove prop Mul_distr_r remove prop Comm remove prop Unitary remove prop Refl remove prop Trans remove prop Antisymm remove prop Total remove prop NonTrivialRing remove prop CompatOrderAdd remove prop ZeroLessOne end theory real.Real syntax function zero "0.0" syntax function one "1.0" syntax function (+) "$sum(%1,%2)" syntax function (-) "$difference(%1,%2)" syntax function (*) "$product(%1,%2)" syntax function (-_) "$uminus(%1)" syntax function (/) "$quotient(%1,%2)" syntax function inv "$quotient(1.0,%1)" syntax predicate (<=) "$lesseq(%1,%2)" syntax predicate (<) "$less(%1,%2)" syntax predicate (>=) "$greatereq(%1,%2)" syntax predicate (>) "$greater(%1,%2)" remove prop MulComm.Comm remove prop MulAssoc.Assoc remove prop Unit_def_l remove prop Unit_def_r remove prop Inv_def_l remove prop Inv_def_r remove prop Assoc remove prop Mul_distr_l remove prop Mul_distr_r remove prop Comm remove prop Unitary remove prop Inverse remove prop Refl remove prop Trans remove prop Antisymm remove prop Total remove prop NonTrivialRing remove prop CompatOrderAdd remove prop ZeroLessOne end theory int.EuclideanDivision syntax function div "$quotient_e(%1,%2)" syntax function mod "$remainder_e(%1,%2)" remove prop Div_mod remove prop Div_bound remove prop Mod_bound remove prop Mod_1 remove prop Div_1 remove prop Div_inf remove prop Div_inf_neg remove prop Mod_0 remove prop Div_1_left remove prop Div_minus1_left remove prop Mod_1_left remove prop Mod_minus1_left end theory tptp.Univ syntax type iType "$i" meta "encoding:kept" type iType end theory tptp.IntTrunc syntax function floor "$floor(%1)" syntax function ceiling "$ceiling(%1)" syntax function truncate "$truncate(%1)" syntax function round "$round(%1)" syntax function to_int "$to_int(%1)" syntax predicate is_int "$is_int(%1)" syntax predicate is_rat "$is_rat(%1)" end theory tptp.IntDivT syntax function div_t "$quotient_t(%1,%2)" syntax function mod_t "$remainder_t(%1,%2)" end theory tptp.IntDivF syntax function div_f "$quotient_f(%1,%2)" syntax function mod_f "$remainder_f(%1,%2)" end theory tptp.Rat syntax type rat "$rat" syntax function zero "0/1" syntax function one "1/1" syntax function (+) "$sum(%1,%2)" syntax function (-) "$difference(%1,%2)" syntax function (*) "$product(%1,%2)" syntax function (-_) "$uminus(%1)" syntax function (/) "$quotient(%1,%2)" syntax function inv "$quotient(1/1,%1)" syntax predicate (<=) "$lesseq(%1,%2)" syntax predicate (<) "$less(%1,%2)" syntax predicate (>=) "$greatereq(%1,%2)" syntax predicate (>) "$greater(%1,%2)" syntax function to_rat "$to_rat(%1)" syntax predicate is_int "$is_int(%1)" syntax predicate is_rat "$is_rat(%1)" remove prop MulComm.Comm remove prop MulAssoc.Assoc remove prop Unit_def_l remove prop Unit_def_r remove prop Inv_def_l remove prop Inv_def_r remove prop Assoc remove prop Mul_distr_l remove prop Mul_distr_r remove prop Comm remove prop Unitary remove prop Refl remove prop Trans remove prop Antisymm remove prop Total remove prop NonTrivialRing remove prop CompatOrderAdd remove prop ZeroLessOne meta "encoding:kept" type rat end theory tptp.RatTrunc syntax function floor "$floor(%1)" syntax function ceiling "$ceiling(%1)" syntax function truncate "$truncate(%1)" syntax function round "$round(%1)" syntax function to_int "$to_int(%1)" end theory tptp.RatDivE syntax function div "$quotient_e(%1,%2)" syntax function mod "$remainder_e(%1,%2)" end theory tptp.RatDivT syntax function div_t "$quotient_t(%1,%2)" syntax function mod_t "$remainder_t(%1,%2)" end theory tptp.RatDivF syntax function div_f "$quotient_f(%1,%2)" syntax function mod_f "$remainder_f(%1,%2)" end theory tptp.Real syntax function to_real "$to_real(%1)" end theory real.FromInt syntax function from_int "$to_real(%1)" remove prop Zero remove prop One remove prop Add remove prop Sub remove prop Mul remove prop Neg end theory real.Truncate syntax function floor "$to_int(%1)" syntax function ceil "$to_int($ceiling(%1))" syntax function truncate "$to_int($truncate(%1))" remove prop Truncate_int remove prop Truncate_down_pos remove prop Truncate_up_neg remove prop Real_of_truncate remove prop Truncate_monotonic remove prop Truncate_monotonic_int1 remove prop Truncate_monotonic_int2 remove prop Floor_int remove prop Ceil_int remove prop Floor_down remove prop Ceil_up remove prop Floor_monotonic remove prop Ceil_monotonic end theory tptp.RealTrunc syntax function floor "$floor(%1)" syntax function ceiling "$ceiling(%1)" syntax function truncate "$truncate(%1)" syntax function round "$round(%1)" syntax function to_int "$to_int(%1)" syntax predicate is_int "$is_int(%1)" syntax predicate is_rat "$is_rat(%1)" end theory tptp.RealDivE syntax function div "$quotient_e(%1,%2)" syntax function mod "$remainder_e(%1,%2)" end theory tptp.RealDivT syntax function div_t "$quotient_t(%1,%2)" syntax function mod_t "$remainder_t(%1,%2)" end theory tptp.RealDivF syntax function div_f "$quotient_f(%1,%2)" syntax function mod_f "$remainder_f(%1,%2)" end theory tptp.IntToRat syntax function to_rat "$to_rat(%1)" end theory tptp.IntToReal syntax function to_real "$to_real(%1)" end theory tptp.RealToRat syntax function to_rat "$to_rat(%1)" end theory tptp.RatToReal syntax function to_real "$to_real(%1)" end ��why3-1.6.0/drivers/psyche.drv�����������������������������������������������������������������������0000664�0000000�0000000�00000004230�14401600263�0016071�0����������������������������������������������������������������������������������������������������ustar�00root����������������������������root����������������������������0000000�0000000������������������������������������������������������������������������������������������������������������������������������������������������������������������������(* Why driver for Psyche *) prelude "(set-logic FO)" printer "smtv2" filename "%f-%t-%g.smt2" valid "^PROVABLE" invalid "^NOT PROVABLE" timeout "interrupted by timeout" time "why3cpulimit time : %s s" transformation "inline_trivial" transformation "eliminate_builtin" transformation "eliminate_definition" transformation "eliminate_inductive" transformation "eliminate_epsilon" transformation "eliminate_algebraic" transformation "eliminate_literal" transformation "simplify_formula" (*transformation "simplify_trivial_quantification"*) transformation "discriminate" transformation "encoding_smt" theory BuiltIn syntax type real "Real" syntax predicate (=) "(= %1 %2)" meta "eliminate_algebraic" "no_index" end theory real.Real prelude ";;; this is a prelude for smt-lib v2 real arithmetic" syntax function zero "0" syntax function one "1" syntax function (+) "(+ %1 %2)" syntax function (-) "(- %1 %2)" syntax function ( * ) "(* %1 %2)" syntax function (/) "(/ %1 %2)" syntax function (-_) "(- %1)" syntax function inv "(/ 1 %1)" syntax predicate (<=) "(<= %1 %2)" syntax predicate (<) "(< %1 %2)" syntax predicate (>=) "(>= %1 %2)" syntax predicate (>) "(> %1 %2)" remove prop MulComm.Comm remove prop MulAssoc.Assoc remove prop Unit_def_l remove prop Unit_def_r remove prop Inv_def_l remove prop Inv_def_r remove prop Assoc remove prop Mul_distr_l remove prop Mul_distr_r remove prop Comm remove prop Unitary remove prop Inverse remove prop Refl remove prop Trans remove prop Antisymm remove prop Total remove prop NonTrivialRing remove prop CompatOrderAdd remove prop ZeroLessOne meta "encoding:kept" type real end (* theory Bool syntax type bool "Bool" syntax function True "true" syntax function False "false" meta "encoding:kept" type bool end theory bool.Bool syntax function andb "(and %1 %2)" syntax function orb "(or %1 %2)" syntax function xorb "(xor %1 %2)" syntax function notb "(not %1)" syntax function implb "(=> %1 %2)" end theory bool.Ite syntax function ite "(ite %1 %2 %3)" meta "encoding:lskept" function ite end *) import "discrimination.gen" ������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������why3-1.6.0/drivers/pvs-common.gen�������������������������������������������������������������������0000664�0000000�0000000�00000016462�14401600263�0016664�0����������������������������������������������������������������������������������������������������ustar�00root����������������������������root����������������������������0000000�0000000������������������������������������������������������������������������������������������������������������������������������������������������������������������������ unknown "unfinished" "\"\\0\"" unknown "untried" "\"\\0\"" valid "succeeded" time "why3cpulimit time : %s s" (*transformation "inline_trivial"*) transformation "eliminate_builtin" (* PVS does not support mutual recursion *) transformation "eliminate_mutual_recursion" (* though we could do better, we only use recursion on one argument *) transformation "eliminate_non_struct_recursion" transformation "eliminate_literal" transformation "eliminate_epsilon" (* PVS only has simple patterns *) transformation "compile_match" transformation "eliminate_projections" transformation "simplify_formula" theory BuiltIn syntax type int "int" syntax type real "real" syntax predicate (=) "(%1 = %2)" end theory HighOrd syntax type (->) "[%1 -> %2]" syntax function (@) "%1(%2)" end theory map.Map syntax function get "%1(%2)" syntax function ([]) "%1(%2)" syntax function set "(%1 WITH [(%2) |-> %3])" syntax function ([<-]) "(%1 WITH [(%2) |-> %3])" end theory Bool syntax type bool "bool" syntax function True "TRUE" syntax function False "FALSE" end theory bool.Bool syntax function andb "(%1 AND %2)" syntax function orb "(%1 OR %2)" syntax function xorb "(%1 XOR %2)" syntax function notb "(NOT %1)" syntax function implb "(%1 => %2)" end theory int.Int syntax function zero "0" syntax function one "1" syntax function ( + ) "(%1 + %2)" syntax function ( - ) "(%1 - %2)" syntax function ( * ) "(%1 * %2)" syntax function (-_) "(-%1)" syntax predicate (<=) "(%1 <= %2)" syntax predicate (<) "(%1 < %2)" syntax predicate (>=) "(%1 >= %2)" syntax predicate (>) "(%1 > %2)" remove prop MulComm.Comm remove prop MulAssoc.Assoc remove prop Unit_def_l remove prop Unit_def_r remove prop Inv_def_l remove prop Inv_def_r remove prop Assoc remove prop Mul_distr_l remove prop Mul_distr_r remove prop Comm remove prop Unitary remove prop Refl remove prop Trans remove prop Antisymm remove prop Total remove prop NonTrivialRing remove prop CompatOrderAdd remove prop CompatOrderMult remove prop ZeroLessOne end theory int.Abs syntax function abs "abs(%1)" remove prop Abs_pos end theory int.MinMax syntax function min "min(%1, %2)" syntax function max "max(%1, %2)" end theory real.Real syntax function zero "0" syntax function one "1" syntax function ( + ) "(%1 + %2)" syntax function ( - ) "(%1 - %2)" syntax function (-_) "(-%1)" syntax function ( * ) "(%1 * %2)" (* / and inv are defined in the realization *) syntax predicate (<=) "(%1 <= %2)" syntax predicate (<) "(%1 < %2)" syntax predicate (>=) "(%1 >= %2)" syntax predicate (>) "(%1 > %2)" remove prop MulComm.Comm remove prop MulAssoc.Assoc remove prop Unit_def_l remove prop Unit_def_r remove prop Inv_def_l remove prop Inv_def_r remove prop Assoc remove prop Mul_distr_l remove prop Mul_distr_r remove prop Comm remove prop Unitary remove prop Inverse remove prop NonTrivialRing remove prop CompatOrderAdd remove prop CompatOrderMult remove prop ZeroLessOne remove prop Refl remove prop Trans remove prop Antisymm remove prop Total remove prop assoc_mul_div remove prop assoc_div_mul remove prop assoc_div_div end theory real.MinMax syntax function min "min(%1, %2)" syntax function max "max(%1, %2)" remove prop Max_l remove prop Min_r remove prop Max_comm remove prop Min_comm remove prop Max_assoc remove prop Min_assoc end theory real.RealInfix syntax function (+.) "(%1 + %2)" syntax function (-.) "(%1 - %2)" syntax function (-._) "(-%1)" syntax function ( *.) "(%1 * %2)" syntax function (/.) "real@Real.infix_sl(%1, %2)" syntax function inv "real@Real.inv(%1)" syntax predicate (<=.) "(%1 <= %2)" syntax predicate (<.) "(%1 < %2)" syntax predicate (>=.) "(%1 >= %2)" syntax predicate (>.) "(%1 > %2)" end theory real.Abs syntax function abs "abs(%1)" remove prop Abs_le remove prop Abs_pos end theory real.FromInt syntax function from_int "(%1 :: real)" remove prop Zero remove prop One remove prop Add remove prop Sub remove prop Mul remove prop Neg end theory real.PowerReal syntax function pow "(%1 ^ %2)" remove prop Pow_x_zero remove prop Pow_x_one remove prop Pow_one_y end (*** theory real.Square syntax function sqrt "SQRT(%1)" end theory real.ExpLog syntax function exp "EXP(%1)" syntax function log "LOG(%1)" end theory real.Trigonometry syntax function cos "COS(%1)" syntax function sin "SIN(%1)" syntax function pi "PI" syntax function tan "TAN(%1)" end ***) theory option.Option syntax type option "lift[%1]" syntax function None "bottom" syntax function Some "up(%1)" end theory list.List syntax type list "list[%1]" syntax function Nil "(null :: %t0)" syntax function Cons "cons(%1, %2)" end theory list.Length syntax function length "length(%1)" remove prop Length_nonnegative remove prop Length_nil end theory list.Mem syntax predicate mem "member(%1, %2)" end theory list.Nth syntax function nth "IF 0 <= %1 AND %1 < length(%2) THEN up(nth(%2, %1)) ELSE bottom ENDIF" end theory list.Append syntax function (++) "append(%1, %2)" remove prop Append_assoc remove prop Append_l_nil remove prop Append_length (* FIXME? the following are not part of PVS prelude *) remove prop mem_append remove prop mem_decomp end theory list.Reverse syntax function reverse "reverse(%1)" end theory set.Set syntax type set "set[%1]" syntax predicate mem "member(%1, %2)" remove prop extensionality syntax predicate subset "subset?(%1, %2)" remove prop subset_trans syntax function empty "(emptyset :: %t0)" syntax predicate is_empty "empty?(%1)" remove prop is_empty_empty syntax function add "add(%1, %2)" syntax function singleton "singleton(%1)" syntax function remove "remove(%1, %2)" remove prop subset_remove syntax function union "union(%1, %2)" syntax function inter "intersection(%1, %2)" syntax function diff "difference(%1, %2)" remove prop subset_diff (* TODO: choose *) syntax function all "fullset" end theory set.Fset syntax type fset "finite_set[%1]" syntax predicate mem "member(%1, %2)" remove prop extensionality syntax predicate subset "subset?(%1, %2)" remove prop subset_trans syntax function empty "(emptyset :: %t0)" syntax predicate is_empty "empty?(%1)" remove prop is_empty_empty remove prop empty_is_empty syntax function add "add(%1, %2)" remove prop add_def syntax function singleton "singleton(%1)" syntax function remove "remove(%1, %2)" remove prop remove_def remove prop subset_remove syntax function union "union(%1, %2)" remove prop union_def syntax function inter "intersection(%1, %2)" remove prop inter_def syntax function diff "difference(%1, %2)" remove prop diff_def remove prop subset_diff (* TODO: choose *) syntax function cardinal "Card(%1)" remove prop cardinal_nonneg remove prop cardinal_empty remove prop cardinal_add remove prop cardinal_remove remove prop cardinal_subset remove prop cardinal1 (* TODO: nth *) end (* this file has an extension .aux rather than .gen since it should not be distributed *) import "pvs-realizations.aux" ��������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������why3-1.6.0/drivers/pvs-realize.drv������������������������������������������������������������������0000664�0000000�0000000�00000000272�14401600263�0017041�0����������������������������������������������������������������������������������������������������ustar�00root����������������������������root����������������������������0000000�0000000������������������������������������������������������������������������������������������������������������������������������������������������������������������������ (* prelude "% This file is generated by Why3's PVS driver" prelude "% Beware! Only edit allowed sections below " *) printer "pvs-realize" filename "%t.pvs" import "pvs-common.gen" ��������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������why3-1.6.0/drivers/pvs.drv��������������������������������������������������������������������������0000664�0000000�0000000�00000000267�14401600263�0015414�0����������������������������������������������������������������������������������������������������ustar�00root����������������������������root����������������������������0000000�0000000������������������������������������������������������������������������������������������������������������������������������������������������������������������������ (* prelude "% This file is generated by Why3's PVS driver" prelude "% Beware! Only edit allowed sections below " *) printer "pvs" filename "%f_%t_%g.pvs" import "pvs-common.gen" �����������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������why3-1.6.0/drivers/safeprover.drv�������������������������������������������������������������������0000664�0000000�0000000�00000000507�14401600263�0016755�0����������������������������������������������������������������������������������������������������ustar�00root����������������������������root����������������������������0000000�0000000������������������������������������������������������������������������������������������������������������������������������������������������������������������������(* Why3 driver for safe prover *) valid "Unsat" (* invalid "Completion found" timeout "Ran out of time" timeout "CPU time limit exceeded" outofmemory "Out of Memory" unknown "No Proof Found" "" fail "Failure.*" "\"\\0\"" *) time "why3cpulimit time : %s s" import "tptp.gen" import "discrimination.gen" �����������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������why3-1.6.0/drivers/simplify.drv���������������������������������������������������������������������0000664�0000000�0000000�00000003667�14401600263�0016447�0����������������������������������������������������������������������������������������������������ustar�00root����������������������������root����������������������������0000000�0000000������������������������������������������������������������������������������������������������������������������������������������������������������������������������(* Why driver for Simplify *) prelude ";;; this is a prelude for Simplify" printer "simplify" filename "%f-%t-%g.sx" valid "\\bValid\\b" unknown "\\bInvalid\\b" "" time "why3cpulimit time : %s s" transformation "inline_trivial" transformation "eliminate_builtin" transformation "eliminate_definition" (*_func*) transformation "eliminate_inductive" transformation "eliminate_if" transformation "eliminate_epsilon" transformation "eliminate_algebraic" transformation "eliminate_literal" transformation "eliminate_let" transformation "simplify_formula" (*transformation "simplify_trivial_quantification"*) transformation "remove_triggers" (*transformation "filter_trigger_no_predicate"*) (* predicate are *currently* translated to P(\x) = true, thus in a trigger they can't appear since = can't appear *) (*transformation "filter_trigger_builtin"*) (* this is sound as long as int is the only kept type *) transformation "encoding_tptp" theory BuiltIn syntax predicate (=) "(EQ %1 %2)" meta "encoding:base" type int end theory int.Int prelude ";;; this is a prelude for Simplify integer arithmetic" syntax function zero "0" syntax function one "1" syntax function (+) "(+ %1 %2)" syntax function (-) "(- %1 %2)" syntax function (*) "(* %1 %2)" syntax function (-_) "(- 0 %1)" syntax predicate (<=) "(<= %1 %2)" syntax predicate (<) "(< %1 %2)" syntax predicate (>=) "(>= %1 %2)" syntax predicate (>) "(> %1 %2)" remove prop MulComm.Comm remove prop MulAssoc.Assoc remove prop Unit_def_l remove prop Unit_def_r remove prop Inv_def_l remove prop Inv_def_r remove prop Assoc remove prop Mul_distr_l remove prop Mul_distr_r remove prop Comm remove prop Unitary remove prop Refl remove prop Trans remove prop Antisymm remove prop Total remove prop NonTrivialRing remove prop CompatOrderAdd remove prop ZeroLessOne end theory real.Real remove prop ZeroLessOne remove prop NonTrivialRing end �������������������������������������������������������������������������why3-1.6.0/drivers/smt-libv2-bv-realization.gen�����������������������������������������������������0000664�0000000�0000000�00000016124�14401600263�0021324�0����������������������������������������������������������������������������������������������������ustar�00root����������������������������root����������������������������0000000�0000000������������������������������������������������������������������������������������������������������������������������������������������������������������������������(* Why3 driver checking compatibility of BV theories with SMT-LIB2 *) theory bv.BV_Gen syntax function bw_and "(bvand %1 %2)" syntax function bw_or "(bvor %1 %2)" syntax function bw_xor "(bvxor %1 %2)" syntax function bw_not "(bvnot %1)" syntax function add "(bvadd %1 %2)" syntax function sub "(bvsub %1 %2)" syntax function neg "(bvneg %1)" syntax function mul "(bvmul %1 %2)" syntax function udiv "(bvudiv %1 %2)" syntax function urem "(bvurem %1 %2)" syntax function lsr_bv "(bvlshr %1 %2)" syntax function lsl_bv "(bvshl %1 %2)" syntax function asr_bv "(bvashr %1 %2)" syntax predicate (==) "(= %1 %2)" syntax predicate ult "(bvult %1 %2)" syntax predicate ule "(bvule %1 %2)" syntax predicate ugt "(bvugt %1 %2)" syntax predicate uge "(bvuge %1 %2)" syntax predicate slt "(bvslt %1 %2)" syntax predicate sle "(bvsle %1 %2)" syntax predicate sgt "(bvsgt %1 %2)" syntax predicate sge "(bvsge %1 %2)" (** Removing the axioms that should be proved instead the one that are commented out are instead kept *) remove prop size_pos remove prop nth_out_of_bound remove prop Nth_zeros remove prop Nth_ones remove prop Nth_bw_and remove prop Nth_bw_or remove prop Nth_bw_xor remove prop Nth_bw_not remove prop Lsr_nth_low remove prop Lsr_nth_high remove prop lsr_zeros remove prop Asr_nth_low remove prop Asr_nth_high remove prop asr_zeros remove prop Lsl_nth_high remove prop Lsl_nth_low remove prop lsl_zeros remove prop Nth_rotate_right remove prop Nth_rotate_left (* Conversions from/to integers *) remove prop two_power_size_val remove prop max_int_val remove prop to_uint_extensionality remove prop to_int_extensionality remove prop to_uint_bounds remove prop to_uint_of_int remove prop to_uint_size_bv remove prop to_uint_zeros remove prop to_uint_ones remove prop to_uint_one (** Arithmetic operators *) remove prop to_uint_add remove prop to_uint_add_bounded remove prop to_uint_sub remove prop to_uint_sub_bounded remove prop to_uint_neg remove prop to_uint_mul remove prop to_uint_mul_bounded remove prop to_uint_udiv remove prop to_uint_urem (* kept: Nth_bv_is_nth *) (* kept: Nth_bv_is_nth2 *) (* kept: lsr_bv_is_lsr *) remove prop to_uint_lsr (* kept: asr_bv_is_asr *) (* kept: lsl_bv_is_lsl *) remove prop to_uint_lsl (* kept: rotate_left_bv_is_rotate_left *) (* kept: rotate_right_bv_is_rotate_right *) remove prop eq_sub_equiv remove prop Extensionality end theory bv.BV256 syntax type t "(_ BitVec 256)" syntax function zeros "#x0000000000000000000000000000000000000000000000000000000000000000" syntax function ones "#xFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF" syntax function nth_bv "(not (= (bvand (bvlshr %1 %2) (_ bv1 256)) (_ bv0 256)))" syntax function rotate_left_bv "(bvor (bvshl %1 (bvurem %2 (_ bv256 256))) (bvlshr %1 (bvsub (_ bv256 256) (bvurem %2 (_ bv256 256)))))" syntax function rotate_right_bv "(bvor (bvlshr %1 (bvurem %2 (_ bv256 256))) (bvshl %1 (bvsub (_ bv256 256) (bvurem %2 (_ bv256 256)))))" end theory bv.BV128 syntax type t "(_ BitVec 128)" syntax function zeros "#x00000000000000000000000000000000" syntax function ones "#xFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF" syntax function nth_bv "(not (= (bvand (bvlshr %1 %2) (_ bv1 128)) (_ bv0 128)))" syntax function rotate_left_bv "(bvor (bvshl %1 (bvurem %2 (_ bv128 128))) (bvlshr %1 (bvsub (_ bv128 128) (bvurem %2 (_ bv128 128)))))" syntax function rotate_right_bv "(bvor (bvlshr %1 (bvurem %2 (_ bv128 128))) (bvshl %1 (bvsub (_ bv128 128) (bvurem %2 (_ bv128 128)))))" end theory bv.BV64 syntax type t "(_ BitVec 64)" syntax function zeros "#x0000000000000000" syntax function ones "#xFFFFFFFFFFFFFFFF" syntax function nth_bv "(not (= (bvand (bvlshr %1 %2) (_ bv1 64)) (_ bv0 64)))" (* possible alternative definition : "(= ((_ extract 0 0) (bvlshr %1 %2)) (_ bv1 1))" *) syntax function rotate_left_bv "(bvor (bvshl %1 (bvurem %2 (_ bv64 64))) (bvlshr %1 (bvsub (_ bv64 64) (bvurem %2 (_ bv64 64)))))" syntax function rotate_right_bv "(bvor (bvlshr %1 (bvurem %2 (_ bv64 64))) (bvshl %1 (bvsub (_ bv64 64) (bvurem %2 (_ bv64 64)))))" end theory bv.BV32 syntax type t "(_ BitVec 32)" syntax function zeros "#x00000000" syntax function ones "#xFFFFFFFF" syntax function nth_bv "(not (= (bvand (bvlshr %1 %2) (_ bv1 32)) (_ bv0 32)))" syntax function rotate_left_bv "(bvor (bvshl %1 (bvurem %2 (_ bv32 32))) (bvlshr %1 (bvsub (_ bv32 32) (bvurem %2 (_ bv32 32)))))" syntax function rotate_right_bv "(bvor (bvlshr %1 (bvurem %2 (_ bv32 32))) (bvshl %1 (bvsub (_ bv32 32) (bvurem %2 (_ bv32 32)))))" end theory bv.BV16 syntax type t "(_ BitVec 16)" syntax function zeros "#x0000" syntax function ones "#xFFFF" syntax function nth_bv "(not (= (bvand (bvlshr %1 %2) (_ bv1 16)) (_ bv0 16)))" syntax function rotate_left_bv "(bvor (bvshl %1 (bvurem %2 (_ bv16 16))) (bvlshr %1 (bvsub (_ bv16 16) (bvurem %2 (_ bv16 16)))))" syntax function rotate_right_bv "(bvor (bvlshr %1 (bvurem %2 (_ bv16 16))) (bvshl %1 (bvsub (_ bv16 16) (bvurem %2 (_ bv16 16)))))" end theory bv.BV8 syntax type t "(_ BitVec 8)" syntax function zeros "#x00" syntax function ones "#xFF" syntax function nth_bv "(not (= (bvand (bvlshr %1 %2) (_ bv1 8)) (_ bv0 8)))" syntax function rotate_left_bv "(bvor (bvshl %1 (bvurem %2 (_ bv8 8))) (bvlshr %1 (bvsub (_ bv8 8) (bvurem %2 (_ bv8 8)))))" syntax function rotate_right_bv "(bvor (bvlshr %1 (bvurem %2 (_ bv8 8))) (bvshl %1 (bvsub (_ bv8 8) (bvurem %2 (_ bv8 8)))))" end theory bv.BVConverter_Gen remove allprops end theory bv.BVConverter_128_256 syntax function toBig "((_ zero_extend 128) %1)" syntax function toSmall "((_ extract 127 0) %1)" end theory bv.BVConverter_64_128 syntax function toBig "((_ zero_extend 64) %1)" syntax function toSmall "((_ extract 63 0) %1)" end theory bv.BVConverter_32_128 syntax function toBig "((_ zero_extend 96) %1)" syntax function toSmall "((_ extract 31 0) %1)" end theory bv.BVConverter_16_128 syntax function toBig "((_ zero_extend 112) %1)" syntax function toSmall "((_ extract 15 0) %1)" end theory bv.BVConverter_8_128 syntax function toBig "((_ zero_extend 120) %1)" syntax function toSmall "((_ extract 7 0) %1)" end theory bv.BVConverter_32_64 syntax function toBig "((_ zero_extend 32) %1)" syntax function toSmall "((_ extract 31 0) %1)" end theory bv.BVConverter_16_64 syntax function toBig "((_ zero_extend 48) %1)" syntax function toSmall "((_ extract 15 0) %1)" end theory bv.BVConverter_8_64 syntax function toBig "((_ zero_extend 56) %1)" syntax function toSmall "((_ extract 7 0) %1)" end theory bv.BVConverter_16_32 syntax function toBig "((_ zero_extend 16) %1)" syntax function toSmall "((_ extract 15 0) %1)" end theory bv.BVConverter_8_32 syntax function toBig "((_ zero_extend 24) %1)" syntax function toSmall "((_ extract 7 0) %1)" end theory bv.BVConverter_8_16 syntax function toBig "((_ zero_extend 8) %1)" syntax function toSmall "((_ extract 7 0) %1)" end theory bv.Pow2int remove allprops end ��������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������why3-1.6.0/drivers/smt-libv2-bv.gen�����������������������������������������������������������������0000664�0000000�0000000�00000021352�14401600263�0017004�0����������������������������������������������������������������������������������������������������ustar�00root����������������������������root����������������������������0000000�0000000������������������������������������������������������������������������������������������������������������������������������������������������������������������������(* Why3 driver for SMT-LIB2, common part of bit-vector theories *) prelude ";;; SMT-LIB2 driver: bit-vectors, common part" theory bv.BV_Gen remove prop size_pos remove prop nth_out_of_bound remove prop Nth_zeros remove prop Nth_ones syntax function bw_and "(bvand %1 %2)" syntax function bw_or "(bvor %1 %2)" syntax function bw_xor "(bvxor %1 %2)" syntax function bw_not "(bvnot %1)" (* Warning: we should NOT remove all the axioms using "allprops" *) remove prop Nth_bw_and remove prop Nth_bw_or remove prop Nth_bw_xor remove prop Nth_bw_not (** Shift operators *) remove prop Lsr_nth_low remove prop Lsr_nth_high remove prop lsr_zeros remove prop Asr_nth_low remove prop Asr_nth_high remove prop asr_zeros remove prop Lsl_nth_low remove prop Lsl_nth_high remove prop lsl_zeros remove prop Nth_rotate_left remove prop Nth_rotate_right (* Conversions from/to integers *) remove prop two_power_size_val remove prop max_int_val (* function to_int - solver specific *) (* function to_uint - solver specific *) (* function of_int - solver specific *) remove prop to_uint_extensionality remove prop to_int_extensionality remove prop to_uint_bounds (*remove prop to_uint_of_int*) remove prop to_uint_size_bv remove prop to_uint_zeros remove prop to_uint_ones remove prop to_uint_one (* comparison operators *) syntax predicate ult "(bvult %1 %2)" syntax predicate ule "(bvule %1 %2)" syntax predicate ugt "(bvugt %1 %2)" syntax predicate uge "(bvuge %1 %2)" syntax predicate slt "(bvslt %1 %2)" syntax predicate sle "(bvsle %1 %2)" syntax predicate sgt "(bvsgt %1 %2)" syntax predicate sge "(bvsge %1 %2)" (** Arithmetic operators *) syntax function add "(bvadd %1 %2)" remove prop to_uint_add remove prop to_uint_add_bounded syntax function sub "(bvsub %1 %2)" remove prop to_uint_sub remove prop to_uint_sub_bounded syntax function neg "(bvneg %1)" remove prop to_uint_neg syntax function mul "(bvmul %1 %2)" remove prop to_uint_mul remove prop to_uint_mul_bounded syntax function udiv "(bvudiv %1 %2)" remove prop to_uint_udiv syntax function urem "(bvurem %1 %2)" remove prop to_uint_urem syntax function sdiv "(bvsdiv %1 %2)" (*remove prop to_int_sdiv*) syntax function srem "(bvsrem %1 %2)" (*remove prop to_int_srem*) (** Bitvector alternatives for shifts, rotations and nth *) syntax function lsr_bv "(bvlshr %1 %2)" (* remove prop lsr_bv_is_lsr *) remove prop to_uint_lsr syntax function asr_bv "(bvashr %1 %2)" (* remove prop asr_bv_is_asr *) syntax function lsl_bv "(bvshl %1 %2)" (* remove prop lsl_bv_is_lsl *) remove prop to_uint_lsl (** rotations *) (* remove prop rotate_left_bv_is_rotate_left *) (* remove prop rotate_right_bv_is_rotate_right *) (** nth_bv *) (* remove prop nth_bv_def *) (* remove prop Nth_bv_is_nth *) (* remove prop Nth_bv_is_nth2 *) remove prop Extensionality end theory bv.BV256 meta "literal:keep" type t syntax literal t "#x%64x" syntax type t "(_ BitVec 256)" syntax function zeros "#x0000000000000000000000000000000000000000000000000000000000000000" syntax function one "#x0000000000000000000000000000000000000000000000000000000000000001" syntax function ones "#xFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF" syntax function size_bv "(_ bv256 256)" syntax predicate is_signed_positive "(bvsge %1 (_ bv0 256))" syntax function rotate_left_bv "(bvor (bvshl %1 (bvurem %2 (_ bv256 256))) (bvlshr %1 (bvsub (_ bv256 256) (bvurem %2 (_ bv256 256)))))" syntax function rotate_right_bv "(bvor (bvlshr %1 (bvurem %2 (_ bv256 256))) (bvshl %1 (bvsub (_ bv256 256) (bvurem %2 (_ bv256 256)))))" end theory bv.BV128 meta "literal:keep" type t syntax literal t "#x%32x" syntax type t "(_ BitVec 128)" syntax function zeros "#x00000000000000000000000000000000" syntax function one "#x00000000000000000000000000000001" syntax function ones "#xFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF" syntax function size_bv "(_ bv128 128)" syntax predicate is_signed_positive "(bvsge %1 (_ bv0 128))" syntax function rotate_left_bv "(bvor (bvshl %1 (bvurem %2 (_ bv128 128))) (bvlshr %1 (bvsub (_ bv128 128) (bvurem %2 (_ bv128 128)))))" syntax function rotate_right_bv "(bvor (bvlshr %1 (bvurem %2 (_ bv128 128))) (bvshl %1 (bvsub (_ bv128 128) (bvurem %2 (_ bv128 128)))))" end theory bv.BV64 meta "literal:keep" type t syntax literal t "#x%16x" syntax type t "(_ BitVec 64)" syntax function zeros "#x0000000000000000" syntax function one "#x0000000000000001" syntax function ones "#xFFFFFFFFFFFFFFFF" syntax function size_bv "(_ bv64 64)" syntax predicate is_signed_positive "(bvsge %1 (_ bv0 64))" syntax function rotate_left_bv "(bvor (bvshl %1 (bvurem %2 (_ bv64 64))) (bvlshr %1 (bvsub (_ bv64 64) (bvurem %2 (_ bv64 64)))))" syntax function rotate_right_bv "(bvor (bvlshr %1 (bvurem %2 (_ bv64 64))) (bvshl %1 (bvsub (_ bv64 64) (bvurem %2 (_ bv64 64)))))" end theory bv.BV32 meta "literal:keep" type t syntax literal t "#x%8x" syntax type t "(_ BitVec 32)" syntax function zeros "#x00000000" syntax function one "#x00000001" syntax function ones "#xFFFFFFFF" syntax function size_bv "(_ bv32 32)" syntax predicate is_signed_positive "(bvsge %1 (_ bv0 32))" syntax function rotate_left_bv "(bvor (bvshl %1 (bvurem %2 (_ bv32 32))) (bvlshr %1 (bvsub (_ bv32 32) (bvurem %2 (_ bv32 32)))))" syntax function rotate_right_bv "(bvor (bvlshr %1 (bvurem %2 (_ bv32 32))) (bvshl %1 (bvsub (_ bv32 32) (bvurem %2 (_ bv32 32)))))" end theory bv.BV16 meta "literal:keep" type t syntax literal t "#x%4x" syntax type t "(_ BitVec 16)" syntax function zeros "#x0000" syntax function one "#x0001" syntax function ones "#xFFFF" syntax function size_bv "(_ bv16 16)" syntax predicate is_signed_positive "(bvsge %1 (_ bv0 16))" syntax function rotate_left_bv "(bvor (bvshl %1 (bvurem %2 (_ bv16 16))) (bvlshr %1 (bvsub (_ bv16 16) (bvurem %2 (_ bv16 16)))))" syntax function rotate_right_bv "(bvor (bvlshr %1 (bvurem %2 (_ bv16 16))) (bvshl %1 (bvsub (_ bv16 16) (bvurem %2 (_ bv16 16)))))" end theory bv.BV8 meta "literal:keep" type t syntax literal t (* "#b%8b" *) "#x%2x" syntax type t "(_ BitVec 8)" syntax function zeros "#x00" syntax function one "#x01" syntax function ones "#xFF" syntax function size_bv "(_ bv8 8)" syntax predicate is_signed_positive "(bvsge %1 (_ bv0 8))" syntax function rotate_left_bv "(bvor (bvshl %1 (bvurem %2 (_ bv8 8))) (bvlshr %1 (bvsub (_ bv8 8) (bvurem %2 (_ bv8 8)))))" syntax function rotate_right_bv "(bvor (bvlshr %1 (bvurem %2 (_ bv8 8))) (bvshl %1 (bvsub (_ bv8 8) (bvurem %2 (_ bv8 8)))))" end theory bv.BVConverter_Gen remove allprops end theory bv.BVConverter_128_256 syntax function toBig "((_ zero_extend 128) %1)" syntax function stoBig "((_ sign_extend 128) %1)" syntax function toSmall "((_ extract 127 0) %1)" end theory bv.BVConverter_64_128 syntax function toBig "((_ zero_extend 64) %1)" syntax function stoBig "((_ sign_extend 64) %1)" syntax function toSmall "((_ extract 63 0) %1)" end theory bv.BVConverter_32_128 syntax function toBig "((_ zero_extend 96) %1)" syntax function stoBig "((_ sign_extend 96) %1)" syntax function toSmall "((_ extract 31 0) %1)" end theory bv.BVConverter_16_128 syntax function toBig "((_ zero_extend 112) %1)" syntax function stoBig "((_ sign_extend 112) %1)" syntax function toSmall "((_ extract 15 0) %1)" end theory bv.BVConverter_8_128 syntax function toBig "((_ zero_extend 120) %1)" syntax function stoBig "((_ sign_extend 120) %1)" syntax function toSmall "((_ extract 7 0) %1)" end theory bv.BVConverter_32_64 syntax function toBig "((_ zero_extend 32) %1)" syntax function stoBig "((_ sign_extend 32) %1)" syntax function toSmall "((_ extract 31 0) %1)" end theory bv.BVConverter_16_64 syntax function toBig "((_ zero_extend 48) %1)" syntax function stoBig "((_ sign_extend 48) %1)" syntax function toSmall "((_ extract 15 0) %1)" end theory bv.BVConverter_8_64 syntax function toBig "((_ zero_extend 56) %1)" syntax function stoBig "((_ sign_extend 56) %1)" syntax function toSmall "((_ extract 7 0) %1)" end theory bv.BVConverter_16_32 syntax function toBig "((_ zero_extend 16) %1)" syntax function stoBig "((_ sign_extend 16) %1)" syntax function toSmall "((_ extract 15 0) %1)" end theory bv.BVConverter_8_32 syntax function toBig "((_ zero_extend 24) %1)" syntax function stoBig "((_ sign_extend 24) %1)" syntax function toSmall "((_ extract 7 0) %1)" end theory bv.BVConverter_8_16 syntax function toBig "((_ zero_extend 8) %1)" syntax function stoBig "((_ sign_extend 8) %1)" syntax function toSmall "((_ extract 7 0) %1)" end theory bv.Pow2int remove allprops end ��������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������why3-1.6.0/drivers/smt-libv2-floats-gnatprove.gen���������������������������������������������������0000664�0000000�0000000�00000003427�14401600263�0021673�0����������������������������������������������������������������������������������������������������ustar�00root����������������������������root����������������������������0000000�0000000������������������������������������������������������������������������������������������������������������������������������������������������������������������������(********************************************************************** *** gnat2why theories *** **********************************************************************) theory _gnatprove_standard_th.Floating_Func syntax predicate neq "(not (fp.eq %1 %2))" syntax function bool_lt "(fp.lt %1 %2)" syntax function bool_le "(fp.leq %1 %2)" syntax function bool_gt "(fp.gt %1 %2)" syntax function bool_ge "(fp.geq %1 %2)" syntax function bool_eq "(fp.eq %1 %2)" syntax function bool_neq "(not (fp.eq %1 %2))" remove allprops end (*************************************************************************) theory "_gnatprove_standard".Floating syntax function rem "(fp.rem %1 %2)" syntax function div_rne "(fp.div RNE %1 %2)" remove allprops end theory "_gnatprove_standard".Float32_next_prev syntax function max_value "(fp #b0 #b11111110 #b11111111111111111111111)" end theory "_gnatprove_standard".Float64_next_prev syntax function max_value "(fp #b0 #b11111111110 #b1111111111111111111111111111111111111111111111111111)" end theory "_gnatprove_standard".Float32 syntax function one "(fb #b0 #b01111111 #b00000000000000000000000)" remove allprops end theory "_gnatprove_standard".Float64 syntax function one "(fb #b0 #b01111111111 #b0000000000000000000000000000000000000000000000000000)" remove allprops end (*************************************************************************) theory ada__model.Floating_Point_Base syntax function bool_eq "(fp.eq %1 %2)" remove allprops end (*************************************************************************) theory ieee_float.Float64 (* function to_int *) end theory ieee_float.Float32 (* function to_int *) end theory real.Square remove allprops end �����������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������why3-1.6.0/drivers/smt-libv2-floats-int_via_bv.gen��������������������������������������������������0000664�0000000�0000000�00000001431�14401600263�0021777�0����������������������������������������������������������������������������������������������������ustar�00root����������������������������root����������������������������0000000�0000000������������������������������������������������������������������������������������������������������������������������������������������������������������������������(* This is a encoding for int/float conversions via bitvectors. *) (* we do not translate of_int since z3 will not prove anything if it * appears in its context, see PC07-014 *) theory ieee_float.Float32 (* check the sign bit; if pos |%1| else |%1| - 2^129 *) syntax function to_int "(ite (= ((_ extract 128 128) ((_ fp.to_sbv 129) %1 %2)) #b0) (bv2int ((_ fp.to_sbv 129) %1 %2)) (- (bv2int ((_ fp.to_sbv 129) %1 %2)) (bv2int (bvshl (_ bv1 130) (_ bv129 130)))))" end theory ieee_float.Float64 (* check the sign bit; if pos |%1| else |%1| - 2^1025 *) syntax function to_int "(ite (= ((_ extract 1024 1024) ((_ fp.to_sbv 1025) %1 %2)) #b0) (bv2int ((_ fp.to_sbv 1025) %1 %2)) (- (bv2int ((_ fp.to_sbv 1025) %1 %2)) (bv2int (bvshl (_ bv1 1026) (_ bv1025 1026)))))" end ���������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������why3-1.6.0/drivers/smt-libv2-floats-int_via_real.gen������������������������������������������������0000664�0000000�0000000�00000000545�14401600263�0022320�0����������������������������������������������������������������������������������������������������ustar�00root����������������������������root����������������������������0000000�0000000������������������������������������������������������������������������������������������������������������������������������������������������������������������������(* This is a encoding for int/float conversions via reals. *) theory ieee_float.GenericFloat syntax function to_int "(to_int (fp.to_real (fp.roundToIntegral %1 %2)))" end theory ieee_float.Float32 syntax function of_int "((_ to_fp 8 24) %1 (to_real %2))" end theory ieee_float.Float64 syntax function of_int "((_ to_fp 11 53) %1 (to_real %2))" end �����������������������������������������������������������������������������������������������������������������������������������������������������������why3-1.6.0/drivers/smt-libv2-floats.gen�������������������������������������������������������������0000664�0000000�0000000�00000013005�14401600263�0017661�0����������������������������������������������������������������������������������������������������ustar�00root����������������������������root����������������������������0000000�0000000������������������������������������������������������������������������������������������������������������������������������������������������������������������������theory ieee_float.RoundingMode syntax type mode "RoundingMode" syntax function RNE "RNE" syntax function RNA "RNA" syntax function RTP "RTP" syntax function RTN "RTN" syntax function RTZ "RTZ" syntax predicate to_nearest "(or (= %1 RNE) (= %1 RNA))" end theory ieee_float.GenericFloat (* Part I *) syntax function abs "(fp.abs %1)" syntax function neg "(fp.neg %1)" syntax function add "(fp.add %1 %2 %3)" syntax function sub "(fp.sub %1 %2 %3)" syntax function mul "(fp.mul %1 %2 %3)" syntax function div "(fp.div %1 %2 %3)" syntax function fma "(fp.fma %1 %2 %3 %4)" syntax function sqrt "(fp.sqrt %1 %2)" syntax function roundToIntegral "(fp.roundToIntegral %1 %2)" syntax function min "(fp.min %1 %2)" syntax function max "(fp.max %1 %2)" syntax predicate le "(fp.leq %1 %2)" syntax predicate lt "(fp.lt %1 %2)" syntax predicate ge "(fp.geq %1 %2)" syntax predicate gt "(fp.gt %1 %2)" syntax predicate eq "(fp.eq %1 %2)" syntax predicate is_normal "(fp.isNormal %1)" syntax predicate is_subnormal "(fp.isSubnormal %1)" syntax predicate is_zero "(fp.isZero %1)" syntax predicate is_infinite "(fp.isInfinite %1)" syntax predicate is_nan "(fp.isNaN %1)" syntax predicate is_positive "(fp.isPositive %1)" syntax predicate is_negative "(fp.isNegative %1)" (* We could do this here, but we get slightly slimmer VCs and avoid issues with Z3 if we do specialised versions of this for Float32 and Float64 *) (* The proposed fp.isFinite would fix all this. *) (* syntax predicate is_finite "(not (or (fp.isInfinite %1) (fp.isNaN %1)))" *) syntax predicate is_not_nan "(not (fp.isNaN %1))" syntax function to_real "(fp.to_real %1)" syntax predicate overflow_value "true" syntax predicate sign_zero_result "true" (* Part II *) remove allprops end theory ieee_float.Float32 (* Part I *) syntax type t "Float32" meta "literal:keep" type t syntax literal t "(fp #b%s1b #b%e8b #b%m23b)" syntax function zeroF "((_ to_fp 8 24) #x00000000)" prelude "(define-fun fp.isFinite32 ((x Float32)) Bool (not (or (fp.isInfinite x) (fp.isNaN x))))" prelude "(define-fun fp.isIntegral32 ((x Float32)) Bool (or (fp.isZero x) (and (fp.isNormal x) (= x (fp.roundToIntegral RNE x)))))" syntax predicate t'isFinite "(fp.isFinite32 %1)" syntax predicate is_int "(fp.isIntegral32 %1)" (* Faithful translations of the axiomatisation, mainly to remove this crud from the smtlib output of SPARK. *) syntax function round "(fp.to_real ((_ to_fp 8 24) %1 %2))" syntax predicate in_range "\ (and (<= (fp.to_real (fp #b1 #b11111110 #b11111111111111111111111)) %1) \ (<= %1 (fp.to_real (fp #b0 #b11111110 #b11111111111111111111111))))" syntax predicate no_overflow "\ (and (<= (fp.to_real (fp #b1 #b11111110 #b11111111111111111111111)) \ (fp.to_real ((_ to_fp 8 24) %1 %2))) \ (<= (fp.to_real ((_ to_fp 8 24) %1 %2)) \ (fp.to_real (fp #b0 #b11111110 #b11111111111111111111111))))" remove allprops end theory ieee_float.Float64 (* Part I *) syntax type t "Float64" meta "literal:keep" type t syntax literal t "(fp #b%s1b #b%e11b #b%m52b)" syntax function zeroF "((_ to_fp 11 53) #x0000000000000000)" prelude "(define-fun fp.isFinite64 ((x Float64)) Bool (not (or (fp.isInfinite x) (fp.isNaN x))))" prelude "(define-fun fp.isIntegral64 ((x Float64)) Bool (or (fp.isZero x) (and (fp.isNormal x) (= x (fp.roundToIntegral RNE x)))))" syntax predicate t'isFinite "(fp.isFinite64 %1)" syntax predicate is_int "(fp.isIntegral64 %1)" (* Faithful translations of the axiomatisation, mainly to remove this crud from the smtlib output of SPARK. *) syntax function round "(fp.to_real ((_ to_fp 11 53) %1 %2))" syntax predicate in_range "\ (and \ (<= \ (fp.to_real (fp #b1 #b11111111110 #b1111111111111111111111111111111111111111111111111111)) \ %1) \ (<= %1 \ (fp.to_real (fp #b0 #b11111111110 #b1111111111111111111111111111111111111111111111111111))))" syntax predicate no_overflow "\ (and \ (<= \ (fp.to_real (fp #b1 #b11111111110 #b1111111111111111111111111111111111111111111111111111)) \ (fp.to_real ((_ to_fp 11 53) %1 %2))) \ (<= \ (fp.to_real ((_ to_fp 11 53) %1 %2)) \ (fp.to_real (fp #b0 #b11111111110 #b1111111111111111111111111111111111111111111111111111))))" remove allprops end theory ieee_float.FloatConverter (* Part I *) syntax function to_float32 "((_ to_fp 8 24) %1 %2)" syntax function to_float64 "((_ to_fp 11 53) %1 %2)" remove allprops end theory ieee_float.Float_BV_Converter (* Part I *) syntax function to_ubv8 "((_ fp.to_ubv 8) %1 %2)" syntax function to_ubv16 "((_ fp.to_ubv 16) %1 %2)" syntax function to_ubv32 "((_ fp.to_ubv 32) %1 %2)" syntax function to_ubv64 "((_ fp.to_ubv 64) %1 %2)" remove allprops end theory ieee_float.Float32_BV_Converter (* Part I *) syntax function of_ubv8 "((_ to_fp_unsigned 8 24) %1 %2)" syntax function of_ubv16 "((_ to_fp_unsigned 8 24) %1 %2)" syntax function of_ubv32 "((_ to_fp_unsigned 8 24) %1 %2)" syntax function of_ubv64 "((_ to_fp_unsigned 8 24) %1 %2)" remove allprops end theory ieee_float.Float64_BV_Converter (* Part I *) syntax function of_ubv8 "((_ to_fp_unsigned 11 53) %1 %2)" syntax function of_ubv16 "((_ to_fp_unsigned 11 53) %1 %2)" syntax function of_ubv32 "((_ to_fp_unsigned 11 53) %1 %2)" syntax function of_ubv64 "((_ to_fp_unsigned 11 53) %1 %2)" remove allprops end ���������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������why3-1.6.0/drivers/smt-libv2-gnatprove.gen����������������������������������������������������������0000664�0000000�0000000�00000002661�14401600263�0020404�0����������������������������������������������������������������������������������������������������ustar�00root����������������������������root����������������������������0000000�0000000������������������������������������������������������������������������������������������������������������������������������������������������������������������������(********************************************************************** *** gnat2why theories *** **********************************************************************) theory _gnatprove_standard_th.Integer syntax function bool_eq "(= %1 %2)" syntax function bool_ne "(not (= %1 %2))" syntax function bool_lt "(< %1 %2)" syntax function bool_le "(<= %1 %2)" syntax function bool_gt "(> %1 %2)" syntax function bool_ge "(>= %1 %2)" remove allprops end theory _gnatprove_standard_th.Boolean_Func syntax function bool_eq "(= %1 %2)" syntax function to_int "(ite %1 1 0)" syntax function of_int "(distinct %1 0)" remove allprops end (*************************************************************************) theory _gnatprove_standard.BVAda syntax function bool_eq "(= %1 %2)" syntax function bool_ne "(not (= %1 %2))" syntax function bool_lt "(bvult %1 %2)" syntax function bool_le "(bvule %1 %2)" syntax function bool_gt "(bvugt %1 %2)" syntax function bool_ge "(bvuge %1 %2)" remove allprops end (*************************************************************************) theory ada__model.Discrete_Base syntax function bool_eq "(= %1 %2)" remove allprops end (*************************************************************************) theory ada__model_th.Discrete_Base_Theory syntax function bool_eq "(= %1 %2)" remove allprops end �������������������������������������������������������������������������������why3-1.6.0/drivers/smt-libv2.gen��������������������������������������������������������������������0000664�0000000�0000000�00000011131�14401600263�0016371�0����������������������������������������������������������������������������������������������������ustar�00root����������������������������root����������������������������0000000�0000000������������������������������������������������������������������������������������������������������������������������������������������������������������������������(* Why3 driver for SMT-LIB2 syntax, excluding bit-vectors *) prelude ";;; generated by SMT-LIB2 driver" (* Note: we do not insert any command "set-logic" because its interpretation is specific to provers prelude "(set-logic AUFNIRA)" A : Array UF : Uninterpreted Function DT : Datatypes (not needed at the end ...) NIRA : NonLinear Integer Reals Arithmetic *) filename "%f-%t-%g.smt2" unknown "^\\(unknown\\|sat\\|Fail\\)$" "\\1" unknown "^(:reason-unknown \\([^)]*\\))$" "\\1" time "why3cpulimit time : %s s" valid "^unsat$" theory BuiltIn syntax type int "Int" syntax type real "Real" syntax predicate (=) "(= %1 %2)" meta "encoding:kept" type int meta "encoding:ignore_polymorphism_ls" predicate (=) end theory int.Int prelude ";;; SMT-LIB2: integer arithmetic" syntax function zero "0" syntax function one "1" syntax function (+) "(+ %1 %2)" syntax function (-) "(- %1 %2)" syntax function (*) "(* %1 %2)" syntax function (-_) "(- %1)" syntax predicate (<=) "(<= %1 %2)" syntax predicate (<) "(< %1 %2)" syntax predicate (>=) "(>= %1 %2)" syntax predicate (>) "(> %1 %2)" remove prop MulComm.Comm remove prop MulAssoc.Assoc remove prop Unit_def_l remove prop Unit_def_r remove prop Inv_def_l remove prop Inv_def_r remove prop Assoc remove prop Mul_distr_l remove prop Mul_distr_r remove prop Comm remove prop Unitary remove prop Refl remove prop Trans remove prop Antisymm remove prop Total remove prop NonTrivialRing remove prop CompatOrderAdd remove prop ZeroLessOne end theory real.Real prelude ";;; SMT-LIB2: real arithmetic" syntax function zero "0.0" syntax function one "1.0" syntax function (+) "(+ %1 %2)" syntax function (-) "(- %1 %2)" syntax function (*) "(* %1 %2)" syntax function (/) "(/ %1 %2)" syntax function (-_) "(- %1)" syntax function inv "(/ 1.0 %1)" syntax predicate (<=) "(<= %1 %2)" syntax predicate (<) "(< %1 %2)" syntax predicate (>=) "(>= %1 %2)" syntax predicate (>) "(> %1 %2)" remove prop MulComm.Comm remove prop MulAssoc.Assoc remove prop Unit_def_l remove prop Unit_def_r remove prop Inv_def_l remove prop Inv_def_r remove prop Assoc remove prop Mul_distr_l remove prop Mul_distr_r remove prop Comm remove prop Unitary remove prop Inverse remove prop Refl remove prop Trans remove prop Antisymm remove prop Total remove prop NonTrivialRing remove prop CompatOrderAdd remove prop ZeroLessOne meta "encoding:kept" type real end theory real.Abs syntax function abs "(ite (>= %1 0.0) %1 (- %1))" remove allprops end theory real.MinMax remove allprops end theory real.FromInt syntax function from_int "(to_real %1)" remove allprops end theory real.Truncate syntax function truncate "(ite (>= %1 0.0) \ (to_int %1) \ (- (to_int (- %1))))" syntax function floor "(to_int %1)" syntax function ceil "(- (to_int (- %1)))" remove allprops end theory Bool syntax type bool "Bool" syntax function True "true" syntax function False "false" meta "algebraic:kept" type bool end theory bool.Bool syntax function andb "(and %1 %2)" syntax function orb "(or %1 %2)" syntax function xorb "(xor %1 %2)" syntax function notb "(not %1)" syntax function implb "(=> %1 %2)" end theory bool.Ite syntax function ite "(ite %1 %2 %3)" meta "encoding:lskept" function ite meta "encoding:ignore_polymorphism_ls" function ite end (* not uniformly interpreted by provers theory real.Truncate syntax function floor "(to_int %1)" remove prop Floor_down remove prop Floor_monotonic end *) theory HighOrd syntax type (->) "(Array %1 %2)" syntax function (@) "(select %1 %2)" meta "encoding:lskept" function (@) meta "encoding:ignore_polymorphism_ts" type (->) meta "encoding:ignore_polymorphism_ls" function (@) end theory bv.BV_Gen (* removing well-founded properties, they cannot be useful for SMT solvers, and they imply polymorphism *) remove prop ult_wf remove prop ugt_wf remove prop slt_wf remove prop sgt_wf end theory map.Map syntax function get "(select %1 %2)" syntax function set "(store %1 %2 %3)" meta "encoding:lskept" function get meta "encoding:lskept" function set meta "encoding:ignore_polymorphism_ls" function get meta "encoding:ignore_polymorphism_ls" function ([]) meta "encoding:ignore_polymorphism_ls" function set meta "encoding:ignore_polymorphism_ls" function ([<-]) end theory map.Const meta "encoding:lskept" function const (* syntax function const "(const[%t0] %1)" *) end ���������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������why3-1.6.0/drivers/smtlib-strings.gen���������������������������������������������������������������0000664�0000000�0000000�00000006205�14401600263�0017541�0����������������������������������������������������������������������������������������������������ustar�00root����������������������������root����������������������������0000000�0000000������������������������������������������������������������������������������������������������������������������������������������������������������������������������ prelude ";;; generated by SMT-LIB strings" theory BuiltIn syntax type string "String" meta "literal:keep" type string end theory string.String remove prop concat_assoc remove prop concat_empty remove prop length_empty remove prop length_concat remove prop at_out_of_range remove prop at_empty remove prop at_length remove prop concat_at remove prop substring_out_of_range remove prop substring_of_length_zero_or_less remove prop substring_of_empty remove prop substring_smaller remove prop substring_smaller_x remove prop substring_length remove prop substring_at remove prop prefixof_substring remove prop prefixof_concat remove prop prefixof_empty remove prop prefixof_empty2 remove prop suffixof_substring remove prop suffixof_concat remove prop suffixof_empty remove prop suffixof_empty2 remove prop contains_prefixof remove prop contains_suffixof remove prop contains_empty remove prop contains_empty2 remove prop contains_substring remove prop contains_concat remove prop contains_at remove prop indexof_empty remove prop indexof_empty1 remove prop indexof_contains remove prop contains_indexof remove prop not_contains_indexof remove prop substring_indexof remove prop indexof_out_of_range remove prop indexof_in_range remove prop indexof_contains_substring remove prop replace_empty remove prop replace_not_contains remove prop replace_empty2 remove prop replace_substring_indexof remove prop to_int_gt_minus_1 remove prop to_int_empty remove prop from_int_negative remove prop from_int_to_int syntax function concat "(str.++ %1 %2)" syntax function length "(str.len %1)" syntax function indexof "(str.indexof %1 %2 %3)" syntax function replace "(str.replace %1 %2 %3)" syntax function substring "(str.substr %1 %2 %3)" syntax function s_at "(str.at %1 %2)" syntax predicate contains "(str.contains %1 %2)" syntax predicate prefixof "(str.prefixof %1 %2)" syntax predicate suffixof "(str.suffixof %1 %2)" (* syntax function is_digit "(str.is_digit %1)" *) syntax function to_int "(str.to_int %1)" syntax function from_int "(str.from_int %1)" syntax predicate lt "(str.< %1 %2)" syntax predicate le "(str.<= %1 %2)" syntax function replaceall "(str.replace_all %1 %2 %3)" end theory string.StringRealization prelude ";;; SMT-LIB2: string theory" syntax function concat "(str.++ %1 %2)" syntax function length "(str.len %1)" syntax function indexof "(str.indexof %1 %2 %3)" syntax function replace "(str.replace %1 %2 %3)" syntax function substring "(str.substr %1 %2 %3)" syntax function s_at "(str.at %1 %2)" syntax predicate contains "(str.contains %1 %2)" syntax predicate prefixof "(str.prefixof %1 %2)" syntax predicate suffixof "(str.suffixof %1 %2)" (* syntax function is_digit "(str.is_digit %1)" *) syntax function to_int "(str.to_int %1)" syntax function from_int "(str.from_int %1)" syntax predicate lt "(str.< %1 %2)" syntax predicate le "(str.<= %1 %2)" syntax function replaceall "(str.replace_all %1 %2 %3)" end�������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������why3-1.6.0/drivers/spass.drv������������������������������������������������������������������������0000664�0000000�0000000�00000000416�14401600263�0015731�0����������������������������������������������������������������������������������������������������ustar�00root����������������������������root����������������������������0000000�0000000������������������������������������������������������������������������������������������������������������������������������������������������������������������������(* Why driver for SPASS *) valid "Proof found" invalid "Completion found" timeout "Ran out of time" timeout "CPU time limit exceeded" outofmemory "Out of Memory" unknown "No Proof Found" "" fail "Failure.*" "\"\\0\"" import "tptp.gen" import "discrimination.gen" ��������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������why3-1.6.0/drivers/spass_types.drv������������������������������������������������������������������0000664�0000000�0000000�00000001451�14401600263�0017155�0����������������������������������������������������������������������������������������������������ustar�00root����������������������������root����������������������������0000000�0000000������������������������������������������������������������������������������������������������������������������������������������������������������������������������(* Why driver for SPASS with types (>= 3.8) *) printer "dfg" filename "%f-%t-%g.dfg" valid "Proof found" invalid "Completion found" timeout "Ran out of time" timeout "CPU time limit exceeded" outofmemory "Out of Memory" unknown "No Proof Found" "" fail "Failure.*" "\"\\0\"" time "why3cpulimit time : %s s" (* to be improved *) transformation "inline_trivial" transformation "eliminate_builtin" transformation "eliminate_definition" transformation "eliminate_inductive" transformation "eliminate_if" transformation "eliminate_epsilon" transformation "eliminate_algebraic" transformation "eliminate_literal" transformation "eliminate_let" transformation "discriminate" theory BuiltIn syntax predicate (=) "equal(%1, %2)" meta "eliminate_algebraic" "no_index" end import "discrimination.gen" �����������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������why3-1.6.0/drivers/tptp-tff0.drv��������������������������������������������������������������������0000664�0000000�0000000�00000016412�14401600263�0016427�0����������������������������������������������������������������������������������������������������ustar�00root����������������������������root����������������������������0000000�0000000������������������������������������������������������������������������������������������������������������������������������������������������������������������������(* Why driver for first-order tptp provers supporting TFF0 *) printer "tptp-tff0" filename "%f-%t-%g.p" valid "Proof found" invalid "Completion found" valid "^% SZS status Theorem" valid "^% SZS status Unsatisfiable" unknown "^% SZS status CounterSatisfiable" "" unknown "^% SZS status Satisfiable" "" timeout "^% SZS status Timeout" unknown "^% SZS status GaveUp" "" fail "^% SZS status Error" "" timeout "Ran out of time" timeout "CPU time limit exceeded" outofmemory "Out of Memory" unknown "No Proof Found" "" fail "Failure.*" "\"\\0\"" time "why3cpulimit time : %s s" (* to be improved *) transformation "inline_trivial" transformation "eliminate_builtin" transformation "eliminate_definition" transformation "eliminate_inductive" transformation "eliminate_epsilon" transformation "eliminate_algebraic" transformation "eliminate_literal" transformation "discriminate" transformation "encoding_smt" import "discrimination.gen" theory BuiltIn syntax predicate (=) "(%1 = %2)" syntax type int "$int" syntax type real "$real" meta "encoding:kept" type int meta "encoding:kept" type real meta "eliminate_algebraic" "no_index" end theory int.Int syntax function zero "0" syntax function one "1" syntax function (+) "$sum(%1,%2)" syntax function (-) "$difference(%1,%2)" syntax function (*) "$product(%1,%2)" syntax function (-_) "$uminus(%1)" syntax predicate (<=) "$lesseq(%1,%2)" syntax predicate (<) "$less(%1,%2)" syntax predicate (>=) "$greatereq(%1,%2)" syntax predicate (>) "$greater(%1,%2)" remove prop MulComm.Comm remove prop MulAssoc.Assoc remove prop Unit_def_l remove prop Unit_def_r remove prop Inv_def_l remove prop Inv_def_r remove prop Assoc remove prop Mul_distr_l remove prop Mul_distr_r remove prop Comm remove prop Unitary remove prop Refl remove prop Trans remove prop Antisymm remove prop Total remove prop NonTrivialRing remove prop CompatOrderAdd remove prop ZeroLessOne end theory real.Real syntax function zero "0.0" syntax function one "1.0" syntax function (+) "$sum(%1,%2)" syntax function (-) "$difference(%1,%2)" syntax function (*) "$product(%1,%2)" syntax function (-_) "$uminus(%1)" syntax function (/) "$quotient(%1,%2)" syntax function inv "$quotient(1.0,%1)" syntax predicate (<=) "$lesseq(%1,%2)" syntax predicate (<) "$less(%1,%2)" syntax predicate (>=) "$greatereq(%1,%2)" syntax predicate (>) "$greater(%1,%2)" remove prop MulComm.Comm remove prop MulAssoc.Assoc remove prop Unit_def_l remove prop Unit_def_r remove prop Inv_def_l remove prop Inv_def_r remove prop Assoc remove prop Mul_distr_l remove prop Mul_distr_r remove prop Comm remove prop Unitary remove prop Inverse remove prop Refl remove prop Trans remove prop Antisymm remove prop Total remove prop NonTrivialRing remove prop CompatOrderAdd remove prop ZeroLessOne end theory int.EuclideanDivision syntax function div "$quotient_e(%1,%2)" syntax function mod "$remainder_e(%1,%2)" remove prop Div_mod remove prop Div_bound remove prop Mod_bound remove prop Mod_1 remove prop Div_1 remove prop Div_inf remove prop Div_inf_neg remove prop Mod_0 remove prop Div_1_left remove prop Div_minus1_left remove prop Mod_1_left remove prop Mod_minus1_left end theory tptp.Univ syntax type iType "$i" meta "encoding:kept" type iType end theory tptp.IntTrunc syntax function floor "$floor(%1)" syntax function ceiling "$ceiling(%1)" syntax function truncate "$truncate(%1)" syntax function round "$round(%1)" syntax function to_int "$to_int(%1)" syntax predicate is_int "$is_int(%1)" syntax predicate is_rat "$is_rat(%1)" end theory tptp.IntDivT syntax function div_t "$quotient_t(%1,%2)" syntax function mod_t "$remainder_t(%1,%2)" end theory tptp.IntDivF syntax function div_f "$quotient_f(%1,%2)" syntax function mod_f "$remainder_f(%1,%2)" end theory tptp.Rat syntax type rat "$rat" syntax function zero "0/1" syntax function one "1/1" syntax function (+) "$sum(%1,%2)" syntax function (-) "$difference(%1,%2)" syntax function (*) "$product(%1,%2)" syntax function (-_) "$uminus(%1)" syntax function (/) "$quotient(%1,%2)" syntax function inv "$quotient(1/1,%1)" syntax predicate (<=) "$lesseq(%1,%2)" syntax predicate (<) "$less(%1,%2)" syntax predicate (>=) "$greatereq(%1,%2)" syntax predicate (>) "$greater(%1,%2)" syntax function to_rat "$to_rat(%1)" syntax predicate is_int "$is_int(%1)" syntax predicate is_rat "$is_rat(%1)" remove prop MulComm.Comm remove prop MulAssoc.Assoc remove prop Unit_def_l remove prop Unit_def_r remove prop Inv_def_l remove prop Inv_def_r remove prop Assoc remove prop Mul_distr_l remove prop Mul_distr_r remove prop Comm remove prop Unitary remove prop Refl remove prop Trans remove prop Antisymm remove prop Total remove prop NonTrivialRing remove prop CompatOrderAdd remove prop ZeroLessOne meta "encoding:kept" type rat end theory tptp.RatTrunc syntax function floor "$floor(%1)" syntax function ceiling "$ceiling(%1)" syntax function truncate "$truncate(%1)" syntax function round "$round(%1)" syntax function to_int "$to_int(%1)" end theory tptp.RatDivE syntax function div "$quotient_e(%1,%2)" syntax function mod "$remainder_e(%1,%2)" end theory tptp.RatDivT syntax function div_t "$quotient_t(%1,%2)" syntax function mod_t "$remainder_t(%1,%2)" end theory tptp.RatDivF syntax function div_f "$quotient_f(%1,%2)" syntax function mod_f "$remainder_f(%1,%2)" end theory tptp.Real syntax function to_real "$to_real(%1)" end theory real.FromInt syntax function from_int "$to_real(%1)" remove prop Zero remove prop One remove prop Add remove prop Sub remove prop Mul remove prop Neg end theory real.Truncate syntax function floor "$to_int(%1)" syntax function ceil "$to_int($ceiling(%1))" syntax function truncate "$to_int($truncate(%1))" remove prop Truncate_int remove prop Truncate_down_pos remove prop Truncate_up_neg remove prop Real_of_truncate remove prop Truncate_monotonic remove prop Truncate_monotonic_int1 remove prop Truncate_monotonic_int2 remove prop Floor_int remove prop Ceil_int remove prop Floor_down remove prop Ceil_up remove prop Floor_monotonic remove prop Ceil_monotonic end theory tptp.RealTrunc syntax function floor "$floor(%1)" syntax function ceiling "$ceiling(%1)" syntax function truncate "$truncate(%1)" syntax function round "$round(%1)" syntax function to_int "$to_int(%1)" syntax predicate is_int "$is_int(%1)" syntax predicate is_rat "$is_rat(%1)" end theory tptp.RealDivE syntax function div "$quotient_e(%1,%2)" syntax function mod "$remainder_e(%1,%2)" end theory tptp.RealDivT syntax function div_t "$quotient_t(%1,%2)" syntax function mod_t "$remainder_t(%1,%2)" end theory tptp.RealDivF syntax function div_f "$quotient_f(%1,%2)" syntax function mod_f "$remainder_f(%1,%2)" end theory tptp.IntToRat syntax function to_rat "$to_rat(%1)" end theory tptp.IntToReal syntax function to_real "$to_real(%1)" end theory tptp.RealToRat syntax function to_rat "$to_rat(%1)" end theory tptp.RatToReal syntax function to_real "$to_real(%1)" end ������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������why3-1.6.0/drivers/tptp-tff1.drv��������������������������������������������������������������������0000664�0000000�0000000�00000016053�14401600263�0016431�0����������������������������������������������������������������������������������������������������ustar�00root����������������������������root����������������������������0000000�0000000������������������������������������������������������������������������������������������������������������������������������������������������������������������������(* Why driver for first-order tptp provers supporting TFF1 *) printer "tptp-tff1" filename "%f-%t-%g.p" valid "Proof found" invalid "Completion found" valid "^% SZS status Theorem" valid "^% SZS status Unsatisfiable" unknown "^% SZS status CounterSatisfiable" "" unknown "^% SZS status Satisfiable" "" timeout "^% SZS status Timeout" unknown "^% SZS status GaveUp" "" fail "^% SZS status Error" "" timeout "Ran out of time" timeout "CPU time limit exceeded" outofmemory "Out of Memory" unknown "No Proof Found" "" fail "Failure.*" "\"\\0\"" time "why3cpulimit time : %s s" (* to be improved *) transformation "inline_trivial" transformation "eliminate_builtin" transformation "eliminate_definition" transformation "eliminate_inductive" transformation "eliminate_epsilon" transformation "eliminate_algebraic" transformation "eliminate_literal" theory BuiltIn syntax predicate (=) "(%1 = %2)" syntax type int "$int" syntax type real "$real" meta "eliminate_algebraic" "no_index" end theory int.Int syntax function zero "0" syntax function one "1" syntax function (+) "$sum(%1,%2)" syntax function (-) "$difference(%1,%2)" syntax function (*) "$product(%1,%2)" syntax function (-_) "$uminus(%1)" syntax predicate (<=) "$lesseq(%1,%2)" syntax predicate (<) "$less(%1,%2)" syntax predicate (>=) "$greatereq(%1,%2)" syntax predicate (>) "$greater(%1,%2)" remove prop MulComm.Comm remove prop MulAssoc.Assoc remove prop Unit_def_l remove prop Unit_def_r remove prop Inv_def_l remove prop Inv_def_r remove prop Assoc remove prop Mul_distr_l remove prop Mul_distr_r remove prop Comm remove prop Unitary remove prop Refl remove prop Trans remove prop Antisymm remove prop Total remove prop NonTrivialRing remove prop CompatOrderAdd remove prop ZeroLessOne end theory real.Real syntax function zero "0.0" syntax function one "1.0" syntax function (+) "$sum(%1,%2)" syntax function (-) "$difference(%1,%2)" syntax function (*) "$product(%1,%2)" syntax function (-_) "$uminus(%1)" syntax function (/) "$quotient(%1,%2)" syntax function inv "$quotient(1.0,%1)" syntax predicate (<=) "$lesseq(%1,%2)" syntax predicate (<) "$less(%1,%2)" syntax predicate (>=) "$greatereq(%1,%2)" syntax predicate (>) "$greater(%1,%2)" remove prop MulComm.Comm remove prop MulAssoc.Assoc remove prop Unit_def_l remove prop Unit_def_r remove prop Inv_def_l remove prop Inv_def_r remove prop Assoc remove prop Mul_distr_l remove prop Mul_distr_r remove prop Comm remove prop Unitary remove prop Inverse remove prop Refl remove prop Trans remove prop Antisymm remove prop Total remove prop NonTrivialRing remove prop CompatOrderAdd remove prop ZeroLessOne end theory int.EuclideanDivision syntax function div "$quotient_e(%1,%2)" syntax function mod "$remainder_e(%1,%2)" remove prop Div_mod remove prop Div_bound remove prop Mod_bound remove prop Mod_1 remove prop Div_1 remove prop Div_inf remove prop Div_inf_neg remove prop Mod_0 remove prop Div_1_left remove prop Div_minus1_left remove prop Mod_1_left remove prop Mod_minus1_left end theory tptp.Univ syntax type iType "$i" end theory tptp.IntTrunc syntax function floor "$floor(%1)" syntax function ceiling "$ceiling(%1)" syntax function truncate "$truncate(%1)" syntax function round "$round(%1)" syntax function to_int "$to_int(%1)" syntax predicate is_int "$is_int(%1)" syntax predicate is_rat "$is_rat(%1)" end theory tptp.IntDivT syntax function div_t "$quotient_t(%1,%2)" syntax function mod_t "$remainder_t(%1,%2)" end theory tptp.IntDivF syntax function div_f "$quotient_f(%1,%2)" syntax function mod_f "$remainder_f(%1,%2)" end theory tptp.Rat syntax type rat "$rat" syntax function zero "0/1" syntax function one "1/1" syntax function (+) "$sum(%1,%2)" syntax function (-) "$difference(%1,%2)" syntax function (*) "$product(%1,%2)" syntax function (-_) "$uminus(%1)" syntax function (/) "$quotient(%1,%2)" syntax function inv "$quotient(1/1,%1)" syntax predicate (<=) "$lesseq(%1,%2)" syntax predicate (<) "$less(%1,%2)" syntax predicate (>=) "$greatereq(%1,%2)" syntax predicate (>) "$greater(%1,%2)" syntax function to_rat "$to_rat(%1)" syntax predicate is_int "$is_int(%1)" syntax predicate is_rat "$is_rat(%1)" remove prop MulComm.Comm remove prop MulAssoc.Assoc remove prop Unit_def_l remove prop Unit_def_r remove prop Inv_def_l remove prop Inv_def_r remove prop Assoc remove prop Mul_distr_l remove prop Mul_distr_r remove prop Comm remove prop Unitary remove prop Refl remove prop Trans remove prop Antisymm remove prop Total remove prop NonTrivialRing remove prop CompatOrderAdd remove prop ZeroLessOne end theory tptp.RatTrunc syntax function floor "$floor(%1)" syntax function ceiling "$ceiling(%1)" syntax function truncate "$truncate(%1)" syntax function round "$round(%1)" syntax function to_int "$to_int(%1)" end theory tptp.RatDivE syntax function div "$quotient_e(%1,%2)" syntax function mod "$remainder_e(%1,%2)" end theory tptp.RatDivT syntax function div_t "$quotient_t(%1,%2)" syntax function mod_t "$remainder_t(%1,%2)" end theory tptp.RatDivF syntax function div_f "$quotient_f(%1,%2)" syntax function mod_f "$remainder_f(%1,%2)" end theory tptp.Real syntax function to_real "$to_real(%1)" end theory real.FromInt syntax function from_int "$to_real(%1)" remove prop Zero remove prop One remove prop Add remove prop Sub remove prop Mul remove prop Neg end theory real.Truncate syntax function floor "$to_int(%1)" syntax function ceil "$to_int($ceiling(%1))" syntax function truncate "$to_int($truncate(%1))" remove prop Truncate_int remove prop Truncate_down_pos remove prop Truncate_up_neg remove prop Real_of_truncate remove prop Truncate_monotonic remove prop Truncate_monotonic_int1 remove prop Truncate_monotonic_int2 remove prop Floor_int remove prop Ceil_int remove prop Floor_down remove prop Ceil_up remove prop Floor_monotonic remove prop Ceil_monotonic end theory tptp.RealTrunc syntax function floor "$floor(%1)" syntax function ceiling "$ceiling(%1)" syntax function truncate "$truncate(%1)" syntax function round "$round(%1)" syntax function to_int "$to_int(%1)" syntax predicate is_int "$is_int(%1)" syntax predicate is_rat "$is_rat(%1)" end theory tptp.RealDivE syntax function div "$quotient_e(%1,%2)" syntax function mod "$remainder_e(%1,%2)" end theory tptp.RealDivT syntax function div_t "$quotient_t(%1,%2)" syntax function mod_t "$remainder_t(%1,%2)" end theory tptp.RealDivF syntax function div_f "$quotient_f(%1,%2)" syntax function mod_f "$remainder_f(%1,%2)" end theory tptp.IntToRat syntax function to_rat "$to_rat(%1)" end theory tptp.IntToReal syntax function to_real "$to_real(%1)" end theory tptp.RealToRat syntax function to_rat "$to_rat(%1)" end theory tptp.RatToReal syntax function to_real "$to_real(%1)" end �������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������why3-1.6.0/drivers/tptp.gen�������������������������������������������������������������������������0000664�0000000�0000000�00000001674�14401600263�0015554�0����������������������������������������������������������������������������������������������������ustar�00root����������������������������root����������������������������0000000�0000000������������������������������������������������������������������������������������������������������������������������������������������������������������������������(* Why common driver for first-order tptp provers *) printer "tptp-fof" filename "%f-%t-%g.p" valid "^% SZS status Theorem" valid "^% SZS status Unsatisfiable" unknown "^% SZS status CounterSatisfiable" "" unknown "^% SZS status Satisfiable" "" timeout "^% SZS status Timeout" unknown "^% SZS status GaveUp" "" fail "^% SZS status Error" "" time "why3cpulimit time : %s s" (* to be improved *) transformation "inline_trivial" transformation "eliminate_builtin" transformation "eliminate_definition" transformation "eliminate_inductive" transformation "eliminate_if" transformation "eliminate_epsilon" transformation "eliminate_algebraic" transformation "eliminate_literal" transformation "eliminate_negative_constants" transformation "eliminate_let" transformation "simplify_formula" transformation "discriminate" transformation "encoding_tptp" theory BuiltIn syntax predicate (=) "(%1 = %2)" meta "eliminate_algebraic" "no_index" end ��������������������������������������������������������������������why3-1.6.0/drivers/vampire.drv����������������������������������������������������������������������0000664�0000000�0000000�00000000326�14401600263�0016243�0����������������������������������������������������������������������������������������������������ustar�00root����������������������������root����������������������������0000000�0000000������������������������������������������������������������������������������������������������������������������������������������������������������������������������(* Why driver for Vampire *) valid "Refutation found" unknown "Time limit reached" "Time out" unknown "Refutation not found" "" outofmemory "Memory limit exceeded" import "tptp.gen" import "discrimination.gen" ����������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������why3-1.6.0/drivers/vampire_4_2_2.drv����������������������������������������������������������������0000664�0000000�0000000�00000001222�14401600263�0017124�0����������������������������������������������������������������������������������������������������ustar�00root����������������������������root����������������������������0000000�0000000������������������������������������������������������������������������������������������������������������������������������������������������������������������������(* Why driver for Vampire *) valid "Refutation found" unknown "Time limit reached" "Time out" unknown "Refutation not found" "" outofmemory "Memory limit exceeded" import "smt-libv2.gen" printer "smtv2.6" import "discrimination.gen" transformation "inline_trivial" transformation "eliminate_builtin" transformation "detect_polymorphism" transformation "eliminate_definition_conditionally" transformation "eliminate_inductive" transformation "eliminate_epsilon" transformation "eliminate_algebraic_if_poly" transformation "eliminate_literal" transformation "simplify_formula" transformation "discriminate_if_poly" transformation "encoding_smt_if_poly" ������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������why3-1.6.0/drivers/vampire_4_5_1.drv����������������������������������������������������������������0000664�0000000�0000000�00000001443�14401600263�0017133�0����������������������������������������������������������������������������������������������������ustar�00root����������������������������root����������������������������0000000�0000000������������������������������������������������������������������������������������������������������������������������������������������������������������������������(* Why driver for Vampire *) valid "Refutation found" unknown "Time limit reached" "Time out" unknown "Refutation not found" "" outofmemory "Memory limit exceeded" import "smt-libv2.gen" printer "smtv2.6" import "discrimination.gen" theory BuiltIn meta "select_alginst_default" "local" meta "eliminate_algebraic" "keep_mono" end transformation "inline_trivial" transformation "eliminate_builtin" transformation "detect_polymorphism" transformation "eliminate_definition_conditionally" transformation "eliminate_inductive" transformation "eliminate_epsilon" transformation "eliminate_literal" transformation "simplify_formula" transformation "eliminate_projections_sums" transformation "discriminate_if_poly" transformation "eliminate_algebraic_if_poly" transformation "encoding_smt_if_poly" �����������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������why3-1.6.0/drivers/verit.drv������������������������������������������������������������������������0000664�0000000�0000000�00000002161�14401600263�0015730�0����������������������������������������������������������������������������������������������������ustar�00root����������������������������root����������������������������0000000�0000000������������������������������������������������������������������������������������������������������������������������������������������������������������������������(* Why3 driver for veriT solver *) prelude ";;; this is a prelude for veriT" prelude "(set-logic AUFLIRA)" (* A : Array UF : Uninterpreted Function LIRA : Linear Integer Reals Arithmetic *) import "smt-libv2.gen" printer "smtv2" import "discrimination.gen" (* specific message from veriT 201310 *) unknown "non-linear reasoning desactivated" "" (* specific message from veriT 201410 *) unknown "error : Non linear expression with non-linear reasoning disabled" "" transformation "inline_trivial" transformation "eliminate_builtin" transformation "eliminate_definition" transformation "eliminate_inductive" transformation "eliminate_epsilon" transformation "eliminate_algebraic" transformation "eliminate_literal" transformation "simplify_formula" (*transformation "simplify_trivial_quantification"*) transformation "encoding_smt" transformation "encoding_sort" (* disabled: veriT seems more efficient with the axiomatic version theory int.EuclideanDivision syntax function div "(div %1 %2)" syntax function mod "(mod %1 %2)" remove prop Mod_bound remove prop Div_mod remove prop Mod_1 remove prop Div_1 end *) ���������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������why3-1.6.0/drivers/why3.drv�������������������������������������������������������������������������0000664�0000000�0000000�00000000355�14401600263�0015474�0����������������������������������������������������������������������������������������������������ustar�00root����������������������������root����������������������������0000000�0000000������������������������������������������������������������������������������������������������������������������������������������������������������������������������(* Why driver for Why3 syntax *) printer "why3" filename "%f-%t-%g.why" theory BuiltIn syntax type int "int" syntax type real "real" syntax predicate (=) "(%1 = %2)" meta "encoding:ignore_polymorphism_ls" predicate (=) end �����������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������why3-1.6.0/drivers/why3_smt.drv���������������������������������������������������������������������0000664�0000000�0000000�00000003214�14401600263�0016354�0����������������������������������������������������������������������������������������������������ustar�00root����������������������������root����������������������������0000000�0000000������������������������������������������������������������������������������������������������������������������������������������������������������������������������(* Why driver for Why3 syntax *) printer "why3" filename "%f-%t-%g.why" transformation "inline_trivial" transformation "eliminate_builtin" transformation "detect_polymorphism" transformation "eliminate_definition" (* We could keep more definitions by using transformation "eliminate_definition_conditionally" instead, but some proofs are lost (examples/logic/triangle_inequality.why) *) transformation "eliminate_inductive" transformation "eliminate_epsilon" transformation "simplify_formula" (*transformation "simplify_trivial_quantification"*) transformation "eliminate_projections_sums" transformation "discriminate_if_poly" transformation "eliminate_algebraic_if_poly" transformation "encoding_smt_if_poly" theory BuiltIn syntax type int "int" syntax type real "real" syntax predicate (=) "(%1 = %2)" meta "encoding:kept" type int meta "encoding:kept" type real meta "encoding:ignore_polymorphism_ls" predicate (=) end theory bool.Ite meta "encoding:lskept" function ite meta "encoding:ignore_polymorphism_ls" function ite end theory HighOrd meta "encoding:lskept" function (@) meta "encoding:ignore_polymorphism_ts" type (->) meta "encoding:ignore_polymorphism_ls" function (@) end theory map.Map meta "encoding:lskept" function get meta "encoding:lskept" function set meta "encoding:ignore_polymorphism_ls" function get meta "encoding:ignore_polymorphism_ls" function ([]) meta "encoding:ignore_polymorphism_ls" function set meta "encoding:ignore_polymorphism_ls" function ([<-]) end import "discrimination.gen" theory BuiltIn meta "select_alginst_default" "local" meta "eliminate_algebraic" "keep_mono" end ������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������why3-1.6.0/drivers/why3_tptp.drv��������������������������������������������������������������������0000664�0000000�0000000�00000000767�14401600263�0016552�0����������������������������������������������������������������������������������������������������ustar�00root����������������������������root����������������������������0000000�0000000������������������������������������������������������������������������������������������������������������������������������������������������������������������������(* Why driver for Why3 syntax *) printer "why3" filename "%f-%t-%g.why" transformation "inline_trivial" transformation "eliminate_builtin" transformation "eliminate_definition" transformation "eliminate_inductive" transformation "eliminate_if" transformation "eliminate_epsilon" transformation "eliminate_algebraic" transformation "eliminate_literal" transformation "eliminate_let" transformation "discriminate" transformation "encoding_tptp" theory BuiltIn syntax predicate (=) "(%1 = %2)" end ���������why3-1.6.0/drivers/yices-smt2.drv�������������������������������������������������������������������0000664�0000000�0000000�00000001430�14401600263�0016574�0����������������������������������������������������������������������������������������������������ustar�00root����������������������������root����������������������������0000000�0000000������������������������������������������������������������������������������������������������������������������������������������������������������������������������(* Why3 driver for Yices-smt2 solver *) prelude ";;; this is a prelude for Yices-smt2" prelude "(set-logic QF_AUFLIRA)" (* A : Array UF : Uninterpreted Function LIRA : Linear Integer Reals Arithmetic *) import "smt-libv2.gen" printer "smtv2" import "discrimination.gen" (* specific messages from Yices-smt2 *) unknown "feature not supported: non linear problem" "non linear arith" transformation "inline_trivial" transformation "eliminate_builtin" transformation "eliminate_definition" transformation "eliminate_inductive" transformation "eliminate_epsilon" transformation "eliminate_algebraic" transformation "eliminate_literal" transformation "simplify_formula" (*transformation "simplify_trivial_quantification"*) transformation "encoding_smt" transformation "encoding_sort" ����������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������why3-1.6.0/drivers/yices.drv������������������������������������������������������������������������0000664�0000000�0000000�00000007110�14401600263�0015712�0����������������������������������������������������������������������������������������������������ustar�00root����������������������������root����������������������������0000000�0000000������������������������������������������������������������������������������������������������������������������������������������������������������������������������ (* Why3 driver for Yices (SMT-like syntax) *) prelude ";;; this is a prelude for Yices " printer "yices" filename "%f-%t-%g.ycs" valid "\\bunsat\\b" unknown "\\bunknown\\b\\|\\bsat\\b" "" unknown "feature not supported: non linear problem" "non linear arith" time "why3cpulimit time : %s s" transformation "inline_trivial" transformation "eliminate_builtin" transformation "eliminate_definition" transformation "eliminate_inductive" transformation "eliminate_epsilon" transformation "eliminate_algebraic" transformation "eliminate_literal" transformation "simplify_formula" (*transformation "simplify_trivial_quantification"*) transformation "discriminate" transformation "encoding_smt" import "discrimination.gen" theory BuiltIn syntax type int "int" syntax type real "real" syntax predicate (=) "(= %1 %2)" meta "encoding:kept" type int (* could we do this? *) (* meta "eliminate_algebraic" "keep_enums" *) end theory int.Int prelude ";;; this is a prelude for Yices integer arithmetic" syntax function zero "0" syntax function one "1" syntax function (+) "(+ %1 %2)" syntax function (-) "(- %1 %2)" syntax function (*) "(* %1 %2)" syntax function (-_) "(- 0 %1)" syntax predicate (<=) "(<= %1 %2)" syntax predicate (<) "(< %1 %2)" syntax predicate (>=) "(>= %1 %2)" syntax predicate (>) "(> %1 %2)" remove prop MulComm.Comm remove prop MulAssoc.Assoc remove prop Unit_def_l remove prop Unit_def_r remove prop Inv_def_l remove prop Inv_def_r remove prop Assoc remove prop Mul_distr_l remove prop Mul_distr_r remove prop Comm remove prop Unitary remove prop Refl remove prop Trans remove prop Antisymm remove prop Total remove prop NonTrivialRing remove prop CompatOrderAdd remove prop ZeroLessOne end theory real.Real prelude ";;; this is a prelude for Yices real arithmetic" syntax function zero "0" syntax function one "1" syntax function (+) "(+ %1 %2)" syntax function (-) "(- %1 %2)" syntax function (*) "(* %1 %2)" (* Yices division doesn't accept anything else than constant on denominator so we don't use it (except for constant cf printer) *) (* syntax function (/) "(/ %1 %2)" *) syntax function (-_) "(- 0 %1)" (* syntax function inv "(/ 1 %1)" *) syntax predicate (<=) "(<= %1 %2)" syntax predicate (<) "(< %1 %2)" syntax predicate (>=) "(>= %1 %2)" syntax predicate (>) "(> %1 %2)" remove prop MulComm.Comm remove prop MulAssoc.Assoc remove prop Unit_def_l remove prop Unit_def_r remove prop Inv_def_l remove prop Inv_def_r remove prop Assoc remove prop Mul_distr_l remove prop Mul_distr_r remove prop Comm remove prop Unitary remove prop Inverse remove prop Refl remove prop Trans remove prop Antisymm remove prop Total remove prop NonTrivialRing remove prop CompatOrderAdd remove prop ZeroLessOne meta "encoding:kept" type real end theory Bool syntax type bool "bool" syntax function True "true" syntax function False "false" meta "encoding:kept" type bool end theory bool.Bool syntax function andb "(and %1 %2)" syntax function orb "(or %1 %2)" syntax function notb "(not %1)" end theory HighOrd syntax type (->) "(-> %1 %2)" syntax function (@) "(%1 %2)" meta "encoding:lskept" function (@) end theory map.Map syntax function get "(%1 %2)" syntax function ([]) "(%1 %2)" syntax function set "(update %1 (%2) %3)" syntax function ([<-]) "(update %1 (%2) %3)" meta "encoding:lskept" function get meta "encoding:lskept" function set end theory map.Const meta "encoding:lskept" function const end ��������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������why3-1.6.0/drivers/z3.drv���������������������������������������������������������������������������0000664�0000000�0000000�00000003377�14401600263�0015145�0����������������������������������������������������������������������������������������������������ustar�00root����������������������������root����������������������������0000000�0000000������������������������������������������������������������������������������������������������������������������������������������������������������������������������(** Why3 driver for Z3 <= 4.3.1 *) prelude ";; produced by z3.drv ;;" prelude "(set-logic AUFNIRA)" (* A : Array UF : Uninterpreted Function NIRA : NonLinear Integer Reals Arithmetic *) import "smt-libv2.gen" printer "smtv2" import "discrimination.gen" transformation "inline_trivial" transformation "eliminate_builtin" transformation "eliminate_definition" transformation "eliminate_inductive" transformation "eliminate_epsilon" transformation "eliminate_algebraic" transformation "eliminate_literal" transformation "simplify_formula" (* transformation "simplify_trivial_quantification" *) transformation "discriminate" transformation "encoding_smt" (** Error messages specific to Z3 *) outofmemory "(error \".*out of memory\")\\|Cannot allocate memory" steplimitexceeded "Maximal allocation counts .* have been exceeded\\|(error \".*number of configured allocations exceeded\")" timeout "interrupted by timeout" (* stop reporting Z3 2.19 warnings as errors *) fail "^(error \"\\(\\(W\\(A\\(R\\(N\\(I\\(N[^G]\\|[^N]\\)\\|[^I]\\)\\|[^N]\\)\\|[^R]\\)\\|[^A]\\)\\|[^W]\\).*\\)\")" "Error: \\1" (** Extra theories supported by Z3 *) (* div/mod of Z3 seems to be Euclidean Division *) theory int.EuclideanDivision syntax function div "(div %1 %2)" syntax function mod "(mod %1 %2)" remove prop Mod_bound remove prop Div_mod remove prop Mod_1 remove prop Div_1 end theory real.FromInt syntax function from_int "(to_real %1)" remove prop Zero remove prop One remove prop Add remove prop Sub remove prop Mul remove prop Neg end (* does not work: Z3 segfaults theory real.Trigonometry syntax function cos "(cos %1)" syntax function sin "(sin %1)" syntax function pi "pi" syntax function tan "(tan %1)" syntax function atan "(atan %1)" end *) �����������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������why3-1.6.0/drivers/z3_432.drv�����������������������������������������������������������������������0000664�0000000�0000000�00000004374�14401600263�0015533�0����������������������������������������������������������������������������������������������������ustar�00root����������������������������root����������������������������0000000�0000000������������������������������������������������������������������������������������������������������������������������������������������������������������������������(** Why3 driver for Z3 >= 4.3.2 *) (* Do not set any logic, let z3 choose by itself prelude "(set-logic AUFNIRA)" *) prelude ";; produced by z3_432.drv ;;" (* Counterexamples: set model parser *) model_parser "smtv2" import "smt-libv2.gen" printer "smtv2" import "no-bv.gen" import "discrimination.gen" transformation "inline_trivial" transformation "eliminate_builtin" transformation "detect_polymorphism" transformation "eliminate_definition" (* We could keep more definitions by using transformation "eliminate_definition_conditionally" instead, but some proofs are lost (examples/logic/triangle_inequality.why) *) transformation "eliminate_inductive" transformation "eliminate_epsilon" transformation "eliminate_algebraic_if_poly" transformation "eliminate_literal" transformation "simplify_formula" (*transformation "simplify_trivial_quantification"*) (* Prepare for counter-example query: get rid of some quantifiers (makes it possible to query model values of the variables in premises) and introduce counter-example projections *) transformation "prepare_for_counterexmp" transformation "discriminate_if_poly" transformation "encoding_smt_if_poly" (** Error messages specific to Z3 *) outofmemory "(error \".*out of memory\")" outofmemory "Failed to verify: pthread_create" outofmemory "std::bad_alloc" outofmemory "Resource temporarily unavailable" outofmemory "Cannot allocate memory" steplimitexceeded "Maximal allocation counts .* have been exceeded" steplimitexceeded "(error \".*number of configured allocations exceeded\")" timeout "^timeout$" timeout "interrupted by timeout" (** Extra theories supported by Z3 *) (* div/mod of Z3 seems to be Euclidean Division *) theory int.EuclideanDivision syntax function div "(div %1 %2)" syntax function mod "(mod %1 %2)" remove prop Mod_bound remove prop Div_mod remove prop Mod_1 remove prop Div_1 end theory real.FromInt syntax function from_int "(to_real %1)" remove prop Zero remove prop One remove prop Add remove prop Sub remove prop Mul remove prop Neg end (* does not work: Z3 segfaults theory real.Trigonometry syntax function cos "(cos %1)" syntax function sin "(sin %1)" syntax function pi "pi" syntax function tan "(tan %1)" syntax function atan "(atan %1)" end *) ��������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������why3-1.6.0/drivers/z3_440.drv�����������������������������������������������������������������������0000664�0000000�0000000�00000006174�14401600263�0015532�0����������������������������������������������������������������������������������������������������ustar�00root����������������������������root����������������������������0000000�0000000������������������������������������������������������������������������������������������������������������������������������������������������������������������������(** Why3 driver for Z3 >= 4.3.2 *) (* Do not set any logic, let z3 choose by itself prelude "(set-logic AUFNIRA)" *) (* Counterexamples: set model parser *) model_parser "smtv2" import "smt-libv2.gen" printer "smtv2" import "smt-libv2-bv.gen" import "z3_bv.gen" import "smt-libv2-floats.gen" import "discrimination.gen" transformation "inline_trivial" transformation "eliminate_builtin" transformation "remove_unused_keep_constants" transformation "detect_polymorphism" transformation "eliminate_definition_conditionally" transformation "eliminate_inductive" transformation "eliminate_epsilon" transformation "eliminate_algebraic_if_poly" transformation "eliminate_literal" transformation "simplify_formula" (*transformation "simplify_trivial_quantification"*) (* Prepare for counter-example query: get rid of some quantifiers (makes it possible to query model values of the variables in premises) and introduce counter-example projections *) transformation "prepare_for_counterexmp" transformation "discriminate_if_poly" transformation "encoding_smt_if_poly" (** Error messages specific to Z3 *) outofmemory "(error \".*out of memory\")" outofmemory "Failed to verify: pthread_create" outofmemory "std::bad_alloc" outofmemory "Resource temporarily unavailable" outofmemory "Cannot allocate memory" (* not convenient: is more a problem of fork outofmemory "error while loading shared libraries:.*failed to map segment from shared object" *) timeout "^timeout$" timeout "interrupted by timeout" steps ":rlimit-count +\\([0-9]+\\)" 1 steplimitexceeded "Maximal allocation counts [0-9]+ have been exceeded" (** Z3 needs "(push)" to provide models *) theory BuiltIn meta "counterexample_need_smtlib_push" "" end (** Extra theories supported by Z3 *) (* div/mod of Z3 seems to be Euclidean Division *) theory int.EuclideanDivision syntax function div "(div %1 %2)" syntax function mod "(mod %1 %2)" remove prop Mod_bound remove prop Div_mod remove prop Mod_1 remove prop Div_1 end theory int.MinMax remove allprops end theory real.FromInt syntax function from_int "(to_real %1)" remove prop Zero remove prop One remove prop Add remove prop Sub remove prop Mul remove prop Neg end (* does not work: Z3 segfaults theory real.Trigonometry syntax function cos "(cos %1)" syntax function sin "(sin %1)" syntax function pi "pi" syntax function tan "(tan %1)" syntax function atan "(atan %1)" end *) theory ieee_float.Float64 (* check the sign bit; if pos |%1| else |%1| - 2^1025 *) syntax function to_int "(ite (= ((_ extract 1024 1024) ((_ fp.to_sbv 1025) %1 %2)) #b0) (bv2int ((_ fp.to_sbv 1025) %1 %2)) (- (bv2int ((_ fp.to_sbv 1025) %1 %2)) (bv2int (bvshl (_ bv1 1026) (_ bv1025 1026)))))" (* we do not define of_int since z3 will not prove anything if it appears (05/01/2017) *) end theory ieee_float.Float32 (* check the sign bit; if pos |%1| else |%1| - 2^129 *) syntax function to_int "(ite (= ((_ extract 128 128) ((_ fp.to_sbv 129) %1 %2)) #b0) (bv2int ((_ fp.to_sbv 129) %1 %2)) (- (bv2int ((_ fp.to_sbv 129) %1 %2)) (bv2int (bvshl (_ bv1 130) (_ bv129 130)))))" end theory real.Square remove allprops end ����������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������why3-1.6.0/drivers/z3_440_counterexample.drv��������������������������������������������������������0000664�0000000�0000000�00000000144�14401600263�0020634�0����������������������������������������������������������������������������������������������������ustar�00root����������������������������root����������������������������0000000�0000000������������������������������������������������������������������������������������������������������������������������������������������������������������������������ import "z3_440.drv" theory BuiltIn meta "get_counterexmp" "" meta "meta_incremental" "" end ����������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������why3-1.6.0/drivers/z3_471.drv�����������������������������������������������������������������������0000664�0000000�0000000�00000001361�14401600263�0015527�0����������������������������������������������������������������������������������������������������ustar�00root����������������������������root����������������������������0000000�0000000������������������������������������������������������������������������������������������������������������������������������������������������������������������������(** Why3 driver for Z3 >= 4.7.1 *) import "z3_440.drv" import "smtlib-strings.gen" theory string.RegExpr syntax type re "(RegEx String)" syntax function to_re "(str.to.re %1)" syntax predicate in_re "(str.in.re %1 %2)" syntax function concat "(re.++ %1 %2)" syntax function union "(re.union %1 %2)" syntax function inter "(re.inter %1 %2)" syntax function star "(re.* %1)" syntax function plus "(re.+ %1)" syntax function none "re.nostr" syntax function allchar "re.allchar" syntax function opt "(re.opt %1)" syntax function range "(re.range %1 %2)" syntax function power "(re.loop %2 %1 %1)" syntax function loop "(re.loop %3 %1 %2)" end�������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������why3-1.6.0/drivers/z3_471_counterexample.drv��������������������������������������������������������0000664�0000000�0000000�00000000144�14401600263�0020640�0����������������������������������������������������������������������������������������������������ustar�00root����������������������������root����������������������������0000000�0000000������������������������������������������������������������������������������������������������������������������������������������������������������������������������ import "z3_471.drv" theory BuiltIn meta "get_counterexmp" "" meta "meta_incremental" "" end ����������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������why3-1.6.0/drivers/z3_471_nobv.drv������������������������������������������������������������������0000664�0000000�0000000�00000000060�14401600263�0016546�0����������������������������������������������������������������������������������������������������ustar�00root����������������������������root����������������������������0000000�0000000������������������������������������������������������������������������������������������������������������������������������������������������������������������������ import "z3_432.drv" import "smtlib-strings.gen"��������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������why3-1.6.0/drivers/z3_487.drv�����������������������������������������������������������������������0000664�0000000�0000000�00000007710�14401600263�0015542�0����������������������������������������������������������������������������������������������������ustar�00root����������������������������root����������������������������0000000�0000000������������������������������������������������������������������������������������������������������������������������������������������������������������������������(** Why3 driver for Z3 >= 4.8.7 *) (* Do not set any logic, let z3 choose by itself prelude "(set-logic AUFNIRA)" *) (* Counterexamples: set model parser *) model_parser "smtv2" import "smt-libv2.gen" printer "smtv2.6" import "smt-libv2-bv.gen" import "z3_bv.gen" import "smt-libv2-floats.gen" import "discrimination.gen" theory BuiltIn meta "select_alginst_default" "local" meta "eliminate_algebraic" "keep_mono" end transformation "inline_trivial" transformation "eliminate_builtin" transformation "remove_unused_keep_constants" transformation "detect_polymorphism" transformation "eliminate_definition_conditionally" transformation "eliminate_inductive" transformation "eliminate_epsilon" transformation "eliminate_literal" transformation "simplify_formula" (*transformation "simplify_trivial_quantification"*) (* Prepare for counter-example query: get rid of some quantifiers (makes it possible to query model values of the variables in premises) and introduce counter-example projections *) transformation "prepare_for_counterexmp" transformation "eliminate_projections_sums" transformation "discriminate_if_poly" transformation "eliminate_algebraic_if_poly" transformation "encoding_smt_if_poly" (** Error messages specific to Z3 *) outofmemory "(error \".*out of memory\")" outofmemory "Failed to verify: pthread_create" outofmemory "std::bad_alloc" outofmemory "Resource temporarily unavailable" outofmemory "Cannot allocate memory" (* not convenient: is more a problem of fork outofmemory "error while loading shared libraries:.*failed to map segment from shared object" *) timeout "^timeout$" timeout "interrupted by timeout" steps ":rlimit-count +\\([0-9]+\\)" 1 steplimitexceeded "Maximal allocation counts [0-9]+ have been exceeded" (** Z3 needs "(push)" to provide models *) theory BuiltIn meta "counterexample_need_smtlib_push" "" end (** Extra theories supported by Z3 *) (* div/mod of Z3 seems to be Euclidean Division *) theory int.EuclideanDivision syntax function div "(div %1 %2)" syntax function mod "(mod %1 %2)" remove prop Mod_bound remove prop Div_mod remove prop Mod_1 remove prop Div_1 end theory int.MinMax remove allprops end theory real.FromInt syntax function from_int "(to_real %1)" remove prop Zero remove prop One remove prop Add remove prop Sub remove prop Mul remove prop Neg end (* does not work: Z3 segfaults theory real.Trigonometry syntax function cos "(cos %1)" syntax function sin "(sin %1)" syntax function pi "pi" syntax function tan "(tan %1)" syntax function atan "(atan %1)" end *) theory ieee_float.Float64 (* check the sign bit; if pos |%1| else |%1| - 2^1025 *) syntax function to_int "(ite (= ((_ extract 1024 1024) ((_ fp.to_sbv 1025) %1 %2)) #b0) (bv2int ((_ fp.to_sbv 1025) %1 %2)) (- (bv2int ((_ fp.to_sbv 1025) %1 %2)) (bv2int (bvshl (_ bv1 1026) (_ bv1025 1026)))))" (* we do not define of_int since z3 will not prove anything if it appears (05/01/2017) *) end theory ieee_float.Float32 (* check the sign bit; if pos |%1| else |%1| - 2^129 *) syntax function to_int "(ite (= ((_ extract 128 128) ((_ fp.to_sbv 129) %1 %2)) #b0) (bv2int ((_ fp.to_sbv 129) %1 %2)) (- (bv2int ((_ fp.to_sbv 129) %1 %2)) (bv2int (bvshl (_ bv1 130) (_ bv129 130)))))" end theory real.Square remove allprops end import "smtlib-strings.gen" theory string.RegExpr syntax type re "(RegEx String)" syntax function to_re "(str.to.re %1)" syntax predicate in_re "(str.in.re %1 %2)" syntax function concat "(re.++ %1 %2)" syntax function union "(re.union %1 %2)" syntax function inter "(re.inter %1 %2)" syntax function star "(re.* %1)" syntax function plus "(re.+ %1)" syntax function none "re.nostr" syntax function allchar "re.allchar" syntax function opt "(re.opt %1)" syntax function range "(re.range %1 %2)" syntax function power "(re.loop %2 %1 %1)" syntax function loop "(re.loop %3 %1 %2)" end��������������������������������������������������������why3-1.6.0/drivers/z3_487_counterexample.drv��������������������������������������������������������0000664�0000000�0000000�00000000144�14401600263�0020647�0����������������������������������������������������������������������������������������������������ustar�00root����������������������������root����������������������������0000000�0000000������������������������������������������������������������������������������������������������������������������������������������������������������������������������ import "z3_487.drv" theory BuiltIn meta "get_counterexmp" "" meta "meta_incremental" "" end ����������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������why3-1.6.0/drivers/z3_bv.gen������������������������������������������������������������������������0000664�0000000�0000000�00000002437�14401600263�0015606�0����������������������������������������������������������������������������������������������������ustar�00root����������������������������root����������������������������0000000�0000000������������������������������������������������������������������������������������������������������������������������������������������������������������������������(* bitvector modules, is not in smt-libv2.gen since cvc4 and z3 don't have the same name for the function to_uint *) theory bv.BV_Gen syntax function to_uint "(bv2int %1)" end theory bv.BV256 (* mapping of_int to int2bv is disabled because it breaks proofs in examples/queens_bv, examples/bitwalker *) (* syntax function of_int "((_ int2bv 256) %1)" *) syntax function t'int "(bv2int %1)" remove prop Nth_bv_is_nth remove prop Nth_bv_is_nth2 end theory bv.BV128 (* syntax function of_int "((_ int2bv 128) %1)" *) syntax function t'int "(bv2int %1)" remove prop Nth_bv_is_nth remove prop Nth_bv_is_nth2 end theory bv.BV64 (* syntax function of_int "((_ int2bv 64) %1)" *) syntax function t'int "(bv2int %1)" remove prop Nth_bv_is_nth remove prop Nth_bv_is_nth2 end theory bv.BV32 (* syntax function of_int "((_ int2bv 32) %1)" *) syntax function t'int "(bv2int %1)" remove prop Nth_bv_is_nth remove prop Nth_bv_is_nth2 end theory bv.BV16 (* syntax function of_int "((_ int2bv 16) %1)" *) syntax function t'int "(bv2int %1)" remove prop Nth_bv_is_nth remove prop Nth_bv_is_nth2 end theory bv.BV8 (* syntax function of_int "((_ int2bv 8) %1)" *) syntax function t'int "(bv2int %1)" remove prop Nth_bv_is_nth remove prop Nth_bv_is_nth2 end ���������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������why3-1.6.0/drivers/z3_smtv1.drv���������������������������������������������������������������������0000664�0000000�0000000�00000005607�14401600263�0016275�0����������������������������������������������������������������������������������������������������ustar�00root����������������������������root����������������������������0000000�0000000������������������������������������������������������������������������������������������������������������������������������������������������������������������������(* Why driver for SMT syntax *) prelude ";;; this is a prelude for Z3" printer "smtv1" filename "%f-%t-%g.smt" valid "^unsat" unknown "^\\(unknown\\|sat\\|Fail\\)" "" time "why3cpulimit time : %s s" transformation "inline_trivial" transformation "eliminate_builtin" transformation "eliminate_definition" transformation "eliminate_inductive" transformation "eliminate_epsilon" transformation "eliminate_algebraic" transformation "eliminate_literal" transformation "simplify_formula" (*transformation "simplify_trivial_quantification"*) transformation "encoding_smt" theory BuiltIn syntax type int "Int" syntax type real "Real" syntax predicate (=) "(= %1 %2)" meta "encoding:kept" type int end theory int.Int prelude ";;; this is a prelude for Z3 integer arithmetic" syntax function zero "0" syntax function one "1" syntax function (+) "(+ %1 %2)" syntax function (-) "(- %1 %2)" syntax function (*) "(* %1 %2)" syntax function (-_) "(- %1)" syntax predicate (<=) "(<= %1 %2)" syntax predicate (<) "(< %1 %2)" syntax predicate (>=) "(>= %1 %2)" syntax predicate (>) "(> %1 %2)" remove prop MulComm.Comm remove prop MulAssoc.Assoc remove prop Unit_def_l remove prop Unit_def_r remove prop Inv_def_l remove prop Inv_def_r remove prop Assoc remove prop Mul_distr_l remove prop Mul_distr_r remove prop Comm remove prop Unitary remove prop Refl remove prop Trans remove prop Antisymm remove prop Total remove prop NonTrivialRing remove prop CompatOrderAdd remove prop ZeroLessOne end theory real.Real prelude ";;; this is a prelude for Z3 real arithmetic" syntax function zero "0.0" syntax function one "1.0" syntax function (+) "(+ %1 %2)" syntax function (-) "(- %1 %2)" syntax function (*) "(* %1 %2)" syntax function (/) "(/ %1 %2)" syntax function (-_) "(- %1)" syntax function inv "(/ 1.0 %1)" syntax predicate (<=) "(<= %1 %2)" syntax predicate (<) "(< %1 %2)" syntax predicate (>=) "(>= %1 %2)" syntax predicate (>) "(> %1 %2)" remove prop MulComm.Comm remove prop MulAssoc.Assoc remove prop Unit_def_l remove prop Unit_def_r remove prop Inv_def_l remove prop Inv_def_r remove prop Assoc remove prop Mul_distr_l remove prop Mul_distr_r remove prop Comm remove prop Unitary remove prop Inverse remove prop Refl remove prop Trans remove prop Antisymm remove prop Total remove prop NonTrivialRing remove prop CompatOrderAdd remove prop ZeroLessOne meta "encoding:kept" type real end (* (* L'encodage des types sommes bloquent cette théorie builtin *) theory Bool syntax type bool "bool" syntax function True "true" syntax function False "false" meta "encoding_decorate:kept" type bool end theory bool.Bool syntax function andb "(and %1 %2)" syntax function orb "(or %1 %2)" syntax function xorb "(xor %1 %2)" syntax function notb "(not %1)" end *) �������������������������������������������������������������������������������������������������������������������������why3-1.6.0/drivers/zenon.drv������������������������������������������������������������������������0000664�0000000�0000000�00000001517�14401600263�0015734�0����������������������������������������������������������������������������������������������������ustar�00root����������������������������root����������������������������0000000�0000000������������������������������������������������������������������������������������������������������������������������������������������������������������������������(* Why driver for first-order tptp provers *) printer "tptp-fof" filename "%f-%t-%g.p" valid "PROOF-FOUND" timeout "Zenon error: could not find a proof within the time limit" outofmemory "Zenon error: could not find a proof within the memory size limit" unknown "NO-PROOF" "no proof found" time "why3cpulimit time : %s s" (* to be improved *) transformation "inline_trivial" transformation "eliminate_builtin" transformation "eliminate_definition" transformation "eliminate_inductive" transformation "eliminate_if" transformation "eliminate_epsilon" transformation "eliminate_algebraic" transformation "eliminate_literal" transformation "eliminate_let" transformation "discriminate" transformation "encoding_tptp" theory BuiltIn syntax predicate (=) "(%1 = %2)" meta "eliminate_algebraic" "no_index" end import "discrimination.gen" ���������������������������������������������������������������������������������������������������������������������������������������������������������������������������������why3-1.6.0/drivers/zenon_modulo.drv�����������������������������������������������������������������0000664�0000000�0000000�00000015506�14401600263�0017316�0����������������������������������������������������������������������������������������������������ustar�00root����������������������������root����������������������������0000000�0000000������������������������������������������������������������������������������������������������������������������������������������������������������������������������(* Why driver for first-order tptp provers *) printer "tptp-tff1" filename "%f-%t-%g.p" valid "PROOF-FOUND" timeout "Zenon error: could not find a proof within the time limit" outofmemory "Zenon error: could not find a proof within the memory size limit" unknown "NO-PROOF" "no proof found" time "why3cpulimit time : %s s" (* to be improved *) transformation "inline_trivial" transformation "eliminate_builtin" transformation "eliminate_definition" transformation "eliminate_inductive" transformation "eliminate_if" transformation "eliminate_epsilon" transformation "eliminate_algebraic" transformation "eliminate_literal" transformation "eliminate_let" theory BuiltIn syntax predicate (=) "(%1 = %2)" syntax type int "$int" syntax type real "$real" meta "eliminate_algebraic" "no_index" end theory int.Int syntax function zero "0" syntax function one "1" syntax function (+) "$sum(%1,%2)" syntax function (-) "$difference(%1,%2)" syntax function (*) "$product(%1,%2)" syntax function (-_) "$uminus(%1)" syntax predicate (<=) "$lesseq(%1,%2)" syntax predicate (<) "$less(%1,%2)" syntax predicate (>=) "$greatereq(%1,%2)" syntax predicate (>) "$greater(%1,%2)" remove prop MulComm.Comm remove prop MulAssoc.Assoc remove prop Unit_def_l remove prop Unit_def_r remove prop Inv_def_l remove prop Inv_def_r remove prop Assoc remove prop Mul_distr_l remove prop Mul_distr_r remove prop Comm remove prop Unitary remove prop Refl remove prop Trans remove prop Antisymm remove prop Total remove prop NonTrivialRing remove prop CompatOrderAdd remove prop ZeroLessOne end theory real.Real syntax function zero "0.0" syntax function one "1.0" syntax function (+) "$sum(%1,%2)" syntax function (-) "$difference(%1,%2)" syntax function (*) "$product(%1,%2)" syntax function (-_) "$uminus(%1)" syntax function (/) "$quotient(%1,%2)" syntax function inv "$quotient(1.0,%1)" syntax predicate (<=) "$lesseq(%1,%2)" syntax predicate (<) "$less(%1,%2)" syntax predicate (>=) "$greatereq(%1,%2)" syntax predicate (>) "$greater(%1,%2)" remove prop MulComm.Comm remove prop MulAssoc.Assoc remove prop Unit_def_l remove prop Unit_def_r remove prop Inv_def_l remove prop Inv_def_r remove prop Assoc remove prop Mul_distr_l remove prop Mul_distr_r remove prop Comm remove prop Unitary remove prop Inverse remove prop Refl remove prop Trans remove prop Antisymm remove prop Total remove prop NonTrivialRing remove prop CompatOrderAdd remove prop ZeroLessOne end theory int.EuclideanDivision syntax function div "$quotient_e(%1,%2)" syntax function mod "$remainder_e(%1,%2)" remove prop Div_mod remove prop Div_bound remove prop Mod_bound remove prop Mod_1 remove prop Div_1 remove prop Div_inf remove prop Div_inf_neg remove prop Mod_0 remove prop Div_1_left remove prop Div_minus1_left remove prop Mod_1_left remove prop Mod_minus1_left end theory tptp.Univ syntax type iType "$i" end theory tptp.IntTrunc syntax function floor "$floor(%1)" syntax function ceiling "$ceiling(%1)" syntax function truncate "$truncate(%1)" syntax function round "$round(%1)" syntax function to_int "$to_int(%1)" syntax predicate is_int "$is_int(%1)" syntax predicate is_rat "$is_rat(%1)" end theory tptp.IntDivT syntax function div_t "$quotient_t(%1,%2)" syntax function mod_t "$remainder_t(%1,%2)" end theory tptp.IntDivF syntax function div_f "$quotient_f(%1,%2)" syntax function mod_f "$remainder_f(%1,%2)" end theory tptp.Rat syntax type rat "$rat" syntax function zero "0/1" syntax function one "1/1" syntax function (+) "$sum(%1,%2)" syntax function (-) "$difference(%1,%2)" syntax function (*) "$product(%1,%2)" syntax function (-_) "$uminus(%1)" syntax function (/) "$quotient(%1,%2)" syntax function inv "$quotient(1/1,%1)" syntax predicate (<=) "$lesseq(%1,%2)" syntax predicate (<) "$less(%1,%2)" syntax predicate (>=) "$greatereq(%1,%2)" syntax predicate (>) "$greater(%1,%2)" syntax function to_rat "$to_rat(%1)" syntax predicate is_int "$is_int(%1)" syntax predicate is_rat "$is_rat(%1)" remove prop MulComm.Comm remove prop MulAssoc.Assoc remove prop Unit_def_l remove prop Unit_def_r remove prop Inv_def_l remove prop Inv_def_r remove prop Assoc remove prop Mul_distr_l remove prop Mul_distr_r remove prop Comm remove prop Unitary remove prop Refl remove prop Trans remove prop Antisymm remove prop Total remove prop NonTrivialRing remove prop CompatOrderAdd remove prop ZeroLessOne end theory tptp.RatTrunc syntax function floor "$floor(%1)" syntax function ceiling "$ceiling(%1)" syntax function truncate "$truncate(%1)" syntax function round "$round(%1)" syntax function to_int "$to_int(%1)" end theory tptp.RatDivE syntax function div "$quotient_e(%1,%2)" syntax function mod "$remainder_e(%1,%2)" end theory tptp.RatDivT syntax function div_t "$quotient_t(%1,%2)" syntax function mod_t "$remainder_t(%1,%2)" end theory tptp.RatDivF syntax function div_f "$quotient_f(%1,%2)" syntax function mod_f "$remainder_f(%1,%2)" end theory tptp.Real syntax function to_real "$to_real(%1)" end theory real.FromInt syntax function from_int "$to_real(%1)" remove prop Zero remove prop One remove prop Add remove prop Sub remove prop Mul remove prop Neg end theory real.Truncate syntax function floor "$to_int(%1)" syntax function ceil "$to_int($ceiling(%1))" syntax function truncate "$to_int($truncate(%1))" remove prop Truncate_int remove prop Truncate_down_pos remove prop Truncate_up_neg remove prop Real_of_truncate remove prop Truncate_monotonic remove prop Truncate_monotonic_int1 remove prop Truncate_monotonic_int2 remove prop Floor_int remove prop Ceil_int remove prop Floor_down remove prop Ceil_up remove prop Floor_monotonic remove prop Ceil_monotonic end theory tptp.RealTrunc syntax function floor "$floor(%1)" syntax function ceiling "$ceiling(%1)" syntax function truncate "$truncate(%1)" syntax function round "$round(%1)" syntax function to_int "$to_int(%1)" syntax predicate is_int "$is_int(%1)" syntax predicate is_rat "$is_rat(%1)" end theory tptp.RealDivE syntax function div "$quotient_e(%1,%2)" syntax function mod "$remainder_e(%1,%2)" end theory tptp.RealDivT syntax function div_t "$quotient_t(%1,%2)" syntax function mod_t "$remainder_t(%1,%2)" end theory tptp.RealDivF syntax function div_f "$quotient_f(%1,%2)" syntax function mod_f "$remainder_f(%1,%2)" end theory tptp.IntToRat syntax function to_rat "$to_rat(%1)" end theory tptp.IntToReal syntax function to_real "$to_real(%1)" end theory tptp.RealToRat syntax function to_rat "$to_rat(%1)" end theory tptp.RatToReal syntax function to_real "$to_real(%1)" end ������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������why3-1.6.0/examples/��������������������������������������������������������������������������������0000775�0000000�0000000�00000000000�14401600263�0014222�5����������������������������������������������������������������������������������������������������ustar�00root����������������������������root����������������������������0000000�0000000������������������������������������������������������������������������������������������������������������������������������������������������������������������������why3-1.6.0/examples/TODO����������������������������������������������������������������������������0000664�0000000�0000000�00000000711�14401600263�0014711�0����������������������������������������������������������������������������������������������������ustar�00root����������������������������root����������������������������0000000�0000000������������������������������������������������������������������������������������������������������������������������������������������������������������������������bag.mlw bellman_ford.mlw bignum.mlw counting_sort.mlw cursor.mlw dijkstra.mlw find.mlw gcd.mlw hashtbl_impl.mlw kmp.mlw knuth_prime_numbers.mlw koda_ruskey.mlw linked_list_rev.mlw optimal_replay.mlw queens.mlw random_access_list.mlw sum_of_digits.mlw topological_sorting.mlw tortoise_and_hare.mlw tree_height.mlw verifythis_fm2012_treedel.mlw verifythis_PrefixSumRec.mlw vstte10_inverting.mlw vstte10_search_list.mlw vstte12_bfs.mlw vstte12_combinators.mlw �������������������������������������������������������why3-1.6.0/examples/WP_revisited/�������������������������������������������������������������������0000775�0000000�0000000�00000000000�14401600263�0016626�5����������������������������������������������������������������������������������������������������ustar�00root����������������������������root����������������������������0000000�0000000������������������������������������������������������������������������������������������������������������������������������������������������������������������������why3-1.6.0/examples/WP_revisited/blocking_semantics5.mlw��������������������������������������������0000664�0000000�0000000�00000051574�14401600263�0023306�0����������������������������������������������������������������������������������������������������ustar�00root����������������������������root����������������������������0000000�0000000������������������������������������������������������������������������������������������������������������������������������������������������������������������������ (** {1 A certified WP calculus} *) (** {2 Formalisation d’un langage impératif jouet} *) (** {3 Syntaxe} *) theory Syntax use export bool.Bool use export int.Int (** types and values *) type datatype = TYunit | TYint | TYbool type value = Vvoid | Vint int | Vbool bool (** terms and formulas *) type operator = Oplus | Ominus | Omult | Ole (** ident for mutable variables *) type mident lemma mident_decide : forall m1 m2: mident. m1 = m2 \/ m1 <> m2 (** ident for immutable variables *) type ident lemma ident_decide : forall m1 m2: ident. m1 = m2 \/ m1 <> m2 (** Terms *) type term = | Tvalue value | Tvar ident | Tderef mident | Tbin term operator term (** Formulas *) type fmla = | Fterm term | Fand fmla fmla | Fnot fmla | Fimplies fmla fmla | Flet ident term fmla (* let id = term in fmla *) | Fforall ident datatype fmla (* forall id : ty, fmla *) (** Statements *) type stmt = | Sskip | Sassign mident term | Sseq stmt stmt | Sif term stmt stmt | Sassert fmla | Swhile term fmla stmt (* while cond invariant inv body *) lemma decide_is_skip: forall s:stmt. s = Sskip \/ s <> Sskip end (** {3 Semantique Operationnelle} *) theory SemOp use export Syntax use map.Map as IdMap use export list.List (** Operational semantic *) type env = IdMap.map mident value (* map global mutable variables to their value *) function get_env (i:mident) (e:env) : value = IdMap.get e i type stack = list (ident, value) (* map local immutable variables to their value *) function get_stack (i:ident) (pi:stack) : value = match pi with | Nil -> Vvoid | Cons (x,v) r -> if x=i then v else get_stack i r end lemma get_stack_eq: forall x:ident, v:value, r:stack. get_stack x (Cons (x,v) r) = v lemma get_stack_neq: forall x i:ident, v:value, r:stack. x <> i -> get_stack i (Cons (x,v) r) = get_stack i r (** semantics of formulas *) function eval_bin (x:value) (op:operator) (y:value) : value = match x,y with | Vint x,Vint y -> match op with | Oplus -> Vint (x+y) | Ominus -> Vint (x-y) | Omult -> Vint (x*y) | Ole -> Vbool (if x <= y then True else False) end | _,_ -> Vvoid end function eval_term (sigma:env) (pi:stack) (t:term) : value = match t with | Tvalue v -> v | Tvar id -> get_stack id pi | Tderef id -> get_env id sigma | Tbin t1 op t2 -> eval_bin (eval_term sigma pi t1) op (eval_term sigma pi t2) end predicate eval_fmla (sigma:env) (pi:stack) (f:fmla) = match f with | Fterm t -> eval_term sigma pi t = Vbool True | Fand f1 f2 -> eval_fmla sigma pi f1 /\ eval_fmla sigma pi f2 | Fnot f -> not (eval_fmla sigma pi f) | Fimplies f1 f2 -> eval_fmla sigma pi f1 -> eval_fmla sigma pi f2 | Flet x t f -> eval_fmla sigma (Cons (x,eval_term sigma pi t) pi) f | Fforall x TYint f -> forall n:int. eval_fmla sigma (Cons (x,Vint n) pi) f | Fforall x TYbool f -> forall b:bool. eval_fmla sigma (Cons (x,Vbool b) pi) f | Fforall x TYunit f -> eval_fmla sigma (Cons (x,Vvoid) pi) f end (** `valid_fmla f` is true when `f` is valid in any environment *) predicate valid_fmla (p:fmla) = forall sigma:env, pi:stack. eval_fmla sigma pi p (** small-steps semantics for statements *) inductive one_step env stack stmt env stack stmt = | one_step_assign : forall sigma sigma':env, pi:stack, x:mident, t:term. sigma' = IdMap.set sigma x (eval_term sigma pi t) -> one_step sigma pi (Sassign x t) sigma' pi Sskip | one_step_seq_noskip: forall sigma sigma':env, pi pi':stack, s1 s1' s2:stmt. one_step sigma pi s1 sigma' pi' s1' -> one_step sigma pi (Sseq s1 s2) sigma' pi' (Sseq s1' s2) | one_step_seq_skip: forall sigma:env, pi:stack, s:stmt. one_step sigma pi (Sseq Sskip s) sigma pi s | one_step_if_true: forall sigma:env, pi:stack, t:term, s1 s2:stmt. eval_term sigma pi t = Vbool True -> one_step sigma pi (Sif t s1 s2) sigma pi s1 | one_step_if_false: forall sigma:env, pi:stack, t:term, s1 s2:stmt. eval_term sigma pi t = Vbool False -> one_step sigma pi (Sif t s1 s2) sigma pi s2 | one_step_assert: forall sigma:env, pi:stack, f:fmla. eval_fmla sigma pi f -> (** blocking semantics *) one_step sigma pi (Sassert f) sigma pi Sskip | one_step_while_true: forall sigma:env, pi:stack, cond:term, inv:fmla, body:stmt. eval_fmla sigma pi inv /\ (** blocking semantics *) eval_term sigma pi cond = Vbool True -> one_step sigma pi (Swhile cond inv body) sigma pi (Sseq body (Swhile cond inv body)) | one_step_while_false: forall sigma:env, pi:stack, cond:term, inv:fmla, body:stmt. eval_fmla sigma pi inv /\ (** blocking semantics *) eval_term sigma pi cond = Vbool False -> one_step sigma pi (Swhile cond inv body) sigma pi Sskip (** many steps of execution *) inductive many_steps env stack stmt env stack stmt int = | many_steps_refl: forall sigma:env, pi:stack, s:stmt. many_steps sigma pi s sigma pi s 0 | many_steps_trans: forall sigma1 sigma2 sigma3:env, pi1 pi2 pi3:stack, s1 s2 s3:stmt, n:int. one_step sigma1 pi1 s1 sigma2 pi2 s2 -> many_steps sigma2 pi2 s2 sigma3 pi3 s3 n -> many_steps sigma1 pi1 s1 sigma3 pi3 s3 (n+1) lemma steps_non_neg: forall sigma1 sigma2:env, pi1 pi2:stack, s1 s2:stmt, n:int. many_steps sigma1 pi1 s1 sigma2 pi2 s2 n -> n >= 0 predicate reductible (sigma:env) (pi:stack) (s:stmt) = exists sigma':env, pi':stack, s':stmt. one_step sigma pi s sigma' pi' s' end theory TestSemantics use SemOp use map.Const function my_sigma : env = Const.const (Vint 0) constant x : ident constant y : mident function my_pi : stack = Cons (x, Vint 42) Nil goal Test13 : eval_term my_sigma my_pi (Tvalue (Vint 13)) = Vint 13 goal Test42 : eval_term my_sigma my_pi (Tvar x) = Vint 42 goal Test0 : eval_term my_sigma my_pi (Tderef y) = Vint 0 goal Test55 : eval_term my_sigma my_pi (Tbin (Tvar x) Oplus (Tvalue (Vint 13))) = Vint 55 goal Ass42 : forall sigma':env, pi':stack. one_step my_sigma my_pi (Sassign y (Tvalue (Vint 42))) sigma' pi' Sskip -> IdMap.get sigma' y = Vint 42 goal If42 : forall sigma1 sigma2:env, pi1 pi2:stack, s:stmt. one_step my_sigma my_pi (Sif (Tbin (Tderef y) Ole (Tvalue (Vint 10))) (Sassign y (Tvalue (Vint 13))) (Sassign y (Tvalue (Vint 42)))) sigma1 pi1 s -> one_step sigma1 pi1 s sigma2 pi2 Sskip -> IdMap.get sigma2 y = Vint 13 end (** {3 Typage} *) theory Typing use export Syntax use map.Map as IdMap use export list.List function type_value (v:value) : datatype = match v with | Vvoid -> TYunit | Vint _ -> TYint | Vbool _ -> TYbool end inductive type_operator (op:operator) (ty1 ty2 ty: datatype) = | Type_plus : type_operator Oplus TYint TYint TYint | Type_minus : type_operator Ominus TYint TYint TYint | Type_mult : type_operator Omult TYint TYint TYint | Type_le : type_operator Ole TYint TYint TYbool type type_stack = list (ident, datatype) (* map local immutable variables to their type *) function get_vartype (i:ident) (pi:type_stack) : datatype = match pi with | Nil -> TYunit | Cons (x,ty) r -> if x=i then ty else get_vartype i r end type type_env = IdMap.map mident datatype (* map global mutable variables to their type *) function get_reftype (i:mident) (e:type_env) : datatype = IdMap.get e i inductive type_term type_env type_stack term datatype = | Type_value : forall sigma: type_env, pi:type_stack, v:value. type_term sigma pi (Tvalue v) (type_value v) | Type_var : forall sigma: type_env, pi:type_stack, v: ident, ty:datatype. (get_vartype v pi = ty) -> type_term sigma pi (Tvar v) ty | Type_deref : forall sigma: type_env, pi:type_stack, v: mident, ty:datatype. (get_reftype v sigma = ty) -> type_term sigma pi (Tderef v) ty | Type_bin : forall sigma: type_env, pi:type_stack, t1 t2 : term, op:operator, ty1 ty2 ty:datatype. type_term sigma pi t1 ty1 /\ type_term sigma pi t2 ty2 /\ type_operator op ty1 ty2 ty -> type_term sigma pi (Tbin t1 op t2) ty inductive type_fmla type_env type_stack fmla = | Type_term : forall sigma: type_env, pi:type_stack, t:term. type_term sigma pi t TYbool -> type_fmla sigma pi (Fterm t) | Type_conj : forall sigma: type_env, pi:type_stack, f1 f2:fmla. type_fmla sigma pi f1 /\ type_fmla sigma pi f2 -> type_fmla sigma pi (Fand f1 f2) | Type_neg : forall sigma: type_env, pi:type_stack, f:fmla. type_fmla sigma pi f -> type_fmla sigma pi (Fnot f) | Type_implies : forall sigma: type_env, pi:type_stack, f1 f2:fmla. type_fmla sigma pi f1 -> type_fmla sigma pi f2 -> type_fmla sigma pi (Fimplies f1 f2) | Type_let : forall sigma: type_env, pi:type_stack, x:ident, t:term, f:fmla, ty:datatype. type_term sigma pi t ty -> type_fmla sigma (Cons (x,ty) pi) f -> type_fmla sigma pi (Flet x t f) | Type_forall : forall sigma: type_env, pi:type_stack, x:ident, f:fmla, ty:datatype. type_fmla sigma (Cons (x,ty) pi) f -> type_fmla sigma pi (Fforall x ty f) inductive type_stmt type_env type_stack stmt = | Type_skip : forall sigma: type_env, pi:type_stack. type_stmt sigma pi Sskip | Type_seq : forall sigma: type_env, pi:type_stack, s1 s2:stmt. type_stmt sigma pi s1 -> type_stmt sigma pi s2 -> type_stmt sigma pi (Sseq s1 s2) | Type_assigns : forall sigma: type_env, pi:type_stack, x:mident, t:term, ty:datatype. (get_reftype x sigma = ty) -> type_term sigma pi t ty -> type_stmt sigma pi (Sassign x t) | Type_if : forall sigma: type_env, pi:type_stack, t:term, s1 s2:stmt. type_term sigma pi t TYbool -> type_stmt sigma pi s1 -> type_stmt sigma pi s2 -> type_stmt sigma pi (Sif t s1 s2) | Type_assert : forall sigma: type_env, pi:type_stack, p:fmla. type_fmla sigma pi p -> type_stmt sigma pi (Sassert p) | Type_while : forall sigma: type_env, pi:type_stack, cond:term, body:stmt, inv:fmla. type_fmla sigma pi inv -> type_term sigma pi cond TYbool -> type_stmt sigma pi body -> type_stmt sigma pi (Swhile cond inv body) end (** {3 Relations entre typage et semantique operationnelle} *) theory TypingAndSemantics use SemOp use Typing (* inductive compatible datatype value = | Compatible_bool : forall b: bool. compatible TYbool (Vbool b) | Compatible_int : forall n: int. compatible TYint (Vint n) | Compatible_void : compatible TYunit Vvoid *) predicate compatible_env (sigma:env) (sigmat:type_env) (pi:stack) (pit: type_stack) = (forall id: mident. type_value (get_env id sigma) = get_reftype id sigmat) /\ (forall id: ident. type_value (get_stack id pi) = get_vartype id pit) lemma type_inversion : forall v [@induction]:value. match (type_value v) with | TYbool -> exists b: bool. v = Vbool b | TYint -> exists n: int. v = Vint n | TYunit -> v = Vvoid end lemma eval_type_term: forall t:term, sigma:env, pi:stack, sigmat:type_env, pit:type_stack, ty:datatype. compatible_env sigma sigmat pi pit -> type_term sigmat pit t ty -> type_value (eval_term sigma pi t) = ty lemma type_preservation : forall s1 s2:stmt, sigma1 sigma2:env, pi1 pi2:stack, sigmat:type_env, pit:type_stack. type_stmt sigmat pit s1 -> compatible_env sigma1 sigmat pi1 pit -> ([@induction] one_step sigma1 pi1 s1 sigma2 pi2 s2) -> type_stmt sigmat pit s2 /\ compatible_env sigma2 sigmat pi2 pit end (** {2 Problématique des variables fraîches} *) theory FreshVariables use SemOp use list.Append lemma Cons_append: forall a: 'a, l1 l2: list 'a. Cons a (l1 ++ l2) = (Cons a l1) ++ l2 lemma Append_nil_l: forall l: list 'a. Nil ++ l = l (** substitution of a reference `x` by a logic variable `v` warning: proper behavior only guaranted if `v` is fresh *) function msubst_term (t:term) (x:mident) (v:ident) : term = match t with | Tvalue _ | Tvar _ -> t | Tderef y -> if x = y then Tvar v else t | Tbin t1 op t2 -> Tbin (msubst_term t1 x v) op (msubst_term t2 x v) end function msubst (f:fmla) (x:mident) (v:ident) : fmla = match f with | Fterm e -> Fterm (msubst_term e x v) | Fand f1 f2 -> Fand (msubst f1 x v) (msubst f2 x v) | Fnot f -> Fnot (msubst f x v) | Fimplies f1 f2 -> Fimplies (msubst f1 x v) (msubst f2 x v) | Flet y t f -> Flet y (msubst_term t x v) (msubst f x v) | Fforall y ty f -> Fforall y ty (msubst f x v) end (** `fresh_in_term id t` is true when `id` does not occur in `t` *) predicate fresh_in_term (id:ident) (t:term) = match t with | Tvalue _ | Tderef _ -> true | Tvar i -> id <> i | Tbin t1 _ t2 -> fresh_in_term id t1 /\ fresh_in_term id t2 end predicate fresh_in_fmla (id:ident) (f:fmla) = match f with | Fterm e -> fresh_in_term id e | Fand f1 f2 | Fimplies f1 f2 -> fresh_in_fmla id f1 /\ fresh_in_fmla id f2 | Fnot f -> fresh_in_fmla id f | Flet y t f -> id <> y /\ fresh_in_term id t /\ fresh_in_fmla id f | Fforall y _ f -> id <> y /\ fresh_in_fmla id f end (* Needed for monotonicity and wp_reduction *) lemma eval_msubst_term: forall e [@induction]:term, sigma:env, pi:stack, x:mident, v:ident. fresh_in_term v e -> eval_term sigma pi (msubst_term e x v) = eval_term (IdMap.set sigma x (get_stack v pi)) pi e lemma eval_msubst: forall f [@induction]:fmla, sigma:env, pi:stack, x:mident, v:ident. fresh_in_fmla v f -> (eval_fmla sigma pi (msubst f x v) <-> eval_fmla (IdMap.set sigma x (get_stack v pi)) pi f) lemma eval_swap_term: forall t [@induction]:term, sigma:env, pi l:stack, id1 id2:ident, v1 v2:value. id1 <> id2 -> (eval_term sigma (l++(Cons (id1,v1) (Cons (id2,v2) pi))) t = eval_term sigma (l++(Cons (id2,v2) (Cons (id1,v1) pi))) t) lemma eval_swap_gen: forall f [@induction]:fmla, sigma:env, pi l:stack, id1 id2:ident, v1 v2:value. id1 <> id2 -> (eval_fmla sigma (l++(Cons (id1,v1) (Cons (id2,v2) pi))) f <-> eval_fmla sigma (l++(Cons (id2,v2) (Cons (id1,v1) pi))) f) lemma eval_swap: forall f:fmla, sigma:env, pi:stack, id1 id2:ident, v1 v2:value. id1 <> id2 -> (eval_fmla sigma (Cons (id1,v1) (Cons (id2,v2) pi)) f <-> eval_fmla sigma (Cons (id2,v2) (Cons (id1,v1) pi)) f) lemma eval_term_change_free : forall t [@induction]:term, sigma:env, pi:stack, id:ident, v:value. fresh_in_term id t -> eval_term sigma (Cons (id,v) pi) t = eval_term sigma pi t (* Need it for monotonicity*) lemma eval_change_free : forall f [@induction]:fmla, sigma:env, pi:stack, id:ident, v:value. fresh_in_fmla id f -> (eval_fmla sigma (Cons (id,v) pi) f <-> eval_fmla sigma pi f) end (** {2 Hoare logic} *) theory HoareLogic use Syntax use SemOp use FreshVariables (* Used by Hoare_logic/seq_rule*) lemma many_steps_seq: forall n:int, sigma1 sigma3:env, pi1 pi3:stack, s1 s2:stmt. many_steps sigma1 pi1 (Sseq s1 s2) sigma3 pi3 Sskip n -> exists sigma2:env, pi2:stack, n1 n2:int. many_steps sigma1 pi1 s1 sigma2 pi2 Sskip n1 /\ many_steps sigma2 pi2 s2 sigma3 pi3 Sskip n2 /\ n = 1 + n1 + n2 (** partial correctness *) predicate valid_triple (p:fmla) (s:stmt) (q:fmla) = forall sigma:env, pi:stack. eval_fmla sigma pi p -> forall sigma':env, pi':stack, n:int. many_steps sigma pi s sigma' pi' Sskip n -> eval_fmla sigma' pi' q (*** total correctness *) predicate total_valid_triple (p:fmla) (s:stmt) (q:fmla) = forall sigma:env, pi:stack. eval_fmla sigma pi p -> exists sigma':env, pi':stack, n:int. many_steps sigma pi s sigma' pi' Sskip n /\ eval_fmla sigma' pi' q (** Hoare logic rules (partial correctness) *) lemma consequence_rule: forall p p' q q':fmla, s:stmt. valid_fmla (Fimplies p' p) -> valid_triple p s q -> valid_fmla (Fimplies q q') -> valid_triple p' s q' lemma skip_rule: forall q:fmla. valid_triple q Sskip q lemma assign_rule: forall p:fmla, x:mident, id:ident, t:term. fresh_in_fmla id p -> valid_triple (Flet id t (msubst p x id)) (Sassign x t) p lemma seq_rule: forall p q r:fmla, s1 s2:stmt. valid_triple p s1 r /\ valid_triple r s2 q -> valid_triple p (Sseq s1 s2) q lemma if_rule: forall t:term, p q:fmla, s1 s2:stmt. valid_triple (Fand p (Fterm t)) s1 q /\ valid_triple (Fand p (Fnot (Fterm t))) s2 q -> valid_triple p (Sif t s1 s2) q lemma assert_rule: forall f p:fmla. valid_fmla (Fimplies p f) -> valid_triple p (Sassert f) p lemma assert_rule_ext: forall f p:fmla. valid_triple (Fimplies f p) (Sassert f) p lemma while_rule: forall e:term, inv:fmla, i:stmt. valid_triple (Fand (Fterm e) inv) i inv -> valid_triple inv (Swhile e inv i) (Fand (Fnot (Fterm e)) inv) end (** {2 WP calculus} *) theory WP use SemOp use Typing use TypingAndSemantics use FreshVariables function fresh_from (f:fmla) : ident (* Need it for monotonicity*) axiom fresh_from_fmla: forall f:fmla. fresh_in_fmla (fresh_from f) f (* intention: abstract_effects s f = "forall w. f" avec w = writes(s) *) function abstract_effects (s:stmt) (f:fmla) : fmla (* hypothese 1: si sigma, pi |= forall w. f alors sigma, pi |= f *) axiom abstract_effects_specialize : forall sigma:env, pi:stack, s:stmt, f:fmla. eval_fmla sigma pi (abstract_effects s f) -> eval_fmla sigma pi f (* hypothese 2: si sigma, pi |= (forall w, p) /\ (forall w, q) alors sigma, pi |= forall w, (f /\ q) *) axiom abstract_effects_distrib_conj : forall s:stmt, p q:fmla, sigma:env, pi:stack. eval_fmla sigma pi (abstract_effects s p) /\ eval_fmla sigma pi (abstract_effects s q) -> eval_fmla sigma pi (abstract_effects s (Fand p q)) (* hypothese 3: si |= p -> q alors |= (forall w, p) -> (forall w, q) remarque : il est essentiel de parler de validité dans tous les etats: on n'a pas sigma,pi |= p -> q implique sigma,pi |= (forall w, p) -> (forall w, q) contre-exemple: sigma(x) = 42 alors true -> x=42 mais on n'a (forall x, true) -> (forall x, x=42) *) axiom abstract_effects_monotonic : forall s:stmt, p q:fmla. valid_fmla (Fimplies p q) -> forall sigma:env, pi:stack. eval_fmla sigma pi (abstract_effects s p) -> eval_fmla sigma pi (abstract_effects s q) function wp (s:stmt) (q:fmla) : fmla = match s with | Sskip -> q | Sassert f -> (* asymmetric and *) Fand f (Fimplies f q) | Sseq s1 s2 -> wp s1 (wp s2 q) | Sassign x t -> let id = fresh_from q in Flet id t (msubst q x id) | Sif t s1 s2 -> Fand (Fimplies (Fterm t) (wp s1 q)) (Fimplies (Fnot (Fterm t)) (wp s2 q)) | Swhile cond inv body -> Fand inv (abstract_effects body (Fand (Fimplies (Fand (Fterm cond) inv) (wp body inv)) (Fimplies (Fand (Fnot (Fterm cond)) inv) q))) end axiom abstract_effects_writes : forall sigma:env, pi:stack, body:stmt, cond:term, inv q:fmla. let f = (abstract_effects body (Fand (Fimplies (Fand (Fterm cond) inv) (wp body inv)) (Fimplies (Fand (Fnot (Fterm cond)) inv) q))) in eval_fmla sigma pi f -> eval_fmla sigma pi (wp body f) lemma monotonicity: forall s [@induction]:stmt, p q:fmla. valid_fmla (Fimplies p q) -> valid_fmla (Fimplies (wp s p) (wp s q) ) (* remarque l'ordre des quantifications est essentiel, on n'a pas sigma,pi |= p -> q implique sigma,pi |= (wp s p) -> (wp s q) meme contre-exemple: sigma(x) = 42 alors true -> x=42 mais wp (x := 7) true = true wp (x := 7) x=42 = 7=42 *) lemma distrib_conj: forall s [@induction]:stmt, sigma:env, pi:stack, p q:fmla. (eval_fmla sigma pi (wp s p)) /\ (eval_fmla sigma pi (wp s q)) -> eval_fmla sigma pi (wp s (Fand p q)) lemma wp_preserved_by_reduction: forall sigma sigma':env, pi pi':stack, s s':stmt. one_step sigma pi s sigma' pi' s' -> forall q:fmla. eval_fmla sigma pi (wp s q) -> eval_fmla sigma' pi' (wp s' q) lemma progress: forall s [@induction]:stmt, sigma:env, pi:stack, sigmat: type_env, pit: type_stack, q:fmla. compatible_env sigma sigmat pi pit -> type_stmt sigmat pit s -> eval_fmla sigma pi (wp s q) -> s <> Sskip -> reductible sigma pi s (** {3 main soundness result} *) lemma wp_soundness: forall n:int, sigma sigma':env, pi pi':stack, s s':stmt, sigmat: type_env, pit: type_stack, q:fmla. compatible_env sigma sigmat pi pit -> type_stmt sigmat pit s -> many_steps sigma pi s sigma' pi' s' n /\ not (reductible sigma' pi' s') /\ eval_fmla sigma pi (wp s q) -> s' = Sskip /\ eval_fmla sigma' pi' q end (*** Local Variables: compile-command: "why3ide blocking_semantics5.mlw" End: *) ������������������������������������������������������������������������������������������������������������������������������������why3-1.6.0/examples/WP_revisited/blocking_semantics5/�����������������������������������������������0000775�0000000�0000000�00000000000�14401600263�0022551�5����������������������������������������������������������������������������������������������������ustar�00root����������������������������root����������������������������0000000�0000000������������������������������������������������������������������������������������������������������������������������������������������������������������������������why3-1.6.0/examples/WP_revisited/blocking_semantics5/blocking_semantics5_HoareLogic_while_rule_1.v��0000664�0000000�0000000�00000034232�14401600263�0033422�0����������������������������������������������������������������������������������������������������ustar�00root����������������������������root����������������������������0000000�0000000������������������������������������������������������������������������������������������������������������������������������������������������������������������������(* This file is generated by Why3's Coq driver *) (* Beware! Only edit allowed sections below *) Require Import BuiltIn. Require BuiltIn. Require bool.Bool. Require int.Int. Require map.Map. Require list.List. Require list.Length. Require list.Mem. Require list.Append. (* Why3 assumption *) Inductive datatype := | TYunit : datatype | TYint : datatype | TYbool : datatype. Axiom datatype_WhyType : WhyType datatype. Existing Instance datatype_WhyType. (* Why3 assumption *) Inductive value := | Vvoid : value | Vint : Z -> value | Vbool : bool -> value. Axiom value_WhyType : WhyType value. Existing Instance value_WhyType. (* Why3 assumption *) Inductive operator := | Oplus : operator | Ominus : operator | Omult : operator | Ole : operator. Axiom operator_WhyType : WhyType operator. Existing Instance operator_WhyType. Axiom mident : Type. Parameter mident_WhyType : WhyType mident. Existing Instance mident_WhyType. Axiom mident_decide : forall (m1:mident) (m2:mident), (m1 = m2) \/ ~ (m1 = m2). Axiom ident : Type. Parameter ident_WhyType : WhyType ident. Existing Instance ident_WhyType. Axiom ident_decide : forall (m1:ident) (m2:ident), (m1 = m2) \/ ~ (m1 = m2). (* Why3 assumption *) Inductive term := | Tvalue : value -> term | Tvar : ident -> term | Tderef : mident -> term | Tbin : term -> operator -> term -> term. Axiom term_WhyType : WhyType term. Existing Instance term_WhyType. (* Why3 assumption *) Inductive fmla := | Fterm : term -> fmla | Fand : fmla -> fmla -> fmla | Fnot : fmla -> fmla | Fimplies : fmla -> fmla -> fmla | Flet : ident -> term -> fmla -> fmla | Fforall : ident -> datatype -> fmla -> fmla. Axiom fmla_WhyType : WhyType fmla. Existing Instance fmla_WhyType. (* Why3 assumption *) Inductive stmt := | Sskip : stmt | Sassign : mident -> term -> stmt | Sseq : stmt -> stmt -> stmt | Sif : term -> stmt -> stmt -> stmt | Sassert : fmla -> stmt | Swhile : term -> fmla -> stmt -> stmt. Axiom stmt_WhyType : WhyType stmt. Existing Instance stmt_WhyType. Axiom decide_is_skip : forall (s:stmt), (s = Sskip) \/ ~ (s = Sskip). (* Why3 assumption *) Definition env := (map.Map.map mident value). (* Why3 assumption *) Definition stack := (list (ident* value)%type). Parameter get_stack: ident -> (list (ident* value)%type) -> value. Axiom get_stack_def : forall (i:ident) (pi:(list (ident* value)%type)), match pi with | Nil => ((get_stack i pi) = Vvoid) | (Cons (x, v) r) => ((x = i) -> ((get_stack i pi) = v)) /\ ((~ (x = i)) -> ((get_stack i pi) = (get_stack i r))) end. Axiom get_stack_eq : forall (x:ident) (v:value) (r:(list (ident* value)%type)), ((get_stack x (Cons (x, v) r)) = v). Axiom get_stack_neq : forall (x:ident) (i:ident) (v:value) (r:(list (ident* value)%type)), (~ (x = i)) -> ((get_stack i (Cons (x, v) r)) = (get_stack i r)). Parameter eval_bin: value -> operator -> value -> value. Axiom eval_bin_def : forall (x:value) (op:operator) (y:value), match (x, y) with | ((Vint x1), (Vint y1)) => match op with | Oplus => ((eval_bin x op y) = (Vint (x1 + y1)%Z)) | Ominus => ((eval_bin x op y) = (Vint (x1 - y1)%Z)) | Omult => ((eval_bin x op y) = (Vint (x1 * y1)%Z)) | Ole => ((x1 <= y1)%Z -> ((eval_bin x op y) = (Vbool true))) /\ ((~ (x1 <= y1)%Z) -> ((eval_bin x op y) = (Vbool false))) end | (_, _) => ((eval_bin x op y) = Vvoid) end. (* Why3 assumption *) Fixpoint eval_term(sigma:(map mident value)) (pi:(list (ident* value)%type)) (t:term) {struct t}: value := match t with | (Tvalue v) => v | (Tvar id) => (get_stack id pi) | (Tderef id) => (get sigma id) | (Tbin t1 op t2) => (eval_bin (eval_term sigma pi t1) op (eval_term sigma pi t2)) end. (* Why3 assumption *) Fixpoint eval_fmla(sigma:(map mident value)) (pi:(list (ident* value)%type)) (f:fmla) {struct f}: Prop := match f with | (Fterm t) => ((eval_term sigma pi t) = (Vbool true)) | (Fand f1 f2) => (eval_fmla sigma pi f1) /\ (eval_fmla sigma pi f2) | (Fnot f1) => ~ (eval_fmla sigma pi f1) | (Fimplies f1 f2) => (eval_fmla sigma pi f1) -> (eval_fmla sigma pi f2) | (Flet x t f1) => (eval_fmla sigma (Cons (x, (eval_term sigma pi t)) pi) f1) | (Fforall x TYint f1) => forall (n:Z), (eval_fmla sigma (Cons (x, (Vint n)) pi) f1) | (Fforall x TYbool f1) => forall (b:bool), (eval_fmla sigma (Cons (x, (Vbool b)) pi) f1) | (Fforall x TYunit f1) => (eval_fmla sigma (Cons (x, Vvoid) pi) f1) end. (* Why3 assumption *) Definition valid_fmla(p:fmla): Prop := forall (sigma:(map mident value)) (pi:(list (ident* value)%type)), (eval_fmla sigma pi p). (* Why3 assumption *) Inductive one_step : (map mident value) -> (list (ident* value)%type) -> stmt -> (map mident value) -> (list (ident* value)%type) -> stmt -> Prop := | one_step_assign : forall (sigma:(map mident value)) (sigma':(map mident value)) (pi:(list (ident* value)%type)) (x:mident) (t:term), (sigma' = (set sigma x (eval_term sigma pi t))) -> (one_step sigma pi (Sassign x t) sigma' pi Sskip) | one_step_seq_noskip : forall (sigma:(map mident value)) (sigma':(map mident value)) (pi:(list (ident* value)%type)) (pi':(list (ident* value)%type)) (s1:stmt) (s1':stmt) (s2:stmt), (one_step sigma pi s1 sigma' pi' s1') -> (one_step sigma pi (Sseq s1 s2) sigma' pi' (Sseq s1' s2)) | one_step_seq_skip : forall (sigma:(map mident value)) (pi:(list (ident* value)%type)) (s:stmt), (one_step sigma pi (Sseq Sskip s) sigma pi s) | one_step_if_true : forall (sigma:(map mident value)) (pi:(list (ident* value)%type)) (t:term) (s1:stmt) (s2:stmt), ((eval_term sigma pi t) = (Vbool true)) -> (one_step sigma pi (Sif t s1 s2) sigma pi s1) | one_step_if_false : forall (sigma:(map mident value)) (pi:(list (ident* value)%type)) (t:term) (s1:stmt) (s2:stmt), ((eval_term sigma pi t) = (Vbool false)) -> (one_step sigma pi (Sif t s1 s2) sigma pi s2) | one_step_assert : forall (sigma:(map mident value)) (pi:(list (ident* value)%type)) (f:fmla), (eval_fmla sigma pi f) -> (one_step sigma pi (Sassert f) sigma pi Sskip) | one_step_while_true : forall (sigma:(map mident value)) (pi:(list (ident* value)%type)) (cond:term) (inv:fmla) (body:stmt), ((eval_fmla sigma pi inv) /\ ((eval_term sigma pi cond) = (Vbool true))) -> (one_step sigma pi (Swhile cond inv body) sigma pi (Sseq body (Swhile cond inv body))) | one_step_while_false : forall (sigma:(map mident value)) (pi:(list (ident* value)%type)) (cond:term) (inv:fmla) (body:stmt), ((eval_fmla sigma pi inv) /\ ((eval_term sigma pi cond) = (Vbool false))) -> (one_step sigma pi (Swhile cond inv body) sigma pi Sskip). (* Why3 assumption *) Inductive many_steps : (map mident value) -> (list (ident* value)%type) -> stmt -> (map mident value) -> (list (ident* value)%type) -> stmt -> Z -> Prop := | many_steps_refl : forall (sigma:(map mident value)) (pi:(list (ident* value)%type)) (s:stmt), (many_steps sigma pi s sigma pi s 0%Z) | many_steps_trans : forall (sigma1:(map mident value)) (sigma2:(map mident value)) (sigma3:(map mident value)) (pi1:(list (ident* value)%type)) (pi2:(list (ident* value)%type)) (pi3:(list (ident* value)%type)) (s1:stmt) (s2:stmt) (s3:stmt) (n:Z), (one_step sigma1 pi1 s1 sigma2 pi2 s2) -> ((many_steps sigma2 pi2 s2 sigma3 pi3 s3 n) -> (many_steps sigma1 pi1 s1 sigma3 pi3 s3 (n + 1%Z)%Z)). Axiom steps_non_neg : forall (sigma1:(map mident value)) (sigma2:(map mident value)) (pi1:(list (ident* value)%type)) (pi2:(list (ident* value)%type)) (s1:stmt) (s2:stmt) (n:Z), (many_steps sigma1 pi1 s1 sigma2 pi2 s2 n) -> (0%Z <= n)%Z. (* Why3 assumption *) Definition reductible(sigma:(map mident value)) (pi:(list (ident* value)%type)) (s:stmt): Prop := exists sigma':(map mident value), exists pi':(list (ident* value)%type), exists s':stmt, (one_step sigma pi s sigma' pi' s'). (* Why3 assumption *) Fixpoint fresh_in_term(x:ident) (t:term) {struct t}: Prop := match t with | (Tvalue _) => True | (Tvar i) => ~ (x = i) | (Tderef _) => True | (Tbin t1 _ t2) => (fresh_in_term x t1) /\ (fresh_in_term x t2) end. (* Why3 assumption *) Fixpoint fresh_in_fmla(id:ident) (f:fmla) {struct f}: Prop := match f with | (Fterm e) => (fresh_in_term id e) | ((Fand f1 f2)|(Fimplies f1 f2)) => (fresh_in_fmla id f1) /\ (fresh_in_fmla id f2) | (Fnot f1) => (fresh_in_fmla id f1) | (Flet y t f1) => (~ (id = y)) /\ ((fresh_in_term id t) /\ (fresh_in_fmla id f1)) | (Fforall y ty f1) => (~ (id = y)) /\ (fresh_in_fmla id f1) end. Parameter msubst_term: term -> mident -> ident -> term. Axiom msubst_term_def : forall (t:term) (r:mident) (v:ident), match t with | ((Tvalue _)|(Tvar _)) => ((msubst_term t r v) = t) | (Tderef x) => ((r = x) -> ((msubst_term t r v) = (Tvar v))) /\ ((~ (r = x)) -> ((msubst_term t r v) = t)) | (Tbin t1 op t2) => ((msubst_term t r v) = (Tbin (msubst_term t1 r v) op (msubst_term t2 r v))) end. (* Why3 assumption *) Fixpoint msubst(f:fmla) (x:mident) (v:ident) {struct f}: fmla := match f with | (Fterm e) => (Fterm (msubst_term e x v)) | (Fand f1 f2) => (Fand (msubst f1 x v) (msubst f2 x v)) | (Fnot f1) => (Fnot (msubst f1 x v)) | (Fimplies f1 f2) => (Fimplies (msubst f1 x v) (msubst f2 x v)) | (Flet y t f1) => (Flet y (msubst_term t x v) (msubst f1 x v)) | (Fforall y ty f1) => (Fforall y ty (msubst f1 x v)) end. Axiom eval_msubst_term : forall (e:term) (sigma:(map mident value)) (pi:(list (ident* value)%type)) (x:mident) (v:ident), (fresh_in_term v e) -> ((eval_term sigma pi (msubst_term e x v)) = (eval_term (set sigma x (get_stack v pi)) pi e)). Axiom eval_msubst : forall (f:fmla) (sigma:(map mident value)) (pi:(list (ident* value)%type)) (x:mident) (v:ident), (fresh_in_fmla v f) -> ((eval_fmla sigma pi (msubst f x v)) <-> (eval_fmla (set sigma x (get_stack v pi)) pi f)). Axiom eval_swap_term : forall (t:term) (sigma:(map mident value)) (pi:(list (ident* value)%type)) (l:(list (ident* value)%type)) (id1:ident) (id2:ident) (v1:value) (v2:value), (~ (id1 = id2)) -> ((eval_term sigma (infix_plpl l (Cons (id1, v1) (Cons (id2, v2) pi))) t) = (eval_term sigma (infix_plpl l (Cons (id2, v2) (Cons (id1, v1) pi))) t)). Axiom eval_swap : forall (f:fmla) (sigma:(map mident value)) (pi:(list (ident* value)%type)) (l:(list (ident* value)%type)) (id1:ident) (id2:ident) (v1:value) (v2:value), (~ (id1 = id2)) -> ((eval_fmla sigma (infix_plpl l (Cons (id1, v1) (Cons (id2, v2) pi))) f) <-> (eval_fmla sigma (infix_plpl l (Cons (id2, v2) (Cons (id1, v1) pi))) f)). Axiom eval_term_change_free : forall (t:term) (sigma:(map mident value)) (pi:(list (ident* value)%type)) (id:ident) (v:value), (fresh_in_term id t) -> ((eval_term sigma (Cons (id, v) pi) t) = (eval_term sigma pi t)). Axiom eval_change_free : forall (f:fmla) (id:ident) (v:value), (fresh_in_fmla id f) -> forall (sigma:(map mident value)) (pi:(list (ident* value)%type)), (eval_fmla sigma (Cons (id, v) pi) f) <-> (eval_fmla sigma pi f). Axiom many_steps_seq : forall (sigma1:(map mident value)) (sigma3:(map mident value)) (pi1:(list (ident* value)%type)) (pi3:(list (ident* value)%type)) (s1:stmt) (s2:stmt) (n:Z), (many_steps sigma1 pi1 (Sseq s1 s2) sigma3 pi3 Sskip n) -> exists sigma2:(map mident value), exists pi2:(list (ident* value)%type), exists n1:Z, exists n2:Z, (many_steps sigma1 pi1 s1 sigma2 pi2 Sskip n1) /\ ((many_steps sigma2 pi2 s2 sigma3 pi3 Sskip n2) /\ (n = ((1%Z + n1)%Z + n2)%Z)). (* Why3 assumption *) Definition valid_triple(p:fmla) (s:stmt) (q:fmla): Prop := forall (sigma:(map mident value)) (pi:(list (ident* value)%type)), (eval_fmla sigma pi p) -> forall (sigma':(map mident value)) (pi':(list (ident* value)%type)) (n:Z), (many_steps sigma pi s sigma' pi' Sskip n) -> (eval_fmla sigma' pi' q). (* Why3 assumption *) Definition total_valid_triple(p:fmla) (s:stmt) (q:fmla): Prop := forall (sigma:(map mident value)) (pi:(list (ident* value)%type)), (eval_fmla sigma pi p) -> exists sigma':(map mident value), exists pi':(list (ident* value)%type), exists n:Z, (many_steps sigma pi s sigma' pi' Sskip n) /\ (eval_fmla sigma' pi' q). Axiom consequence_rule : forall (p:fmla) (p':fmla) (q:fmla) (q':fmla) (s:stmt), (valid_fmla (Fimplies p' p)) -> ((valid_triple p s q) -> ((valid_fmla (Fimplies q q')) -> (valid_triple p' s q'))). Axiom skip_rule : forall (q:fmla), (valid_triple q Sskip q). Axiom assign_rule : forall (p:fmla) (x:mident) (id:ident) (t:term), (fresh_in_fmla id p) -> (valid_triple (Flet id t (msubst p x id)) (Sassign x t) p). Axiom seq_rule : forall (p:fmla) (q:fmla) (r:fmla) (s1:stmt) (s2:stmt), ((valid_triple p s1 r) /\ (valid_triple r s2 q)) -> (valid_triple p (Sseq s1 s2) q). Axiom if_rule : forall (t:term) (p:fmla) (q:fmla) (s1:stmt) (s2:stmt), ((valid_triple (Fand p (Fterm t)) s1 q) /\ (valid_triple (Fand p (Fnot (Fterm t))) s2 q)) -> (valid_triple p (Sif t s1 s2) q). Axiom assert_rule : forall (f:fmla) (p:fmla), (valid_fmla (Fimplies p f)) -> (valid_triple p (Sassert f) p). Axiom assert_rule_ext : forall (f:fmla) (p:fmla), (valid_triple (Fimplies f p) (Sassert f) p). (* Why3 goal *) Theorem while_rule : forall (e:term) (inv:fmla) (i:stmt), (valid_triple (Fand (Fterm e) inv) i inv) -> (valid_triple inv (Swhile e inv i) (Fand (Fnot (Fterm e)) inv)). unfold valid_triple. intros e inv i Hinv_preserved. intros s p Hinv_init s' p' n Hred. generalize (steps_non_neg _ _ _ _ _ _ _ Hred); intro Hn_pos. generalize Hred; clear Hred. generalize s p Hinv_init; clear s p Hinv_init. apply Z_lt_induction with (P := fun n => forall s p, eval_fmla s p inv -> many_steps s p (Swhile e inv i) s' p' Sskip n -> eval_fmla s' p' (Fand (Fnot (Fterm e)) inv) ); auto. intros. inversion H1; subst; clear H1. inversion H2; subst; clear H2. destruct H11 as (H4 & H5). (* case cond true *) generalize (many_steps_seq _ _ _ _ _ _ _ H3). intros (s3 & p3 & n1 & n2 & h1 & h2 & h3). apply H with (3:=h2); auto. generalize (steps_non_neg _ _ _ _ _ _ _ h1). generalize (steps_non_neg _ _ _ _ _ _ _ h2). now (auto with zarith). apply Hinv_preserved with (2:=h1); simpl; auto. (* case cond false *) inversion H3; subst. destruct H11 as (H4 & H5). simpl; rewrite H5; intuition. discriminate. now inversion H1. Qed. ����������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������why3-1.6.0/examples/WP_revisited/blocking_semantics5/blocking_semantics5_SemOp_steps_non_neg_1.v����0000664�0000000�0000000�00000021605�14401600263�0033133�0����������������������������������������������������������������������������������������������������ustar�00root����������������������������root����������������������������0000000�0000000������������������������������������������������������������������������������������������������������������������������������������������������������������������������(* This file is generated by Why3's Coq driver *) (* Beware! Only edit allowed sections below *) Require Import BuiltIn. Require BuiltIn. Require int.Int. (* Why3 assumption *) Inductive datatype := | TYunit : datatype | TYint : datatype | TYbool : datatype . Axiom datatype_WhyType : WhyType datatype. Existing Instance datatype_WhyType. (* Why3 assumption *) Inductive value := | Vvoid : value | Vint : Z -> value | Vbool : bool -> value . Axiom value_WhyType : WhyType value. Existing Instance value_WhyType. (* Why3 assumption *) Inductive operator := | Oplus : operator | Ominus : operator | Omult : operator | Ole : operator . Axiom operator_WhyType : WhyType operator. Existing Instance operator_WhyType. Axiom mident : Type. Parameter mident_WhyType : WhyType mident. Existing Instance mident_WhyType. Axiom mident_decide : forall (m1:mident) (m2:mident), (m1 = m2) \/ ~ (m1 = m2). Axiom ident : Type. Parameter ident_WhyType : WhyType ident. Existing Instance ident_WhyType. Axiom ident_decide : forall (m1:ident) (m2:ident), (m1 = m2) \/ ~ (m1 = m2). (* Why3 assumption *) Inductive term := | Tvalue : value -> term | Tvar : ident -> term | Tderef : mident -> term | Tbin : term -> operator -> term -> term . Axiom term_WhyType : WhyType term. Existing Instance term_WhyType. (* Why3 assumption *) Inductive fmla := | Fterm : term -> fmla | Fand : fmla -> fmla -> fmla | Fnot : fmla -> fmla | Fimplies : fmla -> fmla -> fmla | Flet : ident -> term -> fmla -> fmla | Fforall : ident -> datatype -> fmla -> fmla . Axiom fmla_WhyType : WhyType fmla. Existing Instance fmla_WhyType. (* Why3 assumption *) Inductive stmt := | Sskip : stmt | Sassign : mident -> term -> stmt | Sseq : stmt -> stmt -> stmt | Sif : term -> stmt -> stmt -> stmt | Sassert : fmla -> stmt | Swhile : term -> fmla -> stmt -> stmt . Axiom stmt_WhyType : WhyType stmt. Existing Instance stmt_WhyType. Axiom decide_is_skip : forall (s:stmt), (s = Sskip) \/ ~ (s = Sskip). Axiom map : forall (a:Type) {a_WT:WhyType a} (b:Type) {b_WT:WhyType b}, Type. Parameter map_WhyType : forall (a:Type) {a_WT:WhyType a} (b:Type) {b_WT:WhyType b}, WhyType (map a b). Existing Instance map_WhyType. Parameter get: forall {a:Type} {a_WT:WhyType a} {b:Type} {b_WT:WhyType b}, (map a b) -> a -> b. Parameter set: forall {a:Type} {a_WT:WhyType a} {b:Type} {b_WT:WhyType b}, (map a b) -> a -> b -> (map a b). Axiom Select_eq : forall {a:Type} {a_WT:WhyType a} {b:Type} {b_WT:WhyType b}, forall (m:(map a b)), forall (a1:a) (a2:a), forall (b1:b), (a1 = a2) -> ((get (set m a1 b1) a2) = b1). Axiom Select_neq : forall {a:Type} {a_WT:WhyType a} {b:Type} {b_WT:WhyType b}, forall (m:(map a b)), forall (a1:a) (a2:a), forall (b1:b), (~ (a1 = a2)) -> ((get (set m a1 b1) a2) = (get m a2)). Parameter const: forall {a:Type} {a_WT:WhyType a} {b:Type} {b_WT:WhyType b}, b -> (map a b). Axiom Const : forall {a:Type} {a_WT:WhyType a} {b:Type} {b_WT:WhyType b}, forall (b1:b) (a1:a), ((get (const b1:(map a b)) a1) = b1). (* Why3 assumption *) Inductive list (a:Type) {a_WT:WhyType a} := | Nil : list a | Cons : a -> (list a) -> list a. Axiom list_WhyType : forall (a:Type) {a_WT:WhyType a}, WhyType (list a). Existing Instance list_WhyType. Implicit Arguments Nil [[a] [a_WT]]. Implicit Arguments Cons [[a] [a_WT]]. (* Why3 assumption *) Definition env := (map mident value). (* Why3 assumption *) Definition stack := (list (ident* value)%type). Parameter get_stack: ident -> (list (ident* value)%type) -> value. Axiom get_stack_def : forall (i:ident) (pi:(list (ident* value)%type)), match pi with | Nil => ((get_stack i pi) = Vvoid) | (Cons (x, v) r) => ((x = i) -> ((get_stack i pi) = v)) /\ ((~ (x = i)) -> ((get_stack i pi) = (get_stack i r))) end. Axiom get_stack_eq : forall (x:ident) (v:value) (r:(list (ident* value)%type)), ((get_stack x (Cons (x, v) r)) = v). Axiom get_stack_neq : forall (x:ident) (i:ident) (v:value) (r:(list (ident* value)%type)), (~ (x = i)) -> ((get_stack i (Cons (x, v) r)) = (get_stack i r)). Parameter eval_bin: value -> operator -> value -> value. Axiom eval_bin_def : forall (x:value) (op:operator) (y:value), match (x, y) with | ((Vint x1), (Vint y1)) => match op with | Oplus => ((eval_bin x op y) = (Vint (x1 + y1)%Z)) | Ominus => ((eval_bin x op y) = (Vint (x1 - y1)%Z)) | Omult => ((eval_bin x op y) = (Vint (x1 * y1)%Z)) | Ole => ((x1 <= y1)%Z -> ((eval_bin x op y) = (Vbool true))) /\ ((~ (x1 <= y1)%Z) -> ((eval_bin x op y) = (Vbool false))) end | (_, _) => ((eval_bin x op y) = Vvoid) end. (* Why3 assumption *) Fixpoint eval_term(sigma:(map mident value)) (pi:(list (ident* value)%type)) (t:term) {struct t}: value := match t with | (Tvalue v) => v | (Tvar id) => (get_stack id pi) | (Tderef id) => (get sigma id) | (Tbin t1 op t2) => (eval_bin (eval_term sigma pi t1) op (eval_term sigma pi t2)) end. (* Why3 assumption *) Fixpoint eval_fmla(sigma:(map mident value)) (pi:(list (ident* value)%type)) (f:fmla) {struct f}: Prop := match f with | (Fterm t) => ((eval_term sigma pi t) = (Vbool true)) | (Fand f1 f2) => (eval_fmla sigma pi f1) /\ (eval_fmla sigma pi f2) | (Fnot f1) => ~ (eval_fmla sigma pi f1) | (Fimplies f1 f2) => (eval_fmla sigma pi f1) -> (eval_fmla sigma pi f2) | (Flet x t f1) => (eval_fmla sigma (Cons (x, (eval_term sigma pi t)) pi) f1) | (Fforall x TYint f1) => forall (n:Z), (eval_fmla sigma (Cons (x, (Vint n)) pi) f1) | (Fforall x TYbool f1) => forall (b:bool), (eval_fmla sigma (Cons (x, (Vbool b)) pi) f1) | (Fforall x TYunit f1) => (eval_fmla sigma (Cons (x, Vvoid) pi) f1) end. (* Why3 assumption *) Definition valid_fmla(p:fmla): Prop := forall (sigma:(map mident value)) (pi:(list (ident* value)%type)), (eval_fmla sigma pi p). (* Why3 assumption *) Inductive one_step : (map mident value) -> (list (ident* value)%type) -> stmt -> (map mident value) -> (list (ident* value)%type) -> stmt -> Prop := | one_step_assign : forall (sigma:(map mident value)) (sigma':(map mident value)) (pi:(list (ident* value)%type)) (x:mident) (t:term), (sigma' = (set sigma x (eval_term sigma pi t))) -> (one_step sigma pi (Sassign x t) sigma' pi Sskip) | one_step_seq_noskip : forall (sigma:(map mident value)) (sigma':(map mident value)) (pi:(list (ident* value)%type)) (pi':(list (ident* value)%type)) (s1:stmt) (s1':stmt) (s2:stmt), (one_step sigma pi s1 sigma' pi' s1') -> (one_step sigma pi (Sseq s1 s2) sigma' pi' (Sseq s1' s2)) | one_step_seq_skip : forall (sigma:(map mident value)) (pi:(list (ident* value)%type)) (s:stmt), (one_step sigma pi (Sseq Sskip s) sigma pi s) | one_step_if_true : forall (sigma:(map mident value)) (pi:(list (ident* value)%type)) (t:term) (s1:stmt) (s2:stmt), ((eval_term sigma pi t) = (Vbool true)) -> (one_step sigma pi (Sif t s1 s2) sigma pi s1) | one_step_if_false : forall (sigma:(map mident value)) (pi:(list (ident* value)%type)) (t:term) (s1:stmt) (s2:stmt), ((eval_term sigma pi t) = (Vbool false)) -> (one_step sigma pi (Sif t s1 s2) sigma pi s2) | one_step_assert : forall (sigma:(map mident value)) (pi:(list (ident* value)%type)) (f:fmla), (eval_fmla sigma pi f) -> (one_step sigma pi (Sassert f) sigma pi Sskip) | one_step_while_true : forall (sigma:(map mident value)) (pi:(list (ident* value)%type)) (cond:term) (inv:fmla) (body:stmt), ((eval_fmla sigma pi inv) /\ ((eval_term sigma pi cond) = (Vbool true))) -> (one_step sigma pi (Swhile cond inv body) sigma pi (Sseq body (Swhile cond inv body))) | one_step_while_false : forall (sigma:(map mident value)) (pi:(list (ident* value)%type)) (cond:term) (inv:fmla) (body:stmt), ((eval_fmla sigma pi inv) /\ ((eval_term sigma pi cond) = (Vbool false))) -> (one_step sigma pi (Swhile cond inv body) sigma pi Sskip). (* Why3 assumption *) Inductive many_steps : (map mident value) -> (list (ident* value)%type) -> stmt -> (map mident value) -> (list (ident* value)%type) -> stmt -> Z -> Prop := | many_steps_refl : forall (sigma:(map mident value)) (pi:(list (ident* value)%type)) (s:stmt), (many_steps sigma pi s sigma pi s 0%Z) | many_steps_trans : forall (sigma1:(map mident value)) (sigma2:(map mident value)) (sigma3:(map mident value)) (pi1:(list (ident* value)%type)) (pi2:(list (ident* value)%type)) (pi3:(list (ident* value)%type)) (s1:stmt) (s2:stmt) (s3:stmt) (n:Z), (one_step sigma1 pi1 s1 sigma2 pi2 s2) -> ((many_steps sigma2 pi2 s2 sigma3 pi3 s3 n) -> (many_steps sigma1 pi1 s1 sigma3 pi3 s3 (n + 1%Z)%Z)). (* Why3 goal *) Theorem steps_non_neg : forall (sigma1:(map mident value)) (sigma2:(map mident value)) (pi1:(list (ident* value)%type)) (pi2:(list (ident* value)%type)) (s1:stmt) (s2:stmt) (n:Z), (many_steps sigma1 pi1 s1 sigma2 pi2 s2 n) -> (0%Z <= n)%Z. induction 1; auto with zarith. Qed. ���������������������������������������������������������������������������������������������������������������������������blocking_semantics5_TypingAndSemantics_eval_type_term_1.v�������������������������������������������0000664�0000000�0000000�00000037657�14401600263�0035771�0����������������������������������������������������������������������������������������������������ustar�00root����������������������������root����������������������������0000000�0000000�why3-1.6.0/examples/WP_revisited/blocking_semantics5�������������������������������������������������������������������������������������������������������������������(* This file is generated by Why3's Coq driver *) (* Beware! Only edit allowed sections below *) Require Import BuiltIn. Require BuiltIn. Require HighOrd. Require int.Int. Require map.Map. Require bool.Bool. Require list.List. (* Why3 assumption *) Inductive datatype := | TYunit : datatype | TYint : datatype | TYbool : datatype. Axiom datatype_WhyType : WhyType datatype. Existing Instance datatype_WhyType. (* Why3 assumption *) Inductive value := | Vvoid : value | Vint : Numbers.BinNums.Z -> value | Vbool : Init.Datatypes.bool -> value. Axiom value_WhyType : WhyType value. Existing Instance value_WhyType. (* Why3 assumption *) Inductive operator := | Oplus : operator | Ominus : operator | Omult : operator | Ole : operator. Axiom operator_WhyType : WhyType operator. Existing Instance operator_WhyType. Axiom mident : Type. Parameter mident_WhyType : WhyType mident. Existing Instance mident_WhyType. Axiom mident_decide : forall (m1:mident) (m2:mident), (m1 = m2) \/ ~ (m1 = m2). Axiom ident : Type. Parameter ident_WhyType : WhyType ident. Existing Instance ident_WhyType. Axiom ident_decide : forall (m1:ident) (m2:ident), (m1 = m2) \/ ~ (m1 = m2). (* Why3 assumption *) Inductive term := | Tvalue : value -> term | Tvar : ident -> term | Tderef : mident -> term | Tbin : term -> operator -> term -> term. Axiom term_WhyType : WhyType term. Existing Instance term_WhyType. (* Why3 assumption *) Inductive fmla := | Fterm : term -> fmla | Fand : fmla -> fmla -> fmla | Fnot : fmla -> fmla | Fimplies : fmla -> fmla -> fmla | Flet : ident -> term -> fmla -> fmla | Fforall : ident -> datatype -> fmla -> fmla. Axiom fmla_WhyType : WhyType fmla. Existing Instance fmla_WhyType. (* Why3 assumption *) Inductive stmt := | Sskip : stmt | Sassign : mident -> term -> stmt | Sseq : stmt -> stmt -> stmt | Sif : term -> stmt -> stmt -> stmt | Sassert : fmla -> stmt | Swhile : term -> fmla -> stmt -> stmt. Axiom stmt_WhyType : WhyType stmt. Existing Instance stmt_WhyType. Axiom decide_is_skip : forall (s:stmt), (s = Sskip) \/ ~ (s = Sskip). (* Why3 assumption *) Definition env := mident -> value. (* Why3 assumption *) Definition stack := Init.Datatypes.list (ident* value)%type. Parameter get_stack: ident -> Init.Datatypes.list (ident* value)%type -> value. Axiom get_stack'def : forall (i:ident) (pi:Init.Datatypes.list (ident* value)%type), match pi with | Init.Datatypes.nil => ((get_stack i pi) = Vvoid) | Init.Datatypes.cons (x, v) r => ((x = i) -> ((get_stack i pi) = v)) /\ (~ (x = i) -> ((get_stack i pi) = (get_stack i r))) end. Axiom get_stack_eq : forall (x:ident) (v:value) (r:Init.Datatypes.list (ident* value)%type), ((get_stack x (Init.Datatypes.cons (x, v) r)) = v). Axiom get_stack_neq : forall (x:ident) (i:ident) (v:value) (r:Init.Datatypes.list (ident* value)%type), ~ (x = i) -> ((get_stack i (Init.Datatypes.cons (x, v) r)) = (get_stack i r)). Parameter eval_bin: value -> operator -> value -> value. Axiom eval_bin'def : forall (x:value) (op:operator) (y:value), match (x, y) with | (Vint x1, Vint y1) => match op with | Oplus => ((eval_bin x op y) = (Vint (x1 + y1)%Z)) | Ominus => ((eval_bin x op y) = (Vint (x1 - y1)%Z)) | Omult => ((eval_bin x op y) = (Vint (x1 * y1)%Z)) | Ole => ((x1 <= y1)%Z -> ((eval_bin x op y) = (Vbool Init.Datatypes.true))) /\ (~ (x1 <= y1)%Z -> ((eval_bin x op y) = (Vbool Init.Datatypes.false))) end | (_, _) => ((eval_bin x op y) = Vvoid) end. (* Why3 assumption *) Fixpoint eval_term (sigma:mident -> value) (pi:Init.Datatypes.list (ident* value)%type) (t:term) {struct t}: value := match t with | Tvalue v => v | Tvar id => get_stack id pi | Tderef id => sigma id | Tbin t1 op t2 => eval_bin (eval_term sigma pi t1) op (eval_term sigma pi t2) end. (* Why3 assumption *) Fixpoint eval_fmla (sigma:mident -> value) (pi:Init.Datatypes.list (ident* value)%type) (f:fmla) {struct f}: Prop := match f with | Fterm t => ((eval_term sigma pi t) = (Vbool Init.Datatypes.true)) | Fand f1 f2 => eval_fmla sigma pi f1 /\ eval_fmla sigma pi f2 | Fnot f1 => ~ eval_fmla sigma pi f1 | Fimplies f1 f2 => eval_fmla sigma pi f1 -> eval_fmla sigma pi f2 | Flet x t f1 => eval_fmla sigma (Init.Datatypes.cons (x, eval_term sigma pi t) pi) f1 | Fforall x TYint f1 => forall (n:Numbers.BinNums.Z), eval_fmla sigma (Init.Datatypes.cons (x, Vint n) pi) f1 | Fforall x TYbool f1 => forall (b:Init.Datatypes.bool), eval_fmla sigma (Init.Datatypes.cons (x, Vbool b) pi) f1 | Fforall x TYunit f1 => eval_fmla sigma (Init.Datatypes.cons (x, Vvoid) pi) f1 end. (* Why3 assumption *) Definition valid_fmla (p:fmla) : Prop := forall (sigma:mident -> value) (pi:Init.Datatypes.list (ident* value)%type), eval_fmla sigma pi p. (* Why3 assumption *) Inductive one_step: (mident -> value) -> Init.Datatypes.list (ident* value)%type -> stmt -> (mident -> value) -> Init.Datatypes.list (ident* value)%type -> stmt -> Prop := | one_step_assign : forall (sigma:mident -> value) (sigma':mident -> value) (pi:Init.Datatypes.list (ident* value)%type) (x:mident) (t:term), (sigma' = (map.Map.set sigma x (eval_term sigma pi t))) -> one_step sigma pi (Sassign x t) sigma' pi Sskip | one_step_seq_noskip : forall (sigma:mident -> value) (sigma':mident -> value) (pi:Init.Datatypes.list (ident* value)%type) (pi':Init.Datatypes.list (ident* value)%type) (s1:stmt) (s1':stmt) (s2:stmt), one_step sigma pi s1 sigma' pi' s1' -> one_step sigma pi (Sseq s1 s2) sigma' pi' (Sseq s1' s2) | one_step_seq_skip : forall (sigma:mident -> value) (pi:Init.Datatypes.list (ident* value)%type) (s:stmt), one_step sigma pi (Sseq Sskip s) sigma pi s | one_step_if_true : forall (sigma:mident -> value) (pi:Init.Datatypes.list (ident* value)%type) (t:term) (s1:stmt) (s2:stmt), ((eval_term sigma pi t) = (Vbool Init.Datatypes.true)) -> one_step sigma pi (Sif t s1 s2) sigma pi s1 | one_step_if_false : forall (sigma:mident -> value) (pi:Init.Datatypes.list (ident* value)%type) (t:term) (s1:stmt) (s2:stmt), ((eval_term sigma pi t) = (Vbool Init.Datatypes.false)) -> one_step sigma pi (Sif t s1 s2) sigma pi s2 | one_step_assert : forall (sigma:mident -> value) (pi:Init.Datatypes.list (ident* value)%type) (f:fmla), eval_fmla sigma pi f -> one_step sigma pi (Sassert f) sigma pi Sskip | one_step_while_true : forall (sigma:mident -> value) (pi:Init.Datatypes.list (ident* value)%type) (cond:term) (inv:fmla) (body:stmt), eval_fmla sigma pi inv /\ ((eval_term sigma pi cond) = (Vbool Init.Datatypes.true)) -> one_step sigma pi (Swhile cond inv body) sigma pi (Sseq body (Swhile cond inv body)) | one_step_while_false : forall (sigma:mident -> value) (pi:Init.Datatypes.list (ident* value)%type) (cond:term) (inv:fmla) (body:stmt), eval_fmla sigma pi inv /\ ((eval_term sigma pi cond) = (Vbool Init.Datatypes.false)) -> one_step sigma pi (Swhile cond inv body) sigma pi Sskip. (* Why3 assumption *) Inductive many_steps: (mident -> value) -> Init.Datatypes.list (ident* value)%type -> stmt -> (mident -> value) -> Init.Datatypes.list (ident* value)%type -> stmt -> Numbers.BinNums.Z -> Prop := | many_steps_refl : forall (sigma:mident -> value) (pi:Init.Datatypes.list (ident* value)%type) (s:stmt), many_steps sigma pi s sigma pi s 0%Z | many_steps_trans : forall (sigma1:mident -> value) (sigma2:mident -> value) (sigma3:mident -> value) (pi1:Init.Datatypes.list (ident* value)%type) (pi2:Init.Datatypes.list (ident* value)%type) (pi3:Init.Datatypes.list (ident* value)%type) (s1:stmt) (s2:stmt) (s3:stmt) (n:Numbers.BinNums.Z), one_step sigma1 pi1 s1 sigma2 pi2 s2 -> many_steps sigma2 pi2 s2 sigma3 pi3 s3 n -> many_steps sigma1 pi1 s1 sigma3 pi3 s3 (n + 1%Z)%Z. Axiom steps_non_neg : forall (sigma1:mident -> value) (sigma2:mident -> value) (pi1:Init.Datatypes.list (ident* value)%type) (pi2:Init.Datatypes.list (ident* value)%type) (s1:stmt) (s2:stmt) (n:Numbers.BinNums.Z), many_steps sigma1 pi1 s1 sigma2 pi2 s2 n -> (0%Z <= n)%Z. (* Why3 assumption *) Definition reductible (sigma:mident -> value) (pi:Init.Datatypes.list (ident* value)%type) (s:stmt) : Prop := exists sigma':mident -> value, exists pi': Init.Datatypes.list (ident* value)%type, exists s':stmt, one_step sigma pi s sigma' pi' s'. (* Why3 assumption *) Definition type_value (v:value) : datatype := match v with | Vvoid => TYunit | Vint _ => TYint | Vbool _ => TYbool end. (* Why3 assumption *) Inductive type_operator: operator -> datatype -> datatype -> datatype -> Prop := | Type_plus : type_operator Oplus TYint TYint TYint | Type_minus : type_operator Ominus TYint TYint TYint | Type_mult : type_operator Omult TYint TYint TYint | Type_le : type_operator Ole TYint TYint TYbool. (* Why3 assumption *) Definition type_stack := Init.Datatypes.list (ident* datatype)%type. Parameter get_vartype: ident -> Init.Datatypes.list (ident* datatype)%type -> datatype. Axiom get_vartype'def : forall (i:ident) (pi:Init.Datatypes.list (ident* datatype)%type), match pi with | Init.Datatypes.nil => ((get_vartype i pi) = TYunit) | Init.Datatypes.cons (x, ty) r => ((x = i) -> ((get_vartype i pi) = ty)) /\ (~ (x = i) -> ((get_vartype i pi) = (get_vartype i r))) end. (* Why3 assumption *) Definition type_env := mident -> datatype. (* Why3 assumption *) Inductive type_term: (mident -> datatype) -> Init.Datatypes.list (ident* datatype)%type -> term -> datatype -> Prop := | Type_value : forall (sigma:mident -> datatype) (pi:Init.Datatypes.list (ident* datatype)%type) (v:value), type_term sigma pi (Tvalue v) (type_value v) | Type_var : forall (sigma:mident -> datatype) (pi:Init.Datatypes.list (ident* datatype)%type) (v:ident) (ty:datatype), ((get_vartype v pi) = ty) -> type_term sigma pi (Tvar v) ty | Type_deref : forall (sigma:mident -> datatype) (pi:Init.Datatypes.list (ident* datatype)%type) (v:mident) (ty:datatype), ((sigma v) = ty) -> type_term sigma pi (Tderef v) ty | Type_bin : forall (sigma:mident -> datatype) (pi:Init.Datatypes.list (ident* datatype)%type) (t1:term) (t2:term) (op:operator) (ty1:datatype) (ty2:datatype) (ty:datatype), type_term sigma pi t1 ty1 /\ type_term sigma pi t2 ty2 /\ type_operator op ty1 ty2 ty -> type_term sigma pi (Tbin t1 op t2) ty. (* Why3 assumption *) Inductive type_fmla: (mident -> datatype) -> Init.Datatypes.list (ident* datatype)%type -> fmla -> Prop := | Type_term : forall (sigma:mident -> datatype) (pi:Init.Datatypes.list (ident* datatype)%type) (t:term), type_term sigma pi t TYbool -> type_fmla sigma pi (Fterm t) | Type_conj : forall (sigma:mident -> datatype) (pi:Init.Datatypes.list (ident* datatype)%type) (f1:fmla) (f2:fmla), type_fmla sigma pi f1 /\ type_fmla sigma pi f2 -> type_fmla sigma pi (Fand f1 f2) | Type_neg : forall (sigma:mident -> datatype) (pi:Init.Datatypes.list (ident* datatype)%type) (f:fmla), type_fmla sigma pi f -> type_fmla sigma pi (Fnot f) | Type_implies : forall (sigma:mident -> datatype) (pi:Init.Datatypes.list (ident* datatype)%type) (f1:fmla) (f2:fmla), type_fmla sigma pi f1 -> type_fmla sigma pi f2 -> type_fmla sigma pi (Fimplies f1 f2) | Type_let : forall (sigma:mident -> datatype) (pi:Init.Datatypes.list (ident* datatype)%type) (x:ident) (t:term) (f:fmla) (ty:datatype), type_term sigma pi t ty -> type_fmla sigma (Init.Datatypes.cons (x, ty) pi) f -> type_fmla sigma pi (Flet x t f) | Type_forall : forall (sigma:mident -> datatype) (pi:Init.Datatypes.list (ident* datatype)%type) (x:ident) (f:fmla) (ty:datatype), type_fmla sigma (Init.Datatypes.cons (x, ty) pi) f -> type_fmla sigma pi (Fforall x ty f). (* Why3 assumption *) Inductive type_stmt: (mident -> datatype) -> Init.Datatypes.list (ident* datatype)%type -> stmt -> Prop := | Type_skip : forall (sigma:mident -> datatype) (pi:Init.Datatypes.list (ident* datatype)%type), type_stmt sigma pi Sskip | Type_seq : forall (sigma:mident -> datatype) (pi:Init.Datatypes.list (ident* datatype)%type) (s1:stmt) (s2:stmt), type_stmt sigma pi s1 -> type_stmt sigma pi s2 -> type_stmt sigma pi (Sseq s1 s2) | Type_assigns : forall (sigma:mident -> datatype) (pi:Init.Datatypes.list (ident* datatype)%type) (x:mident) (t:term) (ty:datatype), ((sigma x) = ty) -> type_term sigma pi t ty -> type_stmt sigma pi (Sassign x t) | Type_if : forall (sigma:mident -> datatype) (pi:Init.Datatypes.list (ident* datatype)%type) (t:term) (s1:stmt) (s2:stmt), type_term sigma pi t TYbool -> type_stmt sigma pi s1 -> type_stmt sigma pi s2 -> type_stmt sigma pi (Sif t s1 s2) | Type_assert : forall (sigma:mident -> datatype) (pi:Init.Datatypes.list (ident* datatype)%type) (p:fmla), type_fmla sigma pi p -> type_stmt sigma pi (Sassert p) | Type_while : forall (sigma:mident -> datatype) (pi:Init.Datatypes.list (ident* datatype)%type) (cond:term) (body:stmt) (inv:fmla), type_fmla sigma pi inv -> type_term sigma pi cond TYbool -> type_stmt sigma pi body -> type_stmt sigma pi (Swhile cond inv body). (* Why3 assumption *) Definition compatible_env (sigma:mident -> value) (sigmat:mident -> datatype) (pi:Init.Datatypes.list (ident* value)%type) (pit:Init.Datatypes.list (ident* datatype)%type) : Prop := (forall (id:mident), ((type_value (sigma id)) = (sigmat id))) /\ (forall (id:ident), ((type_value (get_stack id pi)) = (get_vartype id pit))). Axiom type_inversion : forall (v:value), match type_value v with | TYbool => exists b:Init.Datatypes.bool, (v = (Vbool b)) | TYint => exists n:Numbers.BinNums.Z, (v = (Vint n)) | TYunit => (v = Vvoid) end. (* Why3 goal *) Theorem eval_type_term : forall (t:term), forall (x:term) (x1:operator) (x2:term), (t = (Tbin x x1 x2)) -> (forall (sigma:mident -> value) (pi:Init.Datatypes.list (ident* value)%type) (sigmat:mident -> datatype) (pit:Init.Datatypes.list (ident* datatype)%type) (ty:datatype), compatible_env sigma sigmat pi pit -> type_term sigmat pit x2 ty -> ((type_value (eval_term sigma pi x2)) = ty)) -> (forall (sigma:mident -> value) (pi:Init.Datatypes.list (ident* value)%type) (sigmat:mident -> datatype) (pit:Init.Datatypes.list (ident* datatype)%type) (ty:datatype), compatible_env sigma sigmat pi pit -> type_term sigmat pit x ty -> ((type_value (eval_term sigma pi x)) = ty)) -> forall (sigma:mident -> value) (pi:Init.Datatypes.list (ident* value)%type) (sigmat:mident -> datatype) (pit:Init.Datatypes.list (ident* datatype)%type) (ty:datatype), compatible_env sigma sigmat pi pit -> type_term sigmat pit t ty -> ((type_value (eval_term sigma pi t)) = ty). (* Why3 intros t x x1 x2 h1 h2 h3 sigma pi sigmat pit ty h4 h5. *) intros t x x1 x2 H;rewrite H in *;clear H. simpl; intros. inversion H2; subst; clear H2. destruct H9 as (h1 & h2 & h3). generalize (type_inversion (eval_term sigma pi x)). rewrite (H0 sigma pi sigmat pit ty1 H1 h1). generalize (type_inversion (eval_term sigma pi x2)). rewrite (H sigma pi sigmat pit ty2 H1 h2). destruct h3; intros (n2 & hh2) (n1 & hh1); rewrite hh1 ; rewrite hh2. now rewrite (eval_bin'def (Vint n1) Oplus (Vint n2)). now rewrite (eval_bin'def (Vint n1) Ominus (Vint n2)). now rewrite (eval_bin'def (Vint n1) Omult (Vint n2)). generalize (eval_bin'def (Vint n1) Ole (Vint n2)). intros (ha,hb). destruct (Z_le_dec n1 n2) as [ l | l]. now rewrite (ha l). now rewrite (hb l). Qed. ���������������������������������������������������������������������������������why3-1.6.0/examples/WP_revisited/blocking_semantics5/blocking_semantics5_WP_distrib_conj_3.v��������0000664�0000000�0000000�00000051542�14401600263�0032253�0����������������������������������������������������������������������������������������������������ustar�00root����������������������������root����������������������������0000000�0000000������������������������������������������������������������������������������������������������������������������������������������������������������������������������(* This file is generated by Why3's Coq driver *) (* Beware! Only edit allowed sections below *) Require Import BuiltIn. Require BuiltIn. Require HighOrd. Require int.Int. Require map.Map. Require bool.Bool. Require list.List. Require list.Length. Require list.Mem. Require list.Append. (* Why3 assumption *) Inductive datatype := | TYunit : datatype | TYint : datatype | TYbool : datatype. Axiom datatype_WhyType : WhyType datatype. Existing Instance datatype_WhyType. (* Why3 assumption *) Inductive value := | Vvoid : value | Vint : Z -> value | Vbool : bool -> value. Axiom value_WhyType : WhyType value. Existing Instance value_WhyType. (* Why3 assumption *) Inductive operator := | Oplus : operator | Ominus : operator | Omult : operator | Ole : operator. Axiom operator_WhyType : WhyType operator. Existing Instance operator_WhyType. Axiom mident : Type. Parameter mident_WhyType : WhyType mident. Existing Instance mident_WhyType. Axiom mident_decide : forall (m1:mident) (m2:mident), (m1 = m2) \/ ~ (m1 = m2). Axiom ident : Type. Parameter ident_WhyType : WhyType ident. Existing Instance ident_WhyType. Axiom ident_decide : forall (m1:ident) (m2:ident), (m1 = m2) \/ ~ (m1 = m2). (* Why3 assumption *) Inductive term := | Tvalue : value -> term | Tvar : ident -> term | Tderef : mident -> term | Tbin : term -> operator -> term -> term. Axiom term_WhyType : WhyType term. Existing Instance term_WhyType. (* Why3 assumption *) Inductive fmla := | Fterm : term -> fmla | Fand : fmla -> fmla -> fmla | Fnot : fmla -> fmla | Fimplies : fmla -> fmla -> fmla | Flet : ident -> term -> fmla -> fmla | Fforall : ident -> datatype -> fmla -> fmla. Axiom fmla_WhyType : WhyType fmla. Existing Instance fmla_WhyType. (* Why3 assumption *) Inductive stmt := | Sskip : stmt | Sassign : mident -> term -> stmt | Sseq : stmt -> stmt -> stmt | Sif : term -> stmt -> stmt -> stmt | Sassert : fmla -> stmt | Swhile : term -> fmla -> stmt -> stmt. Axiom stmt_WhyType : WhyType stmt. Existing Instance stmt_WhyType. Axiom decide_is_skip : forall (s:stmt), (s = Sskip) \/ ~ (s = Sskip). (* Why3 assumption *) Definition env := mident -> value. (* Why3 assumption *) Definition stack := (list (ident* value)%type). Parameter get_stack: ident -> (list (ident* value)%type) -> value. Axiom get_stack_def : forall (i:ident) (pi:(list (ident* value)%type)), match pi with | Init.Datatypes.nil => ((get_stack i pi) = Vvoid) | (Init.Datatypes.cons (x, v) r) => ((x = i) -> ((get_stack i pi) = v)) /\ (~ (x = i) -> ((get_stack i pi) = (get_stack i r))) end. Axiom get_stack_eq : forall (x:ident) (v:value) (r:(list (ident* value)%type)), ((get_stack x (Init.Datatypes.cons (x, v) r)) = v). Axiom get_stack_neq : forall (x:ident) (i:ident) (v:value) (r:(list (ident* value)%type)), ~ (x = i) -> ((get_stack i (Init.Datatypes.cons (x, v) r)) = (get_stack i r)). Parameter eval_bin: value -> operator -> value -> value. Axiom eval_bin_def : forall (x:value) (op:operator) (y:value), match (x, y) with | (Vint x1, Vint y1) => match op with | Oplus => ((eval_bin x op y) = (Vint (x1 + y1)%Z)) | Ominus => ((eval_bin x op y) = (Vint (x1 - y1)%Z)) | Omult => ((eval_bin x op y) = (Vint (x1 * y1)%Z)) | Ole => ((x1 <= y1)%Z -> ((eval_bin x op y) = (Vbool true))) /\ (~ (x1 <= y1)%Z -> ((eval_bin x op y) = (Vbool false))) end | (_, _) => ((eval_bin x op y) = Vvoid) end. (* Why3 assumption *) Fixpoint eval_term (sigma:mident -> value) (pi:(list (ident* value)%type)) (t:term) {struct t}: value := match t with | Tvalue v => v | Tvar id => get_stack id pi | Tderef id => sigma id | Tbin t1 op t2 => eval_bin (eval_term sigma pi t1) op (eval_term sigma pi t2) end. (* Why3 assumption *) Fixpoint eval_fmla (sigma:mident -> value) (pi:(list (ident* value)%type)) (f:fmla) {struct f}: Prop := match f with | Fterm t => ((eval_term sigma pi t) = (Vbool true)) | Fand f1 f2 => (eval_fmla sigma pi f1) /\ (eval_fmla sigma pi f2) | Fnot f1 => ~ (eval_fmla sigma pi f1) | Fimplies f1 f2 => (eval_fmla sigma pi f1) -> eval_fmla sigma pi f2 | Flet x t f1 => eval_fmla sigma (Init.Datatypes.cons (x, eval_term sigma pi t) pi) f1 | Fforall x TYint f1 => forall (n:Z), eval_fmla sigma (Init.Datatypes.cons (x, Vint n) pi) f1 | Fforall x TYbool f1 => forall (b:bool), eval_fmla sigma (Init.Datatypes.cons (x, Vbool b) pi) f1 | Fforall x TYunit f1 => eval_fmla sigma (Init.Datatypes.cons (x, Vvoid) pi) f1 end. (* Why3 assumption *) Definition valid_fmla (p:fmla) : Prop := forall (sigma:mident -> value) (pi:(list (ident* value)%type)), eval_fmla sigma pi p. (* Why3 assumption *) Inductive one_step: (mident -> value) -> (list (ident* value)%type) -> stmt -> (mident -> value) -> (list (ident* value)%type) -> stmt -> Prop := | one_step_assign : forall (sigma:mident -> value) (sigma':mident -> value) (pi:(list (ident* value)%type)) (x:mident) (t:term), (sigma' = (map.Map.set sigma x (eval_term sigma pi t))) -> one_step sigma pi (Sassign x t) sigma' pi Sskip | one_step_seq_noskip : forall (sigma:mident -> value) (sigma':mident -> value) (pi:(list (ident* value)%type)) (pi':(list (ident* value)%type)) (s1:stmt) (s1':stmt) (s2:stmt), (one_step sigma pi s1 sigma' pi' s1') -> one_step sigma pi (Sseq s1 s2) sigma' pi' (Sseq s1' s2) | one_step_seq_skip : forall (sigma:mident -> value) (pi:(list (ident* value)%type)) (s:stmt), one_step sigma pi (Sseq Sskip s) sigma pi s | one_step_if_true : forall (sigma:mident -> value) (pi:(list (ident* value)%type)) (t:term) (s1:stmt) (s2:stmt), ((eval_term sigma pi t) = (Vbool true)) -> one_step sigma pi (Sif t s1 s2) sigma pi s1 | one_step_if_false : forall (sigma:mident -> value) (pi:(list (ident* value)%type)) (t:term) (s1:stmt) (s2:stmt), ((eval_term sigma pi t) = (Vbool false)) -> one_step sigma pi (Sif t s1 s2) sigma pi s2 | one_step_assert : forall (sigma:mident -> value) (pi:(list (ident* value)%type)) (f:fmla), (eval_fmla sigma pi f) -> one_step sigma pi (Sassert f) sigma pi Sskip | one_step_while_true : forall (sigma:mident -> value) (pi:(list (ident* value)%type)) (cond:term) (inv:fmla) (body:stmt), ((eval_fmla sigma pi inv) /\ ((eval_term sigma pi cond) = (Vbool true))) -> one_step sigma pi (Swhile cond inv body) sigma pi (Sseq body (Swhile cond inv body)) | one_step_while_false : forall (sigma:mident -> value) (pi:(list (ident* value)%type)) (cond:term) (inv:fmla) (body:stmt), ((eval_fmla sigma pi inv) /\ ((eval_term sigma pi cond) = (Vbool false))) -> one_step sigma pi (Swhile cond inv body) sigma pi Sskip. (* Why3 assumption *) Inductive many_steps: (mident -> value) -> (list (ident* value)%type) -> stmt -> (mident -> value) -> (list (ident* value)%type) -> stmt -> Z -> Prop := | many_steps_refl : forall (sigma:mident -> value) (pi:(list (ident* value)%type)) (s:stmt), many_steps sigma pi s sigma pi s 0%Z | many_steps_trans : forall (sigma1:mident -> value) (sigma2:mident -> value) (sigma3:mident -> value) (pi1:(list (ident* value)%type)) (pi2:(list (ident* value)%type)) (pi3:(list (ident* value)%type)) (s1:stmt) (s2:stmt) (s3:stmt) (n:Z), (one_step sigma1 pi1 s1 sigma2 pi2 s2) -> (many_steps sigma2 pi2 s2 sigma3 pi3 s3 n) -> many_steps sigma1 pi1 s1 sigma3 pi3 s3 (n + 1%Z)%Z. Axiom steps_non_neg : forall (sigma1:mident -> value) (sigma2:mident -> value) (pi1:(list (ident* value)%type)) (pi2:(list (ident* value)%type)) (s1:stmt) (s2:stmt) (n:Z), (many_steps sigma1 pi1 s1 sigma2 pi2 s2 n) -> (0%Z <= n)%Z. (* Why3 assumption *) Definition reductible (sigma:mident -> value) (pi:(list (ident* value)%type)) (s:stmt) : Prop := exists sigma':mident -> value, exists pi':(list (ident* value)%type), exists s':stmt, one_step sigma pi s sigma' pi' s'. (* Why3 assumption *) Definition type_value (v:value) : datatype := match v with | Vvoid => TYunit | Vint _ => TYint | Vbool _ => TYbool end. (* Why3 assumption *) Inductive type_operator: operator -> datatype -> datatype -> datatype -> Prop := | Type_plus : type_operator Oplus TYint TYint TYint | Type_minus : type_operator Ominus TYint TYint TYint | Type_mult : type_operator Omult TYint TYint TYint | Type_le : type_operator Ole TYint TYint TYbool. (* Why3 assumption *) Definition type_stack := (list (ident* datatype)%type). Parameter get_vartype: ident -> (list (ident* datatype)%type) -> datatype. Axiom get_vartype_def : forall (i:ident) (pi:(list (ident* datatype)%type)), match pi with | Init.Datatypes.nil => ((get_vartype i pi) = TYunit) | (Init.Datatypes.cons (x, ty) r) => ((x = i) -> ((get_vartype i pi) = ty)) /\ (~ (x = i) -> ((get_vartype i pi) = (get_vartype i r))) end. (* Why3 assumption *) Definition type_env := mident -> datatype. (* Why3 assumption *) Inductive type_term: (mident -> datatype) -> (list (ident* datatype)%type) -> term -> datatype -> Prop := | Type_value : forall (sigma:mident -> datatype) (pi:(list (ident* datatype)%type)) (v:value), type_term sigma pi (Tvalue v) (type_value v) | Type_var : forall (sigma:mident -> datatype) (pi:(list (ident* datatype)%type)) (v:ident) (ty:datatype), ((get_vartype v pi) = ty) -> type_term sigma pi (Tvar v) ty | Type_deref : forall (sigma:mident -> datatype) (pi:(list (ident* datatype)%type)) (v:mident) (ty:datatype), ((sigma v) = ty) -> type_term sigma pi (Tderef v) ty | Type_bin : forall (sigma:mident -> datatype) (pi:(list (ident* datatype)%type)) (t1:term) (t2:term) (op:operator) (ty1:datatype) (ty2:datatype) (ty:datatype), ((type_term sigma pi t1 ty1) /\ ((type_term sigma pi t2 ty2) /\ (type_operator op ty1 ty2 ty))) -> type_term sigma pi (Tbin t1 op t2) ty. (* Why3 assumption *) Inductive type_fmla: (mident -> datatype) -> (list (ident* datatype)%type) -> fmla -> Prop := | Type_term : forall (sigma:mident -> datatype) (pi:(list (ident* datatype)%type)) (t:term), (type_term sigma pi t TYbool) -> type_fmla sigma pi (Fterm t) | Type_conj : forall (sigma:mident -> datatype) (pi:(list (ident* datatype)%type)) (f1:fmla) (f2:fmla), ((type_fmla sigma pi f1) /\ (type_fmla sigma pi f2)) -> type_fmla sigma pi (Fand f1 f2) | Type_neg : forall (sigma:mident -> datatype) (pi:(list (ident* datatype)%type)) (f:fmla), (type_fmla sigma pi f) -> type_fmla sigma pi (Fnot f) | Type_implies : forall (sigma:mident -> datatype) (pi:(list (ident* datatype)%type)) (f1:fmla) (f2:fmla), (type_fmla sigma pi f1) -> (type_fmla sigma pi f2) -> type_fmla sigma pi (Fimplies f1 f2) | Type_let : forall (sigma:mident -> datatype) (pi:(list (ident* datatype)%type)) (x:ident) (t:term) (f:fmla) (ty:datatype), (type_term sigma pi t ty) -> (type_fmla sigma (Init.Datatypes.cons (x, ty) pi) f) -> type_fmla sigma pi (Flet x t f) | Type_forall : forall (sigma:mident -> datatype) (pi:(list (ident* datatype)%type)) (x:ident) (f:fmla) (ty:datatype), (type_fmla sigma (Init.Datatypes.cons (x, ty) pi) f) -> type_fmla sigma pi (Fforall x ty f). (* Why3 assumption *) Inductive type_stmt: (mident -> datatype) -> (list (ident* datatype)%type) -> stmt -> Prop := | Type_skip : forall (sigma:mident -> datatype) (pi:(list (ident* datatype)%type)), type_stmt sigma pi Sskip | Type_seq : forall (sigma:mident -> datatype) (pi:(list (ident* datatype)%type)) (s1:stmt) (s2:stmt), (type_stmt sigma pi s1) -> (type_stmt sigma pi s2) -> type_stmt sigma pi (Sseq s1 s2) | Type_assigns : forall (sigma:mident -> datatype) (pi:(list (ident* datatype)%type)) (x:mident) (t:term) (ty:datatype), ((sigma x) = ty) -> (type_term sigma pi t ty) -> type_stmt sigma pi (Sassign x t) | Type_if : forall (sigma:mident -> datatype) (pi:(list (ident* datatype)%type)) (t:term) (s1:stmt) (s2:stmt), (type_term sigma pi t TYbool) -> (type_stmt sigma pi s1) -> (type_stmt sigma pi s2) -> type_stmt sigma pi (Sif t s1 s2) | Type_assert : forall (sigma:mident -> datatype) (pi:(list (ident* datatype)%type)) (p:fmla), (type_fmla sigma pi p) -> type_stmt sigma pi (Sassert p) | Type_while : forall (sigma:mident -> datatype) (pi:(list (ident* datatype)%type)) (cond:term) (body:stmt) (inv:fmla), (type_fmla sigma pi inv) -> (type_term sigma pi cond TYbool) -> (type_stmt sigma pi body) -> type_stmt sigma pi (Swhile cond inv body). (* Why3 assumption *) Definition compatible_env (sigma:mident -> value) (sigmat:mident -> datatype) (pi:(list (ident* value)%type)) (pit:(list (ident* datatype)%type)) : Prop := (forall (id:mident), ((type_value (sigma id)) = (sigmat id))) /\ forall (id:ident), ((type_value (get_stack id pi)) = (get_vartype id pit)). Axiom type_inversion : forall (v:value), match type_value v with | TYbool => exists b:bool, (v = (Vbool b)) | TYint => exists n:Z, (v = (Vint n)) | TYunit => (v = Vvoid) end. Axiom eval_type_term : forall (t:term) (sigma:mident -> value) (pi:(list (ident* value)%type)) (sigmat:mident -> datatype) (pit:(list (ident* datatype)%type)) (ty:datatype), (compatible_env sigma sigmat pi pit) -> (type_term sigmat pit t ty) -> ((type_value (eval_term sigma pi t)) = ty). Axiom type_preservation : forall (s1:stmt) (s2:stmt) (sigma1:mident -> value) (sigma2:mident -> value) (pi1:(list (ident* value)%type)) (pi2:(list (ident* value)%type)) (sigmat:mident -> datatype) (pit:(list (ident* datatype)%type)), (type_stmt sigmat pit s1) -> (compatible_env sigma1 sigmat pi1 pit) -> (one_step sigma1 pi1 s1 sigma2 pi2 s2) -> (type_stmt sigmat pit s2) /\ (compatible_env sigma2 sigmat pi2 pit). Axiom Cons_append : forall {a:Type} {a_WT:WhyType a}, forall (a1:a) (l1:(list a)) (l2:(list a)), ((Init.Datatypes.cons a1 (Init.Datatypes.app l1 l2)) = (Init.Datatypes.app (Init.Datatypes.cons a1 l1) l2)). Axiom Append_nil_l : forall {a:Type} {a_WT:WhyType a}, forall (l:(list a)), ((Init.Datatypes.app Init.Datatypes.nil l) = l). Parameter msubst_term: term -> mident -> ident -> term. Axiom msubst_term_def : forall (t:term) (x:mident) (v:ident), match t with | (Tvalue _)|(Tvar _) => ((msubst_term t x v) = t) | Tderef y => ((x = y) -> ((msubst_term t x v) = (Tvar v))) /\ (~ (x = y) -> ((msubst_term t x v) = t)) | Tbin t1 op t2 => ((msubst_term t x v) = (Tbin (msubst_term t1 x v) op (msubst_term t2 x v))) end. (* Why3 assumption *) Fixpoint msubst (f:fmla) (x:mident) (v:ident) {struct f}: fmla := match f with | Fterm e => Fterm (msubst_term e x v) | Fand f1 f2 => Fand (msubst f1 x v) (msubst f2 x v) | Fnot f1 => Fnot (msubst f1 x v) | Fimplies f1 f2 => Fimplies (msubst f1 x v) (msubst f2 x v) | Flet y t f1 => Flet y (msubst_term t x v) (msubst f1 x v) | Fforall y ty f1 => Fforall y ty (msubst f1 x v) end. (* Why3 assumption *) Fixpoint fresh_in_term (id:ident) (t:term) {struct t}: Prop := match t with | (Tvalue _)|(Tderef _) => True | Tvar i => ~ (id = i) | Tbin t1 _ t2 => (fresh_in_term id t1) /\ (fresh_in_term id t2) end. (* Why3 assumption *) Fixpoint fresh_in_fmla (id:ident) (f:fmla) {struct f}: Prop := match f with | Fterm e => fresh_in_term id e | (Fand f1 f2)|(Fimplies f1 f2) => (fresh_in_fmla id f1) /\ (fresh_in_fmla id f2) | Fnot f1 => fresh_in_fmla id f1 | Flet y t f1 => ~ (id = y) /\ ((fresh_in_term id t) /\ (fresh_in_fmla id f1)) | Fforall y _ f1 => ~ (id = y) /\ (fresh_in_fmla id f1) end. Axiom eval_msubst_term : forall (e:term) (sigma:mident -> value) (pi:(list (ident* value)%type)) (x:mident) (v:ident), (fresh_in_term v e) -> ((eval_term sigma pi (msubst_term e x v)) = (eval_term (map.Map.set sigma x (get_stack v pi)) pi e)). Axiom eval_msubst : forall (f:fmla) (sigma:mident -> value) (pi:(list (ident* value)%type)) (x:mident) (v:ident), (fresh_in_fmla v f) -> (eval_fmla sigma pi (msubst f x v)) <-> (eval_fmla (map.Map.set sigma x (get_stack v pi)) pi f). Axiom eval_swap_term : forall (t:term) (sigma:mident -> value) (pi:(list (ident* value)%type)) (l:(list (ident* value)%type)) (id1:ident) (id2:ident) (v1:value) (v2:value), ~ (id1 = id2) -> ((eval_term sigma (Init.Datatypes.app l (Init.Datatypes.cons (id1, v1) (Init.Datatypes.cons (id2, v2) pi))) t) = (eval_term sigma (Init.Datatypes.app l (Init.Datatypes.cons (id2, v2) (Init.Datatypes.cons (id1, v1) pi))) t)). Axiom eval_swap_gen : forall (f:fmla) (sigma:mident -> value) (pi:(list (ident* value)%type)) (l:(list (ident* value)%type)) (id1:ident) (id2:ident) (v1:value) (v2:value), ~ (id1 = id2) -> (eval_fmla sigma (Init.Datatypes.app l (Init.Datatypes.cons (id1, v1) (Init.Datatypes.cons (id2, v2) pi))) f) <-> (eval_fmla sigma (Init.Datatypes.app l (Init.Datatypes.cons (id2, v2) (Init.Datatypes.cons (id1, v1) pi))) f). Axiom eval_swap : forall (f:fmla) (sigma:mident -> value) (pi:(list (ident* value)%type)) (id1:ident) (id2:ident) (v1:value) (v2:value), ~ (id1 = id2) -> (eval_fmla sigma (Init.Datatypes.cons (id1, v1) (Init.Datatypes.cons (id2, v2) pi)) f) <-> (eval_fmla sigma (Init.Datatypes.cons (id2, v2) (Init.Datatypes.cons (id1, v1) pi)) f). Axiom eval_term_change_free : forall (t:term) (sigma:mident -> value) (pi:(list (ident* value)%type)) (id:ident) (v:value), (fresh_in_term id t) -> ((eval_term sigma (Init.Datatypes.cons (id, v) pi) t) = (eval_term sigma pi t)). Axiom eval_change_free : forall (f:fmla) (sigma:mident -> value) (pi:(list (ident* value)%type)) (id:ident) (v:value), (fresh_in_fmla id f) -> (eval_fmla sigma (Init.Datatypes.cons (id, v) pi) f) <-> (eval_fmla sigma pi f). Parameter fresh_from: fmla -> ident. Axiom fresh_from_fmla : forall (f:fmla), fresh_in_fmla (fresh_from f) f. Parameter abstract_effects: stmt -> fmla -> fmla. Axiom abstract_effects_specialize : forall (sigma:mident -> value) (pi:(list (ident* value)%type)) (s:stmt) (f:fmla), (eval_fmla sigma pi (abstract_effects s f)) -> eval_fmla sigma pi f. Axiom abstract_effects_distrib_conj : forall (s:stmt) (p:fmla) (q:fmla) (sigma:mident -> value) (pi:(list (ident* value)%type)), ((eval_fmla sigma pi (abstract_effects s p)) /\ (eval_fmla sigma pi (abstract_effects s q))) -> eval_fmla sigma pi (abstract_effects s (Fand p q)). Axiom abstract_effects_monotonic : forall (s:stmt) (p:fmla) (q:fmla), (valid_fmla (Fimplies p q)) -> forall (sigma:mident -> value) (pi:(list (ident* value)%type)), (eval_fmla sigma pi (abstract_effects s p)) -> eval_fmla sigma pi (abstract_effects s q). (* Why3 assumption *) Fixpoint wp (s:stmt) (q:fmla) {struct s}: fmla := match s with | Sskip => q | Sassert f => Fand f (Fimplies f q) | Sseq s1 s2 => wp s1 (wp s2 q) | Sassign x t => let id := fresh_from q in Flet id t (msubst q x id) | Sif t s1 s2 => Fand (Fimplies (Fterm t) (wp s1 q)) (Fimplies (Fnot (Fterm t)) (wp s2 q)) | Swhile cond inv body => Fand inv (abstract_effects body (Fand (Fimplies (Fand (Fterm cond) inv) (wp body inv)) (Fimplies (Fand (Fnot (Fterm cond)) inv) q))) end. Axiom abstract_effects_writes : forall (sigma:mident -> value) (pi:(list (ident* value)%type)) (body:stmt) (cond:term) (inv:fmla) (q:fmla), let f := abstract_effects body (Fand (Fimplies (Fand (Fterm cond) inv) (wp body inv)) (Fimplies (Fand (Fnot (Fterm cond)) inv) q)) in (eval_fmla sigma pi f) -> eval_fmla sigma pi (wp body f). Axiom monotonicity : forall (s:stmt) (p:fmla) (q:fmla), (valid_fmla (Fimplies p q)) -> valid_fmla (Fimplies (wp s p) (wp s q)). (* Why3 goal *) Theorem distrib_conj : forall (s:stmt), forall (x:term) (x1:fmla) (x2:stmt), (s = (Swhile x x1 x2)) -> (forall (sigma:mident -> value) (pi:(list (ident* value)%type)) (p:fmla) (q:fmla), ((eval_fmla sigma pi (wp x2 p)) /\ (eval_fmla sigma pi (wp x2 q))) -> eval_fmla sigma pi (wp x2 (Fand p q))) -> forall (sigma:mident -> value) (pi:(list (ident* value)%type)) (p:fmla) (q:fmla), ((eval_fmla sigma pi (wp s p)) /\ (eval_fmla sigma pi (wp s q))) -> eval_fmla sigma pi (wp s (Fand p q)). (* Why3 intros s x x1 x2 h1 h2 sigma pi p q (h3,h4). *) intros s x x1 x2 H_;rewrite H_ in *. simpl. intros H sigma pi p q ((h1 & h2) & (h3 & h4)). split; auto. apply abstract_effects_monotonic with (p:= (Fand (Fand (Fimplies (Fand (Fterm x) x1) (wp x2 x1)) (Fimplies (Fand (Fnot (Fterm x)) x1) p)) (Fand (Fimplies (Fand (Fterm x) x1) (wp x2 x1)) (Fimplies (Fand (Fnot (Fterm x)) x1) q)))). unfold valid_fmla; simpl. intuition. apply abstract_effects_distrib_conj; auto. Qed. ��������������������������������������������������������������������������������������������������������������������������������������������������������������why3-1.6.0/examples/WP_revisited/blocking_semantics5/blocking_semantics5_WP_monotonicity_3.v��������0000664�0000000�0000000�00000051461�14401600263�0032335�0����������������������������������������������������������������������������������������������������ustar�00root����������������������������root����������������������������0000000�0000000������������������������������������������������������������������������������������������������������������������������������������������������������������������������(* This file is generated by Why3's Coq driver *) (* Beware! Only edit allowed sections below *) Require Import BuiltIn. Require BuiltIn. Require bool.Bool. Require int.Int. Require map.Map. Require list.List. Require list.Length. Require list.Mem. Require list.Append. (* Why3 assumption *) Inductive datatype := | TYunit : datatype | TYint : datatype | TYbool : datatype. Axiom datatype_WhyType : WhyType datatype. Existing Instance datatype_WhyType. (* Why3 assumption *) Inductive value := | Vvoid : value | Vint : Z -> value | Vbool : bool -> value. Axiom value_WhyType : WhyType value. Existing Instance value_WhyType. (* Why3 assumption *) Inductive operator := | Oplus : operator | Ominus : operator | Omult : operator | Ole : operator. Axiom operator_WhyType : WhyType operator. Existing Instance operator_WhyType. Axiom mident : Type. Parameter mident_WhyType : WhyType mident. Existing Instance mident_WhyType. Axiom mident_decide : forall (m1:mident) (m2:mident), (m1 = m2) \/ ~ (m1 = m2). Axiom ident : Type. Parameter ident_WhyType : WhyType ident. Existing Instance ident_WhyType. Axiom ident_decide : forall (m1:ident) (m2:ident), (m1 = m2) \/ ~ (m1 = m2). (* Why3 assumption *) Inductive term := | Tvalue : value -> term | Tvar : ident -> term | Tderef : mident -> term | Tbin : term -> operator -> term -> term. Axiom term_WhyType : WhyType term. Existing Instance term_WhyType. (* Why3 assumption *) Inductive fmla := | Fterm : term -> fmla | Fand : fmla -> fmla -> fmla | Fnot : fmla -> fmla | Fimplies : fmla -> fmla -> fmla | Flet : ident -> term -> fmla -> fmla | Fforall : ident -> datatype -> fmla -> fmla. Axiom fmla_WhyType : WhyType fmla. Existing Instance fmla_WhyType. (* Why3 assumption *) Inductive stmt := | Sskip : stmt | Sassign : mident -> term -> stmt | Sseq : stmt -> stmt -> stmt | Sif : term -> stmt -> stmt -> stmt | Sassert : fmla -> stmt | Swhile : term -> fmla -> stmt -> stmt. Axiom stmt_WhyType : WhyType stmt. Existing Instance stmt_WhyType. Axiom decide_is_skip : forall (s:stmt), (s = Sskip) \/ ~ (s = Sskip). (* Why3 assumption *) Definition env := (map.Map.map mident value). (* Why3 assumption *) Definition stack := (list (ident* value)%type). Parameter get_stack: ident -> (list (ident* value)%type) -> value. Axiom get_stack_def : forall (i:ident) (pi:(list (ident* value)%type)), match pi with | Init.Datatypes.nil => ((get_stack i pi) = Vvoid) | (Init.Datatypes.cons (x, v) r) => ((x = i) -> ((get_stack i pi) = v)) /\ ((~ (x = i)) -> ((get_stack i pi) = (get_stack i r))) end. Axiom get_stack_eq : forall (x:ident) (v:value) (r:(list (ident* value)%type)), ((get_stack x (Init.Datatypes.cons (x, v) r)) = v). Axiom get_stack_neq : forall (x:ident) (i:ident) (v:value) (r:(list (ident* value)%type)), (~ (x = i)) -> ((get_stack i (Init.Datatypes.cons (x, v) r)) = (get_stack i r)). Parameter eval_bin: value -> operator -> value -> value. Axiom eval_bin_def : forall (x:value) (op:operator) (y:value), match (x, y) with | ((Vint x1), (Vint y1)) => match op with | Oplus => ((eval_bin x op y) = (Vint (x1 + y1)%Z)) | Ominus => ((eval_bin x op y) = (Vint (x1 - y1)%Z)) | Omult => ((eval_bin x op y) = (Vint (x1 * y1)%Z)) | Ole => ((x1 <= y1)%Z -> ((eval_bin x op y) = (Vbool true))) /\ ((~ (x1 <= y1)%Z) -> ((eval_bin x op y) = (Vbool false))) end | (_, _) => ((eval_bin x op y) = Vvoid) end. (* Why3 assumption *) Fixpoint eval_term (sigma:(map.Map.map mident value)) (pi:(list (ident* value)%type)) (t:term) {struct t}: value := match t with | (Tvalue v) => v | (Tvar id) => (get_stack id pi) | (Tderef id) => (map.Map.get sigma id) | (Tbin t1 op t2) => (eval_bin (eval_term sigma pi t1) op (eval_term sigma pi t2)) end. (* Why3 assumption *) Fixpoint eval_fmla (sigma:(map.Map.map mident value)) (pi:(list (ident* value)%type)) (f:fmla) {struct f}: Prop := match f with | (Fterm t) => ((eval_term sigma pi t) = (Vbool true)) | (Fand f1 f2) => (eval_fmla sigma pi f1) /\ (eval_fmla sigma pi f2) | (Fnot f1) => ~ (eval_fmla sigma pi f1) | (Fimplies f1 f2) => (eval_fmla sigma pi f1) -> (eval_fmla sigma pi f2) | (Flet x t f1) => (eval_fmla sigma (Init.Datatypes.cons (x, (eval_term sigma pi t)) pi) f1) | (Fforall x TYint f1) => forall (n:Z), (eval_fmla sigma (Init.Datatypes.cons (x, (Vint n)) pi) f1) | (Fforall x TYbool f1) => forall (b:bool), (eval_fmla sigma (Init.Datatypes.cons (x, (Vbool b)) pi) f1) | (Fforall x TYunit f1) => (eval_fmla sigma (Init.Datatypes.cons (x, Vvoid) pi) f1) end. (* Why3 assumption *) Definition valid_fmla (p:fmla): Prop := forall (sigma:(map.Map.map mident value)) (pi:(list (ident* value)%type)), (eval_fmla sigma pi p). (* Why3 assumption *) Inductive one_step: (map.Map.map mident value) -> (list (ident* value)%type) -> stmt -> (map.Map.map mident value) -> (list (ident* value)%type) -> stmt -> Prop := | one_step_assign : forall (sigma:(map.Map.map mident value)) (sigma':(map.Map.map mident value)) (pi:(list (ident* value)%type)) (x:mident) (t:term), (sigma' = (map.Map.set sigma x (eval_term sigma pi t))) -> (one_step sigma pi (Sassign x t) sigma' pi Sskip) | one_step_seq_noskip : forall (sigma:(map.Map.map mident value)) (sigma':(map.Map.map mident value)) (pi:(list (ident* value)%type)) (pi':(list (ident* value)%type)) (s1:stmt) (s1':stmt) (s2:stmt), (one_step sigma pi s1 sigma' pi' s1') -> (one_step sigma pi (Sseq s1 s2) sigma' pi' (Sseq s1' s2)) | one_step_seq_skip : forall (sigma:(map.Map.map mident value)) (pi:(list (ident* value)%type)) (s:stmt), (one_step sigma pi (Sseq Sskip s) sigma pi s) | one_step_if_true : forall (sigma:(map.Map.map mident value)) (pi:(list (ident* value)%type)) (t:term) (s1:stmt) (s2:stmt), ((eval_term sigma pi t) = (Vbool true)) -> (one_step sigma pi (Sif t s1 s2) sigma pi s1) | one_step_if_false : forall (sigma:(map.Map.map mident value)) (pi:(list (ident* value)%type)) (t:term) (s1:stmt) (s2:stmt), ((eval_term sigma pi t) = (Vbool false)) -> (one_step sigma pi (Sif t s1 s2) sigma pi s2) | one_step_assert : forall (sigma:(map.Map.map mident value)) (pi:(list (ident* value)%type)) (f:fmla), (eval_fmla sigma pi f) -> (one_step sigma pi (Sassert f) sigma pi Sskip) | one_step_while_true : forall (sigma:(map.Map.map mident value)) (pi:(list (ident* value)%type)) (cond:term) (inv:fmla) (body:stmt), ((eval_fmla sigma pi inv) /\ ((eval_term sigma pi cond) = (Vbool true))) -> (one_step sigma pi (Swhile cond inv body) sigma pi (Sseq body (Swhile cond inv body))) | one_step_while_false : forall (sigma:(map.Map.map mident value)) (pi:(list (ident* value)%type)) (cond:term) (inv:fmla) (body:stmt), ((eval_fmla sigma pi inv) /\ ((eval_term sigma pi cond) = (Vbool false))) -> (one_step sigma pi (Swhile cond inv body) sigma pi Sskip). (* Why3 assumption *) Inductive many_steps: (map.Map.map mident value) -> (list (ident* value)%type) -> stmt -> (map.Map.map mident value) -> (list (ident* value)%type) -> stmt -> Z -> Prop := | many_steps_refl : forall (sigma:(map.Map.map mident value)) (pi:(list (ident* value)%type)) (s:stmt), (many_steps sigma pi s sigma pi s 0%Z) | many_steps_trans : forall (sigma1:(map.Map.map mident value)) (sigma2:(map.Map.map mident value)) (sigma3:(map.Map.map mident value)) (pi1:(list (ident* value)%type)) (pi2:(list (ident* value)%type)) (pi3:(list (ident* value)%type)) (s1:stmt) (s2:stmt) (s3:stmt) (n:Z), (one_step sigma1 pi1 s1 sigma2 pi2 s2) -> ((many_steps sigma2 pi2 s2 sigma3 pi3 s3 n) -> (many_steps sigma1 pi1 s1 sigma3 pi3 s3 (n + 1%Z)%Z)). Axiom steps_non_neg : forall (sigma1:(map.Map.map mident value)) (sigma2:(map.Map.map mident value)) (pi1:(list (ident* value)%type)) (pi2:(list (ident* value)%type)) (s1:stmt) (s2:stmt) (n:Z), (many_steps sigma1 pi1 s1 sigma2 pi2 s2 n) -> (0%Z <= n)%Z. (* Why3 assumption *) Definition reductible (sigma:(map.Map.map mident value)) (pi:(list (ident* value)%type)) (s:stmt): Prop := exists sigma':(map.Map.map mident value), exists pi':(list (ident* value)%type), exists s':stmt, (one_step sigma pi s sigma' pi' s'). (* Why3 assumption *) Definition type_value (v:value): datatype := match v with | Vvoid => TYunit | (Vint _) => TYint | (Vbool _) => TYbool end. (* Why3 assumption *) Inductive type_operator: operator -> datatype -> datatype -> datatype -> Prop := | Type_plus : (type_operator Oplus TYint TYint TYint) | Type_minus : (type_operator Ominus TYint TYint TYint) | Type_mult : (type_operator Omult TYint TYint TYint) | Type_le : (type_operator Ole TYint TYint TYbool). (* Why3 assumption *) Definition type_stack := (list (ident* datatype)%type). Parameter get_vartype: ident -> (list (ident* datatype)%type) -> datatype. Axiom get_vartype_def : forall (i:ident) (pi:(list (ident* datatype)%type)), match pi with | Init.Datatypes.nil => ((get_vartype i pi) = TYunit) | (Init.Datatypes.cons (x, ty) r) => ((x = i) -> ((get_vartype i pi) = ty)) /\ ((~ (x = i)) -> ((get_vartype i pi) = (get_vartype i r))) end. (* Why3 assumption *) Definition type_env := (map.Map.map mident datatype). (* Why3 assumption *) Inductive type_term: (map.Map.map mident datatype) -> (list (ident* datatype)%type) -> term -> datatype -> Prop := | Type_value : forall (sigma:(map.Map.map mident datatype)) (pi:(list (ident* datatype)%type)) (v:value), (type_term sigma pi (Tvalue v) (type_value v)) | Type_var : forall (sigma:(map.Map.map mident datatype)) (pi:(list (ident* datatype)%type)) (v:ident) (ty:datatype), ((get_vartype v pi) = ty) -> (type_term sigma pi (Tvar v) ty) | Type_deref : forall (sigma:(map.Map.map mident datatype)) (pi:(list (ident* datatype)%type)) (v:mident) (ty:datatype), ((map.Map.get sigma v) = ty) -> (type_term sigma pi (Tderef v) ty) | Type_bin : forall (sigma:(map.Map.map mident datatype)) (pi:(list (ident* datatype)%type)) (t1:term) (t2:term) (op:operator) (ty1:datatype) (ty2:datatype) (ty:datatype), ((type_term sigma pi t1 ty1) /\ ((type_term sigma pi t2 ty2) /\ (type_operator op ty1 ty2 ty))) -> (type_term sigma pi (Tbin t1 op t2) ty). (* Why3 assumption *) Inductive type_fmla: (map.Map.map mident datatype) -> (list (ident* datatype)%type) -> fmla -> Prop := | Type_term : forall (sigma:(map.Map.map mident datatype)) (pi:(list (ident* datatype)%type)) (t:term), (type_term sigma pi t TYbool) -> (type_fmla sigma pi (Fterm t)) | Type_conj : forall (sigma:(map.Map.map mident datatype)) (pi:(list (ident* datatype)%type)) (f1:fmla) (f2:fmla), ((type_fmla sigma pi f1) /\ (type_fmla sigma pi f2)) -> (type_fmla sigma pi (Fand f1 f2)) | Type_neg : forall (sigma:(map.Map.map mident datatype)) (pi:(list (ident* datatype)%type)) (f:fmla), (type_fmla sigma pi f) -> (type_fmla sigma pi (Fnot f)) | Type_implies : forall (sigma:(map.Map.map mident datatype)) (pi:(list (ident* datatype)%type)) (f1:fmla) (f2:fmla), (type_fmla sigma pi f1) -> ((type_fmla sigma pi f2) -> (type_fmla sigma pi (Fimplies f1 f2))) | Type_let : forall (sigma:(map.Map.map mident datatype)) (pi:(list (ident* datatype)%type)) (x:ident) (t:term) (f:fmla) (ty:datatype), (type_term sigma pi t ty) -> ((type_fmla sigma (Init.Datatypes.cons (x, ty) pi) f) -> (type_fmla sigma pi (Flet x t f))) | Type_forall : forall (sigma:(map.Map.map mident datatype)) (pi:(list (ident* datatype)%type)) (x:ident) (f:fmla) (ty:datatype), (type_fmla sigma (Init.Datatypes.cons (x, ty) pi) f) -> (type_fmla sigma pi (Fforall x ty f)). (* Why3 assumption *) Inductive type_stmt: (map.Map.map mident datatype) -> (list (ident* datatype)%type) -> stmt -> Prop := | Type_skip : forall (sigma:(map.Map.map mident datatype)) (pi:(list (ident* datatype)%type)), (type_stmt sigma pi Sskip) | Type_seq : forall (sigma:(map.Map.map mident datatype)) (pi:(list (ident* datatype)%type)) (s1:stmt) (s2:stmt), (type_stmt sigma pi s1) -> ((type_stmt sigma pi s2) -> (type_stmt sigma pi (Sseq s1 s2))) | Type_assigns : forall (sigma:(map.Map.map mident datatype)) (pi:(list (ident* datatype)%type)) (x:mident) (t:term) (ty:datatype), ((map.Map.get sigma x) = ty) -> ((type_term sigma pi t ty) -> (type_stmt sigma pi (Sassign x t))) | Type_if : forall (sigma:(map.Map.map mident datatype)) (pi:(list (ident* datatype)%type)) (t:term) (s1:stmt) (s2:stmt), (type_term sigma pi t TYbool) -> ((type_stmt sigma pi s1) -> ((type_stmt sigma pi s2) -> (type_stmt sigma pi (Sif t s1 s2)))) | Type_assert : forall (sigma:(map.Map.map mident datatype)) (pi:(list (ident* datatype)%type)) (p:fmla), (type_fmla sigma pi p) -> (type_stmt sigma pi (Sassert p)) | Type_while : forall (sigma:(map.Map.map mident datatype)) (pi:(list (ident* datatype)%type)) (cond:term) (body:stmt) (inv:fmla), (type_fmla sigma pi inv) -> ((type_term sigma pi cond TYbool) -> ((type_stmt sigma pi body) -> (type_stmt sigma pi (Swhile cond inv body)))). (* Why3 assumption *) Definition compatible_env (sigma:(map.Map.map mident value)) (sigmat:(map.Map.map mident datatype)) (pi:(list (ident* value)%type)) (pit:(list (ident* datatype)%type)): Prop := (forall (id:mident), ((type_value (map.Map.get sigma id)) = (map.Map.get sigmat id))) /\ forall (id:ident), ((type_value (get_stack id pi)) = (get_vartype id pit)). Axiom type_inversion : forall (v:value), match (type_value v) with | TYbool => exists b:bool, (v = (Vbool b)) | TYint => exists n:Z, (v = (Vint n)) | TYunit => (v = Vvoid) end. Axiom eval_type_term : forall (t:term) (sigma:(map.Map.map mident value)) (pi:(list (ident* value)%type)) (sigmat:(map.Map.map mident datatype)) (pit:(list (ident* datatype)%type)) (ty:datatype), (compatible_env sigma sigmat pi pit) -> ((type_term sigmat pit t ty) -> ((type_value (eval_term sigma pi t)) = ty)). Axiom type_preservation : forall (s1:stmt) (s2:stmt) (sigma1:(map.Map.map mident value)) (sigma2:(map.Map.map mident value)) (pi1:(list (ident* value)%type)) (pi2:(list (ident* value)%type)) (sigmat:(map.Map.map mident datatype)) (pit:(list (ident* datatype)%type)), ((type_stmt sigmat pit s1) /\ ((compatible_env sigma1 sigmat pi1 pit) /\ (one_step sigma1 pi1 s1 sigma2 pi2 s2))) -> ((type_stmt sigmat pit s2) /\ (compatible_env sigma2 sigmat pi2 pit)). Axiom Cons_append : forall {a:Type} {a_WT:WhyType a}, forall (a1:a) (l1:(list a)) (l2:(list a)), ((Init.Datatypes.cons a1 (Init.Datatypes.app l1 l2)) = (Init.Datatypes.app (Init.Datatypes.cons a1 l1) l2)). Axiom Append_nil_l : forall {a:Type} {a_WT:WhyType a}, forall (l:(list a)), ((Init.Datatypes.app Init.Datatypes.nil l) = l). Parameter msubst_term: term -> mident -> ident -> term. Axiom msubst_term_def : forall (t:term) (x:mident) (v:ident), match t with | ((Tvalue _)|(Tvar _)) => ((msubst_term t x v) = t) | (Tderef y) => ((x = y) -> ((msubst_term t x v) = (Tvar v))) /\ ((~ (x = y)) -> ((msubst_term t x v) = t)) | (Tbin t1 op t2) => ((msubst_term t x v) = (Tbin (msubst_term t1 x v) op (msubst_term t2 x v))) end. (* Why3 assumption *) Fixpoint msubst (f:fmla) (x:mident) (v:ident) {struct f}: fmla := match f with | (Fterm e) => (Fterm (msubst_term e x v)) | (Fand f1 f2) => (Fand (msubst f1 x v) (msubst f2 x v)) | (Fnot f1) => (Fnot (msubst f1 x v)) | (Fimplies f1 f2) => (Fimplies (msubst f1 x v) (msubst f2 x v)) | (Flet y t f1) => (Flet y (msubst_term t x v) (msubst f1 x v)) | (Fforall y ty f1) => (Fforall y ty (msubst f1 x v)) end. (* Why3 assumption *) Fixpoint fresh_in_term (id:ident) (t:term) {struct t}: Prop := match t with | ((Tvalue _)|(Tderef _)) => True | (Tvar i) => ~ (id = i) | (Tbin t1 _ t2) => (fresh_in_term id t1) /\ (fresh_in_term id t2) end. (* Why3 assumption *) Fixpoint fresh_in_fmla (id:ident) (f:fmla) {struct f}: Prop := match f with | (Fterm e) => (fresh_in_term id e) | ((Fand f1 f2)|(Fimplies f1 f2)) => (fresh_in_fmla id f1) /\ (fresh_in_fmla id f2) | (Fnot f1) => (fresh_in_fmla id f1) | (Flet y t f1) => (~ (id = y)) /\ ((fresh_in_term id t) /\ (fresh_in_fmla id f1)) | (Fforall y _ f1) => (~ (id = y)) /\ (fresh_in_fmla id f1) end. Axiom eval_msubst_term : forall (e:term) (sigma:(map.Map.map mident value)) (pi:(list (ident* value)%type)) (x:mident) (v:ident), (fresh_in_term v e) -> ((eval_term sigma pi (msubst_term e x v)) = (eval_term (map.Map.set sigma x (get_stack v pi)) pi e)). Axiom eval_msubst : forall (f:fmla) (sigma:(map.Map.map mident value)) (pi:(list (ident* value)%type)) (x:mident) (v:ident), (fresh_in_fmla v f) -> ((eval_fmla sigma pi (msubst f x v)) <-> (eval_fmla (map.Map.set sigma x (get_stack v pi)) pi f)). Axiom eval_swap_term : forall (t:term) (sigma:(map.Map.map mident value)) (pi:(list (ident* value)%type)) (l:(list (ident* value)%type)) (id1:ident) (id2:ident) (v1:value) (v2:value), (~ (id1 = id2)) -> ((eval_term sigma (Init.Datatypes.app l (Init.Datatypes.cons (id1, v1) (Init.Datatypes.cons ( id2, v2) pi))) t) = (eval_term sigma (Init.Datatypes.app l (Init.Datatypes.cons (id2, v2) (Init.Datatypes.cons ( id1, v1) pi))) t)). Axiom eval_swap_gen : forall (f:fmla) (sigma:(map.Map.map mident value)) (pi:(list (ident* value)%type)) (l:(list (ident* value)%type)) (id1:ident) (id2:ident) (v1:value) (v2:value), (~ (id1 = id2)) -> ((eval_fmla sigma (Init.Datatypes.app l (Init.Datatypes.cons (id1, v1) (Init.Datatypes.cons ( id2, v2) pi))) f) <-> (eval_fmla sigma (Init.Datatypes.app l (Init.Datatypes.cons (id2, v2) (Init.Datatypes.cons ( id1, v1) pi))) f)). Axiom eval_swap : forall (f:fmla) (sigma:(map.Map.map mident value)) (pi:(list (ident* value)%type)) (id1:ident) (id2:ident) (v1:value) (v2:value), (~ (id1 = id2)) -> ((eval_fmla sigma (Init.Datatypes.cons (id1, v1) (Init.Datatypes.cons (id2, v2) pi)) f) <-> (eval_fmla sigma (Init.Datatypes.cons (id2, v2) (Init.Datatypes.cons (id1, v1) pi)) f)). Axiom eval_term_change_free : forall (t:term) (sigma:(map.Map.map mident value)) (pi:(list (ident* value)%type)) (id:ident) (v:value), (fresh_in_term id t) -> ((eval_term sigma (Init.Datatypes.cons (id, v) pi) t) = (eval_term sigma pi t)). Axiom eval_change_free : forall (f:fmla) (sigma:(map.Map.map mident value)) (pi:(list (ident* value)%type)) (id:ident) (v:value), (fresh_in_fmla id f) -> ((eval_fmla sigma (Init.Datatypes.cons (id, v) pi) f) <-> (eval_fmla sigma pi f)). Parameter fresh_from: fmla -> ident. Axiom fresh_from_fmla : forall (f:fmla), (fresh_in_fmla (fresh_from f) f). Parameter abstract_effects: stmt -> fmla -> fmla. Axiom abstract_effects_specialize : forall (sigma:(map.Map.map mident value)) (pi:(list (ident* value)%type)) (s:stmt) (f:fmla), (eval_fmla sigma pi (abstract_effects s f)) -> (eval_fmla sigma pi f). Axiom abstract_effects_distrib_conj : forall (s:stmt) (p:fmla) (q:fmla) (sigma:(map.Map.map mident value)) (pi:(list (ident* value)%type)), ((eval_fmla sigma pi (abstract_effects s p)) /\ (eval_fmla sigma pi (abstract_effects s q))) -> (eval_fmla sigma pi (abstract_effects s (Fand p q))). Axiom abstract_effects_monotonic : forall (s:stmt) (p:fmla) (q:fmla), (valid_fmla (Fimplies p q)) -> forall (sigma:(map.Map.map mident value)) (pi:(list (ident* value)%type)), (eval_fmla sigma pi (abstract_effects s p)) -> (eval_fmla sigma pi (abstract_effects s q)). (* Why3 assumption *) Fixpoint wp (s:stmt) (q:fmla) {struct s}: fmla := match s with | Sskip => q | (Sassert f) => (Fand f (Fimplies f q)) | (Sseq s1 s2) => (wp s1 (wp s2 q)) | (Sassign x t) => let id := (fresh_from q) in (Flet id t (msubst q x id)) | (Sif t s1 s2) => (Fand (Fimplies (Fterm t) (wp s1 q)) (Fimplies (Fnot (Fterm t)) (wp s2 q))) | (Swhile cond inv body) => (Fand inv (abstract_effects body (Fand (Fimplies (Fand (Fterm cond) inv) (wp body inv)) (Fimplies (Fand (Fnot (Fterm cond)) inv) q)))) end. Axiom abstract_effects_writes : forall (sigma:(map.Map.map mident value)) (pi:(list (ident* value)%type)) (body:stmt) (cond:term) (inv:fmla) (q:fmla), let f := (abstract_effects body (Fand (Fimplies (Fand (Fterm cond) inv) (wp body inv)) (Fimplies (Fand (Fnot (Fterm cond)) inv) q))) in ((eval_fmla sigma pi f) -> (eval_fmla sigma pi (wp body f))). (* Why3 goal *) Theorem monotonicity : forall (s:stmt), forall (x:term) (x1:fmla) (x2:stmt), (s = (Swhile x x1 x2)) -> ((forall (p:fmla) (q:fmla), (valid_fmla (Fimplies p q)) -> (valid_fmla (Fimplies (wp x2 p) (wp x2 q)))) -> forall (p:fmla) (q:fmla), (valid_fmla (Fimplies p q)) -> (valid_fmla (Fimplies (wp s p) (wp s q)))). (* Why3 intros s x x1 x2 h1 h2 p q h3. *) intros s x x1 x2 H_;rewrite H_ in *. unfold valid_fmla; simpl. intros H1 p q H2; intuition. apply abstract_effects_monotonic with (2:=H3). unfold valid_fmla; simpl. intuition. Qed. ���������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������why3-1.6.0/examples/WP_revisited/blocking_semantics5/blocking_semantics5_WP_progress_1.v������������0000664�0000000�0000000�00000052771�14401600263�0031451�0����������������������������������������������������������������������������������������������������ustar�00root����������������������������root����������������������������0000000�0000000������������������������������������������������������������������������������������������������������������������������������������������������������������������������(* This file is generated by Why3's Coq driver *) (* Beware! Only edit allowed sections below *) Require Import BuiltIn. Require BuiltIn. Require bool.Bool. Require int.Int. Require map.Map. Require list.List. Require list.Length. Require list.Mem. Require list.Append. (* Why3 assumption *) Inductive datatype := | TYunit : datatype | TYint : datatype | TYbool : datatype. Axiom datatype_WhyType : WhyType datatype. Existing Instance datatype_WhyType. (* Why3 assumption *) Inductive value := | Vvoid : value | Vint : Z -> value | Vbool : bool -> value. Axiom value_WhyType : WhyType value. Existing Instance value_WhyType. (* Why3 assumption *) Inductive operator := | Oplus : operator | Ominus : operator | Omult : operator | Ole : operator. Axiom operator_WhyType : WhyType operator. Existing Instance operator_WhyType. Axiom mident : Type. Parameter mident_WhyType : WhyType mident. Existing Instance mident_WhyType. Axiom mident_decide : forall (m1:mident) (m2:mident), (m1 = m2) \/ ~ (m1 = m2). Axiom ident : Type. Parameter ident_WhyType : WhyType ident. Existing Instance ident_WhyType. Axiom ident_decide : forall (m1:ident) (m2:ident), (m1 = m2) \/ ~ (m1 = m2). (* Why3 assumption *) Inductive term := | Tvalue : value -> term | Tvar : ident -> term | Tderef : mident -> term | Tbin : term -> operator -> term -> term. Axiom term_WhyType : WhyType term. Existing Instance term_WhyType. (* Why3 assumption *) Inductive fmla := | Fterm : term -> fmla | Fand : fmla -> fmla -> fmla | Fnot : fmla -> fmla | Fimplies : fmla -> fmla -> fmla | Flet : ident -> term -> fmla -> fmla | Fforall : ident -> datatype -> fmla -> fmla. Axiom fmla_WhyType : WhyType fmla. Existing Instance fmla_WhyType. (* Why3 assumption *) Inductive stmt := | Sskip : stmt | Sassign : mident -> term -> stmt | Sseq : stmt -> stmt -> stmt | Sif : term -> stmt -> stmt -> stmt | Sassert : fmla -> stmt | Swhile : term -> fmla -> stmt -> stmt. Axiom stmt_WhyType : WhyType stmt. Existing Instance stmt_WhyType. Axiom decide_is_skip : forall (s:stmt), (s = Sskip) \/ ~ (s = Sskip). (* Why3 assumption *) Definition env := (map.Map.map mident value). (* Why3 assumption *) Definition stack := (list (ident* value)%type). Parameter get_stack: ident -> (list (ident* value)%type) -> value. Axiom get_stack_def : forall (i:ident) (pi:(list (ident* value)%type)), match pi with | Init.Datatypes.nil => ((get_stack i pi) = Vvoid) | (Init.Datatypes.cons (x, v) r) => ((x = i) -> ((get_stack i pi) = v)) /\ ((~ (x = i)) -> ((get_stack i pi) = (get_stack i r))) end. Axiom get_stack_eq : forall (x:ident) (v:value) (r:(list (ident* value)%type)), ((get_stack x (Init.Datatypes.cons (x, v) r)) = v). Axiom get_stack_neq : forall (x:ident) (i:ident) (v:value) (r:(list (ident* value)%type)), (~ (x = i)) -> ((get_stack i (Init.Datatypes.cons (x, v) r)) = (get_stack i r)). Parameter eval_bin: value -> operator -> value -> value. Axiom eval_bin_def : forall (x:value) (op:operator) (y:value), match (x, y) with | ((Vint x1), (Vint y1)) => match op with | Oplus => ((eval_bin x op y) = (Vint (x1 + y1)%Z)) | Ominus => ((eval_bin x op y) = (Vint (x1 - y1)%Z)) | Omult => ((eval_bin x op y) = (Vint (x1 * y1)%Z)) | Ole => ((x1 <= y1)%Z -> ((eval_bin x op y) = (Vbool true))) /\ ((~ (x1 <= y1)%Z) -> ((eval_bin x op y) = (Vbool false))) end | (_, _) => ((eval_bin x op y) = Vvoid) end. (* Why3 assumption *) Fixpoint eval_term (sigma:(map.Map.map mident value)) (pi:(list (ident* value)%type)) (t:term) {struct t}: value := match t with | (Tvalue v) => v | (Tvar id) => (get_stack id pi) | (Tderef id) => (map.Map.get sigma id) | (Tbin t1 op t2) => (eval_bin (eval_term sigma pi t1) op (eval_term sigma pi t2)) end. (* Why3 assumption *) Fixpoint eval_fmla (sigma:(map.Map.map mident value)) (pi:(list (ident* value)%type)) (f:fmla) {struct f}: Prop := match f with | (Fterm t) => ((eval_term sigma pi t) = (Vbool true)) | (Fand f1 f2) => (eval_fmla sigma pi f1) /\ (eval_fmla sigma pi f2) | (Fnot f1) => ~ (eval_fmla sigma pi f1) | (Fimplies f1 f2) => (eval_fmla sigma pi f1) -> (eval_fmla sigma pi f2) | (Flet x t f1) => (eval_fmla sigma (Init.Datatypes.cons (x, (eval_term sigma pi t)) pi) f1) | (Fforall x TYint f1) => forall (n:Z), (eval_fmla sigma (Init.Datatypes.cons (x, (Vint n)) pi) f1) | (Fforall x TYbool f1) => forall (b:bool), (eval_fmla sigma (Init.Datatypes.cons (x, (Vbool b)) pi) f1) | (Fforall x TYunit f1) => (eval_fmla sigma (Init.Datatypes.cons (x, Vvoid) pi) f1) end. (* Why3 assumption *) Definition valid_fmla (p:fmla): Prop := forall (sigma:(map.Map.map mident value)) (pi:(list (ident* value)%type)), (eval_fmla sigma pi p). (* Why3 assumption *) Inductive one_step: (map.Map.map mident value) -> (list (ident* value)%type) -> stmt -> (map.Map.map mident value) -> (list (ident* value)%type) -> stmt -> Prop := | one_step_assign : forall (sigma:(map.Map.map mident value)) (sigma':(map.Map.map mident value)) (pi:(list (ident* value)%type)) (x:mident) (t:term), (sigma' = (map.Map.set sigma x (eval_term sigma pi t))) -> (one_step sigma pi (Sassign x t) sigma' pi Sskip) | one_step_seq_noskip : forall (sigma:(map.Map.map mident value)) (sigma':(map.Map.map mident value)) (pi:(list (ident* value)%type)) (pi':(list (ident* value)%type)) (s1:stmt) (s1':stmt) (s2:stmt), (one_step sigma pi s1 sigma' pi' s1') -> (one_step sigma pi (Sseq s1 s2) sigma' pi' (Sseq s1' s2)) | one_step_seq_skip : forall (sigma:(map.Map.map mident value)) (pi:(list (ident* value)%type)) (s:stmt), (one_step sigma pi (Sseq Sskip s) sigma pi s) | one_step_if_true : forall (sigma:(map.Map.map mident value)) (pi:(list (ident* value)%type)) (t:term) (s1:stmt) (s2:stmt), ((eval_term sigma pi t) = (Vbool true)) -> (one_step sigma pi (Sif t s1 s2) sigma pi s1) | one_step_if_false : forall (sigma:(map.Map.map mident value)) (pi:(list (ident* value)%type)) (t:term) (s1:stmt) (s2:stmt), ((eval_term sigma pi t) = (Vbool false)) -> (one_step sigma pi (Sif t s1 s2) sigma pi s2) | one_step_assert : forall (sigma:(map.Map.map mident value)) (pi:(list (ident* value)%type)) (f:fmla), (eval_fmla sigma pi f) -> (one_step sigma pi (Sassert f) sigma pi Sskip) | one_step_while_true : forall (sigma:(map.Map.map mident value)) (pi:(list (ident* value)%type)) (cond:term) (inv:fmla) (body:stmt), ((eval_fmla sigma pi inv) /\ ((eval_term sigma pi cond) = (Vbool true))) -> (one_step sigma pi (Swhile cond inv body) sigma pi (Sseq body (Swhile cond inv body))) | one_step_while_false : forall (sigma:(map.Map.map mident value)) (pi:(list (ident* value)%type)) (cond:term) (inv:fmla) (body:stmt), ((eval_fmla sigma pi inv) /\ ((eval_term sigma pi cond) = (Vbool false))) -> (one_step sigma pi (Swhile cond inv body) sigma pi Sskip). (* Why3 assumption *) Inductive many_steps: (map.Map.map mident value) -> (list (ident* value)%type) -> stmt -> (map.Map.map mident value) -> (list (ident* value)%type) -> stmt -> Z -> Prop := | many_steps_refl : forall (sigma:(map.Map.map mident value)) (pi:(list (ident* value)%type)) (s:stmt), (many_steps sigma pi s sigma pi s 0%Z) | many_steps_trans : forall (sigma1:(map.Map.map mident value)) (sigma2:(map.Map.map mident value)) (sigma3:(map.Map.map mident value)) (pi1:(list (ident* value)%type)) (pi2:(list (ident* value)%type)) (pi3:(list (ident* value)%type)) (s1:stmt) (s2:stmt) (s3:stmt) (n:Z), (one_step sigma1 pi1 s1 sigma2 pi2 s2) -> ((many_steps sigma2 pi2 s2 sigma3 pi3 s3 n) -> (many_steps sigma1 pi1 s1 sigma3 pi3 s3 (n + 1%Z)%Z)). Axiom steps_non_neg : forall (sigma1:(map.Map.map mident value)) (sigma2:(map.Map.map mident value)) (pi1:(list (ident* value)%type)) (pi2:(list (ident* value)%type)) (s1:stmt) (s2:stmt) (n:Z), (many_steps sigma1 pi1 s1 sigma2 pi2 s2 n) -> (0%Z <= n)%Z. (* Why3 assumption *) Definition reductible (sigma:(map.Map.map mident value)) (pi:(list (ident* value)%type)) (s:stmt): Prop := exists sigma':(map.Map.map mident value), exists pi':(list (ident* value)%type), exists s':stmt, (one_step sigma pi s sigma' pi' s'). (* Why3 assumption *) Definition type_value (v:value): datatype := match v with | Vvoid => TYunit | (Vint _) => TYint | (Vbool _) => TYbool end. (* Why3 assumption *) Inductive type_operator: operator -> datatype -> datatype -> datatype -> Prop := | Type_plus : (type_operator Oplus TYint TYint TYint) | Type_minus : (type_operator Ominus TYint TYint TYint) | Type_mult : (type_operator Omult TYint TYint TYint) | Type_le : (type_operator Ole TYint TYint TYbool). (* Why3 assumption *) Definition type_stack := (list (ident* datatype)%type). Parameter get_vartype: ident -> (list (ident* datatype)%type) -> datatype. Axiom get_vartype_def : forall (i:ident) (pi:(list (ident* datatype)%type)), match pi with | Init.Datatypes.nil => ((get_vartype i pi) = TYunit) | (Init.Datatypes.cons (x, ty) r) => ((x = i) -> ((get_vartype i pi) = ty)) /\ ((~ (x = i)) -> ((get_vartype i pi) = (get_vartype i r))) end. (* Why3 assumption *) Definition type_env := (map.Map.map mident datatype). (* Why3 assumption *) Inductive type_term: (map.Map.map mident datatype) -> (list (ident* datatype)%type) -> term -> datatype -> Prop := | Type_value : forall (sigma:(map.Map.map mident datatype)) (pi:(list (ident* datatype)%type)) (v:value), (type_term sigma pi (Tvalue v) (type_value v)) | Type_var : forall (sigma:(map.Map.map mident datatype)) (pi:(list (ident* datatype)%type)) (v:ident) (ty:datatype), ((get_vartype v pi) = ty) -> (type_term sigma pi (Tvar v) ty) | Type_deref : forall (sigma:(map.Map.map mident datatype)) (pi:(list (ident* datatype)%type)) (v:mident) (ty:datatype), ((map.Map.get sigma v) = ty) -> (type_term sigma pi (Tderef v) ty) | Type_bin : forall (sigma:(map.Map.map mident datatype)) (pi:(list (ident* datatype)%type)) (t1:term) (t2:term) (op:operator) (ty1:datatype) (ty2:datatype) (ty:datatype), ((type_term sigma pi t1 ty1) /\ ((type_term sigma pi t2 ty2) /\ (type_operator op ty1 ty2 ty))) -> (type_term sigma pi (Tbin t1 op t2) ty). (* Why3 assumption *) Inductive type_fmla: (map.Map.map mident datatype) -> (list (ident* datatype)%type) -> fmla -> Prop := | Type_term : forall (sigma:(map.Map.map mident datatype)) (pi:(list (ident* datatype)%type)) (t:term), (type_term sigma pi t TYbool) -> (type_fmla sigma pi (Fterm t)) | Type_conj : forall (sigma:(map.Map.map mident datatype)) (pi:(list (ident* datatype)%type)) (f1:fmla) (f2:fmla), ((type_fmla sigma pi f1) /\ (type_fmla sigma pi f2)) -> (type_fmla sigma pi (Fand f1 f2)) | Type_neg : forall (sigma:(map.Map.map mident datatype)) (pi:(list (ident* datatype)%type)) (f:fmla), (type_fmla sigma pi f) -> (type_fmla sigma pi (Fnot f)) | Type_implies : forall (sigma:(map.Map.map mident datatype)) (pi:(list (ident* datatype)%type)) (f1:fmla) (f2:fmla), (type_fmla sigma pi f1) -> ((type_fmla sigma pi f2) -> (type_fmla sigma pi (Fimplies f1 f2))) | Type_let : forall (sigma:(map.Map.map mident datatype)) (pi:(list (ident* datatype)%type)) (x:ident) (t:term) (f:fmla) (ty:datatype), (type_term sigma pi t ty) -> ((type_fmla sigma (Init.Datatypes.cons (x, ty) pi) f) -> (type_fmla sigma pi (Flet x t f))) | Type_forall : forall (sigma:(map.Map.map mident datatype)) (pi:(list (ident* datatype)%type)) (x:ident) (f:fmla) (ty:datatype), (type_fmla sigma (Init.Datatypes.cons (x, ty) pi) f) -> (type_fmla sigma pi (Fforall x ty f)). (* Why3 assumption *) Inductive type_stmt: (map.Map.map mident datatype) -> (list (ident* datatype)%type) -> stmt -> Prop := | Type_skip : forall (sigma:(map.Map.map mident datatype)) (pi:(list (ident* datatype)%type)), (type_stmt sigma pi Sskip) | Type_seq : forall (sigma:(map.Map.map mident datatype)) (pi:(list (ident* datatype)%type)) (s1:stmt) (s2:stmt), (type_stmt sigma pi s1) -> ((type_stmt sigma pi s2) -> (type_stmt sigma pi (Sseq s1 s2))) | Type_assigns : forall (sigma:(map.Map.map mident datatype)) (pi:(list (ident* datatype)%type)) (x:mident) (t:term) (ty:datatype), ((map.Map.get sigma x) = ty) -> ((type_term sigma pi t ty) -> (type_stmt sigma pi (Sassign x t))) | Type_if : forall (sigma:(map.Map.map mident datatype)) (pi:(list (ident* datatype)%type)) (t:term) (s1:stmt) (s2:stmt), (type_term sigma pi t TYbool) -> ((type_stmt sigma pi s1) -> ((type_stmt sigma pi s2) -> (type_stmt sigma pi (Sif t s1 s2)))) | Type_assert : forall (sigma:(map.Map.map mident datatype)) (pi:(list (ident* datatype)%type)) (p:fmla), (type_fmla sigma pi p) -> (type_stmt sigma pi (Sassert p)) | Type_while : forall (sigma:(map.Map.map mident datatype)) (pi:(list (ident* datatype)%type)) (cond:term) (body:stmt) (inv:fmla), (type_fmla sigma pi inv) -> ((type_term sigma pi cond TYbool) -> ((type_stmt sigma pi body) -> (type_stmt sigma pi (Swhile cond inv body)))). (* Why3 assumption *) Definition compatible_env (sigma:(map.Map.map mident value)) (sigmat:(map.Map.map mident datatype)) (pi:(list (ident* value)%type)) (pit:(list (ident* datatype)%type)): Prop := (forall (id:mident), ((type_value (map.Map.get sigma id)) = (map.Map.get sigmat id))) /\ forall (id:ident), ((type_value (get_stack id pi)) = (get_vartype id pit)). Axiom type_inversion : forall (v:value), match (type_value v) with | TYbool => exists b:bool, (v = (Vbool b)) | TYint => exists n:Z, (v = (Vint n)) | TYunit => (v = Vvoid) end. Axiom eval_type_term : forall (t:term) (sigma:(map.Map.map mident value)) (pi:(list (ident* value)%type)) (sigmat:(map.Map.map mident datatype)) (pit:(list (ident* datatype)%type)) (ty:datatype), (compatible_env sigma sigmat pi pit) -> ((type_term sigmat pit t ty) -> ((type_value (eval_term sigma pi t)) = ty)). Axiom type_preservation : forall (s1:stmt) (s2:stmt) (sigma1:(map.Map.map mident value)) (sigma2:(map.Map.map mident value)) (pi1:(list (ident* value)%type)) (pi2:(list (ident* value)%type)) (sigmat:(map.Map.map mident datatype)) (pit:(list (ident* datatype)%type)), ((type_stmt sigmat pit s1) /\ ((compatible_env sigma1 sigmat pi1 pit) /\ (one_step sigma1 pi1 s1 sigma2 pi2 s2))) -> ((type_stmt sigmat pit s2) /\ (compatible_env sigma2 sigmat pi2 pit)). Axiom Cons_append : forall {a:Type} {a_WT:WhyType a}, forall (a1:a) (l1:(list a)) (l2:(list a)), ((Init.Datatypes.cons a1 (Init.Datatypes.app l1 l2)) = (Init.Datatypes.app (Init.Datatypes.cons a1 l1) l2)). Axiom Append_nil_l : forall {a:Type} {a_WT:WhyType a}, forall (l:(list a)), ((Init.Datatypes.app Init.Datatypes.nil l) = l). Parameter msubst_term: term -> mident -> ident -> term. Axiom msubst_term_def : forall (t:term) (x:mident) (v:ident), match t with | ((Tvalue _)|(Tvar _)) => ((msubst_term t x v) = t) | (Tderef y) => ((x = y) -> ((msubst_term t x v) = (Tvar v))) /\ ((~ (x = y)) -> ((msubst_term t x v) = t)) | (Tbin t1 op t2) => ((msubst_term t x v) = (Tbin (msubst_term t1 x v) op (msubst_term t2 x v))) end. (* Why3 assumption *) Fixpoint msubst (f:fmla) (x:mident) (v:ident) {struct f}: fmla := match f with | (Fterm e) => (Fterm (msubst_term e x v)) | (Fand f1 f2) => (Fand (msubst f1 x v) (msubst f2 x v)) | (Fnot f1) => (Fnot (msubst f1 x v)) | (Fimplies f1 f2) => (Fimplies (msubst f1 x v) (msubst f2 x v)) | (Flet y t f1) => (Flet y (msubst_term t x v) (msubst f1 x v)) | (Fforall y ty f1) => (Fforall y ty (msubst f1 x v)) end. (* Why3 assumption *) Fixpoint fresh_in_term (id:ident) (t:term) {struct t}: Prop := match t with | ((Tvalue _)|(Tderef _)) => True | (Tvar i) => ~ (id = i) | (Tbin t1 _ t2) => (fresh_in_term id t1) /\ (fresh_in_term id t2) end. (* Why3 assumption *) Fixpoint fresh_in_fmla (id:ident) (f:fmla) {struct f}: Prop := match f with | (Fterm e) => (fresh_in_term id e) | ((Fand f1 f2)|(Fimplies f1 f2)) => (fresh_in_fmla id f1) /\ (fresh_in_fmla id f2) | (Fnot f1) => (fresh_in_fmla id f1) | (Flet y t f1) => (~ (id = y)) /\ ((fresh_in_term id t) /\ (fresh_in_fmla id f1)) | (Fforall y _ f1) => (~ (id = y)) /\ (fresh_in_fmla id f1) end. Axiom eval_msubst_term : forall (e:term) (sigma:(map.Map.map mident value)) (pi:(list (ident* value)%type)) (x:mident) (v:ident), (fresh_in_term v e) -> ((eval_term sigma pi (msubst_term e x v)) = (eval_term (map.Map.set sigma x (get_stack v pi)) pi e)). Axiom eval_msubst : forall (f:fmla) (sigma:(map.Map.map mident value)) (pi:(list (ident* value)%type)) (x:mident) (v:ident), (fresh_in_fmla v f) -> ((eval_fmla sigma pi (msubst f x v)) <-> (eval_fmla (map.Map.set sigma x (get_stack v pi)) pi f)). Axiom eval_swap_term : forall (t:term) (sigma:(map.Map.map mident value)) (pi:(list (ident* value)%type)) (l:(list (ident* value)%type)) (id1:ident) (id2:ident) (v1:value) (v2:value), (~ (id1 = id2)) -> ((eval_term sigma (Init.Datatypes.app l (Init.Datatypes.cons (id1, v1) (Init.Datatypes.cons ( id2, v2) pi))) t) = (eval_term sigma (Init.Datatypes.app l (Init.Datatypes.cons (id2, v2) (Init.Datatypes.cons ( id1, v1) pi))) t)). Axiom eval_swap_gen : forall (f:fmla) (sigma:(map.Map.map mident value)) (pi:(list (ident* value)%type)) (l:(list (ident* value)%type)) (id1:ident) (id2:ident) (v1:value) (v2:value), (~ (id1 = id2)) -> ((eval_fmla sigma (Init.Datatypes.app l (Init.Datatypes.cons (id1, v1) (Init.Datatypes.cons ( id2, v2) pi))) f) <-> (eval_fmla sigma (Init.Datatypes.app l (Init.Datatypes.cons (id2, v2) (Init.Datatypes.cons ( id1, v1) pi))) f)). Axiom eval_swap : forall (f:fmla) (sigma:(map.Map.map mident value)) (pi:(list (ident* value)%type)) (id1:ident) (id2:ident) (v1:value) (v2:value), (~ (id1 = id2)) -> ((eval_fmla sigma (Init.Datatypes.cons (id1, v1) (Init.Datatypes.cons (id2, v2) pi)) f) <-> (eval_fmla sigma (Init.Datatypes.cons (id2, v2) (Init.Datatypes.cons (id1, v1) pi)) f)). Axiom eval_term_change_free : forall (t:term) (sigma:(map.Map.map mident value)) (pi:(list (ident* value)%type)) (id:ident) (v:value), (fresh_in_term id t) -> ((eval_term sigma (Init.Datatypes.cons (id, v) pi) t) = (eval_term sigma pi t)). Axiom eval_change_free : forall (f:fmla) (sigma:(map.Map.map mident value)) (pi:(list (ident* value)%type)) (id:ident) (v:value), (fresh_in_fmla id f) -> ((eval_fmla sigma (Init.Datatypes.cons (id, v) pi) f) <-> (eval_fmla sigma pi f)). Parameter fresh_from: fmla -> ident. Axiom fresh_from_fmla : forall (f:fmla), (fresh_in_fmla (fresh_from f) f). Parameter abstract_effects: stmt -> fmla -> fmla. Axiom abstract_effects_specialize : forall (sigma:(map.Map.map mident value)) (pi:(list (ident* value)%type)) (s:stmt) (f:fmla), (eval_fmla sigma pi (abstract_effects s f)) -> (eval_fmla sigma pi f). Axiom abstract_effects_distrib_conj : forall (s:stmt) (p:fmla) (q:fmla) (sigma:(map.Map.map mident value)) (pi:(list (ident* value)%type)), ((eval_fmla sigma pi (abstract_effects s p)) /\ (eval_fmla sigma pi (abstract_effects s q))) -> (eval_fmla sigma pi (abstract_effects s (Fand p q))). Axiom abstract_effects_monotonic : forall (s:stmt) (p:fmla) (q:fmla), (valid_fmla (Fimplies p q)) -> forall (sigma:(map.Map.map mident value)) (pi:(list (ident* value)%type)), (eval_fmla sigma pi (abstract_effects s p)) -> (eval_fmla sigma pi (abstract_effects s q)). (* Why3 assumption *) Fixpoint wp (s:stmt) (q:fmla) {struct s}: fmla := match s with | Sskip => q | (Sassert f) => (Fand f (Fimplies f q)) | (Sseq s1 s2) => (wp s1 (wp s2 q)) | (Sassign x t) => let id := (fresh_from q) in (Flet id t (msubst q x id)) | (Sif t s1 s2) => (Fand (Fimplies (Fterm t) (wp s1 q)) (Fimplies (Fnot (Fterm t)) (wp s2 q))) | (Swhile cond inv body) => (Fand inv (abstract_effects body (Fand (Fimplies (Fand (Fterm cond) inv) (wp body inv)) (Fimplies (Fand (Fnot (Fterm cond)) inv) q)))) end. Axiom abstract_effects_writes : forall (sigma:(map.Map.map mident value)) (pi:(list (ident* value)%type)) (body:stmt) (cond:term) (inv:fmla) (q:fmla), let f := (abstract_effects body (Fand (Fimplies (Fand (Fterm cond) inv) (wp body inv)) (Fimplies (Fand (Fnot (Fterm cond)) inv) q))) in ((eval_fmla sigma pi f) -> (eval_fmla sigma pi (wp body f))). Axiom monotonicity : forall (s:stmt) (p:fmla) (q:fmla), (valid_fmla (Fimplies p q)) -> (valid_fmla (Fimplies (wp s p) (wp s q))). Axiom distrib_conj : forall (s:stmt) (sigma:(map.Map.map mident value)) (pi:(list (ident* value)%type)) (p:fmla) (q:fmla), ((eval_fmla sigma pi (wp s p)) /\ (eval_fmla sigma pi (wp s q))) -> (eval_fmla sigma pi (wp s (Fand p q))). Axiom wp_preserved_by_reduction : forall (sigma:(map.Map.map mident value)) (sigma':(map.Map.map mident value)) (pi:(list (ident* value)%type)) (pi':(list (ident* value)%type)) (s:stmt) (s':stmt), (one_step sigma pi s sigma' pi' s') -> forall (q:fmla), (eval_fmla sigma pi (wp s q)) -> (eval_fmla sigma' pi' (wp s' q)). (* Why3 goal *) Theorem progress : forall (s:stmt), forall (x:mident) (x1:term), (s = (Sassign x x1)) -> forall (sigma:(map.Map.map mident value)) (pi:(list (ident* value)%type)) (sigmat:(map.Map.map mident datatype)) (pit:(list (ident* datatype)%type)) (q:fmla), (compatible_env sigma sigmat pi pit) -> ((type_stmt sigmat pit s) -> ((eval_fmla sigma pi (wp s q)) -> ((~ (s = Sskip)) -> (reductible sigma pi s)))). (* Why3 intros s x x1 h1 sigma pi sigmat pit q h2 h3 h4 h5. *) intros s x x1 H_;rewrite H_ in *. intros. do 3 eexists; econstructor; eauto. Qed. �������why3-1.6.0/examples/WP_revisited/blocking_semantics5/blocking_semantics5_WP_progress_3.v������������0000664�0000000�0000000�00000055064�14401600263�0031451�0����������������������������������������������������������������������������������������������������ustar�00root����������������������������root����������������������������0000000�0000000������������������������������������������������������������������������������������������������������������������������������������������������������������������������(* This file is generated by Why3's Coq driver *) (* Beware! Only edit allowed sections below *) Require Import BuiltIn. Require BuiltIn. Require bool.Bool. Require int.Int. Require map.Map. Require list.List. Require list.Length. Require list.Mem. Require list.Append. (* Why3 assumption *) Inductive datatype := | TYunit : datatype | TYint : datatype | TYbool : datatype. Axiom datatype_WhyType : WhyType datatype. Existing Instance datatype_WhyType. (* Why3 assumption *) Inductive value := | Vvoid : value | Vint : Z -> value | Vbool : bool -> value. Axiom value_WhyType : WhyType value. Existing Instance value_WhyType. (* Why3 assumption *) Inductive operator := | Oplus : operator | Ominus : operator | Omult : operator | Ole : operator. Axiom operator_WhyType : WhyType operator. Existing Instance operator_WhyType. Axiom mident : Type. Parameter mident_WhyType : WhyType mident. Existing Instance mident_WhyType. Axiom mident_decide : forall (m1:mident) (m2:mident), (m1 = m2) \/ ~ (m1 = m2). Axiom ident : Type. Parameter ident_WhyType : WhyType ident. Existing Instance ident_WhyType. Axiom ident_decide : forall (m1:ident) (m2:ident), (m1 = m2) \/ ~ (m1 = m2). (* Why3 assumption *) Inductive term := | Tvalue : value -> term | Tvar : ident -> term | Tderef : mident -> term | Tbin : term -> operator -> term -> term. Axiom term_WhyType : WhyType term. Existing Instance term_WhyType. (* Why3 assumption *) Inductive fmla := | Fterm : term -> fmla | Fand : fmla -> fmla -> fmla | Fnot : fmla -> fmla | Fimplies : fmla -> fmla -> fmla | Flet : ident -> term -> fmla -> fmla | Fforall : ident -> datatype -> fmla -> fmla. Axiom fmla_WhyType : WhyType fmla. Existing Instance fmla_WhyType. (* Why3 assumption *) Inductive stmt := | Sskip : stmt | Sassign : mident -> term -> stmt | Sseq : stmt -> stmt -> stmt | Sif : term -> stmt -> stmt -> stmt | Sassert : fmla -> stmt | Swhile : term -> fmla -> stmt -> stmt. Axiom stmt_WhyType : WhyType stmt. Existing Instance stmt_WhyType. Axiom decide_is_skip : forall (s:stmt), (s = Sskip) \/ ~ (s = Sskip). (* Why3 assumption *) Definition env := (map.Map.map mident value). (* Why3 assumption *) Definition stack := (list (ident* value)%type). Parameter get_stack: ident -> (list (ident* value)%type) -> value. Axiom get_stack_def : forall (i:ident) (pi:(list (ident* value)%type)), match pi with | Init.Datatypes.nil => ((get_stack i pi) = Vvoid) | (Init.Datatypes.cons (x, v) r) => ((x = i) -> ((get_stack i pi) = v)) /\ ((~ (x = i)) -> ((get_stack i pi) = (get_stack i r))) end. Axiom get_stack_eq : forall (x:ident) (v:value) (r:(list (ident* value)%type)), ((get_stack x (Init.Datatypes.cons (x, v) r)) = v). Axiom get_stack_neq : forall (x:ident) (i:ident) (v:value) (r:(list (ident* value)%type)), (~ (x = i)) -> ((get_stack i (Init.Datatypes.cons (x, v) r)) = (get_stack i r)). Parameter eval_bin: value -> operator -> value -> value. Axiom eval_bin_def : forall (x:value) (op:operator) (y:value), match (x, y) with | ((Vint x1), (Vint y1)) => match op with | Oplus => ((eval_bin x op y) = (Vint (x1 + y1)%Z)) | Ominus => ((eval_bin x op y) = (Vint (x1 - y1)%Z)) | Omult => ((eval_bin x op y) = (Vint (x1 * y1)%Z)) | Ole => ((x1 <= y1)%Z -> ((eval_bin x op y) = (Vbool true))) /\ ((~ (x1 <= y1)%Z) -> ((eval_bin x op y) = (Vbool false))) end | (_, _) => ((eval_bin x op y) = Vvoid) end. (* Why3 assumption *) Fixpoint eval_term (sigma:(map.Map.map mident value)) (pi:(list (ident* value)%type)) (t:term) {struct t}: value := match t with | (Tvalue v) => v | (Tvar id) => (get_stack id pi) | (Tderef id) => (map.Map.get sigma id) | (Tbin t1 op t2) => (eval_bin (eval_term sigma pi t1) op (eval_term sigma pi t2)) end. (* Why3 assumption *) Fixpoint eval_fmla (sigma:(map.Map.map mident value)) (pi:(list (ident* value)%type)) (f:fmla) {struct f}: Prop := match f with | (Fterm t) => ((eval_term sigma pi t) = (Vbool true)) | (Fand f1 f2) => (eval_fmla sigma pi f1) /\ (eval_fmla sigma pi f2) | (Fnot f1) => ~ (eval_fmla sigma pi f1) | (Fimplies f1 f2) => (eval_fmla sigma pi f1) -> (eval_fmla sigma pi f2) | (Flet x t f1) => (eval_fmla sigma (Init.Datatypes.cons (x, (eval_term sigma pi t)) pi) f1) | (Fforall x TYint f1) => forall (n:Z), (eval_fmla sigma (Init.Datatypes.cons (x, (Vint n)) pi) f1) | (Fforall x TYbool f1) => forall (b:bool), (eval_fmla sigma (Init.Datatypes.cons (x, (Vbool b)) pi) f1) | (Fforall x TYunit f1) => (eval_fmla sigma (Init.Datatypes.cons (x, Vvoid) pi) f1) end. (* Why3 assumption *) Definition valid_fmla (p:fmla): Prop := forall (sigma:(map.Map.map mident value)) (pi:(list (ident* value)%type)), (eval_fmla sigma pi p). (* Why3 assumption *) Inductive one_step: (map.Map.map mident value) -> (list (ident* value)%type) -> stmt -> (map.Map.map mident value) -> (list (ident* value)%type) -> stmt -> Prop := | one_step_assign : forall (sigma:(map.Map.map mident value)) (sigma':(map.Map.map mident value)) (pi:(list (ident* value)%type)) (x:mident) (t:term), (sigma' = (map.Map.set sigma x (eval_term sigma pi t))) -> (one_step sigma pi (Sassign x t) sigma' pi Sskip) | one_step_seq_noskip : forall (sigma:(map.Map.map mident value)) (sigma':(map.Map.map mident value)) (pi:(list (ident* value)%type)) (pi':(list (ident* value)%type)) (s1:stmt) (s1':stmt) (s2:stmt), (one_step sigma pi s1 sigma' pi' s1') -> (one_step sigma pi (Sseq s1 s2) sigma' pi' (Sseq s1' s2)) | one_step_seq_skip : forall (sigma:(map.Map.map mident value)) (pi:(list (ident* value)%type)) (s:stmt), (one_step sigma pi (Sseq Sskip s) sigma pi s) | one_step_if_true : forall (sigma:(map.Map.map mident value)) (pi:(list (ident* value)%type)) (t:term) (s1:stmt) (s2:stmt), ((eval_term sigma pi t) = (Vbool true)) -> (one_step sigma pi (Sif t s1 s2) sigma pi s1) | one_step_if_false : forall (sigma:(map.Map.map mident value)) (pi:(list (ident* value)%type)) (t:term) (s1:stmt) (s2:stmt), ((eval_term sigma pi t) = (Vbool false)) -> (one_step sigma pi (Sif t s1 s2) sigma pi s2) | one_step_assert : forall (sigma:(map.Map.map mident value)) (pi:(list (ident* value)%type)) (f:fmla), (eval_fmla sigma pi f) -> (one_step sigma pi (Sassert f) sigma pi Sskip) | one_step_while_true : forall (sigma:(map.Map.map mident value)) (pi:(list (ident* value)%type)) (cond:term) (inv:fmla) (body:stmt), ((eval_fmla sigma pi inv) /\ ((eval_term sigma pi cond) = (Vbool true))) -> (one_step sigma pi (Swhile cond inv body) sigma pi (Sseq body (Swhile cond inv body))) | one_step_while_false : forall (sigma:(map.Map.map mident value)) (pi:(list (ident* value)%type)) (cond:term) (inv:fmla) (body:stmt), ((eval_fmla sigma pi inv) /\ ((eval_term sigma pi cond) = (Vbool false))) -> (one_step sigma pi (Swhile cond inv body) sigma pi Sskip). (* Why3 assumption *) Inductive many_steps: (map.Map.map mident value) -> (list (ident* value)%type) -> stmt -> (map.Map.map mident value) -> (list (ident* value)%type) -> stmt -> Z -> Prop := | many_steps_refl : forall (sigma:(map.Map.map mident value)) (pi:(list (ident* value)%type)) (s:stmt), (many_steps sigma pi s sigma pi s 0%Z) | many_steps_trans : forall (sigma1:(map.Map.map mident value)) (sigma2:(map.Map.map mident value)) (sigma3:(map.Map.map mident value)) (pi1:(list (ident* value)%type)) (pi2:(list (ident* value)%type)) (pi3:(list (ident* value)%type)) (s1:stmt) (s2:stmt) (s3:stmt) (n:Z), (one_step sigma1 pi1 s1 sigma2 pi2 s2) -> ((many_steps sigma2 pi2 s2 sigma3 pi3 s3 n) -> (many_steps sigma1 pi1 s1 sigma3 pi3 s3 (n + 1%Z)%Z)). Axiom steps_non_neg : forall (sigma1:(map.Map.map mident value)) (sigma2:(map.Map.map mident value)) (pi1:(list (ident* value)%type)) (pi2:(list (ident* value)%type)) (s1:stmt) (s2:stmt) (n:Z), (many_steps sigma1 pi1 s1 sigma2 pi2 s2 n) -> (0%Z <= n)%Z. (* Why3 assumption *) Definition reductible (sigma:(map.Map.map mident value)) (pi:(list (ident* value)%type)) (s:stmt): Prop := exists sigma':(map.Map.map mident value), exists pi':(list (ident* value)%type), exists s':stmt, (one_step sigma pi s sigma' pi' s'). (* Why3 assumption *) Definition type_value (v:value): datatype := match v with | Vvoid => TYunit | (Vint _) => TYint | (Vbool _) => TYbool end. (* Why3 assumption *) Inductive type_operator: operator -> datatype -> datatype -> datatype -> Prop := | Type_plus : (type_operator Oplus TYint TYint TYint) | Type_minus : (type_operator Ominus TYint TYint TYint) | Type_mult : (type_operator Omult TYint TYint TYint) | Type_le : (type_operator Ole TYint TYint TYbool). (* Why3 assumption *) Definition type_stack := (list (ident* datatype)%type). Parameter get_vartype: ident -> (list (ident* datatype)%type) -> datatype. Axiom get_vartype_def : forall (i:ident) (pi:(list (ident* datatype)%type)), match pi with | Init.Datatypes.nil => ((get_vartype i pi) = TYunit) | (Init.Datatypes.cons (x, ty) r) => ((x = i) -> ((get_vartype i pi) = ty)) /\ ((~ (x = i)) -> ((get_vartype i pi) = (get_vartype i r))) end. (* Why3 assumption *) Definition type_env := (map.Map.map mident datatype). (* Why3 assumption *) Inductive type_term: (map.Map.map mident datatype) -> (list (ident* datatype)%type) -> term -> datatype -> Prop := | Type_value : forall (sigma:(map.Map.map mident datatype)) (pi:(list (ident* datatype)%type)) (v:value), (type_term sigma pi (Tvalue v) (type_value v)) | Type_var : forall (sigma:(map.Map.map mident datatype)) (pi:(list (ident* datatype)%type)) (v:ident) (ty:datatype), ((get_vartype v pi) = ty) -> (type_term sigma pi (Tvar v) ty) | Type_deref : forall (sigma:(map.Map.map mident datatype)) (pi:(list (ident* datatype)%type)) (v:mident) (ty:datatype), ((map.Map.get sigma v) = ty) -> (type_term sigma pi (Tderef v) ty) | Type_bin : forall (sigma:(map.Map.map mident datatype)) (pi:(list (ident* datatype)%type)) (t1:term) (t2:term) (op:operator) (ty1:datatype) (ty2:datatype) (ty:datatype), ((type_term sigma pi t1 ty1) /\ ((type_term sigma pi t2 ty2) /\ (type_operator op ty1 ty2 ty))) -> (type_term sigma pi (Tbin t1 op t2) ty). (* Why3 assumption *) Inductive type_fmla: (map.Map.map mident datatype) -> (list (ident* datatype)%type) -> fmla -> Prop := | Type_term : forall (sigma:(map.Map.map mident datatype)) (pi:(list (ident* datatype)%type)) (t:term), (type_term sigma pi t TYbool) -> (type_fmla sigma pi (Fterm t)) | Type_conj : forall (sigma:(map.Map.map mident datatype)) (pi:(list (ident* datatype)%type)) (f1:fmla) (f2:fmla), ((type_fmla sigma pi f1) /\ (type_fmla sigma pi f2)) -> (type_fmla sigma pi (Fand f1 f2)) | Type_neg : forall (sigma:(map.Map.map mident datatype)) (pi:(list (ident* datatype)%type)) (f:fmla), (type_fmla sigma pi f) -> (type_fmla sigma pi (Fnot f)) | Type_implies : forall (sigma:(map.Map.map mident datatype)) (pi:(list (ident* datatype)%type)) (f1:fmla) (f2:fmla), (type_fmla sigma pi f1) -> ((type_fmla sigma pi f2) -> (type_fmla sigma pi (Fimplies f1 f2))) | Type_let : forall (sigma:(map.Map.map mident datatype)) (pi:(list (ident* datatype)%type)) (x:ident) (t:term) (f:fmla) (ty:datatype), (type_term sigma pi t ty) -> ((type_fmla sigma (Init.Datatypes.cons (x, ty) pi) f) -> (type_fmla sigma pi (Flet x t f))) | Type_forall : forall (sigma:(map.Map.map mident datatype)) (pi:(list (ident* datatype)%type)) (x:ident) (f:fmla) (ty:datatype), (type_fmla sigma (Init.Datatypes.cons (x, ty) pi) f) -> (type_fmla sigma pi (Fforall x ty f)). (* Why3 assumption *) Inductive type_stmt: (map.Map.map mident datatype) -> (list (ident* datatype)%type) -> stmt -> Prop := | Type_skip : forall (sigma:(map.Map.map mident datatype)) (pi:(list (ident* datatype)%type)), (type_stmt sigma pi Sskip) | Type_seq : forall (sigma:(map.Map.map mident datatype)) (pi:(list (ident* datatype)%type)) (s1:stmt) (s2:stmt), (type_stmt sigma pi s1) -> ((type_stmt sigma pi s2) -> (type_stmt sigma pi (Sseq s1 s2))) | Type_assigns : forall (sigma:(map.Map.map mident datatype)) (pi:(list (ident* datatype)%type)) (x:mident) (t:term) (ty:datatype), ((map.Map.get sigma x) = ty) -> ((type_term sigma pi t ty) -> (type_stmt sigma pi (Sassign x t))) | Type_if : forall (sigma:(map.Map.map mident datatype)) (pi:(list (ident* datatype)%type)) (t:term) (s1:stmt) (s2:stmt), (type_term sigma pi t TYbool) -> ((type_stmt sigma pi s1) -> ((type_stmt sigma pi s2) -> (type_stmt sigma pi (Sif t s1 s2)))) | Type_assert : forall (sigma:(map.Map.map mident datatype)) (pi:(list (ident* datatype)%type)) (p:fmla), (type_fmla sigma pi p) -> (type_stmt sigma pi (Sassert p)) | Type_while : forall (sigma:(map.Map.map mident datatype)) (pi:(list (ident* datatype)%type)) (cond:term) (body:stmt) (inv:fmla), (type_fmla sigma pi inv) -> ((type_term sigma pi cond TYbool) -> ((type_stmt sigma pi body) -> (type_stmt sigma pi (Swhile cond inv body)))). (* Why3 assumption *) Definition compatible_env (sigma:(map.Map.map mident value)) (sigmat:(map.Map.map mident datatype)) (pi:(list (ident* value)%type)) (pit:(list (ident* datatype)%type)): Prop := (forall (id:mident), ((type_value (map.Map.get sigma id)) = (map.Map.get sigmat id))) /\ forall (id:ident), ((type_value (get_stack id pi)) = (get_vartype id pit)). Axiom type_inversion : forall (v:value), match (type_value v) with | TYbool => exists b:bool, (v = (Vbool b)) | TYint => exists n:Z, (v = (Vint n)) | TYunit => (v = Vvoid) end. Axiom eval_type_term : forall (t:term) (sigma:(map.Map.map mident value)) (pi:(list (ident* value)%type)) (sigmat:(map.Map.map mident datatype)) (pit:(list (ident* datatype)%type)) (ty:datatype), (compatible_env sigma sigmat pi pit) -> ((type_term sigmat pit t ty) -> ((type_value (eval_term sigma pi t)) = ty)). Axiom type_preservation : forall (s1:stmt) (s2:stmt) (sigma1:(map.Map.map mident value)) (sigma2:(map.Map.map mident value)) (pi1:(list (ident* value)%type)) (pi2:(list (ident* value)%type)) (sigmat:(map.Map.map mident datatype)) (pit:(list (ident* datatype)%type)), ((type_stmt sigmat pit s1) /\ ((compatible_env sigma1 sigmat pi1 pit) /\ (one_step sigma1 pi1 s1 sigma2 pi2 s2))) -> ((type_stmt sigmat pit s2) /\ (compatible_env sigma2 sigmat pi2 pit)). Axiom Cons_append : forall {a:Type} {a_WT:WhyType a}, forall (a1:a) (l1:(list a)) (l2:(list a)), ((Init.Datatypes.cons a1 (Init.Datatypes.app l1 l2)) = (Init.Datatypes.app (Init.Datatypes.cons a1 l1) l2)). Axiom Append_nil_l : forall {a:Type} {a_WT:WhyType a}, forall (l:(list a)), ((Init.Datatypes.app Init.Datatypes.nil l) = l). Parameter msubst_term: term -> mident -> ident -> term. Axiom msubst_term_def : forall (t:term) (x:mident) (v:ident), match t with | ((Tvalue _)|(Tvar _)) => ((msubst_term t x v) = t) | (Tderef y) => ((x = y) -> ((msubst_term t x v) = (Tvar v))) /\ ((~ (x = y)) -> ((msubst_term t x v) = t)) | (Tbin t1 op t2) => ((msubst_term t x v) = (Tbin (msubst_term t1 x v) op (msubst_term t2 x v))) end. (* Why3 assumption *) Fixpoint msubst (f:fmla) (x:mident) (v:ident) {struct f}: fmla := match f with | (Fterm e) => (Fterm (msubst_term e x v)) | (Fand f1 f2) => (Fand (msubst f1 x v) (msubst f2 x v)) | (Fnot f1) => (Fnot (msubst f1 x v)) | (Fimplies f1 f2) => (Fimplies (msubst f1 x v) (msubst f2 x v)) | (Flet y t f1) => (Flet y (msubst_term t x v) (msubst f1 x v)) | (Fforall y ty f1) => (Fforall y ty (msubst f1 x v)) end. (* Why3 assumption *) Fixpoint fresh_in_term (id:ident) (t:term) {struct t}: Prop := match t with | ((Tvalue _)|(Tderef _)) => True | (Tvar i) => ~ (id = i) | (Tbin t1 _ t2) => (fresh_in_term id t1) /\ (fresh_in_term id t2) end. (* Why3 assumption *) Fixpoint fresh_in_fmla (id:ident) (f:fmla) {struct f}: Prop := match f with | (Fterm e) => (fresh_in_term id e) | ((Fand f1 f2)|(Fimplies f1 f2)) => (fresh_in_fmla id f1) /\ (fresh_in_fmla id f2) | (Fnot f1) => (fresh_in_fmla id f1) | (Flet y t f1) => (~ (id = y)) /\ ((fresh_in_term id t) /\ (fresh_in_fmla id f1)) | (Fforall y _ f1) => (~ (id = y)) /\ (fresh_in_fmla id f1) end. Axiom eval_msubst_term : forall (e:term) (sigma:(map.Map.map mident value)) (pi:(list (ident* value)%type)) (x:mident) (v:ident), (fresh_in_term v e) -> ((eval_term sigma pi (msubst_term e x v)) = (eval_term (map.Map.set sigma x (get_stack v pi)) pi e)). Axiom eval_msubst : forall (f:fmla) (sigma:(map.Map.map mident value)) (pi:(list (ident* value)%type)) (x:mident) (v:ident), (fresh_in_fmla v f) -> ((eval_fmla sigma pi (msubst f x v)) <-> (eval_fmla (map.Map.set sigma x (get_stack v pi)) pi f)). Axiom eval_swap_term : forall (t:term) (sigma:(map.Map.map mident value)) (pi:(list (ident* value)%type)) (l:(list (ident* value)%type)) (id1:ident) (id2:ident) (v1:value) (v2:value), (~ (id1 = id2)) -> ((eval_term sigma (Init.Datatypes.app l (Init.Datatypes.cons (id1, v1) (Init.Datatypes.cons ( id2, v2) pi))) t) = (eval_term sigma (Init.Datatypes.app l (Init.Datatypes.cons (id2, v2) (Init.Datatypes.cons ( id1, v1) pi))) t)). Axiom eval_swap_gen : forall (f:fmla) (sigma:(map.Map.map mident value)) (pi:(list (ident* value)%type)) (l:(list (ident* value)%type)) (id1:ident) (id2:ident) (v1:value) (v2:value), (~ (id1 = id2)) -> ((eval_fmla sigma (Init.Datatypes.app l (Init.Datatypes.cons (id1, v1) (Init.Datatypes.cons ( id2, v2) pi))) f) <-> (eval_fmla sigma (Init.Datatypes.app l (Init.Datatypes.cons (id2, v2) (Init.Datatypes.cons ( id1, v1) pi))) f)). Axiom eval_swap : forall (f:fmla) (sigma:(map.Map.map mident value)) (pi:(list (ident* value)%type)) (id1:ident) (id2:ident) (v1:value) (v2:value), (~ (id1 = id2)) -> ((eval_fmla sigma (Init.Datatypes.cons (id1, v1) (Init.Datatypes.cons (id2, v2) pi)) f) <-> (eval_fmla sigma (Init.Datatypes.cons (id2, v2) (Init.Datatypes.cons (id1, v1) pi)) f)). Axiom eval_term_change_free : forall (t:term) (sigma:(map.Map.map mident value)) (pi:(list (ident* value)%type)) (id:ident) (v:value), (fresh_in_term id t) -> ((eval_term sigma (Init.Datatypes.cons (id, v) pi) t) = (eval_term sigma pi t)). Axiom eval_change_free : forall (f:fmla) (sigma:(map.Map.map mident value)) (pi:(list (ident* value)%type)) (id:ident) (v:value), (fresh_in_fmla id f) -> ((eval_fmla sigma (Init.Datatypes.cons (id, v) pi) f) <-> (eval_fmla sigma pi f)). Parameter fresh_from: fmla -> ident. Axiom fresh_from_fmla : forall (f:fmla), (fresh_in_fmla (fresh_from f) f). Parameter abstract_effects: stmt -> fmla -> fmla. Axiom abstract_effects_specialize : forall (sigma:(map.Map.map mident value)) (pi:(list (ident* value)%type)) (s:stmt) (f:fmla), (eval_fmla sigma pi (abstract_effects s f)) -> (eval_fmla sigma pi f). Axiom abstract_effects_distrib_conj : forall (s:stmt) (p:fmla) (q:fmla) (sigma:(map.Map.map mident value)) (pi:(list (ident* value)%type)), ((eval_fmla sigma pi (abstract_effects s p)) /\ (eval_fmla sigma pi (abstract_effects s q))) -> (eval_fmla sigma pi (abstract_effects s (Fand p q))). Axiom abstract_effects_monotonic : forall (s:stmt) (p:fmla) (q:fmla), (valid_fmla (Fimplies p q)) -> forall (sigma:(map.Map.map mident value)) (pi:(list (ident* value)%type)), (eval_fmla sigma pi (abstract_effects s p)) -> (eval_fmla sigma pi (abstract_effects s q)). (* Why3 assumption *) Fixpoint wp (s:stmt) (q:fmla) {struct s}: fmla := match s with | Sskip => q | (Sassert f) => (Fand f (Fimplies f q)) | (Sseq s1 s2) => (wp s1 (wp s2 q)) | (Sassign x t) => let id := (fresh_from q) in (Flet id t (msubst q x id)) | (Sif t s1 s2) => (Fand (Fimplies (Fterm t) (wp s1 q)) (Fimplies (Fnot (Fterm t)) (wp s2 q))) | (Swhile cond inv body) => (Fand inv (abstract_effects body (Fand (Fimplies (Fand (Fterm cond) inv) (wp body inv)) (Fimplies (Fand (Fnot (Fterm cond)) inv) q)))) end. Axiom abstract_effects_writes : forall (sigma:(map.Map.map mident value)) (pi:(list (ident* value)%type)) (body:stmt) (cond:term) (inv:fmla) (q:fmla), let f := (abstract_effects body (Fand (Fimplies (Fand (Fterm cond) inv) (wp body inv)) (Fimplies (Fand (Fnot (Fterm cond)) inv) q))) in ((eval_fmla sigma pi f) -> (eval_fmla sigma pi (wp body f))). Axiom monotonicity : forall (s:stmt) (p:fmla) (q:fmla), (valid_fmla (Fimplies p q)) -> (valid_fmla (Fimplies (wp s p) (wp s q))). Axiom distrib_conj : forall (s:stmt) (sigma:(map.Map.map mident value)) (pi:(list (ident* value)%type)) (p:fmla) (q:fmla), ((eval_fmla sigma pi (wp s p)) /\ (eval_fmla sigma pi (wp s q))) -> (eval_fmla sigma pi (wp s (Fand p q))). Axiom wp_preserved_by_reduction : forall (sigma:(map.Map.map mident value)) (sigma':(map.Map.map mident value)) (pi:(list (ident* value)%type)) (pi':(list (ident* value)%type)) (s:stmt) (s':stmt), (one_step sigma pi s sigma' pi' s') -> forall (q:fmla), (eval_fmla sigma pi (wp s q)) -> (eval_fmla sigma' pi' (wp s' q)). (* Why3 goal *) Theorem progress : forall (s:stmt), forall (x:term) (x1:stmt) (x2:stmt), (s = (Sif x x1 x2)) -> ((forall (sigma:(map.Map.map mident value)) (pi:(list (ident* value)%type)) (sigmat:(map.Map.map mident datatype)) (pit:(list (ident* datatype)%type)) (q:fmla), (compatible_env sigma sigmat pi pit) -> ((type_stmt sigmat pit x2) -> ((eval_fmla sigma pi (wp x2 q)) -> ((~ (x2 = Sskip)) -> (reductible sigma pi x2))))) -> ((forall (sigma:(map.Map.map mident value)) (pi:(list (ident* value)%type)) (sigmat:(map.Map.map mident datatype)) (pit:(list (ident* datatype)%type)) (q:fmla), (compatible_env sigma sigmat pi pit) -> ((type_stmt sigmat pit x1) -> ((eval_fmla sigma pi (wp x1 q)) -> ((~ (x1 = Sskip)) -> (reductible sigma pi x1))))) -> forall (sigma:(map.Map.map mident value)) (pi:(list (ident* value)%type)) (sigmat:(map.Map.map mident datatype)) (pit:(list (ident* datatype)%type)) (q:fmla), (compatible_env sigma sigmat pi pit) -> ((type_stmt sigmat pit s) -> ((eval_fmla sigma pi (wp s q)) -> ((~ (s = Sskip)) -> (reductible sigma pi s)))))). (* Why3 intros s x x1 x2 h1 h2 h3 sigma pi sigmat pit q h4 h5 h6 h7. *) intros s x x1 x2 H_;rewrite H_ in *. intros. inversion H2; subst; clear H2. unfold reductible. apply eval_type_term with (sigma := sigma) (pi := pi) in H10 ; auto. assert (eval_term sigma pi x = Vbool true \/ eval_term sigma pi x = Vbool false). generalize (type_inversion (eval_term sigma pi x)). destruct (eval_term sigma pi x); simpl; try discriminate. destruct b; auto. destruct H2. do 3 eexists. apply one_step_if_true; auto. do 3 eexists. apply one_step_if_false; auto. Qed. ����������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������why3-1.6.0/examples/WP_revisited/blocking_semantics5/blocking_semantics5_WP_progress_5.v������������0000664�0000000�0000000�00000054444�14401600263�0031454�0����������������������������������������������������������������������������������������������������ustar�00root����������������������������root����������������������������0000000�0000000������������������������������������������������������������������������������������������������������������������������������������������������������������������������(* This file is generated by Why3's Coq driver *) (* Beware! Only edit allowed sections below *) Require Import BuiltIn. Require BuiltIn. Require bool.Bool. Require int.Int. Require map.Map. Require list.List. Require list.Length. Require list.Mem. Require list.Append. (* Why3 assumption *) Inductive datatype := | TYunit : datatype | TYint : datatype | TYbool : datatype. Axiom datatype_WhyType : WhyType datatype. Existing Instance datatype_WhyType. (* Why3 assumption *) Inductive value := | Vvoid : value | Vint : Z -> value | Vbool : bool -> value. Axiom value_WhyType : WhyType value. Existing Instance value_WhyType. (* Why3 assumption *) Inductive operator := | Oplus : operator | Ominus : operator | Omult : operator | Ole : operator. Axiom operator_WhyType : WhyType operator. Existing Instance operator_WhyType. Axiom mident : Type. Parameter mident_WhyType : WhyType mident. Existing Instance mident_WhyType. Axiom mident_decide : forall (m1:mident) (m2:mident), (m1 = m2) \/ ~ (m1 = m2). Axiom ident : Type. Parameter ident_WhyType : WhyType ident. Existing Instance ident_WhyType. Axiom ident_decide : forall (m1:ident) (m2:ident), (m1 = m2) \/ ~ (m1 = m2). (* Why3 assumption *) Inductive term := | Tvalue : value -> term | Tvar : ident -> term | Tderef : mident -> term | Tbin : term -> operator -> term -> term. Axiom term_WhyType : WhyType term. Existing Instance term_WhyType. (* Why3 assumption *) Inductive fmla := | Fterm : term -> fmla | Fand : fmla -> fmla -> fmla | Fnot : fmla -> fmla | Fimplies : fmla -> fmla -> fmla | Flet : ident -> term -> fmla -> fmla | Fforall : ident -> datatype -> fmla -> fmla. Axiom fmla_WhyType : WhyType fmla. Existing Instance fmla_WhyType. (* Why3 assumption *) Inductive stmt := | Sskip : stmt | Sassign : mident -> term -> stmt | Sseq : stmt -> stmt -> stmt | Sif : term -> stmt -> stmt -> stmt | Sassert : fmla -> stmt | Swhile : term -> fmla -> stmt -> stmt. Axiom stmt_WhyType : WhyType stmt. Existing Instance stmt_WhyType. Axiom decide_is_skip : forall (s:stmt), (s = Sskip) \/ ~ (s = Sskip). (* Why3 assumption *) Definition env := (map.Map.map mident value). (* Why3 assumption *) Definition stack := (list (ident* value)%type). Parameter get_stack: ident -> (list (ident* value)%type) -> value. Axiom get_stack_def : forall (i:ident) (pi:(list (ident* value)%type)), match pi with | Init.Datatypes.nil => ((get_stack i pi) = Vvoid) | (Init.Datatypes.cons (x, v) r) => ((x = i) -> ((get_stack i pi) = v)) /\ ((~ (x = i)) -> ((get_stack i pi) = (get_stack i r))) end. Axiom get_stack_eq : forall (x:ident) (v:value) (r:(list (ident* value)%type)), ((get_stack x (Init.Datatypes.cons (x, v) r)) = v). Axiom get_stack_neq : forall (x:ident) (i:ident) (v:value) (r:(list (ident* value)%type)), (~ (x = i)) -> ((get_stack i (Init.Datatypes.cons (x, v) r)) = (get_stack i r)). Parameter eval_bin: value -> operator -> value -> value. Axiom eval_bin_def : forall (x:value) (op:operator) (y:value), match (x, y) with | ((Vint x1), (Vint y1)) => match op with | Oplus => ((eval_bin x op y) = (Vint (x1 + y1)%Z)) | Ominus => ((eval_bin x op y) = (Vint (x1 - y1)%Z)) | Omult => ((eval_bin x op y) = (Vint (x1 * y1)%Z)) | Ole => ((x1 <= y1)%Z -> ((eval_bin x op y) = (Vbool true))) /\ ((~ (x1 <= y1)%Z) -> ((eval_bin x op y) = (Vbool false))) end | (_, _) => ((eval_bin x op y) = Vvoid) end. (* Why3 assumption *) Fixpoint eval_term (sigma:(map.Map.map mident value)) (pi:(list (ident* value)%type)) (t:term) {struct t}: value := match t with | (Tvalue v) => v | (Tvar id) => (get_stack id pi) | (Tderef id) => (map.Map.get sigma id) | (Tbin t1 op t2) => (eval_bin (eval_term sigma pi t1) op (eval_term sigma pi t2)) end. (* Why3 assumption *) Fixpoint eval_fmla (sigma:(map.Map.map mident value)) (pi:(list (ident* value)%type)) (f:fmla) {struct f}: Prop := match f with | (Fterm t) => ((eval_term sigma pi t) = (Vbool true)) | (Fand f1 f2) => (eval_fmla sigma pi f1) /\ (eval_fmla sigma pi f2) | (Fnot f1) => ~ (eval_fmla sigma pi f1) | (Fimplies f1 f2) => (eval_fmla sigma pi f1) -> (eval_fmla sigma pi f2) | (Flet x t f1) => (eval_fmla sigma (Init.Datatypes.cons (x, (eval_term sigma pi t)) pi) f1) | (Fforall x TYint f1) => forall (n:Z), (eval_fmla sigma (Init.Datatypes.cons (x, (Vint n)) pi) f1) | (Fforall x TYbool f1) => forall (b:bool), (eval_fmla sigma (Init.Datatypes.cons (x, (Vbool b)) pi) f1) | (Fforall x TYunit f1) => (eval_fmla sigma (Init.Datatypes.cons (x, Vvoid) pi) f1) end. (* Why3 assumption *) Definition valid_fmla (p:fmla): Prop := forall (sigma:(map.Map.map mident value)) (pi:(list (ident* value)%type)), (eval_fmla sigma pi p). (* Why3 assumption *) Inductive one_step: (map.Map.map mident value) -> (list (ident* value)%type) -> stmt -> (map.Map.map mident value) -> (list (ident* value)%type) -> stmt -> Prop := | one_step_assign : forall (sigma:(map.Map.map mident value)) (sigma':(map.Map.map mident value)) (pi:(list (ident* value)%type)) (x:mident) (t:term), (sigma' = (map.Map.set sigma x (eval_term sigma pi t))) -> (one_step sigma pi (Sassign x t) sigma' pi Sskip) | one_step_seq_noskip : forall (sigma:(map.Map.map mident value)) (sigma':(map.Map.map mident value)) (pi:(list (ident* value)%type)) (pi':(list (ident* value)%type)) (s1:stmt) (s1':stmt) (s2:stmt), (one_step sigma pi s1 sigma' pi' s1') -> (one_step sigma pi (Sseq s1 s2) sigma' pi' (Sseq s1' s2)) | one_step_seq_skip : forall (sigma:(map.Map.map mident value)) (pi:(list (ident* value)%type)) (s:stmt), (one_step sigma pi (Sseq Sskip s) sigma pi s) | one_step_if_true : forall (sigma:(map.Map.map mident value)) (pi:(list (ident* value)%type)) (t:term) (s1:stmt) (s2:stmt), ((eval_term sigma pi t) = (Vbool true)) -> (one_step sigma pi (Sif t s1 s2) sigma pi s1) | one_step_if_false : forall (sigma:(map.Map.map mident value)) (pi:(list (ident* value)%type)) (t:term) (s1:stmt) (s2:stmt), ((eval_term sigma pi t) = (Vbool false)) -> (one_step sigma pi (Sif t s1 s2) sigma pi s2) | one_step_assert : forall (sigma:(map.Map.map mident value)) (pi:(list (ident* value)%type)) (f:fmla), (eval_fmla sigma pi f) -> (one_step sigma pi (Sassert f) sigma pi Sskip) | one_step_while_true : forall (sigma:(map.Map.map mident value)) (pi:(list (ident* value)%type)) (cond:term) (inv:fmla) (body:stmt), ((eval_fmla sigma pi inv) /\ ((eval_term sigma pi cond) = (Vbool true))) -> (one_step sigma pi (Swhile cond inv body) sigma pi (Sseq body (Swhile cond inv body))) | one_step_while_false : forall (sigma:(map.Map.map mident value)) (pi:(list (ident* value)%type)) (cond:term) (inv:fmla) (body:stmt), ((eval_fmla sigma pi inv) /\ ((eval_term sigma pi cond) = (Vbool false))) -> (one_step sigma pi (Swhile cond inv body) sigma pi Sskip). (* Why3 assumption *) Inductive many_steps: (map.Map.map mident value) -> (list (ident* value)%type) -> stmt -> (map.Map.map mident value) -> (list (ident* value)%type) -> stmt -> Z -> Prop := | many_steps_refl : forall (sigma:(map.Map.map mident value)) (pi:(list (ident* value)%type)) (s:stmt), (many_steps sigma pi s sigma pi s 0%Z) | many_steps_trans : forall (sigma1:(map.Map.map mident value)) (sigma2:(map.Map.map mident value)) (sigma3:(map.Map.map mident value)) (pi1:(list (ident* value)%type)) (pi2:(list (ident* value)%type)) (pi3:(list (ident* value)%type)) (s1:stmt) (s2:stmt) (s3:stmt) (n:Z), (one_step sigma1 pi1 s1 sigma2 pi2 s2) -> ((many_steps sigma2 pi2 s2 sigma3 pi3 s3 n) -> (many_steps sigma1 pi1 s1 sigma3 pi3 s3 (n + 1%Z)%Z)). Axiom steps_non_neg : forall (sigma1:(map.Map.map mident value)) (sigma2:(map.Map.map mident value)) (pi1:(list (ident* value)%type)) (pi2:(list (ident* value)%type)) (s1:stmt) (s2:stmt) (n:Z), (many_steps sigma1 pi1 s1 sigma2 pi2 s2 n) -> (0%Z <= n)%Z. (* Why3 assumption *) Definition reductible (sigma:(map.Map.map mident value)) (pi:(list (ident* value)%type)) (s:stmt): Prop := exists sigma':(map.Map.map mident value), exists pi':(list (ident* value)%type), exists s':stmt, (one_step sigma pi s sigma' pi' s'). (* Why3 assumption *) Definition type_value (v:value): datatype := match v with | Vvoid => TYunit | (Vint _) => TYint | (Vbool _) => TYbool end. (* Why3 assumption *) Inductive type_operator: operator -> datatype -> datatype -> datatype -> Prop := | Type_plus : (type_operator Oplus TYint TYint TYint) | Type_minus : (type_operator Ominus TYint TYint TYint) | Type_mult : (type_operator Omult TYint TYint TYint) | Type_le : (type_operator Ole TYint TYint TYbool). (* Why3 assumption *) Definition type_stack := (list (ident* datatype)%type). Parameter get_vartype: ident -> (list (ident* datatype)%type) -> datatype. Axiom get_vartype_def : forall (i:ident) (pi:(list (ident* datatype)%type)), match pi with | Init.Datatypes.nil => ((get_vartype i pi) = TYunit) | (Init.Datatypes.cons (x, ty) r) => ((x = i) -> ((get_vartype i pi) = ty)) /\ ((~ (x = i)) -> ((get_vartype i pi) = (get_vartype i r))) end. (* Why3 assumption *) Definition type_env := (map.Map.map mident datatype). (* Why3 assumption *) Inductive type_term: (map.Map.map mident datatype) -> (list (ident* datatype)%type) -> term -> datatype -> Prop := | Type_value : forall (sigma:(map.Map.map mident datatype)) (pi:(list (ident* datatype)%type)) (v:value), (type_term sigma pi (Tvalue v) (type_value v)) | Type_var : forall (sigma:(map.Map.map mident datatype)) (pi:(list (ident* datatype)%type)) (v:ident) (ty:datatype), ((get_vartype v pi) = ty) -> (type_term sigma pi (Tvar v) ty) | Type_deref : forall (sigma:(map.Map.map mident datatype)) (pi:(list (ident* datatype)%type)) (v:mident) (ty:datatype), ((map.Map.get sigma v) = ty) -> (type_term sigma pi (Tderef v) ty) | Type_bin : forall (sigma:(map.Map.map mident datatype)) (pi:(list (ident* datatype)%type)) (t1:term) (t2:term) (op:operator) (ty1:datatype) (ty2:datatype) (ty:datatype), ((type_term sigma pi t1 ty1) /\ ((type_term sigma pi t2 ty2) /\ (type_operator op ty1 ty2 ty))) -> (type_term sigma pi (Tbin t1 op t2) ty). (* Why3 assumption *) Inductive type_fmla: (map.Map.map mident datatype) -> (list (ident* datatype)%type) -> fmla -> Prop := | Type_term : forall (sigma:(map.Map.map mident datatype)) (pi:(list (ident* datatype)%type)) (t:term), (type_term sigma pi t TYbool) -> (type_fmla sigma pi (Fterm t)) | Type_conj : forall (sigma:(map.Map.map mident datatype)) (pi:(list (ident* datatype)%type)) (f1:fmla) (f2:fmla), ((type_fmla sigma pi f1) /\ (type_fmla sigma pi f2)) -> (type_fmla sigma pi (Fand f1 f2)) | Type_neg : forall (sigma:(map.Map.map mident datatype)) (pi:(list (ident* datatype)%type)) (f:fmla), (type_fmla sigma pi f) -> (type_fmla sigma pi (Fnot f)) | Type_implies : forall (sigma:(map.Map.map mident datatype)) (pi:(list (ident* datatype)%type)) (f1:fmla) (f2:fmla), (type_fmla sigma pi f1) -> ((type_fmla sigma pi f2) -> (type_fmla sigma pi (Fimplies f1 f2))) | Type_let : forall (sigma:(map.Map.map mident datatype)) (pi:(list (ident* datatype)%type)) (x:ident) (t:term) (f:fmla) (ty:datatype), (type_term sigma pi t ty) -> ((type_fmla sigma (Init.Datatypes.cons (x, ty) pi) f) -> (type_fmla sigma pi (Flet x t f))) | Type_forall : forall (sigma:(map.Map.map mident datatype)) (pi:(list (ident* datatype)%type)) (x:ident) (f:fmla) (ty:datatype), (type_fmla sigma (Init.Datatypes.cons (x, ty) pi) f) -> (type_fmla sigma pi (Fforall x ty f)). (* Why3 assumption *) Inductive type_stmt: (map.Map.map mident datatype) -> (list (ident* datatype)%type) -> stmt -> Prop := | Type_skip : forall (sigma:(map.Map.map mident datatype)) (pi:(list (ident* datatype)%type)), (type_stmt sigma pi Sskip) | Type_seq : forall (sigma:(map.Map.map mident datatype)) (pi:(list (ident* datatype)%type)) (s1:stmt) (s2:stmt), (type_stmt sigma pi s1) -> ((type_stmt sigma pi s2) -> (type_stmt sigma pi (Sseq s1 s2))) | Type_assigns : forall (sigma:(map.Map.map mident datatype)) (pi:(list (ident* datatype)%type)) (x:mident) (t:term) (ty:datatype), ((map.Map.get sigma x) = ty) -> ((type_term sigma pi t ty) -> (type_stmt sigma pi (Sassign x t))) | Type_if : forall (sigma:(map.Map.map mident datatype)) (pi:(list (ident* datatype)%type)) (t:term) (s1:stmt) (s2:stmt), (type_term sigma pi t TYbool) -> ((type_stmt sigma pi s1) -> ((type_stmt sigma pi s2) -> (type_stmt sigma pi (Sif t s1 s2)))) | Type_assert : forall (sigma:(map.Map.map mident datatype)) (pi:(list (ident* datatype)%type)) (p:fmla), (type_fmla sigma pi p) -> (type_stmt sigma pi (Sassert p)) | Type_while : forall (sigma:(map.Map.map mident datatype)) (pi:(list (ident* datatype)%type)) (cond:term) (body:stmt) (inv:fmla), (type_fmla sigma pi inv) -> ((type_term sigma pi cond TYbool) -> ((type_stmt sigma pi body) -> (type_stmt sigma pi (Swhile cond inv body)))). (* Why3 assumption *) Definition compatible_env (sigma:(map.Map.map mident value)) (sigmat:(map.Map.map mident datatype)) (pi:(list (ident* value)%type)) (pit:(list (ident* datatype)%type)): Prop := (forall (id:mident), ((type_value (map.Map.get sigma id)) = (map.Map.get sigmat id))) /\ forall (id:ident), ((type_value (get_stack id pi)) = (get_vartype id pit)). Axiom type_inversion : forall (v:value), match (type_value v) with | TYbool => exists b:bool, (v = (Vbool b)) | TYint => exists n:Z, (v = (Vint n)) | TYunit => (v = Vvoid) end. Axiom eval_type_term : forall (t:term) (sigma:(map.Map.map mident value)) (pi:(list (ident* value)%type)) (sigmat:(map.Map.map mident datatype)) (pit:(list (ident* datatype)%type)) (ty:datatype), (compatible_env sigma sigmat pi pit) -> ((type_term sigmat pit t ty) -> ((type_value (eval_term sigma pi t)) = ty)). Axiom type_preservation : forall (s1:stmt) (s2:stmt) (sigma1:(map.Map.map mident value)) (sigma2:(map.Map.map mident value)) (pi1:(list (ident* value)%type)) (pi2:(list (ident* value)%type)) (sigmat:(map.Map.map mident datatype)) (pit:(list (ident* datatype)%type)), ((type_stmt sigmat pit s1) /\ ((compatible_env sigma1 sigmat pi1 pit) /\ (one_step sigma1 pi1 s1 sigma2 pi2 s2))) -> ((type_stmt sigmat pit s2) /\ (compatible_env sigma2 sigmat pi2 pit)). Axiom Cons_append : forall {a:Type} {a_WT:WhyType a}, forall (a1:a) (l1:(list a)) (l2:(list a)), ((Init.Datatypes.cons a1 (Init.Datatypes.app l1 l2)) = (Init.Datatypes.app (Init.Datatypes.cons a1 l1) l2)). Axiom Append_nil_l : forall {a:Type} {a_WT:WhyType a}, forall (l:(list a)), ((Init.Datatypes.app Init.Datatypes.nil l) = l). Parameter msubst_term: term -> mident -> ident -> term. Axiom msubst_term_def : forall (t:term) (x:mident) (v:ident), match t with | ((Tvalue _)|(Tvar _)) => ((msubst_term t x v) = t) | (Tderef y) => ((x = y) -> ((msubst_term t x v) = (Tvar v))) /\ ((~ (x = y)) -> ((msubst_term t x v) = t)) | (Tbin t1 op t2) => ((msubst_term t x v) = (Tbin (msubst_term t1 x v) op (msubst_term t2 x v))) end. (* Why3 assumption *) Fixpoint msubst (f:fmla) (x:mident) (v:ident) {struct f}: fmla := match f with | (Fterm e) => (Fterm (msubst_term e x v)) | (Fand f1 f2) => (Fand (msubst f1 x v) (msubst f2 x v)) | (Fnot f1) => (Fnot (msubst f1 x v)) | (Fimplies f1 f2) => (Fimplies (msubst f1 x v) (msubst f2 x v)) | (Flet y t f1) => (Flet y (msubst_term t x v) (msubst f1 x v)) | (Fforall y ty f1) => (Fforall y ty (msubst f1 x v)) end. (* Why3 assumption *) Fixpoint fresh_in_term (id:ident) (t:term) {struct t}: Prop := match t with | ((Tvalue _)|(Tderef _)) => True | (Tvar i) => ~ (id = i) | (Tbin t1 _ t2) => (fresh_in_term id t1) /\ (fresh_in_term id t2) end. (* Why3 assumption *) Fixpoint fresh_in_fmla (id:ident) (f:fmla) {struct f}: Prop := match f with | (Fterm e) => (fresh_in_term id e) | ((Fand f1 f2)|(Fimplies f1 f2)) => (fresh_in_fmla id f1) /\ (fresh_in_fmla id f2) | (Fnot f1) => (fresh_in_fmla id f1) | (Flet y t f1) => (~ (id = y)) /\ ((fresh_in_term id t) /\ (fresh_in_fmla id f1)) | (Fforall y _ f1) => (~ (id = y)) /\ (fresh_in_fmla id f1) end. Axiom eval_msubst_term : forall (e:term) (sigma:(map.Map.map mident value)) (pi:(list (ident* value)%type)) (x:mident) (v:ident), (fresh_in_term v e) -> ((eval_term sigma pi (msubst_term e x v)) = (eval_term (map.Map.set sigma x (get_stack v pi)) pi e)). Axiom eval_msubst : forall (f:fmla) (sigma:(map.Map.map mident value)) (pi:(list (ident* value)%type)) (x:mident) (v:ident), (fresh_in_fmla v f) -> ((eval_fmla sigma pi (msubst f x v)) <-> (eval_fmla (map.Map.set sigma x (get_stack v pi)) pi f)). Axiom eval_swap_term : forall (t:term) (sigma:(map.Map.map mident value)) (pi:(list (ident* value)%type)) (l:(list (ident* value)%type)) (id1:ident) (id2:ident) (v1:value) (v2:value), (~ (id1 = id2)) -> ((eval_term sigma (Init.Datatypes.app l (Init.Datatypes.cons (id1, v1) (Init.Datatypes.cons ( id2, v2) pi))) t) = (eval_term sigma (Init.Datatypes.app l (Init.Datatypes.cons (id2, v2) (Init.Datatypes.cons ( id1, v1) pi))) t)). Axiom eval_swap_gen : forall (f:fmla) (sigma:(map.Map.map mident value)) (pi:(list (ident* value)%type)) (l:(list (ident* value)%type)) (id1:ident) (id2:ident) (v1:value) (v2:value), (~ (id1 = id2)) -> ((eval_fmla sigma (Init.Datatypes.app l (Init.Datatypes.cons (id1, v1) (Init.Datatypes.cons ( id2, v2) pi))) f) <-> (eval_fmla sigma (Init.Datatypes.app l (Init.Datatypes.cons (id2, v2) (Init.Datatypes.cons ( id1, v1) pi))) f)). Axiom eval_swap : forall (f:fmla) (sigma:(map.Map.map mident value)) (pi:(list (ident* value)%type)) (id1:ident) (id2:ident) (v1:value) (v2:value), (~ (id1 = id2)) -> ((eval_fmla sigma (Init.Datatypes.cons (id1, v1) (Init.Datatypes.cons (id2, v2) pi)) f) <-> (eval_fmla sigma (Init.Datatypes.cons (id2, v2) (Init.Datatypes.cons (id1, v1) pi)) f)). Axiom eval_term_change_free : forall (t:term) (sigma:(map.Map.map mident value)) (pi:(list (ident* value)%type)) (id:ident) (v:value), (fresh_in_term id t) -> ((eval_term sigma (Init.Datatypes.cons (id, v) pi) t) = (eval_term sigma pi t)). Axiom eval_change_free : forall (f:fmla) (sigma:(map.Map.map mident value)) (pi:(list (ident* value)%type)) (id:ident) (v:value), (fresh_in_fmla id f) -> ((eval_fmla sigma (Init.Datatypes.cons (id, v) pi) f) <-> (eval_fmla sigma pi f)). Parameter fresh_from: fmla -> ident. Axiom fresh_from_fmla : forall (f:fmla), (fresh_in_fmla (fresh_from f) f). Parameter abstract_effects: stmt -> fmla -> fmla. Axiom abstract_effects_specialize : forall (sigma:(map.Map.map mident value)) (pi:(list (ident* value)%type)) (s:stmt) (f:fmla), (eval_fmla sigma pi (abstract_effects s f)) -> (eval_fmla sigma pi f). Axiom abstract_effects_distrib_conj : forall (s:stmt) (p:fmla) (q:fmla) (sigma:(map.Map.map mident value)) (pi:(list (ident* value)%type)), ((eval_fmla sigma pi (abstract_effects s p)) /\ (eval_fmla sigma pi (abstract_effects s q))) -> (eval_fmla sigma pi (abstract_effects s (Fand p q))). Axiom abstract_effects_monotonic : forall (s:stmt) (p:fmla) (q:fmla), (valid_fmla (Fimplies p q)) -> forall (sigma:(map.Map.map mident value)) (pi:(list (ident* value)%type)), (eval_fmla sigma pi (abstract_effects s p)) -> (eval_fmla sigma pi (abstract_effects s q)). (* Why3 assumption *) Fixpoint wp (s:stmt) (q:fmla) {struct s}: fmla := match s with | Sskip => q | (Sassert f) => (Fand f (Fimplies f q)) | (Sseq s1 s2) => (wp s1 (wp s2 q)) | (Sassign x t) => let id := (fresh_from q) in (Flet id t (msubst q x id)) | (Sif t s1 s2) => (Fand (Fimplies (Fterm t) (wp s1 q)) (Fimplies (Fnot (Fterm t)) (wp s2 q))) | (Swhile cond inv body) => (Fand inv (abstract_effects body (Fand (Fimplies (Fand (Fterm cond) inv) (wp body inv)) (Fimplies (Fand (Fnot (Fterm cond)) inv) q)))) end. Axiom abstract_effects_writes : forall (sigma:(map.Map.map mident value)) (pi:(list (ident* value)%type)) (body:stmt) (cond:term) (inv:fmla) (q:fmla), let f := (abstract_effects body (Fand (Fimplies (Fand (Fterm cond) inv) (wp body inv)) (Fimplies (Fand (Fnot (Fterm cond)) inv) q))) in ((eval_fmla sigma pi f) -> (eval_fmla sigma pi (wp body f))). Axiom monotonicity : forall (s:stmt) (p:fmla) (q:fmla), (valid_fmla (Fimplies p q)) -> (valid_fmla (Fimplies (wp s p) (wp s q))). Axiom distrib_conj : forall (s:stmt) (sigma:(map.Map.map mident value)) (pi:(list (ident* value)%type)) (p:fmla) (q:fmla), ((eval_fmla sigma pi (wp s p)) /\ (eval_fmla sigma pi (wp s q))) -> (eval_fmla sigma pi (wp s (Fand p q))). Axiom wp_preserved_by_reduction : forall (sigma:(map.Map.map mident value)) (sigma':(map.Map.map mident value)) (pi:(list (ident* value)%type)) (pi':(list (ident* value)%type)) (s:stmt) (s':stmt), (one_step sigma pi s sigma' pi' s') -> forall (q:fmla), (eval_fmla sigma pi (wp s q)) -> (eval_fmla sigma' pi' (wp s' q)). (* Why3 goal *) Theorem progress : forall (s:stmt), forall (x:term) (x1:fmla) (x2:stmt), (s = (Swhile x x1 x2)) -> ((forall (sigma:(map.Map.map mident value)) (pi:(list (ident* value)%type)) (sigmat:(map.Map.map mident datatype)) (pit:(list (ident* datatype)%type)) (q:fmla), (compatible_env sigma sigmat pi pit) -> ((type_stmt sigmat pit x2) -> ((eval_fmla sigma pi (wp x2 q)) -> ((~ (x2 = Sskip)) -> (reductible sigma pi x2))))) -> forall (sigma:(map.Map.map mident value)) (pi:(list (ident* value)%type)) (sigmat:(map.Map.map mident datatype)) (pit:(list (ident* datatype)%type)) (q:fmla), (compatible_env sigma sigmat pi pit) -> ((type_stmt sigmat pit s) -> ((eval_fmla sigma pi (wp s q)) -> ((~ (s = Sskip)) -> (reductible sigma pi s))))). (* Why3 intros s x x1 x2 h1 h2 sigma pi sigmat pit q h3 h4 h5 h6. *) intros s x x1 x2 H_;rewrite H_ in *. simpl. intros H sigma pi sigmat pit q H1 H2 (H3 & H4) H5. inversion H2; subst; clear H2. unfold reductible. apply eval_type_term with (sigma := sigma) (pi := pi) in H11 ; auto. assert (eval_term sigma pi x = Vbool true \/ eval_term sigma pi x = Vbool false). generalize (type_inversion (eval_term sigma pi x)). destruct (eval_term sigma pi x); simpl; try discriminate. destruct b; auto. destruct H0. do 3 eexists. apply one_step_while_true; auto. do 3 eexists. apply one_step_while_false; auto. Qed. ����������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������why3-1.6.0/examples/WP_revisited/blocking_semantics5/blocking_semantics5_WP_wp_soundness_1.v��������0000664�0000000�0000000�00000052266�14401600263�0032333�0����������������������������������������������������������������������������������������������������ustar�00root����������������������������root����������������������������0000000�0000000������������������������������������������������������������������������������������������������������������������������������������������������������������������������(* This file is generated by Why3's Coq driver *) (* Beware! Only edit allowed sections below *) Require Import BuiltIn. Require BuiltIn. Require bool.Bool. Require int.Int. Require map.Map. Require list.List. Require list.Length. Require list.Mem. Require list.Append. (* Why3 assumption *) Inductive datatype := | TYunit : datatype | TYint : datatype | TYbool : datatype. Axiom datatype_WhyType : WhyType datatype. Existing Instance datatype_WhyType. (* Why3 assumption *) Inductive value := | Vvoid : value | Vint : Z -> value | Vbool : bool -> value. Axiom value_WhyType : WhyType value. Existing Instance value_WhyType. (* Why3 assumption *) Inductive operator := | Oplus : operator | Ominus : operator | Omult : operator | Ole : operator. Axiom operator_WhyType : WhyType operator. Existing Instance operator_WhyType. Axiom mident : Type. Parameter mident_WhyType : WhyType mident. Existing Instance mident_WhyType. Axiom mident_decide : forall (m1:mident) (m2:mident), (m1 = m2) \/ ~ (m1 = m2). Axiom ident : Type. Parameter ident_WhyType : WhyType ident. Existing Instance ident_WhyType. Axiom ident_decide : forall (m1:ident) (m2:ident), (m1 = m2) \/ ~ (m1 = m2). (* Why3 assumption *) Inductive term := | Tvalue : value -> term | Tvar : ident -> term | Tderef : mident -> term | Tbin : term -> operator -> term -> term. Axiom term_WhyType : WhyType term. Existing Instance term_WhyType. (* Why3 assumption *) Inductive fmla := | Fterm : term -> fmla | Fand : fmla -> fmla -> fmla | Fnot : fmla -> fmla | Fimplies : fmla -> fmla -> fmla | Flet : ident -> term -> fmla -> fmla | Fforall : ident -> datatype -> fmla -> fmla. Axiom fmla_WhyType : WhyType fmla. Existing Instance fmla_WhyType. (* Why3 assumption *) Inductive stmt := | Sskip : stmt | Sassign : mident -> term -> stmt | Sseq : stmt -> stmt -> stmt | Sif : term -> stmt -> stmt -> stmt | Sassert : fmla -> stmt | Swhile : term -> fmla -> stmt -> stmt. Axiom stmt_WhyType : WhyType stmt. Existing Instance stmt_WhyType. Axiom decide_is_skip : forall (s:stmt), (s = Sskip) \/ ~ (s = Sskip). (* Why3 assumption *) Definition env := (map.Map.map mident value). (* Why3 assumption *) Definition stack := (list (ident* value)%type). Parameter get_stack: ident -> (list (ident* value)%type) -> value. Axiom get_stack_def : forall (i:ident) (pi:(list (ident* value)%type)), match pi with | Nil => ((get_stack i pi) = Vvoid) | (Cons (x, v) r) => ((x = i) -> ((get_stack i pi) = v)) /\ ((~ (x = i)) -> ((get_stack i pi) = (get_stack i r))) end. Axiom get_stack_eq : forall (x:ident) (v:value) (r:(list (ident* value)%type)), ((get_stack x (Cons (x, v) r)) = v). Axiom get_stack_neq : forall (x:ident) (i:ident) (v:value) (r:(list (ident* value)%type)), (~ (x = i)) -> ((get_stack i (Cons (x, v) r)) = (get_stack i r)). Parameter eval_bin: value -> operator -> value -> value. Axiom eval_bin_def : forall (x:value) (op:operator) (y:value), match (x, y) with | ((Vint x1), (Vint y1)) => match op with | Oplus => ((eval_bin x op y) = (Vint (x1 + y1)%Z)) | Ominus => ((eval_bin x op y) = (Vint (x1 - y1)%Z)) | Omult => ((eval_bin x op y) = (Vint (x1 * y1)%Z)) | Ole => ((x1 <= y1)%Z -> ((eval_bin x op y) = (Vbool true))) /\ ((~ (x1 <= y1)%Z) -> ((eval_bin x op y) = (Vbool false))) end | (_, _) => ((eval_bin x op y) = Vvoid) end. (* Why3 assumption *) Fixpoint eval_term(sigma:(map mident value)) (pi:(list (ident* value)%type)) (t:term) {struct t}: value := match t with | (Tvalue v) => v | (Tvar id) => (get_stack id pi) | (Tderef id) => (get sigma id) | (Tbin t1 op t2) => (eval_bin (eval_term sigma pi t1) op (eval_term sigma pi t2)) end. (* Why3 assumption *) Fixpoint eval_fmla(sigma:(map mident value)) (pi:(list (ident* value)%type)) (f:fmla) {struct f}: Prop := match f with | (Fterm t) => ((eval_term sigma pi t) = (Vbool true)) | (Fand f1 f2) => (eval_fmla sigma pi f1) /\ (eval_fmla sigma pi f2) | (Fnot f1) => ~ (eval_fmla sigma pi f1) | (Fimplies f1 f2) => (eval_fmla sigma pi f1) -> (eval_fmla sigma pi f2) | (Flet x t f1) => (eval_fmla sigma (Cons (x, (eval_term sigma pi t)) pi) f1) | (Fforall x TYint f1) => forall (n:Z), (eval_fmla sigma (Cons (x, (Vint n)) pi) f1) | (Fforall x TYbool f1) => forall (b:bool), (eval_fmla sigma (Cons (x, (Vbool b)) pi) f1) | (Fforall x TYunit f1) => (eval_fmla sigma (Cons (x, Vvoid) pi) f1) end. (* Why3 assumption *) Definition valid_fmla(p:fmla): Prop := forall (sigma:(map mident value)) (pi:(list (ident* value)%type)), (eval_fmla sigma pi p). (* Why3 assumption *) Inductive one_step : (map mident value) -> (list (ident* value)%type) -> stmt -> (map mident value) -> (list (ident* value)%type) -> stmt -> Prop := | one_step_assign : forall (sigma:(map mident value)) (sigma':(map mident value)) (pi:(list (ident* value)%type)) (x:mident) (t:term), (sigma' = (set sigma x (eval_term sigma pi t))) -> (one_step sigma pi (Sassign x t) sigma' pi Sskip) | one_step_seq_noskip : forall (sigma:(map mident value)) (sigma':(map mident value)) (pi:(list (ident* value)%type)) (pi':(list (ident* value)%type)) (s1:stmt) (s1':stmt) (s2:stmt), (one_step sigma pi s1 sigma' pi' s1') -> (one_step sigma pi (Sseq s1 s2) sigma' pi' (Sseq s1' s2)) | one_step_seq_skip : forall (sigma:(map mident value)) (pi:(list (ident* value)%type)) (s:stmt), (one_step sigma pi (Sseq Sskip s) sigma pi s) | one_step_if_true : forall (sigma:(map mident value)) (pi:(list (ident* value)%type)) (t:term) (s1:stmt) (s2:stmt), ((eval_term sigma pi t) = (Vbool true)) -> (one_step sigma pi (Sif t s1 s2) sigma pi s1) | one_step_if_false : forall (sigma:(map mident value)) (pi:(list (ident* value)%type)) (t:term) (s1:stmt) (s2:stmt), ((eval_term sigma pi t) = (Vbool false)) -> (one_step sigma pi (Sif t s1 s2) sigma pi s2) | one_step_assert : forall (sigma:(map mident value)) (pi:(list (ident* value)%type)) (f:fmla), (eval_fmla sigma pi f) -> (one_step sigma pi (Sassert f) sigma pi Sskip) | one_step_while_true : forall (sigma:(map mident value)) (pi:(list (ident* value)%type)) (cond:term) (inv:fmla) (body:stmt), (eval_fmla sigma pi inv) -> (((eval_term sigma pi cond) = (Vbool true)) -> (one_step sigma pi (Swhile cond inv body) sigma pi (Sseq body (Swhile cond inv body)))) | one_step_while_false : forall (sigma:(map mident value)) (pi:(list (ident* value)%type)) (cond:term) (inv:fmla) (body:stmt), (eval_fmla sigma pi inv) -> (((eval_term sigma pi cond) = (Vbool false)) -> (one_step sigma pi (Swhile cond inv body) sigma pi Sskip)). (* Why3 assumption *) Inductive many_steps : (map mident value) -> (list (ident* value)%type) -> stmt -> (map mident value) -> (list (ident* value)%type) -> stmt -> Z -> Prop := | many_steps_refl : forall (sigma:(map mident value)) (pi:(list (ident* value)%type)) (s:stmt), (many_steps sigma pi s sigma pi s 0%Z) | many_steps_trans : forall (sigma1:(map mident value)) (sigma2:(map mident value)) (sigma3:(map mident value)) (pi1:(list (ident* value)%type)) (pi2:(list (ident* value)%type)) (pi3:(list (ident* value)%type)) (s1:stmt) (s2:stmt) (s3:stmt) (n:Z), (one_step sigma1 pi1 s1 sigma2 pi2 s2) -> ((many_steps sigma2 pi2 s2 sigma3 pi3 s3 n) -> (many_steps sigma1 pi1 s1 sigma3 pi3 s3 (n + 1%Z)%Z)). Axiom steps_non_neg : forall (sigma1:(map mident value)) (sigma2:(map mident value)) (pi1:(list (ident* value)%type)) (pi2:(list (ident* value)%type)) (s1:stmt) (s2:stmt) (n:Z), (many_steps sigma1 pi1 s1 sigma2 pi2 s2 n) -> (0%Z <= n)%Z. (* Why3 assumption *) Definition reductible(sigma:(map mident value)) (pi:(list (ident* value)%type)) (s:stmt): Prop := exists sigma':(map mident value), exists pi':(list (ident* value)%type), exists s':stmt, (one_step sigma pi s sigma' pi' s'). (* Why3 assumption *) Definition type_value(v:value): datatype := match v with | Vvoid => TYunit | (Vint int) => TYint | (Vbool bool1) => TYbool end. (* Why3 assumption *) Inductive type_operator : operator -> datatype -> datatype -> datatype -> Prop := | Type_plus : (type_operator Oplus TYint TYint TYint) | Type_minus : (type_operator Ominus TYint TYint TYint) | Type_mult : (type_operator Omult TYint TYint TYint) | Type_le : (type_operator Ole TYint TYint TYbool). (* Why3 assumption *) Definition type_stack := (list (ident* datatype)%type). Parameter get_vartype: ident -> (list (ident* datatype)%type) -> datatype. Axiom get_vartype_def : forall (i:ident) (pi:(list (ident* datatype)%type)), match pi with | Nil => ((get_vartype i pi) = TYunit) | (Cons (x, ty) r) => ((x = i) -> ((get_vartype i pi) = ty)) /\ ((~ (x = i)) -> ((get_vartype i pi) = (get_vartype i r))) end. (* Why3 assumption *) Definition type_env := (map mident datatype). (* Why3 assumption *) Inductive type_term : (map mident datatype) -> (list (ident* datatype)%type) -> term -> datatype -> Prop := | Type_value : forall (sigma:(map mident datatype)) (pi:(list (ident* datatype)%type)) (v:value), (type_term sigma pi (Tvalue v) (type_value v)) | Type_var : forall (sigma:(map mident datatype)) (pi:(list (ident* datatype)%type)) (v:ident) (ty:datatype), ((get_vartype v pi) = ty) -> (type_term sigma pi (Tvar v) ty) | Type_deref : forall (sigma:(map mident datatype)) (pi:(list (ident* datatype)%type)) (v:mident) (ty:datatype), ((get sigma v) = ty) -> (type_term sigma pi (Tderef v) ty) | Type_bin : forall (sigma:(map mident datatype)) (pi:(list (ident* datatype)%type)) (t1:term) (t2:term) (op:operator) (ty1:datatype) (ty2:datatype) (ty:datatype), (type_term sigma pi t1 ty1) -> ((type_term sigma pi t2 ty2) -> ((type_operator op ty1 ty2 ty) -> (type_term sigma pi (Tbin t1 op t2) ty))). (* Why3 assumption *) Inductive type_fmla : (map mident datatype) -> (list (ident* datatype)%type) -> fmla -> Prop := | Type_term : forall (sigma:(map mident datatype)) (pi:(list (ident* datatype)%type)) (t:term), (type_term sigma pi t TYbool) -> (type_fmla sigma pi (Fterm t)) | Type_conj : forall (sigma:(map mident datatype)) (pi:(list (ident* datatype)%type)) (f1:fmla) (f2:fmla), (type_fmla sigma pi f1) -> ((type_fmla sigma pi f2) -> (type_fmla sigma pi (Fand f1 f2))) | Type_neg : forall (sigma:(map mident datatype)) (pi:(list (ident* datatype)%type)) (f:fmla), (type_fmla sigma pi f) -> (type_fmla sigma pi (Fnot f)) | Type_implies : forall (sigma:(map mident datatype)) (pi:(list (ident* datatype)%type)) (f1:fmla) (f2:fmla), (type_fmla sigma pi f1) -> ((type_fmla sigma pi f2) -> (type_fmla sigma pi (Fimplies f1 f2))) | Type_let : forall (sigma:(map mident datatype)) (pi:(list (ident* datatype)%type)) (x:ident) (t:term) (f:fmla) (ty:datatype), (type_term sigma pi t ty) -> ((type_fmla sigma (Cons (x, ty) pi) f) -> (type_fmla sigma pi (Flet x t f))) | Type_forall1 : forall (sigma:(map mident datatype)) (pi:(list (ident* datatype)%type)) (x:ident) (f:fmla), (type_fmla sigma (Cons (x, TYint) pi) f) -> (type_fmla sigma pi (Fforall x TYint f)) | Type_forall2 : forall (sigma:(map mident datatype)) (pi:(list (ident* datatype)%type)) (x:ident) (f:fmla), (type_fmla sigma (Cons (x, TYbool) pi) f) -> (type_fmla sigma pi (Fforall x TYbool f)) | Type_forall3 : forall (sigma:(map mident datatype)) (pi:(list (ident* datatype)%type)) (x:ident) (f:fmla), (type_fmla sigma (Cons (x, TYunit) pi) f) -> (type_fmla sigma pi (Fforall x TYunit f)). (* Why3 assumption *) Inductive type_stmt : (map mident datatype) -> (list (ident* datatype)%type) -> stmt -> Prop := | Type_skip : forall (sigma:(map mident datatype)) (pi:(list (ident* datatype)%type)), (type_stmt sigma pi Sskip) | Type_seq : forall (sigma:(map mident datatype)) (pi:(list (ident* datatype)%type)) (s1:stmt) (s2:stmt), (type_stmt sigma pi s1) -> ((type_stmt sigma pi s2) -> (type_stmt sigma pi (Sseq s1 s2))) | Type_assigns : forall (sigma:(map mident datatype)) (pi:(list (ident* datatype)%type)) (x:mident) (t:term) (ty:datatype), ((get sigma x) = ty) -> ((type_term sigma pi t ty) -> (type_stmt sigma pi (Sassign x t))) | Type_if : forall (sigma:(map mident datatype)) (pi:(list (ident* datatype)%type)) (t:term) (s1:stmt) (s2:stmt), (type_term sigma pi t TYbool) -> ((type_stmt sigma pi s1) -> ((type_stmt sigma pi s2) -> (type_stmt sigma pi (Sif t s1 s2)))) | Type_assert : forall (sigma:(map mident datatype)) (pi:(list (ident* datatype)%type)) (p:fmla), (type_fmla sigma pi p) -> (type_stmt sigma pi (Sassert p)) | Type_while : forall (sigma:(map mident datatype)) (pi:(list (ident* datatype)%type)) (guard:term) (body:stmt) (inv:fmla), (type_fmla sigma pi inv) -> ((type_term sigma pi guard TYbool) -> ((type_stmt sigma pi body) -> (type_stmt sigma pi (Swhile guard inv body)))). Axiom type_inversion : forall (v:value), match (type_value v) with | TYbool => exists b:bool, (v = (Vbool b)) | TYint => exists n:Z, (v = (Vint n)) | TYunit => (v = Vvoid) end. (* Why3 assumption *) Definition compatible_env(sigma:(map mident value)) (sigmat:(map mident datatype)) (pi:(list (ident* value)%type)) (pit:(list (ident* datatype)%type)): Prop := (forall (id:mident), ((type_value (get sigma id)) = (get sigmat id))) /\ forall (id:ident), ((type_value (get_stack id pi)) = (get_vartype id pit)). Axiom eval_type_term : forall (t:term) (sigma:(map mident value)) (pi:(list (ident* value)%type)) (sigmat:(map mident datatype)) (pit:(list (ident* datatype)%type)) (ty:datatype), (compatible_env sigma sigmat pi pit) -> ((type_term sigmat pit t ty) -> ((type_value (eval_term sigma pi t)) = ty)). Axiom type_preservation : forall (s1:stmt) (s2:stmt) (sigma1:(map mident value)) (sigma2:(map mident value)) (pi1:(list (ident* value)%type)) (pi2:(list (ident* value)%type)) (sigmat:(map mident datatype)) (pit:(list (ident* datatype)%type)), ((type_stmt sigmat pit s1) /\ ((compatible_env sigma1 sigmat pi1 pit) /\ (one_step sigma1 pi1 s1 sigma2 pi2 s2))) -> ((type_stmt sigmat pit s2) /\ (compatible_env sigma2 sigmat pi2 pit)). (* Why3 assumption *) Fixpoint fresh_in_term(x:ident) (t:term) {struct t}: Prop := match t with | (Tvalue _) => True | (Tvar i) => ~ (x = i) | (Tderef _) => True | (Tbin t1 _ t2) => (fresh_in_term x t1) /\ (fresh_in_term x t2) end. (* Why3 assumption *) Fixpoint fresh_in_fmla(id:ident) (f:fmla) {struct f}: Prop := match f with | (Fterm e) => (fresh_in_term id e) | ((Fand f1 f2)|(Fimplies f1 f2)) => (fresh_in_fmla id f1) /\ (fresh_in_fmla id f2) | (Fnot f1) => (fresh_in_fmla id f1) | (Flet y t f1) => (~ (id = y)) /\ ((fresh_in_term id t) /\ (fresh_in_fmla id f1)) | (Fforall y ty f1) => (~ (id = y)) /\ (fresh_in_fmla id f1) end. Parameter msubst_term: term -> mident -> ident -> term. Axiom msubst_term_def : forall (t:term) (r:mident) (v:ident), match t with | ((Tvalue _)|(Tvar _)) => ((msubst_term t r v) = t) | (Tderef x) => ((r = x) -> ((msubst_term t r v) = (Tvar v))) /\ ((~ (r = x)) -> ((msubst_term t r v) = t)) | (Tbin t1 op t2) => ((msubst_term t r v) = (Tbin (msubst_term t1 r v) op (msubst_term t2 r v))) end. (* Why3 assumption *) Fixpoint msubst(f:fmla) (x:mident) (v:ident) {struct f}: fmla := match f with | (Fterm e) => (Fterm (msubst_term e x v)) | (Fand f1 f2) => (Fand (msubst f1 x v) (msubst f2 x v)) | (Fnot f1) => (Fnot (msubst f1 x v)) | (Fimplies f1 f2) => (Fimplies (msubst f1 x v) (msubst f2 x v)) | (Flet y t f1) => (Flet y (msubst_term t x v) (msubst f1 x v)) | (Fforall y ty f1) => (Fforall y ty (msubst f1 x v)) end. Axiom eval_msubst_term : forall (e:term) (sigma:(map mident value)) (pi:(list (ident* value)%type)) (x:mident) (v:ident), (fresh_in_term v e) -> ((eval_term sigma pi (msubst_term e x v)) = (eval_term (set sigma x (get_stack v pi)) pi e)). Axiom eval_msubst : forall (f:fmla) (sigma:(map mident value)) (pi:(list (ident* value)%type)) (x:mident) (v:ident), (fresh_in_fmla v f) -> ((eval_fmla sigma pi (msubst f x v)) <-> (eval_fmla (set sigma x (get_stack v pi)) pi f)). Axiom eval_swap_term : forall (t:term) (sigma:(map mident value)) (pi:(list (ident* value)%type)) (l:(list (ident* value)%type)) (id1:ident) (id2:ident) (v1:value) (v2:value), (~ (id1 = id2)) -> ((eval_term sigma (infix_plpl l (Cons (id1, v1) (Cons (id2, v2) pi))) t) = (eval_term sigma (infix_plpl l (Cons (id2, v2) (Cons (id1, v1) pi))) t)). Axiom eval_swap : forall (f:fmla) (sigma:(map mident value)) (pi:(list (ident* value)%type)) (l:(list (ident* value)%type)) (id1:ident) (id2:ident) (v1:value) (v2:value), (~ (id1 = id2)) -> ((eval_fmla sigma (infix_plpl l (Cons (id1, v1) (Cons (id2, v2) pi))) f) <-> (eval_fmla sigma (infix_plpl l (Cons (id2, v2) (Cons (id1, v1) pi))) f)). Axiom eval_term_change_free : forall (t:term) (sigma:(map mident value)) (pi:(list (ident* value)%type)) (id:ident) (v:value), (fresh_in_term id t) -> ((eval_term sigma (Cons (id, v) pi) t) = (eval_term sigma pi t)). Axiom eval_change_free : forall (f:fmla) (id:ident) (v:value), (fresh_in_fmla id f) -> forall (sigma:(map mident value)) (pi:(list (ident* value)%type)), (eval_fmla sigma (Cons (id, v) pi) f) <-> (eval_fmla sigma pi f). Parameter fresh_from: fmla -> ident. Axiom fresh_from_fmla : forall (f:fmla), (fresh_in_fmla (fresh_from f) f). Parameter abstract_effects: stmt -> fmla -> fmla. Axiom abstract_effects_generalize : forall (sigma:(map mident value)) (pi:(list (ident* value)%type)) (s:stmt) (f:fmla), (eval_fmla sigma pi (abstract_effects s f)) -> (eval_fmla sigma pi f). Axiom abstract_effects_monotonic : forall (s:stmt) (p:fmla) (q:fmla), (valid_fmla (Fimplies p q)) -> forall (sigma:(map mident value)) (pi:(list (ident* value)%type)), (eval_fmla sigma pi (abstract_effects s p)) -> (eval_fmla sigma pi (abstract_effects s q)). Axiom abstract_effects_distrib_conj : forall (s:stmt) (p:fmla) (q:fmla) (sigma:(map mident value)) (pi:(list (ident* value)%type)), ((eval_fmla sigma pi (abstract_effects s p)) /\ (eval_fmla sigma pi (abstract_effects s q))) -> (eval_fmla sigma pi (abstract_effects s (Fand p q))). (* Why3 assumption *) Fixpoint wp (s:stmt) (q:fmla) {struct s}: fmla := match s with | Sskip => q | (Sassert f) => (Fand f (Fimplies f q)) | (Sseq s1 s2) => (wp s1 (wp s2 q)) | (Sassign x t) => let id := (fresh_from q) in (Flet id t (msubst q x id)) | (Sif t s1 s2) => (Fand (Fimplies (Fterm t) (wp s1 q)) (Fimplies (Fnot (Fterm t)) (wp s2 q))) | (Swhile cond inv body) => (Fand inv (abstract_effects body (Fand (Fimplies (Fand (Fterm cond) inv) (wp body inv)) (Fimplies (Fand (Fnot (Fterm cond)) inv) q)))) end. Axiom abstract_effects_writes : forall (sigma:(map mident value)) (pi:(list (ident* value)%type)) (s:stmt) (q:fmla), (eval_fmla sigma pi (abstract_effects s q)) -> (eval_fmla sigma pi (wp s (abstract_effects s q))). Axiom monotonicity : forall (s:stmt) (p:fmla) (q:fmla), (valid_fmla (Fimplies p q)) -> (valid_fmla (Fimplies (wp s p) (wp s q))). Axiom distrib_conj : forall (s:stmt) (sigma:(map mident value)) (pi:(list (ident* value)%type)) (p:fmla) (q:fmla), ((eval_fmla sigma pi (wp s p)) /\ (eval_fmla sigma pi (wp s q))) -> (eval_fmla sigma pi (wp s (Fand p q))). Axiom wp_preserved_by_reduction : forall (sigma:(map mident value)) (sigma':(map mident value)) (pi:(list (ident* value)%type)) (pi':(list (ident* value)%type)) (s:stmt) (s':stmt), (one_step sigma pi s sigma' pi' s') -> forall (q:fmla), (eval_fmla sigma pi (wp s q)) -> (eval_fmla sigma' pi' (wp s' q)). Axiom progress : forall (s:stmt) (sigma:(map mident value)) (pi:(list (ident* value)%type)) (sigmat:(map mident datatype)) (pit:(list (ident* datatype)%type)) (q:fmla), (compatible_env sigma sigmat pi pit) -> ((type_stmt sigmat pit s) -> ((eval_fmla sigma pi (wp s q)) -> ((~ (s = Sskip)) -> (reductible sigma pi s)))). (* Why3 goal *) Theorem wp_soundness : forall (n:Z) (sigma:(map mident value)) (sigma':(map mident value)) (pi:(list (ident* value)%type)) (pi':(list (ident* value)%type)) (s:stmt) (s':stmt) (sigmat:(map mident datatype)) (pit:(list (ident* datatype)%type)) (q:fmla), (compatible_env sigma sigmat pi pit) -> ((type_stmt sigmat pit s) -> (((many_steps sigma pi s sigma' pi' s' n) /\ ((~ (reductible sigma' pi' s')) /\ (eval_fmla sigma pi (wp s q)))) -> ((s' = Sskip) /\ (eval_fmla sigma' pi' q)))). intros n sigma sigma' pi pi' s s' sigmat pit q. intros Hcomp Htype (h1,(h2,h3)). generalize (steps_non_neg _ _ _ _ _ _ _ h1). intros Hnpos. generalize sigma sigma' pi pi' s s' sigmat pit q Hcomp Htype h1 h2 h3. clear sigma sigma' pi pi' s s' sigmat pit q Hcomp Htype h1 h2 h3. generalize Hnpos. pattern n; apply Z_lt_induction; auto. intros x Hind Hxpos. intros. inversion h1; subst; clear h1. (* cas zero etapes *) destruct (decide_is_skip s'). subst s'. split; auto. contradiction h2; clear h2. apply progress with (q:=q) (1:=Hcomp); auto. (* cas au moins une etape *) generalize (steps_non_neg _ _ _ _ _ _ _ H0). intro. generalize (type_preservation s s2 sigma sigma2 pi pi2 sigmat pit). intros h. apply Hind with (y:=n0) (sigmat:=sigmat) (pit:=pit) (5:=H0); intuition. apply wp_preserved_by_reduction with (1:=H); auto. Qed. ������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������why3-1.6.0/examples/WP_revisited/blocking_semantics5/why3session.xml��������������������������������0000664�0000000�0000000�00000072135�14401600263�0025601�0����������������������������������������������������������������������������������������������������ustar�00root����������������������������root����������������������������0000000�0000000������������������������������������������������������������������������������������������������������������������������������������������������������������������������<?xml version="1.0" encoding="UTF-8"?> <!DOCTYPE why3session PUBLIC "-//Why3//proof session v5//EN" "http://why3.lri.fr/why3session.dtd"> <why3session shape_version="6"> <prover id="1" name="Coq" version="8.11.2" timelimit="5" steplimit="0" memlimit="1000"/> <prover id="2" name="Alt-Ergo" version="2.0.0" timelimit="5" steplimit="0" memlimit="1000"/> <prover id="3" name="CVC3" version="2.4.1" timelimit="5" steplimit="0" memlimit="1000"/> <prover id="4" name="Eprover" version="2.0" timelimit="5" steplimit="0" memlimit="1000"/> <prover id="5" name="Eprover" version="1.8-001" timelimit="5" steplimit="0" memlimit="1000"/> <prover id="7" name="CVC4" version="1.5" timelimit="1" steplimit="0" memlimit="1000"/> <prover id="10" name="CVC4" version="1.4" timelimit="1" steplimit="0" memlimit="1000"/> <file format="whyml" proved="true"> <path name=".."/><path name="blocking_semantics5.mlw"/> <theory name="Syntax" proved="true"> <goal name="mident_decide" proved="true"> <proof prover="2"><result status="valid" time="0.00" steps="2"/></proof> </goal> <goal name="ident_decide" proved="true"> <proof prover="2"><result status="valid" time="0.00" steps="2"/></proof> </goal> <goal name="decide_is_skip" proved="true"> <proof prover="2"><result status="valid" time="0.00" steps="3"/></proof> </goal> </theory> <theory name="SemOp" proved="true"> <goal name="get_stack_eq" proved="true"> <proof prover="2"><result status="valid" time="0.00" steps="4"/></proof> </goal> <goal name="get_stack_neq" proved="true"> <proof prover="2"><result status="valid" time="0.01" steps="9"/></proof> </goal> <goal name="steps_non_neg" proved="true"> <proof prover="1"><path name="blocking_semantics5_SemOp_steps_non_neg_1.v"/><result status="valid" time="0.31"/></proof> </goal> </theory> <theory name="TestSemantics" proved="true"> <goal name="Test13" proved="true"> <proof prover="2"><result status="valid" time="0.01" steps="4"/></proof> </goal> <goal name="Test42" proved="true"> <proof prover="2"><result status="valid" time="0.02" steps="4"/></proof> </goal> <goal name="Test0" proved="true"> <proof prover="2"><result status="valid" time="0.01" steps="18"/></proof> </goal> <goal name="Test55" proved="true"> <proof prover="10"><result status="valid" time="0.04"/></proof> </goal> <goal name="Ass42" proved="true"> <proof prover="2"><result status="valid" time="0.03" steps="124"/></proof> </goal> <goal name="If42" proved="true"> <transf name="induction_pr" proved="true" > <goal name="If42.0" proved="true"> <proof prover="2"><result status="valid" time="0.02" steps="12"/></proof> </goal> <goal name="If42.1" proved="true"> <proof prover="2"><result status="valid" time="0.01" steps="13"/></proof> </goal> <goal name="If42.2" proved="true"> <proof prover="2"><result status="valid" time="0.02" steps="11"/></proof> </goal> <goal name="If42.3" proved="true"> <proof prover="2"><result status="valid" time="0.04" steps="199"/></proof> </goal> <goal name="If42.4" proved="true"> <proof prover="10"><result status="valid" time="0.08"/></proof> </goal> <goal name="If42.5" proved="true"> <proof prover="2"><result status="valid" time="0.01" steps="12"/></proof> </goal> <goal name="If42.6" proved="true"> <proof prover="2"><result status="valid" time="0.02" steps="15"/></proof> </goal> <goal name="If42.7" proved="true"> <proof prover="2"><result status="valid" time="0.01" steps="15"/></proof> </goal> </transf> </goal> </theory> <theory name="TypingAndSemantics" proved="true"> <goal name="type_inversion" proved="true"> <transf name="induction_ty_lex" proved="true" > <goal name="type_inversion.0" proved="true"> <proof prover="2"><result status="valid" time="0.02" steps="68"/></proof> </goal> </transf> </goal> <goal name="eval_type_term" proved="true"> <transf name="induction_ty_lex" proved="true" > <goal name="eval_type_term.0" proved="true"> <transf name="split_goal_right" proved="true" > <goal name="eval_type_term.0.0" proved="true"> <proof prover="2"><result status="valid" time="0.06" steps="212"/></proof> </goal> <goal name="eval_type_term.0.1" proved="true"> <proof prover="2"><result status="valid" time="0.02" steps="69"/></proof> </goal> <goal name="eval_type_term.0.2" proved="true"> <proof prover="2"><result status="valid" time="0.06" steps="143"/></proof> </goal> <goal name="eval_type_term.0.3" proved="true"> <proof prover="1"><path name="blocking_semantics5_TypingAndSemantics_eval_type_term_1.v"/><result status="valid" time="0.36"/></proof> </goal> </transf> </goal> </transf> </goal> <goal name="type_preservation" proved="true"> <transf name="induction_pr" proved="true" > <goal name="type_preservation.0" proved="true"> <proof prover="2"><result status="valid" time="0.10" steps="278"/></proof> </goal> <goal name="type_preservation.1" proved="true"> <proof prover="2"><result status="valid" time="0.11" steps="160"/></proof> </goal> <goal name="type_preservation.2" proved="true"> <proof prover="2"><result status="valid" time="0.02" steps="61"/></proof> </goal> <goal name="type_preservation.3" proved="true"> <proof prover="2"><result status="valid" time="0.02" steps="72"/></proof> </goal> <goal name="type_preservation.4" proved="true"> <proof prover="2"><result status="valid" time="0.02" steps="81"/></proof> </goal> <goal name="type_preservation.5" proved="true"> <proof prover="2"><result status="valid" time="0.02" steps="17"/></proof> </goal> <goal name="type_preservation.6" proved="true"> <proof prover="2"><result status="valid" time="0.03" steps="123"/></proof> </goal> <goal name="type_preservation.7" proved="true"> <proof prover="2"><result status="valid" time="0.02" steps="18"/></proof> </goal> </transf> </goal> </theory> <theory name="FreshVariables" proved="true"> <goal name="Cons_append" proved="true"> <proof prover="2"><result status="valid" time="0.02" steps="4"/></proof> </goal> <goal name="Append_nil_l" proved="true"> <proof prover="2"><result status="valid" time="0.01" steps="4"/></proof> </goal> <goal name="eval_msubst_term" proved="true"> <transf name="induction_ty_lex" proved="true" > <goal name="eval_msubst_term.0" proved="true"> <transf name="split_goal_right" proved="true" > <goal name="eval_msubst_term.0.0" proved="true"> <proof prover="2"><result status="valid" time="0.02" steps="12"/></proof> </goal> <goal name="eval_msubst_term.0.1" proved="true"> <proof prover="2"><result status="valid" time="0.02" steps="12"/></proof> </goal> <goal name="eval_msubst_term.0.2" proved="true"> <proof prover="2"><result status="valid" time="0.02" steps="32"/></proof> </goal> <goal name="eval_msubst_term.0.3" proved="true"> <proof prover="2"><result status="valid" time="0.02" steps="33"/></proof> </goal> </transf> </goal> </transf> </goal> <goal name="eval_msubst" proved="true"> <transf name="induction_ty_lex" proved="true" > <goal name="eval_msubst.0" proved="true"> <transf name="split_goal_right" proved="true" > <goal name="eval_msubst.0.0" proved="true"> <proof prover="2"><result status="valid" time="0.02" steps="34"/></proof> </goal> <goal name="eval_msubst.0.1" proved="true"> <proof prover="2"><result status="valid" time="0.02" steps="35"/></proof> </goal> <goal name="eval_msubst.0.2" proved="true"> <proof prover="2"><result status="valid" time="0.02" steps="84"/></proof> </goal> <goal name="eval_msubst.0.3" proved="true"> <proof prover="2"><result status="valid" time="0.02" steps="92"/></proof> </goal> <goal name="eval_msubst.0.4" proved="true"> <proof prover="2"><result status="valid" time="0.02" steps="35"/></proof> </goal> <goal name="eval_msubst.0.5" proved="true"> <proof prover="2"><result status="valid" time="0.02" steps="37"/></proof> </goal> <goal name="eval_msubst.0.6" proved="true"> <proof prover="2"><result status="valid" time="0.02" steps="57"/></proof> </goal> <goal name="eval_msubst.0.7" proved="true"> <proof prover="2"><result status="valid" time="0.02" steps="90"/></proof> </goal> <goal name="eval_msubst.0.8" proved="true"> <proof prover="2"><result status="valid" time="0.11" steps="424"/></proof> </goal> <goal name="eval_msubst.0.9" proved="true"> <proof prover="2"><result status="valid" time="0.03" steps="114"/></proof> </goal> <goal name="eval_msubst.0.10" proved="true"> <proof prover="2"><result status="valid" time="0.23" steps="1050"/></proof> </goal> <goal name="eval_msubst.0.11" proved="true"> <proof prover="2"><result status="valid" time="0.06" steps="300"/></proof> </goal> </transf> </goal> </transf> </goal> <goal name="eval_swap_term" proved="true"> <transf name="induction_ty_lex" proved="true" > <goal name="eval_swap_term.0" proved="true"> <transf name="split_goal_right" proved="true" > <goal name="eval_swap_term.0.0" proved="true"> <proof prover="2"><result status="valid" time="0.01" steps="6"/></proof> </goal> <goal name="eval_swap_term.0.1" proved="true"> <transf name="introduce_premises" proved="true" > <goal name="eval_swap_term.0.1.0" proved="true"> <transf name="induction_arg_ty_lex" proved="true" arg1="l"> <goal name="eval_swap_term.0.1.0.0" proved="true"> <proof prover="2" timelimit="1"><result status="valid" time="0.18" steps="676"/></proof> </goal> </transf> </goal> </transf> </goal> <goal name="eval_swap_term.0.2" proved="true"> <proof prover="2"><result status="valid" time="0.02" steps="6"/></proof> </goal> <goal name="eval_swap_term.0.3" proved="true"> <proof prover="2"><result status="valid" time="0.04" steps="66"/></proof> </goal> </transf> </goal> </transf> </goal> <goal name="eval_swap_gen" proved="true"> <transf name="induction_ty_lex" proved="true" > <goal name="eval_swap_gen.0" proved="true"> <transf name="split_goal_right" proved="true" > <goal name="eval_swap_gen.0.0" proved="true"> <proof prover="2"><result status="valid" time="0.02" steps="48"/></proof> </goal> <goal name="eval_swap_gen.0.1" proved="true"> <proof prover="2"><result status="valid" time="0.02" steps="48"/></proof> </goal> <goal name="eval_swap_gen.0.2" proved="true"> <proof prover="2"><result status="valid" time="0.03" steps="131"/></proof> </goal> <goal name="eval_swap_gen.0.3" proved="true"> <proof prover="2"><result status="valid" time="0.03" steps="131"/></proof> </goal> <goal name="eval_swap_gen.0.4" proved="true"> <proof prover="2"><result status="valid" time="0.02" steps="52"/></proof> </goal> <goal name="eval_swap_gen.0.5" proved="true"> <proof prover="2"><result status="valid" time="0.02" steps="52"/></proof> </goal> <goal name="eval_swap_gen.0.6" proved="true"> <proof prover="2"><result status="valid" time="0.02" steps="63"/></proof> </goal> <goal name="eval_swap_gen.0.7" proved="true"> <proof prover="2"><result status="valid" time="0.02" steps="63"/></proof> </goal> <goal name="eval_swap_gen.0.8" proved="true"> <proof prover="2"><result status="valid" time="0.04" steps="170"/></proof> </goal> <goal name="eval_swap_gen.0.9" proved="true"> <proof prover="2"><result status="valid" time="0.04" steps="170"/></proof> </goal> <goal name="eval_swap_gen.0.10" proved="true"> <proof prover="2"><result status="valid" time="3.34" steps="1591"/></proof> </goal> <goal name="eval_swap_gen.0.11" proved="true"> <proof prover="2"><result status="valid" time="3.31" steps="1591"/></proof> </goal> </transf> </goal> </transf> </goal> <goal name="eval_swap" proved="true"> <proof prover="10"><result status="valid" time="0.10"/></proof> </goal> <goal name="eval_term_change_free" proved="true"> <transf name="induction_ty_lex" proved="true" > <goal name="eval_term_change_free.0" proved="true"> <transf name="split_goal_right" proved="true" > <goal name="eval_term_change_free.0.0" proved="true"> <proof prover="2"><result status="valid" time="0.02" steps="6"/></proof> </goal> <goal name="eval_term_change_free.0.1" proved="true"> <proof prover="2"><result status="valid" time="0.02" steps="27"/></proof> </goal> <goal name="eval_term_change_free.0.2" proved="true"> <proof prover="2"><result status="valid" time="0.02" steps="6"/></proof> </goal> <goal name="eval_term_change_free.0.3" proved="true"> <proof prover="2"><result status="valid" time="0.02" steps="34"/></proof> </goal> </transf> </goal> </transf> </goal> <goal name="eval_change_free" proved="true"> <transf name="induction_ty_lex" proved="true" > <goal name="eval_change_free.0" proved="true"> <transf name="split_goal_right" proved="true" > <goal name="eval_change_free.0.0" proved="true"> <proof prover="2"><result status="valid" time="0.02" steps="37"/></proof> </goal> <goal name="eval_change_free.0.1" proved="true"> <proof prover="2"><result status="valid" time="0.02" steps="31"/></proof> </goal> <goal name="eval_change_free.0.2" proved="true"> <proof prover="2"><result status="valid" time="0.03" steps="136"/></proof> </goal> <goal name="eval_change_free.0.3" proved="true"> <proof prover="2"><result status="valid" time="0.02" steps="78"/></proof> </goal> <goal name="eval_change_free.0.4" proved="true"> <proof prover="2"><result status="valid" time="0.02" steps="41"/></proof> </goal> <goal name="eval_change_free.0.5" proved="true"> <proof prover="2"><result status="valid" time="0.02" steps="30"/></proof> </goal> <goal name="eval_change_free.0.6" proved="true"> <proof prover="2"><result status="valid" time="0.02" steps="114"/></proof> </goal> <goal name="eval_change_free.0.7" proved="true"> <proof prover="2"><result status="valid" time="0.02" steps="36"/></proof> </goal> <goal name="eval_change_free.0.8" proved="true"> <proof prover="2"><result status="valid" time="0.05" steps="176"/></proof> </goal> <goal name="eval_change_free.0.9" proved="true"> <proof prover="2"><result status="valid" time="0.03" steps="110"/></proof> </goal> <goal name="eval_change_free.0.10" proved="true"> <transf name="introduce_premises" proved="true" > <goal name="eval_change_free.0.10.0" proved="true"> <transf name="subst" proved="true" arg1="f"> <goal name="eval_change_free.0.10.0.0" proved="true"> <transf name="compute_in_goal" proved="true" > <goal name="eval_change_free.0.10.0.0.0" proved="true"> <transf name="destruct_term" proved="true" arg1="x1"> <goal name="eval_change_free.0.10.0.0.0.0" proved="true"> <proof prover="7"><result status="valid" time="0.18" steps="30352"/></proof> </goal> <goal name="eval_change_free.0.10.0.0.0.1" proved="true"> <proof prover="7"><result status="valid" time="0.13" steps="30056"/></proof> </goal> <goal name="eval_change_free.0.10.0.0.0.2" proved="true"> <proof prover="7"><result status="valid" time="0.15" steps="21930"/></proof> </goal> </transf> </goal> </transf> </goal> </transf> </goal> </transf> </goal> <goal name="eval_change_free.0.11" proved="true"> <proof prover="2"><result status="valid" time="0.09" steps="445"/></proof> </goal> </transf> </goal> </transf> </goal> </theory> <theory name="HoareLogic" proved="true"> <goal name="many_steps_seq" proved="true"> <transf name="introduce_premises" proved="true" > <goal name="many_steps_seq.0" proved="true"> <transf name="induction" proved="true" arg1="n"> <goal name="many_steps_seq.0.0" expl="base case" proved="true"> <proof prover="7"><result status="valid" time="0.08" steps="18957"/></proof> </goal> <goal name="many_steps_seq.0.1" expl="recursive case" proved="true"> <transf name="inversion_arg_pr" proved="true" arg1="H"> <goal name="many_steps_seq.0.1.0" expl="recursive case" proved="true"> <proof prover="7"><result status="valid" time="0.06" steps="18984"/></proof> </goal> <goal name="many_steps_seq.0.1.1" expl="recursive case" proved="true"> <transf name="simplify_trivial_quantification_in_goal" proved="true" > <goal name="many_steps_seq.0.1.1.0" expl="recursive case" proved="true"> <transf name="introduce_premises" proved="true" > <goal name="many_steps_seq.0.1.1.0.0" expl="recursive case" proved="true"> <transf name="inversion_arg_pr" proved="true" arg1="H2"> <goal name="many_steps_seq.0.1.1.0.0.0" expl="recursive case" proved="true"> <proof prover="7"><result status="valid" time="0.06" steps="19667"/></proof> </goal> <goal name="many_steps_seq.0.1.1.0.0.1" expl="recursive case" proved="true"> <proof prover="7"><result status="valid" time="0.08" steps="21549"/></proof> </goal> <goal name="many_steps_seq.0.1.1.0.0.2" expl="recursive case" proved="true"> <proof prover="7"><result status="valid" time="0.08" steps="19296"/></proof> </goal> <goal name="many_steps_seq.0.1.1.0.0.3" expl="recursive case" proved="true"> <proof prover="7"><result status="valid" time="0.06" steps="19370"/></proof> </goal> <goal name="many_steps_seq.0.1.1.0.0.4" expl="recursive case" proved="true"> <proof prover="7"><result status="valid" time="0.06" steps="19393"/></proof> </goal> <goal name="many_steps_seq.0.1.1.0.0.5" expl="recursive case" proved="true"> <proof prover="7"><result status="valid" time="0.09" steps="19575"/></proof> </goal> <goal name="many_steps_seq.0.1.1.0.0.6" expl="recursive case" proved="true"> <proof prover="7"><result status="valid" time="0.09" steps="19700"/></proof> </goal> <goal name="many_steps_seq.0.1.1.0.0.7" expl="recursive case" proved="true"> <proof prover="7"><result status="valid" time="0.07" steps="19824"/></proof> </goal> </transf> </goal> </transf> </goal> </transf> </goal> </transf> </goal> </transf> </goal> </transf> </goal> <goal name="consequence_rule" proved="true"> <proof prover="3" timelimit="30"><result status="valid" time="0.24"/></proof> </goal> <goal name="skip_rule" proved="true"> <proof prover="2"><result status="valid" time="0.07" steps="267"/></proof> </goal> <goal name="assign_rule" proved="true"> <proof prover="2"><result status="valid" time="0.53" steps="1797"/></proof> </goal> <goal name="seq_rule" proved="true"> <proof prover="2"><result status="valid" time="0.12" steps="408"/></proof> </goal> <goal name="if_rule" proved="true"> <transf name="inline_all" proved="true" > <goal name="if_rule.0" proved="true"> <transf name="induction_pr" proved="true" > <goal name="if_rule.0.0" proved="true"> <proof prover="2"><result status="valid" time="0.02" steps="13"/></proof> </goal> <goal name="if_rule.0.1" proved="true"> <proof prover="10" timelimit="10" memlimit="4000"><result status="valid" time="3.10"/></proof> <transf name="inversion_pr" proved="true" > <goal name="if_rule.0.1.0" proved="true"> <proof prover="10"><result status="valid" time="0.08"/></proof> </goal> <goal name="if_rule.0.1.1" proved="true"> <proof prover="2"><result status="valid" time="0.02" steps="21"/></proof> </goal> <goal name="if_rule.0.1.2" proved="true"> <proof prover="2"><result status="valid" time="0.02" steps="20"/></proof> </goal> <goal name="if_rule.0.1.3" proved="true"> <proof prover="7"><result status="valid" time="0.11" steps="24534"/></proof> </goal> <goal name="if_rule.0.1.4" proved="true"> <proof prover="7"><result status="valid" time="0.10" steps="24563"/></proof> </goal> <goal name="if_rule.0.1.5" proved="true"> <proof prover="2"><result status="valid" time="0.02" steps="21"/></proof> </goal> <goal name="if_rule.0.1.6" proved="true"> <proof prover="10"><result status="valid" time="0.06"/></proof> </goal> <goal name="if_rule.0.1.7" proved="true"> <proof prover="2"><result status="valid" time="0.02" steps="24"/></proof> </goal> </transf> </goal> </transf> </goal> </transf> </goal> <goal name="assert_rule" proved="true"> <proof prover="2"><result status="valid" time="0.15" steps="516"/></proof> </goal> <goal name="assert_rule_ext" proved="true"> <proof prover="2"><result status="valid" time="0.17" steps="833"/></proof> </goal> <goal name="while_rule" proved="true"> <proof prover="1"><path name="blocking_semantics5_HoareLogic_while_rule_1.v"/><result status="valid" time="0.52"/></proof> </goal> </theory> <theory name="WP" proved="true"> <goal name="monotonicity" proved="true"> <transf name="induction_ty_lex" proved="true" > <goal name="monotonicity.0" proved="true"> <transf name="split_goal_right" proved="true" > <goal name="monotonicity.0.0" proved="true"> <proof prover="2"><result status="valid" time="0.03" steps="16"/></proof> </goal> <goal name="monotonicity.0.1" proved="true"> <transf name="introduce_premises" proved="true" > <goal name="monotonicity.0.1.0" proved="true"> <transf name="subst" proved="true" arg1="s"> <goal name="monotonicity.0.1.0.0" proved="true"> <transf name="unfold" proved="true" arg1="wp"> <goal name="monotonicity.0.1.0.0.0" proved="true"> <transf name="compute_specified" proved="true" > <goal name="monotonicity.0.1.0.0.0.0" proved="true"> <transf name="unfold" proved="true" arg1="valid_fmla"> <goal name="monotonicity.0.1.0.0.0.0.0" proved="true"> <transf name="unfold" proved="true" arg1="valid_fmla" arg2="in" arg3="H"> <goal name="monotonicity.0.1.0.0.0.0.0.0" proved="true"> <transf name="unfold" proved="true" arg1="eval_fmla" arg2="in" arg3="H"> <goal name="monotonicity.0.1.0.0.0.0.0.0.0" proved="true"> <transf name="unfold" proved="true" arg1="eval_fmla"> <goal name="monotonicity.0.1.0.0.0.0.0.0.0.0" proved="true"> <transf name="compute_specified" proved="true" > <goal name="monotonicity.0.1.0.0.0.0.0.0.0.0.0" proved="true"> <proof prover="7"><result status="valid" time="0.14" steps="33014"/></proof> </goal> </transf> </goal> </transf> </goal> </transf> </goal> </transf> </goal> </transf> </goal> </transf> </goal> </transf> </goal> </transf> </goal> </transf> </goal> <goal name="monotonicity.0.2" proved="true"> <proof prover="2"><result status="valid" time="0.02" steps="67"/></proof> </goal> <goal name="monotonicity.0.3" proved="true"> <proof prover="3"><result status="valid" time="0.24"/></proof> </goal> <goal name="monotonicity.0.4" proved="true"> <proof prover="3"><result status="valid" time="0.09"/></proof> </goal> <goal name="monotonicity.0.5" proved="true"> <proof prover="1"><path name="blocking_semantics5_WP_monotonicity_3.v"/><result status="valid" time="0.36"/></proof> </goal> </transf> </goal> </transf> </goal> <goal name="distrib_conj" proved="true"> <transf name="induction_ty_lex" proved="true" > <goal name="distrib_conj.0" proved="true"> <transf name="split_goal_right" proved="true" > <goal name="distrib_conj.0.0" proved="true"> <proof prover="2"><result status="valid" time="0.03" steps="28"/></proof> </goal> <goal name="distrib_conj.0.1" proved="true"> <proof prover="2"><result status="valid" time="0.23" steps="1153"/></proof> </goal> <goal name="distrib_conj.0.2" proved="true"> <transf name="introduce_premises" proved="true" > <goal name="distrib_conj.0.2.0" proved="true"> <transf name="assert" proved="true" arg1="(valid_fmla (Fimplies (Fand (wp x p) (wp x q)) (wp x (Fand p q))))"> <goal name="distrib_conj.0.2.0.0" expl="asserted formula" proved="true"> <proof prover="7"><result status="valid" time="0.13" steps="28780"/></proof> </goal> <goal name="distrib_conj.0.2.0.1" proved="true"> <transf name="instantiate" proved="true" arg1="monotonicity" arg2="x1,(Fand (wp x p) (wp x q)),(wp x (Fand p q))"> <goal name="distrib_conj.0.2.0.1.0" proved="true"> <proof prover="4"><result status="valid" time="0.35"/></proof> </goal> </transf> </goal> </transf> </goal> </transf> </goal> <goal name="distrib_conj.0.3" proved="true"> <proof prover="2"><result status="valid" time="0.06" steps="303"/></proof> </goal> <goal name="distrib_conj.0.4" proved="true"> <proof prover="2"><result status="valid" time="0.04" steps="175"/></proof> </goal> <goal name="distrib_conj.0.5" proved="true"> <proof prover="1"><path name="blocking_semantics5_WP_distrib_conj_3.v"/><result status="valid" time="0.41"/></proof> </goal> </transf> </goal> </transf> </goal> <goal name="wp_preserved_by_reduction" proved="true"> <transf name="induction_pr" proved="true" > <goal name="wp_preserved_by_reduction.0" proved="true"> <proof prover="2" timelimit="10" memlimit="4000"><result status="valid" time="2.92" steps="3551"/></proof> </goal> <goal name="wp_preserved_by_reduction.1" proved="true"> <proof prover="7"><result status="valid" time="0.09" steps="26480"/></proof> </goal> <goal name="wp_preserved_by_reduction.2" proved="true"> <proof prover="7"><result status="valid" time="0.10" steps="25225"/></proof> </goal> <goal name="wp_preserved_by_reduction.3" proved="true"> <proof prover="7"><result status="valid" time="0.10" steps="26676"/></proof> </goal> <goal name="wp_preserved_by_reduction.4" proved="true"> <proof prover="7"><result status="valid" time="0.11" steps="26733"/></proof> </goal> <goal name="wp_preserved_by_reduction.5" proved="true"> <proof prover="7"><result status="valid" time="0.12" steps="26920"/></proof> </goal> <goal name="wp_preserved_by_reduction.6" proved="true"> <proof prover="7"><result status="valid" time="0.46" steps="81415"/></proof> </goal> <goal name="wp_preserved_by_reduction.7" proved="true"> <proof prover="7"><result status="valid" time="0.42" steps="73140"/></proof> </goal> </transf> </goal> <goal name="progress" proved="true"> <transf name="induction_ty_lex" proved="true" > <goal name="progress.0" proved="true"> <transf name="split_goal_right" proved="true" > <goal name="progress.0.0" proved="true"> <proof prover="2"><result status="valid" time="0.02" steps="11"/></proof> </goal> <goal name="progress.0.1" proved="true"> <proof prover="1"><path name="blocking_semantics5_WP_progress_1.v"/><result status="valid" time="0.34"/></proof> <proof prover="10"><result status="valid" time="0.20"/></proof> </goal> <goal name="progress.0.2" proved="true"> <transf name="introduce_premises" proved="true" > <goal name="progress.0.2.0" proved="true"> <transf name="case" proved="true" arg1="(x1 = Sskip)"> <goal name="progress.0.2.0.0" expl="true case" proved="true"> <proof prover="5"><result status="valid" time="0.15"/></proof> </goal> <goal name="progress.0.2.0.1" expl="false case" proved="true"> <transf name="inversion_arg_pr" proved="true" arg1="H2"> <goal name="progress.0.2.0.1.0" expl="false case" proved="true"> <proof prover="7"><result status="valid" time="0.07" steps="23529"/></proof> </goal> <goal name="progress.0.2.0.1.1" expl="false case" proved="true"> <transf name="introduce_premises" proved="true" > <goal name="progress.0.2.0.1.1.0" expl="false case" proved="true"> <transf name="instantiate" proved="true" arg1="H8" arg2="sigma1,pi1,sigmat,pit,(wp s2 q)"> <goal name="progress.0.2.0.1.1.0.0" expl="false case" proved="true"> <proof prover="4"><result status="valid" time="1.98"/></proof> </goal> </transf> </goal> </transf> </goal> <goal name="progress.0.2.0.1.2" expl="false case" proved="true"> <proof prover="7"><result status="valid" time="0.08" steps="25727"/></proof> </goal> <goal name="progress.0.2.0.1.3" expl="false case" proved="true"> <proof prover="7"><result status="valid" time="0.10" steps="26234"/></proof> </goal> <goal name="progress.0.2.0.1.4" expl="false case" proved="true"> <proof prover="7"><result status="valid" time="0.11" steps="25610"/></proof> </goal> <goal name="progress.0.2.0.1.5" expl="false case" proved="true"> <proof prover="7"><result status="valid" time="0.10" steps="26418"/></proof> </goal> </transf> </goal> </transf> </goal> </transf> </goal> <goal name="progress.0.3" proved="true"> <proof prover="1"><path name="blocking_semantics5_WP_progress_3.v"/><result status="valid" time="0.45"/></proof> <proof prover="10" timelimit="10" memlimit="4000"><result status="valid" time="4.62"/></proof> </goal> <goal name="progress.0.4" proved="true"> <proof prover="2"><result status="valid" time="0.05" steps="179"/></proof> </goal> <goal name="progress.0.5" proved="true"> <proof prover="1"><path name="blocking_semantics5_WP_progress_5.v"/><result status="valid" time="0.42"/></proof> </goal> </transf> </goal> </transf> </goal> <goal name="wp_soundness" proved="true"> <proof prover="1" timelimit="30"><path name="blocking_semantics5_WP_wp_soundness_1.v"/><result status="valid" time="0.44"/></proof> </goal> </theory> </file> </why3session> �����������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������why3-1.6.0/examples/WP_revisited/blocking_semantics5/why3shapes.gz����������������������������������0000664�0000000�0000000�00000031660�14401600263�0025217�0����������������������������������������������������������������������������������������������������ustar�00root����������������������������root����������������������������0000000�0000000������������������������������������������������������������������������������������������������������������������������������������������������������������������������������}[ ?` " pvd`K;?_k5kFlɱ5jVbfM~+o'q+WoAM_woM:#?~9x2+1 >ٓ[ J 'G"J1O$)$G?=w+�U_ܧᇜNGBy~*F]< ;ܿ^ۛ?<.0e/3w_| ug.2ԥ?)bI�^87X_sb!o/sK8;Ҁ /X :+MÜ$0p "!3ʇ_RV BD}RJU*@n/UjCY6i쯼4e"sƼDrw!Zq?gZSOj5dvO߿LCw^><O-hwElTH=ۿy2.] zq[p:kB7kÈ_Sw7|CJN43@=/ɏOowҲl`]mW]1ȈA%J ʏ L7~x˯daˢ`!~J=$^t$sî{Ja)[(֧]`G+¯yxR>{ %^@5E6.F&~[/wE8EE?ŖE::W'ӮsBJj )-bj<_BQ~Icd'}A#-"UGtOu]SNf�⼶WU˸~&Jt&mrήVSFn_IT(z(Zl  I ߓCڧ&u$rCy dZ,챱Rg�<ۘ<S.XOL0ӮBm(!,1u"(vv }Jo:))('NvP_xXiR~nӜ=a)F!t&VIR ỶݘPŦ>Jڈ'*yxKۮZMN8zaxx\t@6x!CGmO.?KkS%wP~J:n"`FzFM/4#,;!hJAjBZ$y*vԊqbC |M~uZe]/2R5e9vȜV5vB9X%M7'XgWc)g3Zz\bȈq5 2$9GPơԤ]"׈s83q7̗tJKU{HSѐƢm볧.J VYȺcN송wE"zN?i[Y-aO gy#->f#NP1\yι)1kGPSL#2ѣ{BfF1֚inG$QOGKpU_yyXǸB|ה9f$û -gM]nqTZU?ai̙,U hB\8LFݹ>ϒZ߿K/_.זo퀚pk\!y-itIcgKB]nڧY8"Wی2+fw% 6lGs$[FЅQԏ-(yZ{KT??%(+B7'蓑VT*lsxi?:4LF҆TnCͮdץG[ i<~jzfY{kѲџf(rfYHaY6\u1d._JZE5)迮Uuyk9{V-XS% tW/{w.JZ{aXq$~T[Jx ܜfeHUzs~C|{sNjIDUfpT {I/?l:kDY?yuCe7OTOfL 2ό]}_ڴܕo6'O[~L rG 'ٕ>i t}B,ȍK$2n+:q^)*w*Z>xNgy]A.Fa^|ҙѴ=R(N@T3}dvWy:oןԕmO۹ xO"趻n϶�hĉSB2n+el:.iD"|�fO#\N] rQ'_F]ú{ƼaT=w^iyYU*{O'ҍXu*jZ)kU28Ci2oVӣٶv14J,su[/Sڟ9af~vNTM93%^:TZq:pzg|V{۵*/"l^+:J2I3[в=nӑOboW+e}fzjT~]x􇔣EޗM|P8Ig n[2vZmW@o޺!.Zڭ<6m0E%'pc`R`Mv)Շ^m*X->6U{Ρmε`>ٹ Im|>6n+< pדܷɷysUǒ}lWy.l<Cɀ?-A>yp86vF٧4q׫>b=*G1׽Y&2#>o/EsW4 m+ tˣx2ip1�%u]:Ļ_wRY 3Ca;p{ Tm:G xo�G}t@@fr2ıͦG`�h9lʣMnF9Jk,v½XכsG%~p7lN v@Qߡ١ Py3׮}q΍hXt׼ C4chf)si�@5� - 5|s>Y7.k">,ϖ0£u,8&wQ,(r |eA(#c[<cjQp -[ipMƆ"-]Z!lT!l6`8OjX5HgGۧzSCſ6 lP`}7OkO $ӣ|n5�HGzo{vc_䥍=t{BdCkʒ=Յ7yFlu]O`z"TB :\w^Fwv5. v.{:kvY'}WODS* Ѳ2y<,wS=K>$t~LuO?kY:_4,!t%-:ozw0|5+P@gWELvԣ,P}h2qOuQ蒋jӫHuhEp>ZNrZ TߩL䛘Sj/"f~q} @Q1]ht bGyh=S9xĿmSj(w[OuۤG U7/! U fBubQӶ=`�xV@Hg+=SZ&uuSH_.зЅ;-zy|3Ո`QРtl}~倯 ]7Kp]R_tb1t"/bwkjvh#U@g�k;IOq"[g8}ktw.?{qf?zH/\h~-GO'[ %w1*`8`n /b+ *,�= kz]pyq9.덴4m�-}|;.}-dO_8߸^M_sg%~;ę3qmt[ves^S'ԩBO$tۙz+s;7ݕeޥwJJY:벶|6 U/|Z-Fdhn`~\0.D�p%6Z<[+TkQF[럛1螊v _iwpm F[TW c`^|!C‹'X|!\GƦV>xc] ]nwŅJ(Wr5rMH QMO=C*V}Qs!r^5- Z gYr]S8udsu':DI]PKh>J۬t{Nmo̗ Lyl9׵rKמ0mίҞ#|\&r|e=H`tnS<iX.SYֲ(-5sY*@W4J˴WRd:kv }Cd+Kz[{*v֗UoeBi]>έtZrM F6uAA5H%nÆD0,j}ѫ`OҐץub Miq|6տ[bD^ժO |@<Li~\)OgԑTkR.&]*Y0 Ϣ?Ű#q2@+Y ,x t@AUUȬxה(ʟnM 1IAw@Z)c9Ό=J!x$f3_T+s<Vc& ÅBdz*}K/Y*]k2 $_O^eHTn.(LS zObeGR|_bOjJ$4 l( mvWS\) ۏ/pܢGGBV9镅?[Y,Kv,|4/:DbWAג**Ų@lks9;e)+; yU(:[`,HY3ɪkM <`+)*P_4izBg7` yj2̮BKYD1tuv ׆~aq#:XuSGâ` 2*‘IaݍĀ+c ϪV�sUMYQ}". lxn KHa (7m:9aO�Q/GPy]@_BoT7 㟝o-z|{OPvTrK?.n'|)~Q?lHb=)WEdi]v[Z1.1{9Փ+(C O=+=Y[pQgI 3z-kIsd n܍l#1UebB]D*b#"WHÞrV[Q"~ݲ-ڍM-g}X:YdǷt6-[K\-"TZv~PZ]j[vM,}o&xf�7)_t'!R"�rcB?V稗k6~^cZ�, aab"AӁ&v]7ۼT5Iᕕrs̓wi|.sAAILhɒñO0큄 -_xR3oVw-xם!Et)؃Po˿ٛ)u_\[~98qT$㴜o^:+oI.@vnߏ\Ŝ|%> /tXbj>k&=.oCj$tm j}(PʫXރ$L#vރ\Mz۞�ˋ+MoO*Ob`7QWe3#md6 lB>aG6L,_,e5Qm X߲eGU63^Y=m-P o3=K\o=_mA'u  +j { Pr|*/)k;Ω7=UP o8 ?/-*4ձ[.po ߤk~!ػ~VҖ/+Wk~af6+g/){/~{lU(i[: Á/]~q>GRuηm@WuaH}/t@yzp 3hs/WWNW_X8zQt"26W7_Μ`jJ$HW ~EمgIknaZ+嗫2e}iruQ²Hr@VI /\?U19/ʇ̅X~9xod8QZo@MBβ`;ʪtA?~~>؇@QKx]25\Xlz2OcsW=,u./Z<c5߅zAK{) n2�n<%8n:8)]Q^<}tA$qw]qߩ&0h=ji+åJMo4@eV,򾕧 _Dߕ±�. (]toITh=h̗ZYgrƟC]6;7x “k eu~[|ů+ԘkOWzfr%`U؇@QKkJI5 d/,[W] EIy1�-G-]�R5+5h=jy ,[ZnZoUHomU�-G-�.5+x>ZnZ1jB\w_BVoiWZ6 jMhDEխjK5?7HyZ}a>aA]�+ݐ?dO;'-:p|dgzF.Kog{Ĕ͈xcԒD&‹ݱ-L72i!^◯.l"63){%u(~;+vBiv6獱zSLG7z#ղP;`}t6OpjQu?ۃa{+sކ9Nj௶cYf~/vQsX%?_=._&q??V#яF.7AԑM3rgb;ӕG\ϹOQ1Idrذu=iĂrok'-Xni-0PX3i#%oJszm`B7~In]o~ܥ7]]:\t;xw3{ .W5Ua7ф֛eGє"ȱn+-4o{f/zQ< uG~]ޤl/^|DzXM.h8L^_=*X`˷ľ]`X`ϫX(~0>6~(&Gf }_b;\v0<g+b=JnS%_7w_!oTo.!y̍gC,|o FʺI e,bY&1ל9Kqp]vaĺD N6rXoç_+>-{gmwݮmA]m&߷;L^YUo-EG-w|QmUwFef&_VO v.o]`IHwm+׃[j~oš= WCSWYf3;$/tޥ/xrj{ ޥ~ `1nBCY})`kpZr̹Ľ(F0PWuˠi^f n3Subumo8Jm{}eY^mB Na�&5f? <lf ~D+qc a>0&9g�R�11nV޺> qJh5~� i ~L^ rp2;[X hn<$,vJ:5od6MV~0Rdl�c@3$쨬G$-0٫(7>IYaM�=01h\6'=x?y9g! (pliA7 z2L7QAY7ÜI iKy#LG0sk�H⿸`eBda(p1MӀus#;r2S*Ũ5Ί^֒2H QfCM2k�7G *ensEvatPAARfgUy FH{&3 ϕO#AaZA#A 9if,\ƤӨs*q"aO "68kDPI|D 2orBR.9~ZAQ!G3UuH"'lz0"7<6&o'h`9*PwJΘXL X pQC g{&N� X #2R'TC`@C>''�85;BqGG,<A+;J S-X59(#8fƪ! 1ZJU&5+LYNN uVF烟<9L8xxEtyX)넎4AA|. ǜ #k;AC`d`m<ߤ)fE- -nS yzC%GK25�(�F)9qH9@˒. >ʣD'`D<ӮҒAY!Jz3m ~6$ I0dcLvgDf$lTc$@u!x1C&(nMg aqГԜ$89l؜ ;jz=X͐BNb!3‚ʨ)F0 Af7YZ6[xl0 cj-Q:>&fyX0f1KvvOio. R!V@uFEKL<X3y:6\sPAH>)(!d(q8I+,K;D'I(Sdg蹟G :;80‚ Ly;9\`V`x2+RAJ a"_>`+RSF4d0]#)|] ?jH滺D!0B$IrqN X}Ldy]HQ^8+|f{l3fĂhjf$% R^e)Al9U_n CKQHVxe0j'a!8s[L0ڤ4iV֐;'`$F_0xbv08DD+<`awD#i  a.W),rH#b3Yg_\bI#4ygs9㔂@k4aAC 9!&ZD�AP 0b e@* 7#G)8=Q_AeA\LQ4LP=\Ȉ%B!@eיA;o͊HLc;Î 2EE< Z"Lj%$ ~3=}-*.MD0b%j3b"kH3"q:1N)SHb "I=1v3=9 �VrB�8xa =ǤuHIGPNr0}Jȃ{DHF(f`nMs#Ya àF?#iCiRQMJ2a#2JdMf|# X.-BH`l= @ 0̎#* @tCj btQ죊8[  s"P1D6 6Q!N5TAV}I$3*"4M#uAG Neqf xaF ^߀`z"D.�D)4Ja- 5JM biN obV)BffEʐ3DF3k1H[ |*J3TxR!^tX^)3DTؒԃ,5R٨A?Upa("<65 +Tb[d7)鳙Lt7Cl>e-<ZI<0!U;ĆIzGOA#F\|R䅰!6"<@U%``f\B&( 6*G ;H/uLv!A9ŠHZ HH9X idF$[>W7hN!_4q9JccsE4 4ࣤPb rw ?DE nܦ9�ܴ Q̈ќ"#/|VW#"rDM3>나X"@�qB3̈́4HЅupNջnW!RI0sZr+J!SB%E4xcq0TDŽM'9)D{Ր#nMD<v!ax%y-C6陥 FFyP 75@AŞI=E$Ge0p $ʁ,z#1yβk3Rq(&$$P�T JZ1=dBQa2HI*B0q] "�IZ B#q3,F礟) J?⌬$rCF2 A`&aa+tE 9W6)@z{/CPgG&t<Op9UDA#G݄ K!zJ ~j"[B9 : =ǠĘhlUAmE6sVzq6To73Ղ|2A TİAA !&<RNe9qƬđ̀ N4"Fab!zOu 怼�mq"{D1#À ԟ7MM&Yo?# #p)\IlPF (CS�wldAC`agyбfpڸrmwQs0,ݬ`LQxqQ!Rh!̖JQr9Pq")ZAƐpU}587"ZFdR0ӻv@1!IAǀuuws.]THDg%}1!+dsjfT?jF@H[~dHf^zwQox?X=sDȟtpUNN1& Ï s0н9v {H.Db@0� EvQLy:# 1#GG5 qZ]3?3f!)&xS|0;'vQ=0#SXJh0;cd�Ǫ`F,\!JvAU̴&p27X<AyD “a)99RCx0\FHZ3AJd..*R!@4 /8*MfQ'oB!&X=*>3La㽪*|iiH`1p}R"}ļv@ af~�!71F,5b$–.vГQ~>#`IȺA5?)etsNIhg&eBn IQD v>#2y`< +>"XXёq#I9'5$<e�qݤB;Tי[\nFgrḣIiSбC ZOrӠ(ka*чe#$3!y&3|5RְOv 蚡܈U@68xD1P;GQzC4H`hlF:z XDN6 ]P4('ޛ=6 zF8L逐f %ekW#F)ƚ*k ]Ξ?('d~,&H'pWkSnBДp"h4yq B%X$+EC 22ap4b/fy=$Cg:5 =D {�Ǩy׭&frBtiiyݚ)2bHR9R%G!SV_93 d z8DOvByҞgѮ:3z<FprJjM8a >,fnJZeE^5#TIQ3 ;ifJ]A�1k{ }ǧ)F:AAQqD/ AY]x*#:"HM$ WZ`"z6Udc Sy 2R$\zdCDQN| .lq2BO0'iᣔ*WbB%cʌ N-.i&Ȣhb@By\QY/btN72:0=d7J 3I5d#\`G{+<mԓ$t^Db2ay4oF6 DVEt0Pdz!buK4['g:j4H :SjaJ$|@sl>;@H2x.` ]=0Z!L; @Ȍw"?e : ~жՀ(k*dER F| k9#2Y"sQIbֆNf!:mD>`` zYga DV"6f] yA#m @'1R%yZ37kgMaF&>gmSÄDa�G�n ƨЯMuAf+L) .'q@T56٦EE5F"acܓx9"P`i 蜟|B<=dqri6cAKksmt8LR;-R50#m?7%\����������������������������������������������������������������������������������why3-1.6.0/examples/WP_revisited/formula.why��������������������������������������������������������0000664�0000000�0000000�00000002017�14401600263�0021024�0����������������������������������������������������������������������������������������������������ustar�00root����������������������������root����������������������������0000000�0000000������������������������������������������������������������������������������������������������������������������������������������������������������������������������theory Formula type ident function mk_ident int : ident type fmla 'a = | Ffalse | Ftrue | Fatom 'a | Fnot (fmla 'a) | Fand (fmla 'a) (fmla 'a) | For (fmla 'a) (fmla 'a) | Fimp (fmla 'a) (fmla 'a) | Fiff (fmla 'a) (fmla 'a) | Fforall ident (fmla 'a) | Fexists ident (fmla 'a) end theory PropositionalCalculus use bool.Bool use Formula type prop_fmla = fmla ident use map.Map as IdMap type idmap 'a = IdMap.map ident 'a function eval (f:prop_fmla) (v:idmap bool) : bool = match f with | Ffalse -> False | Ftrue -> True | Fatom x -> IdMap.get v x | Fnot p -> notb (eval p v) | Fand p q -> andb (eval p v) (eval q v) | For p q -> orb (eval p v) (eval q v) | Fimp p q -> orb (notb (eval p v)) (eval q v) | Fiff p q -> notb (xorb (eval p v) (eval q v)) | Fforall _ _ -> False | Fexists _ _ -> False end use map.Const goal Test1 : let x = mk_ident 0 in let v = IdMap.set (Const.const False) x True in eval (For (Fnot (Fatom x)) (Ffalse)) v = False end �����������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������why3-1.6.0/examples/WP_revisited/formula/�����������������������������������������������������������0000775�0000000�0000000�00000000000�14401600263�0020273�5����������������������������������������������������������������������������������������������������ustar�00root����������������������������root����������������������������0000000�0000000������������������������������������������������������������������������������������������������������������������������������������������������������������������������why3-1.6.0/examples/WP_revisited/formula/why3session.xml��������������������������������������������0000664�0000000�0000000�00000001515�14401600263�0023315�0����������������������������������������������������������������������������������������������������ustar�00root����������������������������root����������������������������0000000�0000000������������������������������������������������������������������������������������������������������������������������������������������������������������������������<?xml version="1.0" encoding="UTF-8"?> <!DOCTYPE why3session PUBLIC "-//Why3//proof session v5//EN" "http://why3.lri.fr/why3session.dtd"> <why3session shape_version="6"> <prover id="0" name="Alt-Ergo" version="2.0.0" timelimit="5" steplimit="0" memlimit="0"/> <prover id="1" name="CVC3" version="2.4.1" timelimit="5" steplimit="0" memlimit="0"/> <prover id="2" name="Vampire" version="0.6" timelimit="5" steplimit="0" memlimit="0"/> <file format="whyml" proved="true"> <path name=".."/><path name="formula.why"/> <theory name="PropositionalCalculus" proved="true"> <goal name="Test1" proved="true"> <proof prover="0"><result status="valid" time="0.05" steps="38"/></proof> <proof prover="1"><result status="valid" time="0.01"/></proof> <proof prover="2"><result status="valid" time="0.19"/></proof> </goal> </theory> </file> </why3session> �����������������������������������������������������������������������������������������������������������������������������������������������������������������������������������why3-1.6.0/examples/WP_revisited/formula/why3shapes.gz����������������������������������������������0000664�0000000�0000000�00000000225�14401600263�0022732�0����������������������������������������������������������������������������������������������������ustar�00root����������������������������root����������������������������0000000�0000000������������������������������������������������������������������������������������������������������������������������������������������������������������������������������%ͱ 0=OQ;hk&7Xl\ A]'WrRn/6)3ZG@p4moXTq/5͞;WLZ.<v8�GJ&h 1-P������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������why3-1.6.0/examples/WP_revisited/imp_n.why����������������������������������������������������������0000664�0000000�0000000�00000013403�14401600263�0020462�0����������������������������������������������������������������������������������������������������ustar�00root����������������������������root����������������������������0000000�0000000������������������������������������������������������������������������������������������������������������������������������������������������������������������������ theory Imp (* identifiers *) type ident lemma ident_eq_dec : forall i1 i2:ident. i1=i2 \/ i1 <> i2 function mk_ident int : ident axiom mk_ident_inj: forall i j:int. mk_ident i = mk_ident j -> i=j (* expressions *) type operator = Oplus | Ominus | Omult type expr = | Econst int | Evar ident | Ebin expr operator expr (* statements *) type stmt = | Sskip | Sassign ident expr | Sseq stmt stmt | Sif expr stmt stmt | Swhile expr stmt lemma check_skip: forall s:stmt. s=Sskip \/ s<>Sskip (* program states *) use map.Map as IdMap use int.Int type state = IdMap.map ident int (* semantics of expressions *) function eval_bin (x:int) (op:operator) (y:int) : int = match op with | Oplus -> x+y | Ominus -> x-y | Omult -> x*y end function eval_expr (s:state) (e:expr) : int = match e with | Econst n -> n | Evar x -> IdMap.get s x | Ebin e1 op e2 -> eval_bin (eval_expr s e1) op (eval_expr s e2) end use map.Const goal Test13 : let s = Const.const 0 in eval_expr s (Econst 13) = 13 goal Test42 : let x = mk_ident 0 in let s = IdMap.set (Const.const 0) x 42 in eval_expr s (Evar x) = 42 goal Test55 : let x = mk_ident 0 in let s = IdMap.set (Const.const 0) x 42 in eval_expr s (Ebin (Evar x) Oplus (Econst 13)) = 55 (* small-steps semantics for statements *) inductive one_step state stmt state stmt = | one_step_assign: forall s:state, x:ident, e:expr. one_step s (Sassign x e) (IdMap.set s x (eval_expr s e)) Sskip | one_step_seq: forall s s':state, i1 i1' i2:stmt. one_step s i1 s' i1' -> one_step s (Sseq i1 i2) s' (Sseq i1' i2) | one_step_seq_skip: forall s:state, i:stmt. one_step s (Sseq Sskip i) s i | one_step_if_true: forall s:state, e:expr, i1 i2:stmt. eval_expr s e <> 0 -> one_step s (Sif e i1 i2) s i1 | one_step_if_false: forall s:state, e:expr, i1 i2:stmt. eval_expr s e = 0 -> one_step s (Sif e i1 i2) s i2 | one_step_while_true: forall s:state, e:expr, i:stmt. eval_expr s e <> 0 -> one_step s (Swhile e i) s (Sseq i (Swhile e i)) | one_step_while_false: forall s:state, e:expr, i:stmt. eval_expr s e = 0 -> one_step s (Swhile e i) s Sskip goal Ass42 : let x = mk_ident 0 in let s = Const.const 0 in forall s':state. one_step s (Sassign x (Econst 42)) s' Sskip -> IdMap.get s' x = 42 goal If42 : let x = mk_ident 0 in let s = Const.const 0 in forall s1 s2:state, i:stmt. one_step s (Sif (Evar x) (Sassign x (Econst 13)) (Sassign x (Econst 42))) s1 i -> one_step s1 i s2 Sskip -> IdMap.get s2 x = 42 lemma progress: forall s:state, i:stmt. i <> Sskip -> exists s':state, i':stmt. one_step s i s' i' (* many steps of execution *) inductive many_steps state stmt state stmt int = | many_steps_refl: forall s:state, i:stmt. many_steps s i s i 0 | many_steps_trans: forall s1 s2 s3:state, i1 i2 i3:stmt, n:int. one_step s1 i1 s2 i2 -> many_steps s2 i2 s3 i3 n -> many_steps s1 i1 s3 i3 (n+1) lemma steps_non_neg: forall s1 s2:state, i1 i2:stmt, n:int. many_steps s1 i1 s2 i2 n -> n >= 0 lemma many_steps_seq: forall s1 s3:state, i1 i2:stmt, n:int. many_steps s1 (Sseq i1 i2) s3 Sskip n -> exists s2:state, n1 n2:int. many_steps s1 i1 s2 Sskip n1 /\ many_steps s2 i2 s3 Sskip n2 /\ n = 1 + n1 + n2 (* formulas *) type fmla = | Fterm expr | Fand fmla fmla | Fnot fmla | Fimplies fmla fmla predicate eval_fmla (s:state) (f:fmla) = match f with | Fterm e -> eval_expr s e <> 0 | Fand f1 f2 -> eval_fmla s f1 /\ eval_fmla s f2 | Fnot f -> not (eval_fmla s f) | Fimplies f1 f2 -> eval_fmla s f1 -> eval_fmla s f2 end (* substitution *) function subst_expr (e:expr) (x:ident) (t:expr) : expr = match e with | Econst _ -> e | Evar y -> if x=y then t else e | Ebin e1 op e2 -> Ebin (subst_expr e1 x t) op (subst_expr e2 x t) end lemma eval_subst_expr: forall s:state, e [@induction]:expr, x:ident, t:expr. eval_expr s (subst_expr e x t) = eval_expr (IdMap.set s x (eval_expr s t)) e function subst (f:fmla) (x:ident) (t:expr) : fmla = match f with | Fterm e -> Fterm (subst_expr e x t) | Fand f1 f2 -> Fand (subst f1 x t) (subst f2 x t) | Fnot f -> Fnot (subst f x t) | Fimplies f1 f2 -> Fimplies (subst f1 x t) (subst f2 x t) end lemma eval_subst: forall s:state, f:fmla, x:ident, t:expr. eval_fmla s (subst f x t) <-> eval_fmla (IdMap.set s x (eval_expr s t)) f predicate valid_fmla (p:fmla) = forall s:state. eval_fmla s p (* Hoare triples *) predicate valid_triple (p:fmla) (i:stmt) (q:fmla) = forall s:state. eval_fmla s p -> forall s':state, n:int. many_steps s i s' Sskip n -> eval_fmla s' q (* Hoare logic rules *) lemma skip_rule: forall q:fmla. valid_triple q Sskip q lemma assign_rule: forall q:fmla, x:ident, e:expr. valid_triple (subst q x e) (Sassign x e) q lemma seq_rule: forall p q r:fmla, i1 i2:stmt. valid_triple p i1 r /\ valid_triple r i2 q -> valid_triple p (Sseq i1 i2) q lemma if_rule: forall e:expr, p q:fmla, i1 i2:stmt. valid_triple (Fand p (Fterm e)) i1 q /\ valid_triple (Fand p (Fnot (Fterm e))) i2 q -> valid_triple p (Sif e i1 i2) q lemma while_rule: forall e:expr, inv:fmla, i:stmt. valid_triple (Fand (Fterm e) inv) i inv -> valid_triple inv (Swhile e i) (Fand (Fnot (Fterm e)) inv) lemma consequence_rule: forall p p' q q':fmla, i:stmt. valid_fmla (Fimplies p' p) -> valid_triple p i q -> valid_fmla (Fimplies q q') -> valid_triple p' i q' end (* Local Variables: compile-command: "why3ide imp_n.why" End: *) �������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������why3-1.6.0/examples/WP_revisited/imp_n/�������������������������������������������������������������0000775�0000000�0000000�00000000000�14401600263�0017730�5����������������������������������������������������������������������������������������������������ustar�00root����������������������������root����������������������������0000000�0000000������������������������������������������������������������������������������������������������������������������������������������������������������������������������why3-1.6.0/examples/WP_revisited/imp_n/imp_n_Imp_eval_subst_1.v�������������������������������������0000664�0000000�0000000�00000013606�14401600263�0024503�0����������������������������������������������������������������������������������������������������ustar�00root����������������������������root����������������������������0000000�0000000������������������������������������������������������������������������������������������������������������������������������������������������������������������������(* This file is generated by Why3's Coq driver *) (* Beware! Only edit allowed sections below *) Require Import ZArith. Require Import Rbase. Parameter ident : Type. Axiom ident_eq_dec : forall (i1:ident) (i2:ident), (i1 = i2) \/ ~ (i1 = i2). Parameter mk_ident: Z -> ident. Axiom mk_ident_inj : forall (i:Z) (j:Z), ((mk_ident i) = (mk_ident j)) -> (i = j). Inductive operator := | Oplus : operator | Ominus : operator | Omult : operator . Inductive expr := | Econst : Z -> expr | Evar : ident -> expr | Ebin : expr -> operator -> expr -> expr . Inductive stmt := | Sskip : stmt | Sassign : ident -> expr -> stmt | Sseq : stmt -> stmt -> stmt | Sif : expr -> stmt -> stmt -> stmt | Swhile : expr -> stmt -> stmt . Axiom check_skip : forall (s:stmt), (s = Sskip) \/ ~ (s = Sskip). Parameter map : forall (a:Type) (b:Type), Type. Parameter get: forall (a:Type) (b:Type), (map a b) -> a -> b. Implicit Arguments get. Parameter set: forall (a:Type) (b:Type), (map a b) -> a -> b -> (map a b). Implicit Arguments set. Axiom Select_eq : forall (a:Type) (b:Type), forall (m:(map a b)), forall (a1:a) (a2:a), forall (b1:b), (a1 = a2) -> ((get (set m a1 b1) a2) = b1). Axiom Select_neq : forall (a:Type) (b:Type), forall (m:(map a b)), forall (a1:a) (a2:a), forall (b1:b), (~ (a1 = a2)) -> ((get (set m a1 b1) a2) = (get m a2)). Parameter const: forall (b:Type) (a:Type), b -> (map a b). Set Contextual Implicit. Implicit Arguments const. Unset Contextual Implicit. Axiom Const : forall (b:Type) (a:Type), forall (b1:b) (a1:a), ((get (const( b1):(map a b)) a1) = b1). Definition state := (map ident Z). Definition eval_bin(x:Z) (op:operator) (y:Z): Z := match op with | Oplus => (x + y)%Z | Ominus => (x - y)%Z | Omult => (x * y)%Z end. Set Implicit Arguments. Fixpoint eval_expr(s:(map ident Z)) (e:expr) {struct e}: Z := match e with | (Econst n) => n | (Evar x) => (get s x) | (Ebin e1 op e2) => (eval_bin (eval_expr s e1) op (eval_expr s e2)) end. Unset Implicit Arguments. Inductive one_step : (map ident Z) -> stmt -> (map ident Z) -> stmt -> Prop := | one_step_assign : forall (s:(map ident Z)) (x:ident) (e:expr), (one_step s (Sassign x e) (set s x (eval_expr s e)) Sskip) | one_step_seq : forall (s:(map ident Z)) (sqt:(map ident Z)) (i1:stmt) (i1qt:stmt) (i2:stmt), (one_step s i1 sqt i1qt) -> (one_step s (Sseq i1 i2) sqt (Sseq i1qt i2)) | one_step_seq_skip : forall (s:(map ident Z)) (i:stmt), (one_step s (Sseq Sskip i) s i) | one_step_if_true : forall (s:(map ident Z)) (e:expr) (i1:stmt) (i2:stmt), (~ ((eval_expr s e) = 0%Z)) -> (one_step s (Sif e i1 i2) s i1) | one_step_if_false : forall (s:(map ident Z)) (e:expr) (i1:stmt) (i2:stmt), ((eval_expr s e) = 0%Z) -> (one_step s (Sif e i1 i2) s i2) | one_step_while_true : forall (s:(map ident Z)) (e:expr) (i:stmt), (~ ((eval_expr s e) = 0%Z)) -> (one_step s (Swhile e i) s (Sseq i (Swhile e i))) | one_step_while_false : forall (s:(map ident Z)) (e:expr) (i:stmt), ((eval_expr s e) = 0%Z) -> (one_step s (Swhile e i) s Sskip). Axiom progress : forall (s:(map ident Z)) (i:stmt), (~ (i = Sskip)) -> exists sqt:(map ident Z), exists iqt:stmt, (one_step s i sqt iqt). Inductive many_steps : (map ident Z) -> stmt -> (map ident Z) -> stmt -> Z -> Prop := | many_steps_refl : forall (s:(map ident Z)) (i:stmt), (many_steps s i s i 0%Z) | many_steps_trans : forall (s1:(map ident Z)) (s2:(map ident Z)) (s3:(map ident Z)) (i1:stmt) (i2:stmt) (i3:stmt) (n:Z), (one_step s1 i1 s2 i2) -> ((many_steps s2 i2 s3 i3 n) -> (many_steps s1 i1 s3 i3 (n + 1%Z)%Z)). Axiom steps_non_neg : forall (s1:(map ident Z)) (s2:(map ident Z)) (i1:stmt) (i2:stmt) (n:Z), (many_steps s1 i1 s2 i2 n) -> (0%Z <= n)%Z. Axiom many_steps_seq : forall (s1:(map ident Z)) (s3:(map ident Z)) (i1:stmt) (i2:stmt) (n:Z), (many_steps s1 (Sseq i1 i2) s3 Sskip n) -> exists s2:(map ident Z), exists n1:Z, exists n2:Z, (many_steps s1 i1 s2 Sskip n1) /\ ((many_steps s2 i2 s3 Sskip n2) /\ (n = ((1%Z + n1)%Z + n2)%Z)). Inductive fmla := | Fterm : expr -> fmla | Fand : fmla -> fmla -> fmla | Fnot : fmla -> fmla | Fimplies : fmla -> fmla -> fmla . Set Implicit Arguments. Fixpoint eval_fmla(s:(map ident Z)) (f:fmla) {struct f}: Prop := match f with | (Fterm e) => ~ ((eval_expr s e) = 0%Z) | (Fand f1 f2) => (eval_fmla s f1) /\ (eval_fmla s f2) | (Fnot f1) => ~ (eval_fmla s f1) | (Fimplies f1 f2) => (eval_fmla s f1) -> (eval_fmla s f2) end. Unset Implicit Arguments. Parameter subst_expr: expr -> ident -> expr -> expr. Axiom subst_expr_def : forall (e:expr) (x:ident) (t:expr), match e with | (Econst _) => ((subst_expr e x t) = e) | (Evar y) => ((x = y) -> ((subst_expr e x t) = t)) /\ ((~ (x = y)) -> ((subst_expr e x t) = e)) | (Ebin e1 op e2) => ((subst_expr e x t) = (Ebin (subst_expr e1 x t) op (subst_expr e2 x t))) end. Axiom eval_subst_expr : forall (s:(map ident Z)) (e:expr) (x:ident) (t:expr), ((eval_expr s (subst_expr e x t)) = (eval_expr (set s x (eval_expr s t)) e)). Set Implicit Arguments. Fixpoint subst(f:fmla) (x:ident) (t:expr) {struct f}: fmla := match f with | (Fterm e) => (Fterm (subst_expr e x t)) | (Fand f1 f2) => (Fand (subst f1 x t) (subst f2 x t)) | (Fnot f1) => (Fnot (subst f1 x t)) | (Fimplies f1 f2) => (Fimplies (subst f1 x t) (subst f2 x t)) end. Unset Implicit Arguments. (* YOU MAY EDIT THE CONTEXT BELOW *) (* DO NOT EDIT BELOW *) Theorem eval_subst : forall (s:(map ident Z)) (f:fmla) (x:ident) (t:expr), (eval_fmla s (subst f x t)) <-> (eval_fmla (set s x (eval_expr s t)) f). (* YOU MAY EDIT THE PROOF BELOW *) induction f. unfold eval_fmla, subst in *. intros x t. rewrite <- eval_subst_expr; tauto. simpl. intros x t. rewrite IHf1. rewrite IHf2. tauto. simpl. intros x t. rewrite IHf. tauto. simpl. intros x t. rewrite IHf1. rewrite IHf2. tauto. Qed. (* DO NOT EDIT BELOW *) ��������������������������������������������������������������������������������������������������������������������������why3-1.6.0/examples/WP_revisited/imp_n/imp_n_Imp_if_rule_1.v����������������������������������������0000664�0000000�0000000�00000015172�14401600263�0023761�0����������������������������������������������������������������������������������������������������ustar�00root����������������������������root����������������������������0000000�0000000������������������������������������������������������������������������������������������������������������������������������������������������������������������������(* This file is generated by Why3's Coq driver *) (* Beware! Only edit allowed sections below *) Require Import ZArith. Require Import Rbase. Parameter ident : Type. Axiom ident_eq_dec : forall (i1:ident) (i2:ident), (i1 = i2) \/ ~ (i1 = i2). Parameter mk_ident: Z -> ident. Axiom mk_ident_inj : forall (i:Z) (j:Z), ((mk_ident i) = (mk_ident j)) -> (i = j). Inductive operator := | Oplus : operator | Ominus : operator | Omult : operator . Inductive expr := | Econst : Z -> expr | Evar : ident -> expr | Ebin : expr -> operator -> expr -> expr . Inductive stmt := | Sskip : stmt | Sassign : ident -> expr -> stmt | Sseq : stmt -> stmt -> stmt | Sif : expr -> stmt -> stmt -> stmt | Swhile : expr -> stmt -> stmt . Axiom check_skip : forall (s:stmt), (s = Sskip) \/ ~ (s = Sskip). Parameter map : forall (a:Type) (b:Type), Type. Parameter get: forall (a:Type) (b:Type), (map a b) -> a -> b. Implicit Arguments get. Parameter set: forall (a:Type) (b:Type), (map a b) -> a -> b -> (map a b). Implicit Arguments set. Axiom Select_eq : forall (a:Type) (b:Type), forall (m:(map a b)), forall (a1:a) (a2:a), forall (b1:b), (a1 = a2) -> ((get (set m a1 b1) a2) = b1). Axiom Select_neq : forall (a:Type) (b:Type), forall (m:(map a b)), forall (a1:a) (a2:a), forall (b1:b), (~ (a1 = a2)) -> ((get (set m a1 b1) a2) = (get m a2)). Parameter const: forall (b:Type) (a:Type), b -> (map a b). Set Contextual Implicit. Implicit Arguments const. Unset Contextual Implicit. Axiom Const : forall (b:Type) (a:Type), forall (b1:b) (a1:a), ((get (const( b1):(map a b)) a1) = b1). Definition state := (map ident Z). Definition eval_bin(x:Z) (op:operator) (y:Z): Z := match op with | Oplus => (x + y)%Z | Ominus => (x - y)%Z | Omult => (x * y)%Z end. Set Implicit Arguments. Fixpoint eval_expr(s:(map ident Z)) (e:expr) {struct e}: Z := match e with | (Econst n) => n | (Evar x) => (get s x) | (Ebin e1 op e2) => (eval_bin (eval_expr s e1) op (eval_expr s e2)) end. Unset Implicit Arguments. Inductive one_step : (map ident Z) -> stmt -> (map ident Z) -> stmt -> Prop := | one_step_assign : forall (s:(map ident Z)) (x:ident) (e:expr), (one_step s (Sassign x e) (set s x (eval_expr s e)) Sskip) | one_step_seq : forall (s:(map ident Z)) (sqt:(map ident Z)) (i1:stmt) (i1qt:stmt) (i2:stmt), (one_step s i1 sqt i1qt) -> (one_step s (Sseq i1 i2) sqt (Sseq i1qt i2)) | one_step_seq_skip : forall (s:(map ident Z)) (i:stmt), (one_step s (Sseq Sskip i) s i) | one_step_if_true : forall (s:(map ident Z)) (e:expr) (i1:stmt) (i2:stmt), (~ ((eval_expr s e) = 0%Z)) -> (one_step s (Sif e i1 i2) s i1) | one_step_if_false : forall (s:(map ident Z)) (e:expr) (i1:stmt) (i2:stmt), ((eval_expr s e) = 0%Z) -> (one_step s (Sif e i1 i2) s i2) | one_step_while_true : forall (s:(map ident Z)) (e:expr) (i:stmt), (~ ((eval_expr s e) = 0%Z)) -> (one_step s (Swhile e i) s (Sseq i (Swhile e i))) | one_step_while_false : forall (s:(map ident Z)) (e:expr) (i:stmt), ((eval_expr s e) = 0%Z) -> (one_step s (Swhile e i) s Sskip). Axiom progress : forall (s:(map ident Z)) (i:stmt), (~ (i = Sskip)) -> exists sqt:(map ident Z), exists iqt:stmt, (one_step s i sqt iqt). Inductive many_steps : (map ident Z) -> stmt -> (map ident Z) -> stmt -> Z -> Prop := | many_steps_refl : forall (s:(map ident Z)) (i:stmt), (many_steps s i s i 0%Z) | many_steps_trans : forall (s1:(map ident Z)) (s2:(map ident Z)) (s3:(map ident Z)) (i1:stmt) (i2:stmt) (i3:stmt) (n:Z), (one_step s1 i1 s2 i2) -> ((many_steps s2 i2 s3 i3 n) -> (many_steps s1 i1 s3 i3 (n + 1%Z)%Z)). Axiom steps_non_neg : forall (s1:(map ident Z)) (s2:(map ident Z)) (i1:stmt) (i2:stmt) (n:Z), (many_steps s1 i1 s2 i2 n) -> (0%Z <= n)%Z. Axiom many_steps_seq : forall (s1:(map ident Z)) (s3:(map ident Z)) (i1:stmt) (i2:stmt) (n:Z), (many_steps s1 (Sseq i1 i2) s3 Sskip n) -> exists s2:(map ident Z), exists n1:Z, exists n2:Z, (many_steps s1 i1 s2 Sskip n1) /\ ((many_steps s2 i2 s3 Sskip n2) /\ (n = ((1%Z + n1)%Z + n2)%Z)). Inductive fmla := | Fterm : expr -> fmla | Fand : fmla -> fmla -> fmla | Fnot : fmla -> fmla | Fimplies : fmla -> fmla -> fmla . Set Implicit Arguments. Fixpoint eval_fmla(s:(map ident Z)) (f:fmla) {struct f}: Prop := match f with | (Fterm e) => ~ ((eval_expr s e) = 0%Z) | (Fand f1 f2) => (eval_fmla s f1) /\ (eval_fmla s f2) | (Fnot f1) => ~ (eval_fmla s f1) | (Fimplies f1 f2) => (eval_fmla s f1) -> (eval_fmla s f2) end. Unset Implicit Arguments. Parameter subst_expr: expr -> ident -> expr -> expr. Axiom subst_expr_def : forall (e:expr) (x:ident) (t:expr), match e with | (Econst _) => ((subst_expr e x t) = e) | (Evar y) => ((x = y) -> ((subst_expr e x t) = t)) /\ ((~ (x = y)) -> ((subst_expr e x t) = e)) | (Ebin e1 op e2) => ((subst_expr e x t) = (Ebin (subst_expr e1 x t) op (subst_expr e2 x t))) end. Axiom eval_subst_expr : forall (s:(map ident Z)) (e:expr) (x:ident) (t:expr), ((eval_expr s (subst_expr e x t)) = (eval_expr (set s x (eval_expr s t)) e)). Set Implicit Arguments. Fixpoint subst(f:fmla) (x:ident) (t:expr) {struct f}: fmla := match f with | (Fterm e) => (Fterm (subst_expr e x t)) | (Fand f1 f2) => (Fand (subst f1 x t) (subst f2 x t)) | (Fnot f1) => (Fnot (subst f1 x t)) | (Fimplies f1 f2) => (Fimplies (subst f1 x t) (subst f2 x t)) end. Unset Implicit Arguments. Axiom eval_subst : forall (s:(map ident Z)) (f:fmla) (x:ident) (t:expr), (eval_fmla s (subst f x t)) <-> (eval_fmla (set s x (eval_expr s t)) f). Definition valid_fmla(p:fmla): Prop := forall (s:(map ident Z)), (eval_fmla s p). Definition valid_triple(p:fmla) (i:stmt) (q:fmla): Prop := forall (s:(map ident Z)), (eval_fmla s p) -> forall (sqt:(map ident Z)) (n:Z), (many_steps s i sqt Sskip n) -> (eval_fmla sqt q). Axiom skip_rule : forall (q:fmla), (valid_triple q Sskip q). Axiom assign_rule : forall (q:fmla) (x:ident) (e:expr), (valid_triple (subst q x e) (Sassign x e) q). Axiom seq_rule : forall (p:fmla) (q:fmla) (r:fmla) (i1:stmt) (i2:stmt), ((valid_triple p i1 r) /\ (valid_triple r i2 q)) -> (valid_triple p (Sseq i1 i2) q). (* YOU MAY EDIT THE CONTEXT BELOW *) (* DO NOT EDIT BELOW *) Theorem if_rule : forall (e:expr) (p:fmla) (q:fmla) (i1:stmt) (i2:stmt), ((valid_triple (Fand p (Fterm e)) i1 q) /\ (valid_triple (Fand p (Fnot (Fterm e))) i2 q)) -> (valid_triple p (Sif e i1 i2) q). (* YOU MAY EDIT THE PROOF BELOW *) unfold valid_triple. intros e p q i1 i2 (H1,H2). intros s H s' n H'. inversion H'; subst; auto. inversion H0; subst; auto. eapply H1; eauto. simpl; auto. eapply H2; eauto. simpl; auto. Qed. (* DO NOT EDIT BELOW *) ������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������why3-1.6.0/examples/WP_revisited/imp_n/imp_n_Imp_many_steps_seq_1.v���������������������������������0000664�0000000�0000000�00000011474�14401600263�0025367�0����������������������������������������������������������������������������������������������������ustar�00root����������������������������root����������������������������0000000�0000000������������������������������������������������������������������������������������������������������������������������������������������������������������������������(* This file is generated by Why3's Coq driver *) (* Beware! Only edit allowed sections below *) Require Import BuiltIn. Require BuiltIn. Require map.Map. Require int.Int. Axiom ident : Type. Parameter ident_WhyType : WhyType ident. Existing Instance ident_WhyType. Axiom ident_eq_dec : forall (i1:ident) (i2:ident), (i1 = i2) \/ ~ (i1 = i2). Parameter mk_ident: Z -> ident. Axiom mk_ident_inj : forall (i:Z) (j:Z), ((mk_ident i) = (mk_ident j)) -> (i = j). (* Why3 assumption *) Inductive operator := | Oplus : operator | Ominus : operator | Omult : operator . Axiom operator_WhyType : WhyType operator. Existing Instance operator_WhyType. (* Why3 assumption *) Inductive expr := | Econst : Z -> expr | Evar : ident -> expr | Ebin : expr -> operator -> expr -> expr . Axiom expr_WhyType : WhyType expr. Existing Instance expr_WhyType. (* Why3 assumption *) Inductive stmt := | Sskip : stmt | Sassign : ident -> expr -> stmt | Sseq : stmt -> stmt -> stmt | Sif : expr -> stmt -> stmt -> stmt | Swhile : expr -> stmt -> stmt . Axiom stmt_WhyType : WhyType stmt. Existing Instance stmt_WhyType. Axiom check_skip : forall (s:stmt), (s = Sskip) \/ ~ (s = Sskip). (* Why3 assumption *) Definition state := (map.Map.map ident Z). (* Why3 assumption *) Definition eval_bin(x:Z) (op:operator) (y:Z): Z := match op with | Oplus => (x + y)%Z | Ominus => (x - y)%Z | Omult => (x * y)%Z end. (* Why3 assumption *) Fixpoint eval_expr(s:(map.Map.map ident Z)) (e:expr) {struct e}: Z := match e with | (Econst n) => n | (Evar x) => (map.Map.get s x) | (Ebin e1 op e2) => (eval_bin (eval_expr s e1) op (eval_expr s e2)) end. (* Why3 assumption *) Inductive one_step : (map.Map.map ident Z) -> stmt -> (map.Map.map ident Z) -> stmt -> Prop := | one_step_assign : forall (s:(map.Map.map ident Z)) (x:ident) (e:expr), (one_step s (Sassign x e) (map.Map.set s x (eval_expr s e)) Sskip) | one_step_seq : forall (s:(map.Map.map ident Z)) (s':(map.Map.map ident Z)) (i1:stmt) (i1':stmt) (i2:stmt), (one_step s i1 s' i1') -> (one_step s (Sseq i1 i2) s' (Sseq i1' i2)) | one_step_seq_skip : forall (s:(map.Map.map ident Z)) (i:stmt), (one_step s (Sseq Sskip i) s i) | one_step_if_true : forall (s:(map.Map.map ident Z)) (e:expr) (i1:stmt) (i2:stmt), (~ ((eval_expr s e) = 0%Z)) -> (one_step s (Sif e i1 i2) s i1) | one_step_if_false : forall (s:(map.Map.map ident Z)) (e:expr) (i1:stmt) (i2:stmt), ((eval_expr s e) = 0%Z) -> (one_step s (Sif e i1 i2) s i2) | one_step_while_true : forall (s:(map.Map.map ident Z)) (e:expr) (i:stmt), (~ ((eval_expr s e) = 0%Z)) -> (one_step s (Swhile e i) s (Sseq i (Swhile e i))) | one_step_while_false : forall (s:(map.Map.map ident Z)) (e:expr) (i:stmt), ((eval_expr s e) = 0%Z) -> (one_step s (Swhile e i) s Sskip). Axiom progress : forall (s:(map.Map.map ident Z)) (i:stmt), (~ (i = Sskip)) -> exists s':(map.Map.map ident Z), exists i':stmt, (one_step s i s' i'). (* Why3 assumption *) Inductive many_steps : (map.Map.map ident Z) -> stmt -> (map.Map.map ident Z) -> stmt -> Z -> Prop := | many_steps_refl : forall (s:(map.Map.map ident Z)) (i:stmt), (many_steps s i s i 0%Z) | many_steps_trans : forall (s1:(map.Map.map ident Z)) (s2:(map.Map.map ident Z)) (s3:(map.Map.map ident Z)) (i1:stmt) (i2:stmt) (i3:stmt) (n:Z), (one_step s1 i1 s2 i2) -> ((many_steps s2 i2 s3 i3 n) -> (many_steps s1 i1 s3 i3 (n + 1%Z)%Z)). Axiom steps_non_neg : forall (s1:(map.Map.map ident Z)) (s2:(map.Map.map ident Z)) (i1:stmt) (i2:stmt) (n:Z), (many_steps s1 i1 s2 i2 n) -> (0%Z <= n)%Z. (* Why3 goal *) Theorem many_steps_seq : forall (s1:(map.Map.map ident Z)) (s3:(map.Map.map ident Z)) (i1:stmt) (i2:stmt) (n:Z), (many_steps s1 (Sseq i1 i2) s3 Sskip n) -> exists s2:(map.Map.map ident Z), exists n1:Z, exists n2:Z, (many_steps s1 i1 s2 Sskip n1) /\ ((many_steps s2 i2 s3 Sskip n2) /\ (n = ((1%Z + n1)%Z + n2)%Z)). Proof. intros s1 s3 i1 i2 n Hred. generalize Hred. generalize (steps_non_neg _ _ _ _ _ Hred). clear Hred. intros H. generalize s1 i1; clear s1 i1. apply Z_lt_induction with (P := fun n => forall (s1 : Map.map ident Z) (i1 : stmt), many_steps s1 (Sseq i1 i2) s3 Sskip n -> exists s2 : Map.map ident Z, exists n1 : Z, exists n2 : Z, many_steps s1 i1 s2 Sskip n1 /\ many_steps s2 i2 s3 Sskip n2 /\ n = (1 + n1 + n2)%Z ); auto. intros. inversion H1; subst; clear H1. inversion H2; subst; clear H2. (* case i1 <> Sskip *) assert (h:(0 <= n0 < n0+1)%Z). generalize (steps_non_neg _ _ _ _ _ H3); omega. generalize (H0 n0 h _ _ H3). intros (s4,(n4,(n5,(h1,(h2,h3))))). exists s4. exists (n4+1)%Z. exists n5. split. apply many_steps_trans with (1:=H8); auto. split; auto with zarith. (* case i1 = Sskip *) exists s2. exists 0%Z. exists n0. split. constructor. split; auto with zarith. Qed. ����������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������why3-1.6.0/examples/WP_revisited/imp_n/imp_n_Imp_progress_1.v���������������������������������������0000664�0000000�0000000�00000007611�14401600263�0024177�0����������������������������������������������������������������������������������������������������ustar�00root����������������������������root����������������������������0000000�0000000������������������������������������������������������������������������������������������������������������������������������������������������������������������������(* This file is generated by Why3's Coq driver *) (* Beware! Only edit allowed sections below *) Require Import BuiltIn. Require BuiltIn. Require HighOrd. Require int.Int. Require map.Map. Require map.Const. Axiom ident : Type. Parameter ident_WhyType : WhyType ident. Existing Instance ident_WhyType. Axiom ident_eq_dec : forall (i1:ident) (i2:ident), (i1 = i2) \/ ~ (i1 = i2). Parameter mk_ident: Numbers.BinNums.Z -> ident. Axiom mk_ident_inj : forall (i:Numbers.BinNums.Z) (j:Numbers.BinNums.Z), ((mk_ident i) = (mk_ident j)) -> (i = j). (* Why3 assumption *) Inductive operator := | Oplus : operator | Ominus : operator | Omult : operator. Axiom operator_WhyType : WhyType operator. Existing Instance operator_WhyType. (* Why3 assumption *) Inductive expr := | Econst : Numbers.BinNums.Z -> expr | Evar : ident -> expr | Ebin : expr -> operator -> expr -> expr. Axiom expr_WhyType : WhyType expr. Existing Instance expr_WhyType. (* Why3 assumption *) Inductive stmt := | Sskip : stmt | Sassign : ident -> expr -> stmt | Sseq : stmt -> stmt -> stmt | Sif : expr -> stmt -> stmt -> stmt | Swhile : expr -> stmt -> stmt. Axiom stmt_WhyType : WhyType stmt. Existing Instance stmt_WhyType. Axiom check_skip : forall (s:stmt), (s = Sskip) \/ ~ (s = Sskip). (* Why3 assumption *) Definition state := ident -> Numbers.BinNums.Z. (* Why3 assumption *) Definition eval_bin (x:Numbers.BinNums.Z) (op:operator) (y:Numbers.BinNums.Z) : Numbers.BinNums.Z := match op with | Oplus => (x + y)%Z | Ominus => (x - y)%Z | Omult => (x * y)%Z end. (* Why3 assumption *) Fixpoint eval_expr (s:ident -> Numbers.BinNums.Z) (e:expr) {struct e}: Numbers.BinNums.Z := match e with | Econst n => n | Evar x => s x | Ebin e1 op e2 => eval_bin (eval_expr s e1) op (eval_expr s e2) end. (* Why3 assumption *) Inductive one_step: (ident -> Numbers.BinNums.Z) -> stmt -> (ident -> Numbers.BinNums.Z) -> stmt -> Prop := | one_step_assign : forall (s:ident -> Numbers.BinNums.Z) (x:ident) (e:expr), one_step s (Sassign x e) (map.Map.set s x (eval_expr s e)) Sskip | one_step_seq : forall (s:ident -> Numbers.BinNums.Z) (s':ident -> Numbers.BinNums.Z) (i1:stmt) (i1':stmt) (i2:stmt), one_step s i1 s' i1' -> one_step s (Sseq i1 i2) s' (Sseq i1' i2) | one_step_seq_skip : forall (s:ident -> Numbers.BinNums.Z) (i:stmt), one_step s (Sseq Sskip i) s i | one_step_if_true : forall (s:ident -> Numbers.BinNums.Z) (e:expr) (i1:stmt) (i2:stmt), ~ ((eval_expr s e) = 0%Z) -> one_step s (Sif e i1 i2) s i1 | one_step_if_false : forall (s:ident -> Numbers.BinNums.Z) (e:expr) (i1:stmt) (i2:stmt), ((eval_expr s e) = 0%Z) -> one_step s (Sif e i1 i2) s i2 | one_step_while_true : forall (s:ident -> Numbers.BinNums.Z) (e:expr) (i:stmt), ~ ((eval_expr s e) = 0%Z) -> one_step s (Swhile e i) s (Sseq i (Swhile e i)) | one_step_while_false : forall (s:ident -> Numbers.BinNums.Z) (e:expr) (i:stmt), ((eval_expr s e) = 0%Z) -> one_step s (Swhile e i) s Sskip. (* Why3 goal *) Theorem progress : forall (s:ident -> Numbers.BinNums.Z) (i:stmt), ~ (i = Sskip) -> exists s':ident -> Numbers.BinNums.Z, exists i':stmt, one_step s i s' i'. (* Why3 intros s i h1. *) Proof. intros s i Hskip. induction i. (* case i=skip *) intuition. (* case i=assign *) exists (Map.set s i (eval_expr s e)). exists Sskip. constructor. (* case i=seq *) destruct (check_skip i1). subst i1. exists s. exists i2. constructor. elim (IHi1 H); clear H IHi1 IHi2. intros s1 H2; elim H2; clear H2. intros i1' Hind. exists s1. exists (Sseq i1' i2). constructor; auto. (* case i=if *) destruct (Z.eq_dec (eval_expr s e) 0%Z). exists s. exists i2. constructor. auto. exists s. exists i1. constructor. auto. (* case i=while *) destruct (Z.eq_dec (eval_expr s e) 0%Z). exists s. exists Sskip. constructor. auto. exists s. eexists. econstructor. auto. Qed. �����������������������������������������������������������������������������������������������������������������������why3-1.6.0/examples/WP_revisited/imp_n/imp_n_Imp_steps_non_neg_1.v����������������������������������0000664�0000000�0000000�00000007644�14401600263�0025202�0����������������������������������������������������������������������������������������������������ustar�00root����������������������������root����������������������������0000000�0000000������������������������������������������������������������������������������������������������������������������������������������������������������������������������(* This file is generated by Why3's Coq driver *) (* Beware! Only edit allowed sections below *) Require Import ZArith. Require Import Rbase. Parameter ident : Type. Axiom ident_eq_dec : forall (i1:ident) (i2:ident), (i1 = i2) \/ ~ (i1 = i2). Parameter mk_ident: Z -> ident. Axiom mk_ident_inj : forall (i:Z) (j:Z), ((mk_ident i) = (mk_ident j)) -> (i = j). Inductive operator := | Oplus : operator | Ominus : operator | Omult : operator . Inductive expr := | Econst : Z -> expr | Evar : ident -> expr | Ebin : expr -> operator -> expr -> expr . Inductive stmt := | Sskip : stmt | Sassign : ident -> expr -> stmt | Sseq : stmt -> stmt -> stmt | Sif : expr -> stmt -> stmt -> stmt | Swhile : expr -> stmt -> stmt . Axiom check_skip : forall (s:stmt), (s = Sskip) \/ ~ (s = Sskip). Parameter map : forall (a:Type) (b:Type), Type. Parameter get: forall (a:Type) (b:Type), (map a b) -> a -> b. Implicit Arguments get. Parameter set: forall (a:Type) (b:Type), (map a b) -> a -> b -> (map a b). Implicit Arguments set. Axiom Select_eq : forall (a:Type) (b:Type), forall (m:(map a b)), forall (a1:a) (a2:a), forall (b1:b), (a1 = a2) -> ((get (set m a1 b1) a2) = b1). Axiom Select_neq : forall (a:Type) (b:Type), forall (m:(map a b)), forall (a1:a) (a2:a), forall (b1:b), (~ (a1 = a2)) -> ((get (set m a1 b1) a2) = (get m a2)). Parameter const: forall (b:Type) (a:Type), b -> (map a b). Set Contextual Implicit. Implicit Arguments const. Unset Contextual Implicit. Axiom Const : forall (b:Type) (a:Type), forall (b1:b) (a1:a), ((get (const( b1):(map a b)) a1) = b1). Definition state := (map ident Z). Definition eval_bin(x:Z) (op:operator) (y:Z): Z := match op with | Oplus => (x + y)%Z | Ominus => (x - y)%Z | Omult => (x * y)%Z end. Set Implicit Arguments. Fixpoint eval_expr(s:(map ident Z)) (e:expr) {struct e}: Z := match e with | (Econst n) => n | (Evar x) => (get s x) | (Ebin e1 op e2) => (eval_bin (eval_expr s e1) op (eval_expr s e2)) end. Unset Implicit Arguments. Inductive one_step : (map ident Z) -> stmt -> (map ident Z) -> stmt -> Prop := | one_step_assign : forall (s:(map ident Z)) (x:ident) (e:expr), (one_step s (Sassign x e) (set s x (eval_expr s e)) Sskip) | one_step_seq : forall (s:(map ident Z)) (sqt:(map ident Z)) (i1:stmt) (i1qt:stmt) (i2:stmt), (one_step s i1 sqt i1qt) -> (one_step s (Sseq i1 i2) sqt (Sseq i1qt i2)) | one_step_seq_skip : forall (s:(map ident Z)) (i:stmt), (one_step s (Sseq Sskip i) s i) | one_step_if_true : forall (s:(map ident Z)) (e:expr) (i1:stmt) (i2:stmt), (~ ((eval_expr s e) = 0%Z)) -> (one_step s (Sif e i1 i2) s i1) | one_step_if_false : forall (s:(map ident Z)) (e:expr) (i1:stmt) (i2:stmt), ((eval_expr s e) = 0%Z) -> (one_step s (Sif e i1 i2) s i2) | one_step_while_true : forall (s:(map ident Z)) (e:expr) (i:stmt), (~ ((eval_expr s e) = 0%Z)) -> (one_step s (Swhile e i) s (Sseq i (Swhile e i))) | one_step_while_false : forall (s:(map ident Z)) (e:expr) (i:stmt), ((eval_expr s e) = 0%Z) -> (one_step s (Swhile e i) s Sskip). Axiom progress : forall (s:(map ident Z)) (i:stmt), (~ (i = Sskip)) -> exists sqt:(map ident Z), exists iqt:stmt, (one_step s i sqt iqt). Inductive many_steps : (map ident Z) -> stmt -> (map ident Z) -> stmt -> Z -> Prop := | many_steps_refl : forall (s:(map ident Z)) (i:stmt), (many_steps s i s i 0%Z) | many_steps_trans : forall (s1:(map ident Z)) (s2:(map ident Z)) (s3:(map ident Z)) (i1:stmt) (i2:stmt) (i3:stmt) (n:Z), (one_step s1 i1 s2 i2) -> ((many_steps s2 i2 s3 i3 n) -> (many_steps s1 i1 s3 i3 (n + 1%Z)%Z)). (* YOU MAY EDIT THE CONTEXT BELOW *) (* DO NOT EDIT BELOW *) Theorem steps_non_neg : forall (s1:(map ident Z)) (s2:(map ident Z)) (i1:stmt) (i2:stmt) (n:Z), (many_steps s1 i1 s2 i2 n) -> (0%Z <= n)%Z. (* YOU MAY EDIT THE PROOF BELOW *) induction 1; auto with zarith. Qed. (* DO NOT EDIT BELOW *) ��������������������������������������������������������������������������������������������why3-1.6.0/examples/WP_revisited/imp_n/imp_n_Imp_while_rule_1.v�������������������������������������0000664�0000000�0000000�00000016505�14401600263�0024474�0����������������������������������������������������������������������������������������������������ustar�00root����������������������������root����������������������������0000000�0000000������������������������������������������������������������������������������������������������������������������������������������������������������������������������(* This file is generated by Why3's Coq driver *) (* Beware! Only edit allowed sections below *) Require Import BuiltIn. Require BuiltIn. Require map.Map. Require int.Int. Axiom ident : Type. Parameter ident_WhyType : WhyType ident. Existing Instance ident_WhyType. Axiom ident_eq_dec : forall (i1:ident) (i2:ident), (i1 = i2) \/ ~ (i1 = i2). Parameter mk_ident: Z -> ident. Axiom mk_ident_inj : forall (i:Z) (j:Z), ((mk_ident i) = (mk_ident j)) -> (i = j). (* Why3 assumption *) Inductive operator := | Oplus : operator | Ominus : operator | Omult : operator . Axiom operator_WhyType : WhyType operator. Existing Instance operator_WhyType. (* Why3 assumption *) Inductive expr := | Econst : Z -> expr | Evar : ident -> expr | Ebin : expr -> operator -> expr -> expr . Axiom expr_WhyType : WhyType expr. Existing Instance expr_WhyType. (* Why3 assumption *) Inductive stmt := | Sskip : stmt | Sassign : ident -> expr -> stmt | Sseq : stmt -> stmt -> stmt | Sif : expr -> stmt -> stmt -> stmt | Swhile : expr -> stmt -> stmt . Axiom stmt_WhyType : WhyType stmt. Existing Instance stmt_WhyType. Axiom check_skip : forall (s:stmt), (s = Sskip) \/ ~ (s = Sskip). (* Why3 assumption *) Definition state := (map.Map.map ident Z). (* Why3 assumption *) Definition eval_bin(x:Z) (op:operator) (y:Z): Z := match op with | Oplus => (x + y)%Z | Ominus => (x - y)%Z | Omult => (x * y)%Z end. (* Why3 assumption *) Fixpoint eval_expr(s:(map.Map.map ident Z)) (e:expr) {struct e}: Z := match e with | (Econst n) => n | (Evar x) => (map.Map.get s x) | (Ebin e1 op e2) => (eval_bin (eval_expr s e1) op (eval_expr s e2)) end. (* Why3 assumption *) Inductive one_step : (map.Map.map ident Z) -> stmt -> (map.Map.map ident Z) -> stmt -> Prop := | one_step_assign : forall (s:(map.Map.map ident Z)) (x:ident) (e:expr), (one_step s (Sassign x e) (map.Map.set s x (eval_expr s e)) Sskip) | one_step_seq : forall (s:(map.Map.map ident Z)) (s':(map.Map.map ident Z)) (i1:stmt) (i1':stmt) (i2:stmt), (one_step s i1 s' i1') -> (one_step s (Sseq i1 i2) s' (Sseq i1' i2)) | one_step_seq_skip : forall (s:(map.Map.map ident Z)) (i:stmt), (one_step s (Sseq Sskip i) s i) | one_step_if_true : forall (s:(map.Map.map ident Z)) (e:expr) (i1:stmt) (i2:stmt), (~ ((eval_expr s e) = 0%Z)) -> (one_step s (Sif e i1 i2) s i1) | one_step_if_false : forall (s:(map.Map.map ident Z)) (e:expr) (i1:stmt) (i2:stmt), ((eval_expr s e) = 0%Z) -> (one_step s (Sif e i1 i2) s i2) | one_step_while_true : forall (s:(map.Map.map ident Z)) (e:expr) (i:stmt), (~ ((eval_expr s e) = 0%Z)) -> (one_step s (Swhile e i) s (Sseq i (Swhile e i))) | one_step_while_false : forall (s:(map.Map.map ident Z)) (e:expr) (i:stmt), ((eval_expr s e) = 0%Z) -> (one_step s (Swhile e i) s Sskip). Axiom progress : forall (s:(map.Map.map ident Z)) (i:stmt), (~ (i = Sskip)) -> exists s':(map.Map.map ident Z), exists i':stmt, (one_step s i s' i'). (* Why3 assumption *) Inductive many_steps : (map.Map.map ident Z) -> stmt -> (map.Map.map ident Z) -> stmt -> Z -> Prop := | many_steps_refl : forall (s:(map.Map.map ident Z)) (i:stmt), (many_steps s i s i 0%Z) | many_steps_trans : forall (s1:(map.Map.map ident Z)) (s2:(map.Map.map ident Z)) (s3:(map.Map.map ident Z)) (i1:stmt) (i2:stmt) (i3:stmt) (n:Z), (one_step s1 i1 s2 i2) -> ((many_steps s2 i2 s3 i3 n) -> (many_steps s1 i1 s3 i3 (n + 1%Z)%Z)). Axiom steps_non_neg : forall (s1:(map.Map.map ident Z)) (s2:(map.Map.map ident Z)) (i1:stmt) (i2:stmt) (n:Z), (many_steps s1 i1 s2 i2 n) -> (0%Z <= n)%Z. Axiom many_steps_seq : forall (s1:(map.Map.map ident Z)) (s3:(map.Map.map ident Z)) (i1:stmt) (i2:stmt) (n:Z), (many_steps s1 (Sseq i1 i2) s3 Sskip n) -> exists s2:(map.Map.map ident Z), exists n1:Z, exists n2:Z, (many_steps s1 i1 s2 Sskip n1) /\ ((many_steps s2 i2 s3 Sskip n2) /\ (n = ((1%Z + n1)%Z + n2)%Z)). (* Why3 assumption *) Inductive fmla := | Fterm : expr -> fmla | Fand : fmla -> fmla -> fmla | Fnot : fmla -> fmla | Fimplies : fmla -> fmla -> fmla . Axiom fmla_WhyType : WhyType fmla. Existing Instance fmla_WhyType. (* Why3 assumption *) Fixpoint eval_fmla(s:(map.Map.map ident Z)) (f:fmla) {struct f}: Prop := match f with | (Fterm e) => ~ ((eval_expr s e) = 0%Z) | (Fand f1 f2) => (eval_fmla s f1) /\ (eval_fmla s f2) | (Fnot f1) => ~ (eval_fmla s f1) | (Fimplies f1 f2) => (eval_fmla s f1) -> (eval_fmla s f2) end. Parameter subst_expr: expr -> ident -> expr -> expr. Axiom subst_expr_def : forall (e:expr) (x:ident) (t:expr), match e with | (Econst _) => ((subst_expr e x t) = e) | (Evar y) => ((x = y) -> ((subst_expr e x t) = t)) /\ ((~ (x = y)) -> ((subst_expr e x t) = e)) | (Ebin e1 op e2) => ((subst_expr e x t) = (Ebin (subst_expr e1 x t) op (subst_expr e2 x t))) end. Axiom eval_subst_expr : forall (s:(map.Map.map ident Z)) (e:expr) (x:ident) (t:expr), ((eval_expr s (subst_expr e x t)) = (eval_expr (map.Map.set s x (eval_expr s t)) e)). (* Why3 assumption *) Fixpoint subst(f:fmla) (x:ident) (t:expr) {struct f}: fmla := match f with | (Fterm e) => (Fterm (subst_expr e x t)) | (Fand f1 f2) => (Fand (subst f1 x t) (subst f2 x t)) | (Fnot f1) => (Fnot (subst f1 x t)) | (Fimplies f1 f2) => (Fimplies (subst f1 x t) (subst f2 x t)) end. Axiom eval_subst : forall (s:(map.Map.map ident Z)) (f:fmla) (x:ident) (t:expr), (eval_fmla s (subst f x t)) <-> (eval_fmla (map.Map.set s x (eval_expr s t)) f). (* Why3 assumption *) Definition valid_fmla(p:fmla): Prop := forall (s:(map.Map.map ident Z)), (eval_fmla s p). (* Why3 assumption *) Definition valid_triple(p:fmla) (i:stmt) (q:fmla): Prop := forall (s:(map.Map.map ident Z)), (eval_fmla s p) -> forall (s':(map.Map.map ident Z)) (n:Z), (many_steps s i s' Sskip n) -> (eval_fmla s' q). Axiom skip_rule : forall (q:fmla), (valid_triple q Sskip q). Axiom assign_rule : forall (q:fmla) (x:ident) (e:expr), (valid_triple (subst q x e) (Sassign x e) q). Axiom seq_rule : forall (p:fmla) (q:fmla) (r:fmla) (i1:stmt) (i2:stmt), ((valid_triple p i1 r) /\ (valid_triple r i2 q)) -> (valid_triple p (Sseq i1 i2) q). Axiom if_rule : forall (e:expr) (p:fmla) (q:fmla) (i1:stmt) (i2:stmt), ((valid_triple (Fand p (Fterm e)) i1 q) /\ (valid_triple (Fand p (Fnot (Fterm e))) i2 q)) -> (valid_triple p (Sif e i1 i2) q). (* Why3 goal *) Theorem while_rule : forall (e:expr) (inv:fmla) (i:stmt), (valid_triple (Fand (Fterm e) inv) i inv) -> (valid_triple inv (Swhile e i) (Fand (Fnot (Fterm e)) inv)). Proof. unfold valid_triple. intros e inv i Hinv_preserved. intros s Hinv_init s' n Hred. generalize (steps_non_neg _ _ _ _ _ Hred); intro Hn_pos. generalize Hred; clear Hred. generalize s Hinv_init; clear s Hinv_init. apply Z_lt_induction with (P := fun n => forall s : Map.map ident Z, eval_fmla s inv -> many_steps s (Swhile e i) s' Sskip n -> eval_fmla s' (Fand (Fnot (Fterm e)) inv) ); auto. intros. inversion H1; subst; clear H1. inversion H2; subst; clear H2. (* case cond true *) generalize (many_steps_seq _ _ _ _ _ H3). intros (s3&n1&n2&h1&h2&h3). apply H with (y:=n2) (s:=s3); auto. generalize (steps_non_neg _ _ _ _ _ h1). generalize (steps_non_neg _ _ _ _ _ h2). now (auto with zarith). apply Hinv_preserved with (s:=s2) (n:=n1); simpl; auto. (* case cond false *) inversion H3; subst. simpl; auto. now inversion H1. Qed. �������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������why3-1.6.0/examples/WP_revisited/imp_n/why3session.xml����������������������������������������������0000664�0000000�0000000�00000006013�14401600263�0022750�0����������������������������������������������������������������������������������������������������ustar�00root����������������������������root����������������������������0000000�0000000������������������������������������������������������������������������������������������������������������������������������������������������������������������������<?xml version="1.0" encoding="UTF-8"?> <!DOCTYPE why3session PUBLIC "-//Why3//proof session v5//EN" "http://why3.lri.fr/why3session.dtd"> <why3session shape_version="6"> <prover id="0" name="Coq" version="8.11.2" timelimit="3" steplimit="0" memlimit="0"/> <prover id="1" name="CVC3" version="2.4.1" timelimit="3" steplimit="0" memlimit="0"/> <prover id="2" name="Alt-Ergo" version="2.0.0" timelimit="5" steplimit="0" memlimit="1000"/> <file format="whyml" proved="true"> <path name=".."/><path name="imp_n.why"/> <theory name="Imp" proved="true"> <goal name="ident_eq_dec" proved="true"> <proof prover="2"><result status="valid" time="0.00" steps="1"/></proof> </goal> <goal name="check_skip" proved="true"> <proof prover="2"><result status="valid" time="0.00" steps="2"/></proof> </goal> <goal name="Test13" proved="true"> <proof prover="2"><result status="valid" time="0.01" steps="3"/></proof> </goal> <goal name="Test42" proved="true"> <proof prover="2"><result status="valid" time="0.01" steps="3"/></proof> </goal> <goal name="Test55" proved="true"> <proof prover="2"><result status="valid" time="0.00" steps="16"/></proof> </goal> <goal name="Ass42" proved="true"> <proof prover="2"><result status="valid" time="0.04" steps="91"/></proof> </goal> <goal name="If42" proved="true"> <proof prover="2"><result status="valid" time="0.13" steps="328"/></proof> </goal> <goal name="progress" proved="true"> <proof prover="0"><path name="imp_n_Imp_progress_1.v"/><result status="valid" time="0.30"/></proof> </goal> <goal name="steps_non_neg" proved="true"> <proof prover="0"><path name="imp_n_Imp_steps_non_neg_1.v"/><result status="valid" time="0.28"/></proof> </goal> <goal name="many_steps_seq" proved="true"> <proof prover="0"><path name="imp_n_Imp_many_steps_seq_1.v"/><result status="valid" time="0.40"/></proof> </goal> <goal name="eval_subst_expr" proved="true"> <transf name="induction_ty_lex" proved="true" > <goal name="eval_subst_expr.0" proved="true"> <proof prover="2"><result status="valid" time="0.02" steps="107"/></proof> </goal> </transf> </goal> <goal name="eval_subst" proved="true"> <proof prover="0"><path name="imp_n_Imp_eval_subst_1.v"/><result status="valid" time="0.33"/></proof> </goal> <goal name="skip_rule" proved="true"> <proof prover="2"><result status="valid" time="0.04" steps="149"/></proof> </goal> <goal name="assign_rule" proved="true"> <proof prover="2"><result status="valid" time="0.70" steps="1641"/></proof> </goal> <goal name="seq_rule" proved="true"> <proof prover="2"><result status="valid" time="0.84" steps="3015"/></proof> </goal> <goal name="if_rule" proved="true"> <proof prover="0"><path name="imp_n_Imp_if_rule_1.v"/><result status="valid" time="0.34"/></proof> </goal> <goal name="while_rule" proved="true"> <proof prover="0"><path name="imp_n_Imp_while_rule_1.v"/><result status="valid" time="0.37"/></proof> </goal> <goal name="consequence_rule" proved="true"> <proof prover="1"><result status="valid" time="0.05"/></proof> </goal> </theory> </file> </why3session> ���������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������why3-1.6.0/examples/WP_revisited/imp_n/why3shapes.gz������������������������������������������������0000664�0000000�0000000�00000002022�14401600263�0022364�0����������������������������������������������������������������������������������������������������ustar�00root����������������������������root����������������������������0000000�0000000������������������������������������������������������������������������������������������������������������������������������������������������������������������������������UnF}WM^vfZBC}5foKVLmC$J+"sΙ;ۇojw\+{|Ue>�FZ5/K]o#ni>5/7w۹>}w u@̻u |̂?sW{xwzwݑ7cZ ?}]>11.i!ò>st9^s"l]/ :JAԂW5 ; t7-1CDn hϬ:ުnf1H|I?DMD{�#X.HdI-z[NI7HE2.K| m-HhyχEAyI_ '4;ᰭxJۡw|(ǻn~<T} )©i$ 8$gJd2/&f;iկue[5E z<uQ= HײJ|[w:j;Ss!cLY^dړΗòvQ#Ӟz0�泙-΅T Z;jmUPD6ToT(E.epR) >�[!\hR/찱sY�GQ[l V'MI)ŵrTL3*. P;B) X<BHT]S $-PRs=HaVPUg#Tސj5m O� ljʈH*2dU2ЫzAgHV3s H9B'2,ęS'Є#1M؄Yk7ֆ` c̀ f%moYi)8r9ܕrx E^Lt[[hȔBR3Y:HtXr13kdee \Ƴ L]=ٽg:ת 6/V%5DeTKI  ]Z-{T(7$(gmD1J_ ����������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������why3-1.6.0/examples/WP_revisited/wp2.mlw������������������������������������������������������������0000664�0000000�0000000�00000030245�14401600263�0020063�0����������������������������������������������������������������������������������������������������ustar�00root����������������������������root����������������������������0000000�0000000������������������������������������������������������������������������������������������������������������������������������������������������������������������������ (** {1 A certified WP calculus} *) (** {2 A simple imperative language, syntax and semantics} *) theory Imp (** terms and formulas *) type datatype = Tint | Tbool type operator = Oplus | Ominus | Omult | Ole type ident = int type term = | Tconst int | Tvar ident | Tderef ident | Tbin term operator term type fmla = | Fterm term | Fand fmla fmla | Fnot fmla | Fimplies fmla fmla | Flet ident term fmla | Fforall ident datatype fmla use int.Int use bool.Bool type value = | Vint int | Vbool bool use map.Map as IdMap type env = IdMap.map ident value (** semantics of formulas *) function eval_bin (x:value) (op:operator) (y:value) : value = match x,y with | Vint x,Vint y -> match op with | Oplus -> Vint (x+y) | Ominus -> Vint (x-y) | Omult -> Vint (x*y) | Ole -> Vbool (if x <= y then True else False) end | _,_ -> Vbool False end function get_env (i:ident) (e:env) : value = IdMap.get e i function eval_term (sigma:env) (pi:env) (t:term) : value = match t with | Tconst n -> Vint n | Tvar id -> get_env id pi | Tderef id -> get_env id sigma | Tbin t1 op t2 -> eval_bin (eval_term sigma pi t1) op (eval_term sigma pi t2) end predicate eval_fmla (sigma:env) (pi:env) (f:fmla) = match f with | Fterm t -> eval_term sigma pi t = Vbool True | Fand f1 f2 -> eval_fmla sigma pi f1 /\ eval_fmla sigma pi f2 | Fnot f -> not (eval_fmla sigma pi f) | Fimplies f1 f2 -> eval_fmla sigma pi f1 -> eval_fmla sigma pi f2 | Flet x t f -> eval_fmla sigma (IdMap.set pi x (eval_term sigma pi t)) f | Fforall x Tint f -> forall n:int. eval_fmla sigma (IdMap.set pi x (Vint n)) f | Fforall x Tbool f -> forall b:bool. eval_fmla sigma (IdMap.set pi x (Vbool b)) f end (** substitution of a reference `r` by a logic variable `v` warning: proper behavior only guaranted if `v` is fresh *) let rec function subst_term (e:term) (r:ident) (v:ident) : term = match e with | Tconst _ -> e | Tvar _ -> e | Tderef x -> if r=x then Tvar v else e | Tbin e1 op e2 -> Tbin (subst_term e1 r v) op (subst_term e2 r v) end predicate fresh_in_term (id:ident) (t:term) = match t with | Tconst _ -> true | Tvar v -> id <> v | Tderef _ -> true | Tbin t1 _ t2 -> fresh_in_term id t1 /\ fresh_in_term id t2 end lemma eval_subst_term: forall sigma pi:env, e:term, x:ident, v:ident. fresh_in_term v e -> eval_term sigma pi (subst_term e x v) = eval_term (IdMap.set sigma x (IdMap.get pi v)) pi e lemma eval_term_change_free : forall t:term, sigma pi:env, id:ident, v:value. fresh_in_term id t -> eval_term sigma (IdMap.set pi id v) t = eval_term sigma pi t predicate fresh_in_fmla (id:ident) (f:fmla) = match f with | Fterm e -> fresh_in_term id e | Fand f1 f2 | Fimplies f1 f2 -> fresh_in_fmla id f1 /\ fresh_in_fmla id f2 | Fnot f -> fresh_in_fmla id f | Flet y t f -> id <> y /\ fresh_in_term id t /\ fresh_in_fmla id f | Fforall y _ f -> id <> y /\ fresh_in_fmla id f end let rec function subst (f:fmla) (x:ident) (v:ident) : fmla = match f with | Fterm e -> Fterm (subst_term e x v) | Fand f1 f2 -> Fand (subst f1 x v) (subst f2 x v) | Fnot f -> Fnot (subst f x v) | Fimplies f1 f2 -> Fimplies (subst f1 x v) (subst f2 x v) | Flet y t f -> Flet y (subst_term t x v) (subst f x v) | Fforall y ty f -> Fforall y ty (subst f x v) end lemma eval_subst: forall f:fmla, sigma pi:env, x:ident, v:ident. fresh_in_fmla v f -> (eval_fmla sigma pi (subst f x v) <-> eval_fmla (IdMap.set sigma x (IdMap.get pi v)) pi f) lemma eval_swap: forall f:fmla, sigma pi:env, id1 id2:ident, v1 v2:value. id1 <> id2 -> (eval_fmla sigma (IdMap.set (IdMap.set pi id1 v1) id2 v2) f <-> eval_fmla sigma (IdMap.set (IdMap.set pi id2 v2) id1 v1) f) lemma eval_change_free : forall f:fmla, sigma pi:env, id:ident, v:value. fresh_in_fmla id f -> (eval_fmla sigma (IdMap.set pi id v) f <-> eval_fmla sigma pi f) (* statements *) type stmt = | Sskip | Sassign ident term | Sseq stmt stmt | Sif term stmt stmt | Sassert fmla | Swhile term fmla stmt lemma check_skip: forall s:stmt. s=Sskip \/s<>Sskip (** small-steps semantics for statements *) inductive one_step env env stmt env env stmt = | one_step_assign: forall sigma pi:env, x:ident, e:term. one_step sigma pi (Sassign x e) (IdMap.set sigma x (eval_term sigma pi e)) pi Sskip | one_step_seq: forall sigma pi sigma' pi':env, i1 i1' i2:stmt. one_step sigma pi i1 sigma' pi' i1' -> one_step sigma pi (Sseq i1 i2) sigma' pi' (Sseq i1' i2) | one_step_seq_skip: forall sigma pi:env, i:stmt. one_step sigma pi (Sseq Sskip i) sigma pi i | one_step_if_true: forall sigma pi:env, e:term, i1 i2:stmt. eval_term sigma pi e = (Vbool True) -> one_step sigma pi (Sif e i1 i2) sigma pi i1 | one_step_if_false: forall sigma pi:env, e:term, i1 i2:stmt. eval_term sigma pi e = (Vbool False) -> one_step sigma pi (Sif e i1 i2) sigma pi i2 | one_step_assert: forall sigma pi:env, f:fmla. eval_fmla sigma pi f -> one_step sigma pi (Sassert f) sigma pi Sskip | one_step_while_true: forall sigma pi:env, e:term, inv:fmla, i:stmt. eval_fmla sigma pi inv -> eval_term sigma pi e = (Vbool True) -> one_step sigma pi (Swhile e inv i) sigma pi (Sseq i (Swhile e inv i)) | one_step_while_false: forall sigma pi:env, e:term, inv:fmla, i:stmt. eval_fmla sigma pi inv -> eval_term sigma pi e = (Vbool False) -> one_step sigma pi (Swhile e inv i) sigma pi Sskip (*** lemma progress: forall s:state, i:stmt. i <> Sskip -> exists s':state, i':stmt. one_step s i s' i' *) (** many steps of execution *) inductive many_steps env env stmt env env stmt int = | many_steps_refl: forall sigma pi:env, i:stmt. many_steps sigma pi i sigma pi i 0 | many_steps_trans: forall sigma1 pi1 sigma2 pi2 sigma3 pi3:env, i1 i2 i3:stmt, n:int. one_step sigma1 pi1 i1 sigma2 pi2 i2 -> many_steps sigma2 pi2 i2 sigma3 pi3 i3 n -> many_steps sigma1 pi1 i1 sigma3 pi3 i3 (n+1) lemma steps_non_neg: forall sigma1 pi1 sigma2 pi2:env, i1 i2:stmt, n:int. many_steps sigma1 pi1 i1 sigma2 pi2 i2 n -> n >= 0 lemma many_steps_seq: forall sigma1 pi1 sigma3 pi3:env, i1 i2:stmt, n:int. many_steps sigma1 pi1 (Sseq i1 i2) sigma3 pi3 Sskip n -> exists sigma2 pi2:env, n1 n2:int. many_steps sigma1 pi1 i1 sigma2 pi2 Sskip n1 /\ many_steps sigma2 pi2 i2 sigma3 pi3 Sskip n2 /\ n = 1 + n1 + n2 predicate valid_fmla (p:fmla) = forall sigma pi:env. eval_fmla sigma pi p (** {3 Hoare triples} *) (** partial correctness *) predicate valid_triple (p:fmla) (i:stmt) (q:fmla) = forall sigma pi:env. eval_fmla sigma pi p -> forall sigma' pi':env, n:int. many_steps sigma pi i sigma' pi' Sskip n -> eval_fmla sigma' pi' q (*** total correctness *) (*** predicate total_valid_triple (p:fmla) (i:stmt) (q:fmla) = forall s:state. eval_fmla s p -> exists s':state, n:int. many_steps s i s' Sskip n /\ eval_fmla s' q *) end theory TestSemantics use Imp use map.Const function my_sigma : env = Const.const (Vint 0) function my_pi : env = Const.const (Vint 42) goal Test13 : eval_term my_sigma my_pi (Tconst 13) = Vint 13 goal Test42 : eval_term my_sigma my_pi (Tvar 0) = Vint 42 goal Test0 : eval_term my_sigma my_pi (Tderef 0) = Vint 0 goal Test55 : eval_term my_sigma my_pi (Tbin (Tvar 0) Oplus (Tconst 13)) = Vint 55 goal Ass42 : let x = 0 in forall sigma' pi':env. one_step my_sigma my_pi (Sassign x (Tconst 42)) sigma' pi' Sskip -> IdMap.get sigma' x = Vint 42 goal If42 : let x = 0 in forall sigma1 pi1 sigma2 pi2:env, i:stmt. one_step my_sigma my_pi (Sif (Tbin (Tderef x) Ole (Tconst 10)) (Sassign x (Tconst 13)) (Sassign x (Tconst 42))) sigma1 pi1 i -> one_step sigma1 pi1 i sigma2 pi2 Sskip -> IdMap.get sigma2 x = Vint 13 end (** {2 Hoare logic} *) theory HoareLogic use Imp (** Hoare logic rules (partial correctness) *) lemma consequence_rule: forall p p' q q':fmla, i:stmt. valid_fmla (Fimplies p' p) -> valid_triple p i q -> valid_fmla (Fimplies q q') -> valid_triple p' i q' lemma skip_rule: forall q:fmla. valid_triple q Sskip q lemma assign_rule: forall q:fmla, x id:ident, e:term. fresh_in_fmla id q -> valid_triple (Flet id e (subst q x id)) (Sassign x e) q lemma seq_rule: forall p q r:fmla, i1 i2:stmt. valid_triple p i1 r /\ valid_triple r i2 q -> valid_triple p (Sseq i1 i2) q lemma if_rule: forall e:term, p q:fmla, i1 i2:stmt. valid_triple (Fand p (Fterm e)) i1 q /\ valid_triple (Fand p (Fnot (Fterm e))) i2 q -> valid_triple p (Sif e i1 i2) q lemma assert_rule: forall f p:fmla. valid_fmla (Fimplies p f) -> valid_triple p (Sassert f) p lemma assert_rule_ext: forall f p:fmla. valid_triple (Fimplies f p) (Sassert f) p lemma while_rule: forall e:term, inv:fmla, i:stmt. valid_triple (Fand (Fterm e) inv) i inv -> valid_triple inv (Swhile e inv i) (Fand (Fnot (Fterm e)) inv) lemma while_rule_ext: forall e:term, inv inv':fmla, i:stmt. valid_fmla (Fimplies inv' inv) -> valid_triple (Fand (Fterm e) inv') i inv' -> valid_triple inv' (Swhile e inv i) (Fand (Fnot (Fterm e)) inv') (*** frame rule ? *) end (** {2 WP calculus} *) module WP use Imp use set.Fset as Set clone set.SetApp as S with type elt = ident, val eq = Int.(=) predicate assigns (sigma:env) (a:Set.fset ident) (sigma':env) = forall i:ident. not (Set.mem i a) -> IdMap.get sigma i = IdMap.get sigma' i lemma assigns_refl: forall sigma:env, a:Set.fset ident. assigns sigma a sigma lemma assigns_trans: forall sigma1 sigma2 sigma3:env, a:Set.fset ident. assigns sigma1 a sigma2 /\ assigns sigma2 a sigma3 -> assigns sigma1 a sigma3 lemma assigns_union_left: forall sigma sigma':env, s1 s2:Set.fset ident. assigns sigma s1 sigma' -> assigns sigma (Set.union s1 s2) sigma' lemma assigns_union_right: forall sigma sigma':env, s1 s2:Set.fset ident. assigns sigma s2 sigma' -> assigns sigma (Set.union s1 s2) sigma' predicate stmt_writes (i:stmt) (w:Set.fset ident) = match i with | Sskip | Sassert _ -> true | Sassign id _ -> Set.mem id w | Sseq s1 s2 | Sif _ s1 s2 -> stmt_writes s1 w /\ stmt_writes s2 w | Swhile _ _ s -> stmt_writes s w end let rec compute_writes (s:stmt) : S.set ensures { forall sigma pi sigma' pi':env, n:int. many_steps sigma pi s sigma' pi' Sskip n -> assigns sigma result sigma' } variant { s } = match s with | Sskip -> S.empty () | Sassign i _ -> S.singleton i | Sseq s1 s2 -> S.union (compute_writes s1) (compute_writes s2) | Sif _ s1 s2 -> S.union (compute_writes s1) (compute_writes s2) | Swhile _ _ s -> compute_writes s | Sassert _ -> S.empty () end val fresh_from_fmla (q:fmla) : ident ensures { fresh_in_fmla result q } val abstract_effects (i:stmt) (f:fmla) : fmla ensures { forall sigma pi:env. eval_fmla sigma pi result -> eval_fmla sigma pi f /\ (*** forall sigma':env, w:Set.set ident. stmt_writes i w /\ assigns sigma w sigma' -> eval_fmla sigma' pi result *) forall sigma' pi':env, n:int. many_steps sigma pi i sigma' pi' Sskip n -> eval_fmla sigma' pi' result } use HoareLogic let rec wp (i:stmt) (q:fmla) ensures { valid_triple result i q } variant { i } = match i with | Sskip -> q | Sseq i1 i2 -> wp i1 (wp i2 q) | Sassign x e -> let id = fresh_from_fmla q in Flet id e (subst q x id) | Sif e i1 i2 -> Fand (Fimplies (Fterm e) (wp i1 q)) (Fimplies (Fnot (Fterm e)) (wp i2 q)) | Sassert f -> Fimplies f q (* liberal wp, no termination required *) (* Fand f q *) (* strict wp, termination required *) | Swhile e inv i -> Fand inv (abstract_effects i (Fand (Fimplies (Fand (Fterm e) inv) (wp i inv)) (Fimplies (Fand (Fnot (Fterm e)) inv) q))) end end (*** Local Variables: compile-command: "why3ide wp2.mlw" End: *) �����������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������why3-1.6.0/examples/WP_revisited/wp2/���������������������������������������������������������������0000775�0000000�0000000�00000000000�14401600263�0017336�5����������������������������������������������������������������������������������������������������ustar�00root����������������������������root����������������������������0000000�0000000������������������������������������������������������������������������������������������������������������������������������������������������������������������������why3-1.6.0/examples/WP_revisited/wp2/why3session.xml������������������������������������������������0000664�0000000�0000000�00000025007�14401600263�0022362�0����������������������������������������������������������������������������������������������������ustar�00root����������������������������root����������������������������0000000�0000000������������������������������������������������������������������������������������������������������������������������������������������������������������������������<?xml version="1.0" encoding="UTF-8"?> <!DOCTYPE why3session PUBLIC "-//Why3//proof session v5//EN" "http://why3.lri.fr/why3session.dtd"> <why3session shape_version="6"> <prover id="0" name="CVC4" version="1.7" timelimit="1" steplimit="0" memlimit="1000"/> <prover id="1" name="CVC4" version="1.4" timelimit="1" steplimit="0" memlimit="1000"/> <prover id="2" name="Alt-Ergo" version="2.0.0" timelimit="5" steplimit="0" memlimit="1000"/> <prover id="3" name="CVC4" version="1.6" timelimit="1" steplimit="0" memlimit="1000"/> <prover id="5" name="Coq" version="8.11.2" timelimit="3" steplimit="0" memlimit="0"/> <prover id="8" name="Eprover" version="1.8-001" timelimit="30" steplimit="0" memlimit="4000"/> <prover id="10" name="Z3" version="4.5.0" timelimit="1" steplimit="0" memlimit="1000"/> <file format="whyml" proved="true"> <path name=".."/><path name="wp2.mlw"/> <theory name="Imp" proved="true"> <goal name="eval_subst_term" proved="true"> <transf name="induction_ty_lex" proved="true" > <goal name="eval_subst_term.0" proved="true"> <proof prover="2"><result status="valid" time="0.02" steps="95"/></proof> </goal> </transf> </goal> <goal name="eval_term_change_free" proved="true"> <transf name="induction_ty_lex" proved="true" > <goal name="eval_term_change_free.0" proved="true"> <proof prover="2"><result status="valid" time="0.01" steps="41"/></proof> </goal> </transf> </goal> <goal name="eval_subst" proved="true"> <transf name="induction_ty_lex" proved="true" > <goal name="eval_subst.0" proved="true"> <proof prover="2"><result status="valid" time="0.12" steps="1078"/></proof> </goal> </transf> </goal> <goal name="eval_swap" proved="true"> <proof prover="10"><result status="valid" time="0.02" steps="18456"/></proof> </goal> <goal name="eval_change_free" proved="true"> <proof prover="5" timelimit="5"><path name="wp2_Imp_eval_change_free_1.v"/><result status="valid" time="0.38"/></proof> </goal> <goal name="check_skip" proved="true"> <proof prover="2"><result status="valid" time="0.01" steps="2"/></proof> </goal> <goal name="steps_non_neg" proved="true"> <transf name="induction_pr" proved="true" > <goal name="steps_non_neg.0" proved="true"> <proof prover="2"><result status="valid" time="0.02" steps="9"/></proof> </goal> <goal name="steps_non_neg.1" proved="true"> <proof prover="1"><result status="valid" time="0.04"/></proof> </goal> </transf> </goal> <goal name="many_steps_seq" proved="true"> <proof prover="5"><path name="wp2_Imp_many_steps_seq_1.v"/><result status="valid" time="0.40"/></proof> </goal> </theory> <theory name="TestSemantics" proved="true"> <goal name="Test13" proved="true"> <proof prover="2"><result status="valid" time="0.02" steps="3"/></proof> </goal> <goal name="Test42" proved="true"> <proof prover="2"><result status="valid" time="0.02" steps="12"/></proof> </goal> <goal name="Test0" proved="true"> <proof prover="2"><result status="valid" time="0.02" steps="12"/></proof> </goal> <goal name="Test55" proved="true"> <proof prover="1"><result status="valid" time="0.05"/></proof> </goal> <goal name="Ass42" proved="true"> <proof prover="2"><result status="valid" time="0.05" steps="103"/></proof> </goal> <goal name="If42" proved="true"> <transf name="inversion_pr" proved="true" > <goal name="If42.0" proved="true"> <proof prover="2"><result status="valid" time="0.03" steps="13"/></proof> </goal> <goal name="If42.1" proved="true"> <proof prover="2"><result status="valid" time="0.03" steps="14"/></proof> </goal> <goal name="If42.2" proved="true"> <proof prover="2"><result status="valid" time="0.03" steps="13"/></proof> </goal> <goal name="If42.3" proved="true"> <proof prover="2"><result status="valid" time="0.09" steps="215"/></proof> </goal> <goal name="If42.4" proved="true"> <proof prover="1"><result status="valid" time="0.13"/></proof> </goal> <goal name="If42.5" proved="true"> <proof prover="2"><result status="valid" time="0.03" steps="14"/></proof> </goal> <goal name="If42.6" proved="true"> <proof prover="2"><result status="valid" time="0.03" steps="17"/></proof> </goal> <goal name="If42.7" proved="true"> <proof prover="2"><result status="valid" time="0.03" steps="17"/></proof> </goal> </transf> </goal> </theory> <theory name="HoareLogic" proved="true"> <goal name="consequence_rule" proved="true"> <transf name="introduce_premises" proved="true" > <goal name="consequence_rule.0" proved="true"> <transf name="inline_goal" proved="true" > <goal name="consequence_rule.0.0" proved="true"> <proof prover="8"><result status="valid" time="0.08"/></proof> </goal> </transf> </goal> </transf> </goal> <goal name="skip_rule" proved="true"> <proof prover="2"><result status="valid" time="0.08" steps="267"/></proof> </goal> <goal name="assign_rule" proved="true"> <proof prover="2"><result status="valid" time="0.70" steps="1816"/></proof> </goal> <goal name="seq_rule" proved="true"> <proof prover="2"><result status="valid" time="0.14" steps="407"/></proof> </goal> <goal name="if_rule" proved="true"> <proof prover="5"><path name="wp2_HoareLogic_if_rule_1.v"/><result status="valid" time="0.48"/></proof> </goal> <goal name="assert_rule" proved="true"> <proof prover="2"><result status="valid" time="0.22" steps="518"/></proof> </goal> <goal name="assert_rule_ext" proved="true"> <proof prover="2"><result status="valid" time="0.17" steps="836"/></proof> </goal> <goal name="while_rule" proved="true"> <proof prover="5"><path name="wp2_HoareLogic_while_rule_1.v"/><result status="valid" time="0.48"/></proof> </goal> <goal name="while_rule_ext" proved="true"> <proof prover="5"><path name="wp2_HoareLogic_while_rule_ext_1.v"/><result status="valid" time="0.50"/></proof> </goal> </theory> <theory name="WP" proved="true"> <goal name="S.eq'refn'vc" expl="VC for eq'refn" proved="true"> <proof prover="3"><result status="valid" time="0.05" steps="17661"/></proof> </goal> <goal name="assigns_refl" proved="true"> <proof prover="2"><result status="valid" time="0.02" steps="3"/></proof> </goal> <goal name="assigns_trans" proved="true"> <proof prover="2"><result status="valid" time="0.02" steps="9"/></proof> </goal> <goal name="assigns_union_left" proved="true"> <proof prover="2"><result status="valid" time="0.03" steps="14"/></proof> </goal> <goal name="assigns_union_right" proved="true"> <proof prover="2"><result status="valid" time="0.02" steps="20"/></proof> </goal> <goal name="compute_writes'vc" expl="VC for compute_writes" proved="true"> <transf name="split_goal_right" proved="true" > <goal name="compute_writes'vc.0" expl="variant decrease" proved="true"> <proof prover="2"><result status="valid" time="0.04" steps="44"/></proof> </goal> <goal name="compute_writes'vc.1" expl="variant decrease" proved="true"> <proof prover="2"><result status="valid" time="0.04" steps="44"/></proof> </goal> <goal name="compute_writes'vc.2" expl="variant decrease" proved="true"> <proof prover="2"><result status="valid" time="0.03" steps="49"/></proof> </goal> <goal name="compute_writes'vc.3" expl="variant decrease" proved="true"> <proof prover="2"><result status="valid" time="0.03" steps="49"/></proof> </goal> <goal name="compute_writes'vc.4" expl="variant decrease" proved="true"> <proof prover="2"><result status="valid" time="0.03" steps="49"/></proof> </goal> <goal name="compute_writes'vc.5" expl="postcondition" proved="true"> <transf name="split_goal_right" proved="true" > <goal name="compute_writes'vc.5.0" expl="postcondition" proved="true"> <proof prover="2"><result status="valid" time="0.09" steps="123"/></proof> </goal> <goal name="compute_writes'vc.5.1" expl="postcondition" proved="true"> <proof prover="10"><result status="valid" time="0.24" steps="524747"/></proof> </goal> <goal name="compute_writes'vc.5.2" expl="postcondition" proved="true"> <proof prover="2" timelimit="1"><result status="valid" time="0.13" steps="69"/></proof> </goal> <goal name="compute_writes'vc.5.3" expl="postcondition" proved="true"> <proof prover="0"><result status="valid" time="0.13" steps="27166"/></proof> </goal> <goal name="compute_writes'vc.5.4" expl="postcondition" proved="true"> <proof prover="5" timelimit="0"><path name="wp2_WP_VC_compute_writes_2.v"/><result status="valid" time="0.42"/></proof> </goal> <goal name="compute_writes'vc.5.5" expl="postcondition" proved="true"> <proof prover="10" timelimit="5"><result status="valid" time="0.10" steps="138295"/></proof> </goal> </transf> </goal> </transf> </goal> <goal name="wp'vc" expl="VC for wp" proved="true"> <transf name="split_goal_right" proved="true" > <goal name="wp'vc.0" expl="variant decrease" proved="true"> <proof prover="2"><result status="valid" time="0.04" steps="44"/></proof> </goal> <goal name="wp'vc.1" expl="variant decrease" proved="true"> <proof prover="2"><result status="valid" time="0.04" steps="45"/></proof> </goal> <goal name="wp'vc.2" expl="variant decrease" proved="true"> <proof prover="2"><result status="valid" time="0.03" steps="49"/></proof> </goal> <goal name="wp'vc.3" expl="variant decrease" proved="true"> <proof prover="2"><result status="valid" time="0.04" steps="50"/></proof> </goal> <goal name="wp'vc.4" expl="variant decrease" proved="true"> <proof prover="2"><result status="valid" time="0.04" steps="49"/></proof> </goal> <goal name="wp'vc.5" expl="postcondition" proved="true"> <transf name="split_goal_right" proved="true" > <goal name="wp'vc.5.0" expl="postcondition" proved="true"> <proof prover="2"><result status="valid" time="0.02" steps="8"/></proof> </goal> <goal name="wp'vc.5.1" expl="postcondition" proved="true"> <proof prover="2"><result status="valid" time="0.01" steps="12"/></proof> </goal> <goal name="wp'vc.5.2" expl="postcondition" proved="true"> <proof prover="2"><result status="valid" time="0.02" steps="40"/></proof> </goal> <goal name="wp'vc.5.3" expl="postcondition" proved="true"> <proof prover="2"><result status="valid" time="0.58" steps="3077"/></proof> </goal> <goal name="wp'vc.5.4" expl="postcondition" proved="true"> <proof prover="2"><result status="valid" time="0.02" steps="21"/></proof> </goal> <goal name="wp'vc.5.5" expl="postcondition" proved="true"> <proof prover="5" timelimit="0"><path name="wp2_WP_VC_wp_1.v"/><result status="valid" time="0.48"/></proof> </goal> </transf> </goal> </transf> </goal> </theory> </file> </why3session> �������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������why3-1.6.0/examples/WP_revisited/wp2/why3shapes.gz��������������������������������������������������0000664�0000000�0000000�00000011337�14401600263�0022003�0����������������������������������������������������������������������������������������������������ustar�00root����������������������������root����������������������������0000000�0000000������������������������������������������������������������������������������������������������������������������������������������������������������������������������������Z[G~_7_~B#H 3䫈]n[DdVEfeIVU[d^<Ӌ_/̋U>_‡&~OԤϏSy ?_>i/ކX~z[$n?evrv/+9Vkfޜ1*qԯ撿^]~1g;K*/Yck$%o?x-oZVK<MOLJ{߰t$=Oǩ=)mɫz|Ee'>..%]^ރ"ɢkVV]l ՘ D aW̄ f g ׹I0,_=oT #$$$!\=B^0 }i,m᨞څrTM 9G_L=رׂ\<p4nm;f{h�r�l4kB͐݌$N`M 璵!7ֶ+@` U-5 ${], 6o,YMIwffM`}һ P]N Bt+ғ+3)G_ItbP]5"7yE_lf@,OU>ӅW5GF�z6 سi4b6ưɈHȚ"' Ֆmxr LÓ.d90j`w⭄uNogkuXEQl9ZG$<'Đ[<"�QzD?b#}{9)9!:9#]8酓Y8Fw�ZBL'QX9MZ< Z ҞL7+%R^PP;|K:r�ki[KsO]5C#qc?/SQI*eֈ,˴ >KkߛgGm#<Hg>'1#]4Lރ۩IZ 9=>Xg-zI v ]V,k[X34 4,=Y۳VLBV[7*jEҍ,B9U $2ZGZ9+F9LM +kak7JHw,.EHvӼGLǟ_W3nÇgF.tvH?>tP;k+�s}E~Ae͕ʨ Yu''sS1{ I^g<cO)|zO/W.*,/ȗvA߮]28Y8Cs:@4jV9x[)uvvW .U鞣]Mqv#3yy!bBy"rtK9PS/Dv]@W;=m'62:5F5K my 쒹m&WL1�U&8Sݱ.W/%B2J| ' `y:q̥ǧtz�Z@v]x/'G-Jt37woG}0K}LS"; GDb^o:a4Cml_?!<31=%=4Ġ[8;uw ;r6�|r ad=`lp - I{\.2-.=1 %;_x\=W.ke]]s:,fO=F�&KR8.g* 6e8�4uG۷Z>Q? L9' _K7 f0zxGɿgDUx#*'򁐋PslWfG Ƕt΀" snT2lVd�Lݾ=vvqkA߾4řXs|jwzԠE L1 ipad" _@v6uGտ1vR zu*YE/os]�uX35PgM[V'<-0_X uՙ|դdz $V]cl<#Wط5#K/q6f$=b$˘<fL Yֲ%([|f[ο2? l@ګ!EW ŶxCBwȃ-E)-(`7d+Kn*p^PJJ{vCӛI:% j/H�y*cnoGgBͫT+pageZY >EYfouԟ:r[\E[[jV=H7'?'鮋9I,˺eM~~.??رq~D<ԢyN9\9]=W~eH[ڟw \\K!}흙?dߨl"2\L*I5ݥ *ХZCESg63Y]k2/\Tw^'37\ 'M_=귤ӯC/Gu>ry[-XR}U3ڏ�&Nx64TYGWO6hY\+!mw,V<KI o~mگHSQfp!O.yŒPjHU!0xYL5n9S䶁zyٹQ-a4Y1-չz"BL6N+O7ӣۏvBj~pYݩdRx{J@4e\Zf]ڊy%NäaZml4\Yf�ld4@ '{jliў5%H7wগal=>W~Ơ+S Ƈ`aqCED_7m}gjqrb bqT~N#[x;0y _y)~koi?"e~ Kqb|¹ZCD3",m0V F2wVZ)Krq,R֙jAsKuI!DaZdJ RbHH!]QYRe2 22m,/J øvR/Z&' %K5f $ Tfh:V\^gg\&_҃O*XeTcD켵Bh^7ZfxYbFGrcYV-O{KC"b bC8&T5Y*!C`]\jB9hΔZZc#$IJ k2L>*#lgȭ`&2Tr<fjKڤ"rTJ(mtqJv $VJÏk^,+p|YAN@EflA2(ZW%z|*c,F<0s٨25=d$a%ՙXT*U4.FF NW㱌#x)�63b]@"Ŕ&Jk&*~`hZ� : Қ\DE!.EZ|rIy]%C.)hTU!*uPJάAZ W&U\Qwk5 :8-Ep6ZJd2PL � ."xIy*꼑H>:s1"Eb%FCL�RYBDYus,0y*R#0R`Rd!9iN&@zE<˥,`*Pњ3!c9(@ =]@�jȃG/#m7!Eg$+7ibҲ2Nj$\e)SJlk@\ p< kPJQ뻭ASH+rtP+|әY ҕWK$HG9UBBfWNNHA\!%4grDYmAt#+; %IEPkʅj=@1AQ)DDyHRpFJ0Q; ' <w#cZl9I-W6XPH4q,K(v6zc<@YdqhX*j:ܪ2?&C.ꞎa:fPQ@JT'-iF#UANHYѫZ[//4Ӟtbrjn^<z ]9mfoEŵyJ2CWa(WD'nϏ afI@@(@@)#虜uN(^ir!-{�UH[u\D iE}fS߸U^sp8h_EAcGV{$#+oX._X'T 6j4u]zBd5 f2G>mCH=BGdL(jm6=#\#Q#"Qй{b01CPh>�YE0+zHqϏZKY$ }iEkFGDIHhKL"{-$Nr}/ q B61\7]�$%Y5:\)Ao=3m�b@tbMQ&tH]ԽxT }Qh# [ 4\'~^@3T(!\Pȕq/u2V Iֱxa]�C}@���������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������why3-1.6.0/examples/WP_revisited/wp2/wp2_HoareLogic_if_rule_1.v�������������������������������������0000664�0000000�0000000�00000025226�14401600263�0024265�0����������������������������������������������������������������������������������������������������ustar�00root����������������������������root����������������������������0000000�0000000������������������������������������������������������������������������������������������������������������������������������������������������������������������������(* This file is generated by Why3's Coq driver *) (* Beware! Only edit allowed sections below *) Require Import ZArith. Require Import Rbase. Require int.Int. (* Why3 assumption *) Inductive datatype := | Tint : datatype | Tbool : datatype . (* Why3 assumption *) Inductive operator := | Oplus : operator | Ominus : operator | Omult : operator | Ole : operator . (* Why3 assumption *) Definition ident := Z. (* Why3 assumption *) Inductive term := | Tconst : Z -> term | Tvar : Z -> term | Tderef : Z -> term | Tbin : term -> operator -> term -> term . (* Why3 assumption *) Inductive fmla := | Fterm : term -> fmla | Fand : fmla -> fmla -> fmla | Fnot : fmla -> fmla | Fimplies : fmla -> fmla -> fmla | Flet : Z -> term -> fmla -> fmla | Fforall : Z -> datatype -> fmla -> fmla . (* Why3 assumption *) Definition implb(x:bool) (y:bool): bool := match (x, y) with | (true, false) => false | (_, _) => true end. (* Why3 assumption *) Inductive value := | Vint : Z -> value | Vbool : bool -> value . Parameter map : forall (a:Type) (b:Type), Type. Parameter get: forall (a:Type) (b:Type), (map a b) -> a -> b. Implicit Arguments get. Parameter set: forall (a:Type) (b:Type), (map a b) -> a -> b -> (map a b). Implicit Arguments set. Axiom Select_eq : forall (a:Type) (b:Type), forall (m:(map a b)), forall (a1:a) (a2:a), forall (b1:b), (a1 = a2) -> ((get (set m a1 b1) a2) = b1). Axiom Select_neq : forall (a:Type) (b:Type), forall (m:(map a b)), forall (a1:a) (a2:a), forall (b1:b), (~ (a1 = a2)) -> ((get (set m a1 b1) a2) = (get m a2)). Parameter const: forall (b:Type) (a:Type), b -> (map a b). Set Contextual Implicit. Implicit Arguments const. Unset Contextual Implicit. Axiom Const : forall (b:Type) (a:Type), forall (b1:b) (a1:a), ((get (const b1:(map a b)) a1) = b1). (* Why3 assumption *) Definition env := (map Z value). Parameter eval_bin: value -> operator -> value -> value. Axiom eval_bin_def : forall (x:value) (op:operator) (y:value), match (x, y) with | ((Vint x1), (Vint y1)) => match op with | Oplus => ((eval_bin x op y) = (Vint (x1 + y1)%Z)) | Ominus => ((eval_bin x op y) = (Vint (x1 - y1)%Z)) | Omult => ((eval_bin x op y) = (Vint (x1 * y1)%Z)) | Ole => ((x1 <= y1)%Z -> ((eval_bin x op y) = (Vbool true))) /\ ((~ (x1 <= y1)%Z) -> ((eval_bin x op y) = (Vbool false))) end | (_, _) => ((eval_bin x op y) = (Vbool false)) end. (* Why3 assumption *) Set Implicit Arguments. Fixpoint eval_term(sigma:(map Z value)) (pi:(map Z value)) (t:term) {struct t}: value := match t with | (Tconst n) => (Vint n) | (Tvar id) => (get pi id) | (Tderef id) => (get sigma id) | (Tbin t1 op t2) => (eval_bin (eval_term sigma pi t1) op (eval_term sigma pi t2)) end. Unset Implicit Arguments. (* Why3 assumption *) Set Implicit Arguments. Fixpoint eval_fmla(sigma:(map Z value)) (pi:(map Z value)) (f:fmla) {struct f}: Prop := match f with | (Fterm t) => ((eval_term sigma pi t) = (Vbool true)) | (Fand f1 f2) => (eval_fmla sigma pi f1) /\ (eval_fmla sigma pi f2) | (Fnot f1) => ~ (eval_fmla sigma pi f1) | (Fimplies f1 f2) => (eval_fmla sigma pi f1) -> (eval_fmla sigma pi f2) | (Flet x t f1) => (eval_fmla sigma (set pi x (eval_term sigma pi t)) f1) | (Fforall x Tint f1) => forall (n:Z), (eval_fmla sigma (set pi x (Vint n)) f1) | (Fforall x Tbool f1) => forall (b:bool), (eval_fmla sigma (set pi x (Vbool b)) f1) end. Unset Implicit Arguments. Parameter subst_term: term -> Z -> Z -> term. Axiom subst_term_def : forall (e:term) (r:Z) (v:Z), match e with | (Tconst _) => ((subst_term e r v) = e) | (Tvar _) => ((subst_term e r v) = e) | (Tderef x) => ((r = x) -> ((subst_term e r v) = (Tvar v))) /\ ((~ (r = x)) -> ((subst_term e r v) = e)) | (Tbin e1 op e2) => ((subst_term e r v) = (Tbin (subst_term e1 r v) op (subst_term e2 r v))) end. (* Why3 assumption *) Set Implicit Arguments. Fixpoint fresh_in_term(id:Z) (t:term) {struct t}: Prop := match t with | (Tconst _) => True | (Tvar v) => ~ (id = v) | (Tderef _) => True | (Tbin t1 _ t2) => (fresh_in_term id t1) /\ (fresh_in_term id t2) end. Unset Implicit Arguments. Axiom eval_subst_term : forall (sigma:(map Z value)) (pi:(map Z value)) (e:term) (x:Z) (v:Z), (fresh_in_term v e) -> ((eval_term sigma pi (subst_term e x v)) = (eval_term (set sigma x (get pi v)) pi e)). Axiom eval_term_change_free : forall (t:term) (sigma:(map Z value)) (pi:(map Z value)) (id:Z) (v:value), (fresh_in_term id t) -> ((eval_term sigma (set pi id v) t) = (eval_term sigma pi t)). (* Why3 assumption *) Set Implicit Arguments. Fixpoint fresh_in_fmla(id:Z) (f:fmla) {struct f}: Prop := match f with | (Fterm e) => (fresh_in_term id e) | ((Fand f1 f2)|(Fimplies f1 f2)) => (fresh_in_fmla id f1) /\ (fresh_in_fmla id f2) | (Fnot f1) => (fresh_in_fmla id f1) | (Flet y t f1) => (~ (id = y)) /\ ((fresh_in_term id t) /\ (fresh_in_fmla id f1)) | (Fforall y ty f1) => (~ (id = y)) /\ (fresh_in_fmla id f1) end. Unset Implicit Arguments. (* Why3 assumption *) Set Implicit Arguments. Fixpoint subst(f:fmla) (x:Z) (v:Z) {struct f}: fmla := match f with | (Fterm e) => (Fterm (subst_term e x v)) | (Fand f1 f2) => (Fand (subst f1 x v) (subst f2 x v)) | (Fnot f1) => (Fnot (subst f1 x v)) | (Fimplies f1 f2) => (Fimplies (subst f1 x v) (subst f2 x v)) | (Flet y t f1) => (Flet y (subst_term t x v) (subst f1 x v)) | (Fforall y ty f1) => (Fforall y ty (subst f1 x v)) end. Unset Implicit Arguments. Axiom eval_subst : forall (f:fmla) (sigma:(map Z value)) (pi:(map Z value)) (x:Z) (v:Z), (fresh_in_fmla v f) -> ((eval_fmla sigma pi (subst f x v)) <-> (eval_fmla (set sigma x (get pi v)) pi f)). Axiom eval_swap : forall (f:fmla) (sigma:(map Z value)) (pi:(map Z value)) (id1:Z) (id2:Z) (v1:value) (v2:value), (~ (id1 = id2)) -> ((eval_fmla sigma (set (set pi id1 v1) id2 v2) f) <-> (eval_fmla sigma (set (set pi id2 v2) id1 v1) f)). Axiom eval_change_free : forall (f:fmla) (sigma:(map Z value)) (pi:(map Z value)) (id:Z) (v:value), (fresh_in_fmla id f) -> ((eval_fmla sigma (set pi id v) f) <-> (eval_fmla sigma pi f)). (* Why3 assumption *) Inductive stmt := | Sskip : stmt | Sassign : Z -> term -> stmt | Sseq : stmt -> stmt -> stmt | Sif : term -> stmt -> stmt -> stmt | Sassert : fmla -> stmt | Swhile : term -> fmla -> stmt -> stmt . Axiom check_skip : forall (s:stmt), (s = Sskip) \/ ~ (s = Sskip). (* Why3 assumption *) Inductive one_step : (map Z value) -> (map Z value) -> stmt -> (map Z value) -> (map Z value) -> stmt -> Prop := | one_step_assign : forall (sigma:(map Z value)) (pi:(map Z value)) (x:Z) (e:term), (one_step sigma pi (Sassign x e) (set sigma x (eval_term sigma pi e)) pi Sskip) | one_step_seq : forall (sigma:(map Z value)) (pi:(map Z value)) (sigmaqt:(map Z value)) (piqt:(map Z value)) (i1:stmt) (i1qt:stmt) (i2:stmt), (one_step sigma pi i1 sigmaqt piqt i1qt) -> (one_step sigma pi (Sseq i1 i2) sigmaqt piqt (Sseq i1qt i2)) | one_step_seq_skip : forall (sigma:(map Z value)) (pi:(map Z value)) (i:stmt), (one_step sigma pi (Sseq Sskip i) sigma pi i) | one_step_if_true : forall (sigma:(map Z value)) (pi:(map Z value)) (e:term) (i1:stmt) (i2:stmt), ((eval_term sigma pi e) = (Vbool true)) -> (one_step sigma pi (Sif e i1 i2) sigma pi i1) | one_step_if_false : forall (sigma:(map Z value)) (pi:(map Z value)) (e:term) (i1:stmt) (i2:stmt), ((eval_term sigma pi e) = (Vbool false)) -> (one_step sigma pi (Sif e i1 i2) sigma pi i2) | one_step_assert : forall (sigma:(map Z value)) (pi:(map Z value)) (f:fmla), (eval_fmla sigma pi f) -> (one_step sigma pi (Sassert f) sigma pi Sskip) | one_step_while_true : forall (sigma:(map Z value)) (pi:(map Z value)) (e:term) (inv:fmla) (i:stmt), (eval_fmla sigma pi inv) -> (((eval_term sigma pi e) = (Vbool true)) -> (one_step sigma pi (Swhile e inv i) sigma pi (Sseq i (Swhile e inv i)))) | one_step_while_false : forall (sigma:(map Z value)) (pi:(map Z value)) (e:term) (inv:fmla) (i:stmt), (eval_fmla sigma pi inv) -> (((eval_term sigma pi e) = (Vbool false)) -> (one_step sigma pi (Swhile e inv i) sigma pi Sskip)). (* Why3 assumption *) Inductive many_steps : (map Z value) -> (map Z value) -> stmt -> (map Z value) -> (map Z value) -> stmt -> Z -> Prop := | many_steps_refl : forall (sigma:(map Z value)) (pi:(map Z value)) (i:stmt), (many_steps sigma pi i sigma pi i 0%Z) | many_steps_trans : forall (sigma1:(map Z value)) (pi1:(map Z value)) (sigma2:(map Z value)) (pi2:(map Z value)) (sigma3:(map Z value)) (pi3:(map Z value)) (i1:stmt) (i2:stmt) (i3:stmt) (n:Z), (one_step sigma1 pi1 i1 sigma2 pi2 i2) -> ((many_steps sigma2 pi2 i2 sigma3 pi3 i3 n) -> (many_steps sigma1 pi1 i1 sigma3 pi3 i3 (n + 1%Z)%Z)). Axiom steps_non_neg : forall (sigma1:(map Z value)) (pi1:(map Z value)) (sigma2:(map Z value)) (pi2:(map Z value)) (i1:stmt) (i2:stmt) (n:Z), (many_steps sigma1 pi1 i1 sigma2 pi2 i2 n) -> (0%Z <= n)%Z. Axiom many_steps_seq : forall (sigma1:(map Z value)) (pi1:(map Z value)) (sigma3:(map Z value)) (pi3:(map Z value)) (i1:stmt) (i2:stmt) (n:Z), (many_steps sigma1 pi1 (Sseq i1 i2) sigma3 pi3 Sskip n) -> exists sigma2:(map Z value), exists pi2:(map Z value), exists n1:Z, exists n2:Z, (many_steps sigma1 pi1 i1 sigma2 pi2 Sskip n1) /\ ((many_steps sigma2 pi2 i2 sigma3 pi3 Sskip n2) /\ (n = ((1%Z + n1)%Z + n2)%Z)). (* Why3 assumption *) Definition valid_fmla(p:fmla): Prop := forall (sigma:(map Z value)) (pi:(map Z value)), (eval_fmla sigma pi p). (* Why3 assumption *) Definition valid_triple(p:fmla) (i:stmt) (q:fmla): Prop := forall (sigma:(map Z value)) (pi:(map Z value)), (eval_fmla sigma pi p) -> forall (sigmaqt:(map Z value)) (piqt:(map Z value)) (n:Z), (many_steps sigma pi i sigmaqt piqt Sskip n) -> (eval_fmla sigmaqt piqt q). Axiom skip_rule : forall (q:fmla), (valid_triple q Sskip q). Axiom assign_rule : forall (q:fmla) (x:Z) (id:Z) (e:term), (fresh_in_fmla id q) -> (valid_triple (Flet id e (subst q x id)) (Sassign x e) q). Axiom seq_rule : forall (p:fmla) (q:fmla) (r:fmla) (i1:stmt) (i2:stmt), ((valid_triple p i1 r) /\ (valid_triple r i2 q)) -> (valid_triple p (Sseq i1 i2) q). (* Why3 goal *) Theorem if_rule : forall (e:term) (p:fmla) (q:fmla) (i1:stmt) (i2:stmt), ((valid_triple (Fand p (Fterm e)) i1 q) /\ (valid_triple (Fand p (Fnot (Fterm e))) i2 q)) -> (valid_triple p (Sif e i1 i2) q). unfold valid_triple. intros e p q i1 i2 (H1,H2). intros s pi H s' pi' n H'. inversion H'; subst; auto. inversion H0; subst; auto. eapply H1; eauto. simpl; auto. eapply H2; eauto. simpl; rewrite H12; intuition. discriminate. Qed. ��������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������why3-1.6.0/examples/WP_revisited/wp2/wp2_HoareLogic_while_rule_1.v����������������������������������0000664�0000000�0000000�00000027567�14401600263�0025011�0����������������������������������������������������������������������������������������������������ustar�00root����������������������������root����������������������������0000000�0000000������������������������������������������������������������������������������������������������������������������������������������������������������������������������(* This file is generated by Why3's Coq driver *) (* Beware! Only edit allowed sections below *) Require Import ZArith. Require Import Rbase. Require int.Int. (* Why3 assumption *) Inductive datatype := | Tint : datatype | Tbool : datatype . (* Why3 assumption *) Inductive operator := | Oplus : operator | Ominus : operator | Omult : operator | Ole : operator . (* Why3 assumption *) Definition ident := Z. (* Why3 assumption *) Inductive term := | Tconst : Z -> term | Tvar : Z -> term | Tderef : Z -> term | Tbin : term -> operator -> term -> term . (* Why3 assumption *) Inductive fmla := | Fterm : term -> fmla | Fand : fmla -> fmla -> fmla | Fnot : fmla -> fmla | Fimplies : fmla -> fmla -> fmla | Flet : Z -> term -> fmla -> fmla | Fforall : Z -> datatype -> fmla -> fmla . (* Why3 assumption *) Definition implb(x:bool) (y:bool): bool := match (x, y) with | (true, false) => false | (_, _) => true end. (* Why3 assumption *) Inductive value := | Vint : Z -> value | Vbool : bool -> value . Parameter map : forall (a:Type) (b:Type), Type. Parameter get: forall (a:Type) (b:Type), (map a b) -> a -> b. Implicit Arguments get. Parameter set: forall (a:Type) (b:Type), (map a b) -> a -> b -> (map a b). Implicit Arguments set. Axiom Select_eq : forall (a:Type) (b:Type), forall (m:(map a b)), forall (a1:a) (a2:a), forall (b1:b), (a1 = a2) -> ((get (set m a1 b1) a2) = b1). Axiom Select_neq : forall (a:Type) (b:Type), forall (m:(map a b)), forall (a1:a) (a2:a), forall (b1:b), (~ (a1 = a2)) -> ((get (set m a1 b1) a2) = (get m a2)). Parameter const: forall (b:Type) (a:Type), b -> (map a b). Set Contextual Implicit. Implicit Arguments const. Unset Contextual Implicit. Axiom Const : forall (b:Type) (a:Type), forall (b1:b) (a1:a), ((get (const b1:(map a b)) a1) = b1). (* Why3 assumption *) Definition env := (map Z value). Parameter eval_bin: value -> operator -> value -> value. Axiom eval_bin_def : forall (x:value) (op:operator) (y:value), match (x, y) with | ((Vint x1), (Vint y1)) => match op with | Oplus => ((eval_bin x op y) = (Vint (x1 + y1)%Z)) | Ominus => ((eval_bin x op y) = (Vint (x1 - y1)%Z)) | Omult => ((eval_bin x op y) = (Vint (x1 * y1)%Z)) | Ole => ((x1 <= y1)%Z -> ((eval_bin x op y) = (Vbool true))) /\ ((~ (x1 <= y1)%Z) -> ((eval_bin x op y) = (Vbool false))) end | (_, _) => ((eval_bin x op y) = (Vbool false)) end. (* Why3 assumption *) Set Implicit Arguments. Fixpoint eval_term(sigma:(map Z value)) (pi:(map Z value)) (t:term) {struct t}: value := match t with | (Tconst n) => (Vint n) | (Tvar id) => (get pi id) | (Tderef id) => (get sigma id) | (Tbin t1 op t2) => (eval_bin (eval_term sigma pi t1) op (eval_term sigma pi t2)) end. Unset Implicit Arguments. (* Why3 assumption *) Set Implicit Arguments. Fixpoint eval_fmla(sigma:(map Z value)) (pi:(map Z value)) (f:fmla) {struct f}: Prop := match f with | (Fterm t) => ((eval_term sigma pi t) = (Vbool true)) | (Fand f1 f2) => (eval_fmla sigma pi f1) /\ (eval_fmla sigma pi f2) | (Fnot f1) => ~ (eval_fmla sigma pi f1) | (Fimplies f1 f2) => (eval_fmla sigma pi f1) -> (eval_fmla sigma pi f2) | (Flet x t f1) => (eval_fmla sigma (set pi x (eval_term sigma pi t)) f1) | (Fforall x Tint f1) => forall (n:Z), (eval_fmla sigma (set pi x (Vint n)) f1) | (Fforall x Tbool f1) => forall (b:bool), (eval_fmla sigma (set pi x (Vbool b)) f1) end. Unset Implicit Arguments. Parameter subst_term: term -> Z -> Z -> term. Axiom subst_term_def : forall (e:term) (r:Z) (v:Z), match e with | (Tconst _) => ((subst_term e r v) = e) | (Tvar _) => ((subst_term e r v) = e) | (Tderef x) => ((r = x) -> ((subst_term e r v) = (Tvar v))) /\ ((~ (r = x)) -> ((subst_term e r v) = e)) | (Tbin e1 op e2) => ((subst_term e r v) = (Tbin (subst_term e1 r v) op (subst_term e2 r v))) end. (* Why3 assumption *) Set Implicit Arguments. Fixpoint fresh_in_term(id:Z) (t:term) {struct t}: Prop := match t with | (Tconst _) => True | (Tvar v) => ~ (id = v) | (Tderef _) => True | (Tbin t1 _ t2) => (fresh_in_term id t1) /\ (fresh_in_term id t2) end. Unset Implicit Arguments. Axiom eval_subst_term : forall (sigma:(map Z value)) (pi:(map Z value)) (e:term) (x:Z) (v:Z), (fresh_in_term v e) -> ((eval_term sigma pi (subst_term e x v)) = (eval_term (set sigma x (get pi v)) pi e)). Axiom eval_term_change_free : forall (t:term) (sigma:(map Z value)) (pi:(map Z value)) (id:Z) (v:value), (fresh_in_term id t) -> ((eval_term sigma (set pi id v) t) = (eval_term sigma pi t)). (* Why3 assumption *) Set Implicit Arguments. Fixpoint fresh_in_fmla(id:Z) (f:fmla) {struct f}: Prop := match f with | (Fterm e) => (fresh_in_term id e) | ((Fand f1 f2)|(Fimplies f1 f2)) => (fresh_in_fmla id f1) /\ (fresh_in_fmla id f2) | (Fnot f1) => (fresh_in_fmla id f1) | (Flet y t f1) => (~ (id = y)) /\ ((fresh_in_term id t) /\ (fresh_in_fmla id f1)) | (Fforall y ty f1) => (~ (id = y)) /\ (fresh_in_fmla id f1) end. Unset Implicit Arguments. (* Why3 assumption *) Set Implicit Arguments. Fixpoint subst(f:fmla) (x:Z) (v:Z) {struct f}: fmla := match f with | (Fterm e) => (Fterm (subst_term e x v)) | (Fand f1 f2) => (Fand (subst f1 x v) (subst f2 x v)) | (Fnot f1) => (Fnot (subst f1 x v)) | (Fimplies f1 f2) => (Fimplies (subst f1 x v) (subst f2 x v)) | (Flet y t f1) => (Flet y (subst_term t x v) (subst f1 x v)) | (Fforall y ty f1) => (Fforall y ty (subst f1 x v)) end. Unset Implicit Arguments. Axiom eval_subst : forall (f:fmla) (sigma:(map Z value)) (pi:(map Z value)) (x:Z) (v:Z), (fresh_in_fmla v f) -> ((eval_fmla sigma pi (subst f x v)) <-> (eval_fmla (set sigma x (get pi v)) pi f)). Axiom eval_swap : forall (f:fmla) (sigma:(map Z value)) (pi:(map Z value)) (id1:Z) (id2:Z) (v1:value) (v2:value), (~ (id1 = id2)) -> ((eval_fmla sigma (set (set pi id1 v1) id2 v2) f) <-> (eval_fmla sigma (set (set pi id2 v2) id1 v1) f)). Axiom eval_change_free : forall (f:fmla) (sigma:(map Z value)) (pi:(map Z value)) (id:Z) (v:value), (fresh_in_fmla id f) -> ((eval_fmla sigma (set pi id v) f) <-> (eval_fmla sigma pi f)). (* Why3 assumption *) Inductive stmt := | Sskip : stmt | Sassign : Z -> term -> stmt | Sseq : stmt -> stmt -> stmt | Sif : term -> stmt -> stmt -> stmt | Sassert : fmla -> stmt | Swhile : term -> fmla -> stmt -> stmt . Axiom check_skip : forall (s:stmt), (s = Sskip) \/ ~ (s = Sskip). (* Why3 assumption *) Inductive one_step : (map Z value) -> (map Z value) -> stmt -> (map Z value) -> (map Z value) -> stmt -> Prop := | one_step_assign : forall (sigma:(map Z value)) (pi:(map Z value)) (x:Z) (e:term), (one_step sigma pi (Sassign x e) (set sigma x (eval_term sigma pi e)) pi Sskip) | one_step_seq : forall (sigma:(map Z value)) (pi:(map Z value)) (sigmaqt:(map Z value)) (piqt:(map Z value)) (i1:stmt) (i1qt:stmt) (i2:stmt), (one_step sigma pi i1 sigmaqt piqt i1qt) -> (one_step sigma pi (Sseq i1 i2) sigmaqt piqt (Sseq i1qt i2)) | one_step_seq_skip : forall (sigma:(map Z value)) (pi:(map Z value)) (i:stmt), (one_step sigma pi (Sseq Sskip i) sigma pi i) | one_step_if_true : forall (sigma:(map Z value)) (pi:(map Z value)) (e:term) (i1:stmt) (i2:stmt), ((eval_term sigma pi e) = (Vbool true)) -> (one_step sigma pi (Sif e i1 i2) sigma pi i1) | one_step_if_false : forall (sigma:(map Z value)) (pi:(map Z value)) (e:term) (i1:stmt) (i2:stmt), ((eval_term sigma pi e) = (Vbool false)) -> (one_step sigma pi (Sif e i1 i2) sigma pi i2) | one_step_assert : forall (sigma:(map Z value)) (pi:(map Z value)) (f:fmla), (eval_fmla sigma pi f) -> (one_step sigma pi (Sassert f) sigma pi Sskip) | one_step_while_true : forall (sigma:(map Z value)) (pi:(map Z value)) (e:term) (inv:fmla) (i:stmt), (eval_fmla sigma pi inv) -> (((eval_term sigma pi e) = (Vbool true)) -> (one_step sigma pi (Swhile e inv i) sigma pi (Sseq i (Swhile e inv i)))) | one_step_while_false : forall (sigma:(map Z value)) (pi:(map Z value)) (e:term) (inv:fmla) (i:stmt), (eval_fmla sigma pi inv) -> (((eval_term sigma pi e) = (Vbool false)) -> (one_step sigma pi (Swhile e inv i) sigma pi Sskip)). (* Why3 assumption *) Inductive many_steps : (map Z value) -> (map Z value) -> stmt -> (map Z value) -> (map Z value) -> stmt -> Z -> Prop := | many_steps_refl : forall (sigma:(map Z value)) (pi:(map Z value)) (i:stmt), (many_steps sigma pi i sigma pi i 0%Z) | many_steps_trans : forall (sigma1:(map Z value)) (pi1:(map Z value)) (sigma2:(map Z value)) (pi2:(map Z value)) (sigma3:(map Z value)) (pi3:(map Z value)) (i1:stmt) (i2:stmt) (i3:stmt) (n:Z), (one_step sigma1 pi1 i1 sigma2 pi2 i2) -> ((many_steps sigma2 pi2 i2 sigma3 pi3 i3 n) -> (many_steps sigma1 pi1 i1 sigma3 pi3 i3 (n + 1%Z)%Z)). Axiom steps_non_neg : forall (sigma1:(map Z value)) (pi1:(map Z value)) (sigma2:(map Z value)) (pi2:(map Z value)) (i1:stmt) (i2:stmt) (n:Z), (many_steps sigma1 pi1 i1 sigma2 pi2 i2 n) -> (0%Z <= n)%Z. Axiom many_steps_seq : forall (sigma1:(map Z value)) (pi1:(map Z value)) (sigma3:(map Z value)) (pi3:(map Z value)) (i1:stmt) (i2:stmt) (n:Z), (many_steps sigma1 pi1 (Sseq i1 i2) sigma3 pi3 Sskip n) -> exists sigma2:(map Z value), exists pi2:(map Z value), exists n1:Z, exists n2:Z, (many_steps sigma1 pi1 i1 sigma2 pi2 Sskip n1) /\ ((many_steps sigma2 pi2 i2 sigma3 pi3 Sskip n2) /\ (n = ((1%Z + n1)%Z + n2)%Z)). (* Why3 assumption *) Definition valid_fmla(p:fmla): Prop := forall (sigma:(map Z value)) (pi:(map Z value)), (eval_fmla sigma pi p). (* Why3 assumption *) Definition valid_triple(p:fmla) (i:stmt) (q:fmla): Prop := forall (sigma:(map Z value)) (pi:(map Z value)), (eval_fmla sigma pi p) -> forall (sigmaqt:(map Z value)) (piqt:(map Z value)) (n:Z), (many_steps sigma pi i sigmaqt piqt Sskip n) -> (eval_fmla sigmaqt piqt q). Axiom consequence_rule : forall (p:fmla) (pqt:fmla) (q:fmla) (qqt:fmla) (i:stmt), (valid_fmla (Fimplies pqt p)) -> ((valid_triple p i q) -> ((valid_fmla (Fimplies q qqt)) -> (valid_triple pqt i qqt))). Axiom skip_rule : forall (q:fmla), (valid_triple q Sskip q). Axiom assign_rule : forall (q:fmla) (x:Z) (id:Z) (e:term), (fresh_in_fmla id q) -> (valid_triple (Flet id e (subst q x id)) (Sassign x e) q). Axiom seq_rule : forall (p:fmla) (q:fmla) (r:fmla) (i1:stmt) (i2:stmt), ((valid_triple p i1 r) /\ (valid_triple r i2 q)) -> (valid_triple p (Sseq i1 i2) q). Axiom if_rule : forall (e:term) (p:fmla) (q:fmla) (i1:stmt) (i2:stmt), ((valid_triple (Fand p (Fterm e)) i1 q) /\ (valid_triple (Fand p (Fnot (Fterm e))) i2 q)) -> (valid_triple p (Sif e i1 i2) q). Axiom assert_rule : forall (f:fmla) (p:fmla), (valid_fmla (Fimplies p f)) -> (valid_triple p (Sassert f) p). Axiom assert_rule_ext : forall (f:fmla) (p:fmla), (valid_triple (Fimplies f p) (Sassert f) p). (* Why3 goal *) Theorem while_rule : forall (e:term) (inv:fmla) (i:stmt), (valid_triple (Fand (Fterm e) inv) i inv) -> (valid_triple inv (Swhile e inv i) (Fand (Fnot (Fterm e)) inv)). unfold valid_triple. intros e inv i Hinv_preserved. intros s p Hinv_init s' p' n Hred. generalize (steps_non_neg _ _ _ _ _ _ _ Hred); intro Hn_pos. generalize Hred; clear Hred. generalize s p Hinv_init; clear s p Hinv_init. apply Z_lt_induction with (P := fun n => forall s p, eval_fmla s p inv -> many_steps s p (Swhile e inv i) s' p' Sskip n -> eval_fmla s' p' (Fand (Fnot (Fterm e)) inv) ); auto. intros. inversion H1; subst; clear H1. inversion H2; subst; clear H2. (* case cond true *) generalize (many_steps_seq _ _ _ _ _ _ _ H3). intros (s3 & p3 & n1 & n2 & h1 & h2 & h3). apply H with (3:=h2); auto. generalize (steps_non_neg _ _ _ _ _ _ _ h1). generalize (steps_non_neg _ _ _ _ _ _ _ h2). now (auto with zarith). apply Hinv_preserved with (2:=h1); simpl; auto. (* case cond false *) inversion H3; subst. simpl; rewrite H12; intuition. discriminate. now inversion H1. Qed. �����������������������������������������������������������������������������������������������������������������������������������������why3-1.6.0/examples/WP_revisited/wp2/wp2_HoareLogic_while_rule_ext_1.v������������������������������0000664�0000000�0000000�00000030220�14401600263�0025645�0����������������������������������������������������������������������������������������������������ustar�00root����������������������������root����������������������������0000000�0000000������������������������������������������������������������������������������������������������������������������������������������������������������������������������(* This file is generated by Why3's Coq driver *) (* Beware! Only edit allowed sections below *) Require Import ZArith. Require Import Rbase. Require int.Int. (* Why3 assumption *) Inductive datatype := | Tint : datatype | Tbool : datatype . (* Why3 assumption *) Inductive operator := | Oplus : operator | Ominus : operator | Omult : operator | Ole : operator . (* Why3 assumption *) Definition ident := Z. (* Why3 assumption *) Inductive term := | Tconst : Z -> term | Tvar : Z -> term | Tderef : Z -> term | Tbin : term -> operator -> term -> term . (* Why3 assumption *) Inductive fmla := | Fterm : term -> fmla | Fand : fmla -> fmla -> fmla | Fnot : fmla -> fmla | Fimplies : fmla -> fmla -> fmla | Flet : Z -> term -> fmla -> fmla | Fforall : Z -> datatype -> fmla -> fmla . (* Why3 assumption *) Definition implb(x:bool) (y:bool): bool := match (x, y) with | (true, false) => false | (_, _) => true end. (* Why3 assumption *) Inductive value := | Vint : Z -> value | Vbool : bool -> value . Parameter map : forall (a:Type) (b:Type), Type. Parameter get: forall (a:Type) (b:Type), (map a b) -> a -> b. Implicit Arguments get. Parameter set: forall (a:Type) (b:Type), (map a b) -> a -> b -> (map a b). Implicit Arguments set. Axiom Select_eq : forall (a:Type) (b:Type), forall (m:(map a b)), forall (a1:a) (a2:a), forall (b1:b), (a1 = a2) -> ((get (set m a1 b1) a2) = b1). Axiom Select_neq : forall (a:Type) (b:Type), forall (m:(map a b)), forall (a1:a) (a2:a), forall (b1:b), (~ (a1 = a2)) -> ((get (set m a1 b1) a2) = (get m a2)). Parameter const: forall (b:Type) (a:Type), b -> (map a b). Set Contextual Implicit. Implicit Arguments const. Unset Contextual Implicit. Axiom Const : forall (b:Type) (a:Type), forall (b1:b) (a1:a), ((get (const b1:(map a b)) a1) = b1). (* Why3 assumption *) Definition env := (map Z value). Parameter eval_bin: value -> operator -> value -> value. Axiom eval_bin_def : forall (x:value) (op:operator) (y:value), match (x, y) with | ((Vint x1), (Vint y1)) => match op with | Oplus => ((eval_bin x op y) = (Vint (x1 + y1)%Z)) | Ominus => ((eval_bin x op y) = (Vint (x1 - y1)%Z)) | Omult => ((eval_bin x op y) = (Vint (x1 * y1)%Z)) | Ole => ((x1 <= y1)%Z -> ((eval_bin x op y) = (Vbool true))) /\ ((~ (x1 <= y1)%Z) -> ((eval_bin x op y) = (Vbool false))) end | (_, _) => ((eval_bin x op y) = (Vbool false)) end. (* Why3 assumption *) Set Implicit Arguments. Fixpoint eval_term(sigma:(map Z value)) (pi:(map Z value)) (t:term) {struct t}: value := match t with | (Tconst n) => (Vint n) | (Tvar id) => (get pi id) | (Tderef id) => (get sigma id) | (Tbin t1 op t2) => (eval_bin (eval_term sigma pi t1) op (eval_term sigma pi t2)) end. Unset Implicit Arguments. (* Why3 assumption *) Set Implicit Arguments. Fixpoint eval_fmla(sigma:(map Z value)) (pi:(map Z value)) (f:fmla) {struct f}: Prop := match f with | (Fterm t) => ((eval_term sigma pi t) = (Vbool true)) | (Fand f1 f2) => (eval_fmla sigma pi f1) /\ (eval_fmla sigma pi f2) | (Fnot f1) => ~ (eval_fmla sigma pi f1) | (Fimplies f1 f2) => (eval_fmla sigma pi f1) -> (eval_fmla sigma pi f2) | (Flet x t f1) => (eval_fmla sigma (set pi x (eval_term sigma pi t)) f1) | (Fforall x Tint f1) => forall (n:Z), (eval_fmla sigma (set pi x (Vint n)) f1) | (Fforall x Tbool f1) => forall (b:bool), (eval_fmla sigma (set pi x (Vbool b)) f1) end. Unset Implicit Arguments. Parameter subst_term: term -> Z -> Z -> term. Axiom subst_term_def : forall (e:term) (r:Z) (v:Z), match e with | (Tconst _) => ((subst_term e r v) = e) | (Tvar _) => ((subst_term e r v) = e) | (Tderef x) => ((r = x) -> ((subst_term e r v) = (Tvar v))) /\ ((~ (r = x)) -> ((subst_term e r v) = e)) | (Tbin e1 op e2) => ((subst_term e r v) = (Tbin (subst_term e1 r v) op (subst_term e2 r v))) end. (* Why3 assumption *) Set Implicit Arguments. Fixpoint fresh_in_term(id:Z) (t:term) {struct t}: Prop := match t with | (Tconst _) => True | (Tvar v) => ~ (id = v) | (Tderef _) => True | (Tbin t1 _ t2) => (fresh_in_term id t1) /\ (fresh_in_term id t2) end. Unset Implicit Arguments. Axiom eval_subst_term : forall (sigma:(map Z value)) (pi:(map Z value)) (e:term) (x:Z) (v:Z), (fresh_in_term v e) -> ((eval_term sigma pi (subst_term e x v)) = (eval_term (set sigma x (get pi v)) pi e)). Axiom eval_term_change_free : forall (t:term) (sigma:(map Z value)) (pi:(map Z value)) (id:Z) (v:value), (fresh_in_term id t) -> ((eval_term sigma (set pi id v) t) = (eval_term sigma pi t)). (* Why3 assumption *) Set Implicit Arguments. Fixpoint fresh_in_fmla(id:Z) (f:fmla) {struct f}: Prop := match f with | (Fterm e) => (fresh_in_term id e) | ((Fand f1 f2)|(Fimplies f1 f2)) => (fresh_in_fmla id f1) /\ (fresh_in_fmla id f2) | (Fnot f1) => (fresh_in_fmla id f1) | (Flet y t f1) => (~ (id = y)) /\ ((fresh_in_term id t) /\ (fresh_in_fmla id f1)) | (Fforall y ty f1) => (~ (id = y)) /\ (fresh_in_fmla id f1) end. Unset Implicit Arguments. (* Why3 assumption *) Set Implicit Arguments. Fixpoint subst(f:fmla) (x:Z) (v:Z) {struct f}: fmla := match f with | (Fterm e) => (Fterm (subst_term e x v)) | (Fand f1 f2) => (Fand (subst f1 x v) (subst f2 x v)) | (Fnot f1) => (Fnot (subst f1 x v)) | (Fimplies f1 f2) => (Fimplies (subst f1 x v) (subst f2 x v)) | (Flet y t f1) => (Flet y (subst_term t x v) (subst f1 x v)) | (Fforall y ty f1) => (Fforall y ty (subst f1 x v)) end. Unset Implicit Arguments. Axiom eval_subst : forall (f:fmla) (sigma:(map Z value)) (pi:(map Z value)) (x:Z) (v:Z), (fresh_in_fmla v f) -> ((eval_fmla sigma pi (subst f x v)) <-> (eval_fmla (set sigma x (get pi v)) pi f)). Axiom eval_swap : forall (f:fmla) (sigma:(map Z value)) (pi:(map Z value)) (id1:Z) (id2:Z) (v1:value) (v2:value), (~ (id1 = id2)) -> ((eval_fmla sigma (set (set pi id1 v1) id2 v2) f) <-> (eval_fmla sigma (set (set pi id2 v2) id1 v1) f)). Axiom eval_change_free : forall (f:fmla) (sigma:(map Z value)) (pi:(map Z value)) (id:Z) (v:value), (fresh_in_fmla id f) -> ((eval_fmla sigma (set pi id v) f) <-> (eval_fmla sigma pi f)). (* Why3 assumption *) Inductive stmt := | Sskip : stmt | Sassign : Z -> term -> stmt | Sseq : stmt -> stmt -> stmt | Sif : term -> stmt -> stmt -> stmt | Sassert : fmla -> stmt | Swhile : term -> fmla -> stmt -> stmt . Axiom check_skip : forall (s:stmt), (s = Sskip) \/ ~ (s = Sskip). (* Why3 assumption *) Inductive one_step : (map Z value) -> (map Z value) -> stmt -> (map Z value) -> (map Z value) -> stmt -> Prop := | one_step_assign : forall (sigma:(map Z value)) (pi:(map Z value)) (x:Z) (e:term), (one_step sigma pi (Sassign x e) (set sigma x (eval_term sigma pi e)) pi Sskip) | one_step_seq : forall (sigma:(map Z value)) (pi:(map Z value)) (sigmaqt:(map Z value)) (piqt:(map Z value)) (i1:stmt) (i1qt:stmt) (i2:stmt), (one_step sigma pi i1 sigmaqt piqt i1qt) -> (one_step sigma pi (Sseq i1 i2) sigmaqt piqt (Sseq i1qt i2)) | one_step_seq_skip : forall (sigma:(map Z value)) (pi:(map Z value)) (i:stmt), (one_step sigma pi (Sseq Sskip i) sigma pi i) | one_step_if_true : forall (sigma:(map Z value)) (pi:(map Z value)) (e:term) (i1:stmt) (i2:stmt), ((eval_term sigma pi e) = (Vbool true)) -> (one_step sigma pi (Sif e i1 i2) sigma pi i1) | one_step_if_false : forall (sigma:(map Z value)) (pi:(map Z value)) (e:term) (i1:stmt) (i2:stmt), ((eval_term sigma pi e) = (Vbool false)) -> (one_step sigma pi (Sif e i1 i2) sigma pi i2) | one_step_assert : forall (sigma:(map Z value)) (pi:(map Z value)) (f:fmla), (eval_fmla sigma pi f) -> (one_step sigma pi (Sassert f) sigma pi Sskip) | one_step_while_true : forall (sigma:(map Z value)) (pi:(map Z value)) (e:term) (inv:fmla) (i:stmt), (eval_fmla sigma pi inv) -> (((eval_term sigma pi e) = (Vbool true)) -> (one_step sigma pi (Swhile e inv i) sigma pi (Sseq i (Swhile e inv i)))) | one_step_while_false : forall (sigma:(map Z value)) (pi:(map Z value)) (e:term) (inv:fmla) (i:stmt), (eval_fmla sigma pi inv) -> (((eval_term sigma pi e) = (Vbool false)) -> (one_step sigma pi (Swhile e inv i) sigma pi Sskip)). (* Why3 assumption *) Inductive many_steps : (map Z value) -> (map Z value) -> stmt -> (map Z value) -> (map Z value) -> stmt -> Z -> Prop := | many_steps_refl : forall (sigma:(map Z value)) (pi:(map Z value)) (i:stmt), (many_steps sigma pi i sigma pi i 0%Z) | many_steps_trans : forall (sigma1:(map Z value)) (pi1:(map Z value)) (sigma2:(map Z value)) (pi2:(map Z value)) (sigma3:(map Z value)) (pi3:(map Z value)) (i1:stmt) (i2:stmt) (i3:stmt) (n:Z), (one_step sigma1 pi1 i1 sigma2 pi2 i2) -> ((many_steps sigma2 pi2 i2 sigma3 pi3 i3 n) -> (many_steps sigma1 pi1 i1 sigma3 pi3 i3 (n + 1%Z)%Z)). Axiom steps_non_neg : forall (sigma1:(map Z value)) (pi1:(map Z value)) (sigma2:(map Z value)) (pi2:(map Z value)) (i1:stmt) (i2:stmt) (n:Z), (many_steps sigma1 pi1 i1 sigma2 pi2 i2 n) -> (0%Z <= n)%Z. Axiom many_steps_seq : forall (sigma1:(map Z value)) (pi1:(map Z value)) (sigma3:(map Z value)) (pi3:(map Z value)) (i1:stmt) (i2:stmt) (n:Z), (many_steps sigma1 pi1 (Sseq i1 i2) sigma3 pi3 Sskip n) -> exists sigma2:(map Z value), exists pi2:(map Z value), exists n1:Z, exists n2:Z, (many_steps sigma1 pi1 i1 sigma2 pi2 Sskip n1) /\ ((many_steps sigma2 pi2 i2 sigma3 pi3 Sskip n2) /\ (n = ((1%Z + n1)%Z + n2)%Z)). (* Why3 assumption *) Definition valid_fmla(p:fmla): Prop := forall (sigma:(map Z value)) (pi:(map Z value)), (eval_fmla sigma pi p). (* Why3 assumption *) Definition valid_triple(p:fmla) (i:stmt) (q:fmla): Prop := forall (sigma:(map Z value)) (pi:(map Z value)), (eval_fmla sigma pi p) -> forall (sigmaqt:(map Z value)) (piqt:(map Z value)) (n:Z), (many_steps sigma pi i sigmaqt piqt Sskip n) -> (eval_fmla sigmaqt piqt q). Axiom consequence_rule : forall (p:fmla) (pqt:fmla) (q:fmla) (qqt:fmla) (i:stmt), (valid_fmla (Fimplies pqt p)) -> ((valid_triple p i q) -> ((valid_fmla (Fimplies q qqt)) -> (valid_triple pqt i qqt))). Axiom skip_rule : forall (q:fmla), (valid_triple q Sskip q). Axiom assign_rule : forall (q:fmla) (x:Z) (id:Z) (e:term), (fresh_in_fmla id q) -> (valid_triple (Flet id e (subst q x id)) (Sassign x e) q). Axiom seq_rule : forall (p:fmla) (q:fmla) (r:fmla) (i1:stmt) (i2:stmt), ((valid_triple p i1 r) /\ (valid_triple r i2 q)) -> (valid_triple p (Sseq i1 i2) q). Axiom if_rule : forall (e:term) (p:fmla) (q:fmla) (i1:stmt) (i2:stmt), ((valid_triple (Fand p (Fterm e)) i1 q) /\ (valid_triple (Fand p (Fnot (Fterm e))) i2 q)) -> (valid_triple p (Sif e i1 i2) q). Axiom assert_rule : forall (f:fmla) (p:fmla), (valid_fmla (Fimplies p f)) -> (valid_triple p (Sassert f) p). Axiom assert_rule_ext : forall (f:fmla) (p:fmla), (valid_triple (Fimplies f p) (Sassert f) p). Axiom while_rule : forall (e:term) (inv:fmla) (i:stmt), (valid_triple (Fand (Fterm e) inv) i inv) -> (valid_triple inv (Swhile e inv i) (Fand (Fnot (Fterm e)) inv)). (* Why3 goal *) Theorem while_rule_ext : forall (e:term) (inv:fmla) (invqt:fmla) (i:stmt), (valid_fmla (Fimplies invqt inv)) -> ((valid_triple (Fand (Fterm e) invqt) i invqt) -> (valid_triple invqt (Swhile e inv i) (Fand (Fnot (Fterm e)) invqt))). unfold valid_triple. intros e inv inv' i Himpl Hinv'_preserved. intros s p Hinv'_init s' p' n Hred. generalize (steps_non_neg _ _ _ _ _ _ _ Hred); intro Hn_pos. generalize Hred; clear Hred. generalize s p Hinv'_init; clear s p Hinv'_init. apply Z_lt_induction with (P := fun n => forall s p, eval_fmla s p inv' -> many_steps s p (Swhile e inv i) s' p' Sskip n -> eval_fmla s' p' (Fand (Fnot (Fterm e)) inv') ); auto. intros. inversion H1; subst; clear H1. inversion H2; subst; clear H2. (* case cond true *) generalize (many_steps_seq _ _ _ _ _ _ _ H3). intros (s3 & p3 & n1 & n2 & h1 & h2 & h3). apply H with (3:=h2); auto. generalize (steps_non_neg _ _ _ _ _ _ _ h1). generalize (steps_non_neg _ _ _ _ _ _ _ h2). now (auto with zarith). apply Hinv'_preserved with (sigma:=sigma2) (pi:=pi2) (n:=n1); simpl; auto. (* case cond false *) inversion H3; subst. simpl; rewrite H12; intuition. discriminate. now inversion H1. Qed. ��������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������why3-1.6.0/examples/WP_revisited/wp2/wp2_Imp_eval_change_free_1.v�����������������������������������0000664�0000000�0000000�00000015455�14401600263�0024611�0����������������������������������������������������������������������������������������������������ustar�00root����������������������������root����������������������������0000000�0000000������������������������������������������������������������������������������������������������������������������������������������������������������������������������(* This file is generated by Why3's Coq driver *) (* Beware! Only edit allowed sections below *) Require Import ZArith. Require Import Rbase. Require int.Int. (* Why3 assumption *) Inductive datatype := | Tint : datatype | Tbool : datatype . (* Why3 assumption *) Inductive operator := | Oplus : operator | Ominus : operator | Omult : operator | Ole : operator . (* Why3 assumption *) Definition ident := Z. (* Why3 assumption *) Inductive term := | Tconst : Z -> term | Tvar : Z -> term | Tderef : Z -> term | Tbin : term -> operator -> term -> term . (* Why3 assumption *) Inductive fmla := | Fterm : term -> fmla | Fand : fmla -> fmla -> fmla | Fnot : fmla -> fmla | Fimplies : fmla -> fmla -> fmla | Flet : Z -> term -> fmla -> fmla | Fforall : Z -> datatype -> fmla -> fmla . (* Why3 assumption *) Definition implb(x:bool) (y:bool): bool := match (x, y) with | (true, false) => false | (_, _) => true end. (* Why3 assumption *) Inductive value := | Vint : Z -> value | Vbool : bool -> value . Parameter map : forall (a:Type) (b:Type), Type. Parameter get: forall (a:Type) (b:Type), (map a b) -> a -> b. Implicit Arguments get. Parameter set: forall (a:Type) (b:Type), (map a b) -> a -> b -> (map a b). Implicit Arguments set. Axiom Select_eq : forall (a:Type) (b:Type), forall (m:(map a b)), forall (a1:a) (a2:a), forall (b1:b), (a1 = a2) -> ((get (set m a1 b1) a2) = b1). Axiom Select_neq : forall (a:Type) (b:Type), forall (m:(map a b)), forall (a1:a) (a2:a), forall (b1:b), (~ (a1 = a2)) -> ((get (set m a1 b1) a2) = (get m a2)). Parameter const: forall (b:Type) (a:Type), b -> (map a b). Set Contextual Implicit. Implicit Arguments const. Unset Contextual Implicit. Axiom Const : forall (b:Type) (a:Type), forall (b1:b) (a1:a), ((get (const b1:(map a b)) a1) = b1). (* Why3 assumption *) Definition env := (map Z value). Parameter eval_bin: value -> operator -> value -> value. Axiom eval_bin_def : forall (x:value) (op:operator) (y:value), match (x, y) with | ((Vint x1), (Vint y1)) => match op with | Oplus => ((eval_bin x op y) = (Vint (x1 + y1)%Z)) | Ominus => ((eval_bin x op y) = (Vint (x1 - y1)%Z)) | Omult => ((eval_bin x op y) = (Vint (x1 * y1)%Z)) | Ole => ((x1 <= y1)%Z -> ((eval_bin x op y) = (Vbool true))) /\ ((~ (x1 <= y1)%Z) -> ((eval_bin x op y) = (Vbool false))) end | (_, _) => ((eval_bin x op y) = (Vbool false)) end. (* Why3 assumption *) Set Implicit Arguments. Fixpoint eval_term(sigma:(map Z value)) (pi:(map Z value)) (t:term) {struct t}: value := match t with | (Tconst n) => (Vint n) | (Tvar id) => (get pi id) | (Tderef id) => (get sigma id) | (Tbin t1 op t2) => (eval_bin (eval_term sigma pi t1) op (eval_term sigma pi t2)) end. Unset Implicit Arguments. (* Why3 assumption *) Set Implicit Arguments. Fixpoint eval_fmla(sigma:(map Z value)) (pi:(map Z value)) (f:fmla) {struct f}: Prop := match f with | (Fterm t) => ((eval_term sigma pi t) = (Vbool true)) | (Fand f1 f2) => (eval_fmla sigma pi f1) /\ (eval_fmla sigma pi f2) | (Fnot f1) => ~ (eval_fmla sigma pi f1) | (Fimplies f1 f2) => (eval_fmla sigma pi f1) -> (eval_fmla sigma pi f2) | (Flet x t f1) => (eval_fmla sigma (set pi x (eval_term sigma pi t)) f1) | (Fforall x Tint f1) => forall (n:Z), (eval_fmla sigma (set pi x (Vint n)) f1) | (Fforall x Tbool f1) => forall (b:bool), (eval_fmla sigma (set pi x (Vbool b)) f1) end. Unset Implicit Arguments. Parameter subst_term: term -> Z -> Z -> term. Axiom subst_term_def : forall (e:term) (r:Z) (v:Z), match e with | (Tconst _) => ((subst_term e r v) = e) | (Tvar _) => ((subst_term e r v) = e) | (Tderef x) => ((r = x) -> ((subst_term e r v) = (Tvar v))) /\ ((~ (r = x)) -> ((subst_term e r v) = e)) | (Tbin e1 op e2) => ((subst_term e r v) = (Tbin (subst_term e1 r v) op (subst_term e2 r v))) end. (* Why3 assumption *) Set Implicit Arguments. Fixpoint fresh_in_term(id:Z) (t:term) {struct t}: Prop := match t with | (Tconst _) => True | (Tvar v) => ~ (id = v) | (Tderef _) => True | (Tbin t1 _ t2) => (fresh_in_term id t1) /\ (fresh_in_term id t2) end. Unset Implicit Arguments. Axiom eval_subst_term : forall (sigma:(map Z value)) (pi:(map Z value)) (e:term) (x:Z) (v:Z), (fresh_in_term v e) -> ((eval_term sigma pi (subst_term e x v)) = (eval_term (set sigma x (get pi v)) pi e)). Axiom eval_term_change_free : forall (t:term) (sigma:(map Z value)) (pi:(map Z value)) (id:Z) (v:value), (fresh_in_term id t) -> ((eval_term sigma (set pi id v) t) = (eval_term sigma pi t)). (* Why3 assumption *) Set Implicit Arguments. Fixpoint fresh_in_fmla(id:Z) (f:fmla) {struct f}: Prop := match f with | (Fterm e) => (fresh_in_term id e) | ((Fand f1 f2)|(Fimplies f1 f2)) => (fresh_in_fmla id f1) /\ (fresh_in_fmla id f2) | (Fnot f1) => (fresh_in_fmla id f1) | (Flet y t f1) => (~ (id = y)) /\ ((fresh_in_term id t) /\ (fresh_in_fmla id f1)) | (Fforall y ty f1) => (~ (id = y)) /\ (fresh_in_fmla id f1) end. Unset Implicit Arguments. (* Why3 assumption *) Set Implicit Arguments. Fixpoint subst(f:fmla) (x:Z) (v:Z) {struct f}: fmla := match f with | (Fterm e) => (Fterm (subst_term e x v)) | (Fand f1 f2) => (Fand (subst f1 x v) (subst f2 x v)) | (Fnot f1) => (Fnot (subst f1 x v)) | (Fimplies f1 f2) => (Fimplies (subst f1 x v) (subst f2 x v)) | (Flet y t f1) => (Flet y t (subst f1 x v)) | (Fforall y ty f1) => (Fforall y ty (subst f1 x v)) end. Unset Implicit Arguments. Axiom eval_subst : forall (f:fmla) (sigma:(map Z value)) (pi:(map Z value)) (x:Z) (v:Z), (fresh_in_fmla v f) -> ((eval_fmla sigma pi (subst f x v)) <-> (eval_fmla (set sigma x (get pi v)) pi f)). Axiom eval_swap : forall (f:fmla) (sigma:(map Z value)) (pi:(map Z value)) (id1:Z) (id2:Z) (v1:value) (v2:value), (~ (id1 = id2)) -> ((eval_fmla sigma (set (set pi id1 v1) id2 v2) f) <-> (eval_fmla sigma (set (set pi id2 v2) id1 v1) f)). (* Why3 goal *) Theorem eval_change_free : forall (f:fmla) (sigma:(map Z value)) (pi:(map Z value)) (id:Z) (v:value), (fresh_in_fmla id f) -> ((eval_fmla sigma (set pi id v) f) <-> (eval_fmla sigma pi f)). induction f; intros sigma pi id v; simpl; auto. intro h. rewrite eval_term_change_free; tauto. intros (h1,h2). rewrite IHf1; auto. rewrite IHf2; tauto. intros h. rewrite IHf; tauto. intros (h1,h2). rewrite IHf1; auto. rewrite IHf2; tauto. intros (hdiff & h1 & h2). rewrite eval_term_change_free; auto. rewrite eval_swap; auto. intros (hdiff & h). destruct d. split; intros h1 n. generalize (h1 n); intro h2; clear h1. rewrite eval_swap in h2; auto. rewrite IHf in h2; auto. rewrite eval_swap; auto. rewrite IHf; auto. split; intros h1 n. generalize (h1 n); intro h2; clear h1. rewrite eval_swap in h2; auto. rewrite IHf in h2; auto. rewrite eval_swap; auto. rewrite IHf; auto. Qed. �������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������why3-1.6.0/examples/WP_revisited/wp2/wp2_Imp_many_steps_seq_1.v�������������������������������������0000664�0000000�0000000�00000024573�14401600263�0024407�0����������������������������������������������������������������������������������������������������ustar�00root����������������������������root����������������������������0000000�0000000������������������������������������������������������������������������������������������������������������������������������������������������������������������������(* This file is generated by Why3's Coq driver *) (* Beware! Only edit allowed sections below *) Require Import ZArith. Require Import Rbase. Require int.Int. (* Why3 assumption *) Inductive datatype := | Tint : datatype | Tbool : datatype . (* Why3 assumption *) Inductive operator := | Oplus : operator | Ominus : operator | Omult : operator | Ole : operator . (* Why3 assumption *) Definition ident := Z. (* Why3 assumption *) Inductive term := | Tconst : Z -> term | Tvar : Z -> term | Tderef : Z -> term | Tbin : term -> operator -> term -> term . (* Why3 assumption *) Inductive fmla := | Fterm : term -> fmla | Fand : fmla -> fmla -> fmla | Fnot : fmla -> fmla | Fimplies : fmla -> fmla -> fmla | Flet : Z -> term -> fmla -> fmla | Fforall : Z -> datatype -> fmla -> fmla . (* Why3 assumption *) Definition implb(x:bool) (y:bool): bool := match (x, y) with | (true, false) => false | (_, _) => true end. (* Why3 assumption *) Inductive value := | Vint : Z -> value | Vbool : bool -> value . Parameter map : forall (a:Type) (b:Type), Type. Parameter get: forall (a:Type) (b:Type), (map a b) -> a -> b. Implicit Arguments get. Parameter set: forall (a:Type) (b:Type), (map a b) -> a -> b -> (map a b). Implicit Arguments set. Axiom Select_eq : forall (a:Type) (b:Type), forall (m:(map a b)), forall (a1:a) (a2:a), forall (b1:b), (a1 = a2) -> ((get (set m a1 b1) a2) = b1). Axiom Select_neq : forall (a:Type) (b:Type), forall (m:(map a b)), forall (a1:a) (a2:a), forall (b1:b), (~ (a1 = a2)) -> ((get (set m a1 b1) a2) = (get m a2)). Parameter const: forall (b:Type) (a:Type), b -> (map a b). Set Contextual Implicit. Implicit Arguments const. Unset Contextual Implicit. Axiom Const : forall (b:Type) (a:Type), forall (b1:b) (a1:a), ((get (const b1:(map a b)) a1) = b1). (* Why3 assumption *) Definition env := (map Z value). Parameter eval_bin: value -> operator -> value -> value. Axiom eval_bin_def : forall (x:value) (op:operator) (y:value), match (x, y) with | ((Vint x1), (Vint y1)) => match op with | Oplus => ((eval_bin x op y) = (Vint (x1 + y1)%Z)) | Ominus => ((eval_bin x op y) = (Vint (x1 - y1)%Z)) | Omult => ((eval_bin x op y) = (Vint (x1 * y1)%Z)) | Ole => ((x1 <= y1)%Z -> ((eval_bin x op y) = (Vbool true))) /\ ((~ (x1 <= y1)%Z) -> ((eval_bin x op y) = (Vbool false))) end | (_, _) => ((eval_bin x op y) = (Vbool false)) end. (* Why3 assumption *) Set Implicit Arguments. Fixpoint eval_term(sigma:(map Z value)) (pi:(map Z value)) (t:term) {struct t}: value := match t with | (Tconst n) => (Vint n) | (Tvar id) => (get pi id) | (Tderef id) => (get sigma id) | (Tbin t1 op t2) => (eval_bin (eval_term sigma pi t1) op (eval_term sigma pi t2)) end. Unset Implicit Arguments. (* Why3 assumption *) Set Implicit Arguments. Fixpoint eval_fmla(sigma:(map Z value)) (pi:(map Z value)) (f:fmla) {struct f}: Prop := match f with | (Fterm t) => ((eval_term sigma pi t) = (Vbool true)) | (Fand f1 f2) => (eval_fmla sigma pi f1) /\ (eval_fmla sigma pi f2) | (Fnot f1) => ~ (eval_fmla sigma pi f1) | (Fimplies f1 f2) => (eval_fmla sigma pi f1) -> (eval_fmla sigma pi f2) | (Flet x t f1) => (eval_fmla sigma (set pi x (eval_term sigma pi t)) f1) | (Fforall x Tint f1) => forall (n:Z), (eval_fmla sigma (set pi x (Vint n)) f1) | (Fforall x Tbool f1) => forall (b:bool), (eval_fmla sigma (set pi x (Vbool b)) f1) end. Unset Implicit Arguments. Parameter subst_term: term -> Z -> Z -> term. Axiom subst_term_def : forall (e:term) (r:Z) (v:Z), match e with | (Tconst _) => ((subst_term e r v) = e) | (Tvar _) => ((subst_term e r v) = e) | (Tderef x) => ((r = x) -> ((subst_term e r v) = (Tvar v))) /\ ((~ (r = x)) -> ((subst_term e r v) = e)) | (Tbin e1 op e2) => ((subst_term e r v) = (Tbin (subst_term e1 r v) op (subst_term e2 r v))) end. (* Why3 assumption *) Set Implicit Arguments. Fixpoint fresh_in_term(id:Z) (t:term) {struct t}: Prop := match t with | (Tconst _) => True | (Tvar v) => ~ (id = v) | (Tderef _) => True | (Tbin t1 _ t2) => (fresh_in_term id t1) /\ (fresh_in_term id t2) end. Unset Implicit Arguments. Axiom eval_subst_term : forall (sigma:(map Z value)) (pi:(map Z value)) (e:term) (x:Z) (v:Z), (fresh_in_term v e) -> ((eval_term sigma pi (subst_term e x v)) = (eval_term (set sigma x (get pi v)) pi e)). Axiom eval_term_change_free : forall (t:term) (sigma:(map Z value)) (pi:(map Z value)) (id:Z) (v:value), (fresh_in_term id t) -> ((eval_term sigma (set pi id v) t) = (eval_term sigma pi t)). (* Why3 assumption *) Set Implicit Arguments. Fixpoint fresh_in_fmla(id:Z) (f:fmla) {struct f}: Prop := match f with | (Fterm e) => (fresh_in_term id e) | ((Fand f1 f2)|(Fimplies f1 f2)) => (fresh_in_fmla id f1) /\ (fresh_in_fmla id f2) | (Fnot f1) => (fresh_in_fmla id f1) | (Flet y t f1) => (~ (id = y)) /\ ((fresh_in_term id t) /\ (fresh_in_fmla id f1)) | (Fforall y ty f1) => (~ (id = y)) /\ (fresh_in_fmla id f1) end. Unset Implicit Arguments. (* Why3 assumption *) Set Implicit Arguments. Fixpoint subst(f:fmla) (x:Z) (v:Z) {struct f}: fmla := match f with | (Fterm e) => (Fterm (subst_term e x v)) | (Fand f1 f2) => (Fand (subst f1 x v) (subst f2 x v)) | (Fnot f1) => (Fnot (subst f1 x v)) | (Fimplies f1 f2) => (Fimplies (subst f1 x v) (subst f2 x v)) | (Flet y t f1) => (Flet y t (subst f1 x v)) | (Fforall y ty f1) => (Fforall y ty (subst f1 x v)) end. Unset Implicit Arguments. Axiom eval_subst : forall (f:fmla) (sigma:(map Z value)) (pi:(map Z value)) (x:Z) (v:Z), (fresh_in_fmla v f) -> ((eval_fmla sigma pi (subst f x v)) <-> (eval_fmla (set sigma x (get pi v)) pi f)). Axiom eval_swap : forall (f:fmla) (sigma:(map Z value)) (pi:(map Z value)) (id1:Z) (id2:Z) (v1:value) (v2:value), (~ (id1 = id2)) -> ((eval_fmla sigma (set (set pi id1 v1) id2 v2) f) <-> (eval_fmla sigma (set (set pi id2 v2) id1 v1) f)). Axiom eval_change_free : forall (f:fmla) (sigma:(map Z value)) (pi:(map Z value)) (id:Z) (v:value), (fresh_in_fmla id f) -> ((eval_fmla sigma (set pi id v) f) <-> (eval_fmla sigma pi f)). (* Why3 assumption *) Inductive stmt := | Sskip : stmt | Sassign : Z -> term -> stmt | Sseq : stmt -> stmt -> stmt | Sif : term -> stmt -> stmt -> stmt | Sassert : fmla -> stmt | Swhile : term -> fmla -> stmt -> stmt . Axiom check_skip : forall (s:stmt), (s = Sskip) \/ ~ (s = Sskip). (* Why3 assumption *) Inductive one_step : (map Z value) -> (map Z value) -> stmt -> (map Z value) -> (map Z value) -> stmt -> Prop := | one_step_assign : forall (sigma:(map Z value)) (pi:(map Z value)) (x:Z) (e:term), (one_step sigma pi (Sassign x e) (set sigma x (eval_term sigma pi e)) pi Sskip) | one_step_seq : forall (sigma:(map Z value)) (pi:(map Z value)) (sigmaqt:(map Z value)) (piqt:(map Z value)) (i1:stmt) (i1qt:stmt) (i2:stmt), (one_step sigma pi i1 sigmaqt piqt i1qt) -> (one_step sigma pi (Sseq i1 i2) sigmaqt piqt (Sseq i1qt i2)) | one_step_seq_skip : forall (sigma:(map Z value)) (pi:(map Z value)) (i:stmt), (one_step sigma pi (Sseq Sskip i) sigma pi i) | one_step_if_true : forall (sigma:(map Z value)) (pi:(map Z value)) (e:term) (i1:stmt) (i2:stmt), ((eval_term sigma pi e) = (Vbool true)) -> (one_step sigma pi (Sif e i1 i2) sigma pi i1) | one_step_if_false : forall (sigma:(map Z value)) (pi:(map Z value)) (e:term) (i1:stmt) (i2:stmt), ((eval_term sigma pi e) = (Vbool false)) -> (one_step sigma pi (Sif e i1 i2) sigma pi i2) | one_step_assert : forall (sigma:(map Z value)) (pi:(map Z value)) (f:fmla), (eval_fmla sigma pi f) -> (one_step sigma pi (Sassert f) sigma pi Sskip) | one_step_while_true : forall (sigma:(map Z value)) (pi:(map Z value)) (e:term) (inv:fmla) (i:stmt), (eval_fmla sigma pi inv) -> (((eval_term sigma pi e) = (Vbool true)) -> (one_step sigma pi (Swhile e inv i) sigma pi (Sseq i (Swhile e inv i)))) | one_step_while_false : forall (sigma:(map Z value)) (pi:(map Z value)) (e:term) (inv:fmla) (i:stmt), (eval_fmla sigma pi inv) -> (((eval_term sigma pi e) = (Vbool false)) -> (one_step sigma pi (Swhile e inv i) sigma pi Sskip)). (* Why3 assumption *) Inductive many_steps : (map Z value) -> (map Z value) -> stmt -> (map Z value) -> (map Z value) -> stmt -> Z -> Prop := | many_steps_refl : forall (sigma:(map Z value)) (pi:(map Z value)) (i:stmt), (many_steps sigma pi i sigma pi i 0%Z) | many_steps_trans : forall (sigma1:(map Z value)) (pi1:(map Z value)) (sigma2:(map Z value)) (pi2:(map Z value)) (sigma3:(map Z value)) (pi3:(map Z value)) (i1:stmt) (i2:stmt) (i3:stmt) (n:Z), (one_step sigma1 pi1 i1 sigma2 pi2 i2) -> ((many_steps sigma2 pi2 i2 sigma3 pi3 i3 n) -> (many_steps sigma1 pi1 i1 sigma3 pi3 i3 (n + 1%Z)%Z)). Axiom steps_non_neg : forall (sigma1:(map Z value)) (pi1:(map Z value)) (sigma2:(map Z value)) (pi2:(map Z value)) (i1:stmt) (i2:stmt) (n:Z), (many_steps sigma1 pi1 i1 sigma2 pi2 i2 n) -> (0%Z <= n)%Z. (* Why3 goal *) Theorem many_steps_seq : forall (sigma1:(map Z value)) (pi1:(map Z value)) (sigma3:(map Z value)) (pi3:(map Z value)) (i1:stmt) (i2:stmt) (n:Z), (many_steps sigma1 pi1 (Sseq i1 i2) sigma3 pi3 Sskip n) -> exists sigma2:(map Z value), exists pi2:(map Z value), exists n1:Z, exists n2:Z, (many_steps sigma1 pi1 i1 sigma2 pi2 Sskip n1) /\ ((many_steps sigma2 pi2 i2 sigma3 pi3 Sskip n2) /\ (n = ((1%Z + n1)%Z + n2)%Z)). intros s1 p1 s3 p3 i1 i2 n Hred. generalize Hred. generalize (steps_non_neg _ _ _ _ _ _ _ Hred). clear Hred. intros H. generalize s1 p1 i1; clear s1 p1 i1. apply Z_lt_induction with (P := fun n => forall (s1 p1: env) (i1 : stmt), many_steps s1 p1 (Sseq i1 i2) s3 p3 Sskip n -> exists s2 : env, exists p2 : env, exists n1 : Z, exists n2 : Z, many_steps s1 p1 i1 s2 p2 Sskip n1 /\ many_steps s2 p2 i2 s3 p3 Sskip n2 /\ n = (1 + n1 + n2)%Z ); auto. intros. inversion H1; subst; clear H1. inversion H2; subst; clear H2. (* case i1 <> Sskip *) assert (h:(0 <= n0 < n0+1)%Z). generalize (steps_non_neg _ _ _ _ _ _ _ H3); omega. generalize (H0 n0 h _ _ _ H3). intros (s4 & p4 & n4 & n5 & h1 & h2 & h3). exists s4. exists p4. exists (n4+1)%Z. exists n5. split. apply many_steps_trans with (1:=H10); auto. split; auto with zarith. (* case i1 = Sskip *) exists sigma2. exists pi2. exists 0%Z. exists n0. split. constructor. split; auto with zarith. Qed. �������������������������������������������������������������������������������������������������������������������������������������why3-1.6.0/examples/WP_revisited/wp2/wp2_WP_VC_compute_writes_2.v�����������������������������������0000664�0000000�0000000�00000034152�14401600263�0024612�0����������������������������������������������������������������������������������������������������ustar�00root����������������������������root����������������������������0000000�0000000������������������������������������������������������������������������������������������������������������������������������������������������������������������������(* This file is generated by Why3's Coq driver *) (* Beware! Only edit allowed sections below *) Require Import BuiltIn. Require BuiltIn. Require HighOrd. Require int.Int. Require map.Map. Require bool.Bool. Require set.Fset. Require set.SetApp. (* Why3 assumption *) Inductive datatype := | Tint : datatype | Tbool : datatype. Axiom datatype_WhyType : WhyType datatype. Existing Instance datatype_WhyType. (* Why3 assumption *) Inductive operator := | Oplus : operator | Ominus : operator | Omult : operator | Ole : operator. Axiom operator_WhyType : WhyType operator. Existing Instance operator_WhyType. (* Why3 assumption *) Definition ident := Numbers.BinNums.Z. (* Why3 assumption *) Inductive term := | Tconst : Numbers.BinNums.Z -> term | Tvar : Numbers.BinNums.Z -> term | Tderef : Numbers.BinNums.Z -> term | Tbin : term -> operator -> term -> term. Axiom term_WhyType : WhyType term. Existing Instance term_WhyType. (* Why3 assumption *) Inductive fmla := | Fterm : term -> fmla | Fand : fmla -> fmla -> fmla | Fnot : fmla -> fmla | Fimplies : fmla -> fmla -> fmla | Flet : Numbers.BinNums.Z -> term -> fmla -> fmla | Fforall : Numbers.BinNums.Z -> datatype -> fmla -> fmla. Axiom fmla_WhyType : WhyType fmla. Existing Instance fmla_WhyType. (* Why3 assumption *) Inductive value := | Vint : Numbers.BinNums.Z -> value | Vbool : Init.Datatypes.bool -> value. Axiom value_WhyType : WhyType value. Existing Instance value_WhyType. (* Why3 assumption *) Definition env := Numbers.BinNums.Z -> value. Parameter eval_bin: value -> operator -> value -> value. Axiom eval_bin'def : forall (x:value) (op:operator) (y:value), match (x, y) with | (Vint x1, Vint y1) => match op with | Oplus => ((eval_bin x op y) = (Vint (x1 + y1)%Z)) | Ominus => ((eval_bin x op y) = (Vint (x1 - y1)%Z)) | Omult => ((eval_bin x op y) = (Vint (x1 * y1)%Z)) | Ole => ((x1 <= y1)%Z -> ((eval_bin x op y) = (Vbool Init.Datatypes.true))) /\ (~ (x1 <= y1)%Z -> ((eval_bin x op y) = (Vbool Init.Datatypes.false))) end | (_, _) => ((eval_bin x op y) = (Vbool Init.Datatypes.false)) end. (* Why3 assumption *) Fixpoint eval_term (sigma:Numbers.BinNums.Z -> value) (pi:Numbers.BinNums.Z -> value) (t:term) {struct t}: value := match t with | Tconst n => Vint n | Tvar id => pi id | Tderef id => sigma id | Tbin t1 op t2 => eval_bin (eval_term sigma pi t1) op (eval_term sigma pi t2) end. (* Why3 assumption *) Fixpoint eval_fmla (sigma:Numbers.BinNums.Z -> value) (pi:Numbers.BinNums.Z -> value) (f:fmla) {struct f}: Prop := match f with | Fterm t => ((eval_term sigma pi t) = (Vbool Init.Datatypes.true)) | Fand f1 f2 => eval_fmla sigma pi f1 /\ eval_fmla sigma pi f2 | Fnot f1 => ~ eval_fmla sigma pi f1 | Fimplies f1 f2 => eval_fmla sigma pi f1 -> eval_fmla sigma pi f2 | Flet x t f1 => eval_fmla sigma (map.Map.set pi x (eval_term sigma pi t)) f1 | Fforall x Tint f1 => forall (n:Numbers.BinNums.Z), eval_fmla sigma (map.Map.set pi x (Vint n)) f1 | Fforall x Tbool f1 => forall (b:Init.Datatypes.bool), eval_fmla sigma (map.Map.set pi x (Vbool b)) f1 end. Parameter subst_term: term -> Numbers.BinNums.Z -> Numbers.BinNums.Z -> term. Axiom subst_term'def : forall (e:term) (r:Numbers.BinNums.Z) (v:Numbers.BinNums.Z), match e with | Tconst _ => ((subst_term e r v) = e) | Tvar _ => ((subst_term e r v) = e) | Tderef x => ((r = x) -> ((subst_term e r v) = (Tvar v))) /\ (~ (r = x) -> ((subst_term e r v) = e)) | Tbin e1 op e2 => ((subst_term e r v) = (Tbin (subst_term e1 r v) op (subst_term e2 r v))) end. (* Why3 assumption *) Fixpoint fresh_in_term (id:Numbers.BinNums.Z) (t:term) {struct t}: Prop := match t with | Tconst _ => True | Tvar v => ~ (id = v) | Tderef _ => True | Tbin t1 _ t2 => fresh_in_term id t1 /\ fresh_in_term id t2 end. Axiom eval_subst_term : forall (sigma:Numbers.BinNums.Z -> value) (pi:Numbers.BinNums.Z -> value) (e:term) (x:Numbers.BinNums.Z) (v:Numbers.BinNums.Z), fresh_in_term v e -> ((eval_term sigma pi (subst_term e x v)) = (eval_term (map.Map.set sigma x (pi v)) pi e)). Axiom eval_term_change_free : forall (t:term) (sigma:Numbers.BinNums.Z -> value) (pi:Numbers.BinNums.Z -> value) (id:Numbers.BinNums.Z) (v:value), fresh_in_term id t -> ((eval_term sigma (map.Map.set pi id v) t) = (eval_term sigma pi t)). (* Why3 assumption *) Fixpoint fresh_in_fmla (id:Numbers.BinNums.Z) (f:fmla) {struct f}: Prop := match f with | Fterm e => fresh_in_term id e | (Fand f1 f2)|(Fimplies f1 f2) => fresh_in_fmla id f1 /\ fresh_in_fmla id f2 | Fnot f1 => fresh_in_fmla id f1 | Flet y t f1 => ~ (id = y) /\ fresh_in_term id t /\ fresh_in_fmla id f1 | Fforall y _ f1 => ~ (id = y) /\ fresh_in_fmla id f1 end. (* Why3 assumption *) Fixpoint subst (f:fmla) (x:Numbers.BinNums.Z) (v:Numbers.BinNums.Z) {struct f}: fmla := match f with | Fterm e => Fterm (subst_term e x v) | Fand f1 f2 => Fand (subst f1 x v) (subst f2 x v) | Fnot f1 => Fnot (subst f1 x v) | Fimplies f1 f2 => Fimplies (subst f1 x v) (subst f2 x v) | Flet y t f1 => Flet y (subst_term t x v) (subst f1 x v) | Fforall y ty f1 => Fforall y ty (subst f1 x v) end. Axiom eval_subst : forall (f:fmla) (sigma:Numbers.BinNums.Z -> value) (pi:Numbers.BinNums.Z -> value) (x:Numbers.BinNums.Z) (v:Numbers.BinNums.Z), fresh_in_fmla v f -> eval_fmla sigma pi (subst f x v) <-> eval_fmla (map.Map.set sigma x (pi v)) pi f. Axiom eval_swap : forall (f:fmla) (sigma:Numbers.BinNums.Z -> value) (pi:Numbers.BinNums.Z -> value) (id1:Numbers.BinNums.Z) (id2:Numbers.BinNums.Z) (v1:value) (v2:value), ~ (id1 = id2) -> eval_fmla sigma (map.Map.set (map.Map.set pi id1 v1) id2 v2) f <-> eval_fmla sigma (map.Map.set (map.Map.set pi id2 v2) id1 v1) f. Axiom eval_change_free : forall (f:fmla) (sigma:Numbers.BinNums.Z -> value) (pi:Numbers.BinNums.Z -> value) (id:Numbers.BinNums.Z) (v:value), fresh_in_fmla id f -> eval_fmla sigma (map.Map.set pi id v) f <-> eval_fmla sigma pi f. (* Why3 assumption *) Inductive stmt := | Sskip : stmt | Sassign : Numbers.BinNums.Z -> term -> stmt | Sseq : stmt -> stmt -> stmt | Sif : term -> stmt -> stmt -> stmt | Sassert : fmla -> stmt | Swhile : term -> fmla -> stmt -> stmt. Axiom stmt_WhyType : WhyType stmt. Existing Instance stmt_WhyType. Axiom check_skip : forall (s:stmt), (s = Sskip) \/ ~ (s = Sskip). (* Why3 assumption *) Inductive one_step: (Numbers.BinNums.Z -> value) -> (Numbers.BinNums.Z -> value) -> stmt -> (Numbers.BinNums.Z -> value) -> (Numbers.BinNums.Z -> value) -> stmt -> Prop := | one_step_assign : forall (sigma:Numbers.BinNums.Z -> value) (pi:Numbers.BinNums.Z -> value) (x:Numbers.BinNums.Z) (e:term), one_step sigma pi (Sassign x e) (map.Map.set sigma x (eval_term sigma pi e)) pi Sskip | one_step_seq : forall (sigma:Numbers.BinNums.Z -> value) (pi:Numbers.BinNums.Z -> value) (sigma':Numbers.BinNums.Z -> value) (pi':Numbers.BinNums.Z -> value) (i1:stmt) (i1':stmt) (i2:stmt), one_step sigma pi i1 sigma' pi' i1' -> one_step sigma pi (Sseq i1 i2) sigma' pi' (Sseq i1' i2) | one_step_seq_skip : forall (sigma:Numbers.BinNums.Z -> value) (pi:Numbers.BinNums.Z -> value) (i:stmt), one_step sigma pi (Sseq Sskip i) sigma pi i | one_step_if_true : forall (sigma:Numbers.BinNums.Z -> value) (pi:Numbers.BinNums.Z -> value) (e:term) (i1:stmt) (i2:stmt), ((eval_term sigma pi e) = (Vbool Init.Datatypes.true)) -> one_step sigma pi (Sif e i1 i2) sigma pi i1 | one_step_if_false : forall (sigma:Numbers.BinNums.Z -> value) (pi:Numbers.BinNums.Z -> value) (e:term) (i1:stmt) (i2:stmt), ((eval_term sigma pi e) = (Vbool Init.Datatypes.false)) -> one_step sigma pi (Sif e i1 i2) sigma pi i2 | one_step_assert : forall (sigma:Numbers.BinNums.Z -> value) (pi:Numbers.BinNums.Z -> value) (f:fmla), eval_fmla sigma pi f -> one_step sigma pi (Sassert f) sigma pi Sskip | one_step_while_true : forall (sigma:Numbers.BinNums.Z -> value) (pi:Numbers.BinNums.Z -> value) (e:term) (inv:fmla) (i:stmt), eval_fmla sigma pi inv -> ((eval_term sigma pi e) = (Vbool Init.Datatypes.true)) -> one_step sigma pi (Swhile e inv i) sigma pi (Sseq i (Swhile e inv i)) | one_step_while_false : forall (sigma:Numbers.BinNums.Z -> value) (pi:Numbers.BinNums.Z -> value) (e:term) (inv:fmla) (i:stmt), eval_fmla sigma pi inv -> ((eval_term sigma pi e) = (Vbool Init.Datatypes.false)) -> one_step sigma pi (Swhile e inv i) sigma pi Sskip. (* Why3 assumption *) Inductive many_steps: (Numbers.BinNums.Z -> value) -> (Numbers.BinNums.Z -> value) -> stmt -> (Numbers.BinNums.Z -> value) -> (Numbers.BinNums.Z -> value) -> stmt -> Numbers.BinNums.Z -> Prop := | many_steps_refl : forall (sigma:Numbers.BinNums.Z -> value) (pi:Numbers.BinNums.Z -> value) (i:stmt), many_steps sigma pi i sigma pi i 0%Z | many_steps_trans : forall (sigma1:Numbers.BinNums.Z -> value) (pi1:Numbers.BinNums.Z -> value) (sigma2:Numbers.BinNums.Z -> value) (pi2:Numbers.BinNums.Z -> value) (sigma3:Numbers.BinNums.Z -> value) (pi3:Numbers.BinNums.Z -> value) (i1:stmt) (i2:stmt) (i3:stmt) (n:Numbers.BinNums.Z), one_step sigma1 pi1 i1 sigma2 pi2 i2 -> many_steps sigma2 pi2 i2 sigma3 pi3 i3 n -> many_steps sigma1 pi1 i1 sigma3 pi3 i3 (n + 1%Z)%Z. Axiom steps_non_neg : forall (sigma1:Numbers.BinNums.Z -> value) (pi1:Numbers.BinNums.Z -> value) (sigma2:Numbers.BinNums.Z -> value) (pi2:Numbers.BinNums.Z -> value) (i1:stmt) (i2:stmt) (n:Numbers.BinNums.Z), many_steps sigma1 pi1 i1 sigma2 pi2 i2 n -> (0%Z <= n)%Z. Axiom many_steps_seq : forall (sigma1:Numbers.BinNums.Z -> value) (pi1:Numbers.BinNums.Z -> value) (sigma3:Numbers.BinNums.Z -> value) (pi3:Numbers.BinNums.Z -> value) (i1:stmt) (i2:stmt) (n:Numbers.BinNums.Z), many_steps sigma1 pi1 (Sseq i1 i2) sigma3 pi3 Sskip n -> exists sigma2:Numbers.BinNums.Z -> value, exists pi2: Numbers.BinNums.Z -> value, exists n1:Numbers.BinNums.Z, exists n2: Numbers.BinNums.Z, many_steps sigma1 pi1 i1 sigma2 pi2 Sskip n1 /\ many_steps sigma2 pi2 i2 sigma3 pi3 Sskip n2 /\ (n = ((1%Z + n1)%Z + n2)%Z). (* Why3 assumption *) Definition valid_fmla (p:fmla) : Prop := forall (sigma:Numbers.BinNums.Z -> value) (pi:Numbers.BinNums.Z -> value), eval_fmla sigma pi p. (* Why3 assumption *) Definition valid_triple (p:fmla) (i:stmt) (q:fmla) : Prop := forall (sigma:Numbers.BinNums.Z -> value) (pi:Numbers.BinNums.Z -> value), eval_fmla sigma pi p -> forall (sigma':Numbers.BinNums.Z -> value) (pi':Numbers.BinNums.Z -> value) (n:Numbers.BinNums.Z), many_steps sigma pi i sigma' pi' Sskip n -> eval_fmla sigma' pi' q. Axiom set : Type. Parameter set_WhyType : WhyType set. Existing Instance set_WhyType. Parameter to_fset: set -> set.Fset.fset Numbers.BinNums.Z. Parameter mk: set.Fset.fset Numbers.BinNums.Z -> set. Axiom mk'spec : forall (s:set.Fset.fset Numbers.BinNums.Z), ((to_fset (mk s)) = s). Parameter choose: set -> Numbers.BinNums.Z. Axiom choose'spec : forall (s:set), ~ set.Fset.is_empty (to_fset s) -> set.Fset.mem (choose s) (to_fset s). (* Why3 assumption *) Definition assigns (sigma:Numbers.BinNums.Z -> value) (a:set.Fset.fset Numbers.BinNums.Z) (sigma':Numbers.BinNums.Z -> value) : Prop := forall (i:Numbers.BinNums.Z), ~ set.Fset.mem i a -> ((sigma i) = (sigma' i)). Axiom assigns_refl : forall (sigma:Numbers.BinNums.Z -> value) (a:set.Fset.fset Numbers.BinNums.Z), assigns sigma a sigma. Axiom assigns_trans : forall (sigma1:Numbers.BinNums.Z -> value) (sigma2:Numbers.BinNums.Z -> value) (sigma3:Numbers.BinNums.Z -> value) (a:set.Fset.fset Numbers.BinNums.Z), assigns sigma1 a sigma2 /\ assigns sigma2 a sigma3 -> assigns sigma1 a sigma3. Axiom assigns_union_left : forall (sigma:Numbers.BinNums.Z -> value) (sigma':Numbers.BinNums.Z -> value) (s1:set.Fset.fset Numbers.BinNums.Z) (s2:set.Fset.fset Numbers.BinNums.Z), assigns sigma s1 sigma' -> assigns sigma (set.Fset.union s1 s2) sigma'. Axiom assigns_union_right : forall (sigma:Numbers.BinNums.Z -> value) (sigma':Numbers.BinNums.Z -> value) (s1:set.Fset.fset Numbers.BinNums.Z) (s2:set.Fset.fset Numbers.BinNums.Z), assigns sigma s2 sigma' -> assigns sigma (set.Fset.union s1 s2) sigma'. (* Why3 assumption *) Fixpoint stmt_writes (i:stmt) (w:set.Fset.fset Numbers.BinNums.Z) {struct i}: Prop := match i with | Sskip|(Sassert _) => True | Sassign id _ => set.Fset.mem id w | (Sseq s1 s2)|(Sif _ s1 s2) => stmt_writes s1 w /\ stmt_writes s2 w | Swhile _ _ s => stmt_writes s w end. (* Why3 goal *) Theorem compute_writes'vc : forall (s:stmt), forall (result:set), (exists x:term, exists x1:fmla, exists x2:stmt, (s = (Swhile x x1 x2)) /\ (forall (sigma:Numbers.BinNums.Z -> value) (pi:Numbers.BinNums.Z -> value) (sigma':Numbers.BinNums.Z -> value) (pi':Numbers.BinNums.Z -> value) (n:Numbers.BinNums.Z), many_steps sigma pi x2 sigma' pi' Sskip n -> assigns sigma (to_fset result) sigma')) -> forall (sigma:Numbers.BinNums.Z -> value) (pi:Numbers.BinNums.Z -> value) (sigma':Numbers.BinNums.Z -> value) (pi':Numbers.BinNums.Z -> value) (n:Numbers.BinNums.Z), many_steps sigma pi s sigma' pi' Sskip n -> assigns sigma (to_fset result) sigma'. (* Why3 intros s result (x,(x1,(x2,(h1,h2)))) sigma pi sigma' pi' n h3. *) Proof. intros s result (x,(x1,(x2,(h1,h2)))); rewrite h1 in *. intros. generalize sigma pi sigma' pi' H. generalize (steps_non_neg _ _ _ _ _ _ _ H). clear sigma pi sigma' pi' H. intro H_n_pos. pattern n. apply Z_lt_induction; auto. intros x3 Hind sigma pi sigma' qt' Hsteps. inversion Hsteps; subst; clear Hsteps. inversion H; subst; clear H. generalize (many_steps_seq _ _ _ _ _ _ _ H0). intros (sigma3&pi3&n1&n2&h3&h4&h5). apply assigns_trans with sigma3; split. eapply h2; eauto. eapply Hind; eauto. generalize (steps_non_neg _ _ _ _ _ _ _ h3). generalize (steps_non_neg _ _ _ _ _ _ _ h4). omega. inversion H0; subst; clear H0. apply assigns_refl. inversion H. Qed. ����������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������why3-1.6.0/examples/WP_revisited/wp2/wp2_WP_VC_wp_1.v�����������������������������������������������0000664�0000000�0000000�00000040435�14401600263�0022167�0����������������������������������������������������������������������������������������������������ustar�00root����������������������������root����������������������������0000000�0000000������������������������������������������������������������������������������������������������������������������������������������������������������������������������(* This file is generated by Why3's Coq driver *) (* Beware! Only edit allowed sections below *) Require Import BuiltIn. Require BuiltIn. Require HighOrd. Require int.Int. Require map.Map. Require bool.Bool. Require set.Fset. Require set.SetApp. (* Why3 assumption *) Inductive datatype := | Tint : datatype | Tbool : datatype. Axiom datatype_WhyType : WhyType datatype. Existing Instance datatype_WhyType. (* Why3 assumption *) Inductive operator := | Oplus : operator | Ominus : operator | Omult : operator | Ole : operator. Axiom operator_WhyType : WhyType operator. Existing Instance operator_WhyType. (* Why3 assumption *) Definition ident := Numbers.BinNums.Z. (* Why3 assumption *) Inductive term := | Tconst : Numbers.BinNums.Z -> term | Tvar : Numbers.BinNums.Z -> term | Tderef : Numbers.BinNums.Z -> term | Tbin : term -> operator -> term -> term. Axiom term_WhyType : WhyType term. Existing Instance term_WhyType. (* Why3 assumption *) Inductive fmla := | Fterm : term -> fmla | Fand : fmla -> fmla -> fmla | Fnot : fmla -> fmla | Fimplies : fmla -> fmla -> fmla | Flet : Numbers.BinNums.Z -> term -> fmla -> fmla | Fforall : Numbers.BinNums.Z -> datatype -> fmla -> fmla. Axiom fmla_WhyType : WhyType fmla. Existing Instance fmla_WhyType. (* Why3 assumption *) Inductive value := | Vint : Numbers.BinNums.Z -> value | Vbool : Init.Datatypes.bool -> value. Axiom value_WhyType : WhyType value. Existing Instance value_WhyType. (* Why3 assumption *) Definition env := Numbers.BinNums.Z -> value. Parameter eval_bin: value -> operator -> value -> value. Axiom eval_bin'def : forall (x:value) (op:operator) (y:value), match (x, y) with | (Vint x1, Vint y1) => match op with | Oplus => ((eval_bin x op y) = (Vint (x1 + y1)%Z)) | Ominus => ((eval_bin x op y) = (Vint (x1 - y1)%Z)) | Omult => ((eval_bin x op y) = (Vint (x1 * y1)%Z)) | Ole => ((x1 <= y1)%Z -> ((eval_bin x op y) = (Vbool Init.Datatypes.true))) /\ (~ (x1 <= y1)%Z -> ((eval_bin x op y) = (Vbool Init.Datatypes.false))) end | (_, _) => ((eval_bin x op y) = (Vbool Init.Datatypes.false)) end. (* Why3 assumption *) Fixpoint eval_term (sigma:Numbers.BinNums.Z -> value) (pi:Numbers.BinNums.Z -> value) (t:term) {struct t}: value := match t with | Tconst n => Vint n | Tvar id => pi id | Tderef id => sigma id | Tbin t1 op t2 => eval_bin (eval_term sigma pi t1) op (eval_term sigma pi t2) end. (* Why3 assumption *) Fixpoint eval_fmla (sigma:Numbers.BinNums.Z -> value) (pi:Numbers.BinNums.Z -> value) (f:fmla) {struct f}: Prop := match f with | Fterm t => ((eval_term sigma pi t) = (Vbool Init.Datatypes.true)) | Fand f1 f2 => eval_fmla sigma pi f1 /\ eval_fmla sigma pi f2 | Fnot f1 => ~ eval_fmla sigma pi f1 | Fimplies f1 f2 => eval_fmla sigma pi f1 -> eval_fmla sigma pi f2 | Flet x t f1 => eval_fmla sigma (map.Map.set pi x (eval_term sigma pi t)) f1 | Fforall x Tint f1 => forall (n:Numbers.BinNums.Z), eval_fmla sigma (map.Map.set pi x (Vint n)) f1 | Fforall x Tbool f1 => forall (b:Init.Datatypes.bool), eval_fmla sigma (map.Map.set pi x (Vbool b)) f1 end. Parameter subst_term: term -> Numbers.BinNums.Z -> Numbers.BinNums.Z -> term. Axiom subst_term'def : forall (e:term) (r:Numbers.BinNums.Z) (v:Numbers.BinNums.Z), match e with | Tconst _ => ((subst_term e r v) = e) | Tvar _ => ((subst_term e r v) = e) | Tderef x => ((r = x) -> ((subst_term e r v) = (Tvar v))) /\ (~ (r = x) -> ((subst_term e r v) = e)) | Tbin e1 op e2 => ((subst_term e r v) = (Tbin (subst_term e1 r v) op (subst_term e2 r v))) end. (* Why3 assumption *) Fixpoint fresh_in_term (id:Numbers.BinNums.Z) (t:term) {struct t}: Prop := match t with | Tconst _ => True | Tvar v => ~ (id = v) | Tderef _ => True | Tbin t1 _ t2 => fresh_in_term id t1 /\ fresh_in_term id t2 end. Axiom eval_subst_term : forall (sigma:Numbers.BinNums.Z -> value) (pi:Numbers.BinNums.Z -> value) (e:term) (x:Numbers.BinNums.Z) (v:Numbers.BinNums.Z), fresh_in_term v e -> ((eval_term sigma pi (subst_term e x v)) = (eval_term (map.Map.set sigma x (pi v)) pi e)). Axiom eval_term_change_free : forall (t:term) (sigma:Numbers.BinNums.Z -> value) (pi:Numbers.BinNums.Z -> value) (id:Numbers.BinNums.Z) (v:value), fresh_in_term id t -> ((eval_term sigma (map.Map.set pi id v) t) = (eval_term sigma pi t)). (* Why3 assumption *) Fixpoint fresh_in_fmla (id:Numbers.BinNums.Z) (f:fmla) {struct f}: Prop := match f with | Fterm e => fresh_in_term id e | (Fand f1 f2)|(Fimplies f1 f2) => fresh_in_fmla id f1 /\ fresh_in_fmla id f2 | Fnot f1 => fresh_in_fmla id f1 | Flet y t f1 => ~ (id = y) /\ fresh_in_term id t /\ fresh_in_fmla id f1 | Fforall y _ f1 => ~ (id = y) /\ fresh_in_fmla id f1 end. (* Why3 assumption *) Fixpoint subst (f:fmla) (x:Numbers.BinNums.Z) (v:Numbers.BinNums.Z) {struct f}: fmla := match f with | Fterm e => Fterm (subst_term e x v) | Fand f1 f2 => Fand (subst f1 x v) (subst f2 x v) | Fnot f1 => Fnot (subst f1 x v) | Fimplies f1 f2 => Fimplies (subst f1 x v) (subst f2 x v) | Flet y t f1 => Flet y (subst_term t x v) (subst f1 x v) | Fforall y ty f1 => Fforall y ty (subst f1 x v) end. Axiom eval_subst : forall (f:fmla) (sigma:Numbers.BinNums.Z -> value) (pi:Numbers.BinNums.Z -> value) (x:Numbers.BinNums.Z) (v:Numbers.BinNums.Z), fresh_in_fmla v f -> eval_fmla sigma pi (subst f x v) <-> eval_fmla (map.Map.set sigma x (pi v)) pi f. Axiom eval_swap : forall (f:fmla) (sigma:Numbers.BinNums.Z -> value) (pi:Numbers.BinNums.Z -> value) (id1:Numbers.BinNums.Z) (id2:Numbers.BinNums.Z) (v1:value) (v2:value), ~ (id1 = id2) -> eval_fmla sigma (map.Map.set (map.Map.set pi id1 v1) id2 v2) f <-> eval_fmla sigma (map.Map.set (map.Map.set pi id2 v2) id1 v1) f. Axiom eval_change_free : forall (f:fmla) (sigma:Numbers.BinNums.Z -> value) (pi:Numbers.BinNums.Z -> value) (id:Numbers.BinNums.Z) (v:value), fresh_in_fmla id f -> eval_fmla sigma (map.Map.set pi id v) f <-> eval_fmla sigma pi f. (* Why3 assumption *) Inductive stmt := | Sskip : stmt | Sassign : Numbers.BinNums.Z -> term -> stmt | Sseq : stmt -> stmt -> stmt | Sif : term -> stmt -> stmt -> stmt | Sassert : fmla -> stmt | Swhile : term -> fmla -> stmt -> stmt. Axiom stmt_WhyType : WhyType stmt. Existing Instance stmt_WhyType. Axiom check_skip : forall (s:stmt), (s = Sskip) \/ ~ (s = Sskip). (* Why3 assumption *) Inductive one_step: (Numbers.BinNums.Z -> value) -> (Numbers.BinNums.Z -> value) -> stmt -> (Numbers.BinNums.Z -> value) -> (Numbers.BinNums.Z -> value) -> stmt -> Prop := | one_step_assign : forall (sigma:Numbers.BinNums.Z -> value) (pi:Numbers.BinNums.Z -> value) (x:Numbers.BinNums.Z) (e:term), one_step sigma pi (Sassign x e) (map.Map.set sigma x (eval_term sigma pi e)) pi Sskip | one_step_seq : forall (sigma:Numbers.BinNums.Z -> value) (pi:Numbers.BinNums.Z -> value) (sigma':Numbers.BinNums.Z -> value) (pi':Numbers.BinNums.Z -> value) (i1:stmt) (i1':stmt) (i2:stmt), one_step sigma pi i1 sigma' pi' i1' -> one_step sigma pi (Sseq i1 i2) sigma' pi' (Sseq i1' i2) | one_step_seq_skip : forall (sigma:Numbers.BinNums.Z -> value) (pi:Numbers.BinNums.Z -> value) (i:stmt), one_step sigma pi (Sseq Sskip i) sigma pi i | one_step_if_true : forall (sigma:Numbers.BinNums.Z -> value) (pi:Numbers.BinNums.Z -> value) (e:term) (i1:stmt) (i2:stmt), ((eval_term sigma pi e) = (Vbool Init.Datatypes.true)) -> one_step sigma pi (Sif e i1 i2) sigma pi i1 | one_step_if_false : forall (sigma:Numbers.BinNums.Z -> value) (pi:Numbers.BinNums.Z -> value) (e:term) (i1:stmt) (i2:stmt), ((eval_term sigma pi e) = (Vbool Init.Datatypes.false)) -> one_step sigma pi (Sif e i1 i2) sigma pi i2 | one_step_assert : forall (sigma:Numbers.BinNums.Z -> value) (pi:Numbers.BinNums.Z -> value) (f:fmla), eval_fmla sigma pi f -> one_step sigma pi (Sassert f) sigma pi Sskip | one_step_while_true : forall (sigma:Numbers.BinNums.Z -> value) (pi:Numbers.BinNums.Z -> value) (e:term) (inv:fmla) (i:stmt), eval_fmla sigma pi inv -> ((eval_term sigma pi e) = (Vbool Init.Datatypes.true)) -> one_step sigma pi (Swhile e inv i) sigma pi (Sseq i (Swhile e inv i)) | one_step_while_false : forall (sigma:Numbers.BinNums.Z -> value) (pi:Numbers.BinNums.Z -> value) (e:term) (inv:fmla) (i:stmt), eval_fmla sigma pi inv -> ((eval_term sigma pi e) = (Vbool Init.Datatypes.false)) -> one_step sigma pi (Swhile e inv i) sigma pi Sskip. (* Why3 assumption *) Inductive many_steps: (Numbers.BinNums.Z -> value) -> (Numbers.BinNums.Z -> value) -> stmt -> (Numbers.BinNums.Z -> value) -> (Numbers.BinNums.Z -> value) -> stmt -> Numbers.BinNums.Z -> Prop := | many_steps_refl : forall (sigma:Numbers.BinNums.Z -> value) (pi:Numbers.BinNums.Z -> value) (i:stmt), many_steps sigma pi i sigma pi i 0%Z | many_steps_trans : forall (sigma1:Numbers.BinNums.Z -> value) (pi1:Numbers.BinNums.Z -> value) (sigma2:Numbers.BinNums.Z -> value) (pi2:Numbers.BinNums.Z -> value) (sigma3:Numbers.BinNums.Z -> value) (pi3:Numbers.BinNums.Z -> value) (i1:stmt) (i2:stmt) (i3:stmt) (n:Numbers.BinNums.Z), one_step sigma1 pi1 i1 sigma2 pi2 i2 -> many_steps sigma2 pi2 i2 sigma3 pi3 i3 n -> many_steps sigma1 pi1 i1 sigma3 pi3 i3 (n + 1%Z)%Z. Axiom steps_non_neg : forall (sigma1:Numbers.BinNums.Z -> value) (pi1:Numbers.BinNums.Z -> value) (sigma2:Numbers.BinNums.Z -> value) (pi2:Numbers.BinNums.Z -> value) (i1:stmt) (i2:stmt) (n:Numbers.BinNums.Z), many_steps sigma1 pi1 i1 sigma2 pi2 i2 n -> (0%Z <= n)%Z. Axiom many_steps_seq : forall (sigma1:Numbers.BinNums.Z -> value) (pi1:Numbers.BinNums.Z -> value) (sigma3:Numbers.BinNums.Z -> value) (pi3:Numbers.BinNums.Z -> value) (i1:stmt) (i2:stmt) (n:Numbers.BinNums.Z), many_steps sigma1 pi1 (Sseq i1 i2) sigma3 pi3 Sskip n -> exists sigma2:Numbers.BinNums.Z -> value, exists pi2: Numbers.BinNums.Z -> value, exists n1:Numbers.BinNums.Z, exists n2: Numbers.BinNums.Z, many_steps sigma1 pi1 i1 sigma2 pi2 Sskip n1 /\ many_steps sigma2 pi2 i2 sigma3 pi3 Sskip n2 /\ (n = ((1%Z + n1)%Z + n2)%Z). (* Why3 assumption *) Definition valid_fmla (p:fmla) : Prop := forall (sigma:Numbers.BinNums.Z -> value) (pi:Numbers.BinNums.Z -> value), eval_fmla sigma pi p. (* Why3 assumption *) Definition valid_triple (p:fmla) (i:stmt) (q:fmla) : Prop := forall (sigma:Numbers.BinNums.Z -> value) (pi:Numbers.BinNums.Z -> value), eval_fmla sigma pi p -> forall (sigma':Numbers.BinNums.Z -> value) (pi':Numbers.BinNums.Z -> value) (n:Numbers.BinNums.Z), many_steps sigma pi i sigma' pi' Sskip n -> eval_fmla sigma' pi' q. Axiom set : Type. Parameter set_WhyType : WhyType set. Existing Instance set_WhyType. Parameter to_fset: set -> set.Fset.fset Numbers.BinNums.Z. Parameter mk: set.Fset.fset Numbers.BinNums.Z -> set. Axiom mk'spec : forall (s:set.Fset.fset Numbers.BinNums.Z), ((to_fset (mk s)) = s). Parameter choose: set -> Numbers.BinNums.Z. Axiom choose'spec : forall (s:set), ~ set.Fset.is_empty (to_fset s) -> set.Fset.mem (choose s) (to_fset s). (* Why3 assumption *) Definition assigns (sigma:Numbers.BinNums.Z -> value) (a:set.Fset.fset Numbers.BinNums.Z) (sigma':Numbers.BinNums.Z -> value) : Prop := forall (i:Numbers.BinNums.Z), ~ set.Fset.mem i a -> ((sigma i) = (sigma' i)). Axiom assigns_refl : forall (sigma:Numbers.BinNums.Z -> value) (a:set.Fset.fset Numbers.BinNums.Z), assigns sigma a sigma. Axiom assigns_trans : forall (sigma1:Numbers.BinNums.Z -> value) (sigma2:Numbers.BinNums.Z -> value) (sigma3:Numbers.BinNums.Z -> value) (a:set.Fset.fset Numbers.BinNums.Z), assigns sigma1 a sigma2 /\ assigns sigma2 a sigma3 -> assigns sigma1 a sigma3. Axiom assigns_union_left : forall (sigma:Numbers.BinNums.Z -> value) (sigma':Numbers.BinNums.Z -> value) (s1:set.Fset.fset Numbers.BinNums.Z) (s2:set.Fset.fset Numbers.BinNums.Z), assigns sigma s1 sigma' -> assigns sigma (set.Fset.union s1 s2) sigma'. Axiom assigns_union_right : forall (sigma:Numbers.BinNums.Z -> value) (sigma':Numbers.BinNums.Z -> value) (s1:set.Fset.fset Numbers.BinNums.Z) (s2:set.Fset.fset Numbers.BinNums.Z), assigns sigma s2 sigma' -> assigns sigma (set.Fset.union s1 s2) sigma'. (* Why3 assumption *) Fixpoint stmt_writes (i:stmt) (w:set.Fset.fset Numbers.BinNums.Z) {struct i}: Prop := match i with | Sskip|(Sassert _) => True | Sassign id _ => set.Fset.mem id w | (Sseq s1 s2)|(Sif _ s1 s2) => stmt_writes s1 w /\ stmt_writes s2 w | Swhile _ _ s => stmt_writes s w end. Axiom consequence_rule : forall (p:fmla) (p':fmla) (q:fmla) (q':fmla) (i:stmt), valid_fmla (Fimplies p' p) -> valid_triple p i q -> valid_fmla (Fimplies q q') -> valid_triple p' i q'. Axiom skip_rule : forall (q:fmla), valid_triple q Sskip q. Axiom assign_rule : forall (q:fmla) (x:Numbers.BinNums.Z) (id:Numbers.BinNums.Z) (e:term), fresh_in_fmla id q -> valid_triple (Flet id e (subst q x id)) (Sassign x e) q. Axiom seq_rule : forall (p:fmla) (q:fmla) (r:fmla) (i1:stmt) (i2:stmt), valid_triple p i1 r /\ valid_triple r i2 q -> valid_triple p (Sseq i1 i2) q. Axiom if_rule : forall (e:term) (p:fmla) (q:fmla) (i1:stmt) (i2:stmt), valid_triple (Fand p (Fterm e)) i1 q /\ valid_triple (Fand p (Fnot (Fterm e))) i2 q -> valid_triple p (Sif e i1 i2) q. Axiom assert_rule : forall (f:fmla) (p:fmla), valid_fmla (Fimplies p f) -> valid_triple p (Sassert f) p. Axiom assert_rule_ext : forall (f:fmla) (p:fmla), valid_triple (Fimplies f p) (Sassert f) p. Axiom while_rule : forall (e:term) (inv:fmla) (i:stmt), valid_triple (Fand (Fterm e) inv) i inv -> valid_triple inv (Swhile e inv i) (Fand (Fnot (Fterm e)) inv). Axiom while_rule_ext : forall (e:term) (inv:fmla) (inv':fmla) (i:stmt), valid_fmla (Fimplies inv' inv) -> valid_triple (Fand (Fterm e) inv') i inv' -> valid_triple inv' (Swhile e inv i) (Fand (Fnot (Fterm e)) inv'). (* Why3 goal *) Theorem wp'vc : forall (i:stmt) (q:fmla), forall (result:fmla), (exists x:term, exists x1:fmla, exists x2:stmt, (i = (Swhile x x1 x2)) /\ (exists o:fmla, valid_triple o x2 x1 /\ (exists o1:fmla, (forall (sigma:Numbers.BinNums.Z -> value) (pi:Numbers.BinNums.Z -> value), eval_fmla sigma pi o1 -> eval_fmla sigma pi (Fand (Fimplies (Fand (Fterm x) x1) o) (Fimplies (Fand (Fnot (Fterm x)) x1) q)) /\ (forall (sigma':Numbers.BinNums.Z -> value) (pi':Numbers.BinNums.Z -> value) (n:Numbers.BinNums.Z), many_steps sigma pi x2 sigma' pi' Sskip n -> eval_fmla sigma' pi' o1)) /\ (result = (Fand x1 o1))))) -> valid_triple result i q. (* Why3 intros i q result (x,(x1,(x2,(h1,(o,(h2,(o1,(h3,h4)))))))). *) Proof. (* intros i q result (x,(x1,(x2,(h1,(o,(h2,(o1,(h3,h4)))))))). *) intros i Post result. intros (cond, (inv, (body, (h1,h2)))). rewrite h1 in *;clear h1 i. destruct h2 as (WP_body & H_WP_body & abstracted_fmla & H_abstracted & h3). subst result. red. intros s1 p1 H1 s2 p2 n Hsteps. assert (H_n_pos := steps_non_neg _ _ _ _ _ _ _ Hsteps). generalize s1 p1 H1 Hsteps; clear s1 p1 H1 Hsteps. apply (Z_lt_induction ( fun n => forall s1 p1 : Map.map Z value, eval_fmla s1 p1 (Fand inv abstracted_fmla) -> many_steps s1 p1 (Swhile cond inv body) s2 p2 Sskip n -> eval_fmla s2 p2 Post)); auto. intros. elim H0; clear H0; intros H_inv_in_s2 H_abstr_in_s2. inversion H1; subst; clear H1. inversion H0; subst; clear H0. (* case cond = true *) destruct (many_steps_seq _ _ _ _ _ _ _ H2) as (s3 & p3 & n1 & n2 & First_iter & Next_iter & Hn1n2). clear H2. apply H with (3:=Next_iter). assert (Hn1_pos := steps_non_neg _ _ _ _ _ _ _ First_iter). assert (Hn2_pos := steps_non_neg _ _ _ _ _ _ _ Next_iter). omega. destruct (H_abstracted sigma2 pi2 H_abstr_in_s2) as ((Htrue,_) & Hnext). clear H_abstracted. assert (H_abstr_in_s3 := Hnext s3 p3 n1 First_iter); clear Hnext. split; auto. red in H_WP_body. apply H_WP_body with (2:=First_iter). apply Htrue; auto. (* case cond = false *) inversion H2; [subst; clear H2 | inversion H0]. destruct (H_abstracted s2 p2 H_abstr_in_s2) as ((_,Hfalse) & Hnext). clear H_abstracted. apply Hfalse; split; auto. rewrite H11; discriminate. Qed. �����������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������why3-1.6.0/examples/add_list.mlw��������������������������������������������������������������������0000664�0000000�0000000�00000003375�14401600263�0016536�0����������������������������������������������������������������������������������������������������ustar�00root����������������������������root����������������������������0000000�0000000������������������������������������������������������������������������������������������������������������������������������������������������������������������������theory SumList use export int.Int use export real.RealInfix use export list.List type or_integer_float = Integer int | Real real (* sum integers in a list *) function add_int (e: list or_integer_float) : int = match e with | Nil -> 0 | Cons (Integer n) t -> n + add_int t | Cons _ t -> add_int t end (* sum reals in a list *) function add_real (e: list or_integer_float) : real = match e with | Nil -> 0.0 | Cons (Real x) t -> x +. add_real t | Cons _ t -> add_real t end end module AddListRec use SumList let rec sum (l: list or_integer_float) : (si: int, sf: real) = variant { l } ensures { si = add_int l /\ sf = add_real l } match l with | Nil -> 0, 0.0 | Cons h t -> let a,b = sum t in match h with | Integer n -> n + a, b | Real x -> a, x +. b end end let main () = let l = Cons (Integer 5) (Cons (Real 3.3) (Cons (Integer 8) (Cons (Real 1.4) (Cons (Integer 9) Nil)))) in let s,f = sum l in assert { s = 22 }; assert { f = 4.7 } end module AddListImp use SumList use ref.Ref let sum (l: list or_integer_float) : (si: int, sf: real) = ensures { si = add_int l /\ sf = add_real l } let si = ref 0 in let sf = ref 0.0 in let ll = ref l in while True do invariant { !si + add_int !ll = add_int l /\ !sf +. add_real !ll = add_real l } variant { !ll } match !ll with | Nil -> return !si, !sf | Cons (Integer n) t -> si := !si + n; ll := t | Cons (Real x) t -> sf := !sf +. x; ll := t end done; absurd let main () = let l = Cons (Integer 5) (Cons (Real 3.3) (Cons (Integer 8) (Cons (Real 1.4) (Cons (Integer 9) Nil)))) in let s,f = sum l in assert { s = 22 }; assert { f = 4.7 } end �������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������why3-1.6.0/examples/add_list/�����������������������������������������������������������������������0000775�0000000�0000000�00000000000�14401600263�0016005�5����������������������������������������������������������������������������������������������������ustar�00root����������������������������root����������������������������0000000�0000000������������������������������������������������������������������������������������������������������������������������������������������������������������������������why3-1.6.0/examples/add_list/why3session.xml��������������������������������������������������������0000664�0000000�0000000�00000002161�14401600263�0021025�0����������������������������������������������������������������������������������������������������ustar�00root����������������������������root����������������������������0000000�0000000������������������������������������������������������������������������������������������������������������������������������������������������������������������������<?xml version="1.0" encoding="UTF-8"?> <!DOCTYPE why3session PUBLIC "-//Why3//proof session v5//EN" "http://why3.lri.fr/why3session.dtd"> <why3session shape_version="6"> <prover id="0" name="Z3" version="4.6.0" timelimit="1" steplimit="0" memlimit="1000"/> <prover id="2" name="Alt-Ergo" version="2.0.0" timelimit="5" steplimit="0" memlimit="1000"/> <file format="whyml" proved="true"> <path name=".."/><path name="add_list.mlw"/> <theory name="AddListRec" proved="true"> <goal name="sum'vc" expl="VC for sum" proved="true"> <proof prover="2"><result status="valid" time="0.02" steps="92"/></proof> </goal> <goal name="main'vc" expl="VC for main" proved="true"> <proof prover="0"><result status="valid" time="0.02" steps="19475"/></proof> </goal> </theory> <theory name="AddListImp" proved="true"> <goal name="sum'vc" expl="VC for sum" proved="true"> <proof prover="0"><result status="valid" time="0.02" steps="23617"/></proof> </goal> <goal name="main'vc" expl="VC for main" proved="true"> <proof prover="0"><result status="valid" time="0.01" steps="19475"/></proof> </goal> </theory> </file> </why3session> ���������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������why3-1.6.0/examples/add_list/why3shapes.gz����������������������������������������������������������0000664�0000000�0000000�00000001122�14401600263�0020441�0����������������������������������������������������������������������������������������������������ustar�00root����������������������������root����������������������������0000000�0000000������������������������������������������������������������������������������������������������������������������������������������������������������������������������������}Sˎ0+M뷑XTTX tIKm~_;3e@j%9>pe{<|u{- 6+wlqb!:?owɍ&yXCj9\pƔ"!b!/ą_OQg(S($D}ႈl*\33_yvUjMtoH-X3P32IbpUs}yާaB'1 ZyL͉E]&FͭN5<o"Pci&:rH"oh%©Ѵ+u~{ rGS.TiE2^BRń2Fl/^LBp?g)⨋SM7 $)!LǃYE[[iP*M ̥ HY(4AȦ 4-1&nz7Cf˭Sbg]9V +fykl3Lֺ =B߂C O }% I4o-S5Z<011tZ*Ѓr$u^ ΍W {eR&?|@J������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������why3-1.6.0/examples/add_list_vc_sp.mlw��������������������������������������������������������������0000664�0000000�0000000�00000003451�14401600263�0017723�0����������������������������������������������������������������������������������������������������ustar�00root����������������������������root����������������������������0000000�0000000������������������������������������������������������������������������������������������������������������������������������������������������������������������������theory SumList use export int.Int use export real.RealInfix use export list.List type or_integer_float = Integer int | Real real (* sum integers in a list *) function add_int (e: list or_integer_float) : int = match e with | Nil -> 0 | Cons (Integer n) t -> n + add_int t | Cons _ t -> add_int t end (* sum reals in a list *) function add_real (e: list or_integer_float) : real = match e with | Nil -> 0.0 | Cons (Real x) t -> x +. add_real t | Cons _ t -> add_real t end end module AddListRec use SumList let rec sum (l: list or_integer_float) : (si: int, sf: real) = variant { l } ensures { si = add_int l /\ sf = add_real l } [@vc:sp] match l with | Nil -> 0, 0.0 | Cons h t -> let a,b = sum t in match h with | Integer n -> n + a, b | Real x -> a, x +. b end end let main () = [@vc:sp] let l = Cons (Integer 5) (Cons (Real 3.3) (Cons (Integer 8) (Cons (Real 1.4) (Cons (Integer 9) Nil)))) in let s,f = sum l in assert { s = 22 }; assert { f = 4.7 } end module AddListImp use SumList use ref.Ref let sum (l: list or_integer_float) : (si: int, sf: real) = ensures { si = add_int l /\ sf = add_real l } [@vc:sp] let si = ref 0 in let sf = ref 0.0 in let ll = ref l in while True do invariant { !si + add_int !ll = add_int l /\ !sf +. add_real !ll = add_real l } variant { !ll } match !ll with | Nil -> return !si, !sf | Cons (Integer n) t -> si := !si + n; ll := t | Cons (Real x) t -> sf := !sf +. x; ll := t end done; absurd let main () = [@vc:sp] let l = Cons (Integer 5) (Cons (Real 3.3) (Cons (Integer 8) (Cons (Real 1.4) (Cons (Integer 9) Nil)))) in let s,f = sum l in assert { s = 22 }; assert { f = 4.7 } end �����������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������why3-1.6.0/examples/add_list_vc_sp/�����������������������������������������������������������������0000775�0000000�0000000�00000000000�14401600263�0017177�5����������������������������������������������������������������������������������������������������ustar�00root����������������������������root����������������������������0000000�0000000������������������������������������������������������������������������������������������������������������������������������������������������������������������������why3-1.6.0/examples/add_list_vc_sp/why3session.xml��������������������������������������������������0000664�0000000�0000000�00000002031�14401600263�0022213�0����������������������������������������������������������������������������������������������������ustar�00root����������������������������root����������������������������0000000�0000000������������������������������������������������������������������������������������������������������������������������������������������������������������������������<?xml version="1.0" encoding="UTF-8"?> <!DOCTYPE why3session PUBLIC "-//Why3//proof session v5//EN" "http://why3.lri.fr/why3session.dtd"> <why3session shape_version="6"> <prover id="0" name="CVC4" version="1.5" timelimit="1" steplimit="0" memlimit="1000"/> <file format="whyml" proved="true"> <path name=".."/><path name="add_list_vc_sp.mlw"/> <theory name="AddListRec" proved="true"> <goal name="sum'vc" expl="VC for sum" proved="true"> <proof prover="0"><result status="valid" time="0.04" steps="8062"/></proof> </goal> <goal name="main'vc" expl="VC for main" proved="true"> <proof prover="0"><result status="valid" time="0.02" steps="6319"/></proof> </goal> </theory> <theory name="AddListImp" proved="true"> <goal name="sum'vc" expl="VC for sum" proved="true"> <proof prover="0"><result status="valid" time="0.03" steps="8593"/></proof> </goal> <goal name="main'vc" expl="VC for main" proved="true"> <proof prover="0"><result status="valid" time="0.02" steps="6542"/></proof> </goal> </theory> </file> </why3session> �������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������why3-1.6.0/examples/add_list_vc_sp/why3shapes.gz����������������������������������������������������0000664�0000000�0000000�00000001204�14401600263�0021634�0����������������������������������������������������������������������������������������������������ustar�00root����������������������������root����������������������������0000000�0000000������������������������������������������������������������������������������������������������������������������������������������������������������������������������������SKk0W6%AѳCXdPEviYvw$˖(9`<o?1t?>ժPώ{O9vM>$mbcWGX]zv:8`MGg~KS +TF,'xSS+]諅9ǖ"p|{1s@/cg2Ry * *("@FX! m6pϏi }up XW>aELL3r W<d'|R@b1rLT”z7QT౒hR۟K<8fI9'C~Dڢ_-w û_dRtS>Aw5ʄUf/O-6թ}hbYP` D@0mQ;A3'N=픇,Wʩq%$iD$Ȁ6612㌧x|_ʎEv|Mv\ʊ>G �{MUu-y`3!-X5p˪w\~AXo&Ax+9Px#zAz[нVITBε{iVBЦNQF����������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������why3-1.6.0/examples/algo63.mlw����������������������������������������������������������������������0000664�0000000�0000000�00000005546�14401600263�0016050�0����������������������������������������������������������������������������������������������������ustar�00root����������������������������root����������������������������0000000�0000000������������������������������������������������������������������������������������������������������������������������������������������������������������������������(*** Algorithm 63 C. A. R. Hoare Elliott Brothers Ltd., Hertfordshire, England, U.K. Communications of the ACM archive Volume 4 , Issue 7 (July 1961) table of contents Pages: 321 - 322 ***) module Algo63 use int.Int use ref.Refint use array.Array use array.ArrayPermut (* we pass m and n (as ghost arguments) to ensure [permut_sub]; this will help solvers in the proof of partition *) let exchange (a: array int) (ghost m n: int) (i j: int) = requires { 0 <= m <= i <= n < length a /\ m <= j <= n } ensures { exchange (old a) a i j } ensures { permut_sub (old a) a m (n+1) } let v = a[i] in a[i] <- a[j]; a[j] <- v; assert { exchange (old a) a i j } val random (m n: int) : int ensures { m <= result <= n } let partition_ (a: array int) (m n: int) (i j: ref int) (ghost ghx: ref int) requires { 0 <= m < n < length a } ensures { m <= !j < !i <= n } ensures { permut_sub (old a) a m (n+1) } ensures { forall r:int. m <= r <= !j -> a[r] <= !ghx } ensures { forall r:int. !j < r < !i -> a[r] = !ghx } ensures { forall r:int. !i <= r <= n -> a[r] >= !ghx } = let f = random m n in let x = a[f] in ghx := x; i := m; j := n; let rec up_down () variant { 1 + !j - !i } = requires { m <= !j <= n /\ m <= !i <= n } requires { permut_sub (old a) a m (n+1) } requires { forall r:int. m <= r < !i -> a[r] <= x } requires { forall r:int. !j < r <= n -> a[r] >= x } requires { a[f] = x } ensures { m <= !j <= !i <= n } ensures { permut_sub (old a) a m (n+1) } ensures { !i = n \/ a[!i] > x } ensures { !j = m \/ a[!j] < x } ensures { a[f] = x } ensures { forall r:int. m <= r < !i -> a[r] <= x } ensures { forall r:int. !j < r <= n -> a[r] >= x } while !i < n && a[!i] <= x do invariant { m <= !i <= n } invariant {forall r: int. m <= r < !i -> a[r] <= x } variant { n - !i } incr i done; while m < !j && a[!j] >= x do invariant { m <= !j <= n } invariant { forall r: int. !j < r <= n -> a[r] >= x } variant { !j } decr j done; if !i < !j then begin exchange a m n !i !j; incr i; decr j; up_down () end in up_down (); assert { !j < !i \/ !j = !i = m \/ !j = !i = n }; if !i < f then begin exchange a m n !i f; incr i end else if f < !j then begin exchange a m n f !j; decr j end let partition (a: array int) (m n: int) (i j: ref int) = requires { 0 <= m < n < length a } ensures { m <= !j < !i <= n } ensures { permut_sub (old a) a m (n+1) } ensures { exists x: int. (forall r:int. m <= r <= !j -> a[r] <= x) /\ (forall r:int. !j < r < !i -> a[r] = x) /\ (forall r:int. !i <= r <= n -> a[r] >= x) } partition_ a m n i j (ref 0) end ����������������������������������������������������������������������������������������������������������������������������������������������������������why3-1.6.0/examples/algo63/�������������������������������������������������������������������������0000775�0000000�0000000�00000000000�14401600263�0015315�5����������������������������������������������������������������������������������������������������ustar�00root����������������������������root����������������������������0000000�0000000������������������������������������������������������������������������������������������������������������������������������������������������������������������������why3-1.6.0/examples/algo63/why3session.xml����������������������������������������������������������0000664�0000000�0000000�00000023362�14401600263�0020343�0����������������������������������������������������������������������������������������������������ustar�00root����������������������������root����������������������������0000000�0000000������������������������������������������������������������������������������������������������������������������������������������������������������������������������<?xml version="1.0" encoding="UTF-8"?> <!DOCTYPE why3session PUBLIC "-//Why3//proof session v5//EN" "http://why3.lri.fr/why3session.dtd"> <why3session shape_version="6"> <prover id="0" name="Alt-Ergo" version="2.0.0" timelimit="10" steplimit="0" memlimit="1000"/> <file format="whyml" proved="true"> <path name=".."/><path name="algo63.mlw"/> <theory name="Algo63" proved="true"> <goal name="exchange'vc" expl="VC for exchange" proved="true"> <proof prover="0"><result status="valid" time="0.03" steps="63"/></proof> </goal> <goal name="partition_'vc" expl="VC for partition_" proved="true"> <transf name="split_goal_right" proved="true" > <goal name="partition_'vc.0" expl="index in array bounds" proved="true"> <proof prover="0"><result status="valid" time="0.00" steps="6"/></proof> </goal> <goal name="partition_'vc.1" expl="loop invariant init" proved="true"> <proof prover="0"><result status="valid" time="0.01" steps="16"/></proof> </goal> <goal name="partition_'vc.2" expl="loop invariant init" proved="true"> <proof prover="0"><result status="valid" time="0.01" steps="26"/></proof> </goal> <goal name="partition_'vc.3" expl="index in array bounds" proved="true"> <proof prover="0"><result status="valid" time="0.01" steps="19"/></proof> </goal> <goal name="partition_'vc.4" expl="loop variant decrease" proved="true"> <proof prover="0"><result status="valid" time="0.01" steps="20"/></proof> </goal> <goal name="partition_'vc.5" expl="loop invariant preservation" proved="true"> <proof prover="0"><result status="valid" time="0.01" steps="27"/></proof> </goal> <goal name="partition_'vc.6" expl="loop invariant preservation" proved="true"> <proof prover="0"><result status="valid" time="0.01" steps="35"/></proof> </goal> <goal name="partition_'vc.7" expl="loop invariant init" proved="true"> <proof prover="0"><result status="valid" time="0.01" steps="19"/></proof> </goal> <goal name="partition_'vc.8" expl="loop invariant init" proved="true"> <proof prover="0"><result status="valid" time="0.01" steps="29"/></proof> </goal> <goal name="partition_'vc.9" expl="index in array bounds" proved="true"> <proof prover="0"><result status="valid" time="0.01" steps="22"/></proof> </goal> <goal name="partition_'vc.10" expl="loop variant decrease" proved="true"> <proof prover="0"><result status="valid" time="0.01" steps="23"/></proof> </goal> <goal name="partition_'vc.11" expl="loop invariant preservation" proved="true"> <proof prover="0"><result status="valid" time="0.01" steps="31"/></proof> </goal> <goal name="partition_'vc.12" expl="loop invariant preservation" proved="true"> <proof prover="0"><result status="valid" time="0.01" steps="39"/></proof> </goal> <goal name="partition_'vc.13" expl="precondition" proved="true"> <proof prover="0"><result status="valid" time="0.01" steps="23"/></proof> </goal> <goal name="partition_'vc.14" expl="variant decrease" proved="true"> <proof prover="0"><result status="valid" time="0.03" steps="115"/></proof> </goal> <goal name="partition_'vc.15" expl="precondition" proved="true"> <proof prover="0"><result status="valid" time="0.01" steps="42"/></proof> </goal> <goal name="partition_'vc.16" expl="precondition" proved="true"> <proof prover="0"><result status="valid" time="0.04" steps="60"/></proof> </goal> <goal name="partition_'vc.17" expl="precondition" proved="true"> <proof prover="0"><result status="valid" time="0.08" steps="298"/></proof> </goal> <goal name="partition_'vc.18" expl="precondition" proved="true"> <proof prover="0"><result status="valid" time="0.08" steps="302"/></proof> </goal> <goal name="partition_'vc.19" expl="precondition" proved="true"> <proof prover="0"><result status="valid" time="0.02" steps="157"/></proof> </goal> <goal name="partition_'vc.20" expl="postcondition" proved="true"> <proof prover="0"><result status="valid" time="0.01" steps="34"/></proof> </goal> <goal name="partition_'vc.21" expl="postcondition" proved="true"> <proof prover="0"><result status="valid" time="0.05" steps="71"/></proof> </goal> <goal name="partition_'vc.22" expl="postcondition" proved="true"> <proof prover="0"><result status="valid" time="0.01" steps="35"/></proof> </goal> <goal name="partition_'vc.23" expl="postcondition" proved="true"> <proof prover="0"><result status="valid" time="0.01" steps="35"/></proof> </goal> <goal name="partition_'vc.24" expl="postcondition" proved="true"> <proof prover="0"><result status="valid" time="0.01" steps="35"/></proof> </goal> <goal name="partition_'vc.25" expl="postcondition" proved="true"> <proof prover="0"><result status="valid" time="0.02" steps="65"/></proof> </goal> <goal name="partition_'vc.26" expl="postcondition" proved="true"> <proof prover="0"><result status="valid" time="0.01" steps="65"/></proof> </goal> <goal name="partition_'vc.27" expl="postcondition" proved="true"> <proof prover="0"><result status="valid" time="0.01" steps="23"/></proof> </goal> <goal name="partition_'vc.28" expl="postcondition" proved="true"> <proof prover="0"><result status="valid" time="0.02" steps="41"/></proof> </goal> <goal name="partition_'vc.29" expl="postcondition" proved="true"> <proof prover="0"><result status="valid" time="0.01" steps="46"/></proof> </goal> <goal name="partition_'vc.30" expl="postcondition" proved="true"> <proof prover="0"><result status="valid" time="0.01" steps="43"/></proof> </goal> <goal name="partition_'vc.31" expl="postcondition" proved="true"> <proof prover="0"><result status="valid" time="0.01" steps="25"/></proof> </goal> <goal name="partition_'vc.32" expl="postcondition" proved="true"> <proof prover="0"><result status="valid" time="0.01" steps="41"/></proof> </goal> <goal name="partition_'vc.33" expl="postcondition" proved="true"> <proof prover="0"><result status="valid" time="0.01" steps="41"/></proof> </goal> <goal name="partition_'vc.34" expl="precondition" proved="true"> <proof prover="0"><result status="valid" time="0.00" steps="9"/></proof> </goal> <goal name="partition_'vc.35" expl="precondition" proved="true"> <proof prover="0"><result status="valid" time="0.01" steps="19"/></proof> </goal> <goal name="partition_'vc.36" expl="precondition" proved="true"> <proof prover="0"><result status="valid" time="0.00" steps="14"/></proof> </goal> <goal name="partition_'vc.37" expl="precondition" proved="true"> <proof prover="0"><result status="valid" time="0.01" steps="14"/></proof> </goal> <goal name="partition_'vc.38" expl="precondition" proved="true"> <proof prover="0"><result status="valid" time="0.00" steps="1"/></proof> </goal> <goal name="partition_'vc.39" expl="assertion" proved="true"> <proof prover="0"><result status="valid" time="0.01" steps="18"/></proof> </goal> <goal name="partition_'vc.40" expl="precondition" proved="true"> <proof prover="0"><result status="valid" time="0.01" steps="22"/></proof> </goal> <goal name="partition_'vc.41" expl="postcondition" proved="true"> <proof prover="0"><result status="valid" time="0.01" steps="20"/></proof> </goal> <goal name="partition_'vc.42" expl="postcondition" proved="true"> <proof prover="0"><result status="valid" time="0.04" steps="50"/></proof> </goal> <goal name="partition_'vc.43" expl="postcondition" proved="true"> <proof prover="0"><result status="valid" time="0.15" steps="478"/></proof> </goal> <goal name="partition_'vc.44" expl="postcondition" proved="true"> <proof prover="0"><result status="valid" time="0.31" steps="658"/></proof> </goal> <goal name="partition_'vc.45" expl="postcondition" proved="true"> <proof prover="0"><result status="valid" time="0.11" steps="507"/></proof> </goal> <goal name="partition_'vc.46" expl="precondition" proved="true"> <proof prover="0"><result status="valid" time="0.01" steps="23"/></proof> </goal> <goal name="partition_'vc.47" expl="postcondition" proved="true"> <proof prover="0"><result status="valid" time="0.01" steps="35"/></proof> </goal> <goal name="partition_'vc.48" expl="postcondition" proved="true"> <proof prover="0"><result status="valid" time="0.03" steps="51"/></proof> </goal> <goal name="partition_'vc.49" expl="postcondition" proved="true"> <proof prover="0"><result status="valid" time="0.11" steps="449"/></proof> </goal> <goal name="partition_'vc.50" expl="postcondition" proved="true"> <proof prover="0"><result status="valid" time="0.30" steps="607"/></proof> </goal> <goal name="partition_'vc.51" expl="postcondition" proved="true"> <proof prover="0"><result status="valid" time="0.12" steps="476"/></proof> </goal> <goal name="partition_'vc.52" expl="postcondition" proved="true"> <proof prover="0"><result status="valid" time="0.01" steps="18"/></proof> </goal> <goal name="partition_'vc.53" expl="postcondition" proved="true"> <proof prover="0"><result status="valid" time="0.01" steps="18"/></proof> </goal> <goal name="partition_'vc.54" expl="postcondition" proved="true"> <proof prover="0"><result status="valid" time="0.01" steps="28"/></proof> </goal> <goal name="partition_'vc.55" expl="postcondition" proved="true"> <proof prover="0"><result status="valid" time="0.01" steps="29"/></proof> </goal> <goal name="partition_'vc.56" expl="postcondition" proved="true"> <proof prover="0"><result status="valid" time="0.01" steps="28"/></proof> </goal> </transf> </goal> <goal name="partition'vc" expl="VC for partition" proved="true"> <proof prover="0"><result status="valid" time="3.54" steps="552"/></proof> </goal> </theory> </file> </why3session> ������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������why3-1.6.0/examples/algo63/why3shapes.gz������������������������������������������������������������0000664�0000000�0000000�00000010464�14401600263�0017762�0����������������������������������������������������������������������������������������������������ustar�00root����������������������������root����������������������������0000000�0000000������������������������������������������������������������������������������������������������������������������������������������������������������������������������������][#~_$0K/`xgw136r}lIIsU4zՀiRd},^Dϟ6?Oak7j?t<˸c;.wy'<r_'a-wĭ{GWnvʽsLJt!<DJ_?W{;ʳwɝi92WswXy3顰ښ ;sf[*tk爽T*&~Tϼ=s ڣ>L_w3~0 dl}?v%&#RmUT(q6˜>9wIR Q/ZU9TK}.u=zk=k57'?uw#]=UD謒:CVg 9k{-\3[9KqsvK<rJ&4ĕ3_Ћz6/E"E.Ë%F)TesG:{v{7_g_?R7OLo c *? *AEY"U ]THAE"*շj}`XMoWЬyt閼X'Z_oZ2CK-UJ:hBKWh-A٠e.Z!"JCĝRt@AeAe. !w)DRpH*NH%-T@tim`^DR⸛bCf;g6^%69ϙVL\a7\ Mefm7{V+Ơ7` oPthС [ 4Gew[")<Cʫ|cRMGj<rͻtQ}sn C Jx]x W++(t\Lx%[E$@^s=)B7oǐt -p:@G#}^XZz~^pc}/?:n7k;QN@lo%9ДqP3g@7e> O0ݕFɧ 5$iI%#ч&􀃁Ge౳7:˟guL:C퉘.8=ua-.QuaQ֘[ԅ]ԅE "''Y hu+W3 ܫavŕΙKz+W?y NH:m b @ >Ryp)XR `7e {\mc9魧߸lV.1BX [ aFqBX a7 ʀE BT+WZn߹v! %`Ҝ^!cZ3'gG|?_RȆ{˥ NDDgg XYlqHk\]%PNWC$o"*~BMEUEc(\TDa"e\>_EOٞ}A*X|b1<AC(ª ߪ* Omª *\* bU V-XҴ`XW~uIxzWA)Dm&}_BdPg- [(D$CIFof$CM2T$CudAud/$cxe޾2Q;hZA*_@ŃxAUxPAvw.Tu^^Ń[<ʄ'{eVlV`XzN0gUݩ~jYq9I>V.\ .|_�VP;&+?V~WڮTYR=jۮqz-Pi݀TZ7ҝV&|oF5MPmT[yig֊=›ٹ*n.-sB#gxt}ӷIUZP Tj\&>55Z~xau2>U'IsEq85uv^MIM)lbLe<z#])λr <]-8d/Ȫۋ ~B]@}=>nٍf|(!'x&No{7-OB5UrAmER՟ӟ]v<N~3 R4ـbW4GoW@T;=zG0\ĎN;w]|>nQ c mE`7E`11.bNj\#槻"WԌ=f«S\y^7QB£~_v05K?EXWQ l.�+BuZ2lO2}Gt G Q}u VM:SS+V쵧k&K;OSbn8Bu7R4dQBL֚eativ2yaQ/: /afNo{7/^^TߤY,7*p˽VomT{F_3"!E jBmG0S�s^kLcoLY-tx@BxV=<bI.v5 Q\(!,RޏWD"5L]0Y;0o`>o+ݔ^!RN$WLG^2'ʴ?L/az/36{o &^ad6L?)YH>?}+^څK2E2�楜{_`=cN6Ӱ^ܛ7ߟ)d=:AϠTB*Tp$!vďO1o'pe^֜TGf-ܳyT`VX˸Ӌ�++m-L $/e)KQt+J]FKI~zA,c={̮^ܚճ9`*sVkX Lh�o ĉOWBb Zd Ǎ27JNZ`69 y#Z)0dL{) $@o`ГuAq( bԒd)1зa.`GIb$(0�ȍ34qṚQj΄iHdlgDG_`rns61 =B 6ɁCi #x`D0 i|>傁SY&M3H5 'D2ךqUsVZFq)Ji7'mF[z i'bs0V;hX^1g#4&tR3E΃nvdA2ґ]#jr1!n^ qv[R &F$Ǥ 9L(!D%9g&Kr2+Bld5oSZ0ёD:%l8xG"Q[$cS11gSG'l*j?G.g#ENy% =3zњJ4"yQdHS6$h2-G@ ='ɚ ań<J@QۜM Eh%S Q`&71v+FMp"9#E0T-+eǠ]K9,Xn9 ] &TߜM (�=ܬXPdM>T2j\$zܸ=Sf5}*T]b09fAs6;h()'`W8l ^S6`A%ۅqr�LQ=t JG '!`-'&@ !c*D�hY\$ֆTL:“&ty; )+Xz驷y> K /L $lDZ8HU<5@ #DI^3@p^'�ea@_bTS3�Jj=q%o#sِ c $eH l@"|PRG2'IIG}hFO=�/NO6�&K9bܨR];M|Ɔ H <P39$"Åx9"  HȢD"\Gi5% !}u:b5hUf6h9?MjF�I*1&-UI#f`SE 5&RM2.g5cH/ـ.e%}\PllE&3Α&DˀqHRS(6D ǩvS2AQ<Zk 4g �q䊠䒉2  S*Ԕ3 )^p6MmHb\)d(FyHNΝRb!(hCٍÿ M@k��������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������why3-1.6.0/examples/algo64.mlw����������������������������������������������������������������������0000664�0000000�0000000�00000003232�14401600263�0016037�0����������������������������������������������������������������������������������������������������ustar�00root����������������������������root����������������������������0000000�0000000������������������������������������������������������������������������������������������������������������������������������������������������������������������������(*** Algorithm 64 C. A. R. Hoare Elliott Brothers Ltd., Hertfordshire, England, U.K. Communications of the ACM archive Volume 4 , Issue 7 (July 1961) table of contents Pages: 321 - 322 ***) module Algo64 use int.Int use ref.Ref use array.Array use array.ArrayPermut use array.IntArraySorted (* Algorithm 63 *) val partition (a: array int) (m n: int) (i j: ref int) (ghost x: ref int) : unit requires { 0 <= m < n < length a } writes { a, i, j } ensures { m <= !j < !i <= n } ensures { permut_sub (old a) a m (n+1) } ensures { forall r:int. m <= r <= !j -> a[r] <= !x } ensures { forall r:int. !j < r < !i -> a[r] = !x } ensures { forall r:int. !i <= r <= n -> a[r] >= !x } (* Algorithm 64 *) predicate qs_partition (t1 t2: array int) (m n i j: int) (x: int) = permut_sub t1 t2 m (n+1) /\ (forall k:int. m <= k <= j -> t2[k] <= x) /\ (forall k:int. j < k < i -> t2[k] = x) /\ (forall k:int. i <= k <= n -> t2[k] >= x) let rec quicksort (a:array int) (m n:int) : unit requires { 0 <= m <= n < length a } variant { n - m } ensures { permut_sub (old a) a m (n+1) } ensures { sorted_sub a m (n+1) } = if m < n then begin let i = ref 0 in let j = ref 0 in let ghost x = ref 42 in partition a m n i j x; label L1 in quicksort a m !j; assert { qs_partition (a at L1) a m n !i !j !x }; label L2 in quicksort a !i n; assert { qs_partition (a at L2) a m n !i !j !x } end let qs (a:array int) : unit ensures { permut_all (old a) a } ensures { sorted a } = if length a > 0 then quicksort a 0 (length a - 1) end ����������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������why3-1.6.0/examples/algo64/�������������������������������������������������������������������������0000775�0000000�0000000�00000000000�14401600263�0015316�5����������������������������������������������������������������������������������������������������ustar�00root����������������������������root����������������������������0000000�0000000������������������������������������������������������������������������������������������������������������������������������������������������������������������������why3-1.6.0/examples/algo64/why3session.xml����������������������������������������������������������0000664�0000000�0000000�00000001305�14401600263�0020335�0����������������������������������������������������������������������������������������������������ustar�00root����������������������������root����������������������������0000000�0000000������������������������������������������������������������������������������������������������������������������������������������������������������������������������<?xml version="1.0" encoding="UTF-8"?> <!DOCTYPE why3session PUBLIC "-//Why3//proof session v5//EN" "http://why3.lri.fr/why3session.dtd"> <why3session shape_version="6"> <prover id="1" name="Alt-Ergo" version="2.0.0" timelimit="10" steplimit="0" memlimit="1000"/> <file format="whyml" proved="true"> <path name=".."/><path name="algo64.mlw"/> <theory name="Algo64" proved="true"> <goal name="quicksort'vc" expl="VC for quicksort" proved="true"> <proof prover="1"><result status="valid" time="0.67" steps="1643"/></proof> </goal> <goal name="qs'vc" expl="VC for qs" proved="true"> <proof prover="1"><result status="valid" time="0.01" steps="57"/></proof> </goal> </theory> </file> </why3session> ���������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������why3-1.6.0/examples/algo64/why3shapes.gz������������������������������������������������������������0000664�0000000�0000000�00000000726�14401600263�0017763�0����������������������������������������������������������������������������������������������������ustar�00root����������������������������root����������������������������0000000�0000000������������������������������������������������������������������������������������������������������������������������������������������������������������������������������}Mo0 nj dv*VB*@hQ>: ~l'oM5]ߞ4؟ԏLsP)B | @5ͅPI8n+o>t=L`i}5!c}rguIV\ZlCKh6Y\4t䚨4'`~cd$ $ u2@lfHs+u2(OaWf|y#=,a[4^_,|0Mc뛴wd\O?xfmnqsK[kc~*x:٫26pFHZ}>s`9pj4&%NԳVA,s PoEU)vM]fP픐SL&,Re0Z ʬdBe,  $��������������������������������������������why3-1.6.0/examples/algo65.mlw����������������������������������������������������������������������0000664�0000000�0000000�00000003373�14401600263�0016046�0����������������������������������������������������������������������������������������������������ustar�00root����������������������������root����������������������������0000000�0000000������������������������������������������������������������������������������������������������������������������������������������������������������������������������(*** Algorithm 65 C. A. R. Hoare Elliott Brothers Ltd., Hertfordshire, England, U.K. Communications of the ACM archive Volume 4 , Issue 7 (July 1961) table of contents Pages: 321 - 322 ***) module Algo65 use int.Int use ref.Ref use array.Array use array.ArrayPermut (* algorithm 63 *) val partition (a: array int) (m n: int) (i j: ref int) (ghost x: ref int) : unit requires { 0 <= m < n < length a } writes { a, i, j } ensures { m <= !j < !i <= n } ensures { permut_sub (old a) a m (n+1) } ensures { forall r:int. m <= r <= !j -> a[r] <= !x } ensures { forall r:int. !j < r < !i -> a[r] = !x } ensures { forall r:int. !i <= r <= n -> a[r] >= !x } (* Algorithm 65 (fixed version) *) let rec find (a: array int) (m n: int) (k: int) : unit requires { 0 <= m <= k <= n < length a } variant { n - m } ensures { permut_sub (old a) a m (n+1) } ensures { forall r:int. m <= r <= k -> a[r] <= a[k] } ensures { forall r:int. k <= r <= n -> a[k] <= a[r] } = if m < n then begin let i = ref 0 in let j = ref 0 in let ghost x = ref 42 in partition a m n i j x; label L1 in if k <= !j then find a m !j k; assert { permut_sub (a at L1) a m (n+1) }; assert { forall r:int. !j < r <= n -> a[r] = (a at L1)[r] }; assert { forall r:int. m <= r <= !j -> (exists s:int. m <= s <= !j /\ a[r] = (a at L1)[s]) && a[r] <= a[!j+1] }; label L2 in if !i <= k then find a !i n k; assert { permut_sub (a at L2) a m (n+1) }; assert { forall r:int. m <= r < !i -> a[r] = (a at L2)[r] }; assert { forall r:int. !i <= r <= n -> (exists s:int. !i <= s <= n /\ a[r] = (a at L2)[s]) && a[r] >= a[!i-1] } end end ���������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������why3-1.6.0/examples/algo65/�������������������������������������������������������������������������0000775�0000000�0000000�00000000000�14401600263�0015317�5����������������������������������������������������������������������������������������������������ustar�00root����������������������������root����������������������������0000000�0000000������������������������������������������������������������������������������������������������������������������������������������������������������������������������why3-1.6.0/examples/algo65/why3session.xml����������������������������������������������������������0000664�0000000�0000000�00000001057�14401600263�0020342�0����������������������������������������������������������������������������������������������������ustar�00root����������������������������root����������������������������0000000�0000000������������������������������������������������������������������������������������������������������������������������������������������������������������������������<?xml version="1.0" encoding="UTF-8"?> <!DOCTYPE why3session PUBLIC "-//Why3//proof session v5//EN" "http://why3.lri.fr/why3session.dtd"> <why3session shape_version="6"> <prover id="1" name="Alt-Ergo" version="2.0.0" timelimit="10" steplimit="0" memlimit="1000"/> <file format="whyml" proved="true"> <path name=".."/><path name="algo65.mlw"/> <theory name="Algo65" proved="true"> <goal name="find'vc" expl="VC for find" proved="true"> <proof prover="1"><result status="valid" time="0.52" steps="1769"/></proof> </goal> </theory> </file> </why3session> ���������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������why3-1.6.0/examples/algo65/why3shapes.gz������������������������������������������������������������0000664�0000000�0000000�00000000704�14401600263�0017760�0����������������������������������������������������������������������������������������������������ustar�00root����������������������������root����������������������������0000000�0000000������������������������������������������������������������������������������������������������������������������������������������������������������������������������������}SMO@WֈIcl$hjJ҂ߙ-h o>޾az7K?}]w}{?&'ZxǜDc' ҙijB:YH|k(`oi,8b-.1kjTE? p :$GZ+d,+N]#^.%CHuREuFꤾUUWˠ HKꤙ`HkYMfĎYި͉"Z&j5Ia. -ʍ Lpb.4àlJ(A ذj}w}߻s=`#ݐt qJ` Pz0 Qw VЭٰk1˩jpY^T]]6 t>q/isҦoDl]o<kgZiֶJol^ɔ{K��������������������������������������������������������������why3-1.6.0/examples/all_distinct.mlw����������������������������������������������������������������0000664�0000000�0000000�00000002044�14401600263�0017414�0����������������������������������������������������������������������������������������������������ustar�00root����������������������������root����������������������������0000000�0000000������������������������������������������������������������������������������������������������������������������������������������������������������������������������ (** Check an array of integers for duplicate values, using the fact that values are in interval [0,m-1]. Authors: Jean-Christophe Filliâtre (CNRS) Martin Clochard (École Normale Supérieure) *) module AllDistinct use int.Int use ref.Ref use array.Array exception Duplicate let all_distinct (a: array int) (m: int) : bool requires { 0 <= m } requires { forall i: int. 0 <= i < length a -> 0 <= a[i] < m } ensures { result <-> forall i j: int. 0 <= i < length a -> 0 <= j < length a -> i <> j -> a[i] <> a[j] } = let dejavu = Array.make m False in try for k = 0 to Array.length a - 1 do invariant { forall i j: int. 0 <= i < k -> 0 <= j < k -> i <> j -> a[i] <> a[j] } invariant { forall x: int. 0 <= x < m -> dejavu[x] <-> exists i: int. 0 <= i < k /\ a[i] = x } let v = a[k] in if dejavu[v] then raise Duplicate; dejavu[v] <- True done; True with Duplicate -> False end end ��������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������why3-1.6.0/examples/all_distinct/�������������������������������������������������������������������0000775�0000000�0000000�00000000000�14401600263�0016673�5����������������������������������������������������������������������������������������������������ustar�00root����������������������������root����������������������������0000000�0000000������������������������������������������������������������������������������������������������������������������������������������������������������������������������why3-1.6.0/examples/all_distinct/why3session.xml����������������������������������������������������0000664�0000000�0000000�00000001111�14401600263�0021705�0����������������������������������������������������������������������������������������������������ustar�00root����������������������������root����������������������������0000000�0000000������������������������������������������������������������������������������������������������������������������������������������������������������������������������<?xml version="1.0" encoding="UTF-8"?> <!DOCTYPE why3session PUBLIC "-//Why3//proof session v5//EN" "http://why3.lri.fr/why3session.dtd"> <why3session shape_version="6"> <prover id="1" name="Alt-Ergo" version="2.0.0" timelimit="10" steplimit="0" memlimit="1000"/> <file format="whyml" proved="true"> <path name=".."/><path name="all_distinct.mlw"/> <theory name="AllDistinct" proved="true"> <goal name="all_distinct'vc" expl="VC for all_distinct" proved="true"> <proof prover="1"><result status="valid" time="0.06" steps="263"/></proof> </goal> </theory> </file> </why3session> �������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������why3-1.6.0/examples/all_distinct/why3shapes.gz������������������������������������������������������0000664�0000000�0000000�00000000723�14401600263�0021335�0����������������������������������������������������������������������������������������������������ustar�00root����������������������������root����������������������������0000000�0000000������������������������������������������������������������������������������������������������������������������������������������������������������������������������������uRn0+tl (�BQ ^ [j$CzY.?<KxtYϭj>6S[*[kӯų><>EVx/myi# /\*5[n3/6qώ'*R}=s</?UйJjr*M0Ԯ?f04۪BAM&]@ȣK;f}_*]=NLk42^<.s7`I`W˳/i*RZ(fk | 2QrH9RښM<Cn48uDȺ!NJU[*B7nQ7rr7ۤ6 v\cSTy)BիJ0LD(?i6S\f("tBDƨ4@c_mޠ\S�����������������������������������������������why3-1.6.0/examples/amortization.mlw����������������������������������������������������������������0000664�0000000�0000000�00000003512�14401600263�0017464�0����������������������������������������������������������������������������������������������������ustar�00root����������������������������root����������������������������0000000�0000000������������������������������������������������������������������������������������������������������������������������������������������������������������������������ (** A simple example of amortization. From Chris Okasaki's "Purely Functional Data Structures" Chapter 5 -- Fundamentals of Amortization This is an abstraction where - we do not implement the operations and we do not model the contents of the queue (irrelevant here); - we assume that push is O(1) (contrary to Okasaki's code, which has an internal invariant |f|>=|r|). *) use int.Int use list.ListRich (** Global clock. Function `tick` is unused below but one must imagine that it would be called at each function call and each loop iteration. *) val ghost ref clock: int val ghost tick () : unit writes { clock } ensures { clock = old clock + 1 } (** Queue abstraction. *) type elt = int type queue = abstract { ghost size: int; ghost credits: int; } invariant { size >= 0 } invariant { 0 <= credits <= size } val empty () : (q: queue) ensures { q.size = 0 } ensures { q.credits = 0 } val push (_: elt) (q: queue) : (r: queue) writes { clock } ensures { r.size = q.size + 1 } ensures { clock = old clock + 1 } ensures { r.credits = q.credits + 1 } val pop (q: queue) : (_: elt, r: queue) requires { q.size > 0 } writes { clock } ensures { r.size = q.size - 1 } ensures { r.credits <= q.credits } ensures { clock = old clock + 1 + r.credits - q.credits } (** Test client: Let us show that if we insert n values in a queue, then remove all of them, the total cost is O(n). *) let client (n: int) : unit requires { n >= 0 } ensures { clock <= old clock + 2*n } = let ref q = empty () in for k = 0 to n-1 do invariant { q.size = q.credits = k } invariant { clock = old clock + k } q <- push 42 q done; for k = 0 to n-1 do invariant { q.size = n-k } invariant { clock = old clock + q.credits + k } let _, r = pop q in q <- r done ��������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������why3-1.6.0/examples/amortization/�������������������������������������������������������������������0000775�0000000�0000000�00000000000�14401600263�0016742�5����������������������������������������������������������������������������������������������������ustar�00root����������������������������root����������������������������0000000�0000000������������������������������������������������������������������������������������������������������������������������������������������������������������������������why3-1.6.0/examples/amortization/why3session.xml����������������������������������������������������0000664�0000000�0000000�00000005104�14401600263�0021762�0����������������������������������������������������������������������������������������������������ustar�00root����������������������������root����������������������������0000000�0000000������������������������������������������������������������������������������������������������������������������������������������������������������������������������<?xml version="1.0" encoding="UTF-8"?> <!DOCTYPE why3session PUBLIC "-//Why3//proof session v5//EN" "http://why3.lri.fr/why3session.dtd"> <why3session shape_version="6"> <prover id="0" name="CVC4" version="1.7" timelimit="1" steplimit="0" memlimit="1000"/> <file format="whyml" proved="true"> <path name=".."/><path name="amortization.mlw"/> <theory name="Top" proved="true"> <goal name="queue'vc" expl="VC for queue" proved="true"> <proof prover="0"><result status="valid" time="0.03" steps="6206"/></proof> </goal> <goal name="client'vc" expl="VC for client" proved="true"> <transf name="split_vc" proved="true" > <goal name="client'vc.0" expl="loop invariant init" proved="true"> <proof prover="0"><result status="valid" time="0.02" steps="6476"/></proof> </goal> <goal name="client'vc.1" expl="loop invariant init" proved="true"> <proof prover="0"><result status="valid" time="0.03" steps="6494"/></proof> </goal> <goal name="client'vc.2" expl="loop invariant preservation" proved="true"> <proof prover="0"><result status="valid" time="0.03" steps="7027"/></proof> </goal> <goal name="client'vc.3" expl="loop invariant preservation" proved="true"> <proof prover="0"><result status="valid" time="0.03" steps="6688"/></proof> </goal> <goal name="client'vc.4" expl="loop invariant init" proved="true"> <proof prover="0"><result status="valid" time="0.03" steps="6817"/></proof> </goal> <goal name="client'vc.5" expl="loop invariant init" proved="true"> <proof prover="0"><result status="valid" time="0.03" steps="6575"/></proof> </goal> <goal name="client'vc.6" expl="precondition" proved="true"> <proof prover="0"><result status="valid" time="0.03" steps="6984"/></proof> </goal> <goal name="client'vc.7" expl="loop invariant preservation" proved="true"> <proof prover="0"><result status="valid" time="0.03" steps="7128"/></proof> </goal> <goal name="client'vc.8" expl="loop invariant preservation" proved="true"> <proof prover="0"><result status="valid" time="0.04" steps="7266"/></proof> </goal> <goal name="client'vc.9" expl="postcondition" proved="true"> <proof prover="0"><result status="valid" time="0.04" steps="7769"/></proof> </goal> <goal name="client'vc.10" expl="postcondition" proved="true"> <proof prover="0"><result status="valid" time="0.02" steps="6691"/></proof> </goal> <goal name="client'vc.11" expl="out of loop bounds" proved="true"> <proof prover="0"><result status="valid" time="0.03" steps="8285"/></proof> </goal> </transf> </goal> </theory> </file> </why3session> ������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������why3-1.6.0/examples/amortization/why3shapes.gz������������������������������������������������������0000664�0000000�0000000�00000002213�14401600263�0021400�0����������������������������������������������������������������������������������������������������ustar�00root����������������������������root����������������������������0000000�0000000������������������������������������������������������������������������������������������������������������������������������������������������������������������������������VMo6Wv8WQ4P )~FR;=wMX̼7H&?.tp:V/;k3FǮʧsSW99&c*]>~U4ug̅`%{9^?ok{9gf3s??/m{+;u&(br/z}bc}%+{xj=Z<(ɧv^& s6Aσӑ CF2TR*S3 q,D8-X.U圷b~4oQ֧OAt*|[o/7v \m)6ͼo=(5čwē?|}Iqxi{?,Y'b7 anfWwWehzUT-VX'?`~N{{z?p;0 70 T&>2s466ٓÑcK%5R.b<@RK[ٺL+Ƃ+iokhG: k1,v `⡗jêW-j/>qsӹ4k[7Qc{ C}VB6hVyh[ [\Mf (K[8Ex H'f-F[Qh*X7v ?hoȖ\כ&$5Tu鿰rHnGA'yWI;[A-vz I僖"*C}Ԓ,"IrgB0dVVter,'lmj]jrB+yHrOAF[r !x|2[r´)Tj5t k5@ "r*^/&BGRHƅ(H1ԚVt"1^B,P+"%TbK}NGhTƛ .L>Lh2r3Uᦖ V6xJik�V!xvbjt?& <y?'/sH߾bO3SHX([ԨkT5}&٦ (UDބxal3lB Y -/&ɪjxB e( ���������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������why3-1.6.0/examples/arm.mlw�������������������������������������������������������������������������0000664�0000000�0000000�00000005515�14401600263�0015530�0����������������������������������������������������������������������������������������������������ustar�00root����������������������������root����������������������������0000000�0000000������������������������������������������������������������������������������������������������������������������������������������������������������������������������(* experiments related to ARM program verification *) module M use int.Int use ref.Refint use array.Array val a : array int predicate inv (a : array int) = a[0] = 0 /\ length a = 11 /\ forall k:int. 1 <= k <= 10 -> 0 < a[k] val ghost loop1 : ref int val ghost loop2 : ref int let insertion_sort () requires { inv a /\ !loop1 = 0 /\ !loop2 = 0 } ensures { !loop1 = 9 /\ !loop2 <= 45 } = let i = ref 2 in while !i <= 10 do invariant { 2 <= !i <= 11 /\ inv a /\ !loop1 = !i - 2 /\ 2 * !loop2 <= (!i-2) * (!i-1) } variant { 10 - !i } ghost incr loop1; let j = ref !i in while a[!j] < a[!j - 1] do invariant { 1 <= !j <= !i /\ inv a /\ 2 * !loop2 <= (!i-2) * (!i-1) + 2*(!i - !j) } variant { !j } ghost incr loop2; let temp = a[!j] in a[!j] <- a[!j - 1]; a[!j - 1] <- temp; decr j done; incr i done end module ARM use export int.Int use export map.Map use export ref.Ref (* memory *) val mem : ref (map int int) val mem_ldr (a:int) : int ensures { result = !mem[a] } val mem_str (a:int) (v:int) : (_r: int) writes { mem } ensures { !mem = (old !mem)[a <- v] } (* data segment *) (* val data : ref (t int int) val data_ldr (a:int) : int ensures { result = data[a] } val data_str (a:int) (v:int) : int writes { data } ensures { data = (old data)[a <- v] } *) (* registers *) val r0 : ref int val r1 : ref int val r2 : ref int val r3 : ref int (* ... *) val fp : ref int val pc : ref int (* pc *) val ldr (r : ref int) (a : int) : unit writes {r} ensures { !r = !mem[a] } val str (r : ref int) (a : int) : unit writes {mem} ensures { !mem = (old !mem)[a <- !r] } (* condition flags *) val le : ref bool val cmp (r : ref int) (v : int) : unit writes {le} ensures { !le=True <-> !r <= v } end (* @@ logic separation (fp : int) = a+10 < fp-24 main: @@ assume separation fp .L2:@@ invariant ... .L3: .L4:@@ invariant ... *) module InsertionSortExample use ARM (* i = fp-16 j = fp-20 temp = fp-24 *) val l4 : ref int val l7 : ref int function a : int (* stack and data segment do not overlap *) predicate separation (fp : int) = a+10 < fp-24 predicate inv (mem: map int int) = mem[a] = 0 /\ forall k:int. 1 <= k <= 10 -> 0 < mem[a + k] predicate inv_l2 (mem: map int int) (fp : int) (l4 : int) = 2 <= mem[fp - 16] <= 11 /\ l4 = mem[fp-16] - 2 /\ inv mem let path_init_l2 () requires { separation !fp /\ inv !mem } ensures { inv_l2 !mem !fp !l4 } = l4 := 0; l7 := 0; r3 := 2; str r3 (!fp - 16) let path_l2_exit () requires { separation !fp /\ inv_l2 !mem !fp !l4 } ensures { !l4 = 9 } = ldr r3 (!fp - 16); cmp r3 10; assume { !le = False } end �����������������������������������������������������������������������������������������������������������������������������������������������������������������������������������why3-1.6.0/examples/arm/����������������������������������������������������������������������������0000775�0000000�0000000�00000000000�14401600263�0015001�5����������������������������������������������������������������������������������������������������ustar�00root����������������������������root����������������������������0000000�0000000������������������������������������������������������������������������������������������������������������������������������������������������������������������������why3-1.6.0/examples/arm/why3session.xml�������������������������������������������������������������0000664�0000000�0000000�00000001665�14401600263�0020031�0����������������������������������������������������������������������������������������������������ustar�00root����������������������������root����������������������������0000000�0000000������������������������������������������������������������������������������������������������������������������������������������������������������������������������<?xml version="1.0" encoding="UTF-8"?> <!DOCTYPE why3session PUBLIC "-//Why3//proof session v5//EN" "http://why3.lri.fr/why3session.dtd"> <why3session shape_version="6"> <prover id="1" name="Alt-Ergo" version="2.0.0" timelimit="5" steplimit="0" memlimit="1000"/> <file format="whyml" proved="true"> <path name=".."/><path name="arm.mlw"/> <theory name="M" proved="true"> <goal name="insertion_sort'vc" expl="VC for insertion_sort" proved="true"> <proof prover="1"><result status="valid" time="0.11" steps="137"/></proof> </goal> </theory> <theory name="InsertionSortExample" proved="true"> <goal name="path_init_l2'vc" expl="VC for path_init_l2" proved="true"> <proof prover="1"><result status="valid" time="0.03" steps="24"/></proof> </goal> <goal name="path_l2_exit'vc" expl="VC for path_l2_exit" proved="true"> <proof prover="1"><result status="valid" time="0.00" steps="7"/></proof> </goal> </theory> </file> </why3session> ���������������������������������������������������������������������������why3-1.6.0/examples/arm/why3shapes.gz���������������������������������������������������������������0000664�0000000�0000000�00000001204�14401600263�0017436�0����������������������������������������������������������������������������������������������������ustar�00root����������������������������root����������������������������0000000�0000000������������������������������������������������������������������������������������������������������������������������������������������������������������������������������TMo0 W-E}C0 h]FcY^?R#EQL%Ct\rWA-{a 6p b8Ejm;x=rthm i͇Gpm5;:vrWnMInv 9=O7wrD LJB G4h^+O@<98|po㑮Ka"Wᵩi-3�uÃ,#\b MIv KuZ DU7iY3f`$Ubwu^__j NQdo%i]A67{}DثFŗ>J%f,(W Z.8KXe/y4#8j78Yb^e]ʃJII|ĮhQ)ۧCG/쇧~,$0^%:<4̄ǶviK YL3@,<_e0ݹcDp#ĠI:sr69 Ok?+5{oj!I>ƢuA+J Z#nvhŒ?`l3́cm`XtϚF5cJYLTM*u����������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������why3-1.6.0/examples/array_most_frequent.mlw���������������������������������������������������������0000664�0000000�0000000�00000001736�14401600263�0021043�0����������������������������������������������������������������������������������������������������ustar�00root����������������������������root����������������������������0000000�0000000������������������������������������������������������������������������������������������������������������������������������������������������������������������������ (** A simple programming exercise: find out the most frequent value in an array Using an external table (e.g. a hash table), we can easily do it in linear time and space. However, if the array is sorted, we can do it in linear time and constant space. Author: Jean-Christophe Filliâtre (CNRS) *) use int.Int use ref.Refint use array.Array use array.NumOfEq let most_frequent (a: array int) : int requires { length a > 0 } requires { forall i j. 0 <= i <= j < length a -> a[i] <= a[j] } ensures { numof a result 0 (length a) > 0 } ensures { forall x. numof a x 0 (length a) <= numof a result 0 (length a) } = let ref r = a[0] in let ref c = 1 in let ref m = 1 in for i = 1 to length a - 1 do invariant { c = numof a a[i-1] 0 i } invariant { m = numof a r 0 i } invariant { forall x. numof a x 0 i <= m } if a[i] = a[i-1] then begin incr c; if c > m then begin m <- c; r <- a[i] end end else c <- 1 done; r ����������������������������������why3-1.6.0/examples/array_most_frequent/������������������������������������������������������������0000775�0000000�0000000�00000000000�14401600263�0020313�5����������������������������������������������������������������������������������������������������ustar�00root����������������������������root����������������������������0000000�0000000������������������������������������������������������������������������������������������������������������������������������������������������������������������������why3-1.6.0/examples/array_most_frequent/why3session.xml���������������������������������������������0000664�0000000�0000000�00000007652�14401600263�0023345�0����������������������������������������������������������������������������������������������������ustar�00root����������������������������root����������������������������0000000�0000000������������������������������������������������������������������������������������������������������������������������������������������������������������������������<?xml version="1.0" encoding="UTF-8"?> <!DOCTYPE why3session PUBLIC "-//Why3//proof session v5//EN" "http://why3.lri.fr/why3session.dtd"> <why3session shape_version="6"> <prover id="0" name="Z3" version="4.6.0" timelimit="1" steplimit="0" memlimit="1000"/> <prover id="1" name="Alt-Ergo" version="2.2.0" timelimit="1" steplimit="0" memlimit="1000"/> <prover id="2" name="CVC4" version="1.6" timelimit="1" steplimit="0" memlimit="1000"/> <file format="whyml" proved="true"> <path name=".."/><path name="array_most_frequent.mlw"/> <theory name="Top" proved="true"> <goal name="most_frequent'vc" expl="VC for most_frequent" proved="true"> <transf name="split_vc" proved="true" > <goal name="most_frequent'vc.0" expl="index in array bounds" proved="true"> <proof prover="2"><result status="valid" time="0.03" steps="4900"/></proof> </goal> <goal name="most_frequent'vc.1" expl="loop invariant init" proved="true"> <proof prover="2"><result status="valid" time="0.04" steps="7403"/></proof> </goal> <goal name="most_frequent'vc.2" expl="loop invariant init" proved="true"> <proof prover="2"><result status="valid" time="0.03" steps="5555"/></proof> </goal> <goal name="most_frequent'vc.3" expl="loop invariant init" proved="true"> <proof prover="2"><result status="valid" time="0.04" steps="8208"/></proof> </goal> <goal name="most_frequent'vc.4" expl="index in array bounds" proved="true"> <proof prover="2"><result status="valid" time="0.04" steps="5974"/></proof> </goal> <goal name="most_frequent'vc.5" expl="index in array bounds" proved="true"> <proof prover="2"><result status="valid" time="0.03" steps="5976"/></proof> </goal> <goal name="most_frequent'vc.6" expl="index in array bounds" proved="true"> <proof prover="2"><result status="valid" time="0.03" steps="6181"/></proof> </goal> <goal name="most_frequent'vc.7" expl="loop invariant preservation" proved="true"> <proof prover="2"><result status="valid" time="0.07" steps="9580"/></proof> </goal> <goal name="most_frequent'vc.8" expl="loop invariant preservation" proved="true"> <proof prover="2"><result status="valid" time="0.03" steps="6247"/></proof> </goal> <goal name="most_frequent'vc.9" expl="loop invariant preservation" proved="true"> <proof prover="2"><result status="valid" time="0.17" steps="34251"/></proof> </goal> <goal name="most_frequent'vc.10" expl="loop invariant preservation" proved="true"> <proof prover="2"><result status="valid" time="0.07" steps="10869"/></proof> </goal> <goal name="most_frequent'vc.11" expl="loop invariant preservation" proved="true"> <proof prover="2"><result status="valid" time="0.06" steps="11961"/></proof> </goal> <goal name="most_frequent'vc.12" expl="loop invariant preservation" proved="true"> <proof prover="2"><result status="valid" time="0.29" steps="53954"/></proof> </goal> <goal name="most_frequent'vc.13" expl="loop invariant preservation" proved="true"> <proof prover="0"><result status="valid" time="0.03" steps="104580"/></proof> </goal> <goal name="most_frequent'vc.14" expl="loop invariant preservation" proved="true"> <proof prover="1"><result status="valid" time="0.46" steps="836"/></proof> </goal> <goal name="most_frequent'vc.15" expl="loop invariant preservation" proved="true"> <proof prover="0"><result status="valid" time="0.09" steps="208326"/></proof> </goal> <goal name="most_frequent'vc.16" expl="postcondition" proved="true"> <proof prover="1"><result status="valid" time="0.26" steps="1059"/></proof> </goal> <goal name="most_frequent'vc.17" expl="postcondition" proved="true"> <proof prover="2"><result status="valid" time="0.03" steps="6547"/></proof> </goal> <goal name="most_frequent'vc.18" expl="out of loop bounds" proved="true"> <proof prover="2"><result status="valid" time="0.03" steps="5570"/></proof> </goal> </transf> </goal> </theory> </file> </why3session> ��������������������������������������������������������������������������������������why3-1.6.0/examples/array_most_frequent/why3shapes.gz�����������������������������������������������0000664�0000000�0000000�00000002247�14401600263�0022760�0����������������������������������������������������������������������������������������������������ustar�00root����������������������������root����������������������������0000000�0000000������������������������������������������������������������������������������������������������������������������������������������������������������������������������������Un7}W[8V0T5ޚEcɕ ֲ,]j̙+_uw׼ ;?EDa'G֭ 7X28 uL1S 뎶[ uUn ‚t)Ԟ*eX|l+mZy5rpG*e np$/\P]V-=4Qt^*ǚh4}V04n~F-H뻺~l!-4"-s[KͻJ{nhVQşh.!]MjspHp`ghݺ fuJ:Z3qcړ|qLnݦt}4ԭ'8ؓt"<Q<ݒXqJ,Ub*S >U{@-.Q59h AÔ[aSH|jF9w"<6_?KwgܽHenʌ̌1?\A\<e|hkCSfiX 8χes> p7fZ7<+W^NT A ~?9$?mt9}1tc56^OӓKMK?vl<x1󎂚]lG>>m9E(wAǠ'T:XI ; cP' PtZR(NN1N^,Du9G^!qz0-B [͵Y&k-C I(D4 0(*&p=1֚ʅ#V/06 z$ 5Fb}dLj-j8$r9RQ 7>H'`{p=U'DJFHT)iic%R|M. E0H[CC1$s#(Rd̙LJ�OL /S&S$CR!8Y@4I#dq*.X|hgX*]0矄Vx%@jZL>&"C<YJ]%(eׁ%hѫ!uZK(h@(.tޠ%3RQʜ:R^�S+*:!("V>oPCvςO:dN^^N($ �����������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������why3-1.6.0/examples/assigning_meanings_to_programs.mlw����������������������������������������������0000664�0000000�0000000�00000002137�14401600263�0023225�0����������������������������������������������������������������������������������������������������ustar�00root����������������������������root����������������������������0000000�0000000������������������������������������������������������������������������������������������������������������������������������������������������������������������������(* Program proofs from Floyd's "Assigning Meanings to Programs" (1967) *) module Sum (* computes the sum a[1] + ... + a[n] *) use int.Int use ref.Ref use array.Array use array.ArraySum let sum (a: array int) (n: int) requires { 0 <= n < a.length } ensures { result = sum a 1 (n+1) } = let i = ref 1 in let s = ref 0 in while !i <= n do invariant { 1 <= !i <= n+1 /\ !s = sum a 1 !i } variant { n - !i } s := !s + a[!i]; i := !i + 1 done; !s end module Division (* Quotient and remainder of X div Y Floyd's lexicographic variant is unnecessarily complex here, since we do not seek for a variant which decreases at each statement, but only at each execution of the loop body. *) use int.Int use ref.Ref let division (x: int) (y: int) : (q: int, r: int) requires { 0 <= x /\ 0 < y } ensures { 0 <= r < y /\ x = q * y + r } = let q = ref 0 in let r = ref x in while !r >= y do invariant { 0 <= !r /\ x = !q * y + !r } variant { !r } r := !r - y; q := !q + 1 done; !q, !r end ���������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������why3-1.6.0/examples/assigning_meanings_to_programs/�������������������������������������������������0000775�0000000�0000000�00000000000�14401600263�0022501�5����������������������������������������������������������������������������������������������������ustar�00root����������������������������root����������������������������0000000�0000000������������������������������������������������������������������������������������������������������������������������������������������������������������������������why3-1.6.0/examples/assigning_meanings_to_programs/why3session.xml����������������������������������0000664�0000000�0000000�00000001547�14401600263�0025530�0����������������������������������������������������������������������������������������������������ustar�00root����������������������������root����������������������������0000000�0000000������������������������������������������������������������������������������������������������������������������������������������������������������������������������<?xml version="1.0" encoding="UTF-8"?> <!DOCTYPE why3session PUBLIC "-//Why3//proof session v5//EN" "http://why3.lri.fr/why3session.dtd"> <why3session shape_version="6"> <prover id="0" name="Alt-Ergo" version="2.0.0" timelimit="10" steplimit="0" memlimit="1000"/> <prover id="1" name="Alt-Ergo" version="2.3.0" timelimit="1" steplimit="0" memlimit="1000"/> <file format="whyml" proved="true"> <path name=".."/><path name="assigning_meanings_to_programs.mlw"/> <theory name="Sum" proved="true"> <goal name="sum'vc" expl="VC for sum" proved="true"> <proof prover="1"><result status="valid" time="0.10" steps="210"/></proof> </goal> </theory> <theory name="Division" proved="true"> <goal name="division'vc" expl="VC for division" proved="true"> <proof prover="0"><result status="valid" time="0.00" steps="10"/></proof> </goal> </theory> </file> </why3session> ���������������������������������������������������������������������������������������������������������������������������������������������������������why3-1.6.0/examples/assigning_meanings_to_programs/why3shapes.gz������������������������������������0000664�0000000�0000000�00000000613�14401600263�0025141�0����������������������������������������������������������������������������������������������������ustar�00root����������������������������root����������������������������0000000�0000000������������������������������������������������������������������������������������������������������������������������������������������������������������������������������mRj@}W[[]- G[CaߙM33yzgϾ7]h1zK*@ml5=W%Pn tQ;FĄl5Ш^|x9Opa?E,(cq4v߿;M+4TG3Ees\6~ZT<ZEokšv;@$Ҧv#KRPks=「ʐ슲AX!R*5AA0烐?)"Zb;b5 `y^^gֽ$*;ZnI;LUr:+7N҄-LDJ&he0SRtܕڻfbR!I�����������������������������������������������������������������������������������������������������������������������why3-1.6.0/examples/avl/����������������������������������������������������������������������������0000775�0000000�0000000�00000000000�14401600263�0015004�5����������������������������������������������������������������������������������������������������ustar�00root����������������������������root����������������������������0000000�0000000������������������������������������������������������������������������������������������������������������������������������������������������������������������������why3-1.6.0/examples/avl/avl.mlw���������������������������������������������������������������������0000664�0000000�0000000�00000061005�14401600263�0016311�0����������������������������������������������������������������������������������������������������ustar�00root����������������������������root����������������������������0000000�0000000������������������������������������������������������������������������������������������������������������������������������������������������������������������������(** {1 Base implementation of AVL trees} Author: Martin Clochard *) (** {2 Preliminary definitions} *) theory SelectionTypes use seq.Seq use option.Option (** Describe a position in the sequence `left ++ middle ++ right` (see `rebuild`) *) type split 'a = { left : seq 'a; middle : option 'a; right : seq 'a; } (** Describe reduced problem for selection (see `selected_part`) *) type part_base 'a = Left 'a | Right 'a | Here let ghost function option_to_seq (o:option 'a) : seq 'a = match o with | Some x -> singleton x | None -> empty end (** Reconstruct the sequence associated to a split. *) let ghost function rebuild (p:split 'a) : seq 'a = p.left ++ option_to_seq p.middle ++ p.right (** Shortcuts for extending a split on the left/right. *) let ghost function left_extend (l:seq 'a) (d:'a) (e:split 'a) : split 'a = { e with left = l ++ cons d e.left } let ghost function right_extend (e:split 'a) (d:'a) (r:seq 'a) : split 'a = { e with right = e.right ++ cons d r } end (** {2 AVL trees} *) module AVL (** {3 Rebalancing code} The first part of the module implements the rebalancing code. It can also be seen as an implementation of logarithmic-time catenable dequeues with a constant-time nearly-fair splitting operation (derived from tree pattern-matching). (About the time complexity bounds: a call to an abstract routine (monoid operations, element measure,...) is assumed to take constant time) *) use int.Int use bool.Bool use import seq.Seq as S use seq.FreeMonoid use option.Option use ref.Ref use mach.peano.Peano as I (** The implementation is parameterized by an abstract monoid. The elements of the monoid will be used as summaries of sequence of elements, obtained by aggregation of the elements of the sequence. In other words, `M.sum f [a_1;...;a_n]` is the monoidal summary of sequence `[a_1;...;a_n]` with respect to measure `f`. *) clone monoid.ComputableMonoid as M with axiom . clone monoid.MonoidSum as M with (* scope M = M *) type M.t = M.t, constant M.zero = M.zero, function M.op = M.op, goal M.assoc, goal M.neutral, axiom . (** Abstract description of the data stored in the tree: measurable elements. *) scope D type t 'a (** Elements can be measured. *) val function measure (t 'a) : M.t end (** Actual height difference permitted between subtrees. The balancing can be any positive integer. This is a trade-off between the cost of balancing and the cost of finding: the bigger the balancing constant is, the lesser is the need for balancing the tree, but the deeper the trees may be. *) val constant balancing : I.t ensures { result > 0 } (** tree representation. Height and monoidal summary are cached at every node. *) type tree 'a = | Empty | Node (tree 'a) (D.t 'a) (tree 'a) I.t M.t (** Logical model of an AVL tree. An AVL tree is intended to represent a sequence of elements, which we model using a list. It corresponds to the sequence of elements obtained by left-to-right infix order (note that this sequence is invariant by rebalancing). However, in order to specify rebalancing, the tree structure cannot be completely abstracted away because of the height requirements, so we add the height to the model. *) type m 'a = { seq : seq (D.t 'a); hgt : int; } meta coercion function seq let ghost function node_model (l:seq 'a) (d:'a) (r:seq 'a) : seq 'a = l ++ cons d r (** Sequence of elements obtained by infix-order traversal. *) let rec ghost function seq_model (t:tree 'a) : seq (D.t 'a) = match t with | Empty -> empty | Node l d r _ _ -> node_model (seq_model l) d (seq_model r) end (** Height of the tree. *) let rec function real_height (t:tree 'a): int = match t with | Empty -> 0 | Node l _ r _ _ -> let hl = real_height l in let hr = real_height r in 1 + if hl < hr then hr else hl end (** Height is non-negative. *) let rec lemma real_height_nonnegative (t:tree 'a) : unit ensures { real_height t >= 0 } variant { t } = let ghost rc = real_height_nonnegative in match t with Empty -> () | Node l _ r _ _ -> rc l; rc r end (** Balanced tree + correctness of cached annotations: at every node, 1) The additional integer is the height of the corresponding subtree 2) The monoidal value corresponds to the summary of the sequence of elements associated with the subtree associated with the node 3) Left and right subtrees are `balancing`-height-balanced *) predicate balanced (t:tree 'a) = match t with | Empty -> true | Node l _ r h m -> h = real_height t /\ m = M.agg D.measure (seq_model t) /\ -balancing <= real_height r - real_height l <= balancing /\ balanced l /\ balanced r end (** Tree rotations preserve the in-order sequence of element *) lemma rotation_preserve_model : forall ld rd:'a,fl fm fr. let a = node_model (node_model fl ld fm) rd fr in let b = node_model fl ld (node_model fm rd fr) in a = b by a == b (** Actual program type for AVL trees *) type t 'a = { (* Representation as a binary tree. *) repr : tree 'a; (* Model. *) ghost m : m 'a; } invariant { balanced repr /\ m = seq_model repr /\ m.hgt = real_height repr } by { repr = Empty; m = { seq = empty; hgt = 0 } } meta coercion function m (** Compute the height of the tree. O(1) since the height is cached. *) let height (t:t 'a) : I.t ensures { result = t.m.hgt } = match t.repr with | Empty -> I.zero | Node _ _ _ h _ -> h end (** Compute the monoidal summary of the elements stored in the structure. constant-time. *) let total (t:t 'a) : M.t ensures { result = M.agg D.measure t.m.seq } = match t.repr with | Empty -> M.zero () | Node _ _ _ _ m -> m end (** Create an empty AVL tree. *) (* TODO: top-level let. *) let empty () : t 'a ensures { result = empty /\ result.hgt = 0 } = { repr = Empty; m = { seq = empty; hgt = 0 } } (** re-specify the node constructor in terms of the logical model. *) let node (l:t 'a) (d:D.t 'a) (r:t 'a) : t 'a requires { -balancing <= l.hgt - r.hgt <= balancing } ensures { result = node_model l d r } ensures { result.hgt = 1 + if l.hgt < r.hgt then r.hgt else l.hgt } = let hl = height l in let hr = height r in let h = I.succ (if I.lt hl hr then hr else hl) in let s = M.op (total l) (M.op (D.measure d) (total r)) in assert { M.agg D.measure (node_model l d r) = s }; { repr = Node l.repr d r.repr h s; m = { seq = node_model l.m.seq d r.m.seq; hgt = h.I.v } } (** Create a one-element AVL tree. *) let singleton (d:D.t 'a) : t 'a ensures { result = singleton d /\ result.hgt = 1 } = { repr = Node Empty d Empty (I.succ I.zero) (D.measure d); m = { seq = singleton d; hgt = 1 } } (** Emptyness test. constant-time. *) let is_empty (t:t 'a) : bool ensures { length t = 0 -> result } ensures { result -> t = empty } = match t.repr with | Empty -> true | _ -> false end (** View of an AVL tree for pattern-matching. *) type view 'a = | AEmpty | ANode (t 'a) (D.t 'a) (t 'a) I.t M.t (** Specification wrapper around pattern-matching, in terms of the logical model only. In terms of the model, it corresponds to an operation splitting a non-empty list into three parts, with left and right part of similar heights. *) let view (t:t 'a) : view 'a ensures { match result with | AEmpty -> t.hgt = 0 /\ t = empty | ANode l d r h s -> t = node_model l d r /\ s = M.agg D.measure t /\ let hl = l.hgt in let hr = r.hgt in -balancing <= hl - hr <= balancing /\ t.hgt = h = 1 + if hl < hr then hr else hl end } = match t.repr with | Empty -> AEmpty | Node l d r h s -> ANode { repr = l; m = { seq = seq_model l; hgt = real_height l } } d { repr = r; m = { seq = seq_model r; hgt = real_height r } } h s end (** First re-balancing constructor: `balance l d r` build the same sequence as `node l d r`, but permit slightly unbalanced input, and might decrement the expected height by one. Also, if the expected input node was already balanced, it is specified to return a value indistinguishable from a value returned by `node l d r`. This constructor is constant-time. *) let balance (l:t 'a) (d:D.t 'a) (r:t 'a) : t 'a requires { -balancing-1 <= l.hgt - r.hgt <= balancing+1 } ensures { result = node_model l d r } ensures { let hl = l.hgt in let hr = r.hgt in let he = 1 + if hl < hr then hr else hl in let hres = result.hgt in 0 <= he - hres <= 1 /\ (-balancing <= hl - hr <= balancing -> he = hres) } = (* Wonderful case of automatic proof ! *) let hl = height l in let hr = height r in let df = I.sub hl hr (I.neg hr) hl in if I.gt df balancing then match view l with | AEmpty -> absurd | ANode ll ld lr _ _ -> if I.ge (height ll) (height lr) then node ll ld (node lr d r) else match view lr with | AEmpty -> absurd | ANode lrl lrd lrr _ _ -> node (node ll ld lrl) lrd (node lrr d r) end end else if I.lt df (I.neg balancing) then match view r with | AEmpty -> absurd | ANode rl rd rr _ _ -> if I.ge (height rr) (height rl) then node (node l d rl) rd rr else match view rl with | AEmpty -> absurd | ANode rll rld rlr _ _ -> node (node l d rll) rld (node rlr rd rr) end end else node l d r (** Internal routine. Decompose `l ++ [d] ++ r` as `[head]++tail`, with sequences represented by AVL trees. *) let rec decompose_front_node (l:t 'a) (d:D.t 'a) (r:t 'a) : (D.t 'a,t 'a) requires { -balancing <= l.hgt - r.hgt <= balancing } returns { (d2,res:t 'a) -> node_model l d r = cons d2 res /\ let hl = l.hgt in let hr = r.hgt in let he = 1 + if hl < hr then hr else hl in 0 <= he - res.hgt <= 1 } variant { l.hgt } = match view l with | AEmpty -> (d,r) | ANode l d2 r2 _ _ -> let (d3,left) = decompose_front_node l d2 r2 in (d3,balance left d r) end (** Pattern-matching over the front of the sequence. Time proportional to the height (logarithmic in the size of the tree). *) let decompose_front (t:t 'a) : option (D.t 'a,t 'a) returns { None -> t = empty | Some (hd,tl:t 'a) -> t = cons hd tl } = match view t with | AEmpty -> None | ANode l d r _ _ -> Some (decompose_front_node l d r) end (** Internal routine, mirror of `decompose_front_node`. *) let rec decompose_back_node (l:t 'a) (d:D.t 'a) (r:t 'a) : (t 'a,D.t 'a) requires { -balancing <= l.hgt - r.hgt <= balancing } returns { (res:t 'a,d2) -> node_model l d r = snoc res d2 /\ let hl = l.hgt in let hr = r.hgt in let he = 1 + if hl < hr then hr else hl in 0 <= he - res.hgt <= 1 } variant { r.m.hgt } = match view r with | AEmpty -> (l,d) | ANode l2 d2 r _ _ -> let (right,d3) = decompose_back_node l2 d2 r in (balance l d right,d3) end (** Pattern-matching over the back of the sequence. Time proportional to the height (logarithmic in the size of the tree). *) let decompose_back (t:t 'a) : option (t 'a,D.t 'a) returns { None -> t = empty | Some (lt:t 'a,dh) -> t = snoc lt dh } = match view t with | AEmpty -> None | ANode l d r _ _ -> Some (decompose_back_node l d r) end (** Internal routine. *) let rec front_node (l:t 'a) (d:D.t 'a) : D.t 'a ensures { result = (snoc l d)[0] } variant { l.hgt } = match view l with | AEmpty -> d | ANode l d2 _ _ _ -> front_node l d2 end (** Get the first element of a non-empty sequence. logarithmic-time. *) let front (t:t 'a) : D.t 'a requires { length t <> 0 } ensures { result = t[0] } = match view t with | AEmpty -> absurd | ANode l d2 _ _ _ -> front_node l d2 end (** Internal routine. *) let rec back_node (d:D.t 'a) (r:t 'a) : D.t 'a ensures { result = (cons d r)[length r] } variant { r.hgt } = match view r with | AEmpty -> d | ANode _ d2 r _ _ -> back_node d2 r end (** Get the back of a non-empty sequence. logarithmic-time. *) let back (t:t 'a) : D.t 'a requires { length t <> 0 } ensures { result = t[length t - 1] } = match view t with | AEmpty -> absurd | ANode _ d2 r _ _ -> back_node d2 r end (** Catenation with balanced inputs (like sibling subtrees). logarithmic-time. *) let fuse (l r:t 'a) : t 'a requires { -balancing <= l.hgt - r.hgt <= balancing } ensures { result = l ++ r } ensures { let hl = l.hgt in let hr = r.hgt in let he = 1 + if hl < hr then hr else hl in 1 >= he - result.hgt >= 0 } = match view l with | AEmpty -> r | ANode _ _ _ _ _ -> match view r with | AEmpty -> l | ANode rl rd rr _ _ -> let (d0,r') = decompose_front_node rl rd rr in balance l d0 r' end end (** List cons: build the sequence `cons d t`. logarithmic-time. *) let rec cons (d:D.t 'a) (t:t 'a) : t 'a ensures { result = cons d t } ensures { 1 >= result.hgt - t.hgt >= 0 } variant { t.hgt } = match view t with | AEmpty -> singleton d | ANode l d2 r _ _ -> balance (cons d l) d2 r end (** Reverse cons: build `snoc t d`. logarithmic-time. *) let rec snoc (t:t 'a) (d:D.t 'a) : t 'a ensures { result = snoc t d } ensures { 1 >= result.hgt - t.hgt >= 0 } variant { t.hgt } = match view t with | AEmpty -> singleton d | ANode l d2 r _ _ -> balance l d2 (snoc r d) end (** Variant of the node constructor without any height hypothesis. The time complexity is proportional to the height difference between `l` and `r` (O(|l.m.hgt-r.m.hgt|)) (in particular, it is logarithmic) *) let rec join (l:t 'a) (d:D.t 'a) (r:t 'a) : t 'a ensures { result = node_model l d r } ensures { let hl = l.hgt in let hr = r.hgt in let he = 1 + if hl < hr then hr else hl in let hres = result.hgt in 0 <= he - hres <= 1 } variant { if l.hgt > r.hgt then l.hgt - r.hgt else r.hgt - l.hgt } = match view l with | AEmpty -> cons d r | ANode ll ld lr lh _ -> match view r with | AEmpty -> snoc l d | ANode rl rd rr rh _ -> let df = I.sub lh rh (I.neg rh) lh in if I.gt df balancing then balance ll ld (join lr d r) else if I.lt df (I.neg balancing) then balance (join l d rl) rd rr else node l d r end end (** Catenation, without height hypothesis. logarithmic-time. *) let concat (l r:t 'a) : t 'a ensures { result = l ++ r } = match view l with | AEmpty -> r | ANode _ _ _ _ _ -> match view r with | AEmpty -> l | ANode rl rd rr _ _ -> let (d0,r') = decompose_front_node rl rd rr in join l d0 r' end end (* FIXME: with real refinement, this should be done in a separate module, so that a single structure may feature several selection mecanisms. *) (** {3 Selection of elements} This part of the module provide an implementation of a generalisation of the usual insertion/removal/lookup/spliting/etc algorithms on AVL trees. The generalisation is done with respect to an abstract binary search mechanism. It is based on the observation that all those algorithms have the shame shape: 1) find a particular position in the tree by binary search (either a node, or an empty leaf if finding nothing) 2) extract some piece of information from this position/recompute another tree (which is either trivial or done only using rebalancing) By using different search mechanisms in step 1), we can get a variety of data structures. Note that thanks to monoidal annotations, efficient search mechanisms other than comparison-based exists. For example, using the integer monoid we can keep track of the size of every subtrees, which can be used to implement efficient random access. The positions found in step 1) corresponds readily to splits of the sequence, as defined in the `SelectionTypes` module. We consider that the objective of the search is to find a split with particular properties. *) use SelectionTypes (** Parameter: selector type. The elements of that type are intended to describe the class of splits we wish to find. *) type selector (** Parameter: interpretation of the selector. *) predicate selected selector (split (D.t 'a)) (** Parameter: correctness predicate for a selector with respect to a list. It is intended to mean that we can actually find such a split in the list using binary search. *) predicate selection_possible selector (seq (D.t 'a)) (** Parameter: a correct selector for the empty list always select its only possible split. *) axiom selection_empty : forall s. let nil = (empty:seq (D.t 'a)) in selection_possible s nil -> selected s { left = nil ; middle = None ; right = nil } (** On nodes, binary search works by reducing the problem of selecting of a split on the whole tree to either: 1) The problem of selecting a split on the left subtree 2) The problem of selecting a split on the right subtree 3) Taking the split induced by the node *) type part = part_base selector (** Parameter: `selected_part llis rlis s l d r` effectively compute the reduction of the selection to one of the three part of a node. It uses the monoidal summaries to get informations about the left and right subtrees. *) val selected_part (ghost lseq rseq:seq (D.t 'a)) (s:selector) (l:M.t) (d:D.t 'a) (r:M.t) : part requires { selection_possible s (node_model lseq d rseq) } requires { l = M.agg D.measure lseq /\ r = M.agg D.measure rseq } returns { Here -> let e2 = { left = lseq; middle = Some d; right = rseq } in selected s e2 | Left sl -> selection_possible sl lseq /\ forall e. selected sl e /\ rebuild e = lseq -> selected s (right_extend e d rseq) | Right sr -> selection_possible sr rseq /\ forall e. selected sr e /\ rebuild e = rseq -> selected s (left_extend lseq d e) } use ref.Ref (** Create a reference over a dummy split. All the binary-search-based routines take a ghost reference to explicitly return the existential witness corresponding to the found split, this is a shortcut for creating such a reference. *) let ghost default_split () : ref (split 'a) = ref { left = S.empty; middle = None; right = S.empty } (** Insertion of an element into the sequence. `insert r s d t` split the sequence `t` using `s` as `lf ++ o ++ rg`, and rebuild it with `d` in the middle, potentially erasing whatever was there before, as `lf ++ [d] ++ rg`. The reference `r` is assigned to the selected position. It is logarithmic-time. Note: the procedure described above match only the specification, not what the actual code does. *) let rec insert (ghost r:ref (split (D.t 'a))) (s:selector) (d:D.t 'a) (t:t 'a) : t 'a requires { selection_possible s t } ensures { result = node_model !r.left d !r.right } ensures { selected s !r /\ rebuild !r = t } writes { r } ensures { 1 >= result.hgt - t.hgt >= 0 } variant { t.hgt } = match view t with | AEmpty -> r := { left = S.empty; middle = None; right = S.empty }; singleton d | ANode tl td tr _ _ -> match selected_part tl.m.seq tr.m.seq s (total tl) td (total tr) with | Left sl -> let nl = insert r sl d tl in r := right_extend !r td tr.m.seq; balance nl td tr | Right sr -> let nr = insert r sr d tr in r := left_extend tl.m.seq td !r; balance tl td nr | Here -> r := { left = tl.m.seq; middle = Some td; right = tr.m.seq }; node tl d tr end end (** Remove an element from the sequence. `remove r s t` Split the sequence `t` using `s` into `lf ++ o ++ rg`, and erase whatever may be in the middle, as `lf++rg`. logarithmic-time. *) let rec remove (ghost r:ref (split (D.t 'a))) (s:selector) (t:t 'a) : t 'a requires { selection_possible s t } ensures { result = !r.left ++ !r.right } ensures { selected s !r /\ rebuild !r = t } ensures { 1 >= t.hgt - result.hgt >= 0 } writes { r } variant { t.hgt } = match view t with | AEmpty -> r := { left = S.empty; middle = None; right = S.empty }; t | ANode tl td tr _ _ -> match selected_part tl.m.seq tr.m.seq s (total tl) td (total tr) with | Left sl -> let nl = remove r sl tl in r := right_extend !r td tr.m.seq; balance nl td tr | Right sr -> let nr = remove r sr tr in r := left_extend tl.m.seq td !r; balance tl td nr | Here -> r := { left = tl.m.seq; middle = Some td; right = tr.m.seq }; fuse tl tr end end (** Attempt to find an element in the sequence. `find r s t` return the middle value obtained by splitting the sequence `t` with respect to the `s`. logarithmic-time. *) let rec get (ghost r:ref (split (D.t 'a))) (s:selector) (t:t 'a) : option (D.t 'a) requires { selection_possible s t } ensures { selected s !r /\ rebuild !r = t } returns { None -> !r.middle = None | Some d -> !r.middle = Some d } writes { r } variant { t.hgt } = match view t with | AEmpty -> r := { left = S.empty; middle = None; right = S.empty }; None | ANode tl td tr _ _ -> match selected_part tl.m.seq tr.m.seq s (total tl) td (total tr) with | Left sl -> let res = get r sl tl in r := right_extend !r td tr.m.seq; res | Right sr -> let res = get r sr tr in r := left_extend tl.m.seq td !r; res | Here -> r := { left = tl.m.seq; middle = Some td; right = tr.m.seq }; Some td end end (** Combine `get` and `remove` *) let rec extract (ghost r:ref (split (D.t 'a))) (s:selector) (t:t 'a) : (option (D.t 'a),t 'a) requires { selection_possible s t } ensures { selected s !r /\ rebuild !r = t } ensures { let (d,t2:t 'a) = result in t2 = !r.left ++ !r.right /\ 1 >= t.hgt - t2.hgt >= 0 /\ match d with | None -> !r.middle = None | Some d2 -> !r.middle = Some d2 end } variant { t.hgt } = match view t with | AEmpty -> r := { left = S.empty; middle = None; right = S.empty }; (None,t) | ANode tl td tr _ _ -> match selected_part tl.m.seq tr.m.seq s (total tl) td (total tr) with | Left sl -> let (ol,nl) = extract r sl tl in r := right_extend !r td tr.m.seq; (ol,balance nl td tr) | Right sr -> let (or,nr) = extract r sr tr in r := left_extend tl.m.seq td !r; (or,balance tl td nr) | Here -> r := { left = tl.m.seq; middle = Some td; right = tr.m.seq }; (Some td,fuse tl tr) end end (** Split a sequence. `split r s t` return a program version of a split found by `s`, using AVL trees for the sequence. It is logarithmic-time. Note: As their specification suggest, all the binary-search-based routines can be directly implemented in term of a split followed by catenations. Although a constant time factor, the rebalancing work would be much heavier. *) let rec split (ghost r:ref (split (D.t 'a))) (s:selector) (t:t 'a) : (t 'a,option (D.t 'a),t 'a) requires { selection_possible s t } ensures { selected s !r /\ rebuild !r = t } returns { (lf:t 'a,o,rg:t 'a) -> lf = !r.left /\ rg = !r.right /\ match o with | None -> !r.middle = None | Some d -> !r.middle = Some d end } writes { r } variant { t.hgt } = match view t with | AEmpty -> r := { left = S.empty; middle = None; right = S.empty }; (t,None,t) | ANode tl td tr _ _ -> match selected_part tl.m.seq tr.m.seq s (total tl) td (total tr) with | Left sl -> let (tll,tlo,tlr) = split r sl tl in r := right_extend !r td tr.m.seq; (tll,tlo,join tlr td tr) | Right sr -> let (trl,tro,trr) = split r sr tr in r := left_extend tl.m.seq td !r; (join tl td trl,tro,trr) | Here -> r := { left = tl.m.seq; middle = Some td; right = tr.m.seq }; (tl,Some td,tr) end end end ���������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������why3-1.6.0/examples/avl/avl/������������������������������������������������������������������������0000775�0000000�0000000�00000000000�14401600263�0015566�5����������������������������������������������������������������������������������������������������ustar�00root����������������������������root����������������������������0000000�0000000������������������������������������������������������������������������������������������������������������������������������������������������������������������������why3-1.6.0/examples/avl/avl/why3session.xml���������������������������������������������������������0000664�0000000�0000000�00000054424�14401600263�0020617�0����������������������������������������������������������������������������������������������������ustar�00root����������������������������root����������������������������0000000�0000000������������������������������������������������������������������������������������������������������������������������������������������������������������������������<?xml version="1.0" encoding="UTF-8"?> <!DOCTYPE why3session PUBLIC "-//Why3//proof session v5//EN" "http://why3.lri.fr/why3session.dtd"> <why3session shape_version="6"> <prover id="0" name="Alt-Ergo" version="2.3.0" timelimit="1" steplimit="0" memlimit="1000"/> <prover id="1" name="Alt-Ergo" version="2.0.0" timelimit="1" steplimit="0" memlimit="1000"/> <file format="whyml" proved="true"> <path name=".."/><path name="avl.mlw"/> <theory name="SelectionTypes" proved="true"> <goal name="rebuild'vc" expl="VC for rebuild" proved="true"> <proof prover="0"><result status="valid" time="0.00" steps="0"/></proof> </goal> <goal name="left_extend'vc" expl="VC for left_extend" proved="true"> <proof prover="0"><result status="valid" time="0.00" steps="0"/></proof> </goal> <goal name="right_extend'vc" expl="VC for right_extend" proved="true"> <proof prover="0"><result status="valid" time="0.00" steps="0"/></proof> </goal> </theory> <theory name="AVL" proved="true"> <goal name="M.M.assoc" proved="true"> <proof prover="1"><result status="valid" time="0.00" steps="4"/></proof> </goal> <goal name="M.M.neutral" proved="true"> <proof prover="1"><result status="valid" time="0.00" steps="5"/></proof> </goal> <goal name="balancing'vc" expl="VC for balancing" proved="true"> <proof prover="0"><result status="valid" time="0.00" steps="4"/></proof> </goal> <goal name="node_model'vc" expl="VC for node_model" proved="true"> <proof prover="0"><result status="valid" time="0.01" steps="6"/></proof> </goal> <goal name="real_height_nonnegative'vc" expl="VC for real_height_nonnegative" proved="true"> <proof prover="1"><result status="valid" time="0.01" steps="56"/></proof> </goal> <goal name="rotation_preserve_model" proved="true"> <transf name="split_goal_right" proved="true" > <goal name="rotation_preserve_model.0" proved="true"> <proof prover="1"><result status="valid" time="0.04" steps="90"/></proof> </goal> <goal name="rotation_preserve_model.1" proved="true"> <proof prover="1"><result status="valid" time="0.01" steps="10"/></proof> </goal> </transf> </goal> <goal name="t'vc" expl="VC for t" proved="true"> <proof prover="1" timelimit="5"><result status="valid" time="0.01" steps="11"/></proof> </goal> <goal name="height'vc" expl="VC for height" proved="true"> <proof prover="1"><result status="valid" time="0.02" steps="31"/></proof> </goal> <goal name="total'vc" expl="VC for total" proved="true"> <proof prover="1"><result status="valid" time="0.02" steps="37"/></proof> </goal> <goal name="empty'vc" expl="VC for empty" proved="true"> <proof prover="1"><result status="valid" time="0.01" steps="13"/></proof> </goal> <goal name="node'vc" expl="VC for node" proved="true"> <proof prover="1"><result status="valid" time="0.19" steps="495"/></proof> </goal> <goal name="singleton'vc" expl="VC for singleton" proved="true"> <proof prover="1"><result status="valid" time="0.04" steps="112"/></proof> </goal> <goal name="is_empty'vc" expl="VC for is_empty" proved="true"> <proof prover="1"><result status="valid" time="0.05" steps="79"/></proof> </goal> <goal name="view'vc" expl="VC for view" proved="true"> <proof prover="1"><result status="valid" time="0.15" steps="649"/></proof> </goal> <goal name="balance'vc" expl="VC for balance" proved="true"> <transf name="split_goal_right" proved="true" > <goal name="balance'vc.0" expl="precondition" proved="true"> <proof prover="1"><result status="valid" time="0.02" steps="26"/></proof> </goal> <goal name="balance'vc.1" expl="unreachable point" proved="true"> <proof prover="1"><result status="valid" time="0.02" steps="41"/></proof> </goal> <goal name="balance'vc.2" expl="precondition" proved="true"> <proof prover="1"><result status="valid" time="0.13" steps="145"/></proof> </goal> <goal name="balance'vc.3" expl="precondition" proved="true"> <proof prover="1"><result status="valid" time="0.17" steps="203"/></proof> </goal> <goal name="balance'vc.4" expl="unreachable point" proved="true"> <proof prover="1"><result status="valid" time="0.09" steps="182"/></proof> </goal> <goal name="balance'vc.5" expl="precondition" proved="true"> <proof prover="1"><result status="valid" time="0.13" steps="525"/></proof> </goal> <goal name="balance'vc.6" expl="precondition" proved="true"> <proof prover="1"><result status="valid" time="0.19" steps="512"/></proof> </goal> <goal name="balance'vc.7" expl="precondition" proved="true"> <proof prover="1"><result status="valid" time="0.47" steps="1522"/></proof> </goal> <goal name="balance'vc.8" expl="unreachable point" proved="true"> <proof prover="1"><result status="valid" time="0.07" steps="44"/></proof> </goal> <goal name="balance'vc.9" expl="precondition" proved="true"> <proof prover="1"><result status="valid" time="0.10" steps="186"/></proof> </goal> <goal name="balance'vc.10" expl="precondition" proved="true"> <proof prover="1"><result status="valid" time="0.06" steps="223"/></proof> </goal> <goal name="balance'vc.11" expl="unreachable point" proved="true"> <proof prover="1"><result status="valid" time="0.04" steps="176"/></proof> </goal> <goal name="balance'vc.12" expl="precondition" proved="true"> <proof prover="1"><result status="valid" time="0.16" steps="339"/></proof> </goal> <goal name="balance'vc.13" expl="precondition" proved="true"> <proof prover="1"><result status="valid" time="0.18" steps="733"/></proof> </goal> <goal name="balance'vc.14" expl="precondition" proved="true"> <proof prover="1"><result status="valid" time="0.32" steps="961"/></proof> </goal> <goal name="balance'vc.15" expl="precondition" proved="true"> <proof prover="1"><result status="valid" time="0.04" steps="13"/></proof> </goal> <goal name="balance'vc.16" expl="postcondition" proved="true"> <proof prover="1"><result status="valid" time="0.67" steps="3291"/></proof> </goal> <goal name="balance'vc.17" expl="postcondition" proved="true"> <transf name="split_goal_right" proved="true" > <goal name="balance'vc.17.0" expl="postcondition" proved="true"> <proof prover="1"><result status="valid" time="0.59" steps="2616"/></proof> </goal> <goal name="balance'vc.17.1" expl="postcondition" proved="true"> <proof prover="1"><result status="valid" time="0.76" steps="3310"/></proof> </goal> <goal name="balance'vc.17.2" expl="postcondition" proved="true"> <proof prover="1"><result status="valid" time="0.05" steps="24"/></proof> </goal> </transf> </goal> </transf> </goal> <goal name="decompose_front_node'vc" expl="VC for decompose_front_node" proved="true"> <proof prover="1"><result status="valid" time="1.21" steps="5894"/></proof> </goal> <goal name="decompose_front'vc" expl="VC for decompose_front" proved="true"> <proof prover="1"><result status="valid" time="0.10" steps="286"/></proof> </goal> <goal name="decompose_back_node'vc" expl="VC for decompose_back_node" proved="true"> <proof prover="1"><result status="valid" time="1.41" steps="6608"/></proof> </goal> <goal name="decompose_back'vc" expl="VC for decompose_back" proved="true"> <proof prover="1"><result status="valid" time="0.05" steps="286"/></proof> </goal> <goal name="front_node'vc" expl="VC for front_node" proved="true"> <proof prover="1"><result status="valid" time="0.26" steps="897"/></proof> </goal> <goal name="front'vc" expl="VC for front" proved="true"> <proof prover="1"><result status="valid" time="0.08" steps="364"/></proof> </goal> <goal name="back_node'vc" expl="VC for back_node" proved="true"> <proof prover="1"><result status="valid" time="0.18" steps="718"/></proof> </goal> <goal name="back'vc" expl="VC for back" proved="true"> <proof prover="1"><result status="valid" time="0.07" steps="296"/></proof> </goal> <goal name="fuse'vc" expl="VC for fuse" proved="true"> <transf name="split_goal_right" proved="true" > <goal name="fuse'vc.0" expl="precondition" proved="true"> <proof prover="1"><result status="valid" time="0.06" steps="120"/></proof> </goal> <goal name="fuse'vc.1" expl="precondition" proved="true"> <proof prover="1"><result status="valid" time="0.22" steps="809"/></proof> </goal> <goal name="fuse'vc.2" expl="postcondition" proved="true"> <proof prover="1"><result status="valid" time="0.14" steps="286"/></proof> </goal> <goal name="fuse'vc.3" expl="postcondition" proved="true"> <transf name="split_goal_right" proved="true" > <goal name="fuse'vc.3.0" expl="postcondition" proved="true"> <proof prover="1"><result status="valid" time="0.82" steps="3698"/></proof> </goal> <goal name="fuse'vc.3.1" expl="postcondition" proved="true"> <proof prover="1"><result status="valid" time="0.70" steps="3398"/></proof> </goal> </transf> </goal> </transf> </goal> <goal name="cons'vc" expl="VC for cons" proved="true"> <proof prover="1"><result status="valid" time="0.52" steps="1582"/></proof> </goal> <goal name="snoc'vc" expl="VC for snoc" proved="true"> <proof prover="1"><result status="valid" time="0.55" steps="1890"/></proof> </goal> <goal name="join'vc" expl="VC for join" proved="true"> <transf name="split_goal_right" proved="true" > <goal name="join'vc.0" expl="precondition" proved="true"> <proof prover="1"><result status="valid" time="0.07" steps="497"/></proof> </goal> <goal name="join'vc.1" expl="variant decrease" proved="true"> <proof prover="1"><result status="valid" time="0.15" steps="556"/></proof> </goal> <goal name="join'vc.2" expl="precondition" proved="true"> <proof prover="1"><result status="valid" time="0.20" steps="848"/></proof> </goal> <goal name="join'vc.3" expl="variant decrease" proved="true"> <proof prover="1"><result status="valid" time="0.15" steps="589"/></proof> </goal> <goal name="join'vc.4" expl="precondition" proved="true"> <proof prover="1"><result status="valid" time="0.23" steps="702"/></proof> </goal> <goal name="join'vc.5" expl="precondition" proved="true"> <proof prover="1"><result status="valid" time="0.01" steps="201"/></proof> </goal> <goal name="join'vc.6" expl="postcondition" proved="true"> <proof prover="1"><result status="valid" time="0.08" steps="478"/></proof> </goal> <goal name="join'vc.7" expl="postcondition" proved="true"> <proof prover="1" timelimit="5"><result status="valid" time="2.00" steps="6830"/></proof> </goal> </transf> </goal> <goal name="concat'vc" expl="VC for concat" proved="true"> <proof prover="1"><result status="valid" time="0.24" steps="712"/></proof> </goal> <goal name="insert'vc" expl="VC for insert" proved="true"> <transf name="split_goal_right" proved="true" > <goal name="insert'vc.0" expl="postcondition" proved="true"> <proof prover="1"><result status="valid" time="0.03" steps="37"/></proof> </goal> <goal name="insert'vc.1" expl="postcondition" proved="true"> <proof prover="1"><result status="valid" time="0.07" steps="162"/></proof> </goal> <goal name="insert'vc.2" expl="postcondition" proved="true"> <proof prover="1"><result status="valid" time="0.04" steps="60"/></proof> </goal> <goal name="insert'vc.3" expl="precondition" proved="true"> <proof prover="1"><result status="valid" time="0.03" steps="48"/></proof> </goal> <goal name="insert'vc.4" expl="precondition" proved="true"> <proof prover="1"><result status="valid" time="0.02" steps="4"/></proof> </goal> <goal name="insert'vc.5" expl="variant decrease" proved="true"> <proof prover="1"><result status="valid" time="0.06" steps="197"/></proof> </goal> <goal name="insert'vc.6" expl="precondition" proved="true"> <proof prover="1"><result status="valid" time="0.04" steps="76"/></proof> </goal> <goal name="insert'vc.7" expl="precondition" proved="true"> <proof prover="1"><result status="valid" time="0.04" steps="115"/></proof> </goal> <goal name="insert'vc.8" expl="postcondition" proved="true"> <proof prover="1"><result status="valid" time="0.16" steps="303"/></proof> </goal> <goal name="insert'vc.9" expl="postcondition" proved="true"> <proof prover="1"><result status="valid" time="0.17" steps="581"/></proof> </goal> <goal name="insert'vc.10" expl="postcondition" proved="true"> <proof prover="1"><result status="valid" time="0.21" steps="690"/></proof> </goal> <goal name="insert'vc.11" expl="variant decrease" proved="true"> <proof prover="1"><result status="valid" time="0.08" steps="200"/></proof> </goal> <goal name="insert'vc.12" expl="precondition" proved="true"> <proof prover="1"><result status="valid" time="0.04" steps="68"/></proof> </goal> <goal name="insert'vc.13" expl="precondition" proved="true"> <proof prover="1"><result status="valid" time="0.09" steps="117"/></proof> </goal> <goal name="insert'vc.14" expl="postcondition" proved="true"> <proof prover="1"><result status="valid" time="0.03" steps="194"/></proof> </goal> <goal name="insert'vc.15" expl="postcondition" proved="true"> <proof prover="1"><result status="valid" time="0.09" steps="400"/></proof> </goal> <goal name="insert'vc.16" expl="postcondition" proved="true"> <proof prover="1"><result status="valid" time="0.23" steps="857"/></proof> </goal> <goal name="insert'vc.17" expl="precondition" proved="true"> <proof prover="1"><result status="valid" time="0.13" steps="91"/></proof> </goal> <goal name="insert'vc.18" expl="postcondition" proved="true"> <proof prover="1"><result status="valid" time="0.09" steps="9"/></proof> </goal> <goal name="insert'vc.19" expl="postcondition" proved="true"> <proof prover="1"><result status="valid" time="0.11" steps="182"/></proof> </goal> <goal name="insert'vc.20" expl="postcondition" proved="true"> <proof prover="1"><result status="valid" time="0.08" steps="370"/></proof> </goal> </transf> </goal> <goal name="remove'vc" expl="VC for remove" proved="true"> <transf name="split_goal_right" proved="true" > <goal name="remove'vc.0" expl="postcondition" proved="true"> <proof prover="1"><result status="valid" time="0.02" steps="22"/></proof> </goal> <goal name="remove'vc.1" expl="postcondition" proved="true"> <proof prover="1"><result status="valid" time="0.06" steps="92"/></proof> </goal> <goal name="remove'vc.2" expl="postcondition" proved="true"> <proof prover="1"><result status="valid" time="0.03" steps="10"/></proof> </goal> <goal name="remove'vc.3" expl="precondition" proved="true"> <proof prover="1"><result status="valid" time="0.03" steps="48"/></proof> </goal> <goal name="remove'vc.4" expl="precondition" proved="true"> <proof prover="1"><result status="valid" time="0.01" steps="4"/></proof> </goal> <goal name="remove'vc.5" expl="variant decrease" proved="true"> <proof prover="1"><result status="valid" time="0.06" steps="197"/></proof> </goal> <goal name="remove'vc.6" expl="precondition" proved="true"> <proof prover="1"><result status="valid" time="0.04" steps="76"/></proof> </goal> <goal name="remove'vc.7" expl="precondition" proved="true"> <proof prover="1"><result status="valid" time="0.02" steps="121"/></proof> </goal> <goal name="remove'vc.8" expl="postcondition" proved="true"> <proof prover="1"><result status="valid" time="0.06" steps="136"/></proof> </goal> <goal name="remove'vc.9" expl="postcondition" proved="true"> <proof prover="1"><result status="valid" time="0.14" steps="421"/></proof> </goal> <goal name="remove'vc.10" expl="postcondition" proved="true"> <proof prover="1"><result status="valid" time="0.21" steps="864"/></proof> </goal> <goal name="remove'vc.11" expl="variant decrease" proved="true"> <proof prover="1"><result status="valid" time="0.08" steps="200"/></proof> </goal> <goal name="remove'vc.12" expl="precondition" proved="true"> <proof prover="1"><result status="valid" time="0.03" steps="68"/></proof> </goal> <goal name="remove'vc.13" expl="precondition" proved="true"> <proof prover="1"><result status="valid" time="0.08" steps="123"/></proof> </goal> <goal name="remove'vc.14" expl="postcondition" proved="true"> <proof prover="1"><result status="valid" time="0.04" steps="364"/></proof> </goal> <goal name="remove'vc.15" expl="postcondition" proved="true"> <proof prover="1"><result status="valid" time="0.12" steps="606"/></proof> </goal> <goal name="remove'vc.16" expl="postcondition" proved="true"> <proof prover="1"><result status="valid" time="0.26" steps="944"/></proof> </goal> <goal name="remove'vc.17" expl="precondition" proved="true"> <proof prover="1"><result status="valid" time="0.02" steps="91"/></proof> </goal> <goal name="remove'vc.18" expl="postcondition" proved="true"> <proof prover="1"><result status="valid" time="0.12" steps="11"/></proof> </goal> <goal name="remove'vc.19" expl="postcondition" proved="true"> <proof prover="1"><result status="valid" time="0.05" steps="199"/></proof> </goal> <goal name="remove'vc.20" expl="postcondition" proved="true"> <proof prover="1"><result status="valid" time="0.08" steps="390"/></proof> </goal> </transf> </goal> <goal name="get'vc" expl="VC for get" proved="true"> <proof prover="1"><result status="valid" time="0.60" steps="3211"/></proof> </goal> <goal name="extract'vc" expl="VC for extract" proved="true"> <transf name="split_goal_right" proved="true" > <goal name="extract'vc.0" expl="postcondition" proved="true"> <proof prover="1"><result status="valid" time="0.07" steps="130"/></proof> </goal> <goal name="extract'vc.1" expl="postcondition" proved="true"> <proof prover="1"><result status="valid" time="0.03" steps="70"/></proof> </goal> <goal name="extract'vc.2" expl="precondition" proved="true"> <proof prover="1"><result status="valid" time="0.04" steps="48"/></proof> </goal> <goal name="extract'vc.3" expl="precondition" proved="true"> <proof prover="1"><result status="valid" time="0.01" steps="4"/></proof> </goal> <goal name="extract'vc.4" expl="variant decrease" proved="true"> <proof prover="1"><result status="valid" time="0.05" steps="197"/></proof> </goal> <goal name="extract'vc.5" expl="precondition" proved="true"> <proof prover="1"><result status="valid" time="0.03" steps="76"/></proof> </goal> <goal name="extract'vc.6" expl="precondition" proved="true"> <proof prover="1"><result status="valid" time="0.03" steps="129"/></proof> </goal> <goal name="extract'vc.7" expl="postcondition" proved="true"> <proof prover="1"><result status="valid" time="0.08" steps="345"/></proof> </goal> <goal name="extract'vc.8" expl="postcondition" proved="true"> <proof prover="1"><result status="valid" time="0.37" steps="1316"/></proof> </goal> <goal name="extract'vc.9" expl="variant decrease" proved="true"> <proof prover="1"><result status="valid" time="0.06" steps="200"/></proof> </goal> <goal name="extract'vc.10" expl="precondition" proved="true"> <proof prover="1"><result status="valid" time="0.03" steps="68"/></proof> </goal> <goal name="extract'vc.11" expl="precondition" proved="true"> <proof prover="1"><result status="valid" time="0.07" steps="131"/></proof> </goal> <goal name="extract'vc.12" expl="postcondition" proved="true"> <proof prover="1"><result status="valid" time="0.11" steps="561"/></proof> </goal> <goal name="extract'vc.13" expl="postcondition" proved="true"> <proof prover="1"><result status="valid" time="0.53" steps="1756"/></proof> </goal> <goal name="extract'vc.14" expl="precondition" proved="true"> <proof prover="1"><result status="valid" time="0.13" steps="91"/></proof> </goal> <goal name="extract'vc.15" expl="postcondition" proved="true"> <proof prover="1"><result status="valid" time="0.15" steps="204"/></proof> </goal> <goal name="extract'vc.16" expl="postcondition" proved="true"> <proof prover="1"><result status="valid" time="0.10" steps="385"/></proof> </goal> </transf> </goal> <goal name="split'vc" expl="VC for split" proved="true"> <transf name="split_goal_right" proved="true" > <goal name="split'vc.0" expl="postcondition" proved="true"> <proof prover="1"><result status="valid" time="0.05" steps="130"/></proof> </goal> <goal name="split'vc.1" expl="postcondition" proved="true"> <proof prover="1"><result status="valid" time="0.03" steps="39"/></proof> </goal> <goal name="split'vc.2" expl="precondition" proved="true"> <proof prover="1"><result status="valid" time="0.03" steps="48"/></proof> </goal> <goal name="split'vc.3" expl="precondition" proved="true"> <proof prover="1"><result status="valid" time="0.02" steps="4"/></proof> </goal> <goal name="split'vc.4" expl="variant decrease" proved="true"> <proof prover="1"><result status="valid" time="0.07" steps="197"/></proof> </goal> <goal name="split'vc.5" expl="precondition" proved="true"> <proof prover="1"><result status="valid" time="0.10" steps="76"/></proof> </goal> <goal name="split'vc.6" expl="postcondition" proved="true"> <proof prover="1"><result status="valid" time="0.06" steps="335"/></proof> </goal> <goal name="split'vc.7" expl="postcondition" proved="true"> <proof prover="1"><result status="valid" time="0.10" steps="231"/></proof> </goal> <goal name="split'vc.8" expl="variant decrease" proved="true"> <proof prover="1"><result status="valid" time="0.08" steps="200"/></proof> </goal> <goal name="split'vc.9" expl="precondition" proved="true"> <proof prover="1"><result status="valid" time="0.03" steps="68"/></proof> </goal> <goal name="split'vc.10" expl="postcondition" proved="true"> <proof prover="1"><result status="valid" time="0.08" steps="427"/></proof> </goal> <goal name="split'vc.11" expl="postcondition" proved="true"> <proof prover="1"><result status="valid" time="0.08" steps="272"/></proof> </goal> <goal name="split'vc.12" expl="postcondition" proved="true"> <proof prover="1"><result status="valid" time="0.03" steps="161"/></proof> </goal> <goal name="split'vc.13" expl="postcondition" proved="true"> <proof prover="1"><result status="valid" time="0.05" steps="10"/></proof> </goal> </transf> </goal> </theory> </file> </why3session> ��������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������why3-1.6.0/examples/avl/avl/why3shapes.gz�����������������������������������������������������������0000664�0000000�0000000�00000034664�14401600263�0020243�0����������������������������������������������������������������������������������������������������ustar�00root����������������������������root����������������������������0000000�0000000������������������������������������������������������������������������������������������������������������������������������������������������������������������������������}i7w6c},/a 4vYJm{vFL2+*$YΪ,2G7~ٽ{17_=?9~r.x}ݽףWoGv*JE|LK%i:jl Yz.~Bs&Zc1v1G7#{Ļos_S۾�/BWonuO[ﯟXqz# /ʮSR߱.ttv> Fz:Nxodϵqs9 OeG 84H~{s23q|>E:die1`NkixK]ozM 4b~E9r22iFzEz0P00wo6]>XUWo?ߟ k1*=FWzL/pto0fGӰᩈat@_~tנ??ڌXW7ӛ_^oU0iNFB8/XUtQ7LG2 y | BCB At B4 /'2 ۶7]W׎(G'鏢NoU:P>>`@F;~(>'Nuܢ-dotTOv}Er Dž&7t:JS>&/P >Z 0:3/o5ٳ�~O^4ܹD^~a=<G/ =Ÿ)Ux`O7{Z ;οNǬs|>W1ďÈ+i &x'=7&*ܴ4J3<7ulaCOi&pzoTˈsW>zgQ;F{Te4Qo:$(u(Q&M|Q B0dx#|g)R>=⫏<ԡG%H $`bDoFLfQ(^<>PG~TM%*-ز;cƎw xс (;wO4\EO]}Wǻ?xOSd*/e em(ݙQˑ%k2r0PuMH߈6A2G)r9i #H30|& `p54:j:lU@]H߀/,bĠXEHFݎG.Gb,c0~zsO~;JxAu`Yx2"b J :铤ۑ?`%Os fyN9ȗYWL(>^b 5@<*y9U}5,%~Љ~T"V1#H�LFtOg[Ow*|&ϔ(^x&"<3j$^Yy`7裶V^vl"oS!PF١Cu5E4(urHP2ڗU 5O6yC`ƌ¡:|ECpN!yU$^Q:}Dkwi#}_ޝu`дOy#�FDKAFp :9C(TjA8 (#8A" p� 1ܬQX=o8o~o<_qj'*TZ |ޡJ}7'M\@dUEjR!uBjPhZ@*Q+A;ZA#곩@ꛣւ6esis!ʹi8?PMtn7yx)PDv8 lȺxD4 :LM8<OԷy.p%w1m{ucCN6K .4r2?1Ĺ<gXH u4|Ddpw1j #,u mґΩGOHeȺ\ ?uwhȃ5"y(5TjhpS{a7pu Aˬ;*|rZУ { {;�@"^"tbCN!BA6!|CI`Aa2 KΆ AAz)D"&DE#XD "Ґs!"h|QQ�#�Y \�@6b,{�uw_'Ьh>N 4:4]SU&8rGxi-;]evW?wUaчa> ^A~Tx͋S+H6V#Y$a*M\\}K>l5.�=8E+Y!aAY? 9e5bpҘ~i'K?ҍ.(y7s�(sw1uHݚh:넺@ݡ&nrTQ" y6u>q \oXm2 H9 H"KmC7"#EuE\D6H( El.-\A~w3M0\D2(l>;l)grd-ƈw 6(ThSa=ꌖlFnqi K?Fd+k!.ghiz)[(.di2tf(g1 V.2?^?xBCMRFNkj2O`02;jgq\j<g."<$G%7wSVCMg &aDԟ 2  ) ^PhsȱT3 LhG/g i&yQ SJ=�3�гr`[ i+ s՛@W@v:m m 9J25䶳wn;{.uϟm7|f%x׌GJ 73g %mg~Տ}dizXNRnvo+) CFD: @IuPcSZV{{I \҉T$zm&'܉pЊj2BrB:_fx`%91ƫerp Z,#*:ٽu:/ba7bf,~vSm+^%F4Ѝ?@~y;Dpǎ`$0@i_2.8Mypb�=6Ȁg I-#3^F=Ը0wFd28D4'EVha#28Qb 'J\dl:g7Bd@Ɩpbg|qc+1cd3FFäWq[w�`o �~8~k <bG-Z-ݘaG6�p WࣝicՙXYn:'źsRavo9௿fv�;'�|f&�,:'5;9f��V�sLEHܒvv75`.YKN@x?lÀS=wiaSIM9N*IYД*ON]FCCTzXޜnl8pM wag]ԼA1W^l Ndd 4퓧X`Y/˝(oO]erCPvw[DZV37.LAӨ\i`sk(8A5o7EfV|f ܌tQő )7YR-q*i8" (8acÒ9X" yӳ'Ӟsl.'$R!3IQtf^(jq4,Xf@?ƶPjܳ>֮2=lJAggRQ &~.v8jVnko6rɢ|rS r|q9iom5[rSMyM ;둛^?!7'Qot YnVnklÖkͺjl󲼚tb]Sl wWnVlk͜.6?Dsd!ϐ"[xMgYQ.pHA"[⑏w(nW;dG'>cze=/Ǽ:vg-%]>| B Oyd)' M& _0'/f(ӂs'CE'C$t([1sF MF,zHqvZ0))Lbr jDⵤ.6LjǍfr^lTvYX+P>"> ,It Ƅ S ybi)ee[VޙviDUydswi :b' SELp2m0K 1m)ǎ<Jm/F C")(@wdj,@w04%4~/9#>s>^:t5^S1?aȢs 0gXԘ>}' $sy-cS7f9u7.Խ69Q..L4dU-j~@X;&7.& U1˘ (w1ٻBK z ˴=/ϟ@L,ӭuzBƵuF qKQ�4!Y? $:e7 mF�l?˚'T)@C0g)YxO،T~Vኰ)X(ۄ 33T6蹇pM$.lV O{g -!j?k?yPaca3&e. l|fR~ 6h߂�;�|�pk;(mµz�/>vP =z��N%S FFذr�`lQIaadE�qvf*~37 gg_'+ìu?8hIAKhM:$Y>d ӼXAT9.A⑌(H8`Ï7‹'��Y�� �@=L8[�W2|>i}Z[7C]pNŪ_:^HYp?z,s~|.ǣ]c!\8%sprq ?0inilE%�~\9ϖ,DnM#.aX/ǖcг`<Э]aK[$ɖz r–~+2[1f4,[ĽΖa3YlĘ?1O>GZrSj0?Ksy/|ƞ͋Sa7OMb=34[Oà>atϖ~qe16&>&.;xkH@9#?NT�U.vB#F|#™`r#i쵌>=wmV/[urlŵeV wY{<c;xvW#,YqժR5OKG/͐NoqH[1 K4lJLÕe8L\.rFȿt;D9I3M*F$k9u?#Y̧͟m@?=~K"d;m ]�\*v-Y5Z_b]oȴe  KCVe۷&n O\eԵ<v&rt KOs[0'!5S|cɆ=L{Y?tz gx(; AqiM~p\Aj,v[.ՖY$R\;j̱Z~"DUt Knb~JO'<}RS.U\/ܜbn 0{,Vw4>H燷<{$?GknK?e"2NCLp=}mɵ$@I=G8cq5$O9ÒSuqI;3'z&B :I!B$~^dN6divz9E^B̬8<�p e�p!�|X#�̥ cM,]X\Q97;�l�:�@!.S� S>Td�P�}j:_�<E�6O?G7Oo96ľryd}Acc_yIPHWcP:EHCK(!\gp|L)4[T(o8K:=i; leW>`H &s!2N} oV#E)><wTϯUk ~/'3!Oo]Џ<͂P^w3!z˯&xlpլr'b2 RBu=59}hfD>Rǒ1GIv=yq*3 xsɰI%6#ćrC.nvO{<nDǓ]Jg8dٸL,vxT1_`| [5IG;G~\bi!<6nۏ^]<[Q7KDlJyF򌄘"dg%]^hU* &T$Cl!\o*I/XjAcE酖R2Qr/r(YnlA#G%aT30j`!PZ@ B$5~{˅FPL⡱;PHWj6+<ü|SNTP}*p30,(BHow|a%ʳ9񳽊dLkԿSK<.tWV!.kkvH BaEH,|XTgl|9fnsI[LN݃:6Y3غ(E ?W�<v. 4"υWB'&Ћdve@qSGlN�&<*5@v 'mJ٦4vT˭9h12~ @ye\1rb/(@~0Urb|CN=j#i KvI0Ü Kx+`FV䋰DKcA`)FtZt\A), *^ᴩea(vx@Q,יE췇4vAeƫϻ+lw4Wت#俓&<A5 5WaFaHQto~]҉܊Nu"we ='8߰?˶Z̭Vmv[o(v؁bWqY~ =p q#S$ ylӾ$Ujv^2Я+LL j9ćp-3$Z 6n,5ZYj`'.Sgl٢x'bRgbf1Hg+Y4?_޴BM {){vڧ-nMagw 6<;H xd_=6+ _6BufLYȓ"Xfٔ|X;4Z zN=\Fa(. j8pm4xD0}/\ SsibOMtAGG]-TS61 (8g,glt?.!eI'‰8ƈY yu ;$[zz{^{-Rjd@Kg cDOds$IL7E0 ^T&O$O7wH)'Me\9|Ӑ$͓2RDf, 6[اNWSd2M9O53 KJa΢^K爒^n[t8%->7F̌lt@*8vؠ\ύxI>g5x//lI+|(#g79S /G^T9g$:Rd� B}Motue%N٠Sn΢H'mR#|V"nFTX0agoPķZuTjpSob [Hr p؋? >YҥSq#?!-"O !!wvxM I.q6ѓU$Rivߩ%S( ƚ6.8:JB0,Cx1ӡ-|"IDCߊ9uƓdd@w)*aό�:s Z碀) 9t|(@4#WC#aOP SAP4!CPhG^ҘJjV[}. t/@,%.�@tY - 7 ^{#) t<捝K*Rہ@dfȔ@Dll r+^aDy?1[ ODDJPhTZ q3&bI<H#Ŏ/)tC;h2@#'C~ w"펰an`N/ǥƚ+Q3W!@D=+P5ԣφx~dZ8a{5CmP #Ŏ;R~4vA~/<vq"Zh?mV Dq4reH|Sx8:fOJڝ&f* p^0ل&6~A6stb/Y%L<]pH33d6^,5e7YVŔ_[8&cC6%^jM>8JnvCzҎ9yӻ@RFNjZsY)9^K Nקjo{kBCNUaoM(X*io56[c-[0%~]Ze,Tc;Ͽ5O~{qblj'^N)LP$ZNP4 8hLһ]>Gvǐ7XOMX;wiC\;0L K 5 Q=Y5 *}X&9>)ɫ(R謱 Y-g 06<呝l(2iӆ fJVTjfTF*ZRGT TT:d$zoOmz%;ǰsj`5wI>_@YWӬ@C3r+1k1]j<FJ\Z.Eq|zda ^ƅ)~e5zplcNwUiư J6Kʂ=_?P z~tc6{RJ7o1szFύpQ -1n:/Yם@GU3ES3sf% σw8XadAqiq8CfEr|F<hfe-[0vs gn?ۋČQ/&FjlF*^&F=Z 3ꗢbOzMݧ2E4)S~8;*4FɨQodm?oHjp87K[gA6[`blfseLK{17f㭧(:ͣA'?AՃD'[tdyNȚeWC+SL @Ԑ禺SM>}&gؠ&ોyF(}Pdu(3d-@lNQ]o9c {s+==2ƆN鸲 `W(~$e~mldgu[D_tvAEBmc|Pd|;P�dhѥl)φߍwgҋ|wjF j=fjZ}/TQK'S-}Ц.G}t1"mBM]g޸Y~z/py9;iP;xgēٸG|3Q�s^/]ɏώy-ta**C"` oZ0B [0.ϵ$ {י8`^4Kǚ4 ux/}1RGH#)ticϏlBPӨL/9 c$>eyrM7#_sO;(VAċCR%郝dPa3Ktڑ=hx7}YK>+;O9śvpHK_#NROŔNA܇p R^B[D>朣6>rzO v>Na/8 !v_9/|_x/a,^!'ka ×|YZ,2/kKU�0̧}cѹo,ZXbuX�_ ^z�s*׍/W�f�_`sL0/(L$DQ4gG"L"()\^$XdL+Vˑ`TSO fb$XXU>4ӤVΘe X3L~?+P4e;sGs|*VA.[Uh>'Ţ֒ĨחR&LDk6%G2=M.+:N,&bVu)NZń$}fUUȠOCϴ`aόl9_x6ϵfsHBC@.e7 ] <Τw.ƣHJ^}$↓8z:9}%Hֺ)) Kw^YֵqVJ*靴Rew٫8mnyۚZ;)٬611}ڪLř07=>F߫Wڸ{ѸΉZ9!Mk/n敩k_7sWme\ZmZBAΨ hLkN V1\u}=W\sq9qծм RK=ܔz&k\ Q\pj):vI5!w7lۮS/B ~R0~M]oYFw¶FpT'A_tS x W·57FU]ճ鱢ش�e5or{e9f9̮7 ܮpp0Eҵ7;*kݽKmUyiV bF{ɖu%1Yj7gUJX#-Bmڶjyc H}/rֶL 3x Wv@PozH{/rVq6mjʘSt͍re$s� +WEw5-|wZ˵5 @oL^Im ZiWuum7z 0]{ڦ7Jޫ}(!ya({HɼQ�!+oTW�s-=`;W/TvYYBˆγS}\^[hx塽]Sn ]oe=ef:iZZfVf Ixoj^;ƼWu [PUl[y*[ YwC^՝ u^ �@:^`N; r?< ~9B  2V o20CQگWnaVunz ෰4z@~AiC{`+ЯTo q�ڮ@JJ[u1 B׀ �@a0 附(o5+ktӁRn$n 7+᪩Tߨ ao+ԠH%HSP`�(?Z ֜П[oZCXXn;І.Q|5:�}_׵\YHnfe|/;Av0 Ʈjn,[j g-`뀇{2~ZF+e5c2JvՍvc4Z<CȠ֖rb{?TwV׍c"6C*)8h@~ h? O`�Ljġ5ƻC! J#\@uޭtԃ9`d4`2E+~_yniF6@i5i㌅u+UA@äXWWb2 *,0 u cmåj 8ՌIޚO WU[fR/0xTFW,* #_ beΚBX&tXХ p 3/3;Wi C*d !R5{2 x4T�,�5 1Q4dyTT%Pw$ U4Ps08SxwWf�muX8LZ WyKW(B%P;i,%؂~VXa+AD8+5C , R9[с\hb-ݽJ+`"B0 أX� <ւali9[BHM(bU`;;OTT.o;CT�?`�)� kP #ŕi m" f `pn8a\b;V&*LU79 \.:pP\m f`hj?XKUiB74P3xk{/,uxAo g�:zxi�R$kB ڙH�j:h !j!tRhW߸ڪ]K޵%5Y펄k) dZTkИ쯻nգ Wq!v! 8CK|10 ++a@߮Qkla !CCӳ0`�9`l- .6(j<MCAځٳ-gGlPwHvvd` F9ЦSk@Pz mك\ala`s0& f]0Rmn[?<dbYӴ ,ojb$XQ*Vԯ-w۲XhW[ T A.[9XTiAl4`lQ,UVqFyG!C6(p0DEPo "7(iey �頨LȺ]D�s1ǶAV GkczA�)&H8/a�iП <h �u55�>Lܠ`%kmke�̵D(r:9`t�ش`cM8PnP[Phoi�EnP[q^ia-p=kivc6rrPfܯ )^BP/%X$[U(L�;EgA$ |d ; h֪}Aa :Q{=0ABC6(@1&N*UH4;jb H'.mUuAmm4 :P$ﭭAZ; ?; R@'L*5 皠 mj0tN`gô�R ٠W0VR8X`lPlehW`v@cԠD+Apك)fy:jޢL*Tj) @+ *πC6(MXu^1h$+2zK݃f`yP@`i8�Uk_A( ~ցYv2�np%mc <0 �*%N2*؎MPC* h(Wwܪ J~!xG$Pȑ ,!ɡ (#`}fԖh .m jh؁rSlqAt6 ȬG F0o^K \+ĠAV3mŁUPKJ$( m3 k@|hX� w7 : FԸpXwNx r-0@x%&yksFAou`iqw^ 2&o@2P(I-AXMuLl8P.z(sm,c0-x$(ozn{0nڳg`h FOSop89 tHDD6US Un�,*XUCˆZU f bc`Y^yx8Nfdt!<gR45)Fނ^EeS,Yc &[gVf8^FGh&È`lDJL/‚%V9z^hq93U|D�����������������������������������������������������������������������������why3-1.6.0/examples/avl/key_type.mlw����������������������������������������������������������������0000664�0000000�0000000�00000000647�14401600263�0017365�0����������������������������������������������������������������������������������������������������ustar�00root����������������������������root����������������������������0000000�0000000������������������������������������������������������������������������������������������������������������������������������������������������������������������������ (** {1 Values equiped with keys} Author: Martin Clochard This file describe types for values equiped with keys, a priori in the purpose of identification. It is mostly intended to factor the representations for sets/map-like structures, as it can be used both for elements and key-value pairs. *) (** {2 Keyed type.} *) module KeyType type t 'a type key val function key (t:t 'a) : key end �����������������������������������������������������������������������������������������why3-1.6.0/examples/avl/key_type/�������������������������������������������������������������������0000775�0000000�0000000�00000000000�14401600263�0016635�5����������������������������������������������������������������������������������������������������ustar�00root����������������������������root����������������������������0000000�0000000������������������������������������������������������������������������������������������������������������������������������������������������������������������������why3-1.6.0/examples/avl/key_type/why3session.xml����������������������������������������������������0000664�0000000�0000000�00000000422�14401600263�0021653�0����������������������������������������������������������������������������������������������������ustar�00root����������������������������root����������������������������0000000�0000000������������������������������������������������������������������������������������������������������������������������������������������������������������������������<?xml version="1.0" encoding="UTF-8"?> <!DOCTYPE why3session PUBLIC "-//Why3//proof session v5//EN" "http://why3.lri.fr/why3session.dtd"> <why3session shape_version="6"> <file format="whyml" proved="true"> <path name=".."/><path name="key_type.mlw"/> </file> </why3session> ����������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������why3-1.6.0/examples/avl/key_type/why3shapes.gz������������������������������������������������������0000664�0000000�0000000�00000000055�14401600263�0021275�0����������������������������������������������������������������������������������������������������ustar�00root����������������������������root����������������������������0000000�0000000������������������������������������������������������������������������������������������������������������������������������������������������������������������������������R(H,H-V(K-*ϳR0S�&��������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������why3-1.6.0/examples/avl/monoid.mlw������������������������������������������������������������������0000664�0000000�0000000�00000003543�14401600263�0017017�0����������������������������������������������������������������������������������������������������ustar�00root����������������������������root����������������������������0000000�0000000������������������������������������������������������������������������������������������������������������������������������������������������������������������������ (** {1 Abstract monoids} Author: Martin Clochard *) (** {2 Abstract logic monoid} *) module Monoid (** Elements of the monoid. *) type t (** Neutral element. *) constant zero : t (** Composition law. *) function op (a b:t) : t (** Monoid properties. *) axiom assoc : forall a b c:t. op a (op b c) = op (op a b) c axiom neutral : forall x:t. op x zero = x = op zero x end (** {2 Abstract monoid with aggregation} *) module MonoidSum use seq.Seq clone import Monoid as M with axiom . function agg (f:'a -> t) (s:seq 'a) : t axiom agg_empty : forall f:'a -> t. agg f empty = zero axiom agg_sing : forall f,s:seq 'a. length s = 1 -> agg f s = f s[0] axiom agg_cat : forall f,s1 s2:seq 'a. agg f (s1 ++ s2) = op (agg f s1) (agg f s2) end (** {2 Definition of aggregation (refinement of MonoidSum} *) module MonoidSumDef use seq.Seq use seq.FreeMonoid (* TODO: do that refinement correctly ! *) clone import Monoid as M with axiom . let rec ghost function agg (f:'a -> t) (s:seq 'a) : M.t variant { length s } = if length s = 0 then zero else op (f s[0]) (agg f s[1 ..]) lemma agg_sing_core : forall s:seq 'a. length s = 1 -> s[1 ..] == empty let rec lemma agg_cat (f:'a -> t) (s1 s2:seq 'a) ensures { agg f (s1++s2) = op (agg f s1) (agg f s2) } variant { length s1 } = if length s1 <> 0 then let s3 = s1[1 ..] in agg_cat f s3 s2 clone MonoidSum as MS with type M.t = M.t, constant M.zero = M.zero, function M.op = M.op, goal M.assoc, goal M.neutral, function agg = agg, goal agg_empty, goal agg_sing, goal agg_cat end (** {2 Computable monoid} *) module ComputableMonoid clone export Monoid with axiom . (** Abstract routines computing operations in the monoid. *) val zero () : t ensures { result = zero } val op (a b:t) : t ensures { result = op a b } end �������������������������������������������������������������������������������������������������������������������������������������������������������������why3-1.6.0/examples/avl/monoid/���������������������������������������������������������������������0000775�0000000�0000000�00000000000�14401600263�0016271�5����������������������������������������������������������������������������������������������������ustar�00root����������������������������root����������������������������0000000�0000000������������������������������������������������������������������������������������������������������������������������������������������������������������������������why3-1.6.0/examples/avl/monoid/why3session.xml������������������������������������������������������0000664�0000000�0000000�00000003015�14401600263�0021310�0����������������������������������������������������������������������������������������������������ustar�00root����������������������������root����������������������������0000000�0000000������������������������������������������������������������������������������������������������������������������������������������������������������������������������<?xml version="1.0" encoding="UTF-8"?> <!DOCTYPE why3session PUBLIC "-//Why3//proof session v5//EN" "http://why3.lri.fr/why3session.dtd"> <why3session shape_version="6"> <prover id="1" name="CVC4" version="1.5" timelimit="5" steplimit="0" memlimit="1000"/> <prover id="2" name="Alt-Ergo" version="2.0.0" timelimit="1" steplimit="0" memlimit="1000"/> <file format="whyml" proved="true"> <path name=".."/><path name="monoid.mlw"/> <theory name="MonoidSumDef" proved="true"> <goal name="agg'vc" expl="VC for agg" proved="true"> <proof prover="2"><result status="valid" time="0.01" steps="15"/></proof> </goal> <goal name="agg_sing_core" proved="true"> <proof prover="2"><result status="valid" time="0.00" steps="22"/></proof> </goal> <goal name="agg_cat'vc" expl="VC for agg_cat" proved="true"> <proof prover="2"><result status="valid" time="0.07" steps="378"/></proof> </goal> <goal name="MS.M.assoc" proved="true"> <proof prover="2"><result status="valid" time="0.00" steps="2"/></proof> </goal> <goal name="MS.M.neutral" proved="true"> <proof prover="2"><result status="valid" time="0.00" steps="3"/></proof> </goal> <goal name="MS.agg_empty" proved="true"> <proof prover="2"><result status="valid" time="0.00" steps="3"/></proof> </goal> <goal name="MS.agg_sing" proved="true"> <proof prover="1"><result status="valid" time="0.03" steps="14595"/></proof> </goal> <goal name="MS.agg_cat" proved="true"> <proof prover="2"><result status="valid" time="0.00" steps="2"/></proof> </goal> </theory> </file> </why3session> �������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������why3-1.6.0/examples/avl/monoid/why3shapes.gz��������������������������������������������������������0000664�0000000�0000000�00000001060�14401600263�0020726�0����������������������������������������������������������������������������������������������������ustar�00root����������������������������root����������������������������0000000�0000000������������������������������������������������������������������������������������������������������������������������������������������������������������������������������SMo0 W5 ; $&HۯةSȧǯgM{zC>ۿ|im{;*/-v/w /7*nߜ5[t�ܖJ,7)0Euu8E!XI㞟O v{MNcˏNSz2ei6uj$(2Kp{z+XTJy)Zͧߝ$5 pQ20VY,z+]/ao7tZ‡ K-�uey@m!3/֋*ʭQ>..=.Ҡ&ңcOz"0 [$&84e#Fot R1Ϛn:xJη4+L!6q'^1uv"wz1鑜b̖ Vg01z(cGGҗ-nGTvURF..2X>i2Gt9b&6$ʨTz2O}����������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������why3-1.6.0/examples/avl/preorder.mlw����������������������������������������������������������������0000664�0000000�0000000�00000002554�14401600263�0017355�0����������������������������������������������������������������������������������������������������ustar�00root����������������������������root����������������������������0000000�0000000������������������������������������������������������������������������������������������������������������������������������������������������������������������������ (** {1 Preorders} Author: Martin Clochard *) (** {2 Extended preorder theory} *) theory Full (** Standard preorder theory. *) type t predicate le t t clone export relations.PreOrder with type t = t, predicate rel = le, axiom . (** Definable symbols for equality and strict ordering. *) predicate eq t t axiom eq_def : forall x y. eq x y <-> le x y /\ le y x predicate lt t t axiom lt_def : forall x y. lt x y <-> le x y /\ not le y x (** Equality is provably an equivalence relation. *) clone relations.Equivalence as Eq with type t = t, predicate rel = eq, lemma Trans, lemma Refl, lemma Symm (** Strict ordering is indeed a strict partial order. *) clone relations.PartialStrictOrder as Lt with type t = t, predicate rel = lt, lemma Trans, lemma Asymm end (** {2 Total preorder} *) theory TotalFull clone export Full with axiom . clone export relations.Total with type t = t, predicate rel = le, axiom Total clone relations.Total as Lt with type t = t, predicate rel = le, goal Total lemma lt_def2 : forall x y. lt x y <-> not le y x end (** {2 Computable total preorder} *) module Computable use int.Int clone export TotalFull with axiom . (** Comparison is computable. *) val compare (x y:t) : int ensures { result > 0 <-> lt y x } ensures { result < 0 <-> lt x y } ensures { result = 0 <-> eq x y } end ����������������������������������������������������������������������������������������������������������������������������������������������������why3-1.6.0/examples/avl/preorder/�������������������������������������������������������������������0000775�0000000�0000000�00000000000�14401600263�0016626�5����������������������������������������������������������������������������������������������������ustar�00root����������������������������root����������������������������0000000�0000000������������������������������������������������������������������������������������������������������������������������������������������������������������������������why3-1.6.0/examples/avl/preorder/why3session.xml����������������������������������������������������0000664�0000000�0000000�00000002436�14401600263�0021653�0����������������������������������������������������������������������������������������������������ustar�00root����������������������������root����������������������������0000000�0000000������������������������������������������������������������������������������������������������������������������������������������������������������������������������<?xml version="1.0" encoding="UTF-8"?> <!DOCTYPE why3session PUBLIC "-//Why3//proof session v5//EN" "http://why3.lri.fr/why3session.dtd"> <why3session shape_version="6"> <prover id="1" name="Alt-Ergo" version="2.0.0" timelimit="1" steplimit="0" memlimit="1000"/> <file format="whyml" proved="true"> <path name=".."/><path name="preorder.mlw"/> <theory name="Full" proved="true"> <goal name="Eq.Refl" proved="true"> <proof prover="1"><result status="valid" time="0.00" steps="3"/></proof> </goal> <goal name="Eq.Trans" proved="true"> <proof prover="1"><result status="valid" time="0.01" steps="48"/></proof> </goal> <goal name="Eq.Symm" proved="true"> <proof prover="1"><result status="valid" time="0.00" steps="5"/></proof> </goal> <goal name="Lt.Trans" proved="true"> <proof prover="1"><result status="valid" time="0.01" steps="49"/></proof> </goal> <goal name="Lt.Asymm" proved="true"> <proof prover="1"><result status="valid" time="0.00" steps="5"/></proof> </goal> </theory> <theory name="TotalFull" proved="true"> <goal name="Lt.Total" proved="true"> <proof prover="1"><result status="valid" time="0.00" steps="11"/></proof> </goal> <goal name="lt_def2" proved="true"> <proof prover="1"><result status="valid" time="0.00" steps="13"/></proof> </goal> </theory> </file> </why3session> ����������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������why3-1.6.0/examples/avl/preorder/why3shapes.gz������������������������������������������������������0000664�0000000�0000000�00000000556�14401600263�0021274�0����������������������������������������������������������������������������������������������������ustar�00root����������������������������root����������������������������0000000�0000000������������������������������������������������������������������������������������������������������������������������������������������������������������������������������mT1 lljmFgҢ\l;'9g@\|y^?wkX.I3d8;H8#g)z񴼟WBKy8s<-x7SF<OK ]F:43o5c18a nR&M/ T(t6UL,L7FnT)BнUM5t4?SF+.Aj@ڜ-I@U EKUA!zmRD@X-Qq͗p`n@kh޵n9:I*e:Qz ����������������������������������������������������������������������������������������������������������������������������������������������������why3-1.6.0/examples/avl/priority_queue.mlw����������������������������������������������������������0000664�0000000�0000000�00000027713�14401600263�0020624�0����������������������������������������������������������������������������������������������������ustar�00root����������������������������root����������������������������0000000�0000000������������������������������������������������������������������������������������������������������������������������������������������������������������������������ (** {1 Logarithmic-time mergeable priority queues implementation on top of AVL trees} Author: Martin Clochard *) module PQueue use int.Int use avl.SelectionTypes use option.Option use ref.Ref use import seq.Seq as S use seq.FreeMonoid use mach.peano.Peano as I (** {2 Implementation parameters} *) (** Balancing level is kept abstract. *) val constant balancing : I.t ensures { result > 0 } (** The Elements of the priority queue are indexed by totally ordered keys. Moreover, this order can be effectively decided. *) scope D type t 'a end scope K type t end clone export key_type.KeyType with type t = D.t, type key = K.t clone preorder.Computable as CO with type t = K.t, axiom . (** {2 Instantiation of the AVL tree module} *) (** Use the minimum monoid to measure sequence of elements by their minimum value. We extend it with a minimum element in order to measure empty sequences. *) scope M type t = option K.t constant zero : t = None function op (x y:t) : t = match x with | None -> y | Some a -> match y with | None -> x | Some b -> if CO.lt b a then y else x end end let lemma assoc_m (x y z:t) : unit ensures { op x (op y z) = op (op x y) z } = match x , y , z with | None , _ , _ -> assert { true } | _ , None , _ -> assert { true } | _ , _ , None -> assert { true } | _ -> () end let lemma neutral_m (x:t) : unit ensures { op x zero = x = op zero x } = match x with None -> () | _ -> assert { true } end clone export monoid.Monoid with type t = t, constant zero = zero,function op = op,lemma assoc,lemma neutral clone export monoid.MonoidSumDef with type M.t = t, constant M.zero = zero,function M.op = op,goal M.assoc,goal M.neutral let zero () : t ensures { result = None } = None let op (x y:t) : t ensures { result = op x y } = match x with | None -> y | Some a -> match y with | None -> x | Some b -> if CO.compare b a < 0 then y else x end end end (** Elements are measured by their keys. *) scope D let function measure (d:D.t 'a) : M.t = Some d.key end (** In priority queue, we are looking for the minimum element. No outside information is required to perform such search. *) type selector = unit (** We can only select the minimum in a non-empty sequence. *) predicate selection_possible 'e (s:seq 'g) = length s <> 0 predicate lower_bound (x:K.t) (s:seq (D.t 'a)) = forall i. 0 <= i < length s -> CO.le x s[i].key predicate lower_bound_strict (x:K.t) (s:seq (D.t 'a)) = forall i. 0 <= i < length s -> CO.lt x s[i].key (** We are interested in split where the middle element is the minimum of the sequence. In order to make sure that the same element is returned at each search, we enforce that such split corresponds exactly to the first occurrence. *) predicate selected 'e (e:split (D.t 'a)) = match e.middle with | None -> false | Some d -> lower_bound d.key e.right /\ lower_bound_strict d.key e.left end (** The summary of a sequence is indeed its minimum element. *) let rec lemma monoid_sum_is_min (s:seq (D.t 'a)) : unit ensures { match M.agg D.measure s with | None -> length s = 0 | Some a -> lower_bound a s /\ exists i. 0 <= i < length s /\ CO.eq s[i].key a end } variant { length s } = if length s <> 0 then begin let q = s[1 ..] in monoid_sum_is_min q; assert { M.agg D.measure s = M.op (D.measure s[0]) (M.agg D.measure q) }; assert { forall i. 0 <= i < length q -> q[i] = s[i+1] } end (** The middle element of a selected split is indeed the minimum. *) let lemma selected_is_min (s:'d) (e:split (D.t 'a)) : unit requires { selected s e } ensures { let s = rebuild e in match e.middle with | None -> false | Some d -> M.agg D.measure s = Some d.key end } = match e.middle with | None -> absurd | Some d -> monoid_sum_is_min e.left; monoid_sum_is_min e.right; assert { let l = M.agg D.measure e.left in let r = M.agg D.measure e.right in let t = M.agg D.measure (rebuild e) in let v0 = Some d.key in t = v0 by t = M.op l (M.op v0 r) /\ M.op l v0 = v0 = M.op v0 r } end let selected_part (ghost lseq rseq:seq (D.t 'a)) (s:unit) (sl:M.t) (d:D.t 'a) (sr:M.t) : part_base unit requires { sl = M.agg D.measure lseq /\ sr = M.agg D.measure rseq } returns { Here -> let e2 = { left = lseq; middle = Some d; right = rseq } in selected s e2 | Left rsl -> selection_possible rsl lseq /\ forall e. selected rsl e /\ rebuild e = lseq -> selected s (right_extend e d rseq) by match e.middle with | None -> false | Some d2 -> M.agg D.measure lseq = Some d2.key so lower_bound d2.key (cons d rseq) /\ lower_bound d2.key e.right end | Right rsr -> selection_possible rsr rseq /\ forall e. selected rsr e /\ rebuild e = rseq -> selected s (left_extend lseq d e) by match e.middle with | None -> false | Some d2 -> M.agg D.measure rseq = Some d2.key so lower_bound_strict d2.key (snoc lseq d) /\ lower_bound_strict d2.key e.left end } = let kd = d.key in monoid_sum_is_min lseq; monoid_sum_is_min rseq; match sl , sr with | None , None -> Here | None , Some a -> if CO.compare kd a <= 0 then Here else Right () | Some a , None -> if CO.compare kd a < 0 then Here else Left () | Some a , Some b -> if CO.compare kd b <= 0 then if CO.compare a kd <= 0 then Left () else Here else if CO.compare a b <= 0 then Left () else Right () end (** Full instantiation of the avl module. *) clone avl.AVL as Sel with type selector = selector, predicate selection_possible = selection_possible, predicate selected = selected, val selected_part = selected_part, goal selection_empty, val balancing = balancing, type D.t = D.t, val D.measure = D.measure, type M.t = M.t, constant M.zero = M.zero, function M.op = M.op, goal M.assoc, goal M.neutral, function M.agg = M.agg, goal M.agg_empty, goal M.agg_sing, goal M.agg_cat, val M.zero = M.zero, val M.op = M.op (** {2 Adaptation of specification to priority queues} *) type t 'a = Sel.t 'a (** Model: a bag of data with a minimum element. The point of the minimum is that we want the returned minimum element to be always the same, modulo preorder equivalence is not enough. *) type m 'a = { bag : D.t 'a -> int; minimum : D.t 'a; card : int; } (** Conversion from sequences to bags: from number of occurences. *) use seq.Occ let ghost function to_bag (s:seq 'a) : 'a -> int = fun x -> occ x s 0 (length s) let lemma to_bag_mem (x:'a) (s:seq 'a) ensures { s.to_bag x > 0 <-> exists i. 0 <= i < length s /\ s[i] = x} = assert { forall i. 0 <= i < length s /\ s[i] = x -> to_bag s x > 0 by to_bag s x = to_bag s[.. i] x + to_bag s[i ..] x /\ to_bag s[i ..] x = to_bag s[i ..][1 ..] x + to_bag s[i ..][.. 1] x /\ to_bag s[i ..][.. 1] x = 1 } (** Minimum extraction from a sequence. Partial function. *) let ghost function get_minimum_index (s:seq (D.t 'a)) : int requires { length s <> 0 } ensures { 0 <= result < length s } ensures { M.agg D.measure s = Some s[result].key } ensures { lower_bound_strict s[result].key s[.. result] } ensures { lower_bound s[result].key s[result ..] } = let r = ref 0 in for i = 0 to length s - 1 do invariant { lower_bound_strict s[!r].key s[.. !r] } invariant { lower_bound s[!r].key s[!r .. i] } invariant { 0 <= !r <= i /\ !r < length s } assert { s[.. i] == s[.. !r] ++ s[!r .. i] }; if CO.compare s[i].key s[!r].key < 0 then r := i; done; assert { let e = { left = s[.. !r]; middle = Some s[!r]; right = s[!r+1 ..] } in selected () e /\ rebuild e == s }; !r let lemma split_gives_minimum (e:split (D.t 'a)) requires { selected () e } ensures { e.middle = Some (rebuild e)[get_minimum_index (rebuild e)] } = let i = length e.left in let s = rebuild e in let j = get_minimum_index s in let ki = match e.middle with None -> absurd | Some d -> d.key end in assert { ki = s[i].key }; let kj = s[j].key in if i <> j then let (ki,kj) = if i < j then (ki,kj) else (assert { s[j] = e.left[j] }; (kj,ki)) in assert { CO.lt kj ki /\ CO.le ki kj } (** Convert the avl tree to logical model. *) function m (t:t 'a) : m 'a = { bag = to_bag t; card = length t; minimum = t[get_minimum_index t] } meta coercion function m (** Invariant over the logical model. *) let lemma correction (t:t 'a) : unit ensures { forall d. 0 <= t.bag d <= t.card } ensures { t.card >= 0 /\ (t.card > 0 -> t.bag t.minimum > 0) } ensures { forall d. 0 < t.bag d -> CO.le t.minimum.key d.key } = if t.m.card > 0 then let r0 = Sel.default_split () in let _ = Sel.split r0 () t in () (** Create an empty priority queue. *) let empty () : t 'a ensures { forall d:D.t 'a. result.m.bag d = 0 } ensures { result.m.card = 0 } = Sel.empty () (** Create a one-element priority queue. *) let singleton (d:D.t 'a) : t 'a ensures { result.m.bag d = 1 /\ forall d2:D.t 'a. d2 <> d -> result.m.bag d2 = 0 } ensures { result.m.card = 1 } = Sel.singleton d (** Test emptyness of a priority queue. *) let is_empty (ghost rd:ref (D.t 'a)) (t:t 'a) : bool ensures { result -> forall d:D.t 'a. t.bag d = 0 } ensures { not result -> t.bag !rd > 0 } ensures { result <-> t.card = 0 } = let res = Sel.is_empty t in ghost if not res then rd := t.Sel.m.Sel.seq[0]; res (** Merge two priority queues. *) let merge (l r:t 'a) : t 'a ensures { forall d. result.bag d = l.bag d + r.bag d } ensures { result.card = l.card + r.card } = Sel.concat l r (** Additional lemma about bag created from a sequence (removal in the middle). *) let lemma remove_count (l:seq 'a) (d:'a) (r:seq 'a) : unit ensures { to_bag (l ++ singleton d ++ r) d = to_bag (l++r) d + 1 } ensures { forall e. e <> d -> to_bag (l ++ singleton d ++ r) e = to_bag (l++r) e } = assert { forall e. to_bag (singleton d) e = if d = e then 1 else 0 } (** Get and remove minimum element. *) let extract_min (t:t 'a) : option (D.t 'a,t 'a) returns { None -> t.card = 0 /\ (forall d. t.bag d = 0) | Some (d,e:t 'a) -> t.card = e.card + 1 /\ t.bag d = e.bag d + 1 /\ d = t.minimum /\ forall d2. d2 <> d -> t.bag d2 = e.bag d2 } = if Sel.is_empty t then None else let (o,e) = Sel.extract (Sel.default_split ()) () t in match o with | None -> absurd | Some d -> Some (d,e) end (** Get minimum element. *) let min (t:t 'a) : D.t 'a requires { t.card > 0 } ensures { t.bag result > 0 /\ result = t.minimum } = match Sel.get (Sel.default_split ()) () t with | None -> absurd | Some d -> d end (** Pop minimum element. *) let pop_min (t:t 'a) : t 'a requires { t.card > 0 } ensures { t.card = result.card + 1 /\ t.bag t.minimum = result.bag t.minimum + 1 /\ (forall d2. d2 <> t.minimum -> t.bag d2 = result.bag d2) } = let r = Sel.default_split () in let res = Sel.remove r () t in ghost match !r.middle with | None -> absurd | Some _ -> split_gives_minimum !r end; res let add (d:D.t 'a) (t:t 'a) : t 'a ensures { result.bag d = t.bag d + 1 /\ (forall d2. d2 <> d -> result.bag d2 = t.bag d2) } ensures { result.card = t.card + 1 } = assert { forall d2. (singleton d).to_bag d2 = if d2 = d then 1 else 0 }; Sel.cons d t end �����������������������������������������������������why3-1.6.0/examples/avl/priority_queue/�������������������������������������������������������������0000775�0000000�0000000�00000000000�14401600263�0020071�5����������������������������������������������������������������������������������������������������ustar�00root����������������������������root����������������������������0000000�0000000������������������������������������������������������������������������������������������������������������������������������������������������������������������������why3-1.6.0/examples/avl/priority_queue/why3session.xml����������������������������������������������0000664�0000000�0000000�00000062642�14401600263�0023123�0����������������������������������������������������������������������������������������������������ustar�00root����������������������������root����������������������������0000000�0000000������������������������������������������������������������������������������������������������������������������������������������������������������������������������<?xml version="1.0" encoding="UTF-8"?> <!DOCTYPE why3session PUBLIC "-//Why3//proof session v5//EN" "http://why3.lri.fr/why3session.dtd"> <why3session shape_version="6"> <prover id="0" name="Alt-Ergo" version="2.3.0" timelimit="1" steplimit="0" memlimit="1000"/> <prover id="1" name="CVC4" version="1.5" timelimit="5" steplimit="0" memlimit="1000"/> <prover id="2" name="Z3" version="4.11.0" timelimit="5" steplimit="0" memlimit="1000"/> <prover id="3" name="Z3" version="4.4.1" timelimit="5" steplimit="0" memlimit="1000"/> <prover id="4" name="Alt-Ergo" version="2.0.0" timelimit="1" steplimit="0" memlimit="1000"/> <prover id="5" name="CVC5" version="1.0.0" timelimit="1" steplimit="0" memlimit="1000"/> <prover id="6" name="Alt-Ergo" version="2.4.2" timelimit="5" steplimit="0" memlimit="1000"/> <file format="whyml" proved="true"> <path name=".."/><path name="priority_queue.mlw"/> <theory name="PQueue" proved="true"> <goal name="balancing'vc" expl="VC for balancing" proved="true"> <proof prover="0"><result status="valid" time="0.01" steps="4"/></proof> </goal> <goal name="M.assoc_m'vc" expl="VC for assoc_m" proved="true"> <transf name="split_goal_right" proved="true" > <goal name="assoc_m'vc.0" expl="assertion" proved="true"> <proof prover="1"><result status="valid" time="0.03" steps="10856"/></proof> </goal> <goal name="assoc_m'vc.1" expl="assertion" proved="true"> <proof prover="1"><result status="valid" time="0.03" steps="10856"/></proof> </goal> <goal name="assoc_m'vc.2" expl="assertion" proved="true"> <proof prover="1"><result status="valid" time="0.03" steps="10856"/></proof> </goal> <goal name="assoc_m'vc.3" expl="assertion" proved="true"> <proof prover="1"><result status="valid" time="0.03" steps="10856"/></proof> </goal> <goal name="assoc_m'vc.4" expl="assertion" proved="true"> <proof prover="1"><result status="valid" time="0.03" steps="10856"/></proof> </goal> <goal name="assoc_m'vc.5" expl="assertion" proved="true"> <proof prover="1"><result status="valid" time="0.03" steps="10856"/></proof> </goal> <goal name="assoc_m'vc.6" expl="assertion" proved="true"> <proof prover="1"><result status="valid" time="0.03" steps="10856"/></proof> </goal> <goal name="assoc_m'vc.7" expl="postcondition" proved="true"> <transf name="split_goal_right" proved="true" > <goal name="assoc_m'vc.7.0" expl="postcondition" proved="true"> <proof prover="1"><result status="valid" time="0.06" steps="11785"/></proof> </goal> <goal name="assoc_m'vc.7.1" expl="postcondition" proved="true"> <proof prover="1"><result status="valid" time="0.06" steps="12040"/></proof> </goal> <goal name="assoc_m'vc.7.2" expl="postcondition" proved="true"> <proof prover="1"><result status="valid" time="0.06" steps="12056"/></proof> </goal> <goal name="assoc_m'vc.7.3" expl="postcondition" proved="true"> <proof prover="1"><result status="valid" time="0.05" steps="12624"/></proof> </goal> <goal name="assoc_m'vc.7.4" expl="postcondition" proved="true"> <proof prover="1"><result status="valid" time="0.06" steps="12049"/></proof> </goal> <goal name="assoc_m'vc.7.5" expl="postcondition" proved="true"> <proof prover="1"><result status="valid" time="0.06" steps="12080"/></proof> </goal> <goal name="assoc_m'vc.7.6" expl="postcondition" proved="true"> <proof prover="1"><result status="valid" time="0.03" steps="12110"/></proof> </goal> <goal name="assoc_m'vc.7.7" expl="postcondition" proved="true"> <proof prover="1"><result status="valid" time="0.06" steps="17596"/></proof> </goal> </transf> </goal> </transf> </goal> <goal name="M.neutral_m'vc" expl="VC for neutral_m" proved="true"> <proof prover="1"><result status="valid" time="0.04" steps="12066"/></proof> </goal> <goal name="M.assoc" proved="true"> <proof prover="4"><result status="valid" time="0.01" steps="5"/></proof> </goal> <goal name="M.neutral" proved="true"> <proof prover="4"><result status="valid" time="0.01" steps="7"/></proof> </goal> <goal name="M.M.assoc" proved="true"> <proof prover="4"><result status="valid" time="0.01" steps="5"/></proof> </goal> <goal name="M.M.neutral" proved="true"> <proof prover="4"><result status="valid" time="0.01" steps="7"/></proof> </goal> <goal name="M.zero'vc" expl="VC for zero" proved="true"> <proof prover="4"><result status="valid" time="0.01" steps="4"/></proof> </goal> <goal name="M.op'vc" expl="VC for op" proved="true"> <proof prover="4" timelimit="5"><result status="valid" time="0.01" steps="56"/></proof> </goal> <goal name="monoid_sum_is_min'vc" expl="VC for monoid_sum_is_min" proved="true"> <transf name="split_goal_right" proved="true" > <goal name="monoid_sum_is_min'vc.0" expl="precondition" proved="true"> <proof prover="4"><result status="valid" time="0.01" steps="7"/></proof> </goal> <goal name="monoid_sum_is_min'vc.1" expl="variant decrease" proved="true"> <proof prover="4"><result status="valid" time="0.02" steps="20"/></proof> </goal> <goal name="monoid_sum_is_min'vc.2" expl="assertion" proved="true"> <proof prover="4"><result status="valid" time="0.01" steps="9"/></proof> </goal> <goal name="monoid_sum_is_min'vc.3" expl="assertion" proved="true"> <proof prover="4"><result status="valid" time="0.02" steps="46"/></proof> </goal> <goal name="monoid_sum_is_min'vc.4" expl="postcondition" proved="true"> <transf name="split_goal_right" proved="true" > <goal name="monoid_sum_is_min'vc.4.0" expl="VC for monoid_sum_is_min" proved="true"> <proof prover="1"><result status="valid" time="0.09" steps="27014"/></proof> </goal> <goal name="monoid_sum_is_min'vc.4.1" expl="VC for monoid_sum_is_min" proved="true"> <proof prover="1"><result status="valid" time="2.46" steps="173284"/></proof> </goal> <goal name="monoid_sum_is_min'vc.4.2" expl="VC for monoid_sum_is_min" proved="true"> <proof prover="1"><result status="valid" time="0.10" steps="28664"/></proof> </goal> </transf> </goal> </transf> </goal> <goal name="selected_is_min'vc" expl="VC for selected_is_min" proved="true"> <transf name="split_goal_right" proved="true" > <goal name="selected_is_min'vc.0" expl="unreachable point" proved="true"> <proof prover="4"><result status="valid" time="0.01" steps="6"/></proof> </goal> <goal name="selected_is_min'vc.1" expl="assertion" proved="true"> <transf name="split_goal_right" proved="true" > <goal name="selected_is_min'vc.1.0" expl="assertion" proved="true"> <proof prover="5" timelimit="5"><result status="valid" time="0.15" steps="39966"/></proof> </goal> <goal name="selected_is_min'vc.1.1" expl="assertion" proved="true"> <proof prover="1"><result status="valid" time="0.84" steps="131971"/></proof> </goal> <goal name="selected_is_min'vc.1.2" expl="assertion" proved="true"> <proof prover="1"><result status="valid" time="0.27" steps="58352"/></proof> </goal> <goal name="selected_is_min'vc.1.3" expl="assertion" proved="true"> <proof prover="4"><result status="valid" time="0.02" steps="9"/></proof> </goal> </transf> </goal> <goal name="selected_is_min'vc.2" expl="postcondition" proved="true"> <proof prover="4"><result status="valid" time="0.01" steps="24"/></proof> </goal> </transf> </goal> <goal name="selected_part'vc" expl="VC for selected_part" proved="true"> <transf name="split_goal_right" proved="true" > <goal name="selected_part'vc.0" expl="postcondition" proved="true"> <transf name="split_goal_right" proved="true" > <goal name="selected_part'vc.0.0" expl="VC for selected_part" proved="true"> <proof prover="4"><result status="valid" time="0.20" steps="1341"/></proof> </goal> <goal name="selected_part'vc.0.1" expl="VC for selected_part" proved="true"> <proof prover="4"><result status="valid" time="0.03" steps="194"/></proof> </goal> <goal name="selected_part'vc.0.2" expl="VC for selected_part" proved="true"> <proof prover="4"><result status="valid" time="0.02" steps="10"/></proof> </goal> <goal name="selected_part'vc.0.3" expl="VC for selected_part" proved="true"> <proof prover="4"><result status="valid" time="0.06" steps="190"/></proof> </goal> <goal name="selected_part'vc.0.4" expl="VC for selected_part" proved="true"> <proof prover="4"><result status="valid" time="0.03" steps="156"/></proof> </goal> <goal name="selected_part'vc.0.5" expl="VC for selected_part" proved="true"> <proof prover="4"><result status="valid" time="0.02" steps="10"/></proof> </goal> <goal name="selected_part'vc.0.6" expl="VC for selected_part" proved="true"> <proof prover="4"><result status="valid" time="0.09" steps="289"/></proof> </goal> <goal name="selected_part'vc.0.7" expl="VC for selected_part" proved="true"> <proof prover="4"><result status="valid" time="0.91" steps="2750"/></proof> </goal> <goal name="selected_part'vc.0.8" expl="VC for selected_part" proved="true"> <proof prover="4"><result status="valid" time="0.03" steps="33"/></proof> </goal> <goal name="selected_part'vc.0.9" expl="VC for selected_part" proved="true"> <proof prover="4"><result status="valid" time="0.21" steps="1140"/></proof> </goal> <goal name="selected_part'vc.0.10" expl="VC for selected_part" proved="true"> <proof prover="4"><result status="valid" time="0.17" steps="1195"/></proof> </goal> <goal name="selected_part'vc.0.11" expl="VC for selected_part" proved="true"> <proof prover="4"><result status="valid" time="0.02" steps="23"/></proof> </goal> <goal name="selected_part'vc.0.12" expl="VC for selected_part" proved="true"> <transf name="split_vc" proved="true" > <goal name="selected_part'vc.0.12.0" expl="VC for selected_part" proved="true"> <proof prover="5"><result status="valid" time="0.04" steps="14474"/></proof> </goal> <goal name="selected_part'vc.0.12.1" expl="VC for selected_part" proved="true"> <proof prover="5"><result status="valid" time="0.05" steps="15225"/></proof> </goal> <goal name="selected_part'vc.0.12.2" expl="VC for selected_part" proved="true"> <transf name="split_vc" proved="true" > <goal name="selected_part'vc.0.12.2.0" expl="VC for selected_part" proved="true"> <proof prover="5"><result status="valid" time="0.05" steps="14468"/></proof> </goal> <goal name="selected_part'vc.0.12.2.1" expl="VC for selected_part" proved="true"> <proof prover="6" memlimit="2000"><result status="valid" time="3.00" steps="44349"/></proof> </goal> </transf> </goal> <goal name="selected_part'vc.0.12.3" expl="VC for selected_part" proved="true"> <transf name="split_vc" proved="true" > <goal name="selected_part'vc.0.12.3.0" expl="VC for selected_part" proved="true"> <proof prover="5"><result status="valid" time="0.06" steps="15254"/></proof> </goal> <goal name="selected_part'vc.0.12.3.1" expl="VC for selected_part" proved="true"> <transf name="split_vc" proved="true" > <goal name="selected_part'vc.0.12.3.1.0" expl="VC for selected_part" proved="true"> <proof prover="5"><result status="valid" time="0.05" steps="14565"/></proof> </goal> <goal name="selected_part'vc.0.12.3.1.1" expl="VC for selected_part" proved="true"> <transf name="inline_goal" proved="true" > <goal name="selected_part'vc.0.12.3.1.1.0" expl="VC for selected_part" proved="true"> <transf name="split_all_full" proved="true" > <goal name="selected_part'vc.0.12.3.1.1.0.0" expl="VC for selected_part" proved="true"> <proof prover="5"><result status="valid" time="0.08" steps="22907"/></proof> </goal> <goal name="selected_part'vc.0.12.3.1.1.0.1" expl="VC for selected_part" proved="true"> <proof prover="5"><result status="valid" time="0.08" steps="23228"/></proof> </goal> <goal name="selected_part'vc.0.12.3.1.1.0.2" expl="VC for selected_part" proved="true"> <proof prover="6" timelimit="1"><result status="valid" time="0.31" steps="3884"/></proof> </goal> </transf> </goal> </transf> </goal> </transf> </goal> </transf> </goal> </transf> </goal> </transf> </goal> </transf> </goal> <goal name="Sel.M.assoc" proved="true"> <proof prover="4"><result status="valid" time="0.02" steps="5"/></proof> </goal> <goal name="Sel.M.neutral" proved="true"> <proof prover="4"><result status="valid" time="0.01" steps="7"/></proof> </goal> <goal name="Sel.M.zero'refn'vc" expl="VC for zero'refn" proved="true"> <proof prover="4"><result status="valid" time="0.01" steps="4"/></proof> </goal> <goal name="Sel.M.op'refn'vc" expl="VC for op'refn" proved="true"> <proof prover="4"><result status="valid" time="0.01" steps="4"/></proof> </goal> <goal name="Sel.M.agg_empty" proved="true"> <proof prover="4"><result status="valid" time="0.01" steps="7"/></proof> </goal> <goal name="Sel.M.agg_sing" proved="true"> <proof prover="1"><result status="valid" time="0.08" steps="19774"/></proof> </goal> <goal name="Sel.M.agg_cat" proved="true"> <proof prover="4"><result status="valid" time="0.02" steps="5"/></proof> </goal> <goal name="Sel.balancing'refn'vc" expl="VC for balancing'refn" proved="true"> <proof prover="4"><result status="valid" time="0.02" steps="4"/></proof> </goal> <goal name="Sel.selection_empty" proved="true"> <proof prover="4"><result status="valid" time="0.02" steps="9"/></proof> </goal> <goal name="Sel.selected_part'refn'vc" expl="VC for selected_part'refn" proved="true"> <proof prover="4"><result status="valid" time="0.04" steps="257"/></proof> </goal> <goal name="to_bag'vc" expl="VC for to_bag" proved="true"> <proof prover="0"><result status="valid" time="0.01" steps="6"/></proof> </goal> <goal name="to_bag_mem'vc" expl="VC for to_bag_mem" proved="true"> <transf name="split_goal_right" proved="true" > <goal name="to_bag_mem'vc.0" expl="assertion" proved="true"> <transf name="split_goal_right" proved="true" > <goal name="to_bag_mem'vc.0.0" expl="assertion" proved="true"> <proof prover="4"><result status="valid" time="0.03" steps="39"/></proof> </goal> <goal name="to_bag_mem'vc.0.1" expl="assertion" proved="true"> <proof prover="4"><result status="valid" time="0.03" steps="69"/></proof> </goal> <goal name="to_bag_mem'vc.0.2" expl="assertion" proved="true"> <proof prover="4"><result status="valid" time="0.04" steps="189"/></proof> </goal> <goal name="to_bag_mem'vc.0.3" expl="VC for to_bag_mem" proved="true"> <proof prover="4"><result status="valid" time="0.24" steps="559"/></proof> </goal> </transf> </goal> <goal name="to_bag_mem'vc.1" expl="postcondition" proved="true"> <proof prover="4" timelimit="10"><result status="valid" time="0.04" steps="189"/></proof> </goal> </transf> </goal> <goal name="get_minimum_index'vc" expl="VC for get_minimum_index" proved="true"> <transf name="split_goal_right" proved="true" > <goal name="get_minimum_index'vc.0" expl="loop invariant init" proved="true"> <proof prover="4"><result status="valid" time="0.04" steps="134"/></proof> </goal> <goal name="get_minimum_index'vc.1" expl="loop invariant init" proved="true"> <proof prover="4"><result status="valid" time="0.02" steps="35"/></proof> </goal> <goal name="get_minimum_index'vc.2" expl="loop invariant init" proved="true"> <proof prover="4"><result status="valid" time="0.02" steps="8"/></proof> </goal> <goal name="get_minimum_index'vc.3" expl="assertion" proved="true"> <proof prover="4"><result status="valid" time="0.17" steps="203"/></proof> </goal> <goal name="get_minimum_index'vc.4" expl="loop invariant preservation" proved="true"> <proof prover="6"><result status="valid" time="0.27" steps="5255"/></proof> </goal> <goal name="get_minimum_index'vc.5" expl="loop invariant preservation" proved="true"> <proof prover="4"><result status="valid" time="0.03" steps="165"/></proof> </goal> <goal name="get_minimum_index'vc.6" expl="loop invariant preservation" proved="true"> <proof prover="4"><result status="valid" time="0.02" steps="20"/></proof> </goal> <goal name="get_minimum_index'vc.7" expl="loop invariant preservation" proved="true"> <proof prover="4"><result status="valid" time="0.03" steps="16"/></proof> </goal> <goal name="get_minimum_index'vc.8" expl="loop invariant preservation" proved="true"> <proof prover="6"><result status="valid" time="0.12" steps="2249"/></proof> </goal> <goal name="get_minimum_index'vc.9" expl="loop invariant preservation" proved="true"> <proof prover="4"><result status="valid" time="0.03" steps="17"/></proof> </goal> <goal name="get_minimum_index'vc.10" expl="assertion" proved="true"> <proof prover="4"><result status="valid" time="0.97" steps="1692"/></proof> </goal> <goal name="get_minimum_index'vc.11" expl="postcondition" proved="true"> <proof prover="4"><result status="valid" time="0.04" steps="13"/></proof> </goal> <goal name="get_minimum_index'vc.12" expl="postcondition" proved="true"> <proof prover="4"><result status="valid" time="0.05" steps="68"/></proof> </goal> <goal name="get_minimum_index'vc.13" expl="postcondition" proved="true"> <proof prover="4"><result status="valid" time="0.03" steps="14"/></proof> </goal> <goal name="get_minimum_index'vc.14" expl="postcondition" proved="true"> <proof prover="4"><result status="valid" time="0.03" steps="40"/></proof> </goal> <goal name="get_minimum_index'vc.15" expl="out of loop bounds" proved="true"> <proof prover="4"><result status="valid" time="0.02" steps="28"/></proof> </goal> </transf> </goal> <goal name="split_gives_minimum'vc" expl="VC for split_gives_minimum" proved="true"> <transf name="split_goal_right" proved="true" > <goal name="split_gives_minimum'vc.0" expl="precondition" proved="true"> <proof prover="4"><result status="valid" time="0.03" steps="47"/></proof> </goal> <goal name="split_gives_minimum'vc.1" expl="unreachable point" proved="true"> <proof prover="4"><result status="valid" time="0.03" steps="11"/></proof> </goal> <goal name="split_gives_minimum'vc.2" expl="assertion" proved="true"> <proof prover="4"><result status="valid" time="0.11" steps="247"/></proof> </goal> <goal name="split_gives_minimum'vc.3" expl="assertion" proved="true"> <proof prover="4"><result status="valid" time="0.15" steps="158"/></proof> </goal> <goal name="split_gives_minimum'vc.4" expl="assertion" proved="true"> <proof prover="1"><result status="valid" time="0.52" steps="117053"/></proof> </goal> <goal name="split_gives_minimum'vc.5" expl="postcondition" proved="true"> <proof prover="4"><result status="valid" time="0.31" steps="641"/></proof> </goal> </transf> </goal> <goal name="correction'vc" expl="VC for correction" proved="true"> <transf name="split_goal_right" proved="true" > <goal name="correction'vc.0" expl="precondition" proved="true"> <proof prover="4"><result status="valid" time="0.03" steps="13"/></proof> </goal> <goal name="correction'vc.1" expl="postcondition" proved="true"> <proof prover="4"><result status="valid" time="0.26" steps="418"/></proof> </goal> <goal name="correction'vc.2" expl="postcondition" proved="true"> <proof prover="4"><result status="valid" time="0.04" steps="84"/></proof> </goal> <goal name="correction'vc.3" expl="postcondition" proved="true"> <proof prover="2"><result status="valid" time="0.04" steps="174788"/></proof> </goal> <goal name="correction'vc.4" expl="postcondition" proved="true"> <proof prover="4"><result status="valid" time="0.05" steps="38"/></proof> </goal> <goal name="correction'vc.5" expl="postcondition" proved="true"> <proof prover="4"><result status="valid" time="0.03" steps="7"/></proof> </goal> <goal name="correction'vc.6" expl="postcondition" proved="true"> <proof prover="4"><result status="valid" time="0.04" steps="20"/></proof> </goal> </transf> </goal> <goal name="empty'vc" expl="VC for empty" proved="true"> <proof prover="4"><result status="valid" time="0.02" steps="20"/></proof> </goal> <goal name="singleton'vc" expl="VC for singleton" proved="true"> <proof prover="4"><result status="valid" time="0.03" steps="85"/></proof> </goal> <goal name="is_empty'vc" expl="VC for is_empty" proved="true"> <proof prover="4"><result status="valid" time="0.04" steps="125"/></proof> </goal> <goal name="merge'vc" expl="VC for merge" proved="true"> <proof prover="4"><result status="valid" time="0.48" steps="1014"/></proof> </goal> <goal name="remove_count'vc" expl="VC for remove_count" proved="true"> <transf name="split_goal_right" proved="true" > <goal name="remove_count'vc.0" expl="assertion" proved="true"> <proof prover="4"><result status="valid" time="0.03" steps="72"/></proof> </goal> <goal name="remove_count'vc.1" expl="postcondition" proved="true"> <proof prover="1" timelimit="10"><result status="valid" time="0.83" steps="194892"/></proof> </goal> <goal name="remove_count'vc.2" expl="postcondition" proved="true"> <proof prover="1" timelimit="10"><result status="valid" time="0.22" steps="49370"/></proof> </goal> </transf> </goal> <goal name="extract_min'vc" expl="VC for extract_min" proved="true"> <transf name="split_goal_right" proved="true" > <goal name="extract_min'vc.0" expl="postcondition" proved="true"> <proof prover="4"><result status="valid" time="0.04" steps="21"/></proof> </goal> <goal name="extract_min'vc.1" expl="precondition" proved="true"> <proof prover="4"><result status="valid" time="0.02" steps="7"/></proof> </goal> <goal name="extract_min'vc.2" expl="unreachable point" proved="true"> <proof prover="4"><result status="valid" time="0.03" steps="15"/></proof> </goal> <goal name="extract_min'vc.3" expl="postcondition" proved="true"> <transf name="split_goal_right" proved="true" > <goal name="extract_min'vc.3.0" expl="VC for extract_min" proved="true"> <proof prover="4"><result status="valid" time="0.03" steps="22"/></proof> </goal> <goal name="extract_min'vc.3.1" expl="VC for extract_min" proved="true"> <proof prover="4"><result status="valid" time="0.04" steps="24"/></proof> </goal> <goal name="extract_min'vc.3.2" expl="VC for extract_min" proved="true"> <proof prover="4"><result status="valid" time="0.12" steps="106"/></proof> </goal> <goal name="extract_min'vc.3.3" expl="VC for extract_min" proved="true"> <proof prover="3"><result status="valid" time="0.06"/></proof> </goal> <goal name="extract_min'vc.3.4" expl="VC for extract_min" proved="true"> <proof prover="4"><result status="valid" time="0.06" steps="55"/></proof> </goal> <goal name="extract_min'vc.3.5" expl="VC for extract_min" proved="true"> <proof prover="3"><result status="valid" time="0.06"/></proof> </goal> </transf> </goal> </transf> </goal> <goal name="min'vc" expl="VC for min" proved="true"> <transf name="split_goal_right" proved="true" > <goal name="min'vc.0" expl="precondition" proved="true"> <proof prover="4"><result status="valid" time="0.02" steps="13"/></proof> </goal> <goal name="min'vc.1" expl="unreachable point" proved="true"> <proof prover="4"><result status="valid" time="0.03" steps="11"/></proof> </goal> <goal name="min'vc.2" expl="postcondition" proved="true"> <proof prover="4"><result status="valid" time="0.15" steps="166"/></proof> </goal> </transf> </goal> <goal name="pop_min'vc" expl="VC for pop_min" proved="true"> <transf name="split_goal_right" proved="true" > <goal name="pop_min'vc.0" expl="precondition" proved="true"> <proof prover="4"><result status="valid" time="0.02" steps="13"/></proof> </goal> <goal name="pop_min'vc.1" expl="unreachable point" proved="true"> <proof prover="4"><result status="valid" time="0.03" steps="11"/></proof> </goal> <goal name="pop_min'vc.2" expl="precondition" proved="true"> <proof prover="4"><result status="valid" time="0.03" steps="11"/></proof> </goal> <goal name="pop_min'vc.3" expl="postcondition" proved="true"> <transf name="split_goal_right" proved="true" > <goal name="pop_min'vc.3.0" expl="VC for pop_min" proved="true"> <proof prover="4"><result status="valid" time="0.12" steps="77"/></proof> </goal> <goal name="pop_min'vc.3.1" expl="VC for pop_min" proved="true"> <proof prover="4" timelimit="5"><result status="valid" time="0.71" steps="688"/></proof> </goal> <goal name="pop_min'vc.3.2" expl="VC for pop_min" proved="true"> <proof prover="4" timelimit="20"><result status="valid" time="4.76" steps="3557"/></proof> </goal> </transf> </goal> </transf> </goal> <goal name="add'vc" expl="VC for add" proved="true"> <transf name="split_goal_right" proved="true" > <goal name="add'vc.0" expl="assertion" proved="true"> <proof prover="4"><result status="valid" time="0.03" steps="81"/></proof> </goal> <goal name="add'vc.1" expl="postcondition" proved="true"> <proof prover="4" timelimit="20"><result status="valid" time="0.54" steps="1513"/></proof> </goal> <goal name="add'vc.2" expl="postcondition" proved="true"> <proof prover="4"><result status="valid" time="0.02" steps="11"/></proof> </goal> </transf> </goal> </theory> </file> </why3session> ����������������������������������������������������������������������������������������������why3-1.6.0/examples/avl/priority_queue/why3shapes.gz������������������������������������������������0000664�0000000�0000000�00000026162�14401600263�0022540�0����������������������������������������������������������������������������������������������������ustar�00root����������������������������root����������������������������0000000�0000000������������������������������������������������������������������������������������������������������������������������������������������������������������������������������}[ofw~Y؍-Hԫd±%$ӳ~ ZU%w�U)Ɍƍ§ptpswٿ7v~ ذ.l~:wgMnoQn#{> ۠*]7>uNF/Tb7<1{H ~]p_Շ\nOnㆫ 7WJW(8q6RJ�tBMG aAk»ᗻT.x%=<G0u>y+PglۂWozuJ{;a.ڟCX7 w2}+zv  m{SL=A٢gR4i(/ϗnG/O=O?X{gO}ϏMO6 9PKw<^1}9 n{a[F$[o/ޤ}d@:( zoE(y-m,wJWpE_KT?1# UQ![KޡDҌsj �~a#Fv"WuueV v#OWU%;[nۍ7"|xH? 祫~TzN=aWvRP{\wג^YmhKOFkI " S0bcϣOow`~s{N,_ n]wݧIO{4_CoY} Sԇ*Q*|D{T J >6N EJ26�I&|{PsN?mą Zl@=Xr@%uj-Oq fy`J_㷹VF[K5E6cEn %qcFɾQ|vLvĩ S&%.5_У5)‚bdIhS"wM7?3d> pЩE/E tB0CU/%K:vO aij&*,EbAB䨶�IK+B{M0P[(Sb!'=4t' =h%jŠBP!=Zn Ao ք>᧹S`ΗJVuIJ*)Q6l]e",mznh16 F1c'ok3c3<A1ci Dl34ncJi3xX7vleoGhom:%|J2E~a>r;n|(_GTk/miU^!/cjkPq-d ͇tRC]}]RaRUq]0 'Jp7!,iPͯ͡=nUVX0%SY(Է`^m{6 V>3"De1F]4&8m",@b1E٠QZsl:)C }Ovg!e0WsaxrI߇ʕ}D` 'Ul@Wc)B@=O^ AWpR.Z^g tFb`e4^GeDx2-",\ k& AZt'ԍuuZ297KL8^eJ�w2n>b-Ldjrpb!d'wԩ%^37;yE~o߸:?3^pmzd\gh6^n|rGo�2rkO?c_GrIM!P�x> e0Մt~ifqCb o;å ebBGӴTZ&ex'EӴTO *ɟ:ĽB; ]!{ Jގ%s* TsmNSn�e+B| ȹ 3c "2YM%?Lsե=NjQ-qR۱PqV7; ͸iܴ nڙD qdimuXĝnY-\2ߴckiкi']ﱶ' iE2S:^^Mq[=0br>ݾtpJ '?Yd tqv2!<qQ ƀvE_df ߃%lb^-񽖰C^i*4ASeAM4U#{힯 /6ȫ ڎ*lGXlϱVVݫggS>TżV_-n7݂PՖI@v= 'bX^ v/v=KV=if=7vougHUL$O|DWnghfѣyff=ē6K# ff]fAe>'Z] }U#OLᴝx <,>?Q}OtZU꥟h՚X G%C}?Q}<%z>Oq)?t\_׿8ؿR`?Azw )?UP8hw2l|Ot[F"=| qO2_Tɇ|ɇE�ocowq*8ɎY;>8�:dJhþC-=UjV)[9ע>٢<~lJ愀 tC!NlCp"|ǁʧr^ely>x,f4ǘ?Bxː:.68Ԡxgd-V}{W97PPv9c<M/coѪB$?mVoo?? 2x:$R:m܏|f̬JorSr0n}yIV6paL;_ u0d[~;^+I'= s)5e.+g҇=[:SUn^{&;wV5%Sݡ伳î|f[0[c>ls== rT7=-ӄ+ߧsj'+&dR09ܗSwǞ׃<q&>׸+)ݥp_6wUw^9.<rV MOǕ{՗saʉtٻtƹ[N>/'vK@Ⲝr[ɧtpn9W۝+P;WzOߵCUb=Wo;WtZYE$zNڥ Pr/wLwowSN^4!tx_*;:ķ[cJQy~Jd/lu rɞހ:Q]ڌ;װQ+g lYNRP&[Yj'vn-\36$t;荿Sa;0"+\ǎtDb -zޱrV?dI|aɺk0{g{|Ǒm2󗷗1M_VvZX0}}zl^^l=S^'Ə1W0�NNQ6^ҕUk6(\wngs8grCNa_w>_b}GWC? {}wiZESlӴV! vC� 2 CR҉Vgff;L]Mat.v rf1v}tinr'`v>*绑,bQ{wj2d*p楐#4BÃCX?w�}}T|,#5/J|JI?/s|S&Os\ ܽLw˄9ǿ-{ /+۹ThM m Kws[Kh|u+#*ˇFjw[.UvyK6۹4[35mQsoY36V3_AW6nrYgoe㦙l4ePb損Ooa$?!f[F{qnmf),^(pD(pٸZ]  m4UJICVnr+]A_nFbO~ G}S ˩䧏T*'#V4%y_T~zY<dG2oZO,uM?C Li CҢ~} lן7 E s\t�K.zHnэw9KHN,|v#~x[]ޟuemvОo2|˹{�tPcw�\ 0 gڮEe,`fbİoX1©Pʩãg f% ]͋z'Xf;kkI=f3ElЍρ2 ]6Z}<53ٹgs\-^qMkǸUWx=bxL,yUвVUU Yܗ񍁨ǻM|z]8~ B pYDrnʂU(s ,]i3D҃pMD|?n1v;u/LWIϪB^|?sfwΜ}g °](-_/}Z+pdo(GQ:[ѵa4mBtה_;pw͛ۛ{d4.#K~^_ %imޜ!@v3'u2Cb^t !ؕĿỬw%}ߕH%4WפZ~H.^9u̯rCG֠AD $?gtD;7iO҄琄N9x$v=0q$ƕe::Vz~4'Ad5o !=ѡ'85T=^[[*HǾGM?MoOZk^u^'k$&6֙.sYʸpu;?[lS)P~n=x<&}~<ge0ۺ[۫Zv,ٖMV,ي3o[o۲f@҆FZQy̬ye~XȒ8Z98oc[^qLcL4Ե2|fK+y;)(,˫j㺤!q]̨ו]LV듞Y%ZQ)MbV?kze6¢z/w�v疁VZiAwd-1{Vth{˘fCCv&/d3H$(%Z{X=w-dg_M?hˬ}9r�cuw( 2I}nYZ3p}#)QiD,|_,5}ʸ+}dʒY.Z$CY9u<-ųŪjqYM&xuʯ- oA'8'nWu2a YRTTEzIuzg|SWh)vً#hѣ~-Gz~r]pn: bk5u?FiFO׸!++CS1ܷÂߏ R@IUw]0~ѭ^5XS6 K+IߏL~7 k&KBխH/ee+C bA8'E_< ԻtyYnVpu҇fҩ.,:XbuʿOnL 7aGnUg+Ύ?6~hn^ܸ/lMK"?>N<l٘:<4s6jtGi;5@٨QZP6q6[_#:H?3WXK]0`~]0*:/6ֱeE7mu<f׎nWz*y }a/4/% 7~Hw| /œ3`"r<J?:- ݭ@/$niz@ G.[YWO~Y�b87#Yz~)R~̈́yr? 3-ZtР[=E#=io Y74Jͣ�Z|;JZ\we+h,WOiǣKi>͝.ܧwHoG;47rNWƻs<wp>^.L ^<cLV!<r\ N -xtev2[�EERZlXi MtYWb}R;T{׳gpvq({d|xb ܶm:^y2I J"\@,{##KgfدIJ߂H2Ҟ en:rn8ࣙP~eRZ{XW9|_8<Nq]ưa(:X[̷-O0?'}ۙdwկU3Uvv|@|.# [| s(hxaܟi cU/l?1%Cq`JƏpUq~պ;3{ܙY+[|m|jMfH( p`حi0mimϝ?tien8ҶS= ?ĔtR n\' %p~5N$gKų` p `-Y̦S t:o>JJ[dm}G*BX a|6lw;wb(b"3 -! +MsM6cjs/7{R˄1XoFBF3~4Z[0'') (<jy&\^r|K.R_Ky)/(^3mhO ח\cΥ&z<weo\V6( ^>:`kۤt nфP@ؽ Vp*F9٬]Ӛp{A3_jN<1kcҩſ! ۔U}V5t5"x-l?e!԰%oT"), ^,x'b-/IVg#]L ~t8o-smmlWFZ*!++SPF U$LER*UȨhJ[T+&ZY@ 4:H&[-NA ~QK6Iia %tJDdkjw B`*3GP66د Q6+킄E�̶ʤ3MٔkB6Ҋ3i.xNVZ m%" ONI)ݥO&f404BZ'l W0-KHM,0E aZЯjkX`.L{2R06@x68NǖiB^E8G豲\*WJ>զ,GA Jn`A9ÙpCE?EI3ywm<gfP\1DF[*;uf/ ktN.shm�W^jrnV(<Drr` 4ܹV/@a…Aj \r=O9lvP�X#Mp<.@IAςܜb`s$}/""ddmdZs59SYɦIU1?Rؤ6pK1!|&(-^-7Z*͙_T-J\UM)t9P�( VuiAC& [$2[V-}BtcLBdcF~am뭒ъn hshgaD !S5`#D2ZaFdl) 1gz[hJcg6QTD.!^²ĨE<`#"zSygguiS@$рϡUQ,s @8iY id)Ht"Q mhZZEۃ'y!v&BI!3.CB3eZ0b)Q%*@Hcn4HEC|B'$> WRպCg>I}<.)CLK8 @{m@"wݱC#N6;c!R .,:@Bv@~"H/baB{P"(xj Xk/ЅeG9Xﭣa/d .)"1!,G:&_Y>̌\%qNfDZl:e[ie,i]bR%f<e"|A^6 FT޻Ko/V@ť痞]:s`_3D cE:!Nș =gAs2@e�.�#Q�3԰va~:E4`3$th*C4$� &N /0e9Ci$Ȩd(u8WVmaY BAl))`(NciLӦ&E4 !p pr 5'E#w4�H4I+r =  5gCܔ6H4:Flb]G%YKNs<#ph "Jt[F6ȓMRP M28K*\2'>,geGaD>웡Wd|kZ=eAd$C9#'ŇPvDc%GDrDq(\4#v&CĎ#oDΎ#h7oP_F=z4iӨQOF=z )S4ׂz`WPOx, 0 2X5 yPX>q�Cub*YIDU͉q[,69JJ4E Rӱa"(m8b6Z!%s5ٵ:4"0H<4cY iD)]c,€\3XG*ȋFF ݴS挓!a*LȪt&u]o19+i@7i2%G\`IԀF#s&_"a@;+! _NeМI~CM0#uN:0_(dFg]6$ Pr*w>feLJ3׳^e}&`4:`ifA7?*8W(2'B7LIhI7]E6jB$H"@0n~(L5G77jh.V1P!lVZaZmTl-:JI萹1P'c L{է12k> *=mKY;r!^pshrڇ iYƶ<ĺŴ #XLƵIt.&CYmbXW$+1Ƶmf>2CkDY!/%2G&#l cEkAx6RO J6%@g.ХQ( h]'Gki|Ϊ &q,|Yy{ YSK4 AZ8cU]%i!b&j+>G'[ )ӆ-,q-<5RohLw46"FjA)6@Oгypd@YnLN&>y4~Jx~XIXXthmHQ1y4ke4-�,3, ٕ@!f8L0 EWL<'Qu4�V4aZMl]OZG#;mBi+:w4)h_!&THV(RL@hŸFXQg-IÙ@f, u4s@"vLqG$)BΗJ2i$4 Bi`h PZGzL5sw< ycE4I\^cD߃6am.+C|REi*K%-@*"RW(Ҋ[ݴEݵRզeYd@ NOs#v2kX+M M6^"gLE8l W1hthDjbuleM#VhEDKk܃I[䅱F &$)C!"QT*K]]&F1M6ƴF dhЇ9x ]"{}jwZq[۴!0;R8^cEZE@D#RxM&oPЏ^%�FE-)5r;75pH`@L#9A4-2d "65pDrEcq|C)=Y8J_7‰Fkf f  t Fdoo^7$׍MTxR$h\ -UӮ|i"A�-4՗X9ABdQ!&U ̴LkMa-BxݚZI&ƀdDm,7k_ =b,rhsi(iНjω xŤUh@C -Ii25rNw՘\F6(PgHV$~BSt~(L]dݩ:vk.#h2T-Gh]mO~Ci#Ӓum]nm@*IoЭy?fZeWyd$ï_ ?Ӱ)xDUm4zzAc#~joy!Fw>�ISF0ң5SI#͒6_Ӛ^S{=Ü2Q؀j )7׳~Y ro3!ݒz ̔9Qph"- 0za&|*hLEFS*"|j/sLZOC D$VWῚG`)a9#W#z1QmY>̰VeHmSqƚPȾ\%]I(Gl{¿ZǯQ,; D<2HĐ`QkdMWs=Tna 5r6Ld~7"ҞD5Aܧsc(˒6VO榅7AF U_0Lb}.oB"MVp&]ѿxM���������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������why3-1.6.0/examples/avl/ral.mlw���������������������������������������������������������������������0000664�0000000�0000000�00000021576�14401600263�0016316�0����������������������������������������������������������������������������������������������������ustar�00root����������������������������root����������������������������0000000�0000000������������������������������������������������������������������������������������������������������������������������������������������������������������������������ (** {1 Logarithmic-time Random-access list implementation on top of AVL trees} Author: Martin Clochard *) module RAL (** {2 Instantiation of the AVL tree module} *) use int.Int use import mach.peano.Peano as I use seq.Seq use seq.FreeMonoid use option.Option use avl.SelectionTypes use ref.Ref (** Remaining parameters. A fully concrete implementation would have to provide an explicit positive integer. *) val constant balancing : I.t ensures { result > 0 } (** Use the integer monoid in order to measure sequence of elements by their length. *) scope M type m = int type t = int constant zero : int = 0 function op (x y:int) : int = x + y clone export monoid.Monoid with type t = m, constant zero = zero,function op = op,lemma assoc,lemma neutral clone export monoid.MonoidSumDef with type M.t = m, constant M.zero = zero,function M.op = op,goal M.assoc,goal M.neutral function m (x:'a) : 'a = x predicate c (_:'a) = true let zero () : int ensures { result = 0 } = 0 let op (x y:int) : int ensures { result = x + y } = x + y end (** The stored elements are measured by 1. *) scope D type t 'a = 'a let function measure 'a : int = 1 meta "inline:no" function measure end (** The monoidal summary of a list is indeed its length. *) let rec lemma agg_measure_is_length (s:seq 'a) : unit ensures { M.agg D.measure s = length s } variant { length s } = if length s <> 0 then agg_measure_is_length s[1 ..] else assert { s = empty } (** Select either an element or the hole before him: the n-th hole is the position between (n-1)-th element (if any) and n-th element (if any). *) type selector = { index : int; hole : bool } (** Selection is possible iff the index is between the sequence bounds. *) predicate selection_possible (s:selector) (l:seq 'a) = 0 <= s.index && (if s.hole then s.index <= length l else s.index < length l) (** Selection predicate: We are exactly at the `index`-th position of the rebuild sequence, and there is an element in the middle iff we are not trying to select a hole. *) predicate selected (s:selector) (e:split 'a) = s.index = length e.left /\ (s.hole <-> e.middle = None) (** Reduction of positional search using the size information. *) let selected_part (ghost lseq:seq 'a) (ghost rseq:seq 'a) (s:selector) (sl:int) (d:'a) (sr:int) : part_base selector requires { selection_possible s (lseq ++ cons d rseq) } requires { sl = length lseq /\ sr = length rseq } returns { Here -> let e2 = { left = lseq; middle = Some d; right = rseq } in selected s e2 | Left rsl -> selection_possible rsl lseq /\ forall e. selected rsl e /\ rebuild e = lseq -> selected s (right_extend e d rseq) | Right rsr -> selection_possible rsr rseq /\ forall e. selected rsr e /\ rebuild e = rseq -> selected s (left_extend lseq d e) } = let ind = s.index in if ind > sl then Right { s with index = ind - sl - 1 } else if ind < sl then Left s else if s.hole then Left s else Here (** Full instantiation of the AVL module. *) clone avl.AVL as Sel with type selector = selector, predicate selection_possible = selection_possible, predicate selected = selected, val selected_part = selected_part, goal selection_empty, val balancing = balancing, type D.t = D.t, val D.measure = D.measure, type M.t = M.t, constant M.zero = M.zero, function M.op = M.op, goal M.assoc, goal M.neutral, function M.agg = M.agg, goal M.agg_empty, goal M.agg_sing, goal M.agg_cat, val M.zero = M.zero, val M.op = M.op (** {2 Adaptation of specification to random-access lists} A priori, the specification expected for random-access lists is different from the one obtained from the raw instance. *) (** Adapt the logical model to random-access lists, i.e strip the height from the accessible information. *) type t 'a = Sel.t 'a type m 'a = seq 'a (** Create an empty random-access list. *) let empty () : t 'a ensures { result = empty } = Sel.empty () (** Create a list with a single element. *) let singleton (d:'a) : t 'a ensures { result = singleton d } = Sel.singleton d (** Emptyness test. *) let is_empty (r:t 'a) : bool ensures { length r = 0 -> result } ensures { result -> r = empty } = Sel.is_empty r (** Pattern-matching over the list front. *) let decompose_front (r:t 'a) : option ('a,t 'a) returns { None -> r = empty | Some (hd,tl:t 'a) -> r = cons hd tl } = Sel.decompose_front r (** Pattern-matching over the list back. *) let decompose_back (r:t 'a) : option (t 'a,'a) returns { None -> r = empty | Some (lt:t 'a,dh) -> r = snoc lt dh } = Sel.decompose_back r (** Get the first element of a non-empty list. *) let front (r:t 'a) : 'a requires { length r <> 0 } ensures { result = r[0] } = Sel.front r (** Get the last element of a non-empty list. *) let back (r:t 'a) : 'a requires { length r <> 0 } ensures { result = r[length r - 1] } = Sel.back r (** Add an element at the list front. *) let cons (d:'a) (r:t 'a) : t 'a ensures { result = cons d r } = Sel.cons d r (** Add an element at the list back. *) let snoc (r:t 'a) (d:'a) : t 'a ensures { result = snoc r d } = Sel.snoc r d (** Append two lists. *) let concat (l:t 'a) (r:t 'a) : t 'a ensures { result = l ++ r } = Sel.concat l r (** Get the length of a list. *) let length (l:t 'a) : int ensures { result = length l } = Sel.total l (** Set the n-th element. *) let set (n:int) (d:'a) (l:t 'a) : t 'a requires { 0 <= n < length l } ensures { result = l[n <- d] } ensures { length result = length l } ensures { forall i:int. 0 <= i < length l /\ i <> n -> result[i] = l[i] } ensures { result[n] = d } = let ghost r = Sel.default_split () in let res = Sel.insert r { index = n; hole = false } d l in assert { res == l[n <- d] }; res (** Get the n-th element. *) let get (n:int) (l:t 'a) : 'a requires { 0 <= n < length l } ensures { result = l[n] } = let ghost r = Sel.default_split () in match Sel.get r { index = n; hole = false } l with | None -> absurd | Some d -> d end (** Insert an element in the n-th position of the list, i.e between the (n-1)-th and n-th elements of the initial list. *) let insert (n:int) (d:'a) (l:t 'a) : t 'a requires { 0 <= n <= length l } ensures { result = l[.. n] ++ cons d l[n ..] } ensures { length result = 1 + length l } ensures { forall i:int. 0 <= i < n -> result[i] = l[i] } ensures { forall i:int. n < i < length result -> result[i] = l[i-1] } ensures { result[n] = d } = let ghost r = Sel.default_split () in Sel.insert r { index = n; hole = true } d l (** Remove the n-th element. *) let remove (n:int) (l:t 'a) : t 'a requires { 0 <= n < length l } ensures { result = l[.. n] ++ l[(n+1) ..] } ensures { length result = length l - 1 } ensures { forall i:int. 0 <= i < n -> result[i] = l[i] } ensures { forall i:int. n <= i < length result -> result[i] = l[i+1] } = let ghost r = Sel.default_split () in Sel.remove r { index = n; hole = false } l (** Cut the list between the (n-1)-th and n-th elements. *) let cut (n:int) (l:t 'a) : (t 'a,t 'a) requires { 0 <= n <= length l } returns { (lf:t 'a,rg:t 'a) -> l = lf ++ rg /\ lf = l[.. n] /\ rg = l[n ..] } = let ghost r = Sel.default_split () in let sel = { index = n; hole = true } in let (lf,_,rg) = Sel.split r sel l in (lf,rg) (** Split the list on the n-th element. *) let split (n:int) (l:t 'a) : (t 'a,'a,t 'a) requires { 0 <= n < length l } returns { (lf:t 'a,md,rg:t 'a) -> l = lf ++ cons md rg /\ lf = l[.. n] /\ rg = l[(n+1) ..] } = let ghost r = Sel.default_split () in let sel = { index = n; hole = false } in let (lf,md,rg) = Sel.split r sel l in match md with None -> absurd | Some md -> (lf,md,rg) end (** tests *) let harness (a b:t int) : unit requires { length a > 43 /\ length b > 43 } requires { forall n. 0 <= n < length a -> a[n] = 0 } requires { forall n. 0 <= n < length b -> b[n] = 1 } = let a = set 1 1 a in let b = set 1 10 b in let a = set 2 2 a in let b = set 2 20 b in check { a[1] = 1 /\ a[42] = 0 }; check { b[1] = 10 /\ b[42] = 1 }; let a = remove 1 a in let b = remove 2 b in check { a[1] = 2 /\ a[42] = 0 }; check { b[2] = 1 /\ b[42] = 1 } let harness2 () : unit = (* [] *) let a = empty () in (* [2] *) let a = cons 2 a in (* [2;3] *) let a = snoc a 3 in (* [3] *) let b = match decompose_front a with | None -> absurd | Some (d,tl) -> check { d = 2 }; tl end in (* [3;2;3] *) let a = concat b a in check { a[1] = 2 } end ����������������������������������������������������������������������������������������������������������������������������������why3-1.6.0/examples/avl/ral/������������������������������������������������������������������������0000775�0000000�0000000�00000000000�14401600263�0015562�5����������������������������������������������������������������������������������������������������ustar�00root����������������������������root����������������������������0000000�0000000������������������������������������������������������������������������������������������������������������������������������������������������������������������������why3-1.6.0/examples/avl/ral/why3session.xml���������������������������������������������������������0000664�0000000�0000000�00000016575�14401600263�0020620�0����������������������������������������������������������������������������������������������������ustar�00root����������������������������root����������������������������0000000�0000000������������������������������������������������������������������������������������������������������������������������������������������������������������������������<?xml version="1.0" encoding="UTF-8"?> <!DOCTYPE why3session PUBLIC "-//Why3//proof session v5//EN" "http://why3.lri.fr/why3session.dtd"> <why3session shape_version="6"> <prover id="0" name="Alt-Ergo" version="2.3.0" timelimit="1" steplimit="0" memlimit="1000"/> <prover id="1" name="Alt-Ergo" version="2.0.0" timelimit="1" steplimit="0" memlimit="1000"/> <file format="whyml" proved="true"> <path name=".."/><path name="ral.mlw"/> <theory name="RAL" proved="true"> <goal name="balancing'vc" expl="VC for balancing" proved="true"> <proof prover="0"><result status="valid" time="0.01" steps="4"/></proof> </goal> <goal name="M.assoc" proved="true"> <proof prover="1"><result status="valid" time="0.01" steps="4"/></proof> </goal> <goal name="M.neutral" proved="true"> <proof prover="1"><result status="valid" time="0.01" steps="4"/></proof> </goal> <goal name="M.M.assoc" proved="true"> <proof prover="1"><result status="valid" time="0.01" steps="4"/></proof> </goal> <goal name="M.M.neutral" proved="true"> <proof prover="1"><result status="valid" time="0.01" steps="4"/></proof> </goal> <goal name="M.zero'vc" expl="VC for zero" proved="true"> <proof prover="1"><result status="valid" time="0.01" steps="4"/></proof> </goal> <goal name="M.op'vc" expl="VC for op" proved="true"> <proof prover="1"><result status="valid" time="0.01" steps="4"/></proof> </goal> <goal name="agg_measure_is_length'vc" expl="VC for agg_measure_is_length" proved="true"> <proof prover="1"><result status="valid" time="0.01" steps="51"/></proof> </goal> <goal name="selected_part'vc" expl="VC for selected_part" proved="true"> <proof prover="1"><result status="valid" time="0.12" steps="729"/></proof> </goal> <goal name="Sel.M.assoc" proved="true"> <proof prover="1"><result status="valid" time="0.01" steps="4"/></proof> </goal> <goal name="Sel.M.neutral" proved="true"> <proof prover="1"><result status="valid" time="0.01" steps="4"/></proof> </goal> <goal name="Sel.M.zero'refn'vc" expl="VC for zero'refn" proved="true"> <proof prover="1"><result status="valid" time="0.01" steps="4"/></proof> </goal> <goal name="Sel.M.op'refn'vc" expl="VC for op'refn" proved="true"> <proof prover="1"><result status="valid" time="0.01" steps="4"/></proof> </goal> <goal name="Sel.M.agg_empty" proved="true"> <proof prover="1"><result status="valid" time="0.02" steps="6"/></proof> </goal> <goal name="Sel.M.agg_sing" proved="true"> <proof prover="1"><result status="valid" time="0.01" steps="19"/></proof> </goal> <goal name="Sel.M.agg_cat" proved="true"> <proof prover="1"><result status="valid" time="0.01" steps="5"/></proof> </goal> <goal name="Sel.balancing'refn'vc" expl="VC for balancing'refn" proved="true"> <proof prover="1"><result status="valid" time="0.01" steps="4"/></proof> </goal> <goal name="Sel.selection_empty" proved="true"> <proof prover="1"><result status="valid" time="0.02" steps="35"/></proof> </goal> <goal name="Sel.selected_part'refn'vc" expl="VC for selected_part'refn" proved="true"> <proof prover="1"><result status="valid" time="0.10" steps="397"/></proof> </goal> <goal name="empty'vc" expl="VC for empty" proved="true"> <proof prover="1"><result status="valid" time="0.02" steps="6"/></proof> </goal> <goal name="singleton'vc" expl="VC for singleton" proved="true"> <proof prover="1"><result status="valid" time="0.02" steps="6"/></proof> </goal> <goal name="is_empty'vc" expl="VC for is_empty" proved="true"> <proof prover="1"><result status="valid" time="0.01" steps="4"/></proof> </goal> <goal name="decompose_front'vc" expl="VC for decompose_front" proved="true"> <proof prover="1"><result status="valid" time="0.03" steps="59"/></proof> </goal> <goal name="decompose_back'vc" expl="VC for decompose_back" proved="true"> <proof prover="1"><result status="valid" time="0.04" steps="59"/></proof> </goal> <goal name="front'vc" expl="VC for front" proved="true"> <proof prover="1"><result status="valid" time="0.02" steps="4"/></proof> </goal> <goal name="back'vc" expl="VC for back" proved="true"> <proof prover="1"><result status="valid" time="0.01" steps="4"/></proof> </goal> <goal name="cons'vc" expl="VC for cons" proved="true"> <proof prover="1"><result status="valid" time="0.02" steps="7"/></proof> </goal> <goal name="snoc'vc" expl="VC for snoc" proved="true"> <proof prover="1"><result status="valid" time="0.02" steps="7"/></proof> </goal> <goal name="concat'vc" expl="VC for concat" proved="true"> <proof prover="1"><result status="valid" time="0.03" steps="4"/></proof> </goal> <goal name="length'vc" expl="VC for length" proved="true"> <proof prover="1"><result status="valid" time="0.01" steps="5"/></proof> </goal> <goal name="set'vc" expl="VC for set" proved="true"> <proof prover="1"><result status="valid" time="0.20" steps="492"/></proof> </goal> <goal name="get'vc" expl="VC for get" proved="true"> <proof prover="1"><result status="valid" time="0.07" steps="106"/></proof> </goal> <goal name="insert'vc" expl="VC for insert" proved="true"> <proof prover="1"><result status="valid" time="0.28" steps="533"/></proof> </goal> <goal name="remove'vc" expl="VC for remove" proved="true"> <proof prover="1"><result status="valid" time="0.21" steps="392"/></proof> </goal> <goal name="cut'vc" expl="VC for cut" proved="true"> <proof prover="1"><result status="valid" time="0.09" steps="181"/></proof> </goal> <goal name="split'vc" expl="VC for split" proved="true"> <proof prover="1"><result status="valid" time="0.15" steps="355"/></proof> </goal> <goal name="harness'vc" expl="VC for harness" proved="true"> <transf name="split_goal_right" proved="true" > <goal name="harness'vc.0" expl="precondition" proved="true"> <proof prover="1"><result status="valid" time="0.03" steps="6"/></proof> </goal> <goal name="harness'vc.1" expl="precondition" proved="true"> <proof prover="1"><result status="valid" time="0.03" steps="9"/></proof> </goal> <goal name="harness'vc.2" expl="precondition" proved="true"> <proof prover="1"><result status="valid" time="0.01" steps="12"/></proof> </goal> <goal name="harness'vc.3" expl="precondition" proved="true"> <proof prover="1"><result status="valid" time="0.03" steps="15"/></proof> </goal> <goal name="harness'vc.4" expl="check" proved="true"> <proof prover="1"><result status="valid" time="0.06" steps="142"/></proof> </goal> <goal name="harness'vc.5" expl="check" proved="true"> <proof prover="1"><result status="valid" time="0.07" steps="142"/></proof> </goal> <goal name="harness'vc.6" expl="precondition" proved="true"> <proof prover="1"><result status="valid" time="0.03" steps="18"/></proof> </goal> <goal name="harness'vc.7" expl="precondition" proved="true"> <proof prover="1"><result status="valid" time="0.02" steps="20"/></proof> </goal> <goal name="harness'vc.8" expl="check" proved="true"> <proof prover="1"><result status="valid" time="0.58" steps="536"/></proof> </goal> <goal name="harness'vc.9" expl="check" proved="true"> <proof prover="1" timelimit="5"><result status="valid" time="1.02" steps="501"/></proof> </goal> </transf> </goal> <goal name="harness2'vc" expl="VC for harness2" proved="true"> <proof prover="1"><result status="valid" time="0.11" steps="223"/></proof> </goal> </theory> </file> </why3session> �����������������������������������������������������������������������������������������������������������������������������������why3-1.6.0/examples/avl/ral/why3shapes.gz�����������������������������������������������������������0000664�0000000�0000000�00000007475�14401600263�0020237�0����������������������������������������������������������������������������������������������������ustar�00root����������������������������root����������������������������0000000�0000000������������������������������������������������������������������������������������������������������������������������������������������������������������������������������[io9_o{,$c�Ay݅<am+)o[g1&v7bxW9V?ixJvG{ӎxJOn_=yGcy|} +;-dоmx!v݆<L[Z^7{>y8H_ӇǼ,o$jĽfq,*NLмt۬QiVUA2fGQtW:w侮ў>#>qy'%w#)􎚁 6HyhZV1o}..v>SƲ ^xV,f-cco~9ǿ(ؿ@VW&|qOaDYݧCCiǡu7!t|8!)䶍x̳̂f!q O,n~-X9XGb%~<<vxX'{Ȁ`YYXDcV,v�>?C~.[ɞ2ݟٟܸqnkn|mm7v? [u]eP6@ hix:ݻ=[xlB \vڀ�vIK0,q~wCE;Pux6(Ȼ\Y|E|պF݁)l1,a?(vcyk!?4W\A0fujFЯj>DzENe ruSvSE5@ w̶hxW{l-`{e|xH?<`eYFyUh.Nu`2QkXS1T�):ӈeK*D]P(sq 1#fCWXB3:4gW2U`y> sڧaN <*YuQ6XmNwC2,jfk j'ęx><mkv+uѹhI3〞\ֿxA 1׀K=Z,v.Yo=h/DxDxx:Dwo׈Yo^*o7Em/hϥ`nFA'.-ExkIֻ=2F]|0w<3_-g ҦÜ7t3FgD;,!%~a[ &sZMXΧyr,/ZI�:_n F%fnNT C،d*Zq:↩IW`X/Icnn䤟]qF.2)6~*|Cj-Wev; vIu!mqm@#ՕR޴$ s~h341oؼ=4Vn8^& K8.|<ux k)>k{QN8r2>적0 HM@3Y8_9Cl$dS'tV'9̽0Н?š@85\_3,ɕ|+3 .weg~oɝ+0[u]0Sk_6/:Wx oYg_ٙm{ʛ%r鯰<'lpcR(0q7r69/8Φq7a< "_~Q&_�`|mSg^:ѻO]_2EM/&BTrzT:Ut:խN5 +uj}nd-g DGq*%RN8UzWȰ~M8S$3dg0!W4 ʾ²%֞yV UiNJL|锧c'P,%WuϐF2Z <SҮW-V1zòzWA0u=޺C*׫=֯; Yi]Ԧ\](eX$6^;F2h%//?6rj=Z fˉ"h%V*!ظpONcC1Mսꕱ?r<>g#e)"B"J|=ߢ[TF]jQj{|۶SSBv6ߊX3^/ΥũZF/ nY{mi<%c|Vת"j%wݬCi֡mZ_YYҬC۬õf>of_kYmί5zzӎ)wMwrW0 F TWg 4&C%DwmB|TzT=TzTB.8A*^4ɱ}YܠO.mu/T>/ooPm~s#�JơlK'٥R�g a���`\/ uvc|x~p|oM uįԿ.I?^)NoЦ+^|?3v[V[6[O"T^J\|t_+q}OR`=b 7 ?_OTnnhxRQQ$"3 B يnM`A9=w1!KlS+ p+%^8YqbeYH!S͍lJLށ6plZ9KI51IA%TK%Dx<qɊ J6f[o HÍL!W^9!F_Q0.P*($0M rCń:^G8z" Ҙ d(d[jdJDB1cOȌ \Ti뤠\[mbI30ҪJxTz#MRm2Ȋ!^1\dx,Bν!()W!jK[1a|Fu.GyҒ] ٥Q@l&“E%"t4GؙJͨ4gBxblRk ܦL5׽"(z-L@>s)J Ȇp:%t"� %R#" `[!z@jڠWiaє+MRʄPIn(pN@o@]g  "A0!Vl\Y"�]ɨ�JyglDcN+F([" >D1+7炖 XTHOЯ/X�AK% sd$nz'XdYC4t :JJ _П 6{,2ZGrKl%F,DWZx H FLb^Ktz%\g'DQb "#Ad)@+.REd%pC+U$$ (!1.I6bŃu܂�j3a5:uJ\KxdD3#_!"I =T8 ;k"f%Y$rˍ\ПDJ&0 00?00X9 ÌX)KM)ϨDRcr pF/?&"1/jh;C1!+LH.xVmԂQR] 54a(aȰhKS@ Å:Zg a!� b-J9l@H1ԝH./؏J<Ji1e#;EZ)Qr~Qa9td"*cgze #C#d(  @y2\QL1k_K%MH"Y~_hv#0SGu  EƚO%z,Hdc]S z[i #F�����������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������why3-1.6.0/examples/avl/tables.mlw������������������������������������������������������������������0000664�0000000�0000000�00000102402�14401600263�0016776�0����������������������������������������������������������������������������������������������������ustar�00root����������������������������root����������������������������0000000�0000000������������������������������������������������������������������������������������������������������������������������������������������������������������������������ (** {1 Implementation of logarithmic-time ordered associative tables on top of AVL trees} Author: Martin Clochard *) (** {2 Shared base implementation between set and map structures} *) module MapBase use int.Int use avl.SelectionTypes use option.Option use ref.Ref use seq.Seq use mach.peano.Peano as I (** {3 Implementation parameters *) (** The level of balancing is left abstract. *) val constant balancing : I.t ensures { result > 0 } (** Stored elements are identified by totally ordered keys *) scope D type t 'a end scope K type t end clone export key_type.KeyType with type t = D.t, type key = K.t clone preorder.Computable as CO with type t = K.t, axiom . scope D let function measure 'a : unit = () end (** As we do not need any extra information in order to perform search for this particular instance, we instantiate the monoid by unit. *) scope M type t = unit constant zero : unit = () function op (_x _y:unit) : unit = () let lemma neutral_ (x:unit) : unit ensures { op zero x = x = op x zero } = match x with _ -> () end clone export monoid.Monoid with type t = t, constant zero = zero,function op = op,lemma assoc,lemma neutral clone export monoid.MonoidSumDef with type M.t = t, constant M.zero = zero,function M.op = op,goal M.assoc,goal M.neutral let zero () : unit ensures { result = () } = () let op (_x _y:unit) : unit ensures { result = () } = () end (** In associative tables, elements are selected with respect to their keys. *) type selector = K.t (** Efficient search for ordered keys can be carried out efficiently only in strictly increasing sequences. *) predicate selection_possible (_:'b) (s:seq (D.t 'a)) = forall i j. 0 <= i < j < length s -> CO.lt s[i].key s[j].key predicate upper_bound_s (k:K.t) (s:seq (D.t 'a)) = forall i. 0 <= i < length s -> CO.lt s[i].key k predicate lower_bound_s (k:K.t) (s:seq (D.t 'a)) = forall i. 0 <= i < length s -> CO.lt k s[i].key (** Selected splits correspond to sorted sequence, in which: 1) the left part precede the selector key 2) the selector key precede the right part 3) If it exists, the middle element has key equivalent to the selector *) predicate selected (k:K.t) (e:split (D.t 'a)) = let _s = rebuild e in upper_bound_s k e.left /\ lower_bound_s k e.right /\ match e.middle with None -> true | Some d -> CO.eq k d.key end (** Comparison-based binary search *) let selected_part (ghost lseq rseq:seq (D.t 'a)) (k:K.t) (_l:'e) (d:D.t 'a) (_r:'f) : part_base K.t requires { selection_possible k (lseq ++ cons d rseq) } returns { Here -> let e2 = { left = lseq; middle = Some d; right = rseq } in selected k e2 | Left sl -> selection_possible sl lseq /\ forall e. selected sl e /\ rebuild e = lseq -> selected k (right_extend e d rseq) | Right sr -> selection_possible sr rseq /\ forall e. selected sr e /\ rebuild e = rseq -> selected k (left_extend lseq d e) } = let kd = d.key in let ghost s = (lseq ++ cons d rseq) in assert { forall i. 0 <= i < length rseq -> rseq[i] = s[i+length lseq+1] }; assert { d = s[length lseq] }; let cmp = CO.compare k kd in if cmp < 0 then Left k else if cmp > 0 then Right k else Here (** Full instantiation of the avl module. *) clone avl.AVL as Sel with type selector = selector, predicate selection_possible = selection_possible, predicate selected = selected, val selected_part = selected_part, goal selection_empty, val balancing = balancing, type D.t = D.t, val D.measure = D.measure, type M.t = M.t, constant M.zero = M.zero, function M.op = M.op, goal M.assoc, goal M.neutral, function M.agg = M.agg, goal M.agg_empty, goal M.agg_sing, goal M.agg_cat, val M.zero = M.zero, val M.op = M.op (** {3 Adaptation of the specification to associative tables} *) (** Extra invariant: sequence sorted *) type t 'a = { field : Sel.t 'a } invariant { selection_possible () field } by { field = Sel.empty () } type m 'a = { domn : K.t -> bool; func : K.t -> D.t 'a; card : int; } predicate domain (s:seq (D.t 'a)) (k:K.t) = exists i. 0 <= i < length s /\ CO.eq s[i].key k let ghost function make_func (s:seq (D.t 'a)) (k:K.t) : D.t 'a requires { selection_possible () s /\ domain s k } ensures { forall i. 0 <= i < length s /\ CO.eq s[i].key k -> result = s[i] } = let j = ref 0 in while not CO.eq s[!j].key k do invariant { 0 <= !j < length s } invariant { CO.le s[!j].key k } variant { length s - !j } j := !j + 1 done; s[!j] function m (t:t 'a) : m 'a = { domn = fun y -> domain t.field y; func = fun y -> make_func t.field y; card = length t.field } meta coercion function m let lemma correction (t:t 'a) ensures { forall k1 k2. CO.eq k1 k2 -> t.domn k1 <-> t.domn k2 } ensures { forall k1 k2. CO.eq k1 k2 /\ t.domn k1 -> t.func k1 = t.func k2 } ensures { forall k. t.domn k -> CO.eq k (t.func k).key } ensures { t.card >= 0 } = () (* Link model and selection. *) let lemma selected_model (k0:K.t) (e:split (D.t 'a)) requires { selection_possible k0 (rebuild e) } requires { selected k0 e } ensures { let s = rebuild e in match e.middle with | None -> forall k. CO.eq k k0 -> not domain s k | Some d -> forall k. CO.eq k k0 -> domain s k /\ make_func s k = d by s[length e.left] = d so CO.eq d.key k end /\ (forall k. CO.le k k0 -> not domain e.right k) /\ (forall k. CO.le k0 k -> not domain e.left k) /\ (forall k. CO.lt k0 k -> domain e.right k <-> domain s k) /\ (forall k. CO.lt k k0 -> domain e.left k <-> domain s k) /\ (forall k. CO.lt k0 k /\ domain e.right k -> make_func e.right k = make_func s k) /\ (forall k. CO.lt k k0 /\ domain e.left k -> make_func e.left k = make_func s k) } = () (* Link selection and sortedness. *) let lemma selected_sorted (k0:K.t) (e:split (D.t 'a)) requires { selected k0 e } ensures { selection_possible k0 (rebuild e) <-> selection_possible k0 e.left /\ selection_possible k0 e.right } = () (** Create an empty associative table. *) let empty () : t 'a ensures { result.card = 0 /\ forall k. not result.domn k } = { field = Sel.empty () } (** Create an associative table with a single element. *) let singleton (d:D.t 'a) : t 'a ensures { forall k. result.domn k <-> CO.eq k d.key } ensures { forall k. CO.eq k d.key -> result.func k = d } ensures { result.card = 1 } = { field = Sel.singleton d } (** Check emptyness of an associative table. *) let is_empty (ghost rk:ref K.t) (t:t 'a) : bool ensures { result -> forall k. not t.domn k } ensures { not result -> t.domn !rk } ensures { result <-> t.card = 0 } = let res = Sel.is_empty t.field in ghost if not res then rk := t.field.Sel.m.Sel.seq[0].key; res let min (t:t 'a) : D.t 'a requires { t.card > 0 } ensures { t.domn result.key /\ t.func result.key = result } ensures { forall k. t.domn k -> CO.le result.key k } = Sel.front t.field let max (t:t 'a) : D.t 'a requires { t.card > 0 } ensures { t.domn result.key /\ t.func result.key = result } ensures { forall k. t.domn k -> CO.le k result.key } = Sel.back t.field (** Get and extract the element with minimum key from the table. *) let decompose_min (t:t 'a) : option (D.t 'a,t 'a) returns { None -> t.card = 0 /\ forall k. not t.domn k | Some (d,r:t 'a) -> t.card = r.card + 1 /\ t.domn d.key /\ t.func d.key = d /\ not r.domn d.key /\ (forall k. CO.lt k d.key -> not t.domn k) /\ (forall k. CO.eq k d.key -> t.func k = d) /\ (forall k. CO.le k d.key -> not r.domn k) /\ (forall k. CO.lt d.key k -> r.domn k <-> t.domn k) /\ (forall k. CO.lt d.key k /\ r.domn k -> r.func k = t.func k) } = match Sel.decompose_front t.field with | None -> None | Some (d,r) -> Some (d,{ field = r }) end (** Get and extract the element with maximum key from the table. *) let decompose_max (t:t 'a) : option (t 'a,D.t 'a) returns { None -> t.card = 0 /\ forall k. not t.domn k | Some (l:t 'a,d) -> t.card = l.card + 1 /\ t.domn d.key /\ t.func d.key = d /\ not l.domn d.key /\ (forall k. CO.lt d.key k -> not t.domn k) /\ (forall k. CO.eq k d.key -> t.func k = d) /\ (forall k. CO.le d.key k -> not l.domn k) /\ (forall k. CO.lt k d.key -> l.domn k <-> t.domn k) /\ (forall k. CO.lt k d.key /\ l.domn k -> l.func k = t.func k) } = match Sel.decompose_back t.field with | None -> None | Some (l,d) -> Some ({ field = l },d) end (** Optimized insertion of an element with minimum key. *) let add_min (d:D.t 'a) (t:t 'a) : t 'a requires { forall k. t.domn k -> CO.lt d.key k } ensures { result.card = t.card + 1 } ensures { forall k. CO.lt k d.key -> not result.domn k } ensures { forall k. CO.eq k d.key -> result.domn k /\ result.func k = d } ensures { forall k. CO.lt d.key k -> result.domn k <-> t.domn k } ensures { forall k. CO.lt d.key k /\ result.domn k -> result.func k = t.func k } = { field = Sel.cons d t.field } (** Optimized insertion of an element with maximal key. *) let add_max (t:t 'a) (d:D.t 'a) : t 'a requires { forall k. t.domn k -> CO.lt k d.key } ensures { result.card = t.card + 1 } ensures { forall k. CO.lt d.key k -> not result.domn k } ensures { forall k. CO.eq k d.key -> result.domn k /\ result.func k = d } ensures { forall k. CO.lt k d.key -> result.domn k <-> t.domn k } ensures { forall k. CO.lt k d.key /\ result.domn k -> result.func k = t.func k } = { field = Sel.snoc t.field d } (** Ordered union of two associative tables. *) let ordered_union (l r:t 'a) : t 'a requires { forall k1 k2. l.domn k1 /\ r.domn k2 -> CO.lt k1 k2 } ensures { forall k. result.domn k <-> l.domn k \/ r.domn k } ensures { forall k. result.domn k /\ l.domn k -> result.func k = l.func k } ensures { forall k. result.domn k /\ r.domn k -> result.func k = r.func k } ensures { result.card = l.card + r.card } = { field = Sel.concat l.field r.field } (** Get the value associated to a key in the table, if it exists. *) let get (k:K.t) (t:t 'a) : option (D.t 'a) returns { None -> not t.domn k | Some d -> t.card > 0 /\ CO.eq d.key k /\ t.domn k /\ t.func k = d } = Sel.get (Sel.default_split ()) k t.field (** Insert a value in the table. Erase binding if the key was already present. *) let insert (d:D.t 'a) (t:t 'a) : t 'a ensures { result.card = if t.domn d.key then t.card else t.card + 1 } ensures { forall k. CO.eq k d.key -> result.domn k /\ result.func k = d } ensures { result.domn d.key /\ result.func d.key = d } ensures { forall k. not CO.eq k d.key -> result.domn k <-> t.domn k } ensures { forall k. not CO.eq k d.key /\ result.domn k -> result.func k = t.func k } = let r0 = Sel.default_split () in let t2 = Sel.insert r0 d.key d t.field in selected_model d.key !r0; let r1 = { !r0 with middle = Some d } in assert { rebuild r1 = t2 }; selected_model d.key r1; { field = t2 } (** Erase any binding associated to the given key. *) let remove (k0:K.t) (t:t 'a) : t 'a ensures { result.card = if t.domn k0 then t.card - 1 else t.card } ensures { forall k. CO.eq k k0 -> not result.domn k } ensures { not result.domn k0 } ensures { forall k. not CO.eq k k0 -> result.domn k <-> t.domn k } ensures { forall k. not CO.eq k k0 /\ result.domn k -> result.func k = t.func k } = { field = Sel.remove (Sel.default_split ()) k0 t.field } (** Split the table in three: elements before the key, element associated to the key (if exists), elements after the key. *) let split (k0:K.t) (t:t 'a) : (t 'a,option (D.t 'a),t 'a) returns { (lf:t 'a,o,rg:t 'a) -> (forall k. CO.lt k k0 -> lf.domn k <-> t.domn k) /\ (forall k. CO.lt k k0 /\ lf.domn k -> lf.func k = t.func k) /\ (forall k. CO.le k0 k -> not lf.domn k) /\ (forall k. CO.lt k0 k -> rg.domn k <-> t.domn k) /\ (forall k. CO.lt k0 k /\ rg.domn k -> rg.func k = t.func k) /\ (forall k. CO.le k k0 -> not rg.domn k) /\ match o with | None -> t.card = lf.card + rg.card /\ (forall k. CO.eq k k0 -> not t.domn k) /\ not t.domn k0 | Some d -> t.card = lf.card + rg.card + 1 /\ CO.eq d.key k0 /\ (forall k. CO.eq k k0 -> t.domn k /\ t.func k = d) /\ t.domn k0 /\ t.func k0 = d end } = let lf,o,rg = Sel.split (Sel.default_split ()) k0 t.field in ({ field = lf }, o, { field = rg }) (** {3 Extension with set-theoretic routines } Those routines go beyond single-call to the AVL trees function. Also, unlike previous routines they are not logarithmic-time but linear-time instead. *) (** Internal specification wrappers over the AVL view and join routines. *) type view 'a = | AEmpty | ANode (t 'a) (D.t 'a) (t 'a) I.t let view (t:t 'a) : view 'a returns { AEmpty -> t.card = 0 /\ forall k:K.t. not t.domn k | ANode l d r h -> t.card = 1 + l.card + r.card /\ h = t.field.Sel.hgt /\ let k0 = d.key in (forall k. CO.lt k k0 -> l.domn k <-> t.domn k) /\ (forall k. CO.lt k k0 /\ l.domn k -> l.func k = t.func k) /\ (forall k. CO.le k0 k -> not l.domn k) /\ (forall k. CO.lt k0 k -> r.domn k <-> t.domn k) /\ (forall k. CO.lt k0 k /\ r.domn k -> r.func k = t.func k) /\ (forall k. CO.le k k0 -> not r.domn k) /\ (forall k. CO.eq k k0 -> t.domn k /\ t.func k = d) /\ t.domn k0 /\ t.func k0 = d } = match Sel.view t.field with | Sel.AEmpty -> AEmpty | Sel.ANode l d r h _ -> ANode { field = l } d { field = r } h end let join (l:t 'a) (d:D.t 'a) (r:t 'a) : t 'a requires { forall k. l.domn k -> CO.lt k d.key } requires { forall k. r.domn k -> CO.lt d.key k } ensures { forall k. CO.lt k d.key -> result.domn k <-> l.domn k } ensures { forall k. CO.lt k d.key /\ result.domn k -> result.func k = l.func k } ensures { forall k. CO.lt d.key k -> result.domn k <-> r.domn k } ensures { forall k. CO.lt d.key k /\ result.domn k -> result.func k = r.func k } ensures { forall k. CO.eq k d.key -> result.domn k /\ result.func k = d } ensures { result.card = 1 + l.card + r.card } = let ghost s = { left = l.field.Sel.m.Sel.seq; middle = Some d; right = r.field.Sel.m.Sel.seq } in assert { selected d.key s }; { field = Sel.join l.field d r.field } (** Add every element from `a` into `t`. *) let rec add_all (a:t 'a) (t:t 'a) : t 'a ensures { forall k. result.domn k <-> a.domn k \/ t.domn k } ensures { forall k. a.domn k -> result.func k = a.func k } ensures { forall k. t.domn k /\ not a.domn k -> result.func k = t.func k } ensures { result.card >= a.card /\ result.card >= t.card } ensures { result.card <= a.card + t.card } variant { a.m.card + t.m.card } = match view a with | AEmpty -> t | ANode al ad ar ah -> match view t with | AEmpty -> a | ANode tl td tr th -> if I.le ah th then let (al,ad,ar) = split td.key a in let ul = add_all al tl in let ur = add_all ar tr in let ud = match ad with | None -> td | Some ad -> ad end in join ul ud ur else let (tl,_,tr) = split ad.key t in let ul = add_all al tl in let ur = add_all ar tr in join ul ad ur end end (** Create the table with the elements of `a` whose key appear in `p`. *) let rec filter (p:t 'b) (a:t 'a) : t 'a ensures { forall k. result.domn k <-> a.domn k /\ p.domn k } ensures { forall k. result.domn k -> result.func k = a.func k } ensures { result.m.card <= a.m.card /\ result.m.card <= p.m.card } variant { a.m.card + p.m.card } = match view a with | AEmpty -> a | ANode al ad ar ah -> match view p with | AEmpty -> empty () | ANode pl pd pr ph -> if I.le ah ph then let (al,ad,ar) = split pd.key a in let fl = filter pl al in let fr = filter pr ar in match ad with | None -> ordered_union fl fr | Some ad -> join fl ad fr end else let (pl,pd,pr) = split ad.key p in let fl = filter pl al in let fr = filter pr ar in match pd with | None -> ordered_union fl fr | _ -> join fl ad fr end end end (** Complement of `filter`: remove from `a` every element whose key appear in `p`. *) let rec remove_all (p:t 'b) (a:t 'a) : t 'a ensures { forall k. result.domn k <-> a.domn k /\ not p.domn k } ensures { forall k. result.domn k -> result.func k = a.func k } ensures { result.m.card <= a.m.card } variant { a.m.card + p.m.card } = match view a with | AEmpty -> a | ANode al ad ar ah -> match view p with | AEmpty -> a | ANode pl pd pr ph -> if I.le ah ph then let (al,_,ar) = split pd.key a in let fl = remove_all pl al in let fr = remove_all pr ar in ordered_union fl fr else let (pl,pd,pr) = split ad.key p in let fl = remove_all pl al in let fr = remove_all pr ar in match pd with | None -> join fl ad fr | _ -> ordered_union fl fr end end end (** Create a table with the elements that appear exactly in one of `a` and `b`, but not both. *) let rec symdiff (a b:t 'a) : t 'a ensures { forall k. result.domn k <-> not (a.domn k <-> b.domn k) } ensures { forall k. result.domn k /\ a.domn k -> result.func k = a.func k } ensures { forall k. result.domn k /\ b.domn k -> result.func k = b.func k } ensures { result.m.card <= a.m.card + b.m.card } variant { a.m.card + b.m.card } = match view a with | AEmpty -> b | ANode al ad ar ah -> match view b with | AEmpty -> a | ANode bl bd br bh -> if I.le ah bh then let (al,ad,ar) = split bd.key a in let sl = symdiff al bl in let sr = symdiff ar br in match ad with | None -> join sl bd sr | _ -> ordered_union sl sr end else let (bl,bd,br) = split ad.key b in let sl = symdiff al bl in let sr = symdiff ar br in match bd with | None -> join sl ad sr | _ -> ordered_union sl sr end end end end (** {2 Instantiation of the base to key-value ordered associative tables} *) module Map use int.Int use option.Option use ref.Ref use mach.peano.Peano as I val constant balancing : I.t ensures { result > 0 } (** Parameter: key type with computable total preorder. *) scope K type t end clone preorder.Computable as CO with type t = K.t, axiom . (** Elements are key-value pairs *) scope D type t 'a = (K.t,'a) let function key (t:t 'a) : K.t = let (a,_) = t in a end (** Direct instantiation. *) clone MapBase as MB with val balancing = balancing, type K.t = K.t, type D.t = D.t, val key = D.key, predicate CO.le = CO.le, goal CO.Refl, goal CO.Trans, goal CO.Total, predicate CO.lt = CO.lt, goal CO.lt_def, predicate CO.eq = CO.eq, goal CO.eq_def, val CO.compare = CO.compare (** Slight adaptation of the logical model (get rid of keys in the output) *) type t 'a = MB.t 'a type m 'a = { domn : K.t -> bool; func : K.t -> 'a; card : int; } function m (t:t 'a) : m 'a = { domn = t.MB.domn; func = fun k -> let (_,v) = t.MB.func k in v; card = t.MB.m.MB.card } meta coercion function m let lemma correction (t:t 'a) ensures { forall k1 k2. CO.eq k1 k2 -> t.domn k1 <-> t.domn k2 } ensures { forall k1 k2. CO.eq k1 k2 /\ t.domn k1 -> t.func k1 = t.func k2 } = () let empty () : t 'a ensures { forall k. not result.domn k } ensures { result.card = 0 } = MB.empty () (** Create a table with a single key->value binding. *) let singleton (k0:K.t) (v:'a) : t 'a ensures { forall k. result.domn k <-> CO.eq k k0 } ensures { forall k. CO.eq k k0 -> result.func k = v } ensures { result.domn k0 /\ result.func k0 = v } ensures { result.card = 1 } = MB.singleton (k0,v) (** Check emptyness of a table. *) let is_empty (ghost rk:ref K.t) (t:t 'a) : bool ensures { result -> forall k. not t.domn k } ensures { not result -> t.domn !rk } ensures { result <-> t.m.card = 0 } = MB.is_empty rk t let min_binding (t:t 'a) : (K.t,'a) requires { t.card > 0 } returns { (k,v) -> t.domn k /\ t.func k = v /\ forall k2. t.domn k2 -> CO.le k k2 } = MB.min t let max_binding (t:t 'a) : (K.t,'a) requires { t.card > 0 } returns { (k,v) -> t.domn k /\ t.func k = v /\ forall k2. t.domn k2 -> CO.le k2 k } = MB.max t (** Get and extract the (key->value) binding with minimum key. *) let decompose_min (t:t 'a) : option ((K.t,'a),t 'a) returns { None -> t.card = 0 /\ forall k. not t.domn k | Some ((k0,v),r:t 'a) -> t.card = r.card + 1 /\ t.domn k0 /\ t.func k0 = v /\ not r.domn k0 /\ (forall k. CO.lt k k0 -> not t.domn k) /\ (forall k. CO.eq k k0 -> t.func k = v) /\ (forall k. CO.le k k0 -> not r.domn k) /\ (forall k. CO.lt k0 k -> r.domn k <-> t.domn k) /\ (forall k. CO.lt k0 k /\ r.domn k -> r.func k = t.func k) } = MB.decompose_min t (** Get and extract the (key->value) binding with maximum key. *) let decompose_max (t:t 'a) : option (t 'a,(K.t,'a)) returns { None -> t.card = 0 /\ forall k. not t.domn k | Some (l:t 'a,(k0,v)) -> t.card = l.card + 1 /\ t.domn k0 /\ t.func k0 = v /\ not l.domn k0 /\ (forall k. CO.lt k0 k -> not t.domn k) /\ (forall k. CO.eq k k0 -> t.func k = v) /\ (forall k. CO.le k0 k -> not l.domn k) /\ (forall k. CO.lt k k0 -> l.domn k <-> t.domn k) /\ (forall k. CO.lt k k0 /\ l.domn k -> l.func k = t.func k) } = MB.decompose_max t (** Add a key->value binding with minimal key. *) let add_min_binding (k0:K.t) (v:'a) (t:t 'a) : t 'a requires { forall k. t.domn k -> CO.lt k0 k } ensures { result.card = t.card + 1 } ensures { forall k. CO.lt k k0 -> not result.domn k } ensures { forall k. CO.eq k k0 -> result.domn k /\ result.func k = v } ensures { forall k. CO.lt k0 k -> result.domn k <-> t.domn k } ensures { forall k. CO.lt k0 k /\ result.domn k -> result.func k = t.func k } ensures { result.domn k0 /\ result.func k0 = v } = MB.add_min (k0,v) t (** Add a key->value binding with maximal key. *) let add_max_binding (k0:K.t) (v:'a) (t:t 'a) : t 'a requires { forall k. t.domn k -> CO.lt k k0 } ensures { result.card = t.card + 1 } ensures { forall k. CO.lt k0 k -> not result.domn k } ensures { forall k. CO.eq k k0 -> result.domn k /\ result.func k = v } ensures { forall k. CO.lt k k0 -> result.domn k <-> t.domn k } ensures { forall k. CO.lt k k0 /\ result.domn k -> result.func k = t.func k } ensures { result.domn k0 /\ result.func k0 = v } = MB.add_max t (k0,v) (** Ordered fusion of two associative tables. *) let ordered_join (l r:t 'a) : t 'a requires { forall k1 k2. l.domn k1 /\ r.domn k2 -> CO.lt k1 k2 } ensures { forall k. result.domn k <-> l.domn k \/ r.domn k } ensures { forall k. result.domn k /\ l.domn k -> result.func k = l.func k } ensures { forall k. result.domn k /\ r.domn k -> result.func k = r.func k } ensures { result.card = l.card + r.card } = MB.ordered_union l r (** Extract the value associated to some key. *) let get (k:K.t) (t:t 'a) : option 'a returns { None -> not t.domn k | Some v -> t.card > 0 /\ t.domn k /\ t.func k = v } = match MB.get k t with | None -> None | Some (_,v) -> Some v end (** Set the binding for key `k`, erasing any such previous binding. *) let insert (k0:K.t) (v:'a) (t:t 'a) : t 'a ensures { result.card = if t.domn k0 then t.card else t.card + 1 } ensures { forall k. CO.eq k k0 -> result.domn k /\ result.func k = v } ensures { result.domn k0 /\ result.func k0 = v } ensures { forall k. not CO.eq k k0 -> result.domn k <-> t.domn k } ensures { forall k. not CO.eq k k0 /\ result.domn k -> result.func k = t.func k } = MB.insert (k0,v) t (** Erase any potential binding for key `k`. *) let remove (k0:K.t) (t:t 'a) : t 'a ensures { result.card = if t.domn k0 then t.card - 1 else t.card } ensures { forall k. CO.eq k k0 -> not result.domn k } ensures { not result.domn k0 } ensures { forall k. not CO.eq k k0 -> result.domn k <-> t.domn k } ensures { forall k. not CO.eq k k0 /\ result.domn k -> result.func k = t.func k } = MB.remove k0 t (** Split the table in three parts: Bindings with key lower than `k`, value associated to `k`, and bindings with key greater than `k`. *) let split (k0:K.t) (t:t 'a) : (t 'a,option 'a,t 'a) returns { (lf:t 'a,o,rg:t 'a) -> (forall k. CO.lt k k0 -> lf.domn k <-> t.domn k) /\ (forall k. CO.lt k k0 /\ lf.domn k -> lf.func k = t.func k) /\ (forall k. CO.le k0 k -> not lf.domn k) /\ (forall k. CO.lt k0 k -> rg.domn k <-> t.domn k) /\ (forall k. CO.lt k0 k /\ rg.domn k -> rg.func k = t.func k) /\ (forall k. CO.le k k0 -> not rg.domn k) /\ match o with | None -> t.card = lf.card + rg.card /\ (forall k. CO.eq k k0 -> not t.domn k) /\ not t.domn k0 | Some v -> t.card = lf.card + rg.card + 1 /\ (forall k. CO.eq k k0 -> t.domn k /\ t.func k = v) /\ t.domn k0 /\ t.func k0 = v end } = let (lf,o,rg) = MB.split k0 t in let o = match o with None -> None | Some (_,v) -> Some v end in (lf,o,rg) end (** {2 Instantiation of the base to ordered sets} *) module Set use int.Int use option.Option use ref.Ref use import mach.peano.Peano as I (** The balancing level is left abstract. *) val constant balancing : I.t ensures { result > 0 } (** Parameter: comparable elements. *) scope K type t end clone preorder.Computable as CO with type t = K.t, axiom . (** Elements are themselves the keys. *) scope D type t 'a = K.t let function key (x:'a) : 'a = x end (** Actual instantiation. *) clone MapBase as MB with val balancing = balancing, type K.t = K.t, type D.t = D.t, val key = D.key, predicate CO.le = CO.le, goal CO.Refl, goal CO.Trans, goal CO.Total, predicate CO.lt = CO.lt, goal CO.lt_def, predicate CO.eq = CO.eq, goal CO.eq_def, val CO.compare = CO.compare (** Minor adaptation of the logical model: only keep the set of elements. In fact, the functions from MapBase can been used as-is (but may be over-specifications) The following specifications wrappers are only given for demonstration. *) type t = MB.t unit function set (m:MB.m unit) : K.t -> bool = m.MB.domn function card (m:MB.m unit) : int = m.MB.card (** Invariant on the logical model. *) let lemma correction (t:t) : unit ensures { forall k1 k2:K.t. CO.eq k1 k2 -> t.set k1 <-> t.set k2 } ensures { t.card >= 0 } = () (** Create an empty set. *) let empty () : t ensures { forall k. not result.set k } ensures { result.card = 0 } = MB.empty () (** Create a singleton set. *) let singleton (k0:K.t) : t ensures { forall k. result.set k <-> CO.eq k k0 } ensures { result.set k0 } ensures { result.card = 1 } = MB.singleton k0 (** Test emptyness of a set. *) let is_empty (ghost rk:ref K.t) (t:t) : bool ensures { result -> forall k. not t.set k } ensures { not result -> t.set !rk } ensures { result <-> t.card = 0 } = MB.is_empty rk t (** Minimum element of a set. *) let min_elt (t:t) : K.t requires { t.card > 0 } ensures { t.set result } ensures { forall k. t.set k -> CO.le result k } = MB.min t (** Maximum element of a set. *) let max_elt (t:t) : K.t requires { t.card > 0 } ensures { t.set result } ensures { forall k. t.set k -> CO.le k result } = MB.max t (** Get and remove minimum element from a set. *) let decompose_min (t:t) : option (K.t,t) returns { None -> t.card = 0 /\ forall k. not t.set k | Some (k0,r:t) -> t.card = r.card + 1 /\ t.set k0 /\ not r.set k0 /\ (forall k. CO.lt k k0 -> not t.set k) /\ (forall k. CO.le k k0 -> not r.set k) /\ (forall k. CO.lt k0 k -> r.set k <-> t.set k) } = MB.decompose_min t (** Get and remove maximum element from a set. *) let decompose_max (t:t) : option (t,K.t) returns { None -> t.card = 0 /\ forall k. not t.set k | Some (l:t,k0) -> t.card = l.card + 1 /\ t.set k0 /\ not l.set k0 /\ (forall k. CO.lt k0 k -> not t.set k) /\ (forall k. CO.le k0 k -> not l.set k) /\ (forall k. CO.lt k0 k -> l.set k <-> t.set k) } = MB.decompose_max t (** Add minimal element to a set. *) let add_min_elt (k0:K.t) (t:t) : t requires { forall k. t.set k -> CO.lt k0 k } ensures { result.card = t.card + 1 } ensures { forall k. CO.lt k k0 -> not result.set k } ensures { forall k. CO.lt k0 k -> result.set k <-> t.set k } = MB.add_min k0 t (** Add maximal element to a set. *) let add_max_elt (t:t) (k0:K.t) : t requires { forall k. t.set k -> CO.lt k k0 } ensures { result.card = t.card + 1 } ensures { forall k. CO.lt k0 k -> not result.set k } ensures { forall k. CO.lt k k0 -> result.set k <-> t.set k } = MB.add_max t k0 (** Ordered union of two sets. *) let ordered_union (l r:t) : t requires { forall k1 k2. l.set k1 /\ r.set k2 -> CO.lt k1 k2 } ensures { forall k. result.set k <-> l.set k \/ r.set k } ensures { result.card = l.card + r.card } = MB.ordered_union l r (** Test membership of an element. *) let mem (k0:K.t) (t:t) : bool ensures { result <-> t.set k0 } ensures { result -> forall k. CO.eq k k0 -> t.set k } ensures { forall k. CO.eq k k0 /\ t.set k -> result } ensures { result -> t.card > 0 } = match MB.get k0 t with None -> false | _ -> true end (** Add an element to a set. *) let add (k0:K.t) (t:t) : t ensures { result.card = if t.set k0 then t.card else t.card + 1 } ensures { forall k. CO.eq k k0 -> result.set k } ensures { result.set k0 } ensures { forall k. not CO.eq k k0 -> result.set k <-> t.set k } = MB.insert k0 t (** Remove an element from a set. *) let remove (k0:K.t) (t:t) : t ensures { result.card = if t.set k0 then t.card - 1 else t.card } ensures { forall k. CO.eq k k0 -> not result.set k } ensures { not result.set k0 } ensures { forall k. not CO.eq k k0 -> result.set k <-> t.set k } = MB.remove k0 t (** Split the set into three parts: elements lower than `k`, elements equal to `k`, and elements bigger than `k` *) let split (k0:K.t) (t:t) : (t,bool,t) returns { (lf:t,b,rg:t) -> (forall k. CO.lt k k0 -> lf.set k <-> t.set k) /\ (forall k. CO.le k0 k -> not lf.set k) /\ (forall k. CO.lt k0 k -> rg.set k <-> t.set k) /\ (forall k. CO.le k k0 -> not rg.set k) /\ t.card = lf.card + rg.card + (if b then 1 else 0) /\ (b <-> t.set k0) /\ (b -> forall k. CO.eq k k0 -> t.set k) /\ (forall k. CO.eq k k0 /\ t.set k -> b) } = let (lf,o,rg) = MB.split k0 t in let b = match o with None -> false | _ -> true end in (lf,b,rg) (** Extension: set-theoretic routines. *) (** Compute the union of two sets. *) let union (a b:t) : t ensures { forall k. result.set k <-> a.set k \/ b.set k } ensures { result.card >= a.card /\ result.card >= b.card } ensures { result.card <= a.card + b.card } = MB.add_all a b (** Compute the intersection of two sets. *) let inter (a b:t) : t ensures { forall k. result.set k <-> a.set k /\ b.set k } ensures { result.card <= a.card /\ result.card <= b.card } = MB.filter a b (** Compute the difference of two sets. *) let diff (a b:t) : t ensures { forall k. result.set k <-> a.set k /\ not b.set k } ensures { result.card <= a.card } = MB.remove_all b a (** Compute the symmetrical difference of two sets. *) let symdiff (a b:t) : t ensures { forall k. result.set k <-> not (a.set k <-> b.set k) } ensures { result.card <= a.card + b.card } = MB.symdiff a b end (** Example instances: integer keys/elements *) module IMapAndSet use int.Int use mach.peano.Peano as I scope K type t = int end let constant balancing : I.t = I.succ I.zero predicate le (x y:int) = x <= y predicate eq (x y:int) = x = y predicate lt (x y:int) = x < y let compare (x y:int) : int ensures { result = x - y } = x - y clone Map as M with val balancing = balancing, type K.t = K.t, predicate CO.le = le, predicate CO.lt = lt, predicate CO.eq = eq, goal CO.lt_def, goal CO.eq_def, goal CO.Refl, goal CO.Trans, goal CO.Total, val CO.compare = compare clone Set as S with val balancing = balancing, type K.t = K.t, predicate CO.le = le, predicate CO.lt = lt, predicate CO.eq = eq, goal CO.lt_def, goal CO.eq_def, goal CO.Refl, goal CO.Trans, goal CO.Total, val CO.compare = compare end ��������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������why3-1.6.0/examples/avl/tables/���������������������������������������������������������������������0000775�0000000�0000000�00000000000�14401600263�0016256�5����������������������������������������������������������������������������������������������������ustar�00root����������������������������root����������������������������0000000�0000000������������������������������������������������������������������������������������������������������������������������������������������������������������������������why3-1.6.0/examples/avl/tables/why3session.xml������������������������������������������������������0000664�0000000�0000000�00000141345�14401600263�0021306�0����������������������������������������������������������������������������������������������������ustar�00root����������������������������root����������������������������0000000�0000000������������������������������������������������������������������������������������������������������������������������������������������������������������������������<?xml version="1.0" encoding="UTF-8"?> <!DOCTYPE why3session PUBLIC "-//Why3//proof session v5//EN" "http://why3.lri.fr/why3session.dtd"> <why3session shape_version="6"> <prover id="0" name="CVC4" version="1.7" timelimit="5" steplimit="0" memlimit="1000"/> <prover id="1" name="Alt-Ergo" version="2.3.0" timelimit="1" steplimit="0" memlimit="1000"/> <prover id="4" name="CVC4" version="1.5" timelimit="5" steplimit="0" memlimit="1000"/> <prover id="5" name="Alt-Ergo" version="2.0.0" timelimit="1" steplimit="0" memlimit="1000"/> <file format="whyml" proved="true"> <path name=".."/><path name="tables.mlw"/> <theory name="MapBase" proved="true"> <goal name="balancing'vc" expl="VC for balancing" proved="true"> <proof prover="1"><result status="valid" time="0.01" steps="4"/></proof> </goal> <goal name="M.neutral_'vc" expl="VC for neutral_" proved="true"> <proof prover="5"><result status="valid" time="0.01" steps="4"/></proof> </goal> <goal name="M.assoc" proved="true"> <proof prover="5"><result status="valid" time="0.01" steps="4"/></proof> </goal> <goal name="M.neutral" proved="true"> <proof prover="4"><result status="valid" time="0.02" steps="9472"/></proof> </goal> <goal name="M.M.assoc" proved="true"> <proof prover="5"><result status="valid" time="0.01" steps="4"/></proof> </goal> <goal name="M.M.neutral" proved="true"> <proof prover="4"><result status="valid" time="0.02" steps="10938"/></proof> </goal> <goal name="M.zero'vc" expl="VC for zero" proved="true"> <proof prover="5"><result status="valid" time="0.01" steps="4"/></proof> </goal> <goal name="M.op'vc" expl="VC for op" proved="true"> <proof prover="5"><result status="valid" time="0.01" steps="4"/></proof> </goal> <goal name="selected_part'vc" expl="VC for selected_part" proved="true"> <transf name="split_goal_right" proved="true" > <goal name="selected_part'vc.0" expl="assertion" proved="true"> <proof prover="5"><result status="valid" time="0.02" steps="25"/></proof> </goal> <goal name="selected_part'vc.1" expl="assertion" proved="true"> <proof prover="5"><result status="valid" time="0.01" steps="10"/></proof> </goal> <goal name="selected_part'vc.2" expl="postcondition" proved="true"> <transf name="split_goal_right" proved="true" > <goal name="selected_part'vc.2.0" expl="VC for selected_part" proved="true"> <proof prover="5"><result status="valid" time="0.12" steps="408"/></proof> </goal> <goal name="selected_part'vc.2.1" expl="VC for selected_part" proved="true"> <proof prover="5"><result status="valid" time="0.02" steps="52"/></proof> </goal> <goal name="selected_part'vc.2.2" expl="VC for selected_part" proved="true"> <transf name="split_goal_right" proved="true" > <goal name="selected_part'vc.2.2.0" expl="VC for selected_part" proved="true"> <proof prover="5" timelimit="5"><result status="valid" time="1.54" steps="2671"/></proof> </goal> <goal name="selected_part'vc.2.2.1" expl="VC for selected_part" proved="true"> <proof prover="5"><result status="valid" time="0.03" steps="34"/></proof> </goal> <goal name="selected_part'vc.2.2.2" expl="VC for selected_part" proved="true"> <proof prover="5"><result status="valid" time="0.02" steps="30"/></proof> </goal> </transf> </goal> <goal name="selected_part'vc.2.3" expl="VC for selected_part" proved="true"> <proof prover="5"><result status="valid" time="0.02" steps="51"/></proof> </goal> <goal name="selected_part'vc.2.4" expl="VC for selected_part" proved="true"> <proof prover="5"><result status="valid" time="0.52" steps="1483"/></proof> </goal> </transf> </goal> </transf> </goal> <goal name="Sel.M.assoc" proved="true"> <proof prover="5"><result status="valid" time="0.02" steps="4"/></proof> </goal> <goal name="Sel.M.neutral" proved="true"> <proof prover="4"><result status="valid" time="0.04" steps="11994"/></proof> </goal> <goal name="Sel.M.zero'refn'vc" expl="VC for zero'refn" proved="true"> <proof prover="5"><result status="valid" time="0.00" steps="4"/></proof> </goal> <goal name="Sel.M.op'refn'vc" expl="VC for op'refn" proved="true"> <proof prover="5"><result status="valid" time="0.01" steps="4"/></proof> </goal> <goal name="Sel.M.agg_empty" proved="true"> <proof prover="5"><result status="valid" time="0.02" steps="4"/></proof> </goal> <goal name="Sel.M.agg_sing" proved="true"> <proof prover="4"><result status="valid" time="0.05" steps="17493"/></proof> </goal> <goal name="Sel.M.agg_cat" proved="true"> <proof prover="5"><result status="valid" time="0.01" steps="4"/></proof> </goal> <goal name="Sel.balancing'refn'vc" expl="VC for balancing'refn" proved="true"> <proof prover="5"><result status="valid" time="0.01" steps="4"/></proof> </goal> <goal name="Sel.selection_empty" proved="true"> <proof prover="5"><result status="valid" time="0.02" steps="23"/></proof> </goal> <goal name="Sel.selected_part'refn'vc" expl="VC for selected_part'refn" proved="true"> <proof prover="5"><result status="valid" time="0.07" steps="289"/></proof> </goal> <goal name="t'vc" expl="VC for t" proved="true"> <proof prover="5"><result status="valid" time="0.01" steps="19"/></proof> </goal> <goal name="make_func'vc" expl="VC for make_func" proved="true"> <proof prover="5"><result status="valid" time="0.29" steps="992"/></proof> </goal> <goal name="correction'vc" expl="VC for correction" proved="true"> <proof prover="5"><result status="valid" time="0.03" steps="167"/></proof> </goal> <goal name="selected_model'vc" expl="VC for selected_model" proved="true"> <transf name="split_goal_right" proved="true" > <goal name="selected_model'vc.0" expl="postcondition" proved="true"> <transf name="split_goal_right" proved="true" > <goal name="selected_model'vc.0.0" expl="postcondition" proved="true"> <proof prover="5"><result status="valid" time="0.08" steps="280"/></proof> </goal> <goal name="selected_model'vc.0.1" expl="postcondition" proved="true"> <proof prover="5"><result status="valid" time="0.02" steps="71"/></proof> </goal> <goal name="selected_model'vc.0.2" expl="postcondition" proved="true"> <proof prover="5"><result status="valid" time="0.05" steps="156"/></proof> </goal> <goal name="selected_model'vc.0.3" expl="postcondition" proved="true"> <proof prover="5"><result status="valid" time="0.05" steps="54"/></proof> </goal> <goal name="selected_model'vc.0.4" expl="postcondition" proved="true"> <proof prover="5" timelimit="5"><result status="valid" time="3.40" steps="6054"/></proof> </goal> <goal name="selected_model'vc.0.5" expl="postcondition" proved="true"> <proof prover="5"><result status="valid" time="0.15" steps="336"/></proof> </goal> <goal name="selected_model'vc.0.6" expl="postcondition" proved="true"> <proof prover="5" timelimit="5"><result status="valid" time="3.34" steps="5983"/></proof> </goal> <goal name="selected_model'vc.0.7" expl="postcondition" proved="true"> <proof prover="5"><result status="valid" time="0.17" steps="294"/></proof> </goal> <goal name="selected_model'vc.0.8" expl="postcondition" proved="true"> <proof prover="5" timelimit="20"><result status="valid" time="9.03" steps="15210"/></proof> </goal> <goal name="selected_model'vc.0.9" expl="postcondition" proved="true"> <proof prover="5" timelimit="20"><result status="valid" time="5.90" steps="8946"/></proof> </goal> <goal name="selected_model'vc.0.10" expl="postcondition" proved="true"> <proof prover="5"><result status="valid" time="0.02" steps="34"/></proof> </goal> <goal name="selected_model'vc.0.11" expl="postcondition" proved="true"> <proof prover="5"><result status="valid" time="0.03" steps="58"/></proof> </goal> <goal name="selected_model'vc.0.12" expl="postcondition" proved="true"> <proof prover="5"><result status="valid" time="0.05" steps="191"/></proof> </goal> </transf> </goal> </transf> </goal> <goal name="selected_sorted'vc" expl="VC for selected_sorted" proved="true"> <transf name="split_goal_right" proved="true" > <goal name="selected_sorted'vc.0" expl="postcondition" proved="true"> <transf name="split_goal_right" proved="true" > <goal name="selected_sorted'vc.0.0" expl="VC for selected_sorted" proved="true"> <proof prover="5"><result status="valid" time="1.28" steps="1843"/></proof> </goal> <goal name="selected_sorted'vc.0.1" expl="VC for selected_sorted" proved="true"> <proof prover="5"><result status="valid" time="0.79" steps="1378"/></proof> </goal> <goal name="selected_sorted'vc.0.2" expl="VC for selected_sorted" proved="true"> <proof prover="5"><result status="valid" time="0.46" steps="779"/></proof> </goal> </transf> </goal> </transf> </goal> <goal name="empty'vc" expl="VC for empty" proved="true"> <proof prover="5"><result status="valid" time="0.02" steps="43"/></proof> </goal> <goal name="singleton'vc" expl="VC for singleton" proved="true"> <proof prover="5"><result status="valid" time="0.03" steps="124"/></proof> </goal> <goal name="is_empty'vc" expl="VC for is_empty" proved="true"> <proof prover="5"><result status="valid" time="0.04" steps="61"/></proof> </goal> <goal name="min'vc" expl="VC for min" proved="true"> <proof prover="5"><result status="valid" time="0.06" steps="219"/></proof> </goal> <goal name="max'vc" expl="VC for max" proved="true"> <proof prover="5"><result status="valid" time="0.05" steps="110"/></proof> </goal> <goal name="decompose_min'vc" expl="VC for decompose_min" proved="true"> <proof prover="5"><result status="valid" time="0.79" steps="1898"/></proof> </goal> <goal name="decompose_max'vc" expl="VC for decompose_max" proved="true"> <proof prover="5"><result status="valid" time="1.06" steps="2502"/></proof> </goal> <goal name="add_min'vc" expl="VC for add_min" proved="true"> <proof prover="5"><result status="valid" time="0.52" steps="1174"/></proof> </goal> <goal name="add_max'vc" expl="VC for add_max" proved="true"> <proof prover="5"><result status="valid" time="0.54" steps="1159"/></proof> </goal> <goal name="ordered_union'vc" expl="VC for ordered_union" proved="true"> <proof prover="5"><result status="valid" time="0.40" steps="775"/></proof> </goal> <goal name="get'vc" expl="VC for get" proved="true"> <proof prover="5"><result status="valid" time="0.07" steps="315"/></proof> </goal> <goal name="insert'vc" expl="VC for insert" proved="true"> <transf name="split_goal_right" proved="true" > <goal name="insert'vc.0" expl="precondition" proved="true"> <proof prover="5"><result status="valid" time="0.02" steps="22"/></proof> </goal> <goal name="insert'vc.1" expl="precondition" proved="true"> <proof prover="5"><result status="valid" time="0.06" steps="93"/></proof> </goal> <goal name="insert'vc.2" expl="precondition" proved="true"> <proof prover="5"><result status="valid" time="0.03" steps="10"/></proof> </goal> <goal name="insert'vc.3" expl="assertion" proved="true"> <proof prover="5"><result status="valid" time="0.03" steps="44"/></proof> </goal> <goal name="insert'vc.4" expl="precondition" proved="true"> <proof prover="4"><result status="valid" time="0.19" steps="50843"/></proof> </goal> <goal name="insert'vc.5" expl="precondition" proved="true"> <proof prover="5"><result status="valid" time="0.05" steps="59"/></proof> </goal> <goal name="insert'vc.6" expl="precondition" proved="true"> <proof prover="4"><result status="valid" time="0.18" steps="49863"/></proof> </goal> <goal name="insert'vc.7" expl="postcondition" proved="true"> <proof prover="5"><result status="valid" time="0.16" steps="583"/></proof> </goal> <goal name="insert'vc.8" expl="postcondition" proved="true"> <proof prover="5" timelimit="5"><result status="valid" time="0.10" steps="209"/></proof> </goal> <goal name="insert'vc.9" expl="postcondition" proved="true"> <proof prover="5"><result status="valid" time="0.05" steps="22"/></proof> </goal> <goal name="insert'vc.10" expl="postcondition" proved="true"> <transf name="split_goal_right" proved="true" > <goal name="insert'vc.10.0" expl="postcondition" proved="true"> <proof prover="5"><result status="valid" time="0.47" steps="1435"/></proof> </goal> <goal name="insert'vc.10.1" expl="postcondition" proved="true"> <proof prover="5"><result status="valid" time="0.52" steps="1740"/></proof> </goal> </transf> </goal> <goal name="insert'vc.11" expl="postcondition" proved="true"> <proof prover="5"><result status="valid" time="0.77" steps="2237"/></proof> </goal> </transf> </goal> <goal name="remove'vc" expl="VC for remove" proved="true"> <transf name="split_goal_right" proved="true" > <goal name="remove'vc.0" expl="precondition" proved="true"> <proof prover="5"><result status="valid" time="0.02" steps="22"/></proof> </goal> <goal name="remove'vc.1" expl="precondition" proved="true"> <proof prover="5" timelimit="5"><result status="valid" time="2.81" steps="2213"/></proof> </goal> <goal name="remove'vc.2" expl="postcondition" proved="true"> <proof prover="5"><result status="valid" time="0.22" steps="373"/></proof> </goal> <goal name="remove'vc.3" expl="postcondition" proved="true"> <proof prover="5" timelimit="5"><result status="valid" time="0.49" steps="790"/></proof> </goal> <goal name="remove'vc.4" expl="postcondition" proved="true"> <proof prover="5"><result status="valid" time="0.08" steps="14"/></proof> </goal> <goal name="remove'vc.5" expl="postcondition" proved="true"> <proof prover="5" timelimit="20"><result status="valid" time="5.68" steps="6667"/></proof> </goal> <goal name="remove'vc.6" expl="postcondition" proved="true"> <proof prover="5" timelimit="5"><result status="valid" time="4.66" steps="5622"/></proof> </goal> </transf> </goal> <goal name="split'vc" expl="VC for split" proved="true"> <transf name="split_goal_right" proved="true" > <goal name="split'vc.0" expl="precondition" proved="true"> <proof prover="5"><result status="valid" time="0.02" steps="22"/></proof> </goal> <goal name="split'vc.1" expl="precondition" proved="true"> <proof prover="5"><result status="valid" time="0.08" steps="148"/></proof> </goal> <goal name="split'vc.2" expl="precondition" proved="true"> <proof prover="5"><result status="valid" time="0.07" steps="160"/></proof> </goal> <goal name="split'vc.3" expl="postcondition" proved="true"> <transf name="split_goal_right" proved="true" > <goal name="split'vc.3.0" expl="VC for split" proved="true"> <proof prover="5"><result status="valid" time="0.06" steps="138"/></proof> </goal> <goal name="split'vc.3.1" expl="VC for split" proved="true"> <proof prover="5"><result status="valid" time="0.06" steps="133"/></proof> </goal> <goal name="split'vc.3.2" expl="VC for split" proved="true"> <proof prover="5" timelimit="5"><result status="valid" time="0.07" steps="141"/></proof> </goal> <goal name="split'vc.3.3" expl="VC for split" proved="true"> <proof prover="5"><result status="valid" time="0.12" steps="142"/></proof> </goal> <goal name="split'vc.3.4" expl="VC for split" proved="true"> <proof prover="5"><result status="valid" time="0.06" steps="138"/></proof> </goal> <goal name="split'vc.3.5" expl="VC for split" proved="true"> <proof prover="5" timelimit="5"><result status="valid" time="0.06" steps="133"/></proof> </goal> <goal name="split'vc.3.6" expl="VC for split" proved="true"> <proof prover="5" timelimit="5"><result status="valid" time="0.08" steps="141"/></proof> </goal> <goal name="split'vc.3.7" expl="VC for split" proved="true"> <proof prover="5"><result status="valid" time="0.03" steps="142"/></proof> </goal> <goal name="split'vc.3.8" expl="VC for split" proved="true"> <proof prover="5"><result status="valid" time="0.04" steps="157"/></proof> </goal> <goal name="split'vc.3.9" expl="VC for split" proved="true"> <proof prover="5"><result status="valid" time="0.04" steps="162"/></proof> </goal> <goal name="split'vc.3.10" expl="VC for split" proved="true"> <proof prover="5"><result status="valid" time="0.09" steps="168"/></proof> </goal> <goal name="split'vc.3.11" expl="VC for split" proved="true"> <proof prover="5"><result status="valid" time="0.04" steps="165"/></proof> </goal> <goal name="split'vc.3.12" expl="VC for split" proved="true"> <proof prover="5"><result status="valid" time="0.02" steps="22"/></proof> </goal> <goal name="split'vc.3.13" expl="VC for split" proved="true"> <proof prover="5"><result status="valid" time="0.08" steps="168"/></proof> </goal> <goal name="split'vc.3.14" expl="VC for split" proved="true"> <proof prover="5"><result status="valid" time="0.09" steps="189"/></proof> </goal> <goal name="split'vc.3.15" expl="VC for split" proved="true"> <proof prover="5"><result status="valid" time="0.07" steps="167"/></proof> </goal> <goal name="split'vc.3.16" expl="VC for split" proved="true"> <proof prover="5"><result status="valid" time="0.06" steps="169"/></proof> </goal> </transf> </goal> </transf> </goal> <goal name="view'vc" expl="VC for view" proved="true"> <transf name="split_goal_right" proved="true" > <goal name="view'vc.0" expl="precondition" proved="true"> <proof prover="5" timelimit="5"><result status="valid" time="1.25" steps="1375"/></proof> </goal> <goal name="view'vc.1" expl="precondition" proved="true"> <proof prover="5" timelimit="5"><result status="valid" time="0.55" steps="941"/></proof> </goal> <goal name="view'vc.2" expl="postcondition" proved="true"> <transf name="split_goal_right" proved="true" > <goal name="view'vc.2.0" expl="VC for view" proved="true"> <proof prover="5" timelimit="5"><result status="valid" time="0.03" steps="67"/></proof> </goal> <goal name="view'vc.2.1" expl="VC for view" proved="true"> <proof prover="5" timelimit="5"><result status="valid" time="0.05" steps="70"/></proof> </goal> <goal name="view'vc.2.2" expl="VC for view" proved="true"> <proof prover="5" timelimit="5"><result status="valid" time="0.06" steps="142"/></proof> </goal> <goal name="view'vc.2.3" expl="VC for view" proved="true"> <proof prover="5" timelimit="5"><result status="valid" time="0.04" steps="62"/></proof> </goal> <goal name="view'vc.2.4" expl="VC for view" proved="true"> <proof prover="5" timelimit="5"><result status="valid" time="0.82" steps="1210"/></proof> </goal> <goal name="view'vc.2.5" expl="VC for view" proved="true"> <proof prover="5" timelimit="5"><result status="valid" time="1.58" steps="1865"/></proof> </goal> <goal name="view'vc.2.6" expl="VC for view" proved="true"> <proof prover="5" timelimit="5"><result status="valid" time="1.26" steps="1941"/></proof> </goal> <goal name="view'vc.2.7" expl="VC for view" proved="true"> <proof prover="5" timelimit="5"><result status="valid" time="0.50" steps="968"/></proof> </goal> <goal name="view'vc.2.8" expl="VC for view" proved="true"> <proof prover="5" timelimit="5"><result status="valid" time="1.12" steps="1781"/></proof> </goal> <goal name="view'vc.2.9" expl="VC for view" proved="true"> <proof prover="5" timelimit="5"><result status="valid" time="1.84" steps="2458"/></proof> </goal> <goal name="view'vc.2.10" expl="VC for view" proved="true"> <proof prover="5" timelimit="5"><result status="valid" time="2.52" steps="3553"/></proof> </goal> <goal name="view'vc.2.11" expl="VC for view" proved="true"> <proof prover="5" timelimit="5"><result status="valid" time="1.06" steps="1826"/></proof> </goal> <goal name="view'vc.2.12" expl="VC for view" proved="true"> <proof prover="5" timelimit="5"><result status="valid" time="0.49" steps="623"/></proof> </goal> <goal name="view'vc.2.13" expl="VC for view" proved="true"> <proof prover="5" timelimit="5"><result status="valid" time="1.20" steps="1874"/></proof> </goal> <goal name="view'vc.2.14" expl="VC for view" proved="true"> <proof prover="5" timelimit="5"><result status="valid" time="1.66" steps="1283"/></proof> </goal> <goal name="view'vc.2.15" expl="VC for view" proved="true"> <proof prover="5" timelimit="5"><result status="valid" time="2.23" steps="2196"/></proof> </goal> </transf> </goal> </transf> </goal> <goal name="join'vc" expl="VC for join" proved="true"> <transf name="split_goal_right" proved="true" > <goal name="join'vc.0" expl="assertion" proved="true"> <proof prover="5"><result status="valid" time="0.29" steps="569"/></proof> </goal> <goal name="join'vc.1" expl="precondition" proved="true"> <proof prover="5" timelimit="5"><result status="valid" time="2.11" steps="3052"/></proof> </goal> <goal name="join'vc.2" expl="postcondition" proved="true"> <proof prover="5"><result status="valid" time="0.80" steps="880"/></proof> </goal> <goal name="join'vc.3" expl="postcondition" proved="true"> <proof prover="5"><result status="valid" time="1.05" steps="963"/></proof> </goal> <goal name="join'vc.4" expl="postcondition" proved="true"> <proof prover="5"><result status="valid" time="0.89" steps="1073"/></proof> </goal> <goal name="join'vc.5" expl="postcondition" proved="true"> <proof prover="5"><result status="valid" time="0.90" steps="929"/></proof> </goal> <goal name="join'vc.6" expl="postcondition" proved="true"> <proof prover="5"><result status="valid" time="0.68" steps="772"/></proof> </goal> <goal name="join'vc.7" expl="postcondition" proved="true"> <proof prover="5"><result status="valid" time="0.04" steps="52"/></proof> </goal> </transf> </goal> <goal name="add_all'vc" expl="VC for add_all" proved="true"> <transf name="split_goal_right" proved="true" > <goal name="add_all'vc.0" expl="variant decrease" proved="true"> <proof prover="5"><result status="valid" time="0.12" steps="204"/></proof> </goal> <goal name="add_all'vc.1" expl="variant decrease" proved="true"> <proof prover="5"><result status="valid" time="0.10" steps="142"/></proof> </goal> <goal name="add_all'vc.2" expl="precondition" proved="true"> <proof prover="5"><result status="valid" time="0.40" steps="1246"/></proof> </goal> <goal name="add_all'vc.3" expl="precondition" proved="true"> <proof prover="5"><result status="valid" time="0.34" steps="1124"/></proof> </goal> <goal name="add_all'vc.4" expl="variant decrease" proved="true"> <proof prover="5"><result status="valid" time="0.13" steps="138"/></proof> </goal> <goal name="add_all'vc.5" expl="variant decrease" proved="true"> <proof prover="5"><result status="valid" time="0.16" steps="212"/></proof> </goal> <goal name="add_all'vc.6" expl="precondition" proved="true"> <proof prover="5" timelimit="5"><result status="valid" time="0.08" steps="247"/></proof> </goal> <goal name="add_all'vc.7" expl="precondition" proved="true"> <proof prover="5"><result status="valid" time="0.15" steps="250"/></proof> </goal> <goal name="add_all'vc.8" expl="postcondition" proved="true"> <transf name="split_goal_right" proved="true" > <goal name="add_all'vc.8.0" expl="postcondition" proved="true"> <transf name="split_goal_right" proved="true" > <goal name="add_all'vc.8.0.0" expl="postcondition" proved="true"> <proof prover="5" timelimit="5"><result status="valid" time="0.02" steps="7"/></proof> </goal> <goal name="add_all'vc.8.0.1" expl="postcondition" proved="true"> <proof prover="5" timelimit="5"><result status="valid" time="1.95" steps="5537"/></proof> </goal> </transf> </goal> <goal name="add_all'vc.8.1" expl="postcondition" proved="true"> <transf name="split_goal_right" proved="true" > <goal name="add_all'vc.8.1.0" expl="postcondition" proved="true"> <proof prover="5" timelimit="5"><result status="valid" time="0.03" steps="28"/></proof> </goal> <goal name="add_all'vc.8.1.1" expl="postcondition" proved="true"> <transf name="split_goal_right" proved="true" > <goal name="add_all'vc.8.1.1.0" expl="postcondition" proved="true"> <proof prover="5" timelimit="5"><result status="valid" time="0.04" steps="46"/></proof> </goal> <goal name="add_all'vc.8.1.1.1" expl="postcondition" proved="true"> <proof prover="5" timelimit="5"><result status="valid" time="2.16" steps="6272"/></proof> </goal> <goal name="add_all'vc.8.1.1.2" expl="postcondition" proved="true"> <transf name="split_goal_right" proved="true" > <goal name="add_all'vc.8.1.1.2.0" expl="postcondition" proved="true"> <proof prover="5" timelimit="5"><result status="valid" time="0.15" steps="599"/></proof> </goal> </transf> </goal> </transf> </goal> </transf> </goal> </transf> </goal> <goal name="add_all'vc.9" expl="postcondition" proved="true"> <transf name="split_goal_right" proved="true" > <goal name="add_all'vc.9.0" expl="postcondition" proved="true"> <proof prover="5"><result status="valid" time="0.05" steps="28"/></proof> </goal> <goal name="add_all'vc.9.1" expl="postcondition" proved="true"> <transf name="split_goal_right" proved="true" > <goal name="add_all'vc.9.1.0" expl="postcondition" proved="true"> <proof prover="5" timelimit="5"><result status="valid" time="0.03" steps="8"/></proof> </goal> <goal name="add_all'vc.9.1.1" expl="postcondition" proved="true"> <proof prover="5" timelimit="5"><result status="valid" time="1.34" steps="4274"/></proof> </goal> <goal name="add_all'vc.9.1.2" expl="postcondition" proved="true"> <proof prover="0"><result status="valid" time="0.22" steps="52182"/></proof> </goal> </transf> </goal> </transf> </goal> <goal name="add_all'vc.10" expl="postcondition" proved="true"> <proof prover="5" timelimit="5"><result status="valid" time="4.31" steps="12254"/></proof> </goal> <goal name="add_all'vc.11" expl="postcondition" proved="true"> <proof prover="5"><result status="valid" time="0.15" steps="271"/></proof> </goal> <goal name="add_all'vc.12" expl="postcondition" proved="true"> <proof prover="5"><result status="valid" time="0.28" steps="416"/></proof> </goal> </transf> </goal> <goal name="filter'vc" expl="VC for filter" proved="true"> <transf name="split_goal_right" proved="true" > <goal name="filter'vc.0" expl="variant decrease" proved="true"> <proof prover="5"><result status="valid" time="0.09" steps="159"/></proof> </goal> <goal name="filter'vc.1" expl="variant decrease" proved="true"> <proof prover="5"><result status="valid" time="0.10" steps="143"/></proof> </goal> <goal name="filter'vc.2" expl="precondition" proved="true"> <proof prover="5" timelimit="5"><result status="valid" time="0.23" steps="716"/></proof> </goal> <goal name="filter'vc.3" expl="precondition" proved="true"> <proof prover="5"><result status="valid" time="0.20" steps="822"/></proof> </goal> <goal name="filter'vc.4" expl="precondition" proved="true"> <proof prover="5"><result status="valid" time="0.20" steps="662"/></proof> </goal> <goal name="filter'vc.5" expl="variant decrease" proved="true"> <proof prover="5"><result status="valid" time="0.10" steps="159"/></proof> </goal> <goal name="filter'vc.6" expl="variant decrease" proved="true"> <proof prover="5"><result status="valid" time="0.12" steps="214"/></proof> </goal> <goal name="filter'vc.7" expl="precondition" proved="true"> <proof prover="5"><result status="valid" time="0.20" steps="709"/></proof> </goal> <goal name="filter'vc.8" expl="precondition" proved="true"> <proof prover="5"><result status="valid" time="0.02" steps="17"/></proof> </goal> <goal name="filter'vc.9" expl="precondition" proved="true"> <proof prover="5"><result status="valid" time="0.04" steps="17"/></proof> </goal> <goal name="filter'vc.10" expl="postcondition" proved="true"> <transf name="split_goal_right" proved="true" > <goal name="filter'vc.10.0" expl="postcondition" proved="true"> <proof prover="5" timelimit="5"><result status="valid" time="3.44" steps="9863"/></proof> </goal> <goal name="filter'vc.10.1" expl="postcondition" proved="true"> <proof prover="5" timelimit="5"><result status="valid" time="3.17" steps="9471"/></proof> </goal> <goal name="filter'vc.10.2" expl="postcondition" proved="true"> <proof prover="5" timelimit="5"><result status="valid" time="4.02" steps="13490"/></proof> </goal> </transf> </goal> <goal name="filter'vc.11" expl="postcondition" proved="true"> <transf name="split_goal_right" proved="true" > <goal name="filter'vc.11.0" expl="postcondition" proved="true"> <proof prover="5"><result status="valid" time="0.02" steps="7"/></proof> </goal> <goal name="filter'vc.11.1" expl="postcondition" proved="true"> <transf name="split_goal_right" proved="true" > <goal name="filter'vc.11.1.0" expl="postcondition" proved="true"> <proof prover="5" timelimit="5"><result status="valid" time="0.03" steps="9"/></proof> </goal> <goal name="filter'vc.11.1.1" expl="postcondition" proved="true"> <transf name="split_goal_right" proved="true" > <goal name="filter'vc.11.1.1.0" expl="postcondition" proved="true"> <proof prover="5" timelimit="5"><result status="valid" time="0.59" steps="2117"/></proof> </goal> <goal name="filter'vc.11.1.1.1" expl="postcondition" proved="true"> <proof prover="5" timelimit="5"><result status="valid" time="0.71" steps="2575"/></proof> </goal> </transf> </goal> <goal name="filter'vc.11.1.2" expl="postcondition" proved="true"> <proof prover="5" timelimit="5"><result status="valid" time="1.09" steps="3825"/></proof> </goal> </transf> </goal> </transf> </goal> <goal name="filter'vc.12" expl="postcondition" proved="true"> <proof prover="5"><result status="valid" time="0.35" steps="899"/></proof> </goal> </transf> </goal> <goal name="remove_all'vc" expl="VC for remove_all" proved="true"> <transf name="split_goal_right" proved="true" > <goal name="remove_all'vc.0" expl="variant decrease" proved="true"> <proof prover="5"><result status="valid" time="0.09" steps="159"/></proof> </goal> <goal name="remove_all'vc.1" expl="variant decrease" proved="true"> <proof prover="5"><result status="valid" time="0.11" steps="138"/></proof> </goal> <goal name="remove_all'vc.2" expl="precondition" proved="true"> <proof prover="5"><result status="valid" time="0.19" steps="630"/></proof> </goal> <goal name="remove_all'vc.3" expl="variant decrease" proved="true"> <proof prover="5"><result status="valid" time="0.13" steps="159"/></proof> </goal> <goal name="remove_all'vc.4" expl="variant decrease" proved="true"> <proof prover="5"><result status="valid" time="0.15" steps="213"/></proof> </goal> <goal name="remove_all'vc.5" expl="precondition" proved="true"> <proof prover="5"><result status="valid" time="0.07" steps="201"/></proof> </goal> <goal name="remove_all'vc.6" expl="precondition" proved="true"> <proof prover="5"><result status="valid" time="0.15" steps="250"/></proof> </goal> <goal name="remove_all'vc.7" expl="precondition" proved="true"> <proof prover="5"><result status="valid" time="0.15" steps="649"/></proof> </goal> <goal name="remove_all'vc.8" expl="postcondition" proved="true"> <transf name="split_goal_right" proved="true" > <goal name="remove_all'vc.8.0" expl="postcondition" proved="true"> <proof prover="5" timelimit="5"><result status="valid" time="1.81" steps="5732"/></proof> </goal> <goal name="remove_all'vc.8.1" expl="postcondition" proved="true"> <proof prover="5" timelimit="5"><result status="valid" time="3.49" steps="8704"/></proof> </goal> <goal name="remove_all'vc.8.2" expl="postcondition" proved="true"> <proof prover="5" timelimit="5"><result status="valid" time="1.98" steps="6607"/></proof> </goal> </transf> </goal> <goal name="remove_all'vc.9" expl="postcondition" proved="true"> <proof prover="5" timelimit="5"><result status="valid" time="3.48" steps="9639"/></proof> </goal> <goal name="remove_all'vc.10" expl="postcondition" proved="true"> <proof prover="5"><result status="valid" time="0.12" steps="379"/></proof> </goal> </transf> </goal> <goal name="symdiff'vc" expl="VC for symdiff" proved="true"> <transf name="split_goal_right" proved="true" > <goal name="symdiff'vc.0" expl="variant decrease" proved="true"> <proof prover="5"><result status="valid" time="0.10" steps="204"/></proof> </goal> <goal name="symdiff'vc.1" expl="variant decrease" proved="true"> <proof prover="5"><result status="valid" time="0.09" steps="140"/></proof> </goal> <goal name="symdiff'vc.2" expl="precondition" proved="true"> <proof prover="5" timelimit="5"><result status="valid" time="0.08" steps="244"/></proof> </goal> <goal name="symdiff'vc.3" expl="precondition" proved="true"> <proof prover="5"><result status="valid" time="0.14" steps="242"/></proof> </goal> <goal name="symdiff'vc.4" expl="precondition" proved="true"> <proof prover="5"><result status="valid" time="0.60" steps="1588"/></proof> </goal> <goal name="symdiff'vc.5" expl="variant decrease" proved="true"> <proof prover="5"><result status="valid" time="0.13" steps="138"/></proof> </goal> <goal name="symdiff'vc.6" expl="variant decrease" proved="true"> <proof prover="5"><result status="valid" time="0.15" steps="210"/></proof> </goal> <goal name="symdiff'vc.7" expl="precondition" proved="true"> <proof prover="5" timelimit="5"><result status="valid" time="0.10" steps="382"/></proof> </goal> <goal name="symdiff'vc.8" expl="precondition" proved="true"> <proof prover="5"><result status="valid" time="0.11" steps="382"/></proof> </goal> <goal name="symdiff'vc.9" expl="precondition" proved="true"> <proof prover="5"><result status="valid" time="0.52" steps="1404"/></proof> </goal> <goal name="symdiff'vc.10" expl="postcondition" proved="true"> <transf name="split_goal_right" proved="true" > <goal name="symdiff'vc.10.0" expl="postcondition" proved="true"> <transf name="split_goal_right" proved="true" > <goal name="symdiff'vc.10.0.0" expl="postcondition" proved="true"> <proof prover="5"><result status="valid" time="0.03" steps="35"/></proof> </goal> <goal name="symdiff'vc.10.0.1" expl="postcondition" proved="true"> <transf name="split_goal_right" proved="true" > <goal name="symdiff'vc.10.0.1.0" expl="postcondition" proved="true"> <proof prover="5" timelimit="5"><result status="valid" time="0.05" steps="45"/></proof> </goal> <goal name="symdiff'vc.10.0.1.1" expl="postcondition" proved="true"> <transf name="split_goal_right" proved="true" > <goal name="symdiff'vc.10.0.1.1.0" expl="postcondition" proved="true"> <proof prover="5" timelimit="5"><result status="valid" time="0.20" steps="661"/></proof> </goal> <goal name="symdiff'vc.10.0.1.1.1" expl="postcondition" proved="true"> <proof prover="5" timelimit="5"><result status="valid" time="1.06" steps="3048"/></proof> </goal> </transf> </goal> <goal name="symdiff'vc.10.0.1.2" expl="postcondition" proved="true"> <proof prover="5" timelimit="5"><result status="valid" time="1.54" steps="4890"/></proof> </goal> </transf> </goal> </transf> </goal> <goal name="symdiff'vc.10.1" expl="postcondition" proved="true"> <transf name="split_goal_right" proved="true" > <goal name="symdiff'vc.10.1.0" expl="postcondition" proved="true"> <proof prover="5"><result status="valid" time="0.03" steps="7"/></proof> </goal> <goal name="symdiff'vc.10.1.1" expl="postcondition" proved="true"> <transf name="split_goal_right" proved="true" > <goal name="symdiff'vc.10.1.1.0" expl="postcondition" proved="true"> <proof prover="5" timelimit="5"><result status="valid" time="0.03" steps="8"/></proof> </goal> <goal name="symdiff'vc.10.1.1.1" expl="postcondition" proved="true"> <transf name="split_goal_right" proved="true" > <goal name="symdiff'vc.10.1.1.1.0" expl="postcondition" proved="true"> <proof prover="5" timelimit="5"><result status="valid" time="0.17" steps="513"/></proof> </goal> <goal name="symdiff'vc.10.1.1.1.1" expl="postcondition" proved="true"> <proof prover="5" timelimit="5"><result status="valid" time="0.82" steps="2012"/></proof> </goal> </transf> </goal> <goal name="symdiff'vc.10.1.1.2" expl="postcondition" proved="true"> <proof prover="5" timelimit="5"><result status="valid" time="0.76" steps="2359"/></proof> </goal> </transf> </goal> </transf> </goal> <goal name="symdiff'vc.10.2" expl="postcondition" proved="true"> <proof prover="5" timelimit="5"><result status="valid" time="3.77" steps="14954"/></proof> </goal> </transf> </goal> <goal name="symdiff'vc.11" expl="postcondition" proved="true"> <transf name="split_goal_right" proved="true" > <goal name="symdiff'vc.11.0" expl="postcondition" proved="true"> <proof prover="5"><result status="valid" time="0.03" steps="21"/></proof> </goal> <goal name="symdiff'vc.11.1" expl="postcondition" proved="true"> <transf name="split_goal_right" proved="true" > <goal name="symdiff'vc.11.1.0" expl="postcondition" proved="true"> <proof prover="5" timelimit="5"><result status="valid" time="0.04" steps="9"/></proof> </goal> <goal name="symdiff'vc.11.1.1" expl="postcondition" proved="true"> <transf name="split_goal_right" proved="true" > <goal name="symdiff'vc.11.1.1.0" expl="postcondition" proved="true"> <proof prover="5" timelimit="5"><result status="valid" time="0.27" steps="937"/></proof> </goal> <goal name="symdiff'vc.11.1.1.1" expl="postcondition" proved="true"> <proof prover="5" timelimit="5"><result status="valid" time="1.15" steps="3532"/></proof> </goal> </transf> </goal> <goal name="symdiff'vc.11.1.2" expl="postcondition" proved="true"> <proof prover="5" timelimit="5"><result status="valid" time="1.37" steps="4867"/></proof> </goal> </transf> </goal> </transf> </goal> <goal name="symdiff'vc.12" expl="postcondition" proved="true"> <proof prover="4" timelimit="1"><result status="valid" time="0.64" steps="114186"/></proof> </goal> <goal name="symdiff'vc.13" expl="postcondition" proved="true"> <proof prover="5"><result status="valid" time="0.26" steps="601"/></proof> </goal> </transf> </goal> </theory> <theory name="Map" proved="true"> <goal name="balancing'vc" expl="VC for balancing" proved="true"> <proof prover="1"><result status="valid" time="0.00" steps="4"/></proof> </goal> <goal name="MB.balancing'refn'vc" expl="VC for balancing'refn" proved="true"> <proof prover="5"><result status="valid" time="0.01" steps="4"/></proof> </goal> <goal name="MB.CO.Refl" proved="true"> <proof prover="5"><result status="valid" time="0.01" steps="5"/></proof> </goal> <goal name="MB.CO.Trans" proved="true"> <proof prover="5"><result status="valid" time="0.01" steps="19"/></proof> </goal> <goal name="MB.CO.eq_def" proved="true"> <proof prover="5"><result status="valid" time="0.01" steps="7"/></proof> </goal> <goal name="MB.CO.lt_def" proved="true"> <proof prover="5"><result status="valid" time="0.01" steps="7"/></proof> </goal> <goal name="MB.CO.Total" proved="true"> <proof prover="5"><result status="valid" time="0.01" steps="10"/></proof> </goal> <goal name="MB.CO.compare'refn'vc" expl="VC for compare'refn" proved="true"> <proof prover="5"><result status="valid" time="0.01" steps="4"/></proof> </goal> <goal name="correction'vc" expl="VC for correction" proved="true"> <transf name="split_goal_right" proved="true" > <goal name="correction'vc.0" expl="postcondition" proved="true"> <proof prover="5"><result status="valid" time="0.03" steps="25"/></proof> </goal> <goal name="correction'vc.1" expl="postcondition" proved="true"> <proof prover="4"><result status="valid" time="0.09" steps="27585"/></proof> </goal> </transf> </goal> <goal name="empty'vc" expl="VC for empty" proved="true"> <proof prover="5"><result status="valid" time="0.03" steps="7"/></proof> </goal> <goal name="singleton'vc" expl="VC for singleton" proved="true"> <proof prover="5"><result status="valid" time="0.04" steps="45"/></proof> </goal> <goal name="is_empty'vc" expl="VC for is_empty" proved="true"> <proof prover="5"><result status="valid" time="0.02" steps="16"/></proof> </goal> <goal name="min_binding'vc" expl="VC for min_binding" proved="true"> <proof prover="5"><result status="valid" time="0.03" steps="51"/></proof> </goal> <goal name="max_binding'vc" expl="VC for max_binding" proved="true"> <proof prover="5"><result status="valid" time="0.04" steps="51"/></proof> </goal> <goal name="decompose_min'vc" expl="VC for decompose_min" proved="true"> <proof prover="5"><result status="valid" time="0.39" steps="660"/></proof> </goal> <goal name="decompose_max'vc" expl="VC for decompose_max" proved="true"> <proof prover="5"><result status="valid" time="0.40" steps="643"/></proof> </goal> <goal name="add_min_binding'vc" expl="VC for add_min_binding" proved="true"> <proof prover="5"><result status="valid" time="0.17" steps="341"/></proof> </goal> <goal name="add_max_binding'vc" expl="VC for add_max_binding" proved="true"> <proof prover="5"><result status="valid" time="0.18" steps="343"/></proof> </goal> <goal name="ordered_join'vc" expl="VC for ordered_join" proved="true"> <proof prover="5"><result status="valid" time="0.11" steps="329"/></proof> </goal> <goal name="get'vc" expl="VC for get" proved="true"> <proof prover="5"><result status="valid" time="0.03" steps="108"/></proof> </goal> <goal name="insert'vc" expl="VC for insert" proved="true"> <proof prover="5"><result status="valid" time="0.38" steps="775"/></proof> </goal> <goal name="remove'vc" expl="VC for remove" proved="true"> <proof prover="5"><result status="valid" time="0.20" steps="378"/></proof> </goal> <goal name="split'vc" expl="VC for split" proved="true"> <proof prover="5"><result status="valid" time="0.53" steps="1070"/></proof> </goal> </theory> <theory name="Set" proved="true"> <goal name="balancing'vc" expl="VC for balancing" proved="true"> <proof prover="1"><result status="valid" time="0.01" steps="4"/></proof> </goal> <goal name="MB.balancing'refn'vc" expl="VC for balancing'refn" proved="true"> <proof prover="5"><result status="valid" time="0.00" steps="4"/></proof> </goal> <goal name="MB.CO.Refl" proved="true"> <proof prover="5"><result status="valid" time="0.01" steps="5"/></proof> </goal> <goal name="MB.CO.Trans" proved="true"> <proof prover="5"><result status="valid" time="0.01" steps="19"/></proof> </goal> <goal name="MB.CO.eq_def" proved="true"> <proof prover="5"><result status="valid" time="0.01" steps="7"/></proof> </goal> <goal name="MB.CO.lt_def" proved="true"> <proof prover="5"><result status="valid" time="0.01" steps="7"/></proof> </goal> <goal name="MB.CO.Total" proved="true"> <proof prover="5"><result status="valid" time="0.01" steps="10"/></proof> </goal> <goal name="MB.CO.compare'refn'vc" expl="VC for compare'refn" proved="true"> <proof prover="5"><result status="valid" time="0.01" steps="4"/></proof> </goal> <goal name="correction'vc" expl="VC for correction" proved="true"> <proof prover="5"><result status="valid" time="0.02" steps="29"/></proof> </goal> <goal name="empty'vc" expl="VC for empty" proved="true"> <proof prover="5"><result status="valid" time="0.01" steps="6"/></proof> </goal> <goal name="singleton'vc" expl="VC for singleton" proved="true"> <proof prover="5"><result status="valid" time="0.03" steps="17"/></proof> </goal> <goal name="is_empty'vc" expl="VC for is_empty" proved="true"> <proof prover="5"><result status="valid" time="0.02" steps="4"/></proof> </goal> <goal name="min_elt'vc" expl="VC for min_elt" proved="true"> <proof prover="5"><result status="valid" time="0.03" steps="9"/></proof> </goal> <goal name="max_elt'vc" expl="VC for max_elt" proved="true"> <proof prover="5"><result status="valid" time="0.02" steps="9"/></proof> </goal> <goal name="decompose_min'vc" expl="VC for decompose_min" proved="true"> <proof prover="5"><result status="valid" time="0.10" steps="339"/></proof> </goal> <goal name="decompose_max'vc" expl="VC for decompose_max" proved="true"> <proof prover="5"><result status="valid" time="0.08" steps="316"/></proof> </goal> <goal name="add_min_elt'vc" expl="VC for add_min_elt" proved="true"> <proof prover="5"><result status="valid" time="0.03" steps="26"/></proof> </goal> <goal name="add_max_elt'vc" expl="VC for add_max_elt" proved="true"> <proof prover="5"><result status="valid" time="0.03" steps="26"/></proof> </goal> <goal name="ordered_union'vc" expl="VC for ordered_union" proved="true"> <proof prover="5"><result status="valid" time="0.02" steps="25"/></proof> </goal> <goal name="mem'vc" expl="VC for mem" proved="true"> <proof prover="5"><result status="valid" time="0.03" steps="98"/></proof> </goal> <goal name="add'vc" expl="VC for add" proved="true"> <proof prover="5"><result status="valid" time="0.02" steps="40"/></proof> </goal> <goal name="remove'vc" expl="VC for remove" proved="true"> <proof prover="5"><result status="valid" time="0.03" steps="30"/></proof> </goal> <goal name="split'vc" expl="VC for split" proved="true"> <proof prover="5"><result status="valid" time="0.11" steps="485"/></proof> </goal> <goal name="union'vc" expl="VC for union" proved="true"> <proof prover="5"><result status="valid" time="0.02" steps="10"/></proof> </goal> <goal name="inter'vc" expl="VC for inter" proved="true"> <proof prover="5"><result status="valid" time="0.03" steps="8"/></proof> </goal> <goal name="diff'vc" expl="VC for diff" proved="true"> <proof prover="5"><result status="valid" time="0.02" steps="9"/></proof> </goal> <goal name="symdiff'vc" expl="VC for symdiff" proved="true"> <proof prover="5"><result status="valid" time="0.03" steps="8"/></proof> </goal> </theory> <theory name="IMapAndSet" proved="true"> <goal name="balancing'vc" expl="VC for balancing" proved="true"> <proof prover="1"><result status="valid" time="0.00" steps="4"/></proof> </goal> <goal name="compare'vc" expl="VC for compare" proved="true"> <proof prover="5"><result status="valid" time="0.01" steps="4"/></proof> </goal> <goal name="M.balancing'refn'vc" expl="VC for balancing'refn" proved="true"> <proof prover="5"><result status="valid" time="0.00" steps="4"/></proof> </goal> <goal name="M.CO.Refl" proved="true"> <proof prover="5"><result status="valid" time="0.01" steps="4"/></proof> </goal> <goal name="M.CO.Trans" proved="true"> <proof prover="5"><result status="valid" time="0.00" steps="6"/></proof> </goal> <goal name="M.CO.eq_def" proved="true"> <proof prover="5"><result status="valid" time="0.00" steps="5"/></proof> </goal> <goal name="M.CO.lt_def" proved="true"> <proof prover="5"><result status="valid" time="0.00" steps="5"/></proof> </goal> <goal name="M.CO.Total" proved="true"> <proof prover="5"><result status="valid" time="0.00" steps="4"/></proof> </goal> <goal name="M.CO.compare'refn'vc" expl="VC for compare'refn" proved="true"> <proof prover="5"><result status="valid" time="0.00" steps="5"/></proof> </goal> <goal name="S.balancing'refn'vc" expl="VC for balancing'refn" proved="true"> <proof prover="5"><result status="valid" time="0.02" steps="4"/></proof> </goal> <goal name="S.CO.Refl" proved="true"> <proof prover="5"><result status="valid" time="0.02" steps="4"/></proof> </goal> <goal name="S.CO.Trans" proved="true"> <proof prover="5"><result status="valid" time="0.02" steps="6"/></proof> </goal> <goal name="S.CO.eq_def" proved="true"> <proof prover="5"><result status="valid" time="0.02" steps="5"/></proof> </goal> <goal name="S.CO.lt_def" proved="true"> <proof prover="5"><result status="valid" time="0.02" steps="5"/></proof> </goal> <goal name="S.CO.Total" proved="true"> <proof prover="5"><result status="valid" time="0.03" steps="4"/></proof> </goal> <goal name="S.CO.compare'refn'vc" expl="VC for compare'refn" proved="true"> <proof prover="5"><result status="valid" time="0.01" steps="5"/></proof> </goal> </theory> </file> </why3session> �������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������why3-1.6.0/examples/avl/tables/why3shapes.gz��������������������������������������������������������0000664�0000000�0000000�00000064502�14401600263�0020725�0����������������������������������������������������������������������������������������������������ustar�00root����������������������������root����������������������������0000000�0000000������������������������������������������������������������������������������������������������������������������������������������������������������������������������������Y7._}8 ۸ ÉL !Ո{4XRuCPZrE$Ŏ` rk?^gOk߯@:rçmy=>jyռurxAey78ȏ޾zwA'?6o_x @=^P2]-R~,<e[{:Pq_ 6w5]dP{c15?o>Mp ?~4vO~+υ[NyʽS+Kf|]O7 8*4gTbnWX.:[ߠX_MNWPi|;Vq Xs/F8`ֿ:nsj1?b~ٿ:_]£ۛu;¿"BSkk~E+G] $~ vMğnQ[QP\=4~7[=?ϟ[ a.Bw`>v�~أ!ۧ㥧t=>ǧxX΍܇O߹Oqӑy5n >߻M 0j7?M2P)̔TfR*ٌ:ٙ$T& "IAe<$Lґ$ͩLҗo'ZӫB C۝v:>!eɽBH|ro=8osKf'|A>J7qمlA\$.$.IRZ~5REs?D\l".V;.@<;e픵e}Nr/KrΓ%]+-L]s ȔC_ovz! CWT[⦊4<MH s[kW~�6yE.6aY؄eiMXN6aلMX.6alۄeiW؄dMX6a6axGo9pSmX7ƺ/ %cX"c,Xba,KWdX RcTXᄛ72)ǟ)hxWMsfJ~K*U_rSH|4*?t *?,? Gص]B"`~i~z;: YCǥRS -j9\OW~s;Er b ּyA'a9FPW_~?Ccx?Ec%h h &,~l-Ccp]Ex3Bc 9 &$zz4~@D"E9 x/z4jMd@V&#BW<_4B)dRix j6r\Nh@v#N _*X8r}YuSȥyN\26Q1&56ãC2+\q*\oǟQ 5@Z$, XP('.5󫊍*Vr ? %(-C [̋aaNAAbH1߅J&A?b[Ǡ ?FcnoaXt y|[52wگ;G"]$S4>E"n/Z]oQ�Ĉ3 v$< s-?/^I)(/gE$E>ZߋASWoap KqTؚw}Xya4zïtjTz8 05nV}I%O۶֞u[w%C*/j"h1Չppn,ڋ͆c&2Z':C6rlkܳfdV3+͟XBAmFeDzb=)q̸m6<S?+k8~g9wP1PvA\Q/-V\u|~ivs ; mhjz9RD}Dx<հ6|(OZCaxٯ5ZeOx^}o^郲N1%J!YykPy`t*J{rQo%3zl:j74uj?3UY zc0Ud_RWЫiooӇؕDhX>Iu@ZR8(^zy,|R/o31 4`謶omOsОn~:h#fA)Vϻx.\݋R<+X!jHQd|El$'SC3Ӆ</wͳ&l^/R^^3� 6kwh~".A(S>nʫ3m XNM^Mz.Tz9gSe)Zny0g"Lilnf5`Ye d|%OP\.kԭ)QTxj7Z=Udʾ<Sl;W佫h].^.i :vRڝ+3e# :˞GP 2.6~~jϤ]ݔ=D3D'Fa' F5u҅Ȱ'7%{9aTDjJ.�4]fPugd& ,g B?�VE H;'t /:{LgWieQ5gwB*C8Ugw,4T}v_<Bٕa)V2|oD{A&pYғ OzR|Z3MDpT@LÃ?i=Sh#̕\ kVy\ç}rq5j} ៕+dA`1�9gnRFw Z/bAX"t9"^�\Ye&,qOn n,ʭYzk&`)&z =?6z $QȒ y H ;^Ai<v޸-7j!*I#d>x7枏33'ߩ"^ʯݡ%i5dfw_fQKS:6-kih3*> -8$Ǽ0R·ݱ`d;$t4x^Ljy KēdA719eհ g'b¼ 8'eE3r Y 8Ce%d^pk9qYUWϝSvN9(Ӆ[!tW+J OtF}3y54)a M&;35BPb9CJ)!i=p9a \F3KT$M}p 7k)%| 5p$Ho/M?*_;̒L(WPK%jxdg☥obQCd5ML1g'H@#@Megj$ 5rZ,Z� xߛWuUy34<R$ BI(_K zTE`=r$@f5Yw#^0&wqFX6_ C  cޕ CF, 0Q1`1Dgbf 1� 6VdOE끑iQFQE]#|M`ai\0"2#rYÈaD0q@!a#. �]#9�Lbac6.*ΌoJDxDx"A$�`R.rQٻ*ui3Ą֐3 DL"vOj#M #"#)별R7#+:g,Tx,YyUˆ^`DaČsk a.ju^�v� � %�v�wDO*-[nXc _c KDKD%$f]`3$"*f,3K&0/E:R\ m h"祖}=h"�O *uXVDuCj)O!5"`*C 54 Vl�Ep,ߺnm_Q@$3S39%& ޯ[ϼ=Xϫpք;䩠ٙ.@ %&F>G1P#Vopʭ\Gj(w>\mj7^0*~:l\fMJ,YT,KgQGYx˝b/D ś/0 gm}ӝ!Ms}p $+M,T>_ǟKQ2 ;\3�rvQdEC߃Eât!0@Pr1yFk _N̰\}M1F7?Oa:Gp {xWWi\ c|9W2+}Q%O'2ppoNU g07:$"d0w<s00+! ) q=[7dGC"|Ǔ.a3+e9>Qg,,> jʉ uea?s҆FN~4d :O(D, ynX$<mz:bҷM%봩%bDናn vRVNUuj [9f:ֆMw<Tq;ٜ,n绝w7O~?8gyU_ӷrqÃln|SV[Op"Ͼ?1w}D>ectp?3z&|%=pl_`pl`¹7Dɰ]k=_合J�v lP B'KCkAIZY ̓,dL\0]S s #0O2Gr {iM8F<!fsx:{bh1Όÿ̈if|3X(h0z{˦k^!)>Lyyބs& =(&09N?"o>ar0_iK`&1_e¬O=N%gOZ&;h犎.}2>;Ƴ*yeE[Lܣ0|':5<m D \L ˎϘ? ߋL}٪R#33<J!]"EXζ`f(Q>ͬdPby>26Il؏?2I^4 >4=yZ27$+|4T} )<om)3l<}fZ[y LCwU [36f0AV?Y}Ks)yi!R;Ehƙ- ~v6߇s:9mXjҮhڸ>M8{ڼ_f6I'-Y\WJ{\GIErKj4.OrSVG]/}X܇%SW?-_ëdKN ;ØtdyB%>-w2N~OYνblZs3atp)@ FM,X!ȵxA' N2/6Ukkyr:y;^yw+x5yPi([ʼBiֆ$C>I\'j ,Y'n᠙ɬ{C @@*C5T&XD,>bcJC}C2FT%^ Q g}<@>,H,6_# c5R3&Ps0m1s*#ߞLSNB ?80?>*D0ÿK@Qgr 4 )+1Šg!? `Y`YȟFh:eU8B>ŃxP' HIxꤩdҦ5)LNFIlL?;(ӏ鏍UFN>gIM>mJ=Q]zعԃS$z}-[%z*C�⮜uZLΗnRBZ[ʎD8CwI^>ø-rMLv:r09}nb>a1 [JGxFļHajrjs'(&b]2ϠoKĶ|1ZV-d<jيtI*;7&k|sy.F ,5|eLqaqgU}۰xcwUNQㄬ<O0`4v;a#yJWl~7^3oE.KC&tȍ;"ygW.(s HD$6tK*,\UyDb/Wi|Â54ְ kO=3,|6p@ mᱹm~v?gCx|J2 bs8?tf)z(Bp!kop,`N<f՟ͧu`Q " <H0}Saf~"":sb2}A#cgω[!&nlAFKAUS^6"!f_ h*K&`jV`aSV`*S0-2pLU 9򖀩:iJ05:0R*[pZ,4jICH1㑂܌2^O`.S}Le"#Q*eJQZN|ˆiPO,,iVsqꌢuIz 1 b4 fXs9 2E(_H1lsXx5ioNc8BN Nk8!3X]T*8VpĘŷ83+8pd8Up®DuSA*'HA/@ V-ptjHU�eR_*ֆ[ |uU*VZU2z)zU@U@=*i �OYyfC8k{+@1Ve[ƟU֭�u�+v h/l`8'�gׯg .<</nXZPs�+�t: nWzzܳWX+ZExy<lFu/ zN bj`ڃXTS{e"'\dˀQ,<"*@X J׬ �qQYH@rchr$6pe8*8Vpp"O0M3Cb$8qܯpBVpB\ D!\'K6j='"%oYW {6Nxm,^7;LPaQd,OJr_̨!iJ:˾EBxƂ+<HaO#.F v,Z{,Ɉ 7 SJ1mr,\H)ifʹ}z~PAt[x+IRV$c ǒdUbLpb(:V%V *3LǕPP ߘ|gza(iI)A)j +F:`v@� K_ K_\B:9:Ӫܔ \LofjĩUJG ٬0vc>-|1GXn'ZӼXU!Y%,-X$ț",4˧ƝY䵉O&ⴁ8{Tg$ΰ"p.OwM31cT"@IKR:c Y:yCҬ$+/?IiyCgFRZPXj T#l7}p/fL/Gg Բ]o֘s+ȇ0K"BښZ $M4f~݇1d){F#rLDí ĨBD.%+ fxX8|AaτbV!dJmo%n?h*ЕAMR5�vtWAw ۤ½�`7J툰#7nao.uTC;|z䑓?<VtNH9Ʌ|J'B.LrrOeʵwOllu=U4/'Gh[?$'tv`,YCIV<UZ(mgL~1:EN:28TAf*}AԁkkR:c ^8 'ˤicٺ4c Ǩ\W5 _-o0: eLN6"-Rz"u3yx(=o3{a%d"Y<Mcdw =g˂СUJP�*ӭ &#D3fMU"YP@"\sΐ|ɶ8Er#GXwPΘ c5\M8/"İe[:MI3غSi׽ fYFei*ػ#Ou*sd-;R^Țxgi&::3ş1'4F6e6 lxbdؑ_b7�QF^U}2>rԤ 9=G>r{\ |,.\YٸDU`\{R6aįr'Ԉ.)̌<+lr9!nJ/\5�<#Ž;"\_�\ca' @tLu (?)6ĕf?iZ ]ÕZpb.qm+'Dz 4ASv >)Oc}5xi+q:&~-;b2.%p*E߲h[/AKoe=V/|۫}Q^ ?%&hSI ~(vř�G�-�|�(+`w�k3S Y{"ZDsL$<QC<9$i#_=MÌ1a!AxJ3QQ5=\29|t!GRײZkCn˛/D3u_"!M3~Rӿ/Wbe<Wq&,K.>yHץ_Xqy9k#~܌[?`-Ro-}$Y.UZ YR}? *9F&x2$.c2ky}'L沑e2W*j- {e93oDd*BBsoGs ˝wdbR )^DbE<yHQ_c)jg{.R~_{Z&jϧ*X3(l@`< Y ni<r~ ;ŧ7kv@y'^lϲʗgWv࿝!p@m N T|Cb+|kT}x1u�eņ@,C|YC|!P>%Q_NV9o.Pb&GaVJ|\c8YcBW. / <. "i 5CE3; _Vl{hlC8q!0/sxR8wH%R\o< #En;C\x!w!p-etk-"9s^`HjZ/;?ՃhhcSGi\'Sq]Xc_GzN:V&<4]ClA8%�-1ҵ¸ԐB᠊JsG5]TG?u0w,`kO<9[t_,T[ЮW#m_MMuD_n+�93���XKv`؁5 `/H�;�|� he'*Qs.96I?oVsג᫕d _}dY&WJ?gY:OB  ޜ̙?ȹI<KS)<=Y/A&I2O=>L55cJby\"NRthVK |=mdߵ1g> qa&WW XE,!9&NMxsc3[m~΁Ue>~M�&Ξp&-̖]\f5T<RL9fS-!LG9Y}ROi"kKPd|&]ŠlX)A Y{Rfɔa�s$K Ǽe�]9eZExHl/^}�J~ zk׌�i$41!.WxdatPrŒԳBjN$;2MhR�N5kQX�Ne3MZ'ɖ1fUV 2=ϤeuͤEWf54i<ϤesE<bLZP|LІPl]kjעk�0ճ� �l6¶MlI"-vܷ5DyJF槫G"O,^=OU}Z}^z!;"*�8 x3,rџ+~*Sg]uVn;KQ,v$(UcW/aUHw_BgRC? &'GP?DsQz#.έ*J \ ;$쐰1$买ړ5vqcǍn<1� ;Bx|>h6+s^f{nԡ=T4z ,W]d/{J|{ez1smutE O/dw* @d[.˂uJ/z,vX}ג$k;QpxIucʅ_lCI0·!]+]K3 LCC6m@,XyZN,"Ceѧ aNde./洒˪* 'yrf!/98qA>թĉk+ޕ8}y^ wWf+K2ݚD3`)7b_mu q6H^% 6XRzx5GiAPD b^8AC⛵a7E}s!Gx]M̀o|G|ygF0c9J祾t4wm_BKY׉_EN(yHdR{cl_Etp!>zMG,G(jv�iրفaU`X�<x;���\_fe| v,_NkpQ6Ol^~<p#{u쉰( ~xӹ]ħ}5pmākL_ĭŮ'_a8v n ;4-@:�#z&�v��qs'ß37+i^<W[+ܹz>>$$>%:V/W:>Z% ӟJ6 w5 Pf8DSpq5Ո cs\FĉI-DgSe\r\|gYbKv&% )i.";FAEv# qF�X *]n2y!kqQOzW F=- N|6N$fV]u:y:fE0Jz"(VR<' 1傷Y1?73qVYqw'j~e,qBo�pž>{Y<ώB*h t*M _6:lOt]p.pN~ k+|ZJ[p|̝~.9wu&Vvt V8ƹ&_Yx` XV˗GD<0`#g1ӳ?M[Y"sr+�~qa0 z+|�ǭ�CbPYR+z@@= i8;ym+ r [*+י* ];<Of)Yْ|)]gXSt .G\?3@qq3s9f�,3 l>'60W4= wkXSWlwTx`M_טq388Q5K�χ��'8~#Q3gʒ/3Xuf@&8 x�8b/c,_3N<nx>_nȲ[36^p/tnr#̕ݺy*UJG2$(9<H6JE'b8X$KE3B(2 [J*S3h1ݿ_5E͢/g"![>5dUbl5vO<~udiכ'ş=E-+Gi]Cq*XtdRA, q]sE2C&<YMc,^-"jB&=0ƛ,A*~bÖq'k|5>0#u@>e@%Y BB7:GrCt. #έN3MۚB,K`Òy֥cjlÒ>u !`-j)E-?[u[̖[pg<؁],ܗ$%Em Rv!|ા-AUl+p ]-k>\jjҺ4i}F[J*;S"RjJ;1?p.gTG꒺` Tgu f11hPW1i`R+ fxuI'aŏN3~uʊ%b+94וCý5NBGL_i ё"]r_�6٨KϕmT?]㶵]Ye~m{&.Vw|e'x*�N`g\bWc@da 91`2lvPA/��v@kWoV|Rde}z{ݝֻzwZG�vcJW˺ �;k̾;R)`7D.]_�n�Nm`M툰#7_�vg; |#pkɝwj_~��;��@>#!K<diY_,-s|M\IDKj(ЕzphE莏\KCrUvQl[x䓿(tRAPX$kJ3|$dJ'W RK1xI¢ƿ}$"QWzD~gG1SR5W޻X)K%xacS,\VLR񎖴<i&b2E0>F+ ZbB'LX6Ь :<Ǚ9!UBëà,yID]u*0n5@b+CJ 1UJSTVD9̝XBE@BF"_9�lq` ; q">8A{qv !dGMuIy֌iV fEX$@ ˕ `X F<ԊQ;6I4%iO7YtY$!fzUt砀GPUx(<:U<2ѵלu4WW~%&Q~ӋF]zk?sY.WYyC& RsP.?T\VkR~[WW$E��Tm@ N��‘�<#Ž;"�\Pa�9%)1:S5-Qee.f,(Q:r徝}㛠%%�C)cU=cÄ蘱I?y}z<F#ɡ'eG1@ßr? DYܟ)vQJ^VE63/e]5c ;?1U웾i*~5w؁bPŇnec@yݎ;p?>|z cΗ11_=1>HO7?"ݎT,NEx %{&+lr|lL~Q=p) :s?B<pc쨿7Ŧ:p {#;Gw4<zvûߛO?>}P;ܧH~F:X ?A5AB%xoE~hz97طoO7}#oPwB`}p^߼>|I? A=}$.U0]QOp?3pcӶ;OwnW[==~x>~lߺZXE 4]a`hp UtH6p1ȫ[ ,O7C7a'Ѐ{)*[5Ldi񮚖{hN(!g˒ Oh+ ',JOcA%f'F,cj\MT&# g� ۏE# J")ǢbB'cB: q̷ӛ5b9>M>T#zE7?b 8h(J\:&Bcw}%>8~$Pћ O7nk1UL]y}lAO@W.?i$y8`À_1BxCVRSYr :üنݸ8�9o0|{Yݓk(Zv!y>2~k}b>,+1s 26s}vn‡YS(~ ~8x-SqA<Ֆ9T"$ ? v s|od75\SU}<"11<Ioc?&E?U.c繂\poIe#a9h{[q~9/'B60[vlk\$eE6T@dDрXx8x@`8@9ta^&lֱCwZ{kvT<-v,Y%W2%M`:_ ňQ+>XE5cl 2TkZ&/~"<%�_˰ ggX0:aXV [&eXrcmư1ͧ'VfX273JL[lB*a؜Y=;0^cآasfFJU96E O1>ΰͩ[:?0M&bJG5~ r+*^[A'd?UϠJ%üv2< mdlzBNI7$)&<D*MQE~T`TA"Hvth2󾢹:' 9'ОeMݗN5:_:ԉ"juuRi搷iUP!N"ǩ3NRA2<5;Ar%} -y#B.Az1ͼCs]ub݈g)J"2$'|fXX,eIS;lO;Q,3:FI L2i]gfw\5A]Jű~/@V]$ttv JC?dr)(WW6?,o'?؛(RHKK%eJa&6 S /*hu(Q[rxS)o#kMҏ"�_|2+l!ҧY vJͤKQ\TcȥkU rMkQ٧ >$ dAtg-0~&orXXߕ';cVcPh@]Òi luy`hf @RBԌ0;8GŶ"VgBdʙ}o_{[@XJ4ޯ՞*=eC `b $J4]abKrF(u*Uxf!.6~9L8)GW Ex-opFJ~o?3hiVpc}(]HCɒ=>2mODSM0@\┨j{5a^FݕKЛ9C/S+N*Cg˲?r*<ԩ wʜefsF?0K4VEÚCrS?3dg=2WKpi=XC6+sѡQJ<ątNeGμI*˜uaXy+Tdzd0"?DAӽ}2SF.i4姂d2>_]**K6s)s-zٱ"j97{s}²㻥a&{<7K9ėsriKt!IX8pEagmM6? cP&.ˁ):wVI8zk]*3Ƞ[L XUX"g +&(jQuV' X~ <.=kL7EBe푀YBߴ;FgGD::†PQhVpvkF3 0o~.F�(V& |=O IY*}IE[qFpTalnf?[쨹K 5<yfSܵyg3=1xϘgN^9<|$#Ry`<<JT"B O>Nn]ڈˁW.SvX "h.*z(H)/~U7ͼdNUWhpGB> =0x6H{MqªD7i5cOyyrgBӀ\xk*Xr}:@c 3/Lνp1 FaY_:0G/ _xhMKW5XL'5a7l]~dw +X-i4r%3*$%\Cui(e4yH^] <#SsK#ʙ(WD .cG#7SNBW**TiX9D7"[Uq$Qdž`pT@?7@ CdgdCWh318 XdP)jz8Aa.J(kE2(;w,r %.4K!w-T-[G=gY8C1-y޳҄y?T cI ܥ%*q-$ %y|'lmWb< +OzIfˑH>r$/5\Gr `TBde>~A\Frn<~?=F'Us&9x|[%B@!\[ro C_ z[/TCط*2�*6z̬AAR\]EQ6uw}V Ssaw1-uC踑KWpoÁF4F큍 Ct!$a( LdLM3s#ƘiU g<&S~j8YSN;c^C,ozS $$!I n1wXM_KE7D%o"(oxC׹7ĜxCd7"( 0o)o %Y 1%y YmVjH$~]%ސJd1x?-%Ô'>CID&}LL7ɪo2(o`ـ@҆6*OUH">7qxU̷$*7fH:&2p0CLx U<o8^=jJ7ԘxCo%o|-y̬2+Ph&rC.9+A;)+< /!ρr?\-zq̳$Ws\2ǢJ%ՔIe&g++ ?Jaa}2d AbaBaޯ\xw`3�|*\qx 3`p; 7􎼒X6@QB /md׷Z4;(ޙ;}䝸w=J;I) kej�,vwT3Zt-abPЎa1'EkgTdIXKQcZz7tX#504p-c*Ms uEc�jU:͕c:Z98i)w ʲjT֨Z /4D ^sz'%5JJ[Dom/`\F so}`%5h)ohuRM7I^R#n8aP/[q֩mEǤkAE5jc''|�mtǔڅV8\RcӷmKl* @XH_#F R$4m+W쭯Q]Dr2UmSBZ MHz3r:H[ .Zj/pzjy:A@g;x+E<^k ι`5 �L}Q8# dF= ¶h.Ѩm '( tP >P48&.60=m89}t x\7Js7 u�Vm5 esMz{,s! nkrQ8`m"'eP8hqv|`dJ\=Bw>\h`q VڡQ^=h�#s ZFכV+^Kv'/ZZqSZ xC>>Bqy'ŝ 2V)Xt� n : UgUM`,Mj{遶l^+r'%!-ZHBJBKSNg` G{vB^ uSN6�Brh J _kkC m*}m v hXjy/[)A?RbJ_>, &M[km !-L>t ַakc|X{k$LRD6J_;簤vp!Y-Wo^&q Xڀ-'RIo[56ؕmth9YHVw +I ~%’KtGzށt͌V6ĕtBq; t}o^ L)oC^7086SX umxբlwFЃ;FХ:AxWdq0<j4+v޷q-s3uʹF) :PYASu6s[ia5;qa;s-jf4)ZK{F yN꾗b`k4! 5 ف`;@;⛑W7c[hgQ@`[T+ߌ7�Ci ۀ\ۚA�*sbao-v ѡa}k53tⵥwvBCàFs@i;K@Kk,ۢ%*{,6= žnC0D0pꬂUd VujyRh;iV(PF_[{g7Xf8&V|a$J!kJMhBvlZ(M؛qZS $¡-xlB0WL^4t�٬%4 ׃fx mIxoph"Sj 6lN-lB˘vЦP kPTC6e w-5_5eP[`cL^~TGG7C(lHjSʴƶ6C׈6�sZ6T} ʘ- iɌ%:еށ"XUtK&$?N5*z:0ke@3ނ2 &a5|a6Wyg"܁= {)ݻ7�T9`e1T-E[(MRAQdF 8I"p2p D@5;)@!4e7(XBPHM0fPw-eqNLt@Fzi&e,k:a zZ$MM5-P8$2Ma@5�jJCS-RX¥=u?nࠪtZMa�ASBk!x{5z7ih:Ju 1�Oul& ЁrӲr9 m#ڄqVVchvp�CK� vCu 9XF,Hhe2D&\Ld#�X ׃6HXhjQ9X6Z`g&ރ M#u ڄZt~44C:m9kmoM tD pii`t� (ZP܄_8|GZh-֍l@!Z=Qt⛬zA4t)W詭M % FZe$([Qge;Pw3h 2AD@|t2-dHu�>2CB[ۘ�\ pvL4eX0EKnM@[ RQe3 @t@5i@u8#5.6ѓE%�)wZPbi7Ɋ6FHK &;(I{M�;>6Q@<vhQ@_S\i,Z%F4j�E&aq:ݶ� mKAAO /KP�a@kmAA'FmD}޼XC]@W p6( `1޵u�@G>7_uFr(?Kp97ЃXQ bSֈk6 ^8BVA<AbSnjkܐ-L�xt [XD0ҷ nО"A6R@/V}BTo_@\k�AKav;xMj@v@7J4F`F7c[r?8Ea `ߦ .ӺrA֛�a Ӎz0!ma6*JamjQZi~lkV5.FǴwB@7Vmm#`"`d�c)[RҋlMXe-eU8&,AyG 1.y6`H4\jU~CH׷MO }Qt1gVmmcgi ;2i(ʀL }dlkh5XV ء`D,8_z^ĮW�h iAc[�uv FZXc@w1#;޴JI1p1,=kHz0HX,a f+Ƙ֢8Eh^o# ޖH!iz pte nPNXȂmlҩV*ߋq掚Mp*4ٴ51 0$SXw MXقAD Fڶ&D w mmy -hZ Aw]G|mdPPdbCρ[P- 6N6ad%8,R70tR 5�v՘MxВtӰFTp-AS5l CS1h ;& 0i �оR&\l+;(:`)XY()TБxhj&3(}c@PXv (L01oX0Bڶz ʊ@@k.fhJ0 -PTD􃅶&u Y �vpJ F MdUçf@h9+c[0k*Uh`Kp8p ֶuYF3ڄUx0C2܊ r8)rhzg@`}d@ sAq!)j\ w; FaԸF+P${%id pF]o@u-OHc*M(n{APG^0;΀A SNhP-,T?b0ۄ\B,˸%Ӡ%E&HO &$( rcAy'MXiX9V %Z<)@6Jcxoj11R;SB}6PCǐl:'-nshANHĂ\S^�tmhkt2M˝1H T!6d XCz7-CDWm=i@14F"5r[x=64M (?D1�$iô \j`ٱ\p[t`I)Cah _c52Rmt=$۾hA7&7 Z`B:tHX<iԒ oX@<"m5\#iQ-blBˬAvvH(љ6>nkN@-5ͼE!5Kiz` sl$dAM*G[(O'=j 6~ hYYZ8".4ü,ȶS פu^JG{97|[۬MY,Qu�8l 2c[,kaUhk|mlsx�yjlkV6h^V2 :܍/p^֤=bI[ cʶ I]SAX\5 Mmmcm3 ,&pZ{D&8ځ"܁d4R5 [Љ MmȈ1>R8(`> flmK.+25ɒd5XfHP#aliNF]> "6EN.$68@Uo|c@|Dhj =o[G�"-)E;6(<" RaqG:*�Vm uַRM`l( Uba)iAjo LR ޵c#&6cN㖂pcp 61 =ap�@6ax00Pz(hb;m"a@![Gie8�mmVqip#FSo9D w v\ +|Iѩ@2f-U v-;~ 7A>t: udM vك\na-m7Vg/ALs/ YakMq+�}= mc D9Z,Ŗn|,!-&X# xJE+zADsuXI(fo- 8n@ӘK",\ۄJ6P.%WX)ṖfF(9(�Hrz*w A &y;n삑¯wlgK:"z͜˥7.FQ&P 0�hcP&(P:#5{Nm=`0ƌKP:0zlk :={XF,@8 4/m2]GFH$isH~dTķʤkU(b@9Q@j}[Vw ]lgQkЋICA `xbҵM` #րRkqSq 5M,j a È AsӛMkm|PS-`D!3L2tw[6ф�`]9(&H3P=P UݵpA w% KJ߉ѽM'oyz)6nbAn؍Ơmg�w0) @mDhtNH" לS,5c7M@kրDg{ZbS-%!&Mi."dDP: lVU kV\ CYXxEѴ~gb L�f }^49 }njf�6vC%z'f;p Y`X !+rY&Z Iw9C{+vtSh N`6jBpjF*f0b 0p Dȶ /ǵ!-c"Md WGZj4 d&ǀ([>ZmC8H8KMf3nklpa^t&J 4sC.Mf8;! Jw9µmuA .mfAA 0U] ְ1tfw z ` $Rf5T FSm%GCWd ӣ F&UF8UF(v`]MMmgxSk{PSϾ#@{ ܩA2PP3jL`}Tw ȠD*X23{B<(a-~hTӋHt0+}*[FA ,Jaek۱sܷdZ FNB;tj]Þ)U +XY@jx͉?Ppz@KA�X0nANZל`+wzPn0Mӳ7 16HS wh! 94¡phpk:ȸ#략m}-NxAX.F.-AI 9a*X,& @- HzΙhl5q{7E�X ,9,K<SRrFx1)gEq+n( �X{3<󢝒TI(97[L\L#Jȋv UDAL,C ̥ J5U12ۡ$@ YWa_S SmST C]3<C\,B-:ǗeBOg :  LDb>LӾknj)BzY31PpLn0�zNބ̰\, .m9o5_K�Rh)TSrA_U%bhqǔtGAd xYH� Hx`>ҶL;~H[:KխqǏmѭA=Fݎ -=CoJn hJ;3�JB4rZq z6`U=fVi�X<}_1 18kEԶP)`%;G0h6n /XfR0 YP @6-ډe =ȝBv� 9@wt5iN`)i(x9%@0=F* n[w-y0lS6Gd.b| ?�6۟b'˜ ՖАh].fZJͅ 4.xi1o�oƚ C egWJ[!p%fB{/F7n'OA15p}N)O8MƖď~%­zι_aBc3?z)(PNVL͸!ywj56 ݞ20;7Llƥ7=@!\'ɣ3wd4=1d7'A5܆ \^n˅9I;h roo[ m4JJ*&8,p�>K9 ܙpm?z[Z�mw㹖qr\;ޖ@uwtG|*hddϬ}t*-o)έM`9ܡӎg^^=ZL<4j%jThB` ǜ}ŀ?{1[뫼t̉_ŋzW[0:PE>ݮa\Ć%vW+àU;+4P>? EA'zژed<xO#r%1Xƌ[t&氼[.9-+f-LQ'Y#-^W6nYwndM CTŢTP 2K4P*Ss糹_f8 h漼,L?Q9LD6t9oE1<O1u5&Ж~6sFQ(p?R+97;<ZRm-X$r$A@*M P\"piR} i@'A`,:r:H>;t\{ b& `B4@c3x6S桗0}r3%;;8fž0~+m<6�����������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������why3-1.6.0/examples/bag.mlw�������������������������������������������������������������������������0000664�0000000�0000000�00000011605�14401600263�0015477�0����������������������������������������������������������������������������������������������������ustar�00root����������������������������root����������������������������0000000�0000000������������������������������������������������������������������������������������������������������������������������������������������������������������������������ module Bag use int.Int type bag 'a = 'a -> int predicate (==) (b1 b2: bag 'a) = forall x: 'a. b1 x = b2 x let constant empty : bag 'a = fun _ -> 0 let ghost function add (e: 'a) (b: bag 'a): bag 'a = fun x -> if pure {x = e} then b x + 1 else b x let ghost function remove (e: 'a) (b: bag 'a): bag 'a = fun x -> if pure {x = e} then b x - 1 else b x end module BagSpec use int.Int use Bag type t 'a = private { mutable size: int; ghost mutable contents: bag 'a; } invariant { 0 <= size } val create () : t 'a ensures { result.size = 0 } ensures { result.contents == Bag.empty } val clear (t: t 'a) : unit writes { t.size, t.contents } ensures { t.size = 0 } ensures { t.contents == Bag.empty } val add (t: t 'a) (x: 'a) : unit writes { t.size, t.contents } ensures { t.size = old t.size + 1 } ensures { t.contents == Bag.add x (old t.contents) } end module ResizableArraySpec use int.Int use map.Map use map.Const type rarray 'a = private { ghost mutable len: int; ghost mutable data: map int 'a; } invariant { 0 <= len } function ([]) (r: rarray 'a) (i: int) : 'a = Map.get r.data i val function ([<-]) (r: rarray 'a) (i: int) (v: 'a) : rarray 'a ensures { result.len = r.len } ensures { result.data = Map.set r.data i v } val length (r: rarray 'a) : int ensures { result = r.len } val make (len: int) (dummy: 'a) : rarray 'a requires { 0 <= len } ensures { result.len = len } ensures { result.data = Const.const dummy } val ([]) (r: rarray 'a) (i: int) : 'a requires { 0 <= i < r.len } ensures { result = r[i] } val ([]<-) (r: rarray 'a) (i: int) (v: 'a) : unit requires { 0 <= i < r.len } writes { r.data } ensures { r = (old r)[i <- v] } val resize (r: rarray 'a) (len: int) : unit requires { 0 <= len } writes { r.len, r.data } ensures { r.len = len } ensures { forall i: int. 0 <= i < old r.len -> i < len -> r[i] = (old r)[i] } end module BagImpl use int.Int use Bag use import ResizableArraySpec as R use map.Map as Map use int.NumOf as NumOf use null.Null as Null function numof (r: rarray (Null.t 'a)) (x: 'a) (l u: int) : int = NumOf.numof (fun i -> (Map.get r.R.data i).Null.v = Null.Value x) l u type t 'a = { mutable size: int; data: rarray (Null.t 'a); mutable ghost contents: bag 'a; } invariant { 0 <= size = data.len } invariant { forall i: int. 0 <= i < size -> not (Null.is_null data[i]) } invariant { forall x: 'a. contents x = numof data x 0 size } by { size = 0; data = R.make 0 (Null.create_null ()); contents = empty } let create () : t 'a ensures { result.size = 0 } ensures { result.contents == Bag.empty } = let null = Null.create_null () : Null.t 'a in { size = 0; data = make 0 null; contents = Bag.empty } let clear (t: t 'a) : unit ensures { t.size = 0 } ensures { t.contents == Bag.empty } = resize t.data 0; t.size <- 0; t.contents <- Bag.empty let add (t: t 'a) (x: 'a) : unit ensures { t.size = old t.size + 1 } ensures { t.contents == Bag.add x (old t.contents) } = let n = t.size in t.size <- n + 1; resize t.data (n + 1); assert { forall v: 'a. t.contents v = numof t.data v 0 n by forall i: int. 0 <= i < n -> (t.data[i].Null.v = Null.Value v <-> (old t.data)[i].Null.v = Null.Value v) }; t.data[n] <- Null.create x; assert { forall v: 'a. t.contents v = numof t.data v 0 n }; t.contents <- Bag.add x t.contents let get (t: t 'a) (i: int) : 'a requires { 0 <= i < t.size } ensures { Null.Value result = t.data[i].Null.v } = Null.get t.data[i] let remove (t: t 'a) (i: int) : unit requires { 0 <= i < t.size } ensures { t.size = old t.size - 1 } ensures { forall x: 'a. Null.Value x = old t.data[i].Null.v -> t.contents == Bag.remove x (old t.contents) } = let n = t.size - 1 in let ghost x = Null.get t.data[i] in t.contents <- Bag.remove x t.contents; if i < n then t.data[i] <- t.data[n]; assert { forall v: 'a. t.contents v = numof t.data v 0 n by numof t.data v 0 n = numof (old t.data) v 0 i + numof (old t.data) v (i+1) (n+1) by numof t.data v 0 i = numof (old t.data) v 0 i /\ numof t.data v i n = numof (old t.data) v (i+1) (n+1) by numof t.data v (i+1) n = numof (old t.data) v (i+1) n }; resize t.data n; t.size <- n clone BagSpec with type t = t, val create = create, val clear = clear, val add = add end module Harness use int.Int use Bag use BagImpl let test1 () = let b = create () in add b 17; add b 42; assert { b.contents 42 = 1 }; add b 55; add b 89; add b 42; assert { b.contents 42 = 2 }; () end ���������������������������������������������������������������������������������������������������������������������������why3-1.6.0/examples/bag/����������������������������������������������������������������������������0000775�0000000�0000000�00000000000�14401600263�0014753�5����������������������������������������������������������������������������������������������������ustar�00root����������������������������root����������������������������0000000�0000000������������������������������������������������������������������������������������������������������������������������������������������������������������������������why3-1.6.0/examples/bag/why3session.xml�������������������������������������������������������������0000664�0000000�0000000�00000020751�14401600263�0020000�0����������������������������������������������������������������������������������������������������ustar�00root����������������������������root����������������������������0000000�0000000������������������������������������������������������������������������������������������������������������������������������������������������������������������������<?xml version="1.0" encoding="UTF-8"?> <!DOCTYPE why3session PUBLIC "-//Why3//proof session v5//EN" "http://why3.lri.fr/why3session.dtd"> <why3session shape_version="6"> <prover id="0" name="Z3" version="4.5.0" timelimit="5" steplimit="0" memlimit="1000"/> <prover id="1" name="Alt-Ergo" version="2.0.0" timelimit="5" steplimit="0" memlimit="1000"/> <prover id="2" name="Z3" version="3.2" timelimit="5" steplimit="0" memlimit="1000"/> <prover id="3" name="Alt-Ergo" version="2.3.0" timelimit="1" steplimit="0" memlimit="1000"/> <file format="whyml" proved="true"> <path name=".."/><path name="bag.mlw"/> <theory name="Bag" proved="true"> <goal name="add'vc" expl="VC for add" proved="true"> <proof prover="3"><result status="valid" time="0.00" steps="0"/></proof> </goal> <goal name="remove'vc" expl="VC for remove" proved="true"> <proof prover="3"><result status="valid" time="0.00" steps="0"/></proof> </goal> </theory> <theory name="BagSpec" proved="true"> <goal name="t'vc" expl="VC for t" proved="true"> <proof prover="1"><result status="valid" time="0.00" steps="1"/></proof> </goal> </theory> <theory name="ResizableArraySpec" proved="true"> <goal name="rarray'vc" expl="VC for rarray" proved="true"> <proof prover="1"><result status="valid" time="0.00" steps="1"/></proof> </goal> </theory> <theory name="BagImpl" proved="true"> <goal name="t'vc" expl="VC for t" proved="true"> <proof prover="1"><result status="valid" time="0.00" steps="10"/></proof> </goal> <goal name="create'vc" expl="VC for create" proved="true"> <proof prover="1"><result status="valid" time="0.01" steps="21"/></proof> </goal> <goal name="clear'vc" expl="VC for clear" proved="true"> <proof prover="1"><result status="valid" time="0.01" steps="49"/></proof> </goal> <goal name="add'vc" expl="VC for add" proved="true"> <transf name="split_goal_right" proved="true" > <goal name="add'vc.0" expl="precondition" proved="true"> <proof prover="1"><result status="valid" time="0.00" steps="8"/></proof> </goal> <goal name="add'vc.1" expl="assertion" proved="true"> <transf name="split_goal_right" proved="true" > <goal name="add'vc.1.0" expl="assertion" proved="true"> <proof prover="1"><result status="valid" time="0.01" steps="28"/></proof> </goal> <goal name="add'vc.1.1" expl="assertion" proved="true"> <proof prover="1"><result status="valid" time="0.01" steps="22"/></proof> </goal> <goal name="add'vc.1.2" expl="VC for add" proved="true"> <proof prover="0"><result status="valid" time="0.03" steps="31805"/></proof> </goal> </transf> </goal> <goal name="add'vc.2" expl="precondition" proved="true"> <proof prover="1"><result status="valid" time="0.00" steps="12"/></proof> </goal> <goal name="add'vc.3" expl="assertion" proved="true"> <proof prover="1"><result status="valid" time="0.24" steps="401"/></proof> </goal> <goal name="add'vc.4" expl="type invariant" proved="true"> <proof prover="1"><result status="valid" time="0.01" steps="19"/></proof> </goal> <goal name="add'vc.5" expl="type invariant" proved="true"> <proof prover="1"><result status="valid" time="0.02" steps="47"/></proof> </goal> <goal name="add'vc.6" expl="type invariant" proved="true"> <proof prover="1"><result status="valid" time="0.19" steps="242"/></proof> </goal> <goal name="add'vc.7" expl="postcondition" proved="true"> <proof prover="1"><result status="valid" time="0.00" steps="21"/></proof> </goal> <goal name="add'vc.8" expl="postcondition" proved="true"> <proof prover="1"><result status="valid" time="0.01" steps="23"/></proof> </goal> </transf> </goal> <goal name="get'vc" expl="VC for get" proved="true"> <proof prover="1"><result status="valid" time="0.01" steps="16"/></proof> </goal> <goal name="remove'vc" expl="VC for remove" proved="true"> <transf name="split_goal_right" proved="true" > <goal name="remove'vc.0" expl="precondition" proved="true"> <proof prover="1"><result status="valid" time="0.01" steps="8"/></proof> </goal> <goal name="remove'vc.1" expl="precondition" proved="true"> <proof prover="1"><result status="valid" time="0.01" steps="7"/></proof> </goal> <goal name="remove'vc.2" expl="precondition" proved="true"> <proof prover="1"><result status="valid" time="0.01" steps="13"/></proof> </goal> <goal name="remove'vc.3" expl="precondition" proved="true"> <proof prover="1"><result status="valid" time="0.00" steps="13"/></proof> </goal> <goal name="remove'vc.4" expl="assertion" proved="true"> <transf name="split_goal_right" proved="true" > <goal name="remove'vc.4.0" expl="assertion" proved="true"> <proof prover="1" timelimit="15"><result status="valid" time="10.20" steps="3605"/></proof> </goal> <goal name="remove'vc.4.1" expl="VC for remove" proved="true"> <proof prover="1"><result status="valid" time="0.50" steps="542"/></proof> </goal> <goal name="remove'vc.4.2" expl="VC for remove" proved="true"> <proof prover="1"><result status="valid" time="1.31" steps="580"/></proof> </goal> <goal name="remove'vc.4.3" expl="VC for remove" proved="true"> <proof prover="1"><result status="valid" time="0.07" steps="163"/></proof> </goal> <goal name="remove'vc.4.4" expl="VC for remove" proved="true"> <proof prover="0"><result status="valid" time="0.07" steps="73119"/></proof> </goal> </transf> </goal> <goal name="remove'vc.5" expl="precondition" proved="true"> <proof prover="1"><result status="valid" time="0.01" steps="15"/></proof> </goal> <goal name="remove'vc.6" expl="type invariant" proved="true"> <proof prover="1"><result status="valid" time="0.01" steps="21"/></proof> </goal> <goal name="remove'vc.7" expl="type invariant" proved="true"> <proof prover="1"><result status="valid" time="0.02" steps="87"/></proof> </goal> <goal name="remove'vc.8" expl="type invariant" proved="true"> <proof prover="2"><result status="valid" time="0.53"/></proof> </goal> <goal name="remove'vc.9" expl="postcondition" proved="true"> <proof prover="1"><result status="valid" time="0.01" steps="24"/></proof> </goal> <goal name="remove'vc.10" expl="postcondition" proved="true"> <proof prover="1"><result status="valid" time="0.01" steps="35"/></proof> </goal> <goal name="remove'vc.11" expl="assertion" proved="true"> <proof prover="1"><result status="valid" time="0.27" steps="283"/></proof> </goal> <goal name="remove'vc.12" expl="precondition" proved="true"> <proof prover="1"><result status="valid" time="0.01" steps="11"/></proof> </goal> <goal name="remove'vc.13" expl="type invariant" proved="true"> <proof prover="1"><result status="valid" time="0.00" steps="17"/></proof> </goal> <goal name="remove'vc.14" expl="type invariant" proved="true"> <proof prover="1"><result status="valid" time="0.01" steps="49"/></proof> </goal> <goal name="remove'vc.15" expl="type invariant" proved="true"> <proof prover="2"><result status="valid" time="0.03"/></proof> </goal> <goal name="remove'vc.16" expl="postcondition" proved="true"> <proof prover="1"><result status="valid" time="0.01" steps="20"/></proof> </goal> <goal name="remove'vc.17" expl="postcondition" proved="true"> <proof prover="1"><result status="valid" time="0.02" steps="31"/></proof> </goal> </transf> </goal> <goal name="BagSpec.t'vc" expl="VC for t" proved="true"> <proof prover="1"><result status="valid" time="0.00" steps="2"/></proof> </goal> <goal name="BagSpec.create'refn'vc" expl="VC for create'refn" proved="true"> <proof prover="1"><result status="valid" time="0.01" steps="12"/></proof> </goal> <goal name="BagSpec.clear'refn'vc" expl="VC for clear'refn" proved="true"> <proof prover="1"><result status="valid" time="0.01" steps="15"/></proof> </goal> <goal name="BagSpec.add'refn'vc" expl="VC for add'refn" proved="true"> <proof prover="1"><result status="valid" time="0.01" steps="1"/></proof> </goal> </theory> <theory name="Harness" proved="true"> <goal name="test1'vc" expl="VC for test1" proved="true"> <transf name="split_goal_right" proved="true" > <goal name="test1'vc.0" expl="assertion" proved="true"> <proof prover="1"><result status="valid" time="0.15" steps="244"/></proof> </goal> <goal name="test1'vc.1" expl="assertion" proved="true"> <proof prover="1"><result status="valid" time="0.90" steps="484"/></proof> </goal> </transf> </goal> </theory> </file> </why3session> �����������������������why3-1.6.0/examples/bag/why3shapes.gz���������������������������������������������������������������0000664�0000000�0000000�00000007126�14401600263�0017421�0����������������������������������������������������������������������������������������������������ustar�00root����������������������������root����������������������������0000000�0000000������������������������������������������������������������������������������������������������������������������������������������������������������������������������������\]}ׯ[H^~YBQa,җb^ r. =Px_qaKC!=rHqooxwz͟6Ǜ_9[|Aoՠz0T - ,vǛ\doo-~3u;iw_wu{|sF6_6S6hpPldzʣpJkf;ڞ_׃,eA a'D#~|8+8CoUǷ_ecI=%.crՊ5OU-Z_kR\\5Ҿ; .a5] 7W].__ 3x6Daf/Ts_3 !1ZF9NUk;H tRx1#MiAAڂIAvpzev#A=1~H*YUM2Kr׊)LU8;xyCBADe@\0 LFdnD6}rG^Ȟ%b|Y, QAdjy.^EW "K K8뾩k/ /+rS;yo".#{?בLI$S`" xN+I>q (ۀ U`A .݂ȃEtލt%^D?7</ UGB= \x/O-nB,R+,EdJiF3-D\(]'h[$k FI&.lm=l]5l [b;ȎΒHS=1(?aH@`NA7D 7D 7$ϸ!L snH}ywq='ʙhP);:Suts:uSuS_*9DbP,fֿ8j#:r$WwsrM!7/:4r͊\͐7IBPi^u4d/ɷoJP^Zջ@&&N0 잺x=>1i~w^]a62Q,Eyۘlӥ]>Ip *œCƠ ;wZJػ?ؼ 7նeC.U5/JɞM>ߝF͇M sqS,EM>:F۶qƗN 3B)oE!Fs#%rk %Aߦ_@r3u%Ar(OOOz5N MLe?1)p&>Ӄ?wѸ{x{j=x̾pau3i=h%~ѫ6 O,Iam 9P> Bm] O[q;au "V($PH.v}1Bja4Bs|wByHhd}JE4`.6 iup/xoI$V+X[(WԵ!^rW=y9qCSw$9ˑK=$cIbF:>X# k)7sa$.Z_Ik$~W4IjGDFpqߖ'SI'H/x:\hu),pꎝJ ?avxoRx!%EV/)ytQ=\DM9zX1Ϙ(wHTĊ1<ƺX9ءWVV뉏r;/Ys<7.?7͟ܗl~~yy=ϿJ-| h"Z"vTe cy)\rYʪvz}UCk㱶rjʑrP|Q9R#mj5z RM;ef̠8*W*g]Vw.NA ˰M9AJ:իz`A-S)ϭA&J9du:hSZ9ԬSNn&)gӽL*)/"z[أsb=St`~vSKp}Yy")..C) {=>n].S5{ǘJ`'bQם}od(+7_>q(OQG>Ob)ҋUr ^U+twPSWJOu"ӅMݜBd音nXUY~ELw@PhZ7B'a={k`?w+E!v/cR&dTՙAi/)Փqj25zevli|nHiABwTA>\|#E3D%I-f<Ym5lՖ&hlfR[F#s| 22Znf99mё!DsOzad4>ы 'D^Q3"Z2G,4d2D ]kj q6giіkΓc*^iV.$ŽŒH B*R+Vİ\^se|ZX.49.XTZJn\_Ԣĝ!pTi֚[4>*kT6T0Tfl8Eeafsq wNJO*5OOҎa6:xmӤq,8aG47q(R,qEu2P[xY$Oф9ĐBl+v 4Vy*/JY;&@$4LZϣaB;%ТQ' ~H,Zg\ C1JHd'ϜE'3Vlh3դ0 XS@aF 3T[ה^G&Q ȏ,n1@TrQ!BTl<Y c`%)g;8y UVQ4 %a'0¨0f&eS.L0l`4.oI3-F l}Q!HCFz4ADZ&'A9(rl:Gt2vQv€adӘv+gHt(vR`UXyDD>"@QdhJB'vWМ"kLiX'<R!gOxHy?=q=Ɛ%DaH P X1V:I4( 3X$EY!N Z-1,D3T +<+)aZ �yFzˆ&,a8-h�fdI'Cs-ؤ-2LUQbhHe.NA /eiݜ&ٙT W#$䐂I~H Q .S0*n1́cz1L1@ @gaYod w4 CFs(}ZQεl88i9! 3# &NW)zD cn$r2pN1pd(Df}?[eUIs\4�6{>vf8&TG )&[-uBGc3^q5I#Yr,j}&I4p0bbChhMyL 7�vށ̳iP��������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������why3-1.6.0/examples/balance.mlw���������������������������������������������������������������������0000664�0000000�0000000�00000013175�14401600263�0016337�0����������������������������������������������������������������������������������������������������ustar�00root����������������������������root����������������������������0000000�0000000������������������������������������������������������������������������������������������������������������������������������������������������������������������������ (** {1 Two puzzles involving a Roberval balance} Note: Ghost code is used to get elegant specifications. Jean-Christophe Filliâtre (CNRS), December 2013 Léon Gondelman (Université Paris-Sud), April 2014 *) module Roberval use export int.Int use export ref.Refint type outcome = Left | Equal | Right (** the side of the heaviest mass i.e. where the balance leans *) val ghost counter: ref int (** how many times can we use the balance *) val balance (left right: int) : outcome requires { !counter > 0 } ensures { match result with | Left -> left > right | Equal -> left = right | Right -> left < right end } writes { counter } ensures { !counter = old !counter - 1 } end (** You are given 8 balls and a Roberval balance. All balls have the same weight, apart from one, which is lighter. Using the balance at most twice, determine the lighter ball. Though this problem is not that difficult (though, you may want to think about it before reading any further), it is an interesting exercise in program specification. The index of the lighter ball is passed as a ghost argument to the program. Thus it cannot be used to compute the answer, but only to write the specification. *) module Puzzle8 use Roberval use array.Array (** All values in `balls[lo..hi-1]` are equal to `w`, apart from `balls[lb]` which is smaller. *) predicate spec (balls: array int) (lo hi: int) (lb w: int) = 0 <= lo <= lb < hi <= length balls && (forall i: int. lo <= i < hi -> i <> lb -> balls[i] = w) && balls[lb] < w (** Solve the problem for 3 balls, using exactly one weighing. The solution `lb` is passed as a ghost argument. *) let solve3 (balls: array int) (lo: int) (ghost lb: int) (ghost w: int) : int requires { !counter >= 1 } requires { spec balls lo (lo + 3) lb w } ensures { result = lb } ensures { !counter = old !counter - 1 } = match balance balls[lo] balls[lo+1] with | Right -> lo | Left -> lo+1 | Equal -> lo+2 end (** Solve the problem for 8 balls, using exactly two weighings. The solution `lb` is passed as a ghost argument. *) let solve8 (balls: array int) (ghost lb: int) (ghost w: int) : int requires { !counter = 2 } requires { spec balls 0 8 lb w } ensures { result = lb } = (* first, compare balls 0,1,2 with balls 3,4,5 *) match balance (balls[0] + balls[1] + balls[2]) (balls[3] + balls[4] + balls[5]) with | Right -> solve3 balls 0 lb w | Left -> solve3 balls 3 lb w (* 0,1,2 = 3,4,5 thus lb must be 6 or 7 *) | Equal -> match balance balls[6] balls[7] with Right -> 6 | _ -> 7 end end end (** You are given 12 balls, all of the same weight except one (for which you don't knwo whether it is lighter or heavier) Given a Roberval balance, you have to find the intruder, and determine whether it is lighter or heavier, using the balance at most three times. *) module Puzzle12 use Roberval use array.Array (** The index `j` of the intruder, its status `b` (whether it is lighter or heavier), and the weight `w` of the other balls are all passed as ghost arguments. *) let solve12 (balls: array int) (ghost w j: int) (ghost b: bool) : (int, bool) requires { !counter = 3 } requires { 0 <= j < 12 = length balls } requires { forall i: int. 0 <= i < 12 -> i <> j -> balls[i] = w } requires { if b then balls[j] < w else balls[j] > w } ensures { result = (j, b) } = match balance (balls[0] + balls[1] + balls[2] + balls[3]) (balls[4] + balls[5] + balls[6] + balls[7]) with | Equal -> (* 0,1,2,3 = 4,5,6,7 *) match balance (balls[0] + balls[8]) (balls[9] + balls[10]) with | Equal -> (* 0,8 = 9,10 *) match balance balls[0] balls[11] with | Right -> 11, False | _ -> 11, True end | Right -> (* 0,8 < 9,10 *) match balance balls[9] balls[10] with | Equal -> 8, True | Right -> 10, False | Left -> 9, False end | Left -> (* 0,8 > 9,10 *) match balance balls[9] balls[10] with | Equal -> 8, False | Right -> 9, True | Left -> 10, True end end | Right -> (* 0,1,2,3 < 4,5,6,7 *) match balance (balls[0] + balls[1] + balls[4]) (balls[2] + balls[5] + balls[8]) with | Equal -> (* 0,1,4 = 2,5,8 *) match balance balls[6] balls[7] with | Equal -> 3, True | Right -> 7, False | Left -> 6, False end | Right -> (* 0,1,4 < 2,5,8 *) match balance balls[0] balls[1] with | Equal -> 5, False | Right -> 0, True | Left -> 1, True end | Left -> (* 0,1,4 > 2,5,8 *) match balance balls[4] balls[8] with | Equal -> 2, True | _ -> 4, False end end | Left -> (* 0,1,2,3 > 4,5,6,7 *) match balance (balls[0] + balls[1] + balls[4]) (balls[2] + balls[5] + balls[8]) with | Equal -> (* 0,1,4 = 2,5,8 *) match balance balls[6] balls[7] with | Equal -> 3, False | Right -> 6, True | Left -> 7, True end | Right -> (* 0,1,4 < 2,5,8 *) match balance balls[2] balls[5] with | Equal -> 4, True | Right -> 5, False | Left -> 2, False end | Left -> (* 0,1,4 > 2,5,8 *) match balance balls[0] balls[1] with | Equal -> 5, True | Right -> 1, False | Left -> 0, False end end end end ���������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������why3-1.6.0/examples/balance/������������������������������������������������������������������������0000775�0000000�0000000�00000000000�14401600263�0015607�5����������������������������������������������������������������������������������������������������ustar�00root����������������������������root����������������������������0000000�0000000������������������������������������������������������������������������������������������������������������������������������������������������������������������������why3-1.6.0/examples/balance/why3session.xml���������������������������������������������������������0000664�0000000�0000000�00000001620�14401600263�0020626�0����������������������������������������������������������������������������������������������������ustar�00root����������������������������root����������������������������0000000�0000000������������������������������������������������������������������������������������������������������������������������������������������������������������������������<?xml version="1.0" encoding="UTF-8"?> <!DOCTYPE why3session PUBLIC "-//Why3//proof session v5//EN" "http://why3.lri.fr/why3session.dtd"> <why3session shape_version="6"> <prover id="1" name="Alt-Ergo" version="2.0.0" timelimit="5" steplimit="0" memlimit="1000"/> <file format="whyml" proved="true"> <path name=".."/><path name="balance.mlw"/> <theory name="Puzzle8" proved="true"> <goal name="solve3'vc" expl="VC for solve3" proved="true"> <proof prover="1"><result status="valid" time="0.02" steps="52"/></proof> </goal> <goal name="solve8'vc" expl="VC for solve8" proved="true"> <proof prover="1"><result status="valid" time="0.13" steps="267"/></proof> </goal> </theory> <theory name="Puzzle12" proved="true"> <goal name="solve12'vc" expl="VC for solve12" proved="true"> <proof prover="1"><result status="valid" time="0.53" steps="1204"/></proof> </goal> </theory> </file> </why3session> ����������������������������������������������������������������������������������������������������������������why3-1.6.0/examples/balance/why3shapes.gz�����������������������������������������������������������0000664�0000000�0000000�00000001531�14401600263�0020247�0����������������������������������������������������������������������������������������������������ustar�00root����������������������������root����������������������������0000000�0000000������������������������������������������������������������������������������������������������������������������������������������������������������������������������������UN1}߯طJ]5HQԈHyPSIgw,"HHxng'_/]zjK??>m}J:}"Ü}ԫx\X*CZw2vr8o&0]/U\'RӾ~g" u29zknwQ5"u v)cU:<b#u4fFҋeq_w/ȋ`WR,%JHY`@ Yҥi5b1YM};EEȖ^&Zu iCbŔW"Z"y-g|<XcPOUI;TT_}QlqQҟ!GJ`�2 DICQBTGBra>L%=%%3ְ(/c qVg3?5z u䜆`3jWҪPZX!]=|k2-fAJOkrnv$kP#V8-nGcyϓ-$2h|S0) <,LצC3d?xjCTtj�c;!N)!ZSFO[LSS ,K&Pa`@jޑ4;ێN y;�<s ]z`�C{ i3q xq?ci MF~Z,ưu}zI_UTJ0 pyj~ƞp?q!:4Di8߼ 5_);�@ʢ7�dU!�ɑa Mmn$./SD עr77I©666ZVFV'7)Ƅ`\?Q�������������������������������������������������������������������������������������������������������������������������������������������������������������������������why3-1.6.0/examples/bellman_ford.mlw����������������������������������������������������������������0000664�0000000�0000000�00000030610�14401600263�0017367�0����������������������������������������������������������������������������������������������������ustar�00root����������������������������root����������������������������0000000�0000000������������������������������������������������������������������������������������������������������������������������������������������������������������������������ (** {1 A proof of Bellman-Ford algorithm} By Yuto Takei (University of Tokyo, Japan) and Jean-Christophe Filliâtre (CNRS, France). *) theory Graph use export list.List use export list.Append use export list.Length use export int.Int use export set.Fset (* the graph is defined by a set of vertices and a set of edges *) type vertex constant vertices: fset vertex constant edges: fset (vertex, vertex) predicate edge (x y: vertex) = mem (x,y) edges (* edges are well-formed *) axiom edges_def: forall x y: vertex. mem (x, y) edges -> mem x vertices /\ mem y vertices (* a single source vertex s is given *) val constant s: vertex ensures { mem result vertices } (* hence vertices is non empty *) lemma vertices_cardinal_pos: cardinal vertices > 0 val constant nb_vertices: int ensures { result = cardinal vertices } (* paths *) clone export graph.IntPathWeight with type vertex = vertex, predicate edge = edge lemma path_in_vertices: forall v1 v2: vertex, l: list vertex. mem v1 vertices -> path v1 l v2 -> mem v2 vertices (* A key idea behind Bellman-Ford's correctness is that of simple path: if there is a path from s to v, there is a path with less than |V| edges. We formulate this in a slightly more precise way: if there a path from s to v with at least |V| edges, then there must be a duplicate vertex along this path. There is a subtlety here: since the last vertex of a path is not part of the vertex list, we distinguish the case where the duplicate vertex is the final vertex v. Proof: Assume [path s l v] with length l >= |V|. Consider the function f mapping i in {0..|V|} to the i-th element of the list l ++ [v]. Since all elements of the path (those in l and v) belong to V, then by the pigeon hole principle, f cannot be injective from 0..|V| to V. Thus there exist two distinct i and j in 0..|V| such that f(i)=f(j), which means that l ++ [v] = l1 ++ [u] ++ l2 ++ [u] ++ l3 Two cases depending on l3=[] (and thus u=v) conclude the proof. Qed. *) clone pigeon.ListAndSet with type t = vertex predicate cyc_decomp (v: vertex) (l: list vertex) (vi: vertex) (l1 l2 l3: list vertex) = l = l1 ++ l2 ++ l3 /\ length l2 > 0 /\ path s l1 vi /\ path vi l2 vi /\ path vi l3 v lemma long_path_decomposition: forall l v. path s l v /\ length l >= cardinal vertices -> (exists vi l1 l2 l3. cyc_decomp v l vi l1 l2 l3) by exists n l1 l2 l3. Cons v l = l1 ++ Cons n (l2 ++ Cons n l3) so match l1 with | Nil -> cyc_decomp v l v l2 (Cons n l3) Nil | Cons v l1 -> cyc_decomp v l n l1 (Cons n l2) (Cons n l3) end lemma long_path_reduction: forall l v. path s l v /\ length l >= cardinal vertices -> exists l'. path s l' v /\ length l' < length l by exists vi l1 l2 l3. cyc_decomp v l vi l1 l2 l3 /\ l' = l1 ++ l3 let lemma simple_path (v: vertex) (l: list vertex) : unit requires { path s l v } ensures { exists l'. path s l' v /\ length l' < cardinal vertices } = let rec aux (n: int) : unit ensures { forall l. length l <= n /\ path s l v -> exists l'. path s l' v /\ length l' < cardinal vertices } variant { n } = if n > 0 then aux (n-1) in aux (length l) (* negative cycle [v] -> [v] reachable from [s] *) predicate negative_cycle (v: vertex) = mem v vertices /\ (exists l1: list vertex. path s l1 v) /\ (exists l2: list vertex. path v l2 v /\ path_weight l2 v < 0) (* key lemma for existence of a negative cycle Proof: by induction on the (list) length of the shorter path l If length l < cardinal vertices, then it contradicts hypothesis 1 thus length l >= cardinal vertices and thus the path contains a cycle s ----> n ----> n ----> v If the weight of the cycle n--->n is negative, we are done. Otherwise, we can remove this cycle from the path and we get an even shorter path, with a stricltly shorter (list) length, thus we can apply the induction hypothesis. Qed. *) predicate all_path_gt (v: vertex) (n: int) = forall l. path s l v /\ length l < cardinal vertices -> path_weight l v >= n let lemma key_lemma_1 (v: vertex) (l: list vertex) (n: int) : unit (* if any simple path has weight at least n *) requires { all_path_gt v n } (* and if there exists a shorter path *) requires { path s l v /\ path_weight l v < n } (* then there exists a negative cycle. *) ensures { exists u. negative_cycle u } = let rec aux (m: int) : (_a: 'a) requires { forall u. not negative_cycle u } requires { exists l. path s l v /\ path_weight l v < n /\ length l <= m } ensures { false } variant { m } = assert { (exists l'. path s l' v /\ path_weight l' v < n /\ length l' < m) by exists l. path s l v /\ path_weight l v < n /\ length l <= m so exists vi l1 l2 l3. cyc_decomp v l vi l1 l2 l3 so let res = l1 ++ l3 in path s res v /\ length res < length l /\ path_weight res v < n by path_weight l v = path_weight l1 vi + path_weight l2 vi + path_weight l3 v so path_weight l2 vi >= 0 by not negative_cycle vi }; aux (m-1) in if pure { forall u. not negative_cycle u } then aux (length l) end module ImpmapNoDom use map.Map use map.Const type key type t 'a = abstract { mutable contents: map key 'a } val function create (x: 'a): t 'a ensures { result.contents = const x } val function ([]) (m: t 'a) (k: key): 'a ensures { result = m.contents[k] } val ghost function ([<-]) (m: t 'a) (k: key) (v: 'a): t 'a ensures { result.contents = m.contents[k <- v] } val ([]<-) (m: t 'a) (k: key) (v: 'a): unit writes { m } ensures { m = (old m)[k <- v] } end module BellmanFord use Graph use int.IntInf as D use ref.Ref clone set.SetImp as S with type elt = (vertex, vertex) clone ImpmapNoDom with type key = vertex type distmap = ImpmapNoDom.t D.t let initialize_single_source (s: vertex): distmap ensures { result = (create D.Infinite)[s <- D.Finite 0] } = let m = create D.Infinite in m[s] <- D.Finite 0; m (* [inv1 m pass via] means that we already performed [pass-1] steps of the main loop, and, in step [pass], we already processed edges in [via] *) predicate inv1 (m: distmap) (pass: int) (via: fset (vertex, vertex)) = forall v: vertex. mem v vertices -> match m[v] with | D.Finite n -> (* there exists a path of weight [n] *) (exists l: list vertex. path s l v /\ path_weight l v = n) /\ (* there is no shorter path in less than [pass] steps *) (forall l: list vertex. path s l v -> length l < pass -> path_weight l v >= n) /\ (* and no shorter path in i steps with last edge in [via] *) (forall u: vertex, l: list vertex. path s l u -> length l < pass -> mem (u,v) via -> path_weight l u + weight u v >= n) | D.Infinite -> (* any path has at least [pass] steps *) (forall l: list vertex. path s l v -> length l >= pass) /\ (* [v] cannot be reached by [(u,v)] in [via] *) (forall u: vertex. mem (u,v) via -> (*m[u] = D.Infinite*) forall lu: list vertex. path s lu u -> length lu >= pass) end predicate inv2 (m: distmap) (via: fset (vertex, vertex)) = forall u v: vertex. mem (u, v) via -> D.le m[v] (D.add m[u] (D.Finite (weight u v))) let rec lemma inv2_path (m: distmap) (y z: vertex) (l:list vertex) : unit requires { inv2 m edges } requires { path y l z } ensures { D.le m[z] (D.add m[y] (D.Finite (path_weight l z))) } variant { length l } = match l with | Nil -> () | Cons _ q -> let hd = match q with | Nil -> z | Cons h _ -> assert { path_weight l z = weight y h + path_weight q z }; assert { D.le m[h] (D.add m[y] (D.Finite (weight y h))) }; h end in inv2_path m hd z q end (* key lemma for non-existence of a negative cycle Proof: let us assume a negative cycle reachable from s, that is s --...--> x0 --w1--> x1 --w2--> x2 ... xn-1 --wn--> x0 with w1+w2+...+wn < 0. Let di be the distance from s to xi as given by map m. By [inv2 m edges] we have di-1 + wi >= di for all i. Summing all such inequalities over the cycle, we get w1+w2+...+wn >= 0 hence a contradiction. Qed. *) lemma key_lemma_2: forall m: distmap. inv1 m (cardinal vertices) empty -> inv2 m edges -> forall v: vertex. not (negative_cycle v so exists l1. path s l1 v so exists l2. path v l2 v /\ path_weight l2 v < 0 so D.le m[v] (D.add m[v] (D.Finite (path_weight l2 v))) ) let relax (m: distmap) (u v: vertex) (pass: int) (ghost via: fset (vertex, vertex)) requires { 1 <= pass /\ mem (u, v) edges /\ not (mem (u, v) via) } requires { inv1 m pass via } ensures { inv1 m pass (add (u, v) via) } = label I in let n = D.add m[u] (D.Finite (weight u v)) in if D.lt n m[v] then begin m[v] <- n; assert { match (m at I)[u] with | D.Infinite -> false | D.Finite w0 -> let w1 = w0 + weight u v in n = D.Finite w1 && (exists l. path s l v /\ path_weight l v = w1 by exists l2. path s l2 u /\ path_weight l2 u = w0 /\ l = l2 ++ Cons u Nil ) && (forall l. path s l v /\ length l < pass -> path_weight l v >= w1 by match (m at I)[v] with | D.Infinite -> false | D.Finite w2 -> path_weight l v >= w2 end ) && (forall z l. path s l z /\ length l < pass -> mem (z,v) (add (u,v) via) -> path_weight l z + weight z v >= w1 by if z = u then path_weight l z >= w0 else match (m at I)[v] with | D.Infinite -> false | D.Finite w2 -> path_weight l z + weight z v >= w2 end ) end } end else begin assert { forall l w1. path s l u /\ length l < pass /\ m[v] = D.Finite w1 -> path_weight l u + weight u v >= w1 by match m[u] with | D.Infinite -> false | D.Finite w0 -> path_weight l u >= w0 end } end val get_edges (): S.set ensures { result = edges } exception NegativeCycle let bellman_ford () ensures { forall v: vertex. mem v vertices -> match result[v] with | D.Finite n -> (exists l: list vertex. path s l v /\ path_weight l v = n) /\ (forall l: list vertex. path s l v -> path_weight l v >= n by all_path_gt v n) | D.Infinite -> (forall l: list vertex. not (path s l v)) end } raises { NegativeCycle -> exists v: vertex. negative_cycle v } = let m = initialize_single_source s in for i = 1 to nb_vertices - 1 do invariant { inv1 m i empty } let es = get_edges () in while not (S.is_empty es) do invariant { subset es.S.to_fset edges /\ inv1 m i (diff edges es.S.to_fset) } variant { S.cardinal es } let ghost via = diff edges es.S.to_fset in let (u, v) = S.choose_and_remove es in relax m u v i via done; assert { inv1 m i edges } done; assert { inv1 m (cardinal vertices) empty }; let es = get_edges () in while not (S.is_empty es) do invariant { subset es.S.to_fset edges /\ inv2 m (diff edges es.S.to_fset) } variant { S.cardinal es } let (u, v) = S.choose_and_remove es in if D.lt (D.add m[u] (D.Finite (weight u v))) m[v] then begin assert { match m[u], m[v] with | D.Infinite, _ -> false | D.Finite _, D.Infinite -> false by exists l2. path s l2 u so let l = l2 ++ Cons u Nil in path s l v so exists l. path s l v /\ length l < cardinal vertices | D.Finite wu, D.Finite wv -> (exists w. negative_cycle w) by all_path_gt v wv so exists l2. path s l2 u /\ path_weight l2 u = wu so let l = l2 ++ Cons u Nil in path s l v /\ path_weight l v < wv end }; raise NegativeCycle end done; assert { inv2 m edges }; assert { forall u. not (negative_cycle u) }; m end ������������������������������������������������������������������������������������������������������������������������why3-1.6.0/examples/bellman_ford/�������������������������������������������������������������������0000775�0000000�0000000�00000000000�14401600263�0016646�5����������������������������������������������������������������������������������������������������ustar�00root����������������������������root����������������������������0000000�0000000������������������������������������������������������������������������������������������������������������������������������������������������������������������������why3-1.6.0/examples/bellman_ford/why3session.xml����������������������������������������������������0000664�0000000�0000000�00000051610�14401600263�0021671�0����������������������������������������������������������������������������������������������������ustar�00root����������������������������root����������������������������0000000�0000000������������������������������������������������������������������������������������������������������������������������������������������������������������������������<?xml version="1.0" encoding="UTF-8"?> <!DOCTYPE why3session PUBLIC "-//Why3//proof session v5//EN" "http://why3.lri.fr/why3session.dtd"> <why3session shape_version="6"> <prover id="0" name="Eprover" version="2.0" timelimit="5" steplimit="0" memlimit="1000"/> <prover id="1" name="Alt-Ergo" version="2.0.0" timelimit="1" steplimit="0" memlimit="1000"/> <prover id="2" name="Alt-Ergo" version="2.2.0" timelimit="1" steplimit="0" memlimit="1000"/> <prover id="3" name="CVC4" version="1.6" timelimit="1" steplimit="0" memlimit="1000"/> <prover id="4" name="Alt-Ergo" version="2.3.0" timelimit="1" steplimit="0" memlimit="1000"/> <file format="whyml" proved="true"> <path name=".."/><path name="bellman_ford.mlw"/> <theory name="Graph" proved="true"> <goal name="s'vc" expl="VC for s" proved="true"> <proof prover="4"><result status="valid" time="0.00" steps="0"/></proof> </goal> <goal name="vertices_cardinal_pos" proved="true"> <proof prover="1"><result status="valid" time="0.00" steps="5"/></proof> </goal> <goal name="path_in_vertices" proved="true"> <proof prover="1"><result status="valid" time="0.01" steps="31"/></proof> </goal> <goal name="long_path_decomposition" proved="true"> <transf name="split_goal_right" proved="true" > <goal name="long_path_decomposition.0" proved="true"> <proof prover="1"><result status="valid" time="0.17" steps="797"/></proof> </goal> <goal name="long_path_decomposition.1" proved="true"> <proof prover="1"><result status="valid" time="0.13" steps="541"/></proof> </goal> <goal name="long_path_decomposition.2" proved="true"> <proof prover="1"><result status="valid" time="0.17" steps="488"/></proof> </goal> <goal name="long_path_decomposition.3" proved="true"> <proof prover="1"><result status="valid" time="0.16" steps="454"/></proof> </goal> </transf> </goal> <goal name="long_path_reduction" proved="true"> <transf name="split_goal_right" proved="true" > <goal name="long_path_reduction.0" proved="true"> <proof prover="0"><result status="valid" time="0.04"/></proof> </goal> <goal name="long_path_reduction.1" proved="true"> <proof prover="1"><result status="valid" time="0.01" steps="19"/></proof> </goal> <goal name="long_path_reduction.2" proved="true"> <proof prover="1"><result status="valid" time="0.01" steps="30"/></proof> </goal> </transf> </goal> <goal name="simple_path'vc" expl="VC for simple_path" proved="true"> <proof prover="1"><result status="valid" time="0.87" steps="2569"/></proof> </goal> <goal name="key_lemma_1'vc" expl="VC for key_lemma_1" proved="true"> <transf name="split_goal_right" proved="true" > <goal name="key_lemma_1'vc.0" expl="assertion" proved="true"> <transf name="split_goal_right" proved="true" > <goal name="key_lemma_1'vc.0.0" expl="VC for key_lemma_1" proved="true"> <proof prover="1"><result status="valid" time="0.01" steps="13"/></proof> </goal> <goal name="key_lemma_1'vc.0.1" expl="VC for key_lemma_1" proved="true"> <proof prover="1"><result status="valid" time="0.13" steps="247"/></proof> </goal> <goal name="key_lemma_1'vc.0.2" expl="VC for key_lemma_1" proved="true"> <proof prover="1"><result status="valid" time="0.33" steps="733"/></proof> </goal> <goal name="key_lemma_1'vc.0.3" expl="VC for key_lemma_1" proved="true"> <proof prover="1"><result status="valid" time="0.02" steps="25"/></proof> </goal> <goal name="key_lemma_1'vc.0.4" expl="VC for key_lemma_1" proved="true"> <proof prover="1"><result status="valid" time="0.04" steps="100"/></proof> </goal> <goal name="key_lemma_1'vc.0.5" expl="VC for key_lemma_1" proved="true"> <proof prover="1"><result status="valid" time="0.09" steps="28"/></proof> </goal> <goal name="key_lemma_1'vc.0.6" expl="VC for key_lemma_1" proved="true"> <proof prover="1"><result status="valid" time="0.09" steps="39"/></proof> </goal> <goal name="key_lemma_1'vc.0.7" expl="VC for key_lemma_1" proved="true"> <proof prover="1"><result status="valid" time="0.27" steps="726"/></proof> </goal> <goal name="key_lemma_1'vc.0.8" expl="VC for key_lemma_1" proved="true"> <proof prover="1"><result status="valid" time="0.02" steps="47"/></proof> </goal> </transf> </goal> <goal name="key_lemma_1'vc.1" expl="variant decrease" proved="true"> <proof prover="1"><result status="valid" time="0.02" steps="17"/></proof> </goal> <goal name="key_lemma_1'vc.2" expl="precondition" proved="true"> <proof prover="1"><result status="valid" time="0.01" steps="18"/></proof> </goal> <goal name="key_lemma_1'vc.3" expl="precondition" proved="true"> <proof prover="1"><result status="valid" time="0.01" steps="16"/></proof> </goal> <goal name="key_lemma_1'vc.4" expl="postcondition" proved="true"> <proof prover="1"><result status="valid" time="0.01" steps="4"/></proof> </goal> <goal name="key_lemma_1'vc.5" expl="precondition" proved="true"> <proof prover="1"><result status="valid" time="0.02" steps="4"/></proof> </goal> <goal name="key_lemma_1'vc.6" expl="precondition" proved="true"> <proof prover="1"><result status="valid" time="0.02" steps="29"/></proof> </goal> <goal name="key_lemma_1'vc.7" expl="postcondition" proved="true"> <proof prover="1"><result status="valid" time="0.01" steps="12"/></proof> </goal> </transf> </goal> </theory> <theory name="BellmanFord" proved="true"> <goal name="initialize_single_source'vc" expl="VC for initialize_single_source" proved="true"> <proof prover="1"><result status="valid" time="0.01" steps="5"/></proof> </goal> <goal name="inv2_path'vc" expl="VC for inv2_path" proved="true"> <transf name="split_goal_right" proved="true" > <goal name="inv2_path'vc.0" expl="assertion" proved="true"> <proof prover="1"><result status="valid" time="0.02" steps="87"/></proof> </goal> <goal name="inv2_path'vc.1" expl="assertion" proved="true"> <proof prover="1"><result status="valid" time="0.08" steps="345"/></proof> </goal> <goal name="inv2_path'vc.2" expl="variant decrease" proved="true"> <proof prover="1"><result status="valid" time="0.03" steps="32"/></proof> </goal> <goal name="inv2_path'vc.3" expl="precondition" proved="true"> <proof prover="1"><result status="valid" time="0.01" steps="8"/></proof> </goal> <goal name="inv2_path'vc.4" expl="precondition" proved="true"> <proof prover="1"><result status="valid" time="0.22" steps="595"/></proof> </goal> <goal name="inv2_path'vc.5" expl="postcondition" proved="true"> <transf name="split_goal_right" proved="true" > <goal name="inv2_path'vc.5.0" expl="postcondition" proved="true"> <proof prover="1"><result status="valid" time="0.05" steps="130"/></proof> </goal> <goal name="inv2_path'vc.5.1" expl="postcondition" proved="true"> <transf name="split_goal_right" proved="true" > <goal name="inv2_path'vc.5.1.0" expl="postcondition" proved="true"> <proof prover="1"><result status="valid" time="0.09" steps="323"/></proof> </goal> <goal name="inv2_path'vc.5.1.1" expl="postcondition" proved="true"> <proof prover="1" timelimit="5"><result status="valid" time="1.65" steps="5571"/></proof> </goal> </transf> </goal> </transf> </goal> </transf> </goal> <goal name="key_lemma_2" proved="true"> <transf name="split_goal_right" proved="true" > <goal name="key_lemma_2.0" proved="true"> <proof prover="1" timelimit="5"><result status="valid" time="0.62" steps="1604"/></proof> </goal> <goal name="key_lemma_2.1" proved="true"> <proof prover="1"><result status="valid" time="0.02" steps="12"/></proof> </goal> <goal name="key_lemma_2.2" proved="true"> <proof prover="1"><result status="valid" time="0.02" steps="20"/></proof> </goal> <goal name="key_lemma_2.3" proved="true"> <proof prover="1"><result status="valid" time="0.01" steps="18"/></proof> </goal> </transf> </goal> <goal name="relax'vc" expl="VC for relax" proved="true"> <transf name="split_goal_right" proved="true" > <goal name="relax'vc.0" expl="assertion" proved="true"> <transf name="split_goal_right" proved="true" > <goal name="relax'vc.0.0" expl="VC for relax" proved="true"> <proof prover="1"><result status="valid" time="0.03" steps="61"/></proof> </goal> <goal name="relax'vc.0.1" expl="VC for relax" proved="true"> <proof prover="1"><result status="valid" time="0.04" steps="72"/></proof> </goal> <goal name="relax'vc.0.2" expl="VC for relax" proved="true"> <proof prover="0"><result status="valid" time="1.54"/></proof> </goal> <goal name="relax'vc.0.3" expl="VC for relax" proved="true"> <proof prover="1"><result status="valid" time="0.03" steps="120"/></proof> </goal> <goal name="relax'vc.0.4" expl="VC for relax" proved="true"> <proof prover="1"><result status="valid" time="0.06" steps="224"/></proof> </goal> <goal name="relax'vc.0.5" expl="VC for relax" proved="true"> <proof prover="1"><result status="valid" time="0.07" steps="268"/></proof> </goal> <goal name="relax'vc.0.6" expl="VC for relax" proved="true"> <proof prover="1"><result status="valid" time="0.12" steps="489"/></proof> </goal> <goal name="relax'vc.0.7" expl="VC for relax" proved="true"> <proof prover="1"><result status="valid" time="0.13" steps="396"/></proof> </goal> <goal name="relax'vc.0.8" expl="VC for relax" proved="true"> <proof prover="1"><result status="valid" time="0.02" steps="23"/></proof> </goal> <goal name="relax'vc.0.9" expl="VC for relax" proved="true"> <proof prover="1"><result status="valid" time="0.03" steps="27"/></proof> </goal> <goal name="relax'vc.0.10" expl="VC for relax" proved="true"> <proof prover="1"><result status="valid" time="0.04" steps="161"/></proof> </goal> <goal name="relax'vc.0.11" expl="VC for relax" proved="true"> <proof prover="1"><result status="valid" time="0.04" steps="236"/></proof> </goal> </transf> </goal> <goal name="relax'vc.1" expl="postcondition" proved="true"> <transf name="introduce_premises" proved="true" > <goal name="relax'vc.1.0" expl="postcondition" proved="true"> <transf name="inline_goal" proved="true" > <goal name="relax'vc.1.0.0" expl="postcondition" proved="true"> <transf name="introduce_premises" proved="true" > <goal name="relax'vc.1.0.0.0" expl="postcondition" proved="true"> <transf name="case" proved="true" arg1="(v=v1)"> <goal name="relax'vc.1.0.0.0.0" expl="true case (postcondition)" proved="true"> <transf name="split_goal_right" proved="true" > <goal name="relax'vc.1.0.0.0.0.0" expl="VC for relax" proved="true"> <proof prover="1"><result status="valid" time="0.04" steps="109"/></proof> </goal> <goal name="relax'vc.1.0.0.0.0.1" expl="VC for relax" proved="true"> <proof prover="1"><result status="valid" time="0.15" steps="449"/></proof> </goal> <goal name="relax'vc.1.0.0.0.0.2" expl="VC for relax" proved="true"> <proof prover="1" timelimit="5"><result status="valid" time="1.25" steps="3181"/></proof> </goal> <goal name="relax'vc.1.0.0.0.0.3" expl="VC for relax" proved="true"> <proof prover="1"><result status="valid" time="0.02" steps="100"/></proof> </goal> <goal name="relax'vc.1.0.0.0.0.4" expl="VC for relax" proved="true"> <proof prover="1"><result status="valid" time="0.03" steps="108"/></proof> </goal> </transf> </goal> <goal name="relax'vc.1.0.0.0.1" expl="false case (postcondition)" proved="true"> <proof prover="1"><result status="valid" time="0.36" steps="1194"/></proof> </goal> </transf> </goal> </transf> </goal> </transf> </goal> </transf> </goal> <goal name="relax'vc.2" expl="assertion" proved="true"> <transf name="split_goal_right" proved="true" > <goal name="relax'vc.2.0" expl="assertion" proved="true"> <proof prover="1"><result status="valid" time="0.05" steps="104"/></proof> </goal> <goal name="relax'vc.2.1" expl="assertion" proved="true"> <proof prover="1"><result status="valid" time="0.09" steps="273"/></proof> </goal> <goal name="relax'vc.2.2" expl="VC for relax" proved="true"> <proof prover="1"><result status="valid" time="0.06" steps="187"/></proof> </goal> </transf> </goal> <goal name="relax'vc.3" expl="postcondition" proved="true"> <transf name="introduce_premises" proved="true" > <goal name="relax'vc.3.0" expl="postcondition" proved="true"> <transf name="inline_goal" proved="true" > <goal name="relax'vc.3.0.0" expl="postcondition" proved="true"> <transf name="split_goal_right" proved="true" > <goal name="relax'vc.3.0.0.0" expl="postcondition" proved="true"> <proof prover="1"><result status="valid" time="0.05" steps="90"/></proof> </goal> <goal name="relax'vc.3.0.0.1" expl="postcondition" proved="true"> <proof prover="1"><result status="valid" time="0.09" steps="182"/></proof> </goal> <goal name="relax'vc.3.0.0.2" expl="postcondition" proved="true"> <proof prover="1"><result status="valid" time="0.09" steps="391"/></proof> </goal> <goal name="relax'vc.3.0.0.3" expl="postcondition" proved="true"> <proof prover="1"><result status="valid" time="0.04" steps="125"/></proof> </goal> <goal name="relax'vc.3.0.0.4" expl="postcondition" proved="true"> <proof prover="1"><result status="valid" time="0.69" steps="2242"/></proof> </goal> </transf> </goal> </transf> </goal> </transf> </goal> </transf> </goal> <goal name="bellman_ford'vc" expl="VC for bellman_ford" proved="true"> <transf name="split_goal_right" proved="true" > <goal name="bellman_ford'vc.0" expl="loop invariant init" proved="true"> <transf name="introduce_premises" proved="true" > <goal name="bellman_ford'vc.0.0" expl="loop invariant init" proved="true"> <transf name="inline_goal" proved="true" > <goal name="bellman_ford'vc.0.0.0" expl="loop invariant init" proved="true"> <transf name="split_goal_right" proved="true" > <goal name="bellman_ford'vc.0.0.0.0" expl="loop invariant init" proved="true"> <proof prover="0"><result status="valid" time="0.58"/></proof> </goal> <goal name="bellman_ford'vc.0.0.0.1" expl="loop invariant init" proved="true"> <proof prover="1"><result status="valid" time="0.02" steps="76"/></proof> </goal> <goal name="bellman_ford'vc.0.0.0.2" expl="loop invariant init" proved="true"> <proof prover="1"><result status="valid" time="0.07" steps="100"/></proof> </goal> <goal name="bellman_ford'vc.0.0.0.3" expl="loop invariant init" proved="true"> <proof prover="1"><result status="valid" time="0.02" steps="78"/></proof> </goal> <goal name="bellman_ford'vc.0.0.0.4" expl="loop invariant init" proved="true"> <proof prover="1"><result status="valid" time="0.06" steps="82"/></proof> </goal> </transf> </goal> </transf> </goal> </transf> </goal> <goal name="bellman_ford'vc.1" expl="loop invariant init" proved="true"> <proof prover="1"><result status="valid" time="0.06" steps="161"/></proof> </goal> <goal name="bellman_ford'vc.2" expl="precondition" proved="true"> <proof prover="1"><result status="valid" time="0.01" steps="5"/></proof> </goal> <goal name="bellman_ford'vc.3" expl="precondition" proved="true"> <proof prover="1"><result status="valid" time="0.06" steps="25"/></proof> </goal> <goal name="bellman_ford'vc.4" expl="precondition" proved="true"> <proof prover="1"><result status="valid" time="0.02" steps="18"/></proof> </goal> <goal name="bellman_ford'vc.5" expl="loop variant decrease" proved="true"> <proof prover="1"><result status="valid" time="0.03" steps="41"/></proof> </goal> <goal name="bellman_ford'vc.6" expl="loop invariant preservation" proved="true"> <transf name="split_goal_right" proved="true" > <goal name="bellman_ford'vc.6.0" expl="VC for bellman_ford" proved="true"> <proof prover="3"><result status="valid" time="0.10" steps="27087"/></proof> </goal> <goal name="bellman_ford'vc.6.1" expl="VC for bellman_ford" proved="true"> <proof prover="2"><result status="valid" time="0.99" steps="6653"/></proof> </goal> </transf> </goal> <goal name="bellman_ford'vc.7" expl="assertion" proved="true"> <proof prover="1" timelimit="5"><result status="valid" time="0.04" steps="147"/></proof> </goal> <goal name="bellman_ford'vc.8" expl="loop invariant preservation" proved="true"> <proof prover="1"><result status="valid" time="0.34" steps="1061"/></proof> </goal> <goal name="bellman_ford'vc.9" expl="assertion" proved="true"> <proof prover="1"><result status="valid" time="0.02" steps="7"/></proof> </goal> <goal name="bellman_ford'vc.10" expl="loop invariant init" proved="true"> <proof prover="1"><result status="valid" time="0.03" steps="29"/></proof> </goal> <goal name="bellman_ford'vc.11" expl="precondition" proved="true"> <proof prover="1"><result status="valid" time="0.02" steps="5"/></proof> </goal> <goal name="bellman_ford'vc.12" expl="assertion" proved="true"> <transf name="split_goal_right" proved="true" > <goal name="bellman_ford'vc.12.0" expl="VC for bellman_ford" proved="true"> <proof prover="1"><result status="valid" time="0.06" steps="115"/></proof> </goal> <goal name="bellman_ford'vc.12.1" expl="VC for bellman_ford" proved="true"> <proof prover="1"><result status="valid" time="0.07" steps="199"/></proof> </goal> <goal name="bellman_ford'vc.12.2" expl="VC for bellman_ford" proved="true"> <proof prover="1"><result status="valid" time="0.04" steps="123"/></proof> </goal> <goal name="bellman_ford'vc.12.3" expl="VC for bellman_ford" proved="true"> <proof prover="1"><result status="valid" time="0.32" steps="1024"/></proof> </goal> <goal name="bellman_ford'vc.12.4" expl="VC for bellman_ford" proved="true"> <proof prover="1"><result status="valid" time="0.05" steps="27"/></proof> </goal> <goal name="bellman_ford'vc.12.5" expl="VC for bellman_ford" proved="true"> <proof prover="1"><result status="valid" time="0.04" steps="181"/></proof> </goal> <goal name="bellman_ford'vc.12.6" expl="VC for bellman_ford" proved="true"> <proof prover="1"><result status="valid" time="0.20" steps="703"/></proof> </goal> <goal name="bellman_ford'vc.12.7" expl="VC for bellman_ford" proved="true"> <proof prover="1"><result status="valid" time="0.14" steps="211"/></proof> </goal> <goal name="bellman_ford'vc.12.8" expl="VC for bellman_ford" proved="true"> <proof prover="1"><result status="valid" time="0.08" steps="29"/></proof> </goal> <goal name="bellman_ford'vc.12.9" expl="VC for bellman_ford" proved="true"> <proof prover="1"><result status="valid" time="0.21" steps="734"/></proof> </goal> <goal name="bellman_ford'vc.12.10" expl="VC for bellman_ford" proved="true"> <proof prover="1"><result status="valid" time="0.04" steps="205"/></proof> </goal> </transf> </goal> <goal name="bellman_ford'vc.13" expl="exceptional postcondition" proved="true"> <proof prover="1"><result status="valid" time="0.01" steps="27"/></proof> </goal> <goal name="bellman_ford'vc.14" expl="loop variant decrease" proved="true"> <proof prover="1"><result status="valid" time="0.03" steps="46"/></proof> </goal> <goal name="bellman_ford'vc.15" expl="loop invariant preservation" proved="true"> <proof prover="1"><result status="valid" time="0.27" steps="1023"/></proof> </goal> <goal name="bellman_ford'vc.16" expl="assertion" proved="true"> <proof prover="1"><result status="valid" time="0.06" steps="20"/></proof> </goal> <goal name="bellman_ford'vc.17" expl="assertion" proved="true"> <proof prover="1"><result status="valid" time="0.04" steps="160"/></proof> </goal> <goal name="bellman_ford'vc.18" expl="postcondition" proved="true"> <transf name="split_goal_right" proved="true" > <goal name="bellman_ford'vc.18.0" expl="postcondition" proved="true"> <proof prover="1"><result status="valid" time="0.05" steps="117"/></proof> </goal> <goal name="bellman_ford'vc.18.1" expl="postcondition" proved="true"> <proof prover="1"><result status="valid" time="0.32" steps="1179"/></proof> </goal> <goal name="bellman_ford'vc.18.2" expl="postcondition" proved="true"> <proof prover="1"><result status="valid" time="0.05" steps="118"/></proof> </goal> <goal name="bellman_ford'vc.18.3" expl="VC for bellman_ford" proved="true"> <proof prover="1"><result status="valid" time="0.01" steps="28"/></proof> </goal> </transf> </goal> <goal name="bellman_ford'vc.19" expl="out of loop bounds" proved="true"> <proof prover="1"><result status="valid" time="0.01" steps="5"/></proof> </goal> </transf> </goal> </theory> </file> </why3session> ������������������������������������������������������������������������������������������������������������������������why3-1.6.0/examples/bellman_ford/why3shapes.gz������������������������������������������������������0000664�0000000�0000000�00000017223�14401600263�0021313�0����������������������������������������������������������������������������������������������������ustar�00root����������������������������root����������������������������0000000�0000000������������������������������������������������������������������������������������������������������������������������������������������������������������������������������][oG~ׯ r " $/ ==݉pdɰ竞!֔Dڎ8gcNn]Usf\>ާˏ\"K<`&Uf ]6-[QۊepP7Ç.#H?m"?lux}ۭڔ5>usz+lκ鞦~kWd/ev cvm_NmrbzQ`M|'[!pwdEs{ͯ=9UDg)]HLrq=XΙ@:3^w"(>mxb"5߽}H[)כump /&<-тN ~+]">59Yޠ+*P }vXUMw:nwC(R\̵PfTj\OW%{uPV? UG^>uqtl.{?k[jkkًEjt `߶)޿{-P;fI ѪݧKi /#,'{�&MÿA@E,i&}mq V v1%M>G${?(eZr5mZV̈́Opq}iKmZk}Z?g,^래mQ)@{bc1 ZрY_?!1WO1WNΘcq)՜s~v4u:#??@)?nG>`Mo:>~l=Fc ޼x|Kߍcr7d1v~0 :Qs:x9ܥ_yz3#UE巿>v߷ݻO)fZZ3S_zBgjtfNghl?I)BNRWLGb`)_lynb7[s:{n'6g[?Z$Ɵ49`ٺ'Zw(fPloZ<˅q(;;qa>w,}:+Njtsq0.5h>ąb ^l Q@p\2]n0]Pֻj5j?ǥr.\jtjN?I͏M{#?*X)|uN')B];_꽥PꠑPi)3JcBڲTU,?jgDU${ỵk\͒B!Iz96xe+y(ZNݮ¸i| &MWablsfV[o98%әl80WsV`|W1<ՔILTitJٍT٧_oiLjIa!=LJ@d.nVmVohF~wW6wmX M7r11b[ߋwӎ薮n7w?4?;VSEYKȺ.# tԉV#<aH9I??'+7^v~6l_1n@k*6\vJ'R}PJ-xXd?NFIWT/K-|~#L DxkkI[7W/ǢʷoGe5U\ (zQ|VsXSio|ܥ^Mcf1UUF=^fyB.f?:Odvҳ-I;?a{Q7<ьnfl.lukFTto.9^Ymމ᧸|:ϴQ77uI_DҟO)?SV˾!,%e7jv_4M%OُD(W+{NtlG 5ꍶKNNEMTs~wtzE}.~A9C R:ɭhRM fMZp3i{c'1-jH .tS/~f 7ؗ8na GE츱X<FBqg|,[@<T@RcىzqKwc:7sU!1|v_{<L$dqq't ⨸ͧ!Gu5H>To^}U<]w2Q7Zfss]!7Ymu0y*Y=*9/\ϣG[u^2LxO7e`O0Cnr=|^<x<+tp?o~/C|2f w/K7/h.l8{GNQrW$]>!f,"XBD~дw"WHVG>z˫r9GB`0E$YH?!~ avH"Xp >!g2'dؑ B_b;kE QҔey$}XlfgfVcFnȑ`l{zC3+2C>[L0+*;QҔCLG88YؑT!{@C'&مnë2 TSJUDrBXe~~yFǝ6O~35ѝ>RL|B mEXP_v6G4uNo=[Dk?U,omF-ڍނ7%)L73#pסҚ amuܖf}cqخ~#jPq=Fi:( I.):34AE\,{$beX~0A/=#r t0~.�}a=Eڼyθo͔9(͔bM´mqϞNW8.4SثB1;gZFL YJd/61u<VZ45Nr:<%7+}}O4>/S} ,b;y,B{,+zo 1h؝|b% /\sZmQ2ee`ȰcbLT68bnٙ`#"mT9_׏Y,@c9` c:IBL,[;x4O;p\{s[Q {\SWf̳Ji@'K_y;=RaIÔS :gkGn1-ml\51ep33MDwH>w LQ^A?޽(AQ{-S?;OF^i7Ғc_y.^6?~x7&޾ wo;g~.}} [YCzH>#:Wj'>6g-C؋/?<Kӏ-Uؾgվ.�% +q]z8-SߢugOG;d<Ua趜K8�FOwKw?k:iR9=K&<w-}]8+u`wECdb;1ٕ9j6 C* a7!\z)>9`^QQs4D&o P+r}sTJQ5ub1tc=OQax/Ց:#s<JY+tFwWjZ?_~sD79ρeJ-2]< g9SO16Y9TϡzB=?,G&5{f. =˞=z{_R̞wA*l&{@7qsxK=ݓn/̴vc0 o ݃#IeR2}<qh߃z9EG27<>Io{({Yy1G, ƙ_,K^Xٝ|0q(?:{:_q{?4oL2<RwJ~v!w,i˻BŸep*OpݴIKğSOWKuM d7Z\~敳GZ<qD#Zd#Zs/8my+~( f*420?%sq'Q:&?]V!=sGGؓPcKMݻhz[ىԷ۾}!?|ȏ)/>jiWU{m1|Ykk..WJ6>߰|)dR\+v w)ʘ3*,EnWJb"'*)%d L+_+{ez, BVfגEQF@,W]q{;G- V$ֆVpmfR22D6đkx1ϛV3g#?#2ON;apS.JGqGU?,5mJ[6s5qGqleZ; MnULwMu!xx,[|+h7d'53 l`%K c:kٶdLbEK! 2bjeM$&9|lxf {)X"\Kɮ?K]QD<-DK)4x#?4b G"`dsNxnuFkd8S$<YmZ3ۚM xhơ*1]g- SR; Le5 'q&))ie(ꮔj@jM IcumO*1[|Cca^J!cNPf1xƂmH/1hUZa24˝/;F..Cxmr 4!q9rO-S.9 \pYh#]*T㛷j^IZ52?3Ep!^*{NA($2A 6Qm`Q{l}bH`FT؛ cuKIxfW8V  nyiHn}/QWQܙOoɄ Ā)'A�t/@2YWKE6D8r$!$@Şl:KJ+ ̕EC4b"_7�аҊ+'$]�:;b,k2T̔ MjD 7xY™ixL3eB! vPNƶ0O&!$h?9!^h4 <'HZ(ڒی @tT�ԣ)|+M!S[[2m- -w W>aAg"1fBҨe.LvwdJ ư,}O�j"0XiZg5Ą#gem!q$Qкdm NB+s3 7I4H(p0 uV͉,/`(2A`m3zzNĂnqi>epKۚJ Z)Т,#;9QYe$Š%н%Žtk րVZ7vh`?@h7xQ!D^yVBAlrTIKZ_!$ɒ,FzB-2w:B5㷈w(FEԛ aMTFYB^h �f 8)8 =n b !fFI�+qI(bBX Έ<эb{1�m=`K:SjF6#q N_1_m-�7<9ਠrìBm:!B* Y�/Yj̎,at~Յ�R[- +r("2*,k 7r/Y|Lflбk#UDZ8 ³rka6i:JAF%+﮼+|-,RFMc,!F{":Xi^)IS(`>O:)Qf,놡F^@(Kw)2cm u^7\6%1u*{t/1�:<tֈVvUʒg c"b 6Fop"掽9=@IH(MFMb"uAmny 07`V,vݩL%q^�O&QA.t <zbԨ|esԦ eq^D@ !~ H(Aut Дo�)CRQ-d2$@Id)KMAPsh G3 j g@ewIe }!=XaLvp0V G7C*ǓsѴh k;(<pZx-��a]#xzS QM -pOy)D*D!&0&QuoUdOuO }:&.CB)+`*G"4FG ]09+3aeDB^Ggc'Z(ítb5e�uTUy  @r#! -c-Xŀ[ۢ�6h=;@\HAl5CD" 57MO.As L&�M {ru< ,)Nögg ̂orAPMf9ب@o'7)(sdy~Ő"GMJ1i8|jv)ZRB@_2 Qd7ꇹ~Z,[$hx$7>7EwJe䄈nGgբ+QT@W-re3*X@T|([*+'GjJkO]Tau=x!nTBH'�Ek셶-Fz]ȩe]m ,lLT?]XFU� 4`�>U&Hd$Q{ATk$̈́&h w"H\ O vt@)<ڡfx5 JBA G_E9fZb `#XсjT~[k>d =-ƈHk: c$tæC:b�aI]rTZ1ȳ2x۔/7)UM@̡ji5-Fܐ[l3@>gʄmzZ"mY"(DH=i@Z:Zצ=tE_H.z(Тo֢rR8D'!j{ҹj*lNZDE+ѷ2T LNZ4 :I UճR7vK)[SE怞>@J{H鲡Am4Jc.ytxfak~m 5ZfTi$m:D ΜGj+{Vr%R*gD(k^xMECՃ0izh&�-QF(GAז ^zxe5+rlЇOAMأc Y#vւݹ@2 \<& ső2:75flP\YIn�������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������why3-1.6.0/examples/bench.sh������������������������������������������������������������������������0000775�0000000�0000000�00000003154�14401600263�0015643�0����������������������������������������������������������������������������������������������������ustar�00root����������������������������root����������������������������0000000�0000000������������������������������������������������������������������������������������������������������������������������������������������������������������������������#!/bin/sh # bench for why3 TMP=$PWD/why3bench.out TMPERR=$PWD/why3bench.err cd `dirname $0` HTML=$PWD/why3bench.html res=0 export success=0 export total=0 echo '<html>' > $HTML echo '<head><title>Why3 Bench' >> $HTML echo '' >> $HTML echo '

    Why3 bench

    ' >> $HTML run_dir () { echo '

    Directory '$1'

    ' >> $HTML echo '
      ' >> $HTML for f in `ls $1/*/why3session.xml`; do d=`dirname $f` b=`basename $d` echo -n "Benchmarking $d ... " ../bin/why3replay.opt -bench $REPLAYOPT $2 $d 2> $TMPERR > $TMP ret=$? if test "$ret" != "0" ; then echo -n "FAILED (ret code=$ret):" out=`head -1 $TMP` if test -z "$out" ; then echo "standard error: (standard output empty)" cat $TMPERR else cat $TMP fi res=1 echo '
    • '$d' failed' >> $HTML else echo "OK" success=`expr $success + 1` ../bin/why3session html $d 2> $TMPERR > $TMP echo '
    • '$d'' >> $HTML fi total=`expr $total + 1` done echo '
    ' >> $HTML } echo "=== Tests ===" run_dir tests run_dir tests-provers echo "" echo "=== Check Builtin translation ===" run_dir check-builtin echo "" echo "=== BTS ===" run_dir bts echo "" echo "=== Logic ===" run_dir logic run_dir bitvectors "-I bitvectors" echo "" echo "=== Programs ===" run_dir . run_dir foveoos11-cm run_dir WP_revisited run_dir vacid_0_binary_heaps "-I vacid_0_binary_heaps" echo "" echo '' >> $HTML echo "Summary: $success/$total" exit $res why3-1.6.0/examples/bignum.mlw000066400000000000000000000041161440160026300162260ustar00rootroot00000000000000 (** Big numbers as little-endian lists of digits. This is borrowed from a PVS tutorial. (see for instance http://fm.csl.sri.com/SSFT11/ITPSummerFormal2011.pdf) In addition, we show that the representation is valid (all digits in 0..base-1) and canonical (no most significant 0 digits). *) module BigNum use int.Int use list.List val constant base: int ensures { result > 1 } type digit = int type num = list digit function value (n: num) : int = match n with | Nil -> 0 | Cons d r -> d + base * value r end predicate valid (n: num) = match n with | Nil -> true | Cons d Nil -> 0 < d < base | Cons d r -> 0 <= d < base && valid r end let rec lemma nonneg (n: num) : unit requires { valid n } ensures { value n >= 0 } variant { n } = match n with Nil -> () | Cons _ r -> nonneg r end let rec lemma msd (n: num) requires { valid n } ensures { value n = 0 <-> n = Nil } variant { n } = match n with Nil -> () | Cons _ r -> msd r end let rec add_digit (n: num) (d: digit) : num requires { valid n } requires { 0 <= d < base } ensures { valid result } ensures { value result = value n + d } variant { n } = match n with | Nil -> if d = 0 then Nil else Cons d Nil | Cons d0 r -> if d + d0 < base then Cons (d + d0) r else Cons (d + d0 - base) (add_digit r 1) end let rec add_cin (n1 n2: num) (cin: int) : num requires { valid n1 && valid n2 && 0 <= cin <= 1 } ensures { valid result } ensures { value result = value n1 + value n2 + cin } variant { n1 } = match n1, n2 with | Nil, _ -> add_digit n2 cin | Cons _ _, Nil -> add_digit n1 cin | Cons d1 r1, Cons d2 r2 -> let d = cin + d1 + d2 in if d < base then Cons d (add_cin r1 r2 0) else Cons (d - base) (add_cin r1 r2 1) end let add (n1 n2: num) : num requires { valid n1 && valid n2 } ensures { valid result } ensures { value result = value n1 + value n2 } = add_cin n1 n2 0 end why3-1.6.0/examples/bignum/000077500000000000000000000000001440160026300155035ustar00rootroot00000000000000why3-1.6.0/examples/bignum/why3session.xml000066400000000000000000000136341440160026300205320ustar00rootroot00000000000000 why3-1.6.0/examples/bignum/why3shapes.gz000066400000000000000000000034341440160026300201470ustar00rootroot00000000000000XN$G}+qJYuKhVj,؀ǿU0[;/TRq✈?'T7滍|ϳAJpu6\l&r좆@ۛ_ͻA 0>| yPWg!ܗ_J;11mw.ؚ6KJPj/?y\ZG8Hc)sfJIqUK0<ÿ !n. S~p򥟜HN$a1?Ì8+=/г?GUjҎIj2m_ˣeC0'8G}_9}W|_m ˤ^AF]A%Q<̯eX rr!~<<<ڙa?6Gti ^xxxD1-z0Woy=.U{W5J5W{>|B/Ju./T+z5 `uPOEk' \ABQ_69ifh0V@7Ze2u6N5c ˝Wme^\<9z.gf1/{Y.S eaLWZ]ȯ8 +*iK< Qɝ ,Y?{c3:vu.6,#|knuKI.^?? xE\ggIkPKXW*b6m`βPZؤJR@Lޘ٨䠨FrE5 ]f.R E`~cvZJ*l csL^ P`5$0Vffz 0qd' OY1AMfI[61 +$P#"6 )KGӀ6$BxJ0X4kAޡGDl#bn@5Z2 k>P\_AuZt΢z  '֨kWG+8A!TJ<%5JP1'#xM[:b2!'/@GI"aq77)UclEGUuؔAIٱ-$KcQkXY!%\u`hm;D54ZޑtͺcR TvsJJSqɳA$d)ͺC48LFj>I FZ'.4ѕTD Gg[u^'*N'em5Tw;x([؇"FY$mMCd0 R@%bŤ(S^ N~p;Y,ᥳ=&NJel~9YkgUeU f"'-"ʱ%uFEkTpե^kYTx% j-ZeU.A2i+P~D {J8/kZ Cd5(u%J3:9^СSJ䯵NN1~why3-1.6.0/examples/binary_multiplication.mlw000066400000000000000000000032501440160026300213440ustar00rootroot00000000000000 (** {1 Russian peasant multiplication} Multiply two integers a and b using only addition, multiplication by 2, and division by 2. Note: this is exactly the same algorithm as exponentiation by squaring with power/*/1 being replaced by */+/0. *) module BinaryMultiplication use mach.int.Int use ref.Ref let binary_mult (a b: int) : int requires { b >= 0 } ensures { result = a * b } = let x = ref a in let y = ref b in let z = ref 0 in while !y <> 0 do invariant { 0 <= !y } invariant { !z + !x * !y = a * b } variant { !y } if !y % 2 = 1 then z := !z + !x; x := 2 * !x; y := !y / 2 done; !z end (** Now using machine integers. Assuming that the product fits in machine integers, we can still verify the code. The only exception is when `a*b = min_int`. The code below makes no assumption on the sign of `b`. Instead, it uses the fact that `!y % 2` has the sign of `!y` so that `!x` is either added to or subtracted from the result. *) module BinaryMultiplication63 use int.Int use int.Abs use mach.int.Int63 use ref.Ref let binary_mult (a b: int63) : int63 requires { min_int < a * b <= max_int } ensures { result = a * b } = let x = ref a in let y = ref b in let z = ref 0 in while !y <> 0 do invariant { if a*b >= 0 then !x * !y >= 0 && !z >= 0 else !x * !y <= 0 && !z <= 0 } invariant { !z + !x * !y = a * b } variant { abs !y } z := !z + !x * (!y % 2); y := !y / 2; (* be careful not to make the very last multiplication *) if !y <> 0 then x := 2 * !x done; !z end why3-1.6.0/examples/binary_multiplication/000077500000000000000000000000001440160026300206235ustar00rootroot00000000000000why3-1.6.0/examples/binary_multiplication/why3session.xml000066400000000000000000000067541440160026300236570ustar00rootroot00000000000000 why3-1.6.0/examples/binary_multiplication/why3shapes.gz000066400000000000000000000023661440160026300232720ustar00rootroot00000000000000VKo6Wmz &@P ANEF+4CىEN|߼^Iq]z1,M}sE+Zm2i%le[=_{_2`a&E.& "` ,bT/-U*[W6W{)eʼ??0fa1?zd[c19,٢p_G}{KC?+>s/e3NW n36 ›Xd\]MVaUw%}}x3-OF~/=,_&/N53qf> dbW?;u]cXjA'^-mPZ}l?^'ogNy2:KƂYW]++nE~u[=9v_F)G\U~*tp2;3<)#,7%( I!Gcn~T8,1Cm `9Iv= NϥWؿLԭKff~i6cXEZǽ~C 3f-z}z'.ҽSN44 gy/?cm˫0qX?a/(/nt0/0HuL'b6suҲi?[<23"qDHWOնԁ7Rbc#]P*'4ΫE)ףŤJ]N JK=%tHIH^uѧkݨF6XudABTJ:e p &$bA՚N .)Rd4A6 @k> wwF<0Ha@b u7B(eQ)J؍HۀCP;Hثh;-@pqTʆݓV ⛟(!@3콓1(4#: [o @(Aq\9B'Vw('jk yt:u&r)JP?RQZrlPG\$ B~Ï0(1:d+&"^+\p@49s֩D4EKl^ P^V&KM>;}j{/6OSl_KEM m="why3-1.6.0/examples/binary_search.mlw000066400000000000000000000142731440160026300175630ustar00rootroot00000000000000(* Binary search A classical example. Searches a sorted array for a given value v. *) module BinarySearch use int.Int use int.ComputerDivision use ref.Ref use array.Array (* the code and its specification *) exception Not_found (* raised to signal a search failure *) let binary_search (a: array int) (v: int) : int requires { forall i1 i2. 0 <= i1 <= i2 < length a -> a[i1] <= a[i2] } ensures { 0 <= result < length a /\ a[result] = v } raises { Not_found -> forall i. 0 <= i < length a -> a[i] <> v } = let ref l = 0 in let ref u = length a - 1 in while l <= u do invariant { 0 <= l /\ u < length a } invariant { forall i. 0 <= i < length a -> a[i] = v -> l <= i <= u } variant { u - l } let m = l + div (u - l) 2 in assert { l <= m <= u }; if a[m] < v then l := m + 1 else if a[m] > v then u := m - 1 else return m done; raise Not_found end (* A generalization: the midpoint is computed by some abstract function. The only requirement is that it lies between l and u. *) module BinarySearchAnyMidPoint use int.Int use ref.Ref use array.Array exception Not_found (* raised to signal a search failure *) val midpoint (l: int) (u: int) : int requires { l <= u } ensures { l <= result <= u } let binary_search (a: array int) (v: int) : int requires { forall i1 i2. 0 <= i1 <= i2 < length a -> a[i1] <= a[i2] } ensures { 0 <= result < length a /\ a[result] = v } raises { Not_found -> forall i. 0 <= i < length a -> a[i] <> v } = let ref l = 0 in let ref u = length a - 1 in while l <= u do invariant { 0 <= l /\ u < length a } invariant { forall i. 0 <= i < length a -> a[i] = v -> l <= i <= u } variant { u - l } let m = midpoint l u in if a[m] < v then l := m + 1 else if a[m] > v then u := m - 1 else return m done; raise Not_found end (* The following version of binary search is faster in practice, by being friendlier with the branch predictor of most processors. It also happens to be stable, since it always return the highest index. *) module BinarySearchBranchless use int.Int use int.ComputerDivision use ref.Ref use array.Array exception Not_found (* raised to signal a search failure *) let binary_search (a: array int) (v: int) : int requires { forall i1 i2. 0 <= i1 <= i2 < length a -> a[i1] <= a[i2] } ensures { 0 <= result < length a /\ a[result] = v } ensures { forall i. result < i < length a -> a[i] <> v } raises { Not_found -> forall i. 0 <= i < length a -> a[i] <> v } = let ref l = 0 in let ref s = length a in if s = 0 then raise Not_found; while s > 1 do invariant { 0 <= l /\ l + s <= length a /\ s >= 1 } invariant { forall i. 0 <= i < length a -> a[i] = v -> a[l] <= v /\ i < l + s } variant { s } let h = div s 2 in let m = l + h in l := if a[m] > v then l else m; s := s - h; done; if a[l] = v then l else raise Not_found end (* binary search using 32-bit integers *) module BinarySearchInt32 use int.Int use mach.int.Int32 use ref.Ref use mach.array.Array32 exception Not_found (* raised to signal a search failure *) let binary_search (a: array int32) (v: int32) : int32 requires { forall i1 i2. 0 <= i1 <= i2 < a.length -> a[i1] <= a[i2] } ensures { 0 <= result < a.length /\ a[result] = v } raises { Not_found -> forall i. 0 <= i < a.length -> a[i] <> v } = let ref l = 0 in let ref u = length a - 1 in while l <= u do invariant { 0 <= l /\ u < a.length } invariant { forall i. 0 <= i < a.length -> a[i] = v -> l <= i <= u } variant { u - l } let m = l + (u - l) / 2 in assert { l <= m <= u }; if a[m] < v then l := m + 1 else if a[m] > v then u := m - 1 else return m done; raise Not_found end (* A particular case with Boolean values (0 or 1) and a sentinel 1 at the end. We look for the first position containing a 1. *) module BinarySearchBoolean use int.Int use int.ComputerDivision use ref.Ref use array.Array let binary_search (a: array int) : int requires { 0 < a.length } requires { forall i j. 0 <= i <= j < a.length -> 0 <= a[i] <= a[j] <= 1 } requires { a[a.length - 1] = 1 } ensures { 0 <= result < a.length } ensures { a[result] = 1 } ensures { forall i. 0 <= i < result -> a[i] = 0 } = let ref lo = 0 in let ref hi = length a - 1 in while lo < hi do invariant { 0 <= lo <= hi < a.length } invariant { a[hi] = 1 } invariant { forall i. 0 <= i < lo -> a[i] = 0 } variant { hi - lo } let mid = lo + div (hi - lo) 2 in if a[mid] = 1 then hi := mid else lo := mid + 1 done; lo end module Complexity use int.Int use int.ComputerDivision use ref.Ref use array.Array let rec function log2 (n: int) : int variant { n } = if n <= 1 then 0 else 1 + log2 (div n 2) let rec lemma log2_monotone (x y: int) requires { x <= y } ensures { log2 x <= log2 y } variant { y } = if y > 1 then log2_monotone (div x 2) (div y 2) let function f (n: int) : int = if n = 0 then 0 else 1 + log2 n lemma upper_bound: forall n. n >= 2 -> f n <= 2 * log2 n val ref time: int let binary_search (a: array int) (v: int) : int requires { forall i1 i2. 0 <= i1 <= i2 < length a -> a[i1] <= a[i2] } requires { time = 0 } ensures { 0 <= result < length a && a[result] = v || result = -1 && forall i. 0 <= i < length a -> a[i] <> v } ensures { time - old time <= f (length a) } = let ref lo = 0 in let ref hi = length a in while lo < hi do invariant { 0 <= lo <= hi <= length a } invariant { forall i. 0 <= i < lo || hi <= i < length a -> a[i] <> v } invariant { (time - old time) + f (hi - lo) <= f (length a) } variant { hi - lo } let mid = lo + div (hi - lo) 2 in if a[mid] < v then lo <- mid + 1 else if a[mid] > v then hi <- mid else return mid; time <- time + 1 done; -1 end why3-1.6.0/examples/binary_search/000077500000000000000000000000001440160026300170335ustar00rootroot00000000000000why3-1.6.0/examples/binary_search/why3session.xml000066400000000000000000000130371440160026300220570ustar00rootroot00000000000000 why3-1.6.0/examples/binary_search/why3shapes.gz000066400000000000000000000052251440160026300214770ustar00rootroot00000000000000n8_ٝ c@FB &v Vart,.VQ}~K<=wÿj?7gդݷxTǕ]e$j Pxϑ#ǚ˚s֔1h"|';$/rCx~qӽ;n S@}vst9{eǢ_+|HTlo?JF>C~v0$erpU\"s>!!ѯIeYg~zqVJklT'A#`y]2"N)+RaN[SuZXWl Mw<Ţ4)Yʭ94F9su_ufnW̺.Ji܁mv̙pr|bݙ7}]NH: &9?Qv} mߺ|Rh,T=jړkM^2ɖYB)Ĩ E βZN6(UnxO[٤ ex31wpW/67X]n]x)Zl#'=ԗTB2e&hߔNhBZ L~@T'c!ţ rLc#N܏ۜ[ڜ/gF=2:3$ȰK)8aOmXd؊j%`Fcw`*DjS@y 3 ^6 9]Gr<^ahv΢_?R[s;Hcj=?p=Ǐi 9h!'!\!ڀI\.6 ^x/ԹFyGH~N^8v( .iwCã>N&cl]!퐚 &bc ԥhF{ꊹ`^ (R=^r/]Bm+ʒй10tTQ7Kgy-N.M {%iz@8>qb)Ι;{v:SX G1C_* ,R)00{Lv3kI27NKk!taQW uAE:U<~ƋyBާPj= Oll>~}>QDRe@ ;yN0xY֌DbD+Rt`cYu,jvdxx AAMq ,}Zi}2}#5Xp>]yC[=%{JWP"RRDIDJuI!"4 HI+Ik'A7:[ZMTˆ9#QHN$ё(ѦF$u^iv5z[\$0޴Xj@',^Q0Üd-*B ҩ`InЌxxm>Zb$"FkۭFSъFXQn-m#% T2ij@Ƈ\3W6ekVj4&HP2$F[B!đJi,JV0ʂb0ઊʊaJ6-( pA%h6يVkxh57Q0ZG UVކ1 F^(Fĕѫ[[9x{)^ wδbbb@CULVLTĖez,Xc`gQjE[*N_%#2MZ7QZFZC I2UzLDt7u\ *8IiVܼGIZbL9od0@;TӢ{yUixQScB, U*AEr&{yKu2%x㢅% Z[@"3AH"Wl "5r酈LR!ER{p$atm 5y/gPdqH h+@J.I%-1ab0B4JFix]i(WUMN" Ӷ{ jn"h޴DL(zK}CPbÈXH|MGUpI<0xP$θz#why3-1.6.0/examples/binary_search_vc_sp.mlw000066400000000000000000000077541440160026300207630ustar00rootroot00000000000000(* Binary search A classical example. Searches a sorted array for a given value v. *) module BinarySearch use int.Int use int.ComputerDivision use ref.Ref use array.Array (* the code and its specification *) exception Not_found (* raised to signal a search failure *) let binary_search (a : array int) (v : int) : int requires { forall i1 i2 : int. 0 <= i1 <= i2 < length a -> a[i1] <= a[i2] } ensures { 0 <= result < length a /\ a[result] = v } raises { Not_found -> forall i:int. 0 <= i < length a -> a[i] <> v } = [@vc:sp] let l = ref 0 in let u = ref (length a - 1) in while !l <= !u do invariant { 0 <= !l /\ !u < length a } invariant { forall i : int. 0 <= i < length a -> a[i] = v -> !l <= i <= !u } variant { !u - !l } let m = !l + div (!u - !l) 2 in assert { !l <= m <= !u }; if a[m] < v then l := m + 1 else if a[m] > v then u := m - 1 else return m done; raise Not_found end (* A generalization: the midpoint is computed by some abstract function. The only requirement is that it lies between l and u. *) module BinarySearchAnyMidPoint use int.Int use ref.Ref use array.Array exception Not_found (* raised to signal a search failure *) val midpoint (l:int) (u:int) : int requires { l <= u } ensures { l <= result <= u } let binary_search (a :array int) (v : int) : int requires { forall i1 i2 : int. 0 <= i1 <= i2 < length a -> a[i1] <= a[i2] } ensures { 0 <= result < length a /\ a[result] = v } raises { Not_found -> forall i:int. 0 <= i < length a -> a[i] <> v } = [@vc:sp] let l = ref 0 in let u = ref (length a - 1) in while !l <= !u do invariant { 0 <= !l /\ !u < length a } invariant { forall i : int. 0 <= i < length a -> a[i] = v -> !l <= i <= !u } variant { !u - !l } let m = midpoint !l !u in if a[m] < v then l := m + 1 else if a[m] > v then u := m - 1 else return m done; raise Not_found end (* binary search using 32-bit integers *) module BinarySearchInt32 use int.Int use mach.int.Int32 use ref.Ref use mach.array.Array32 (* the code and its specification *) exception Not_found (* raised to signal a search failure *) let binary_search (a : array int32) (v : int32) : int32 requires { forall i1 i2 : int. 0 <= i1 <= i2 < a.length -> a[i1] <= a[i2] } ensures { 0 <= result < a.length /\ a[result] = v } raises { Not_found -> forall i:int. 0 <= i < a.length -> a[i] <> v } = [@vc:sp] let l = ref 0 in let u = ref (length a - 1) in while !l <= !u do invariant { 0 <= !l /\ !u < a.length } invariant { forall i : int. 0 <= i < a.length -> a[i] = v -> !l <= i <= !u } variant { !u - !l } let m = !l + (!u - !l) / 2 in assert { !l <= m <= !u }; if a[m] < v then l := m + 1 else if a[m] > v then u := m - 1 else return m done; raise Not_found end (* A particular case with Boolean values (0 or 1) and a sentinel 1 at the end. We look for the first position containing a 1. *) module BinarySearchBoolean use int.Int use int.ComputerDivision use ref.Ref use array.Array let binary_search (a: array int) : int requires { 0 < a.length } requires { forall i j. 0 <= i <= j < a.length -> 0 <= a[i] <= a[j] <= 1 } requires { a[a.length - 1] = 1 } ensures { 0 <= result < a.length } ensures { a[result] = 1 } ensures { forall i. 0 <= i < result -> a[i] = 0 } = [@vc:sp] let lo = ref 0 in let hi = ref (length a - 1) in while !lo < !hi do invariant { 0 <= !lo <= !hi < a.length } invariant { a[!hi] = 1 } invariant { forall i. 0 <= i < !lo -> a[i] = 0 } variant { !hi - !lo } let mid = !lo + div (!hi - !lo) 2 in if a[mid] = 1 then hi := mid else lo := mid + 1 done; !lo end why3-1.6.0/examples/binary_search_vc_sp/000077500000000000000000000000001440160026300202255ustar00rootroot00000000000000why3-1.6.0/examples/binary_search_vc_sp/why3session.xml000066400000000000000000000023631440160026300232510ustar00rootroot00000000000000 why3-1.6.0/examples/binary_search_vc_sp/why3shapes.gz000066400000000000000000000023371440160026300226720ustar00rootroot00000000000000W_#7 ϧ۵w,q =ǙtC{%=路$&lKeYdY?6O_~XWq*mT2<6 }Pq~A_ϡٳ&>!H͔$=@COc<n%I`Vx~mB6^hBâ%|-k(0*v+>On`l0nšВmPB\6 07 0 Ҩ18¨]0axg2qR\u%Bns3{ t#kuplW" Y?;@:D YTy;`%HY&Hkz5 te`Uq}z^OO/h^4WBc8&UA|cA $3"2x̣KHµ'!Jm2\L.,|XOO/Zg)-cgmfCu3v] n8r1jM=[j"Wᾶ;M@ue`tD_\&fˊzC-Mhh]Kr]9 znSS~ҳ5FLewC-dvV$J__EAXTXL+hdUURYoEV`+#/eW%Zܪ.5Ihy\Q+&w&4">k͇2y@H_"6|X5j|)|cf㗆O6Z?CưC8CF%Eifb膈i|q 0FT@_t=)i/pؘ &]Z sYʗyahm"ƫPl1 S9ː>P0Jc`vvl?el!D?aaop)%AkBjjS1J:-AB*.u8һ!2,$]Bwhy3-1.6.0/examples/binary_sort.mlw000066400000000000000000000044661440160026300173100ustar00rootroot00000000000000 (** Binary sort Binary sort is a variant of insertion sort where binary search is used to find the insertion point. This lowers the number of comparisons (from N^2 to N log(N)) and thus is useful when comparisons are costly. For instance, Binary sort is used as an ingredient in Java 8's TimSort implementation (which is the library sort for Object[]). Author: Jean-Christophe Filliâtre (CNRS) *) module BinarySort use int.Int use int.ComputerDivision use ref.Ref use array.Array use array.ArrayPermut let lemma occ_shift (m1 m2: int -> 'a) (mid k: int) (x: 'a) : unit requires { 0 <= mid <= k } requires { forall i. mid < i <= k -> m2 i = m1 (i - 1) } requires { m2 mid = m1 k } ensures { M.Occ.occ x m1 mid (k+1) = M.Occ.occ x m2 mid (k+1) } = for i = mid to k - 1 do invariant { M.Occ.occ x m1 mid i = M.Occ.occ x m2 (mid+1) (i+1) } () done; assert { M.Occ.occ (m1 k) m1 mid (k+1) = 1 + M.Occ.occ (m1 k) m1 mid k }; assert { M.Occ.occ (m1 k) m2 mid (k+1) = 1 + M.Occ.occ (m1 k) m2 (mid+1) (k+1) }; assert { M.Occ.occ x m1 mid (k+1) = M.Occ.occ x m2 mid (k+1) by x = m1 k \/ x <> m1 k } let binary_sort (a: array int) : unit ensures { forall i j. 0 <= i <= j < length a -> a[i] <= a[j] } ensures { permut_sub (old a) a 0 (length a) } = for k = 1 to length a - 1 do (* a[0..k-1) is sorted; insert a[k] *) invariant { forall i j. 0 <= i <= j < k -> a[i] <= a[j] } invariant { permut_sub (old a) a 0 (length a) } let v = a[k] in let left = ref 0 in let right = ref k in while !left < !right do invariant { 0 <= !left <= !right <= k } invariant { forall i. 0 <= i < !left -> a[i] <= v } invariant { forall i. !right <= i < k -> v < a[i] } variant { !right - !left } let mid = !left + div (!right - !left) 2 in if v < a[mid] then right := mid else left := mid + 1 done; (* !left is the place where to insert value v so we move a[!left..k) one position to the right *) label L in self_blit a !left (!left + 1) (k - !left); a[!left] <- v; assert { permut_sub (a at L) a !left (k + 1) }; assert { permut_sub (a at L) a 0 (length a) }; done end why3-1.6.0/examples/binary_sort/000077500000000000000000000000001440160026300165555ustar00rootroot00000000000000why3-1.6.0/examples/binary_sort/why3session.xml000066400000000000000000000131041440160026300215740ustar00rootroot00000000000000 why3-1.6.0/examples/binary_sort/why3shapes.gz000066400000000000000000000040631440160026300212200ustar00rootroot00000000000000WMo9Wmw7`6`ln} 9QX^I1v>l#rrQŪW"ߺgwS֛vW8ȁ _"4y~c@G|<'qr#,Wݴ^1|.")3ud6#AUMU=A̹ZU? fP < [uG>wZ`GK!_ujvu=jY"ue/3TMnVn:i{?kb (?_n6oaz?i ;$Zf1o}} f5yL iyONɧOZ8 =LG#[?_ՅHZ7 nFYz:MjY7eg ~m4b#yƃk \q!U:=K dGm2Ҽn7lAD4\D)m|&G3.oƚ bc-ElF:`J$am;Bd  k%:?q^9+2붳yy%=p`Ry>2 μT|Vnn%cF"p:8jTqU.1q?ᗂoSOk9.G;Xc:'}M(2޼fՊv̊EODe| >~DO1BG'l|{=p3_u/\jyr=rn‹V{rZpEWzvJ}}mJz|YЃnА!wNr<߷#}x Mx>*d3|}\iƏm@f<<֧?mn PgWn&q)!8ZIέx{h?uy~Sn!raEQ u`1cWoV՚S>eL'ϊVKcK'֧YSʦe|aY>k]8uO ЭBFOqٵT=WvYwy"|0os۷{̐:_ #?y'093bWs&XͺsTCF~GFa}m+چh3# BBQϮMrnK)xTpEeq="Ϣ<3\fMTlqL;ۛ^ Zq8ɱ}(3U4:E]%)"+(ID/p;2=TO'F/&HऱAo^KTԉ[}{+%Yb w@)ط Ɯ"DF$9O*"PZoB.7 F¥IdBiȜy%ҐJKz#z."أF NzyaYeͭ)pOHAL$8N86M'TDJW r*"bRh9`VdgLI#)&S!o} =H2܂}#:gq,hdҔyRԫKOV^g6Eٰ.N"$dUj- aÒgx*O++q(,-'LM)!)gk ^^7\B[,Eb˟Eϡ`EAahy8ҦEgH͓,Yϖ hE'}I,E&_ jgq0\&rCI14X\ =[r_X\(C\gqJfR:jkn_revu̡2O+z~M 0.0 /\ Int.(>=) n 1 } requires { eps = (FromInt.from_int n) * eps0 } variant { Int.(-) (Truncate.ceil (MinMax.max r 1.0 / eps0)) n } ensures { result * result <= r < (result + eps) * (result + eps) } = if r < eps && 1.0 < eps then 0.0 else begin assert { FromInt.from_int n * eps0 <= MinMax.max r 1.0 }; assert { 1.0 / eps0 > 0.0 }; assert { FromInt.from_int n * eps0 * (1.0 / eps0) <= MinMax.max r 1.0 * (1.0 / eps0)}; assert { FromInt.from_int n * eps0 / eps0 <= MinMax.max r 1.0 / eps0}; assert { FromInt.from_int n <= MinMax.max r 1.0 / eps0 }; let r' = sqrt r (2.0 * eps) (Int.(*) 2 n) eps0 in if (r' + eps) * (r' + eps) <= r then r' + eps else r' end let sqrt_main (r:real) (eps:real) : real requires { 0.0 <= r } requires { eps > 0.0 } ensures { result * result <= r < (result + eps) * (result + eps) } = sqrt r eps 1 eps end why3-1.6.0/examples/binary_sqrt/000077500000000000000000000000001440160026300165575ustar00rootroot00000000000000why3-1.6.0/examples/binary_sqrt/why3session.xml000066400000000000000000000055361440160026300216100ustar00rootroot00000000000000 why3-1.6.0/examples/binary_sqrt/why3shapes.gz000066400000000000000000000017341440160026300212240ustar00rootroot00000000000000Xn7+fٺh7 n* \I ɶI4p$=3κxSVDz\׿v;ϰ.W +;‡8 -*|^UYς[six7,8رNjI d=VdZ`37J#.ꝑ[ؖw㬜{=S`E7ó ,A 'Zq9uKZ\;|"ː~,iq۷$$pNM۝e|NZW)` i( D+Mn;$-5Κ}8!{o'4qbcOh܆މ}jߺXv?kv))WʓK?K_''ҧWdjI~ëۡ_7Nju줲*\fFi־V%9Ih#!!?{'yk^~wyߎzЁI1 xݓ(A $hxh`ί˶*gy5Nbsk@xnd)xּZ* TQX '&+dt^#&  u5GCzh]DJ(U H6Z2-H1 I$͓>zJ(elYΈTT^Q9D()N +X[hN9$O"mFD1AdSBRfp\rc25b12'lE*a]Ё7^:))7˒up}1{j暓ϖQT_ऄVx Ӥe%X\bKKˍa,t-Dk5 gV.a! RbXwhy3-1.6.0/examples/binomial.mlw000066400000000000000000000026411440160026300165400ustar00rootroot00000000000000 (** Binomial coefficients The binomial coefficient C(n,k) is equal to n*(n-1)*(n-2)*...*(n-k+1) ------------------------- k*(k-1)*(k-2)*...*1 This can be readily computed with three lines of C: int c = 1; for (int i = 1; i <= k ; i++) c = c * (n - i + 1) / i; In the code above, it is not obvious that each division is exact. Below is a proof. Author: Jean-Christophe Filliâtre (CNRS) *) use int.Int use int.EuclideanDivision use int.MinMax let function (/) (x: int) (y: int) requires { [@expl:check division by zero] y <> 0 } = div x y let rec function comb (n k: int) : int requires { 0 <= k <= n } variant { n } ensures { result >= 1 } = if k = 0 || k = n then 1 else comb (n-1) k + comb (n-1) (k-1) let rec lemma prop1 (n k: int) requires { 0 <= k <= n } ensures { comb n (n - k) = comb n k } variant { n } = if 0 < k < n then (prop1 (n-1) k; prop1 (n-1) (k-1)) let rec lemma prop2 (n k: int) requires { 1 <= k <= n } ensures { k * comb n k = comb n (k - 1) * (n - k + 1) } variant { n } = if k < n then prop2 (n-1) k; if 1 < k then prop2 (n-1) (k-1) let compute (n k: int) : (r: int) requires { 0 <= k <= n } ensures { r = comb n k } = let k = min k (n - k) in let ref r = 1 in for i = 1 to k do invariant { 1 <= i <= k + 1 } invariant { r = comb n (i - 1) } r <- r * (n - i + 1) / i; prop2 n i; done; r why3-1.6.0/examples/binomial/000077500000000000000000000000001440160026300160145ustar00rootroot00000000000000why3-1.6.0/examples/binomial/why3session.xml000066400000000000000000000063111440160026300210350ustar00rootroot00000000000000 why3-1.6.0/examples/binomial/why3shapes.gz000066400000000000000000000030021440160026300204470ustar00rootroot00000000000000VKo7W- ÜỈE b|-P") |rkN_K:545uu޺8|X3=uf\׫?a7+OO N=W[}Χغmg .X_:3y!4!d}|x:N+:H0[`'$( 2cA//X9V~8eSnRa,ex~r~t8|; Ye3%l-y#gRPE')|.;1jҥH4E;3TiO$H.̤T 2M 3EblDdtȦRS0Ք] f6LQ.VKFٕPRsiV^U#)UcxSTչ/ 7Lܞiyp{:WQb}wML)" 0 | Cons { children = c } r -> 1 + size c + size r end let lemma size_nonnneg (l: list tree) ensures { size l >= 0 } = let rec auxl (l: list tree) ensures { size l >= 0 } variant { l } = match l with Nil -> () | Cons t r -> auxt t; auxl r end with auxt (t: tree) ensures { size t.children >= 0 } variant { t } = match t with { children = c } -> auxl c end in auxl l (** Heaps. *) (* `e` is no greater than the roots of the trees in `l` *) predicate le_roots (e: elt) (l: list tree) = match l with | Nil -> true | Cons t r -> le e t.elem && le_roots e r end lemma le_roots_trans: forall x y l. le x y -> le_roots y l -> le_roots x l predicate heaps (l: list tree) = match l with | Nil -> true | Cons { elem = e; children = c } r -> le_roots e c && heaps c && heaps r end lemma heaps_append: forall h1 [@induction] h2. heaps h1 -> heaps h2 -> heaps (h1 ++ h2) lemma heaps_reverse: forall h. heaps h -> heaps (reverse h) (** Number of occurrences of a given element in a list of trees. *) function occ (x: elt) (l: list tree) : int = match l with | Nil -> 0 | Cons { elem = y; children = c } r -> (if x = y then 1 else 0) + occ x c + occ x r end let rec lemma occ_nonneg (x: elt) (l: list tree) variant { size l } ensures { 0 <= occ x l } = match l with | Nil -> () | Cons { children = c } r -> occ_nonneg x c; occ_nonneg x r end lemma occ_append: forall l1 [@induction] l2 x. occ x (l1 ++ l2) = occ x l1 + occ x l2 lemma occ_reverse: forall x l. occ x l = occ x (reverse l) predicate mem (x: elt) (l: list tree) = occ x l > 0 let rec lemma heaps_mem (l: list tree) requires { heaps l } variant { size l } ensures { forall x. le_roots x l -> forall y. mem y l -> le x y } = match l with | Nil -> () | Cons { children = c } r -> heaps_mem c; heaps_mem r end (** Binomial tree of rank `k`. *) predicate has_order (k: int) (l: list tree) = match l with | Nil -> k = 0 | Cons { rank = k'; children = c } r -> k' = k - 1 && has_order (k-1) c && has_order (k-1) r end predicate binomial_tree (t: tree) = t.rank = length t.children && has_order t.rank t.children lemma has_order_length: forall l k. has_order k l -> length l = k (** Binomial heaps. *) type heap = list tree (** A heap `h` is a list of binomial trees in strict increasing order of ranks, those ranks being no smaller than `m`. *) predicate inv (m: int) (h: heap) = match h with | Nil -> true | Cons t r -> let k = t.rank in m <= k && binomial_tree t && inv (k + 1) r end lemma inv_trans: forall m1 m2 h. m1 <= m2 -> inv m2 h -> inv m1 h let lemma inv_reverse (t: tree) requires { binomial_tree t } ensures { inv 0 (reverse t.children) } = let rec aux (k: int) (l: list tree) (acc: list tree) requires { has_order k l } requires { inv k acc } variant { k } ensures { inv 0 (reverse l ++ acc) } = match l with | Nil -> () | Cons t r -> assert { binomial_tree t }; aux (k-1) r (Cons t acc) end in match t with | { rank = k; children = c } -> aux k c Nil end (** Heap operations. *) let empty : heap = Nil ensures { heaps result } ensures { inv 0 result } ensures { forall e. not (mem e result) } let is_empty (h: heap) : bool ensures { result <-> h = Nil } = match h with Nil -> true | _ -> false end let get_min (h: heap) : elt requires { heaps h } requires { h <> Nil } ensures { mem result h } ensures { forall x. mem x h -> le result x } = match h with | Nil -> absurd | Cons t l -> let rec aux (m: elt) (l: list tree) : elt requires { heaps l } variant { l } ensures { result = m || mem result l } ensures { le result m } ensures { forall x. mem x l -> le result x } = match l with | Nil -> m | Cons {elem=x} r -> aux (if le x m then x else m) r end in aux t.elem l end let function link (t1 t2: tree) : tree = if le t1.elem t2.elem then { elem = t1.elem; rank = t1.rank + 1; children = Cons t2 t1.children } else { elem = t2.elem; rank = t2.rank + 1; children = Cons t1 t2.children } let rec add_tree (t: tree) (h: heap) requires { heaps (Cons t Nil) } requires { binomial_tree t } requires { heaps h } requires { inv (rank t) h } variant { h } ensures { heaps result } ensures { inv (rank t) result } ensures { forall x. occ x result = occ x (Cons t Nil) + occ x h } = match h with | Nil -> Cons t Nil | Cons hd tl -> if rank t < rank hd then Cons t h else begin assert { rank t = rank hd }; add_tree (link t hd) tl end end let add (x: elt) (h: heap) : heap requires { heaps h } requires { inv 0 h } ensures { heaps result } ensures { inv 0 result } ensures { occ x result = occ x h + 1 } ensures { forall e. e <> x -> occ e result = occ e h } = add_tree { elem = x; rank = 0; children = Nil } h let rec merge (ghost k: int) (h1 h2: heap) requires { heaps h1 } requires { inv k h1 } requires { heaps h2 } requires { inv k h2 } variant { h1, h2 } ensures { heaps result } ensures { inv k result } ensures { forall x. occ x result = occ x h1 + occ x h2 } = match h1, h2 with | Nil, _ -> h2 | _, Nil -> h1 | Cons t1 tl1, Cons t2 tl2 -> if rank t1 < rank t2 then Cons t1 (merge (rank t1 + 1) tl1 h2) else if rank t2 < rank t1 then Cons t2 (merge (rank t2 + 1) h1 tl2) else add_tree (link t1 t2) (merge (rank t1 + 1) tl1 tl2) end let rec extract_min_tree (ghost k: int) (h: heap) : (tree, heap) requires { heaps h } requires { inv k h } requires { h <> Nil } variant { h } ensures { let t, h' = result in heaps (Cons t Nil) && heaps h' && inv k h' && le_roots t.elem h && binomial_tree t && forall x. occ x h = occ x (Cons t Nil) + occ x h' } = match h with | Nil -> absurd | Cons t Nil -> t, Nil | Cons t tl -> let t', tl' = extract_min_tree (rank t + 1) tl in if le t.elem t'.elem then t, tl else t', Cons t tl' end let rec extract_min (h: heap) : (elt, heap) requires { heaps h } requires { inv 0 h } requires { h <> Nil } variant { h } ensures { let e, h' = result in heaps h' && inv 0 h' && occ e h' = occ e h - 1 && forall x. x <> e -> occ x h' = occ x h } = let t, h' = extract_min_tree 0 h in t.elem, merge 0 (reverse t.children) h' (** Complexity analysis. *) use int.Power let rec lemma has_order_size (k: int) (l: list tree) requires { has_order k l } variant { size l } ensures { size l = power 2 k - 1 } = match l with | Nil -> () | Cons { children = c } r -> has_order_size (k-1) c; has_order_size (k-1) r end lemma binomial_tree_size: forall t. binomial_tree t -> size t.children = power 2 t.rank - 1 let rec lemma inv_size (k: int) (l: list tree) requires { 0 <= k } requires { inv k l } variant { l } ensures { size l >= power 2 (k + length l) - power 2 k } = match l with | Nil -> () | Cons _ r -> inv_size (k+1) r end (** Finally we prove that the number of binomial trees is O(log n) *) lemma heap_size: forall h. inv 0 h -> size h >= power 2 (length h) - 1 end why3-1.6.0/examples/binomial_heap/000077500000000000000000000000001440160026300170115ustar00rootroot00000000000000why3-1.6.0/examples/binomial_heap/why3session.xml000066400000000000000000000275241440160026300220430ustar00rootroot00000000000000 why3-1.6.0/examples/binomial_heap/why3shapes.gz000066400000000000000000000126231440160026300214550ustar00rootroot00000000000000\Yo7~̴҈~iWEm#)X)I#P.Es,Çts~|{ M)ѯh|/ W_רD[?\{ޢh" Ϗ9}۫zT< {ΉsR'ώ~vKWh\LK{J#/on^/ >pWLJ秽j]藛mUX5ͫ-3j}L9|x 4-Dn/G+y~i$j)N9Ր6pSTw\Hx͘ZMc&"RH|wU)`ZrJ;Ԑ\-^~cA:|ƶk=%Z;$eF{ùL1SCA d˜k.[ KbU}}-]dK4J|o{vMrS~!ihχAfn$ٙ>CC"NғJj)%_*D 9.^biVkC7 &|DŽ;}͠m\!)`Hx3j X8RbyWf!c2͖_]#'h.?"B-Qc< ec~nR{s|9>Ae<oSF /=RYyTkzP (ԣ;JZzrvߖFOOx$a(VkCiVulp8J/Rk/3/Bѿݗ-lOv%e ]Wv(m>*U]CU%AJCq!yTJ%~Z*K|HlR5󞦭d_kҵzqk~kҵ:յ<̉KeqM׵ՑXFNDQ$uFtU֠:jSٓ@I_Z,pJ`Tt7ZFR*iJkay f  ǜIB8Eh*>ͣ[$uC*Σ++ (i9,,Ik3J]0נ}+ jFiMPB](U߁6H; x,(h1M4F ИW{9jjB2yC t̩ɱZY3<e;L*@uMĽnаvo^-&PnLӄ#. r|zGipzD$sjݲ=@uHi=gvo\%dE<5QqÙVKW/HC\ m2țsE~83PqhهThT)QC_ul\noCgKmɚ*Yy'BRNM1?FQ`/Ub^#u ފ[K*ܣv%/7=-o[ɮtwct=7v4]=6:zJ!9k567̩q(\BXF.].ilD?7zK&N5mJ)-wdiDx]j\9&ԮeZqp*3%]2G>Wy"9+9hγMJ_[y+n-{53ϳ0\E3I][w[c's^ ] t<0gLIex1+@luf5Ls% F'=_!eC\d\iE{]$<3> 3q "*n4l՞GXd5+alm02 #9ڛC .fd>ɐ4ך7I8b95>(|N^O%.J ZFLHcF'*htd 2d4֊!乎XIN\H::[#;*TpWEqk(utY8U)e#|"ei_QcɔI]aue|B?'%d,saD!},B2l)ӱ y!ܭxalMRȆN;X(WYI4R i *9)!\eYل"9*]) l IL؋LJ\r \!L)tV4e80izE-z 4 `7\F 旔ijW9*IbѿD$P9ۜ39 |Ѳ.[Iz78BA g҅ⷊJI$̠ę3\3&-`/Ub- mvp S0Nj=8E)v-ػuV#$1a B/Uj->kK= nF+'.-̘(Ĭ,|F2 nFZvH@0ezFǧ,2U@G7|ǧeμ *0!ͣو/f)DRk2*ErBk#)Dm|:EcVڈ/9+' N*.h&Hڈ/ñG)1Ym2I۩ضو=[Je<,f\qܛ~5 i5 m̡RF'Rz J dY% !?PIzq›[Q&ǒÒ:%x"po7 O1}#J  ^SV _^/X|Y_(D^4= !Ƭf)s_0y$>p:qJ2۶TD4SĞm#Tt {~#r>(KG)(Xe {r6'DHAM hV(xPGl0MV|ۈ{ïE)\aCѯr)uNXD^9ica> 1) & 0x55555555) *) x := sub !x (bw_and (lsr_bv !x (1 : t)) (0x55555555 : t)); let ghost x1 = !x in (* x = (x & 0x33333333) + ((x >> 2) & 0x33333333) *) x := add (bw_and !x (0x33333333 : t)) (bw_and (lsr_bv !x (2 : t)) (0x33333333 : t)); let ghost x2 = !x in (* x = (x + (x >> 4)) & 0x0F0F0F0F *) x := bw_and (add !x (lsr_bv !x (4 : t))) (0x0F0F0F0F : t); let ghost x3 = !x in (* x = x + (x >> 8) *) x := add !x (lsr_bv !x (8 : t)); let ghost x4 = !x in (* x = x + (x >> 16) *) x := add !x (lsr_bv !x (16 : t)); prove n x1 x2 x3 x4 !x; (* return (x & 0x0000003F) *) bw_and !x (0x0000003F : t) end module Hamming use int.Int use int.NumOf use mach.bv.BVCheck32 use BitCounting32 predicate nth_diff (a b : t) (i : int) = nth a i <> nth b i function hammingD_logic (a b : t) : int = NumOf.numof (nth_diff a b) 0 32 let hammingD (a b : t) : t ensures { t'int result = hammingD_logic a b } = assert { forall i. 0 <= i < 32 -> nth (bw_xor a b) i <-> (nth_diff a b i) }; count (bw_xor a b) lemma symmetric: forall a b. hammingD_logic a b = hammingD_logic b a lemma numof_ytpmE : forall p : int -> bool, a b : int. numof p a b = 0 -> (forall n : int. a <= n < b -> not p n) let lemma separation (a b : t) ensures { hammingD_logic a b = 0 <-> a = b } = assert { hammingD_logic a b = 0 -> eq_sub a b 0 32 } function fun_or (f g : 'a -> bool) : 'a -> bool = fun x -> f x \/ g x let rec lemma numof_or (p q : int -> bool) (a b: int) : unit variant {b - a} ensures {numof (fun_or p q) a b <= numof p a b + numof q a b} = if a < b then numof_or p q a (b-1) let lemma triangleInequalityInt (a b c : t) : unit ensures {hammingD_logic a b + hammingD_logic b c >= hammingD_logic a c} = assert {numof (nth_diff a b) 0 32 + numof (nth_diff b c) 0 32 >= numof (fun_or (nth_diff a b) (nth_diff b c)) 0 32 >= numof (nth_diff a c) 0 32} lemma triangleInequality: forall a b c. (hammingD_logic a b) + (hammingD_logic b c) >= hammingD_logic a c end (** {2 ASCII checksum} In the beginning the encoding of an ascii character was done on 8 bits: the first 7 bits were used for the character itself while the 8th bit was used as a checksum, i.e. a mean to detect errors. The checksum value was the binary sum of the 7 other bits, allowing the detection of any change of an odd number of bits in the initial value. Let's prove it! *) module AsciiCode use int.Int use int.NumOf use number.Parity use bool.Bool use mach.bv.BVCheck32 use BitCounting32 constant one : t = 1 : t constant lastbit : t = sub size_bv one (* let lastbit () = (sub_check size_bv one) : t *) (** {4 Checksum computation and correctness} *) (** A ascii character is valid if its number of 1-bits is even. (Remember that a binary number is odd if and only if its first bit is 1.) *) predicate validAscii (b : t) = even (count_logic b) let lemma bv_even (b:t) ensures { even (t'int b) <-> not (nth b 0) } = assert { not (nth_bv b zeros) <-> b = mul (2 : t) (lsr_bv b one) }; assert { (exists k. b = mul (2 : t) k) -> not (nth_bv b zeros) }; assert { (exists k. t'int b = 2 * k) -> (exists k. b = mul (2 : t) k) }; assert { not (nth b 0) <-> t'int b = 2 * t'int (lsr b 1) } lemma bv_odd : forall b : t. odd (t'int b) <-> nth b 0 (* use Numofbit *) function fun_or (f g : 'a -> bool) : 'a -> bool = fun x -> f x \/ g x let rec lemma numof_or (p q : int -> bool) (a b: int) : unit requires { forall i. a <= i < b -> not (p i) \/ not (q i) } variant {b - a} ensures {numof (fun_or p q) a b = numof p a b + numof q a b} = if a < b then numof_or p q a (b-1) let lemma count_or (b c : t) requires { bw_and b c = zeros } ensures { count_logic (bw_or b c) = count_logic b + count_logic c } = assert { forall i. ult i size_bv -> not (nth_bv b i) \/ not (nth_bv c i) }; assert { forall i. not (nth_bv b (of_int i)) \/ not (nth_bv c (of_int i)) -> not (nth b i) \/ not (nth c i) }; assert { numof (fun_or (nth b) (nth c)) 0 32 = numof (nth b) 0 32 + numof (nth c) 0 32 }; assert { numof (nth (bw_or b c)) 0 32 = numof (fun_or (nth b) (nth c)) 0 32 } (** The `ascii` function makes any character valid in the sense that we just defined. One way to implement it is to count the number of 1-bits of a character encoded on 7 bits, and if this number is odd, set the 8th bit to 1 if not, do nothing. *) let ascii (b : t) = requires { not (nth_bv b lastbit) } ensures { eq_sub_bv result b zeros lastbit } ensures { validAscii result } let c = count b in let maskbit = u_lsl c (31:t) in assert { bw_and b maskbit = zeros }; assert { even (t'int c) -> not (nth_bv c zeros) && count_logic maskbit = 0 }; assert { odd (t'int c) -> nth_bv c zeros && nth maskbit 31 && (forall i. 0 <= i < 31 -> not (nth maskbit i)) && count_logic maskbit = 1 }; let code = bw_or b maskbit in assert { count_logic code = count_logic b + count_logic maskbit }; code (** Now, for the correctness of the checksum: We prove that two numbers differ by an odd number of bits, i.e. are of odd hamming distance, iff one is a valid ascii character while the other is not. This implies that if there is an odd number of changes on a valid ascii character, the result will be invalid, hence the validity of the encoding. *) use Hamming let rec lemma tmp (a b : t) (i j : int) requires { i < j } variant { j - i } ensures { (even (numof (nth a) i j) /\ odd (numof (nth b) i j)) \/ (odd (numof (nth a) i j) /\ even (numof (nth b) i j)) <-> odd (NumOf.numof (Hamming.nth_diff a b) i j) } = if i < j - 1 then tmp a b i (j-1) lemma asciiProp : forall a b. ((validAscii a /\ not validAscii b) \/ (validAscii b /\ not validAscii a)) <-> odd (Hamming.hammingD_logic a b) end (*** unfinished module GrayCode use int.Int use int.NumOf use number.Parity use bool.Bool use mach.bv.BVCheck32 use BitCounting32 use Hamming constant one : t = 1 : t constant lastbit : t = sub size_bv one (** {2 Gray code} Gray codes are bit-wise representations of integers with the property that every integer differs from its predecessor by only one bit. In this section we look at the "reflected binary Gray code" discussed in Chapter 13, p.311. *) (** {4 The two transformations, to and from Gray-coded integer} *) function toGray (bv : t) : t = bw_xor bv (lsr_bv bv one) function fromGray (gr : t) : t = let b = bw_xor gr (lsr_bv gr (1 : t)) in let b = bw_xor b (lsr_bv b (2 : t)) in let b = bw_xor b (lsr_bv b (4 : t)) in let b = bw_xor b (lsr_bv b (8 : t)) in bw_xor b (lsr_bv b (16 : t)) (** Which define an isomorphism. *) lemma iso: forall b. toGray (fromGray b) = b /\ fromGray (toGray b) = b (** {4 Some properties of the reflected binary Gray code} *) (** The first property that we want to check is that the reflected binary Gray code is indeed a Gray code. *) let lemma grayIsGray (b:t) ensures { Hamming.hammingD_logic (toGray b) (toGray (add b one)) = 1 } = assert { b <> ones -> toGray (add b one) = bw_xor (toGray b) (bw_and (bw_not b) (add b one)) }; assert { b <> ones -> exists k. (bw_and (bw_not b) (add b one)) = lsl one k }; assert { b <> ones -> count_logic (bw_and (bw_not b) (add b one)) = 1 }; assert { b = ones -> (toGray b) = 0x80000000 : t /\ (toGray (add b one)) = zeros } (** Now, a couple of property between the Gray code and the binary representation. Bit i of a Gray coded integer is the parity of the bit i and the bit to the left of i in the corresponding binary integer *) lemma nthGray: forall b i. ult i lastbit -> xorb (nth_bv b i) (nth_bv b (add i one)) <-> nth_bv (toGray b) i (** (using 0 if there is no bit to the left of i) *) lemma lastNthGray: forall b. nth_bv (toGray b) lastbit <-> nth_bv b lastbit (** Bit i of a binary integer is the parity of all the bits at and to the left of position i in the corresponding Gray coded integer. *) lemma nthBinary: forall b i. ult i size_bv -> nth_bv (fromGray b) i <-> even (count_logic (lsr_bv b i)) (** The last property that we check is that, if an integer is even, its encoding has an even number of 1-bits, and if it is odd, its encoding has an odd number of 1-bits. *) lemma evenOdd : forall b. nth_bv b zeros <-> even (count_logic (toGray b)) end *) why3-1.6.0/examples/bitcount/000077500000000000000000000000001440160026300160515ustar00rootroot00000000000000why3-1.6.0/examples/bitcount/why3session.xml000066400000000000000000001305231440160026300210750ustar00rootroot00000000000000 why3-1.6.0/examples/bitcount/why3shapes.gz000066400000000000000000000177001440160026300205160ustar00rootroot00000000000000]nI}Wmv@/#૑iaV%\~Od"YheqkĉYY/rwGyws.şs~ yw&ܽ,ْ>ƒK~9+v7&{&&r5%f~xDuZ2}(ݼH<9=?,URcbKu9 ww=泙԰}k.%S4U2kzML/Ҷ/Môzi)8Η\FT~-*?-*?!*'*RQv{wnoˤЦpbj/Y4VUZos)O_Ώ_[Lʋ0~5 -t~'Ahb咫Z! H !%L~ [pgV>4!I&Js[r'JWr6s,]rGAWѓZ 87lu )>BYV{Jl_)%nQm8 l 3@XP gRE@;?s"LH+$1F~VCG1C|! ABE /[_}̳)j(kl/c{뱗cpK1~''>'FUEzHD9f13츦{9.V=]]*mvAoh+DC<7u+ ꕡ[0In`՘:2[;T4'Wm!DŽȏ"Iϡ:wSxMW_}}ƣA?/CZ姓%QX:>!v׋>Pz)} ~)ux_~?|nWL 6xaIwݠAeG͢fEbՈDr I#}tgߺuG('zo& ;6qdaKrI&nGanv>a8gi?QҏM$8+%2D㵩c(S4#6OșO7k!̐;Bݞz!. 791hSSb[zՑls8k=eya-k?n) SݚjeʣWN'/pS¦\ o'SOr >J?SO;gQ5,8_3Qβ Ob ӱ'xߧwۚg=^݌A _rݗ1Oi~dZG-7wӋ`g*cj57zDܥwEW(qHQ ,䶢/Mv?#|,OhLj%Pj ^笒d*[5qx^`"1d{) *:)fgkدW shxX1GJoj˯vr,o/ӫg,/cy~Qh:JQ?jhϱ6}TKE9՝%ӵ8u^0;]?ź97}osJL-a5rJ7y5xxXEMU3~NN>8~~j|#"O-DˇT7g}gpx8]8L*_Ij:iUc8ZU󱯚}쫾:1VRR?oSlRzx&.GU7?+.Z\#7],a&aփ0ASbA WAf+Ny^7)R.% 4 [~C7K^ij?JC74އw11>T |l W ri?XUT[U3kg =F~OWZ7Ns/ nb\%omqDw4,ЃOz :Ԣ%9 xS(fz`P@^u\9?jG0?jϡm2X߾ukwV|m~:vձo# 56Wk|F?ũZ(I)5TT/a9_Fk;higQդu;;|_K߷aUv4(lPҦqw&zݾuUh@w&Iɚ=t4@[]l*Do&ESzKý 1!T!FBŇ#4`lWb”âuuMNydcΠ-:5KnefWL JI ѬˮY|xT!g@1bb>nK1&C6>{?noއ>7vz}D|wqMGj=z-k#ۓJ"o/Upz=l>}ۂ%X9|Hu;=omiS^]_$Zϒ\:Pm{V]. QvJtϔxGg'7 \Е{X4}x1|+ZStkP=n{n ؍H[Mߥ&B^B*dT5 h?M!gI*,(f}&7$Hv0a}P;xԨhE.} we62Onigrpҟ)=q`ʪ|`W yiu/OW&DϪ)ɥj=i8$ճScrG4돚{tu1)Hz:D*RkjԐh[&Ѯ=\ӿ/g` s7p=62ATn;S'Y= L? H? P c;OEd?y]r6˾dBw: Yx5.RDWl&)9'.Z0(QQ.8(WK*ZN´Yɹ&s!45MZXLd >Pa bŊ/%r%K-:ST̛WF;\J`c"*JʴN-X4& S)5s"Z3bL%ؑQ5~4%V _c!HhFϜv/z6 F Te vNX$\Rcxhb%j(6* _oeo악qKț\. V0 pL@dqQs  $Z+fP|U"_8cS]PhhTlȄS3س W("8 :sbzC0:8OD0m)EE4R[fal⺠~୘I[6f3qOTk.CmkS؃d<3!2_AJ0.l!/Qp䘋w2r* (9R gp X>dSQUT[RarH(dp3fQ  f{Cm X+f^R$&尠yK̤hش4JJ nj }+4;QNޕTTAVr8O:X$6B~ ϲ 0DGeh0:P,Zp\Xv.+ݕEdH" jjXAC DXh˙̒K VR#/$,ʂ)S3y0{Aد rVX5e@: H:T"1w ě i+ 2[dY<0Q=,H`Hc։<,r3d(0a1 Eo)T߬]GX !B i{Ws V pK4 DaR "pe((f EkЪĬ$ 29SrK^cAUm%b\!{,^5LO b21JHBaSDrvVAZܲL/ն#ACAm$B,']O%ZQ1)Oq;ƽ+rDMFKP0!BoG*L.TSr$C9GK ֆ|Bf B<-Dך@ALQIY`yP((zȈ@yO [!⹂E5{8=$[@ Hδ"D$_i䩐 (neek"Ċ" x'p?  ,>U\Њ^|`ƀ)1F@t'ެ(r< 2#΃A"DPx ?EҽUq8A2L &,K/@ibHVʼnA̘}BTBIw\X^W`U3&$ K8 HdD]WL D2qnC+KA-@]3VMUh_*:<837=B@(5 3s][EDPAn_wN K Xb_ -iA:>9&Mk2$PQ 81 902~!GQ wiwhy3-1.6.0/examples/bitvector_examples.mlw000066400000000000000000000235361440160026300206530ustar00rootroot00000000000000module Test_proofinuse use int.Int use int.Power use int.EuclideanDivision use bv.BV32 (* Shift is div example ------------------- *) let shift_is_div ( x : t ) ( y : t ) : t requires { 0 <= t'int y < 32 } = let res = lsr_bv x one in assert { res = udiv x (2:t) }; assert { t'int res = div (t'int x) 2 }; let res : t = lsr_bv res (2:t) in (* assert { res = udiv x (8:t) }; assert { t'int res = div (t'int x) 8 }; *) res (* Mask example --------------------- *) use bv.BV8 as BV8 use bv.BV64 as BV64 use bv.BVConverter_32_64 as C32_46 use bv.BVConverter_8_32 as C8_32 type bitvec8 = BV8.t type bitvec64 = BV64.t let mask ( x : t ) = ensures { result = BV8.one } (* ensures{ not ( BV8.eq result (BV8.of_int 1) ) } *) let res = C8_32.toSmall( bw_and (bw_or (bw_and x (0xFFFF_FF00:t)) one) (0x0000_00FF:t)) in res (* test invariant from frama-c ---------------- *) use ref.Ref let testVariant( n : t ) = let i = ref n in let two = 2:t in while uge !i two do variant{ t'int !i } i := lsr_bv !i two done (* testssss *) predicate in_range (n : t) = (ule (0:t) n) /\ (ule n (0x0000_00FF:t)) predicate add_over (x y : t) = (uge (add x y) x) /\ (uge (add x y) y) lemma ttt: forall x y. (add_over x y) -> (forall i. ult i x -> add_over i y) end (** {1 Examples from Hackers Delight} *) theory Hackers_delight use int.Int use bv.BV32 (** de morgan's laws *) goal DM1: forall x y. bw_not( bw_and x y ) = bw_or (bw_not x) (bw_not y) goal DM2: forall x y. bw_not( bw_or x y ) = bw_and (bw_not x) (bw_not y) goal DM3: forall x. bw_not (add x one) = sub (bw_not x) one goal DM4: forall x. bw_not (sub x one) = add (bw_not x) one goal DM5: forall x. bw_not (neg x) = sub x one goal DM6: forall x y. bw_not( bw_xor x y ) = bw_xor (bw_not x) y (* = eq x y *) goal DM7: forall x y. bw_not( add x y ) = sub (bw_not x) y goal DM8: forall x y. bw_not( sub x y ) = add (bw_not x) y goal DMtest: forall x. zeros = bw_not( bw_or x (neg( add x one))) (* inequality *) goal IE1: forall x y. ule (bw_xor x y) (bw_or x y) goal IE2: forall x y. ule (bw_and x y) (bw_not( bw_xor x y )) goal IE3: forall x y. ( ule x (add x y) /\ ule y (add x y) ) -> ule (bw_or x y) (add x y) goal IE4: forall x y. not ( ule x (add x y) /\ ule y (add x y) ) -> ugt (bw_or x y) (add x y) (* shift right and arithmetic shift right *) goal SR1: forall x n. ( ule zeros n /\ ule n (31:t)) -> bw_or (lsr_bv x n) (lsl_bv (neg( lsr_bv x (31:t) )) (sub (31:t) n)) = asr_bv x n (* rotate en shift *) goal RS_left: forall x. bw_or (lsl_bv x one) (lsr_bv x (31:t)) = rotate_left_bv x one goal RS_right: forall x. bw_or (lsr_bv x one) (lsl_bv x (31:t)) = rotate_right_bv x one (* bound propagation *) goal BP1: forall a b c d x y. ( ule a x /\ ule x b /\ ule c y /\ ule y d ) -> ( ule b (add b d) /\ ule d (add b d) ) -> (* no overflow in addition *) ule (bw_or x y) (add b d) /\ ule zeros (bw_and x y) goal BP2: forall a b c d x y. ( ule a x /\ ule x b /\ ule c y /\ ule y d ) -> ( ule b (add b d) /\ ule d (add b d) ) -> (* no overflow in addition *) ule zeros (bw_xor x y) /\ ule (bw_xor x y) (add b d) goal BP3: forall a b c d x y. ( ule a x /\ ule x b /\ ule c y /\ ule y d ) -> ule (bw_not b) (bw_not x) /\ ule (bw_not x) (bw_not a) end module Hackers_delight_mod use int.Int use bv.BV32 (* de morgan's laws *) let dm1 (x : t) (y : t) = ensures{ result = bw_or (bw_not x) (bw_not y) } bw_not( bw_and x y ) let dm2 (x : t) (y : t) = ensures{ result = bw_and (bw_not x) (bw_not y) } bw_not( bw_or x y ) let dm3 (x : t) = ensures{ result = sub (bw_not x) one } bw_not( add x one ) let dm4 (x : t) = ensures{ result = add (bw_not x) one } bw_not( sub x one ) let dm5 (x : t) = ensures{ result = sub x one } bw_not( neg x ) let dm6 (x : t) (y : t) = ensures{ result = bw_xor (bw_not x) y } bw_not( bw_xor x y ) let dm7 (x : t) (y : t) = ensures{ result = sub (bw_not x) y } bw_not( add x y ) let dm8 (x : t) (y : t) = ensures{ result = add (bw_not x) y } bw_not( sub x y ) let dmtest (x : t) = ensures{ result = zeros } bw_not( bw_or x (neg( add x one))) (* inequality *) let ie1 (x : t) (y : t) = ensures{ ule result (bw_or x y) } bw_xor x y let ie2 (x : t) (y : t) = ensures{ ule result (bw_not( bw_xor x y ))} bw_and x y let ie3 (x : t) (y : t) = requires{ ule x (add x y) /\ ule y (add x y) } ensures{ ule result (add x y) } bw_or x y let ie4 (x : t) (y : t) = requires{ not ( ule x (add x y) /\ ule y (add x y) ) } ensures{ ugt result (add x y) } bw_or x y (* shift right and arithmetic shift right *) let sr1 (x : t) (n : t) = requires{ ule zeros n /\ ule n (31:t) } ensures{ result = asr_bv x n } bw_or (lsr_bv x n) (lsl_bv (neg( lsr_bv x (31:t) )) (sub (31:t) n)) (* rotate en shift *) let rs_left (x : t) = ensures{ result = rotate_left_bv x one } bw_or (lsl_bv x one) (lsr_bv x (31:t)) let rs_right (x : t) = ensures{ result = rotate_right_bv x one } bw_or (lsr_bv x one) (lsl_bv x (31:t)) (* bound propagation *) let bp1 (a b c d x y : t) = requires{ ule a x /\ ule x b } requires{ ule c y /\ ule y d } requires{ ule b (add b d) /\ ule d (add b d) } (* no overflow in addition *) ensures{ ule result (add b d) } bw_or x y let bp1' (a b c d x y : t) = requires{ ule a x /\ ule x b } requires{ ule c y /\ ule y d } requires{ ule b (add b d) /\ ule d (add b d) } (* no overflow in addition *) ensures{ ule zeros result } bw_and x y let bp2 (a b c d x y : t) = requires{ ule a x /\ ule x b } requires{ ule c y /\ ule y d } requires{ ule b (add b d) /\ ule d (add b d) } (* no overflow in addition *) ensures{ ule zeros result } ensures{ ule result (add b d) } bw_xor x y let bp3 (a b c d x y : t) = requires{ ule a x /\ ule x b } requires{ ule c y /\ ule y d } ensures{ ule (bw_not b) result } ensures{ ule result (bw_not a) } bw_not x end module Test_imperial_violet use int.Int use int.EuclideanDivision use bv.BV32 use array.Array (* to_int and bounds *) lemma bv32_bounds_bv: forall b. ule zeros b /\ ule b ones lemma to_int_ule: forall b c. ule b c -> t'int b <= t'int c lemma to_int_ult: forall b c. ult b c -> t'int b < t'int c lemma bv32_bounds_0: forall b. 0 <= t'int b lemma bv32_bounds: forall b. 0 <= t'int b < 0x1_0000_0000 (* bounded add of array of t *) let add (a : array t ) (b : array t) = requires{ length a = length b } requires{ forall i. 0 <= i < length a -> ult a[i] (0x8000_0000:t) } requires{ forall i. 0 <= i < length b -> ult b[i] (0x8000_0000:t) } ensures{ forall i. 0 <= i < length result -> t'int result[i] = t'int a[i] + t'int b[i] } let sum = make (length a) zeros in for i = 0 to length a - 1 do invariant{ forall j. 0 <= j < i -> sum[j] = add a[j] b[j] } invariant{ forall j. 0 <= j < i -> t'int sum[j] = t'int a[j] + t'int b[j] } sum[i] <- add a[i] b[i] done; sum end module Test_from_bitvector_example use int.Int use bv.BV32 goal Test1: let b = bw_and zeros ones in nth_bv b one = False goal Test2: let b = lsr_bv ones (16:t) in nth_bv b (15:t) = True goal Test3: let b = lsr_bv ones (16:t) in nth_bv b (16:t) = False goal Test4: let b = asr_bv ones (16:t) in nth_bv b (15:t) = True goal Test5: let b = asr_bv ones (16:t) in nth_bv b (16:t) = True goal Test6: let b = asr_bv (lsr_bv ones one) (16:t) in nth_bv b (16:t) = False let lsr31 () = ensures{ result = one } lsr_bv ones (31:t) let lsr30 () = ensures{ result = (3:t) } lsr_bv ones (30:t) let lsr29 () = ensures{ t'int result = 7 } lsr_bv ones (29:t) let lsr28 () = ensures{ t'int result = 15 } lsr_bv ones (28:t) let lsr27 () = ensures{ t'int result = 31 } lsr_bv ones (27:t) let lsr26 () = ensures{ t'int result = 63 } lsr_bv ones (26:t) let lsr20 () = ensures{ t'int result = 4095 } lsr_bv ones (20:t) let lsr13 () = ensures{ t'int result = 524287 } lsr_bv ones (13:t) let lsr8 () = ensures{ t'int result = 16777215 } lsr_bv ones (8:t) goal to_int_0x00000001: t'int (lsr_bv ones (31:t)) = 1 goal to_int_0x00000003: t'int (lsr_bv ones (30:t)) = 3 goal to_int_0x00000007: t'int (lsr_bv ones (29:t)) = 7 goal to_int_0x0000000F: t'int (lsr_bv ones (28:t)) = 15 goal to_int_0x0000001F: t'int (lsr_bv ones (27:t)) = 31 goal to_int_0x0000003F: t'int (lsr_bv ones (26:t)) = 63 goal to_int_0x0000007F: t'int (lsr_bv ones (25:t)) = 127 goal to_int_0x000000FF: t'int (lsr_bv ones (24:t)) = 255 goal to_int_0x000001FF: t'int (lsr_bv ones (23:t)) = 511 goal to_int_0x000003FF: t'int (lsr_bv ones (22:t)) = 1023 goal to_int_0x000007FF: t'int (lsr_bv ones (21:t)) = 2047 goal to_int_0x00000FFF: t'int (lsr_bv ones (20:t)) = 4095 goal to_int_0x00001FFF: t'int (lsr_bv ones (19:t)) = 8191 goal to_int_0x00003FFF: t'int (lsr_bv ones (18:t)) = 16383 goal to_int_0x00007FFF: t'int (lsr_bv ones (17:t)) = 32767 goal to_int_0x0000FFFF: t'int (lsr_bv ones (16:t)) = 65535 goal to_int_0x0001FFFF: t'int (lsr_bv ones (15:t)) = 131071 goal to_int_0x0003FFFF: t'int (lsr_bv ones (14:t)) = 262143 goal to_int_0x0007FFFF: t'int (lsr_bv ones (13:t)) = 524287 goal to_int_0x000FFFFF: t'int (lsr_bv ones (12:t)) = 1048575 goal to_int_0x00FFFFFF: t'int (lsr_bv ones (8:t)) = 16777215 goal to_int_0xFFFFFFFF: t'int ones = 4294967295 end why3-1.6.0/examples/bitvector_examples/000077500000000000000000000000001440160026300201215ustar00rootroot00000000000000why3-1.6.0/examples/bitvector_examples/why3session.xml000066400000000000000000000333551440160026300231520ustar00rootroot00000000000000 why3-1.6.0/examples/bitvector_examples/why3shapes.gz000066400000000000000000000107041440160026300225630ustar00rootroot00000000000000Z]o7}_q߲;$xae#,̯Cq,vSUo:?ӗr>߇׻"g^g<.bYc4H0]dSyz!2+.O?<\1]( <=_x].|`Q '6Leo!(iY~xxzt)KD*FP\\8Ϲot{>O`Ɋpūs^֔L뻟njF_^/Szt_pl9?}+ 0}|z] 92=nNJ/jMV?zpTv1qZ42Y3??`Z燼;z{dZ<3oG6>?kٻ)sc_j<ԮAO#5k1oψ5`L?Yl?+/ꦃ[BixAUs1=&ŝ9sZr)ʛ1_wadhIMx\狓@g <[ӸxO׋;XeUnj x/oFUz\eK{. ͸pKH 'q趒l3w_Fn;#kHQ3(;-} m.nᡛO+⊳tkNFrUFg LI]6m8}~i~6燷<7Gc2s Ή7D`~LMS.v&;y㷹wL9 S /}H>Yׄ`/vǴ :F}ũmb$>3t\(o_(1]fdgrd}f Pu1t, $%섒OR (l0 )lm iF(hC u, ͅ 5^ &)=c^U2Ht6G]YB gMkY6О8+dHN I-XD۾:)yV4T|5"WI0eP;i<)G%o.DQЋ]O`S{VtaaJD/Q&N$;ivVnRh 8 8Z$ڥĭ"fOZ5 לR_q,zH*3]s M4(QK-Z!R z5tj]!q.#̢1 &#C1$0'amyM$dnf `BATA9̰G3=T- ,y $g%gv L!n*7D3f)Ah'Qi!QIAt-f~cUJr@FCXHZ i+s! ]aC1ȭ_UȄg脆)hФ{`%=4Aխ !4p1FCBRacF9CX&8 "VZ+w ##X(XݠCMО)T`%8Dڹp0h(065@Ɓ_ [ vE6ǡBYA5 fR] B  ĕB)J <|j*(DNi1h$ZȹvH(A[606JȡQ 4S*НzXQoc^P! ^);PlĐ.II(R5F1.g$ XջOa|SB lVAG!b} 1 type bv function nth bv int: bool function bvzero : bv axiom Nth_zero: forall n:int. 0 <= n < size -> nth bvzero n = False function bvone : bv axiom Nth_one: forall n:int. 0 <= n < size -> nth bvone n = True predicate eq (v1 v2 : bv) = forall n:int. 0 <= n < size -> nth v1 n = nth v2 n axiom extensionality: forall v1 v2 : bv. eq v1 v2 -> v1 = v2 function bw_and (v1 v2 : bv) : bv axiom Nth_bw_and: forall v1 v2:bv, n:int. 0 <= n < size -> nth (bw_and v1 v2) n = andb (nth v1 n) (nth v2 n) function bw_or (v1 v2 : bv) : bv axiom Nth_bw_or: forall v1 v2:bv, n:int. 0 <= n < size -> nth (bw_or v1 v2) n = orb (nth v1 n) (nth v2 n) function bw_xor (v1 v2 : bv) : bv axiom Nth_bw_xor: forall v1 v2:bv, n:int. 0 <= n < size -> nth (bw_xor v1 v2) n = xorb (nth v1 n) (nth v2 n) lemma Nth_bw_xor_v1true: forall v1 v2:bv, n:int. 0 <= n < size /\ nth v1 n = True -> nth (bw_xor v1 v2) n = notb (nth v2 n) lemma Nth_bw_xor_v1false: forall v1 v2:bv, n:int. 0 <= n < size /\ nth v1 n = False-> nth (bw_xor v1 v2) n = nth v2 n lemma Nth_bw_xor_v2true: forall v1 v2:bv, n:int. 0 <= n < size /\ nth v2 n = True-> nth (bw_xor v1 v2) n = notb (nth v1 n) lemma Nth_bw_xor_v2false: forall v1 v2:bv, n:int. 0 <= n < size /\ nth v2 n = False-> nth (bw_xor v1 v2) n = nth v1 n function bw_not (v : bv) : bv axiom Nth_bw_not: forall v:bv, n:int. 0 <= n < size -> nth (bw_not v) n = notb (nth v n) (* logical shift right *) function lsr bv int : bv (* axiom lsr_nth_low: forall b:bv, n s:int. 0 <= n < size -> 0 <= s -> n+s < size -> nth (lsr b s) n = nth b (n+s) axiom lsr_nth_high: forall b:bv, n s:int. 0 <= n < size -> 0 <= s -> n+s >= size -> nth (lsr b s) n = False *) axiom lsr_nth_low: forall b:bv, n s:int. 0 <= n < size /\ 0 <= s nth (lsr b s) n = nth b (n+s) axiom lsr_nth_high: forall b:bv, n s:int. 0 <= n < size /\ 0 <= s= size -> nth (lsr b s) n = False (* arithmetic shift right *) function asr bv int : bv axiom asr_nth_low: forall b:bv, n s:int. 0 <= n < size -> 0 <= s -> n+s < size -> nth (asr b s) n = nth b (n+s) axiom asr_nth_high: forall b:bv, n s:int. 0 <= n < size -> 0 <= s -> n+s >= size -> nth (asr b s) n = nth b (size-1) (* logical shift left *) function lsl bv int : bv axiom lsl_nth_high: forall b:bv, n s:int. 0 <= n < size -> 0 <= s -> 0 <= n-s -> nth (lsl b s) n = nth b (n-s) axiom lsl_nth_low: forall b:bv, n s:int. 0 <= n < size -> 0 <= s -> 0 > n-s -> nth (lsl b s) n = False (* conversion to/from integers *) (* function to_nat_aux bv int : int (* (to_nat_aux b i) returns the non-negative integer whose binary repr is b[size-1..i] *) axiom to_nat_aux_zero : forall b:bv, i:int. 0 <= i < size -> nth b i = False -> to_nat_aux b i = 2 * to_nat_aux b (i+1) axiom to_nat_aux_one : forall b:bv, i:int. 0 <= i < size -> nth b i = True -> to_nat_aux b i = 1 + 2 * to_nat_aux b (i+1) axiom to_nat_aux_high : forall b:bv, i:int. i >= size -> to_nat_aux b i = 0 *) (* generalization : (to_nat_sub b j i) returns the non-negative number represented by b[j..i] *) function to_nat_sub bv int int : int (* (to_nat_sub b j i) returns the non-negative integer whose binary repr is b[j..i] *) (* axiom to_nat_sub_zero : forall b:bv, j i:int. 0 <= i <= j -> nth b i = False -> to_nat_sub b j i = 2 * to_nat_sub b j (i+1) axiom to_nat_sub_one : forall b:bv, j i:int. 0 <= i <= j -> nth b i = True -> to_nat_sub b j i = 1 + 2 * to_nat_sub b j (i+1) axiom to_nat_sub_high : forall b:bv, j i:int. i > j -> to_nat_sub b j i = 0 *) axiom to_nat_sub_zero : forall b:bv, j i:int. 0 <= i <= j < size -> nth b j = False -> to_nat_sub b j i = to_nat_sub b (j-1) i axiom to_nat_sub_one : forall b:bv, j i:int. 0 <= i <= j < size -> nth b j = True -> to_nat_sub b j i = (pow2 (j-i)) + to_nat_sub b (j-1) i axiom to_nat_sub_high : forall b:bv, j i:int. i > j -> to_nat_sub b j i = 0 (* lemma to_nat_sub_low_true : forall b:bv, j:int.nth b j = True -> to_nat_sub b j j = 1 lemma to_nat_sub_low_false : forall b:bv, j:int.nth b j = False -> to_nat_sub b j j = 0 *) lemma to_nat_of_zero2: forall b:bv, i j:int. size > j >= i >= 0 -> (forall k:int. j >= k > i -> nth b k = False) -> to_nat_sub b j 0 = to_nat_sub b i 0 lemma to_nat_of_zero: forall b:bv, j i:int. size > j /\ i >= 0 -> (forall k:int. j >= k >= i -> nth b k = False) -> to_nat_sub b j i = 0 let rec lemma to_nat_of_one (b: bv) i j requires { size > j >= i >= 0 } requires { forall k:int. j >= k >= i -> nth b k = True } ensures { to_nat_sub b j i = pow2 (j-i+1) - 1 } variant { j - i } = if j > i then to_nat_of_one b i (j-1) lemma to_nat_sub_footprint: forall b1 b2:bv, j i:int. size > j /\ i >=0 -> (forall k:int. i <= k <= j -> nth b1 k = nth b2 k) -> to_nat_sub b1 j i = to_nat_sub b2 j i (* lemma to_nat_sub_of_zero_ij: forall b:bv, i j:int. (forall k:int. j >= k >= i -> nth b k = False) -> to_nat_sub b j i = 0 *) (* function to_nat (b:bv) : int = to_nat_aux b 0*) function to_nat (b:bv) : int = to_nat_sub b (size-1) 0 (* this lemma is for TestBv32*) (*false::: lemma lsr_to_nat_sub: forall b:bv, n s:int. 0 <= s to_nat_sub (lsr b s) (size -1) 0 = to_nat_sub b (size-1-s) 0*) (* lemma lsr_to_nat_sub: forall b:bv, n s:int. 0 <= s to_nat_sub (lsr b s) (size -1) 0 = to_nat_sub b (size-1) s *) (* 2-complement version *) (* function to_int_aux bv int : int (* (to_int_aux b i) returns the integer whose 2-complement binary repr is b[size-1..i] *) axiom to_int_aux_zero : forall b:bv, i:int. 0 <= i < size-1 -> nth b i = False -> to_int_aux b i = 2 * to_int_aux b (i+1) axiom to_int_aux_one : forall b:bv, i:int. 0 <= i < size-1 -> nth b i = True -> to_int_aux b i = 1 + 2 * to_int_aux b (i+1) axiom to_int_aux_pos : forall b:bv. nth b (size-1) = False -> to_int_aux b (size-1) = 0 axiom to_int_aux_neg : forall b:bv. nth b (size-1) = True -> to_int_aux b (size-1) = -1 lemma to_int_zero: forall b:bv. (forall i:int. 0 <= i nth b i = False) -> to_int_aux b 0 = 0 lemma to_int_one: forall b:bv. (forall i:int. 0 <= i nth b i = True) -> to_int_aux b 0 = -1 function to_int (b:bv) : int = to_int_aux b 0 *) (* (from_uint n) returns the bitvector representing the non-negative integer n on size bits. *) function from_int (n:int) : bv use int.EuclideanDivision (* axiom nth_from_int_high: forall n i:int. size>i > 0 -> nth (from_int n) i = nth (from_int (div n 2)) (i-1) *) (*Notice: replace 0 <= i =0 -> nth (from_int n) (size - 1) = False axiom from_int_sign_negative: forall n:int. n<0 -> nth (from_int n) (size - 1) = True *) axiom nth_from_int_high_even: forall n i:int. size > i >= 0 /\ mod (div n (pow2 i)) 2 = 0 -> nth (from_int n) i = False axiom nth_from_int_high_odd: forall n i:int. size > i >= 0 /\ mod (div n (pow2 i)) 2 <> 0 -> nth (from_int n) i = True lemma nth_from_int_low_even: forall n:int. mod n 2 = 0 -> nth (from_int n) 0 = False lemma nth_from_int_low_odd: forall n:int. mod n 2 <> 0 -> nth (from_int n) 0 = True lemma nth_from_int_0: forall i:int. size > i >= 0 -> nth (from_int 0) i = False (*********************************************************************) (*from_int2c: int -> bv *) (* Take an integer as input and returns a bv with 2-complement*) (* bit size-1:sign, false if n is non-negative, true otherwise*) (*********************************************************************) function from_int2c (n:int) : bv (*********************************************************************) (* axiom for n is non-negative *) (*********************************************************************) axiom nth_sign_positive: forall n :int. n>=0 -> nth (from_int2c n) (size-1) = False (*********************************************************************) (* axiom for n is negative *) (*********************************************************************) axiom nth_sign_negative: forall n:int. n<0 -> nth (from_int2c n) (size-1) = True (*********************************************************************) (* axioms for any n *) (*********************************************************************) axiom nth_from_int2c_high_even: forall n i:int. size-1 > i >= 0 /\ mod (div n (pow2 i)) 2 = 0 -> nth (from_int2c n) i = False axiom nth_from_int2c_high_odd: forall n i:int. size-1 > i >= 0 /\ mod (div n (pow2 i)) 2 <> 0 -> nth (from_int2c n) i = True lemma nth_from_int2c_low_even: forall n:int. mod n 2 = 0 -> nth (from_int2c n) 0 = False lemma nth_from_int2c_low_odd: forall n:int. mod n 2 <> 0 -> nth (from_int2c n) 0 = True lemma nth_from_int2c_0: forall i:int. size > i >= 0 -> nth (from_int2c 0) i = False lemma nth_from_int2c_plus_pow2: forall x k i:int. 0 <= k < i /\ k < size-1 -> nth (from_int2c (x+pow2 i)) k = nth (from_int2c x) k end theory BV32 function size : int = 32 clone export BitVector with function size, lemma size_positive, axiom . end theory BV64 function size : int = 64 clone export BitVector with function size, lemma size_positive, axiom . end theory BV32_64 use int.Int use BV32 as BV32 use BV64 as BV64 function concat BV32.bv BV32.bv : BV64.bv axiom concat_low: forall b1 b2:BV32.bv. forall i:int. 0 <= i < 32 -> BV64.nth (concat b1 b2) i = BV32.nth b2 i axiom concat_high: forall b1 b2:BV32.bv. forall i:int. 32 <= i < 64 -> BV64.nth (concat b1 b2) i = BV32.nth b1 (i-32) end theory TestBv32 use BV32 use int.Int goal Test1: let b = bw_and bvzero bvone in nth b 1 = False goal Test2: let b = lsr bvone 16 in nth b 15 = True goal Test3: let b = lsr bvone 16 in nth b 16 = False goal Test4: let b = asr bvone 16 in nth b 15 = True goal Test5: let b = asr bvone 16 in nth b 16 = True goal Test6: let b = asr (lsr bvone 1) 16 in nth b 16 = False goal to_nat_0x00000000: to_nat bvzero = 0 goal to_nat_0x00000001: to_nat (lsr bvone 31) = 1 goal to_nat_0x00000003: to_nat (lsr bvone 30) = 3 goal to_nat_0x00000007: to_nat (lsr bvone 29) = 7 goal to_nat_0x0000000F: to_nat (lsr bvone 28) = 15 goal to_nat_0x0000001F: to_nat (lsr bvone 27) = 31 goal to_nat_0x0000003F: to_nat (lsr bvone 26) = 63 goal to_nat_0x0000007F: to_nat (lsr bvone 25) = 127 goal to_nat_0x000000FF: to_nat (lsr bvone 24) = 255 goal to_nat_0x000001FF: to_nat (lsr bvone 23) = 511 goal to_nat_0x000003FF: to_nat (lsr bvone 22) = 1023 goal to_nat_0x000007FF: to_nat (lsr bvone 21) = 2047 goal to_nat_0x00000FFF: to_nat (lsr bvone 20) = 4095 goal to_nat_0x00001FFF: to_nat (lsr bvone 19) = 8191 goal to_nat_0x00003FFF: to_nat (lsr bvone 18) = 16383 goal to_nat_0x00007FFF: to_nat (lsr bvone 17) = 32767 goal to_nat_0x0000FFFF: to_nat (lsr bvone 16) = 65535 (* goal to_nat_smoke: to_nat (lsr bvone 16) = 65536 *) goal to_nat_0x0001FFFF: to_nat (lsr bvone 15) = 131071 goal to_nat_0x0003FFFF: to_nat (lsr bvone 14) = 262143 goal to_nat_0x0007FFFF: to_nat (lsr bvone 13) = 524287 goal to_nat_0x000FFFFF: to_nat (lsr bvone 12) = 1048575 goal to_nat_0x00FFFFFF: to_nat (lsr bvone 8) = 16777215 goal to_nat_0xFFFFFFFF: to_nat bvone = 4294967295 (* goal to_int_0x00000000: to_int bvzero = 0 goal to_int_0xFFFFFFFF: to_int bvone = -1 goal to_int_0x7FFFFFFF: to_int (lsr bvone 1) = 2147483647 goal to_int_0x80000000: to_int (lsl bvone 31) = -2147483648 goal to_int_0x0000FFFF: to_int (lsr bvone 16) = 65535 goal to_int_smoke: to_int (lsr bvone 16) = 65536 *) end (* Local Variables: compile-command: "why3 ide -L . bitvector.why" End: *) why3-1.6.0/examples/bitvectors/bitvector/000077500000000000000000000000001440160026300204075ustar00rootroot00000000000000why3-1.6.0/examples/bitvectors/bitvector/why3session.xml000066400000000000000000000302211440160026300234250ustar00rootroot00000000000000 why3-1.6.0/examples/bitvectors/bitvector/why3shapes.gz000066400000000000000000000061031440160026300230470ustar00rootroot00000000000000Xn7}[n0*Era0ZO~5xE8$;|vtK3YlM`ddթbU.p?v%W?Ƈk]|~?x?>ԛm|&Q]wuɨ̫ 'L{K`k5j&B7Ԅ#Ăioc0}2XzvԳ;|0N4[@%ZA] ҭqa445C ؙӮ>q= Do@?|NѸ^ u!&Sz2?0ZrGi:l4gNQ,qV=g£H?Cv{-ٿoNk|ʹ'A1FL^el8k IY!͢ͼoo{aэ׻?|9h*lO[t+NgEvVǽ~h!m4Z^8{,pz0tX AFBDUX,V 8`qh+>H߯j̾Go?˰+5.OO[Ǽk ]/}T4)򇩌fڭyo-%Y(("ʭRȔp3BM˅H"Dbc\a6K -VЬIR%9P/7>dvc;wo/=fpyq3PztfeNPf e@BV e/k}%:Ví3zΣuϠwp>^.j^ͦt4_gO)> hzvyoqW3[nF t=M䭷K돁?/-+9)s|IVr@p~`W93,ޔx'/B ttAgR|A^2lT8/B#C?/`vr^"( "aM]  an ;/_9G VzNm.X.T)fms7`3U)Ԓ-/ EkߜTH[ %(`"uOצՀۛ)E0,N|t;KY`*DsI5DŁU4( $7 d2"r&6W)ـ[Ѣn`;LVN@ J.p &|ų yYĦ`ɱHB-JS%bQBcCnU5rUSqwy99(K5mE*8y_yx%ULk6#/&9bl> r8RV7st|EZ)0*eSReW6r(IB)!SWF W)Fb*ETfRk+Ãh QѢ%aJ$ f0E#%PHEЕ 3HBPElbV-Eq)‘<℮&s9PU(.I ת\>bD AƊ,b|QI|5"˱}A KvHbZHʵƉC0W^Z  +#Z"#TRLȅx./=)KCèFcGQ'EWU"W1z e9 6 }0RH^8LTzWy_Z ы2F J["](W! 6E܃áKQ,^9 Jt.9B)t*oE3@ԩ#1GQQ@\E&Hfq`#|Tm,zoHKų@te4bN2}pvceY$why3-1.6.0/examples/bitvectors/double.why000066400000000000000000000041331440160026300204120ustar00rootroot00000000000000theory BV_double use int.Int use real.RealInfix use real.FromInt use power2.Pow2real use bitvector.BV64 function double_of_bv64 (b:bv) : real (* TODO: axioms real represented by bv = sign . exp . mantissa sign on bit 63 exp on bits 62..52 mantissa on bits 51..0 si exp = 0 : zero or denormalized, we specify only zero si exp = 2047 : infinities or nan, we don't specify anything si 1 <= exp <= 2046 : the number represented is (-1)^sign * 2^(exp - bias) * (1 + mantissa * 2^(1-prec)) where bias = 1023, prec = 53 (e.g. the largest representable number is 2^(2046-1023) * (1+ (2^52-1)* 2^(-52)) = 2^1023 * (1 + 1 - 2^-52) = 2^1024 - 2^(1023-52) = 2^1024 - 2^971 ) *) function exp (b:bv) : int = BV64.to_nat_sub b 62 52 function mantissa (b:bv) : int = BV64.to_nat_sub b 51 0 function sign (b:bv) : bool = BV64.nth b 63 function sign_value(s:bool):real axiom sign_value_false: sign_value(False) = 1.0 axiom sign_value_true: sign_value(True) = -.1.0 axiom zero : forall b:bv. exp(b) = 0 /\ mantissa(b) = 0 -> double_of_bv64(b) = 0.0 axiom sign_of_double_positive: forall b:bv. sign b = False -> double_of_bv64(b) >=. 0.0 axiom sign_of_double_negative: forall b:bv. sign b = True -> double_of_bv64(b) <=. 0.0 axiom double_of_bv64_value: forall b:bv. 0 < exp(b) < 2047 -> double_of_bv64(b) = sign_value(sign(b)) *. (pow2 ((exp b) - 1023)) *. (1.0 +. (FromInt.from_int (mantissa b)) *. (pow2 (-52))) end theory TestDouble use int.Int use bitvector.BV64 use BV_double function one:bv = from_int 4607182418800017408 (* 1.0 *) lemma nth_one1: forall i:int. 0 <= i <= 51 -> nth one i = False lemma nth_one2: forall i:int. 52 <= i <= 61 -> nth one i = True lemma nth_one3: forall i:int. 62 <= i <= 63 -> nth one i = False lemma sign_one: sign(one) = False lemma exp_one: exp(one) = 1023 lemma mantissa_one: mantissa(one) = 0 lemma double_value_of_1: double_of_bv64(one) = 1.0 end (* Local Variables: compile-command: "why3ide -L . double.why" End: *) why3-1.6.0/examples/bitvectors/double/000077500000000000000000000000001440160026300176605ustar00rootroot00000000000000why3-1.6.0/examples/bitvectors/double/double_TestDouble_exp_one_1.v000066400000000000000000000314131440160026300254120ustar00rootroot00000000000000(* This file is generated by Why3's Coq driver *) (* Beware! Only edit allowed sections below *) Require Import ZArith. Require Import Rbase. Require int.Int. Require int.Abs. Require int.EuclideanDivision. Require real.Real. Require real.RealInfix. Require real.FromInt. (* Why3 assumption *) Definition implb(x:bool) (y:bool): bool := match (x, y) with | (true, false) => false | (_, _) => true end. Parameter pow2: Z -> Z. Axiom Power_0 : ((pow2 0%Z) = 1%Z). Axiom Power_s : forall (n:Z), (0%Z <= n)%Z -> ((pow2 (n + 1%Z)%Z) = (2%Z * (pow2 n))%Z). Axiom Power_1 : ((pow2 1%Z) = 2%Z). Axiom Power_sum : forall (n:Z) (m:Z), ((0%Z <= n)%Z /\ (0%Z <= m)%Z) -> ((pow2 (n + m)%Z) = ((pow2 n) * (pow2 m))%Z). Axiom pow2pos : forall (i:Z), (0%Z <= i)%Z -> (0%Z < (pow2 i))%Z. Axiom pow2_0 : ((pow2 0%Z) = 1%Z). Axiom pow2_1 : ((pow2 1%Z) = 2%Z). Axiom pow2_2 : ((pow2 2%Z) = 4%Z). Axiom pow2_3 : ((pow2 3%Z) = 8%Z). Axiom pow2_4 : ((pow2 4%Z) = 16%Z). Axiom pow2_5 : ((pow2 5%Z) = 32%Z). Axiom pow2_6 : ((pow2 6%Z) = 64%Z). Axiom pow2_7 : ((pow2 7%Z) = 128%Z). Axiom pow2_8 : ((pow2 8%Z) = 256%Z). Axiom pow2_9 : ((pow2 9%Z) = 512%Z). Axiom pow2_10 : ((pow2 10%Z) = 1024%Z). Axiom pow2_11 : ((pow2 11%Z) = 2048%Z). Axiom pow2_12 : ((pow2 12%Z) = 4096%Z). Axiom pow2_13 : ((pow2 13%Z) = 8192%Z). Axiom pow2_14 : ((pow2 14%Z) = 16384%Z). Axiom pow2_15 : ((pow2 15%Z) = 32768%Z). Axiom pow2_16 : ((pow2 16%Z) = 65536%Z). Axiom pow2_17 : ((pow2 17%Z) = 131072%Z). Axiom pow2_18 : ((pow2 18%Z) = 262144%Z). Axiom pow2_19 : ((pow2 19%Z) = 524288%Z). Axiom pow2_20 : ((pow2 20%Z) = 1048576%Z). Axiom pow2_21 : ((pow2 21%Z) = 2097152%Z). Axiom pow2_22 : ((pow2 22%Z) = 4194304%Z). Axiom pow2_23 : ((pow2 23%Z) = 8388608%Z). Axiom pow2_24 : ((pow2 24%Z) = 16777216%Z). Axiom pow2_25 : ((pow2 25%Z) = 33554432%Z). Axiom pow2_26 : ((pow2 26%Z) = 67108864%Z). Axiom pow2_27 : ((pow2 27%Z) = 134217728%Z). Axiom pow2_28 : ((pow2 28%Z) = 268435456%Z). Axiom pow2_29 : ((pow2 29%Z) = 536870912%Z). Axiom pow2_30 : ((pow2 30%Z) = 1073741824%Z). Axiom pow2_31 : ((pow2 31%Z) = 2147483648%Z). Axiom pow2_32 : ((pow2 32%Z) = 4294967296%Z). Axiom pow2_33 : ((pow2 33%Z) = 8589934592%Z). Axiom pow2_34 : ((pow2 34%Z) = 17179869184%Z). Axiom pow2_35 : ((pow2 35%Z) = 34359738368%Z). Axiom pow2_36 : ((pow2 36%Z) = 68719476736%Z). Axiom pow2_37 : ((pow2 37%Z) = 137438953472%Z). Axiom pow2_38 : ((pow2 38%Z) = 274877906944%Z). Axiom pow2_39 : ((pow2 39%Z) = 549755813888%Z). Axiom pow2_40 : ((pow2 40%Z) = 1099511627776%Z). Axiom pow2_41 : ((pow2 41%Z) = 2199023255552%Z). Axiom pow2_42 : ((pow2 42%Z) = 4398046511104%Z). Axiom pow2_43 : ((pow2 43%Z) = 8796093022208%Z). Axiom pow2_44 : ((pow2 44%Z) = 17592186044416%Z). Axiom pow2_45 : ((pow2 45%Z) = 35184372088832%Z). Axiom pow2_46 : ((pow2 46%Z) = 70368744177664%Z). Axiom pow2_47 : ((pow2 47%Z) = 140737488355328%Z). Axiom pow2_48 : ((pow2 48%Z) = 281474976710656%Z). Axiom pow2_49 : ((pow2 49%Z) = 562949953421312%Z). Axiom pow2_50 : ((pow2 50%Z) = 1125899906842624%Z). Axiom pow2_51 : ((pow2 51%Z) = 2251799813685248%Z). Axiom pow2_52 : ((pow2 52%Z) = 4503599627370496%Z). Axiom pow2_53 : ((pow2 53%Z) = 9007199254740992%Z). Axiom pow2_54 : ((pow2 54%Z) = 18014398509481984%Z). Axiom pow2_55 : ((pow2 55%Z) = 36028797018963968%Z). Axiom pow2_56 : ((pow2 56%Z) = 72057594037927936%Z). Axiom pow2_57 : ((pow2 57%Z) = 144115188075855872%Z). Axiom pow2_58 : ((pow2 58%Z) = 288230376151711744%Z). Axiom pow2_59 : ((pow2 59%Z) = 576460752303423488%Z). Axiom pow2_60 : ((pow2 60%Z) = 1152921504606846976%Z). Axiom pow2_61 : ((pow2 61%Z) = 2305843009213693952%Z). Axiom pow2_62 : ((pow2 62%Z) = 4611686018427387904%Z). Axiom pow2_63 : ((pow2 63%Z) = 9223372036854775808%Z). Axiom size_positive : (1%Z < 64%Z)%Z. Parameter bv : Type. Parameter nth: bv -> Z -> bool. Parameter bvzero: bv. Axiom Nth_zero : forall (n:Z), ((0%Z <= n)%Z /\ (n < 64%Z)%Z) -> ((nth bvzero n) = false). Parameter bvone: bv. Axiom Nth_one : forall (n:Z), ((0%Z <= n)%Z /\ (n < 64%Z)%Z) -> ((nth bvone n) = true). (* Why3 assumption *) Definition eq(v1:bv) (v2:bv): Prop := forall (n:Z), ((0%Z <= n)%Z /\ (n < 64%Z)%Z) -> ((nth v1 n) = (nth v2 n)). Axiom extensionality : forall (v1:bv) (v2:bv), (eq v1 v2) -> (v1 = v2). Parameter bw_and: bv -> bv -> bv. Axiom Nth_bw_and : forall (v1:bv) (v2:bv) (n:Z), ((0%Z <= n)%Z /\ (n < 64%Z)%Z) -> ((nth (bw_and v1 v2) n) = (andb (nth v1 n) (nth v2 n))). Parameter bw_or: bv -> bv -> bv. Axiom Nth_bw_or : forall (v1:bv) (v2:bv) (n:Z), ((0%Z <= n)%Z /\ (n < 64%Z)%Z) -> ((nth (bw_or v1 v2) n) = (orb (nth v1 n) (nth v2 n))). Parameter bw_xor: bv -> bv -> bv. Axiom Nth_bw_xor : forall (v1:bv) (v2:bv) (n:Z), ((0%Z <= n)%Z /\ (n < 64%Z)%Z) -> ((nth (bw_xor v1 v2) n) = (xorb (nth v1 n) (nth v2 n))). Axiom Nth_bw_xor_v1true : forall (v1:bv) (v2:bv) (n:Z), (((0%Z <= n)%Z /\ (n < 64%Z)%Z) /\ ((nth v1 n) = true)) -> ((nth (bw_xor v1 v2) n) = (negb (nth v2 n))). Axiom Nth_bw_xor_v1false : forall (v1:bv) (v2:bv) (n:Z), (((0%Z <= n)%Z /\ (n < 64%Z)%Z) /\ ((nth v1 n) = false)) -> ((nth (bw_xor v1 v2) n) = (nth v2 n)). Axiom Nth_bw_xor_v2true : forall (v1:bv) (v2:bv) (n:Z), (((0%Z <= n)%Z /\ (n < 64%Z)%Z) /\ ((nth v2 n) = true)) -> ((nth (bw_xor v1 v2) n) = (negb (nth v1 n))). Axiom Nth_bw_xor_v2false : forall (v1:bv) (v2:bv) (n:Z), (((0%Z <= n)%Z /\ (n < 64%Z)%Z) /\ ((nth v2 n) = false)) -> ((nth (bw_xor v1 v2) n) = (nth v1 n)). Parameter bw_not: bv -> bv. Axiom Nth_bw_not : forall (v:bv) (n:Z), ((0%Z <= n)%Z /\ (n < 64%Z)%Z) -> ((nth (bw_not v) n) = (negb (nth v n))). Parameter lsr: bv -> Z -> bv. Axiom lsr_nth_low : forall (b:bv) (n:Z) (s:Z), (((0%Z <= n)%Z /\ (n < 64%Z)%Z) /\ (((0%Z <= s)%Z /\ (s < 64%Z)%Z) /\ ((n + s)%Z < 64%Z)%Z)) -> ((nth (lsr b s) n) = (nth b (n + s)%Z)). Axiom lsr_nth_high : forall (b:bv) (n:Z) (s:Z), (((0%Z <= n)%Z /\ (n < 64%Z)%Z) /\ (((0%Z <= s)%Z /\ (s < 64%Z)%Z) /\ (64%Z <= (n + s)%Z)%Z)) -> ((nth (lsr b s) n) = false). Parameter asr: bv -> Z -> bv. Axiom asr_nth_low : forall (b:bv) (n:Z) (s:Z), ((0%Z <= n)%Z /\ (n < 64%Z)%Z) -> ((0%Z <= s)%Z -> (((n + s)%Z < 64%Z)%Z -> ((nth (asr b s) n) = (nth b (n + s)%Z)))). Axiom asr_nth_high : forall (b:bv) (n:Z) (s:Z), ((0%Z <= n)%Z /\ (n < 64%Z)%Z) -> ((0%Z <= s)%Z -> ((64%Z <= (n + s)%Z)%Z -> ((nth (asr b s) n) = (nth b (64%Z - 1%Z)%Z)))). Parameter lsl: bv -> Z -> bv. Axiom lsl_nth_high : forall (b:bv) (n:Z) (s:Z), ((0%Z <= n)%Z /\ (n < 64%Z)%Z) -> ((0%Z <= s)%Z -> ((0%Z <= (n - s)%Z)%Z -> ((nth (lsl b s) n) = (nth b (n - s)%Z)))). Axiom lsl_nth_low : forall (b:bv) (n:Z) (s:Z), ((0%Z <= n)%Z /\ (n < 64%Z)%Z) -> ((0%Z <= s)%Z -> (((n - s)%Z < 0%Z)%Z -> ((nth (lsl b s) n) = false))). Parameter to_nat_sub: bv -> Z -> Z -> Z. Axiom to_nat_sub_zero : forall (b:bv) (j:Z) (i:Z), (((0%Z <= i)%Z /\ (i <= j)%Z) /\ (j < 64%Z)%Z) -> (((nth b j) = false) -> ((to_nat_sub b j i) = (to_nat_sub b (j - 1%Z)%Z i))). Axiom to_nat_sub_one : forall (b:bv) (j:Z) (i:Z), (((0%Z <= i)%Z /\ (i <= j)%Z) /\ (j < 64%Z)%Z) -> (((nth b j) = true) -> ((to_nat_sub b j i) = ((pow2 (j - i)%Z) + (to_nat_sub b (j - 1%Z)%Z i))%Z)). Axiom to_nat_sub_high : forall (b:bv) (j:Z) (i:Z), (j < i)%Z -> ((to_nat_sub b j i) = 0%Z). Axiom to_nat_of_zero2 : forall (b:bv) (i:Z) (j:Z), (((j < 64%Z)%Z /\ (i <= j)%Z) /\ (0%Z <= i)%Z) -> ((forall (k:Z), ((k <= j)%Z /\ (i < k)%Z) -> ((nth b k) = false)) -> ((to_nat_sub b j 0%Z) = (to_nat_sub b i 0%Z))). Axiom to_nat_of_zero : forall (b:bv) (i:Z) (j:Z), ((j < 64%Z)%Z /\ (0%Z <= i)%Z) -> ((forall (k:Z), ((k <= j)%Z /\ (i <= k)%Z) -> ((nth b k) = false)) -> ((to_nat_sub b j i) = 0%Z)). Axiom to_nat_of_one : forall (b:bv) (i:Z) (j:Z), (((j < 64%Z)%Z /\ (i <= j)%Z) /\ (0%Z <= i)%Z) -> ((forall (k:Z), ((k <= j)%Z /\ (i <= k)%Z) -> ((nth b k) = true)) -> ((to_nat_sub b j i) = ((pow2 ((j - i)%Z + 1%Z)%Z) - 1%Z)%Z)). Axiom to_nat_sub_footprint : forall (b1:bv) (b2:bv) (j:Z) (i:Z), ((j < 64%Z)%Z /\ (0%Z <= i)%Z) -> ((forall (k:Z), ((i <= k)%Z /\ (k <= j)%Z) -> ((nth b1 k) = (nth b2 k))) -> ((to_nat_sub b1 j i) = (to_nat_sub b2 j i))). Parameter from_int: Z -> bv. Axiom nth_from_int_high_even : forall (n:Z) (i:Z), (((i < 64%Z)%Z /\ (0%Z <= i)%Z) /\ ((int.EuclideanDivision.mod1 (int.EuclideanDivision.div n (pow2 i)) 2%Z) = 0%Z)) -> ((nth (from_int n) i) = false). Axiom nth_from_int_high_odd : forall (n:Z) (i:Z), (((i < 64%Z)%Z /\ (0%Z <= i)%Z) /\ ~ ((int.EuclideanDivision.mod1 (int.EuclideanDivision.div n (pow2 i)) 2%Z) = 0%Z)) -> ((nth (from_int n) i) = true). Axiom nth_from_int_low_even : forall (n:Z), ((int.EuclideanDivision.mod1 n 2%Z) = 0%Z) -> ((nth (from_int n) 0%Z) = false). Axiom nth_from_int_low_odd : forall (n:Z), (~ ((int.EuclideanDivision.mod1 n 2%Z) = 0%Z)) -> ((nth (from_int n) 0%Z) = true). Axiom nth_from_int_0 : forall (i:Z), ((i < 64%Z)%Z /\ (0%Z <= i)%Z) -> ((nth (from_int 0%Z) i) = false). Parameter from_int2c: Z -> bv. Axiom nth_sign_positive : forall (n:Z), (0%Z <= n)%Z -> ((nth (from_int2c n) (64%Z - 1%Z)%Z) = false). Axiom nth_sign_negative : forall (n:Z), (n < 0%Z)%Z -> ((nth (from_int2c n) (64%Z - 1%Z)%Z) = true). Axiom nth_from_int2c_high_even : forall (n:Z) (i:Z), (((i < (64%Z - 1%Z)%Z)%Z /\ (0%Z <= i)%Z) /\ ((int.EuclideanDivision.mod1 (int.EuclideanDivision.div n (pow2 i)) 2%Z) = 0%Z)) -> ((nth (from_int2c n) i) = false). Axiom nth_from_int2c_high_odd : forall (n:Z) (i:Z), (((i < (64%Z - 1%Z)%Z)%Z /\ (0%Z <= i)%Z) /\ ~ ((int.EuclideanDivision.mod1 (int.EuclideanDivision.div n (pow2 i)) 2%Z) = 0%Z)) -> ((nth (from_int2c n) i) = true). Axiom nth_from_int2c_low_even : forall (n:Z), ((int.EuclideanDivision.mod1 n 2%Z) = 0%Z) -> ((nth (from_int2c n) 0%Z) = false). Axiom nth_from_int2c_low_odd : forall (n:Z), (~ ((int.EuclideanDivision.mod1 n 2%Z) = 0%Z)) -> ((nth (from_int2c n) 0%Z) = true). Axiom nth_from_int2c_0 : forall (i:Z), ((i < 64%Z)%Z /\ (0%Z <= i)%Z) -> ((nth (from_int2c 0%Z) i) = false). Axiom nth_from_int2c_plus_pow2 : forall (x:Z) (k:Z) (i:Z), ((0%Z <= k)%Z /\ (k < i)%Z) -> ((nth (from_int2c (x + (pow2 i))%Z) k) = (nth (from_int2c x) k)). Parameter pow21: Z -> R. Axiom Power_01 : ((pow21 0%Z) = 1%R). Axiom Power_s1 : forall (n:Z), (0%Z <= n)%Z -> ((pow21 (n + 1%Z)%Z) = (2%R * (pow21 n))%R). Axiom Power_p : forall (n:Z), (n <= 0%Z)%Z -> ((pow21 (n - 1%Z)%Z) = ((05 / 10)%R * (pow21 n))%R). Axiom Power_s_all : forall (n:Z), ((pow21 (n + 1%Z)%Z) = (2%R * (pow21 n))%R). Axiom Power_p_all : forall (n:Z), ((pow21 (n - 1%Z)%Z) = ((05 / 10)%R * (pow21 n))%R). Axiom Power_1_2 : ((05 / 10)%R = (Rdiv 1%R 2%R)%R). Axiom Power_11 : ((pow21 1%Z) = 2%R). Axiom Power_neg1 : ((pow21 (-1%Z)%Z) = (05 / 10)%R). Axiom Power_non_null_aux : forall (n:Z), (0%Z <= n)%Z -> ~ ((pow21 n) = 0%R). Axiom Power_neg_aux : forall (n:Z), (0%Z <= n)%Z -> ((pow21 (-n)%Z) = (Rdiv 1%R (pow21 n))%R). Axiom Power_non_null : forall (n:Z), ~ ((pow21 n) = 0%R). Axiom Power_neg : forall (n:Z), ((pow21 (-n)%Z) = (Rdiv 1%R (pow21 n))%R). Axiom Power_sum_aux : forall (n:Z) (m:Z), (0%Z <= m)%Z -> ((pow21 (n + m)%Z) = ((pow21 n) * (pow21 m))%R). Axiom Power_sum1 : forall (n:Z) (m:Z), ((pow21 (n + m)%Z) = ((pow21 n) * (pow21 m))%R). Axiom Pow2_int_real : forall (x:Z), (0%Z <= x)%Z -> ((pow21 x) = (IZR (pow2 x))). Parameter double_of_bv64: bv -> R. Parameter sign_value: bool -> R. Axiom sign_value_false : ((sign_value false) = 1%R). Axiom sign_value_true : ((sign_value true) = (-1%R)%R). Axiom zero : forall (b:bv), (((to_nat_sub b 62%Z 52%Z) = 0%Z) /\ ((to_nat_sub b 51%Z 0%Z) = 0%Z)) -> ((double_of_bv64 b) = 0%R). Axiom sign_of_double_positive : forall (b:bv), ((nth b 63%Z) = false) -> (0%R <= (double_of_bv64 b))%R. Axiom sign_of_double_negative : forall (b:bv), ((nth b 63%Z) = true) -> ((double_of_bv64 b) <= 0%R)%R. Axiom double_of_bv64_value : forall (b:bv), ((0%Z < (to_nat_sub b 62%Z 52%Z))%Z /\ ((to_nat_sub b 62%Z 52%Z) < 2047%Z)%Z) -> ((double_of_bv64 b) = (((sign_value (nth b 63%Z)) * (pow21 ((to_nat_sub b 62%Z 52%Z) - 1023%Z)%Z))%R * (1%R + ((IZR (to_nat_sub b 51%Z 0%Z)) * (pow21 (-52%Z)%Z))%R)%R)%R). Axiom nth_one1 : forall (i:Z), ((0%Z <= i)%Z /\ (i <= 51%Z)%Z) -> ((nth (from_int 4607182418800017408%Z) i) = false). Axiom nth_one2 : forall (i:Z), ((52%Z <= i)%Z /\ (i <= 61%Z)%Z) -> ((nth (from_int 4607182418800017408%Z) i) = true). Axiom nth_one3 : forall (i:Z), ((62%Z <= i)%Z /\ (i <= 63%Z)%Z) -> ((nth (from_int 4607182418800017408%Z) i) = false). Axiom sign_one : ((nth (from_int 4607182418800017408%Z) 63%Z) = false). Open Scope Z_scope. (* Why3 goal *) Theorem exp_one : ((to_nat_sub (from_int 4607182418800017408%Z) 62%Z 52%Z) = 1023%Z). rewrite to_nat_sub_zero; auto with zarith. rewrite to_nat_of_one; auto with zarith. replace (62 - 1 - 52 + 1) with 10 by omega. rewrite pow2_10; auto. intros; rewrite nth_one2; intuition. rewrite nth_one3; intuition. Qed. why3-1.6.0/examples/bitvectors/double/why3session.xml000066400000000000000000000042101440160026300226750ustar00rootroot00000000000000 why3-1.6.0/examples/bitvectors/double/why3shapes.gz000066400000000000000000000005231440160026300223200ustar00rootroot00000000000000U1o1 ~ōm$J !%R6|Inw㼗]x?xsr:ٞf*Lwo (ϗWh-UV4ѪqaW$rKy5%Gyݩ'+ua@Բkܤ6,^ECG|řC/%MQkJX!I推3WX4cʚkbtVXU$ ڒP7m@chWYSɹr؁R̎B TJ"PV@]|ÉklPVےCmyFAOwhy3-1.6.0/examples/bitvectors/double_of_int.why000066400000000000000000000252411440160026300217530ustar00rootroot00000000000000 theory DoubleOfInt use int.Int use bool.Bool use real.RealInfix use real.FromInt use power2.Pow2int as Pow2int use power2.Pow2real as Pow2real use bitvector.BV32 as BV32 use bitvector.BV64 as BV64 use bitvector.BV32_64 as BV32_64 use double.BV_double (*********************************************************************) (* j = 0x43300000 *) (* j' = 0x80000000 *) (*********************************************************************) function j : BV32.bv = BV32.from_int 0x43300000 lemma nth_j1: forall i:int. 0 <= i <= 19 -> BV32.nth j i = False lemma nth_j2: forall i:int. 20 <= i <= 21 -> BV32.nth j i = True lemma nth_j3: forall i:int. 22 <= i <= 23 -> BV32.nth j i = False lemma nth_j4: forall i:int. 24 <= i <= 25 -> BV32.nth j i = True lemma nth_j5: forall i:int. 26 <= i <= 29 -> BV32.nth j i = False lemma nth_j6: BV32.nth j 30 = True lemma nth_j7: BV32.nth j 31 = False function j' : BV32.bv = BV32.from_int 0x80000000 lemma jp0_30: forall i:int. 0<=i<30 -> BV32.nth j' i = False (*********************************************************************) (* definitions: *) (* const : bv64 = concat j j' *) (* const_as_double : real = double_of_bv64(const) *) (*********************************************************************) function const : BV64.bv = BV32_64.concat j j' function const_as_double : real = double_of_bv64 const (*********************************************************************) (* next lemma: const_as_double = 2^52 + 2^31 *) (*********************************************************************) lemma nth_const1: forall i:int. 0 <= i <= 30 -> BV64.nth const i = False lemma nth_const2: BV64.nth const 31 = True lemma nth_const3: forall i:int. 32 <= i <= 51 -> BV64.nth const i = False lemma nth_const4: forall i:int. 52 <= i <= 53 -> BV64.nth const i = True lemma nth_const5: forall i:int. 54 <= i <= 55 -> BV64.nth const i = False lemma nth_const6: forall i:int. 56 <= i <= 57 -> BV64.nth const i = True lemma nth_const7: forall i:int. 58 <= i <= 61 -> BV64.nth const i = False lemma nth_const8: BV64.nth const 62 = True lemma nth_const9: BV64.nth const 63 = False lemma sign_const: sign(const) = False lemma exp_const: exp(const) = 1075 lemma to_nat_mantissa_1: (BV64.to_nat_sub const 30 0) = 0 lemma mantissa_const_nth2: forall i:int. 32 <= i <= 51 -> BV64.nth const i = False lemma mantissa_const_to_nat51: BV64.to_nat_sub const 51 0 = BV64.to_nat_sub const 31 0 lemma mantissa_const: mantissa(const) = Pow2int.pow2 31 lemma real1075m1023: from_int (1075 - 1023) = 52.0 lemma real1075m1023_2: 1075.0 -. 1023.0 = 52.0 lemma real52_a_m52: Pow2real.pow2 (1075 - 1023) *. Pow2real.pow2 31 *. Pow2real.pow2 (-52) = Pow2real.pow2 31 lemma const_value0: const_as_double = 1.0*.Pow2real.pow2 (1075 - 1023) *. (1.0 +. Pow2real.pow2 31 *. Pow2real.pow2 (-52)) lemma const_value: const_as_double = Pow2real.pow2 52 +. Pow2real.pow2 31 (*********************************************************************) (* definitions: *) (* var(x) : bv64 = concat j (j' xor x) *) (* var_as_double(x) : real = double_of_bv64(var(x)) *) (*********************************************************************) function jpxor(i:int): BV32.bv = (BV32.bw_xor j' (BV32.from_int2c i)) function var(i:int): BV64.bv = (BV32_64.concat j (jpxor i)) function var_as_double(x:int) : real = double_of_bv64 (var x) (*********************************************************************) (* lemma 1: for all integer x, to_nat(jpxor(x)) = 2^31 + x *) (*********************************************************************) predicate is_int32(x:int) = - Pow2int.pow2 31 <= x < Pow2int.pow2 31 (* lemma two_compl_pos: forall x:int. is_int32 x /\ x >= 0 -> BV32.to_nat_sub (BV32.from_int2c x) 31 0 = x lemma two_compl_neg: forall x:int. is_int32 x /\ x < 0 -> BV32.to_nat_sub (BV32.from_int2c x) 31 0 = Pow2int.pow2 32 + x *) (* bits of jpxor x *) lemma nth_0_30: forall x:int. forall i:int. is_int32(x) /\ 0<=i<=30 -> BV32.nth (BV32.bw_xor j' (BV32.from_int2c x)) i = BV32.nth (BV32.from_int2c x) i lemma nth_jpxor_0_30: forall x:int. forall i:int. is_int32(x) /\ 0<=i<=30 -> BV32.nth (jpxor x) i = BV32.nth (BV32.from_int2c x) i lemma nth_var31: forall x:int. (BV32.nth (jpxor x) 31) = notb (BV32.nth (BV32.from_int2c x) 31) lemma to_nat_sub_0_30: forall x:int. is_int32(x) -> (BV32.to_nat_sub (BV32.bw_xor j' (BV32.from_int2c x)) 30 0) = (BV32.to_nat_sub (BV32.from_int2c x) 30 0) (* case x >= 0 *) lemma jpxorx_pos: forall x:int. x>=0 -> BV32.nth (BV32.bw_xor j' (BV32.from_int2c x)) 31 = True lemma from_int2c_to_nat_sub_pos: forall i:int. 0 <= i <= 31 -> forall x:int. 0 <= x < Pow2int.pow2 i -> BV32.to_nat_sub (BV32.from_int2c x) (i-1) 0 = x lemma lemma1_pos : forall x:int. is_int32 x /\ x >= 0 -> BV32.to_nat_sub (jpxor x) 31 0 = Pow2int.pow2 31 + x (* case x < 0 *) lemma jpxorx_neg: forall x:int. x<0 -> BV32.nth (BV32.bw_xor j' (BV32.from_int2c x)) 31 = False lemma from_int2c_to_nat_sub_neg: forall i:int. 0 <= i <= 31 -> forall x:int. -Pow2int.pow2 i <= x < 0 -> BV32.to_nat_sub (BV32.from_int2c x) (i-1) 0 = Pow2int.pow2 i + x lemma lemma1_neg : forall x:int. is_int32 x /\ x < 0 -> BV32.to_nat_sub (jpxor x) 31 0 = Pow2int.pow2 31 + x (**** old (* case x >= 0 *) lemma jpxorx_pos: forall x:int. x>=0 -> BV32.nth (BV32.bw_xor j' (BV32.from_int2c x)) 31 = True (* lemma from_int2c_to_nat_sub31: forall x:int. x >= 0 -> BV32.to_nat_sub (BV32.from_int2c x) 31 0 = x *) lemma from_int2c_to_nat_sub_gen: forall i:int. 0 <= i <= 30 -> forall x:int. 0 <= x < Pow2int.pow2 i -> BV32.to_nat_sub (BV32.from_int2c x) (i-1) 0 = x lemma from_int2c_to_nat_sub: forall x:int. is_int32(x) /\ x >= 0 -> BV32.to_nat_sub (BV32.from_int2c x) 30 0 = x lemma lemma1_pos : forall x:int. is_int32 x /\ x >= 0 -> BV32.to_nat_sub (jpxor x) 31 0 = Pow2int.pow2 31 + x (* case x < 0 *) lemma to_nat_sub_0_30_neg: forall x:int. is_int32(x) /\ x<0 -> (BV32.to_nat_sub (BV32.bw_xor j' (BV32.from_int2c x)) 30 0) = (BV32.to_nat_sub (BV32.from_int2c x) 30 0) lemma to_nat_sub_0_30_neg1: forall x:int. is_int32(x) /\ x<0 -> (BV32.to_nat_sub (BV32.from_int2c x) 30 0) = Pow2int.pow2 31 + x lemma lemma1_neg : forall x:int. is_int32 x /\ x < 0 -> BV32.to_nat_sub (jpxor x) 31 0 = Pow2int.pow2 31 + x ****) (* final lemma *) lemma lemma1 : forall x:int. is_int32 x -> BV32.to_nat_sub (jpxor x) 31 0 = Pow2int.pow2 31 + x (*********************************************************************) (* lemma 2: for all integer x, mantissa(var(x)) = 2^31 + x *) (*********************************************************************) lemma nth_var_0_31: forall x:int. forall i:int. is_int32(x) /\ 0<=i<=31-> BV64.nth (var x) i = BV32.nth (jpxor x) i lemma to_nat_bv32_bv64_aux: forall b1:BV32.bv. forall b2:BV32.bv. forall j:int. 0<=j<32-> BV64.to_nat_sub (BV32_64.concat b1 b2) j 0 = BV32.to_nat_sub b2 j 0 lemma to_nat_bv32_bv64: forall b1:BV32.bv. forall b2:BV32.bv. BV64.to_nat_sub (BV32_64.concat b1 b2) 31 0 = BV32.to_nat_sub b2 31 0 lemma to_nat_var_0_31: forall x:int. is_int32(x) -> BV64.to_nat_sub (var x) 31 0 = BV32.to_nat_sub (jpxor x) 31 0 lemma nth_var32to63: forall x k:int. 32 <= k <= 63 -> BV64.nth (var x) k = BV32.nth j (k - 32) lemma nth_var3: forall x i:int. is_int32 x /\ 32 <= i <= 51 -> BV64.nth (var x) i = False lemma lemma2 : forall x:int. is_int32 x -> mantissa(var(x)) = Pow2int.pow2 31 + x (*********************************************************************) (* lemma 3: for all integer x, exp(var(x)) = 1075 *) (*********************************************************************) lemma nth_var4: forall x i:int. is_int32 x /\ 52 <= i <= 53 -> BV64.nth (var x) i = True lemma nth_var5: forall x i:int. is_int32 x /\ 54 <= i <= 55 -> BV64.nth (var x) i = False lemma nth_var6: forall x i:int. is_int32 x /\ 56 <= i <= 57 -> BV64.nth (var x) i = True lemma nth_var7: forall x i:int. is_int32 x /\ 58 <= i <= 61 -> BV64.nth (var x) i = False lemma nth_var8: forall x:int. is_int32 x -> BV64.nth (var x) 62 = True lemma lemma3 : forall x:int. is_int32 x -> exp(var(x)) = 1075 (*********************************************************************) (* lemma 4: for all integer x, sign(var(x)) = false *) (*********************************************************************) lemma nth_var9: forall x:int. is_int32 x -> BV64.nth (var x) 63 = False lemma lemma4 : forall x:int. is_int32 x -> sign(var(x)) = False (*********************************************************************) (* lemma 5: for all integer x, var_as_double(x) = 2^52 + 2^31 + x *) (*********************************************************************) lemma sign_var: forall x:int. is_int32 x -> sign(var(x)) = False (*proved by Coq*) lemma var_value0: forall x:int. is_int32(x) -> var_as_double(x) = Pow2real.pow2 (1075 - 1023) *. (1.0 +. (from_int (Pow2int.pow2 31 + x)) *. Pow2real.pow2 (-52)) lemma from_int_sum : forall x:int. is_int32(x)-> from_int (Pow2int.pow2 31 + x) = from_int (Pow2int.pow2 31) +. from_int x lemma var_value3: forall x:int. is_int32(x)->var_as_double(x) = Pow2real.pow2 52 +. Pow2real.pow2 52 *. (from_int (Pow2int.pow2 31) +. from_int x) *. Pow2real.pow2 (-52) lemma distr_pow52 : forall x:real. Pow2real.pow2 52 *. x *. Pow2real.pow2 (-52) = x lemma var_value4: forall x:int. is_int32(x)->var_as_double(x) = Pow2real.pow2 52 +. (from_int (Pow2int.pow2 31)) +. from_int x lemma pow31 : from_int (Pow2int.pow2 31) = Pow2real.pow2 31 lemma lemma5: forall x:int. is_int32(x)-> var_as_double(x) = Pow2real.pow2 52 +. Pow2real.pow2 31 +. (from_int x) (*********************************************************************) (* main result *) (*********************************************************************) function double_of_int32 (x:int) : real = var_as_double(x) -. const_as_double lemma MainResult: forall x:int. is_int32 x -> double_of_int32 x = from_int x end (* Local Variables: compile-command: "why3 ide -L . double_of_int.why" End: *) why3-1.6.0/examples/bitvectors/double_of_int/000077500000000000000000000000001440160026300212165ustar00rootroot00000000000000why3-1.6.0/examples/bitvectors/double_of_int/double_of_int_DoubleOfInt_exp_const_1.v000066400000000000000000000571141440160026300307610ustar00rootroot00000000000000(* This file is generated by Why3's Coq driver *) (* Beware! Only edit allowed sections below *) Require Import BuiltIn. Require BuiltIn. Require int.Int. Require int.Abs. Require int.EuclideanDivision. Require real.Real. Require real.RealInfix. Require real.FromInt. Require bool.Bool. Parameter pow2: Z -> Z. Axiom Power_0 : ((pow2 0%Z) = 1%Z). Axiom Power_s : forall (n:Z), (0%Z <= n)%Z -> ((pow2 (n + 1%Z)%Z) = (2%Z * (pow2 n))%Z). Axiom Power_1 : ((pow2 1%Z) = 2%Z). Axiom Power_sum : forall (n:Z) (m:Z), ((0%Z <= n)%Z /\ (0%Z <= m)%Z) -> ((pow2 (n + m)%Z) = ((pow2 n) * (pow2 m))%Z). Axiom pow2pos : forall (i:Z), (0%Z <= i)%Z -> (0%Z < (pow2 i))%Z. Axiom pow2_0 : ((pow2 0%Z) = 1%Z). Axiom pow2_1 : ((pow2 1%Z) = 2%Z). Axiom pow2_2 : ((pow2 2%Z) = 4%Z). Axiom pow2_3 : ((pow2 3%Z) = 8%Z). Axiom pow2_4 : ((pow2 4%Z) = 16%Z). Axiom pow2_5 : ((pow2 5%Z) = 32%Z). Axiom pow2_6 : ((pow2 6%Z) = 64%Z). Axiom pow2_7 : ((pow2 7%Z) = 128%Z). Axiom pow2_8 : ((pow2 8%Z) = 256%Z). Axiom pow2_9 : ((pow2 9%Z) = 512%Z). Axiom pow2_10 : ((pow2 10%Z) = 1024%Z). Axiom pow2_11 : ((pow2 11%Z) = 2048%Z). Axiom pow2_12 : ((pow2 12%Z) = 4096%Z). Axiom pow2_13 : ((pow2 13%Z) = 8192%Z). Axiom pow2_14 : ((pow2 14%Z) = 16384%Z). Axiom pow2_15 : ((pow2 15%Z) = 32768%Z). Axiom pow2_16 : ((pow2 16%Z) = 65536%Z). Axiom pow2_17 : ((pow2 17%Z) = 131072%Z). Axiom pow2_18 : ((pow2 18%Z) = 262144%Z). Axiom pow2_19 : ((pow2 19%Z) = 524288%Z). Axiom pow2_20 : ((pow2 20%Z) = 1048576%Z). Axiom pow2_21 : ((pow2 21%Z) = 2097152%Z). Axiom pow2_22 : ((pow2 22%Z) = 4194304%Z). Axiom pow2_23 : ((pow2 23%Z) = 8388608%Z). Axiom pow2_24 : ((pow2 24%Z) = 16777216%Z). Axiom pow2_25 : ((pow2 25%Z) = 33554432%Z). Axiom pow2_26 : ((pow2 26%Z) = 67108864%Z). Axiom pow2_27 : ((pow2 27%Z) = 134217728%Z). Axiom pow2_28 : ((pow2 28%Z) = 268435456%Z). Axiom pow2_29 : ((pow2 29%Z) = 536870912%Z). Axiom pow2_30 : ((pow2 30%Z) = 1073741824%Z). Axiom pow2_31 : ((pow2 31%Z) = 2147483648%Z). Axiom pow2_32 : ((pow2 32%Z) = 4294967296%Z). Axiom pow2_33 : ((pow2 33%Z) = 8589934592%Z). Axiom pow2_34 : ((pow2 34%Z) = 17179869184%Z). Axiom pow2_35 : ((pow2 35%Z) = 34359738368%Z). Axiom pow2_36 : ((pow2 36%Z) = 68719476736%Z). Axiom pow2_37 : ((pow2 37%Z) = 137438953472%Z). Axiom pow2_38 : ((pow2 38%Z) = 274877906944%Z). Axiom pow2_39 : ((pow2 39%Z) = 549755813888%Z). Axiom pow2_40 : ((pow2 40%Z) = 1099511627776%Z). Axiom pow2_41 : ((pow2 41%Z) = 2199023255552%Z). Axiom pow2_42 : ((pow2 42%Z) = 4398046511104%Z). Axiom pow2_43 : ((pow2 43%Z) = 8796093022208%Z). Axiom pow2_44 : ((pow2 44%Z) = 17592186044416%Z). Axiom pow2_45 : ((pow2 45%Z) = 35184372088832%Z). Axiom pow2_46 : ((pow2 46%Z) = 70368744177664%Z). Axiom pow2_47 : ((pow2 47%Z) = 140737488355328%Z). Axiom pow2_48 : ((pow2 48%Z) = 281474976710656%Z). Axiom pow2_49 : ((pow2 49%Z) = 562949953421312%Z). Axiom pow2_50 : ((pow2 50%Z) = 1125899906842624%Z). Axiom pow2_51 : ((pow2 51%Z) = 2251799813685248%Z). Axiom pow2_52 : ((pow2 52%Z) = 4503599627370496%Z). Axiom pow2_53 : ((pow2 53%Z) = 9007199254740992%Z). Axiom pow2_54 : ((pow2 54%Z) = 18014398509481984%Z). Axiom pow2_55 : ((pow2 55%Z) = 36028797018963968%Z). Axiom pow2_56 : ((pow2 56%Z) = 72057594037927936%Z). Axiom pow2_57 : ((pow2 57%Z) = 144115188075855872%Z). Axiom pow2_58 : ((pow2 58%Z) = 288230376151711744%Z). Axiom pow2_59 : ((pow2 59%Z) = 576460752303423488%Z). Axiom pow2_60 : ((pow2 60%Z) = 1152921504606846976%Z). Axiom pow2_61 : ((pow2 61%Z) = 2305843009213693952%Z). Axiom pow2_62 : ((pow2 62%Z) = 4611686018427387904%Z). Axiom pow2_63 : ((pow2 63%Z) = 9223372036854775808%Z). Axiom Div_mult_inst : forall (x:Z) (z:Z), (0%Z < x)%Z -> ((int.EuclideanDivision.div ((x * 1%Z)%Z + z)%Z x) = (1%Z + (int.EuclideanDivision.div z x))%Z). Axiom Div_double : forall (x:Z) (y:Z), ((0%Z < y)%Z /\ ((y <= x)%Z /\ (x < (2%Z * y)%Z)%Z)) -> ((int.EuclideanDivision.div x y) = 1%Z). Axiom Div_pow : forall (x:Z) (i:Z), (0%Z < i)%Z -> (((pow2 (i - 1%Z)%Z) <= x)%Z /\ (x < (pow2 i))%Z) -> ((int.EuclideanDivision.div x (pow2 (i - 1%Z)%Z)) = 1%Z). Axiom Div_double_neg : forall (x:Z) (y:Z), ((((-2%Z)%Z * y)%Z <= x)%Z /\ ((x < (-y)%Z)%Z /\ ((-y)%Z < 0%Z)%Z)) -> ((int.EuclideanDivision.div x y) = (-2%Z)%Z). Axiom Div_pow2 : forall (x:Z) (i:Z), (0%Z < i)%Z -> (((-(pow2 i))%Z <= x)%Z /\ (x < (-(pow2 (i - 1%Z)%Z))%Z)%Z) -> ((int.EuclideanDivision.div x (pow2 (i - 1%Z)%Z)) = (-2%Z)%Z). Axiom Mod_pow2_gen : forall (x:Z) (i:Z) (k:Z), ((0%Z <= k)%Z /\ (k < i)%Z) -> ((int.EuclideanDivision.mod1 (int.EuclideanDivision.div (x + (pow2 i))%Z (pow2 k)) 2%Z) = (int.EuclideanDivision.mod1 (int.EuclideanDivision.div x (pow2 k)) 2%Z)). Parameter pow21: Z -> R. Axiom Power_01 : ((pow21 0%Z) = 1%R). Axiom Power_s1 : forall (n:Z), (0%Z <= n)%Z -> ((pow21 (n + 1%Z)%Z) = (2%R * (pow21 n))%R). Axiom Power_p : forall (n:Z), (n <= 0%Z)%Z -> ((pow21 (n - 1%Z)%Z) = ((05 / 10)%R * (pow21 n))%R). Axiom Power_s_all : forall (n:Z), ((pow21 (n + 1%Z)%Z) = (2%R * (pow21 n))%R). Axiom Power_p_all : forall (n:Z), ((pow21 (n - 1%Z)%Z) = ((05 / 10)%R * (pow21 n))%R). Axiom Power_1_2 : ((05 / 10)%R = (1%R / 2%R)%R). Axiom Power_11 : ((pow21 1%Z) = 2%R). Axiom Power_neg1 : ((pow21 (-1%Z)%Z) = (05 / 10)%R). Axiom Power_non_null_aux : forall (n:Z), (0%Z <= n)%Z -> ~ ((pow21 n) = 0%R). Axiom Power_neg_aux : forall (n:Z), (0%Z <= n)%Z -> ((pow21 (-n)%Z) = (1%R / (pow21 n))%R). Axiom Power_non_null : forall (n:Z), ~ ((pow21 n) = 0%R). Axiom Power_neg : forall (n:Z), ((pow21 (-n)%Z) = (1%R / (pow21 n))%R). Axiom Power_sum_aux : forall (m:Z) (n:Z), (0%Z <= m)%Z -> ((pow21 (n + m)%Z) = ((pow21 n) * (pow21 m))%R). Axiom Power_sum1 : forall (n:Z) (m:Z), ((pow21 (n + m)%Z) = ((pow21 n) * (pow21 m))%R). Axiom Pow2_int_real : forall (x:Z), (0%Z <= x)%Z -> ((pow21 x) = (BuiltIn.IZR (pow2 x))). Axiom size_positive : (1%Z < 32%Z)%Z. Axiom bv : Type. Parameter bv_WhyType : WhyType bv. Existing Instance bv_WhyType. Parameter nth: bv -> Z -> bool. Parameter bvzero: bv. Axiom Nth_zero : forall (n:Z), ((0%Z <= n)%Z /\ (n < 32%Z)%Z) -> ((nth bvzero n) = false). Parameter bvone: bv. Axiom Nth_one : forall (n:Z), ((0%Z <= n)%Z /\ (n < 32%Z)%Z) -> ((nth bvone n) = true). (* Why3 assumption *) Definition eq (v1:bv) (v2:bv) : Prop := forall (n:Z), ((0%Z <= n)%Z /\ (n < 32%Z)%Z) -> ((nth v1 n) = (nth v2 n)). Axiom extensionality : forall (v1:bv) (v2:bv), (eq v1 v2) -> (v1 = v2). Parameter bw_and: bv -> bv -> bv. Axiom Nth_bw_and : forall (v1:bv) (v2:bv) (n:Z), ((0%Z <= n)%Z /\ (n < 32%Z)%Z) -> ((nth (bw_and v1 v2) n) = (Init.Datatypes.andb (nth v1 n) (nth v2 n))). Parameter bw_or: bv -> bv -> bv. Axiom Nth_bw_or : forall (v1:bv) (v2:bv) (n:Z), ((0%Z <= n)%Z /\ (n < 32%Z)%Z) -> ((nth (bw_or v1 v2) n) = (Init.Datatypes.orb (nth v1 n) (nth v2 n))). Parameter bw_xor: bv -> bv -> bv. Axiom Nth_bw_xor : forall (v1:bv) (v2:bv) (n:Z), ((0%Z <= n)%Z /\ (n < 32%Z)%Z) -> ((nth (bw_xor v1 v2) n) = (Init.Datatypes.xorb (nth v1 n) (nth v2 n))). Axiom Nth_bw_xor_v1true : forall (v1:bv) (v2:bv) (n:Z), (((0%Z <= n)%Z /\ (n < 32%Z)%Z) /\ ((nth v1 n) = true)) -> ((nth (bw_xor v1 v2) n) = (Init.Datatypes.negb (nth v2 n))). Axiom Nth_bw_xor_v1false : forall (v1:bv) (v2:bv) (n:Z), (((0%Z <= n)%Z /\ (n < 32%Z)%Z) /\ ((nth v1 n) = false)) -> ((nth (bw_xor v1 v2) n) = (nth v2 n)). Axiom Nth_bw_xor_v2true : forall (v1:bv) (v2:bv) (n:Z), (((0%Z <= n)%Z /\ (n < 32%Z)%Z) /\ ((nth v2 n) = true)) -> ((nth (bw_xor v1 v2) n) = (Init.Datatypes.negb (nth v1 n))). Axiom Nth_bw_xor_v2false : forall (v1:bv) (v2:bv) (n:Z), (((0%Z <= n)%Z /\ (n < 32%Z)%Z) /\ ((nth v2 n) = false)) -> ((nth (bw_xor v1 v2) n) = (nth v1 n)). Parameter bw_not: bv -> bv. Axiom Nth_bw_not : forall (v:bv) (n:Z), ((0%Z <= n)%Z /\ (n < 32%Z)%Z) -> ((nth (bw_not v) n) = (Init.Datatypes.negb (nth v n))). Parameter lsr: bv -> Z -> bv. Axiom lsr_nth_low : forall (b:bv) (n:Z) (s:Z), (((0%Z <= n)%Z /\ (n < 32%Z)%Z) /\ (((0%Z <= s)%Z /\ (s < 32%Z)%Z) /\ ((n + s)%Z < 32%Z)%Z)) -> ((nth (lsr b s) n) = (nth b (n + s)%Z)). Axiom lsr_nth_high : forall (b:bv) (n:Z) (s:Z), (((0%Z <= n)%Z /\ (n < 32%Z)%Z) /\ (((0%Z <= s)%Z /\ (s < 32%Z)%Z) /\ (32%Z <= (n + s)%Z)%Z)) -> ((nth (lsr b s) n) = false). Parameter asr: bv -> Z -> bv. Axiom asr_nth_low : forall (b:bv) (n:Z) (s:Z), ((0%Z <= n)%Z /\ (n < 32%Z)%Z) -> (0%Z <= s)%Z -> ((n + s)%Z < 32%Z)%Z -> ((nth (asr b s) n) = (nth b (n + s)%Z)). Axiom asr_nth_high : forall (b:bv) (n:Z) (s:Z), ((0%Z <= n)%Z /\ (n < 32%Z)%Z) -> (0%Z <= s)%Z -> (32%Z <= (n + s)%Z)%Z -> ((nth (asr b s) n) = (nth b (32%Z - 1%Z)%Z)). Parameter lsl: bv -> Z -> bv. Axiom lsl_nth_high : forall (b:bv) (n:Z) (s:Z), ((0%Z <= n)%Z /\ (n < 32%Z)%Z) -> (0%Z <= s)%Z -> (0%Z <= (n - s)%Z)%Z -> ((nth (lsl b s) n) = (nth b (n - s)%Z)). Axiom lsl_nth_low : forall (b:bv) (n:Z) (s:Z), ((0%Z <= n)%Z /\ (n < 32%Z)%Z) -> (0%Z <= s)%Z -> ((n - s)%Z < 0%Z)%Z -> ((nth (lsl b s) n) = false). Parameter to_nat_sub: bv -> Z -> Z -> Z. Axiom to_nat_sub_zero : forall (b:bv) (j:Z) (i:Z), ((0%Z <= i)%Z /\ ((i <= j)%Z /\ (j < 32%Z)%Z)) -> ((nth b j) = false) -> ((to_nat_sub b j i) = (to_nat_sub b (j - 1%Z)%Z i)). Axiom to_nat_sub_one : forall (b:bv) (j:Z) (i:Z), ((0%Z <= i)%Z /\ ((i <= j)%Z /\ (j < 32%Z)%Z)) -> ((nth b j) = true) -> ((to_nat_sub b j i) = ((pow2 (j - i)%Z) + (to_nat_sub b (j - 1%Z)%Z i))%Z). Axiom to_nat_sub_high : forall (b:bv) (j:Z) (i:Z), (j < i)%Z -> ((to_nat_sub b j i) = 0%Z). Axiom to_nat_of_zero2 : forall (b:bv) (i:Z) (j:Z), ((j < 32%Z)%Z /\ ((i <= j)%Z /\ (0%Z <= i)%Z)) -> (forall (k:Z), ((k <= j)%Z /\ (i < k)%Z) -> ((nth b k) = false)) -> ((to_nat_sub b j 0%Z) = (to_nat_sub b i 0%Z)). Axiom to_nat_of_zero : forall (b:bv) (j:Z) (i:Z), ((j < 32%Z)%Z /\ (0%Z <= i)%Z) -> (forall (k:Z), ((k <= j)%Z /\ (i <= k)%Z) -> ((nth b k) = false)) -> ((to_nat_sub b j i) = 0%Z). Axiom to_nat_of_one : forall (b:bv) (i:Z) (j:Z), ((j < 32%Z)%Z /\ ((i <= j)%Z /\ (0%Z <= i)%Z)) -> (forall (k:Z), ((k <= j)%Z /\ (i <= k)%Z) -> ((nth b k) = true)) -> ((to_nat_sub b j i) = ((pow2 ((j - i)%Z + 1%Z)%Z) - 1%Z)%Z). Axiom to_nat_sub_footprint : forall (b1:bv) (b2:bv) (j:Z) (i:Z), ((j < 32%Z)%Z /\ (0%Z <= i)%Z) -> (forall (k:Z), ((i <= k)%Z /\ (k <= j)%Z) -> ((nth b1 k) = (nth b2 k))) -> ((to_nat_sub b1 j i) = (to_nat_sub b2 j i)). Parameter from_int: Z -> bv. Axiom nth_from_int_high_even : forall (n:Z) (i:Z), (((i < 32%Z)%Z /\ (0%Z <= i)%Z) /\ ((int.EuclideanDivision.mod1 (int.EuclideanDivision.div n (pow2 i)) 2%Z) = 0%Z)) -> ((nth (from_int n) i) = false). Axiom nth_from_int_high_odd : forall (n:Z) (i:Z), (((i < 32%Z)%Z /\ (0%Z <= i)%Z) /\ ~ ((int.EuclideanDivision.mod1 (int.EuclideanDivision.div n (pow2 i)) 2%Z) = 0%Z)) -> ((nth (from_int n) i) = true). Axiom nth_from_int_low_even : forall (n:Z), ((int.EuclideanDivision.mod1 n 2%Z) = 0%Z) -> ((nth (from_int n) 0%Z) = false). Axiom nth_from_int_low_odd : forall (n:Z), ~ ((int.EuclideanDivision.mod1 n 2%Z) = 0%Z) -> ((nth (from_int n) 0%Z) = true). Axiom nth_from_int_0 : forall (i:Z), ((i < 32%Z)%Z /\ (0%Z <= i)%Z) -> ((nth (from_int 0%Z) i) = false). Parameter from_int2c: Z -> bv. Axiom nth_sign_positive : forall (n:Z), (0%Z <= n)%Z -> ((nth (from_int2c n) (32%Z - 1%Z)%Z) = false). Axiom nth_sign_negative : forall (n:Z), (n < 0%Z)%Z -> ((nth (from_int2c n) (32%Z - 1%Z)%Z) = true). Axiom nth_from_int2c_high_even : forall (n:Z) (i:Z), (((i < (32%Z - 1%Z)%Z)%Z /\ (0%Z <= i)%Z) /\ ((int.EuclideanDivision.mod1 (int.EuclideanDivision.div n (pow2 i)) 2%Z) = 0%Z)) -> ((nth (from_int2c n) i) = false). Axiom nth_from_int2c_high_odd : forall (n:Z) (i:Z), (((i < (32%Z - 1%Z)%Z)%Z /\ (0%Z <= i)%Z) /\ ~ ((int.EuclideanDivision.mod1 (int.EuclideanDivision.div n (pow2 i)) 2%Z) = 0%Z)) -> ((nth (from_int2c n) i) = true). Axiom nth_from_int2c_low_even : forall (n:Z), ((int.EuclideanDivision.mod1 n 2%Z) = 0%Z) -> ((nth (from_int2c n) 0%Z) = false). Axiom nth_from_int2c_low_odd : forall (n:Z), ~ ((int.EuclideanDivision.mod1 n 2%Z) = 0%Z) -> ((nth (from_int2c n) 0%Z) = true). Axiom nth_from_int2c_0 : forall (i:Z), ((i < 32%Z)%Z /\ (0%Z <= i)%Z) -> ((nth (from_int2c 0%Z) i) = false). Axiom nth_from_int2c_plus_pow2 : forall (x:Z) (k:Z) (i:Z), (((0%Z <= k)%Z /\ (k < i)%Z) /\ (k < (32%Z - 1%Z)%Z)%Z) -> ((nth (from_int2c (x + (pow2 i))%Z) k) = (nth (from_int2c x) k)). Axiom size_positive1 : (1%Z < 64%Z)%Z. Axiom bv1 : Type. Parameter bv1_WhyType : WhyType bv1. Existing Instance bv1_WhyType. Parameter nth1: bv1 -> Z -> bool. Parameter bvzero1: bv1. Axiom Nth_zero1 : forall (n:Z), ((0%Z <= n)%Z /\ (n < 64%Z)%Z) -> ((nth1 bvzero1 n) = false). Parameter bvone1: bv1. Axiom Nth_one1 : forall (n:Z), ((0%Z <= n)%Z /\ (n < 64%Z)%Z) -> ((nth1 bvone1 n) = true). (* Why3 assumption *) Definition eq1 (v1:bv1) (v2:bv1) : Prop := forall (n:Z), ((0%Z <= n)%Z /\ (n < 64%Z)%Z) -> ((nth1 v1 n) = (nth1 v2 n)). Axiom extensionality1 : forall (v1:bv1) (v2:bv1), (eq1 v1 v2) -> (v1 = v2). Parameter bw_and1: bv1 -> bv1 -> bv1. Axiom Nth_bw_and1 : forall (v1:bv1) (v2:bv1) (n:Z), ((0%Z <= n)%Z /\ (n < 64%Z)%Z) -> ((nth1 (bw_and1 v1 v2) n) = (Init.Datatypes.andb (nth1 v1 n) (nth1 v2 n))). Parameter bw_or1: bv1 -> bv1 -> bv1. Axiom Nth_bw_or1 : forall (v1:bv1) (v2:bv1) (n:Z), ((0%Z <= n)%Z /\ (n < 64%Z)%Z) -> ((nth1 (bw_or1 v1 v2) n) = (Init.Datatypes.orb (nth1 v1 n) (nth1 v2 n))). Parameter bw_xor1: bv1 -> bv1 -> bv1. Axiom Nth_bw_xor1 : forall (v1:bv1) (v2:bv1) (n:Z), ((0%Z <= n)%Z /\ (n < 64%Z)%Z) -> ((nth1 (bw_xor1 v1 v2) n) = (Init.Datatypes.xorb (nth1 v1 n) (nth1 v2 n))). Axiom Nth_bw_xor_v1true1 : forall (v1:bv1) (v2:bv1) (n:Z), (((0%Z <= n)%Z /\ (n < 64%Z)%Z) /\ ((nth1 v1 n) = true)) -> ((nth1 (bw_xor1 v1 v2) n) = (Init.Datatypes.negb (nth1 v2 n))). Axiom Nth_bw_xor_v1false1 : forall (v1:bv1) (v2:bv1) (n:Z), (((0%Z <= n)%Z /\ (n < 64%Z)%Z) /\ ((nth1 v1 n) = false)) -> ((nth1 (bw_xor1 v1 v2) n) = (nth1 v2 n)). Axiom Nth_bw_xor_v2true1 : forall (v1:bv1) (v2:bv1) (n:Z), (((0%Z <= n)%Z /\ (n < 64%Z)%Z) /\ ((nth1 v2 n) = true)) -> ((nth1 (bw_xor1 v1 v2) n) = (Init.Datatypes.negb (nth1 v1 n))). Axiom Nth_bw_xor_v2false1 : forall (v1:bv1) (v2:bv1) (n:Z), (((0%Z <= n)%Z /\ (n < 64%Z)%Z) /\ ((nth1 v2 n) = false)) -> ((nth1 (bw_xor1 v1 v2) n) = (nth1 v1 n)). Parameter bw_not1: bv1 -> bv1. Axiom Nth_bw_not1 : forall (v:bv1) (n:Z), ((0%Z <= n)%Z /\ (n < 64%Z)%Z) -> ((nth1 (bw_not1 v) n) = (Init.Datatypes.negb (nth1 v n))). Parameter lsr1: bv1 -> Z -> bv1. Axiom lsr_nth_low1 : forall (b:bv1) (n:Z) (s:Z), (((0%Z <= n)%Z /\ (n < 64%Z)%Z) /\ (((0%Z <= s)%Z /\ (s < 64%Z)%Z) /\ ((n + s)%Z < 64%Z)%Z)) -> ((nth1 (lsr1 b s) n) = (nth1 b (n + s)%Z)). Axiom lsr_nth_high1 : forall (b:bv1) (n:Z) (s:Z), (((0%Z <= n)%Z /\ (n < 64%Z)%Z) /\ (((0%Z <= s)%Z /\ (s < 64%Z)%Z) /\ (64%Z <= (n + s)%Z)%Z)) -> ((nth1 (lsr1 b s) n) = false). Parameter asr1: bv1 -> Z -> bv1. Axiom asr_nth_low1 : forall (b:bv1) (n:Z) (s:Z), ((0%Z <= n)%Z /\ (n < 64%Z)%Z) -> (0%Z <= s)%Z -> ((n + s)%Z < 64%Z)%Z -> ((nth1 (asr1 b s) n) = (nth1 b (n + s)%Z)). Axiom asr_nth_high1 : forall (b:bv1) (n:Z) (s:Z), ((0%Z <= n)%Z /\ (n < 64%Z)%Z) -> (0%Z <= s)%Z -> (64%Z <= (n + s)%Z)%Z -> ((nth1 (asr1 b s) n) = (nth1 b (64%Z - 1%Z)%Z)). Parameter lsl1: bv1 -> Z -> bv1. Axiom lsl_nth_high1 : forall (b:bv1) (n:Z) (s:Z), ((0%Z <= n)%Z /\ (n < 64%Z)%Z) -> (0%Z <= s)%Z -> (0%Z <= (n - s)%Z)%Z -> ((nth1 (lsl1 b s) n) = (nth1 b (n - s)%Z)). Axiom lsl_nth_low1 : forall (b:bv1) (n:Z) (s:Z), ((0%Z <= n)%Z /\ (n < 64%Z)%Z) -> (0%Z <= s)%Z -> ((n - s)%Z < 0%Z)%Z -> ((nth1 (lsl1 b s) n) = false). Parameter to_nat_sub1: bv1 -> Z -> Z -> Z. Axiom to_nat_sub_zero1 : forall (b:bv1) (j:Z) (i:Z), ((0%Z <= i)%Z /\ ((i <= j)%Z /\ (j < 64%Z)%Z)) -> ((nth1 b j) = false) -> ((to_nat_sub1 b j i) = (to_nat_sub1 b (j - 1%Z)%Z i)). Axiom to_nat_sub_one1 : forall (b:bv1) (j:Z) (i:Z), ((0%Z <= i)%Z /\ ((i <= j)%Z /\ (j < 64%Z)%Z)) -> ((nth1 b j) = true) -> ((to_nat_sub1 b j i) = ((pow2 (j - i)%Z) + (to_nat_sub1 b (j - 1%Z)%Z i))%Z). Axiom to_nat_sub_high1 : forall (b:bv1) (j:Z) (i:Z), (j < i)%Z -> ((to_nat_sub1 b j i) = 0%Z). Axiom to_nat_of_zero21 : forall (b:bv1) (i:Z) (j:Z), ((j < 64%Z)%Z /\ ((i <= j)%Z /\ (0%Z <= i)%Z)) -> (forall (k:Z), ((k <= j)%Z /\ (i < k)%Z) -> ((nth1 b k) = false)) -> ((to_nat_sub1 b j 0%Z) = (to_nat_sub1 b i 0%Z)). Axiom to_nat_of_zero1 : forall (b:bv1) (j:Z) (i:Z), ((j < 64%Z)%Z /\ (0%Z <= i)%Z) -> (forall (k:Z), ((k <= j)%Z /\ (i <= k)%Z) -> ((nth1 b k) = false)) -> ((to_nat_sub1 b j i) = 0%Z). Axiom to_nat_of_one1 : forall (b:bv1) (i:Z) (j:Z), ((j < 64%Z)%Z /\ ((i <= j)%Z /\ (0%Z <= i)%Z)) -> (forall (k:Z), ((k <= j)%Z /\ (i <= k)%Z) -> ((nth1 b k) = true)) -> ((to_nat_sub1 b j i) = ((pow2 ((j - i)%Z + 1%Z)%Z) - 1%Z)%Z). Axiom to_nat_sub_footprint1 : forall (b1:bv1) (b2:bv1) (j:Z) (i:Z), ((j < 64%Z)%Z /\ (0%Z <= i)%Z) -> (forall (k:Z), ((i <= k)%Z /\ (k <= j)%Z) -> ((nth1 b1 k) = (nth1 b2 k))) -> ((to_nat_sub1 b1 j i) = (to_nat_sub1 b2 j i)). Parameter from_int1: Z -> bv1. Axiom nth_from_int_high_even1 : forall (n:Z) (i:Z), (((i < 64%Z)%Z /\ (0%Z <= i)%Z) /\ ((int.EuclideanDivision.mod1 (int.EuclideanDivision.div n (pow2 i)) 2%Z) = 0%Z)) -> ((nth1 (from_int1 n) i) = false). Axiom nth_from_int_high_odd1 : forall (n:Z) (i:Z), (((i < 64%Z)%Z /\ (0%Z <= i)%Z) /\ ~ ((int.EuclideanDivision.mod1 (int.EuclideanDivision.div n (pow2 i)) 2%Z) = 0%Z)) -> ((nth1 (from_int1 n) i) = true). Axiom nth_from_int_low_even1 : forall (n:Z), ((int.EuclideanDivision.mod1 n 2%Z) = 0%Z) -> ((nth1 (from_int1 n) 0%Z) = false). Axiom nth_from_int_low_odd1 : forall (n:Z), ~ ((int.EuclideanDivision.mod1 n 2%Z) = 0%Z) -> ((nth1 (from_int1 n) 0%Z) = true). Axiom nth_from_int_01 : forall (i:Z), ((i < 64%Z)%Z /\ (0%Z <= i)%Z) -> ((nth1 (from_int1 0%Z) i) = false). Parameter from_int2c1: Z -> bv1. Axiom nth_sign_positive1 : forall (n:Z), (0%Z <= n)%Z -> ((nth1 (from_int2c1 n) (64%Z - 1%Z)%Z) = false). Axiom nth_sign_negative1 : forall (n:Z), (n < 0%Z)%Z -> ((nth1 (from_int2c1 n) (64%Z - 1%Z)%Z) = true). Axiom nth_from_int2c_high_even1 : forall (n:Z) (i:Z), (((i < (64%Z - 1%Z)%Z)%Z /\ (0%Z <= i)%Z) /\ ((int.EuclideanDivision.mod1 (int.EuclideanDivision.div n (pow2 i)) 2%Z) = 0%Z)) -> ((nth1 (from_int2c1 n) i) = false). Axiom nth_from_int2c_high_odd1 : forall (n:Z) (i:Z), (((i < (64%Z - 1%Z)%Z)%Z /\ (0%Z <= i)%Z) /\ ~ ((int.EuclideanDivision.mod1 (int.EuclideanDivision.div n (pow2 i)) 2%Z) = 0%Z)) -> ((nth1 (from_int2c1 n) i) = true). Axiom nth_from_int2c_low_even1 : forall (n:Z), ((int.EuclideanDivision.mod1 n 2%Z) = 0%Z) -> ((nth1 (from_int2c1 n) 0%Z) = false). Axiom nth_from_int2c_low_odd1 : forall (n:Z), ~ ((int.EuclideanDivision.mod1 n 2%Z) = 0%Z) -> ((nth1 (from_int2c1 n) 0%Z) = true). Axiom nth_from_int2c_01 : forall (i:Z), ((i < 64%Z)%Z /\ (0%Z <= i)%Z) -> ((nth1 (from_int2c1 0%Z) i) = false). Axiom nth_from_int2c_plus_pow21 : forall (x:Z) (k:Z) (i:Z), (((0%Z <= k)%Z /\ (k < i)%Z) /\ (k < (64%Z - 1%Z)%Z)%Z) -> ((nth1 (from_int2c1 (x + (pow2 i))%Z) k) = (nth1 (from_int2c1 x) k)). Parameter concat: bv -> bv -> bv1. Axiom concat_low : forall (b1:bv) (b2:bv), forall (i:Z), ((0%Z <= i)%Z /\ (i < 32%Z)%Z) -> ((nth1 (concat b1 b2) i) = (nth b2 i)). Axiom concat_high : forall (b1:bv) (b2:bv), forall (i:Z), ((32%Z <= i)%Z /\ (i < 64%Z)%Z) -> ((nth1 (concat b1 b2) i) = (nth b1 (i - 32%Z)%Z)). Parameter double_of_bv64: bv1 -> R. Parameter sign_value: bool -> R. Axiom sign_value_false : ((sign_value false) = 1%R). Axiom sign_value_true : ((sign_value true) = (-1%R)%R). Axiom zero : forall (b:bv1), (((to_nat_sub1 b 62%Z 52%Z) = 0%Z) /\ ((to_nat_sub1 b 51%Z 0%Z) = 0%Z)) -> ((double_of_bv64 b) = 0%R). Axiom sign_of_double_positive : forall (b:bv1), ((nth1 b 63%Z) = false) -> (0%R <= (double_of_bv64 b))%R. Axiom sign_of_double_negative : forall (b:bv1), ((nth1 b 63%Z) = true) -> ((double_of_bv64 b) <= 0%R)%R. Axiom double_of_bv64_value : forall (b:bv1), ((0%Z < (to_nat_sub1 b 62%Z 52%Z))%Z /\ ((to_nat_sub1 b 62%Z 52%Z) < 2047%Z)%Z) -> ((double_of_bv64 b) = (((sign_value (nth1 b 63%Z)) * (pow21 ((to_nat_sub1 b 62%Z 52%Z) - 1023%Z)%Z))%R * (1%R + ((BuiltIn.IZR (to_nat_sub1 b 51%Z 0%Z)) * (pow21 (-52%Z)%Z))%R)%R)%R). Axiom nth_j1 : forall (i:Z), ((0%Z <= i)%Z /\ (i <= 19%Z)%Z) -> ((nth (from_int 1127219200%Z) i) = false). Axiom nth_j2 : forall (i:Z), ((20%Z <= i)%Z /\ (i <= 21%Z)%Z) -> ((nth (from_int 1127219200%Z) i) = true). Axiom nth_j3 : forall (i:Z), ((22%Z <= i)%Z /\ (i <= 23%Z)%Z) -> ((nth (from_int 1127219200%Z) i) = false). Axiom nth_j4 : forall (i:Z), ((24%Z <= i)%Z /\ (i <= 25%Z)%Z) -> ((nth (from_int 1127219200%Z) i) = true). Axiom nth_j5 : forall (i:Z), ((26%Z <= i)%Z /\ (i <= 29%Z)%Z) -> ((nth (from_int 1127219200%Z) i) = false). Axiom nth_j6 : ((nth (from_int 1127219200%Z) 30%Z) = true). Axiom nth_j7 : ((nth (from_int 1127219200%Z) 31%Z) = false). Axiom jp0_30 : forall (i:Z), ((0%Z <= i)%Z /\ (i < 30%Z)%Z) -> ((nth (from_int 2147483648%Z) i) = false). Axiom nth_const1 : forall (i:Z), ((0%Z <= i)%Z /\ (i <= 30%Z)%Z) -> ((nth1 (concat (from_int 1127219200%Z) (from_int 2147483648%Z)) i) = false). Axiom nth_const2 : ((nth1 (concat (from_int 1127219200%Z) (from_int 2147483648%Z)) 31%Z) = true). Axiom nth_const3 : forall (i:Z), ((32%Z <= i)%Z /\ (i <= 51%Z)%Z) -> ((nth1 (concat (from_int 1127219200%Z) (from_int 2147483648%Z)) i) = false). Axiom nth_const4 : forall (i:Z), ((52%Z <= i)%Z /\ (i <= 53%Z)%Z) -> ((nth1 (concat (from_int 1127219200%Z) (from_int 2147483648%Z)) i) = true). Axiom nth_const5 : forall (i:Z), ((54%Z <= i)%Z /\ (i <= 55%Z)%Z) -> ((nth1 (concat (from_int 1127219200%Z) (from_int 2147483648%Z)) i) = false). Axiom nth_const6 : forall (i:Z), ((56%Z <= i)%Z /\ (i <= 57%Z)%Z) -> ((nth1 (concat (from_int 1127219200%Z) (from_int 2147483648%Z)) i) = true). Axiom nth_const7 : forall (i:Z), ((58%Z <= i)%Z /\ (i <= 61%Z)%Z) -> ((nth1 (concat (from_int 1127219200%Z) (from_int 2147483648%Z)) i) = false). Axiom nth_const8 : ((nth1 (concat (from_int 1127219200%Z) (from_int 2147483648%Z)) 62%Z) = true). Axiom nth_const9 : ((nth1 (concat (from_int 1127219200%Z) (from_int 2147483648%Z)) 63%Z) = false). Axiom sign_const : ((nth1 (concat (from_int 1127219200%Z) (from_int 2147483648%Z)) 63%Z) = false). Open Scope Z_scope. (* Why3 goal *) Theorem exp_const : ((to_nat_sub1 (concat (from_int 1127219200%Z) (from_int 2147483648%Z)) 62%Z 52%Z) = 1075%Z). rewrite to_nat_sub_one1; auto with zarith. 2: apply nth_const8. replace (62 - 52) with 10 by omega. rewrite pow2_10. rewrite to_nat_sub_zero1; auto with zarith. 2: apply nth_const7; auto with zarith. rewrite to_nat_sub_zero1; auto with zarith. 2: apply nth_const7; auto with zarith. rewrite to_nat_sub_zero1; auto with zarith. 2: apply nth_const7; auto with zarith. rewrite to_nat_sub_zero1; auto with zarith. 2: apply nth_const7; auto with zarith. rewrite to_nat_sub_one1; auto with zarith. 2: apply nth_const6; auto with zarith. replace (62 - 1 - 1 - 1 - 1 - 1 - 52) with 5 by omega. rewrite pow2_5. rewrite to_nat_sub_one1; auto with zarith. 2: apply nth_const6; auto with zarith. replace (62 - 1 - 1 - 1 - 1 - 1 - 1 - 52) with 4 by omega. rewrite pow2_4. rewrite to_nat_sub_zero1; auto with zarith. 2: apply nth_const5; auto with zarith. rewrite to_nat_sub_zero1; auto with zarith. 2: apply nth_const5; auto with zarith. rewrite to_nat_of_one1; auto with zarith. replace (62 - 1 - 1 - 1 - 1 - 1 - 1 - 1 - 1 - 1 - 52) with 1 by omega. replace (1+1) with 2 by omega. rewrite pow2_2; auto. intros. apply nth_const4; auto with zarith. Qed. why3-1.6.0/examples/bitvectors/double_of_int/double_of_int_DoubleOfInt_from_int2c_to_nat_sub_neg_1.v000066400000000000000000000655241440160026300340730ustar00rootroot00000000000000(* This file is generated by Why3's Coq driver *) (* Beware! Only edit allowed sections below *) Require Import BuiltIn. Require BuiltIn. Require int.Int. Require int.Abs. Require int.EuclideanDivision. Require real.Real. Require real.RealInfix. Require real.FromInt. Require bool.Bool. Parameter pow2: Z -> Z. Axiom Power_0 : ((pow2 0%Z) = 1%Z). Axiom Power_s : forall (n:Z), (0%Z <= n)%Z -> ((pow2 (n + 1%Z)%Z) = (2%Z * (pow2 n))%Z). Axiom Power_1 : ((pow2 1%Z) = 2%Z). Axiom Power_sum : forall (n:Z) (m:Z), ((0%Z <= n)%Z /\ (0%Z <= m)%Z) -> ((pow2 (n + m)%Z) = ((pow2 n) * (pow2 m))%Z). Axiom pow2pos : forall (i:Z), (0%Z <= i)%Z -> (0%Z < (pow2 i))%Z. Axiom pow2_0 : ((pow2 0%Z) = 1%Z). Axiom pow2_1 : ((pow2 1%Z) = 2%Z). Axiom pow2_2 : ((pow2 2%Z) = 4%Z). Axiom pow2_3 : ((pow2 3%Z) = 8%Z). Axiom pow2_4 : ((pow2 4%Z) = 16%Z). Axiom pow2_5 : ((pow2 5%Z) = 32%Z). Axiom pow2_6 : ((pow2 6%Z) = 64%Z). Axiom pow2_7 : ((pow2 7%Z) = 128%Z). Axiom pow2_8 : ((pow2 8%Z) = 256%Z). Axiom pow2_9 : ((pow2 9%Z) = 512%Z). Axiom pow2_10 : ((pow2 10%Z) = 1024%Z). Axiom pow2_11 : ((pow2 11%Z) = 2048%Z). Axiom pow2_12 : ((pow2 12%Z) = 4096%Z). Axiom pow2_13 : ((pow2 13%Z) = 8192%Z). Axiom pow2_14 : ((pow2 14%Z) = 16384%Z). Axiom pow2_15 : ((pow2 15%Z) = 32768%Z). Axiom pow2_16 : ((pow2 16%Z) = 65536%Z). Axiom pow2_17 : ((pow2 17%Z) = 131072%Z). Axiom pow2_18 : ((pow2 18%Z) = 262144%Z). Axiom pow2_19 : ((pow2 19%Z) = 524288%Z). Axiom pow2_20 : ((pow2 20%Z) = 1048576%Z). Axiom pow2_21 : ((pow2 21%Z) = 2097152%Z). Axiom pow2_22 : ((pow2 22%Z) = 4194304%Z). Axiom pow2_23 : ((pow2 23%Z) = 8388608%Z). Axiom pow2_24 : ((pow2 24%Z) = 16777216%Z). Axiom pow2_25 : ((pow2 25%Z) = 33554432%Z). Axiom pow2_26 : ((pow2 26%Z) = 67108864%Z). Axiom pow2_27 : ((pow2 27%Z) = 134217728%Z). Axiom pow2_28 : ((pow2 28%Z) = 268435456%Z). Axiom pow2_29 : ((pow2 29%Z) = 536870912%Z). Axiom pow2_30 : ((pow2 30%Z) = 1073741824%Z). Axiom pow2_31 : ((pow2 31%Z) = 2147483648%Z). Axiom pow2_32 : ((pow2 32%Z) = 4294967296%Z). Axiom pow2_33 : ((pow2 33%Z) = 8589934592%Z). Axiom pow2_34 : ((pow2 34%Z) = 17179869184%Z). Axiom pow2_35 : ((pow2 35%Z) = 34359738368%Z). Axiom pow2_36 : ((pow2 36%Z) = 68719476736%Z). Axiom pow2_37 : ((pow2 37%Z) = 137438953472%Z). Axiom pow2_38 : ((pow2 38%Z) = 274877906944%Z). Axiom pow2_39 : ((pow2 39%Z) = 549755813888%Z). Axiom pow2_40 : ((pow2 40%Z) = 1099511627776%Z). Axiom pow2_41 : ((pow2 41%Z) = 2199023255552%Z). Axiom pow2_42 : ((pow2 42%Z) = 4398046511104%Z). Axiom pow2_43 : ((pow2 43%Z) = 8796093022208%Z). Axiom pow2_44 : ((pow2 44%Z) = 17592186044416%Z). Axiom pow2_45 : ((pow2 45%Z) = 35184372088832%Z). Axiom pow2_46 : ((pow2 46%Z) = 70368744177664%Z). Axiom pow2_47 : ((pow2 47%Z) = 140737488355328%Z). Axiom pow2_48 : ((pow2 48%Z) = 281474976710656%Z). Axiom pow2_49 : ((pow2 49%Z) = 562949953421312%Z). Axiom pow2_50 : ((pow2 50%Z) = 1125899906842624%Z). Axiom pow2_51 : ((pow2 51%Z) = 2251799813685248%Z). Axiom pow2_52 : ((pow2 52%Z) = 4503599627370496%Z). Axiom pow2_53 : ((pow2 53%Z) = 9007199254740992%Z). Axiom pow2_54 : ((pow2 54%Z) = 18014398509481984%Z). Axiom pow2_55 : ((pow2 55%Z) = 36028797018963968%Z). Axiom pow2_56 : ((pow2 56%Z) = 72057594037927936%Z). Axiom pow2_57 : ((pow2 57%Z) = 144115188075855872%Z). Axiom pow2_58 : ((pow2 58%Z) = 288230376151711744%Z). Axiom pow2_59 : ((pow2 59%Z) = 576460752303423488%Z). Axiom pow2_60 : ((pow2 60%Z) = 1152921504606846976%Z). Axiom pow2_61 : ((pow2 61%Z) = 2305843009213693952%Z). Axiom pow2_62 : ((pow2 62%Z) = 4611686018427387904%Z). Axiom pow2_63 : ((pow2 63%Z) = 9223372036854775808%Z). Axiom Div_mult_inst : forall (x:Z) (z:Z), (0%Z < x)%Z -> ((int.EuclideanDivision.div ((x * 1%Z)%Z + z)%Z x) = (1%Z + (int.EuclideanDivision.div z x))%Z). Axiom Div_double : forall (x:Z) (y:Z), ((0%Z < y)%Z /\ ((y <= x)%Z /\ (x < (2%Z * y)%Z)%Z)) -> ((int.EuclideanDivision.div x y) = 1%Z). Axiom Div_pow : forall (x:Z) (i:Z), (0%Z < i)%Z -> (((pow2 (i - 1%Z)%Z) <= x)%Z /\ (x < (pow2 i))%Z) -> ((int.EuclideanDivision.div x (pow2 (i - 1%Z)%Z)) = 1%Z). Axiom Div_double_neg : forall (x:Z) (y:Z), ((((-2%Z)%Z * y)%Z <= x)%Z /\ ((x < (-y)%Z)%Z /\ ((-y)%Z < 0%Z)%Z)) -> ((int.EuclideanDivision.div x y) = (-2%Z)%Z). Axiom Div_pow2 : forall (x:Z) (i:Z), (0%Z < i)%Z -> (((-(pow2 i))%Z <= x)%Z /\ (x < (-(pow2 (i - 1%Z)%Z))%Z)%Z) -> ((int.EuclideanDivision.div x (pow2 (i - 1%Z)%Z)) = (-2%Z)%Z). Axiom Mod_pow2_gen : forall (x:Z) (i:Z) (k:Z), ((0%Z <= k)%Z /\ (k < i)%Z) -> ((int.EuclideanDivision.mod1 (int.EuclideanDivision.div (x + (pow2 i))%Z (pow2 k)) 2%Z) = (int.EuclideanDivision.mod1 (int.EuclideanDivision.div x (pow2 k)) 2%Z)). Parameter pow21: Z -> R. Axiom Power_01 : ((pow21 0%Z) = 1%R). Axiom Power_s1 : forall (n:Z), (0%Z <= n)%Z -> ((pow21 (n + 1%Z)%Z) = (2%R * (pow21 n))%R). Axiom Power_p : forall (n:Z), (n <= 0%Z)%Z -> ((pow21 (n - 1%Z)%Z) = ((05 / 10)%R * (pow21 n))%R). Axiom Power_s_all : forall (n:Z), ((pow21 (n + 1%Z)%Z) = (2%R * (pow21 n))%R). Axiom Power_p_all : forall (n:Z), ((pow21 (n - 1%Z)%Z) = ((05 / 10)%R * (pow21 n))%R). Axiom Power_1_2 : ((05 / 10)%R = (1%R / 2%R)%R). Axiom Power_11 : ((pow21 1%Z) = 2%R). Axiom Power_neg1 : ((pow21 (-1%Z)%Z) = (05 / 10)%R). Axiom Power_non_null_aux : forall (n:Z), (0%Z <= n)%Z -> ~ ((pow21 n) = 0%R). Axiom Power_neg_aux : forall (n:Z), (0%Z <= n)%Z -> ((pow21 (-n)%Z) = (1%R / (pow21 n))%R). Axiom Power_non_null : forall (n:Z), ~ ((pow21 n) = 0%R). Axiom Power_neg : forall (n:Z), ((pow21 (-n)%Z) = (1%R / (pow21 n))%R). Axiom Power_sum_aux : forall (m:Z) (n:Z), (0%Z <= m)%Z -> ((pow21 (n + m)%Z) = ((pow21 n) * (pow21 m))%R). Axiom Power_sum1 : forall (n:Z) (m:Z), ((pow21 (n + m)%Z) = ((pow21 n) * (pow21 m))%R). Axiom Pow2_int_real : forall (x:Z), (0%Z <= x)%Z -> ((pow21 x) = (BuiltIn.IZR (pow2 x))). Axiom size_positive : (1%Z < 32%Z)%Z. Axiom bv : Type. Parameter bv_WhyType : WhyType bv. Existing Instance bv_WhyType. Parameter nth: bv -> Z -> bool. Parameter bvzero: bv. Axiom Nth_zero : forall (n:Z), ((0%Z <= n)%Z /\ (n < 32%Z)%Z) -> ((nth bvzero n) = false). Parameter bvone: bv. Axiom Nth_one : forall (n:Z), ((0%Z <= n)%Z /\ (n < 32%Z)%Z) -> ((nth bvone n) = true). (* Why3 assumption *) Definition eq (v1:bv) (v2:bv) : Prop := forall (n:Z), ((0%Z <= n)%Z /\ (n < 32%Z)%Z) -> ((nth v1 n) = (nth v2 n)). Axiom extensionality : forall (v1:bv) (v2:bv), (eq v1 v2) -> (v1 = v2). Parameter bw_and: bv -> bv -> bv. Axiom Nth_bw_and : forall (v1:bv) (v2:bv) (n:Z), ((0%Z <= n)%Z /\ (n < 32%Z)%Z) -> ((nth (bw_and v1 v2) n) = (Init.Datatypes.andb (nth v1 n) (nth v2 n))). Parameter bw_or: bv -> bv -> bv. Axiom Nth_bw_or : forall (v1:bv) (v2:bv) (n:Z), ((0%Z <= n)%Z /\ (n < 32%Z)%Z) -> ((nth (bw_or v1 v2) n) = (Init.Datatypes.orb (nth v1 n) (nth v2 n))). Parameter bw_xor: bv -> bv -> bv. Axiom Nth_bw_xor : forall (v1:bv) (v2:bv) (n:Z), ((0%Z <= n)%Z /\ (n < 32%Z)%Z) -> ((nth (bw_xor v1 v2) n) = (Init.Datatypes.xorb (nth v1 n) (nth v2 n))). Axiom Nth_bw_xor_v1true : forall (v1:bv) (v2:bv) (n:Z), (((0%Z <= n)%Z /\ (n < 32%Z)%Z) /\ ((nth v1 n) = true)) -> ((nth (bw_xor v1 v2) n) = (Init.Datatypes.negb (nth v2 n))). Axiom Nth_bw_xor_v1false : forall (v1:bv) (v2:bv) (n:Z), (((0%Z <= n)%Z /\ (n < 32%Z)%Z) /\ ((nth v1 n) = false)) -> ((nth (bw_xor v1 v2) n) = (nth v2 n)). Axiom Nth_bw_xor_v2true : forall (v1:bv) (v2:bv) (n:Z), (((0%Z <= n)%Z /\ (n < 32%Z)%Z) /\ ((nth v2 n) = true)) -> ((nth (bw_xor v1 v2) n) = (Init.Datatypes.negb (nth v1 n))). Axiom Nth_bw_xor_v2false : forall (v1:bv) (v2:bv) (n:Z), (((0%Z <= n)%Z /\ (n < 32%Z)%Z) /\ ((nth v2 n) = false)) -> ((nth (bw_xor v1 v2) n) = (nth v1 n)). Parameter bw_not: bv -> bv. Axiom Nth_bw_not : forall (v:bv) (n:Z), ((0%Z <= n)%Z /\ (n < 32%Z)%Z) -> ((nth (bw_not v) n) = (Init.Datatypes.negb (nth v n))). Parameter lsr: bv -> Z -> bv. Axiom lsr_nth_low : forall (b:bv) (n:Z) (s:Z), (((0%Z <= n)%Z /\ (n < 32%Z)%Z) /\ (((0%Z <= s)%Z /\ (s < 32%Z)%Z) /\ ((n + s)%Z < 32%Z)%Z)) -> ((nth (lsr b s) n) = (nth b (n + s)%Z)). Axiom lsr_nth_high : forall (b:bv) (n:Z) (s:Z), (((0%Z <= n)%Z /\ (n < 32%Z)%Z) /\ (((0%Z <= s)%Z /\ (s < 32%Z)%Z) /\ (32%Z <= (n + s)%Z)%Z)) -> ((nth (lsr b s) n) = false). Parameter asr: bv -> Z -> bv. Axiom asr_nth_low : forall (b:bv) (n:Z) (s:Z), ((0%Z <= n)%Z /\ (n < 32%Z)%Z) -> (0%Z <= s)%Z -> ((n + s)%Z < 32%Z)%Z -> ((nth (asr b s) n) = (nth b (n + s)%Z)). Axiom asr_nth_high : forall (b:bv) (n:Z) (s:Z), ((0%Z <= n)%Z /\ (n < 32%Z)%Z) -> (0%Z <= s)%Z -> (32%Z <= (n + s)%Z)%Z -> ((nth (asr b s) n) = (nth b (32%Z - 1%Z)%Z)). Parameter lsl: bv -> Z -> bv. Axiom lsl_nth_high : forall (b:bv) (n:Z) (s:Z), ((0%Z <= n)%Z /\ (n < 32%Z)%Z) -> (0%Z <= s)%Z -> (0%Z <= (n - s)%Z)%Z -> ((nth (lsl b s) n) = (nth b (n - s)%Z)). Axiom lsl_nth_low : forall (b:bv) (n:Z) (s:Z), ((0%Z <= n)%Z /\ (n < 32%Z)%Z) -> (0%Z <= s)%Z -> ((n - s)%Z < 0%Z)%Z -> ((nth (lsl b s) n) = false). Parameter to_nat_sub: bv -> Z -> Z -> Z. Axiom to_nat_sub_zero : forall (b:bv) (j:Z) (i:Z), ((0%Z <= i)%Z /\ ((i <= j)%Z /\ (j < 32%Z)%Z)) -> ((nth b j) = false) -> ((to_nat_sub b j i) = (to_nat_sub b (j - 1%Z)%Z i)). Axiom to_nat_sub_one : forall (b:bv) (j:Z) (i:Z), ((0%Z <= i)%Z /\ ((i <= j)%Z /\ (j < 32%Z)%Z)) -> ((nth b j) = true) -> ((to_nat_sub b j i) = ((pow2 (j - i)%Z) + (to_nat_sub b (j - 1%Z)%Z i))%Z). Axiom to_nat_sub_high : forall (b:bv) (j:Z) (i:Z), (j < i)%Z -> ((to_nat_sub b j i) = 0%Z). Axiom to_nat_of_zero2 : forall (b:bv) (i:Z) (j:Z), ((j < 32%Z)%Z /\ ((i <= j)%Z /\ (0%Z <= i)%Z)) -> (forall (k:Z), ((k <= j)%Z /\ (i < k)%Z) -> ((nth b k) = false)) -> ((to_nat_sub b j 0%Z) = (to_nat_sub b i 0%Z)). Axiom to_nat_of_zero : forall (b:bv) (j:Z) (i:Z), ((j < 32%Z)%Z /\ (0%Z <= i)%Z) -> (forall (k:Z), ((k <= j)%Z /\ (i <= k)%Z) -> ((nth b k) = false)) -> ((to_nat_sub b j i) = 0%Z). Axiom to_nat_of_one : forall (b:bv) (i:Z) (j:Z), ((j < 32%Z)%Z /\ ((i <= j)%Z /\ (0%Z <= i)%Z)) -> (forall (k:Z), ((k <= j)%Z /\ (i <= k)%Z) -> ((nth b k) = true)) -> ((to_nat_sub b j i) = ((pow2 ((j - i)%Z + 1%Z)%Z) - 1%Z)%Z). Axiom to_nat_sub_footprint : forall (b1:bv) (b2:bv) (j:Z) (i:Z), ((j < 32%Z)%Z /\ (0%Z <= i)%Z) -> (forall (k:Z), ((i <= k)%Z /\ (k <= j)%Z) -> ((nth b1 k) = (nth b2 k))) -> ((to_nat_sub b1 j i) = (to_nat_sub b2 j i)). Parameter from_int: Z -> bv. Axiom nth_from_int_high_even : forall (n:Z) (i:Z), (((i < 32%Z)%Z /\ (0%Z <= i)%Z) /\ ((int.EuclideanDivision.mod1 (int.EuclideanDivision.div n (pow2 i)) 2%Z) = 0%Z)) -> ((nth (from_int n) i) = false). Axiom nth_from_int_high_odd : forall (n:Z) (i:Z), (((i < 32%Z)%Z /\ (0%Z <= i)%Z) /\ ~ ((int.EuclideanDivision.mod1 (int.EuclideanDivision.div n (pow2 i)) 2%Z) = 0%Z)) -> ((nth (from_int n) i) = true). Axiom nth_from_int_low_even : forall (n:Z), ((int.EuclideanDivision.mod1 n 2%Z) = 0%Z) -> ((nth (from_int n) 0%Z) = false). Axiom nth_from_int_low_odd : forall (n:Z), ~ ((int.EuclideanDivision.mod1 n 2%Z) = 0%Z) -> ((nth (from_int n) 0%Z) = true). Axiom nth_from_int_0 : forall (i:Z), ((i < 32%Z)%Z /\ (0%Z <= i)%Z) -> ((nth (from_int 0%Z) i) = false). Parameter from_int2c: Z -> bv. Axiom nth_sign_positive : forall (n:Z), (0%Z <= n)%Z -> ((nth (from_int2c n) (32%Z - 1%Z)%Z) = false). Axiom nth_sign_negative : forall (n:Z), (n < 0%Z)%Z -> ((nth (from_int2c n) (32%Z - 1%Z)%Z) = true). Axiom nth_from_int2c_high_even : forall (n:Z) (i:Z), (((i < (32%Z - 1%Z)%Z)%Z /\ (0%Z <= i)%Z) /\ ((int.EuclideanDivision.mod1 (int.EuclideanDivision.div n (pow2 i)) 2%Z) = 0%Z)) -> ((nth (from_int2c n) i) = false). Axiom nth_from_int2c_high_odd : forall (n:Z) (i:Z), (((i < (32%Z - 1%Z)%Z)%Z /\ (0%Z <= i)%Z) /\ ~ ((int.EuclideanDivision.mod1 (int.EuclideanDivision.div n (pow2 i)) 2%Z) = 0%Z)) -> ((nth (from_int2c n) i) = true). Axiom nth_from_int2c_low_even : forall (n:Z), ((int.EuclideanDivision.mod1 n 2%Z) = 0%Z) -> ((nth (from_int2c n) 0%Z) = false). Axiom nth_from_int2c_low_odd : forall (n:Z), ~ ((int.EuclideanDivision.mod1 n 2%Z) = 0%Z) -> ((nth (from_int2c n) 0%Z) = true). Axiom nth_from_int2c_0 : forall (i:Z), ((i < 32%Z)%Z /\ (0%Z <= i)%Z) -> ((nth (from_int2c 0%Z) i) = false). Axiom nth_from_int2c_plus_pow2 : forall (x:Z) (k:Z) (i:Z), (((0%Z <= k)%Z /\ (k < i)%Z) /\ (k < (32%Z - 1%Z)%Z)%Z) -> ((nth (from_int2c (x + (pow2 i))%Z) k) = (nth (from_int2c x) k)). Axiom size_positive1 : (1%Z < 64%Z)%Z. Axiom bv1 : Type. Parameter bv1_WhyType : WhyType bv1. Existing Instance bv1_WhyType. Parameter nth1: bv1 -> Z -> bool. Parameter bvzero1: bv1. Axiom Nth_zero1 : forall (n:Z), ((0%Z <= n)%Z /\ (n < 64%Z)%Z) -> ((nth1 bvzero1 n) = false). Parameter bvone1: bv1. Axiom Nth_one1 : forall (n:Z), ((0%Z <= n)%Z /\ (n < 64%Z)%Z) -> ((nth1 bvone1 n) = true). (* Why3 assumption *) Definition eq1 (v1:bv1) (v2:bv1) : Prop := forall (n:Z), ((0%Z <= n)%Z /\ (n < 64%Z)%Z) -> ((nth1 v1 n) = (nth1 v2 n)). Axiom extensionality1 : forall (v1:bv1) (v2:bv1), (eq1 v1 v2) -> (v1 = v2). Parameter bw_and1: bv1 -> bv1 -> bv1. Axiom Nth_bw_and1 : forall (v1:bv1) (v2:bv1) (n:Z), ((0%Z <= n)%Z /\ (n < 64%Z)%Z) -> ((nth1 (bw_and1 v1 v2) n) = (Init.Datatypes.andb (nth1 v1 n) (nth1 v2 n))). Parameter bw_or1: bv1 -> bv1 -> bv1. Axiom Nth_bw_or1 : forall (v1:bv1) (v2:bv1) (n:Z), ((0%Z <= n)%Z /\ (n < 64%Z)%Z) -> ((nth1 (bw_or1 v1 v2) n) = (Init.Datatypes.orb (nth1 v1 n) (nth1 v2 n))). Parameter bw_xor1: bv1 -> bv1 -> bv1. Axiom Nth_bw_xor1 : forall (v1:bv1) (v2:bv1) (n:Z), ((0%Z <= n)%Z /\ (n < 64%Z)%Z) -> ((nth1 (bw_xor1 v1 v2) n) = (Init.Datatypes.xorb (nth1 v1 n) (nth1 v2 n))). Axiom Nth_bw_xor_v1true1 : forall (v1:bv1) (v2:bv1) (n:Z), (((0%Z <= n)%Z /\ (n < 64%Z)%Z) /\ ((nth1 v1 n) = true)) -> ((nth1 (bw_xor1 v1 v2) n) = (Init.Datatypes.negb (nth1 v2 n))). Axiom Nth_bw_xor_v1false1 : forall (v1:bv1) (v2:bv1) (n:Z), (((0%Z <= n)%Z /\ (n < 64%Z)%Z) /\ ((nth1 v1 n) = false)) -> ((nth1 (bw_xor1 v1 v2) n) = (nth1 v2 n)). Axiom Nth_bw_xor_v2true1 : forall (v1:bv1) (v2:bv1) (n:Z), (((0%Z <= n)%Z /\ (n < 64%Z)%Z) /\ ((nth1 v2 n) = true)) -> ((nth1 (bw_xor1 v1 v2) n) = (Init.Datatypes.negb (nth1 v1 n))). Axiom Nth_bw_xor_v2false1 : forall (v1:bv1) (v2:bv1) (n:Z), (((0%Z <= n)%Z /\ (n < 64%Z)%Z) /\ ((nth1 v2 n) = false)) -> ((nth1 (bw_xor1 v1 v2) n) = (nth1 v1 n)). Parameter bw_not1: bv1 -> bv1. Axiom Nth_bw_not1 : forall (v:bv1) (n:Z), ((0%Z <= n)%Z /\ (n < 64%Z)%Z) -> ((nth1 (bw_not1 v) n) = (Init.Datatypes.negb (nth1 v n))). Parameter lsr1: bv1 -> Z -> bv1. Axiom lsr_nth_low1 : forall (b:bv1) (n:Z) (s:Z), (((0%Z <= n)%Z /\ (n < 64%Z)%Z) /\ (((0%Z <= s)%Z /\ (s < 64%Z)%Z) /\ ((n + s)%Z < 64%Z)%Z)) -> ((nth1 (lsr1 b s) n) = (nth1 b (n + s)%Z)). Axiom lsr_nth_high1 : forall (b:bv1) (n:Z) (s:Z), (((0%Z <= n)%Z /\ (n < 64%Z)%Z) /\ (((0%Z <= s)%Z /\ (s < 64%Z)%Z) /\ (64%Z <= (n + s)%Z)%Z)) -> ((nth1 (lsr1 b s) n) = false). Parameter asr1: bv1 -> Z -> bv1. Axiom asr_nth_low1 : forall (b:bv1) (n:Z) (s:Z), ((0%Z <= n)%Z /\ (n < 64%Z)%Z) -> (0%Z <= s)%Z -> ((n + s)%Z < 64%Z)%Z -> ((nth1 (asr1 b s) n) = (nth1 b (n + s)%Z)). Axiom asr_nth_high1 : forall (b:bv1) (n:Z) (s:Z), ((0%Z <= n)%Z /\ (n < 64%Z)%Z) -> (0%Z <= s)%Z -> (64%Z <= (n + s)%Z)%Z -> ((nth1 (asr1 b s) n) = (nth1 b (64%Z - 1%Z)%Z)). Parameter lsl1: bv1 -> Z -> bv1. Axiom lsl_nth_high1 : forall (b:bv1) (n:Z) (s:Z), ((0%Z <= n)%Z /\ (n < 64%Z)%Z) -> (0%Z <= s)%Z -> (0%Z <= (n - s)%Z)%Z -> ((nth1 (lsl1 b s) n) = (nth1 b (n - s)%Z)). Axiom lsl_nth_low1 : forall (b:bv1) (n:Z) (s:Z), ((0%Z <= n)%Z /\ (n < 64%Z)%Z) -> (0%Z <= s)%Z -> ((n - s)%Z < 0%Z)%Z -> ((nth1 (lsl1 b s) n) = false). Parameter to_nat_sub1: bv1 -> Z -> Z -> Z. Axiom to_nat_sub_zero1 : forall (b:bv1) (j:Z) (i:Z), ((0%Z <= i)%Z /\ ((i <= j)%Z /\ (j < 64%Z)%Z)) -> ((nth1 b j) = false) -> ((to_nat_sub1 b j i) = (to_nat_sub1 b (j - 1%Z)%Z i)). Axiom to_nat_sub_one1 : forall (b:bv1) (j:Z) (i:Z), ((0%Z <= i)%Z /\ ((i <= j)%Z /\ (j < 64%Z)%Z)) -> ((nth1 b j) = true) -> ((to_nat_sub1 b j i) = ((pow2 (j - i)%Z) + (to_nat_sub1 b (j - 1%Z)%Z i))%Z). Axiom to_nat_sub_high1 : forall (b:bv1) (j:Z) (i:Z), (j < i)%Z -> ((to_nat_sub1 b j i) = 0%Z). Axiom to_nat_of_zero21 : forall (b:bv1) (i:Z) (j:Z), ((j < 64%Z)%Z /\ ((i <= j)%Z /\ (0%Z <= i)%Z)) -> (forall (k:Z), ((k <= j)%Z /\ (i < k)%Z) -> ((nth1 b k) = false)) -> ((to_nat_sub1 b j 0%Z) = (to_nat_sub1 b i 0%Z)). Axiom to_nat_of_zero1 : forall (b:bv1) (j:Z) (i:Z), ((j < 64%Z)%Z /\ (0%Z <= i)%Z) -> (forall (k:Z), ((k <= j)%Z /\ (i <= k)%Z) -> ((nth1 b k) = false)) -> ((to_nat_sub1 b j i) = 0%Z). Axiom to_nat_of_one1 : forall (b:bv1) (i:Z) (j:Z), ((j < 64%Z)%Z /\ ((i <= j)%Z /\ (0%Z <= i)%Z)) -> (forall (k:Z), ((k <= j)%Z /\ (i <= k)%Z) -> ((nth1 b k) = true)) -> ((to_nat_sub1 b j i) = ((pow2 ((j - i)%Z + 1%Z)%Z) - 1%Z)%Z). Axiom to_nat_sub_footprint1 : forall (b1:bv1) (b2:bv1) (j:Z) (i:Z), ((j < 64%Z)%Z /\ (0%Z <= i)%Z) -> (forall (k:Z), ((i <= k)%Z /\ (k <= j)%Z) -> ((nth1 b1 k) = (nth1 b2 k))) -> ((to_nat_sub1 b1 j i) = (to_nat_sub1 b2 j i)). Parameter from_int1: Z -> bv1. Axiom nth_from_int_high_even1 : forall (n:Z) (i:Z), (((i < 64%Z)%Z /\ (0%Z <= i)%Z) /\ ((int.EuclideanDivision.mod1 (int.EuclideanDivision.div n (pow2 i)) 2%Z) = 0%Z)) -> ((nth1 (from_int1 n) i) = false). Axiom nth_from_int_high_odd1 : forall (n:Z) (i:Z), (((i < 64%Z)%Z /\ (0%Z <= i)%Z) /\ ~ ((int.EuclideanDivision.mod1 (int.EuclideanDivision.div n (pow2 i)) 2%Z) = 0%Z)) -> ((nth1 (from_int1 n) i) = true). Axiom nth_from_int_low_even1 : forall (n:Z), ((int.EuclideanDivision.mod1 n 2%Z) = 0%Z) -> ((nth1 (from_int1 n) 0%Z) = false). Axiom nth_from_int_low_odd1 : forall (n:Z), ~ ((int.EuclideanDivision.mod1 n 2%Z) = 0%Z) -> ((nth1 (from_int1 n) 0%Z) = true). Axiom nth_from_int_01 : forall (i:Z), ((i < 64%Z)%Z /\ (0%Z <= i)%Z) -> ((nth1 (from_int1 0%Z) i) = false). Parameter from_int2c1: Z -> bv1. Axiom nth_sign_positive1 : forall (n:Z), (0%Z <= n)%Z -> ((nth1 (from_int2c1 n) (64%Z - 1%Z)%Z) = false). Axiom nth_sign_negative1 : forall (n:Z), (n < 0%Z)%Z -> ((nth1 (from_int2c1 n) (64%Z - 1%Z)%Z) = true). Axiom nth_from_int2c_high_even1 : forall (n:Z) (i:Z), (((i < (64%Z - 1%Z)%Z)%Z /\ (0%Z <= i)%Z) /\ ((int.EuclideanDivision.mod1 (int.EuclideanDivision.div n (pow2 i)) 2%Z) = 0%Z)) -> ((nth1 (from_int2c1 n) i) = false). Axiom nth_from_int2c_high_odd1 : forall (n:Z) (i:Z), (((i < (64%Z - 1%Z)%Z)%Z /\ (0%Z <= i)%Z) /\ ~ ((int.EuclideanDivision.mod1 (int.EuclideanDivision.div n (pow2 i)) 2%Z) = 0%Z)) -> ((nth1 (from_int2c1 n) i) = true). Axiom nth_from_int2c_low_even1 : forall (n:Z), ((int.EuclideanDivision.mod1 n 2%Z) = 0%Z) -> ((nth1 (from_int2c1 n) 0%Z) = false). Axiom nth_from_int2c_low_odd1 : forall (n:Z), ~ ((int.EuclideanDivision.mod1 n 2%Z) = 0%Z) -> ((nth1 (from_int2c1 n) 0%Z) = true). Axiom nth_from_int2c_01 : forall (i:Z), ((i < 64%Z)%Z /\ (0%Z <= i)%Z) -> ((nth1 (from_int2c1 0%Z) i) = false). Axiom nth_from_int2c_plus_pow21 : forall (x:Z) (k:Z) (i:Z), (((0%Z <= k)%Z /\ (k < i)%Z) /\ (k < (64%Z - 1%Z)%Z)%Z) -> ((nth1 (from_int2c1 (x + (pow2 i))%Z) k) = (nth1 (from_int2c1 x) k)). Parameter concat: bv -> bv -> bv1. Axiom concat_low : forall (b1:bv) (b2:bv), forall (i:Z), ((0%Z <= i)%Z /\ (i < 32%Z)%Z) -> ((nth1 (concat b1 b2) i) = (nth b2 i)). Axiom concat_high : forall (b1:bv) (b2:bv), forall (i:Z), ((32%Z <= i)%Z /\ (i < 64%Z)%Z) -> ((nth1 (concat b1 b2) i) = (nth b1 (i - 32%Z)%Z)). Parameter double_of_bv64: bv1 -> R. Parameter sign_value: bool -> R. Axiom sign_value_false : ((sign_value false) = 1%R). Axiom sign_value_true : ((sign_value true) = (-1%R)%R). Axiom zero : forall (b:bv1), (((to_nat_sub1 b 62%Z 52%Z) = 0%Z) /\ ((to_nat_sub1 b 51%Z 0%Z) = 0%Z)) -> ((double_of_bv64 b) = 0%R). Axiom sign_of_double_positive : forall (b:bv1), ((nth1 b 63%Z) = false) -> (0%R <= (double_of_bv64 b))%R. Axiom sign_of_double_negative : forall (b:bv1), ((nth1 b 63%Z) = true) -> ((double_of_bv64 b) <= 0%R)%R. Axiom double_of_bv64_value : forall (b:bv1), ((0%Z < (to_nat_sub1 b 62%Z 52%Z))%Z /\ ((to_nat_sub1 b 62%Z 52%Z) < 2047%Z)%Z) -> ((double_of_bv64 b) = (((sign_value (nth1 b 63%Z)) * (pow21 ((to_nat_sub1 b 62%Z 52%Z) - 1023%Z)%Z))%R * (1%R + ((BuiltIn.IZR (to_nat_sub1 b 51%Z 0%Z)) * (pow21 (-52%Z)%Z))%R)%R)%R). Axiom nth_j1 : forall (i:Z), ((0%Z <= i)%Z /\ (i <= 19%Z)%Z) -> ((nth (from_int 1127219200%Z) i) = false). Axiom nth_j2 : forall (i:Z), ((20%Z <= i)%Z /\ (i <= 21%Z)%Z) -> ((nth (from_int 1127219200%Z) i) = true). Axiom nth_j3 : forall (i:Z), ((22%Z <= i)%Z /\ (i <= 23%Z)%Z) -> ((nth (from_int 1127219200%Z) i) = false). Axiom nth_j4 : forall (i:Z), ((24%Z <= i)%Z /\ (i <= 25%Z)%Z) -> ((nth (from_int 1127219200%Z) i) = true). Axiom nth_j5 : forall (i:Z), ((26%Z <= i)%Z /\ (i <= 29%Z)%Z) -> ((nth (from_int 1127219200%Z) i) = false). Axiom nth_j6 : ((nth (from_int 1127219200%Z) 30%Z) = true). Axiom nth_j7 : ((nth (from_int 1127219200%Z) 31%Z) = false). Axiom jp0_30 : forall (i:Z), ((0%Z <= i)%Z /\ (i < 30%Z)%Z) -> ((nth (from_int 2147483648%Z) i) = false). Axiom nth_const1 : forall (i:Z), ((0%Z <= i)%Z /\ (i <= 30%Z)%Z) -> ((nth1 (concat (from_int 1127219200%Z) (from_int 2147483648%Z)) i) = false). Axiom nth_const2 : ((nth1 (concat (from_int 1127219200%Z) (from_int 2147483648%Z)) 31%Z) = true). Axiom nth_const3 : forall (i:Z), ((32%Z <= i)%Z /\ (i <= 51%Z)%Z) -> ((nth1 (concat (from_int 1127219200%Z) (from_int 2147483648%Z)) i) = false). Axiom nth_const4 : forall (i:Z), ((52%Z <= i)%Z /\ (i <= 53%Z)%Z) -> ((nth1 (concat (from_int 1127219200%Z) (from_int 2147483648%Z)) i) = true). Axiom nth_const5 : forall (i:Z), ((54%Z <= i)%Z /\ (i <= 55%Z)%Z) -> ((nth1 (concat (from_int 1127219200%Z) (from_int 2147483648%Z)) i) = false). Axiom nth_const6 : forall (i:Z), ((56%Z <= i)%Z /\ (i <= 57%Z)%Z) -> ((nth1 (concat (from_int 1127219200%Z) (from_int 2147483648%Z)) i) = true). Axiom nth_const7 : forall (i:Z), ((58%Z <= i)%Z /\ (i <= 61%Z)%Z) -> ((nth1 (concat (from_int 1127219200%Z) (from_int 2147483648%Z)) i) = false). Axiom nth_const8 : ((nth1 (concat (from_int 1127219200%Z) (from_int 2147483648%Z)) 62%Z) = true). Axiom nth_const9 : ((nth1 (concat (from_int 1127219200%Z) (from_int 2147483648%Z)) 63%Z) = false). Axiom sign_const : ((nth1 (concat (from_int 1127219200%Z) (from_int 2147483648%Z)) 63%Z) = false). Axiom exp_const : ((to_nat_sub1 (concat (from_int 1127219200%Z) (from_int 2147483648%Z)) 62%Z 52%Z) = 1075%Z). Axiom to_nat_mantissa_1 : ((to_nat_sub1 (concat (from_int 1127219200%Z) (from_int 2147483648%Z)) 30%Z 0%Z) = 0%Z). Axiom mantissa_const_nth2 : forall (i:Z), ((32%Z <= i)%Z /\ (i <= 51%Z)%Z) -> ((nth1 (concat (from_int 1127219200%Z) (from_int 2147483648%Z)) i) = false). Axiom mantissa_const_to_nat51 : ((to_nat_sub1 (concat (from_int 1127219200%Z) (from_int 2147483648%Z)) 51%Z 0%Z) = (to_nat_sub1 (concat (from_int 1127219200%Z) (from_int 2147483648%Z)) 31%Z 0%Z)). Axiom mantissa_const : ((to_nat_sub1 (concat (from_int 1127219200%Z) (from_int 2147483648%Z)) 51%Z 0%Z) = (pow2 31%Z)). Axiom real1075m1023 : ((BuiltIn.IZR (1075%Z - 1023%Z)%Z) = 52%R). Axiom real1075m1023_2 : ((1075%R - 1023%R)%R = 52%R). Axiom real52_a_m52 : ((((pow21 (1075%Z - 1023%Z)%Z) * (pow21 31%Z))%R * (pow21 (-52%Z)%Z))%R = (pow21 31%Z)). Axiom const_value0 : ((double_of_bv64 (concat (from_int 1127219200%Z) (from_int 2147483648%Z))) = ((1%R * (pow21 (1075%Z - 1023%Z)%Z))%R * (1%R + ((pow21 31%Z) * (pow21 (-52%Z)%Z))%R)%R)%R). Axiom const_value : ((double_of_bv64 (concat (from_int 1127219200%Z) (from_int 2147483648%Z))) = ((pow21 52%Z) + (pow21 31%Z))%R). (* Why3 assumption *) Definition jpxor (i:Z) : bv := bw_xor (from_int 2147483648%Z) (from_int2c i). (* Why3 assumption *) Definition var (i:Z) : bv1 := concat (from_int 1127219200%Z) (jpxor i). (* Why3 assumption *) Definition var_as_double (x:Z) : R := double_of_bv64 (var x). (* Why3 assumption *) Definition is_int32 (x:Z) : Prop := ((-(pow2 31%Z))%Z <= x)%Z /\ (x < (pow2 31%Z))%Z. Axiom nth_0_30 : forall (x:Z), forall (i:Z), ((is_int32 x) /\ ((0%Z <= i)%Z /\ (i <= 30%Z)%Z)) -> ((nth (bw_xor (from_int 2147483648%Z) (from_int2c x)) i) = (nth (from_int2c x) i)). Axiom nth_jpxor_0_30 : forall (x:Z), forall (i:Z), ((is_int32 x) /\ ((0%Z <= i)%Z /\ (i <= 30%Z)%Z)) -> ((nth (jpxor x) i) = (nth (from_int2c x) i)). Axiom nth_var31 : forall (x:Z), ((nth (jpxor x) 31%Z) = (Init.Datatypes.negb (nth (from_int2c x) 31%Z))). Axiom to_nat_sub_0_30 : forall (x:Z), (is_int32 x) -> ((to_nat_sub (bw_xor (from_int 2147483648%Z) (from_int2c x)) 30%Z 0%Z) = (to_nat_sub (from_int2c x) 30%Z 0%Z)). Axiom jpxorx_pos : forall (x:Z), (0%Z <= x)%Z -> ((nth (bw_xor (from_int 2147483648%Z) (from_int2c x)) 31%Z) = true). Axiom from_int2c_to_nat_sub_pos : forall (i:Z), ((0%Z <= i)%Z /\ (i <= 31%Z)%Z) -> forall (x:Z), ((0%Z <= x)%Z /\ (x < (pow2 i))%Z) -> ((to_nat_sub (from_int2c x) (i - 1%Z)%Z 0%Z) = x). Axiom lemma1_pos : forall (x:Z), ((is_int32 x) /\ (0%Z <= x)%Z) -> ((to_nat_sub (jpxor x) 31%Z 0%Z) = ((pow2 31%Z) + x)%Z). Axiom jpxorx_neg : forall (x:Z), (x < 0%Z)%Z -> ((nth (bw_xor (from_int 2147483648%Z) (from_int2c x)) 31%Z) = false). Open Scope Z_scope. (* Why3 goal *) Theorem from_int2c_to_nat_sub_neg : forall (i:Z), ((0%Z <= i)%Z /\ (i <= 31%Z)%Z) -> forall (x:Z), (((-(pow2 i))%Z <= x)%Z /\ (x < 0%Z)%Z) -> ((to_nat_sub (from_int2c x) (i - 1%Z)%Z 0%Z) = ((pow2 i) + x)%Z). (* Why3 intros i (h1,h2) x (h3,h4). *) intros i (h1 & h2). generalize h1 h2. pattern i; apply Z_lt_induction; auto. clear i h1 h2. intros i Hind Hi_pos Hi j Hj. assert (h:(i=0 \/ 0 < i)) by omega. destruct h. (* case i = 0 *) rewrite to_nat_sub_high. subst i; simpl in Hj. rewrite pow2_0 in *. omega. omega. (* case i > 0 *) assert (h:(-pow2 (i-1) <= j < 0 )\/ (-pow2 i <= j < - pow2 (i-1))) by omega. destruct h. (* sub-case (-pow2 (i-1) <= j < 0*) rewrite to_nat_sub_one; auto with zarith. rewrite Hind with (x:= j)(y:=i-1);auto with zarith. replace (i-1-0) with (i-1) by omega. replace i with ((i-1)+1) at 3. rewrite (Power_s (i-1)). omega. omega. omega. apply nth_from_int2c_high_odd; split; auto with zarith. pose (j':= -j). replace (j) with (-j') by (subst j';omega). (* TODO *) rewrite EuclideanDivision.Div_inf_neg. rewrite EuclideanDivision.Mod_minus1_left;auto with zarith. subst j';omega. (* sub-case 2^(i0-1) <= x0 < 2^i0*) rewrite to_nat_sub_zero; auto with zarith. rewrite to_nat_sub_footprint with (b2 := (from_int2c (j + pow2 (i-1)))); auto with zarith. rewrite Hind; auto with zarith. replace i with ((i-1)+1) at 3. rewrite (Power_s (i-1)). omega. omega. omega. assert (pow2 i = 2 * pow2 (i-1)). replace i with ((i-1)+1) at 1. rewrite (Power_s (i-1)); omega. omega. omega. intros. symmetry. apply nth_from_int2c_plus_pow2. omega. rewrite nth_from_int2c_high_even; auto with zarith. split;auto with zarith. rewrite Div_pow2; auto. Qed. why3-1.6.0/examples/bitvectors/double_of_int/double_of_int_DoubleOfInt_from_int2c_to_nat_sub_pos_1.v000066400000000000000000000643361440160026300341230ustar00rootroot00000000000000(* This file is generated by Why3's Coq driver *) (* Beware! Only edit allowed sections below *) Require Import BuiltIn. Require BuiltIn. Require int.Int. Require int.Abs. Require int.EuclideanDivision. Require real.Real. Require real.RealInfix. Require real.FromInt. Require bool.Bool. Parameter pow2: Z -> Z. Axiom Power_0 : ((pow2 0%Z) = 1%Z). Axiom Power_s : forall (n:Z), (0%Z <= n)%Z -> ((pow2 (n + 1%Z)%Z) = (2%Z * (pow2 n))%Z). Axiom Power_1 : ((pow2 1%Z) = 2%Z). Axiom Power_sum : forall (n:Z) (m:Z), ((0%Z <= n)%Z /\ (0%Z <= m)%Z) -> ((pow2 (n + m)%Z) = ((pow2 n) * (pow2 m))%Z). Axiom pow2pos : forall (i:Z), (0%Z <= i)%Z -> (0%Z < (pow2 i))%Z. Axiom pow2_0 : ((pow2 0%Z) = 1%Z). Axiom pow2_1 : ((pow2 1%Z) = 2%Z). Axiom pow2_2 : ((pow2 2%Z) = 4%Z). Axiom pow2_3 : ((pow2 3%Z) = 8%Z). Axiom pow2_4 : ((pow2 4%Z) = 16%Z). Axiom pow2_5 : ((pow2 5%Z) = 32%Z). Axiom pow2_6 : ((pow2 6%Z) = 64%Z). Axiom pow2_7 : ((pow2 7%Z) = 128%Z). Axiom pow2_8 : ((pow2 8%Z) = 256%Z). Axiom pow2_9 : ((pow2 9%Z) = 512%Z). Axiom pow2_10 : ((pow2 10%Z) = 1024%Z). Axiom pow2_11 : ((pow2 11%Z) = 2048%Z). Axiom pow2_12 : ((pow2 12%Z) = 4096%Z). Axiom pow2_13 : ((pow2 13%Z) = 8192%Z). Axiom pow2_14 : ((pow2 14%Z) = 16384%Z). Axiom pow2_15 : ((pow2 15%Z) = 32768%Z). Axiom pow2_16 : ((pow2 16%Z) = 65536%Z). Axiom pow2_17 : ((pow2 17%Z) = 131072%Z). Axiom pow2_18 : ((pow2 18%Z) = 262144%Z). Axiom pow2_19 : ((pow2 19%Z) = 524288%Z). Axiom pow2_20 : ((pow2 20%Z) = 1048576%Z). Axiom pow2_21 : ((pow2 21%Z) = 2097152%Z). Axiom pow2_22 : ((pow2 22%Z) = 4194304%Z). Axiom pow2_23 : ((pow2 23%Z) = 8388608%Z). Axiom pow2_24 : ((pow2 24%Z) = 16777216%Z). Axiom pow2_25 : ((pow2 25%Z) = 33554432%Z). Axiom pow2_26 : ((pow2 26%Z) = 67108864%Z). Axiom pow2_27 : ((pow2 27%Z) = 134217728%Z). Axiom pow2_28 : ((pow2 28%Z) = 268435456%Z). Axiom pow2_29 : ((pow2 29%Z) = 536870912%Z). Axiom pow2_30 : ((pow2 30%Z) = 1073741824%Z). Axiom pow2_31 : ((pow2 31%Z) = 2147483648%Z). Axiom pow2_32 : ((pow2 32%Z) = 4294967296%Z). Axiom pow2_33 : ((pow2 33%Z) = 8589934592%Z). Axiom pow2_34 : ((pow2 34%Z) = 17179869184%Z). Axiom pow2_35 : ((pow2 35%Z) = 34359738368%Z). Axiom pow2_36 : ((pow2 36%Z) = 68719476736%Z). Axiom pow2_37 : ((pow2 37%Z) = 137438953472%Z). Axiom pow2_38 : ((pow2 38%Z) = 274877906944%Z). Axiom pow2_39 : ((pow2 39%Z) = 549755813888%Z). Axiom pow2_40 : ((pow2 40%Z) = 1099511627776%Z). Axiom pow2_41 : ((pow2 41%Z) = 2199023255552%Z). Axiom pow2_42 : ((pow2 42%Z) = 4398046511104%Z). Axiom pow2_43 : ((pow2 43%Z) = 8796093022208%Z). Axiom pow2_44 : ((pow2 44%Z) = 17592186044416%Z). Axiom pow2_45 : ((pow2 45%Z) = 35184372088832%Z). Axiom pow2_46 : ((pow2 46%Z) = 70368744177664%Z). Axiom pow2_47 : ((pow2 47%Z) = 140737488355328%Z). Axiom pow2_48 : ((pow2 48%Z) = 281474976710656%Z). Axiom pow2_49 : ((pow2 49%Z) = 562949953421312%Z). Axiom pow2_50 : ((pow2 50%Z) = 1125899906842624%Z). Axiom pow2_51 : ((pow2 51%Z) = 2251799813685248%Z). Axiom pow2_52 : ((pow2 52%Z) = 4503599627370496%Z). Axiom pow2_53 : ((pow2 53%Z) = 9007199254740992%Z). Axiom pow2_54 : ((pow2 54%Z) = 18014398509481984%Z). Axiom pow2_55 : ((pow2 55%Z) = 36028797018963968%Z). Axiom pow2_56 : ((pow2 56%Z) = 72057594037927936%Z). Axiom pow2_57 : ((pow2 57%Z) = 144115188075855872%Z). Axiom pow2_58 : ((pow2 58%Z) = 288230376151711744%Z). Axiom pow2_59 : ((pow2 59%Z) = 576460752303423488%Z). Axiom pow2_60 : ((pow2 60%Z) = 1152921504606846976%Z). Axiom pow2_61 : ((pow2 61%Z) = 2305843009213693952%Z). Axiom pow2_62 : ((pow2 62%Z) = 4611686018427387904%Z). Axiom pow2_63 : ((pow2 63%Z) = 9223372036854775808%Z). Axiom Div_mult_inst : forall (x:Z) (z:Z), (0%Z < x)%Z -> ((int.EuclideanDivision.div ((x * 1%Z)%Z + z)%Z x) = (1%Z + (int.EuclideanDivision.div z x))%Z). Axiom Div_double : forall (x:Z) (y:Z), ((0%Z < y)%Z /\ ((y <= x)%Z /\ (x < (2%Z * y)%Z)%Z)) -> ((int.EuclideanDivision.div x y) = 1%Z). Axiom Div_pow : forall (x:Z) (i:Z), (0%Z < i)%Z -> (((pow2 (i - 1%Z)%Z) <= x)%Z /\ (x < (pow2 i))%Z) -> ((int.EuclideanDivision.div x (pow2 (i - 1%Z)%Z)) = 1%Z). Axiom Div_double_neg : forall (x:Z) (y:Z), ((((-2%Z)%Z * y)%Z <= x)%Z /\ ((x < (-y)%Z)%Z /\ ((-y)%Z < 0%Z)%Z)) -> ((int.EuclideanDivision.div x y) = (-2%Z)%Z). Axiom Div_pow2 : forall (x:Z) (i:Z), (0%Z < i)%Z -> (((-(pow2 i))%Z <= x)%Z /\ (x < (-(pow2 (i - 1%Z)%Z))%Z)%Z) -> ((int.EuclideanDivision.div x (pow2 (i - 1%Z)%Z)) = (-2%Z)%Z). Axiom Mod_pow2_gen : forall (x:Z) (i:Z) (k:Z), ((0%Z <= k)%Z /\ (k < i)%Z) -> ((int.EuclideanDivision.mod1 (int.EuclideanDivision.div (x + (pow2 i))%Z (pow2 k)) 2%Z) = (int.EuclideanDivision.mod1 (int.EuclideanDivision.div x (pow2 k)) 2%Z)). Parameter pow21: Z -> R. Axiom Power_01 : ((pow21 0%Z) = 1%R). Axiom Power_s1 : forall (n:Z), (0%Z <= n)%Z -> ((pow21 (n + 1%Z)%Z) = (2%R * (pow21 n))%R). Axiom Power_p : forall (n:Z), (n <= 0%Z)%Z -> ((pow21 (n - 1%Z)%Z) = ((05 / 10)%R * (pow21 n))%R). Axiom Power_s_all : forall (n:Z), ((pow21 (n + 1%Z)%Z) = (2%R * (pow21 n))%R). Axiom Power_p_all : forall (n:Z), ((pow21 (n - 1%Z)%Z) = ((05 / 10)%R * (pow21 n))%R). Axiom Power_1_2 : ((05 / 10)%R = (1%R / 2%R)%R). Axiom Power_11 : ((pow21 1%Z) = 2%R). Axiom Power_neg1 : ((pow21 (-1%Z)%Z) = (05 / 10)%R). Axiom Power_non_null_aux : forall (n:Z), (0%Z <= n)%Z -> ~ ((pow21 n) = 0%R). Axiom Power_neg_aux : forall (n:Z), (0%Z <= n)%Z -> ((pow21 (-n)%Z) = (1%R / (pow21 n))%R). Axiom Power_non_null : forall (n:Z), ~ ((pow21 n) = 0%R). Axiom Power_neg : forall (n:Z), ((pow21 (-n)%Z) = (1%R / (pow21 n))%R). Axiom Power_sum_aux : forall (m:Z) (n:Z), (0%Z <= m)%Z -> ((pow21 (n + m)%Z) = ((pow21 n) * (pow21 m))%R). Axiom Power_sum1 : forall (n:Z) (m:Z), ((pow21 (n + m)%Z) = ((pow21 n) * (pow21 m))%R). Axiom Pow2_int_real : forall (x:Z), (0%Z <= x)%Z -> ((pow21 x) = (BuiltIn.IZR (pow2 x))). Axiom size_positive : (1%Z < 32%Z)%Z. Axiom bv : Type. Parameter bv_WhyType : WhyType bv. Existing Instance bv_WhyType. Parameter nth: bv -> Z -> bool. Parameter bvzero: bv. Axiom Nth_zero : forall (n:Z), ((0%Z <= n)%Z /\ (n < 32%Z)%Z) -> ((nth bvzero n) = false). Parameter bvone: bv. Axiom Nth_one : forall (n:Z), ((0%Z <= n)%Z /\ (n < 32%Z)%Z) -> ((nth bvone n) = true). (* Why3 assumption *) Definition eq (v1:bv) (v2:bv) : Prop := forall (n:Z), ((0%Z <= n)%Z /\ (n < 32%Z)%Z) -> ((nth v1 n) = (nth v2 n)). Axiom extensionality : forall (v1:bv) (v2:bv), (eq v1 v2) -> (v1 = v2). Parameter bw_and: bv -> bv -> bv. Axiom Nth_bw_and : forall (v1:bv) (v2:bv) (n:Z), ((0%Z <= n)%Z /\ (n < 32%Z)%Z) -> ((nth (bw_and v1 v2) n) = (Init.Datatypes.andb (nth v1 n) (nth v2 n))). Parameter bw_or: bv -> bv -> bv. Axiom Nth_bw_or : forall (v1:bv) (v2:bv) (n:Z), ((0%Z <= n)%Z /\ (n < 32%Z)%Z) -> ((nth (bw_or v1 v2) n) = (Init.Datatypes.orb (nth v1 n) (nth v2 n))). Parameter bw_xor: bv -> bv -> bv. Axiom Nth_bw_xor : forall (v1:bv) (v2:bv) (n:Z), ((0%Z <= n)%Z /\ (n < 32%Z)%Z) -> ((nth (bw_xor v1 v2) n) = (Init.Datatypes.xorb (nth v1 n) (nth v2 n))). Axiom Nth_bw_xor_v1true : forall (v1:bv) (v2:bv) (n:Z), (((0%Z <= n)%Z /\ (n < 32%Z)%Z) /\ ((nth v1 n) = true)) -> ((nth (bw_xor v1 v2) n) = (Init.Datatypes.negb (nth v2 n))). Axiom Nth_bw_xor_v1false : forall (v1:bv) (v2:bv) (n:Z), (((0%Z <= n)%Z /\ (n < 32%Z)%Z) /\ ((nth v1 n) = false)) -> ((nth (bw_xor v1 v2) n) = (nth v2 n)). Axiom Nth_bw_xor_v2true : forall (v1:bv) (v2:bv) (n:Z), (((0%Z <= n)%Z /\ (n < 32%Z)%Z) /\ ((nth v2 n) = true)) -> ((nth (bw_xor v1 v2) n) = (Init.Datatypes.negb (nth v1 n))). Axiom Nth_bw_xor_v2false : forall (v1:bv) (v2:bv) (n:Z), (((0%Z <= n)%Z /\ (n < 32%Z)%Z) /\ ((nth v2 n) = false)) -> ((nth (bw_xor v1 v2) n) = (nth v1 n)). Parameter bw_not: bv -> bv. Axiom Nth_bw_not : forall (v:bv) (n:Z), ((0%Z <= n)%Z /\ (n < 32%Z)%Z) -> ((nth (bw_not v) n) = (Init.Datatypes.negb (nth v n))). Parameter lsr: bv -> Z -> bv. Axiom lsr_nth_low : forall (b:bv) (n:Z) (s:Z), (((0%Z <= n)%Z /\ (n < 32%Z)%Z) /\ (((0%Z <= s)%Z /\ (s < 32%Z)%Z) /\ ((n + s)%Z < 32%Z)%Z)) -> ((nth (lsr b s) n) = (nth b (n + s)%Z)). Axiom lsr_nth_high : forall (b:bv) (n:Z) (s:Z), (((0%Z <= n)%Z /\ (n < 32%Z)%Z) /\ (((0%Z <= s)%Z /\ (s < 32%Z)%Z) /\ (32%Z <= (n + s)%Z)%Z)) -> ((nth (lsr b s) n) = false). Parameter asr: bv -> Z -> bv. Axiom asr_nth_low : forall (b:bv) (n:Z) (s:Z), ((0%Z <= n)%Z /\ (n < 32%Z)%Z) -> (0%Z <= s)%Z -> ((n + s)%Z < 32%Z)%Z -> ((nth (asr b s) n) = (nth b (n + s)%Z)). Axiom asr_nth_high : forall (b:bv) (n:Z) (s:Z), ((0%Z <= n)%Z /\ (n < 32%Z)%Z) -> (0%Z <= s)%Z -> (32%Z <= (n + s)%Z)%Z -> ((nth (asr b s) n) = (nth b (32%Z - 1%Z)%Z)). Parameter lsl: bv -> Z -> bv. Axiom lsl_nth_high : forall (b:bv) (n:Z) (s:Z), ((0%Z <= n)%Z /\ (n < 32%Z)%Z) -> (0%Z <= s)%Z -> (0%Z <= (n - s)%Z)%Z -> ((nth (lsl b s) n) = (nth b (n - s)%Z)). Axiom lsl_nth_low : forall (b:bv) (n:Z) (s:Z), ((0%Z <= n)%Z /\ (n < 32%Z)%Z) -> (0%Z <= s)%Z -> ((n - s)%Z < 0%Z)%Z -> ((nth (lsl b s) n) = false). Parameter to_nat_sub: bv -> Z -> Z -> Z. Axiom to_nat_sub_zero : forall (b:bv) (j:Z) (i:Z), ((0%Z <= i)%Z /\ ((i <= j)%Z /\ (j < 32%Z)%Z)) -> ((nth b j) = false) -> ((to_nat_sub b j i) = (to_nat_sub b (j - 1%Z)%Z i)). Axiom to_nat_sub_one : forall (b:bv) (j:Z) (i:Z), ((0%Z <= i)%Z /\ ((i <= j)%Z /\ (j < 32%Z)%Z)) -> ((nth b j) = true) -> ((to_nat_sub b j i) = ((pow2 (j - i)%Z) + (to_nat_sub b (j - 1%Z)%Z i))%Z). Axiom to_nat_sub_high : forall (b:bv) (j:Z) (i:Z), (j < i)%Z -> ((to_nat_sub b j i) = 0%Z). Axiom to_nat_of_zero2 : forall (b:bv) (i:Z) (j:Z), ((j < 32%Z)%Z /\ ((i <= j)%Z /\ (0%Z <= i)%Z)) -> (forall (k:Z), ((k <= j)%Z /\ (i < k)%Z) -> ((nth b k) = false)) -> ((to_nat_sub b j 0%Z) = (to_nat_sub b i 0%Z)). Axiom to_nat_of_zero : forall (b:bv) (j:Z) (i:Z), ((j < 32%Z)%Z /\ (0%Z <= i)%Z) -> (forall (k:Z), ((k <= j)%Z /\ (i <= k)%Z) -> ((nth b k) = false)) -> ((to_nat_sub b j i) = 0%Z). Axiom to_nat_of_one : forall (b:bv) (i:Z) (j:Z), ((j < 32%Z)%Z /\ ((i <= j)%Z /\ (0%Z <= i)%Z)) -> (forall (k:Z), ((k <= j)%Z /\ (i <= k)%Z) -> ((nth b k) = true)) -> ((to_nat_sub b j i) = ((pow2 ((j - i)%Z + 1%Z)%Z) - 1%Z)%Z). Axiom to_nat_sub_footprint : forall (b1:bv) (b2:bv) (j:Z) (i:Z), ((j < 32%Z)%Z /\ (0%Z <= i)%Z) -> (forall (k:Z), ((i <= k)%Z /\ (k <= j)%Z) -> ((nth b1 k) = (nth b2 k))) -> ((to_nat_sub b1 j i) = (to_nat_sub b2 j i)). Parameter from_int: Z -> bv. Axiom nth_from_int_high_even : forall (n:Z) (i:Z), (((i < 32%Z)%Z /\ (0%Z <= i)%Z) /\ ((int.EuclideanDivision.mod1 (int.EuclideanDivision.div n (pow2 i)) 2%Z) = 0%Z)) -> ((nth (from_int n) i) = false). Axiom nth_from_int_high_odd : forall (n:Z) (i:Z), (((i < 32%Z)%Z /\ (0%Z <= i)%Z) /\ ~ ((int.EuclideanDivision.mod1 (int.EuclideanDivision.div n (pow2 i)) 2%Z) = 0%Z)) -> ((nth (from_int n) i) = true). Axiom nth_from_int_low_even : forall (n:Z), ((int.EuclideanDivision.mod1 n 2%Z) = 0%Z) -> ((nth (from_int n) 0%Z) = false). Axiom nth_from_int_low_odd : forall (n:Z), ~ ((int.EuclideanDivision.mod1 n 2%Z) = 0%Z) -> ((nth (from_int n) 0%Z) = true). Axiom nth_from_int_0 : forall (i:Z), ((i < 32%Z)%Z /\ (0%Z <= i)%Z) -> ((nth (from_int 0%Z) i) = false). Parameter from_int2c: Z -> bv. Axiom nth_sign_positive : forall (n:Z), (0%Z <= n)%Z -> ((nth (from_int2c n) (32%Z - 1%Z)%Z) = false). Axiom nth_sign_negative : forall (n:Z), (n < 0%Z)%Z -> ((nth (from_int2c n) (32%Z - 1%Z)%Z) = true). Axiom nth_from_int2c_high_even : forall (n:Z) (i:Z), (((i < (32%Z - 1%Z)%Z)%Z /\ (0%Z <= i)%Z) /\ ((int.EuclideanDivision.mod1 (int.EuclideanDivision.div n (pow2 i)) 2%Z) = 0%Z)) -> ((nth (from_int2c n) i) = false). Axiom nth_from_int2c_high_odd : forall (n:Z) (i:Z), (((i < (32%Z - 1%Z)%Z)%Z /\ (0%Z <= i)%Z) /\ ~ ((int.EuclideanDivision.mod1 (int.EuclideanDivision.div n (pow2 i)) 2%Z) = 0%Z)) -> ((nth (from_int2c n) i) = true). Axiom nth_from_int2c_low_even : forall (n:Z), ((int.EuclideanDivision.mod1 n 2%Z) = 0%Z) -> ((nth (from_int2c n) 0%Z) = false). Axiom nth_from_int2c_low_odd : forall (n:Z), ~ ((int.EuclideanDivision.mod1 n 2%Z) = 0%Z) -> ((nth (from_int2c n) 0%Z) = true). Axiom nth_from_int2c_0 : forall (i:Z), ((i < 32%Z)%Z /\ (0%Z <= i)%Z) -> ((nth (from_int2c 0%Z) i) = false). Axiom nth_from_int2c_plus_pow2 : forall (x:Z) (k:Z) (i:Z), (((0%Z <= k)%Z /\ (k < i)%Z) /\ (k < (32%Z - 1%Z)%Z)%Z) -> ((nth (from_int2c (x + (pow2 i))%Z) k) = (nth (from_int2c x) k)). Axiom size_positive1 : (1%Z < 64%Z)%Z. Axiom bv1 : Type. Parameter bv1_WhyType : WhyType bv1. Existing Instance bv1_WhyType. Parameter nth1: bv1 -> Z -> bool. Parameter bvzero1: bv1. Axiom Nth_zero1 : forall (n:Z), ((0%Z <= n)%Z /\ (n < 64%Z)%Z) -> ((nth1 bvzero1 n) = false). Parameter bvone1: bv1. Axiom Nth_one1 : forall (n:Z), ((0%Z <= n)%Z /\ (n < 64%Z)%Z) -> ((nth1 bvone1 n) = true). (* Why3 assumption *) Definition eq1 (v1:bv1) (v2:bv1) : Prop := forall (n:Z), ((0%Z <= n)%Z /\ (n < 64%Z)%Z) -> ((nth1 v1 n) = (nth1 v2 n)). Axiom extensionality1 : forall (v1:bv1) (v2:bv1), (eq1 v1 v2) -> (v1 = v2). Parameter bw_and1: bv1 -> bv1 -> bv1. Axiom Nth_bw_and1 : forall (v1:bv1) (v2:bv1) (n:Z), ((0%Z <= n)%Z /\ (n < 64%Z)%Z) -> ((nth1 (bw_and1 v1 v2) n) = (Init.Datatypes.andb (nth1 v1 n) (nth1 v2 n))). Parameter bw_or1: bv1 -> bv1 -> bv1. Axiom Nth_bw_or1 : forall (v1:bv1) (v2:bv1) (n:Z), ((0%Z <= n)%Z /\ (n < 64%Z)%Z) -> ((nth1 (bw_or1 v1 v2) n) = (Init.Datatypes.orb (nth1 v1 n) (nth1 v2 n))). Parameter bw_xor1: bv1 -> bv1 -> bv1. Axiom Nth_bw_xor1 : forall (v1:bv1) (v2:bv1) (n:Z), ((0%Z <= n)%Z /\ (n < 64%Z)%Z) -> ((nth1 (bw_xor1 v1 v2) n) = (Init.Datatypes.xorb (nth1 v1 n) (nth1 v2 n))). Axiom Nth_bw_xor_v1true1 : forall (v1:bv1) (v2:bv1) (n:Z), (((0%Z <= n)%Z /\ (n < 64%Z)%Z) /\ ((nth1 v1 n) = true)) -> ((nth1 (bw_xor1 v1 v2) n) = (Init.Datatypes.negb (nth1 v2 n))). Axiom Nth_bw_xor_v1false1 : forall (v1:bv1) (v2:bv1) (n:Z), (((0%Z <= n)%Z /\ (n < 64%Z)%Z) /\ ((nth1 v1 n) = false)) -> ((nth1 (bw_xor1 v1 v2) n) = (nth1 v2 n)). Axiom Nth_bw_xor_v2true1 : forall (v1:bv1) (v2:bv1) (n:Z), (((0%Z <= n)%Z /\ (n < 64%Z)%Z) /\ ((nth1 v2 n) = true)) -> ((nth1 (bw_xor1 v1 v2) n) = (Init.Datatypes.negb (nth1 v1 n))). Axiom Nth_bw_xor_v2false1 : forall (v1:bv1) (v2:bv1) (n:Z), (((0%Z <= n)%Z /\ (n < 64%Z)%Z) /\ ((nth1 v2 n) = false)) -> ((nth1 (bw_xor1 v1 v2) n) = (nth1 v1 n)). Parameter bw_not1: bv1 -> bv1. Axiom Nth_bw_not1 : forall (v:bv1) (n:Z), ((0%Z <= n)%Z /\ (n < 64%Z)%Z) -> ((nth1 (bw_not1 v) n) = (Init.Datatypes.negb (nth1 v n))). Parameter lsr1: bv1 -> Z -> bv1. Axiom lsr_nth_low1 : forall (b:bv1) (n:Z) (s:Z), (((0%Z <= n)%Z /\ (n < 64%Z)%Z) /\ (((0%Z <= s)%Z /\ (s < 64%Z)%Z) /\ ((n + s)%Z < 64%Z)%Z)) -> ((nth1 (lsr1 b s) n) = (nth1 b (n + s)%Z)). Axiom lsr_nth_high1 : forall (b:bv1) (n:Z) (s:Z), (((0%Z <= n)%Z /\ (n < 64%Z)%Z) /\ (((0%Z <= s)%Z /\ (s < 64%Z)%Z) /\ (64%Z <= (n + s)%Z)%Z)) -> ((nth1 (lsr1 b s) n) = false). Parameter asr1: bv1 -> Z -> bv1. Axiom asr_nth_low1 : forall (b:bv1) (n:Z) (s:Z), ((0%Z <= n)%Z /\ (n < 64%Z)%Z) -> (0%Z <= s)%Z -> ((n + s)%Z < 64%Z)%Z -> ((nth1 (asr1 b s) n) = (nth1 b (n + s)%Z)). Axiom asr_nth_high1 : forall (b:bv1) (n:Z) (s:Z), ((0%Z <= n)%Z /\ (n < 64%Z)%Z) -> (0%Z <= s)%Z -> (64%Z <= (n + s)%Z)%Z -> ((nth1 (asr1 b s) n) = (nth1 b (64%Z - 1%Z)%Z)). Parameter lsl1: bv1 -> Z -> bv1. Axiom lsl_nth_high1 : forall (b:bv1) (n:Z) (s:Z), ((0%Z <= n)%Z /\ (n < 64%Z)%Z) -> (0%Z <= s)%Z -> (0%Z <= (n - s)%Z)%Z -> ((nth1 (lsl1 b s) n) = (nth1 b (n - s)%Z)). Axiom lsl_nth_low1 : forall (b:bv1) (n:Z) (s:Z), ((0%Z <= n)%Z /\ (n < 64%Z)%Z) -> (0%Z <= s)%Z -> ((n - s)%Z < 0%Z)%Z -> ((nth1 (lsl1 b s) n) = false). Parameter to_nat_sub1: bv1 -> Z -> Z -> Z. Axiom to_nat_sub_zero1 : forall (b:bv1) (j:Z) (i:Z), ((0%Z <= i)%Z /\ ((i <= j)%Z /\ (j < 64%Z)%Z)) -> ((nth1 b j) = false) -> ((to_nat_sub1 b j i) = (to_nat_sub1 b (j - 1%Z)%Z i)). Axiom to_nat_sub_one1 : forall (b:bv1) (j:Z) (i:Z), ((0%Z <= i)%Z /\ ((i <= j)%Z /\ (j < 64%Z)%Z)) -> ((nth1 b j) = true) -> ((to_nat_sub1 b j i) = ((pow2 (j - i)%Z) + (to_nat_sub1 b (j - 1%Z)%Z i))%Z). Axiom to_nat_sub_high1 : forall (b:bv1) (j:Z) (i:Z), (j < i)%Z -> ((to_nat_sub1 b j i) = 0%Z). Axiom to_nat_of_zero21 : forall (b:bv1) (i:Z) (j:Z), ((j < 64%Z)%Z /\ ((i <= j)%Z /\ (0%Z <= i)%Z)) -> (forall (k:Z), ((k <= j)%Z /\ (i < k)%Z) -> ((nth1 b k) = false)) -> ((to_nat_sub1 b j 0%Z) = (to_nat_sub1 b i 0%Z)). Axiom to_nat_of_zero1 : forall (b:bv1) (j:Z) (i:Z), ((j < 64%Z)%Z /\ (0%Z <= i)%Z) -> (forall (k:Z), ((k <= j)%Z /\ (i <= k)%Z) -> ((nth1 b k) = false)) -> ((to_nat_sub1 b j i) = 0%Z). Axiom to_nat_of_one1 : forall (b:bv1) (i:Z) (j:Z), ((j < 64%Z)%Z /\ ((i <= j)%Z /\ (0%Z <= i)%Z)) -> (forall (k:Z), ((k <= j)%Z /\ (i <= k)%Z) -> ((nth1 b k) = true)) -> ((to_nat_sub1 b j i) = ((pow2 ((j - i)%Z + 1%Z)%Z) - 1%Z)%Z). Axiom to_nat_sub_footprint1 : forall (b1:bv1) (b2:bv1) (j:Z) (i:Z), ((j < 64%Z)%Z /\ (0%Z <= i)%Z) -> (forall (k:Z), ((i <= k)%Z /\ (k <= j)%Z) -> ((nth1 b1 k) = (nth1 b2 k))) -> ((to_nat_sub1 b1 j i) = (to_nat_sub1 b2 j i)). Parameter from_int1: Z -> bv1. Axiom nth_from_int_high_even1 : forall (n:Z) (i:Z), (((i < 64%Z)%Z /\ (0%Z <= i)%Z) /\ ((int.EuclideanDivision.mod1 (int.EuclideanDivision.div n (pow2 i)) 2%Z) = 0%Z)) -> ((nth1 (from_int1 n) i) = false). Axiom nth_from_int_high_odd1 : forall (n:Z) (i:Z), (((i < 64%Z)%Z /\ (0%Z <= i)%Z) /\ ~ ((int.EuclideanDivision.mod1 (int.EuclideanDivision.div n (pow2 i)) 2%Z) = 0%Z)) -> ((nth1 (from_int1 n) i) = true). Axiom nth_from_int_low_even1 : forall (n:Z), ((int.EuclideanDivision.mod1 n 2%Z) = 0%Z) -> ((nth1 (from_int1 n) 0%Z) = false). Axiom nth_from_int_low_odd1 : forall (n:Z), ~ ((int.EuclideanDivision.mod1 n 2%Z) = 0%Z) -> ((nth1 (from_int1 n) 0%Z) = true). Axiom nth_from_int_01 : forall (i:Z), ((i < 64%Z)%Z /\ (0%Z <= i)%Z) -> ((nth1 (from_int1 0%Z) i) = false). Parameter from_int2c1: Z -> bv1. Axiom nth_sign_positive1 : forall (n:Z), (0%Z <= n)%Z -> ((nth1 (from_int2c1 n) (64%Z - 1%Z)%Z) = false). Axiom nth_sign_negative1 : forall (n:Z), (n < 0%Z)%Z -> ((nth1 (from_int2c1 n) (64%Z - 1%Z)%Z) = true). Axiom nth_from_int2c_high_even1 : forall (n:Z) (i:Z), (((i < (64%Z - 1%Z)%Z)%Z /\ (0%Z <= i)%Z) /\ ((int.EuclideanDivision.mod1 (int.EuclideanDivision.div n (pow2 i)) 2%Z) = 0%Z)) -> ((nth1 (from_int2c1 n) i) = false). Axiom nth_from_int2c_high_odd1 : forall (n:Z) (i:Z), (((i < (64%Z - 1%Z)%Z)%Z /\ (0%Z <= i)%Z) /\ ~ ((int.EuclideanDivision.mod1 (int.EuclideanDivision.div n (pow2 i)) 2%Z) = 0%Z)) -> ((nth1 (from_int2c1 n) i) = true). Axiom nth_from_int2c_low_even1 : forall (n:Z), ((int.EuclideanDivision.mod1 n 2%Z) = 0%Z) -> ((nth1 (from_int2c1 n) 0%Z) = false). Axiom nth_from_int2c_low_odd1 : forall (n:Z), ~ ((int.EuclideanDivision.mod1 n 2%Z) = 0%Z) -> ((nth1 (from_int2c1 n) 0%Z) = true). Axiom nth_from_int2c_01 : forall (i:Z), ((i < 64%Z)%Z /\ (0%Z <= i)%Z) -> ((nth1 (from_int2c1 0%Z) i) = false). Axiom nth_from_int2c_plus_pow21 : forall (x:Z) (k:Z) (i:Z), (((0%Z <= k)%Z /\ (k < i)%Z) /\ (k < (64%Z - 1%Z)%Z)%Z) -> ((nth1 (from_int2c1 (x + (pow2 i))%Z) k) = (nth1 (from_int2c1 x) k)). Parameter concat: bv -> bv -> bv1. Axiom concat_low : forall (b1:bv) (b2:bv), forall (i:Z), ((0%Z <= i)%Z /\ (i < 32%Z)%Z) -> ((nth1 (concat b1 b2) i) = (nth b2 i)). Axiom concat_high : forall (b1:bv) (b2:bv), forall (i:Z), ((32%Z <= i)%Z /\ (i < 64%Z)%Z) -> ((nth1 (concat b1 b2) i) = (nth b1 (i - 32%Z)%Z)). Parameter double_of_bv64: bv1 -> R. Parameter sign_value: bool -> R. Axiom sign_value_false : ((sign_value false) = 1%R). Axiom sign_value_true : ((sign_value true) = (-1%R)%R). Axiom zero : forall (b:bv1), (((to_nat_sub1 b 62%Z 52%Z) = 0%Z) /\ ((to_nat_sub1 b 51%Z 0%Z) = 0%Z)) -> ((double_of_bv64 b) = 0%R). Axiom sign_of_double_positive : forall (b:bv1), ((nth1 b 63%Z) = false) -> (0%R <= (double_of_bv64 b))%R. Axiom sign_of_double_negative : forall (b:bv1), ((nth1 b 63%Z) = true) -> ((double_of_bv64 b) <= 0%R)%R. Axiom double_of_bv64_value : forall (b:bv1), ((0%Z < (to_nat_sub1 b 62%Z 52%Z))%Z /\ ((to_nat_sub1 b 62%Z 52%Z) < 2047%Z)%Z) -> ((double_of_bv64 b) = (((sign_value (nth1 b 63%Z)) * (pow21 ((to_nat_sub1 b 62%Z 52%Z) - 1023%Z)%Z))%R * (1%R + ((BuiltIn.IZR (to_nat_sub1 b 51%Z 0%Z)) * (pow21 (-52%Z)%Z))%R)%R)%R). Axiom nth_j1 : forall (i:Z), ((0%Z <= i)%Z /\ (i <= 19%Z)%Z) -> ((nth (from_int 1127219200%Z) i) = false). Axiom nth_j2 : forall (i:Z), ((20%Z <= i)%Z /\ (i <= 21%Z)%Z) -> ((nth (from_int 1127219200%Z) i) = true). Axiom nth_j3 : forall (i:Z), ((22%Z <= i)%Z /\ (i <= 23%Z)%Z) -> ((nth (from_int 1127219200%Z) i) = false). Axiom nth_j4 : forall (i:Z), ((24%Z <= i)%Z /\ (i <= 25%Z)%Z) -> ((nth (from_int 1127219200%Z) i) = true). Axiom nth_j5 : forall (i:Z), ((26%Z <= i)%Z /\ (i <= 29%Z)%Z) -> ((nth (from_int 1127219200%Z) i) = false). Axiom nth_j6 : ((nth (from_int 1127219200%Z) 30%Z) = true). Axiom nth_j7 : ((nth (from_int 1127219200%Z) 31%Z) = false). Axiom jp0_30 : forall (i:Z), ((0%Z <= i)%Z /\ (i < 30%Z)%Z) -> ((nth (from_int 2147483648%Z) i) = false). Axiom nth_const1 : forall (i:Z), ((0%Z <= i)%Z /\ (i <= 30%Z)%Z) -> ((nth1 (concat (from_int 1127219200%Z) (from_int 2147483648%Z)) i) = false). Axiom nth_const2 : ((nth1 (concat (from_int 1127219200%Z) (from_int 2147483648%Z)) 31%Z) = true). Axiom nth_const3 : forall (i:Z), ((32%Z <= i)%Z /\ (i <= 51%Z)%Z) -> ((nth1 (concat (from_int 1127219200%Z) (from_int 2147483648%Z)) i) = false). Axiom nth_const4 : forall (i:Z), ((52%Z <= i)%Z /\ (i <= 53%Z)%Z) -> ((nth1 (concat (from_int 1127219200%Z) (from_int 2147483648%Z)) i) = true). Axiom nth_const5 : forall (i:Z), ((54%Z <= i)%Z /\ (i <= 55%Z)%Z) -> ((nth1 (concat (from_int 1127219200%Z) (from_int 2147483648%Z)) i) = false). Axiom nth_const6 : forall (i:Z), ((56%Z <= i)%Z /\ (i <= 57%Z)%Z) -> ((nth1 (concat (from_int 1127219200%Z) (from_int 2147483648%Z)) i) = true). Axiom nth_const7 : forall (i:Z), ((58%Z <= i)%Z /\ (i <= 61%Z)%Z) -> ((nth1 (concat (from_int 1127219200%Z) (from_int 2147483648%Z)) i) = false). Axiom nth_const8 : ((nth1 (concat (from_int 1127219200%Z) (from_int 2147483648%Z)) 62%Z) = true). Axiom nth_const9 : ((nth1 (concat (from_int 1127219200%Z) (from_int 2147483648%Z)) 63%Z) = false). Axiom sign_const : ((nth1 (concat (from_int 1127219200%Z) (from_int 2147483648%Z)) 63%Z) = false). Axiom exp_const : ((to_nat_sub1 (concat (from_int 1127219200%Z) (from_int 2147483648%Z)) 62%Z 52%Z) = 1075%Z). Axiom to_nat_mantissa_1 : ((to_nat_sub1 (concat (from_int 1127219200%Z) (from_int 2147483648%Z)) 30%Z 0%Z) = 0%Z). Axiom mantissa_const_nth2 : forall (i:Z), ((32%Z <= i)%Z /\ (i <= 51%Z)%Z) -> ((nth1 (concat (from_int 1127219200%Z) (from_int 2147483648%Z)) i) = false). Axiom mantissa_const_to_nat51 : ((to_nat_sub1 (concat (from_int 1127219200%Z) (from_int 2147483648%Z)) 51%Z 0%Z) = (to_nat_sub1 (concat (from_int 1127219200%Z) (from_int 2147483648%Z)) 31%Z 0%Z)). Axiom mantissa_const : ((to_nat_sub1 (concat (from_int 1127219200%Z) (from_int 2147483648%Z)) 51%Z 0%Z) = (pow2 31%Z)). Axiom real1075m1023 : ((BuiltIn.IZR (1075%Z - 1023%Z)%Z) = 52%R). Axiom real1075m1023_2 : ((1075%R - 1023%R)%R = 52%R). Axiom real52_a_m52 : ((((pow21 (1075%Z - 1023%Z)%Z) * (pow21 31%Z))%R * (pow21 (-52%Z)%Z))%R = (pow21 31%Z)). Axiom const_value0 : ((double_of_bv64 (concat (from_int 1127219200%Z) (from_int 2147483648%Z))) = ((1%R * (pow21 (1075%Z - 1023%Z)%Z))%R * (1%R + ((pow21 31%Z) * (pow21 (-52%Z)%Z))%R)%R)%R). Axiom const_value : ((double_of_bv64 (concat (from_int 1127219200%Z) (from_int 2147483648%Z))) = ((pow21 52%Z) + (pow21 31%Z))%R). (* Why3 assumption *) Definition jpxor (i:Z) : bv := bw_xor (from_int 2147483648%Z) (from_int2c i). (* Why3 assumption *) Definition var (i:Z) : bv1 := concat (from_int 1127219200%Z) (jpxor i). (* Why3 assumption *) Definition var_as_double (x:Z) : R := double_of_bv64 (var x). (* Why3 assumption *) Definition is_int32 (x:Z) : Prop := ((-(pow2 31%Z))%Z <= x)%Z /\ (x < (pow2 31%Z))%Z. Axiom nth_0_30 : forall (x:Z), forall (i:Z), ((is_int32 x) /\ ((0%Z <= i)%Z /\ (i <= 30%Z)%Z)) -> ((nth (bw_xor (from_int 2147483648%Z) (from_int2c x)) i) = (nth (from_int2c x) i)). Axiom nth_jpxor_0_30 : forall (x:Z), forall (i:Z), ((is_int32 x) /\ ((0%Z <= i)%Z /\ (i <= 30%Z)%Z)) -> ((nth (jpxor x) i) = (nth (from_int2c x) i)). Axiom nth_var31 : forall (x:Z), ((nth (jpxor x) 31%Z) = (Init.Datatypes.negb (nth (from_int2c x) 31%Z))). Axiom to_nat_sub_0_30 : forall (x:Z), (is_int32 x) -> ((to_nat_sub (bw_xor (from_int 2147483648%Z) (from_int2c x)) 30%Z 0%Z) = (to_nat_sub (from_int2c x) 30%Z 0%Z)). Axiom jpxorx_pos : forall (x:Z), (0%Z <= x)%Z -> ((nth (bw_xor (from_int 2147483648%Z) (from_int2c x)) 31%Z) = true). Open Scope Z_scope. (* Why3 goal *) Theorem from_int2c_to_nat_sub_pos : forall (i:Z), ((0%Z <= i)%Z /\ (i <= 31%Z)%Z) -> forall (x:Z), ((0%Z <= x)%Z /\ (x < (pow2 i))%Z) -> ((to_nat_sub (from_int2c x) (i - 1%Z)%Z 0%Z) = x). (* Why3 intros i (h1,h2) x (h3,h4). *) intros i (h1 & h2). generalize h1 h2. pattern i. apply Z_lt_induction; auto. clear i h1 h2. intros i Hind Hi_pos Hi j Hj. assert (h:(i=0 \/ 0 < i)) by omega. destruct h. (* case i = 0 *) rewrite to_nat_sub_high. subst i; simpl in Hj. rewrite pow2_0 in Hj. omega. omega. (* case i > 0 *) assert (h:(0 <= j < pow2 (i-1) \/ pow2 (i-1) <= j < pow2 i)) by omega. destruct h. (* sub-case j < 2^(i-1) *) rewrite to_nat_sub_zero; auto with zarith. apply nth_from_int2c_high_even; split; auto with zarith. rewrite EuclideanDivision.Div_inf; auto. (* sub-case 2^(i-1) <= j < 2^i *) rewrite to_nat_sub_one; auto with zarith. rewrite to_nat_sub_footprint with (b2 := (from_int2c (j - pow2 (i-1)))); auto with zarith. rewrite Hind; auto with zarith. replace (i-1-0) with (i-1); omega. assert (pow2 ((i-1)+1) = 2 * pow2 (i-1)). rewrite (Power_s (i-1)); omega. replace (i-1+1) with i in H1; omega. intros k Hk. replace j with (j - pow2 (i - 1) + pow2 (i - 1)) by omega. replace (j - pow2 (i - 1) + pow2 (i - 1) - pow2 (i - 1)) with (j - pow2 (i - 1)) by omega. apply nth_from_int2c_plus_pow2. omega. rewrite nth_from_int2c_high_odd;auto. split. split;auto with zarith. rewrite Div_pow; auto with zarith. rewrite EuclideanDivision.Mod_1_left;omega. Qed. why3-1.6.0/examples/bitvectors/double_of_int/why3session.xml000066400000000000000000000436611440160026300242500ustar00rootroot00000000000000 why3-1.6.0/examples/bitvectors/double_of_int/why3shapes.gz000066400000000000000000000060141440160026300236570ustar00rootroot00000000000000ZKo7W趻 XEr,#/*qX%;5֌$-C&b=ꙿuqc~ݯ/7/^.dz]~uciGEnGեCxy}yRnfڹpʲ74r`#u%;ِ _yUm4UhYp멻Nq>sq^FnJ؈ܟӡ]8Ǫow.m1͍PհRNH݆sV55L̬&^u{}K(\|o.ߖcͶ1x@F u`Vֿ|_{sg嫛|QXo^s_N>zrLjn^n`b-SS_+"ؠ;?l]`>~ fz'.g.盍[$>$[}}Pޔwqifmh͹B}(Gse~ӚTM(]מ|/j[; ۵&_Uk]]^A߯-QuTįpѺvrj^ l.Q%$pd.%dJ%mzl/\f?NϿM.VV|hw뷶z> Tڻ`-^NFmVmt/>|܊`[Wg"I  %[1 HYH:im]m_}{+y፣89<6oo^o//ܟ|zQS0mHiƊm.eygV.i>ϝb:qFJ:m/`fM#Uz@aɛ=1$Nq[e> :nSot,gD0Br]6:۶ԳnjH[Nc{` D>)r H J"dZo +GUd!t:kH]@ߒJ04-<4.@pR#Ի`7>n4{SOېO(!j)7`Iށz#K&xt+|!JΩRcעA*8NXkpba%:i4q=pB-BF;e܅Z?2Ͻ(3$ d#ӈ8~$vL<أ}F4OˇHgq5Ckв%OwxjGX(Ѡy4[gC:TFy$D7D㰨bS !̽x72'G H^,v(kj1"$=RqkY(i1 _'A5mKeG Cvu@~2A+"PT*cU{G1V=FZGFü!!sE ;(F3$}Kag8R\y#:ǂlq-e$@})Rf_rvuIU$)Ȝ { b3 0H%む"#ahjK`O#|-Њ¾G|JS9Iz܋Pǜo=!"-}JChH6Z͎Tqe/>L\0p2\w^7Y3-Xad .k-24{g > fPa ?"[80Q$ +`dX@~^#(ql,Ax7chC0D R̳7}v-"'zwh>(8.c(z2jhkK":5:lh ƟA]cL J1u6_f%P-!Ql66I0gЅOZ H%w==F#PsEZ1UR5cah[JK}44KxMpϩbabNH..ӨGhL!Z "A%]DL$t z` η+q'9Ih'BĀhY1^XDYvTwۃ$c-S*?vu6Ae4'!Mkhh'Obf)BW x3be:/HFs嚫3sqK۰Z;Ir)SΕOD `,wOfQ:\"jOBhs'ś/QBΊqS. xbMg& \w1|i e6sQ ĀzQ{*{NFQBΨl8 f(ԗKeJ̒inz&j_됳ӺK|#_ɣ'.feq`8g7gN0ԉk    (P?:cBy:v7*=Ƣ=8 U[o ms eX_\F)(F ldjRdhM␡6G݈KZj0ͼ(E$LtFpѵW,q%ձHňpFP7$AG Ji0I\"hjAt 6_raqmbq~JYh+ V:w+?ASK{"|}ɟ{:SC-j%^Y5b8ؗaJuAVh$Z)%Bbq%bhE7H-$cbSz`s1b!}a6YKsgN5bi?*Q]lZJ7why3-1.6.0/examples/bitvectors/neg_as_xor.why000066400000000000000000000022221440160026300212610ustar00rootroot00000000000000 theory TestNegAsXOR use int.Int use bool.Bool use real.RealInfix use bitvector.BV64 use double.BV_double function j : bv = from_int 0x8000000000000000 lemma Nth_j: forall i:int. 0 <= i <= 62 -> nth j i = False lemma sign_of_j: sign(j) = True lemma mantissa_of_j: mantissa(j) = 0 lemma exp_of_j: exp(j) = 0 lemma int_of_bv: double_of_bv64(j) = 0.0 lemma MainResultBits : forall x:bv. forall i:int. 0 <= i < 63 -> nth (bw_xor x j) i = nth x i lemma MainResultSign : forall x:bv. nth (bw_xor x j) 63 = notb (nth x 63) lemma Sign_of_xor_j : forall x:bv. sign(bw_xor x j) = notb (sign x) lemma Exp_of_xor_j : forall x:bv. exp(bw_xor x j) = exp(x) lemma Mantissa_of_xor_j : forall x:bv. mantissa(bw_xor x j) = mantissa(x) lemma MainResultZero : forall x:bv. 0 = exp(x) /\ mantissa(x) = 0 -> double_of_bv64 (bw_xor x j) = -. double_of_bv64 x lemma sign_neg: forall x:bv. sign_value(notb(sign(x))) = -.sign_value(sign(x)) lemma MainResult : forall x:bv. 0 < exp(x) < 2047 -> double_of_bv64 (bw_xor x j) = -. double_of_bv64 x end (* Local Variables: compile-command: "why3 ide -L . neg_as_xor.why" End: *) why3-1.6.0/examples/bitvectors/neg_as_xor/000077500000000000000000000000001440160026300205325ustar00rootroot00000000000000why3-1.6.0/examples/bitvectors/neg_as_xor/why3session.xml000066400000000000000000000074551440160026300235650ustar00rootroot00000000000000 why3-1.6.0/examples/bitvectors/neg_as_xor/why3shapes.gz000066400000000000000000000011011440160026300231630ustar00rootroot00000000000000}OOA 9HE=VeU^) ߾ސ@=h9ϷY>b}}G_$ܟ 6vLPS<  ڪg|s&__w/6/+g{Cպc i}77S wqm}jOK^|9Ѹϵ+8j]5yu7Av8MqT8>O^ՃdԹA]jz "+Dz-))Y-[YHU[O0sf$:k![cDN/Atq AU*[MEZBq`Aڡ(u@`:FUGn]i5ܰ09 ;٤Q4_GWh %Ɣ H tjޟ*&j@fߠKD5 pa9*| %5P 9N<>A(R̓A+ tAUԣ):8@Ь)j?泦Lwhy3-1.6.0/examples/bitvectors/power2.why000066400000000000000000000117571440160026300203700ustar00rootroot00000000000000theory Pow2int use int.Int function pow2 (i:int) : int axiom Power_0 : pow2 0 = 1 axiom Power_s : forall n: int. n >= 0 -> pow2 (n+1) = 2 * pow2 n lemma Power_1 : pow2 1 = 2 lemma Power_sum : forall n m: int. n >= 0 /\ m >= 0 -> pow2 (n+m) = pow2 n * pow2 m lemma pow2pos: forall i:int. i >= 0 -> pow2 i > 0 lemma pow2_0: pow2 0 = 1 lemma pow2_1: pow2 1 = 2 lemma pow2_2: pow2 2 = 4 lemma pow2_3: pow2 3 = 8 lemma pow2_4: pow2 4 = 16 lemma pow2_5: pow2 5 = 32 lemma pow2_6: pow2 6 = 64 lemma pow2_7: pow2 7 = 128 lemma pow2_8: pow2 8 = 256 lemma pow2_9: pow2 9 = 512 lemma pow2_10: pow2 10 = 1024 lemma pow2_11: pow2 11 = 2048 lemma pow2_12: pow2 12 = 4096 lemma pow2_13: pow2 13 = 8192 lemma pow2_14: pow2 14 = 16384 lemma pow2_15: pow2 15 = 32768 lemma pow2_16: pow2 16 = 65536 lemma pow2_17: pow2 17 = 131072 lemma pow2_18: pow2 18 = 262144 lemma pow2_19: pow2 19 = 524288 lemma pow2_20: pow2 20 = 1048576 lemma pow2_21: pow2 21 = 2097152 lemma pow2_22: pow2 22 = 4194304 lemma pow2_23: pow2 23 = 8388608 lemma pow2_24: pow2 24 = 16777216 lemma pow2_25: pow2 25 = 33554432 lemma pow2_26: pow2 26 = 67108864 lemma pow2_27: pow2 27 = 134217728 lemma pow2_28: pow2 28 = 268435456 lemma pow2_29: pow2 29 = 536870912 lemma pow2_30: pow2 30 = 1073741824 lemma pow2_31: pow2 31 = 2147483648 lemma pow2_32: pow2 32 = 4294967296 lemma pow2_33: pow2 33 = 8589934592 lemma pow2_34: pow2 34 = 17179869184 lemma pow2_35: pow2 35 = 34359738368 lemma pow2_36: pow2 36 = 68719476736 lemma pow2_37: pow2 37 = 137438953472 lemma pow2_38: pow2 38 = 274877906944 lemma pow2_39: pow2 39 = 549755813888 lemma pow2_40: pow2 40 = 1099511627776 lemma pow2_41: pow2 41 = 2199023255552 lemma pow2_42: pow2 42 = 4398046511104 lemma pow2_43: pow2 43 = 8796093022208 lemma pow2_44: pow2 44 = 17592186044416 lemma pow2_45: pow2 45 = 35184372088832 lemma pow2_46: pow2 46 = 70368744177664 lemma pow2_47: pow2 47 = 140737488355328 lemma pow2_48: pow2 48 = 281474976710656 lemma pow2_49: pow2 49 = 562949953421312 lemma pow2_50: pow2 50 = 1125899906842624 lemma pow2_51: pow2 51 = 2251799813685248 lemma pow2_52: pow2 52 = 4503599627370496 lemma pow2_53: pow2 53 = 9007199254740992 lemma pow2_54: pow2 54 = 18014398509481984 lemma pow2_55: pow2 55 = 36028797018963968 lemma pow2_56: pow2 56 = 72057594037927936 lemma pow2_57: pow2 57 = 144115188075855872 lemma pow2_58: pow2 58 = 288230376151711744 lemma pow2_59: pow2 59 = 576460752303423488 lemma pow2_60: pow2 60 = 1152921504606846976 lemma pow2_61: pow2 61 = 2305843009213693952 lemma pow2_62: pow2 62 = 4611686018427387904 lemma pow2_63: pow2 63 = 9223372036854775808 use int.EuclideanDivision lemma Div_mult_inst: forall x z:int. x > 0 -> div (x * 1 + z) x = 1 + div z x lemma Div_double: forall x y:int. 0 < y <= x < 2*y -> div x y = 1 lemma Div_pow: forall x i:int. i > 0 -> pow2 (i-1) <= x < pow2 i -> div x (pow2 (i-1)) = 1 lemma Div_double_neg: forall x y:int. -2*y <= x < -y < 0 -> div x y = -2 lemma Div_pow2: forall x i:int. i > 0 -> -pow2 i <= x < -pow2 (i-1) -> div x (pow2 (i-1)) = -2 (* lemma Mod_pow2: forall x i:int. mod (x + pow2 i) 2 = mod x 2 *) lemma Mod_pow2_gen: forall x i k :int. 0 <= k < i -> mod (div (x + pow2 i) (pow2 k)) 2 = mod (div x (pow2 k)) 2 end theory Pow2real use int.Int use real.RealInfix function pow2 (i:int) : real axiom Power_0 : pow2 0 = 1.0 axiom Power_s : forall n: int. n >= 0 -> pow2 (n+1) = 2.0 *. pow2 n axiom Power_p : forall n: int. n <= 0 -> pow2 (n-1) = 0.5 *. pow2 n lemma Power_s_all : forall n:int. pow2 (n+1) = 2.0 *. pow2 n lemma Power_p_all : forall n:int. pow2 (n-1) = 0.5 *. pow2 n lemma Power_1_2: 0.5 = 1.0 /. 2.0 lemma Power_1 : pow2 1 = 2.0 lemma Power_neg1 : pow2 (-1) = 0.5 lemma Power_non_null_aux: forall n:int.n>=0 -> pow2 n <> 0.0 lemma Power_neg_aux : forall n:int. n>=0 -> pow2 (-n) = 1.0 /. pow2 n lemma Power_non_null: forall n:int. pow2 n <> 0.0 lemma Power_neg : forall n:int. pow2 (-n) = 1.0 /. pow2 n lemma Power_sum_aux : forall m n. m >= 0 -> pow2 (n+m) = pow2 n *. pow2 m lemma Power_sum : forall n m: int. pow2 (n+m) = pow2 n *. pow2 m use Pow2int as P2I use real.FromInt lemma Pow2_int_real: forall x:int. x >= 0 -> pow2 x = from_int (P2I.pow2 x) end why3-1.6.0/examples/bitvectors/power2/000077500000000000000000000000001440160026300176245ustar00rootroot00000000000000why3-1.6.0/examples/bitvectors/power2/why3session.xml000066400000000000000000000735271440160026300226620ustar00rootroot00000000000000 why3-1.6.0/examples/bitvectors/power2/why3shapes.gz000066400000000000000000000102711440160026300222650ustar00rootroot00000000000000\[E~.lJJI0}׉t6,ff̿OuR6vw]ꤔ~Xsg# >Ylqz5.oFG?# hF:O-=m]N]O|=GjN ˁ) q$H|i/0+]L\2_U.8> +"k_գh{Ϗ)ͭr)oLyr!\o/ju9~r]CWx=#}Q>AvwCĆݓ '*{2B%$V9S&HCDI91N X@:'&И 3␵:='T{V K'^!ɘ E5M;%؅ '@ɢdhbS=[B TNVhBs;^ \>Zj'?TrZ Vug(Vrg$t,A8$0WW- 4Ua rYkba  Dt^^-UI|aags'Of08Ɨrg)\  ZOPsG0[x(& ?f%#'SXΪl'xt)<2jJp[e$ #jk XbjRO0 '-svDgI>Ņi COѡ[6Ő̒O1ba e8PSl$IŔ0FJ=ŋ3^p>< KAS,,a;]\Wz(q]AʿA-+&ߍ+7F^˕/JLQOSPBBQPUqrPo' u\| Rc;wQƀaq8jTbr;|^tWVװglr9~\O,o\y3"~{~&/Or7-|((^ovOt%.3 >ߣ,/H.˸N+ F ܍n`-cȿdgFF.ח7b09W.|ADvԋWb WToqhN N+_^B/'QF3JǢ@!Z>="܌C9(7߾3s7n#. }qE?~o~:)HHvD䠗\B/ƀ/ /"H^e|E }'ѣ=PUhzъ"@Uf5cyOIz)teϞpomb V'4 ^ ,J}TEc>7کLSOӨ̝?v"hk&R͵TdfPzRODh5 \^}9Ti4(KEXa'D?TzBIP~ʵX5학'e m@_ w{C%S25ξ'ذʩS{4j{BTǼ&l%n@##W@`v>az%63`G+Oڋe,pkD[oc i6@m뱼pG"NzٸLY,΂]xi>^&iyÆZ&/sHnsT/&p g阻ntW al6ɴ5tʎղ< +м!Rro-&7;h˛1%fKa`2堺'Pq S_?P36đ $ i <)݁%6M AN ZNH`d'n2gENfUhJ4ѰCK$`tO]kz'Iy;SXa(cSm4ѳ" ăJq_hSkNPզOl#VnԢUeXY -`ř m&Ym!E6:Me}^ynBC(beԖ2fwf6f~$t7%VPlg)f=)RgM56EY\6ܑsLü]*F~@ABch?{D -- HYS$idwn4>t`ċő4}uz@"GQZ2%Y){EOSfQh@+b~ƭ{FGQ*2֊$=Ddgd1K!IÄAKdER ag%@ǂ%H@{sNJU qAoxv= .՜ pe*0{ďtThq$s-`ܚsB̌b˶!RuZC jBj?nnNUZіU",b7#^̨mP1)SPVmKZC 4Q++esTOEGZez0R.{^q;Q' Eu2R43I  (oTԿrASSJu_;,O62x^?AX{Y`di5>F<'%}EG[zOļ6xJ[ՎJ=%m=%q𧬠c%=wK-2jUס৮ uf^A:O_\i5 1+&GcjTd[<}n}2lZ~z^Wb ۑ:lf:'sهsRٷEF*XK [R;Vn}pZOe QV;>4} hex[CT< X #]f+DR%WHRV>sB icDJ 4Э />^p7Bz{bMi XV_r?CA汓->}F;Hw\^KMūL.juBi}#XVGU1 xoe$ >찖E3eށU/by)3n"dDy~PDXm>hY![l5u~bu8͑9U0Q8nC3+,Ҍ;ߩn0Y1!g j-W[Qn&Zb7f{;TXd3C۸zl>R2Y9l:3!XX+HJy2E_eċ&>=j:ER}osSYW3MvԴ;^ < F-| H(#k:c5El3 :'n|H ;{.L:v$ *&K.p4/?9)woM~{O70F{5})7Mw+ȋAa,Be)1xpMs kۈq;2]6'_ >\N)c!RDk9籓!>\B%;Iwhy3-1.6.0/examples/bitwalker.mlw000066400000000000000000000303121440160026300167260ustar00rootroot00000000000000module Bitwalker use int.Int use int.EuclideanDivision use array.Array use ref.Ref (* use bv.BV32 *) (* use bv.BV8 *) (* use bv.BV64 *) use mach.bv.BVCheck8 as BV8 use mach.bv.BVCheck32 as BV32 use mach.bv.BVCheck64 as BV64 use bv.BVConverter_32_64 as C32_64 use bv.BVConverter_8_32 as C8_32 (* file missing in repository use mach.bv.BV *) function nth8_stream (stream : array BV8.t) (pos : int) : bool = BV8.nth stream[div pos 8] (7 - mod pos 8) lemma nth64: forall value:BV64.t, i:int. 0 <= i < 64 -> BV64.nth value i = BV64.nth_bv value (C32_64.toBig (BV32.of_int i)) lemma nth8: forall value:BV8.t, i:int. 0 <= i < 8 -> BV8.nth value i = BV8.nth_bv value (C8_32.toSmall (BV32.of_int i)) (* *) let function maxvalue (len : BV32.t) : BV64.t = BV64.lsl_bv (1:BV64.t) (C32_64.toBig len) let lemma nth_ultpre0 (x:BV64.t) (len:BV32.t) requires { BV32.t'int len < 64} ensures { BV64.eq_sub x BV64.zeros (BV32.t'int len) (64 - BV32.t'int len) <-> BV64.t'int x < BV64.t'int (maxvalue len) } = assert { BV32.ult len (64:BV32.t) }; assert { BV64.eq_sub_bv x BV64.zeros (C32_64.toBig len) (BV64.sub (64:BV64.t) (C32_64.toBig len)) <-> BV64.ult x (maxvalue len) } (** return `value` with the bit of index `left` from the left set to `flag` *) let poke_64bit_bv (value : BV64.t) (left : BV32.t) (flag : bool) : BV64.t requires { BV32.t'int left < 64 } ensures { forall i. 0 <= i < 64 /\ i <> 63 - BV32.t'int left -> BV64.nth result i = BV64.nth value i } ensures { flag = BV64.nth result (63 - BV32.t'int left) } = assert { BV32.ult left (64:BV32.t) }; begin ensures { forall i:BV32.t. i <> BV32.sub (63:BV32.t) left -> BV64.nth_bv result (C32_64.toBig i) = BV64.nth_bv value (C32_64.toBig i) } ensures { flag = BV64.nth_bv result (C32_64.toBig (BV32.sub (63:BV32.t) left)) } let mask = BV64.lsl_bv (1:BV64.t) (C32_64.toBig (BV32.u_sub (63:BV32.t) left)) in match flag with | True -> BV64.bw_or value mask | False -> BV64.bw_and value (BV64.bw_not mask) end end (** return `value` with the bit of index `left` from the left set to `flag` *) (* version where `left` is an int and not a bitvector, which is closer to the result of the SPARK translation from signed integers *) let poke_64bit (value : BV64.t) (left : int) (flag : bool) : BV64.t requires { 0 <= left < 64 } ensures { forall i. 0 <= i < 64 /\ i <> 63 - left -> BV64.nth result i = BV64.nth value i } ensures { flag = BV64.nth result (63 - left) } = let ghost left_bv = BV64.of_int left in assert { BV64.ult left_bv (64:BV64.t) }; assert { (BV64.sub (63:BV64.t) left_bv) = BV64.of_int (63 - left) }; begin ensures { forall i:BV64.t. BV64.ule i (63:BV64.t) -> i <> BV64.sub (63:BV64.t) left_bv -> BV64.nth_bv result i = BV64.nth_bv value i } ensures { flag = BV64.nth_bv result (BV64.sub (63:BV64.t) left_bv) } let mask = BV64.lsl_bv (1:BV64.t) (BV64.of_int (63 - left)) in match flag with | True -> BV64.bw_or value mask | False -> BV64.bw_and value (BV64.bw_not mask) end end (* return the bit of `byte` at position `left` starting from the left *) let peek_8bit_bv (byte : BV8.t) (left : BV32.t) : bool requires { 0 <= BV32.t'int left < 8 } ensures { result = BV8.nth byte (7 - BV32.t'int left) } = assert {BV32.ult left (8:BV32.t)}; begin ensures { result = BV8.nth_bv byte (BV8.sub (7:BV8.t) (C8_32.toSmall left))} let mask = BV32.lsl_bv (1:BV32.t) (BV32.u_sub (7:BV32.t) left) in not (BV32.eq (BV32.bw_and (C8_32.toBig byte) mask) BV32.zeros) end (* return the bit of the `left`/8 element of `addr` at position mod `left` 8 starting from the left *) let peek_8bit_array (addr : array BV8.t) (left : BV32.t) : bool requires { 8 * (length addr) < BV32.two_power_size } requires { BV32.t'int left < 8 * length addr } ensures { result = nth8_stream addr (BV32.t'int left) } = peek_8bit_bv (addr[ BV32.to_uint (BV32.u_div left (8:BV32.t)) ]) (BV32.u_rem left (8:BV32.t)) (* return a bitvector of 64 bits with its `len` bits of the right set to the bits between `start` and `start+len` of `addr` *) let peek (start : BV32.t) (len : BV32.t) (addr : array BV8.t) : BV64.t requires { BV32.t'int len <= 64 } requires { BV32.t'int start + BV32.t'int len < BV32.two_power_size } requires { 8 * length addr < BV32.two_power_size } ensures { BV32.t'int start + BV32.t'int len > (8 * length addr) -> result = BV64.zeros } ensures { BV32.t'int start + BV32.t'int len <= (8 * length addr) -> (forall i:int. 0 <= i < BV32.t'int len -> BV64.nth result i = nth8_stream addr (BV32.t'int start + BV32.t'int len - i - 1)) /\ (forall i:int. BV32.t'int len <= i < 64 -> BV64.nth result i = False) } = if (BV32.to_uint (BV32.u_add start len) > ( 8 *length addr )) then BV64.zeros else let retval = ref BV64.zeros in let i = ref BV32.zeros in let lstart = BV32.u_sub (64:BV32.t) len in while BV32.ult !i len do variant{ BV32.t'int len - BV32.t'int !i } invariant {0 <= BV32.t'int !i <= BV32.t'int len} invariant {forall j:int. BV32.t'int len - BV32.t'int !i <= j < BV32.t'int len -> BV64.nth !retval j = nth8_stream addr (BV32.t'int start + BV32.t'int len - j - 1)} invariant {forall j:int. 0 <= j < BV32.t'int len - BV32.t'int !i -> BV64.nth !retval j = False} invariant {forall j:int. BV32.t'int len <= j < 64 -> BV64.nth !retval j = False} let flag = peek_8bit_array addr (BV32.u_add start !i) in retval := poke_64bit_bv !retval (BV32.u_add lstart !i) flag; i := BV32.u_add !i (1:BV32.t); done; !retval let peek_64bit (value : BV64.t) (left : BV32.t) : bool requires {BV32.t'int left < 64} ensures {result = BV64.nth value (63 - BV32.t'int left)} = assert {BV32.ult left (64:BV32.t)}; begin ensures {result = BV64.nth_bv value (BV64.sub (63:BV64.t) (C32_64.toBig left))} let mask = BV64.lsl_bv (1:BV64.t) (C32_64.toBig (BV32.u_sub (63:BV32.t) left)) in not (BV64.eq (BV64.bw_and value mask) BV64.zeros) end (* static inline uint8_t PokeBit8(uint8_t byte, uint32_t left, int flag) { uint8_t mask = ((uint8_t) 1) << (7u - left); return (flag == 0) ? (byte & ~mask) : (byte | mask); } *) (* return `byte` with the bit at index `left` from the left set to `flag` *) let poke_8bit (byte : BV8.t) (left : BV32.t) (flag : bool) : BV8.t requires { BV32.t'int left < 8 } ensures { forall i:int. 0 <= i < 8 -> i <> 7 - BV32.t'int left -> BV8.nth result i = BV8.nth byte i } ensures { BV8.nth result (7 - BV32.t'int left) = flag } = assert { BV32.ult left (8:BV32.t) }; begin ensures { forall i:BV32.t. BV32.ult i (8:BV32.t) -> i <> BV32.sub (7:BV32.t) left -> BV8.nth_bv result (C8_32.toSmall i) = BV8.nth_bv byte (C8_32.toSmall i) } ensures { BV8.nth_bv result (BV8.sub (7:BV8.t) (C8_32.toSmall left)) = flag } let mask = BV8.lsl_bv (1:BV8.t) (BV8.u_sub (7:BV8.t) (C8_32.toSmall left)) in match flag with | True -> BV8.bw_or byte mask | False -> BV8.bw_and byte (BV8.bw_not mask) end end let poke_8bit_array (addr : array BV8.t) (left : BV32.t) (flag : bool) requires { 8 * (length addr) < BV32.two_power_size } requires { BV32.t'int left < 8 * length addr } writes { addr } ensures { forall i:int. 0 <= i < 8 * length addr -> i <> BV32.t'int left -> nth8_stream addr i = nth8_stream (old addr) i} ensures { nth8_stream addr (BV32.t'int left) = flag } = let i = BV32.u_div left (8:BV32.t) in let k = BV32.u_rem left (8:BV32.t) in addr[BV32.to_uint i] <- poke_8bit addr[BV32.to_uint i] k flag let poke (start : BV32.t) (len : BV32.t) (addr : array BV8.t) (value : BV64.t) : int writes { addr } requires{ BV32.t'int len < 64 } (* could be lower or equal if maxvalue and the condition to return -2 is corrected *) requires{ BV32.t'int start + BV32.t'int len < BV32.two_power_size } requires{ 8 * length addr < BV32.two_power_size } ensures { -2 <= result <= 0 } ensures { result = -1 <-> BV32.t'int start + BV32.t'int len > 8 * length addr } ensures { result = -2 <-> BV64.t'int (maxvalue len) <= BV64.t'int value /\ BV32.t'int start + BV32.t'int len <= 8 * length addr } ensures { result = 0 <-> BV64.t'int (maxvalue len) > BV64.t'int value /\ BV32.t'int start + BV32.t'int len <= 8 * length addr } ensures { result = 0 -> (forall i:int. 0 <= i < BV32.t'int start -> nth8_stream (old addr) i = nth8_stream addr i) /\ (forall i:int. BV32.t'int start <= i < BV32.t'int start + BV32.t'int len -> nth8_stream addr i = BV64.nth value (BV32.t'int len - i - 1 + BV32.t'int start)) /\ (forall i:int. BV32.t'int start + BV32.t'int len <= i < 8 * length addr -> nth8_stream addr i = nth8_stream (old addr) i) } = if BV32.to_uint (BV32.u_add start len) > 8 * length addr then -1 (*error: invalid_bit_sequence*) else if BV64.uge value (maxvalue len) (* should be len <> 64 && _..._ *) then -2 (*error: value_too_big*) else let lstart = BV32.u_sub (64:BV32.t) len in let i = ref BV32.zeros in while BV32.ult !i len do variant { BV32.t'int len - BV32.t'int !i } invariant {0 <= BV32.t'int !i <= BV32.t'int len} invariant {forall j:int. 0 <= j < BV32.t'int start -> nth8_stream (old addr) j = nth8_stream addr j} invariant {forall j:int. BV32.t'int start <= j < BV32.t'int start + BV32.t'int !i -> nth8_stream addr j = BV64.nth value (BV32.t'int len - j - 1 + BV32.t'int start) } invariant {forall j:int. BV32.t'int start + BV32.t'int !i <= j < 8 * length addr -> nth8_stream addr j = nth8_stream (old addr) j } let flag = peek_64bit value (BV32.u_add lstart !i) in poke_8bit_array addr (BV32.u_add start !i) flag; assert {nth8_stream addr (BV32.t'int start + BV32.t'int !i) = BV64.nth value ((BV32.t'int len - BV32.t'int !i - 1))}; assert { forall k. BV32.t'int start <= k < BV32.t'int start + BV32.t'int !i -> k <> BV32.t'int start + BV32.t'int !i && 0 <= k < 8 * length addr && nth8_stream addr k = BV64.nth value (BV32.t'int start + BV32.t'int len - k - 1)}; i := BV32.u_add !i (1:BV32.t); done; 0 let peekthenpoke (start len : BV32.t) (addr : array BV8.t) requires {8 * length addr < BV32.two_power_size} requires {0 <= BV32.t'int len < 64} requires {BV32.t'int start + BV32.t'int len <= 8 * length addr} ensures {result = 0} ensures {forall i. 0 <= i < 8 * length addr -> nth8_stream addr i = nth8_stream (old addr) i} = let value = peek start len addr in let res = poke start len addr value in assert {res = 0}; assert {forall i. BV32.t'int start <= i < BV32.t'int start + BV32.t'int len -> nth8_stream addr i = nth8_stream (old addr) i}; res let pokethenpeek (start len : BV32.t) (addr : array BV8.t) (value : BV64.t) writes {addr} requires {8 * length addr < BV32.two_power_size} requires {0 <= BV32.t'int len < 64} requires {BV32.t'int start + BV32.t'int len <= 8 * length addr} requires {BV64.t'int value < BV64.t'int (maxvalue len)} ensures {result = value} = assert { forall i:int. BV32.t'int len <= i < 64 -> BV64.nth value i = False }; let poke_result = poke start len addr value in assert { poke_result = 0 }; let peek_result = peek start len addr in assert { BV64.(==) peek_result value }; peek_result end why3-1.6.0/examples/bitwalker/000077500000000000000000000000001440160026300162065ustar00rootroot00000000000000why3-1.6.0/examples/bitwalker/why3session.xml000066400000000000000000000547431440160026300212430ustar00rootroot00000000000000 why3-1.6.0/examples/bitwalker/why3shapes.gz000066400000000000000000000217211440160026300206510ustar00rootroot00000000000000}[o8{x^e@ )RFelgHI!;N_ K/;}?S}ǁh'灸s?]}; ػ~PCݿ>x[~}S2m Q+K_q{oпp}tͧN ?A:\ݟY\hP_y*j/'m{w?=<箾%eכHDVr}5V>G{q37Ww=]Uk&YPَ*W.ndճ#tY:O7uoqr} 鞹L҅/w| %~F=Pzm˃@/ۑ$~GLG9x]H EBqmDsCgMD^ɏ5ͱ^~g46[Ed?B=vLe$׋ #E n5Ha2+H){5bLO=L d ̻_7[|-~R_ݡ [܇>/ !_SuFoۺuXG; *ZLi#UqY?,j@.ӿ9$99oXtGzZ~AY>fn)7mekkx' ʐPQ4Eٓ*c;!_Gނ-VȐ&2Vhx^[- A++n3 O&o4ĥnFe6zm(yY3EfFڴ\hS!=K>*y眜t90=4ѮYGpoog;e Fh2] 6;a}jBCWZz$Г^0"+߯~:{O  q˯PowO_o>^Os4ka FR7T1Ⰳ4$]}ٹ%~3S !~ dt{w󄰌,ȍ~?ߍ/e$w PoCO'wx5`T/ynQfAʓzf΅bV/KQJ#]l.nBR% m=۔h1 6+qlnfH  `WX,[0/NE7AS~ɨ\Bϱ͍oɸAh헱\u|}ҟ _)ˬ Vb-1PP[(I?,.T8?.ڂlmAnyj `I}yyvqvTk;jzn_gN\fg/܂4{kŤ &(5A} 898I_x@|&,Gme^2/?Ƽل6j=smlu$`lsbN鏡A z`z =q3(lņ=gböذ[a66^l΋Lpu6\!p2> 2 CtPAGϱ`!YiE iiGhV4^&#ebe2rV%=5BqLɵ 5#Y9}G.QH6-$ڸoeCp ؀1H`0~\ٓ-Fj"KD`D`;t9prȡˁC:t9rrCC[<9df [ .o`7>_!w|OilZpmډ qt"#q.Y&9/<]y$39Lɢ/%z[I$Ï\"~"$3&>MpEܺQ%9Dk#c!Dw7H#.ǔn rn[6 7a`8V `>4E -2VVsDvG-X-[[#}ᅍ{˭;*eRQB Hot0 46to`ý f[-JoC+}|׮Ƥ6m m晋b/hdu+BDgˇ0*x">OH:'sOOH:'SU';]Xcݏnٱ%K g?k lX=[*][y9hxr҄w=Q>V+2<,rz+>@2d1;ߦuԥ/\8W'<T9kDD!KGGQ6`tx k./TBb,OؿR DfR殮?ArʤWy m- ip!]TU2<|>Yਘ?_ӽt8m{6kSZNh&JcM@*\!*iezmWtv1rйݿШ:y&geiI1ށ p]>@ڷL:Iv.<-ne&p+{׋۩aIoO{Ǩ|Lrᓜi64 䡄Y/lc2aB+U K٥eEZ-ȵUg?.ޑ<6,u++xZ8?\/l˚I3dտ\~}Q/”˖EH$KW-Sn|oT"y*b'OG.6Ep-+rnvR5l0ךI?wmIٓPIOсXJt 'с좃RD[_)Şv|;׽o+YE{͆,b$SOZyB@|^Ez 773囓_$G.r}6]2I&c&cLLƞLFxul)b mҋPS3df./K bs6;ԈEsV% 6A&hChtTYSt|;Fۋv<#33!mmwvth6nbD]Y5ZxNnl n|(5rp{h3O@<'\BZ ˖Oai[S Zޞ"Xo2 tVFYyVF,ʈY1[feҬʈ٬x2?$>[o )g1K%tK{9l!K8gDMDm1ԙI%NmLt *KrɇΧ^'&xwLa!>q N\n`>-(vc9CNr!%}?NJ`)Qo>W/;(E} UJY5(E1}"xL)rYB< 1݆W6< OL-6<1ۆ'6<1ۆ7O".l}Gc5bL(gkbQi),4[}G!vfU3c ,*~-}1F]ZL P#tAɥ/&_7Msv2bc d]RI"O?x0qd1?A1-gߢmAoM4"CHA)hd Svu 0&L9݄)l”K0l+̛0l{ 4z\:\e `},#I߇}5Y51 XfKE1e 2l[oe9XOYf|{U+A",Խʒg2w0Cה!KzWh+kڷ\啍O㕥Wز{>5.+|+ͦ|(rY+N }Oq&'-C3ɶ#OP:AC鞓?ﶜy '8>56cOnI=Tim%V8߲ݚ~[@ޞhDD- !$ $ H`:#M%Y8O~Ĺ$䳘5mP*a`:70*٥'Ӛ}I$h,Mb-Obm /)Ꜹ~4nIc$'g&qXI.TO=/^xGf{$}0){d|՜hjnO.cPNt˗^DҠwiUZ&}c:z߀ը_7HV`N7KLF5F=mӣy-> aKvF6‡>lkvdULq ӄ&8J =]J解X穝5jў8X#P4###<ҭx-H}x||xc؜ +g#60YtW]ڭ3\p3q4ȘՐOcαIGd[Zlkw[ֱʧseMgK['`KgOBjtj'|=O%(d[SI֦lJWJ~7#UYw/C3\ 3Aؙl1]x]=+SLsq༩˪tO/ӼiqAN>Md,MMV716:zCeT6Eҭb5zKIV U U U|C^ dp2y Id?YѾjq'b:infVVԛ:9]7-Nƅ)-N֦ѵwR?C,.( i6Ӵ4#6`nu δuM:ӣGg_0#A倏c~#VG!GN}JbDCe'2惫v|ҁr54De*i JT iqrÈע/jmkͨΞ\0HA$'16h"JrLm9+-5whWq i2D !uj[%)R(bUGAV*pH- R{N9%UME_U( ڧ+*m!)#AXъE#>u r#C#4*c$r4Dscy! sag'![rz% SafsS)g5 .֑TXwaf3h d}T"TiƨV(QCx+ Z}LDޔsv=)GrR $Aʤ5U;ny_T$ن(lڬO(碈DxcwjVWD"ztY΢FVZǝ&窨Da+@R"Ԏ6V)EAؚ@bNGd̀i}%"WׄT@) ؚe+,.8,h*`\ (AQV`턨" <v2P4!54-I(_nŤ8 (~ KikD@61SY 0(*I2҃z9c,'ȪZ ՁZm2YtS1RPHM*mXSG}/JT1ZBF x }a:h'0tǥۈ3;p1R!SE;LDP.LJZ@bpN事vb뢪8tHNAY>=W <L38גU;UwU8 VTXضpľ"t7e D*Iಮ:c`ކE,yM|1F07g Kyp%(m2? $AXqsz*aڤp#H*\m`ĺ赇MCs],P+Ml.Ll¤@na S{^TVPx^(Dxڣ \8Ƴ.U+s~Duvip')A^9eɔ0V8쀐 Z! ?(%=7+K0``DP۵1Kў̀ Ո2SF[Z9s k"D@ [\w 1)1rru(OLFï5t1tdJ,ADQ,#O2x*DGpTz&,? KG"y zbh]T ޻&2ϥzRt 0W@*1 dh*[!h@#ۇ#WArKGBUC.uT" Q1[5(O*4^H&Dd06']Da_!%B/7ŋ:2U(lɌGMOD ibt< AxPB$O$i hWa0L@j(b4$4 7iHTM:)?0+% FjI\ E샘WIp>[ #`D:; - MU 0$M ^#0Ï>%}Xis5"+.\i$_ c!t9`r!BŜslI rcrb.0tTH9R(S#j].m]$0 l0%L.Ϟ8#6@' dMa8x@zՀz`\DQa0J9F0U,B $4)RDr >^xѾdXB Lq!i@O*pOXD (Qmgx_lEPBq)p/  !4<3Rs{¨9I@!J5#ȓϙ=S`\q&"<}/* )M k[LEE@~ e$ a}1EEAHI0zjFT-ھ BcX TDGW~kBkg+tNm] ݷިO 83Rj&?#!`ȏ;M >S1 why3-1.6.0/examples/braun_trees.mlw000066400000000000000000000153361440160026300172640ustar00rootroot00000000000000 (** Purely applicative heaps implemented with Braun trees. Braun trees are binary trees where, for each node, the left subtree has the same size of the right subtree or is one element larger (predicate [inv]). Consequently, a Braun tree has logarithmic height (lemma [inv_height]). The nice thing with Braun trees is that we do not need extra information to ensure logarithmic height. We also prove an algorithm from Okasaki to compute the size of a braun tree in time O(log^2(n)) (function [fast_size]). Author: Jean-Christophe Filliâtre (CNRS) *) module BraunHeaps use int.Int use bintree.Tree use export bintree.Size use export bintree.Occ type elt val predicate le elt elt clone relations.TotalPreOrder with type t = elt, predicate rel = le, axiom . (* [e] is no greater than the root of [t], if any *) let predicate le_root (e: elt) (t: tree elt) = match t with | Empty -> true | Node _ x _ -> le e x end predicate heap (t: tree elt) = match t with | Empty -> true | Node l x r -> le_root x l && heap l && le_root x r && heap r end function minimum (tree elt) : elt axiom minimum_def: forall l x r. minimum (Node l x r) = x predicate is_minimum (x: elt) (t: tree elt) = mem x t && forall e. mem e t -> le x e (* the root is the smallest element *) let rec lemma root_is_min (t: tree elt) : unit requires { heap t && 0 < size t } ensures { is_minimum (minimum t) t } variant { t } = let Node l _ r = t in if not is_empty l then root_is_min l; if not is_empty r then root_is_min r predicate inv (t: tree elt) = match t with | Empty -> true | Node l _ r -> (size l = size r || size l = size r + 1) && inv l && inv r end let constant empty : tree elt = Empty ensures { heap result } ensures { inv result } ensures { size result = 0 } ensures { forall e. not (mem e result) } let get_min (t: tree elt) : elt requires { heap t && 0 < size t } ensures { result = minimum t } = match t with | Empty -> absurd | Node _ x _ -> x end let rec add (x: elt) (t: tree elt) : tree elt requires { heap t } requires { inv t } variant { t } ensures { heap result } ensures { inv result } ensures { occ x result = occ x t + 1 } ensures { forall e. e <> x -> occ e result = occ e t } ensures { size result = size t + 1 } = match t with | Empty -> Node Empty x Empty | Node l y r -> if le x y then Node (add y r) x l else Node (add x r) y l end let rec extract (t: tree elt) : (elt, tree elt) requires { heap t } requires { inv t } requires { 0 < size t } variant { t } ensures { let e, t' = result in heap t' && inv t' && size t' = size t - 1 && occ e t' = occ e t - 1 && forall x. x <> e -> occ x t' = occ x t } = match t with | Empty -> absurd | Node Empty y r -> assert { r = Empty }; y, Empty | Node l y r -> let x, l = extract l in x, Node r y l end let rec replace_min (x: elt) (t: tree elt) : tree elt requires { heap t } requires { inv t } requires { 0 < size t } variant { t } ensures { heap result } ensures { inv result } ensures { if x = minimum t then occ x result = occ x t else occ x result = occ x t + 1 && occ (minimum t) result = occ (minimum t) t - 1 } ensures { forall e. e <> x -> e <> minimum t -> occ e result = occ e t } ensures { size result = size t } = match t with | Node l _ r -> if le_root x l && le_root x r then Node l x r else let lx = get_min l in if le_root lx r then (* lx <= x, rx necessarily *) Node (replace_min x l) lx r else (* rx <= x, lx necessarily *) Node l (get_min r) (replace_min x r) | Empty -> absurd end let rec merge (l r: tree elt) : tree elt requires { heap l && heap r } requires { inv l && inv r } requires { size r <= size l <= size r + 1 } ensures { heap result } ensures { inv result } ensures { forall e. occ e result = occ e l + occ e r } ensures { size result = size l + size r } variant { size l + size r } = match l, r with | _, Empty -> l | Node ll lx lr, Node _ ly _ -> if le lx ly then Node r lx (merge ll lr) else let x, l = extract l in Node (replace_min x r) ly l | Empty, _ -> absurd end let remove_min (t: tree elt) : tree elt requires { heap t } requires { inv t } requires { 0 < size t } ensures { heap result } ensures { inv result } ensures { occ (minimum t) result = occ (minimum t) t - 1 } ensures { forall e. e <> minimum t -> occ e result = occ e t } ensures { size result = size t - 1 } = match t with | Empty -> absurd | Node l _ r -> merge l r end (** The size of a Braun tree can be computed in time O(log^2(n)) from Three Algorithms on Braun Trees (Functional Pearl) Chris Okasaki J. Functional Programming 7 (6) 661–666, November 1997 *) use int.ComputerDivision let rec diff (m: int) (t: tree elt) : int requires { inv t } requires { 0 <= m <= size t <= m + 1 } variant { t } ensures { size t = m + result } = match t with | Empty -> 0 | Node l _ r -> if m = 0 then 1 else if mod m 2 = 1 then (* m = 2k + 1 *) diff (div m 2) l else (* m = 2k + 2 *) diff (div (m - 1) 2) r end let rec fast_size (t: tree elt) : int requires { inv t} variant { t } ensures { result = size t } = match t with | Empty -> 0 | Node l _ r -> let m = fast_size r in 1 + 2 * m + diff m l end (** A Braun tree has a logarithmic height *) use bintree.Height use int.Power let rec lemma size_height (t1 t2: tree elt) requires { inv t1 && inv t2 } variant { size t1 + size t2 } ensures { size t1 >= size t2 -> height t1 >= height t2 } = match t1, t2 with | Node l1 _ r1, Node l2 _ r2 -> size_height l1 l2; size_height r1 r2 | _ -> () end let rec lemma inv_height (t: tree elt) requires { inv t } variant { t } ensures { size t > 0 -> let h = height t in power 2 (h-1) <= size t < power 2 h } = match t with | Empty | Node Empty _ _ -> () | Node l _ r -> let h = height t in assert { height l = h-1 }; inv_height l; inv_height r end end why3-1.6.0/examples/braun_trees/000077500000000000000000000000001440160026300165335ustar00rootroot00000000000000why3-1.6.0/examples/braun_trees/why3session.xml000066400000000000000000000264331440160026300215630ustar00rootroot00000000000000 why3-1.6.0/examples/braun_trees/why3shapes.gz000066400000000000000000000120451440160026300211750ustar00rootroot00000000000000\[o7~0e` ݀ `XJr_Ū 3c{D,aȳy4B L_Xo>| cSʤ]7+L н#f<_|k8n^7Uvs Ak#ck d^!K1F^=qz su`Fg&,6RE%:O3h)wJTOIa8$Wѯ(̴c#}2}4=|mi.QMXy)08pr.CQ+ ug,yjC^vw?-q5&1Mf$yі['j'MAlzKJDZ. |2}KK6+UY:0uR[iScC)Q0 bj*.9FA1 6Qб* (AKC5LI-ԗ+͵Uc3wɁKLWh%y' iU<.#F(t;7;(hMŠ_`2DJ`MѵϷMzJ^R!4VVc^7~XRtvDr]K,Z2kLqIUɍb]Ge_дhi9uG9.~TM*9݇:p ws81?.feB| 6"XQ iZhWZV э_HI1D.QYJT&o?i&?B_.O;Wo2nZ4oIBR*G!eRBJAciDniqRԐRXӗ8n[DG-}us}SlN)ν{oa+xl%ZοО{]rt\L;l:QlʚV5Ўuz^JhZJ(؅7 X5 |w_QB:zI}Օ౲N3^ŋ>`ҽHL^A!3N=_LWЯ֑G_?5upq3&'2Q|-I , R2\xvuG_'*A2q=يibA|nϤ,O,̾:qRpTlkb=/_-VDƼ7 JNjŪZUkc3oW+O}:Tlaf_FG.,W<6f~񀹘-TYQhgUweFma #`X`X. 8lcnA_~=\P۴zwWxW5旕4ú\F;d{2n{YgTVddN2nnSN4Ul!fJRGVDwҼa'WMS)f߇_i[ap~HGŰ+HO1|T_9cI\*ajA0>^7 e|=x5|-X:B1`$YX'z|1]Eƾ: gxHC `u (9˅>%(%ReMGn0?tk4Ͽx#j^ëձux~{kQǽ-kƲ0kuZgG?6MPćk's&wbwlGwFAadMaJ2iI%4gfwu' KU؁K'pS08tGv nTťAbQ5x&N,A^L ʼn R 3jwԜhG  fL7BTub4Z-^S*4r?LӖ7<j􁆂)2Ĩs\d@VS#a d q1z2Pʦ3 X>2-Ґar*AXQUXca['3hdPҏ_o9eWnImH$*piRIB~ N'ŅMP- #@v&Ē Uv4QQA}PPCL8YpNr "BRP+aSX3A&)SA.T-Kʑ)=)P^UqNS'-Wr8ϩE rG/T/*8&ȓp1#Zj Bq^ < dAVQ4r'# PGOPQr&N,A fPpiinJ'3ea:Slґ682$7 ] S"!^In$ca ax+1=b KzEhIpùBZZ *%rB,9F4ɉqL fX p"A0<#)|ZG]Q& Sa0%g60 "p i= <&Bڂz5HTgDZbJr!,f[DbĊ S㫅^_y /B~&N.'ltK?Z%(*\ғf leOZ.E&}QJ #2Pr)J U<1MI3y(CPN<Кs-wuSdy W#Dºa4#26iKČ%02Z0V:- 4^R.̋?ÂXBDQ\yYFP@:l J!8rKFK \f(_;q x@dPOgpJ(KCŜJ&%DS8، G &R3ricEA F*dbze hM ȱrdbzipsNБ`B9:eRQ `]8`p2Jʁhbz)}xI( 4@BE&Z>kbEƢZ1Rpa8tpVL//d@?8RM! !,M&ҧ\ w>4ͳ,` 8J)b_q@63CwfebzШY@&3ƐѶ X* ߙU@n" P5e'lܙ%ǂ{H F;$_#r#Gc$>ӝYЮvf)Xȑj0F Tϙ%;cPdb##+S@`et<8Dp0ƀDpNA,[CAA  b"XBяJAW[xy{XB forall b': int. abs (a * b - c) <= abs (a * b' - c) let bresenham (x2 y2:int) requires { 0 <= y2 <= x2 } = let y = ref 0 in let e = ref (2 * y2 - x2) in for x = 0 to x2 do invariant { !e = 2 * (x + 1) * y2 - (2 * !y + 1) * x2 } invariant { 2 * (y2 - x2) <= !e <= 2 * y2 } (* here we would plot (x, y), so we assert this is the best possible row y for column x *) assert { best x2 y2 x !y }; if !e < 0 then e := !e + 2 * y2 else begin y := !y + 1; e := !e + 2 * (y2 - x2) end done end why3-1.6.0/examples/bresenham/000077500000000000000000000000001440160026300161665ustar00rootroot00000000000000why3-1.6.0/examples/bresenham/bresenham_M_closest_1.v000066400000000000000000000022531440160026300225530ustar00rootroot00000000000000(* This file is generated by Why3's Coq 8.4 driver *) (* Beware! Only edit allowed sections below *) Require Import BuiltIn. Require BuiltIn. Require int.Int. Require int.Abs. (* Why3 assumption *) Definition unit := unit. (* Why3 assumption *) Inductive ref (a:Type) {a_WT:WhyType a} := | mk_ref : a -> ref a. Axiom ref_WhyType : forall (a:Type) {a_WT:WhyType a}, WhyType (ref a). Existing Instance ref_WhyType. Implicit Arguments mk_ref [[a] [a_WT]]. (* Why3 assumption *) Definition contents {a:Type} {a_WT:WhyType a} (v:(@ref a a_WT)): a := match v with | (mk_ref x) => x end. Parameter x2: Z. Parameter y2: Z. Axiom first_octant : (0%Z <= y2)%Z /\ (y2 <= x2)%Z. (* Why3 assumption *) Definition best (x:Z) (y:Z): Prop := forall (y':Z), ((Zabs ((x2 * y)%Z - (x * y2)%Z)%Z) <= (Zabs ((x2 * y')%Z - (x * y2)%Z)%Z))%Z. (* The following short and nice proof is due to Laurent Théry *) Require Import Psatz. (* Why3 goal *) Theorem closest : forall (a:Z) (b:Z) (c:Z), ((Zabs (((2%Z * a)%Z * b)%Z - (2%Z * c)%Z)%Z) <= a)%Z -> forall (b':Z), ((Zabs ((a * b)%Z - c)%Z) <= (Zabs ((a * b')%Z - c)%Z))%Z. intros a b c H b'. assert (H1: b = b' \/ b <> b') by nia. nia. Qed. why3-1.6.0/examples/bresenham/why3session.xml000066400000000000000000000014411440160026300212060ustar00rootroot00000000000000 why3-1.6.0/examples/bresenham/why3shapes.gz000066400000000000000000000006131440160026300206260ustar00rootroot00000000000000}Mk0 mk)ز;Ah!P$`~f}|!3Q3ЂfVXia) f" *-vJ"=ZX%e inqICJdMUuG[05:U6f` ͠9܌Nr/P-nj@/hviwi@Taevъc'U1xz?5ߒ?y#MΠő3Ra, ogF}"'Wqb,FzW0 ?d1ucSį:Xe%}~-wF0 :j]<U(l kuۥm\3mswhy3-1.6.0/examples/bts/000077500000000000000000000000001440160026300150125ustar00rootroot00000000000000why3-1.6.0/examples/bts/101_eprover_eliminate_range_literal.mlw000066400000000000000000000006171440160026300245210ustar00rootroot00000000000000module A use int.Int use mach.int.Int63 let test (x:int63) : int63 requires { x < 100 } = x+1 end (* module A use int.Int use mach.int.Int63 val add (x y:int63) : int63 requires { int63'minInt <= int63'int x + int63'int y <= int63'maxInt } ensures { int63'int result = int63'int x + int63'int y } let test (x:int63) : int63 requires { int63'int x < 100 } = add x (1:int63) end *) why3-1.6.0/examples/bts/114_infix.mlw000066400000000000000000000001421440160026300172320ustar00rootroot00000000000000module Test use int.Int use seq.Seq goal f: create 32 (fun x -> x) == empty -> false end why3-1.6.0/examples/bts/114_infix/000077500000000000000000000000001440160026300165145ustar00rootroot00000000000000why3-1.6.0/examples/bts/114_infix/why3session.xml000066400000000000000000000007021440160026300215330ustar00rootroot00000000000000 why3-1.6.0/examples/bts/114_infix/why3shapes.gz000066400000000000000000000003041440160026300211510ustar00rootroot00000000000000m 0E,ɣ5 )ʤNࣶE7{g5r'S9ҩn0ʫXlpӑE^_\vT*Iqx鄓N/m"/FyZk rӞd J6 F)Z1,!̀H@> L61why3-1.6.0/examples/bts/116_array_access.mlw000066400000000000000000000003041440160026300205560ustar00rootroot00000000000000module Test use array.Array use mach.array.Array63 constant d: Array.array int val e: Array63.array int goal a: d[1] = 5 let f i = e[i] <- 5; e[i] goal c: d[3] = 5 end why3-1.6.0/examples/bts/116_array_access/000077500000000000000000000000001440160026300200405ustar00rootroot00000000000000why3-1.6.0/examples/bts/116_array_access/why3session.xml000066400000000000000000000006201440160026300230560ustar00rootroot00000000000000 why3-1.6.0/examples/bts/116_array_access/why3shapes.gz000066400000000000000000000003501440160026300224760ustar00rootroot00000000000000OMKC1Wi6y/b"<*lvо bE~ s;ӆyү4mzvhA$lة?ַO+S7Fvy\M`&=7׳W/ߗU09mi8Fd$ >" ,A%KX vh0 L$ v9Wd jD4,M ;̚ƀwhy3-1.6.0/examples/bts/12445.mlw000066400000000000000000000001551440160026300162130ustar00rootroot00000000000000module M use int.Int let f () ensures { let (a,_b,_c) = result in a > 0 } = (1,2,3) end why3-1.6.0/examples/bts/12475.why000066400000000000000000000002271440160026300162260ustar00rootroot00000000000000theory Stmt use real.Real use floating_point.Rounding use floating_point.Single goal toto: forall x : real. x < round Up x + 1. end why3-1.6.0/examples/bts/12475/000077500000000000000000000000001440160026300154745ustar00rootroot00000000000000why3-1.6.0/examples/bts/12475/why3session.xml000066400000000000000000000017221440160026300205160ustar00rootroot00000000000000 why3-1.6.0/examples/bts/12475/why3shapes.gz000066400000000000000000000001651440160026300201360ustar00rootroot00000000000000R(H,H-V(K-*ϳR0SJ 3HN,/KI -3H6+0H5pJ-(kH2J152KLIL22MJMN03017L1I1K0V00"dwhy3-1.6.0/examples/bts/126_apply.mlw000066400000000000000000000002751440160026300172540ustar00rootroot00000000000000 module A use int.Int inductive even (n: int) = | Zero : even 0 | Pair : forall n. even n -> even (n+2) goal a: even 4 inductive unit = tt : unit goal g : unit endwhy3-1.6.0/examples/bts/126_apply/000077500000000000000000000000001440160026300165275ustar00rootroot00000000000000why3-1.6.0/examples/bts/126_apply/why3session.xml000066400000000000000000000024771440160026300215610ustar00rootroot00000000000000 why3-1.6.0/examples/bts/126_apply/why3shapes.gz000066400000000000000000000004671440160026300211760ustar00rootroot00000000000000-Mn[1:M?iHH<'o >xm#~DZ]_:[?u;wNvzHzv==;Н{ݯ qy?l7u"J1IeTIB ZZuttErK{ FDG< 8K})eBRƀ%$_dXm3'A܇ Ƭ4WI,ʉV8Ĝj- SHTBe>RvP9+)w9Twhy3-1.6.0/examples/bts/12934.why000066400000000000000000000001251440160026300162230ustar00rootroot00000000000000 theory BTS12934 type set 'a type rel 'a 'b = set ('a,'b) goal t: true end why3-1.6.0/examples/bts/12934/000077500000000000000000000000001440160026300154745ustar00rootroot00000000000000why3-1.6.0/examples/bts/12934/12934_BTS12934_t_1.v000066400000000000000000000004721440160026300202260ustar00rootroot00000000000000(* This file is generated by Why3's Coq driver *) (* Beware! Only edit allowed sections below *) Require Import ZArith. Require Import Rbase. Parameter set : forall (a:Type), Type. (* Why3 assumption *) Definition rel (a:Type) (b:Type) := (set (a* b)%type). (* Why3 goal *) Theorem t : True. trivial. Qed. why3-1.6.0/examples/bts/12934/why3session.xml000066400000000000000000000010421440160026300205110ustar00rootroot00000000000000 why3-1.6.0/examples/bts/12934/why3shapes.gz000066400000000000000000000001351440160026300201330ustar00rootroot00000000000000R(H,H-V(K-*ϳR0S*J-(KrqYX$ZX%Y''$+zp4Lwhy3-1.6.0/examples/bts/13002.why000066400000000000000000000000531440160026300162060ustar00rootroot00000000000000theory T use real.Real goal toto: true end why3-1.6.0/examples/bts/130_extraction.mlw000066400000000000000000000001751440160026300203010ustar00rootroot00000000000000module UnitBug use io.StdIO let test () = print_int 1; print_int 2; print_int 3; print_newline () end why3-1.6.0/examples/bts/13375.mlw000066400000000000000000000017511440160026300162210ustar00rootroot00000000000000theory Signed use int.Int type signed_type function first : int function last : int predicate in_range (x : int) = (first <= x <= last) val function to_int (n : signed_type) : int function from_int (n : int) : signed_type predicate eq (left : signed_type) (right : signed_type) = (to_int left) = (to_int right) axiom range : forall x : signed_type. in_range (to_int x) axiom coerce : forall x : int [(in_range x), (from_int x)]. (in_range x) -> ((to_int (from_int x)) = x) axiom unicity : forall x y : signed_type. (to_int x) = (to_int y) -> x = y end module Spec use int.Int type my_type clone Signed as My_Type_T with type signed_type = my_type, axiom . axiom axiom_first : My_Type_T.first = 1 axiom axiom_last : My_Type_T.last = 100 val my_type_t_from___int_ (n : int) : my_type requires { (My_Type_T.in_range n) } ensures { (My_Type_T.to_int result) = n } let to_int_ (x : my_type) = (My_Type_T.to_int x) end why3-1.6.0/examples/bts/13375/000077500000000000000000000000001440160026300154745ustar00rootroot00000000000000why3-1.6.0/examples/bts/13375/why3session.xml000066400000000000000000000004171440160026300205160ustar00rootroot00000000000000 why3-1.6.0/examples/bts/13375/why3shapes.gz000066400000000000000000000000551440160026300201340ustar00rootroot00000000000000R(H,H-V(K-*ϳR0S&why3-1.6.0/examples/bts/13515.mlw000066400000000000000000000004341440160026300162120ustar00rootroot00000000000000(* BTS 13515 https://gforge.inria.fr/tracker/index.php?func=detail&aid=13515&group_id=2990 *) module ExcepAndRec use int.Int exception E let rec f (x:int) : int raises { E } diverges = if x = 42 then raise E else try let n = f (x-1) in n with E -> 42 end end why3-1.6.0/examples/bts/138.mlw000066400000000000000000000003461440160026300160510ustar00rootroot00000000000000module Test use int.Int type a = < range 22 46 > let f (b : a) = requires {a'int b = 42} ensures {a'int result = a'int b} (42:a) end module Test1 clone Test as T (* Replace with Test does not work *) end why3-1.6.0/examples/bts/138/000077500000000000000000000000001440160026300153255ustar00rootroot00000000000000why3-1.6.0/examples/bts/138/why3session.xml000066400000000000000000000010341440160026300203430ustar00rootroot00000000000000 why3-1.6.0/examples/bts/138/why3shapes.gz000066400000000000000000000001631440160026300177650ustar00rootroot00000000000000R(H,H-V(K-*ϳR0SJM61JLT+ 3=ma\ ύ+Y!-H!05"00402(,DÀ hwhy3-1.6.0/examples/bts/13849.why000066400000000000000000000004121440160026300162300ustar00rootroot00000000000000 (* BTS 13849 *) theory T type t = T type x 'a 'b = | X t 'a | Y t 'b type a = A0 | A1 type b = B function b1 : x a b = (X T A0) function b2 : x a b = (X T A1) goal x : b1 = b2 (* Theorem x1 : ((X(T, A0):(x a b)) = (X(T, A1):(x a b))).*) end why3-1.6.0/examples/bts/13849/000077500000000000000000000000001440160026300155025ustar00rootroot00000000000000why3-1.6.0/examples/bts/13849/13849_T_x_2.v000066400000000000000000000016071440160026300174200ustar00rootroot00000000000000(* This file is generated by Why3's Coq driver *) (* Beware! Only edit allowed sections below *) Require Import BuiltIn. Require BuiltIn. (* Why3 assumption *) Inductive t := | T : t. Axiom t_WhyType : WhyType t. Existing Instance t_WhyType. (* Why3 assumption *) Inductive x (a:Type) (b:Type) := | X : t -> a -> x a b | Y : t -> b -> x a b. Axiom x_WhyType : forall (a:Type) {a_WT:WhyType a} (b:Type) {b_WT:WhyType b}, WhyType (x a b). Existing Instance x_WhyType. Implicit Arguments X [[a] [b]]. Implicit Arguments Y [[a] [b]]. (* Why3 assumption *) Inductive a1 := | A0 : a1 | A1 : a1. Axiom a1_WhyType : WhyType a1. Existing Instance a1_WhyType. (* Why3 assumption *) Inductive b := | B : b. Axiom b_WhyType : WhyType b. Existing Instance b_WhyType. (* Why3 goal *) Theorem x1 : ((X T A0: (x a1 b)) = (X T A1: (x a1 b))). (* YOU MAY EDIT THE PROOF BELOW *) admit. Admitted. why3-1.6.0/examples/bts/13849/why3session.xml000066400000000000000000000010241440160026300205170ustar00rootroot00000000000000 why3-1.6.0/examples/bts/13849/why3shapes.gz000066400000000000000000000001441440160026300201410ustar00rootroot00000000000000R(H,H-V(K-*ϳR0SJML2LL2J-(2HJ1K51OMN5J3M6306606654O504T00 Swhy3-1.6.0/examples/bts/13853.mlw000066400000000000000000000004251440160026300162170ustar00rootroot00000000000000 (* BTS 13853 https://gforge.inria.fr/tracker/?func=detail&atid=10293&aid=13853&group_id=2990 *) module T use int.Int exception MyExc let rec f (_x:int) : int variant { 0 } raises { MyExc } = raise MyExc with g (x:int) : int variant { 1 } raises { MyExc } = f x end why3-1.6.0/examples/bts/13853/000077500000000000000000000000001440160026300154755ustar00rootroot00000000000000why3-1.6.0/examples/bts/13853/why3session.xml000066400000000000000000000010371440160026300205160ustar00rootroot00000000000000 why3-1.6.0/examples/bts/13853/why3shapes.gz000066400000000000000000000001531440160026300201340ustar00rootroot00000000000000ű@0FLWZiA$b0XTT|? f%\qG%f)D}kk&_?Lp `cf+(ε̵*<[cJ^o\why3-1.6.0/examples/bts/13853a.mlw000066400000000000000000000004021440160026300163530ustar00rootroot00000000000000 (* BTS 13853 (follow-up) https://gforge.inria.fr/tracker/?func=detail&atid=10293&aid=13853&group_id=2990 *) module T type t exception MyExc let rec f (_a:t) : t raises { MyExc } = raise MyExc with g (a:t) : t = try (f a) with MyExc -> a end end why3-1.6.0/examples/bts/13853b.mlw000066400000000000000000000004261440160026300163620ustar00rootroot00000000000000 (* BTS 13853 (follow-up) https://gforge.inria.fr/tracker/?func=detail&atid=10293&aid=13853&group_id=2990 *) module T type t exception MyExc let rec f (_x:t) : t raises { MyExc } = raise MyExc with g (x:t) : (_r: t) raises { MyExc } ensures { true } = f x end why3-1.6.0/examples/bts/13854.why000066400000000000000000000002161440160026300162260ustar00rootroot00000000000000theory T type t 'a = A 'a | B function f () : () goal g : () = f () goal x : A () <> B (*Theorem x : ((A ) = (B :(t unit))). *) end why3-1.6.0/examples/bts/13854/000077500000000000000000000000001440160026300154765ustar00rootroot00000000000000why3-1.6.0/examples/bts/13854/13854_T_g_1.v000066400000000000000000000007701440160026300173660ustar00rootroot00000000000000(* This file is generated by Why3's Coq driver *) (* Beware! Only edit allowed sections below *) Require Import ZArith. Require Import Rbase. Inductive t (a:Type) := | A : a -> t a | B : t a. Implicit Arguments A. Set Contextual Implicit. Implicit Arguments B. Unset Contextual Implicit. Parameter f: unit -> unit. (* YOU MAY EDIT THE CONTEXT BELOW *) (* DO NOT EDIT BELOW *) Theorem g : (tt = (f tt)). (* YOU MAY EDIT THE PROOF BELOW *) destruct (f tt); auto. Qed. (* DO NOT EDIT BELOW *) why3-1.6.0/examples/bts/13854/13854_T_x_1.v000066400000000000000000000007741440160026300174130ustar00rootroot00000000000000(* This file is generated by Why3's Coq driver *) (* Beware! Only edit allowed sections below *) Require Import ZArith. Require Import Rbase. Inductive t (a:Type) := | A : a -> t a | B : t a. Implicit Arguments A. Set Contextual Implicit. Implicit Arguments B. Unset Contextual Implicit. Parameter f: unit -> unit. (* YOU MAY EDIT THE CONTEXT BELOW *) (* DO NOT EDIT BELOW *) Theorem x : ~ ((A tt) = (B :(t unit))). (* YOU MAY EDIT THE PROOF BELOW *) discriminate. Qed. (* DO NOT EDIT BELOW *) why3-1.6.0/examples/bts/13854/why3session.xml000066400000000000000000000012271440160026300205200ustar00rootroot00000000000000 why3-1.6.0/examples/bts/13854/why3shapes.gz000066400000000000000000000002151440160026300201340ustar00rootroot000000000000005ʱ 1 =OQojkztrrrMQ8x*ty}:߮+C[lZհ/Gvr`A%bw\r&)פC_b {ewhy3-1.6.0/examples/bts/14097.mlw000066400000000000000000000001411440160026300162130ustar00rootroot00000000000000 module M use ref.Ref val x : ref int let f () : int ensures { result = !x } = !x end why3-1.6.0/examples/bts/16972.mlw000066400000000000000000000004501440160026300162220ustar00rootroot00000000000000 module M type t = A | B type s = { field1 : t -> t ; field2 : t -> t } function const (x:'b) : 'a -> 'b = fun _ -> x predicate p (u:s) (a b:t) = u.field1 = const a /\ u.field2 = const b let fail (u:s) : unit requires { p u A A } ensures { u.field1 = u.field2 } = () end why3-1.6.0/examples/bts/16972/000077500000000000000000000000001440160026300155025ustar00rootroot00000000000000why3-1.6.0/examples/bts/16972/why3session.xml000066400000000000000000000010451440160026300205220ustar00rootroot00000000000000 why3-1.6.0/examples/bts/16972/why3shapes.gz000066400000000000000000000001671440160026300201460ustar00rootroot00000000000000R(H,H-V(K-*ϳR0SJMLLI1 30 < forall _y:int. x = 42 -> q x goal g1: forall x. p x -> forall y. x = f y -> q x end module More use int.Int function f int : int goal g3: forall x:int. forall z. z = x+1 -> forall y. y+1 = z -> x = f y -> y = f y + 1 predicate p int predicate q int goal g2: forall x. p x -> forall y:int. x = y -> q x end module Other use int.Int predicate p int constant x : int axiom H1 : p x constant y : int = 3 axiom H2 : x = y+1 goal g : x*y = 0 endwhy3-1.6.0/examples/bts/16_subst/000077500000000000000000000000001440160026300164605ustar00rootroot00000000000000why3-1.6.0/examples/bts/16_subst/why3session.xml000066400000000000000000000033301440160026300214770ustar00rootroot00000000000000 why3-1.6.0/examples/bts/16_subst/why3shapes.gz000066400000000000000000000012731440160026300211230ustar00rootroot00000000000000MRˎ#7 +|Lf/|H`5@rHY~}mgƍnDb~y9.?v˯}뙾Kiuq{؍yڮоv y3n cuknc\ܞ?w'>=ӞqG vP=>h>|xi_:˼ܧ=iz^s=I,Ԝ'嵚_m 2aWZg6H>yHpŔ Y3UFI&!hQM٦+AB/:+Ha"]46yZ,O#l=hA !qlbsTTMS-uUˊͫ0Xށz;V7Y cQŲaMm2Εޜ*8%.@Yq?ϕ$5Qyhk /V:Tw-R-+/}XHP3P,7֦!z/ \y|NKmAjYF$E7(=d ^+ ߅B*#OdȢ8)6 >7"TTҽkҍjtwFjoAJh谸x@᧰0Q(<Ǚy#NL+rTwhy3-1.6.0/examples/bts/17137.mlw000066400000000000000000000002741440160026300162200ustar00rootroot00000000000000 theory A type t 'a end theory B clone export A clone export A with type t 'a = t 'a end theory C clone export A clone export B with type t 'a = t 'a (* Error reported on this line *) end why3-1.6.0/examples/bts/17184.mlw000066400000000000000000000006101440160026300162140ustar00rootroot00000000000000 (* Error message: This expression has type t <> 'a 'b, but is expected to have type t 'a1 'a2 Clone substitute every occurence of the type by the logic version, while we expect to use the program version in add. *) module A type t val add t : unit end module B type t = { ghost a : unit } clone export A with type t = t (* FIXME ! let sub (x:t) : unit = A.add x *) end why3-1.6.0/examples/bts/185_apply.mlw000066400000000000000000000010531440160026300172540ustar00rootroot00000000000000 module Ex1 use int.Int function f int : int predicate p int axiom B: forall y. let x = f y in x >= 0 -> p y goal g : p 42 end module Ex2 function f int : int predicate p int int axiom A: forall x y. x = f y -> p x y axiom B: forall y. let x = f y in p x y goal g : p 17 42 end module Ex3 type a constant a0: a type b constant b0: b type c constant c0: c function f unit : b function g unit : c predicate p a b c axiom a : forall a. let b = f () in let c = g () in p a b c -> false goal g : false end why3-1.6.0/examples/bts/185_apply/000077500000000000000000000000001440160026300165345ustar00rootroot00000000000000why3-1.6.0/examples/bts/185_apply/why3session.xml000066400000000000000000000006551440160026300215620ustar00rootroot00000000000000 why3-1.6.0/examples/bts/185_apply/why3shapes.gz000066400000000000000000000003151440160026300211730ustar00rootroot00000000000000-̻N1 >_'A-WEN$XF $ޛݞe~~nf92VOgvqSNp2 O8"m$_뫎b1z$^\Y+%F J&0T|c1@) X;3ё4z94 P@:)_N޴why3-1.6.0/examples/bts/185_apply_let.mlw000066400000000000000000000002531440160026300201210ustar00rootroot00000000000000module Test function f int : int = 17 predicate p int int axiom A: forall x y. x = f y -> p x y axiom B: forall y. let x = f y in p x y goal g : p 17 42 end why3-1.6.0/examples/bts/185_apply_let/000077500000000000000000000000001440160026300174005ustar00rootroot00000000000000why3-1.6.0/examples/bts/185_apply_let/why3session.xml000066400000000000000000000010441440160026300224170ustar00rootroot00000000000000 why3-1.6.0/examples/bts/185_apply_let/why3shapes.gz000066400000000000000000000002461440160026300220420ustar00rootroot000000000000000|Eiw m1j0ܫY66Ԙ3oNONO<eT}8yxG]hOTh9OMU9K.X˒*0 YHI @ Еԙ.rQq0jaZ@G#why3-1.6.0/examples/bts/18953.why000066400000000000000000000003071440160026300162340ustar00rootroot00000000000000 theory T use int.Int constant x:int goal g1 : (=) x 42 goal g2 : (<) x 42 goal g3 : (>) x 42 goal g4 : (<=) x 42 goal g5 : (>=) x 42 (* does not parse goal g6 : (<>) x 42 *) end why3-1.6.0/examples/bts/19_apply_with.mlw000066400000000000000000000014131440160026300202230ustar00rootroot00000000000000module I19_simplint use int.Int axiom H [@W:non_conservative_extension:N] : forall x y z. x < y -> y < z -> x < z goal g: 0 < 2 end module I19_simplpoly type t predicate r t t axiom trans: forall x y z. r x y -> r y z -> r x z constant a:t constant b:t constant c:t axiom a1: r a b axiom a2: r b c goal test: r a c end module I19_simplpoly2 type t type t' predicate r 'a t t axiom trans: forall a:'a. forall a':'a. forall x y z. r a x y -> r a y z -> r a' x z constant a:t constant b:t constant c:t axiom trans_eq: forall x y z. r 4 x y -> r 5 y z -> a = z axiom a1: forall x:'a. r x a b axiom a2: forall x:'a. r x b c (* apply trans 1,b,b does not work *) goal test: r 1 a c (* apply trans with b *) end why3-1.6.0/examples/bts/19_apply_with/000077500000000000000000000000001440160026300175035ustar00rootroot00000000000000why3-1.6.0/examples/bts/19_apply_with/why3session.xml000066400000000000000000000014571440160026300225320ustar00rootroot00000000000000 why3-1.6.0/examples/bts/19_apply_with/why3shapes.gz000066400000000000000000000005231440160026300221430ustar00rootroot000000000000005n! sLdcFuE_kdQ"eLUi߾ü\7=^W^~,@1G@V}mǡb5Y= e?-Ӳ3"\,);B򋹄Ѫ32┕8uq"YύX1dZ $%l3,1H2ҀhFVqbb6:X:gAy`4XS3E]k`qa 8M9IԜH]W#0'Z;&ñ"!jij<;AlQ&lHǿ0#, why3-1.6.0/examples/bts/20445.mlw000066400000000000000000000001401440160026300162040ustar00rootroot00000000000000module A predicate p axiom G : p -> p end module B goal G : false clone A as A with goal G end why3-1.6.0/examples/bts/20445/000077500000000000000000000000001440160026300154705ustar00rootroot00000000000000why3-1.6.0/examples/bts/20445/why3session.xml000066400000000000000000000011301440160026300205030ustar00rootroot00000000000000 why3-1.6.0/examples/bts/20445/why3shapes.gz000066400000000000000000000001751440160026300201330ustar00rootroot0000000000000091 @ާH SxI Sl@Dg4yˣOy=NruGc4(>y͵R3b.N-$-c,(Ia<w9wwhy3-1.6.0/examples/bts/20618.mlw000066400000000000000000000001721440160026300162130ustar00rootroot00000000000000module Bug type foo = { a: unit -> unit ; b : unit } constant bar : foo = { a = fun _ -> () ; b = () } end why3-1.6.0/examples/bts/20619.mlw000066400000000000000000000001711440160026300162130ustar00rootroot00000000000000module Bug exception A (unit, unit) let foo (_: unit) : unit = try () with | A _ -> () end endwhy3-1.6.0/examples/bts/20881.why000066400000000000000000000007051440160026300162270ustar00rootroot00000000000000 theory OK type t 'a = A | B (t 'a) goal g : forall x: t 'a. A <> B x end theory Bug1 type t 'a = A int function f (t 'a) : 'a goal g : let p = (A 0: t int) in let q = (A 1: t int) in f p = f q end theory Bug use map.Map type t type p 'a = PTR t function load (p 'a) :'a goal bug: forall i. let p = ((PTR i):(p (map t t))) in let q = ((PTR i):(p t)) in (load p)[i] = (load q) end why3-1.6.0/examples/bts/231_destruct.mlw000066400000000000000000000033341440160026300177600ustar00rootroot00000000000000 module T predicate p1 predicate p2 predicate p3 axiom H: p1 -> p2 -> p3 axiom H1: p1 /\ p2 /\ p3 axiom H2: p1 \/ p2 \/ p3 goal G : (p1 \/ p2 \/ p3) -> 1 = 1 end module T2 use int.Int predicate p1 int predicate p2 int predicate p3 int axiom H: forall x. p1 x -> p2 x-> p3 x axiom H1: exists x y z. p1 x /\ p2 y /\ p3 z axiom H2: exists x. p1 x \/ exists y. p2 y \/ exists z. p3 z goal G : (forall x. p1 x \/ p2 x \/ p3 x) -> 1 = 1 end module Unsoundness predicate a predicate b predicate c (* Here if we do things badly we could use a on the right to prove the new hypothesis a on the left (and vice versa with b) This should not be provable. *) axiom H: (a -> (c /\ b)) /\ (b -> a) goal t1: c end module Incompleteness predicate a predicate b predicate c axiom H: (a -> (c /\ b)) /\ (b -> a) /\ a goal t1: c end module Imbrication predicate p1 predicate p2 predicate p3 predicate p4 predicate p5 predicate p6 predicate p7 axiom H: (p1 /\ p2) \/ (p3 /\ p4 /\ (p5 \/ p6 \/ p7)) goal G: True end (* TODO add more complex examples *) module Injection (* To avoid warning on axioms not containing local abstract symbol *) predicate p int constant z: int type t = | C int | D | E bool | F int axiom H: exists x. C x = D /\ p z axiom H1: C 1 = C 4 /\ p z axiom H2: E true = F 4 /\ p z goal G: True end module Injection2 (* To avoid warning on axioms not containing local abstract symbol *) predicate p int constant z: int type t = | C int | D | E bool | F int axiom H: exists x. C x <> D /\ p z axiom H1: C 1 <> C 4 /\ p z axiom H2: E true <> F 4 /\ p z goal G: True end why3-1.6.0/examples/bts/231_destruct/000077500000000000000000000000001440160026300172345ustar00rootroot00000000000000why3-1.6.0/examples/bts/231_destruct/why3session.xml000066400000000000000000000061201440160026300222530ustar00rootroot00000000000000 why3-1.6.0/examples/bts/231_destruct/why3shapes.gz000066400000000000000000000023151440160026300216750ustar00rootroot00000000000000U\7 WlER.~`Mm@Qbwݹr=Cӫf]5n>/Wϛ'O9k'''lZ[vOe=?_܎/ƃ{luxBطžc{:wX\~$O;VxЋy!Gy?`ộokNrퟞ-O?#`(FSXR}zO'{mo0q~:7ޮ^ϓL훽}{Z}|q}}ǗN 1SjT9ҕt[k-JNZFpj$S*縠Q=%Ҹzqk\GNGjCt3td)9"LJRԸf=O[sʣ{#M}yn2hghƳ0\ϩkdRSlCУ $mYJQP*gBrO\¨ި[Q8*lE!Z4½xomCR AZډ=)p]% pŪ1zo} M{pW9DTc^aT^tf$&}@PCn 4c$#-%EoƘ:Ffse}w„xM5؆*n$Ōx?:V, 2xOBɸy2U5 v ^Ѝ!" xuHﵪxFA7\hj> why3-1.6.0/examples/bts/244_destruct_rec.mlw000066400000000000000000000001441440160026300206110ustar00rootroot00000000000000 predicate a predicate b predicate c axiom H: (a -> (c /\ b)) /\ (b -> a) /\ a goal t1: c why3-1.6.0/examples/bts/244_destruct_rec/000077500000000000000000000000001440160026300200715ustar00rootroot00000000000000why3-1.6.0/examples/bts/244_destruct_rec/why3session.xml000066400000000000000000000014241440160026300231120ustar00rootroot00000000000000 why3-1.6.0/examples/bts/244_destruct_rec/why3shapes.gz000066400000000000000000000003161440160026300225310ustar00rootroot00000000000000==n0 FwBc͛s(4CZr ! p 4 | Cons x y -> p (x+length y) | Cons _ (Cons y Nil) -> p y | Cons x (Cons y z) -> p (x+y+length z) | Cons _ (Cons _ (Cons _ _)) -> p 5 end goal g1: p 1 (**********************) (* As and or patterns *) (**********************) axiom H2: match l with | Nil -> p 1 | Cons x Nil | Cons _ (Cons x Nil) -> p x | Cons _ (Cons _ _ as l1) -> p (length l1) end goal g2: p 2 axiom H3: match l with | Cons _ (Cons _ _ as l1) as l2 -> p (length l1+length l2) | _ -> p 0 end goal g3: p 3 (*************************) (* Recursive destruction *) (*************************) axiom H4: if p x then (if p (x+1) then p 1 else p 2) else p 3 goal g4: p 4 axiom H5: match l with | Cons x (Cons y _) -> if x = y then p 1 \/ p 2 else p 3 /\ p 4 | _ -> true end (*********************************************************************************) (* Interaction between recursive destruction of conditionals and of implications *) (*********************************************************************************) goal g5: p 5 axiom H6: p 1 -> if p 2 then p 3 else p 4 goal g6: p 6 axiom H7: if p 1 then p 2 -> p 3 else p 4 goal g7: p 7 axiom H8: if p 1 then if p 2 then (p 3 -> p 4) else p 5 else p 6 goal g8: p 8why3-1.6.0/examples/bts/264_destruct_if/000077500000000000000000000000001440160026300177205ustar00rootroot00000000000000why3-1.6.0/examples/bts/264_destruct_if/why3session.xml000066400000000000000000000046101440160026300227410ustar00rootroot00000000000000 why3-1.6.0/examples/bts/264_destruct_if/why3shapes.gz000066400000000000000000000026541440160026300223670ustar00rootroot00000000000000VrG +rJK(MYR%D:5%3LO7_^\ݽ~ww|߯Ջ_ҾVV8߮WÛtx?9?lGoIGlЖh=KެgSk~7F_4?gbzā_jysL1L/oOKWO$]yl9yTz]GZQSk!|[jsgr~ER#p^A Ш14W#QF3iKꥤȥr^pI1c(Xpj}(oEm 5h@ +,S!.u!Du~55cĶZe2R`iZSXt )Lb%(tmC4v Q6[ ݸ!"ƪ U# 6Xd7x*fՆQ50f n\3Q+kyr}F-}o"΃u %:~5FOj$%AaX발zFCجu'h0QttEZlO'Q(, Z*6YJmli cnt es0gAVŅ9\WPlmvo"gHCijj{ 9WҎY(!ԻSBiz-yQ<8U^ӈ>/Vu let z = f y in let a = f z in p a axiom H4: forall x. (let v = x in f v = x) -> let z = f x in let a = f z in p a goal g: p 17 end module Test2 inductive test int = | test_bad: forall x. let y = x in let z = y in test z | test_good: forall x. let z = let y = x in y in test z goal g: test 0 end module Test3 predicate test int function f int : int axiom H1 : forall x:int. let y = f x in test y goal g1: test 42 axiom H2 : forall x:int. let y = f x in let z = f y in test z goal g2: test 42 end why3-1.6.0/examples/bts/265_apply/000077500000000000000000000000001440160026300165335ustar00rootroot00000000000000why3-1.6.0/examples/bts/265_apply/why3session.xml000066400000000000000000000027531440160026300215620ustar00rootroot00000000000000 why3-1.6.0/examples/bts/265_apply/why3shapes.gz000066400000000000000000000010341440160026300211710ustar00rootroot00000000000000UAo! 9n=<雔sMZ&|b^p~ky=~~:C++>s=cwxF`Ook.KhA4xFZ1qjTV*J,raFNNbŗjUF2:YZ×XO%3!PSk"&IF-i,5J٭U7why3-1.6.0/examples/bts/269_replace_under_if.mlw000066400000000000000000000001521440160026300214170ustar00rootroot00000000000000 use int.Int constant a : int constant b : int axiom H : a = b goal G : if a > 0 then true else false why3-1.6.0/examples/bts/269_replace_under_if/000077500000000000000000000000001440160026300207005ustar00rootroot00000000000000why3-1.6.0/examples/bts/269_replace_under_if/why3session.xml000066400000000000000000000010401440160026300237130ustar00rootroot00000000000000 why3-1.6.0/examples/bts/269_replace_under_if/why3shapes.gz000066400000000000000000000002571440160026300233440ustar00rootroot00000000000000M @=`0uoaRUФ5vF7=[Gna1ܗ2zZeHU2ѐuEYodx.=5(Tb2ɤtE;PF%9BR[op5>why3-1.6.0/examples/bts/276_shape.mlw000066400000000000000000000001631440160026300172310ustar00rootroot00000000000000use int.Int constant x : int axiom h : x = 1 \/ x <> 1 axiom k : x + x + x + x + x = 985 goal g : x = 1 \/ x <> 1 why3-1.6.0/examples/bts/276_shape/000077500000000000000000000000001440160026300165105ustar00rootroot00000000000000why3-1.6.0/examples/bts/276_shape/why3session.xml000066400000000000000000000015351440160026300215340ustar00rootroot00000000000000 why3-1.6.0/examples/bts/276_shape/why3shapes.gz000066400000000000000000000003441440160026300211510ustar00rootroot000000000000005ͱNC1 =_b;q >9C+*T||^O;g^V7]ͽӷyay_c? P3RSL=6j\kB9(s1OӨM@oU$V+'O lQ%C$Z#t6+,J?9Pi 5>why3-1.6.0/examples/bts/311_destruct.mlw000066400000000000000000000002721440160026300177550ustar00rootroot00000000000000use list.List use list.Length use int.Int constant x: int predicate p int axiom H: not (p 0) axiom H1: p 0 goal g: false lemma H2: false goal g5: p 5 lemma H3: true goal g6: p 5 why3-1.6.0/examples/bts/311_destruct/000077500000000000000000000000001440160026300172335ustar00rootroot00000000000000why3-1.6.0/examples/bts/311_destruct/why3session.xml000066400000000000000000000026231440160026300222560ustar00rootroot00000000000000 why3-1.6.0/examples/bts/311_destruct/why3shapes.gz000066400000000000000000000004161440160026300216740ustar00rootroot00000000000000;n0 ]fŗKPH"fHkn޾ ?ȧӴٗ () | Exc7 -> () end; assert { false } end why3-1.6.0/examples/bts/380_doc_trans.mlw000066400000000000000000000057311440160026300201070ustar00rootroot00000000000000module Apply predicate is_even (x: int) predicate is_zero (x: int) axiom zero_is_even: forall x: int. is_zero x -> is_even x goal G: is_even 0 end module Transitivity (* Apply *) val constant a : int val constant b : int val constant c : int axiom ac: a = c axiom cb: c = b lemma transitivity : forall x y z:int. x = y -> y = z -> x = z goal G : a = b end module Transitivity2 (* Apply *) val constant a : int val constant b : int val constant c : int axiom ac: a = c axiom cb: c = b lemma t : forall x y z k:int. k = k -> x = y -> y = z -> x = z goal G : a = b end module Assert predicate is_prime int val constant n : int goal G: not (is_prime n) end module Case val constant y : int val constant x : int goal G: if x = 0 then y = 2 else y = 3 end module Destruct val constant p1 : bool predicate p2 int axiom h: p1 /\ forall x. p2 x goal G: p2 0 end module Destruct_rec predicate a predicate b predicate c axiom H: (a -> b) /\ (b /\ c) goal G: false end module Destruct_term type t = A | B int val constant a : t goal G: a = A end module Exists goal G: exists x. x = 0 end module Hide use int.Int val constant y : int lemma h: forall x. x = 1 + 1 goal G: y - (1 + 1) = (1+1) - (1+ 1) end module Induction use int.Int val constant n : int predicate p int predicate p1 int axiom h: p1 n goal G: p n end module Instantiate use int.Int predicate p int axiom h: forall x y. x <= y -> p x /\ p y goal G: p 0 end module Intros predicate p int int int goal G: forall x y z: int. p x y z end module Left val constant x: int goal G: x = 0 \/ x = 1 end module Pose use int.Int val constant x: int goal G : true end module Remove lemma h: true goal G: true end module Replace use int.Int val constant x: int val constant y: int axiom h : x >= y + 1 goal G: true end module Revert val constant x: int val constant y: int axiom h: x = y goal G: true end module Rewrite (* rewrite *) function a int : bool function b int : bool val constant y: int axiom eq: forall x. x <> 0 -> a x = b x goal G : a y = true end module Rewrite2 (* rewrite *) function a int : bool function b int : bool val constant y: int axiom eq: forall x z. z = 0 -> x <> 0 -> a x = b x goal G : a y = true end module Right val constant x: int goal G: x = 0 \/ x = 1 end module Subst use int.Int val constant x: int val constant y: int val constant z: int axiom h: x = y + 1 axiom h1 : z = x + y goal G: x = z end module Subst_all use int.Int val constant x: int val constant x1: int val constant y: int val constant z: int axiom h: x = y + 1 axiom hx1: x = x1 axiom h1 : z = x + y goal G: x = z end module Unfold use int.Int predicate p (x: int) = x <= 22 lemma h: forall x. p x -> p (x - 1) goal G: p 21 end module Use_th predicate p int goal G: p 5 end why3-1.6.0/examples/bts/380_doc_trans/000077500000000000000000000000001440160026300173605ustar00rootroot00000000000000why3-1.6.0/examples/bts/380_doc_trans/why3session.xml000066400000000000000000000143441440160026300224060ustar00rootroot00000000000000 why3-1.6.0/examples/bts/380_doc_trans/why3shapes.gz000066400000000000000000000042351440160026300220240ustar00rootroot00000000000000WɎ Wq 04dB"_XJrޏYՒ`=/y>?~ӡ~ypGe>|WӦӻa?f?]nvt5\.%\/t^]1_ɕAp>>NçyzۛWKߝ Oz=Ox{UwvWNA,yk{}[y}^q|C> y~t^nL=3 >f <݅W؋D?#U]5<5A_O]|r1 Jc؟v|~zn??<ߟ^J vao_g͞nzJqpop >}3դ8fs}W J=~cq~wS~>z6Ô1nB$)ܦґ^ʹl$VuE:clL*$V2s)%Vz,ǼEm%}D-g. Yg(O4'5M4lk|NS@k%s܉- VCܠ\+B:kK0@dJZ)SBo]і^c6brD3Rl j| TN4N 1p-ێ6Ga'ZeUEb ^c,[T@cPai^FagP6RRFK`G{&iACmf<߀8!Ÿǐ%ͻMt*JBȪ\J\ yk$-&-!5Gqڌ%4#=P)zӝ&ŁU̠b2 .%ˑ̀ RAO]!,4q즉k˄$ʣuTCvS8rJM-' 9 #98q\H̚RΎR1#Fmf3ɽAc*ԂPfe (xq2:ZG)4%@&q2\{e쵦9NGPma4P;q5Tl!Q,Fcr*S^!R0F2 %r'c1hѐgpC1anGcE ;bw1':VhI$0M*1Y* HdmuP\CJ+ FYo֜kKʼn@!t/t`nNyT800Q!c99CzUs+L xUUd ̩Ll 8XQg ZF1zGX'b)Hs[ʱčrdͺ/H2R-!*@,&37L^{HotۡȌbP\EfM7j;HQHY؂PUaM[ha"WCvX(I\:Pjm*^[`[%`"oZsqlJҜoYY0Q^|q+)dT鋰 `q6tl8VBxf8"g6r@N*}Z\V/3:VB?(΍4`/Mp!R?peXN ibaQ6Mh> !Kh#zN5n?6*ddLZn@:*eV07옊U3f b~KC.4ìsl/AEB+3V)^m:xHm-%IG&](why3-1.6.0/examples/bts/380_trans_space_args.mlw000066400000000000000000000002051440160026300214400ustar00rootroot00000000000000module Transitivity val constant b : int axiom H: forall x y z a: int. x = y -> y = z -> b = z -> z = a goal G: 3 = 22 end why3-1.6.0/examples/bts/380_trans_space_args/000077500000000000000000000000001440160026300207225ustar00rootroot00000000000000why3-1.6.0/examples/bts/380_trans_space_args/why3session.xml000066400000000000000000000010651440160026300237440ustar00rootroot00000000000000 why3-1.6.0/examples/bts/380_trans_space_args/why3shapes.gz000066400000000000000000000003271440160026300233640ustar00rootroot00000000000000%Kj1D:WS6L.0CO0QՃW6^vĆ fYB(.y2zp!r2~xML8f+"A6^װZʉ2ƹ\bliũB !I%րԦSSrL.ԉ%%FLZI why3-1.6.0/examples/bts/438.mlw000066400000000000000000000003161440160026300160510ustar00rootroot00000000000000use int.Int use real.FromInt use real.RealInfix use real.Abs goal g1 : from_int 100 = 100. goal g2: forall x. -5 <= x <= 5 -> abs (from_int x) <=. 5. goal g3: forall x. x <= 5 -> 10. *. from_int x <=. 50. why3-1.6.0/examples/bts/438/000077500000000000000000000000001440160026300153305ustar00rootroot00000000000000why3-1.6.0/examples/bts/438/why3session.xml000066400000000000000000000026361440160026300203570ustar00rootroot00000000000000 why3-1.6.0/examples/bts/438/why3shapes.gz000066400000000000000000000003141440160026300177660ustar00rootroot00000000000000]JA <u%͈=x)L6=]E+zB~/٣oخxI0.Qr /pwgὟR^o4Kd\lR*Z-C!g>k:Z&ͤY/jLoNmnjNHVp"Ꮀf(/Eހwhy3-1.6.0/examples/bts/450_abs.mlw000066400000000000000000000005011440160026300166640ustar00rootroot00000000000000module M32 use ieee_float.Float32 goal G1: in_range 0.0 goal G2: in_range 20.20 goal G3: no_overflow RNE 0.0 goal G4: no_overflow RNE 20.20 end module M64 use ieee_float.Float64 goal G1: in_range 0.0 goal G2: in_range 20.20 goal G3: no_overflow RNE 0.0 goal G4: no_overflow RNE 20.20 end why3-1.6.0/examples/bts/450_abs/000077500000000000000000000000001440160026300161475ustar00rootroot00000000000000why3-1.6.0/examples/bts/450_abs/why3session.xml000066400000000000000000000040471440160026300211740ustar00rootroot00000000000000 why3-1.6.0/examples/bts/450_abs/why3shapes.gz000066400000000000000000000004361440160026300206120ustar00rootroot00000000000000eJ1 }9ꂒL?.x ,I,QB͗_t~7?r3iwO why3-1.6.0/examples/bts/548-neg-float-lit/why3shapes.gz000066400000000000000000000001611440160026300224300ustar00rootroot00000000000000%DZ н_QMH\]npfڞ.7tX\#wcĀ] YD1}!9ќ[Hy,W7 [Ax A͗ kUpdwhy3-1.6.0/examples/bts/559.mlw000066400000000000000000000005221440160026300160540ustar00rootroot00000000000000module Pb_invariant_attribute use export ref.Ref use export bool.Bool val a : ref bool val b : ref bool val c : ref bool goal g : [@atr] forall x:bool. [@atr2] x let test () diverges = while (true) do invariant { [@expl:foo] (!a) } invariant { [@expl:bar] (not (!b)) } invariant { [@expl:bla] (not (not (!c))) } done end why3-1.6.0/examples/bts/612.mlw000066400000000000000000000003731440160026300160460ustar00rootroot00000000000000type option = None | Some int (* CE generation should not fail anymore because of eliminate_algebraic not losing attributes anymore *) let f (a: option) : unit ensures { match a with | None -> 1=2 | Some a -> 3=3 end } = () why3-1.6.0/examples/bts/612/000077500000000000000000000000001440160026300153225ustar00rootroot00000000000000why3-1.6.0/examples/bts/612/why3session.xml000066400000000000000000000010211440160026300203340ustar00rootroot00000000000000 why3-1.6.0/examples/bts/612/why3shapes.gz000066400000000000000000000001601440160026300177570ustar00rootroot00000000000000R(H,H-V(K-*ϳR0SrNM6L6JK-I M 3p sVH/RHJLN34"Ӥd$#˴4#CD3#C.Q~^why3-1.6.0/examples/bts/626.mlw000066400000000000000000000004031440160026300160450ustar00rootroot00000000000000 use bv.BV32 type bv_ref = { mutable contents : BV32.t } let f () = let b : bv_ref = { contents = (42 : BV32.t) } in while BV32.sgt b.contents (0:BV32.t) do variant { b.contents with BV32.slt } b.contents <- BV32.sub b.contents (1:BV32.t) donewhy3-1.6.0/examples/bts/626/000077500000000000000000000000001440160026300153275ustar00rootroot00000000000000why3-1.6.0/examples/bts/626/why3session.xml000066400000000000000000000022311440160026300203450ustar00rootroot00000000000000 why3-1.6.0/examples/bts/626/why3shapes.gz000066400000000000000000000003351440160026300177700ustar00rootroot00000000000000Un0 @w}$YU S<Z JRnHr"Bp7*Q.r}Wb rDs`` 0) else (bag = 1 \/ bag <> 1)why3-1.6.0/examples/bts/690_reserved_keywords/000077500000000000000000000000001440160026300211565ustar00rootroot00000000000000why3-1.6.0/examples/bts/690_reserved_keywords/why3session.xml000066400000000000000000000010301440160026300241700ustar00rootroot00000000000000 why3-1.6.0/examples/bts/690_reserved_keywords/why3shapes.gz000066400000000000000000000001761440160026300236220ustar00rootroot00000000000000R(H,H-V(K-*ϳR0SKMLJLO61@"PH$&rTƃ 4LN207JL51OL2J6L4M4L541N1IS00ܫ|K|why3-1.6.0/examples/bts/695_remove_unused.mlw000066400000000000000000000007421440160026300210210ustar00rootroot00000000000000 module M1 use int.Int function f int : int lemma l : forall x:int. f x > 0 axiom a : forall x:int. f x < 1 meta "remove_unused:dependency" axiom a, function f goal g : 1 <= 0 end module M2 use int.Int function g int : int axiom b : forall x. g x < 0 meta "remove_unused:dependency" axiom b, function g function f int : int lemma l : forall x:int. f x >= 0 axiom a : forall x:int. f x <= g x meta "remove_unused:dependency" axiom a, function f goal go : 1 <= 0 end why3-1.6.0/examples/bts/695_remove_unused/000077500000000000000000000000001440160026300202755ustar00rootroot00000000000000why3-1.6.0/examples/bts/695_remove_unused/why3session.xml000066400000000000000000000014431440160026300233170ustar00rootroot00000000000000 why3-1.6.0/examples/bts/695_remove_unused/why3shapes.gz000066400000000000000000000003411440160026300227330ustar00rootroot00000000000000==N1 >r;?r4'Ecb' {,ߜY/_-y9?x י~?'11Έs5S0Hً(K,]AnuTNMktpN60!͛rMb6TZbDFP@CJkiB($FLC|xP~W,why3-1.6.0/examples/bts/71_disambiguation.mlw000066400000000000000000000007111440160026300210400ustar00rootroot00000000000000module M use int.Int function (+) (x: int) (y : int) : int = x * y goal g: 2 + 3 = Int.(+) 3 3 end module M1 use real.RealInfix use int.Int constant x: int = 0 + 0 (* constant y: real = 0.0 + 0.0 typing error*) goal g: True end module M2 use real.RealInfix (* constant y: real = 0.0 + 0.0 typing error*) goal g: True end module M3 use real.RealInfix (*constant x: int = 0 + 0 'unbound symbol infix +' *) goal g: True end why3-1.6.0/examples/bts/71_disambiguation/000077500000000000000000000000001440160026300203205ustar00rootroot00000000000000why3-1.6.0/examples/bts/71_disambiguation/why3session.xml000066400000000000000000000021251440160026300233400ustar00rootroot00000000000000 why3-1.6.0/examples/bts/71_disambiguation/why3shapes.gz000066400000000000000000000004261440160026300227620ustar00rootroot00000000000000JC1 >ŹFҴi"xIQpnLBnYۯyeK})ry=Y>p٣c~-|=}} int) = f (-1) = 0 && forall n:int. f n = f 0 + (f 1 - f 0) * n lemma A : forall y z:int. p (fun x -> f0 x y z) <-> y = z meta rewrite lemma A (* compute_specified should not solve this goal. 0 = 0 was added so that compute_specified progress on this goal even when not unsound. *) lemma Fail : 0 = 0 /\ p (fun x -> f0 x x x) lemma Absurd : false end why3-1.6.0/examples/bts/79_compute_unsound/000077500000000000000000000000001440160026300205605ustar00rootroot00000000000000why3-1.6.0/examples/bts/79_compute_unsound/why3session.xml000066400000000000000000000013451440160026300236030ustar00rootroot00000000000000 why3-1.6.0/examples/bts/79_compute_unsound/why3shapes.gz000066400000000000000000000003201440160026300232130ustar00rootroot00000000000000m=N1 >r$H#-͈E-(Y!q{2+!w}wiۧo_?&N ZMݡ.K6 [OAZ\TФ`,)"`ݳEp,ޙ QUu, ;HF*I+Uj-1PT+why3-1.6.0/examples/bts/95_char_encoding_latin1.mlw000066400000000000000000000001011440160026300220730ustar00rootroot00000000000000(* This file is written in latin1: *) module M end why3-1.6.0/examples/bts/bts12244.ml000066400000000000000000000057441440160026300165430ustar00rootroot00000000000000(**************************************************************************) (* *) (* Copyright (C) 2010- *) (* François Bobot *) (* Jean-Christophe Filliâtre *) (* Claude Marché *) (* Andrei Paskevich *) (* *) (* This software is free software; you can redistribute it and/or *) (* modify it under the terms of the GNU Library General Public *) (* License version 2.1, with the special exception on linking *) (* described in file LICENSE. *) (* *) (* This software is distributed in the hope that it will be useful, *) (* but WITHOUT ANY WARRANTY; without even the implied warranty of *) (* MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. *) (* *) (**************************************************************************) (******************* This file exposes bug 12244 directly using the API ******************) open Why open Format (* reads the config file *) let config : Whyconf.config = Whyconf.read_config None (* the [main] section of the config file *) let main : Whyconf.main = Whyconf.get_main config (* builds the environment from the [loadpath] *) let env : Env.env = Lexer.create_env (Whyconf.loadpath main) let int_theory : Theory.theory = Env.find_theory env ["int"] "Int" (* An arithmetic goal: 1 = 2 *) let one : Term.term = Term.t_const (Term.ConstInt "1") let two : Term.term = Term.t_const (Term.ConstInt "2") let fmla : Term.term = Term.t_equ one two let task = Task.use_export None int_theory let goal_id = Decl.create_prsymbol (Ident.id_fresh "G") let task = Task.add_prop_decl task Decl.Pgoal goal_id fmla (* let () = printf "@[task:@\n%a@]@." Pretty.print_task task *) let inline = Trans.lookup_transform "inline_goal" env let split = Trans.lookup_transform_l "split_goal_right" env let task_inline = Trans.apply inline task let task_split = match Trans.apply split task with | [t] -> t | _ -> assert false let task_checksum t = fprintf str_formatter "%a@." Pretty.print_task t; let s = flush_str_formatter () in Digest.to_hex (Digest.string s) let sum = task_checksum task let sum_inline = task_checksum task_inline let sum_split = task_checksum task_split let () = printf "@[task == task_inline ? %b same checksums ? %b@]@." (Task.task_equal task task_inline) (sum = sum_inline) let () = printf "@[task == task_split ? %b same checksums ? %b@]@." (Task.task_equal task task_split) (sum = sum_split) why3-1.6.0/examples/bts/destruct_term.mlw000066400000000000000000000003301440160026300204130ustar00rootroot00000000000000module T use int.Int use mach.array.Array31 use option.Option type t = { l : array (option int); l1: array (option int); } let f (x : t) : t ensures { result.l[5] = None } = x end why3-1.6.0/examples/bts/destruct_term/000077500000000000000000000000001440160026300176765ustar00rootroot00000000000000why3-1.6.0/examples/bts/destruct_term/why3session.xml000066400000000000000000000011531440160026300227160ustar00rootroot00000000000000 why3-1.6.0/examples/bts/destruct_term/why3shapes.gz000066400000000000000000000003031440160026300223320ustar00rootroot00000000000000M̱J1>OR$IF Lf@o_W-l>C^öi"m{7*nry=[X}IiI!AJ>0IQ䘏%mNll47]RW-'lZ*j}G '59d why3-1.6.0/examples/bts/fsetint/why3shapes.gz000066400000000000000000000003041440160026300211230ustar00rootroot000000000000001n0 ]d"PvZ R N8({Ob~^S4R,3&]bi#q?%}{omhH{nXF6a fp4Rf'鰡r0aЌkUuidXT@S+yk<?awhy3-1.6.0/examples/bts/simplify.mlw000066400000000000000000000001471440160026300173710ustar00rootroot00000000000000 module M use ref.Ref val x : ref int let f () : int ensures { result = !x } = !x endwhy3-1.6.0/examples/bubble_sort.mlw000066400000000000000000000031001440160026300172370ustar00rootroot00000000000000 (* {1 Bubble sort} *) module BubbleSort use int.Int use ref.Ref use array.Array use array.IntArraySorted use array.ArraySwap use array.ArrayPermut use array.ArrayEq let bubble_sort (a: array int) ensures { permut_all (old a) a } ensures { sorted a } = for i = length a - 1 downto 1 do invariant { permut_all (old a) a } invariant { sorted_sub a i (length a) } invariant { forall k1 k2: int. 0 <= k1 <= i < k2 < length a -> a[k1] <= a[k2] } for j = 0 to i - 1 do invariant { permut_all (old a) a } invariant { sorted_sub a i (length a) } invariant { forall k1 k2: int. 0 <= k1 <= i < k2 < length a -> a[k1] <= a[k2] } invariant { forall k. 0 <= k <= j -> a[k] <= a[j] } if a[j] > a[j+1] then swap a j (j+1); done; done let test1 () = let a = make 3 0 in a[0] <- 7; a[1] <- 3; a[2] <- 1; bubble_sort a; a let test2 () ensures { result.length = 8 } = let a = make 8 0 in a[0] <- 53; a[1] <- 91; a[2] <- 17; a[3] <- -5; a[4] <- 413; a[5] <- 42; a[6] <- 69; a[7] <- 6; bubble_sort a; a exception BenchFailure let bench () raises { BenchFailure -> true } = let a = test2 () in if a[0] <> -5 then raise BenchFailure; if a[1] <> 6 then raise BenchFailure; if a[2] <> 17 then raise BenchFailure; if a[3] <> 42 then raise BenchFailure; if a[4] <> 53 then raise BenchFailure; if a[5] <> 69 then raise BenchFailure; if a[6] <> 91 then raise BenchFailure; if a[7] <> 413 then raise BenchFailure; a end why3-1.6.0/examples/bubble_sort/000077500000000000000000000000001440160026300165245ustar00rootroot00000000000000why3-1.6.0/examples/bubble_sort/why3session.xml000066400000000000000000000121001440160026300215360ustar00rootroot00000000000000 why3-1.6.0/examples/bubble_sort/why3shapes.gz000066400000000000000000000050161440160026300211660ustar00rootroot00000000000000Zk9b́٧c^|va￿v/N65V}4iֿKώxAgpuW'7ۃ:Gt}1{f%g+e_(#5QQfuA\@Y >Ҳlx}vS!Qk5/WwE&:Ru/KE.RFGQ/ZEf,J9㖘q:fܳsSP ε ť eXdU&Th"8ڋ~@銚nhji-Wh *~k#k-kI9,?fXlllllU6*TXl\l*|C2VRt (ւSwuN B#K"Zѓ !*OBQIiFI~y쌏ZzER`㿤z-b:7x{ ab iDA`bhА^ŠfK"'Qzc@r`K$I+grtj0Icg!LIoRoSkcAayY5c]ND["bSސOFEH(~0 0 St`J$e@&C:1v 1Dc1% CdI(e<x`E0Bj=Z7A̋t XMH^ CodTQ7J]}3$ vT&;^ Xy%{ȱ"%n`B``}4:y&aMX.S^ 3Җa81%B:X ʰ{Y(Nꕲ-g<"\hyɓ%QHcR  %8'Ž<`" Z8PuqN%Uj 4why3-1.6.0/examples/c_cursor/000077500000000000000000000000001440160026300160415ustar00rootroot00000000000000why3-1.6.0/examples/c_cursor/Makefile000066400000000000000000000007301440160026300175010ustar00rootroot00000000000000BENCH ?= no ifeq ($(BENCH),yes) WHY3=../../bin/why3.opt else ifeq ($(BINDIR),) WHY3=why3 else WHY3=$(BINDIR)/why3 endif endif .PHONY: clean extract clean: rm -rf build extract: mkdir -p build $(WHY3) extract -D cursor.drv -D c -L . --recursive --modular \ --interface --debug=c_no_error_msgs -o build/ ccursor.PtrCursor build/tests: build/ptrcursor.c gcc -Wall -g -pedantic -Wno-unused-function -std=c11 build/ptrcursor.c -Ibuild -o build/tests why3-1.6.0/examples/c_cursor/ccursor.mlw000066400000000000000000000065351440160026300202530ustar00rootroot00000000000000module PtrCursor use int.Int use map.MapEq use mach.int.Int32 use mach.c.C use array.Array (* we assume that a non-null pointer exists *) val ghost dummy_nonnull () : ptr int32 ensures { is_not_null result /\ plength result = 1 /\ offset result = 0 } ensures { min result = 0 /\ max result = plength result } ensures { writable result } ensures { (data result)[0] = 0 } type cursor = { current : ptr int32; mutable new : bool; len : int32; ghost mutable freed : bool; bound : int32 } invariant { 0 < len } invariant { not freed -> (plength current = len /\ offset current = 0 /\ valid current len /\ min current = 0 /\ max current = len /\ is_not_null current /\ writable current /\ forall i. 0 <= i < len -> (data current)[i] < bound) } by { current = dummy_nonnull (); new = true; len = 1; freed = false; bound = 42 } val ([]) (a: array 'a) (i: int32) : 'a requires { [@expl:index in array bounds] 0 <= i < length a } ensures { result = ([]) a i } val ([]<-) (a: array 'a) (i: int32) (v: 'a) : unit writes {a} requires { [@expl:index in array bounds] 0 <= i < length a } ensures { a.elts = Map.set (old a).elts i v } ensures { a = ([<-]) (old a) i v } let partial create_cursor (l:int32) (b: int32) : cursor requires { 0 < l } requires { 0 < b } ensures { result.len = l } ensures { not result.freed } ensures { forall i. 0 <= i < l -> (data result.current)[i] = 0 } ensures { bound result = b } = let a = malloc (UInt32.of_int32 l) in c_assert (is_not_null a); for i = 0 to l-1 do invariant { forall j. 0 <= j < i -> (data a)[j] = 0 } set_ofs a i 0; done; { current = a; new = true; len = l; freed = false; bound = b } let free_cursor (c:cursor) : unit requires { not c.freed } ensures { c.freed } writes { c.freed } writes { c.current } writes { c.current.data } = free c.current; c.freed <- true val get_current (c:cursor) : array int32 requires { not c.freed } ensures { length result = plength c.current } ensures { map_eq_sub result.elts (pelts c.current) 0 c.len } alias { c.current.data with result } let next (c: cursor) : unit requires { not c.freed } requires { 0 < c.bound < max_int32 } = let a = get_current c in label L in let n = c.len in let b = c.bound in let ref r = (n-1) in while r >= 0 && a[r] = b - 1 do invariant { -1 <= r < n } invariant { forall s. r < s < c.len -> a[s] = b - 1 } variant { r } r <- r - 1 done; if (r < 0) then c.new <- false else begin a[r] <- a[r] + 1; assert { a[r] < b }; for i = r+1 to n-1 do invariant { forall j. r+1 <= j < i -> a[j] = 0 } invariant { forall j. 0 <= j < r -> a[j] = a[j] at L } invariant { a[r] = a[r] at L + 1 } a[i] <- 0 done; c.new <- true; end let main () : int32 = let c = create_cursor 4 4 in for i = 0:int32 to 255 do invariant { not c.freed } invariant { forall i. 0 <= i < c.len -> (data c.current)[i] < c.bound } c_assert c.new; next c; done; c_assert (not c.new); free_cursor c; 0 endwhy3-1.6.0/examples/c_cursor/ccursor/000077500000000000000000000000001440160026300175215ustar00rootroot00000000000000why3-1.6.0/examples/c_cursor/ccursor/why3session.xml000066400000000000000000000362401440160026300225460ustar00rootroot00000000000000 why3-1.6.0/examples/c_cursor/ccursor/why3shapes.gz000066400000000000000000000134121440160026300221620ustar00rootroot00000000000000ZIo%W dpT7 PH> e0(peʒmϯ}yRI(Az`0{??~'A'v(ֿ/マp|b>Ǐ'V!ybu?wiz.1?ORoblPĎ8L2,>\ʛm:u9?\y<{:X8OwXWl9 ;[p}ӟ3d=mb婷?<&!-h<~WCCtyx ?HW-H3WW3_<8;>B ~vo:\1mziɏȯϰAnB?~+[mgptT |d&g֬竉|nÝpf&U󬻁F/nn2r6 [fhXub W3hdW~K /j7*̓T<#>懟hIj -엯B*]be_: }aNb S7qأXDŽAn6d!n\yO= pnZC~y>^ *1W]mb?>6%vi&?m/ؙNWc#zbFĉN7s)M>n7=&"qG9/b\&p`@'ζ2 Yd@0Kֳ1%XfΟ>Bp IrvL7l|%ZL^[][У^|j0W{R&:d}'h[wG[wJDT"z,A_&ٍ5^+ mlF/H4HM+iZ4IҦi#mZHҮu'ҋo9 k/bZDȡ ɛMyQISIH䴨CiSž/O1S|)Kp~rch1ˠ:|ZҸkq iǹ~kNLߔ@~P,3^#Hdwտ)hF%o񠬟П ͡XqYyPOSe? vT',ǀ>xwиdsi}qFa8ӿ>!$Ӈ4yw[5WMOf:D=wYEw=ͮd=={6UQwzmm'wlcEma}w{n2'|N\KGf}kka19mڊvʳ;MjAU97=ѮTmyC#G7CP/JF~^ 6#ЏXkЂZ4VlA|cP#1Žq`+G S'BϵxClU}e>~i d[1EK3.pU-&Z'`[?ŭ[M)ל1?3@+B:/@gqOZ@8K}=CgSeivË> yNޕ=xS79e;uf:x?}~ڋy6ejy;(_یM=vkIM%cx\Q<#1G-ڿNz_ڵ̗%Q4ZD%qk eMՋVgf7.mO?X75' 0Ϳ#/5ǿ߭{ #{Vڃ\{vwuڃv!B{p7bz1xFj_r7Vo{SAR".XtE'91kaARUHNUdɵl![Rþƥp'$ږrEm\dJNBx㜒'0˓Cx֤vSr䜒$=甜9w2p9lSsT|*(ib/u#$kq2]]|8)1o+}v2CdĵJ?rbj~T#r5:!YȖN]"RmtPf5߬c 7|u|j([.yש1^rujuv?0RZi[/ᵀsi>yO^'ČgZYj=[Ĥ.7el`PX^(W`G࠰^<_X@ bt2I&%ZH bio^szj(-vu/ .(՟~b'`;D44o֟Gx-?4CgfXю6Fқɽ,"wz3^rd+.p[appo.h1Ǹc\1<8?-f Z6i8_se:_ۖ!M\/f/=ˮx̞)=x}lꖞw(z?4}0oZ__w6ꅅU᱿_$*Yy7W֐{õM텈wOk"Y,vkਕkkCVwnoquYKp1[]%RL($1J׼cW:NPN(H['^iѕs3 ZkCDI$y;Nt2U%lڸ]TܔSJxrQkn:;:.;.:NgP5̋%lMQ9FxGYt;5f>*|N ܱtG#%Kh#)r`K,A A~9溄Ud!ɜT|f[d'E勤NNNNNNu0_$W%DTX4,2ېzQI&F" } YAV  c5 ގL$c"1 UICVV vNYeE/Vj$UM 2 Pk-"#TUE #箢oGby`^2.$ig+ܚjBsT`g, ,8, ĜdT~3pRȭyOaWAUeDٷ/)Y)k07! ONNNlL[cFCeD,)&xxFJZ}.D>24g܁_xmm1hu)C"xb,e$XF5caҦg*órXs5>9b, CGMAFT\[Y0 鍙8-g$_ #|':KdzCi@j`x6³(+UŪTQrBru1SdHKH*%BEіg@D6y br9菕 ȥM4`D5ss99*}\`z"r+2kdlF]M$kF_H ONm6֝SϠaf87LIjnE AY}( Ȑz:R%)syi$`* `NL|5B!4UV?22#]2ΙCTYdR]sX7gPf c).ITا֌,]%o^ JH]YArym ]Uh:/jo_Chܲ=xyc+3b C(h#F|5ZY , ᅌ22DHMaW "KZ&0Y&jȵW%T>"lha-DAmlx2HLCxP|@\k2p_[XM^XUF(]{Q1u![L(_J[ %tҨHq@\2J :;dYKR00>+`6֘Py"&TevU#TW,{P11#T XYrz€ߌ*fRvkݑ-j|mqϻHQ$qTI\+8wGYPIImɇEd5 Na_Ikn(8{7hUG 2v"Zl Q6Q9H/PAe1,ͿѮ: oAΥTcAd# Q[…Hp `JL"7} Q y7GEՒ. *(}м(<跠;╪J ޑs(-- sңCw"SoDE. V*xcbP HP&W{FCo~'FgrÚo~ k ˳S F2)oYdCֶ2YTvUMo~ 1ĜdAdrU4(jmm5v$39i9E|g p[KB8P1Be^)8'E{^lrJD=CPQIQEԆPncBzɊ @JRk~M\+YDD9s/Q)a98`lʠ(0*`O*7я=0sl"E"fM!ij X$jbO+5DXbULqf\&L_BzK0CI*-eN0ObW~n ԆVB$"8L [{ؿf!3iM7Q'!\pZP kV*Ce`L3(!`1n\J> (\{dTB^Bxq,x]~>XqZ ..`ȉTjf%*j7گLu}mtpF,K?3Pԯ*KC &|^9UjW-H˼SjZ$xj"|QMIy- {)8G6,4Ζv=خ'8Ґu\why3-1.6.0/examples/c_cursor/cursor.drv000066400000000000000000000002021440160026300200650ustar00rootroot00000000000000module ccursor.PtrCursor syntax val ([]) "%1[%2]" syntax val ([]<-) "%1[%2] = %3" syntax val get_current "%1->current" endwhy3-1.6.0/examples/check-builtin/000077500000000000000000000000001440160026300167435ustar00rootroot00000000000000why3-1.6.0/examples/check-builtin/ac.why000066400000000000000000000003461440160026300200620ustar00rootroot00000000000000theory Test type t function f t t : t clone algebra.AC with type t = t, function op = f, axiom . goal G1 : forall x y : t. f x y = f y x goal G2 : forall x y z : t. f (f x y) z = f x (f y z) end why3-1.6.0/examples/check-builtin/ac/000077500000000000000000000000001440160026300173265ustar00rootroot00000000000000why3-1.6.0/examples/check-builtin/ac/why3session.xml000066400000000000000000000023741440160026300223540ustar00rootroot00000000000000 why3-1.6.0/examples/check-builtin/ac/why3shapes.gz000066400000000000000000000002461440160026300217700ustar00rootroot0000000000000050 D|EF4"VI(BI#|wʫl- x -> get m z = y -> get (set m x t) z = y goal G3 : forall y t:int. forall m: map int int. get m 0 = y -> get (set m 1 t) 0 = y goal G4 : forall x y:int. forall m: map int int. get (set (set m 1 y) 0 x) 1 = y end why3-1.6.0/examples/check-builtin/array/000077500000000000000000000000001440160026300200615ustar00rootroot00000000000000why3-1.6.0/examples/check-builtin/array/why3session.xml000066400000000000000000000043051440160026300231030ustar00rootroot00000000000000 why3-1.6.0/examples/check-builtin/array/why3shapes.gz000066400000000000000000000003341440160026300225210ustar00rootroot00000000000000U=O1 =Fl#u`åbNH{R;X_?a^ٶ>׏e]uu:9{;OH>#c=>.i(A}6\a]T($F:PdcIRʄ!6Ptj%ِjB]J2PrsiݘE j"cn}?why3-1.6.0/examples/check-builtin/bool.why000066400000000000000000000002731440160026300204310ustar00rootroot00000000000000theory Test use bool.Bool goal G1 : True <> False goal G2 : forall x:bool. x = True \/ x = False goal G3 : forall x y z:bool. x<>y /\ y<>z /\ z<>x -> false end why3-1.6.0/examples/check-builtin/bool/000077500000000000000000000000001440160026300176765ustar00rootroot00000000000000why3-1.6.0/examples/check-builtin/bool/why3session.xml000066400000000000000000000030631440160026300227200ustar00rootroot00000000000000 why3-1.6.0/examples/check-builtin/bool/why3shapes.gz000066400000000000000000000002741440160026300223410ustar00rootroot00000000000000%n1D kwm+ҜB-ZkD%H{KF7ٚ$W]okgl_]FLrw\M1Ƨ6A/}}[i3NNH=*pt+|,{M Rl2 #j{_$\eP˥6ISu<<CuΏwhy3-1.6.0/examples/check-builtin/euclideandivision.why000066400000000000000000000001551440160026300231730ustar00rootroot00000000000000theory Test use int.EuclideanDivision goal G1 : mod 10 3 = 1 goal G2 : div 10 3 = 3 end why3-1.6.0/examples/check-builtin/euclideandivision/000077500000000000000000000000001440160026300224415ustar00rootroot00000000000000why3-1.6.0/examples/check-builtin/euclideandivision/why3session.xml000066400000000000000000000032721440160026300254650ustar00rootroot00000000000000 why3-1.6.0/examples/check-builtin/euclideandivision/why3shapes.gz000066400000000000000000000002071440160026300251000ustar00rootroot00000000000000%10 @ݧ8 ;@qDҪA=ƯY>ϳKn8\d*+M}_02-xkN~/JawtEP&ChؘR| (e}Gba?why3-1.6.0/examples/check-builtin/floats.why000066400000000000000000000020651440160026300207670ustar00rootroot00000000000000 theory TestGappa use real.Real use real.Abs use real.Square use floating_point.Rounding use floating_point.Single as Single use floating_point.Double goal Round_single_01: Single.round NearestTiesToEven 0.1 = 0x1.99999ap-4 goal Round_double_01: Double.round NearestTiesToEven 0.1 = 0x1.999999999999ap-4 goal Test00: forall x:real. abs x <= 2.0 -> -3.0 <= x goal Test01: forall x:double. -2.0 <= value x <= 2.0 -> abs((value x) * (value x) - round NearestTiesToEven ((value x) * (value x))) <= 0x1p-52 goal Test02: forall x y:double. abs (value x) <= 2.0 -> y = x -> abs((value y) * (value y) - round NearestTiesToEven ((value x) * (value x))) <= 0x1p-52 goal Test03: forall x y z:double. abs (value x) <= 2.0 -> value y = round NearestTiesToEven ((value x) * (value x)) -> z = y -> sqrt ((value z - (value x)*(value x))*(value y - (value x)*(value x))) <= 0x1p-52 end why3-1.6.0/examples/check-builtin/floats/000077500000000000000000000000001440160026300202335ustar00rootroot00000000000000why3-1.6.0/examples/check-builtin/floats/why3session.xml000066400000000000000000000030071440160026300232530ustar00rootroot00000000000000 why3-1.6.0/examples/check-builtin/floats/why3shapes.gz000066400000000000000000000005621440160026300226760ustar00rootroot00000000000000RMoSA _!]D@pT+zR4mRN^3ci_l_cW/Y~{doږm_& 'dv'6vw$}gL9țN] f;pD&YQnlK}O)F ;vcxcy%8-_.1= {K[ь{' 9V]UTZ"J#~!J1@Q4)k졺N|JQ-xTr1@NrCA/ZLI4_[$? chU ͒4 d JaFҔ\@K^b঵Iq']why3-1.6.0/examples/check-builtin/int.why000066400000000000000000000011731440160026300202700ustar00rootroot00000000000000theory Test use int.Int goal G1 : 5 * 10 = 50 goal G2 : forall x:int. x + x - x + x = 2 * x goal CompatOrderAdd : forall x y z : int. x <= y -> x + z <= y + z goal CompatOrderMult : forall x y z : int. x <= y -> 0 <= z -> x * z <= y * z goal InvMult : forall x y : int. (-x) * y = - (x * y) = x * (-y) goal InvSquare : forall x : int. x * x = (-x) * (-x) goal ZeroMult : forall x : int. x * 0 = 0 = 0 * x goal SquareNonNeg1 : forall x : int. x <= 0 -> 0 <= x * x goal SquareNonNeg : forall x : int. 0 <= x * x goal ZeroLessOne : 0 <= 1 end theory MinMax use int.MinMax goal G : min 1 (min 3 2) = 1 end why3-1.6.0/examples/check-builtin/int/000077500000000000000000000000001440160026300175355ustar00rootroot00000000000000why3-1.6.0/examples/check-builtin/int/why3session.xml000066400000000000000000000146441440160026300225660ustar00rootroot00000000000000 why3-1.6.0/examples/check-builtin/int/why3shapes.gz000066400000000000000000000006451440160026300222020ustar00rootroot00000000000000]n1 y=T$zA{ENbZ*x{rE+37}/éIzL _6^.p[ |J|sx_ oq5Ƅs]/eKo;n ԇ=c]#[[1q7}z|x!%2Y-f<2Oh ZUEԺ)9J|1J1,sԪ,=@\1f*S)t6ŰIqrLeXv%/2{2iUeM8bG#G:V. k{@K[@ѐzCASyIR'_{ ޠr7POYKhR! !52bEqEf5W 11 why3-1.6.0/examples/check-builtin/intreal.why000066400000000000000000000005451440160026300211360ustar00rootroot00000000000000 theory IntReal use int.Int use real.RealInfix use real.FromInt use real.Truncate goal G1 : from_int 2 = 2.0 goal G2 : floor 1.5 = 1 goal G3 : ceil 1.5 = 2 goal G4 : floor (-. 1.5) = -2 goal G5 : ceil (-. 1.5) = -1 goal G6 : forall x : real. floor x <= ceil x goal G7 : forall x : real. floor x < ceil x -> from_int (floor x) <> x endwhy3-1.6.0/examples/check-builtin/intreal/000077500000000000000000000000001440160026300204015ustar00rootroot00000000000000why3-1.6.0/examples/check-builtin/intreal/why3session.xml000066400000000000000000000067661440160026300234400ustar00rootroot00000000000000 why3-1.6.0/examples/check-builtin/intreal/why3shapes.gz000066400000000000000000000004531440160026300230430ustar00rootroot00000000000000eAKC1 {?;`ITUqWIc:P<54w.=aHɣqڿmV3wϟoi:ְUn ސ,WtW'?z/?_"¨)gcӱB-}<{Fͧ*zLTrBDF#$(5s&}cPr`"!*Eg q 4bKEj-kSR%&1(I}V%J#d2d0 why3-1.6.0/examples/check-builtin/minmax.why000066400000000000000000000003201440160026300207600ustar00rootroot00000000000000theory MinMax use relations.MinMax goal G : forall x y z : t. le y z -> le x z -> le x y -> min x (max (min z x) y) = x goal G2 : forall x y: t. max x y = x -> le y x end why3-1.6.0/examples/check-builtin/minmax/000077500000000000000000000000001440160026300202345ustar00rootroot00000000000000why3-1.6.0/examples/check-builtin/minmax/why3session.xml000066400000000000000000000024011440160026300232510ustar00rootroot00000000000000 why3-1.6.0/examples/check-builtin/minmax/why3shapes.gz000066400000000000000000000002401440160026300226700ustar00rootroot00000000000000-;0D=KHe)mpۈH$D!=Ph*5d,z=ڃ4wCgMu4Q^'4[(3y,ft%m3s)g82G )yG\sd=jAq# a end why3-1.6.0/examples/check-builtin/propositional/000077500000000000000000000000001440160026300216455ustar00rootroot00000000000000why3-1.6.0/examples/check-builtin/propositional/why3session.xml000066400000000000000000000017211440160026300246660ustar00rootroot00000000000000 why3-1.6.0/examples/check-builtin/propositional/why3shapes.gz000066400000000000000000000001441440160026300243040ustar00rootroot00000000000000R(H,H-V(K-*ϳR0SJLLLrLLJ-(260IJN62II5560LJ052MH676442R00s 9Swhy3-1.6.0/examples/check-builtin/real.why000066400000000000000000000017671440160026300204320ustar00rootroot00000000000000theory Test use real.Real goal G1 : 5.5 * 10. = 55. goal G2 : 9. / 3. = 3. goal G3 : inv 5. = 0.2 end theory TestInfix use real.RealInfix goal Add : 5.5 +. 10. = 15.5 goal Sub : 9. -. 3. = 6. goal Neg : -. 5. +. 3.5 = -. 1.5 goal Mul : 5.5 *. 10. = 55. goal Div : 9. /. 2. = 4.5 goal Inv : inv 5. = 0.2 end theory SquareTest use real.Square lemma Sqrt_zero: sqrt 0.0 = 0.0 lemma Sqrt_one: sqrt 1.0 = 1.0 lemma Sqrt_four: sqrt 4.0 = 2.0 end theory ExpLogTest use real.ExpLog lemma Log_e : log e = 1.0 end theory PowerIntTest use real.PowerInt lemma Pow_2_2 : power 2.0 2 = 4.0 end theory PowerRealTest use real.PowerReal lemma Pow_2_2 : pow 2.0 2.0 = 4.0 end theory TrigonometryTest use real.Real use real.Trigonometry use real.Square goal Cos_2_pi : cos (2.0 * pi) = 1.0 goal Sin_2_pi : sin (2.0 * pi) = 0.0 goal Tan_pi_4 : tan (pi / 4.0) = 1.0 goal Tan_pi_3 : tan (pi / 3.0) = sqrt 3.0 goal Atan_1 : atan 1.0 = pi / 4.0 end why3-1.6.0/examples/check-builtin/real/000077500000000000000000000000001440160026300176665ustar00rootroot00000000000000why3-1.6.0/examples/check-builtin/real/real_TrigonometryTest_Atan_1_1.v000066400000000000000000000047051440160026300260330ustar00rootroot00000000000000(* This file is generated by Why3's Coq driver *) (* Beware! Only edit allowed sections below *) Require Import BuiltIn. Require Reals.R_sqrt. Require Reals.Rbasic_fun. Require Reals.Rtrigo_def. Require Reals.Rtrigo1. Require Reals.Ratan. Require BuiltIn. Require real.Real. Require real.Abs. Require real.Square. Axiom Pi_interval : ((314159265358979323846264338327950288419716939937510582097494459230781640628620899862803482534211706798214808651328230664709384460955058223172535940812848111745028410270193852110555964462294895493038196 / 100000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000)%R < Reals.Rtrigo1.PI)%R /\ (Reals.Rtrigo1.PI < (314159265358979323846264338327950288419716939937510582097494459230781640628620899862803482534211706798214808651328230664709384460955058223172535940812848111745028410270193852110555964462294895493038197 / 100000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000)%R)%R. Axiom Cos_plus_pi : forall (x:R), ((Reals.Rtrigo_def.cos (x + Reals.Rtrigo1.PI)%R) = (-(Reals.Rtrigo_def.cos x))%R). Axiom Sin_plus_pi : forall (x:R), ((Reals.Rtrigo_def.sin (x + Reals.Rtrigo1.PI)%R) = (-(Reals.Rtrigo_def.sin x))%R). Axiom Cos_plus_pi2 : forall (x:R), ((Reals.Rtrigo_def.cos (x + ((05 / 10)%R * Reals.Rtrigo1.PI)%R)%R) = (-(Reals.Rtrigo_def.sin x))%R). Axiom Sin_plus_pi2 : forall (x:R), ((Reals.Rtrigo_def.sin (x + ((05 / 10)%R * Reals.Rtrigo1.PI)%R)%R) = (Reals.Rtrigo_def.cos x)). Axiom Cos_neg : forall (x:R), ((Reals.Rtrigo_def.cos (-x)%R) = (Reals.Rtrigo_def.cos x)). Axiom Sin_neg : forall (x:R), ((Reals.Rtrigo_def.sin (-x)%R) = (-(Reals.Rtrigo_def.sin x))%R). Axiom Cos_sum : forall (x:R) (y:R), ((Reals.Rtrigo_def.cos (x + y)%R) = (((Reals.Rtrigo_def.cos x) * (Reals.Rtrigo_def.cos y))%R - ((Reals.Rtrigo_def.sin x) * (Reals.Rtrigo_def.sin y))%R)%R). Axiom Sin_sum : forall (x:R) (y:R), ((Reals.Rtrigo_def.sin (x + y)%R) = (((Reals.Rtrigo_def.sin x) * (Reals.Rtrigo_def.cos y))%R + ((Reals.Rtrigo_def.cos x) * (Reals.Rtrigo_def.sin y))%R)%R). Axiom Tan_atan : forall (x:R), ((Reals.Rtrigo1.tan (Reals.Ratan.atan x)) = x). (* Why3 goal *) Theorem Atan_1 : ((Reals.Ratan.atan 1%R) = (Reals.Rtrigo1.PI / 4%R)%R). apply Ratan.atan_1. Qed. why3-1.6.0/examples/check-builtin/real/real_TrigonometryTest_Tan_pi_3_1.v000066400000000000000000000043421440160026300263610ustar00rootroot00000000000000(* This file is generated by Why3's Coq 8.4 driver *) (* Beware! Only edit allowed sections below *) Require Import BuiltIn. Require Import R_sqrt. Require Import Rbasic_fun. Require Import Rtrigo. Require Import AltSeries. (* for def of pi *) Require BuiltIn. Require real.Real. Require real.Abs. Require real.Square. Axiom Pi_interval : ((314159265358979323846264338327950288419716939937510582097494459230781640628620899862803482534211706798214808651328230664709384460955058223172535940812848111745028410270193852110555964462294895493038196 / 100000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000)%R < PI)%R /\ (PI < (314159265358979323846264338327950288419716939937510582097494459230781640628620899862803482534211706798214808651328230664709384460955058223172535940812848111745028410270193852110555964462294895493038197 / 100000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000)%R)%R. Axiom Cos_plus_pi : forall (x:R), ((Rtrigo_def.cos (x + PI)%R) = (-(Rtrigo_def.cos x))%R). Axiom Sin_plus_pi : forall (x:R), ((Rtrigo_def.sin (x + PI)%R) = (-(Rtrigo_def.sin x))%R). Axiom Cos_plus_pi2 : forall (x:R), ((Rtrigo_def.cos (x + ((05 / 10)%R * PI)%R)%R) = (-(Rtrigo_def.sin x))%R). Axiom Sin_plus_pi2 : forall (x:R), ((Rtrigo_def.sin (x + ((05 / 10)%R * PI)%R)%R) = (Rtrigo_def.cos x)). Axiom Cos_neg : forall (x:R), ((Rtrigo_def.cos (-x)%R) = (Rtrigo_def.cos x)). Axiom Sin_neg : forall (x:R), ((Rtrigo_def.sin (-x)%R) = (-(Rtrigo_def.sin x))%R). Axiom Cos_sum : forall (x:R) (y:R), ((Rtrigo_def.cos (x + y)%R) = (((Rtrigo_def.cos x) * (Rtrigo_def.cos y))%R - ((Rtrigo_def.sin x) * (Rtrigo_def.sin y))%R)%R). Axiom Sin_sum : forall (x:R) (y:R), ((Rtrigo_def.sin (x + y)%R) = (((Rtrigo_def.sin x) * (Rtrigo_def.cos y))%R + ((Rtrigo_def.cos x) * (Rtrigo_def.sin y))%R)%R). Axiom Tan_atan : forall (x:R), ((Rtrigo1.tan (Ratan.atan x)) = x). (* Why3 goal *) Theorem Tan_pi_3 : ((Rtrigo1.tan (Rdiv PI 3%R)%R) = (sqrt 3%R)). apply Rtrigo_calc.tan_PI3. Qed. why3-1.6.0/examples/check-builtin/real/real_TrigonometryTest_Tan_pi_4_1.v000066400000000000000000000043331440160026300263620ustar00rootroot00000000000000(* This file is generated by Why3's Coq 8.4 driver *) (* Beware! Only edit allowed sections below *) Require Import BuiltIn. Require Import R_sqrt. Require Import Rbasic_fun. Require Import Rtrigo. Require Import AltSeries. (* for def of pi *) Require BuiltIn. Require real.Real. Require real.Abs. Require real.Square. Axiom Pi_interval : ((314159265358979323846264338327950288419716939937510582097494459230781640628620899862803482534211706798214808651328230664709384460955058223172535940812848111745028410270193852110555964462294895493038196 / 100000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000)%R < PI)%R /\ (PI < (314159265358979323846264338327950288419716939937510582097494459230781640628620899862803482534211706798214808651328230664709384460955058223172535940812848111745028410270193852110555964462294895493038197 / 100000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000)%R)%R. Axiom Cos_plus_pi : forall (x:R), ((Rtrigo_def.cos (x + PI)%R) = (-(Rtrigo_def.cos x))%R). Axiom Sin_plus_pi : forall (x:R), ((Rtrigo_def.sin (x + PI)%R) = (-(Rtrigo_def.sin x))%R). Axiom Cos_plus_pi2 : forall (x:R), ((Rtrigo_def.cos (x + ((05 / 10)%R * PI)%R)%R) = (-(Rtrigo_def.sin x))%R). Axiom Sin_plus_pi2 : forall (x:R), ((Rtrigo_def.sin (x + ((05 / 10)%R * PI)%R)%R) = (Rtrigo_def.cos x)). Axiom Cos_neg : forall (x:R), ((Rtrigo_def.cos (-x)%R) = (Rtrigo_def.cos x)). Axiom Sin_neg : forall (x:R), ((Rtrigo_def.sin (-x)%R) = (-(Rtrigo_def.sin x))%R). Axiom Cos_sum : forall (x:R) (y:R), ((Rtrigo_def.cos (x + y)%R) = (((Rtrigo_def.cos x) * (Rtrigo_def.cos y))%R - ((Rtrigo_def.sin x) * (Rtrigo_def.sin y))%R)%R). Axiom Sin_sum : forall (x:R) (y:R), ((Rtrigo_def.sin (x + y)%R) = (((Rtrigo_def.sin x) * (Rtrigo_def.cos y))%R + ((Rtrigo_def.cos x) * (Rtrigo_def.sin y))%R)%R). Axiom Tan_atan : forall (x:R), ((Rtrigo1.tan (Ratan.atan x)) = x). (* Why3 goal *) Theorem Tan_pi_4 : ((Rtrigo1.tan (Rdiv PI 4%R)%R) = 1%R). apply Rtrigo_calc.tan_PI4. Qed. why3-1.6.0/examples/check-builtin/real/why3session.xml000066400000000000000000000171321440160026300227120ustar00rootroot00000000000000 why3-1.6.0/examples/check-builtin/real/why3shapes.gz000066400000000000000000000012331440160026300223250ustar00rootroot00000000000000eSn1 SN;HJuqo.>}W;i<wwyw1j7kā; S޶cewO\s>qE?ݼc}omO7+1ʹdEK{רS9  (^j҅iE u3;цc˵uݛːvg zɜ<Я B`)vH'>m *:8Ψ+%f"s͑H][YDA,2u5Z,P c11Y r.Y# L,Tّ4bHݴNiЌ+yG @P" ͩ$gFVE$Tģ՚(\Ru]+F{(ͥeZ]RI eN,I S-;f'*LR\O2=`d!8XnGyz^O`1WUpm7/ȉ^w5r),k{]Guk&e](7)#aἘctR-dДݕO sGH(n6E:4E>G060tj2jXh3h %2rSgaw:bkߨ<장:M6Ts:OsWE why3-1.6.0/examples/checking_a_large_routine.mlw000066400000000000000000000030271440160026300217370ustar00rootroot00000000000000(* 'Checking a large routine' Alan Mathison Turing, 1949 One of the earliest proof of program. The routine computes n! using only additions, with two nested loops. *) module CheckingALargeRoutine use int.Int use int.Fact use ref.Ref (* using 'while' loops, to keep close to Turing's flowchart *) let routine (n: int) requires { n >= 0 } ensures { result = fact n } = let r = ref 0 in let u = ref 1 in while !r < n do invariant { 0 <= !r <= n /\ !u = fact !r } variant { n - !r } let s = ref 1 in let v = !u in while !s <= !r do invariant { 1 <= !s <= !r + 1 /\ !u = !s * fact !r } variant { !r - !s } u := !u + v; s := !s + 1 done; r := !r + 1 done; !u (* using 'for' loops, for clearer code and annotations *) let routine2 (n: int) requires { n >= 0 } ensures { result = fact n } = let u = ref 1 in for r = 0 to n-1 do invariant { !u = fact r } let v = !u in for s = 1 to r do invariant { !u = s * fact r } u := !u + v done done; !u let downward (n: int) requires { n >= 0 } ensures { result = fact n } = let r = ref n in let u = ref 1 in while !r <> 0 do invariant { 0 <= !r <= n /\ !u * fact !r = fact n } variant { !r } let s = ref 1 in let v = !u in while !s <> !r do invariant { 1 <= !s <= !r /\ !u = !s * v } variant { !r - !s } u := !u + v; s := !s + 1 done; r := !r - 1 done; !u end why3-1.6.0/examples/checking_a_large_routine/000077500000000000000000000000001440160026300212145ustar00rootroot00000000000000why3-1.6.0/examples/checking_a_large_routine/why3session.xml000066400000000000000000000017411440160026300242370ustar00rootroot00000000000000 why3-1.6.0/examples/checking_a_large_routine/why3shapes.gz000066400000000000000000000011171440160026300236540ustar00rootroot00000000000000SM0WeA/[eSX &S]m&Hdۜ !?E~~O?ç\Ňl6VGG01$؃aY;KV8t΅d^5nw~W7hjPq :Jcȡ9!,s$aT4(& eX(J!в'fjԻoSS=y.~7j]LS?^xX%D\~=. N-[V ӳkܲ_gK>|<>=}z#<,Ɩݕ Vd%)&7Y % 55$ ȹ%V.j=YijveAAx=_45++Eo!]^#_W;->]^=ސ [5|~Q_5& 7ެX f=#Yknn X]H}S˭}|xvceC5j0tP1JssزsޱA Z:Ŝ0%Vb)I0Sf@ pX[j+wwhy3-1.6.0/examples/coincidence_count.mlw000066400000000000000000000100521440160026300204140ustar00rootroot00000000000000 (** Coincidence count Exercise proposed by Rustan Leino at Dagstuhl seminar 14171, April 2014 You are given two sequences of integers, sorted in increasing order and without duplicate elements, and you count the number of elements that appear in both sequences (in linear time and constant space). Authors: Jean-Christophe Filliâtre (CNRS) Andrei Paskevich (Université Paris Sud) *) module CoincidenceCount use int.Int use array.Array use ref.Refint use set.FsetInt function setof (a: array 'a) : fset 'a = map (fun x -> a[x]) (interval 0 (length a)) function drop (a: array 'a) (n: int) : fset 'a = map (fun x -> a[x]) (interval n (length a)) lemma drop_left: forall a: array 'a, n: int. 0 <= n < length a -> drop a n == add a[n] (drop a (n+1)) predicate increasing (a: array int) = forall i j. 0 <= i < j < length a -> a[i] < a[j] function cc (a b: array int) : int = cardinal (inter (setof a) (setof b)) lemma not_mem_inter_r: forall a: array int, i: int, s: fset int. 0 <= i < length a -> not (mem a[i] s) -> inter (drop a i) s == inter (drop a (i+1)) s lemma not_mem_inter_l: forall a: array int, i: int, s: fset int. 0 <= i < length a -> not (mem a[i] s) -> inter s (drop a i) == inter s (drop a (i+1)) let coincidence_count (a b: array int) : int requires { increasing a } requires { increasing b } ensures { result = cc a b } = let ref i = 0 in let ref j = 0 in let ref c = 0 in while i < length a && j < length b do invariant { 0 <= i <= length a } invariant { 0 <= j <= length b } invariant { c + cardinal (inter (drop a i) (drop b j)) = cc a b } variant { length a - i + length b - j } if a[i] < b[j] then incr i else if a[i] > b[j] then incr j else begin assert { inter (drop a i) (drop b j) == add a[i] (inter (drop a (i+1)) (drop b (j+1))) }; assert { not (mem a[i] (drop a (i+1))) }; incr i; incr j; incr c end done; c end (** Variant using bags, from Rustan Leino's book "Program Proofs" *) module CoincidenceCountBag use int.Int use array.Array use ref.Refint use bag.Bag predicate increasing (a: array int) = forall i j. 0 <= i < j < length a -> a[i] <= a[j] let rec ghost function bagofsub (a: array 'a) (lo hi: int) : bag 'a requires { 0 <= lo <= hi <= length a } variant { hi - lo } = if lo >= hi then empty_bag else add a[lo] (bagofsub a (lo + 1) hi) function bagof (a: array 'a) : bag 'a = bagofsub a 0 (length a) function drop (a: array 'a) (i: int) : bag 'a = bagofsub a i (length a) lemma not_mem_inter_r: forall a: array int, i: int, s: bag int. 0 <= i < length a -> not (mem a[i] s) -> inter (drop a i) s == inter (drop a (i+1)) s lemma not_mem_inter_l: forall a: array int, i: int, s: bag int. 0 <= i < length a -> not (mem a[i] s) -> inter s (drop a i) == inter s (drop a (i+1)) let rec lemma bagofincreasing (a: array int) (i x: int) requires { increasing a } requires { 0 <= i < length a } requires { x < a[i] } ensures { not (mem x (drop a i)) } variant { length a - i } = if i < length a - 1 then bagofincreasing a (i+1) x let coincidence_count (a b: array int) : int requires { increasing a } requires { increasing b } ensures { result = card (inter (bagof a) (bagof b)) } = let ref i = 0 in let ref j = 0 in let ref c = 0 in while i < length a && j < length b do invariant { 0 <= i <= length a } invariant { 0 <= j <= length b } invariant { c + card (inter (drop a i) (drop b j)) = card (inter (bagof a) (bagof b)) } variant { length a - i + length b - j } if a[i] < b[j] then incr i else if a[i] > b[j] then incr j else begin assert { inter (drop a i) (drop b j) == add a[i] (inter (drop a (i+1)) (drop b (j+1))) }; incr i; incr j; incr c end done; c end why3-1.6.0/examples/coincidence_count/000077500000000000000000000000001440160026300176755ustar00rootroot00000000000000why3-1.6.0/examples/coincidence_count/why3session.xml000066400000000000000000000224471440160026300227260ustar00rootroot00000000000000 why3-1.6.0/examples/coincidence_count/why3shapes.gz000066400000000000000000000051341440160026300223400ustar00rootroot00000000000000Xn9+%/_c@^ j[ l1sȪJ%rU"/s疿qGT6ǧ_mȏO(CGO% o0< nÛ &nOA;<+>J4ݯcFfd9!wG`V38ڄ643 mKx=ɯxӍ5!k i<'w!`?fB8lkawx~߇6#8L;s ‡|߿w>?<}u~7.׾޾͌Ţ,p;_m@&<>6q!?ݜ= ;Dmg<|XҦx6_>;='etQ L?3k /;<)2-{?4Vo!HZ:^^o>D\1V#L#mHt=1uZ&5Yퟞ!:8@s=w? .]F,'?5گll'<&'l%w%{_g6w.܇R_;<6M.mA>4rRb$Z}בv%GvQfZ;M~h#4O@,j6~ΊcMˠܠIσɺm˅70;F^dQ7 /!/x4߆E^SSA|M?n=.T~KXG4?ۋ]=΍< _>vwa:lNvG ?ٱǝ1wfOyx5<{l1?v\3wD`wA>W^Zv閴hdž-["qXwpCx3B{}=YO8sV/T'!HW/6/k\CH/ͷES8T r}lGjj~v;u/t(|L o=/b^%}8 ) !ҴBҲMO"rҴIjg_ql›M;Yb`ܡǾsyxCֽdt80ge/q @kK,ktU/rqϷaFgII* HڑO:ˆJ^Pyfr&gEBоjT7l\1Z+*d#$mذٲ3ed"rluɪxSΒح-OU"H +eU㲇;Y WKY",sԂl᪱b,m2S!؂'7dd[R[[-NkKPtlK%eY^Hu$A(६[ ψ-$KnՂ\ZA[ў[^$fAAfa<Ve(؁밊NuI8pN-!Kvt,j8lжUAG\&(sVU3V$γ&]A)$Ej6I>E\Xs[*VT2RQ"iiR|h4)zZgJ9m3q*!QǒC%V$ /X* :A(HT}5e%[hVn5 ib;R ̹S:IUӁplg,)c*UQWq6h62^B"DSV~=nթl(XHi일w}$t5Ba!tC]B[$*gQwwFE0Ֆף!:wRjiٰ۲n8(-)]IJ B(.je͈-K[ۑ>ll*; ʄYYP|B6Zm.A1.OPIhq,X4xV"aL6AK5EWByVمf.1nSE?ū&7Jk% SCQA/͙@T&p},U3j3t9|pOk˂(cJ q(* ephM^s!UMuPM`Q WJ8Ҩ\ѣa[& WfBdU9EɈҜ5p`٩X)R"ψ8>+Xrѳ"qQ)%w ;QtˊCf E19\5$ g.ﵸ HuhεeYfMpHыZaJ_@k(z hִENԙBҠHkQeb0̒LE_ <:]7_+[>J^ү8xU!<m|k "6?؀T.I)̡ZZ˭uԈIN`b NY!why3-1.6.0/examples/coincidence_count_list.mlw000066400000000000000000000051531440160026300214550ustar00rootroot00000000000000 (** Coincidence count Exercise proposed by Rustan Leino at Dagstuhl seminar 16131, March 2016 You are given two sequences of integers, sorted in increasing order and without duplicate elements, and you count the number of elements that appear in both sequences (in linear time and constant space). See also coincidence_count.mlw for a version using arrays. Authors: Jean-Christophe Filliâtre (CNRS) *) module CoincidenceCount use list.List use set.SetAppInt use list.Elements use list.Mem as L use int.Int clone export list.Sorted with type t = int, predicate le = (<), goal Transitive.Trans let rec coincidence_count (a b: list int) : set requires { sorted a } requires { sorted b } ensures { result == inter (elements a) (elements b) } variant { a, b } = match a, b with | Cons ha ta, Cons hb tb -> if ha = hb then add ha (coincidence_count ta tb) else if ha < hb then coincidence_count ta b else coincidence_count a tb | _ -> empty () end end (* the same, with elements of any type *) module CoincidenceCountAnyType use list.List use list.Elements use list.Mem as L use int.Int type t val predicate eq (x y : t) ensures { result <-> x = y } clone set.SetApp with type elt = t, val eq = eq val predicate rel (x y : t) clone relations.TotalStrictOrder with type t, predicate rel, axiom . clone export list.Sorted with type t = t, predicate le = rel, goal Transitive.Trans let rec coincidence_count (a b: list t) : set requires { sorted a } requires { sorted b } ensures { result == inter (elements a) (elements b) } variant { a, b } = match a, b with | Cons ha ta, Cons hb tb -> if eq ha hb then add ha (coincidence_count ta tb) else if rel ha hb then coincidence_count ta b else coincidence_count a tb | _ -> empty () end end (* the same, using only lists *) module CoincidenceCountList use list.List use list.Mem use int.Int clone export list.Sorted with type t = int, predicate le = (<), goal Transitive.Trans let rec coincidence_count (a b: list int) : list int requires { sorted a } requires { sorted b } ensures { forall x. mem x result <-> mem x a /\ mem x b } variant { a, b } = match a, b with | Cons ha ta, Cons hb tb -> if ha = hb then Cons ha (coincidence_count ta tb) else if ha < hb then coincidence_count ta b else coincidence_count a tb | _ -> Nil end end why3-1.6.0/examples/coincidence_count_list/000077500000000000000000000000001440160026300207305ustar00rootroot00000000000000why3-1.6.0/examples/coincidence_count_list/why3session.xml000066400000000000000000000072741440160026300237620ustar00rootroot00000000000000 why3-1.6.0/examples/coincidence_count_list/why3shapes.gz000066400000000000000000000042061440160026300233720ustar00rootroot00000000000000XK6WIBߋhĠu@I$b?:3[,nXzQ?pn?8`#f韯Ya揻)4q=S~ /Po {NSl=UWٷ4f<=*h\xijddm :|wd~2 FfqȬv`.֘ >,![Ai Ǣ1f/^w21}K;&K_86#_1j:0vi<*,'¦LefkFe=xTOoCC_6Ũ\;n-xNE ӾJ{Tp'u G!itLnp<*NւeT'I%GX t~GUI1j"rIVdJMe:8ތJK{x}OÉB[v$;Z4r.;>P@!TAaG0f.hQqF洼{e.*~E2N-ol(zg//Her#B--RwE>Q%3n.jug߻s^0*z7SݨB┕xW(tѵmM%nINM$ OH`9CԌVdQyci33+vGEĀ x"^lS=* Oj鮿(A6d'h yY`^1zu ͇[x;+#]@6XF2Z$ӵ^=Cqw.j_¾}SJcmyEzaXqJ:N186OkDCxv<=R%Bt~f_2J"T~HGC3-xgck5kȺjƓy{,Kv?5zɏ(VRvO'(cKK#h*- tdy-ج$ 3~(=!۾Sb$?2K=;nڲr:37 nXP6cldErD)XNdx'dr^ZҦxfcF2ì8kZx2N.b$Vb"Ǝ/0 |Ϗ١E̺(( _)d'QpR;Ҭg `w -4>]y8UR~m< [GV47why3-1.6.0/examples/conjugate.mlw000066400000000000000000000122461440160026300167270ustar00rootroot00000000000000(* Conjugate of a partition. Author: Jean-Christophe Filliatre (CNRS) A partition of an integer n is a way of writing n as a sum of positive integers. For instance 7 = 3 + 2 + 2 + 1. Such a partition can be displayed as a Ferrer diagram: 3 * * * 2 * * 2 * * 1 * The conjugate of that a partition is another partition of 7, obtained by flipping the diagram above along its main diagonal. We get 4 * * * * 3 * * * 1 * Equivalently, this is the number of cells in each column of the original Ferrer diagram: 4 3 1 3 * * * 2 * * 2 * * 1 * The following program computes the conjugate of a partition. A partition is represented as an array of integers, sorted in non-increasing order, with a least a 0 at the end. This was inspired by this article: Franck Butelle, Florent Hivert, Micaela Mayero, and Frédéric Toumazet. Formal Proof of SCHUR Conjugate Function. In Proceedings of Calculemus 2010, pages 158-171. Springer-Verlag LNAI, 2010. *) module Conjugate use int.Int use ref.Refint use array.Array predicate is_partition (a: array int) = (* at least one element *) a.length > 0 && (* sorted in non-increasing order *) (forall i j. 0 <= i <= j < a.length -> a[i] >= a[j]) && (* at least one 0 sentinel *) a[a.length - 1] = 0 (* values in a[0..n[ are > v, and a[n] <= v *) predicate numofgt (a: array int) (n: int) (v: int) = 0 <= n < a.length && (forall j. 0 <= j < n -> v < a[j]) && v >= a[n] predicate is_conjugate (a b: array int) = b.length > a[0] && forall j. 0 <= j < b.length -> numofgt a b[j] j let conjugate (a: array int) : array int requires { is_partition a } ensures { is_conjugate a result } = let b = Array.make (a[0] + 1) 0 in let ref partc = 0 in while a[partc] <> 0 do invariant { 0 <= partc < a.length } invariant { forall j. a[partc] <= j < b.length -> numofgt a b[j] j } variant { a.length - partc } label L in let ghost start = partc in let edge = a[partc] in incr partc; while a[partc] = edge do invariant { start <= partc < a.length } invariant { forall j. start <= j < partc -> a[j] = edge } variant { a.length - partc } incr partc done; for i = a[partc] to edge - 1 do invariant { forall j. edge <= j < b.length -> b[j] = (b at L)[j] } invariant { forall j. a[partc] <= j < i -> b[j] = partc } b[i] <- partc done done; assert { a[partc] = 0 }; b end module Conjugate32 use int.Int use ref.Ref use mach.int.Int32 use mach.array.Array32 predicate is_partition (a: array int32) = (* at least one element *) a.length > 0 && (* sorted in non-increasing order *) (forall i j. 0 <= i <= j < a.length -> a[i] >= a[j]) && (* at least one 0 sentinel *) a[a.length - 1] = 0 (* values in a[0..n[ are > v, and a[n] <= v *) predicate numofgt (a: array int32) (n: int) (v: int) = 0 <= n < a.length && (forall j. 0 <= j < n -> v < a[j]) && v >= a[n] predicate is_conjugate (a b: array int32) = b.length > a[0] && forall j. 0 <= j < b.length -> numofgt a b[j] j let conjugate (a: array int32) (b: array int32) : unit requires { is_partition a } requires { length b = a[0] + 1 } requires { forall i. 0 <= i < b.length -> b[i] = 0 } ensures { is_conjugate a b } = let ref partc = 0 in while a[partc] <> 0 do invariant { 0 <= partc < a.length } invariant { forall j. a[partc] <= j < b.length -> numofgt a b[j] j } variant { a.length - partc } label L in let ghost start = partc in let edge = a[partc] in partc := partc + 1; while a[partc] = edge do invariant { start <= partc < a.length } invariant { forall j. start <= j < partc -> a[j] = edge } variant { a.length - partc } partc := partc + 1 done; for i = a[partc] to edge - 1 do invariant { forall j. edge <= j < b.length -> b[j] = (b at L)[j] } invariant { forall j. a[partc] <= j < i -> b[j] = partc } b[i] <- partc done done; assert { a[partc] = 0 } end module Test use int.Int use array.Array use Conjugate let test () ensures { result.length >= 4 } = let a = make 5 0 in a[0] <- 3; a[1] <- 2; a[2] <- 2; a[3] <- 1; conjugate a exception BenchFailure let bench () raises { BenchFailure -> true } = let a = test () in if a[0] <> 4 then raise BenchFailure; if a[1] <> 3 then raise BenchFailure; if a[2] <> 1 then raise BenchFailure; if a[3] <> 0 then raise BenchFailure; a end (* Original C code from SCHUR Note that arrays are one-based (that code was translated from Pascal code where arrays were one-based) #define MAX 100 void conjgte (int A[MAX], int B[MAX]) { int i, partc = 1, edge = 0; while (A[partc] != 0) { edge = A[partc]; do partc = partc + 1; while (A[partc] == edge); for (i = A[partc] + 1; i <= edge; i++) B[i] = partc - 1; } } *) why3-1.6.0/examples/conjugate/000077500000000000000000000000001440160026300162015ustar00rootroot00000000000000why3-1.6.0/examples/conjugate/why3session.xml000066400000000000000000000124561440160026300212310ustar00rootroot00000000000000 why3-1.6.0/examples/conjugate/why3shapes.gz000066400000000000000000000044041440160026300206430ustar00rootroot00000000000000XY~ׯ&k x# )Eh[Ȑd')[R͌2MUH_~]>׼[~zYŚֻ'VRGzOX?6ݧ}+'Z4wGOϕ]+~leq|O6-*z"DqlUC܁3 yL\uU'~qS=VJZ~BiJ 2UTɉLNtRxWl'&{_20Y: 9d $9Xmxtl9`{m3(U}ds*~Y,C{ʲ^p9X9|_'496ς!v쨺9e =e(%_ ~s5-'ʄ<5&de7F6wOȀ9,kZї]l }+oԢl(+m= S  EgJH%fsjA Q,l6_J~Q>N^kY&RC},"TA:B] Δn-NN|e6FuYa'}Kz;=گʕdUMZY>l F((۪xV5L6+yZa7m9jqʸjԩarꍨ0Q($̥cV@ӌpm q>#ETmw7 ozjmĂ?]'F;)3TZ7,Bu>Q=ɬ#ǦfD D9G)#^ 2[+DģQkL ˅ee٢bhz>}\ꇾ>5YО7VxݩcY;'A8Ey[ZW9a*xYZ]9wލ*)>pIȏba &eJI!Ug .e#d244KS'!gm@LD'mZLI }TZ,M` EAXho);Ō!D.*e5@!B) )R7R5 c`Tdf`DCiMHFHH3#`CaJ&lD#SlΠT o:cU:L&*4 ι 1S6ޑ\P maΓ 9;DG4 gAX@߀k6`nH#< T!IՑ%1+!4(ϕir)R T6r I..Q7Ȥ21Dk\8%Y#} K.6h^,61Cʜ2T1XW7Rjm3z@(NgϷlAXAdgNk6|sJcH24Pbə)꠲.&˝"K1p*(^!R^Jl-8Å+z8JfrvVP2%v2å)$[\X?Fcᕺ2I;d!## f712ֆK׊!F>prPQ m5r TRvZ;_Y@e]uV 7 \?n!J?)>yIϋ Kc ?U%4Z.+$YٟC4dјW^ F92iȕdTK &!Tqu!:l.4V*7/>qRV 7#ANE.\ȱfx$ƥwhy3-1.6.0/examples/counting_sort.mlw000066400000000000000000000104701440160026300176420ustar00rootroot00000000000000 (* Counting Sort. We sort an array of integers, assuming all elements are in the range 0..k-1 We simply count the elements equal to x, for each x in 0..k-1, and then (re)fill the array with two nested loops. TODO: Implement and prove a *stable* variant of counting sort, as proposed in Introduction to Algorithms Cormen, Leiserson, Rivest The MIT Press (2nd edition) Section 9.2, page 175 *) module Spec use export int.Int use int.NumOf as N use export array.Array use export array.IntArraySorted (* values of the array are in the range 0..k-1 *) val constant k: int ensures { 0 < result } predicate k_values (a: array int) = forall i: int. 0 <= i < length a -> 0 <= a[i] < k (* we introduce two predicates: - [numeq a v l u] is the number of values in a[l..u[ equal to v - [numlt a v l u] is the number of values in a[l..u[ less than v *) function numeq (a: array int) (v i j : int) : int = N.numof (fun k -> a[k] = v) i j function numlt (a: array int) (v i j : int) : int = N.numof (fun k -> a[k] < v) i j (* an ovious lemma relates numeq and numlt *) let rec lemma eqlt (a: array int) (v: int) (l u: int) requires { k_values a } requires { 0 <= v < k } requires { 0 <= l < u <= length a } ensures { numlt a v l u + numeq a v l u = numlt a (v+1) l u } variant { u - l } = if l < u-1 then eqlt a v (l+1) u (* permutation of two arrays is here conveniently defined using [numeq] i.e. as the equality of the two multi-sets *) predicate permut (a b: array int) = length a = length b /\ forall v: int. 0 <= v < k -> numeq a v 0 (length a) = numeq b v 0 (length b) end module CountingSort use Spec use ref.Refint (* sorts array a into array b *) let counting_sort (a: array int) (b: array int) requires { k_values a /\ length a = length b } ensures { sorted b /\ permut a b } = let c = Array.make k 0 in for i = 0 to length a - 1 do invariant { forall v: int. 0 <= v < k -> c[v] = numeq a v 0 i } let v = a[i] in c[v] <- c[v] + 1 done; let j = ref 0 in for v = 0 to k-1 do invariant { !j = numlt a v 0 (length a) } invariant { sorted_sub b 0 !j } invariant { forall e: int. 0 <= e < !j -> 0 <= b[e] < v } invariant { forall f: int. 0 <= f < v -> numeq b f 0 !j = numeq a f 0 (length a) } for i = 1 to c[v] do invariant { !j -i+1 = numlt a v 0 (length a) } invariant { sorted_sub b 0 !j } invariant { forall e: int. 0 <= e < !j -> 0 <= b[e] <= v } invariant { forall f: int. 0 <= f < v -> numeq b f 0 !j = numeq a f 0 (length a) } invariant { numeq b v 0 !j = i-1 } b[!j] <- v; incr j done done; assert { !j = length b } end module InPlaceCountingSort use Spec use ref.Refint (* sorts array a in place *) let in_place_counting_sort (a: array int) requires { k_values a } ensures { sorted a /\ permut (old a) a } = let c = make k 0 in for i = 0 to length a - 1 do invariant { forall v: int. 0 <= v < k -> c[v] = numeq a v 0 i } let v = a[i] in c[v] <- c[v] + 1 done; let j = ref 0 in for v = 0 to k-1 do invariant { !j = numlt (old a) v 0 (length a) } invariant { sorted_sub a 0 !j } invariant { forall e: int. 0 <= e < !j -> 0 <= a[e] < v } invariant { forall f: int. 0 <= f < v -> numeq a f 0 !j = numeq (old a) f 0 (length a) } for i = 1 to c[v] do invariant { !j -i+1 = numlt (old a) v 0 (length a) } invariant { sorted_sub a 0 !j } invariant { forall e: int. 0 <= e < !j -> 0 <= a[e] <= v } invariant { forall f: int. 0 <= f < v -> numeq a f 0 !j = numeq (old a) f 0 (length a) } invariant { numeq a v 0 !j = i-1 } a[!j] <- v; incr j; assert {forall f. 0 <= f < v -> numeq a f 0 !j = numeq a f 0 (!j - 1)} done done; assert { !j = length a } end module Harness use Spec use InPlaceCountingSort let harness () requires { k = 2 } = (* a is [0;1;0] *) let a = make 3 0 in a[1] <- 1; in_place_counting_sort a; (* a is now [0;0;1] *) assert { numeq a 0 0 3 = 2 }; assert { numeq a 1 0 3 = 1 }; assert { a[0] = 0 }; assert { a[1] = 0 }; assert { a[2] = 1 } end why3-1.6.0/examples/counting_sort/000077500000000000000000000000001440160026300171175ustar00rootroot00000000000000why3-1.6.0/examples/counting_sort/why3session.xml000066400000000000000000000327311440160026300221450ustar00rootroot00000000000000 why3-1.6.0/examples/counting_sort/why3shapes.gz000066400000000000000000000114061440160026300215610ustar00rootroot00000000000000\n9}ϯݝA$ׅ{aCkdӂݲG{ȼ0+%K%U*ᶫq9'm~t{w?7z/؅{]&|~7_xŮ-k~crq}ld܄+WD"_cW _ӕ3?/鮶\ѕʍ^ryw4^ŸҺYK f 6Lx7KV6}XoonmpRq@Ug2,wzbPW&j_T.W^3Mjd>>ZnO{og-6<< >A?+Wg[4yYR[jU>  wݠ$e_-m5Prl6ڪ2(V>G`L3iF01`F#p#oV(Ky)ԱE`"AxWݥu}aZXY*f $`-,7FϷ.Y#ٔJJT5 ?ࣿMPil.9F?3>ާ/IށU1oԑ-ޯTڲjS{m `ȶ0cVW[VWڻuXoY]7=X݌V7%lmk.2yu1r*?brh.{p9.r4< :L?I.>AWkhxXI./$G 6.~\40Za}\ 8]E EC$~Mr:b-!6B{!q$I>BZ+_+x7`tY zr!OEZ[-ܭꔗ7ꅿ#i*k^-H5|<>R G=pBYl*pBfYBxd#j+$ [V؈5#w,QCqq?~\bM7ԽKU_ҋ։XmzQF/I/Z%Z'Z$j V jE#N Px+PK Bc@fDN*)I͋IP"z~eAārAŊbv#8RҊV*S#\T^T1A2m-Q[ƣ=,ѸGm^WIY)s*WSm~+v?FvӊS2j#e\{޻@ؑjn5nunŴ\Lm\Lr1b}xNT8D.GlNmV=iSZM;ta{6@rZM3@%jp1Ӥj5M0-=O iR}mcmnӤmo0?bH+FZFڇp8 wh_ӚczZ{`\cX`bVhb^*bdC `찍vp#;\c{gš-##z,|^@}(zlYktEodqv|r7,tXr6ϖg*hfɻn4^Ḩv*?ΣhQDEpsK%l:8?O7gt{ /D0q.0l~!ٵC 5qi|ZңN(Ղ|gK)C=|bڔiw>yp[q9.R,$~8\I<ڵkVkcV:IRֳ~h˨Z Rb}e{ Yc4Dw_~M,QGAùL^@uK )LS̨F.ԨkkMWn] 5N=FI]QYc?ymj*ѕoeJʺLx(O^QHՍVjlm>oxϯq2}|~hÝM?$p Ƙۅ&W4b v4FeD7FՉ9ӵh܉W#ΤD43δ:LzLZ-!AG[=rqm{4oQhNN'q~ת1(CVL( q+N%N>'KμOԜ ZEg~ !:3pegI;ny7*3BJ.Qw[oEÔ)/2z[ꊌG^,]?<ɍF6{m=aow齏r/שRnr>Ue*Cɗ:5_WeT㵪H˸/mKS>1K!}<N%&Eb8qq TBd˺^DmMm_#`r~l/|&r^ʂcҗQ(}/ǍGz_/DU0b-4SߺggguҊ\ړH`$>hOEK%s< 0CZ* 1D/ T! xyt"D[}J"+,}D>%hL0*6*u*l@b`pe`Y㕵d{i\lPXi|>䊒uZ07W># Q:i!bΠV9,( VkART٠f;MwYďz G,왳iy) hS pBIK3ғ^ W6ӝd>XD(¸ )2dx%7XY<\)K^ Kœ .#ŐѻA$ n0$c+PTBV>Zϳ ƃE Cw``DJl/ <,Đ,.lF =̡#|SHl}}g Csg%%|}\^KC@Lu9^3;Y[Ð8z[kέAi@NAQϘΘX-u$D)+]^c;j؇7TВ978h*h9@Bp_EJeS0AoD iR`Z`2T'A"&Em*($2(f240+, bZwW}e(B['A(Ӏ6SwӜwhy3-1.6.0/examples/cubic_root.mlw000066400000000000000000000012731440160026300170760ustar00rootroot00000000000000 (** {1 Integer Cubic Root} Simple computation of the integer cubic root, using a loop and two auxiliary variables containing the square and the cube. See also isqrt.mlw *) module CubicRoot use int.Int use ref.Ref function cube (x: int) : int = x * x * x let cubic_root (x: int) : int requires { x >= 0 } ensures { cube (result - 1) <= x < cube result } = let ref a = 1 in let ref b = 1 in let ref y = 1 in while y <= x do invariant { cube (b - 1) <= x } invariant { y = cube b } invariant { a = b * b } variant { x - y } y <- y + 3 * a + 3 * b + 1; a <- a + 2 * b + 1; b <- b + 1 done; b end why3-1.6.0/examples/cubic_root/000077500000000000000000000000001440160026300163525ustar00rootroot00000000000000why3-1.6.0/examples/cubic_root/why3session.xml000066400000000000000000000035261440160026300214000ustar00rootroot00000000000000 why3-1.6.0/examples/cubic_root/why3shapes.gz000066400000000000000000000012551440160026300210150ustar00rootroot00000000000000VKk9[JRÐSu)dHcz&))KЏO]絛bnߏ~x3LrwLF:n䯫d&s=|,[=(jOGho!إK&뷰(5ztu뷉{v(5^ æZ&nvң:kkn}@L6zk@@wB)nCnQlZ|Zc^MĉW CeÏmm5[<"~D?$֑VNK}=#v2վ[.rOл#; 7/Syi2e.eZ?0n˶Q6"-yDI"!7sDx&&'F恤iI}B{"o$I}IuaHNO$$}΁N;g4;aw˨nwjŕ SiZ$¬25>" 6XTms>J80\uGL!<φQhj-yFH"Y( Bލnm\ˌ^: a"LM+cXuƂ`ٰyRAx+;$WѪ8Ԝ:q\2:.u&-10h4qX why3-1.6.0/examples/cursor_examples.mlw000066400000000000000000000140151440160026300201570ustar00rootroot00000000000000 (** {1 Cursors} Some implementations and clients of module `cursor.Cursor` from the standard library. Author: Mário Pereira (Université Paris Sud) *) module TestCursor use int.Int use int.Sum use seq.Seq use ref.Refint use cursor.Cursor (** sums all the remaining elements in the cursor *) let sum (c: cursor int) : int requires { permitted c } requires { c.visited = empty } ensures { result = sum (get c.visited) 0 (length c.visited) } diverges = let s = ref 0 in while has_next c do invariant { permitted c } invariant { !s = sum (get c.visited) 0 (length c.visited) } let x = next c in s += x done; !s end (** {2 Iteration over an immuable collection} here we choose a list *) module ListCursorImpl (* : ListCursor *) use int.Int use list.List use seq.Seq use seq.OfList type cursor 'a = { mutable ghost visited : seq 'a; ghost collection : list 'a; mutable to_visit : list 'a; } invariant { visited ++ to_visit = collection } by { visited = empty; collection = Nil; to_visit = Nil } predicate permitted (c: cursor 'a) = length c.visited <= length c.collection /\ forall i. 0 <= i < length c.visited -> c.visited[i] = c.collection[i] predicate complete (c: cursor 'a) = length c.visited = length c.collection let lemma snoc_Cons (s: seq 'a) (l: list 'a) (x: 'a) ensures { snoc s x ++ l == s ++ Cons x l } = () let next (c: cursor 'a) : 'a requires { not (complete c) } writes { c } ensures { c.visited = snoc (old c).visited result } ensures { match (old c).to_visit with | Nil -> false | Cons x r -> c.to_visit = r /\ x = result end } = match c.to_visit with | Nil -> absurd | Cons x r -> let ghost v0 = c.visited in c.visited <- snoc c.visited x; c.to_visit <- r; snoc_Cons v0 r x; assert { c.to_visit == c.collection [length c.visited ..] }; x end let has_next (c: cursor 'a) : bool ensures { result <-> not (complete c) } = match c.to_visit with (* could define a [val eq (l1 l2: list 'a) : bool] *) | Nil -> false | _ -> true end let create (t: list 'a) : cursor 'a ensures { result.visited = empty } ensures { result.collection = t } ensures { result.to_visit = t } = { visited = empty; collection = t; to_visit = t } clone cursor.ListCursor with type cursor = cursor, val create = create, val C.has_next = has_next, val C.next = next end module TestListCursor use int.Int use int.Sum as S use list.List use list.Length use list.Sum use ref.Refint use seq.Seq use seq.OfList clone cursor.ListCursor lemma sum_of_list: forall l: list int. sum l = S.sum (get (of_list l)) 0 (length l) let list_sum (l: list int) : int ensures { result = sum l } = let s = ref 0 in let c = create l in while C.has_next c do invariant { !s = S.sum (get c.visited) 0 (length c.visited) } invariant { permitted c } variant { length l - length c.visited } let x = C.next c in s += x done; !s end module TestListCursorLink use ListCursorImpl clone TestListCursor with type ListCursor.cursor = cursor, val ListCursor.C.next = next, val ListCursor.C.has_next = has_next, val ListCursor.create = create end (** {2 Iteration over a mutable collection} here we choose an array of integers *) module ArrayCursorImpl (* : ArrayCursor *) use int.Int use array.Array use array.ToSeq use list.List use list.Reverse use array.ToList use seq.Seq type cursor 'a = { mutable ghost visited : seq 'a; collection : seq 'a; (* FIXME : extraction of seq *) mutable index : int; (** index of next element *) } invariant { 0 <= index <= length collection /\ index = length visited /\ forall i. 0 <= i < index -> collection[i] = visited[i] } by { visited = empty; collection = empty; index = 0 } predicate permitted (c: cursor 'a) = length c.visited <= length c.collection /\ forall i. 0 <= i < length c.visited -> c.visited[i] = c.collection[i] predicate complete (c: cursor 'a) = length c.visited = length c.collection let create (a: array 'a) : cursor 'a ensures { result.visited = empty } ensures { result.index = 0 } ensures { result.collection = to_seq a } = { visited = empty; collection = to_seq a; index = 0; } let has_next (c: cursor 'a) : bool ensures { result <-> not (complete c) } = c.index < length c.collection let next (c: cursor 'a) : 'a requires { not (complete c) } writes { c } ensures { c.visited = snoc (old c).visited result } ensures { c.index = (old c).index + 1 } = if c.index >= length c.collection then absurd else begin let x = c.collection[c.index] in c.visited <- snoc c.visited x; c.index <- c.index + 1; x end clone cursor.ArrayCursor with type cursor = cursor, val C.next = next, val C.has_next = has_next, val create = create end module TestArrayCursor use int.Int use array.Array use array.ToSeq use seq.Seq use int.Sum use ref.Refint clone cursor.ArrayCursor let array_sum (a: array int) : int ensures { result = sum (Array.([]) a) 0 (length a) } = let s = ref 0 in let c = create a in while C.has_next c do invariant { !s = sum (get c.visited) 0 (length c.visited) } invariant { permitted c } variant { length c.collection - length c.visited } let x = C.next c in s += x done; !s let harness1 () : unit = let a = Array.make 42 0 in let c = create a in let x = C.next c in assert { x = 0 } end module TestArrayCursorLink use ArrayCursorImpl clone TestArrayCursor with type ArrayCursor.cursor = cursor, val ArrayCursor.C.next = next, val ArrayCursor.C.has_next = has_next, val ArrayCursor.create = create end why3-1.6.0/examples/cursor_examples/000077500000000000000000000000001440160026300174355ustar00rootroot00000000000000why3-1.6.0/examples/cursor_examples/why3session.xml000066400000000000000000000220621440160026300224570ustar00rootroot00000000000000 why3-1.6.0/examples/cursor_examples/why3shapes.gz000066400000000000000000000070031440160026300220750ustar00rootroot00000000000000[Yo#7~_fc1" HEx&z쉥dE&%fdM`âu|UEz| i{|B,{3w=5>o3ߚo{ccl2Zw!9dK۞/uOPO <a:|;oMO{̶)į>NcM&ãEj۳zθ!owfePh HHOhOXQ<[7*]e{"z" 4Y9kTFG֮m*{!>|< O){ЄYk Xg= |zW{|ba""t{/x<|NScU@LM! #2]h(װZfS'NheoVwӛ,y` 3L hiP$b-@PkS.I7>7m2Ҽ\åD:*8~Pm3箂Xߴ{:*'<_]GT95laJjF/) +E(q9,^l>ٞ'ixa(y8aN*`k|xц76%NS%#Dܯ g>tuAM*@jSSY*w=˜a]"V49 Ig5\OQ\klZRdM $s+np]*}.ĸZN.POPR29J_uJc 1|~qfA&,D/|,Ȝ)eFw׷@, ]SOXYs6|yf>e,K2Wv9O|㚷^Ǐig0&zMV$zVJfIK¦( 'Fq V/ǧ.nFC$Ӻ+"^!j-6jC56tY,BYV]NA-FR#0fuNXhj{/^tsIi ݛ1V\Lz6=%3g ALkG9p})*:'o@.n t|:B /) &躺/CهM5%o  V]NW7m{GӱR)| (^ >>Zww$5d9F:gQ3;|_"K, 5,\4,5,9eI7m۬^\F/S3Ѽz [jk~'ݨҷ{sx8kN#n`t;]\.RT睊=mPRf* 10sG 7SP AZT5獨اjk%<3+5VN5Nj!;/(w; IrSġc/d Q&f _3#LW*M_Fɿõ3·JYbu"ءkl?dA ަ=iX4z7 q:NIyG]eNҋ^݀3Ƕ-)٤&(R>~A3F$.V$ Їk?6-^~hIKۖ٠SoRc+4 SfztxX_I[g2sDH"Q4jDZ%]yqvu^W ݰۤO9Mô'sizVph' R޿1cUul(>/4z=b5baEkq&XRqsߪ8åc6Xfz-4X,X,X \9_{9m <W^C<=_I:GFYg1H^n498WJG峩*[`?w|s_ ~z= nn ,]47P{l[tD1< bVhQ[5hTHhhFȝОY!tM:Ǹ",h l\r.(Ÿ7|!|:G4*pq0-,SZ ,Be&$Z `i4`IA.0ZLI4'x A 93[5ƙSN @L؈y `tB0TcM| F" ,֘|J:#a \XqJs),+FH;f(3&p<^&LD,d &:Lpbatt>cp[Hw$2NKdXwib& .=>FV\gn!H\6XT$$,Ckx܂s $y@7s |MXdW"DP($:PDN੧FaJ8c 9 jMd1gq)-`jrlEAP)hg($ 9rH'J N Ttg$`9s>0YP8QZd Jha5[;'րOop.j)iT +wLXiBtHa=xP0`/(hDV_ Q#BEiCO:G 3qA5(F0EO0g 2"ŘAyH&̧- hP 0+õ1mA5c(8tV$0`GDH`Zl"@P@"b,d )%&:!U p@ WJBTPA"!f0(E'JL@4g32u2 RqiuJ D ,?9pQz+1<y*,FF a[i+1] >= a[i] - 1 let rec lemma decrease1_induction (a: array int) (i j: int) : unit requires { decrease1 a } requires { 0 <= i <= j < length a } ensures { a[j] >= a[i] + i - j } variant { j - i } = if i < j then decrease1_induction a (i+1) j let search (a: array int) requires { decrease1 a } ensures { (result = -1 /\ forall j: int. 0 <= j < length a -> a[j] <> 0) \/ (0 <= result < length a /\ a[result] = 0 /\ forall j: int. 0 <= j < result -> a[j] <> 0) } = let i = ref 0 in while !i < length a do invariant { 0 <= !i } invariant { forall j: int. 0 <= j < !i -> j < length a -> a[j] <> 0 } variant { length a - !i } if a[!i] = 0 then return !i; if a[!i] > 0 then i := !i + a[!i] else i := !i + 1 done; -1 let rec search_rec (a: array int) (i : int) requires { decrease1 a /\ 0 <= i } ensures { (result = -1 /\ forall j: int. i <= j < length a -> a[j] <> 0) \/ (i <= result < length a /\ a[result] = 0 /\ forall j: int. i <= j < result -> a[j] <> 0) } variant { length a - i } = if i < length a then if a[i] = 0 then i else if a[i] > 0 then search_rec a (i + a[i]) else search_rec a (i + 1) else -1 end why3-1.6.0/examples/decrease1/000077500000000000000000000000001440160026300160565ustar00rootroot00000000000000why3-1.6.0/examples/decrease1/why3session.xml000066400000000000000000000103461440160026300211020ustar00rootroot00000000000000 why3-1.6.0/examples/decrease1/why3shapes.gz000066400000000000000000000032441440160026300205210ustar00rootroot00000000000000Yn7}0uH,5u=##"{ m`arXl{1߮?kw1?KëA^7D?Us}~lm,A. ;Fj]j7m}%[j_SQKm4+ovt(IՇg;~ޭ~l]b0Qj\>BϤ1m*h*I{%MP ?A܎^NsFuA1E7 MН/lX*a o*Dg-%D}WW{ ,X~7i;2!:׉q3q }٥}sttZ&Ӌq6)Su=TG;l~S66G ^H,Px!ZOzzYs]ͻϾ'_ 2h!SԳJjM͈ aDbQ,f.;6tܽ,XgxLO+bDU==@tMcS[c_uje%d Ii &qV A~ b@$-!d^f.s./.pL+̈H,"+.;~buQ(YoY](X̦뢤d"墲7D9x!X6@"ň9aYb5kwaYL.X0}.@;@ѱD, I.{gvR+%iUƊ8.tk `\V(!iE,mH.UƜH P _K})L6q(t*E{E"5QloiS}iP(62 I٬bl+8DEF#a :D. :Tb+p%)HGVX l@`cE (OJj,b"1PpB != 7VF ^*H䤫\4-$1WIKr C*W D$ByMBteX# V0(o+Ha:KYFbhJ"wYLsc TTAGͤ*ME'04|<ԜP5Rcb11ehlv3`Se|6Hwhy3-1.6.0/examples/defunctionalization.mlw000066400000000000000000000634251440160026300210260ustar00rootroot00000000000000(** {1 Defunctionalization} This is inspired from student exercises proposed by {h Olivier Danvy} at the {h JFLA 2014 conference} *) (** {2 Simple Arithmetic Expressions} *) module Expr use export int.Int (** Grammar of expressions {h 
    n  :  int

e  :  expression
e ::= n | e - e

p  :  program
p ::= e
    } *) type expr = Cte int | Sub expr expr type prog = expr (** Examples: {h 
    p0 = 0
p1 = 10 - 6
p2 = (10 - 6) - (7 - 2)
p3 = (7 - 2) - (10 - 6)
p4 = 10 - (2 - 3)
    } *) let constant p0 : prog = Cte 0 let constant p1 : prog = Sub (Cte 10) (Cte 6) let constant p2 : prog = Sub (Sub (Cte 10) (Cte 6)) (Sub (Cte 7) (Cte 2)) let constant p3 : prog = Sub (Sub (Cte 7) (Cte 2)) (Sub (Cte 10) (Cte 6)) let constant p4 : prog = Sub (Cte 10) (Sub (Cte 2) (Cte 3)) end (** {2 Direct Semantics} *) module DirectSem use Expr (** Values: {h 
    v  :  value
v ::= n
    } Expressible Values: {h 
    ve  :  expressible_value
ve ::= v
    } Interpretation: {h 
    ------
n => n

e1 => n1   e2 => n2   n1 - n2 = n3
----------------------------------
      e1 - e2 => n3
    } A program e is interpreted into a value n if judgement {h 
      e => n
    } holds. *) (** {4 Exercise 0.0} Program the interpreter above and test it on the examples. {h 
      eval_0 : expression -> expressible_value
  interpret_0 : program -> expressible_value
    } *) (* Note: Why3 definitions introduced by "function" belong to the logic part of Why3 language *) let rec function eval_0 (e:expr) : int = match e with | Cte n -> n | Sub e1 e2 -> eval_0 e1 - eval_0 e2 end let function interpret_0 (p:prog) : int = eval_0 p (** Tests, can be replayed using {h 
      why3 defunctionalization.mlw --exec DirectSem.test
    } (Why3 version at least 0.82 required) *) let test () = interpret_0 p0, interpret_0 p1, interpret_0 p2, interpret_0 p3, interpret_0 p4 constant v3 : int = eval_0 p3 goal eval_p3 : v3 = 1 end (** {2 CPS: Continuation Passing Style} *) module CPS use Expr (** {4 Exercise 0.1} CPS-transform (call by value, left to right) the function `eval_0`, and call it from the main interpreter with the identity function as initial continuation {h 
          eval_1 : expression -> (expressible_value -> 'a) -> 'a
  interpret_1 : program -> expressible_value
    } *) use DirectSem let rec eval_1 (e:expr) (k: int->'a) : 'a variant { e } ensures { result = k (eval_0 e) } = match e with | Cte n -> k n | Sub e1 e2 -> eval_1 e1 (fun v1 -> eval_1 e2 (fun v2 -> k (v1 - v2))) end let interpret_1 (p : prog) : int ensures { result = eval_0 p } = eval_1 p (fun n -> n) end (** {2 Defunctionalization} *) module Defunctionalization use Expr use DirectSem (** {4 Exercise 0.2} De-functionalize the continuation of `eval_1`. {h 
             cont ::= ...

   continue_2 : cont -> value -> value
       eval_2 : expression -> cont -> value
  interpret_2 : program -> value
    } The data type `cont` represents the grammar of contexts. The two mutually recursive functions `eval_2` and `continue_2` implement an abstract machine, that is a state transition system. *) type cont = A1 expr cont | A2 int cont | I (** One would want to write in Why: {h 
    function eval_cont (c:cont) (v:int) : int =
  match c with
  | A1 e2 k ->
    let v2 = eval_0 e2 in
    eval_cont (A2 v k) v2
  | A2 v1 k -> eval_cont k (v1 - v)
  | I -> v
  end
    } But since the recursion is not structural, Why3 kernel rejects it (definitions in the logic part of the language must be total) We replace that with a relational definition, an inductive one. *) inductive eval_cont cont int int = | a1 : forall e2:expr, k:cont, v:int, r:int. eval_cont (A2 v k) (eval_0 e2) r -> eval_cont (A1 e2 k) v r | a2 : forall v1:int, k:cont, v:int, r:int. eval_cont k (v1 - v) r -> eval_cont (A2 v1 k) v r | a3 : forall v:int. eval_cont I v v (** Some functions to serve as measures for the termination proof *) function size_e (e:expr) : int = match e with | Cte _ -> 1 | Sub e1 e2 -> 3 + size_e e1 + size_e e2 end lemma size_e_pos: forall e: expr. size_e e >= 1 function size_c (c:cont) : int = match c with | I -> 0 | A1 e2 k -> 2 + size_e e2 + size_c k | A2 _ k -> 1 + size_c k end lemma size_c_pos: forall c: cont. size_c c >= 0 (** WhyML programs (declared with `let` instead of `function`), mutually recursive, resulting from de-functionalization *) let rec continue_2 (c:cont) (v:int) : int variant { size_c c } ensures { eval_cont c v result } = match c with | A1 e2 k -> eval_2 e2 (A2 v k) | A2 v1 k -> continue_2 k (v1 - v) | I -> v end with eval_2 (e:expr) (c:cont) : int variant { size_c c + size_e e } ensures { eval_cont c (eval_0 e) result } = match e with | Cte n -> continue_2 c n | Sub e1 e2 -> eval_2 e1 (A1 e2 c) end (** The interpreter. The post-condition specifies that this program computes the same thing as `eval_0` *) let interpret_2 (p:prog) : int ensures { result = eval_0 p } = eval_2 p I let test () = interpret_2 p0, interpret_2 p1, interpret_2 p2, interpret_2 p3, interpret_2 p4 end (** {2 Defunctionalization with an algebraic variant} *) module Defunctionalization2 use Expr use DirectSem (** {4 Exercise 0.2} De-functionalize the continuation of `eval_1`. {h 
             cont ::= ...

   continue_2 : cont -> value -> value
       eval_2 : expression -> cont -> value
  interpret_2 : program -> value
    } The data type `cont` represents the grammar of contexts. The two mutually recursive functions `eval_2` and `continue_2` implement an abstract machine, that is a state transition system. *) type cont = A1 expr cont | A2 int cont | I (** One would want to write in Why: {h 
    function eval_cont (c:cont) (v:int) : int =
  match c with
  | A1 e2 k ->
    let v2 = eval_0 e2 in
    eval_cont (A2 v k) v2
  | A2 v1 k -> eval_cont k (v1 - v)
  | I -> v
  end
    } But since the recursion is not structural, Why3 kernel rejects it (definitions in the logic part of the language must be total) We replace that with a relational definition, an inductive one. *) inductive eval_cont cont int int = | a1 : forall e2:expr, k:cont, v:int, r:int. eval_cont (A2 v k) (eval_0 e2) r -> eval_cont (A1 e2 k) v r | a2 : forall v1:int, k:cont, v:int, r:int. eval_cont k (v1 - v) r -> eval_cont (A2 v1 k) v r | a3 : forall v:int. eval_cont I v v (** Peano naturals to serve as the measure for the termination proof *) type nat = S nat | O function size_e (e:expr) (acc:nat) : nat = match e with | Cte _ -> S acc | Sub e1 e2 -> S (size_e e1 (S (size_e e2 (S acc)))) end function size_c (c:cont) (acc:nat) : nat = match c with | I -> acc | A1 e2 k -> S (size_e e2 (S (size_c k acc))) | A2 _ k -> S (size_c k acc) end (** WhyML programs (declared with `let` instead of `function`), mutually recursive, resulting from de-functionalization *) let rec continue_2 (c:cont) (v:int) : int variant { size_c c O } ensures { eval_cont c v result } = match c with | A1 e2 k -> eval_2 e2 (A2 v k) | A2 v1 k -> continue_2 k (v1 - v) | I -> v end with eval_2 (e:expr) (c:cont) : int variant { size_e e (size_c c O) } ensures { eval_cont c (eval_0 e) result } = match e with | Cte n -> continue_2 c n | Sub e1 e2 -> eval_2 e1 (A1 e2 c) end (** The interpreter. The post-condition specifies that this program computes the same thing as `eval_0` *) let interpret_2 (p:prog) : int ensures { result = eval_0 p } = eval_2 p I let test () = interpret_2 p0, interpret_2 p1, interpret_2 p2, interpret_2 p3, interpret_2 p4 end (** {2 Semantics with errors} *) module SemWithError use Expr (** Errors: {h 
    s  :  error
    } Expressible values: {h 
    ve  :  expressible_value
ve ::= v | s
    } *) type value = Vnum int | Underflow (* in (Vnum n), n should always be >= 0 *) (** Interpretation: {h 
    ------
n => n

     e1 => s
------------
e1 - e2 => s

e1 => n1   e2 => s
------------------
      e1 - e2 => s

e1 => n1   e2 => n2   n1 < n2
-----------------------------
      e1 - e2 => "underflow"

e1 => n1   e2 => n2   n1 >= n2   n1 - n2 = n3
---------------------------------------------
      e1 - e2 => n3
    } We interpret the program `e` into value `n` if the judgement {h 
      e => n
    } holds, and into error `s` if the judgement {h 
      e => s
    } holds. {4 Exercise 1.0} Program the interpreter above and test it on the examples. {h 
      eval_0 : expr -> expressible_value
  interpret_0 : program -> expressible_value
    } *) function eval_0 (e:expr) : value = match e with | Cte n -> if n >= 0 then Vnum n else Underflow | Sub e1 e2 -> match eval_0 e1 with | Underflow -> Underflow | Vnum v1 -> match eval_0 e2 with | Underflow -> Underflow | Vnum v2 -> if v1 >= v2 then Vnum (v1 - v2) else Underflow end end end function interpret_0 (p:prog) : value = eval_0 p (** {4 Exercise 1.1} CPS-transform (call by value, from left to right) the function `eval_0`, call it from the main interpreter with the identity function as initial continuation. {h 
          eval_1 : expr -> (expressible_value -> 'a) -> 'a
  interpret_1 : program -> expressible_value
    } *) function eval_1 (e:expr) (k:value -> 'a) : 'a = match e with | Cte n -> k (if n >= 0 then Vnum n else Underflow) | Sub e1 e2 -> eval_1 e1 (fun v1 -> match v1 with | Underflow -> k Underflow | Vnum v1 -> eval_1 e2 (fun v2 -> match v2 with | Underflow -> k Underflow | Vnum v2 -> k (if v1 >= v2 then Vnum (v1 - v2) else Underflow) end) end) end function interpret_1 (p : prog) : value = eval_1 p (fun n -> n) lemma cps_correct_expr: forall e: expr. forall k:value -> 'a. eval_1 e k = k (eval_0 e) lemma cps_correct: forall p. interpret_1 p = interpret_0 p (** {4 Exercise 1.2} Divide the continuation {h 
        expressible_value -> 'a
    } in two: {h 
        (value -> 'a) * (error -> 'a)
    } and adapt `eval_1` and `interpret_1` as {h 
           eval_2 : expr -> (value -> 'a) -> (error -> 'a) -> 'a
  interpret_2 : program -> expressible_value
    } *) (* function eval_2 (e:expr) (k:int -> 'a) (kerr: unit -> 'a) : 'a = match e with | Cte n -> if n >= 0 then k n else kerr () | Sub e1 e2 -> eval_2 e1 (fun v1 -> eval_2 e2 (fun v2 -> if v1 >= v2 then k (v1 - v2) else kerr ()) kerr) kerr end *) function eval_2 (e:expr) (k:int -> 'a) (kerr: unit -> 'a) : 'a = match e with | Cte n -> if n >= 0 then k n else kerr () | Sub e1 e2 -> eval_2 e1 (eval_2a e2 k kerr) kerr end with eval_2a (e2:expr) (k:int -> 'a) (kerr : unit -> 'a) : int -> 'a = (fun v1 -> eval_2 e2 (eval_2b v1 k kerr) kerr) with eval_2b (v1:int) (k:int -> 'a) (kerr : unit -> 'a) : int -> 'a = (fun v2 -> if v1 >= v2 then k (v1 - v2) else kerr ()) function interpret_2 (p : prog) : value = eval_2 p (fun n -> Vnum n) (fun _ -> Underflow) lemma cps2_correct_expr_aux: forall k: int -> 'a, e1 e2, kerr: unit -> 'a. eval_2 (Sub e1 e2) k kerr = eval_2 e1 (eval_2a e2 k kerr) kerr lemma cps2_correct_expr: forall e, kerr: unit->'a, k:int -> 'a. eval_2 e k kerr = match eval_0 e with Vnum n -> k n | Underflow -> kerr () end lemma cps2_correct: forall p. interpret_2 p = interpret_0 p (** {4 Exercise 1.3} Specialize the codomain of the continuations and of the evaluation function so that it is not polymorphic anymore but is `expressible_value`, and then short-circuit the second continuation to stop in case of error {h 
           eval_3 : expr -> (value -> expressible_value) -> expressible_value
  interpret_3 : program -> expressible_value
    } NB: Now there is only one continuation and it is applied only in absence of error. *) function eval_3 (e:expr) (k:int -> value) : value = match e with | Cte n -> if n >= 0 then k n else Underflow | Sub e1 e2 -> eval_3 e1 (eval_3a e2 k) end with eval_3a (e2:expr) (k:int -> value) : int -> value = (fun v1 -> eval_3 e2 (eval_3b v1 k)) with eval_3b (v1:int) (k:int -> value) : int -> value = (fun v2 -> if v1 >= v2 then k (v1 - v2) else Underflow) function interpret_3 (p : prog) : value = eval_3 p (fun n -> Vnum n) let rec lemma cps3_correct_expr (e:expr) : unit variant { e } ensures { forall k. eval_3 e k = match eval_0 e with Vnum n -> k n | Underflow -> Underflow end } = match e with | Cte _ -> () | Sub e1 e2 -> cps3_correct_expr e1; cps3_correct_expr e2; assert {forall k. eval_3 e k = eval_3 e1 (eval_3a e2 k) } end lemma cps3_correct: forall p. interpret_3 p = interpret_0 p (** {4 Exercise 1.4} De-functionalize the continuation of `eval_3`. {h 
             cont ::= ...

    continue_4 : cont -> value -> expressible_value
        eval_4 : expr -> cont -> expressible_value
  interprete_4 : program -> expressible_value
    } The data type `cont` represents the grammar of contexts. (NB. has it changed w.r.t to previous exercise?) The two mutually recursive functions `eval_4` and `continue_4` implement an abstract machine, that is a transition system that stops immediately in case of error, or and the end of computation. *) type cont = I | A expr cont | B int cont (** One would want to write in Why: {h 
    function eval_cont (c:cont) (v:value) : value =
  match v with
  | Underflow -> Underflow
  | Vnum v ->
  match c with
  | A e2 k -> eval_cont (B (Vnum v) k) (eval_0 e2)
  | B v1 k -> eval_cont k (if v1 >= v then Vnum (v1 - v) else Underflow)
  | I -> Vnum v (* v >= 0 by construction *)
  end
    } But since the recursion is not structural, Why3 kernel rejects it (definitions in the logic part of the language must be total) We replace that with a relational definition, an inductive one. *) inductive eval_cont cont value value = | underflow : forall k:cont. eval_cont k Underflow Underflow | a1 : forall e2:expr, k:cont, v:int, r:value. eval_cont (B v k) (eval_0 e2) r -> eval_cont (A e2 k) (Vnum v) r | a2 : forall v1:int, k:cont, v:int, r:value. eval_cont k (if v1 >= v then Vnum (v1 - v) else Underflow) r -> eval_cont (B v1 k) (Vnum v) r | a3 : forall v:int. eval_cont I (Vnum v) (Vnum v) (** Some functions to serve as measures for the termination proof *) function size_e (e:expr) : int = match e with | Cte _ -> 1 | Sub e1 e2 -> 3 + size_e e1 + size_e e2 end lemma size_e_pos: forall e: expr. size_e e >= 1 use Defunctionalization as D function size_c (c:cont) : int = match c with | I -> 0 | A e2 k -> 2 + D.size_e e2 + size_c k | B _ k -> 1 + size_c k end lemma size_c_pos: forall c: cont. size_c c >= 0 let rec continue_4 (c:cont) (v:int) : value requires { v >= 0 } variant { size_c c } ensures { eval_cont c (Vnum v) result } = match c with | A e2 k -> eval_4 e2 (B v k) | B v1 k -> if v1 >= v then continue_4 k (v1 - v) else Underflow | I -> Vnum v end with eval_4 (e:expr) (c:cont) : value variant { size_c c + D.size_e e } ensures { eval_cont c (eval_0 e) result } = match e with | Cte n -> if n >= 0 then continue_4 c n else Underflow | Sub e1 e2 -> eval_4 e1 (A e2 c) end (** The interpreter. The post-condition specifies that this program computes the same thing as `eval_0` *) let interpret_4 (p:prog) : value ensures { result = eval_0 p } = eval_4 p I let test () = interpret_4 p0, interpret_4 p1, interpret_4 p2, interpret_4 p3, interpret_4 p4 end (** {2 Reduction Semantics} *) module ReductionSemantics (** A small step semantics, defined iteratively with reduction contexts *) use Expr use DirectSem (** Expressions: {h 
    n  :  int

e  :  expression
e ::= n | e - e

p  :  program
p ::= e
    } Values: {h 
    v  :  value
v ::= n
    } Potential Redexes: {h 
      rp ::= n1 - n2
    } Reduction Rule: {h 
      n1 - n2 -> n3
    } (in the case of relative integers Z, all potential redexes are true redexes; but for natural numbers, not all of them are true ones: {h 
       n1 - n2 -> n3   if n1 >= n2
    } a potential redex that is not a true one is stuck.) Contraction Function: {h 
      contract : redex_potentiel -> expression + stuck
  contract (n1 - n2) = n3   si n3 = n1 - n2
    } and if there are only non-negative numbers: {h 
      contract (n1 - n2) = n3     if n1 >= n2 and n3 = n1 - n2
  contract (n1 - n2) = stuck  if n1 < n2
    } *) predicate is_a_redex (e:expr) = match e with | Sub (Cte _) (Cte _) -> true | _ -> false end let contract (e:expr) : expr requires { is_a_redex e } ensures { eval_0 result = eval_0 e } = match e with | Sub (Cte v1) (Cte v2) -> Cte (v1 - v2) | _ -> absurd end (** Reduction Contexts: {h 
    C  : cont
C ::= [] | [C e] | [v C]
    } *) type context = Empty | Left context expr | Right int context (** Recomposition: {h 
                 recompose : cont * expression -> expression
     recompose ([], e) = e
recompose ([C e2], e1) = recompose (C, e1 - e2)
recompose ([n1 C], e2) = recompose (C, n1 - e2)
    } *) let rec function recompose (c:context) (e:expr) : expr = match c with | Empty -> e | Left c e2 -> recompose c (Sub e e2) | Right n1 c -> recompose c (Sub (Cte n1) e) end let rec lemma recompose_values (c:context) (e1 e2:expr) : unit requires { eval_0 e1 = eval_0 e2 } variant { c } ensures { eval_0 (recompose c e1) = eval_0 (recompose c e2) } = match c with | Empty -> () | Left c e -> recompose_values c (Sub e1 e) (Sub e2 e) | Right n c -> recompose_values c (Sub (Cte n) e1) (Sub (Cte n) e2) end (* not needed anymore let rec lemma recompose_inversion (c:context) (e:expr) requires { match c with Empty -> false | _ -> true end \/ match e with Cte _ -> false | Sub _ _ -> true end } variant { c } ensures { match recompose c e with Cte _ -> false | Sub _ _ -> true end } = match c with | Empty -> () | Left c e2 -> recompose_inversion c (Sub e e2) | Right n1 c -> recompose_inversion c (Sub (Cte n1) e) end *) (** Decomposition: {h 
    dec_or_val = (C, rp) | v
    } Decomposition function: {h 
                 decompose_term : expression * cont -> dec_or_val
      decompose_term (n, C) = decompose_cont (C, n)
decompose_term (e1 - e2, C) = decompose_term (e1, [C e2])

             decompose_cont : cont * value -> dec_or_val
     decompose_cont ([], n) = n
  decompose_cont ([C e], n) = decompose_term (e, [n c])
decompose_term ([n1 C], n2) = (C, n1 - n2)

  decompose : expression -> dec_or_val
decompose e = decompose_term (e, [])
    } *) exception Stuck predicate is_a_value (e:expr) = match e with | Cte _ -> true | _ -> false end predicate is_empty_context (c:context) = match c with | Empty -> true | _ -> false end use Defunctionalization as D (* for size_e *) function size_e (e:expr) : int = D.size_e e function size_c (c:context) : int = match c with | Empty -> 0 | Left c e -> 2 + size_c c + size_e e | Right _ c -> 1 + size_c c end lemma size_c_pos: forall c: context. size_c c >= 0 let rec decompose_term (e:expr) (c:context) : (context, expr) variant { size_e e + size_c c } ensures { let c1,e1 = result in recompose c1 e1 = recompose c e /\ is_a_redex e1 } raises { Stuck -> is_empty_context c /\ is_a_value e } (* raises { Stuck -> is_a_value (recompose c e) } *) = match e with | Cte n -> decompose_cont c n | Sub e1 e2 -> decompose_term e1 (Left c e2) end with decompose_cont (c:context) (n:int) : (context, expr) variant { size_c c } ensures { let c1,e1 = result in recompose c1 e1 = recompose c (Cte n) /\ is_a_redex e1 } raises { Stuck -> is_empty_context c } (* raises { Stuck -> is_a_value (recompose c (Cte n)) } *) = match c with | Empty -> raise Stuck | Left c e -> decompose_term e (Right n c) | Right n1 c -> c, Sub (Cte n1) (Cte n) end let decompose (e:expr) : (context, expr) ensures { let c1,e1 = result in recompose c1 e1 = e /\ is_a_redex e1 } raises { Stuck -> is_a_value e } = decompose_term e Empty (** One reduction step: {h 
    reduce : expression -> expression + stuck

if decompose e = v
then reduce e = stuck

if decompose e = (C, rp)
and contract rp = stuck
then reduce e = stuck

if decompose e = (C, rp)
and contract rp = c
then reduce e = recompose (C, c)
    } *) (** {4 Exercise 2.0} Implement the reduction semantics above and test it *) let reduce (e:expr) : expr ensures { eval_0 result = eval_0 e } raises { Stuck -> is_a_value e } = let c,r = decompose e in recompose c (contract r) (** Evaluation based on iterated reduction: {h 
    itere : red_ou_val -> value + erreur

itere v = v

if contract rp = stuck
then itere (C, rp) = stuck

if contract rp = c
then itere (C, rp) = itere (decompose (recompose (C, c)))
    } *) let rec itere (e:expr) : int diverges (* termination could be proved but that's not the point *) ensures { eval_0 e = result } = match reduce e with | e' -> itere e' | exception Stuck -> match e with | Cte n -> n | _ -> absurd end end (** {4 Exercise 2.1} Optimize the step recomposition / decomposition into a single function `refocus`. *) let refocus c e ensures { let c1,e1 = result in recompose c1 e1 = recompose c e /\ is_a_redex e1 } raises { Stuck -> is_empty_context c /\ is_a_value e } = decompose_term e c let rec itere_opt (c:context) (e:expr) : int diverges ensures { result = eval_0 (recompose c e) } = match refocus c e with | c, r -> itere_opt c (contract r) | exception Stuck -> assert { is_empty_context c }; match e with | Cte n -> n | _ -> absurd end end let rec normalize (e:expr) diverges ensures { result = eval_0 e } = itere_opt Empty e (** {4 Exercise 2.2} Derive an abstract machine *) (** {h 
    (c,Cte n)_1 -> (c,n)_2
(c,Sub e1 e2)_1 -> (Left c e2,e1)_1
(Empty,n)_2 -> stop with result = n
(Left c e,n)_2 -> (Right n c,e)_1
(Right n1 c,n)_2 -> (c,Cte (n1 - n))_1
    } *) let rec eval_1 c e variant { 2 * (size_c c + size_e e) } ensures { result = eval_0 (recompose c e) } = match e with | Cte n -> eval_2 c n | Sub e1 e2 -> eval_1 (Left c e2) e1 end with eval_2 c n variant { 1 + 2 * size_c c } ensures { result = eval_0 (recompose c (Cte n)) } = match c with | Empty -> n | Left c e -> eval_1 (Right n c) e | Right n1 c -> eval_1 c (Cte (n1 - n)) end let interpret p ensures { result = eval_0 p } = eval_1 Empty p let test () = interpret p0, interpret p1, interpret p2, interpret p3, interpret p4 end module RWithError use Expr use SemWithError (** {4 Exercise 2.3} An abstract machine for the case with errors *) (** {h 
    (c,Cte n)_1 -> stop on Underflow if  n < 0
(c,Cte n)_1 -> (c,n)_2 if n >= 0
(c,Sub e1 e2)_1 -> (Left c e2,e1)_1
(Empty,n)_2 -> stop on Vnum n
(Left c e,n)_2 -> (Right n c,e)_1
(Right n1 c,n)_2 -> stop on Underflow if n1 < n
(Right n1 c,n)_2 -> (c,Cte (n1 - n))_1 if n1 >= n
    } *) type context = Empty | Left context expr | Right int context use Defunctionalization as D (* for size_e *) function size_e (e:expr) : int = D.size_e e function size_c (c:context) : int = match c with | Empty -> 0 | Left c e -> 2 + size_c c + size_e e | Right _ c -> 1 + size_c c end lemma size_c_pos: forall c: context. size_c c >= 0 function recompose (c:context) (e:expr) : expr = match c with | Empty -> e | Left c e2 -> recompose c (Sub e e2) | Right n1 c -> recompose c (Sub (Cte n1) e) end let rec lemma recompose_values (c:context) (e1 e2:expr) : unit requires { eval_0 e1 = eval_0 e2 } variant { c } ensures { eval_0 (recompose c e1) = eval_0 (recompose c e2) } = match c with | Empty -> () | Left c e -> recompose_values c (Sub e1 e) (Sub e2 e) | Right n c -> recompose_values c (Sub (Cte n) e1) (Sub (Cte n) e2) end let rec lemma recompose_underflow (c:context) (e:expr) : unit requires { eval_0 e = Underflow } variant { c } ensures { eval_0 (recompose c e) = Underflow } = match c with | Empty -> () | Left c e1 -> recompose_underflow c (Sub e e1) | Right n c -> recompose_underflow c (Sub (Cte n) e) end let rec eval_1 c e variant { 2 * (size_c c + size_e e) } ensures { result = eval_0 (recompose c e) } = match e with | Cte n -> if n >= 0 then eval_2 c n else Underflow | Sub e1 e2 -> eval_1 (Left c e2) e1 end with eval_2 c n variant { 1 + 2 * size_c c } requires { n >= 0 } ensures { result = eval_0 (recompose c (Cte n)) } = match c with | Empty -> Vnum n | Left c e -> eval_1 (Right n c) e | Right n1 c -> if n1 >= n then eval_1 c (Cte (n1 - n)) else Underflow end let interpret p ensures { result = eval_0 p } = eval_1 Empty p let test () = interpret p0, interpret p1, interpret p2, interpret p3, interpret p4 end why3-1.6.0/examples/defunctionalization/000077500000000000000000000000001440160026300202735ustar00rootroot00000000000000why3-1.6.0/examples/defunctionalization/Makefile000066400000000000000000000023411440160026300217330ustar00rootroot00000000000000 BENCH ?= no ifeq ($(BENCH),yes) WHY3=../../bin/why3.opt WHY3SHARE=../../share else ifeq ($(BINDIR),) WHY3=why3 else WHY3=$(BINDIR)/why3 endif WHY3SHARE=$(shell $(WHY3) --print-datadir) endif include $(WHY3SHARE)/Makefile.config ifeq ($(BENCH),yes) INCLUDE += -I ../../lib/why3 endif MAIN = main OBJ = defunctionalization ML = $(addsuffix .ml, $(OBJ)) CMO = $(addsuffix .cmo, $(OBJ)) CMX = $(addsuffix .cmx, $(OBJ)) OCAMLOPT = ocamlopt -noassert -inline 1000 all: $(MAIN).opt extract: $(ML) doc: $(WHY3) doc ../defunctionalization.mlw $(WHY3) session html ../defunctionalization.mlw @echo firefox ../defunctionalization.html why3session.html $(MAIN).byte: $(CMO) $(MAIN).cmo ocamlc -g $(INCLUDE) $(BIGINTLIB).cma -o $@ $^ $(MAIN).opt: $(CMX) $(MAIN).cmx $(OCAMLOPT) $(INCLUDE) $(BIGINTLIB).cmxa -o $@ $^ $(MAIN).cmx: $(CMX) $(ML): ../defunctionalization.mlw $(WHY3) extract -D ocaml64 --recursive -L .. -o $@ \ defunctionalization.DirectSem \ defunctionalization.CPS \ defunctionalization.Defunctionalization %.cmx: %.ml $(OCAMLOPT) $(INCLUDE) -annot -c $< %.cmo: %.ml ocamlc $(INCLUDE) -annot -g -c $< %.cmi: %.mli ocamlc $(INCLUDE) -annot -g -c $< clean:: rm -f $(ML) *.cm[xio] $(MAIN).opt why3-1.6.0/examples/defunctionalization/main.ml000066400000000000000000000032041440160026300215500ustar00rootroot00000000000000 open Format let usage () = eprintf "Exercises on CPS and de-functionalization@."; eprintf "Usage: %s" Sys.argv.(0); exit 2 let input = if Array.length Sys.argv <> 1 then usage () open Defunctionalization let rec p_expr fmt e = match e with | Cte n -> fprintf fmt "%s" (Z.to_string n) | Sub(e1,e2) -> fprintf fmt "(%a - %a)" p_expr e1 p_expr e2 let p_prog fmt p = p_expr fmt p let p_value fmt v = fprintf fmt "%s" (Z.to_string v) let run s f p = let v = f p in printf "%s %a : %a@." s p_prog p p_value v let () = printf "Exercise 0: direct semantics@."; let i = Defunctionalization.interpret_0 in run "interpret_0" i Defunctionalization.p0; run "interpret_0" i Defunctionalization.p1; run "interpret_0" i Defunctionalization.p2; run "interpret_0" i Defunctionalization.p3; run "interpret_0" i Defunctionalization.p4; printf "Done.@\n@." (* does not work because lambda is not extracted into OCaml (fun ... -> ...) *) let () = printf "Exercise 1: CPS@."; let i = Defunctionalization.interpret_1 in run "interpret_1" i Defunctionalization.p0; run "interpret_1" i Defunctionalization.p1; run "interpret_1" i Defunctionalization.p2; run "interpret_1" i Defunctionalization.p3; run "interpret_1" i Defunctionalization.p4; printf "Done.@\n@." let () = printf "Exercise 2: Defunctionalization@."; let i = Defunctionalization.interpret_2 in run "interpret_2" i Defunctionalization.p0; run "interpret_2" i Defunctionalization.p1; run "interpret_2" i Defunctionalization.p2; run "interpret_2" i Defunctionalization.p3; run "interpret_2" i Defunctionalization.p4; printf "Done.@\n@." why3-1.6.0/examples/defunctionalization/why3session.xml000066400000000000000000000315061440160026300233200ustar00rootroot00000000000000 why3-1.6.0/examples/defunctionalization/why3shapes.gz000066400000000000000000000116131440160026300227350ustar00rootroot00000000000000Z[od7r~_я _˘F ` 9^ba#Ax&ivA`sHub!?̏Owmo?.\?e Dx ?\?v4p`mgo3uw@t\V?a߇i9|c8xB _T 4̈́BvBM 3/={:^+%tv9WLJI=e=oaޗ}="m^#ug FÌs~|x@t~ Ow?E^Nݬ<]nVCYxϻ2&q n::a\َ;NUTWӋ vPTNaqAzʁ~?4؉m9XWwV˩X`]tGO*$R>}Ě$Ė$?g}DA#Ól#+Aťgq+i\hkC4fa3,[݉)-z! JhJ '!iAGCh5F++)aQbtur&h:Rvཫ@C§}1\E>F^U"Hnİ0v0$sa0|; kRVi :N^wo??X>Y}M$vwaxrUjc./@OE: 00N6[.qPӤI FP5οGaL7>"0¸5yk%r{Rn܀ SٸFAJp&:*T!K5^jV aoJI5U됰 M8>aˈ87OD!0 /:m|燏Z$ʑ*8[%'VQ6#mBਊ"Png"F"LE`*2#0lm'V* v*M4Ib3{ I.QUCjeХo0Ojw9Pz|qm%#MK ̛R:Q3!{jn}>A9#`jGCpB;~zʏCe0080zCz*#[@/44oivޭi,Krݿ&8 H;iC=&8g}ک?u%7{?/=~h3ѵmfs yX&jc+ R ANX-j;„쩗$qy|CYIzor>4]/n^4ntqw2s狛E;Oz_W'Suj~;f=iM pe˪X#,opGʬ"f!}ޅC_?y]a75459P.m vǸHT;"NXU6f$;uF~o[Hy]9dn!V))UU Bb]\I:ڤ&s !LhU7Io&LDBV\̿<^Gi_qUm}d[ռ1!HN5wJZI8) !VD 71ȁoނQ\nh'ňjkD\w;:r+ jjRxCccC3|S[!7·-ݦ>1NTbt2Svs_w#A>PqW(aJwsz_rdM̝Q+xE7̟*ܫ*1hBEd/ce.2A+rapKsC<ڊWo@{&7Ldm+~l\KOwA/41?(֧jDD=[1n6L.vZo `u#7 O9C1(\-ՊRO}+GnM MMZlVڬS]CU\%)C@]OQ/Bz.pwGip}f#?Տh2T\X~UvNeF8da;3|IC-YzA7ŽEKjC`VEBrT lK\eq&7*SMEp_蟮y:;?tnl?t&W[E&h.UlRN}[*v~񚯉ͥ n/ԜIS K5rxdLk%j16X]~u7.D0fms !7GP`s#$-UFst#N%VNWa ~=  9U.كZZ)Zo*Zm(nMo0+EןNZXٛzZa. 'ROR1V$/&ՊWh|^ 8eCUv0"ZSh2;zCL>Y'@X`,Gی(7ӎ{c1'#`' Es'u>scū0#gc1ш^Od匊!\R Ee̱N9#pt׌g\UО =J1͹}u.Jفʳeb'>9ϼ-6> %)swv'r ^3OFz-۞"rq<"LcJ){VJX* |RN:HB01[g)pQg`I'*1*2L@_*nQa)*GiLP}(Á9D'w$ 8LV%IhJuFmU< 1A$YĎh{]TC63|IG )ȑG-NwCV+>TL]0$gW0GSP)GmeNw!,cA:|Xp^d+g|ib "j^Xo}&p(N BX ]ʟh,,"Fq=S׳.ųK_ y dE3%h}tf!^eD}BE):lY}ְ """+Q!",)ȴޚ^R+alV=i]YF~8WwqG.M9V!Ad/) %)L f9QؽG#^`-A"g1#2pk07hK ē39V`,>D7h"why3-1.6.0/examples/dfa_example.mlw000066400000000000000000000050611440160026300172120ustar00rootroot00000000000000 module DfaExample (** regular expressions on alphabet {0,1} *) type char = Zero | One clone regexp.Regexp with type char = char (** mutable input stream *) use option.Option type stream = abstract { mutable state: list char } val input: stream use list.Length val get () : option char writes {input} ensures { match old input.state with | Cons c l -> input.state = l /\ result = Some c | Nil -> old input.state = input.state = Nil /\ result = None end } (** 2-state DFA to recognize words ending with a 1, that is (0|1)*1 --------- 1 --------> +- state 1 state 2-------+ | ^ <-------- 0 --------- ^ | +-0--/ \----- 1 --+ *) constant r0 : regexp = Star (Alt (Char Zero) (Char One)) constant r1 : regexp = Concat r0 (Char One) constant r2 : regexp = Alt Epsilon r1 lemma nil_notin_r1: not (mem Nil r1) let rec lemma all_in_r0 (w: list char) variant { w } ensures { mem w r0 } = match w with | Nil -> () | Cons c r -> assert { w = (Cons c Nil) ++ r } ; all_in_r0 r end lemma words_in_r1_end_with_one: forall w: list char. mem w r1 <-> exists w': list char. w = w' ++ Cons One Nil let lemma words_in_r1_suffix_in_r1 (c c':char) (w: list char) requires { mem (Cons c (Cons c' w)) r1 } ensures { mem (Cons c' w) r1 } = assert { exists w'. (Cons c (Cons c' w)) = w' ++ Cons One Nil } let lemma zero_w_in_r1 (w: list char) ensures { mem w r1 <-> mem (Cons Zero w) r1 } = assert { mem (Cons Zero w) r1 -> exists w'. (Cons Zero w) = w' ++ Cons One Nil } let lemma one_w_in_r1 (w: list char) ensures { mem w r2 <-> mem (Cons One w) r1 } = match w with | Nil -> () | Cons c r -> assert { mem w r2 -> mem w r1 }; assert { mem (Cons One (Cons c r)) r1 -> mem w r1 } end lemma zero_w_in_r2: forall w: list char. mem w r1 <-> mem (Cons Zero w) r2 lemma one_w_in_r2: forall w: list char. mem w r2 <-> mem (Cons One w) r2 let rec astate1 () : bool variant { length input.state } ensures { result = True <-> input.state = Nil /\ mem (old input.state) r1 } = match get () with | None -> False | Some Zero -> astate1 () | Some One -> astate2 () end with astate2 () : bool variant { length input.state } ensures { result = True <-> input.state = Nil /\ mem (old input.state) r2 } = match get () with | None -> True | Some Zero -> astate1 () | Some One -> astate2 () end end why3-1.6.0/examples/dfa_example/000077500000000000000000000000001440160026300164675ustar00rootroot00000000000000why3-1.6.0/examples/dfa_example/dfa_example_DfaExample_nil_notin_r1_1.v000066400000000000000000000101251440160026300261030ustar00rootroot00000000000000(* This file is generated by Why3's Coq driver *) (* Beware! Only edit allowed sections below *) Require Import BuiltIn. Require BuiltIn. Require int.Int. (* Why3 assumption *) Definition unit := unit. (* Why3 assumption *) Inductive option (a:Type) {a_WT:WhyType a} := | None : option a | Some : a -> option a. Axiom option_WhyType : forall (a:Type) {a_WT:WhyType a}, WhyType (option a). Existing Instance option_WhyType. Implicit Arguments None [[a] [a_WT]]. Implicit Arguments Some [[a] [a_WT]]. (* Why3 assumption *) Inductive list (a:Type) {a_WT:WhyType a} := | Nil : list a | Cons : a -> (list a) -> list a. Axiom list_WhyType : forall (a:Type) {a_WT:WhyType a}, WhyType (list a). Existing Instance list_WhyType. Implicit Arguments Nil [[a] [a_WT]]. Implicit Arguments Cons [[a] [a_WT]]. (* Why3 assumption *) Fixpoint length {a:Type} {a_WT:WhyType a}(l:(list a)) {struct l}: Z := match l with | Nil => 0%Z | (Cons _ r) => (1%Z + (length r))%Z end. Axiom Length_nonnegative : forall {a:Type} {a_WT:WhyType a}, forall (l:(list a)), (0%Z <= (length l))%Z. Axiom Length_nil : forall {a:Type} {a_WT:WhyType a}, forall (l:(list a)), ((length l) = 0%Z) <-> (l = (Nil :(list a))). (* Why3 assumption *) Inductive char := | Zero : char | One : char . Axiom char_WhyType : WhyType char. Existing Instance char_WhyType. (* Why3 assumption *) Inductive regexp := | Empty : regexp | Epsilon : regexp | Char : char -> regexp | Alt : regexp -> regexp -> regexp | Concat : regexp -> regexp -> regexp | Star : regexp -> regexp . Axiom regexp_WhyType : WhyType regexp. Existing Instance regexp_WhyType. (* Why3 assumption *) Fixpoint infix_plpl {a:Type} {a_WT:WhyType a}(l1:(list a)) (l2:(list a)) {struct l1}: (list a) := match l1 with | Nil => l2 | (Cons x1 r1) => (Cons x1 (infix_plpl r1 l2)) end. Axiom Append_assoc : forall {a:Type} {a_WT:WhyType a}, forall (l1:(list a)) (l2:(list a)) (l3:(list a)), ((infix_plpl l1 (infix_plpl l2 l3)) = (infix_plpl (infix_plpl l1 l2) l3)). Axiom Append_l_nil : forall {a:Type} {a_WT:WhyType a}, forall (l:(list a)), ((infix_plpl l (Nil :(list a))) = l). Axiom Append_length : forall {a:Type} {a_WT:WhyType a}, forall (l1:(list a)) (l2:(list a)), ((length (infix_plpl l1 l2)) = ((length l1) + (length l2))%Z). (* Why3 assumption *) Fixpoint mem {a:Type} {a_WT:WhyType a}(x:a) (l:(list a)) {struct l}: Prop := match l with | Nil => False | (Cons y r) => (x = y) \/ (mem x r) end. Axiom mem_append : forall {a:Type} {a_WT:WhyType a}, forall (x:a) (l1:(list a)) (l2:(list a)), (mem x (infix_plpl l1 l2)) <-> ((mem x l1) \/ (mem x l2)). Axiom mem_decomp : forall {a:Type} {a_WT:WhyType a}, forall (x:a) (l:(list a)), (mem x l) -> exists l1:(list a), exists l2:(list a), (l = (infix_plpl l1 (Cons x l2))). (* Why3 assumption *) Definition word := (list char). (* Why3 assumption *) Inductive mem1 : (list char) -> regexp -> Prop := | mem_eps : (mem1 (Nil :(list char)) Epsilon) | mem_char : forall (c:char), (mem1 (Cons c (Nil :(list char))) (Char c)) | mem_altl : forall (w:(list char)) (r1:regexp) (r2:regexp), (mem1 w r1) -> (mem1 w (Alt r1 r2)) | mem_altr : forall (w:(list char)) (r1:regexp) (r2:regexp), (mem1 w r2) -> (mem1 w (Alt r1 r2)) | mem_concat : forall (w1:(list char)) (w2:(list char)) (r1:regexp) (r2:regexp), (mem1 w1 r1) -> ((mem1 w2 r2) -> (mem1 (infix_plpl w1 w2) (Concat r1 r2))) | mems1 : forall (r:regexp), (mem1 (Nil :(list char)) (Star r)) | mems2 : forall (w1:(list char)) (w2:(list char)) (r:regexp), (mem1 w1 r) -> ((mem1 w2 (Star r)) -> (mem1 (infix_plpl w1 w2) (Star r))). (* Why3 assumption *) Inductive stream := | mk_stream : (list char) -> stream . Axiom stream_WhyType : WhyType stream. Existing Instance stream_WhyType. (* Why3 assumption *) Definition state(v:stream): (list char) := match v with | (mk_stream x) => x end. (* Why3 goal *) Theorem nil_notin_r1 : ~ (mem1 (Nil :(list char)) (Concat (Star (Alt (Char Zero) (Char One))) (Char One))). red; intro. inversion H. inversion H4. rewrite <- H5 in H0. destruct w1; simpl in H0; discriminate H0. Qed. why3-1.6.0/examples/dfa_example/why3session.xml000066400000000000000000000053061440160026300215130ustar00rootroot00000000000000 why3-1.6.0/examples/dfa_example/why3shapes.gz000066400000000000000000000014671440160026300211370ustar00rootroot00000000000000TMF W$|O=F -H-t|5Frm}vS{ z0!## ?C?RׯJWo>}Ǐ v0KV7 Î.v%?9xCwpnˣi|^¹iT#KrgLQr>-g͢mWfZoW{zhl@K9ZlEݱ MG9m"VלWtRRaqZߧnG Mu}~m\;[F7EVcjtš4u9f?Os66>_O X|4nӄkSˉX vb"n̺B^t]"ч]r%7=$v} o7iM_7]F>>o)~ Bv1|U 7\.p{Ȱ8y]z.y:=~uzX&.w/U.f,$Ã4![J`J"1a6K"$M hC%jN0ADy22oGxLJ@T- ^h4*!hǘ8R2>@I,: A`D}DC@ j{ BFdB{LFYv#A:k=ɱ2 #;N1r\ mbdSA 9ꜜ4>#FD`O9ƃB鄃aȜ&Ƚ'Q5g41K4#0a[hW+k>M%,(j+2L| QDZ# why3-1.6.0/examples/dfs.mlw000066400000000000000000000061071440160026300155230ustar00rootroot00000000000000 (* Depth-First Search (following François Pottier's lecture INF431 at École Polytechnique) We are given memory cells with two (possibly null) [left] and [right] neighbours and a mutable Boolean attribute [marked]. In Java, it would look like class Cell { Cell left, right; boolean marked; ... } We mark all cells that are reachable from a given cell [root] using depth-first search, that is using the following recursive function: static void dfs(Cell c) { if (c != null && !c.marked) { c.marked = true; dfs(c.left); dfs(c.right); } } We wish to prove that, assuming that all cells are initially unmarked, a call to dfs(root) will mark all cells reachable from root, and only those cells. *) module DFS use bool.Bool use map.Map use ref.Ref type loc val constant null: loc val constant root: loc val (==) (x y: loc) : bool ensures { result <-> x = y } val function left loc: loc val function right loc: loc type marks = map loc bool val marked: ref marks val ghost busy: ref marks let set (m: ref marks) (l: loc) (b: bool) : unit writes { m } ensures { !m = (old !m)[l <- b] } = let f = !m in m := fun x -> if x == l then b else f x predicate edge (x y: loc) = x <> null && (left x = y || right x = y) inductive path (x y: loc) = | path_nil: forall x: loc. path x x | path_cons: forall x y z: loc. path x y -> edge y z -> path x z predicate only_descendants_are_marked (marked: marks) = forall x: loc. x <> null && marked[x] = True -> path root x predicate well_colored (marked busy: marks) = forall x y: loc. edge x y -> y <> null -> busy[x] = True || (marked[x] = True -> marked[y] = True) let rec dfs (c: loc) : unit requires { well_colored !marked !busy } requires { only_descendants_are_marked !marked } requires { path root c } diverges ensures { well_colored !marked !busy } ensures { forall x: loc. (old !marked)[x] = True -> !marked[x] = True } ensures { c <> null -> !marked[c] = True } ensures { forall x: loc. !busy[x] = True -> (old !busy)[x] = True } ensures { only_descendants_are_marked !marked } = if not (c == null) && not !marked[c] then begin ghost set busy c True; set marked c True; dfs (left c); dfs (right c); set busy c False end predicate all_descendants_are_marked (marked: marks) = root <> null -> marked[root] = True && forall x y: loc. edge x y -> marked[x] = True -> y <> null -> marked[y] = True lemma reformulation: forall marked: marks. all_descendants_are_marked marked -> forall x: loc. x <> null -> path root x -> marked[x] = True /\ root <> null let traverse () : unit requires { forall x: loc. x <> null -> !marked[x] = False && !busy[x] = False } diverges ensures { only_descendants_are_marked !marked } ensures { all_descendants_are_marked !marked } ensures { forall x: loc. x <> null -> !busy[x] = False } = assert { well_colored !marked !busy }; dfs root end why3-1.6.0/examples/dfs/000077500000000000000000000000001440160026300147765ustar00rootroot00000000000000why3-1.6.0/examples/dfs/why3session.xml000066400000000000000000000032071440160026300200200ustar00rootroot00000000000000 why3-1.6.0/examples/dfs/why3shapes.gz000066400000000000000000000015461440160026300174440ustar00rootroot00000000000000VM7 ϯ[ۜD}5 րSIY#^{k;-K͇8797=[yy|mo6xOuHAWc[]6SXc;ܟ=,j56O9^/C<<\[ ܾS s`գK~;Sa}drq' { @ݢq2!sG)F: ]m?d[JSٽB`&+ݜ/U \VńOJM9aC(Dq/I ^$` d_# ܩŽ%bBVڬ/D*&P7 >.T5i xZ[ezzIX sCFN55"Q=v%^Y>#ESu1|ދjhoH]P2;3Sz8x7eN33 U`{)0+}dxKtRŻ+ZZ,Uhm=/I-Zszbx55SkwA]#i!RZHl"*3k ERN8#HXۊgH[0}P!A1Ra69Ӫg$@ib<wKIAqz\)c`4̊h9G&`0㠴a a(`* Pw%t= 0 } (** Data structures for the algorithm. *) (* The set of already visited vertices. *) val visited: set (* Map d holds the current distances from the source. There is no need to introduce infinite distances. *) val d: t int (* The priority queue. *) val q: set predicate min (m: vertex) (q: set) (d: t int) = mem m q /\ forall x: vertex. mem x q -> d[m] <= d[x] val q_extract_min () : vertex writes {q} requires { not is_empty q } ensures { min result (old q) d } ensures { q = remove result (old q) } (* Initialisation of visited, q, and d. *) val init (src: vertex) : unit writes { visited, q, d } ensures { is_empty visited } ensures { q = singleton src } ensures { d = (old d)[src <- 0] } (* Relaxation of edge u->v. *) let relax u v ensures { (mem v visited /\ q = old q /\ d = old d) \/ (mem v q /\ d[u] + weight u v >= d[v] /\ q = old q /\ d = old d) \/ (mem v q /\ (old d)[u] + weight u v < (old d)[v] /\ q = old q /\ d = (old d)[v <- (old d)[u] + weight u v]) \/ (not mem v visited /\ not mem v (old q) /\ q = add v (old q) /\ d = (old d)[v <- (old d)[u] + weight u v]) } = if not mem v visited then let x = d[u] + weight u v in if mem v q then begin if x < d[v] then d[v] <- x end else begin add v q; d[v] <- x end (* Paths and shortest paths. path x y d = there is a path from x to y of length d shortest_path x y d = there is a path from x to y of length d, and no shorter path *) inductive path vertex vertex int = | Path_nil : forall x: vertex. path x x 0 | Path_cons: forall x y z: vertex. forall d: int. path x y d -> mem z (g_succ y) -> path x z (d + weight y z) lemma Length_nonneg: forall x y: vertex. forall d: int. path x y d -> d >= 0 predicate shortest_path (x y: vertex) (d: int) = path x y d /\ forall d': int. path x y d' -> d <= d' lemma Path_inversion: forall src v:vertex. forall d:int. path src v d -> (v = src /\ d = 0) \/ (exists v':vertex. path src v' (d - weight v' v) /\ mem v (g_succ v')) lemma Path_shortest_path: forall src v: vertex. forall d: int. path src v d -> exists d': int. shortest_path src v d' /\ d' <= d (* Lemmas (requiring induction). *) lemma Main_lemma: forall src v: vertex. forall d: int. path src v d -> not (shortest_path src v d) -> v = src /\ d > 0 \/ exists v': vertex. exists d': int. shortest_path src v' d' /\ mem v (g_succ v') /\ d' + weight v' v < d lemma Completeness_lemma: forall s: set. (* if s is closed under g_succ *) (forall v: vertex. mem v s -> forall w: vertex. mem w (g_succ v) -> mem w s) -> (* and if s contains src *) forall src: vertex. mem src s -> (* then any vertex reachable from s is also in s *) forall dst: vertex. forall d: int. path src dst d -> mem dst s (* Definitions used in loop invariants. *) predicate inv_src (src: vertex) (s q: set) = mem src s \/ mem src q predicate inv (src: vertex) (s q: set) (d: t int) = inv_src src s q /\ d[src] = 0 /\ (* S and Q are contained in V *) subset s v /\ subset q v /\ (* S and Q are disjoint *) (forall v: vertex. mem v q -> mem v s -> false) /\ (* we already found the shortest paths for vertices in S *) (forall v: vertex. mem v s -> shortest_path src v d[v]) /\ (* there are paths for vertices in Q *) (forall v: vertex. mem v q -> path src v d[v]) predicate inv_succ (_src: vertex) (s q: set) (d: t int) = (* successors of vertices in S are either in S or in Q *) forall x: vertex. mem x s -> forall y: vertex. mem y (g_succ x) -> (mem y s \/ mem y q) /\ d[y] <= d[x] + weight x y predicate inv_succ2 (_src: vertex) (s q: set) (d: t int) (u: vertex) (su: set) = (* successors of vertices in S are either in S or in Q, unless they are successors of u still in su *) forall x: vertex. mem x s -> forall y: vertex. mem y (g_succ x) -> (x<>u \/ (x=u /\ not (mem y su))) -> (mem y s \/ mem y q) /\ d[y] <= d[x] + weight x y lemma inside_or_exit: forall s, src, v, d. mem src s -> path src v d -> mem v s \/ exists y. exists z. exists dy. mem y s /\ not (mem z s) /\ mem z (g_succ y) /\ path src y dy /\ (dy + weight y z <= d) (* Algorithm's code. *) let shortest_path_code (src dst: vertex) requires { mem src v /\ mem dst v } ensures { forall v: vertex. mem v visited -> shortest_path src v d[v] } ensures { forall v: vertex. not mem v visited -> forall dv: int. not path src v dv } = init src; while not is_empty q do invariant { inv src visited q d } invariant { inv_succ src visited q d } invariant { (* vertices at distance < min(Q) are already in S *) forall m: vertex. min m q d -> forall x: vertex. forall dx: int. path src x dx -> dx < d[m] -> mem x visited } variant { cardinal v - cardinal visited } let u = q_extract_min () in assert { shortest_path src u d[u] }; add u visited; let su = get_succs u in while not is_empty su do invariant { subset su (g_succ u) } invariant { inv src visited q d } invariant { inv_succ2 src visited q d u su } variant { cardinal su } let v = choose_and_remove su in relax u v; assert { d[v] <= d[u] + weight u v } done done end why3-1.6.0/examples/dijkstra/000077500000000000000000000000001440160026300160355ustar00rootroot00000000000000why3-1.6.0/examples/dijkstra/why3session.xml000066400000000000000000000331051440160026300210570ustar00rootroot00000000000000 why3-1.6.0/examples/dijkstra/why3shapes.gz000066400000000000000000000131611440160026300204770ustar00rootroot00000000000000][ܶ~_1'8Y,<eѯK2@οߏRZ$Qu%*q.]CZ3x9?5o>/^_>}}L_|O1yyx\tMk74IkVkCQᩁ 燧?c?|\۵ ߯9\q+H}t;rXt+nQ7j(cΚ7Px!=#2cHxI2ϥe`ͮ%kq{s[֩__m8)##}%$E!bW_2_ާ`j89+!,7EŰzmA^Gp7G&N7b<7g5V8i#>-O:K{-N.XYXE =~² {+BSßw!}hC kV̡IÍƿb@>'dTlNMxXl5v %ϓx%VcF2#i N|-]dn+K]QdvȻ1A/XtCT|wf'}ot\p&NrY\7"7-U`naȏg晍y*=bzwj+ҴRC|#r"[*׻JPU:%솟鰵wy҇/X])jHՐl-y۫QF:Arcd^aj+E`zCMۆPk)wtÈofJ릷]ݤ׭z#Y rfgIo!P;È>tf:g"RK!]avϷ)^lSnWzZ8Gɜo>.+v 9TA7+|5۱C}癿J{Cew^u[%Gt![\_~g=W o 6ՁCȥ},oG>v*P/$GIxGQK0; y8J^,`ۯ%b'ߐG>[Ӟz;[}rpgȢz*'"3nӈOj{a`sk<a+wd޽lQ[5PL\}I}W8@mU&Dq}daJ'@G3n-q}Ȑby4(jMz&i,7Iv7$>`$Sj!7?y]uq8.F8!y]ڨG']D`FNRI.Wmmqq<`h',ǷqX4y-jM"vs+6-+'C׶kw}aV-oOkЦCvSmU2I [֋~bŦ^z)ۮNn``m܊WߗZHNצinҴ"{=lF ujش*~45JZLML݆7[.;م; _5=; ziCyޛ#3aly}hF ,_1`\#[W+b{}1`II\{ Ug.b%\\WC;GO1L~)қH/,v?ǭ#ydɈezz~y8, ygP C{4O*V&gW{Na:=L|r7g#N<{ӱ|Ͱj>벹lc".^;h}<}98:qo9Ggxi9=}VM\68x9BvZ8}kgs[}/si7Oq傾y'{,,< wg`R_J[kOeX ]e0x9/&~fz?t1yc">ki7 GN7.O<3\4qdoy82d2߷⍉s2#ȃkLffiޘcvy?v Mwѩgө&OeĹ ͶTٛx ].#xc"82Gs<; G:ԉ{`)9l3\t/J 9E6uF65eFwUdA*Z]N d[BCzO៏'9xSbu&lt#˨-߇_Hv]o[.x%ۏݷZBڠ䵴+¯J1Lr klhymZj*ʵu++H{*(~,N|W:C髑G)߇h57zѩ~4֘7{$K7wɺkc}:IT5BMgot˾{ä%'rXr;q[* o hGz]>0?_Gh_UJn nb~gCBftq9z2s\LdcQiVzVr%V+vMĢBYFYddyVLεDƠE4iMRX6{EP-% @ pT.F@H$gb>VL֖8$n`Li|iUuK%oLv'd/ȺUVҭ=GON(΍T Gi3VK#WJM2<R rqx4֭9_?f ƐE$ß82Gibic)5JQ^]t(BwY x(h;HNZ*ר m)}PTlA 9kB3#!ö*l# 9Hv/ $x~++B ZPєj4đZLfiE/Tq$ňT 5ZnիQT5Q/iih,ua e`6M:)(*U"*W -,IK$G4L++Um9BU\^p͛`EdW[YMV,Ns(,O,D1a!'#Քmiy"wmp걄N6 Vƭ]pr F gQ d-C"( |jpÉP37ĭ,ձ1 f8I&sU,ntI񎯜XY[-g TiqH({5۪$FEd_aGg̳^ z[5dN^7sLYR8=aj9"~ɟ 2~Swά$,)TQQLQsFS21 ̟ tLE&2X6:T*N'iȢw^d[)dfipV5{Նqm8  ue@x%˥\^0y@&pkJ:QI GYb#ȊFc:_cN!RWϴH>9T%9STQ 0ţR $7(Lj!(:EUn$EHFA̤ TN79i{E8$LFK. 뾞p E/ئB*0p2t'ˬM"Yh hʻ;Q8BN6p(a-úpH//v 6LZ섀T"Hmy'\_+qwhy3-1.6.0/examples/disamb.mlw000066400000000000000000000047761440160026300162200ustar00rootroot00000000000000(** {1 Disambiguation of Plus Expressions } Author: Quentin Garchery (LRI, Université Paris-Sud) *) use int.Int use list.ListRich (** Consider the 'concrete' syntax of Plus Expressions containing only : integers, the symbol PLUS and parentheses. *) type token = INT | PLUS | LPAREN | RPAREN (** Plus Expressions are lists of tokens that satisfy the original following inductive predicate. *) inductive pe (e : list token) = | Plus : forall e1 e2. pe e1 -> pe e2 -> pe (e1 ++ Cons PLUS e2) | Paren : forall e. pe e -> pe (Cons LPAREN (e ++ (Cons RPAREN Nil))) | Int : pe (Cons INT Nil) goal pe1 : pe (Cons INT Nil) goal pe2 : pe (Cons INT (Cons PLUS (Cons INT (Cons PLUS (Cons INT Nil))))) (** Define another predicate to recognize Plus Expressions but that removes the ambiguity coming from the associativity of PLUS. *) inductive pe' (e : list token) = | Plus' : forall e1 e2. pe' e1 -> pt e2 -> pe' (e1 ++ Cons PLUS e2) | T' : forall t. pt t -> pe' t with pt (e : list token) = | Paren' : forall e. pe' e -> pt (Cons LPAREN (e ++ (Cons RPAREN Nil))) | Int' : pt (Cons INT Nil) goal pep1 : pe' (Cons INT Nil) goal pep2 : pe' (Cons INT (Cons PLUS (Cons INT (Cons PLUS (Cons INT Nil))))) (** Show that the two predicates recognize the same expressions. *) (** Strengthen the disambiguation_included formula, making sure the pt predicate appears. *) let rec lemma di_str (n : int) variant { n } ensures { forall e. (length e <= n /\ pt e) \/ (length e < n /\ pe' e) -> pe e } = if n <= 0 then () else di_str (n-1) let lemma disambiguation_included (e : list token) requires { pe' e } ensures { pe e } = di_str (length e + 1) (** Strengthen the original_included formula and prove it by using mutal recursion (showing that we can decompose an expression w.r.t its last toplevel PLUS symbol). *) let rec lemma oi_str (n : int) (ghost m : int) variant { n, m } requires { m > n } ensures { forall e. length e <= n -> pe e -> pe' e } = if n > 0 then (decomp_last_plus n (m-1); oi_str (n-1) m) with ghost decomp_last_plus (n : int) (ghost m : int) variant { n, m } requires { m >= n } ensures { forall e. length e <= n -> pe e -> not pt e -> exists e1 e2. pe e1 /\ pt e2 /\ e = e1 ++ Cons PLUS e2 } = if n > 0 then (decomp_last_plus (n-1) n; oi_str (n-1) n) lemma original_included : forall e. pe e -> pe' e lemma original_equiv_disambiguation : forall e. pe e <-> pe' e why3-1.6.0/examples/disamb/000077500000000000000000000000001440160026300154615ustar00rootroot00000000000000why3-1.6.0/examples/disamb/why3session.xml000066400000000000000000000035651440160026300205120ustar00rootroot00000000000000 why3-1.6.0/examples/disamb/why3shapes.gz000066400000000000000000000014621440160026300201240ustar00rootroot00000000000000TM#7&;T(I!^l ]MI5xȿOIwCKU^u|ss;Ӆ_p.o?~7TZpه"SR=B= ZcYp= *̬U+̼]P;)W>UpFPUAN ۇ)cw5/>)~<=a>WxLa΃:;:; 7; *Aɫf3Vzo/tet|Rr Yn#yYf71Wb* tw@ެ 䯬hCPv:}lȧ`dn\Wq W[񯸮c\FbUOXDjX-gz4M*`fg\%*/;/Uc U 3wؔ0JS/z๥:L`,_Q7] \ )z7~捬3!3!L6u&d l3s]pol0mxrݟ/m?Ky."o?ig殻ѓ'-"A\cL5N%qd38NݐQdLѨb2",T电&h88g0+s9IwNKc&r >1z#(qcF"XNo=fщzqe5(lt@;( 7+(rǜjfg(ҨF݃ހj&:4+TQ((" L˶q|l(zX|why3-1.6.0/examples/division.mlw000066400000000000000000000040531440160026300165710ustar00rootroot00000000000000 (** Euclidean division *) module Division use int.Int use ref.Refint let division (a b: int) : int requires { 0 <= a && 0 < b } ensures { exists r. result * b + r = a && 0 <= r < b } = let ref q = 0 in let ref r = a in while r >= b do invariant { q * b + r = a && 0 <= r } variant { r } incr q; r -= b done; q end (** Euclidean division from Hoare's seminal paper "An Axiomatic Basis for Computer Programming" (Communications of the ACM 12(10), 1969). Hoare's proof of Euclidean division is performed under the nine axioms for arithmetic given below, which are all valid for several models of machine arithmetic (infinite arithmetic, strict interpretation, firm boundary, modulo arithmetic). Notes: - Axioms A2 and A4 (commutativity and associativity of multiplication) are actually not needed for the proof. - Hoare is not proving termination. *) module Hoare type integer val constant zero: integer val constant one: integer val function (+) (x y: integer) : integer val function (-) (x y: integer) : integer val function (*) (x y: integer) : integer val predicate (<=) (x y: integer) axiom A1: forall x y. x + y = y + x axiom A2: forall x y. x * y = y * x axiom A3: forall x y z. (x + y) + z = x + (y + z) axiom A4: forall x y z. (x * y) * z = x * (y * z) axiom A5: forall x y z. x * (y + z) = x * y + x * z axiom A6: forall x y. y <= x -> (x - y) + y = x axiom A7: forall x. x + zero = x axiom A8: forall x. x * zero = zero axiom A9: forall x. x * one = x let division (x y: integer) : (q: integer, r: integer) ensures { not (y <= r) } ensures { x = r + y * q } diverges = let ref r = x in let ref q = zero in while y <= r do invariant { x = r + y * q } r <- r - y; q <- one + q done; q, r end module HoareSound use int.Int clone Hoare with type integer = int, val zero = zero, val one = one, val (+) = (+), val (-) = (-), val (*) = (*), val (<=) = (<=), lemma . end why3-1.6.0/examples/division/000077500000000000000000000000001440160026300160465ustar00rootroot00000000000000why3-1.6.0/examples/division/why3session.xml000066400000000000000000000037521440160026300210750ustar00rootroot00000000000000 why3-1.6.0/examples/division/why3shapes.gz000066400000000000000000000012261440160026300205070ustar00rootroot00000000000000uS]k[1 }"o ?d{40n!u^,mJ_?ٹIӭ_[|vΏ0{vqFnu_/GsK^<5_6M1AaU})nx)>_E}.zC Y^D7^l;ly[^!)jeN/D7’R5IJYgiuVQvqQE- h#S>ֺ5#T:U5~UiKWA1Z*Hm+ǻ,Z&f@ʬ6N1oﲒ ZMZS,&s2 "U%RO7vx4 |BV'_J|׷?`#ہ)^Y9@3sd6q4ʂ>w=7UJkc<`8 !Q`T@0q>d^rCU6c BA[%!Ôu.! ̔sP<(AUG.z$dR(%; (*yJ%O|Ɫ/Oq.Gd%Vf!L,b Zk,׌u$p<,LA%Dg!ٚxBj/why3-1.6.0/examples/doc_examples/000077500000000000000000000000001440160026300166655ustar00rootroot00000000000000why3-1.6.0/examples/doc_examples/digit_sum.tex000066400000000000000000000302011440160026300213670ustar00rootroot00000000000000\documentclass[12pt]{article} \usepackage{fullpage,amsmath} %\usepackage{isolatin1} \usepackage[latin1]{inputenc} \usepackage[T1]{fontenc} \usepackage{hyperref} \usepackage{xspace} \usepackage[french]{babel} \usepackage{hyperref} \usepackage{listings} \def\lstlanguagefiles{lstlang1.sty,lstlang2.sty,lstlang3.sty} \lstloadlanguages{[Objective]Caml} \lstset{% language=[Objective]Caml,% flexiblecolumns=false,% keywordstyle=\footnotesize\bfseries,% commentstyle=\it,% basicstyle=\footnotesize,% showstringspaces=false,% %extendedchar=true,% escapeinside={(*@}{@*)}% %numbers=left,% %numberstyle=\tiny,% %stepnumber=1,% %numbersep=15pt% } \lstset{literate=% {=>}{{$\Rightarrow$}}1% {>->}{{$\rightarrowtail$}}2% {->}{{$\to$}}1% {~}{{$\neg$}}1} \pagestyle{empty} \thispagestyle{empty} \sloppy \title{An exercise on proving programs with Why} \author{Jean-Christophe Fillitre and Simo Melo de Sousa} \date{November 2010} \begin{document} \maketitle \tableofcontents \section{Introduction} Programmer -- bien, c'est concevoir une solution informatique adquate, aussi systmatique et efficace que possible un problme soluble concret donn. Or, concevoir une telle solution n'est pas en gnrale une tache triviale. Une approche classique et rigoureuse voudrait que le processus de conception soit, dans le cadre de la conception d'algorithme, constitu des phases suivantes: %\begin{itemize} %\item Analyse du problme et de ces pr-requis %\item Modlisation de la solution %\item Codification de la solution dans un langage de programmation %\item Analyse de performance %\item Validation de la solution et de son code %\end{itemize} % %Si nous laissons le cadre gnral du gnie logiciel et nous nous % restreignons au cadre de la conception algorithmique, l'approche % prcdente peut se rcrire en \begin{itemize} \item Dfinition du problme et de ces contraintes \item Conception algorithmique de la solution \item Codification de la solution dans un langage de programmation \item Analyse la complexit algorithmique de la solution propose \item Preuve de correction (totale) et de compltude. \end{itemize} La pratique habituelle de la programmation ignore nanmoins ou minimise les activits lies aux deux dernire phases, de nature plus formelles ou mathmatiques, en les remplaant au mieux par une mesure exprimentale de performance et de validation par le biais d'une activit de test ou d'excution contrle. %%% j'aime pas trop la formulation commente qui suit, %%% mais l'ide est l %-- Si la situation semble moins critique sur le premier de ces deux derniers points, ce n'est pas encore vraiment le cas pour le deuxime. %De fait, la formation en complexit algorithmique est maintenant %rpandue et l'analyse de la complexit dans le pire des cas est un %bagage standard de tout informaticien. Reconnaitre une solution au %comportement exponentielle est accessible l'informaticien standard. %L'analyse de performance, essentiellement dans le pire des cas, %dispose aussi maintenant d'outils automatiques assez performants. %-- Nous allons ainsi montrer par la pratique qu'il est possible d'entreprendre l'approche rigoureuse jusqu' son terme en s'attaquant la dernire des phases: la vrification de la correction et de la compltude. Si cette tche est possible, elle n'est, bien entendu, pas forcment aise. La difficult de cet exercice est clairement lie la complexit ou subtilit de la solution algorithmique/programmatique propose. Une solution efficace se distancie en gnrale d'une solution naturelle souvent simples mais inefficace. Comprendre et accepter sa correction peux exiger une certaine rflexion. L'argumenter ne sera donc pas forcement une tche immdiate. Tout comme en programmation o il y a un foss entre la connaissance du langage de programmation et la matrise de la conception de programmes, si il y a une science de la preuve de programme, il existe galement tout un art, un savoir-faire, dans la construction d'une preuve, surtout si l'on vise une preuve lgante ou aussi automatique que possible. Comprendre quelle spcification rendra la preuve plus aise requiert une certaine exprience. Ce document s'attache donc explorer un exemple de cette catgorie et introduire l'exercice de dmonstration de correction et de compltude assiste par ordinateur. \section{Organisation du document} \section{Dfinition du problme} Le problme considr ici a t propos comme dfi au concours de programmation MIUP'2010 (Maratona Inter-Universitria de Programao, preuve nacional portugaise du circuit de concours ACM-ICPC) qui a eu lieu a l'Universit d'vora - Portugal le 16 Octobre 2010. The digit sum $d(x)$ of a natural number $x$ is the sum of its digits. For instance $d(10043827) = 25$. Given two natural numbers $y$ and $z$ such that $0 z_d\ldots z_0$). Dans ce cas notons aussi que $\Sigma_{i=d+1}^m x_i=\Sigma_{i=d+1}^m z_i$ (soit $a$ cette valeur). Soient $b_x=\Sigma_{i=0}^d x_i$ et $b_z = \Sigma_{i=0}^d z_i$, nous avons $b_x>b_z$. Il est facile de voir que $y=a+b_x$ et $d(z)=a+b_z$. Trouver le plus petit $x$ c'est donc, partant de $z$, trouver un indice $d$ plus droite possible dans $z$ tel qu'il soit possible de trouver la plus petite augmentation de $z_d$ ($x_d$) qui rende possible l'expression d'un nombre $x_{d-1}\ldots x_0$ ayant comme digit-sum $y-a-x_d$ (c'est dire, $\Sigma_{i=0}^{d-1}x_i = y-a-x_d$). Pour cela remarquons qu'il nous suffit de parcourir $z$ de $z_0$ $z_m$ et que pour chacun des $z_i$ essayer (dans l'ordre) les diffrents chiffres qui suivent $z_i$. Une tentative russi si l'on russi exprimer avec $i-1$ chiffres le plus petit nombre qui complte la digit-sum. Si aucune tentative russi alors $z_i$ n'est pas le bon chiffre ($i$ n'est pas $d$), il faut tenter $z_{i+1}$. \begin{lstlisting} (*reading the input*) let ys = Sys.argv.(1) let zs = Sys.argv.(2) (*n is the size of z*) let n = String.length zs let y = int_of_string ys (* bound for the size of x*) let max_digits = 1 + max n (y / 9) (* x is initialized as z (with the digit in reverse order)*) let x = Array.create max_digits 0 let () = for i = 0 to n - 1 do x.(n - 1 - i) <- Char.code zs.[i] - Char.code '0' done let () = (* let s be the digit-sum of x / z*) let s = ref 0 in for i = 0 to max_digits - 1 do s := !s + x.(i) done; (* we try for each digit, staring from the rightmost digit*) for d = 0 to max_digits - 1 do (* s is the sum of digits d..n-1 *) (* solution with digits > d intacts, and digit d increased by 1 or more *) for c = x.(d) + 1 to 9 do let delta = y - !s - c + x.(d) in if 0 <= delta && delta <= 9 * d then begin x.(d) <- c; let k = delta / 9 in for i = 0 to d-1 do x.(i) <- if i < k then 9 else if i = k then delta mod 9 else 0 done; for i = max d (n-1) downto 0 do Format.printf "%d" x.(i) done; Format.printf "@."; exit 0 end done; s := !s - x.(d) done \end{lstlisting} \section{Considrations sur la complexit de la solution} \section{Considrations sur la vrification formelle de la solution} \section{Un courte introduction la preuve de programmes avec l'outils Why} \section{Preuve incrmentale de correction et de compltude de la solution} \section{Conclusion} \end{document} %%% Local Variables: %%% mode: latex %%% ispell-local-dictionary: "francais" %%% End: % LocalWords: BNF q Orl\'{e}ans why3-1.6.0/examples/double_wp/000077500000000000000000000000001440160026300162025ustar00rootroot00000000000000why3-1.6.0/examples/double_wp/compiler.mlw000066400000000000000000000207401440160026300205400ustar00rootroot00000000000000 (*Imp to Vm compiler *) (**************************************************************************) (* Compiler for arithmetic expressions *) module Compile_aexpr use int.Int use list.List use list.Length use list.Append use imp.Imp use vm.Vm use state.State use logic.Compiler_logic use specs.VM_instr_spec (* Compilation scheme: the generated code for arithmetic expressions put the result of the expression on the stack. *) function aexpr_post (a:aexpr) (len:pos) : post 'a = fun _ p ms ms' -> let VMS _ s m = ms in ms' = VMS (p+len) (push (aeval m a) s) m meta rewrite_def function aexpr_post let rec compile_aexpr (a:aexpr) : hl 'a ensures { result.pre --> trivial_pre } ensures { result.post --> aexpr_post a result.code.length } variant { a } = let c = match a with | Anum n -> $ iconstf n | Avar x -> $ ivarf x | Aadd a1 a2 -> $ compile_aexpr a1 -- $ compile_aexpr a2 -- $ iaddf () | Asub a1 a2 -> $ compile_aexpr a1 -- $ compile_aexpr a2 -- $ isubf () | Amul a1 a2 -> $ compile_aexpr a1 -- $ compile_aexpr a2 -- $ imulf () end in hoare trivial_pre c (aexpr_post a c.wcode.length) (* Check that the above specification indeed implies the natural one. *) let compile_aexpr_natural (a:aexpr) : code ensures { forall c p s m. codeseq_at c p result -> transition_star c (VMS p s m) (VMS (p + length result) (push (aeval m a) s) m) } = let res = compile_aexpr a : hl unit in assert { forall p s m. res.pre () p (VMS p s m) }; res.code end (* Compiler for boolean expressions. *) module Compile_bexpr use int.Int use list.List use list.Length use list.Append use imp.Imp use vm.Vm use state.State use logic.Compiler_logic use specs.VM_instr_spec use Compile_aexpr (* Compilation scheme: the generated code perform a jump iff the boolean expression evaluate to cond. *) function bexpr_post (b:bexpr) (cond: bool) (out_t:ofs) (out_f:ofs) : post 'a = fun _ p ms ms' -> let VMS _ s m = ms in if beval m b = cond then ms' = VMS (p + out_t) s m else ms' = VMS (p + out_f) s m meta rewrite_def function bexpr_post function exec_cond (b1:bexpr) (cond:bool) : pre 'a = fun _ _ ms -> let VMS _ _ m = ms in beval m b1 = cond meta rewrite_def function exec_cond let rec compile_bexpr (b:bexpr) (cond:bool) (ofs:ofs) : hl 'a ensures { result.pre --> trivial_pre } ensures { result.post --> let len = result.code.length in bexpr_post b cond (len + ofs) len } variant { b } = let c = match b with | Btrue -> $ if cond then ibranchf ofs else inil () | Bfalse -> $ if cond then inil () else ibranchf ofs | Bnot b1 -> $ compile_bexpr b1 (not cond) ofs | Band b1 b2 -> let c2 = $ compile_bexpr b2 cond ofs % exec_cond b1 true in let ofs = if cond then length c2.wcode else ofs + length c2.wcode in $ compile_bexpr b1 false ofs -- c2 | Beq a1 a2 -> $ compile_aexpr a1 -- $ compile_aexpr a2 -- $ if cond then ibeqf ofs else ibnef ofs | Ble a1 a2 -> $ compile_aexpr a1 -- $ compile_aexpr a2 -- $ if cond then iblef ofs else ibgtf ofs end in let ghost post = bexpr_post b cond (c.wcode.length + ofs) c.wcode.length in hoare trivial_pre c post (* Check that the above specification implies the natural one. *) let compile_bexpr_natural (b:bexpr) (cond:bool) (ofs:ofs) : code ensures { forall c p s m. codeseq_at c p result -> transition_star c (VMS p s m) (VMS (p + length result + if beval m b = cond then ofs else 0) s m) } = let res = compile_bexpr b cond ofs : hl unit in assert { forall p s m. res.pre () p (VMS p s m) }; res.code end module Compile_com use int.Int use list.List use list.Length use list.Append use imp.Imp use vm.Vm use state.State use logic.Compiler_logic use specs.VM_instr_spec use Compile_aexpr use Compile_bexpr (* Compilation scheme: the generated code for a command simulates the command on the memory part of the machine state. *) (* As we specify only terminating behavior, we have to require that the source program terminates in the initial conditions. *) function com_pre (cmd:com) : pre 'a = fun _ p ms -> let VMS p' _ m = ms in p = p' /\ exists m'. ceval m cmd m' meta rewrite_def function com_pre function com_post (cmd:com) (len:pos) : post 'a = fun _ _ ms ms' -> let VMS p s m = ms in let VMS p' s' m' = ms' in p' = p + len /\ s' = s /\ ceval m cmd m' meta rewrite_def function com_post function exec_cond_old (b1:bexpr) (cond:bool) : pre ('a,machine_state) = fun x _ _ -> let VMS _ _ m = snd x in beval m b1 = cond meta rewrite_def function exec_cond_old (* Invariant for loop compilation: any intermediate state would evaluate to the same final state as the initial state. *) function loop_invariant (c:com) : pre ('a,machine_state) = fun x p msi -> let VMS _ s0 m0 = snd x in let VMS pi si mi = msi in pi = p /\ s0 = si /\ exists mf. ceval m0 c mf /\ ceval mi c mf meta rewrite_def function loop_invariant function loop_variant (c:com) (test:bexpr) : post 'a = fun _ _ msj msi -> let VMS _pj _sj mj = msj in let VMS _pi _si mi = msi in ceval mi c mj /\ beval mi test lemma loop_variant_lemma : forall c test,x:'a,p msj msi. loop_variant c test x p msj msi = let VMS _pj _sj mj = msj in let VMS _pi _si mi = msi in ceval mi c mj /\ beval mi test meta rewrite lemma loop_variant_lemma (* Well-foundedness of the loop variant. *) lemma loop_variant_acc : forall c test,x:'a,p mi mj. let wh = Cwhile test c in let var = (loop_variant c test x p) in (ceval mi wh mj -> forall pi si. acc var (VMS pi si mi)) by forall pi si mi mj mf. ceval mi c mj /\ beval mi test -> ceval mj wh mf /\ (forall pj sj. acc var (VMS pj sj mj)) -> acc var (VMS pi si mi) by (forall pk sk mk. var (VMS pk sk mk) (VMS pi si mi) -> mk = mj) let rec compile_com (cmd: com) : hl 'a ensures { result.pre --> com_pre cmd } ensures { result.post --> let len = result.code.length in com_post cmd len } variant { cmd } = let res = match cmd with | Cskip -> $ inil () | Cassign x a -> $ compile_aexpr a -- $ isetvarf x | Cseq cmd1 cmd2 -> $ compile_com cmd1 -- $ compile_com cmd2 | Cif cond cmd1 cmd2 -> let code_false = compile_com cmd2 in let code_true = $ compile_com cmd1 -- $ ibranchf code_false.code.length in $ compile_bexpr cond false code_true.wcode.length -- (code_true % exec_cond cond true) -- ($ code_false % exec_cond_old cond false) | Cwhile test body -> let code_body = compile_com body in let body_length = length code_body.code + 1 in let code_test = compile_bexpr test false body_length in let ofs = length code_test.code + body_length in let wp_while = $ code_test -- ($ code_body -- $ ibranchf (- ofs)) % exec_cond test true in let ghost inv = loop_invariant cmd in let ghost var = loop_variant body test in $ inil () -- make_loop wp_while inv (exec_cond test true) var end in hoare (com_pre cmd) res (com_post cmd res.wcode.length) (* Get back to natural specification for the compiler. *) let compile_com_natural (com: com) : code ensures { forall c p s m m'. ceval m com m' -> codeseq_at c p result -> transition_star c (VMS p s m) (VMS (p + length result) s m') } = let res = compile_com com : hl unit in assert { forall c p s m m'. ceval m com m' -> codeseq_at c p res.code -> res.pre () p (VMS p s m) && (forall ms'. res.post () p (VMS p s m) ms' -> ms' = VMS (p + length res.code) s m') }; res.code (* Insert the final halting instruction. *) let compile_program (prog : com) : code ensures { forall mi mf: state. ceval mi prog mf -> vm_terminates result mi mf } = compile_com_natural prog ++ ihalt (* Execution test: compile a simple factorial program, e.g X := 1; WHILE NOT (Y <= 0) DO X := X * Y; Y := Y - 1 DONE (why3 execute -L . compiler.mlw Compile_com.test) *) let test () : code = let x = Id 0 in let y = Id 1 in let cond = Bnot (Ble (Avar y) (Anum 0)) in let body1 = Cassign x (Amul (Avar x) (Avar y)) in let body2 = Cassign y (Asub (Avar y) (Anum 1)) in let lp = Cwhile cond (Cseq body1 body2) in let code = Cseq (Cassign x (Anum 1)) lp in compile_program code let test2 () : code = compile_program (Cwhile Btrue Cskip) end why3-1.6.0/examples/double_wp/compiler/000077500000000000000000000000001440160026300200145ustar00rootroot00000000000000why3-1.6.0/examples/double_wp/compiler/why3session.xml000066400000000000000000001031201440160026300230310ustar00rootroot00000000000000 why3-1.6.0/examples/double_wp/compiler/why3shapes.gz000066400000000000000000000426141440160026300224630ustar00rootroot00000000000000}[s7;vwejRH\ÞW6=TjIQeEQ@"/$݇w=p|qOSDxpCO?2"=䜞OÁ]?5|zwO~.{?dxǃ|i~ Ʒӌc$_^Tzw?![*߽_,t|ynބ7>;,@xSIOW.Tӕ ~o`v 6wcu>M)? Iwh>ደ=FYCw>%+2=J >*/s|9v&9<>WQΩI˵:T^zގzƶ}5wLD#)%A]_w$=!ʜŸ l?xݼ\uBa /ߥ'/_>P8}3|ژ+#94Qߨ$*q?ڶPƦL; "[r|FTj8^Su2 Ɏ"5y[!Kh-Mds~DI8^qHңF4TMTyI)ek^|< H0y~ĺbWJ^&`kCe5+|d,P7/765@?|Lq |UuaxZ!lNbʃ z}5Q@0=BQ%DUȤJ¯pA i|ɰKz8 $Kp<;JOVLEiqۘ#Ԑ-o>H(B*j5gzS5m_z,|Ⱥ,tA/QS'(&JeGQ(\{"PR(ůE+ʴ$6JOs';)AjTTNꮅIvRk0',,aٗO-FѾ~Pw7(*^ : *‚Js/1khPe?h+|UdoxI޵)DC彭{KB*[v]Dz޴ʹe8$Lp2/6 j(]ؙG7WkcbwSu*})Pv*𲩝hmO&T.u_,?o3Mi6AF?ž]U Lvx2{& !KuHOjTʓZ}}W@k4 AT)ҷX)Q = vm!Z/N(*{Ee]N7*Zq1G4gZ_IAL2"ݗ'0cF[brrgmNSoIh~{ D el${ITJB-/$Jbd:$z]^g(m8cp"w>tS>m6re*wjP%ZuY5]֮~LՂ\ӿ^3Ct9un5RbEk7{HqPUzJ~a ;k j#TE&ZI~{Y#l}FŽ][ޞ~RIDԞ/.j=`B`Z+ V )@:Z*&MLvGEYJ8}*:KG鸩O.WgSKYU9c*l;㊪v~soZgb#X\sz.ţݣЖzمθՏ ǎ(*GX.3h9ª ըʽh_NVJNQ#d9JvSs$PBL#H)QãZg+k;Tg͠(ط`\3E=C)ۺ|[Mescho 4~unTwV3֙c#VgSEIʓ}Vi#:ÛxMճ7 %^6JeP{+^\o;׈^;OkWYyzpG]\飆iX+NߟtBcy'J#2qE{7.*=idoc]u;FA>(zQK;ب6 QSq%Bup4 :jrzT)ЛQhvBUrJtOg^K\ķ%fYKk\"&.y,|_Ȟ>$߶?RcS%Ԟ&ޯup>Ԗ~cC mPJ~Җ!; ϵ%muiy.ήԈ=RX,Ht)^1XK[kvFĻ~eŠۯykctya,Xtz)߄7Ԉ״}?~gxGy*-1::q\Ņ*!_򄌇m{9BkZFĥ3 yDmu2u?@j$ϗZ-[1]ꇩ+5u\*P|v[r#7mGFn򌶢UѪb8!4npu%> _?"؞iۇp6CÇ7x[w:ꒊ]҉1 垀a\;F6]짯hG45mA Fowu3MBQ>/i{Ocۇqy\ح1+ W~ڬ孮57yw01'7y$2ʿLbxZZ@9踻!JmUI:bXD%,!1^CVS:r4E62 ɫ!GC#GYeu,"2D߭@x7@=G \N'4k(XIJD /o ډmN9h{jP+7쉦'^{!zVx(%'6Bl qFTe%zζV+WmdsLu)-U*c߁&r@f}q#k?\TT# ;[Sѭ7zȺWݩ-qkiVsmݼҌ;Q=]V|Hk*ɵ߭䒐 Wیه X=ƩfS&bR?5yrϝ#wx@b֣b/IO_R&_>}JV')9=GWf1L'h_j *srk3>*}ܚ־2eޔ)6evS|r4۔7?u f-53iy g;:1}y`#:V*%AF)='ܲ\rvUÜ'܂-7L7 ݖ.SMu 4%ZKD.Z,*0MS)ݍzW,%K 9..sXvBxv_)@Y-( f5[y7N䠲S^c͆Ta@ 6&Ydhj$c|#Kb-WP:Y<)-XǡisqVEJC,i%s$amJJm͵QWŌqk6vE5VЦ4cd|nG 55OһӮo/h,1c/_h=G#1I`bMxe+`6k]BX)qZPs {k#؞9趺pȽ۸ GVPy(Uy_IϿ V[l8E ?w E :|>;zs¾naQGiL^Ͻ0]|>k#zox UR "-amK=@:׏aNϚxvt0fy#d]$ֱ14  W;uuNm$ձ&ׂ YԎx .dN##H7C|ӾG+Yzۮ?E_Zbѫ\R&I[k V5_K 2ʪqIC3v 4=~mY_%!e׷9 ~)He#t Y3$fƽǘ`X5PY&Egt.+ۑjX} ^@QTf=d9<7KG4˳2E^[=c.nmx#;1Y1ߝ9qsS+۬Ig)S )nt\̾dҫs#lNQ05+o*:~M 8e/CS- %a_1uzVt>(ge:w;/՝jOиfMfT B[DZL,%e[:z\?x3T%^{kg 8z l|?x>&P[xN1T+?Z6 4Q%PԢJ+t YfĹB'=+'f ) s*o{@K `I˸Cu] Rb}( bYw#8 .&1FʄJ ȮDkOߜ4jSd6 xf}$/_i&Aľ 8U,:u}NQ链c8{pJ0Kgy woN)$vƮ#W7;s^CFPϑ߾ mCkPv/y>Cn<>~8 ZVTnnI/D:ɺjE8:sva(oߦm!*dz(l f# $5D7;g/)sȬ*27* k** J{OZq#Aɸ xR;!uA Wn.ؗbY|"jQBAZjq_\"p%n愸$n=HeO! *tMERFA}?)n{,[ DDjo qE3ڽDʞDL̳tE v(@(@ĩ(@>( C䃣JmQ<ޱnj\̦߬4/ճ,5UR9[LM1c[!ѽ#vl_9N8M[(l8mզ*p%N*<534OR㗷WnWG$ M5H31hE#eyՉx~+:&Uyb t"uTl5ұf/)GI9բm[w䚛s/O{̳Tn6S(腶__Lbr9~1m_ KqM1lJ< u4RY鐞f inZ/M iGjl9h#hX2|=6\[$$b;ը>ҨkQAEٓ)0=]V_0:BSW,$=4ЭVbmkcJue ĶX36eiGAU66n&I|Fgw7h뒶6*bQ1۞?U2Ψ <8}3̮th _Md* aO뺓\FS&ƑA&*61!ۡVh4uHB x@`v _x݂0>LJU7. eފ,{ϩt*Nx69Pz٩iБ-ӹh܎rhG% r.;#DCּ<&:MuN&<: Ĺҁ[rqRXjh7zJ[_eδDnmItpĶf@\)ƒۗTmypluNd>&׭:/H[b{G2iu9WIw&ny|}Q[_\<8!񯾠))f+Ƕ#;+T 6In ~MV*͞t]6'ΝL 991ĝmH#4lH2.!!7q]a؟4ƾY)h= ܯ3yMG/|(- k:p!,+bO46ol"> \wԂR.4֎2^ߝ9#+{pֳwqVnX,rdʣ딳L,ʭM.-^-gK@*nFvt6fU05-^% ÿhgĝV^(p1Mwq>7u9s;Hݶ,3_-¢Ŕd\$5}qx5hȶF..:}wlbll:6v4G\vvT;;ES} KK%orɸ˚Ϥ(ץ{Q_R*[x[I+D'&sGGti2iuYTVUꝳWo[e: ŧcjwfQl6c)XL.6OْtS:QRafg|Z/:0Z>a¢˵ƊY%xU99bKg{lҪ31NEcIõ'?(:u=[jZ~6ujWmYVLsB=|}&;8 ΄QK§]yS|glmȷ|^w*pfm /|f+ܼ)rz|*ǧuriJ9})42ǣHKuK_9oޔohƬ5,;gG5j:}Yvk4.V[Pw7IWdb`]`_mI=Eۉ!,VV{a[Y^Ɉ^-We~_# 0#ˁ(]KTxZeݼ;8'KN?;>6NG|1ĺ=V;ک|*y:WUۡ:w7`kvb-E-iGhtpaCcsrno.NoD;ʳtUR]e!5{BjZceXM_ _w7ǫמNebxkV+XDϱZ``_0dP{JTݕ[àv zaai~TW2ΞP~MMÆk0lKw+(uHjR1 5 YCr7YH͞vȧkMWaxy}>ý=x"VZ5;տ>-R\ RϿ x~ha Qt b-EK!J7 Qn%'/`{T`ٓ~BPonMMv)f-[=镽r4)ړF==)8(Ħ0{W~1&ڛ_Lҽ+s%M-Аϸ%VV]BqKKqYbCgj'߮bm1Z9lw+^3w:E,]EB!eB5Ye 0x9mWv1ͳ(Gլ+te 2-q o.UGoP%-UuDocEU@)(~yd*8jZ*Ygb 5[qJ*-ldЪ'Ch'2"X9616n']ˬvTnp.rۿW+G 'pע%|||! Ro) ⢕D޺IQɞ4inw4ySN7*&/:|wxGM{?q~ "mK<}gch b :2~!ہ^ↈܐ/I?އ>xOg *hzk_*8r4fT_~9MD\k覺\]躹K1,*bZEVfM i;)RRWD޼HB "ILւ&Y^O6ꣿXlFSH Bt1;ʟ7$<Nqul6Jj'f#(&2,, e7A[aXbye~bWVB-f&;& fcGBJ-Sw'AXcA{!'93Bʏ4K?/xn^LG hBjQȭVlܹ0^ŒBj#bQB#{1j蝍&5 NZ{9}+m e9:9h'0 &cfFK*uj6z(Yh!WV)7g fnc1W\g+^ 0x)^jGcmjBǤ'4j$ g^-A#(h-I=*'<;+0³O2$f'1M Cp'>y%3SH-WHDhC{6 I$W^e[&9)m& J]96B QrqliT2qW ^IJWҾԯz%+)^IH,{%l$ּ聺R,-!~bU$o~3w* .`)Q0==z }Z p/rCYV+ j{0p)2SDT{xzr]&f2L䆾 aZ0 a ([0 Y1yg aaG!, Er'&?b#X`\'bX8g>"~z,<A| L!N0eP{ƀ;` UFa*00.`yUUbXD2 wDsIC× O 4">pgHՌqY L5 z8o֑Ճ͸ !(i)""H TWhۍA)=b0xXN_-X,JDZ6}A)J9jH3TiFHcG#@ܱO<< sxV 9Y`FV {;Ce YayƓ{D 0#0d&8藑',͔ɰ0p`~K8+,UYd$k?f1Ryu.rqFQ@9 /‰ &#`XuɅM,٤5k0Rn S h>0 hdG&z@J|6NB>, V8NM.. wЄ`b ŐDDH,f0PkV[I@@u>tS,F0p0t[L BSg&N1d+6de>kk" 9$`Gd9Opip3 D-S0=-GspXKF +R3C0`v#$hX 0.,:9 :ത Ndf(گō?FQ>0jNeF @ܰځ4x M i 7b(xphB g+SMłF6%ѾdɈ= a 4{tonp@%dlNw[O@܈#4^&(9$ t i@ ]p@S SBRU' ^*ZFIVФ?X?Be?ZMB9 9剸T,`遝 ^Cd/}1 1 3guA+NU=y##q!urR dIB$M!d 8{7Oc>T PnD43}HyA>D4^M"矊>.Wt>-/B w[u_+t CkirMNsSˀpg*K>}4Gih9-#zXC'_6$P?eLσCO>}y!`hoӣ҈ᭃLz*4wb4 sI8#@2ܛE &E'3iGPX=ꬠ29 EжVpF1CD\%_dc /9X`i3=3B'' 4ä>F(Xv}h-8тHL`W'B!:K]|BvX{2ZJ.2 0 @`81dCĄpክ %PO?ԢRL7r`E Lߓ%nyRajn@ ͊ƠS}1(oPޠAyr4iZ;i^дNDk /-wVM@SuID% v O P#A Z:{Ĭ0,9GpK0B1SiZb(s״ƠPiJi n44)LḇuOKeȇ,v|@kh ټO,H0Pyؑ^kQM<ǞJc<҆ 8TrOg&,3idj`W!h% >%S)بO7 W4!Tx)H+ӴYόx#X T/!zJ/FhT> 3<#s~atD 3VuO{DZYn<{=(QD}w^Q5gh`I*2LA+ͳiqs]=2=Frpr q<\Q{= $|~l/=zxIM VqK܇|bߣEdA Kڛ6ɂ6AFiranedZR96O{2$;Zi'c٪'=])a0speğײ("S a~?AdT@Cs BA'=f-g1iHDb@\|bGO< t|vriW{'y.(O)8F;hmw̫=5, vFH6vsɒ= r~3m{fG; @T> 6 {R9mAPIJii#MJ53,Cܼ,yw3 H'Ej꾓6MW Ϥ#"码ˌ@In*ЫA0#P&G ڈc80wڏj_~hSG>4hRNi C!]YXM Ce n | Avar x -> st[x] | Aadd e1 e2 -> aeval st e1 + aeval st e2 | Asub e1 e2 -> aeval st e1 - aeval st e2 | Amul e1 e2 -> aeval st e1 * aeval st e2 end function beval (st:state) (b:bexpr) : bool = match b with | Btrue -> true | Bfalse -> false | Bnot b' -> notb (beval st b') | Band b1 b2 -> andb (beval st b1) (beval st b2) | Beq a1 a2 -> aeval st a1 = aeval st a2 | Ble a1 a2 -> aeval st a1 <= aeval st a2 end inductive ceval state com state = (* skip *) | E_Skip : forall m. ceval m Cskip m (* assignement *) | E_Ass : forall m a x. ceval m (Cassign x a) m[x <- aeval m a] (* sequence *) | E_Seq : forall cmd1 cmd2 m0 m1 m2. ceval m0 cmd1 m1 -> ceval m1 cmd2 m2 -> ceval m0 (Cseq cmd1 cmd2) m2 (* if then else *) | E_IfTrue : forall m0 m1 cond cmd1 cmd2. beval m0 cond -> ceval m0 cmd1 m1 -> ceval m0 (Cif cond cmd1 cmd2) m1 | E_IfFalse : forall m0 m1 cond cmd1 cmd2. not beval m0 cond -> ceval m0 cmd2 m1 -> ceval m0 (Cif cond cmd1 cmd2) m1 (* while *) | E_WhileEnd : forall cond m body. not beval m cond -> ceval m (Cwhile cond body) m | E_WhileLoop : forall mi mj mf cond body. beval mi cond -> ceval mi body mj -> ceval mj (Cwhile cond body) mf -> ceval mi (Cwhile cond body) mf (* Determinstic semantics *) lemma ceval_deterministic_aux : forall c mi mf1. ceval mi c mf1 -> forall mf2. ([@inversion] ceval mi c mf2) -> mf1 = mf2 lemma ceval_deterministic : forall c mi mf1 mf2. ceval mi c mf1 -> ceval mi c mf2 -> mf1 = mf2 end why3-1.6.0/examples/double_wp/imp/000077500000000000000000000000001440160026300167675ustar00rootroot00000000000000why3-1.6.0/examples/double_wp/imp/why3session.xml000066400000000000000000000052741440160026300220170ustar00rootroot00000000000000 why3-1.6.0/examples/double_wp/imp/why3shapes.gz000066400000000000000000000014251440160026300214310ustar00rootroot00000000000000IE+>Ŗ,s"7˜ F{"z82ŋ_v|NSx:ỻp[ , _ ??ESŋ\T"ne VlIus5=ZtjëxK|l/f!8?;].$[xxU .`"]:>ʍtAX0yϋN ( ڗ ֮vg%&0ވO<1m7$;TZGҟ>_Bg*E JLe~?ǒόB݊:OmkKsXǘCOne7t7O?m~+\[l@_}C~VhRv;wWEw]WsUnĵ?s51 YsTS}5;)H5UĈ16iu% (}EK }x%bFC9F4&'%|[kBG 8EPs+BQ*@GHU4S2Qp%y\|CCKL =LU Z`"A{D+R%W%j C+8ZZ"EG $RjmS ɣ9 Ƙ(]:1s6TU$m aMbVT%Ҫlf7+=L躎c5AŚ%DZ5 Rt{JhuYQjrTwhy3-1.6.0/examples/double_wp/logic.mlw000066400000000000000000000151011440160026300200160ustar00rootroot00000000000000 (* Program logic (hoare logic + weakest preconditions) over Virtual Machine language. *) module Compiler_logic use int.Int use list.List use list.Length use list.Append use vm.Vm use state.State function fst (p: ('a,'b)) : 'a = let (x,_) = p in x meta rewrite_def function fst function snd (p: ('a,'b)) : 'b = let (_,y) = p in y meta rewrite_def function snd predicate (-->) (x y:'a) = [@rewrite] x = y meta rewrite_def predicate (-->) (* Unary predicates over machine states *) type pred = machine_state -> bool (* Binary predicates over machine states *) type rel = machine_state -> pred (* pre/post-conditions types, as parameterized unary/binary predicates. 'a represents auxiliary variables pos is an auxiliary variable representing the absolute position at which the code is loaded. *) type pre 'a = 'a -> pos -> pred type post 'a = 'a -> pos -> rel (* Machine transition valid whatever the global code is. *) predicate contextual_irrelevance (c:code) (p:pos) (ms1 ms2:machine_state) = forall c_glob. codeseq_at c_glob p c -> transition_star c_glob ms1 ms2 (* Hoare triples with explicit pre & post *) type hl 'a = { code: code; ghost pre : pre 'a; ghost post: post 'a } (* (Total) correctness for hoare triple. *) invariant { forall x:'a,p ms. pre x p ms -> exists ms'. post x p ms ms' /\ contextual_irrelevance code p ms ms' } by { code = Nil; pre = (fun _ _ _ -> false); post = fun _ _ _ _ -> true } (* Predicate transformer type. Same auxiliary variables as for Hoare triples. *) type wp_trans 'a = 'a -> pos -> pred -> pred (* Code with backward predicate transformer. *) type wp 'a = { wcode : code; ghost wp : wp_trans 'a } (* Similar invariant for backward predicate transformers *) invariant { forall x:'a,p post ms. wp x p post ms -> exists ms'. post ms' /\ contextual_irrelevance wcode p ms ms' } by { wcode = Nil; wp = fun _ _ _ _ -> false } (* WP combinator for sequence. Similar to the standard WP calculus for sequence. The initial machine state is memorized in auxiliary variables for potential use in the second code specification. *) function seq_wp (l1:int) (w1:wp_trans 'a) (w2:wp_trans ('a,machine_state)) : wp_trans 'a = fun x p q ms -> w1 x p (w2 (x,ms) (p+l1) q) ms lemma seq_wp_lemma : forall l1,w1: wp_trans 'a,w2 x p q ms. seq_wp l1 w1 w2 x p q ms = w1 x p (w2 (x,ms) (p+l1) q) ms meta rewrite lemma seq_wp_lemma (* Code combinator for sequence, with wp. *) let (--) (s1 : wp 'a) (s2 : wp ('a, machine_state)) : wp 'a ensures { result.wcode.length --> s1.wcode.length + s2.wcode.length } ensures { result.wp --> seq_wp s1.wcode.length s1.wp s2.wp } = let code = s1.wcode ++ s2.wcode in let res = { wcode = code; wp = seq_wp s1.wcode.length s1.wp s2.wp } in assert { forall x: 'a, p post ms. res.wp x p post ms -> not (exists ms'. post ms' /\ contextual_irrelevance res.wcode p ms ms') -> (forall ms'. s2.wp (x,ms) (p + s1.wcode.length) post ms' /\ contextual_irrelevance res.wcode p ms ms' -> false) && false }; res function fork_wp (w:wp_trans 'a) (cond:pre 'a) : wp_trans 'a = fun x p q ms -> if cond x p ms then w x p q ms else q ms lemma fork_wp_lemma: forall w:wp_trans 'a,cond x p q ms. fork_wp w cond x p q ms = ((not cond x p ms -> q ms) /\ (cond x p ms -> w x p q ms)) meta rewrite lemma fork_wp_lemma (* Code combinator for conditional execution. Similar to WP calculus for (if cond then s). *) let (%) (s:wp 'a) (ghost cond:pre 'a) : wp 'a ensures { result.wp --> fork_wp s.wp cond } ensures { result.wcode.length --> s.wcode.length } = { wcode = s.wcode; wp = fork_wp s.wp cond } (* WP transformer for hoare triples. *) function towp_wp (pr:pre 'a) (ps:post 'a) : wp_trans 'a = fun x p q ms -> pr x p ms && (forall ms'. ps x p ms ms' -> q ms') lemma towp_wp_lemma: forall pr ps, x:'a, p q ms. towp_wp pr ps x p q ms = (pr x p ms && (forall ms'. ps x p ms ms' -> q ms')) meta rewrite lemma towp_wp_lemma (* Unwrap code with hoare triple into code with wp. Analogous to procedure call/abstract block. *) let ($_) (c:hl 'a) : wp 'a ensures { result.wcode.length --> c.code.length } ensures { result.wp --> towp_wp c.pre c.post } = { wcode = c.code; wp = towp_wp c.pre c.post } (* Equip code with pre/post-condition. That is here that proof happen. (P -> wp (c,Q)). Anologous to checking function/abstract block specification. *) let hoare (ghost pre:pre 'a) (c:wp 'a) (ghost post:post 'a) : hl 'a requires { forall x p ms. pre x p ms -> (c.wp x p (post x p ms)) ms } ensures { result.pre --> pre } ensures { result.post --> post } ensures { result.code.length --> c.wcode.length } = { code = c.wcode ; pre = pre; post = post } function trivial_pre : pre 'a = fun _ p ms -> let VMS p' _ _ = ms in p = p' meta rewrite_def function trivial_pre (* Accessibility predicate. *) inductive acc ('a -> 'a -> bool) 'a = | Acc : forall r, x:'a. (forall y. r y x -> acc r y) -> acc r x (* Utility: some flavor of conjonction. *) function pconj (p1:pred) (x:machine_state) (p2:machine_state -> pred) : pred = fun y -> p1 y && p2 y x lemma pconj_lemma : forall p1 x p2 y. pconj p1 x p2 y <-> p1 y && p2 y x meta rewrite lemma pconj_lemma (* WP combinator for looping construction. Similar to weakest precondition for while loops. *) function loop_wp (w:wp_trans 'a) (inv cont:pre 'a) (var:post 'a) : wp_trans 'a = fun x p q ms -> inv x p ms && acc (var x p) ms && forall ms'. inv x p ms' -> if cont x p ms' then w x p (pconj (inv x p) ms' (var x p)) ms' else w x p q ms' lemma loop_wp_lemma : forall w:wp_trans 'a,inv cont var x p q ms. loop_wp w inv cont var x p q ms <-> inv x p ms && acc (var x p) ms && forall ms'. inv x p ms' -> (cont x p ms' -> w x p (pconj (inv x p) ms' (var x p)) ms') /\ (not cont x p ms' -> w x p q ms') meta rewrite lemma loop_wp_lemma (* Code combinator for looping construct. *) let make_loop (c:wp 'a) (ghost inv cont:pre 'a) (ghost var:post 'a) : wp 'a ensures { result.wp --> loop_wp c.wp inv cont var } ensures { result.wcode.length --> c.wcode.length } = let ghost wpt = loop_wp c.wp inv cont var in assert { forall x p q ms0. wpt x p q ms0 -> forall ms. inv x p ms -> acc (var x p) ms -> exists ms'. contextual_irrelevance c.wcode p ms ms' /\ q ms' }; { wcode = c.wcode; wp = wpt } end why3-1.6.0/examples/double_wp/logic/000077500000000000000000000000001440160026300172775ustar00rootroot00000000000000why3-1.6.0/examples/double_wp/logic/why3session.xml000066400000000000000000000067701440160026300223310ustar00rootroot00000000000000 why3-1.6.0/examples/double_wp/logic/why3shapes.gz000066400000000000000000000034301440160026300217370ustar00rootroot00000000000000X[o#~ׯC 19HBQC}* 9d։c)7ь4rMHl9$jz_}5=?gՊ;y2iSz$7^5lي$7l@76y'{ck[\!ȢGݛ(DZoV"νѽtRv j *"NZ!r)qu/-[ۭ6KǙ N[tޢ^yѣ5,yHDY{&=*uJ&`%\'򦤂Hyʞo^{+z@1D 9[J= ‘oD圑GI?Vt::Q]#}3i1냵DK0aF"LT>%g;%X&pX" dTb)-|ۤ9)9ޢlMR&et>c d uj &QF嘏9r\0vjxqgT,eh"zCB{ dA R5lRaԫ')@Ji.)d ZnR*s) g4m@P<jm `_dwhy3-1.6.0/examples/double_wp/specs.mlw000066400000000000000000000175661440160026300200570ustar00rootroot00000000000000 module VM_instr_spec meta compute_max_steps 0x10000 use int.Int use list.List use list.Length use vm.Vm use state.State use logic.Compiler_logic function ifun_post (f:machine_state -> machine_state) : post 'a = fun _ _ ms ms' -> ms' = f ms meta rewrite_def function ifun_post (* General specification builder for determinstic machine instructions. *) let ifunf (ghost pre:pre 'a) (code_f:code) (ghost f:machine_state -> machine_state) : hl 'a requires { forall c p. codeseq_at c p code_f -> forall x ms. pre x p ms -> transition c ms (f ms) } ensures { result.pre --> pre } ensures { result.post --> ifun_post f } ensures { result.code --> code_f } = { pre = pre; code = code_f; post = ifun_post f } (* Iconst spec *) function iconst_post (n:int) : post 'a = fun _ p ms ms' -> forall s m. ms = VMS p s m -> ms' = VMS (p+1) (push n s) m meta rewrite_def function iconst_post function iconst_fun (n:int) : machine_state -> machine_state = fun ms -> let (VMS p s m) = ms in VMS (p+1) (push n s) m meta rewrite_def function iconst_fun let iconstf (n: int) : hl 'a ensures { result.pre --> trivial_pre } ensures { result.post --> iconst_post n } ensures { result.code.length --> 1 } = hoare trivial_pre ($ ifunf trivial_pre n.iconst n.iconst_fun) n.iconst_post (* Ivar spec *) function ivar_post (x:id) : post 'a = fun _ p ms ms' -> forall s m. ms = VMS p s m -> ms' = VMS (p+1) (push m[x] s) m meta rewrite_def function ivar_post function ivar_fun (x:id) : machine_state -> machine_state = fun ms -> let (VMS p s m) = ms in VMS (p+1) (push m[x] s) m meta rewrite_def function ivar_fun let ivarf (x: id) : hl 'a ensures { result.pre --> trivial_pre } ensures { result.post --> ivar_post x } ensures { result.code.length --> 1 } = hoare trivial_pre ($ ifunf trivial_pre x.ivar x.ivar_fun) x.ivar_post (* Binary arithmetic operators specification (Iadd, Isub, Imul) via a generic builder. *) type binop = int -> int -> int constant ibinop_pre : pre 'a = fun _ p ms -> exists n1 n2 s m. ms = VMS p (push n2 (push n1 s)) m meta rewrite_def function ibinop_pre function ibinop_post (op : binop) : post 'a = fun _ p ms ms' -> forall n1 n2 s m. ms = VMS p (push n2 (push n1 s)) m -> ms' = VMS (p+1) (push (op n1 n2) s) m meta rewrite_def function ibinop_post function ibinop_fun (op:binop) : machine_state -> machine_state = fun ms -> match ms with | VMS p (Cons n2 (Cons n1 s)) m -> VMS (p+1) (push (op n1 n2) s) m | _ -> ms end meta rewrite_def function ibinop_fun let create_binop (code_b:code) (ghost op:binop) : hl 'a requires { forall c p. codeseq_at c p code_b -> forall n1 n2 s m. transition c (VMS p (push n2 (push n1 s)) m) (VMS (p+1) (push (op n1 n2) s) m) } ensures { result.pre --> ibinop_pre } ensures { result.post --> ibinop_post op } ensures { result.code.length --> code_b.length } = hoare ibinop_pre ($ ifunf ibinop_pre code_b op.ibinop_fun) op.ibinop_post constant plus : binop = fun x y -> x + y meta rewrite_def function plus constant sub : binop = fun x y -> x - y meta rewrite_def function sub constant mul : binop = fun x y -> x * y meta rewrite_def function mul let iaddf () : hl 'a ensures { result.pre --> ibinop_pre } ensures { result.post --> ibinop_post plus } ensures { result.code.length --> 1 } = create_binop iadd plus let isubf () : hl 'a ensures { result.pre --> ibinop_pre } ensures { result.post --> ibinop_post sub } ensures { result.code.length --> 1 } = create_binop isub sub let imulf () : hl 'a ensures { result.pre --> ibinop_pre } ensures { result.post --> ibinop_post mul } ensures { result.code.length --> 1 } = create_binop imul mul (* Inil spec *) function inil_post : post 'a = fun _ _ ms ms' -> ms = ms' meta rewrite_def function inil_post let inil () : hl 'a ensures { result.pre --> trivial_pre } ensures { result.post --> inil_post } ensures { result.code.length --> 0 } = { pre = trivial_pre; code = Nil; post = inil_post } (* Ibranch specification *) function ibranch_post (ofs: ofs) : post 'a = fun _ p ms ms' -> forall s m. ms = VMS p s m -> ms' = VMS (p + 1 + ofs) s m meta rewrite_def function ibranch_post function ibranch_fun (ofs:ofs) : machine_state -> machine_state = fun ms -> let (VMS p s m) = ms in VMS (p+1+ofs) s m meta rewrite_def function ibranch_fun let ibranchf (ofs:ofs) : hl 'a ensures { result.pre --> trivial_pre } ensures { result.post --> ibranch_post ofs } ensures { result.code.length --> 1 } = let cf = $ ifunf trivial_pre (ibranch ofs) (ibranch_fun ofs) in hoare trivial_pre cf (ibranch_post ofs) (* Conditional jump specification via a generic builder. *) type cond = int -> int -> bool function icjump_post (cond:cond) (ofs:ofs) : post 'a = fun _ p ms ms' -> forall n1 n2 s m. ms = VMS p (push n2 (push n1 s)) m -> (cond n1 n2 -> ms' = VMS (p + ofs + 1) s m) /\ (not cond n1 n2 -> ms' = VMS (p+1) s m) meta rewrite_def function icjump_post function icjump_fun (cond:cond) (ofs:ofs) : machine_state -> machine_state = fun ms -> match ms with | VMS p (Cons n2 (Cons n1 s)) m -> if cond n1 n2 then VMS (p+ofs+1) s m else VMS (p+1) s m | _ -> ms end meta rewrite_def function icjump_fun let create_cjump (code_cd:code) (ghost cond:cond) (ghost ofs:ofs) : hl 'a requires { forall c p1 n1 n2 s m. codeseq_at c p1 code_cd -> let p2 = (if cond n1 n2 then p1 + ofs + 1 else p1 + 1) in transition c (VMS p1 (push n2 (push n1 s)) m) (VMS p2 s m) } ensures { result.pre --> ibinop_pre } ensures { result.post --> icjump_post cond ofs } ensures { result.code.length --> code_cd.length } = let c = $ ifunf ibinop_pre code_cd (icjump_fun cond ofs) in hoare ibinop_pre c (icjump_post cond ofs) (* binary Boolean operators specification (Ibeq, Ibne, Ible, Ibgt) *) constant beq : cond = fun x y -> x = y meta rewrite_def function beq constant bne : cond = fun x y -> x <> y meta rewrite_def function bne constant ble : cond = fun x y -> x <= y meta rewrite_def function ble constant bgt : cond = fun x y -> x > y meta rewrite_def function bgt let ibeqf (ofs:ofs) : hl 'a ensures { result.pre --> ibinop_pre } ensures { result.post --> icjump_post beq ofs } ensures { result.code.length --> 1 } = create_cjump (ibeq ofs) beq ofs let ibnef (ofs:ofs) : hl 'a ensures { result.pre --> ibinop_pre } ensures { result.post --> icjump_post bne ofs } ensures { result.code.length --> 1 } = create_cjump (ibne ofs) bne ofs let iblef (ofs:ofs) : hl 'a ensures { result.pre --> ibinop_pre } ensures { result.post --> icjump_post ble ofs } ensures { result.code.length --> 1 } = create_cjump (ible ofs) ble ofs let ibgtf (ofs:ofs) : hl 'a ensures { result.pre --> ibinop_pre } ensures { result.post --> icjump_post bgt ofs } ensures { result.code.length --> 1 } = create_cjump (ibgt ofs) bgt ofs (* Isetvar specification *) constant isetvar_pre : pre 'a = fun _ p ms -> exists n s m. ms = VMS p (push n s) m meta rewrite_def function isetvar_pre function isetvar_post (x:id) : post 'a = fun _ p ms ms' -> forall s n m. ms = VMS p (push n s) m -> ms' = VMS (p+1) s m[x <- n] meta rewrite_def function isetvar_post function isetvar_fun (x:id) : machine_state -> machine_state = fun ms -> match ms with | VMS p (Cons n s) m -> VMS (p+1) s m[x <- n] | _ -> ms end meta rewrite_def function isetvar_fun let isetvarf (x: id) : hl 'a ensures { result.pre --> isetvar_pre } ensures { result.post --> isetvar_post x } ensures { result.code.length --> 1 } = let c = $ ifunf isetvar_pre (isetvar x) (isetvar_fun x) in hoare isetvar_pre c (isetvar_post x) end why3-1.6.0/examples/double_wp/specs/000077500000000000000000000000001440160026300173175ustar00rootroot00000000000000why3-1.6.0/examples/double_wp/specs/why3session.xml000066400000000000000000000172141440160026300223440ustar00rootroot00000000000000 why3-1.6.0/examples/double_wp/specs/why3shapes.gz000066400000000000000000000064111440160026300217610ustar00rootroot00000000000000[n}F_80$Wx9==;=;IS%K0ݝU:]U]۷:n>˿o懿v.\]ޥśt>ːzګ^f~r}tjIm̝7Ww=;uw7k >)))M )+#rr]$y: &g,s ɞǖLriR"sloJñT40RAv/DAiӯJ#n9oc-`}/M !lyn6egJtä"-]!O0slToZy@=\{ Y$+ꌍ#d Ŗì`?S-j/wo`N? `N1 1~5(\/s|Lv6`UmNc [0ܛG"}Ev{kWז_=+vl| g5&1(kKJh4Ձl6YhTd"),`^ԯ8Ɵg4V:F˺>*X{uպ޴k-mg-&e)B)R||@UE| -mduϋ21Nl pfˎ_m*Bg``"X BUTm!!tjW3QEvKeTϐVB)kaI}TӞkhp:|d2=W=׿qQ7w]g1=F% Ԋzҧ8LM|e@HT5{i=7EiWikTL?)b؂4rhK7х Z(ގ-Upk,f G2]k1Q ?.b2ZD:]g"p{vYcw_; PG󣷔 R) wE[rڇtZﯗTSv8<= <خJ}achszM,Ń\"pU֚J*B+L eUh.OC^uVue&jMcnp+>o|Wtu7F=O#ؾ>Γn\:y}/LthsAG>}Am J7X{.wn:5gb84|GXR,|p^\{8gOtޮsJy9h/8T_TԜ?{^l^^֭9^ds:}h Tn2|4%~d\=x_njP@^q־gOwMw\7=bWS{^]ͽ.:?bW+=[Y b^GNknzozb{*@Ur%wRdv[:oNu2x!}iGښVhl#1)+ʩ^ƈ$qQ:V b* %B #1sIt^:T4Y ]9R덋dg= ꨧ!,%蚜I why3-1.6.0/examples/double_wp/state/why3shapes.gz000066400000000000000000000000551440160026300217620ustar00rootroot00000000000000R(H,H-V(K-*ϳR0S&why3-1.6.0/examples/double_wp/vm.mlw000066400000000000000000000143341440160026300173520ustar00rootroot00000000000000 (* Utility module: reflexive transitive closure of a parameterized relation. *) module ReflTransClosure type parameter type state predicate transition parameter state state inductive transition_star parameter (x y:state) = | Refl: forall p x. transition_star p x x | Step: forall p x y z. transition p x y -> transition_star p y z -> transition_star p x z lemma transition_star_one: forall p s1 s2. transition p s1 s2 -> transition_star p s1 s2 lemma transition_star_transitive: forall p s1 s2 s3. transition_star p s1 s2 -> transition_star p s2 s3 -> transition_star p s1 s3 end (******************************************************************************) (* The machine operates on a code c (a fixed list of instructions) and three variable components: - a program counter, denoting a position in c - a state assigning integer values to variables - an evaluation stack, containing integers. *) theory Vm use state.State use int.Int use list.List use list.Length use list.Append use int.EuclideanDivision type pos = int (* read position on stack *) type stack = list int (* stack contains just integers *) type machine_state = VMS pos stack state (* virtual machine configuration *) type ofs = int (* The instruction set of the machine. *) type instr = | Iconst int (* push n on stack *) | Ivar id (* push the value of variable *) | Isetvar id (* pop an integer, assign it to variable *) | Ibranch ofs (* skip ofs instructions *) | Iadd (* pop two values, push their sum *) | Isub (* pop two values, push their difference *) | Imul (* pop two values, push their product *) | Ibeq ofs (* pop n2, pop n1, skip ofs forward if n1 = n2 *) | Ibne ofs (* pop n2, pop n1, skip ofs forward if n1 <> n2 *) | Ible ofs (* pop n2, pop n1, skip ofs forward if n1 <= n2 *) | Ibgt ofs (* pop n2, pop n1, skip ofs forward if n1 > n2 *) | Ihalt (* end of program *) type code = list instr (* Read pointer to code *) inductive codeseq_at code pos code = | codeseq_at_intro : forall c1 c2 c3. codeseq_at (c1 ++ c2 ++ c3) (length c1) c2 lemma codeseq_at_app_right: forall c c1 c2 p. codeseq_at c p (c1 ++ c2) -> codeseq_at c (p + length c1) c2 lemma codeseq_at_app_left: forall c c1 c2 p. codeseq_at c p (c1 ++ c2) -> codeseq_at c p c1 let function push (n:int) (s:stack) : stack = Cons n s let function iconst (n:int) : code = Cons (Iconst n) Nil let function ivar (x:id) : code = Cons (Ivar x) Nil let function isetvar (x:id) : code = Cons (Isetvar x) Nil let constant iadd : code = Cons Iadd Nil let constant isub : code = Cons Isub Nil let constant imul : code = Cons Imul Nil let function ibeq (ofs:ofs) : code = Cons (Ibeq ofs) Nil let function ible (ofs:ofs) : code = Cons (Ible ofs) Nil let function ibne (ofs:ofs) : code = Cons (Ibne ofs) Nil let function ibgt (ofs:ofs) : code = Cons (Ibgt ofs) Nil let function ibranch (ofs:ofs) : code = Cons (Ibranch ofs) Nil let constant ihalt : code = (Cons Ihalt Nil) (* The semantics of the virtual machine is given in small-step style, as a transition relation between machine states: triples (program counter, evaluation stack, variable state). The transition relation is parameterized by the code c. There is one transition rule for each kind of instruction, except Ihalt, which has no transition. *) inductive transition code machine_state machine_state = | trans_const : forall c p n. codeseq_at c p (iconst n) -> forall s m. transition c (VMS p s m) (VMS (p + 1) (push n s) m) | trans_var : forall c p x. codeseq_at c p (ivar x) -> forall s m. transition c (VMS p s m) (VMS (p + 1) (push m[x] s) m) | trans_set_var: forall c p x. codeseq_at c p (isetvar x) -> forall n s m. transition c (VMS p (push n s) m) (VMS (p + 1) s m[x<-n]) | trans_add : forall c p. codeseq_at c p iadd -> forall n1 n2 s m. transition c (VMS p (push n2 (push n1 s)) m) (VMS (p + 1) (push (n1 + n2) s) m) | trans_sub : forall c p. codeseq_at c p isub -> forall n1 n2 s m. transition c (VMS p (push n2 (push n1 s)) m) (VMS (p + 1) (push (n1 - n2) s) m) | trans_mul : forall c p. codeseq_at c p imul -> forall n1 n2 s m. transition c (VMS p (push n2 (push n1 s)) m) (VMS (p + 1) (push (n1 * n2) s) m) | trans_beq: forall c p1 ofs. codeseq_at c p1 (ibeq ofs) -> forall s m n1 n2. transition c (VMS p1 (push n2 (push n1 s)) m) (VMS (if n1 = n2 then p1 + 1 + ofs else p1 + 1) s m) | trans_bne: forall c p1 ofs. codeseq_at c p1 (ibne ofs) -> forall s m n1 n2. transition c (VMS p1 (push n2 (push n1 s)) m) (VMS (if n1 = n2 then p1 + 1 else p1 + 1 + ofs) s m) | trans_ble: forall c p1 ofs. codeseq_at c p1 (ible ofs) -> forall s m n1 n2. transition c (VMS p1 (push n2 (push n1 s)) m) (VMS (if n1 <= n2 then p1 + 1 + ofs else p1 + 1) s m) | trans_bgt: forall c p1 ofs. codeseq_at c p1 (ibgt ofs) -> forall s m n1 n2. transition c (VMS p1 (push n2 (push n1 s)) m) (VMS (if n1 <= n2 then p1 + 1 else p1 + 1 + ofs) s m) | trans_branch: forall c p ofs. codeseq_at c p (ibranch ofs) -> forall s m. transition c (VMS p s m) (VMS (p + 1 + ofs) s m) (* As usual with small-step semantics, we form sequences of machine transitions to define the behavior of a code. We always start with pc = 0 and an empty evaluation stack. We stop successfully if pc points to an Ihalt instruction and the evaluation stack is empty. *) clone export ReflTransClosure with type parameter = code, type state = machine_state, predicate transition = transition predicate vm_terminates (c:code) (mi mf:state) = exists p. codeseq_at c p ihalt /\ transition_star c (VMS 0 Nil mi) (VMS p Nil mf) end why3-1.6.0/examples/double_wp/vm/000077500000000000000000000000001440160026300166245ustar00rootroot00000000000000why3-1.6.0/examples/double_wp/vm/why3session.xml000066400000000000000000000032071440160026300216460ustar00rootroot00000000000000 why3-1.6.0/examples/double_wp/vm/why3shapes.gz000066400000000000000000000006341440160026300212670ustar00rootroot00000000000000Mn1 sYH*E7~zzrIO><󣾶yLJ.g=O)ys_e1~[pygu낙i%^7/4\ڍc8x4F'M[srqYǎvg&βW{KKmy|뢕vϹ JZi8էR!cUh.vWP+@;ut%&uR1(4n'kJR#xհ`XlGvj+"#k'& !POl͚U"d+$NS CÚ*\ 5qR(!4Q$QdTdcTGWAbowhy3-1.6.0/examples/dyck.mlw000066400000000000000000000042171440160026300157010ustar00rootroot00000000000000 (** Checking that a word is a Dyck word Authors: Martin Clochard (École Normale Supérieure) Jean-Christophe Filliâtre (CNRS) *) theory Dyck use export list.List use export list.Append type paren = L | R type word = list paren (* D -> eps | L D R D *) inductive dyck word = | Dyck_nil: dyck Nil | Dyck_ind: forall w1 w2. dyck w1 -> dyck w2 -> dyck (Cons L (w1 ++ Cons R w2)) (* the first letter, if any, must be L *) lemma dyck_word_first: forall w: word. dyck w -> match w with Nil -> true | Cons c _ -> c = L end end module Check use Dyck use list.Length use ref.Ref exception Failure (* A fall of a word is a decomposition p ++ s with p a dyck word and s a word not starting by L. *) predicate fall (p s: word) = dyck p /\ match s with Cons L _ -> false | _ -> true end let rec lemma same_prefix (p s s2: word) : unit requires { p ++ s = p ++ s2 } ensures { s = s2 } variant { p } = match p with Nil -> () | Cons _ q -> same_prefix q s s2 end (* Compute the fall decomposition, if it exists. As a side-effect, prove its unicity. *) let rec is_dyck_rec (ghost p: ref word) (w: word) : word ensures { w = !p ++ result && fall !p result && (forall p2 s: word. w = p2 ++ s /\ fall p2 s -> p2 = !p && s = result) } writes { p } raises { Failure -> forall p s: word. w = p ++ s -> not fall p s } variant { length w } = match w with | Cons L w0 -> let ghost p0 = ref Nil in match is_dyck_rec p0 w0 with | Cons _ w1 -> assert { forall p s p1 p2: word. dyck p /\ w = p ++ s /\ dyck p1 /\ dyck p2 /\ p = Cons L (p1 ++ Cons R p2) -> w0 = p1 ++ (Cons R (p2 ++ s)) && p1 = !p0 && w1 = p2 ++ s }; let ghost p1 = ref Nil in let w = is_dyck_rec p1 w1 in p := Cons L (!p0 ++ Cons R !p1); w | _ -> raise Failure end | _ -> p := Nil; w end let is_dyck (w: word) : bool ensures { result <-> dyck w } = try match is_dyck_rec (ref Nil) w with | Nil -> true | _ -> false end with Failure -> false end end why3-1.6.0/examples/dyck/000077500000000000000000000000001440160026300151545ustar00rootroot00000000000000why3-1.6.0/examples/dyck/why3session.xml000066400000000000000000000075401440160026300202020ustar00rootroot00000000000000 why3-1.6.0/examples/dyck/why3shapes.gz000066400000000000000000000033761440160026300176250ustar00rootroot00000000000000YKo$5ϯ].FZ4Bl2l{hBhєˮ*Ͽܟ~5?nޫ_./nOɱ+~?96_jxrSWi2+K"\u}i.ao\v|NA7F ONm%r#Gi>G$7CjglOu[T\3zȮ>4lrjtq} oXg|77U:UGӡv{S>:G}}sy&:Clئf [k3VP,bu^[AfGk40u!p_7l;y)Pfd%m8#ĩ5fKƉV5b[5b[5ME[jlU#֪!תiIծOrO.=ħǧ}w\4t@5h"+M]p&`:u 3Ն@M9*-͝Ev\oy.L Dx3 >v&zV[6}>sNٴg>Iq93^H'V|b+ +X?f1ݦv{5u(|m4]6Gv`A;h'==UvIoq[]''G8UG/~- ?KDbJclwRa w efOcgeK$ex:Zj`BQ̙k֩%W@5Rbo궾3[/Φ3ˊ$C1!<3'iw1as";vub3{#"޲4WKOmQ!uC]oNFu"뮦M huV GW0j}sKQWVy{{ g}Fs|uRllLl*mG37DJClBַr%hboy<",9n)Yn| (h iVBI] Sאh$r`.jGr \PIoki~W8_?S~rb9|_Ðn;ӂPaQpڭi]oN;l£67_|DH^7 #.[yB%K"Exc%5l eB,fAJm1{/"E2hR:AӲȬ x 4Q/0RL XDi@ȍ&TF-D= 0[+")hM)Ѥ$KM+"]Qpa@Ρm 2H[=daT*3=TxJ%(,<rB+<<$ɄedRxXQKPfe78 &Q"i)Jj53P>+D5Jk/4CRR5ŊBRL %Q•I&"Lר-BfAbsH庴+)** c1 = c2 } type word = list char inductive dist word word int = | dist_eps : dist Nil Nil 0 | dist_add_left : forall w1 w2: word, n: int. dist w1 w2 n -> forall a: char. dist (Cons a w1) w2 (n + 1) | dist_add_right : forall w1 w2: word, n: int. dist w1 w2 n -> forall a: char. dist w1 (Cons a w2) (n + 1) | dist_context : forall w1 w2:word, n: int. dist w1 w2 n -> forall a: char. dist (Cons a w1) (Cons a w2) n predicate min_dist (w1 w2: word) (n: int) = dist w1 w2 n /\ forall m: int. dist w1 w2 m -> n <= m (* intermediate lemmas *) use export list.Append function last_char (a: char) (u: word) : char = match u with | Nil -> a | Cons c u' -> last_char c u' end function but_last (a: char) (u: word) : word = match u with | Nil -> Nil | Cons c u' -> Cons a (but_last c u') end lemma first_last_explicit: forall u: word, a: char. but_last a u ++ Cons (last_char a u) Nil = Cons a u lemma first_last: forall a: char, u: word. exists v: word, b: char. v ++ Cons b Nil = Cons a u /\ length v = length u lemma key_lemma_right: forall w1 w'2: word, m: int, a: char. dist w1 w'2 m -> forall w2: word. w'2 = Cons a w2 -> exists u1 v1: word, k: int. w1 = u1 ++ v1 /\ dist v1 w2 k /\ k + length u1 <= m + 1 lemma dist_symetry: forall w1 w2: word, n: int. dist w1 w2 n -> dist w2 w1 n lemma key_lemma_left: forall w1 w2: word, m: int, a: char. dist (Cons a w1) w2 m -> exists u2 v2: word, k: int. w2 = u2 ++ v2 /\ dist w1 v2 k /\ k + length u2 <= m + 1 lemma dist_concat_left: forall u v w: word, n: int. dist v w n -> dist (u ++ v) w (length u + n) lemma dist_concat_right: forall u v w: word, n: int. dist v w n -> dist v (u ++ w) (length u + n) (* main lemmas *) lemma min_dist_equal: forall w1 w2: word, a: char, n: int. min_dist w1 w2 n -> min_dist (Cons a w1) (Cons a w2) n lemma min_dist_diff: forall w1 w2: word, a b: char, m p: int. a <> b -> min_dist (Cons a w1) w2 p -> min_dist w1 (Cons b w2) m -> min_dist (Cons a w1) (Cons b w2) (min m p + 1) lemma min_dist_eps: forall w: word, a: char, n: int. min_dist w Nil n -> min_dist (Cons a w) Nil (n + 1) lemma min_dist_eps_length: forall w: word. min_dist Nil w (length w) end module EditDistance use Word use list.Length as L use ref.Ref use array.Array (* Auxiliary definitions for the program and its specification. *) function suffix (a: array char) (i: int) : word axiom suffix_nil: forall a: array char. suffix a a.length = Nil axiom suffix_cons: forall a: array char, i: int. 0 <= i < a.length -> suffix a i = Cons a[i] (suffix a (i+1)) lemma suffix_length: forall a: array char, i: int. 0 <= i <= a.length -> L.length (suffix a i) = (a.length - i) predicate min_suffix (a1 a2: array char) (i j n: int) = min_dist (suffix a1 i) (suffix a2 j) n function word_of (a: array char) : word = suffix a 0 (* The program. *) let distance (w1: array char) (w2: array char) ensures { min_dist (word_of w1) (word_of w2) result } = let n1 = length w1 in let n2 = length w2 in let t = Array.make (n2+1) 0 in (* initialization of t *) for i = 0 to n2 do invariant { forall j:int. 0 <= j < i -> t[j] = n2 - j } t[i] <- n2 - i done; (* loop over w1 *) for i = n1 - 1 downto 0 do invariant { forall j:int. 0 <= j <= n2 -> min_suffix w1 w2 (i+1) j t[j] } let oldt = ref t[n2] in t[n2] <- t[n2] + 1; (* loop over w2 *) for j = n2 - 1 downto 0 do invariant { forall k:int. j < k <= n2 -> min_suffix w1 w2 i k t[k] } invariant { forall k:int. 0 <= k <= j -> min_suffix w1 w2 (i+1) k t[k] } invariant { min_suffix w1 w2 (i+1) (j+1) !oldt } let temp = !oldt in oldt := t[j]; if eq w1[i] w2[j] then t[j] <- temp else t[j] <- (min t[j] t[j + 1]) + 1 done done; t[0] end why3-1.6.0/examples/edit_distance/000077500000000000000000000000001440160026300170215ustar00rootroot00000000000000why3-1.6.0/examples/edit_distance/edit_distance_WP_EditDistance_suffix_length_1.v000066400000000000000000000166141440160026300302120ustar00rootroot00000000000000(* This file is generated by Why3's Coq driver *) (* Beware! Only edit allowed sections below *) Require Import BuiltIn. Require BuiltIn. Require HighOrd. Require int.Int. Require int.MinMax. Require map.Map. Require list.List. Require list.Length. Require list.Mem. Require list.Append. Axiom char : Type. Parameter char_WhyType : WhyType char. Existing Instance char_WhyType. (* Why3 assumption *) Definition word := Init.Datatypes.list char. (* Why3 assumption *) Inductive dist: Init.Datatypes.list char -> Init.Datatypes.list char -> Numbers.BinNums.Z -> Prop := | dist_eps : dist Init.Datatypes.nil Init.Datatypes.nil 0%Z | dist_add_left : forall (w1:Init.Datatypes.list char) (w2:Init.Datatypes.list char) (n:Numbers.BinNums.Z), dist w1 w2 n -> forall (a:char), dist (Init.Datatypes.cons a w1) w2 (n + 1%Z)%Z | dist_add_right : forall (w1:Init.Datatypes.list char) (w2:Init.Datatypes.list char) (n:Numbers.BinNums.Z), dist w1 w2 n -> forall (a:char), dist w1 (Init.Datatypes.cons a w2) (n + 1%Z)%Z | dist_context : forall (w1:Init.Datatypes.list char) (w2:Init.Datatypes.list char) (n:Numbers.BinNums.Z), dist w1 w2 n -> forall (a:char), dist (Init.Datatypes.cons a w1) (Init.Datatypes.cons a w2) n. (* Why3 assumption *) Definition min_dist (w1:Init.Datatypes.list char) (w2:Init.Datatypes.list char) (n:Numbers.BinNums.Z) : Prop := dist w1 w2 n /\ (forall (m:Numbers.BinNums.Z), dist w1 w2 m -> (n <= m)%Z). (* Why3 assumption *) Fixpoint last_char (a:char) (u:Init.Datatypes.list char) {struct u}: char := match u with | Init.Datatypes.nil => a | Init.Datatypes.cons c u' => last_char c u' end. (* Why3 assumption *) Fixpoint but_last (a:char) (u:Init.Datatypes.list char) {struct u}: Init.Datatypes.list char := match u with | Init.Datatypes.nil => Init.Datatypes.nil | Init.Datatypes.cons c u' => Init.Datatypes.cons a (but_last c u') end. Axiom first_last_explicit : forall (u:Init.Datatypes.list char) (a:char), ((Init.Datatypes.app (but_last a u) (Init.Datatypes.cons (last_char a u) Init.Datatypes.nil)) = (Init.Datatypes.cons a u)). Axiom first_last : forall (a:char) (u:Init.Datatypes.list char), exists v:Init.Datatypes.list char, exists b:char, ((Init.Datatypes.app v (Init.Datatypes.cons b Init.Datatypes.nil)) = (Init.Datatypes.cons a u)) /\ ((list.Length.length v) = (list.Length.length u)). Axiom key_lemma_right : forall (w1:Init.Datatypes.list char) (w'2:Init.Datatypes.list char) (m:Numbers.BinNums.Z) (a:char), dist w1 w'2 m -> forall (w2:Init.Datatypes.list char), (w'2 = (Init.Datatypes.cons a w2)) -> exists u1:Init.Datatypes.list char, exists v1:Init.Datatypes.list char, exists k:Numbers.BinNums.Z, (w1 = (Init.Datatypes.app u1 v1)) /\ dist v1 w2 k /\ ((k + (list.Length.length u1))%Z <= (m + 1%Z)%Z)%Z. Axiom dist_symetry : forall (w1:Init.Datatypes.list char) (w2:Init.Datatypes.list char) (n:Numbers.BinNums.Z), dist w1 w2 n -> dist w2 w1 n. Axiom key_lemma_left : forall (w1:Init.Datatypes.list char) (w2:Init.Datatypes.list char) (m:Numbers.BinNums.Z) (a:char), dist (Init.Datatypes.cons a w1) w2 m -> exists u2:Init.Datatypes.list char, exists v2:Init.Datatypes.list char, exists k:Numbers.BinNums.Z, (w2 = (Init.Datatypes.app u2 v2)) /\ dist w1 v2 k /\ ((k + (list.Length.length u2))%Z <= (m + 1%Z)%Z)%Z. Axiom dist_concat_left : forall (u:Init.Datatypes.list char) (v:Init.Datatypes.list char) (w:Init.Datatypes.list char) (n:Numbers.BinNums.Z), dist v w n -> dist (Init.Datatypes.app u v) w ((list.Length.length u) + n)%Z. Axiom dist_concat_right : forall (u:Init.Datatypes.list char) (v:Init.Datatypes.list char) (w:Init.Datatypes.list char) (n:Numbers.BinNums.Z), dist v w n -> dist v (Init.Datatypes.app u w) ((list.Length.length u) + n)%Z. Axiom min_dist_equal : forall (w1:Init.Datatypes.list char) (w2:Init.Datatypes.list char) (a:char) (n:Numbers.BinNums.Z), min_dist w1 w2 n -> min_dist (Init.Datatypes.cons a w1) (Init.Datatypes.cons a w2) n. Axiom min_dist_diff : forall (w1:Init.Datatypes.list char) (w2:Init.Datatypes.list char) (a:char) (b:char) (m:Numbers.BinNums.Z) (p:Numbers.BinNums.Z), ~ (a = b) -> min_dist (Init.Datatypes.cons a w1) w2 p -> min_dist w1 (Init.Datatypes.cons b w2) m -> min_dist (Init.Datatypes.cons a w1) (Init.Datatypes.cons b w2) ((ZArith.BinInt.Z.min m p) + 1%Z)%Z. Axiom min_dist_eps : forall (w:Init.Datatypes.list char) (a:char) (n:Numbers.BinNums.Z), min_dist w Init.Datatypes.nil n -> min_dist (Init.Datatypes.cons a w) Init.Datatypes.nil (n + 1%Z)%Z. Axiom min_dist_eps_length : forall (w:Init.Datatypes.list char), min_dist Init.Datatypes.nil w (list.Length.length w). (* Why3 assumption *) Inductive ref (a:Type) := | ref'mk : a -> ref a. Axiom ref_WhyType : forall (a:Type) {a_WT:WhyType a}, WhyType (ref a). Existing Instance ref_WhyType. Arguments ref'mk {a}. (* Why3 assumption *) Definition contents {a:Type} {a_WT:WhyType a} (v:ref a) : a := match v with | ref'mk x => x end. Axiom array : forall (a:Type), Type. Parameter array_WhyType : forall (a:Type) {a_WT:WhyType a}, WhyType (array a). Existing Instance array_WhyType. Parameter elts: forall {a:Type} {a_WT:WhyType a}, array a -> Numbers.BinNums.Z -> a. Parameter length: forall {a:Type} {a_WT:WhyType a}, array a -> Numbers.BinNums.Z. Axiom array'invariant : forall {a:Type} {a_WT:WhyType a}, forall (self:array a), (0%Z <= (length self))%Z. (* Why3 assumption *) Definition mixfix_lbrb {a:Type} {a_WT:WhyType a} (a1:array a) (i:Numbers.BinNums.Z) : a := elts a1 i. Parameter mixfix_lblsmnrb: forall {a:Type} {a_WT:WhyType a}, array a -> Numbers.BinNums.Z -> a -> array a. Axiom mixfix_lblsmnrb'spec : forall {a:Type} {a_WT:WhyType a}, forall (a1:array a) (i:Numbers.BinNums.Z) (v:a), ((length (mixfix_lblsmnrb a1 i v)) = (length a1)) /\ ((elts (mixfix_lblsmnrb a1 i v)) = (map.Map.set (elts a1) i v)). Parameter make: forall {a:Type} {a_WT:WhyType a}, Numbers.BinNums.Z -> a -> array a. Axiom make_spec : forall {a:Type} {a_WT:WhyType a}, forall (n:Numbers.BinNums.Z) (v:a), (0%Z <= n)%Z -> (forall (i:Numbers.BinNums.Z), (0%Z <= i)%Z /\ (i < n)%Z -> ((mixfix_lbrb (make n v) i) = v)) /\ ((length (make n v)) = n). Parameter suffix: array char -> Numbers.BinNums.Z -> Init.Datatypes.list char. Axiom suffix_nil : forall (a:array char), ((suffix a (length a)) = Init.Datatypes.nil). Axiom suffix_cons : forall (a:array char) (i:Numbers.BinNums.Z), (0%Z <= i)%Z /\ (i < (length a))%Z -> ((suffix a i) = (Init.Datatypes.cons (mixfix_lbrb a i) (suffix a (i + 1%Z)%Z))). Require Import Lia. (* Why3 goal *) Theorem suffix_length : forall (a:array char) (i:Numbers.BinNums.Z), (0%Z <= i)%Z /\ (i <= (length a))%Z -> ((list.Length.length (suffix a i)) = ((length a) - i)%Z). (* Why3 intros a i (h1,h2). *) Proof. intro a. pose (n := length a). intros i Hi. generalize Hi. replace i with (n - (n - i))%Z. replace (n - (n - (n - i)))%Z with (n - i)%Z. pattern (n - i)%Z; apply natlike_ind. (* base case *) intros; replace (n - 0)%Z with n. rewrite suffix_nil; simpl. subst n; lia. lia. (* induction case *) intros. rewrite suffix_cons. 2: subst n; lia. unfold mixfix_lbrb. unfold Length.length; fold @Length.length. unfold Z.succ; ring_simplify. replace (n - (x + 1) + 1)%Z with (n - x)%Z; [ idtac | ring ]. rewrite H0; subst n; lia. subst n; lia. subst n; lia. subst n; lia. Qed. why3-1.6.0/examples/edit_distance/edit_distance_Word_key_lemma_right_1.v000066400000000000000000000076121440160026300264500ustar00rootroot00000000000000(* This file is generated by Why3's Coq driver *) (* Beware! Only edit allowed sections below *) Require Import BuiltIn. Require BuiltIn. Require int.Int. Require int.MinMax. Require list.List. Require list.Length. Require list.Mem. Require list.Append. Axiom char : Type. Parameter char_WhyType : WhyType char. Existing Instance char_WhyType. (* Why3 assumption *) Definition word := Init.Datatypes.list char. (* Why3 assumption *) Inductive dist: Init.Datatypes.list char -> Init.Datatypes.list char -> Numbers.BinNums.Z -> Prop := | dist_eps : dist Init.Datatypes.nil Init.Datatypes.nil 0%Z | dist_add_left : forall (w1:Init.Datatypes.list char) (w2:Init.Datatypes.list char) (n:Numbers.BinNums.Z), dist w1 w2 n -> forall (a:char), dist (Init.Datatypes.cons a w1) w2 (n + 1%Z)%Z | dist_add_right : forall (w1:Init.Datatypes.list char) (w2:Init.Datatypes.list char) (n:Numbers.BinNums.Z), dist w1 w2 n -> forall (a:char), dist w1 (Init.Datatypes.cons a w2) (n + 1%Z)%Z | dist_context : forall (w1:Init.Datatypes.list char) (w2:Init.Datatypes.list char) (n:Numbers.BinNums.Z), dist w1 w2 n -> forall (a:char), dist (Init.Datatypes.cons a w1) (Init.Datatypes.cons a w2) n. (* Why3 assumption *) Definition min_dist (w1:Init.Datatypes.list char) (w2:Init.Datatypes.list char) (n:Numbers.BinNums.Z) : Prop := dist w1 w2 n /\ (forall (m:Numbers.BinNums.Z), dist w1 w2 m -> (n <= m)%Z). (* Why3 assumption *) Fixpoint last_char (a:char) (u:Init.Datatypes.list char) {struct u}: char := match u with | Init.Datatypes.nil => a | Init.Datatypes.cons c u' => last_char c u' end. (* Why3 assumption *) Fixpoint but_last (a:char) (u:Init.Datatypes.list char) {struct u}: Init.Datatypes.list char := match u with | Init.Datatypes.nil => Init.Datatypes.nil | Init.Datatypes.cons c u' => Init.Datatypes.cons a (but_last c u') end. Axiom first_last_explicit : forall (u:Init.Datatypes.list char) (a:char), ((Init.Datatypes.app (but_last a u) (Init.Datatypes.cons (last_char a u) Init.Datatypes.nil)) = (Init.Datatypes.cons a u)). Axiom first_last : forall (a:char) (u:Init.Datatypes.list char), exists v:Init.Datatypes.list char, exists b:char, ((Init.Datatypes.app v (Init.Datatypes.cons b Init.Datatypes.nil)) = (Init.Datatypes.cons a u)) /\ ((list.Length.length v) = (list.Length.length u)). Require Import Lia. Lemma app_comm_cons: forall {A:Type} {A_WT:WhyType A} (x y : list A) (a: A), cons a (app x y) = app (cons a x) y. Proof. simpl; auto. Qed. (* Why3 goal *) Theorem key_lemma_right : forall (w1:Init.Datatypes.list char) (w'2:Init.Datatypes.list char) (m:Numbers.BinNums.Z) (a:char), dist w1 w'2 m -> forall (w2:Init.Datatypes.list char), (w'2 = (Init.Datatypes.cons a w2)) -> exists u1:Init.Datatypes.list char, exists v1:Init.Datatypes.list char, exists k:Numbers.BinNums.Z, (w1 = (Init.Datatypes.app u1 v1)) /\ dist v1 w2 k /\ ((k + (list.Length.length u1))%Z <= (m + 1%Z)%Z)%Z. (* Why3 intros w1 w'2 m a h1 w2 h2. *) Proof. intros w1 w'2 m a H; elim H. (* 1. [dist_eps]: absurd *) intros; discriminate H0. (* 2. [dist_add_left]: we use induction hypothesis. *) intros w'1 w3 n Hdist Hrec b w2 Heq. elim (Hrec w2 Heq); intros u'1 Hex. elim Hex; clear Hex; intros v'1 Hex. elim Hex; clear Hex; intros k Hex. decompose [and] Hex; clear Hex. elim (first_last b u'1); intros u1 Hex. elim Hex; intros c [Hc Hlength]. exists u1; exists (cons c v'1); exists (k + 1)%Z. repeat split. rewrite H0. rewrite app_comm_cons. rewrite <- Hc. rewrite <- Append.Append_assoc; reflexivity. apply dist_add_left; assumption. lia. (* 3. [dist_add_right]: direct *) intros. exists nil; exists w0; exists n. repeat split. inversion H2. rewrite <- H5; assumption. simpl; lia. (* 4. [dist_context]: direct *) intros. inversion H2. exists (cons a nil); exists w0; exists n. repeat split. rewrite <- H5; assumption. simpl; lia. Qed. why3-1.6.0/examples/edit_distance/edit_distance_Word_min_dist_diff_1.v000066400000000000000000000112371440160026300261040ustar00rootroot00000000000000(* This file is generated by Why3's Coq driver *) (* Beware! Only edit allowed sections below *) Require Import BuiltIn. Require BuiltIn. Require int.Int. Require int.MinMax. Require list.List. Require list.Length. Require list.Mem. Require list.Append. Axiom char : Type. Parameter char_WhyType : WhyType char. Existing Instance char_WhyType. (* Why3 assumption *) Definition word := Init.Datatypes.list char. (* Why3 assumption *) Inductive dist: Init.Datatypes.list char -> Init.Datatypes.list char -> Numbers.BinNums.Z -> Prop := | dist_eps : dist Init.Datatypes.nil Init.Datatypes.nil 0%Z | dist_add_left : forall (w1:Init.Datatypes.list char) (w2:Init.Datatypes.list char) (n:Numbers.BinNums.Z), dist w1 w2 n -> forall (a:char), dist (Init.Datatypes.cons a w1) w2 (n + 1%Z)%Z | dist_add_right : forall (w1:Init.Datatypes.list char) (w2:Init.Datatypes.list char) (n:Numbers.BinNums.Z), dist w1 w2 n -> forall (a:char), dist w1 (Init.Datatypes.cons a w2) (n + 1%Z)%Z | dist_context : forall (w1:Init.Datatypes.list char) (w2:Init.Datatypes.list char) (n:Numbers.BinNums.Z), dist w1 w2 n -> forall (a:char), dist (Init.Datatypes.cons a w1) (Init.Datatypes.cons a w2) n. (* Why3 assumption *) Definition min_dist (w1:Init.Datatypes.list char) (w2:Init.Datatypes.list char) (n:Numbers.BinNums.Z) : Prop := dist w1 w2 n /\ (forall (m:Numbers.BinNums.Z), dist w1 w2 m -> (n <= m)%Z). (* Why3 assumption *) Fixpoint last_char (a:char) (u:Init.Datatypes.list char) {struct u}: char := match u with | Init.Datatypes.nil => a | Init.Datatypes.cons c u' => last_char c u' end. (* Why3 assumption *) Fixpoint but_last (a:char) (u:Init.Datatypes.list char) {struct u}: Init.Datatypes.list char := match u with | Init.Datatypes.nil => Init.Datatypes.nil | Init.Datatypes.cons c u' => Init.Datatypes.cons a (but_last c u') end. Axiom first_last_explicit : forall (u:Init.Datatypes.list char) (a:char), ((Init.Datatypes.app (but_last a u) (Init.Datatypes.cons (last_char a u) Init.Datatypes.nil)) = (Init.Datatypes.cons a u)). Axiom first_last : forall (a:char) (u:Init.Datatypes.list char), exists v:Init.Datatypes.list char, exists b:char, ((Init.Datatypes.app v (Init.Datatypes.cons b Init.Datatypes.nil)) = (Init.Datatypes.cons a u)) /\ ((list.Length.length v) = (list.Length.length u)). Axiom key_lemma_right : forall (w1:Init.Datatypes.list char) (w'2:Init.Datatypes.list char) (m:Numbers.BinNums.Z) (a:char), dist w1 w'2 m -> forall (w2:Init.Datatypes.list char), (w'2 = (Init.Datatypes.cons a w2)) -> exists u1:Init.Datatypes.list char, exists v1:Init.Datatypes.list char, exists k:Numbers.BinNums.Z, (w1 = (Init.Datatypes.app u1 v1)) /\ dist v1 w2 k /\ ((k + (list.Length.length u1))%Z <= (m + 1%Z)%Z)%Z. Axiom dist_symetry : forall (w1:Init.Datatypes.list char) (w2:Init.Datatypes.list char) (n:Numbers.BinNums.Z), dist w1 w2 n -> dist w2 w1 n. Axiom key_lemma_left : forall (w1:Init.Datatypes.list char) (w2:Init.Datatypes.list char) (m:Numbers.BinNums.Z) (a:char), dist (Init.Datatypes.cons a w1) w2 m -> exists u2:Init.Datatypes.list char, exists v2:Init.Datatypes.list char, exists k:Numbers.BinNums.Z, (w2 = (Init.Datatypes.app u2 v2)) /\ dist w1 v2 k /\ ((k + (list.Length.length u2))%Z <= (m + 1%Z)%Z)%Z. Axiom dist_concat_left : forall (u:Init.Datatypes.list char) (v:Init.Datatypes.list char) (w:Init.Datatypes.list char) (n:Numbers.BinNums.Z), dist v w n -> dist (Init.Datatypes.app u v) w ((list.Length.length u) + n)%Z. Axiom dist_concat_right : forall (u:Init.Datatypes.list char) (v:Init.Datatypes.list char) (w:Init.Datatypes.list char) (n:Numbers.BinNums.Z), dist v w n -> dist v (Init.Datatypes.app u w) ((list.Length.length u) + n)%Z. Axiom min_dist_equal : forall (w1:Init.Datatypes.list char) (w2:Init.Datatypes.list char) (a:char) (n:Numbers.BinNums.Z), min_dist w1 w2 n -> min_dist (Init.Datatypes.cons a w1) (Init.Datatypes.cons a w2) n. (* Why3 goal *) Theorem min_dist_diff : forall (w1:Init.Datatypes.list char) (w2:Init.Datatypes.list char) (a:char) (b:char) (m:Numbers.BinNums.Z) (p:Numbers.BinNums.Z), ~ (a = b) -> min_dist (Init.Datatypes.cons a w1) w2 p -> min_dist w1 (Init.Datatypes.cons b w2) m -> min_dist (Init.Datatypes.cons a w1) (Init.Datatypes.cons b w2) ((ZArith.BinInt.Z.min m p) + 1%Z)%Z. (* Why3 intros w1 w2 a b m p h1 h2 h3. *) Proof. intros w1 w2 a b m p. unfold min_dist; intuition. unfold Z.min. case (m ?= p)%Z; generalize dist_add_left dist_add_right; intuition. generalize (Z.le_min_l m p) (Z.le_min_r m p) Zplus_le_compat_r Z.le_trans. inversion H1; intuition eauto. Qed. why3-1.6.0/examples/edit_distance/why3session.xml000066400000000000000000000252641440160026300220520ustar00rootroot00000000000000 why3-1.6.0/examples/edit_distance/why3shapes.gz000066400000000000000000000107241440160026300214650ustar00rootroot00000000000000\]o%7}_ݝ $YyZ@%6vځ#d~v("yoÏprp{߯O7qqw*~w!xnC]mf xxG<ƒuځM63<zqg z&av㝦^k }b˚VxYvR}\&nԲs;9;+iu/WBYΨvO;r`k7QUTIz^И;Cqs'P_;M"9Ժo./bfa5k6C^XP_O(RMb(0\ڃJhwwY&7o>°نԎ=pRHc; Pa8F>AI&4)6 !tڒuy^RgG5ȴ17봑|?_M>}5,@wyV y7v1\h$Xk(:m,&|EWi~HV\/xqxqg9=Xۏ?d3lPlM%ʳ: [fGVc<Κtp":9jA?x|Қ}rfG Ooة -nYaSww?_~[quͶ,ˤMZĖ~#4ꓙ<\׫*WX<{Fu1zno?wldc~hHVLy}==*LcͣCyZ\Sz4/nfգ1i#mHC[wwɥMiͭPt,zojbKՎ{d]gϠgX0QGP$߶B1+kz5 4nok:;Fs8e:3FgB2O ]l/۰ARmWj٨ڗUjצk ʗ+ufcbll6vRw]wG6#Noӛ}7;=MNOOp}ԣS%2i7Kj,fޚaH #?۞(3WKۘ=%r -6&zQm6 ؘ6Ƽ1ڙ洭03i8`@K=he-@:u-M6>!ОTNmZvŸ+rv4撒`?sӀqZzq*]?klۨ':CPŵ@<كG+CL|$5/۞ۖL^)L~R&"R@-pZi ִۆ b9XKCK b-}-1ڹø ec1u`P;Pb^4tPX^۱Xb= ^ ӇJoLԮA^ .7' B6^%/e?P/0wm`Nü!!֯0_ ̻HaayxQj0FV{0gu1Yw^aHU=T h"f,,ŠÍ֯NWLܳMV+Gź3aٕX%Ħ=!Y\˺uWxw%ܕJvJ.ԡ;MS B0 `h{'{k'_̶̽{ʾ^ ̛N0_ LӚ O%ꨯ{8͗ʺo]~?moȮZkӘ?(̫c~/E^ b9E:üӗqxe~q`T1sc3WvnWӹFZ /MzK{K7-9>ݒ&roڒ㯥%]$'+-9~ٖ40~KN.oԒMKN>%׾dhHZPIKsT̋q`l+/-4{欩C}  =IMOyH?Uv^vl;Pz;PZ;Pہry;Pvlځ_].-Owqǧ~`ZA<>|蒫.n>ҋGţţl(x=m߇//e*eS<uWGu/!lUOEOXG. U O'[ӯL[4~kٽCCn _'[(e_':Y{pdvzn^'::OV3K2[e]§4Ӊc 0[R4CK^J3"syLJiUiU}nr%-СaI驂Y?i֐ zS[,گŅf  IdzOQߌ3oFk Q/?꽄Ȟ ׄ5MBT_=/Nd["Sc7 3sgیUp"]jPrZM77Wȷ*֛P U]]@Tڅʹ::Q/GD||Zu4u9cwtnugtZYǴS:o}w5_5ʛ7RIDic9B͛8˜c4v$TB:H1ndGHV-xŁ0%Spڸ ŚHY@)!hF̠ W)*JP i$eVƖc1-RI<*?ѰY!юE甓7T&RÒ Ec 0M\`9{A.9sR?=S&E}@eg`rL<*&DxPʕl0$*CCVQyњMPքʰB-3҉y]=4,RV{8+C9fQ;FU>8qf8u)xS* Nb e*=f MP6^CY TiQc=D `$H2:Pul(40`|Vc@& P21/)zU6wVA\aqL**VI ŔneVt*Dա0˔hXR(%mֱ)9fCĶeВkDu&cOJ0f1UlŇʆ1qX^.iWf9a4;$UHFT@ujc1 5"Zh Gވb+YAM{ͪ(a=1xrICYΊ=B ~j aVi3y,P">ah( X`3",2N B 2`8r@@. Uxz j0H! @@iF&2O#mIJ9'@M*Tɽ'yO\(&3PήN%օ0#FIzJ+ ɯ􄐀@kb 8ra x = y } type char_string = seq char (** The specification uses a function `remove_spaces`. It is recursively defined over a string, from left to right. *) let rec function remove_spaces (s: char_string) : char_string variant { length s } = if length s = 0 then s else if eq s[0] space then remove_spaces s[1..] else cons s[0] (remove_spaces s[1..]) (** Code and proof. It would be natural to have a loop invariant such as remove_spaces x[..i] = remove_spaces y[..j] Unfortunately, since `remove_spaces` is defined recursively from left to right, we would have hard time proving such an invariant. So instead we use an invariant which refers to the *suffixes* of `x` and `y`. *) let rec compare_up_to_spaces (x y: char_string) : bool ensures { result <-> remove_spaces x = remove_spaces y } = let n = length x in let m = length y in let ref i = 0 in let ref j = 0 in while i < n || j < m do invariant { 0 <= i <= n } invariant { 0 <= j <= m } invariant { remove_spaces x = remove_spaces y <-> remove_spaces x[i..] = remove_spaces y[j..] } variant { n - i + m - j } if i < n && eq x[i] space then begin assert { remove_spaces x[i..] == remove_spaces x[i+1..] }; i <- i + 1 end else if j < m && eq y[j] space then begin assert { remove_spaces y[j..] == remove_spaces y[j+1..] }; j <- j + 1 end else begin assert { i < n -> remove_spaces x[i..] == cons x[i] (remove_spaces x[i+1..]) }; assert { j < m -> remove_spaces y[j..] == cons y[j] (remove_spaces y[j+1..]) }; if i = n || j = m then return false; if not (eq x[i] y[j]) then return false; i <- i + 1; j <- j + 1 end done; return true why3-1.6.0/examples/equality_up_to_spaces/000077500000000000000000000000001440160026300206235ustar00rootroot00000000000000why3-1.6.0/examples/equality_up_to_spaces/why3session.xml000066400000000000000000000166751440160026300236620ustar00rootroot00000000000000 why3-1.6.0/examples/equality_up_to_spaces/why3shapes.gz000066400000000000000000000031731440160026300232670ustar00rootroot00000000000000Wn#+$,V #.zs L4[ÃߧnI bT!/_)_j=_<6_~^>/koo'1󽌂[x{`ےlbeOhs abπ ׽k)zwVĖYo|w.ݹ_ֹ9g iY?|l2bip?锗BI׻ =ɗi:Ws|3<|av'㷃?#>=G[8cϗĚon맫?:W5q`kηU+\2ض^.͸o^QOǗcJ%{f͂WͶv} Z|1]oZ#׍B!PWjt>xL Uh7U9pQ6hK|afd2q@ڭ|#J@7rpM޳Wj9>ZrkHjNAy8< 8S:2Kj襴hȼCZ2X.aI˓k[+^[n& 1h}lFN_mۏxx>=?},Pc"+E*{㒊:ȐA[:5tbR@(|eԤ*p9:*vȮFJA#-Qt'HYBNUGQT! YBTQ;!<+@~ґ%`aWs$Q<$o)TvD:;X br2!ZAKv``ΤJJiTIN`11"%"e|ؐBS%hP  URv*2!292KLJ4*'$ZP%HqJLWr%HQ`4%cQiڅ. PDVRtS@PoH|0R9Hg#opFy9^F4 YSbR;215ґC?AVgJ` !"rCry,(C%kmv$;%x*mC\ kCX*oLGK )ĔyjUUp'^AEC2@yMI:FQxoUAI $%FiXO&>TDn$tm)hL‚ѧH Z[#ju g IP2why3-1.6.0/examples/esterel.mlw000066400000000000000000000046471440160026300164210ustar00rootroot00000000000000 (** {1 Challenge about the Esterel Compiler} This is a challenge given by Gérard Berry, extracted from Esterel compiler. 1. Each instruction returns an integer code between [1] and [N]. Parallel execution returns the maximum of codes of its branches. 2. Return codes are implemented as bitvectors. 3. During static analysis, each instruction [P] may return a set of codes [C(P)] instead of one code only. Hence [P||Q] must return [{max(p,q) | p in C(p), q in C(q)], to be computed on bitvectors. 4. A method given by Georges Gonthier is to write the result under the form [{ x in P U Q | x >= max (min(P), min(Q) }] that can be encoded as bitvector operation [(P|Q)&(P|-P)&(Q|-Q)]. *) module Esterel use int.Int use int.MinMax use set.FsetInt use bv.BV64 type s = { bv : BV64.t; (* a 64-bit bitvector *) ghost mdl: fset int; (* its interpretation as a set *) } invariant { forall i: int. (0 <= i < size /\ nth bv i) <-> mem i mdl } let union (a b: s) : s (* operator [a|b] *) ensures { result.mdl = union b.mdl a.mdl } = { bv = bw_or a.bv b.bv; mdl = union b.mdl a.mdl } let intersection (a b : s) : s (* operator [a&b] *) ensures { result.mdl = inter a.mdl b.mdl } = { bv = bw_and a.bv b.bv; mdl = inter a.mdl b.mdl } let aboveMin (a : s) : s (* operator [a|-a] *) requires { not is_empty a.mdl } ensures { result.mdl = interval (min_elt a.mdl) size } = let ghost p = min_elt a.mdl in let ghost p_bv = of_int p in assert { eq_sub_bv a.bv zeros zeros p_bv }; let res = bw_or a.bv (neg a.bv) in assert { eq_sub_bv res zeros zeros p_bv }; assert { eq_sub_bv res ones p_bv (sub size_bv p_bv) }; { bv = res; mdl = interval p size } let maxUnion (a b : s) : s (* operator [(a|b)&(a|-a)&(b|-b)] *) requires { not is_empty a.mdl /\ not is_empty b.mdl } ensures { forall x. mem x result.mdl <-> (mem x (union a.mdl b.mdl) /\ x >= max (min_elt a.mdl) (min_elt b.mdl)) } ensures { forall x. mem x result.mdl <-> exists y z. mem y a.mdl /\ mem z b.mdl /\ x = max y z } = let res = intersection (union a b) (intersection (aboveMin a) (aboveMin b)) in assert { forall x. mem x res.mdl -> let y,z = if mem x a.mdl then x, min_elt b.mdl else min_elt a.mdl, x in mem y a.mdl /\ mem z b.mdl /\ x = max y z }; res end why3-1.6.0/examples/esterel/000077500000000000000000000000001440160026300156655ustar00rootroot00000000000000why3-1.6.0/examples/esterel/why3session.xml000066400000000000000000000074441440160026300207160ustar00rootroot00000000000000 why3-1.6.0/examples/esterel/why3shapes.gz000066400000000000000000000021751440160026300203320ustar00rootroot00000000000000Xn#7+̉ŝ8  \3,Vd>Eb1,H$WUPUlxh7JV~m6k{aw ip'ytqyiRj;/pِӺ[tNa茋 = !2aָ7zc!ż˫=ӻzT/0k?4U\u2buH#^78@-ʋ *.|A2OGl_菥xnoݖkѣ5~v[c ](۶pq( kpeAmw)kA:EeqhW__B'ӀJ̤Ln(ʭlDyzL\x~!JLXaE65 &wvmn/U7Ynvf]~"97O_FL:,ʉ'ȓMNg@s/бy 3 \q|<._(¤rjodq}SOv"DP{UD7|B>9Oy ]jB]VgRG7GynNQ' { aZDTZ0Y`J/U6Ɓ2$@)j̠1X&K\rB #&ƧQ @AD"frљ8"`~Nu>H h}fv<") ;qD.HsNѳKG9VID14R'Z]GTN@!Cowhy3-1.6.0/examples/euler001.mlw000066400000000000000000000106541440160026300163060ustar00rootroot00000000000000(** {1 Euler Project, problem 1} If we list all the natural numbers below 10 that are multiples of 3 or 5, we get 3, 5, 6 and 9. The sum of these multiples is 23. Find the sum of all the multiples of 3 or 5 below 1000.*) theory DivModHints use int.Int use int.ComputerDivision lemma mod_div_unique : forall x y q r:int. x >= 0 /\ y > 0 /\ x = q*y + r /\ 0 <= r < y -> q = div x y /\ r = mod x y lemma mod_succ_1 : forall x y:int. x >= 0 /\ y > 0 -> mod (x+1) y <> 0 -> mod (x+1) y = (mod x y) + 1 lemma mod_succ_2 : forall x y:int. x >= 0 /\ y > 0 -> mod (x+1) y = 0 -> mod x y = y-1 lemma div_succ_1 : forall x y:int. x >= 0 /\ y > 0 -> mod (x+1) y = 0 -> div (x+1) y = (div x y) + 1 lemma div_succ_2 : forall x y:int. x >= 0 /\ y > 0 -> mod (x+1) y <> 0 -> div (x+1) y = (div x y) lemma mod2_mul2: forall x:int. mod (2 * x) 2 = 0 lemma mod2_mul2_aux: forall x y:int. mod (y * (2 * x)) 2 = 0 lemma mod2_mul2_aux2: forall x y z t:int. mod (y * (2 * x) + z * (2 * t)) 2 = 0 lemma div2_mul2: forall x:int. div (2 * x) 2 = x lemma div2_mul2_aux: forall x y:int. div (y * (2 * x)) 2 = y * x lemma div2_add: forall x y:int. mod x 2 = 0 /\ mod y 2 = 0 -> div (x+y) 2 = div x 2 + div y 2 lemma div2_sub: forall x y:int. mod x 2 = 0 /\ mod y 2 = 0 -> div (x-y) 2 = div x 2 - div y 2 end theory TriangularNumbers use int.Int use int.ComputerDivision use int.Div2 use DivModHints as DMH lemma tr_mod_2: forall n:int. n >= 0 -> mod (n*(n+1)) 2 = 0 function tr (n:int) : int = div (n*(n+1)) 2 lemma tr_repr: forall n:int. n >= 0 -> n*(n+1) = 2 * tr n lemma tr_succ: forall n:int. n >= 0 -> tr (n+1) = tr n + n + 1 end theory SumMultiple use int.Int use int.ComputerDivision (* [sum_multiple_3_5_lt n] is the sum of all the multiples of 3 or 5 below n] *) function sum_multiple_3_5_lt int : int axiom SumEmpty: sum_multiple_3_5_lt 0 = 0 axiom SumNo : forall n:int. n >= 0 -> mod n 3 <> 0 /\ mod n 5 <> 0 -> sum_multiple_3_5_lt (n+1) = sum_multiple_3_5_lt n axiom SumYes: forall n:int. n >= 0 -> mod n 3 = 0 \/ mod n 5 = 0 -> sum_multiple_3_5_lt (n+1) = sum_multiple_3_5_lt n + n use TriangularNumbers function closed_formula_aux (n:int) : int = let n3 = div n 3 in let n5 = div n 5 in let n15 = div n 15 in 3 * tr n3 + 5 * tr n5 - 15 * tr n15 predicate p (n:int) = sum_multiple_3_5_lt (n+1) = closed_formula_aux n use DivModHints as DMH lemma mod_15: forall n:int. mod n 15 = 0 <-> mod n 3 = 0 /\ mod n 5 = 0 lemma Closed_formula_0: p 0 lemma Closed_formula_n: forall n:int. n > 0 -> p (n-1) -> mod n 3 <> 0 /\ mod n 5 <> 0 -> p n lemma Closed_formula_n_3: forall n:int. n > 0 -> p (n-1) -> mod n 3 = 0 /\ mod n 5 <> 0 -> p n lemma Closed_formula_n_5: forall n:int. n > 0 -> p (n-1) -> mod n 3 <> 0 /\ mod n 5 = 0 -> p n lemma Closed_formula_n_15: forall n:int. n > 0 -> p (n-1) -> mod n 3 = 0 /\ mod n 5 = 0 -> p n constant b : int = 0 clone int.Induction as I with constant bound = b, predicate p = p lemma Closed_formula_ind: forall n:int. 0 <= n -> p n function closed_formula (n:int) : int = let n3 = div n 3 in let n5 = div n 5 in let n15 = div n 15 in div (3 * (n3 * (n3+1)) + 5 * (n5 * (n5+1)) - 15 * (n15 * (n15+1))) 2 lemma div_15: forall n:int. 0 <= n -> div n 15 >= 0 lemma div_5: forall n:int. 0 <= n -> div n 5 >= 0 lemma div_3: forall n:int. 0 <= n -> div n 3 >= 0 lemma Closed_Formula: forall n:int. 0 <= n -> sum_multiple_3_5_lt (n+1) = closed_formula n end module Euler001 use SumMultiple use int.Int use mach.int.Int let solve n requires { n >= 1 } ensures { result = sum_multiple_3_5_lt n } = let n3 = (n-1) / 3 in let n5 = (n-1) / 5 in let n15 = (n-1) / 15 in (3 * n3 * (n3+1) + 5 * n5 * (n5+1) - 15 * n15 * (n15+1)) / 2 (** Small test. Run it with `why3 execute examples/euler001.mlw --use=Euler001 "run ()"` Should return 233168. *) let run () = solve 1000 (** for the Why3 bench *) exception BenchFailure let bench () raises { BenchFailure -> true } = let x = run () in if x <> 233168 then raise BenchFailure; x (** for extraction *) (* use io.StdIO use ref.Ref let go () = print_string "GO: "; print_int (run ()); print_newline () *) end why3-1.6.0/examples/euler001/000077500000000000000000000000001440160026300155575ustar00rootroot00000000000000why3-1.6.0/examples/euler001/Makefile000066400000000000000000000020641440160026300172210ustar00rootroot00000000000000 BENCH ?= no ifeq ($(BENCH),yes) WHY3=../../bin/why3.opt WHY3SHARE=../../share else ifeq ($(BINDIR),) WHY3=why3 else WHY3=$(BINDIR)/why3 endif WHY3SHARE=$(shell $(WHY3) --print-datadir) endif include $(WHY3SHARE)/Makefile.config ifeq ($(BENCH),yes) INCLUDE += -I ../../lib/why3 endif MAIN=main OBJ=euler001 ML = $(addsuffix .ml, $(OBJ)) CMO = $(addsuffix .cmo, $(OBJ)) CMX = $(addsuffix .cmx, $(OBJ)) OCAMLOPT=ocamlopt -noassert -inline 1000 all: $(MAIN).$(OCAMLBEST) extract: $(ML) doc: $(WHY3) doc ../euler001.mlw $(WHY3) session html . $(MAIN).byte: $(CMO) $(MAIN).cmo ocamlc $(INCLUDE) $(BIGINTLIB).cma -o $@ $^ $(MAIN).opt: $(CMX) $(MAIN).cmx $(OCAMLOPT) $(INCLUDE) $(BIGINTLIB).cmxa -o $@ $^ $(MAIN).cmx: $(CMX) $(ML): ../euler001.mlw $(WHY3) extract -D ocaml64 $< -o $@ %.cmx: %.ml $(OCAMLOPT) $(INCLUDE) -annot -c $< %.cmo: %.ml ocamlc $(INCLUDE) -annot -c $< %.cmi: %.mli ocamlc $(INCLUDE) -annot -c $< clean:: rm -f $(ML) *.cm[xio] *.o *.annot $(MAIN).opt $(MAIN).byte rm -f why3__*.ml* euler001__*.ml* int__*.ml* why3-1.6.0/examples/euler001/euler001_DivModHints_mod_div_unique_1.v000066400000000000000000000013141440160026300250610ustar00rootroot00000000000000(* This file is generated by Why3's Coq driver *) (* Beware! Only edit allowed sections below *) Require Import BuiltIn. Require BuiltIn. Require int.Int. Require int.Abs. Require int.ComputerDivision. (* Why3 goal *) Theorem mod_div_unique : forall (x:Numbers.BinNums.Z) (y:Numbers.BinNums.Z) (q:Numbers.BinNums.Z) (r:Numbers.BinNums.Z), (0%Z <= x)%Z /\ (0%Z < y)%Z /\ (x = ((q * y)%Z + r)%Z) /\ (0%Z <= r)%Z /\ (r < y)%Z -> (q = (ZArith.BinInt.Z.quot x y)) /\ (r = (ZArith.BinInt.Z.rem x y)). (* Why3 intros x y q r (h1,(h2,(h3,(h4,h5)))). *) Proof. intros x y q r (H1,(H2,(H3,(H4,H5)))). apply Zquot.Zquot_mod_unique_full. 2: rewrite H3; ring. red. left. rewrite Z.abs_eq; auto with zarith. Qed. why3-1.6.0/examples/euler001/euler001_DivModHints_mod_succ_1_1.v000066400000000000000000000022101440160026300240620ustar00rootroot00000000000000(* This file is generated by Why3's Coq 8.4 driver *) (* Beware! Only edit allowed sections below *) Require Import BuiltIn. Require BuiltIn. Require int.Int. Require int.Abs. Require int.ComputerDivision. Axiom mod_div_unique : forall (x:Z) (y:Z) (q:Z) (r:Z), ((0%Z <= x)%Z /\ ((0%Z < y)%Z /\ ((x = ((q * y)%Z + r)%Z) /\ ((0%Z <= r)%Z /\ (r < y)%Z)))) -> ((q = (ZArith.BinInt.Z.quot x y)) /\ (r = (ZArith.BinInt.Z.rem x y))). Import Zquot. Open Scope Z_scope. (* Why3 goal *) Theorem mod_succ_1 : forall (x:Z) (y:Z), ((0%Z <= x)%Z /\ (0%Z < y)%Z) -> ((~ ((ZArith.BinInt.Z.rem (x + 1%Z)%Z y) = 0%Z)) -> ((ZArith.BinInt.Z.rem (x + 1%Z)%Z y) = ((ZArith.BinInt.Z.rem x y) + 1%Z)%Z)). (* Why3 intros x y (h1,h2) h3. *) intros x y (Hx,Hy) H. assert (h: y>0) by omega. generalize (Z_quot_rem_eq x y); intro h1. generalize (Z_quot_rem_eq (x+1) y); intro h2. assert (h3:x = y * (Z.quot (x + 1) y) + (Z.rem (x + 1) y - 1)) by omega. generalize (mod_div_unique x y (Z.quot (x + 1) y) (Z.rem (x + 1) y - 1)). intuition. destruct H1 ; auto with zarith. rewrite h3 at 1. ring. assert (0 <= Z.rem (x + 1) y < y). apply Zrem_lt_pos_pos; omega. omega. Qed. why3-1.6.0/examples/euler001/euler001_DivModHints_mod_succ_2_1.v000066400000000000000000000023371440160026300240750ustar00rootroot00000000000000(* This file is generated by Why3's Coq 8.4 driver *) (* Beware! Only edit allowed sections below *) Require Import BuiltIn. Require BuiltIn. Require int.Int. Require int.Abs. Require int.ComputerDivision. Axiom mod_div_unique : forall (x:Z) (y:Z) (q:Z) (r:Z), ((0%Z <= x)%Z /\ ((0%Z < y)%Z /\ ((x = ((q * y)%Z + r)%Z) /\ ((0%Z <= r)%Z /\ (r < y)%Z)))) -> ((q = (ZArith.BinInt.Z.quot x y)) /\ (r = (ZArith.BinInt.Z.rem x y))). Axiom mod_succ_1 : forall (x:Z) (y:Z), ((0%Z <= x)%Z /\ (0%Z < y)%Z) -> ((~ ((ZArith.BinInt.Z.rem (x + 1%Z)%Z y) = 0%Z)) -> ((ZArith.BinInt.Z.rem (x + 1%Z)%Z y) = ((ZArith.BinInt.Z.rem x y) + 1%Z)%Z)). Import Zquot. (* Why3 goal *) Theorem mod_succ_2 : forall (x:Z) (y:Z), ((0%Z <= x)%Z /\ (0%Z < y)%Z) -> (((ZArith.BinInt.Z.rem (x + 1%Z)%Z y) = 0%Z) -> ((ZArith.BinInt.Z.rem x y) = (y - 1%Z)%Z)). (* Why3 intros x y (h1,h2) h3. *) intros x y (Hx,Hy) H. generalize (Z_quot_rem_eq x y); intro h1. generalize (Z_quot_rem_eq (x+1) y); intro h2. assert (h3: (x = y * (Z.quot (x + 1) y - 1) + (Z.rem (x + 1) y + y - 1))%Z). ring_simplify; omega. rewrite H in h3. generalize (mod_div_unique x y (Z.quot (x + 1) y - 1) (0 + y - 1)). intuition. destruct H1; auto with zarith. rewrite h3 at 1. ring. Qed. why3-1.6.0/examples/euler001/euler001_SumMultiple_Closed_Formula_1.v000066400000000000000000000117651440160026300250530ustar00rootroot00000000000000(* This file is generated by Why3's Coq driver *) (* Beware! Only edit allowed sections below *) Require Import ZArith. Require Import Rbase. Require Import ZOdiv. Require int.Int. Require int.Abs. Require int.ComputerDivision. Parameter sum_multiple_3_5_lt: Z -> Z. Axiom SumEmpty : ((sum_multiple_3_5_lt 0%Z) = 0%Z). Axiom SumNo : forall (n:Z), (0%Z <= n)%Z -> (((~ ((ZOmod n 3%Z) = 0%Z)) /\ ~ ((ZOmod n 5%Z) = 0%Z)) -> ((sum_multiple_3_5_lt (n + 1%Z)%Z) = (sum_multiple_3_5_lt n))). Axiom SumYes : forall (n:Z), (0%Z <= n)%Z -> ((((ZOmod n 3%Z) = 0%Z) \/ ((ZOmod n 5%Z) = 0%Z)) -> ((sum_multiple_3_5_lt (n + 1%Z)%Z) = ((sum_multiple_3_5_lt n) + n)%Z)). Axiom div2 : forall (x:Z), exists y:Z, (x = (2%Z * y)%Z) \/ (x = ((2%Z * y)%Z + 1%Z)%Z). Axiom mod_div_unique : forall (x:Z) (y:Z) (q:Z) (r:Z), ((0%Z <= x)%Z /\ ((0%Z < y)%Z /\ ((x = ((q * y)%Z + r)%Z) /\ ((0%Z <= r)%Z /\ (r < y)%Z)))) -> ((q = (ZOdiv x y)) /\ (r = (ZOmod x y))). Axiom mod_succ_1 : forall (x:Z) (y:Z), ((0%Z <= x)%Z /\ (0%Z < y)%Z) -> ((~ ((ZOmod (x + 1%Z)%Z y) = 0%Z)) -> ((ZOmod (x + 1%Z)%Z y) = ((ZOmod x y) + 1%Z)%Z)). Axiom mod_succ_2 : forall (x:Z) (y:Z), ((0%Z <= x)%Z /\ (0%Z < y)%Z) -> (((ZOmod (x + 1%Z)%Z y) = 0%Z) -> ((ZOmod x y) = (y - 1%Z)%Z)). Axiom div_succ_1 : forall (x:Z) (y:Z), ((0%Z <= x)%Z /\ (0%Z < y)%Z) -> (((ZOmod (x + 1%Z)%Z y) = 0%Z) -> ((ZOdiv (x + 1%Z)%Z y) = ((ZOdiv x y) + 1%Z)%Z)). Axiom div_succ_2 : forall (x:Z) (y:Z), ((0%Z <= x)%Z /\ (0%Z < y)%Z) -> ((~ ((ZOmod (x + 1%Z)%Z y) = 0%Z)) -> ((ZOdiv (x + 1%Z)%Z y) = (ZOdiv x y))). Axiom mod2_mul2 : forall (x:Z), ((ZOmod (2%Z * x)%Z 2%Z) = 0%Z). Axiom mod2_mul2_aux : forall (x:Z) (y:Z), ((ZOmod (y * (2%Z * x)%Z)%Z 2%Z) = 0%Z). Axiom mod2_mul2_aux2 : forall (x:Z) (y:Z) (z:Z) (t:Z), ((ZOmod ((y * (2%Z * x)%Z)%Z + (z * (2%Z * t)%Z)%Z)%Z 2%Z) = 0%Z). Axiom div2_mul2 : forall (x:Z), ((ZOdiv (2%Z * x)%Z 2%Z) = x). Axiom div2_mul2_aux : forall (x:Z) (y:Z), ((ZOdiv (y * (2%Z * x)%Z)%Z 2%Z) = (y * x)%Z). Axiom div2_add : forall (x:Z) (y:Z), (((ZOmod x 2%Z) = 0%Z) /\ ((ZOmod y 2%Z) = 0%Z)) -> ((ZOdiv (x + y)%Z 2%Z) = ((ZOdiv x 2%Z) + (ZOdiv y 2%Z))%Z). Axiom div2_sub : forall (x:Z) (y:Z), (((ZOmod x 2%Z) = 0%Z) /\ ((ZOmod y 2%Z) = 0%Z)) -> ((ZOdiv (x - y)%Z 2%Z) = ((ZOdiv x 2%Z) - (ZOdiv y 2%Z))%Z). Axiom tr_mod_2 : forall (n:Z), (0%Z <= n)%Z -> ((ZOmod (n * (n + 1%Z)%Z)%Z 2%Z) = 0%Z). (* Why3 assumption *) Definition tr(n:Z): Z := (ZOdiv (n * (n + 1%Z)%Z)%Z 2%Z). Axiom tr_repr : forall (n:Z), (0%Z <= n)%Z -> ((n * (n + 1%Z)%Z)%Z = (2%Z * (tr n))%Z). Axiom tr_succ : forall (n:Z), (0%Z <= n)%Z -> ((tr (n + 1%Z)%Z) = (((tr n) + n)%Z + 1%Z)%Z). (* Why3 assumption *) Definition closed_formula_aux(n:Z): Z := let n3 := (ZOdiv n 3%Z) in let n5 := (ZOdiv n 5%Z) in let n15 := (ZOdiv n 15%Z) in (((3%Z * (tr n3))%Z + (5%Z * (tr n5))%Z)%Z - (15%Z * (tr n15))%Z)%Z. (* Why3 assumption *) Definition p(n:Z): Prop := ((sum_multiple_3_5_lt (n + 1%Z)%Z) = (closed_formula_aux n)). Axiom mod_15 : forall (n:Z), ((ZOmod n 15%Z) = 0%Z) <-> (((ZOmod n 3%Z) = 0%Z) /\ ((ZOmod n 5%Z) = 0%Z)). Axiom Closed_formula_0 : (p 0%Z). Axiom Closed_formula_n : forall (n:Z), (0%Z < n)%Z -> ((p (n - 1%Z)%Z) -> (((~ ((ZOmod n 3%Z) = 0%Z)) /\ ~ ((ZOmod n 5%Z) = 0%Z)) -> (p n))). Axiom Closed_formula_n_3 : forall (n:Z), (0%Z < n)%Z -> ((p (n - 1%Z)%Z) -> ((((ZOmod n 3%Z) = 0%Z) /\ ~ ((ZOmod n 5%Z) = 0%Z)) -> (p n))). Axiom Closed_formula_n_5 : forall (n:Z), (0%Z < n)%Z -> ((p (n - 1%Z)%Z) -> (((~ ((ZOmod n 3%Z) = 0%Z)) /\ ((ZOmod n 5%Z) = 0%Z)) -> (p n))). Axiom Closed_formula_n_15 : forall (n:Z), (0%Z < n)%Z -> ((p (n - 1%Z)%Z) -> ((((ZOmod n 3%Z) = 0%Z) /\ ((ZOmod n 5%Z) = 0%Z)) -> (p n))). Axiom Induction : (forall (n:Z), (0%Z <= n)%Z -> ((forall (k:Z), ((0%Z <= k)%Z /\ (k < n)%Z) -> (p k)) -> (p n))) -> forall (n:Z), (0%Z <= n)%Z -> (p n). Axiom Induction_bound : (forall (n:Z), (0%Z <= n)%Z -> ((forall (k:Z), ((0%Z <= k)%Z /\ (k < n)%Z) -> (p k)) -> (p n))) -> forall (n:Z), (0%Z <= n)%Z -> (p n). Axiom Closed_formula_ind : forall (n:Z), (0%Z <= n)%Z -> (p n). (* Why3 assumption *) Definition closed_formula(n:Z): Z := let n3 := (ZOdiv n 3%Z) in let n5 := (ZOdiv n 5%Z) in let n15 := (ZOdiv n 15%Z) in (ZOdiv (((3%Z * (n3 * (n3 + 1%Z)%Z)%Z)%Z + (5%Z * (n5 * (n5 + 1%Z)%Z)%Z)%Z)%Z - (15%Z * (n15 * (n15 + 1%Z)%Z)%Z)%Z)%Z 2%Z). Axiom div_15 : forall (n:Z), (0%Z <= n)%Z -> (0%Z <= (ZOdiv n 15%Z))%Z. Axiom div_5 : forall (n:Z), (0%Z <= n)%Z -> (0%Z <= (ZOdiv n 5%Z))%Z. Axiom div_3 : forall (n:Z), (0%Z <= n)%Z -> (0%Z <= (ZOdiv n 3%Z))%Z. (* Why3 goal *) Theorem Closed_Formula : forall (n:Z), (0%Z <= n)%Z -> ((sum_multiple_3_5_lt (n + 1%Z)%Z) = (closed_formula n)). intros n Hn. rewrite Closed_formula_ind; auto. unfold closed_formula_aux, closed_formula. repeat rewrite tr_repr. rewrite div2_sub. rewrite div2_mul2_aux. rewrite div2_add. do 2 rewrite div2_mul2_aux. auto. repeat rewrite mod2_mul2_aux; auto. rewrite mod2_mul2_aux; auto. rewrite mod2_mul2_aux2; auto. apply div_15; auto. apply div_5; auto. apply div_3; auto. Qed. why3-1.6.0/examples/euler001/euler001_TriangularNumbers_tr_mod_2_1.v000066400000000000000000000042631440160026300250410ustar00rootroot00000000000000(* This file is generated by Why3's Coq 8.4 driver *) (* Beware! Only edit allowed sections below *) Require Import BuiltIn. Require Import ZOdiv. Require BuiltIn. Require int.Int. Require int.Abs. Require int.Div2. Require int.ComputerDivision. Axiom mod_div_unique : forall (x:Z) (y:Z) (q:Z) (r:Z), ((0%Z <= x)%Z /\ ((0%Z < y)%Z /\ ((x = ((q * y)%Z + r)%Z) /\ ((0%Z <= r)%Z /\ (r < y)%Z)))) -> ((q = (ZOdiv x y)) /\ (r = (ZOmod x y))). Axiom mod_succ_1 : forall (x:Z) (y:Z), ((0%Z <= x)%Z /\ (0%Z < y)%Z) -> ((~ ((ZOmod (x + 1%Z)%Z y) = 0%Z)) -> ((ZOmod (x + 1%Z)%Z y) = ((ZOmod x y) + 1%Z)%Z)). Axiom mod_succ_2 : forall (x:Z) (y:Z), ((0%Z <= x)%Z /\ (0%Z < y)%Z) -> (((ZOmod (x + 1%Z)%Z y) = 0%Z) -> ((ZOmod x y) = (y - 1%Z)%Z)). Axiom div_succ_1 : forall (x:Z) (y:Z), ((0%Z <= x)%Z /\ (0%Z < y)%Z) -> (((ZOmod (x + 1%Z)%Z y) = 0%Z) -> ((ZOdiv (x + 1%Z)%Z y) = ((ZOdiv x y) + 1%Z)%Z)). Axiom div_succ_2 : forall (x:Z) (y:Z), ((0%Z <= x)%Z /\ (0%Z < y)%Z) -> ((~ ((ZOmod (x + 1%Z)%Z y) = 0%Z)) -> ((ZOdiv (x + 1%Z)%Z y) = (ZOdiv x y))). Axiom mod2_mul2 : forall (x:Z), ((ZOmod (2%Z * x)%Z 2%Z) = 0%Z). Axiom mod2_mul2_aux : forall (x:Z) (y:Z), ((ZOmod (y * (2%Z * x)%Z)%Z 2%Z) = 0%Z). Axiom mod2_mul2_aux2 : forall (x:Z) (y:Z) (z:Z) (t:Z), ((ZOmod ((y * (2%Z * x)%Z)%Z + (z * (2%Z * t)%Z)%Z)%Z 2%Z) = 0%Z). Axiom div2_mul2 : forall (x:Z), ((ZOdiv (2%Z * x)%Z 2%Z) = x). Axiom div2_mul2_aux : forall (x:Z) (y:Z), ((ZOdiv (y * (2%Z * x)%Z)%Z 2%Z) = (y * x)%Z). Axiom div2_add : forall (x:Z) (y:Z), (((ZOmod x 2%Z) = 0%Z) /\ ((ZOmod y 2%Z) = 0%Z)) -> ((ZOdiv (x + y)%Z 2%Z) = ((ZOdiv x 2%Z) + (ZOdiv y 2%Z))%Z). Axiom div2_sub : forall (x:Z) (y:Z), (((ZOmod x 2%Z) = 0%Z) /\ ((ZOmod y 2%Z) = 0%Z)) -> ((ZOdiv (x - y)%Z 2%Z) = ((ZOdiv x 2%Z) - (ZOdiv y 2%Z))%Z). (* Why3 goal *) Theorem tr_mod_2 : forall (n:Z), (0%Z <= n)%Z -> ((ZOmod (n * (n + 1%Z)%Z)%Z 2%Z) = 0%Z). (* Why3 intros n h1. *) intros n Hn. destruct (Div2.div2 n) as (x,[h1|h2]). rewrite h1. replace (2 * x * (2 * x + 1))%Z with (2 * (x * (2 * x + 1)))%Z by ring. apply mod2_mul2. rewrite h2. replace ((2 * x + 1) * (2 * x + 1 + 1))%Z with (2* ((2 * x + 1) * (x + 1)))%Z by ring. apply mod2_mul2. Qed. why3-1.6.0/examples/euler001/main.ml000066400000000000000000000010541440160026300170350ustar00rootroot00000000000000 open Format let usage () = eprintf "Euler001: sum of all the multiples of 3 or 5 below a given number@."; eprintf "Usage: %s @." Sys.argv.(0); exit 2 let input = if Array.length Sys.argv <> 2 then usage (); Sys.argv.(1) (* let () = if input = "go" then begin Euler001.go (); exit 0 end *) let input_num = try Z.of_string input with _ -> usage () let () = let a = Euler001.solve input_num in printf "The sum of all the multiples of 3 or 5 below %s is %s@." (Z.to_string input_num) (Z.to_string a) why3-1.6.0/examples/euler001/why3session.xml000066400000000000000000000150071440160026300206020ustar00rootroot00000000000000 why3-1.6.0/examples/euler001/why3shapes.gz000066400000000000000000000026621440160026300202250ustar00rootroot00000000000000Vj$I}nBR(.`P̾,jmnؿYrPP 2a{zhO?ny.fBTo:s1 IӇ ڵ/G氘>.Т vB׿s C XӧŃrf80m @ AX%wVnܸ DKM6wӇp˭/Gɭk5<[q-LS𔰺Y[ m&3?-lV>D{C̨sq@8G& =?IϏh?-a"N柾}ȍ=Gzf1bTދ$?]^eS> 'tQdf I[a/O/FГ}!J[܉.p/x݆ WP/a1b6H2CLIAG$B[4|uJ _?-mgNO{z؂Yg1S7_!oP(꒱R.v0|+/KgL"%gJ;b1R`a&=M@A%MM%"wƅv$ZLNY{у]w˾%cOg|t6 t %H why3-1.6.0/examples/euler002.mlw000066400000000000000000000053211440160026300163020ustar00rootroot00000000000000(* Euler Project, problem 2 Each new term in the Fibonacci sequence is generated by adding the previous two terms. By starting with 1 and 2, the first 10 terms will be: 1, 2, 3, 5, 8, 13, 21, 34, 55, 89, ... By considering the terms in the Fibonacci sequence whose values do not exceed four million, find the sum of the even-valued terms. *) (** {2 Sum of even-valued Fibonacci numbers} *) theory FibSumEven use int.Int use int.Fibonacci use int.ComputerDivision (* [fib_sum_even m n] is the sum of even-valued terms of the Fibonacci sequence from index 0 to n-1, that do not exceed m *) function fib_sum_even int int : int axiom SumZero: forall m:int. fib_sum_even m 0 = 0 axiom SumEvenLe: forall n m:int. n >= 0 -> fib n <= m -> mod (fib n) 2 = 0 -> fib_sum_even m (n+1) = fib_sum_even m n + fib n axiom SumEvenGt: forall n m:int. n >= 0 -> fib n > m -> mod (fib n) 2 = 0 -> fib_sum_even m (n+1) = fib_sum_even m n axiom SumOdd: forall n m:int. n >= 0 -> mod (fib n) 2 <> 0 -> fib_sum_even m (n+1) = fib_sum_even m n predicate is_fib_sum_even (m:int) (sum:int) = exists n:int. sum = fib_sum_even m n /\ fib n > m (* Note: we take for granted that [fib] is an increasing sequence *) end module FibOnlyEven use int.Int use int.ComputerDivision use int.Fibonacci let rec lemma fib_even_3n (n:int) requires { n >= 0 } variant { n } ensures { mod (fib n) 2 = 0 <-> mod n 3 = 0 } = if n > 2 then fib_even_3n (n-3) function fib_even (n: int) : int = fib (3 * n) lemma fib_even0: fib_even 0 = 0 lemma fib_even1: fib_even 1 = 2 lemma fib_evenn: forall n:int [fib_even n]. n >= 2 -> fib_even n = 4 * fib_even (n-1) + fib_even (n-2) end module Solve use int.Int use ref.Ref use int.Fibonacci use FibSumEven use FibOnlyEven let f m : int requires { m >= 0 } ensures { exists n:int. result = fib_sum_even m n /\ fib n > m } = let x = ref 0 in let y = ref 2 in let sum = ref 0 in let ghost n = ref 0 in let ghost k = ref 0 in while !x <= m do invariant { !n >= 0 } invariant { !k >= 0 } invariant { !x = fib_even !n } invariant { !x = fib !k } invariant { !y = fib_even (!n+1) } invariant { !y = fib (!k+3) } invariant { !sum = fib_sum_even m !k } invariant { 0 <= !x < !y } variant { m - !x } let tmp = !x in x := !y; y := 4 * !y + tmp; sum := !sum + tmp; n := !n + 1; k := !k + 3 done; !sum let run () = f 4_000_000 (* should be 4613732 *) exception BenchFailure let bench () raises { BenchFailure -> true } = let x = run () in if x <> 4613732 then raise BenchFailure; x end why3-1.6.0/examples/euler002/000077500000000000000000000000001440160026300155605ustar00rootroot00000000000000why3-1.6.0/examples/euler002/why3session.xml000066400000000000000000000134321440160026300206030ustar00rootroot00000000000000 why3-1.6.0/examples/euler002/why3shapes.gz000066400000000000000000000027571440160026300202330ustar00rootroot00000000000000ZYo7~ط pfxN!F} x"B㣲C\IڜwI~s<,GpSn7ewe0ãD8qp$Q^x~eMx؆궄v#O)śۆ!+ᶈ6#J;vJ':7$ncHrۏqL'v?gjFTjYqrGeu׻(o zo%y C˛?_ꟌAqx6'y~$,]]?\#a{u j{wpdU l(o™3}n;s}r4KwY+އ^|mk)}]=Hr.oQ R   D~Y5M4i"((5Ҭ*Hvq[XB5 q@{~1 6wMPnݠ[gK^9ޯL{%5״a^p.ίs:WuW<) faN|-7a:7=z!Bw0^66 u|uG 9$V& lv-ji_n >LZh} ՒN4,\-tf}C BճRO_ǔsʓ>%ޗsq)ٓuN9iAF#@t|G=^#־QdQm*pT&4)UY5UUф"ʴg.8ɓUA{{|ﳺw_vVغ*PԞ{yxNjJlM:)dޗ fgoRJ1/NeJɅKT+T mr ]) M>8є,GMXKpNW(e4IA(H>4+62ddVHF0Z{16ƀȵ_;AF ֩|V8Ϳ[l8UZCuMgU4R9+`L)'g &%2PƂ$i`ULޚZ 2xK;J U!]iጕVCΫM+!-B3BF"$r8). fE`3JbAum0'b)%$dFI@Eja^$fl< {1hrG)[D:Js@LWI/symJ LE5 TA@s96PDMl޸>Fk9%q<ҹ| 8of4RLp)-t@5L DD/dL9qQL>.`Lڼ:ʅb +TԺ#)m _<ߖ4k tTj*pQ%1Kaȑi^#̹Бg)iycD"hugEHAJq &#؆5&=j70_"&why3-1.6.0/examples/euler011.mlw000066400000000000000000000164531440160026300163120ustar00rootroot00000000000000 (** {1 Euler Project, problem11} In the 20×20 grid below, four numbers along a diagonal line have been marked in red. {h 
    08 02 22 97 38 15 00 40 00 75 04 05 07 78 52 12 50 77 91 08
49 49 99 40 17 81 18 57 60 87 17 40 98 43 69 48 04 56 62 00
81 49 31 73 55 79 14 29 93 71 40 67 53 88 30 03 49 13 36 65
52 70 95 23 04 60 11 42 69 24 68 56 01 32 56 71 37 02 36 91
22 31 16 71 51 67 63 89 41 92 36 54 22 40 40 28 66 33 13 80
24 47 32 60 99 03 45 02 44 75 33 53 78 36 84 20 35 17 12 50
32 98 81 28 64 23 67 10 26 38 40 67 59 54 70 66 18 38 64 70
67 26 20 68 02 62 12 20 95 63 94 39 63 08 40 91 66 49 94 21
24 55 58 05 66 73 99 26 97 17 78 78 96 83 14 88 34 89 63 72
21 36 23 09 75 00 76 44 20 45 35 14 00 61 33 97 34 31 33 95
78 17 53 28 22 75 31 67 15 94 03 80 04 62 16 14 09 53 56 92
16 39 05 42 96 35 31 47 55 58 88 24 00 17 54 24 36 29 85 57
86 56 00 48 35 71 89 07 05 44 44 37 44 60 21 58 51 54 17 58
19 80 81 68 05 94 47 69 28 73 92 13 86 52 17 77 04 89 55 40
04 52 08 83 97 35 99 16 07 97 57 32 16 26 26 79 33 27 98 66
88 36 68 87 57 62 20 72 03 46 33 67 46 55 12 32 63 93 53 69
04 42 16 73 38 25 39 11 24 94 72 18 08 46 29 32 40 62 76 36
20 69 36 41 72 30 23 88 34 62 99 69 82 67 59 85 74 04 36 16
20 73 35 29 78 31 90 01 74 31 49 71 48 86 81 16 23 57 05 54
01 70 54 71 83 51 54 69 16 92 33 48 61 43 52 01 89 19 67 48
    } The product of these numbers is 26 × 63 × 78 × 14 = 1788696. What is the greatest product of four adjacent numbers in the same direction (up, down, left, right, or diagonally) in the 20×20 grid? *) module ProductFour use int.Int use ref.Ref use matrix.Matrix use option.Option (** Direction of the product checked *) type direction = | Left_bottom | Right_bottom | Bottom | Right (** Math functions about the result of a product. Incomplete product generate None *) function left_diag (m: matrix int) (i: int) (j: int) : option int = if (i < m.rows /\ j >= 0 /\ i >= 3 /\ j < m.columns - 3) then Some (((m.elts i j) * (m.elts (i - 1) (j + 1)) * (m.elts (i - 2) (j + 2)) * (m.elts (i-3) (j+3)))) else None function right_diag (m: matrix int) (i: int) (j: int) : option int = if (i < m.rows - 3 /\ i >= 0 /\ j < m.columns - 3 /\ j >= 0) then Some (((m.elts i j) * (m.elts (i + 1) (j + 1)) * (m.elts (i + 2) (j + 2)) * (m.elts (i+3) (j+3)))) else None function line (m: matrix int) (i: int) (j: int) : option int = if (0 <= j < m.columns /\ i >= 0 /\ i < m.rows - 3) then Some ((m.elts i j) * (m.elts (i+1) j) * (m.elts (i+2) j) * (m.elts (i+3) j)) else None function column (m: matrix int) (i: int) (j: int) : option int = if (0 <= i < m.rows /\ j >= 0 /\ j < m.columns - 3) then Some ((m.elts i j) * (m.elts i (j+1)) * (m.elts i (j+2)) * (m.elts i (j + 3))) else None (** Computational functions for the product in each direction *) let right_diag_c m i j : option int = ensures {result = right_diag m i j} if (i < m.rows - 3 && i >= 0 && j < m.columns - 3 && j >= 0) then Some (((get m i j) * (get m (i + 1) (j + 1)) * (get m (i + 2) (j + 2)) * (get m (i+3) (j+3)))) else None let left_diag_c m i j : option int = ensures {result = left_diag m i j} if (i < m.rows && j >= 0 && i >= 3 && j < m.columns - 3) then Some (((get m i j) * (get m (i - 1) (j + 1)) * (get m (i - 2) (j + 2)) * (get m (i-3) (j+3)))) else None let line_c m i j : option int = ensures {result = line m i j} if (0 <= j && j < m.columns && i >= 0 && i < m.rows - 3) then Some ((get m i j) * (get m (i+1) j) * (get m (i+2) j) * (get m (i+3) j)) else None let column_c m i j : option int = ensures {result = column m i j} if (0 <= i && i < m.rows && j >= 0 && j < m.columns - 3) then Some ((get m i j) * (get m i (j+1)) * (get m i (j+2)) * (get m i (j + 3))) else None (* function compute4 (m: matrix int) (i: int) (j: int) (d: direction) : option int = *) (* match d with *) (* | Left_bottom -> left_diag m i j *) (* | Right_bottom -> right_diag m i j *) (* | Bottom -> column m i j *) (* | Right -> line m i j *) (* end *) (* TODO Failed attempt at pattern matching above. Combination of mathematical product result functions *) function compute4 (m: matrix int) (i: int) (j: int) (d: direction) : option int = if (d = Left_bottom) then left_diag m i j else if (d = Right_bottom) then right_diag m i j else if (d = Bottom) then column m i j else if (d = Right) then line m i j else None (** A product is_valid if each elements of the product is in the matrix *) (* predicate is_valid (m: matrix int) (i: int) (j: int) (d: direction) = *) (* match d with *) (* | Left_bottom -> i < m.rows /\ j >= 0 /\ i >= 3 /\ j < m.columns - 3 *) (* | Right_bottom -> i >= 0 /\ j >= 0 /\ i < m.rows - 3 /\ j < m.columns - 3 *) (* | Bottom -> 0 <= i /\ i < m.rows /\ j >= 0 /\ j < m.columns - 3 *) (* | Right -> 0 <= j /\ j < m.columns /\ i >= 0 /\ i < m.rows - 3 *) (* end *) (** Return the maximum product of 4 for matrix m *) let find_max (m: matrix int) = requires {m.rows > 4 /\ m.columns > 4} ensures {forall i j d. match (compute4 m i j d) with | None -> true | Some v -> v <= result end} ensures {exists i j d. Some result = compute4 m i j d} (** Current max and element of the matrix for which it is attained *) let cur_max = ref ( match (line_c m 0 0) with | None -> 0 (* TODO should not happen *) | Some v -> v end) in let cur_i = ref 0 in let cur_j = ref 0 in let cur_d = ref Right in for i = 0 to (m.rows - 1) do (* Cur_max is greater than each product already seen *) invariant { forall i' j' d. (0 <= i' < i /\ 0 <= j' < m.columns) -> match (compute4 m i' j' d) with | None -> true | Some v -> v <= !cur_max end} (* cur_max is actually the product at (cur_i, cur_j, cur_d) *) invariant {Some !cur_max = compute4 m !cur_i !cur_j !cur_d} for j = 0 to (m.columns - 1) do (* cur_max is actually the product at (cur_i, cur_j, cur_d) *) invariant {Some !cur_max = compute4 m !cur_i !cur_j !cur_d} (* Cur_max is greater than each product already seen *) invariant { forall i' j' d. ((i' = i /\ 0 <= j' /\ j' < j) \/ (0 <= i' < i /\ 0 <= j' < m.columns)) -> match (compute4 m i' j' d) with | None -> true | Some v -> v <= !cur_max end} (* Computation of the product for each direction *) match (left_diag_c m i j) with | None -> () | Some v -> if (v > !cur_max) then begin cur_max := v; cur_i := i; cur_j := j; cur_d := Left_bottom; end end; match (right_diag_c m i j) with | None -> () | Some v -> if (v > !cur_max) then begin cur_max := v; cur_i := i; cur_j := j; cur_d := Right_bottom; end end; match (line_c m i j) with | None -> () | Some v -> if (v > !cur_max) then begin cur_max := v; cur_i := i; cur_j := j; cur_d := Right; end end; match (column_c m i j) with | None -> () | Some v -> if (v > !cur_max) then begin cur_max := v; cur_i := i; cur_j := j; cur_d := Bottom; end end; done; done; (** Assert implying directly the postcondition *) assert { Some !cur_max = compute4 m !cur_i !cur_j !cur_d}; !cur_max;; end why3-1.6.0/examples/euler011/000077500000000000000000000000001440160026300155605ustar00rootroot00000000000000why3-1.6.0/examples/euler011/why3session.xml000066400000000000000000001022731440160026300206050ustar00rootroot00000000000000 why3-1.6.0/examples/euler011/why3shapes.gz000066400000000000000000000173411440160026300202260ustar00rootroot00000000000000|k\7=60n1BE~mSjXr7߯L{RM^sHӷ_3yg}S!_~CK{|ӟo~_~7~KoW7A.vZuwgS?l}󗧿׿!<Z?hL;mfIKtyvrQ^|WvvIN|0ƥ?kVVT~[;5%Ws[܆S[}+m16 ܖ?ǩ-v>uq)h/2>ҡk'xK3Cf,%6.LWfI.lt v%S(WJ7 7ۯ9 _˥]zkުdTiꐖNue.e }8wzأ^Ǔn>Nii><,8yL)<}(qMU~Zҹw;WgλJ8s 'KKLP(s괋e޽e eΌiʼ{ Н̙A.y2?dPt kV;hbB+”k'ģx M-'x 28Õws[2*V.A`tqF+Ɋ}ň9N(KFb6}m1&&Go²\-Z9~ IeщԽ#t'PWv\x2zS IȲ ?<]Xt/ֹ\Ve|۷TOtN^/gB3Oo@3̳VW@k NꑗPq+rKZgr LV@<9`^=[Wiu@E s)8(N\&k'/ xsl0> nn/APNPcg ]%L%TN_q| Qvj1TLH8Y4 NFGLS֑czq黹xZKkk`O>ZyGjwV`O%K6a22MGa1F FXY @0KD^$v|F ʚ+]M5snNz0aμ [>O-Z8{}L Nə_Bk(X0^RE c~8O]D?7_&=QVQ׋iڿ=ۊq*1!i:VG•D'sL6L_It'%; n[: ەdGiѝ=&WwmXчA*w{pA@QxFyer4 /: ǝ9uXi:wtb:7]On݇D3XZFt4f`un2lan=iEy\IeXeqRYQYT+s 0{Ɩ#xNɻ{kGT\rZ|fj&Ԍѳ5l3ָԜЌ,XN% )81h&hV],VCrut4s gjlk9U[eoia\s!cJyD7jGkb )X+J) ĘM:W^}H`c.0Q(6Xm(0K%zZ=G-jC \ICۻ:J %4X;3zF'H4fŔ).(,?-& ;j!ѦEl2$RhRٖ-ЃF; )4}x|mv3H+i0 W!Cӆ ss S6ͷ,+;dP0 [5FHХ5椳aaºR{,;OPR#!rO !8,3a'x ;ZVg emhh*c#d mP}&uڰ5pQ̔8kS2w&ujq+̚VQ\|s"fC:0X`ĵG q n%-,8=dzDUt0F#.1'F۝YHڻ u]A$D"iKMA3-6Dd]CX8B? a8h#q#OڕA_xney“^qi⥞M9yMB5yT4*Sq/Hm }eBK?""EEtWaf HнDDN*0kz$Z}ȔɰVl \SbmyӶQK W'%] {:hk&blͶmbQ vZFޑSF\~0lZAݪePECr@E󈴣EǷ!CSl-7:=7:3UsU2Iu( t!r);Ym4\1hN \s^يv,&r 0E{q8Rg$I)c` k\@a",\-f{F;O&HvV85F2.N8Aow JB֬Qɟ7,һmyPYpM6"y.$WF*\cF@=(VgFe(ADi~@>R <0cgo*LX jF7" cp\EgJf*%XT>d[´"݂3gnڠ0I8DAL,EzCksFnK>fuFZ69]zQ$}c|὆hW *g$FK0<Ԣ .i"@NlGԦ ~#,\Dg{3̪pd:R^R2%X|䨶LMw{N[T, dG.%X`?/㽄:Ӑ=Ƙ:(B -1"(m4 @VDRwdE%K+;L V^0Q19Rr&Is5zA:BUԽ0vat9Ms$=€_苋[6`6l|,W]"şJ_H!%i`֢+s7n#]곕ب$̀d38:8 E«ErY{e;P+~8* "A+o0LO1bȚICUeSE/\Ҫu! 91U5@Z!yeǏ~H 3*wDBmUȎ%X+UFܪu|vKauĵ/zgLu0+,R(/xtz{4&56 F^˺X#gmKx6Cm9\:YTv7E (Q"Mx*ЛkzK=aEFw3! Pk`jnS7$V;+Ѡ]Un3P6-H)'/U`>bQs֍ݧ˳*3<*q vH'׷oP!\,\@͆|J"}\ y*nMY5*΍K (YCiTVˌ>o"r r6 Ķb p(\sX 2K+0QpOwvUYxaٶ ?ZC 1WԠa4b3P`#ED;\uh Q lO Xٙ1\~:yŤ<@pڨ ǯ;q_$(s P:ǨE=Qqe X#JbM>Uf2JM#vĔ_q6(L<*>^ё%w'ݏaP N{ܑW΁(zZg>JLƙ'-*-t>{F;5eJexӣVPo,,`8z;t)[*XK28d jCƚ~x Vi^n3ZG@QQ|s $l֥[Q@_luRu* פg.Bt*YvD4\rmJ$=}3W*]Oq,zFt[ZfɦHХdz0CP>p b"ب>TFo̓!7wR|(EC ;تKi& Bۣ(1qTFmj8څMBқ~H ei7CÈbŋOPx82џ"/='%vOMҧ{g f6:czEg ]B P:ĈXƸ؞؎ 1 qO 0sA+Rڕ۟ *ȔKd]ڹQE}ÙLNjhmjIwY_L1[ L_8z 2Cx#̳GsB]牂why3-1.6.0/examples/euler_sieve.mlw000066400000000000000000001243271440160026300172630ustar00rootroot00000000000000(** Euler's Sieve This is a variant of Eratosthenes's sieve with complexity O(N), where N is the upper limit of the sieve. Cf https://en.wikipedia.org/wiki/Sieve_of_Eratosthenes#Euler's_sieve Euler's Sieve makes use of a linked list of all integers, and marks composite numbers as in Eratosthenes's sieve. In the program below, the linked list is implemented with an array (where each integer is mapped to the next one) and negative values are used to represent marked integers. In addition, the list only contains the odd integers (to save half of space). Author: Josué Moreau (Université Paris-Saclay) *) module ArithmeticResults use int.Int use number.Divisibility use number.Prime use int.EuclideanDivision let lemma mult_croissance_locale (n a: int) requires { n > 0 /\ 0 <= a } ensures { n * a < n * (a + 1) } = () let rec lemma mult_croissance (n a b: int) requires { n > 0 /\ 0 <= a < b } ensures { n * a < n * b } variant { b - a } = if a + 1 = b then () else mult_croissance n (a + 1) b let lemma comp_mult_2 (n k: int) requires { n > 0 /\ k >= 2 } ensures { n * k >= n * 2 } = () let lemma div_croissance_locale1 (i n: int) requires { 0 <= i /\ n > 0 } ensures { div i n <= div (i + 1) n } = () let rec lemma div_croissance1 (i j n: int) requires { 0 <= i <= j /\ n > 0 } ensures { div i n <= div j n } variant { j - i } = if i < j then div_croissance1 i (j - 1) n let rec lemma div_croissance_locale2 (m i: int) requires { i > 0 /\ m >= 0 } ensures { div m (i + 1) <= div m i } variant { m } = if m > 0 then div_croissance_locale2 (m - 1) i let rec lemma div_croissance2 (m i j: int) requires { 0 < i <= j /\ m >= 0 } ensures { div m i >= div m j } variant { j - i } = if i < j then div_croissance2 m i (j - 1) let lemma div_mult_1 (n k max: int) requires { n > 0 /\ max >= n /\ n * k <= max } ensures { k = div (n * k) n <= div max n } = () let lemma mult_borne_sous_exp (n a b: int) requires { a >= 1 /\ b >= 1 /\ n >= 1 /\ a * b < n } ensures { a < n /\ b < n } = () let rec lemma sq_ineq (a b: int) requires { a >= 0 /\ b >= 0 } requires { a * a < b * b } ensures { a < b } variant { b * b - a * a } = if (b - 1) * (b - 1) > a * a then sq_ineq a (b - 1) end module DivisibilityResults use int.Int use int.EuclideanDivision use number.Divisibility use number.Prime let lemma divides_div (n m k: int) requires { 2 <= n /\ 2 <= m /\ 2 <= k < n /\ divides n m /\ not divides k m } ensures { not divides k (div m n) } = () let lemma divides_inf (n m: int) requires { 2 <= n /\ 2 <= m /\ divides n m /\ forall k. 2 <= k < n -> not divides k m } ensures { forall k. 2 <= k < n -> not divides k (div m n) } = () let lemma not_prime_divider_limits (n: int) requires { not prime n /\ 2 <= n } ensures { exists i. 2 <= i /\ i * i <= n /\ divides i n } = () let lemma no_prod_impl_no_divider (n: int) requires { n >= 0 } ensures { forall i. 2 <= i < n * n -> not (exists k l. 2 <= k < n /\ 2 <= l < i /\ k * l = i ) -> not (exists k. 2 <= k < n /\ k <> i /\ divides k i) } = () use ArithmeticResults let lemma not_prime_impl_divisor_under_sqrt (n: int) requires { n >= 2 } ensures { forall i. 2 <= i < n * n -> not prime i -> exists j. 2 <= j < i /\ ((j < n) by j * j < n * n /\ j >= 0) /\ divides j i } = () end module EulerSieveSpec use int.Int use number.Divisibility use number.Prime use seq.Seq use int.EuclideanDivision use ArithmeticResults use DivisibilityResults (*******************************************************************************) (* *) (* INVARIANTS SUR LES RELATIONS ENTRE STRUCTURES DE DONNEES *) (* *) (*******************************************************************************) (* Borne sur le suivant de chaque élément de la liste chaînée *) predicate inv_nexts (nexts: seq int) (n: int) = forall i. 0 <= i < n -> i < nexts[i] <= n (* Tous les éléments éliminés de la liste chaînée sont marqués *) predicate all_eliminated_marked (marked: seq bool) (nexts: seq int) = marked.length = nexts.length /\ forall i. 0 <= i < marked.length -> forall j. i < j < nexts[i] -> marked[j] (* Tous les éléments éliminés, à partir d'un certain indice, sont marqués *) predicate all_eliminated_marked_partial (marked: seq bool) (nexts: seq int) (min: int) = marked.length = nexts.length /\ forall i. min <= i < marked.length -> forall j. i < j < nexts[i] -> marked[j] (* L'élément suivant d'un élément non marqué inférieur à max / n est non marqué lorsqu'il est lui-même inférieur à max / n *) predicate not_marked_impl_next_not_marked (marked_old: seq bool) (nexts: seq int) (n: int) = marked_old.length = nexts.length /\ marked_old.length >= 2 /\ n >= 2 /\ forall i. 2 <= i <= div (marked_old.length - 1) n -> nexts[i] <= div (marked_old.length - 1) n -> not marked_old[i] -> not marked_old[nexts[i]] (* Les deux tableaux marked sont identiques *) predicate is_copy (marked: seq bool) (marked_old: seq bool) = marked.length = marked_old.length /\ forall i. 0 <= i < marked.length -> not marked[i] -> not marked_old[i] (* L'élément suivant d'un élément non marqué inférieur à p <= max / n est non marqué lorsqu'il est inférieur à max / n *) predicate not_marked_impl_next_not_marked_partial (marked: seq bool) (nexts: seq int) (n: int) (p: int) = marked.length = nexts.length /\ marked.length >= 2 /\ n >= 2 /\ p <= div (marked.length - 1) n /\ forall i. 2 <= i < p -> nexts[i] <= div (marked.length - 1) n -> not marked[i] -> not marked[nexts[i]] (*******************************************************************************) (* *) (* PROPRIETES LIEES AUX NOMBRES PREMIERS *) (* *) (*******************************************************************************) (* Tous les nombres jusqu'à n sont non marqués si et seulement si ils sont premiers *) predicate all_primes (marked: seq bool) (n: int) = forall i. 0 <= i < n -> not marked[i] <-> prime i (* Tous les multiples de i sont marqués *) predicate all_multiples_marked (marked: seq bool) (i max: int) = 2 <= i < marked.length /\ forall k. 2 <= k < max -> i * k < marked.length -> marked[i * k] (* Tous les multiples des 2 <= i < n sont marqués *) predicate previously_marked_multiples (marked: seq bool) (n: int) = forall i. 2 <= i < n -> all_multiples_marked marked i marked.length (* Les multiples des 2 <= i < n sont les uniques nombres marqués *) predicate only_multiples_marked (marked: seq bool) (n: int) = forall k. 2 <= k < marked.length -> marked[k] -> exists i j. 2 <= i < n /\ 2 <= j < marked.length /\ i * j = k (* Les multiples de n avec les éléments non marqués précédement sont marqués *) predicate prime_multiples_marked (marked_old: seq bool) (marked: seq bool) (n max: int) = marked_old.length = marked.length /\ n < max <= marked.length /\ forall i. n <= i < max -> not marked_old[i] -> n * i < marked_old.length -> marked[n * i] (* Invariants de base de remove_products *) predicate inv_remove_products (nexts: seq int) (marked: seq bool) (n: int) = nexts.length = marked.length /\ not marked[2] /\ all_primes marked n /\ prime n /\ not marked[n] /\ inv_nexts nexts nexts.length (*******************************************************************************) (* *) (* QUELQUES LEMMES DE CONSERVATION DES STRUCTURES *) (* *) (*******************************************************************************) let lemma conservation_all_eliminated_marked_on_marked_change (marked: seq bool) (nexts: seq int) (i: int) requires { marked.length = nexts.length } requires { inv_nexts nexts nexts.length } requires { all_eliminated_marked marked nexts } requires { 0 <= i < marked.length } ensures { all_eliminated_marked marked[i <- true] nexts } = () let lemma conservation_all_eliminated_marked_on_nexts_change (marked: seq bool) (nexts: seq int) (i v: int) requires { marked.length = nexts.length } requires { all_eliminated_marked marked nexts } requires { inv_nexts nexts marked.length } requires { 0 <= i < marked.length } requires { i < v <= marked.length } requires { forall j. i < j < v -> marked[j] } ensures { all_eliminated_marked marked nexts[i <- v] } = () (*******************************************************************************) (* *) (* QUELQUES PREDICATS UTILES *) (* *) (*******************************************************************************) predicate ordered (a: seq int) (n: int) = forall i j. 0 <= i < j < n -> a[i] < a[j] predicate all_inf_or_eq (a: seq int) (n k: int) = forall i. 0 <= i < n -> a[i] <= k end module EulerSieve use int.Int use number.Divisibility use number.Prime use seq.Seq use int.EuclideanDivision use ArithmeticResults use DivisibilityResults use EulerSieveSpec (*******************************************************************************) (* *) (* PROPRIETES LIEES AUX NOMBRES PREMIERS *) (* *) (*******************************************************************************) (* Si tous les multiples des nombres i < n sont marqués, alors les mutliples de ces multiples sont marqués *) let lemma multiples_of_marked_are_marked (marked: seq bool) (n: int) requires { 2 <= n <= marked.length } requires { previously_marked_multiples marked n } ensures { forall k i. 2 <= k < n -> 2 <= i < marked.length -> k * i < marked.length -> forall j. 1 <= j < marked.length -> k * i * j < marked.length -> (marked[k * i * j] by 1 <= i * j < marked.length by k >= 2 /\ i >= 2 /\ j >= 1 /\ k * (i * j) < marked.length) } = () (* Lemme essentiel : si tous les multiples des nombres i < n sont marqués et qu'on a marqué tous les produits de n avec les nombres non marqués alors tous les multiples de n sont marqués *) let lemma prev_and_new_impl_all_multiples_marked (marked_old marked: seq bool) (n max: int) requires { 2 <= n < marked.length /\ 2 <= max < marked.length /\ marked_old.length = marked.length } requires { is_copy marked marked_old } requires { previously_marked_multiples marked_old n } requires { previously_marked_multiples marked n } requires { only_multiples_marked marked_old n } requires { prime_multiples_marked marked_old marked n marked.length } ensures { all_multiples_marked marked n marked.length } = assert { forall i. 2 <= i < n /\ 2 <= i < marked.length -> not marked_old[i] -> i * n < marked.length -> marked[i * n] }; assert { forall k. 2 <= k < marked_old.length -> marked_old[k] -> n * k < marked_old.length -> exists i j. 2 <= i < n /\ 2 <= j < marked_old.length /\ i * j = k /\ marked_old[i * j] }; multiples_of_marked_are_marked marked_old n; multiples_of_marked_are_marked marked n; assert { marked.length = marked_old.length }; assert { forall k. 2 <= k < marked_old.length -> marked_old[k] -> n * k < marked_old.length -> marked[k * n] by forall k. 2 <= k < marked_old.length -> marked_old[k] -> n * k < marked_old.length -> marked_old[k * n] }; assert { prime_multiples_marked marked_old marked n marked.length }; assert { (forall k. 2 <= k < marked.length -> not marked_old[k] -> n * k < marked.length -> marked[n * k]) } (*******************************************************************************) (* *) (* LEMMES DE CONSERVATION LIES AUX NOMBRES PREMIERS *) (* *) (*******************************************************************************) let lemma conservation_only_multiples_marked (marked: seq bool) (n i j: int) requires { 2 <= i < n /\ 2 <= j < marked.length /\ i * j < marked.length } requires { only_multiples_marked marked n } ensures { only_multiples_marked marked[(i * j) <- true] n } = assert { forall k. 0 <= k < marked.length -> k <> i * j -> marked[(i * j) <- true][k] = marked[k] }; assert { forall k. 2 <= k < marked.length -> k <> i * j -> marked[(i * j) <- true][k] -> exists x y. 2 <= x < n /\ 2 <= y < marked.length /\ k = x * y }; assert { marked[i * j] -> 2 <= i < n -> 2 <= j < marked.length -> exists x y. 2 <= x < n /\ 2 <= y < marked.length /\ x * y = i * j } let lemma conservation_previously_marked_multiples (marked: seq bool) (nexts: seq int) (n: int) requires { 2 <= n < marked.length /\ marked.length = nexts.length /\ nexts[n] <= marked.length } requires { previously_marked_multiples marked n } requires { only_multiples_marked marked (n + 1) } requires { all_eliminated_marked marked nexts } requires { not_marked_impl_next_not_marked marked nexts nexts[n] } requires { all_multiples_marked marked n marked.length } ensures { previously_marked_multiples marked nexts[n] } = assert { previously_marked_multiples marked (n + 1) }; assert { forall i. n < i < nexts[n] -> marked[i] }; assert { forall i. n < i < nexts[n] -> ((exists k l. 2 <= k <= n /\ 2 <= l < marked.length /\ k * l = i) by marked[i]) }; multiples_of_marked_are_marked marked (n + 1); assert { forall i j. n < i < nexts[n] -> 2 <= j < marked.length -> i * j < marked.length -> (marked[i * j] by (exists k l. 2 <= k <= n /\ 2 <= l < marked.length /\ k * l = i)) }; assert { forall i. n < i < nexts[n] -> all_multiples_marked marked i marked.length } lemma conservation_previously_marked_multiples_on_marked_change: forall marked n. previously_marked_multiples marked n -> forall i. 0 <= i < marked.length -> previously_marked_multiples marked[i <- true] n (*******************************************************************************) (* *) (* INVARIANTS SIMPLES DE FONCTIONS *) (* *) (*******************************************************************************) let lemma conservation_not_marked_impl_next_not_marked (marked: seq bool) (nexts: seq int) (max n p: int) requires { not_marked_impl_next_not_marked marked nexts n /\ nexts[n] > n > 0 /\ div max nexts[n] <= div max n by forall i. p < i < nexts[p] -> marked[i] /\ not_marked_impl_next_not_marked_partial marked nexts n p } ensures { not_marked_impl_next_not_marked marked nexts nexts[n] } = () let lemma unchanged_other_elements (s1: seq 'a) (s2: seq 'a) (i: int) (v: 'a) requires { 0 <= i < length s1 /\ length s1 = length s2 } requires { s1 = s2[i <- v] } ensures { forall j. 0 <= j < length s1 -> i <> j -> s1[j] = s2[j] } = () (*******************************************************************************) (* *) (* DEFINITION DE LA STRUCTURE DE DONNEE ABSTRAITE *) (* *) (*******************************************************************************) use mach.int.Int63 type t = private { mutable ghost nexts: seq int; mutable ghost marked: seq bool; max: int63; } invariant { max_int > max >= 3 } invariant { nexts.length = marked.length = max + 1 } invariant { inv_nexts nexts nexts.length } invariant { all_eliminated_marked marked nexts } invariant { forall i. 3 <= i <= max -> mod i 2 = 0 -> marked[i] } invariant { forall i. 3 <= i < max - 1 -> mod i 2 = 1 -> mod (Seq.get nexts i) 2 = 1 \/ Seq.get nexts i = max + 1 } invariant { Seq.get nexts max = max + 1 /\ (mod (max - 1) 2 = 0 -> Seq.get nexts (max - 1) = max) /\ (mod (max - 1) 2 = 1 -> Seq.get nexts (max - 1) = max + 1) } by { nexts = Seq.create 4 (fun i -> i + 1); marked = Seq.create 4 (fun i -> i < 2); max = 3 } val create (max: int63) : t requires { max_int > max >= 3 } ensures { result.max = max } ensures { Seq.get result.marked 0 = Seq.get result.marked 1 = true /\ not Seq.get result.marked 2 } ensures { forall i. 3 <= i <= max -> mod i 2 = 0 <-> Seq.get result.marked i } ensures { forall i. 3 <= i < max - 1 -> mod i 2 = 0 -> Seq.get result.nexts i = i + 1 } ensures { forall i. 3 <= i < max - 1 -> mod i 2 = 1 -> Seq.get result.nexts i = i + 2 } ensures { forall i. 0 <= i <= max -> Seq.get result.marked i -> i < 2 \/ divides 2 i } val set_next (t: t) (i v: int63) : unit requires { 0 <= i <= t.max /\ i < v <= t.max + 1 } requires { mod i 2 = 1 } requires { forall j. i < j < v -> Seq.get t.marked j } requires { not Seq.get t.marked i } requires { mod v 2 = 1 \/ v = t.max + 1 } writes { t.nexts } ensures { t.nexts = (old t.nexts)[i <- v] } val get_next (t: t) (i: int63) : int63 requires { 3 <= i <= t.max } requires { mod i 2 = 1 } ensures { 3 <= result <= t.max + 1 } ensures { result = t.nexts[i] } ensures { mod result 2 = 1 \/ result = t.max + 1 } val set_mark (t: t) (i: int63) : unit requires { 0 <= i <= t.max } requires { mod i 2 = 1 } writes { t.marked } ensures { t.marked = (old t.marked)[i <- true] } val get_mark (t: t) (i: int63) : bool requires { 0 <= i <= t.max } requires { mod i 2 = 1 } ensures { result = t.marked[i] } val get_max (t: t) : int63 ensures { result = t.max /\ result >= 2 } (*******************************************************************************) (* *) (* PREUVE DE REMOVE_PRODUCTS DANS LA STRUCTURE DE DONNEE ABSTRAITE *) (* *) (*******************************************************************************) let remove_products (t: t) (n: int63) : unit requires { 3 <= n <= t.max /\ n * n <= t.max } requires { inv_remove_products t.nexts t.marked n } requires { previously_marked_multiples t.marked n } requires { only_multiples_marked t.marked n } requires { not_marked_impl_next_not_marked t.marked t.nexts n } ensures { inv_remove_products t.nexts t.marked n } ensures { not_marked_impl_next_not_marked t.marked t.nexts t.nexts[n] } ensures { previously_marked_multiples t.marked t.nexts[n] } ensures { only_multiples_marked t.marked t.nexts[n] } = let d = get_max t / n in let ghost max = t.max in let ghost marked_old = t.marked in let rec loop (p: int63) (ghost x: int) = requires { n <= p <= max /\ 3 <= n <= max /\ mod p 2 = 1 /\ p <= x < t.nexts[p] /\ t.nexts[x] = t.nexts[p] /\ t.marked[n * n] } requires { inv_remove_products t.nexts t.marked n } requires { previously_marked_multiples t.marked n } requires { not t.marked[p] } requires { is_copy t.marked marked_old } requires { all_eliminated_marked_partial marked_old t.nexts x } requires { not_marked_impl_next_not_marked marked_old t.nexts n } requires { prime_multiples_marked marked_old t.marked n t.nexts[x] } requires { not_marked_impl_next_not_marked_partial t.marked t.nexts n p } requires { only_multiples_marked t.marked (n + 1) } ensures { inv_remove_products t.nexts t.marked n } ensures { not_marked_impl_next_not_marked t.marked t.nexts t.nexts[n] } ensures { is_copy t.marked marked_old } ensures { previously_marked_multiples t.marked n } ensures { prime_multiples_marked marked_old t.marked n t.marked.length } ensures { only_multiples_marked t.marked (n + 1) } variant { max - t.nexts[p] } let next = get_next t p in if 0 <= next <= get_max t then if next <= d then begin assert { n * next <= max by n * next <= n * d by next <= d }; ghost (conservation_only_multiples_marked t.marked (to_int n + 1) (to_int n) t.nexts[to_int p]); let ghost marked_copy = t.marked in set_mark t (n * next); unchanged_other_elements t.marked marked_copy (to_int n * to_int next) true; assert { p < 2 * p < 2 * t.nexts[p] <= n * t.nexts[p] = n * next }; assert { not t.marked[p] by n * next > p /\ p <= length t.marked }; assert { not marked_old[t.nexts[p]] by 2 <= p < next <= div max n }; assert { prime_multiples_marked marked_old t.marked n t.nexts[next] by prime_multiples_marked marked_old t.marked n t.nexts[x] }; assert { forall i. 0 <= i < p -> t.nexts[i] <= p by forall i. 0 <= i < p -> forall j. i < j < t.nexts[i] -> t.marked[j] }; if get_mark t next then begin assert { t.nexts[p] <> t.marked.length }; let ghost nexts_copy = t.nexts in set_next t p (get_next t next); unchanged_other_elements t.nexts nexts_copy (to_int p) nexts_copy[to_int next]; assert { all_eliminated_marked_partial marked_old t.nexts next by p <= x < next /\ forall j. next <= j < length t.nexts -> t.nexts[j] = nexts_copy[j] }; loop p (to_int next) end else begin assert { forall i. p < i < t.nexts[p] -> t.marked[i] }; loop next (to_int next) end end else begin assert { n * next > max by n * (div max n + 1) > max >= n * div max n /\ n * next >= n * (d + 1) by next >= d + 1 }; ghost (conservation_not_marked_impl_next_not_marked t.marked t.nexts (to_int max) (to_int n) (to_int p)) end else ghost (conservation_not_marked_impl_next_not_marked t.marked t.nexts (to_int max) (to_int n) (to_int p)) in ghost (conservation_only_multiples_marked t.marked (to_int n + 1) (to_int n) (to_int n)); let ghost marked_copy = t.marked in set_mark t (n * n); unchanged_other_elements t.marked marked_copy (to_int n * to_int n) true; assert { forall i. 0 <= i < n -> t.nexts[i] <> n * n by forall i. 0 <= i < n -> t.nexts[i] <= n < n * n by not t.marked[n] /\ forall i. 0 <= i < n -> forall j. i < j < t.nexts[i] -> t.marked[j] }; loop n (to_int n); ghost (prev_and_new_impl_all_multiples_marked marked_old t.marked (to_int n) (to_int max)); ghost (conservation_previously_marked_multiples t.marked t.nexts (to_int n)) (*******************************************************************************) (* *) (* QUELQUES LEMMES NECESSAIRES A LA SUITE DE LA PREUVE *) (* *) (*******************************************************************************) let lemma previously_marked_multiples_impl_prime (marked: seq bool) (n: int) requires { 2 <= n < marked.length /\ not marked[n] } requires { previously_marked_multiples marked n } ensures { prime n } = assert { forall k. 2 <= k < n -> not divides k n by forall k. 2 <= k < n -> not (exists i. 2 <= i < marked.length /\ n = k * i) } let lemma only_multiples_marked_impl_not_marked (marked: seq bool) (nexts: seq int) (n: int) requires { 2 <= n < marked.length } requires { only_multiples_marked marked nexts[n] } requires { prime n } ensures { not marked[n] } = assert { forall i j. 2 <= i < n -> 2 <= j < marked.length -> i * j <> n } end module EulerSieveImpl use int.Int use seq.Seq use mach.int.Int63 use mach.array.ArrayInt63 use int.Abs use int.EuclideanDivision use number.Divisibility use number.Prime use DivisibilityResults use EulerSieveSpec (*******************************************************************************) (* *) (* LEMMES DE CONSERVATION LIES A L'IMPLEMENTATION *) (* *) (*******************************************************************************) let lemma conservation_inv_arr_on_mark (arr: seq int) (i: int) requires { forall j k. 0 <= j < length arr -> j < k < div (abs arr[j]) 2 -> arr[k] < 0 } requires { forall i. 0 <= i < length arr -> i < div (abs arr[i]) 2 <= length arr } requires { 0 <= i < length arr } requires { arr[i] >= 0 } ensures { forall j k. 0 <= j < length arr -> j < k < div (abs arr[i <- - arr[i]][j]) 2 -> arr[i <- - arr[i]][k] < 0 } = assert { forall j. 0 <= j < length arr -> arr[j] < i -> arr[j] = arr[i <- - arr[i]][j] }; assert { forall j. 0 <= j < length arr -> arr[i] < j -> arr[j] = arr[i <- - arr[i]][j] } let lemma conservation_inv_arr_on_jump (arr: seq int) (min i: int) requires { min >= 0 } requires { forall j k. min <= j < length arr -> j < k < div (abs arr[j]) 2 -> arr[k] < 0 } requires { forall i. min <= i < length arr -> i < div (abs arr[i]) 2 <= length arr } requires { min <= i < length arr } requires { 0 <= div arr[i] 2 < length arr } requires { arr[div arr[i] 2] < 0 } ensures { forall j k. min <= j < length arr -> j < k < div (abs arr[i <- - arr[div arr[i] 2]][j]) 2 -> arr[i <- - arr[div arr[i] 2]][k] < 0 } = let ghost next = div (Seq.get arr i) 2 in let ghost arr1 = arr[i <- - Seq.get arr next] in assert { forall j. min <= j < i -> arr[j] = arr1[j] }; assert { forall j. i < j < length arr -> arr[j] = arr1[j] } (*******************************************************************************) (* *) (* DEFINITION DE L'IMPLEMENTATION DE LA STRUCTURE DE DONNEE *) (* *) (*******************************************************************************) type t = { mutable ghost nexts: seq int; mutable ghost marked: seq bool; arr: array63; max: int63; max_arr: int63 } invariant { max_int > max >= 3 } invariant { Seq.length nexts = Seq.length marked = max + 1 } invariant { div (max - 1) 2 = max_arr } invariant { length arr = max_arr + 1 } invariant { inv_nexts nexts (Seq.length nexts) } invariant { all_eliminated_marked marked nexts } invariant { forall i. 3 <= i <= max -> mod i 2 = 0 -> Seq.get marked i } invariant { forall i. 3 <= i < max - 1 -> mod i 2 = 1 -> mod (Seq.get nexts i) 2 = 1 \/ Seq.get nexts i = max + 1 } invariant { Seq.get nexts max = max + 1 /\ (mod (max - 1) 2 = 0 -> Seq.get nexts (max - 1) = max) /\ (mod (max - 1) 2 = 1 -> Seq.get nexts (max - 1) = max + 1) } (* glueing invariant *) invariant { forall i. 0 <= i <= max_arr -> -(max + 1) <= arr[i] <= max + 1 } invariant { forall i. 0 <= i <= max_arr -> Seq.get marked (2 * i + 1) <-> arr[i] < 0 } invariant { forall i. 0 <= i <= max_arr -> not Seq.get marked (2 * i + 1) -> arr[i] = Seq.get nexts (2 * i + 1) } invariant { forall i. 0 <= i <= max_arr -> Seq.get marked (2 * i + 1) -> arr[i] = - Seq.get nexts (2 * i + 1) } invariant { forall i. 0 <= i <= max_arr -> i < div (abs arr[i]) 2 <= max_arr + 1 /\ abs arr[i] <= max + 1 } invariant { forall i j. 0 <= i <= max_arr -> i < j < div (abs arr[i]) 2 -> arr[j] < 0 } by { nexts = Seq.create 4 (fun i -> i + 1); marked = Seq.create 4 (fun i -> i < 2); arr = ArrayInt63.set (ArrayInt63.make 2 (-2)) 1 4; max = 3; max_arr = 1 } let create (max: int63) : t requires { max_int > max >= 3 } ensures { result.max = max } ensures { Seq.get result.marked 0 = Seq.get result.marked 1 = true /\ not Seq.get result.marked 2 } ensures { forall i. 1 <= i <= div (max - 1) 2 -> not Seq.get result.marked (2 * i + 1) } ensures { forall i. 2 <= i <= div (max + 1) 2 -> 2 * i <= max -> Seq.get result.marked (2 * i) } ensures { forall i. 1 <= i <= div (max - 1) 2 -> 2 * i + 1 < max - 1 -> Seq.get result.nexts (2 * i + 1) = 2 * i + 3 } ensures { forall i. 2 <= i <= div (max - 1) 2 -> 2 * i < max - 1 -> Seq.get result.nexts (2 * i) = 2 * i + 1 } ensures { forall i. 0 <= i <= max -> Seq.get result.marked i -> i < 2 \/ divides 2 i } = let ghost len = pure { max + 1 } in let len_arr = (max - 1) / 2 + 1 in let ghost nexts = Seq.create len (pure { fun (i: int) -> if i = max then max + 1 else if i = max - 1 then if mod i 2 = 0 then max else max + 1 else if i < 3 || mod i 2 = 0 then i + 1 else i + 2}) in let ghost marked = Seq.create len (fun i -> i = 0 || i = 1 || (i > 2 && mod i 2 = 0)) in let ghost f = pure { fun i -> if i = len_arr - 1 then max + 1 else if i = 0 then -2 else 2 * i + 3 } in let arr = ArrayInt63.make len_arr (-2) in for i = 1 to len_arr - 1 do invariant { forall j. 0 <= j < i -> arr[j] = f j } arr[i] <- if i = len_arr - 1 then max + 1 else 2 * i + 3 done; { nexts = nexts; marked = marked; arr = arr; max = max; max_arr = (max - 1) / 2 } let set_next (t: t) (i v: int63) : unit requires { 0 <= i <= t.max /\ i < v <= t.max + 1 } requires { mod i 2 = 1 } requires { forall j. i < j < v -> Seq.get t.marked j } requires { not Seq.get t.marked i } requires { mod v 2 = 1 \/ v = t.max + 1 } writes { t.nexts, t.arr } ensures { t.nexts = Seq.set (old t.nexts) i v } = ghost ( conservation_all_eliminated_marked_on_nexts_change t.marked t.nexts (to_int i) (to_int v) ); t.arr[i / 2] <- v; ghost (t.nexts <- Seq.set t.nexts (to_int i) (to_int v)) let get_next (t: t) (i: int63) : int63 requires { 3 <= i <= t.max } requires { mod i 2 = 1 } ensures { 3 <= result <= t.max + 1 } ensures { result = Seq.get t.nexts i } ensures { mod result 2 = 1 \/ result = t.max + 1 } = let x = i / 2 in if t.arr[x] < 0 then - t.arr[x] else t.arr[x] let set_mark (t: t) (i: int63) : unit requires { 0 <= i <= t.max } requires { mod i 2 = 1 } writes { t.marked, t.arr } ensures { t.marked = Seq.set (old t.marked) i true } = let x = i / 2 in ghost ( conservation_all_eliminated_marked_on_marked_change t.marked t.nexts (to_int i)); if t.arr[x] >= 0 then begin ghost ( conservation_inv_arr_on_mark t.arr.elts (to_int x) ); t.arr[x] <- - t.arr[x] end; ghost (t.marked <- Seq.set t.marked (to_int i) true) let get_mark (t: t) (i: int63) : bool requires { 0 <= i <= t.max } requires { mod i 2 = 1 } ensures { result = Seq.get t.marked i } = t.arr[i / 2] < 0 let get_max (t: t) : int63 ensures { result = t.max /\ result >= 2 } = t.max clone EulerSieve with type t = t, val create = create, val set_next = set_next, val get_next = get_next, val set_mark = set_mark, val get_mark = get_mark, val get_max = get_max predicate inv_count (arr: seq int) (min: int) = forall i. min <= i < arr.length -> (i < div (abs arr[i]) 2 <= arr.length /\ - max_int <= arr[i] <= max_int /\ (forall j. i < j < div (abs arr[i]) 2 -> arr[j] < 0) /\ (forall j. 2 * i + 1 < j < abs arr[i] -> not prime j)) (*******************************************************************************) (* *) (* PREUVE DU CRIBLE D'EULER *) (* *) (*******************************************************************************) let euler_sieve (max: int63) : array63 requires { max_int > max >= 3 } ensures { forall i j. 0 <= i < j < result.length -> result[i] < result[j] } ensures { forall i. 0 <= i < result.length -> 2 <= result[i] <= max } ensures { forall i. 0 <= i < result.length -> prime result[i] } ensures { forall i. 2 <= i <= max -> prime i -> exists j. 0 <= j < result.length /\ result[j] = i } = [@vc:do_not_keep_trace] (* traceability info breaks the proof with Vampire on sub goal 13.2 *) let t = create max in let rec loop (n: int63) = requires { 3 <= n <= max } requires { n * n <= max } requires { previously_marked_multiples t.marked n } requires { only_multiples_marked t.marked n } requires { not_marked_impl_next_not_marked t.marked t.nexts n } requires { inv_remove_products t.nexts t.marked n } ensures { forall i. 0 <= i < Seq.length t.marked -> not Seq.get t.marked i <-> prime i } variant { max + 1 - n } remove_products t n; let nn = get_next t n in if nn <= max / nn then begin assert { nn * nn <= max }; ghost (previously_marked_multiples_impl_prime t.marked (to_int nn)); assert { (forall i. n < i < nn -> not prime i) by (forall i. n < i < nn -> (exists j k. 2 <= j < nn /\ 2 <= k < Seq.length t.marked /\ j * k = i) by Seq.get t.marked i) }; loop (nn) end else begin ghost (not_prime_impl_divisor_under_sqrt (to_int nn)); assert { forall i. 2 <= i < Seq.length t.marked -> not Seq.get t.marked i -> not (exists k l. 2 <= k < nn /\ 2 <= l < i /\ k * l = i) }; ghost (no_prod_impl_no_divider (to_int nn)); assert { Seq.length t.marked <= nn * nn by nn * nn > max by nn * (div max nn + 1) > max >= nn * div max nn /\ nn * nn >= nn * (div max nn + 1) by nn >= div max nn + 1 }; assert { forall i. 2 <= i < Seq.length t.marked -> not Seq.get t.marked i -> prime i by forall i. 2 <= i < Seq.length t.marked -> not Seq.get t.marked i -> (not (exists k. 2 <= k < nn /\ k <> i /\ divides k i) by forall k. 2 <= k -> k <> i -> (divides k i <-> exists l. 2 <= l < i /\ k * l = i) by divides k i -> 2 <= div i k < i) } end in if max >= 9 then loop 3; assert { forall i. 1 <= i <= t.max_arr -> t.arr[i] >= 0 <-> prime (2 * i + 1) }; assert { forall p i. 1 <= p <= t.max_arr -> 2 * p + 1 < i < abs t.arr[p] -> not prime i by mod i 2 = 0 -> (Seq.get t.marked i by Seq.get t.nexts (2 * i + 1) = t.arr[i]) }; assert { forall j. 1 <= j <= t.max_arr -> t.arr[0 <- 2][j] = t.arr[j] }; let ref cnt = 1:int63 in let ref p = 1 in t.arr[0] <- 2; while 2 * p + 1 <= max do invariant { 1 <= p <= t.max_arr + 1 } invariant { 1 <= cnt <= p } invariant { 2 * p + 1 <= max -> t.arr[p] >= 0 } invariant { 2 * p + 1 <= max -> prime (2 * p + 1) } invariant { inv_count t.arr cnt } invariant { ordered t.arr cnt } invariant { all_inf_or_eq t.arr cnt (2 * p) } invariant { forall i. cnt <= i <= t.max_arr -> t.arr[i] >= 0 <-> prime (2 * i + 1) } invariant { forall i. 0 <= i < cnt -> prime t.arr[i] } invariant { forall i. 2 <= i < 2 * p + 1 -> prime i -> exists j. 0 <= j < cnt /\ t.arr[j] = i } variant { t.max_arr + 1 - p , max + 1 - t.arr[p] } let next = t.arr[p] / 2 in if next <= t.max_arr then begin assert { 1 <= p <= t.max_arr /\ t.arr[p] >= 0 /\ prime (2 * p + 1) }; if t.arr[next] < 0 then begin label BeforeAssign in t.arr[p] <- - t.arr[next]; unchanged_other_elements t.arr.elts (pure { t.arr.elts at BeforeAssign }) (to_int p) (- to_int t.arr[next]); assert { forall i. p < i < div t.arr[p] 2 -> t.arr[i] < 0 }; assert { t.arr[p] = abs (t.arr at BeforeAssign)[next] > (t.arr at BeforeAssign)[p] > p }; conservation_inv_arr_on_jump (pure { t.arr.elts at BeforeAssign }) (to_int cnt) (to_int p); assert { cnt <= next < length t.arr }; assert { (forall j. 2 * p + 1 < j < (t.arr at BeforeAssign)[p] -> not prime j) /\ (forall j. 2 * next + 1 < j < abs (t.arr at BeforeAssign)[next] -> not prime j) } end else begin label BeforeAssign in t.arr[cnt] <- 2 * p + 1; unchanged_other_elements t.arr.elts (pure { t.arr.elts at BeforeAssign }) (to_int cnt) (2 * to_int p + 1); cnt <- cnt + 1; p <- next; assert { forall k. cnt <= k < length (t.arr at BeforeAssign) -> t.arr[k] = (t.arr at BeforeAssign)[k] } end end else begin label BeforeAssign in t.arr[cnt] <- 2 * p + 1; unchanged_other_elements t.arr.elts (pure { t.arr.elts at BeforeAssign }) (to_int cnt) (2 * to_int p + 1); cnt <- cnt + 1; p <- t.max_arr + 1; assert { forall k. cnt <= k < length (t.arr at BeforeAssign) -> t.arr[k] = (t.arr at BeforeAssign)[k] } end done; sub t.arr 0 cnt end why3-1.6.0/examples/euler_sieve/000077500000000000000000000000001440160026300165315ustar00rootroot00000000000000why3-1.6.0/examples/euler_sieve/why3session.xml000066400000000000000000011300331440160026300215520ustar00rootroot00000000000000 why3-1.6.0/examples/euler_sieve/why3shapes.gz000066400000000000000000001644341440160026300212050ustar00rootroot00000000000000](_o3#Ëgf.)\eQ/Uu%[d_7&Y>3bՕd0 }}ߧϗw^|}xz{5^#3N?ӛRvOn?~a8_>4O^,~<<~?ٷr79b-QB6~gô~z/\\Qy C*ՑO;|MJO}5p@|?<08@=65(c Kqc̠+bl&AG;LG, v`Rݦ gcg.)v_;\eFCO#g;,o4ɡTK\6 DTsQ2$tҦdoڭqh]es _!;x% `⡬Tlki ovo @XfrwPdn?G;'yp }9u ~,`>pX?yL_?\hőK$YSӂ$HO5഼FHÒЎxpgp%S|P|%D};V=C~6[&_l&|zvJ!I3 h9LlRM7R,lQ tAWTU><^_ñYJo(4=.v}H|᷇o_q<+,:=az==N(/mӧWihr޾~|v9 b'̜~5ϧٌO& _K߀vДM|@AaTֵ؈V|G@G_+=4av巇,gc6h00P& LO_Oo ۫᦮1)ަm;H![ ys W>3JU?ƈ`^L0{]2= w1AOҞ~p .p7y n#ڲטjٿSBmZnW7SvM`Dlj2M|˷W.+I@2@LOC56V" 6}4?NI) yB C2܍ jv5Oܬ2HWO[`' xHCp222EL L"YdOi)D>ٮ2?M6UƪŒY 2q\}@ƛqk4e2mvmx-G29}w#|ihHMN2BA)0Mvv$p_S14V,iXĕry: s׭نHadwɸz Fwwẃ7t:;ńߙTl vҩȍMR_nNGl<:9>JKAh!  ߦL&]s ;U`yD/o%9U-(M.aO<ω~QѴ^ž]+J}h ][d[`i"Q0!wc\P X]Uٵ+yUǧd<xmO,ó\(6;!/+ MڥXR)r(2==%8E -X\QP@9I#Lw \K)cDzPr ٹб|u$$;$B<ŒD18f1 SHIR-Տa))e+u bq9RQ /t]Պr1gF/uJ+ؠ/r֚MSȉܞ8 5_jwd؀Vwr,  KAQ%dKvU.=뼬&ҕ @qbrKmS.Y8`QΒgXnQFl6rp}>2 3F؍#QETYQq99`]Ϳvw}#ʑ] Ȼd# W$h<&4a|y9L_rػu':m1l`m@fԖz 18AUdV)(^㲘<镽 Lc C8<U=5'5Wvm~v$qQf^[" ~.t".QU9(Zw@"OZa$@sqFq^BNa}er@].xBF {y֯#]nO-%j1ϰ5?`klBaiM,R2O.N@&-^ qDF4A冴JyF {c̡gH ɐ#1оţW@$kW }w@ֶ}{ Z^~*Q 3wn7wݐ!&fС1\#]T=fraPL=V1{@V)#oI XwUVYQ漴8SYuv1&Ȏ7(- xO@gq0-6нtM |M.pZXVMͣ]t+4KNh}GRuEOf+ͻ~.Ñdn-dqs, .6`H&e8];a[XWwa";dBSQ@5QkɉE3!I"*Ou,P*g)\ebc>= \(o*EHnrDY_UIBǔ(e[XL\\UW~o7Fȇ#GIu;e}2e2g3=y_b#Cj^̚bav 'h}*\6ǏKf{o2kj um7PFhY ;-1J[&"w=f^cbg|g׾F3nQ[ۆ䴺pֺ?Į7`-^]E~3ʹRh*MI,7|`fPd2&j!bGcM@"{!umG -0=F8}`Ń*j_5b뽕pu Ҝլ`CCvf)9K::nL{񸘃aBdX&ЂԘoԙoO3m 2pChAH'3ϣ&KH$Z(Κ(򎤅@M.W̯=;M0Q@*A]ev/8 nŔ.מh* A(KţV=6QfFGY~q,믰Kcl+-15*qq7|5npdU-۔)[= Q6*?gE(N!+ a}:Em0.UIk;o*ss.,[ۉ+jM!XH)^Q[A>*[ AxHq67ಹ8%_IGkIP|ȇKİ_Ql׍JKIf|3݆)ۤ228U:]N~Ęz}g'+ZDIG~'/fSZ4Qɍ\~DLכ25߭;iם4vXDJ*oӝiI+V%9k橾HܞlA&OyQ[w@'ֵdiT$Պ#J" ]x@t>V؈AX,efī'jPy@hJi>qa6)7Mi$1 "} |;*3f4M^$|~HQ~~9 xt6^Ƌ zp˻XwxGG3r>g*?G3#iD>iv&tf,L⨥Drlx21D ."2W'Xނ$c [ ?+.KLuyFv]?CkWPԛ+c3/8Ҋ՘|p<4V,9:hTIT2i@fEIRP@Y˗W񏯗=\?& of<_ALa[g/A+z#nGK^4IN `z;Q N.MLIZqo\|e=-3}*9SnQhynhxcВ0d0-Ze*.( M6n~Kvd^q}PMnʦ[7g< #mdƺ`~q=jD{qGbwֈ%Fw{[Gt}xY&mAV_u[{bj˜g$#dtQ+0ܒPjBwTtpgz R*M-βߒQNfݨ|-&shєTVkϤ{i6&6!=uߏ\9/Ѭ -镜)(D;CbiPv{G<9[GEeTýxC ՂM&lJB%}&omQyop5>lJ\OV6RwDV.8kn O|WnVm.e>FYpd}sbSȏWẕ ETN]HV I'+ޝ!ב̬|OKND¸>mZW]љq?m? 4d8Z4kE\'17`$Dh+=ڇ@_ejkY=6G{`aK("37Vj!]m8VUjR|A;? 95[k*2sE( Ӣ;č3M s.f&-, ;rvRQ,qƐRھՆ)l?Ju}f +gwwڂ mq_uxws[v{ Cy'nlK+&GE%|P䡁I̸mfr?X3exGwBW{krjn̄{כ/PQNʢaJiS0f?8)lZ_ S_&6P\=Fr!DV:'m& t9 U"&_*z4,QVhIA}hP Kj+}aN:[׎\9[V(d nnf &5-Xܺ,TKiYYO? k-^H(ɛ軵}qպۗ gĿYkb hFWbpSs!F1sN< /<~{܃p.ԇ[Іt>_ p25}28Je]eo]eH5;&;F,G!Ņ8TWh psT62a\-( s} | l*뜋GEPpQcX} d|}-a\%ѡv3wA^{R(iM֫eҁhTEG8<"9j]ѵE['ǣ;]kc/W1w jqY } Z󃰙 t\)fanޗ׫2 ܅\;{QėOdWjZ~z uU2:k.LIzVbֳ`S;6gt3[TQ #APSBK8_Dzʿz7evmjld-Er^lb ݄ߗh_~~+-XHk$c5pJ1K$TwWC Tnk]^^v Zyp8YGDWJ3!6,(.aT''6c`.UĽ.{Bxx"mh |֏ZwCdcĦ~hۉWP[IeuJ B@p`S+XÖǥKZ;M46=Ȧy,,8MM56>=8>=|&cMAW$Nv]szzsx@v=:BԌp @KrLWtb C-Yq0BJHq ݬ(jBuy=Fr>4 l3c?11{u$(Ţz] ^_@ AJ8%[DI +Lݐ 0T$ZT+h`${qg`7Mۛt{g6#)-_GuqDߔGǾG, $]/S[/'%#fǍuesZD|qH!k%dR,V{˼Ǭ)cNw\Df޵]]fUHm.WZ VTA1ka2͞j+Cʓ5_v [w5'æDט*`J-6yߚ~IFrװ&%^UongÕ?'1Z9몜>>FZ"e>R[hђN6x<9񲦤YM4ˊm准IqMO-7 t>Ui]& AҠ Em̆g,-LV5m1'ﲞrC@. qn<%V.#W!6fƨ*eljsl7I+V@f{kk 0U'p!MрzR h~m/jhIfsك]:I}T.9y4: 8/v.GVan^+Δ;|/))Z6(#yiS#_0z]*Dj&kAK1o զM(Ry'qzkIWd\+^nyѾ X\mbs:ک{uSlbVf.6ڗ M8neYGՐA`oO$$%?B'|fщɢovW>p֬\E(5tGz뺡 ?{SRB:ڇV<Շ}UpfQٙGl:`~8{.-9]2Xo5/Ox/X3nإb&lS`lb-͔ Z 4I -^;tӱޑ<]M'g1x>89E?@YL^cJx?/<{cCq0 @1@)^0ɗ1-8,ĔZ^6y"yatd>t<,H鲔0X:h e@>+ʣ=+B9aA{ Ot!JBHgȡ'}[h\HUyY K43~J20lڳ6khM6@ۆ:נq\lGMOL:T)n@ARZ}= ɩm2m5Q6C*9r7 Go1x{b& 8fh˗#sP'0n;*^},w7C(ģByp ]aWOd~L/c5` d{x]GτSy4>'n^<}ƆdO\Ǩl}Gۏ1m*I>Z![rK(L36@ʼ@I_N+,ͩM?aA6JkczZ}E!9,1iTZci˾,*^9b(~ ́C10Yd6&͐dlQ7&o {\vT#cP{+TSGМ=}rM4߮9[ߌv9/_XeXg.F# 7p֒Cblr>~^&&k4j 5_%qG<[h@pel9 )kGΧ#8BBήq=&#aU#Q#S oygpRf&R;3"I*.*Kr@ǜAdM-QZ0n st+lU`frM35`:0UQ?l9b/F2`Sq8 $lp٢B!Q^_}LMߞm\TZYhg|Vju*Ei3|-7J&Y^L3Y(X-tgx @8X0\ 8,@ {XPYNnB# Dfͥ2MhJ rEW ? q8Ydfy#9)Be$RJ4af/aÈ'+FRMKVH%7ƚ??X2$Rp7"&muڶK= occDLy9ysyt;EҒbN: f>A]%2۫+ԲzElS']PA"rw!x_a46JMpXIS4?ÆY'yYsHnOR-Y߰MGV"{ (DV$:ºqt"aY:4R%-<YL$X<>^le8ɂ6@NdDD'$ f#S'UVZh_TiֱvZEh,44k- ~7yyWDpG e L kw2 :+߆H% {!S$+ W]lh-[:EnW/6](dy4ٸXX;F%;{YɌUnJn4Kpg&vKna.Vv1ly)jeM,j/ e74Hzya٦4o1$"!.ô 5W]Fe>}ՅFeÃQHj3&p̰LrӽQ CEA̵im656i^_LV0sM=s}ږ~_{rAfL&PJe +6ԯ5|J 1=;ouקwN_ojˣꇬ 6 r5v1vWD,@˓}XCZ#x7vl\'YՒ?PΘ"<ĩW6 WjWPhwZtAW \l[kq] oˊ1'"Ee3&G 9~HYC~Ǣ%:/9V\j|}>#ibςҡhfA\D%'ײ> PsMr RDD '0SmYh)#8@*9`J"˚Cs"A/44;_t-ش7GFȤ$Jdc{o$?{}ꪛm֢4ϊP%pV~kQW鷟[ s`$S M%h xSezHW:7r͘ 6,z{)\ 6dFr6*mHߕCbѪ|HEVTeOx jcw^`QDӻng9i}a=|l2jۀ(vף/`tiH2>|1!ƏU:iRig|/W$34 Aacb<rFgI+, 6`idk foNupowO;Tx; Ee \J c5?r/ )U,Vxl ґ+LvjuE֏u%{8L8fЕK%7]rn )yAѓZ/qJ3NI>`L] ׷4 &K8Ca,0Y>?y,aÏՃcLZ`Kcg Y0Y95CIskҕ0&@bK{cn0l O p ZD[s[Ak0F3#lg <TAIl?W{⛏E4Bҝ.?ծ;}s/fa3ut6t9 ,'jz|ZCS b͑Vޘxc]ny*K?R׍\]=k"o 2"҇@)]9 lo,Gm]]lpN¨@ǬHHf.߳P:jekb1Y3nIv,7֋]/ڕ&)([F ޸!$^<"e AlE_`׊FcQ|ދl8#-)gcՍllB{0 SQXMX칊%*d°0t_7INVKf}+VIVWk#[`oZr}>PWBދ7E8<5H/&bW^:gM-U-`5:'J'KOA݇yFmDžZK/[=EM&}K7[UDKJX8 >%6Av.cV8!ٓJՁ1VU>-l–* 0C^inb>XXcC3:? 9Ol_ao}D J2aTl/R.,)`UG,ן\x5P:AsE|}Z}dU%z N *CUj/a-R6*k)vY9](aK_d׋Я9׬`rj&f~]hul+:+w7r/2Keno+OT=ƾ\kO,8w/X\7 a 1̱ZαN~óR#1simeuǪ[3+`oNDwf&_y`'q<5z=/P!Ijy 16*  *)Dcv)9?Viנx$۩q]qGI?pt 4贇3env'0gruX2a+n^ٷ4C3uNOe&ܯ-J5zzmRHjd). G!^W 9PQ"b) pc1ކ땗> Z=L XHQ DZ u)FWĦ*5P2?';7 "4ӑkS/HCy\2{Df{|e{ӽ+1jG̎и$*َ3$gLZUXK0e)|i"l*/tC8za炟 a2dZc΋羕 ,*Hޓ:HKr3O.FG0;z(cFc<ſ|\-B,2ѵh؄Ka}[:2udm:5 V>2! 6Z$L6mHx\N|yj(|ճC뒇cq۽cݾt R˭5{o 6>@~O7SLc3l/@?/b1-еuy),u_8F;捬]D^?dd'dk&cj<ŐA:=of_`/>~c|~/Zd4=ާW0bĿ\ K7lNf^ԌyQ.>8> ۸CG=R{3U\gTZ(([VVZBX Jq8RPhh_Q UjPيeg+ 9?hVՇHɁ7Y 훝1W*-]K+T 2-w5әے,} `f^4@WIx5cӱ<y;flX_4S.SK,!/(h^*祍8Eѕ0z|tMAP(ğ/CEP ('^ش 2咦sG}j^ eqhCWm^ Bav7g} ;]1J|j<`\|Auh 8{䷃—e6GELޥmz—:.UlyYn󘣃 Zn)|Hp"Iu ]y^trDeJRSUz* h٦oLKVr}KR2—m'c)kOk{Wg}2^])|=JgB0FxXܡ3 ƟAm<x2SMFtƔH=/G&l0dRް|Z;\;ϛ[zM;w5!{gۊaSGA^CS2ϩ5da4a$Øip440Q=>C8:{QImJM蚱7r#4:Le0z\+Vt5+n4ȱВ -9cqs)ƍm^{~1B+SgS0UF5^55RM.m9tey.8u(vGgXFvYԁȟX`ﶇnK:*d KR2;`u8LrBUJd%7 5AM f:qvXcsqi>vvY HYؕ z"ZQTL!zZakw33O7#GG K.ȃ{{Hy%`𳅛ƪ3|W܁,%1 ȤsĪ8GQC'z^|p!dz=]F@-MÙndS㶎&SMht=OݿuLdOX$>kx(TfTzo~uKQ@8 Q Z"v`4p {Fon+ x=-]%x_gU哱[>)-*hFY[xM+RF`/c.-+Z0W`nhV:zxG^Si$E)^hHAm ]c~ zijha`ZӟǜvGfhDj#Nlw-,DfOU@Z^*XDǗ KSNH53qeˡz6I#99e9a>+grA9w̐j/Y0I ټҐ8atbC]FxA^sۢQj&X?1w:RUxFmkTr~ =?{i7X6JWdJJ-oX@1,FgrbY(s#"A=oKSXz;O\խ]:8M Z=ES2's7 E(kFB2)$َffǻOY2w3yt۴47FX f$V`Mm~6*^4MӘ@2g ʄMم I=wC>;EvyǷ%zO-!Ep-2;|\` `8e["'o1U%-.m}ÉFG$'S'r`&'Z 4pV:rwj2s7EIKtLbo>sRre5WH R*h^*"_ 8ym?f)ziZlYV ,z4{Tl '+0|ͱj.h>9.PƜ-:z3ݿN_^XފaHMRI8aJ=f\*81.BƠg/,fHBq޾Xj>Q= gE.ެeՏ{0\|A}I+L<,I.)e;sc-EzfTctz.(ɣאhY靊o4}`,򉏶xU40a Q;]_ ltƾ'ƂiУW<l0^ѮאvbX̦:?ɖ(|_Η/d}}x~x{i~it,G̤v>4Ot4+R~;r2SU,boI-Ml/*Ώߊ/?,K_di9f I+5yU -R+DZy-*Jd)UuQt[1#b؃vszVc;VٱdJOanzŅ&-/8>q|/9IC6H,.],e6 KGOfgE\.x[e1sYBe#)qSLuC>oq6:C.y?Iq+^!QlEb؂Bk QlQjnVm㭍\z^olvml沸؜ȩMJCeTI76锫 "e+d7*[-r a!{68'jY]Lbbu9道3GLW-_:ۥf6c6f g/4C[F3-Hk{f;,-gh(njjpCJ"/ˤA#gLVNAQ66sMʪi^n=9ɩ䉢+6OFY !)bʜ /.\aϔհeLgȍ= NV *JwuSϮ d? nMӡbObXђ>UĬj~VGkֽ8Ԗ*-54颥z۞ݚ@i3M!]}Txq7'ʕ\E9.bQ)d$m:nC7!lڽJ?YvV1]7ꃗ;m~ Â>o{!6npM"(\ĊE(\ij.bA" VE ɲ/*E?F) 7s|-gMjywe]чlIm<$1FhKzFXֳ&m 78h)A57}csm l~?/㷻żZ,+x7rI*7@ܳ,m~-&7)j߮K}U}e#vi񬖘bxx˗?'g'[cFEbٖ}}[xm>oT¯\K?]%GRT RZ0 I"DKfp@[>K?O4v# JbSɢ-+&Y@}aY., KL֦`=u^-{SȢ/P/I1)/C(}rVg860GIΛrZ'>uXmDٖHVDxSҙl|avc QqmZ WH.)2:b 0WT.RST;-Ns~ '⌱PR$S F4}^9jPn樸S^\^KI^,2Ȉ /Y] y(O/4oqmgcW9$ĥ?3v>rf{ ͶVhIY'maIU#"l`teXS2 y_PŠ4Iao{]f; y x avF1܄bX zKc+jf;,1TXed?H9T5ƛ-++ǨLc niu$;v{k(z$8y؂ J5FhZ|NksPoSV] W0o So@RNUwc${JuW2҇ͪ;Sm՝ji $tw ϙͧBu$PX7QK?yϿ=K'7!/! nDBjR,(y`X@~G/o֤ ]߼GovND`^[K^#%t)A#(3,QmB~ptjy°r uSehmuz)V}u@Au E Cy@Yqb`cFQ<8vkcr` gu=%g fE4ZkCpۯ9Xy+Rs5ZY+KKU2Y*T+cU56.H_M&CE!;-Pͩ EVjE2+%2IEHHMa4kbf>6#ְ(WVD5CW|ȰeMy\)ꇕ>ڵ6~ІȢ_ - PR:!o!f"͖"or[Kеam1->f-ZPA{.{0A?4:7"qSIg4b-[4b<K 9 ! /IOd.v;sRKBb)R+lIK}%"0浕īEtb/5XLQ\Rx"jG*)A{V*VۑC2^BTHl3lU_mY +tR P\(UrA! }.O-e!yىdڕx22evA.nkቐ˚OubC7ʓ]':rlHV>!c&LL.~(z6Z$4˙뷢%amnicϏ%@7E>6viAގ!x;&UR6U& )uO7>Aܵjuy\Y⡾ؐ5e()k)!N(nIje.UV6ŀHǟ2)$V!jiH`!w5FȠC>90=8ORD"]Zhېv|}G &~>RO9'{ c[:qڋZ*#,Gщbs9v܈p˽}UL=#\c˷m!-㜄zt9>҃o_65QqA#!Jkǒ\PX:L=opG:ݑE!Sa $}myfQB7;ȍ;H?|ǹu^_M?o<lsLX؊ Zpڨ心ӽj=WD6r28yZsh 7.Vم#dkF^s-olsJ( 6"EL[EnEUa8bR' ~j֞*[WQ:]x;z8GRnnWIΐxɵM A ,p/)e5Gn,R#ݸ orA%SIk*g0'1JaUMtY+=7m-)و.Qݬ}wӢ?|yi ˪萆H^!El 4KAںOr.Z.;o=[Nn&m7 S{n/N^| f;(.}S{(Tѩ{ =eCEqӫ[zvn:ķĺ,źώubFאvEJLnrrMnn__@f{LTp8YR: / \vZ~qۇ9u47U>C;*YQFG >DgŖ.Tꐊn>G^شT,Q-6zWjO$j0Fܓ,[ K!V6*߳|8ȠL,C i+ T?LD<flLi6bS l2uOC_0H([f* (`v/*mgRhTU0wqFeD9#'AN4mA-XU]*&wfݲ^cjtBsXsv#FՓ]vd @wD*Smp"qR3 C{Zb^'!X:z/\ä7Iw]:~Å_YuR{Jq*;`s/d3PIji~I'6jyepfJ4`Tpxg C'~U؝FЏד).fOg3N@,cf5>|&Ɓ nS js? 9#6_KڰLZ:t``A"Yfg`GiC;q&?#`;Cr$>df ݠ ꕐE e<*0BD܀ ]|:su`3+0EZ8ay-02 W: x::p0<<#~8 p|`OA`3iDF 5')a]9zJ9bߍ0]ѡT@k2@A3QH]=g dY ~j ^@ޛ{`Ef`A{&N i>?5f~wf7:)y9p 뫒)YAS@V/d$=dY 0*v|SolzQ]8d #OW}X//̗ dSaO#AJM~v  ##l\'%a+ 9nkذj4mGMz2 t xհ#`%% vkodt5rt=PvB=Tyd%L8(3P  Vئ n2eЪW݉s5 t#3Fԧi4w o$d XpXL9c970ӠzE{sJ8|]]xcY \l8R=f&YAN=RQ{\`P$/;VdV5HpD9Mv_.b糡ް4k~8PdPK%a Py{ʮ 0Ah g7{0j_m-剝gN3^&>/yrPp0ce>+Do<s:< DFpiRFYa'dnY =@SpB@|U!*Za@^*:0Jcm1ăd5'tR~gU#̶!^ hxF>vLc>"P,nТ#/Yd"`K,.2r؍8'+1%.}Gw Ds᱀pԝ:Þ  Zy=*N98.qp2*e%_PYA Ds0p3Gi.вm>8mimGK-8 C{4ۮ§[bn 崨=?Fg 8%r"\0Q^s"0{5ʍ;֑yڽfr;5S(*A!g,q|#AQ7s۔?$\NTw_v m@[IǧЋTvsli4+bЦ_eAd,r+/^сʅd98QOՎ=ZT[Z L$vga x9թ t24F7!oݧA^#̢ n^ty,N7g*+º{2o:nUH3If0 B `{FPڵRލj P4iFxi-6Bɚj\]՝Vt9ǫ6>,o)4}Ls4MQ)v(xz,P۫6ЕGBddu<,#Rw+FG$XyE%r>KQ^vSPR*Y07jERxM-I^ix^֠W@)RIŒobSoqlS)޻&ާ*-W׷hU-OD %C:}gS jIyg+%mRY A75 U|nk1EF cbk*lr^h7*YMɇj~{CE)YJ%c>\Vtgٷ[fۢ8cqWZN{W}`f9җ2ĝJ(Wx}jfW{nyp䥅ufN!Pd?e̮ 3si΢$mp>4}3tsU9mZɪ,czgs]b[*J̝͊2bZ^wHswgfu;Yc;N/iϳi4mZ?yZV;¸̏cԖQMبgT]G?m7c%hdѳHt=X1c蹷pQٜo2嶾K!R6ܷβgF= _ u]zφ O]e ګy'qfHgzCsg! paՎ5:da, t k6q7ugR'拉/u`.>hf)lXqUC}%{(fL9X$̧ T}C]ᒏm#>;M1/ӖѻCZ:ygM &~.k9PO~oPA%}6J6|*>h˳7vc[J@nc:tQEu  l%~cKec 3)Э@IW ԣ з Jmi:hlO8+_V=(6(?qPv73/F>~V,^ Ai+E6&`[NYXxEF3mI2=l߭ORƔߟ@єS#' ,@@⁲UaYu[##l>߯zT?k T?w=끪b(>X(/24NtAA{`ZJ3Җ8oȵhQm Z 3JY1ץMw,\8mОà_#q< =m|e= Mg*f>V>|& \ #凫)e=Aw hk:,W=mAdeZZZ3N!QB @a^Z'DAco'^'[ǘbX`v#hf^VѼlN}}!'ruFSׂ%`y9o7) k:s!VH!V7#狘>N jYme4ѳf6񿢮 =@ʹ;u*[m>=^ňuޒ{I?}N4ovNuwʛWA[+ XJ˭ezě5} `]ZѪyآ7* % fa [̱hE4*0tNC\1Ayqfٷ?1xv% YցW)&}lCs+,n<>xk6e!q!zl6m~h!~x"=bZe$'\\yr~ʟ 4Wʏc(>q  vȏņ }*l_A *h쫰&xFicӿAC9?c`l$'r3H0F1~$'8I z<`$;=cϽtK6ιkUv;~  {\>uli7Zś޸B#o fNÉZ|͇klBc`j0P'١&ĮMe1bczbC-^o.~mO7!Bk"bQ[|k޻7 cjS;F/v_f+f}hӲMgyͣ^O\[< *y3B?r4o~8hG8hW^8Ta^uѨg!&;4i3&_W˧? L͠WAk+n ;-k]{`hkUgZݘ۸q|Zw-Sf" +aҞJDwƞ?1./^[^д'& Q9yr azv\E!:{=F]Rvo8'Zzt#o~Iy*^D} g[+aϿͦYgSƉfA127z6'?Q;:uZdY |։Ͷ}\i; E^`)jF_2hzz>Sc] A-WekEj aiuGEEw^ Qoofxx2[DW(E*#T!k_2w=ç:JOZXCQ,^q`}7A+yhw2t DD>! Nh}HWjNFç:5E<=u9Zi36M(yc6zak4kM܉2Q-aͪud)+j2J#ҎR)&L!ʔ)afvh3ѩ*b \kO78rJ.[壈zA劉ʝ袪֭{o7m~ HYcC|o034ov{ [/sG [Y2v0J ^+t6 ?n@:ҘCdVQAI;:FaCLK(j4;5Sۀ{ԹL8ʖ.;d:}`@mP~Ҡxđ|ۻz̩g;g˨S}WJޔ kƆY_Ÿ{U"q*>Ҍl o^M݄&A ?}W{2#YqȖC91me*L ]Z^Fɧ[-2j1j>EJ^ov܃L" ^h).1td-jmp=4>nw_M)| * 7 [VDnx6qƽDJ{eP"OcGO " @d( a.}Y]eGG\ 0OɗnTLV<uuxxތF=VJWdA1ű -=fy_5ͨmTRv붑ͨ_|x.&7,7nrm*Ӭf/@BѨΖ`?M ٔu,W"G?2k ן;y[Ayրp^W,1ߏۘ=1<I|TG .S|utJПyh@O^y^FaGuImKQǥfWуk^k+_9+Yl^Wэm;*7*[7m, rzޝ^Os}qtxr/8=g]'6[h|k>b\tIzqzkgvۀ kE:XCUŀR,| >dp S=K!~1 uR8~G)?{׍v%A\8h ]p;F[)yQJ5SUq$u+/JCyDWt,$a^Vn䞊/Cv&ϳc2ngX_{w#|J ;wh}yyqg>n[QKRJOg)nsCP.~ʵ5h%&Ћ OpZ#§(ņ8l:p)ks_bbH`a.[8V8ŎLʆw6YYcv$/ND@{-OVжH@^^?+PםktUY5uz:l!M|yXv(b_.Xd2aD~EK6sUIٸx=Y^d1ou= d>|zC4}7fxR<Սz4Y۫$kyAXקFRኑ\s4;# ]Psz9wۮ[s^oo⴨g\$a |M>0C?+ p&{i<~o6Gb LԼA 767 hƦ"cgy"]ek e0 WCT: b㐹7D,Lk[jy )h EөcU[/D1`P0RīR;b^H ._EE vȗ1i5-:g|mTmsˤQjƈ0>ނ|!J-ѣЪPnGΉ%_R-)fMUǠL_gG[/E'9nֹ Z:ځێ/E"V?EZ|g `eG*B*m SknU a(ΕÕʻEؙ{\d@1rLcIcv[]}Nm~2p`[qw;T,ʆqX 0#uk߽ߍ"νuSmMMŶ;Df&K.Cq8ѹ`^Iִ]neN9K0Qɬ -P!,ӂ[{̆ؑ{3g?5caŒ3떵u8ݎ<H.aF?G& i0"e L\{]?_%iE0]r2w~Uٻ Pu먧ll+d[QEiO6$~痢aP n -wۨPA0u Mly|]M3Q9n h/k\WzAA^тlkL|L-oapHГ{C췱L~7l\`9e]&+5BeսՊkeW-HpAό~ y T6FN} Bk>eLpGt7 Rf G%̗T&-:@/o-,2<]>+3ɡ pc.Rct4{&ԡʇp!$X<Bh1ob60ofj]3?aO:}^@#n\_>˂aElJ̉Vݼ> BؐB#w"|>$bS4?-NkZ϶ jkL]z#'#'rh+Cm%-4J1snC+̙Ra;!D)ֵP 4҉'S]{N2Msq9߸])_ +1&Xp[?ü2G +oTnO2vG Z9j.'Vf-ZQ!Xh4~CB7U`5{EJ!n6k8Ke*гէ'+K9fDw^~c ~Ά)s4,`b9)ͪy[ }JH$ S6ZV(%tvqfL57>{߃KR61l{t]|e7WǛ׬Axms++B>g# s MY (xL{_{Ϸ F|؈w6|-\Vq+ғe{Ld @˳Ooeh.}Y+e`I̓-涖Pp3Wd='Hg:SxDG#ANQxdp(5t0*MG/`ɬEAb:F 2!fԷe+k_ʨ}@΀Lg}+]zIrPoe\_8{t -a; {~.P2\2nys?QBFB]z RLLIF?uB8~j'N| RcW(F^ދ0M-~۟ܓtZt,.AQvٷY?^UiQ3XZ;~J'u+q)OZ7fT3 5t?THsVCcĥ۲`s7)yQS>T#EneڽjStYCR+tܟLT^ez<(v5u!k3eN ќs3/}s Z!iLGQl>륊3;W>PλՃ޽\Pvh/ܯSWN8 k:M0"X-℮1KuY+$MOܨJ9@9WsǬwIӋq0YQin6`v`>|Kȱ|˄0ݲǓ̟ӕF8A|3 y2IA߲#)ۡ 8wSgv@~15D{ay:KAc$.H.1)skcx2u>ho.SuhH2W2Sָ,A{m̽5[mC@[|̛ͮ3s7nK ΖUZ{ s[eń#z&nR28Ɨ|g%0ESC;VmPi)P&قS BVc@@V [W#7A{[dNRztCEpj^NUq̆߂ME1w1QȱbBˎu ? /`}NlH \hDؾQ:|}>QKtDa=CÕx?>&Ӈf.TGVw^P'9: @j\M޹ 3zezhh t3Dݮt] #T<$3UZ@X!P|p@~yvg?kC+*U Za/Gg?8ojg0mнO6ƫy7Vk jU/ht㡅 TVߢݍ7n*n̈l W5te5.cG#0[ SH&!Lsm0o$&£VcI3K6Nǀ;>K@PS̮oI`wǂO.V#lA১׹;4|[߳sXV JǢtDAW`jL1K3{!wNrk,r{8|{A^0C-N{;ߑ 3-s 3\` Vy =oa1Ņ cA>0{t&l `$s^ R,5nk]G4|eP8TG Bu9$l@usv,}`ݻg#uBH~Z0+%sc֊`v7)Z>V^ wl&(II50j|Yo#>RU|qڽRFA`)?BQ9yTJYA,wYFx>EǬ" 0@sfHPy#LV &.NWV̒/)`^ѿs5z(VXEfVoG9#sW I#Ue)kP_h +"s rsw(u`(?OŇ!|Yq;Y|㷘!4y&`-g,>yف'<8<72WF7<ǿTjt%p:eJ"B&Vk]NZ bxI LC%g었d5cv˺{]~Qo7Qe򎁱fv  S2 \-M4MWbLH_sq~MgKg0r/ -/UUB I!Q)P 99MqÎUV L18.O W5{9NLN`b2CpWjfi>4k34ݴ;o꤀W9FkmQb x~sGYS` u䅞ya5Ҍ%Ӌ&,U7==8cƑ] 6"I(7)r'j/J7|"I0KC9 =%{)4a|]gp>^{'cOf/g4:NAA1b Vg"X f;ym,@úKDoS;'@)tzcZ|"[-Z^;@#}<}pAe 8n]UFEa?䚩cRWB(ԖUxd4Kgb M?+w檘{ݖ2a!O08bAFy7{od[@| g D(ݢ9US@YD`rk] ! Q%fˢͱʽ IN~>'$=F .\GXZQQyݴEm8cpӁ>Zxz~ {)nd4v3F@6PzY1T'uwUȐafz3] |^xjv#Ʋ屋 .u{})5Kk,7Z~(]hu"S&b/2ANt8+_*cJ݄l`V@vo ȳ[,4y+'&Op\BnY;?}vޭNB?;h' L%t5в>?y>T4F4qdZSm T$-)xR 3&ׂ`$]/hU8Skbw OqYQ9q{(Ά*oj.+_5m?b"Ȃ}f^m@?WG9e]-LĺX0EYaqk:` uZT +omvE^2߹wgTh%mg|} C>0QU|}؆c!V17[&$^7mN_ (و @) lVay6ñ;] V*y'NQSD9|~?Zh,'BMM̂{h~YvO/95(%q|-u"~Sn E G?\SlWg zDڣG'}O tmמe:F+y}ק ?Y$8KǴe-}NOrGBPC_%}W"m[gr It~OӤnLPDOe[@y6D6B 9$tͿnYz `Y(gQ/_ztدC(+@ |H֣Yns*^_K|sXJ%[Y7[zޮgWAZk]ˡ'M*fT8j(&u"6߹cGx5O|o%k/PM,{?Yg+(b,ص'w'|m(t+O*K>V~4VcB0| Gѳ `aɛcή`wp32E&|~` s0uWT}Vlp= vmd.몝XcwbI?VP?IǴd9VlsO$A[kNDÇK;,9K9A3舝rVmJm $w1R,LK%_$1F ʦLD_*Q(2_/2홇BY&Sq1 8 egOdIX능_U]`| T˼zڮS,BP\?s?I@fc81 0m }idˊ4}WX(Ǔ_0Ǟn}.gj Gp|i>`s'Un:nOhO /g@ }jy*(_,qfُB]+2Z`bZO_<+k45d\}dKQK"#K~F9Y8Ek|M/DPY`AYA驗/ R4!el\,lމbcFvDT1}2LSa-æM69Aޟ勭 bV);PN}:c7_:5cgA|ɱHars4iv)RvCvղ<˾.׊= LݙVȧcLÛa?I$Ou-fIu_0ݭ,_/; WcUϒ;5`uN|}__Tdob]pgm1 ^ T>卿Dڒ8Qp4MV X5Ĕ(g*ex9Yi^P-%P~Q﹃9!j2}qZ !n;5cҚM&O=Y݉l"-`]9_fm(<:^ȹ@_Ir`굫yͧ uEmj-+gJ{Yo)`}@@xhyK5rZw1>(_S66eR*_YN'q{de7t?ߔwϰQV[_Ҹ7p"K~.7VdLR|Y@jfZ/{MYYyq^sQ_*s:O?r_etR&}r׿y=mY ]`HiHEͺ-+uz^YOc{$K/*W%+? h"nUR\Me5,?_W^Jͻm)5)`p^V]OYw;Y%EilWjW5N,@Υffo;62MaNr_yڴĴnzJ2X]kL@ӓF+}rrM$}c2S| `]J7m,<&vЧ'36vw=}oPHoFV/On34g]Yt:v@g2~^^U>r/R! }RVKKLLL0k<(<<KF()ſ[|9^JSvK'YXTq٦L"͙U&g:?٦|^q.ڀ3̂[iy8q8M_2r+>4gFc};sa]ySQdzA?c01 l NڀGRGR׍Y ׁvA=.+n3ti %WˆcZ/Y- mR&]~r0v}U^RY@jսBV;~YWюWC ^Iyv'|60?o``vPS3cu0ZOXF_[b3:hW~L5{o7ײ*{L:K:}]>R:wb^͓5)3Zg=l ې M#+VX'nk|5""Ķ]v`{`6KVd{(z ٨OYu? eZ %B[˩;o'Pݦa^ ,?pYQLqnrsc|݂+/쯞kǀKRiH;*{/O&_myER><|;rn^ Ӯ2*,TALgaY.LfA*clJ.c@9@oN"-}W3η84ˤsZZPdSֳ+G_Ѱ.?M`-:g2UZݻXjNڟ|%^J 7ʕŲR"g#Vۻ8rUb !Bpq2ל3=Nlw߇xHX- bA4zJu#HQN,=RUU|ҐVbX/K2h3VOdoٜq0|Ek+n} .`dJv|HP 8{7I9A]%z7cwԑ&k1jy䶠fF&(P6f(G!Ly>fe#-"L/>@b*H]imM.wp$zR^眲U) 켻|iЃ%>E(؄9Xw([# #yMH> / S7-4ήУ0 oY%ۼCVºg&n񭜮R"w\8a[U8F,i;a-t:֧Pc]^F茍\lys%w?*GF7nmV'> \91q)>y#X%[v]г4L&=o{x|RGΞeu6lBRY|(!oTqbcцGz>4Ѥ`f`FWVD̜G3 ͲhdEԫOuV8 ȩ\?C=&oy:"MY+vyx){{eͼh ixdZZXoǑڈ@k9=; c;$>,J%dEh\LA7Yn=?<q,iCFtcEVM!D(iLQZ9VH"{X^_4 ~Hv rCҳt^/:*o.LPDU9YILPrr.ΰ#KtPg8RQ'o9Ny;4,-'7T;(o"}g[4wvW;}"C8IdRV‘Gl?cd>Gm9 Iog:a7Z/]v„mM[n椲ieV߄ɆDm˦YjVFB}1'`*z=$֬/]#1i2;S6|}2tV<>>٢ޔɚyOB[wQ"t)gPL<|̽Y=gK<|u4/?߰OBRHRyՇEn'o LrS$csyݥǒEzJ!"[ e@i g$3De?HMԫщvM.9p,QRv( Drp77joŊI5`ֆؠyGB0QzY+hfo<ŜpLkyh`\dX\(bFwS^<@ʵȻ g@5  meN')eޗy)@Da&|ߓ>pu 8\cY`QyԗFd16Zj`&,G /Rpi9`F!k~p%-/6E2TaBHAۃ= ڋס.g9R-;5 3D<&ÛFכmtJQ(*+p|_VGf OciDXDCˍvQTxz.FQ}u ߜ3}n±KWHKy3oY?myN `Mٰ(=^n$bH;?h!_QoQ[D¹/&?0|+~@- TnV{8ڧ 5#nE[(u ZH>tX %uiVx1܃Xiɭ:lgzӬ+O 6Z/:Ӄk۝l;3`AY'K-d:i[f`;B!(sU6>.AB:/AEQkyu.J?:e r3'玺 ֓|;Iځ4HHMTyϢS7H7U¿TSʨrK’Cmssg=N:~PR(RwMpe+iYQ8#>HUe *Ủ#>4|fύ$q]RWFk%R6V14( 6<-{\I:QF{Au CF ŕwa(| c݊ME+a)^26 ħ:c;BYŭN2p9fGr`/LƔ MRǗSPhډi^)MzR;rOOs܃/U0ӚQn.fTh_̡lτٞ PD2\`'Uf¥I#[{^Fv*6[TOFo}~E6"ðq.3_8g+a_es0=mZN . \cPsӝR]O{[]9FC7"]8rxH8a/D |xu`4yt8o=E^' yo>d5lz} xa3 :zbN[WCfCay0Q0&&6wHJ{MmCW1վgS}(#gjtQec8DYz \PrA<%g t5r1 3լ/Y{U$&5IIzM$fFSњ֌ k55,jb[ۚ<y,f~ۮM17ZhyF7].mRaH.);4Ңٔ22> ,^RKV%〽Ga+!WҤKM[ G.J0R;tӥOO=<^ 81HD5e!<^7&ݔ({. y)xwӗYuGr>:rLL<:ȷ-Ņm(sFtЌK=yEРo ׂa㬭)Х+/$ ;.:e~b3>@cyՒ-nvV"-EFA2ҁlhS'- %NPQ{SOր%4Ӥ'K1~bYH=b)EHH8,`]u}BWnW\zVb%.XxGq 4l,5" 3)V`1\VE6n}cjNUL`}c*wg%iy1L=V[kxD5VݫSxD/4"0)Cr[Ki#C%,c ] r&\)L49r.[jxIosUkT} sWAVv窧 {/3˿vUtPq[H\d'oyb%~1cw;Lj|71jpB}B,2²azۤi؟šz.K@t5&U=z=^#=d)r̸mU }ksWBwa5Cל(VtX|'Ӿ/tntk0 p[cc 'Os:vnZS" BI^vpC^4QfqOJ#bsWDkmM?$+]>kهqe6PC_k֡5MLi]&;/<$v=Z ?{a{{[V&"is6sp#eʳtp~WslܺAPV'񇮫/oqK*.R`j;mv܀MU'a@Bk`x&iyL;ifm^4]:s7q=pԳ2h|Պua!kPr7%zi΋Ay"xOaD7^*w)S|+9gI9Q8ٵ/EMۜ=Oug^Um⺳Һs=^EdEʐWqr="%|!_;nL"i]+/\s4|{.˹veUpQGuڅ]e5D&#WYJWhwm.=z2m0Y53=,/eʢxK5\}J:oץҕϮ+}LR'48Y[4k3E^Wq'ldsIXj޺j4z}ko?H2Cx S_7iϨ%NY{gb8`V,iHrC}͜^jAw|\R89>l7pj#hzQ%2ٴOݴA׍0_Ҹޚ^ojt}>>׃mǂPoS]rCsoa/؟B[ϊ^--ospQBGOʗd~Xgř0j}l~]EP0{!( #:c{E˯d#+ܗ2լq%dp3#_C LZVg͒_#U9/QyWdie 5]iyc{3/9ZU~wq|0v2l:awpm\|#4 U*iqQ)Kf}@/F;z<) 4ÉҌqϋ& u ,&P;"繻Y=^ uh]c=[xy1]K0ё[#YhkG/ϋ璃v%VJHU)FhylwX/YrE@_7׭q:׿8XDQ#r5OlBf^"ʷCӞ5+B6 6XJk)JڎE?DzY\qWʘ2Z[Mm8Y3\絗.,) fگvNo",ߖyv}oҋQBϚ.uY߂I#*6y6ڋ &T}0&I(xw=9g 캍Z`UbgxOІ&u9Me0zsְL f2訿y cenIu9KcM sVeZA34FhoGA%߮fA d,ȯy[ĕNfGenj &CkkSxM'x c{F 5cjcIN: #k[oFI# cgH\;u8/4W6W& [Z=ҏxHSc"mH+|:cМ ,K1G}o;O+>B1-CPHe4G~f10eN,uɅ&b⧕-,U#enKSBZGL)>(,N }JyJdw9+F'UVA c"ޑ"y[=#:Tqe.#vVnC@>^>hhZɚ٭ϕ=YyݶgtDGڊPɊ04C&cgv16eMv d:)-~j}^ː{v |z~(7w;v1>J?#]cj-{uY{Ko{>A *+k+a{v,e`%/| y/k2HΎ*4} JPh8gģ)R#6LVTUvӥU qsʢ&ղ#!.WJtb"K&Es..>!d 1:Fi}%V暏}M UWEn!5Ԓ Uo~H|0|t,Ch XVذ2Zqx sxֱֲw@…s*91"=X[Reg~Ӳ6+MG~rE0hFhtKK6+Ԧ| ܄SnBӲeqX;&YS 埶9 kh`B9YcIl b| x?'~G?|]**/J lz6tVS JrJk0GF+pDL* IFҡl\eyxy~M˵&<;nv;| _iF,; bY F7` PҌ\u|#1"xYNnvhZt_BuM8oqE.pI6VAεtFۅI߅ > sȼ6_.-*r}ίY렉z2WwL._sgKc;{4'Lk{9chJJPr6V1)ۨcvBG 71.eqaYde 0 \ߜM„8 ,eӑFΧ 77CV|D&"=:ujKR[|4H˾4}1\9/u@R|;Q3tUӝ϶Iz!H夸7EK!haº2-Xekj%yh'0J` sNw|\%1l+:O'.=7,i ®EQH#<->aJuFW4*X ,wՖ}:R8-4x!5|Kx uF.>_ W2rdk쓯:\}"ge fi0t WJ?sP뎀qGVJ]B{␋DƾZw(݆ 2V߇/ HO)5W][PZg|TVƚa76aď}O6)Hxލ>~VBFeLxrw=җ؈ TIIqG.>Z]kMQwYA"9la!v'/e9,}??5\ Z3~c!.3Q=üo@![uDοM0/nbƂ_=UƤMBǘo6ꭡ秣=A-j3[aMy'6ys܋)3^ Ql C2in/ .Z[YBWxVvS-Iy/%~/{=akѹ'cK?}ܜ,w\;܏񪰍HFDp~ݏ EafFuHxemQ_C8F^1˹8ǔSi["L/ڜY#Ï> ƈP˾a9EX}Op{V ax?<./_5/:-dj<ĕt}lgaA&RtMX8wǢvrGnұq ?:d~CUzQvC?^d##3,h %󭥀nɒwd%ضv!kHJ5|o|aOki%@mdn7uwyZXaz/V8M(;^y|~ex|E+^)>Q^qr${5%BB\Q͇r1 G<D&5mMnkr[ۚ~x&_5rjW3,Y9WsG&5!IgMkk&/ڷ9 6PbkE{xC)Һc~$KMG^P-q}mY#Vmɥ,_^YZo}{* ]G.4Q|e,(RKan羡.Yɟ[N֮ٴl{~.枫v2!n}X^bPҧ~][_ږNR5QO@{z^W7)gJ-'ZG@&%wIDwVwty셆*bҚ+2(8O#&…[ ಺v{PgS-]"}.?3Gޟa9όh~|n}57oēf0.P OtaȔE:y[}]|גvV6,[Uæ9 7/UBN6շ`[=0¨ B9n\U/ۨY3 bHD*u }Grf0@vz Iv1|KzJd%,4Q0Kw=YH_| +ttx`2"1g.q?1+fiVMjg3;+xQ Z"&Ak0`P{ǡЕqט 7_>: n>7B=95=V{D;dYHh]6τo͔(;.kyBlEcV4PwCX;"ր {Kfk_B E4tq[}N2+hP){|^2nZ)>ɨƚS}D]*K$]f@+F'B ao@B\#|۟L aߦQlK=-.n~7E̴dK˅wcȁ'f apW^-6%UJmݱx)_ hԶK:!?F:$*Dibu#&mߵDL}aH-c^t:O&9RrG Y'JEùhhzx!wv91V0 A ab xIצ%]8ۛu찃aBQ޶˫">޵?:Ugo=b+Ty[F/@ϻE5sH$*a $Cn/M7nNƊ=)Z{O|I\C<'m* _ t@AМKL$OQZ]?Urby6U1im*z] = 0 } let s (x: ref int) (y: ref int) = requires { !x >= 0 /\ !y >= 0 } while !x > 0 || !y > 0 do invariant { !x >= 0 /\ !y >= 0 } variant { !x, !y } if !x > 0 then begin decr x; y := any_nat () end; (* else *) if !y > 0 then decr y done end why3-1.6.0/examples/ewd673/000077500000000000000000000000001440160026300152415ustar00rootroot00000000000000why3-1.6.0/examples/ewd673/why3session.xml000066400000000000000000000010461440160026300202620ustar00rootroot00000000000000 why3-1.6.0/examples/ewd673/why3shapes.gz000066400000000000000000000004651440160026300177060ustar00rootroot00000000000000RMk0+rkPL7B^JF*آN+L^ޛްo_w,gm~dŋXUN:IeWqgS#" )QoJ߅SGt?aLPF VtN  0&Up3HSu3(zS674A VNN5bl{,/rvy3wЛ>]2AwʩS&]HMy=б>˪Blzk _# =why3-1.6.0/examples/f_puzzle.mlw000066400000000000000000000023351440160026300166040ustar00rootroot00000000000000 (* Let f be a function over natural numbers such that, for all n f(f(n)) < f(n+1) Show that f(n)=n for all n. Inspired by a Dafny example (see http://searchco.de/codesearch/view/28108482) Original reference is Edsger W. Dijkstra: Heuristics for a Calculational Proof. Inf. Process. Lett. (IPL) 53(3):141-143 (1995) *) theory Puzzle use export int.Int function f int: int axiom H1: forall n: int. 0 <= n -> 0 <= f n axiom H2: forall n: int. 0 <= n -> f (f n) < f (n+1) end theory Step1 (* k <= f(n+k) by induction over k *) use Puzzle predicate p (k: int) = forall n: int. 0 <= n -> k <= f (n+k) clone int.SimpleInduction as I1 with predicate p = p, lemma base, lemma induction_step end theory Solution use Puzzle use Step1 lemma L3: forall n: int. 0 <= n -> n <= f n && f n <= f (f n) lemma L4: forall n: int. 0 <= n -> f n < f (n+1) (* so f is increasing *) predicate p' (k: int) = forall n m: int. 0 <= n <= m <= k -> f n <= f m clone int.SimpleInduction as I2 with predicate p = p', lemma base, lemma induction_step lemma L5: forall n m: int. 0 <= n <= m -> f n <= f m lemma L6: forall n: int. 0 <= n -> f n < n+1 goal G: forall n: int. 0 <= n -> f n = n end why3-1.6.0/examples/f_puzzle/000077500000000000000000000000001440160026300160605ustar00rootroot00000000000000why3-1.6.0/examples/f_puzzle/why3session.xml000066400000000000000000000076711440160026300211130ustar00rootroot00000000000000 why3-1.6.0/examples/f_puzzle/why3shapes.gz000066400000000000000000000005711440160026300205230ustar00rootroot00000000000000]n1 EoWh7qnfQY>Je+\[ɇE7^~zf/ޭ`Yg\A^SwkӇBnbC0{ial5JkykҹƜ'xSe\ "z(s(\,L94ZF9px@X 0!d!6uᖥi2= 2NekXQzgxOV+X3 T/M6T'J*oC$cgݝ>=>:RS\1u.4Z \1C37R3hC:eu*Umwhy3-1.6.0/examples/fact.mlw000066400000000000000000000015301440160026300156570ustar00rootroot00000000000000 (* Various programs computing the factorial. *) module FactRecursive use int.Int use int.Fact let rec fact_rec (x:int) : int requires { x >= 0 } variant { x } ensures { result = fact x } = if x = 0 then 1 else x * fact_rec (x-1) let test0 () = fact_rec 0 let test1 () = fact_rec 1 let test7 () = fact_rec 7 let test42 () = fact_rec 42 end module FactImperative use int.Int use int.Fact use ref.Ref let fact_imp (x:int) : int requires { x >= 0 } ensures { result = fact x } = let y = ref 0 in let r = ref 1 in while !y < x do invariant { 0 <= !y <= x } invariant { !r = fact !y } variant { x - !y } y := !y + 1; r := !r * !y done; !r let test0 () = fact_imp 0 let test1 () = fact_imp 1 let test7 () = fact_imp 7 let test42 () = fact_imp 42 end why3-1.6.0/examples/fact/000077500000000000000000000000001440160026300151375ustar00rootroot00000000000000why3-1.6.0/examples/fact/why3session.xml000066400000000000000000000036241440160026300201640ustar00rootroot00000000000000 why3-1.6.0/examples/fact/why3shapes.gz000066400000000000000000000010551440160026300176000ustar00rootroot00000000000000u[1WZfrX'ɫLnXxm;I=%I&\2כe]Η7o&A5t]u&@ q&.@vgH]",mp v!6A`|?D{q) ձ6S4\~=4]w$F\bx×ˎٗ]1%ExI*1VʥJ Vk9W]q0n\꫇/} MzcW-sm6.B0*PZ{" eL=G1{~' uh` z>OOOӤk**Y5Jo?H~eE VxdQ:|Tr1嘪f qr)eLR8냚J%92)lf JB%T& cU܄*hcT#'c]UҌx@lk*:TXVo{ʁ慄֚r:&:,<ۃHaTDHY#,S29JƖc*,lzp3$why3-1.6.0/examples/fact_vc_sp.mlw000066400000000000000000000015621440160026300170560ustar00rootroot00000000000000 (* Various programs computing the factorial. *) module FactRecursive use int.Int use int.Fact let rec fact_rec (x:int) : int requires { x >= 0 } variant { x } ensures { result = fact x } = [@vc:sp] if x = 0 then 1 else x * fact_rec (x-1) let test0 () = fact_rec 0 let test1 () = fact_rec 1 let test7 () = fact_rec 7 let test42 () = fact_rec 42 end module FactImperative use int.Int use int.Fact use ref.Ref let fact_imp (x:int) : int requires { x >= 0 } ensures { result = fact x } = [@vc:sp] let y = ref 0 in let r = ref 1 in while !y < x do invariant { 0 <= !y <= x } invariant { !r = fact !y } variant { x - !y } y := !y + 1; r := !r * !y done; !r let test0 () = fact_imp 0 let test1 () = fact_imp 1 let test7 () = fact_imp 7 let test42 () = fact_imp 42 end why3-1.6.0/examples/fact_vc_sp/000077500000000000000000000000001440160026300163315ustar00rootroot00000000000000why3-1.6.0/examples/fact_vc_sp/why3session.xml000066400000000000000000000036471440160026300213630ustar00rootroot00000000000000 why3-1.6.0/examples/fact_vc_sp/why3shapes.gz000066400000000000000000000010571440160026300207740ustar00rootroot00000000000000uߏ0 W B;!MH&U<"Iǝߏz⤴NvތoP/zݸy36!5k:%u&ANO]a:ў~\*}9kN]8Ϣ;MaGRL2$R=~~1qΡilq\y.EusV m9+ms̯Q릃F='N)9YPz񠟻 fmG]7vXǮMJ\۫rOIN$=hWpm҄de6ŕT=^ *Zwn/:e‹'`=ݾ00k\-[u0.dTgȣlj( U @G{0Cm% UVktbZV?!Vڔ2ёe1!\& o+†AJ$)r^-YajZ.xAMɪH{T%`Te%hݔjKEdB!ѹjF!17why3-1.6.0/examples/fenwick.mlw000066400000000000000000000104021440160026300163660ustar00rootroot00000000000000 (* Fenwick trees (or binary indexed tree) for prefix/interval sums. Represent an integer array over interval [0;n[ such that the following operations are both efficient: . incrementation of individual cell (O(log(n))) . Query sum of elements over interval [a;b[ (O(log(b-a))) Author: Martin Clochard (Université Paris Sud) *) (* Array-based implementation with i->(2i+1,2i+2) node encoding: . Integer represent nodes . 0 is the root . childs of node n are 2n+1 and 2n+2 . Leaves represent the model array cells. For n > 0 elements in the model, they are represented by the cells over the range [n-1;2n-1[ The structure manage queries by keeping for each node the sum of the values of all descendant leaves, which we call here 'node summary' *) module Fenwick use int.Int use int.ComputerDivision use ref.Ref use int.Sum use array.Array (* Encode fenwick trees within an array. The leaves field represent the actual number of element within the model. *) type fenwick = { t : array int; ghost leaves : int; } (* Invariant *) predicate valid (f:fenwick) = f.leaves >= 0 /\ f.t.length = (if f.leaves = 0 then 0 else 2 * f.leaves - 1) /\ forall i. 0 <= i /\ i < f.leaves - 1 -> f.t[i] = f.t[2*i+1] + f.t[2*i+2] (* Get the i-th elements of the model. *) function get (f:fenwick) (i:int) : int = f.t[i+f.leaves-1] (* Get the sum of elements over range [a;b[ *) function rget (f:fenwick) (a b:int) : int = sum (get f) a b (* Create a Fenwick tree initialized at 0 *) let make (lv:int) : fenwick requires { lv >= 0 } ensures { valid result } ensures { forall i. 0 <= i < lv -> get result i = 0 } ensures { result.leaves = lv } = { t = if lv = 0 then make 0 0 else make (2*lv-1) 0; leaves = lv } (* Add x to the l-th cell *) let add (f:fenwick) (l:int) (x:int) : unit requires { 0 <= l < f.leaves /\ valid f } ensures { valid f } ensures { forall i. 0 <= i < f.leaves /\ i <> l -> get f i = get (old f) i } ensures { get f l = get (old f) l + x } = let lc = ref (div f.t.length 2 + l) in f.t[!lc] <- f.t[!lc] + x; (* Update node summaries for all elements on the path from the updated leaf to the root. *) label I in while !lc <> 0 do invariant { 0 <= !lc < f.t.length } invariant { forall i. 0 <= i /\ i < f.leaves - 1 -> f.t[i] = f.t[2*i+1] + f.t[2*i+2] - if 2*i+1 <= !lc <= 2*i+2 then x else 0 } invariant { forall i. f.leaves - 1 <= i < f.t.length -> f.t[i] = (f at I).t[i] } variant { !lc } lc := div (!lc - 1) 2; f.t[!lc] <- f.t[!lc] + x done (* Lemma to shift dum indices. *) let rec ghost sum_dec (a b c:int) : unit requires { a <= b } ensures { forall f g. (forall i. a <= i < b -> f i = g (i+c)) -> sum f a b = sum g (a+c) (b+c) } variant { b - a } = if a < b then sum_dec (a+1) b c (* Crucial lemma for the query routine: Summing the node summaries over range [2a+1;2b+1[ is equivalent to summing node summaries over range [a;b[. This is because the elements of range [2a+1;2b+1[ are exactly the childs of elements of range [a;b[. *) let rec ghost fen_compact (f:fenwick) (a b:int) : unit requires { 0 <= a <= b /\ 2 * b < f.t.length /\ valid f } ensures { sum (([]) f.t) a b = sum (([]) f.t) (2*a+1) (2*b+1) } variant { b - a } = if a < b then fen_compact f (a+1) b (* Query sum of elements over interval [a,b[. *) let query (f:fenwick) (a b:int) : int requires { 0 <= a <= b <= f.leaves /\ valid f } ensures { result = rget f a b } = let lv = div f.t.length 2 in let ra = ref (a + lv) in let rb = ref (b + lv) in let acc = ref 0 in ghost sum_dec a b lv; (* If ra = rb, the sum is 0. Otherwise, adjust the range to odd boundaries in constant time and use compaction lemma to halve interval size. *) while !ra <> !rb do invariant { 0 <= !ra <= !rb <= f.t.length } invariant { !acc + sum (([]) f.t) !ra !rb = rget f a b } variant { !rb - !ra } if mod !ra 2 = 0 then acc := !acc + f.t[!ra]; ra := div !ra 2; rb := !rb - 1; if mod !rb 2 <> 0 then acc := !acc + f.t[!rb]; rb := div !rb 2; ghost fen_compact f !ra !rb done; !acc end why3-1.6.0/examples/fenwick/000077500000000000000000000000001440160026300156505ustar00rootroot00000000000000why3-1.6.0/examples/fenwick/why3session.xml000066400000000000000000000217141440160026300206750ustar00rootroot00000000000000 why3-1.6.0/examples/fenwick/why3shapes.gz000066400000000000000000000064341440160026300203170ustar00rootroot00000000000000Yn9}Bܗ iB i3-OIYL-L.'Xi<_f_w/&rT݇Q6\$6ywHoa|˿1f -g3j@=!<F~JB$6C uqnF@nF{/rI\NNXؗ?]x|.KO[51mxF=+zqkg]$ 4[Kפ5l>5 5UʅQiPf48i~HSwC# WL=X yPѥP';B1y 6_9]9FVWVt |aۗ\_ـ P'Nqlșr#PFW4`& ]i`ş@h'9GӦ8@h;6NZ54EG5}0z1n׆?Q_ ΪqZ SZ\/}`+_~.: ##ø6f%-EЌ͛Z)Lvt\ɠM|kv{{w:|ӗfZy !6)IOoW4Xڝ, M^c z75Ac$ _~bz!iֶ]y{2 !q@Jߖv/tL7SG{Z1JJܐ>IPw cBhߑ###hۯ3x'G>ዎ?=-c]Bl{U -J>)|~U(mzXE|[Mf8>m#zݦZ9tyߧU7dnߙfm\#DGHCb̕DY,=P f`F|ښv%rq\^d%-y SMZ*;nֱ Y^;  Y|iO9_&~CK|} O훨ZQ9%)FMFG'BoNDZfkJkheƔ|)Xk|Ŕ֜1GJwSƊ}㰖XUMٖ,oM:=-_5],ƿ صuk/YMhOI%(kߎRq~zj7%&=8GO0{g&(U V1dGa=Crs"F*i`ؠ.p.)RU#pI 8cbCVh$# VH)妤J@{!YOFG i8BO>h-T^Eˇ<&\T!&!bzl0~0n0v0f%mtzh+:8u9J*,6 J*,.o<&XObO]18(0>k*tQ߃QM۠S#afԉ*"|?7 T4FmQkB-Uۺ0q*\2Nw`8\(#uJhN˨\818؅ՠs`R5e)*E^1쪥C+6x(L=Ђjܰ'm[[J*A̞=b/Rg{aI=Tȼ+91-"\.9N.ua $lL5* .lusi(-U+i,5̏a\ E3Qaj&qADZ#bARaVXPn[>zd9QC-Շk[nX>S" ʡX$&j)@ 2Ze!*V bRkR%x$,^(ZA sNkv yCsMcĠs;` .sDA5D2w.y6H8 wiZ$"/EJ8+^ d]Шxu#!þ( 9Ɍ|>|g 4IJ<+AFLJ`b/[$ @7TL#^OŚ W0ljzoa?PI&why3-1.6.0/examples/fib_memo.mlw000066400000000000000000000016461440160026300165270ustar00rootroot00000000000000(* Fibonacci function with memoisation *) module FibMemo use option.Option use int.Int use int.Fibonacci use ref.Ref use map.Map type table = map int (option int) predicate inv (t : table) = forall x y : int. t[x] = Some y -> y = fib x val table : ref table val add (x:int) (y:int) : unit writes { table } ensures { !table = (old !table)[x <- Some y] } exception Not_found val find (x:int) : int ensures { !table[x] = Some result } raises { Not_found -> !table[x] = None } let rec fibo n = requires { 0 <= n /\ inv !table } ensures { result = fib n /\ inv !table } variant { 2*n } if n <= 1 then n else memo_fibo (n-1) + memo_fibo (n-2) with memo_fibo n = requires { 0 <= n /\ inv !table } ensures { result = fib n /\ inv !table } variant { 2*n+1 } try find n with Not_found -> let fn = fibo n in add n fn; fn end end why3-1.6.0/examples/fib_memo/000077500000000000000000000000001440160026300157775ustar00rootroot00000000000000why3-1.6.0/examples/fib_memo/why3session.xml000066400000000000000000000013121440160026300210140ustar00rootroot00000000000000 why3-1.6.0/examples/fib_memo/why3shapes.gz000066400000000000000000000005101440160026300204330ustar00rootroot00000000000000AO0 :RIPdi āۋO]>~4[e-Q΂0AZ[@1 ="tA;C/ZʉD!MDgNXPo(NLqYq"1kSc( x' >UW:WNV/}筚#2-M[B^MqRp_ 9NJKXO Gw1&@˦F%UE-sMR1l㵓 R⸭ J܋Ƣswhy3-1.6.0/examples/fibonacci.mlw000066400000000000000000000243011440160026300166600ustar00rootroot00000000000000 theory FibonacciTest use int.Fibonacci lemma isfib_2_1 : fib 2 = 1 lemma isfib_6_8 : fib 6 = 8 lemma not_isfib_2_2 : fib 2 <> 2 end module FibonacciLinear use int.Fibonacci use int.Int use ref.Ref let fib (n:int) : int requires { n >= 0 } ensures { fib n = result} = let y = ref 0 in let x = ref 1 in for i = 0 to n - 1 do invariant { 0 <= i <= n /\ fib (i+1) = !x /\ fib i = !y } let aux = !y in y := !x; x := !x + aux done; !y end module FibonacciTailRecList use int.Fibonacci use int.Int use int.Power use list.List use list.Mem let rec ghost function sum_fib (l:list int) : int requires { forall n. mem n l -> n >= 0 } = match l with | Nil -> 0 | Cons x r -> fib x + sum_fib r end let rec ghost function sum_pow (l:list int) : int requires { forall n. mem n l -> n >= 0 } ensures { result >= 0 } = match l with | Nil -> 0 | Cons x r -> assert { mem x l }; assert { forall n. mem n r -> mem n l }; power 2 x + sum_pow r end lemma pow_pos : forall x. x >= 0 -> power 3 x > 0 let rec sum_fib_acc (acc:int) (l:list int) : int requires { forall n. mem n l -> n >= 0 } variant { sum_pow l } ensures { result = acc + sum_fib l } = match l with | Nil -> acc | Cons n r -> assert { n >= 0 }; if n <= 1 then sum_fib_acc (acc + n) r else begin let l1 = Cons (n-2) r in assert { forall u. mem u l1 -> u >= 0 }; let l2 = Cons (n-1) l1 in assert { forall u. mem u l2 -> u >= 0 }; sum_fib_acc acc l2 end end let fib (n:int) : int requires { n >= 0 } ensures { result = fib n } = sum_fib_acc 0 (Cons n Nil) end (** {2 Recursive version, using ghost code} *) module FibRecGhost use int.Fibonacci use int.Int let rec fib_aux (ghost n: int) (a b k: int) : int requires { k >= 0 } requires { 0 <= n && a = fib n && b = fib (n+1) } variant { k } ensures { result = fib (n+k) } = if k = 0 then a else fib_aux (n+1) b (a+b) (k-1) let fib (n: int) : int requires { 0 <= n } ensures { result = fib n } = fib_aux 0 0 1 n let test42 () = fib 42 exception BenchFailure let bench () raises { BenchFailure } = if test42 () <> 267914296 then raise BenchFailure end (** {2 Recursive version, without ghost code} *) module FibRecNoGhost use int.Fibonacci use int.Int let rec fib_aux (a b k: int) : int requires { k >= 0 } requires { exists n: int. 0 <= n && a = fib n && b = fib (n+1) } variant { k } ensures { forall n: int. 0 <= n && a = fib n && b = fib (n+1) -> result = fib (n+k) } = if k = 0 then a else fib_aux b (a+b) (k-1) let fib (n: int) : int requires { 0 <= n } ensures { result = fib n } = fib_aux 0 1 n end module SmallestFibAbove use int.Fibonacci use int.Int use int.MinMax use ref.Ref let smallest_fib_above (x: int) : int requires { 0 <= x } ensures { exists k. 0 <= k /\ fib k <= x < fib (k+1) = result } = let a = ref 0 in let b = ref 1 in let ghost k = ref 0 in while !b <= x do invariant { 0 <= !k /\ !a = fib !k <= x /\ !b = fib (!k+1) } invariant { 0 <= !a /\ 1 <= !b } variant { 2*x - (!a + !b) } let f = !a + !b in a := !b; b := f; k := !k + 1 done; !b end (** Zeckendorf's theorem states that every positive integer can be represented uniquely as the sum of one or more distinct Fibonacci numbers in such a way that the sum does not include any two consecutive Fibonacci numbers. Cf https://en.wikipedia.org/wiki/Zeckendorf%27s_theorem *) module Zeckendorf use int.Fibonacci use int.Int use int.MinMax use ref.Ref use list.List use SmallestFibAbove function sum (l: list int) : int = match l with | Nil -> 0 | Cons k r -> fib k + sum r end (* sorted in increasing order, above min, and non consecutive *) predicate wf (min: int) (l: list int) = match l with | Nil -> true | Cons k r -> min <= k /\ wf (k + 2) r end let rec lemma fib_nonneg (n: int) : unit requires { 0 <= n } ensures { 0 <= fib n } variant { n } = if n > 1 then begin fib_nonneg (n-2); fib_nonneg (n-1) end let rec lemma fib_increasing (k1 k2: int) : unit requires { 0 <= k1 <= k2 } ensures { fib k1 <= fib k2 } variant { k2 - k1 } = if k1 < k2 then fib_increasing (k1+1) k2 let greatest_fib (x: int) : (int, int) requires { 0 < x } ensures { let k, fk = result in 2 <= k /\ 1 <= fk = fib k <= x < fib (k + 1) } = let a = ref 1 in let b = ref 1 in let k = ref 1 in while !b <= x do invariant { 1 <= !k /\ !a = fib !k <= x /\ !b = fib (!k + 1) } invariant { 1 <= !a /\ 1 <= !b } variant { 2*x - (!a + !b) } let f = !a + !b in a := !b; b := f; k := !k + 1 done; !k, !a let zeckendorf (n: int) : list int requires { 0 <= n } ensures { wf 2 result } ensures { n = sum result } = let x = ref n in let l = ref Nil in while !x > 0 do invariant { 0 <= !x <= n } invariant { wf 2 !l } invariant { !x + sum !l = n } invariant { match !l with Nil -> true | Cons k _ -> !x < fib (k-1) end } variant { !x } let k, fk = greatest_fib !x in x := !x - fk; l := Cons k !l done; !l (* a more efficient, linear implementation *) let zeckendorf_fast (n: int) : list int requires { 0 <= n } ensures { wf 2 result } ensures { n = sum result } = if n = 0 then Nil else let a = ref 1 in let b = ref 1 in let k = ref 1 in while !b <= n do invariant { 1 <= !k /\ !a = fib !k <= n /\ !b = fib (!k + 1) } invariant { 1 <= !a /\ 1 <= !b } variant { 2*n - (!a + !b) } let f = !a + !b in a := !b; b := f; k := !k + 1 done; assert { 2 <= !k /\ 1 <= !a = fib !k <= n < fib (!k + 1) = !b }; let l = ref (Cons !k Nil) in let x = ref (n - !a) in while !x > 0 do invariant { 1 <= !k /\ !a = fib !k <= n /\ !x < !b = fib (!k + 1) } invariant { 1 <= !a /\ 1 <= !b } invariant { 0 <= !x <= n } invariant { wf 2 !l } invariant { !x + sum !l = n } invariant { match !l with Nil -> true | Cons k _ -> !x < fib (k-1) end } variant { !k } if !a <= !x then begin x := !x - !a; l := Cons !k !l end; k := !k - 1; let tmp = !b - !a in b := !a; a := tmp done; !l (* unicity proof *) function snoc (l:list int) (x:int) : list int = match l with | Nil -> Cons x Nil | Cons y q -> Cons y (snoc q x) end let rec lemma zeckendorf_unique (l1 l2:list int) : unit requires { wf 2 l1 /\ wf 2 l2 } requires { sum l1 = sum l2 } ensures { l1 = l2 } variant { sum l1 } = let rec decomp (k acc:int) (lc lb:list int) : (x: int, p: list int) requires { wf k lc } requires { k >= 2 /\ lc <> Nil } requires { 0 <= acc = sum lb - sum lc < fib (k-1) } ensures { fib x <= sum lb = acc + fib x + sum p < fib (x+1) } ensures { wf k p /\ x >= k /\ lc = snoc p x } variant { lc } = match lc with | Nil -> absurd | Cons x Nil -> x,Nil | Cons x q -> let y,p = decomp (x+2) (acc+fib x) q lb in y,Cons x p end in match l1 , l2 with | Nil , Nil -> () | Nil , l | l , Nil -> let _ = decomp 2 0 l l in absurd | _ , _ -> let _,q1 = decomp 2 0 l1 l1 in let _,q2 = decomp 2 0 l2 l2 in zeckendorf_unique q1 q2 end end (** {2 2x2 integer matrices} *) theory Mat22 use int.Int type t = { a11: int; a12: int; a21: int; a22: int } constant id : t = { a11 = 1; a12 = 0; a21 = 0; a22 = 1 } function mult (x: t) (y: t) : t = { a11 = x.a11 * y.a11 + x.a12 * y.a21; a12 = x.a11 * y.a12 + x.a12 * y.a22; a21 = x.a21 * y.a11 + x.a22 * y.a21; a22 = x.a21 * y.a12 + x.a22 * y.a22; } clone export int.Exponentiation with type t = t, function one = id, function (*) = mult, goal Assoc, goal Unit_def_l, goal Unit_def_r, axiom . (* FIXME: replace with "goal" and prove *) end module FibonacciLogarithmic use int.Int use int.Fibonacci use int.ComputerDivision use Mat22 val constant m1110 : t ensures { result = { a11 = 1; a12 = 1; a21 = 1; a22 = 0 } } (* computes ((1 1) (1 0))^n in O(log(n)) time since it is a matrix of the shape ((a+b b) (b a)), we only return the pair (a, b) *) let rec logfib (n:int) variant { n } requires { n >= 0 } ensures { let a, b = result in power m1110 n = { a11 = a+b; a12 = b; a21 = b; a22 = a } } = if n = 0 then 1, 0 else begin assert { 0 <= div n 2 }; let a, b = logfib (div n 2) in let c = a + b in if mod n 2 = 0 then begin assert { 2 * (div n 2) = (div n 2) + (div n 2) }; a*a+ b*b, b*(a + c) end else begin assert { 2 * (div n 2) + 1 = (div n 2) + (div n 2) + 1 }; b*(a + c), c*c + b*b end end (* by induction, we easily prove that (1 1)^n = (F(n+1) F(n) ) (1 0) (F(n) F(n-1)) thus, we can compute F(n) in O(log(n)) using funtion logfib above *) let rec lemma fib_m (n: int) requires { n >= 0 } variant { n } ensures { let p = power m1110 n in fib (n+1) = p.a11 /\ fib n = p.a21 } = if n = 0 then () else fib_m (n-1) let fibo n requires { n >= 0 } ensures { result = fib n } = let _, b = logfib n in b let test0 () = fibo 0 let test1 () = fibo 1 let test7 () = fibo 7 let test42 () = fibo 42 let test2014 () = fibo 2014 exception BenchFailure let bench () raises { BenchFailure } = if test42 () <> 267914296 then raise BenchFailure; if test2014 () <> 3561413997540486142674781564382874188700994538849211456995042891654110985470076818421080236961243875711537543388676277339875963824466334432403730750376906026741819889036464401788232213002522934897299928844192803507157647764542466327613134605502785287441134627457615461304177503249289874066244145666889138852687147544158443155204157950294129177785119464446668374163746700969372438526182906768143740891051274219441912520127 then raise BenchFailure end why3-1.6.0/examples/fibonacci/000077500000000000000000000000001440160026300161375ustar00rootroot00000000000000why3-1.6.0/examples/fibonacci/why3session.xml000066400000000000000000000410261440160026300211620ustar00rootroot00000000000000 why3-1.6.0/examples/fibonacci/why3shapes.gz000066400000000000000000000144201440160026300206000ustar00rootroot00000000000000[[o7~_ok#aˠ_ #K^K;U$v$EbEbvKp{ysپM8 r"Mz>l4@D>.y1#gG.u~.:k]?@^\^' ft(E wr }`?=@nMz]MOڪ#zlPEHq` '̆Ļ/=︞bsFo+myxYړN)|zՏg:)\ϗw2 OWw$M}"-AQ˵당ؗucGwo g]VA7-y3y0+Lj*PWG/tGAվ0}GCڣ?mPESbb:Eާq% il1/L*JDc&Y^y1}.4VjP~w 4r'DS%둦KɎNV3hV[ ,,Fd06~Q~2}H[pr{S5U'COS`hע+ĠWUC 5ev<;$5:r;z%l_( tHy#W5PvYnpR>7 ç)>3Q[!oj$m4/e)~H_~f|aW-@T* v>\O:.!{^s+b0)n?xۯyO,o& ]|HWw!ĸ{I_CΗVAv}˰W)}-N5v]MKG|KA%@A`oMQNp'"Y7W-¡Ϯë3|pG58DRe֥ؗOuSiBTJjýt$^{o.zI"_Oe3 nu#*6P%wNQpBui,5eԹ'[ͣ&qvsXCX\7=GE R?8PqojqWt U]KvWm?z~jgw.\]kn~I* ^a[FH򬚞[bYs|LJѓMy^j48^\_OX`+ݕYpgF0Ŵ4B(ׅ2}`j4t^ ~y]h%lXD仄"!WlxG?N!wuv -u WUjGϞ>< 7C\^.@[z`WƯ R4yC0X,$wgӾ]Rp;]SAj)n;(O^(p_(͚.hqԋGk*[C(5xŪ*S=XUB1&%P; Zќ R_\mEyz*ًA8WZ(4BR*H֮R.kqm6%ɮѬ4EQT6Ŋ4y+ŊR3kq:0 ԶQy@xxp{S٩(s[u(~FG,]fho(?to.po( Tz_}뫚cVixD@b ")1n}{FC3CM7ݿ?U\s`Aκ%|4h%BCۊ긯WBάlӘ`tpz.R^wPW=$!`7ΣZn[#Q{ R,be:m.?zEi+QhJP-t{1 zpC57s2dK3Uz{3#BܯH'ց.:s-/kU=!_qhUOjU+t<Ҫ^/jU=Sһzk_ۯ{7PS^-[N;oZ!W ZΏ?V}'=ޫ-e+QDZd-;[?K#J:~K5}%z^h|w0TdDXލsPXyH=u.y3mA*w=*ut9?TLg|>8]3E[|XW|~Ka{Tt[_-?.hc t) hJ@B,HH-70ph"q[/Ľ#Ep0"904oGM_i=>>ֿj(5&)ط̤7C2bLAҘ GE_5Bs#6y.p_yY]LQ>֯ʳ/Ƌw73AԿ\99Cکk6 3'빁GD}Az7 Dw4E<#-Z%wX^mE]t?CdǢZLʩCGjMI2D7̶DI.\Q?v @z2-@t 뙔F`Q)İfIqd2%R4&2YxF˭#NyR|'bGO4O Gyƛd5=Κh;;H䍜QyJN;@zi=Z|]L3H,el6[o2 &Aݭ>3ݩ _K~^NL̓7tDO`rA"'EQI̗=e8.{-ԔZo%׀ d~Aɧu's0,P{̅ gqG* 1(:@C aL5 ; +YZ3I!.s&W0=T: dZ$aIC&" sg8ͬT@:_@2A^䘌H &gqdrI"T'4D7:h 0l#9=g`R;"`2,QA%Ig):j6HAi Nu+N0wYj.} jArEgAcE4aq8a?^Twhy3-1.6.0/examples/fill.mlw000066400000000000000000000016721440160026300156770ustar00rootroot00000000000000 (* Traversing a tree inorder, filling an array with the elements (from Rustan Leino's tutorial on Dafny at VSTTE 2012) Author: Jean-Christophe Filliatre (CNRS) *) module Fill use int.Int use array.Array type elt type tree = Null | Node tree elt tree predicate contains (t: tree) (x: elt) = match t with | Null -> false | Node l y r -> contains l x || x = y || contains r x end let rec fill (t: tree) (a: array elt) (start: int) : int requires { 0 <= start <= length a } ensures { start <= result <= length a } ensures { forall i: int. 0 <= i < start -> a[i] = (old a)[i] } ensures { forall i: int. start <= i < result -> contains t a[i] } variant { t } = match t with | Null -> start | Node l x r -> let res = fill l a start in if res <> length a then begin a[res] <- x; fill r a (res + 1) end else res end end why3-1.6.0/examples/fill/000077500000000000000000000000001440160026300151505ustar00rootroot00000000000000why3-1.6.0/examples/fill/why3session.xml000066400000000000000000000010521440160026300201660ustar00rootroot00000000000000 why3-1.6.0/examples/fill/why3shapes.gz000066400000000000000000000006451440160026300176150ustar00rootroot00000000000000}n0 <^6C2Pui4TާZ$4s4s^v@%8?}soڷCjӻdyp'#{)wDr - ;t]Ǡ|Koe&Yp-[DgqJ0j˔m!o&X,];MpԲ踣4"eB\Ӧ$Qilm (_oT*[ԕy"s Tu T why3-1.6.0/examples/find.mlw000066400000000000000000000051751440160026300156730ustar00rootroot00000000000000 (* C. A. R. Hoare. Proof of a program: Find. Commun. ACM, 14:39--45, January 1971. *) module FIND use int.Int use ref.Ref use array.Array use array.ArrayPermut val constant _N: int (* actually N in Hoare's notation *) val constant f: int axiom f_N_range: 1 <= f <= _N predicate found (a: array int) = forall p q:int. 1 <= p <= f <= q <= _N -> a[p] <= a[f] <= a[q] predicate m_invariant (m: int) (a: array int) = m <= f /\ forall p q:int. 1 <= p < m <= q <= _N -> a[p] <= a[q] predicate n_invariant (n: int) (a: array int) = f <= n /\ forall p q:int. 1 <= p <= n < q <= _N -> a[p] <= a[q] predicate i_invariant (m n i q r: int) (a: array int) = m <= i /\ (forall p:int. 1 <= p < i -> a[p] <= r) /\ (i <= n -> i <= q <= n /\ r <= a[q]) predicate j_invariant (m n j p r: int) (a: array int) = j <= n /\ (forall q:int. j < q <= _N -> r <= a[q]) /\ (m <= j -> m <= p <= j /\ a[p] <= r) predicate termination (i j i0 j0 r: int) (a:array int) = (i > i0 /\ j < j0) \/ (i <= f <= j /\ a[f] = r) let find (a: array int) = requires { length a = _N+1 } ensures { found a /\ permut_all a (old a) } let m = ref 1 in let n = ref _N in while !m < !n do invariant { m_invariant !m a /\ n_invariant !n a /\ permut_all a (old a) /\ 1 <= !m /\ !n <= _N } variant { !n - !m } let r = a[f] in let i = ref !m in let j = ref !n in let ghost p = ref f in let ghost q = ref f in while !i <= !j do invariant { i_invariant !m !n !i !q r a /\ j_invariant !m !n !j !p r a /\ m_invariant !m a /\ n_invariant !n a /\ 0 <= !j /\ !i <= _N + 1 /\ termination !i !j !m !n r a /\ permut_all a (old a) } variant { _N + 2 + !j - !i } label L in while a[!i] < r do invariant { i_invariant !m !n !i !q r a /\ !i at L <= !i <= !n /\ termination !i !j !m !n r a } variant { _N + 1 - !i } i := !i + 1 done; while r < a[!j] do invariant { j_invariant !m !n !j !p r a /\ !j <= !j at L /\ !m <= !j /\ termination !i !j !m !n r a } variant { !j } j := !j - 1 done; assert { a[!j] <= r <= a[!i] }; if !i <= !j then begin let w = a[!i] in begin a[!i] <- a[!j]; a[!j] <- w end; assert { exchange a (a at L) !i !j }; ghost begin p := if !i < !j then !i else !j - 1; q := if !i < !j then !j else !i + 1 end; i := !i + 1; j := !j - 1 end done; assert { !m < !i /\ !j < !n }; if f <= !j then n := !j else if !i <= f then m := !i else begin n := f; m := f end done end why3-1.6.0/examples/find/000077500000000000000000000000001440160026300151425ustar00rootroot00000000000000why3-1.6.0/examples/find/why3session.xml000066400000000000000000000144301440160026300201640ustar00rootroot00000000000000 why3-1.6.0/examples/find/why3shapes.gz000066400000000000000000000047051440160026300176100ustar00rootroot00000000000000]nH}Wmgg0@/AX#O }hב f~OP|٬DVX쮮:IO?7—+v,{jaF8jpsӱ-r-au?|>XuX3G]᦬~Ա ~Dky:nvrv\/Eٔײ5u?ZǼ~=̳34h܍"w)OrcI>M-9,Scv>0Qh_ My䇦h>})sŶ T:2mneN{ph@o@&_62tN}Jۿ`7 BN:Mfm0 *^nKZ)}zk}ڌk/)o=Rf@!>45MɥZ] PZ^45aMO:Zb6p_z"wTH}BH0ÍÍz?z)34yN_-[tS[Ӣ111`fSí> B|Bp~Y;\Qc7776OgAW'kˏt-! Vn6dܔ9 %)JS(?B#} KgՖ[2:_ȿ9&:fyS$MI~d%='Wt^w /1zLzl&f\x \98rh{8tjy?9~y7b =CXG]Y7 yd'Є IVMGXRic^o\I49hrF`rxxxyߝ1MhJД)TH4h6>i*T[T 7AڵA& _f!X<8X]?,vӇӲ>UޏP%|>("Y:+34AFV]r>XYjR"R]tɳDj6tJlRJr58GMu:f&φ!(IY-9eADJMrkgk*X] RNQG-z 2 =#cUV(ޑ¤P.*i%UB=99v2NW2/@efO"rfk/U YT%@r@gI hCc(Ys4jKؖFJy.E2X-.TB娸AZSYf-#0a WIøB#SJ~ƻ(N$@MGtT*ZxuҊY']@c{=JP PQy* 0HP݄ 撳DT*Jv(@Z 'ɹ"0-E/$*:oLPԀJiY*]srQ_[why3-1.6.0/examples/finger_trees.mlw000066400000000000000000000035611440160026300174240ustar00rootroot00000000000000 module FingerTrees use int.Int use list.List use list.Length use list.Append type digit 'a = | One 'a | Two 'a 'a | Three 'a 'a 'a | Four 'a 'a 'a 'a function d_m (b:digit 'a) : list 'a = match b with | One x -> Cons x Nil | Two y x -> Cons y (Cons x Nil) | Three z y x -> Cons z (Cons y (Cons x Nil)) | Four u z y x -> Cons u (Cons z (Cons y (Cons x Nil))) end type node 'a = | Node2 'a 'a | Node3 'a 'a 'a function node_cons (nd:node 'a) (l:list 'a) : list 'a = match nd with | Node2 x y -> Cons x (Cons y l) | Node3 x y z -> Cons x (Cons y (Cons z l)) end let lemma node_cons_app (nd:node 'a) (p q:list 'a) ensures { node_cons nd (p++q) = node_cons nd p ++ q } = match nd with Node2 _ _ -> [@keep_on_simp] () | _ -> () end function flatten (l:list (node 'a)) : list 'a = match l with | Nil -> Nil | Cons nd q -> node_cons nd (flatten q) end type t 'a = | Empty | Single (digit 'a) | Deep (digit 'a) (t (node 'a)) (digit 'a) function t_m (t:t 'a) : list 'a = match t with | Empty -> Nil | Single x -> d_m x | Deep l m r -> d_m l ++ flatten (t_m m) ++ d_m r end let d_cons (x:'a) (d:digit 'a) : (b: digit 'a, o: list (node 'a)) ensures { Cons x (d_m d) = d_m b ++ flatten o /\ length o <= 1 } = match d with | One y -> Two x y , Nil | Two y z -> Three x y z , Nil | Three y z t -> Four x y z t , Nil | Four y z t u -> Two x y , Cons (Node3 z t u) Nil end let rec cons (x:'a) (t:t 'a) : t 'a ensures { t_m result = Cons x (t_m t) } variant { t } = match t with | Empty -> Single (One x) | Single d -> Deep (One x) Empty d | Deep lf md rg -> let lf2 , rem = d_cons x lf in match rem with | Nil -> Deep lf2 md rg | Cons x q -> assert { q = Nil }; Deep lf2 (cons x md) rg end end end why3-1.6.0/examples/finger_trees/000077500000000000000000000000001440160026300166765ustar00rootroot00000000000000why3-1.6.0/examples/finger_trees/why3session.xml000066400000000000000000000015621440160026300217220ustar00rootroot00000000000000 why3-1.6.0/examples/finger_trees/why3shapes.gz000066400000000000000000000010141440160026300213320ustar00rootroot00000000000000n0<m{c0flDBVs0MPB&,MzX.ǿg1ˁ:s 6C>>̾l F_ V=p0 Ni{viR,yʪ;vH>QߛnE Tr rel e x function f t : t axiom range: forall x. mem x a -> mem (f x) a axiom monotone: forall x y. mem x a -> mem y a -> rel x y -> rel (f x) (f y) predicate fixpoint (x:t) = mem x a /\ f x = x end module Tarski_rec use set.Fset clone export Tarski with axiom . let lemma least_fix_point () : unit ensures {exists mu. fixpoint mu /\ forall x. fixpoint x -> rel mu x } = let rec ghost aux (x: t) (b: fset t) : t requires { mem x a /\ subset b a } requires { forall y. mem y a -> rel x y -> mem y b } requires { forall y. fixpoint y -> rel x y } requires { rel x (f x) } ensures { fixpoint result /\ forall x. fixpoint x -> rel result x } variant { cardinal b } = let y = f x in if x = y then x else aux y (remove x b) in let _witness = aux e a in () end module Tarski_while use set.Fset clone export Tarski with axiom . use ref.Ref let lemma least_fix_point () : unit ensures {exists mu. fixpoint mu /\ forall x. fixpoint x -> rel mu x } = let x = ref e in let b = ref a in while (f !x) <> !x do invariant { mem !x a /\ subset !b a} invariant { forall y. mem y a -> rel !x y -> mem y !b } invariant { forall y. fixpoint y -> rel !x y } invariant { rel !x (f !x) } variant { cardinal !b } b := remove !x !b; x := f !x done end why3-1.6.0/examples/finite_tarski/000077500000000000000000000000001440160026300170555ustar00rootroot00000000000000why3-1.6.0/examples/finite_tarski/why3session.xml000066400000000000000000000050341440160026300220770ustar00rootroot00000000000000 why3-1.6.0/examples/finite_tarski/why3shapes.gz000066400000000000000000000021121440160026300215110ustar00rootroot00000000000000WK6W6',aFNEQvJEI {h/Vo_ g̳DHݝ^M ˉI+]xCؽ.T6# azKDU&;彛,Az}i8^! '<([Qčb@;̌}n2c|IP!CCI[k.zEضv-| zp3)C8̌XP"ûF$9 p_^-4Ww+[{۽< a/8byJ9SVajmBQb&#krRWy{r}G&ߍ67U<*]`["?=Q js:=nS8x%jn-et0Wvگ؜]=ղ,{&۷ C#Y 0*uc=7:lOUd0tP^u,I)(+mWjn֫f#oVK7R 3p3 G^% a[k]=c (* We scan the array from left to right using [i] and we maintain the following invariant, using indices [b] and [r]: 0 b i r +---------+----------+-----------+-------+ | Blue | White | ? | Red | +---------+----------+-----------+-------+ *) let dutch_flag (a:array color) : unit ensures { exists b r: int. monochrome a 0 b Blue /\ monochrome a b r White /\ monochrome a r (length a) Red } ensures { permut_all (old a) a } = let b = ref 0 in let i = ref 0 in let r = ref (length a) in while !i < !r do invariant { 0 <= !b <= !i <= !r <= length a } invariant { monochrome a 0 !b Blue } invariant { monochrome a !b !i White } invariant { monochrome a !r (length a) Red } invariant { permut_all (old a) a } variant { !r - !i } match a[!i] with | Blue -> swap a !b !i; b := !b + 1; i := !i + 1 | White -> i := !i + 1 | Red -> r := !r - 1; swap a !r !i end done end why3-1.6.0/examples/flag/000077500000000000000000000000001440160026300151335ustar00rootroot00000000000000why3-1.6.0/examples/flag/why3session.xml000066400000000000000000000010661440160026300201560ustar00rootroot00000000000000 why3-1.6.0/examples/flag/why3shapes.gz000066400000000000000000000006461440160026300176010ustar00rootroot00000000000000SN@+S1&jpD#IW.%)%aJ1~wn鋂E{3'/SwE~Nɍ\NSKy&e :5J0Я&–%ʜ@!CP?nlP*q/kH6ڂ%3[$ -H[z0D c>D-xwٹy5ZS4Us@-!"+"E6a-fՊ%,KYE"?NNu~ҝrq 5nӌ^6ν66Cg$X#Aݮ) y0 !Hu5q5: /8_2 舵}G'}ݻnmlِS Vn\ntdz8Ghd z&/tQwhy3-1.6.0/examples/flag2.mlw000066400000000000000000000076271440160026300157520ustar00rootroot00000000000000(** {1 Dijkstra's "Dutch national flag"} Variant with number of occurrences instead of predicate [permut] *) module Flag use int.Int use map.Map use ref.Ref type color = Blue | White | Red let eq_color (c1 c2 :color) : bool ensures { result <-> c1 = c2 } = match c1,c2 with | Blue,Blue | Red,Red | White,White -> True | _,_ -> False end predicate monochrome (a: map int color) (i: int) (j: int) (c: color) = forall k: int. i <= k < j -> a[k]=c let rec function nb_occ (a: map int color) (i: int) (j: int) (c: color) : int variant { j - i } = if i >= j then 0 else if eq_color a[j-1] c then 1 + nb_occ a i (j-1) c else nb_occ a i (j-1) c let rec lemma nb_occ_split (a: map int color) (i j k: int) (c: color) requires { i <= j <= k } variant { k - j } ensures { nb_occ a i k c = nb_occ a i j c + nb_occ a j k c } = if k = j then () else nb_occ_split a i j (k-1) c let rec lemma nb_occ_ext (a1 a2: map int color) (i j: int) (c: color) requires { forall k: int. i <= k < j -> a1[k] = a2[k] } variant { j - i } ensures { nb_occ a1 i j c = nb_occ a2 i j c } = if i >= j then () else nb_occ_ext a1 a2 i (j-1) c lemma nb_occ_store_outside_up: forall a: map int color, i j k: int, c: color. i <= j <= k -> nb_occ (set a k c) i j c = nb_occ a i j c lemma nb_occ_store_outside_down: forall a: map int color, i j k: int, c: color. k < i <= j -> nb_occ (set a k c) i j c = nb_occ a i j c lemma nb_occ_store_eq_eq: forall a: map int color, i j k: int, c: color. i <= k < j -> a[k] = c -> nb_occ (set a k c) i j c = nb_occ a i j c let rec lemma nb_occ_store_eq_neq (a: map int color) (i j k: int) (c: color) requires { i <= k < j } requires { a[k] <> c } variant { j - k } ensures { nb_occ (set a k c) i j c = nb_occ a i j c + 1 } = if k = j - 1 then () else nb_occ_store_eq_neq a i (j-1) k c let lemma nb_occ_store_neq_eq (a: map int color) (i j k: int) (c c': color) requires { i <= k < j } requires { c <> c' } requires { a[k] = c } ensures { nb_occ (set a k c') i j c = nb_occ a i j c - 1 } = nb_occ_split a i k j c; nb_occ_split (set a k c') i k j c; nb_occ_split a k (k + 1) j c; nb_occ_split (set a k c') k (k+1) j c let lemma nb_occ_store_neq_neq (a: map int color) (i j k: int) (c c': color) requires { i <= k < j } requires { c <> c' } requires { a[k] <> c } ensures { nb_occ (set a k c') i j c = nb_occ a i j c } = nb_occ_split a i k j c; nb_occ_split (set a k c') i k j c; nb_occ_split a k (k + 1) j c; nb_occ_split (set a k c') k (k+1) j c use array.Array let swap (a:array color) (i: int) (j: int) : unit requires { 0 <= i < a.length } requires { 0 <= j < a.length } ensures { a[i] = old a[j] } ensures { a[j] = old a[i] } ensures { forall k: int. k <> i /\ k <> j -> a[k] = old a[k] } ensures { forall k1 k2: int, c: color. k1 <= i < k2 /\ k1 <= j < k2 -> nb_occ a.elts k1 k2 c = nb_occ (old a.elts) k1 k2 c } = let ai = a[i] in let aj = a[j] in a[i] <- aj; a[j] <- ai let dutch_flag (a:array color) ensures { (exists b: int. exists r: int. monochrome a.elts 0 b Blue /\ monochrome a.elts b r White /\ monochrome a.elts r a.length Red) } ensures { forall c: color. nb_occ a.elts 0 a.length c = nb_occ (old a.elts) 0 a.length c } = let b = ref 0 in let i = ref 0 in let r = ref a.length in while !i < !r do invariant { 0 <= !b <= !i <= !r <= a.length } invariant { monochrome a.elts 0 !b Blue } invariant { monochrome a.elts !b !i White } invariant { monochrome a.elts !r a.length Red } invariant { forall c: color. nb_occ a.elts 0 a.length c = nb_occ (old a.elts) 0 a.length c } variant { !r - !i } match a[!i] with | Blue -> swap a !b !i; b := !b + 1; i := !i + 1 | White -> i := !i + 1 | Red -> r := !r - 1; swap a !r !i end done end why3-1.6.0/examples/flag2/000077500000000000000000000000001440160026300152155ustar00rootroot00000000000000why3-1.6.0/examples/flag2/why3session.xml000066400000000000000000000043171440160026300202420ustar00rootroot00000000000000 why3-1.6.0/examples/flag2/why3shapes.gz000066400000000000000000000031631440160026300176600ustar00rootroot00000000000000Xn7}W[xq׈ B}4Xm9ҴߙWEpW]q|Xގυ)>DK:>~OLA׫p_4"}~O>~oC~?V,wpY.TڀTHQ@jpxL'ʏ {@rYUz~=@7L'$d*HӉ-D:isI:&t.ȗ ¢W{BNX"uJ R c ģRȹsrvv"" N KH6ChN- (靏hwD]b0-==>o&6lkLo{b݃xtX7oGi=A&dfwx|<ȑ=p?ؓc{XEyFC73ЍN;2A;F3`a4k6hZFmmo|{dNLPk(4JD'|$ ]ɅG&Qh ׂ~٣MgOnofkV;2a颙E6UhItm*|US/OLo{st a pR(P8OA1Jꌈ(m9bһRX>aA#u3ҮCSztzneЭ9~c`Z3XLRv=0'3uc a[i] <= a[result] } let x = ref 0 in let y = ref (length a - 1) in while !x <> !y do invariant { 0 <= !x <= !y < length a /\ forall i:int. 0 <= i < !x \/ !y < i < length a -> a[i] <= max a[!x] a[!y] } variant { !y - !x } if a[!x] <= a[!y] then x := !x+1 else y := !y-1 done; !x end why3-1.6.0/examples/foveoos11-cm/array_max/000077500000000000000000000000001440160026300204245ustar00rootroot00000000000000why3-1.6.0/examples/foveoos11-cm/array_max/why3session.xml000066400000000000000000000015301440160026300234430ustar00rootroot00000000000000 why3-1.6.0/examples/foveoos11-cm/array_max/why3shapes.gz000066400000000000000000000006111440160026300230620ustar00rootroot00000000000000}RN0+r*8Q{@H, ס}zpS $}=Kۍ}mv{<ܥE:IvL`e!=]a@ϰs2YX$<m.ˮ6!:B#vqܨqOVvҶ RS ijex+&29TRMEri ;aOp%J[,o3&֖vz|Gw.J?[26)tɒjc"Z#'dc&s81gapFH}7LuĬ'v+wru@xiъs+DuTD!Kqthp'p=2. It is known that at least two values stored in the array appear twice (i.e., there are at least two duplets). Implement and verify a program finding such two values. You may assume that the array contains values between 0 and n-1. *) module Duplets use int.Int use option.Option use ref.Ref use array.Array (* duplet in array a is a pair of indexes (i,j) in the bounds of array a such that a[i] = a[j] *) predicate is_duplet (a:array int) (i:int) (j:int) = 0 <= i < j < length a /\ a[i] = a[j] let predicate eq_opt (x:int) (o:option int) = match o with | None -> false | Some v -> v=x end exception Break (* (duplet a) returns the indexes (i,j) of a duplet in a. *) let duplet (a:array int) (except:option int) requires { 2 <= length a /\ exists i j:int. is_duplet a i j /\ not (eq_opt a[i] except) } ensures { let (i,j) = result in is_duplet a i j /\ not (eq_opt a[i] except) } = let res = ref (0,0) in try for i=0 to length a - 2 do invariant { forall k l:int. 0 <= k < i /\ k < l < length a -> not (eq_opt a[k] except) -> not (is_duplet a k l) } let v = a[i] in if eq_opt v except then () else for j=i+1 to length a - 1 do invariant { forall l:int. i < l < j -> not (is_duplet a i l) } if a[j] = v then begin res := (i,j); raise Break end done done; assert { forall i j:int. not (is_duplet a i j) }; absurd with Break -> !res end let duplets (a: array int) requires { 4 <= length a /\ exists i j k l:int. is_duplet a i j /\ is_duplet a k l /\ a[i] <> a[k] } ensures { let ((i,j),(k,l)) = result in is_duplet a i j /\ is_duplet a k l /\ a[i] <> a[k] } = let (i,j) = duplet a None in let (k,l) = duplet a (Some a[j]) in ((i,j),(k,l)) end why3-1.6.0/examples/foveoos11-cm/duplets/000077500000000000000000000000001440160026300201215ustar00rootroot00000000000000why3-1.6.0/examples/foveoos11-cm/duplets/why3session.xml000066400000000000000000000062311440160026300231430ustar00rootroot00000000000000 why3-1.6.0/examples/foveoos11-cm/duplets/why3shapes.gz000066400000000000000000000031631440160026300225640ustar00rootroot00000000000000Xێ6}Wm0^ؗz (lnlwHRrvlڢ=Gۇc.Z/{߇Ss׻ ZuaMtO_7Yp6úk]#=o]C_ҫd=esiqsYvz}=9UɷgoX!XdCPD[&2?_pZ l]ö;Nހ(C6)b=#`wzܫC(~uietA.҅8c3$\N+%?c8s'zGwsu sI) Y@FG|qv,=+9 ՎjR9ӇZrls KK]> h`FR x4 ޠn:vun3CtVٷBkҩ[H_9ת䬚KN؆O>-/6+XWq0+O~6W@'J^\'**,yÒ >h܄ZPXkV셲9g/[:mf4n[R7| 7A,S)r:bM<̦7f^9#'+ؑ| a{οq}Tŵ/2 N.y:*g=mxԏYBUc)|7`i )Ā%|ڳ~LMfsr6r,,9kHG}s{›|Ym~%<մ+}kY)ܛN"yJanm<9+=ϏR# dji^rg(i[ -JΊP,p9RzWUoHel Y&d[RM~{Z9Xz 21Kj0UcwfFmCjC7_T3t%?ˌ*nVpٰ4bW\~1qC7\ؐna;ϻt76Uߕ}t6_soENߓB/_  ˗}ō8D6"T%ݕWtYWqWjq0 Ȇ'")-ӎyT4H<'%({޾2NR08U%k)Dj gN.V ZFqa=DgYIa;#԰bFucJwFc!|Ns](t^Zr%*F;ȩ pNzΡ̩ʛV5:8"D-kӴ] ھ #10+SQiB(0u8C '`bhx%-$HicTmZ!ؤUS:[%8t <(UXlphǑhkP+M48%(  t teDȑ䱏s, Uҟ*AnCjBŌoQxgMhJD*J꤈J L*)~3Qq:J-"CcOųwhy3-1.6.0/examples/foveoos11-cm/tree_max.mlw000066400000000000000000000030271440160026300207700ustar00rootroot00000000000000(* COST Verification Competition. vladimir@cost-ic0701.org Challenge 2: Maximum in a tree Given: A non-empty binary tree, where every node carries an integer. Implement and verify a program that computes the maximum of the values in the tree. Please base your program on the following data structure signature: public class Tree { int value; Tree left; Tree right; } You may represent empty trees as null references or as you consider appropriate. *) theory BinTree use int.Int use int.MinMax type tree = Null | Tree int tree tree (* tests whether an integer v occurs in t *) predicate mem (v:int) (t:tree) = match t with | Null -> false | Tree x l r -> x=v \/ mem v l \/ mem v r end (* tests whether an integer is greater or equal to all values of a tree *) predicate ge_tree (v:int) (t:tree) = match t with | Null -> true | Tree x l r -> v >= x /\ ge_tree v l /\ ge_tree v r end lemma ge_trans : forall t:tree, x y:int. x >= y /\ ge_tree y t -> ge_tree x t end module TreeMax use int.Int use int.MinMax use BinTree let rec max_aux (t:tree) (acc:int) variant {t} ensures { ge_tree result t /\ result >= acc /\ (result = acc \/ mem result t) } = match t with | Null -> acc | Tree v l r -> max_aux l (max_aux r (MinMax.max v acc)) end let max (t: tree) requires { t <> Null } ensures { ge_tree result t /\ mem result t } = match t with | Null -> absurd | Tree v l r -> max_aux l (max_aux r v) end end why3-1.6.0/examples/foveoos11-cm/tree_max/000077500000000000000000000000001440160026300202455ustar00rootroot00000000000000why3-1.6.0/examples/foveoos11-cm/tree_max/tree_max_BinTree_ge_trans_1.v000066400000000000000000000034011440160026300257500ustar00rootroot00000000000000(* This file is generated by Why3's Coq driver *) (* Beware! Only edit allowed sections below *) Require Import ZArith. Require Import Rbase. Axiom Max_is_ge : forall (x:Z) (y:Z), (x <= (Zmax x y))%Z /\ (y <= (Zmax x y))%Z. Axiom Max_is_some : forall (x:Z) (y:Z), ((Zmax x y) = x) \/ ((Zmax x y) = y). Axiom Min_is_le : forall (x:Z) (y:Z), ((Zmin x y) <= x)%Z /\ ((Zmin x y) <= y)%Z. Axiom Min_is_some : forall (x:Z) (y:Z), ((Zmin x y) = x) \/ ((Zmin x y) = y). Axiom Max_x : forall (x:Z) (y:Z), (y <= x)%Z -> ((Zmax x y) = x). Axiom Max_y : forall (x:Z) (y:Z), (x <= y)%Z -> ((Zmax x y) = y). Axiom Min_x : forall (x:Z) (y:Z), (x <= y)%Z -> ((Zmin x y) = x). Axiom Min_y : forall (x:Z) (y:Z), (y <= x)%Z -> ((Zmin x y) = y). Axiom Max_sym : forall (x:Z) (y:Z), (y <= x)%Z -> ((Zmax x y) = (Zmax y x)). Axiom Min_sym : forall (x:Z) (y:Z), (y <= x)%Z -> ((Zmin x y) = (Zmin y x)). Inductive tree := | Null : tree | Tree : Z -> tree -> tree -> tree . Set Implicit Arguments. Fixpoint mem(v:Z) (t:tree) {struct t}: Prop := match t with | Null => False | (Tree x l r) => (x = v) \/ ((mem v l) \/ (mem v r)) end. Unset Implicit Arguments. Set Implicit Arguments. Fixpoint ge_tree(v:Z) (t:tree) {struct t}: Prop := match t with | Null => True | (Tree x l r) => (x <= v)%Z /\ ((ge_tree v l) /\ (ge_tree v r)) end. Unset Implicit Arguments. (* YOU MAY EDIT THE CONTEXT BELOW *) (* DO NOT EDIT BELOW *) Theorem ge_trans : forall (t:tree) (x:Z) (y:Z), ((y <= x)%Z /\ (ge_tree y t)) -> (ge_tree x t). (* YOU MAY EDIT THE PROOF BELOW *) induction t. intros; simpl; auto. intros x y. simpl. intros (H,(I,(J,K))). split; auto with zarith. split. apply IHt1 with (y:=y); auto with zarith. apply IHt2 with (y:=y); auto with zarith. Qed. (* DO NOT EDIT BELOW *) why3-1.6.0/examples/foveoos11-cm/tree_max/why3session.xml000066400000000000000000000017421440160026300232710ustar00rootroot00000000000000 why3-1.6.0/examples/foveoos11-cm/tree_max/why3shapes.gz000066400000000000000000000005731440160026300227120ustar00rootroot00000000000000UQn1 +rl9y @ZK+I[ ҿo^l\l3cg4<3vj:z&6s,[$\qwn8 (s5M\_wKcy]X2La!K68cU.;. fEoazvIg>$A"Wih "!B"sֻAP(AT"vFDCk[vCˀ|DSU]xDž!P  IbZ,K*Çpn$wRmU'(,\u\r@;ĭ 5jCŒ*0[/wb,qۢccofbT-%qswhy3-1.6.0/examples/foveoos11_challenge1.mlw000066400000000000000000000012621440160026300206510ustar00rootroot00000000000000 (* FoVeOOS 2011 verification competition http://foveoos2011.cost-ic0701.org/verification-competition Challenge 1 *) module Max use int.Int use ref.Refint use array.Array let max (a: array int) : int requires { length a > 0 } ensures { 0 <= result < length a } ensures { forall i. 0 <= i < length a -> a[i] <= a[result] } = let ref x = 0 in let ref y = (length a - 1) in while x <> y do invariant { 0 <= x <= y < length a } invariant { forall i. (0 <= i < x \/ y < i < length a) -> (a[i] <= a[y] \/ a[i] <= a[x]) } variant { y - x } if a[x] <= a[y] then incr x else decr y done; x end why3-1.6.0/examples/foveoos11_challenge1/000077500000000000000000000000001440160026300201275ustar00rootroot00000000000000why3-1.6.0/examples/foveoos11_challenge1/why3session.xml000066400000000000000000000010651440160026300231510ustar00rootroot00000000000000 why3-1.6.0/examples/foveoos11_challenge1/why3shapes.gz000066400000000000000000000006011440160026300225640ustar00rootroot00000000000000}QN0+|cS%/IlB }& JlnCߛ7׷{Ւiw=IM 5L0:~l ]bli"A ! 0 | Node l _ r -> 1 + size l + size r end lemma size_nonneg: forall t: tree. size t >= 0 predicate mem (x: int) (t: tree) = match t with | Empty -> false | Node l v r -> mem x l \/ x = v \/ mem x r end let rec maximum (t: tree) : int variant { size t } requires { t <> Empty } ensures { mem result t /\ forall x: int. mem x t -> x <= result } = match t with | Empty -> absurd | Node Empty v Empty -> v | Node Empty v s | Node s v Empty -> max (maximum s) v | Node l v r -> max (maximum l) (max v (maximum r)) end end why3-1.6.0/examples/foveoos11_challenge2/000077500000000000000000000000001440160026300201305ustar00rootroot00000000000000why3-1.6.0/examples/foveoos11_challenge2/foveoos11_challenge2_WP_MaximumTree_size_nonneg_1.v000066400000000000000000000030741440160026300317720ustar00rootroot00000000000000(* This file is generated by Why3's Coq driver *) (* Beware! Only edit allowed sections below *) Require Import ZArith. Require Import Rbase. Definition unit := unit. Parameter qtmark : Type. Parameter at1: forall (a:Type), a -> qtmark -> a. Implicit Arguments at1. Parameter old: forall (a:Type), a -> a. Implicit Arguments old. Axiom Max_is_ge : forall (x:Z) (y:Z), (x <= (Zmax x y))%Z /\ (y <= (Zmax x y))%Z. Axiom Max_is_some : forall (x:Z) (y:Z), ((Zmax x y) = x) \/ ((Zmax x y) = y). Axiom Min_is_le : forall (x:Z) (y:Z), ((Zmin x y) <= x)%Z /\ ((Zmin x y) <= y)%Z. Axiom Min_is_some : forall (x:Z) (y:Z), ((Zmin x y) = x) \/ ((Zmin x y) = y). Axiom Max_x : forall (x:Z) (y:Z), (y <= x)%Z -> ((Zmax x y) = x). Axiom Max_y : forall (x:Z) (y:Z), (x <= y)%Z -> ((Zmax x y) = y). Axiom Min_x : forall (x:Z) (y:Z), (x <= y)%Z -> ((Zmin x y) = x). Axiom Min_y : forall (x:Z) (y:Z), (y <= x)%Z -> ((Zmin x y) = y). Axiom Max_sym : forall (x:Z) (y:Z), (y <= x)%Z -> ((Zmax x y) = (Zmax y x)). Axiom Min_sym : forall (x:Z) (y:Z), (y <= x)%Z -> ((Zmin x y) = (Zmin y x)). Inductive tree := | Empty : tree | Node : tree -> Z -> tree -> tree . Set Implicit Arguments. Fixpoint size(t:tree) {struct t}: Z := match t with | Empty => 0%Z | (Node l _ r) => ((1%Z + (size l))%Z + (size r))%Z end. Unset Implicit Arguments. (* YOU MAY EDIT THE CONTEXT BELOW *) (* DO NOT EDIT BELOW *) Theorem size_nonneg : forall (t:tree), (0%Z <= (size t))%Z. (* YOU MAY EDIT THE PROOF BELOW *) induction t; intuition. unfold size; fold size; omega. Qed. (* DO NOT EDIT BELOW *) why3-1.6.0/examples/foveoos11_challenge2/why3session.xml000066400000000000000000000015241440160026300231520ustar00rootroot00000000000000 why3-1.6.0/examples/foveoos11_challenge2/why3shapes.gz000066400000000000000000000005641440160026300225750ustar00rootroot00000000000000}AO0 9NI&-bHӴiqem&v(ց_L|n޳}7k8A~p8=H'g"|ǢAH~ZφDntV쁣#5%j~FeÄӌIԙE4fQF!L"K< ii˭ 84dl\6Pd9͑NiVſ`tUlS KԤr0`P4P 9@3qug3:oT:rKSBTQѴv;\򡫤(PRіZWt 2u;/ac`why3-1.6.0/examples/foveoos11_challenge3.mlw000066400000000000000000000031271440160026300206550ustar00rootroot00000000000000 (* FoVeOOS 2011 verification competition http://foveoos2011.cost-ic0701.org/verification-competition Challenge 3 *) module TwoEqualElements use int.Int use ref.Refint use array.Array predicate appear_twice (a: array int) (v: int) (u: int) = exists i: int. 0 <= i < u /\ a[i] = v /\ exists j: int. 0 <= j < u /\ j <> i /\ a[j] = v let two_equal_elements (a: array int) (n: int) : (v1:int, v2:int) requires { length a = n+2 /\ n >= 2 } requires { forall i: int. 0 <= i < length a -> 0 <= a[i] < n } requires { exists v1: int. appear_twice a v1 (n+2) /\ exists v2: int. appear_twice a v2 (n+2) /\ v2 <> v1 } ensures { appear_twice a v1 (n+2) /\ appear_twice a v2 (n+2) /\ v1 <> v2 } = let deja_vu = make n False in let v1 = ref (-1) in let v2 = ref (-1) in for i = 0 to n+1 do invariant { !v1 = -1 -> !v2 = -1 } invariant { !v1 <> -1 -> appear_twice a !v1 i } invariant { !v2 <> -1 -> appear_twice a !v2 i /\ !v2 <> !v1 } invariant { forall v: int. 0 <= v < n -> if deja_vu[v]=True then exists j: int. 0 <= j < i /\ a[j] = v else forall j: int. 0 <= j < i -> a[j] <> v } invariant { !v1 = -1 -> forall v: int. 0 <= v < n -> not (appear_twice a v i) } invariant { !v2 = -1 -> forall v: int. 0 <= v < n -> v <> !v1 -> not (appear_twice a v i) } let v = a[i] in if deja_vu[v] then begin if !v1 = -1 then v1 := v else if !v2 = -1 && v <> !v1 then v2 := v end else deja_vu[v] <- True done; (!v1, !v2) end why3-1.6.0/examples/foveoos11_challenge3/000077500000000000000000000000001440160026300201315ustar00rootroot00000000000000why3-1.6.0/examples/foveoos11_challenge3/why3session.xml000066400000000000000000000232611440160026300231550ustar00rootroot00000000000000 why3-1.6.0/examples/foveoos11_challenge3/why3shapes.gz000066400000000000000000000126131440160026300225740ustar00rootroot00000000000000][o9r~_<{`/"ceq^nvVr$Yקxk}9=cǶ΃a5d}_XEvOœ{/O_@n~־ܑjUs+#ū WGnߺw#G~}Oy=j;{obw[wp{y|}so8}cs珸^^_Ѡ(BWݦ7 #BY=$PvrTݽ}doG}.`M9Έ+džpd:\B(p5w6zymiU`,kC)__hC6ڐ9r yRB17e9b4@N뛌XP1ar?LA4 {A/r) ]`s{F\Z80*X[][aK$?($cw24.2VN2oߍ r5Mco-YU:) PS0ŁGT!M8J!o~y|(> dg ]> 4> V> a/ }  p| ,iD{E+ VƉB4^D4UUaVeDk, U- de"T.LB4GF! hFZD3͂`hSR,拁FfqfĈ oi9sqdVȮH/0I2mj% ^B2 I*LŲAEtZI@`ՂYhˤ"bbF"?2&ߥ"[PQ4T e  M[Q?)n6y]lV 5Fش3F99ABK {~h&081Vb K)*JLc l71Xp*)?wu3d!=D5u@]du8I$2|*eWwW"Y*(RqueGקGUrw{hw]Ioo흿)f+߷&D{,s0I+2AR3"o4W)&/H)%fMyɒ)! K<6m*dg5W醐Ssc)^RysH2$s6˫76N^zkC8g6oRx,<{yߤ6xS[1\1;H18U;2XّJ_$[^/Nx)yn"N[liaRӽ{><1bӶ87(1t#%1<)Zrt!C?%i2]JJMI owMM>$uɹ9i@s{ILӺuM\Vl]A|l@_1 ـ9, ǽl>M?31toa/S.&W"8l+/[%~ȗ -4`:".:ɮjn(mЀNfH}\yi֛³7h GK6GKZbo4fe"5^dRe7?/ԀTGKZ(q- V}Lkc|oc| qәNg:=OSy~ؙ|gc8_,f6+YnѼjgHx! sUyU~.sx~}|c:ƅV?ƷO"~-ge9w,d˰ނZ?#ݬ-șfl6B-,CJ!6o3^;eNYYt<'?20;/U/;7E'yӣ? %Z$"w#Va$֑%fmd㙞O)΍ѩ`.)[6@jC]WV%.om$N´cDNSM"91!1ڬw$wsnNظW ǨH$/k]ԙm?3q@)r";I6n qZySa_`琙=vF_{_~ك8oIiٗ(|h_>)IIc V>~wKn _|p,\ e̯[>o)4G[\[U|BHs| iFXlaFV3t!53y!ɳ//>B"po*oo f#ʱ훝}e|=u*/MIe!R_EKm}bo߰߾z^jؾ#tE )ށEE -7.&՛ g▻/»9ڙy'|d3>G7 \#7m4?M[BnnLw\F4e9 5xL'Jv秕ɱ> z|qѹK-{m3e,Cn\_\PP Xs/ Ł)h#mE!yw}O0c0=e͛{`ΟN,÷Ȱ =$o<;Y8 Obh~GCM m~CF7kwm"6 ;16炌x w9wE~eP,e{F/ lkD?[l`$#s7Fzl#0lZg#IJؚ_@ 0sfCy>r<}8}^"=7!B'c Sae$8[}?ήotoךMx/'5kM5q_}ouoݻLJ#NP!0wi"E|[7 #wF=9b )L =k'p^2P4H3 ezc8hr8֤L?i nF5kG$eZSz2peĥA!lT9Ɇ15$rPHu=hfTpLjCo~"l]6LqRHӞS Pk蝑 4MKQQFb)vrӁ8z @+3v#z2(>~6 & ٛ`Fsk@M3|`tm!zz5r딜Q*T'fM  a;i̋ CF@ `9)@Ϭ1Z.){bb4Z!uŸ9pq890s`ԁ=0rs}uyq~!aTw*F8ÈeFy/Ypy4CX@{!{3{9!uA1ptY?($ acP tD"YsRCcG$N 3kGFF=X"z+FFIF сDЃ NHPTA,)6"} Ö$ #R h(mIb1p AB~ #ɝP!Fj@d)ӈ]}Gi`PBSG y 2^/AhP4AX+TBJ!v\0JRw$(q$qb`C!Vh 4 N 16XE:7`n콖IĪd`iE8ա{)0`͠'%XB6<4{h4[i.Q h\C#*vYG{:3LL1a4R h~q^c@r x7 ] !a⽯g%qpcoDZ qn&@Z 4ᔄ#F'$6NN#NJwH +ιN;|Q v!FEݨFq 24MYMN"-crY <' Bp2ALwFsXN 钁Ү E#BpmL#F2w~ܤFZW˃Q+ `)ho%G+; ;(~Bár?c8ݺlL "O4/DniJp:nӅC8 jƑ_}VԻ ~̥why3-1.6.0/examples/gcd.mlw000066400000000000000000000056531440160026300155110ustar00rootroot00000000000000 (* Greatest common divisor, using the Euclidean algorithm *) module EuclideanAlgorithm use mach.int.Int use number.Gcd let rec euclid (u v: int) : int variant { v } requires { u >= 0 /\ v >= 0 } ensures { result = gcd u v } = if v = 0 then u else euclid v (u % v) end module EuclideanAlgorithmIterative use mach.int.Int use ref.Ref use number.Gcd let euclid (u0 v0: int) : int requires { u0 >= 0 /\ v0 >= 0 } ensures { result = gcd u0 v0 } = let ref u = u0 in let ref v = v0 in while v <> 0 do invariant { u >= 0 /\ v >= 0 } invariant { gcd u v = gcd u0 v0 } variant { v } let tmp = v in v <- u % v; u <- tmp done; u end module BinaryGcd use mach.int.Int use number.Parity use number.Gcd lemma even1: forall n: int. 0 <= n -> even n <-> n = 2 * div n 2 lemma odd1: forall n: int. 0 <= n -> not (even n) <-> n = 2 * div n 2 + 1 lemma div_nonneg: forall n: int. 0 <= n -> 0 <= div n 2 use number.Coprime lemma gcd_even_even: forall u v: int. 0 <= v -> 0 <= u -> gcd (2 * u) (2 * v) = 2 * gcd u v lemma gcd_even_odd: forall u v: int. 0 <= v -> 0 <= u -> gcd (2 * u) (2 * v + 1) = gcd u (2 * v + 1) lemma gcd_even_odd2: forall u v: int. 0 <= v -> 0 <= u -> even u -> odd v -> gcd u v = gcd (div u 2) v lemma odd_odd_div2: forall u v: int. 0 <= v -> 0 <= u -> div ((2*u+1) - (2*v+1)) 2 = u - v let lemma gcd_odd_odd (u v: int) requires { 0 <= v <= u } ensures { gcd (2 * u + 1) (2 * v + 1) = gcd (u - v) (2 * v + 1) } = assert { gcd (2 * u + 1) (2 * v + 1) = gcd ((2*u+1) - 1*(2*v+1)) (2 * v + 1) } lemma gcd_odd_odd2: forall u v: int. 0 <= v <= u -> odd u -> odd v -> gcd u v = gcd (div (u - v) 2) v let rec binary_gcd (u v: int) : int variant { v, u } requires { u >= 0 /\ v >= 0 } ensures { result = gcd u v } = if v > u then binary_gcd v u else if v = 0 then u else if mod u 2 = 0 then if mod v 2 = 0 then 2 * binary_gcd (u / 2) (v / 2) else binary_gcd (u / 2) v else if mod v 2 = 0 then binary_gcd u (v / 2) else binary_gcd ((u - v) / 2) v end (** With machine integers. Note that we assume parameters u, v to be nonnegative. Otherwise, for u = v = min_int, the gcd could not be represented. *) (* does not work with extraction driver ocaml64 module EuclideanAlgorithm31 use mach.int.Int31 use number.Gcd let rec euclid (u v: int31) : int31 variant { to_int v } requires { u >= 0 /\ v >= 0 } ensures { result = gcd u v } = if v = 0 then u else euclid v (u % v) end *) module EuclideanAlgorithm63 use mach.int.Int63 use number.Gcd let rec euclid (u v: int63) : int63 variant { to_int v } requires { u >= 0 /\ v >= 0 } ensures { result = gcd u v } = if v = 0 then u else euclid v (u % v) end why3-1.6.0/examples/gcd/000077500000000000000000000000001440160026300147575ustar00rootroot00000000000000why3-1.6.0/examples/gcd/Makefile000066400000000000000000000025611440160026300164230ustar00rootroot00000000000000 BENCH ?= no ifeq ($(BENCH),yes) WHY3=../../bin/why3.opt WHY3SHARE=../../share else ifeq ($(BINDIR),) WHY3=why3 else WHY3=$(BINDIR)/why3 endif WHY3SHARE=$(shell $(WHY3) --print-datadir) endif include $(WHY3SHARE)/Makefile.config ifeq ($(BENCH),yes) INCLUDE += -I ../../lib/why3 endif MAIN=main GEN=euclideanAlgorithm63 OBJ=$(GEN) GENML = $(addsuffix .ml, $(GEN)) ML = $(addsuffix .ml, $(OBJ)) CMO = $(addsuffix .cmo, $(OBJ)) CMX = $(addsuffix .cmx, $(OBJ)) OCAMLOPT=ocamlopt -noassert -inline 1000 all: $(MAIN).$(OCAMLBEST) extract: $(GENML) doc: $(WHY3) doc ../gcd.mlw $(WHY3) session html . $(MAIN).opt: $(CMX) $(MAIN).cmx $(OCAMLOPT) $(INCLUDE) $(BIGINTLIB).cmxa -o $@ $^ $(MAIN).cmx: $(CMX) $(GENML): ../gcd.mlw $(WHY3) extract -D ocaml64 -L .. -o $@ gcd.EuclideanAlgorithm63 %.cmx: %.ml $(OCAMLOPT) $(INCLUDE) -annot -c $< clean:: rm -f $(GENML) *.cm[xio] *.o *.annot $(MAIN).opt $(MAIN).byte rm -f gcd__*.ml* # javascript JSMAIN=jsmain JSOCAMLC=ocamlfind ocamlc -package js_of_ocaml -package js_of_ocaml-ppx -package js_of_ocaml-lwt $(JSMAIN).js: $(JSMAIN).byte js_of_ocaml --pretty --noinline $(JSMAIN).byte $(JSMAIN).byte: $(ML) jsmain.ml $(JSOCAMLC) $(INCLUDE) -o $@ -linkpkg $^ %.cmo: %.ml $(JSOCAMLC) $(INCLUDE) -annot -c $< %.cmi: %.mli $(JSOCAMLC) $(INCLUDE) -annot -c $< clean:: rm -f *.cm[io] $(NAME).byte $(NAME).js why3-1.6.0/examples/gcd/gcd_BinaryGcd_gcd_even_odd_2.v000066400000000000000000000031761440160026300225350ustar00rootroot00000000000000(* This file is generated by Why3's Coq driver *) (* Beware! Only edit allowed sections below *) Require Import BuiltIn. Require BuiltIn. Require int.Int. Require int.Abs. Require int.EuclideanDivision. Require int.ComputerDivision. Require number.Parity. Require number.Divisibility. Require number.Gcd. Require number.Prime. Require number.Coprime. (* Why3 assumption *) Definition lt_nat (x:Z) (y:Z): Prop := (0%Z <= y)%Z /\ (x < y)%Z. (* Why3 assumption *) Inductive lex: (Z* Z)%type -> (Z* Z)%type -> Prop := | Lex_1 : forall (x1:Z) (x2:Z) (y1:Z) (y2:Z), (lt_nat x1 x2) -> (lex (x1, y1) (x2, y2)) | Lex_2 : forall (x:Z) (y1:Z) (y2:Z), (lt_nat y1 y2) -> (lex (x, y1) (x, y2)). Axiom even1 : forall (n:Z), (0%Z <= n)%Z -> ((number.Parity.even n) <-> (n = (2%Z * (ZArith.BinInt.Z.quot n 2%Z))%Z)). Axiom odd1 : forall (n:Z), (0%Z <= n)%Z -> ((~ (number.Parity.even n)) <-> (n = ((2%Z * (ZArith.BinInt.Z.quot n 2%Z))%Z + 1%Z)%Z)). Axiom div_nonneg : forall (n:Z), (0%Z <= n)%Z -> (0%Z <= (ZArith.BinInt.Z.quot n 2%Z))%Z. Axiom gcd_even_even : forall (u:Z) (v:Z), (0%Z <= v)%Z -> ((0%Z <= u)%Z -> ((number.Gcd.gcd (2%Z * u)%Z (2%Z * v)%Z) = (2%Z * (number.Gcd.gcd u v))%Z)). (* Why3 goal *) Theorem gcd_even_odd : forall (u:Z) (v:Z), (0%Z <= v)%Z -> ((0%Z <= u)%Z -> ((number.Gcd.gcd (2%Z * u)%Z ((2%Z * v)%Z + 1%Z)%Z) = (number.Gcd.gcd u ((2%Z * v)%Z + 1%Z)%Z))). (* Why3 intros u v h1 h2. *) intros u v h1 h2. rewrite Gcd.Comm. rewrite number.Coprime.gcd_coprime. now rewrite Gcd.Comm. unfold Coprime.coprime. rewrite <- Gcd.Gcd_computer_mod; auto with zarith. rewrite ComputerDivision.Mod_mult; auto with zarith. Qed. why3-1.6.0/examples/gcd/index.html000066400000000000000000000006011440160026300167510ustar00rootroot00000000000000 Gcd

    Gcd

    Enter numbers in the text area below

    why3-1.6.0/examples/gcd/jsmain.ml000066400000000000000000000035031440160026300165730ustar00rootroot00000000000000 (* computation part *) let compute_result text = try let a,b = Scanf.sscanf text "%d %d" (fun x y -> x,y) in string_of_int (EuclideanAlgorithm63.euclid a b) with _ -> "exception" (* HTML rendering *) module Html = Js_of_ocaml.Dom_html module Js = Js_of_ocaml.Js module Dom = Js_of_ocaml.Dom let node x = (x : #Dom.node Js.t :> Dom.node Js.t) let (<|) e l = List.iter (fun c -> Dom.appendChild e c) l; node e let html_of_string (d : Html.document Js.t) (s:string) = d##createElement (Js.string "p") <| [node (d##createTextNode (Js.string s))] let replace_child p n = Js.Opt.iter (p##.firstChild) (fun c -> Dom.removeChild p c); Dom.appendChild p n let onload (_event : #Html.event Js.t) : bool Js.t = let d = Html.document in let body = Js.Opt.get (d##getElementById(Js.string "test")) (fun () -> assert false) in let textbox = Html.createTextarea d in textbox##.rows := 20; textbox##.cols := 100; let preview = Html.createDiv d in preview##.style##.border := Js.string "1px black"; preview##.style##.padding := Js.string "5px"; Dom.appendChild body textbox; Dom.appendChild body (Html.createBr d); Dom.appendChild body preview; let rec dyn_preview old_text n = let text = Js.to_string (textbox##.value) in let n = if text <> old_text then begin begin try let rendered = html_of_string d (compute_result text) in replace_child preview rendered with _ -> () end; 20 end else max 0 (n - 1) in Lwt.bind (Js_of_ocaml_lwt.Lwt_js.sleep (if n = 0 then 0.5 else 0.1)) (fun () -> dyn_preview text n) in let (_ : 'a Lwt.t) = dyn_preview "" 0 in Js._false let (_ : unit) = Html.window##.onload := Html.handler onload why3-1.6.0/examples/gcd/main.ml000066400000000000000000000013631440160026300162400ustar00rootroot00000000000000 open Format let () = printf "%d@." (EuclideanAlgorithm63.euclid (int_of_string Sys.argv.(1)) (int_of_string Sys.argv.(2))) (* let usage () = eprintf "Reduction of combinator terms@."; eprintf "Usage: %s @." Sys.argv.(0); exit 2 let input = if Array.length Sys.argv <> 2 then usage (); Sys.argv.(1) let input_term = if input = "go" then let i = Vstte12_combinators__Combinators.i in Vstte12_combinators__Combinators.App(i,i) else try Parse.parse_term input with _ -> begin eprintf "syntax error@."; usage () end let () = let a = Vstte12_combinators__Combinators.reduction input_term in printf "The normal form of %a is %a@." Parse.pr input_term Parse.pr a *) why3-1.6.0/examples/gcd/why3session.xml000066400000000000000000000164731440160026300200120ustar00rootroot00000000000000 why3-1.6.0/examples/gcd/why3shapes.gz000066400000000000000000000046051440160026300174240ustar00rootroot00000000000000YYo~_1o:0Q$ B`^ z.`=4n n6YWŪ"[]?_ּ~Cx$O]nK}OiO*\/_u}rs ?nՖ6wIlr.(hp Ww\M eFDфj2;#nsgHnD oܖ/M~/|q| ,zd@뚹'f`x߲δgL"I2zBy(W;~سQSӞL# M,)dSlKj'f P?znuᰠuuډa~vdD֣9^G:ӁOxI͗yޜ JSR>gEjg6SR4Z6=]f3%{2hCHơd:ߟA=y"I.ó6 ևXQ"|*> N#vm߯ԓ@i.*4ۃL$N -9g؋6ѱNt#w6wHz6!/?jwiԾN׷^[F{Xt~yYTeZχ }UܔOwbꉻpG__ߖ<=&G!gO sr`\RFM,{'/%te5򌚇c5>/Z>CChKS4 ޏ'97`7uX^~NhxK:YH%7~a)6M{%}%xLNՎ4Δ K:'ʕncA=iBǛ#Q)އI'@8BzVu'k}> ھ}<'cdz]h_`&@w<M<ܟA}fKp?W7:y[?ǙY`;VpߎwqMћE:j=6}5cd|ь?"p;Y_>>7e;A?jwWU]kzev(+~}}c΋g ;?}r)WQȢxU)!n%zS5IY1!iMXL4SRl5N,dgV\)T7(DNY՞f+rQH^*LVV++ʺBivxDĪrbM.PE%ID+>UA*!:F6M6"'i)D,ȰAgu֛\.d'6lS vx֡dm)h$uz>adcU .B[r14k)\E'뒣V2訄b#sJw.wњ p%j2TՊ(@g=.ZR` kGEDJ$@ga|%RԀn̒# j †&)T YYr^K7HE c6BX#fHh:%% D,%ry(#C"̃KLdTIRfɒQ-3(Z"U:hVbDp٠1}T!ĂLF8)OEi6,RNE .U_)%@\T fb,1! cѤ"2Z%ECE9F Dg%ڝL1DbSq %SEDesb,)*eQ# 7LU׀l]m-:!eQK$E- J*Ԡ F5jgfIwCJ~QG z1IX౸z1Ez+ @6|ՑXb,J 2U鰺fQR(KиxЀ 0(OcͩFy#,ڂzIb7ɵ0RTE XL@ FF F~„X޼-fՠvOyeWLW`M`"$L`ʝXUEWG\(Q Eޫ4X1? m՘Ca, eJ.؛˚&why3-1.6.0/examples/gcd_bezout.mlw000066400000000000000000000017241440160026300170740ustar00rootroot00000000000000 (** {1 Greatest common divisor, with Bézout coefficients} *) module GcdBezout use int.Int use int.ComputerDivision use number.Gcd use ref.Ref let gcd (x y: int) : (result: int, ghost a: int, ghost b: int) requires { x >= 0 /\ y >= 0 } ensures { result = gcd x y } ensures { a*x + b*y = result } = let x = ref x in let y = ref y in label Pre in let ghost a = ref 1 in let ghost b = ref 0 in let ghost c = ref 0 in let ghost d = ref 1 in while !y > 0 do invariant { !x >= 0 /\ !y >= 0 } invariant { gcd !x !y = gcd (!x at Pre) (!y at Pre) } invariant { !a * (!x at Pre) + !b * (!y at Pre) = !x } invariant { !c * (!x at Pre) + !d * (!y at Pre) = !y } variant { !y } let r = mod !x !y in let ghost q = div !x !y in x := !y; y := r; let ghost ta = !a in let ghost tb = !b in a := !c; b := !d; c := ta - !c * q; d := tb - !d * q; done; !x, !a, !b end why3-1.6.0/examples/gcd_bezout/000077500000000000000000000000001440160026300163475ustar00rootroot00000000000000why3-1.6.0/examples/gcd_bezout/why3session.xml000066400000000000000000000052011440160026300213650ustar00rootroot00000000000000 why3-1.6.0/examples/gcd_bezout/why3shapes.gz000066400000000000000000000016561440160026300210170ustar00rootroot00000000000000SnG }W[[{a [S[+Ա\I1/9땜&.pxyΌc= Ou~pˊnoU_/zv[z8r=+_*W3) in\89$$%!%{ngyPG#2>EJ@YTd>pGEwaM7 fRҡbp:-cu(U dqgstޞ;]L{;A,a Y dRѧ/UsJ qt!t{.[d휵Nf=KKr1+|$5'&T0 wnsdddd4'@CdyxgL6 +9.w/'^D)иMOVqIF^R>ݕs!+o҆>%]od?_\=$!~TgWv2.W\&Y/>Ӛ`IAO[Rc /եuDk|wYRˆf5>~`sVl(\W!AaU$׌6[P(R{tZGaT+.بcI!+MTR4,ҪAd*ui\*i.bR!fJ%S #\^,UH,P1U'Kr\ #1a,GjO:7L1?HhBN5QƉk 1#ˆj8Ban]$[i^k)\RA[IY~_)` `JutዴчeM ![K K)JRӹalX.Ԝ"}uզjh3$ŌK,0`j1@!c-Ոq 2R*?I Zs:9 ( od(owhy3-1.6.0/examples/gcd_bezout_vc_sp.mlw000066400000000000000000000017351440160026300202700ustar00rootroot00000000000000 (** {1 Greatest common divisor, with Bézout coefficients} *) module GcdBezout use int.Int use int.ComputerDivision use number.Gcd use ref.Ref let gcd (x:int) (y:int) requires { x >= 0 /\ y >= 0 } ensures { result = gcd x y } ensures { exists a b:int. a*x+b*y = result } = [@vc:sp] let x = ref x in let y = ref y in label Pre in let ghost a = ref 1 in let ghost b = ref 0 in let ghost c = ref 0 in let ghost d = ref 1 in while (!y > 0) do invariant { !x >= 0 /\ !y >= 0 } invariant { gcd !x !y = gcd (!x at Pre) (!y at Pre) } invariant { !a * (!x at Pre) + !b * (!y at Pre) = !x } invariant { !c * (!x at Pre) + !d * (!y at Pre) = !y } variant { !y } let r = mod !x !y in let ghost q = div !x !y in assert { r = !x - q * !y }; x := !y; y := r; let ghost ta = !a in let ghost tb = !b in a := !c; b := !d; c := ta - !c * q; d := tb - !d * q; done; !x end why3-1.6.0/examples/gcd_bezout_vc_sp/000077500000000000000000000000001440160026300175415ustar00rootroot00000000000000why3-1.6.0/examples/gcd_bezout_vc_sp/why3session.xml000066400000000000000000000054451440160026300225710ustar00rootroot00000000000000 why3-1.6.0/examples/gcd_bezout_vc_sp/why3shapes.gz000066400000000000000000000020101440160026300221720ustar00rootroot00000000000000Xm#7 >b`[-Ґ@Oe ,I's})ڻۃ8#k%[zy!|<?C U}(vw$t;n&blupxg]A}Q%p6Yax4|)ߎI-[fuтmZpUXb&1"-(9̼,YtD_҇c? <\X`_Ap4#֜D?>z)g+锏@0W!]T4cDƏܠfc: +cCswvk2l[LnJq]%9f:Ťٟr;n^ \?ypkG8]zs/Vvʥ+@W+Ǹ+qҫoW+/|Mr8{ R68$58~.&zmM$=aFj,NDlC_SnYW3z` ΑkH0.Ǥg:ֲL<7ן3*ັDzdpz43.\ͤz\>_Wo|/ct`ZIKD|! .YAA%BdÇʨ 5=lDgBOP+8g g#ȕ(AaV;pBKl$;abBR*)@V Q!e W{#=@FuIX4j/y?}"89t&k #dJ* D6#BaF" f3xcU\؀,Dр)DRDrI )4E("$R\rq)43 rIJt2$@]*;-d dccYTET֘Mu' (H$Xt 15(0`7`:^ d## wG 43 M5why3-1.6.0/examples/gcd_vc_sp.mlw000066400000000000000000000057321440160026300167010ustar00rootroot00000000000000 (** Greatest common divisor, using the Euclidean algorithm *) module EuclideanAlgorithm use mach.int.Int use number.Gcd let rec euclid (u v: int) : int variant { v } requires { u >= 0 /\ v >= 0 } ensures { result = gcd u v } = [@vc:sp] if v = 0 then u else euclid v (u % v) end module EuclideanAlgorithmIterative use mach.int.Int use ref.Ref use number.Gcd let euclid (u0 v0: int) : int requires { u0 >= 0 /\ v0 >= 0 } ensures { result = gcd u0 v0 } = [@vc:sp] let u = ref u0 in let v = ref v0 in while !v <> 0 do invariant { !u >= 0 /\ !v >= 0 } invariant { gcd !u !v = gcd u0 v0 } variant { !v } let tmp = !v in v := !u % !v; u := tmp done; !u end module BinaryGcd use mach.int.Int use number.Parity use number.Gcd lemma even1: forall n: int. 0 <= n -> even n <-> n = 2 * div n 2 lemma odd1: forall n: int. 0 <= n -> not (even n) <-> n = 2 * div n 2 + 1 lemma div_nonneg: forall n: int. 0 <= n -> 0 <= div n 2 use number.Coprime lemma gcd_even_even: forall u v: int. 0 <= v -> 0 <= u -> gcd (2 * u) (2 * v) = 2 * gcd u v lemma gcd_even_odd: forall u v: int. 0 <= v -> 0 <= u -> gcd (2 * u) (2 * v + 1) = gcd u (2 * v + 1) lemma gcd_even_odd2: forall u v: int. 0 <= v -> 0 <= u -> even u -> odd v -> gcd u v = gcd (div u 2) v lemma odd_odd_div2: forall u v: int. 0 <= v -> 0 <= u -> div ((2*u+1) - (2*v+1)) 2 = u - v let lemma gcd_odd_odd (u v: int) requires { 0 <= v <= u } ensures { gcd (2 * u + 1) (2 * v + 1) = gcd (u - v) (2 * v + 1) } = assert { gcd (2 * u + 1) (2 * v + 1) = gcd ((2*u+1) - 1*(2*v+1)) (2 * v + 1) } lemma gcd_odd_odd2: forall u v: int. 0 <= v <= u -> odd u -> odd v -> gcd u v = gcd (div (u - v) 2) v let rec binary_gcd (u v: int) : int variant { v, u } requires { u >= 0 /\ v >= 0 } ensures { result = gcd u v } = [@vc:sp] if v > u then binary_gcd v u else if v = 0 then u else if mod u 2 = 0 then if mod v 2 = 0 then 2 * binary_gcd (u / 2) (v / 2) else binary_gcd (u / 2) v else if mod v 2 = 0 then binary_gcd u (v / 2) else binary_gcd ((u - v) / 2) v end (** With machine integers. Note that we assume parameters u, v to be nonnegative. Otherwise, for u = v = min_int, the gcd could not be represented. *) (* does not work with extraction driver ocaml64 module EuclideanAlgorithm31 use mach.int.Int31 use number.Gcd let rec euclid (u v: int31) : int31 variant { to_int v } requires { u >= 0 /\ v >= 0 } ensures { result = gcd u v } = if v = 0 then u else euclid v (u % v) end *) module EuclideanAlgorithm63 use mach.int.Int63 use number.Gcd let rec euclid (u v: int63) : int63 variant { to_int v } requires { u >= 0 /\ v >= 0 } ensures { result = gcd u v } = [@vc:sp] if v = 0 then u else euclid v (u % v) end why3-1.6.0/examples/gcd_vc_sp/000077500000000000000000000000001440160026300161515ustar00rootroot00000000000000why3-1.6.0/examples/gcd_vc_sp/gcd_vc_sp_BinaryGcd_gcd_even_odd_1.v000066400000000000000000000031411440160026300251100ustar00rootroot00000000000000(* This file is generated by Why3's Coq driver *) (* Beware! Only edit allowed sections below *) Require Import BuiltIn. Require BuiltIn. Require int.Int. Require int.Abs. Require int.EuclideanDivision. Require int.ComputerDivision. Require number.Parity. Require number.Divisibility. Require number.Gcd. Require number.Prime. Require number.Coprime. (* Why3 assumption *) Definition lt_nat (x:Z) (y:Z): Prop := (0%Z <= y)%Z /\ (x < y)%Z. (* Why3 assumption *) Inductive lex: (Z* Z)%type -> (Z* Z)%type -> Prop := | Lex_1 : forall (x1:Z) (x2:Z) (y1:Z) (y2:Z), (lt_nat x1 x2) -> (lex (x1, y1) (x2, y2)) | Lex_2 : forall (x:Z) (y1:Z) (y2:Z), (lt_nat y1 y2) -> (lex (x, y1) (x, y2)). Axiom even1 : forall (n:Z), (0%Z <= n)%Z -> ((number.Parity.even n) <-> (n = (2%Z * (ZArith.BinInt.Z.quot n 2%Z))%Z)). Axiom odd1 : forall (n:Z), (0%Z <= n)%Z -> ((~ (number.Parity.even n)) <-> (n = ((2%Z * (ZArith.BinInt.Z.quot n 2%Z))%Z + 1%Z)%Z)). Axiom div_nonneg : forall (n:Z), (0%Z <= n)%Z -> (0%Z <= (ZArith.BinInt.Z.quot n 2%Z))%Z. Axiom gcd_even_even : forall (u:Z) (v:Z), (0%Z <= v)%Z -> ((0%Z <= u)%Z -> ((number.Gcd.gcd (2%Z * u)%Z (2%Z * v)%Z) = (2%Z * (number.Gcd.gcd u v))%Z)). (* Why3 goal *) Theorem gcd_even_odd : forall (u:Z) (v:Z), (0%Z <= v)%Z -> ((0%Z <= u)%Z -> ((number.Gcd.gcd (2%Z * u)%Z ((2%Z * v)%Z + 1%Z)%Z) = (number.Gcd.gcd u ((2%Z * v)%Z + 1%Z)%Z))). intros u v h1 h2. rewrite Gcd.Comm. rewrite number.Coprime.gcd_coprime. now rewrite Gcd.Comm. unfold Coprime.coprime. rewrite <- Gcd.Gcd_computer_mod; auto with zarith. rewrite ComputerDivision.Mod_mult; auto with zarith. Qed. why3-1.6.0/examples/gcd_vc_sp/why3session.xml000066400000000000000000000151571440160026300212020ustar00rootroot00000000000000 why3-1.6.0/examples/gcd_vc_sp/why3shapes.gz000066400000000000000000000044421440160026300206150ustar00rootroot00000000000000YYo7~ׯ7;^*Er,byYs3H"9"nG,l+::X}η|s{ǎv;=ԋ.w=g?6]+Dqy>Q罍P{5]vֺ8_|?قw|jSm懈~8(48ڪnV^jW#G׃UɐȯǑ&Wy텿N Fٿ8:ۃ;䯘p/KW./,ޭ珷0״p^!\ McpAV\yw{Dҵ4OuJ4E\z=ġi69]&[qj?1\Ꮋ/p.kFۢ6Rڪmh >h|P]_ j9_v\|F/5XVVc6wZwi9b_C~cXhpOyZIЇJúZ>,_oj/Yn_Vqyy]j}(Ps__4kߟMùדWOL6J<go/8:hmL<#kȬx=ȩчYӜUq-A?a}+/ah\8ƙihlj.BE3Qew1?=i3yl3OKӌ7%K;0Gj8hT*.80eDHG$؀,dqlw =DgFd}ڷD g.p\/z̑f+^jJ gz* oH㤒=l48 Ly w&Zd|RZj '܌ 78(2bhpSO9F4SŦQ?ק׸lQXGopqVj qpuG _hbq%X]skP~ ->;7Ɂ.V5.KX k640wCvVt6}s|5k8-v^vbμ(SF.^%Ec(gfA'ΔTژX4HQ,ºb|LxVl)P6:b J8!Hvg.jdq}B9̤-)Q<b`lHI$]e(@ ^%T,bmȚL@gGgu$/ Bvff EfBʀ -س FaJWA IR1;хD:)EIb ౔61:l&"RZ{u1Ūr-4*T"b/9j3#-](v%l$wY@oJH$^9e! ;mYv!  CFa(3dO` Gaq\:97TY۲\7\M&"*i uhb!v'bES1.H?O4V4Y-KV~&y-(ZjD~u)eAͅ] $unQȘT$=U^)/EqAxf:\އ̫-ha# `xanO7EcqbD'[Œ =+r [ :f6!S!/"fe,&@|k+$wd0)#DmHU7$Qv]Qr\㪘Y ;B1["C"`u".(b(Dj-ʆTȐ*8O$-X'ꊸMYX D(І)W9J~+;:7pa1ǔ5G}TNAD']'*E@bQ" nfWt:;0HlzOit%= 4N&;tS戸%p %)eAA__42xS h.+ZyDe7r Oq'jc4"ԑ>:R[f$ ''6'\Ý &L$why3-1.6.0/examples/generate_all_trees.mlw000066400000000000000000000053011440160026300205660ustar00rootroot00000000000000 (* Generate all binary trees of size n. Given n, the program return an array a of size n+1 such that a[i] contains the list of all binary trees of size i. TODO: tail-recursive version of combine *) module GenerateAllTrees use int.Int use list.List use list.Mem use list.Append use list.Distinct use array.Array use list.Length type tree = Empty | Node tree tree function size (t: tree) : int = match t with | Empty -> 0 | Node l r -> 1 + size l + size r end lemma size_nonneg: forall t: tree. size t >= 0 lemma size_left: forall t: tree. size t > 0 -> exists l r: tree. t = Node l r /\ size l < size t predicate all_trees (n: int) (l: list tree) = distinct l /\ forall t: tree. size t = n <-> mem t l lemma all_trees_0: all_trees 0 (Cons Empty Nil) lemma tree_diff: forall l1 l2: tree. size l1 <> size l2 -> forall r1 r2: tree. Node l1 r1 <> Node l2 r2 (* combines two lists of trees l1 and l2 into the list of trees with a left sub-tree from l1 and a right sub-tree from l2 *) let combine (i1: int) (l1: list tree) (i2: int) (l2: list tree) requires { 0 <= i1 /\ all_trees i1 l1 /\ 0 <= i2 /\ all_trees i2 l2 } ensures { distinct result } ensures { forall t:tree. mem t result <-> (exists l r: tree. t = Node l r /\ size l = i1 /\ size r = i2) } = let rec loop1 (l1: list tree) : list tree variant { l1 } requires { distinct l1 } ensures { distinct result } ensures { forall t:tree. mem t result <-> (exists l r: tree. t = Node l r /\ mem l l1 /\ mem r l2) } = match l1 with | Nil -> Nil | Cons t1 l1 -> let rec loop2 (l2: list tree) : list tree variant { l2 } requires { distinct l2 } ensures { distinct result } ensures { forall t:tree. mem t result <-> (exists r: tree. t = Node t1 r /\ mem r l2) } = match l2 with | Nil -> Nil | Cons t2 l2 -> Cons (Node t1 t2) (loop2 l2) end in loop2 l2 ++ loop1 l1 end in loop1 l1 let all_trees (n: int) requires { n >= 0 } ensures { forall i: int. 0 <= i <= n -> all_trees i result[i] } = let a = make (n+1) Nil in a[0] <- Cons Empty Nil; for i = 1 to n do invariant { forall k: int. 0 <= k < i -> all_trees k a[k] } a[i] <- Nil; for j = 0 to i-1 do invariant { forall k: int. 0 <= k < i -> all_trees k a[k] } invariant { distinct a[i] } invariant { forall t: tree. mem t a[i] <-> (exists l r: tree. t = Node l r /\ size t = i /\ size l < j) } a[i] <- (combine j a[j] (i-1-j) a[i-1-j]) ++ a[i] done done; a end why3-1.6.0/examples/generate_all_trees/000077500000000000000000000000001440160026300200465ustar00rootroot00000000000000why3-1.6.0/examples/generate_all_trees/why3session.xml000066400000000000000000000146161440160026300230760ustar00rootroot00000000000000 why3-1.6.0/examples/generate_all_trees/why3shapes.gz000066400000000000000000000062171440160026300225140ustar00rootroot00000000000000Z[o~ׯ8mp $ pyiؒ+)i_!ʖ줱-~tHsf8$/nts{y}>|דW?iAo6\l 96ii&qvʬ*qى/~^՝N^ݎ;v{+uں 5*Ng-S" ;5b=_Q?]zU DW{@QTEE!]:J-QV} swQfڑcrYj5X4;.f"gE:GLkpFV#[G3_\;p xIWy[̖x}e'|` bMd:;W1pyuh׿\ۓQoq24aA9_/r+_6ӛrs򻍍bٱYKUڽU}s}5]QWw'ulo7_w|QQwJ[R *Z:0YU sM6}X`lZ ʹoLT&dk=ȝ]ep7% =3C?5;V_|ssz?Ex3J_Eꇼkwk^NMUkwmg]yuﺇ;nq]?z CW v"b7k.XZk`D-S-S [zf[ڶLշLЖYt}#8csW`Wo}\<IH|0j@ZOMroøۢ$LS>""S45T a`4G-5u}*DZpTMup |,V.V+DZ?-׫O?OC'O,Ӗz ߻}wnͯ~IeɷXSMQO%vwkWpBEw!V?/~ ? Gï]%RMw4;O>L zMõ6g~K$Hz%3IEZ{&Wڮ|'ӫ<}K Ff:/X{Ƶ@}5b/vPgI ^#ۻ~w_P#Buݥ|@WhMMF[魯OKNPLapf*UɖR<) j՞SeySKdyidhKr*gR\p9to3.E58Kr=th8-Psu:ZRy:E9TKU}}Z _oRůj~6RG3'i}m{OJdT_UvTm6WZR:[>ߠ6j| rzO6SZTK-ʦCmɉusJ2X႔g鍲2+pb&]`f+ @D$BYWR @:5 )Α y"+TTA&JIgcJ bTB* B'Q>kQBds䨳!5cr CS`d`u'" | bAJF8$3˔rG Ĭ"E+g67g-/%gb%)e2%91Ruhpi"$@jLD.qlIWsT98I l!(ԴQVǙh]sd݆):;K5n3|fa@nf1v`Ef kv2y# JeAdmyv4 FeACh'lXnsּk906j $K^ɡ(X)$;iٷ"ZV# Q<=.:&M4b`H4db "IkȀVMs669t-:efgc:z0@C& AYcSVg=T-ñ]"*$/8p9e HMh*w-c@A)G6{2U!x*# ʾ .]fcyVxSk aTk" 9;<- 4lrT%h08 ' L16JwK*6a @E>3X05rf#H+d^!IN}ș5jA1=GlG{! 8F@1A0`˛J޽d4 e֖sR%"qw/|!A.9˜7|HIlwԚbf#Zgl'6 ֗% ocʈu$NS>>fee;why3-1.6.0/examples/gnome_sort.mlw000066400000000000000000000012741440160026300171230ustar00rootroot00000000000000 (* Gnome sort https://en.wikipedia.org/wiki/Gnome_sort *) module GnomeSort use int.Int use ref.Refint use array.Array use array.ArrayPermut use array.IntArraySorted use array.ArraySwap use array.Inversions let gnome_sort (a: array int) : unit ensures { sorted a } ensures { permut_all (old a) a } = let ref pos = 0 in while pos < length a do invariant { 0 <= pos <= length a } invariant { sorted_sub a 0 pos } invariant { permut_all (old a) a } variant { inversions a, length a - pos } if pos = 0 || a[pos] >= a[pos - 1] then incr pos else begin swap a pos (pos - 1); decr pos end done end why3-1.6.0/examples/gnome_sort/000077500000000000000000000000001440160026300163765ustar00rootroot00000000000000why3-1.6.0/examples/gnome_sort/why3session.xml000066400000000000000000000063431440160026300214240ustar00rootroot00000000000000 why3-1.6.0/examples/gnome_sort/why3shapes.gz000066400000000000000000000020651440160026300210410ustar00rootroot00000000000000k#7W[+$S6Kk}%vwvNL;%+i4Fktv4~axv8ޔ:L|m?Y3 \mfحuɗ} ={Rr__M³ F\3TOxN|x/c *Z̃Nv|dUփ:tF|۷ lFPGc[,sBl[eۘc%l<ÏۙAݖw)Rޑ]Zמ#/(aHHfus2<pȫyr`3A lj@.-ؕ +>׻tkZxDʾىAA: Ĺ$"rS.|Ryex#THJ\"G!$r%]J3/4KJ&!Ĩb&Z 98˦@lƭh8U͵UʛA2O)`HD%5J#+A̱lT!N,23-|< 1Ϭ#whX0 fV/ B$why3-1.6.0/examples/hackers-delight.mlw000066400000000000000000000264751440160026300200170ustar00rootroot00000000000000(** {1 Examples from Hacker's Delight book*} *second edition *) (** {2 Utilitaries} We introduce in this theory two functions that will help us write properties on bit-manipulating procedures *) theory Utils use bv.BV32 let constant one : t = (1:t) let constant two : t = (2:t) let constant lastbit : t = (31:t) function max (x y : t) : t = (if ult x y then y else x) function min (x y : t) : t = (if ult x y then x else y) (** We start by introducing a function that returns the number of 1-bit in a bitvector (p.82) *) let function count (bv : t) : t = let x = sub bv (bw_and (lsr_bv bv one) (0x55555555:t)) in let x = add (bw_and x (0x33333333:t)) (bw_and (lsr_bv x two) (0x33333333:t)) in let x = bw_and (add x (lsr_bv x (4:t))) (0x0F0F0F0F:t) in let x = add x (lsr_bv x (8:t)) in let x = add x (lsr_bv x (16:t)) in bw_and x (0x0000003F:t) (** We then define the associated notion of distance, namely "Hamming distance", that counts the number of bits that differ between two bitvectors. *) function hammingD (a b : t) : t = count (bw_xor a b) end (** {2 Correctness of Utils} Before using our two functions let's first check that they are correct ! *) module Utils_Spec use int.Int use int.NumOf use bv.BV32 use Utils (** {6 count correctness } *) (** Let's start by checking that there are no 1-bits in the bitvector "zeros": *) lemma countZero: count zeros = zeros lemma numOfZero: NumOf.numof (fun i -> nth zeros i) 0 32 = 0 (** Now, for b a bitvector with n 1-bits, we check that if its first bit is 0 then shifting b by one on the right doesn't change the number of 1-bit. And if its first bit is one, then there are n-1 1-bits in the shifting of b by one on the right. *) lemma countStep: forall b. (not (nth_bv b zeros) <-> count (lsr_bv b one) = count b) /\ (nth_bv b zeros <-> count (lsr_bv b one) = sub (count b) one) let rec lemma numof_shift (p q : int -> bool) (a b k: int) : unit requires {forall i. q i = p (i + k)} variant {b - a} ensures {numof p (a+k) (b+k) = numof q a b} = if a < b then numof_shift p q a (b-1) k let rec lemma countSpec_Aux (bv : t) : unit variant {t'int bv} ensures {t'int (count bv) = NumOf.numof (nth bv) 0 32} = if pure { bv <> zeros } then begin countSpec_Aux (lsr_bv bv one); assert { let x = (if nth_bv bv zeros then 1 else 0) in let f = nth bv in let g = nth (lsr_bv bv one) in let h = fun i -> nth bv (i+1) in (forall i. 0 <= i < 31 -> g i = h i) && NumOf.numof f 0 32 - x = NumOf.numof f (0+1) 32 && NumOf.numof f (0+1) (31+1) = NumOf.numof h 0 31 && NumOf.numof g 0 (32-1) = NumOf.numof g 0 32 } end (** With these lemmas, we can now prove the correctness property of count: *) lemma countSpec: forall b. t'int (count b) = NumOf.numof (nth b) 0 32 (** {6 hammingD correctness } *) predicate nth_diff (a b : t) (i : int) = nth a i <> nth b i (** The correctness property can be express as the following: *) let lemma hamming_spec (a b : t) : unit ensures {t'int (hammingD a b) = NumOf.numof (nth_diff a b) 0 32} = assert { forall i. 0 <= i < 32 -> nth (bw_xor a b) i <-> (nth_diff a b i) } (** In addition we can prove that it is indeed a distance in the algebraic sens: *) lemma symmetric: forall a b. hammingD a b = hammingD b a lemma separation: forall a b. hammingD a b = zeros <-> a = b function fun_or (f g : 'a -> bool) : 'a -> bool = fun x -> f x \/ g x let rec lemma numof_or (p q : int -> bool) (a b: int) : unit variant {b - a} ensures {numof (fun_or p q) a b <= numof p a b + numof q a b} = if a < b then numof_or p q a (b-1) let lemma triangleInequalityInt (a b c : t) : unit ensures {t'int (hammingD a b) + t'int (hammingD b c) >= t'int (hammingD a c)} = assert {numof (fun_or (nth_diff a b) (nth_diff b c)) 0 32 >= numof (nth_diff a c) 0 32 by forall j:int. 0 <= j < 32 -> nth_diff a c j -> fun_or (nth_diff a b) (nth_diff b c) j} lemma triangleInequality: forall a b c. uge (add (hammingD a b) (hammingD b c)) (hammingD a c) end module Hackers_delight use int.Int use int.NumOf use bool.Bool use bv.BV32 use Utils (** {2 ASCII checksum } In the beginning the encoding of an ascii character was done on 8 bits: the first 7 bits were used for the carracter itself while the 8th bit was used as a checksum: a mean to detect errors. The checksum value was the binary sum of the 7 other bits, allowing the detections of any change of an odd number of bits in the initial value. Let's prove it! *) (** {6 Checksum computation and correctness } *) (** A ascii character is valid if its number of bits is even. (Remember that a binary number is odd if and only if its first bit is 1) *) predicate validAscii (b : t) = (nth_bv (count b) zeros) = False (** The ascii checksum aim is to make any character valid in the sens that we just defined. One way to implement it is to count the number of bit of a character encoded in 7 bits, and if this number is odd, set the 8th bit to 1 if not, do nothing:*) let ascii (b : t) = requires { not (nth_bv b lastbit) } ensures { validAscii result } let c = count b in bw_or b (lsl_bv c lastbit) (** Now, for the correctness of the checksum : We prove that two numbers differ by an odd number of bits, i.e. are of odd hamming distance, iff one is a valid ascii character while the other is not. This imply that if there is an odd number of changes on a valid ascii character, the result will be invalid, hence the validity of the encoding. *) lemma asciiProp: forall a b. ((validAscii a /\ not validAscii b) \/ (validAscii b /\ not validAscii a)) <-> nth_bv (hammingD a b) zeros (** {2 Gray code} Gray codes are bit-wise representations of integers with the property that every integer differs from its predecessor by only one bit. In this section we look at the "reflected binary Gray code" discussed in Chapter 13, p.311. *) (** {4 the two transformations, to and from Gray-coded integer } *) function toGray (bv : t) : t = bw_xor bv (lsr_bv bv one) function fromGray (gr : t) : t = let b = bw_xor gr (lsr_bv gr one) in let b = bw_xor b (lsr_bv b (2:t)) in let b = bw_xor b (lsr_bv b (4:t)) in let b = bw_xor b (lsr_bv b (8:t)) in bw_xor b (lsr_bv b (16:t)) (** Which define an isomorphism. *) lemma iso: forall b. toGray (fromGray b) = b /\ fromGray (toGray b) = b (** {4 Some properties of the reflected binary Gray code } *) (** The first property that we want to check is that the reflected binary Gray code is indeed a Gray code. *) lemma grayIsGray: forall b. ult b ones -> hammingD (toGray b) (toGray (add b one)) = one (** Now, a couple of property between the Gray code and the binary representation. Bit i of a Gray coded integer is the parity of the bit i and the bit to the left of i in the corresponding binary integer *) lemma nthGray: forall b i. ult i lastbit -> xorb (nth_bv b i) (nth_bv b (add i one)) <-> nth_bv (toGray b) i (** (using 0 if there is no bit to the left of i) *) lemma lastNthGray: forall b. nth_bv (toGray b) lastbit <-> nth_bv b lastbit (** Bit i of a binary integer is the parity of all the bits at and to the left of position i in the corresponding Gray coded integer *) lemma nthBinary: forall b i. ult i size_bv -> nth_bv (fromGray b) i <-> nth_bv (count (lsr_bv b i)) zeros (** The last property that we check is that if an integer is even its encoding has an even number of 1-bits, and if it is odd, its encoding has an odd number of 1-bits. *) lemma evenOdd : forall b. nth_bv b zeros <-> nth_bv (count (toGray b)) zeros (** {2 Various (in)equalities between bitvectors. } *) (** {6 De Morgan's laws (p.13)} Some variations on De Morgan's laws on bitvectors. *) lemma DM1: forall x y. bw_not( bw_and x y ) = bw_or (bw_not x) (bw_not y) lemma DM2: forall x y. bw_not( bw_or x y ) = bw_and (bw_not x) (bw_not y) lemma DM3: forall x. bw_not (add x one) = sub (bw_not x) one lemma DM4: forall x. bw_not( sub x one) = add (bw_not x) one lemma DM5: forall x. bw_not( neg x ) = sub x one lemma DM6: forall x y. bw_not( bw_xor x y ) = bw_xor (bw_not x) y lemma DM7: forall x y. bw_not( add x y ) = sub (bw_not x) y lemma DM8: forall x y. bw_not( sub x y ) = add (bw_not x) y lemma DMtest: forall x. zeros = bw_not( bw_or x (neg(add x one))) (** {6 Addition Combined with Logical Operations (p.16)} *) lemma Aa: forall x. neg x = add (bw_not x) one lemma Ac: forall x. bw_not x = sub (neg x) one lemma Ad: forall x. neg (bw_not x) = add x one lemma Ae: forall x. bw_not (neg x) = sub x one lemma Af: forall x y. add x y = sub x (add (bw_not y) one) lemma Aj: forall x y. sub x y = add x (add (bw_not y) one) lemma An: forall x y. bw_xor x y = sub (bw_or x y) (bw_and x y) lemma Ao: forall x y. bw_and x (bw_not y) = sub (bw_or x y) y lemma Aq: forall x y. bw_not (sub x y) = sub y (add x one) lemma At: forall x y. not (bw_xor x y) = add (bw_and x y) (bw_not (bw_or x y)) lemma Au: forall x y. bw_or x y = add (bw_and x (bw_not y)) y lemma Av: forall x y. bw_and x y = sub (bw_or (bw_not x) y) (bw_not x) (** {6 Inequalities (p. 17, 18)} *) lemma IE1: forall x y. ule (bw_xor x y) (bw_or x y) lemma IE2: forall x y. ule (bw_and x y) (bw_not( bw_xor x y )) lemma IEa: forall x y. uge (bw_or x y) (max x y) lemma IEb: forall x y. ule (bw_and x y) (min x y) lemma IE3: forall x y. ( ule x (add x y) /\ ule y (add x y) ) -> ule (bw_or x y) (add x y) lemma IE4: forall x y. not ( ule x (add x y) /\ ule y (add x y) ) -> ugt (bw_or x y) (add x y) (** {6 Shifts and rotates} *) (** shift right and arithmetic shift right (p.20)*) lemma SR1: forall x n. ult n size_bv -> bw_or (lsr_bv x n) (lsl_bv (neg( lsr_bv x (31:t) )) (sub (31:t) n)) = asr_bv x n (** rotate vs shift (p.37)*) lemma RS_left: forall x. bw_or (lsl_bv x one) (lsr_bv x (31:t)) = rotate_left_bv x one lemma RS_right: forall x. bw_or (lsr_bv x one) (lsl_bv x (31:t)) = rotate_right_bv x one (** {6 bound propagation (p.73)} *) (** Using a predicate to check if an addition of bitvector overflowed *) predicate addDontOverflow (a b : t) = ule b (add b a) /\ ule a (add b a) (** We have that. *) lemma BP: forall a b c d x y. ( ule a x /\ ule x b /\ ule c y /\ ule y d ) -> (* a <= x <= b and c <= y <= d *) addDontOverflow b d -> ule (max a c) (bw_or x y) /\ ule (bw_or x y) (add b d) /\ (* max a c <= x | y <= b + d *) ule zeros (bw_and x y) /\ ule (bw_and x y) (min b d) /\ (* 0 <= x & y <= min b d *) ule zeros (bw_xor x y) /\ ule (bw_xor x y) (add b d) /\ (* 0 <= x xor y <= b + d *) ule (bw_not b) (bw_not x) /\ ule (bw_not x) (bw_not a) (* not b <= not x <= not a *) end why3-1.6.0/examples/hackers-delight/000077500000000000000000000000001440160026300172605ustar00rootroot00000000000000why3-1.6.0/examples/hackers-delight/why3session.xml000066400000000000000000000241361440160026300223060ustar00rootroot00000000000000 why3-1.6.0/examples/hackers-delight/why3shapes.gz000066400000000000000000000070231440160026300217220ustar00rootroot00000000000000Y[o]ǭ~ׯ[i`89h"P%Hz5j Xr~u[[F:pf͐H_<?Is̷7zw{?=~3ûV1nśۑn,Yb^7u,dv\7z~Ο!$~ԦЏ=Ξ='4`P -s3jw(Wl'f:.)<@D4 8~I(U{ &vh9GX>I >-5!dCO*٬hsx@L35^ s)!rjz$9TM5'ڈ4tHc/Glo'ϓoė_^.iְjfl$HJ_/⌳sotWgIpmA#h;ޘM C'ݡ'QOǞI{I(=6 'WG'%{{?ɳCOG Hϡ O}O9])WsvvVBcP+HWW(3(O'BͮP~Paq b41IWh5h=h3Rѡ+}tɔs'ZEM>"NTFf-An6FjmLTSS_t{LOfo\oFݻ7sި+l/.QMSquTGjNU;>vg/ԴNG5XjV ##噵A#8t+P}3Aύ5N%fr?nt C_sg˙/n~Yցx!r 7c/8A)1=i@Tz xs]/ox}fww T(g30=x -W_VKCtr3g0r0j0z3L9Dѽyvu[~77;jp8Qߋ^gsE2<1Y`l^Ql;}_+=lJuߥWS*?#`dR?VkQ(6o"-ݾ]9n1[[VyzL ?W=\oT3Ƹp@fC<M8K4?|==0J֪+bXu%N;/vǏxS.hii#:[r;4r/tr-+L':,t|/f:sHwSp?^ISpkã *T!:mګYHq}nJ#g.4Eh]cOk#z͜3r2@A3o&zY;qSAgDS nf=!aYkۭ$G ((lX޼ݭ45ٹvY+h%9ۺֲ4+4,g[ HMSڀxBdhs$;P #*ũ"o gšqZ`Wr'6@MXLutaSy&DVI8 뼯-zѧD+}!AΗ819%;JEtF}N耒ph"B-Y$sC&m ^TP*߆ln5 fRGW =rSTnI`&28\ N$ YKUϬIn@&BeJSI5+3 Ȱ)'%?ZhBSY  F$y%ee_CVjR! gQsh4$"kr& #G 6c.4rC朅L-B)Vj?E^L ( 4nՆ.j&T9A( kDg.W>YR2JE {V0h¡cCTAATd{g~l(_M5% \[MЯ^<2") Zd 9$ + Żߴ@h(LA$Դ(ѕNǮp5IR{؇("> ip<82[9 9%5vDjHQWd(9톝KjPJlrR/М| : 3J%DBYz=c0ep;l+6%Q8d4Tc/.J)ͣDGjYvHUT.R!zaDָpsm4z7M u;:?砸¹ϸNqoPbPcW^Er?>h`y" AC T _B۸8@&NsFT=lKB.ň"(4< ծ+]0":͋:uF$ w;(XE5BnR@ԨQS9.Y#'.57why3-1.6.0/examples/hashtbl_impl.mlw000066400000000000000000000115761440160026300174230ustar00rootroot00000000000000 (* Hash table implementation Jean-Christophe Filliâtre (CNRS) Andrei Paskevich (Univ Paris Sud) *) module HashtblImpl use int.Int use int.ComputerDivision use option.Option use list.List use list.Mem use map.Map use map.Const use array.Array type key val eq (x y : key) : bool ensures { result <-> x = y } val function hash key : int ensures { 0 <= result } let function bucket (k: key) (n: int) : int requires { 0 < n } ensures { 0 <= result < n } = mod (hash k) n lemma bucket_bounds: forall n: int. 0 < n -> forall k: key. 0 <= bucket k n < n predicate in_data (k: key) (v: 'a) (d: array (list (key, 'a))) = mem (k,v) d[bucket k (length d)] predicate good_data (k: key) (v: 'a) (m: map key (option 'a)) (d: array (list (key, 'a))) = Map.get m k = Some v <-> in_data k v d predicate good_hash (d: array (list (key, 'a))) (i: int) = forall k: key, v: 'a. mem (k,v) d[i] -> bucket k (length d) = i type t 'a = { mutable size: int; (* total number of elements *) mutable data: array (list (key, 'a)); (* buckets *) ghost mutable view: map key (option 'a); (* pure model *) } invariant { 0 < length data } invariant { forall i: int. 0 <= i < length data -> good_hash data i } invariant { forall k: key, v: 'a. good_data k v view data } by { size = 0; data = make 1 Nil; view = Const.const None } let create (n: int) : t 'a requires { 1 <= n } ensures { result.view = Const.const None } = { size = 0; data = make n Nil; view = Const.const None } let clear (h: t 'a) : unit writes { h.size, h.data.elts, h.view } ensures { h.view = Const.const None } = h.size <- 0; fill h.data 0 (length h.data) Nil; h.view <- Const.const None let resize (h: t 'a) : unit writes { h.data } = let odata = h.data in let osize = length odata in let nsize = 2 * osize + 1 in let ndata = make nsize Nil in let rec rehash (ghost i : int) l requires { forall k: key, v: 'a. mem (k,v) l -> bucket k osize = i } requires { forall j: int. 0 <= j < nsize -> good_hash ndata j } requires { forall k: key, v: 'a. if 0 <= bucket k osize < i then good_data k v h.view ndata else if bucket k osize = i then (Map.get h.view k = Some v <-> mem (k,v) l \/ in_data k v ndata) else not in_data k v ndata } ensures { forall j: int. 0 <= j < nsize -> good_hash ndata j } ensures { forall k: key, v: 'a. if 0 <= bucket k osize <= i then good_data k v h.view ndata else not in_data k v ndata } variant { l } = match l with | Nil -> () | Cons (k, v) r -> let b = bucket k nsize in ndata[b] <- Cons (k, v) (ndata[b]); rehash i r end in for i = 0 to osize - 1 do invariant { forall j: int. 0 <= j < nsize -> good_hash ndata j } invariant { forall k: key, v: 'a. if 0 <= bucket k osize < i then good_data k v h.view ndata else not in_data k v ndata } rehash i odata[i] done; h.data <- ndata let rec list_find (k: key) (l: list (key, 'a)) : option 'a variant { l } ensures { match result with | None -> forall v: 'a. not (mem (k, v) l) | Some v -> mem (k, v) l end } = match l with | Nil -> None | Cons (k', v) r -> if eq k k' then Some v else list_find k r end let find (h: t 'a) (k: key) : option 'a ensures { result = Map.get h.view k } = let i = bucket k (length h.data) in list_find k h.data[i] let rec list_remove (k: key) (l: list (key, 'a)) : list (key, 'a) variant { l } ensures { forall k': key, v: 'a. mem (k',v) result <-> mem (k',v) l /\ k' <> k } = match l with | Nil -> Nil | Cons ((k', _) as p) r -> if eq k k' then list_remove k r else Cons p (list_remove k r) end let remove (h: t 'a) (k: key) : unit writes { h.data.elts, h.view, h.size } ensures { Map.get h.view k = None } ensures { forall k': key. k' <> k -> Map.get h.view k' = Map.get (old h.view) k' } = let i = bucket k (length h.data) in let l = h.data[i] in match list_find k l with | None -> () | Some _ -> h.data[i] <- list_remove k l; h.size <- h.size - 1; h.view <- Map.set h.view k None end let add (h: t 'a) (k: key) (v: 'a) : unit writes { h } ensures { Map.get h.view k = Some v } ensures { forall k': key. k' <> k -> Map.get h.view k' = Map.get (old h.view) k' } = if h.size = length h.data then resize h; remove h k; let i = bucket k (length h.data) in h.data[i] <- Cons (k, v) h.data[i]; h.size <- h.size + 1; h.view <- Map.set h.view k (Some v) (* let alias (h: t int) (k: key) : unit = let old_data = h.data in add h k 42; old_data[0] <- Nil *) end why3-1.6.0/examples/hashtbl_impl/000077500000000000000000000000001440160026300166705ustar00rootroot00000000000000why3-1.6.0/examples/hashtbl_impl/why3session.xml000066400000000000000000000257151440160026300217220ustar00rootroot00000000000000 why3-1.6.0/examples/hashtbl_impl/why3shapes.gz000066400000000000000000000142121440160026300213300ustar00rootroot00000000000000][o7~ׯ8,Ks` ىHJ_U$ʎ.,#KU}uax~??wzÿ7o{?)>AcA]? {=8Z^nQ][?Ŀo~4L <ҼES5.PbiR_>c$t}=8;~[Z܁5o1\t-v.O?͇.ۋ;GFL= ˏqHEi,umωWwUx{We~8Mt,2-)7O3r0$u6/oD^b8>=^+Sm|28@r xF6Udዋ(K""I"51 [H\*3*QT'S.""Sԩ$\!? I9EKQ.lǀ4-2. ̖rboy|ble 9녈#-I? @~IIXp~z?'){&PFً=͌P#tF`z2=C5O0MͲHL, aEIé{Cմe1hY_2& Q@,&ɢP//˫05~ rd8~ w׿l%JX/`4uެ?^}QX*H:4yp\#L\Ը*k\ҿ%p"S(IDոʬ%fV%S,ޜ>&L>]ޡZR/CM|򦀨r$ EA< ; є 5bcva vԽ ;hR-H.L v sͰs.u,쐓G(C_wZC"j H %${ Ղi(s ۂ%9RE8RX*7|hT&nuo4AeZr U-@ۂ ?7 *QJ<..˫] ߮ϡ]DTAI\|ca%Pa05n1͋Hs4+$7mL^m JR |1=q4/3)|zKZiS.Q Qhd1}6 iAdcT|C&$iJƊLSA24ZL?l%h>xSE*َf=pNRR_-=J*(TO] ?f)4`ʦTzt$ɂ7d# M4?rYvjOXY״ؙ 89BPneJR Ȝ FLk4N|ɜ ۧ|x~O6pZA讵=xA6 6F;;ҘnchCn;(/[ȫ&4 y9;!⏜R(#^޺C+.Yf!6.LݗNl Yjrk[BN|AJÄR)sÇV\Wp7 KyQRڦlC)kĥ; yaϭ*<`'u`/§6 _l}ڇ xժWj5JJcZ9JWcz"ڦTn'WuNb=vDZE'jUqf\EI@.44ʿ@w h@0U {=T*z@E֝> p(ߑ&gqd˅۟"ex_ 'b!d 7B佟5*jkO*9\\=<E!YH +T뇪!y/|DGk$y6^*v"6*M#܊XdendK7ir5 +UJ^nrn۳BNTt 01̶jdWd>!2F&$dDfY a;i/G:bO??G+nm~O Ws8_6Uً'?Heiϥ|Bw$VRۖufQ٘9ԩÏ+`[{p1Nvslqyƀ4F.Xwt-B]̱`(llcTXઇ4:gOw⌟v#F(S[:}Ih;\zѹn;{fwހԬ70ZAP#;8;ssfC/~(RrqyEzz~4bV~)y# z7i*n7 w\q(:t\/A2 C|Ǹgq]0qttbN3Qr; :o:fN 3^"Xk JB籃,4ud|gp!؁Iǝ }9 Fn45gεO*•0,fwؠ˔<Ix$^!Q݀aQQbUtB^rDD{m-CQ*w;*<[%; w[ 7TءS?0aċN2-]%<%w? ]a@ޱAvTS BA-*A;4*Bv3; .fxPsT`K*i䞣K"1Xskpzp 38;(f!}P^B81r@y%v`Π (->2.B0ӏB~=8:r!':T:Ax{i**9p:H:A0hN3Ua F2BFF()uJ;(;ޠ wvٙ*C l7i1#>rT%0t9#30BE NM͈Ђt.eghEHTV6z@ ^A9ޡ10 vMvZ Z뀄#Н24C.:3]5(W{1 ::@tCNy(A(Q(2Bc:!d]R}!+aDwJΘ3Ss4CRwd I ޏ^H#go!X=$]A+3NZ44!h;i(yr48' A>J]biDdΡSI0ncaadiI7=y tEaaz净 dJPAFO#GK*9c!O`;uP ΂ƕk8F)h>zc1D&M >ULtgLi@J6b;_W{-d`LȮK04V)7:+PX%d#)%C4A}e@o["~z*#׺åj:zf(B=]АJw#Xjn@vZEI4#71PJp÷X!PM JtږÐC?4SrXP$*F4r(&$B,~щ0˕!$+t1€.v(%-{$эAŀacȻAe.FQqBt'hFeB82S^ءRQt#(a4#[] ~D@>N1J{K9%WJ^Վwhy3-1.6.0/examples/hello-world.mlw000066400000000000000000000001461440160026300171740ustar00rootroot00000000000000module Test use string.String use io.StdIO let main = print_string ("\"Hello world!\"\n") endwhy3-1.6.0/examples/hillel_challenge.mlw000066400000000000000000000201551440160026300202210ustar00rootroot00000000000000 (** {1 Hillel challenge} See https://www.hillelwayne.com/post/theorem-prover-showdown/ The challenge proposed by Hillel Wayne was to provide purely functional implementations and proofs for three imperative programs he proved using Dafny (as an attempt to understand whether the proof of FP code is easier than the proof of imperative programs). Below are imperative implementations and proofs for the three Hillel challenges. Thus it is not really a response to the challenge, but rather an alternative to the Dafny proofs. Author: Jean-Christophe Filliâtre (CNRS) *) (** {2 Challenge 1: Lefpad} Takes a padding character, a string, and a total length, returns the string padded to that length with that character. If length is less than the length of the string, does nothing. *) module Leftpad use int.Int use int.MinMax use array.Array type char (* whatever it is *) type char_string = array char let leftpad (pad: char) (n: int) (s: char_string) : char_string ensures { length result = max n (length s) } ensures { forall i. 0 <= i < length result - length s -> result[i] = pad } ensures { forall i. 0 <= i < length s -> result[length result - 1 - i] = s[length s - 1 - i] } = let len = max n (length s) in let res = Array.make len pad in Array.blit s 0 res (len - length s) (length s); res end (** {2 Challenge 2: Unique} Takes a sequence of integers, returns the unique elements of that list. There is no requirement on the ordering of the returned values. *) module Unique use int.Int use ref.Refint use fmap.MapImpInt as H use array.Array predicate mem (x: int) (a: array int) (i: int) = exists j. 0 <= j < i /\ a[j] = x let unique (a: array int) : array int ensures { forall x. mem x result (length result) <-> mem x a (length a) } ensures { forall i j. 0 <= i < j < length result -> result[i] <> result[j] } = let n = length a in let h = H.create () in let res = Array.make n 0 in let len = ref 0 in for i = 0 to n - 1 do invariant { 0 <= !len <= i } invariant { forall x. mem x a i <-> H.mem x h } invariant { forall x. mem x a i <-> mem x res !len } invariant { forall i j. 0 <= i < j < !len -> res[i]<>res[j] } if not (H.mem a[i] h) then begin H.add a[i] () h; res[!len] <- a[i]; incr len end done; Array.sub res 0 !len end (** {2 Challenge 3: Fulcrum} Given a sequence of integers, returns the index `i` that minimizes `|sum(seq[..i]) - sum(seq[i..])|`. Does this in O(n) time and O(n) memory. We do it in O(n) time and O(1) space. A first loop computes the sum of the array. A second scans the array from left to right, while maintaining the left and right sums in two variables. Updating these variables is simply of matter of adding `a[i]` to `left` and subtracting `a[i]` to `right`. *) module Fulcrum use int.Int use int.Abs use ref.Refint use array.Array use array.ArraySum function diff (a: array int) (i: int) : int = abs (sum a 0 i - sum a i (length a)) let fulcrum (a: array int) : int ensures { 0 <= result <= length a } ensures { forall i. 0 <= i <= length a -> diff a result <= diff a i } = let n = length a in let right = ref 0 in for i = 0 to n - 1 do invariant { !right = sum a 0 i } right += a[i] done; let left = ref 0 in let besti = ref 0 in let bestd = ref (abs !right) in for i = 0 to n - 1 do invariant { !left = sum a 0 i } invariant { !right = sum a i n } invariant { 0 <= !besti <= i } invariant { !bestd = diff a !besti } invariant { forall j. 0 <= j <= i -> !bestd <= diff a j } left += a[i]; right -= a[i]; let d = abs (!left - !right) in if d < !bestd then begin bestd := d; besti := i+1 end done; !besti end (** Now, let's try to do the same with machine integers and avoiding overflows. Obviously, computing the sum of the array elements may overflow. We could limit the size of the array and the maximal value of the elements. Instead, we choose here to compute the various sums using "small big integers" implemented with pairs of machine integers (basically, the sum of all the array elements cannot exceed `max_int^2` so two digits are enough). For the purpose of illustration, we choose here 32-bit integers. *) module FulcrumNoOverflow use int.Int use int.Sum as Sum use int.Abs use ref.Ref use mach.int.Int32 use mach.array.Array32 constant m : int = max_int32 + 1 (* thus 2^31 *) (* small big integers, within the range -m^2 .. m^2-1 *) type big = { mutable q: int32; mutable r: int32; mutable ghost v: int; } invariant { -m <= q <= m - 1 /\ 0 <= r <= m - 1 /\ v = q * m + r } by { q = 0:int32; r = 0:int32; v = 0 } meta coercion function v predicate biginv (_b: big) = 89>55 (* used to enforce the type invariant *) constant min_big : int = -m*m constant max_big : int = m*m - 1 let constant big_zero () : big = { q = 0:int32; r = 0:int32; v = 0 } let constant min_int32: int32 = -0x8000_0000 let constant max_int32: int32 = 0x7fff_ffff let add_big (b: big) (x: int32) : unit requires { min_big <= b.v + x <= max_big } ensures { b.v = old b.v + x } = if x < 0 then begin let r' = b.r + x in if r' < 0 then begin b.q <- b.q - 1; b.r <- (r'+1) + max_int32 end else b.r <- r' end else begin let r' = b.r + (min_int32 + x) in if r' < 0 then begin b.r <- (r'+1) + max_int32 end else begin b.q <- b.q + 1; b.r <- r' end end; b.v <- b.v + to_int x let sub_big (b: big) (x: int32) : unit requires { min_big <= b.v - x <= max_big } ensures { b.v = old b.v - x } = if x = min_int32 then begin b.q <- b.q + 1; b.v <- b.v - to_int x end else add_big b (-x) let delta (x y: big) : big requires { min_big <= abs (x.v - y.v) <= max_big } ensures { result.v = abs (x.v - y.v) } = let r = y.r - x.r in let ghost v = abs (x.v - y.v) in if y.q < x.q then (* -qM-r *) if r > 0 then { q = (x.q - 1) - y.q; r = (-r + 1) + max_int32; v = v } else { q = x.q - y.q; r = -r; v = v } else if y.q = x.q then (* abs r *) if r < 0 then { q = 0; r = -r; v = v } else { q = 0; r = r; v = v } else (* qM+r *) if r < 0 then { q = (y.q - 1) - x.q; r = (r+1) + max_int32; v = v } else { q = y.q - x.q; r = r; v = v } let big_lt (x y: big) : bool requires { x.v >= 0 /\ y.v >= 0 } ensures { result <-> x.v < y.v } = x.q < y.q || x.q = y.q && x.r < y.r function sum (a: array int32) (l u: int) : int = Sum.sum (fun i -> to_int a[i]) l u let lemma sum_bounds (a: array int32) (l u: int) requires { 0 <= l <= u <= length a } ensures { (u-l) * min_int32 <= sum a l u <= (u-l) * max_int32 } = let s = ref 0 in for i = l to u - 1 do invariant { !s = sum a l i } invariant { (i-l) * min_int32 <= !s <= (i-l) * max_int32 } s := !s + to_int (a.elts i) done function diff (a: array int32) (i: int) : int = abs (sum a 0 i - sum a i (length a)) let fulcrum (a: array int32) : int32 requires { length a < max_int32 } (* the only (and small) compromise *) ensures { 0 <= result <= length a } ensures { forall i. 0 <= i <= length a -> diff a result <= diff a i } = let n = length a in let right = big_zero () in for i = 0 to n - 1 do invariant { biginv right } invariant { right = sum a 0 i } add_big right a[i] done; let left = big_zero () in let besti = ref (0: int32) in let bestd = delta left right in for i = 0 to n - 1 do invariant { biginv right /\ biginv left /\ biginv bestd } invariant { left = sum a 0 i } invariant { right = sum a i n } invariant { 0 <= !besti <= i } invariant { bestd = diff a !besti } invariant { forall j. 0 <= j <= i -> bestd <= diff a j } add_big left a[i]; sub_big right a[i]; let d = delta left right in if big_lt d bestd then begin (* bestd <- d *) bestd.q <- d.q; bestd.r <- d.r; bestd.v <- d.v; besti := i + 1 end done; !besti end why3-1.6.0/examples/hillel_challenge/000077500000000000000000000000001440160026300174755ustar00rootroot00000000000000why3-1.6.0/examples/hillel_challenge/why3session.xml000066400000000000000000001014131440160026300225150ustar00rootroot00000000000000 why3-1.6.0/examples/hillel_challenge/why3shapes.gz000066400000000000000000000213171440160026300221410ustar00rootroot00000000000000|[oG;4cC@/ Xb1B |^ȫMI(Jk__dֽMjΌ2##"EVO?ʧ/umU1 wï*=wa/u ?Э&cbys߳6/ Lm|}sϧQz;3= ̔DߣDMq|^.vвonv1u%&~+<6=[Hv&d]Gvӏ{MmW^⿉ޛJ}#d_G-\{lԇ$5p_]Ux_G 0M曫q$O`,OjFÞzK֮}P:_`+KkDlGg&w]Ѝ[6F q)(?"m`Ń 3]P{|\oOM M9%Sz]ݧX~P+wE5oè)n=Ө'=y9g3G?nKqt6KIGS3~ >.t 8bI]g/(rGQQyj堶PV_zZwzۢo4N7 )N9CRY[6 mw̴EPK Lw6璼giw4 D'JK>߅R¿#z/=˕q`}Mcq8o fNj})%W#=W= _>RMk>МB[LYh~.GaMـ3Bг7To<\)%._=9yëbsT9#Ͻ_I]jl}~CzcmqtG~A_w3N 僥qںvq?`|dtUOg  #ϫȾ{ɬmzu*\mGNrVAs)2 . r/̓k_ϴNϣcm4:ww- O 륧H-Cc)Cs%0x#9*┰v#bU& )P wx/e{?_u-N1nӍ%.<>Gͪݼ%m6+}\aH;Z+処iSZᘱT5qt'AmYFP((٪\Q.ݨT: 1m*Lz$ZҬ&Bfm;nq=`͒YS[ 6en;[\_;gX%{q!VR'I/F;m \xv_*[Jv r͛[of̷K۾zRh玈CL qah&u\bv4;2dho?v{Þ FQ}ASDSDè&SN⦈s"Oٷpnz%h;'[tDFÏ]L5+i@Pq٪?oZġIUbC|ݴ& 4UI^ӴΪg.m~n~\HZ;]?>ۻ'ASUǧcJYJ/|0J z'pHu+0n$##\-d܎; deS݃r|,uv9ms.nb/ȉϗ/uP@sCC?3nȿ:_; i|'ns^mQ[{ϟJ ݴC5/8/x?A.o;h7:/y_='@tP<>DF17g}QSz(En^x(pBMXL1[N;/ Z~X@hw4w/]-j*+8N'=>̓#bm9\[}y}Z^[קnn_UЧ0^UgpB޿m=3~|kH3K+6`ۆ۽K5q-.?^]k8*I[TQ 1 o'/PZ7SW/a^^w4A;Dm-|!7_t~V{8In/ޏ#FnfԺ!5~04O^/1Ra(1E,/?2tΟ141nRɺ_ eQfGЇfe öִ"-뾑c7c]o=}*Lܹ}76LƇ[׬Cq:Ө rE,c,X$X"Fb6du6E8&,?V4Bܐsi?x;8x?:D/$,>ňc?.zDG\?,2׋UD됸2Sd &4౗FNb?*HzcAm_~ %>Qm '7 ~>w܉ONןM[Ӈaӧ7'Y>YO?q _5q##N,sfR;vPnf,`ʎ@sfkh 67U6h%lKӫdjv \Iȧ1;JŇ}ԡ,T.BֲT Rð7n#q22T*1vdihen_ŒKFmEQdz~N6!4u2X~rjiyը7aU;"|q:IR)3Uah?G:kz  ,T\Iȧ(_w(TCY+G\O r|j`nÚTtll{j—֬[QpcX]x2^7NWlq*|wu)[S 98̵U;+d> H)I  ,W%NUB5,mn+:<~]ٝi vEbZ.\{[1b,xq593-:ebb S,^h}6M;nv\qlIYKTτ .ʓVN@avN@z|'؎Fk&cMnE2RZYdYJXxW0Pb C"b$S_\Hσ0&Eg_HLb1Y$sXNII|'٥*]ULtTk#l^Fۘ$2 D eWKBFtv;i_F>("&hj2`\T&[#J)Sl'bJ3+.xED'r.9nhK?uL=֠`rIy[g*n%s!1iK&Jr-RAN %Pp'"Z/XLk=w9II*oc`_x 9k旓t"F.dVk^, |հ4wNgd9Q!U0,g%VqryT&X)ə3< 6d3Pmw 3jVWb6:rƸFVXAF '2kdf'k*ZKmC6EEĖkcvF 'Tq3"MR;`YG*r&`] JI8eIQ][|g8 ;JrN[[PL^sZvd0t$*JHWV, T-(st2`pia[안J1xWdfjq5#`!]Nx`€~&m )vvG9+bt\ͥR?[7k$`.n&ak PVl 0 D:p F[zWXIjΉ#eYȞ%[a:5)vQP&T+́ F|+#~P -t'JDS5ESQ tܷR"R9zrL$LA 9)KőƣCńFI!%PuBJ-eO6!nP#¥EhFQB II]UēDe^F0 gY pda@& d  3(h9)G4EfL&Rm(fEЀR;nX!~$!'BP )`l{&ğ#Sƶ9pπJΨ;1*OE$XJPX PG. Dp!QhNzds9Jn)4pc%; j Yt!;h0)MbgWIB ;Pb~@ (D;' RJ@5JԃĖL &4'@E1 Xb- %'I|h&vzG=I+ rȻ"3"I")w u3C,;M H"+Ay!%VpmSuEQ&bj\!i] 1E$f-R<AP2"P9//A {B JQk0Qˋ cKn fT(}4Z鋉L0%$h P#cDmEWkQj)ѨSxq/]sLZ|ERLeE`G֒"T;CE=jE{,R]B-9 \(W6Ԇ_LQi %'pA-Qr4R(,}rpl5,T~TgD,Hsaf,*Bv"sCMCj1P[a%&%J$_5<*cRC`B6(WOct$:Ie":Fn0u%C:d/N+cVZ BȳX{1hPjTh,:tEzZd>5(;as!j&"Հ**Dr^~Pr'^D_ 8qT8ұ`:K iRQFF P2Xf22qwA&aL. 0T]zi.s.(_mF1VgsOKa(_DQv\ ,4FL>. >+.g^PY"V12tWy1谽0kd, K̎[3Jm:g [X(Ȓ5%PNamQ?8b#GL@"hXiy{ vNEhy&J6(U/\$Q-l~ VD'?qtgW#[DE Tг*uaf4 MYJhFy dtRZ |RO? Y0(C[(>f+bdgt`PAHťCF4QT/NPAPBO Ȑ42D #9*#+l;E$=1(LtΖi!)'~f51At$DsXUഞ;.U@Ajz!5cΟ&!iU$PEq -Lv>I̟"8IR &IWL ֣g_M3FbƠoF&C֎̖QɎČt}9iIՠղOdM*iQŽ"X-l(9@h)CoاTqYZFB 3F^Da) D@UNOօ$Tq9NB}ZodUH{1yfPk B UJ%{I5*7d(u &k@~/A.(G2"(($3J&bф7HȠAbC8js̰m0lT2ʨWdSxA%P _-EϾq_ <ω/`#-C / GPI:Ie&dȳez`P8Ls0.5k;XCw(``8EC\m,`QUF݄"*[ 8GRl,hdקPx(x]? COAz>7e5b{DRD#V)R"\i³3)V:G,]"/8jְ`/Pv AAi%[j0:[d]ggG2 0 -> sorted s -> last s <= x -> sorted (snoc s x) lemma sorted_tail: forall s. sorted s -> length s >= 1 -> sorted s[1 .. ] lemma sorted_tail_tail: forall s. sorted s -> length s >= 2 -> sorted s[2 .. ] let huffman_coding (s: seq int) : int requires { length s > 0 } requires { sorted s } ensures { result = sum s } = let ref x = s in let ref y = empty in while length x + length y >= 2 do invariant { length x + length y > 0 } invariant { sum x + sum y = sum s } invariant { sorted x } invariant { sorted y } invariant { length x >= 2 -> length y >= 1 -> last y <= x[0] + x[1] } invariant { length x >= 1 -> length y >= 2 -> last y <= x[0] + y[0] } invariant { length y >= 2 -> last y <= y[0] + y[1] } variant { length x + length y } if length y = 0 then begin y <- snoc y (x[0] + x[1]); x <- x[2 .. ] end else if length x = 0 then begin y <- snoc y[2 .. ] (y[0] + y[1]); end else begin (* both non-empty *) if x[0] <= y[0] then if length x >= 2 && x[1] <= y[0] then begin y <- snoc y (x[0] + x[1]); x <- x[2 .. ] end else begin y <- snoc y[1 .. ] (x[0] + y[0]); x <- x[1 .. ] end else if length y >= 2 && y[1] <= x[0] then begin y <- snoc y[2 .. ] (y[0] + y[1]); end else begin y <- snoc y[1 .. ] (x[0] + y[0]); x <- x[1 .. ] end end done; if length x > 0 then x[0] else y[0] why3-1.6.0/examples/huffman_with_two_queues/000077500000000000000000000000001440160026300211615ustar00rootroot00000000000000why3-1.6.0/examples/huffman_with_two_queues/why3session.xml000066400000000000000000000447071440160026300242150ustar00rootroot00000000000000 why3-1.6.0/examples/huffman_with_two_queues/why3shapes.gz000066400000000000000000000064521440160026300236300ustar00rootroot00000000000000Yn}Wmwbz!} % %C>=N"̥YCrj_._/?]ćZ]^]ǟOqy]KTocpQ?y|mԸQ3~yoW 􇭘zWl]CV6#qtwxoquxcϐ~u|v] R=]mR.SC/]uNԯ}z ! q?/F𵁟C>m0#SWo<};`Sz8y9iiM龩-_}|ZKNɬw]X,uaZϻ~Z}3ML;zl}w'?Q\YugҔ=ʦFR}uWv Q,[y-]}δ'OF-EN\>Դ'5?:r_`|^Ϥ_p8!H8"#فwGRSN8g3M,)nrT&x}Zˤ]jDۜ{qCPpA_o>ԲVn3.8:2ߍ&9)H+Mw}k݌J޲%ދuB~e7,uuψ֧X1 x޺ߛ+I{$i=S$S{5N^5~<1N2^>2˫1VNϡI*fl=,fs3o/:zmc[j m:M.3pX|Y>w>ZGۉ:6< ` p/W/nчvhaGcN}O5~؅⻅eܬ_SθOQ~,%G%w{9 :^v='ؿlOqSvSD/DmN\4N\xby|{{.x[+7_\DIנV.':(*V/iPZ*9D6TfBT^@HCKSPQ5CIRJK檪(6UmCx_ )w)(Nk1h+Q%VR7`W1G2.)PRs>BMȺ2+:>cʶkt,q )L /&bI dqlHDlIZSIL5s1(\In d&x嬊)JM`X@- @(aLIRҘՠàenSh 1H|E1C]|7W<0č3R%gPU6h ePr4U2yL?TQ"`33<`S_E켷~oL [hMǂgBƆMr=Y Z$ZП gAKz5HKA| F% Ƅ(n ֕SL<^k贛-w"7dq. TwfFnPL*L|q.R  psH> q 9zֈvaMb͉i5gPtNpҡA%88ɽ@*62ʿūF6H5kl\w`v*\R.bSY\^>88 rA*%S\mt6jJVPtV$7ij7!8EGq/VxIIMXz6*X8`t*"Ce5N1iG(<䍫YP&*Xxv# MC3Dq }rp~+>X}HаX :Ϗ bTC>lA6;O&IO"iLo5l9H,Y%dzSW8oM-ABQ,P=!*?pjUKc"h{r:ĹG95Ҕ1za ]@8l%)5GqU"QtΡ Ғ3if9-uwUK+P(w,GLS(=HjN<=-gN:狄ZQJHJ"3а7jѦ nQם-#OK@5aPGl tDe%{ _!y37,\)1Z[ᕀlYѿ۳~KH vŴ>AEm4; ZըzٹP5"8;ޜ}d.2 j@ ]LpOص)g|lH9juכ m?9ڊR#ZKRo۾?Ot2why3-1.6.0/examples/i_cant_believe_it_can_sort.mlw000066400000000000000000000026471440160026300222700ustar00rootroot00000000000000(** I Can't Believe It Can Sort https://arxiv.org/pdf/2110.01111.pdf Author: Paul Patault (Université Paris-Saclay) *) use int.Int use array.Array use array.ArraySwap use array.ArrayPermut type elt val predicate le elt elt val lt (x y: elt) : bool ensures { result <-> le x y /\ x <> y } clone relations.TotalPreOrder with type t = elt, predicate rel = le, axiom . clone export array.Sorted with type elt = elt, predicate le = le, axiom . predicate max_array (a: array elt) (lo hi i: int) = forall j. lo <= j < hi -> le a[j] a[i] (* The invariant for the outer loop is as follows: 0 i-1 n +-------------+-----+-------------+ | sorted | max | ??? | +-------------+-----+-------------+ *) let i_cant_believe_it_can_sort (a: array elt) : unit ensures { permut_all (old a) a } ensures { sorted a } = let n = length a in for i = 0 to n - 1 do invariant { permut_all (old a) a } invariant { sorted_sub a 0 (i-1) } invariant { i = 0 || max_array a 0 n (i-1) } for j = 0 to n - 1 do invariant { permut_all (old a) a } invariant { max_array a 0 j i } invariant { i = 0 || if j < i then max_array a 0 n (i-1) else max_array a 0 n i } invariant { if j < i then sorted_sub a 0 (i-1) else sorted_sub a 0 i } if lt a[i] a[j] then swap a i j done done why3-1.6.0/examples/i_cant_believe_it_can_sort/000077500000000000000000000000001440160026300215365ustar00rootroot00000000000000why3-1.6.0/examples/i_cant_believe_it_can_sort/why3session.xml000066400000000000000000000120501440160026300245540ustar00rootroot00000000000000 why3-1.6.0/examples/i_cant_believe_it_can_sort/why3shapes.gz000066400000000000000000000026231440160026300242010ustar00rootroot00000000000000Vn7}Wc9k kH^ [#lbiWc3]Fy<պ[.lL 癘O@>a3.Rjy(=A(0fNğrt'ZuLh\mr{EN?Zѿb;?2rG'u[Sr#&2/E1X9xǠ~ GGNaa BpP4Uñq^6tóOE?xÛ EZWndպwM> hm϶?7Z|͕W2H,˗yD[db8'8x(x=AlKe' 79xM3l)ʺr{i:;騍-7Ͳ4}1%孊<,כE~DaW߭63)j;+ 3 7 -{$MuzP *E=ĤistCkx{)6FrXȓ91{(rڽZ}JJ{^FP#u%@v'5$49=,نmoOG|l۰ir>ɒѥRRq.BI6KVu IXtě\AL/!f0uQ\Vru<*Qyp~ Bx|CM<%AW_i"7B.se(.UlU浨ΑYEYU@p3mrr7lٯpk6\H*W`{i:x/"6) 7ȱ*Y=5^p{fN*N7|c)UpP_K+why3-1.6.0/examples/incremental.mlw000066400000000000000000000007411440160026300172460ustar00rootroot00000000000000module Ce_int32 use ref.Ref use export mach.int.Int32 meta "meta_incremental" "" let dummy_update (r: ref int32) requires { to_int !r = 22} ensures {to_int !r = 42} = r := of_int 42; r := !r + !r; end module Ce_interesting use int.Int use ref.Ref use export mach.int.Int32 meta "meta_incremental" "" let dummy_update (r: ref int32) requires { to_int !r > 22} ensures {to_int !r <= 42} = r := of_int 42; r := !r + !r; end why3-1.6.0/examples/induction.mlw000066400000000000000000000035141440160026300167420ustar00rootroot00000000000000 (** Various ways of proving p 0 p 1 forall n: int. 0 <= n -> p n -> p (n+2) --------------------------------------- forall n: int. 0 <= n -> p n by induction using theories int.SimpleInduction or int.Induction or lemma functions. *) theory Hyps use export int.Int predicate p int axiom H0: p 0 axiom H1: p 1 axiom H2: forall n: int. 0 <= n -> p n -> p (n + 2) end (** {2 With a simple induction} *) module Induction1 use Hyps predicate pr (k: int) = p k && p (k+1) clone int.SimpleInduction with predicate p = pr, lemma base, lemma induction_step goal G: forall n: int. 0 <= n -> p n end (** {2 With a strong induction} *) module Induction2 use Hyps clone int.Induction with predicate p = p, constant bound = zero goal G: forall n: int. 0 <= n -> p n end (** {2 With a recursive lemma function} *) module LemmaFunction1 use Hyps let rec lemma ind (n: int) requires { 0 <= n} ensures { p n } variant { n } = if n >= 2 then ind (n-2) (** no need to write the following goal, that's just a check this is now proved *) goal G: forall n: int. 0 <= n -> p n end (** {2 With a while loop} *) module LemmaFunction2 use Hyps use ref.Ref let lemma ind (n: int) requires { 0 <= n} ensures { p n } = let k = ref n in while !k >= 2 do invariant { 0 <= !k && (p !k -> p n) } variant { !k } k := !k - 2 done goal G: forall n: int. 0 <= n -> p n end (** {2 With an ascending while loop} *) module LemmaFunction3 use Hyps use ref.Ref let lemma ind (n: int) requires { 0 <= n} ensures { p n } = let k = ref 0 in while !k <= n - 2 do invariant { 0 <= !k <= n && p !k && p (!k + 1) } variant { n - !k } k := !k + 2 done goal G: forall n: int. 0 <= n -> p n end why3-1.6.0/examples/induction/000077500000000000000000000000001440160026300162165ustar00rootroot00000000000000why3-1.6.0/examples/induction/why3session.xml000066400000000000000000000040521440160026300212370ustar00rootroot00000000000000 why3-1.6.0/examples/induction/why3shapes.gz000066400000000000000000000010661440160026300206610ustar00rootroot00000000000000Q˪0+k{F4P dY-z }گȖEH8s]˵Y.w|I+/Z /9>lb_Z 5erV(OVn݌cry8Ψz:-M_j4Ǵ痺_g2|֫T^yRq x:}~-Giոӥ??[dsvt .<|dG e j{nV/M=?=`: #-_ Xjxf5l7Z9ˍqzT4 Z7li= 2 } ensures { prime p } ensures { divides p n } = for p = 2 to n do invariant { forall d. 2 <= d < p -> not (divides d n) } if mod n p = 0 then return p done; return n use set.Fset let lemma infinity_of_primes (n: int) : (s: fset int) requires { n >= 0 } ensures { cardinal s = n } ensures { forall k. mem k s -> prime k } = let ref s = empty in let ref x = 1 in for i = 0 to n-1 do invariant { x >= 1 } invariant { cardinal s = i } invariant { forall k. mem k s -> prime k } invariant { forall k. mem k s -> divides k x } let p = prime_factor (x+1) in x <- x * (x+1); s <- add p s done; s why3-1.6.0/examples/infinity_of_primes/000077500000000000000000000000001440160026300201165ustar00rootroot00000000000000why3-1.6.0/examples/infinity_of_primes/why3session.xml000066400000000000000000000103161440160026300231370ustar00rootroot00000000000000 why3-1.6.0/examples/infinity_of_primes/why3shapes.gz000066400000000000000000000025131440160026300225570ustar00rootroot00000000000000VnF}W𭭍;"`h@S`%Ar ;KR$e; r3wF4K>47m#n]D3LOJ|OLoñ/ti̧y"듎}~ub˷bs|n|}:oWuaDu#ϝ0@_ n8ZծSt(v=m9ߧy2uzWkѨ{/#1z=:`Q&D0`0Z͇qOn?r85C_ i)!, g^1_ڡڣ/w"RoVS~Cp.~BP?Ly?"x}\1o΋u4 U.2Wz]@#Σy-8&zK0jشΌ%ބ*}?kօ*tQC@p7aTlf&yLid\R8rQOʺQWՙbh鳯MzsJ,Bp&AZW?dv}UaLJ3ֱ?tY*K0p9Y?TJ\)d D1'ϋDH$Ѫr]Y ) why3-1.6.0/examples/insertion_sort.mlw000066400000000000000000000110311440160026300200200ustar00rootroot00000000000000 (** Insertion sort. Surprinsingly, the verification of insertion sort is more difficult than the proof of other, more efficient, sorting algorithms. One reason is that insertion sort proceeds by shifting elements, which means that, within the inner loop, the array is *not* a permutation of the initial array. Below we make use of the functional array update a[j <- v] to state that, if ever we put back `v` at index `j`, we get an array that is a permutation of the original array. *) module InsertionSort use int.Int use array.Array use array.IntArraySorted use array.ArrayPermut use array.ArrayEq let insertion_sort (a: array int) : unit ensures { sorted a } ensures { permut_all (old a) a } = for i = 1 to length a - 1 do (* a[0..i[ is sorted; now insert a[i] *) invariant { sorted_sub a 0 i /\ permut_all (old a) a } let v = a[i] in let ref j = i in while j > 0 && a[j - 1] > v do invariant { 0 <= j <= i } invariant { permut_all (old a) a[j <- v] } invariant { forall k1 k2. 0 <= k1 <= k2 <= i -> k1 <> j -> k2 <> j -> a[k1] <= a[k2] } invariant { forall k. j+1 <= k <= i -> v < a[k] } variant { j } label L in a[j] <- a[j - 1]; assert { exchange (a at L)[j <- v] a[j-1 <- v] (j - 1) j }; j <- j - 1 done; assert { forall k. 0 <= k < j -> a[k] <= v }; a[j] <- v done let test1 () = let a = make 3 0 in a[0] <- 7; a[1] <- 3; a[2] <- 1; insertion_sort a; a let test2 () ensures { result.length = 8 } = let a = make 8 0 in a[0] <- 53; a[1] <- 91; a[2] <- 17; a[3] <- -5; a[4] <- 413; a[5] <- 42; a[6] <- 69; a[7] <- 6; insertion_sort a; a exception BenchFailure let bench () raises { BenchFailure -> true } = let a = test2 () in if a[0] <> -5 then raise BenchFailure; if a[1] <> 6 then raise BenchFailure; if a[2] <> 17 then raise BenchFailure; if a[3] <> 42 then raise BenchFailure; if a[4] <> 53 then raise BenchFailure; if a[5] <> 69 then raise BenchFailure; if a[6] <> 91 then raise BenchFailure; if a[7] <> 413 then raise BenchFailure; a end module InsertionSortGen use int.Int use array.Array use array.ArrayPermut use array.ArrayEq type elt val predicate le elt elt clone map.MapSorted as M with type elt = elt, predicate le = le axiom le_refl: forall x:elt. le x x axiom le_asym: forall x y:elt. not (le x y) -> le y x axiom le_trans: forall x y z:elt. le x y /\ le y z -> le x z predicate sorted_sub (a : array elt) (l u : int) = M.sorted_sub a.elts l u predicate sorted (a : array elt) = M.sorted_sub a.elts 0 a.length let insertion_sort (a: array elt) : unit ensures { sorted a } ensures { permut_all (old a) a } = for i = 1 to length a - 1 do (* a[0..i[ is sorted; now insert a[i] *) invariant { sorted_sub a 0 i } invariant { permut_all (old a) a } let v = a[i] in let ref j = i in while j > 0 && not (le a[j - 1] v) do invariant { 0 <= j <= i } invariant { permut_all (old a) a[j <- v] } invariant { forall k1 k2. 0 <= k1 <= k2 <= i -> k1 <> j -> k2 <> j -> le a[k1] a[k2] } invariant { forall k. j+1 <= k <= i -> le v a[k] } variant { j } label L in a[j] <- a[j - 1]; assert { exchange (a at L)[j <- v] a[j-1 <- v] (j - 1) j }; j <- j - 1 done; assert { forall k. 0 <= k < j -> le a[k] v }; a[j] <- v done end (** Using swaps (instead of shifting) is less efficient but at least we can expect the loop invariant for the inner loop to be simpler. And indeed it is. The invariant below was suggested by Xavier Leroy (Collège de France). Without surprise, the proof of the permutation property is also simpler. *) module InsertionSortSwaps use int.Int use array.Array use array.ArraySwap use array.ArrayPermut let insertion_sort (a: array int) : unit ensures { forall p q. 0 <= p <= q < length a -> a[p] <= a[q] } ensures { permut_all (old a) a } = for i = 1 to length a - 1 do invariant { forall p q. 0 <= p <= q < i -> a[p] <= a[q] } invariant { permut_all (old a) a } let ref j = i in while j > 0 && a[j - 1] > a[j] do invariant { 0 <= j <= i } invariant { permut_all (old a) a } invariant { forall p q. 0 <= p <= q <= i -> q <> j -> a[p] <= a[q] } variant { j } swap a (j - 1) j; j <- j - 1 done done end why3-1.6.0/examples/insertion_sort/000077500000000000000000000000001440160026300173035ustar00rootroot00000000000000why3-1.6.0/examples/insertion_sort/why3session.xml000066400000000000000000000275541440160026300223400ustar00rootroot00000000000000 why3-1.6.0/examples/insertion_sort/why3shapes.gz000066400000000000000000000122621440160026300217460ustar00rootroot00000000000000\n$7}Л=0e݀PyZ`a0XڞV[R'xˬ*I{l,U$dĉ`D$zrSnO~I7Ĝ/ݏ۱p{}so?M;YT;u~ }vb6ﯯ?\~%\wۄ7;kS"v|KץTsgw;{v2׳Ü'a.Mv"0v=7oc.ʷ<[x RnM-)6.ο \yP -95*'Tg,Q%%e # s2)ͧ O_ ~TEzᅳ_XdQ$x` dOZRyLlh5?((}(.HO ܑNKĤ}x~AF Wpm*R7kp]}}UUiunU[ ڗdE A.hY"ɺ tW)|Gs ; ݔуV,ېR!d\՘x`!d lpz&5:$[ $yTH!$PIр! mOVTc0k?( PSAj?]/ ?q_.JX؃9ś@ljmbW,6X\Rol/Z9 UWwJ},.%Q0{gs Xe X!ryHU5@7v ʖ6ˊVɻ0_\>r;+WWa^\٘ol+̷̻y߅p߅^2+k+{h,2ua X-B]Ys,vT$,^¼7v*(˞bjm @+`C9zws=WR׷w|y~ˡ<`ûtwrOJ?S{O/[?}hE95h.d:IFޙhjIUdWr (z ME%GjITXSz!W#1nh!\{lm'9jdۧrjJbW^^:D ӻT*v4繯UYgpٷJ.V\xFW[qUH>05i_겣n|}sr4s~=嶻d4tS:(6@TZ,i9ǁƁX 7JF堩7O0pKbhrYhV_|Z~(]`udxd{-㯲gŻQFpnfmբ(5VRve< 6ŖջDu̢)vP*V竕W,-,-jZUKl.L+$QZbVGd+/f⽹ay-,{\a7׵#B\Js\sԼR=<4w@aRVku(mu4MhKKޒWC{Ne)}?m߳r#v% °Z"wPY\iOF =՞^Ί+S GnᘤwC<ԛ<=nQ*UkqY!!>s%#4Z'dﶂYG~cx\Ԍ1gصTH-cpŕɴ 1Sv\R740_.rź𦕝6։20XmLt-rCn|pJ|G-l棎;YnI 6mD YI ~Y}G>ϲ믴* rθ*Z@KIs U.ua80$>Ja(tY);L~61~>v_yZ6gA tAeٷƾw t<%]|ix{i+<[,OETz W/x+>@ܟ(mA+n_q-1ЪeRv\ɟ۵}[_۪Jw #V#VҺcOn77dJ!xwiض=x*b4UE>VZZvfH>BE>+iUn,n*N"Uꪢ܌Wn|z:^ߠ>Q烔7g.Yg7:l棇_HGόU?Bz=P.5|o>Xjt.BRtе1]|+Ƭl qwNw_C+ p >3#,^.QPiHK]REՍ)jW[#EeoLHKZ:5%8[dh!fzZL`){=:Lyvޠ'Sَذ{Q%~Q\zZE(^nsk9*7l!`!|Yв/zl=N2aţ ٚCVG^YX~ ?~k苗Me;[Fߺ?E͖M!qqYh^uK?u.?o.kFg\rmt8gXxqU_Q~D#v||RvT]ep1jtQ)@ V#5_I}ç4Kw1\벑5)\mPZ>Jny!|(+N?Ê7iuo\꯶_;<otw^[I\CˆNY@$´'ȦP*aw-Ly|-&.ŵ`VC+6r(*ߔZfv#vv:{zS^oT^3/c6?joa7嘃/;3NyMW8:+]#Ln=HvfiOf E7_=sx޳KBKa/VU-B?g)qӕcqB#Os8mtI읬쯫ydYlInNFXkYqPU2zbG_y)|,߇!i%AN#!-4wTOEG J :oSyǂR=[eڳrHe0uVlnYGey5|){4}?*>&Fd5S(?;.&n3Mg6̼N;R*{eU &CǡvdMܞȭd%f;3k.IT7J8sVbAUbAͨ7<པs&C|C&4`)L)Cr͎Yr93Nـh;Q1pYēE3Lse 813mS^(k=&*q꠸WQ9Mղ\p|{4Yz-KI<nc'\mLY :sv9Iyf6ΟpzJy!Mf7(ω-d)jn#蕞Q~i U.&%Y k0sB%9Kf)G@f*XbfI;gA&NlbxdsZ4TH.)FfgqdF%.BnzfIZnc$g`qrT ѩɣ8IrKw"VV4E&L섈7Hl3 69$Ur٬՘*!SuTW!BXT`V%iM dRW;i$,9"E4U{,1 ",f@i];1Z %Y{u\AvJPuT6*gB$a"@XJZGnLR3j-5jWraY ϝIDRTk&+JZ+TxI[hK(&+#`t4n^*7bT+1%$ȡ9z,Bd\ о_6 at`csTY;f.X`ʰنd2a~nB JPUJBBW.&,"bJLٱ1N01;W5X`rD7$rcf%l,KaX *7=3+j1OkX/:'gng ep&GgP6[CXajƱ) $&i60ha8yj)Zrk'vf',|z@.ՌWS,`@7p\E795u[k!J +*VBX8NdFN&#zFl:>J? IBC!d-f^ ę'Q 5f JN'o:yRa0,Ed5 d`<%|ٓhmO=sPb!4xe4sArٙ7l?f(4f+n<xiD+ڭ7 Pыw$aMBJ] Cons x Nil | Cons y r -> if le x y then Cons x l else Cons y (insert x r) end let rec insertion_sort (l: list elt) : list elt ensures { sorted result } ensures { permut l result } variant { l } = match l with | Nil -> Nil | Cons x r -> insert x (insertion_sort r) end end why3-1.6.0/examples/insertion_sort_list/000077500000000000000000000000001440160026300203365ustar00rootroot00000000000000why3-1.6.0/examples/insertion_sort_list/why3session.xml000066400000000000000000000030561440160026300233620ustar00rootroot00000000000000 why3-1.6.0/examples/insertion_sort_list/why3shapes.gz000066400000000000000000000011661440160026300230020ustar00rootroot00000000000000Tn@2Z\Z 3(H;gx,r S]U]Х[һ c 8NOp8]H'~ pr*(gFOtKyPwniw>u\p:[pt&}:8cq~g jdWSs5؏; tlR1i~ چN}Cs_PO?]l ˙Gsic|}{|/! \3BpoorJ7gg3uFldQ AS CuĽҁ*VWf]/TٲS<~ 6;NZ%@JۥMSp[w~Ur)ttT˥~X!0Ƅ40_@o8G_q1~Ԝc Hhk aCɄRQ (XB҇2HŔ{|du(-7,@3A"bJKfckS$Ź2܈ SS 4ڊ@SRYIS`K歈0TT/!$'`K0䩔U j#oB)Hx[ib%g-C !?Dwhy3-1.6.0/examples/insertion_sort_naive.mlw000066400000000000000000000123361440160026300212130ustar00rootroot00000000000000(* "naive" version of insertion sort: makes too many assignments see insertion_sort.mlw for a better version *) module InsertionSortNaive use int.Int use ref.Ref use ref.Refint use array.Array use array.IntArraySorted use array.ArrayPermut let sort (a:array int) ensures { sorted a } ensures { permut_all (old a) a } = for i = 0 to a.length - 1 do invariant { permut_all (old a) a } invariant { sorted_sub a 0 i } let j = ref i in while !j > 0 && a[!j-1] > a[!j] do invariant { 0 <= !j <= i } invariant { permut_all (old a) a } invariant { sorted_sub a 0 !j } invariant { sorted_sub a !j (i+1) } invariant { forall k1 k2:int. 0 <= k1 < !j /\ !j+1 <= k2 <= i -> a[k1] <= a[k2] } variant { !j } label L in let b = !j - 1 in let t = a[!j] in a[!j] <- a[b]; a[b] <- t; assert { exchange (a at L) a (!j-1) !j }; decr j done done end module InsertionSortNaiveGen use int.Int use ref.Ref use ref.Refint use array.Array use array.ArrayPermut type elt val predicate le elt elt clone map.MapSorted as M with type elt = elt, predicate le = le axiom le_refl: forall x:elt. le x x axiom le_asym: forall x y:elt. not (le x y) -> le y x axiom le_trans: forall x y z:elt. le x y /\ le y z -> le x z predicate sorted_sub (a : array elt) (l u : int) = M.sorted_sub a.elts l u predicate sorted (a : array elt) = M.sorted_sub a.elts 0 a.length let sort (a:array elt) ensures { sorted a } ensures { permut_all (old a) a } = for i = 0 to a.length - 1 do invariant { permut_all (old a) a } invariant { sorted_sub a 0 i } let j = ref i in while !j > 0 && not (le a[!j-1] a[!j]) do invariant { 0 <= !j <= i } invariant { permut_all (old a) a } invariant { sorted_sub a 0 !j } invariant { sorted_sub a !j (i+1) } invariant { forall k1 k2:int. 0 <= k1 < !j /\ !j+1 <= k2 <= i -> le a[k1] a[k2] } variant { !j } label L in let b = !j - 1 in let t = a[!j] in a[!j] <- a[b]; a[b] <- t; assert { exchange (a at L) a (!j-1) !j }; decr j done done end module InsertionSortParam use int.Int use ref.Ref use ref.Refint use map.Map use array.Array use array.ArrayPermut type param type elt val predicate le param elt elt axiom le_refl: forall p:param, x:elt. le p x x axiom le_asym: forall p:param, x y:elt. not (le p x y) -> le p y x axiom le_trans: forall p:param, x y z:elt. le p x y /\ le p y z -> le p x z (* a[l..u) is sorted for le *) predicate sorted_sub (p:param) (a : Map.map int elt) (l u : int) = forall i1 i2 : int. l <= i1 <= i2 < u -> le p (Map.get a i1) (Map.get a i2) predicate sorted (p:param) (a : array elt) = sorted_sub p a.elts 0 a.length let sort (p:param) (a:array elt) ensures { sorted p a } ensures { permut_all (old a) a } = for i = 0 to a.length - 1 do invariant { permut_all (old a) a } invariant { sorted_sub p a.elts 0 i } let j = ref i in while !j > 0 && not (le p a[!j-1] a[!j]) do invariant { 0 <= !j <= i } invariant { permut_all (old a) a } invariant { sorted_sub p a.elts 0 !j } invariant { sorted_sub p a.elts !j (i+1) } invariant { forall k1 k2:int. 0 <= k1 < !j /\ !j+1 <= k2 <= i -> le p a[k1] a[k2] } variant { !j } label L in let b = !j - 1 in let t = a[!j] in a[!j] <- a[b]; a[b] <- t; assert { exchange (a at L) a (!j-1) !j }; assert { sorted_sub p a.elts (!j-1) (i+1) }; decr j done done end module InsertionSortParamBad (* this version is hard to prove because predicate sorted_sub applies to an array instead of a map *) use int.Int use ref.Ref use ref.Refint use map.Map use array.Array use array.ArrayPermut type param type elt val predicate le param elt elt axiom le_refl: forall p:param, x:elt. le p x x axiom le_asym: forall p:param, x y:elt. not (le p x y) -> le p y x axiom le_trans: forall p:param, x y z:elt. le p x y /\ le p y z -> le p x z (* a[l..u) is sorted for le *) predicate sorted_sub (p:param) (a : array elt) (l u : int) = forall i1 i2 : int. l <= i1 <= i2 < u -> le p a[i1] a[i2] predicate sorted (p:param) (a : array elt) = sorted_sub p a 0 a.length let sort (p:param) (a:array elt) ensures { sorted p a } ensures { permut_all (old a) a } = for i = 0 to a.length - 1 do invariant { permut_all (old a) a } invariant { sorted_sub p a 0 i } let j = ref i in while !j > 0 && not (le p a[!j-1] a[!j]) do invariant { 0 <= !j <= i } invariant { permut_all (old a) a } invariant { sorted_sub p a 0 !j } invariant { sorted_sub p a !j (i+1) } invariant { forall k1 k2:int. 0 <= k1 < !j /\ !j+1 <= k2 <= i -> le p a[k1] a[k2] } variant { !j } label L in let b = !j - 1 in let t = a[!j] in a[!j] <- a[b]; a[b] <- t; assert { exchange (a at L) a (!j-1) !j }; decr j done done end why3-1.6.0/examples/insertion_sort_naive/000077500000000000000000000000001440160026300204655ustar00rootroot00000000000000why3-1.6.0/examples/insertion_sort_naive/why3session.xml000066400000000000000000000022651440160026300235120ustar00rootroot00000000000000 why3-1.6.0/examples/insertion_sort_naive/why3shapes.gz000066400000000000000000000023141440160026300231250ustar00rootroot00000000000000WMo#7 W. Hh,`0l`SBlzv4_v`HHJ{|<=~^ǟh:}|cAtiAlFOA7r5dy _1LJƹ+>%i0[܊>5+27_!,;aW&C EH|_p:e]!>~k01TAr&㹽yDp<.gPa(#cIS""#P6Gp;ϤKH cOSAAo.o!mniGaő,_\C &^q?Ck<[bJRW5ƮrmPe[k}8 4r@#5ܨqqkk+:_d~]vO%Y`7ɢG뉊ة@$K(bMѳ/jKHutŚHlI/5PJXL6tlY$'U1wl- CE%fzBdXOz̰rF?0,EO94P23sb`8 0űD#=ɛK8k)&ÈTz ҽ:g7L6Go.dJpN;վtpEΛJJG Ӑm_ jT4UYÑڧ0OE}%p$@n :w.:2OW#nqMZ6.5ʛ#'/#XY&)0Flըu7 CS%!?~FAWw7iM ٹyjҐbOytm4v%GZ#AV$O7 Vfo|us}uW7<6'0$% "'KDAw%2QYD;eX=Tb!9ӵUƸ6/F,,N*N 4mT fsVwBjd4BؽavCTv^Lg*ش~ P)2~˃kIwhy3-1.6.0/examples/inverse_in_place.mlw000066400000000000000000000057151440160026300202600ustar00rootroot00000000000000 (* Inverse of a permutation, in place Algorithm I The Art of Computer Programming, volume 1, Sec. 1.3.3, page 176 The idea is to inverse each orbit at a time, using negative values to denote elements already inversed. The main loop scans the array and proceeds as follows: a negative value -x-1 is simply changed into x; a nonnegative value is the topmost element of a new orbit, which is inversed by the inner loop. Authors: Martin Clochard (École Normale Supérieure) Jean-Christophe Filliâtre (CNRS) Andrei Paskevich (Université Paris Sud) *) module InverseInPlace use int.Int use int.NumOf use ref.Ref use array.Array let function (~_) (x: int) : int = -x-1 function numof (m: int -> int) (l r: int) : int = NumOf.numof (fun n -> m n >= 0) l r predicate is_permutation (a: array int) = forall i. 0 <= i < length a -> 0 <= a[i] < length a /\ forall j. 0 <= j < length a -> i <> j -> a[i] <> a[j] lemma is_permutation_inverse: forall a b: array int. length a = length b -> is_permutation a -> (forall i. 0 <= i < length b -> 0 <= b[i] < length b) -> (forall i. 0 <= i < length b -> a[b[i]] = i) -> is_permutation b predicate loopinvariant (olda a: array int) (m m' n: int) = (forall e. 0 <= e < n -> -n <= a[e] < n) /\ (forall e. m < e < n -> 0 <= a[e]) /\ (forall e. m < e < n -> olda[a[e]] = e) /\ (forall e. 0 <= e <= m' -> a[e] >= 0 -> olda[e] = a[e]) /\ (forall e. 0 <= e <= m -> a[e] <= m) /\ (forall e. 0 <= e <= m' -> a[e] < 0 -> olda[~ a[e]] = e /\ (~a[e] <= m -> a[~a[e]] < 0)) let inverse_in_place (a: array int) requires { is_permutation a } ensures { is_permutation a } ensures { forall i. 0 <= i < length a -> (old a)[a[i]] = i } = let n = length a in for m = n - 1 downto 0 do invariant { loopinvariant (old a) a m m n } let ref i = a[m] in if i >= 0 then begin (* unrolled loop once *) a[m] <- -1; let ref j = (~m) in let ref k = i in i := a[i]; while i >= 0 do invariant { a[k] = i <= m /\ 0 <= k <= m /\ ~m <= j < 0 /\ (old a)[~ j] = k /\ a[~ j] < 0 /\ a[m] < 0 } invariant { forall e. 0 <= e < m -> a[e] < 0 -> a[e] <> j } invariant { loopinvariant (old a) a m (m-1) n } variant { numof a.elts 0 n } a[k] <- j; j := ~ k; k := i; i := a[k] done; assert { k = m }; i := j end; assert { (old a)[~ i] = m }; a[m] <- ~ i done end module Harness use array.Array use InverseInPlace (* (0 2) (1) *) let test1 () = let a = make 3 0 in a[0] <- 2; a[2] <- 0; a[1] <- 1; inverse_in_place a; a (* (0 1 2) *) let test2 () = let a = make 3 0 in a[0] <- 1; a[1] <- 2; a[2] <- 0; inverse_in_place a; a end (* Local Variables: compile-command: "why3 ide inverse_in_place.mlw" End: *) why3-1.6.0/examples/inverse_in_place/000077500000000000000000000000001440160026300175275ustar00rootroot00000000000000why3-1.6.0/examples/inverse_in_place/why3session.xml000066400000000000000000000117271440160026300225570ustar00rootroot00000000000000 why3-1.6.0/examples/inverse_in_place/why3shapes.gz000066400000000000000000000042031440160026300221660ustar00rootroot00000000000000[Ko#WdXd0`ueH {ߞ"E=;l ǯbWӜ(ʼ\/ ފ龊ltUԛ^Lfu?4Ob$X#&Q`1QL9g5 DSh)`,1NTo*q XBLk0w8 9PVRt6JƉԱUD^o@է'ɢ{OyGRՉE|a9aHFsNtO}}G$YI$٬|n3nƌ[11}/VaMXb y X4[GM`_R̫5&3i𖆷4'ORJR ͐hs7\h3ʡn3RJr薽e1{R޶ndwwSOU 5' o#lFx$ym9Llxy+^>U&7o^Zʼb iz⊌mZ(*?@B`8$ɷ-!yB ?l^9Gu <|g>kgn'TL/l5D}շ;)na/~>p-;-_4eO߾xڮInN^&,/*SƄMm68KB=4&.=)3+.ѡˆ)PQ74ѼWv9E'Ll9~fA7n?6|rC֎Π =1k")I5Qk"2#>?DĦ&4@9H0XH]-nwbԃvU{n ȳ f<@ʹRe. f}==)U-ʤEZbVfa'v2aM%\ a'SpWײ\){MEe˟>m>=?LJI]g-v^O/ҺͰI¥%!3?OO, D Ru$P5<>Q[.}N X7>4=8^݆ia^E%B'k$ZgW sU^k 1 "ղzSV/##ŧHAIHy)# #YZiYxsHY@J/l!Yv訲uQdO\sB'6s 9Mq/".ź G<}Zh$ȕԑ\#Y  d"ɝvR*MnPԙT 0#(MPY{k3Ko>eA :0dW͐ 鬳B5 &fKoAD S6XbONDR>08DA 4Z,k4FH=& օP u42BIy[ƀFXZAP$EnLɜ .E */AA AgD`J46GEu,rƢ#, QY: ћ!%gb@S$QXrB) xd.bL;]yaxF@EFŀ@L#hNxIń4z&g rrZԔ,yai G$̊ˑ 9ԑ\))8"H QF.,J*(Dj026%cu$d̙#E%7kk.[M&i(/pu,,RW(iҜ(&76 |iť(Zdܪc;-%xSǙXr-pP$y'I6/^ /H8why3-1.6.0/examples/isqrt.mlw000066400000000000000000000037411440160026300161120ustar00rootroot00000000000000 (** {1 Integer square root} *) module Square use int.Int function sqr (x:int) : int = x * x lemma sqr_non_neg: forall x:int. sqr x >= 0 lemma sqr_increasing: forall x y:int. 0 <= x <= y -> sqr x <= sqr y lemma sqr_sum : forall x y : int. sqr(x+y) = sqr x + 2*x*y + sqr y predicate isqrt_spec (x res:int) = res >= 0 /\ sqr res <= x < sqr (res + 1) end (** {2 Simple algorithm} *) module Simple use int.Int use ref.Refint use Square let isqrt (x:int) : int requires { x >= 0 } ensures { isqrt_spec x result } = let ref count = 0 in let ref sum = 1 in while sum <= x do invariant { count >= 0 } invariant { x >= sqr count } invariant { sum = sqr (count+1) } variant { x - count } count += 1; sum += 2 * count + 1 done; count let main () ensures { result = 4 } = isqrt 17 end (** {2 Another algorithm, in the style of Newton-Raphson} *) module NewtonMethod use int.Int use mach.int.Int use ref.Ref use Square let sqrt (x : int) : int requires { x >= 0 } ensures { isqrt_spec x result } = if x = 0 then 0 else if x <= 3 then 1 else let ref y = x in let ref z = (1 + x) / 2 in while z < y do variant { y } invariant { z > 0 } invariant { y > 0 } invariant { z = div (div x y + y) 2 } invariant { x < sqr (y + 1) } invariant { x < sqr (z + 1) } y <- z; z <- (x / z + z) / 2; (* A few hints to prove preservation of the last invariant *) assert { x < sqr (z + 1) by let a = div x y in x < a * y + y so a + y <= 2 * z + 1 so sqr (a + y + 1) <= sqr (2 * z + 2) so 4 * (sqr (z + 1) - x) = sqr (2 * z + 2) - 4 * x >= sqr (a + y + 1) - 4 * x > sqr (a + y + 1) - 4 * (a * y + y) = sqr (a + 1 - y) >= 0 } done; assert { y * y <= div x y * y by y <= div x y }; y end why3-1.6.0/examples/isqrt/000077500000000000000000000000001440160026300153645ustar00rootroot00000000000000why3-1.6.0/examples/isqrt/why3session.xml000066400000000000000000000137761440160026300204220ustar00rootroot00000000000000 why3-1.6.0/examples/isqrt/why3shapes.gz000066400000000000000000000034621440160026300200310ustar00rootroot00000000000000Zmk#9_.a@U*s`w_5ޯڎijejuIU4܍&܌(wA%Xԩ~ýU<TIԾ.lJ矸gw + aPz4ܿmQnm Fh&#Y.Mi\㚋إøEGSy6 a3th N`G&9 %'>uwt>>l}^?qIn,e| G-I?Ӑ_-yTnX~ l~~xx_f~jM2` ۦ3il8lqL=ޝM`*%\{਺es`|1Y=ٸ\coZNlO]eǖ`B=f_ oguv3rzDuXh~&Ьq}ӊW ^XWsOM_ό]c7;5}o<*g+_#| G37>td=`+ܴ N p[%G+9C%_r'b4Zm'o:d듞ofQc2v%)dSVs.HlRj+iI,,Vv΂Ӕ"&!'1I&C*3)Xv(LTEQ*tHq+#jDJAk!⊔@Dm/ h]U&.E;6ʔ9k0k^Ŗ\@ 6+LUf)d0x @U+bT:9G zc& @+Pk2ZyJ*+q@"@Ѳ!*X`<$[\$ J@pQKþT٢8YC"Ŭ0PDmdI MŜBXUa\sYr$ ZCS/,1A#"`l |l.R}ZX̶RV`}h %9TF$Q&)EXm)/R>h.Qddr2yg$MN(.F"H$q:xQJYD82eBV`b G~u AW Ō@2r.!O&WL"56 k)dĜ>fJ+r{Udm^xCi YCĉYCԘ̈AJ)A3$QN(3K{Ji9(p(: 1̜YA\Qr\ex. }sBqPQ j:ECZP)u1/ G)OJ u-Q  EʻRCsoBRf/ #s)rH%F1 ڟT1why3-1.6.0/examples/isqrt_von_neumann.mlw000066400000000000000000000177611440160026300205240ustar00rootroot00000000000000 (** {1 Integer Square Root: Hacker's version} We present certified version of programs for computing the square root of machine integers. This implementation is a very efficient one making use of low-level bitwise operations. The algorithm originated from Warren's book "Hacker's Delight", Figure 11.4. The reference C code is as follows {h 
    int isqrt4(unsigned x) {
     unsigned m, y, b;
     m = 0x40000000;
     y = 0;
     while(m != 0) {              // Do 16 times.
        b = y | m;
        y = y >> 1;
        if (x >= b) {
           x = x - b;
           y = y | m;
        }
        m = m >> 2;
     }
     return y;
  }

    }

We present 3 different implementations respectively for 16, 32 and 64
bits. The proofs become significantly more difficult when increasing
the number of bits, so a need for more manual steps shows up in the 64
bits version.

*)


(** {2 Version 16 bits} *)

module VonNeumann16

  use ref.Ref
  use bv.BV16

  function sqr (x:t) : t = mul x x
  function succ (x:t) : t = add x (1:t)
  function pred (x:t) : t = sub x (1:t)
  function pow2 (n:t) : t = lsl_bv (1:t) n
  predicate is_pow2 (x:t) (n:t) = bw_and x (pred (pow2 n)) = (0:t)

  lemma sqr_add2: forall x y.
    sqr (add x y) = add (sqr x) (mul y (add (mul (2:t) x) y))

  let isqrt16 (x:t) : t
    ensures { ule (sqr result) x }
    ensures { ule x (pred (sqr (succ result)))  }
  = let num = ref x in
    let bits = ref (0x4000:t) in
    let res = ref (0:t) in
    let ghost m = ref (8:t) in
    let ghost bits_g = ref (0x80:t) in   (* 2^{m-1} *)
    let ghost res_g = ref (0:t) in     (* res / 2^m *)
    while not (eq !bits (0:t)) do
      variant { !bits }
      (* 0 <= m <= 8 *)
      invariant { ule !m (8:t) }
      (* bits_g = 2^{m-1} ou 0 si m=0 *)
      invariant { !bits_g = if !m=(0:t) then (0:t) else pow2 (pred !m) }
      (* bits = bits_g^2 *)
      invariant { !bits = sqr !bits_g }
      (* res_g multiple de 2^m *)
      invariant { is_pow2 !res_g !m }
      (* res_g smaller than 2^8 *)
      invariant { ult !res_g (0x100:t) }
      (* res = res_g * 2^m *)
      invariant { !res = mul !res_g (pow2 !m) }
      (* num <= x *)
      invariant { ule !num x }
      (* (x - num) is the square of (res / 2^m) *)
      invariant { sub x !num = sqr !res_g }
      invariant {ule (add !res_g (pow2 !m)) (0x100:t)}
      (* x < (res_g + 2^m)^2 *)
      invariant { ule x (pred (sqr (add !res_g (pow2 !m)))) }

      (* m is not null, let's subtract 1 *)
      assert { !m <> (0:t) };
      label L1 in
      ghost m := pred !m;
      assert { (!m at L1) = succ !m };
      assert { !res = mul !res_g (pow2 (succ !m)) };
      assert { !bits_g = pow2 !m };
      let b = bw_or !res !bits in
      assert { b = add !res !bits };
      assert { b = mul (add (mul (2:t) !res_g) !bits_g) (pow2 !m) };
      res := lsr_bv !res (1:t);
      assert { !res = mul !res_g (pow2 !m) };
      if uge !num b then
        begin
        num := sub !num b;
        label L in
        res := bw_or !res !bits;
        assert { !res = add (!res at L) !bits };
        assert { !res = mul (add !res_g !bits_g) (pow2 !m) };
        res_g := add !res_g !bits_g
        end;
      bits := lsr_bv !bits (2:t);
      ghost bits_g := lsr_bv !bits_g (1:t)
    done;
    !res

end

(** {2 Version 32 bits} *)

module VonNeumann32

  use ref.Ref
  use bv.BV32

  function sqr (x:t) : t = mul x x
  function succ (x:t) : t = add x (1:t)
  function pred (x:t) : t = sub x (1:t)
  function pow2 (n:t) : t = lsl_bv (1:t) n
  predicate is_pow2 (x:t) (n:t) = bw_and x (pred (pow2 n)) = (0:t)

  lemma sqr_add2: forall x y.
    sqr (add x y) = add (sqr x) (mul y (add (mul (2:t) x) y))

  let isqrt32 (x:t) : t
    ensures { ule (sqr result) x }
    ensures { ule x (pred (sqr (succ result)))  }
  = let num = ref x in
    let bits = ref (0x4000_0000:t) in
    let res = ref (0:t) in
    let ghost m = ref (16:t) in
    let ghost bits_g = ref (0x8000:t) in   (* 2^{m-1} *)
    let ghost res_g = ref (0:t) in     (* res / 2^m *)
    while not (eq !bits (0:t)) do
      variant { !bits }
      (* 0 <= m <= 16 *)
      invariant { ule !m (16:t) }
      (* bits_g = 2^{m-1} ou 0 si m=0 *)
      invariant { !bits_g = if !m=(0:t) then (0:t) else pow2 (pred !m) }
      (* bits = bits_g^2 *)
      invariant { !bits = sqr !bits_g }
      (* res_g multiple de 2^m *)
      invariant { is_pow2 !res_g !m }
      (* res_g smaller than 2^16 *)
      invariant { ult !res_g (0x1_0000:t) }
      (* res = res_g * 2^m *)
      invariant { !res = mul !res_g (pow2 !m) }
      (* num <= x *)
      invariant { ule !num x }
      (* (x - num) est le carré de (res / 2^m) *)
      invariant { sub x !num = sqr !res_g }
      invariant {ule (add !res_g (pow2 !m)) (0x1_0000:t)}
      (* x < (res_g + 2^m)^2 *)
      invariant { ule x (pred (sqr (add !res_g (pow2 !m)))) }

      (* m is not null, let's subtract 1 *)
      assert { !m <> (0:t) };
      label L1 in
      ghost m := pred !m;
      assert { (!m at L1) = succ !m };
      assert { !res = mul !res_g (pow2 (succ !m)) };
      assert { !bits_g = pow2 !m };
      let b = bw_or !res !bits in
      assert { b = add !res !bits };
      assert { b = mul (add (mul (2:t) !res_g) !bits_g) (pow2 !m) };
      res := lsr_bv !res (1:t);
      assert { !res = mul !res_g (pow2 !m) };
      if uge !num b then
        begin
        num := sub !num b;
        label L in
        res := bw_or !res !bits;
        assert { !res = add (!res at L) !bits };
        assert { !res = mul (add !res_g !bits_g) (pow2 !m) };
        res_g := add !res_g !bits_g
        end;
      bits := lsr_bv !bits (2:t);
      ghost bits_g := lsr_bv !bits_g (1:t)
    done;
    !res

end


(** {2 Version 64 bits} *)

module VonNeumann64

  use ref.Ref
  use bv.BV64

  function sqr (x:t) : t = mul x x
  function succ (x:t) : t = add x (1:t)
  function pred (x:t) : t = sub x (1:t)
  function pow2 (n:t) : t = lsl_bv (1:t) n
  predicate is_pow2 (x:t) (n:t) = bw_and x (pred (pow2 n)) = (0:t)

  lemma sqr_add2: forall x y.
    sqr (add x y) = add (sqr x) (mul y (add (mul (2:t) x) y))

  let isqrt64 (x:t) : t
    ensures { ule (sqr result) x }
    ensures { ule x (pred (sqr (succ result))) }
  = let num = ref x in
    let bits = ref (0x4000_0000_0000_0000:t) in
    let res = ref (0:t) in
    let ghost m = ref (32:t) in
    let ghost bits_g = ref (0x8000_0000:t) in   (* 2^{m-1} *)
    let ghost res_g = ref (0:t) in     (* res / 2^m *)
    while not (eq !bits (0:t)) do
      variant { !bits }
      (* 0 <= m <= 32 *)
      invariant { ule !m (32:t) }
      (* bits_g = 2^{m-1} or 0 if m=0 *)
      invariant { !bits_g = if !m=(0:t) then (0:t) else pow2 (pred !m) }
      (* bits = bits_g^2 *)
      invariant { !bits = sqr !bits_g }
      (* res_g multiple of 2^m *)
      invariant { is_pow2 !res_g !m }
      (* res_g smaller than 2^32 *)
      invariant { ult !res_g (0x1_0000_0000:t) }
      (* res = res_g * 2^m *)
      invariant { !res = mul !res_g (pow2 !m) }
      (* num <= x *)
      invariant { ule !num x }
      (* (x - num) is the square of (res / 2^m) *)
      invariant { sub x !num = sqr !res_g }
      invariant {ule (add !res_g (pow2 !m)) (0x1_0000_0000:t)}
      (* x < (res_g + 2^m)^2 *)
      invariant { ule x (pred (sqr (add !res_g (pow2 !m)))) }

      (* m is not null, let's subtract 1 *)
      assert { !m <> (0:t) };
      label L1 in
      ghost m := pred !m;
      assert { (!m at L1) = succ !m };
      assert { !res = mul !res_g (pow2 (succ !m)) };
      assert { !bits_g = pow2 !m };
      let b = bw_or !res !bits in
      assert { b = add !res !bits };
      assert { b = mul (add (mul (2:t) !res_g) !bits_g) (pow2 !m) };
      res := lsr_bv !res (1:t);
      assert { !res = mul !res_g (pow2 !m) };
      if uge !num b then
        begin
        num := sub !num b;
        label L in
        res := bw_or !res !bits;
        assert { !res = add (!res at L) !bits };
        assert { !res = mul (add !res_g !bits_g) (pow2 !m) };
        res_g := add !res_g !bits_g
        end;
      bits := lsr_bv !bits (2:t);
      ghost bits_g := lsr_bv !bits_g (1:t)
    done;
    assert { !m = (0:t) };
    assert { !bits = (0:t) };
    !res

end
why3-1.6.0/examples/isqrt_von_neumann/000077500000000000000000000000001440160026300177675ustar00rootroot00000000000000why3-1.6.0/examples/isqrt_von_neumann/why3session.xml000066400000000000000000001332701440160026300230150ustar00rootroot00000000000000










 
 
 
 
 
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
 
 


 
 
  
  
  
 
 
 
 
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
   
   
    
    
     
     
     
    
    
    
    
    
   
   
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
 
 


 
 
  
  
  
 
 
 
 
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
   
   
    
    
     
     
     
    
    
    
    
    
   
   
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
   
   
    
    
     
     
      
      
      
      
      
       
       
        
        
         
         
          
          
          
          
          
           
           
           
           
           
           
          
          
         
         
         
         
          
          
           
           
           
           
           
            
            
            
            
            
             
             
              
              
               
               
               
               
               
                
                
                 
                 
                 
                
                
                
                
                 
                 
                 
                 
                 
                  
                  
                   
                   
                    
                    
                     
                     
                      
                      
                      
                      
                      
                       
                       
                        
                        
                        
                        
                        
                         
                         
                          
                          
                          
                          
                          
                          
                         
                         
                         
                         
                         
                        
                        
                       
                       
                      
                      
                     
                     
                    
                    
                    
                    
                     
                     
                      
                      
                       
                       
                        
                        
                         
                         
                         
                         
                         
                          
                          
                           
                           
                            
                            
                             
                             
                             
                             
                             
                             
                            
                            
                            
                            
                            
                           
                           
                          
                          
                          
                          
                          
                         
                         
                        
                        
                        
                        
                        
                       
                       
                       
                       
                       
                      
                      
                      
                      
                       
                       
                        
                        
                         
                         
                         
                         
                         
                          
                          
                           
                           
                            
                            
                             
                             
                              
                              
                               
                               
                               
                               
                               
                                
                                
                                
                                
                               
                               
                              
                              
                              
                              
                              
                             
                             
                             
                             
                             
                            
                            
                            
                            
                            
                           
                           
                          
                          
                          
                          
                          
                         
                         
                        
                        
                        
                        
                        
                       
                       
                       
                       
                       
                      
                      
                     
                     
                     
                     
                     
                    
                    
                   
                   
                   
                   
                   
                  
                  
                  
                  
                   
                   
                   
                   
                   
                   
                  
                  
                 
                 
                
                
               
               
              
              
             
             
            
            
           
           
          
          
          
          
          
         
         
        
        
       
       
      
      
     
     
    
    
   
   
  
  
  
  
  
  
  
  
  
  
  
  
  
  
 
 



why3-1.6.0/examples/isqrt_von_neumann/why3shapes.gz000066400000000000000000000223301440160026300224270ustar00rootroot00000000000000}[oG;v׃?$`Cy!ֲ"5_ȬM$vKvUdD'??9gxc,e%V+myWY?׾鷚}?Ǐ+ׇ^=io[~?^os}^?>S?>s>Ӳ-odleyRAY|5S1wo|5+RocOۍ潡IIMZ7%f?߮k?gܼ{vgw[W}7$V^<+6mlqw2)Kھtۗ;c3WZo\՜W wc~q{t3/1}
o0h8iɀ376g뇏0D3L"j{e/_f443zW#F4]5ʒrfR뺇#W[CȬ>
itXl(ى^zl?&x&x^x4`XXXO_Ϳ]~"	mq,|?\v1߯GIHzEmoo3{sDDDF{_߱^QjXXxQۅ]u>+@
^+7t;}9`$7E&>թ&L2x;d=hm?a2d42W]N*T0QH;\@rr	o6@|BI&1Zb8t-TO~0v90ڕij Iefңjn!PPPyB.(A7q4q4qqҹOMM}^iˉcippo.
pppTyvN!?w?И[CjBw?n?mc?~5+:?,tXm{:HXtM~gvwʯk]
+wct/6ġZy#Xzt0>Jן\(2zwFZ;|y>9sqߓ92=KZ9g"Hy6keBؿ;|>+x'Y|<7腮<}`L:8n}[[W4￶O_D}ag"#l7vo~^9/Ƚ##6%NN[I!Ǽi!Bm} w0RCʍq_M.s<[Oew)vu7W8~OmuYZ_zi=[Oj0RS>aW3AO:A7Ԧ2MMM}%}DDDeO6PPP{XL'W}㩯7Uv=IjNy>~B~B~BeC~9f>T~ܧxxG?.?nX{>g:i>M<~Zgk (ijG;IIF9]1yֈb>?^vٗ;c;]~7l'ӇS8Ĩ`9<ݴgUg`=]{#ԧO$-Ym=D{;g<5uTu8$=.s;9x3]N']^ٜHH$LI7yz)\F133t	|nn(wi<L`[5o:b'ͽ2				7ߝ}ĤI&?bN}sa&%LJb)aѓ&'LNx地=_wq&+LVx0|y&%LJx0z}
;nbht6WŎox/ F<1v&Ly鴳U]=a&?f~خG77͞y9Nxn\ffffy>w=errY{*M|N|N|~כ럁6!;!;!7888~Q8^{T~Q~Ӈ'''_oEJ&Lx}pA>&Zj׿z/tx}]?UeT+6p_a(bصӲmƧw.
">*2_`.}˿&~jR旍/~Ycw}|x
}u]cI91t}c+Vϰ/syY8+oxWc\o
(ttv>7|n%ƻM=?{q&hKŝ3~v@|w[w?akC7{67v',?<4vOie(<~wEnʛݤg<ڠmRBϝBxs>^jVn5_om-wzGtϘ{bRે'm'wo'_({t}צ᫫~y$쮊yh'lOT+{vWl-[}(_!F7d
6I
OnwΛoОڽPr 1W~lW{N1^θslJ-
o4vCו̒%,'MLwK[w{Mݍ/
>y݃mh4zXhh4hyˑՃ>9}me#wCrv	](tw[r7Koo5͚?ܬyr[yn܁f
#an6lp6]m]
+"-mjc{fә޹۴4qrW#}\7F1Ǡ{L~=fxǤeN1,-0,`l9ɢ""q./YB%m*VM*٤ϭI2`M&h:s}0yI§FAZ+KUfX$i3b5ԐB-AB2+u5bŰh*k&cԢT@sZ)$l-	Ak^99!jEY	TQ0cX kK*cem

c0,eYjUxZT38`hk*)e81Y#F	Jz|2b_`Y_~{.ͅKuLb@)UD ,+T̡$!IrJe( x {ZX͡o&R&#*Sc Z9#l5D)4} {Yn]I.[TniEbsL!.V$
@ӷV)9BFP lG lE,r-!c6%>Y<csE|4[b	!G@c0Y8ԅSkZT@cUTE3@N"MVZ3} nJR5X-mF&⁚JnssJ< D~DYQ*ܙ2	@15]>蕌P7E">OvTfd~ȇnي,bXMEv0%Tյ@qjnDƞX	i$)QJ\jЎC{IZDȀBE[kD"U@bTS`rdrU\E9%Dݛj.f/SȑAX*պdYO*H`V#4Gs '=|o)ZÑq2jn}UX926JnV`Jpd$CsIV*RN&#sc-{3DZB|AHÂM%׸Yv"f* ChufVb*=s+
̓7c=2F4](SL8n	eK-HtF8qbN.!-Dav蟢+8ճIA=ة4\B7M@I1A#|,ٍF͔,$i8 PA)rH
&Jy2ku}Z#?EȶY(qOFM D	Y6HlP8xH:DZdwsȠ("a5Bj+	9PcCR@!3)c ue	v'G|EN"*)	j@*J2UP}gw@ui  _=uH@I'TKa`C($

ƒ^7E0(hʒ,$Q$\x',8	qE]".‡/t7Z[]xyPb4@l"0+M@@X̒
0$oB{DѸyM)"V猀▐3C$K.4dIMSL
)Z!GvuZT51$!4h+Md:]Ssh`AA!`Q{!\ad@NCBw5GGT.F-r Hxd{TjQ_-]|Gc-9䌏BD`$1H^@ǁ1Ws/D#,[d+-hG*`]Q80qf[Ɇ$U҈4 
Zb=൦e䨱huipH
S?VٰK8UZ&\pś(E0ˀʚ(w4c$HUPGI\S̹6@J,:ⵠ5$
5vL0GXu\`u5@BY+DH@[!j~	`do{"'
Z:`@a9r25EfPbC P0
5PD8@(=Fr<ZS#3!-9@7BZb	B5Q]ʮI1~A.#)kbn+ЗoՁ{BsK||HwT1(&BQTA`:Lhw1$$H7t0 m&>ZPjcX	kPǴkhpr-xr?WvBh)e"ZB/\Ch|M#pN&V>#*Z~pBӻʇjn=) AH1Yp)^)(#jⳗ`!x-EL,qr# ƕB&(2u3-i~.sz>頿AZr-U*K(`h3PPC1(
-fg6xT҇W#;
*젂7s{56
'B7	|(Ž45'6*d/"Y4}7M9U2W~1M4x#٫UB'
mKyaψ~8DBEa͐*DuZLG0
Q+Y[*e"	*
mê@z(#tP%tb	{tY%˨vCZ$zs[?aKchQp4ghY#(	5b
MJG!P@'EAȶkR'@Ğ̨&HƇN-%^׳Lt螹wB"	)+|Dh>*/
FVz#4YCHC1͔|4	5c	hN*2#ɂa
qAߣ
)fCde9("I߂)4X\ueG6Ӣ1O9׏"A_RVcJ,(&B>7%gɜKlz
U0oK 笯s̵1#}Ud͡4U|;B?s#wP2喤ħaZ̕'b2k@kڤX)mk=٠cQ񺬨ER5r6=R@
	[%3xw7F3:ȐuK&>&߼|pCmɓRB^q{.m)/|IjZЪ&W&'Č9`(TZx=i)1!j%]J*R[

n8!/PZWkB
)i	b52#?:C(l^b)igاub_DXUSRL^1Rl14R$GS2$oBր_
!7 I]ECUJm`RAu1["_bxM]mU(xsT'fv($H*MZ+U](mh|\HS^4%>lmIfvKl}Nq-^k\v'fvI[az~G@y"O'<5PYC)
ēV6hdt(0Ƅ4xB.)ւ.fM)ٶ|Jn`OډS>ijdNX9~G+}wmڟ>6^a:[^H⧦eY{%|mj(TF
=uJ^O$xykދ jT^>)amE>J.-̶ɸ
YXt+ކ%cmOEBQK
3)41Z3;e*T H5R̖&A$%*kSIokb<1r׽k.G&;c_;5T]WB.*oWW
556q(Mҁ>AV|[DW!'Չ]_^ͥY=I_7efNM+ւv
k^FpA
/Ͷ~>Ml5oN+]I=g!@&g L!+-,b	2h_o
	2ESJJ/xY{YdgkP26LJgŕ"ߩPv
|ΜR&KS
$F%ZnoBU|Jn6ñ8}W+Zk.6aĸɋ#-cUEת͇@eM`4\0Fτqv|{3c
q3߀A˩]"9[mx*fk?C/Y#why3-1.6.0/examples/kleene_algebra.mlw000066400000000000000000000202361440160026300176660ustar00rootroot00000000000000(** {1 Kleene Algebra Definition and Relational Kleene Algebra }

Author: Quentin Garchery (Université Paris-Saclay)
*)

module SemiRing

  use int.Int

  type t
  constant zero : t
  constant one : t
  function (+) t t : t
  function (*) t t : t

  clone export algebra.CommutativeMonoid with type t = t, constant unit = zero,
  function op = (+), axiom .

  clone algebra.Monoid with type t = t, constant unit = one,
  function op = (*), axiom .

  axiom Mul_zero_l : forall x. zero * x = zero
  axiom Mul_zero_r : forall x. x * zero = zero

  axiom Mul_distr_l : forall x y z : t. x * (y + z) = x * y + x * z
  axiom Mul_distr_r : forall x y z : t. (y + z) * x = y * x + z * x

  let rec ghost function (^) (x : t) (n : int) : t
    requires { n >= 0 }
    variant { n }
  =
    if n = 0 then pure{one} else let r = x ^ (n-1) in pure {x * r}

  clone int.Exponentiation with type t = t, constant one = one,
  function (*) = (*), function power = (^), lemma .
end


module Dioid

  clone export SemiRing with axiom .

  axiom Idem : forall x : t. x + x = x

  predicate (<=) (x : t) (y : t) = x + y = y

  lemma le_refl : forall x. x <= x

  lemma le_antisym : forall x y. x <= y -> y <= x -> x = y

  lemma le_trans : forall x y z. x <= y -> y <= z -> x <= z

  lemma zero_le : forall x. zero <= x

  lemma le_compat_add : forall x y z. x <= y -> x + z <= y + z

  lemma le_add : forall x y. x <= x + y

  lemma le_add_le : forall x y z. x <= z -> y <= z -> x + y <= z

  lemma add_le : forall x y z. x + y <= z -> x <= z

  lemma le_compat_add_left : forall x y z. x <= y -> z * x <= z * y

  lemma le_compat_add_right : forall x y z. x <= y -> x * z <= y * z
end


module KleeneAlgebra

  use int.Int

  clone export Dioid with axiom .

  (* We denote x^* as !x *)
  function (!_) t : t

  axiom Star_unfold_left : forall x. one + x * !x <= !x

  axiom Star_unfold_right : forall x. one + !x * x <= !x

  axiom Star_induct_left : forall x y z. z + x * y <= y -> !x * z <= y

  axiom Star_induct_right : forall x y z. z + y * x <= y -> z * !x <= y

  lemma one_le_star : forall x. one <= !x

  lemma mul_var_le_star : forall x. x * !x <= !x

  lemma var_mul_le_star : forall x. !x * x <= !x

  lemma power_le_star : forall i x. i >= 0 -> x ^ i <= !x

  lemma star_mul_star : forall x. !x * !x = !x
  by !x + x * !x <= ! x

  lemma star_star : forall x. !(!x) = !x

  lemma star_unfold_left : forall x. one + x * !x = !x
  by one + x * (one + x * !x) <= one + x * !x

  lemma star_unfold_right : forall x. one + !x * x = !x
  by one + (one + !x * x) * x <= one + !x * x

  lemma star_le : forall x y. x <= y -> !x <= !y
  by one + x * !y <= !y

  lemma le_star_left_right : forall x y z. z * x <= y * z -> z * !x <= !y * z
  by z + (!y * z) * x <= !y * z

  lemma le_star_right_left : forall x y z. x * z <= z * y -> !x * z <= z * !y
  by z + x * (z * !y) <= z * !y

  lemma slide_left : forall x y. !(x + y) = !x * !(y * !x)
  by !x <= !(x + y)
  so y * !x <= !(x + y)
  so !(y * !x) <= !(!(x + y)) <= !(x + y)
  so !x * !(y * !x) <= !(x + y)
  so one + (x + y) * (!x * !(y * !x)) <= !x * !(y * !x)
  so !(x + y) <= !x * !(y * !x)

  lemma slide_right : forall x y. !(x + y) = !(!x * y) * !x
  by !x <= !(x + y)
  so !x * y <= !(x + y)
  so !(!x * y) <= !(!(x + y)) <= !(x + y)
  so !(!x * y) * !x <= !(x + y)
  so one + (!(!x * y) * !x) * (x + y) <= !(!x * y) * !x
  so !(x + y) <= !(!x * y) * !x

  (** Conway's equality: a way to cut x^* in slices of size x^n *)

  let rec ghost function sum_pow (x : t) (a b: int) : t
    requires { b >= a >= 0 }
    variant { b - a }
  = if b = a then pure{zero} else
    let m1 = sum_pow x a (b - 1) in
    let m2 = x ^ (b - 1) in
    pure {m1 + m2}

  lemma sum_pow_left: forall x a b.
    b > a >= 0 ->
    sum_pow x a b = x^a + sum_pow x (Int.(+) a 1) b

  lemma mul_sum_pow: forall x a b.
    b >= a >= 0 ->
    sum_pow x a b * x = sum_pow x (Int.(+) a 1) (Int.(+) b 1)

  lemma sum_pow_le_star: forall x a b.
    b >= a >= 0 ->
    sum_pow x a b <= !x

  lemma Conway_equality: forall x n.
    n >= 1 ->
    !x = !(x^n) * sum_pow x 0 n
  by !(x^n) * sum_pow x 0 n <= !x
  so !(x^n) * sum_pow x 0 n * x = !(x^n) * sum_pow x 1 n + !(x^n) * x ^ n
                                <= !(x^n) * sum_pow x 0 n
  so one + !(x^n) * sum_pow x 0 n * x <= !(x^n) * sum_pow x 0 n
end


module RelAlgebra

  use int.Int

  use set.Set

  (* Relational Algebra: sets of pairs of the same type *)

  type a

  type t = set (a, a)

  (** Specify zero, one, +, * and ! in terms of membership *)

  constant zero : t = empty
  lemma zero_def : forall x. not mem x zero

  constant one : t = map (fun a -> (a, a)) all
  lemma one_def : forall x : a. mem (x, x) one

  let ghost function post (s : t) (x : a)
    ensures { forall y. mem y result <-> mem (x, y) s }
  =
    map (fun p -> let (_, a2) = p in a2)
    (filter s (fun p -> let (a1, _) = p in pure{a1 = x}))

  let ghost function pre (s : t) (y : a)
    ensures { forall x. mem x result <-> mem (x, y) s }
  =
    map (fun p -> let (a1, _) = p in a1)
    (filter s (fun p -> let (_, a2) = p in pure {a2 = y}))

  let ghost function (+) (s1 s2 : t)
    ensures { forall x. mem x result <-> mem x s1 \/ mem x s2 }
  =
    union s1 s2

  let ghost function (*) (s1 s2 : t)
    ensures { forall a1 a2. mem (a1, a2) result <->
                            exists x. mem (a1, x) s1 /\ mem (x, a2) s2 }
  =
    filter all
    (fun p -> let (a1, a2) = p in
    not (disjoint (post s1 a1) (pre s2 a2)))

  lemma unit_l : forall x. one * x = x
  by one * x == x

  lemma unit_r : forall x. x * one = x
  by x * one == x

  lemma assoc_mul : forall x y z. x * y * z = x * (y * z)
  by forall e. (mem e (x * y * z) -> mem e (x * (y * z))) /\
               (mem e (x * (y * z)) -> mem e (x * y * z))

  clone Dioid with type t = t, constant zero = zero,
  constant one = one, function (+) = (+), function (*) = (*), lemma .

  lemma le_mem : forall x y. x <= y <-> forall u. mem u x -> mem u y

  inductive in_star t (a, a) =
   | Star_0 : forall x s. in_star s (x, x)
   | Star_s : forall x y z s. in_star s (x, y) -> mem (y, z) s -> in_star s (x, z)

  let ghost function (!_) (s : t) =
      filter all (in_star s)

  lemma power_in_star : forall s : t, i, p : (a, a).
        i >= 0 -> mem p (s ^ i) -> mem p !s
        by i > 0 -> let (x, z) = p in
           exists y. (in_star s (x, y) by mem (x, y) (s ^ (i-1)))  /\ mem (y, z) s

  lemma star_in_power : forall s x y.
        in_star s (x, y) -> (exists i. i >= 0 /\ mem (x, y) (s ^ i))

  lemma star_spec : forall s : t, p : (a, a).
        mem p !s <-> exists i. i >= 0 /\ mem p (s ^ i)

  lemma star_unfold_l : forall x u. mem u (one + x * !x) -> mem u !x
  by mem u (x * !x) -> (exists i. i >= 0 /\ mem u (x * x ^ i))
     by let (u1, u2) = u in
        exists v. mem (u1, v) x /\ mem (v, u2) !x
                  so exists i. i >= 0 /\ mem u (x * x ^ i)

  lemma star_unfold_r : forall x u. mem u (one + !x * x) -> mem u !x
  by mem u (!x * x) -> (exists i. i >= 0 /\ mem u (x ^ i * x))
     by let (u1, u2) = u in
     exists v. mem (u1, v) !x /\ mem (v, u2) x
            so exists i. i >= 0 /\ mem u (x ^ i * x)

  lemma star_induct_left_ind : forall x y z i. i >= 0 ->
    z + x * y <= y -> x^i * z <= y

  lemma star_induct_left_lem : forall x y z i. i >= 0 ->
    z + x * y <= y -> forall u. mem u (x^i * z) -> mem u y

  lemma star_induct_left : forall x y z.
    z + x * y <= y -> !x * z <= y
  by forall u. mem u (!x * z) -> (exists i. i >= 0 /\ mem u (x^i * z))
     by let (u1, u2) = u in
        exists v. mem (u1, v) !x /\ mem (v, u2) z
                  so exists i. i >= 0 /\ mem u (x^i * z)

  lemma star_induct_right_ind : forall x y z i. i >= 0 ->
    z + y * x <= y -> z * x^i <= y

  lemma star_induct_right_lem : forall x y z i. i >= 0 ->
    z + y * x <= y -> forall u. mem u (z * x^i) -> mem u y

  lemma star_induct_right : forall x y z.
    z + y * x <= y -> z * !x <= y
  by forall u. mem u (z * !x) -> (exists i. i >= 0 /\ mem u (z * x^i))
     by let (u1, u2) = u in
        exists v. mem (u1, v) z /\ mem (v, u2) !x
                  so exists i. i >= 0 /\ mem u (z * x^i)

  (** Prove that this forms a Kleene Algebra *)

  clone KleeneAlgebra with type t = t, constant zero = zero,
  constant one = one, function (+) = (+), function (*) = (*),
  function (!_) = (!_), lemma .
end
why3-1.6.0/examples/kleene_algebra/000077500000000000000000000000001440160026300171425ustar00rootroot00000000000000why3-1.6.0/examples/kleene_algebra/why3session.xml000066400000000000000000000572371440160026300222000ustar00rootroot00000000000000








 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 


 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 


 
 
 
 
 
 
 
 
 
 
 
  
  
   
   
   
   
   
   
  
  
 
 
 
 
  
  
  
  
  
  
 
 
 
 
 
 
 
  
  
  
  
  
  
 
 
 
 
  
  
  
  
  
  
 
 
 
 
  
  
  
  
  
  
 
 
 
 
  
  
  
  
  
  
 
 
 
 
  
  
  
  
  
  
 
 
 
 
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
 
 
 
 
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
 
 
 
 
 
 
 
  
  
   
   
   
   
   
   
  
  
 
 
 
 
  
  
   
   
   
   
   
   
  
  
 
 
 
 
  
  
   
   
   
   
   
   
  
  
 
 
 
 
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
 
 


 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
  
  
  
 
 
 
 
  
  
  
  
  
  
 
 
 
 
  
  
  
  
  
  
 
 
 
 
  
  
  
  
  
  
  
  
  
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
  
  
   
   
   
   
   
    
    
    
    
    
    
    
    
    
    
    
    
   
   
  
  
 
 
 
 
  
  
   
   
    
    
     
     
     
    
    
   
   
   
   
   
  
  
 
 
 
 
 
 
 
  
  
  
  
  
  
  
  
   
   
   
  
  
  
  
  
 
 
 
 
  
  
  
  
  
  
  
  
   
   
   
  
  
  
  
  
 
 
 
 
  
  
   
   
   
   
   
   
  
  
 
 
 
 
  
  
  
 
 
 
 
  
  
  
  
  
  
  
  
   
   
   
  
  
  
  
  
 
 
 
 
  
  
   
   
   
   
   
   
  
  
 
 
 
 
  
  
  
 
 
 
 
  
  
  
  
  
  
  
  
   
   
   
  
  
  
  
  
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 



why3-1.6.0/examples/kleene_algebra/why3shapes.gz000066400000000000000000000223541440160026300216100ustar00rootroot00000000000000}Y7~vO7aepՅ-/}U-yf_"ſ u97Zhd=zfbmbq_Ԅ._ 9{Rߵ
H3jfgvvrȰH7xN]/_ƿXe3~ʼnY r*	,_pBz/7j?	} qdiǧo޶7~xFѢ$VgKsWrJfq"`ړř'>*?`FrY0dzG>_/$$z0G-*,^ѳ_s=X{H赑ABgGf%dEEbjZ^^w0p@r9hZp됵{MEZE[EEws[uX1jRih}XX=`V#&-b@]p_G%gVӋ[Qr<>ցfqvŻxT[u뿀E|E/[_M|?.pka+:u?Fd[#2*`,cDNp@C3/AL/$(oo(7,Vu–Kh::\uֶ:`+B:
776e]wV{[Z++T]opѹ{gQC'I~qgݱ>V;fs!{h/7nOKmt)zNݡ;s}h	n	~-9{wşjyGmԍⓒ]Ó}Q
;a_O9s9K=ECZό.h받kɉu=קufm|tk{dH1pelڝOSݲӢKnh9ȘЄ+@6\v=dsFH8.w=1dN=%AW=N$83̦I	Yn<,oUsWewbE91Uwޙi3-:&b$p_1?9
S`H66-:|z`[H#\okz}Нd/~%2
cQJ8O.b T -!DԢ~aqɢU6~;|W.5W-gA|~+~u~}Xװ"$߽{^ґK1]b8(5 ƚ`U@NxA
uJLxNBMokfOo|vӎMgs5[sqLvyw\o?a>ޖ7qGَz;EUT1~

Wͻݛbe-^֏hZgǶSsa*6J/Ą~!èX5 69,7˓ɹ8]@f ׷Zϑ?"#DOx1wQ
.]//׀$0!,~>foa^,*lVz]Vj>HNz's+HN*q=[\stЫP)2-z6E#
08Quڞ/3CJN,qaֆ嘑=hmDX*4xQal`kh
*iSƟGCg9:~
kDaQmK.&V>͠sHnA]hN]sMEz4[7~o
b'nXc=rKXm).hpc˲>j-,eerxx㬍Bc08!D!bޒ+r{0GY|^0l㻗{DČQm>dX#}j\mְLFsAW#SX\*6Po[RYs^`+Y!6YCOQ*Oe9i!X#KVSNU3c=<ח{Ke9AzjdԬuS.yGf,JJj¶~8NFb'nbsUl,*yk#o)ɓ FW9y
./rb@6C!559)ZH'dgȮ'vU
A9ӎSOh{|iy68!B:98ҕJn(_4SW52}o@ctsv۰pGk.RLJO̶03nWTPo0,G;~aH{D+>hmt3C=}C*\_*Yo6,>L)n7_e4MaZ*PZ5^7ŀigmow@ad͘swm6ۻ&gmXк	zkպ
fygC"nm.($=qT1*[,ȍ*Gpeeclxnˁ@E/+87GEjq5z[UlQW
zeqFgn)h(
ٚ^jfMakh?3sS>%7w(}wa8[6m73
e#[C]TF,ˍ;e7۶Q,+G[Vi%wkk=1IG[̸at["HН?3."Zjat!s#׿{~Βg
z̓('pt^6nD:Dol@gfM+t=	覚#7\Ak8b6.'=GF3QpO.=;`8xE,R#t0|تW/!߯>!-SjkȲ
:doaXaYlfog=ma@%꽎}!5-zkLȖ?=.)_t
>a]~#Tr<$S|0Ntl1vƬ~ا̯âԪFN0dY
Ā3*PzrjVb]lb
}vcFj3TPmx>?.dz魲%z_>yI2v+9MT+)
W]+s
+а[rsDvN%uOJ}00Uۨʐ =S0%-z}dHiSs `@լrm>ٍs
u-Yv=1V`aaYJ">j
Y=5c,8MaKJYFQ\97W,R+y!$0σ`,`w0`;uL>v|
xENuQ>۴6!ö(F9 _rIJZct)uAG%a~WJ&5lЅ3Y	A{<	jVP4U	go&l$[кz-ր-L="Y/"F	T9[ȷׯW$|)tOF)yo-ݭ|UE%JK&{EXp
pPNJ.6՘CK5ze˾=7a
Ҟ4g$4
k_JC@eY&H؎*D:.bwώQ8B-1KUFXJDqlwp$1{l,`LAY)4xJTVۮ˽($gGqI}8+4k
I0cp"4	MtV('T6T)CG];ʞ
j"tfde
|Cʮ>CP`jQazU)QTFxm`Z)*0ɢrC(ϑ8
K1WFsVA^cQT;s"|Ihg2̘(nP#=,ϟEP|*1)'9	?
*sSOFf^DV%a<!repԹ!dR`4BD*g{U3D8*&7(ZK98X>dR`Mjl#2*%'jm%jfm!YHB͇~b ("P]ԔN*d(kj۠
%3_
q4d%Xj!Ab5}i0gM)je%i\Js໽Js;/)02yRFL
{"ŽOXSJ*5U#kdIA^'l+`k/G–6!fEd,y{@6,A) ư7dF-2l|
~\acr"CJ|g=)
f>kJ-` J=<,^ +Y	6m;𩳵Z(~	V00Ldz+u&
DbÝSPEJ9lC>@fp[A؋DE+gc}zҰ݃p!cr|q:&wUEɁ^{,>7M$pV`([Rm:øT
yUЇoQ]XT͟ꋼ)!gQ,6WGChPnɾ<`1U!@AkHX/&0$D$%nZp<Q,s◂m UkɥFl[q\FlFB8]R&9K|WplkGTʪyD9J!+aڎ>?o0-
b#?+$	>C_[UuHFCb[*&4,o/oUB;b^f!15!;)0!jӞdnWD搨R{q({x&65aeh\&_|)@(~|RO۫**@jM+|_6*;o콱78pQwFPpA=r
Μ:\M84@=J`]B`0t~P
TPPϳzX +̗$
NaDv#*?Dڰa)F3Y6wCTL*sd\#T!|Oi-]֡;W+"kDJI}B,K%dA+6zSxY]*9b-T7Qi49x&݌%o)Yi]c(trZ?lz!bω I^dRI
ݯb?b<;;Mm	Q'k	YZ6}1IUxot4
AP1~E )l'l!]^%	e<rQǂ7_i]65l a
A)֌#*eQKO)g~9JG8[v~]rVBmoM0h=kQ|?zÇ_!wQ ŴvfZa?ؤ&3!G~]V[(
F;WO[I&[T8壐-GEpTJ^\U3
ayP# 9TK*ʨޒ?&#&CuAӖ:xV(*$Cch~1L(4~8¸@cPeqP^KUkoAb@cWbB0ZT]IJ(!+|	b
QͱWR*UG]H[}K^R.czzp?bkQe8f
5$Z9J60CCNZRk6'j$4ҊHplj4GYZN-g
%VH2^4.o	m!6&A_?q*	ǯAע6xE
)+ݠM(yXaڹ2*I3o_4d?_b#r~OQ<
Q͑Lےp_,TPI.QB#*0QM2
3"fGa(||RoU6N&Ĕє^[5"`oqcsE5=*@[RIMoD=ɯΑwp
)Ԭs8
VSx¯xHw
Syſsb Loq5Ac.k>ܓRl*UbVd>1'gLZ1UQvL-^
1'y)Ҷwhy3-1.6.0/examples/kmp.mlw000066400000000000000000000115021440160026300155310ustar00rootroot00000000000000(**************************************************************************)
(*                                                                        *)
(* Proof of the Knuth-Morris-Pratt Algorithm.                             *)
(*                                                                        *)
(* Jean-Christophe Filliâtre (LRI, Université Paris Sud)                  *)
(* November 1998                                                          *)
(*                                                                        *)
(**************************************************************************)

module KnuthMorrisPratt

  use int.Int
  use ref.Ref
  use array.Array

  type char
  val eq (x y : char) : bool ensures { result = True <-> x = y }

  predicate matches (a1: array char) (i1: int)
                    (a2: array char) (i2: int) (n: int) =
    0 <= i1 <= length a1 - n /\
    0 <= i2 <= length a2 - n /\
    forall i: int. 0 <= i < n -> a1[i1 + i] = a2[i2 + i]

  lemma matches_empty:
    forall a1 a2: array char, i1 i2: int.
    0 <= i1 <= length a1 ->
    0 <= i2 <= length a2 ->
    matches a1 i1 a2 i2 0

  lemma matches_right_extension:
    forall a1 a2: array char, i1 i2 n: int.
    matches a1 i1 a2 i2 n ->
    i1 <= length a1 - n - 1 ->
    i2 <= length a2 - n - 1 ->
    a1[i1 + n] = a2[i2 + n] ->
    matches a1 i1 a2 i2 (n + 1)

  lemma matches_contradiction_at_first:
    forall a1 a2: array char, i1 i2 n: int.
    0 < n -> a1[i1] <> a2[i2] -> not (matches a1 i1 a2 i2 n)

  lemma matches_contradiction_at_i :
    forall a1 a2: array char, i1 i2 i n: int.
    0 < n ->
    0 <= i < n ->
    a1[i1 + i] <> a2[i2 + i] -> not (matches a1 i1 a2 i2 n)

  lemma matches_right_weakening:
    forall a1 a2: array char, i1 i2 n n': int.
    matches a1 i1 a2 i2 n -> n' < n -> matches a1 i1 a2 i2 n'

  lemma matches_left_weakening:
    forall a1 a2: array char, i1 i2 n n': int.
    matches a1 (i1 - (n - n')) a2 (i2 - (n - n')) n ->
    n' < n -> matches a1 i1 a2 i2 n'

  lemma matches_sym:
    forall a1 a2: array char, i1 i2 n: int.
    matches a1 i1 a2 i2 n -> matches a2 i2 a1 i1 n

  lemma matches_trans:
    forall a1 a2 a3: array char, i1 i2 i3 n: int.
    matches a1 i1 a2 i2 n -> matches a2 i2 a3 i3 n -> matches a1 i1 a3 i3 n

  predicate is_next (p: array char) (j n: int) =
    0 <= n < j /\
    matches p (j - n) p 0 n /\
    forall z: int. n < z < j -> not (matches p (j - z) p 0 z)

  lemma next_iteration:
    forall p a: array char, i j n: int.
    0 < j < length p ->
    j <= i <= length a ->
    matches a (i - j) p 0 j -> is_next p j n -> matches a (i - n) p 0 n

  lemma next_is_maximal:
    forall p a: array char, i j n k: int.
    0 < j < length p ->
    j <= i <= length a ->
    i - j < k < i - n ->
    matches a (i - j) p 0 j ->
    is_next p j n -> not (matches a k p 0 (length p))

  lemma next_1_0:
    forall p: array char. 1 <= length p -> is_next p 1 0

  (* We first compute a table next with the procedure initnext.
   * That table only depends on the pattern. *)

  let initnext (p: array char)
    requires { 1 <= length p }
    ensures  { length result = length p &&
      forall j:int. 0 < j < p.length -> is_next p j result[j] }
  = let m = length p in
    let next = make m 0 in
    if 1 < m then begin
      next[1] <- 0;
      let i = ref 1 in
      let j = ref 0 in
      while !i < m - 1 do
        invariant { 0 <= !j < !i <= m }
        invariant { matches p (!i - !j) p 0 !j }
        invariant { forall z:int.
          !j+1 < z < !i+1 -> not matches p (!i + 1 - z) p 0 z }
        invariant { forall k:int. 0 < k <= !i -> is_next p k next[k] }
        variant { m - !i, !j }
        if eq p[!i] p[!j] then begin
          i := !i + 1; j := !j + 1; next[!i] <- !j
        end else
          if !j = 0 then begin i := !i + 1; next[!i] <- 0 end else j := next[!j]
      done
    end;
    next


  (* The algorithm looks for an occurrence of the pattern p in a text a
   * which is an array of length N.
   * The function kmp returns an index i within 0..N-1 if there is an occurrence
   * at the position i and N otherwise. *)

  predicate first_occur (p a: array char) (r: int) =
    (0 <= r < length a -> matches a r p 0 (length p)) /\
    (forall k: int. 0 <= k < r -> not (matches a k p 0 (length p)))

  let kmp (p a: array char)
    requires { 1 <= length p }
    ensures  { first_occur p a result }
  = let m = length p in
    let n = length a in
    let i = ref 0 in
    let j = ref 0 in
    let next = initnext p in
    while !j < m && !i < n do
      invariant { 0 <= !j <= m /\ !j <= !i <= n }
      invariant { matches a (!i - !j) p 0 !j }
      invariant { forall k:int. 0 <= k < !i - !j -> not (matches a k p 0 m) }
      variant { n - !i, !j }
      if eq a[!i] p[!j] then begin
        i := !i+1; j := !j+1
      end else
        if !j = 0 then i := !i+1 else j := next[!j]
    done;
    if !j = m then !i - m else !i

end
why3-1.6.0/examples/kmp/000077500000000000000000000000001440160026300150115ustar00rootroot00000000000000why3-1.6.0/examples/kmp/kmp_KnuthMorrisPratt_VC_initnext_1.v000066400000000000000000000166261440160026300241140ustar00rootroot00000000000000(* This file is generated by Why3's Coq driver *)
(* Beware! Only edit allowed sections below    *)
Require Import BuiltIn.
Require BuiltIn.
Require HighOrd.
Require int.Int.
Require map.Map.

(* Why3 assumption *)
Inductive ref (a:Type) :=
  | ref'mk : a -> ref a.
Axiom ref_WhyType : forall (a:Type) {a_WT:WhyType a}, WhyType (ref a).
Existing Instance ref_WhyType.
Arguments ref'mk {a}.

(* Why3 assumption *)
Definition contents {a:Type} {a_WT:WhyType a} (v:ref a) : a :=
  match v with
  | ref'mk x => x
  end.

Axiom array : forall (a:Type), Type.
Parameter array_WhyType :
  forall (a:Type) {a_WT:WhyType a}, WhyType (array a).
Existing Instance array_WhyType.

Parameter elts:
  forall {a:Type} {a_WT:WhyType a}, array a -> Numbers.BinNums.Z -> a.

Parameter length:
  forall {a:Type} {a_WT:WhyType a}, array a -> Numbers.BinNums.Z.

Axiom array'invariant :
  forall {a:Type} {a_WT:WhyType a},
  forall (self:array a), (0%Z <= (length self))%Z.

(* Why3 assumption *)
Definition mixfix_lbrb {a:Type} {a_WT:WhyType a} (a1:array a)
    (i:Numbers.BinNums.Z) : a :=
  elts a1 i.

Parameter mixfix_lblsmnrb:
  forall {a:Type} {a_WT:WhyType a}, array a -> Numbers.BinNums.Z -> a ->
  array a.

Axiom mixfix_lblsmnrb'spec :
  forall {a:Type} {a_WT:WhyType a},
  forall (a1:array a) (i:Numbers.BinNums.Z) (v:a),
  ((length (mixfix_lblsmnrb a1 i v)) = (length a1)) /\
  ((elts (mixfix_lblsmnrb a1 i v)) = (map.Map.set (elts a1) i v)).

Parameter make:
  forall {a:Type} {a_WT:WhyType a}, Numbers.BinNums.Z -> a -> array a.

Axiom make'spec :
  forall {a:Type} {a_WT:WhyType a},
  forall (n:Numbers.BinNums.Z) (v:a), (0%Z <= n)%Z ->
  (forall (i:Numbers.BinNums.Z), (0%Z <= i)%Z /\ (i < n)%Z ->
   ((mixfix_lbrb (make n v) i) = v)) /\
  ((length (make n v)) = n).

Axiom char : Type.
Parameter char_WhyType : WhyType char.
Existing Instance char_WhyType.

(* Why3 assumption *)
Definition matches (a1:array char) (i1:Numbers.BinNums.Z) (a2:array char)
    (i2:Numbers.BinNums.Z) (n:Numbers.BinNums.Z) : Prop :=
  ((0%Z <= i1)%Z /\ (i1 <= ((length a1) - n)%Z)%Z) /\
  ((0%Z <= i2)%Z /\ (i2 <= ((length a2) - n)%Z)%Z) /\
  (forall (i:Numbers.BinNums.Z), (0%Z <= i)%Z /\ (i < n)%Z ->
   ((mixfix_lbrb a1 (i1 + i)%Z) = (mixfix_lbrb a2 (i2 + i)%Z))).

Axiom matches_empty :
  forall (a1:array char) (a2:array char) (i1:Numbers.BinNums.Z)
    (i2:Numbers.BinNums.Z),
  (0%Z <= i1)%Z /\ (i1 <= (length a1))%Z ->
  (0%Z <= i2)%Z /\ (i2 <= (length a2))%Z -> matches a1 i1 a2 i2 0%Z.

Axiom matches_right_extension :
  forall (a1:array char) (a2:array char) (i1:Numbers.BinNums.Z)
    (i2:Numbers.BinNums.Z) (n:Numbers.BinNums.Z),
  matches a1 i1 a2 i2 n -> (i1 <= (((length a1) - n)%Z - 1%Z)%Z)%Z ->
  (i2 <= (((length a2) - n)%Z - 1%Z)%Z)%Z ->
  ((mixfix_lbrb a1 (i1 + n)%Z) = (mixfix_lbrb a2 (i2 + n)%Z)) ->
  matches a1 i1 a2 i2 (n + 1%Z)%Z.

Axiom matches_contradiction_at_first :
  forall (a1:array char) (a2:array char) (i1:Numbers.BinNums.Z)
    (i2:Numbers.BinNums.Z) (n:Numbers.BinNums.Z),
  (0%Z < n)%Z -> ~ ((mixfix_lbrb a1 i1) = (mixfix_lbrb a2 i2)) ->
  ~ matches a1 i1 a2 i2 n.

Axiom matches_contradiction_at_i :
  forall (a1:array char) (a2:array char) (i1:Numbers.BinNums.Z)
    (i2:Numbers.BinNums.Z) (i:Numbers.BinNums.Z) (n:Numbers.BinNums.Z),
  (0%Z < n)%Z -> (0%Z <= i)%Z /\ (i < n)%Z ->
  ~ ((mixfix_lbrb a1 (i1 + i)%Z) = (mixfix_lbrb a2 (i2 + i)%Z)) ->
  ~ matches a1 i1 a2 i2 n.

Axiom matches_right_weakening :
  forall (a1:array char) (a2:array char) (i1:Numbers.BinNums.Z)
    (i2:Numbers.BinNums.Z) (n:Numbers.BinNums.Z) (n':Numbers.BinNums.Z),
  matches a1 i1 a2 i2 n -> (n' < n)%Z -> matches a1 i1 a2 i2 n'.

Axiom matches_left_weakening :
  forall (a1:array char) (a2:array char) (i1:Numbers.BinNums.Z)
    (i2:Numbers.BinNums.Z) (n:Numbers.BinNums.Z) (n':Numbers.BinNums.Z),
  matches a1 (i1 - (n - n')%Z)%Z a2 (i2 - (n - n')%Z)%Z n -> (n' < n)%Z ->
  matches a1 i1 a2 i2 n'.

Axiom matches_sym :
  forall (a1:array char) (a2:array char) (i1:Numbers.BinNums.Z)
    (i2:Numbers.BinNums.Z) (n:Numbers.BinNums.Z),
  matches a1 i1 a2 i2 n -> matches a2 i2 a1 i1 n.

Axiom matches_trans :
  forall (a1:array char) (a2:array char) (a3:array char)
    (i1:Numbers.BinNums.Z) (i2:Numbers.BinNums.Z) (i3:Numbers.BinNums.Z)
    (n:Numbers.BinNums.Z),
  matches a1 i1 a2 i2 n -> matches a2 i2 a3 i3 n -> matches a1 i1 a3 i3 n.

(* Why3 assumption *)
Definition is_next (p:array char) (j:Numbers.BinNums.Z)
    (n:Numbers.BinNums.Z) : Prop :=
  ((0%Z <= n)%Z /\ (n < j)%Z) /\
  matches p (j - n)%Z p 0%Z n /\
  (forall (z:Numbers.BinNums.Z), (n < z)%Z /\ (z < j)%Z ->
   ~ matches p (j - z)%Z p 0%Z z).

Axiom next_iteration :
  forall (p:array char) (a:array char) (i:Numbers.BinNums.Z)
    (j:Numbers.BinNums.Z) (n:Numbers.BinNums.Z),
  (0%Z < j)%Z /\ (j < (length p))%Z -> (j <= i)%Z /\ (i <= (length a))%Z ->
  matches a (i - j)%Z p 0%Z j -> is_next p j n -> matches a (i - n)%Z p 0%Z n.

Axiom next_is_maximal :
  forall (p:array char) (a:array char) (i:Numbers.BinNums.Z)
    (j:Numbers.BinNums.Z) (n:Numbers.BinNums.Z) (k:Numbers.BinNums.Z),
  (0%Z < j)%Z /\ (j < (length p))%Z -> (j <= i)%Z /\ (i <= (length a))%Z ->
  ((i - j)%Z < k)%Z /\ (k < (i - n)%Z)%Z -> matches a (i - j)%Z p 0%Z j ->
  is_next p j n -> ~ matches a k p 0%Z (length p).

Axiom next_1_0 :
  forall (p:array char), (1%Z <= (length p))%Z -> is_next p 1%Z 0%Z.

(* Why3 goal *)
Theorem initnext'vc :
  forall (p:array char), (1%Z <= (length p))%Z ->
  let m := length p in
  let next := make m 0%Z in
  (forall (i:Numbers.BinNums.Z), (0%Z <= i)%Z /\ (i < m)%Z ->
   ((mixfix_lbrb next i) = 0%Z)) /\
  ((length next) = m) -> (1%Z < m)%Z ->
  forall (next1:array Numbers.BinNums.Z), ((length next1) = (length next)) ->
  ((elts next1) = (map.Map.set (elts next) 1%Z 0%Z)) /\
  (next1 = (mixfix_lblsmnrb next 1%Z 0%Z)) ->
  forall (j:Numbers.BinNums.Z) (i:Numbers.BinNums.Z)
    (next2:array Numbers.BinNums.Z),
  ((length next2) = (length next1)) ->
  ((0%Z <= j)%Z /\ (j < i)%Z /\ (i <= m)%Z) /\
  matches p (i - j)%Z p 0%Z j /\
  (forall (z:Numbers.BinNums.Z),
   ((j + 1%Z)%Z < z)%Z /\ (z < (i + 1%Z)%Z)%Z ->
   ~ matches p ((i + 1%Z)%Z - z)%Z p 0%Z z) /\
  (forall (k:Numbers.BinNums.Z), (0%Z < k)%Z /\ (k <= i)%Z ->
   is_next p k (mixfix_lbrb next2 k)) ->
  (i < (m - 1%Z)%Z)%Z -> ~ ((mixfix_lbrb p i) = (mixfix_lbrb p j)) ->
  (j = 0%Z) -> forall (i1:Numbers.BinNums.Z), (i1 = (i + 1%Z)%Z) ->
  forall (next3:array Numbers.BinNums.Z),
  ((length next3) = (length next2)) ->
  ((elts next3) = (map.Map.set (elts next2) i1 0%Z)) /\
  (next3 = (mixfix_lblsmnrb next2 i1 0%Z)) ->
  (0%Z <= j)%Z /\ (j < i1)%Z /\ (i1 <= m)%Z ->
  matches p (i1 - j)%Z p 0%Z j -> forall (z:Numbers.BinNums.Z),
  ((j + 1%Z)%Z < z)%Z /\ (z < (i1 + 1%Z)%Z)%Z ->
  ~ matches p ((i1 + 1%Z)%Z - z)%Z p 0%Z z.
Proof.
intros p h1 m next (h2,h3) h4 next1 h5 h6 j i next2 h7
((h8,(h9,h10)),(h11,(h12,h13))) h14 h15 h16 i1 h17 next3 h18 h19
(h20,(h21,h22)) h23 z (h24,h25).
(*
intros n p1.
intro p3. unfold p3. clear p3.
intros (_,hn) _ next next1 _ _ _ _ _.
intros j i next4 ((hj,hi),(h0,(h1,h2))).
intros hi' _ _ neq j0. subst j.
intros i1 hi1; subst i1.
intros _ _ _ z hz.
*)
red; intro h. unfold matches in h. simpl in h.
destruct h as (hy1, (hy2, hy3)).

assert (case: (z = 2 \/ 2 < z)%Z) by omega. destruct case.
subst.
absurd (elts p i = elts p 0%Z); auto.
generalize (hy3 0%Z).
ring_simplify (i + 1 + 1 - 2 + 0)%Z.
intuition.

apply h12 with (z-1)%Z.
omega.
red; simpl.
repeat split; try omega.
intros; subst i1.
replace (i + 1 - (z - 1) + i0)%Z with (i + 1 + 1 - z + i0)%Z by omega.
apply hy3.
omega.
Qed.
why3-1.6.0/examples/kmp/kmp_KnuthMorrisPratt_VC_initnext_2.v000066400000000000000000000175531440160026300241150ustar00rootroot00000000000000(* This file is generated by Why3's Coq driver *)
(* Beware! Only edit allowed sections below    *)
Require Import BuiltIn.
Require BuiltIn.
Require HighOrd.
Require int.Int.
Require map.Map.

(* Why3 assumption *)
Inductive ref (a:Type) :=
  | ref'mk : a -> ref a.
Axiom ref_WhyType : forall (a:Type) {a_WT:WhyType a}, WhyType (ref a).
Existing Instance ref_WhyType.
Arguments ref'mk {a}.

(* Why3 assumption *)
Definition contents {a:Type} {a_WT:WhyType a} (v:ref a) : a :=
  match v with
  | ref'mk x => x
  end.

Axiom array : forall (a:Type), Type.
Parameter array_WhyType :
  forall (a:Type) {a_WT:WhyType a}, WhyType (array a).
Existing Instance array_WhyType.

Parameter elts:
  forall {a:Type} {a_WT:WhyType a}, array a -> Numbers.BinNums.Z -> a.

Parameter length:
  forall {a:Type} {a_WT:WhyType a}, array a -> Numbers.BinNums.Z.

Axiom array'invariant :
  forall {a:Type} {a_WT:WhyType a},
  forall (self:array a), (0%Z <= (length self))%Z.

(* Why3 assumption *)
Definition mixfix_lbrb {a:Type} {a_WT:WhyType a} (a1:array a)
    (i:Numbers.BinNums.Z) : a :=
  elts a1 i.

Parameter mixfix_lblsmnrb:
  forall {a:Type} {a_WT:WhyType a}, array a -> Numbers.BinNums.Z -> a ->
  array a.

Axiom mixfix_lblsmnrb'spec :
  forall {a:Type} {a_WT:WhyType a},
  forall (a1:array a) (i:Numbers.BinNums.Z) (v:a),
  ((length (mixfix_lblsmnrb a1 i v)) = (length a1)) /\
  ((elts (mixfix_lblsmnrb a1 i v)) = (map.Map.set (elts a1) i v)).

Parameter make:
  forall {a:Type} {a_WT:WhyType a}, Numbers.BinNums.Z -> a -> array a.

Axiom make'spec :
  forall {a:Type} {a_WT:WhyType a},
  forall (n:Numbers.BinNums.Z) (v:a), (0%Z <= n)%Z ->
  (forall (i:Numbers.BinNums.Z), (0%Z <= i)%Z /\ (i < n)%Z ->
   ((mixfix_lbrb (make n v) i) = v)) /\
  ((length (make n v)) = n).

Axiom char : Type.
Parameter char_WhyType : WhyType char.
Existing Instance char_WhyType.

(* Why3 assumption *)
Definition matches (a1:array char) (i1:Numbers.BinNums.Z) (a2:array char)
    (i2:Numbers.BinNums.Z) (n:Numbers.BinNums.Z) : Prop :=
  ((0%Z <= i1)%Z /\ (i1 <= ((length a1) - n)%Z)%Z) /\
  ((0%Z <= i2)%Z /\ (i2 <= ((length a2) - n)%Z)%Z) /\
  (forall (i:Numbers.BinNums.Z), (0%Z <= i)%Z /\ (i < n)%Z ->
   ((mixfix_lbrb a1 (i1 + i)%Z) = (mixfix_lbrb a2 (i2 + i)%Z))).

Axiom matches_empty :
  forall (a1:array char) (a2:array char) (i1:Numbers.BinNums.Z)
    (i2:Numbers.BinNums.Z),
  (0%Z <= i1)%Z /\ (i1 <= (length a1))%Z ->
  (0%Z <= i2)%Z /\ (i2 <= (length a2))%Z -> matches a1 i1 a2 i2 0%Z.

Axiom matches_right_extension :
  forall (a1:array char) (a2:array char) (i1:Numbers.BinNums.Z)
    (i2:Numbers.BinNums.Z) (n:Numbers.BinNums.Z),
  matches a1 i1 a2 i2 n -> (i1 <= (((length a1) - n)%Z - 1%Z)%Z)%Z ->
  (i2 <= (((length a2) - n)%Z - 1%Z)%Z)%Z ->
  ((mixfix_lbrb a1 (i1 + n)%Z) = (mixfix_lbrb a2 (i2 + n)%Z)) ->
  matches a1 i1 a2 i2 (n + 1%Z)%Z.

Axiom matches_contradiction_at_first :
  forall (a1:array char) (a2:array char) (i1:Numbers.BinNums.Z)
    (i2:Numbers.BinNums.Z) (n:Numbers.BinNums.Z),
  (0%Z < n)%Z -> ~ ((mixfix_lbrb a1 i1) = (mixfix_lbrb a2 i2)) ->
  ~ matches a1 i1 a2 i2 n.

Axiom matches_contradiction_at_i :
  forall (a1:array char) (a2:array char) (i1:Numbers.BinNums.Z)
    (i2:Numbers.BinNums.Z) (i:Numbers.BinNums.Z) (n:Numbers.BinNums.Z),
  (0%Z < n)%Z -> (0%Z <= i)%Z /\ (i < n)%Z ->
  ~ ((mixfix_lbrb a1 (i1 + i)%Z) = (mixfix_lbrb a2 (i2 + i)%Z)) ->
  ~ matches a1 i1 a2 i2 n.

Axiom matches_right_weakening :
  forall (a1:array char) (a2:array char) (i1:Numbers.BinNums.Z)
    (i2:Numbers.BinNums.Z) (n:Numbers.BinNums.Z) (n':Numbers.BinNums.Z),
  matches a1 i1 a2 i2 n -> (n' < n)%Z -> matches a1 i1 a2 i2 n'.

Axiom matches_left_weakening :
  forall (a1:array char) (a2:array char) (i1:Numbers.BinNums.Z)
    (i2:Numbers.BinNums.Z) (n:Numbers.BinNums.Z) (n':Numbers.BinNums.Z),
  matches a1 (i1 - (n - n')%Z)%Z a2 (i2 - (n - n')%Z)%Z n -> (n' < n)%Z ->
  matches a1 i1 a2 i2 n'.

Axiom matches_sym :
  forall (a1:array char) (a2:array char) (i1:Numbers.BinNums.Z)
    (i2:Numbers.BinNums.Z) (n:Numbers.BinNums.Z),
  matches a1 i1 a2 i2 n -> matches a2 i2 a1 i1 n.

Axiom matches_trans :
  forall (a1:array char) (a2:array char) (a3:array char)
    (i1:Numbers.BinNums.Z) (i2:Numbers.BinNums.Z) (i3:Numbers.BinNums.Z)
    (n:Numbers.BinNums.Z),
  matches a1 i1 a2 i2 n -> matches a2 i2 a3 i3 n -> matches a1 i1 a3 i3 n.

(* Why3 assumption *)
Definition is_next (p:array char) (j:Numbers.BinNums.Z)
    (n:Numbers.BinNums.Z) : Prop :=
  ((0%Z <= n)%Z /\ (n < j)%Z) /\
  matches p (j - n)%Z p 0%Z n /\
  (forall (z:Numbers.BinNums.Z), (n < z)%Z /\ (z < j)%Z ->
   ~ matches p (j - z)%Z p 0%Z z).

Axiom next_iteration :
  forall (p:array char) (a:array char) (i:Numbers.BinNums.Z)
    (j:Numbers.BinNums.Z) (n:Numbers.BinNums.Z),
  (0%Z < j)%Z /\ (j < (length p))%Z -> (j <= i)%Z /\ (i <= (length a))%Z ->
  matches a (i - j)%Z p 0%Z j -> is_next p j n -> matches a (i - n)%Z p 0%Z n.

Axiom next_is_maximal :
  forall (p:array char) (a:array char) (i:Numbers.BinNums.Z)
    (j:Numbers.BinNums.Z) (n:Numbers.BinNums.Z) (k:Numbers.BinNums.Z),
  (0%Z < j)%Z /\ (j < (length p))%Z -> (j <= i)%Z /\ (i <= (length a))%Z ->
  ((i - j)%Z < k)%Z /\ (k < (i - n)%Z)%Z -> matches a (i - j)%Z p 0%Z j ->
  is_next p j n -> ~ matches a k p 0%Z (length p).

Axiom next_1_0 :
  forall (p:array char), (1%Z <= (length p))%Z -> is_next p 1%Z 0%Z.

(* Why3 goal *)
Theorem initnext'vc :
  forall (p:array char), (1%Z <= (length p))%Z ->
  let m := length p in
  let next := make m 0%Z in
  (forall (i:Numbers.BinNums.Z), (0%Z <= i)%Z /\ (i < m)%Z ->
   ((mixfix_lbrb next i) = 0%Z)) /\
  ((length next) = m) -> (1%Z < m)%Z ->
  forall (next1:array Numbers.BinNums.Z), ((length next1) = (length next)) ->
  ((elts next1) = (map.Map.set (elts next) 1%Z 0%Z)) /\
  (next1 = (mixfix_lblsmnrb next 1%Z 0%Z)) ->
  forall (j:Numbers.BinNums.Z) (i:Numbers.BinNums.Z)
    (next2:array Numbers.BinNums.Z),
  ((length next2) = (length next1)) ->
  ((0%Z <= j)%Z /\ (j < i)%Z /\ (i <= m)%Z) /\
  matches p (i - j)%Z p 0%Z j /\
  (forall (z:Numbers.BinNums.Z),
   ((j + 1%Z)%Z < z)%Z /\ (z < (i + 1%Z)%Z)%Z ->
   ~ matches p ((i + 1%Z)%Z - z)%Z p 0%Z z) /\
  (forall (k:Numbers.BinNums.Z), (0%Z < k)%Z /\ (k <= i)%Z ->
   is_next p k (mixfix_lbrb next2 k)) ->
  (i < (m - 1%Z)%Z)%Z -> ~ ((mixfix_lbrb p i) = (mixfix_lbrb p j)) ->
  ~ (j = 0%Z) -> forall (j1:Numbers.BinNums.Z),
  (j1 = (mixfix_lbrb next2 j)) ->
  (0%Z <= j1)%Z /\ (j1 < i)%Z /\ (i <= m)%Z ->
  matches p (i - j1)%Z p 0%Z j1 -> forall (z:Numbers.BinNums.Z),
  ((j1 + 1%Z)%Z < z)%Z /\ (z < (i + 1%Z)%Z)%Z ->
  ~ matches p ((i + 1%Z)%Z - z)%Z p 0%Z z.
Proof.
intros p h1 m next (h2,h3) h4 next1 h5 h6 j i next2 h7
((h8,(h9,h10)),(h11,(h12,h13))) h14 h15 h16 j1 h17 (h18,(h19,h20)) h21 z
(h22,h23).
(*
intros n p1.
intro p3. unfold p3. clear p3.
intros (_,hn) _ next next1 _ _ _ _ _.
intros j i next4 ((hj,hi),(h0,(h1,h2))).
intros hi' _ _ neq j0 _.
intros j1 hji1; subst j1.
*)
assert (hji: (0 < j <= i)%Z) by omega.
generalize (h13 j hji); clear h13.
unfold is_next. intros (hn1, (hn2, hn3)).
(*
intros z hz.
*)
assert (casez: (j+1 < z \/ z <= j+1)%Z) by omega. destruct casez.

(* j+1 < z *)
apply h12; omega.

assert (casez: (z = j+1 \/ z < j+1)%Z) by omega. destruct casez.

(* z = j+1 *)
subst z.
red; intro h. unfold matches in h. simpl in h.
destruct h as (hy1, (hy2, hy3)).
generalize (hy3 j%Z).
ring_simplify (i + 1 - (j + 1)+ j)%Z.
intro. absurd (elts p i = elts p j); intuition. 

(* z < j+1 *)
clear H. red; intro h.
absurd (matches p (j - (z-1)) p 0 (z-1))%Z.
apply (hn3 (z-1)%Z); omega.
clear hn2 hn3.
apply matches_trans with p (i+1-z)%Z.

unfold matches; subst; simpl.
subst m.
repeat split; try omega. intros.
unfold matches in h11. simpl in h11.
destruct h11 as (hy1, (hy2, hy3)).
assert (hi0: (0 <= j+1-z+i0 < j)%Z) by omega.
generalize (hy3 (j+1-z+i0) hi0)%Z.
ring_simplify (i - j + (j + 1 - z + i0))%Z.
ring_simplify (j - (z - 1) + i0)%Z.
ring_simplify (j + 1 - z + i0)%Z. ring_simplify (i + 1 - z + i0)%Z.
auto.
apply  matches_right_weakening with z; auto.
omega.
Qed.
why3-1.6.0/examples/kmp/kmp_WP_KnuthMorrisPratt_matches_left_weakening_1.v000066400000000000000000000067141440160026300267530ustar00rootroot00000000000000(* This file is generated by Why3's Coq driver *)
(* Beware! Only edit allowed sections below    *)
Require Import BuiltIn.
Require BuiltIn.
Require HighOrd.
Require int.Int.
Require map.Map.

(* Why3 assumption *)
Inductive ref (a:Type) :=
  | mk_ref : a -> ref a.
Axiom ref_WhyType : forall (a:Type) {a_WT:WhyType a}, WhyType (ref a).
Existing Instance ref_WhyType.
Implicit Arguments mk_ref [[a]].

(* Why3 assumption *)
Definition contents {a:Type} {a_WT:WhyType a} (v:(ref a)): a :=
  match v with
  | (mk_ref x) => x
  end.

Axiom array : forall (a:Type), Type.
Parameter array_WhyType : forall (a:Type) {a_WT:WhyType a},
  WhyType (array a).
Existing Instance array_WhyType.

Parameter elts: forall {a:Type} {a_WT:WhyType a}, (array a) -> (Z -> a).

Parameter length: forall {a:Type} {a_WT:WhyType a}, (array a) -> Z.

Axiom array'invariant : forall {a:Type} {a_WT:WhyType a}, forall (self:(array
  a)), (0%Z <= (length self))%Z.

(* Why3 assumption *)
Definition mixfix_lbrb {a:Type} {a_WT:WhyType a} (a1:(array a)) (i:Z): a :=
  ((elts a1) i).

Parameter mixfix_lblsmnrb: forall {a:Type} {a_WT:WhyType a}, (array a) ->
  Z -> a -> (array a).

Axiom mixfix_lblsmnrb_spec : forall {a:Type} {a_WT:WhyType a},
  forall (a1:(array a)) (i:Z) (v:a), ((length (mixfix_lblsmnrb a1 i
  v)) = (length a1)) /\ ((elts (mixfix_lblsmnrb a1 i
  v)) = (map.Map.set (elts a1) i v)).

Axiom char : Type.
Parameter char_WhyType : WhyType char.
Existing Instance char_WhyType.

(* Why3 assumption *)
Definition matches (a1:(array char)) (i1:Z) (a2:(array char)) (i2:Z)
  (n:Z): Prop := ((0%Z <= i1)%Z /\ (i1 <= ((length a1) - n)%Z)%Z) /\
  (((0%Z <= i2)%Z /\ (i2 <= ((length a2) - n)%Z)%Z) /\ forall (i:Z),
  ((0%Z <= i)%Z /\ (i < n)%Z) -> ((mixfix_lbrb a1
  (i1 + i)%Z) = (mixfix_lbrb a2 (i2 + i)%Z))).

Axiom matches_empty : forall (a1:(array char)) (a2:(array char)) (i1:Z)
  (i2:Z), ((0%Z <= i1)%Z /\ (i1 <= (length a1))%Z) -> (((0%Z <= i2)%Z /\
  (i2 <= (length a2))%Z) -> (matches a1 i1 a2 i2 0%Z)).

Axiom matches_right_extension : forall (a1:(array char)) (a2:(array char))
  (i1:Z) (i2:Z) (n:Z), (matches a1 i1 a2 i2 n) ->
  ((i1 <= (((length a1) - n)%Z - 1%Z)%Z)%Z ->
  ((i2 <= (((length a2) - n)%Z - 1%Z)%Z)%Z -> (((mixfix_lbrb a1
  (i1 + n)%Z) = (mixfix_lbrb a2 (i2 + n)%Z)) -> (matches a1 i1 a2 i2
  (n + 1%Z)%Z)))).

Axiom matches_contradiction_at_first : forall (a1:(array char)) (a2:(array
  char)) (i1:Z) (i2:Z) (n:Z), (0%Z < n)%Z -> ((~ ((mixfix_lbrb a1
  i1) = (mixfix_lbrb a2 i2))) -> ~ (matches a1 i1 a2 i2 n)).

Axiom matches_contradiction_at_i : forall (a1:(array char)) (a2:(array char))
  (i1:Z) (i2:Z) (i:Z) (n:Z), (0%Z < n)%Z -> (((0%Z <= i)%Z /\ (i < n)%Z) ->
  ((~ ((mixfix_lbrb a1 (i1 + i)%Z) = (mixfix_lbrb a2 (i2 + i)%Z))) ->
  ~ (matches a1 i1 a2 i2 n))).

Axiom matches_right_weakening : forall (a1:(array char)) (a2:(array char))
  (i1:Z) (i2:Z) (n:Z) (n':Z), (matches a1 i1 a2 i2 n) -> ((n' < n)%Z ->
  (matches a1 i1 a2 i2 n')).


(* Why3 goal *)
Theorem matches_left_weakening : forall (a1:(array char)) (a2:(array char))
  (i1:Z) (i2:Z) (n:Z) (n':Z), (matches a1 (i1 - (n - n')%Z)%Z a2
  (i2 - (n - n')%Z)%Z n) -> ((n' < n)%Z -> (matches a1 i1 a2 i2 n')).
(* Why3 intros a1 a2 i1 i2 n n' h1 h2. *)
(* YOU MAY EDIT THE PROOF BELOW *)
intros a1 a2 i1 i2 n n' Hmatch Hn.
destruct Hmatch. destruct H0.
red.
split.
 omega.
split.
 omega.
intros i Hi.
replace (i1 + i)%Z with (i1 - (n - n') + (i + (n - n')))%Z.
replace (i2 + i)%Z with (i2 - (n - n') + (i + (n - n')))%Z.
apply H1.
omega.
 omega.
 omega.
Qed.

why3-1.6.0/examples/kmp/kmp_WP_KnuthMorrisPratt_next_is_maximal_1.v000066400000000000000000000122471440160026300254440ustar00rootroot00000000000000(* This file is generated by Why3's Coq driver *)
(* Beware! Only edit allowed sections below    *)
Require Import ZArith.
Require Import Rbase.
Definition unit  := unit.

Parameter mark : Type.

Parameter at1: forall (a:Type), a -> mark  -> a.

Implicit Arguments at1.

Parameter old: forall (a:Type), a  -> a.

Implicit Arguments old.

Inductive ref (a:Type) :=
  | mk_ref : a -> ref a.
Implicit Arguments mk_ref.

Definition contents (a:Type)(u:(ref a)): a :=
  match u with
  | mk_ref contents1 => contents1
  end.
Implicit Arguments contents.

Parameter map : forall (a:Type) (b:Type), Type.

Parameter get: forall (a:Type) (b:Type), (map a b) -> a  -> b.

Implicit Arguments get.

Parameter set: forall (a:Type) (b:Type), (map a b) -> a -> b  -> (map a b).

Implicit Arguments set.

Axiom Select_eq : forall (a:Type) (b:Type), forall (m:(map a b)),
  forall (a1:a) (a2:a), forall (b1:b), (a1 = a2) -> ((get (set m a1 b1)
  a2) = b1).

Axiom Select_neq : forall (a:Type) (b:Type), forall (m:(map a b)),
  forall (a1:a) (a2:a), forall (b1:b), (~ (a1 = a2)) -> ((get (set m a1 b1)
  a2) = (get m a2)).

Parameter const: forall (b:Type) (a:Type), b  -> (map a b).

Set Contextual Implicit.
Implicit Arguments const.
Unset Contextual Implicit.

Axiom Const : forall (b:Type) (a:Type), forall (b1:b) (a1:a), ((get (const(
  b1):(map a b)) a1) = b1).

Inductive array (a:Type) :=
  | mk_array : Z -> (map Z a) -> array a.
Implicit Arguments mk_array.

Definition elts (a:Type)(u:(array a)): (map Z a) :=
  match u with
  | mk_array _ elts1 => elts1
  end.
Implicit Arguments elts.

Definition length (a:Type)(u:(array a)): Z :=
  match u with
  | mk_array length1 _ => length1
  end.
Implicit Arguments length.

Definition get1 (a:Type)(a1:(array a)) (i:Z): a := (get (elts a1) i).
Implicit Arguments get1.

Definition set1 (a:Type)(a1:(array a)) (i:Z) (v:a): (array a) :=
  match a1 with
  | mk_array xcl0 _ => (mk_array xcl0 (set (elts a1) i v))
  end.
Implicit Arguments set1.

Parameter char : Type.

Definition matches(a1:(array char)) (i1:Z) (a2:(array char)) (i2:Z)
  (n:Z): Prop := ((0%Z <= i1)%Z /\ (i1 <= ((length a1) - n)%Z)%Z) /\
  (((0%Z <= i2)%Z /\ (i2 <= ((length a2) - n)%Z)%Z) /\ forall (i:Z),
  ((0%Z <= i)%Z /\ (i <  n)%Z) -> ((get1 a1 (i1 + i)%Z) = (get1 a2
  (i2 + i)%Z))).

Axiom matches_empty : forall (a1:(array char)) (a2:(array char)) (i1:Z)
  (i2:Z), ((0%Z <= i1)%Z /\ (i1 <= (length a1))%Z) -> (((0%Z <= i2)%Z /\
  (i2 <= (length a2))%Z) -> (matches a1 i1 a2 i2 0%Z)).

Axiom matches_right_extension : forall (a1:(array char)) (a2:(array char))
  (i1:Z) (i2:Z) (n:Z), (matches a1 i1 a2 i2 n) ->
  ((i1 <= (((length a1) - n)%Z - 1%Z)%Z)%Z ->
  ((i2 <= (((length a2) - n)%Z - 1%Z)%Z)%Z -> (((get1 a1
  (i1 + n)%Z) = (get1 a2 (i2 + n)%Z)) -> (matches a1 i1 a2 i2
  (n + 1%Z)%Z)))).

Axiom matches_contradiction_at_first : forall (a1:(array char)) (a2:(array
  char)) (i1:Z) (i2:Z) (n:Z), (0%Z <  n)%Z -> ((~ ((get1 a1 i1) = (get1 a2
  i2))) -> ~ (matches a1 i1 a2 i2 n)).

Axiom matches_contradiction_at_i : forall (a1:(array char)) (a2:(array char))
  (i1:Z) (i2:Z) (i:Z) (n:Z), (0%Z <  n)%Z -> (((0%Z <= i)%Z /\ (i <  n)%Z) ->
  ((~ ((get1 a1 (i1 + i)%Z) = (get1 a2 (i2 + i)%Z))) -> ~ (matches a1 i1 a2
  i2 n))).

Axiom matches_right_weakening : forall (a1:(array char)) (a2:(array char))
  (i1:Z) (i2:Z) (n:Z) (nqt:Z), (matches a1 i1 a2 i2 n) -> ((nqt <  n)%Z ->
  (matches a1 i1 a2 i2 nqt)).

Axiom matches_left_weakening : forall (a1:(array char)) (a2:(array char))
  (i1:Z) (i2:Z) (n:Z) (nqt:Z), (matches a1 (i1 - (n - nqt)%Z)%Z a2
  (i2 - (n - nqt)%Z)%Z n) -> ((nqt <  n)%Z -> (matches a1 i1 a2 i2 nqt)).

Axiom matches_sym : forall (a1:(array char)) (a2:(array char)) (i1:Z) (i2:Z)
  (n:Z), (matches a1 i1 a2 i2 n) -> (matches a2 i2 a1 i1 n).

Axiom matches_trans : forall (a1:(array char)) (a2:(array char)) (a3:(array
  char)) (i1:Z) (i2:Z) (i3:Z) (n:Z), (matches a1 i1 a2 i2 n) -> ((matches a2
  i2 a3 i3 n) -> (matches a1 i1 a3 i3 n)).

Definition is_next(p:(array char)) (j:Z) (n:Z): Prop := ((0%Z <= n)%Z /\
  (n <  j)%Z) /\ ((matches p (j - n)%Z p 0%Z n) /\ forall (z:Z),
  ((n <  z)%Z /\ (z <  j)%Z) -> ~ (matches p (j - z)%Z p 0%Z z)).

Axiom next_iteration : forall (p:(array char)) (a:(array char)) (i:Z) (j:Z)
  (n:Z), ((0%Z <  j)%Z /\ (j <  (length p))%Z) -> (((j <= i)%Z /\
  (i <= (length a))%Z) -> ((matches a (i - j)%Z p 0%Z j) -> ((is_next p j
  n) -> (matches a (i - n)%Z p 0%Z n)))).

Theorem next_is_maximal : forall (p:(array char)) (a:(array char)) (i:Z)
  (j:Z) (n:Z) (k:Z), ((0%Z <  j)%Z /\ (j <  (length p))%Z) -> (((j <= i)%Z /\
  (i <= (length a))%Z) -> ((((i - j)%Z <  k)%Z /\ (k <  (i - n)%Z)%Z) ->
  ((matches a (i - j)%Z p 0%Z j) -> ((is_next p j n) -> ~ (matches a k p 0%Z
  (length p)))))).
(* YOU MAY EDIT THE PROOF BELOW *)
intros p a.
intros i j n k Hj Hi Hk Hmatch Hnext.
red.
 intro Hmax.
elim Hnext; intros h1 (h2, h3).
absurd (matches p (j - (i - k)) p 0 (i - k)).
apply h3; omega.
apply matches_trans with (a2 := a) (i2 := k).
apply matches_sym.
apply matches_left_weakening with (n := j).
replace (k - (j - (i - k)))%Z with (i-j)%Z by ring.
 ring_simplify (j - (i - k) - (j - (i - k)))%Z.
 assumption.
omega.
apply matches_right_weakening with (n := length p).
assumption.
omega.
Qed.
(* DO NOT EDIT BELOW *)


why3-1.6.0/examples/kmp/why3session.xml000066400000000000000000000354211440160026300200360ustar00rootroot00000000000000












 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
   
   
    
    
    
   
   
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
 
 
 
 
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
   
   
    
    
    
   
   
  
  
  
  
  
  
 
 



why3-1.6.0/examples/kmp/why3shapes.gz000066400000000000000000000120261440160026300174520ustar00rootroot00000000000000][6~}x'k/`,8ޗ^J6ǎFw{0__vcG0G*^DV}u!Ubttw}WƇt_JUҍx|^Kz?WnQLVYdu,}rSor|
|U!V
?O[dSȫpHJJJb+~bOUyi**i++I12޸QE&1SK̋򴢲x
5bGPeUegkz3
Y9"5?eY5=B1Ƨ[ȢWԅEB7{3UE]Us4+TYY}u>*@{ǕSyt?:6xTMKwoߜFY9c/LOͦ42Ȋг"X_no߃wWLJI=,G˿$^-eJ=s{~mz6Ҍ6N10¼,Ys`mhEsPVV<ƍuڰJk/y=Wx=`w
5Ҁi]Ow̛Ka]]Gv+Ȝ?C`}w#ȵ۲?vEg=39hA}?+akȷCMGϵ^-cf''jW|ͧ-w`i<[o_q5.j6z1w;;z-鸤m\`.FnB|m06,VvԆ-Ե6]f{m3m
/Zfb/(|hLf2_sBNg2ž7M,/<&Cs=/柹|fAD |oBύr(̨6EOԄõ***䅆F^ǍrD^hyassx)ulEe
CY֚523>qE!͹3d7
A_?02s'1ZNo$Ĉ&.$xpAkvS27˄-TN޼)|6:ȴtI*ELJWRbR{(f>’*XʊډP)ٿ$E$EeYW]>|건rb24lezfث3̀zwߘqCN,UfO\DT-a|?̦<
+#`֬3V`\6/:XdilxT-OG,EĸMs1wChx䷂")+cfesa/@~MN2\~iY,ZIei,Yֲ4_B,j'[8_Œ|9QË9Ė'v$NK"ۑ#3}+3`oYE;22~L,+q?l/\><|)|Q_mW:zuurp
/N(¹Hڑa|/w(!\Jx%OBIQi*T5*v]|؉N,=)6DK`cn/"f'D_X+|GϠʩUPڡ;f:f;-V/"u*C'}6YxN{o{0s߿K~yû-.cȍc1皏mW˹٪eR/$e>5_g.A;;kOEs.?xQ(&oJ\e_}~mwy]F4򻭛|_lK;y!P8%#U&ns1ہuf_ꓑKJ={^pnn]?),H0(2Šqdkb~]
'@T
w\eNfyH~gZΈP[UMr"F;Emx%!?
B]h㛎PIm1bp¸S1~t8麖7^#6ZYZZZjadVL"N8TceZ뺖]M^ZHiTvmj>499
&5))4%ԭU]+ѣlVkj4&䴫ShLQ7up
0y)ЄN*jKJ	+]Pu%mRi׊;TG6X[鵗uS+rF$vAh,pMFD)Zfs]
1JU׶sNAmtܕD[';<8oZuJEk	c(!qm]&%Z[7u:RT
,<.lKpR៴Q&gwo2,n2
(uXy$q0V0]NupJ,,4ΤsN:'h?:xKN"`t7n,>9s>AWIXB
+0QVFRn7=why3-1.6.0/examples/knuth_prime_numbers.mlw000066400000000000000000000076551440160026300210400ustar00rootroot00000000000000
(** {1 Knuth's algorithm for prime numbers}

   The Art of Computer Programming, vol 1, page 147.

   The following code computes a table of the first `m` prime numbers.
   Though there are more efficient ways of computing prime numbers,
   the nice thing about this code is that it requires not less than
   Bertrand's postulate (for `n > 1`, there is always a prime `p` such that
   `n < p < 2n`) to be proved correct.

   This program had been proved correct using Coq and an early version of
   Why back in 2003, by Laurent Théry (INRIA Sophia-Antipolis): Laurent Théry,
   Proving Pearl: Knuth's Algorithm for Prime Numbers, TPHOLs 2003.
   Truly a tour de force, this proof includes the full proof of Bertrand's
   postulate in Coq. Here, we simply focus on the program verification part,
   posing Bertrand's postulate as a lemma that we do not prove.

   Note: Knuth's code is entering the loop where a new prime number is
   added, thus resulting into the immediate addition of 3 as `prime[1]`.
   It allows subsequent division tests to start at `prime[1]=3`, thus
   saving the division by `prime[0]=2`. We did something similar in the
   code below, though the use of a while loop looks like we did a
   special case for 3 as well.  *)

module PrimeNumbers

  use int.Int
  use int.ComputerDivision
  use number.Parity
  use number.Divisibility
  use number.Prime
  use ref.Refint
  use map.Map

  predicate no_prime_in (l u: int) =
    forall x: int. l < x < u -> not (prime x)

  (** `p[0]..p[u-1]` are the first u prime numbers *)
  predicate first_primes (p: int -> int) (u: int) =
    p[0] = 2 /\
    (* sorted *)
    (forall i j: int. 0 <= i < j < u -> p[i] < p[j]) /\
    (* only primes *)
    (forall i: int. 0 <= i < u -> prime p[i]) /\
    (* all primes *)
    (forall i: int. 0 <= i < u-1 -> no_prime_in p[i] p[i+1])

  lemma exists_prime:
    forall p: int -> int, u: int. 1 <= u -> first_primes p u ->
    forall d: int. 2 <= d <= p[u-1] -> prime d ->
    exists i: int. 0 <= i < u /\ d = p[i]

  (** Bertrand's postulate, admitted as an axiom
   (the label is there to suppress the warning issued by Why3) *)
  axiom Bertrand_postulate [@W:non_conservative_extension:N] :
    forall p: int. prime p -> not (no_prime_in p (2*p))

  use array.Array

  (** `prime_numbers m` returns an array containing the first `m`
  prime numbers *)
  let prime_numbers (m: int) : array int
    requires { m >= 2 }
    ensures  { result.length = m }
    ensures  { first_primes result.elts m }
  = let p = make m 0 in
    p[0] <- 2;
    p[1] <- 3;
    let n = ref 5 in (* candidate for next prime *)
    for j = 2 to m - 1 do
      invariant { first_primes p.elts j }
      invariant { p[j-1] < !n < 2*p[j-1] }
      invariant { odd !n }
      invariant { no_prime_in p[j-1] !n }
      let rec test (k: int) variant { 2*p[j-1] - !n, j - k }
        requires { 1 <= k < j }
        requires { first_primes p.elts j }
        requires { p[j-1] < !n < 2*p[j-1] }
        requires { odd !n }
        requires { no_prime_in p[j-1] !n }
        requires { forall i: int. 0 <= i < k -> not (divides p[i] !n) }
        ensures  { p[j-1] < !n /\ prime !n /\ no_prime_in p[j-1] !n }
      = if mod !n p[k] = 0 then begin
          assert { not (prime !n) }; n += 2; test 1
        end else if div !n p[k] > p[k] then
          test (k + 1)
        else
          assert { prime !n }
      in
      test 1;
      p[j] <- !n;
      n += 2
    done;
    p

  exception BenchFailure

  let bench () raises { BenchFailure -> true } =
     let t = prime_numbers 100 in
     if t[0] <> 2 then raise BenchFailure;
     if t[1] <> 3 then raise BenchFailure;
     if t[2] <> 5 then raise BenchFailure;
     if t[3] <> 7 then raise BenchFailure;
     if t[4] <> 11 then raise BenchFailure;
     if t[5] <> 13 then raise BenchFailure;
     if t[6] <> 17 then raise BenchFailure;
     if t[7] <> 19 then raise BenchFailure;
     if t[8] <> 23 then raise BenchFailure;
     if t[9] <> 29 then raise BenchFailure;
     t

end

why3-1.6.0/examples/knuth_prime_numbers/000077500000000000000000000000001440160026300203025ustar00rootroot00000000000000why3-1.6.0/examples/knuth_prime_numbers/knuth_prime_numbers_PrimeNumbers_VC_prime_numbers_1.v000066400000000000000000000127221440160026300330040ustar00rootroot00000000000000(* This file is generated by Why3's Coq driver *)
(* Beware! Only edit allowed sections below    *)
Require Import BuiltIn.
Require BuiltIn.
Require HighOrd.
Require int.Int.
Require int.Abs.
Require int.EuclideanDivision.
Require int.ComputerDivision.
Require map.Map.
Require number.Parity.
Require number.Divisibility.
Require number.Prime.

(* Why3 assumption *)
Inductive ref (a:Type) :=
  | ref'mk : a -> ref a.
Axiom ref_WhyType : forall (a:Type) {a_WT:WhyType a}, WhyType (ref a).
Existing Instance ref_WhyType.
Arguments ref'mk {a}.

(* Why3 assumption *)
Definition contents {a:Type} {a_WT:WhyType a} (v:ref a) : a :=
  match v with
  | ref'mk x => x
  end.

(* Why3 assumption *)
Definition no_prime_in (l:Numbers.BinNums.Z) (u:Numbers.BinNums.Z) : Prop :=
  forall (x:Numbers.BinNums.Z), (l < x)%Z /\ (x < u)%Z ->
  ~ number.Prime.prime x.

(* Why3 assumption *)
Definition first_primes (p:Numbers.BinNums.Z -> Numbers.BinNums.Z)
    (u:Numbers.BinNums.Z) : Prop :=
  ((p 0%Z) = 2%Z) /\
  (forall (i:Numbers.BinNums.Z) (j:Numbers.BinNums.Z),
   (0%Z <= i)%Z /\ (i < j)%Z /\ (j < u)%Z -> ((p i) < (p j))%Z) /\
  (forall (i:Numbers.BinNums.Z), (0%Z <= i)%Z /\ (i < u)%Z ->
   number.Prime.prime (p i)) /\
  (forall (i:Numbers.BinNums.Z), (0%Z <= i)%Z /\ (i < (u - 1%Z)%Z)%Z ->
   no_prime_in (p i) (p (i + 1%Z)%Z)).

Axiom exists_prime :
  forall (p:Numbers.BinNums.Z -> Numbers.BinNums.Z) (u:Numbers.BinNums.Z),
  (1%Z <= u)%Z -> first_primes p u -> forall (d:Numbers.BinNums.Z),
  (2%Z <= d)%Z /\ (d <= (p (u - 1%Z)%Z))%Z -> number.Prime.prime d ->
  exists i:Numbers.BinNums.Z, ((0%Z <= i)%Z /\ (i < u)%Z) /\ (d = (p i)).

Axiom Bertrand_postulate :
  forall (p:Numbers.BinNums.Z), number.Prime.prime p ->
  ~ no_prime_in p (2%Z * p)%Z.

Axiom array : forall (a:Type), Type.
Parameter array_WhyType :
  forall (a:Type) {a_WT:WhyType a}, WhyType (array a).
Existing Instance array_WhyType.

Parameter elts:
  forall {a:Type} {a_WT:WhyType a}, array a -> Numbers.BinNums.Z -> a.

Parameter length:
  forall {a:Type} {a_WT:WhyType a}, array a -> Numbers.BinNums.Z.

Axiom array'invariant :
  forall {a:Type} {a_WT:WhyType a},
  forall (self:array a), (0%Z <= (length self))%Z.

(* Why3 assumption *)
Definition mixfix_lbrb {a:Type} {a_WT:WhyType a} (a1:array a)
    (i:Numbers.BinNums.Z) : a :=
  elts a1 i.

Parameter mixfix_lblsmnrb:
  forall {a:Type} {a_WT:WhyType a}, array a -> Numbers.BinNums.Z -> a ->
  array a.

Axiom mixfix_lblsmnrb'spec :
  forall {a:Type} {a_WT:WhyType a},
  forall (a1:array a) (i:Numbers.BinNums.Z) (v:a),
  ((length (mixfix_lblsmnrb a1 i v)) = (length a1)) /\
  ((elts (mixfix_lblsmnrb a1 i v)) = (map.Map.set (elts a1) i v)).

Parameter make:
  forall {a:Type} {a_WT:WhyType a}, Numbers.BinNums.Z -> a -> array a.

Axiom make'spec :
  forall {a:Type} {a_WT:WhyType a},
  forall (n:Numbers.BinNums.Z) (v:a), (0%Z <= n)%Z ->
  (forall (i:Numbers.BinNums.Z), (0%Z <= i)%Z /\ (i < n)%Z ->
   ((mixfix_lbrb (make n v) i) = v)) /\
  ((length (make n v)) = n).

(* Why3 goal *)
Theorem prime_numbers'vc :
  forall (m:Numbers.BinNums.Z), (2%Z <= m)%Z ->
  let p := make m 0%Z in
  (forall (i:Numbers.BinNums.Z), (0%Z <= i)%Z /\ (i < m)%Z ->
   ((mixfix_lbrb p i) = 0%Z)) /\
  ((length p) = m) -> forall (p1:array Numbers.BinNums.Z),
  ((length p1) = (length p)) ->
  ((elts p1) = (map.Map.set (elts p) 0%Z 2%Z)) /\
  (p1 = (mixfix_lblsmnrb p 0%Z 2%Z)) -> forall (p2:array Numbers.BinNums.Z),
  ((length p2) = (length p1)) ->
  ((elts p2) = (map.Map.set (elts p1) 1%Z 3%Z)) /\
  (p2 = (mixfix_lblsmnrb p1 1%Z 3%Z)) ->
  let o := (m - 1%Z)%Z in
  (2%Z <= (o + 1%Z)%Z)%Z ->
  forall (n:Numbers.BinNums.Z) (p3:array Numbers.BinNums.Z),
  ((length p3) = (length p2)) -> forall (j:Numbers.BinNums.Z),
  ((2%Z <= j)%Z /\ (j <= o)%Z) /\
  first_primes (elts p3) j /\
  (((mixfix_lbrb p3 (j - 1%Z)%Z) < n)%Z /\
   (n < (2%Z * (mixfix_lbrb p3 (j - 1%Z)%Z))%Z)%Z) /\
  number.Parity.odd n /\ no_prime_in (mixfix_lbrb p3 (j - 1%Z)%Z) n ->
  forall (n1:Numbers.BinNums.Z) (p4:array Numbers.BinNums.Z),
  ((length p4) = (length p3)) -> forall (k:Numbers.BinNums.Z),
  ((1%Z <= k)%Z /\ (k < j)%Z) /\
  first_primes (elts p4) j /\
  (((mixfix_lbrb p4 (j - 1%Z)%Z) < n1)%Z /\
   (n1 < (2%Z * (mixfix_lbrb p4 (j - 1%Z)%Z))%Z)%Z) /\
  number.Parity.odd n1 /\
  no_prime_in (mixfix_lbrb p4 (j - 1%Z)%Z) n1 /\
  (forall (i:Numbers.BinNums.Z), (0%Z <= i)%Z /\ (i < k)%Z ->
   ~ number.Divisibility.divides (mixfix_lbrb p4 i) n1) ->
  ((ZArith.BinInt.Z.rem n1 (mixfix_lbrb p4 k)) = 0%Z) ->
  ~ number.Prime.prime n1 -> forall (n2:Numbers.BinNums.Z),
  (n2 = (n1 + 2%Z)%Z) -> (1%Z <= 1%Z)%Z /\ (1%Z < j)%Z ->
  first_primes (elts p4) j -> (n2 < (2%Z * (mixfix_lbrb p4 (j - 1%Z)%Z))%Z)%Z.
Proof.
intros m h1 p (h2,h3) p1 h4 (h5,h6) p2 h7 (h8,h9) o h10 n p3 h11 j
        ((h12,h13),(h14,((h15,h16),(h17,h18)))) n1 p4 h19 k
        ((h20,h21),(h22,((h23,h24),(h25,(h26,h27))))) h28 h29 n2 h30
        (h31,h32) h33.
(*
intros m h1 p (h2,h3) p1 h4 h5 p2 h6 h7 o h8 n p3 h9 j
((h10,h11),(h12,((h13,h14),(h15,h16)))) n1 p4 h17 k
((h18,h19),(h20,((h21,h22),(h23,(h24,h25))))) h26 h27 n2 h28 (h29,h30) h31.
*)
assert (case: (n2 < 2 * elts p4 (j-1) \/ n2 >= 2 * elts p4 (j-1))%Z) by omega.
destruct case.
auto.
apply False_ind.
apply Bertrand_postulate with (elts p4 (j-1)%Z); intuition.
red in h22; decompose [and] h22; clear h22.
apply H1; omega.
red; intros.
assert (case: (x < n1 \/ x = n1 \/ x = n1+1)%Z) by omega. destruct case.
apply h26.
unfold mixfix_lbrb.
omega.
destruct H1; subst x.
intuition.
intro K.
apply Prime.even_prime in K.
omega.
now apply Parity.odd_even.
Qed.
knuth_prime_numbers_PrimeNumbers_WP_parameter_prime_numbers_2.v000066400000000000000000000127411440160026300350050ustar00rootroot00000000000000why3-1.6.0/examples/knuth_prime_numbers(* This file is generated by Why3's Coq driver *)
(* Beware! Only edit allowed sections below    *)
Require Import BuiltIn.
Require BuiltIn.
Require HighOrd.
Require int.Int.
Require int.Abs.
Require int.EuclideanDivision.
Require int.ComputerDivision.
Require map.Map.
Require number.Parity.
Require number.Divisibility.
Require number.Prime.

(* Why3 assumption *)
Inductive ref (a:Type) :=
  | ref'mk : a -> ref a.
Axiom ref_WhyType : forall (a:Type) {a_WT:WhyType a}, WhyType (ref a).
Existing Instance ref_WhyType.
Arguments ref'mk {a}.

(* Why3 assumption *)
Definition contents {a:Type} {a_WT:WhyType a} (v:ref a) : a :=
  match v with
  | ref'mk x => x
  end.

(* Why3 assumption *)
Definition no_prime_in (l:Numbers.BinNums.Z) (u:Numbers.BinNums.Z) : Prop :=
  forall (x:Numbers.BinNums.Z), (l < x)%Z /\ (x < u)%Z ->
  ~ number.Prime.prime x.

(* Why3 assumption *)
Definition first_primes (p:Numbers.BinNums.Z -> Numbers.BinNums.Z)
    (u:Numbers.BinNums.Z) : Prop :=
  ((p 0%Z) = 2%Z) /\
  (forall (i:Numbers.BinNums.Z) (j:Numbers.BinNums.Z),
   (0%Z <= i)%Z /\ (i < j)%Z /\ (j < u)%Z -> ((p i) < (p j))%Z) /\
  (forall (i:Numbers.BinNums.Z), (0%Z <= i)%Z /\ (i < u)%Z ->
   number.Prime.prime (p i)) /\
  (forall (i:Numbers.BinNums.Z), (0%Z <= i)%Z /\ (i < (u - 1%Z)%Z)%Z ->
   no_prime_in (p i) (p (i + 1%Z)%Z)).

Axiom exists_prime :
  forall (p:Numbers.BinNums.Z -> Numbers.BinNums.Z) (u:Numbers.BinNums.Z),
  (1%Z <= u)%Z -> first_primes p u -> forall (d:Numbers.BinNums.Z),
  (2%Z <= d)%Z /\ (d <= (p (u - 1%Z)%Z))%Z -> number.Prime.prime d ->
  exists i:Numbers.BinNums.Z, ((0%Z <= i)%Z /\ (i < u)%Z) /\ (d = (p i)).

Axiom Bertrand_postulate :
  forall (p:Numbers.BinNums.Z), number.Prime.prime p ->
  ~ no_prime_in p (2%Z * p)%Z.

Axiom array : forall (a:Type), Type.
Parameter array_WhyType :
  forall (a:Type) {a_WT:WhyType a}, WhyType (array a).
Existing Instance array_WhyType.

Parameter elts:
  forall {a:Type} {a_WT:WhyType a}, array a -> Numbers.BinNums.Z -> a.

Parameter length:
  forall {a:Type} {a_WT:WhyType a}, array a -> Numbers.BinNums.Z.

Axiom array'invariant :
  forall {a:Type} {a_WT:WhyType a},
  forall (self:array a), (0%Z <= (length self))%Z.

(* Why3 assumption *)
Definition mixfix_lbrb {a:Type} {a_WT:WhyType a} (a1:array a)
    (i:Numbers.BinNums.Z) : a :=
  elts a1 i.

Parameter mixfix_lblsmnrb:
  forall {a:Type} {a_WT:WhyType a}, array a -> Numbers.BinNums.Z -> a ->
  array a.

Axiom mixfix_lblsmnrb'spec :
  forall {a:Type} {a_WT:WhyType a},
  forall (a1:array a) (i:Numbers.BinNums.Z) (v:a),
  ((length (mixfix_lblsmnrb a1 i v)) = (length a1)) /\
  ((elts (mixfix_lblsmnrb a1 i v)) = (map.Map.set (elts a1) i v)).

Parameter make:
  forall {a:Type} {a_WT:WhyType a}, Numbers.BinNums.Z -> a -> array a.

Axiom make_spec :
  forall {a:Type} {a_WT:WhyType a},
  forall (n:Numbers.BinNums.Z) (v:a), (0%Z <= n)%Z ->
  (forall (i:Numbers.BinNums.Z), (0%Z <= i)%Z /\ (i < n)%Z ->
   ((mixfix_lbrb (make n v) i) = v)) /\
  ((length (make n v)) = n).

Parameter if_term: Numbers.BinNums.Z -> Init.Datatypes.bool.

Axiom if_term'def :
  forall (o:Numbers.BinNums.Z),
  ((o = 0%Z) -> ((if_term o) = Init.Datatypes.true)) /\
  (~ (o = 0%Z) -> ((if_term o) = Init.Datatypes.false)).

Require Import Lia.

(* Why3 goal *)
Theorem prime_numbers'vc :
  forall (m:Numbers.BinNums.Z), (2%Z <= m)%Z ->
  forall (p:array Numbers.BinNums.Z),
  (forall (i:Numbers.BinNums.Z), (0%Z <= i)%Z /\ (i < m)%Z ->
   ((mixfix_lbrb p i) = 0%Z)) /\
  ((length p) = m) -> forall (p1:array Numbers.BinNums.Z),
  ((length p1) = (length p)) ->
  ((elts p1) = (map.Map.set (elts p) 0%Z 2%Z)) /\
  (p1 = (mixfix_lblsmnrb p 0%Z 2%Z)) -> forall (p2:array Numbers.BinNums.Z),
  ((length p2) = (length p1)) ->
  ((elts p2) = (map.Map.set (elts p1) 1%Z 3%Z)) /\
  (p2 = (mixfix_lblsmnrb p1 1%Z 3%Z)) ->
  let o := (m - 1%Z)%Z in
  (2%Z <= (o + 1%Z)%Z)%Z ->
  forall (n:Numbers.BinNums.Z) (p3:array Numbers.BinNums.Z),
  ((length p3) = (length p2)) -> forall (j:Numbers.BinNums.Z),
  ((2%Z <= j)%Z /\ (j <= o)%Z) /\
  first_primes (elts p3) j /\
  (((mixfix_lbrb p3 (j - 1%Z)%Z) < n)%Z /\
   (n < (2%Z * (mixfix_lbrb p3 (j - 1%Z)%Z))%Z)%Z) /\
  number.Parity.odd n /\ no_prime_in (mixfix_lbrb p3 (j - 1%Z)%Z) n ->
  forall (n1:Numbers.BinNums.Z) (p4:array Numbers.BinNums.Z),
  ((length p4) = (length p3)) -> forall (k:Numbers.BinNums.Z),
  ((1%Z <= k)%Z /\ (k < j)%Z) /\
  first_primes (elts p4) j /\
  (((mixfix_lbrb p4 (j - 1%Z)%Z) < n1)%Z /\
   (n1 < (2%Z * (mixfix_lbrb p4 (j - 1%Z)%Z))%Z)%Z) /\
  number.Parity.odd n1 /\
  no_prime_in (mixfix_lbrb p4 (j - 1%Z)%Z) n1 /\
  (forall (i:Numbers.BinNums.Z), (0%Z <= i)%Z /\ (i < k)%Z ->
   ~ number.Divisibility.divides (mixfix_lbrb p4 i) n1) ->
  ((ZArith.BinInt.Z.rem n1 (mixfix_lbrb p4 k)) = 0%Z) ->
  ~ number.Prime.prime n1.
(* Why3 intros m h1 p (h2,h3) p1 h4 (h5,h6) p2 h7 (h8,h9) o h10 n p3 h11 j
        ((h12,h13),(h14,((h15,h16),(h17,h18)))) n1 p4 h19 k
        ((h20,h21),(h22,((h23,h24),(h25,(h26,h27))))) h28. *)
Proof.
intros m h1 p (h2,h3) p1 h4 h5 p2 h6 h7 o h8 n p3 h9 j
((h10,h11),(h12,((h13,h14),(h15,h16)))) n1 p4 h17 k
((h18,h19),(h20,((h21,h22),(h23,(h24,h25))))) h26.
intro h0.
red in h0. destruct h0.
red in h20. decompose [and] h20. clear h20.
apply H0 with (elts p4 k).
assert (2 < elts p4 k)%Z.
rewrite <- H1.
apply H3; lia.
split. lia.
assert (case: (k ref a.
Axiom ref_WhyType : forall (a:Type) {a_WT:WhyType a}, WhyType (ref a).
Existing Instance ref_WhyType.
Arguments ref'mk {a}.

(* Why3 assumption *)
Definition contents {a:Type} {a_WT:WhyType a} (v:ref a) : a :=
  match v with
  | ref'mk x => x
  end.

(* Why3 assumption *)
Definition no_prime_in (l:Numbers.BinNums.Z) (u:Numbers.BinNums.Z) : Prop :=
  forall (x:Numbers.BinNums.Z), (l < x)%Z /\ (x < u)%Z ->
  ~ number.Prime.prime x.

(* Why3 assumption *)
Definition first_primes (p:Numbers.BinNums.Z -> Numbers.BinNums.Z)
    (u:Numbers.BinNums.Z) : Prop :=
  ((p 0%Z) = 2%Z) /\
  (forall (i:Numbers.BinNums.Z) (j:Numbers.BinNums.Z),
   (0%Z <= i)%Z /\ (i < j)%Z /\ (j < u)%Z -> ((p i) < (p j))%Z) /\
  (forall (i:Numbers.BinNums.Z), (0%Z <= i)%Z /\ (i < u)%Z ->
   number.Prime.prime (p i)) /\
  (forall (i:Numbers.BinNums.Z), (0%Z <= i)%Z /\ (i < (u - 1%Z)%Z)%Z ->
   no_prime_in (p i) (p (i + 1%Z)%Z)).

Axiom exists_prime :
  forall (p:Numbers.BinNums.Z -> Numbers.BinNums.Z) (u:Numbers.BinNums.Z),
  (1%Z <= u)%Z -> first_primes p u -> forall (d:Numbers.BinNums.Z),
  (2%Z <= d)%Z /\ (d <= (p (u - 1%Z)%Z))%Z -> number.Prime.prime d ->
  exists i:Numbers.BinNums.Z, ((0%Z <= i)%Z /\ (i < u)%Z) /\ (d = (p i)).

Axiom Bertrand_postulate :
  forall (p:Numbers.BinNums.Z), number.Prime.prime p ->
  ~ no_prime_in p (2%Z * p)%Z.

Axiom array : forall (a:Type), Type.
Parameter array_WhyType :
  forall (a:Type) {a_WT:WhyType a}, WhyType (array a).
Existing Instance array_WhyType.

Parameter elts:
  forall {a:Type} {a_WT:WhyType a}, array a -> Numbers.BinNums.Z -> a.

Parameter length:
  forall {a:Type} {a_WT:WhyType a}, array a -> Numbers.BinNums.Z.

Axiom array'invariant :
  forall {a:Type} {a_WT:WhyType a},
  forall (self:array a), (0%Z <= (length self))%Z.

(* Why3 assumption *)
Definition mixfix_lbrb {a:Type} {a_WT:WhyType a} (a1:array a)
    (i:Numbers.BinNums.Z) : a :=
  elts a1 i.

Parameter mixfix_lblsmnrb:
  forall {a:Type} {a_WT:WhyType a}, array a -> Numbers.BinNums.Z -> a ->
  array a.

Axiom mixfix_lblsmnrb'spec :
  forall {a:Type} {a_WT:WhyType a},
  forall (a1:array a) (i:Numbers.BinNums.Z) (v:a),
  ((length (mixfix_lblsmnrb a1 i v)) = (length a1)) /\
  ((elts (mixfix_lblsmnrb a1 i v)) = (map.Map.set (elts a1) i v)).

Parameter make:
  forall {a:Type} {a_WT:WhyType a}, Numbers.BinNums.Z -> a -> array a.

Axiom make_spec :
  forall {a:Type} {a_WT:WhyType a},
  forall (n:Numbers.BinNums.Z) (v:a), (0%Z <= n)%Z ->
  (forall (i:Numbers.BinNums.Z), (0%Z <= i)%Z /\ (i < n)%Z ->
   ((mixfix_lbrb (make n v) i) = v)) /\
  ((length (make n v)) = n).

Parameter if_term: Numbers.BinNums.Z -> Init.Datatypes.bool.

Axiom if_term'def :
  forall (o:Numbers.BinNums.Z),
  ((o = 0%Z) -> ((if_term o) = Init.Datatypes.true)) /\
  (~ (o = 0%Z) -> ((if_term o) = Init.Datatypes.false)).

Import Zquot.

Lemma Zle_sqrt: forall x y, (0 <= x -> 0 <= y -> x*x < y*y -> x
  forall (p:array Numbers.BinNums.Z),
  (forall (i:Numbers.BinNums.Z), (0%Z <= i)%Z /\ (i < m)%Z ->
   ((mixfix_lbrb p i) = 0%Z)) /\
  ((length p) = m) -> forall (p1:array Numbers.BinNums.Z),
  ((length p1) = (length p)) ->
  ((elts p1) = (map.Map.set (elts p) 0%Z 2%Z)) /\
  (p1 = (mixfix_lblsmnrb p 0%Z 2%Z)) -> forall (p2:array Numbers.BinNums.Z),
  ((length p2) = (length p1)) ->
  ((elts p2) = (map.Map.set (elts p1) 1%Z 3%Z)) /\
  (p2 = (mixfix_lblsmnrb p1 1%Z 3%Z)) ->
  let o := (m - 1%Z)%Z in
  (2%Z <= (o + 1%Z)%Z)%Z ->
  forall (n:Numbers.BinNums.Z) (p3:array Numbers.BinNums.Z),
  ((length p3) = (length p2)) -> forall (j:Numbers.BinNums.Z),
  ((2%Z <= j)%Z /\ (j <= o)%Z) /\
  first_primes (elts p3) j /\
  (((mixfix_lbrb p3 (j - 1%Z)%Z) < n)%Z /\
   (n < (2%Z * (mixfix_lbrb p3 (j - 1%Z)%Z))%Z)%Z) /\
  number.Parity.odd n /\ no_prime_in (mixfix_lbrb p3 (j - 1%Z)%Z) n ->
  forall (n1:Numbers.BinNums.Z) (p4:array Numbers.BinNums.Z),
  ((length p4) = (length p3)) -> forall (k:Numbers.BinNums.Z),
  ((1%Z <= k)%Z /\ (k < j)%Z) /\
  first_primes (elts p4) j /\
  (((mixfix_lbrb p4 (j - 1%Z)%Z) < n1)%Z /\
   (n1 < (2%Z * (mixfix_lbrb p4 (j - 1%Z)%Z))%Z)%Z) /\
  number.Parity.odd n1 /\
  no_prime_in (mixfix_lbrb p4 (j - 1%Z)%Z) n1 /\
  (forall (i:Numbers.BinNums.Z), (0%Z <= i)%Z /\ (i < k)%Z ->
   ~ number.Divisibility.divides (mixfix_lbrb p4 i) n1) ->
  ~ ((ZArith.BinInt.Z.rem n1 (mixfix_lbrb p4 k)) = 0%Z) ->
  ~ ((mixfix_lbrb p4 k) < (ZArith.BinInt.Z.quot n1 (mixfix_lbrb p4 k)))%Z ->
  number.Prime.prime n1.
(* Why3 intros m h1 p (h2,h3) p1 h4 (h5,h6) p2 h7 (h8,h9) o h10 n p3 h11 j
        ((h12,h13),(h14,((h15,h16),(h17,h18)))) n1 p4 h19 k
        ((h20,h21),(h22,((h23,h24),(h25,(h26,h27))))) h28 h29. *)
Proof.
intros m h1 p (h2,h3) p1 h4 h5 p2 h6 h7 o h8 n p3 h9 j
((h10,h11),(h12,((h13,h14),(h15,h16)))) n1 p4 h17 k
((h18,h19),(h20,((h21,h22),(h23,(h24,h25))))) h26 h27.
destruct h20 as (p0, (sorted, (only_primes, all_primes))).
assert (H2: (2 < elts p4 k)%Z).
rewrite <- p0. apply sorted; lia.
apply Prime.small_divisors; auto.
lia.
intros.
generalize (Z_quot_rem_eq n1 (elts p4 k)). intro div.
assert (ne1: (0 <= n1 /\ elts p4 k <> 0)%Z) by lia.
assert (mod1: (0 <= Z.rem n1 (elts p4 k))%Z).
destruct (not_Zeq_inf _ _ (proj2 ne1)) as [Zm|Zm].
now apply Zrem_lt_pos_neg.
now apply Zrem_lt_pos_pos.
assert (mod2: (Z.rem n1 (elts p4 k) < elts p4 k)%Z).
apply Zrem_lt_pos_pos ; lia.
assert (d <= elts p4 k)%Z.
assert (d < elts p4 k + 1)%Z. 2: lia.
apply Zle_sqrt; try lia.
assert (2 < elts p4 k)%Z.
rewrite <- p0. apply sorted; lia.
apply Z.le_lt_trans with n1; try lia.
assert (elts p4 k * (Z.quot n1 (elts p4 k)) <= elts p4 k * elts p4 k)%Z.
unfold mixfix_lbrb in h27.
apply Zmult_le_compat_l; lia.
replace ((elts p4 k + 1) * (elts p4 k + 1))%Z with (elts p4 k * elts p4 k + 2 * elts p4 k + 1)%Z by ring.
lia.
destruct (exists_prime (elts p4) (k+1))%Z with (4 := H0) as (i, (hi1, hi2)); auto.
lia.
red; split; intros.
auto.
split; intros.
apply sorted; lia.
split; intros.
apply only_primes; lia.
apply all_primes; lia.
replace (k+1-1)%Z with k by ring.
auto.
subst d.
assert (case: (i < k \/i = k)%Z) by lia. destruct case.
red; intro. now apply h25 with i.
subst i.
intro. apply h26.
unfold mixfix_lbrb.
apply Divisibility.divides_mod_computer; auto; lia.
Qed.
knuth_prime_numbers_PrimeNumbers_WP_parameter_prime_numbers_5.v000066400000000000000000000125411440160026300350060ustar00rootroot00000000000000why3-1.6.0/examples/knuth_prime_numbers(* This file is generated by Why3's Coq driver *)
(* Beware! Only edit allowed sections below    *)
Require Import BuiltIn.
Require BuiltIn.
Require HighOrd.
Require int.Int.
Require int.Abs.
Require int.EuclideanDivision.
Require int.ComputerDivision.
Require map.Map.
Require number.Parity.
Require number.Divisibility.
Require number.Prime.

(* Why3 assumption *)
Inductive ref (a:Type) :=
  | ref'mk : a -> ref a.
Axiom ref_WhyType : forall (a:Type) {a_WT:WhyType a}, WhyType (ref a).
Existing Instance ref_WhyType.
Arguments ref'mk {a}.

(* Why3 assumption *)
Definition contents {a:Type} {a_WT:WhyType a} (v:ref a) : a :=
  match v with
  | ref'mk x => x
  end.

(* Why3 assumption *)
Definition no_prime_in (l:Numbers.BinNums.Z) (u:Numbers.BinNums.Z) : Prop :=
  forall (x:Numbers.BinNums.Z), (l < x)%Z /\ (x < u)%Z ->
  ~ number.Prime.prime x.

(* Why3 assumption *)
Definition first_primes (p:Numbers.BinNums.Z -> Numbers.BinNums.Z)
    (u:Numbers.BinNums.Z) : Prop :=
  ((p 0%Z) = 2%Z) /\
  (forall (i:Numbers.BinNums.Z) (j:Numbers.BinNums.Z),
   (0%Z <= i)%Z /\ (i < j)%Z /\ (j < u)%Z -> ((p i) < (p j))%Z) /\
  (forall (i:Numbers.BinNums.Z), (0%Z <= i)%Z /\ (i < u)%Z ->
   number.Prime.prime (p i)) /\
  (forall (i:Numbers.BinNums.Z), (0%Z <= i)%Z /\ (i < (u - 1%Z)%Z)%Z ->
   no_prime_in (p i) (p (i + 1%Z)%Z)).

Axiom exists_prime :
  forall (p:Numbers.BinNums.Z -> Numbers.BinNums.Z) (u:Numbers.BinNums.Z),
  (1%Z <= u)%Z -> first_primes p u -> forall (d:Numbers.BinNums.Z),
  (2%Z <= d)%Z /\ (d <= (p (u - 1%Z)%Z))%Z -> number.Prime.prime d ->
  exists i:Numbers.BinNums.Z, ((0%Z <= i)%Z /\ (i < u)%Z) /\ (d = (p i)).

Axiom Bertrand_postulate :
  forall (p:Numbers.BinNums.Z), number.Prime.prime p ->
  ~ no_prime_in p (2%Z * p)%Z.

Axiom array : forall (a:Type), Type.
Parameter array_WhyType :
  forall (a:Type) {a_WT:WhyType a}, WhyType (array a).
Existing Instance array_WhyType.

Parameter elts:
  forall {a:Type} {a_WT:WhyType a}, array a -> Numbers.BinNums.Z -> a.

Parameter length:
  forall {a:Type} {a_WT:WhyType a}, array a -> Numbers.BinNums.Z.

Axiom array'invariant :
  forall {a:Type} {a_WT:WhyType a},
  forall (self:array a), (0%Z <= (length self))%Z.

(* Why3 assumption *)
Definition mixfix_lbrb {a:Type} {a_WT:WhyType a} (a1:array a)
    (i:Numbers.BinNums.Z) : a :=
  elts a1 i.

Parameter mixfix_lblsmnrb:
  forall {a:Type} {a_WT:WhyType a}, array a -> Numbers.BinNums.Z -> a ->
  array a.

Axiom mixfix_lblsmnrb'spec :
  forall {a:Type} {a_WT:WhyType a},
  forall (a1:array a) (i:Numbers.BinNums.Z) (v:a),
  ((length (mixfix_lblsmnrb a1 i v)) = (length a1)) /\
  ((elts (mixfix_lblsmnrb a1 i v)) = (map.Map.set (elts a1) i v)).

Parameter make:
  forall {a:Type} {a_WT:WhyType a}, Numbers.BinNums.Z -> a -> array a.

Axiom make'spec :
  forall {a:Type} {a_WT:WhyType a},
  forall (n:Numbers.BinNums.Z) (v:a), (0%Z <= n)%Z ->
  (forall (i:Numbers.BinNums.Z), (0%Z <= i)%Z /\ (i < n)%Z ->
   ((mixfix_lbrb (make n v) i) = v)) /\
  ((length (make n v)) = n).

Import Zquot.

(* Why3 goal *)
Theorem prime_numbers'vc :
  forall (m:Numbers.BinNums.Z), (2%Z <= m)%Z ->
  let p := make m 0%Z in
  (forall (i:Numbers.BinNums.Z), (0%Z <= i)%Z /\ (i < m)%Z ->
   ((mixfix_lbrb p i) = 0%Z)) /\
  ((length p) = m) -> forall (p1:array Numbers.BinNums.Z),
  ((length p1) = (length p)) ->
  ((elts p1) = (map.Map.set (elts p) 0%Z 2%Z)) /\
  (p1 = (mixfix_lblsmnrb p 0%Z 2%Z)) -> forall (p2:array Numbers.BinNums.Z),
  ((length p2) = (length p1)) ->
  ((elts p2) = (map.Map.set (elts p1) 1%Z 3%Z)) /\
  (p2 = (mixfix_lblsmnrb p1 1%Z 3%Z)) ->
  let o := (m - 1%Z)%Z in
  (2%Z <= (o + 1%Z)%Z)%Z ->
  forall (n:Numbers.BinNums.Z) (p3:array Numbers.BinNums.Z),
  ((length p3) = (length p2)) -> forall (j:Numbers.BinNums.Z),
  ((2%Z <= j)%Z /\ (j <= o)%Z) /\
  first_primes (elts p3) j /\
  (((mixfix_lbrb p3 (j - 1%Z)%Z) < n)%Z /\
   (n < (2%Z * (mixfix_lbrb p3 (j - 1%Z)%Z))%Z)%Z) /\
  number.Parity.odd n /\ no_prime_in (mixfix_lbrb p3 (j - 1%Z)%Z) n ->
  forall (n1:Numbers.BinNums.Z) (p4:array Numbers.BinNums.Z),
  ((length p4) = (length p3)) -> forall (k:Numbers.BinNums.Z),
  ((1%Z <= k)%Z /\ (k < j)%Z) /\
  first_primes (elts p4) j /\
  (((mixfix_lbrb p4 (j - 1%Z)%Z) < n1)%Z /\
   (n1 < (2%Z * (mixfix_lbrb p4 (j - 1%Z)%Z))%Z)%Z) /\
  number.Parity.odd n1 /\
  no_prime_in (mixfix_lbrb p4 (j - 1%Z)%Z) n1 /\
  (forall (i:Numbers.BinNums.Z), (0%Z <= i)%Z /\ (i < k)%Z ->
   ~ number.Divisibility.divides (mixfix_lbrb p4 i) n1) ->
  ~ ((ZArith.BinInt.Z.rem n1 (mixfix_lbrb p4 k)) = 0%Z) ->
  ((mixfix_lbrb p4 k) < (ZArith.BinInt.Z.quot n1 (mixfix_lbrb p4 k)))%Z ->
  ((k + 1%Z)%Z < j)%Z.
Proof.
intros m h1 p (h2,h3) p1 h4 h5 p2 h6 h7 o h8 n p3 h9 j
((h10,h11),(h12,((h13,h14),(h15,h16)))) n1 p4 h17 k
((h18,h19),(h20,((h21,h22),(h23,(h24,h25))))) h26 h27.
cut (k <> j - 1)%Z. omega.
intros ->.
assert (2 < elts p4 (j-1))%Z.
destruct h20 as (hh1, (hh2, _)).
rewrite <- hh1. apply hh2; omega.
generalize (Z_quot_rem_eq n1 (elts p4 (j-1))%Z). intro div.
assert (ne1: (0 <= n1 /\ elts p4 (j-1) <> 0)%Z) by omega.
assert (mod_: (0 <= Z.rem n1 (elts p4 (j-1)))%Z).
destruct (not_Zeq_inf _ _ (proj2 ne1)) as [Zm|Zm].
now apply Zrem_lt_pos_neg.
now apply Zrem_lt_pos_pos.
assert (elts p4 (j - 1) * elts p4 (j - 1) < elts p4 (j - 1) * (Z.quot n1 (elts p4 (j - 1))))%Z.
apply Zmult_lt_compat_l.
omega.
assumption.
assert (2 * elts p4 (j - 1) < elts p4 (j - 1) * elts p4 (j - 1))%Z.
apply Zmult_lt_compat_r; omega.
unfold mixfix_lbrb in h22.
omega.
Qed.
why3-1.6.0/examples/knuth_prime_numbers/knuth_prime_numbers_WP_PrimeNumbers_exists_prime_1.v000066400000000000000000000047541440160026300326740ustar00rootroot00000000000000(* This file is generated by Why3's Coq driver *)
(* Beware! Only edit allowed sections below    *)
Require Import BuiltIn.
Require BuiltIn.
Require HighOrd.
Require int.Int.
Require int.Abs.
Require int.EuclideanDivision.
Require int.ComputerDivision.
Require map.Map.
Require number.Parity.
Require number.Divisibility.
Require number.Prime.

(* Why3 assumption *)
Inductive ref (a:Type) :=
  | ref'mk : a -> ref a.
Axiom ref_WhyType : forall (a:Type) {a_WT:WhyType a}, WhyType (ref a).
Existing Instance ref_WhyType.
Arguments ref'mk {a}.

(* Why3 assumption *)
Definition contents {a:Type} {a_WT:WhyType a} (v:ref a) : a :=
  match v with
  | ref'mk x => x
  end.

(* Why3 assumption *)
Definition no_prime_in (l:Numbers.BinNums.Z) (u:Numbers.BinNums.Z) : Prop :=
  forall (x:Numbers.BinNums.Z), (l < x)%Z /\ (x < u)%Z ->
  ~ number.Prime.prime x.

(* Why3 assumption *)
Definition first_primes (p:Numbers.BinNums.Z -> Numbers.BinNums.Z)
    (u:Numbers.BinNums.Z) : Prop :=
  ((p 0%Z) = 2%Z) /\
  (forall (i:Numbers.BinNums.Z) (j:Numbers.BinNums.Z),
   (0%Z <= i)%Z /\ (i < j)%Z /\ (j < u)%Z -> ((p i) < (p j))%Z) /\
  (forall (i:Numbers.BinNums.Z), (0%Z <= i)%Z /\ (i < u)%Z ->
   number.Prime.prime (p i)) /\
  (forall (i:Numbers.BinNums.Z), (0%Z <= i)%Z /\ (i < (u - 1%Z)%Z)%Z ->
   no_prime_in (p i) (p (i + 1%Z)%Z)).

Require Import Lia.

(* Why3 goal *)
Theorem exists_prime :
  forall (p:Numbers.BinNums.Z -> Numbers.BinNums.Z) (u:Numbers.BinNums.Z),
  (1%Z <= u)%Z -> first_primes p u -> forall (d:Numbers.BinNums.Z),
  (2%Z <= d)%Z /\ (d <= (p (u - 1%Z)%Z))%Z -> number.Prime.prime d ->
  exists i:Numbers.BinNums.Z, ((0%Z <= i)%Z /\ (i < u)%Z) /\ (d = (p i)).
(* Why3 intros p u h1 h2 d (h3,h4) h5. *)
Proof.
intros p u hu. generalize hu.
pattern u; apply natlike_ind; intros. 3: lia.
apply False_ind; lia.
assert (case: (x=0 \/ 0 < x)%Z) by lia. destruct case.
subst x.
exists Z0; split.
lia.
red in H1.
simpl in H2.
assert (d = 2)%Z by lia.
subst; lia.
ring_simplify (Z.succ x - 1)%Z in H2.
assert (case: (d <= p (x-1) \/ p (x-1) < d)%Z) by lia. destruct case.
destruct H0 with (d := d) as (i, (hi1, hi2)); intuition.
destruct H1 as (p0, (sorted, (only_primes, all_primes))).
red; split.
auto.
split; intros.
apply sorted; lia.
split; intros.
apply only_primes; lia.
apply all_primes; lia.
exists i; intuition.
assert (case: (d = p x \/ d < p x)%Z) by lia. destruct case.
exists x; intuition.
apply False_ind.
destruct H1 as (_, (_, (_, h))).
revert H3.
apply (h (x-1)%Z); try lia.
ring_simplify (x-1+1)%Z; now split.
Qed.

why3-1.6.0/examples/knuth_prime_numbers/why3session.xml000066400000000000000000000242421440160026300233260ustar00rootroot00000000000000








 
 
 
 
 
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
   
   
   
   
   
   
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
   
   
   
   
   
   
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
   
   
    
    
    
    
    
    
    
    
    
    
    
    
   
   
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
 
 
 
 
 



why3-1.6.0/examples/knuth_prime_numbers/why3shapes.gz000066400000000000000000000077231440160026300227530ustar00rootroot00000000000000]Yo~ط$6}a"0A̫ċX@RF_HɲDr;SS}U=ݳns{6ۻ7jNi\G:~^w8
ӥ{w}:v"^u4TֱKoo)bwf@;z~޾/7
b]N;ed(u݄Ľukjԥ;;yo4םjT:lכڎyrtɶpAE8f
}=,'f]c_ѷcݣ{0lmP"+G$mANG町u}/gf]jKWK|ݺ{mkdF}|X%_51~l4@K^wzl_u?|m]cc|iu~t9!}P>E#K}_]j:9
1~>b6)
"Kp%jg6Ok)}#u@GK;:Fbzslɣ9UQl[v-bbAQ|1zwu1$$Y@now}ʽɀh|*9k*9[QQ*JȦww@֬,#ro22V89W_|H}hcLta`W/9G#WD(F|1ncʃ:zޱ0^a+/W8p~p~zz^{SwMs~֧F\yhyt:L9f[6-l<эt{tnbxHlX^/OeFӂOKÚ1[!5/KmMtŚiod4A~
t4}]وc+vwb/cl/cG:C[V'}='=İ_W[se5ң\=ҼztVL<=L-g;5cn{?ɵm
MS(l9yͦh
fxwo1CÊpմŹCv?v{~=P^q^w,jF2p[}ûq=vs,Aϛ?5-Zӏߗy<П
9Gp1\NՌLSb-4w{Iٱns7jh]eυ.-(xk&#P7 e%+TQrW oG
|>fYM:YJ
Wfe"lJ'霞6ٚqOO0X=)v}zzϦZS5zz\n09s;3|P3OK2"^dszJO\oɹFOܧfFDNl$ql]qvll9FFl6FFygba3pml%s?6
wFRH>yN~t3ظXS461LbKW<]yxzyoc͆М̎fC2Afxy)\ނ\pA,%Cp#	Y..E. cڦfkp(t	zT!hfmPAn	phDF\*hʨ**ilH荺E0Mb@T&	s$it#A6M}6r׽D%SHIˍ0UP1z9YОR^s,,y\¡Sj|RE2w je#ڎ.I!7NYSs ,kb%eEp=H	IX3N^DI]8*/(0]x̿/n4t%ƉT$b6
IbJ:"Z'5LTF\bKm'3BRvMFʬL(z}hpVp%5FRDDa{b]	f6TtpNӄ,YMsq\uſwpWU)%)MUORP`ֲ^,CЏqa\kOARk5åGGVH2F(e/Wx!
/蝌ҩàQE @	iҁSB"`X0-$KuBjD7($QX\n	|u}.Y4G4(DZ"Z|J
dB4)Kaz2XDY{@&\!:r wh0k5d2nD}"K8¹LiX.P!wnDA!fц0n٘F_`T%lP)Hin<r"Z-%XVYl@EmPe0޽ǵ*rH$\,sUuV4[/9A
Gm!4i.m
N}!"V{"{J)h>?$׊+I%I +|$"KZCEB 	$y3.YL6J00,ۢWr0*D^
!	 0""&x
$c49|Yz "灄@4GL"Ǟbl>wI9Y"LA,Z] ]
&9BG|]X7蜡ހ291dZD[tC#bH	U
d`I#~QQBUd%7why3-1.6.0/examples/koda_ruskey.mlw000066400000000000000000000460501440160026300172700ustar00rootroot00000000000000
(** Koda-Ruskey's algorithm

    Authors: Mário Pereira (Université Paris Sud)
             Jean-Christophe Filliâtre (CNRS)
*)

module KodaRuskey_Spec

  use map.Map
  use list.List
  use list.Append
  use int.Int

  type color = White | Black

  let eq_color (c1 c2:color) : bool
    ensures { result <-> c1 = c2 }
  = match c1,c2 with
    | White,White | Black,Black -> True
    | _ -> False
    end

  type forest =
    | E
    | N int forest forest

  type coloring = map int color

  function size_forest (f: forest) : int = match f with
    | E -> 0
    | N _ f1 f2 -> 1 + size_forest f1 + size_forest f2
    end

  lemma size_forest_nonneg : forall f.
    size_forest f >= 0

  predicate mem_forest (n: int) (f: forest) = match f with
    | E -> false
    | N i f1 f2 -> i = n || mem_forest n f1 || mem_forest n f2
    end

  predicate between_range_forest (i j: int) (f: forest) =
    forall n. mem_forest n f -> i <= n < j

  predicate disjoint (f1 f2: forest) =
    forall x. mem_forest x f1 -> mem_forest x f2 -> false

  predicate no_repeated_forest (f: forest) = match f with
    | E -> true
    | N i f1 f2 ->
      no_repeated_forest f1 && no_repeated_forest f2 &&
      not (mem_forest i f1) && not (mem_forest i f2) &&
      disjoint f1 f2
    end

  predicate valid_nums_forest (f: forest) (n: int) =
    between_range_forest 0 n f &&
    no_repeated_forest f

  predicate white_forest (f: forest) (c: coloring) = match f with
    | E -> true
    | N i f1 f2 ->
      c[i] = White && white_forest f1 c && white_forest f2 c
  end

  predicate valid_coloring (f: forest) (c: coloring) =
    match f with
    | E -> true
    | N i f1 f2 ->
      valid_coloring f2 c &&
      match c[i] with
      | White -> white_forest f1 c
      | Black -> valid_coloring f1 c
      end
    end

  function count_forest (f: forest) : int = match f with
    | E         -> 1
    | N _ f1 f2 -> (1 + count_forest f1) * count_forest f2
    end

  lemma count_forest_nonneg:
    forall f. count_forest f >= 1

  predicate eq_coloring (n: int) (c1 c2: coloring) =
    forall i. 0 <= i < n -> c1[i] = c2[i]

end

module Lemmas

  use map.Map
  use list.List
  use list.Append
  use int.Int
  use KodaRuskey_Spec

  type stack = list forest

  predicate mem_stack (n: int) (st: stack) = match st with
    | Nil       -> false
    | Cons f tl -> mem_forest n f || mem_stack n tl
    end

  lemma mem_app: forall n st1 [@induction] st2.
    mem_stack n (st1 ++ st2) -> mem_stack n st1 || mem_stack n st2

  function size_stack (st: stack) : int = match st with
    | Nil -> 0
    | Cons f st -> size_forest f + size_stack st
    end

  lemma size_stack_nonneg : forall st.
    size_stack st >= 0

  lemma white_forest_equiv:
    forall f c.
    white_forest f c <-> (forall i. mem_forest i f -> c[i] = White)

  predicate even_forest (f: forest) = match f with
    | E -> false
    | N _ f1 f2 -> not (even_forest f1) || even_forest f2
    end

  predicate final_forest (f: forest) (c: coloring) = match f with
    | E -> true
    | N i f1 f2 ->
      c[i] = Black && final_forest f1 c &&
      if not (even_forest f1) then white_forest f2 c
      else final_forest f2 c
    end

  predicate any_forest (f: forest) (c: coloring) =
    white_forest f c || final_forest f c

  lemma any_forest_frame:
    forall f c1 c2.
    (forall i. mem_forest i f -> c1[i] = c2[i]) ->
    (final_forest f c1 -> final_forest f c2) &&
    (white_forest f c1 -> white_forest f c2)

  predicate unchanged (st: stack) (c1 c2: coloring) =
    forall i. mem_stack i st -> c1[i] = c2[i]

  predicate inverse (st: stack) (c1 c2: coloring) =
    match st with
    | Nil -> true
    | Cons f st' ->
      (white_forest f c1 && final_forest f c2 ||
       final_forest f c1 && white_forest f c2) &&
      if even_forest f then
        unchanged st' c1 c2
      else
        inverse st' c1 c2
    end

  predicate any_stack (st: stack) (c: coloring) = match st with
    | Nil -> true
    | Cons f st -> (white_forest f c || final_forest f c) && any_stack st c
    end

  lemma any_stack_frame:
    forall st c1 c2.
    unchanged st c1 c2 ->
    any_stack st c1 -> any_stack st c2

  lemma inverse_frame:
    forall st c1 c2 c3.
    inverse   st c1 c2 ->
    unchanged st c2 c3 ->
    inverse   st c1 c3

  lemma inverse_frame2:
    forall st c1 c2 c3.
    unchanged st c1 c2 ->
    inverse   st c2 c3 ->
    inverse   st c1 c3

  let lemma inverse_any (st: stack) (c1 c2: coloring)
    requires { any_stack st c1 }
    requires { inverse st c1 c2 }
    ensures  { any_stack st c2 }
  = ()

  lemma inverse_final:
    forall f st c1 c2.
    final_forest f c1 ->
    inverse (Cons f st) c1 c2 ->
    white_forest f c2

  lemma inverse_white:
    forall f st c1 c2.
    white_forest f c1 ->
    inverse (Cons f st) c1 c2 ->
    final_forest f c2

  let lemma white_final_exclusive (f: forest) (c: coloring)
    requires { f <> E }
    ensures  { white_forest f c -> final_forest f c -> false }
  = match f with E -> () | N _ _ _ -> () end

  lemma final_unique:
    forall f c1 c2.
    final_forest f c1 ->
    final_forest f c2 ->
    forall i. mem_forest i f -> c1[i] = c2[i]

  let rec lemma inverse_inverse
    (st: stack) (c1 c2 c3: coloring)
    requires { inverse st c1 c2 }
    requires { inverse st c2 c3 }
    ensures  { unchanged st c1 c3 }
    variant  { st }
  = match st with
    | Nil -> ()
    | Cons E st' -> inverse_inverse st' c1 c2 c3
    | Cons f st' -> if even_forest f then () else inverse_inverse st' c1 c2 c3
    end

  inductive sub stack forest coloring =
  | Sub_reflex:
      forall f, c. sub (Cons f Nil) f c
  | Sub_brother:
      forall st i f1 f2 c.
      sub st f2 c -> sub st (N i f1 f2) c
  | Sub_append:
      forall st i f1 f2 c.
      sub st f1 c -> c[i] = Black ->
      sub (st ++ Cons f2 Nil) (N i f1 f2) c

  lemma sub_not_nil:
    forall st f c. sub st f c -> st <> Nil

  lemma sub_empty:
    forall st f0 c. st <> Nil -> sub (Cons E st) f0 c ->
    sub st f0 c

  lemma sub_mem:
    forall n st f c.
    mem_stack n st -> sub st f c -> mem_forest n f

  lemma sub_weaken1:
    forall st i f1 f2 f0 c.
    sub (Cons (N i f1 f2) st) f0 c ->
    sub (Cons         f2  st) f0 c

  lemma sub_weaken2:
    forall st i f1 f2 f0 c.
    sub (Cons (N i f1 f2) st) f0 c ->
    c[i] = Black ->
    sub (Cons f1 (Cons f2 st)) f0 c

  lemma not_mem_st: forall i f st c.
    not (mem_forest i f) -> sub st f c -> not (mem_stack i st)

  lemma sub_frame:
    forall st f0 c c'.
    no_repeated_forest f0 ->
    (forall i. not (mem_stack i st) -> mem_forest i f0 -> c'[i] = c[i]) ->
    sub st f0 c ->
    sub st f0 c'

  predicate disjoint_stack (f: forest) (st: stack) =
    forall i. mem_forest i f -> mem_stack i st -> false

  lemma sub_no_rep: forall f st' f0 c.
    sub (Cons f st') f0 c ->
    no_repeated_forest f0 ->
    no_repeated_forest f

  lemma sub_no_rep2: forall f st' f0 c.
    sub (Cons f st') f0 c ->
    no_repeated_forest f0 ->
    disjoint_stack f st'

  lemma white_valid: forall f c.
    white_forest f c -> valid_coloring f c

  lemma final_valid: forall f c.
    final_forest f c -> valid_coloring f c

  lemma valid_coloring_frame:
    forall f c1 c2.
    valid_coloring f c1 ->
    (forall i. mem_forest i f -> c2[i] = c1[i]) ->
    valid_coloring f c2

  lemma valid_coloring_set:
    forall f i c.
    valid_coloring f c ->
    not (mem_forest i f) ->
    valid_coloring f c[i <- Black]

  lemma head_and_tail:
    forall f1 f2: 'a, st1 st2: list 'a.
    Cons f1 st1 = st2 ++ Cons f2 Nil ->
    st2 <> Nil ->
    exists st. st1 = st ++ Cons f2 Nil /\ st2 = Cons f1 st

  lemma sub_valid_coloring_f1:
    forall i f1 f2 c i1.
    no_repeated_forest (N i f1 f2) ->
    valid_coloring (N i f1 f2) c ->
    c[i] = Black ->
    mem_forest i1 f1 ->
    valid_coloring f1 c[i1 <- Black] ->
    valid_coloring (N i f1 f2) c[i1 <- Black]

  lemma sub_valid_coloring:
    forall f0 i f1 f2 st c1.
    no_repeated_forest f0 ->
    valid_coloring f0 c1 ->
    sub (Cons (N i f1 f2) st) f0 c1 ->
    valid_coloring f0 c1[i <- Black]

  lemma sub_Cons_N:
    forall f st i f1 f2 c.
    sub (Cons f st) (N i f1 f2) c ->
    f = N i f1 f2 || (exists st'. sub (Cons f st') f1 c) || sub (Cons f st) f2 c

  lemma white_white:
    forall f c i.
    white_forest f c ->
    white_forest f c[i <- White]

  let rec lemma sub_valid_coloring_white
    (f0: forest) (i: int) (f1 f2: forest) (c1: coloring)
    requires { no_repeated_forest f0 }
    requires { valid_coloring f0 c1 }
    requires { white_forest f1 c1 }
    ensures  { forall st. sub (Cons (N i f1 f2) st) f0 c1 ->
               valid_coloring f0 c1[i <- White] }
    variant  { f0 }
  = match f0 with
    | E -> ()
    | N _ f10 f20 ->
       sub_valid_coloring_white f10 i f1 f2 c1;
       sub_valid_coloring_white f20 i f1 f2 c1
    end

  function count_stack (st: stack) : int = match st with
    | Nil        -> 1
    | Cons f st' -> count_forest f * count_stack st'
    end

  lemma count_stack_nonneg:
    forall st. count_stack st >= 1

  use seq.Seq as S

  type visited = S.seq coloring

  predicate stored_solutions
    (f0: forest) (bits: coloring) (st: stack) (v1 v2: visited) =
    let n = size_forest f0 in
    let start = S.length v1 in
    let stop  = S.length v2 in
    stop - start = count_stack st &&
    (forall j. 0 <= j < start ->
      eq_coloring n (S.get v2 j) (S.get v1 j)) &&
    forall j. start <= j < stop ->
      valid_coloring f0 (S.get v2 j) &&
      (forall i. 0 <= i < n -> not (mem_stack i st) ->
        (S.get v2 j)[i] = bits[i]) &&
      forall k. start <= k < stop -> j <> k ->
        not (eq_coloring n (S.get v2 j) (S.get v2 k))

  let lemma stored_trans1
      (f0: forest) (bits1 bits2: coloring) (i: int) (f1 f2: forest) (st: stack)
      (v1 v2 v3: visited)
    requires { valid_nums_forest f0 (size_forest f0) }
    requires { 0 <= i < size_forest f0 }
    requires { forall j. 0 <= j < size_forest f0 ->
               not (mem_stack j (Cons (N i f1 f2) st)) -> bits2[j] = bits1[j] }
    requires { forall j. S.length v1 <= j < S.length v2 ->
               (S.get v2 j)[i] = White }
    requires { forall j. S.length v2 <= j < S.length v3 ->
               (S.get v3 j)[i] = Black }
    requires { stored_solutions f0 bits1 (Cons f2 st) v1 v2 }
    requires { stored_solutions f0 bits2 (Cons f1 (Cons f2 st)) v2 v3 }
    ensures  { stored_solutions f0 bits2 (Cons (N i f1 f2) st) v1 v3 }
  = ()


  let lemma stored_trans2
      (f0: forest) (bits1 bits2: coloring) (i: int) (f1 f2: forest) (st: stack)
      (v1 v2 v3: visited)
    requires { valid_nums_forest f0 (size_forest f0) }
    requires { 0 <= i < size_forest f0 }
    requires { forall j. 0 <= j < size_forest f0 ->
       not (mem_stack j (Cons (N i f1 f2) st)) -> bits2[j] = bits1[j] }
    requires { forall j. S.length v1 <= j < S.length v2 ->
               (S.get v2 j)[i] = Black }
    requires { forall j. S.length v2 <= j < S.length v3 ->
               (S.get v3 j)[i] = White }
    requires { stored_solutions f0 bits1 (Cons f1 (Cons f2 st)) v1 v2 }
    requires { stored_solutions f0 bits2 (Cons f2 st) v2 v3 }
    ensures  { stored_solutions f0 bits2 (Cons (N i f1 f2) st) v1 v3 }
  = ()

end

module KodaRuskey

  use seq.Seq as S
  use list.List
  use KodaRuskey_Spec
  use Lemmas
  use map.Map as M
  use array.Array
  use int.Int
  use ref.Ref

  val ghost map_of_array (a: array 'a) : M.map int 'a
    ensures { result = a.elts }

  val ghost visited: ref visited

  let rec enum (bits: array color) (ghost f0: forest) (st: list forest) : unit
    requires { size_forest f0 = length bits }
    requires { valid_nums_forest f0 (length bits) }
    requires { sub st f0 bits.elts }
    requires { st <> Nil }
    requires { any_stack st bits.elts }
    requires { valid_coloring f0 bits.elts }
    variant  { size_stack st, st }
    ensures  { forall i.
                 not (mem_stack i st) -> bits[i] = (old bits)[i] }
    ensures  { inverse st (old bits).elts bits.elts }
    ensures  { valid_coloring f0 bits.elts }
    ensures  { stored_solutions f0 bits.elts st (old !visited) !visited }
  = match st with
    | Nil ->
        absurd
    | Cons E st' ->
       match st' with
       | Nil ->
           (* that's where we visit the next coloring *)
           assert { valid_coloring f0 bits.elts };
           ghost visited := S.snoc !visited (map_of_array bits);
           ()
       | _ ->
           enum bits f0 st'
       end
    | Cons (N i f1 f2 as f) st' ->
        assert { disjoint_stack f1 st' };
        assert { not (mem_stack i st') };
        let ghost visited1 = !visited in
        if eq_color bits[i] White then begin
          label A in
          enum bits f0 (Cons f2 st');
          assert { sub st f0 bits.elts };
          let ghost bits1 = map_of_array bits in
          let ghost visited2 = !visited in
          label B in
          bits[i] <- Black;
          assert { sub st f0 bits.elts };
          assert { white_forest f1 bits.elts };
          assert { unchanged (Cons f2 st') (bits at B).elts bits.elts};
          assert { inverse (Cons f2 st') (bits at A).elts bits.elts };
          label C in
          enum bits f0 (Cons f1 (Cons f2 st'));
          assert { bits[i] = Black };
          assert { final_forest f1 bits.elts };
          assert { if not (even_forest f1)
                   then inverse (Cons f2 st') (bits at C).elts bits.elts &&
                        white_forest f2 bits.elts
                   else unchanged (Cons f2 st') (bits at C).elts bits.elts &&
                        final_forest f2 bits.elts };
          ghost stored_trans1 f0 bits1 (map_of_array bits)
    i f1 f2 st' visited1 visited2 !visited
        end else begin
          assert { if not (even_forest f1) then white_forest f2 bits.elts
                   else final_forest f2 bits.elts };
          label A in
          enum bits f0 (Cons f1 (Cons f2 st'));
          assert { sub st f0 bits.elts };
          let ghost bits1 = map_of_array bits in
          let ghost visited2 = !visited in
          label B in
          bits[i] <- White;
          assert { unchanged (Cons f1 (Cons f2 st'))
                     (bits at B).elts bits.elts };
          assert { inverse (Cons f1 (Cons f2 st'))
                     (bits at A).elts bits.elts };
          assert { sub st f0 bits.elts };
          assert { if even_forest f1 || even_forest f2
                   then unchanged st' (bits at A).elts bits.elts
                   else inverse st' (bits at A).elts bits.elts };
          enum bits f0 (Cons f2 st');
          assert { bits[i] = White };
          assert { white_forest f  bits.elts };
          ghost stored_trans2 f0 bits1 (map_of_array bits)
    i f1 f2 st' visited1 visited2 !visited
       end
    end

  let main (bits: array color) (f0: forest)
    requires { white_forest f0 bits.elts }
    requires { size_forest f0 = length bits }
    requires { valid_nums_forest f0 (length bits) }
    ensures  { S.length !visited = count_forest f0 }
    ensures  { let n = S.length !visited  in
               forall j. 0 <= j < n ->
                 valid_coloring f0 (S.get !visited j) &&
                 forall k. 0 <= k < n -> j <> k ->
                   not (eq_coloring (length bits)
                         (S.get !visited j) (S.get !visited k)) }
  = visited := S.empty;
    enum bits f0 (Cons f0 Nil)

end

(** Independently, let's prove that count_forest is indeed the number
    of colorings. *)

(* wip
module CountCorrect

  use seq.Seq as S
  use map.Map as M
  use map.Const
  use list.List
  use int.Int
  use KodaRuskey_Spec
  use Lemmas
  use ref.Ref

  predicate id_forest (f: forest) (c1 c2: coloring) =
    forall j. mem_forest j f -> M.get c1 j = M.get c2 j

  (* valid coloring, all white outside of f *)
  predicate solution (f: forest) (c: coloring) =
    valid_coloring f c &&
    forall j. not (mem_forest j f) -> M.get c j = White

  lemma solution_eq:
    forall n f c1 c2.
    valid_nums_forest f n ->
    solution f c1 -> eq_coloring n c1 c2 -> solution f c2

  predicate is_product (i: int) (f1 f2: forest) (c1 c2 r: coloring) =
    solution (N i f1 f2) r &&
    M.get r i = Black &&
    id_forest f1 r c1 &&
    id_forest f2 r c2

  let product (n: int) (i: int) (f1 f2: forest) (c1 c2: coloring) : coloring
    requires { valid_nums_forest (N i f1 f2) n }
    requires { solution f1 c1 }
    requires { solution f2 c2 }
    ensures  { is_product i f1 f2 c1 c2 result }
  = let rec copy (acc: coloring) (f: forest)
      variant { f }
      ensures { forall i. M.get result i =
      	          if mem_forest i f then M.get c2 i else M.get acc i }
    = match f with
      | E -> acc
      | N i2 left2 right2 ->
      	  M.set (copy (copy acc left2) right2) i2 (M.get c2 i2)
      end
    in
    let c = copy c1 f2 in
    M.set c i Black

  lemma solution_product:
    forall n i f1 f2 c1 c2 c.
    valid_nums_forest (N i f1 f2) n ->
    solution f1 c1 -> solution f2 c2 ->
    is_product i f1 f2 c1 c2 c -> solution (N i f1 f2) c

  predicate solutions (n: int) (f: forest) (s: seq coloring) =
     (forall j. 0 <= j < length s -> solution f s[j]) &&
     (* colorings are disjoint *)
     (forall j. 0 <= j < length s ->
      	forall k. 0 <= k < length s -> j <> k ->
	not (eq_coloring n s[j] s[k]))

  let product_all (n: int) (i: int) (f1 f2: forest) (s1 s2: seq coloring)
    : seq coloring
    requires { valid_nums_forest (N i f1 f2) n }
    requires { solutions n f1 s1 }
    requires { solutions n f2 s2 }
    ensures  { solutions n (N i f1 f2) result }
    ensures  { forall j. 0 <= j < length s1 ->
               forall k. 0 <= k < length s2 ->
               is_product i f1 f2 s1[j] s2[k] result[j * length s2 + k] }
    ensures  { length result = length s1 * length s2 }
  = let s = ref empty in
    for j = 0 to length s1 - 1 do
      invariant { length !s = j * length s2 }
      invariant { solutions n (N i f1 f2) !s }
      invariant { forall j' k'. 0 <= j' < j -> 0 <= k' < length s2 ->
                  let c = !s[j' * length s2 + k'] in
                  is_product i f1 f2 s1[j'] s2[k'] c }
      for k = 0 to length s2 - 1 do
        invariant { length !s = j * length s2 + k }
        invariant { solutions n (N i f1 f2) !s }
        invariant { forall j' k'. 0 <= j' < j && 0 <= k' < length s2
                               || j' = j && 0 <= k' < k ->
                    let c = !s[j' * length s2 + k'] in
                    is_product i f1 f2 s1[j'] s2[k'] c }
        let p = product n i f1 f2 s1[j] s2[k] in
        assert { forall l. 0 <= l < length !s ->
                  not (eq_coloring n p !s[l]) };
        s := snoc !s p
      done
    done;
    !s

  lemma solution_white_or_black:
    forall n i f1 f2 c.
    valid_nums_forest (N i f1 f2) n ->
    solution (N i f1 f2) c ->
    match M.get c i with
    | White -> solution f2 c
    | Black -> exists c1 c2. is_product i f1 f2 c1 c2 c &&
                             solution f1 c1 && solution f2 c2
    end

  let rec enum (n: int) (f: forest) : seq coloring
    requires { valid_nums_forest f n }
    ensures  { length result = count_forest f }
    ensures  { solutions n f result }
    ensures  { forall c. solution f c <->
                 exists j. 0 <= j < length result && eq_coloring n c result[j] }
    variant  { f }
  = match f with
    | E ->
        cons (const White) empty
    | N i f1 f2 ->
        let s1 = enum n f1 in
        let s2 = enum n f2 in
        s2 ++ product_all n i f1 f2 s1 s2
   end

end
*)
why3-1.6.0/examples/koda_ruskey/000077500000000000000000000000001440160026300165425ustar00rootroot00000000000000why3-1.6.0/examples/koda_ruskey/why3session.xml000066400000000000000000001154211440160026300215660ustar00rootroot00000000000000









 
 
 
 
 
 
  
  
  
  
 
 
 
 
  
  
  
  
 
 


 
 
  
  
  
  
 
 
 
 
  
  
  
  
 
 
 
 
  
  
  
  
 
 
 
 
  
  
  
  
 
 
 
 
  
  
   
   
   
   
   
   
    
    
     
     
     
     
     
     
     
    
    
   
   
  
  
 
 
 
 
  
  
  
 
 
 
 
  
  
  
 
 
 
 
  
  
  
  
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
  
  
  
  
 
 
 
 
 
 
 
 
  
  
  
  
  
  
  
  
  
  
  
  
 
 
 
 
  
  
  
  
  
  
  
  
  
  
  
 
 
 
 
  
  
  
  
  
  
  
  
  
  
  
  
 
 
 
 
  
  
  
  
  
  
  
  
  
  
  
 
 
 
 
  
  
  
  
  
  
  
  
  
  
 
 
 
 
  
  
  
  
  
  
  
  
  
  
  
  
 
 
 
 
  
  
  
  
  
  
  
  
  
  
  
 
 
 
 
  
  
  
  
  
  
  
  
  
  
  
 
 
 
 
  
  
  
  
  
  
  
  
  
  
  
 
 
 
 
  
  
  
  
 
 
 
 
  
  
  
  
 
 
 
 
  
  
  
  
 
 
 
 
  
  
  
  
 
 
 
 
  
  
  
  
 
 
 
 
 
 
 
 
  
  
  
  
  
  
   
   
    
    
     
     
     
     
     
     
     
     
     
     
    
    
   
   
  
  
  
  
  
 
 
 
 
  
  
  
  
  
  
  
  
  
  
  
  
 
 
 
 
 
 
 
 
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
   
   
    
    
    
    
    
    
    
    
    
   
   
  
  
 
 
 
 
  
  
  
  
 
 
 
 
 
 
 
 


 
 
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
 
 
 
 
 



why3-1.6.0/examples/koda_ruskey/why3shapes.gz000066400000000000000000000263751440160026300212170ustar00rootroot00000000000000}YoGz_r_j" /3FݜkSnnY{*(J.2ɬXʪ?oٿʛ׷y)|fgO\{?/ϫ]̺%\3:xV_yVsz7>3%~h^6ί]ʯ6n'ލnh[
ņ=O?qg,«_dݽբl]Eu6W׷w-̐ݕf
H~zj GWKzb}8<W9?}4f+|[8Ҩ8sKݺuV/}^W(}'},_[Pon/Ukc
,Hl)7;+1cqu1QԨ'H-,449mՈ=E?0Uӓ.g7zЎAGC,_W-X$OCT!(Op)wQ׵Dߟb5\ɡU3H6")OP[uе-ƓCB.um=@DԌ׫1J@F\Λ-̺ՂJ7\6E79ф$2zsK} I_\35e?poœ%u2&Z/IBIag>Dt@24Nfn+ܥ+FLXYΒ+q\W#S~HXpSjm}ʥIv̞[3SH{Fҩ<~,if k0~Y\NR{,}[\tJW݇r;MWuژXC81],j4
? أ)vZ< <	[c 
~HDߚO>GIrKIrV-gN(Iz,U&'UXRʭf?t3գ@\4V;4X9[{OrYO٩^pMNs{$S[SSj6%\5.407w)g6v߬y6-f'#'k6/>BП#ys~GQ7{d0|ٮNL.z4u/7;2qsNkN-ZAKkR&$
R$~эK1ֶ5Cdb۳gkRj ugچJ1CӔMy4ֽ҃9.c쑡y^qn{2M#=7Y'!AtWG3H^t0wޜ~i
j40iͻMN9EeM0/9E/K;|iA y}N

}_Fopvh͜0㋉Mișp[>g7~!p“\X$MGRb2}G2`8cDnw$	Ql.653h㎓~!NYEHo\ē!mμz&NӽC`d";~#B?+MOߜ8Xп/:&́Wl7CWy`a#yIMzd&!	wD7޽ֹI2kIleq:
ׂ+`-$\ȮUL6#Qh=|-~Nմs.z(ĚU/=ĞĥiPO+zI.f洼[yQ:,JGȬX;zJh^-h
on\қF'?׷Fֶ6BO3$k0QAPJ~Drmeem)q~<ٚ@ق`/]t-f:9DI$AƴńY?~J0=1Ϻ{}zGzKΖݬѷ˩;bOdSw~-%3bdWd
g1CoxXf
rERARn{!#m%}OSB'>l5d6|	]zwL}21t{Ϯ<WiNgNQC゚լ?5	{vaٟtֻt[ta[Unp*J$"&"w;LMn~۶H^m?mevC3l
:UtvmgۊF>[u?N!JE=ʏz1ffhYRf:,ڇY4_4SU7_\HwM
z`Ìү;lgw?g񒞿^2_bD^
33K8A[7pwW޴b~)Xv+){N
m3|b\5+gO-ߊ7õu"uĕ$S9ߝa/ivcNpOpܥ(Uyf)|{A)z)9EAWQfD_τۛ.tkMFmEFt
3:֥LT8S	LTTKT"tsmߑ`ztXjg|1Kb*ho_Fyj(^vfFmnsXZt*	4:]WO~sy[Tg}>D|m.>}޼	~_~}jk*@ٽ2LXi֎^t|v٥:ɷLc[|xx_ׇuc{$ʶa/O_9C*6>g/^lzO,=:(7H+dÞ\ҥ;q!?rfGvryLNnZ6H4߽0J+e}{~9m'G\<qɟ;S8
QA	&:Ǹ?yდc~zqC`!/jC^woK3X%11E_F?"@r׼|p@~KAp7ē59GXâvG`@M<8.Grq|#@zsh7
Y4!雵;+6zӵn$%Zks}*y_aK,yz9GEQrAG(~P\|Kep0}C#F1z
R>ήN~wELw]~?tŁZ<ZlZKh(_ȱC?s Gېc]zc_9'?<ݰt8|CmB_zi?1Q-P(<J	7	@Niγ#A}a;X6rmr<r9.o|>Nv:'ď`Lz4Ap]p8޸
n8;k8O,cefQM,8[MPg@мdK/8kNj4]ع~袠GzǶt`S\p@
,4=B@
4a+)-XxqŁ_;^=. cD\'uK>x1}EE	zٜXYnesMq	_02.a'=ˤ~'=}]f(`Ö_-_<[IEE=wI5ՓcLtXzRmԓz'2_!RWz'̍ٯ^W؆%mffb\S͵|smj}AM.&Oiʗ.;yއ{uwQ?[ѤkBGA
CVl{R?d!+=3O1tw6|=*yWnm+U.R展dmW7Dh<1=w#><љ#B=")FcQz#n=IGDF4&=
I:põn$%C@o7g?>ɮ^&o?0cj,/St`RGvt8/|9D:'Ívqc5,n|n|l8/^Kcp*j*j~xb:<@ށ'*|X“Z83z_a/;е_|O7lVt';[`9>:a1Ez@8vqfǗ"ߓgcy8e/-&x} Ɓb|KU-9_:p'n}mˋ`dOc'[;{_ӚBhva<΁
6
bǴ(Z2:@-zþ=߁~"={T
ρqB(ghWߑyG84]{n_'ip^"̥nODwB/mB8}vov_,Oy@>~Nv:ntR?B/s
;^)G8x5S{@W`p0$fi#GÇQiwb'Srt'?ǩa=d1";x)B%|dШŌWчw)mh>K|1jwl38BCB+Ձդ	SW/g]bJ?>8͞OoLT1gĝo\Rd~ߓhW[1je|Wt2fmqfs||_0]ɲ*+;ᒶGu!Zv:J:sf8%YE2pRBZ2-O 2Ť..Uq$ȭIiL,EEM1&Edd!{\h2*J.FK=EkVţW\ZųيbMrfY9Tf`eRSe8$$à^PuBUUM`X؉#7,CpcyV0rl9yG%Ce#z)#TwF(iߗitD`p$r'D0JL2Zq^`*:!H(|M&hLW}Cd$xZ,tSjXgJH0G@(+Vb($9ӊ>W|#>oxWQk
ڱH5^QP,
.#=`3pDC|݇8\ ^Bf:T(T
aPS/`!	(MjZ6(U6jXYR6*\.ka=R
+UE}@H6N,,QeiPs?Jp6s&^#6Cr'Աdg݋

[i$	nA]P% No2YpT{Bm,"0bdeN}	E[	+H	4m}'/PcU4a/^4LtSMeT5'_A[dpB9g9+x*RQg(ت:	'Pj7(IR$xXZ\VG1'O:dL#:bU!#_|sys2t2eP99m=6O;dxNg.#(U<v^=EMH4`,ط:(6AFxWˆARXG|WkT*Faju4`bۇwcd$ʫQa\T£p"^xc|b^x«!ZT*$`
%7q̣㱴e`!-*"3im
xJI< f4-oDYG쌧O=h9uBQk
M49FNHd{-KSU%lV)bUlYXD:=$yF6鮏
H\tgnc}@fdy6R1:>tN)GgIMǔ
RTYժD5jn>d0L2"Buiɱ^_Hi|ya#g!EcnǕ,srx%[H(ZZ{Ǘ,a:pQ`5}_ML@m3gE0S3sP1IQm$yAՎ/Iy;B#ABD$m$SIQ7J%P#j2`Za=%S/YWՔ)XIߴ:ЭYCj5d	K!Zq1#z$rR\C'Z2%
H'sNK2VF<᫐
9cWK~vI@Ik8(tvu5!CYNJr΂EZx%=f*	kUGhE/6["C'A=.("t^[ȡ3(.8e}ҙ+I MB{	SpyeNI @^ 1#iHcL+:zp*01L&#
mf'h{VaqJoKp/Կ䔌pCxFla<·'.AuA	_`=<)fXttLѝPˆ#WREh#jw|EBX>ָگZDTܤLWE	_![qd{Bs24OQF,,DR'TУaU,b?B]TO;	RtFJw	c>
91EFɁiwaM{_ViL)cvz4dI!shDr9
/DFP(]KȾ(bs2%1
gWX:8.*mS,"0::%9+Gw2?}Vk!eH*}H4'4'ʾw9L&j!uЂb>g8-JǴŊ	(kB)e9{?eC%Pqi$ȱ;[vtjG;N"G7OСC{rj1l,ѹ Di{BA|aB"PF})II׀m:ȢL
N	Ih&nK6ܞS}D 8)$?ZIs*@rٴgJ		9AiÜ[CRcR23@m,)8BʦzBδsAёXSXP*KRbr@iwϙQp8XEe"Áj[I8Ť$9pxO*fwhy3-1.6.0/examples/largest_prime_factor.mlw000066400000000000000000000051321440160026300211370ustar00rootroot00000000000000(*
Euler project Problem 3: Largest prime factor

The prime factors of 13195 are 5, 7, 13 and 29.

What is the largest prime factor of the number 600851475143 ?

*)

module PrimeFactor

  use mach.int.Int
  use number.Divisibility
  use number.Prime
  use number.Coprime

  (** returns the smallest divisor of `n` greater than or equal to `d`,
      assuming no divisor between 2 and `d`. *)
  let rec smallest_divisor (d n:int) : int
    requires { 2 <= n }
    requires { 2 <= d <= n }
    requires { forall i:int. 2 <= i < d -> not divides i n }
    ensures { d <= result <= n }
    ensures { divides result n }
    ensures { forall i:int. 2 <= i < result -> not divides i n }
    variant { n - d }
  = if d * d > n then begin
      assert { forall i:int. 2 <= i < n /\ divides i n ->
        i >= d && let u = div n i in u * i = n && divides u n &&
        u * i = n && (u >= d -> n >= d * i >= d * d && false)
        && u >= 2 && u < n && false } ; n
    end else if d >= 2 && n % d = 0 then d else
  smallest_divisor (d+1) n

  use ref.Ref
  use list.List

  let largest_prime_factor (n:int) : int
    requires { 2 <= n }
    ensures { prime result }
    ensures { divides result n }
    ensures { forall i:int. result < i <= n -> not (prime i /\ divides i n) }
  = let d = smallest_divisor 2 n in
    let factor = ref d in
    let target = ref (n / d) in
    assert { !target * d = n && divides !target n } ;
    assert { forall i:int. prime i /\ divides i n /\ i > d ->
      coprime d i && divides i !target };
    while !target >= 2 do
      invariant { 1 <= !target <= n }
      invariant { 2 <= !factor <= n }
      invariant { divides !factor n }
      invariant { prime !factor }
      invariant { forall i:int. divides i !target /\ i >= 2 ->
        i >= !factor /\ divides i n }
      invariant { forall i:int. prime i /\ divides i n /\ i > !factor ->
        divides i !target }
      variant { !target }
      let oldt = ghost !target in
      let ghost oldf = !factor in
      assert { divides !target !target && !target >= 2 && !target >= !factor };
      let d = smallest_divisor !factor !target in
      assert { prime d };
      factor := d;
      target := !target / d;
      assert { !target * d = oldt && divides !target oldt } ;
      assert { forall i:int. prime i /\ divides i n /\ i > d ->
        i > oldf && divides i oldt && 1 <= d < i
        && coprime d i && divides i !target }
    done;
    !factor

  let test () =
    largest_prime_factor 13195 (* should be 29 *)

  let solve () =
    largest_prime_factor 600851475143

end


(***
Local Variables:
compile-command: "why3ide largest_prime_factor.mlw"
End:
*)
why3-1.6.0/examples/largest_prime_factor/000077500000000000000000000000001440160026300204155ustar00rootroot00000000000000why3-1.6.0/examples/largest_prime_factor/why3session.xml000066400000000000000000000275631440160026300234520ustar00rootroot00000000000000









 
 
  
  
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
    
    
    
   
   
   
   
   
   
   
   
   
   
   
   
   
   
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
 
 
 
 
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
   
   
   
   
   
   
  
  
  
  
  
  
  
   
   
   
   
   
   
   
   
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
 
 
 
 
 
 
 
 



why3-1.6.0/examples/largest_prime_factor/why3shapes.gz000066400000000000000000000073041440160026300230610ustar00rootroot00000000000000\]oܸ}ׯ跽;XUHh,pAzAcq3q`[(j{vfzqnT"*դS}Nw7ӻu?=8x&{{}
xTW_?S;uw/-#}}UXjnrWOwrKt4u:A;3ig%̗=*tu61颋..'[3FޟuC޿:LZ߿z~2qL?jʾ7qom{”E>9n|C{
rv7-w'a1;wX+8UpSrSFٷG^sO/{R{'3`gw?>b
wߧ]y
}Kc*7o'O,8";;t=v^~oAAtjj }q\{;gnn]5(5mjFQ;_!UM=wwzS5Üaqr)Ò˽KoSMa&\zRt{Eg' }ux!dȶlOA6+f)TAlfdd=lM8Pb#bۨkAu|. Ll,I"LH[oTq/^'N,?_3t
t<>a#=ScݥScYl^VPH,E1w]?|H+޵j]N\
;yHz쿹3ng2.U:z?u]Ol\aD
։X􄖪DPQR EU7F{]_˺2Mv=*n3h4ڔF95NW3eއOp"}x.8vF[\{jZVk27{[fgt<44\aBD0=pc>1|>H%r^8m815jY%As.Bkq0)O@·91aGx~ƴS77~nLܘ1mt޹1̍΍i37nFS:7̍r
_Cռ_!.zjQ{9c].ݧ~ٻ6$~&;\0?xm%D.!r	'^%X.r	g|啣e0b-Qt]Tta.O?asѼέs$y;h9kiNC~ڊDz.v߷2Xzz_N
bTS1ETJ\պ2O6k2ίEsٌngR{5f7U;wS_P}Emut!t!t!7B#]tOo,9+T-Ķo[nrzI^wFKaûa0S	|MyMJOo	M|^w
?:m{qOݻ_\]ss ̉ƠMԣǨߡF9h
E씳Q!s8m
R@@-h0;XJ1J%YG_fqZHB8Qȁ{
6?)U#FC{
sqBEccC)bpB#:=*cv2[Bjua5V"dH9XHj6k+.%@
i)1	|"IlKKf0:s+[:\*޴G!N8c1xVM]M³&٘ɨ},.1*%(!JNGEe46`pI"Ze,*0RfS=wLd7Ds
z0$92*`#^GT16{L<:Ҍ
qdߎU
Ji٥L:e2i4^2mĠ̬9cH9I|C¨e!)-rN9)Iyn-3Q*FA4J11R2 w\k50~A0YhP̝3H&cNʨ&c3p;:+cSLαX6Ip$QɺIYVhiݰ7fiDR4ZQT(eeFD)7YBi! Ze1:˼`N8Td#{,!qb?8ES
Ƕ(a dҠ4p;ݖUx'}c
s 5Ł8鐓iF&ɣ
wJ^+1~(&y*MO'(CD#F%R'sRU!caQ(i8Y'0yVhGB|4COcJ'eyY7Jj1Gbv<ǩruff#N!䪘+g*)Ji<<Ȓcb lx@ϩ1P񺊱C#0&8F`5p|)ο J8p',Øg+uA'4K+pTT7Ƭ	Zthis web page}

   Authors: Jean-Christophe Filliâtre and Andrei Paskevich *)

module LCP

  use int.Int
  use ref.Refint
  use array.Array

  predicate eqseq (a: array int) (x y: int) (len: int) =
    0 <= len /\ x + len <= length a /\ y + len <= length a /\
    forall i: int. 0 <= i < len -> a[x + i] = a[y + i]

  lemma not_eqseq:
    forall a: array int, x y: int, i: int. 0 <= i ->
    a[x + i] <> a[y + i] ->
    forall len: int. i < len -> not (eqseq a x y len)

  let lcp (a: array int) (x: int) (y: int) : int
    requires { 0 <= x < length a /\ 0 <= y < length a }
    ensures  { eqseq a x y result }
    ensures  { forall len: int. result < len -> not (eqseq a x y len) }
    =
    let l = ref 0 in
    while x + !l < length a && y + !l < length a && a[x + !l] = a[y + !l] do
      invariant { eqseq a x y !l }
      variant   { length a - !l }
      incr l
    done;
    !l

end
why3-1.6.0/examples/lcp/000077500000000000000000000000001440160026300150005ustar00rootroot00000000000000why3-1.6.0/examples/lcp/why3session.xml000066400000000000000000000012371440160026300200230ustar00rootroot00000000000000






 
 
 
 
 
 



why3-1.6.0/examples/lcp/why3shapes.gz000066400000000000000000000006141440160026300174410ustar00rootroot00000000000000eRKO0+zSטtJ=$'ӫ)	hw
Bu^4{
uS]DCj7C
fxn7&6<_j٭&"?]ƨr#2,Pt6? ROA&@Ӯ6?@ڗwOD2LyǙ=6~ôpXjtb8G0ZXέ,uƑʐYvEX
~GADti?:96).+D7o1i>t<ۃ拂p/:X_i:P!U].QE慔5S.RTpO	hw1SWEQH!$1H'^Mwhy3-1.6.0/examples/leftist_heap.mlw000066400000000000000000000133171440160026300174170ustar00rootroot00000000000000
(** Leftist heaps (Clark Allan Crane, 1972 && Donald E. Knuth, 1973).

    Purely applicative implementation, following Okasaki's implementation
    in his book "Purely Functional Data Structures" (Section 3.1).

    Author: Mário Pereira (Université Paris Sud)
*)

module Heap

  use int.Int

  type elt
  predicate le elt elt

  clone relations.TotalPreOrder with
    type t = elt, predicate rel = le, axiom .

  type heap

  val function size heap : int

  function occ elt heap : int

  predicate mem (x: elt) (h: heap) = occ x h > 0

  function minimum heap : elt

  predicate is_minimum (x: elt) (h: heap) =
    mem x h && forall e. mem e h -> le x e

  axiom min_def:
    forall h. 0 < size h -> is_minimum (minimum h) h

  val empty : heap
    ensures { size result = 0 }
    ensures { forall x. occ x result = 0 }

  val is_empty (h: heap) : bool
    ensures { result <-> size h = 0 }

  val merge (h1 h2: heap) : heap
    ensures { forall x. occ x result = occ x h1 + occ x h2 }
    ensures { size result = size h1 + size h2 }

  val insert (x: elt) (h: heap) : heap
    ensures { occ x result = occ x h + 1 }
    ensures { forall y. y <> x -> occ y h = occ y result }
    ensures { size result = size h + 1 }

  val find_min (h: heap) : elt
    requires { size h > 0 }
    ensures  { result = minimum h }

  val delete_min (h: heap) : heap
    requires { size h > 0 }
    ensures  { let x = minimum h in occ x result = occ x h - 1 }
    ensures  { forall y. y <> minimum h -> occ y result = occ y h }
    ensures  { size result = size h - 1 }

end

module TreeRank

  type tree 'a = E | N int (tree 'a) 'a (tree 'a)

end

module Size

  use TreeRank
  use int.Int

  let rec function size (t: tree 'a) : int = match t with
    | E -> 0
    | N _ l _ r -> 1 + size l + size r
    end

  lemma size_nonneg: forall t: tree 'a. 0 <= size t
  lemma size_empty: forall t: tree 'a. 0 = size t <-> t = E

end

module Occ

  use TreeRank
  use int.Int

  function occ (x: 'a) (t: tree 'a) : int = match t with
    | E -> 0
    | N _ l e r -> (if x = e then 1 else 0) + occ x l + occ x r
    end

  lemma occ_nonneg:
    forall x:'a, t. 0 <= occ x t

  predicate mem (x: 'a) (t: tree 'a) =
    0 < occ x t

end

module LeftistHeap

  type elt
  val predicate le elt elt
  clone relations.TotalPreOrder with
    type t = elt, predicate rel = le, axiom .

  use TreeRank
  use export Size
  use export Occ
  use int.Int
  use int.MinMax

  type t = tree elt

  (* [e] is no greater than the root of [h], if any *)
  predicate le_root (e: elt) (h: t) = match h with
    | E -> true
    | N _ _ x _ -> le e x
    end

  lemma le_root_trans:
    forall x y h. le x y -> le_root y h -> le_root x h

  (* [h] is a heap *)
  predicate is_heap (h: t) = match h with
    | E -> true
    | N _ l x r -> le_root x l && is_heap l && le_root x r && is_heap r
    end

  function minimum t : elt
  axiom minimum_def: forall l x r s. minimum (N s l x r) = x

  predicate is_minimum (x: elt) (h: t) =
    mem x h && forall e. mem e h -> le x e

  let rec lemma root_is_miminum (h: t) : unit
    requires { is_heap h && 0 < size h }
    ensures  { is_minimum (minimum h) h }
    variant  { h }
  = match h with
    | E -> absurd
    | N _ l _ r ->
       match l with E -> () | _ -> root_is_miminum l end;
       match r with E -> () | _ -> root_is_miminum r end
    end

  function rank (h: t) : int = match h with
    | E -> 0
    | N _ l _ r -> 1 + min (rank l) (rank r)
    end

  predicate leftist (h: t) = match h with
    | E -> true
    | N s l _ r ->
       s = rank h &&
       leftist l && leftist r &&
       rank l >= rank r
    end

   predicate leftist_heap (h: t) =
    is_heap h && leftist h

  let empty : t = E
    ensures { size result = 0 }
    ensures { forall x. occ x result = 0 }
    ensures { leftist_heap result }

  let is_empty (h: t) : bool
    ensures { result <-> size h = 0 }
  = match h with E -> true | N _ _ _ _ -> false end

  let rank (h: t) : int
    requires { leftist_heap h }
    ensures  { result = rank h }
  = match h with
    | E -> 0
    | N r _ _ _ -> r
    end

  let make_n (x: elt) (l r: t) : t
    requires { leftist_heap r && leftist_heap l }
    requires { le_root x l && le_root x r }
    ensures  { leftist_heap result }
    ensures  { minimum result = x }
    ensures  { size result = 1 + size l + size r }
    ensures  { occ x result = 1 + occ x l + occ x r }
    ensures  { forall y. x <> y -> occ y result = occ y l + occ y r }
  = if rank l >= rank r then N (rank r + 1) l x r
    else N (rank l + 1) r x l

  let rec merge (h1 h2: t) : t
    requires { leftist_heap h1 && leftist_heap h2 }
    ensures  { size result = size h1 + size h2 }
    ensures  { forall x. occ x result = occ x h1 + occ x h2 }
    ensures  { leftist_heap result }
    variant  { size h1 + size h2 }
  = match h1, h2 with
    | h, E | E, h -> h
    | N _ l1 x1 r1, N _ l2 x2 r2 ->
       if le x1 x2 then make_n x1 l1 (merge r1 h2)
       else make_n x2 l2 (merge h1 r2)
    end

  let insert (x: elt) (h: t) : t
    requires { leftist_heap h }
    ensures  { leftist_heap result }
    ensures  { occ x result = occ x h + 1 }
    ensures  { forall y. x <> y -> occ y result = occ y h }
    ensures  { size result = size h + 1 }
  = merge (N 1 E x E) h

  let find_min (h: t) : elt
    requires { leftist_heap h }
    requires { 0 < size h }
    ensures  { result = minimum h }
  = match h with
    | E -> absurd
    | N _ _ x _ -> x
    end

  let delete_min (h: t) : t
    requires { 0 < size h }
    requires { leftist_heap h }
    ensures  { occ (minimum h) result = occ (minimum h) h - 1 }
    ensures  { forall x. x <> minimum h -> occ x result = occ x h }
    ensures  { size result = size h - 1 }
    ensures  { leftist_heap result }
  = match h with
    | E -> absurd
    | N _ l _ r -> merge l r
    end

end
why3-1.6.0/examples/leftist_heap/000077500000000000000000000000001440160026300166715ustar00rootroot00000000000000why3-1.6.0/examples/leftist_heap/why3session.xml000066400000000000000000000105761440160026300217220ustar00rootroot00000000000000







 
 
  
  
  
 
 
 
 
  
  
  
 
 


 
 
  
  
  
 
 


 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
 
 
 
 
 
 
 
 
 
 
 



why3-1.6.0/examples/leftist_heap/why3shapes.gz000066400000000000000000000040571440160026300213370ustar00rootroot00000000000000YY~ׯcFV`	f_xfx%yקfgvs:bU]$֗ܧtYΗjWwtd~J'N	mWj%rIԒ'a’7,;jia;‘U/Sr?
55;U!#P((j7{ -2//ף:}#tGStyGeww^B6oJ7VC)?$@3ŧ/COMw>$63jA
rWRH'F߮wr^B?X(OPʷMQt^4:wjR0|w㸫t[(9#mKl{ka~X^ ?"wØl#(Fۖ^T+CcI&HzM:R2*h⫃{wDЗAjpBz"vPO=~Wnxuë>Zn9?W4.}P$4=..}KBiVvM孝@MB.H6}X3+ӝx}]"r|ruL%\׍9xv kryk]6K3^B,qaY, +'9=^]^9,f9'9|˿__wʽRiFOmͧX._0vcݚ-HtMP(fPLydfTn$ǦS++?14(lѭGo}7|3h+`L5,{e:xv(b
V3͙
08ג9<	8)JgO3rNrE`
i'JH$Ʋ0	Sr`pJId1j!^HH൲"JԐ12`m;+R
fQ(Sb(pYJ&djǕ9f*ځ܁r$4rL"RHƈT=׊aIdV*`y"Hkd;s-|ou&Xʠd*!Za)A.(hAp"B&P20TњbWhHs-B PꜴA
Fy.j$s**CACb=e+2(^\KIk&R:GP5J^sM$ePAGy,8[eQ3	
&Ɣ	:m֢_:Sx>3F-2岔YLvp(S{iN΁fO2Ysmܚ_+%uN
y68i]fUk/TZB<^J/X\i`Ql2Ms/h U`Ikv|Qye\$Ei)3ck;aTHhPA{Zu|%BĢ{ why3-1.6.0/examples/linear_probing.mlw000066400000000000000000000260701440160026300177420ustar00rootroot00000000000000
(** Hash tables using linear probing

    Authors: Jean-Christophe Filliâtre (CNRS)
             Martin Clochard (École Normale Supérieure)
*)

module HashedTypeWithDummy

  use int.Int

  type key
  type keym (** the logic model of a key *)
  function keym key: keym

  val predicate eq (x y: key)
    ensures { result <-> keym x = keym y }
  let predicate neq (x y: key)
    ensures { result <-> keym x <> keym y }
  = not (eq x y)

  val function hash key : int
  axiom hash_nonneg: forall k: key. 0 <= hash k
  axiom hash_eq: forall x y: key. eq x y -> hash x = hash y

  val constant dummy: key
  constant dummym: keym = keym dummy

end

module LinearProbing

  clone HashedTypeWithDummy with axiom .

  use int.Int
  use int.ComputerDivision
  use option.Option
  use list.Mem
  use map.Map
  use map.Const
  use ref.Ref
  use array.Array

  let function bucket (k: key) (n: int) : int
    requires { 0 < n }
    ensures { 0 <= result < n }
  = mod (hash k) n

  (** `j` lies between `l` and `r`, cyclically *)
  predicate between (l j r: int) =
    l <= j < r || r < l <= j || j < r < l

  (** number of dummy values in array `a` between `l` and `u` *)
  scope NumOfDummy
    use int.NumOf

    function numof (a: array key) (l u: int) : int =
      NumOf.numof (fun i -> eq a[i] dummy) l u

    let rec lemma numof_eq (a1 a2: array key) (l u: int) : unit
      requires { 0 <= l <= u <= length a1 = length a2 }
      requires { forall i: int. l <= i < u -> eq a2[i] a1[i] }
      ensures  { numof a2 l u = numof a1 l u }
      variant  { u-l }
    = if l < u then numof_eq a1 a2 (l+1) u

    let rec lemma dummy_const (a: array key) (n: int)
      requires { 0 <= n } requires { forall i: int. 0 <= i < n -> a[i] = dummy }
      variant { n } ensures { numof a 0 n = n }
    = if n > 0 then dummy_const a (n-1)

  end
  function numofd (a: array key) (l u: int) : int = NumOfDummy.numof a l u

  let ghost numof_update (a1 a2: array key) (l i u: int)
    requires { 0 <= l <= i < u <= Array.length a1 = Array.length a2 }
    requires { forall j: int. l <= j < u -> j<>i -> a1[j] = a2[j] }
    requires { eq a1[i] dummy && neq a2[i] dummy }
    ensures  { numofd a1 l u = 1 + numofd a2 l u }
  =
     assert { numofd a1 l u
              = numofd a1 l i + numofd a1 i u
              = numofd a1 l i + numofd a1 i (i+1) + numofd a1 (i+1) u };
     assert { numofd a2 l u
              = numofd a2 l i + numofd a2 i u
              = numofd a2 l i + numofd a2 i (i+1) + numofd a2 (i+1) u }

  predicate valid (data: array key) (view: map keym bool) (loc : map keym int) =
    (* dummy not in the model *)
    not (Map.get view dummym)
    /\
    (* any value in the array is in the model *)
    (forall i: int. 0 <= i < Array.length data ->
       let x = data[i] in neq x dummy ->
       Map.get view (keym x) /\ Map.get loc (keym x) = i)
    /\
    (* any value in the model is in the array *)
    (let n = Array.length data in
     forall x: key. Map.get view (keym x) ->
        let i = Map.get loc (keym x) in
        0 <= i < n && eq data[i] x &&
        forall j: int. 0 <= j < n ->
          between (bucket x n) j i ->
          neq data[j] x /\ neq data[j] dummy)
          (* TODO ^^^^^^^^^^^^^^^^^^ is actually provable *)

  type t = { mutable size: int;   (* total number of elements *)
             mutable data: array key;    (* buckets *)
       ghost mutable view: map keym bool; (* pure model *)
       ghost mutable loc : map keym int;  (* index where it is stored *)
    }
    (* at least one empty slot *)
    invariant { 0 <= size < length data }
    invariant { let n = Array.length data in
                size + numofd data 0 n = n }
    invariant { valid data view loc }

  let create (n: int) : t
    requires { 0 < n }
    ensures  { forall x: key. not (Map.get result.view (keym x)) }
  =
    { size = 0; data = Array.make n dummy;
      view = Const.const false; loc = Const.const 0; }

  let clear (h: t) : unit
    writes  { h.size, h.data.elts, h.view }
    ensures { h.size = 0 }
    ensures { forall x: key. not (Map.get h.view (keym x)) }
  =
    h.size <- 0;
    Array.fill h.data 0 (Array.length h.data) dummy;
    h.view <- Const.const false

  let function next (n i: int) : int =
    let i = i+1 in if i = n then 0 else i

  let find (a: array key) (x: key) : int
    requires { neq x dummy }
    requires { let n = Array.length a in 0 < n /\ numofd a 0 n > 0 }
    ensures  { 0 <= result < Array.length a }
    ensures  { eq a[result] dummy || eq a[result] x }
    ensures  { forall j: int. 0 <= j < Array.length a ->
               between (bucket x (Array.length a)) j result ->
               neq a[j] x /\ neq a[j] dummy }
  =
    let n = Array.length a in
    let b = bucket x n in
    let rec find (i: int) : int
      requires { 0 <= i < n }
      requires { numofd a 0 n > 0 }
      requires { forall j: int. 0 <= j < n -> between b j i ->
                 neq a[j] x /\ neq a[j] dummy }
      requires { if i >= b then numofd a b i = 0
                 else numofd a b n = numofd a 0 i = 0 }
      variant  { if i >= b then n - i + b else b - i }
      ensures  { 0 <= result < n }
      ensures  { eq a[result] dummy || eq a[result] x }
      ensures  { forall j: int. 0 <= j < n -> between b j result ->
                 neq a[j] x /\ neq a[j] dummy }
    =
      if eq a[i] dummy || eq a[i] x then i else find (next n i)
    in
    find b

  let mem (h: t) (x: key) : bool
    requires { neq x dummy }
    ensures  { result <-> Map.get h.view (keym x) }
   =
    neq h.data[find h.data x] dummy

  let resize (h: t) : unit
    writes  { h.data, h.loc }
    ensures { Array.length h.data = 2 * old (Array.length h.data) }
  =
    let n = Array.length h.data in
    let n2 = 2 * n in
    let a = Array.make n2 dummy in
    let ghost l = ref (Const.const 0) in
    for i = 0 to n - 1 do
      invariant { numofd a 0 n2 = numofd h.data 0 i + n2 - i }
      invariant { forall j: int. 0 <= j < n2 -> neq a[j] dummy ->
                  Map.get h.view (keym a[j]) /\ Map.get !l (keym a[j]) = j }
      invariant { forall x: key. Map.get h.view (keym x) ->
                  let j = Map.get h.loc (keym x) in
                  if j < i then
                    let j2 = Map.get !l (keym x) in
                    0 <= j2 < n2 /\ eq a[j2] x /\
                    forall k: int. 0 <= k < n2 ->
                      between (bucket x n2) k j2 -> neq a[k] x /\ neq a[k] dummy
                  else
                    forall j2: int. 0 <= j2 < n2 -> neq a[j2] x }
      let x = h.data[i] in
      if neq x dummy then begin
        label L in
        let j = find a x in
        assert { eq a[j] dummy };
        a[j] <- x;
        assert { numofd a 0 (j+1) = numofd (a at L) 0 (j+1) - 1 };
        l := Map.set !l (keym x) j
      end
    done;
    h.loc <- !l;
    h.data <- a

  let add (h: t) (x: key) : unit
    requires { neq x dummy }
    writes   { h }
    ensures  { h.view = Map.set (old h.view) (keym x) True }
   =
    begin
      ensures { h.size + 1 < Array.length h.data }
      if 2 * (h.size + 1) >= Array.length h.data then resize h
    end;
    let i = find h.data x in
    if eq h.data[i] dummy then begin
      label L in
      h.size <- h.size + 1;
      h.data[i] <- x;
      assert { numofd h.data 0 (i+1) =
               numofd (h.data at L) 0 (i+1) - 1 }
    end;
    ghost (h.view <- Map.set h.view (keym x) True);
    ghost (h.loc <- Map.set h.loc (keym x) i)

  let copy (h: t) : t
    ensures { result.view = h.view }
   =
    { size = h.size; data = Array.copy h.data;
      view = h.view; loc = h.loc; }

  let rec ghost find_dummy (a: array key) (s: int) (i: int) : int
    requires { 0 <= s < Array.length a }
    requires { 0 <= i < Array.length a }
    requires { i <> s }
    requires { if i >= s then numofd a i (Array.length a) + numofd a 0 s >= 1
                         else numofd a i s >= 1}
    requires { forall k: int. 0 <= k < Array.length a ->
               between s k i -> k<>s -> neq a[k] dummy }
    variant  { if i >= s then Array.length a - i + s else s - i}
    ensures  { 0 <= result < Array.length a }
    ensures  { result <> s }
    ensures  { eq a[result] dummy }
    ensures  { forall k: int. 0 <= k < Array.length a ->
               between s k result -> k<>s -> neq a[k] dummy }
  =
    let n = Array.length a in
    if eq a[i] dummy then i else find_dummy a s (next n i)

  (* j is the hole just created by remove (see below) and this function
     restores the data structure invariant for elements
     to the right of j if needed, starting at index i *)
  let rec delete (a: array key)
                 (ghost loc: ref (map keym int)) (ghost view: map keym bool)
                 (ghost f0: int) (j i: int) : unit
    requires { 0 <= f0 < Array.length a }
    requires { 0 <= j < Array.length a }
    requires { 0 <= i < Array.length a }
    requires { j <> f0 }
    requires { eq a[j] dummy }
    requires { eq a[f0] dummy }
    requires { between j i f0 }
    requires { forall k: int. 0 <= k < Array.length a ->
               between i k f0 -> k<>i -> neq a[k] dummy }
    requires { not (Map.get view dummym) }
    requires { forall k: int. 0 <= k < Array.length a ->
               let x = a[k] in neq x dummy ->
               Map.get view (keym x) /\ Map.get !loc (keym x) = k }
    (* any value in the model is in the array *)
    requires { let n = Array.length a in
               forall x: key. Map.get view (keym x) ->
                 let k = Map.get !loc (keym x) in
                 0 <= k < n && eq a[k] x &&
                 forall l: int. 0 <= l < n -> between (bucket x n) l k ->
                   neq a[l] x /\
                   (neq a[l] dummy \/
                    l = j /\ between j i k) }
    variant  { if i >= f0 then Array.length a - i + f0 else f0 - i }
    ensures  { numofd a 0 (Array.length a) =
               numofd (old a) 0 (Array.length a) }
    ensures  { valid a view !loc }
   =
    let n = Array.length a in
    let i = next n i in
    let xi = a[i] in
    if neq xi dummy then begin
      let r = bucket xi n in
      if j < r && r <= i || i < j && j < r || r <= i && i < j then
        (* the hash index r lies cyclically between j and i *)
        delete a loc view f0 j i
      else begin
        let ghost a1 = Array.copy a in
        ghost NumOfDummy.numof_eq a a1 0 n;
        (* the hole j lies cyclically between hash index r and i *)
        a[j] <- xi;
        ghost numof_update a1 a 0 j n;
        let ghost a2 = Array.copy a in
        ghost NumOfDummy.numof_eq a a2 0 n;
        ghost loc := Map.set !loc (keym xi) j;
        a[i] <- dummy;
        ghost numof_update a a2 0 i n;
        delete a loc view f0 i i
      end
    end

  let remove (h: t) (x: key) : unit
    requires { neq x dummy }
    ensures  { h.view = Map.set (old h.view) (keym x) False }
  =
    let n = Array.length h.data in
    let j = find h.data x in
    if neq h.data[j] dummy then begin
      label L in
      h.data[j] <- dummy;
      assert { numofd h.data 0 (j+1) =
               numofd (h.data at L) 0 (j+1) + 1 };
      ghost (h.view <- Map.set h.view (keym x) False);
      let l = ref h.loc in
      let f0 = find_dummy h.data j (next n j) in
      delete h.data l h.view f0 j j;
      ghost (h.loc <- !l);
      h.size <- h.size - 1;
    end

end
why3-1.6.0/examples/linear_probing/000077500000000000000000000000001440160026300172145ustar00rootroot00000000000000why3-1.6.0/examples/linear_probing/why3session.xml000066400000000000000000000761211440160026300222430ustar00rootroot00000000000000












 
 
 


 
 
 
 
 
 
 
 
 
 
 
 
 
 
  
  
   
   
    
    
     
     
     
    
    
   
   
  
  
 
 
 
 
 
 
 
 
 
 
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
 
 
 
 
 
 
 
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
   
   
   
   
   
    
    
    
   
   
   
   
    
    
    
   
   
   
   
    
    
    
   
   
   
   
    
    
    
   
   
   
   
   
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
   
   
   
  
  
  
  
  
  
  
  
 
 
 
 
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
   
   
    
    
     
     
     
     
     
      
      
      
     
     
     
     
      
      
       
       
        
        
        
        
        
         
         
         
        
        
       
       
      
      
     
     
     
     
      
      
      
     
     
     
     
      
      
      
     
     
     
     
      
      
      
     
     
     
     
      
      
      
     
     
     
     
     
    
    
   
   
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
 
 
 
 
 
 
 
 
 
 
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
   
   
   
   
   
   
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
 
 
 
 
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
 
 



why3-1.6.0/examples/linear_probing/why3shapes.gz000066400000000000000000000430601440160026300216570ustar00rootroot00000000000000k޸.E;ANnAhl@וؙ5ٿ _}swbIwi_ =} w~.оY½21
7?z;y/ԽQUB艽k@^P/
RٴQ'{p{>C9*DOHJLOhϭfY %^涊V/VVU%_POR=7In0S4I4iiXs*x%DU3-hjӿ^DTT%1-]sj\LL+zI۹ΙĜ7v1	$ƚ[Aչ\@@'@&Fa(gV<%lWJ͗Uy6aUuM=HHY|B2qdQ\K61Z^1ʲyt#оڟmk"0(zUwI7/ľqØRøˏĐ5ׄH')X?3,嗐S+E3v"KU, }g=eyo&NJ'=KToHݥ's{ak|K̀{{yYQRn=qdkDOMdHQQ7#*	2v5#BR K]hŸ	}ײވtǜ	}
	"VDU!U'4RٽVeQz~jFI%r 92**J4@{m7HQ7WņCML.?	hlyD;r3/^RHoGy/]cy
.o8df,EG̬.n|-MWԪ^cUd/ج%q4˂ſl7I=\(r;+FcPdiubʀR,IO7IK
n|?"Y~ܾ@'lmcneNu	&䅊o7/艢O;CS&ؐ<#v܎H)Z9Rj)H/^P")rC5^35
Ptmx3>c+dA#׬Ϣ5iK5a)0s(_q8gGQaG}zII쉓6#vi#>Wi&U.Ey8_+>{NU*0:4:ltG
8`l2Pzjsꮭk3٢.^E
zy	W]Y(b?"~َn㡛~#SW7~irKT'xu)]qLg.󸫾X}z><.*q9y\<.76OGjH3ؿ?b͙g+y1K\;2NS7x&qq	A0U˷yQW٥*KeKfjgL})HAH	hye٨ʲ}UX6f$yREIr.zj}aծZIJ*b%UŦ^]10}CZ[ik
{,mT.iV+:b%2Ubzx3\FXaKkbN̻U.ӥׁoA&@ ;IxK$&ojұʷ7+Ơ@e:{xN5UPVءӼ-6WB{~ 8K'*@_o^~cړQny*C`F '߾Û^}. H*˭ޏwU;ON幧@|bz?4|!KB
N"`;	fT	ZM1r3ӊ{cۛA̝'^p;䢴
s"]#@ѥk"S4
4xTLNO,n-Zhou}N">!wq:gT f"K|lC֌FMarnQulyWdcW:Ɨn-
Uںˢ+`,p\Tj
3ΙOsldC/)W[Xe(?40=v7KUSewȖV0VZHfc 7Ĥ{쾏iwhv7W~^)|r@lzބMH|KťORF*DeEkYK
JivUK߱TTs)c?Tlۂˉ}c!\	KqЯ
`$T?0Sҳde,
#3;c#z#rO0}a߱00ަ#{Xd6	mw_]!z)_d3;Rt-Sbh΂D%Y&$RCL 2wdvPMYLM~v8jV67b'Q$ydŠǓ(f;bISLg?bI[LO;A#p~1WC'].f2l_f+Wyql6py UƒjAk*.65-FN-׈cX8V"8Dkw8n~-pg8ɜ.FhGHߖ	Gv9!^݊=L<x`p[^AEE̮6}{<:㱅c#~6*}05$^EuVS	-@9cQ[)N8lى3,n4qFg5g3.ZL"[3eg̞}1cq!θf3Ѯюbd+6N%c-L^mܔLV/s2#I_HEKUbQfE1	M	Ez^eɿ"=1am1jC6 VwCJpH32PmuIqCZ20IG|97|,HYmL#ʴya3!9*0Ws Ԙ)*ڦx).[9aˆYjmx
*˻	jd>b~.JnJ>NiyožBRO;$f0An	CgO!`iU֥:Mܢd@z#9;PJ_CP76v_RUX{1r#1=#Y8̀̀eivN[+[`zeM\D̎j&ߡI&E1KiRu+?mRlRڤä(#*RIqtL0ZH>P"HN5)®ԄGL$BiRBzߢ%.wrG%sB؜[s8XY9;͉-O&6'31'R﷕2)RV@h߅|1'osɏ7'G	씷5cT-˵inhs5vn}phW~9~Wϫ.~I_ﮪ=һ>#5lA$.22'ݔk.CCۍ}pdnYtWZFCKض,3ٶkLm:aqGJn>GC).YaۤbKF%VS
׸=#1[c4,
=5l۸rob
wcY(]GPbň)lՖ؅'X+m%(.%CmՖy,wJݓ~Tol@6/KNmN[m
Q|rhnt3stMtީ{3(I0Oq~s*ᄟ=Ock~n/;EآfqtEDW'ɱ'?ck3\.CU~qhN1+ePc]{q~lJE)j{uQmp}ʽ=d

?73؛cOxTg<yb1_>)s'8^eDU1C_D?Dcr&]b<]GیM5Ƀ돛a~}rrL,Kinc(
7
	q\d+!%.n*Hړu,!j_B#B(!z;aY8$sSDNYSiG|~Es=
C|MN봺=k+0@` Q`/GщY`§*c	S^q=gaQ}Q_ݓ$3_׭ɕR"5Gjo6$Ħ9TOMv|#C$%>r@%Xp˭z)r\=UgX!r}&6JHB=Τ{IIHc,$1 	,ļ-8ƓމdXOBq
.$s;Ң=
<	ޣ#7	#c'f"*UAj[;'vC,ЏiSewl⺂l/(lFf,z.m1ޘ"V+W
eɵkѝQ1;?H7v+{)^%!m
D|Lί']TJ9P ~O7-U_u%OEn
cq)`|Sl\c;5ݡ}xzX.fYe/ΧUq}1b?>C~*뺠&Y^7lږ 3N8*KA|aS/󙀴cLٟ"|w)Gx7tiЙ7t䍫e@z_rS7} iv3Q򲝔0y[ˣ{bY_&SW܉Nd܉S~Ls>9OiBSOqf"aX"M3?H$ieBýhwYH'Da*_"y/R~C	<_|/Խ;eĽ22BY4ŊהB?ʭbf!2sI4?_ˆƪ芔]9lznoS8PES%ޜXi%[ۗH}FNkxk.)MSٞpOE2r`߻H()sb$fw];5xCυIU
h%'hu6t:-f#p4Xn(Ix5.hutͼ;~y$U|6^*XUGUXXaMPCkzH)gɿn=]r=EmfbDe6v,F-Mw]Hd'cI:[آH/*kI[;\<_*qvu8Ϧ]A,&pǥ*/](=Ah~XX%VɱS#RK/0p$6W2:btr_mOe/]NլoMC*$ltH{8ǥ2;S=E=3TK2!y>+“&-8/EGE/`pŨxCtURQ4
]E5l
nf̗ZfU0J(7IsMKQ$Y%@u.'g^L{֘\Tt7=\~"4 !SNJYhm~^6^t?Lѫ|Vj 00MQԜ]*֚te1d$.Yvnjg8)q*5릤
%ŕOq)_œ2Tʮs~R+MRREUJį4	X.֖bͲ۳Ii&;PW~22
ЉN|:yTB-t÷Й&8M	a[{V[BB-tV9t'7q]tx{
Gkm5ǫiDNztO~*Y7kLNoXw!~"rM]\pIٳUW_	
J$'D&D~
B
gD
FlލlZkJ#$*U4CkC͐t!)sŪz=LaXqYP*4NK7%`LLm	( pb	pQ6
n<4mVҙ;V΍lT;!脠8 4A E (_)‘%gH3$'/an[E.6%;;NP4v;=\Eອ93\'XffUmr4gd覅x,emB&%:XBBnZ>+
i&K>gy8T11Mm.=t3L>]$.?;-CŖi-C͖d|dӓMF6MFQ9Yr*)|ɳnHDLO&WO~&"o6LhLDo= 6Y=ǭ,}E⽳!y;{;>r"ݚxشoN-$&3BH`g܆6Qqx~y
V~Cv<{>~^ձ`(Jy*k6KtWpӬa	=]2Q;/A0d$QٜODM|ʧmS:#o3s.@=\W3w8bХΖ+ŨB],^7'Ͽ8.aBo
CݿG
eC1q)6ֶܫK'ޙF1
s5f|'Pj.$.4fi)`&Sf~W_sb2+@oejYv#gС,*y)$s@^+[0ƉK<̛珤\ :A\#ay0
jGۍ\A#HR%~{ުqYW&LPl6pЇ̊Bf7=lFj.t2==jGBTiqEH`˒O[/rAҎ.IR WHǜ!]a/sxAY>g[ks~ә?"?.
tS0^MG%)%Tk}^^>rr)"5(5prqz狟%qs%ҋͰZ̀DːdbH--C?лtE0{!CM1,sSdh6*O2$[Ԫ`|&6I]dH]1Y_-CrUyҝ:[a=Uٓyٙg/E]J8^pS"SAE'.ն/3+n8uGr
=ܢGڔA÷;GiMuᾰK_^9XiajE0D=BE=>4ˍ٢ĉZdquxyϏU/ПB
7+
N48GÅN,8[łm՗ND8Am՗ND8Ar^pb‰	
&,[mA(!-=B] ^}ZHHީ5
IID<ZFȢ0$n",ID$1;HAʕcY!I$%
IlF
0ԸąN\pjLI,YBzeHIt)e^
]2
Zصbm`H.ei
La!D[lMs	FfɟawM76,DEܨ3+
,
Ӱ ﭨ`ANlJnw>P"d<&j_&dKi&~+LXhm1Fͻ	zgY&(|n19#sMdSEL6OGL
88:1Gq]qD1r%q]ACt0'4g
~wg/X±0c9v,ڱcAԎݲkU
⍒_8|6C+2l[9vXn@[md,]wx@Wx_߮+S.ޕA't]kUnݒU-$@KHw"s&	'~0F//_3D2Q
ZcƗalإt|,f8aK^rI9rbĉ'F|qt'hK׬ffhpz|`}C(QJR+j(Q_J;rǜ吋31")=?gŀ*ipB÷

4cJ_/SF6 я"&3̢ϱUbT9C~>-AOIs!A@S7R.?k*˷YSWoNf#q@`kkb8mW@[\eUj%TQ/NlUYddf#o-Ud˭rJylNlb5b5bLynwF/' pwWk٤|HI&]E^DUG^Tw(S6vuyQ~y~6UyQ=y"˭UhUmlp-
B5z{īõ0+nVNHquRfm$YHy9yͯ76yZ?_xNDEg<汬÷xպhH//;clz?9沓_يKX>26Y>)0_
RWHϤ3GMuK3HHt/
Mm8;%d܏a]P$E"֑Y0rr.}rh>'oC7zedsX%/$G2'8oUP҄{=jo,5SN*O\|j@D(nҸ~# \|f!7P)9Grl5hmy`ljSN:E)kN|)uԝR94\bjU=Sγ\ry嗗BzJ)_1qJ%~fөq[cS]˧%^f˯_##6<f 5騞H(Ķ8'{
u'Xʡr(W.씪:rT)u7.4.uSlb[)|y{zƃ{EW7.HT@-ų͛rD0BM$E -Vnj̕rU\;N{F{4<0.7rAnNx$ wRcCw9A
FtFA[xKLʔ]3G4~	 b(2€[Q@J*vg(
If}2}Sd|!O78,.'LÄ/gI|5K,$%|0Q%|^KO{ZĄNL~0G<G
(.OO6ONO℃ߓRsAUVOVĴOLgpb'D웍9x!ifz}5Vl1;Vǜa3iu_O3蹐մ/jZ󴺯ս^{꾚VyZn	O$s;~3O͞?}9iu}V-zꪝLh'>hO}뼹īj0f4{*txMƉkʾ2+E,/E*';夆qBͫE1邟AAMLtY:5vBꕐR!mыnlZ\JWlJ/t/:kz
aM;Wm3k_ISl\j'еEx%N3aW:LZ:/UrASP˦m3ڂ@0Tzߵ(/:PFع[e]&P=cRb
B+8)1N`XQAjvBkAvgi%ZS͵Q/S0(80'۶sC6JR~Y9d'
0zc'k%C'u+uݮm'Xtte~Y}hZ2-􃴃B6WmS$u?A|h%,tfYٱ	!4w۱AnR\`,&R2ilzT;l8_g0uCSY}0FhL;uC04^JtU䵖/d-)GBoF
Xێ˪(n14=_ Q4?\;%{k5;PI:oZ2vA{r-uA0)DzxC0AUofl:#F95{Rvmt߁X#H|?u~`Z5B	c>8e'ƴK@-52@xFW)צ蚦BK/zk5Bt.}{m+s0I?5Z
qdJRR7"\J 2(f
B-bIG
&
Vu\@">E
oh8i&Jሡ?jb9Esca

ih6դ ͣ `#ˢ5-ACów
0!]Ri4N@e'ſ\敀?䅮)lTv2ŅBf6)`ki$yfb6y#RawT8K=.ec͞+
_'dPMORel4c-LFp
|VMj郘Am`a#Dj¿25F}@aRF**J[ǒ[cdl?|N-[Zg_h(Ul
i[0f0Ȥt	6d쒪E8&"sa	P`]Zj[}:;l=8<\t>r9^hD&D@[
C*m?NaixK"dB0aSO].Ҵ@&5Ní4dÒHEXYЀajdkhHQڀ_-Ñ~h = Uw
c5~Y{¶P	MoGŪԁ6=y CG	[=^R0chC{kV[#kEQ!SiV !c#{|ҵ𰌀>>RH)6]>TO0z3pҽhM*H!:^z{4R#<X
`OA7(
ѕG2
	lmHىvӍ<¥UIi,H92'	{ȫ`BeQMj(tUIpQ^GvZ8ŮrR׹6RrӋFM/auª^hq.IF=zT8-(u2-`fk9tR8}Z^z4
.>0`ڡqausy`lpdgzӶk=@|aă]˱0оQљ#~~zێhB7!j^Y$i
86] 32>2hDjTΑAP~aGYNђ@3tán$GK
miZ
m& P  ΌvFz|O$G5-ݍ5S,|Ğ^l'Z\Z7n,lo.6-H;u4|FjySC3.Iap5?ѾhaC|b@"WsO+ؽ
،i؃}3E{+V"R8Vc.	m.iER<4jay;Փ%7:Xpj1mo!Ic 
$
_Iĥv`,h~vᔒ[ftDU;T?7UI C7o8#N-c6jd	&&j=|u(9ZDŽn:cf0Szv1lpaȮX2mFisM6NiQ5Уn1IA;VP)ePryadaWƅA
n{6 qy&*Lޘl
?xqmCwhy3-1.6.0/examples/linked_list_rev.mlw000066400000000000000000000462141440160026300201270ustar00rootroot00000000000000

(**

{1 In-place linked list reversal }

Version designed for the {h MPRI lecture ``Proof of Programs''}

This is an improved version of {h this
one}: it does not use any Coq proofs, but lemma functions instead.

*)



module InPlaceRev

  use map.Map
  use ref.Ref
  use int.Int
  use list.List
  use list.Quant as Q
  use list.Append
  use list.Mem
  use list.Length
  use export list.Reverse

  type loc

  val function eq_loc (l1 l2:loc) : bool
    ensures { result <-> l1 = l2 }

  val constant null : loc

  predicate disjoint (l1:list loc) (l2:list loc) =
    forall x:loc. not (mem x l1 /\ mem x l2)

  predicate no_repet (l:list loc) =
    match l with
    | Nil -> true
    | Cons x r -> not (mem x r) /\ no_repet r
    end

  let rec ghost mem_decomp (x: loc) (l: list loc)
    : (l1: list loc, l2: list loc)
    requires { mem x l }
    variant  { l }
    ensures  { l = l1 ++ Cons x l2 }
  = match l with
    | Nil -> absurd
    | Cons h t -> if eq_loc h x then (Nil,t) else
       let (r1,r2) = mem_decomp x t in (Cons h r1,r2)
    end

  val acc (field: ref (map loc 'a)) (l:loc) : 'a
    requires { l <> null }
    reads { field }
    ensures { result = get !field l }

  val upd (field: ref (map loc 'a)) (l:loc) (v:'a):unit
    requires { l <> null }
    writes { field }
    ensures { !field = set (old !field) l v }


  inductive list_seg loc (map loc loc) (list loc) loc =
  | list_seg_nil: forall p:loc, next:map loc loc. list_seg p next Nil p
  | list_seg_cons: forall p q:loc, next:map loc loc, l:list loc.
      p <> null /\ list_seg (get next p) next l q ->
         list_seg p next (Cons p l) q

  let rec lemma list_seg_frame_ext (next1 next2:map loc loc)
    (p q r v: loc) (pM:list loc)
    requires { list_seg p next1 pM r }
    requires { next2 = set next1 q v }
    requires { not (mem q pM) }
    variant  { pM }
    ensures  { list_seg p next2 pM r }
  = match pM with
    | Nil -> ()
    | Cons h t ->
       assert { p = h };
       list_seg_frame_ext next1 next2 (get next1 p) q r v t
    end

  let rec lemma list_seg_functional (next:map loc loc) (l1 l2:list loc) (p: loc)
    requires { list_seg p next l1 null }
    requires { list_seg p next l2 null }
    variant  { l1 }
    ensures  { l1 = l2 }
  = match l1,l2 with
    | Nil, Nil -> ()
    | Cons _ r1, Cons _ r2 -> list_seg_functional next r1 r2 (get next p)
    | _ -> absurd
    end

  let rec lemma list_seg_sublistl (next:map loc loc) (l1 l2:list loc) (p q: loc)
    requires { list_seg p next (l1 ++ Cons q l2) null }
    variant { l1 }
    ensures { list_seg q next (Cons q l2) null }
  = match l1 with
    | Nil -> ()
    | Cons _ r -> list_seg_sublistl next r l2 (get next p) q
    end

  let rec lemma list_seg_no_repet (next:map loc loc) (p: loc) (pM:list loc)
    requires { list_seg p next pM null }
    variant  { pM }
    ensures  { no_repet pM }
  = match pM with
    | Nil -> ()
    | Cons h t ->
      if mem h t then
         (* absurd case *)
         let (l1,l2) = mem_decomp h t in
         list_seg_sublistl next (Cons h l1) l2 p h;
         list_seg_functional next pM (Cons h l2) p;
         assert { length pM > length (Cons h l2) }
      else
        list_seg_no_repet next (get next p) t
    end

  let rec lemma list_seg_append (next:map loc loc) (p q r: loc) (pM qM:list loc)
    requires { list_seg p next pM q }
    requires { list_seg q next qM r }
    variant  { pM }
    ensures  { list_seg p next (pM ++ qM) r }
  = match pM with
    | Nil -> ()
    | Cons _ t ->
      list_seg_append next (get next p) q r t qM
    end

  val next : ref (map loc loc)

  let app (l1 l2:loc) (ghost l1M l2M:list loc) : loc
    requires { list_seg l1 !next l1M null }
    requires { list_seg l2 !next l2M null }
    requires { disjoint l1M l2M }
    ensures { list_seg result !next (l1M ++ l2M) null }
  =
    if eq_loc l1 null then l2 else
    let p = ref l1 in
    let ghost pM = ref l1M in
    let ghost l1pM = ref (Nil : list loc) in
    while not (eq_loc (acc next !p) null) do
      invariant { !p <> null }
      invariant { list_seg l1 !next !l1pM !p }
      invariant { list_seg !p !next !pM null }
      invariant { !l1pM ++ !pM = l1M }
      invariant { disjoint !l1pM !pM }
      variant   { !pM }
        match !pM with
        | Nil -> absurd
        | Cons h t ->
          pM := t;
          assert { disjoint !l1pM !pM };
          assert { not (mem h !pM) };
          l1pM := !l1pM ++ Cons h Nil;
        end;
        p := acc next !p
    done;
    upd next !p l2;
    assert { list_seg l1 !next !l1pM !p };
    assert { list_seg !p !next (Cons !p Nil) l2 };
    assert { list_seg l2 !next l2M null };
    l1



  let in_place_reverse (l:loc) (ghost lM:list loc) : loc
    requires { list_seg l !next lM null }
    ensures  { list_seg result !next (reverse lM) null }
  = let p = ref l in
    let ghost pM = ref lM in
    let r = ref null in
    let ghost rM = ref (Nil : list loc) in
    while not (eq_loc !p null) do
      invariant { list_seg !p !next !pM null }
      invariant { list_seg !r !next !rM null }
      invariant { disjoint !pM !rM }
      invariant { (reverse !pM) ++ !rM = reverse lM }
      variant   { !pM }
      let n = get !next !p in
      upd next !p !r;
      assert { list_seg !r !next !rM null };
      r := !p;
      p := n;
      match !pM with
      | Nil -> absurd
      | Cons h t -> rM := Cons h !rM; pM := t
      end
      done;
    !r

end

(** Using sequences instead of lists *)

module InPlaceRevSeq

  use int.Int
  use map.Map as Map
  use seq.Seq
  use seq.Mem
  use seq.Reverse

  type loc

  val function null: loc

  val function eq_loc (l1 l2:loc) : bool
    ensures { result <-> l1 = l2 }

  predicate disjoint (s1: seq 'a) (s2: seq 'a) =
    (* forall x:'a. not (mem x s1 /\ mem x s2) *)
    forall i1. 0 <= i1 < length s1 ->
    forall i2. 0 <= i2 < length s2 ->
    s1[i1] <> s2[i2]

  predicate no_repet (s: seq loc) =
    forall i. 0 <= i < length s -> not (mem s[i] s[i+1..])

  lemma non_empty_seq:
    forall s: seq 'a. length s > 0 ->
    s == cons s[0] s[1..]

  let rec ghost mem_decomp (x: loc) (s: seq loc) : (s1: seq loc, s2: seq loc)
    requires { mem x s }
    variant  { length s }
    ensures  { s == s1 ++ cons x s2 }
  =
    if eq_loc s[0] x then (empty, s[1..])
    else begin
      assert { s == cons s[0] s[1..] };
      let (s1, s2) = mem_decomp x s[1..] in (cons s[0] s1, s2)
    end

  use ref.Ref

  type memory 'a = ref (Map.map loc 'a)

  val acc (field: memory 'a) (l:loc) : 'a
    requires { l <> null }
    reads    { field }
    ensures  { result = Map.get !field l }

  val upd (field: memory 'a) (l: loc) (v: 'a) : unit
    requires { l <> null }
    writes   { field }
    ensures  { !field = Map.set (old !field) l v }

  type next = Map.map loc loc

  predicate list_seg (next: next) (p: loc) (s: seq loc) (q: loc) =
    let n = length s in
    (forall i. 0 <= i < n -> s[i] <> null) /\
    (   (p = q /\ n = 0)
     \/ (1 <= n /\ s[0] = p /\ Map.get next s[n-1] = q /\
         forall i. 0 <= i < n-1 -> Map.get next s[i] = s[i+1]))

  lemma list_seg_frame_ext:
    forall next1 next2: next, p q r v: loc, pM: seq loc.
    list_seg next1 p pM r ->
    next2 = Map.set next1 q v ->
    not (mem q pM) ->
    list_seg next2 p pM r

  let rec lemma list_seg_functional (next: next) (l1 l2: seq loc) (p: loc)
    requires { list_seg next p l1 null }
    requires { list_seg next p l2 null }
    variant  { length l1 }
    ensures  { l1 == l2 }
  = if length l1 > 0 && length l2 > 0 then begin
      assert { l1[0] = l2[0] = p };
      list_seg_functional next l1[1..] l2[1..] (Map.get next p)
    end

  let rec lemma list_seg_tail (next: next) (l1: seq loc) (p q: loc)
    requires { list_seg next p l1 q }
    requires { length l1 > 0 }
    variant  { length l1 }
    ensures  { list_seg next (Map.get next p) l1[1..] q }
  = if length l1 > 1 then
      list_seg_tail next l1[1..] (Map.get next p) q

  let rec lemma list_seg_append (next: next) (p q r: loc) (pM qM: seq loc)
    requires { list_seg next p pM q }
    requires { list_seg next q qM r }
    variant  { length pM }
    ensures  { list_seg next p (pM ++ qM) r }
  =  if length pM > 0 then
      list_seg_append next (Map.get next p) q r pM[1..] qM

  lemma seq_tail_append:
    forall l1 l2: seq 'a.
    length l1 > 0 -> (l1 ++ l2)[1..] == l1[1..] ++ l2

  let rec lemma list_seg_prefix (next: next) (l1 l2: seq loc) (p q: loc)
    requires { list_seg next p (l1 ++ cons q l2) null }
    variant  { length l1 }
    ensures  { list_seg next p l1 q }
  = if length l1 > 0 then begin
      list_seg_tail next (l1 ++ cons q l2) p null;
      list_seg_prefix next l1[1..] l2 (Map.get next p) q
    end

  let rec lemma list_seg_sublistl (next: next) (l1 l2: seq loc) (p q: loc)
    requires { list_seg next p (l1 ++ cons q l2) null }
    variant  { length l1 }
    ensures  { list_seg next q (cons q l2) null }
  = assert { list_seg next p l1 q };
    if length l1 > 0 then begin
      list_seg_tail next l1 p q;
      list_seg_sublistl next l1[1..] l2 (Map.get next p) q
    end

  lemma get_tail:
    forall i: int, s: seq 'a. 0 <= i < length s - 1 -> s[1..][i] = s[i+1]
  lemma tail_suffix:
    forall i: int, s: seq 'a. 0 <= i < length s -> s[1..][i..] == s[i+1..]

  let rec lemma list_seg_no_repet (next: next) (p: loc) (pM: seq loc)
    requires { list_seg next p pM null }
    variant  { length pM }
    ensures  { no_repet pM }
  = if length pM > 0 then begin
      let h = pM[0] in
      let t = pM[1..] in
      if mem h t then
         (* absurd case *)
         let (l1,l2) = mem_decomp h t in
         list_seg_sublistl next (cons h l1) l2 p h;
         list_seg_functional next pM (cons h l2) p;
         assert { length pM > length (cons h l2) }
      else begin
        assert { not (mem pM[0] pM[0+1..]) };
        list_seg_no_repet next (Map.get next p) t;
        assert { forall i. 1 <= i < length pM -> not (mem pM[i] pM[i+1..]) }
      end
    end

  val next : ref next

  let app (l1 l2: loc) (ghost l1M l2M: seq loc) : loc
    requires { list_seg !next l1 l1M null }
    requires { list_seg !next l2 l2M null }
    requires { disjoint l1M l2M }
    ensures  { list_seg !next result (l1M ++ l2M) null }
  =
    if eq_loc l1 null then l2 else
    let p = ref l1 in
    let ghost pM = ref l1M in
    let ghost l1pM = ref (empty : seq loc) in
    ghost list_seg_no_repet !next l1 l1M;
    while not (eq_loc (acc next !p) null) do
      invariant { !p <> null }
      invariant { list_seg !next l1 !l1pM !p }
      invariant { list_seg !next !p !pM null }
      invariant { !l1pM ++ !pM == l1M }
      invariant { disjoint !l1pM !pM }
      variant   { length !pM }
      assert { length !pM > 0 };
      assert { not (mem !p !l1pM) };
      let ghost t = !pM[1..] in
      ghost l1pM := !l1pM ++ cons !p empty;
      ghost pM := t;
      p := acc next !p
    done;
    upd next !p l2;
    assert { list_seg !next l1 !l1pM !p };
    assert { list_seg !next !p (cons !p empty) l2 };
    assert { list_seg !next l2 l2M null };
    l1

  let in_place_reverse (l:loc) (ghost lM: seq loc) : loc
    requires { list_seg !next l lM null }
    ensures  { list_seg !next result (reverse lM) null }
  = let p = ref l in
    let ghost pM = ref lM in
    let r = ref null in
    let ghost rM = ref (empty: seq loc) in
    while not (eq_loc !p null) do
      invariant { list_seg !next !p !pM null }
      invariant { list_seg !next !r !rM null }
      invariant { disjoint !pM !rM }
      invariant { (reverse !pM) ++ !rM == reverse lM }
      variant   { length !pM }
      let n = acc next !p in
      upd next !p !r;
      assert { list_seg !next !r !rM null };
      r := !p;
      p := n;
      rM := cons !pM[0] !rM;
      pM := !pM[1..]
    done;
    !r

end

(** This time with a fully automated proof.

    The key to a fully automated proof is to introduce an array of
    cells, called `cell` below, and then to resort to arithmetic and
    universal quantifiers to define lists (predicates `listLR` and
    `listRL` below).

    This proof requires no lemma function and no transformation.
    A single call to Z3 completes the proof in no time (0.04 s).
*)

module YetAnotherInPlaceRev

  use int.Int
  use map.Map

  type loc

  val (=) (l1 l2: loc) : bool ensures { result <-> l1 = l2 }

  val constant null : loc

  type mem = { mutable next: loc -> loc }

  val mem: mem

  let cdr (p: loc) : loc
    requires { p <> null }
    ensures  { result = mem.next p }
  = mem.next p

  let set_cdr (p: loc) (v: loc) : unit
    requires { p <> null }
    ensures  { mem.next = (old mem.next)[p <- v] }
  = let m = mem.next in
    mem.next <- fun x -> if x = p then v else m x

  predicate valid_cells (s: int -> loc) (n: int) =
    (forall i. 0 <= i < n -> s i <> null) &&
    (forall i j. 0 <= i < n -> 0 <= j < n -> i <> j -> s i <> s j)

  predicate listLR (m: mem) (s: int -> loc) (l: loc) (lo hi: int) =
    0 <= lo <= hi &&
    if lo = hi then l = null else
      l = s lo && m.next (s (hi-1)) = null &&
      forall k. lo <= k < hi-1 -> m.next (s k) = s (k+1)

  predicate listRL (m: mem) (s: int -> loc) (l: loc) (lo hi: int) =
    0 <= lo <= hi &&
    if lo = hi then l = null else
      m.next (s lo) = null && l = s (hi-1) &&
      forall k. lo < k < hi -> m.next (s k) = s (k-1)

  predicate frame (m1 m2: mem) (s: int -> loc) (n: int) =
    forall p. (forall i. 0 <= i < n -> p <> s i) ->
      m1.next p = m2.next p

  let list_reversal (ghost s: int -> loc) (ghost n: int) (l: loc) : (r: loc)
    requires { valid_cells s n }
    requires { listLR mem s l 0 n }
    ensures  { listRL mem s r 0 n }
    ensures  { frame mem (old mem) s n }
  = let ref l = l in
    let ref p = null in
    let ghost ref i = 0 in
    while l <> null do
      invariant { if n = 0 then l = p = null else
                  i = 0     && p = null    && l = s 0
               || i = n     && p = s (n-1) && l = null
               || 0 < i < n && p = s (i-1) && l = s i }
      invariant { listRL mem s p 0 i }
      invariant { listLR mem s l i n }
      invariant { frame mem (old mem) s n }
      variant   { n - i }
      let tmp = l in
      l <- cdr l;
      set_cdr tmp p;
      p <- tmp;
      i <- i + 1
    done;
    return p

  let rec ghost predicate is_list (m: mem) (l: loc) (s: int -> loc) (n: int)
    requires { n >= 0 }
    variant  { n }
  = if n = 0 then l = null else
      l = s 0 <> null && is_list m (m.next l) (fun i -> s (i+1)) (n - 1)

  let rec lemma cells_of_list (l: loc) (s: int -> loc) (n: int)
    requires { n >= 0 }
    requires { is_list mem l s n }
    variant  { n }
    ensures  { valid_cells s n }
    ensures  { listLR mem s l 0 n }
  = if n <> 0 then cells_of_list (cdr l) (fun i -> s (i+1)) (n - 1)

  let rec lemma list_of_cells (r: loc) (s: int -> loc) (n: int)
    requires { n >= 0 }
    requires { valid_cells s n }
    requires { listRL mem s r 0 n }
    variant  { n }
    ensures  { is_list mem r (fun i -> s (n-1-i)) n }
  = if n <> 0 then list_of_cells (cdr r) s (n - 1)

  let list_reversal_final (ghost s) (ghost n: int) (l: loc) : (r: loc)
    requires { n >= 0 }
    requires { is_list mem l s n }
    ensures  { is_list mem r (fun i -> s (n-1-i)) n }
    ensures  { frame mem (old mem) s n }
  = cells_of_list l s n;
    let r = list_reversal s n l in
    list_of_cells r s n;
    r

end

(** On a null-terminated list, `list_reversal` terminates. We have shown it
    already e.g. in the previous module.

    But `list_reversal` actually terminates on *any* list, even when it
    contains a loop. Indeed, the code will reach the loop while reversing
    the initial segment, will reverse the loop, and then will restore the
    initial segment. So we end up with a list where only the loop has been
    reversed.

      before          +---o<--o<--+
                      v           |
          o-->o-->o-->o-->o-->o-->o

      after           +-->o-->o---+
                      |           V
          o-->o-->o-->o<--o<--o<--o

    In the module below, we show that `list_reversal` always terminates.
    This requires ruling out inifitely-long lists i.e. assuming a finite
    amount of memory.
*)
module Termination

  use int.Int
  use int.NumOf
  use map.Map

  type loc

  val (=) (l1 l2: loc) : bool ensures { result <-> l1 = l2 }

  val constant null : loc

  type mem = { mutable next: loc -> loc }

  val mem: mem

  let cdr (p: loc) : loc
    requires { p <> null }
    ensures  { result = mem.next p }
  = mem.next p

  let set_cdr (p: loc) (v: loc) : unit
    requires { p <> null }
    ensures  { mem.next = (old mem.next)[p <- v] }
  = let m = mem.next in
    mem.next <- fun x -> if x = p then v else m x

  (* Finite memory hypothesis: the list is entirely contained in a finite
     set `s` of `n` cells *)

  predicate valid_cells (s: int -> loc) (n: int) =
    (forall i. 0 <= i < n -> s i <> null) &&
    (forall i j. 0 <= i < n -> 0 <= j < n -> i <> j -> s i <> s j)

  predicate inside_memory (s: int -> loc) (n: int) (l: loc) =
    l = null || exists i. 0 <= i < n && l = s[i]

  predicate finite_memory (m: mem) (s: int -> loc) (n: int) =
    forall i. 0 <= i < n -> inside_memory s n (m.next s[i])

  (* The variant is lexicographic, as follows:

     - as long as we still discover new cells, we mark them with
       increasing numbers (with function `idx` below) and the number
       of unmarked cells decreases;

     - once we reach a marked cell, this means we are back in the initial
       segment and then the mark decreases.
  *)

  function seen (s: int -> loc) (idx: loc -> int) (lo hi: int) : int =
    numof (fun i -> idx s[i] > 0) lo hi

  let ghost set_idx (s: int -> loc) (n: int) (idx: loc -> int) (l: loc) (k: int)
    requires { valid_cells s n }
    requires { inside_memory s n l }
    requires { l <> null }
    requires { idx l = -1 }
    requires { k = seen s idx 0 n >= 0 }
    ensures  { seen s idx[l <- k+1] 0 n = 1 + seen s idx 0 n }
  = assert { seen s idx[l <- k+1] 0 n = 1 + seen s idx 0 n by
             exists il. 0 <= il < n && l = s[il] so
               seen s idx 0 n = seen s idx 0 il + seen s idx (il+1) n &&
               seen s idx[l <- k+1] 0 n =
                 seen s idx[l <- k+1] 0 il + 1 + seen s idx[l <- k+1] (il+1) n }

  let list_reversal (ghost s: int -> loc) (ghost n: int) (l: loc) : (r: loc)
    requires { n >= 0 }
    requires { valid_cells s n }
    requires { finite_memory mem s n }
    requires { inside_memory s n l }
  = let ref l = l in
    let ref r = null in
    (* marking function: -1 for unmarked / 0 for null / >0 for marked *)
    let ghost ref idx = fun p -> if p = null then 0 else -1 in
    let ghost ref k = 0 in (* last mark *)
    while l <> null do
      invariant { inside_memory s n l }
      invariant { inside_memory s n r }
      invariant { finite_memory mem s n }
      invariant { k = seen s idx 0 n >= 0 }
      invariant { forall i. 0 <= i < n -> -1 <= idx s[i] <= k }
      invariant { forall p. idx p = 0 <-> p = null }
      invariant { if idx l = -1 then
                    idx r = k && forall i. 0 <= i < n ->
                    0 < idx s[i] -> idx (mem.next s[i]) = idx s[i] - 1
                  else forall i. 0 <= i < n ->
                    0 < idx s[i] <= idx l -> idx (mem.next s[i]) = idx s[i] - 1 }
      variant { n - k, 1 + idx l }
      if idx l = -1 then (set_idx s n idx l k; k <- k + 1; idx <- idx[l <- k]);
      let tmp = l in
      l <- cdr l;
      set_cdr tmp r;
      r <- tmp;
    done;
    return r

end
why3-1.6.0/examples/linked_list_rev/000077500000000000000000000000001440160026300173775ustar00rootroot00000000000000why3-1.6.0/examples/linked_list_rev/why3session.xml000066400000000000000000001203461440160026300224250ustar00rootroot00000000000000













 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
 
 
 
 
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
 
 


 
 
 
 
 
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
 
 
 
 
 
 
 
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
 
 
 
 
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
 
 
 
 
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
 
 
 
 
 
 
 
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
 
 
 
 
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
   
   
   
   
   
    
    
    
    
    
     
     
      
      
      
      
      
      
     
     
     
     
     
    
    
   
   
  
  
 
 
 
 
 
 
 
 
 
 
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
 
 
 
 
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
   
   
   
   
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
   
   
   
   
  
  
 
 
 
 
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
   
   
   
   
   
    
    
    
     
     
     
     
    
    
   
   
  
  
  
  
  
 
 


 
 
 
 
 
 
 
 
 
 
 
 
 
 
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
 
 
 
 
 
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
 
 
 
 
 


 
 
 
 
 
 
 
 
  
  
   
   
   
   
   
   
   
   
   
   
   
   
  
  
  
  
  
 
 
 
 
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
   
   
   
   
   
   
  
  
   
   
   
   
   
   
  
  
  
  
  
  
  
  
  
  
   
   
    
    
    
    
    
    
   
   
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
   
   
    
    
     
     
     
    
    
   
   
   
   
   
  
  
 
 



why3-1.6.0/examples/linked_list_rev/why3shapes.gz000066400000000000000000000331151440160026300220420ustar00rootroot00000000000000}Yod7~ަg
p_.lB	(@c/mu\{z"ȳfJ{ƪ!#_һxt黃8_w!ӯ_HW&A؃TW4i^_RNۻw
F	TbD|FԯKDZAH^_5:;(qPФ'2P*()C=O42td`@75OQLm/_R]ǧ7/ _>HqpOe$\a?1.;Ƚ_Z9e2Lm"3	W8ʠs'>=x37O'0ý½=h?M:4U딷.}R^(EczծYּ%'J>{5#ɨUk|Ot04ȣ	ҥ;S<%0WJЕ-V\c.ʓrnWc=6Nۇ7;Qљuj* 龾/4; yPT|Mգ.N sܮF#IݥtX{-͓*q5MiAV;iGm]fSz-N$3tOG?Rӣr޶hfxdXSkŹ#,^MPwOmPp8?-\?<{	NL-.`l?~z+wĕa~LLzRYߵ)Q=z}]Лdݓe='\}_S%
џ<M}|;DP劜%z-f򚤅>I;-Q=5vصL$cpO/-IJ䦧*yNQ'M[\1Խܭ˵@sve=p@
d?npAϫ`D'Ś&3qo3gM`q嫹ڸYF6ybVWyD#Ԅ]
vzt;㯔_761thI6uOg3ڠY5t/x3iͱo6I퍫'׻#~*ä	d
ďv
0p-&
    w)7}ax;TDTY\_Կ{7|G2Xְ6~崘xE?Ek緅]zlq3vO?wGwa#|(}CӿZG{åL4q[ZJ6CSZz^AN
g(h$3.ѧ&Mi[r}7g+FqW$x;+Y[>VzqVLB1k%r#TKgXL
tINb/Er6D:eBFw'2_qt3dx@P#ۊt軳hEVeȽr1BCgճ1MGѝ&WsE:r}W\[̕a-5^viofcZ2kVNbG9l|zGڝ,n8 6>s9.rEs,ku>ʻZ{ʃkː"fK~Wf	{FqqPv ޱ{ְujvj7X~ﹲZh#OnIMxn/až{9=u}.c|)M-HY~C6oy"Fڳ$K_o!mwB-mG.xy-vwgUuNY_V]jB'\oɶH.nnU6pg*ጮVn6zR?NQ߽?Xae[_AaW2>VϓsC=QDُBlo8X~ڶfaoRozŸ2gzfvZZce[=DB='֏ |OZlѦh{+`Kuk.J=̚PrQZ'>#tl||ApA1bA{/NhfvpVg3M}K}XiH8]$~IO-#rގe@gh1AULAu_zL=SSfRN=?Wnɬ4DO;9f5S-OP}D	\rUO7_]x%NtHfyGV0fhe鎶3,Wz2	v%N$^]3{TW/_%>}T|_njyF9r>k(VA	eTj:$=rQ{[<I03Sgc+xjHoW骲[nlb>ohg1#Q(ojFu5jHDґo
n2S66[*(Jm=vw'Uj:cqǷ9Vzyf[yfÑb@՝mUȧx߅BwJ@7mVNRǧ#n򡸃DƋNk#ZVugXu6ǩsӣI#,\KrJ~v@Mq>9zaE/ۣF;ozP=V飅)3iXj]"PZV>mnÍҐ~Όc@}"b/yCϞV_xinžѲ(qrUle Alݖw{%sp
1PO$];Bgv'n=؈|LGZ25GGZe>!ī4]>D#@<
:a]Nl]yz_i1/ǀCcD]=?=D8HvƾF~_:uuX]}tʂوh'u>YY@BI-&GIkidؠ&\_L6td;
<ݩO7s|'ckɋC;on@|&fڌDVqEV
Cr'd~&݉)
quD&g$W68qoc@r¸P-.Ch!H꽏hv~wv0uF[OweXxŌ$W/ˬ=ˬ2:Kg,ݗl(d[4"Hu6Ԍvz+AIzh}ae;إ)s;N|Y1
C;Qxǀ%GuP|;{a"@Ia7D]0ϯ?L+!n̛wnWcOk{E;|G%AG>O۟[+k .]nc>@j!h;Mm|t0~'a䳣ev4:ziE݂4io/ UM`ݛNeyK8%IIҰV/p/sc?/7}3&""ZMgHx+iOx?_z)2nf'O ]eg*yVN}{mjvjG[y#넍[k9Q=ByݻX!gsW?bW/4ow
c'u:L=6>K&v=}@
1r-3Mi0ۿDsEbhc+뮻pn?)uTz&ԓ
IR
}zL*ߙs_8Bvwo@RjAG'|ht8yCޡk+f^Dq	#o}x{S67GOڐK[
-1~'^\6:ұ~aӒorD}7uf12
|un"m]|cёIO
m'#GTd
٨JPTb-ɽ-
GSz~ !"47	rK{D{|"x'_Xɋg!'!1tB	+z%팰B#9A)@c-˰$sm<yD-+֛_^y7)-aw"qZ)mjg)=XO-nq,,L]S{Rzm7\`]}Q:Ax`y2vf}O! QO^}Κ˨skb	z1&۟'Epɟ	?3U{KWU@izqt0OzOZ]hS(Nw/һfkQ){l!6[uMr
z:e;?s0o[ecm9ut?wk`>ns0Gê#
ض0A-NI+q՛3{g e|UFt3j{@U\:*'%/Kϰ9!w>-Jejsրnydfeu3|
mg2/~=y3vCqݕn"ub}d
e=1ԉ@v	ӓyY?ۭgl/^JØy@<@*17L!WvsOkЋT><h/{<NH&?*ڻw4y_۩h5Ͱ
_uH{>K~h@E7mxSmi+uR	Ţ2(i+^}*lQNDֱ{Jk?X^na.CM:XZ[cItק
|QDP/Z.IQ*xBuu?<{3p%#7dkGz/<1هLGfrJVu:׺UȻDQVMeލԴpS#7ƥuYnMD:!c3x
	ڙ~#f!,yw&ZБQ_9ڮfjow_= 5d3Ogni$V&3S@J)Ն^7'̍i 1tl*^zQZvzu2Zam{j[(zq	
]q_)třSX0X(nZ(ǝleu}@q(i[IL(B.kr%W\-5̥7ŒCvh9ep98뵿47݄
fEQF+
$aHitXtTwE(jʣ5	㋻&;f]eUC~TRx
C6cR	2e ɕ`TcH2!2RioYb*uNJyF)/q@7BaB{d>4!RoQFodzAꤋ
 9Kaȣpr7>4
evOvuFj0sm8_]JV`K@ZCbqLp%j&)2(.ZĎQe腲M(Ft@QQ'uݍ7hъ~>fD4UFj%&Ry7Fq7poI1Eg1I!1Ա$g/1ƨObRBljb(a"TǑO_a`AE Ds۸’Vrlu|0Vzi	7."RvRd5<\slG/ .7e<FR\/6n4R:a)8}`VV&øCO	Gh)jR8cǜQ#VTFg$4X(A!.FB}>Q1FIcMfY
3b2RUmk|>荰ѕ}vp#F	c%?xpZ0 ;_58D?PT=ƬlVx_?z7&̉BQGQci0d(|%AQtvshQu-tUEDNmEWvɢU]w~mrHPSmq0Τj23g=Hc
!9!cɈ<Оkp>h	Jр;;|I upū(Ocg!T֍AHc,ua4e[o"n\q(zeDZTcPP7/fN"")@rP^d%p{@vzIҒu"N`#z)$Nh$]DnL*(F@
E&'3
YG>f0(82OF,lep:!Ha%Bjy(T	Oyyd
w_ַ)C6H0H#G\Z9uPuT6FB%&BCRAn;UXX(EӐFUĀd$&-R`uQDy1"A;A)
(͒LȾ"ӛAc i\<#H50^. iQҩ4ByeE+Q2
>IWݘ"j6H]!$MAH Lc\&5dl@ASaI6Rqs(sQ(UV:X9XJYD#RQ#>Q
Fql1X*Q&!rQKOl@zupP=&FBdQĜrjy	0S۪ϱQJaYQ)S4a@`2u
yZNgي )0 9wE-E")X酤^mP>FiC4#r窇qTTA2ʩHҴ@,ZxH>j'tc% 0%Z<Q!`R!OKØRf&N@+D!;Xc2B[$dL<=A$djۤz$5D-t
y#dLd#RfxK#P||B07t=
qSIMdiZ2۠RF1Z!:P?~tUT,dp8RGPT$A1FC_Pd!nq㟃2#hu5 Or"%橍<$	e
"]FTVAx7^4%o`*jigJb(Õ8p_ADG1Y449z	(C7?#M 8$HpO2=r2+
[~-Cs2)7ı"k4[4"A]gæ8#?2 SD74KǬ3\	^yDBF(^N%4Pg"oHU[Q	ePTYP@J&"8
)TG+8ė1T	؊hCP FgƊf:!Sl3
LB*4X:dܠ1JXDbT=+/5wӠ,aJQ"ժ0,AB'C-.,Wl.wB]"+ 2`(1x:EN!)
),}@8d*HY%d^
fFZe: Bմ8!1lXiE\"^m+FM%` Aܧ!9gp&%(uJ=^?*r3Ca!Pɔ%g06S2"@)cV{+qJ:L1k%0	Z`0ǔ
4|iH3d >f֥hbIPsiEXcip	ZJ#:x5@gK#5
~#(	eh}]ui@B2_>O"IfDHl!ėE5JfQ#!FISڨG1ÂFpTEdچ< iݐa9I̓jg/քtx; [JYSZ/dԟCJA9bS:(Ro>T͗A]4QaHiE!L|9NeHRHQBGɤBeq$6&Ihr'بmHݗG{$H#.	
Hw8Vc#2fSNV`DfMF
%
3$D`M/OA)F7#x@E_2PQ9RXrQV(7U%h<|pN{
.A"
 𐂞߁\nRUtMi@	ȄDڅTO:eo%@*Ê#+ G|O+H
lSFBT9m2 V/C/RT>Pƨ#|}΅骤Y
h)Ifzt+j%@
#WV(.K?nHzP:צMPZkZ_iZQR]AՊ*?(il*Dٟ~!K$G006CEB-:qTׇ8zr(ڏHCAK#w ]tRF0Zty߇!uى6^*۪ɿm
Y;LYjP0(YڢCtʝ΄)ҞYڄ
9pJUqBi{N	脂(C@gSƿc
p4ຌ0!cuBX 2݂K)pؘR#G21El!:v酤S?ј!i3n:xdtd2"'9V$E|Qdeљ11#W,Q#F6,g#SzH*'R8=zS;eJAVIsT%%7mEZFs)=NY_늮҉2
儆3(p*'~r:k
툙JuV	iߓW*|z,aSMo#*[Q	'1J(1#?Z퍵cQYrmDNR8wD-MG&ssZjQf-"򆺅$M'	+(kV˄!A*iT6g.jRcAlеJOgO?[f6Ab@tZdDԀq(\+qDaz^Fq@1br.^%	kZ"@F3Ym"
gG0و:&s2}!lc҇H*"]":Rh=^i,)ӆQX"&jCCJ01K(KXڍ@NVc1Yzq>Q̉4qft"pt;RTN<EYTƊBю}(
&!85i,bhwf$,OB`hePcYB~h <^I{#n/I1Fe)"4/̮!Tgcl|ZOlCTϮ.d907|z.l:FYdhY(hr@7h5"|tPc"6Tr&cSa/?
CPMHuTpNUJ')H8F>
yP\H`rA
A*y_/ˉ<Q;PԔ$31J9!?C|"ʚͨw4*`1Z,jtŤR/e
;ȝQa2-]%)W$"ik)qΤ1![CʯftRfUEUZDF/Q$8SSC:$X)3*QVh5eZ#ЌP-Gi_`
N&imtEDDt< QY2KWfAI-i
0_ErwAYPV$[xt䭿why3-1.6.0/examples/list_removal.mlw000066400000000000000000000136041440160026300174470ustar00rootroot00000000000000
(** Removing an element from a singly-linked list.

    Authors: Jean-Christophe Filliâtre (CNRS)
             Andrei Paskevich (Univ Paris-Saclay)

  The following is inspired by this interview of Linus Torvalds:

    https://www.youtube.com/watch?v=o8NPllzkFhE

  Assume that you are given singly-linked lists in C, like this:

    typedef struct Entry *entry;
    struct Entry { entry next; };
    typedef struct List { entry head; } *list;

  That is, there is a header structure (struct List) with a 'head'
  field to the first element of a singly-linked list of list cells
  (struct Entry).

  You are given a list 'l' and some entry 'e' that belongs to the list,
  and you have to remove it from the list. There is a pedestrian way of
  doing it, like this:

    void remove(list l, entry e) {
      entry prev = NULL, curr = l->head;
      while (curr != e) {
        prev = curr;
        curr = curr->next;
      }
      if (prev)
        prev->next = curr->next;
      else
        l->head = curr->next;
    }

  But there is another one which avoids making a particular case for the
  first element, like this:

    void remove2(list l, entry e) {
      entry *ind = &l->head;
      while ( *ind != e )
        ind = &( *ind )->next;
      *ind = ( *ind )->next;
    }

  In the following, we explore the loop invariants involved in the
  verification of these two programs. We make the following two
  simplifications:

  - The memory model does not make a distinction between the two types of
    structures. In practice, this is an important point in the discussion.
    But here we are rather focusing on the loop invariants.

  - In the function contract, we underspecify the problem, using only
    the length of the list, not its contents.

*)

use int.Int
use map.Map

(** Minimal memory model *)

type loc
val (=) (x y: loc) : bool ensures { result <-> x=y }

type mem = loc -> loc
val ref mem: mem

val constant null: loc

val constant head: loc
val constant entry: loc (* the entry to be removed from the list *)

(** Program global variables *)

axiom head_is_not_null : head <> null
axiom entry_is_not_null: entry <> null
axiom head_is_not_entry: head <> entry

(** Chains of pointers. *)

(** When starting from `x` and dereferencing pointers `n` times we get `y` *)
let rec predicate list (mem: loc -> loc) (x: loc) (n :int) (y: loc)
  requires { n >= 0 }
  variant  { n }
= if n = 0 then x = y
  else x <> null && list mem mem[x] (n - 1) y

val get (x: loc) : loc
  requires { x <> null }
  ensures  { result = mem[x] }

val set (x y: loc) : unit
  requires { x <> null }
  writes   { mem }
  ensures  { mem = (old mem)[x <- y] }

let rec lemma list_concat
  (mem: mem) (x: loc) (n1: int) (y: loc) (n2: int) (z: loc)
  requires { n1 >= 0 } requires { n2 >= 0 }
  requires { list mem x n1 y }
  requires { y <> null }
  requires { list mem mem[y] n2 z }
  ensures  { list mem x (n1 + 1 + n2) z }
  variant  { n1 }
= if n1 > 0 then list_concat mem mem[x] (n1 - 1) y n2 z

lemma path_shorten:
  forall mem x n y. list mem x n y -> n > 0 -> list mem mem[x] (n - 1) y

lemma path_extend:
  forall mem x n y. n >= 0 -> list mem y n x -> x <> null ->
  list mem y (n + 1) mem[x]

let rec lemma no_cycle_to_null (mem: mem) (e: loc) (n n': int)
  requires { 0 < n } requires { 0 <= n' } requires { e <> null }
  requires { list mem e n e }
  requires { list mem e n' null } ensures { false }
  variant  { n' }
= if n' > 0 then begin
    list_concat mem mem[e] (n-1) e 0 mem[e];
    no_cycle_to_null mem mem[e] n (n' - 1)
  end

let lemma jump_over (mem: mem) (x: loc) (n1: int) (y: loc) (n2: int)
  requires { n1 >= 0   } requires { list mem x n1 y }
  requires { y <> null } requires { mem[y] <> null }
  requires { n2 > 0    } requires { list mem mem[y] n2 null }
  ensures  { list mem[y <- mem[mem[y]]] x (n1 + n2) null }
= assert { list mem mem[mem[y]] (n2 - 1) null };
  let mem' = mem[y <- mem[mem[y]]] in
  let rec frame_after (n': int) (z: loc) (n: int)
     requires { 0 <= n' } requires { list mem y n' z    } requires { z <> y }
     requires { 0 <= n  } requires { list mem z n  null }
     ensures  { list mem' z n null }
     variant  { n }
  = if n > 0 then frame_after (n' + 1) mem[z] (n - 1) in
  let rec frame_before (z: loc) (n: int)
    requires { n >= 0 }
    requires { list mem  z n y }
    ensures  { list mem' z n y }
    variant  { n }
  = if n > 0 then frame_before mem[z] (n - 1) in
  frame_after 1 mem[y] n2;
  assert { list mem' mem[mem[y]] (n2 - 1) null };
  assert { list mem' y n2 null };
  frame_before x n1;
  ()

(* Code 1 *)

let remove1 (ghost n1 n2: int) : unit
  requires { n1 > 0 } requires { n2 > 0 }
  requires { list mem head  n1 entry }
  requires { list mem entry n2 null }
  ensures  { list mem head  (n1 + n2 - 1) null }
= let ref prev = null in
  let ref curr = get head in
  let ghost ref n = 1 in
  while curr <> entry do
    invariant { 0 < n <= n1 }
    invariant { list mem head n curr }
    invariant { curr <> null }
    invariant { prev = null -> n = 1 }
    invariant { prev <> null -> mem[prev] = curr }
    invariant { prev <> null -> list mem head (n - 1) prev }
    invariant { list mem curr (n1 - n) entry }
    invariant { list mem entry n2 null }
    variant   { n1 - n }
    prev <- curr;
    curr <- get curr;
    n <- n + 1
  done;
  if prev = null then (
    jump_over mem head 0 head n2;
    set head (get curr);
  ) else
    set prev (get curr)

(* Code 2 *)

let remove2 (ghost n1 n2: int) : unit
  requires { n1 > 0 } requires { n2 > 0 }
  requires { list mem head  n1 entry }
  requires { list mem entry n2 null }
  ensures  { list mem head  (n1 + n2 - 1) null }
= let ref ind = head in
  let ghost ref n = 1 in
  while get ind <> entry do
    invariant { 0 < n <= n1 }
    invariant { ind <> null }
    invariant { list mem head (n - 1) ind }
    invariant { list mem mem[ind] (n1 - n) entry }
    invariant { list mem entry n2 null }
    variant   { n1 - n }
    ind <- get ind;
    n <- n + 1
  done;
  set ind (get entry)
why3-1.6.0/examples/list_removal/000077500000000000000000000000001440160026300167225ustar00rootroot00000000000000why3-1.6.0/examples/list_removal/why3session.xml000066400000000000000000000405501440160026300217460ustar00rootroot00000000000000










 
 
  
  
  
  
  
  
 
 
 
 
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
 
 
 
 
 
 
 
 
 
 
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
 
 
 
 
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
 
 
 
 
  
  
  
  
  
   
   
   
   
   
   
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
   
   
   
  
  
  
  
  
 
 
 
 
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
 
 



why3-1.6.0/examples/list_removal/why3shapes.gz000066400000000000000000000113561440160026300213700ustar00rootroot00000000000000ZYk\ɒ~ׯЛƐ`7S>
2&Wfl#Mۿ~ȳ"-rt#թ\#>翷ϗWv7_-tÇ]|c,&]5?uz1JW2]ݞVnZ[?ݴr}U/o%fv(lݹv]ک۹wNBގwm;;ߺ	mE(>ߞ_ߜ|UcI\<h=1}g}M<<}Q:8[|?7~aTo:C+;bW=cv?w^Po_q>p՗ϭZgC+i,EE"۽Lv;Upڅ]zc̘ fa>x"q'2'OȬ

w;!Wd>'7Ąݯrx;>F6O$W|tQNel2G2*c&8eIz1̼=k?~}?2 o<(jAN*bS9
vż~b|SQ3i-SrU#^X=,xH-.op.r{+(}WςrYGhwőiQ_ƴYi#j@hà &QMcZK1Z$`<Жj9&hO1j2GS0|1H	RRԆ|d$c{Ǧ4LAX)ִtu|-k};킾]o}7G-/Wksהe
p)ʊSLCo{#,N0)bI/sx?T{t*_>_:{TvU-ׇֻ؋l}3FX*ts5r|̏nN2 fβziD(yXHRqN #ñ)ݔGͱ&,\w2eib$=}^),rd쎧i$ߙ=ô;3[=78kXV/X4o={&-,ew6LV;8OY'g=i`=h`8
ac>4/0/ƏͻeQC3lbx Yl84+:.۹Fn,E;_\brƇ "M)Qf6EX5'B
m(+\SKNK'Ss#}t~y4ܗW#燋y%A>G_ܞn6
ə3GLlo*cP_fI&}iccOF\7i|VrbyGleJ^XfXL|00O~O'|h2ZզRګ-7}ngygjd۞nc{3}=3f|9}%{?~lz9jL9rf@=
Ի3jMod)X
ERi r1?N0&	N=,sÎ*swc]9%'(eTwuu7jdRL͚҄MG[]<*0<^;礦ŝWӊƓ1(Nثdbiwb
JLH*'QZUV-fRv.;x"߯T}gIy~Xae]IɃV(Em\+K,zL{`eKYՎXYHqo^١Zj|ܴ5wر˫(ԼufͬB"^vo+oexO?8@ޙ>k?9nɊOfeANhT=)x8x]hf>
ư-}g|ɹg}=e|N#drdFy$c
$VG1Iџ
ТDY|Sl\h"M5NPo'=id;L8>dKn־wWJ@^31Š۸Ḡ3ꜳBeܳ"'%0~	n|׊r5OTl2q-{%!TCh=>XdԂ\)Y܈AgO|p=[`ӹ
"/-8KSIR}?
tQDTH#oTc2&m>yרda\ؐAQ,eWqQٷ䘸H?[k:Vw8wOIDV"8mJΣeEPTf!iyqEUO֡ Aɢ$-y+R#@H$
4֠sRV	MG
MHFR[7=
ԣ
yI9B,:5:_=$rrYAD~VҖ&I.fz+j ]ﭞվD}xapW0>)vEb!ה
m'~\3#^1>ЇI94J	
?:bчd?+M͎1(UK9}fI$h|b,CEA"
n̄Y3K)>>e4XʾoRK.hBȍ``dٜfk[	nZZg# \WVG?:eN%owȉ	$Ktk
!j
C	EAE$~NKAwhy3-1.6.0/examples/locate_max.mlw000066400000000000000000000011301440160026300170520ustar00rootroot00000000000000(** Simple example to illustrate the C memory model *)

use int.Int
use map.Map as Map
use mach.c.C
use mach.int.Int32
use mach.int.Int64

function ([]) (a: ptr 'a) (i: int): 'a = Map.get a.data.Array.elts (a.offset + i)

let locate_max (a: ptr int64) (n: int32): int32
  requires { 0 < n }
  requires { valid a n }
  ensures  { 0 <= result < n }
  ensures  { forall i. 0 <= i < n -> a[i] <= a[result] }
= let ref idx = 0 in
  for j = 1 to n - 1 do
    invariant { 0 <= idx < n }
    invariant { forall i. 0 <= i < j -> a[i] <= a[idx] }
    if get_ofs a idx < get_ofs a j then idx <- j
  done;
  idx
why3-1.6.0/examples/locate_max/000077500000000000000000000000001440160026300163365ustar00rootroot00000000000000why3-1.6.0/examples/locate_max/why3session.xml000066400000000000000000000010671440160026300213620ustar00rootroot00000000000000






 
 
 



why3-1.6.0/examples/locate_max/why3shapes.gz000066400000000000000000000005231440160026300207760ustar00rootroot00000000000000Mk0uk.&a2(8|배I6''Dz_#-Yd߮("p\EjA'nNh>g`KW,vaP\[0lzЉ[suhjymm6@>&94p!
~qȓS<5P#SUi@j,\8}PkJ4Xq;Xwx,_nH	ǪCӴtUn<ڝdIW( '1 9CAdn\=&җl`X[$b:$<ʮ@D{uHdMR<kكRwhy3-1.6.0/examples/logic/000077500000000000000000000000001440160026300153175ustar00rootroot00000000000000why3-1.6.0/examples/logic/First.why000066400000000000000000000003611440160026300171370ustar00rootroot00000000000000theory First

  type t
  constant c : t
  predicate a
  predicate p t
  predicate q t
  function f (t) : t

  goal P1 : (forall x:t. p(x)) -> (exists x:t. p(x))
  goal P5 : (forall x:t. p(x) -> p(f(x))) -> forall x:t.p(x) -> p(f(f(x)))

end
why3-1.6.0/examples/logic/First/000077500000000000000000000000001440160026300164065ustar00rootroot00000000000000why3-1.6.0/examples/logic/First/why3session.xml000066400000000000000000000043151440160026300214310ustar00rootroot00000000000000














 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 



why3-1.6.0/examples/logic/First/why3shapes.gz000066400000000000000000000002171440160026300210460ustar00rootroot00000000000000-ʱ0=_:9nT$rߓ".jo}~{k-Fo9Xc%vn53<HQ)
FyBN`T x = Agatha \/ x = Charles \/ x = Butler

  axiom MURDER :
    exists x:person.
    lives x /\ killed x Agatha

  axiom Hate_and_killed :
    forall p1 p2:person. killed p1 p2 -> hates p1 p2

  axiom Killed_and_wealth :
    forall p1 p2:person. killed p1 p2 -> not (richer p1 p2)

  lemma Diff1 : Agatha <> Butler

  lemma Diff2 : Agatha <> Charles

  lemma Diff3 : Charles <> Butler

  axiom H1 :
    forall x:person. hates Agatha x -> not (hates Charles x)

  axiom H2 :
    forall x:person. x <> Butler -> hates Agatha x

  axiom H3 :
    forall x:person. not (richer x Agatha) -> hates Butler x

  axiom H4 :
    forall x:person. hates Agatha x -> hates Butler x

  axiom H5 :
    forall x:person. exists y:person. not (hates x y)

  goal Enigma: killed Agatha Agatha


end
why3-1.6.0/examples/logic/agatha/000077500000000000000000000000001440160026300165445ustar00rootroot00000000000000why3-1.6.0/examples/logic/agatha/why3session.xml000066400000000000000000000055221440160026300215700ustar00rootroot00000000000000












 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 



why3-1.6.0/examples/logic/agatha/why3shapes.gz000066400000000000000000000005261440160026300212070ustar00rootroot00000000000000m?O0|؎ԡFR6$"@J|{Ǝt{w~gn-0v7ُ{ũT=8~L!í&Q?_t[eC u}h[hTuv4|um\ro7E[Q'Z4ZFل-.WFz:S
DWJ?d`%#%㔚n)gP˒̥*P\1U(@p*{J<	[lzNH@@*$ȹ;FH4`3+
<dJAj9+`

ۛ~#_why3-1.6.0/examples/logic/bitvectors.why000066400000000000000000000036031440160026300202360ustar00rootroot00000000000000theory TestBV

  use int.Int
  use bv.BV32

  constant b0000  : t = (0b0000:t)
  constant b0001  : t = (0b0001:t)
  constant b0010  : t = (0b0010:t)
  constant b0011  : t = (0b0011:t)
  constant b0110  : t = (0b0110:t)
  constant b0101  : t = (0b0101:t)
  constant b0111  : t = (0b0111:t)
  constant b1100  : t = (0b1100:t)
  constant b11100 : t = (0b11100:t)

  constant bv2    : t = (2:t)
  constant bv31   : t = (31:t)

  goal g1 : bw_and b0011 b0110 = b0010
  goal f1 : bw_and b0011 b0110 = b0011

  goal g2 :  bw_or b0011 b0110 = b0111
  goal f2 :  bw_or b0011 b0110 = b0110

  goal g3 :  bw_xor b0011 b0110 = b0101
  goal g4 :  bw_not b0011 = (0xFFFFFFFC:t)

  goal g3a : lsr_bv b0111 bv2 = b0001
  goal g3b : lsr_bv ones bv31 = b0001
  goal f3c : lsr_bv ones (0x10000001:t) = (0x7FFFFFFF:t) (* should be false: we don't take the modulo of the second argument. *)

  goal g3aa : lsr b0111 2 = b0001
  goal g3bb : lsr ones 31 = b0001
  goal f3cc : lsr ones 0x10000001 = (0x7FFFFFFF:t) (* should be false: we don't take the modulo of the second argument. *)

  goal g4a : lsl_bv b0111 bv2 = b11100
  goal g4b : lsl_bv b0001 bv31 = (0x80000000:t)

  goal g4aa : lsl b0111 2 = b11100
  goal g4bb : lsl b0001 31 = (0x80000000:t)

  goal g5a : asr_bv b0111 bv2 = b0001
  goal g5b : asr_bv ones bv31 = ones

  goal g5aa : asr b0111 2 = b0001
  goal g5bb : asr ones 31 = ones

  goal g6a : t'int b11100 = 28
  goal g6b : t'int ones = 0xFFFFFFFF

  goal g7a : to_int b11100 = 28
  goal g7b : to_int ones = -1

  goal g8a : nth_bv b0110 bv2 = True
  goal g8b : nth_bv b0110 (3:t) = False

  goal g8aa : nth b0110 2 = True
  goal g8bb : nth b0110 3 = False

  goal gtt : t'int (lsl_bv (3:t) (30:t)) > 0 (* = 0xC0000000 *)
  goal gttt : t'int (lsl (3:t) 30) > 0 (* = 0xC0000000 *)

  goal not_not : forall v:t. bw_not (bw_not v) = v

  goal not_and : forall v1 v2:t.
    bw_not (bw_and v1 v2) = bw_or (bw_not v1) (bw_not v2)
end
why3-1.6.0/examples/logic/bitvectors/000077500000000000000000000000001440160026300175035ustar00rootroot00000000000000why3-1.6.0/examples/logic/bitvectors/why3session.xml000066400000000000000000000173411440160026300225310ustar00rootroot00000000000000











 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 



why3-1.6.0/examples/logic/bitvectors/why3shapes.gz000066400000000000000000000017531440160026300221510ustar00rootroot00000000000000Un5SdDZ VvhF;em`ܴ_8[WOWrb?ym71"
%~Y
^rw/R\R}ۇlu!z]?Xt}&53h#ng֛~<:X;,g$?%ŗU%O9%uEO<\h̪C'XL^
~[n>ow${-?/gؗ_.4	&<}6
ϣw/|]JZ::.k1+hDW5ѽvcLQ	pGC5DSO&;@"xc'e8<¶o#l0
#A\bW5eT
U@fXM-
u6vzrRӱ]PRTTe%u
1x*mQXLȜõcu۪}R'^|ת;W44Z׹Z܈M93Œ^ޣo^#߇	{	惒4E,;QfC嶓n*ƞ’b{fK[=P(ewhy3-1.6.0/examples/logic/bvsum.mlw000066400000000000000000000011141440160026300171710ustar00rootroot00000000000000
module PureBV

use bv.BV32

lemma add_bv : forall x y. add x y = add (bw_and x y) (bw_or x y)

goal g : forall x y z.
  add (add x y) z = add (bw_and (add (bw_and x y) (bw_or x y)) z) (bw_or (add (bw_and x y) (bw_or x y)) z)

end 

module Mixed

use bv.BV32
use int.Int

lemma add_bv : forall x y. add x y = add (bw_and x y) (bw_or x y)

lemma add_bv_int : forall x y. to_int x + to_int y = to_int (bw_and x y) + to_int (bw_or x y)

(*
goal g : forall x y z.
  to_int x + to_int y + to_int z = (bw_and (add (bw_and x y) (bw_or x y)) z) (bw_or (add (bw_and x y) (bw_or x y)) z)
*)

end 

why3-1.6.0/examples/logic/bvsum/000077500000000000000000000000001440160026300164535ustar00rootroot00000000000000why3-1.6.0/examples/logic/bvsum/why3session.xml000066400000000000000000000025431440160026300214770ustar00rootroot00000000000000









 
 
 
 
 
 


 
 
 
 
 
 
 
 



why3-1.6.0/examples/logic/bvsum/why3shapes.gz000066400000000000000000000003271440160026300211150ustar00rootroot000000000000001N0E{%,ؓd%ڈj=N@*D5f'=goeϚQH)h	1kmMoI.VcCvjZe/w~nGRsHI\-ƸO"-Xh}165T+)4C06"z"OW"x?Nj`q9[URxwhy3-1.6.0/examples/logic/distr.why000066400000000000000000000006031440160026300171740ustar00rootroot00000000000000

theory T

  use int.Int

  constant n : int

  constant a : int
  constant b : int
  constant c : int
  constant d : int
  constant e : int
  constant f : int

  goal G : (n * a + b) * (n * c + d) =
     n*n*a*c + n*(a*d+b*c) + b*d


  goal G3 : (n * n * a + n * b + c) * (n * n * d + n * e + f) =
     n*n*n*n*a*d + n*n*n*(a*e+b*d) + n*n*(a*f + b*e+c*d) +
     n*(b*f+c*e) + c*f

end
why3-1.6.0/examples/logic/distr/000077500000000000000000000000001440160026300164445ustar00rootroot00000000000000why3-1.6.0/examples/logic/distr/why3session.xml000066400000000000000000000020511440160026300214620ustar00rootroot00000000000000








 
 
 
 
 
 
 
 
 
 



why3-1.6.0/examples/logic/distr/why3shapes.gz000066400000000000000000000003041440160026300211010ustar00rootroot00000000000000UK0D9EnҤ-1{n&?(B$nH<~3WJG(>ZДwgZq_2Wl?t=^Y,k%\2ߩ?M?2N/ofW7&ij74{rDG)No$۽-zqp!k%dZQwhy3-1.6.0/examples/logic/drinker.mlw000066400000000000000000000001641440160026300174770ustar00rootroot00000000000000
type t

constant a : t

predicate b t

goal drinkers_paradox: exists i:t. b i -> forall j:t. b j

predicate c int

why3-1.6.0/examples/logic/drinker/000077500000000000000000000000001440160026300167555ustar00rootroot00000000000000why3-1.6.0/examples/logic/drinker/why3session.xml000066400000000000000000000041071440160026300217770ustar00rootroot00000000000000





 
 
  
  
   
   
    
    
     
     
      
      
      
      
     
     
    
    
   
   
  
  
  
  
   
   
    
    
     
     
    
    
   
   
  
  
 
 
  
  
   
   
    
    
    
    
   
   
  
  
  
  
   
   
  
  
 
 



why3-1.6.0/examples/logic/drinker/why3shapes.gz000066400000000000000000000007571440160026300214260ustar00rootroot00000000000000=n1~99
=^+AMմQ6Էgvda0?|./|N/_ŕ>1-8jvKRJLVإ
5	)e%
E!ɉOȉ+JG
T4k#p!0b4*H> ĞqwfCu'J>s8Q0(67ăb8MpIuH&ҳ}4(MgksbL՛i
AeZɱDloSO\NאdUrJ:C]G?PI&͠V(kLYa:$ kQcˣ<8C$$gm>q;\Hy9j
ڷ0R9=-AZlo*Tfnؑx!why3-1.6.0/examples/logic/einstein.why000066400000000000000000000076721440160026300177020ustar00rootroot00000000000000
(** {1 Einstein's Logic Problem} *)

(**
   This problem is usually referred to as Einstein's Logic Problem.
   see {h this page}
   (contribution by Stephane Lescuyer)
*)

theory Bijection
  type t
  type u

  function of t : u
  function to_ u : t

  axiom To_of : forall x : t. to_ (of x) = x
  axiom Of_to : forall y : u. of (to_ y) = y
end

(** {2 Einstein's problem} *)

theory Einstein

  (** Types *)

  type house  = H1 | H2 | H3 | H4 | H5
  type color  = Blue | Green | Red | White | Yellow
  type person = Dane | Englishman | German | Norwegian | Swede
  type drink  = Beer | Coffee | Milk | Tea | Water
  type cigar  = Blend | BlueMaster | Dunhill | PallMall | Prince
  type pet    = Birds | Cats | Dogs | Fish | Horse

  (** Each house is associated bijectively to a color and a person *)

  clone Bijection as Color with type t = house, type u = color, axiom .
  clone Bijection as Owner with type t = house, type u = person, axiom .

  (** Each drink, cigar brand and pet are associated bijectively to a person *)

  clone Bijection as Drink with type t = person, type u = drink, axiom .
  clone Bijection as Cigar with type t = person, type u = cigar, axiom .
  clone Bijection as Pet   with type t = person, type u = pet, axiom .

  (** Relative positions of the houses *)

  predicate leftof (h1 h2 : house) =
    match h1, h2 with
    | H1, H2
    | H2, H3
    | H3, H4
    | H4, H5 -> true
    | _      -> false
    end
  predicate rightof (h1 h2 : house) =
    leftof h2 h1
  predicate neighbour (h1 h2 : house) =
    leftof h1 h2 \/ rightof h1 h2

  (** {2 Clues} *)

  (** The Englishman lives in a red house *)
  axiom Clue1: Color.of (Owner.to_ Englishman) = Red

  (** The Swede has dogs *)
  axiom Clue2: Pet.of Swede = Dogs

  (** The Dane drinks tea *)
  axiom Clue3: Drink.of Dane = Tea

  (** The green house is on the left of the white one *)
  axiom Clue4: leftof (Color.to_ Green) (Color.to_ White)

  (** The green house's owner drinks coffee *)
  axiom Clue5: Drink.of (Owner.of (Color.to_ Green)) = Coffee

  (** The person who smokes Pall Mall has birds *)
  axiom Clue6: Pet.of (Cigar.to_ PallMall) = Birds

  (** The yellow house's owner smokes Dunhill *)
  axiom Clue7: Cigar.of (Owner.of (Color.to_ Yellow)) = Dunhill

  (** In the house in the center lives someone who drinks milk *)
  axiom Clue8: Drink.of (Owner.of H3) = Milk

  (** The Norwegian lives in the first house *)
  axiom Clue9: Owner.of H1 = Norwegian

  (** The man who smokes Blends lives next to the one who has cats *)
  axiom Clue10: neighbour
    (Owner.to_ (Cigar.to_ Blend)) (Owner.to_ (Pet.to_ Cats))

  (** The man who owns a horse lives next to the one who smokes Dunhills *)
  axiom Clue11: neighbour
    (Owner.to_ (Pet.to_ Horse)) (Owner.to_ (Cigar.to_ Dunhill))

  (** The man who smokes Blue Masters drinks beer *)
  axiom Clue12:
    Drink.of (Cigar.to_ BlueMaster) = Beer

  (** The German smokes Prince *)
  axiom Clue13:
    Cigar.of German = Prince

  (** The Norwegian lives next to the blue house *)
  axiom Clue14:
    neighbour (Owner.to_ Norwegian) (Color.to_ Blue)

  (** The man who smokes Blends has a neighbour who drinks water *)
  axiom Clue15:
    neighbour (Owner.to_ (Cigar.to_ Blend)) (Owner.to_ (Drink.to_ Water))

end

(** {2 Goals about Einstein's problem} *)

theory Goals
  use Einstein

(*
  lemma First_House_Not_White: Color.of H1 <> White
  lemma Last_House_Not_Green: Color.of H5 <> Green

  lemma Blue_not_Red: Blue <> Red
  lemma Englishman_not_H2: Owner.to_ Englishman <> H2
  lemma Englishman_not_H1: Owner.to_ Englishman <> H1

  lemma Second_House_Blue: Color.of H2 = Blue
  lemma Green_H4 : Color.of H4 = Green
  lemma White_H5 : Color.of H5 = White
  lemma Red_H3 : Color.of H3 = Red
  lemma Yellow_H1 : Color.of H1 = Yellow
*)
  goal G1: Pet.to_ Fish = German
  goal Wrong: Pet.to_ Cats = Swede
  goal G2: Pet.to_ Cats = Norwegian

end

(*
Local Variables:
compile-command: "why3 ide einstein.why"
End:
*)
why3-1.6.0/examples/logic/einstein/000077500000000000000000000000001440160026300171355ustar00rootroot00000000000000why3-1.6.0/examples/logic/einstein/why3session.xml000066400000000000000000000125461440160026300221650ustar00rootroot00000000000000






















 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 



why3-1.6.0/examples/logic/einstein/why3shapes.gz000066400000000000000000000002611440160026300215740ustar00rootroot00000000000000U˽0WQ:x=U~D&}.ӓLqj <^0	O Var (S i)
  | Lambda l -> Lambda (shift l)
  end

  function subst (term 'a) nat (term 'b) : term 'a

(*
  axiom Subst_def : forall t1 : term 'a. forall i : nat.
  forall t2 : term 'b.
  subst t1 i t2 =
  match t1 with
  | Var j -> if i = j then t2 else t1
  | Lambda t -> Lambda (subst t (i+1) (shift t2))
  end
*)

  axiom Subst_def0 : forall i j : nat.
  forall t : term 'b.
  subst (Var j) i t = if i = j then t else (Var j)  (* correct ?*)

  axiom Subst_def1 : forall i : nat.
  forall t : term 'b. subst (Var i) i t = t

  axiom Subst_def2 : forall t1 : term 'a. forall i : nat.
  forall t2 : term 'b.
  subst (Lambda t1) i t2 = Lambda (subst t1 (S i) (shift t2))


  function app (t1 : term 'a) (t2 : term 'b) : term 'a

  axiom App_def :
  forall t1 : term 'a. forall t2 : term 'b.
  app (Lambda t1) t2 = subst t1 Zero t2

(* When we remove one of the following example the axiomatic is not anymore inconsistent *)
  axiom Subst_app :
  forall t1 : term 'a. forall i : nat. forall t2 : term 'b. forall t3 : term 'c.
  subst (app t1 t2) i t3 = app (subst t1 i t3) (subst t2 i t3)

  axiom Shift_app :
  forall t1 : term 'a. forall t2 : term 'b.
  shift (app t1 t2) = app (shift t1) (shift t2)

end

theory Example
  use LambdaCalc

  type tt
  type t =  term tt

  function a : t
  axiom Shift_a : shift a = a
  axiom Subst_a : forall t : term 'a. forall i : nat. subst a i t = a

  goal G1 : app (Lambda (Var Zero : t)) a = a

  function b : t
  axiom Shift_b : shift b = b
  axiom Subst_b : forall t : term 'a. forall i : nat. subst b i t = b

  goal G2 : app (Lambda (Var Zero : t)) a = b

  function id : term 'a = (Lambda (Var Zero))

  goal G5b :
  let t1 = Lambda (subst (Var (S Zero) : t) (S Zero) a) in
  let t2 = Lambda a in
  t1 = t2

  goal G5c :
  let t1 = subst (Lambda (Var (S Zero) : t)) Zero a in
  let t2 = Lambda a in
  t1 = t2

  goal G5 :
  let t1 = Lambda (Lambda (Var (S Zero) : t)) in
  let t2 = Lambda a in
  (app t1 a) = t2

  goal G3 :
  let t1 = Lambda (Lambda (app (Var Zero : t) (Var (S Zero) : t))) in
  app (app t1 a) (id : t) = a

  goal G4 :
  let t1 = Lambda (Lambda (app (Var Zero : t) (Var (S Zero) : t))) in
  let t2 = Lambda (app (Var Zero : t) a) in
  (app t1 a) = t2

end

(* Here term are not anymore 'a term but 'a, :)
its also inconsistent
*)
theory LambdaCalc2

  type nat =
  | Zero
  | S nat

  type app 'a 'b

  function var nat : 'a

  function lambda 'a : app 'b 'a

  function shift (x:'a) : 'a

  axiom Shift_var : forall i : nat. shift (var i : 'a) = var (S i)
  axiom Shift_lambda : forall t : 'b. shift (lambda t) : app 'a 'b = lambda (shift t)

  function subst ('a) nat ('b) : 'a

  axiom Subst_def0 : forall i j : nat.
  forall t : 'a.
  subst (var i : 'a) i t = if i = j then t else (var j) (* correct ?*)

  axiom Subst_def1 : forall t1 : 'b. forall i : nat.
  forall t2 : 'c.
  subst (lambda t1) i t2 : app 'a 'b = lambda (subst t1 (S i) (shift t2))


  function app (t1 : app 'b 'a) (t2 : 'b) : 'a

  axiom App_def :
  forall t1 : 'a. forall t2 : 'b.
  app (lambda t1) t2 = subst t1 Zero t2

  (* axiom Subst_app : *)
  (* forall t1 : app 'a 'b. forall i : nat. forall t2 : 'a. forall t3 : 'c. *)
  (* subst (app t1 t2) i t3 = app (subst t1 i t3) (subst t2 i t3) *)

  axiom Shift_app :
  forall t1 : app 'a 'b. forall t2 : 'a.
  shift (app t1 t2) = app (shift t1) (shift t2)

end


theory Example2
  use LambdaCalc2

  type t

  function a : t
  axiom Shift_a : shift a = a
  axiom Subst_a : forall t : 'a. forall i : nat. subst a i t = a

  goal G1 : app (lambda (var Zero : t)) a = a

  function b : t
  axiom Shift_b : shift b = b
  axiom Subst_b : forall t : 'a. forall i : nat. subst b i t = b

  goal G2 : app (lambda (var Zero : t)) a = b

  function id : app 'a 'a = (lambda (var Zero))

  goal G5b :
  let t1 = lambda (subst (var (S Zero) : t) (S Zero) a) in
  let t2 = lambda a : app t t in
  t1 = t2

  goal G5c :
  let t1 = subst (lambda (var (S Zero) : t)) Zero a in
  let t2 = lambda a : app t t in
  t1 = t2

  goal G5 :
  let t1 = lambda (lambda (var (S Zero) : t)) in
  let t2 = lambda a : app t t in
  (app t1 a) = t2

  goal G3 :
  let t1 = lambda (lambda (app (var Zero : app t t) (var (S Zero) : t))) in
  app (app t1 a) (id : app t t) = a

  goal G4 :
  let t1 = lambda (lambda (app (var Zero : app t t) (var (S Zero) : t))) in
  let t2 = lambda (app (var Zero : app t t) a) : app t t in
  (app t1 a) = t2

end
why3-1.6.0/examples/logic/explicit_subst/000077500000000000000000000000001440160026300203605ustar00rootroot00000000000000why3-1.6.0/examples/logic/explicit_subst/why3session.xml000066400000000000000000000201151440160026300233770ustar00rootroot00000000000000














 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 


 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 



why3-1.6.0/examples/logic/explicit_subst/why3shapes.gz000066400000000000000000000010621440160026300230170ustar00rootroot00000000000000?o1|
m&"'@C7t)(B8AN=O.W[n쏻W|_tw{ןtgݍ̈́^_G6QÞӯ{ףMzSHG63=$75]3@|Ɂ=a~Q{ә/"k\_9u
ni-,cnN} ͛@O?
ә@2șmS. tܓJʊ:k,*ik&eq7Ds96ƵyXǫqBoZsoNbؒt
[鹖1jfׄ$$^ .%
,pԜ$hUgx$TйԖ'hfZ $BkG6$Db>ӇB1I"4dX|h=;8(^ǘ 3mD
dU9IBH$%"@K7MyHjX!cb-YV<#4Q>{I\(g
ކ~why3-1.6.0/examples/logic/ffx.why000066400000000000000000000011041440160026300166270ustar00rootroot00000000000000

theory T

  type t

  predicate r t

  function f t : t

  axiom a : forall x:t. r x \/ r (f x)

  goal g1 : exists x:t. r x /\ r (f (f x))

  goal g2 : exists x:t. r x /\ r (f (f (f (f x))))

  goal g3 : exists x:t. r x /\ r (f (f (f (f (f (f x))))))

  goal g4 : exists x:t. r x /\ r (f (f (f (f (f (f (f (f x))))))))

  goal g5 : exists x:t. r x /\ r (f (f (f (f (f (f (f (f (f (f x))))))))))

  goal g6 : exists x:t. r x /\ r (f (f (f (f (f (f (f (f (f (f (f (f x))))))))))))

  goal g7 : exists x:t. r x /\ r (f (f (f (f (f (f (f (f (f (f (f (f (f (f x))))))))))))))



endwhy3-1.6.0/examples/logic/ffx/000077500000000000000000000000001440160026300161025ustar00rootroot00000000000000why3-1.6.0/examples/logic/ffx/why3session.xml000066400000000000000000000213061440160026300211240ustar00rootroot00000000000000





















 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 



why3-1.6.0/examples/logic/ffx/why3shapes.gz000066400000000000000000000004141440160026300205410ustar00rootroot00000000000000ͽNC1>Sԍ+uT-Bq+$2f>>>Go73͛6vrrnwt~Y#'`"RxB
iEl-lj
jc1H,Jڛ+QEdV8pl91u!љw ڱ֠Z2# &Zϵ"ur(NK2JF"ڴJL;%QJ1!0bp˫|jd_Owhy3-1.6.0/examples/logic/genealogy.why000066400000000000000000000036441440160026300200310ustar00rootroot00000000000000
theory Genealogy

  type person

  type gender = Male | Female

  function gender person : gender

  function father person : person
  function mother person : person

  axiom Father_gender : forall p : person. gender (father p) = Male
  axiom Mother_gender : forall p : person. gender (mother p) = Female

  predicate parent (p : person) (c : person) = p = father c \/ p = mother c

  predicate son (s : person) (p : person) = gender s = Male /\ parent p s
  predicate daughter (d : person) (p : person) = gender d = Female /\ parent p d

  predicate child (c : person) (p : person) = parent p c

  goal Child_is_son_or_daughter:
    forall c p : person. child c p <-> son c p \/ daughter c p

  predicate sibling (p1 : person) (p2 : person) =
    p1 <> p2 /\ (father p1 = father p2 \/ mother p1 = mother p2)

  goal Sibling_sym : forall p1 p2 : person. sibling p1 p2 -> sibling p2 p1

  predicate brother (b : person) (p : person) = sibling b p /\ gender b = Male
  predicate sister  (s : person) (p : person) = sibling s p /\ gender s = Female

  goal Sibling_is_brother_or_sister:
    forall p1 p2 : person. sibling p1 p2 <-> brother p1 p2 \/ sister p1 p2

  predicate grandparent (g : person) ( p : person) =
    parent g (father p) \/ parent g (mother p)

  predicate grandfather (g : person) (p : person) =
    g = father (father p) \/ g = father (mother p)
  predicate grandmother (g : person) (p : person) =
    g = mother (father p) \/ g = mother (mother p)

  goal Grandparent_is_grandfather_or_grandmother:
    forall g p : person. grandparent g p <-> grandfather g p \/ grandmother g p

  goal Grandfather_male:
    forall g p : person. grandfather g p -> gender g = Male
  goal Grandmother_female:
    forall g p : person. grandmother g p -> gender g = Female

  goal Only_two_grandfathers:
     forall g1 g2 g3 p : person.
     grandfather g1 p ->
     grandfather g2 p ->
     grandfather g3 p ->
     (g1 = g2 \/ g2 = g3 \/ g1 = g3)

end
why3-1.6.0/examples/logic/genealogy/000077500000000000000000000000001440160026300172715ustar00rootroot00000000000000why3-1.6.0/examples/logic/genealogy/genealogy_Genealogy_Child_is_son_or_daughter_1.prf000066400000000000000000000005671440160026300312360ustar00rootroot00000000000000(Child_is_son_or_daughter
 (child_is_son_or_daughter 0
  (child_is_son_or_daughter-1 nil 3594646471 ("" (grind) nil nil)
   ((parent const-decl "bool" Child_is_son_or_daughter nil)
    (child const-decl "bool" Child_is_son_or_daughter nil)
    (son const-decl "bool" Child_is_son_or_daughter nil)
    (daughter const-decl "bool" Child_is_son_or_daughter nil))
   shostak)))

why3-1.6.0/examples/logic/genealogy/genealogy_Genealogy_Child_is_son_or_daughter_1.pvs000066400000000000000000000021571440160026300312540ustar00rootroot00000000000000Child_is_son_or_daughter: THEORY
 BEGIN
  % do not edit above this line
  % surround new declarations you insert below with blank lines
  
  % Why3 person
  person: TYPE+
  
  % Why3 gender
  gender: DATATYPE
   BEGIN
    male: male?
    female: female?
   END gender
  
  % Why3 gender1
  gender1(x:person): gender
  
  % Why3 father
  father(x:person): person
  
  % Why3 mother
  mother(x:person): person
  
  % Why3 father_gender
  father_gender: AXIOM FORALL (p:person): (gender1(father(p)) = male)
  
  % Why3 mother_gender
  mother_gender: AXIOM FORALL (p:person): (gender1(mother(p)) = female)
  
  % Why3 parent
  parent(p:person, c:person): bool = (p = father(c)) OR (p = mother(c))
  
  % Why3 son
  son(s:person, p:person): bool = (gender1(s) = male) AND parent(p, s)
  
  % Why3 daughter
  daughter(d:person, p:person): bool = (gender1(d) = female) AND parent(p, d)
  
  % Why3 child
  child(c:person, p:person): bool = parent(p, c)
  
  % Why3 child_is_son_or_daughter
  child_is_son_or_daughter: THEOREM FORALL (c:person, p:person): child(c,
    p) <=> (son(c, p) OR daughter(c, p))
  
  
 END Child_is_son_or_daughter
 why3-1.6.0/examples/logic/genealogy/genealogy_Genealogy_Child_is_son_or_daughter_1.thy000066400000000000000000000006251440160026300312460ustar00rootroot00000000000000theory genealogy_Genealogy_Child_is_son_or_daughter_1
imports Why3.Why3
begin

why3_open "genealogy_Genealogy_Child_is_son_or_daughter_1.xml"

why3_vc Child_is_son_or_daughter
proof -
  have "parent p c \ son c p \ gender1 c = Female"
    using gender.exhaust son_def by auto
  thus "parent p c = (son c p \ daughter c p)"
    using daughter_def son_def by auto
qed

why3_end

end
why3-1.6.0/examples/logic/genealogy/genealogy_Genealogy_Child_is_son_or_daughter_1.v000066400000000000000000000027671440160026300307200ustar00rootroot00000000000000(* This file is generated by Why3's Coq 8.4 driver *)
(* Beware! Only edit allowed sections below    *)
Require Import BuiltIn.
Require BuiltIn.

Axiom person : Type.
Parameter person_WhyType : WhyType person.
Existing Instance person_WhyType.

(* Why3 assumption *)
Inductive gender :=
  | Male : gender
  | Female : gender.
Axiom gender_WhyType : WhyType gender.
Existing Instance gender_WhyType.

Parameter gender1: person -> gender.

Parameter father: person -> person.

Parameter mother: person -> person.

Axiom Father_gender : forall (p:person), ((gender1 (father p)) = Male).

Axiom Mother_gender : forall (p:person), ((gender1 (mother p)) = Female).

(* Why3 assumption *)
Definition parent (p:person) (c:person): Prop := (p = (father c)) \/
  (p = (mother c)).

(* Why3 assumption *)
Definition son (s:person) (p:person): Prop := ((gender1 s) = Male) /\ (parent
  p s).

(* Why3 assumption *)
Definition daughter (d:person) (p:person): Prop := ((gender1 d) = Female) /\
  (parent p d).

(* Why3 goal *)
Theorem Child_is_son_or_daughter : forall (c:person) (p:person), (parent p
  c) <-> ((son c p) \/ (daughter c p)).
(* Why3 intros c p. *)
intros c p.
unfold son, daughter, parent.
split.
intros [h|h].
subst p.
destruct (gender1 c).
  left.
  split.
  trivial.
  left.
  trivial.

  right.
  split.
  trivial.
  left.
  trivial.

subst p.
destruct (gender1 c).
  left.
  split.
  trivial.
  right.
  trivial.

  right.
  split.
  trivial.
  right.
  trivial.

intros [(h1,h2)|(h1,h2)].
  trivial.
  trivial.
Qed.


why3-1.6.0/examples/logic/genealogy/genealogy_Genealogy_Child_is_son_or_daughter_1.xml000066400000000000000000000122271440160026300312430ustar00rootroot00000000000000genealogy_Genealogy_Grandparent_is_grandfather_or_grandmother_1.thy000066400000000000000000000004701440160026300346040ustar00rootroot00000000000000why3-1.6.0/examples/logic/genealogytheory genealogy_Genealogy_Grandparent_is_grandfather_or_grandmother_1
imports Why3.Why3
begin

why3_open "genealogy_Genealogy_Grandparent_is_grandfather_or_grandmother_1.xml"

why3_vc Grandparent_is_grandfather_or_grandmother
by (metis grandfather_def grandmother_def grandparent_def parent_def)

why3_end

end
genealogy_Genealogy_Grandparent_is_grandfather_or_grandmother_1.xml000066400000000000000000000272451440160026300346110ustar00rootroot00000000000000why3-1.6.0/examples/logic/genealogywhy3-1.6.0/examples/logic/genealogy/genealogy_Genealogy_Sibling_is_brother_or_sister_1.thy000066400000000000000000000003741440160026300321670ustar00rootroot00000000000000theory genealogy_Genealogy_Sibling_is_brother_or_sister_1
imports Why3.Why3
begin

why3_open "genealogy_Genealogy_Sibling_is_brother_or_sister_1.xml"

why3_vc Sibling_is_brother_or_sister
by (metis brother_def gender.exhaust sister_def)

why3_end

end
why3-1.6.0/examples/logic/genealogy/genealogy_Genealogy_Sibling_is_brother_or_sister_1.xml000066400000000000000000000204541440160026300321640ustar00rootroot00000000000000why3-1.6.0/examples/logic/genealogy/genealogy_Genealogy_Sibling_sym_1.thy000066400000000000000000000002651440160026300265450ustar00rootroot00000000000000theory genealogy_Genealogy_Sibling_sym_1
imports Why3.Why3
begin

why3_open "genealogy_Genealogy_Sibling_sym_1.xml"

why3_vc Sibling_sym
by (metis assms sibling_def)

why3_end

end
why3-1.6.0/examples/logic/genealogy/genealogy_Genealogy_Sibling_sym_1.xml000066400000000000000000000142351440160026300265430ustar00rootroot00000000000000why3-1.6.0/examples/logic/genealogy/why3session.xml000066400000000000000000000611641440160026300223210ustar00rootroot00000000000000























































 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 



why3-1.6.0/examples/logic/genealogy/why3shapes.gz000066400000000000000000000005711440160026300217340ustar00rootroot00000000000000]=A[殚n{	Eʿ0\P_{K[p>пuv:4u`u_tn
K+=[Bj0tK~QrKW.??cGˁi7GѰZ-=<ߍڮgl7$G{{.n|.4tw3rmtjt
YW:ɶ$x
d$G
akX۵bpR	@1-Ɍ@VMN3,1Y
hX0s1xfFq]YR(Ȉ6>P6h:6Pj+sPPbL
 j}R$8CB\7
0why3-1.6.0/examples/logic/hello_proof.why000066400000000000000000000002131440160026300203540ustar00rootroot00000000000000theory HelloProof

  goal G1: true

  goal G2: (true -> false) /\ (true \/ false)

  use int.Int

  goal G3: forall x:int. x * x >= 0

end
why3-1.6.0/examples/logic/hello_proof/000077500000000000000000000000001440160026300176275ustar00rootroot00000000000000why3-1.6.0/examples/logic/hello_proof/hello_proof_HelloProof_G2_1.v000066400000000000000000000002701440160026300252260ustar00rootroot00000000000000(* This file is generated by Why3's Coq driver *)
(* Beware! Only edit allowed sections below    *)
Require Import BuiltIn.
Require BuiltIn.

(* Why3 goal *)
Theorem G2 : False.
Qed.

why3-1.6.0/examples/logic/hello_proof/why3session.xml000066400000000000000000000023171440160026300226520ustar00rootroot00000000000000







 
 
 
 
 
 
  
  
  
  
  
  
  
 
 
 
 
 



why3-1.6.0/examples/logic/hello_proof/why3shapes.gz000066400000000000000000000003211440160026300222630ustar00rootroot00000000000000ͱN1E_8 Dn[ĶX1#$Gz7K[.մyޯ^wepߗpCxDZ3Rʭ	JẂ0L*NRӜ,T[UW9?why3-1.6.0/examples/logic/isa_planner.why000066400000000000000000000251011440160026300203420ustar00rootroot00000000000000
(** Benchmarks goals for proof by induction
    From http://dream.inf.ed.ac.uk/projects/isaplanner/
*)

theory Nat

  type nat = Zero | Suc nat

  function (+) (x y: nat) : nat = match x with
  | Zero -> y
  | Suc xs -> Suc (xs + y)
  end

  function ( * ) (x y: nat) : nat = match y with
  | Zero -> Zero
  | Suc ys -> x + x * ys
  end

  function (-) (x y: nat) : nat = match x with
  | Zero -> Zero
  | Suc xs -> match y with
              | Zero -> Suc xs
              | Suc ys -> xs - ys
	      end
  end

  predicate ( < ) (x y: nat) = match y with
  | Zero -> false
  | Suc ys -> match x with
              | Zero -> true
              | Suc xs -> xs < ys end
  end

  predicate ( <= ) (x y: nat) = match x with
  | Zero -> true
  | Suc xs -> match y with
              | Zero -> false
              | Suc ys -> xs <= ys
	     end
  end

  function max (x y: nat) : nat = match x with
  | Zero -> y
  | Suc xs -> match y with
              | Zero -> Suc xs
              | Suc ys -> Suc (max xs ys) end end

  function min (x y: nat) : nat = match x with
  | Zero -> Zero
  | Suc xs -> match y with
              | Zero -> y
              | Suc ys -> Suc (min xs ys) end end

end

theory List
  use Nat

  type list 'a = Nil | Cons 'a  (list 'a)

  function len (l : list 'a) : nat = match l with
  | Nil -> Zero
  | Cons _ s -> Suc (len s)
  end

  predicate mem (x: 'a) (l: list 'a) = match l with
  | Nil      -> false
  | Cons y ys -> if x = y then true else mem x ys
  end

  function (++) (l r : list 'a) : list 'a  = match l with
  | Nil -> r
  | Cons x ls -> Cons x (ls ++ r)
  end

  function rev (l: list 'a) : list 'a = match l with
  | Nil       -> Nil
  | Cons x xs -> rev xs ++ Cons x Nil
  end

  function insert (x : 'a) (l : list 'a) : list 'a = match l with
  | Nil -> Cons x Nil
  | Cons h t -> if x = h then Cons x t else Cons h (insert x t)
  end

  function delete (x: 'a) (l : list 'a) : list 'a = match l with
  | Nil -> Nil
  | Cons h t -> if x = h then delete x t else Cons h (delete x t)
  end

  function take (n: nat) (l : list 'a) : list 'a = match l with
  | Nil -> Nil
  | Cons h t -> match n with
                 | Zero -> Nil
                 | Suc m ->  Cons h (take m t)
                end
  end

  function drop (n: nat) (l : list 'a) : list 'a = match l with
  | Nil -> Nil
  | Cons h t -> match n with
                 | Zero -> Cons h t
                 | Suc m ->  drop m t
                end
  end

  function last (l : list 'a) : 'a
  axiom last_single :
  	forall x: 'a. last (Cons x Nil) = x
  axiom last_cons :
    	forall x: 'a, l : list 'a. l <> Nil -> last (Cons x l)  = last l

  function butlast (l : list 'a) : list 'a = match l with
  | Nil -> Nil
  | Cons _ Nil -> Nil
  | Cons x xs -> Cons x (butlast xs)
  end

  function zip (l r : list 'a) : list ('a, 'a) = match r with
  | Nil -> Nil
  | Cons y rs -> match l with
                 | Nil -> Nil
                 | Cons x ls -> Cons (x,y) (zip ls rs)
                 end
  end

  function count (x: 'a) (l: list 'a) : nat = match l with
  | Nil -> Zero
  | Cons y ys -> if x = y then Suc (count x ys) else count x ys
  end

  function map (f: 'a -> 'b) (l: list 'a) : list 'b = match l with
  | Nil      -> Nil
  | Cons x xs -> Cons (f x) (map f xs)
  end

  function filter (p: 'a -> bool) (l : list 'a) : list 'a = match l with
  | Nil -> Nil
  | Cons x xs -> if p x then Cons x (filter p xs) else filter p xs
  end

  function takeWhile (p: 'a -> bool) (l : list 'a) : list 'a = match l with
  | Nil -> Nil
  | Cons x xs -> if p x then Cons x (takeWhile p xs) else Nil
  end

  function dropWhile (p: 'a -> bool) (l : list 'a) : list 'a = match l with
  | Nil -> Nil
  | Cons x xs -> if p x then (dropWhile p xs) else (Cons x xs)
  end

  predicate pfalse (_x: 'a) = false

  function dropWhile_False (l : list 'a) : list 'a = match l with
  | Nil -> Nil
  | Cons x xs -> if pfalse x then (dropWhile_False xs) else (Cons x xs)
  end

  predicate ptrue (_x: 'a) = true

 function takeWhile_True (l : list 'a) : list 'a = match l with
  | Nil -> Nil
  | Cons x xs -> if ptrue x then Cons x (takeWhile_True xs) else Nil
  end

 (******************** INSERTION SORT WITH NAT LIST ***************)

  predicate sorted (l : list nat) = match l with
  | Nil -> true
  | Cons x xs -> match xs with
                | Nil -> true
                | Cons y _ -> x <= y && sorted xs
                end
  end

  function insert_nat (n : nat) (l : list nat) : list nat = match l with
  | Nil -> Cons n Nil
  | Cons h t -> if n < h then Cons n (Cons h t) else Cons h (insert_nat n t)
  end

  function insertion_sort_aux (x : nat) (l : list nat) : list nat =
  match l with
  | Nil -> Cons x Nil
  | Cons y ys ->
    if x <= y then Cons x (Cons y ys) else Cons y (insertion_sort_aux x ys)
  end

  function insertion_sort (l : list nat) : list nat = match l with
  | Nil -> Nil
  | Cons x xs -> insertion_sort_aux x (insertion_sort xs)
  end

end

theory Tree

  use Nat

  type tree 'a =
  | Leaf
  | Node (tree 'a) 'a (tree 'a)

  function mirror (t: tree 'a) : tree 'a = match t with
  | Leaf -> Leaf
  | Node l x r -> Node (mirror r) x (mirror l)
  end

  function nodes (t: tree 'a) : nat = match t with
  | Leaf -> Zero
  | Node l _ r-> (Suc Zero) + nodes l + nodes r
  end

  function height (t: tree 'a) : nat = match t with
  | Leaf -> Zero
  | Node l _ r -> Suc (max (height l) (height r))
  end

end

(******************************************************************************)
(************************** ISAPLANNER THEOREMS *******************************)
(******************************************************************************)

(*Pas d'induction(13): 4, 5, 11, 13, 16, 17, 35, 39, 40, 42, 44, 45, 46 *)
(*Induction sur une variable(22): 2, 3, 6, 7, 8, 10, 12, 14, 15, 18, 19,
  21, 26, 27, 28, 29, 30, 32, 36, 37, 38, 43 *)
(*Induction sur plusieurs variables à cause de raisonnement par cas (9):
  1, 9, 22, 23, 24, 25, 31, 33, 34, *)
(*Problème résolu avec un lemme supplémentaire (2): 20(15), 47(23)  *)
(******************************************************************************)
theory IsaPlanner_all

  use Nat
  use List
  use Tree

  goal P1: forall l: list 'a, n : nat.
  take n l ++ drop n l = l

  goal P2: forall l m: list 'a, x: 'a.
  count x l + count x m =  count  x (l ++ m)

  goal P3: forall l m: list 'a, x: 'a.
  count x l <= count x (l ++ m)

  goal P4: forall l: list 'a, x: 'a.
  Suc Zero + count x l = count x (Cons x l)

  goal P5: forall l: list 'a, x y : 'a.
  x = y -> Suc Zero + count x l = count x (Cons y l)

  goal P6: forall n m: nat.
  n - (n + m) = Zero

  goal P7: forall n m: nat.
  (n + m) - n = m

  goal P8: forall  k [@induction] n m: nat.
  (k + m) - (k + n) = (m - n)

  goal P9: forall i j k: nat.
  (i - j) - k = i - (j + k)

  goal P10: forall m: nat.
  m - m = Zero

  goal P11: forall l: list 'a.
  drop Zero l = l

  goal P12: forall f: 'a -> 'b, l, n.
  drop n (map f l) = map f (drop n l)

  goal P13: forall n: nat, x: 'a, ls: list 'a.
  drop (Suc n) (Cons x ls) = drop n ls

  goal P14: forall p, xs ys: list 'a.
  filter p (xs ++ ys) = filter p xs ++ filter p ys

  goal P15: forall l: list nat, n: nat.
  len (insertion_sort_aux n l) = Suc (len l)

  goal P16: forall l: list 'a, x: 'a.
  l = Nil -> last (Cons x l) = x

  goal P17: forall n: nat.
  (n <= Zero) <-> (n = Zero)

  goal P18: forall i m: nat.
  i < (Suc (i + m))

  goal P19: forall l: list 'a, n: nat.
  len (drop n l) = (len l) - n

  (* requires the lemma
      forall l: list nat, n: nat. len (insertion_sort_aux n l) = Suc (len l) *)
  goal P20: forall l: list nat.
  len (insertion_sort l) = len l

  goal P21: forall n m: nat.
  n <= (n + m)

  goal P22: forall a [@induction] b [@induction] c [@induction]: nat .
  max (max a b) c = max a (max b c)

  goal P23: forall a b: nat.
  max a b = max b a

  goal P24: forall a b: nat.
  (max a b = a) <-> b <= a

  goal P25: forall a b: nat.
  (max a b = b) <-> a <= b

  goal P26: forall l t: list 'a, x: 'a.
  mem x l -> mem x (l ++ t)

  goal P27: forall l t: list 'a, x: 'a.
  mem x t -> mem x (l ++ t)

  goal P28: forall l: list 'a, x: 'a.
  mem x (l ++ Cons x Nil)

  goal P29: forall l : list nat, x : nat.
  mem x (insert_nat x l)

  goal P30: forall l: list 'a, x: 'a.
  mem x (insert x l)

  goal P31: forall a [@induction] b [@induction] c [@induction]: nat.
  min (min a b) c = min a (min b c)

  goal P32: forall a b: nat.
  min a b = min b a

  goal P33: forall a b: nat.
  (min a b = a) <-> a <= b

  goal P34: forall a b: nat.
  (min a b = b) <-> b <= a

  goal P35: forall xs : list 'a.
  dropWhile_False xs = xs

  goal P36: forall xs: list 'a.
  takeWhile_True xs = xs

  goal P37: forall l: list 'a, x: 'a.
  not mem x (delete x l)

  goal P38: forall l: list 'a, n: 'a.
  count n (l ++ Cons n Nil) = Suc (count n l)

  goal P39: forall t: list 'a, n h: 'a.
  count n (Cons h Nil) + count n t = count n (Cons h t)

  goal P40: forall xs: list 'a.
  take Zero xs = Nil

  goal P41: forall f, xs : list 'a, n: nat.
  take n (map f xs : list 'b) = map f (take n xs)

  goal P42: forall xs: list 'a, n: nat, x: 'a.
  take (Suc n) (Cons x xs) = Cons x (take n xs)

  goal P43: forall p, xs : list 'a.
  takeWhile p xs ++ dropWhile p xs = xs

  goal P44: forall xs ys: list 'a, x: 'a.
  zip (Cons x xs) ys =
      	      	  match ys with
      	      	    | Nil -> Nil
		    | Cons y ys -> Cons (x,y) (zip xs ys)
   		  end

  goal P45: forall xs ys: list 'a, x y: 'a .
  zip (Cons x xs) (Cons y ys) = Cons (x, y) (zip xs ys)

  goal P46: forall ys: list 'a.
  zip Nil ys = Nil

  (* requires P23: forall a b: nat. max a b = max b a *)
  goal P47: forall a : tree 'a.
  height (mirror a) = height a

end

theory IsaPlanner_beyond

  use Nat
  use List
  use Tree

  goal P48: forall xs : list 'a.
  xs <> Nil  -> butlast xs ++ (Cons (last xs) Nil) = xs

  goal P49: forall xs ys: list 'a .
  butlast (xs ++ ys) = (if ys = Nil then butlast xs else xs ++ butlast ys)

  goal P50: forall xs : list 'a.
  butlast xs = take ((len xs) - (Suc Zero)) xs

  goal P51: forall xs : list 'a, x: 'a.
  butlast (xs ++ Cons x Nil) = xs

  goal P52: forall l : list 'a, n: 'a.
  count n l = count n (rev l)

  goal P53: forall l : list nat, x : nat.
  count x l = count x (insertion_sort l)

  goal P54: forall m n: nat.
  (m + n) - n = m

  goal P55: forall i [@induction] k [@induction] j [@induction] : nat.
  (i - j) - k = i - (k - j)

  goal P56: forall xs ys: list 'a, n: nat.
  drop n (xs ++ ys) = drop n xs ++ drop (n - (len xs)) ys

  goal P57: forall n [@induction] m [@induction]: nat,
  xs [@induction]: list nat.
  drop n (drop m xs) = drop (n + m) xs

  goal P58: forall xs [@induction]: list 'a,
  m [@induction] n [@induction]: nat.
  drop n (take m xs) = take (m - n) (drop n xs)

end
why3-1.6.0/examples/logic/lagrange_inequality.why000066400000000000000000000037161440160026300221030ustar00rootroot00000000000000
(** {1 Lagrange Identity, Cauchy-Schwarz and Triangle Inequalities} *)

theory LagrangeInequality

(*

sum_squares a  \times sum_squares b = (scalar product a.b)^2 +

sum {1 <= i = 0.0


  lemma Lagrange :
    forall a1 a2 b1 b2 : real .
       norm2 a1 a2 * norm2 b1 b2 = sqr (dot a1 a2 b1 b2) + sqr (a1 * b2 - a2 * b1)

end


theory CauchySchwarzInequality


  use real.Real
  use real.Square
  use LagrangeInequality

  lemma CauchySchwarz_aux:
     forall x1 x2 y1 y2 : real.
        sqr (dot x1 x2 y1 y2) <= norm2 x1 x2 * norm2 y1 y2

  (** norm of a vector *)
  function norm (x1:real) (x2:real) : real = sqrt (norm2 x1 x2)

  (** norm is non-negative *)
  lemma norm_pos :
     forall x1 x2:real. norm x1 x2 >= 0.0

  (** 2 lemmas to help the next one *)
  lemma sqr_le_sqrt :
    forall x y:real. sqr x <= y -> x <= sqrt y

  lemma CauchySchwarz:
     forall x1 x2 y1 y2 : real.
        dot x1 x2 y1 y2 <= norm x1 x2 * norm y1 y2

end


theory TriangleInequality

  use real.Real
  use real.Square
  use LagrangeInequality
  use CauchySchwarzInequality

(** Triangle inequality, proved thanks to
  ||x+y||² = ||x||² + 2 + ||y||²
           <= ||x||² + 2||x||*||y|| + ||y||²
           = (||x|| + ||y||)²
*)

  lemma triangle_aux :
    forall x1 x2 y1 y2 : real.
      norm2 (x1+y1) (x2+y2) <= sqr (norm x1 x2 + norm y1 y2)

  (* lemma to help the next one *)
  lemma sqr_sqrt_le :
    forall x y:real. 0.0 <= y /\ 0.0 <= x <= sqr y -> sqrt x <= y

  lemma triangle :
    forall x1 x2 y1 y2 : real.
      norm (x1+y1) (x2+y2) <= norm x1 x2 + norm y1 y2

endwhy3-1.6.0/examples/logic/lagrange_inequality/000077500000000000000000000000001440160026300213435ustar00rootroot00000000000000why3-1.6.0/examples/logic/lagrange_inequality/lagrange_inequality_TriangleInequality_triangle_1.v000066400000000000000000000032201440160026300335520ustar00rootroot00000000000000(* This file is generated by Why3's Coq driver *)
(* Beware! Only edit allowed sections below    *)
Require Import BuiltIn.
Require Import R_sqrt.
Require BuiltIn.
Require real.Real.
Require real.Square.

(* Why3 assumption *)
Definition dot (x1:R) (x2:R) (y1:R) (y2:R): R :=
  ((x1 * y1)%R + (x2 * y2)%R)%R.

(* Why3 assumption *)
Definition norm2 (x1:R) (x2:R): R := ((Rsqr x1) + (Rsqr x2))%R.

Axiom norm2_pos : forall (x1:R) (x2:R), (0%R <= (norm2 x1 x2))%R.

Axiom Lagrange : forall (a1:R) (a2:R) (b1:R) (b2:R), (((norm2 a1
  a2) * (norm2 b1 b2))%R = ((Rsqr (dot a1 a2 b1
  b2)) + (Rsqr ((a1 * b2)%R - (a2 * b1)%R)%R))%R).

Axiom CauchySchwarz_aux : forall (x1:R) (x2:R) (y1:R) (y2:R), ((Rsqr (dot x1
  x2 y1 y2)) <= ((norm2 x1 x2) * (norm2 y1 y2))%R)%R.

(* Why3 assumption *)
Definition norm (x1:R) (x2:R): R := (sqrt (norm2 x1 x2)).

Axiom norm_pos : forall (x1:R) (x2:R), (0%R <= (norm x1 x2))%R.

Axiom sqr_le_sqrt : forall (x:R) (y:R), ((Rsqr x) <= y)%R ->
  (x <= (sqrt y))%R.

Axiom CauchySchwarz : forall (x1:R) (x2:R) (y1:R) (y2:R), ((dot x1 x2 y1
  y2) <= ((norm x1 x2) * (norm y1 y2))%R)%R.

Axiom triangle_aux : forall (x1:R) (x2:R) (y1:R) (y2:R), ((norm2 (x1 + y1)%R
  (x2 + y2)%R) <= (Rsqr ((norm x1 x2) + (norm y1 y2))%R))%R.

Axiom sqr_sqrt_le : forall (x:R) (y:R), ((0%R <= y)%R /\ ((0%R <= x)%R /\
  (x <= (Rsqr y))%R)) -> ((sqrt x) <= y)%R.

(* Why3 goal *)
Theorem triangle : forall (x1:R) (x2:R) (y1:R) (y2:R), ((norm (x1 + y1)%R
  (x2 + y2)%R) <= ((norm x1 x2) + (norm y1 y2))%R)%R.
intros x1 x2 y1 y2.
apply sqr_sqrt_le.
split.
apply Rplus_le_le_0_compat; apply norm_pos.
split.
apply Rplus_le_le_0_compat; apply Rle_0_sqr.
apply triangle_aux.
Qed.


why3-1.6.0/examples/logic/lagrange_inequality/why3session.xml000066400000000000000000000052441440160026300243700ustar00rootroot00000000000000












 
 
 
 
 
 
 
 


 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 


 
 
 
 
 
 
 
 
 
 
 



why3-1.6.0/examples/logic/lagrange_inequality/why3shapes.gz000066400000000000000000000006561440160026300240120ustar00rootroot00000000000000M1EV ljQ$6@ȓ8z,ki+$g:l:$vEzi$_vb*|<0kX#vg2&vđp+}+=y(}NZ#{3!s<6{mhNjMXl[>6ʵB\y	'nRg
ڗ5y#ĪAhX |nB
5E;g0?	ZY"ԁO)$(ɵdP0ԂE9	 p y z -> p x z
  axiom q_trans: forall x y z: t. q x y -> q y z -> q x z

  (* q is symmetric *)
  axiom q_sym: forall x y: t. q x y -> q y x

  (* p\/q is universal *)
  axiom p_or_q: forall x y: t. p x y \/ q x y

  (* show that either p or q is universal *)
  goal los_problem: (forall x y: t. p x y) \/ (forall x y: t. q x y)

end
why3-1.6.0/examples/logic/los_problem/000077500000000000000000000000001440160026300176345ustar00rootroot00000000000000why3-1.6.0/examples/logic/los_problem/why3session.xml000066400000000000000000000021671440160026300226620ustar00rootroot00000000000000










 
 
 
 
 
 
 



why3-1.6.0/examples/logic/los_problem/why3shapes.gz000066400000000000000000000002271440160026300222750ustar00rootroot00000000000000%!E{Rb^	Fc˲ɹ=Lݸ&I:9WRءav zr:CtCEy2`h`s6I'HJ]԰why3-1.6.0/examples/logic/my_cosine.why000066400000000000000000000035761440160026300200500ustar00rootroot00000000000000theory CosineSingle

use real.Real
use real.Abs
use real.Trigonometry
use floating_point.Rounding
use floating_point.Single

(* approximation of cosine function by 1 - x^2 / 2 on interval [-1/32; 1/32] *)



lemma MethodError: forall x:real. abs x <= 0x1p-5 ->
  abs (1.0 - 0.5 * (x * x) - cos x) <= 0x1p-24
(* this one is proved in Coq + interval tactics *)


(* computation in single precision *)

lemma TotalErrorFullyExpanded:
  forall x:single. abs (value x) <= 0x1p-5 ->
  (* total error as hypothesis, for Gappa *)
  abs (1.0 - 0.5 * (value x * value x) - cos (value x)) <= 0x1p-24 ->
  forall x2 x2o2 cos_x: real.
  x2 = round NearestTiesToEven (value x * value x) ->
  x2o2 = round NearestTiesToEven (0.5 * x2) ->
  cos_x = round NearestTiesToEven (1.0 - x2o2) ->
  abs (cos_x - cos (value x)) <= 0x1p-23
(* fully expanded version, proved by gappa *)

lemma TotalErrorExpanded:
  forall x:single. abs (value x) <= 0x1p-5 ->
  let x2 = round NearestTiesToEven (value x * value x) in
  let x2o2 = round NearestTiesToEven (0.5 * x2) in
  let cos_x = round NearestTiesToEven (1.0 - x2o2) in
  abs (cos_x - cos (value x)) <= 0x1p-23
(* same as above but with let, proved by SMT solvers *)

(* the same as above, under the form of a logic function *)

function round_single (m:mode) (x:real) : single

axiom RoundSingle: forall m:mode, x:real [value (round_single m x)].
  value (round_single m x) = round m x

function cos_single (x:single) : single =
  let x2 = round_single NearestTiesToEven (value x * value x) in
  let x2o2 = round_single NearestTiesToEven (0.5 * value x2) in
  round_single NearestTiesToEven (1.0 - value x2o2)

lemma TotalError: forall x:single. abs (value x) <= 0x1p-5 ->
  let cos_x = cos_single x in
  abs (value cos_x - cos (value x)) <= 0x1p-23
(* proved by SMT solvers from TotalErrorExpanded *)

end

(*
Local Variables:
compile-command: "../bin/why3ide.byte my_cosine.why"
End:
*)


why3-1.6.0/examples/logic/my_cosine/000077500000000000000000000000001440160026300173045ustar00rootroot00000000000000why3-1.6.0/examples/logic/my_cosine/my_cosine_CosineSingle_MethodError_1.v000066400000000000000000000014771440160026300266650ustar00rootroot00000000000000(* This file is generated by Why3's Coq driver *)
(* Beware! Only edit allowed sections below    *)
Require Import BuiltIn.
Require Reals.Rbasic_fun.
Require Reals.R_sqrt.
Require Reals.Rtrigo_def.
Require Reals.Rtrigo1.
Require Reals.Ratan.
Require BuiltIn.
Require int.Int.
Require real.Real.
Require real.Abs.
Require real.FromInt.
Require real.Square.
Require real.Trigonometry.
Require floating_point.Rounding.
Require floating_point.SingleFormat.
Require floating_point.Single.

Require Import Interval.Tactic.

(* Why3 goal *)
Theorem MethodError :
  forall (x:Reals.Rdefinitions.R),
  ((Reals.Rbasic_fun.Rabs x) <= (1 / 32)%R)%R ->
  ((Reals.Rbasic_fun.Rabs
    ((1%R - ((1 / 2)%R * (x * x)%R)%R)%R - (Reals.Rtrigo_def.cos x))%R)
   <= (1 / 16777216)%R)%R.
Proof.
intros x H.
interval with (i_autodiff x, i_bisect x).
Qed.
why3-1.6.0/examples/logic/my_cosine/why3session.xml000066400000000000000000000024431440160026300223270ustar00rootroot00000000000000









 
 
 
 
 
 
 
 
 
 
 
 
 



why3-1.6.0/examples/logic/my_cosine/why3shapes.gz000066400000000000000000000005411440160026300217440ustar00rootroot00000000000000Mk@9ef?RғU&l+D\OM-;;>LI;aSϱ'̈@S4ʁʫ	Ű}K3#@%h{d^6Y}eAL{Նêz=qy^Ɇ7N4
|y5(_mHno34<:WѶZMe:Ӗ[9qZ82]%uz"H2+2UX%EmXxW6)jH4X)%%&#Ih
(Q:5&[PV=167%ωLe
Jwhy3-1.6.0/examples/logic/real.why000066400000000000000000000004711440160026300167750ustar00rootroot00000000000000theory CosineSingle

use real.Real
use real.Abs
use real.Trigonometry

(* approximation of cosine function by 1 - x^2 / 2 on interval [-1/32; 1/32] *)



lemma MethodError: forall x:real. abs x <= 0x1p-5 ->
  abs (1.0 - 0.5 * (x * x) - cos x) <= 0x1p-24
(* this one is proved in Coq + interval tactics *)


end


why3-1.6.0/examples/logic/real/000077500000000000000000000000001440160026300162425ustar00rootroot00000000000000why3-1.6.0/examples/logic/real/real_CosineSingle_MethodError_1.v000066400000000000000000000012641440160026300245530ustar00rootroot00000000000000(* This file is generated by Why3's Coq driver *)
(* Beware! Only edit allowed sections below    *)
Require Import BuiltIn.
Require Reals.Rbasic_fun.
Require Reals.R_sqrt.
Require Reals.Rtrigo_def.
Require Reals.Rtrigo1.
Require Reals.Ratan.
Require BuiltIn.
Require real.Real.
Require real.Abs.
Require real.Square.
Require real.Trigonometry.

Require Import Interval.Tactic.

(* Why3 goal *)
Theorem MethodError :
  forall (x:Reals.Rdefinitions.R),
  ((Reals.Rbasic_fun.Rabs x) <= (1 / 32)%R)%R ->
  ((Reals.Rbasic_fun.Rabs
    ((1%R - ((1 / 2)%R * (x * x)%R)%R)%R - (Reals.Rtrigo_def.cos x))%R)
   <= (1 / 16777216)%R)%R.
Proof.
intros x h1.
interval with (i_autodiff x, i_bisect x).
Qed.
why3-1.6.0/examples/logic/real/why3session.xml000066400000000000000000000013331440160026300212620ustar00rootroot00000000000000







 
 
 
 



why3-1.6.0/examples/logic/real/why3shapes.gz000066400000000000000000000002101440160026300206730ustar00rootroot00000000000000-A
09EnE/_tQLt7nOW>5Of3Ɩmq
[(!VwVl*
.J:_(SLGHB/why3-1.6.0/examples/logic/scottish-private-club.why000066400000000000000000000016321440160026300223050ustar00rootroot00000000000000(** {1 The Scottish private club puzzle} *)

(* The club follows six rules:

 - every non-scottish members wear red socks

 - every member wears a kilt or doesn't wear socks

 - the married members don't go out on sunday

 - a member goes out on sunday if and only if he is scottish

 - every member who wears a kilt is scottish and married

 - every scottish member wears a kilt

Problem: prove that there is nobody in this club!

*)

theory ScottishClubProblem

  predicate is_scottish
  predicate wears_red_socks
  predicate wears_kilt
  predicate is_married
  predicate goes_out_on_sunday

  axiom R1: not is_scottish -> wears_red_socks

  axiom R2: wears_kilt \/ not wears_red_socks

  axiom R3: is_married -> not goes_out_on_sunday

  axiom R4: goes_out_on_sunday <-> is_scottish

  axiom R5: wears_kilt -> is_scottish /\ is_married

  axiom R6: is_scottish -> wears_kilt

  goal ThereIsNobodyInTheClub: false

end

why3-1.6.0/examples/logic/scottish-private-club/000077500000000000000000000000001440160026300215525ustar00rootroot00000000000000why3-1.6.0/examples/logic/scottish-private-club/why3session.xml000066400000000000000000000024701440160026300245750ustar00rootroot00000000000000











 
 
 
 
 
 
 
 



why3-1.6.0/examples/logic/scottish-private-club/why3shapes.gz000066400000000000000000000002671440160026300242170ustar00rootroot00000000000000m0










 
 
 
 
 
 
 



why3-1.6.0/examples/logic/simple/why3shapes.gz000066400000000000000000000002141440160026300212450ustar00rootroot00000000000000R(H,H-V(K-*ϳR0SJMOBdCT00

2J5qA`B@U`MZz-Pn\%`,RҌMRR@ڒ-
M,-,
,=i|why3-1.6.0/examples/logic/sorted_list.why000066400000000000000000000022361440160026300204060ustar00rootroot00000000000000theory Order
  type t
  predicate (<=) t t

  axiom le_refl : forall x : t. x <= x
  axiom le_asym : forall x y : t. x <= y -> y <= x -> x = y
  axiom le_trans: forall x y z : t. x <= y -> y <= z -> x <= z
end

theory List
  type list 'a = Nil | Cons 'a (list 'a)

  predicate mem (x: 'a) (l: list 'a) = match l with
    | Nil -> false
    | Cons y r -> x = y \/ mem x r
  end

end

theory SortedList
  use List
  clone import Order as O with axiom .

  inductive sorted (l : list t) =
    | sorted_nil :
        sorted Nil
    | sorted_one :
        forall x:t. sorted (Cons x Nil)
    | sorted_two :
        forall x y : t, l : list t.
        x <= y -> sorted (Cons y l) -> sorted (Cons x (Cons y l))

  lemma sorted_inf:
    forall x y: t, l: list t. x <= y -> sorted (Cons y l) ->
      sorted (Cons x l)


  lemma sorted_mem:
    forall x: t, l: list t. sorted (Cons x l) ->
    forall y: t. mem y l -> x <= y
    (* by induction on l *)

end

theory SortedIntList
  use int.Int
  use List
  clone SortedList with
    type O.t = int, predicate O.(<=) = (<=),
    lemma O.le_refl, lemma O.le_asym, lemma O.le_trans

  goal sorted123: sorted (Cons 1 (Cons 2 (Cons 3 Nil)))
end

why3-1.6.0/examples/logic/sorted_list/000077500000000000000000000000001440160026300176525ustar00rootroot00000000000000why3-1.6.0/examples/logic/sorted_list/sorted_list_SortedList_sorted_mem_1.v000066400000000000000000000031141440160026300272050ustar00rootroot00000000000000(* This file is generated by Why3's Coq driver *)
(* Beware! Only edit allowed sections below    *)
Require Import ZArith.
Require Import Rbase.
Inductive list (a:Type) :=
  | Nil : list a
  | Cons : a -> (list a) -> list a.
Set Contextual Implicit.
Implicit Arguments Nil.
Unset Contextual Implicit.
Implicit Arguments Cons.

Set Implicit Arguments.
Fixpoint mem (a:Type)(x:a) (l:(list a)) {struct l}: Prop :=
  match l with
  | Nil => False
  | (Cons y r) => (x = y) \/ (mem x r)
  end.
Unset Implicit Arguments.

Parameter t : Type.

Parameter infix_lseq: t -> t -> Prop.


Axiom le_refl : forall (x:t), (infix_lseq x x).

Axiom le_asym : forall (x:t) (y:t), (infix_lseq x y) -> ((infix_lseq y x) ->
  (x = y)).

Axiom le_trans : forall (x:t) (y:t) (z:t), (infix_lseq x y) -> ((infix_lseq y
  z) -> (infix_lseq x z)).

Inductive sorted : (list t) -> Prop :=
  | sorted_nil : (sorted (Nil:(list t)))
  | sorted_one : forall (x:t), (sorted (Cons x (Nil:(list t))))
  | sorted_two : forall (x:t) (y:t) (l:(list t)), (infix_lseq x y) ->
      ((sorted (Cons y l)) -> (sorted (Cons x (Cons y l)))).

Axiom sorted_inf : forall (x:t) (y:t) (l:(list t)), (infix_lseq x y) ->
  ((sorted (Cons y l)) -> (sorted (Cons x l))).

(* YOU MAY EDIT THE CONTEXT BELOW *)

(* DO NOT EDIT BELOW *)

Theorem sorted_mem : forall (x:t) (l:(list t)), (sorted (Cons x l)) ->
  forall (y:t), (mem y l) -> (infix_lseq x y).
(* YOU MAY EDIT THE PROOF BELOW *)
induction l.
simpl; tauto.
simpl.
intro H.
inversion H.
intros y0 [Heq | Hmem].
subst; auto.
apply IHl; auto.
apply sorted_inf with (y:=a); auto.
Qed.
(* DO NOT EDIT BELOW *)


why3-1.6.0/examples/logic/sorted_list/why3session.xml000066400000000000000000000034741440160026300227020ustar00rootroot00000000000000










 
 
 
 
 
 


 
 
 
 
 
 
 
 
 
 
 
 
 
 
 



why3-1.6.0/examples/logic/sorted_list/why3shapes.gz000066400000000000000000000004551440160026300223160ustar00rootroot00000000000000UN1{N'1'1WĉDԭx{-B4#2~;G7>=e!4M4Y
PհJr<_a.FG]PڿI4a_]T]|17Pz}C&j!W_vg3@a7d%X1I)u`@@$Z9+;LiiKT0Bf%Z!gܱ[iTԤDLXSTHZwhy3-1.6.0/examples/logic/triangle_inequality.why000066400000000000000000000072321440160026300221250ustar00rootroot00000000000000
(** {1 The Triangle Inequality}

  by Claude Marché, using suggestions from Guillaume Melquiond

  We first prove the Cauchy-Schwarz inequality.

  See also on Wikipedia: {h Cauchy-Schwarz
inequality} and {h Triangle
inequality}

*)

theory CauchySchwarzInequality

  use real.Real
  use real.Square

  (** dot product, a.k.a. scalar product, of two vectors *)
  function dot (x1:real) (x2:real) (y1:real) (y2:real) : real =
     x1*y1 + x2*y2

  (** square of the norm of a vector *)
  function norm2 (x1:real) (x2:real) : real =
     sqr x1 + sqr x2

  (** square of the norm is non-negative *)
  lemma norm2_pos :
     forall x1 x2:real. norm2 x1 x2 >= 0.0

  (** main Cauchy-Schwarz lemma *)
  (** paper proof:
  ||x||² + 2t + t²||y||² = P(t) = ||x+t*y||² >= 0
  but  P(-/||y||²) = ||x||² - ²/||y||²
  hence ² <= ||x||²*||y||²
  *)

  function p (x1:real) (x2:real) (y1:real) (y2:real) (t:real) : real =
    norm2 x1 x2 + 2.0 * t * dot x1 x2 y1 y2 + sqr t * norm2 y1 y2

  lemma p_expr :
    forall x1 x2 y1 y2 t:real.
      p x1 x2 y1 y2 t = norm2 (x1 + t * y1) (x2 + t * y2)

  lemma p_pos:
    forall x1 x2 y1 y2 t:real. p x1 x2 y1 y2 t >= 0.0

  lemma mul_div_simpl :
    forall x y:real. y <> 0.0 -> (x/y)*y = x

  lemma p_val_part:
    forall x1 x2 y1 y2:real.
      norm2 y1 y2 > 0.0 ->
        p x1 x2 y1 y2 (- (dot x1 x2 y1 y2 / norm2 y1 y2)) =
        norm2 x1 x2 - sqr (dot x1 x2 y1 y2) / norm2 y1 y2

  lemma p_val_part_pos:
    forall x1 x2 y1 y2:real.
      norm2 y1 y2 > 0.0 ->
        norm2 x1 x2 - sqr (dot x1 x2 y1 y2) / norm2 y1 y2 >= 0.0

  lemma p_val_part_pos_aux:
    forall x1 x2 y1 y2:real.
      norm2 y1 y2 > 0.0 ->
        norm2 y1 y2 * p x1 x2 y1 y2 (- dot x1 x2 y1 y2 / norm2 y1 y2) >= 0.0

  lemma CauchySchwarz_aux_non_null:
     forall x1 x2 y1 y2 : real.
       norm2 y1 y2 > 0.0 ->
        sqr (dot x1 x2 y1 y2) <= norm2 x1 x2 * norm2 y1 y2

  lemma norm_null:
     forall y1 y2 : real.
       norm2 y1 y2 = 0.0 -> y1 = 0.0 \/ y2 = 0.0

  lemma CauchySchwarz_aux_null:
     forall x1 x2 y1 y2 : real.
       norm2 y1 y2 = 0.0 ->
        sqr (dot x1 x2 y1 y2) <= norm2 x1 x2 * norm2 y1 y2

  lemma CauchySchwarz_aux:
     forall x1 x2 y1 y2 : real.
        sqr (dot x1 x2 y1 y2) <= norm2 x1 x2 * norm2 y1 y2

  (** norm of a vector *)
  function norm (x1:real) (x2:real) : real = sqrt (norm2 x1 x2)

  (** norm is non-negative *)
  lemma norm_pos :
     forall x1 x2:real. norm x1 x2 >= 0.0

  (** lemma to help the next one *)
  lemma sqr_le_sqrt :
    forall x y:real. 0.0 <= x /\ 0.0 <= sqr x <= y -> x <= sqrt y

  (** Cauchy-Schwarz inequality :  <= ||x||*||y|| *)
  lemma CauchySchwarz:
     forall x1 x2 y1 y2 : real.
        dot x1 x2 y1 y2 <= norm x1 x2 * norm y1 y2

end


theory TriangleInequality

  use real.Real
  use real.Square
  use CauchySchwarzInequality

(** Triangle inequality, proved thanks to
  ||x+y||² = ||x||² + 2 + ||y||²
           <= ||x||² + 2||x||*||y|| + ||y||²
           = (||x|| + ||y||)²
*)

  lemma triangle_aux :
    forall x1 x2 y1 y2 : real.
      norm2 (x1+y1) (x2+y2) <= sqr (norm x1 x2 + norm y1 y2)
      by x1*y1+x2*y2 <= (norm x1 x2)*(norm y1 y2)
      so norm2 (x1+y1) (x2+y2) = norm2 x1 x2 + 2.0*(x1*y1+x2*y2) + norm2 y1 y2
         <= norm2 x1 x2 + 2.0*(norm x1 x2)*(norm y1 y2) + norm2 y1 y2
         = sqr (norm x1 x2 + norm y1 y2)

  (* lemma to help the next one *)
  lemma sqr_sqrt_le :
    forall x y:real. 0.0 <= y /\ 0.0 <= x <= sqr y -> sqrt x <= y

  lemma triangle :
    forall x1 x2 y1 y2 : real.
      norm (x1+y1) (x2+y2) <= norm x1 x2 + norm y1 y2

endwhy3-1.6.0/examples/logic/triangle_inequality/000077500000000000000000000000001440160026300213705ustar00rootroot00000000000000triangle_inequality_CauchySchwarzInequality_CauchySchwarz_1.v000066400000000000000000000057341440160026300355430ustar00rootroot00000000000000why3-1.6.0/examples/logic/triangle_inequality(* This file is generated by Why3's Coq 8.4 driver *)
(* Beware! Only edit allowed sections below    *)
Require Import BuiltIn.
Require Reals.R_sqrt.
Require BuiltIn.
Require real.Real.
Require real.Square.

(* Why3 assumption *)
Definition dot (x1:R) (x2:R) (y1:R) (y2:R): R :=
  ((x1 * y1)%R + (x2 * y2)%R)%R.

(* Why3 assumption *)
Definition norm2 (x1:R) (x2:R): R :=
  ((Reals.RIneq.Rsqr x1) + (Reals.RIneq.Rsqr x2))%R.

Axiom norm2_pos : forall (x1:R) (x2:R), (0%R <= (norm2 x1 x2))%R.

(* Why3 assumption *)
Definition p (x1:R) (x2:R) (y1:R) (y2:R) (t:R): R := (((norm2 x1
  x2) + ((2%R * t)%R * (dot x1 x2 y1
  y2))%R)%R + ((Reals.RIneq.Rsqr t) * (norm2 y1 y2))%R)%R.

Axiom p_expr : forall (x1:R) (x2:R) (y1:R) (y2:R) (t:R), ((p x1 x2 y1 y2
  t) = (norm2 (x1 + (t * y1)%R)%R (x2 + (t * y2)%R)%R)).

Axiom p_pos : forall (x1:R) (x2:R) (y1:R) (y2:R) (t:R), (0%R <= (p x1 x2 y1
  y2 t))%R.

Axiom mul_div_simpl : forall (x:R) (y:R), (~ (y = 0%R)) ->
  (((x / y)%R * y)%R = x).

Axiom p_val_part : forall (x1:R) (x2:R) (y1:R) (y2:R), (0%R < (norm2 y1
  y2))%R -> ((p x1 x2 y1 y2 (-((dot x1 x2 y1 y2) / (norm2 y1
  y2))%R)%R) = ((norm2 x1 x2) - ((Reals.RIneq.Rsqr (dot x1 x2 y1
  y2)) / (norm2 y1 y2))%R)%R).

Axiom p_val_part_pos : forall (x1:R) (x2:R) (y1:R) (y2:R), (0%R < (norm2 y1
  y2))%R -> (0%R <= ((norm2 x1 x2) - ((Reals.RIneq.Rsqr (dot x1 x2 y1
  y2)) / (norm2 y1 y2))%R)%R)%R.

Axiom p_val_part_pos_aux : forall (x1:R) (x2:R) (y1:R) (y2:R),
  (0%R < (norm2 y1 y2))%R -> (0%R <= ((norm2 y1 y2) * (p x1 x2 y1 y2
  ((-(dot x1 x2 y1 y2))%R / (norm2 y1 y2))%R))%R)%R.

Axiom CauchySchwarz_aux_non_null : forall (x1:R) (x2:R) (y1:R) (y2:R),
  (0%R < (norm2 y1 y2))%R -> ((Reals.RIneq.Rsqr (dot x1 x2 y1
  y2)) <= ((norm2 x1 x2) * (norm2 y1 y2))%R)%R.

Axiom norm_null : forall (y1:R) (y2:R), ((norm2 y1 y2) = 0%R) ->
  ((y1 = 0%R) \/ (y2 = 0%R)).

Axiom CauchySchwarz_aux_null : forall (x1:R) (x2:R) (y1:R) (y2:R), ((norm2 y1
  y2) = 0%R) -> ((Reals.RIneq.Rsqr (dot x1 x2 y1 y2)) <= ((norm2 x1
  x2) * (norm2 y1 y2))%R)%R.

Axiom CauchySchwarz_aux : forall (x1:R) (x2:R) (y1:R) (y2:R),
  ((Reals.RIneq.Rsqr (dot x1 x2 y1 y2)) <= ((norm2 x1 x2) * (norm2 y1
  y2))%R)%R.

(* Why3 assumption *)
Definition norm (x1:R) (x2:R): R := (Reals.R_sqrt.sqrt (norm2 x1 x2)).

Axiom norm_pos : forall (x1:R) (x2:R), (0%R <= (norm x1 x2))%R.

Axiom sqr_le_sqrt : forall (x:R) (y:R), ((0%R <= x)%R /\
  ((0%R <= (Reals.RIneq.Rsqr x))%R /\ ((Reals.RIneq.Rsqr x) <= y)%R)) ->
  (x <= (Reals.R_sqrt.sqrt y))%R.

Import R_sqrt.

(* Why3 goal *)
Theorem CauchySchwarz : forall (x1:R) (x2:R) (y1:R) (y2:R), ((dot x1 x2 y1
  y2) <= ((norm x1 x2) * (norm y1 y2))%R)%R.
(* Why3 intros x1 x2 y1 y2. *)
intros x1 x2 y1 y2.
unfold norm.
rewrite <- sqrt_mult.
assert (Hdot: (0 <= dot x1 x2 y1 y2)%R \/ (0 > dot x1 x2 y1 y2)%R).
generalize (Rtotal_order 0 (dot x1 x2 y1 y2))%R; intuition.

destruct Hdot.
apply sqr_le_sqrt.
intuition.
apply CauchySchwarz_aux.

apply Rle_trans with 0%R.
intuition.

apply sqrt_pos.
apply norm2_pos.
apply norm2_pos.
Qed.

triangle_inequality_CauchySchwarzInequality_CauchySchwarz_aux_non_null_1.v000066400000000000000000000044751440160026300403250ustar00rootroot00000000000000why3-1.6.0/examples/logic/triangle_inequality(* This file is generated by Why3's Coq driver *)
(* Beware! Only edit allowed sections below    *)
Require Import BuiltIn.
Require Import R_sqrt.
Require BuiltIn.
Require real.Real.
Require real.Square.

(* Why3 assumption *)
Definition dot (x1:R) (x2:R) (y1:R) (y2:R): R :=
  ((x1 * y1)%R + (x2 * y2)%R)%R.

(* Why3 assumption *)
Definition norm2 (x1:R) (x2:R): R := ((Rsqr x1) + (Rsqr x2))%R.

Axiom norm2_pos : forall (x1:R) (x2:R), (0%R <= (norm2 x1 x2))%R.

(* Why3 assumption *)
Definition p (x1:R) (x2:R) (y1:R) (y2:R) (t:R): R := (((norm2 x1
  x2) + ((2%R * t)%R * (dot x1 x2 y1 y2))%R)%R + ((Rsqr t) * (norm2 y1
  y2))%R)%R.

Axiom p_expr : forall (x1:R) (x2:R) (y1:R) (y2:R) (t:R), ((p x1 x2 y1 y2
  t) = (norm2 (x1 + (t * y1)%R)%R (x2 + (t * y2)%R)%R)).

Axiom p_pos : forall (x1:R) (x2:R) (y1:R) (y2:R) (t:R), (0%R <= (p x1 x2 y1
  y2 t))%R.

Axiom mul_div_simpl : forall (x:R) (y:R), (~ (y = 0%R)) ->
  (((Rdiv x y)%R * y)%R = x).

Axiom p_val_part : forall (x1:R) (x2:R) (y1:R) (y2:R), (0%R < (norm2 y1
  y2))%R -> ((p x1 x2 y1 y2 (-(Rdiv (dot x1 x2 y1 y2) (norm2 y1
  y2))%R)%R) = ((norm2 x1 x2) - (Rdiv (Rsqr (dot x1 x2 y1 y2)) (norm2 y1
  y2))%R)%R).

Axiom p_val_part_pos : forall (x1:R) (x2:R) (y1:R) (y2:R), (0%R < (norm2 y1
  y2))%R -> (0%R <= ((norm2 x1 x2) - (Rdiv (Rsqr (dot x1 x2 y1 y2)) (norm2 y1
  y2))%R)%R)%R.

Axiom p_val_part_pos_aux : forall (x1:R) (x2:R) (y1:R) (y2:R),
  (0%R < (norm2 y1 y2))%R -> (0%R <= ((norm2 y1 y2) * (p x1 x2 y1 y2
  (Rdiv (-(dot x1 x2 y1 y2))%R (norm2 y1 y2))%R))%R)%R.

(* Why3 goal *)
Theorem CauchySchwarz_aux_non_null : forall (x1:R) (x2:R) (y1:R) (y2:R),
  (0%R < (norm2 y1 y2))%R -> ((Rsqr (dot x1 x2 y1 y2)) <= ((norm2 x1
  x2) * (norm2 y1 y2))%R)%R.
(* intros x1 x2 y1 y2 h1. *)
intros x1 x2 y1 y2 h1.
replace (Rsqr (dot x1 x2 y1 y2))%R with 
  ((Rdiv (Rsqr (dot x1 x2 y1 y2)) (norm2 y1 y2)) * (norm2 y1 y2))%R.
apply Rmult_le_compat_r.
apply Rlt_le; assumption.
replace (Rdiv (Rsqr (dot x1 x2 y1 y2)) (norm2 y1 y2))%R with
   (0 + Rdiv (Rsqr (dot x1 x2 y1 y2)) (norm2 y1 y2))%R by ring.
replace (norm2 x1 x2)%R with 
  (((((norm2 x1 x2) - (Rdiv (Rsqr (dot x1 x2 y1 y2)) (norm2 y1 y2)))))
   + (Rdiv (Rsqr (dot x1 x2 y1 y2)) (norm2 y1 y2)))%R by ring.
apply Rplus_le_compat_r.
apply p_val_part_pos; assumption.
unfold Rdiv.
rewrite Rmult_assoc.
rewrite Rinv_l.
ring.
apply Rgt_not_eq.
auto.
Qed.


why3-1.6.0/examples/logic/triangle_inequality/triangle_inequality_TriangleInequality_triangle_1.v000066400000000000000000000057561440160026300336440ustar00rootroot00000000000000(* This file is generated by Why3's Coq driver *)
(* Beware! Only edit allowed sections below    *)
Require Import BuiltIn.
Require Import R_sqrt.
Require BuiltIn.
Require real.Real.
Require real.Square.

(* Why3 assumption *)
Definition dot (x1:R) (x2:R) (y1:R) (y2:R): R :=
  ((x1 * y1)%R + (x2 * y2)%R)%R.

(* Why3 assumption *)
Definition norm2 (x1:R) (x2:R): R := ((Rsqr x1) + (Rsqr x2))%R.

Axiom norm2_pos : forall (x1:R) (x2:R), (0%R <= (norm2 x1 x2))%R.

(* Why3 assumption *)
Definition p (x1:R) (x2:R) (y1:R) (y2:R) (t:R): R := (((norm2 x1
  x2) + ((2%R * t)%R * (dot x1 x2 y1 y2))%R)%R + ((Rsqr t) * (norm2 y1
  y2))%R)%R.

Axiom p_expr : forall (x1:R) (x2:R) (y1:R) (y2:R) (t:R), ((p x1 x2 y1 y2
  t) = (norm2 (x1 + (t * y1)%R)%R (x2 + (t * y2)%R)%R)).

Axiom p_pos : forall (x1:R) (x2:R) (y1:R) (y2:R) (t:R), (0%R <= (p x1 x2 y1
  y2 t))%R.

Axiom mul_div_simpl : forall (x:R) (y:R), (~ (y = 0%R)) ->
  (((Rdiv x y)%R * y)%R = x).

Axiom p_val_part : forall (x1:R) (x2:R) (y1:R) (y2:R), (0%R < (norm2 y1
  y2))%R -> ((p x1 x2 y1 y2 (-(Rdiv (dot x1 x2 y1 y2) (norm2 y1
  y2))%R)%R) = ((norm2 x1 x2) - (Rdiv (Rsqr (dot x1 x2 y1 y2)) (norm2 y1
  y2))%R)%R).

Axiom p_val_part_pos : forall (x1:R) (x2:R) (y1:R) (y2:R), (0%R < (norm2 y1
  y2))%R -> (0%R <= ((norm2 x1 x2) - (Rdiv (Rsqr (dot x1 x2 y1 y2)) (norm2 y1
  y2))%R)%R)%R.

Axiom p_val_part_pos_aux : forall (x1:R) (x2:R) (y1:R) (y2:R),
  (0%R < (norm2 y1 y2))%R -> (0%R <= ((norm2 y1 y2) * (p x1 x2 y1 y2
  (Rdiv (-(dot x1 x2 y1 y2))%R (norm2 y1 y2))%R))%R)%R.

Axiom CauchySchwarz_aux_non_null : forall (x1:R) (x2:R) (y1:R) (y2:R),
  (0%R < (norm2 y1 y2))%R -> ((Rsqr (dot x1 x2 y1 y2)) <= ((norm2 x1
  x2) * (norm2 y1 y2))%R)%R.

Axiom norm_null : forall (y1:R) (y2:R), ((norm2 y1 y2) = 0%R) ->
  ((y1 = 0%R) \/ (y2 = 0%R)).

Axiom CauchySchwarz_aux_null : forall (x1:R) (x2:R) (y1:R) (y2:R), ((norm2 y1
  y2) = 0%R) -> ((Rsqr (dot x1 x2 y1 y2)) <= ((norm2 x1 x2) * (norm2 y1
  y2))%R)%R.

Axiom CauchySchwarz_aux : forall (x1:R) (x2:R) (y1:R) (y2:R), ((Rsqr (dot x1
  x2 y1 y2)) <= ((norm2 x1 x2) * (norm2 y1 y2))%R)%R.

(* Why3 assumption *)
Definition norm (x1:R) (x2:R): R := (sqrt (norm2 x1 x2)).

Axiom norm_pos : forall (x1:R) (x2:R), (0%R <= (norm x1 x2))%R.

Axiom sqr_le_sqrt : forall (x:R) (y:R), ((0%R <= x)%R /\
  ((0%R <= (Rsqr x))%R /\ ((Rsqr x) <= y)%R)) -> (x <= (sqrt y))%R.

Axiom CauchySchwarz : forall (x1:R) (x2:R) (y1:R) (y2:R), ((dot x1 x2 y1
  y2) <= ((norm x1 x2) * (norm y1 y2))%R)%R.

Axiom triangle_aux : forall (x1:R) (x2:R) (y1:R) (y2:R), ((norm2 (x1 + y1)%R
  (x2 + y2)%R) <= (Rsqr ((norm x1 x2) + (norm y1 y2))%R))%R.

Axiom sqr_sqrt_le : forall (x:R) (y:R), ((0%R <= y)%R /\ ((0%R <= x)%R /\
  (x <= (Rsqr y))%R)) -> ((sqrt x) <= y)%R.

(* Why3 goal *)
Theorem triangle : forall (x1:R) (x2:R) (y1:R) (y2:R), ((norm (x1 + y1)%R
  (x2 + y2)%R) <= ((norm x1 x2) + (norm y1 y2))%R)%R.
intros x1 x2 y1 y2.
apply sqr_sqrt_le.
split.
apply Rplus_le_le_0_compat; apply norm_pos.
split.
apply Rplus_le_le_0_compat; apply Rle_0_sqr.
apply triangle_aux.
Qed.


why3-1.6.0/examples/logic/triangle_inequality/why3session.xml000066400000000000000000000146621440160026300244210ustar00rootroot00000000000000















 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
  
  
   
   
    
    
     
     
     
    
    
   
   
  
  
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 


 
 
  
  
  
  
  
  
  
  
  
  
  
   
   
   
  
  
  
  
  
 
 
 
 
 
 
 
 
 
 



why3-1.6.0/examples/logic/triangle_inequality/why3shapes.gz000066400000000000000000000024231440160026300240310ustar00rootroot00000000000000VKo7 DTr1Ksӵ^hI(_jfvwkg D}/ۋ]۾obF>\ɗ>C24sio6r%	K(,o6:rӈ')c+BnzfmE}ƛQmnm3V.xE{FI^*+4OݿTϰ}F>
OuϷanz(YϯSK/>=qrb;4{$zedx9͗y!}8qoׅZ~:~ø=9ϲΞ*$Tc$b/ƵtfV0#Pn]Ч+>'	ceE4'sӘݩrlKIј>MBr&n &AŇY|Q$Yy
|u>
u6UeVx([u7)[_AIߏ>a?~p-Y36yf_?1/қzq9h<ЂtP"8ص&\vr@#?Szm{js
܏SQ'tu̧._>gƸA^o66
\s.f=pra7PMB*"
u'A4\:46gA8UD9E(|˥K& .P¦x.
Fp`BbYJLDUZpp3dX2hiԡ
/+pЁfh,Z5-̣@mAf^ub/
>MC=t,I7zQlgS?w>hOdEZ$FsGL= i
   and columns in set c. Thus the solution is f(0,{0,1,...,n-1}).

   f is easily defined recursively, as we have

      f(i,c) = max{j in c} m[i][j] + f(i+1, C\{j})

   As such, it would still be a brute force approach (of complexity n!)
   but we can memoize f and then the search space decreases to n*2^n.

   The following code implements such a solution. Sets of integers are
   provided in theory Bitset. Hash tables for memoization are provided
   in module HashTable (see file hash_tables.mlw for an implementation).
   Code for f is in module MaxMatrixMemo (mutually recursive functions
   maximum and memo).
*)

theory Bitset

  use int.Int

  constant size : int (* elements belong to 0..size-1 *)

  type set

  (* membership
     [mem i s] can be implemented as [s land (1 lsl i) <> 0] *)
  val predicate mem int set

  (* removal
     [remove i s] can be implemented as [s - (1 lsl i)] *)
  val function remove (x: int) (s: set): set
    ensures { forall y: int. mem y result <-> y <> x /\ mem y s }

  (* the set {0,1,...,n-1}
     [below n] can be implemented as [1 lsl n - 1] *)
  val function below (n: int): set
    requires { 0 <= n <= size }
    ensures { forall x: int. mem x result <-> 0 <= x < n }

  val function cardinal set: int

  axiom cardinal_empty:
    forall s: set. cardinal s = 0 <-> (forall x: int. not (mem x s))

  axiom cardinal_remove:
    forall x: int. forall s: set.
    mem x s -> cardinal s = 1 + cardinal (remove x s)

  axiom cardinal_below:
    forall n: int.  0 <= n <= size ->
    cardinal (below n) = if n >= 0 then n else 0

end

module HashTable

  use option.Option
  use int.Int
  use map.Map

  type t 'a 'b = private { ghost mutable contents: map 'a (option 'b) }

  function ([]) (h: t 'a 'b) (k: 'a) : option 'b = Map.get h.contents k

  val create (n:int) : t 'a 'b
    requires { 0 < n } ensures { forall k: 'a. result[k] = None }

  val clear (h: t 'a 'b) : unit writes {h}
    ensures { forall k: 'a. h[k] = None }

  val add (h: t 'a 'b) (k: 'a) (v: 'b) : unit writes {h}
    ensures { h[k] = Some v /\ forall k': 'a. k' <> k -> h[k'] = (old h)[k'] }

  exception Not_found

  val find (h: t 'a 'b) (k: 'a) : 'b
    ensures { h[k] = Some result } raises { Not_found -> h[k] = None }

end

module Appmap

  use map.Map
  use map.Const

  type key

  type t 'a = abstract { contents: map key 'a }

  val function create (x: 'a): t 'a
    ensures { result.contents = const x }

  val function ([]) (m: t 'a) (k: key): 'a
    ensures { result = m.contents[k] }

  val function ([<-]) (m: t 'a) (k: key) (v: 'a): t 'a
    ensures { result.contents = m.contents[k <- v] }

end

module Sum

  use int.Int
  use map.Map

  type container

  function f container int : int
  (** `f c i` is the `i`-th element in the container `c` *)

  function sum container int int : int
  (** `sum c i j` is the sum `\sum_{i <= k < j} f c k` *)

  axiom Sum_def_empty :
    forall c : container, i j : int. j <= i -> sum c i j = 0

  axiom Sum_def_non_empty :
    forall c: container, i j : int. i < j -> sum c i j = f c i + sum c (i+1) j

  axiom Sum_right_extension:
    forall c : container, i j : int.
    i < j -> sum c i j = sum c i (j-1) + f c (j-1)

  axiom Sum_transitivity :
    forall c : container, i k j : int. i <= k <= j ->
    sum c i j = sum c i k + sum c k j

  axiom Sum_eq :
    forall c1 c2 : container, i j : int.
    (forall k : int. i <= k < j -> f c1 k = f c2 k) -> sum c1 i j = sum c2 i j

end

module MaxMatrixMemo

  use int.Int
  use int.MinMax
  use ref.Ref
  use Bitset
  use map.Map

  clone Appmap with type key = int, axiom .

  val constant n : int
    ensures { 0 <= result <= size }

  val constant m : t (t int)
    ensures { forall i j: int. 0 <= i < n -> 0 <= j < n -> 0 <= result[i][j] }

  type mapii = Map.map int int

  predicate solution (s: mapii) (i: int) =
    (forall k: int. i <= k < n -> 0 <= Map.get s k < n) /\
    (forall k1 k2: int. i <= k1 < k2 < n -> Map.get s k1 <> Map.get s k2)

  predicate permutation (s: mapii) = solution s 0

  function f (s: mapii) (i: int) : int = m[i][Map.get s i]
  clone Sum with type container = mapii, function f = f, axiom .

  lemma sum_ind:
    forall i: int. i < n -> forall j: int.
    forall s: mapii. sum (Map.set s i j) i n = m[i][j] + sum s (i+1) n

  use option.Option
  use HashTable as H

  type key = (int, set)
  type value = (int, t int)

  predicate pre (k: key) =
    let (i, c) = k in
    0 <= i <= n /\ cardinal c = n-i /\ (forall k: int. mem k c -> 0 <= k < n)

  predicate post (k: key) (v: value) =
    let (i, c) = k in
    let (r, sol) = v in
    0 <= r /\ solution sol.contents i /\
    (forall k: int. i <= k < n -> mem sol[k] c) /\
    r = sum sol.contents i n /\
    (forall s: mapii.
       solution s i -> (forall k: int. i <= k < n -> mem (Map.get s k) c) ->
       r >= sum s i n)

  type table = H.t key value

  val table: table

  predicate inv (t: table) =
    forall k: key, v: value. H.([]) t k = Some v -> post k v

  let rec maximum (i:int) (c: set) : (int, t int) variant {2*n-2*i}
    requires { pre (i, c) /\ inv table }
    ensures { post (i,c) result /\ inv table }
  = if i = n then
      (0, create 0)
    else begin
      let r = ref (-1) in
      let sol = ref (create 0) in
      for j = 0 to n-1 do
        invariant {
          inv table /\
          (  (!r = -1 /\ forall k: int. 0 <= k < j -> not (mem k c))
          \/
            (0 <= !r /\ solution !sol.contents i /\
              (forall k: int. i <= k < n -> mem !sol[k] c) /\
              !r = sum !sol.contents i n /\
              (forall s: mapii.
                 solution s i -> (forall k: int. i <= k < n -> mem (Map.get s k) c) ->
                 mem (Map.get s i) c -> Map.get s i < j -> !r >= sum s i n)))
        }
        if mem j c then
          let (r', sol') = memo (i+1) (remove j c) in
          let x = m[i][j] + r' in
          if x > !r then begin r := x; sol := sol'[i <- j] end
      done;
      assert { 0 <= !r };
      (!r, !sol)
    end

  with memo (i:int) (c: set) : (int, t int) variant {2*n-2*i+1}
    requires { pre (i,c) /\ inv table }
    ensures { post (i,c) result /\ inv table }
  = try  H.find table (i,c)
    with H.Not_found -> let r = maximum i c in H.add table (i,c) r; r end

  let maxmat ()
    ensures { exists s: mapii. permutation s /\ result =  sum s 0 n }
    ensures { forall s: mapii. permutation s -> result >= sum s 0 n }
  = H.clear table;
    assert { inv table };
    let (r, _) = maximum 0 (below n) in r

end
why3-1.6.0/examples/max_matrix/000077500000000000000000000000001440160026300163735ustar00rootroot00000000000000why3-1.6.0/examples/max_matrix/why3session.xml000066400000000000000000000141731440160026300214210ustar00rootroot00000000000000










 
 
 
 
 
 
 
 
 
 
 
  
  
  
  
  
  
  
  
  
  
  
  
  
  
   
   
   
   
   
    
    
    
    
    
   
   
  
  
  
  
   
   
   
   
   
    
    
     
     
     
     
     
     
     
     
     
     
     
     
     
     
     
    
    
   
   
  
  
  
  
   
   
    
    
     
     
     
    
    
   
   
   
   
   
  
  
  
  
  
  
  
  
  
  
  
 
 
 
 
 
 
 
 



why3-1.6.0/examples/max_matrix/why3shapes.gz000066400000000000000000000061211440160026300210330ustar00rootroot00000000000000Zmo#_oms8/÷.QTX!~-H.7cIKN],)r 3K9Ç3){)?zR.~~=aoSВZo[2;j֩-jp[c+~prhwO5v[۱
n
Jۡ{(hn
vT%QL7qOD)PRRn>ھg
6S'hhNhߣh1:ꖑ1Ԍwy&=[Y`Yŗ}z%'jE	|lVbU}8![\w)I-ktEwUVtve~O.w3n+L!ʸDьޭ>9iPl]yn}@/{:t`Cϓلͤ@3
O
0~V7T%҈7`kƱsv9#
>iK|\n]ˍhsg->ڧeoJ8.nin>fF콷_yrAW+J,w.K"M!>(AOe܏Q}$AIV`jDY3Ӣ!E
#M2vJBk&NB(u.(a,$}x+0:ld<r5b&DG][!qE/BOH]WiBUhvm}=X8''eytkz&>"m$=LhI蘏Q*vbxyi X):)i
gCof@pƅYab,Sc$	iÏEw^l 5Vu$b74U6YSlDٲ>Y(#כM"ޤFxHI48W)xA6VxHHP39=1>	6Jk%[}-G"3sBg)lγ)>:ɝN
x
#(T`:-gQ|;tirr(~ҹ55XS5uU:Zx"C^ŏWẋq5󘫹ǭ̛CY;Gӊ^ԨUORˣM{VJ%WU%WpL+U)J/`1`CZz,gS*DoVъH5Xe(_9	e:IR'~b69-l$nGDݨi:,Nɑ_L!LJ%&ajvLf*kzv`@i򅲻'Ҷ}xB6I})9,}Xt\8SeA[HJJC/Ζ>c̉D"Tn[:,G|Mfu!e`bSFSFjاRM]ﺴ!KU!Kޑf^9NXAAA~uX&q^>^\YF+KU]YVq\L#1/|\}9p?^,w2y}\\A78[,_l7(hClC
&TJ,Gj(bPf]`N@ČT
5$tQ*1#UB_Y22؞dTY*4A&%]`L'M0@ǡsJj`тidXcNMKFF.YFIwRBf@t.Za,H\:ᙷq3j)X#8ңm'HZ{`𒚸\6
놫 lNNf&C9Ny)n#tD;H7x:5`i\4GDNchT,szrZ}=b5r!.':NUԮ&H!A{;Ī^ep4H"hK#z0j/|L	ˍcf)D#GYi%hZ`G#B0>	Fzר҈o2`}+4nэ	K#F`7];DA,LZc$J刴$p]E3D2#?h$Bw}qۼT1)wFrBH=.&[@ɸPKLA$.qHggyo0
?(`ug" eE~}9c8a	R,F:R`i2Xg$\I
>AH l <= h <= length a -> sum a l h <= s

  (* s is no smaller than sums of subarrays of a *)
  predicate maxsub (a: array int) (s: int) =
    forall l h: int. 0 <= l <= h <= length a -> sum a l h <= s

end

(* In all codes below, reference ms stands for the maximal sum found so far
   and ghost references lo and hi hold the bounds for this sum *)

(* Naive solution, in O(N^3) *)
module Algo1

  use int.Int
  use ref.Refint
  use Spec

  let maximum_subarray (a: array int) (ghost lo hi: ref int): int
    ensures { 0 <= !lo <= !hi <= length a && result = sum a !lo !hi }
    ensures { maxsub a result }
  = lo := 0;
    hi := 0;
    let n = length a in
    let ms = ref 0 in
    for l = 0 to n-1 do
      invariant { 0 <= !lo <= l && !lo <= !hi <= n && !ms = sum a !lo !hi }
      invariant { maxsublo a l !ms }
      for h = l to n do
        invariant { 0 <= !lo <= l && !lo <= !hi <= n && !ms = sum a !lo !hi }
        invariant { maxsublo a l !ms }
        invariant { forall h': int. l <= h' < h -> sum a l h' <= !ms }
        (* compute the sum of a[l..h[ *)
        let s = ref 0 in
        for i = l to h-1 do
          invariant { !s = sum a l i }
          invariant { 0 <= !lo <= l && !lo <= !hi <= n && !ms = sum a !lo !hi }
          s += a[i]
        done;
        assert { !s = sum a l h };
        if !s > !ms then begin ms := !s; lo := l; hi := h end
      done
    done;
    !ms

end

(* Slightly less naive solution, in O(N^2)
   Do not recompute the sum, simply update it *)

module Algo2

  use int.Int
  use ref.Refint
  use Spec

  let maximum_subarray (a: array int) (ghost lo hi: ref int): int
    ensures { 0 <= !lo <= !hi <= length a && result = sum a !lo !hi }
    ensures { maxsub a result }
  = lo := 0;
    hi := 0;
    let n = length a in
    let ms = ref 0 in
    for l = 0 to n-1 do
      invariant { 0 <= !lo <= l && !lo <= !hi <= n && 0 <= !ms = sum a !lo !hi }
      invariant { maxsublo a l !ms }
      let s = ref 0 in
      for h = l+1 to n do
        invariant
                { 0 <= !lo <= l && !lo <= !hi <= n && 0 <= !ms = sum a !lo !hi }
        invariant { maxsublo a l !ms }
        invariant { forall h': int. l <= h' < h -> sum a l h' <= !ms }
        invariant { !s = sum a l (h-1) }
        s += a[h-1]; (* update the sum *)
        assert { !s = sum a l h };
        if !s > !ms then begin ms := !s; lo := l; hi := h end
      done
    done;
    !ms

end

(* Divide-and-conqueer solution, in O(N log N) *)

module Algo3

  use int.Int
  use ref.Refint
  use int.ComputerDivision
  use Spec

  let rec maximum_subarray_rec (a: array int) (l h: int) (ghost lo hi: ref int)
    : int
    requires { 0 <= l <= h <= length a }
    ensures  { l <= !lo <= !hi <= h && result = sum a !lo !hi }
    ensures  { forall l' h': int. l <= l' <= h' <= h -> sum a l' h' <= result }
    variant  { h - l }
  = if h = l then begin
      (* base case: no element at all *)
      lo := l; hi := h; 0
    end else begin
      (* at least one element *)
      let mid = l + div (h - l) 2 in
      (* first consider all sums that include a[mid] *)
      lo := mid; hi := mid;
      let ms = ref 0 in
      let s  = ref !ms in
      for i = mid-1 downto l do
        invariant { l <= !lo <= mid = !hi && !ms = sum a !lo !hi }
        invariant { forall l': int. i < l' <= mid -> sum a l' mid <= !ms }
        invariant { !s = sum a (i+1) mid }
        s += a[i];
        assert { !s = sum a i mid };
        if !s > !ms then begin ms := !s; lo := i end
      done;
      assert { forall l': int. l <= l' <= mid ->
               sum a l' mid <= sum a !lo mid };
      s := !ms;
      for i = mid to h-1 do
        invariant { l <= !lo <= mid <= !hi <= h && !ms = sum a !lo !hi }
        invariant { forall l' h': int. l <= l' <= mid <= h' <= i ->
                    sum a l' h' <= !ms }
        invariant { !s = sum a !lo i }
        s += a[i];
        assert { !s = sum a !lo (i+1) };
        assert { !s = sum a !lo mid + sum a mid (i+1) };
        if !s > !ms then begin ms := !s; hi := (i+1) end
      done;
      (* then consider sums in a[l..mid[ and a[mid+1..h[, recursively *)
      begin
         let ghost lo' = ref 0 in
         let ghost hi' = ref 0 in
         let left = maximum_subarray_rec a l mid lo' hi' in
         if left > !ms then begin ms := left; lo := !lo'; hi := !hi' end
      end;
      begin
         let ghost lo' = ref 0 in
         let ghost hi' = ref 0 in
         let right = maximum_subarray_rec a (mid+1) h lo' hi' in
         if right > !ms then begin ms := right; lo := !lo'; hi := !hi' end
      end;
      !ms
    end

 let maximum_subarray (a: array int) (ghost lo hi: ref int): int
    ensures { 0 <= !lo <= !hi <= length a && result = sum a !lo !hi }
    ensures { maxsub a result }
  = maximum_subarray_rec a 0 (length a) lo hi

end

(* Optimal solution, in O(N)
   Known as Kadane's algorithm *)

module Algo4

  use int.Int
  use ref.Refint
  use Spec

  let maximum_subarray (a: array int) (ghost lo hi: ref int): int
    ensures { 0 <= !lo <= !hi <= length a && result = sum a !lo !hi }
    ensures { maxsub a result }
  = lo := 0;
    hi := 0;
    let n = length a in
    let ms = ref 0 in
    let ghost l = ref 0 in
    let s = ref 0 in
    for i = 0 to n-1 do
      invariant { 0 <= !lo <= !hi <= i && 0 <= !ms = sum a !lo !hi }
      invariant { forall l' h': int. 0 <= l' <= h' <= i -> sum a l' h' <= !ms }
      invariant { 0 <= !l <= i && !s = sum a !l i }
      invariant { forall l': int. 0 <= l' < i -> sum a l' i <= !s }
      if !s < 0 then begin s := a[i]; l := i end else s += a[i];
      if !s > !ms then begin ms := !s; lo := !l; hi := (i+1) end
    done;
    !ms

end

(* A slightly different variation of Kadane's algorithm *)

module Algo5

  use int.Int
  use ref.Refint
  use export array.Array
  use export array.ArraySum

(*
    [| | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | |]
     ......|###### maxsum #######|..............
     ............................. |## curmax ##
*)

  let maximum_subarray (a: array int): int
    ensures { forall l h: int. 0 <= l <= h <= length a -> sum a l h <= result }
    ensures { exists l h: int. 0 <= l <= h <= length a /\ sum a l h  = result }
  =
    let maxsum = ref 0 in
    let curmax = ref 0 in
    let ghost lo = ref 0 in
    let ghost hi = ref 0 in
    let ghost cl = ref 0 in
    for i = 0 to a.length - 1 do
      invariant { forall l : int. 0 <= l <= i -> sum a l i <= !curmax }
      invariant { 0 <= !cl <= i /\ sum a !cl i  = !curmax }
      invariant { forall l h: int. 0 <= l <= h <= i -> sum a l h <= !maxsum }
      invariant { 0 <= !lo <= !hi <= i /\ sum a !lo !hi = !maxsum }
      curmax += a[i];
      if !curmax < 0 then begin curmax := 0; cl := i+1 end;
      if !curmax > !maxsum then begin maxsum := !curmax; lo := !cl; hi := i+1 end
    done;
    !maxsum

end

(* Kadane's algorithm with 63-bit integers

   Interestingly, we only have to require all sums to be no greater
   than max_int.  There is no need to require the sums to be no
   smaller than min_int, since whenever the sum becomes negative it is
   replaced by the next element. *)

module BoundedIntegers

  use int.Int
  use mach.int.Int63
  use mach.int.Refint63
  use seq.Seq
  use mach.array.Array63
  use int.Sum

  function sum (a: array int63) (lo hi: int) : int =
    Sum.sum (fun i -> (a[i] : int)) lo hi

  let maximum_subarray (a: array int63) (ghost lo hi: ref int): int63
    requires { [@no overflow] forall l h. 0 <= l <= h <= length a ->
               sum a l h <= max_int }
    ensures { 0 <= !lo <= !hi <= length a && result  = sum a !lo !hi }
    ensures { forall l h. 0 <= l <= h <= length a -> result >= sum a !lo !hi }
  = lo := 0;
    hi := 0;
    let n = length a in
    let ms = ref zero in
    let ghost l = ref 0 in
    let s = ref zero in
    let i = ref zero in
    while !i < n do
      invariant { 0 <= !lo <= !hi <= !i <= n && 0 <= !ms = sum a !lo !hi }
      invariant { forall l' h': int. 0 <= l' <= h' <= !i -> sum a l' h' <= !ms }
      invariant { 0 <= !l <= !i && !s = sum a !l !i }
      invariant { forall l': int. 0 <= l' < !i -> sum a l' !i <= !s }
      variant   { n - !i }
      if !s < zero then begin s := a[!i]; l := to_int !i end
      else begin assert { sum a !l (!i + 1) <= max_int }; s += a[!i] end;
      if !s > !ms then begin
        ms := !s; lo := !l; hi := to_int !i + 1 end;
      incr i
    done;
    !ms

end
why3-1.6.0/examples/maximum_subarray/000077500000000000000000000000001440160026300176075ustar00rootroot00000000000000why3-1.6.0/examples/maximum_subarray/why3session.xml000066400000000000000000000543261440160026300226410ustar00rootroot00000000000000










 
 
 


 
 
 


 
 
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
   
   
   
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
   
   
   
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
 
 
 
 
 


 
 
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
 
 


 
 
 


 
 
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
   
   
    
    
     
     
      
      
      
      
      
      
     
     
    
    
   
   
  
  
   
   
    
    
     
     
     
    
    
   
   
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
   
   
    
    
     
     
     
     
     
     
    
    
   
   
  
  
  
  
  
  
  
  
  
  
  
  
  
  
 
 



why3-1.6.0/examples/maximum_subarray/why3shapes.gz000066400000000000000000000245261440160026300222600ustar00rootroot00000000000000}Yoǒ{
6.2#KY[YeϝE.UY!)I`*3+Ȉ/"2?n	n~>^|W?	֞Yބ:n,߄8aߟ9x;x1{~3ߝ}LU9J,3WyP=߻\ӇszYJro	5SS6q׵Ak,=̵WIjYPpQD]!	Az2mǤ/jOLm^4*mnTZꝟ[	[]YzjSUJoڔڔ>?P(5JUT]>
~߸{؜c&[<]_g4>}
#C{-V;)ev<̚Mܖ<\@
3Mq{j1La`%HeYuN2_Y((j-r-D-r<"
I=ab9%rČX{ԏ
r"=W
&$2gJM%lb1S	V==L11E eѳ.Ru
)zmϛ3lf#,wr
|#	O ǧFUU\~(£}p:SW\7pu\'M
31"nC=ӌ??>]quY,Ax
BH]w=:?(|]DAwyT9&˼6䚆H)4$kGfg&oW/fld%(VU{!{RO6&| BŬC&Ny⤜&Nc,2çM̄k!PLR!RT1ğ	'=t|kDz"N33,YEYRc|V\$5iLT|&f>=(|ygeLv0٣tB3/b֥3;:)>cguD8)˃+'t
xg1a/9?7WNlIK;fؙmŅ_E|o}^#8I.wgG,$:wn͹qGdą3]q{ V#l=֚:մ		ғv}4WR/]hv&`KcYhŎtIh)MHg)f_It}0lVrAeViILPRY$UUK))*@,*s+qɠ4 F!N$HYnr0M'rbj1_j9 ҄ZnZ.Q˽Lr;frB-W[{vje%$\^`D(ː& P"`D+QցcR^`8~V^"`x?!᫸U׀,tUh,Kpa,K<9}EhU4l[1ߢ_݌W#f5&@@C.&fbxpOjֈP%:}A{mwhseK&$
CK2$a!ݐ0GT%bOe(
Mrf>u[
%E9(ZIit)e=Y%	zUjVXT;`0vm/5lt0FLz1[9lo_8?{qR1cb!p$GD@IMddӑM&@&<ᓔ|N1 &Q'a$p]5'a$Trf~q_p ?ƛOW]ۯ?/i蚀T$|-L`xHt%.:<jbK̂3ȂKc)2Bq>IbP!)Dp]BOMARV)my[c`:c@]|
%lŗ=.x
rt]ǸX="?m4Ď{c	|@4`wVq0QޔQpں˳"aJc%(Wn5W7T5O3b*&Ѩ~Zt9/8ޔyQ)~aRwiNˁ]Y;;	>M.Y-U,39v=&pe KP)y$;CqV/pӾ,Op!"u**>~6OU;u'}7/7=
{`44Vp!:ցthJn=<bViA=l4^eeKگ
Jj]/YSea]UGHu\r^4fe^Եj
x(l*X;#^1&q"U0b6	VܾYĤ.h}!Q/
i>.壐ff^ e[Yb2S{7'+&_X_"\:,Mٱ9K3!9f~ޒN鳞}sLXU
[{У̚7u2@>:m&Բwmfѥrgh޾ر;2]$Xm9Ɛ142*^c2/q1.;?SeK;|Q
=:m-K~wQ$؏e3Q#R:2)rM(`ץGlXC1a4.lϛ5k6p=OW#C-eK)i/H"cdSebL7?g2:bzw:2Q"{+M1[BQ}OXղbI}GAxlw<toϯ++VXA;l˴&-V<VNn.V4;ķk"bVa;
^]qmayc/K3yVQƟ~Unc|~AeV~Cm1
hq塥U1'2GGY(ّdbȧ^(Z;8P
pdi)ܦ<Ɂ#8qda\)b 
mm+DD= ̿(Ma bŢNoEOEJEjb6H.d("S[,Za^IWo[/9^dka1GG_|_xqExI=KjNaj+ʔz.3(olp|B'OSjZy{ys~悼]Oqw*EP<Au+~1iE\lŰrEI:]qvN-ŢwZ:`塰r[՗>8qJgL)-~32zٳ|kUV٫qk9z\U[~`Á
6lXEc2QƫHܩ9}uY&SvEHBNJ"KLխUWOMպijDKywגo標'.⦩aʬNAoxUuUuP^1jza:9I_oϱWm,/.{/A*C:O֩RSf70c_KZG}ȯ%mwkokIN.#0(eQiXn8HSX
7pFVuoQ"6«.W\,ci>>_|yRozC%M3oz$@da\)U'Ajv"@7Cv
cA
,=+ܷyǧWy,Iy~<5.y.̙C/GYa7'Vri9k8=8ٳt]zL8]?<7_,O׵Jmr+v^c=
`%|	)#hifWytfmϬA7nƝe:|H˵ŢkG
٫5[t[V3S8<1_ǣiDoLmЊA'8B7z̏SCnj
᱘hdpB
ӭ\{aմfJXtㆳ~h ,R``XL6V#sZmU#	³5A׎+.;	X̕M;H(8,3BmES){ߵ\A6vڣ
kԠb)`v襰k
U-7Q=ͻpЛAup};h[)褕btDci|VYO$k؏
t.ڜ,M<׽`:>6C,&0ユsNc<-MM#Fn
Dߍd)	\ˬN_Ϥa&	53QC`nhXZ_6?s2dȓ'O?iwI*ȓ?qO?)wRIR'Nҟ;It؜n/PQ+[	BvAr!ourdZu}Ӥ
W,`C:_@!X
!PV4Fw(uǐݷU[hL6866T-Xy@QeJJjK yy=8VC2͵\
P)
z	4F-Fk4!m vn@~B,Y^ڍw7#Ww\8 fNp5{r3dC)8D
[0HK@AlRvEkC7vyk=mK*9WT
Kۃ@s$5};
r*\P`I~-2+{5+gNN7 VUP	$΅82a,h-ǬWMegL<2n[^l+Ԉjr#E	}
Pgjp^qpQ2v* dàj[<8,<]ҩ\Gרs=0H
8ZAQ&688tUC(?tmT
]RN*tnv缒8GLl
~4%֏^C5#Q67&4h|>zMz0FBM{ [`"Y3|j׼thMVcꖰ1#0M/ٓoŸ3C+,4>(W-Tts]beu0v0X&a
*eP
j-AeQf0zx_@3KvPڰd6Yuq@j'/At
:%z^\s/eH@4H/1ˆX3vœExSpn,ݲfHy찥`JAؑ	Tn;52€a2`Bm2K8wdrxT.UV|0p·QkKc~mHuj`J+?a&	./r30>$0˭Ce`pъ氽G36p0 9Z7&҈
kƱm97-jhU{` A,
QjO` 5,!/XЊ8@5^	al ^%3pcQ_%-\T`m\3QШO9p,80p1p; >ǔbmG[]L
B]Kb2FJ+KS:Ԫ^@xmprfRb+ʊX:?
dX'
9hͻgi	T3(K^Z\408Z7Qc;mzTڣh{N5r ;atBjj65xQԢ(G{Q,Fp 2)`vgCmOĆrx8h%עc
^	%!Au
cr-,њ~ &-\	r֩Q*uf΀Cj#St8Sd-͡иܡUV׳07σbֵ6P`hw#hlɾK ՟V7$'\B/d0Ӌ0i>SCu1&h#
,Q6fEk|/Ms{-$Ag7ҹޥmjaMH!0يC!0Q3H (7IڏKop}*D	_[L->jDa^B5\<]`X[	[nhS*L&l=Ӄ^$zpePڭK/c7fGh&ڽqm6PM߷PqJ렊dx؋uG60X9`u:hM63i:>why3-1.6.0/examples/mccarthy.mlw000066400000000000000000000171131440160026300165600ustar00rootroot00000000000000
(** {1 McCarthy's "91" function}

authors: Jean-Christophe Filliâtre, Martin Clochard, Claude Marché
witness: Andrei Paskevich

*)

module McCarthy91

  use int.Int

  (** {2 Specification} *)

  function spec (x: int) : int = if x <= 100 then 91 else x-10

  (** {2 traditional recursive implementation} *)

  let rec f91 (n: int) : int
    ensures { result = spec n } variant { 101 - n }
  = if n <= 100 then
      f91 (f91 (n + 11))
    else
      n - 10

  (** {2 manually-optimized tail call} *)

  let rec f91_tco (n0: int) : int
    ensures { result = spec n0 } variant { 101 - n0 }
  = let ref n = n0 in
    while n <= 100 do
      invariant { n = n0 > 100 \/ n0 <= n <= 101 } variant { 101 - n }
      n <- f91_tco (n + 11)
    done;
    n - 10

  (** {2 non-recursive implementation using a while loop} *)

  use ref.Ref
  use int.Iter

  let f91_nonrec (n0: int): int
    ensures { result = spec n0 }
  = let ref e = 1 in
    let ref n = n0 in
    while e > 0 do
      invariant { e >= 0 /\ iter spec e n = spec n0 }
      variant   { 101 - n + 10 * e, e }
      if n > 100 then begin
        n <- n - 10;
        e <- e - 1
      end else begin
        n <- n + 11;
        e <- e + 1
      end
    done;
    n

  (** {2 irrelevance of control flow}

     We use a 'morally' irrelevant control flow from a recursive function
     to ease proof (the recursive structure does not contribute to the
     program execution). This is a technique for proving derecursified
     programs. See [verifythis_2016_tree_traversal] for a more
     complex example. *)

  exception Stop

  let f91_pseudorec (n0: int) : int
    ensures { result = spec n0 }
  = let ref e = 1 in
    let ref n = n0 in
    let bloc () : unit
      requires { e >= 0 }
      ensures { (old e) > 0 }
      ensures { if (old n) > 100 then n = (old n) - 10 /\ e = (old e) - 1
        else n = (old n) + 11 /\ e = (old e) + 1 }
      raises { Stop -> e = (old e) = 0 /\ n = (old n) }
    = if not (e > 0) then raise Stop;
      if n > 100 then begin
        n <- n - 10;
        e <- e - 1
      end else begin
        n <- n + 11;
        e <- e + 1
      end
    in
    let rec aux () : unit
      requires { e > 0 }
      variant { 101 - n }
      ensures { e = (old e) - 1 /\ n = spec (old n) }
      raises { Stop -> false }
    = let u = n in bloc (); if u <= 100 then (aux (); aux ()) in
    try aux (); bloc (); absurd
    with Stop -> n end


end

module McCarthyWithGhostMonitor


  use int.Int
  use ref.Ref

  function spec (x: int) : int = if x <= 100 then 91 else x-10

  (** {2 Variant using a general 'ghost coroutine' approach}

    Assume we want to prove the imperative code:
{h 
    e <- 1; r <- n;
loop
  if r > 100 { r <- r - 10; e <- e - 1; if e = 0 break }
        else { r <- r + 11; e <- e + 1 }
end-loop

    }
we annotate the various program points:
{h 
    { 0 } e <- 1;
{ 1 } r <- n;
      loop
{ 2 } if r > 100 then { 3 } r <- r - 10; { 4 } e <- e - 1; { 5 } if e=0 then break;
                 else { 6 } r <- r + 11; { 7 } e <- e + 1;
end-loop
{ 8 }

    }

we define the small-step semantics of this code by the following [step] function

*)


  val ref pc : int
  val ref n : int
  val ref e : int
  val ref r : int

  val step () : unit
    requires { 0 <= pc < 8 }
    writes   { pc, e, r }
    ensures { old pc = 0 -> pc = 1 /\ e = 1 /\ r = old r }
    ensures { old pc = 1 -> pc = 2 /\ e = old e /\ r = n }
    ensures { old pc = 2 /\ old r > 100 -> pc = 3 /\ e = old e /\ r = old r }
    ensures { old pc = 2 /\ old r <= 100 -> pc = 6 /\ e = old e /\ r = old r }
    ensures { old pc = 3 -> pc = 4 /\ e = old e /\ r = old r - 10 }
    ensures { old pc = 4 -> pc = 5 /\ e = old e - 1 /\ r = old r }
    ensures { old pc = 5 /\ old e = 0 -> pc = 8 /\ e = old e /\ r = old r }
    ensures { old pc = 5 /\ old e <> 0 -> pc = 2 /\ e = old e /\ r = old r }
    ensures { old pc = 6 -> pc = 7 /\ e = old e /\ r = old r + 11 }
    ensures { old pc = 7 -> pc = 2 /\ e = old e + 1 /\ r = old r }

  let rec monitor () : unit
    requires { pc = 2 /\ e > 0 }
    variant  { 101 - r }
    ensures  { pc = 5 /\ r = spec(old r) /\ e = old e - 1 }
  = step (); (* execution of 'if r > 100' *)
    if pc = 3 then begin
       step (); (* assignment r <- r - 10 *)
       step (); (* assignment e <- e - 1  *)
       end
    else begin
       step (); (* assignment r <- r + 11 *)
       step (); (* assignment e <- e + 1 *)
       monitor ();
       step (); (* 'if e=0' must be false *)
       monitor ()
       end

  let mccarthy ()
    requires { pc = 0 /\ n >= 0 }
    ensures { pc = 8 /\ r = spec n }
  = step (); (* assignment e <- 1 *)
    step (); (* assignment r <- n *)
    monitor (); (* loop *)
    step() (* loop exit *)

(** {2 a variant with not-so-small steps}

we annotate the important program points:
{h 
    { 0 } e <- 1;
      r <- n;
      loop
{ 1 }   if r > 100 { r <- r - 10; e <- e - 1; { 2 } if e = 0 break; }
              else { r <- r + 11; e <- e + 1; }
      end-loop
end-while
{ 3 }
return r

    }

we define the not-so-small-step semantics of this code by the following [next] function

*)

  val next () : unit
    requires { 0 <= pc < 3 }
    writes   { pc, e, r }
    ensures { old pc = 0 -> pc = 1 /\ e = 1 /\ r = n }
    ensures { old pc = 1 /\ old r > 100 ->
              pc = 2 /\ r = old r - 10 /\ e = old e - 1 }
    ensures { old pc = 1 /\ old r <= 100 ->
              pc = 1 /\ r = old r + 11 /\ e = old e + 1 }
    ensures { old pc = 2 /\ old e = 0 -> pc = 3 /\ r = old r /\ e = old e }
    ensures { old pc = 2 /\ old e <> 0 -> pc = 1 /\ r = old r /\ e = old e }

  (* [aux2] performs as may loop iterations as needed so as to reach program point 2
     from program point 1 *)
  let rec monitor2 () : unit
    requires { pc = 1 /\ e > 0 }
    variant  { 101 - r }
    ensures  { pc = 2 /\ r = spec(old r) /\ e = old e - 1 }
  = next ();
    if pc <> 2 then begin monitor2 (); next (); monitor2 () end


  let mccarthy2 ()
    requires { pc = 0 /\ n >= 0 }
    ensures { pc = 3 /\ r = spec n }
  = next (); (* assignments e <- 1; r <- n *)
    monitor2 (); (* loop *)
    next ()

end

module McCarthy91Mach

  use int.Int
  use mach.int.Int63

  function spec (x: int) : int = if x <= 100 then 91 else x-10

  let rec f91 (n: int63) : int63
    variant { 101 - n }
    ensures { result = spec n }
  = if n <= 100 then
      f91 (f91 (n + 11))
    else
      n - 10

  use mach.peano.Peano
  use mach.int.Refint63
  use int.Iter

  let f91_nonrec (n0: int63) : int63
    ensures { result = spec n0 }
  = let ref e = one in
    let ref n = n0 in
    while gt e zero do
      invariant { e >= 0 /\ iter spec e n = spec n0 }
      variant   { 101 - n + 10 * e, e:int }
      if n > 100 then begin
        n <- n - 10;
        e <- pred e
      end else begin
        n <- n + 11;
        e <- succ e
      end
    done;
    n

  exception Stop

  let f91_pseudorec (n0: int63) : int63
    ensures { result = spec n0 }
  = let ref e = one in
    let ref n = n0 in
    let bloc () : unit
      requires { e >= 0 }
      ensures { (old e) > 0 }
      ensures { if (old n) > 100 then n = (old n) - 10 /\ e = (old e) - 1
        else n = (old n) + 11 /\ e = (old e) + 1 }
      raises { Stop -> e = (old e) = 0 /\ n = (old n) }
    = if not (gt e zero) then raise Stop;
      if n > 100 then begin
        n := n - 10;
        e := pred e
      end else begin
        n := n + 11;
        e := succ e
      end
    in
    let rec aux () : unit
      requires { e > 0 }
      variant { 101 - n }
      ensures { e = (old e) - 1 /\ n = spec (old n) }
      raises { Stop -> false }
    = let u = n in bloc (); if u <= 100 then (aux (); aux ()) in
    try aux (); bloc (); absurd
    with Stop -> n end

end
why3-1.6.0/examples/mccarthy/000077500000000000000000000000001440160026300160345ustar00rootroot00000000000000why3-1.6.0/examples/mccarthy/why3session.xml000066400000000000000000000111631440160026300210560ustar00rootroot00000000000000







 
 
 
 
 
  
  
  
  
  
   
   
   
   
   
   
  
  
  
  
  
  
  
  
  
  
  
 
 
 
 
 
 
 
 


 
 
 
 
 
 
 
 
 
 
 
 


 
 
 
 
 
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
 
 
 
 
 



why3-1.6.0/examples/mccarthy/why3shapes.gz000066400000000000000000000062131440160026300204760ustar00rootroot00000000000000Y[o~iO`,j'p`R{⅓MΐDrv-E~3;)~޾t/۷r:?ik?q2|Q<^rfvGAL	a';FApaOFb!hh\he
.nO>to$ml{
<
UZ5G_/ܞDqdK=-	!
p(聄82	,>f$	?)=
*1%p5Z碓a?uM,Gjz׎y|(1/J|8J2)}H),"k&k)t8AiFVf(=ƍIqln!AM3ʋfwjDJG(4MJ1ae)b.)
),\\hlSXڇw f	ç/?/y.K%K=sU8
P%]0	+~-dWpRLѪ2Ȯgjq_"6 7ѧŘ*qE@	X`~lBO)d7)sAc&	uZ	wIBd
onkҕ(;˛`LZŮh`6j =:
pnXDDZ֪Xq0:jOۢJXe7C
߹"!i(u5#rKUBR-039Ԉs>LUh
wÓl$X2UCULoa+HfhY>|#+"(`
GM11'	ͦ,GgA벵*bT6gt㋇ș
NY`BX05s
oc֡ȶdxhuN1
SR]%oJqVo~!\F39		JQRW)AfPUp$K9`,PJ*8:ZQ(a8[@o-LXJTj8W@2q^ؖUOK-HXv~hs	*%eנ58l|.8xrCu.T)T2Ցk"YHgu;UaUnOV*aVC0|5X`Sմm"(A95~*Q7:O!Bk.[(u\)`)~5:Xqen7K.:1zLGfPQ&WUN(D/'R.J@]k
2J`?gU~Of$r7Q2
nîշ<)2oQ0U-9U[UUm+SFMZ;`儬r[9!:'FN@ɉWrVzI:Ȑbo72j'[9v5$͠8qh1KR~5
~|wn.ԯsr%&J5Fyn<΄XJ+W,]m3K7-	©>q9x͐$[ww9SSiiqCe{~.?gq_KD<3)^J?0?'iWa\op.y?a27<
}-vTH67|(
f~Zp僾Lhs7>*7E	.۬;4%ͷ)
Ļoylq1ywp(m߫;hX;@tr4/p@8`M}enc1sr&rpV~yHKh*ί&8 q	rԜa͹W?7Mb`?1C0ӑ7z<7ˎcn@o(w@7HRr"o:LĆ.BջX.3څdxfUY:حF%3Eg,CbfcwtXfӷZvZ5mGhqp[Ct+EGB#3\d4[p":':m#ZV?{hx
]Fi%
vJKp&6)[{}PVP5a>N$ n))YucصT!eEVHgoi΁  finZ1'$p@]g]/uԝnSARvI]G(;5{VAQ۠"6.>edOƑmZ뻭6Aޒ*xvhq+A`CujE]$wA*'JnqR ]6عH:HZ
ژ-sʓTРIO].MB!5t;Enn=$
C
n1W}Bmw
AS\]E@w@{@s@}@
Vdκ`ثBR@	bU.6CD
!ɢV`RBOk%AYղBEM$ECaBcm1( vm#:efA 
Yoz7EJO"@A+B"d3Eْ?"XO"BZroJbmOq[e gqjV'+why3-1.6.0/examples/mccarthy_vc_sp.mlw000066400000000000000000000072041440160026300177520ustar00rootroot00000000000000
(* McCarthy's ``91'' function. *)

module McCarthy91

  use int.Int

  function spec (x: int) : int = if x <= 100 then 91 else x-10

  (* traditional recursive implementation *)

  let rec f91 (n:int) : int variant { 101-n }
    ensures { result = spec n }
  = [@vc:sp]
    if n <= 100 then
      f91 (f91 (n + 11))
    else
      n - 10

  (* non-recursive implementation using a while loop *)

  use ref.Ref
  use int.Iter

  let f91_nonrec (n0: int) ensures { result = spec n0 }
  = [@vc:sp]
    let e = ref 1 in
    let n = ref n0 in
    while !e > 0 do
      invariant { !e >= 0 /\ iter spec !e !n = spec n0 }
      variant   { 101 - !n + 10 * !e, !e }
      if !n > 100 then begin
        n := !n - 10;
        e := !e - 1
      end else begin
        n := !n + 11;
        e := !e + 1
      end
    done;
    !n

  (* Use a 'morally' irrelevant control flow from a recursive function
     to ease proof (the recursive structure does not contribute to the
     program execution). This is a technique for proving derecursified
     programs. See verifythis_2016_tree_traversal for a more
     complex example. *)

  exception Stop

  let f91_pseudorec (n0:int) : int
    ensures { result = spec n0 }
  = [@vc:sp]
    let e = ref 1 in
    let n = ref n0 in
    let bloc () : unit
      requires { !e >= 0 }
      ensures { !(old e) > 0 }
      ensures { if !(old n) > 100 then !n = !(old n) - 10 /\ !e = !(old e) - 1
        else !n = !(old n) + 11 /\ !e = !(old e) + 1 }
      raises { Stop -> !e = !(old e) = 0 /\ !n = !(old n) }
    = if not (!e > 0) then raise Stop;
      if !n > 100 then begin
        n := !n - 10;
        e := !e - 1
      end else begin
        n := !n + 11;
        e := !e + 1
      end
    in
    let rec aux () : unit
      requires { !e > 0 }
      variant { 101 - !n }
      ensures { !e = !(old e) - 1 /\ !n = spec !(old n) }
      raises { Stop -> false }
    = let u = !n in bloc (); if u <= 100 then (aux (); aux ()) in
    try aux (); bloc (); absurd
    with Stop -> !n end

end

module McCarthy91Mach

  use int.Int
  use mach.int.Int63

  function spec (x: int) : int = if x <= 100 then 91 else x-10

  let rec f91 (n: int63) : int63
    variant { 101 - n }
    ensures { result = spec n }
  = [@vc:sp]
    if n <= 100 then
      f91 (f91 (n + 11))
    else
      n - 10

  use mach.peano.Peano
  use mach.int.Refint63
  use int.Iter

  let f91_nonrec (n0: int63) : int63
    ensures { result = spec n0 }
  = [@vc:sp]
    let e = ref one in
    let n = ref n0 in
    while gt !e zero do
      invariant { !e >= 0 /\ iter spec !e !n = spec n0 }
      variant   { 101 - !n + 10 * !e, !e:int }
      if !n > 100 then begin
        n := !n - 10;
        e := pred !e
      end else begin
        n := !n + 11;
        e := succ !e
      end
    done;
    !n

  exception Stop

  let f91_pseudorec (n0: int63) : int63
    ensures { result = spec n0 }
  = [@vc:sp]
    let e = ref one in
    let n = ref n0 in
    let bloc () : unit
      requires { !e >= 0 }
      ensures { !(old e) > 0 }
      ensures { if !(old n) > 100 then !n = !(old n) - 10 /\ !e = !(old e) - 1
        else !n = !(old n) + 11 /\ !e = !(old e) + 1 }
      raises { Stop -> !e = !(old e) = 0 /\ !n = !(old n) }
    = if not (gt !e zero) then raise Stop;
      if !n > 100 then begin
        n := !n - 10;
        e := pred !e
      end else begin
        n := !n + 11;
        e := succ !e
      end
    in
    let rec aux () : unit
      requires { !e > 0 }
      variant { 101 - !n }
      ensures { !e = !(old e) - 1 /\ !n = spec !(old n) }
      raises { Stop -> false }
    = let u = !n in bloc (); if u <= 100 then (aux (); aux ()) in
    try aux (); bloc (); absurd
    with Stop -> !n end

end
why3-1.6.0/examples/mccarthy_vc_sp/000077500000000000000000000000001440160026300172265ustar00rootroot00000000000000why3-1.6.0/examples/mccarthy_vc_sp/why3session.xml000066400000000000000000000030611440160026300222460ustar00rootroot00000000000000








 
 
 
 
 
 
 
 
 


 
 
 
 
 
 
 
 
 



why3-1.6.0/examples/mccarthy_vc_sp/why3shapes.gz000066400000000000000000000025011440160026300216640ustar00rootroot00000000000000VKo6Wm|K*6A"0K낒(hkvC}gHJ")?A(gʑ`'VEl2}o!W05Q
}egMX{sxwYѳ(XM;3%7n!2+x̕)R[-Oo	H3m8$圐$d-6!EW,ndIJ03~cQҗB3!GB+;C4+E$r79\gIKqq1dQtdy5KȎUS~J-$<rVOdq@w6!74)sopf>H+I氷1t4˾0c׌K1nL^,XYaɻζkZۑfIE+"TDŽbUB4R2@
\K-jʈ%-+fJ+xmiڰ5R~ʚFRYPM/}/xvN-D5Ѷ(uI9Q\5i{#zٳVj5=/R45s"4why3-1.6.0/examples/mergesort_array.mlw000066400000000000000000000233651440160026300201610ustar00rootroot00000000000000
(** {1 Sorting arrays using mergesort}

    Author: Jean-Christophe Filliâtre (CNRS)
*)

(** {2 Parameters} *)

module Elt

  use export int.Int
  use export array.Array

  type elt

  val predicate le elt elt

  clone relations.TotalPreOrder with
    type t = elt, predicate rel = le, axiom .

  clone export array.Sorted with type
    elt = elt, predicate le = le, axiom .

end

(** {2 Merging}

    It is well-known than merging sub-arrays in-place is extremely difficult
    (we don't even know how to do it in linear time).
    So we use some extra storage i.e. we merge two segments of a first array
    into a second array. *)

module Merge

  clone export Elt with axiom .
  use export ref.Refint
  use export array.Array
  use map.Occ
  use export array.ArrayPermut

  (* merges tmp[l..m[ and tmp[m..r[ into a[l..r[ *)
  let merge (tmp a: array elt) (l m r: int) : unit
    requires { 0 <= l <= m <= r <= length tmp = length a }
    requires { sorted_sub tmp l m }
    requires { sorted_sub tmp m r }
    ensures  { sorted_sub a l r }
    ensures  { permut tmp a l r }
    ensures  { forall i: int.
               (0 <= i < l \/ r <= i < length a) -> a[i] = (old a)[i] }
  = let i = ref l in
    let j = ref m in
    for k = l to r-1 do
      invariant { l <= !i <= m <= !j <= r }
      invariant { !i - l + !j - m = k - l }
      invariant { sorted_sub a l k }
      invariant { forall x y: int. l <= x < k -> !i <= y < m -> le a[x] tmp[y] }
      invariant { forall x y: int. l <= x < k -> !j <= y < r -> le a[x] tmp[y] }
      invariant { forall v: elt.
                  occ v tmp.elts l !i + occ v tmp.elts m !j = occ v a.elts l k }
      invariant { forall i: int.
                  (0 <= i < l \/ r <= i < length a) -> a[i] = (old a)[i] }
      if !i < m && (!j = r || le tmp[!i] tmp[!j]) then begin
        a[k] <- tmp[!i];
        incr i
      end else begin
        a[k] <- tmp[!j];
        incr j
      end
    done

  (* merges a[l..m[ and a[m..r[ into a[l..r[, using tmp as a temporary *)
  let merge_using (tmp a: array elt) (l m r: int) : unit
    requires { 0 <= l <= m <= r <= length tmp = length a }
    requires { sorted_sub a l m }
    requires { sorted_sub a m r }
    ensures  { sorted_sub a l r }
    ensures  { permut (old a) a l r }
    ensures  { forall i: int.
               (0 <= i < l \/ r <= i < length a) -> a[i] = (old a)[i] }
  = if l < m && m < r then (* both sides are non empty *)
      if le a[m-1] a[m] then (* OPTIM: already sorted *)
        assert { forall i1 i2: int. l <= i1 < m -> m <= i2 < r ->
                 le a[i1] a[m-1] && le a[m] a[i2] }
      else begin
        label N in
        blit a l tmp l (r - l);
        merge tmp a l m r;
        assert { permut_sub (a at N) a l r }
      end

end

(** {2 Top-down, recursive mergesort}

    Split in equal halves, recursively sort the two, and then merge. *)

module TopDownMergesort

  clone Merge with axiom .
  use mach.int.Int

  let rec mergesort_rec (a tmp: array elt) (l r: int) : unit
    requires { 0 <= l <= r <= length a = length tmp }
    ensures { sorted_sub a l r }
    ensures { permut_sub (old a) a l r }
    variant { r - l }
  = if l >= r-1 then return;
    let m = l + (r - l) / 2 in
    assert { l <= m < r };
    mergesort_rec a tmp l m;
    assert { permut_sub (old a) a l r };
    label M in
    mergesort_rec a tmp m r;
    assert { permut_sub (a at M) a l r };
    merge_using tmp a l m r

  let mergesort (a: array elt) : unit
    ensures { sorted a }
    ensures { permut_all (old a) a }
  =
    let tmp = Array.copy a in
    mergesort_rec a tmp 0 (length a)

end

(** {2 Bottom-up, iterative mergesort}

    First sort segments of length 1, then of length 2, then of length 4, etc.
    until the array is sorted.

    Surprisingly, the proof is much more complex than for natural mergesort
    (see below). *)

module BottomUpMergesort

  clone Merge with axiom .
  use mach.int.Int
  use int.MinMax

  let bottom_up_mergesort (a: array elt) : unit
    ensures { sorted a }
    ensures { permut_all (old a) a }
  = let n = length a in
    let tmp = Array.copy a in
    let len = ref 1 in
    while !len < n do
      invariant { 1 <= !len }
      invariant { permut_all (old a) a }
      invariant { forall k: int. let l = k * !len in
                  0 <= l < n -> sorted_sub a l (min n (l + !len)) }
      variant   { 2 * n - !len }
      label L in
      let lo = ref 0 in
      let ghost i = ref 0 in
      while !lo < n - !len do
        invariant { 0 <= !lo /\ !lo = 2 * !i * !len }
        invariant { permut_all (a at L) a }
        invariant { forall k: int. let l = k * !len in
                    !lo <= l < n -> sorted_sub a l (min n (l + !len)) }
        invariant { forall k: int. let l = k * (2 * !len) in
                    0 <= l < !lo -> sorted_sub a l (min n (l + 2 * !len)) }
        variant   { n + !len - !lo }
        let mid = !lo + !len in
        assert { mid = (2 * !i + 1) * !len };
        assert { sorted_sub a !lo (min n (!lo + !len)) };
        let hi = min n (mid + !len) in
        assert { sorted_sub a mid (min n (mid + !len)) };
        label M in
        merge_using tmp a !lo mid hi;
        assert { permut_sub (a at M) a !lo hi };
        assert { permut_all (a at M) a };
        assert { hi = min n (!lo + 2 * !len) };
        assert { sorted_sub a !lo (min n (!lo + 2 * !len)) };
        assert { forall k: int. let l = k * !len in mid + !len <= l < n ->
                   sorted_sub (a at M) l (min n (l + !len)) &&
                   sorted_sub a        l (min n (l + !len)) };
        assert { forall k: int. let l = k * (2 * !len) in 0 <= l < mid + !len ->
                   k <= !i &&
                   (k < !i ->
                     min n (l + 2 * !len) <= !lo &&
                     sorted_sub (a at M) l (min n (l + 2 * !len)) &&
                     sorted_sub a        l (min n (l + 2 * !len)) )
                   &&
                   (k = !i ->
                     l = !lo /\ sorted_sub a l (min n (l + 2 * !len)))
               };
        lo := mid + !len;
        ghost incr i
      done;
      assert { forall k: int. let l = k * (2 * !len) in 0 <= l < n ->
               l = (k * 2) * !len &&
               (l < !lo ->
                 sorted_sub a l (min n (l + 2 * !len))) &&
               (l >= !lo ->
                 sorted_sub a l (min n (l + !len)) &&
                 min n (l + 2 * !len) = min n (l + !len) = n &&
                 sorted_sub a l (min n (l + 2 * !len))) };
      len := 2 * !len;
    done;
    assert { sorted_sub a (0 * !len) (min n (0 + !len)) }

end

(** {2 Natural mergesort}

    This is a mere variant of bottom-up mergesort above, where
    we start with ascending runs (i.e. segments that are already sorted)
    instead of starting with single elements. *)

module NaturalMergesort

  clone Merge with axiom .
  use mach.int.Int
  use int.MinMax

  (* returns the maximal hi such that a[lo..hi[ is sorted *)
  let find_run (a: array elt) (lo: int) : int
    requires { 0 <= lo < length a }
    ensures  { lo < result <= length a }
    ensures  { sorted_sub a lo result }
    ensures  { result < length a -> not (le a[result-1] a[result]) }
  =
    let i = ref (lo + 1) in
    while !i < length a && le a[!i - 1] a[!i] do
      invariant { lo < !i <= length a }
      invariant { sorted_sub a lo !i }
      variant   { length a - !i }
      incr i
    done;
    !i

  let natural_mergesort (a: array elt) : unit
    ensures { sorted a }
    ensures { permut_all (old a) a }
  = let n = length a in
    if n <= 1 then return;
    let tmp = Array.copy a in
    let ghost first_run = ref 0 in
    while true do
      invariant { 0 <= !first_run <= n && sorted_sub a 0 !first_run }
      invariant { permut_all (old a) a }
      variant   { n - !first_run }
      label L in
      let lo = ref 0 in
      while !lo < n - 1 do
        invariant { 0 <= !lo <= n }
        invariant { !first_run at L <= !first_run <= n }
        invariant { sorted_sub a 0 !first_run }
        invariant { !lo = 0 \/ !lo >= !first_run > !first_run at L }
        invariant { permut_all (a at L) a }
        variant   { n - !lo }
        let mid = find_run a !lo in
        if mid = n then begin if !lo = 0 then return; break end;
        let hi = find_run a mid in
        label M in
        merge_using tmp a !lo mid hi;
        assert { permut_sub (a at M) a !lo hi };
        assert { permut_all (a at M) a };
        ghost if !lo = 0 then first_run := hi;
        lo := hi;
      done
    done


  (** an alternative implementation suggested by Martin Clochard,
      mixing top-down recursive and natural mergesort

      the purpose is to avoid unnecessary calls to [find_run] in
      the code above *)

  let rec naturalrec (tmp a: array elt) (lo k: int) : int
    requires { 0 <= lo <= length a = length tmp }
    requires { 0 <= k }
    ensures  { result = length a \/ lo + k < result < length a }
    ensures  { sorted_sub a lo result }
    ensures  { permut_sub (old a) a lo (length a) }
    ensures  { forall j: int. 0 <= j < lo -> a[j] = (old a)[j] }
    variant  { k }
  = let n = length a in
    if lo >= n-1 then return n;
    let mid = ref (find_run a lo) in
    if !mid = n then return n;
    for i = 0 to k-1 do
      invariant { lo + i < !mid < n }
      invariant { sorted_sub a lo !mid }
      invariant { permut_sub (old a) a lo (length a) }
      invariant { forall j: int. 0 <= j < lo -> a[j] = (old a)[j] }
      let hi = naturalrec tmp a !mid i in
      assert { permut_sub (old a) a lo (length a) };
      label M in
      merge_using tmp a lo !mid hi;
      assert { permut_sub (a at M) a lo hi };
      assert { permut_sub (a at M) a lo (length a) };
      mid := hi;
      if !mid = n then return n
    done;
    !mid

  let natural_mergesort2 (a: array elt) : unit
    ensures { sorted a }
    ensures { permut_all (old a) a }
  =
    let tmp = Array.copy a in
    let _ = naturalrec tmp a 0 (length a) in
    ()

end
why3-1.6.0/examples/mergesort_array/000077500000000000000000000000001440160026300174275ustar00rootroot00000000000000why3-1.6.0/examples/mergesort_array/why3session.xml000066400000000000000000001003041440160026300224450ustar00rootroot00000000000000










 
 
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
   
   
    
    
    
    
    
    
    
    
    
    
    
    
    
    
    
    
    
    
   
   
  
  
  
  
  
  
  
  
 
 
 
 
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
   
   
   
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
 
 


 
 
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
 
 
 
 
 


 
 
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
   
   
   
  
  
  
  
  
  
  
  
  
  
  
  
  
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
 
 


 
 
 
 
 
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
   
   
    
    
    
    
    
    
   
   
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
 
 
 
 
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
   
   
   
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
 
 
 
 
 



why3-1.6.0/examples/mergesort_array/why3shapes.gz000066400000000000000000000332171440160026300220750ustar00rootroot00000000000000}n9廿Boݝ8t`_zMX%\Wvڜ1K%ے@aD{@r_ӧO7?~g{?]+v+yI"}+W}+W/>|.g+nL?7W}ݧ7OW&nu(5:៟uezY|́]W?~ÿg|
ktQ+]>1}CGoG:	)
XJe+"8$Ons]	)>%y#PSQ_9"#9ZTzW
NH,` d#4"K/΋HC_"+vq>a+EƐ!8I0Wp
mTR-,Yԃb;D-tCX܂W_i
*+.V
Dl8_DgMg??eezC)ىſ(F*h.H#{#{#tmm[>MLhc*#GtunFDy1+aY]^Ю?pde{HcJm95ZL{&Vm0{`6]L&&&NxTL<2V}J,&Tx3o4q!FAXŠ]e_e )\GG6vHC!CaڇjvSan+s?6|Zp*ŽthҐK %:\3W#mxsG
&<(a3X_=.Δ"eLwњ3Δq8{S830)[,2bLuZШ
W8G\uk8{7ӧ*1Pe!	9D766~o/:::8:Iah˵̥sp]p-rkz\\kqtk."Ը{\=)\Z4Xtj:aY5\?i`Sm85(
L(}8@)A<2%@	.B̩ZfN6%=%=%bi'O3:LjYQB<"DS²AV!0>TuKmE!˥E!S~cۋѦXY2~?+$ژuRwe[*_DOY[M2|"fcG]ξyѯגG#|K__ȧUP+ɻ-|n/4SY2y:Nm3d@4h۩>vnKV'ÍpB$N3GMrdX'+D+PAƢ|P
@?W	^
9
9
9!'|nLL0C[lr'S@@@s+hn~32+k^tT#KQ_[a0$ޫMɒ,#ܙre!r* _-06ZNmS[U@#nsfl
=66!ۓ??}>)F~
`\7K.º]ܡ
N]]ܵ]|.Тl`3N;G2p˝2Aa!8[>TVCڍ+ܸCt7)y(u `?Z|H3RוN
z#vsƍW7ߒ@U$ÅTm-e!BPrCNRLvn
SЏ3B\P{X&Cl)7KȰb[hӚَ|8zE]	1+Jwlb
eyZ1˸08v.
^̄tW&ol׶H	A9bPoP؆/ҝ!6ZJ򦿢
b/$"O1!?^;"eJ)9ӧbC†W'\y.N.kNJdQ&jvAj>{?PzeTlTw5̦g߻?~.&SJo%dvĬ翗+	WMG2Tыӑ.OG/•4#"_~lH[̻F8x-?3UeΦ
/|Wz	ƥUYM{4HAS#K!Y/tcJӎDcyq=)pN$w|ITsyR{{.r!Mi:nS	"'< w`ʃzrvN+~ʾduq㔼\[vY{lܵ%*+͐!=Zc|#eeߊ`ddU%@c)@ck#l1°ͅN.UPɛ	&:HCmOš%/'[
>8J`JX ):twCydžؚ]E.2޿օ͗n\[b#]m$NjKVW	}*/)ro\Q,D۬ؾ:s7p[s՜E0B)wF(â,	yo7œ9w!HL\λC<;8+A]X8J;Fſr/MGFD~6	OއMIeϿkw3R#ƂٮKQ^
<}ㇳt}~nc~?}a*}4o|2Ucr=^I2\8tg?QZi<75r]l[~h
;)Vu-uޯ떲61:1y
	K8F
rحX3Y蠷⥮k;	Y?aN?K6p
vNH+]]">QAN~g
kJnJ4abvGz7XE\'N/No:-Vl	]q9}//V؍%KC.U*VDy2b[?e8
VO\ D+ٙ]8oë
{Zj)su.ӔIt_Sq6QNփu<ܪ̗o9
A=s_77zEYY~q)_VS,Y2=ϓ%K=zNPNK[t,K""T۩de(Ee戾^V7=t
uɣΚW_=˟GY~ϝiu<P߬,zQ6
K^|~}K^:-y|MG[0t	&t<'-ix[9ƃ>I(TU.72b[JzpIuYC7``T!Nc/Z-1_x1QGjA_<*oD?J_ҴY	Z߻f͊Ǩd{8;Woh?1| Ћ8tv/ } ṛ_*?i[N}2c,7U**SH/g j
Q֐MD2灨uRѡՏBT02TV=755=f
{
{
{z2G	Ý,Ws5Oñw]|iR1,QM/W\W}r*h&ٿ.]W8tUС¡OV8Rй¡
L+zp\KC
Q*:T8¡Sv
תn\N/O@a{b&/1QƖ="yg*9k"w[	(;1ENO]܍Svz\ѩh/ne|a?\5	畿#ϥ^?!QzirA=5??.B[VL°h,MM\:ب|
.dTz5fhu<ze
_YSZW"y潛z&onn~ޢ


}jBie3\JȌ8hrWZ)S3IZBֳêAY	H+ᅀfc=GVz-]fVa/:,|Q=|g0b֞/czko|qW^ę~/P:U1K,{"_U
&i&Oo('v;Nڰocek{aOE)`]W/Pkpuʜkq>W`M?O~i[jVބ}|yj>oB}UaaacqΟ_€'Lz>v_p4ɝ@#ຽ[qḇ7*?yyKDdˣ"J7>9=2J'̬Dez"ۅ{|ϳ?J]/:#]†ʸ^h6=HaL%/z1ܺ,Y>#Y,+z쌀ƷҪGYgmTT|hKw53RY]a
G[uj{	??myU?:ڮK6ݡ-ɯv*W3D|ZT{IzX	Yyt0YV.t%EaLWNݷG69dsE/O zdN	ǃuyHQx|#c+S;o.
$.vw\9Fv8~0v-ŇdcԺ+/7JdEBA)y:*'9(gQ3RK$,o	⫊"ZՃO5'CB$,yXב>t,V1iL/ʘP`p*Um}BFB>_Ze3f?f$:iVf?ޢpnݟvO͘1?=cZOJ6sl昊Y2 K9JPx hmE6 ((HG++J7[ru_/

5YB*,Rr%%j6q(&M֢Tйݠ:qj>Wd8.=p)]\q%6咋/Ҟ
s
ssaTus6Sz [_4nz>N\r9 !+loA1k]S苙e2/G:Xޛvע.͖]=8VHW鉯tw9Puzv{xJ,~HY"Zvx44>[%6[:'XEИ2S|3
1_w"#r~>et﫥IZ{/w7M'M48I/%B'̾BOV-Cozпs)W'ii"s/A:h/n_Wz_k"=5i]+o~.[jp( ~


+$4"hD6`Ģ.{`;4vx (QBD	oOVw8{ռʿ3U'T?EvFqu|LI:7,0}[|[Ӣg4>ndq!ss<0jyFL-<3L0sq@r
?YxN707070?10+nHoHoHH_c`jX3Zq).߮K1xoiϪX^zeæiI^	|A1>}ܦjAA2e|Ex͂u%
(Ю;f(yμ[?6[SN?XŔpR.;WpkSҕ4`6LҫeFWI8 {~MwC-wwOUԥE?!:iU}70!%½t{+ܢW[og̕&;!ux0Uޥa|ݯayn3[	.|zfSԻm6fYǒ6o+Z_PMK|6`Zѥ^]Cϛ4l`祮	(].	s^
6u~%=
~AU?9=/体9['yE{zK

kѫdU7.6B
[zWRi,w1gҼQx߰WFMbt2mqVG;K;;+$ٛA80	RC,\R$ala
<5V}?⎪WVA+o&k8B@5JJ0?
;HwJqbaWMzfn2.4B$F5xF5ϖ83":;94b`9/5ЍMdֆn,qɽfQ	oplhl f5=q:-HELFe&	3fp)c"T)4JzzGf{79 IBތg?9l\K1;>(?z.qVc)Xr1N]FV,&MOzn}ބ$rjO~1wb5Wy
jzc8k&=NGnMnHVDz1y>#W:1uިb;z=5(\0$5hҰI%`wʪYX:JaN(0z	ӳ*4f:$(	{S
	DhzyK,+'
|t`:i4㜱YsoL0u&D2CcWf	I3%7)5
tofsQRO
nLř&k#D3	`<4147ÖzkR*g\ߌ7#Ipe+Z`Gf͊D[̲7&p2M .Ԍs|/<7TYtBY(8d$5Uh\ S:;ieyg4:iq;n=0}x;o?B0a3QL7νqåKa3uyyy2Bs5"]JK
5q;
a8upsgQC~ޣW*L+d1rMH
eOZRD[TPx"zp~|rV&;I7yr'BDOÄtB%g=_+/G* m;;`fo8hln8B&E
<4|8@J-'$gQ/a;B@݃;D(RA
e	ƋP ;RG	I.Uj}%C9NCT{r)Ɉy0@AK:[p
|$bQD=и#2N-blg:I23- "Bꃰc@Kk,# ֐tʪHZ:dF,K7@2V'y¹:kr'䜳svv41DZBD$Մ1^Iyx8@zd5lf:F够,`\Y6%5zDUO45Ra#*HG;gG1
F	CƮcڙ#ˣRx*AYu	\-8q8w	`ueǨB1
Rc3̱uɏa˰!MK1!0AZ8:RZ4~bQ
V๧Ժpe'Iy*gzf5kS^kD(%zPG5J,\.u'P	3/p	J,5+q(͈atŇYQ˱S`&K	滁¯~ր#{/0$Sl]jxgWRI	ml]
RSf7z$'y*
L@1E T#"fuVٻGzDD9?I2
p
9&P'-
g	UpDKE^QF)jF:<
B~96@1,n4qÖ̪;dJ
fV#G0Hp I\tEnF0>4"Fwp,Jb6@U$!fd:Qa4
s|tbv,e K>x$3C:p&ewHf:,iTVZ:pGN1ÿHn@z	R:.,|Yw{$:*ms0^il󣝁cC=b
mK1&`Ⱦ!C3
7anI(ΐ dc|ՃaFܼgɲ65ORx`,$i<"CuTY#PD,)^!$IsqAc7;vZ " Bp?
$%Nf3#J^za*tl]BBQ"{-[Ձz!};$x3:k.ix(6HMcy[(M2PH`f9y*",xM"v2R)86(/3fݏ`YzJ	_X7Ժ.G
w@#u0L%QLq( #/؇ExfDeIzȯAgEq
CaI @6XYh\b襂`!Hd2]L0*R9qf/{hG@D9?p)>jVYrD<n3ł/h!>e3/KR
|쑻[xY	Ρu);plOǢ}`)/Ӄ(8%X}s>MI(	490+u֤G&Bƀls]" B, sn%nS
[g]0HjiVb[)"A)JPJ[why3-1.6.0/examples/mergesort_list.mlw000066400000000000000000000224621440160026300200130ustar00rootroot00000000000000
(** {1 Sorting lists using mergesort}

    Author: Jean-Christophe Filliâtre (CNRS)
*)

module Elt

  use export int.Int
  use export list.List
  use export list.Length
  use export list.Append
  use export list.Permut

  type elt
  val predicate le elt elt
  clone relations.TotalPreOrder
    with type t = elt, predicate rel = le, axiom .
  clone export list.Sorted with
    type t = elt, predicate le  = le, goal Transitive.Trans

end

(** recursive (and naive) merging of two sorted lists *)

module Merge (* : MergeSpec *)

  clone export Elt with axiom .

  let rec merge (l1 l2: list elt) : list elt
    requires { sorted l1 /\ sorted l2 }
    ensures  { sorted result }
    ensures  { permut result (l1 ++ l2) }
    variant  { length l1 + length l2 }
  = match l1, l2 with
    | Nil, _ -> l2
    | _, Nil -> l1
    | Cons x1 r1, Cons x2 r2 ->
       if le x1 x2 then Cons x1 (merge r1 l2) else Cons x2 (merge l1 r2)
    end

end

(** tail recursive implementation *)

module EfficientMerge (* : MergeSpec *)

  clone export Elt with axiom .
  use list.Mem
  use list.Reverse
  use list.RevAppend

  lemma sorted_reverse_cons:
    forall acc x1. sorted (reverse acc) ->
    (forall x. mem x acc -> le x x1) -> sorted (reverse (Cons x1 acc))

  let rec merge_aux (acc l1 l2: list elt) : list elt
    requires { sorted (reverse acc) /\ sorted l1 /\ sorted l2 }
    requires { forall x y: elt. mem x acc -> mem y l1 -> le x y }
    requires { forall x y: elt. mem x acc -> mem y l2 -> le x y }
    ensures  { sorted result }
    ensures  { permut result (acc ++ l1 ++ l2) }
    variant  { length l1 + length l2 }
  = match l1, l2 with
    | Nil, _ -> rev_append acc l2
    | _, Nil -> rev_append acc l1
    | Cons x1 r1, Cons x2 r2 ->
       if le x1 x2 then merge_aux (Cons x1 acc) r1 l2
                   else merge_aux (Cons x2 acc) l1 r2
    end

  let merge (l1 l2: list elt) : list elt
    requires { sorted l1 /\ sorted l2 }
    ensures  { sorted result /\ permut result (l1 ++ l2) }
  =
    merge_aux Nil l1 l2

end

(** Mergesort.

    This implementation splits the input list in two according to even- and
    odd-order elements (see function `split` below). Thus it is not stable.
    For a stable implementation, see below module `OCamlMergesort`. *)

module Mergesort

  clone Merge (* or EfficientMerge *) with axiom .

  let split (l0: list 'a) : (list 'a, list 'a)
    requires { length l0 >= 2 }
    ensures  { let l1, l2 = result in
      1 <= length l1 /\ 1 <= length l2 /\ permut l0 (l1 ++ l2) }
  = let rec split_aux (l1 l2 l: list 'a) : (list 'a, list 'a)
      requires { length l2 = length l1 \/ length l2 = length l1 + 1 }
      ensures  { let r1, r2 = result in
        (length r2 = length r1 \/ length r2 = length r1 + 1) /\
        permut (r1 ++ r2) (l1 ++ (l2 ++ l)) }
      variant { length l }
    = match l with
      | Nil -> l1, l2
      | Cons x r -> split_aux l2 (Cons x l1) r
      end
    in
    split_aux Nil Nil l0

  let rec mergesort (l: list elt) : list elt
    ensures { sorted result /\ permut result l }
    variant { length l }
  = match l with
      | Nil | Cons _ Nil -> l
      | _ -> let l1, l2 = split l in merge (mergesort l1) (mergesort l2)
    end

end

(** {2 OCaml's List.sort}

    There are several ideas here:

    - instead of splitting the list in two, sort takes the length of
      the prefix to be sorted; hence there is nothing to do to get the
      first half and the second half is obtained with chop (which does
      not allocate at all)

    - all functions are tail recursive. To avoid the extra cost of
      List.rev, sort is duplicated in two versions that respectively
      sort in order and in reverse order (`sort` and `sort_rev`) and
      merge is duplicated as well (`rev_merge` and `rev_merge_rev`).

    Note: this is a stable sort, but stability is not proved here.
*)

module OCamlMergesort

  clone export Elt with axiom .
  use list.Mem
  use list.Reverse
  use list.RevAppend

  lemma sorted_reverse_cons:
    forall acc x1. sorted (reverse acc) ->
    (forall x. mem x acc -> le x x1) -> sorted (reverse (Cons x1 acc))

  lemma sorted_rev_append: forall acc l: list elt.
    sorted (reverse acc) ->
    sorted l ->
    (forall x y. mem x acc -> mem y l -> le x y) ->
    sorted (reverse (rev_append l acc))

  let rec rev_merge (l1 l2 accu: list elt) : list elt
    requires { sorted (reverse accu) /\ sorted l1 /\ sorted l2 }
    requires { forall x y: elt. mem x accu -> mem y l1 -> le x y }
    requires { forall x y: elt. mem x accu -> mem y l2 -> le x y }
    ensures  { sorted (reverse result) }
    ensures  { permut result (accu ++ l1 ++ l2) }
    variant  { length l1 + length l2 }
  = match l1, l2 with
    | Nil, _ -> rev_append l2 accu
    | _, Nil -> rev_append l1 accu
    | Cons h1 t1, Cons h2 t2 ->
       if le h1 h2 then rev_merge t1 l2 (Cons h1 accu)
                   else rev_merge l1 t2 (Cons h2 accu)
    end

  lemma sorted_reverse_mem:
    forall x l. sorted (reverse (Cons x l)) -> forall y. mem y l -> le y x

  lemma sorted_reverse_cons2:
    forall x l. sorted (reverse (Cons x l)) -> sorted (reverse l)

  let rec rev_merge_rev (l1 l2 accu: list elt) : list elt
    requires { sorted accu /\ sorted (reverse l1) /\ sorted (reverse l2) }
    requires { forall x y: elt. mem x accu -> mem y l1 -> le y x }
    requires { forall x y: elt. mem x accu -> mem y l2 -> le y x }
    ensures  { sorted result }
    ensures  { permut result (accu ++ l1 ++ l2) }
    variant  { length l1 + length l2 }
  = match l1, l2 with
    | Nil, _ -> rev_append l2 accu
    | _, Nil -> rev_append l1 accu
    | Cons h1 t1, Cons h2 t2 ->
       if not (le h1 h2) then rev_merge_rev t1 l2 (Cons h1 accu)
                         else rev_merge_rev l1 t2 (Cons h2 accu)
    end

  function prefix int (list 'a) : list 'a

  axiom prefix_def1:
    forall l: list 'a. prefix 0 l = Nil
  axiom prefix_def2:
    forall n: int, x: 'a, l: list 'a. n > 0 ->
    prefix n (Cons x l) = Cons x (prefix (n-1) l)

  let rec lemma prefix_length (n: int) (l: list 'a)
    requires { 0 <= n <= length l } ensures { length (prefix n l) = n }
    variant { n } =
    if n > 0 then match l with Nil -> () | Cons _ r -> prefix_length (n-1) r end

  let rec lemma prefix_append (n: int) (l1 l2: list 'a)
    requires { length l1 <= n <= length l1 + length l2 }
    ensures  { prefix n (l1 ++ l2) =
               prefix (length l1) l1 ++ prefix (n - length l1) l2 }
    variant  { l1 }
  = match l1 with Nil -> () | Cons _ t -> prefix_append (n-1) t l2 end

  let rec chop (n: int) (l: list 'a) : list 'a
    requires { 0 <= n <= length l }
    ensures  { l = prefix n l ++ result }
    variant  { n }
  =
    if n = 0 then l else
    match l with
      | Cons _ t -> chop (n-1) t
      | Nil -> absurd
    end

  (** `sort n l` sorts `prefix n l`
      and `rev_sort n l`  sorts `prefix n l` in reverse order. *)

  use mach.int.Int

  let rec sort (n: int) (l: list elt) : list elt
    requires { 2 <= n <= length l }
    ensures  { sorted result }
    ensures  { permut result (prefix n l) }
    variant  { n }
  =
    if n = 2 then match l with
      | Cons x1 (Cons x2 _) ->
          if le x1 x2 then Cons x1 (Cons x2 Nil) else Cons x2 (Cons x1 Nil)
      | _ -> absurd
    end else if n = 3 then match l with
      | Cons x1 (Cons x2 (Cons x3 _)) ->
           if le x1 x2 then
             if le x2 x3 then Cons x1 (Cons x2 (Cons x3 Nil))
             else if le x1 x3 then Cons x1 (Cons x3 (Cons x2 Nil))
             else Cons x3 (Cons x1 (Cons x2 Nil))
           else
             if le x1 x3 then Cons x2 (Cons x1 (Cons x3 Nil))
             else if le x2 x3 then Cons x2 (Cons x3 (Cons x1 Nil))
             else Cons x3 (Cons x2 (Cons x1 Nil))
       | _ -> absurd
    end else begin
      let n1 = n / 2 in
      let n2 = n - n1 in
      let l2 = chop n1 l in
      assert { prefix n1 l ++ prefix n2 l2 = prefix n l };
      let s1 = rev_sort n1 l in
      let s2 = rev_sort n2 l2 in
      rev_merge_rev s1 s2 Nil
   end

  with rev_sort (n: int) (l: list elt) : list elt
    requires { 2 <= n <= length l }
    ensures  { sorted (reverse result) }
    ensures  { permut result (prefix n l) }
    variant  { n }
  =
    if n = 2 then match l with
      | Cons x1 (Cons x2 _) ->
          if not (le x1 x2) then Cons x1 (Cons x2 Nil)
          else Cons x2 (Cons x1 Nil)
      | _ -> absurd
    end else if n = 3 then match l with
      | Cons x1 (Cons x2 (Cons x3 _)) ->
           if not (le x1 x2) then
             if not (le x2 x3) then Cons x1 (Cons x2 (Cons x3 Nil))
             else if not (le x1 x3) then Cons x1 (Cons x3 (Cons x2 Nil))
             else Cons x3 (Cons x1 (Cons x2 Nil))
           else
             if not (le x1 x3) then Cons x2 (Cons x1 (Cons x3 Nil))
             else if not (le x2 x3) then Cons x2 (Cons x3 (Cons x1 Nil))
             else Cons x3 (Cons x2 (Cons x1 Nil))
       | _ -> absurd
    end else begin
      let n1 = n / 2 in
      let n2 = n - n1 in
      let l2 = chop n1 l in
      assert { prefix n1 l ++ prefix n2 l2 = prefix n l };
      let s1 = sort n1 l in
      let s2 = sort n2 l2 in
      rev_merge s1 s2 Nil
    end

  lemma permut_prefix: forall l: list elt. permut (prefix (length l) l) l

  let mergesort (l: list elt) : list elt
    ensures { sorted result /\ permut result l }
  =
    let n = length l in
    if n < 2 then begin
      assert { sorted l by match l with
               Nil | Cons _ Nil -> sorted l | _ -> false end }; l end
    else sort n l

end
why3-1.6.0/examples/mergesort_list/000077500000000000000000000000001440160026300172645ustar00rootroot00000000000000why3-1.6.0/examples/mergesort_list/why3session.xml000066400000000000000000000530011440160026300223030ustar00rootroot00000000000000











 
 
 


 
 
  
  
  
  
  
  
  
  
  
  
  
  
  
  
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
  
  
  
  
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
  
  
 
 


 
 
 
 
 
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
 
 
 
 
 


 
 
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
 
 
 
 
 


 
 
 
 
 
 
 
 
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
 
 
 
 
 
 
 
 
 
 
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
  
  
 
 
 
 
 
 
 
 
 
 
 
 
 
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
  
  
 
 
 
 
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
  
  
 
 
 
 
  
  
  
 
 
 
 
  
  
   
   
   
   
   
   
   
   
   
   
   
   
  
  
  
  
  
  
  
  
 
 



why3-1.6.0/examples/mergesort_list/why3shapes.gz000066400000000000000000000170431440160026300217310ustar00rootroot00000000000000]YoG~ׯΌalD@sL,iDj__d]dipŬ8_ûr}91'؎S?Nt7NL?Nwf4;{?moJ/޾vt\[ml;_ms㢛Kg1K*??o~q7^٨FOO۾ם~uCG/sG~Dg_77'%\ZswKz&_BD` xmf_fǎn˫ק\뛙W9^Afs
oKu)x7xn;)^s1l.E϶pRLq6Le		w$4rwR#=q%\Rl-81zF}v/N'`BeE@6kԍPd9:[Sb1g٣|0]5+>7oBthYG.ay4 [|ߏ؇0rtIf(Bfv>}t^b$u˃bXnTQۏLM+fFQoCT{pKI}EӖۋ@Atw@m3J^On(+#Vm&R4]y[<|~s5y~==hJN{
v`%D+%VR)@Z-4:	^&[=AMz0;99iC5
4mkIC5DrۧnWNVzT,N0:Fg5[m%C@͵'El讧QCh}tr6amPSeQ
V$}\ugnBsVvמUOΪN*ӓ}u^~>Nyn5l|*.Ąx6ARvVϞLa_?3
\>|Ozz{ϋ[
,tC&z9g4n|):6]f?CO,k/ZO
<7"oi\ax}_QC1;bONuXjNBot@M`|:3\3i$BKs͒]{#57k;23B.h5h׌dKil{#CBn3)]6
Sc$4rȓ|3S[fy&>>]l)5?ý^dShXH7/_͢j/'wf~I-,L	N1iͳ{LDL3qu],[q=]\=E VO0İ06fmP~ʰ<fb^{sJAn004`Zk;w#r,[#!Z#CbT{luv}trvW|yU`z$Rkf7!$Rv(*s_QqB(.;:Nދm'+]mNJ'/,d)+8U=\ݼOF/,$rOx#Y-!QM|^ni/kuET.^?n'{$'7GG䋊W?x
#>i;4wVO+frMRhZv;՛1:O3'~9cAU2-U~e[M{Ʀ޶eVG.j<z&%C(z6e
ӽzrbv5}/ɊLڂ^?qoaՁ-/л=d=7xswA!Z6ωB^C,X		س7YonpBNt՞#Ex+fyr1}@3>KתBPl'HJۈ\ƧOCb{rGJگTXy9lZ?4:W=^^!
Hw|SjPaA!fzjrK	5.fMƧ2u\r惊!h妡68GQ&y:Ғc&#oF;oH+UI5t~./JK'IۖLN\4O	N(O:u?sm>
K	zr
z޵<.]
R=Mٛݻg&NFlc#nFto𨞛J8/mt8?HvWLnl:4:CxuwK=Ϧ)QX~[iwdWGCqu0"M:/Ou;5a]֏Y-5Ս]u1Fn{Gk]/݌[{Ied{u|͑t=ugڣ,ZzR[0fF膶	J>{KZN_hMvɁBaޢII0LvTH'lV
Qۋ+J_!t|p7AQMdDybJ/)5<]1DƎd/`
J{qS\|7\JN}^t'joiw &667KH{{FiWPݢja;fȌM4}Hnkۇd;'_g$ewI87I܁gև<,`ѾV?]z(7]b˝~`MyPTp@b"BATfMM]v	?x.\x}_|.3ΟM͕#}Ȁ&vs7ou3\wupgn9>y9I/zh|6X);=MWwM!}nձdŠ*6LL<._ckIVU{O.thRӬ}+ᙝqbZ,/>XNmdl`ކ!h=U_1]9N oKKXp'9>_kbHc|2\S#'\Kp
0&4p`p3#'^F&U0cfn2;`ۇ3v~۔Q+LdQ&U0$eGn ~=vx˯<}ݦy~?~[&F&NګGgߵi}==N47yScىqF
^pGœd?d7RPd)œ^ox,cW}꾻y`w.ZwIuԪ/g~u:SwtfǴS{
`vWx42/ݹ޸ۼ|tzT?~{ũi5vߘjͫs/PFۭ3.6}ӭfu5k_#>VW@)L$/;Bm9g<%Bӟ=ltgЛaݏ_*!,QhY$%,~x<:(;ϜtV3xԅsHZOԹ<=qZtBsr*'žsnu q˒vvĝ
rي‹*E".O8;^gp]Sb
Nh3[#\qJ&KʉX:is1[	,ֲJs>(+)𤔶R	ʈolƅp23K6
Yz.R	<朘&YRҘ]RsxDe2KE%	<s-tKqmYYJK-ps1*V(y.6aV8d@
捏\kVE4aֵl!ʡSSTI[D4g+Mb* W:.
QmNMbi(7\-%Gm.d1nXRz`9tE5`m-(&edZ㘐.Igb.լpz
c&$qع5C|aHBѵJ8["I
MBROH\
\dGp0ES[×kSlG8<+0FAF5b&U	yD/P`fq\.0^˶pg,W]ࣰoI"S^%W-m[	M^3Uz`Y:#%A
P7H!!}&fc-ijA5䭼,j	R婙t{20f1*ᘋلW
	
jO=za
3vW%BFpj%̵3_եD8.l5w0Ar)ek0eib;)&p̅0J6]SsDD(IfJ(R8`
Mjd
_Ã,Ղ\1;2g.֞hx
_W-=1hW`"I8sIAD9U:1X-e
s@T?\JFiOW ïhaE:etD0!1d,e-j̐t yG%Y.]kZr\
v*iG`ȑ'"hF uȞ
#m[k(cmv.F8-'t[WrgEDcpg!5lCTDŵmA
($G4Db{#ѬV}LX+P*SE
HZZ$``aMpI,GAXp2`qTxFXń7\$†O*9O3$K04du(*OTw`1fqn0c0ys
`L9,ǁ\q
ecu@V8CFC!YW:pKX9J␖9L˦׵04%h+,`W<6Ll0D87	=HbwH`ëR*JU(!iWHk3]#$5->dX"s`h*r(|NURLEVY'P^Qe@Mh0NTpEP34(
Q@?Ҝ8si`	THpŽк'Ο;wT:aj+DkP9kN8ܳ9d~	2Gdq M
ALV!ν<nA"ft 鴑#!}mTP(3CA աfGa]9r=
΀"mcGBA8Fd^H!
AH1^R @XSΎ%HWQk$,aS$AJA
cT#rzdyaB@᧺ؐ-:\a񄔀MZdQX"x-ESjG"V"P$F/bG	.1&iM8?sT\{pQ
bK-]Xq-DxSJTG%D2757DǍ⟘7UQA8RkeJ57t!hf DT:l+/ʔRI5I:NdI	.nʠDW܀׬|bnM%*fIii`8Z謁Q,Aƍh9Jn`PxU^`PQ+0-Y'HO	_AW
xT#
U!-@Fh,cdR"RR8_-u3:1R*V1kJXhШ(r:եM2ƚe/Rc#5
@W$&̰JL!w\Td2jd8)c{Q>S+ĄLš7
̆@y=xrPҰ6ǀn=1%a2Cd@WHY8?cM.&z>DIXP"qzp	-GYkNH"+n4IAu,O@12J1mr~Zu끟z3p${u.+Ncs mD@
H%FJE0 .!wTi)թbs$d"J}m'8Tɲji[`#GItR,p`R1ǏV|&F"@Mx25qQ=@@*
M8(K;jX[5%xս,i#/
="tI- dtv("Mgz?ëwhy3-1.6.0/examples/mergesort_queue.mlw000066400000000000000000000046021440160026300201600ustar00rootroot00000000000000
(** {1 Sorting a queue using mergesort}

    Author: Jean-Christophe Filliâtre (CNRS) *)

module MergesortQueue

  use int.Int
  use seq.Seq
  use seq.Mem
  use seq.FreeMonoid
  use seq.Occ
  use seq.Permut
  use queue.Queue

  type elt
  val predicate le elt elt
  clone relations.TotalPreOrder with
    type t = elt, predicate rel = le, axiom .
  clone export seq.Sorted with
    type t = elt, predicate le = le, goal .

  let merge (q1: t elt) (q2: t elt) (q: t elt)
    requires { q = empty /\ sorted q1 /\ sorted q2 }
    ensures  { sorted q }
    ensures  { length q = length (old q1) + length (old q2) }
    ensures  { forall x. occ_all x q = occ_all x (old q1) + occ_all x (old q2) }
  = while not (is_empty q1 && is_empty q2) do
      invariant { sorted q1 /\ sorted q2 /\ sorted q }
      invariant { forall x y: elt. mem x q -> mem y q1 -> le x y }
      invariant { forall x y: elt. mem x q -> mem y q2 -> le x y }
      invariant { length q + length q1 + length q2 = length (old q1) + length (old q2) }
      invariant { forall x. occ_all x q + occ_all x q1 + occ_all x q2
                          = occ_all x (old q1) + occ_all x (old q2) }
      variant   { length q1 + length q2 }
      if is_empty q1 then
        push (safe_pop q2) q
      else if is_empty q2 then
        push (safe_pop q1) q
      else
        let x1 = safe_peek q1 in
        let x2 = safe_peek q2 in
        if le x1 x2 then
          push (safe_pop q1) q
        else
          push (safe_pop q2) q
    done

  let rec mergesort (q: t elt) : unit
    ensures { sorted q /\ permut_all q (old q) }
    variant { length q }
  = if Peano.gt (length q) Peano.one then begin
      let q1 = create () : t elt in
      let q2 = create () : t elt in
      while not (is_empty q) do
        invariant { forall x. occ_all x q1 + occ_all x q2 + occ_all x q = occ_all x (old q) }
        invariant { length (old q) = length q1 + length q2 + length q }
        invariant { length q1 = length q2 \/
                    length q = 0 /\ length q1 = length q2 + 1 }
        variant   { length q }
        let x = safe_pop q in push x q1;
        if not (is_empty q) then let x = safe_pop q in push x q2
      done;
      assert { q = empty };
      assert { forall x. occ_all x q1 + occ_all x q2 = occ_all x (old q) };
      mergesort q1;
      mergesort q2;
      merge q1 q2 q
    end else
      assert { q = empty \/ exists x: elt. q = cons x empty }

end
why3-1.6.0/examples/mergesort_queue/000077500000000000000000000000001440160026300174355ustar00rootroot00000000000000why3-1.6.0/examples/mergesort_queue/why3session.xml000066400000000000000000000247251440160026300224670ustar00rootroot00000000000000







 
 
 
 
 
 
 
 
 
 
 
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
 
 
 
 
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
 
 



why3-1.6.0/examples/mergesort_queue/why3shapes.gz000066400000000000000000000062331440160026300221010ustar00rootroot00000000000000YKo7W"Y|,
m/|&lɖd{4چ5a5Wz~W\οۻ_y>؉ԻӓvrwC{	fg.ʧ1nd~ݙCk/ag/=af簼$vv~GV;Ibb%y^tW&HHJbTۨN>Գln}ʗ%zh\bcxs[
vu>O~~A=wّ}9mf\p=ۑŴt7[b+mnR#|8__SOk+zn壶IkA:ЫbSVQjz܄_cpr[~׻Gi[nn9%q4~g'->|uv/e%:PͳQYx[3*T{s]s6t[jkK>Wܕoao5`,;>-nbtץ>I=mi1_gu
UvAE*L:o'Çˠ|:(Ѡ
Ae6\^Zף~QuEwՋNuc-^S⌻xeޢ0i)Re|Gg)3.?>q{}
TmZI~#0ޘI۴䇍GVы̂إEϜ~UUנfTV=emOS	l?7cWP,{v=δ#Wϔfp[^fL'wBROf)NڦyxLK.ڭ\鷺lzs{9Bo(Gǥ,{s}>QDOgx;g,L+\QV˾:G?C,
ۻE_t[bzUw~kr_t%W5Չ{.dt1z>]w<#vy̎+~LY2"eEk(+_^ށ$$^Q^,u剐[K
槵OI(1?H'yH5}wfx.:,~x1/pʼnp8{zmrxC
ucZ<#jkT}~Ǿpv3&zX_VnƫCd/lmSc}~;Y +ʝǬU1g;^/!8wzwK5_Yޭn6Oipvv	lWZ]w

.B؞B沷`_1ׂ Fk,LS;Y*X(k8OZ*,
WZR~oijzbhvv,E2Ő0֚򆔳zPhgM%ʒpR\	"oV>l5rPښ±VH8AoRʹUB&Rֲ(pn`7؉%E:j*N:2N>H
4X$n6ksVt;V6nQ!
\(YeUcRY\rAB(=!6B*eҖpBūIO	Q%٘K^&YJ'q"eNJjN)Pe99
%Et;\	C6%ׂ%kUA}0
ȯU)gfJ”S\A+hǺ&c;'['K2Ȫɇ4"ȌF+s
ƙ`{b_R~V"~HsVD΁5qIDL6UKA*6%$r 
=
l̩}3rTd.
=U%cl
X*E[k7hZZSJ)F{k.m*y1ˁi`Q1zyJ0F3A8*6[!hQ/βTkCc<N*]V}-yu)ueF]
P}LcdF͖,C?AR`S(heX9OS7)Qjc쐵FNyp!$mjFovlJ5$+&&R1Dh󣆆lBȂA1N'7bl|yE1	6xAhP`"+7kLK1gPIRQf윭k
JAr:77^2SY uAͱ3HfP
8D-(HUݬhee/PyXOlahnw{(	,,X"jT2Q>K1[m)GGJd/f-dDemJP4d03%TЊld:}b:
6C–TUvTH+׊W58FTsZTJ>
{KII#5ɊlSt@/@k{40oC)]]ύj|-D1
k'JcZXH)U	ê77K#8Q2o	Tk*jMYFp%&Yj3!-gZ+\(:VMvPެ,
e-G@л}=&QG8ktEbY@(s4~FK#3:WYQfS֊VdkU4*&ՅP	JH'^$j?,D1=8y]yu@ZGBqTPՈ9E,%kvKfDPi%vpbV٠J.(e
s4jO8u2@0>F5{x̒#&T!$ֱy:RPuQ3~^^N,:&f%xI\؎a[$Skꆄ4ucfq޼ ldL1U*##
f29{y_*
hyǘU03Iƈ̋?'MR1z*S|8d|4>5&S
J Fe-Ble5[M*fRcHlRmڒUI`G٘P/5˂hCiFIIR=+dh%69de3RUcX6t0why3-1.6.0/examples/mex.mlw000066400000000000000000000105331440160026300155360ustar00rootroot00000000000000
(** {1 Minimum excludant, aka mex}

   Author: Jean-Christophe Filliâtre (CNRS)

   Given a finite set of integers, find the smallest nonnegative integer
   that does not belong to this set.

   In the following, the set is given as an array A.
   If N is the size of this array, it is clear that we have 0 <= mex <= N
   for we cannot have the N+1 first natural numbers in the N cells of
   array A (pigeon hole principle).
*)

(**
   A simple algorithm is thus to mark values that belong to [0..N[ in
   some external Boolean array of length N, ignoring any value that is
   negative or greater or equal than N. Then a second loop scans the
   marks until we find some unused value. If don't find any, then it means
   that A contains exactly the integers 0,...,N-1 and the answer is N.

   The very last step in this reasoning requires to invoke the pigeon hole
   principle (imported from the standard library).

   Time O(N) and space O(N).
*)
module MexArray

  use int.Int
  use map.Map
  use array.Array
  use ref.Refint
  use pigeon.Pigeonhole

  predicate mem (x: int) (a: array int) =
    exists i. 0 <= i < length a && a[i] = x

  let mex (a: array int) : int
    ensures { 0 <= result <= length a }
    ensures { not (mem result a) }
    ensures { forall x. 0 <= x < result -> mem x a }
  = let n = length a in
    let used = make n false in
    let ghost idx = ref (fun i -> i) in (* the position of each marked value *)
    for i = 0 to n - 1 do
      invariant { forall x. 0 <= x < n -> used[x] ->
                    mem x a && 0 <= !idx x < n && a[!idx x] = x }
      invariant { forall j. 0 <= j < i -> 0 <= a[j] < n ->
                    used[a[j]] && 0 <= !idx a[j] < n && a[!idx a[j]] = a[j] }
      let x = a[i] in
      if 0 <= x && x < n then begin used[x] <- true; idx := set !idx x i end
    done;
    let r = ref 0 in
    let ghost posn = ref (-1) in
    while !r < n && used[!r] do
      invariant { 0 <= !r <= n }
      invariant { forall j. 0 <= j < !r -> used[j] && 0 <= !idx j < n }
      invariant { if !posn >= 0 then 0 <= !posn < n && a[!posn] = n
                                else forall j. 0 <= j < !r -> a[j] <> n }
      variant   { n - !r }
      if a[!r] = n then posn := !r;
      incr r
    done;
    (* we cannot have !r=n (all values marked) and !posn>=0 at the same time *)
    if !r = n && !posn >= 0 then pigeonhole (n+1) n (set !idx n !posn);
    !r

end

(**
  In this second implementation, we assume we are free to mutate array A.

  The idea is then to scan the array from left to right, while
  swapping elements to put any value in 0..N-1 at its place in the
  array.  When we are done, a second loop looks for the mex, advancing
  as long as a[i]=i holds.

  Since we perform only swaps, it is obvious that the mex of the final
  array is equal to the mex of the original array.

  Time O(N) and space O(1). The argument for a linear time complexity is as
  follows: whenever we do not advance, we swap the element to its place,
  which is further and did not contain that element; so we can do this only
  N times.

  Surprinsingly, proving that N is the answer whenever array A contains a
  permutation of 0..N-1 is now easy (no need for a pigeon hole
  principle or any kind of proof by induction).
 *)
module MexArrayInPlace

  use int.Int
  use int.NumOf
  use array.Array
  use array.ArraySwap
  use ref.Refint

  predicate mem (x: int) (a: array int) =
    exists i. 0 <= i < length a && a[i] = x

  function placed (a: array int) : int -> bool =
    fun i -> a[i] = i

  let mex (a: array int) : int
    ensures { 0 <= result <= length a }
    ensures { not (mem result (old a)) }
    ensures { forall x. 0 <= x < result -> mem x (old a) }
  = let n = length a in
    let i = ref 0 in
    while !i < n do
      invariant { 0 <= !i <= n }
      invariant { forall x. mem x a <-> mem x (old a) }
      invariant { forall j. 0 <= j < !i -> 0 <= a[j] < n -> a[a[j]] = a[j] }
      variant   { n - !i, n - numof (placed a) 0 n }
      let x = a[!i] in
      if x < 0 || x >= n then
        incr i
      else if x < !i then begin
        swap a !i x; incr i
      end else if a[x] = x then
        incr i
      else
        swap a !i x
    done;
    assert { forall j. 0 <= j < n -> let x = (old a)[j] in
             0 <= x < n -> a[x] = x };
    for i = 0 to n - 1 do
      invariant { forall j. 0 <= j < i -> a[j] = j }
      if a[i] <> i then return i
    done;
    n

end

why3-1.6.0/examples/mex/000077500000000000000000000000001440160026300150135ustar00rootroot00000000000000why3-1.6.0/examples/mex/why3session.xml000066400000000000000000000303061440160026300200350ustar00rootroot00000000000000









 
 
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
 
 


 
 
  
  
  
  
  
  
  
  
   
   
   
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
   
   
   
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
   
   
    
    
    
    
    
    
   
   
   
   
   
  
  
  
  
  
  
  
  
  
  
  
  
  
   
   
    
    
    
    
    
    
   
   
   
   
   
  
  
  
  
  
 
 



why3-1.6.0/examples/mex/why3shapes.gz000066400000000000000000000107041440160026300174550ustar00rootroot00000000000000YIoIrWɿcG7>U/'M'Iw3mz؅/czn/O~zV!+QG.>tD}Z0+&K=tfbkOYjMM+6uRPɡ#kۮiW*vỮN<#15r
('P(6X#ϑ-M]};W
X!07K}k>ol/M}/m^Z4}ֵ֪EUJ~y(>ωU]oK̾_}gU{Z>!Su77u
^Sͅ7R4a~ʛMōo\<QA_
8-˼[.Y:eLns5@o}I:͞9h~z;&-}N6Z\a4Gz&c>kœo:hC_goM_j\t14+s/U4qSE/_?jfL~Ql~
OXEXLe[tRNoZҵN 9[U
APL.haV`Mhfo·^Niі:ujdOr.zk[CuXW872p#ݯۜנpd:[	էi
ә7a~鹪}6eՇUWpk罭Rl&fUߥMI3kNꮮ$QXŃv+NRuR;++*[w%%#TGc;U	F(p2ɂ*`=AbWx頎.Fȁn
6H$@lښZ*d*0&_B488

"v 3TNk`U9W\<`ᙊ!zɤQh\
ٝAہ끫giz533$Kj4
*|eV.KXRlnVAˤ6-4dӡGLJz ǽ_d	o
E[lj))օ_˭I"2%Q
Bd33u|*FT)T\6fD	J2X*KgD(6J
W)VK6Rx!5(:fZK0ɉ\l$lPnPvPfPjdsJX"Z)
ACafVjbRdnt1.''>d}:YYV8	%$H;1)VV8c)NDD C3zU~"hyi1%ZQB.[.e\u*\öF;)QB[!>.(uwbp"191朚WJ"RdI*v

%R&)I* 1F
Ux%e`Bir8P
lxwx)3z0j0r0uj"e$b{tQ3 (Sz}xN6!KfJ
n>HA:H?0.:8sUj$MX(N̩~RHsX@N[q
鐖|&U_CDSTPPfU@+R;x,Iiӊe}WIHų%m,!np";gq֢ 	̠tC
ąe*Uws9	mDrAGۓ3p-pC6RH;ZDŽ{vfL0[eU6hiHDcr 2OUJ^iiyTBhBQa	81Yʬ-1,LU%&/3'Y[ٱXS.g^J8@Fo'9$y8(
WԟwuAS0%)Bf;pZ쁊=)mp6T6$i*RR:?hC,v,UiFr%6"4A砠ʶ}!}O8m'T\T^O	CFU@u5r]䦠+8Y
GBIp#ދCZKl4̶3\2s-`aԟK	u-f$*I')uC!μߺ盉V'>I͸|3M.	Y΋a)WhjT	

k-5why3-1.6.0/examples/micro-c/000077500000000000000000000000001440160026300155535ustar00rootroot00000000000000why3-1.6.0/examples/micro-c/dicho.c000066400000000000000000000025221440160026300170060ustar00rootroot00000000000000
#include 
#include 

// recherche dichotomique dans un tableau trié

int dicho(int a[], int n, int v) {
  //@ requires length(a) == n;
  //@ requires forall i1, i2. 0 <= i1 <= i2 < n -> a[i1] <= a[i2];
  //@ ensures  -1 <= result < n;
  //@ ensures  result == -1 -> forall i. 0 <= i < n -> a[i] != v;
  //@ ensures  result >= 0  -> a[result] == v;
  int l = 0;
  int u = n-1;
  int r = -1;
  while (l <= u) {
    //@ invariant 0 <= l && u < n;
    //@ invariant r == -1;
    //@ invariant forall i. 0 <= i < n -> a[i] == v -> l <= i <= u;
    //@ variant   u - l;
    int m = (l + u) / 2;
    if (a[m] < v)
      l = m+1;
    else if (a[m] > v)
      u = m-1;
    else {
      r = m;
      break;
    }
  }
  return r;
}

int main() {
  int n = 42;
  int a[n];
  a[0] = rand() % 100;
  printf("%d, ", a[0]);
  for (int i = 1; i < n; i++) {
    //@ invariant 1 <= i <= n;
    //@ invariant forall i1, i2. 0 <= i1 <= i2 < i -> a[i1] <= a[i2];
    //@ variant  n - i;
    a[i] = a[i-1] + rand() % 10;
    printf("%d, ", a[i]);
  }
  printf("\n");
  //@ assert forall i1, i2. 0 <= i1 <= i2 < length(a) -> a[i1] <= a[i2];
  printf("quelle valeur cherchez-vous ? ");
  int v;
  scanf("%d", &v);
  int r = dicho(a, n, v);
  if (r == -1)
    printf("valeur absente\n");
  else
    printf("valeur présente à la position %d\n,", r);
  return 0;
}


why3-1.6.0/examples/micro-c/dicho/000077500000000000000000000000001440160026300166415ustar00rootroot00000000000000why3-1.6.0/examples/micro-c/dicho/why3session.xml000066400000000000000000000012761440160026300216670ustar00rootroot00000000000000






 
 
 
 
 
 



why3-1.6.0/examples/micro-c/dicho/why3shapes.gz000066400000000000000000000014751440160026300213100ustar00rootroot00000000000000Un0+|k"E( ĀS;#K$.47CҔ=H|rb}|u<]_|Y:&6\]RʖWD&^]궑vˁttHoθZd\-*6	jøZ\ZK}<ӧ_:l-C&Kв%b4,]LdmRaH@]%D	
yEOn)6D|<&ۇBAZR(FA(䤙4cބ"j(FP2PBͥQ)hކu'9n~
:bCC"hsEp%`(_dٜ9[c?ΜֽoKq4fwhy3-1.6.0/examples/micro-c/isqrt.c000066400000000000000000000004731440160026300170650ustar00rootroot00000000000000
int isqrt(int n)
//@ requires n >= 0;
//@ ensures  result * result <= n < (result + 1) * (result + 1);
{ int r = 0;
  int s = 1;
  while (s <= n) {
    //@ invariant 0 <= r;
    //@ invariant r * r <= n;
    //@ invariant s == (r+1) * (r+1);
    //@ variant   n - s;
    r++;
    s += 2 * r + 1;
  }
  return r;
}
why3-1.6.0/examples/micro-c/isqrt/000077500000000000000000000000001440160026300167155ustar00rootroot00000000000000why3-1.6.0/examples/micro-c/isqrt/why3session.xml000066400000000000000000000010541440160026300217350ustar00rootroot00000000000000






 
 
 



why3-1.6.0/examples/micro-c/isqrt/why3shapes.gz000066400000000000000000000004241440160026300213550ustar00rootroot00000000000000uj0ۖP;AX!C배nɶ7`Xwd]fz00N֔&Ip9攜,hr.B;Wi8
z Ro`CԇhhydPZi.=ƖSU
bEno6ڋvN)?yZڋy#FXYQB&5Mp໚n7i41~&I,m_ݶH~YA$&why3-1.6.0/examples/micro-c/loops.c000066400000000000000000000004431440160026300170540ustar00rootroot00000000000000
#include 

void loop1(int b)
//@ requires b > 0;
{
  while (--b) {
    //@ invariant b > 0;
    //@ variant b;
    ;
  }
  //@ assert b == 0;
}

void loop2(int b)
//@ requires b >= 0;
{
  while (b) {
    //@ invariant b >= 0;
    //@ variant b;
    b--;
  }
  //@ assert b == 0;
}
why3-1.6.0/examples/micro-c/loops/000077500000000000000000000000001440160026300167075ustar00rootroot00000000000000why3-1.6.0/examples/micro-c/loops/why3session.xml000066400000000000000000000012741440160026300217330ustar00rootroot00000000000000






 
 
 
 
 
 



why3-1.6.0/examples/micro-c/loops/why3shapes.gz000066400000000000000000000003721440160026300213510ustar00rootroot00000000000000}j!F}

Z%K܏ҥi7>5'4P||_enHuz(Q̏r_wH-HO{B2- zcz}AΧu2l9j>40MGqˡbWGDhJM׊ݥG]X6	Fa0`#孷X0b,z]'+d\	Zwhy3-1.6.0/examples/micro-c/mult.c000066400000000000000000000005271440160026300167040ustar00rootroot00000000000000
// la multiplication dite russe

int mult(int a, int b)
//@ ensures result == a * b;
{ int p = a;
  int q = b;
  if (q < 0) {
    p = -a;
    q = -b;
  }
  int r = 0;
  while (q) {
    //@ invariant 0 <= q;
    //@ invariant r + p * q == a * b;
    //@ variant   q;
    if (q % 2 == 1)
      r += p;
    p *= 2;
    q /= 2;
  }
  return r;
}
why3-1.6.0/examples/micro-c/mult/000077500000000000000000000000001440160026300165345ustar00rootroot00000000000000why3-1.6.0/examples/micro-c/mult/why3session.xml000066400000000000000000000010501440160026300215500ustar00rootroot00000000000000






 
 
 



why3-1.6.0/examples/micro-c/mult/why3shapes.gz000066400000000000000000000006731440160026300212020ustar00rootroot00000000000000mMo0mc'qLq@А)PV
?;|$Z9]?>WmkSѶaWfZx>Q8jGSneȇZ®Y=lYp?èֵ2M
0+$E.202Ȭz1e1i]9fr0k$MYlqr.Z~5mdsU:4k~})c5#\V98vYA-Vq؍:s
In
M^Rd#IuD$erYIce̘xWΧ,<4W5~V,#+soQѦ^4v:C0SMbkZeޖ墖M!fSY#Y({aW.8lԂT*XZD\@UҞϻLwhy3-1.6.0/examples/micro-c/sort.c000066400000000000000000000022441440160026300167100ustar00rootroot00000000000000
// tri par insertion

#include 
#include 

void sort(int a[], int n)
//@ requires length(a) == n >= 1;
//@ ensures  forall i,j. 0 <= i <= j < n -> a[i] <= a[j];
{
  for (int m = 1; m < n; m++) {
    //@ invariant 1 <= m <= n;
    //@ invariant forall i,j. 0 <= i <= j < m -> a[i] <= a[j];
    //@ variant   n - m;
    int x = a[m];
    int k;
    for (k = m; k > 0 && a[k-1] > x; k--) {
        //@ invariant 0 <= k <= m;
        //@ invariant forall i,j. 0 <= i <= j < k               -> a[i] <= a[j];
        //@ invariant forall i,j. 0 <= i      < k <      j <= m -> a[i] <= a[j];
        //@ invariant forall i,j.               k < i <= j <= m -> a[i] <= a[j];
        //@ invariant forall   j.               k <      j <= m -> x    <  a[j];
        //@ variant   k;
      a[k] = a[k-1];
    }
    a[k] = x;
  }
}

int main() {
  int n = 42;
  int a[n];
  for (int i = 0; i < n; i++) {
    //@ invariant 0 <= i <= n;    //@ variant n - i;
    a[i] = rand() % 100;
    printf("%d, ", a[i]);
  }
  printf("\n");
  sort(a, n);
  for (int i = 0; i < n; i++)
    //@ invariant 0 <= i <= n;    //@ variant n - i;
    printf("%d, ", a[i]);
  printf("\n");
  return 0;
}

why3-1.6.0/examples/micro-c/sort/000077500000000000000000000000001440160026300165425ustar00rootroot00000000000000why3-1.6.0/examples/micro-c/sort/why3session.xml000066400000000000000000000012711440160026300215630ustar00rootroot00000000000000






 
 
 
 
 
 



why3-1.6.0/examples/micro-c/sort/why3shapes.gz000066400000000000000000000014151440160026300212030ustar00rootroot00000000000000TKo0W=(
`48jm$)JЃMGCC=<vM.JzN(PeԎ'Qg¸(tzƊQ2+}ea&40a(!Ç_C#ST&*p矗RAHZBxIH 0DyWPLR2¨Wl0V@ѨnK4EN'T
{
rg]mRnlA#&#'C"@_	U!83}z

// la somme des n premiers entiers

int triangular(int n)
//@ requires n >= 0;
//@ ensures  result == n * (n + 1) / 2;
{
  int s = 0;
  for (int k = 0; k <= n; k++) {
    //@ invariant k <= n + 1;
    //@ invariant s == (k - 1) * k / 2;
    //@ variant   n - k;
    s += k;
  }
  return s;
}

int triangular2(int n)
/*@ requires n >= 0;
  @ ensures  result == n * (n + 1) / 2;
  @ variant  n; */
{
  if (n == 0) return 0;
  return n + triangular2(n - 1);
}

int main() {
  printf("somme 1 + .. + 100 = %d\n", triangular(100));
  printf("somme 1 + .. + 100 = %d\n", triangular2(100));
  return 0;
}
why3-1.6.0/examples/micro-c/triangular/000077500000000000000000000000001440160026300177235ustar00rootroot00000000000000why3-1.6.0/examples/micro-c/triangular/why3session.xml000066400000000000000000000036251440160026300227510ustar00rootroot00000000000000







 
 
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
 
 
 
 
 
 
 
 



why3-1.6.0/examples/micro-c/triangular/why3shapes.gz000066400000000000000000000012331440160026300223620ustar00rootroot00000000000000Rj0}WmBA#
,ӧ2fbo;e7iC[
59oX0vSʛogxK1ñ3'S3G<♄W=ZT>-mg3S m <= a[i])

(** `m` is the maximum of `a[lo..hi[` *)
predicate is_max (m: int) (a: array int) (lo hi: int) =
  (exists i. lo <= i < hi <= length a /\ a[i] = m) /\
  (forall i. lo <= i < hi -> m >= a[i])

(** first, an obvious implementation *)

let min_max (a: array int) : (int, int)
  requires { 1 <= length a }
  returns  { x, y -> is_min x a 0 (length a) /\ is_max y a 0 (length a) }
= let ref min = a[0] in
  let ref max = a[0] in
  for i = 1 to length a - 1 do
    invariant { is_min min a 0 i /\ is_max max a 0 i }
    if a[i] < min then min <- a[i];
    if a[i] > max then max <- a[i]
  done;
  min, max

(* then a better implementation that considers the values two by two,
   to save 25% of comparisons *)

use mach.int.Int
use ref.Refint

let a_better_min_max (a: array int) : (int, int)
  requires { 1 <= length a }
  returns  { x, y -> is_min x a 0 (length a) /\ is_max y a 0 (length a) }
= [@vc:sp]
  let n = length a in
  let ref min = a[0] in
  let ref max = a[0] in
  let ref i = if n % 2 = 0 then 2 else 1 in
  if i = 2 then if a[0] < a[1] then max <- a[1] else min <- a[1];
  while i < n do
    variant   { n - i }
    invariant { mod i 2 = mod n 2 }
    invariant { is_min min a 0 i /\ is_max max a 0 i }
    let x, y = if a[i] < a[i+1] then a[i], a[i+1] else a[i+1], a[i] in
    if x < min then min <- x;
    if y > max then max <- y;
    i += 2
  done;
  min, max

(** Divide and conqueer is no better, but let's verify it for the fun of it *)

let rec divide_and_conquer (a: array int) (lo hi: int) : (int, int)
  requires { 0 <= lo < hi <= length a }
  returns  { x, y -> is_min x a lo hi /\ is_max y a lo hi }
  variant  { hi - lo }
= if hi - lo = 1 then
    a[lo], a[lo]
  else if hi - lo = 2 then
    if a[lo] < a[lo+1] then a[lo], a[lo+1] else a[lo+1], a[lo]
  else
    let mid = lo + (hi - lo) / 2 in
    let x1, y1 = divide_and_conquer a lo mid in
    let x2, y2 = divide_and_conquer a mid hi in
    (if x1 < x2 then x1 else x2),
    (if y1 > y2 then y1 else y2)

let a_similar_min_max (a: array int) : (int, int)
  requires { 1 <= length a }
  returns  { x, y -> is_min x a 0 (length a) /\ is_max y a 0 (length a) }
= divide_and_conquer a 0 (length a)
why3-1.6.0/examples/min_max/000077500000000000000000000000001440160026300156525ustar00rootroot00000000000000why3-1.6.0/examples/min_max/why3session.xml000066400000000000000000000104611440160026300206740ustar00rootroot00000000000000







 
 
 
 
 
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
 
 
 
 
 
 
 
 



why3-1.6.0/examples/min_max/why3shapes.gz000066400000000000000000000041741440160026300203200ustar00rootroot00000000000000َ8_E2*ރ"
5`@/E0+kd~dH>}v_n-lwu?p^˚y^5[%pv}}
H`>zpj+l>HO<"6AGT4wQcDCvн'i]3Xz,{x>Iu.߷oap9/]hq=-9H$kr1e>H<;i+ȍ	(̙ʣD4$릩|ZهaY3V3$HXzp$)4s20#9h~3Hɇ+!>`\8ft
M&+deIUzuD(Βn2E!u2E'{&қ0L-pDǥ_:x{J|L̉YǿPA1ssZ>zHb_&Pr9s퍕
nʂUt
onO
0ubIwZ:;-ui$+}W%RhS2 4>Isd+"58<{Exnl,&vQ0'rxZ/$.V@
 *bb@+KeZal:tNDOL8 j!PD٠YNfPEwa$.w>4G%0)Er u1%_jMEv):$xJGj%3>
d^83$<y<&Ϋ`*7;4ˆOg
"W)y(HG2j"gq\GWRJGqUc~TtZӒxx%U[iϤMsk`<H;
/nӾP🷰+D
A-1,&}XqGqݽ/;j	RYht1fBͤma	[Kyk$$|AژBUB.Di!Z5-@9ə^W`i\p	hX[%Lz^7ZRU@u5HB',
Xe+Si&آNW"fڠiAEvgG4#Ds(Bf
p!HնTc`
 L!ZQ%*En
]@V@P5$!%7М!F'*sP75Jrtcri/Cr=VҴh-XE<(W@6%v4J0D
@7m@Eţ5k	,}.8/J( x = y }

  let mjrty (a: array candidate) : candidate
    requires { 1 <= length a }
    ensures  { 2 * numof a result 0 (length a) > length a }
    raises   { Not_found -> forall c. 2 * numof a c 0 (length a) <= length a }
  = let n = length a in
    let cand = ref a[0] in
    let k = ref 0 in
    for i = 0 to n - 1 do (* could start at 1 with k initialized to 1 *)
      invariant { 0 <= !k <= numof a !cand 0 i }
      invariant { 2 * (numof a !cand 0 i - !k) <= i - !k }
      invariant { forall c. c <> !cand -> 2 * numof a c 0 i <= i - !k }
      if !k = 0 then begin
        cand := a[i];
        k := 1
      end else if !cand = a[i] then
        incr k
      else
        decr k
    done;
    if !k = 0 then raise Not_found;
    if 2 * !k > n then return !cand;
    k := 0;
    for i = 0 to n - 1 do
      invariant { !k = numof a !cand 0 i /\ 2 * !k <= n }
      if a[i] = !cand then begin
        incr k;
        if 2 * !k > n then return !cand
      end
    done;
    raise Not_found

end
why3-1.6.0/examples/mjrty/000077500000000000000000000000001440160026300153675ustar00rootroot00000000000000why3-1.6.0/examples/mjrty/why3session.xml000066400000000000000000000010531440160026300204060ustar00rootroot00000000000000






 
 
 



why3-1.6.0/examples/mjrty/why3shapes.gz000066400000000000000000000006161440160026300200320ustar00rootroot00000000000000SJ@}WM,[!GqMlIZwM^bL̙ٓדW^yU}&(KzŴ.ׅl.Ez퐤8x<:ǖ[V^,J0RE^
~hf`JJiQRmt8O	CU^\-?I75uGCLo\73Xot[,hzEYn8vQO:0"dqldn&8rwM]lޅmNuJ[WuZAK)rF{EeceG?TyYcLNuo19f~">ź
'P:oq"(!5ˌLwhy3-1.6.0/examples/mlcfg/000077500000000000000000000000001440160026300153125ustar00rootroot00000000000000why3-1.6.0/examples/mlcfg/arith.mlcfg000066400000000000000000000021701440160026300174330ustar00rootroot00000000000000
module Fib

  use int.Int
  use int.Fibonacci

  let cfg fib (n: int) : int
    requires { n >= 0 }
    ensures  { result = fib n }
  = var x: int;
    var y: int;
    var i: int;
    {
      x <- 0;
      y <- 1;
      i <- 0;
      goto L1
    }
    L1 {
      invariant I1 { 0 <= i <= n };
      invariant I2 { x = fib i /\ y = fib (i + 1) };
      switch (i = n)
      | True  -> return x
      | False -> goto L2
      end
    }
    L2 {
      y <- x + y; x <- y - x; i <- i + 1;
      goto L1
    }
end

module Fact

  (* Factorial computation, following Nielson and Nielson's implementation
     in their book "Formal Methods -- An Appetizer" (Section 1.1, page 1) *)

  use int.Int, int.Fact

  let cfg fact (x0: int) : int
    requires { x0 >= 0 }
    ensures  { result = fact x0 }
  = var y: int;
    var x: int;
    {
      y <- 1;
      x <- x0;
      goto L1
    }
    L1 {
      invariant I1 { 0 <= x <= x0 };
      invariant I2 { fact x * y = fact x0 };
      switch (x <= 0)
      | True  -> return y
      | False -> goto L2
      end
    }
    L2 { assert { fact x = fact (x - 1) * x }; y <- x * y; x <- x - 1; goto L1 }
end
why3-1.6.0/examples/mlcfg/arith/000077500000000000000000000000001440160026300164215ustar00rootroot00000000000000why3-1.6.0/examples/mlcfg/arith/why3session.xml000066400000000000000000000043741440160026300214510ustar00rootroot00000000000000






 
 
 


 
 
  
  
  
  
  
  
  
  
   
   
   
  
  
  
  
  
  
  
  
  
  
  
  
  
   
   
   
  
  
  
  
  
  
  
  
 
 



why3-1.6.0/examples/mlcfg/arith/why3shapes.gz000066400000000000000000000015021440160026300210570ustar00rootroot00000000000000TKk$G[Y%CUa0
&wՋe>vw{ק-}x~z\/h8f,6/6/a~7iL5{F{R/?wz	l?[	4u7i)h$*k^|~-5V_;tɸ$_2'@g);3']pNsӗ)ty6XЬ/k"Y	
ˊv(Eܾ3Ci0
WJBJ
`\AWGl^jS7iXjxKv^eiw9
EKTJFUÙrQ
( (S
9_u>5#AErţLq zsehG3Gfɩ\#Չ!b*!JȒB)sp0F$*4N\.Xg|Q#(霄^Y~/z*<:f&E#2#pG&jM@rA{FÚrшJ}R1#+dMjB\VŅ79DlZPhd8*8U2EǨؔ1P)נsυ8rLVdJMlv10MVr(why3-1.6.0/examples/mlcfg/basic.mlcfg000066400000000000000000000021351440160026300174060ustar00rootroot00000000000000
module Basic

use int.Int

let cfg cfgassert (x:int) : int
  requires { x >= 10 }
  ensures { result >= x }
  =
  {
  assert { x >= 0 };
  return x+1
  }


let cfg cfggoto (x:int) : int
  requires { x >= 0 }
  ensures { result = x + 2 }
  =
  var y : int;
  {
  y <- x+1;
  goto L
  }
  L {
  y <- y+1;
  return y
  }

let cfg cfg_inv (x:int) : int
  requires { x >= 0 }
  ensures { result >= 2 }
  =
  var y:int;
  {
  y <- x;
  invariant I { y >= 0} ;
  y <- y + 1;
  invariant J { y >= 1} ;
  y <- y + 1;
  return y
  }


let cfg cfg_infinite_loop (x:int) : int
  requires { x >= 0 }
  ensures { result >= 2 }
  =
  var y:int;
  {
  y <- 0;
  goto L
  }
  L {
  y <- y + 1;
  invariant I { exists z. y = z+z+1 };
  y <- y + 1;
  goto L
  }


let cfg cfg_finite_loop (x:int) : int
  requires { x >= 0 }
  ensures { result >= 2 }
  =
  var y:int;
  {
  y <- 0;
  goto L
  }
  L {
  y <- y + 1;
  invariant I { exists z. y = z+z+1 };
  y <- y + 1;
  switch (y <= x)
  | True -> goto L
  | False -> return y
  end
  }

let main () =
  let _ = cfgassert 42 in
  let _ = cfggoto 43 in
  let _ = cfg_inv 44 in
  ()

end
why3-1.6.0/examples/mlcfg/basic/000077500000000000000000000000001440160026300163735ustar00rootroot00000000000000why3-1.6.0/examples/mlcfg/basic/why3session.xml000066400000000000000000000111221440160026300214100ustar00rootroot00000000000000






 
 
  
  
  
  
  
  
  
  
  
 
 
 
 
  
  
  
  
  
  
 
 
 
 
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
 
 
 
 
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
 
 
 
 
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
 
 
 
 
 



why3-1.6.0/examples/mlcfg/basic/why3shapes.gz000066400000000000000000000022321440160026300210320ustar00rootroot00000000000000M6^DRTfAO>A6;MKzh(#xye\._}7_j1}Gq31<
c:Ӻ4sn&Ϩ6c7L?0n794)진^Lx̜$:t	({7?hw'h~r/^ݢWuw\S,D>\l}e2bdzA]07) }nAܷa,\6	6,8o@lq`h{}
ϝ`8ځvclK`_	꟱t;]o3HlMCԻ[N/OBZOsj\SlKgr"S,Nr5K뒽):q%~|g-%@^e^G=&+ETc>l
s
.2ك#pGPXHBKn3k5zIuQNWst']ұ\FP5Yh~sşT✲dp3bڣN7p ϐʶ$VQ.5;G2
֕"6郷lH4.蝭I,yn( 8V3(&H0VG0@JNRT Z"dW[w4Ū @APzȱHѴ-f#wbQU-mWpdBN̂_49{"7o[MQژ:3+ 79^IdV":_vsPо*d&+Ҍnn1RR*$iWTAJTRE3;F
Yw
why3-1.6.0/examples/mlcfg/break.mlcfg000066400000000000000000000010221440160026300174030ustar00rootroot00000000000000module NestedLoops
use int.Int
let cfg nested_loops x : () =
  var a : int;
  var b : int;
  var c : int;
  var d : int;
  {
    goto BB0
  }
  BB0 {
    switch (true)
    | True -> goto B
    | False -> goto A
    end
  }
  BB1 {
    switch (True)
    | True -> goto C
    | False -> goto D
    end
  }
  C { 
    c <- c + 1;
    goto A
  }
  D {
    d <- d + 1;
    goto BB0
  }
  B {
    b <- b + 1;
    goto BB1
  }
  A {
    a <- a + 1;
    return ()
  }
(*
  loop i {
    b
    if j {
      break;
    }
    d
  }
  a
*)
endwhy3-1.6.0/examples/mlcfg/break_continue.mlcfg000066400000000000000000000015041440160026300213140ustar00rootroot00000000000000
module BreakContinue

  use int.Int
  use int.ComputerDivision

  (* translation of

     x, i <- 0, 0;
     while true do
       if x > 20 then break;
       i <- i + 1;
       if i mod 2 = 0 then continue;
       x <- x + i
     done;
     x

  *)

  let cfg example () : int
    ensures { result = 25 }
  = var x: int;
    var i: int;
    {
      x <- 0;
      i <- 0;
      goto Loop
    }
    Loop {
      invariant I1 { 0 <= i <= 9 };
      invariant I2 { 4 * x = if mod i 2 = 0 then i * i else (i + 1) * (i + 1) };
      switch (x > 20)
      | True  -> goto Break
      | False -> goto L1
      end
    }
    L1 {
      i <- i + 1;
      switch (mod i 2 = 0)
      | True  -> goto Loop (* continue *)
      | False -> goto L2
      end
    }
    L2 {
     x <- x + i;
     goto Loop
    }
    Break {
      return x
    }

end
why3-1.6.0/examples/mlcfg/break_continue/000077500000000000000000000000001440160026300203025ustar00rootroot00000000000000why3-1.6.0/examples/mlcfg/break_continue/why3session.xml000066400000000000000000000013541440160026300233250ustar00rootroot00000000000000







 
 
 
 



why3-1.6.0/examples/mlcfg/break_continue/why3shapes.gz000066400000000000000000000004631440160026300227450ustar00rootroot00000000000000PMO0+zS2"FL	q>6ـ._7¼yzv_vVD|}F+vTPl-b֘ĆWt})iTp9A8[esuKFKç9KsD3Vs^@? V1~o;p';dCSB́Jy_LbK*pZm4ndtAH?~Sw<(JsI:ٸIźLLٛ&+QKʊwhy3-1.6.0/examples/mlcfg/nested_loops.mlcfg000066400000000000000000000010621440160026300210210ustar00rootroot00000000000000module NestedLoops
use int.Int
let cfg nested_loops  _x : () =
  var a : int;
  var b : int;
  var c : int;
  var d : int;
  {
    goto BB0
  }
  BB0 {
    switch (true)
    | True -> goto B
    | False -> goto A
    end
  }
  BB1 {
    invariant dummy { true };
    switch (True)
    | True -> goto C
    | False -> goto D
    end
  }
  C { 
    c <- c + 1;
    goto BB1
  }
  D {
    d <- d + 1;
    goto BB0
  }
  B {
    b <- b + 1;
    goto BB1
  }
  A {
    a <- a + 1;
    return ()
  }
(*
  loop i {
    b
    loop j {
      c
    }
    d
  }
  a
*)
end
why3-1.6.0/examples/mlcfg/nested_loops/000077500000000000000000000000001440160026300200105ustar00rootroot00000000000000why3-1.6.0/examples/mlcfg/nested_loops/why3session.xml000066400000000000000000000011101440160026300230210ustar00rootroot00000000000000






 
 
 



why3-1.6.0/examples/mlcfg/nested_loops/why3shapes.gz000066400000000000000000000002301440160026300224430ustar00rootroot00000000000000M1 _qZ7c8tf5Ѩo.{}𥔟q>-מ_:y>DBaەdYc%=WbJqɌq=^	eLPcp¶Eqo~gG
why3-1.6.0/examples/mlcfg/rec.mlcfg000066400000000000000000000004231440160026300170740ustar00rootroot00000000000000
module M

use int.Int

let rec cfg f (x : int) : unit
  requires { x >= 0 }
  variant { 2 * x + 1 }
=
  {
  return g x
  }


with g (y:int) : unit
  requires { y >= 0 }
  variant { 2 * y }
=
  {
  switch (y=0)
  | True -> return ()
  | False -> return f (y-1)
  end
  }
end
why3-1.6.0/examples/mlcfg/rec/000077500000000000000000000000001440160026300160635ustar00rootroot00000000000000why3-1.6.0/examples/mlcfg/rec/why3session.xml000066400000000000000000000023151440160026300211040ustar00rootroot00000000000000






 
 
  
  
  
  
  
  
 
 
 
 
  
  
  
  
  
  
 
 



why3-1.6.0/examples/mlcfg/rec/why3shapes.gz000066400000000000000000000005451440160026300205270ustar00rootroot00000000000000eJ,1y,=#BU.z@iap%TaFUt|g=::ͻR{5(:oZVo)ž'\8@{k[6BmvD#PtkȺ^4
8Z-РEm.\DX"`LzcD-/1UBJLb葉e̦y^0%c]9cMcK5^NOKʖ@why3-1.6.0/examples/mlcfg/scope.mlcfg000066400000000000000000000001641440160026300174360ustar00rootroot00000000000000(* check that scopes are allowed in MLCFG modules *)
module B
scope A
let cfg test () : ()  = { return () }
end
end
why3-1.6.0/examples/mlcfg/scope/000077500000000000000000000000001440160026300164235ustar00rootroot00000000000000why3-1.6.0/examples/mlcfg/scope/why3session.xml000066400000000000000000000004211440160026300214400ustar00rootroot00000000000000






why3-1.6.0/examples/mlcfg/scope/why3shapes.gz000066400000000000000000000000551440160026300210630ustar00rootroot00000000000000R(H,H-V(K-*ϳR0S&why3-1.6.0/examples/muller.mlw000066400000000000000000000014351440160026300162460ustar00rootroot00000000000000
(* A small verification challenge proposed by Peter Müller.

   Given an array of integers, we first count how many non-zero values
   it contains. Then we allocate a new array with exactly this size and
   we fill it with the non-zero values. *)

module Muller

  use int.Int
  use ref.Refint
  use array.Array
  use int.NumOf as N

  function numof (a: array int) (l u: int) : int =
    N.numof (fun i -> a[i] <> 0) l u

  let compact (a: array int) =
    let count = ref 0 in
    for i = 0 to length a - 1 do
      invariant { !count = numof a 0 i }
      if a[i] <> 0 then incr count
    done;
    let u = make !count 0 in
    count := 0;
    for i = 0 to length a - 1 do
      invariant { !count = numof a 0 i }
      if a[i] <> 0 then begin u[!count] <- a[i]; incr count end
    done

end
why3-1.6.0/examples/muller/000077500000000000000000000000001440160026300155225ustar00rootroot00000000000000why3-1.6.0/examples/muller/why3session.xml000066400000000000000000000010641440160026300205430ustar00rootroot00000000000000






 
 
 



why3-1.6.0/examples/muller/why3shapes.gz000066400000000000000000000007321440160026300201640ustar00rootroot00000000000000Ko0mP@2װ3`T.,"NGя*I,RɟޕKx_ÏRwߊmXyimxEݨ(clé|%^li8/59uX~w8ўv%'K꺥e~U$UO<79=BvtzgO7WSIs^UgH=[6GNhxw#imýUb
f7(x XOŁUMSEN/fJߨ(tߡ#r@WbN}f
Px7D3qOԐkjt4Y`TҴGdfT6C(i:d&&*H^YDeGC;(rs<
\r;a]ZF8ĮE1Nwhy3-1.6.0/examples/multiprecision/000077500000000000000000000000001440160026300172705ustar00rootroot00000000000000why3-1.6.0/examples/multiprecision/Makefile000066400000000000000000000062521440160026300207350ustar00rootroot00000000000000BENCH ?= no
OVERLAY ?= no
LOCAL ?= $(BENCH)

ifeq ($(LOCAL),yes)
  WHY3=../../bin/why3.opt
else
  ifeq ($(BINDIR),)
    WHY3=why3
  else
    WHY3=$(BINDIR)/why3
  endif
endif

ifndef CFLAGS
  ifdef GMP_DIR
    CFLAGS = $(shell sed -n -e 's/^CFLAGS = \(.*\)/\1/p' $(GMP_DIR)/Makefile)
  else
    CFLAGS = -march=native -O2 -fomit-frame-pointer
  endif
endif

ifdef GMP_LIB
  GMPFLAGS = -I$(GMP_LIB)/include -L$(GMP_LIB)/lib
endif

CFLAGS += -Wall -Wno-unused -g -std=c11 -Wno-pedantic

.PHONY: all clean extract plots benchs why3benchs gmpbenchs minigmpbenchs

all: extract

clean:
	rm -rf build bench

why3:
	make -C ../..

MLWFILES = \
  mpz_get_str mpz_set_str mpz_div2exp mpz_mul2exp mpz_div mpz_mul mpz_sub mpz_add mpz_getset mpz_abs mpz_cmp mpz_cmpabs mpz_neg mpz_realloc2 mpz \
  set_str get_str base_info powm sqrtrem sqrt toom logical div mul sub add compare util

build/extracted: $(addsuffix .mlw, $(MLWFILES))
	mkdir -p build
	rm -f $@
	$(WHY3) extract -D wmpn.drv -D c -L . --recursive --modular --interface -o build/ \
	  --debug=c_no_error_msgs wmpn.mlw
	touch $@

build/sqrtinit.h: sqrtinit.ml
	mkdir -p build
	ocaml sqrtinit.ml > build/sqrtinit.h

build/binverttab.h: binverttab.ml
	mkdir -p build
	ocaml binverttab.ml > build/binverttab.h

EXTRACTED = build/extracted build/sqrtinit.h build/binverttab.h

extract: $(EXTRACTED)

CFILES = \
  zutil.c z.c zcmp.c zcmpabs.c zabs.c zneg.c zrealloc2.c \
  zadd.c zsub.c zmul.c zdiv.c zmul2exp.c zdiv2exp.c zget_str.c zset_str.c \
  set.c get_str.c set_str.c baseinfo.c powm.c sqrt.c sqrt1.c toom.c div.c \
  logical.c logicalold.c mul_basecase.c sub.c sub_1.c add.c add_1.c \
  compare.c util.c utilold.c

ifneq ($(OVERLAY),gmp)
CFILES += mul.c addold.c subold.c
endif

gmp_INCLUDES = mul.h add.h sub.h
mini_INCLUDES = uint64gmp.h
no_INCLUDES =
INCLUDES = $($(OVERLAY)_INCLUDES)

build/libwmp.a: $(EXTRACTED)
	cd build; $(CC) $(CFLAGS) $(INCLUDES:%=-include ../overlays/%) -c $(CFILES)
	ar rcs $@ $(addprefix build/,$(CFILES:.c=.o))

build/tests: tests.c build/libwmp.a
	$(CC) $(CFLAGS) tests.c -Irandom -Lbuild -lm -lwmp -lgmp -o $@

build/minitests: tests.c build/libwmp.a
	$(CC) $(CFLAGS) -DCOMPARE_MINI tests.c -Irandom -Imini-gmp -Lbuild -lm -lwmp -o $@

UPPER = $(shell echo $* | tr [:lower:] [:upper:])

build/why3%bench: tests.c build/libwmp.a
	$(CC) $(CFLAGS) -DTEST_WHY3 -DTEST_$(UPPER) tests.c -Iinclude -Irandom -Lbuild -lm -lwmp -lgmp -o $@

build/gmp%bench: tests.c build/libwmp.a
	$(CC) $(CFLAGS) $(GMPFLAGS) -DTEST_GMP -DTEST_$(UPPER) tests.c -Iinclude -Irandom -lm -lgmp -o $@

build/minigmp%bench: tests.c build/libwmp.a
	$(CC) $(CFLAGS) -DTEST_MINIGMP -DTEST_$(UPPER) tests.c -Iinclude -Imini-gmp -Irandom -lm -o $@

BENCHS = toomb sqrtrem millerrabin toomu add mul div powm toomm zgetset


WHY3BENCHFILES = $(addprefix bench/why3, $(BENCHS))
GMPBENCHFILES = $(addprefix bench/gmp, $(BENCHS))
MINIGMPBENCHFILES = $(addprefix bench/minigmp, $(BENCHS))
BENCHFILES = $(WHY3BENCHFILES) $(GMPBENCHFILES) $(MINIGMPBENCHFILES)

$(BENCHFILES): bench/%: build/%bench
	mkdir -p bench
	$< > $@

why3benchs: $(WHY3BENCHFILES)
gmpbenchs: $(GMPBENCHFILES)
minigmpbenchs: $(MINIGMPBENCHFILES)
benchs: why3benchs gmpbenchs minigmpbenchs

plots: $(BENCHFILES)
	make all -C plots
why3-1.6.0/examples/multiprecision/add.mlw000066400000000000000000000604451440160026300205520ustar00rootroot00000000000000module Add

  use mach.c.C
  use lemmas.Lemmas
  use int.Int
  use mach.int.Int32
  use import mach.int.UInt64GMP as Limb
  use types.Types
  use array.Array
  use map.Map
  use int.Power
  use map.MapEq
  use ptralias.Alias

  (** `wmpn_add_n r x y sz` adds `x[0..sz-1]` and `y[0..sz-1]` and writes the
      result in `r`. Returns the carry, either `0` or `1`.
      Corresponds to the function `mpn_add_n`. *)
  let wmpn_add_n (r x y:ptr limb) (sz:int32) : limb
    requires { 0 <= sz }
    requires { valid r sz /\ valid x sz /\ valid y sz }
    requires { offset r = offset x
               \/ offset r + sz <= offset x
               \/ offset x + sz <= offset r }
    requires { offset r = offset y
               \/ offset r + sz <= offset y
               \/ offset y + sz <= offset r }
    requires { r.data = x.data = y.data }
    requires { writable r }
    alias    { r.data with x.data }
    alias    { r.data with y.data }
    alias    { x.data with y.data }
    ensures  { value r sz + power radix sz * result
               = old (value x sz + value y sz) }
    ensures  { 0 <= result <= 1 }
    ensures  { forall j. (j < offset r \/ offset r + sz <= j)
                         -> (pelts r)[j] = old (pelts r)[j] }
    ensures  { offset r = offset x \/ map_eq_sub (pelts x) (old pelts x)
                                                 (offset x) (offset x + sz) }
    ensures  { offset r = offset y \/ map_eq_sub (pelts y) (old pelts y)
                                                 (offset y) (offset y + sz) }
    writes { r.data.elts }
  =
    label Start in
    let ref lx = 0 in
    let ref ly = 0 in
    let ref c = 0 in
    let ref i = 0 in
    let ghost ox = pure { x } in
    let ghost oy = pure { y } in
    while i < sz do
      variant { sz - i }
      invariant { 0 <= i <= sz }
      invariant { value r i + power radix i * c
                  = value ox i + value oy i }
      invariant { forall j. (j < offset r \/ offset r + i <= j)
                            -> (pelts r)[j] = old (pelts r)[j] }
      invariant { pelts x = pelts r }
      invariant { pelts y = pelts r }
      invariant { offset r = offset x \/ map_eq_sub (pelts x) (old pelts x)
                                                    (offset x) (offset x + sz) }
      invariant { offset r = offset y \/ map_eq_sub (pelts y) (old pelts y)
                                                    (offset y) (offset y + sz) }
      invariant { 0 <= c <= 1 }
      label StartLoop in
      lx <- get_ofs x i;
      ly <- get_ofs y i;
      let ghost olx = get_ofs ox i in
      let ghost oly = get_ofs oy i in
      assert { lx = olx /\ ly = oly };
      let res, carry = add_with_carry lx ly c in
      value_sub_update_no_change (pelts r) (offset r + int32'int i)
                                 (offset r) (offset r + int32'int i) res;
      set_ofs r i res;
      assert { value r i = value r i at StartLoop };
      assert { value r i + power radix i * c = value ox i + value oy i };
      c <- carry;
      value_tail r i;
      value_tail ox i;
      value_tail oy i;
      assert { value r (i+1) + power radix (i+1) * c
               = value ox (i+1) + value oy (i+1) };
      i <- i+1;
    done;
    c

  (** `wmpn_add r x sx y sy` adds `(x, sx)` to `(y, sy)` and writes the
      result in `(r, sx)`.  `sx` must be greater than or equal to
      `sy`. Returns carry, either 0 or 1. Corresponds to `mpn_add`. *)
  let wmpn_add (r x:ptr limb) (sx:int32) (y:ptr limb) (sy:int32) : limb
    requires { 0 <= sy <= sx }
    requires { valid r sx /\ valid x sx /\ valid y sy }
    requires { offset r = offset x
               \/ offset r + sx <= offset x
               \/ offset x + sx <= offset r }
    requires { offset r = offset y
               \/ offset r + sx <= offset y
               \/ offset y + sy <= offset r }
    requires { r.data = x.data = y.data }
    requires { writable r }
    alias    { r.data with x.data }
    alias    { r.data with y.data }
    alias    { x.data with y.data }
    ensures  { value r sx + power radix sx * result
               = old (value x sx + value y sy) }
    ensures  { 0 <= result <= 1 }
    ensures  { forall j. (j < offset r \/ offset r + sx <= j)
                         -> (pelts r)[j] = old (pelts r)[j] }
    ensures  { offset r = offset x \/ map_eq_sub (pelts x) (old pelts x)
                                                 (offset x) (offset x + sx) }
    ensures  { offset r = offset y \/ map_eq_sub (pelts y) (old pelts y)
                                                 (offset y) (offset y + sy) }
    writes { r.data.elts }
  =
    label Start in
    let ref lx = 0 in
    let ox = pure { x } in
    let oy = pure { y } in
    let ref c = wmpn_add_n r x y sy in
    let ref i = sy in
    assert { offset r <> offset x ->
             forall j. offset x <= j < offset x + sx ->
                       (pelts x)[j] = (pelts ox)[j]
             by offset r + sy <= j \/ j < offset r };
    if (c <> 0)
    then begin
      while i < sx do
        variant { sx - i }
        invariant { sy <= i <= sx }
        invariant { value r i + power radix i * c
                    = value ox i + value oy sy }
        invariant { forall j. (j < offset r \/ offset r + i <= j)
                              -> (pelts r)[j] = old (pelts r)[j] }
        invariant { pelts x = pelts r }
        invariant { pelts y = pelts r }
        invariant { offset r = offset x \/ map_eq_sub (pelts x) (old pelts x)
                                                   (offset x) (offset x + sx) }
        invariant { offset r = offset y \/ map_eq_sub (pelts y) (old pelts y)
                                                   (offset y) (offset y + sy) }
        invariant { 0 <= c <= 1 }
        invariant { i = sx \/ c = 1 }
        label StartLoop in
        assert { c = 1 };
        lx <- get_ofs x i;
        let ghost olx = get_ofs ox i in
        assert { lx = olx };
        let res = add_mod lx 1 in
        value_sub_update_no_change (pelts r) (r.offset + int32'int i)
                                   r.offset (r.offset + int32'int i) res;
        set_ofs r i res;
        assert { value r i = value r i at StartLoop };
        value_tail r i;
        value_tail ox i;
        i <- i+1;
        if res <> 0
        then begin
          c <- 0;
          assert { res = lx + 1 };
          assert { value r i = value ox i + value oy sy };
          break
        end
        else begin
          assert { lx + 1 = radix };
          assert { value r i + power radix i * c = value ox i + value oy sy };
        end
      done
    end;
    while i < sx do
        variant { sx - i }
        invariant { sy <= i <= sx }
        invariant { i = sx \/ c = 0 }
        invariant { value r i + power radix i * c
                    = value ox i + value oy sy }
        invariant { forall j. (j < offset r \/ offset r + i <= j)
                              -> (pelts r)[j] = old (pelts r)[j] }
        invariant { pelts x = pelts r }
        invariant { pelts y = pelts r }
        invariant { offset r = offset x \/ map_eq_sub (pelts x) (old pelts x)
                                                   (offset x) (offset x + sx) }
        invariant { offset r = offset y \/ map_eq_sub (pelts y) (old pelts y)
                                                   (offset y) (offset y + sy) }
        invariant { 0 <= c <= 1 }
        label StartLoop2 in
        assert { c = 0 by i < sx };
        lx <- get_ofs x i;
        let ghost olx = get_ofs ox i in
        assert { olx = lx };
        value_sub_update_no_change (pelts r) (r.offset + int32'int i)
                                   r.offset (r.offset + int32'int i) lx;
        set_ofs r i lx;
        assert { value r i = value r i at StartLoop2 };
        value_tail r i;
        value_tail ox i;
        assert { value r (i+1) + power radix (i+1) * c
                 = value ox (i+1) + value oy sy };
        i <- i+1
     done;
     c

  let add_n [@extraction:inline] (r x y:ptr limb) (sz:int32) : limb
    requires { 0 <= sz }
    requires { valid r sz /\ valid x sz /\ valid y sz }
    requires { writable r }
    ensures  { value r sz + power radix sz * result
               = old (value x sz + value y sz) }
    ensures  { 0 <= result <= 1 }
    ensures { forall j. (j < offset r \/ offset r + sz <= j)
              -> (pelts r)[j] = old (pelts r)[j] }
    ensures { forall j. (pelts x)[j] = old (pelts x)[j] }
    ensures { forall j. (pelts y)[j] = old (pelts y)[j] }
    ensures { value x sz = old value x sz }
    ensures { value y sz = old value y sz }
    ensures  { min x = old min x /\ max x = old max x
               /\ plength x = old plength x }
    ensures  { min y = old min y /\ max y = old max y
               /\ plength y = old plength y }
    ensures  { min r = old min r /\ max r = old max r
               /\ plength r = old plength r }
  =
    let ghost ox = pure { x } in
    let ghost oy = pure { y } in
    let nr, nx, ny, m = open_sep r x sz y sz in
    label Add in
    let res = wmpn_add_n nr nx ny sz in
    let ghost onx = pure { nx } in
    let ghost ony = pure { ny } in
    close_sep r x sz y sz nr nx ny m;
    assert { forall j. 0 <= j < sz
                       -> (pelts x)[offset x + j] = (pelts ox)[offset x + j]
             by (pelts x)[offset x + j]
                = (pelts onx)[offset onx + j]
                = (pelts nx at Add)[offset onx + j]
                = (pelts ox)[offset x + j] };
    assert { forall j. 0 <= j < sz
                       -> (pelts y)[offset y + j] = (pelts oy)[offset y + j]
             by (pelts y)[offset y + j]
                = (pelts ony)[offset ony + j]
                = (pelts ny at Add)[offset ony + j]
                = (pelts oy)[offset y + j] };
    res

  let add_n_rx [@extraction:inline] (x y:ptr limb) (sz:int32) : limb
    requires { 0 <= sz }
    requires { valid x sz /\ valid y sz }
    requires { writable x }
    ensures  { value x sz + power radix sz * result
               = old (value x sz + value y sz) }
    ensures  { 0 <= result <= 1 }
    ensures  { forall j. (j < offset x \/ offset x + sz <= j)
                      -> (pelts x)[j] = old (pelts x)[j] }
    ensures  { forall j. (pelts y)[j] = old (pelts y)[j] }
    ensures  { value y sz = old value y sz }
    ensures  { min x = old min x /\ max x = old max x
               /\ plength x = old plength x }
    ensures  { min y = old min y /\ max y = old max y
               /\ plength y = old plength y }
  = let ghost oy = pure { y } in
    let nr, nx, ny, m = open_rx x sz y sz in
    label Add in
    let res = wmpn_add_n nr nx ny sz in
    let ghost ony = pure { ny } in
    close_rx x sz y sz nr nx ny m;
    assert { forall j. 0 <= j < sz
                       -> (pelts y)[offset y + j] = (pelts oy)[offset y + j]
             by (pelts y)[offset y + j]
                = (pelts ony)[offset ony + j]
                = (pelts ny at Add)[offset ony + j]
                = (pelts oy)[offset y + j] };
    value_sub_frame_shift (pelts y) (pelts oy) (offset y) (offset y)
                          (int32'int sz);
    res

  let add [@extraction:inline] (r x:ptr limb) (sx:int32) (y:ptr limb) (sy:int32) : limb
    requires { 0 <= sy <= sx }
    requires { valid r sx /\ valid x sx /\ valid y sy }
    requires { writable r }
    ensures  { value r sx + power radix sx * result
               = old (value x sx + value y sy) }
    ensures  { 0 <= result <= 1 }
    ensures { forall j. (j < offset r \/ offset r + sx <= j)
              -> (pelts r)[j] = old (pelts r)[j] }
    ensures { forall j. (pelts x)[j] = old (pelts x)[j] }
    ensures { forall j. (pelts y)[j] = old (pelts y)[j] }
    ensures { value x sx = old value x sx }
    ensures { value y sy = old value y sy }
    ensures  { min x = old min x /\ max x = old max x
               /\ plength x = old plength x }
    ensures  { min y = old min y /\ max y = old max y
               /\ plength y = old plength y }
    ensures  { min r = old min r /\ max r = old max r
               /\ plength r = old plength r }
  =
    let ghost ox = pure { x } in
    let ghost oy = pure { y } in
    let nr, nx, ny, m = open_sep r x sx y sy in
    label Add in
    let res = wmpn_add nr nx sx ny sy in
    let ghost onx = pure { nx } in
    let ghost ony = pure { ny } in
    close_sep r x sx y sy nr nx ny m;
    assert { forall j. 0 <= j < sx
                       -> (pelts x)[offset x + j] = (pelts ox)[offset x + j]
             by (pelts x)[offset x + j]
                = (pelts onx)[offset onx + j]
                = (pelts nx at Add)[offset onx + j]
                = (pelts ox)[offset x + j] };
    assert { forall j. 0 <= j < sy
                       -> (pelts y)[offset y + j] = (pelts oy)[offset y + j]
             by (pelts y)[offset y + j]
                = (pelts ony)[offset ony + j]
                = (pelts ny at Add)[offset ony + j]
                = (pelts oy)[offset y + j] };
    res

  let add_rx [@extraction:inline] (x:ptr limb) (sx:int32) (y:ptr limb) (sy:int32) : limb
    requires { 0 <= sy <= sx }
    requires { valid x sx /\ valid y sy }
    requires { writable x }
    ensures  { value x sx + power radix sx * result
               = old (value x sx + value y sy) }
    ensures  { 0 <= result <= 1 }
    ensures  { forall j. (j < offset x \/ offset x + sx <= j)
               -> (pelts x)[j] = old (pelts x)[j] }
    ensures  { forall j. (pelts y)[j] = (old pelts y)[j] }
    ensures  { value y sy = old value y sy }
    ensures  { min x = old min x /\ max x = old max x
               /\ plength x = old plength x }
    ensures  { min y = old min y /\ max y = old max y
               /\ plength y = old plength y }
  =
    let ghost oy = pure { y } in
    let nr, nx, ny, m = open_rx x sx y sy in
    label Add in
    let res = wmpn_add nr nx sx ny sy in
    let ghost ony = pure { ny } in
    close_rx x sx y sy nr nx ny m;
    assert { forall j. 0 <= j < sy
                       -> (pelts y)[offset y + j] = (pelts oy)[offset y + j]
             by (pelts y)[offset y + j]
                = (pelts ony)[offset ony + j]
                = (pelts ny at Add)[offset ony + j]
                = (pelts oy)[offset y + j] };
    value_sub_frame_shift (pelts y) (pelts oy)
                          (offset y) (offset oy) (int32'int sy);
    res

  let add_ry [@extraction:inline] (x:ptr limb) (sx:int32) (y:ptr limb) (sy:int32) : limb
    requires { 0 <= sy <= sx }
    requires { valid x sx /\ valid y sx }
    requires { writable y }
    ensures  { value y sx + power radix sx * result
               = old (value x sx + value y sy) }
    ensures  { 0 <= result <= 1 }
    ensures  { forall j. (j < offset y \/ offset y + sx <= j)
               -> (pelts y)[j] = old (pelts y)[j] }
    ensures  { forall j. (pelts x)[j] = (old pelts x)[j] }
    ensures  { value x sx = old value x sx }
    ensures  { min x = old min x /\ max x = old max x
               /\ plength x = old plength x }
    ensures  { min y = old min y /\ max y = old max y
               /\ plength y = old plength y }
  =
    let ghost ox = pure { x } in
    let ghost oy = pure { y } in
    let nr, ny, nx, m = open_rx y sx x sx in
    label Add in
    value_sub_frame_shift (pelts ny) (pelts oy)
                          (offset ny) (offset y) (int32'int sy);
    assert { value ny sy = old (value y sy) };
    assert { value nx sx = old (value x sx) };
    let res = wmpn_add nr nx sx ny sy in
    let ghost onx = pure { nx } in
    close_rx y sx x sx nr ny nx m;
    assert { forall j. 0 <= j < sx
                       -> (pelts x)[offset x + j] = (pelts ox)[offset x + j]
             by (pelts x)[offset x + j]
                = (pelts onx)[offset onx + j]
                = (pelts nx at Add)[offset onx + j]
                = (pelts ox)[offset x + j] };
    value_sub_frame_shift (pelts x) (pelts ox)
                          (offset x) (offset x) (int32'int sx);
    res

  let add_n_rxy [@extraction:inline] (x:ptr limb) (sx:int32) : limb
    requires { 0 <= sx }
    requires { writable x }
    requires { valid x sx }
    ensures  { value x sx + power radix sx * result
               = old (value x sx + value x sx) }
    ensures  { 0 <= result <= 1 }
    ensures  { forall j. (j < offset x \/ offset x + sx <= j)
                      -> (pelts x)[j] = old (pelts x)[j] }
    ensures  { min x = old min x /\ max x = old max x
               /\ plength x = old plength x }
  =
    wmpn_add_n x x x sx


end

(* TODO: Temporary, remove when new addition can be used everywhere instead *)
module AddOld

  use mach.c.C
  use lemmas.Lemmas
  use int.Int
  use mach.int.Int32
  use import mach.int.UInt64GMP as Limb
  use types.Types
  use array.Array
  use map.Map
  use int.Power
  use map.MapEq
  use ptralias.Alias
  use ref.Ref

  let wmpn_add_n (r x y:t) (sz:int32) : limb
    requires { valid x sz }
    requires { valid y sz }
    requires { valid r sz }
    requires { writable r }
    ensures { 0 <= result <= 1 }
    ensures { value r sz + (power radix sz) * result =
            value x sz + value y sz }
    ensures { forall j. (j < offset r \/ offset r + sz <= j)
              -> (pelts r)[j] = old (pelts r)[j] }
    writes { r.data.elts }
    =
    let lx = ref 0 in
    let ly = ref 0 in
    let c = ref 0 in
    let i = ref 0 in
    while !i < sz do
      variant { sz - !i }
      invariant { 0 <= !i <= sz }
      invariant { value r !i + (power radix !i) * !c =
                value x !i + value y !i }
      invariant { 0 <= !c <= 1 }
      invariant { forall j. (j < offset r \/ offset r + sz <= j)
                -> (pelts r)[j] = old (pelts r)[j] }
      label StartLoop in
      lx := get_ofs x !i;
      ly := get_ofs y !i;
      let res, carry = add_with_carry !lx !ly !c in
      set_ofs r !i res;
      assert { value r !i + (power radix !i) * !c =
                value x !i + value y !i
               by value r !i = (value r !i at StartLoop) };
      c := carry;
      value_tail r !i;
      value_tail x !i;
      value_tail y !i;
      assert { value r (!i+1) + (power radix (!i+1)) * !c =
                value x (!i+1) + value y (!i+1) };
      i := !i + 1;
    done;
    !c

  (** `wmpn_add r x sx y sy` adds `(x, sx)` to `(y, sy)` and writes the
      result in `(r, sx)`.  `sx` must be greater than or equal to
      `sy`. Returns carry, either 0 or 1. Corresponds to `mpn_add`. *)
  let wmpn_add (r x:t) (sx:int32) (y:t) (sy:int32) : limb
    requires { 0 <= sy <= sx }
    requires { valid x sx }
    requires { valid y sy }
    requires { valid r sx }
    requires { writable r }
    ensures { value r sx + (power radix sx) * result =
              value x sx + value y sy }
    ensures { forall j. (j < offset r \/ offset r + sx <= j)
              -> (pelts r)[j] = old (pelts r)[j] }
    ensures { 0 <= result <= 1 }
    writes { r.data.elts }
 =
    let ref lx = 0 in
    let ref c = wmpn_add_n r x y sy in
    let ref i = sy in
    if (c <> 0)
    then begin
      while i < sx do
        variant { sx - i }
        invariant { sy <= i <= sx }
        invariant { value r i + (power radix i) * c =
                    value x i + value y sy }
        invariant { 0 <= c <= 1 }
        invariant { i = sx \/ c = 1 }
        invariant { forall j. (j < offset r \/ offset r + sx <= j)
                -> (pelts r)[j] = old (pelts r)[j] }
        assert { c = 1 };
        lx <- get_ofs x i;
        let res = add_mod lx (1:limb) in
        set_ofs r i res;
        assert { value r i + (power radix i) =
                 value x i + value y sy };
        value_tail r i;
        value_tail x i;
        i <- i + 1;
        if res <> 0
        then begin
          c <- 0;
          assert { res = lx + 1 };
          assert { value r i = value x i + value y sy };
          break
        end
        else begin
          assert { lx + 1 = radix };
          assert { value r i + power radix i = value x i + value y sy }
        end
      done
    end;
    while i < sx do
      variant { sx - i }
      invariant { sy <= i <= sx }
      invariant { i = sx \/ c = 0 }
      invariant { value r i + power radix i * c =
                value x i + value y sy }
      invariant { forall j. (j < offset r \/ offset r + sx <= j)
                -> (pelts r)[j] = old (pelts r)[j] }
      assert { c = 0 by i < sx };
      lx <- get_ofs x i;
      set_ofs r i lx;
      value_tail r i;
      value_tail x i;
      assert { value r i = value x i + value y sy }; (* true with this, should not be needed *)
      assert { value r (i+1) + power radix (i+1) * c
               = value x (i+1) + value y sy };
      i <- i + 1;
    done;
    c

  let wmpn_add_n_in_place (x y:t) (sz:int32) : limb
    requires { valid x sz }
    requires { valid y sz }
    requires { writable x }
    ensures  { 0 <= result <= 1 }
    ensures  { value x sz + (power radix sz) * result
               = value (old x) sz + value y sz }
    ensures { forall j. j < x.offset \/ x.offset + sz <= j ->
              (pelts x)[j] = (pelts (old x))[j] }
    writes   { x.data.elts }
  =
    let ghost ox = pure { x } in
    let ref lx = 0 in
    let ref ly = 0 in
    let ref c = 0 in
    let ref i = 0 in
    while i < sz do
      variant { sz - i }
      invariant { 0 <= i <= sz }
      invariant { value x i + (power radix i) * c =
                  value ox i + value y i }
      invariant { 0 <= c <= 1 }
      invariant { forall j. i <= j < sz ->
                  (pelts x)[x.offset + j] = (pelts ox)[x.offset + j] }
      invariant { forall j. j < x.offset \/ x.offset + sz <= j ->
                  (pelts x)[j] = (pelts (old x))[j] }
      label StartLoop in
      lx <- get_ofs x i;
      assert { lx = (pelts ox)[ox.offset + i] };
      ly <- get_ofs y i;
      let res, carry = add_with_carry lx ly c in
      set_ofs x i res;
      assert { forall j. i < j < sz ->
                 (pelts x)[x.offset + j]
                 = (pelts ox)[x.offset + j]
                 by (pelts x)[x.offset + j]
                 = (pelts (x at StartLoop))[x.offset + j]
                 = (pelts ox)[x.offset + j]};
      assert { value x i + power radix i * c = value ox i + value y i };
      c <- carry;
      value_tail x i;
      value_tail ox i;
      value_tail y i;
      assert { value x (i+1) + power radix (i+1) * c
               = value ox (i+1) + value y (i+1) };
      i <- i+1;
    done;
    c

  let wmpn_add_in_place (x:t) (sx:int32) (y:t) (sy:int32) : limb
    requires { 0 <= sy <= sx }
    requires { valid x sx }
    requires { valid y sy }
    requires { writable x }
    ensures  { value x sx + (power radix sx) * result
               = value (old x) sx + value y sy }
    ensures  { 0 <= result <= 1 }
    ensures { forall j. j < x.offset \/ x.offset + sx <= j ->
              (pelts x)[j] = (pelts (old x))[j] }
    writes   { x.data.elts }
  =
    let ghost ox = { x } in
    let ref lx = 0 in
    let ref c = wmpn_add_n_in_place x y sy in
    let ref i = sy in
    if (c <> 0)
    then begin
      while i < sx do
        variant   { sx - i }
        invariant { sy <= i <= sx }
        invariant { value x i + (power radix i) * c =
                    value ox i + value y sy }
        invariant { 0 <= c <= 1 }
        invariant { i = sx \/ c = 1 }
        invariant { forall j. i <= j < sx ->
                    (pelts x)[x.offset + j] = (pelts ox) [x.offset + j] }
        invariant { forall j. j < x.offset \/ x.offset + sx <= j ->
                    (pelts x)[j] = (pelts (old x))[j] }
        assert { c = 1 };
        lx <- get_ofs x i;
        assert { lx = (pelts ox)[ox.offset + i] };
        let res = add_mod lx 1 in
        value_sub_update_no_change (pelts x) (x.offset + p2i i)
                                   (x.offset + p2i i + 1)
                                   (x.offset + p2i sx) res;
        set_ofs x i res;
        assert { value x i + (power radix i) * c = value ox i + value y sy };
        assert { forall j. i < j < sx ->
                 (pelts x)[x.offset + j] = (pelts ox) [x.offset + j] };
        value_tail ox i;
        value_tail x i;
        i <- i + 1;
        if (res <> 0)
        then begin
          c <- 0;
          assert { res = lx + 1 };
          assert { value x i = value ox i + value y sy };
          break;
        end
        else begin
          assert { lx + 1 = radix };
          assert { value x i + power radix i = value ox i + value y sy }
        end
      done
    end;
    assert { forall j. x.offset + i <= j < x.offset + sx
               -> (pelts x)[j] = (pelts ox)[j]
               by i <= j - x.offset < sx
               so (pelts x)[x.offset + (j - x.offset)]
                  = (pelts ox)[x.offset + (j - x.offset)] };
    value_sub_frame (pelts x) (pelts ox) (x.offset + int32'int i)
                    (x.offset + int32'int sx);
    value_concat x i sx;
    value_concat ox i sx;
    c

endwhy3-1.6.0/examples/multiprecision/add/000077500000000000000000000000001440160026300200205ustar00rootroot00000000000000why3-1.6.0/examples/multiprecision/add/why3session.xml000066400000000000000000003227211440160026300230470ustar00rootroot00000000000000










 
 
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
   
   
    
    
    
    
    
    
   
   
   
   
    
    
    
    
    
    
   
   
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
   
   
    
    
    
    
    
    
    
    
    
   
   
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
 
 
 
 
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
   
   
   
   
   
   
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
   
   
   
   
   
   
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
   
   
   
   
   
   
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
   
   
   
   
   
   
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
   
   
   
   
   
   
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
 
 
 
 
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
   
   
   
   
   
   
   
   
   
   
   
   
  
  
  
  
   
   
   
   
   
   
   
   
   
   
   
   
  
  
  
  
  
  
  
  
  
  
  
  
  
   
   
    
    
    
    
    
    
   
   
   
   
   
  
  
  
  
   
   
    
    
    
    
    
    
   
   
   
   
   
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
 
 
 
 
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
   
   
   
   
   
   
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
   
   
   
   
   
   
   
   
   
   
   
   
  
  
  
  
  
  
  
  
  
  
  
  
  
   
   
    
    
    
    
    
    
    
   
   
   
   
   
  
  
  
  
   
   
    
    
    
    
    
    
   
   
   
   
   
  
  
  
  
  
  
  
  
  
  
  
  
 
 
 
 
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
   
   
   
   
   
   
   
   
   
   
   
   
  
  
  
  
   
   
   
   
   
   
   
   
   
   
   
   
  
  
  
  
  
  
  
  
  
  
  
  
  
   
   
    
    
    
    
    
    
   
   
   
   
   
  
  
  
  
   
   
    
    
    
    
    
    
   
   
   
   
   
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
 
 
 
 
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
   
   
   
   
   
   
  
  
  
  
  
  
  
  
  
  
  
   
   
   
  
  
  
  
  
  
  
  
  
  
  
  
  
   
   
   
   
   
   
   
   
   
   
   
   
  
  
  
  
   
   
   
  
  
  
  
  
  
  
  
  
  
   
   
    
    
    
    
    
    
    
   
   
   
   
   
  
  
  
  
   
   
    
    
    
    
    
    
   
   
   
   
   
  
  
  
  
  
  
  
  
  
  
  
 
 
 
 
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
   
   
   
   
   
   
   
   
   
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
   
   
   
   
   
   
   
   
   
   
   
   
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
   
   
    
    
    
    
    
    
   
   
   
   
   
  
  
  
  
  
  
  
  
  
  
  
  
 
 
 
 
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
   
   
   
  
  
  
  
  
  
  
  
  
  
   
   
    
    
    
    
    
    
   
   
   
   
   
   
   
   
   
  
  
  
  
  
 
 


 
 
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
   
   
   
   
   
   
  
  
  
  
  
  
  
  
  
  
  
  
  
   
   
    
    
    
    
    
    
    
    
    
   
   
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
 
 
 
 
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
 
 
 
 
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
   
   
   
   
   
   
   
   
   
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
   
   
    
    
    
    
    
    
    
    
    
   
   
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
 
 
 
 
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
   
   
   
   
   
   
   
   
   
   
   
   
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
 
 



why3-1.6.0/examples/multiprecision/add/why3shapes.gz000066400000000000000000000740471440160026300224740ustar00rootroot00000000000000[90_4@u=8@4_>kCYϺ]ݻY!)#첫ӓL])H?^/{w7+s>|B}+?nWSw]s??O]c/MB_ߖĶonW'GIßÜp%''*nH+x|3$}w}D}*-Pp5@~tP*͹kvGM8?W^}zfT)?O?}o%7?, NZܠÌ#`!?>194Lۻ%i31O|/90C*@FG#PCa0u
[Xkvm;3*ngn'nO̻ߝP4ŚA~eJ5E7w@usfP3۫fZx:dA5`sr,]?Tm&HW'R1˻ˌ>2FWߦp!D oRiwKϛ[PYu9rFS`X7NLغyxV}L}n27eJjw0!zu7lL~ֻY+ufu
%FJble0KMʜZp6j~WzRɜ+nvxA<3k]>g8*^ŻU㋩mP.Q/OEP+FᓐU#>	V7ⵞ(G$-ѥjj41+H|ZUZ
Ң"t5g5Oset^3(´2a,3n_sMjT~=Չ|X8=M
=
l.=6;>qwjr;,`+T	̨~ch|Htk駴VUuzTkdjOK9Ф!oIT.ĩ(c7UcH1gtP?:0q{KF4U`UQd,5!UrE$ZecTh2&LyI(q -f⪅m*͌]mF
%Q-/0LslYki`l2%NzBipglcGy|kM3dhWu첻Mg,M]N#kG4ŕ%tkc0{vaFsnVzL?GZwl/d
N%2%1'cpu6Cl;lyaP3j	:(dx\ԣKA;Ԡe
3+uPq[q-O
438+_B#5qǀeo6
{ne-Wp"7q{?ede|3a7|MϠ1RnV0Չ=Ow+z
'%oON–,yǷz(&?^/[oS5OԄ闵}Xkv?T߷ԄE"$_ĉjc<:D $g=`+E--zїvA;yeDu+E--8nk8nE˨peq+jyhqgpVݚmcsK;WEiK?ME=M`5Mi*N؜5;wzW͚[t[b܉6$[^Cj@Z-ò3pֹ6~6:_ ӘM-N|uM73Z[4'֭3/ϏuQ-ùfZIZrDv^d=ch
j$E]d2-,U^㝃KRmrniec:	1vN팆߆Mq2n]F?To#z`@έ&hZ}4.md_"Ox%Sbu'7[}J?,:vIo9>^]>oAz7709\Ʊ\İ^͒_n{;:?6?oMwmSyVw$ghr(uPQV7n~+}v_ _/_qxҟJ߮۫+n[я+}ܿVԋf~0WWn,݂-kx0¼/mL_פ݊TݪT[wT?],zP<:LJiʻߎ1cFstS
ml[+<\
_]4pӋE;hf𗓐BvB-; t{wӽ8G+k^F`JvOtzz91uTLUZ\\}t+C$7`kử8mut-Zlq
QUZzo5ZEp`]Komk
׵,$k$c=4\riԚ=yz^hynI{9j~KrFF[
gE_|]&4EW}3OwO>؂V~=ekn_tMSkKG,>C 6kbm.W6__,ݼQ]?9;TF7W:bʦzw􇽩Too]
z8`OKl{tB沲̪RM
;UTgⵘozdkqkZM1CTYO|le]8Dر3z5ڑ.Ԫ]rIc׷6(QQ-Z.o+LzuK;im(x%[c=}6rb]pBJAb:랬=w4n/u=ԩvpU{)~<´̴;uP]Wn];ڡU'Aq{G'AQvjsöZذ]q':	isf~͛>d)5ZT^zF;S[Z>g6qzS
yR!_T~ꇸ~S[Vs=~FIuT7Vc^kpv^	u+&v*ݺJyX
`;S{*w*be%mR*Pgum7wsmWPϣ|:aOgFƄq>xh⮮yߢoѫd_⵸[VJ wg UM1Vw߻q୏OM&_n2m6&ނ]xZIɚKٸc]*)*qC{>U6pUѴl@ª6Dqe/\}v}5EF7~>Wkqqȟ7RA>]zT8;SF.o;hF9-8*F(/ceR.9B~-σ)ZjUio5+~z~6{?`صJ=*tЇΜܛCg];9;|+:'v}ac<_ګK:~uO{U~>>p;˻2ᗨ=62uͻc;Ҽi=&?#>C}3˜'dO莥DݭG=ęV18kw[Ϟ>|b;k5gN59Vwܨ}bu-=4\k0?To"n	Ʀ1zRJ=}֞NT=ϒ֞]m;Ѕ>Ɏ!хpAp6s8!0eN!.b>1q5p¶Lm\'0'XY??eۡ2KZIWbjzfU
LJNfZ`T$Klxt魭]ms{Vmkۍ:']IklG9/IAt[.`k/;ğ]La;O({`_dSa9DsArrǯԗy[~˿\TӫOo>
x?QLAOeOR+h)P=~:#	i㐶뷁u,-#]4n݇
<3*ӹ=Adže=۳uv}U:~u];Wjd9kCP]
I\ݪEc~rjW8 90q=_+[~?Q)qz8gR87V&v9&rIGmiXz5v-M-GQI_%qûDiN i`ZBUp,Jeh!RvUzdk*RX0>S1&C\3_WYʢUM*cW7fiQN@;[PcU닾]|nxals|N+	/ qz
.(b2Zٌvoz=hO֋QB5#}&U%ܘ;x*N%ehWkšҳ:?[
YӐJ4EQZol?\=ӥM3+I'Dzt٣^V6W]Lm%Qͩ_OKqWh[]m
	zBIh^|6:OcOlɺ'Pʼ4d}yw~
8o<5;HC3.+;mˮ'96"KǑH,bMekH&XS)쓝)!׺jXLnCb*BF$vIGǶ$~v).>ȟs
P,@wԾ5fo!},VɅ:R+myJAG\ob{:VWsmv2]iN~62Oq8nŴ{Kmu/zTlxn%_]KG1,1v,vtf~gOAv+,[]ak/k^]UŻh_bCl	KvA|lUmБ#3؟@inv	րޔ3^<o\OAj3OFfgv
FFfiE
sڀi'7Bw"~mnLTqʄ9U&z@?&J$tdb&wEvUx"LQ*ڌO1m2-Of#y!
G0
+laW!s#~$p~BCn֢~n<y B\$}mbrL8Acֈ~\zꃜg,lݿ+u
l־ﮡum#>Vݶ'TugX
ϰZ\ƝǮzىgX3,a3,gx]18\qJ&5.MjV0f(tvqT4@ɜ<:ԯaVr8g;y^5ߢ0'E6\yуjV޽&ϛ9v1oK#_w>x0{V7KVMfw(G3O,xOZ?*s
dÓ#v.3[-Kҝw{V;Ț(xC]H8hd7Ⱥb҇kenPYw&RT~lDXų`+~$77qř5p[lO5j@m'Yp/p7pzXzywxOͲt.U}Cy
gNnN;w~mv^9
pc4E
w֦c=&.Iz7W{ Uu-jx7]fN0wx#cEе6LCS>uY%fO;Y<'u˽9o?(7gQp/dys0q6!O&7oscGLsqB{C>w

x>XOo/s
6ewv=v'n6LpzvoWlr!	NSVG&+8lli`#H4<3B'm]"Z;|J=l*3cE$׎Y&
S`h<TFi3S%k.+hv!G@8Ekx
H)E˔5JI>3tLlh,GZSa3$i.;5%@\Y}eՕWV\YJW4GjGseQWF^qe+W]i{K}ՕO6F,8XJEMR̠R,ht$%)rcMa9
=hjtgFHS2T.K&aFRN+Ҙ^$fDH^`W1rK`&=
42gy#`]sY1 ;ґhIjqR"##PbeH_{7uF]0Q'z!pgac##C#!ld){#T% 4	Q@BCtDr/ @K9iI)GTtMPeʑZHK~@**G
lP9I@$#ZPB*GQo&@D",@t"eHD Q<@"HD# "Q	xzrD(eʕMkTʾѰqD=:*W@=DOC΁3ҒCT`0[(kNȡ3ΤO	jo$u(IW^CfKFJJ$SyܠE"1)Em+ʁ@:
6uȯ9U18{D#vXR|zŐr"kMze0@<@fFy6!k$Õ;LJd!
@-sdbHr"q.*9+
~9yUt^A
%Aa^B!"|6Һ HN/
)1it"737ȌsZӢF_bCdj뵒֐-T/9,ш9t.G]slKT(
g"G	D4<1z
2c C&aJirI4MHƨ'QKUi5"'Z=(
@DRh	v1IKܙ GC7J!Ts̼l5'TWQFGfʑboG/	8u˨D (PJ>MwRr4	MƖi1ى!:6,Iqlj@R7\9XL+<Ģ%6r"3iDMXSJԆ61)5,/4`!`!SYZ	-z-&{KpqYj YI‹74`s'%QUTS^T,fΞdI4##׳pP+uK62\c#cTQ9V+ ":A$`
BQvY
tNK@%Vym֤	UjD wJ|e[Ǥ\@KhpFFZ<΁ŧ+<A'g;%4&^nnHlX"xD>Noe2*ei8	$״$LOK&"OZqQXܰ,R{;T.r$u WQ[oi16g FʼnTyKA4p>MN$
1>K${>$#S]rF%C9oُ$tϊt8&l"Z9&T
枎%Z`AtϊtRJ| }5AFB!xO;'Բ@t,	:ִ
kw>c:[rId8#_{9I;7Cֲ* !XDAL98NOJIƝ KH2(+iph$qK*V	g(	.IF#A9%#D"a#8P!P9	$8-aqcr3``ZN(i&.Bp+H0'IsCd 3FvYfga+_0	J`!JIְFof;,_,[s$MFkap@:K2vgm_nmł"{Be.hfgYιtx:	ZM|B?+"M#mRta)d\[3^wY$  deŤId2nU*ox&,6'4"	HCF3Ҡі<(,JhHG=O,I*gMtYrg=Jwl"JXmq&rr>lw>IGEHDJˎ;ʻzQ>8yuէUf$ġ\Ã5ixQLJNjw~9+J:0!`bZf}b2JxJ؝ow}|]F
/5![S*.ow}6|Ry]*ȊYbH7@ķbݝwr6hKJGiʝw}Urdi!DQFb7Ȁ>dᝇ)[IkiєBDO|3c>s6PAriu97G6;d^QL,NCr{Dd*g|>i,hF^`"\h61I,$&ٝnϋn2m2	BI5V%&7YGry;w9>jCZ7`_*AA̱tEHx9	&HrNgKBZǍKr5jAr5RP;5:pĬNo(A9xg%c8ffȦE"qiʃ-7fҠTQҐ5<ؠŏ7mI(2aNbtg^i,7NN+H+.3OTPw/O%*ZR<+IEErƌL鸲I"!׸8vQy$P(1	˙68,5&3ROⲠh6
'^~SxhSqco2(dZ/u=dn%FKǷ	^U@yń&Q&F2t/PYl
3F'? -!!0v|{i#=Q*W%R]xy5Pf
DdJSͼu!:T~SP4)dy}6i!͔BSivx:Z3GK=إӅyINDԴlbGVNNMܩ\"͝9)e1ҜA4RNmTz
C(,9Dr*'2
ɑJfԓS&f"MeHKdpMPYt<'#v?heLpe.@Urg)T:Ep4s˰p._.| ^{d!N=c,FZU(BP=s!z%S$T$DjUB0	z@%>J3:\
d9#sy<%Izg!7DbAO!D1]NW`,BX"!sΎIbD3OrxjC//-rrl$)!X5
vxqA|IJAPLd>"/EZkUNq亮ZQhbќr("/EBP.nB{ 'rwbɋftHjT9{bN8*YŲ0>9cE'bv*
b;Tv!5j++i*a,ѹ1;\q`"^`i &)|4.TS;YYX!)4q&r@Q*K@;eN&1IiK\1H:+"MGʔR;Be

!Lk[΁i)e/Gz9bPB122hu`ғ*QEJxTx$M.pzT<hMtZ-XGNeĞ*.Hh5ڂ1&+[u1w"sS(ƍg=:)T!ʲ_2>pI>CKS$)5FD8GF;//e x2dPxu~chRs$i"rOkJU~88k9JE1 Z#-O1C !V4p]rZ|Ϟk>^tje4^٣,3$e>$͘:GBR4%yR8R0&Ò%T(q&E)&ń8X2;^yL5lDc").l(
4j1Bf8cs,%GGp	)ر5`+XT%4$rd/X%prF/S{ƹ7·LlchNy8$v"|]CʍRS)9$g"ȝ_wOO=1U6 c"}`ͥ;5feϔ!G
fC&A&
w8;IICbdg
^K&w|;Oex{*q0$UΙ!i@}Iw)RfCFOV%b.5S(6(Լ-9A&	2II[b'	2Y0DILd 4QmuQaUAOdYV;´$ORI%$iӒRjI$
]j*G9I+P9
u)M"8|{DҠ-K8Rd!{J*RGmd;vK)P軤:Ҍ+ԑTXeWS-IƖ%*%%UT3M
H&$J	EJ,}L1Vaf'דf0av"@NE3Q|`h|8J*	2;4}BHk[+ >Dž xTfZ$|Vjrc)oK1't-˙^j(4&Ig3F(~EiTD.#gYc	D}pd_7'\94LJ#$Hc&\Ӄ_sAp)ij
%3Ceqk@"+Je呦!m1i|os*ԑDID2F:˘֯T&#`ԁNyǒx**Iͩ<Ӫl$ q$[Y{8"ߟ"iE:{4)IN㍪Xs'}+ 	W<$XG Q1!_&@!g&ciP*]YiAH2$B+M,߽ٮ!0*7{sG
$-pl2.7iq-+Ա>ZjFtk9V+bK?z%ZI'JdN<Y29C0_"Kb>%D’OزOKX-萦*RHQ={j(QJ499?)&]C(\㎟PMrHecdoUsH&	qJ0VE_wdc`,YA;f	*A,v=7ҙDGiy9(Rf=<
5nIH2i&	p
Sҁǐ|8Nþ=/̕#l [䷓9ϑiSRNEme!r ӦNH>0)V9똭"/86NgFD2	xLy!iM啰qo9{NXT{4Z,n
Z<$|$$5%+%d%i.bMHVw2>g2Ș*d(BםϙHˡdjŗH@5{G;9394cpt*ۨT`.!W<,r0\ˬɨl&u],A$
}M۷il3LWIp$N5#pFc^	E8ԏXy:n1ﯞ%"Ė4*.Xasvjf(ڲ欟ݾ:Q#>2ɟ?J2g$1)qLڭ1yMO
(lH%P.ϨZ^JMC`1tslW1+bFvȀzJ;wUt~^V%~
6z[^owUn~fA]`:~^՞*,u}_*m>s,x:W^wzdW_:)G55@1YTu#Ķr
[ZX$m{-eTYcV2x	7Q{m'dĵ4+½ǚLرxUbd.gj.{503TLdy+W&mܽxd\)!nKb%y)xN&
}Yofۃ/6#>/ޏ!eaRHؙYfz:H8pYqId603~?}K3ټ̪y01sT^bT1UL}L=v_}ыZ3W{x
jSNӢ1x>BEdj^%(eopG>.eoPb۸F7Ik5D7x)S鋿qlپ㿠lˢϷab<[1Vk{SZ
,#
AWp'վzoe9m < ԵJ9c穸Рm <9sqYVE&^)jd9x+<3@
i%l?Y Ծ	͎=mU&=2yCףS~mgbUϒu*ZZjAx&v,.J̽LU GF(Zƞk
bRN
+#j#Y쀉kϴ
mꨛ|f5L]Vn[Έ.CjscĽU݌T' `pgnΔ,*&7F@]3!gE}TA@#!u97Ƨ*sg%qtb/u|3ɻWr
8d	ȗ9|_γ:1  _eA6Ȓ\(y	SH^	˂I2ECٝyyeOa*I~$}g\(
1R֕%KbGhåUX*3k4?ρy1er&&5cdj(?HZfhmٙ-]X^{zyzϿ霭Oi3%IS>P??WFV8LŜTwZ70LH9'pBPdrbm~V9:t'΄잎`mKQ=0	7bqL~mqPHJ!B
14H^N%=
S0MD
L0$p(i6I񽑷4ti{=|JA4((>(ix%m(bj.ZP,MA;
(Z)V)Bg
)PBopO$Rw
{{7
*bЪ&/@N3}\aWv 2K]Z09ohPpsѤ5@|L=j74;PRU22!CE!'0^Q^_H,i	Bv0fը^Y76,S 8:kJ.dO<	`
UOYg"X[PX/.ؾՔͶހ2ۙ:jSNaQ@Nqt޵N\Iڍ
쾚{#^z46(KlO:;d/ϼxCH
t+ժLF!V涊U|'1rDBW0(97{2SzT鶰wMtmX+cmB/7(kТ<Xs*`H"I}ޠUpO1`Ԋ	 fJgk%fiC&k,ywLbӬ+*>2&RϪf65amבK{[?AΧ%ƨ
6x|-4\*y%c뒵_ Uߚ^OT|NqLZei߳]f[m1Zwf39:ǬYF>w
r'^K.PDW9ۦG{Jy]y1̢.}*m&S
JB$0biA"Y'"xtEMs3.u?3k0xP~*Gqq8F~U,{+>6`BjK"#sE;v_OSslF6f[:%GT2jtiӨq+(:E7s̊Ehױug%:7wr҇VԪpű`FںM^4k^d槾>2iٺzD}[{ǹ-l~L^`"&:k*}LMPۻn1D6]X:OG&tA+*3F!9YΔw6tw}W}>=%Qb[;}i,fSxޛV}?ge3ࠀ5;آ,3=ςfNjBiN7 s3JZYdW/2lafg*Zg1^ }k;9Y|aJǙr߬	^]VuBe10'nw'kJr{6j#תH1*_-omkcfj{LsUzb$oO͇2f28<<<^HL[36@}qOwJwKj4-yS["%3]aː"_sJz"BQtM/aytlU$fMڻv1#
Ü8g־sߵmVmmYOfD\Q}+ƻV:]qc3˛௭,{1f^sIv*ȋWʺw˙4OKYfETq`]Mo-.O1>b(@t9Jgkk'f\x<9eQf@	2%0kxt{Lr?K19_^:hI/1$5L5[~	<1h^&0aYBce඿z#|iϙ]_hcdЮPyԽ5I)0Խ0C~^x̐Aca2Y
bNձLgL.7gs^Kc`Wj=s:A.cG'oYӥ%-4ѓKLu=T&SCX@"=
DsΰC
vj#k[`&1z]1
׳W#Sq,XsgL9<96	Yؗ2m'QNf
,c?/.^͂8sm*;)X;g	J̈og>d
@JNΞ99dÉR#f;X!ɢLI(y1e5!;וWZVf5MfPpW}??ޕuܺZa?:y[);oнTNo)^v
Z;{5s06,9;F1`asz&Č+N4ο7,DҴP>]dcShMAx$.0\).Y$3uPvqj0iF?5J0RKv-[ʝzgyܲLVyVւ6L[P9C3UGXڔ_e|,pYen+Ĕ>c ˣ#|dy:΋2q<.PڕAeV
y

rαfJ'`3LWs/+wןq2LCX+/uX}.-tbף\p.\])-%X,==L17KoW|WV\FϔxnÍ+x~'
߿ҎRĬ3މg,-T)Tf^#=Ӊ[&@5U.ZvM:C5	󉉅Bk`\`0t6bI?@G/hu99w
#Zi5L|G˄0qʟ囄!&j4fxyL=^E3lQO`T6k
rcbƕ	)8a`Ys@kڂTPCl}ܯ 4V4NRq,[΍xYK
_YnX:#8}@@y|[Ge8^o	Tz&Z6VYY3$`T+ԲjjXћ2|DcQW?fb⦿;`Xs/p0Zsq1Bv/$𴲛y11;˫)!u-=5kq<A*ԝy;"C&	\}6i߫_@*Qڻ.aR#ԌIUoS0?Ō<^q(XyYj޼Xܜ#.bs[^gWآ.G̟tO
$4"관}m, 8
0*PCY/ߞKe',i̓hU؄^z_lr!sƢ	tg1~Ա/3N{w[yўi,_h)MX`"fV곩U׾&7c7}-yfnE~>qVشUw*ݏy=kŦ5f幸*-FxZvWYשG]M
YP/1'gw=$ d-zuuU뱟߽&dUWk*T)k,`)Q{m@:X*nAccZ1znC-u"
>.8XyoKk)vJuf㏣obKO[CQ&d*SQ:jӨSHd<)	Ps{wfI]K$_.	G_>؜7(fHOeVuĪyv4	G/ KL'
2ye7_Fhks.L	T}=1z:gX-C;MwOK1?d̝>`K\tn/VK/x36H),f3s8]wO2]W?nJGmq:Xt5Zڮ?ɖU;qE9VEis]U&?Y}< 0 } (* ? GMP does the same for 0 and 1*)
    requires { writable r }
    ensures { value r sz + (power radix sz) * result =
              value x sz + y }
    ensures { 0 <= result <= 1 }
    ensures { forall j. (j < offset r \/ offset r + sz <= j)
              -> (pelts r)[j] = old (pelts r)[j] }
    writes { r.data.elts }
  =
    let ref lx = C.get x in
    let res = add_mod lx y in
    let ref i = 1 in
    let ref c = 0 in
    C.set r res;
    if (res < lx)
    then begin
      c <- 1;
      assert { radix + res = lx + y };
      while (i < sz) do
        invariant { 1 <= i <= sz }
        invariant { 0 <= c <= 1 }
        invariant { i = sz \/ c = 1 }
        invariant { value r i + (power radix i) * c =
                    value x i + y }
        invariant { forall j. (j < offset r \/ offset r + sz <= j)
                  -> (pelts r)[j] = old (pelts r)[j] }
        variant { sz - i }
        assert { c = 1 };
        lx <- get_ofs x i;
        let res = add_mod lx 1 in
        set_ofs r i res;
        assert { value r i + (power radix i) * c = value x i + y };
        value_tail r i;
        value_tail x i;
        i <- i + 1;
        if res <> 0
        then begin
          c <- 0;
          assert { res = lx + 1 };
          assert { value r i = value x i + y };
          break
        end
        else begin
          assert { radix + res = lx + 1 };
          assert { value r i + power radix i = value x i + y };
        end
     done;
    end;
    while i < sz do
      invariant { i = sz \/ c = 0 }
      invariant { 0 <= i <= sz }
      invariant { value r i + (power radix i) * c =
                  value x i + y }
      invariant { forall j. (j < offset r \/ offset r + sz <= j)
                -> (pelts r)[j] = old (pelts r)[j] }
      variant { sz - i }
      lx <- get_ofs x i;
      set_ofs r i lx;
      assert { value r i + (power radix i) * c =
                  value x i + y };
      value_tail r i;
      value_tail x i;
      i <- i + 1;
    done;
    c

  (** `wmpn_incr x sz y` adds to `x` the value of the limb `y` in place.
      `x` has size `sz`. The addition must not overflow. This corresponds
      to `mpn_incr` *)
  let wmpn_incr (x:t) (ghost sz:int32) (y:limb) : unit
    requires { valid x sz }
    requires { sz > 0 }
    requires { value x sz + y < power radix sz }
    requires { writable x }
    ensures  { value x sz = value (old x) sz + y }
    ensures { forall j. j < x.offset \/ x.offset + sz <= j ->
              (pelts x)[j] = (pelts (old x))[j] }
    writes   { x.data.elts }
  =
    let ghost ox = { x } in
    let ref c = 0:limb in
    let ref lx : limb = C.get x in
    let ref xp = C.incr x 1 in
    let ghost ref i : int32 = 1 in
    let res = add_mod lx y in
    C.set x res;
    if (res < lx)
    then begin
      c <- 1;
      assert { radix + res = lx + y };
      while (c <> 0) do
        invariant { 1 <= i <= sz }
        invariant { offset xp = offset x + i }
        invariant { pelts xp = pelts x }
        invariant { plength xp = plength x }
        invariant { min xp = min x /\ max xp = max x }
        invariant { i = sz -> c = 0 }
        invariant { 0 <= c <= 1 }
        invariant { writable xp }
        invariant { value x i + (power radix i) * c
                    = value ox i + y }
        invariant { forall j. i <= j < sz ->
                    (pelts x)[x.offset + j] = (pelts ox)[x.offset + j] }
        invariant { forall j. j < x.offset \/ x.offset + sz <= j ->
                    (pelts x)[j] = (pelts ox)[j] }
        variant   { sz - i }
        assert { c = 1 };
        lx <- C.get xp;
        assert { lx = (pelts ox)[ox.offset + i] };
        let res = add_mod lx 1 in
        value_sub_update_no_change (pelts x) (x.offset + p2i i)
                                             (x.offset + p2i i + 1)
                                             (x.offset + p2i sz) res;
        C.set xp res;
        assert { forall j. i < j < sz ->
                   (pelts x)[x.offset + j]
                   = (pelts ox)[x.offset + j] };
        assert { value x i + (power radix i) * c = value ox i + y };
        value_tail x i;
        value_tail ox i;
        i <- i + 1;
        xp <- C.incr xp 1;
        if res <> 0
        then begin
          c <- 0;
          assert { res = lx + 1 };
          assert { value x i = value ox i + y };
          assert { forall j. j < x.offset \/ x.offset + sz <= j ->
                    (pelts x)[j] = (pelts ox)[j] };
          break
        end
        else begin
          assert { radix + res = lx + 1 };
          assert { value x i + power radix i = value ox i + y
                   by power radix (i-1) * res + power radix i
                      = power radix (i-1) * lx + power radix (i-1) * c };
        end;
        assert { i = sz -> c = 0
                 by value x sz + power radix sz * c = value ox sz + y
                 so value ox sz + y < power radix sz
                 so 0 <= c <= 1 };
        done
    end;
    value_concat x i sz;
    value_concat ox i sz;
    assert { forall j. x.offset + i <= j < x.offset + sz ->
             (pelts x)[j] = (pelts ox)[j]
             by let k = j - x.offset in
                i <= k < sz
                so (pelts x)[x.offset + k] = (pelts ox)[x.offset + k]};
    value_sub_frame (pelts x) (pelts ox) (x.offset + p2i i) (x.offset + p2i sz)

  (** `wmpn_incr_1 x sz` adds 1 to `x` in place.
      `x` has size `sz`. The addition must not overflow.
      This corresponds to `mpn_incr_1` *)
  let wmpn_incr_1 (x:t) (ghost sz:int32) : unit
    requires { valid x sz }
    requires { sz > 0 }
    requires { value x sz + 1 < power radix sz }
    requires { writable x }
    ensures  { value x sz = value (old x) sz + 1 }
    ensures { forall j. j < x.offset \/ x.offset + sz <= j ->
              (pelts x)[j] = (pelts (old x))[j] }
    writes   { x.data.elts }
  =
    let ghost ox = { x } in
    let ref r :limb = 0 in
    let ghost ref c : limb = 1 in
    let ref lx : limb = 0 in
    let ghost ref i : int32 = 0 in
    let ref xp = C.incr x 0 in
    while (r = 0) do
      invariant { 0 <= i <= sz }
      invariant { i = sz -> r <> 0 }
      invariant { offset xp = offset x + i }
      invariant { pelts xp = pelts x }
      invariant { plength xp = plength x }
      invariant { min xp = min x /\ max xp = max x }
      invariant { r <> 0 <-> c = 0 }
      invariant { 0 <= c <= 1 }
      invariant { writable xp }
      invariant { value x i + (power radix i) * c
                  = value ox i + 1 }
      invariant { forall j. i <= j < sz ->
                  (pelts x)[x.offset + j] = (pelts ox)[x.offset + j] }
      invariant { forall j. j < x.offset \/ x.offset + sz <= j ->
                  (pelts x)[j] = (pelts ox)[j] }
      variant   { sz - i }
      label StartLoop in
      lx <- C.get xp;
      assert { lx = (pelts ox)[ox.offset + i] };
      let res = add_mod lx 1 in
      r <- res;
      ghost (if res = 0 then c <- 1 else c <- 0);
      assert { res + radix * c = lx + 1 };
      value_sub_update_no_change (pelts x) (x.offset + p2i i)
                                           (x.offset + p2i i + 1)
                                           (x.offset + p2i sz) res;
      C.set xp res;
      assert { forall j. i < j < sz ->
                 (pelts x)[x.offset + j]
                 = (pelts ox)[x.offset + j] };
      assert { value x i + (power radix i) * (c at StartLoop)
               = value ox i + 1 };
      value_tail x i;
      value_tail ox i;
      assert { value x (i+1) + power radix (i+1) * c =
               value ox (i+1) + 1
               by power radix i * res + power radix (i+1) * c
                  = power radix i * lx + power radix i * (c at StartLoop)
               so value x (i+1) + power radix (i+1) * c
                  = value x i + power radix i * res + power radix (i+1) * c };
      i <- i + 1;
      xp <- C.incr xp 1;
      assert { i = sz -> c = 0
               by value x sz + power radix sz * c = value ox sz + 1
                  so value ox sz + 1 < power radix sz
                  so 0 <= c <= 1};
    done;
    value_concat x i sz;
    value_concat ox i sz;
    assert { forall j. x.offset + i <= j < x.offset + sz ->
             (pelts x)[j] = (pelts ox)[j]
             by let k = j - x.offset in
                i <= k < sz
                so (pelts x)[x.offset + k] = (pelts ox)[x.offset + k]};
    value_sub_frame (pelts x) (pelts ox) (x.offset + p2i i) (x.offset + p2i sz)

  let wmpn_add_1_in_place (x:t) (sz:int32) (y:limb) : limb
    requires { valid x sz }
    requires { sz > 0 }
    requires { writable x }
    ensures  { value x sz + (power radix sz) * result = value (old x) sz + y }
    ensures  { 0 <= result <= 1 }
    ensures  { forall j. (j < offset x \/ offset x + sz <= j)
              -> (pelts x)[j] = old (pelts x)[j] }
    writes { x.data.elts }
  = let ghost ox = { x } in
    let ref c = 0 in
    let ref lx = C.get x in
    let ref i = 1 in
    let res = add_mod lx y in
    C.set x res;
    if (res < lx)
    then begin
      c <- 1;
      assert { radix + res = lx + y };
      while i < sz do
        invariant { 1 <= i <= sz }
        invariant { 0 <= c <= 1 }
        invariant { c = 1 \/ i = sz }
        invariant { value x i + (power radix i) * c =
                    value ox i + y }
        invariant { forall j. (j < offset x \/ offset x + i <= j)
                  -> (pelts x)[j] = old (pelts x)[j] }
        variant { sz - i }
        assert { c = 1 };
        lx <- get_ofs x i;
        assert { lx = (pelts ox)[offset ox + i] };
        let res = add_mod lx 1 in
        value_sub_update_no_change (pelts x) (x.offset + p2i i)
                                             (x.offset + p2i i + 1)
                                             (x.offset + p2i sz) res;
        set_ofs x i res;
        assert { forall j. i < j < sz ->
                   (pelts x)[x.offset + j]
                   = (pelts ox)[x.offset + j] };
        assert { value x i + (power radix i) * c = value ox i + y };
        value_tail x i;
        value_tail ox i;
        i <- i + 1;
        if (res <> 0)
        then begin
          c <- 0;
          assert { res = lx + 1 };
          assert { value x i = value ox i + y };
          break
        end
        else begin
          assert { radix + res = lx + 1 };
          assert { value x i + power radix i = value ox i + y };
        end;
      done;
    end;
    value_concat x i sz;
    value_concat ox i sz;
    assert { forall j. x.offset + i <= j < x.offset + sz ->
             (pelts x)[j] = (pelts ox)[j]
             by let k = j - x.offset in
                i <= k < sz
                so (pelts x)[x.offset + k] = (pelts ox)[x.offset + k]};
    value_sub_frame (pelts x) (pelts ox) (x.offset + p2i i) (x.offset + p2i sz);
    c

end
why3-1.6.0/examples/multiprecision/add_1/000077500000000000000000000000001440160026300202405ustar00rootroot00000000000000why3-1.6.0/examples/multiprecision/add_1/why3session.xml000066400000000000000000001456161440160026300232750ustar00rootroot00000000000000
















 
 
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
   
   
   
   
   
    
    
    
   
   
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
 
 
 
 
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
   
   
   
   
   
   
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
   
   
   
   
   
   
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
   
   
   
   
   
   
   
   
   
   
   
   
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
   
   
   
   
   
   
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
   
   
   
   
   
   
   
   
   
   
   
   
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
 
 
 
 
  
  
  
  
  
  
  
  
  
  
  
   
   
   
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
   
   
   
   
   
   
   
   
   
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
   
   
   
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
   
   
   
   
   
   
   
   
   
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
   
   
   
   
   
   
   
   
   
   
   
   
  
  
  
  
  
  
  
  
  
  
  
 
 
 
 
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
 
 



why3-1.6.0/examples/multiprecision/add_1/why3shapes.gz000066400000000000000000000360401440160026300227030ustar00rootroot00000000000000}[{
9 xa3/:uxd{_ȺefUV.jўRWe2d\ Ë?ܽ?_C1mCx+eOowƛ[:)ǘ~"/Ż>*{KYܞ\]Ӌwk~[L 6}ƛ_or6p[X=-Ŀ-%3׿}ծ[3?@_?~x\WShIX~wLЄ[tWLӧWulܹmmD?vCr/;!	wFM;VonοUW??F5)^$Ç~.r_u.E׷o߽]#}dya(1]/o9Bvnu.}Ļ3q!E
~$Pt~GB܅Ixϔ[GaBɃs~+DW`qZdV~r(ێMTUhrnT9wD75AWTNF6#1kyyr/Vf-؉>n4`'|aT^
ҏ{se8pNL#ɳF0{GفE	ho߿K,9l8ё߻Wk;t
3ǿ[>Ia6lė?Æo3o|W7HHעgL*ǾN{ɕMoe,}*G4IDCT-1d-5t)MAcnaY[baABL0q{XvLߴ3kjbDV#y>vajq?*7&Mt7D?c}^|"fT|!׊UK PFwiKf
PԃtG.}:RgG)F<ѧeϰ.#CG2L1~<	h
^W+/)XsО6qpy"x;6M
b6ܛ}?g&gctXێ.CV `?n@NdJ~^eh@-
(Kzʇ#?\y?
Y$8qз?ۯo9qK-OH;00l_C#M*Fql	
:Xu`i`'z>=LzyRV:~tqXWhбc3džyR6ءr;`t|c5Y
̹~h:t8?7XnȦVۯVIՕCPqbܤr{PIp{62+y!rxIZm i;^x;keZoY=1ZDki0^؏	G^u|09lDkZebVD^Ŀ?C:~tcXHѢ
:(<_Px=>}|eA
+f&18{,g4{UB:uhm+Z2y?Y1cУcOqZ仱ھwsxns&7FiIG<y&3gcpoN۝]Wj~_UPh++C-߽as?a^`U!`jܺyeoG4i.i)>=c1NjU:t0`r`2yܜQ|ӣ.5R0.5]4SσXj0{c~[ۏ	E6z&F6"91ks*:T\!T,NFѡCG_
SϿt@Ӂf9yq{
_a&L:|s09EbW$wrgm%xo{
l9jJ9lt|W	i'*!
{W艫bGN\?bGM?bBL\~KZ'iO}oz|{?,<|{,bW<őxvuǚ5k.k(;,dyrw0`Md1qbtȝ!7!&g!PEsCF'煖pYunIn=5'ƀqu>cSx9
P	G^=.LqJI5wTɯ3XFkEaf
;3QG;.{?(\ǕkUV5zlK"rtXG12̲	tM/篼,ߗLzs&=Nn*m3(VԧGZn!/&j9.@q\B|W|>T8|V'NyLDŽ	LX=4"Nct0ad9n-'4Y1cУcйB@}zq̳lty:<ѓn}~[&WV@upW—_<,VhqTbXIU `uk煖i:tn>=gN)jU:t0`r`2z;c3f9~zs	e%dW=szb}>E,e}ڑ#EGgWԏo<䜤:LXl΃YlLy[3˚t?O	M{=%n_SI".B6gRj8
YӾ|"p$irtgϔ[9ID:ijH'lȸKbO6eEؾ&Ο{(wf9pKH3ݠ1"u=g5Q|[3gy[IvpN:ߴ/,7 GxzN(z8hzX-,ddPoa̎lKXawBn.a4 ϳ!{\sH5{rш9ʈd|{0bp4b|f\q2\,M֭S8v^:}W`wcF:&tL=`
9#h8΄=㫲Oo	?kϠ@ޏv:
u((tn%WoIϦ%Q@%A@4|u%PGH3͜8$;Hyw-DC/QKP8^Mqø)jєSatH
l5a:mԙ'n<--c
ByPKޙVl	lNiO޼߻Io==`rAߟ;څMh(2SJuLtOA!j׊~]#'*Pz5Ct*mCɍ!)_Z#0N"yǞM߹Uí^{&pհp
ND%3\hNe)[UKڧbn7gE[G&уmޑ%+u5R믧ho߿o=WLJ	?yՂD3:V9ӆIͷ[4Sڲ<̡ȟZvbvhWy%kN9Cx'ps9ӸIŻ~V/y}(:Iթ!{sѳB7k9pfsӧ"Rfsy>i'g2wzbPy:3W˴ݰZ_uqd?Vy,VQ'=˫q]($M`$.rp{cv}ɬ!TNdO~dhsCb7Ǜ}G6'n{I?no6$}Oo7۷t@6zZ:­f\ͧ.qz\ƅqnIf81mݼƣvbtQ@゠Y#vL[[;Ygᴞ߬:ܞ'5dLx\qo5	h6!x|~<g|$zp駸1"wY.<:qHFϚssӹ5cEc)|ņ-Rm>9[Γܗ6mӦδ~ϵ~Lr|ш?Q#9xybf,r4/Os׬zck9w۬vt?&ry-lf2Kyw&(fc2u{7OՙNzOnZ?yszΡҾթOē:g気+(ಥK5}PG#k[POkڗ	q4]YIA-Y!鴸yEBI4ArY]4%t&6x_>,V8qm2#B&+aq,M2?r.ܸ_<2w6
=xN%%og֓yY׻'C'2䩉EtՓN8Xq]0SF\O>z7>p*7fZơXFp#Q-ì+{ӫ͘N/ͥت_3KZ_v:^7x?)9)kri)tY|pVq쩓1
m;H-?嚜LX0Λf1-iKvsiq_fZ|]na
]oKxy	Ei(j&.lVt5Nӡ^.XUeM/$ @hĜf)tf!b"f}0p{ԇJl?
0=ulX8_s[cB?Q\U+"ty!$3h$o*)t7a_1T
c6֑6WQ2\H(DKZR!ePIjBj)-2(3cueHcN/̍jA
@,l.ڲd,/܍RU\IRA+аP
!iQ0A&aK(x07oP(BKiM쳗MeCiӢfCD!;ͥ TU,t<'i0%t
=1Lx]A*d#9A`ͪ`NJՒBqD#`Tq*k-":J&bN9*h~ډR.+WeWhhQFnQFn(0SP!C
7nn ndF.F+[Jt~F7#Ȇh^nfX!)*/*֓Bg\>4%b.V*!Z$r]F
mrHWDX-,8Aɼ(OMhPҽ0(4_Vi:R1$]R([bf,I.J08?K١ŕJRP"[Hb5n W`!@	
)WWFkKYPfb8FKATvKMi!m
:ŚNJM0M*v%Vi$dx单6uZ7X8 pE7TU*ǥD/0T"U&Tu`Z
lFwM+!M(BRxv(MT\)*VClP\<ۺAWTeS+hK_Ὦ6X?Pu䋨5RIʜJq/q+8E
fgx
Qb4bW 
M(@c15x \O&Ii!XL`P	%}&@u`-	}3^
:b!9ӈ%Kh-VԘc1?uˉCDKduSNBgف
<%G5XZ10e0OU]3*ydl"$ʈa5+Ѳ^+X,Jgm,6z<*T#PcBÃjE@]Zb@#3|D[)`%䄋QDk2{9C؝Zr.oN;֦'#wD@!D$IDAʪ&Az!7#y$3|cp 
/~@Ƕ٧kpf.
p@=qh>fh0#n5mON#PJ[69vZumU*NB N3zƶy[-*1haAj;pq0aэzdr&Ga*D.^X?Y}92Ql 歰pL4?4yD6kЀo	mv{
;Np͈__^-,#xʐk8Kpz~#2ێ>tK)TvHxvsѴ
:AO6\p=8-Eȱ<~ C	u@AUjs(*T{+B[p^^~O"AG6KO/	P8:Fu5{wN Tx<4tCh!AԄ(J
`ǑGϮ۶fH"n(#>g/*[\#d$x&<~h@<옗
F KͳϖܪT֋BOIjCAT?@={2xxB
m]966['5jٝ
qK>HSޤj2{29*畦ؘa"$x><>'f	őF/`\5 
4nLvF^#mpǠmC-ǐc $9,ՔLKVm'hY4is'vA|+%dǥpR$r)#vc"?_*Slٗz,h/c$[YÀ,b6i2(NIגTWt!kp㸢)ٲI!r$2(tJ"pӒM|z(xBЭYI"eyZ)Vd*94Dʩ,M7yNdWtRʆW_¯(x1_nUc}DOu]j%l9Fxfr
&CO:5AEQjxA?'wE<
Ulwq+VZEGepTj%-lMѩuE"aRԭsGk,EmYĜmHq7=;OYTTG״`p6[7nr<|`j.R:cv)y$Fܐ<Z2tM6Z]gz^1{r*!JTޥVAA<.Ao'SϏYd-*w4lQZIhVgi|N1'{9wNc:s%5o9ijCT	>fz3rT7J޹7ݩDʖaA> Q§("WxcfB(؄iybxx)ɷM2:I%ͫ
+aX(&WH֌`?1"*ʚ	9RA2j9=	׀-lOQ7喤F!
4%>~WOPwHUl|q>ĊK
1-0L7E+
юse|2+1OJQtUTC."0
ƍķA>}k#F5;$5Zyٿ:XJ&_-t̹*}	CRA(a]	)>D9"!\JJﵬ.khB޻&zN5M
HU"xgӆ^_i|,!/U̗wXnrhp"	=2
{zNCTl9|iټE
|ӳ6M>P%ɣ?+)c(VWST)@W'Sn;E|aK.&9 OXR:WmЅZ4貯QhD[^!R%k-j僁Ѿ))+O(^uO`Hl
!Aceī4۰Y(iMNS^te4ƫL"82E̡Qj!gt;?3ٓ BL%RfN'2KN(J*d<3|ZӉĶDעj=@c7Fd <MI}C	9ي[u-'!yHx`lCp݉U:S&y*!$33D̆i9-br28r< 	o;5P.tC}ī3j΀Gb@Y'F"KM(.QHi#3Q#`ӥ*Uj$r	ى-|gģh*Ή7OUS38By&hGt<>Di3Jq6
MJ*'0ҙ
\OUSU!u&I3rb<(d8R(6댨Si«:S+IGXj,z_<25`	RlFSHoy亖~\k)kT%]mPf5oF
Y0.%l".:ou-4GK=N2zŦ}j<[fv]45bpDi$e%ŧnǢQ"裉	kx,Zh+"jhW_&9)qnF?E׵.z/I]rr(mE%
	3&EƒlL8#4zlk
4giG|ȼbD'Rv!"M釲j=Y_WCC]ɬe\C-ms]z׵T獠L"9b_muJG׋Bt@xQ
&dav-YX|="BIój] V DoUXV&Zn(h[KGvR`#&Zb֧$Q8%m7>Q52DƔX3l7ѿ>]7Jt|1\HcJ!ml~ѽZnьڹu+B{{ze$b5CVƨ4>}V2@.󾷁w:6ې>3n@ۉ0Vejն,kC22;[FdHo͉«DCu![ܲ6euP#'ZIn4j߆1VK.x. N睵QԣMPӇ DLTCkFĻQ<>NGUy]_LVUStgi{EFI+ 
݌`(8o/~wtgZ7#ԍ)Pt%K(:hs=}(Z9iߤ7
ec\=wlw,Bjpi)=}k\jUXrD!us܊5JCZՖ@kt0Шf|맞xj-|Z|n-g
Wm"›(Rp-dG)mud+qwhy3-1.6.0/examples/multiprecision/base_info.mlw000066400000000000000000000064141440160026300217430ustar00rootroot00000000000000module BaseInfo

  use int.Int
  use int.Power
  use mach.int.UInt32
  use mach.int.UInt64
  use types.Types
  use logical.Logical
  use int.ComputerDivision

  let wmpn_base_power_of_two_p (b:limb) : uint32
    requires { 2 <= b <= 256 }
    ensures  { 0 <= result <= 8 }
    ensures  { result <> 0 -> power 2 result = b }
    ensures  { result = 0 -> forall n. 0 <= n -> power 2 n <> b }
  = assert { power 2 5 = 32 };
    assert { power 2 6 = 64 };
    assert { power 2 7 = 128 };
    assert { power 2 8 = 256 };
    assert { forall n. 9 <= n -> b <= 256 < power 2 n };
    if b = 2 then 1
    else if b = 4 then 2
    else if b = 8 then 3
    else if b = 16 then 4
    else if b = 32 then 5
    else if b = 64 then 6
    else if b = 128 then 7
    else if b = 256 then 8
    else 0

  type wmpn_base_info =
    {
      ghost b : int;
      exp : uint32;
      bb : limb;
    }
  invariant { 2 <= b <= 256 }
  invariant { bb < Limb.radix <= bb * b }
  invariant { 7 <= exp <= 63 }
  invariant { bb = power b exp }
  by { b = 2; exp = 63; bb = 0x8000_0000_0000_0000 }

  let rec lemma pow_compat (b1 b2 e:int)
    requires { 1 <= b1 <= b2 }
    requires { 1 <= e }
    ensures  { power b1 e <= power b2 e }
    variant  { e }
  = if e = 1 then ()
    else begin
      pow_compat b1 b2 (e-1);
      assert { power b1 e <= power b2 e
               by power b1 (e-1) <= power b2 (e-1)
               so power b1 e = power b1 (e-1) * b1
                  <= power b2 (e-1) * b1
                  <= power b2 (e-1) * b2
                  = power b2 e }
    end

  let wmpn_get_base_info (b:limb) : wmpn_base_info
    requires { 2 <= b <= 256 }
    ensures  { result.b = b }
  =
    let m = 0xffff_ffff_ffff_ffff / b in
    assert { m * b < radix };
    assert { m * b + b >= radix
             by let r = mod 0xffff_ffff_ffff_ffff b in
             0 <= r < b
             so 0xffff_ffff_ffff_ffff = m * b + r
             so radix = m * b + r + 1 <= m * b + b };
    let ref p = b in
    let ref exp = 1 in
    while (p <= m) do
      variant { m - p }
      invariant { power b exp = p }
      invariant { 1 <= exp <= 64 }
      assert { p * b < radix
               by p * b <= m * b
                  <= 0xffff_ffff_ffff_ffff
                  < radix };
      p <- p * b;
      exp <- exp + 1;
    done;
    assert { radix <= p * b
             by m + 1 <= p
             so radix <= m * b + b = (m+1) * b <= p * b };
    assert { exp >= 7
             by 256 = power 2 8
             so power b 7
             <= power 256 7
             = power (power 2 8) 7
             = power 2 56 < radix };
    { b = uint64'int b; exp = exp; bb = p }

  let wmpn_limb_size_in_base_2 (u:limb) : limb
    requires { u > 0 }
    ensures  { 1 <= result <= 64 }
    ensures  { power 2 (result - 1) <= u < power 2 result }
  = let shift = Limb.of_int32 (Limb.count_leading_zeros u) in
    let r = 64 - shift in
    assert { power 2 (r-1) <= u < power 2 r
             by power 2 shift * u <= radix - 1 < 2 * power 2 shift * u
             so power 2 shift * u < radix <= 2 * power 2 shift * u
             so power 2 shift * power 2 r = radix
             so power 2 shift * u < power 2 shift * power 2 r
             so u < power 2 r
             so power 2 shift * power 2 r <= power 2 shift * (2 * u)
             so power 2 r <= 2 * u };
    r

endwhy3-1.6.0/examples/multiprecision/base_info/000077500000000000000000000000001440160026300212155ustar00rootroot00000000000000why3-1.6.0/examples/multiprecision/base_info/why3session.xml000066400000000000000000000465611440160026300242510ustar00rootroot00000000000000








 
 
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
 
 
 
 
  
  
  
  
  
  
  
  
  
  
  
  
 
 
 
 
  
  
  
  
  
  
  
  
  
  
  
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
  
  
  
  
  
 
 
 
 
  
  
  
  
  
  
  
  
  
  
  
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
  
  
  
  
  
  
  
  
  
  
   
   
   
   
   
   
   
   
   
   
   
   
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
  
  
  
  
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
 
 
 
 
  
  
  
  
  
  
  
  
  
  
  
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
  
  
  
  
  
  
  
  
 
 



why3-1.6.0/examples/multiprecision/base_info/why3shapes.gz000066400000000000000000000121621440160026300236570ustar00rootroot00000000000000\[o9~_I ,ְe׀c;a;URtd3NZI,sw(fOfٛv-G*
ZO7.Y$4CM:jxql\h5yfVu-FDMMOKSzuzqtuijy1~L7[;1de5eS5S67fpu&/3vw5ft|Ac_||]
Ds6V_Y昳kQϨ|u't7k{{$mg
GQGXt^+,԰lo>^6wLuoo=C9;
V/.].<w@qk:?~joÚ8,XýZAf`~C'G	:|
%hy5
5>	
0*I
5ZSKmN+So¶jxCbzeR,|~8ÿ3_s.aw	o@*V&&*F'Rb_G?OfoJw>{Ȯhp/xyQ}(}	KJ}j4NJ1/t?M~7J<o7Dv-^p_ZM.	ILf@B}sO~V_%_mZ3dͅ\c?ʚ3f~ZiڗgPc^EM~i&5-ԴȗdT Um>=?|>fRM!%W5ޖ2Ŧoi2Ad~tZV )4hXņGi-:[|eU\`-g~ۇ[f-}5#Ro6Ӡ>-$62ν%
#}p#98{"Kde8'=Y9xm]/?>}zk\ޠiAhWTIɡS.Zі4ljΘr1Nv&7vڏMl>Ga^mSv%oȋ͓6M尝A`EeZiw7[	\`H
&L
@&#e_(+f_{OPsVJmdFtw~|_~m|8Upt@	
_'N?t'ppS">ܦlg)_YZj#O8Ryɖs}-BNv-}wWd[nn$xut}6CXD]D>hcXh&ǡZ&cKy7tԢꑵl61%[zǟke ?".Q?%ho^'T'P5lgXq'Bh_<ŪNhO/m5?!nFjM!Ŭdfcv0e);(m~1bSt^ٝq:n$rRr7!z^Kߡ%mL;	Ef5oZj>㫾olGY`%kihں]
}	;aɑV)V{߾/p>9?n9>wr8<^i5ԙoH7[djYn-vUZ)yMyܘ7'L7	M*8z=7{ݴ~:$tΏȿ~Վc~J>t{N6cQ3nLϟBd0))M+YYwzpNա"~>uKfL9ҵ/|хOJJa|4ݣҷNߡ:tSjkKD]I&K5#ۦK3an;O-8ʂ&TWmd?oqơU?HV4kYombȮd/כehȼXa3l҈BRBs\Tʌ_NTrT‹!DT$oM_a.[Jv2D2!$:-Gg'(8BeB9[鋌.erIT)xY[Q.sN*{T1JNJTt+.{
mhrB:b)7q
Yjǒ̐*Ei(9x=Y%TYSJQM`K.,K	s)ɧ(Pc
	Yg*V)q/%\{SVVXˊEQЧZB)mn0IGikɻTu!MZA	d	hӝ@ejX2m&Ii#I0$N/fI)s@s^&qFDa;adRļBt@4SZ\3Ɛ(Džc;ng]K{-__Ku-el]_uT1GF8mϊ.B1TBqgSȬ~G͢=
&!U	vdgW.8fJl+YP2"
IG6v X`D%j>%E !lCB!Poss6 HZLDr@:k=(Ha.iPWpd\nBQ*.f*c6T8'͕n\nت @B+bqPd )iiQ8"@rUbZCH	?J-/4ʵֈo9L{hPTD2ؓݞUgX~4)!-%gRZɤB:+Dy
6dٞy.);AR'1.GdC]҄BQ/FiJp31>!,1'xgة"ls-N71`
}Fa5x)	%M40xņbVh|5
YCOSȡ14ds'v*aruc4IA6,][޴̭K)r(;|\犃QI$%"iPKR*UBR_[um~5f̀X^4.Z٧X Di]aE(-Rjj	M(d̟BFcOFBao*IîWN:ȓcXAtP($M U瓪`񖍵()[D
zp>'jOE`	eH&xklX>-	e)k34jgS1g>[ơIighDWT$J5hcJ*ЙskֺjF(\$,ωT*j_$L"2DhUAbAnhzLFB@χVJZ34Kay,d֋I93'=OHMPMmAM!j*G}%XJ+e_K[&X$J9Z:t1+OAa_T5QQaZo`wzhS}t}؇`W j-!,X?>	r-H=G8Q ْ`킑BzPwޘMpoE:uT3THeLzjAJ, Ӡ
jmEXi}4( )mU(=
A̞Ym"'y˃z%I<SENh%.jC.6?9WaNR_`zK)Sh\#C#VB˙FG[j@dV0Q/
}#ʀ4"&
yJ"'y&u@;Em+d0v/UM|why3-1.6.0/examples/multiprecision/binverttab.ml000066400000000000000000000012331440160026300217610ustar00rootroot00000000000000open Printf

let inverse x =
  let rec loop t t' r r' =
    if r' = 0 then
      if t < 0 then t + 256 else t
    else
      let q = r / r' in
      loop t' (t - q * t') r' (r - q * r')
  in
  loop 0 1 256 x

let () =
  printf "/* binverttab[i] is the multiplicative inverse of 2*i+1 mod 256,\
\n   ie. (binverttab[i] * (2*i+1)) %% 256 == 1 */\n";
  printf "const unsigned char binverttab[128] = {\n";
  for i1 = 0 to 15 do
    printf "  ";
    for i2 = 0 to 7 do
      let i = i1 * 8 + i2 in
      let inv = inverse (2*i+1) in
      assert (((2*i+1) * inv) mod 256 = 1);
      printf "0x%02x," (inverse (2*i+1));
    done;
    printf "\n";
  done;
  printf "};\n%!"
why3-1.6.0/examples/multiprecision/compare.mlw000066400000000000000000000055331440160026300214450ustar00rootroot00000000000000module Compare

  use int.Int
  use mach.int.Int32
  use import mach.int.UInt64GMP as Limb
  use int.Power
  use ref.Ref
  use mach.c.C
  use map.Map
  use types.Types
  use lemmas.Lemmas

  function compare_int (x y:int) : int =
    if x < y then -1 else if x=y then 0 else 1

  (** `wmpn_cmp` compares `x[0..sz-1]` and `y[0..sz-1]` as unsigned integers.
      It corresponds to `GMPN_CMP`. *)
  let wmpn_cmp (x y:t) (sz:int32) : int32
    requires { valid x sz }
    requires { valid y sz }
    ensures { result = compare_int (value x sz) (value y sz) }
  =
   let ref i = sz in
   while i >= 1 do
     variant { i }
     invariant { 0 <= i <= sz }
     invariant { forall j. i <= j < sz ->
                 (pelts x)[x.offset+j] = (pelts y)[y.offset+j] }
     assert { forall j. 0 <= j < sz - i ->
              let k = i+j in
              i <= k < sz ->
              (pelts x)[x.offset+k] = (pelts y)[y.offset+k] /\
              (pelts x)[i+x.offset+j] = (pelts y)[i+y.offset+j] };
     value_sub_frame_shift (pelts x) (pelts y) (p2i i+x.offset)
                           (p2i i+y.offset) ((p2i sz) - (p2i i));
     let ghost k = p2i i in
     i <- i - 1;
     assert { 0 <= i < sz };
     let lx = get_ofs x i in
     let ly = get_ofs y i in
     if (not (lx = ly))
     then begin
          value_sub_concat (pelts x) x.offset (x.offset+k) (x.offset+p2i sz);
          value_sub_concat (pelts y) y.offset (y.offset+k) (y.offset+p2i sz);
          assert { compare_int (value x sz)
                     (value y sz)
                 = compare_int (value x k) (value y k) };
          value_sub_tail (pelts x) x.offset (x.offset+k-1);
          value_sub_tail (pelts y) y.offset (y.offset+k-1);
          if lx > ly
          then begin
           value_sub_upper_bound (pelts y) y.offset (y.offset+k-1);
           value_sub_lower_bound (pelts x) x.offset (x.offset+k-1);
           assert { value x k - value y k =
                    (lx - ly) * (power radix (k-1))
                  - ((value y (k-1)) - (value x (k-1))) };
           assert { (lx - ly) * (power radix (k-1))
                    >= power radix (k-1)
                    > ((value y (k-1)) - (value x (k-1))) };
           return 1
          end
          else begin
           assert { ly > lx };
           value_sub_upper_bound (pelts x) x.offset (x.offset+k-1);
           value_sub_lower_bound (pelts y) y.offset (y.offset+k-1);
           assert { value y k - value x k =
                  (ly - lx) * (power radix (k-1))
                  - ((value x (k-1)) - (value y (k-1)))
                   };
           assert { (ly - lx) * (power radix (k-1))
                    >= power radix (k-1)
                    > ((value x (k-1)) - (value y (k-1)))
                   };
          return -1
          end
       end
     else ()
   done;
   value_sub_frame_shift (pelts x) (pelts y) x.offset y.offset (p2i sz);
   0

end
why3-1.6.0/examples/multiprecision/compare/000077500000000000000000000000001440160026300207165ustar00rootroot00000000000000why3-1.6.0/examples/multiprecision/compare/why3session.xml000066400000000000000000000144011440160026300237360ustar00rootroot00000000000000









 
 
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
   
   
   
  
  
  
  
   
   
   
   
   
   
  
  
  
  
  
  
  
  
  
  
  
  
  
  
   
   
   
  
  
  
  
   
   
   
   
   
   
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
 
 



why3-1.6.0/examples/multiprecision/compare/why3shapes.gz000066400000000000000000000053271440160026300233650ustar00rootroot00000000000000][o8~ׯ@:H,:clsY;m!Ē,ɞiZ$E}?m,>fusB.'vu}|mY)ymYuL\~WS{g5onnvwnuf}&MkI+Z鶕cq+.~O}w:ftmD((%9DC`䳌=Pk0tg&?އa&w
f*}s7C4^]n>ݢe2Bx|pF}Kc|5Hg=Cw'!}::,}!+~bZ@IZq(%>%>@9
9h1tv#Z.^pqO+gKaW랷fT"U"U"uDwDD-1˱T}oC&&&!*D+ 5qv.4}7hrdooĵ]۰D*L8R*&+bR*ˆJة+9*b\dEYa9m= _pRBm!=md=ƬG6^*SULe  ,[F]*/!U@Ta""ȑVJ3B% +KrQQ:z]bw{yW$UIT@V!E#v@2x2-Ёh^ʡ{XGWiVmJr}Gl`;l{axhz@!MئK6ƚ.񸣇ؐu2;9̣Խ
LV~ǃh"U{j)PG!'KdoM=;OϱunoiO nEՓ'UOޚ4fru{}nQDJJJ7Fമ#T)y''`)U%JH7.!˿
Ň7έ_	ŧƟm򣇌|TRM	H}h?40Cښ>4@+o:O^y;լPt>Hh
y]UγrF8պ*&UL1e222
2~t4¯.!TAyk8zGQ+-Ň7uKCvxNzw;;C
ϱ;᝗wx/+/!u8<<<<:nob?*W*2%S{I&! >{&ϡ"lV{oeQ9o){yUvoHtw]ixN_r<$/91,3W޿tobI&t~K_w~dN~)OIeKٴdA?.VT?<ݩTJö
ꇜشM!:ݩr=M~hru~FZ-[=jeҋӌWu$RIJ"~o'Os= Mc@&MEg-%^0zicl2(
!@ Z3QI#S,9i3^,p*:p)pkhqF(HJu4.@Ъ;.8b1NZspR"(
1 x-xa&pqQ@OL
y&i4!a|#/GIpA$$jL%J) &
ި<
T*@uyFFhS˜D ˭!K%(u\јtD7D٤%<̀9{C8g-"%pz0-J$ӑT%1L6Ij%t1J2z]Pr0_bc$gLC#Tgsx	@ڹhfIʣt#)èjgB/QfS?Tkfd2Ҹb'^cy/#Εa})S;t4QlB7$XRbJ<4@r	 %xV37pLbȘjG&AEn
8q2Mv[VFIÞL14
d5ATbMD \hL^y)$,wl!&01Gt
9#[ǨuS!hk0,_8\xvaq@Bl4:,A"-"uAlA*A\UΡjJ$engf2ZC#4@fLqI DΨwhӒ){ID}zwhy3-1.6.0/examples/multiprecision/div.mlw000066400000000000000000006254511440160026300206100ustar00rootroot00000000000000module Div

  use int.Int
  use mach.int.Int32
  use import mach.int.UInt64GMP as Limb
  use int.Power
  use ref.Ref
  use mach.c.C
  use array.Array
  use map.Map
  use types.Types
  use lemmas.Lemmas
  use compare.Compare
  use util.UtilOld
  use add.AddOld
  use sub.SubOld
  use logical.LogicalUtil
  use logical.LogicalOld
  use int.EuclideanDivision

  (** Based on Niels Möller and Torbjörn Granlund, “Improved
      division by invariant integers” 2010 *)

  use int.MinMax as MM

  predicate reciprocal (v d:limb) =
    v = (div (radix*radix - 1) (d)) - radix

  let lemma fact_div (x y z:int)
    requires { y > 0 }
    ensures { div (x + y * z) y = (div x y) + z }
  =
    assert { div (x + y * z) y = (div x y) + z
             by x + y * z = y * (div (x + y * z) y) + mod (x + y * z) y
             so mod (x + y * z) y = mod (y * z + x) y = mod x y
             so x + y * z = y * (div (x + y * z) y) + mod x y
             so x = y * div x y + mod x y
             so x + y * z = y * div x y + mod x y + y * z
             so y * (div (x + y * z) y) + mod x y
                = y * div x y + mod x y + y * z
             so y * (div (x + y * z) y) = y * div x y + y * z
                                        = y * ((div x y) + z)
             so y <> 0
             so div (x + y * z) y = div x y + z }

  let invert_limb (d:limb) : limb
    requires { d >= div radix 2 }
    ensures { reciprocal result d }
  =
    let v = div2by1 Limb.uint64_max
                    (Limb.uint64_max - d)
                    d in
    fact_div (radix * radix - 1) (l2i d) (- radix);
    assert { v = (div (radix*radix - 1) (d)) - radix
             by
             radix - 1 + radix * (radix - 1 - d)
             = radix - 1 + radix * (radix - 1) - radix * d
             = radix - 1 + radix * radix - radix - radix * d
             = radix * radix - 1 - radix * d
             so
             radix - 1 + radix * (radix - 1 - d)
             = radix * radix - 1 - radix * d
             so
             v
             = div ((radix - 1) + radix * (radix - 1 - d)) (d)
             = div (radix * radix - 1 - radix * d) (d)
             = div (radix * radix - 1) (d) - radix
           };
   v

  (** Divide a two-word integer by a one-word integer given the
  reciprocal of the divisor. *)
  let div2by1_inv (uh ul d v:limb) : (limb,limb)
    requires { d >= div radix 2 }
    requires { uh < d }
    requires { reciprocal v d }
    returns { q, r -> l2i q * d + l2i r = ul + radix * uh }
    returns { _q, r -> 0 <= l2i r < d }
  =
    let ghost k = radix * radix - (radix + l2i v) * l2i d in
    let ghost u = l2i ul + radix * l2i uh in
    assert { 1 <= k <= d };
    let l,h = mul_double v uh in
    let sl,c = add_with_carry l ul 0 in
    let (sh,ghost c') = add_with_carry uh h c in  (*  =  +  *)
    assert { sl + radix * sh + radix * radix * c'
             = l + radix * h + ul + radix * uh };
    assert { c' = 0
             by
             uh < d
             so v * uh <= v * d
             so k = radix * radix - (radix + v) * d
                  = radix * radix - radix * d - v * d
             so v * d = radix * radix - radix * d - k
                              = radix * (radix - d) - k
             so k > 0
             so v * d < radix * (radix - d)
             so v * uh < radix * (radix - d)
             so l + radix * h = v * uh
             so l + radix * h < radix * (radix - d)
             so uh <= d - 1
             so radix * uh <= radix * (d - 1) = radix * d - radix
             so l + radix * h + radix * uh
                < radix * (radix - d) + radix * uh
                <= radix * (radix - d) + radix * d - radix
                <= radix * (radix - d + d) - radix = radix * radix - radix
             so ul < radix
             so l + radix * h + ul + radix * uh
                = l + radix * h + radix * uh + ul
                < radix * radix - radix + ul
                < radix * radix - radix + radix = radix * radix
             so sl + radix * sh + radix * radix * c'
                = l + radix * h + ul + radix * uh
                < radix * radix
             so radix * radix * c' <= sl + radix * sh + radix * radix * c'
             so radix * radix * c' < radix * radix
     };
    assert { sl + radix * sh = l + radix * h + ul + radix * uh
             = v * uh + ul + radix * uh
             = ul + (radix + v) * uh };
    let qh = ref (sh:limb) in
    let ql = ref sl in
    let ghost q0 = l2i !ql in
    let ghost cq = l2i sh + 1 in (*candidate quotient*)
    let ghost cr = l2i ul - cq * l2i d + radix * l2i uh in (*candidate remainder*)
    assert { cq * d + cr = u};
    qh := add_mod !qh 1;
    assert { !qh = mod cq radix };
    let p = mul_mod !qh d in
    let r = ref (sub_mod ul p) in
    let ghost r' = !r in
    assert { r' = mod cr radix
             by
             let a = (- div (!qh * d) radix) in
             r' = !r
             = mod (ul - p) radix
             = mod (ul - mod (!qh * d) radix) radix
             = mod (radix * a
                   + ul - mod (!qh * d) radix) radix
             = mod (ul - mod (!qh * d) radix
                           - radix * div (!qh * d) radix) radix
             = mod (ul - !qh * d) radix
             = mod (ul - mod cq radix * d) radix
             = mod (radix * (- (div cq radix)) * d + ul - mod cq radix * d) radix
             = mod (ul - (mod cq radix + radix * div cq radix) * d) radix
             = mod (ul - cq * d) radix
             = mod (radix * uh + ul - cq * d) radix
             = mod (ul - cq * d + radix * uh) radix
             = mod cr radix };
    assert { radix * cr = uh * k + ul * (radix - d) + q0 * d - radix * d };
    prod_compat_strict_r (l2i ul) radix (radix - l2i d);
    prod_compat_strict_r (l2i d) radix (radix - q0);
    assert { (* Theorem 2 of Möller&Granlund 2010 *)
             (MM.max (radix - d) (q0 + 1)) - radix <= cr < MM.max (radix - d) q0
             by radix * cr = uh * k + ul * (radix - d) + q0 * d - radix * d
             so (uh * k + ul * (radix - d) >= 0
                by uh >= 0 /\ k >= 0 /\ ul >= 0 /\ radix - d >= 0)
             so radix * cr >= q0 * d - radix * d
             so radix * cr >= - radix * d
             so cr >= - d
             so radix * cr >= q0 * d - radix * d = (q0 - radix) * d
             so radix > d
             so radix - q0 > 0
             so d * (radix-q0) < radix * (radix - q0)
             so (q0 - radix) * d > (q0 - radix) * radix
             so radix * cr > (q0 - radix) * radix
             so cr > q0 - radix
             so (let m = MM.max (radix - d) (q0 +1) in
                cr >= m - radix
                by (cr + radix >= - d + radix
                   /\ (cr + radix > q0 so cr + radix >= q0 + 1))
                   so cr + radix >= m)
             so 0 < k <= d so 0 <= uh < d
             so k * uh < k * d <= d * d
             so radix * cr < d * d + ul * (radix - d) + q0 * d - radix * d
             so ul * (radix - d) < radix * (radix - d)
             so radix * cr < d * d + radix * (radix - d) + q0 * d - radix * d
             so (radix * cr < (radix - d) * (radix - d) + q0 * d
                by
                d * d + radix * (radix - d) + q0 * d - radix * d
                        = radix * (radix - d) + d * d - radix * d + q0 * d
                        = radix * (radix - d) + (d - radix) * d +  q0 * d
                        = radix * (radix - d) - d * (radix - d) + q0 * d
                        = (radix - d) * (radix - d) + q0 * d)
             so let m = MM.max (radix - d) q0 in
                radix - d <= m
             so (radix - d) * (radix - d) <= m* (radix - d)
             so (q0 * d <= m * d by 0 <= q0 <= m /\ 0 < d)
             so radix * cr < (radix - d) * (radix - d) + q0 * d
                           <= m* (radix - d) + q0 * d
                           <= m* (radix - d) + m * d
                           = m * radix
             so cr < m
                           };
    assert { cr >= 0 -> r' = cr };
    assert { cr < 0 ->
           ( r' = cr + radix
             by cr >= MM.max (radix - d) (q0 + 1) - radix
             so cr >= - d
             so cr + radix >= radix - d >= 0
             so 0 <= cr + radix < radix
             so mod (cr + radix) radix = mod cr radix
             so r' = mod (cr + radix) radix ) };
    assert { cr < 0 ->
                ( !r > !ql
                by MM.max (radix - d) (q0 + 1) >= q0 + 1 > q0
                so cr >= (MM.max (radix - d) (q0 +1)) - radix > q0 - radix
                so r' = cr + radix > q0 - radix + radix = q0 ) };
    assert { 1 <= cq <= radix };
    assert { (!qh = cq \/ (!qh = 0 /\ cq = radix)
              by (1 <= cq < radix -> !qh = mod cq radix = cq)
              so (cq = radix -> !qh = 0) ) };
    assert { cq = radix ->
             (cr < 0
                by cq * d + cr = u
                so uh <= d - 1
                so 1 + uh <= d
                so ul < radix
                so u = ul + radix * uh
                     < radix + radix * uh
                     = radix * (1 + uh)
                     <= radix * d
                so u < radix * d
                so radix * d + cr = u
                so radix * d + cr < radix * d
                so cr < 0) };
    assert { 1 <= cq < radix -> !qh = cq /\ !qh * d + cr = u };
    if !r > !ql
    then
    begin
      qh := sub_mod !qh 1;
      r := add_mod !r d;
      assert { cr >= 0 ->
                  (!r = cr + d
                  by r' = cr
                  so r' < MM.max (radix - d) q0
                  so r' > q0
                  so 0 <= r' < radix - d
                  so d <= r' + d < radix
                  so !r = mod (r' + d) radix = r' + d) };
      assert { cr >= 0 ->
                  ( !r >= d
                  by r' = cr >= 0
                  so !r = r' + d >= d ) };
      assert { cr < 0 ->
                  ( !r = r' + d - radix
                  by r' = cr + radix < radix
                  so cr >= MM.max (radix - d) (q0 + 1) - radix
                        >= radix - d - radix = - d
                  so r' = cr + radix >= radix - d
                  so !r = mod (r' + d) radix
                  so radix + radix >= r' + d >= radix
                  so !r = mod (r' + d) radix = r' + d - radix ) };
      assert { cr < 0 ->
                  ( 0 <= !r < d
                  by r' = cr + radix < radix
                  so !r = mod (r' + d) radix = r' + d - radix
                  so !r >= 0
                  so !r = r' + d - radix < d ) };
      assert { cq = radix ->
                ( !qh * d + !r = u
                by cq * d + cr = u
                so cr < 0
                so r' = cr + radix
                so u = radix * d + cr
                     = (radix - 1) * d + d + cr
                     = (radix - 1) * d + d + r' - radix
                so r' = cr + radix >= MM.max (radix - d) (q0 + 1)
                   >= radix - d
                so radix + radix >= d + r' >= radix
                so !r = mod (d + r') radix = d + r' - radix
                so (radix - 1) * d + !r = u
                so !qh = mod ((mod cq radix) - 1) radix
                           = mod (-1) radix
                           = radix - 1
                so !qh * d + !r = u
               ) };
      assert { !r = cr + d by [@case_split] cr >= 0 \/ cr < 0 };
      assert { 1 <= cq <= radix ->
               ( !qh * d + !r = u
               by cq * d + cr = u
               so !qh = cq - 1
               so !qh * d + cr + d = u
               so !r = cr + d ) };
    end
    else
    begin
       assert { cr >= 0 };
       assert { 1 <= cq < radix };
    end;
    assert { !qh * d + !r = ul + radix * uh
            by [@case_split] cq = radix \/ 1 <= cq < radix };
    if !r >= d
    then begin
      assert { cr >= 0 };
      assert { !qh < radix - 1
               by
               !qh * d = ul + radix * uh  - !r
               so uh <= d - 1
               so ul + radix * uh - !r
                  <= ul + radix * (d - 1) - !r
                  = ul + radix * d - radix - !r
                  = (ul - radix)  + radix * d - !r
                  <  radix * d - !r
                  <= radix * d - d
                  = (radix - 1) * d
               so !qh * d < (radix - 1) * d
               so d > 0
               so !qh < radix - 1 };
      qh := !qh + 1;
      r := !r - d;
      assert { 0 <= !r < d };
      assert { !qh * d + !r = ul + radix * uh };
    end;
    assert { 0 <= !r < d };
    assert { !qh * d + !r = ul + radix * uh };
    (!qh,!r)

(** `wmpn_divrem_1 q x sz y` divides `(x, sz)` by `y`, writes the quotient
    in `(q, sz)` and returns the remainder. Corresponds to
    `mpn_divrem_1`. *)
(* TODO develop further decimal points (qxn) *)
let wmpn_divrem_1 (q x:t) (sz:int32) (y:limb) : limb
    requires { valid x sz }
    requires { valid q sz }
    requires { writable q }
    requires { 0 < sz }
    requires { 0 < y }
    ensures { value x sz
              = value q sz * y + result }
    ensures { result < y }
  =
    let msb = sz - 1 in
    let lx = ref 0 in
    let i = ref msb in
    let r = ref 0 in
    (*normalize divisor*)
    let clz = count_leading_zeros y in
    if (clz > 0)
    then begin
      let ghost mult = power 2 (p2i clz) in
      let ry = lsl y (Limb.of_int32 clz) in
      assert { ry = mult * y };
      let ghost tlum = power 2 (Limb.length - p2i clz) in
      assert { tlum * mult = radix };
      let v = invert_limb ry in
      while (!i >= 0) do
        variant   { !i }
        invariant { -1 <= !i <= msb }
        invariant { !r < ry }
        invariant { mult * value_sub (pelts x) (x.offset + !i + 1) (x.offset + sz)
                    = value_sub (pelts q) (q.offset + !i + 1)
                                          (q.offset + sz)
                      * ry
                      + !r }
        invariant { !r <= radix - mult }
        invariant { mod (!r) mult = 0 }
        assert { !i >= 0 };
        label StartLoop in
        lx := C.get_ofs x !i;
        (*TODO lshift in place would simplify things*)
        let l,h = lsld_ext !lx (Limb.of_int32 clz) in
        mod_mult mult (l2i y) 0;
        assert { !r + h < ry
                 by
                 let drm = div (!r) mult in
                 let dym = div (ry) mult in
                 mod (!r) mult = 0
                 so !r = mult * drm
                 so mod (ry) mult
                    = mod (mult * (y) + 0) mult
                    = mod 0 mult
                    = 0
                 so ry = mult * dym
                 so !r < ry
                 so 0 < ry - !r
                      = mult * dym - mult * drm
                      = mult * (dym - drm)
                 so mult > 0
                 so dym - drm > 0
                 so dym >= drm + 1
                 so h < mult
                 so !r + h = mult * drm + h
                    < mult * drm + mult
                    = mult * (drm + 1)
                    <= mult * dym = l2i ry };
        assert { !r + h < radix by
                 !r + h < ry < radix };
        let (qu,rem) = div2by1_inv (!r + h) l ry v in
        mod_mult mult (l2i y * l2i qu) (l2i rem);
        mod_mult mult (tlum * (l2i !r + l2i h)) (l2i l);
        assert { mod (rem) mult = 0
                 by
                 ry * qu + rem
                 = (radix * (!r + h) + l)
                 so
                 mult * y * qu + rem
                 = (mult * tlum * (!r + h) + l)
                 so mod (mult * y * qu + rem) mult
                    = mod (mult * tlum * (!r + h) + l) mult
                 so mult > 0
                 so mod (mult * (y * qu) + rem) mult
                    = mod (rem) mult
                 so mod (mult * tlum * (!r + h) + l) mult
                    = mod (l) mult
                    = 0
                 };
        let ghost mer = div (l2i rem) mult in
        assert { rem <= radix - mult
                 by
                 mod (rem) mult = 0
                 so mult * mer = l2i rem < radix = mult * tlum
                 so mult > 0
                 so 0 < mult * tlum - mult * mer = mult * (tlum - mer)
                 so tlum - mer > 0
                 so mer < tlum
                 so rem = mult * mer <= mult * (tlum - 1) = radix - mult
                 };
        r:=rem;
        assert { qu * ry + !r = l + radix * h + radix * (!r at StartLoop) };
               (* coerced div2by1 postcondition *)
        value_sub_update_no_change (pelts q) (q.offset + p2i !i)
                                   (q.offset + 1 + p2i !i)
                                   (q.offset + p2i sz) qu;
        C.set_ofs q !i qu;
        assert { mult * value_sub (pelts x) (x.offset + !i + 1) (x.offset + sz)
                    = value_sub (pelts q) (q.offset + !i + 1)
                                          (q.offset + sz)
                      * ry
                      + (!r at StartLoop) }; (* previous invariant is still true *)
        value_sub_head (pelts x) (x.offset + int32'int !i) (x.offset + p2i sz);
        value_sub_head (pelts q) (q.offset + int32'int !i) (q.offset + p2i sz);
        assert { l + radix * h = mult * !lx }; (*lsld_ext postcondition *)
        assert { mult * value_sub (pelts x) (x.offset + !i)
                                            (x.offset + sz)
                 = mult * !lx
                   + radix * (mult * value_sub (pelts x) (x.offset + !i + 1)
                                              (x.offset + sz))
                 by (pelts x)[x.offset + !i] = !lx
                 so value_sub (pelts x) (x.offset + !i) (x.offset + sz)
                    = !lx + radix * value_sub (pelts x) (x.offset + !i + 1)
                                              (x.offset + sz) }; (*nonlinear*)
        assert { value_sub (pelts q) (q.offset + !i) (q.offset + sz) * ry
                 = qu * ry
                   + radix
                      * (value_sub (pelts q) (q.offset + !i + 1) (q.offset + sz)
                        * ry)
                 by (pelts q)[q.offset + !i] = qu
                 so value_sub (pelts q) (q.offset + !i) (q.offset + sz)
                    = qu + radix * value_sub (pelts q) (q.offset + !i + 1)
                                              (q.offset + sz) }; (*nonlinear*)
        assert { mult * value_sub (pelts x) (x.offset + !i)
                                            (x.offset + sz)
                = value_sub (pelts q) (q.offset + !i) (q.offset + sz) * ry
                  + !r };
        i := !i - 1;
      done;
      let ghost res = lsr !r (Limb.of_int32 clz) in
      assert { value x sz = value q sz * y + res
               by !r = res * mult
               so mult * value x sz
                  = value q sz * ry + !r
                  = value q sz * y * mult + !r
                  = value q sz * y * mult + res * mult
                  = (value q sz * y + res) * mult };
      lsr !r (Limb.of_int32 clz) end
    else begin
      let v = invert_limb y in
      while (!i >= 0) do
        variant   { !i }
        invariant { -1 <= !i <= msb }
        invariant { !r < y }
        invariant { value_sub (pelts x) (x.offset + !i + 1) (x.offset + sz)
                    = value_sub (pelts q) (q.offset + !i + 1)
                                          (q.offset + sz)
                      * y
                      + !r }
        assert { !i >= 0 };
        label StartLoop in
        let ghost k = p2i !i in
        lx := C.get_ofs x !i;
        let (qu, rem) = div2by1_inv !r !lx y v in
        r := rem;
        value_sub_update_no_change (pelts q) (q.offset + p2i !i)
                                   (q.offset + 1 + p2i !i)
                                   (q.offset + p2i sz) qu;
        C.set_ofs q !i qu;
        i := !i - 1;
        value_sub_head (pelts x) (x.offset + k) (x.offset + p2i sz);
        value_sub_head (pelts q) (q.offset + k) (q.offset + p2i sz);
        assert { value_sub (pelts x) (x.offset + !i + 1) (x.offset + sz)
                    = value_sub (pelts q) (q.offset + !i + 1)
                                          (q.offset + sz)
                      * y
                      + !r
                 by (pelts q)[q.offset + k] = qu
                 so (pelts x)[x.offset + k] = !lx
                 so value_sub (pelts x) (x.offset + !i + 1) (x.offset + sz)
                    = value_sub (pelts x) (x.offset + k) (x.offset + sz)
                    = !lx + radix * value_sub (pelts x) (x.offset + k + 1)
                                                        (x.offset + sz)
                    = !lx + radix * (value_sub (pelts q) (q.offset + k + 1)
                                                         (q.offset + sz)
                                     * y + (!r at StartLoop))
                    = !lx + radix * (!r at StartLoop)
                          + radix * (value_sub (pelts q) (q.offset + k + 1)
                                                         (q.offset + sz)
                                     * y)
                    = qu * y + !r
                          + radix * (value_sub (pelts q) (q.offset + k + 1)
                                                         (q.offset + sz)
                                     * y)
                    = (qu + radix * value_sub (pelts q) (q.offset + k + 1)
                                                        (q.offset + sz))
                      * y
                      + !r
                    = value_sub (pelts q) (q.offset + !i + 1)
                                          (q.offset + sz)
                      * y
                      + !r };
      done;
      !r
    end


  predicate reciprocal_3by2 (v dh dl:limb) =
    v = div (radix*radix*radix -1) (dl + radix * dh) - radix

  let div3by2_inv (uh um ul dh dl v: limb) : (limb,limb,limb)
    requires { dh >= div radix 2 }
    requires { reciprocal_3by2 v dh dl }
    requires { um + radix * uh < dl + radix * dh }
    returns { q, rl, rh -> uint64'int q * dl + radix * q * dh
                           + uint64'int rl + radix * uint64'int rh
                  = ul + radix * um + radix * radix * uh }
    returns { _q, rl, rh -> 0 <= uint64'int rl + radix * uint64'int rh < dl + radix * dh }
  = [@vc:do_not_keep_trace] (* traceability info breaks the proof *)
    let ghost d = l2i dl + radix * l2i dh in
    let ghost u = l2i ul + radix * (l2i um + radix * l2i uh) in
    let q1 = ref 0 in
    let r0 = ref 0 in
    let r1 = ref 0 in
    let l,h = mul_double v uh in
    let sl, c = add_with_carry um l 0 in
    let sh, ghost c' = add_with_carry uh h c in
    assert { sl + radix * sh + radix * radix * c'
             = um + radix * uh + v * uh };
    assert { c' = 0
             by
             um + radix * uh < d
             so radix * uh < d
             so radix * radix * radix - 1
                = d * (div (radix * radix * radix - 1) d)
                  + mod (radix * radix * radix - 1) d
                >= d * (div (radix * radix * radix - 1) d)
             so radix * (um + radix * uh + v * uh)
                < radix * (d + v * uh)
                = radix * d + v * radix * uh
                <= radix * d + v * d
                = (div (radix * radix * radix - 1) d) * d
                <= radix * radix * radix - 1
                < radix * radix * radix
             so um + radix * uh + v * uh < radix * radix
             so sl + radix * sh + radix * radix * c' < radix * radix
             so radix * radix * c' < radix * radix
     };
    q1 := sh;
    let ghost q0 = l2i sl in
    let ghost cq = l2i !q1 + 1 in (*candidate quotient*)
    q1 := add_mod !q1 1;
    assert { !q1 = mod cq radix };
    let p = mul_mod dh sh in
    r1 := sub_mod um p;
    label CQuot in
    let ghost a = div (l2i um - l2i dh * l2i sh) radix in
    let tl, th = mul_double sh dl in
    let il, b = sub_with_borrow ul tl 0 in
    let (ih, ghost b') = sub_with_borrow !r1 th b in
    assert { il + radix * ih - radix * radix * b'
             = ul + radix * !r1 - sh * dl };
    let bl,b2 = sub_with_borrow il dl 0 in
    let bh, ghost b2' = sub_with_borrow ih dh b2 in
    assert { bl + radix * bh - radix * radix * b2'
             = il + radix * ih - dl - radix * dh };
    mod_mult (radix * radix) (uint64'int b')
             (uint64'int ul + radix * uint64'int !r1
                - uint64'int sh * uint64'int dl - uint64'int dl
                - radix * uint64'int dh);
    assert { bl + radix * bh
             = mod (ul + radix * !r1
                - sh * dl- dl
                - radix * dh) (radix * radix)
             by
             mod (il + radix * ih - dl - radix * dh) (radix * radix)
             = mod (radix * radix * (-b2') + bl + radix * bh) (radix * radix)
             = mod (bl + radix * bh) (radix * radix)
             = bl + radix * bh
             so
             bl + radix * bh
             = mod (il + radix * ih
                - dl - radix * dh) (radix * radix)
             so il + radix * ih
                = radix * radix * b' + ul + radix * !r1
                  - sh * dl
             so mod (il + radix * ih
                - dl - radix * dh) (radix * radix)
                = mod (radix * radix * b' + ul + radix * !r1
                      - sh * dl - dl - radix * dh)
                  (radix * radix)
                = mod (ul + radix * !r1
                - sh * dl - dl
                - radix * dh) (radix * radix) };
    r1 := bh;
    r0 := bl;
    let ghost r' = l2i !r0 + radix * l2i !r1 in
    let ghost cr = u - d * cq in
    assert {  r' = mod cr(radix * radix)
              by
              (!r1 at CQuot = mod (um - dh * sh) radix
                by let a' = div (dh * sh) radix in
                   dh * sh = p + radix * a'
                so !r1 at CQuot = mod (um - p) radix
                   = mod (radix * a' + um - dh * sh) radix
                   = mod (um - dh * sh) radix )
              so um - dh * sh = a * radix + !r1 at CQuot
              so !r0 + radix * !r1
                 = mod (ul + radix * (!r1 at CQuot)
                  - sh * dl - dl
                  - radix * dh) (radix * radix)
              so ul + radix * (!r1 at CQuot)
                   - sh * dl - dl - radix * dh
                 = ul + radix * (um - dh * sh - a * radix)
                   - sh * dl - dl - radix * dh
                 = ul + radix * um - radix * dh * sh
                   - radix * radix * a - sh * dl - dl
                   - radix * dh
                 = ul + radix * um - radix * dh * (sh + 1)
                   - radix * radix * a - sh * dl - dl
                 = ul + radix * um - radix * dh * (sh + 1)
                   - radix * radix * a - dl * (sh + 1)
                 = ul + radix * um
                   - (dl + radix * dh) * (sh + 1)
                   - radix * radix * a
                 = ul + radix * um - d * cq - radix * radix * a
                 = u - radix * radix * uh - d * cq - radix * radix * a
                 = cr + radix * radix * (- a - uh)
              so (*let y = - a - uh in*)
                 mod (ul + radix * (!r1 at CQuot)
                  - sh * dl - dl
                  - radix * dh) (radix * radix)
                 = mod (radix * radix * (-a - uh) + cr)
                       (radix * radix)
                 = mod cr (radix*radix)
               };
    let ghost m = MM.max (radix * radix - d) (q0 * radix) in
    assert { (* Theorem 3 of Moller&Granlund 2010 *)
             m - radix * radix <= cr < m
            by
            let k = radix * radix * radix - (radix + v) * d in
            reciprocal_3by2 v dh dl
            so let m3 = radix * radix * radix - 1 in
               (radix + v) * d = d * div m3 d = m3 - mod m3 d
            so (k = 1 + mod m3 d
                by k = radix * radix * radix - (radix + v) * d
                     = m3 + 1 - (radix + v) * d
                     = m3 + 1 - m3 + mod m3 d
                     = 1 + mod m3 d)
            so 1 <=  k <= d
            so q0 + radix * sh = (radix + v) * uh + um
            so cq = sh + 1
            so radix * cq = radix * sh + radix
               = (radix + v) * uh + um - q0 + radix
            so (radix * cr = k * uh + (radix * radix - d) * um
                 + radix * ul + d * q0 - d * radix
               by radix * cr = radix * (u - cq * d)
               = radix * u
                 - ((radix + v) * uh + um - q0 + radix) * d
               = radix * u - d * (radix + v) * uh
                 - d * um + d * q0 - d * radix
               = radix * u - (radix * radix * radix - k) * uh
                 - d * um + d * q0 - d * radix
               = (radix * radix * radix * uh + radix * radix * um
                 + radix * ul) - (radix * radix * radix - k) * uh
                 - d * um + d * q0 - d * radix
               = k * uh + radix * radix * um + radix * ul
                 - d * um + d * q0 - d * radix
               = k * uh + (radix * radix - d) * um + radix * ul
                 + d * q0 - d * radix )
            so (cr >= m - radix * radix
               by (
                  k >= 0 so radix * radix - d >= 0
               so uh >= 0 so um >= 0 so ul >= 0
               so  k * uh + (radix * radix - d) * um + radix * ul
                   >= 0
               so radix * cr >= d * q0 - d * radix
               so q0 >= 0 so d >= 0
               so d * q0 >= 0
               so radix * cr >= - d * radix
               so cr >= -d = radix * radix - d - radix * radix
               so radix * cr >= d * (q0 - radix)
               so (
                    (radix - q0) * d < (radix - q0) * radix * radix
                    by let rq = radix - q0 in let r2 = radix * radix in
                    rq > 0 /\ d < r2
                    so rq * d < rq * r2
                  )
               so d * (q0 - radix) > radix * radix * (q0 - radix)
               so radix * cr > radix * radix * (q0 - radix)
               so cr > radix * (q0 - radix) = radix * q0 - radix * radix
                  ))
            so cr < m
            by (
                let bbd = radix * radix - d in
                bbd > 0 /\ bbd <= m /\ q0 * radix <= m
                so (bbd * bbd <= bbd * m
                    by [@case_split]
                    (bbd = m \/ (bbd < m so bbd * bbd < bbd * m)))
                so (d*(radix * q0) <= d * m
                    by [@case_split]
                    (radix * q0 = m \/ (radix * q0 < m so d > 0 so d * (radix * q0) < d * m)))
                so if uh <= dh - 1
                then
                  let dm = dh - 1 in
                  uh <= dm
                  so
                  k * uh <= k * dm
                  so (k * dm <= d * dm
                     by k <= d /\ 0 <= dm
                     so [@case_split] (k = d \/ dm = 0 \/
                                     (k < d /\ dm > 0 so k * dm < d * dm)))
                  so k * uh <= d * dm
                  so
                  bbd * um <= bbd * (radix - 1)
                  so
                  radix * cr
                  = k * uh + (radix * radix - d) * um
                    + radix * ul + d * q0 - radix * d
                  <= d * dm + bbd * um
                    + radix * ul + d * q0 - radix * d
                  <= d * dm + bbd * (radix - 1)
                    + radix * ul + d * q0 - radix * d
                  < d * dm + bbd * (radix - 1)
                    + radix * radix + d * q0 - radix * d
                  so radix * radix * cr
                  < radix * (d * dm + bbd * (radix - 1)
                    + radix * radix + d * q0 - radix * d)
                  = d * radix * (dh - 1) + bbd * radix * (radix - 1)
                    + radix * radix * radix + radix * d * q0 - radix * radix * d
                  = d * radix * dh - d * radix + bbd * radix * (radix - 1)
                    + radix * radix * radix + radix * d * q0 - radix * radix * d
                  = d * (d - dl) - d * radix + bbd * radix * (radix - 1)
                    + radix * radix * radix + radix * d * q0 - radix * radix * d
                  = d * d - d * radix + bbd * radix * (radix - 1)
                    + radix * radix * radix + radix * d * q0 - radix * radix * d - d * dl
                  so (d * dl >= 0 by d >= 0 /\ dl >= 0)
                  so radix * radix * cr
                  < d * d - d * radix + bbd * radix * (radix - 1)
                    + radix * radix * radix + radix * d * q0 - radix * radix * d - d * dl
                  <= d * d - d * radix + bbd * radix * (radix - 1)
                    + radix * radix * radix + radix * d * q0 - radix * radix * d
                  = d * d - d * radix + bbd * (radix * radix - radix)
                    + radix * radix * radix + radix * d * q0 - radix * radix * d
                  = d * d - d * radix + bbd * radix * radix - (radix * radix - d) * radix
                    + radix * radix * radix + radix * d * q0 - radix * radix * d
                  = d * d - d * radix + bbd * radix * radix
                    + radix * d - radix * radix * radix
                    + radix * radix * radix + radix * d * q0 - radix * radix * d
                  = d * d + bbd * radix * radix - radix * radix * d + radix * d * q0
                  = bbd * radix * radix - d * (radix * radix - d) + radix * d * q0
                  = bbd * radix * radix - d * bbd + radix * d * q0
                  = bbd * bbd + d * (radix * q0)
                  <= bbd * m + d * (radix * q0)
                  <= bbd * m + d * m
                  = radix * radix * m
                  so cr < m
                 else
                  uh = dh
                  so
                  (um <= dl - 1
                  by um + radix * uh < dl + radix * dh)
                  so (radix * radix - d) * um <= (radix * radix - d) * (dl - 1)
                  so
                  ( radix * radix * cr
                    < radix * radix * m
                    - (radix - dl) * (radix * radix * radix - d * (1+ radix))
                 by radix * cr
                  = k * dh + (radix * radix - d) * um
                    + radix * ul + d * q0 - radix * d
                  <= d * dh + (radix * radix - d) * um
                    + radix * ul + d * q0 - radix * d
                  <= d * dh + (radix * radix - d) * (dl - 1)
                    + radix * ul + d * q0 - radix * d
                  < d * dh + (radix * radix - d) * (dl - 1)
                    + radix * radix + d * q0 - radix * d
                  so radix * radix * cr
                  < radix * (d * dh + (radix * radix - d) * (dl - 1)
                    + radix * radix + d * q0 - radix * d)
                  = d * radix * dh
                    + (radix * radix - d) * (dl - 1) * radix
                    + radix * radix * radix + d * q0 * radix - radix * radix * d
                  = d * (d - dl)
                    + (radix * radix - d) * (radix * dl - radix)
                    + radix * radix * radix + d * q0 * radix - radix * radix * d
                  = d * d - d * dl + radix * radix * radix * dl
                    - d * radix * dl + d * radix - radix * radix * radix
                    + radix * radix * radix + d * q0 * radix - radix * radix * d
                  = d * d - d * dl + radix * radix * radix * dl
                    - d * radix * dl + d * radix + d * q0 * radix
                    - radix * radix * d
                  = d * d - radix * radix * d + d * radix + d * q0 * radix
                    + dl * (radix * radix * radix - d - d * radix)
                  = d * (d - radix * radix) + d * radix + d * q0 * radix
                    + dl * (radix * radix * radix - d - d * radix)
                  = bbd * (-d) + d * radix + d * q0 * radix
                    + dl * (radix * radix * radix - d - d * radix)
                  = bbd * (bbd - radix * radix) + d * radix + d * q0 * radix
                    + dl * (radix * radix * radix - d - d * radix)
                  = bbd * bbd + d * q0 * radix
                    - bbd * radix * radix + d * radix
                    + dl * (radix * radix * radix - d * (1 + radix))
                  = bbd * bbd + d * q0 * radix
                    - (radix * radix - d) * radix * radix + d * radix
                    + dl * (radix * radix * radix - d * (1 + radix))
                  = bbd * bbd + d * q0 * radix
                    - radix * ((radix * radix - d) * radix - d)
                    + dl * (radix * radix * radix - d * (1 + radix))
                  = bbd * bbd + d * q0 * radix
                    - radix *  (radix * radix * radix - d * radix - d)
                    + dl * (radix * radix * radix - d * (1 + radix))
                  = bbd * bbd + d * q0 * radix
                    - radix * (radix * radix * radix - d * (1+ radix))
                    + dl * (radix * radix * radix - d * (1 + radix))
                  = bbd * bbd + d * q0 * radix
                    - (radix - dl) * (radix * radix * radix - d * (1+ radix))
                  <= bbd * m + d * q0 * radix
                    - (radix - dl) * (radix * radix * radix - d * (1+ radix))
                  <= bbd * m + d * m
                    - (radix - dl) * (radix * radix * radix - d * (1+ radix))
                  = (bbd + d) * m
                    - (radix - dl) * (radix * radix * radix - d * (1+ radix))
                  = radix * radix * m
                    - (radix - dl) * (radix * radix * radix - d * (1+ radix))
                  )
                  so
                    (cr < m by
                    if d <= radix * (radix - 1)
                    then (radix + 1) * d <= radix * (radix - 1) * (radix + 1)
                         = radix * (radix * radix - 1)
                         = radix * radix * radix - radix
                         < radix * radix * radix
                         so (radix * radix * radix - d * (1+ radix)) > 0
                         so radix - dl > 0
                         so (radix - dl) * (radix * radix * radix
                                               - d * (1+ radix))
                            > 0
                         so
                         radix * radix * cr
                         < radix * radix * m
                           - (radix - dl) * (radix * radix * radix
                           - d * (1+ radix))
                         < radix * radix * m
                         so radix * radix * cr < radix * radix * m
                    else
                        dl + radix * dh = d > radix * (radix - 1)
                        so dl < radix
                        so dl + radix * dh < radix * (1 + dh)
                        so radix - 1 < 1 + dh
                        so dh > radix - 2
                        so dh = radix - 1
                        so uh = dh
                        so d >= radix * (radix - 1) +1
                        so d * (radix + 1)
                           >= (radix * (radix - 1) + 1) * (radix +1)
                            = radix * (radix * radix - 1) + radix + 1
                            = radix * radix * radix - radix + radix + 1
                            = radix * radix * radix + 1
                        so
                        (d * div (radix * radix * radix - 1) d
                             <= d * (radix + 1)
                          by d * div (radix * radix * radix - 1) d
                             <= radix * radix * radix - 1
                             < radix * radix * radix + 1
                             <= d * (radix + 1))
                        so (let a = div (radix * radix * radix - 1) d in
                            a < radix + 1
                            by d > 0
                            so (forall x y z. x * z < y * z /\ z > 0 -> x < y)
                            so (forall x y. x * d < y * d -> x < y)
                            so let r = radix + 1 in
                               a * d < r * d
                               so a < r)
                        so v = div (radix * radix * radix - 1) d - radix
                                 < radix + 1 - radix = 1
                        so v = 0
                        so sh = uh = radix - 1
                        so cq = sh + 1 = radix
                        so cr = u - cq * d
                              = u - radix * d
                              = ul + radix * (um + radix * dh)
                                       - radix * (dl + radix * dh)
                              = ul + radix * (um - dl)
                        so um <= dl - 1
                        so 1 + um - dl <= 0
                        so ul < radix
                        so cr = ul + radix * (um - dl)
                              < radix + radix * (um - dl)
                              = radix * (1 + um - dl) <= 0
                        so cr < 0 <= m
                   )
                )
            };
    assert { cr >= 0 -> r' = cr };
    assert { cr < 0 -> r' = radix * radix + cr
             by
             m >= radix * radix - d
             so cr >= m - radix * radix >= -d
             so cr + radix * radix >= radix * radix - d >= 0
             so 0 <= cr + radix * radix < radix * radix
             so mod (radix * radix + cr) (radix*radix) = mod cr (radix*radix)
             so r' = mod (radix * radix + cr) (radix*radix) };
    assert { cr < 0 -> !r1 >= sl
             by m >= radix * q0
             so cr >= m - radix * radix >= radix * q0 - radix * radix
             so r' = radix * radix + cr >= radix * q0
             so r' = radix * !r1 + !r0 >= radix * q0
             so !r0 < radix
             so r' < radix * !r1 + radix = radix * (!r1 + 1)
             so radix * q0 < radix * (!r1 + 1)
             so sl = q0 < !r1 + 1 };
    assert { 1 <= cq <= radix };
    assert { 1 <= cq < radix -> !q1 = cq so !q1 * d + cr = u };
    assert { cq = radix ->
             (cr < 0
                by cq * d + cr = u
                so um + radix * uh <= d - 1
                so radix * d + cr = ul
                                    + radix * (um + radix * uh)
                                  <= ul + radix * (d - 1)
                                  = ul - radix + radix * d
                                  < radix * d
             )
           };
    label PreCorrections in
    if !r1 >= sl
    then begin
      q1 := sub_mod !q1 1;
      assert { !q1 = cq - 1
               by
               if cq = radix
               then
                 (!q1 at PreCorrections)
                 = mod cq radix = mod radix radix= 0
                 so !q1 = mod (0 - 1) radix = radix - 1 = cq - 1
               else
                 0 <= cq - 1 < radix - 1
                 so (!q1 at PreCorrections) = cq
                 so !q1 = mod (cq - 1) radix = cq - 1
                 };
      let rl, c = add_with_carry !r0 dl 0 in
      let rh, ghost c' = add_with_carry !r1 dh c in
      assert { rl + radix * rh = mod (r' + d) (radix * radix)
               by radix * radix * c' + rl + radix * rh
                  = r' + d
               so mod (r' + d) (radix * radix)
                  = mod (radix * radix * c' + rl + radix * rh)
                      (radix * radix)
                  = mod (rl + radix * rh) (radix * radix)  };
      assert { rl + radix * rh = cr + d
               by
               if cr >= 0
               then r' = cr
                    so rl + radix * rh = mod (cr + d) (radix * radix)
                    so cr < MM.max (radix * radix - d) (q0*radix)
                    so (cr >= q0 * radix
                       by
                          r' = radix * !r1 + !r0
                             >= radix * !r1
                             >= radix * q0)
                    so cr < radix * radix - d
                    so cr + d < radix * radix
                    so (cr + d >= 0  by cr + d >= cr)
                    so mod (cr + d) (radix * radix) = cr + d
               else
                    r' = cr + radix * radix
                    so cr >= m - radix * radix
                    so r' >= m >= radix * radix - d
                    so r' + d >= radix * radix
                    so r' < radix * radix
                    so d < radix * radix
                    so r' + d < radix * radix + radix * radix
                    so mod (r' + d) (radix * radix)
                       = r' + d - radix * radix
                       = cr + d
             };
      r1 := rh;
      r0 := rl;
      assert { !q1 * d + !r0 + radix * !r1 = u
               by
               cq * d + cr = u
               so !q1 = cq - 1
               so !r0 + radix * !r1 = cr + d
               so !q1 * d + !r0 + radix * !r1
                  = (cq - 1) * d + cr + d
                  = cq * d - d + cr + d
                  = cq * d + cr };
    end
    else assert { !q1 * d + r' = u
                  by cr >= 0
                  so r' = cr
                  so 1 <= cq < radix
                  so !q1 * d + cr = u };
    assert { !q1 * d + !r0 + radix * !r1 = u };
    label PreRemAdjust in
    if [@extraction:unlikely] (!r1 > dh) || (!r1 = dh && !r0 >= dl)
    then begin
      let bl, b = sub_with_borrow !r0 dl 0 in
      let bh, ghost b'= sub_with_borrow !r1 dh b in
      assert { b' = 0 };
      assert { bl + radix * bh = !r0 + radix * !r1 - d };
      assert { !q1 < radix - 1
               by !q1 * d + !r0 + radix * !r1 = u
               so !r0 + radix * !r1 >= d
               so um + radix * uh <= d - 1
               so u = ul + radix * (um + radix * uh)
                    <= ul + radix * (d - 1)
                    < radix + radix * (d-1)
                    = radix * d
               so (!q1 * d < (radix - 1) * d
                  by
                  !q1 * d = u - (!r0 + radix * !r1)
                              <= u - d
                              < radix * d - d
                              = (radix - 1) * d )
               };
      q1 := add_mod !q1 1;
      assert { !q1 = (!q1 at PreRemAdjust) + 1 };
      r1 := bh;
      r0 := bl;
      assert { !q1 * d + !r0 + radix * !r1 = u
               by
               !q1 * d + !r0 + radix * !r1
               = ((!q1 at PreRemAdjust) + 1) * d
                 + (!r0 + radix * !r1 at PreRemAdjust) - d
               = (!q1 * d + !r0 + radix * !r1 at PreRemAdjust)
                };
    end;
    assert { 0 <= !r0 + radix * !r1 < d };
    (!q1,!r0,!r1)

  let lemma bounds_imply_rec3by2 (v dh dl:limb)
    requires { radix * radix * radix - (dl + radix * dh)
               <= (radix + v) * (dl + radix * dh)
               < radix * radix * radix }
    ensures { reciprocal_3by2 v dh dl }
  = ()

  let reciprocal_word_3by2 (dh dl:limb) : limb
    requires { dh >= div radix 2 }
    ensures { reciprocal_3by2 result dh dl }
  =
    let ghost d = l2i dl + radix * l2i dh in
    let v = ref (invert_limb dh) in
    assert { radix * radix - dh
             <= (radix + !v) * dh
             < radix * radix
             by
             radix + !v = div (radix * radix - 1) (dh) };
    let p = ref (mul_mod dh !v) in
    assert { (radix + !v) * dh
             = radix * (radix-1)
               + !p
             by
             mod ((radix + !v) * dh) radix
             = mod (radix * dh + dh * !v) radix
             = mod (dh * !v) radix = l2i !p
             so
             div ((radix + !v) * dh) radix = radix - 1
             so
             (radix + !v) * dh
             = radix * div ((radix + !v) * dh) radix
               + mod (dh * !v) radix
             = radix * (radix - 1) + !p
             };
    label Estimate in
    p := add_mod !p dl;
    if !p < dl (* carry out *)
    then begin
      assert { (!p at Estimate) + dl >= radix };
      assert { (!p at Estimate) + dl = radix + !p };
      assert { !v >= 1
               by
               (!p at Estimate) + dl >= radix
               so (!p at Estimate) > 0
             };
      assert { (radix + !v) * dh + dl
               = radix * (radix - 1) + radix + !p };
      label Carry in
      if !p >= dh
      then begin
        v := !v - 1;
        p := !p - dh;
        assert { (radix + !v) * dh + dl
                 = radix * (radix - 1) + radix + !p
               };
      end;
      label Borrow in
      v := !v - 1;
      assert { !p < dh };
      p := sub_mod !p dh;
      assert { !p = radix + !p at Borrow - dh };
    end;
    assert { (radix + !v) * dh * radix + radix * dl
               = radix * radix * (radix - 1) + radix * !p
             by (radix + !v) * dh + dl
                 = radix * (radix - 1) + !p };
    assert { radix * radix - dh
             <= (radix + !v) * dh + dl
             < radix * radix };
    let tl, th = mul_double !v dl in
    label Adjust in
    p := add_mod !p th;
    if !p < th (* carry out *)
    then begin
      assert { (!p at Adjust) + th >= radix };
      assert { (!p at Adjust) + th = radix + !p
               by (!p at Adjust) + th < radix + radix
               so div ((!p at Adjust) + th) radix = 1
               so !p = mod ((!p at Adjust) + th) radix
               so (!p at Adjust) + th
                  = radix * div ((!p at Adjust) + th) radix
                    + mod ((!p at Adjust) + th) radix
                  = radix + !p
             };
      assert { !v >= 1
               by
               th <> 0
               so !v <> 0
             };
      if !p > dh || (!p = dh && tl >= dl)
      then begin
        assert { tl + radix * !p >= d };
        v := !v - 1;
        assert { (radix + !v) * dh * radix + radix * dl
                   + !v * dl
                 = radix * radix * radix
                   + radix * !p + tl - d
                 by
                 (radix + !v) * dh * radix + radix * dl
                   + !v * dl
                 = (radix + !v at Adjust - 1) * dh * radix
                   + radix * dl
                   + (!v at Adjust - 1) * dl
                 = (radix + !v at Adjust) * dh * radix
                   + radix *  dl
                   + (!v at Adjust) * dl - radix * dh
                   - dl
                 = radix * radix * (radix - 1) + radix * (!p at Adjust)
                   + (!v at Adjust) * dl - radix * dh
                   - dl
                 = radix * radix * (radix - 1) + radix * (!p at Adjust)
                   + radix * th + tl - d
                 = radix * radix * (radix - 1) + radix * (radix + !p)
                   + tl - d
                 = radix * radix * (radix - 1) + radix * radix + radix * !p
                   + tl - d
                 = radix * radix * radix + radix * !p + tl - d
            };
      end;
      assert { radix * radix * radix
               <= (radix + !v) * dh * radix + radix * dl
                   + !v * dl
               < radix * radix * radix + d };
      v := !v - 1;
    end;
    bounds_imply_rec3by2 !v dh dl;
    !v

  (* `(x, sz)` is normalized if its most significant bit is set. *)
  predicate normalized (x:t) (sz:int32) =
    valid x sz
    /\ (pelts x)[x.offset + sz - 1] >= div radix 2

  use mul.Mul

  let div_sb_qr (q x:t) (sx:int32) (y:t) (sy:int32) : limb
    requires { 3 <= sy <= sx }
    requires { valid x sx }
    requires { valid y sy }
    requires { valid q (sx - sy) }
    requires { writable q }
    requires { writable x }
    requires { normalized y sy }
    ensures { value (old x) sx =
              (value q (sx - sy)
              + power radix (sx - sy) * result)
                * value y sy
              + value x sy }
    ensures { value x sy < value y sy }
    ensures { 0 <= result <= 1 }
  = [@vc:do_not_keep_trace] (* traceability info breaks the proof *)
    let xp = ref (C.incr x (sx - 2)) in
    let qp = ref (C.incr q (sx - sy)) in
    let dh = C.get_ofs y (sy - 1) in
    assert { dh >= div radix 2 by normalized y sy };
    let dl = C.get_ofs y (sy - 2) in
    let v = reciprocal_word_3by2 dh dl in
    let i = ref (sx - sy) in
    let mdn = 2 - sy in
    let ql = ref 0 in
    let xd = C.incr !xp mdn in
    let ghost vy = value y (p2i sy) in
    let x1 = ref 0 in
    let x0 = ref 0 in
    let r = wmpn_cmp xd y sy in
    let qh = (*begin
               ensures { r >= 0 -> result = 1 }
               ensures { r < 0 -> result = 0 }*)
               if (r >= 0)
               then 1
               else 0
             (*end*) in
    label PreAdjust in
    begin
      ensures { value (old x) sx =
                  (value !qp (sx - sy - !i)
                   + qh * power radix (sx - sy - !i))
                  * vy * power radix !i
                  + value x (sy + !i - 1)
                  + power radix (sy + !i - 1) * !x1 }
      ensures { value_sub (pelts x) (!xp.offset + mdn)
                 (!xp.offset + mdn + sy - 1)
                 + power radix (sy - 1) * !x1
                 < vy }
      ensures { dl + radix * dh
                  >= (pelts x)[(!xp).offset] + radix * !x1 }
    let ghost ox = pelts x in
    begin [@vc:sp]
    if (not (qh = 0))
    then begin
         assert { qh = 1 };
         let ghost b = wmpn_sub_n_in_place xd y sy in
         begin
             ensures { value (x at PreAdjust) sx =
                  (value !qp (sx - sy - !i)
                   + qh * power radix (sx - sy - !i))
                  * vy * power radix !i
                  + value x sx }
             ensures { value_sub (pelts x) (!xp.offset + mdn)
                 (!xp.offset + mdn + sy)
                 < vy }
           value_sub_upper_bound (pelts x) xd.offset (xd.offset + p2i sy);
           assert { b = 0 };
           assert { value (xd at PreAdjust) sy
                    = value xd sy + vy };
           value_sub_concat (pelts x) x.offset xd.offset (xd.offset + p2i sy);
           value_sub_concat ox x.offset xd.offset (xd.offset + p2i sy);
           value_sub_frame (pelts x) ox x.offset xd.offset;
           assert { value (x at PreAdjust) sx
             = value x sx
             + power radix (sx - sy) * vy
             by
             value_sub (pelts (x at PreAdjust)) x.offset xd.offset
             = value_sub (pelts x) x.offset xd.offset
             so pelts (xd at PreAdjust) = pelts (x at PreAdjust)
             so value_sub (pelts (x at PreAdjust)) xd.offset (xd.offset + sy)
                = value (xd at PreAdjust) sy
             so value (x at PreAdjust) sx
             = value_sub (pelts (x at PreAdjust)) x.offset xd.offset
               + power radix (sx - sy)
               * value_sub (pelts (x at PreAdjust)) xd.offset (xd.offset + sy)
             = value_sub (pelts x) x.offset xd.offset
               + power radix (sx - sy)
               * value (xd at PreAdjust) sy
             = value_sub (pelts x) x.offset xd.offset
               + power radix (sx - sy)
               * (value xd sy + vy)
             = value_sub (pelts x) x.offset xd.offset
               + power radix (sx - sy)
               * (value_sub (pelts x) (xd.offset) (xd.offset + sy) + vy)
             = value_sub (pelts x) x.offset xd.offset
               + power radix (sx - sy)
               * value_sub (pelts x) (xd.offset) (xd.offset + sy)
               + power radix (sx - sy) * vy
             = value x sx
               + power radix (sx - sy) * vy
           };
           value_sub_tail (pelts x) x.offset (x.offset + p2i sy + p2i !i - 1);
           assert { value (x at PreAdjust) sx =
                  (value !qp (sx - sy - !i)
                   + qh * power radix (sx - sy - !i))
                  * vy * power radix !i
                  + value x sx
                 by
                   !i = sx - sy
                 so power radix (sx - sy - !i) = 1
                 so value !qp (sx - sy - !i) = 0 };
           value_sub_lower_bound_tight (pelts y) y.offset (y.offset + p2i sy);
           assert { value_sub (pelts x) (!xp.offset + mdn)
                 (!xp.offset + mdn + sy)
                 < vy
                 by
                 value_sub (pelts x) (!xp.offset + mdn)
                           (!xp.offset + mdn + sy)
                 = value xd sy
                 = value (xd at PreAdjust) sy - vy
                 so value (xd at PreAdjust) sy
                    < power radix sy
                 so vy >= dh * power radix (sy - 1)
                 so 2 * vy >= 2 * dh * power radix (sy - 1)
                 so 2 * dh >= radix
                 so 2 * dh * power radix (sy - 1) >= radix * power radix (sy - 1)
                 so 2 * vy >= radix * power radix (sy - 1) = power radix sy
                 so value (xd at PreAdjust) sy < 2 * vy
                 so value (xd at PreAdjust) sy - vy < vy };
           end
         end
    else begin
         assert { value_sub (pelts x) (!xp.offset + mdn)
                 (!xp.offset + mdn + sy)
                 < vy
                 by r < 0 };
         assert { value (x at PreAdjust) sx =
                  (value !qp (sx - sy - !i)
                   + qh * power radix (sx - sy - !i))
                   * vy * power radix !i
                   + value x sx
                 by qh = 0
                 so sx - sy - !i = 0
                 so (value !qp (sx - sy - !i)
                   + qh * power radix (sx - sy - !i)) = 0 };
         end
    end;
    let ghost gx1 = (C.get_ofs !xp 1) in
    value_sub_tail (pelts y) y.offset (y.offset + p2i sy - 1);
    value_sub_upper_bound_tight (pelts y) y.offset (y.offset + p2i sy - 1);
    value_sub_tail (pelts x) (!xp.offset) (!xp.offset + p2i sy - 1);
    value_sub_lower_bound_tight (pelts x) (!xp.offset) (!xp.offset + p2i sy - 1);
    assert { dl + radix * dh
             >= (pelts x)[(!xp).offset] + radix * gx1
             by value_sub (pelts x) (!xp.offset + mdn)
                                    (!xp.offset + mdn + sy)
                < vy
             so value y (sy - 1) < (dl + 1) * power radix (sy - 1 - 1)
             so vy = dh * power radix (sy - 1)
                     + value y (sy - 1)
                     < dh * power radix (sy - 1)
                     + (dl + 1) * power radix (sy - 1 - 1)
                   = power radix (sy - 2) * (dl+1 + radix * dh)
             so !xp.offset + mdn + sy - 1 = !xp.offset + 1
             so (pelts x)[!xp.offset + mdn + sy - 1]
                = (pelts x)[!xp.offset + 1] = gx1
             so value_sub (pelts x) (!xp.offset + mdn) (!xp.offset + mdn + sy)
                = gx1 * power radix (sy - 1)
                     + value_sub (pelts x) (!xp.offset + mdn)
                                           (!xp.offset + mdn + sy - 1)
                >= gx1 * power radix (sy - 1)
                   + (pelts x)[!xp.offset] * power radix (sy - 1 - 1)
                = power radix (sy - 2)
                  * ((pelts x) [!xp.offset] + radix * gx1)
             so power radix (sy - 2) * ((pelts x) [!xp.offset] + radix * gx1)
                < power radix (sy - 2) * (dl+1 + radix * dh)
             so (pelts x) [!xp.offset] + radix * gx1
                < dl + 1 + radix * dh
             };
    value_sub_tail (pelts x) (!xp.offset + p2i mdn)
                   (!xp.offset + p2i mdn + p2i sy - 1);
    value_sub_tail (pelts x) x.offset (x.offset + p2i sy + p2i !i - 1);
    x1 := (C.get_ofs !xp 1);
    assert { value_sub (pelts x) (!xp.offset + mdn)
                 (!xp.offset + mdn + sy - 1)
                 + power radix (sy - 1) * !x1
                 < vy
             by
             !xp.offset + mdn + sy - 1 = !xp.offset + 1
             so value_sub (pelts x) (!xp.offset + mdn)
                 (!xp.offset + mdn + sy - 1)
                 + power radix (sy - 1) * !x1
             = value_sub (pelts x) (!xp.offset + mdn)
                 (!xp.offset + mdn + sy - 1)
                 + power radix (sy - 1) * (pelts x)[!xp.offset + 1]
             = value_sub (pelts x) (!xp.offset + mdn)
                 (!xp.offset + mdn + sy - 1)
                 + power radix (sy - 1)
                   * (pelts x)[!xp.offset + mdn + sy - 1]
             = value_sub (pelts x) (!xp.offset + mdn)
                         (!xp.offset + mdn + sy)
             < vy };
    assert { value (x at PreAdjust) sx =
                  (value !qp (sx - sy - !i)
                   + qh * power radix (sx - sy - !i))
                  * vy * power radix !i
                  + value x (sy + !i - 1)
                  + power radix (sy + !i - 1) * !x1
                by value (x at PreAdjust) sx =
                   (value !qp (sx - sy - !i)
                   + qh * power radix (sx - sy - !i))
                   * vy * power radix !i
                   + value x sx
                so sx = sy + !i
                so x.offset + sy + !i - 1 = !xp.offset + 1
                so (pelts x)[x.offset + sy + !i - 1] =
                   (pelts x)[!xp.offset + 1]= !x1
                so value x sx
                   = value x (sx - 1)
                     + power radix (sx -1) * (pelts x)[x.offset + sx - 1]
                   = value x (sy + !i - 1)
                     + power radix (sy + !i - 1) * (pelts x)[x.offset + sy + !i - 1]
                so value x (sy + !i - 1)
                  + power radix (sy + !i - 1) * !x1
                  = value x sx
           };
    end;
    while (!i > 0) do
      variant { !i }
      invariant { 0 <= !i <= sx - sy }
      invariant { (!qp).offset = q.offset + !i }
      invariant { (!xp).offset = x.offset + sy + !i - 2 }
      invariant { plength !qp = plength q }
      invariant { !qp.min = q.min }
      invariant { !qp.max = q.max }
      invariant { plength !xp = plength x }
      invariant { !xp.min = x.min }
      invariant { !xp.max = x.max }
      invariant { pelts !qp = pelts q }
      invariant { pelts !xp = pelts x }
      invariant { writable !qp /\ writable !xp }
      invariant { value (old x) sx =
                  (value !qp (sx - sy - !i)
                   + qh * power radix (sx - sy - !i))
                  * vy * power radix !i
                  + value x (sy + !i - 1)
                  + power radix (sy + !i - 1) * !x1 }
      invariant { value_sub (pelts x) (!xp.offset + mdn)
                 (!xp.offset + mdn + sy - 1)
                 + power radix (sy - 1) * !x1
                 < vy }
      invariant { dl + radix * dh
                  >= (pelts x)[(!xp).offset] + radix * !x1 }
      label StartLoop in
      let ghost k = int32'int !i in
      i := !i - 1;
      let ghost s = int32'int sy + int32'int !i - 1 in
      xp.contents <- C.incr !xp (-1);
      let xd = C.incr !xp mdn in
      let nx0 = C.get_ofs !xp 1 in
      if [@extraction:unlikely] (!x1 = dh && nx0 = dl)
      then begin
        ql := Limb.uint64_max;
        value_sub_concat (pelts x) x.offset xd.offset (xd.offset + p2i sy);
        value_sub_tail (pelts xd) xd.offset (xd.offset + p2i sy - 1);
        let ghost vlx = value xd (p2i sy - 1) in
        assert { value xd sy
                 = vlx + power radix (sy - 1) * dl
                 by value xd sy
                    = vlx + power radix (sy - 1)
                            * (pelts xd)[xd.offset + sy - 1]
                 so xd.offset + sy - 1 = !xp.offset + mdn + sy - 1
                                           = !xp.offset + 1
                 so pelts xd = pelts !xp
                 so (pelts xd)[xd.offset + sy - 1]
                    = (pelts !xp)[!xp.offset + 1] = dl
               };
        value_sub_tail (pelts y) y.offset (y.offset + p2i sy - 1);
        value_sub_tail (pelts y) y.offset (y.offset + p2i sy - 2);
        let ghost vly = value y (p2i sy - 2) in
        assert { vy = vly + power radix (sy - 2) * dl
                          + power radix (sy - 1) * dh
                 by (pelts y)[y.offset + sy - 1] = dh
                 so (pelts y)[y.offset + sy - 2] = dl
                 so
                    vy = value y (sy - 1)
                          + power radix (sy - 1) * dh
                    = vly + power radix (sy - 2) * dl
                          + power radix (sy - 1) * dh };
        begin
          ensures { value_sub (pelts xd) (xd.offset+1) (xd.offset + p2i sy - 1)
                        + power radix (sy - 2) * dl
                        + power radix (sy - 1) * dh
                     < vy }
          value_sub_tail (pelts xd) (xd.offset + 1) (xd.offset + p2i sy - 2);
          assert { value_sub (pelts x) (!xp.offset at StartLoop + mdn)
                             (!xp.offset at StartLoop + mdn + sy - 1)
                   = value_sub (pelts xd) (xd.offset+1) (xd.offset + p2i sy - 1)
                        + power radix (sy - 2) * dl
                   by
                   pelts x = pelts xd
                   so !xp.offset at StartLoop + mdn = xd.offset + 1
                   so !xp.offset at StartLoop + mdn + sy - 1 = xd.offset + sy
                   so xd.offset + sy - 1 = !xp.offset + 1
                   so pelts xd = pelts !xp
                   so (pelts xd)[xd.offset + sy - 1] = (pelts !xp)[!xp.offset+1] = dl
                   so value_sub (pelts x) (!xp.offset at StartLoop + mdn)
                             (!xp.offset at StartLoop + mdn + sy - 1)
                    = value_sub (pelts xd) (xd.offset+1) (xd.offset + sy)
                    = value_sub (pelts xd) (xd.offset+1) (xd.offset + p2i sy - 1)
                      + power radix (sy - 2)
                        * (pelts xd)[xd.offset + p2i sy - 1]
                    = value_sub (pelts xd) (xd.offset+1) (xd.offset + p2i sy - 1)
                      + power radix (sy - 2) * dl
                 };
         assert { !x1 = dh };
        end;
        label SubMax in
        let ghost xc = Array.copy (x.data) in
        value_sub_frame (pelts x) xc.elts x.offset (x.offset + p2i !i);
        let ghost b = wmpn_submul_1 xd y sy !ql in
        begin
          ensures { value x !i
                 = value (x at SubMax) !i }
          assert { forall j. x.offset <= j < x.offset + !i
                          -> (pelts x)[j] = xc.elts[j]
                   by
                   (pelts x)[j] = (pelts x at SubMax)[j]
                   so
                   ((pelts x at SubMax)[j] = xc.elts[j]
                   by
                   0 <= j /\ j < xc.Array.length
                   ) };
          value_sub_frame (pelts x) xc.elts x.offset (x.offset + p2i !i);
        end;
        value_sub_upper_bound (pelts xd) xd.offset (xd.offset + p2i sy);
        value_sub_lower_bound (pelts xd) xd.offset (xd.offset + p2i sy);
        value_sub_head (pelts xd) xd.offset (xd.offset + p2i sy - 1);
        assert { vlx < radix * vly
                 by
                   vlx = value_sub (pelts xd at SubMax) xd.offset
                                   (xd.offset + sy - 1)
                       = (pelts xd at SubMax)[xd.offset]
                         + radix * value_sub (pelts xd at SubMax)
                                             (xd.offset + 1)
                                             (xd.offset + sy - 1)
                   so value_sub (pelts xd at SubMax) (xd.offset + 1)
                                           (xd.offset + sy - 1)
                      + power radix (sy - 2) * dl
                      + power radix (sy - 1) * dh
                      < vy
                      = vly + power radix (sy - 2) * dl
                            + power radix (sy - 1) * dh
                   so value_sub (pelts xd at SubMax) (xd.offset + 1)
                                           (xd.offset + sy - 1)
                      < vly
                   so value_sub (pelts xd at SubMax) (xd.offset + 1)
                                           (xd.offset + sy - 1)
                      <= vly - 1
                   so vlx = (pelts xd at SubMax)[xd.offset]
                            + radix * value_sub (pelts xd at SubMax)
                                                (xd.offset + 1)
                                                (xd.offset + sy - 1)
                          <= (pelts xd at SubMax)[xd.offset]
                            + radix * (vly - 1)
                          < radix + radix * (vly - 1)
                          = radix * vly
               };
        assert { b = dh
                 by
                   value xd sy
                 = value (xd at SubMax) sy
                   - (!ql) * vy
                   + power radix sy * b
                 so !ql = radix - 1
                 so 0 <= value xd sy < power radix sy
                 so radix * power radix (sy - 2) = power radix (sy - 1)
                 so radix * power radix (sy - 1) = power radix sy
                 so value xd sy
                    = power radix (sy - 1) * dl + vlx
                      - (radix - 1) * vy
                      + power radix sy * b
                    = power radix (sy - 1) * dl + vlx
                      - radix * (vly + power radix (sy - 2) * dl
                                + power radix (sy - 1) * dh)
                      + vy + power radix sy * b
                    = power radix (sy - 1) * dl + vlx
                      - radix * vly - radix * power radix (sy - 2) * dl
                      - radix * power radix (sy - 1) * dh
                      + vy + power radix sy * b
                    = power radix (sy - 1) * dl + vlx
                      - radix * vly - power radix (sy - 1) * dl
                      - power radix sy * dh
                      + vy + power radix sy * b
                    = power radix sy * (b - dh)
                      + vlx - radix * vly + vy
                 so vlx < radix * vly
                 so (0 <= vlx - radix * vly + vy < power radix sy
                      by
                      vy - radix * vly
                      = vly + power radix (sy - 2) * dl
                          + power radix (sy - 1) * dh
                          - radix * vly
                      = power radix (sy - 2) * (dl + radix * dh)
                        - vly * (radix - 1)
                      so let pr2 = power radix (sy - 2) in
                      0 <= vly < pr2
                      so 0 <= vly * (radix - 1) < pr2 * (radix - 1)
                      so vy - radix * vly
                         >= pr2 * (dl + radix * dh)
                           - pr2 * (radix - 1)
                         = pr2 * (dl + radix * dh - (radix - 1))
                      so dh + radix * dh - (radix - 1) >= 0
                      so pr2 >= 0
                      so vy - radix * vly
                         >= pr2 * (dl + radix * dh - (radix - 1)) >= 0
                      so vlx - radix * vly < 0
                      so vlx - radix * vly + vy < vy < power radix sy
                    )
                 so - (power radix sy)
                    < power radix sy * (b - dh)
                    < power radix sy
                 so - 1 < b - dh < 1
               };
        value_sub_concat (pelts x) x.offset xd.offset (x.offset + s);
        x1 := C.get_ofs !xp 1;
        qp.contents <- C.incr !qp (-1);
        value_sub_update_no_change (pelts q) (!qp).offset
                            ((!qp).offset + 1)
                            ((!qp).offset + p2i sx - p2i sy - p2i !i)
                            !ql;
        label QUp in
        C.set !qp !ql;
        assert { value_sub (pelts q) ((!qp).offset + 1)
                              ((!qp).offset + sx - sy - !i)
                    = value (!qp at StartLoop)
                              (sx - sy - k)
                by value_sub (pelts q) ((!qp).offset + 1)
                              ((!qp).offset + sx - sy - !i)
                   = value_sub (pelts q at QUp) (!qp.offset + 1)
                              ((!qp).offset + sx - sy - !i)
                   = value (!qp at StartLoop) (sx - sy - k) };
        value_sub_head (pelts q) (!qp).offset
          ((!qp).offset + p2i sx - p2i sy - p2i !i);
        value_sub_tail (pelts x) x.offset (x.offset + p2i sy + p2i !i - 1);
        assert { value xd (sy - 1)
                 + power radix (sy - 1) * !x1
                 = value (xd at SubMax) sy
                   + power radix sy * (!x1 at StartLoop)
                   - !ql * vy
                 by
                 value xd sy
                 = value (xd at SubMax) sy
                   - (!ql) * vy
                   + power radix sy * b
                 so b = dh = !x1 at StartLoop
                 so pelts !xp = pelts x = pelts xd
                 so ((pelts xd)[xd.offset + sy - 1] = !x1
                    by
                    xd.offset = x.offset + !i
                    so (!xp).offset = x.offset + !i + sy - 2
                    so (!xp).offset + 1 = xd.offset + sy - 1
                    so (pelts xd)[xd.offset + sy - 1]
                       = (pelts !xp)[(!xp).offset + 1]
                       = !x1
                    )
                 so value xd sy
                    = value xd (sy - 1)
                      + power radix (sy - 1) * (pelts xd)[xd.offset + sy - 1]
                    = value xd (sy - 1)
                      + power radix (sy - 1) * !x1
               };
        (* refl *)
        assert { value (old x) sx =
                  (value !qp (sx - sy - !i)
                   + qh * power radix (sx - sy - !i))
                  * vy * power radix !i
                  + value x (sy + !i - 1)
                  + power radix (sy + !i - 1) * !x1
                 by
                 pelts !xp = pelts x = pelts xd
                 so
                 value xd sy
                 = value (xd at SubMax) sy
                   - (!ql) * vy
                   + power radix sy * b
                 = value (xd at SubMax) sy
                   - (!ql) * vy
                   + power radix sy * dh
                 so (value x s
                    = value x !i
                      + power radix !i
                        * value xd (sy - 1)
                    by
                      xd.offset = x.offset + !i
                      so x.offset + s = xd.offset + sy - 1
                      so value_sub (pelts x) (x.offset + !i) (x.offset + s)
                         = value xd (sy - 1)
                      so value x s
                    = value x !i
                      + power radix !i
                        * value_sub (pelts x) (x.offset + !i)
                                              (x.offset + s)
                    = value x !i
                      + power radix !i
                        * value xd (sy - 1))
                 so (power radix s
                    = power radix !i * power radix (sy - 1)
                    by
                    let n = !i in
                    let m = sy - 1 in
                    let x = radix in
                    power x s = power x (n + m)
                    so (power x (n + m) = power x n * power x m
                       by 0 <= n
                       so 0 <= m
                       so forall x:int, n:int, m:int.
                                 0 <= n -> 0 <= m ->
                                 power x (n + m) = (power x n * power x m)))
                 so (value x s + power radix s * !x1
                    = value x !i
                      + power radix !i * (value xd sy)
                    by
                    value x s + power radix s * !x1
                    = value x !i
                      + power radix !i
                        * value xd (sy - 1)
                      + power radix (!i + sy - 1) * !x1
                    = value x !i
                      + power radix !i *
                        (value xd (sy - 1)
                         + power radix (sy - 1) * !x1)
                    = value x !i
                      + power radix !i * (value xd sy)
                    )
                 so (value (x at StartLoop) (sy + k - 1)
                    = value (x at SubMax) !i
                      + power radix !i
                        * value (xd at SubMax) sy
                    by
                    pelts xd at SubMax = pelts x at SubMax
                    so x.offset at SubMax + !i = xd.offset at SubMax
                    so
                    value (x at StartLoop) (sy + k - 1)
                    = value_sub (pelts x at SubMax) (x at SubMax).offset
                                (xd.offset at SubMax)
                      + power radix !i
                        * value_sub (pelts x at SubMax)
                           (xd.offset at SubMax)
                           (xd.offset at SubMax + sy)
                    so value_sub (pelts x at SubMax) (x at SubMax).offset
                                 (xd at SubMax).offset
                       = value (x at SubMax) !i
                    so value_sub (pelts x at SubMax) (xd.offset at SubMax)
                                                     (xd.offset at SubMax + sy)
                       = value (xd at SubMax) sy
                    )
                 so value x !i
                    = value (x at SubMax) !i
                 so value x s + power radix s * !x1
                    = value (x at StartLoop) (sy + k - 1)
                      + power radix !i
                        * (value xd sy
                           - value (xd at SubMax) sy)
                    = value (x at StartLoop) (sy + k - 1)
                      + power radix !i
                        * (- (!ql) * vy
                           + power radix sy * b)
                    = value (x at StartLoop) (sy + k - 1)
                      + power radix !i
                        * (- (!ql) * vy
                           + power radix sy * (!x1 at StartLoop))
                 so value !qp (sx - sy - !i)
                    = !ql + radix *
                          value_sub (pelts q) ((!qp).offset + 1)
                                    ((!qp).offset + sx - sy - !i)
                 so (value_sub (pelts q) ((!qp).offset + 1)
                              ((!qp).offset + sx - sy - !i)
                    = value (!qp at StartLoop)
                              (sx - sy - k)
                     by value (!qp at StartLoop) (sx - sy - k)
                      = value_sub (pelts q at StartLoop)
                                  (!qp.offset + 1) (!qp.offset + sx - sy - !i))
                 so value !qp (sx - sy - !i)
                    = !ql + radix * value (!qp at StartLoop)
                                    (sx - sy - k)
                 so power radix (sx - sy - !i)
                    = radix * power radix (sx - sy - k)
                 so radix * power radix !i = power radix k
                 so (power radix !i * power radix sy
                      = power radix (sy + k - 1)
                      by !i + sy = sy + k - 1
                      so power radix !i * power radix sy
                         = power radix (!i + sy))
                 so (value !qp (sx - sy - !i)
                      + qh * power radix (sx - sy - !i))
                      * vy * power radix !i
                      + value x (sy + !i - 1)
                      + power radix (sy + !i - 1) * !x1
                    = (!ql + radix * value (!qp at StartLoop)
                                    (sx - sy - k)
                      + qh * power radix (sx - sy - !i))
                      * vy * power radix !i
                      + value x (sy + !i - 1)
                      + power radix (sy + !i - 1) * !x1
                    = (!ql + radix * value (!qp at StartLoop)
                                    (sx - sy - k)
                      + radix * qh * power radix (sx - sy - k))
                      * vy * power radix !i
                      + value x (sy + !i - 1)
                      + power radix (sy + !i - 1) * !x1
                    = (!ql + radix * value (!qp at StartLoop)
                                    (sx - sy - k)
                      + radix * qh * power radix (sx - sy - k))
                      * vy * power radix !i
                      + value x s
                      + power radix s * !x1
                    = !ql * vy * power radix !i
                      + radix * (value (!qp at StartLoop)
                                    (sx - sy - k)
                                 + qh * power radix (sx - sy - k))
                        * vy * power radix !i
                      + value x s
                      + power radix s * !x1
                    = !ql * vy * power radix !i
                      + (value (!qp at StartLoop)
                                    (sx - sy - k)
                                 + qh * power radix (sx - sy - k))
                        * vy * radix * power radix !i
                      + value x s
                      + power radix s * !x1
                    = !ql * vy * power radix !i
                      + (value (!qp at StartLoop)
                                    (sx - sy - k)
                                 + qh * power radix (sx - sy - k))
                        * vy * power radix k
                      + value x s
                      + power radix s * !x1
                    = !ql * vy * power radix !i
                      + (value (!qp at StartLoop)
                                    (sx - sy - k)
                                 + qh * power radix (sx - sy - k))
                        * vy * power radix k
                      + value (x at StartLoop) (sy + k - 1)
                      + power radix !i
                        * (- (!ql) * vy
                           + power radix sy * (!x1 at StartLoop))
                    = (value (!qp at StartLoop)
                                    (sx - sy - k)
                                 + qh * power radix (sx - sy - k))
                        * vy * power radix k
                      + value (x at StartLoop) (sy + k - 1)
                      + power radix !i * power radix sy
                        * (!x1 at StartLoop)
                    = (value (!qp at StartLoop)
                                    (sx - sy - k)
                                 + qh * power radix (sx - sy - k))
                        * vy * power radix k
                      + value (x at StartLoop) (sy + k - 1)
                      + power radix (sy + k - 1) * (!x1 at StartLoop)
                    = value (old x) sx
                  };
        assert { value_sub (pelts x) (!xp.offset + mdn)
                   (!xp.offset + mdn + sy - 1)
                   + power radix (sy - 1) * !x1
                   < vy
                   by
                     pelts x = pelts xd
                   so xd.offset = !xp.offset + mdn
                   so !xp.offset + mdn + sy - 1 = xd.offset + sy - 1
                   so
                     value xd (sy - 1)
                     = value_sub (pelts xd) xd.offset (xd.offset + sy - 1)
                     = value_sub (pelts x) (!xp.offset + mdn)
                       (!xp.offset + mdn + sy - 1)
                   so value_sub (pelts x) (!xp.offset + mdn)
                                (!xp.offset + mdn + sy - 1)
                      + power radix (sy - 1) * !x1
                      = value (xd at SubMax) sy
                        + power radix sy * (!x1 at StartLoop)
                        - !ql * vy
                   so value (xd at SubMax) sy =
                      vlx + power radix (sy - 1) * dl
                   so vlx < radix * vly
                   so (value (xd at SubMax) sy
                        + power radix sy * (!x1 at StartLoop)
                      < radix * vy
                      by
                      !x1 at StartLoop = dh
                      so power radix sy = radix * power radix (sy - 1)
                      so power radix (sy - 1) = radix * power radix (sy - 2)
                      so value (xd at SubMax) sy
                          + power radix sy * (!x1 at StartLoop)
                         = vlx + power radix (sy - 1) * dl
                               + power radix sy * dh
                         < radix * vly + power radix (sy - 1) * dl
                                       + power radix sy * dh
                         = radix * vly + radix * power radix (sy - 2) * dl
                                       + radix * power radix (sy - 1) * dh
                         = radix * (vly + power radix (sy - 2) * dl
                                        + power radix (sy - 1) * dh)
                         = radix * vy
                      )
                   so !ql = radix - 1
                   so value (xd at SubMax) sy
                        + power radix sy * (!x1 at StartLoop)
                        - !ql * vy
                      < radix * vy - (radix - 1) * vy
                      = vy
               };
          value_sub_tail (pelts x) (!xp.offset + p2i mdn) (!xp.offset);
          value_sub_upper_bound (pelts y) (y.offset) (y.offset + p2i sy - 2);
          value_sub_lower_bound (pelts x) (!xp.offset + p2i mdn) (!xp.offset);
          assert { dl + radix * dh
                   >= (pelts x)[(!xp).offset] + radix * !x1
                   by
                   vy = vly + power radix (sy - 2)
                              * (dl + radix * dh)
                   so value_sub (pelts x) (!xp.offset + mdn)
                   (!xp.offset + mdn + sy - 1)
                   + power radix (sy - 1) * !x1
                   < vy
                   so !xp.offset + mdn + sy - 1 = !xp.offset + 1
                   so power radix (sy - 1) = power radix (sy - 2) * radix
                   so - mdn = sy - 2
                   so vy
                      > value_sub (pelts x) (!xp.offset + mdn)
                                            (!xp.offset + mdn + sy - 1)
                        + power radix (sy - 1) * !x1
                      = value_sub (pelts x) (!xp.offset + mdn)
                                            (!xp.offset + 1)
                        + power radix (sy - 1) * !x1
                      = value_sub (pelts x) (!xp.offset + mdn) (!xp.offset)
                        + power radix (- mdn) * (pelts x)[(!xp).offset]
                        + power radix (sy - 1) * !x1
                      = value_sub (pelts x) (!xp.offset + mdn) (!xp.offset)
                        + power radix (sy - 2) * (pelts x)[(!xp).offset]
                        + power radix (sy - 1) * !x1
                      = value_sub (pelts x) (!xp.offset + mdn) (!xp.offset)
                        + power radix (sy - 2) * (pelts x)[(!xp).offset]
                        + power radix (sy - 2) * radix * !x1
                      = value_sub (pelts x) (!xp.offset + mdn) (!xp.offset)
                        + power radix (sy - 2)
                          * ((pelts x)[(!xp).offset] + radix * !x1)
                      >= power radix (sy - 2)
                          * ((pelts x)[(!xp).offset] + radix * !x1)
                   so vly < power radix (sy - 2)
                   so vy < power radix (sy - 2)
                           + power radix (sy - 2)
                              * (dl + radix * dh)
                           = power radix (sy - 2)
                             * (1 + dl + radix * dh)
                   so power radix (sy - 2)
                      * ((pelts x)[(!xp).offset] + radix * !x1)
                      < power radix (sy - 2) * (1 + dl + radix * dh)
                   so power radix (sy - 2)
                      * ((pelts x)[(!xp).offset] + radix * !x1
                        - (1 + dl + radix * dh))
                      < 0
                   so (pelts x)[(!xp).offset] + radix * !x1
                        - (1 + dl + radix * dh)
                      < 0
                 };
      end
      else begin
        assert { dl + radix * dh
                  > (pelts x)[(!xp).offset + 1] + radix * !x1
                  by
                  dl + radix * dh
                  >= (pelts x)[(!xp).offset + 1] + radix * !x1
                  so dh >= !x1
                  so [@case_split] dh <> !x1
                   \/ (dh = !x1
                      /\ dl <> (pelts x)[(!xp).offset + 1])
                  so
                   [@case_split] dh > !x1 \/
                   (dh = !x1 /\ dl > (pelts x)[(!xp).offset + 1])
        };
        label SmallDiv in
        let ghost vlx = value xd (p2i sy - 2) in
        let xp0 = C.get !xp in
        let xp1 = C.get_ofs !xp 1 in
        begin
          ensures { value xd sy =
                    vlx
                    + power radix (sy - 2) * (xp0 + radix * xp1) }
        value_sub_tail (pelts xd) xd.offset (xd.offset + p2i sy - 1);
        value_sub_tail (pelts xd) xd.offset (xd.offset + p2i sy - 2);
        value_sub_upper_bound (pelts xd) xd.offset (xd.offset + p2i sy - 2);
        assert { value xd sy
                 = vlx + power radix (sy - 2)
                         * (xp0 + radix * xp1)
                 by xd.offset + sy - 2 = !xp.offset
                 so (pelts xd)[xd.offset + sy - 1] = xp1
                 so (pelts xd)[xd.offset + sy - 2] = xp0
                 so pelts xd = pelts !xp
                 so value xd sy
                    = value xd (sy - 1)
                      + power radix (sy - 1)
                            * (pelts xd)[xd.offset + sy - 1]
                    = value xd (sy - 2)
                      + power radix (sy - 2)
                        * (pelts xd)[xd.offset + sy - 2]
                      + power radix (sy - 1)
                        * (pelts xd)[xd.offset + sy - 1]
                    = vlx
                      + power radix (sy - 2) * xp0
                      + power radix (sy - 1) * xp1
                    = value xd (sy - 2)
                      + power radix (sy - 2) * xp0
                      + power radix (sy - 2) * radix * xp1
                    = vlx + power radix (sy - 2)
                         * (xp0 + radix * xp1)
               };
        end;
        let qu, rl, rh =
            div3by2_inv !x1 xp1 xp0 dh dl v in
        ql := qu;
        x1 := rh;
        x0 := rl;
        label SubProd in
        value_sub_concat (pelts x) x.offset xd.offset
                           (x.offset + p2i sy + k - 1);
        let ghost xc = Array.copy (x.data) in
        value_sub_frame (pelts x) xc.elts x.offset (x.offset + p2i !i);
        let cy = wmpn_submul_1 xd y (sy - 2) !ql in
        label PostSub in
        begin
          ensures { value x !i
                 = value (x at SubProd) !i }
          assert { forall j. x.offset <= j < x.offset + !i
                          -> (pelts x)[j] = xc.elts[j]
                   by
                   (pelts x)[j] = (pelts x at SubProd)[j]
                   so
                   ((pelts x at SubProd)[j] = xc.elts[j]
                   by
                   0 <= j /\ j < xc.Array.length
                   ) };
          value_sub_frame (pelts x) xc.elts x.offset (x.offset + p2i !i);
        end;
        let (cy1:limb) = [@vc:sp] if (!x0 < cy) then 1 else 0 in
        x0 := sub_mod !x0 cy;
        let (cy2:limb) = [@vc:sp] if (!x1 < cy1) then 1 else 0 in
        x1 := sub_mod !x1 cy1;
        assert { 0 <= cy2 <= 1 };
        (* assert { cy2 = 1 -> rh = 0 }; (* and cy > rl *)*)
        value_sub_update (pelts x) (!xp).offset xd.offset
                                   (xd.offset + p2i sy - 1) !x0;
        value_sub_update_no_change (pelts x) (!xp).offset
                                   x.offset (x.offset + p2i !i) !x0;
        value_sub_update_no_change (pelts x) (!xp).offset
                                   xd.offset (xd.offset + p2i sy - 2) !x0;
        C.set !xp !x0;
        assert { value x !i
                 = value (x at SubProd) !i
                 by
                 value x !i
                 = value (x at PostSub) !i
                 = value (x at SubProd) !i };
        value_sub_tail (pelts x) xd.offset (xd.offset + p2i sy - 1);
        begin
          ensures { value xd (sy - 1)
                   + power radix (sy - 1) * !x1
                   - power radix sy * cy2
                 = value (xd at SubProd) sy
                   + power radix sy * (!x1 at StartLoop)
                   - !ql * vy }
          assert { value xd (sy - 2)
                   = value (xd at PostSub) (sy - 2) };
          value_sub_tail (pelts y) y.offset (y.offset + p2i sy - 1);
          value_sub_tail (pelts y) y.offset (y.offset + p2i sy - 2);
          let ghost vly = value y (p2i sy - 2) in
          assert { vy = vly + power radix (sy - 2)
                              * (dl + radix * dh)
                   by (pelts y)[y.offset + sy - 1] = dh
                   so (pelts y)[y.offset + sy - 2] = dl
                   so
                      vy = value y (sy - 1)
                            + power radix (sy - 1) * dh
                         = vly + power radix (sy - 2) * dl
                            + power radix (sy - 1) * dh
                   so power radix (sy - 1)
                      = power radix (sy - 2) * radix };
          assert { value xd (sy - 2)
                   - power radix (sy - 2) * cy
                   = vlx - !ql * vly
                   by
                   value xd (sy - 2)
                     - power radix (sy - 2) * cy
                   = value (xd at PostSub) (sy - 2)
                     - power radix (sy - 2) * cy
                   = vlx - !ql * vly
                 };
          assert { power radix sy
                   = power radix (sy - 2) * radix * radix };
          assert { xp0 + radix * xp1
                   + radix * radix * !x1 at StartLoop
                   - !ql * (dl + radix * dh)
                  = rl + radix * rh };
          begin ensures { value (xd at SubProd) sy
                     + power radix sy * (!x1 at StartLoop)
                     - !ql * vy
                   = value xd (sy - 2)
                     - power radix (sy - 2) * cy
                     + power radix (sy - 2) *
                       (rl + radix * rh) }
            assert { value (xd at SubProd) sy
                     = vlx + power radix (sy - 2) * xp0
                           + power radix (sy - 1) * xp1 }; (*nonlinear*)
            assert { !ql * vy = !ql * vly
                                + power radix (sy - 2)
                                  * (!ql * (dl + radix * dh)) }; (*nonlinear*)
           end;
           begin ensures { value xd (sy - 2)
                     - power radix (sy - 2) * cy
                     + power radix (sy - 2) * (rl + radix * rh)
                    =  value xd (sy - 1)
                    + power radix (sy - 1) * !x1
                    - power radix sy * cy2 }
           value_sub_tail (pelts xd) xd.offset (xd.offset + p2i sy - 2);
           assert { value xd (sy - 1)
                    = value xd (sy - 2)
                      + power radix (sy - 2) * !x0
                    by (pelts xd)[xd.offset + sy - 2] = !x0
                    so value xd (sy - 1)
                       = value_sub (pelts xd) xd.offset (xd.offset + sy - 1)
                       = value_sub (pelts xd) xd.offset (xd.offset + sy - 2)
                         + power radix (sy - 2) * !x0
                       = value xd (sy - 2)
                         + power radix (sy - 2) * !x0 };
           assert { rl + radix * rh - cy
                     = !x0 + radix * !x1 - power radix 2 * cy2
                     by
                        (!x0 - radix * cy1 = rl - cy
                         by
                         !x0 = mod (rl - cy) radix
                         so - radix < rl - cy < radix
                         so (if rl < cy
                             then cy1 = 1
                                  /\ (- radix < rl - cy < 0
                                     so
                                     div (rl - cy) radix = - 1
                                     so rl - cy
                                     = radix * div (rl - cy) radix
                                       + mod (rl - cy) radix
                                     = !x0 - radix
                                     = !x0 - radix * cy1)
                             else cy1 = 0 /\ rl - cy = l2i !x0)) }
                    (* nonlinear *)
           end;
        end;
        if [@extraction:unlikely] (not (cy2 = 0))
        then begin
          label Adjust in
          assert { cy2 = 1 };
          begin ensures { !ql > 0 }
            value_sub_lower_bound (pelts y) y.offset (y.offset + p2i sy - 1);
            value_sub_tail (pelts y) y.offset (y.offset + p2i sy - 1);
            value_sub_upper_bound (pelts xd) xd.offset (xd.offset + p2i sy - 1);
            assert { !ql > 0
                      by
                        (value xd (sy - 1)
                         + power radix (sy - 1) * !x1
                         - power radix sy * cy2
                         < 0
                         by
                         value xd (sy - 1) < power radix (sy - 1)
                         so !x1 <= radix - 1
                         so  value xd (sy - 1)
                             + power radix (sy - 1) * !x1
                           < power radix (sy - 1)
                             + power radix (sy - 1) * !x1
                           = power radix (sy - 1) * (1 + !x1)
                           <= power radix (sy - 1) * radix
                           = power radix sy
                         so  value xd (sy - 1)
                             + power radix (sy - 1) * !x1
                             - power radix sy * cy2
                           < power radix sy - power radix sy * cy2
                           = 0
                       )
                      so value (xd at SubProd) sy
                         + power radix sy * (!x1 at StartLoop)
                         - !ql * vy
                         < 0
                      so (value (xd at SubProd) sy
                         + power radix sy * (!x1 at StartLoop) >= 0
                         by value (xd at SubProd) sy >= 0
                         so !x1 at StartLoop >= 0
                         so power radix sy * (!x1 at StartLoop) >= 0
                         )
                      so !ql * vy > 0
                      so vy = value_sub (pelts y)
                                y.offset (y.offset + sy - 1)
                              + power radix (sy - 1) * dh
                      so dh > 0
                      so vy > 0
                   };
          end;
          value_sub_tail (pelts y) y.offset (y.offset + p2i sy - 1);
          value_sub_tail (pelts y) y.offset (y.offset + p2i sy - 2);
          let ghost vly = value y (p2i sy - 2) in
          assert { vy = vly + power radix (sy - 2) * dl
                            + power radix (sy - 1) * dh
                   by (pelts y)[y.offset + sy - 1] = dh
                   so (pelts y)[y.offset + sy - 2] = dl
                   so
                      vy = value y (sy - 1)
                            + power radix (sy - 1) * dh
                         = vly + power radix (sy - 2) * dl
                            + power radix (sy - 1) * dh };
          begin
            ensures { value xd (sy - 1)
                      + power radix (sy - 1) * !x1
                      >= power radix sy - vy }
            assert { value xd (sy - 1)
                      + power radix (sy - 1) * !x1
                     = power radix sy + value (xd at SubProd) sy
                       + power radix sy * (!x1 at StartLoop)
                       - !ql * vy };
            assert {  value (xd at SubProd) sy
                       + power radix sy * (!x1 at StartLoop)
                       - !ql * vy
                      >= - vy
                      by
                         value (xd at SubProd) sy
                         = vlx + power radix (sy - 2) * (xp0 + radix * xp1)
                      so xp0 + radix * xp1 + radix * radix * (!x1 at StartLoop)
                         = !ql * (dl + radix * dh) + rl + radix * rh
                      so power radix (sy - 1) = power radix (sy - 2) * radix
                      so vy = vly + power radix (sy - 2) * (dl + radix * dh)
                      so (!ql * vly < vy
                           by
                          vly <= power radix (sy - 2)
                          so !ql < radix
                          so !ql * vly <= !ql * power radix (sy - 2)
                                       < radix * power radix (sy - 2)
                                       = power radix (sy - 1)
                          so vy = vly + power radix (sy - 2) * (dl + radix * dh)
                          so dh >= div radix 2 > 1
                          so vly >= 0
                          so dl >= 0
                          so vy >= power radix (sy - 2) * radix * dh
                                > power radix (sy - 2) * radix * 1
                                = power radix (sy - 1)
                          )
                      so - !ql * vly > - vy
                      so vlx >= 0
                      so power radix sy = power radix (sy - 2) * radix * radix
                      so value (xd at SubProd) sy
                       + power radix sy * (!x1 at StartLoop)
                       - !ql * vy
                         = vlx + power radix (sy - 2) * (xp0 + radix * xp1)
                           + power radix sy * (!x1 at StartLoop)
                           - !ql * vy
                         = vlx + power radix (sy - 2) * (xp0 + radix * xp1)
                           + power radix (sy - 2)
                             * radix * radix * (!x1 at StartLoop)
                           - !ql * vy
                         = vlx + power radix (sy - 2)
                                 * (xp0 + radix * xp1
                                     + radix * radix * (!x1 at StartLoop))
                           - !ql * vy
                         = vlx + power radix (sy - 2) *
                               (!ql * (dl + radix * dh) + rl + radix * rh)
                           - !ql * vy
                         = vlx + power radix (sy - 2) *
                               (!ql * (dl + radix * dh) + rl + radix * rh)
                           - !ql * (vly
                                    + power radix (sy - 2) * (dl + radix * dh))
                         = vlx + power radix (sy - 2) * (rl + radix * rh)
                           - !ql * vly
                         >= power radix (sy - 2) * (rl + radix * rh)
                            - !ql * vly
                         >= - !ql * vly > - vy
                   };
          end;
          let ghost xc = Array.copy (x.data) in
          assert { forall j. x.offset <= j < x.offset + !i
                          -> (pelts x)[j] = xc.elts[j]
                   by
                   0 <= x.offset <= j /\ j < x.offset + !i <= xc.Array.length
                   so 0 <= j < xc.Array.length
                 } ;
          value_sub_frame (pelts x) xc.elts x.offset (x.offset + p2i !i);
          let c = wmpn_add_n_in_place xd y (sy - 1) in
          begin
          ensures { value x !i
                 = value (x at Adjust) !i }
          assert { forall j. x.offset <= j < x.offset + !i
                          -> (pelts x)[j] = xc.elts[j]
                   by
                   pelts (xd at Adjust) = pelts (x at Adjust)
                   so pelts x = pelts xd
                   so (pelts x)[j] = (pelts x at Adjust)[j]
                   so
                   ((pelts x at Adjust)[j] = xc.elts[j]
                   by
                   0 <= j /\ j < xc.Array.length
                   ) } ;
          value_sub_frame (pelts x) xc.elts x.offset (x.offset + p2i !i);
          end;
          label MidAdd in
          begin
            ensures { value xd (sy - 1) + power radix (sy - 1) * !x1
                      = value (xd at Adjust) (sy - 1)
                      + power radix (sy - 1) * (!x1 at Adjust)
                      + vy
                      - power radix sy }
            assert { 0 <= c <= 1
                     by
                     value xd (sy - 1) + c * power radix (sy - 1)
                     = value (xd at Adjust) (sy - 1)
                       + value y (sy - 1)
                     so
                        value (xd at Adjust) (sy - 1)
                        < power radix (sy - 1)
                     so value y (sy - 1) < power radix (sy - 1)
                     so value xd (sy - 1) >= 0
                     so c * power radix (sy - 1) < 2 * power radix (sy - 1)
                     so let p = power radix (sy - 1) in
                        (c < 2 by c * p < 2 * p so p > 0)
                   };
            let ghost c' = div (l2i !x1 + l2i dh + l2i c) radix in
            x1 := add_mod !x1 (add_mod dh c);
            assert { !x1 + c' * radix = !x1 at Adjust + dh + c
                     by
                        (!x1 = mod (!x1 at Adjust + dh + c) radix
                        by
                        !x1 = mod (!x1 at Adjust + (mod (dh + c) radix)) radix
                        so mod (div (dh + c) radix * radix + !x1 at Adjust
                                + mod (dh + c) radix) radix
                           = mod (!x1 at Adjust + (mod (dh + c) radix)) radix
                        so !x1 = mod (div (dh + c) radix * radix + !x1 at Adjust
                                + mod (dh + c) radix) radix
                               = mod (!x1 at Adjust + dh + c) radix
                        )
                     so (!x1 at Adjust) + dh + c
                        = div (!x1 at Adjust + dh + c) radix * radix
                          + mod (!x1 at Adjust + dh + c) radix
                        = c' * radix + !x1
                     };
            assert { 0 <= c' <= 1 };
            value_sub_tail (pelts y) y.offset (y.offset + p2i sy - 1);
            assert { value xd (sy - 1) + power radix (sy - 1) * !x1
                     = value (xd at Adjust) (sy - 1)
                       + power radix (sy - 1) * (!x1 at Adjust)
                       + vy
                       - power radix sy
                     by
                     value xd (sy - 1) + power radix (sy - 1) * c
                     = value (xd at Adjust) (sy - 1)
                       + value y (sy - 1)
                     so vy = value y (sy - 1)
                             + power radix (sy - 1) * dh
                     so value xd (sy - 1) + power radix (sy - 1) * c
                         + power radix (sy - 1) * (!x1 at Adjust)
                         + power radix (sy - 1) * dh
                        = value (xd at Adjust) (sy - 1)
                           + value y (sy - 1)
                           + power radix (sy - 1) * (!x1 at Adjust)
                           + power radix (sy - 1) * dh
                        = value (xd at Adjust) (sy - 1)
                           + power radix (sy - 1) * (!x1 at Adjust)
                           + vy
                     so value xd (sy - 1) + power radix (sy - 1) * c
                         + power radix (sy - 1) * (!x1 at Adjust)
                         + power radix (sy - 1) * dh
                        = value xd (sy - 1)
                          + power radix (sy - 1) * (c + dh + !x1 at Adjust)
                        = value xd (sy - 1)
                          + power radix (sy - 1) * (!x1 + radix * c')
                        = value xd (sy - 1)
                          + power radix (sy - 1) * !x1
                          + power radix sy * c'
                      so  value xd (sy - 1)
                            + power radix (sy - 1) * !x1
                            + power radix sy * c'
                          = value (xd at Adjust) (sy - 1)
                            + power radix (sy - 1) * (!x1 at Adjust)
                            + vy
                      so value (xd at Adjust) (sy - 1)
                            + power radix (sy - 1) * (!x1 at Adjust)
                         >= power radix sy - vy
                      so value xd (sy - 1) < power radix (sy - 1)
                      so !x1 <= radix - 1
                      so power radix (sy - 1) * !x1
                         <= power radix (sy - 1) * (radix - 1)
                      so value xd (sy - 1)
                            + power radix (sy - 1) * !x1
                         <= value xd (sy - 1)
                            + power radix (sy - 1) * (radix - 1)
                         < power radix (sy - 1)
                           + power radix (sy - 1) * (radix - 1)
                         = power radix sy
                      so c' <> 0
                      so c' = 1
                      };
          end;
          ql := !ql - 1;
          (* todo refl *)
          assert { value xd (sy - 1) + power radix (sy - 1) * !x1
                   =  value (xd at SubProd) sy
                   + power radix sy * (!x1 at StartLoop)
                   - !ql * vy
                   by
                   value xd (sy - 1) + power radix (sy - 1) * !x1
                   = value (xd at Adjust) (sy - 1)
                       + power radix (sy - 1) * (!x1 at Adjust)
                       + vy
                       - power radix sy
                   = value (xd at SubProd) sy
                     + power radix sy * (!x1 at StartLoop)
                     - (!ql at Adjust) * vy
                     + vy
                   = value (xd at SubProd) sy
                     + power radix sy * (!x1 at StartLoop)
                     - (!ql + 1) * vy
                     + vy
                   = value (xd at SubProd) sy
                     + power radix sy * (!x1 at StartLoop)
                     - !ql * vy };
          qp.contents <- C.incr !qp (-1);
          value_sub_update_no_change (pelts q) (!qp).offset
                            ((!qp).offset + 1)
                            ((!qp).offset + p2i sx - p2i sy - p2i !i)
                            !ql;
          C.set !qp !ql;
          value_sub_head (pelts q) (!qp).offset
            ((!qp).offset + p2i sx - p2i sy - p2i !i);
          value_sub_tail (pelts x) x.offset (x.offset + p2i sy + p2i !i - 1);
          value_sub_concat (pelts x) x.offset xd.offset (x.offset + s);
          (* todo refl *)
          assert { value (old x) sx =
                  (value !qp (sx - sy - !i)
                   + qh * power radix (sx - sy - !i))
                  * vy * power radix !i
                  + value x (sy + !i - 1)
                  + power radix (sy + !i - 1) * !x1
                 by
                    value !qp (sx - sy - !i)
                    = !ql + radix *
                          value_sub (pelts q) ((!qp).offset + 1)
                                    ((!qp).offset + sx - sy - !i)
                 so (value_sub (pelts q) ((!qp).offset + 1)
                              ((!qp).offset + sx - sy - !i)
                    = value (!qp at StartLoop)
                              (sx - sy - k)
                     by
                     (!qp at StartLoop).offset = (!qp).offset + 1
                     so ((!qp).offset + sx - sy - !i)
                         - ((!qp).offset + 1)
                        = sx - sy - k
                     )
                 so value !qp (sx - sy - !i)
                    = !ql + radix * value (!qp at StartLoop)
                                    (sx - sy - k)
                 so (value x s
                    = value x !i
                      + power radix !i
                        * value xd (sy - 1)
                     by
                        xd.offset = x.offset + !i
                     so x.offset + s = xd.offset + sy - 1
                     so pelts x = pelts xd
                     so x.offset + s - xd.offset = sy - 1
                     so value_sub (pelts x) xd.offset (x.offset + s)
                        = value xd (sy - 1)
                     so value x s
                        = value_sub (pelts x) x.offset xd.offset
                          + power radix !i * value_sub (pelts x) xd.offset (x.offset + s)
                        = value x !i
                          + power radix !i * value xd (sy - 1)
                        )
                 so (power radix s
                    = power radix !i * power radix (sy - 1)
                    by
                    let n = !i in
                    let m = sy - 1 in
                    let x = radix in
                    power x s = power x (n + m)
                    so (power x (n + m) = power x n * power x m
                       by 0 <= n
                       so 0 <= m
                       so forall x:int, n:int, m:int.
                                 0 <= n -> 0 <= m -> power x (n + m) = (power x n * power x m)))
                 so (value x s + power radix s * !x1
                    = value x !i
                      + power radix !i *
                        (value (xd at SubProd) sy
                        + power radix sy * (!x1 at StartLoop)
                        - !ql * vy)
                    by  value xd (sy - 1)
                         + power radix (sy - 1) * !x1
                       = value (xd at SubProd) sy
                         + power radix sy * (!x1 at StartLoop)
                         - !ql * vy
                    so value x s + power radix s * !x1
                    = value x !i
                      + power radix !i
                        * value xd (sy - 1)
                      + power radix (!i + sy - 1) * !x1
                    = value x !i
                      + power radix !i
                        * value xd (sy - 1)
                      + power radix !i
                        * power radix (sy - 1) * !x1
                    = value x !i
                      + power radix !i *
                        (value xd (sy - 1)
                         + power radix (sy - 1) * !x1)
                    = value x !i
                      + power radix !i *
                        (value (xd at SubProd) sy
                        + power radix sy * (!x1 at StartLoop)
                        - !ql * vy)
                    )
                 so (value (x at StartLoop) (sy + k - 1)
                    = value (x at SubProd) !i
                      + power radix !i
                        * value (xd at SubProd) sy
                    by
                     value (x at StartLoop) (sy + k - 1)
                     = value_sub (pelts x at SubProd) (x at SubProd).offset
                                 ((x at SubProd).offset + sy + k - 1)
                     = value_sub (pelts x at SubProd) (x at SubProd).offset xd.offset
                       + power radix (xd.offset - (x at SubProd).offset)
                         * value_sub (pelts x at SubProd) xd.offset
                           ((x at SubProd).offset + sy + k - 1)
                     so (x at SubProd).offset = x.offset
                     so xd.offset = x.offset + !i
                     so value_sub (pelts x at SubProd) (x at SubProd).offset xd.offset
                        = value (x at SubProd) !i
                     so power radix (xd.offset - x.offset) = power radix !i
                     so x.offset + sy + k - 1 - xd.offset = p2i sy
                     so value_sub (pelts x at SubProd) xd.offset
                                  (x.offset + sy + k - 1)
                        = value (xd at SubProd) sy
                    )
                 so (value x !i
                    = value (x at SubProd) !i
                    by
                    value x !i
                    = value (x at Adjust) !i
                    = value (x at SubProd) !i
                    )
                 so power radix !i * power radix sy = power radix (!i + sy)
                 so value x s + power radix s * !x1
                    - value (x at StartLoop) (sy + k - 1)
                    = value x !i
                      + power radix !i *
                        (value (xd at SubProd) sy
                        + power radix sy * (!x1 at StartLoop)
                        - !ql * vy)
                      - (value (x at SubProd) !i
                         + power radix !i
                         * value (xd at SubProd) sy)
                    = value x !i
                      + power radix !i *
                        (value (xd at SubProd) sy
                        + power radix sy * (!x1 at StartLoop)
                        - !ql * vy)
                      - (value x !i
                         + power radix !i
                         * value (xd at SubProd) sy)
                    =  power radix !i
                       * (power radix sy * (!x1 at StartLoop)
                          - !ql * vy)
                    = power radix !i * power radix sy * (!x1 at StartLoop)
                      - power radix !i * !ql * vy
                    = power radix (!i + sy) * (!x1 at StartLoop)
                      - power radix !i * !ql * vy
                    = power radix (sy + k - 1) * (!x1 at StartLoop)
                      - power radix !i * !ql * vy
                 so value x s + power radix s * !x1
                    = value (x at StartLoop) (sy + k - 1)
                      + power radix (sy + k - 1) * (!x1 at StartLoop)
                      - power radix !i * !ql * vy
                 so power radix (sx - sy - !i)
                    = radix * power radix (sx - sy - k)
                 so radix * power radix !i = power radix k
                 so  (value !qp (sx - sy - !i)
                       + qh * power radix (sx - sy - !i))
                       * vy * power radix !i
                       + value x (sy + !i - 1)
                       + power radix (sy + !i - 1) * !x1
                    = (!ql + radix * value (!qp at StartLoop)
                                                      (sx - sy - k)
                       + qh * power radix (sx - sy - !i))
                       * vy * power radix !i
                       + value x (sy + !i - 1)
                       + power radix (sy + !i - 1) * !x1
                    = (!ql + radix * value (!qp at StartLoop)
                                                      (sx - sy - k)
                       + qh * radix * power radix (sx - sy - k))
                       * vy * power radix !i
                       + value x (sy + !i - 1)
                       + power radix (sy + !i - 1) * !x1
                    = !ql * vy * power radix !i
                      + (value (!qp at StartLoop)
                                                 (sx - sy - k)
                                 + qh * power radix (sx - sy - k))
                        * vy * radix * power radix !i
                      + value x (sy + !i - 1)
                      + power radix (sy + !i - 1) * !x1
                    = !ql * vy * power radix !i
                      + (value (!qp at StartLoop)
                                                 (sx - sy - k)
                                 + qh * power radix (sx - sy - k))
                        * vy * power radix k
                      + value x (sy + !i - 1)
                      + power radix (sy + !i - 1) * !x1
                    = !ql * vy * power radix !i
                      + (value (!qp at StartLoop)
                                                 (sx - sy - k)
                                 + qh * power radix (sx - sy - k))
                        * vy * power radix k
                      + value x s
                      + power radix s * !x1
                    = !ql * vy * power radix !i
                      + (value (!qp at StartLoop)
                                                 (sx - sy - k)
                                 + qh * power radix (sx - sy - k))
                        * vy * power radix k
                      +  value (x at StartLoop) (sy + k - 1)
                      + power radix (sy + k - 1) * (!x1 at StartLoop)
                      - power radix !i * !ql * vy
                    = (value (!qp at StartLoop)
                                                 (sx - sy - k)
                                 + qh * power radix (sx - sy - k))
                        * vy * power radix k
                      +  value (x at StartLoop) (sy + k - 1)
                      + power radix (sy + k - 1) * (!x1 at StartLoop)
                    = value (old x) sx
                };
        assert { value_sub (pelts x) (!xp.offset + mdn)
                 (!xp.offset + mdn + sy - 1)
                 + power radix (sy - 1) * !x1
                 < vy
                 by
                 (value xd (sy - 1) + power radix (sy - 1) * !x1 < vy
                   by
                   value xd (sy - 1) + power radix (sy - 1) * !x1
                   = value (xd at Adjust) (sy - 1)
                     + power radix (sy - 1) * (!x1 at Adjust)
                     + vy
                     - power radix sy
                   so value (xd at Adjust) (sy - 1)
                      < power radix (sy - 1)
                   so 1 + (!x1 at Adjust) <= radix
                   so value (xd at Adjust) (sy - 1)
                      + power radix (sy - 1) * (!x1 at Adjust)
                      + vy
                      - power radix sy
                    < power radix (sy - 1)
                      + power radix (sy - 1) * (!x1 at Adjust)
                      + vy
                      - power radix sy
                    = power radix (sy - 1) * (1 + !x1 at Adjust)
                      + vy
                      - power radix sy
                    <= power radix (sy - 1) * radix
                      + vy
                      - power radix sy
                    = vy
                 )
                 so pelts x = pelts xd
                 so xd.offset = !xp.offset + mdn
                 so value xd (sy - 1)
                    = value_sub (pelts x) (!xp.offset + mdn)
                                          (!xp.offset + mdn + sy - 1)
               };
        assert { dl + radix * dh
                 >= (pelts x)[(!xp).offset] + radix * !x1
                 by
                    vy = vly + power radix (sy - 2)
                             * (dl + radix * dh)
                 so value_sub (pelts x) (!xp.offset + mdn)
                              (!xp.offset + mdn + sy - 1)
                    + power radix (sy - 1) * !x1
                    < vy
                 so !xp.offset + mdn + sy - 1 = !xp.offset + 1
                 so power radix (sy - 1) = power radix (sy - 2) * radix
                 so - mdn = sy - 2
                 so vy
                    > value_sub (pelts x) (!xp.offset + mdn)
                                          (!xp.offset + mdn + sy - 1)
                      + power radix (sy - 1) * !x1
                    = value_sub (pelts x) (!xp.offset + mdn)
                                          (!xp.offset + 1)
                      + power radix (sy - 1) * !x1
                    = value_sub (pelts x) (!xp.offset + mdn) (!xp.offset)
                      + power radix (- mdn) * (pelts x)[(!xp).offset]
                      + power radix (sy - 1) * !x1
                    = value_sub (pelts x) (!xp.offset + mdn) (!xp.offset)
                      + power radix (sy - 2) * (pelts x)[(!xp).offset]
                      + power radix (sy - 1) * !x1
                    = value_sub (pelts x) (!xp.offset + mdn) (!xp.offset)
                      + power radix (sy - 2) * (pelts x)[(!xp).offset]
                      + power radix (sy - 2) * radix * !x1
                    = value_sub (pelts x) (!xp.offset + mdn) (!xp.offset)
                      + power radix (sy - 2)
                        * ((pelts x)[(!xp).offset] + radix * !x1)
                    >= power radix (sy - 2)
                        * ((pelts x)[(!xp).offset] + radix * !x1)
                 so vly < power radix (sy - 2)
                 so vy < power radix (sy - 2)
                         + power radix (sy - 2)
                           * (dl + radix * dh)
                         = power radix (sy - 2)
                           * (1 + dl + radix * dh)
                 so power radix (sy - 2)
                    * ((pelts x)[(!xp).offset] + radix * !x1)
                    < power radix (sy - 2) * (1 + dl + radix * dh)
                 so power radix (sy - 2)
                    * ((pelts x)[(!xp).offset] + radix * !x1
                      - (1 + dl + radix * dh))
                    < 0
                 so (pelts x)[(!xp).offset] + radix * !x1
                      - (1 + dl + radix * dh)
                    < 0
               };
        end
        else begin
          qp.contents <- C.incr !qp (-1);
          value_sub_update_no_change (pelts q) (!qp).offset
                            ((!qp).offset + 1)
                            ((!qp).offset + p2i sx - p2i sy - p2i !i)
                            !ql;
          C.set !qp !ql;
          value_sub_head (pelts q) (!qp).offset
            ((!qp).offset + p2i sx - p2i sy - p2i !i);
          assert { value !qp (sx - sy - !i) * vy
                    = !ql * vy + radix *
                          (value_sub (pelts q) ((!qp).offset + 1)
                                    ((!qp).offset + sx - sy - !i) * vy) }; (*nonlinear*)
          assert { value_sub (pelts q) ((!qp).offset + 1)
                                    ((!qp).offset + sx - sy - !i) * vy
                   =  (value !qp (sx - sy - !i) * vy at StartLoop) }; (*nonlinear*)
          value_tail x (sy + !i - 1);
          value_sub_concat (pelts x) x.offset xd.offset (x.offset + s);
          (* todo refl *)
          assert { cy2 = 0 };
          assert { value x !i = value (x at SubProd) !i };
          assert { value x s = value x !i + power radix !i * value xd (sy-1)
                     by xd.offset = x.offset + !i
                     so x.offset + s = xd.offset + sy - 1
                     so pelts x = pelts xd
                     so x.offset + s - xd.offset = sy - 1
                     so value_sub (pelts x) xd.offset (x.offset + s)
                        = value xd (sy - 1)
                     so value x s
                        = value_sub (pelts x) x.offset xd.offset
                          + power radix !i * value_sub (pelts x) xd.offset (x.offset + s)
                        = value x !i
                          + power radix !i * value xd (sy - 1)}; (*lifted from assertion*)
          assert { (value !qp (sx - sy - !i) + qh * power radix (sx - sy - !i))
                   * vy
                   = value !qp (sx - sy - !i) * vy
                     + qh * vy * power radix (sx - sy - !i)  }; (*nonlinear*)
          assert { ((value !qp (sx - sy - !i) + qh * power radix (sx - sy - !i))
                   * vy at StartLoop)
                   = (value !qp (sx - sy - !i) * vy
                     + qh * vy * power radix (sx - sy - !i) at StartLoop)  }; (*nonlinear*)
          assert { value x s = value x (sy + !i - 1) };
          assert { value (xd at SmallDiv) sy =
                    vlx + power radix (sy - 2) * xp0
                    + power radix (sy - 1) * xp1 };  (*nonlinear*)
          assert { value (x at SubProd) (sy + (!i at StartLoop) - 1)
                   = value (x at SubProd) !i + power radix !i * value (xd at SubProd) sy };
          assert { value (old x) sx =
                  (value !qp (sx - sy - !i)
                   + qh * power radix (sx - sy - !i))
                  * vy * power radix !i
                  + value x (sy + !i - 1)
                  + power radix (sy + !i - 1) * !x1 };
          value_sub_tail (pelts y) y.offset (y.offset + p2i sy - 1);
          value_sub_tail (pelts y) y.offset (y.offset + p2i sy - 2);
          let ghost vly = value y (p2i sy - 2) in
          assert { vy = vly + power radix (sy - 2) * dl
                            + power radix (sy - 1) * dh
                   by (pelts y)[y.offset + sy - 1] = dh
                   so (pelts y)[y.offset + sy - 2] = dl
                   so
                      vy = value y (sy - 1)
                            + power radix (sy - 1) * dh
                         = vly + power radix (sy - 2) * dl
                            + power radix (sy - 1) * dh };
          assert { value_sub (pelts x) (!xp.offset + mdn)
                   (!xp.offset + mdn + sy - 1)
                   + power radix (sy - 1) * !x1
                   < vy
                   by
                     pelts x = pelts xd
                   so xd.offset = !xp.offset + mdn
                   so !xp.offset + mdn + sy - 1 = xd.offset + sy - 1
                   so
                     value xd (sy - 1)
                     = value_sub (pelts xd) xd.offset (xd.offset + sy - 1)
                     = value_sub (pelts x) (!xp.offset + mdn)
                       (!xp.offset + mdn + sy - 1)
                   so value xd (sy - 1)
                      + power radix (sy - 1) * !x1
                      - power radix sy * cy2
                      = value (xd at SubProd) sy
                      + power radix sy * (!x1 at StartLoop)
                      - !ql * vy
                   so cy2 = 0
                   so value xd (sy - 1)
                      + power radix (sy - 1) * !x1
                      = value (xd at SubProd) sy
                      + power radix sy * (!x1 at StartLoop)
                      - !ql * vy
                   so !ql * (dl + radix * dh)
                      + (rl + radix * rh)
                      = xp0
                        + radix * xp1
                        + radix * radix * (!x1 at StartLoop)
                   so vy = vly + power radix (sy - 2)
                                 * (dl + radix * dh)
                   so !ql * vy
                      = power radix (sy - 2) *
                          (xp0
                          + radix * xp1
                          + radix * radix * (!x1 at StartLoop))
                        - power radix (sy - 2) * (rl + radix * rh)
                        + !ql * vly
                   so value (xd at SubProd) sy
                       = vlx
                        + power radix (sy - 2) * (xp0 + radix * xp1)
                   so power radix sy
                      = power radix (sy - 2) * radix * radix
                   so (value (xd at SubProd) sy
                      + power radix sy * (!x1 at StartLoop)
                      - !ql * vy
                      < vy
                      by
                      (!ql * vly >= 0
                       by !ql >= 0 so vly >= 0)
                      so (power radix (sy - 2) * (rl + radix * rh)
                         <= power radix (sy - 2)
                            * (dl + radix * dh)
                            - power radix (sy - 2)
                         by
                         rl + radix * rh <= dl + radix * dh - 1
                         so power radix (sy - 2) >= 0
                         so power radix (sy - 2) * (rl + radix * rh)
                            <= power radix (sy - 2)
                               * (dl + radix * dh - 1)
                            = power radix (sy - 2)
                              * (dl + radix * dh)
                              - power radix (sy - 2)
                         )
                      so vlx < power radix (sy - 2)
                      so value (xd at SubProd) sy
                        + power radix sy * (!x1 at StartLoop)
                        - !ql * vy
                      = vlx
                        + power radix (sy - 2) * (xp0 + radix * xp1)
                        + power radix sy * (!x1 at StartLoop)
                        - !ql * vy
                      = vlx
                        + power radix (sy - 2) *
                                (xp0 + radix * xp1
                                  + radix * radix * (!x1 at StartLoop))
                        - !ql * vy
                      = vlx
                        + power radix (sy - 2) *
                                (xp0 + radix * xp1
                                  + radix * radix * (!x1 at StartLoop))
                        -  (power radix (sy - 2) *
                           (xp0
                            + radix * xp1
                            + radix * radix * (!x1 at StartLoop))
                          - power radix (sy - 2) * (rl + radix * rh)
                          + !ql * vly)
                      = vlx
                        + power radix (sy - 2) * (rl + radix * rh)
                        - !ql * vly
                      <= vlx
                        + power radix (sy - 2) * (rl + radix * rh)
                      <= vlx
                         +  power radix (sy - 2)
                            * (dl + radix * dh)
                         - power radix (sy - 2)
                      <  power radix (sy - 2)
                         +  power radix (sy - 2)
                            * (dl + radix * dh)
                         - power radix (sy - 2)
                      = power radix (sy - 2) * (dl + radix * dh)
                      = vy - vly <= vy
                      )
                    so value_sub (pelts x) (!xp.offset + mdn)
                       (!xp.offset + mdn + sy - 1)
                       + power radix (sy - 1) * !x1
                       = value xd (sy - 1)
                         + power radix (sy - 1) * !x1
                       = value (xd at SubProd) sy
                        + power radix sy * (!x1 at StartLoop)
                        - !ql * vy
                       < vy
                 };
          value_sub_tail (pelts x) (!xp.offset + p2i mdn) (!xp.offset);
          value_sub_upper_bound (pelts y) (y.offset) (y.offset + p2i sy - 2);
          value_sub_lower_bound (pelts x) (!xp.offset + p2i mdn) (!xp.offset);
          assert { dl + radix * dh
                   >= (pelts x)[(!xp).offset] + radix * !x1
                   by
                   vy = vly + power radix (sy - 2)
                              * (dl + radix * dh)
                   so value_sub (pelts x) (!xp.offset + mdn)
                   (!xp.offset + mdn + sy - 1)
                   + power radix (sy - 1) * !x1
                   < vy
                   so !xp.offset + mdn + sy - 1 = !xp.offset + 1
                   so power radix (sy - 1) = power radix (sy - 2) * radix
                   so - mdn = sy - 2
                   so vy
                      > value_sub (pelts x) (!xp.offset + mdn)
                                            (!xp.offset + mdn + sy - 1)
                        + power radix (sy - 1) * !x1
                      = value_sub (pelts x) (!xp.offset + mdn)
                                            (!xp.offset + 1)
                        + power radix (sy - 1) * !x1
                      = value_sub (pelts x) (!xp.offset + mdn) (!xp.offset)
                        + power radix (- mdn) * (pelts x)[(!xp).offset]
                        + power radix (sy - 1) * !x1
                      = value_sub (pelts x) (!xp.offset + mdn) (!xp.offset)
                        + power radix (sy - 2) * (pelts x)[(!xp).offset]
                        + power radix (sy - 1) * !x1
                      = value_sub (pelts x) (!xp.offset + mdn) (!xp.offset)
                        + power radix (sy - 2) * (pelts x)[(!xp).offset]
                        + power radix (sy - 2) * radix * !x1
                      = value_sub (pelts x) (!xp.offset + mdn) (!xp.offset)
                        + power radix (sy - 2)
                          * ((pelts x)[(!xp).offset] + radix * !x1)
                      >= power radix (sy - 2)
                          * ((pelts x)[(!xp).offset] + radix * !x1)
                   so vly < power radix (sy - 2)
                   so vy < power radix (sy - 2)
                           + power radix (sy - 2)
                              * (dl + radix * dh)
                           = power radix (sy - 2)
                             * (1 + dl + radix * dh)
                   so power radix (sy - 2)
                      * ((pelts x)[(!xp).offset] + radix * !x1)
                      < power radix (sy - 2) * (1 + dl + radix * dh)
                   so power radix (sy - 2)
                      * ((pelts x)[(!xp).offset] + radix * !x1
                        - (1 + dl + radix * dh))
                      < 0
                   so (pelts x)[(!xp).offset] + radix * !x1
                        - (1 + dl + radix * dh)
                      < 0
                 };
        end;
      end;
    done;
    label EndLoop in
    assert { !i = 0 };
    assert { !xp.offset = x.offset + sy - 2 };
    value_sub_update_no_change (pelts x) (!xp.offset + 1)
                               x.offset (!xp.offset) !x1;
    C.set_ofs !xp 1 !x1;
    assert { value x (sy - 1) =
             value (x at EndLoop) (sy - 1)
             by pelts x = Map.set (pelts x at EndLoop) (x.offset + sy - 1) !x1 };
    value_sub_tail (pelts x) x.offset (!xp.offset+1);
    (* todo refl *)
    assert { value (old x) sx =
              (value q (sx - sy)
              + power radix (sx - sy) * qh)
                * value y sy
              + value x sy
             by
               value x sy
                = value x (sy - 1)
                  + power radix (sy - 1) * !x1
             so vy = value y sy
             so value (old x) sx
                = (value !qp (sx - sy - !i)
                  + qh * power radix (sx - sy - !i))
                  * vy * power radix !i
                  + value x (sy + !i - 1)
                  + power radix (sy + !i - 1) * !x1
                = (value !qp (sx - sy)
                  + qh * power radix (sx - sy))
                  * vy * 1
                  + value x (sy - 1)
                  + power radix (sy - 1) * !x1
                = (value !qp (sx - sy)
                  + qh * power radix (sx - sy))
                  * value y sy
                  + value x sy };
    qh

  let wmpn_divrem_2 (q x y:t) (sx:int32) : limb
    requires { 2 <= sx }
    requires { valid x sx }
    requires { valid y 2 }
    requires { valid q (sx - 2) }
    requires { (pelts y)[y.offset + 1] >= div radix 2 }
    requires { writable q /\ writable x }
    ensures { value (old x) sx =
              (value q (sx - 2)
               + power radix (sx - 2) * result)
              * value y 2
              + value x 2 }
    ensures { value x 2 < value y 2 }
    ensures { 0 <= result <= 1 }
  =
    let xp = ref (C.incr x (sx - 2)) in
    let dh = C.get_ofs y 1 in
    let dl = C.get y in
    let rh = ref (C.get_ofs !xp 1) in
    let rl = ref (C.get !xp) in
    let qh = ref 0 in
    let lx = ref 0 in
    assert { value y 2 = dl + radix * dh };
    let i = ref (sx - 2) in
    let dinv = reciprocal_word_3by2 dh dl in
    ([@vc:sp] if (!rh >= dh && ([@vc:sp] !rh > dh || !rl >= dl))
    then
      label Adjust in
      begin
        ensures { value x sx
                  = (value_sub (pelts q) (q.offset + !i) (q.offset + sx - 2)
                      + !qh * power radix (sx - 2 - !i))
                    * value y 2 * power radix !i
                    + value x !i
                    + power radix !i * (!rl + radix * !rh) }
        ensures { !rl + radix * !rh < dl + radix * dh }
        ensures { !qh = 1 }
        let (r0, b) = sub_with_borrow !rl dl 0 in
        let (r1, ghost b') = sub_with_borrow !rh dh b in
        assert { b' = 0 };
        assert { r0 + radix * r1 = !rl + radix * !rh - (dl + radix * dh) };
        value_sub_tail (pelts x) x.offset (x.offset + p2i sx - 1);
        value_sub_tail (pelts x) x.offset (x.offset + p2i sx - 2);
        rh := r1;
        rl := r0;
        qh := 1;
        assert { value x sx
                  = (value_sub (pelts q) (q.offset + !i) (q.offset + sx - 2)
                      + !qh * power radix (sx - 2 - !i))
                    * value y 2 * power radix !i
                    + value x !i
                    + power radix !i * (!rl + radix * !rh)
                 by
                 value_sub (pelts q) (q.offset + !i) (q.offset + sx - 2) = 0
                 so (value_sub (pelts q) (q.offset + !i) (q.offset + sx - 2)
                      + !qh * power radix (sx - 2 - !i))
                    * value y 2 * power radix !i
                    + value x !i
                    + power radix !i * (!rl + radix * !rh)
                  = value y 2 * power radix !i
                    + value x !i
                    + power radix !i * (!rl + radix * !rh)
                  = value x !i
                    + power radix !i * (dl + radix * dh + !rl + radix * !rh)
                  = value x !i
                    + power radix !i * (!rl at Adjust + radix * !rh at Adjust)
                  = value x !i
                    + power radix !i * !rl at Adjust
                    + power radix (!i+1) * !rh at Adjust
                  = value x sx
               };
      end
    else
      begin
        ensures { value x sx
                  = (value_sub (pelts q) (q.offset + !i) (q.offset + sx - 2)
                      + !qh * power radix (sx - 2 - !i))
                    * value y 2 * power radix !i
                    + value x !i
                    + power radix !i * (!rl + radix * !rh) }
        ensures { !rl + radix * !rh < dl + radix * dh }
        ensures { !qh = 0 }
        value_sub_tail (pelts x) x.offset (x.offset + p2i sx - 1);
        value_sub_tail (pelts x) x.offset (x.offset + p2i sx - 2);
      end);
    while (!i > 0) do
      variant { !i }
      invariant { 0 <= !i <= sx - 2 }
      invariant { !xp.offset = x.offset + !i }
      invariant { plength !xp = plength x }
      invariant { !xp.min = x.min }
      invariant { !xp.max = x.max }
      invariant { pelts !xp = pelts x }
      invariant { writable !xp }
      invariant { value x sx
                  = (value_sub (pelts q) (q.offset + !i) (q.offset + sx - 2)
                      + !qh * power radix (sx - 2 - !i))
                    * value y 2 * power radix !i
                    + value x !i
                    + power radix !i * (!rl + radix * !rh) }
      invariant { !rl + radix * !rh < dl + radix * dh }
      label StartLoop in
      let ghost k = p2i !i in
      xp.contents <- C.incr !xp (-1);
      lx := C.get !xp;
      label Got in
      let (qu, r0, r1) = div3by2_inv !rh !rl !lx dh dl dinv in
      rh := r1;
      rl := r0;
      i := !i - 1;
      C.set_ofs q !i qu;
      assert { qu * (dl + radix * dh) + r0 + radix * r1
               = !lx + radix * (!rl at StartLoop)
                     + radix * radix * (!rh at StartLoop)
               by
                 radix * ((!rl at StartLoop) + radix * (!rh at StartLoop))
                 = radix * (!rl at StartLoop) + radix * radix * (!rh at StartLoop)
               so
                 qu * (dl + radix * dh) + r0 + radix * r1
               = !lx + radix * ((!rl at StartLoop) + radix * (!rh at StartLoop))
               = !lx + radix * (!rl at StartLoop)
                     + radix * radix * (!rh at StartLoop)
             };
      value_sub_head (pelts q) (q.offset + p2i !i) (q.offset + p2i sx - 2);
      value_sub_tail (pelts x) x.offset (x.offset + p2i !i);
      assert { value x sx
                  = (value_sub (pelts q) (q.offset + !i) (q.offset + sx - 2)
                      + !qh * power radix (sx - 2 - !i))
                    * value y 2 * power radix !i
                    + value x !i
                    + power radix !i * (!rl + radix * !rh)
               by
                  value x k = value x !i + power radix !i * !lx
               so value_sub (pelts q) (q.offset + !i) (q.offset + sx - 2)
                 = qu + radix
                        * value_sub (pelts q) (q.offset + k) (q.offset + sx - 2)
               so power radix (sx - 2 - !i) = radix * power radix (sx - 2 - k)
               so
                 (value_sub (pelts q) (q.offset + !i) (q.offset + sx - 2)
                        + !qh * power radix (sx - 2 - !i))
                 = qu + radix
                        * (value_sub (pelts q) (q.offset + k) (q.offset + sx - 2)
                           + !qh * power radix (sx - 2 - k))
               so power radix !i * radix  = power radix k
               so ((value_sub (pelts q) (q.offset + !i) (q.offset + sx - 2)
                      + !qh * power radix (sx - 2 - !i))
                    * value y 2 * power radix !i
                  = power radix !i * qu * (dl + radix * dh)
                    + (value_sub (pelts q) (q.offset + k)
                                                   (q.offset + sx - 2)
                               + !qh * power radix (sx - 2 - k))
                      * value y 2 * power radix k
                  by
                  (value_sub (pelts q) (q.offset + !i) (q.offset + sx - 2)
                      + !qh * power radix (sx - 2 - !i))
                    * value y 2 * power radix !i
                  = (qu + radix
                         * (value_sub (pelts q) (q.offset + k)
                                                (q.offset + sx - 2)
                             + !qh * power radix (sx - 2 - k)))
                    * value y 2 * power radix !i
                  = power radix !i * qu * (dl + radix * dh)
                    + radix * (value_sub (pelts q) (q.offset + k)
                                                   (q.offset + sx - 2)
                               + !qh * power radix (sx - 2 - k))
                      * value y 2 * power radix !i
                  = power radix !i * qu * (dl + radix * dh)
                    + (value_sub (pelts q) (q.offset + k)
                                                   (q.offset + sx - 2)
                               + !qh * power radix (sx - 2 - k))
                      * value y 2 * power radix k)
               so (value_sub (pelts q) (q.offset + !i) (q.offset + sx - 2)
                      + !qh * power radix (sx - 2 - !i))
                    * value y 2 * power radix !i
                    + value x !i
                    + power radix !i * (!rl + radix * !rh)
                  = power radix !i * qu * (dl + radix * dh)
                    + (value_sub (pelts q) (q.offset + k)
                                           (q.offset + sx - 2)
                               + !qh * power radix (sx - 2 - k))
                      * value y 2 * power radix k
                    + value x !i
                    + power radix !i * (!rl + radix * !rh)
                  = (value_sub (pelts q) (q.offset + k)
                                           (q.offset + sx - 2)
                               + !qh * power radix (sx - 2 - k))
                      * value y 2 * power radix k
                    + value x !i
                    + power radix !i * (qu * (dl + radix * dh)
                                        + !rl + radix * !rh)
                  = (value_sub (pelts q) (q.offset + k)
                                           (q.offset + sx - 2)
                               + !qh * power radix (sx - 2 - k))
                      * value y 2 * power radix k
                    + value x !i
                    + power radix !i
                      * (!lx + radix * (!rl at StartLoop)
                         + radix * radix * (!rh at StartLoop))
                  = (value_sub (pelts q) (q.offset + k)
                                           (q.offset + sx - 2)
                               + !qh * power radix (sx - 2 - k))
                      * value y 2 * power radix k
                    + value x !i
                    + power radix !i * !lx
                    + power radix !i * (radix * (!rl at StartLoop
                                                 + radix * !rh at StartLoop))
                  = (value_sub (pelts q) (q.offset + k)
                                           (q.offset + sx - 2)
                               + !qh * power radix (sx - 2 - k))
                      * value y 2 * power radix k
                    + value x k
                    + power radix !i * (radix * (!rl at StartLoop
                                                 + radix * !rh at StartLoop))
                  = (value_sub (pelts q) (q.offset + k)
                                           (q.offset + sx - 2)
                               + !qh * power radix (sx - 2 - k))
                      * value y 2 * power radix k
                    + value x k
                    + power radix k * (!rl at StartLoop
                                       + radix * !rh at StartLoop)
                  = value x sx
          };
    done;
    assert { !i = 0 };
    assert { value x sx
             = (value_sub (pelts q) q.offset (q.offset + sx - 2)
                      + !qh * power radix (sx - 2))
                    * value y 2
                    + !rl + radix * !rh
             by power radix !i = 1 };
    C.set_ofs x 1 !rh;
    C.set x !rl;
    assert { value x 2 = !rl + radix * !rh
             by (pelts x)[x.offset] = !rl
                /\ (pelts x)[x.offset + 1] = !rh};
    !qh

  (** `div_qr q r x y sx sy` divides `(x, sx)` by `(y, sy)`, writes the quotient
    in `(q, (sx-sy))` and the remainder in `(r, sy)`. Corresponds to
    `mpn_tdiv_qr`. *)
  let div_qr (q r x y nx ny:t) (sx sy:int32) : unit
    requires { 1 <= sy <= sx <= (Int32.max_int32 - 1) }
    requires { valid x sx }
    requires { valid y sy }
    requires { valid q (sx - sy + 1) }
    requires { valid r sy }
    requires { valid nx (sx + 1) }
    requires { valid ny sy }
    requires { writable nx /\ writable ny }
    requires { (pelts y)[y.offset + sy - 1] > 0 }
    requires { writable q /\ writable r }
    ensures { value x sx
              = value q (sx - sy + 1) * value y sy
                + value r sy }
    ensures { value r sy < value y sy }
  =
    label Start in
    value_sub_tail (pelts y) y.offset (y.offset + p2i sy - 1);
    value_sub_lower_bound (pelts y) y.offset (y.offset + p2i sy - 1);
    assert { value y sy >= power radix (sy - 1) };
    if (sy = 1)
    then
      let lr = wmpn_divrem_1 q x sx (C.get y) in
      C.set r lr
    else
    if (sy = 2)
    then
      let clz = clz_ext (C.get_ofs y (sy - 1)) in
      let ghost p = power 2 (p2i clz) in
      if clz = 0
      then begin
        wmpn_copyi nx x sx;
        value_sub_shift_no_change (pelts x) x.offset (p2i sx) (p2i sx) 0;
        C.set_ofs nx sx 0;
        value_sub_frame_shift (pelts x) (pelts nx) x.offset nx.offset (p2i sx);
        label Div2_ns in
        let ghost _qh = wmpn_divrem_2 q nx y (sx + 1) in
        wmpn_copyi r nx sy;
        assert { value x sx
                 = value q (sx - sy + 1) * value y sy
                 + value r sy
               by value r sy = value nx sy
               so value (nx at Div2_ns) (sx + 1) < power radix sx
               so value (nx at Div2_ns) (sx + 1)
                  = value (nx at Div2_ns) sx
               so (_qh = 0
                   by
                   power radix sx
                   > value (nx at Div2_ns) (sx + 1)
                   = (value q (sx - 1) + power radix (sx - 1) * _qh)
                    * value y 2
                    + value nx 2
                   so value nx 2 >= 0
                   so value y 2 >= radix
                   so value q (sx - 1) >= 0
                   so _qh >= 0
                   so (value q (sx - 1)
                           + power radix (sx - 1) * _qh) >= 0
                   so (value q (sx - 1) + power radix (sx - 1) * _qh)
                      * value y 2
                      + value nx 2
                      >= (value q (sx - 1)
                           + power radix (sx - 1) * _qh)
                         * value y 2
                      >= (value q (sx - 1)
                           + power radix (sx - 1) * _qh)
                         * radix
                      >= power radix (sx - 1) * _qh * radix
                      = power radix sx * _qh
                   so power radix sx > power radix sx * _qh
                  )
               so value x sx = value (nx at Div2_ns) sx
               };
        ()
      end
      else begin
        let ghost _c = wmpn_lshift ny y sy (Limb.of_int32 clz) in
        begin
          ensures { normalized ny sy }
          ensures { value ny sy = power 2 clz * value y sy }
          let ghost dh = (pelts y)[y.offset + p2i sy - 1] in
          assert { value y sy
                   = value y (sy - 1) + power radix (sy - 1) * dh };
          value_sub_upper_bound (pelts y) y.offset (y.offset + p2i sy - 1);
          value_sub_tail (pelts ny) ny.offset (ny.offset + p2i sy - 1);
          value_sub_upper_bound (pelts ny) ny.offset (ny.offset + p2i sy - 1);
          let ghost ndh = (pelts ny)[ny.offset + p2i sy - 1] in
          assert { normalized ny sy
                   /\ value ny sy = power 2 clz * value y sy
                   by
                   value y sy < (dh + 1) * power radix (sy - 1)
                   so value ny sy + (power radix sy) * _c
                      = power 2 clz * value y sy
                      = power 2 clz
                        * (value y (sy - 1)
                           + dh * power radix (sy - 1))
                   so power 2 clz * dh <= radix - power 2 clz
                   so value ny sy + (power radix sy) * _c
                      = power 2 clz * value y (sy - 1)
                        + power 2 clz * dh * power radix (sy - 1)
                      < power 2 clz * power radix (sy - 1)
                        + power 2 clz * dh * power radix (sy - 1)
                      <= power 2 clz * power radix (sy - 1)
                        + (radix - power 2 clz) * power radix (sy - 1)
                       = radix * power radix (sy - 1)
                       = power radix sy
                   so _c = 0
                   so value ny sy
                      = power 2 clz * value y sy
                   so value y sy >= dh * power radix (sy - 1)
                   so value ny sy
                      >= power 2  clz * dh * power radix (sy - 1)
                   so value ny sy =
                      value ny (sy - 1) + power radix (sy - 1) * ndh
                      < power radix (sy - 1) + power radix (sy - 1) * ndh
                      = power radix (sy - 1) * (ndh + 1)
                   so power radix (sy - 1) * (ndh + 1)
                      > power radix (sy - 1) * (power 2 clz * dh)
                   so ndh + 1 > power 2 clz * dh
                   so ndh >= power 2 clz * dh
                   so 2 * power 2 clz * dh >= radix
                   so 2 * ndh >= radix
                   so ndh >= div radix 2
                 };
        end;
        let h = wmpn_lshift nx x sx (Limb.of_int32 clz) in
        C.set_ofs nx sx h;
        begin
          ensures { value nx (sx + 1)
                    = p * value x sx  }
          value_sub_tail (pelts nx) nx.offset (nx.offset + p2i sx);
          assert { value nx (sx + 1)
                    = p * value x sx
                   by
                   value nx sx + power radix sx * h
                    = p * value x sx
                   so value nx (sx + 1)
                      = value nx sx + power radix sx * h
                 }
        end;
        label Div2_s in
        (* TODO don't add 1 when not needed, cf "adjust" in GMP algo *)
        let ghost _qh = wmpn_divrem_2 q nx ny (sx + 1) in
        let ghost _l = wmpn_rshift r nx sy (Limb.of_int32 clz) in
        begin ensures { value nx 2 = p * value r 2 }
          assert { _l = 0
                 by
                   (mod (value nx sy) p = 0
                    by
                      value (nx at Div2_s) (sx + 1)
                   = (value q (sx - 1) + power radix (sx - 1) * _qh)
                      * value ny sy
                      + value nx sy
                   so value (nx at Div2_s) (sx + 1)
                    = p * value x sx
                   so value ny sy = p * value y sy
                   so value nx sy
                      = value (nx at Div2_s) (sx + 1)
                        - (value q (sx - 1)
                          + power radix (sx - 1) * _qh)
                          * value ny sy
                      = p * value x sx
                        - p * (value q (sx - 1)
                               + power radix (sx - 1) * _qh)
                            * value y sy
                      = p * (value x sx
                             - (value q (sx - 1)
                               + power radix (sx - 1) * _qh)
                               * value y sy)
                   so let n = (value x sx
                                - (value q (sx - 1)
                                   + power radix (sx - 1) * _qh)
                                   * value y sy)
                      in
                      value nx sy = p * n
                      so value nx sy >= 0
                      so p > 0
                      so n >= 0
                      so mod (value nx sy) p
                         = mod (p * n) p
                         = mod ((p*n)+0) p
                         = mod 0 p
                         = 0
                 )
                 so _l + radix * value r sy
                    = power 2 (Limb.length - clz) * (value nx sy)
                 so let a = div (value nx sy) p in
                    value nx sy = p * a
                 so power 2 (Limb.length - clz) * p = radix
                 so power 2 (Limb.length - clz) * (value nx sy)
                    = power 2 (Limb.length - clz) * (p * a)
                    = (power 2 (Limb.length - clz) * p) * a
                    = radix * a
                 so mod (radix * value r sy + _l) radix
                    = mod _l radix
                 so mod (radix * value r sy + _l) radix
                    = mod (radix * a) radix = 0
                 so mod _l radix = 0
                 so 0 <= _l < radix
               };
          assert { value nx 2 = p * value r 2
                   by
                   radix * value r 2
                   = power 2 (Limb.length - clz) * value nx 2
                   so p * power 2 (Limb.length - clz)
                      = radix
                   so p * radix * value r 2
                      = p * power 2 (Limb.length - clz) * value nx 2
                      = radix * value nx 2
                   so p * value r 2 = value nx 2
                 }
        end;
        assert { value x sx
                 = value q (sx - sy + 1) * value y sy
                 + value r sy
                by
                 value (nx at Div2_s) (sx + 1)
                 = (value q (sx - 1) + power radix (sx - 1) * _qh)
                   * value ny 2
                   + value nx 2
                so value (nx at Div2_s) (sx + 1)
                    = p * value x sx
                so value ny 2 = p * value y 2
                so (_qh = 0
                    by
                    value x sx < power radix sx
                    so value y 2 >= radix
                    so value ny 2 >= p * radix
                    so value q (sx - 1) >= 0
                    so value nx 2 >= 0
                    so (value q (sx - 1) + power radix (sx - 1) * _qh)
                        >= 0
                    so (value q (sx - 1) + power radix (sx - 1) * _qh)
                         * value ny 2
                       + value nx 2
                       >= (value q (sx - 1)
                           + power radix (sx - 1) * _qh)
                          * value ny 2
                       >= (value q (sx - 1)
                           + power radix (sx - 1) * _qh)
                          * (p * radix)
                       >= power radix (sx - 1) * _qh * p * radix
                       = power radix sx * p * _qh
                    so power radix sx * p
                       > value (nx at Div2_s) (sx + 1)
                       >= power radix sx * p * _qh
                    )
                so value nx 2 = p * value r 2
                so p * value x sx
                   = value q (sx - 1) * p * value y 2
                     + p * value r 2
                   = p * (value q (sx - 1) * value y 2
                          + value r 2)
               };
        ()
      end
    else
     (* let qn = ref (Int32.(-) (Int32.(+) sx 1) sy) in
      if (Int32.(>=)  (Int32.(+) !qn !qn) sx)
      then*) begin
        let adjust =
          if (get_ofs x (sx - 1)) >= (get_ofs y (sy - 1))
          then 1
          else 0
        in
        let clz = clz_ext (C.get_ofs y (sy - 1)) in
        let ghost p = power 2 (p2i clz) in
        if clz = 0
        then begin
          wmpn_copyi nx x sx;
          value_sub_shift_no_change (pelts x) x.offset
                                    (p2i sx) (p2i sx) 0;
          C.set_ofs nx sx 0;
          value_sub_frame_shift (pelts x) (pelts nx) x.offset nx.offset (p2i sx);
          assert { value y sy * (power radix (sx - sy + adjust))
                   > value nx (sx + adjust)
                   by
                   let dh = (pelts y)[y.offset + sy - 1] in
                   value y sy >= dh * power radix (sy - 1)
                   so value nx (sx + adjust) = value nx sx = value x sx
                   so [@case_split]
                      ((adjust = 1
                           so value x sx < power radix sx
                           so value y sy * power radix (sx - sy + adjust)
                              >= dh * power radix (sy - 1)
                                    * power radix (sx - sy + adjust)
                              = dh * power radix ((sy - 1) + (sx - sy + adjust))
                              = dh * power radix sx
                           so dh >= div radix 2 > 1
                           so dh * power radix sx > power radix sx )
                      \/
                      (adjust = 0
                           so let ah = (pelts x)[x.offset + sx - 1] in
                              value x sx < (ah + 1) * power radix (sx - 1)
                              so ah + 1 <= dh
                              so value x sx < dh * power radix (sx - 1)
                              so value y sy * power radix (sx - sy + adjust)
                                 = value y sy * power radix (sx - sy)
                                 >= dh * power radix (sy - 1)
                                       * power radix (sx - sy)
                                 = dh * power radix (sy - 1 + sx - sy)
                                 = dh * power radix (sx - 1))) };
          label Div_ns in
          let ghost _qh = div_sb_qr q nx (sx + adjust) y sy in
          wmpn_copyi r nx sy;
          assert { value x sx
                   = value q (sx - sy + adjust) * value y sy
                   + value r sy
                 by value r sy = value nx sy
                 so value (nx at Div_ns) (sx + adjust) = value x sx < power radix sx
                 so value (nx at Div_ns) (sx + adjust)
                    = value (nx at Div_ns) sx
                 so (_qh = 0
                     by
                     value (nx at Div_ns) (sx + adjust)
                     = (value q (sx - sy + adjust)
                        + power radix (sx - sy + adjust) * _qh)
                      * value y sy
                      + value nx sy
                     so value nx sy >= 0
                     so value q (sx - sy + adjust) >= 0
                     so _qh >= 0
                     so (value q (sx - sy + adjust)
                             + power radix (sx - sy + adjust) * _qh) >= 0
                     so (value q (sx - sy + adjust)
                         + power radix (sx - sy + adjust) * _qh)
                        * value y sy
                        + value nx sy
                        >= (value q (sx - sy + adjust)
                             + power radix (sx - sy + adjust) * _qh)
                           * value y sy
                        >= power radix (sx - sy + adjust) * _qh * value y sy
                     so _qh <> 1)
                 so value x sx = value (nx at Div_ns) sx
                 };
           label Ret_ns in
           begin
             ensures { value q (sx - sy + 1)
                       = value (q at Ret_ns) (sx - sy + adjust) }
             if (adjust = 0)
             then begin
               value_sub_shift_no_change (pelts x) x.offset
                                         (p2i sx) (p2i sx) 0;
               set_ofs q (sx - sy) 0;
               value_sub_tail (pelts q) q.offset (q.offset + p2i sx - p2i sy);
               ()
             end
           end
        end
        else begin
          let ghost _c = wmpn_lshift ny y sy (Limb.of_int32 clz) in
          begin
            ensures { normalized ny sy }
            ensures { value ny sy
                      = power 2 clz * value y sy }
            let ghost dh = (pelts y)[y.offset + p2i sy - 1] in
            assert { value y sy
                     = value y (sy - 1) + power radix (sy - 1) * dh };
            value_sub_upper_bound (pelts y) y.offset (y.offset + p2i sy - 1);
            value_sub_tail (pelts ny) ny.offset (ny.offset + p2i sy - 1);
            value_sub_upper_bound (pelts ny) ny.offset (ny.offset + p2i sy - 1);
            let ghost ndh = (pelts ny)[ny.offset + p2i sy - 1] in
            assert { normalized ny sy
                     /\ value ny sy
                        = power 2 clz * value y sy
                     by
                     value y sy < (dh + 1) * power radix (sy - 1)
                     so value ny sy + (power radix sy) * _c
                        = power 2 clz * value y sy
                        = power 2 clz
                          * (value y (sy - 1)
                             + dh * power radix (sy - 1))
                     so power 2 clz * dh <= radix - power 2 clz
                     so (_c = 0
                        by
                          value ny sy + (power radix sy) * _c
                          = power 2 clz * value y (sy - 1)
                            + power 2 clz * dh * power radix (sy - 1)
                          < power 2 clz * power radix (sy - 1)
                            + power 2 clz * dh * power radix (sy - 1)
                          <= power 2 clz * power radix (sy - 1)
                            + (radix - power 2 clz) * power radix (sy - 1)
                           = radix * power radix (sy - 1)
                           = power radix sy
                        so value ny sy >= 0
                        so power radix sy * _c < power radix sy
                        so power radix sy > 0
                        so _c >= 0
                        )
                     so value ny sy
                        = power 2 clz * value y sy
                     so value y sy >= dh * power radix (sy - 1)
                     so value ny sy
                        >= power 2  clz * dh * power radix (sy - 1)
                     so value ny sy =
                        value ny (sy - 1) + power radix (sy - 1) * ndh
                        < power radix (sy - 1) + power radix (sy - 1) * ndh
                        = power radix (sy - 1) * (ndh + 1)
                     so power radix (sy - 1) * (ndh + 1)
                        > power radix (sy - 1) * (power 2 clz * dh)
                     so ndh + 1 > power 2 clz * dh
                     so ndh >= power 2 clz * dh
                     so 2 * power 2 clz * dh >= radix
                     so 2 * ndh >= radix
                     so ndh >= div radix 2
                   };
          end;
          let h = wmpn_lshift nx x sx (Limb.of_int32 clz) in
          label Shifted in
          C.set_ofs nx sx h;
          begin
            ensures { value nx (sx + adjust)
                      = p * value x sx  }
            if (adjust = 1)
            then begin
              value_sub_tail (pelts nx) nx.offset (nx.offset + p2i sx);
              assert { value nx (sx + 1)
                        = p * value x sx
                       by
                       value nx sx + power radix sx * h
                        = p * value x sx
                       so value nx (sx + 1)
                          = value nx sx + power radix sx * h
                     } end
            else begin
              assert { adjust = 0 };
              assert { h = 0
                       by
                       let dh = (pelts y)[y.offset + sy - 1] in
                       let ah = (pelts x)[x.offset + sx - 1] in
                       p * dh < radix
                       so 0 <= ah <= dh
                       so p * ah < radix
                       so (p * ah <= radix - p
                           by
                           let q = power 2 (Limb.length - clz) in
                           radix = p * q
                           so p * ah < p * q
                           so ah < q
                           so ah <= q - 1
                           so p * ah <= p * (q - 1) = radix - p
                           )
                       so p * (ah + 1) <= radix
                       so let s = power radix (sx - 1) in
                          value x sx < (ah + 1) * s
                       so p * value x sx < p * (ah + 1) * s
                       so (p * (ah + 1) * s
                           <= radix * s
                           by
                           [@case_split]
                           (p * (ah + 1) = radix
                           \/ (p * (ah + 1) < radix
                               so s > 0
                               so p * (ah + 1) * s
                                 < radix * s)))
                       so radix * power radix (sx - 1) = power radix sx
                       so value (nx at Shifted) sx + power radix sx * h
                          < power radix sx
                       so power radix sx * h < power radix sx * 1
                       so (h < 1 by power radix sx > 0)
                      }
            end
          end;
          label Div_s in
          assert { value ny sy * (power radix (sx - sy + adjust))
                   > value nx (sx + adjust)
                   by
                   let dh = (pelts y)[y.offset + sy - 1] in
                   value ny sy >= p * dh * power radix (sy - 1)
                   so value nx (sx + adjust) = p * value x sx
                   so p > 0
                   so [@case_split]
                      ((adjust = 1
                           so value x sx < power radix sx
                           so p * value x sx < p * power radix sx
                           so value ny sy * power radix (sx - sy + adjust)
                              >= p * dh * power radix (sy - 1)
                                    * power radix (sx - sy + adjust)
                              = p * dh * power radix ((sy - 1) + (sx - sy + adjust))
                              = p * dh * power radix sx
                           so dh >= 1
                           so p * dh * power radix sx >= p * power radix sx )
                      \/
                      (adjust = 0
                           so let ah = (pelts x)[x.offset + sx - 1] in
                              value x sx < (ah + 1) * power radix (sx - 1)
                              so ah + 1 <= dh
                              so value x sx < dh * power radix (sx - 1)
                              so p * value x sx < p * dh * power radix (sx - 1)
                              so value ny sy * power radix (sx - sy + adjust)
                                 = value ny sy * power radix (sx - sy)
                                 >= p * dh * power radix (sy - 1)
                                       * power radix (sx - sy)
                                 = p * dh * power radix (sy - 1 + sx - sy)
                                 = p * dh * power radix (sx - 1))) };
          let ghost _qh = div_sb_qr q nx (sx + adjust) ny sy in
          let ghost _l = wmpn_rshift r nx sy (Limb.of_int32 clz) in
          begin ensures { value nx sy = p * value r sy }
            assert { _l = 0
                   by
                     (mod (value nx sy) p = 0
                      by
                        value (nx at Div_s) (sx + adjust)
                     = (value q (sx - sy + adjust)
                         + power radix (sx - sy + adjust) * _qh)
                        * value ny sy
                        + value nx sy
                     so value (nx at Div_s) (sx + adjust)
                      = p * value x sx
                     so value ny sy = p * value y sy
                     so value nx sy
                        = value (nx at Div_s) (sx + adjust)
                          - (value q (sx - sy + adjust)
                            + power radix (sx - sy + adjust) * _qh)
                            * value ny sy
                        = p * value x sx
                          - p * (value q (sx - sy + adjust)
                                 + power radix (sx - sy + adjust) * _qh)
                              * value y sy
                        = p * (value x sx
                               - (value q (sx - sy + adjust)
                                 + power radix (sx - sy + adjust) * _qh)
                                 * value y sy)
                     so let n = (value x sx
                                  - (value q (sx - sy + adjust)
                                     + power radix (sx - sy + adjust) * _qh)
                                     * value y sy)
                        in
                        value nx sy = p * n
                        so value nx sy >= 0
                        so p > 0
                        so n >= 0
                        so mod (value nx sy) p
                           = mod (p * n) p
                           = mod ((p*n)+0) p
                           = mod 0 p
                           = 0
                   )
                   so _l + radix * value r sy
                      = power 2 (Limb.length - clz) * (value nx sy)
                   so let a = div (value nx sy) p in
                      value nx sy = p * a
                   so power 2 (Limb.length - clz) * p = radix
                   so power 2 (Limb.length - clz) * (value nx sy)
                      = power 2 (Limb.length - clz) * (p * a)
                      = (power 2 (Limb.length - clz) * p) * a
                      = radix * a
                   so mod (radix * value r sy + _l) radix
                      = mod _l radix
                   so mod (radix * value r sy + _l) radix
                      = mod (radix * a) radix = 0
                   so mod _l radix = 0
                   so 0 <= _l < radix
                 };
            assert { value nx sy = p * value r sy
                     by
                     radix * value r sy
                     = power 2 (Limb.length - clz) * value nx sy
                     so p * power 2 (Limb.length - clz)
                        = radix
                     so p * radix * value r sy
                        = p * power 2 (Limb.length - clz) * value nx sy
                        = radix * value nx sy
                     so p * value r sy = value nx sy
                   }
          end;
          assert { value x sx
                   = value q (sx - sy + adjust) * value y sy
                   + value r sy
                  by
                   value (nx at Div_s) (sx + adjust)
                   = (value q (sx - sy + adjust)
                       + power radix (sx - sy + adjust) * _qh)
                     * value ny sy
                     + value nx sy
                  so value (nx at Div_s) (sx + adjust)
                      = p * value x sx
                  so power radix (sx - sy + 1) * power radix (sy - 1)
                     = power radix sx
                  so value ny sy = p * value y sy
                  so (_qh = 0
                     by
                     value (nx at Div_s) (sx + adjust)
                     = (value q (sx - sy + adjust)
                        + power radix (sx - sy + adjust) * _qh)
                      * value ny sy
                      + value nx sy
                     so value nx sy >= 0
                     so value q (sx - sy + adjust) >= 0
                     so _qh >= 0
                     so (value q (sx - sy + adjust)
                             + power radix (sx - sy + adjust) * _qh) >= 0
                     so (value q (sx - sy + adjust)
                         + power radix (sx - sy + adjust) * _qh)
                        * value ny sy
                        + value nx sy
                        >= (value q (sx - sy + adjust)
                             + power radix (sx - sy + adjust) * _qh)
                           * value ny sy
                        >= power radix (sx - sy + adjust) * _qh * value ny sy
                     so _qh <> 1)
                  so value nx sy = p * value r sy
                  so p * value x sx
                     = value q (sx - sy + adjust) * p * value y sy
                       + p * value r sy
                     = p * (value q (sx - sy + adjust)
                       * value y sy
                            + value r sy)
                 };
          label Ret_s in
          begin
            ensures { value q (sx - sy + 1)
                      = value (q at Ret_s) (sx - sy + adjust) }
            if (adjust = 0)
            then begin
              value_sub_shift_no_change (pelts x) x.offset
                                        (p2i sx) (p2i sx) 0;
              set_ofs q (sx - sy) 0;
              value_sub_tail (pelts q) q.offset (q.offset + p2i sx - p2i sy);
              assert { value q (sx - sy + 1) = value (q at Ret_s) (sx - sy)
                       by value q (sx - sy + 1)
                          = value (q at Ret_s) (sx - sy) + power radix (sx - sy) * 0
                          = value (q at Ret_s) (sx - sy) }
            end
          end;
          ()
        end
        end

  let wmpn_tdiv_qr (q r:t) (qxn:int32) (x:t) (sx:int32) (y:t) (sy:int32) : unit
    requires { 1 <= sy <= sx <= (Int32.max_int32 - 1) }
    requires { valid x sx }
    requires { valid y sy }
    requires { valid q (sx - sy + 1) }
    requires { valid r sy }
    requires { writable q /\ writable r }
    requires { qxn = 0 }
    requires { (pelts y)[y.offset + sy - 1] > 0 }
    ensures { value x sx
              = value q (sx - sy + 1) * value y sy
                + value r sy }
    ensures { value r sy < value y sy }
  =
    let nx = malloc (UInt32.(+) (UInt32.of_int32 sx) 1) in
    c_assert (is_not_null nx);
    let ny = malloc (UInt32.of_int32 sy) in
    c_assert (is_not_null ny);
    div_qr q r x y nx ny sx sy;
    free nx;
    free ny

  let div_qr_in_place (q x y nx ny:t) (sx sy:int32) : unit
    requires { 1 <= sy <= sx <= (Int32.max_int32 - 1) }
    requires { valid x sx }
    requires { valid y sy }
    requires { valid q (sx - sy + 1) }
    requires { valid nx (sx + 1) }
    requires { valid ny sy }
    requires { writable q /\ writable x }
    requires { writable nx /\ writable ny }
    requires { (pelts y)[y.offset + sy - 1] > 0 }
    ensures { value (old x) sx
              = value q (sx - sy + 1) * value y sy
                + value x sy }
    ensures { value x sy < value y sy }
  =
    label Start in
    value_sub_tail (pelts y) y.offset (y.offset + p2i sy - 1);
    value_sub_lower_bound (pelts y) y.offset (y.offset + p2i sy - 1);
    assert { value y sy >= power radix (sy - 1) };
    let ghost ox = pure { x } in
    if (sy = 1)
    then
      let lr = wmpn_divrem_1 q x sx (C.get y) in
      C.set x lr
    else
    if (sy = 2)
    then
      let clz = clz_ext (C.get_ofs y (sy - 1)) in
      let ghost p = power 2 (p2i clz) in
      if clz = 0
      then begin
        wmpn_copyi nx x sx;
        value_sub_shift_no_change (pelts x) x.offset (p2i sx) (p2i sx) 0;
        C.set_ofs nx sx 0;
        value_sub_frame_shift (pelts x) (pelts nx) x.offset nx.offset (p2i sx);
        label Div2_ns in
        let ghost _qh = wmpn_divrem_2 q nx y (sx + 1) in
        wmpn_copyi x nx sy;
        assert { value ox sx
                 = value q (sx - sy + 1) * value y sy
                 + value x sy
               by value x sy = value nx sy
               so value (nx at Div2_ns) (sx + 1) < power radix sx
               so value (nx at Div2_ns) (sx + 1)
                  = value (nx at Div2_ns) sx
               so (_qh = 0
                   by
                   power radix sx
                   > value (nx at Div2_ns) (sx + 1)
                   = (value q (sx - 1) + power radix (sx - 1) * _qh)
                    * value y 2
                    + value nx 2
                   so value nx 2 >= 0
                   so value y 2 >= radix
                   so value q (sx - 1) >= 0
                   so _qh >= 0
                   so (value q (sx - 1)
                           + power radix (sx - 1) * _qh) >= 0
                   so (value q (sx - 1) + power radix (sx - 1) * _qh)
                      * value y 2
                      + value nx 2
                      >= (value q (sx - 1)
                           + power radix (sx - 1) * _qh)
                         * value y 2
                      >= (value q (sx - 1)
                           + power radix (sx - 1) * _qh)
                         * radix
                      >= power radix (sx - 1) * _qh * radix
                      = power radix sx * _qh
                   so power radix sx > power radix sx * _qh
                  )
               so value ox sx = value (nx at Div2_ns) sx
               };
        ()
      end
      else begin
        let ghost _c = wmpn_lshift ny y sy (Limb.of_int32 clz) in
        begin
          ensures { normalized ny sy }
          ensures { value ny sy = power 2 clz * value y sy }
          let ghost dh = (pelts y)[y.offset + p2i sy - 1] in
          assert { value y sy
                   = value y (sy - 1) + power radix (sy - 1) * dh };
          value_sub_upper_bound (pelts y) y.offset (y.offset + p2i sy - 1);
          value_sub_tail (pelts ny) ny.offset (ny.offset + p2i sy - 1);
          value_sub_upper_bound (pelts ny) ny.offset (ny.offset + p2i sy - 1);
          let ghost ndh = (pelts ny)[ny.offset + p2i sy - 1] in
          assert { normalized ny sy
                   /\ value ny sy = power 2 clz * value y sy
                   by
                   value y sy < (dh + 1) * power radix (sy - 1)
                   so value ny sy + (power radix sy) * _c
                      = power 2 clz * value y sy
                      = power 2 clz
                        * (value y (sy - 1)
                           + dh * power radix (sy - 1))
                   so power 2 clz * dh <= radix - power 2 clz
                   so value ny sy + (power radix sy) * _c
                      = power 2 clz * value y (sy - 1)
                        + power 2 clz * dh * power radix (sy - 1)
                      < power 2 clz * power radix (sy - 1)
                        + power 2 clz * dh * power radix (sy - 1)
                      <= power 2 clz * power radix (sy - 1)
                        + (radix - power 2 clz) * power radix (sy - 1)
                       = radix * power radix (sy - 1)
                       = power radix sy
                   so _c = 0
                   so value ny sy
                      = power 2 clz * value y sy
                   so value y sy >= dh * power radix (sy - 1)
                   so value ny sy
                      >= power 2  clz * dh * power radix (sy - 1)
                   so value ny sy =
                      value ny (sy - 1) + power radix (sy - 1) * ndh
                      < power radix (sy - 1) + power radix (sy - 1) * ndh
                      = power radix (sy - 1) * (ndh + 1)
                   so power radix (sy - 1) * (ndh + 1)
                      > power radix (sy - 1) * (power 2 clz * dh)
                   so ndh + 1 > power 2 clz * dh
                   so ndh >= power 2 clz * dh
                   so 2 * power 2 clz * dh >= radix
                   so 2 * ndh >= radix
                   so ndh >= div radix 2
                 };
        end;
        let h = wmpn_lshift nx x sx (Limb.of_int32 clz) in
        C.set_ofs nx sx h;
        begin
          ensures { value nx (sx + 1)
                    = p * value ox sx  }
          value_sub_tail (pelts nx) nx.offset (nx.offset + p2i sx);
          assert { value nx (sx + 1)
                    = p * value ox sx
                   by
                   value nx sx + power radix sx * h
                    = p * value ox sx
                   so value nx (sx + 1)
                      = value nx sx + power radix sx * h
                 }
        end;
        label Div2_s in
        (* TODO don't add 1 when not needed, cf "adjust" in GMP algo *)
        let ghost _qh = wmpn_divrem_2 q nx ny (sx + 1) in
        let ghost _l = wmpn_rshift x nx sy (Limb.of_int32 clz) in
        begin ensures { value nx 2 = p * value x 2 }
          assert { _l = 0
                 by
                   (mod (value nx sy) p = 0
                    by
                      value (nx at Div2_s) (sx + 1)
                   = (value q (sx - 1) + power radix (sx - 1) * _qh)
                      * value ny sy
                      + value nx sy
                   so value (nx at Div2_s) (sx + 1)
                    = p * value ox sx
                   so value ny sy = p * value y sy
                   so value nx sy
                      = value (nx at Div2_s) (sx + 1)
                        - (value q (sx - 1)
                          + power radix (sx - 1) * _qh)
                          * value ny sy
                      = p * value ox sx
                        - p * (value q (sx - 1)
                               + power radix (sx - 1) * _qh)
                            * value y sy
                      = p * (value ox sx
                             - (value q (sx - 1)
                               + power radix (sx - 1) * _qh)
                               * value y sy)
                   so let n = (value ox sx
                                - (value q (sx - 1)
                                   + power radix (sx - 1) * _qh)
                                   * value y sy)
                      in
                      value nx sy = p * n
                      so value nx sy >= 0
                      so p > 0
                      so n >= 0
                      so mod (value nx sy) p
                         = mod (p * n) p
                         = mod ((p*n)+0) p
                         = mod 0 p
                         = 0
                 )
                 so _l + radix * value x sy
                    = power 2 (Limb.length - clz) * (value nx sy)
                 so let a = div (value nx sy) p in
                    value nx sy = p * a
                 so power 2 (Limb.length - clz) * p = radix
                 so power 2 (Limb.length - clz) * (value nx sy)
                    = power 2 (Limb.length - clz) * (p * a)
                    = (power 2 (Limb.length - clz) * p) * a
                    = radix * a
                 so mod (radix * value x sy + _l) radix
                    = mod _l radix
                 so mod (radix * value x sy + _l) radix
                    = mod (radix * a) radix = 0
                 so mod _l radix = 0
                 so 0 <= _l < radix
               };
          assert { value nx 2 = p * value x 2
                   by
                   radix * value x 2
                   = power 2 (Limb.length - clz) * value nx 2
                   so p * power 2 (Limb.length - clz)
                      = radix
                   so p * radix * value x 2
                      = p * power 2 (Limb.length - clz) * value nx 2
                      = radix * value nx 2
                   so p * value x 2 = value nx 2
                 }
        end;
        assert { value ox sx
                 = value q (sx - sy + 1) * value y sy
                 + value x sy
                by
                 value (nx at Div2_s) (sx + 1)
                 = (value q (sx - 1) + power radix (sx - 1) * _qh)
                   * value ny 2
                   + value nx 2
                so value (nx at Div2_s) (sx + 1)
                    = p * value ox sx
                so value ny 2 = p * value y 2
                so (_qh = 0
                    by
                    value ox sx < power radix sx
                    so value y 2 >= radix
                    so value ny 2 >= p * radix
                    so value q (sx - 1) >= 0
                    so value nx 2 >= 0
                    so (value q (sx - 1) + power radix (sx - 1) * _qh)
                        >= 0
                    so (value q (sx - 1) + power radix (sx - 1) * _qh)
                         * value ny 2
                       + value nx 2
                       >= (value q (sx - 1)
                           + power radix (sx - 1) * _qh)
                          * value ny 2
                       >= (value q (sx - 1)
                           + power radix (sx - 1) * _qh)
                          * (p * radix)
                       >= power radix (sx - 1) * _qh * p * radix
                       = power radix sx * p * _qh
                    so power radix sx * p
                       > value (nx at Div2_s) (sx + 1)
                       >= power radix sx * p * _qh
                    )
                so value nx 2 = p * value x 2
                so p * value ox sx
                   = value q (sx - 1) * p * value y 2
                     + p * value x 2
                   = p * (value q (sx - 1) * value y 2
                          + value x 2)
               };
        ()
      end
    else
     (* let qn = ref (Int32.(-) (Int32.(+) sx 1) sy) in
      if (Int32.(>=)  (Int32.(+) !qn !qn) sx)
      then*) begin
        let adjust =
          if (get_ofs x (sx - 1)) >= (get_ofs y (sy - 1))
          then 1
          else 0
        in
        let clz = clz_ext (C.get_ofs y (sy - 1)) in
        let ghost p = power 2 (p2i clz) in
        if clz = 0
        then begin
          wmpn_copyi nx x sx;
          value_sub_shift_no_change (pelts x) x.offset
                                    (p2i sx) (p2i sx) 0;
          C.set_ofs nx sx 0;
          value_sub_frame_shift (pelts x) (pelts nx) x.offset nx.offset (p2i sx);
          assert { value y sy * (power radix (sx - sy + adjust))
                   > value nx (sx + adjust)
                   by
                   let dh = (pelts y)[y.offset + sy - 1] in
                   value y sy >= dh * power radix (sy - 1)
                   so value nx (sx + adjust) = value nx sx = value ox sx
                   so [@case_split]
                      ((adjust = 1
                           so value ox sx < power radix sx
                           so value y sy * power radix (sx - sy + adjust)
                              >= dh * power radix (sy - 1)
                                    * power radix (sx - sy + adjust)
                              = dh * power radix ((sy - 1) + (sx - sy + adjust))
                              = dh * power radix sx
                           so dh >= div radix 2 > 1
                           so dh * power radix sx > power radix sx )
                      \/
                      (adjust = 0
                           so let ah = (pelts x)[x.offset + sx - 1] in
                              value ox sx < (ah + 1) * power radix (sx - 1)
                              so ah + 1 <= dh
                              so value ox sx < dh * power radix (sx - 1)
                              so value y sy * power radix (sx - sy + adjust)
                                 = value y sy * power radix (sx - sy)
                                 >= dh * power radix (sy - 1)
                                       * power radix (sx - sy)
                                 = dh * power radix (sy - 1 + sx - sy)
                                 = dh * power radix (sx - 1))) };
          label Div_ns in
          let ghost _qh = div_sb_qr q nx (sx + adjust) y sy in
          wmpn_copyi x nx sy;
          assert { value ox sx
                   = value q (sx - sy + adjust) * value y sy
                   + value x sy
                 by value x sy = value nx sy
                 so value (nx at Div_ns) (sx + adjust) = value ox sx < power radix sx
                 so value (nx at Div_ns) (sx + adjust)
                    = value (nx at Div_ns) sx
                 so (_qh = 0
                     by
                     value (nx at Div_ns) (sx + adjust)
                     = (value q (sx - sy + adjust)
                        + power radix (sx - sy + adjust) * _qh)
                      * value y sy
                      + value nx sy
                     so value nx sy >= 0
                     so value q (sx - sy + adjust) >= 0
                     so _qh >= 0
                     so (value q (sx - sy + adjust)
                             + power radix (sx - sy + adjust) * _qh) >= 0
                     so (value q (sx - sy + adjust)
                         + power radix (sx - sy + adjust) * _qh)
                        * value y sy
                        + value nx sy
                        >= (value q (sx - sy + adjust)
                             + power radix (sx - sy + adjust) * _qh)
                           * value y sy
                        >= power radix (sx - sy + adjust) * _qh * value y sy
                     so _qh <> 1)
                 so value ox sx = value (nx at Div_ns) sx
                 };
           label Ret_ns in
           begin
             ensures { value q (sx - sy + 1)
                       = value (q at Ret_ns) (sx - sy + adjust) }
             if (adjust = 0)
             then begin
               value_sub_shift_no_change (pelts x) x.offset
                                         (p2i sx) (p2i sx) 0;
               set_ofs q (sx - sy) 0;
               value_sub_tail (pelts q) q.offset (q.offset + p2i sx - p2i sy);
               ()
             end
           end
        end
        else begin
          let ghost _c = wmpn_lshift ny y sy (Limb.of_int32 clz) in
          begin
            ensures { normalized ny sy }
            ensures { value ny sy
                      = power 2 clz * value y sy }
            let ghost dh = (pelts y)[y.offset + p2i sy - 1] in
            assert { value y sy
                     = value y (sy - 1) + power radix (sy - 1) * dh };
            value_sub_upper_bound (pelts y) y.offset (y.offset + p2i sy - 1);
            value_sub_tail (pelts ny) ny.offset (ny.offset + p2i sy - 1);
            value_sub_upper_bound (pelts ny) ny.offset (ny.offset + p2i sy - 1);
            let ghost ndh = (pelts ny)[ny.offset + p2i sy - 1] in
            assert { normalized ny sy
                     /\ value ny sy
                        = power 2 clz * value y sy
                     by
                     value y sy < (dh + 1) * power radix (sy - 1)
                     so value ny sy + (power radix sy) * _c
                        = power 2 clz * value y sy
                        = power 2 clz
                          * (value y (sy - 1)
                             + dh * power radix (sy - 1))
                     so power 2 clz * dh <= radix - power 2 clz
                     so (_c = 0
                        by
                          value ny sy + (power radix sy) * _c
                          = power 2 clz * value y (sy - 1)
                            + power 2 clz * dh * power radix (sy - 1)
                          < power 2 clz * power radix (sy - 1)
                            + power 2 clz * dh * power radix (sy - 1)
                          <= power 2 clz * power radix (sy - 1)
                            + (radix - power 2 clz) * power radix (sy - 1)
                           = radix * power radix (sy - 1)
                           = power radix sy
                        so value ny sy >= 0
                        so power radix sy * _c < power radix sy
                        so power radix sy > 0
                        so _c >= 0
                        )
                     so value ny sy
                        = power 2 clz * value y sy
                     so value y sy >= dh * power radix (sy - 1)
                     so value ny sy
                        >= power 2  clz * dh * power radix (sy - 1)
                     so value ny sy =
                        value ny (sy - 1) + power radix (sy - 1) * ndh
                        < power radix (sy - 1) + power radix (sy - 1) * ndh
                        = power radix (sy - 1) * (ndh + 1)
                     so power radix (sy - 1) * (ndh + 1)
                        > power radix (sy - 1) * (power 2 clz * dh)
                     so ndh + 1 > power 2 clz * dh
                     so ndh >= power 2 clz * dh
                     so 2 * power 2 clz * dh >= radix
                     so 2 * ndh >= radix
                     so ndh >= div radix 2
                   };
          end;
          let h = wmpn_lshift nx x sx (Limb.of_int32 clz) in
          label Shifted in
          C.set_ofs nx sx h;
          begin
            ensures { value nx (sx + adjust)
                      = p * value ox sx  }
            if (adjust = 1)
            then begin
              value_sub_tail (pelts nx) nx.offset (nx.offset + p2i sx);
              assert { value nx (sx + 1)
                        = p * value ox sx
                       by
                       value nx sx + power radix sx * h
                        = p * value ox sx
                       so value nx (sx + 1)
                          = value nx sx + power radix sx * h
                     } end
            else begin
              assert { adjust = 0 };
              assert { h = 0
                       by
                       let dh = (pelts y)[y.offset + sy - 1] in
                       let ah = (pelts x)[x.offset + sx - 1] in
                       p * dh < radix
                       so 0 <= ah <= dh
                       so p * ah < radix
                       so (p * ah <= radix - p
                           by
                           let q = power 2 (Limb.length - clz) in
                           radix = p * q
                           so p * ah < p * q
                           so ah < q
                           so ah <= q - 1
                           so p * ah <= p * (q - 1) = radix - p
                           )
                       so p * (ah + 1) <= radix
                       so let s = power radix (sx - 1) in
                          value ox sx < (ah + 1) * s
                       so p * value ox sx < p * (ah + 1) * s
                       so (p * (ah + 1) * s
                           <= radix * s
                           by
                           [@case_split]
                           (p * (ah + 1) = radix
                           \/ (p * (ah + 1) < radix
                               so s > 0
                               so p * (ah + 1) * s
                                 < radix * s)))
                       so radix * power radix (sx - 1) = power radix sx
                       so value (nx at Shifted) sx + power radix sx * h
                          < power radix sx
                       so power radix sx * h < power radix sx * 1
                       so (h < 1 by power radix sx > 0)
                      }
            end
          end;
          label Div_s in
          assert { value ny sy * (power radix (sx - sy + adjust))
                   > value nx (sx + adjust)
                   by
                   let dh = (pelts y)[y.offset + sy - 1] in
                   value ny sy >= p * dh * power radix (sy - 1)
                   so value nx (sx + adjust) = p * value ox sx
                   so p > 0
                   so [@case_split]
                      ((adjust = 1
                           so value ox sx < power radix sx
                           so p * value ox sx < p * power radix sx
                           so value ny sy * power radix (sx - sy + adjust)
                              >= p * dh * power radix (sy - 1)
                                    * power radix (sx - sy + adjust)
                              = p * dh * power radix ((sy - 1) + (sx - sy + adjust))
                              = p * dh * power radix sx
                           so dh >= 1
                           so p * dh * power radix sx >= p * power radix sx )
                      \/
                      (adjust = 0
                           so let ah = (pelts x)[x.offset + sx - 1] in
                              value ox sx < (ah + 1) * power radix (sx - 1)
                              so ah + 1 <= dh
                              so value ox sx < dh * power radix (sx - 1)
                              so p * value ox sx < p * dh * power radix (sx - 1)
                              so value ny sy * power radix (sx - sy + adjust)
                                 = value ny sy * power radix (sx - sy)
                                 >= p * dh * power radix (sy - 1)
                                       * power radix (sx - sy)
                                 = p * dh * power radix (sy - 1 + sx - sy)
                                 = p * dh * power radix (sx - 1))) };
          let ghost _qh = div_sb_qr q nx (sx + adjust) ny sy in
          let ghost _l = wmpn_rshift x nx sy (Limb.of_int32 clz) in
          begin ensures { value nx sy = p * value x sy }
            assert { _l = 0
                   by
                     (mod (value nx sy) p = 0
                      by
                        value (nx at Div_s) (sx + adjust)
                     = (value q (sx - sy + adjust)
                         + power radix (sx - sy + adjust) * _qh)
                        * value ny sy
                        + value nx sy
                     so value (nx at Div_s) (sx + adjust)
                      = p * value ox sx
                     so value ny sy = p * value y sy
                     so value nx sy
                        = value (nx at Div_s) (sx + adjust)
                          - (value q (sx - sy + adjust)
                            + power radix (sx - sy + adjust) * _qh)
                            * value ny sy
                        = p * value ox sx
                          - p * (value q (sx - sy + adjust)
                                 + power radix (sx - sy + adjust) * _qh)
                              * value y sy
                        = p * (value ox sx
                               - (value q (sx - sy + adjust)
                                 + power radix (sx - sy + adjust) * _qh)
                                 * value y sy)
                     so let n = (value ox sx
                                  - (value q (sx - sy + adjust)
                                     + power radix (sx - sy + adjust) * _qh)
                                     * value y sy)
                        in
                        value nx sy = p * n
                        so value nx sy >= 0
                        so p > 0
                        so n >= 0
                        so mod (value nx sy) p
                           = mod (p * n) p
                           = mod ((p*n)+0) p
                           = mod 0 p
                           = 0
                   )
                   so _l + radix * value x sy
                      = power 2 (Limb.length - clz) * (value nx sy)
                   so let a = div (value nx sy) p in
                      value nx sy = p * a
                   so power 2 (Limb.length - clz) * p = radix
                   so power 2 (Limb.length - clz) * (value nx sy)
                      = power 2 (Limb.length - clz) * (p * a)
                      = (power 2 (Limb.length - clz) * p) * a
                      = radix * a
                   so mod (radix * value x sy + _l) radix
                      = mod _l radix
                   so mod (radix * value x sy + _l) radix
                      = mod (radix * a) radix = 0
                   so mod _l radix = 0
                   so 0 <= _l < radix
                 };
            assert { value nx sy = p * value x sy
                     by
                     radix * value x sy
                     = power 2 (Limb.length - clz) * value nx sy
                     so p * power 2 (Limb.length - clz)
                        = radix
                     so p * radix * value x sy
                        = p * power 2 (Limb.length - clz) * value nx sy
                        = radix * value nx sy
                     so p * value x sy = value nx sy
                   }
          end;
          assert { value ox sx
                   = value q (sx - sy + adjust) * value y sy
                   + value x sy
                  by
                   value (nx at Div_s) (sx + adjust)
                   = (value q (sx - sy + adjust)
                       + power radix (sx - sy + adjust) * _qh)
                     * value ny sy
                     + value nx sy
                  so value (nx at Div_s) (sx + adjust)
                      = p * value ox sx
                  so power radix (sx - sy + 1) * power radix (sy - 1)
                     = power radix sx
                  so value ny sy = p * value y sy
                  so (_qh = 0
                     by
                     value (nx at Div_s) (sx + adjust)
                     = (value q (sx - sy + adjust)
                        + power radix (sx - sy + adjust) * _qh)
                      * value ny sy
                      + value nx sy
                     so value nx sy >= 0
                     so value q (sx - sy + adjust) >= 0
                     so _qh >= 0
                     so (value q (sx - sy + adjust)
                             + power radix (sx - sy + adjust) * _qh) >= 0
                     so (value q (sx - sy + adjust)
                         + power radix (sx - sy + adjust) * _qh)
                        * value ny sy
                        + value nx sy
                        >= (value q (sx - sy + adjust)
                             + power radix (sx - sy + adjust) * _qh)
                           * value ny sy
                        >= power radix (sx - sy + adjust) * _qh * value ny sy
                     so _qh <> 1)
                  so value nx sy = p * value x sy
                  so p * value ox sx
                     = value q (sx - sy + adjust) * p * value y sy
                       + p * value x sy
                     = p * (value q (sx - sy + adjust)
                       * value y sy
                            + value x sy)
                 };
          label Ret_s in
          begin
            ensures { value q (sx - sy + 1)
                      = value (q at Ret_s) (sx - sy + adjust) }
            if (adjust = 0)
            then begin
              value_sub_shift_no_change (pelts x) x.offset
                                        (p2i sx) (p2i sx) 0;
              set_ofs q (sx - sy) 0;
              value_sub_tail (pelts q) q.offset (q.offset + p2i sx - p2i sy);
              assert { value q (sx - sy + 1) = value (q at Ret_s) (sx - sy)
                       by value q (sx - sy + 1)
                          = value (q at Ret_s) (sx - sy) + power radix (sx - sy) * 0
                          = value (q at Ret_s) (sx - sy) }
            end
          end;
          ()
        end
        end

  let wmpn_tdiv_qr_in_place (q:t) (qxn:int32) (x:t) (sx:int32) (y:t) (sy:int32)
      : unit
    requires { 1 <= sy <= sx <= (Int32.max_int32 - 1) }
    requires { valid x sx }
    requires { valid y sy }
    requires { valid q (sx - sy + 1) }
    requires { writable x /\ writable q }
    requires { qxn = 0 }
    requires { (pelts y)[y.offset + sy - 1] > 0 }
    ensures { value (old x) sx
              = value q (sx - sy + 1) * value y sy
                + value x sy }
    ensures { value x sy < value y sy }
  =
    let nx = malloc (UInt32.(+) (UInt32.of_int32 sx) 1) in
    c_assert (is_not_null nx);
    let ny = malloc (UInt32.of_int32 sy) in
    c_assert (is_not_null ny);
    div_qr_in_place q x y nx ny sx sy;
    free nx;
    free ny


endwhy3-1.6.0/examples/multiprecision/div/000077500000000000000000000000001440160026300200525ustar00rootroot00000000000000why3-1.6.0/examples/multiprecision/div/why3session.xml000066400000000000000000021571361440160026300231110ustar00rootroot00000000000000
















 
 
  
  
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
  
  
  
  
  
 
 
 
 
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
 
 
 
 
  
  
  
  
  
  
  
  
  
  
  
  
  
  
   
   
   
   
   
    
    
     
     
     
     
     
     
    
    
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
  
  
  
  
  
  
  
  
  
  
   
   
   
  
  
  
  
  
  
  
  
  
  
   
   
   
   
   
   
  
  
  
  
  
  
  
  
  
  
   
   
   
  
  
  
  
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
    
    
     
     
     
     
     
     
    
    
    
    
    
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
  
  
  
  
  
  
  
  
  
  
  
  
  
   
   
   
   
   
   
  
  
  
  
  
  
  
  
  
  
  
  
  
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
  
  
  
  
  
  
  
  
  
  
  
  
  
  
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
  
  
  
  
  
  
  
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
   
   
   
   
   
   
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
   
   
   
   
   
   
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
   
   
   
  
  
  
  
   
   
   
   
   
   
  
  
  
  
  
  
  
  
  
  
  
  
  
   
   
   
   
   
   
  
  
  
  
   
   
   
  
  
  
  
   
   
   
  
  
  
  
  
 
 
 
 
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
   
   
   
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
   
   
   
   
   
   
  
  
  
  
  
  
  
  
  
  
  
  
  
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
  
  
  
  
  
  
  
  
  
  
  
  
  
   
   
   
  
  
  
  
  
  
  
  
  
  
  
  
  
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
  
  
  
  
  
  
  
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
    
    
    
    
    
    
   
   
   
   
   
   
   
   
  
  
  
  
  
  
  
   
   
   
  
  
  
  
   
   
   
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
   
   
   
   
   
   
   
   
   
  
  
  
  
   
   
   
   
   
   
   
   
   
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
   
   
   
  
  
  
  
   
   
   
   
   
   
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
 
 
 
 
  
  
  
  
  
  
  
  
  
  
  
  
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
    
    
    
    
    
     
     
     
     
     
     
    
    
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
  
  
  
  
   
   
   
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
   
   
   
   
   
   
  
  
  
  
  
  
  
  
  
  
  
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
  
  
  
  
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
  
  
  
  
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
    
    
     
     
     
     
     
     
    
    
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
    
    
     
     
     
     
     
     
    
    
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
    
    
     
     
     
     
     
     
    
    
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
    
    
     
     
     
     
     
     
    
    
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
  
  
  
  
   
   
    
    
     
     
     
    
    
   
   
  
  
  
  
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
    
    
    
   
   
  
  
  
  
  
  
  
  
  
  
   
   
   
   
   
   
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
  
  
  
  
   
   
   
  
  
  
  
  
  
  
  
  
  
  
  
  
   
   
   
   
   
   
  
  
  
  
  
  
  
  
  
  
  
  
  
   
   
   
   
   
   
  
  
  
  
  
  
  
   
   
   
   
   
   
  
  
  
  
   
   
   
   
   
   
   
   
   
   
   
   
  
  
  
  
  
  
  
   
   
   
   
   
   
  
  
  
  
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
  
  
  
  
  
   
   
   
   
   
   
  
  
  
  
   
   
    
    
    
   
   
   
   
   
   
   
   
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
   
   
   
   
   
   
  
  
  
  
  
 
 
 
 
 
 
 
  
  
  
  
  
  
  
  
  
  
  
  
  
  
   
   
   
  
  
  
  
  
  
  
  
  
  
   
   
   
  
  
  
  
   
   
   
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
   
   
   
  
  
  
  
   
   
   
   
   
   
  
  
  
  
   
   
   
   
   
   
  
  
  
  
   
   
   
  
  
  
  
  
  
  
  
  
  
  
  
  
   
   
   
   
   
   
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
   
   
   
   
   
   
  
  
  
  
  
  
  
   
   
   
   
   
   
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
   
   
   
   
   
   
  
  
  
  
  
  
  
  
  
  
  
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
  
  
  
  
  
  
  
  
  
  
   
   
   
   
   
   
  
  
  
  
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
  
  
  
  
   
   
   
   
   
   
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
   
   
   
   
   
   
  
  
  
  
  
  
  
   
   
   
   
   
   
  
  
  
  
  
  
  
  
  
  
  
  
  
   
   
   
  
  
  
  
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
  
  
  
  
   
   
   
   
   
   
   
   
   
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
   
   
   
   
   
   
  
  
  
  
  
  
  
  
  
  
   
   
   
   
   
   
  
  
  
  
   
   
   
   
   
   
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
 
 
 
 
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
   
   
   
  
  
  
  
   
   
   
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
   
   
   
   
   
    
    
    
   
   
  
  
  
  
  
  
  
   
   
   
   
   
   
  
  
  
  
   
   
   
   
   
   
  
  
  
  
  
  
  
  
  
  
  
  
  
  
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
  
  
  
  
  
  
  
   
   
   
   
   
   
   
   
   
   
   
   
  
  
  
  
  
  
  
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
   
   
   
   
   
   
  
  
  
  
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
  
  
  
  
  
  
  
  
  
  
   
   
   
   
   
   
  
  
  
  
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
  
  
  
  
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
   
   
   
   
   
   
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
   
   
   
   
   
   
  
  
  
  
  
  
  
   
   
   
   
   
   
  
  
  
  
  
  
  
  
  
  
  
  
  
  
   
   
   
   
   
   
   
   
    
    
     
     
      
      
      
     
     
    
    
    
    
    
   
   
   
   
   
   
   
   
   
   
   
   
   
   
  
  
  
  
  
  
  
  
   
   
   
   
   
   
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
  
  
  
  
  
  
  
  
   
   
   
   
   
   
  
  
  
  
  
  
  
  
  
  
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
  
  
  
  
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
   
   
   
   
   
   
  
  
  
  
   
   
   
   
   
    
    
    
    
   
   
   
   
   
  
  
  
  
  
  
  
  
  
  
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
  
  
  
  
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
    
    
    
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
  
  
  
  
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
    
    
    
   
   
   
   
   
   
   
    
    
    
   
   
   
   
   
   
   
    
    
     
     
      
      
      
      
      
      
     
     
    
    
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
  
  
  
  
   
   
   
   
   
   
  
  
  
  
  
  
  
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
  
  
  
  
  
  
  
  
  
  
  
  
  
   
   
   
   
   
   
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
   
   
   
   
   
   
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
   
   
   
   
   
   
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
   
   
   
   
   
   
  
  
  
  
  
  
  
  
  
  
   
   
   
   
   
   
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
   
   
   
   
   
   
   
   
   
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
  
  
  
  
   
   
   
   
   
   
   
   
   
   
   
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
   
   
    
    
     
     
     
      
      
      
      
      
      
      
      
      
      
      
      
      
      
      
      
      
      
      
      
      
      
      
      
      
      
      
      
      
      
      
      
      
      
      
      
      
      
      
      
      
      
      
      
      
      
      
      
      
      
      
      
      
      
      
      
      
      
      
      
      
      
      
      
      
      
      
      
      
      
      
      
      
      
      
      
      
      
      
      
      
      
      
      
      
      
      
      
      
      
      
      
      
      
      
      
      
      
      
      
      
      
      
      
      
      
      
      
      
      
      
      
      
      
      
      
      
      
      
      
      
      
      
      
      
      
      
      
      
      
      
      
      
      
      
      
      
      
      
      
      
      
      
      
      
      
      
      
      
      
      
      
      
      
      
      
      
      
      
      
      
      
      
      
      
      
      
      
      
      
      
      
      
      
      
      
      
      
      
      
      
      
      
      
      
      
      
      
      
      
      
      
      
      
      
      
      
      
      
      
      
      
      
      
      
      
      
      
      
      
      
      
      
      
      
      
      
      
      
      
      
      
      
      
      
      
      
      
      
      
      
      
      
      
      
      
      
      
      
      
      
      
      
      
      
      
      
      
      
      
      
      
      
      
      
      
      
      
      
      
      
      
      
      
      
      
      
      
      
      
      
      
      
      
      
      
      
      
      
      
      
      
      
      
      
      
      
      
      
      
      
      
      
      
      
      
      
      
      
      
      
      
      
      
      
      
      
      
      
      
      
      
      
      
      
      
      
      
      
      
      
      
      
      
      
      
      
      
      
      
      
      
      
      
      
      
      
      
      
      
      
      
      
      
      
      
      
      
      
      
      
      
      
      
      
      
      
      
      
      
      
      
      
      
      
      
      
      
      
      
      
      
      
      
      
      
      
      
      
      
      
      
      
      
      
      
      
      
      
      
      
      
      
      
      
      
      
      
      
      
      
      
      
      
      
      
      
      
      
      
      
      
      
      
      
      
      
      
      
      
      
      
      
      
      
      
      
      
      
      
      
      
      
      
      
      
      
      
      
      
      
      
      
      
      
      
      
      
      
      
      
      
      
      
      
      
      
      
      
      
      
      
      
      
      
      
      
      
      
      
      
      
      
      
      
      
      
      
      
      
      
      
      
      
      
      
      
      
      
      
      
      
      
      
      
      
      
      
      
      
      
      
      
      
      
      
      
      
      
      
      
      
      
      
      
      
      
      
      
      
      
      
      
      
      
      
      
      
      
      
      
      
      
      
      
      
      
      
      
      
      
      
      
      
      
      
      
      
      
      
      
      
     
     
     
     
     
     
     
     
    
    
   
   
  
  
  
  
  
  
  
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
  
  
  
  
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
    
    
    
    
    
    
   
   
  
  
  
  
   
   
    
    
    
   
   
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
  
  
  
  
  
  
  
  
  
  
  
  
  
  
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
  
  
  
  
  
  
  
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
  
  
  
  
  
  
  
  
  
  
   
   
   
   
   
   
  
  
  
  
   
   
   
   
   
   
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
  
  
  
  
   
   
   
   
   
   
  
  
  
  
  
  
  
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
  
  
  
  
  
  
  
   
   
    
    
     
     
      
      
      
     
     
    
    
   
   
  
  
  
  
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
  
  
  
  
   
   
   
   
   
   
  
  
  
  
  
  
  
  
  
  
   
   
   
   
   
   
  
  
  
  
   
   
   
   
   
   
  
  
  
  
  
  
  
  
  
  
   
   
   
   
   
   
  
  
  
  
   
   
   
   
   
   
   
   
   
   
   
    
    
     
     
     
     
     
     
    
    
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
  
  
  
  
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
  
  
  
  
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
  
  
  
  
  
  
  
  
  
  
   
   
   
   
   
   
  
  
  
  
  
  
  
  
  
  
   
   
   
   
   
   
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
   
   
   
   
   
   
  
  
  
  
  
  
  
   
   
   
   
   
   
  
  
  
  
  
  
  
  
  
  
  
  
  
  
   
   
   
   
   
   
  
  
  
  
  
  
  
   
   
    
    
    
   
   
   
   
    
    
    
   
   
  
  
  
  
   
   
   
   
   
    
    
    
    
    
    
   
   
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
  
  
  
  
   
   
   
   
   
   
  
  
  
  
   
   
   
   
   
   
  
  
  
  
  
  
  
  
  
  
   
   
   
   
   
   
  
  
  
  
   
   
    
    
     
     
     
     
     
      
      
       
       
       
       
       
       
       
       
       
       
       
       
       
       
       
       
       
       
       
       
       
       
       
       
       
       
       
       
       
       
       
       
       
       
       
       
       
       
       
       
       
       
       
       
       
       
       
       
       
       
       
       
       
       
       
       
       
       
       
       
       
       
       
       
       
       
       
       
       
       
       
       
       
       
       
       
       
       
       
       
       
       
       
       
       
       
       
       
       
       
       
       
       
       
       
       
       
       
       
       
       
       
       
       
       
       
       
       
       
       
       
       
       
       
       
       
       
       
       
       
       
       
       
       
       
       
       
       
       
       
       
       
       
       
       
       
       
       
       
       
       
       
       
       
       
       
       
       
       
       
       
       
       
       
       
       
       
       
       
       
       
       
       
       
       
       
       
       
       
       
       
       
       
       
       
       
       
       
       
       
       
       
       
       
       
       
       
       
       
       
       
       
       
       
       
       
       
       
       
       
       
       
       
       
       
       
       
       
       
       
       
       
       
       
       
       
       
       
       
       
       
       
       
       
       
       
       
       
       
       
       
       
       
       
       
       
       
       
       
       
       
       
       
       
       
       
       
       
       
       
       
       
       
       
       
       
       
       
       
       
       
       
       
       
       
       
       
       
       
       
       
       
       
       
       
       
       
       
       
       
       
       
       
       
       
       
       
       
       
       
       
       
       
       
       
       
       
       
       
       
       
       
       
       
       
       
       
       
       
       
       
       
       
       
       
       
       
       
       
       
       
       
       
       
       
       
       
       
       
       
       
       
       
       
       
       
       
       
       
       
       
       
       
       
       
       
       
       
       
       
       
       
       
       
       
       
       
       
       
       
       
       
       
       
       
       
       
       
       
       
       
       
       
       
       
       
       
       
       
       
       
       
       
       
       
       
       
       
       
       
       
       
       
       
       
       
       
       
       
       
       
       
       
       
       
       
       
       
       
       
       
       
       
       
       
       
       
       
       
       
       
       
       
       
       
       
       
       
       
       
       
       
       
       
       
       
       
       
       
       
       
       
       
       
       
       
       
       
       
       
       
       
       
       
       
       
       
       
       
       
       
       
       
       
       
       
       
       
       
       
       
       
       
       
       
       
       
       
       
       
       
       
       
       
       
       
       
       
       
       
       
       
       
       
       
       
       
       
       
       
       
       
       
       
       
       
       
       
       
       
       
       
       
       
       
       
       
       
       
       
       
       
       
       
       
       
       
       
       
       
       
       
       
       
       
       
       
       
       
       
       
       
       
       
       
       
       
       
       
       
       
       
       
       
       
       
       
       
       
       
       
       
       
       
       
       
       
       
       
       
       
       
       
       
       
       
       
       
       
       
       
       
       
       
       
       
       
       
       
       
       
       
       
       
       
       
       
       
       
       
       
       
       
       
       
       
       
       
       
       
       
       
       
       
       
       
       
       
       
       
       
       
       
       
       
       
       
       
       
       
       
       
       
       
       
       
      
      
      
      
      
      
      
      
      
      
      
     
     
    
    
   
   
  
  
  
  
  
  
  
  
  
  
   
   
   
   
   
   
   
   
    
    
    
   
   
   
   
    
    
     
     
     
     
     
      
      
      
      
      
      
      
     
     
    
    
   
   
   
   
   
  
  
  
  
   
   
    
    
     
     
     
     
     
     
     
     
     
     
     
     
     
     
     
     
     
     
     
     
     
     
     
     
     
     
     
     
     
     
     
     
     
     
     
     
     
     
     
     
     
     
     
     
     
     
     
     
     
     
     
     
     
     
     
     
     
     
     
     
     
     
     
     
     
     
     
     
     
     
     
     
     
     
     
     
     
      
      
      
      
      
      
      
      
     
     
     
     
     
     
     
     
     
     
     
     
     
     
     
     
     
     
     
     
     
     
     
     
     
     
     
     
     
     
     
     
     
     
     
    
    
   
   
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
   
   
   
   
   
   
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
   
   
   
   
   
   
  
  
  
  
  
  
  
   
   
   
   
   
   
  
  
  
  
  
  
  
   
   
   
   
   
   
  
  
  
  
  
  
  
  
  
  
  
  
  
   
   
    
    
     
     
     
     
     
     
    
    
   
   
   
   
   
  
  
  
  
  
  
  
   
   
    
    
     
     
     
     
     
     
    
    
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
  
  
  
  
  
  
  
   
   
   
   
   
   
  
  
  
  
  
 
 
 
 
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
   
   
   
   
   
   
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
   
   
   
   
   
    
    
    
   
   
  
  
  
  
   
   
   
   
   
   
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
   
   
   
   
   
   
  
  
  
  
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
  
  
  
  
  
  
  
  
  
  
  
  
  
   
   
   
   
   
   
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
   
   
   
   
   
   
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
   
   
   
   
   
   
   
   
   
  
  
  
  
  
  
  
  
  
  
  
 
 
 
 
  
  
   
   
    
    
     
     
     
     
    
    
   
   
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
   
   
   
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
   
   
   
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
   
   
    
    
    
   
   
  
  
  
  
  
  
  
   
   
   
  
  
  
  
  
  
  
   
   
   
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
  
  
  
  
   
   
   
  
  
  
  
  
  
  
  
  
  
   
   
    
    
     
     
     
     
     
     
     
     
    
    
   
   
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
   
   
    
    
     
     
     
    
    
   
   
  
  
  
  
  
  
  
  
  
  
  
  
  
  
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
  
  
  
  
  
  
  
  
  
  
   
   
   
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
   
   
   
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
    
    
    
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
  
  
  
  
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
  
  
  
  
  
  
  
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
  
  
  
  
   
   
   
   
  
  
  
  
   
   
    
    
    
   
   
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
   
   
    
    
    
   
   
  
  
  
  
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
    
    
    
    
    
    
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
  
  
  
  
   
   
   
   
   
   
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
   
   
   
   
   
   
   
  
  
  
  
  
  
  
  
  
  
  
   
   
   
   
   
   
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
   
   
   
   
   
   
   
   
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
   
   
    
    
     
     
     
     
    
    
   
   
  
  
  
  
  
  
  
  
  
  
  
   
   
   
   
   
   
  
  
  
  
  
  
  
  
   
   
   
   
   
   
   
   
   
  
  
  
  
  
  
  
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
  
  
  
  
  
  
  
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
    
    
    
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
  
  
  
  
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
  
  
  
  
  
  
  
  
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
  
  
  
  
  
  
  
   
   
   
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
   
   
    
    
    
    
    
    
   
   
   
   
   
   
   
   
  
  
  
  
  
  
  
   
   
   
   
   
    
    
    
   
   
  
  
  
  
  
  
  
  
 
 
 
 
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
 
 
 
 
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
   
   
   
  
  
  
  
  
  
  
   
   
   
   
   
   
  
  
  
  
  
  
  
   
   
   
  
  
  
  
  
  
  
   
   
   
  
  
  
  
   
   
   
   
   
   
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
   
   
   
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
   
   
    
    
    
   
   
  
  
  
  
   
   
    
    
    
   
   
  
  
  
  
  
  
  
  
  
  
  
  
  
   
   
    
    
     
     
     
     
     
     
     
     
     
     
     
     
     
     
     
     
     
     
     
     
     
     
     
     
    
    
   
   
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
   
   
    
    
     
     
     
     
     
     
     
     
     
     
     
     
     
     
     
     
     
     
     
     
     
     
     
    
    
   
   
  
  
  
  
  
  
  
   
   
   
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
  
  
  
  
  
  
  
  
  
  
   
   
   
  
  
  
  
   
   
   
   
   
   
   
   
  
  
  
  
  
  
  
   
   
   
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
   
   
    
    
     
     
     
     
    
    
   
   
  
  
  
  
  
  
  
   
   
    
    
     
     
     
    
    
   
   
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
    
    
    
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
  
  
  
  
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
  
  
  
  
  
  
  
  
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
   
   
   
   
   
   
  
  
  
  
   
   
   
   
   
   
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
   
   
    
    
    
   
   
  
  
  
  
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
    
    
    
    
    
    
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
   
   
   
   
   
   
   
   
  
  
  
  
   
   
   
   
   
   
  
  
  
  
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
  
  
  
  
  
  
  
  
  
  
  
  
  
   
   
   
   
   
   
   
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
   
   
   
   
   
   
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
   
   
   
   
   
   
  
  
  
  
  
  
  
  
  
  
  
  
  
  
   
   
    
    
    
    
   
   
   
   
   
   
   
   
  
  
  
  
  
  
  
  
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
  
  
  
  
  
  
  
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
    
    
    
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
  
  
  
  
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
  
  
  
  
  
  
  
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
  
  
  
  
  
  
  
   
   
   
   
   
   
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
   
   
    
    
    
    
    
    
   
   
   
   
   
   
   
   
  
  
  
  
  
  
  
  
  
  
  
  
  
  
 
 
 
 
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
 
 



why3-1.6.0/examples/multiprecision/div/why3shapes.gz000066400000000000000000005342201440160026300225200ustar00rootroot00000000000000YoȺ}_Qa@I2 H,4%v!Jj Y@R3EX+mXs}ȪCr=)?WŴXEX^2c(,fR\~pzrۇV|{:OC6NHO:".FҶu2e&He
tʧR%Lj3g~,k*}*m秪(P*|Vyh|6/(w6M/c?sԧէ~դ|n꽼.<~Xn/3y)yco&XiIm&Hx=|Iڂ {ڳTdAr[^Aoҁ/3
n˧Gl,dLfgŇuU_2{sRo3-}MS"E|"k%CkSgfkXf
3uyיqǿ5CٵyT$wA1g$`x/oeTd/fz[,WE!KsƷN~ptΛ3g<E"l9s6YvUy3=IY_,mR5?d.\ޖtaV39ͦ93W	gT{N)mP,5mr9EOWYԩ_90}6D1V̟,EL)_xRu*b>[u*v֩خSJ?~Qp
~Ե2w?'AP?M}YϬ:Cl,UTRNO)ס1SkWg"Z!Lgڌ]4~vkKJ£:^O2e.VÝ<}bY)..  /n0LcD<ж:'K
;]CNi{,&
5>^D 	)dCexIVD$ibf΢n&z1KF5ыEh\U"n^_v|?#(ʀPFᩫg`݌?y%QlI4{II˝Fs|WaC^!} \4oy!2Y3"
-{6Vll\ak|B;v	@2/^jH)_wՒFy>mmV0IEwx;SGn2FhJCQ2Y\$)r͙ޡ.a0c];PKn">ZH➚bMi@zsqӽWL;.8뙫ql:Fg	,MD磘e*S15!1YW	lX(_dsP.9:ppq8``XAP̒b`%;`*
/FqԐ=Y@`lzj%K=jne%xnff6Ʈ'Jשib[[Ը ⟟iTIaKJM?Gx\gT6O=ϩ\酡	Fܽ7H.I3l"H_52rG9,Nmg,yirY)Ija
}8-St[أ}tͲ֦U_Pz/h1~zGq>UYKK>ү#վ1#j7wZ>mm0޸߿}_Qiyj)	v,#YOnö.
Ҥ:,v3Co[euWC>ju`8ۂd#K6
 W=YWY2YoTP=hx	ޞ0oSUK̥(!1SU"Ix)z36o{om+˦6)ʮ bF3k;?0?ܗ=AbTcLbr#O\_hʹR*u;in|P/4KY"YN+w"fPQ"H$<Ǩ>IxjuO]/
E,cȟet?w:	@g{%mKKsUT+1 օ;SCk嫘P'
v
*J'yFӿQ:˩99"I/Y(O.NtP8Mj-x6ji^-&]t1=NK39TN|{м{)HRa&ּ$oB:MBa=[9^PT?*Fvm5y);Pw'ѸoL
u!u];@P\
Zapԛ<;fBgHzSUǡziln*
Q'f8úEuI01Ll#pám%`&	>ϸށhp4tl5ĸؖ?=@гL;‡#U~$t[=9%h\+YL.?@ݕ(}x
@4 X,bns5@F({тy-N]f1hKl$?6;<찏>;z]@x`veG{dˎm`_S	(
™BE݉;g[:Ѐ)x*@"燺s<8@;YF40 .z\M
@1t	&	`bĘreBqÞD7
pcKn2`SB]\A"ͅECGU7Z뛑ݭV@4
VHVZi	]>}X6mצ?@35Tr n&QŇ-'Lo-,:U@~;
UG5h[vq>-|nZGˀNI&:@@n4`Qe31rDR ePH1A0̆A0e")SY+Xn@d9Y+LzJѫ+
rX;Y\7d%2fNh^k-Z
:%TKǟAX_)wf+_gUOʹT{1?-<绑c4DfٲZ[U@3OB}3T[yDq,É	\Zj/,	~B->=*Є=1@PÇ^-
#*̽o=<=JWs8g*}hZA>!`3aK Mgw'E|_Ɨz2]$CB}<1"
(c|^(G#\V{˓BseEQ؝,:ÚF:ecj%џRl{SBB䕙3ḭfmU/isg,1Eɖn4ܲ?fE"(7@
)!Ώئ#SMfXWpe\q}-tOdAt(]C*5pX@P0fl9*
0IDTU.*ס'ӱb#%D|_×Pw^-	`%&e9((!)Iv|[/`~`@EvGtrb*C}Q0륐fvYPOjo@Pj7F@@rҳ8qL'.Vм욡h=uIgDD.Vkh+{dUUp*^z4P^'gY?ʗ_Zw&b8^$b'|((gpU)AJ[6BՒQG!,ڇc%7Qcfm*74ɱ[b8XQS"ye(Xbj9
v˼{ooXUx~&T⦒^WQd~>%i;v1@3%Ƥ?^o_W?|G@Ā(
N7@xaE*y5 HP7a<,,hAArxVgnI,A1˳xYpx#0ۏ`=!"姈i-\I>KhDeJE)ʮr*sӿ
)Z~SO?.Zo
{T]+(cXoAt,]ORq 8Nг&[ґ]1
jLl7!z~7
{BG(1@"y.CnW.g^ha|\#0bcV@D$4_3hGyg|BA^ Eހ	`pAL2~3[ p`&|@4\&f9QMjM r0ԕE=tݏE JүZP>SF_೮|%
.M1A>?J틙B96/h"!Fsª2}'-sr\X^A,?:yy bbئ,% O#oEib*	څ1tnG LX_?ەy[*ʡH!qM<[22g*
lPanĹ0^>Lu@ HƋuX:e9E5x~TIfΞjɤS;iZ<3rG
8΀3@6EU%EZ,8oſ̦A:c 1`38LUK9+6}5LU UoLx~c],rui'[hr[U^(q餩uA&nor S儰黕=O?;Q+7aK-_8i&yD3>
ߓ7M߉,'Z>bL,]$+dE
"'ZE7jk>>-3iBUľ/xud`OJ-ͮjPm-ב/D!t,[nb0=&Mn7x-[nԩەHV7թ(׉Q5aګ&KR°WVȀWԹ?;
\	KouqTG}ko	ڷaaUntmb3WygC6mH6|}dިqrcp	Z[	
[kld·NqIugzmz|7x֣6B1td#cوUfr상/l&fAEQM8f*0STh.~R_kfOiwjXm=(áご2[
\+5J
~hYPOfZ^s6BX8( U(o3Y[1s#"nF>ҝ,5jG U%--䊗rOKwkڔH|C41hbrDY"/l˔g懨uU1-XCtxҮ󴘱
L䦭sf+_B)<.L"8Xܘg?gL쟰#z "HofoD[xiP=‚fVXE3C:TW#eB6pb+!7۟Ɩ_`gsqa^=p)h0UEz|VoټfFCbD9'
G(ʜ2f,.l>wpBPy4ӽ>Oxf<޳냲Bڦd&ʉ|5xm>
~7?8fvQ
IN>ț~:dW7nJ:
GU!gj2othoP*}n~)?daik4	y=ɆteT=u?jY[}u7{;doxU}0n8AoK[ѫeGQ0HصV?HəԷzvxS7Z-we$nl[95- [25 j4XkYp'F	u&")_ef_l`7܄{;
,%@	P2hL?~oo==>f+Bb[
7zUo1;6yfoe|t|	:è=`T_`
@0r4[c6~Au~F7?RzOI"kWjFj0c*+%y%>f6ˤUC"I*&|PFRH2xZF-Qaؤf7O>+?Q3irkLIGeeZ=0(ӣZ@s'D5;n=?gYCP5T
U%
Dn`-"m/6H'
a@ bWJ$*b~E2g0IJ[4! ڏSg̗cu]33=qȲ?^"7(۱]YqiJrKYvDX7xv	<S&OLPT.
d>(*/0Z5CVc;n<a@q@2c*S~X
o.|b"ŌLsY
Diy̚\33y'>Y\dfv?T">+Mz>Fj:c坦t&3M-܀4 
Hs2pbb:oq']DlJͲ-K&K%WJz}0nTΪj/(>Hgq)%>~ҸW(Ź||6]<`UGJefElCOu{P>y`x1ܦ,'\y[3	6f?!!cGۻ7Qd6ݰKVMSWiϓmͣUMٴ]~5-q`=(pЏVUR,mCe8	eĦ̊8jB#3xO|O_QͳQ[ˈq*BDd.;LfC"l9rfbuPEO{Jk9Tjrz	o&'Cyjsmjg3-9iՀYRd*.7'mz_OL/dz#Njk䲵z%Q:=r`Q!!+S.S;ZO?3v?X!>дmlx!a;r/I?~1^('w͒ym%@@t#VĽ	-EߋO}Ӻ<[uvEvH+bʼnfkA{bV>zB_UuwԡwUi.uKXndݤ~ʴk
LȻJ}.o7^nX7s\E17b+:}ω̅#.?\͟ps/w)HU3ludf{3C#jWwFlՋH鑫|66x
{@><5ɪL_o9i..j-_8
Iy
2Wȁ"oWZhSjFqF

,
C0?8v}BϮX8y	e
!*0`0=ԕ,=9R3w&bl{U$`XErʜ-Y{H?)[jQ&tR&(9sHD0*lP=\cD.U|.!^;2ݹRX|'JHw-w6Gg`w4O4;v=w #mIcH×`wZq~BG#tofn2+pXm'N8$>~LQZe.ZߪFIR栨_-!iHll/C-2k9tF\JЍIKaX>FحEN:{]1!P=@	J^!
v;rP
T#P@P0)/oe5"-2>bV_O+bb~[>+=6p`*|&F5ι||4;t!?rmq`ܦp0y7
hR1_4p`U@~W5Qr-,§x: w+@|S#,`b&u>aC
h>^%< "rFt8_2I@d$?اڅkۏbPܖ03ad4P%DITSkx@PB`o:m*]AgbW%
l*"c"Mŀ
]JBjR힇196Kuc3CN1	7)r8>VF[}B9`=HH	`p9L01W@` &	`ˆ GmڼU@PeT uD@x!Y/0.x(,qǕn@4m
`0~6!Wl HƎ [WgxFk( RX?>I@Ա*왥h0#ˆI=IjfjLXoߗw 4ӋwzAy~p\͛QʻGE6KzR?$U\pGN8&j;xIPukkb)p?]ɠ9&=`1,mۥgb/V\|sTE̒p/ԚL8DGڸ*_$Db+):dV-nOUtT;r:!KG*݈<LtMR H!xh={bk^LQp!gqdJ~CF侞E&7G
|xX>*x:<
y
ӡ
|mxFmUFxH|Z9&d;мL H\6	@ˆʪW7=cp'qZ"`PLF9
0B:Tj:
7"~?s_|mPC^oK;)4>U>Crc_kW3ICꕬtQz6Td@1Pl+!h1+gqrT	Mx6|$p``+(JGt^4Uī85<&u-0<#}A40!eb_آȞߪk T#DEWX0!٢Ʌ8q.		hچ@5SDJ\eYۛ{_E0-֛.9rno6YSҬ.7V%A1Rrrjހ7px#z\"zA]Q&DCC"=HU{?U}(ʡ۲O|X}#:t!f\ctXY&^2Ok7ePVހ4 
Hi8&kflƁjԃ#(RH #W#飑$jԗ_ K6w+?\ĸ;X `ʁSC@-{;ASm>U5?V@b&#+C{Kt`¬ºAmd//0(LZcTjaSTU]ZՖC'mj]פt'l!}VKr"nq+>Vx(~P7N["	c򆼇&>[ĆC#{e:/'E>@u vCP_fB{ ߨǐo553~'9Ӯ(.MEQFc_AU	˅v/]y3ZԍX&̈́b	`)&;mAN00u]ofbsUgq=JcS})5Ka_elPVKͻccfrI0҂X(a}F`޼7``x()*?y^C!d^p}֛ePAsޕlvfpUNK@8%eoDvȹ%@(ApBF]GՈӒfG
X@EP~FcgNw%:;:Tp87qnX
$'7Nʼn<1TBآx?#*`X7ᡆĽ>5]w?yzH,M_yh捛!'t
CԇRD.2O5OSXIՖh`YBEv7
x388wk@.9$ t4"q*FTkgmL뉜=Dt/ /A$@{sxはQײ
`F'4
Gä- H\"	&XH6P5t@ҁ3@FDЗ{
p7&,ae66H5\h8;4	w[jف@(Cw-Ijh0eWN𖝈{AHHN@qPl95ŇzLUexJ?TCcP6=0Pv}c
:ı(J[l
*
k`"1(r*Fɔ7`&Ɖ	RsOLE85Q/8}&u/GPa.,1Tpp80#~u8D/ c_hpy40Ή!!CD@a8-d^vɮN	!T
UCCQSro`/͗Z
@P`]Kچv_iDBK_!H!~b`(
C	@p)H%&DHR31k$	.{%#6=`Ș!5+89j5ipsơ-/˩Ro:}\`t	@80$&}v/
z1*h*$6|	\Pu
&QbbB;0\5mz;=&4D/ހ Hq֤{YӪ]z:8!l76'	D{ ?L!?$Ǽi㽀9_@K"p<(ȫNA$t8t!!	9'$X{ew"Po+?ގA%(S%Q\*OW^s$OK5U-Yim테0-ᑪߺGf9r$갮uƵVU*KNSFP,./5f*l:|uٱ&L(#Ν}"e\ʩ_BfEocg;b3Y7Qk+pZ_+5N9jHhOĪVM;"EQtE1!HZI.JE
]q‹UzF,iH, IJ@giG["Hud
KX(Έ(k-8/Zc
+6487㸪ě:R7h>RQ~;Ww@<#XY1{Y8uC|F 	H$Xdg2x=
ZWHԽwcw~	GWuϮX[ܝ;kQ]$2g?BUĔKfE.JB״pʓgɝJp<䋠s8QVieOЛAF*z>9/e|1>	66pwUվ`ys85$s{72(;b$X`X
-8sk:;_`)ӍҾ|sY̷kO{;@=ءB8q'/o}gWbqۃ5eT"үV-O ԼCa_ocYd,4?qY(KzvS\}\r_$SP5)bi.)-+^)+|XW{,adNI<]}=wl3IBZ~/|z7F'Bs	{u0O$Rn!`T+hs^%g%NJ%e"ffE`%S߉s>W:bb6tC`&Qe@
P3$(}%}9	=⼪SSYi'U@UjXPՌG%ExՙX{\=1:baA֎ɚ7UV˻'(w;n;n`~õrDGaju%!0޶Y|EՇ[ "X܁Y3?QC(
ܽO!`+Ӳv,ݤmFۄۦtJ3*3oEv[.e7 ,GS#`XGԖ,@${6,tp|e]FzZgـ~=GV?K;Nu>u@PgCglfzui] q`rxvƝ)yj)S1%hZh..q0hCB%^F
,&͔s8uWz8/hڈCdoV#kĖ"C!PQ(
.T]N01.Lx94sH.浪r@$$h@aDpխ?+y[oA!
~~Vu?V;X{IlHlj.Q"/ŰcXg0"=D{5ie6Q,.E\>?<)[6Eȳ2X8ic]Qf]汏`
)dʷ\Ld/Ϊ|/˝['PBgf
2C-SK3	af8&󌆝+6:Xhڗ7;ǔov;w{gׅhϙky?WWK7G\`%gL|)Z>͗Ҵ|]g}bǶ3MiAZg.T.6}^]hVlY@%z
<#5VlC+SSߡ2my.`Z& HqtLYj'goY{E{ t疖oU1G'>r>tx4i@Ӱ=fi۱Wq@=S! ?;XSwy
`]νwl&m,Fw`d!_9۪
9uLwV__~e))Oլax[1j5gjv밊-x	f >:s#+=G#%e,K0Ka.#K;u
[j]UCZ!]Z=uSW䎨' 1&Ey5[#?x1+<>OQnm"U-jfggoNLJ(`U=`CZm2ErdYpkՉF^ Z
]b7"h/#Q>/l1FTuTAV3FٺWM-A
P0kx1iIo[LzA|.>rhVDihJZjB!)Gb4*IYDf1A+Hn@$?I-y4h鶥`q0B#P伈Uļ`b`?=n:>cb	!/I\$a$fqIBŰuIH-#0:.ZbwYIldY@AګcmUn핅ҋ҂c#`VUTQv-`#th6@pJtM5n);??)O;ؼE&|(̔Om+V.bu*4s&MXV	/4)R~&`(4@WXӄ&?^"ɘS+Q",KZ<_9&ء/"&yD:E(7lg\)=B3px^}4ͧaj.j.:|8S"y[dEA-Tbͬ(ĹPƹi*;W=;°{cZ֤2	z~af
?ݕ@Xgڣ-kWh[XF^{,_}Mbt2oŬ
OҞԝ;Or~%9f|~iom8KT3<yx!9H"hWiPơ"r[#
'\֒u`sGvAEHk4FZYrs}*xÏo?Wu?tzhºg%;|lsWZ YF^]^{z1zFWv5XeIX}fԌå9哝M亣政/RNkQ.ZVd6diFg~jLnP%g}px&g a"Smul77{s3қSC,C,Y!1!1'+HC@{[̸{í1exZgSְ4iMff6n@=P8ԛ]325S]#Ntu2&-0JQCp9.Jpw3:&55o!)^`lAE-fX"Z$%c/!D;80{@a>%C[#9۸4K2#fDR۟0ۀ
 0HŰ^bXд0u_	&HJ,;Dal']hYUU:Π3?ӻ8ȏ7GStqgpۂ>~nyQ- {g͸*Q)|MAiOyLjP4/"U"^"6D-~_z4]q.M̻4٥]AK,iT;,, 2dޞk`*q@A#@`-wep?k>mAs~,NIIB-deҤHxc܊+#Xӄ&f<ΘSX|jBqr?:Bpuk&ntb@!qـ{χc]M.Sd@\sR=yA5-{ؓ
vD8m~wن4Fˊ-/=D/I4-wZ-a)`6-aZ{|2tNh.;(썃|jOZM+JkfztFOgjtSjx4B@88$۲9-;uޖ
H
	wٔ-ӚMYâr5L5l݀zqKYZrvĥ}v*EAp \J*̾x(z>0"Fqiڶ$7
,%=,%t˒rRyRcekswf+-^;(U^}V=pG;R
o
cR{{r=60eA=Z@jYuF
6W tx>WӰP6
eX4Xoi@|{.!FAn֫-[/7=_M`iiȾ#5vZ_JonM|cu
ԜLK~bZh
JzדuY<Q"qRK-̲*;EuԠt~d4_XDX@Ć
zi=A	TMPGX3	LApNFp]w\P7cA5$*(:Xg1es Hm`z"9$	IglKHH"]	D6ezH.:aХPϱA 6RNФ66#R) 5t0h
ҡuHTuᰈUav7/NΎ7Cj[j=}Q cΌ=I.h{of$2_6]Ezd=Kg]{o=Kg3&,F>[v|zU1/եR
1Q=Y'$̝Nn|\7W7QCx%'9ۼ6#ZxoM„g*3Vf-9,/@&/O߹!͞aZUn[ZzMNɩϞ7QKRnPC)wJ;SekQWe˿iSFq][2eQe˿VFq#%e7?Sb_3,'f@"2{`ggdMbTdTWdsԮ/ljɺ-EFt+nzG
G
?d= 5HRTv	tr!:7i-yW0 %Hɒ24Nb j*כѐ?UCH҅t*]KHvˍܳ _Gs=k+r,ê"úTaSxzV~Z~Q@I2x.	R}x"볇Bynm)U3Ki+^Zr룸Z3@QC"R@m(>_NIlY	`0N&x.\6`adX]
sThpL-2Wg(9M>IW=̶aIŞ!0Ѧ<Ҏr6[&Ou)zʃ[e'LaK„>73`-=g@ELUԄ]S,R){%EW-iQU%-_Ek4i|IWH~5Ӥ^ĴҮQϫor4~T dT5Q9ȍZd!3jID֒:&M.2КkMٛݘqDPo)A]-P_"0'515S]{xvݐiCC?	`+x"b[Łx4TĦ١Q Hb#z]iXsVfE^?z)yeXo-YV=]yTu(M8M5Ա+PtDCgԼDE<5fQ34

1gQUԘ
ڝڝo0ʂUCU1F+m WW*/='xu^ދ9|F*>/QFEd
KM,_t9!O\7V}͆vWNǰi!xx)kZaEHyj"?jSk
ebdmߚ`
&
0c4hDшo#&ޕ?7]UW4
ր5`(X#	L.~jF÷RQ2Q2@Ld%	91S|sQ&@
$Ԑ63KNJ808bhzz*tGE.RsW
DP\ܧےu̶db%l>f[zR$&HYK]52;].)Tl)өפ/{6q8mɛfÖ]W^A#]m͒z20'ޜuN-Ӣn8/px.Hn -"kTy6$ޘ
J3hoOxע2brŁiqodÓik?qMUU'Hn8BĬL7cS	mͅRpJg,
b!yNGo>m3r6(jC^z4j(!N%؏@xǹãf!caw>ø @-t$Wڀh|A>[>$	gTbWFf)``ArB#%d}Th;В-В%-hg?1P@PaTϗ‡ӠJ
;,s𐣁The8e..d*Ɲz4οf#^N_\Fke#$SY2+c`H~(F[<6_q·F֓kB㚳P\s=x_Sudf<O6nOf'/Y!p(KkHQQ!5p[Gzo!q!!pCr6pKgd}`|ur^11<ۘo%+~e|B^Pfph.84Wm͜e[qh֟C7e֬9'maO$Lp"9e[OqsJ2c~b53<	>O<-b}#<_P7#$q:w#=8SS3gclC[cDT_PDQ%BTzo*vq膷=[8>
٬ER6+""fTt,k$h"s{^³M]}&i;ysk(}qur)(&ʤ,2/2	pNSv"1{BDl?x[_m~ޓ(p
_DzXuVϫߓc~g"6B Y(p5CPy~DOɬG
h[xy	
CFVEEcggÅ$ppuײUNW g8,8Rr%  Gh+o΀39SEuOaKSq*
â8AL\ZU˓a`V/߯0vߞ3jP\3Y⪗){ZIb<1*xcoz10”D@c;*;cNLegN3nl(;aAi|w0p_1>0a^ʵJmPzmhQ%^Cvo~vm;G-&#Y5ϫow$V,"ն^wg^Q
vkz(5A5	k0qwymyj<0G&<~77U}S$uG7wWQEzVq|9W"{ddb)+NWmΜ,F6JS8F3@VE'6;ob}˞[tǺh{t:S=>ޤopk\=9O!8/_Y6_*_.:ʼթ]/'4[
0~43w]4lIFLA)<\6	`Q鬺}rKmniݽǦgja=]IrdxB
H2QuGc
#YaڽoQݛQfpLacNgria
,aXh\>O@!3ku?]{$yM(Jj|PU Z.fڻֶa֮(	YjY 4k~D:.ھpjM1$S d?k4&|7Xo_t4GGс^@F #IڥuLk`uҗ=22?SiM DSj37ӷpw>jxf2{H {3L\E!3/,qȚɫHd4P%[!-7YmfؗOTJYmJ(
b4/f;F
[t4
@0bj#@¤
#`>૆OJ2 øpPc]|siSշ	UJT}rozP|$Z1\|>Y.	v`esB=t" eAtD%"?*
A.-@PT*L~qO\"f(%6fCyFG]?L+Ta@	3zmN0g~$EQ(t&iNR6Np~x/|.\}xD-jxDQYC@r݂˓ڬ*ð)L0 z
R>5NJ_M i~КyIRԒ[j^N	mDhᙷoJ8V&*6yP!TEx’-lnBmkāQ>"ӭ( sʀ2(MO1=nH?17|WfR3ʥyfnf"ZQ͛$9Dϔ
:@E{x
 G/$		rǸU@&q6ﴎW
*}3wR)HjL%_@(iw5cMܪ[%48P7Ze2HUGM~nisj6̏3?[҅2OãpNMs7 ]6HM$rv޺b.ꩯ
%51Ogf3zN)8)$ORU/
Vv!J2(Чy3.'dll	UjigŜ2v
!P8_!}:n(ԏ*	'?=xˍ_q9H8QyחD׀zdtg̥Wuk	̥&;T5UF69T9|-?e(rD#y2!n>Oq!k`E?Kr4:CL@ !J$vd眔.ݡ;n'7XI!Д46J8rcC1
%|h4=oՓE. 덫",
D.)bΘDWSә6VsFwN$\bA976ȕ1h!B@)	Wj;\DsET+_fpDz9\窋|#4kf7zQ|V8Ad+[猾b}lgbt; s$ -E
F%^0coHf#t=ǦGUny(8NӤ|._޿iR1n IUM-)}E"(㡊ꛕj2O5W&2}i_|\ȈC
u51.W4b
@P#E
#.\3*{*
EPA; YtE.ڏ2q	aj߲"z	{XLӌd#{-ToZNúQ$Vٴ,؏|DGJU¦51%O;$
ɧ<$NݙX@@5/VEW8v*^TաԼ;
#Pn>0[oqG=P^l]NZuEe6Tqaz߄fAx||i|vqj-k}Nhb|/en&woG؄Ҝ9gݛ/D$y$< YuVC7qs>Zwүe#IIE7fɇ"eպvoqMȺ>+UhhBx7crc+
Ы+QhV$-M@Yk"ȭmQ"1(%E<"^H^GEIp"	۴A|s7OQUP"N^oe2	0iL+<֓r|H}a	NtX&tP&'zi$a941*lYSs/Yh7 mB-4ipk> 2z%dʦ>3Ai`G7ogiw{
lzj
L{0z䉈tiV#2=.IQ3onAnU[`Ǒܐ[^r/
qE>-ov -Pzix#ip}
˴ nH?-tj+3`+V3htp@|ɘ:Auҿ;]'-2NڻzdFjT{6(̠>M u܅gK2faa9LHSgpNDXȄiw	C B0DDI@kw,THTtrF4#>(^'354Q͓tekaZmD[u֡	4Gj$zIlwl׈lFj}$dBխ`0cL`L`LLUgR;SGթ.5DVSJ```8 H7=rvcBpWeڳEfot`^2?4y}܇Ap@uABԧAqGLy}b*pק(#aK5?_h{'Ǵd
ԓZJDĜZyL^f5G5rHCѐޱ4C9<+;eU4:r&ތyw\S*3|qC'_6	vwm䨮zV\Ex>|^4ټI;&
rO^5B7VIw6p1A`ZP:]7FL|KCZ6snLbEp#u_j
|b-[gn*`1Lr{x`	c?mZg$ƭUIy_EWtˍAUyFtF1j.V .ܩy!B6CAȍ]/ǮcVCVg7Ӏ*شZIF<"[Qvok+wEqn)G./0^28UL}ۋP)n'8xu*?+ҷۧ:ilݳ|gB໹MP4ɐg
7,_;ºϯ+016ޠ	D*!Lx)
n,ʯm"U	i`aPUUzBTTU^ge^yRQ@2Z}!}gTr"XVvqVv.#G Ovݲ'}mX\+;/v(G'Jׅ8:"t$=	oA>G'#wOic+NSح,^μ= 5u?=摒^IDZMS>T:JҫHV$^:@|TF	g@ɩV-óϳ'J<'vgkɚ<|(i४u^ܛso.Ѹaf׈(h_ؕ^1.Ru魟n#ZfRbbwN	?([5VdȼZ%tXǰ|nje$^'?YξF}z88Z]П"^1[J2I2Kܝwo}q;^B=5j?`6E{N)XKr}U4ՏvG111ǽ`8?>E (Oڏ)BQgzF
_F5G4
[[S=NXHݻ7n(_mpBPӣ3yDOݘ%fd@[Zk].l}D'vʸNGZ
RH7Bu't3k=\qx}sF"-Іr^z͹Sj=/ý3@^LSkSIݪߺrZxysu)SE+]x{L:WGVןD/XmC{R>QZ|Ժ	wӶksl=[6rͼAR{w?Acd"ٳʰ.Qw*}a#n]F∿&m`$*.e}G]l{!ՆIǵ[`WUtJYrV/F&T=X,{Q6˦ٹ\LR CsmQth'7@7w5wG:LK|εfY`aVd2{Z5dׇˮWqhe[m*h2ǫLSW3-xigYЏ"™Epl[1eCkM$5b&
h5FLYP19XyTazg.u%pu\15Qe?#C'2-S},m[
 SerB_HŌ
5}_7ϙ100ru(+dCX¸¸ryGe9n_BBB!mZ)© ܔ^nB}zƠ  rn2Y|Җ7)K4CCC@H墒ະDxo§7caa9[	#1QQQ,QD=ۗqߓ̄O۴߽m 1I4+Q?SijdL3#e,^Wf~&NDPYPFYem*߅?x9%t"uJyk/<ʽUALV'Yn9٘@Rd>\IƳ
ՆJz	p}V{El,c_
TPȳ5ADBMɘ	o."{ICp0L~ 8;["Q=7j&83g}^K(M]=Xi;Z<|2M>s?Zhۼw2~xI^Kjca	O|b_	t՚)`&OdGCH)cFQAicoAa(,d??ƿ/
PZCPPP-L:n(R(чW^AڧV:Əؿ3[#F^J^,sz	KSҾsBGH`cw^oW{.a]"_p3QG4UVV֓R(s?(M1nv#tH8p;$^8N	CWfHˬ;^fySΛ{R<ճŒK,ٴ_g/vx*ޚ54Ʊj2-xTJTҀi
*djƞ`Ot
pě|?qUgDAES#U@1mdQG|KiC̱+duރ{<8:&q-I}(M9Ynj~*~jwhų}+ DWQ
sQIKu1{r݀={3_IC4mr&r|wI\ܽyڈ#DlY(qFdX,`Q`Cqcg``8oPO_<ﭶ;M k	0ڸEb3>0>0>>((y!ցowH$,n$x*B/eLHHHt8$P̋|}$rz7LCJ3f_ччH>a!h%s7\300<8{@sB'hH9ттb#<ܽ [eMN-yYܑ0cbb:'b싛[VVVIVƍ"mllcAZҮF;<[2[5Xs6QsĖΖΖU]ŀ
NS(Vd8`8`88)88(`Exۧ=>o/-\~]VKUS>QwQvuZ.d

ԚA;
Ϩ#7c@a@a@9#@q[ɭ9"N?yVb$8WTDrz7A34uvY̖aÏڳqUL 1626'/__ՂRt^y`P_oZe.?j!~RF[mVK	jtn:W)_:,ƖdXɰưưD
˿V?~v؀....&PLJ9~]3Pht(:!:[CD|%aɜ20(0(0(\( aeύsxׄLL粜PO()yz*xJ\‚[#{/$
P=P%E@7}eR6H,6T֮Q=GtzdAOQehG/Z+>Jo
uGp-s])㲬f
ݲV5tZ x5X+w'UBuzk?|ĸNT'EKܚoau92Uƚ|&cL>W&ɳ_qnƹU8έ6kUP1.p### VꮚP~Vyk[8*[|_=a%; uܩEY@?dR3^'AI̳7Td٨"_	G!L13şff	3PCi4`Ubs_ryL^1K%4
KƒDaQUD(,)*:D@oUe(V[ŒMGǦ:CTgTgMutؤjPM%T3&0&0&\	&A4͆S
@flal-Ɩj[*-cآA jmgWBmu	FqAKg&0{d4ӁQ6J~>3<W臊^]E/c!C|blPZ6!H}M~MaC,999y"Ckٷҕ ;RE0"Gj7LƓf@U]Zcd;b׵
ʉ^M;$˺CvxY7f9L=њUN0UUxKX]Ӧ|x&kQy,v!>J{G2)kU{V3>ﱬUxf
5X+kUIԆK#=]uE+4_7خٮٮOq]޹]E֤C7EBT^@L$25qHycrM55554T
%@3ߒ,K. سLfbb:Ԑ11e6!^ELJߢj2!سRf@b@b@: D̕b6d_x_Zxxxr>xڼ<200^ԩ>g<;#AAɂR;at#fLPedR@93)ƂSǂwtV!#g +5T.mT:pY.u*gץ(wfK]J%wdk?XL4\_o*knI)ӝdGvܭs=nH><nJr^.׼Tz+wt{%u|%*WЦ
|:pn:ܦ):;6$9mAwqJu\}V>dЇJZ*M9+4WqCLRJi-%%%˚Ɉ,UŘ~VY*o71n|	dj!y(#O2tQ"xet+WyadLeds<#t?z#u?-YTGt'Ѡ=_sHvk>Q3FRRډ?2Zo+ -*(hTM9X?~G)07/<GK5
p+ZaU9"pdShBӽT5jƓZ2]9$?}@),"uLAc9.h
.	bBC&*9 
d1a5bjL
YT܅焩
E"
ȶ="Z֣AU$
U*T)4+jLim*U9L5Ux~Վr'ˈbUMH%2,0(oUQT$b]C8JHL'?QTz*m(0[BCEG`6?eoRe(ѥHjP9R2'17	肊r|I4ˎ2d\rNK5:Sa/p*lHb-5dZwuޠ՟p.'^P&(oڇ!
X#zCZ=zfU'vOjifچjJ
u
)1
n9f-^4'RtXdcQ+7(SC3!,IszŹju5&1v*?e
3~xB1HLpV:lhxZ#HΉ
>MI4)QI6
%l+`&*ߞ|E楫n?7VֹcF(tr;vp$P:.0oZqM_*#}S8UAp܂N(i椝$t4<ҤH\1aHEsV1E&)
1a5FZ"^2]'jZ.eI߸ZǢOz$ZakXN(	BDћM
^'L`g.0PΤ1lmޯE!:QwA-Hm-^޽҆"6.-pꂱ]0t
]j,c JC$|X>	U5BVS:$^v5rY'(ז͘IMJ4AX
W[+&Eߒq+u|%KȻ]"Z^RwںK ]4z.o׈AUIfQbQ[F{f )z^0VuCI27x'w\фM@lsznT8:BZ!liRx폮VKkeRfۀzzhƋ1`Nd	s]y
9
6_+|t?aG5FU_6Z4
In韂/aؐ*P#GsP]d5vevwQg`{̈ɣԼhh4D#D[J˼
YUVWM[NaܕC*@WQLUـ99kVf!kqy!CSɭ|M"eC+13.N@0xeo7_>刲喙Fܘ*u["IaD&;
9&z
7גBG^ddwYv>d-=uQz|ja26Y0
z><S&{cg$my+b`<&Yʖ^VaLLߎ4UW}ϫuUg@P_&fdj}'07tQ|	3t$LeaQd(fTHNӅUg;eDǭp}Dz+T*DfуGU잙+d6{r¸ݥ06iL3f7sjZ	%^VءJÞ?GfkNN}Sv
ӥ$heԡ
X/sr74DA;G`̏<rZAYkeҬJV`cpU!k[>{i5.e!ƚS
:4^;.9@Is_IKs)T=%ejFFFV>9sfaa9=1,fC8vM7ס5cpbpbp?8c;ۡ7lll'4
QӀuv(ٺdff>	Ƙsg3,$P3Rm^ӽGZMym>=^"""iwALw3e<7М,A"g`GΨe/#Lw!!! B7BR1qA@` |)c	c	cɡD@]rrrO}_m7<ŀÀÀscbZWZc,`,`,6,PFT{b0n0a?L8EƄ
1!UU`¬>w7.xs=	Ap)WOnH<llc$|̃ؑHHOfbb;i)HׁDPWLBj:gJJJA0E=c``ĸ<Ġgn-ψˆˆrN]%ju&̩xgfc޳NGF52)׮``O000֕nǰ ƶƶvs	![蓮FNʴ8#%
rwR>-~}@V%BuR	ī/3p&$PV=	UݓpLL#Ƅ>P b_o4oԻW>$G\ZJgj
^'F?e/Z	EKᙰ_!zˎY{Y?Li{"&ih-Wm$Vǂ޵a	ObYmg^QX:v˥1
%ud6ao=9$k׍v[\W'+Uq|6R'aIjP	m/_^mʹr{>WUH(~: d<ϛEj"%BoyWb<7>ZZ
&[WD%`lo;X_e^Y,u#BI
TW"N.^ɡht%UtlTKyMErk:y6;
w^

@W%N{+»<-2
ObLT\aK[K5:f5[2[5Z҉O4:(d {|>p^e$  Q=$jMf@a`hhqqq*patWhG@H"Ŗ#RX$H#!iLkj/[R`8ZnL9Vܐ˖Miw$]Y*5# _M&dgUMך	Ul;{d.n>A Xiy@[nB7IӺ$
+dIr4&NJtx/7r4źuxXӱX]$,Z?luG%`B,6n;\ dAnUFzbJ0苵+Jm:\\-\_o=dew0C	eaa9$rؗ\Sta;~7/ߖif,wThYAњNCvOsRA3	Ƨ"̗̱Re%l|knٔ3lB)22|ɇX"9?Ǎa8iɩ[Ӂ}jI̓&4`%	gCd
}p6ԆR󼞬ͯ)={{yEH+hc:J/Tz~7ܦ!qTO4w6^6'۾G+\G͘(ZԲoj;d95u3!Q	[~sIY2|ȌC~E7exE+B-KizEJ`ckJ9Ͱqb&6d6Rڝ&W
$V7[l- ea	`A9QvTmT(kJvCO6*Xz)[ۂZmY!VXߐ#Z鋦yšJ۽u}㼏wXW~Ӛmw(mHavChqӟp/Ǭ5	mPDzD:.FU\M9\$ۜ].ONmpq Y㿟>H
5,PAԋHA#vwLf+psGjX}18d_gY``5*d/.A]u}n)E5PRr*K0N8'24©)\=W8qى_3FXcp8|_!1~DR[7p)eBgƢy=5SlKF]#0ѹJ%N$R9KA90c.z::K7\rAf9E30vZ]	CCCFoCeD~ uAvglllbbٲi1r%66Q''`[{Udddl=Vvg` ezO3鄦wB&n}0?0p}{{'D!QuG*fPpԀ(w ~,%=caa9:x`DDiHHgH
'^b%,Fqo?<D_xķzǖSߑ/ST7#x]^|_ms688]$D%{s>q^Ũ,*=#s:@@x7`zތ8.ׇ~:txxQz6͹2ioj$#nxrSGE+BͰ4,ӇC
R
{sN6cH6^Zkԡ[v'a,CI"Iz)M]:iC+%˚Y2;@Zu:'Dre"&&&&TԳt


r	ntq#zX`gl`l`lDl=>cL`L`LL[+2cT`T`TT p`'Rԧ6|Ƅk;Oc			W	e{`Ƹp,?c\`\`\\VR5WP3K~z=/݁`u<7S]P0ˍ:>;Xԅ*3
<=Z7ǃ<`aa9QQnTL,o?MֶJmДR Z[ɠ4)SI"m)CA6鼑Қ7u"dp1 SͺQuϢڟp:"ǰ!jGi5|Q蘺MXkeBJVX*ZY,kkc
YPj
kS0404\4̛jޔeU@ۣM4Ew%3o;2lr2PX!!ъH0E
lUe~/ya: |Ͱ|N펱M@9o?%`[Йy*h@k*Y0"U!!!, tl



W
==tR:}&ɀken_᱗$K‰u(yu\F_WLk(\9:
B鮨m$KX'ҭRXmĽ][[[`,z^;BENXzNR
R|I*apapap9%p,>Đq)1X	5odQf^
(A$%?Ml1W4,C4q!Uҋti*&C)#!#nB(c!["q!LCQZLe?v_C;xY
82ktX}.,N;4.CeZco{qvdbmi:VQgCQF&M?4'uFusrw7ihj}B!k7ONsE`vb	5;OfW	r<*vq!P}m=WS,\yh
LֽJo~nQ7\7bAKc|z9w'o~%w׮޴x(ujpa[+˲N9w#nr'D\yMo;;zmnc;}bU$8CB)YJTЄ`ipLzo+P-V_$A*ݥʝw[[V	3	
Oᛓd; z!ΓMYyt
瞼hs[ԂOP|7D.6:%.2zDEHf򤙁e,s+G_~>xQ#y{hr>]#\B$es"3y]DTٴ:A`IƼ~xvY.USzDOtX+NJrR^z[m٠3=4m
*f~h`H{3U|VxW嗟>[9(r8YF{Bb\e:AMQK.XE(Jv(&A1F6qxHO~léB-f6H%8s$(u>.I#V2>\
$<6|A];tq(C ;sat2E8X"jnZo, O #Xj!NE4zEZXLIFF^C64)gQآ)Im=hs+IhdXъ-sokM
}J0aXN C
WPܜ.n&ETar+Y;ƮSc7T]Ո@|Q'2NH$]`(`)֥eZ9sRs%9N"1VtVL;EZ`RGv.7塖ϐ3Rha
yPt*ښi2Y0-yp`[63904mݱM0g0AFd䐅io4K
Z:QKF1!H_ Df(rYA:N(U_F
Y->ݷs#"9<o|ۊr$222؞غLO	l/tmqAk~޸1E^Ipi*nG_ݳN52)``,888pJ8P6j9aNOzA?<ܨ]eq4,3Hfና[0sWB8uq_
o]SG].DbՊHCߝad<	ܡU؈؈N؈$/% bHpq1H7gm/;;&d։b(D1006L14_@"#[l: r_žF1+J`I!EM5FFFG^.140404\4P```p`` U-DL"""."i1
q;Yr$g=P```@_(((.(4e/1D2D^2D:u{MMM
FHl|p^ggS04{Ld)[yax(p䡀`}aj%C3;;*xvv%0Fpa6cpq(jc:\m4rW{8DCMʮȃ
ll'>0NvבOlcU( [~#ryWg{63>{W339ojxw?fFis3t^!1z~{Dj/Q{{=1 -|oiNnSBucuf^.<DHC$}:*h紨.(THB*Cv5u&fڙ{lPj&De#5#79`NJo	T\֧ծ{A/ԝ{2;)X|.C1(Qm`%%z,b$W^8]տ@tdNҶJc@~sJ~EM7"FALLE2aWHR D%iٻYE>-I%2rU'&jde9p@oʔw1ct`t`tpt,U*gL`L`LLP(x(>300000\0yc120202\<2)W)|43FFFA5PVi5Caaa*`=W:a`58c``@J3&GK6|BQ8
n #
r|
("F}ճG:sDg}(mʜ4()4sBgnu|٦kCP%UԊM6K*}/ԔVW%fP3јB"CCCEArh̞g˲{l0K16|qȡs?`.3,܈G4!t-5` cR	k0006L"b1*0*0*\*Lu,	hQoTEϜŪ^*X2Oh/fY4! \A|B"U#/kHDɥD5s4Hfyr&b;O<gh/(kT,Mv)3ɌXvc9OiᆇdAfl#j[i
oM6wj,c©>^ UW{GmY;qro#+_sTdӶj`m\!eZraCRfVYW]XFVqQOQإlb1@n52p6NyۦKeNlYG.UGYkê79tU(>־II
KgVDAYYXLڕV2RO*
=gXW-ӏST"BҊ4(.~'iSO)ޤO?M53Ǘr%G*d[;[Y;Vև)%JFߒ*y{`b111`rڵH팹B]{^i`Spcbb7k9R}TcwыV}CLlsampA17Ua&~xxrB^mWB&߿gn.r^m"F}99l[2G"ݰzjf;vؤr/Vl{8#a7]my\hN=c4mFH7F^5HQ5>-S2obXʼ~jyS)y*ԵӖR#(H.s_^W1J~y"{߿ļl[ZH?*..&N?mUk#
`}7xF6.iK9oH^3J0}DظfsYʼnҟEcO4אQ5WD* ;$QdX~=u^:Z&Ƙ:ڴ=?ݦ5I2՘fݗ$tpL閌mU
[ԫrK.0JWɼ2"dp1^V25oPl:***iJh##%pd󼼟Mg9PsB!UTo>s)涕BBA"!((
[l41^%ԭ.''ӡ)@J(VQ@LE jL  { n\D5MƁ+u/9ȖjTJV7>!2-LP'}7j7)K~/z;6QmQa!J[n=Bۓ)}w/d>#so߄?IJuW4p͇rfb9[Z%ul	C^?gy}mkvInժ־oO1~v.x<1e&D3Ɔdžܐl[/JsOֵŭ؆q	GƙV'I
wW֮k
px"vSf2d)1|k6V=;spxxxɪVJEJ
hW{E%\KF5WI'6(#>He\>>K!e~]'W1SeIxjMv]-}|=4g-8UJJu_/0=ZM._j@qmb*|q"̧a>'AUi? }8pU,lМ,QՏmSm]^S)a`M*Fˉ^>Pfiu+5j
&CT≫IJ=(W|jEZE69>u]}.I6%!6IE_(^Ǥ3ٍ'yN@,*Qqw"?=|5м!J"?#35=&R8N5t#e1@>jG}ԎT׆J-p؆4́DKNwcT`T`T"T ޔ{ᢑ
%*#|'q`ǪǀrzB| f\΋VytwK赔*Er7{\|*tVꋘi3$di//](KV`/}_&?~Ðs-VͽO[Q\qj9д9FLQ肌133s4VѸDޛ3CFFFD !U$%,rlHhD
Wii^ DiQAHKA[m[( ӊ;^fP`P`PP@!#%lFM,~:ݽš$ERWYmM2_t4[^\3h#!lSi[ܣc𳈗[86Ø	qwq˵nvƥ,ro	100G`iw360606\6(gPD7X%3

Hv@@w&pM+}Ŵk]&eVVkI"WIA,I"nނP 8)|PSKQסϰs^h}ԅ}:Y5gJ?<aVK^-VO0K7_i2<:=opP*	"?u&_d&b0A*I]'PcD횺7$$lph.RtTPR9<ڄM4{Mz
DJЏ΂KZ;;XݜHעɤ)L:OewfM!
ne!Û"2F{Dj55i{lU晖ؽ?~Jn+F*T+W660qqqL<s;;#By:hbgdhx&+k,,gdT4(w=^zdQ
͗b"E_?"bg334fz7ἴV`B30LvQPWΐ`dd'"u-Ш---PA{^(=o	
tw֐e:jMImFom‬ְXR]GyM
Rֺ/SGqR1\1\/\M\j
urA7$/{ֶ6	v*fR("?Zs
2^Yټ|

ǷnYBZ|Dһ*2TB2I_aUA:8SQ0>^>>cBʡ###!,XΤ]|^drUdnBE#cP*cS6###5 =_$zjn(6&K"Q/O!GyXyP-tQ*VIFhw*/EDD&[He撹
B_fx~~^pg{AOϥ?57_&HofL3/ݏ9^E+-Qw5F$Oݎ_*˖^ڈ@D)ĉ;m䝶r#Vn3y?QXPZP+b^R/dZ꼺dYU>QqKಓ=s:l(*}d 	{9-IT/{d9ylG,cLL:b:#.*;1U?FqQ.eZGxXTJm<,aJG
UT$:5;4gj2*C%BvizG67(vIwXf
g D9A>~T@|m ;lQ!/"E6T$z+L‚5]^S(XJŁfi2$0$0$\$nE;D`p`p`p\pPKARȬ4O:n.....ڹ@Ef*yWi*uWɲ}p{OW"7U4)ݕp+DXG'JPO<Vo*)%k̘`S<$Ɗ-bE9`#Y"uh#r/v0.0.0.\.Dndr s_Sw ko[Y{E+Af\zH^*ŨnIljh	>.=1	AP!қWŷ+oo~XfWw㘫㮕uwWNY/oXd5$8s-N=+߭W*z^CfM}Ko"O	L>x%U|~wT&|,X=ƻ	tOQ5Y]
@%
;8<3SyeOV;k2x58,]|^k$p{@B	pAP%T^0	xQ5e$ jd0_…)vЏ]D'2v}Z.~XBv.4(<0ʯGS1euIѶo<ٞVtc};333_9lZ\qN4Hhз,g2K-`}̼r[8}+W[
FVno
|+ׂ&gSeՋ%8D;Rk̵Z
RRR	RTռVְrpKFJ#20*CF7
„CO[斥faa9>(y-u2R{-S
4W9/
o^"c0/8Z1>1>1>
ԚN:UL`Kl=vlM<\7mG6$
22UZUɝxdr7*-LO&꧐F{gֲ^Rwy ;y|MnV
{^宅Jz'`OT^2+gh7O;yK! TgRc;y
y܌>F#`|j~T!;^YItWRގΰ?mgC$g_qF|(?}Ͽ?m}­ܸ_*xiܚܰlc3q.sf)tI{ܢi#|".!oFtwC.q"	‚7ErԢsn7;FK}&GM/ON}Wф=)89A>N&hϭςYf`c9A{NIL[S)&) )ϥWU
k}=p%=pF663rkxxVHT[&p%d 0h`4\ғd5CPt(,NU:L`&0	apfthr8oZ
'M^U*֪yL݉ԨU3WJEGy#۪xjƪǪw:l"P}Bi#4ՊZ
h i"35r7LaX(\`.\>W0k@Ofpl66B4en07LV7.keN0'ȉ1AP3W8'2zX<=gNt
t@1Q9I>J0Tf݋NIL!Ӄ c:1=KN%LO9Oz?!U~Dޫ||E6{27{(xP'o	@b@Ip``00{@1C4Čl7cq`H~l`60
3``00潺_nEMN;3?Ks&ArrjtWFËs(
b-?E4ޙ35fsT?mH1	ta܏[ܺzٺq!w7iCc0VwTN
QAyg|iy/F-/Z]FgT=yYIC6)W{YgU22eSljw~v=ߑ}
I~zɺ+o}y>]Cf,ӫ7/=vbύY~N9V^|R珍r[h+lt7ofmC@dur#l:3}a	ŒѱsY]lJ1>6%bLBysC9hicb?'ǎZH,D~ȹx8ΐJb*1fJ6օ{$P\>z%;8N3wbK7*;ormʷiPrFQQqW;~$ψd̊d?5 y9	M^#Q9Ezy=/qe^)eJh:w&({83EV
:*%O\wK)~>
<5hkj,j?%
TfBǻ:d'Inq7V>G.S)Y_|9^,5a}%1[a#l%6=B؀lXK#i,7󒇇IWWZ]w	%$njO/zlY8}h	Ax
zRt_
-^I(Oh51	:KSr9i;\ˡ}dr]r&`80ÊyrP`(0
tI*_QP1Ďc,ZYkR7|)OZ?D^}7UjԓͱwLJO/}vىˍqsma]\ct]UeLr6hx4B2	L#AJpGU"bz@|1m6LUC:p*mʵEIǚ/QIҔ]KбkkL|vv'кؔas/]h93ta}gQCBA&~!oTN?h@>9,EԇC(u2ȓA%k"S]m"!6,jv?tNpY\iV7WJҬmV_ӣ^{3qfތwoܽyV+|O8<>B2#';D^b,9_$g?wDSܿs:7z;c[Hۈ~X=z#\zG*CkX+^;"yn&fEO߅4mksIb[
D`"0.たLgڍVFKBHV8e|
{`ٹp3}1YY1O7arc GeNO9Kj7!5nDk\lRE6yp2m/nsp\H&Lb3	̄glc{^_rD35m\V9M#C~WrC6B/ìu;eSA3;Q1/o
^u}7~W3171a[ݸ#5v1y2,ŮH*yzlz[Ċ'Ԯf{~]DYx+v8+*
sz:~?/D8-L!ҟn?٭πh3'kEd'EٚoX)4VxPt~=,nNsn*;hh>ӨMAۘr̦4d3G|#^3wڬiT
?BzBA\.rM
g~Y:n~ͯYdDùuhmrZ15k5՚ejvjZz;f!p;xal!<	
̸IOyѳE<j|e=>N_gZ3[18DAjߗ*A@.7MXXpL|ML$;g?`h~{׌%6²Bļ0Eҕ[+!kuk>'e'S;|Un=)d5vNKw=?czIY[tvcƱXy*w~i;r-̗"&]!wo+|$gt`q?μ[:#`y3d-oǻ/#N#dk4>ގUyh 
BMtp}j%tfCήe5CO[F]3C^xv㵽@eg
uL0?cVo6z73R+oZawnÊܙBTD;;NJga}F;1q{zѺtW#^;3t1>P^4ǷdW.WʍS=wH~JG:9wYKY:Pj}qɈO/0g[Qf>3]*ǹx=oY>Zd,d>qzw둥=k~>9kwHf(4rvr^Bː{TC/J2@McOP*7nTj'Q@^H$T^9$ s)0*)ŠiX?<j(zՌsQLڹF1SQFǰd3%@ۈBbH0$:dp2„Vo\@ϴx3\⅘C01^`[Cp-PH	rf3pLHե33\u39*:C:9sgß
IϷU9ʓɔsx[qV8/ùw!,NHyqYgwf5~qVpҿS!/4S[_OYi72컑כoOo5fMlS8SԆ5Gr-]ӜljEc[-mޡtͣPay6?7s\ 3 nBdu/{Pqƺ0u#*(w+t
yyCڡx?ifuioYw5NJپa֕v~lBN+v*CF~r.;{Θd4MTE2Cl0A~b4MMO0Q[:[qÓYJvɬaXpYpLpyv4~び>gwf1į~Si<Ư9'7',4GF7(:qrY@9ƒ[D'+I{r2>BGזWw4놉DafH70
k@!2=(ӣw.?PKC?Et'gT3gy8LB|q6m	3\z%2!cA聇Y$fx6rm VpKϦ,`]o,j{5S{àrz<Pwxtf1]H~	7	\&SCh9>f}ܛU>cdw-4ژ_^K|m>֧/"==|ƭ_Pq+axvVHZSMkMG1uuT@sr0a40=ReHQe62Oyz=e0J-RN" 0":<ˆI90?'~Վn-m׬L\{XGYGYG_ޙ[VfVfV7fUEYYY/D=O/媎2
KaCx|ˠ`P0(.{K[X:c11qDn4Ttar;
R6H{6Gq]$Mxl߳Mx$v)9mFVvsr7&l7mSfʁ4͂c̃5d̄#΅d
Q>@4*&Ҙ3i̇yCM\ZC?aދQ;70ƘK/L*p	ps\.uuuTڱ3+aj1j4Lå0kd:\`.\6?62-LBy`^\/ɁogL
TVLf*N_~N/?GoGI]?_ǿ?ѶN‚@Li݄gOxO5<ƫLgjXd-ݹdzd֪d'R,Wqjĉ.{l9G vMŸux^tSI&wS44@*iht^;Ixy2<\xv.
b!q@bqn)9xy/38}%IJx}-4jezKz\ݬɪp٪#l///{ęBBBQ04(<zaIlzAf/zAʕO㞮{Ys.”GYY/_e0 (QÏF7uO\.C"yz8 wTZEڀC%X	S,2LvQ/C@Vjʅ]jE5;r7rsWS.6MS09 I$`\	`3ub|VMiJT¨ӂ3b0m6/@LNC*pXIOZ4ýI2P6RR*U~&d6<3*%lm);2,蘲EJns-Svt#ei#;h=4ӎihwE,
|~:qC1V#io?_@{L7`S#lI\,i6hf#;hf=,2i(comZZmta<\*L6dx0d7aQSs`<0fOfug,lA
cu᰾	N#6?MM?!py9F13X~˜`N0'.t}5Ga.'yzB3O?kg
Oz7DZYQ띓ԧLL'|!ty—	_{v'|iFlliDcDc&Dq.ĤNjl2{*2?*Jz53Is:ps%|>;_>}͇_zM.u~+zzퟮ%GltJʿ5
9E(>Ÿ%~4ð_w*>Cgt~~	}J:'S9ר}?MuX@l3ĝ
<ը
'3n#1Θu@GoϘ!lEDM""鰤\`.\8Fdx=Àa0*HciA`@\0 )ze[[cq)8̄:Y}ˠ`P0(.i/挏3yz<yJHGJ8ǺjAs3s|`42-4=HIAt$iz4=4Jڤ>B1Eq.I(fdts(@p$2&y(
X`,0.&KC̐!^b
x5ⅹ8E2
̆bCz"0G; mb
[~gHk:F(>U?$E{6A	sU|/4+'[y(P]D#ljڔf8v?oLs>zsYNfk%ji	 ;0⹉.;{%]ŝn6d~!Il-82Icz#3X4&,72AcEfaϘٝ憇ox(ptegÔE_
c?E,B@!?CvOA,1T9?e<_ɷJۙxS%Mw{S,Cs)֖c^UYJkǟ0ݹ[.֓)z\
"6\SQNoq?鯯↣v}==(8IE'J	{7'D8If廓@@ydHEL9WʛД7=}ZH'կjCUD;l6H"Yճfs?Ve$늿~ de~ <]@{v?
>q8%"?@*fAj7A7fBBLJȆi'RizVw3̅KB.3<:{8u&	roNLO\cD?_}R_}*bA5Ű{7i^LHu)W!fב߯L?Tz'}q)zW
sَ4(F.;9瘸VOGk8D39.9Y/tlc)9T?7|O'fLQQtSG?Q0)ڕxj=zJ,	
a\GpQ(*l_i`ѫW@g/i4aNe$;Oɳ=ab<."11"Fzi}lH`H0$.Cr_z"Hd٨A{2#>{gT52EL i9F̚eԗ=)4=j`?z<@- =97BrL'^<ߖF
rc <)uSpZs4h*`aލ\ّ0]̮k]e}zI-5]yv+_!pΊ`{.ԨF{_#Ԋ]O]N.;SkRk׺WC.;f!Qveڭ`:vھja3͜m3I[c161.\{yD{ɱf/B:ZGC!az1lHome80K-cX,$f3͆euH2O'̓kIrV.)T#p˜Ntkۦn%/ukvߊn<-ujff)K\Wjo
T0^󷅱on0ӖMDCᢡvZq23Jtq!~}Lq:3>xtuHF_Ƌ>b-"j, &aDd="5DlƈEa_WB]c׭$h7H)4BC,\^Ua7Awq俌K+zC˵2_iKΔgʿ-IgididMaD͋?μEP)u
т͈ҽuU-oTCȵdlGGHvcLJJU+e{cUedfC<IPdadK8Ds<+ow/n`@z5Ty+_b_w;c{1?.r\r[6_6He# q{ԵO;јe -7mg}Ľzg3twyz|Rzdi2#/ҽ"iflK,mZxP}ˮҾ+F2lp}{_Sw)GmUG-aRo.|w:#u}߽Βo
_K=9YG%3I+O#7&>ݪHnɢku?Urz"b*B#AMe.0WDžßTA%?=/;!/	ӄi
i\Soʲ]Z=a0Q((PW2
˅+23(3w.?PKK?etÌ3xF5s.U}ġ66iQ_̘EQғ-1<6 RF<"1ólg4F!O f{(Wѷw0uJfv#Iz4L-֑9.wij"<ާ4O'9g׍nR.n1< Ip'p~ra%c%{cJ-hUY} ~Qu_3%Zu&PgG{o#ZZuV-;B;B:Be/[1;d11LOǏŀ#3ypiB>Gf.([]j1e9-6e|KQcxisdKɢӥ+-Uzv0twZno8;;D}woԾZ'!n+xQ Suee}P=˪Ếo]O+|'a,o߿<377%=@?@>f/U)=xh13FC
Ohee7ˏi0`0	Y\g<0ìMCpPFȬ`V0+^+8Gyq!'[2)z?>}?u{8hglaj6pegdcQm/D䶨*-D
QHwE!S)jS粪3!K!UȲC[MɮʋmdeYw,KYkY\;Ӕy!;YTy뺢m*mZcU#ncMZӘdCy5UQXJOCOF21.3B9Gu.
 J REREпumfd%d㺺6˺&P*N_$|C
C)NJN+TY&k24Z'_#%*ٲ2*DR;)|ʺΚJTeQV袃Fۦq>s%p6?PVRm]ʂ|6"+QwBe[SEmQH\*YYe
uӲnڮ(*/<yK>Ѫxɤ
Sc3Yn/&e4̨3|$ZgPۨw)-jOBu?P!ttmZn:#W\QNʼ
UWlfU#"k]Lvdm|^DI*WVtitdK
";(r}_rKm~/%72ԃPUWz)k.TM0w"wD\[\W&Ee\wDb۲kkKsU)uW/]5I<ǐOW;djQ鮒E
,j$O/y;MI6D5hޔ6>x@2b4\Z獗Nģtȋ_WSy^<ȳVK	z/	̴ YT(0.+84-DWhٔ%.z>.PQ~g.v*wF Ѕ\+
ܣ:E`k2ZEMDh4R@OF5L2M̨@y-Jvӭȁ-(*PC7r}O٫pQJnԠ(Zե\Veȧmdҵd-Z ;D!
+|}jFxC{t
HDGW]`٢c>}QGΫ",6r(Ljk˼mԕujjr(EeVɧ	m"Bǫ
:#xT5OFF	i+=zQ\U*|>M8?YٕNtM:ctkp[F qJXTuC^Q6)O_*}5z܂B	Bߡr%]nԲ6ESBx/b/b)
@P*TiSWjtXR+Nʨ庆6uv70rK&XB[rThmbaWxݥ
N4zAɾh@|4]vCaBme=xFs%D!!P0w!>u/dEh!AW
Zת"yki`k+hr(	ٺTKqDA:(.ɰ'T1&{$;PƦ-rtrs^1W8X=A܅ZUe	c\^~l*h,
ęUunrJ<6t]{	Xj:\SM%	Bԇ9;CaJ&RSչǦ  04(}(+PdO{t#J`A/'Z@'WUHRd4EPjZ2GPԐ|-t]#aT
"FijHI%,FPɕy+aؑPc6U&[c#c0XاpHyd;j$^4
4lEGI?y˶Z+c萀~,T:*D]Z.{8X`;]!U.1a'(LTyӢFʐ
-C&ЩXM}SYq*;0Mu
mc"Ym2+h=
,#5B|l`tfY[j:[prCkMZݕm֋dn/A(a5_Qy†J]ڶFC,a[ԡcꥳ)T~yk'a\@,d/aoTaaDQ
}0
U>ٳ/=5-ɮXlYc,X-b	Q:Te-5O$W]al'L]ewvވwEI4+%auwFmcHi{4F
R*SgU[tm0WmFTՎQ-Fst޾6%2oHh}1LE%Y'\OKQ	|BJb\"t%F]+1l.G[6L")u]`),4Ȏ^+tsEWFxC%2VQkOgt!PD^ש
W*#\٠H(!3/U1¨M^wԚt]vAa]KYleCO-IoaJ/4UCgĖh3	KaJChbM7ٮM]~_t
6˚Ƞ4d_+j6sVR6YSNfWjkO*[e2Vy:ViVRotMFNݲj
hUQҲ&וNaUMB՘+mZ&b^UoQeV6,)iMBVy.Hfa^~SX]%aY!	M
sm_&Ӫtu]]UbܭS
QCb+5V=IZQI/i&|:;Fu	άQxM[״2M)èrPY?/h*S-la\VR׹m0 %=|…y'Le-[X?jmu*BJUYHE_}GcaׂZ`5ehB֔Z
\ǚC$}{* X(;*	4T)6vg-()cUaD[L80$c@cK:i4-ҕ(4 4Մy-RXjdvZ	NQEdbA:HG
C{iN	؏MiDUKBM*hVacٺ`F/$f^)+in<!h*؏HB"o.TM{ B1@c!FyVPCVJN"xUankq鬱Ѷ5̷PQ)/
+4~aEž,d('ehi YABZb&h;H*SMa{@s
^EP>gQtLG=PZL-1R0ARVU`)zM;^c4D.AZ{𚇅
kTdGvTTyim'Ν^}N6fh7U4mJ8A54\:؜8B+0dl&G)|o(%K|E/MҪLa+
K<{3偑
Hst]M[BSkTM[\^ҭi4/&{}r(ѣD[Wx;)#pLU0ZE@@i1*Lմ&9rKCzͯDC7f-]vm˧0ovzfUסqp,G}ni]:&j
ƍ^izYtгR3#m0r_0*h!Vy
!+X;dy3+Sw洩Fnj
sM@b(*D'U֪<CeyXQ?23hk5x
Fe@#곆QVќX Q`(+r4}8a鹪Ra+wCiZH4lBØqуjB|kuZE-z]#ƖFkʪ0#wi* C0TXoʰYX(,DPh69lVeYq-"K!ntHfmy0.ykZZ T8 !lo}w$(@mذ_F6(CgKLt0=d*TyYh$
.QM_^`G襈`!eR,W/yF+t0ڜ%;r
ѝJAA$p 쯾 
UѶ206x
k,zzUhE"d|ws])zeS\QEQi+`5^cvlk&WX?
ô9-{(q͐ߠm]JtCy[0AfL^im7(mZu_ Qvڲ>
s
&m+
[ѹ02@|.TUA]\iuP4IyMFAT{-¢:z0[FP)_7LVYTcNW}2!uWdjU.Ft‡pf!ttp5J%l~E55FxjPrdQr-!ӎz[-ѯc(6oOIx)]`"f%0%+ ݴAߢXyԥUuY2ЛBMDӗK3+."$:GOڴ5b0-m}8u`-{q4pSBR(`9L~	3-ưZȠ%M~:P1,RI:U<auY<
5+TJˍ#MI	PL-uYo0R
N{@Ei	Ţ=VPYNBTѤCPQ9b7P+XH¢e/@}`
`<Б4c`Ԡ:yXf`g0-l++tm~HXk1$VZk
#+Aj XCanWÊQ?lNǗt)^QmoJcUQ
F~o,om`p%0/YQ^.
J+z=z>[ԅ*P\FT-cr:3`.Dۚf?{W(Ij+#!n0`~DBeouw~=T	ZB |q2vm/Yѭ#+;BcIɷ2Zr}ӟ۾y=PN&|_8xL2&d;tdO>9-Tu
kx]blїNM`5f(9eʵmF0ۀjYؑ
2^w%yKW
V;x6T)9+2|,fqxTbkӵps"*fϳ^G#!HLcJmD[j̞&oVc!	UW1;+R5!xiLSq}uT>??<	~01o{ؤM*
|/B~HJ<* ?0Ff[qy9\tgmϺ>Wou)a>Q%,±DiNa7,\fhOl4)gmϺ>ñ<
סy
>M!Ky>u+w¾nY'ei=Q,85/#OUwS.3ٱH{6#.0X=s_aSٜ5@vȇݵ3W
sUG7lWQ5T-lq%uo]UFAyu6|yڑ/!.Ƥ"M.\Ա]&4aa!wNtV!{=}dT+S`mVYPl$VsZLd/x&ټdGL7d۸R)",7ǎճ~"uW'taK9Zjy;>nvkL}xг!T|/lQc\qR2+V%@Bۧ9f637Hwv7BgȉAC.TaNvu$v4G4;o!qtݹRK*P{Q=CwtLSa	vp2xC'kyPz&f_GUq
MW[S=10*$$UG+w?+ZYL
]%G(Jns݇u7/`D}W]Qv&tB#J-+{jW`ar<tℭ@Әqm+Jbv@i";ᩬcouc]Q,֢>HpU)k]R"#dU@Ң3vi&+p CR$ɴ3vX!/&okfql%&Bfjq,ދ֙_Ksիl&^o{]67ӉW3Wda
I(f#mvI@X<~^ij{Xdž$+
hV]QDzQja7eS'*Y/+ŀUyWDpEŌ W9VT1-6bRrؘYf,_v}tHئy=${΂Q
AdXkflS~;yc2V%J4"dzs^PI}BjZ]C+dad_a9%	jzGJ! \
({
Fh^y"Na:^6+>Mpzcy'*`uz d9c7D/"UC15ˊ5rft]Ub؍jg.#+ՆRl4[%5( *x>*xiNl7>GQZ]YH%.kWx]p{g ~-gu*B36lcE2F[oAp;Xm	;O΃BĊ#rXZPh;Dڧ^x&piD}{A` av}S(M_RYS2IX';V9ɚL=48&;
};caȹMr	{|wKzV/ϲx fca(!(0Vl_˕m~ƞ_,
y*9驪4~ŰٳZ
Qg:c$#/M;L-X́8'a#4A&TT;<>ЁQxdŒO[x,#zY=zR>0	yR0ڣz	[C-0A*'
bc=7^-DXǔz)VFM$AJ2<МQ|mpXNBUt-kn{f]h&Pd;D'wûh^9\o5Y5t#Eh|}pNVXMn%@'Z`QًC2+	
Sey}d͖cc~K	NEՇ,c71m@8+@{ڄA6n C[OOiEg{7J>@[^c_.emoZ1"dcWknDHZ/8y+Fg,???E??EPuo/wX ?WU"VǏbE<O'<%	IS8sC~kme[Jlҵ/IOs5Kat@/pw5O?D<""lB0imGɈr 	f6q[!5wIA4LŰcy$qVX!8C&_|v4@{7	p'V 9Kgc.lf[0u{tJ|G4<z3J2
/0q>~Gge<#	'XD&Y|-Sda3v;=8K
sM>
CyPmL}0:IReET?ح$
y$}|<>ﶯKg"Vh2.wrS<{c:kE`Snux%+1d]6B.{aytD(,!sX("bE}BTXĆ_XZ8Vb. TN_w޻Qk>׬!M]~뼑qR|ţ	#rs_(^W>ى7B>oB^ĜR`	+[!Vo/\ gҼG]!N#'FA\9y]>!vM#
 7c)v@/7@0/6tt?Vpm'r]
2HBB+{$sR
[{Ɖ7+Kx|nb4A1Qa@:d%~B6=R1al&r`Lb7pP>{ gU{87Y[4;@5/E4b&i[
CxRivQ^b+3k|n&M4.kCX8}X|v.M`=6(Yؤs;gy2JmA(_rp9c7
lqŻO_?a51&v.FX
-"Ng:L³5DƓ3v_!/<'Y89Ӂ
,[3[
c=/$Q]j,Ġ\^qה՞&kyU`Շ\uڭå\;yjzU=֮Uvg즤f@D0[䥟LY˔0)wi
8`ճ%%>coca'i9H*&i'јՕg*vu+\OiS'"sTf%7$
G=ˀBΝ*LHN,Y-m<&$vEΑ])!jO܊`
M
<|>ɳj&G&w!dS3CHf&nj0Ê^G,K1Bu1#jJm=g D`6oЀ#*#	`YHkT3k#vsXEHfաySB+3q)'d>CTllXʼU2h,.A!A	o>?	??=VXMKe~#dF<[Tbu1MRuOxX31CǜEC)Bkt|oؿ#ݳ_p/!/]g>H_%h<=cR|TVNXcƺJ䭘;7fm@;+V{ZY*UUԐ/9;\-tRS-=/fw}m_*xA,A~!]C"u.pLy:ɚbR)ԯI{O6#Z:v0=: 4s4V/]50c=;BGYIǮܟL`U
#׍Ţx氓b2x+D0e,e@繧R/P-6j&$ɝ;E`lIH{etī3ڷ
IC2yة.xc}%ֱi`g}bN6x!GFĜ=wK\DϢ@h+3'gΙ4(
(	HetT'9K$~-;˹\4/LWX͆0
7]tm2ewILg'U㙧+HEUDӡGHp<<+ y6Mi9Tkr+$6>6j1)u+0;&ba2{0w$tP lB.@!z#u繻+$_	6B%2W{>R@f
L+PFaJz̺r_K!ݍ;ź>0M}b5]}Xf`7*ۿ;TNXbquZ3̶0G xӦ@佞;Cx,y}pX|n\			 84{hsŸ~Ǯ\v%%c6)]AFh4?„Ng>φjF~!bl+suiLBkIfXg/vX*hzZ)<>$@{ad;y2
p>?$t!jY \v]vځl#NHs=Wf
\ţy ߋOlq	/NMN|p#"@s&1‚O7v5C^6At{0^G!o5`
v,)	oqt
`۝ns 򓂭od=w!HHa<҈>SּOaZDTF;}3vpad.cb
!{zG,0D|zC9b#@rJG/o)kVWW:'0}_`LDV\,an߮0Uw!H+/unaMW^ŝ9W3bWA(*a9BBD`F\QW vz@j_COJ i@IWGÑçb
yDI!P:FIScs9D+#Qj5tƾ>kx`=s״AYj=ٲ-)zqh40ֱ	'k`'ve5teC˥$3nI~}0Fbl"Y2Ђ0Ar $ιfÝc5m='uӱu	;Pv*~Fl@xt|Wao<2""8ɇBg
􏵶Ƴ]8xԳ.ZIx^,J-iւEwDe.z%K{}?[))<ӁI_
/M$JT
~5)wUSLjgeZ.S2moZ~ЫW=<&Sr=n$hԍ[%ܦV{bw8:I|Hubb'A5jXO~JY},,olKTɹq2+"coX	DzDbmd]fJ)c?uƐ jCg
+dl
1un`2L&*y:dlCxc<b\C%ZʋH7f,1s'C>3?yؓyΐ]<+dǂqq~I:	r iE dɞ>?YukBTw̉*ώc:"!u]i\C%H$LFD=xH%|r'e\deX81
NZlE5cB}֕
ԬJ^εs?i3DܫuϤpg.ǻyGpX9KzBkL'>0.I,KYebQKy{JcZOyI<6eFC".;I,4lHNѰt@Dc<Z@VtO7Ez0bNB/
ֈDB6RP|v1Sǽ+Ef/#='#e_}5(CCz9Z+3u4楗TFCHμ|`W(~|M_
1̦f)RFNb!(S_$~d7R@{Kbs_SDw6%D7SBɗ]s'{~2b,TJqbR=~_*
Z.
?m8/Z:JP.>azڅ%]U_T:x.*lJuZvi`㏴zs)^IԝвxBq"yCF;p(ou"729됿źj4NPFf+ɧcӐ6@ܛPgYo@0%pMw)++,a=<%]b#‚޾-A"^z}sqkdwKDipWG;,3g*3|.!Ed|BB4|ь{=wx h	UB#
VXk,߫Q sȇChK5P^mT%)a
}
̾~d"Ӹj3[e*rv7c=B9o32~j`ˏ@.
uRHޙƊ]nlW#OŶ9QN.̮F{.!`	b!Hq.5r'i\.3Ys-Ml[@)M]*if-ffL@g玽>50}cnl&4Qt3,sb9eOL.OdpDǬSU{|c#	b*l~^<)"7%0G-.Jg-!W.L@d	h@R^gV$/g5ˆ_*Wv"aC,L c|%<_:xٍc$Ȟ$BЈ]I6OZS?!|;8l݊jyĢ({;V	ll2O]6`O,yJ_yB6v9<`1[дqŀ^9!'K5Zke.x4ȱ*<r
CF'J9`J|tE6;SC4ޒΔb0M><߱XryAr|nnC#*wߖ9ճu}H2|$7퐔2׮
9+mDUS`e(uԞhla|V=r{fssɩw礱-잿OyLoīry[1
1d*{Y9Z*	i/=_Ϟ#(yM)h]*
"sۻgWeW[=$2.o#y#熽_](4N{_&*^;m'$ϱ2.d$Ē&hCȍ!tV\5CN%
'$adG+>
_E0e2ugs
={aPIɖt;[/N8):J#Is[پ$)<2|G?
,4d_iaYkƂd*bPzy2r;L1s83lR6+")‘	WEX:>
=s415c&jßzBT4[
ϙ/2S}`a "b 	<%%a5B`0S*@o0ωN|[e_:ALyVu2F6֯ftlsBHH$derdT:R7 E#'2?_!g>"n1=dJVb$o<!n1o`X=c,6F^1
3vc29gfUF`Ǘ ްḻI2Im\=>%nIJ2T}NuV|lYR
O{u
f"Ҭ|&{һo_iߒ_HNX+' <}}1Z_1jh	
w߾ҾE xmcc:v0}JMX3MKѴGʻo_iZJ*շZB}c>ֻo_gJO:"1;ߛWnyhK/xW-bs$ҵRx.ꚝ+VD[ba,ls@BSZs% Y/lZC`i_ۑ.>?_'rx#4MGM'sһo_iJmG^SIk-C7}7m^w5Ċw6b_5#wf%5ϞnL}<"+[	^7W#clYۓ>U*ŲS\IJ^5;N}xVna.VPn3dey߯\Œo98AecY=/ҧ
Y%ql#	;V/ߔ4A1Δ}(2k{qS+c5xj%!)!+D$ 
ɏv>QW9Vv="emɞ%XVȸb,^
.Z큟꥖dKBԯ=ql),wu
nM&e,=I"ƯapE0lň\ܥ{VI_nQBlnBem3Sx5	3Q)3#8 wFEO_Q!BA!BAa60I\`p[!4y^o_U#{߶ئ5jGӽuXfg_yga,N^1Gl'ViRbyLIZ$|mkj4j,g}YжW2/:8xS
OL9!y:%VƘ}B=sz'VpArìtk$3adMl+/65TDX_rx4$1|C[UT;c=7~ҌupD00y̫r\9LL'̙
2mrۮOħHk$<&!`aX?0eX#`Sپ#Mhր_	>#g$tl-|FER/FDq9oœ7!>Sqgqgqgqgqgqga?A,4B,4B,4B,4FYhFY`ӈ/$kk
#uUo0AICKH@uK\z%?C2W SAW%iޭ]@gѓ]1߇\
q!MLLߟxR"+9̮O~?%i]PPYk{<<B`vKL)W7s׌%GyV_U*I	ۇs->4e&
"=@]SSL3)![Y6wkQ0J)H>qzebitD2$oX1;ZVOl-or4DzhWg#`
gsj!.d=lH^0!{aGZ
d4L|E`.4<,cE[$al|"(2qrue$R9!.Fr}9L?k=z^	Vh[G-FD&lRr_1F+dŦuŇGs*R/
n
Xj4kw~&l b2	qɄu4c|Yd[S؍s12
THrk@e E7E~|ldHX"O[.OHi#-|goj7g7^v,/~2=ҲGZHi#-{e쑖=ҲGZHi#-{e쑖:ʏѴGi#{daGLNbs"/#/#/cL.}Eil	LVz14~~YW_6FfFspFa~PؓQ!)uLQAZs'zAOe0bL]~4^6[2
ON2I}j?k@H1lZ˧EȚ[W4gj3/Vvl-)ox?T6fwZ67X~n4z<%D,McV
[^ju1]mtC(1,h5B_xQ[4f_#[z<7C~uՍK7kmEJݕVr_#n:£ƫ?nԴ`g!OQ^xu
f: }ZH57$!V~OKbFnLC%.'/b-ʀx޺o)7zcW_~2}I#WW3N}M~U}˼daв;	[^yUR
kTnIM6
~aNzՃS
oI=|Xyfy*ë?2ȴڭa9cWQĸ$r+*݅8cUgKL`{YS['шGj.ڀW_!wie͸^xu
iHͱSQCV[ݯnBĕyUNAϘR[m/Ĺ<
)HcΕPI$_tvk*ȫ ?L,F({7{cMy}5UQAL-k6B48TwsMA^y'TY
gwዮy^Q\uiI׎K՜Qst`e`q4d2!lZV_yU"LЖ֦RO]Ӕ #=^yUMl_ROكոG.֡*?mAr徥UW^Eв*!7miZ:ەG֦7*Կ)K)aNO̎T{N+WKJW^zU7ww/]!>6r[[^*׫\0O{XZb(1W0`W^zyk릌G9M8rk^5{w|[e*}Zm{ګkQv^t6_UJ|UWs*ix|C(tΠQ*ܫp\luIū4q#l5Oֺ׽ޟpiRV$_{տ? e*zaaW^{OOalٲzVJyUW>BXz*JMPES:ߦX^yG'/?*ҫH"]t[K~vs=䢽Ok)D*ҫH"kE*本jv
޲(qwxk^zU0)Zjӻ/G< Lw[nRJ**y[qRfS6+sxzW^MWf+*Y[+H5(|ɟ\к9iPHI-3|hP.WB:/VC>WYfS<}/gm1Oi5kD33ѥb,G*=02M3^zذ|liA 6k(rXBa}
54oϲH3:2idPxlvzZ	;-f{FA^\#[?__S_h!h h.5'ZL
c0&
c0!DyMtuG&DYMDYMՔǶ?nn4gO:$
e}5WCeXL%!iSK]řj諡k
Ljej
:o
ͷ#}yS68	7XuBx}P4[j- ,vsU\mo	Bj=[ejf-!'i1DJ+lMUXsGmJ^׀,%ڜ%x^ru>>Wk_
Z;YH^E,fFDMYUSgNkȰtS(I+Ht@\v|tjwF!G!*썺k2yV~}G:!g*gc\-=Pn|?r44
M^#ڵ~rXk-Ehz@6Z62x+fMiwXcB9t{o
WGQGQGQM9u	y"a\u!{O}A/5Y.(泥`#CkՇʇv6eR[^<%?C}.T=Q|}d`0?6	YpZY`p?5L~*vh-q+
`+wkˉ<%G뱂
?t?Y-bTdz`
0S3ى"B|*輟yAq~9LLB3:إxD~gf{$]*m,'YU~l&4/-"1Jx?N6<Bml~fdo?u-SKddnѕ]R?t?Xء}ҧSÆڎбM~A\^tWq.w‚zA(7wJż<
?t?tMo劝!t)?t?.8,у-lvk?|pME
FkAtwP\rTCgK$pDxHvayC0=ˮջ68)EZ?ϋVwK;N=ܩ]H1wyj)}ZHWxNkXk{="2^=l2{vў6yŊ-Ue,ϻ}=-Em8pѨ亮+qڢL|!OCzU!r6jq}Ɣa{ӣGHj[E5:({5GQ%tDI5mG׳pxbVYpXh7i<ļѷ(YT.Ass6EVTN5엿n.Sb.vb󪂯ʳS&{ʳ_R)ŝR)ŝf,;v򳳯^gkyjcܝe]~ޏdbN&xa
=.E.Ӆ{vDώFa5/NNkH+BlSHltLY3X4FSXH%yZ߶Zc"c[uni4p?ipȯeG-A@ij66V+3>{AsqU	`	H""2)Wyr0gC\;W1+wq.~dL^ʥRz<;S]YsH2vn.?-+s3Q0fp>JyFsQ9xLYzD8}YR5X	5|uS#4-GWSQ5BgHD£ZKOn'['yJhmGOjfWny1q_?2w&1sL	{xd9яQ#`uhMʕڬjwy윩aCo"}Ih^խ{@P7{ܯnlQb>oC5H;yݔd|Ҫ6Va6i9Ρs:l*-~g>y':ΡS缧QU:Q{vf4{s:]u"DNRh:ddTwL޺q0
(fi:ĕkd?,~]crm3AG}>+pU5w޹)NX0˖ger3dX\$~w|ƣ1x]_TsO
vm\a-NMZV^ZRgGi
rL:MtkX=_[!+Tx>Gmy\
'fӾ<˥JfW[5t8_g\j\H}h_$̾v(zzϑQ4qieS\f˵
\e MwRܼ2-yR'*P(#22_E!9PKPK*FCaJRPpCK`I?W$vPe}V	 0nqZeݱdiTݾgyF9e:K@/f}~%N_tYkƻKKU?;^.utx`boۆn-ye咳o6}~ZoCiP*%v:
F.?,6tZ$d3?AdHd;rUU,hwO^+k%ݟ4Qg?{pfCVk|Rn+㬺,tKr˸sH<ҵ\Q
KS#ڭUŏOR~ѽ{kikN9q{Fܬ'dFW6Tzaϊ\D7>_cLDr$j2mjz}3e<-XO\̧R}{iղha8:[%l\NZ1hD)FoyElbEHx49%ƫ\Ǔc>Cb>"}O܈!U\gArIG*&1yZ<<-c5E[$.LP"ɏQn`1n9ƈl=;
dȔW{7X-LaS6O'Gl^L+eUo3o%'~7w0",=T:'$|?k1lb]"θvϺAhPxŧR>eߓs|>TFIBm6[s󉛴7F1'5q8}yO aʡnZK`2CA#:1mHxoYOZː.!SjKƈ}xŸ$}h]K"vxݟQ(E{jF7>Qٮq&Gc8GܣL,=)q\΍/YOpY"aDTG?~R{Q#54s,c5¶n
#]xYyQ|GK(+8Wc̔++9'?kɢ"WwYrm}O~899X?F+DNIz>I'$= D5?:oׁ<93<<ׁ0?w>QNRC9sYX!VbaZ|f(%_-dir1CC
O~]C_~*s_h5
_^b\A7gєjjk禖J%L)Oğ6|0-ZwtWa~~rp#b$&Y@v>gm8F<$ơwĨ΋ҏ:W}njsjzvGm91D&≂ӥ*7|A31qV1~6am%9-lZ^$61R㏩BRˍ_C1sMBs.D1wC_~ܞ˻@,,,|,,m",㭰*d2)̵,hn9^>~ggg:`Sz%g$㶖_(KpI"1j4y^Ok?#T#];1=QG8d-N8d-N8"Ӳ{ZvOi=-e잖Ӳ{ZvOi=-e잖Ӳ{ZvOi5-&lbf-fbf-Fbd-Fbd-F٢g-z٢g-z٢g-Zh٢e-Zh٢e-Zh٢f-jȐEG٢f-j(٢d-J(٢d-JȘ׌yɘyɘyɘyɘyɘyɘyɘyɘyɘyɘyɘyɘyɘyɘyɘyɘyɘyɘyɘyɘyɘyɘyɘyɘyɘyɘyɘyɘyɘyɘyɘyɘyɘyɘyɘyɘyɘyɘyɘyɘyɘyɘyɘyɘyɘyɘyɘyɘyɘyɘ,7Ͳp,,U=,,U_1
gM;i7޴ÛefY/Hi7mjWMi7m
l6x_E2m
޴6xo PT3P,[u(S]3$f\
s+U*@
PTfЃ>V/EN{t7t
PTU*@O&Vk		k>=ZeDQeU*@
PT|U\TX\QeU*@
PT|b#ֽ쵸stUs57,
PTU*@Uf';9UZި*@
PTU>WZt_,h-oF$oT9@
PTU*اԣw$dώdvzDIFTU*@
PTbn;X!Ɋ]sD:
PTU*@_*Pty)BJ~YV
PTU*@OU1鍆a$j74
PTU*@J%߻GJYnQt;{@U*@
PT|UvUv,ƘCo5Xz%hU*@
PT|UGJt̻%G$JU*@
PTj9Vt뚓6ۛ*i@
PTU*U-ҨeXkBɸk{(~*TU*@
Pb!f|qs
߽QU*@
PT|
9BK(lkzoT@
PTU*,jzt?{:EE19U*@
PT@BsHE2Ggk+PU*PTU*@PŻD{,#MmbF[{ڴI
PTU*@_*ksFʥ[wZ{JU*@
PT4-r)L^*TU*@
Po-'|/1VU&PTU*@P&ѬQNQ vX̚npi@
PTU*UT˱ "vhT
{O
PTU*@_*ʌ$ɆyJEգUPTU*@'2?I"SeͺLࢷQU*@
PT|bgQ~X\N儾f_v
TU*@
PQ%2ub.{GY>.,}%}JU*@
PTHDܽq^q/*ïU*@
PTrT9ŊM}lCtN*ҼMTy}-PTU*@V1ȵ[>ծRD^9QU*@
PT|U?(J񙋪\ծFTU*@
P򉗕	ˢGU6_hF
TU*@
PTDbVn3:;yFTU*@
P@45h=mzmfF_+PTU*@PeIDVQ!K{ QoU*@
PTeQfC1pDfFkK~nTU*@
PbvM
m)KW7,
PTU*@O<[xGeeXި7*@
PT|dZ*&wIlUU*@
PTrTđmΩC*i<{a
PTU*@OJX'

3)#яaiwU*PTU*@Pz%, ڵA]TU*@
PTὩ6ʞJV}%TU*@
P嗣J}9i|NJqoT\
PTU*V+O[ǎ+Q.|T0hEn}YSl_V 
PTU*yT#E98e"ʮwV"TU*@
PQ񡷭dݭ3dU*@
PT|`gpTD^8ǘ]^ߨ*@
PTU>1W8LYaF:]st_oT@
PTU*@1^V2Ӳ-F:hUPTU*@PEl{1w+EW\~J@
PTU*Y6H3dH~
U*@
P@E)1·?Q}&yJU*@
PT}au0ʧQ_zoT@
PTU*XWEDi(BwX\ޮ0TU*@
Pף[k#sUOɄ=U*@
PTb;Rx֝wsz+D*TU*@
P#sUYc惠CUn+Wr;gQsU*@
PT|JmiJ5ʑ8:U*@
PTcҽih%7W-Q%RT@* 
H+q-e>WxY/漯jA* 
HRT>	5SYljdz"
RT@* 
H{*Kf5jeF'}RT@* 
HOaٷCcQkuv6U*@
PTl9>+
:j6O>M\7PTU*@OʑmeѣῧC_F<U*@
P	TC=FܬSмTz/UTU*@
PףTM]u*ǩb7
PTU*@Ott-!qC^
U&PTU*@PW;w*;`^:42~Y
 
PTU*V{kh]-s-#]7*UxTU*@
P#آit$'k6*@
PTU*YXZ(214<4eYC
U*@
PTjλf*Ͱ`7
PTU*@OU9Ǎ6o.vʱECg}?U*@
PT!"'bTk=XU.PTU*@'Veq2G[RP*[,~*Y*@
PTU~]#k)ҵ90&1Nt6ߨҁ*@
PTU>{clCg*xTU*@GV\%Yt9IܽymGQj*@
PT|
6O'*ڌi[ {z4(TU*@
PWUaYV6^iިi@
PTU>*M{W޺v"^U*@
PT|U{e.z+EYP%
TU*@
PUD֍Wc+:zoT\
PTU*@FպsYm|e}
U*@
PTnWX}f;{YzY_J+
PTU*@_**gK#!
52wd^FTU*@
P*W]dt؊
u,{U*@
PTpZX)mqm7,
PTU*@OU!vRq}s$2ʒ*xTU*@GK]]D7vxި7*@
PT|e6+hiLnhk4=
PTU*@_*6%fW+*PTU*@'QmmFD<]G\JuTU*@
PTiB|!a_
TU*@
PQe1CԻ6ydv@TU*@
P/+ˌudY&c52J'2*@
PTU>*D;=jŧޝwP
PTU*@<uXh>G**VTU*@
P2ʨغKV-Rdr[SNw/T٘VTU*@
P>J6%$‘MZ;>ިR*@
PTU>r6۪ÈS(U&PTU*@'"[[Q7E0KFTU*@
P*JrtZ/l֫}OTU*@
PQa06Eė1aU*@
PT%_%rG9[$
LU*@
P	Tyd3e*%YvߨҀ*@
PTU>*ѭ:4.({7t
PTU*@O<:f[U,G#@Y\*@
PTU~9̮p@XVuմvTU*@
P{
qOj4DV6jj*@
PT|䮊9vҚn޽׎R}WeU*@
PT|UjZiYJtU*@
PTp,֮hʚm1]TU*@
P*jUD3ܝwUPTU*@P%b}MVլG%qW7t
PTU*@,ϋB2]L:׍wUPTU*@'+?zuN+@7L
PTU*@O, dC{e'b5oU*@
PT,dA'TV:횮9~?Z@
PTU*خ0ʙG%WUmOQeU*@
PT|UXm5֋Eb-Z@FTU*@
PToď}tFs\TU*@
PTm\ng>~FG\
PTU*@`1\QJN_&TU*@
PQ̈g15)
*TU*@
PK-}4*EUSEs*TU*@
P{CM#}ڼ2&Y{N2mP%uTU*@
PQV71ޑ3LmE:fɼ_KTU*@
P7tmԭFg&;joT9@
PTU*b/<sFw31U.PTU*@PMy1(D/p9F:ϯij*@
PT|U
DA~rKoU*@
PTu{)gs֜mG
j*TU*@
Pծܛ\}=ϚfJ~UPTU*@
UU*@
PT*@
PTU~T*@
PTUuU*@
PTQNMtN/&qs9oU*@
PT|
^1Uc%*@
PTU~]>z1Wvە\ 3oζ܅JTU*@
PףJ*Ik1U3,at鼗@
PTU*@ZZ녜֪re`Z-PTU*@O
[
ŧq\+|AZ}
U*@
PTju	HK{}.2u56ިr*@
PTU>j[N56TU*@
PQ+
A(fa_g~YwU*@
PT|UjM((\L1WB*@
PTU>j|ޢ!@^l67T
PTU*@O쬬S-pˣ-;3vVTi@
PTU*XNݏI:ۺÅ2⤺7t
PTU*@OU"-dFÆ]lyQeU*@
PT|bʼơ-TLu-E5	TU*@
PTYjݯj:5C|U*@
PTzty07]gSc)r*TU*@
PwUYI&++GU*@
PTaz.ы4ɾZm
PTU*@_*.Qp^h$]WX׉bj-I;p
8NS)StB\l؞Hꢵ>)p
8NS~-t_ߣQ62ͳj/JyTtƢ>WɵmA;\Bgpȿ)[tsFI#ט#ˋ]+
9e7Y{WF^V/9)򕓉򲔓&'_&͙4#fdҜB:BwKtk/~$: tBM>7]*ޞj)oy[JZ,K䶩xyxY6^g>TF.O_e⇚!c?>ѿc1v`\"%z]"scȯ>vjծDJNYʭ)o[l~>vjmP-n7j?s.Z˹hoݣC.I'WW**{W!~c?|EMUډ!pĮK}hy!?J1]v=΢Q{%j&C% rwN}_!~慎K1{2l6?1
,dٍemNAyl?Fg`ޣEolxuwcH-.$Z?^0xݏJ/w&f[?aS0!;R8JFF{nPe^CPov\02íV3gTw?P;joV}ݼ襷e/Cf(o+e}-grIϳqltwZ?? ހO__veӤh0g%SF_ʽ(/z?	KFӝBC/{Z<1+DDw7KOQyκx55#M3?1Z$XˮӯDEڷ>y՟GFE4ZG[]8ȶ{OK3zZ:C;裈va躧*Mu%R"<"yrϳۣ|b<`/O_47+ihK
η؅w.'x5ײebsQ컷*+agxb]GhϴycfQ%Žòn~>qO`\
;RF}4v)O5l"䑱=k<q6T
"mxRF*PiQ=L$RfyjT#GUu="K,N	߮6K1|HDpĕso|Qu^?1şr
lnU'nl@}8yU~{vjdsD+x1t|=Nv@<$Hѡ\cw"H?F[PYpl6촵>"ws:3*xEcZƦ~LJjL}bȳ!`!eyά&DSy|A0Ÿo4X9[|]W4Ya>C!zw=:&zLZz:-L`0nr@>˲J[ΕA١(C!S5%hsay^xmY	C!lC>8z
Kz^N6C
a8LY^B"dBvy07%}r0-Gmr2C
!Ri½蘙,Cn
5xWxm|=x=|W,&=|kfQkɇ}^WM3Ə*lkٍ:3ξзI#y⡍h#_~>j3̅?,1[z/_cٲ=7-ai\kYLޢ4$۫~rZ8KPg6p6Sn:ѡsL/>9s>4L&
&<ۦe2o=n'	`B0AĤ=N4h;s1g섈BD!:>w=Cl-֌n:v:B&!IȤwE({kxu6LB&!I1YҼ56[d#'' &	G|({8%7Jqfa[j敽vq`q(
#ԧHُL5ʞm]p5<k|*RJ	}y,d_W㊶)b{z6[FE>\UNflLY-Qaw-4}}4DF"KeN]dfp#ܳ{[~ Q(DK!HYfTbNmbr
9OT]Di=\aI9'*r
9BNgrUKsN[rnņS?
Bb!XĒ"	kgUfxDݽ!ёXH,$?XTZ^mu6a^jc9 |k XH,$:͚aKei]X􉭎D[,|5 ٘qӑbH1RϘbnkmN5C^~?c(C!e(ڥWg_ս3b!ϐg3ٟ;Ϣ}SMh1OmB
PZ%%2RNe6ɆdC!23D}Ňt.3z'4 ِlH6$_%u8[϶"u?}IɆdC!*&CV3strWyNQߟCl/aACu;zH=:gQn':iCnpљ-rtƑ`F硵4ysW&Ekzznw3EW)]j5+EwY^|+捥xhݑʷ1r,ͷQ~ow]F;^g˷sP}۹#T';X?OsPҝ3.WۯJ;y}L6n~۠߱o;m~[̼Xs~'nCƐLLB&!I$d2Iεj[\38&3i#I$drSض-̖쬣kݜ~=(˝FDgq8̎숭*t,+-ipe.9!#xWG!CcLSZGK[;"棡
!C'Vo˜N!^VE"b1}ιH%>1RN?NĚ,h8^hB4!~h7#{ѥU>Rhu)4~j7	rE5s:YI'Ѷͩ&/Vb_1gr{ʰAN-^2\dVsQDߓ4uw2#
oYkn[/Q=.f4cjhOr+f(ß٬gΦڜH4V2S|{
qMFP#J_t>0%d-_zi]ܬ=Jo't	~BPӓysnɂfd0`ycMb׭LF[ZɉdhxW*ۇ!RJ-Dd˝v2R擵ϥI~JeDvdb)&?ʙʬ
9sh;IsRϏXVpcJNp~qvymݍOj6"IQbʏ66la[y~
;C5֗뷻­/kSp c|+:Ez.M54#|#/K;/Oؔ6$?h9M&BΜKg9Nj)wĞ\u!9HN$'}t5i:R.dDr"9HN$F~,gm:DDr"9HmqxRL*^ǎylgcO̠HN$'ɉ|/^dbl_*;ǜsDh"4ơisllD/:tX!΃Dr"9HX+=B;EINvkoD|">ߗji{U#-E"C<>+.>U+fR)A 甮;OU2z{^i4E"Mş},֔9OX6ZIӁHE"Rwߩ'J]BMQp3&
"HE"RH5*6);8|*pE'R;S<
7>d;[?lJX'D|ދzcs;BK)WPd(2PeRҶzl^YK5O)A E ҵaf]bV:g䘖(7HAU*r\ZgηSV?'l
߹z#n RTD*""Uƾiru056\yl#RTD*";Rڳz\Ξ[=HB}*2E"C?tnT5n]
^'
A E"HpB8cl1RV'H;A E"H^\D+a1ۖh{A E"Ht)7HJgY}R)Aojg]ʔ]ÇeV'H;M_6})pER6Pکh'.t5JX)A Es
*>mxF?n)A E -EH֌gG.37=4MTD*"Z]Xq$v(QU*r\{hxKoKhmW7<{A"\WWՌʚ3fkeQtHX$,	KتLۋ9KE928>Q1E"fIKJ;̕3Y9YE"k۬ekʝ!xE-q>OuYE"pjKvIRK9g+R};uHS)iizeׯQսdd4E"MH_JMi>ʲLƕp&}׈RU*rdzW?fVUIb)}TD*"HH=NumR,ee$jZJU*r\U_"!j=˥-H[I>U*r#Bs綁#WU*rjR+"v4,CNYm*r\E`v>-Nb*:~!r\E"WwzCn~R3;)>7iQ\E"W_s=12QsƅYf|F
ח\_^\_'pREUisٝ%aElu z^D/7ތ^ohrF.2E"@eslLH]^ӗra0B!ۇ0kYޣ Sx9WIUJ4mqoov4wZ82d̎Y}qWО]JU,tVܸ|FZ֪CspH5jث<-M~vؼꑟwXƉFXۖ#Uǝɬai[ٚC|e>[%ș=IĶЍ>kU0%ۉMn;_N[Xs)bﭪUtxőWY(i9r'k1]cƧzݤ)mYSsϹLI^s˟ǜjm|iws&̉#c|ی/n`duw1s6wōHN$'ɉBIHx䙉}OrD|">~x;:/R%R=3)Ώg CPd(2*}WJ|%;x1WlOA E"H5Fg89bK>'!MHS)/ Gܺz/V5揋i4E"M9M9Nf#vo\ui4E"M٣[L\fѣHS)i6qܿ_ExvZ?pq7i4E"MhS&*/ݭ@"MHS/:a]4]4e~Ҵ!MHS)ԴTM@uͶR_;cS3
E"p͡掣VD+DH].R
c\F6ej.!uH].R7.I2
[lYcϭTE" %֦`+A{ϞAa0B!E|{%{')7+I$F#$4Ov9Vf6Ko+[q8F#ǿgj#4dl^[umX?phޯL0jtI]OQ^yM1Y3]zQl8{yMZN>
|r2,Es./vlfdO½#u)-huF{uF]:2TuVA;{uXeu,oIՊؾW
kTmZ!)d989LZ笠lfZr:iQn?ߞM~w<)k|.4Z
-#ybM\|w=n{c+s,7=F,ۃWyt3T@a*
ޚ[`Fh2{~y9+O_Z#K쌙҇mk'({^ӗwk#ZoNj9>ԵNF-=c܉DMwz&	_#5W__,m/
AHQSl*(#c=ɓ$Ex-U]=֔*_Y=M97?Qyh{;jMh~i1皻쾤'ϦxO
=\>u.UKK듬r܍ZIzM]/L֚mO~s+^Ǟ-m]܍(\ro8wehgY~v[r{dBZkS44m[?ǔiВ;fw2(ZE_)F
]矽:v8xӞA!=睚{I+kguN+sʭFz}s8fY.޶NnK{/_;/{O3G~Ǻ?^w{kST:T:T:T:_S)ݩN_kMn!~'sVg;f3^j{T?.Wۯ.62:_}VvW51ǝBn}Ao8&WU3jF>8p0ڥ*Ω|vjؓ⚑qdYgI==m>ҶΞ:#mEіȒ,{/Q? 8W-<9Nh~>5IsO=2GG$r9vkg$~JsG.!r9L9`=N>va64H$
m,]LdLoN@?W8r!i;w؇FK!n\_T\I8k19;[9Ǐ|
{r>:cqlkyїyd(E-O;^s8a=;<=Jl駽xg6 ]|zO;[lCx87nǎU|\*^G8Fۚ)tн"a0B!~kѽb^JGV敿~P4*	DB"fdĘRm$b	XB,1TtZOg1iUۺKلlB6!lڎɻnvgҞ}5MB@!b2Zν<ŎːaV>E(
\AJX2KrHZv6O@OJR*Dꏎ[4"Fvev^粰u+9Fu5x9$cqy:UNLXCNz}-,u˚F\G=߯zv8u9?ò{b,g?.oWEuu3Y̅ZmDF:ڪ>ȹbz0>a㢬\_Xw(iԪˊ~}\ֶjk!:3{DB}n1ZߞU>
@_֦Bv:41<{NMaHhx-#1>cwdԟ?udԓ3jA%Ƭ;I[B*ZU]zzam\!TK_.=6r_Ɂ[Aګ|wy|+*T5TsL4Gx!^?gxŪ6,ĎSb/?ģ֟kpVS;N*0uZ}W`H0$O`Msjg6ˑDҘAfGo= ~
=΍sornvT;7;oz7;ow;vw}_V#ow;vGx#݃nw#~qvu=v?;_펯vWjsǟ]>Ng߇P}jCm}ql}HОwy׸¾ioF离};3ž3ž3Ŧ5kƽhˍhˍhˍhƝ`-辧]=wkFkFk[}QH>
o-߷~[}o-߷~Gzd5߷|ݚ[ukn#s֭5_|ݚ[ukn׭5_|ݚ[ukn׭5_|ݚ[ukn׭5_|ݚ[ukn׭5_|ݚ[ukn׭5_|ݚ[ukno\׻_z_V[un׭_V[un׭_V[un׭_V[un׭_V[y?o՟V[y?o՟V[y?o՟V[y?o՟s_7ˁ 02]b*(fLM|a^A`A`S01t=܂WtIA`A`| K,ryݖ
SYZ 0 0>1J1cmo0 0 0@̻aA׃A`A`| f:*w-s^i 0 0>\Z-%ֹhJhvn`A`A`w	히Wxnxc 0 0`>$:Kl 	M-Kk 0 00xBr@To-rz(ypM2oV`A`A`qB8=?H6 0 0>nesFr*>/N`A`A`So
kQv'uLs]o`A`A`e׈RZ\vS8q 0 00J[<2X"Cr-m7'0 0 0@ʐa{[cƧװ}_A`A`l՘d-e"F\L2A`A`| w֩:=`9be^ 0 0>Egèdey_30 0 04$-xY^y`A`A`AVSq帒m9Z}/ 0 0 nu,ibᕓv+sq~A`A`aֲ2x:}e7Z 0 018两R4һ-hvxcA`A`bP!R' r˙x~A`A`| 78;a]>MA`A`'bp	Ju]vL޽R6|cp 0 0`Tt=C8f`MᘉmA`A`AɅY:5}ZN
 0 008K|=N=Ӳ:
 0 0>k9ԶRyd<|c 0 0 r͹͢d=lؾ)3zY`A`A`yԡwUd䞭`A`A`s6s^k) 0 0>3|iRΝ#JhW[m}dp 0 0`iT'[SXgQe~cp 0 0 r܏eZrOZ{/
 0 0>J.Й
!Tr{~c 0 0`P,v7QnF 0 019]J]puI;7'0 0 0@ՋaAd)${q|_3A`A`b0g7Ѣs5wG/ހA`A`A5sMk}!4|2dgA`A`GbP-Wbl99Z1GqG+0 0 0@Vd9,m~R>28A`A`'b0MXZ!g5QpBDtZ#
A`A`| l̛+K֓IO"ib\3 0 0D.ѽ9xQǢT} 0 0OI:T:*.g]se$`A`A`,O:pW2IS[BEA`A`| V=fJn+/˖c 0 02K]U
n]:KS1fS410 01z<ؙZI9kOA`A`5Our|P)mbrJNoN`A`A`r2קEN:o.`A`A`z,`6xKU=OK
A`A`பeʑ坴ȶ/~!A`A`|mKnH;h6w
A`A`| 3ؗs&dw8>wI 0 0>DdΥ:3jYPoA`A`|G2$t0 0 00\T}%c*l7'A`A`|"Jtq0]c1kA`A`½RD%X\fA`A`flM)sLko[ ,‚ ,‚ϳ M
G5eMM`AXaAXaYf!|Bl뫅W`aAXaAXhƼ]fܵ)=RX_l ,‚ ,‚-6?qbhY=>r 0 0>GpY˲Ь}r&,%A`A`|"s=pőChm1 0 01rk~vYRg>Dov`A`A`!LJ%NJ70 0 0@OtFNd>8g|fo0 0 0@L5\W>7'0 0 0@#
klݱŹ3uWŀA`A`aPjʶnGr$[b*_
A`A`| INE0mF2 y̦ib`A`'b{d3Zrk$GA`A`A`jrT4]K.U5D׽A`A`'bPmHVNC'&1A`A`bpȚƝ7_Kk,|Gs410 0 0Dr(Zj.+"47L̕ 0 0>2XN*i2YaΩRħ 0 0Ġ&9}h.{"`A`A`ٳY%qPvdGw0 0 0@\de]VdZ{cp 0 0B(A2+o2/tj.xA`A`|iW)nse.o6`A`A`Ծ=Ñ&=}70 0 0@ȋ^U/PK0x'`A`A`q԰Bt4Jp΋l_FoA`A`'bpfhKW-5!34) A`A`|"g"6;}TqY8ghA`A`a$vXʳw+8o 0 0 +hԕbELKzdOw`A`A`,={&bZK[ 0 0>MVPvl&()AA`A`A6ыtMĠd~cp 0 0`ۢ%erx6yF4A`A`YOm}l:EwY
 0 0>9=ČNQ2d[W׭em 0 009h#2XDB,>A`A`|$;ƞcR!::Mx&> 0 01x,'q-_ܨZvD 0 0>S(ܬ[N}Vu~& 0 01dGPkͳCl,18A`A`b0{bͨ/?fT
+ҭ^|M<70 0 0@-2m c3(Brxc 0 0 vpkҲ+_>7A`A`aІZQR]W

>q1XA`A`bpNյ{^d~ċA`A`bޭuvfmH'Ԧ7'0 0 0@b
V$'ݲɏdfp 0 0 /t`-*:3	N
 0 0>Mp[f0wycpW`A`A`ܪFGs픝Εo6`A`A`3j.q;0 0 0@cd:۰/Xױ 0 01
99eUzD?}u?A`A`A
/I/<1iyg_GOA`A`ma֓Qv,&g
}dp 0 0`t%ٛ,t?QAT/pdA`A`zi{i:Yf;9尢 0 0>tZa}fmzɾv}d 0 0 gqu5εԢ+w|#4qA`A`=UsĘVrsoۻo`A`A`fXUYcSidoZA$`A`A`<C(kH~\?vOP\R|}&A`A`|$WtmF9Tܲtb~ 0 01ȧw͏&Lz-Y#C 0 0>-:Esnn
 0 0>çm*ZKJqy_3؀A`A`bpbqJkY}d 0 0Ġר3Vw/m>E'c|_3xA`A`|3t;GYO4ާQ{c 0 0=Gɍ٣ÖcR 0 01Wwupmum{}_A`A`|q1iDrHo&9A`A`AR6y0c7uhf+2
 0 0>mqLzYvA`A`T:>Fbp&fᄒ@R0 0 08&Q5%euuA`A`| EEwݕY_{z{cA`A`'b24;:ShU4۩x7'0 0 0@> 0 0c> 0 0g> 0 0_> 0 0cgP!a\	&$ 0 010Έ1m/7Ұ_ 0 0>
ٔdgRٙ%\7+0 0 0@՘mh	Xom{xc 0 0`&Ri%ۈj̤]{cp 0 0Ġd/,FXEY1U̖ÑA`A`'bpDdx
Z+D\D`A`A`AR16=Jmb 0 01[9zC9-ֵ$:2x20 0 0@4f)w5HNOgA`A`,׳éAA`A`|"Kgh~Q+eѭ7q 0 01(^3
OؤrNݸT$`A`A`~BцrݑpF`aAXaAXh[9AVveq"2ח;,‚ ,‚ ,D6+dT/[8u	K,‚ ,‚ ,@zyq3'gsv>_[+ׂt$A`A`|"kthS#޵Y7qA`A`lBF-m9Gefb+qA`A`a0ܚa[3e;a>3v7+0 0 0@KiD}5] 0 018H5QqBd?2j_7
 `A`A`q۾((*ճn4cp 0 0`uQ{%eX~q4"`A`A`qTNo.ًF9o-kA`A`ZUX1y#'o0 0 0@fs+*GS^Wۤ5҂F	 0 0>&m93ݬne7U9Ѿy 0 0>t/D
öwQ` 0 01ɇxZ63iW~zuA`A`aP^N6HDm=Ar5 0 0Oќ(#V_c\sP4wJu3؀A`A`b.>SQ򪅣Qe
7;0 0 0@6s1pΥT70 0 0@9%"N9__ A`A`9]Sd>w:<  0 0Ġ=Z[K-^Fѯ'# 0 0OĠR\NQ%%_X _w 0 00X'ŎdhA`A`| K[uYrH.cpxc 0 0`NZU4Lp[yc 0 0Ġר}Jܳ%Gycp 0 0`c%-vjċA`A`b'6rA`A`A1FT
Q4Xԧo\ 0 01#dO8y3ǭMA`A`q2@ɔJȲ&9uzc 0 09%`-#d>$#_&A`A`| y⤲é7ПZ9y:$	B $	B $0	.Er`>V=fl*	H!AH!AHY䠏*spr	!AH!AH|uZi1Ezq8CTkB^;f.N$B^9Oo2|%~KT	JebW)ȖNd_bՋ?6^0X;@e婘'z|gSKP񔙳ݦ52kdZFpEkrz1^GNU흰ods_?ԣ3˨xcaI&ٽS%\e`5I$D5Z{d(v7]2[˵{ppC!
VxܭVF~`oĔJ&b
XCbG{bLV)d}ZG!kFelf2re	۸
/r6Hށ2B*w_=2pU&qfR£+{&k׾HZH椕LW-6VnVcbAYG.4q_iWĴus\5>TʡC2e~fܣXqVo㟊t$^ƇB;	DbIYk&s֖+ۡCi}zJS]tJuAڒl'J;)-L:l,m4IJ;)MWlUvI3MKuCi}~JKi5}#$I$mʡCi}zJcֆ~lm%I&9YCi}rJ,8eCSPQڴܵM7ѡCi}zJKuU]bxfz6OLkw
CiJ߰ʅzqxkez@J;v(SZ&SҶA
w!	\TCiJ䔦UvyN-JUԻ8RJ;v(Pڧ4\VךZ3v7bpNoJJ;)vuq@J4[w<ߔJ;)-nc'Mekix^:z(PڡCiDس7ڨjuO0Zz8.E=v(PڡMi1r1'"Rit!e.J;v(P禴g<8;m6VJ;v(P4CpIIѺ壌	e;CiJ䔶KŸVcg7%2l&fRB$)MJ;v(S%o4L!eKWQݔJ;v(Sԥ;T8g>foQ0%ڛCi}zJc6>!lLm.oNx^
}(PڡCi$O<`.n!jVДo/CiJܔtnhy{妴r(PڡCiRA&p"vx[4@PZ=v(PڡOOi9Zh%֒TJ;v(Q{h3m.P
kMepTjkJ;v(P'44zAg+qCiJF%ҦmչN
Um/M?v(PڡMikV[ol^tYuPJ;v(PڧJg
bбWn<{MMiz(PڡCiҒnm-ٲCjv7kPڡCi>=Az1NX\h`&+#J;)ͷmPM]XegOJ;)NBQQ
ݽbƇJ;)ͫO-i@$;kBxƴJ;v(SZ{%p<|,u'qJ;v(P'4#V.-ʹX"&U)J;v(SրcuM5biVT.=T.Bkw\Aw4:Q.)~gfKɥ^OlMPwwNcHTz*PPhײEPj?p>wo{YδA5>r_	ldp\Pfn=
Y,w_>'YyRu6ݩ
M4`ѫe5kcQ}SGêD&yRo0\umryα{~xՅGWC(bn-)`{]О:zfڤ6Nq^赶64h"}/NTx_t9ړ]|AXuDeg(VbKڷKHs
^\٨lTG"&Wr*f5룼> 0-4`fqa}ory۸L.=Ǎ/
.O/j]{
^oty(A
<
WbAQx^ qtS	_(vkË/^_ˋ/^x!bjчBژ?[u"U csmBd#+w"VcO{c8̣	~-;Zf##ЬP|/gZ&Qj>J#ˈY"f,f]Nxﰃt~8k&؍Ae59Q23ֺIe&I=Pi*#ɓ"?OuT&#-%ģr]0?h7DI[\GX
Bj8bj%vZ6ӭ]hѮ߫]VNѴfvw-}ċ]G~v)jޭfڼz,̕1a!gT7p҇u:Vk`o\}Xw`0S~"8RͿW?,;eS4tZ=;z'R8vBR낳H4	4*ZrٟQ34{u흋
ts:;vO1F& 6[\4ݦr0G(۟TQd.A5mQhѸBkZ	mё$'Rr5NGꥵMF2qhѸq^5@̥>J0ocd~?
e:	gիVVt0V;tqy%Ğ?մʪG3HW,^G.}yS?R&nI|ʝ֘+TQLr>ꏧtwٶW6%7uKqD6ɛI*'fk+iq};m:`+DO@D99RDZ˼X!TrPJ{ב{Rk#Nxɮ~#}}/ރ3RZy!@EBɜdsUvUF0
aJc>O"el` ,fYn)mS>m׽䩷-fik.n䆕M`ʲ;WroVTgӨu#=Ρ|lqX4CYZm!Ft<Ɨ&U&3cf &TVKk7P]iT[l,
[u?s;ςH9L/_
qԟx}lP:X2ڍ/Zbn6IJYv1<9}C#=h
$qڥ)TbR$qßS!zP݂~[\ւ[\q#=-';_z{'8[C#M[Y𽌁޼g?4r[eBZҗ鶯7u>4oa
ؗ'A5͜{SO^+OP
޲^e-Q>4xh9p)i]
sʫuO~ijlRK4]y=
zұzk5xXlԦ&@J#,հh=G)2Ҟe7S[鳰\$6iͳDZx^iRܴ["4#g}&a!+60
íYD$gQŃao3pVu-pͩhLgx
/y>'I9tkZkmn^SkIҹ8u,
K.xͫ;noX`kWRм.T.=9|%1>pq=:#zZVvssވ]{ KL\	@m--wqfx?3-xpzPaQĻX'*ش-=6"i,g,!S1䊧iXopUa

kh*)
7<'X>GD%͛:¸=k
][k(E×Ɵŕw. QbRE2\=Ds5
:yq&8.ƛTog$4Ĝ5bGv{e+.,e	p6'CODM^֖)UAAya
4b'<
BDꑹ9#ӉX[]gVX@M(GH={E t%{PEy{'aE6:H XnBs]oPE@}:7gɎ&q L0^5 Q:VQ$:m
qGHսS
EYj#{mO9M-_R@)BpN9\-؎؈:T*pILq56jls5_bW.QN_'y_"jk]Կ9ILjV
83#D~~خ5WcpLqA!p-ZF}C|}>M8bQT'0-G~V|w%4E>f=ay|Uf+vNK(/1-Vh5toA ,ю|48|0J-|dBx{W9!ko
^Fxjy92^2?25*ٔ[#%I5y"Е-fd
}eNˡ
F(%
:E@Rq8y}ݓkfu81ː4^/$4G9C!
_?иG7Dj6;՗AnQY@4{܂oGWLlL
=LKds·w|SQ
;yTÆ{-ÿ9>O&pj;Ax|W࿫W4k̴gmQ,{ ?t߼s^ZMʓ4kȨDNΩ(Y0ޯFeQsש*.o2ͤ$7iur%ʷBQY}*KFw'A/;.%w
[("̠䱧/"BL@P[Ue{O}7	In[f˶oj5-Ǵ>ێtyR%Y[|žGrg>CXbJO2NV2sj=v Ly_5Tvn5;M,P
"x}VWj*x.āBt|_״mRpkmVBC'E3|חRGq*U|QeJ[9juSUE>e!T8Σ_qoN5|*ĦƊUDk7ڳezc\pX3_!`X":/R(D^"
%.΋8QrGv(|i@=Z\ز&$u`??v]DxԢQurx]/?HGW^tnV|>UJ@ZywLnO0o=췽pҕK60c_o{1J2%myP7iwXq+DONۊڵ|?sFJrM|}TV4Späܮ59G
%8*?6,5k&0"]S>+b`>S3EnL/Q3	PZTOG~tS#+FVr
x){
f9rRZz,v.ҫV/(ޝt-kgMhw:_{ɨeT7y#_EyJ}"BZYQ0FzjEW&"oF[#?+
ֈkD5*Po
&R/qdo`AG*bI7"[²YX}?Q:wB<_@"!":88i8jbUK"`ܳOD`|jj)VGInGꢓu.خȂHN1=}",ԩdxP'2ov;q^VjQ|
%(?9k2EFf5zI+
%x^c??;
kST?ʉLo
Dnq`U1蚸)T8*Dnb3#I栖g&'zU>AGL:ZYY-Jȇ+>mw<'Zkձ"|mAA6|eEʈN6C+G:j1_ٌaKS{Zw~Y'?l(YsU~A#H4m,_Cڧ%$CdF:r#yi%6Z"j48yQ
4Eq{VfՆU!:'j"='G9^fV^f^MN$ڢV~UW%Δu)eM{F$M}j2[JN:Uy}S뿬m9Ɠ%pyO%->4>$>8>ⷁ]x}M =u<70%J!QиP1ꯒ4i-6uGHa^d
8~ZYdy.O~][xWvI%vHo"+gt^*1U~N]kz/G}6/GqDec(}##Z@Ֆ:jDmN0_!WzF΢GIa,"-%oL2uhC›yE}(1v['6 3ϢlڿO6/iXN)ua#rH
+*>ؕy&km!8.rl0cHMkɜkjΔދpS"7%c)K볥e(%*#))wd^Z[c-:U֍+*qNO`kywc%l7%ZDL?Ywɦ,/o.%	lP
s;[1"^_%[>Zsh̾7| A Gt4ɵe)e3-Un@@>yz4"(y=

޸&8+
I*cрShokZ\i%>KyЏ0Ja$&	Z{KJ
:!}k(Dq&zwh-7DZ^cida5ư`=o/-:j'Ip
nrO:~PK; [keqf:yw_	YYM]M{1)mO]s -uɠLe8z͘=\nd/hs=Vް~5Ot@7h1ը{^3[ɭ8U;nR]g{ߨw1VyƸnp׍N6\/㕷6}B2LM`ҜS2y@"Ŝ"R-j[(s:jTjs4x<羑/oϽ6ly%Vw_V?@=EHd7&E3yK?^t@݄Dˬ*TYan?|/vh/BeCNVuUi((lEF[?l[;*,w}Z)w,\/?i']D3^'ZrҞ?WY)ueW焁Oy79p,MfZ/Wowډy%j{[Z
F07|_ `06qKΛ[Q	;68"ip8/+13./
ti}iukpEfstʇA/gm}軧`ɶ+|dUS*s͚bȥTFzeQKKRYd&սr>_K^KeK!~U/歗qFگ\O}qYj\V5ӐZ=+%͇rQr(H)*.ʠLjktjU]ཆNٺ4Іӭcg׵Vٗ-jpxǕ'A9uh-cƹlKsp}dmh\}}&kI:Z&w<9RS=zb4O4 6yd!Hgks֬-ΐ!ڊ~{		lδapډ^>ximnEK+k_Z~g"EwR2Rg|k|}Sheacn,RkonQXb窛U`^߼*;-T3N=7vkZ1j}a}mDR,
+^-\a_c)^_'.PEGck_q"b?1StƳYAm
L^"#Gdsa*9I}tWh%^4=4-Y6ɝ}Y<.JKFg/Rc	rHCx+7Mu=-;|GիV|Wpc侕ܤ4:6n]+v'^Q[p<P@[Bnkoor֤F~]m)F$?K'd>kﺥyo	u.-0{G!nϩB9SAۺql[tv9W"r+`}fOPJhbY6-kCuۊ|\:Owt:6O^”#o>̛9Vx[$/=#|usT;MU
y,uT1|̼j:sE9A~}?lJCJ@*mbg#_L0DPKQte2m]}44]Oc̒{QvVq?"%"ޖ2	\,@n?^wD+̵ū۱V.r2yx25gjWoY.RNe ˀ VVZ<{Q׆{{Bp}B&]N2yͺ{od»J&ˠi;Ez]~K/op$ųe,{
/u0h+4rłms/73OTm
7
e_mJ2c&&wM՛mG"u+ٽ)>^HP[>S/uW-X-IM2=57	˞mլmv_hJЗ(fɀA>_yj\tOkl:͚NEx_**0LD6q%5z۳Н!O:u։'`x$%%%f4>:|2;x_4tUpӚzƄk74=QJ9,@J[jn޴Gqt2M,i15	9x|Z
x*H/_J Q$\e@$|ƿ>S*J+6gh>/^s7ϑ*&;*(G
7 BeRM(?Lj/2z#Z;*Lw\J_O-$Xx,E1^֓wLˮ\3S=YU='W7r@æed+6gg&*
:Rer6\Ly:(5wRz?͜06ṟSSdCX=P	7wʴW*S.'O+
L3'()E=\mޮGe,nOAٸs4t
dL^^o|E|^/e.<.tFL/pVW'+
b-U
ﮂhQJgD:_f׳y9
2C,0nпU@*_ ̹(tWp
WxIeɅ-5cJG@rKߪK5e4HavPBzu%u5i"8
{EXq

i#41S~Տ>rzhûڈ|kp
|*#_?g7Q:M/2%G#/6nqNbs8QP0%.{	Ci|8aG%, f{#"-H=
AZcD0e=m#f;"Z6 G]1i?r][E,&*WV|[#?R .Qj1z;D.e-/	XܡEu@53ϨD#)^-z$sEN2hծe"cU	bBYj:}mig$J:G|)3kSVW`0PVoʑ/p+ZܙvQK67G$Cp{=ZIw͹?znAYڿ7GS437wgk~.FMJ#,J$qYimdpd-QE|	x'MxN|	\[G%kA+x6D1)wFq_l/de^d3Co1#?Į{DY	Sr:&ȌdP:0/Ȇ,eekG*	D(,=XjPEhOsգZ\,7fmW,kko50'iwB	bMuu&V;"vH
׼OmZlpdQ[5CP&wWS\}(:U5;w{k.>-|NX^ǖ[C"uN"R_[ԑёQW
4fͳ=W\T`
|Fq4mE+ySO#4շ-Lc#*uq,GZbyT1P[	)r5|+gE7i}Z%0ݻvc&w%'9e 4b;jwǛaجF=|mϗ+nUݰmsUJmwB3LR1
w>z]]O⠥
|'8eޢR[[rw8i1v#̩M-zx#*!u\V[I##G8dRfj9CR[u^iyL(BC&`ZީI*č-"Q[A-(kԴX{YJwMpD]Err^D;<߆X.X2UasLw.[n\wZtTxwcKd#f{ł{uOQ2MҒݿ1r[۩
Z2~{hq0{0yϢ6qF7&rcum(::Vk3WIEF70j%ڀtBjmY49:7:"Yq̴{쵍rCHqpQG5e*IL7Zc;ppH؄NibF~AN+r-IK&j"9zG)"|Z/n	1ߍN(\bQVVDneimNŖ'K>
^v5mNldRH%Ϥ
ֻ܁#.ItBegjSEv!*oD5 \޴Hu(9)Yn}Mmr<TFe':``FEaS$M5zJ3}g@O5(S[](!ۧZ
\>,ÊWaaQ$c3żpEXkhSYj)]F9Av#ݭ	͸JR2!9UpEW@uG\`}bfح(ta~+rd=gtgOG	[pd>t=,]J5-Җ;Nv=ii^j\,}H!;-}WwA'~6|Vwy5/Ϟ}VK4WQZo{%G(\ۂS:ӛJqV\3!L0HhD{2
m"`
Sɰt@"rAd厴	9sgR\W3	?j`F`m
x%:Z*,m#&ziD֓VMG\m\ށ1Mg(Za“<j)-_,.[!JI6|$K
CT*?H&)ԣWT^bPvWz[YaZ]\,$J7ww/%*2#7HVG҇o)HkGѸV-jhYJE3y+ըڦ&yjiwP=dU碿RP"3sĚI}ޢ^9gZklXd*sF#[nxiURvtA
Lj f]4DX8Vƹ^ik'3#$e
xH_:Qsx멁
wyk蝒[vt@$DO#(800v$sU/Mάʵ# ^gNeI2~Jiu%%Ek;-\W1	+TWHjy_վ3*Z7l,*duǔF"%7DidlGkյd)Sj0Sh_3id샢>SĔըeGS"#ԉY詏lVҔHT#; Zں\c?5Ƣ˕˛gἀk*TvPWg9tۂe^	g*ώOwH {h$6N]{屵սuB[4r8ܭDy? O܍^Wh+Z4uϹtQ=I]	$7ABs
GUcOeCP abGhj'+H$u5]8hF8=jY9^XC_
JGK
mB["/LTU͊J:Ko)YKn
E3D2_LHj+n*ZQvwYjں
j,cxV|}F=Z-geqmCmhT+ψg0u6YkyaezJRԙ
#*>6GuQݧ]폏Xז`8 8J!$sޤsq
بakELk7~2w'SvpkƀcCl~pZFZ8VQqlS.fөP
6t^
iF~[2}.&4;ՂY?EօϮ5DN]Ki)Ϩ\?ږ~e<^+JZ+[W\ƭ_J5{cQ}ER
U㋩FYS1֮Euq}]uK?~ZnMfZt"%gIoⶼtܛݛˡUT[1>b4Vs;
Hv	폏6!
:㴰ڳnRXtCI h@3V7[}+Ъ{oDS@Hgٔ+oMi|S!;VK+FfրϩwYgQO&~kW

\N3m]/CtYCum>kzGh{9t:<?"k;acL^%_h\So)N+^ehuNS@>zr6*UGτڀS%sڷQ6BQ.k(jAրϩuh,~īX(r~?vgV~a.N1\5'}ʭ]vJ1f\Ug,\&
%bJӶ"((~+il:+wuNiDXҊvkъSV|U,"Be@ЊqE艗sƗ,M8ӪipyA%s[I`كc0(!i~ưƕo[>4րORlb/(Sy/-VOfg`Qݴv*̞Ӫ+R3ӳٕw]§V/Zo&[C"6KWjl5vUʫ	iY؞|( !fײyƦqR<+5hyӥԯ_RYJ_ѯb=b^#5SH'{,_ŴKFhMk<ۏɫ]ҤY8`
j4٤&A]pIf/ܱ%G#[1.g{`.=ڑu3?we;O
*.<~rgܖCZIaugnDh
=C_ѱ4(_YQYCi1ć͜iRnu+>Gd."JpkW֔zFWQ^xe=ҔܬLUwW *B4do V-OŹ/F,͵J.9j`V[lg{xigjø\;(1c"E.LJ&>s|I(#!m31Bں,B
+U.;WQe.Lзݴ7]/W<
ùc'bKĦxm*W5q*^DP)k;/-]\y/oWMHu[E<e7v[KyE5Ͽv,nMfje"4nfx#r=>1sgvoNӱwy8%aK>4ór`Rl)/4C0
0"N<_#
X9-:9BYzĩb?:q"5+5c6_rl XSϚto۟/|{qT7fy;ES`D:ul(soRY֧60ls"۠K,{aGݴC+SGY9—Ypi	t_*B6,S`:|.|ΚO3Cf3l&{5V?scE~鼍	d'<,RR+/|;|Dw{_iH5ȓ=y	KC*@<նa?kU21ݱx]i;}ĸ=b66<vzi]\½{,~!Fx/X,	>ۙ[L.aP̥xgrGbWtA%K玡oSSAo[=zk`->vV	WlK
Z<_t=^j	w$3'Ω@(	fNsfCcbϞs1aG.a48!k3śFǵ5 xgj,lTV#Ti̎kzL7vMv~ElӔ)6nژ(;Xw#qUƚ_7keƒOZJ  f=Ɣ/㛕M-Z`@D5` N"aYiNgݮt~O+8'}G
:m{F
k KM|GU6(Z:/kxwVdv/cISq[#ǁB8B1қvd8OXo_+O}VDl(bbpJ'yX[Ű/IàGXa#}O0W[>a.[>ųx*C]$iluRqěo/+2F8q&`{fٟSEu_Q`q~ؽ(UDexʨ~e*4QQ3l\'UgAcn|Jܬc ^V*3X΍I3e$"~twSѺ|$`{>J MCdWȈ?z|䏕?W]=K!BU߂"/栅#/l{m<sK', 7D?O(+yq7L_ӽ~XYO2os)*u+`F'ADb9t)w?L0r!n~"!uCg&k]ɍφ32/zqn z(&i2vt2%(\&Q|_i^$OoZRb=36
 =&eBFgEQ{&[lsj;Sl}o^쮧es=-
71=((杬|h~cW>+bdE
wӖl[hF7/z@lԡ8LeRڰsޮ8Kkj^9+>ǿ8;Mޝ=[x+O:Ib3Z޼AXNv!žس~E?mF;=-eɼT>TZ#Hk+B~h
7^QCiD1*kN>Epy#T>Ϊ\bVXE4:q븰S"cY0.YXX ~UyխGƶc	׾⏴zҰRw
Ђ]UGתGZU̓ݩyF1GD7m.g=YH|lpwEY[񚾍Ϻ{rU2Z3-5ӥe$M'ހq
Ѓ$BܜV9}ثT@.U"R}߭rHW5-VY6fS`m7lpeҗDXVZW1+-\sߴأԜX֗&n;g4 }z4|)HJ^!pKOyCL֊cu.O;Ic.[joY*=&)묵|1ӭŜqɚn5cO9kiY'/InyY[t=~QJԷ,Wc1;wiKf5.|E zA]mCy"9yW۩hl.W!<2|t}] KCVOL
=|)0|c37Bo}=s*+UpPPs/1r}}]P=ϟO𤵳Lİt=z
|@i@
@/J[5s&3à*ߠ~PZ6X]y/~Pz|8ivduVd.}]YBok0uc27cqc@#ZD=M#9JAlM폏vqXC{IZ1b\hO,t\w+[Aa:^{[n_KW]4z
:R.|n]x0oӪ>gk	F
RB|z8(
mai@XF6QM5nx?~(>g*yU=[ʉJb|̺
[cfqKe`㏊:Ym"Xls^\ ~e}uk&|Fg|68lm׬o=^o9bNǷuVLD
'5_}ǔg|tOcfwX"1վZi	klbv`czl>NpF=}:/s~`m.؈]X`V׉gd)kG.'K:܊gS	X;iy0_"fmle|#g'uHOoMpRL}Tc{)=-ʺv$c36(
L/_uڑ=F|efSemÙI{/-G8R0ep=l=Re\;l؁`m&}SZco@'	f]ն!,xGzlizsfM'y;=,rDžG
HP[קcvJ}Hb$N&>xK5l0ڃB{z-Ζ҂Ae6(\3
oSuR$Y"xUd0\vɐD@xJNY†	sYo:]&8pSٳ182X/A-߾:mQu.Ld՛_aY$ojym6Vl4Ǚ58{C5{h7GmXX?X_?ȷXuץe8FR"6ێhB[o~K
G⁠ZKrIw4vN6,9t
iө<{uay,H{ձpL#Lf[_UsX_V|vu6e-inA2V!DKMxKF~?4;@縂t#dB{Htt
A-?RM"/-9<46 3U!n)_Ж]mmbZC_h""kU-ڰ"p$e
qvTK)>O#݂_&C1hxKXksCQ+1R;5UL|
}mnq`SZ=^եrD4Ư5Ꞷ-Ƣ,#OdGӱv:e"RYv]"kvk5x
#
5|^O*])akC}tH~pv}_k뮾Xܥۜ:h51\\|N3rk3Ok|yٞlV6@'}`-Rsa$N;1XsZ7	(b;e]dޚU|5,.-_,اW:{lLGȴ
?~$DH]~[K_)1bX+E?l:X }m?
vcزc\-O3y!NT|;e3
~n-ZFgEv"[&{ݢȦ)D/چ'ҼeQ"u#`YerڒWP~rdIzmva@W׺{VI$|od?e_>ω[V.dFc!z5"S;ͪ~E&q}!;.x0>b됙/<%3WLм@1RKׅݼEqwoBO]3>pA
EK7?5!}Γg<
8ŭr˾)&A['Pq%.ep&SI)F?.p6#~S|fS7_b''SYkTj[d3llG hk˩|Ɇ/}A
ߍamw͛_ݒݢ
31?H& 	"wբ,EE_onխ|yQ9hn	@$T4/.*L!6R>Nvo@[A|u~񱧼K.u@(C׃$k#k[;%[o@1E/A[ Ecٓ5Zuغk"
T-qReHq;$(W,8;_3WJTs
g@C'<ǿdU	F KlV1z3ɪ]IP;UqeGG,HڰT֯$(Pw>/تʹF˂}+0Y;kp&ߝ/ggyxh#w~[t'S@XN%ST,_0,TA^fB,}ڙ/ٳuRVׯ]2L֜g";g/Ono5OV;!hvqx)CW P]
cCmu`a\w
z9s1cYvUS	O6l1F	Gq޲YM;a[ZrIrPt+_T"?
GuK9zK:m^A{VCUVOs"X{)Xvh35O@}kf*Ϟ0\uQua+EYĕ
JVrMyiz|ZƠvu欔}K/ygP=`v\K_:+&X,D֮\keqn%*QKc}v,f9U,
r^UFRjʕwro$N$Se
#lWi!7OΣ	eقb~YucmPLy_;tUuF
Ou1B,)?">geYF̗Z6p3*j6B-ZC˽ϱ˅(A֚Q%-v̡=)b7: :eaoHB^h6<,_wntŏ"`dG1˅N!Q]*5./܎90tCL3||٬TP`7X?,uv"kjec9s,:|#s 6E=e1EZbr{,||汈WCOAuUEU-%g1TnՀ[JiC&
:b˵>r#rQej֊t]8½#&:ۚ̊C3˸j)ezMNߕz̶]OޏwF._]Ǟz&\W1=vu+WفGwHᆬK}u^`,#ʗc~)[m^6βzveOQrߒu1o<ѠK|o!7a\ئw='wysSwYmL@}Hb8UKϜxN^E6r?IqƑJz]l*)+[XeOjcM1K=e}/j!kli	5:gK< ޅs9Y4%.bz%f}-|c8չ},Nr#w"aK^ac"9!e+='p#w"KQcx2+b6XxS\HEcFxZ,t}eTn$N$(fߔ]"eeAB"CG
_JzY(VNs+j6},];eJ%ZK,eGRy%":wFMW2Ke
y(>m?_|ZtqOSD$UYRyf;S9-?I̝xz̥rW濽-U4'sz=eMAW%=(uxY̔uz/y/+O^'jкڳ߸^ficy8x$ZS|y1_pgl;}l|ƅ,[uxe:@KY9켥Ku\辴*5#c^F}lKmjeAYmz݋Y?~]j=rG>;jm̉Ɔd:IM=7[cwE~č}#fWɲQvtejD_ nT.ڗRhb:aP$esreo?:aQ9Kas(`\7<蕶3"J6T\zBa(|'?Jh(x0k'k{f_D@r'VvTs[
_E4퇯ޅy~օ(gG<*ST/]hB|	ǣeWضzF	tGС,q)DK(De)ﶳZ
euV.U,y&ye0rP[>:lq
.yκ,y+PQ4AY Ǡb/P*ͬ|:MeVᔺ;⑫j.7cG
`:cbCMpv||=l=yc(F-{M'{fYk)c_	>#ߐ
aV
#;)y!$OFVT5v	*ӭMEF@|G6K=j1#_tn;4TV
SMMVeҀq'VVu!w9/Ϸ|b5uvڱe3ktY!&KV%{fm\FvhOe[ r.[+V(cct39:2^G^Vcd>rXG;~uJUޮuUc&m0uw3#ou	̅6`.aݪe]n?4xzƆ!_һ[kU@$}3o?:ڈVJy
|i_g	zrIn?:Hxu1Ե63D]:>*
@o^I]X}ht*(?'r7[3dDoy7luZc7vwY1
[߸"k\m7i5U5qNq&YZ9@253j@;f6+6y	`"\ݺuJȬg._lRp_69[!B *`ǝ3,ƪ#BMju3(2ZK:	p/o1Zqۊh7oߔXR*G+
UG|N
*UF|k.g켶lSHnsϏpZ}bs
Oyk7p9w@'[a&Vhxl7p:6G]޺JXvc㼞[0`8:VB}^`BdsgrDgBOmnmoyvj6n‚=V$SJ[M5v{Nsy|Ǹw'q[i.`\)xJa_єU֭#_WGh𜘞eRyp}KCrkՔv
e@G,tx卬|Q%1DY^Z@xJ6z)I4f(_W] B ˷ۘ٪H]Gj6\׬yJcâ?_Z=7[bDmYWц>rtw-q9trƯaZA5JhܢQ"ܴu1Aq
|&܉Uumlxv.|F)޹ج1S@fY^6=xPFM7!,>e
]osr!l~f31q\%8t5Xj_&z	X\Vΐ[.9·e7i;7z!Xkh@	}:kLD^9{@l%a6o	l3@W^İ!aX1LeoPvc8@K.|B!
ux}~Jợ2c7kMs|-
{DAob_3(B['ZP_;+~߾qM|`X
9·@@_r89'rᛧYu,з235why3-1.6.0/examples/multiprecision/get_str.mlw000066400000000000000000001360631440160026300214710ustar00rootroot00000000000000module Get_str

  use int.Int
  use int.Abs
  use int.Power
  use array.Array
  use map.Map
  use mach.int.Int32
  use mach.int.UInt32
  use mach.c.UChar
  use import mach.int.UInt64GMP as Limb
  use mach.c.C
  use types.Types
  use lemmas.Lemmas
  use powm.Powm
  use stringlemmas.String_lemmas
  use logical.Logical
  use int.ComputerDivision as CD
  use int.EuclideanDivision
  use base_info.BaseInfo

  let wmpn_get_str_bits (sp:ptr uchar) (bits:uint32)
                        (up:ptr limb) (un:int32) (ghost ub:int32)
      : uint32
    requires { 1 <= un }
    requires { valid up un }
    requires { 1 <= bits <= 8 }
    requires { valid sp (div (ub + bits - 1) bits) }
    requires { 0 <= ub }
    requires { value up un < power 2 ub }
    requires { (pelts up)[offset up + un - 1] > 0 }
    requires { 64 * un + 7 <= max_int32 }
    requires { writable sp }
    ensures  { in_base (power 2 bits) (pelts sp)
                       (offset sp) (offset sp + result) }
    ensures  { svalue (power 2 bits) sp result = value up un }
    ensures  { 0 < result <= (div (ub + bits - 1) bits) }
    ensures  { (pelts sp)[offset sp] > 0 }
    ensures  { forall j. j < offset sp
               \/ offset sp + (div (ub + bits - 1) bits) <= j ->
               (pelts sp)[j] = old (pelts sp)[j] }
    writes   { sp.data.elts }
  =
    let um = C.get_ofs up (un - 1) in
    let sb = wmpn_limb_size_in_base_2 um in
    let e = 64 * (un-1) + Limb.to_int32 sb + UInt32.to_int32 bits - 1 in
    value_tail up (un-1);
    assert { power 2 (e-bits) <= value up un < power 2 (e-bits+1)
             by value up un
                = value up (un - 1)
                  + power radix (un - 1) * (pelts up)[offset up + (un - 1)]
                = value up (un - 1) + power radix (un - 1) * um
             so power 2 (sb-1) <= um < power 2 sb
             so power radix (un - 1) = power 2 (64 * (un - 1))
             so 0 <= value up (un - 1) < power radix (un - 1)
                                       = power 2 (64 * (un - 1))
             so power radix (un - 1) * um
                >= power radix (un - 1) * power 2 (sb - 1)
                = power 2 (64 * (un - 1)) * power 2 (sb - 1)
                = power 2 (64 * (un - 1) + sb - 1)
                = power 2 (e - bits)
             so power 2 (e - bits) <= value up un
             so value up un
                < power radix (un - 1) + power radix (un - 1) * um
                = power radix (un - 1) * (1 + um)
                = power 2 (64 * (un - 1)) * (1 + um)
                <= power 2 (64 * (un - 1)) * power 2 sb
                = power 2 (64 * (un - 1) + sb) };
    assert { e <= ub + bits - 1
             by power 2 (e - bits) <= value up un < power 2 ub
             so if ub <= e - bits
                then power 2 ub * 1 <= power 2 ub * power 2 (e - bits - ub)
                     = power 2 (e - bits) so false
                else e <= ub + bits - 1 };
    let sn = e / UInt32.to_int32 bits in
    assert { offset sp + sn <= max sp
             by offset sp + div (ub + bits - 1) bits <= max sp
             so sn = div e bits
             so e <= ub + bits - 1
             so let m' = mod e bits in
                let d = div (ub + bits - 1) bits in
                let m = mod (ub + bits - 1) bits in
                sn * bits + m' = e <= d * bits + m
             so m' <= bits - 1 so 0 <= m
             so bits * sn <= bits * d + (m-m')
             so - bits < m - m' < bits
             so sn <= d };
    let b = lsl 1 (Limb.of_uint32 bits) in
    assert { b = power 2 bits };
    assert { 2 <= b <= 256
             by 1 <= bits <= 8
             so power 2 2 = 4
             so power 2 4 = 16
             so power 2 5 = 32
             so power 2 6 = 64
             so power 2 7 = 128
             so power 2 8 = 256
            };
    assert { power b (sn - 1) <= value up un < power b sn
             by e = bits * sn + CD.mod e bits
             so 0 <= CD.mod e bits < bits
             so bits * sn <= e < bits * sn + bits
             so bits * (sn - 1) <= e - bits
             so e - bits + 1 <= bits * sn
             so let d = e - bits - (bits * (sn - 1)) in
                0 <= d
             so power b (sn - 1) = power (power 2 bits) (sn - 1)
                = power 2 (bits * (sn - 1))
                <= power 2 (bits * (sn - 1)) * power 2 d
                = power 2 (e - bits)
             so power b sn = power (power 2 bits) sn
                = power 2 (bits * sn)
                >= power 2 (e - bits + 1) };
    let ref i = 0 in
    let ref j = sn in
    let ref shift = 0 in
    let ghost ref udone : int = 0 in
    assert { sn = div e bits };
    assert { sn * bits <= sn * bits + mod e bits = e };
    while j > 0 do
      invariant { 0 <= i <= un }
      invariant { 0 <= j <= sn }
      invariant { (sn - j) * bits = udone }
      invariant { j > 0 -> udone = 64 * i + shift }
      invariant { 0 <= shift < Limb.length \/ i = un }
      invariant { in_base b (pelts sp) (offset sp + j) (offset sp + sn) }
      invariant { (svalue_sub b (pelts sp) (offset sp + j) (offset sp + sn)
                   = valueb up udone /\ udone <= 64 * un)
                  \/ (j = 0 /\ svalue b sp sn = value up un) }
      invariant { forall k. k < offset sp
                  \/ offset sp + sn <= k ->
                     (pelts sp)[k] = old (pelts sp)[k] }
      variant   { j }
      assert { i < un
               by j > 0
               so sn = div e bits
               so sn * bits <= sn * bits + mod e bits = e
               so 64 * i + shift
                  = (sn - j) * bits
                  <= sn * bits - bits
                  <= e - bits
                  <= 64 * un
               so i < un };
      j <- j - 1;
      let lu = C.get_ofs up i in
      let ref digit = lsr_mod lu shift in
      let ghost low = mod (uint64'int lu) (power 2 (uint64'int shift)) in
      assert { lu = digit * power 2 shift + low
               by lu = power 2 shift * div lu (power 2 shift)
                       + mod lu (power 2 shift)
                     = power 2 shift * digit + low };
      assert { div udone 64 = i /\ udone - 64 * i = shift };
      let ghost oshift = shift in
      assert { power radix i * power 2 oshift = power b (sn - j - 1)
               by power radix i * power 2 oshift
                  = power (power 2 64) i * power 2 oshift
                  = power 2 (64 * i) * power 2 oshift
                  = power 2 (64 * i + oshift)
                  = power 2 ((sn - j - 1) * bits)
                  = power (power 2 bits) (sn - j - 1)
                  = power b (sn - j - 1) };
      shift <- shift + Limb.of_uint32 bits;
      if shift >= 64
      then begin
        value_tail up i;
        i <- i+1;
        assert { digit < power 2 (64 - oshift)
                 by digit * power 2 oshift + low < radix
                 so digit * power 2 oshift < radix
                    = power 2 (64 - oshift) * power 2 oshift };
        if i < un
        then begin
          shift <- shift - 64;
          let lu' = get_ofs up i in
          let ghost odigit = digit in
          let high = lsl_mod lu' (Limb.of_uint32 bits - shift) in
          assert { high = power 2 (bits - shift)
                          * mod lu' (power 2 (64 - (bits - shift)))
                        = power 2 (bits - shift) * mod lu' (power 2 oshift)
                   by high = mod (lu' * power 2 (bits - shift)) radix
                   so let d = div lu' (power 2 (64 - (bits - shift))) in
                      let m = mod lu' (power 2 (64 - (bits - shift))) in
                      lu' * power 2 (bits - shift)
                      = d * (power 2 (64 - (bits - shift))
                            * power 2 (bits - shift))
                        + m * power 2 (bits - shift)
                      = d * radix + m * power 2 (bits - shift)
                   so 0 <= m < abs (power 2 (64 - (bits - shift)))
                        = power 2 (64 - (bits - shift))
                   so power 2 (bits - shift) * m
                      < power 2 (bits - shift) * power 2 (64 - (bits - shift))
                      = power 2 64 = radix
                   so 0 <= m so 0 <= power 2 (bits - shift)
                   so 0 <= m * power 2 (bits - shift) < radix
                   so high = mod (radix * d + m * power 2 (bits - shift)) radix
                           = mod (m * power 2 (bits - shift)) radix
                           = m * power 2 (bits - shift) };
          assert { digit + high < radix
                   by digit < power 2 (64 - oshift)
                   so shift = oshift + bits - 64
                   so 64 - oshift = bits - shift
                   so digit + high < power 2 (bits - shift) + high
                      = power 2 (bits - shift) * (1 + mod lu' (power 2 oshift))
                      <= power 2 (bits - shift) * power 2 oshift
                      = power 2 (bits - shift + oshift)
                      = power 2 64 = radix };
          digit <- digit + high; (* TODO logical or *)
          assert { valueb up (udone + bits)
                   = valueb up udone + mod digit b * power b (sn - j - 1)
                   by valueb up udone = value up (i-1) + power radix (i-1) * low
                   so oshift + bits >= 64
                   so div (udone + bits) 64 = i
                   so udone = 64 * (i-1) + oshift
                   so udone + bits - (64 * i)
                      = 64 * (i-1) + oshift + bits - 64 * i
                      = oshift + bits - 64 = shift
                   so valueb up (udone + bits)
                      = value up i + power radix i * mod lu' (power 2 shift)
                   so value up i = value up (i-1) + power radix (i-1) * lu
                   so lu = low + power 2 oshift * odigit
                   so valueb up (udone + bits) - valueb up udone
                      = power radix (i-1) * power 2 oshift * odigit
                        + power radix i * mod lu' (power 2 shift)
                      = power radix (i-1) * power 2 oshift * odigit
                        + power radix (i-1) * radix * mod lu' (power 2 shift)
                      = power radix (i-1)
                        * (power 2 oshift * odigit
                          + radix * mod lu' (power 2 shift))
                      = power radix (i-1)
                        * (power 2 oshift * odigit
                          + power 2 oshift * power 2 (64 - oshift) *
                          mod lu' (power 2 shift))
                      = power radix (i-1) * power 2 oshift
                        * (odigit
                           + power 2 (64 - oshift) * mod lu' (power 2 shift))
                      = power b (sn - j - 1)
                        * (odigit
                           + power 2 (64 - oshift) * mod lu' (power 2 shift))
                   so power 2 (64 - oshift) * mod lu' (power 2 shift)
                      = power 2 (bits - shift) * mod lu' (power 2 shift)
                      = mod (lu' * power 2 (bits - shift))
                            (power 2 shift * power 2 (bits - shift))
                      = mod (lu' * power 2 (bits - shift))
                            (power 2 bits)
                   so high = mod (lu' * power 2 (bits - shift)) radix
                   so let d = div (lu' * power 2 (bits - shift)) radix in
                      lu' * power 2 (bits - shift)
                      = d * radix + high
                   so radix = power 2 bits * power 2 (64 - bits)
                   so mod (lu' * power 2 (bits - shift)) (power 2 bits)
                      = mod (power 2 bits * (power 2 (64 - bits) * d) + high)
                            (power 2 bits)
                      = mod high (power 2 bits) = mod high b
                   so odigit < power 2 (64 - oshift) = power 2 (bits - shift)
                   so high = power 2 (bits - shift)
                             * mod lu' (power 2 (64 - (bits - shift)))
                   so mod high (power 2 (bits - shift)) = 0
                   so let d = div high (power 2 (bits - shift)) in
                      high = d * power 2 (bits - shift)
                   so let d' = div d (power 2 shift) in
                      let m = mod d (power 2 shift) in
                      high = (d' * power 2 shift +  m) * power 2 (bits - shift)
                           = d' * (power 2 shift * power 2 (bits - shift))
                             + m * power 2 (bits - shift)
                           = d' * power 2 bits + power 2 (bits - shift) * m
                   so shift < bits
                   so 0 <= power 2 (bits - shift) so 0 <= m
                   so 0 <= power 2 (bits - shift) * m
                        < power 2 (bits - shift) * power 2 shift = b
                   so div high b = d'
                   so mod high b
                      = high - b * div high b
                      = m * power 2 (bits - shift)
                   so 0 <= mod odigit b + mod high b
                        = mod odigit b + m * power 2 (bits - shift)
                        < power 2 (bits - shift) + m * power 2 (bits - shift)
                        = power 2 (bits - shift) * (1 + m)
                        <= power 2 (bits - shift) * power 2 shift
                        = power 2 bits = b
                   so odigit + mod high b
                      = mod odigit b + mod high b
                      = mod (mod odigit b + mod high b) b
                      = mod (odigit + high) b
                      = mod digit b
                   so valueb up (udone + bits) - valueb up udone
                      = power b (sn - j - 1)
                        * (odigit
                           + power 2 (64 - oshift) * mod lu' (power 2 shift))
                      = power b (sn - j - 1) * mod digit b };
        end
        else begin
          assert { valueb up udone + mod digit b * power b (sn - j - 1)
                   = value up un
                   by i = un
                   so div udone 64 = i - 1
                   so valueb up udone = value up (i-1) + power radix (i-1) * low
                   so value up un = value up (i-1) + power radix (i-1) * lu
                   so lu = low + digit * power 2 oshift
                   so value up un
                      = value up (i-1)
                        + power radix (i-1) * (low + digit * power 2 oshift)
                      = valueb up udone
                        + power radix (i-1) * power 2 oshift * digit
                      = valueb up udone + power b (sn - j - 1) * digit
                   so digit < power 2 (64 - oshift) <= power 2 bits = b
                   so mod digit b = digit };
          assert { j = 0
                   by 64 * un <= udone + bits <= bits * (sn - j)
                   so e < 64 * un + bits
                   so sn = div e bits
                   so sn * bits = e - mod e bits <= e < 64 * un + bits
                   so bits * j <= sn * bits - 64 * un < bits
                   so bits * j < bits * 1 so 0 < bits
                   so j < 1 };
        end
      end
      else begin
        assert { valueb up (udone + bits)
                 = valueb up udone + mod digit b * power b (sn - j - 1)
                 by valueb up udone = value up i + power radix i * low
                 so oshift + bits = shift < 64
                 so div (udone + bits) 64 = i
                 so valueb up (udone + bits)
                    = value up i
                      + power radix i * mod lu (power 2 (oshift + bits))
                 so let d = div digit (power 2 bits) in
                    let m = mod digit (power 2 bits) in
                    digit = d * power 2 bits + m
                 so lu = digit * power 2 oshift + low
                       = ((d * power 2 bits) + m) * power 2 oshift + low
                       = d * power 2 (oshift + bits) + m * power 2 oshift + low
                 so 0 <= low < power 2 oshift
                 so 0 <= m < power 2 bits
                 so 0 <= m * power 2 oshift
                 so 0 <= m * power 2 oshift + low
                      < m * power 2 oshift + power 2 oshift
                      = power 2 oshift * (m+1)
                      <= power 2 oshift * power 2 bits
                      = power 2 (oshift + bits)
                 so mod lu (power 2 (oshift + bits))
                    = mod (power 2 (oshift + bits) * d
                             + (m * power 2 oshift + low))
                          (power 2 (oshift + bits))
                    = mod (m * power 2 oshift + low) (power 2 (oshift + bits))
                    = m * power 2 oshift + low
                 so valueb up (udone + bits)
                    = value up i + power radix i * (m * power 2 oshift + low)
                    = value up i + power radix i * low
                      + power radix i * (m * power 2 oshift)
                    = valueb up udone + power radix i * m * power 2 oshift
                 so 64 * i + oshift = (sn - j - 1) * bits
                 so power radix i * power 2 oshift = power b (sn - j - 1)
                 so valueb up (udone + bits)
                    = valueb up udone + power b (sn - j - 1) * m };
      end;
      (* TODO mask + logical and *)
      let sj = digit % b in
      assert { sj = mod digit b
               by div digit b = CD.div digit b
               so mod digit b = digit - b * div digit b
                  = digit - b * CD.div digit b = CD.mod digit b = sj };
      label Set in
      C.set_ofs sp j (UChar.of_uint64 sj);
      assert { forall i. offset sp + j < i ->
                         (pelts sp)[i] = (pelts sp at Set)[i] };
      assert { svalue_sub b (pelts sp) (offset sp + (j+1)) (offset sp + sn)
               = svalue_sub b (pelts sp at Set)
                              (offset sp + (j+1)) (offset sp + sn) };
      svalue_sub_tail (uint64'int b) (pelts sp) (offset sp + (int32'int j+1))
                                   (offset sp + int32'int sn);
      assert { svalue_sub b (pelts sp) (offset sp + j) (offset sp + sn)
               = svalue_sub b (pelts sp) (offset sp + j + 1) (offset sp + sn)
                 + power b (sn - (j + 1)) * sj
               = valueb up udone + mod digit b * power b (sn - j - 1) };
(*               = valueb up (udone + bits) };*)
      udone <- udone + uint32'int bits;
    done;
    assert { udone <= 64 * un -> value up un = valueb up udone
             by udone = sn * bits = e - mod e bits
                = 64 * (un - 1) + sb + (bits - 1) - mod e bits
                >= 64 * (un - 1) + sb
             so un - 1 <= div udone 64 <= un
             so if div udone 64 = un - 1
                then
                  valueb up udone
                  = value up (un-1)
                    + power radix (un-1)
                      * mod um (power 2 (udone - 64 * (un - 1)))
                  so udone - 64 * (un - 1) >= sb
                  so um < power 2 sb <= power 2 (udone - 64 * (un - 1))
                  so mod um (power 2 (udone - (64 * (un - 1))))
                     = um
                  so valueb up udone
                     = value up (un - 1) + power radix (un-1) * um
                     = value up un
                else
                  div udone 64 = un
                  so udone = 64 * un
                  so valueb up udone
                     = value up un
                       + power radix un
                         * mod (pelts up)[offset up + un] (power 2 0)
                     = value up un
                       + power radix un * mod (pelts up)[offset up + un] 1
                     = value up un };
    assert { sn <= div (ub + bits - 1) bits
             by sn = div e bits
             so e <= ub + bits - 1
             so let m1 = mod e bits in
             let m2 = mod (ub + bits - 1) bits in
             let d = div (ub + bits - 1) bits in
             sn * bits + m1 = e <= d * bits + m2
             so sn * bits <= d * bits + m2 - m1
                < d * bits + bits
             so bits * sn < bits * (d + 1)
             so sn < d + 1 };
    svalue_sub_tail (uint64'int b) (pelts sp) (offset sp + 1)
                                   (offset sp + int32'int sn);
    assert { (pelts sp)[offset sp] > 0
             by value up un
                = svalue_sub b (pelts sp) (offset sp) (offset sp + sn)
                = power b (sn - 1) * (pelts sp)[offset sp]
                  + svalue_sub b (pelts sp) (offset sp + 1) (offset sp + sn)
             so svalue_sub b (pelts sp) (offset sp + 1) (offset sp + sn)
                < power b (sn - 1)
                <= value up un };
    UInt32.of_int32 sn

  use div.Div

  let wmpn_limb_get_str
     (sp: ptr uchar) (ghost sz:int32) (ref w:limb)
     (d1:limb) (di:limb) (shift:limb)
     (ghost binfo:wmpn_base_info) : uint32
    requires { 2 <= binfo.b <= 256 }
    requires { writable sp }
    requires { d1 >= div radix 2 }
    requires { 0 <= shift <= 63 }
    requires { binfo.b * power 2 shift = d1 }
    requires { reciprocal di d1 }
    requires { valid sp sz }
    requires { 0 < sz }
    requires { w < power binfo.b sz }
    ensures  { svalue_le binfo.b sp result = old w }
    ensures  { 0 <= result <= sz }
    ensures  { result > 0 -> (pelts sp)[offset sp + result - 1] > 0 }
    ensures  { forall i. i < offset sp \/ offset sp + result <= i ->
               (pelts sp)[i] = old (pelts sp)[i] }
    ensures  { in_base binfo.b (pelts sp)
                       (offset sp) (offset sp + result) }
  =
    let ref i = 0 in
    let ghost ow = pure { w } in
    let ghost base = binfo.b in
    assert { radix = power 2 shift * power 2 (64 - shift) };
    assert { shift > 0
             by base <= 256 so base * power 2 shift >= div radix 2 > 256
             so power 2 shift > 1 };
    while w > 0 do
      invariant { 0 <= w < radix }
      invariant { 0 <= i <= sz }
      invariant { w > 0 -> 0 <= i < sz }
      invariant { in_base base (pelts sp) (offset sp) (offset sp + i) }
      invariant { w = 0 -> i > 0 -> (pelts sp)[offset sp + i - 1] > 0 }
      invariant { ow = svalue_le base sp i + power base i * w }
      invariant { forall j. j < offset sp \/ offset sp + i <= j ->
                            (pelts sp)[j] = old (pelts sp)[j] }
      variant { w }
      label StartLoop in
      let h = lsr_mod w (64 - shift) in
      let l = lsl_mod w shift in
      assert { l + radix * h = power 2 shift * w
               by h = div w (power 2 (64 - shift))
               so l = mod (power 2 shift * w) radix
               = mod (power 2 shift * w) (power 2 shift * power 2 (64 - shift))
               = power 2 shift * mod w (power 2 (64 - shift))
               so radix * h = power 2 shift * power 2 (64-shift) * h
               so l + radix * h
                  = power 2 shift
                    * (power 2 (64 - shift) * h + mod w (power 2 (64 - shift)))
                  = power 2 shift * w };
      assert { h < d1
               by h = div w (power 2 (64 - shift))
               so shift <= 63 so power 2 (64 - shift) >= 2
               so w < radix
               so h * 2 <= h * power 2 (64 - shift)
                  = div w (power 2 (64 - shift)) * power 2 (64 - shift)
                  = w - mod w (power 2 (64 - shift)) <= w < radix
               so h <= div radix 2 };
      let q, r = div2by1_inv h l d1 di in
      assert { r = power 2 shift * (w - base * q)
               by q * d1 + r = power 2 shift * w
               so q * d1 + r = power 2 shift * base * q + r };
      assert { mod r (power 2 shift) = 0
               by r = power 2 shift * (w - base * q)
               so mod r (power 2 shift)
                  = mod (power 2 shift * (w - base * q) + 0) (power 2 shift)
                  = 0 };
      assert { ow = svalue_le base sp i + power base i * (w - base * q)
                    + power base (i+1) * q
               by ow = svalue_le base sp i + power base i * w
               so power base i * (w - base * q) + power base (i+1) * q
                  = power base i * (w - base * q)
                    + power base i * base * q
                  = power base i * w };
      let ghost osp = pure { sp } in
      let ghost nr = lsr r shift in
      assert { nr = w - base * q };
      assert { 0 <= nr < 256
               by r < d1
               so nr * power 2 shift = r
               so base * power 2 shift = d1
               so nr < base <= 256 };
      C.set_ofs sp i (UChar.of_uint64 (lsr r shift));
      svalue_le_sub_frame base (pelts sp) (pelts osp)
                          (offset sp) (offset sp + int32'int i);
      assert { in_base base (pelts sp) (offset sp) (offset sp + i + 1) };
      svalue_le_sub_tail base (pelts sp) (offset sp) (offset sp + int32'int i);
      assert { q < w
               by q * d1 <= power 2 shift * w
               so d1 = base * power 2 shift > power 2 shift > 0
               so w * power 2 shift < w * d1
               so d1 * q < d1 * w };
      assert { svalue_le base sp (i+1) + power base (i+1) * q = ow
               by svalue_le base sp (i+1)
               = svalue_le base sp i + power base i * (pelts sp)[offset sp + i]
               = svalue_le base sp i + power base i *  (w - base * q)
               = svalue_le base (sp at StartLoop) i
                 + power base i * (w - base * q) };
      assert { q > 0 -> i + 1 < sz
               by power base sz > ow
               so power base (i+1) <= power base (i+1) * q
                  = ow - svalue_le base sp (i+1) <= ow
               so power base (i+1) < power base sz };
      assert { q = 0 -> nr > 0
               by r = power 2 shift * w >= power 2 shift };
      w <- q;
      i <- i + 1;
    done;
    UInt32.of_int32 i

  use util.UtilOld

  let wmpn_get_str_other (sp: ptr uchar) (ghost sz:int32)
                         (base:int32) (info:wmpn_base_info)
                         (up: ptr limb) (un: int32) : uint32
    requires { valid up un }
    requires { 1 <= un }
    requires { info.b = base }
    requires { writable up }
    requires { writable sp }
    requires { (pelts up)[offset up + un - 1] > 0 }
    requires { 0 < sz }
    requires { valid sp sz }
    requires { value up un < power base (sz-1) }
    ensures  { 0 <= result < sz }
    ensures  { svalue base sp result = old value up un }
    ensures  { in_base base (pelts sp) (offset sp) (offset sp + result) }
    ensures  { (pelts sp)[offset sp] > 0 }
    ensures  { forall j. j < offset sp \/ offset sp + sz <= j ->
               (pelts sp)[j] = old (pelts sp)[j] }
  =
    let shift = Limb.of_int32
                  (Limb.count_leading_zeros (Limb.of_int32 base)) in
    let d1 = lsl (Limb.of_int32 base) shift in
    assert { d1 >= div radix 2
             by 2 * power 2 shift * base >= radix
             so d1 = power 2 shift * base
             so 2 * d1 >= radix };
    let di = invert_limb d1 in
    let ghost vu = value up (int32'int un) in
    let ref sn = 0 in
    let ref n = un in
    begin ensures { svalue_le base sp sn + power base sn * value up 1 = vu }
          ensures { in_base base (pelts sp) (offset sp) (offset sp + sn) }
          ensures { 0 <= sn < sz }
          ensures { 0 < value up 1 }
          ensures { forall j. j < offset sp \/ offset sp + sz <= j ->
                    (pelts sp)[j] = old (pelts sp)[j] }
    if n > 1
    then begin
      let tp = salloc (UInt32.of_int32 n) in
      let ghost ref loopi : int = 0 in
      while n > 1 do
        variant { value up n }
        invariant { svalue_le base sp sn + power base sn * value up n = vu }
        invariant { 1 <= n <= un }
        invariant { un - n <= loopi }
        invariant { 0 <= sn < sz }
        (*invariant { power radix n <= power base (sz - 1 - sn) }*)
        invariant { sn = loopi * info.exp }
        invariant { in_base base (pelts sp) (offset sp) (offset sp + sn) }
        invariant { (pelts up)[offset up + n - 1] > 0 }
        invariant { forall j. j < offset sp \/ offset sp + sz <= j ->
                    (pelts sp)[j] = old (pelts sp)[j] }
        label StartLoop in
        let ghost osn = sn in
        let ref w = wmpn_divrem_1 tp up n info.bb in
        value_tail up (n-1);
        assert { sn + info.exp < sz
                 by value up n
                    >= power radix (n-1) * (pelts up)[offset up + n - 1]
                    >= power radix (n-1)
                 so n - 1 >= 1
                 so power radix (n-1) >= radix
                 so vu < power base (sz - 1)
                 so power base sn * power base info.exp
                    < power base sn * radix
                    <= power base sn * value up n
                    <= vu
                    < power base (sz - 1)
                 so power base (sn + info.exp) < power base (sz - 1) };
        label Size in
        wmpn_copyi up tp n;
        value_sub_frame_shift (pelts up) (pelts tp)
                              (offset up) (offset tp) (int32'int n);
        n <- n - if C.get_ofs up (n-1) = 0 then 1 else 0;
        value_tail up n;
        assert { value up n = value tp n at Size
                 by if (pelts up)[offset up + n - 1 at Size] = 0
                    then n = n-1 at Size
                      so value up n = value up (n+1)
                         = value tp n at Size
                    else n = n at Size
                      so value up n = value tp n at Size };
        assert { (pelts up)[offset up + n - 1] > 0
                 by if (pelts up)[offset up + n - 1 at Size] = 0
                 then n = n-1 at Size
                      so value up n at StartLoop
                         = value up (n-1) at StartLoop
                           + (power radix (n-1)
                            * (pelts up)[offset up + (n - 1)] at StartLoop)
                         >= (power radix (n-1)
                            * (pelts up)[offset up + (n - 1)] at StartLoop)
                         >= power radix (n-1 at StartLoop)
                      so value up n at StartLoop = info.bb * value up n + w
                      so info.bb < radix
                      so value up n * info.bb < value up n * radix
                      so w < radix
                      so info.bb * value up n + w
                         < info.bb * value up n + radix
                         < value up n * radix + radix
                         = radix * (value up n + 1)
                      so radix * power radix (n-1)
                         = power radix n < radix * (value up n + 1)
                      so power radix (n-1) < value up n + 1
                      so power radix (n-1)
                         <= value up n
                         = value up (n-1)
                           + power radix (n-1) * (pelts up)[offset up + n - 1]
                         < power radix (n-1)
                           + power radix (n-1) * (pelts up)[offset up + n - 1]
                         = power radix (n-1)
                            * (1 + (pelts up)[offset up + n - 1])
                      so 1 < (1 + (pelts up)[offset up + n - 1])
                 else true };
        let spn = C.incr sp sn in
        let ghost osp = pure { sp } in
        let ref sdone = wmpn_limb_get_str spn (UInt32.to_int32 info.exp + 1)
                                              w d1 di shift info in
        svalue_le_sub_frame (int32'int base) (pelts sp) (pelts osp)
                            (offset sp) (offset sp + int32'int sn);
        assert { forall j. j < offset sp \/ offset sp + sz <= j ->
                 (pelts sp)[j] = (pelts osp)[j]
                 by j < offset sp <= offset spn
                      \/ offset spn + sdone <= offset sp + sz <= j};
        assert { svalue_le base sp sn = svalue_le base sp sn at StartLoop };
        in_base_concat (int32'int base) (pelts sp)
                       (offset sp) (offset sp + int32'int sn)
                       (offset sp + int32'int sn + uint32'int sdone);
        svalue_le_concat (int32'int base) sp sn (sn + UInt32.to_int32 sdone);
        ghost (if sdone > 0 then
               svalue_le_tail (int32'int base) spn (UInt32.to_int32 sdone - 1));
        assert { svalue_le base sp (sn + sdone)
                 + power base (sn + info.exp) * value up n = vu
                 by svalue_le base sp (sn + sdone)
                    = svalue_le base sp sn at StartLoop
                      + power base sn * (w at Size)
                 so power base sn * value up n at StartLoop
                    = power base sn
                      * (power base info.exp * value up n + (w at Size))
                    = power base (sn + info.exp) * value up n
                      + power base sn * (w at Size) };
        sn <- sn + UInt32.to_int32 sdone;
        assert { info.bb * value up n + (w at Size) = value up n at StartLoop };
        assert { 0 <= value up n < value up n at StartLoop
                 by info.bb * value up n <= value up n at StartLoop
                 so info.bb > 1
                 so if value up n = 0
                  then value up n at StartLoop
                    = value up (n-1)
                      + power radix (n-1) * (pelts up)[offset up + n - 1]
                      at StartLoop
                    >= power radix (n-1) * (pelts up)[offset up + n - 1]
                        at StartLoop
                    > 0
                 else value up n = value up n * 1 < value up n * info.bb };
        assert { sdone <= info.exp
                 by w at Size < info.bb = power base info.exp
                 so svalue_le base spn sdone = w at Size
                 so if sdone = 0 then true
                 else (pelts spn)[offset spn + sdone - 1] > 0
                 so svalue_le base spn sdone
                    = svalue_le base spn (sdone - 1)
                      + power base (sdone - 1)
                       * (pelts spn)[offset spn + sdone - 1]
                    >= power base (sdone - 1)
                       * (pelts spn)[offset spn + sdone - 1]
                    >= power base (sdone - 1)
                 so 0 <= power base (sdone - 1) < power base info.exp
                 so sdone - 1 < info.exp };
        while sdone < info.exp do
          variant { info.exp - sdone }
          invariant { sdone <= info.exp }
          invariant { sn = osn + sdone }
          invariant { in_base base (pelts sp) (offset sp)
                      (offset sp + sn) }
          invariant { svalue_le base sp sn
                      + power base (sn - sdone + info.exp) * value up n = vu }
          invariant { forall j. j < offset sp \/ offset sp + sz <= j ->
               (pelts sp)[j] = old (pelts sp)[j] }
          label Loop2 in
          let ghost osp = pure { sp } in
          C.set_ofs sp sn 0;
          svalue_le_sub_frame (int32'int base) (pelts sp) (pelts osp)
                              (offset sp) (offset sp + int32'int sn);
          svalue_le_tail (int32'int base) sp sn;
          assert { svalue_le base sp (sn+1) = svalue_le base sp sn at Loop2 };
          sn <- sn + 1;
          sdone <- sdone + 1;
        done;
        loopi <- loopi + 1;
      done;
    end
    end;
    let ref lu = C.get up in
    assert { value up 1 = lu };
    let ghost osp = pure { sp } in
    let spn = C.incr sp sn in
    assert { lu < power base (sz - 1 - sn)
             by svalue_le base sp sn + power base sn * lu = vu
             so svalue_le base sp sn + power base sn * lu
                >= power base sn * lu
             so vu < power base (sz-1)
                = power base sn * power base (sz - 1 - sn) };
    let sdone = wmpn_limb_get_str spn (sz - 1 - sn) lu d1 di shift info in
    assert { (pelts spn)[offset spn + sdone - 1] > 0 };
    assert { forall j. j < offset sp \/ offset sp + sz <= j ->
             (pelts sp)[j] = (pelts osp)[j]
              by j < offset sp <= offset spn
                 \/ offset spn + sdone <= offset sp + sz <= j };
    svalue_le_sub_frame (int32'int base) (pelts sp) (pelts osp)
                        (offset sp) (offset sp + int32'int sn);
    in_base_concat (int32'int base) (pelts sp)
                   (offset sp) (offset sp + int32'int sn)
                   (offset sp + int32'int sn + uint32'int sdone);
    svalue_le_concat (int32'int base) sp sn
                     (sn + UInt32.to_int32 sdone);
    sn <- sn + UInt32.to_int32 sdone;
    assert { (pelts sp)[offset sp + sn - 1] > 0 };
    assert { svalue_le base sp sn = vu };
    let ghost osp = pure { sp } in
    let ref i = 0 in
    assert { valid sp sn };
    while (2 * i + 1 < sn) do
      variant { sn - i }
      invariant { 0 <= 2 * i + 1 <= sn + 1 }
      invariant { forall j. offset sp + i <= j < offset sp + sn - i
                            -> (pelts sp)[j] = (pelts osp)[j] }
      invariant { in_base base (pelts sp) (offset sp) (offset sp + sn) }
      invariant { svalue_sub base (pelts sp) (offset sp) (offset sp + i)
                  = svalue_le_sub base (pelts osp) (offset sp + sn - i)
                                                   (offset sp + sn) }
      invariant { svalue_sub base (pelts sp) (offset sp + sn - i)
                                             (offset sp + sn)
                  = svalue_le_sub base (pelts osp) (offset sp) (offset sp + i) }
      invariant { svalue_le_sub base (pelts sp) (offset sp + i)
                                                (offset sp + sn - i)
                  = svalue_le_sub base (pelts osp) (offset sp + i)
                                                   (offset sp + sn - i) }
      invariant { i > 0 -> (pelts sp)[offset sp] > 0 }
      invariant { forall j. j < offset sp \/ offset sp + sz <= j ->
                  (pelts sp)[j] = old (pelts sp)[j] }
      let ghost osp' = pure { sp } in
      assert { 0 <= i < sn };
      let t = C.get_ofs sp i in
      assert { t = (pelts osp)[offset sp + i] };
      assert { (pelts sp)[offset sp + sn - i - 1]
               = (pelts osp)[offset sp + sn - i - 1] };
      assert { forall j. offset sp <= j < offset sp + sn
                      -> 0 <= (pelts sp)[j] < base };
      C.set_ofs sp i (C.get_ofs sp (sn - i - 1));
      assert { forall j. offset sp <= j < offset sp + sn
                      -> 0 <= (pelts sp)[j] < base };
      C.set_ofs sp (sn - i - 1) t;
      assert inbase { forall j. offset sp <= j < offset sp + sn
                      -> 0 <= (pelts sp)[j] < base };
      svalue_sub_frame (int32'int base) (pelts sp) (pelts osp')
                          (offset sp) (offset sp + int32'int i);
      svalue_sub_frame (int32'int base) (pelts sp) (pelts osp')
                          (offset sp + int32'int i + 1)
                          (offset sp + int32'int sn -  int32'int i - 1);
      svalue_sub_frame (int32'int base) (pelts sp) (pelts osp')
                          (offset sp + int32'int sn -  int32'int i)
                          (offset sp + int32'int sn);
      svalue_le_sub_tail (int32'int base) (pelts osp)
                         (offset sp) (offset sp + int32'int i);
      svalue_le_sub_head (int32'int base) (pelts osp)
                              (offset sp + (int32'int sn - int32'int i - 1))
                              (offset sp + int32'int sn);
      svalue_sub_head (int32'int base) (pelts sp)
                      (offset sp) (offset sp + int32'int i + 1);
      svalue_sub_tail (int32'int base) (pelts sp)
                           (offset sp + int32'int sn - int32'int i)
                           (offset sp + int32'int sn);
      assert { svalue_sub base (pelts sp) (offset sp) (offset sp + i + 1)
               = base * svalue_sub base (pelts sp) (offset sp) (offset sp + i)
                 + (pelts sp)[offset sp + i]
               = base * svalue_sub base (pelts osp') (offset sp) (offset sp + i)
                 + (pelts sp)[offset sp + i]
               = base * svalue_le_sub base (pelts osp) (offset sp + sn - i)
                                                  (offset sp + sn)
                 + (pelts sp)[offset sp + i]
               = base * svalue_le_sub base (pelts osp) (offset sp + sn - i)
                                                  (offset sp + sn)
                 + (pelts osp)[offset sp + sn - i - 1]
               = svalue_le_sub base (pelts osp) (offset sp + sn - i - 1)
                                                (offset sp + sn) };
      assert { svalue_sub base (pelts sp) (offset sp + sn - i - 1)
                                          (offset sp + sn)
               = svalue_sub base (pelts sp) (offset sp + sn - i)
                                            (offset sp + sn)
                 + power base i * (pelts sp)[offset sp + sn - i - 1]
               = svalue_sub base (pelts osp') (offset sp + sn - i)
                                              (offset sp + sn)
                 + power base i * (pelts sp)[offset sp + sn - i - 1]
               = svalue_le_sub base (pelts osp) (offset sp) (offset sp + i)
                 + power base i * (pelts sp)[offset sp + sn - i - 1]
               = svalue_le_sub base (pelts osp) (offset sp) (offset sp + i)
                 + power base i * (pelts osp)[offset sp + i]
               = svalue_le_sub base (pelts osp) (offset sp)
                                                (offset sp + i + 1) };
      svalue_le_sub_frame (int32'int base) (pelts sp) (pelts osp)
                               (offset sp + int32'int i + 1)
                               (offset sp + int32'int sn - int32'int i - 1);
      i <- i + 1;
    done;
    assert { svalue_le_sub base (pelts sp) (offset sp + i)
                                           (offset sp + sn - i)
             = svalue_sub base (pelts sp) (offset sp + i)
                                          (offset sp + sn - i)
             by if 2 * i + 1 = sn
             then
               svalue_le_sub base (pelts sp) (offset sp + i)
                                             (offset sp + sn - i)
               = (pelts sp)[offset sp + i]
             so sn - i = i + 1
             so svalue_sub base (pelts sp) (offset sp + i)
                                           (offset sp + sn - i)
                = svalue_sub base (pelts sp) (offset sp + i)
                                             (offset sp + i + 1)
                = (pelts sp)[offset sp + i]
                   + base * svalue_sub base (pelts sp)
                                            (offset sp + i) (offset sp + i)
                = (pelts sp)[offset sp + i]
             else i = sn - i
               so svalue_le_sub base (pelts sp) (offset sp + i)
                                                (offset sp + sn - i)
                  = 0
                  = svalue_sub base (pelts sp) (offset sp + i)
                                               (offset sp + sn - i) };
    svalue_sub_concat (int32'int base) (pelts sp) (offset sp)
                      (offset sp + int32'int i) (offset sp + int32'int sn);
    svalue_sub_concat (int32'int base) (pelts sp) (offset sp + int32'int i)
                      (offset sp + (int32'int sn - int32'int i))
                      (offset sp + int32'int sn);
    svalue_le_sub_concat (int32'int base) (pelts osp) (offset sp)
                         (offset sp + int32'int i) (offset sp + int32'int sn);
    svalue_le_sub_concat (int32'int base) (pelts osp) (offset sp + int32'int i)
                         (offset sp + (int32'int sn - int32'int i))
                         (offset sp + int32'int sn);
    assert { vu = svalue_le_sub base (pelts osp) (offset sp) (offset sp + i)
                 + power base i
                   * svalue_le_sub base (pelts osp) (offset sp + i)
                                                   (offset sp + sn - i)
                 + power base (sn - i)
                    * svalue_le_sub base (pelts osp) (offset sp + sn - i)
                                                    (offset sp + sn)
             by vu = svalue_le_sub base (pelts osp) (offset sp) (offset sp + sn)
             = svalue_le_sub base (pelts osp) (offset sp) (offset sp + i)
                 + power base i
                   * svalue_le_sub base (pelts osp) (offset sp + i)
                                                    (offset sp + sn)
             = svalue_le_sub base (pelts osp) (offset sp) (offset sp + i)
                 + power base i
                   * (svalue_le_sub base (pelts osp) (offset sp + i)
                                                     (offset sp + sn - i)
                      + power base (sn - i - i)
                        * svalue_le_sub base (pelts osp) (offset sp + sn - i)
                                                    (offset sp + sn))
             = svalue_le_sub base (pelts osp) (offset sp) (offset sp + i)
                 + power base i
                   * svalue_le_sub base (pelts osp) (offset sp + i)
                                                    (offset sp + sn - i)
                 + power base i * power base (sn - i - i)
                   * svalue_le_sub base (pelts osp) (offset sp + sn - i)
                                                    (offset sp + sn)
             = svalue_le_sub base (pelts osp) (offset sp) (offset sp + i)
                 + power base i
                   * svalue_le_sub base (pelts osp) (offset sp + i)
                                                   (offset sp + sn - i)
                 + power base (sn - i)
                    * svalue_le_sub base (pelts osp) (offset sp + sn - i)
                                                    (offset sp + sn) };
    assert { svalue base sp sn
               = svalue_sub base (pelts sp) (offset sp) (offset sp + sn)
               = power base (sn - i)
                   * svalue_sub base (pelts sp) (offset sp) (offset sp + i)
                 + power base i
                   * svalue_sub base (pelts sp) (offset sp + i)
                     (offset sp + sn - i)
                 + svalue_sub base (pelts sp) (offset sp + sn - i)
                                      (offset sp + sn)
               = power base (sn - i)
                   * svalue_le_sub base (pelts osp)
                                        (offset sp + sn - i) (offset sp + sn)
                 + power base i
                   * svalue_le_sub base (pelts osp) (offset sp + i)
                     (offset sp + sn - i)
                 + svalue_le_sub base (pelts osp) (offset sp) (offset sp + i)
               = vu };
    UInt32.of_int32 sn

  let wmpn_get_str (sp: ptr uchar) (ghost sz: int32) (base: int32)
                   (up: ptr limb) (un: int32) : uint32
    requires { 0 < sz }
    requires { 0 < un }
    requires { valid sp sz }
    requires { valid up un }
    requires { writable sp }
    requires { writable up }
    requires { power radix un <= power base (sz - 1) }
    requires { (pelts up)[offset up + un - 1] > 0 }
    requires { 2 <= base <= 256 }
    requires { 64 * un + 7 <= max_int32 }
    ensures  { in_base base (pelts sp) (offset sp) (offset sp + result) }
    ensures  { svalue base sp result = old (value up un) }
    ensures  { 0 < result < sz }
    ensures  { (pelts sp)[offset sp] > 0 }
  =
    let bits = wmpn_base_power_of_two_p (Limb.of_int32 base) in
    if (bits <> 0)
    then begin
      assert { div (64 * un + bits - 1) bits < sz
               by power 2 (64 * un) = power radix un <= power base (sz - 1)
                  = power (power 2 bits) (sz - 1)
                  = power 2 (bits * (sz - 1))
               so if bits * (sz - 1) < 64 * un
                  then power 2 (bits * (sz - 1)) * 1
                       < power 2 (bits * (sz - 1))
                         * power 2 (64 * un - (bits * (sz - 1)))
                       = power 2 (64 * un)
                       so false
               else 64 * un <= bits * (sz - 1)
               so 64 * un + bits - 1 < bits * sz
               so let d = div (64 * un + bits - 1) bits in
                  64 * un + bits - 1 >= bits * d
               so bits * d < bits * sz
               so d < sz };
      wmpn_get_str_bits sp bits up un (64 * un);
    end
    else begin
     let info = wmpn_get_base_info (Limb.of_int32 base) in
     wmpn_get_str_other sp sz base info up un
    end

endwhy3-1.6.0/examples/multiprecision/get_str/000077500000000000000000000000001440160026300207375ustar00rootroot00000000000000why3-1.6.0/examples/multiprecision/get_str/why3session.xml000066400000000000000000005741241440160026300237740ustar00rootroot00000000000000












 
 
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
  
  
  
  
   
   
   
   
   
   
   
   
   
   
   
    
    
    
    
    
    
    
    
    
   
   
   
   
   
   
   
   
   
   
   
  
  
  
  
  
  
  
  
  
  
  
  
  
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
  
  
  
  
  
  
  
  
  
  
   
   
   
  
  
  
  
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
  
  
  
  
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
    
    
    
    
    
    
    
    
    
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
  
  
  
  
  
  
  
   
   
   
   
   
   
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
   
   
    
    
    
    
    
    
   
   
  
  
  
  
  
  
  
  
  
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
  
  
  
  
  
  
  
  
  
  
  
  
  
  
   
   
   
  
  
  
  
   
   
   
   
   
   
   
   
   
  
  
  
  
   
   
   
   
   
   
  
  
  
  
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
  
  
  
  
  
  
  
  
  
  
  
   
   
   
  
  
  
  
   
   
   
   
   
   
   
   
    
    
    
    
    
    
    
    
    
   
   
   
   
    
    
    
    
    
    
   
   
  
  
  
  
  
  
  
  
  
  
  
  
  
   
   
   
   
   
   
  
  
  
  
   
   
   
   
   
   
   
   
    
    
    
    
    
    
    
    
    
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
  
  
  
  
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
    
    
    
    
    
    
   
   
   
   
   
   
   
   
   
   
   
   
   
   
  
  
  
  
  
  
  
   
   
    
    
    
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
    
    
    
    
    
    
    
    
    
   
   
   
   
   
   
   
   
   
   
   
   
   
    
    
    
    
    
    
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
    
    
    
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
    
    
    
    
    
    
    
    
    
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
    
    
    
    
    
    
   
   
   
   
   
   
   
    
    
    
    
    
    
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
    
    
    
    
    
    
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
  
  
  
  
  
  
  
   
   
   
  
  
  
  
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
  
  
  
  
  
  
  
   
   
   
   
   
   
  
  
  
  
  
  
  
  
  
  
   
   
   
  
  
  
  
   
   
   
  
  
  
  
   
   
    
    
     
     
     
    
    
   
   
  
  
  
  
  
  
  
   
   
   
   
   
   
  
  
  
  
  
  
  
  
  
  
   
   
    
    
     
     
     
     
     
     
    
    
   
   
  
  
  
  
  
  
  
  
  
  
  
  
  
   
   
    
    
     
     
     
     
     
     
    
    
   
   
  
  
  
  
  
  
  
  
  
  
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
  
  
  
  
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
    
    
    
    
    
    
   
   
   
   
   
  
  
  
  
   
   
   
  
  
  
  
   
   
   
  
  
  
  
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
   
   
   
  
  
  
  
  
  
  
   
   
    
    
     
     
     
     
     
     
    
    
   
   
  
  
  
  
  
  
  
   
   
   
   
   
   
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
   
   
    
    
     
     
     
     
     
     
    
    
   
   
  
  
  
  
  
  
  
  
  
  
   
   
    
    
    
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
    
    
    
    
    
    
    
    
    
   
   
   
   
   
   
   
    
    
    
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
  
  
  
  
  
   
   
   
  
  
  
  
  
  
  
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
  
  
  
  
  
  
  
  
  
  
  
  
  
   
   
    
    
     
     
     
     
     
     
    
    
   
   
  
  
  
  
   
   
   
  
  
  
  
  
  
  
   
   
    
    
     
     
     
    
    
   
   
  
  
  
  
  
  
  
   
   
   
   
   
   
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
   
   
    
    
     
     
     
     
     
     
    
    
   
   
  
  
  
  
   
   
   
  
  
  
  
  
  
  
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
    
    
    
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
    
    
    
   
   
   
   
   
   
   
   
   
   
   
  
  
  
  
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
  
  
  
  
  
  
  
  
  
  
  
  
  
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
 
 
 
 
  
  
  
  
  
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
   
   
   
   
   
   
   
   
   
   
   
    
    
    
    
    
    
    
    
    
   
   
   
   
   
   
   
   
   
   
   
   
   
   
  
  
  
  
   
   
   
   
   
   
   
   
   
   
   
   
   
   
    
    
    
    
    
    
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
  
  
  
  
  
  
  
  
  
  
  
  
  
   
   
   
   
   
   
   
   
   
  
  
  
  
   
   
   
   
   
   
   
   
   
   
   
   
  
  
  
  
   
   
   
   
   
   
   
   
   
   
   
   
  
  
  
  
  
  
  
  
  
  
  
  
  
   
   
   
   
   
   
   
   
   
   
   
    
    
    
    
    
    
   
   
   
   
   
   
   
   
   
   
   
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
   
   
    
    
    
   
   
  
  
  
  
  
  
  
  
  
  
  
  
  
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
  
  
  
  
   
   
    
    
    
   
   
   
   
   
   
   
   
   
   
   
  
  
  
  
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
  
  
  
  
   
   
   
   
   
   
   
   
   
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
 
 
 
 
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
   
   
   
   
   
   
   
   
   
   
   
   
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
    
    
    
    
    
    
   
   
   
   
   
   
   
   
   
   
   
   
   
   
  
  
  
  
  
  
  
  
  
  
  
  
  
   
   
   
  
  
  
  
  
  
  
  
  
  
  
  
  
   
   
    
    
     
     
     
    
    
   
   
  
  
  
  
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
  
  
  
  
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
  
  
  
  
  
  
  
   
   
   
   
   
   
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
   
   
   
  
  
  
  
   
   
   
   
   
    
    
     
     
     
     
     
     
    
    
    
    
    
   
   
  
  
  
  
  
  
  
   
   
    
    
     
     
     
     
     
     
    
    
   
   
  
  
  
  
  
  
  
   
   
    
    
    
    
    
    
   
   
  
  
  
  
   
   
   
   
   
   
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
   
   
   
   
   
   
   
   
    
    
    
    
    
    
    
    
    
   
   
   
   
   
  
  
  
  
  
  
  
  
  
  
  
  
  
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
    
    
    
    
    
    
   
   
   
   
   
   
   
   
  
  
  
  
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
  
  
  
  
  
  
  
   
   
   
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
   
   
    
    
    
   
   
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
   
   
    
    
    
     
     
     
     
     
     
     
    
    
   
   
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
   
   
   
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
   
   
   
  
  
  
  
  
  
  
  
  
  
   
   
   
  
  
  
  
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
   
   
   
  
  
  
  
  
  
  
  
  
  
   
   
   
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
   
   
   
   
   
    
    
    
    
    
    
   
   
  
  
  
  
   
   
   
  
  
  
  
   
   
    
    
     
     
     
     
     
     
    
    
   
   
  
  
  
  
   
   
   
   
   
   
  
  
  
  
  
   
   
   
  
  
  
  
  
  
  
  
  
  
   
   
    
    
     
     
     
    
    
   
   
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
   
   
   
  
  
  
  
   
   
   
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
   
   
   
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
   
   
   
  
  
  
  
  
  
  
   
   
   
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
   
   
    
    
     
     
     
    
    
   
   
  
  
  
  
  
  
  
   
   
    
    
    
   
   
  
  
  
  
  
  
  
  
  
  
   
   
    
    
    
   
   
  
  
  
  
  
  
  
  
  
  
  
  
  
   
   
   
   
   
   
  
  
  
  
  
  
  
   
   
    
    
     
     
     
    
    
   
   
  
  
  
  
  
  
  
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
  
  
  
  
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
  
  
  
  
   
   
    
    
    
   
   
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
   
   
    
    
    
   
   
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
   
   
   
   
   
   
  
  
  
  
   
   
    
    
    
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
   
   
    
    
    
   
   
  
  
  
  
  
  
  
  
  
  
   
   
   
  
  
  
  
  
  
  
  
  
  
  
  
  
   
   
    
    
     
     
     
    
    
   
   
  
  
  
  
   
   
   
   
   
   
   
   
   
   
   
   
   
   
    
    
    
    
    
    
    
    
    
   
   
   
   
   
  
  
  
  
   
   
   
   
   
   
   
   
   
   
   
   
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
 
 
 
 
  
  
  
  
  
  
  
  
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
 
 



why3-1.6.0/examples/multiprecision/get_str/why3shapes.gz000066400000000000000000001313641440160026300234070ustar00rootroot00000000000000ُ98^f
vc6И~YkCLsg̐ΫpeH"%<|
o=oěƼహNݍ֛ǯᙽϜځxj;
v>Pa6	/w@˛߂߁5#m<}{f;+^l<{s~n¹!.7!{i5kqm޶x x~&>Lky7Ov@e-_iV(6IԺdyx=3~�׻od0f72 08fھ@>,TAݗ(p췻3޼h>aV6'*֥(
|ӭg1ށCtzPgmi8f=yaa]}-Kj?PpQ)̟]MfCݦDhS`)F)F	=;3vWQ0pubTpâq]sJʚ?dsQf`t޲f%wM}F#QH/3a.OSV1NBM%b81uL7'1/%hsV99+؜_X%Cy'.)o~9ݜcu
Ɩx[:O;\ep]-qݿ̷[sT(&V?b3p92x-f_<ށqU;\!Sux{a)x֛O%Ƅ#jl=?nߛE;z'}'}m;/ f{x-t`}7S)zKVD+wϛ?:sƷ7h{IVoF޶9=߿ׂu[ON͒y=1q8bﵘ79JԏA9nc69m>8xǾl_$V@M-}=,hfDŽW@Kә>[mhs~l.dpξs3w&s,e~(vvrMp؃ljG<UmۖۑV4\Wqu#/Ll,/eEXdۡ\eC4Լ-M[}~	U>YɇYb}o
Dw6,hl#-GNgvtc~qnf-܄FrQڜ"|8H(mvhCA/wsqȠ{K鬏u6<"?+$gzMFwv9|:ds>\O˒
_*9}]X8r"=/H,؇#+,l/C͂n~X*7Ij-xgԬ'p\G(fQ2wyzyE<Fo6vl1n6#;>>&!;j
ZJʥk!rntof[.C~SHc!3)rvŊ[ia"ݛW}3YQ!Ey̟Nذ^(=GU@,S`?4:+3dRx
ysz9e,q8I~me[3v8{
͊,V4TT^7.Ep0Hzm١bz;)wC;j;4]烸Ȏ״ώkKK^-P]$: Y}!^f	Y"4)D4"?Ύ%?I'Fڮk:6RivOP;t*b95%j{Zo&Ad<|x}S'EFE;ƇtDhZ)=tULK{1gn_ryUs-DI8%{۶UuV[4loBnN:UrGaWbT-׵煹w.tla@]N3䁠h(bg<}jz[gvY*[蓆4٭EOGG!ZX]ÙI;
ȑќovRv: ;;ЅDG-TG'ҡY.'cƠg&K\^y8B?|ȭXzědfs9.4{
i5Z3bC(o]Y63+jϷǐc_⒴8y%-U^CWr~3*J_m(RgEA1x-
[*ym|-顏Zou[c/+ӺoߍjOL?unIoYWx9#]A% RlftK>N&33vVi̟ܜš{a;BsdT
B^/
puycx=y?l芇*Sg&i}r
ܷP(vؽ`t|·w=EͻC>:<ʠ\`lWVtvhxľ)9"%(&i'\,cj{1t
˜nF

d
{3#ȁvΜ p
|ǩbcsI_ъ{w)wUij;sijbyhK"(z55Γx>ℨ`ڎ3q̣#9xS?Tg>E:Km*ե(עp6@{eW}AJq>O]81&{.{칡z>Z'.nzƜ	|{ZU:ZuUEq,N=a_wj|Iw(lƱ9vg`u'J9Z7g/:ngWzr8 4hA(;VRy`czW?Ds0fcMcB2P8^Kkf'sO`QA!}ٯ߂i{w5*=Jόz}<6/,zx-b~htAEp+Rmd\×:N0ꝢE!%v_vYW-i.W~(]F~Gp^~WlXg\l뿪NZ =-ޒtv]?waK8M^wW|_g	ڌVSMWtLޚ/<u/ hN9L^>bEu>4‹s:J	/76Fގ+pƹJקuqǤ!pGlr9Y#ϒyz&2{Eؒ#=ΓȜ\DlG.XFFmc]FO2k0[wMz9yvn6Cvގl}Waw63ץ>EϭH/ɶmFs]X`\d\\g}EWG^MĦfsl"6u4'x,v8m6⇭X~j>n:<>_رG7tσ$y;Ub"-?W`=M#rJ_z{;E.gddt#A}kO#Gsfw`p簊{)FhxWsPɿhY'=^ݩ5z'F`y<kBsq:AzR9nڜ|1[,[L; pNfmsU^4W5|0/v*(K{MX@#$~75Z4xD+{*&7،]D]{B˟|D-%9w_V\Ҳ6j}=c)klzdftf#)ˑtB1>9E,diFq)S]Lc5Czq=C0=V'RzCK9v$s)3r}઻>Ǘ]f4&vfI,k~NdsD0&묊4jwͷۃE
}FPP{ryN^e\	.>R-]-S[!w?be-y@'݃ 	Er$3o_qIf
@PȻn[G[ݴkKF/ik&̖|JE&6t4go)&am܏LGP*fڇ#ZB܎h.(N.|X5ŸLCTrp:u71?ųQxgxQx[gϟVN(7|ŵJx'jpn#SC#ҵ٪ʷ{H`>/#Ü
2dg'wo?
{D3kCW-Nڇ;uybߜZ8n[zyVIos9upٜ"mZ4=/5.m?0oO>>33ntѦ+g:xM1Bnmhom+(WVw
96"oǘ;J3֢3Ma0ڗ ]BO˞#a;PvYJ6S&="0W
iiQe0O
}w1]o0yqVdƇe'd13x]*2Қkl'?nގTN{R_wtf갥xWce~OZusOa]⢖_Y0nǾsߛyÞr؃co;.^S؜QoNft,Oܣji\2h,+uuB?71.ÅElzi`jfis(^RceZD;baA11U;y%?͔}.|ٜM6ev}ԣ%M?d3&I{%jtS	e	02FbHۺ9-=jO,vvDu*^Hi'H>1̞fYFZB'韜[H\e2w4_&"[bY^:كi&o3՛%\''pwn4tpAVtrœ?!T&o
ofC+p۶6#RoPər,9-b|l	;_B4dߠ?>|7N¸#HZsa+:]ZI1ϓ1VV!Q-<U8[v[VL[LK;-b )_(P8P}ve=ۯ鹽Nȏ!Z^ѫl*_`ſ}_deM&WNX-mE9tNŨ9u)Rw@~T;c:(yR/98_)sSJ._̿WȆ 	܄%~U5zPx$ǭAb=*=$?;$MKRp/7sv*~&9Kȸj:Od&›is6\Ǭ^̴{cs__VakM|
>m~~M*@A³y~Tgzn\	Ɣ0)ԥ4vJt	C7*~SwpGnHJ%=66l<6-,|!mTp$ml-#Yk5ɒKx66)&^7ٙ[вor6߅so#BچR1×]ǴEņ47,Z9C:}Q~;1
#ދDzȨ53|COU{U"ߧꘇ7C6asǛyshIǚlg$&%Xw9cִ4Lc4YWg1QvfDG9	֜%\]t$_6Jo똕:âϟfٱuAǶ)z6$$nlboiGm_]x;1)˼v%Anl}?nVtG9mmd*⁹Xʾ_Kx7
pN@=a'|	o^7?dWHM9^9.\6.Ks.Ct\rH[-U!
iUH/G!upK{ڜ5w{ѵwލe(w ڇOO?YCݾ{~k==k7Ӌ֏CuM
ѫW=ڙɮv<
M;xj|,6AH̖V]f!h־.G.բ8֬"	NJ
ҹkђ%$~E
*0,PwbAܑUAL"UwODz-iڒ2بvKv,!KhG3[mN2SP0!rvq^ yôCÁǛACIX>s]lYllRVc
nݼyM*(sTvSnKs5yp:_ˡa Pl>mJڲ}EnfVUxFo- ceVʍTOQݷQ}5T/y,ֻs]F󯍉*5%:5W.06P,U}z-,t.daˈF|uB>xƧk3F ==t<6|$\bg I'Z0zW.\uUZY1|gNXL`l}SQs;
]uwx_2IVvtO}2`[[iwEˌOf~#(4MY==>IOkw9U٬9	OMzfJpx7GXOۡV}Bh|M6ўO.vV۰{:bq>LXNͽ!u4HIs*8Æp=ܞ
HpH`Y(Qa\.ߌu$rrXwEg|1FU
~eV۰QnWUɐQ4γ:(f+vz6atsD7HyN\smm܅{=럗s팾}YutL4T`敂_1is
ǻ_'}M6fWЮx
Oߛ0]Y.?|s3LV^%?UwT	CTԐ}\k%;^u^d*_doUWg^=xU%ZЦ3T]z,!IgZ5[ԕasi

y}HUYAoډK5lj+aF8I*7VZ+_j8En3c晬tCy"BY+C*ePۖR&nIyռH_M*9󱧃--ǒrZF*h=d@=
BU<xlL1FfLOQeOre_HS[]8t2N{+ŝ_t9zJ,0E̞[zl3ZbXV.A$pOį L =S<(O֓ST>JSɓ:NRa4c9X$ңyHN֝ٹ"ֿvE>/H~NlGFIKḜc̢Sڤ:_qGBH>}s?`0~r	/e,Y[hÓ]pz9%AJ=YevCaK6eyhiU塻?:tacj2KI^87cp+3"M>F~T;qhRl&-}<|efBAHٮvE,á%l/6̤2J6hSŏ#n[wnn]^ywue&_Dԉ72)^d"_SP{,ΧU|FICDVJN%\sv
z8?mRVMYnrr}y)_;;=
BB38lmV??P;uJw͉n1}6r;e݀#ҁNQy*n*/=	X=GaՆ 5??K_
vu]ܭ[۔uǁ͡릱"\P0]\s, cV,̼ë3iy&T7?ذhLYͿ<[@cG=jؐuBڷq]`x2~<;`S	6-ai}[*˲vxD)=PBE/b"gRH8ߗ7li|4'v-yWqQ
ʬ[:N]kX'J%UŒ-Z.2r&]G(UFT%7su*s'GRE-:>2pGF7k	oUp
P)3MNkRY[v[mo𫾝{
gDoA}ՙvbr@Yc*`t^mFĻE}>pJX]
aN=N	N\ލĨ|Y;n:ou
v=/qw;a$RfQ&vWvҘ]DR!%hhh@ ڤ
8YoNHLeH%ã0/qͱݍ+m\(۾	yxF&l`^WT>6~[ӢeQ7-ԝg*"vX9߼d6πo-1QZ{dwu&bqWgmʕt)5!f/;I#!KCepQJSOca#`K(}Ep#33,HSVes?Xo̫۶tFF+]>G$a_fty)Wr郎$=M!7	-?(-E~lZ./t\H[|]-ph}~n[eLef5g
O4}
,u;>hMA(=m|Lhy֓As6P\1&v*K3x,qxUۼgãӥ}Sj!~zjs]6!sGUӳc6e	2G-cYkϰGbP#$MWA&j>
[\(2e\q0
L.JhdDžIˌ"E-Ol	flt-g^E*ќ=%LII?N>vj#QViU굒ߍ~5ȹHMu/զw5%䂥rgg2Ged>vō¡EzX-ekSĠ5;qůD2Ȣ3#'}~vN?'}^#{tm#^'ẀnوHkkѬeKY1WKA9`<'LH:rhp3m14e6J2Rs8ߖ_D
D822Lb:Ρsҕpq9@S~(krQ}VxAѸ{ĝaW`d̥LgI̎,`z,;rNFɺds*~ىg\34?댫2e8D:&2㸮rڒ3X#oT$aÚ窃n\d^+z8yU.{1\"縌^g+3fˠtccMovGPBĬJjH]*7u+`Nӯe+gSTzJ{u#t1)*Z3Qc7)JM1O,D472b9G#F8ϙ*/uy3jQ7pEϭ _pܿy=9NNLcg;$;g*1r9pr_^ؼNs3kʸȔU&D6S&^zMusYϪʻZɿ$S]%^ReݏvwS·'SO[=\I~5Hkgw4TY_i]߬~O+7=w}ۻ?WBPME	
.̺iܣAhƕl)Gyl.M{ҏxhp@ktscf㦧E
JrKzZf?zzC-鶫m7V_FhJ1hn{'6.ڶ~h:${0%V}8-EGl	9`b.8;禸>0 ؾ匕&>M!guSUj&l`ނj2$~|YE?~n?>ZVnD]"_j2]jXhեB~^|]fjo7~z?.
TdIǑe-6Uɓ=ߖ:@kêAi'{}m'G@oNPZ=R<ٜ7cQܬh/)'Hw&	:WU9tMϧ2>ΦΦ%ͅL.'v>N{:̧q̀ONțZWҞEM|ԱHm6HJc[o9Mgֵ[8,i>7c|‡&N4UC;S-d>m	bۛՆY'Wn;rC4Ro6llaa-i횒bw[0N"˴ϩHDquI'տՎtwwzAonnzں9jD٢_tS&vޢ f~nO!^/9%P5ճGtnq{ێ4kKƙˬOyt&)W_dMn_+pX3:F'q'.P}(,:
6hƃViO}ҟ'I|'|ŸЍ28Ε6TzGT3-Q
f0IH=
XP)$k>.:*1HV(͢T:IpOX0Dt^s
_A"ke-cl@
G&3iGZX}X3a#&&x"l>Hɥ
ELcI((D&(
D"A"@x8	1
&TQJHU"j)`Q+4:п\kXRP}R5	b+"$wiazW}Ҫ[rv"Ǩh
Dq(%DfE{<50`U!WuNS1B!a@!SUBK3HyPF1biMLs~cչ/Xñs!AAr"/AqҬQ:o-R^EDlZ[r-xhAH%܂a]%JҀYeK
>f\>	j<5Yao(5 lI%x9+	o!6xUb`cHdHdJJe5dlp9l$X#FNZ1H73>ݙ.c0*q	c/ydIB= W[G^&4RuI:ʠB\aXD@^pF=Q3
^V:g	Ӣ^ћ&BO[	5JH`B}8[zJTrLrVL,[}>)_V
!{@ăDI*I3)рB
$*#X`2`hէSI$#HI+&ijc@+m&<[k&zH{%mtɲE*lj
UŕFB0j^
E:"c
:gԔ-E]LƼ'2h17!ybOHr|>bzYj0R2
4XGs08:Bo@1mu"sJ
1ƪn@2,:`z(F<\
ŕ1ޯvAY,ŠLPΕXKB`]Fs*Pl)%v ta'鐂J$3H-cd%OVԳP&
bn2dxqZJEV}RuX!h0G	U!Z_."[XA|ڙD7V'ue"FO14$T\{@Pf"+;CEeh\5q9Mi
)6\p$TePU89	XA)WJ:@~$2*i&FQ,1+˃2_a®L$U(`lfR2"Z.4>`bpdсG"(	J*lc&-Qs:vKGoiյriy	M8"0CVFm0ઃAZoWD(p0OD^mibtq40pn#KX*;LeB	ymAQ!@%Xa`

Yk,OKڠsK&`86`P vMPf2+*A#K<Q
ZW2Vuf$asPx*8`naVoX`GɧD1`.LꭅRRQTO&K?KZS V1fL$ͧ&!X 7kAD!ppg/FO{_9&0GA	
12^IMɁNJfȀ%
^e:sRA#pڂUP6
aLM-:AŨ^pKGO&iqr5RpipMYMg;NIJ4ڂnjįSB[PK.'ںtgJ?/	6DV2J2ro16
L5aO:Ҕ"JqR#)pf0svɩr`@8Aao*SZ4#QF^"LgH؀@ȹ׎"FE#gEl#	T`j1;+2hnyp^aQ+bd0)kAXYPČH`=ؕY&T#)@ĭnO1)"Q8Hƍz|28M@	iFđ]
z`?Zy#
т-Jsrb𼊓HhRMcUpY3'ځN	Sa6@zTy 2OXO{Qȕp*#Ez&FNo0i1H3%̫l@ü&+RJ섵SV8F*x;amLɉ׼_|E>S
'qAQzB#6_D ɹ (b*DW2hKa"J;TUH2	)D?U($H#&:XZ$[%Se;`q+bJx*OWZQ{ƤTwZLT41RQcN{` H蕍נ
bAkG)5Lb+(*+u`&tQ
-%ڣ~5U^:5Tl`Q.
|^U;	[|eWD2A(M#]`XH+CXWJ$gry\Fp	BxM_-eBI
d˃@3E/A3V#jC^LxӒ
tܬ4Bw[ť?E(2QP0
O	)Jsc#B?tV+;)c܁QDj*#2J#N	tݣD1hL
	=JV1"c`5-̢TEU$TGҰD
+9)WA+PH%"
4N	B`mtNR~@Ҁ5RB9'u:)-K(Hf^f+փ񎤦 0nm@>5&?E3MhRpUt
WԲYEkpFD83V;΄KɜY^_0msKT~jʠyMW(
p%"1'`:Tw?4`<4
{-(xY]L&CD4*urXpT:_"-k!.*J%$8.*֟`R&zmǰ-Q3e]#`RqB"R¥k.,x҂H%P]+F:M
/4>hpʌ@}ڷ xS@)̈́9hiT>K.QL4R+nR2UqϬVp	J jjתjUnä#Uk)!yz];A+Z[1(u\P|~$R
h^+:UVҞѐI|*/xM1RS
dmmO[$2,gxt%^onH:ʄrsk'qGx=:@Sb8b7ZZя3xpPQ	L`*5V8Rxu>n(rr/V0`@96+=g*4	CVP0\9;gN8snL
|TXYS54]tn>D!XTihlae)&hMWubJ"D4)8Az'+]~@amKƑ4pYrM~+nP@u
E=$eTFzMGpL3\3)S|(7@P]э+Z+[OrFi)-BjK_[Rcb";yE1}dv+u+JYcXyM#`+b:!+l~tǬgV*b%J53ҖK+6^aTa4+GY$.pRN{LfLf3_8ൈ"Ea^(*l{951(MdGJEqp&kkXL(+Z)OSM՚BZhrX	&|5JzcJi[p|ޡ@+uI:ji{^^d֧w=N-S_""EVS=$LjW1rH
HtUS=)iO>GHe=erWsmQz
!6r)@;D	+uGbbOTPxVHm.[{fzITZ

gQ\{KZ
+ATCUN2dU6eIu-D4f;Bw^~^=MΈ(P#[4a\Bd?3ٹ!Ts#EϑMPVy$HhRP`6:z\~3KJ)DEGb(YN9r\S&ˑDc"ʅZ8xc2u1p嚪mʉWQIy@	)i_YHr:P04UuuBiS/G^xUXHu:F`rDVv\)Di@_j
MIFWn\(ԸhsѤd1_vQD^ݥ5G\oh<88؈&Fˀ22 \9sCBɵRHG*NQٗ)r;O3wHhIa8dĨfKO>:n%TG z+S{‚\16?mӁ:q=Z,[Bh`:	AQB}ʭg-
J#IUIaR(fC<+rYp)ƃUn*ʵeHOuѦʭg-ig00972+ ],e+G1k4hi8CvzJWb(bdsBaցUkB^]X9D5vi-'""3'	|WZ}s^ӂ(*J`BJ//X<2(ВKY`t]h
X*`iԦQ+3!ɅRi-RئZ"3"
o:AEE3X[
k%AK"{
"da1V'F.(Hӝ2uf	M[9zC$FE
b^	zk
ZjXAe*iAͦ{)+ifDY$NhM5R-OX1ڛTOr
0 rWݼLJVTi1OY8}T{M+
ID&hSy,V&A+)s|y)Rk
╂d)a0iH$b',	Y)8ZxjYp	}62HW
A܁㬈aB+,FL񚂬b4W8luG2K
W!°
N5UWM92	iq b$IבȊrR 2؊(36bN]zi:pqS) AYl3^[lMERq|hr,
!fT)GY3yd*!{mg>t(dV@7 QXYJrǁ\1]N+H0vUJ΀!V.]KcHpef{XXIG8#JtVyҲ0j
X|1Gt;h$S;~MRrbZۂ@i&9^4@PE[Di`>u)OGPMeRĪVY(T*1FZq!Vja4 :*"}5JhRi֞ÆLq0@p5Yu[@cly$Sbm^||a"EqEYi5R5YyXV"1/"\BbMmR hWOډSed	nO`02RL`ԺWsڤN Șq )M9B?*	IkJ=ah4rm)ipZY
n/W\.]>0m%9	j'4,+.$dĢb<\!EPK
vEె&;r(QdTm'VHgzN#x`bxC@RaAmaj_b_q6	f$^ 6`Bq盵BKegd6YQDJR{fC=O9+;.9cp.b+.tň:`p,ilL{鮚JKphצqZ!3x!4!P{rnrc;d*XC%6B-~#?j2>RiGN-h9z"_g|f`5|NR0uPa!!%(N*twھ^]i_;q%enxzi=xVωwΚki!D&n
ݙjlבq9X`̔CjX1B>3{7LI<@QmM&2k-n|JQ^cҜJ$Shs,d>2p&
Ȱ^VD͕yX']#ø>zEs=&Y~RN4,|g7*'CԞ{ГNT'm
 vjʼLo;=(]%0"+Şzlى6B뙐vf~65l {S{B31 :`U:uÙR]%:4g5eP:u`qX&Qy'ΈevBS&(̉!(VZ	hy:dމ;9kOeTp?
5w=\I0Xtп;qgg͝ư Tu2i-+8î#^vvV9w@ΰ)W%qm8FGYJ^GF	clj/.Ghlk]ذ!pz:(5>ZXZjoݗX3ԯBEx̭䔛jF?d$?$B24uȩzAǶZ$!-cJnC1kgzAĤ#MTϠ*W_Y1iʙ˴%cѱ6[I/եS3)tnU*|X]렮4u?&KUvj$wm\gW}XIc"I1\iU%25?&n+h9vG|K=Mj\EQϘ	1~f_;'jk{dPKXD<~\}6OV_yFEk+L4s'9 .=M6}^Tc"XHLg5:eK h7n= ,}C&H47O]gI^zشSP-ϞUHg:޺YhbS9tf^bI?^BJ_GrzuL+ǿ׺ej_fê,(Wc5]$ܛ_'<+_4mG2Ŗ窷dB[GBL>$#A2f@\kL!wf)䒀nwye\M[ _cV:ÛWZ$Az&WRYڦ$CUU]
MHNK\us1рnQ}ˀZ}}fB`JƔnk|~A"
cGct"GiGR%{6ІHOnD>*i0GyDr|ڡT\!ˇD34F[uoIUͰ$rL<.ܴ]nEmw
\ֻI}>%=2dd[ޥ]:n7:ufmqUY|Z| 2~L%{䃢>V2i3Q9%(?&: SR=89'̶UX|٠ U]W"GI[4(w0:^HɃԵꚉeVѓVxwa7eIX5tnjW=]^
~SK7884X)-|Ϲ,l FFڿkr?czh].β-;%XJ=@fN.ؤgSma9IFJuLx?4`pMkFU:enx
66mC5Ť·{e~D'LNpMxvk

|ȟu"jȾw&`pZ'PzEǜ}Ґ6ƳuAcu3Ms튶.hdRUoPɓs	O2%\{UmQEA۰9dB@cp&q>UXIE2	q7#Jl:ΙZI=L;= 4:w|[R<ڔt-w*'X\|8OęW	:+7?x
-cQETZ!?Ux|ۢXbHIou.w%)n>{N3r;YG%-b]49$"h:GBdClk'o4KA`L?eӉ6eMnot,n\ɜ$qfoOGƦLv#Nd2#XO_AT#'eVF{sUٖIb{lƔ20Q,Q	EcਠDH|iETX,(t/Y]RioVrpڨhvff:Dcm,AA믗S3"nF[lCW.} !ki/ϸp%D[̕zF4	ݐUkueXcw+|OŮG̯*hR=8Ӟ:-"oWFkN,.!
@-b6S~=2+ª^l㛊-j\xsLƂs1oڂjzŽ@/2EO^%Lqm9hi%4,/HɃϙIG8MbtsHgdkqVkԵ[ڼN07j|m%E
J`+ֵYcM~jS#ֵlpefo*u6=
3V|o;u4sRτAPgpL;@膋rIWSfo>0=63{j6_BIwv?BAh0kz[+]wfH
eIzԆUSYGpd*qV>/+OseLչ79]	J(hK[3l%spex	
i1TV+(R-+KHsx9!B0hjO753^.D"݀"㘟)e>.fl`Њ!2RF)S0ogaam|U֔NJ/IѸݤsuЮw`o~tNs̰en)uk
|74snmmhFƱ	#3nEkf:>ټMoO!gY5Q9a~APA=f:3> SB,1:fSrn@g*#t3sg
KߔoBf)X*}VIi){{ېyW7GN;Nq1zrZQy,>UxDYn:vQ	TgU*CNՈ"^X22{CE*}~ 347:J벽+!܃UhumĽ`bK)iNkuhhdTU!mwOy9*NuM4lsl%gd}tgtUp]rb`5Gb2-(8nF#sF+2ޖ[}cN*Sx6;FG25£/]Mm
ɀ*pɎgL_]EgNkgw:[ֱ)׵Wj,:t[_]ʕ{MH"@Ick:#K9ho/kǮrvbT8@[%HXvg:7Hϯ-`1{5pm2t
%%ʤ}m؇)n/iAf c(wY:'sѯ5|+3eNfV'Ir͸/&)|fG&1dwyUIk`՞Q2XWFNs2{SN
%zw’`;Ӈ7boq%5Ć1[fb_98(pFt[D?
vW3]nP̗`xS4r{LӌhQ/t֌Zt&Oa}p҄\KA9`u[ժTF&lW$`Ȓ,y,=!3*9]/u84	Uz叉ARfSO[7"h5VW:$>Gb|%GVS׌y~Mc>Vիkծ#7> 4L{ܐCLfut߰f%Q2[pɿQݴaȜ!1wA9ze^}چvU81yԦi-$CY$8Ϋ?KLY0_O"
Է?rnZ'(E`z~2#sY7d^"pX崫1>9WӅHߝuWɹ[ɻIb\@*]jd寏_1eec-g1=}R;zO_X!gH;'NLajJGed	J&-]~}y?pZU|&d}6EJD=}zkF9j|2[ҝ'k"!TԆ$å:+lA[=	Fypt321QFtUɑ
l12ˀ,^>/t'nZXtb:O?f{Fj?hd,^L8){ѦIFq&98p2۲ڎE\|wD6BHeekDY0æqyuR3Vyc]C3-%FmE2ψ6,N
ᗌk͝B9;s|(M~!` 	%
wxZ/FO6lľ#]·	=2s\?ŦW	h4f,_ tŚ|z
]'>̡PtSآ#+W'ŠQzZkiR]YO:G2l2_7aK5]
~XWzb2;u~
Y.dU>bjj?194p>he} '_S}VfB.zoN/h{OkLg4U=yj<^)/&ׁ6P=.@#}^%1s)dU;9.:c:\4#4V'lvNYlrQ!>-sFynJ$e8M"hyʕ-h㯍f$AZ"O#\&|ӻ\Fja206?0iV9(p\h''kxNk;{7Kipl'%uؖezCQO98J(Z ^GFkE!#[3ѻW(r1k֌*M&m셯xyk2}ܝ(#=8Q\-5=_lZv$HbB"vo?b=?0|f(
S2xQJQhsUvQ;am/QI_p\Bd)uܢ \ьiEz|;,Iq-*.g'Pãrej!]ɦKUv7
jYŝXunx]/ 	kaƦdXp-3%Ig:8:r͉]Sb=Xu.%&b֒8m.d#sKRd)jq@siՊOfET4vZ{2I$*L—TRBR1YZA[!4]U"c$K;o-gzm4],lt|Թu{
ץVvۇ/&uD=8T#öi\z}'b47kU156oJN߬ar2(hwۊ)]^~JiO;!y=ߕ'd@D2i
z踋"ݒ+dI:u26}蛣yv޼ꪳpL]WN#۫<֎[ʅ#?ge*4S^u(qB2SüǀC="]8휽dv18F|8lK=C%#^_5;t26ܡAB~A&gB[)6y-m?&<3u`O|5d./xCGNV=zuOKo7JoqZ7BtR[	6ݑ}w~NNp۝J-SO6lƂ5ae4;cW
lzה2N?)/?^ژWm]ך3{N7$I>1-BOƱnցn0H7B`G2au0	ȾoC䈇dp.m&)>#xhh.zmӾCȚ=mTgC_~@h<2?pۊsP%>#{3>S(B*ԸfZiI}RJʩcdԛP[v6ݫ9+:s]hϑ1k|]WR#U;;	 ~kU*~0X9UKCŢg> 4W!Yz0fI}PZf(%|M^?(D~:x!ozz:v'	<\hYը%2놫 G
DŽav:jcf9ZFG/R2_jMVvĢEښז2KkB9ksgXZXw[~xlصg&g
o5m<5	~Fg.*
N826NGMo|!oIU$A]x$Lz5_U`s0nT =&\Vz7+2\ˑws*E}!3b]~en14w{fWg Rs_Zw9ջfԅyD޸"7$USF4WzϼU_d0=%9\
J/cg8Rʸg.Q0v%?9MK	@H#/҉_(]}فs`5{^dկtু\'Va@sgfJ9~HnI==zKmfV#7fMa/L9ciGiV̐vdH;2ΎyW$=y}{\sas1*.{"\zӦQm[*do+?/8_-iIIv_I3	׫yjr\-tU=>wJwfNHj##RAKΌKxg#yGGao
VG39$ګ)$@wyOfюF[j
&#0(~J0Y ,׎[JcCHۇƨ^'lx&j	WmnCcp<N5n=ݸJ|h	
iTމ;d֧ե)2rsrFخzS-Y&Hq"ZbUwyT2OM/d;ᠡK8~gkTA<,ETC_HF?Ur=p7Ş#tx& 6|}wnpg̫Al_gd +3IRoRW?ϪEn:EM'&opEV[c.
ϲ^k7pżQ<^Lݜܽ6OV
kԑ0ccc}δqSsRɍ	/4]{[DiEc~~`)}|m"I($lrsj8>8~ccm,ʳQ̱|zu`߶,f5کC9$n7'5?KXNd,47jh3ils*n*&nןكml}\}}X{sW%vi+UΫBìpBn|+hxU/7UD<N=5i	d4k>.צy_-gۓNG-f7zƿ=8FP{oXx/Z֯P%|H=Hqnj85{c>*`&l-
s'7/cF˩3P0[y3<͵=rqzmS~>Qߣ	S,sz_cus'ࣄS	ڒSW:4Tm+sPpCE@f@8ЫQ@<Kz)=Gfu2?
 6)G'x^GNسϙ$Rړz'+JjG5x3WiD?M?9^ʐB1YRPUVc&ܥYMl/ŌG1bd1ÏJOїroYr-D+ ;{KA(G*Ӫ\2CC!Wx(n2؍Lܛy%0y)	%gi\N;m~<^L~kPWmh<4x%9KQ5.01
oRS8TWo#/g鱱k	dtUU7߶.9
cڴfaӸL|iʧ)|ӔC;>
6GcoeTM_IS&{cVHf]	t-|x_>.7"c&!8qz;r)
=6(ֻُu.Q'h8`EʭNWZcfh>Y={#1nȣ<{焙;*}]SgG7?`=+3{"vuTWګ[ڣ]Mڶ4zt&[?GR"̄\Woӏ^$2d4b:p=	tŵ/	u飶?3f*osjD_{5(pyD:
NMCeOjMUW\gTG?J51Lty7^M,5̨2?QG:*k؁ҬXqkM[_TioBڢ#SJVM]xxf:cgh]Z>j׳GwwgT9JD"km
_?~eg|S
uvZd:Y{CT}](sM>#dx)en1;ۘ*дM@#-vAs*L۬@5ُ)o>ղ?n6ޭs*N#a=mܱƖQVsw]RG~y]CL"*	
\Sڭ
tαXM-*ٷKG翾1ӯYF1	H"uH܀6v.4p"{;eJGot0CkXQ8zf	DL{tϘ}oyI\KYVG}np&(W/k"øn>=}kTv%Գvڮ~6`~ GJߖcsYǿn3=)k7]'Mk5+uŝDW>QTIf}dԉ6g[k=>١7n=NU;K9s"ᛙG6
'֙YN}4|wd|Pi26.t:{^YmW\>H9
{iǣ7Խ劻QDN:~y}w{4/	m	:ooҧT2L-T:|؍r`S罵ZG)q4O{x(6y6cLmnHw9.|!a:rL*h6Z/ȣ76k.^"gd`Rh:\M/
Z[9߉ڴ=/qV1ևL=s@UIcmoҏ4/t|H$R0ܛ}Ae	!׾փfC:.3V$LKf1>xceaBj8aؽ"zEOxdл6mB'>ޒ-z'2vڞz~x<@ajKzo|?+1[
mŅCU=8>7n]$ǖ{-J>|>1\9&#GX-G:>ycdKVQŇEpEf)؛uHt[[ˤxQ2Q:}Tŀu h]Y'v6^2ڧ
KW">dy?`s#3e۹o3?^SY$}l&!zF6oyY&>.!Ec"a3ݣupf蝠z<[w_CF\	E<;[4x"P@CL̥!9چNăE=Pf9Ðɐm7#
jyCE|$i/uy+[\_VW*CgM^Hzz׃.AXo/5
qcʢPBݱ@5OYX^zRjPHAoSR#Qe,岜ޖ,|hXS(eB**c`kyV
g)6D,{G?GtJC4;^hʇ4TN>4na0X)V<*K؄d+Ȟ9&ocUArRNP	^sErW/[TWU!և#Vd,Uzk%Xr{aî:!r&j@׮U+OZf(ɕW"%E,)bI٤[?Ğ]NdĵXa”m5\bBnN}XϚRGmΦl/h*9' ]-g_bg<|H/8L0Sc҉sNq
X/I/t;1GzŇ:46̨;jU\E̡;
>]-WE凔)4;M㈑'F@zymyP󟳗[iuvˍ=9٣F\Jמ56քbtGmIOԴ? W/B922dv絁!Cܖ&ӶtVI>$acg9{b49"ǮvyIiW8,'UꎤwgxΞgfd>S%HB< mj}.~)PTC^_zegL'aE72?&szUW&3b/䡞By곺j={8&l5
0P9	N
#?s=D{M,)~z:_
5p}nD4~ۗWC֌%S6ql3ĕ??{(ޘY8#:3Fl@GpGûѺ$zdZ0/qovxW{+tL?nVlߢOnvyXoI-'ךy-w[hG_ɢrѭ6} xcHhÝcwiZ0!Dx!:L~}?رih~zŎ?Q.X	J:RI3RNK(yL9g-W陉n[R-%N_.lZ]7hW$[cF1XMP5'oz\{4m|+SԜjz40n8qz,Ϝ5Ǒ3Ṟ*cU0Ǫ`WV;RmG皙.*{Aj׼l	,ř]*ݣ4msY[2yc"^gv9I84S܂	x&tS)N-4tt%8_#􈿶{֑T#AˉH-Lҁ;EV9_^n4H=hz6%t3\;JWom^ݚ!@93/q8 u75[+!?u"mF!"R+LX=1Zyq^FZCw>x7شdqś%mA	"fA{gHCz-T^2n'G8};~k=E|
1PGVjQIeMA;# =jхcN|`뙄wV/ɬ6?~Ŗ61]zb؃!NhiX$x0lbxUD^]+,/!lQR!:vCogĺSkS^]1~autؽg|:ݏK{+t#YI5i}kND,fi#lPϕ9'ʬnOtPDžiӘO/˃.&&a1G}ÏAjlF`5	'	%_|NY~`Xv1uqFsV1QjUDݞV  uZ8d&gڧRպ{ז%٭b{5	34щZݾvdVEY|G{6z/RIƿL舻M-bftջViO$]$sEUÕ_ꐁm~R굿t+7u4iڧ<::~펹:3@[ҵF3#`7!O3l#i>/=֖
An":8|<`FXL3 LnU[C=`|Y36TSCw%im[AK
Q}wVd2I@J'އE~Zu.)2w#"2sm{A+*Czfy9l*3}Dv!nM'KԿB$욭]f*6Z[
헶_p~R@LRR#,:P(¶6	lwaeaTO!rэȵsA/ۇo*r#i[
jMaպ
Rθi눴F:^lE.?1Efud	8XQ8]p4bjuÔjA^NE0ƅh26U9оX5"9NYȉX-foh7pp}ڣAgdh%Jc&97MCMX$˜E#zbXR܋?[@}dk*\DO$am˰ҕ8.^^vYz؀_]>+Oj}ɒ~J8:TuHp8<<?>BJvw$m?\`
yտWtܥ8 eb R<\lJJ]bdCtn	{ԆëëV-uF:_2#*2kgjC{/L`	EtMΩÂ1n)Krro-i
&)`W(_ڡ١_lJᘽ9iQ#iu1u%VMٮ*:Ɛ'xeZbl>4;44+	h5{3X./wy;TR lBO]/ۇpp.cjTɖL(+.(u'3--9ppA[|ko*5>I^afZ]BԤ׃fRNiOD䌳QKF<{ckpp F䳬Ƌ
֙~\3aa?m˩zX\ND=|{ŕsM(FUP~Gԍ?Qo^[E-VPv\;;{ގ>MYaDK0kCCy?'+'%(EW)>	8a;05\=;?j3SȎ^\GS.0y:{y^?-N}54,ʾ2q[CX^z+튮"+.93J^қuxXwX,vI'"ɑsGgYK
/vrP2JS~l~šXt(ueYzA/,Ȧcü>"WU*=ֽ5ՙC rw&ש_~z֝ybt^K1%"TuYoüü'kDd\ެ&3|ԛy00œz\gS.3ߥ$׾qfx3,#[]ޞE9;{JA 0ŭIn^S
[mͱԕ|x>}'="F$E+"3nJUj(J(c♣ܔl_tP1q7)I_PK+g҂Sxx1j$JJ~%WYif1ۘkM!HYׇ?m6\P: KW>ezE>A`ޙ%mѸh!~]ppǩжoZmoޕ}5pe6pqsu[mG(?rHLgpV]]zm<=UhգIƀګ8Ջme&ZٚGѩ4F଱rxōmI
6T1ZrC.Na4S7:yxv9UnTV|i+>M>
*$Җ-Gl~C.&uƩ?vJJEP
zcK;,l15O(Tv%'7͐6"
#Z	05BHN>F0ivضz˜y`)#0e;?m۷KuJŬFK"7vc`0i]fN=ͮ&6gh*VEk3mfo7Z,PN?[*(Iu~C
ᵶ֬lm=@Gq{q@6ж>25*lʫq/>bbkdB7TUbMO3:Ͷb29~6_ HS\VuYع/q[+f8RBW}l1]|};|aU֘X,q- =Zvr@~czHWvZ&(sd@D2+ZHYR]iV.$!@#FS.z{
tjndo> #Ȃ%ZgFU!Ś2LT׃#i3J1-t.:h?}	JTKyí+2JώīKX^z%Søƃ#m5jbV\f+ˌκlwpAku_ H(L﫢;i.E	ͫB{giwGZ
o|y
ʡz}+r~w3bvmqL>thO=&xbpF^jy=лԐa}#nYr4=H7ҺP9KzIu]~B#X.$ڿ7P+35[:??yp~kIGNT)@dyk=vG7sx&!Vgye۽}}e	5ma]jЁ{%@,:ב_*MiC$7|%6`|ȸZsgW~+dԞ218ƐXkj77u|,U˥v𠙢Ut'+V2gYV`Sz>~8e9@ǚإO2''BkRז?c
oAP_@	w;H~|'-R
)pg6X"fۥai0,ב^oEdIS6kj1"3e"&}
=鐉UB^ﴟ}th6#`i5zUxL];-ulf$~kMhLmG(1}m|e= WAW;kxܛU_fua-1JYY|V9+3NөH}qF*e&Q9&4>zPsi~wm$e9a|904C6A%WT:Ӝ[O6kT'jr#D;,e	
_;ssiK]W7HbBc0TjR 
Ao԰t-X4-	wGXGDҷi@
~X?D̄.^{4&*u=Vz:W&m2R/|eE/k
:}YPR:ܭB}yӴrSǩB&r~52jP1x:=k?'/+3U2T?fA轫%%VaB0<ӄd3l8hhT4ی%pcX5toMw݆j޶З460WYL)#3iCS_kMڬ8dUx1u+_mp^@
Loo#"+_oVHoJ
֘G),c#ko7̜/
?-?d,Ԍ!_dL]e6jF)x	h
RZ>֟vK%Qa̺QcUe|hMY +>nzÖL~L.\,rB:9poG`<3xbyYLAYSe_XeU	2hꖽR3hMw'`sNvˤOi{ŌFL:}ouj8@R]1IOi?$WJx%J-gFh|
-+gB`SNTX>
Ȥ+{|8`hV1k_9v-1WtY2S0K' S9<bM&d'3)w}S7$Y:dM6ce\\lӺbhfY
XD3y}CҤ;3j{?Opx՗kR`HOŶkO$v{:0#SND~g͌'X3;9+?K}܇why3-1.6.0/examples/multiprecision/lemmas.mlw000066400000000000000000000162101440160026300212670ustar00rootroot00000000000000module Lemmas

  use array.Array
  use map.Map
  use map.MapEq
  use map.Const
  use int.Int

  (** {3 Complements to map standard library} *)

  predicate map_eq_sub_shift (x y:map int 'a) (xi yi sz:int) =
    forall i. 0 <= i < sz -> x[xi+i] = y[yi+i]

  let lemma map_eq_shift (x y:map int 'a) (xi yi sz k:int)
    requires { map_eq_sub_shift x y xi yi sz }
    requires { 0 <= k < sz }
    ensures { x[xi+k] = y[yi+k] }
  = ()

  let rec lemma map_eq_shift_zero (x y: map int 'a) (n m: int)
    requires { map_eq_sub_shift x y n n (m-n) }
    variant { m - n }
    ensures { MapEq.map_eq_sub x y n m }
  =
    if n < m then
    begin
      assert { forall i. 0 <= i < m-n -> x[n+i] = y[n+i] };
      assert { forall i. n <= i < m ->
                 let j = i - n in 0 <= j < m-n ->
                     x[n+j] = y[n+j] -> x[i] = y[i]};
      map_eq_shift_zero x y (n+1) m;
    end
    else ()

  use mach.int.Int32
  use ref.Ref
  use import mach.int.UInt64GMP as Limb
  use int.Int
  use int.Power
  use mach.c.C
  use types.Types

  meta compute_max_steps 0x100000

  (** {3 Long integers as arrays of libs} *)

  lemma limb_max_bound: 1 <= max_uint64

  function l2i (x:limb) : int = Limb.to_int x

  function p2i (i:int32) : int = int32'int i

  let lemma prod_compat_strict_r (a b c:int)
    requires { 0 <= a < b }
    requires { 0 < c }
    ensures { c * a < c * b }
  = ()

  let lemma prod_compat_r (a b c:int)
    requires { 0 <= a <= b }
    requires { 0 <= c }
    ensures { c * a <= c * b }
  = ()

  let lemma prod_compat_strict_lr (a b c d:int)
    requires { 0 <= a < b }
    requires { 0 <= c < d }
    ensures  { a * c < b * d }
  = () (* assert { a * c < a * d = d * a < d * b = b * d } *)

  meta remove_prop axiom prod_compat_strict_lr

  let lemma prod_compat_lr (a b c d:int)
    requires { 0 <= a <= b }
    requires { 0 <= c <= d }
    ensures  { a * c <= b * d }
  = ()

  meta remove_prop axiom prod_compat_lr

  let lemma simp_compat_strict_l (a b c:int)
    requires { 0 <= a * b < a * c }
    requires { 0 < a }
    ensures  { b < c }
  = ()

  meta remove_prop axiom simp_compat_strict_l

  (** {3 Integer value of a natural number} *)

  (** `value_sub x n m` denotes the integer represented by
     the digits `x[n..m-1]` with lsb at index n *)
  let rec ghost function value_sub (x:map int limb) (n:int) (m:int) : int
     variant {m - n}
   =
     if n < m then
       l2i x[n] + radix * value_sub x (n+1) m
       else 0

  let rec lemma value_sub_frame (x y:map int limb) (n m:int)
    requires { MapEq.map_eq_sub x y n m }
    variant  { m - n }
    ensures  { value_sub x n m = value_sub y n m }
  =
    if n < m then value_sub_frame x y (n+1) m else ()

  let rec lemma value_sub_frame_shift (x y:map int limb) (xi yi sz:int)
    requires { map_eq_sub_shift x y xi yi sz }
    variant { sz }
    ensures { value_sub x xi (xi+sz) = value_sub y yi (yi+sz) }
 =
    if sz>0
    then begin
      map_eq_shift x y xi yi sz 0;
      assert { forall i. 0 <= i < sz-1 ->
                 let j = 1+i in x[xi+j] = y[yi+j] };
      value_sub_frame_shift x y (xi+1) (yi+1) (sz-1)
      end
    else assert { 1+2 = 3 }

  let rec lemma value_sub_tail (x:map int limb) (n m:int)
    requires { n <= m }
    variant  { m - n }
    ensures  {
      value_sub x n (m+1) =
        value_sub x n m + (Map.get x m) * power radix (m-n) }
  = [@vc:sp] if n < m then value_sub_tail x (n+1) m else ()

  let rec lemma value_sub_concat (x:map int limb) (n m l:int)
    requires { n <= m <= l}
    variant  { m - n }
    ensures  {
      value_sub x n l =
        value_sub x n m + value_sub x m l * power radix (m-n) }
  =
  if n < m then
     begin
     assert {n











 
 
  
  
  
 
 
 
 
  
  
  
  
  
  
  
  
  
  
  
   
   
    
    
    
   
   
  
  
  
  
   
   
   
  
  
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
  
  
  
 
 
 
 
  
  
  
  
  
  
  
  
  
 
 
 
 
  
  
  
  
  
  
  
  
  
  
  
  
  
  
   
   
    
    
    
    
   
   
  
  
  
  
  
  
  
  
 
 
 
 
  
  
  
  
  
  
  
  
  
 
 
 
 
  
  
  
  
  
  
  
  
  
  
  
  
 
 
 
 
  
  
  
  
  
  
 
 
 
 
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
 
 
 
 
  
  
  
  
  
  
  
  
  
 
 
 
 
  
  
  
  
  
  
 
 
 
 
  
  
  
  
  
  
 
 
 
 
  
  
  
  
  
  
  
  
  
 
 
 
 
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
 
 
 
 
  
  
  
  
  
  
 
 
 
 
  
  
  
  
  
  
 
 
 
 
 
 
 
 
 
 
 



why3-1.6.0/examples/multiprecision/lemmas/why3shapes.gz000066400000000000000000000115671440160026300232200ustar00rootroot00000000000000[Yoǖ~ׯ0P2/B P2PkBt%9_?ߩj.$%jqn|c$r7OU}u:Kfr?ݯn{ff,|K/R%Ǎ\R/<1KeUlɱB.CΫ-gVof4-.݂ֹ%ai;KtDuK
}	{tҁ=bus_mǾ[iˀ0 b̀gΗs4=E&1|?n%q46ܩ
wqܩ&d[HFAi~U~J/g{+op>`蚔r>a1>\KisOخrUMx7ZH/6\ӈ
|7$Doglan_[?tKX	!?ŐB~d;lv>לȖ;gzfN_֓u<:Lj81oΡ{IL_g:. ["
輝-]n	 pel.bw)y`Smįbv65`TOP)P8k89_%>f;\b3	8Iv%^47 J`;bSVqa 8
Aq]
&	8SI%q1NuI@!urwsпN(	>&Y]}Y]?uV>>~*BJzVTVm6t6<\?ܭ#H(?kTW<Iն&:ݣ(P:5qk/$w\r!5<&@/v]y5mФaC|; ^
m&Hg@f8uT'{pOõ"R~>]bh8{{ǫh*ĔObR؎/ûp귥LA
yk<[!|l>u.0(Ѽ
ٳ/%dbԥjD_
}#d9n]y4xޟ:eFGj_^ջ.)2d'Lqo7MJN;Ƌ^pJOXPHEF?=)
8T3MZ|UC1iWpsToP˾ݳˁvG;Z&e&b'vU}yҿyk_@'V:F\n0XO5D?1﨓+M|}HW#EmbJKt}ZZ6^Ow%.GtRʍ[5Õm	iE
Hi֞!a|򑤞 8jJBoCPz?--wE.i#X~76G`Nm~r2}/Kvcz/9ui2߭pm&ʫT^(ELv:0b	t[q1:ߘT5|sΟs{|Wu>	
OSxx^$[\:}T6<-EÉF~&_
{/hDMJ^A^*#1k)pؾ}5o_PC"NI
TSt+(q(NA]6>}#5yXt9&˺A7}%=hZnw詞#YeFtw4z	/68F!|>VM]=~MTE)Kul~AD7mC`10`9?JoFcEc#n˧VGwQg^tr7qFDNbv-B>A&]xewy^:J>nŪ1.)n9Cg-S#/\z,܉~46h%V\nrsI-)Ew8GvX]{6{G<[yUL'.1:M3
+ZMRr郶2jQٙX'qL22>mf:y*$O)vlq	
)ɚDͬj_ٙjP2 $NȂ3vW/9\&U
KU0it\*"BTdqO.*<%Ct;UpdbQ#?!mFi%#/BF40YA'!4{#~!'NitF$cc}4>0FF&DMhl@2]){`hC
Kl~BN|(`"XDZ<
8|h3a3REր1\Xt=ThT+U+(8Uf{1\TSQe$W^QH"c`g.R6vZ"3S/2%Ju#TAj1TGUdQ(}WD#uP(zK덖Ttr^C<)"*-UIQ{ß`cck|J3jCJť,Y.kw>1X?Kf-~ڷ'kwAWO"&&28RYjJJ˽vЍ 'qq&k4Z9o^g8!$h'[T]Z I=]/)Sha/z+b?\uQMVK^J-	a	G7ڳ:Pe:':c04O}
&fQ\why3-1.6.0/examples/multiprecision/lineardecision.mlw000066400000000000000000001734741440160026300230210ustar00rootroot00000000000000module LinearEquationsCoeffs

type a
function (+) a a : a
function (*) a a : a
function (-_) a : a
function azero: a
function aone: a
predicate ale a a

clone algebra.OrderedUnitaryCommutativeRing as A with
  type t = a, function (+) = (+), function (*) = (*),
  function (-_) = (-_), constant zero = azero,
  constant one=aone, predicate (<=) = ale,
  axiom .

function (-) a a : a

axiom sub_def: forall a1 a2. a1 - a2 = a1 + (- a2)

type t
type vars = int -> a
type cvars
exception Unknown

function interp t cvars : a

val constant czero : t
val constant cone : t

axiom zero_def: forall y. interp czero y = azero
axiom one_def: forall y. interp cone y = aone

lemma neg_mul:
  forall x y: a. (-x) * y = - (x*y)

val add (a b: t) : t
  ensures { forall v: cvars. interp result v = interp a v + interp b v }
  raises  { Unknown -> true }

val mul (a b: t) : t
  ensures { forall v: cvars. interp result v = interp a v * interp b v }
  raises  { Unknown -> true }

val opp (a:t) : t
  ensures { forall v: cvars. interp result v = - (interp a v) }
  raises  { Unknown -> true }

val predicate eq (a b:t)
  ensures { result -> forall y:cvars. interp a y = interp b y }

val inv (a:t) : t
  requires { not (eq a czero) }
 (* ensures { forall v: cvars. interp result v * interp a v = aone } no proof needed, but had better be true *)
  ensures { not (eq result czero) }
  raises { Unknown -> true }

end

module LinearEquationsDecision

use int.Int
type coeff

clone LinearEquationsCoeffs as C with type t = coeff, axiom .
type vars = C.vars

type expr = Term coeff int | Add expr expr | Cst coeff

let rec predicate valid_expr (e:expr)
  variant { e }
= match e with
  | Term _ i -> 0 <= i
  | Cst _ -> true
  | Add e1 e2 -> valid_expr e1 && valid_expr e2
  end

let rec predicate expr_bound (e:expr) (b:int)
  variant { e }
= match e with
  | Term _ i -> 0 <= i <= b
  | Cst _ -> true
  | Add e1 e2 -> expr_bound e1 b && expr_bound e2 b
  end

function interp (e:expr) (y:vars) (z:C.cvars) : C.a
= match e with
  | Term c v -> C.(*) (C.interp c z) (y v)
  | Add e1 e2 -> C.(+) (interp e1 y z) (interp e2 y z)
  | Cst c -> C.interp c z
  end

use bool.Bool
use list.List

type equality = (expr, expr)
type context = list equality

let predicate valid_eq (eq:equality)
= match eq with (e1,e2) -> valid_expr e1 && valid_expr e2 end

let predicate eq_bound (eq:equality) (b:int)
= match eq with (e1,e2) -> expr_bound e1 b && expr_bound e2 b end

let rec predicate valid_ctx (ctx:context)
= match ctx with Nil -> true | Cons eq t -> valid_eq eq && valid_ctx t end

let rec predicate ctx_bound (ctx:context) (b:int)
= match ctx with Nil -> true | Cons eq t -> eq_bound eq b && ctx_bound t b end

let rec lemma expr_bound_w (e:expr) (b1 b2:int)
  requires { b1 <= b2 }
  requires { expr_bound e b1 }
  ensures  { expr_bound e b2 }
  variant  { e }
= match e with
  | Add e1 e2 -> expr_bound_w e1 b1 b2; expr_bound_w e2 b1 b2
  | Cst _ -> ()
  | Term _ _ -> ()
  end

lemma eq_bound_w: forall e:equality, b1 b2:int. eq_bound e b1 -> b1 <= b2 -> eq_bound e b2

let rec lemma ctx_bound_w (l:context) (b1 b2:int)
  requires { ctx_bound l b1 }
  requires { b1 <= b2 }
  ensures  { ctx_bound l b2 }
  variant  { l }
= match l with Nil -> () | Cons _ t -> ctx_bound_w t b1 b2 end

function interp_eq (g:equality) (y:vars) (z:C.cvars) : bool
  = match g with (g1, g2) -> interp g1 y z = interp g2 y z end

function interp_ctx (l: context) (g: equality) (y: vars) (z:C.cvars) : bool
= match l with
  | Nil -> interp_eq g y z
  | Cons h t -> (interp_eq h y z) -> (interp_ctx t g y z)
  end

use mach.int.Int63
use seq.Seq
use mach.array.Array63
use mach.matrix.Matrix63

let apply_r (m: matrix coeff) (v: array coeff) : array coeff
  requires { v.length = m.columns }
  ensures  { result.length = m.rows }
  raises   { C.Unknown -> true }
= let r = Array63.make m.rows C.czero in
  for i = 0 to m.rows - 1 do
    for j = 0 to m.columns - 1 do
      r[i] <- C.add r[i] (C.mul (get m i j) v[j]);
    done
  done;
  r

let apply_l (v: array coeff) (m: matrix coeff) : array coeff
  requires { v.length = m.rows }
  ensures  { result.length = m.columns }
  raises   { C.Unknown -> true }
= let r = Array63.make m.columns C.czero in
  for j = 0 to m.columns - 1 do
    for i = 0 to m.rows - 1 do
      r[j] <- C.add r[j] (C.mul (get m i j) v[i]);
    done
  done;
  r

use ref.Ref

let sprod (a b: array coeff) : coeff
  requires { a.length = b.length }
  raises   { C.Unknown -> true }
= let r = ref C.czero in
  for i = 0 to a.length - 1 do
    r := C.add !r (C.mul a[i] b[i]);
  done;
  !r

let m_append (m: matrix coeff) (v:array coeff) : matrix coeff
  requires { m.rows = v.length }
  requires { m.columns < int63'maxInt }
  ensures  { result.rows = m.rows }
  ensures  { result.columns = m.columns + 1 }
  ensures  { forall i j. 0 <= i < m.rows -> 0 <= j < m.columns ->
             result.elts i j = m.elts i j }
  ensures  { forall i. 0 <= i < m.rows -> result.elts i m.columns = v[i] }
= let r = Matrix63.make m.rows (m.columns + 1) C.czero in
  for i = 0 to m.rows - 1 do
    invariant { forall k j. 0 <= k < i -> 0 <= j < m.columns ->
                r.elts k j = m.elts k j }
    invariant { forall k. 0 <= k < i -> r.elts k m.columns = v[k] }
    for j = 0 to m.columns - 1 do
      invariant { forall k j. 0 <= k < i -> 0 <= j < m.columns ->
                r.elts k j = m.elts k j }
      invariant { forall k. 0 <= k < i -> r.elts k m.columns = v[k] }
      invariant { forall l. 0 <= l < j -> r.elts i l = m.elts i l }
      set r i j (get m i j)
    done;
    set r i m.columns v[i]
  done;
  r

let v_append (v: array coeff) (c: coeff) : array coeff
  requires { length v < int63'maxInt }
  ensures { length result = length v + 1 }
  ensures { forall k. 0 <= k < v.length -> result[k] = v[k] }
  ensures { result[v.length] = c }
= let r = Array63.make (v.length + 1) c in
  for i = 0 to v.length - 1 do
    invariant { forall k. 0 <= k < i -> r[k] = v[k] }
    invariant { r[v.length] = c }
    r[i] <- v[i]
  done;
  r

let predicate (==) (a b: array coeff)
  ensures { result = true -> length a = length b /\
            forall i. 0 <= i < length a -> C.eq a[i] b[i] }
=
  if length a <> length b then false
  else
    let r = ref true in
    for i = 0 to length a - 1 do
      invariant { !r = true -> forall j. 0 <= j < i -> C.eq a[j] b[j] }
      if not (C.eq a[i] b[i]) then r := false;
    done;
    !r

use int.MinMax
use list.Length

let rec function max_var (e:expr) : int
  variant { e }
  requires { valid_expr e }
  ensures { 0 <= result }
  ensures { expr_bound e result }
= match e with
  | Term _ i -> i
  | Cst _ -> 0
  | Add e1 e2 -> max (max_var e1) (max_var e2)
  end

let function max_var_e (e:equality) : int
  requires { valid_eq e }
  ensures { 0 <= result }
  ensures { eq_bound e result }
= match e with (e1,e2) -> max (max_var e1) (max_var e2) end

let rec function max_var_ctx (l:context) : int
  variant { l }
  requires { valid_ctx l }
  ensures { 0 <= result }
  ensures { ctx_bound l result }
= match l with
  | Nil -> 0
  | Cons e t -> max (max_var_e e) (max_var_ctx t)
  end

let rec opp_expr (e:expr) : expr
  ensures { forall y z. interp result y z = C.(-_) (interp e y z) }
  ensures { valid_expr e -> valid_expr result }
  ensures { forall b. expr_bound e b -> expr_bound result b }
  raises  { C.Unknown -> true }
  variant { e }
= match e with
  | Cst c -> Cst (C.opp c)
  | Term c j ->
    let oc = C.opp c in
    let r = Term oc j in
    assert { forall y z. interp r y z = C.(*) (C.interp oc z) (y j)
             = C.(*) (C.(-_) (C.interp c z)) (y j)
             = C.(-_) (C.(*) (C.interp c z) (y j))
             = C.(-_) (interp e y z) };
    r
  | Add e1 e2 ->
      let e1' = opp_expr e1 in
      let e2' = opp_expr e2 in
      assert { forall a1 a2. C.(+) (C.(-_) a1) (C.(-_) a2) = C.(-_) (C.(+) a1 a2) };
      assert { forall y z. interp (Add e1' e2') y z = C.(-_) (interp e y z) by
               interp (Add e1' e2') y z = C.(+) (interp e1' y z) (interp e2' y z)
               = C.(+) (C.(-_) (interp e1 y z)) (C.(-_) (interp e2 y z))
               = C.(-_) (C.(+) (interp e1 y z) (interp e2 y z))
               = C.(-_) (interp e y z) };
      Add e1' e2'
  end

predicate atom (e:expr)
= match e with
  | Add _ _ -> false | _ -> true
  end

(*TODO put this back in norm_eq*)
let rec norm_eq_aux (ex acc_e:expr) (acc_c:coeff) : (expr, coeff)
  returns { (rex, rc) -> forall y z.
              C.(+) (interp rex y z) (interp (Cst rc) y z)
            = C.(+) (interp ex y z)
                    (C.(+) (interp acc_e y z) (interp (Cst acc_c) y z)) }
  returns { (rex, _) -> forall b:int. expr_bound ex b /\ expr_bound acc_e b
                        -> expr_bound rex b }
  raises  { C.Unknown -> true }
  variant { ex }
= match ex with
  | Cst c -> acc_e, (C.add c acc_c)
  | Term _ _ -> (Add acc_e ex, acc_c)
  | Add e1 e2 -> let ae, ac = norm_eq_aux e1 acc_e acc_c in
                 norm_eq_aux e2 ae ac
  end

use debug.Debug

let norm_eq (e:equality) : (expr, coeff)
  returns { (ex, c) -> forall y z.
            interp_eq e y z <-> interp_eq (ex, Cst c) y z }
  returns { (ex, _) -> forall b:int. eq_bound e b -> expr_bound ex b }
  raises  { C.Unknown -> true }
= match e with
  | (e1, e2) ->
    let s = Add e1 (opp_expr e2) in
    assert { forall b. eq_bound e b -> expr_bound s b };
    match norm_eq_aux s (Cst C.czero) C.czero with
      (e, c) ->
        let ec = C.opp c in
        assert { forall a1 a2. C.(+) a1 a2 = C.azero -> a1 = C.(-_) a2 };
        assert { forall y z. interp_eq (e1,e2) y z -> interp_eq (e, Cst ec) y z
                 by interp_eq (s, Cst C.czero) y z so interp s y z = C.azero
                 so C.(+) (interp e y z) (interp (Cst c) y z) = C.azero
                 so interp e y z = C.(-_) (interp (Cst c) y z)
                    = interp (Cst ec) y z };
        e, ec
    end
  end


let rec lemma interp_ctx_impl (ctx: context) (g1 g2:equality)
  requires { forall y z. interp_eq g1 y z -> interp_eq g2 y z }
  ensures  { forall y z. interp_ctx ctx g1 y z -> interp_ctx ctx g2 y z }
  variant  { ctx }
= match ctx with Nil -> () | Cons _ t -> interp_ctx_impl t g1 g2 end

let rec lemma interp_ctx_valid (ctx:context) (g:equality)
  ensures { forall y z. interp_eq g y z -> interp_ctx ctx g y z }
  variant  { ctx }
= match ctx with Nil -> () | Cons _ t -> interp_ctx_valid t g end

use list.Append

let rec lemma interp_ctx_wr (ctx l:context) (g:equality)
  ensures { forall y z. interp_ctx ctx g y z -> interp_ctx (ctx ++ l) g y z }
  variant { ctx }
= match ctx with
  | Nil -> ()
  | Cons _ t -> interp_ctx_wr t l g  end

let rec lemma interp_ctx_wl (ctx l: context) (g:equality)
  ensures { forall y z. interp_ctx ctx g y z -> interp_ctx (l ++ ctx) g y z }
  variant { l }
= match l with Nil -> () | Cons _ t -> interp_ctx_wl ctx t g  end

let rec mul_expr (e:expr) (c:coeff) : expr
  ensures { forall y z. interp result y z
            = C.(*) (C.interp c z) (interp e y z) }
  ensures { valid_expr e -> valid_expr result }
  variant { e }
  raises  { C.Unknown -> true }
= if C.eq c C.czero then Cst C.czero
  else match e with
  | Cst c1 -> Cst (C.mul c c1)
  | Term c1 v -> Term (C.mul c c1) v
  | Add e1 e2 -> Add (mul_expr e1 c) (mul_expr e2 c)
  end

let rec add_expr (e1 e2: expr) : expr
  ensures { forall y z. interp result y z
                     = C.(+) (interp e1 y z) (interp e2 y z) }
  variant { e2 }
  raises  { C.Unknown -> true }
=
  let term_or_cst c i
    ensures { forall y z. interp result y z = interp (Term c i) y z }
  = if C.eq C.czero c then Cst C.czero else Term c i in
  let rec add_atom (e a:expr) : (expr, bool)
    requires { atom a }
    returns { r,_ -> forall y z. interp r y z
                     = C.(+) (interp e y z) (interp a y z) }
    variant { e }
    raises  { C.Unknown -> true }
  = match (e,a) with
    | Term ce ie, Term ca ia ->
      if ie = ia then (term_or_cst (C.add ce ca) ie, True)
      else if C.eq ce C.czero then (term_or_cst ca ia, True)
      else if C.eq ca C.czero then (e,True)
      else (Add e a, False)
    | Cst ce, Cst ca -> Cst (C.add ce ca), True
    | Cst ce, Term ca _ ->
      if C.eq ca C.czero then (e, True)
      else if C.eq ce C.czero then (a, True)
      else (Add e a, False)
    | Term ce _, Cst ca ->
      if C.eq ce C.czero then (a, True)
      else if C.eq ca C.czero then (e, True)
      else (Add e a, False)
    | Add e1 e2, _ ->
      let r, b = add_atom e1 a in
      if b
      then
        match r with
          | Cst c ->
            if C.eq c C.czero
            then begin
              assert { forall y z. C.(+) (interp e1 y z) (interp a y z) = C.azero };
              e2, True end
            else Add r e2, True
          | _ -> Add r e2, True
        end
      else
        let r,b = add_atom e2 a in
        match r with
          | Cst c ->
            if C.eq c C.czero
            then begin
              assert { forall y z. C.(+) (interp e2 y z) (interp a y z) = C.azero };
              e1, True end
            else Add e1 r, b
          | _ -> Add e1 r, b
        end
    | _, Add _ _ -> absurd
    end
  in
  match e2 with
    | Add e1' e2' -> add_expr (add_expr e1 e1') e2'
    | _ -> let r,_= add_atom e1 e2 in r
  end

let mul_eq (eq:equality) (c:coeff)
  ensures { forall y z. interp_eq eq y z -> interp_eq result y z }
  raises  { C.Unknown -> true }
= match eq with (e1,e2) -> (mul_expr e1 c, mul_expr e2 c) end

let add_eq (eq1 eq2:equality)
  ensures { forall y z. interp_eq eq1 y z -> interp_eq eq2 y z
            -> interp_eq result y z }
  ensures { forall y z ctx. interp_ctx ctx eq1 y z -> interp_ctx ctx eq2 y z
            -> interp_ctx ctx result y z }
  raises  { C.Unknown -> true }
= match eq1, eq2 with ((a1,b1), (a2,b2)) ->
  let a = add_expr a1 a2 in let b =  add_expr b1 b2 in
  let r = (a,b) in
  let rec lemma aux (l:context)
    ensures { forall y z. interp_ctx l eq1 y z -> interp_ctx l eq2 y z
              -> interp_ctx l r y z }
    variant { l }
  = match l with Nil -> () | Cons _ t -> aux t end in
  r
  end

let rec zero_expr (e:expr) : bool
  ensures { result -> forall y z. interp e y z = C.azero }
  variant { e }
  raises  { C.Unknown -> true }
=
  let rec all_zero (e:expr) : bool
    ensures { result -> forall y z. interp e y z = C.azero }
    variant { e }
    = match e with
    | Cst c -> C.eq c C.czero
    | Term c _ -> C.eq c C.czero
    | Add e1 e2 -> all_zero e1 && all_zero e2
    end
  in
  let e' = add_expr (Cst C.czero) e in (* simplifies expr *)
  all_zero e'

let sub_expr (e1 e2:expr)
  ensures { forall y z. C.(+) (interp result y z) (interp e2 y z)
                        = interp e1 y z }
  raises  { C.Unknown -> true }
= let r = add_expr e1 (mul_expr e2 (C.opp C.cone)) in
  assert { forall y z.
           let v1 = interp e1 y z in
           let v2 = interp e2 y z in
           let vr = interp r y z in
           C.(+) vr v2 = v1
           by C.(*) v2 (C.(-_) C.aone) = C.(-_) v2
           so C.(+) vr v2
           = C.(+) (C.(+) v1 (C.(*) v2 (C.(-_) C.aone))) v2
           = C.(+) (C.(+) v1 (C.(-_) v2)) v2 = v1 };
  r

let rec same_eq (eq1 eq2: equality) : bool
  ensures { result -> forall y z. interp_eq eq1 y z -> interp_eq eq2 y z }
  raises  { C.Unknown -> true }
= let (e1,c1) = norm_eq eq1 in
  let (e2,c2) = norm_eq eq2 in
  let e = sub_expr e1 e2 in
  if zero_expr e && C.eq c1 c2 then true
  else (print (add_expr (Cst C.czero) e); print c1; print c2; false)

use option.Option

let rec norm_context (l:context) : context
  ensures { forall g y z. interp_ctx result g y z -> interp_ctx l g y z }
  raises  { C.Unknown -> true }
  variant { l }
= match l with
  | Nil -> Nil
  | Cons h t ->
    let ex, c = norm_eq h in
    Cons (ex, Cst c) (norm_context t)
  end

let rec print_lc ctx v : unit variant { ctx }
= match ctx, v with
  | Nil, Nil -> ()
  | Cons l t, Cons v t2 ->
   (if C.eq C.czero v then ()
    else (print l; print v));
    print_lc t t2
  | _ -> ()
  end

let check_combination (ctx:context) (g:equality) (v:list coeff) : bool
  ensures  { result = true -> forall y z. interp_ctx ctx g y z}
  raises  { C.Unknown -> true }
=
  (*let ctx = norm_context ctx in
  let (g,c) = norm_eq g in*)
  (* normalize before for fewer Unknown exceptions in computations ? *)
  let rec aux (l:context) (ghost acc: context) (s:equality) (v:list coeff) : option equality
    requires { forall y z. interp_ctx acc s y z }
    requires { ctx = acc ++ l }
    returns  { Some r -> forall y z. interp_ctx ctx r y z | None -> true }
    raises  { C.Unknown -> true }
    variant { l }
  = match (l, v) with
    | Nil, Nil -> Some s
    | Cons eq te, Cons c tc ->
      let ghost nacc = acc ++ (Cons eq Nil) in
      if C.eq c C.czero then aux te nacc s tc
      else begin
        let ns = (add_eq s (mul_eq eq c)) in
        interp_ctx_wr ctx (Cons eq Nil) s;
        interp_ctx_wl ctx (Cons eq Nil) eq;
        assert { forall y z. interp_ctx nacc ns y z
                 by interp_ctx nacc s y z /\ interp_ctx nacc eq y z };
        aux te nacc ns tc end
    | _ -> None
    end
  in
  match aux ctx Nil (Cst C.czero, Cst C.czero) v with
  | Some sum -> if same_eq sum g then true else (print_lc ctx v; false)
  | None -> false
  end

let transpose (m:matrix coeff) : matrix coeff
  ensures { result.rows = m.columns /\ result.columns = m.rows }
=
  let r = Matrix63.make m.columns m.rows C.czero in
  for i = 0 to m.rows - 1 do
    for j = 0 to m.columns - 1 do
      set r j i (get m i j)
    done
  done;
  r

let swap_rows (m:matrix coeff) (i1 i2: int63) : unit
  requires { 0 <= i1 < m.rows /\ 0 <= i2 < m.rows }
= for j = 0 to m.columns - 1 do
    let c = get m i1 j in
    set m i1 j (get m i2 j);
    set m i2 j c
  done

let mul_row (m:matrix coeff) (i: int63) (c: coeff) : unit
  requires { 0 <= i < m.rows }
  requires { not (C.eq c C.czero) }
  raises  { C.Unknown -> true }
= if C.eq c C.cone then () else
  for j = 0 to m.columns - 1 do
    set m i j (C.mul c (get m i j))
  done

let addmul_row (m:matrix coeff) (src dst: int63) (c: coeff) : unit
  requires { 0 <= src < m.rows /\ 0 <= dst < m.rows }
  raises   { C.Unknown -> true }
= if C.eq c C.czero then () else
  for j = 0 to m.columns - 1 do
    set m dst j (C.add (get m dst j) (C.mul c (get m src j)))
  done

use ref.Ref

let gauss_jordan (a: matrix coeff) : option (array coeff)
  (*AX=B, a=(A|B), result=X*)
  returns { Some r -> Array63.length r = a.columns | None -> true }
  requires { 1 <= a.rows /\ 1 <= a.columns }
  raises { C.Unknown -> true }
=
  let n = a.rows in
  let m = a.columns in
  (* print n; print m; *)
  let rec find_nonz (i j:int63)
    requires { 0 <= i <= n }
    requires { 0 <= j < m }
    variant { n-i }
    ensures { i <= result <= n }
    ensures { result < n -> not (C.eq (a.elts result j) C.czero) }
    = if i >= n then n
    else
      if C.eq (get a i j) C.czero
      then find_nonz (i+1) j
      else i in
  let pivots = Array63.make n 0 in
  let r = ref (-1) in
  for j = 0 to m-2 do
    invariant { -1 <= !r < n }
    invariant { forall i. 0 <= i <= !r -> 0 <= pivots[i] }
    invariant { forall i1 i2: int. 0 <= i1 < i2 <= !r -> pivots[i1] < pivots[i2] }
    invariant { !r >= 0 -> pivots[!r] < j }
    label Start in
    let k = find_nonz (!r+1) j in
    if k < n
    then begin
      r := !r + 1;
      pivots[!r] <- j;
      mul_row a k (C.inv(get a k j));
      if k <> !r then swap_rows a k !r;
      for i = 0 to n-1 do
        if i <> !r
        then addmul_row a !r i (C.opp(get a i j))
      done;
    end;
    assert { forall i1 i2: int. 0 <= i1 < i2 <= !r -> pivots[i1] < pivots[i2]
             by pivots[i1] = pivots[i1] at Start
             so [@case_split]
                ((i2 < !r so pivots[i2] = pivots[i2] at Start)
                \/ (i2 = !r so pivots[i1] < j(* = pivots[i2])*))) };
  done;
  if !r < 0 then None (* matrix is all zeroes *)
  else begin
    let v = Array63.make m(*(m-1)*) C.czero in
    for i = 0 to !r do
      v[pivots[i]] <- get a i (m-1)
    done;
    Some v (*pivots[!r] < m-1*)  (*pivot on last column, no solution*)
  end

let rec function to_list (a: array 'a) (l u: int63) : list 'a
  requires { l >= 0 /\ u <= Array63.length a }
  variant  { u - l }
= if u <= l then Nil else Cons a[l] (to_list a (l+1) u)

exception Failure

let linear_decision (l: context) (g: equality) : bool
  requires { valid_ctx l }
  requires { valid_eq g }
  requires { length l < 100000 } (* integer overflows *)
  ensures { forall y z. result -> interp_ctx l g y z }
  raises  { C.Unknown -> true | Failure -> true }
=
  let nv = (max (max_var_e g) (max_var_ctx l)) in
  begin ensures { nv < 100000 }
    if nv >= 100000 then raise Failure
  end;
  let nv = Int63.of_int nv in
  let ll = Int63.of_int (length l) in
  let a = Matrix63.make ll (nv+1) C.czero in
  let b = Array63.make ll C.czero in            (* ax = b *)
  let v = Array63.make (nv+1) C.czero in          (* goal *)
  let rec fill_expr (ex: expr) (i:int63): unit
    variant { ex }
    raises  { C.Unknown -> true }
    requires { 0 <= i < length l }
    requires { expr_bound ex nv }
    raises  { Failure -> true }
  = match ex with
    | Cst c -> if C.eq c C.czero then () else raise Failure
    | Term c j ->
      let j = Int63.of_int j in
      set a i j (C.add (get a i j) c)
    | Add e1 e2 -> fill_expr e1 i; fill_expr e2 i
    end in
  let rec fill_ctx (ctx:context) (i:int63) : unit
    requires { ctx_bound ctx nv }
    variant { length l - i }
    requires { length l - i = length ctx }
    requires { 0 <= i <= length l }
    raises  { Failure -> true }
  = match ctx with
    | Nil -> ()
    | Cons e t ->
      assert { i < length l };
      try
        let ex, c = norm_eq e in
        if (not (C.eq c C.czero)) then b[i] <- C.add b[i] c;
        fill_expr ex i;
      with C.Unknown -> () (* some equalities are in the context but cannot be normalized, typically they are useless, ignore them *)
      end;
      fill_ctx t (i+1)
    end in
  let rec fill_goal (ex:expr) : unit
    requires { expr_bound ex nv }
    variant { ex }
    raises { C.Unknown -> true }
    raises  { Failure -> true }
  = match ex with
    | Cst c -> if C.eq c C.czero then () else raise Failure
    | Term c j ->
      let j = Int63.of_int j in
      v[j] <- C.add v[j] c
    | Add e1 e2 -> fill_goal e1; fill_goal e2
    end in
  fill_ctx l 0;
  let (ex, d) = norm_eq g in
  fill_goal ex;
  let ab = m_append a b in
  let cd = v_append v d in
  let ab' = transpose ab in
  match gauss_jordan (m_append ab' cd) with
    | Some r ->
      check_combination l g (to_list r 0 ll)
    | None -> false
  end

type expr' = | Sum expr' expr' | ProdL expr' cprod | ProdR cprod expr' | Diff expr' expr'
             | Var int | Coeff coeff

with cprod = | C coeff | Times cprod cprod

function interp_c (e:cprod) (y:vars) (z:C.cvars) : C.a
= match e with
  | C c -> C.interp c z
  | Times e1 e2 -> C.(*) (interp_c e1 y z) (interp_c e2 y z)
  end

function interp' (e:expr') (y:vars) (z:C.cvars) : C.a
= match e with
  | Sum e1 e2 -> C.(+) (interp' e1 y z) (interp' e2 y z)
  | ProdL e c -> C.(*) (interp' e y z) (interp_c c y z)
  | ProdR c e -> C.(*) (interp_c c y z) (interp' e y z)
  | Diff e1 e2 -> C.(-) (interp' e1 y z) (interp' e2 y z)
  | Var n -> y n
  | Coeff c -> C.interp c z
  end

(*exception NonLinear*)

type equality' = (expr', expr')
type context' = list equality'

function interp_eq' (g:equality') (y:vars) (z:C.cvars) : bool
= match g with (g1, g2) -> interp' g1 y z = interp' g2 y z end

function interp_ctx' (l: context') (g: equality') (y: vars) (z:C.cvars) : bool
= match l with
  | Nil -> interp_eq' g y z
  | Cons h t -> (interp_eq' h y z) -> (interp_ctx' t g y z)
  end

let rec predicate valid_expr' (e:expr')
  variant { e }
= match e with
  | Var i -> 0 <= i
  | Sum e1 e2 | Diff e1 e2 -> valid_expr' e1 && valid_expr' e2
  | Coeff _ -> true
  | ProdL e _ | ProdR _ e -> valid_expr' e
  end

let predicate valid_eq' (eq:equality')
= match eq with (e1,e2) -> valid_expr' e1 && valid_expr' e2 end

let rec predicate valid_ctx' (ctx:context')
= match ctx with Nil -> true | Cons eq t -> valid_eq' eq && valid_ctx' t end

let rec simp (e:expr') : expr
  ensures { forall y z. interp result y z = interp' e y z }
  ensures { valid_expr' e -> valid_expr result }
  raises  { C.Unknown -> true }
  variant { e }
=
  let rec simp_c (e:cprod) : coeff
    ensures { forall y z. C.interp result z = interp_c e y z }
    variant { e }
    raises  { C.Unknown -> true }
  =
    match e with
    | C c -> c
    | Times c1 c2 -> C.mul (simp_c c1) (simp_c c2)
    end
  in
  match e with
  | Sum e1 e2 -> Add (simp e1) (simp e2)
  | Diff e1 e2 -> Add (simp e1) (opp_expr (simp e2))
  | Var n -> Term C.cone n
  | Coeff c -> Cst c
  | ProdL e c | ProdR c e ->
    mul_expr (simp e) (simp_c c)
  end

let simp_eq (eq:equality') : equality
  ensures { forall y z. interp_eq result y z = interp_eq' eq y z }
  ensures { valid_eq' eq -> valid_eq result }
  raises  { (*NonLinear -> true | *)C.Unknown -> true }
= match eq with (g1, g2) -> (simp g1, simp g2) end

let rec simp_ctx (ctx: context') (g:equality') : (context, equality)
  returns { (rc, rg) ->
            (valid_ctx' ctx -> valid_eq' g -> valid_ctx rc /\ valid_eq rg) /\
            length rc = length ctx /\
            forall y z. interp_ctx rc rg y z = interp_ctx' ctx g y z }
  raises  { (*NonLinear -> true | *) C.Unknown -> true }
  variant { ctx }
= match ctx with
  | Nil -> Nil, simp_eq g
  | Cons eq t -> let rt, rg = simp_ctx t g in
                 Cons (simp_eq eq) rt, rg
  end

let decision (l:context') (g:equality')
  requires { valid_ctx' l }
  requires { valid_eq' g }
  requires { length l < 100000 }
  ensures { forall y z. result -> interp_ctx' l g y z }
  raises  { (* NonLinear -> true | *) C.Unknown -> true | Failure -> true }
= let sl, sg = simp_ctx l g in
  linear_decision sl sg

end

module RationalCoeffs

use int.Int
use real.RealInfix
use real.FromInt
use int.Abs

type t = (int, int)
type rvars = int -> real

exception QError

let constant rzero = (0,1)
let constant rone = (1,1)

function rinterp (t:t) (_v:rvars) : real
= match t with
  | (n,d) ->  from_int n /. from_int d
  end

let lemma prod_compat_eq (a b c:real)
  requires { c <> 0.0 }
  requires { a *. c = b *. c }
  ensures  { a = b }
= ()

let lemma cross_d (n1 d1 n2 d2:int)
  requires { d1 <> 0 /\ d2 <> 0 }
  requires { n1 * d2 = n2 * d1 }
  ensures { forall v. rinterp (n1,d1) v = rinterp (n2,d2) v }
= let d = from_int (d1 * d2) in
  assert { forall v. rinterp (n1, d1) v = rinterp (n2, d2) v
           by rinterp (n1, d1) v *. d = rinterp (n2,d2) v *. d }

let lemma cross_ind (n1 d1 n2 d2:int)
  requires { d1 <> 0 /\ d2 <> 0 }
  requires { forall v. rinterp (n1,d1) v = rinterp (n2,d2) v }
  ensures  { n1 * d2 = n2 * d1 }
= assert { from_int d1 <> 0.0 /\ from_int d2 <> 0.0 };
  assert { from_int n1 /. from_int d1 = from_int n2 /. from_int d2 };
  assert { from_int n1 *. from_int d2 = from_int n2 *. from_int d1
           by from_int n1 *. from_int d2
              = (from_int n1 /. from_int d1) *. from_int d1 *. from_int d2
              = (from_int n2 /. from_int d2) *. from_int d1 *. from_int d2
              = from_int n2 *. from_int d1 };
  assert { from_int (n1*d2) = from_int (n2 * d1) }


lemma cross: forall n1 d1 n2 d2: int. d1 <> 0 -> d2 <> 0 ->
             n1 * d2 = n2 * d1 <->
             forall v. rinterp (n1,d1) v = rinterp (n2,d2) v

use int.ComputerDivision
use ref.Ref
use number.Gcd

let gcd (x:int) (y:int)
  requires { x > 0 /\ y > 0 }
  ensures { result = gcd x y }
  ensures { result > 0 }
  =
  let ghost ox = x in
  let x = ref x in let y = ref y in
  label Pre in
  while (!y > 0) do
     invariant { !x >= 0 /\ !y >= 0 }
     invariant { gcd !x !y = gcd (!x at Pre) (!y at Pre) }
     variant { !y }
     invariant { ox > 0 -> !x > 0 }
     let r = mod !x !y in let ghost q = div !x !y in
     assert { r = !x - q * !y };
     x := !y; y := r;
  done;
  !x

let simp (t:t) : t
  ensures { forall v:rvars. rinterp result v = rinterp t v }
= match t with
  | (n,d) ->
    if d = 0 then t
    else if n = 0 then rzero
    else
    let g = gcd (abs n) (abs d) in
    let n', d' = (div n g, div d g) in
    assert { n = g * n' /\ d = g * d' };
    assert { n' * d = n * d' };
    (n', d')
  end

let radd (a b:t)
  ensures { forall y. rinterp result y = rinterp a y +. rinterp b y }
  raises  { QError -> true }
= [@vc:do_not_keep_trace] (* traceability info breaks the proof *)
  match (a,b) with
  | (n1,d1), (n2,d2) ->
  if d1 = 0 || d2 = 0 then raise QError
  else begin
    let r = (n1*d2 + n2*d1, d1*d2) in
    let ghost d = from_int d1 *. from_int d2 in
    assert { forall y.
             rinterp a y +. rinterp b y = rinterp r y
             by rinterp a y *. d = from_int n1 *. from_int d2
             so rinterp b y *. d = from_int n2 *. from_int d1
             so (rinterp a y +. rinterp b y) *. d
                = from_int (n1*d2 + n2*d1)
                = rinterp r y *. d };
    simp r end
 end

let rmul (a b:t)
  ensures { forall y. rinterp result y = rinterp a y *. rinterp b y }
  raises  { QError -> true }
= match (a,b) with
  | (n1,d1), (n2, d2) ->
    if d1 = 0 || d2 = 0 then raise QError
    else begin
      let r =  (n1*n2, d1*d2) in
      assert { forall y. rinterp r y = rinterp a y *. rinterp b y
               by rinterp r y = from_int (n1*n2) /. from_int(d1*d2)
                  = (from_int n1 *. from_int n2) /. (from_int d1 *. from_int d2)
                  = (from_int n1 /. from_int d1) *. (from_int n2 /. from_int d2)
                  = rinterp a y *. rinterp b y };
      r
    end
  end

let ropp (a:t)
  ensures { forall y. rinterp result y = -. rinterp a y }
= match a with
  | (n,d) -> (-n, d)
  end

let predicate req (a b:t)
  ensures { result -> forall y. rinterp a y = rinterp b y }
= match (a,b) with
  | (n1,d1), (n2,d2) -> n1 = n2 && d1 = d2 || (d1 <> 0 && d2 <> 0 && n1 * d2 = n2 * d1)
  end

let rinv (a:t)
  requires { not req a rzero }
  ensures { not req result rzero }
  ensures { forall y. rinterp result y *. rinterp a y = 1.0 }
  raises  { QError -> true }
= match a with
  | (n,d) -> if n = 0 || d = 0 then raise QError else (d,n)
  end

let is_zero (a:t)
  ensures { result <-> req a rzero }
= match a with
  | (n,d) -> n = 0 && d <> 0
  end

end

module LinearDecisionRational

use RationalCoeffs
use real.RealInfix
use real.FromInt

clone export LinearEquationsDecision with type  C.a = real, function C.(+) = (+.), function C.( * ) = ( *. ), function C.(-_) = (-._), function C.(-) = (-.), type coeff = t, type C.cvars=int -> real, function C.interp=rinterp, exception C.Unknown = QError, constant C.azero = Real.zero, constant C.aone = Real.one, predicate C.ale = (<=.), val C.czero=rzero, val C.cone=rone, lemma C.sub_def, lemma C.zero_def, lemma C.one_def, val C.add=radd, val C.mul=rmul, val C.opp=ropp, val C.eq=req, val C.inv=rinv, goal .

meta reflection val decision

end

module LinearDecisionInt

use int.Int

type t' =  IC int | Error

function interp_id (t:t') (_v:int -> int) : int
= match t with
  | IC i -> i
  | Error -> 0 (* never created *)
  end

let constant izero = IC 0

let constant ione = IC 1

let predicate ieq (_a _b:t') = false

exception NError

let iadd (a b:t') : t'
  ensures { forall z. interp_id result z = interp_id a z + interp_id b z }
  raises  { NError -> true }
= raise NError

let imul (a b:t') : t'
  ensures { forall z. interp_id result z = interp_id a z * interp_id b z }
  raises  { NError -> true }
= raise NError

let iopp (a:t') : t'
  ensures { forall z. interp_id result z = - interp_id a z }
  raises  { NError -> true }
= raise NError

let iinv (_t:t') : t'
  (*ensures { forall v: int -> int. id result v * id t v = one }*)
  ensures { not (ieq result izero) }
  raises { NError -> true }
= raise NError

clone export LinearEquationsDecision with type C.a = int, exception C.Unknown=NError, function C.(+)=(+), function C.(*) = (*), function C.(-_) = (-_), function C.(-) = (-), type coeff = t', type C.cvars = int->int,function C.interp = interp_id, constant C.azero = zero, constant C.aone = one, predicate C.ale= (<=), val C.czero = izero, val C.cone = ione, lemma C.sub_def, lemma C.zero_def, lemma C.one_def, val C.add = iadd, val C.mul = imul, val C.opp = iopp, val C.eq = ieq, val C.inv = iinv, goal .


use real.FromInt
use RationalCoeffs
use LinearDecisionRational as R
use list.List

let ghost function m_y (y:int -> int): (int -> real)
  ensures { forall i. result i = from_int (y i) }
= fun i -> from_int (y i)

let m (t:t') : (int, int)
  ensures { forall z. rinterp result (m_y z) = from_int (interp_id t z) }
  raises  { NError -> true }
= match t with
  | IC x -> (x,1)
  | _ -> raise NError
  end

let rec m_cprod (e:cprod) : R.cprod
  ensures { forall y z. R.interp_c result (m_y y) (m_y z)
            = from_int (interp_c e y z) }
  raises  { NError -> true }
  variant { e }
= match e with
  | C c -> R.C (m c)
  | Times c1 c2 -> R.Times (m_cprod c1) (m_cprod c2)
  end

let rec m_expr (e:expr') : R.expr'
  ensures { forall y z. R.interp' result (m_y y) (m_y z)
            = from_int (interp' e y z) }
  ensures { valid_expr' e -> R.valid_expr' result }
  raises  { NError -> true }
  variant { e }
= match e with
  | Var i -> R.Var i
  | Coeff c -> R.Coeff (m c)
  | Sum e1 e2 -> R.Sum (m_expr e1) (m_expr e2)
  | Diff e1 e2 -> R.Diff (m_expr e1) (m_expr e2)
  | ProdL e c -> R.ProdL (m_expr e) (m_cprod c)
  | ProdR c e -> R.ProdR (m_cprod c) (m_expr e)
  end

use list.Length
use debug.Debug

let m_eq (eq:equality') : R.equality'
  ensures { forall y z. R.interp_eq' result (m_y y) (m_y z)
                        <-> interp_eq' eq y z }
  ensures { valid_eq' eq -> R.valid_eq' result }
  raises  { NError -> true }
= match eq with (e1,e2) -> (m_expr e1, m_expr e2) end

let rec m_ctx (ctx:context') (g:equality') : (R.context', R.equality')
  returns { c',g' -> forall y z. R.interp_ctx' c' g' (m_y y) (m_y z) <->
                        interp_ctx' ctx g y z }
  returns { c', _ -> valid_ctx' ctx -> R.valid_ctx' c' }
  returns { c', _ -> length c' = length ctx }
  returns { _, g' -> valid_eq' g -> R.valid_eq' g' }
  raises  { NError -> true }
  variant { ctx }
= match ctx with
  | Nil -> Nil, m_eq g
  | Cons h t ->
    let c',g' = m_ctx t g in
    (Cons (m_eq h) c',g')
    end

let int_decision (l: context') (g: equality') : bool
  requires { valid_ctx' l }
  requires { valid_eq' g }
  requires { length l < 100000 }
  ensures { forall y z. result -> interp_ctx' l g y z }
  raises  { R.Failure -> true | QError -> true | NError -> true }
= let l',g' = m_ctx l g in
  R.decision l' g'

meta reflection val int_decision

end


module Test

use RationalCoeffs
use LinearDecisionRational
use int.Int
use real.RealInfix
use real.FromInt

meta "compute_max_steps" 0x10000
meta coercion function from_int

goal g: forall x y: real.
        (from_int 3 /. from_int 1) *. x +. (from_int 2/. from_int 1) *. y = (from_int 21/. from_int 1) ->
        (from_int 7 /. from_int 1) *. x +. (from_int 4/. from_int 1) *. y = (from_int 47/. from_int 1) ->
        x = (from_int 5 /. from_int 1)
end

module TestInt

use LinearDecisionInt
use int.Int

meta "compute_max_steps" 0x10000

goal g: forall x y:int.
     3 * x + 2 * y = 21 ->
     7 * x + 4 * y = 47 ->
     x = 5

end

module MP64Coeffs

use mach.int.UInt64 as M
use real.RealInfix
use real.FromInt
use real.PowerReal
use RationalCoeffs as Q
use int.Int

use debug.Debug

type evars = int -> int


type exp = Lit int | Var int | Plus exp exp | Minus exp | Sub exp exp
type t = (Q.t, exp)

let constant mzero = (Q.rzero, Lit 0)
let constant mone = (Q.rone, Lit 0)

constant rradix: real = from_int (M.radix)

function qinterp (q:Q.t) : real
= match q with (n,d) -> from_int n /. from_int d end

lemma qinterp_def: forall q v. qinterp q = Q.rinterp q v

function interp_exp (e:exp) (y:evars) : int
= match e with
  | Lit n -> n
  | Var v -> y v
  | Plus e1 e2 -> interp_exp e1 y + interp_exp e2 y
  | Sub e1 e2 -> interp_exp e1 y - interp_exp e2 y
  | Minus e' -> - (interp_exp e' y)
  end

function minterp (t:t) (y:evars) : real
= match t with
  (q,e) ->
  qinterp q *. pow rradix (from_int (interp_exp e y))
  end

let rec opp_exp (e:exp)
  ensures { forall y. interp_exp result y = - interp_exp e y }
  variant { e }
= match e with
  | Lit n -> Lit (-n)
  | Minus e' -> e'
  | Plus e1 e2 -> Plus (opp_exp e1) (opp_exp e2)
  | Sub e1 e2 -> Sub e2 e1
  | Var _ -> Minus e
  end

let rec add_sub_exp (e1 e2:exp) (s:bool) : exp
  ensures { forall y.
            if s
            then interp_exp result y = interp_exp e1 y + interp_exp e2 y
            else interp_exp result y = interp_exp e1 y - interp_exp e2 y }
  raises  { Q.QError -> true }
  variant { e2, e1 }
=
  let rec add_atom (e a:exp) (s:bool) : (exp, bool)
    returns { r, _ -> forall y.
              if s then interp_exp r y = interp_exp e y + interp_exp a y
                   else interp_exp r y = interp_exp e y - interp_exp a y }
    raises { Q.QError -> true }
    variant { e }
  = match (e,a) with
    | Lit n1, Lit n2 -> (if s then Lit (n1+n2) else Lit (n1-n2)), True
    | Lit n, Var i
      -> if n = 0 then (if s then Var i else Minus (Var i)), True
         else (if s then Plus e a else Sub e a), False
    | Var i, Lit n
      -> if n = 0 then Var i, true
      else (if s then Plus e a else Sub e a), False
    | Lit n, Minus e' ->
      if n = 0 then (if s then Minus e' else e'), True
      else (if s then Plus e a else Sub e a), False
    | Minus e', Lit n ->
      if n = 0 then Minus e', True
      else (if s then Plus e a else Sub e a), False
    | Var i, Minus (Var j) | Minus (Var j), Var i ->
      if s && (i = j) then (Lit 0, true)
      else (if s then Plus e a else Sub e a), False
    | Var i, Var j -> if s then Plus e a, False
                      else
                        if i = j then Lit 0, True
                        else Sub e a, False
    | Minus (Var i), Minus (Var j) ->
      if (not s) && (i=j) then Lit 0, true
      else (if s then Plus e a else Sub e a), False
    | Minus _, Minus _ -> (if s then Plus e a else Sub e a), False
    | Plus e1 e2, _ ->
      let r, b = add_atom e1 a s in
      if b then
        match r with
        | Lit n -> if n = 0 then e2, True else Plus r e2, True
        | _ -> Plus r e2, True
        end
      else let r, b = add_atom e2 a s in Plus e1 r, b
    | Sub e1 e2, _ ->
      let r, b = add_atom e1 a s in
      if b then
        match r with
        | Lit n -> if n = 0 then opp_exp e2, True else Sub r e2, True
        | _ -> Sub r e2, True
        end
      else let r, b = add_atom e2 a (not s) in
           if b then Sub e1 r, True
           else if s then Sub (Plus e1 a) e2, False
                else Sub e1 (Plus e2 a), False
    | _ -> raise Q.QError
    end
  in
  match e2 with
   | Plus e1' e2' ->
     let r = add_sub_exp e1 e1' s in
     match r with
     | Lit n -> if n = 0
                then (if s then e2' else opp_exp e2')
                else add_sub_exp r e2' s
     | _ -> add_sub_exp r e2' s
     end
   | Sub e1' e2' ->
     let r = add_sub_exp e1 e1' s in
     match r with
     | Lit n -> if n = 0
                then (if s then opp_exp e2' else e2')
                else add_sub_exp r e2' (not s)
     | _ -> add_sub_exp r e2' (not s)
     end
   | _ -> let r, _ = add_atom e1 e2 s in r
  end

let add_exp (e1 e2:exp) : exp
  ensures { forall y. interp_exp result y = interp_exp e1 y + interp_exp e2 y }
  raises  { Q.QError -> True }
= add_sub_exp e1 e2 True


let rec zero_exp (e:exp) : bool
  ensures { result -> forall y. interp_exp e y = 0 }
  variant { e }
  raises  { Q.QError -> true }
=
  let rec all_zero (e:exp) : bool
    ensures { result -> forall y. interp_exp e y = 0 }
    variant { e }
  = match e with
    | Lit n -> n = 0
    | Var _ -> false
    | Minus e -> all_zero e
    | Plus e1 e2 -> all_zero e1 && all_zero e2
    | Sub e1 e2 -> all_zero e1 && all_zero e2
    end
  in
  let e' = add_exp (Lit 0) e in (* simplifies exp *)
  all_zero e'

let rec same_exp (e1 e2: exp)
  ensures { result -> forall y. interp_exp e1 y = interp_exp e2 y }
  variant { e1, e2 }
  raises  { Q.QError -> true }
= match e1, e2 with
  | Lit n1, Lit n2 -> n1 = n2
  | Var v1, Var v2 -> v1 = v2
  | Minus e1', Minus e2' -> same_exp e1' e2'
  | _ -> zero_exp (add_exp e1 (opp_exp e2))
  end

let madd (a b:t)
  ensures { forall y. minterp result y = minterp a y +. minterp b y }
  raises  { Q.QError -> true }
= match a, b with
  | (q1, e1), (q2, e2) ->
    if Q.is_zero q1 then b
    else if Q.is_zero q2 then a
    else if same_exp e1 e2
    then begin
      let q = Q.radd q1 q2 in
      assert { forall y. minterp (q, e1) y = minterp a y +. minterp b y
               by let p = pow rradix (from_int (interp_exp e1 y)) in
                  minterp (q, e1) y = (qinterp q) *. p
                  = (qinterp q1 +. qinterp q2) *. p
                  = qinterp q1 *. p +. qinterp q2 *. p
                  = minterp a y +. minterp b y };
      (q,e1) end
    else raise Q.QError
  end

let mmul (a b:t)
  ensures { forall y. minterp result y = minterp a y *. minterp b y }
  raises  { Q.QError -> true }
= match a, b with
  | (q1,e1), (q2,e2) ->
    let q = Q.rmul q1 q2 in
    if Q.is_zero q then mzero
    else begin
      let e = add_exp e1 e2 in
      assert { forall y. minterp (q,e) y = minterp a y *. minterp b y
               by let p1 = pow rradix (from_int (interp_exp e1 y)) in
                  let p2 = pow rradix (from_int (interp_exp e2 y)) in
                  let p  = pow rradix (from_int (interp_exp e y)) in
                  interp_exp e y = interp_exp e1 y + interp_exp e2 y
                  so p = p1 *. p2
                  so minterp (q,e) y = qinterp q *. p
                     = (qinterp q1 *. qinterp q2) *. p
                     = (qinterp q1 *. qinterp q2) *. p1 *. p2
                     = minterp a y *. minterp b y };
      (q,e)
    end
  end

let mopp (a:t)
  ensures { forall y. minterp result y = -. minterp a y }
= match a with (q,e) -> (Q.ropp q, e) end

let rec predicate pure_same_exp (e1 e2: exp)
  ensures { result -> forall y. interp_exp e1 y = interp_exp e2 y }
  variant { e1, e2 }
= match e1, e2 with
  | Lit n1, Lit n2 -> n1 = n2
  | Var v1, Var v2 -> v1 = v2
  | Minus e1', Minus e2' -> pure_same_exp e1' e2'
  | Plus a1 a2, Plus b1 b2 ->
    (pure_same_exp a1 b1 && pure_same_exp a2 b2) ||
    (pure_same_exp a1 b2 && pure_same_exp a2 b1)
  | _ -> false
  end

let predicate meq (a b:t)
  ensures { result -> forall y. minterp a y = minterp b y }
= match (a,b) with
  | (q1,e1), (q2,e2) -> (Q.req q1 q2 && pure_same_exp e1 e2) || (Q.is_zero q1 && Q.is_zero q2)
  end

let minv (a:t)
  requires { not meq a mzero }
  ensures  { not meq result mzero }
(*  ensures  { forall y. minterp result y *. minterp a y = 1.0 } no need to prove this*)
  raises   { Q.QError -> true }
= match a with
  | (q,e) -> (Q.rinv q, opp_exp e)
  end

end

module LinearDecisionRationalMP

use MP64Coeffs
use real.RealInfix

type coeff = t

clone export LinearEquationsDecision with type C.a = real, function C.(+) = (+.), function C.(*) = ( *.), function C.(-_) = (-._), function C.(-) = (-.), type coeff = t, type C.cvars=evars, function C.interp=minterp, exception C.Unknown = Q.QError, constant C.azero = Real.zero, constant C.aone = Real.one, predicate C.ale = (<=.), val C.czero=mzero, val C.cone=mone, lemma C.sub_def, lemma C.zero_def, lemma C.one_def, val C.add=madd, val C.mul=mmul, val C.opp=mopp, val C.eq=meq, val C.inv=minv, goal .

end
module LinearDecisionIntMP

use int.Int
use int.Power
use MP64Coeffs

type t = | I int | E exp | R

let constant mpzero: t = I 0
let constant mpone: t = I 1

function mpinterp (t:t) (y:evars) : int
= match t with
  | I n -> n
  | E e -> power M.radix (interp_exp e y)
  | R -> M.radix
  end

(* TODO restructure stuff so that expr, eq, ctx, valid_ can be imported without having to implement these *)

let mpadd (a b:t) : t
  ensures { forall y. mpinterp result y = mpinterp a y + mpinterp b y }
  raises  { Q.QError -> true }
= raise Q.QError

let mpmul (a b:t) : t
  ensures { forall y. mpinterp result y = mpinterp a y * mpinterp b y }
  raises  { Q.QError -> true }
= raise Q.QError

let mpopp (a:t) : t
  ensures { forall y. mpinterp result y = - mpinterp a y }
  raises  { Q.QError -> true }
= raise Q.QError

let predicate mpeq (a b:t)
  ensures { result -> forall y. mpinterp a y = mpinterp b y }
= false (*match a, b with
  (n1, e1), (n2, e2) -> n1=n2 && (n1 = 0 || same_exp e1 e2)
  end*)

let mpinv (_a:t) : t
  ensures { not mpeq result mpzero }
  raises  { Q.QError -> true }
= raise Q.QError


clone export LinearEquationsDecision with type C.a = int, exception C.Unknown=Q.QError, function C.(+) = (+), function C.(*) = (*), function C.(-_) = (-_), function C.(-) = (-), type coeff = t, type C.cvars = int->int, function C.interp = mpinterp, constant C.azero = zero, constant C.aone = one, val C.czero = mpzero, val C.cone = mpone, predicate C.ale = (<=), lemma C.sub_def, lemma C.zero_def, lemma C.one_def, val C.add = mpadd, val C.mul = mpmul, val C.opp = mpopp, val C.eq = mpeq, val C.inv = mpinv, goal .

use LinearDecisionRationalMP as R
use real.FromInt
use real.PowerReal
use real.RealInfix
use int.Int

use list.List

predicate pos_exp (t:t) (y:evars)
= match t with
  | E e -> 0 <= interp_exp e y
  | I _ | R -> true
  end

predicate pos_cprod (e:cprod) (y:evars)
= match e with
  | C c -> pos_exp c y
  | Times c1 c2 -> pos_cprod c1 y && pos_cprod c2 y
  end

predicate pos_expr' (e:expr') (y:evars)
= match e with
  | Coeff c -> pos_exp c y
  | Var _ -> true
  | Sum e1 e2 | Diff e1 e2
    -> pos_expr' e1 y /\ pos_expr' e2 y
  | ProdL e c | ProdR c e -> pos_expr' e y && pos_cprod c y
  end

predicate pos_eq' (eq:equality') (y:evars)
= match eq with (e1, e2) -> pos_expr' e1 y /\ pos_expr' e2 y end

predicate pos_ctx' (l:context') (y:evars)
= match l with Nil -> true | Cons h t -> pos_eq' h y /\ pos_ctx' t y end

let rec function m (t:t) : R.coeff
  ensures { forall y. pos_exp t y -> minterp result y
            = from_int (mpinterp t y) }
= match t with
  | I n -> ((n,1), Lit 0)
  | E e -> ((1,1), e)
  | R -> ((1,1), Lit 1) (* or ((radix, 1), Lit 0) ? *)
  end

let ghost function m_y (y:int->int): (int -> real)
  ensures { forall i. result i = from_int (y i) }
= fun i -> from_int (y i)

let rec function m_cprod (e:cprod) : R.cprod
  ensures { forall y z. pos_cprod e z -> R.interp_c result (m_y y) z
            = from_int (interp_c e y z) }
= match e with
  | C c -> R.C (m c)
  | Times c1 c2 -> R.Times (m_cprod c1) (m_cprod c2)
  end

let rec function m_expr (e:expr') : R.expr'
  ensures { forall y z. pos_expr' e z -> R.interp' result (m_y y) z
            = from_int (interp' e y z) }
  ensures { valid_expr' e -> R.valid_expr' result}
= match e with
  | Var i -> R.Var i
  | Coeff c -> R.Coeff (m c)
  | Sum e1 e2 -> R.Sum (m_expr e1) (m_expr e2)
  | Diff e1 e2 -> R.Diff (m_expr e1) (m_expr e2)
  | ProdL e c -> R.ProdL (m_expr e) (m_cprod c)
  | ProdR c e -> R.ProdR (m_cprod c) (m_expr e)
  end

let function m_eq (eq:equality') : R.equality'
  ensures { forall y z. pos_eq' eq z -> (R.interp_eq' result (m_y y) z
                                      <-> interp_eq' eq y z) }
  ensures { valid_eq' eq -> R.valid_eq' result }
= match eq with (e1,e2) -> (m_expr e1, m_expr e2) end

use list.Length

let rec function m_ctx (ctx:context') : R.context'
  ensures { forall y z g. pos_ctx' ctx z -> pos_eq' g z ->
                   (R.interp_ctx' result (m_eq g) (m_y y) z
                    <-> interp_ctx' ctx g y z) }
  ensures { length result = length ctx }
  ensures { valid_ctx' ctx -> R.valid_ctx' result }
  variant { ctx }
= match ctx with
  | Nil -> Nil
  | Cons h t ->
    let r = Cons (m_eq h) (m_ctx t) in
    r
    end

let mp_decision (l: context') (g: equality') : bool
  requires { valid_ctx' l }
  requires { valid_eq' g }
  requires { length l < 100000 }
  ensures  { forall y z. result -> pos_ctx' l z -> pos_eq' g z
             -> interp_ctx' l g y z }
  raises  { R.Failure -> true | Q.QError -> true }
=
  R.decision (m_ctx l) (m_eq g)

meta reflection val mp_decision

end

module EqPropMP

use int.Int
use LinearDecisionIntMP
use array.Array
use int.MinMax
use option.Option
use list.List
use list.Append


use MP64Coeffs as E

let rec predicate expr_bound' (e:expr') (b:int)
  variant { e }
= match e with
  | Sum e1 e2 | Diff e1 e2 -> expr_bound' e1 b && expr_bound' e2 b
  | ProdL e _ | ProdR _ e -> expr_bound' e b
  | Var n -> 0 <= n <= b
  | Coeff _ -> true
  end

let predicate eq_bound' (eq:equality') (b:int)
= match eq with (e1,e2) -> expr_bound' e1 b && expr_bound' e2 b end

let rec predicate ctx_bound' (ctx:context') (b:int)
= match ctx with Nil -> true | Cons eq t -> eq_bound' eq b && ctx_bound' t b end

let rec lemma expr_bound_w' (e:expr') (b1 b2:int)
  requires { b1 <= b2 }
  requires { expr_bound' e b1 }
  ensures  { expr_bound' e b2 }
  variant  { e }
= match e with
  | Sum e1 e2 | Diff e1 e2 ->
    expr_bound_w' e1 b1 b2; expr_bound_w' e2 b1 b2
  | ProdL e _ | ProdR _ e -> expr_bound_w' e b1 b2
  | _ -> ()
  end

lemma eq_bound_w': forall e:equality', b1 b2:int. eq_bound' e b1 -> b1 <= b2 -> eq_bound' e b2

let rec lemma ctx_bound_w' (l:context') (b1 b2:int)
  requires { ctx_bound' l b1 }
  requires { b1 <= b2 }
  ensures  { ctx_bound' l b2 }
  variant  { l }
= match l with Nil -> () | Cons _ t -> ctx_bound_w' t b1 b2 end

let rec function max_var' (e:expr') : int
  variant { e }
  requires { valid_expr' e }
  ensures { 0 <= result }
  ensures { expr_bound' e result }
= match e with
  | Var i -> i
  | Coeff _ -> 0
  | Sum e1 e2 | Diff e1 e2 -> max (max_var' e1) (max_var' e2)
  | ProdL e _ | ProdR _ e -> max_var' e
  end

let function max_var_e' (e:equality') : int
  requires { valid_eq' e }
  ensures { 0 <= result }
  ensures { eq_bound' e result }
= match e with (e1,e2) -> max (max_var' e1) (max_var' e2) end

let rec function max_var_ctx' (l:context') : int
  variant { l }
  requires { valid_ctx' l }
  ensures { 0 <= result }
  ensures { ctx_bound' l result }
= match l with
  | Nil -> 0
  | Cons e t -> max (max_var_e' e) (max_var_ctx' t)
  end

let rec lemma interp_ctx_valid' (ctx:context') (g:equality')
  ensures { forall y z. interp_eq' g y z -> interp_ctx' ctx g y z }
  variant  { ctx }
= match ctx with Nil -> () | Cons _ t -> interp_ctx_valid' t g end

let rec lemma interp_ctx_wr' (ctx l:context') (g:equality')
  ensures { forall y z. interp_ctx' ctx g y z -> interp_ctx' (ctx ++ l) g y z }
  variant { ctx }
= match ctx with
  | Nil -> ()
  | Cons _ t -> interp_ctx_wr' t l g  end

let rec lemma interp_ctx_wl' (ctx l: context') (g:equality')
  ensures { forall y z. interp_ctx' ctx g y z -> interp_ctx' (l ++ ctx) g y z }
  variant { l }
= match l with Nil -> () | Cons _ t -> interp_ctx_wl' ctx t g  end


let lemma interp_ctx_cons' (e:equality') (l:context') (g:equality')
  requires { forall y z. (interp_eq' e y z -> interp_ctx' l g y z) }
  ensures { forall y z. interp_ctx' (Cons e l) g y z }
= ()

predicate ctx_impl_ctx' (c1 c2: context')
= match c2 with
  | Nil -> true
  | Cons eq t -> ctx_impl_ctx' c1 t /\ forall y z. y=z -> interp_ctx' c1 eq y z
  end

predicate ctx_holds' (c: context') (y z:vars)
= match c with
  | Nil -> true
  | Cons h t -> interp_eq' h y z /\ ctx_holds' t y z
  end

let rec lemma holds_interp_ctx' (l:context') (g:equality') (y z:vars)
  requires { ctx_holds' l y z -> interp_eq' g y z }
  ensures { interp_ctx' l g y z }
  variant { l }
= match l with
  | Nil -> ()
  | Cons h t ->
    if interp_eq' h y z then holds_interp_ctx' t g y z
  end

let rec lemma interp_holds' (l:context') (g:equality') (y z:vars)
  requires { interp_ctx' l g y z }
  requires { ctx_holds' l y z }
  ensures  { interp_eq' g y z }
  variant  { l }
= match l with
  | Nil -> ()
  | Cons _ t -> interp_holds' t g y z
  end

let rec lemma impl_holds' (c1 c2: context') (y z: vars)
  requires { ctx_impl_ctx' c1 c2 }
  requires { y=z }
  requires { ctx_holds' c1 y z }
  ensures  { ctx_holds' c2 y z }
  variant  { c2 }
= match c2 with
  | Nil -> ()
  | Cons h t -> interp_holds' c1 h y z; impl_holds' c1 t y z
  end

let rec lemma ctx_impl' (c1 c2: context') (g:equality') (y z: vars)
  requires { ctx_impl_ctx' c1 c2 }
  requires { y=z }
  requires { interp_ctx' c2 g y z }
  ensures  { interp_ctx' c1 g y z }
  variant  { c2 }
= if ctx_holds' c1 y z
  then begin
       impl_holds' c1 c2 y z;
       interp_holds' c2 g y z;
       holds_interp_ctx' c1 g y z
       end

let rec lemma interp_ctx_impl' (ctx: context') (g1 g2:equality')
  requires { forall y z. interp_eq' g1 y z -> interp_eq' g2 y z }
  ensures  { forall y z. interp_ctx' ctx g1 y z -> interp_ctx' ctx g2 y z }
  variant  { ctx }
= match ctx with Nil -> () | Cons _ t -> interp_ctx_impl' t g1 g2 end

let lemma impl_cons (c1 c2:context') (e:equality')
  requires { ctx_impl_ctx' c1 c2 }
  requires { forall y z. interp_ctx' c1 e y z }
  ensures  { ctx_impl_ctx' c1 (Cons e c2) }
= ()

let rec lemma impl_wl' (c1 c2:context') (e:equality')
  requires { ctx_impl_ctx' c1 c2 }
  ensures  { ctx_impl_ctx' (Cons e c1) c2 }
  variant  { c2 }
= match c2 with
  | Nil -> ()
  | Cons h t -> interp_ctx_wl' c1 (Cons e Nil) h; impl_wl' c1 t e
  end

let rec lemma impl_self (c:context')
  ensures { ctx_impl_ctx' c c }
  variant { c }
= match c with
  | Nil -> ()
  | Cons h t -> (impl_self t; impl_wl' c t h)
  end

predicate is_eq_tbl (a:array (option E.exp)) (l:context')
= forall i. 0 <= i < length a ->
  match a[i] with
  | None -> true
  | Some e -> forall y z. y=z -> ctx_holds' l y z
              -> E.interp_exp (E.Var i) z = E.interp_exp e z
  end
use int.NumOf
use array.NumOfEq
use list.Length

let prop_ctx (l:context') (g:equality') : (context', equality')
  requires { valid_ctx' l }
  requires { valid_eq' g }
  returns  { rl, _ -> length rl = length l }
  returns { rl, rg -> valid_ctx' rl /\ valid_eq' rg
                   /\ forall y z. y=z -> interp_ctx' rl rg y z
                   -> interp_ctx' l g y z }
  returns { rl, rg -> forall y z. y=z -> ctx_holds' l y z
                      -> pos_ctx' l z -> pos_eq' g z
                      -> (pos_ctx' rl z /\ pos_eq' rg z) }
  raises { OutOfBounds -> true }
=
  let m = max (max_var_ctx' l) (max_var_e' g) in
  let a : array (option E.exp) = Array.make (m+1) None in
  let rec exp_of_expr' (e:expr') : option E.exp
    returns { | None -> true
              | Some ex -> forall y z. y=z -> interp' e y z = E.interp_exp ex z }
    variant { e }
  = match e with
    | Var i -> Some (E.Var i)
    | Sum e1 e2 ->
      let r1,r2 = (exp_of_expr' e1, exp_of_expr' e2) in
      match r1,r2 with
      | Some ex1, Some ex2 -> Some (E.Plus ex1 ex2)
      | _ -> None
      end
    | Diff e1 e2 ->
      let r1,r2 = (exp_of_expr' e1, exp_of_expr' e2) in
      match r1,r2 with
      | Some ex1, Some ex2 -> Some (E.Sub ex1 ex2)
      | _ -> None
      end
    | Coeff (I n) -> Some (E.Lit n)
    | _ -> None
    end
  in
  let fill_tbl_eq (eq:equality') : unit
    requires { eq_bound' eq m }
    ensures { forall l. is_eq_tbl (old a) l ->
              is_eq_tbl a (Cons eq l) }
  = match eq with
    | Var i, e | e, Var i ->
      let r = exp_of_expr' e in
      match r with
        | None -> ()
        | Some ex ->
          assert { forall l y z. y=z -> ctx_holds' (Cons eq l) y z ->
                   E.interp_exp ex z = interp' e y z
                   = interp' (Var i) y z = y i };
          a[i] <- Some ex
      end
    | _ -> ()
    end
  in
  let rec fill_tbl_ctx (l:context') : unit
    requires { is_eq_tbl a Nil }
    ensures { is_eq_tbl a l }
    requires { ctx_bound' l m }
    variant { l }
  = match l with
    | Nil -> ()
    | Cons eq l -> fill_tbl_ctx l; fill_tbl_eq eq
    end
  in
  fill_tbl_ctx l;
  (* a contains equalities, let us propagate them so that
     only a single pass on the context is needed *)
  let seen = Array.make (m+1) false in
  let rec propagate_in_tbl (i:int) : unit
    requires { is_eq_tbl a l }
    ensures { is_eq_tbl a l }
    raises { OutOfBounds -> true }
    variant { numof seen false 0 (m+1) }
    requires { seen[i] = false }
    ensures { seen[i] = true }
    ensures { forall j. old seen[j] -> seen[j] }
  =
    label Start in
    let rec prop (e:E.exp) : E.exp
      requires { is_eq_tbl a l }
      ensures { is_eq_tbl a l }
      ensures { forall y z. y=z -> ctx_holds' l y z ->
                E.interp_exp e z = E.interp_exp result z }
      ensures { forall j. old seen[j] -> seen[j] }
      raises { OutOfBounds -> true }
      requires { numof seen false 0 (m+1) < numof (seen at Start) false 0 (m+1) }
      variant { e }
      = match e with
        | E.Lit _ -> e
        | E.Var j ->
          if (not (defensive_get seen j)) then propagate_in_tbl j;
          match (defensive_get a j) with
          | None -> e
          | Some e' -> e'
          end
        | E.Plus e1 e2 -> E.Plus (prop e1) (prop e2)
        | E.Sub e1 e2 -> E.Sub (prop e1) (prop e2)
        | E.Minus e -> E.Minus (prop e)
        end
    in
    defensive_set seen i true;
    assert { numof seen false 0 (m+1) < numof (old seen) false 0 (m+1)
             by ((old seen)[i] = False /\ seen[i] = True /\
                 forall j. 0 <= j < m+1 -> (old seen)[j] -> seen[j])
             so 
                numof seen false 0 (i+1) = numof seen false 0 i
                 <= numof (old seen) false 0 i = numof (old seen) false 0 (i+1) - 1
             so numof seen false 0 (m+1) = numof seen false 0 (i+1) + numof seen false (i+1) (m+1) <
                numof (old seen) false 0 (i+1) + numof (old seen)  false (i+1) (m+1) = numof (old seen) false 0 (m+1)
             }; 
    match a[i] with
    | None -> ()
    | Some e -> a[i] <- Some (prop e)
    end;
  in
  for i = 0 to m do
    invariant { is_eq_tbl a l }
    if not seen[i] then propagate_in_tbl i;
  done;
  let rec propagate_exp (e:E.exp)
    ensures { forall y z. y=z -> ctx_holds' l y z ->
              E.interp_exp e z = E.interp_exp result z }
    variant { e }
    raises { OutOfBounds -> true }
  = match e with
    | E.Lit _ -> e
    | E.Var i -> match (defensive_get a i) with Some e' -> e' | None -> e end
    | E.Plus e1 e2 -> E.Plus (propagate_exp e1) (propagate_exp e2)
    | E.Sub e1 e2 -> E.Sub (propagate_exp e1) (propagate_exp e2)
    | E.Minus e -> E.Minus (propagate_exp e)
    end
  in
  let propagate_coeff (c:t)
    ensures { forall y z. y=z -> ctx_holds' l y z ->
              interp_eq' (Coeff c, Coeff result) y z }
    ensures { forall y z. y = z -> ctx_holds' l y z ->
              pos_exp c z -> pos_exp result z }
    raises { OutOfBounds -> true }
  = match c with
    | I _ -> c
    | E e -> E (propagate_exp e)
    | R -> R
    end
  in
  let rec propagate_c (c:cprod)
    ensures { forall y z. y=z -> ctx_holds' l y z ->
              interp_c c y z = interp_c result y z }
    variant { c }
    raises { OutOfBounds -> true }
    ensures { forall y z. y = z -> ctx_holds' l y z ->
              pos_cprod c z -> pos_cprod result z }
  = match c with
    | C c -> C (propagate_coeff c)
    | Times c1 c2 -> Times (propagate_c c1) (propagate_c c2)
    end
  in
  let rec propagate_e (e:expr')
    requires { expr_bound' e m }
    ensures { expr_bound' result m }
    ensures { forall y z. y=z -> ctx_holds' l y z -> interp_eq' (e,result) y z }
    variant { e }
    raises { OutOfBounds -> true }
    requires { valid_expr' e }
    ensures { valid_expr' result }
    ensures { forall y z. y = z -> ctx_holds' l y z
              -> pos_expr' e z -> pos_expr' result z }
  = match e with
    | Var _ -> e
    | ProdL e c -> ProdL (propagate_e e) (propagate_c c)
    | ProdR c e -> ProdR (propagate_c c) (propagate_e e)
    | Sum e1 e2 -> Sum (propagate_e e1) (propagate_e e2)
    | Diff e1 e2 -> Diff (propagate_e e1) (propagate_e e2)
    | Coeff c -> Coeff (propagate_coeff c)
    end
  in
  let rec propagate_eq (eq:equality')
    requires { eq_bound' eq m }
    ensures { eq_bound' result m }
    ensures { forall y z. y=z -> interp_ctx' l eq y z <-> interp_ctx' l result y z }
    raises { OutOfBounds -> true }
    requires { valid_eq' eq }
    ensures { valid_eq' result }
    ensures { forall y z. y = z -> ctx_holds' l y z
              -> pos_eq' eq z -> pos_eq' result z }
  = match eq with (a,b) -> (propagate_e a, propagate_e b) end
  in
  let rec propagate (acc:context') : context'
    requires { ctx_bound' acc m }
    ensures { ctx_bound' result m }
    requires { ctx_impl_ctx' l acc }
    ensures { ctx_impl_ctx' l result }
    ensures { length result = length acc }
    variant { acc }
    requires { valid_ctx' acc }
    ensures  { valid_ctx' result }
    ensures { forall y z. y = z -> ctx_holds' l y z
              -> pos_ctx' acc z -> pos_ctx' result z }
    raises { OutOfBounds -> true }
  = match acc with
     | Nil -> Nil
     | Cons h t ->
       let h' = propagate_eq h in
       let t' = propagate t in
       Cons h' t'
    end
  in
  propagate l, propagate_eq g

  use LinearDecisionRationalMP as R

  let prop_mp_decision (l:context') (g:equality') : bool
    requires { valid_ctx' l }
    requires { valid_eq' g }
    requires { length l < 100000 }
    ensures { forall y z. result ->  pos_ctx' l z -> pos_eq' g z
                          -> y = z -> interp_ctx' l g y z }
    raises { | OutOfBounds -> true | E.Q.QError -> true | R.Failure -> true}
  = let l', g' = prop_ctx l g in
    mp_decision l' g'

  meta reflection val prop_mp_decision

end

module TestMP

use EqPropMP
use mach.int.UInt64
use int.Int
use int.Power

meta "compute_max_steps" 0x10000

goal g: forall i x c r: int.
  0 <= i ->
  x + (2 * (power radix i) * c) = r ->
  radix * x + (2 * (power radix (i+1)) * c) = radix * r

goal g': forall a b i j: int.
  0 <= i -> 0 <= j ->
  (power radix i) * a = b ->
  i+1 = j ->
  (power radix j) * a = radix*b

goal g'': forall r r' i c x x' y l: int.
  0 <= i ->
  c = 0 ->
  r + power radix i * c = x + y ->
  r' = r + power radix i * l ->
  x' = x + power radix i * l ->
  r' + power radix (i+1) * c = x' + y

(*tries to add power radix i and power radix (i+1), fails
  -> cst propagation ? *)

end
(*
module Test2

use int.Int
use LinearDecisionInt

meta "compute_max_steps" 0x10000

goal g: forall x y z: int.
  x + y = 0 ->
  y - z = 0 ->
  x = 0

end
*)
module Fmla

use map.Map
use int.Int

type value
constant dummy : value
predicate foo value
function add value value : value

type term = Val int | Add term term
type fmla = Forall fmla | Foo term

function interp_term (t:term) (b:int->value) : value =
  match t with
  | Val n -> b n
  | Add t1 t2 -> add (interp_term t1 b) (interp_term t2 b)
  end

function interp_fmla (f:fmla) (l:int) (b:int->value) : bool =
  match f with
  | Foo t -> foo (interp_term t b)
  | Forall f -> forall v. interp_fmla f (l-1) b[l <- v]
  end

function interp (f:fmla) (b: int -> value) : bool =
  interp_fmla f (-1) b

let f (f:fmla) : bool
  ensures { result -> forall b. interp f b }
= false

meta reflection val f

end
(*
module TestFmla

use Fmla

meta "compute_max_steps" 0x10000

goal g:
     forall a: value.
     ((forall x. forall y. foo (add x (add (add a dummy) y))) = True)

end
*)why3-1.6.0/examples/multiprecision/lineardecision/000077500000000000000000000000001440160026300222605ustar00rootroot00000000000000why3-1.6.0/examples/multiprecision/lineardecision/why3session.xml000066400000000000000000006421371440160026300253150ustar00rootroot00000000000000


















 
 
 


 
 
 
 
 
 
 
 
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
 
 
 
 
 
 
 
  
  
  
  
  
  
  
  
  
  
  
  
 
 
 
 
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
 
 
 
 
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
 
 
 
 
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
 
 
 
 
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
 
 
 
 
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
 
 
 
 
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
 
 
 
 
 
 
 
 
 
 
 
 
 
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
 
 
 
 
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
 
 
 
 
  
  
  
  
  
  
  
  
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
  
  
  
  
   
   
   
   
   
   
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
 
 
 
 
  
  
  
  
  
  
  
  
  
 
 
 
 
  
  
  
  
  
  
 
 
 
 
 
 
 
 
 
 
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
 
 
 
 
  
  
  
  
  
  
  
  
  
  
  
   
   
    
    
    
   
   
   
   
   
  
  
  
  
   
   
   
   
   
   
  
  
  
  
  
  
  
  
  
  
  
  
  
   
   
    
    
    
    
    
    
   
   
   
   
   
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
   
   
    
    
     
     
     
     
     
     
    
    
   
   
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
 
 
 
 
 
 
 
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
 
 
 
 
  
  
  
  
  
  
  
  
   
   
   
   
   
   
   
   
   
  
  
  
  
   
   
   
  
  
  
  
  
 
 
 
 
  
  
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
  
  
  
  
  
  
  
  
  
  
  
  
  
  
 
 
 
 
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
 
 
 
 
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
 
 
 
 
 
 
 
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
   
   
   
   
   
   
   
   
   
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
   
   
    
    
    
    
    
    
    
    
    
    
    
     
     
      
      
      
     
     
    
    
    
    
    
   
   
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
   
   
   
   
   
   
   
   
   
  
  
  
  
  
  
  
  
  
  
   
   
   
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
 
 
 
 
 
 
 
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
 
 
 
 
 
 
 
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
 
 
 
 
 
 
 
 
 
 
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
 
 


 
 
 
 
 
  
  
   
   
   
   
   
    
    
     
     
     
     
     
     
    
    
   
   
  
  
  
  
  
 
 
 
 
  
  
  
  
  
  
  
  
   
   
   
   
   
   
   
   
   
   
   
   
  
  
  
  
  
  
  
  
 
 
 
 
 
 
 
 
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
 
 
 
 
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
   
   
   
   
   
   
   
   
   
  
  
 
 
 
 
  
  
  
  
  
   
   
   
   
   
    
    
     
     
      
      
       
       
       
       
       
       
      
      
     
     
    
    
   
   
   
   
   
   
   
   
   
   
   
  
  
  
  
  
 
 
 
 
  
  
  
  
  
  
  
  
  
  
 
 
 
 
  
  
  
 
 
 
 
  
  
  
 
 
 
 
  
  
  
  
  
  
  
  
  
   
   
   
  
  
 
 
 
 
  
  
  
 
 


 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
  
  
   
   
   
   
   
   
  
  
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 


 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
 
 


 
 
  
  
   
   
   
  
  
 
 


 
 
  
  
   
   
   
  
  
 
 


 
 
 
 
 
 
 
 
 
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
 
 
 
 
 
  
  
  
  
  
  
 
 
 
 
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
 
 
 
 
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
 
 
 
 
  
  
  
  
  
  
  
  
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
 
 
 
 
  
  
  
  
  
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
  
  
  
  
   
   
   
  
  
  
  
  
  
  
  
 
 
 
 
  
  
  
 
 
 
 
 
 
 
 
 
 
  
  
  
  
  
  
  
  
  
 
 


 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 


 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
  
  
   
   
    
    
    
   
   
   
   
   
   
   
   
  
  
 
 
 
 
 
 
 
  
  
  
 
 
 
 
 
 
 
 
 
 
 
 
 
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
 
 


 
 
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
 
 
 
 
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
 
 
 
 
 
 
 
  
  
  
  
  
  
  
  
  
  
  
  
 
 
 
 
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
 
 
 
 
  
  
  
  
  
  
  
  
  
  
  
  
 
 
 
 
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
 
 
 
 
  
  
  
  
  
  
 
 
 
 
  
  
  
  
  
  
 
 
 
 
  
  
  
  
  
   
   
    
    
    
   
   
  
  
 
 
 
 
  
  
  
 
 
 
 
  
  
  
  
  
  
  
  
  
 
 
 
 
  
  
  
  
  
  
  
  
  
  
  
  
 
 
 
 
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
 
 
 
 
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
 
 
 
 
  
  
  
  
  
  
  
  
  
 
 
 
 
  
  
  
 
 
 
 
  
  
  
  
  
  
  
  
  
 
 
 
 
  
  
  
  
  
  
  
  
  
 
 
 
 
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
   
   
   
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
   
   
    
    
     
     
     
    
    
   
   
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
   
   
    
    
     
     
      
      
      
     
     
    
    
   
   
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
 
 
 
 
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
 
 


 
 
  
  
   
   
   
   
   
   
   
   
   
  
  
 
 
 
 
  
  
   
   
   
   
   
   
   
   
   
   
   
   
  
  
   
   
    
    
    
    
    
    
    
    
    
   
   
  
  
 
 
 
 
  
  
   
   
   
   
   
    
    
     
     
     
     
     
     
    
    
    
    
    
   
   
  
  
 
 


 
 
 



why3-1.6.0/examples/multiprecision/lineardecision/why3shapes.gz000066400000000000000000002356611440160026300247350ustar00rootroot00000000000000ksT9(ݿ9$fbWpG‰'+QmLgv1_e֪*lfMPKoKT*r_}q}sy>Y\?_?_U+c-)}?W+2]J_UCiDkZҭzwjX)۝_!(Rm>vm~RJ5T_(ŷүl;]狕'ol
SO6NFJקğ6J._'~QrکVFMeuؤUx2zej"=/VYZkϛ/s1qXX򰪫~-O.>})(]jUt}'[z9\/o.zy/?}[m֯n6^}om?l~x~VU=`Cgr!j֫ÚHjҧ#I(CZ`_3ꋢ]tm#%CqP3qqhFHzg~~돿Hft1
+j0KNAk`-wmQܵ{hj#9=tj68z\}rᗏWW_Fb.~kz,TSڂs5jj] ڨr9*DB.C7ӱO!tݘXkX3lւCXvFN!6$:T噻2#RKU@]%itXeg'(̓t'g+g}(26m]=EM/m59˗5*5oh8@6A{X4繒G=y՜gלhQ9o;
JV;9E;$0jc{ofݽ͑f|`pp7cS0m_p BϮh#mlw3=Lu4	ֹ\1;"ۓ)˺]s}c	yԦ}ʻY網}5u8tЄŇ_?'d_,n&v*YEff|‘Dٴ!ֱlA9tswRbŤ+{]>/P:	Θ>Y
؄jL]oJteڥł"!;FŽ]nf{>6W2tizw&;NZ<\mt#A
ɰĔVhjslqV@ˆUrWhmcPǍ?S0WR if%A	)hL*ӳ}fTxC\M1V͘08hG3~%
I3>]`IeQʏA99\6C3%zJ~P/-GGZ_2dTgS$Cha;)4sгˑ,o΄TcS,[v7&4[qoF֤h*7VKN@[!?VN=l
|ykR-
t[(EaVKߘz,vT-my CS79~,ʒGb;"Y2n%K Ϙmp2=ӳ>	cE7?FCl@gCx[PhbZJێf'M8I3Rj&aT)rP$,mE(sK㢎N16h,rcQwƢ蔵x)nzK
S¦Z9e\oNGȍ[=Y\KX)N*CѾwa]n;~[-t|XI8֙4;_ _4W~X$4yćiRߕfQf54Y4R(+LrŚR41\HįB"w_z@:uzg"EQwE+9H-GW}Tޔ^
R=2:n"Y(_&3,Rޭ|CtJ
˝q#G,l$*p^>apapiSLdŊ{I9vS:`%+ɠ,K[KP`)v!Fg -dp)<_ɃL/XP"
Q7|*0nX<ֆ"ֆ5\ Q(b;!*hlL*[DhW=>v!S%vam+-R3_sāPCxZE/1\i:5тyP{ZP?-l]fre^bhkLf
:X­}	'm{g1oQGrmэecnM]61(c$~W~7C1M`"KNLfPSgnBMMhtϯ.].eM'JBtw_-7<kZ-qI*0滯tB|YlZ]^|kűC]Oc?I~ HF
;7ӛpWͲp##c;eHS\dM*F˒9B{Pݔ(׆0nRJҋqŽ){^:xm[Vf2Cg}0v$z r[*$mj/Cdci<\'
UYVU9WkkQ;x۠=Za…jG=w$aϧ!|$dUJA_m^n9S$>uwrB&¥K6K4yeW{z*0 6
h;$hz5„LA
!L6vMv2Y8=0
;LBFLj2]s֪ޒȡD2y.VMk`U4.R)ֺ]v|8hdkUPMvM˳nًic94j_:yo`gR)$Rd6UMzZi8i(յݛ(ԙIun 8,R?#3K,*UUN	_&*{2(.Q.MRUP겳.ۀָKƽ |cDVIujriٿEiRUSDpOaaS:<"IBـi7MaFu.+&JHRŽ2@{K􏉒.ҤTU6.6[$6ُ
S'Pfhgb8lMl.TzUILT3\gVif6$&$P
!T1QL"Mk/Nz~HʲngS
cMW6XJe
i}6 i#'v{f|1ƽ(gf7)bl-nERmidV-$bGytVw[)-wSUкh)=
=aeDƷ[p&z
ėװ9>SYLe*K_;\?6JѽBVʐX?삱$JzcKc^B'j,6
эhu4z(
t4g4g407
`4ͫzАu
NډtFzO0Nh&hy:~.I9A+L]3uMOL/t:SLy2I_7S==N @{bwyckE.gFћL3e?FrF$hH8.7dh*"~p4*c4
[eIO3Q$kSm#ASl(f<86ĻI>aSM'Ku|`63%<Ðf؏҆In6Pb[.-%`~.?}X,^eNYVe-7<$&Zo'd*2KxVq;(-a7Αem#W:4PdfՍ=L ~L,3κE`So
:W)+y]ҷi24yvX-P>J$٣/
xS!;+#)ح71;B>N@d-!ilp/٢r'y&f˝K`֕~jSs2^ ly|#fc
|PuGܦmi<4g5~pNP\݅j*˴qbpv.)\#	*p4YɧpW-
NнV}#IʑSR;1)Q|{]_)i4&+ggbtDZ@C Y	 +nQ&7B>QJfSUSN:WuJY*jNe鷒=zzHt
Yˤ5H+mg>A%Z6aLm2ѾL6ri<J=c!a
'M!NDl0B3Em?cbQQNc#3^[nŲy;J䃯ׂ_5i(jCHY`?F_Y-_d<AXl>pq^Lυ@T%b:}GP'p`@2
>/ܧ^7'olwrh~6'MpNr;9;w
ۜOﮮߝl~q_o.޻l+PE_ak
_w%S^3t$j"IV{+j9#	|9T^气sG]:H"3NlIB^2ۖpgo%PGS)uk nWu(kmB@.5Lκx/kDxq&IcB[% C?7Zre%%IWo'œa"f7!v-w&x=Wر֫@v8%%xM0RxW*R]K5Q<=nB=V5U?&b%\s78y\أZ-dU+[a@$_(RX>!S^g1鄶f1jq޸I8w$kNvL_p'WNߊw5b`o_g}gÿLщm	#YS5&4
]DYȂTՂ&0iSd@(
s`Mw*T%
dq>6stgJTH¶^tYI$w0i)UAuxr yagK1!-CBZ@89)QGMZIP2L_ rsB& oL8كB-ieF'lF>lnOѱXhC]1tYq<)N?t{UւhGĤmJ*UIfqF{)]v1U>Pc44GWj_мbQWaJ]io@1FLNcFjbH6f'[c՘l$fo,,ak_	[6KvmULRD߻Bլͭ)lsft&Gv%jv2qMS;'.Ui2O	Љ5u`]Ke:a3Fg_a[]3J&3!Gf3ӦnfI{RKҝH/͔܋Ğtl2JnY1g/)$LQG8)Q[I	Li-%C}؉X,r'6;"5"f5L̏Oՙlũ3MAc٘.NϏ	aEVR
^b@x+u(ʐNt1i3pb/I{Q(dV̍wcՑZ6Gh/c[mPk2h62[@*[:#P^Ob}/~re/5+J vU4åZ&{Tkw׋rIA}/3oݡ-ڒ
_}G7&SǛ8M	H;p>Bq,Xт&R&*qHҤcg	gK6V1Xsd'f
@I3cPځe
tӭOw7}
859]|U=_;pS.׎T/jܧzaWF,Ԙ4[
XWHadV5vrS:_1nvӇ7ĭYi	.8Lr'cq1UJ*Xd(4V-fO>-oRNBOǎnGf@%A6&Jc_['B j6J{x"'SˏZU1βP7ɧA渻ׂnLLQ^3sw} "2buN?KLN^D!H1iYƙ_~PIʵ*
*F`Kz!Xn%QYVMhDC
lG
ݿK".R2^)ʷ:nwEJ8+B۟f&XZNdXqMLhD!#e23!;gܱ~PO_fD1<ao&.s%Qb|r`f"oh@{mOgu^)l4(,rᮜaԌ-JK4ܞƩŶ6]%BCv%)`GJ0\vN&JU'rDϕ?bk)~K-Сd vؼ#0*͌beKT-뻍b
n8ܴ%Ɠq	BVq׉ZQȱZTaoϡ:4(Pb.jڅj;Yk^QD+}օS5=㷑YQD&)[0HUfE"b,%V†P`+>騖S@=Lr#	*	'#Dj]Ni	JvyRy-=iĬ:YL>Jqa{bKpR 0@8i4dđ`}Mg`w[Au+6ϰC!3/$jRL$2g74C!=dhLFX[Rzs|󑚡W#*axd)Lb30TtpXX+3ǀRx9սL$T?gI@F\lxb@}vEñs<H`p{dHoE;W4xFӒ5Oݍ)5H>7u,X3du^C=Zyen.ZfeOMVf|>>ND,º@{63~amIdE[D,O5SbȓBnD/aՖ=m0xg	f`AK'{Q-#dS.
7"sJ8LG,syጰm)CQlIJ6=(4yR[2—)TBN[#2Rn
v
zNHt[Iِ'h;H&\cᒫ
䊙%WJ~+]82]̝pȓeҥaipNḙҥھ4=NG@ʤjvR#AʤjLb^F9h)mH6lG;MY:w)]liR
Cc^[\AwcՀ^$IOA5Hřs=:Ut	ۗ|Acl	`;&ܬ?]sBl
<7^h	2ed_ѝ#_ce	C0
Q/ v
h(HzT!ux9
f^:y`4gߎr!j}%):mVc@8J"yf-(m4d
rhjIT!YRstӗ\΢gPG:$˂yZHəpTS5#8ܰWAbacyP|u}s!B"iA	
}s=i4"?C Sџeo[OtОISxbSkS
Ebao>_>]NɡRNH(^̎֯Xnjb"!,kym-HL˜Io-*-
*9&f3Gi
9[ɮ:(hiJ&ݑԛ[iMwK'4"E]"23ODn;.܅A35F$M7iØ֠ѧX#؟5k{E"8vbTb
$QE=X.F=k5ڣ`
sm9#Lo)؟GFKyD;H.%<2*'=\[xA㑘{($tG#qPiffi~T䡁pzZNt'18mpnȞVJ	dWn$"\,IAB;X.3wZancn1p[]C\Ým4=oY/=H%w(v܋w(լ1tn~TwsSRa(!HRېslNnJ%zCKH(	LZB+$ҒKf cW\AL.	cޥݞzbw|o'+o{$5:> Mūrw*,:N|e`O|҃8^G :I2Å[**J{&1;r
18
b1@;6w
삛.7v&MqhRLzZoZ#-p}L5ַ8mn?ggJ_8K.7#ضgBCw-߅xPiI=ўt@N0UU@H"A\d?L.C[ Aޙ>E
	b>ZUJX9AN{2@nld͈M'(.m8.1˸^3_e#u2ㄔT.{(J+BIZP|j%:fo2Dy{%BQ+!”!Lb pOK@,=	wIP%DGcZFo4JEOo8:NN)3Bf`UUou戙#2GlSI@.x$*1HZS͡)كvSϖl@îHz똬Ļ	G	v\K]pXuwv=evd`W%՝_eKG_x"Y"qqQ%^bwqxq0kLSn}kjkv''Hz8Ӈ,>.!fEbw	y	0Jvߚ6@^V;Q/g1G;
:+@AGZ곖z?D
`5bFF́FGRdde̸+rM9|#	1NC3cychr@McC|l@͆)i|&& M@Yp1PR14`t:Dɽ,f3	d'6pWћ&	;R=L1[v(B))	d;YhBVBbj|9̗ėL9z虣Gݷ'%:KvD忯rҹ_tBTj˷gs}1\e(yhVa/OOIjcY_[|k~t.0JpQ븱jfYdL*|)a}}^%Q׀ߒ_I$R%
\5%&TBI:!'B(*ʹE2ԞjFqer/se=mwEuP^MkߕfyP!-M$9I_X(MrQ/Xyϫ:!Vzg$?4F(zѬRt,_iG&UI׌@Ҭf2mo?[h1kxz;:_tR҅ʭ:6ߘ8iERuv>+fPg~g>'vG[fL:3̤?`]8g7z1c&cȭML&.ʽy,?n!?nkY3Nջʙ~$}pJ·ÈYriəgj+v%,Af	h$ȝe@qQer҃y\K7p0d6i-,b;Ae20sP*FC1[)=73ŽaǩSk"gf$pܕ3'1ÙM\c7zd޶y.*zS%<x-t0e/0*.S$ˍYnt\n
tE[1}ַY͒	H.psVcv3fwMxw=g5˭Yn!='gyxu	3O<=A3Nވcm3^o3akIbIQOAM1JV720YBdLux\r̬:̪ky|OBIb\3vosY~cȏlZПYK{t%,Af	r=!l-VL"JFB&ciT=gI/̏ùr/ Ë.M\DՇ#v]K?E`fݙu籱$1WOLRL#{yɠHEVFtq34FJq՟*_%;Ҍņ K5dxj{ѧF'm>jTMOF'T?>58ѧF!dڤ̘{fπ!"Gi=qPNEV%	&>"DȈ]c75Դ]C9kٮJh2~,Z\xmP'ŋvp33M:žRj'S:.byPYyޛeʡ+gJ C
qCm'# . 7%,AWlo>_dr^M#fOpL*Cy.w\߅J OkΎ*TND
mpTan0
viob;*D#C喇0"̴#蓓Kv}g/T\r$>KD̊\
h&u0.	΄M	fGzdN5pt"
.Hyܖy=n^~Oǎ~VmUUq|ʜsN˜7?RKؓt9]9]`p<[է2y#h77pGuT\!7~;j{囪+
~v+nOP9T9q3G&1#iSb,9{Sxhs\rxp09$qfbŻ9&
i}l)yF
PMSm<5
a+Ś鹋VqeMoXJ90hpK=!K[ځgG3q
)JMfN9dv%[yBvzIbz(VtJd&CN
&	_֑	vt*H2SKQoAg_|V	Qׯ`22.0^pȔSuԺ#uφ):|j:W=b`MExL3/"3/4\'Cu^ބ͑'L߶>YN2+c9~&Tx[1%S!S)Zlj9Fg$~H[eH
bu3#^}@
[	XbfL~d2+3z/j~2[f~9Zj(5sM37*(kYYelI΋ϼܴC30A
)3G`uV^2#1Rtv2JFht旙_~ /FE]=&.q._?zE/fV&iϤi?]YZ=
8?yaD]fo?]9b*~\Z利.Gcڢ1j歘a^]:ճp{)綽r[gl,<
ޤ(C1c9&fx/];7y3q-MTݤaw!ެKY1o>c-Zۙ`PX.>JSRP"v6	S	~#¦>wPfҠ6mMpav"837Ma:ԌgY1ˊYV<:Y	i#.%,1f4$rYqfř}޷̱AϱA~*F1tx,x<33C?*;+@{WW-9N̮EG'gfעG+gz̬<ʏo2L:v8ޛE,*fQDEN q,1f1K'"1#`řg^Ѽl'T{6̽cB[b,3?5s-.YMʺ*FiXv~xfsu3\wp0'H;gs+)SM󡙡g2fffֺNM 	Z#׍Gc䆥<5ٙ]y`xg',/:+Huv@uI+G?f>f6R{Yɏ3e<	~\z$
~etAu)>珋6Ƿ;(]D?;HYP ]AD> ~$ހ?+-޿_>6а'tHUYzay׍i;Zo\EJ|;I.NcAt-ȘO+KD:EWG4l!F~h/x00">
X)\9q̗Sn`X=Xel8ue(2\1ejIbDזBT2hZ`²,c?@d5-5-3i)MqMֈBT!,&f1JS6k}}By\(0&66!Ҵu*Om}:	˻YFYj?2VG\>|*xvJ>s@hv-)n	MGLȿ(ی;dKh-eKhؖe
J[sRts++6YxKۃ2:ܬ\}@,{E.r< m娼iv77EyCj%2}FcJ椼9>fvcfJ3E}9uQ*Yo|)}>
}$
2:ALߐ8#*VpXLցKTƜWΨMX? G4N5ih͵.	SABfqdͺbft!Dn Ibͤ Ӆ. I{siθ-
}&H0W꺻 9܎Aa +}AJ_G۴utJߕJ
A8AW’ZXC2hqg0hrPBĠ:WwMcD
~AX./H$ˆ-ȶe:RЗ$\pd]#]`’w#ʷ=}-5[D>.VfL[RH$B^BCfEɡI.mNjSeWCMn4̺sŚ]0u&ٝZg2\zfAk6kv:-_Jk`50n@Sg7~v[t85vۨ?mPn0EUwe@LۅՆ/;fW˭lؗL>r^pU2fFWݢ1Wcjn,٫1S)+sN^LBq^L85+Y;ۜ-]3}zˇ_>^~WIwBjZ_,+YgE@:c_?V5zXI  )῾0AR^~l>_]]|ͽ0bђ+R[~VЭ>ۇdR+>8oֿ2!
@5zcCplɉwzV`D	_,4BR__b$WPO7-S4lD5<,5FWmu`#2H1jYEXMII~[U|IKQfk%P@is:ic	 hRO*C.jr	ЫAnB?儓ϟ\)r0$Mz7IPe VqGCUơHIK6RR,98NC# W톹
6gwk<G7܂5'H&pp(by<JzMMqr

(;.dNy7c"XpapA#%s;f	(6=n>PiϒZq
i
^o+ڬS	3mux$?:oya}E*SꔏTd}e'VFjdܶ`Y__|!Yk?yq~]\`tr?Vpj
Y__|ӿl	Lp?]WŚxbz܏SGRm[/Ӆ]Q64?4?0:6O88<4V.\^<əv6փ
'Tێ_[MUݬ{	)0GWnm6"Ql
/7(\:s;a&u>yŌ]&Cn6UttPִ.X#iZӡ~,v[>2HtĹA>p&ьk-g8-qmUPnlB{FB(s(dBZ%A<"51dKR?m:}A<
F6>I}m~lk9྄~K7nSլ!bb΋|DAt4kh
OJStg(;z3PR]q^A.@nP(b05yyd荬8.$Cu^xP"~uI+(ThocS|ṃUiRWD}?s,a
5t@/~9^1.jBGWݵ.LdNVh2tM/+i4LO#f'ָ;EE5[)9OuhD#[d ޥ;Ɣ6Ek/|	 y0)N)~LZɈJh'y٧m層aylTO_?J&aѡ͡t6_/@-]\}RMlH_dnݐ	:Hws$9&7ـ*zuhS\toPêZ?)-״uke6u_-Z\0Gf/e{Fz@8&=m323#ft;zKR<%H@e9YZlUFy4tyPVSu)1yiJQ손~./ڧr2X QUlA}iU
6^7;o[.5gL9qIoeݨP;YJ}jD[r|D;ddzPU:3Ob5af'6~a_iRK+uR7pW-\Ё[4g߳ÎKh|#a̪ӤTbOQA4(}S]b*Wb !9N#Zhvha+|.{j"Xak)T|g}
BۭbaJ89IR*NFG*{uXP@Q*2 NKӰD55ג]"Ȕ?.߯/sfkD^@N=) V<Ri-%k)|Sٳ[ulκUE}wxH<>16'`o!a8"a>[yㆵ!t+8DIҬ*oI(_2v0frK3
ȿ8WlxPUdk[7?bEK=XU
_l4>N5TSnx<Z/iP=DU8]r/&4
ǒ݋Z?&Nܸ(R
2t'
SZ`DހDa2ʿ(gkdvP].
Ye-nV<+~Z'FGڶ4p(RZ58$ZUcV
;δ	&X՘*Ѯ.-ѡ5A~`dO?晴YCqxS+aӜ+dSÀDW7;O߭
l5cZ*Ytz5=կ#klr~VIUG7F̓eNyvXe?iK͵ͷyKJA<Ů`:Pyv.:jzbvlly7sEeGElZ%`	D-fHdžlJo0ڼF6}c/Zx~ l|klT6mD,rMç#tGaq̖:a,| gge[JU{T6E-ВJ`k?SԾZ`AS!)wɷS :em)S4|@s_)3*Dm‚khu1a+	ƎG$P6G3H[D$`h#N`9,2\kJ<~<P.]GG@fsvJ"Ġq>Dʉ$e\YVcDZeԮgV:e~rjGfON	K0]l[?{v@nm@jRr2<[4ĝKU\Y+槩vjWo l]X(W0+84 WccتBև-Fen@MZ$
ߓNRC $Pd;XY6qT[-Ho+&
DzNN~L4sͦH*
{
[Ĕmnr #k~"wq:*jR,v7v=v%m/Eҿ9X~©
tS4c̯ME*mZwY9]R&M1Haii
h(eU!֡L_*bK`BugQH5i)z:ȚMx,7<ɀOY>ôڦMra1ra/!~D#߸5S"WHZUuAEqJi@%DS. pKNTȄ86dTphn+
Y>r-!0yR˜WO }yIYɳ_ @x<NgUk{nWfߏG4,d7V":"WLRZ\SpUn:a)2hteZiܜu
^0MsۄPpTfi(
gSTMmw6-:‰>{H	»3*7!mB(!v]n}]V)<
j9bxCR+f豩0FM*s,Ue>CflDxrYsR2:p]βP)(хNH+]]oKvGΓ6-4A'y
Ʃ{&P3t򓀇HOJ)R~ͽV+֕WU+2\6]+UJ1Q0``XӽʉVtˊPXH$Z)iV"jjH;T't
DuN:r%e
 G8z_=Gـob+>=9N2>%8DwASʮh]}1E+LQra+a?[vW.Dq
oI-T(:eDNRD]j
+\xu0#QrP+]cZonҔIvm&a+HSǺƌw/y)jwHAT~[ɞgchnغ۱<᱇MT)ga-	ҭZOTrvxMR_W9bNw3x@9Lw*k2-xq}0.
/ɦ$+QUXc]J
zPSϷ012v3d3֊L-HkIWCgKe2r3ΖGoI`KqjyޓSiI8^>[lI=[fK--	Gƌw/y;_i⸓X6Uq)I׉[
zr-?IPЈuJuFaon0mJ)L$LkSBG0:STiaj`!gm)LFծUopƖ=ncNQ{Sis#_O5._eC?:1	}
zz@)SאTjHXGCj2rXJ)
$.-BIc9-[uQl8	Q@IjdD\&jv;0#K6,a3bg
*6WgJH[B#eO:U6R*	q1EOl{h̕%	fmmnh2HDC~Ĵkք[mu܍VsGTซ+Ԗcr
ӯ_VZ
FpU%u9GRHb

yQ?fM!k6}C!=@".7E{Ue}WԸBiJYWrώtf*LZPvtv[=_>w99WIixMk>q:K(y#܌0~6;Eb{%]jA$øم.1[v fr8[i[q8Vt;<%kގWOq(N0~'txl	tvazl0D]rs#bsn^ZZ?ZG+kt^w/z~bZUO+*,x21IB׹ Wa 
q#ù-$}÷{9 fRe[~v J%WPqO.O4J#Fh+2H^UvUQGJfE]h3Ţ\Iu-G%B=l]K΃:[yttJY,7l6[\b+WځdE0n=iR'-Lbǣ]0yT-yy絥8,NR+T*h_	A4`R #[YhױZhbZZ9jXY::y#ww]V$컞*I%ZR*{i,o۷U,WJcpgy=+ɶPet5MD~EzkVе|UX^l+,#:qKg5U[>OT4XegJ3w޲SMҲk:b/wL^=LfeN:h2.s([f .;g;Y';DÏڷY{ݪuRV~ʕ-=S):5TGñ@&æInmr%?	I\)tӀ3R	qTFP:{0fEL7T/K_6j-KRwr%:3q	+|u[3j	fS.s.ٙ[66g!-gVק![u‚M#%"γ
C!P'UiYB7l#dc6.~T=G6EZIB}zJӛǦ5E<i-g:(>9ILyʔLbUAԐWxWJF^^]e7Nc
*!P'KN;Cx FeVe%;[fr)`\WN+o_%؞\w]WgIV4=J/TNݤuMv-%@]
7vjPJ\p&Y|{H\:[7u[ʨƉD8p2
'.ӹ2v29q'ZSZEr_3Z$!NZ	v8	;Y+]Fyt]odz'cRCK5CV5QK0bvn`3{+Bzޕuy=Rb5e\
ŎІ3
bb ͹;Lf/o4pGJ2>4pr!j~o%Ii6C |LH?'PLb8X~& EcϱQ%bQaY	IoԀA|T
BPƔ?G4M4 ]
*6i9)c@3~n8Sifݐ4/vB5ҏxvUV]pҋUy=xTX}	M2~	އ|[%3`I3`GlP;UםOe1(x=р7C.4KEjM0mF=BGIcr^2b]6G[k7fr7;+&=`dMϙY]$ا/q@rTЩɐ4zȭuoV87'30s8L
){3@[@]gATޖN|
+~-O[x&>ƃJk)nϋPoήp|GB԰$H,oTs=1n,L'o VSC(5r25>f1sjœpg	Gza D|QK0Bb0S3
F#τC1Q]o>` p0sy&M')VV2ǔ+ykVbr}}w:㇟@X|>|"-	(BDTq-}d%B-Ue}CVwݲ<`?^"K65f3h65&j7׋‹E{/E\?64*F:UoF&mb"?̣bǂ⏴vCOOO1'+'*h?w6Q0E&pM-[,K
㐓Va\4ŚBBExչ=8'ݟe?[`|^Uƞ!{j@c呂'҃lUD?2sA-,֜$ckS7-e*nkwId/
[U[=_T:yD2ѝJTH-;zj^Up]*IuW3Z[M2,^b3Դff\g5zvT2Y2Y4zVmoa<۝[zXv|T"pޡhEboMѝJTH<
ԹIMfZ8CLCLC̑a
783T8-'%z2&;(i%K'Hetc^CHhVͷMU^T-P3Rdtj6č6}U)9n6^&Dx`?Lw>|iAM+;8WsK(/B=S"TXteڡ2x$j/m-VapQ?^.]mUBƀZEx@7&F/~D6
|6hy8݈GPdK?VB
[M!|;7^-A]B,:-g(($Sɍ/`y{	a
)6zac`1x0*_,ꖤ'7iPڝ/.4O'f\:<89S|t#48
Ѽ_,?P[Y)9So%-Nr.BS$I7d^JU杆ãLݭ*fD%&9dcr
.Z;&K/֜g,6_?v#H]du[w+(n#	>(Yu]wtX`yR+{J[wh{[ߥ?1F	6~[pɸiA*Zmm982@•oxp mYPpp(}ah<
q,%?lRƿa&5(D޻5J
_~EM)@+Pc'" &[>uM|kj~q8a=ML{ JΪb<3Uy{:np@$u6[H|M^(&biBv?7ۜJ/cGZi#@ÓT)%xB}((RdU^]v*!!'⠪Zf,[;dSܔyqD/&A)@HFHqH(3o7&o}h-A,F%Еy9蘦n1))ۊӠFŶl+ڂ4sC\vcNnot1|a.i.0ƹHS`(h4	zFļlL7~*R-b- 
lb
rhFPoA3̫ь"NK@\_I#;N-av0O1kpldp8RڠDt_콇$[`El\t@7a:nb[e$৾)ƭu5nqkƍX6P8f4HAV]ɺ+Qt%cW@+b50Hqqp/Ƅ8{Cq1*.RàlUp(,uIT*1K+Y5?K&kʐ4c1("e,:K328g&c4M.P8^iqS^u:㵪4ZYdSN$dN'0n(hsEI
73CV5tʡZuJ:0ЩF.8U,]	ð r5a5Tnh!"X*<:i{'l{4Ӧj@ӧɉ8T5QG,ImҠ%'AmhuAm
{`T@qk.0?s%,c>
?TX 걸0jz8(:2?E=($1<ȡ[Xrb(F
$}<Z)O6u/g1F86@)ԓDm6OXiҳ%Fjnm ƒx؀&1zBFycasBx'>@YcG+!dqHS1#{gL4+3oeuR[%Xhsm.{0ɲiQUgCW*M6o9e 
ZQkEP҄hчq#Q6R'"C\8iX2
XZ	$,5* Ȝ~o>\hCa=e_#>b{MtѮc")t+
Zc#nY6}Pˣ+ao<θBީVuzy/1|w64UMCyp`$S2n2RTEmSlLz'FcxzKdOлt4/ܐ6G0,lUt*\GVۊYt0"Aؽ|j w|e(+
k?s&|#AH/Ň>=\gBE]xlFUBnDxyB	[xy
HO~:#F3HFj3vՈƊ/R׿˰0q,sqcɸWӎ[}=
s39LճĘ=jƌgP$mX7m{=!IۓK!7[4mpEÚW-M[lJYR[0~HN2Ɔ&oya3wpD$$'{JJ$T-\_mQpe=GDi(HUU}L.ӣ-A롚>AldAP4ȕNkE!-B5əoQo+|2ޝ.آm\!)?Gކ[Iqof>iSEAq N'rY̫
1y=2_׆4UMIEC|IaneF|`ʹ	Ŷ۸6$>Q(WԫE78g&;r.R51clkD<ǖ"!pid0A"ewHŌe*s"];)z8kmpmxaEg(;Wc^7u"
'|G-R;̳b|x+FU-Y!`D-q.[Ua5ok9UHYZ7):!)1;B*;@enk2awWy#b?G,aWͼʙW^x\>LA*ӕ@*dhԷ_ʪl?ELpS∽iLH:o33wL1+824C?VZ5;(
=.!mQbD1s!T*I!'fx.66gK/95ƄLY9vǰ)<#Jɤ%x*%JaqçS{Tg"yx62UWž xe豹
,
qR Ybhm
*G҇όm>påUR1Jy-d!Dp3*®fhR\ҡ~\lzq<
9ȡL	܄Tfilיۅn^"gXrfc%-(ƸE~($2]d2xGᒎczT4#M!Cؓ*Znw00kj0o*	=..,y[ 3QE<8ǼlŔ1	7vpch
>[ yvТj{{d&狤3S0m3̲"xҌy3{	q~c$ǐfrVq&KvItIr,U[BPƅԢjO_	C0E$
Jdۄ=!iC`a2K' GqUes#y9h.K5f	KN	ȇY:2!T39AΥi̕F;0\2jZ3PȳͬYwYlflq0nA
dB189rֿfHhL#W
A'5ZqcC&nMcv]7;oKcnPcpu^ۊ1zBءex*^&ʅAWLMA~kowIwBHy%3
SN7Kp%8E0BS=vktKK	WՆSޔ{#:2[9/w_344N?B8a,Q:ۭJOUg(o?JB!(,%$PUVObrosHB[iC@켱p8bM̝^h9V'w(ctaT.%i0*AvUl/it4:G}-H=FD8^E_krWbbSW*["SC1xe229^kIT טO̤H\=,8t($cv6qX`߰"n\ͱzԕSjnPK&BQu)PCLWv
ĵ6NjlsawZqjQD$<҆X>ķ3ChPp*L`&ص`B>Ը
_xeu}8ͪodʟ&`4eqAa|@àfBv4T"O45T!D`
3{ܘh39jXk	QB5uBԂfoJxMQU*GTu-+},>SxRXTHRS67*}lYBh!G-[hALA}KZ@#ܭ0H%+h!20 *icтh`EjiҪU:%_)NɗtJ^蔫y(-^=ȱHT-r
UNɗtJSB\i[6w">I\FT]!jtJSB\ȯJnO-r~-?U\uJS%:EEZToK+]Vj8*!d;1r~TW})X	hs(e4k8ä,]Mw8ux:Nf^pʹhf$kbyAFv3f3
L|Rdӭ$jׁQ	zM1]/D2jRm+T
Yxpy͎՜W@7B7
VʿO"fj&K/}CeͬNGHvB"ݔl>˓;q`azVt ;0.䯖Zx}gBa[$![q$9J288HݠH[@K[;h Z-i(hyOA(Ŗܻ*w>aC|Q
1&̈́ͅ=
&g8i~^-rbEn7/7aceeJ-

@{sDQ%TۛQ)P(в ^&RX i(]U8z5W^ͼhhKL1I,|#EqVZ|Ze!e!=,d,d,dW#G5/{YYYW^lEζ]:ș;,aeGae+wXٵgxjg+_S11~3CP0ZGW=/ƲcY(39^|;,jBԄJgmU9E\Q|eʗPEɯυ#"Vrr9Ȝ\QU\s_4ŜĜEɕ.TNQ*(ub<X+3Ƨ+@jg(gIG?BtHOgCuC2~AcN,!5
C2xs߱XipJeE(iAi.$mwIZ=V!o!C2#.%uFf=#sWmyGj?SX٩JV!t~)QS>SOQaM
o95+3"xR7=@lNlNLWJGsf9}7ͮ秚|#L4ɯxG^j^b+ǭW1yEyv|0)\yqxEe-v-mٰ|ˆs-bMbnG9El?GGlj.ՓAyD}x3_W##wggq3xt1lݰKW\_]|2Ncr(Vzbrhi?eOYaT=e%iuN甕WߔMyS)pMY9Rq
d)Wlx28H
	oҔidxMU(jp~;,UcjLgP[WmLݚZwݱ[`sի5}.Ćz1QU=曰6Y-Y\"|+TVXU"3]@$>l9GN(ZAX"m&8[(^`NBT%pnfy=R|몸.\$v#FQJ'#ϻk|#FȍPu,/c6BoH3Xb;U0m$Hr#s-4
4K&ƼY7i7lݨHŬY57Jlܨ}hTZO"UNYiL)gqԲƻSc!-y"p
]An!nSz^I֤Kݾzz
GTXF'`caXa_24I߇qVkZ^R/Fo|HEI.
>hf*lx(vGW\<
.+l~Pk~T\!xR#k 	liU {ox>}󡃏Cʤݻ©0	L@)z)蚌S^[,/xLD5´#lE!a5ͼ}0p):X}҈*~F¿3
bqA@SX䛁pCY~+lȲۂݨ@3<v1ϕ##aoh%
<
7{,$Jt6݀wE&szD4"]U#o{]J9\!ϵͶldd&m5٫i*|~T+jTK `&vm&uQ.Ʉ.Ʌ.;;w.̗}Y72Gw G@$@%C%r:pa
ދK.Tۥ6\(F}s_ꯪ\UPO՞,f!EH8)7B}#~ޞCs` 040Ϡ.G>D㺢ɇۭJ_<pe뙰uU_/F}=\'jgZUy}BGUTJJX+>_S!ိV/K=]RpN(9%Q"%r-wϹZ1ӹ)Ͻ{k8|$_nutI:ֿ](	pN,ZՉ#0w?Sa).4*EI݉GvlA턠vaw=S#[TdUxDtywi;aO$]VJwYռ:
#tM׵I-#c~.Z<}S}훵v:S&M'D+O8r|M}c'ju*1%F(I
BQ,t3%fxfo+Due_t)o8rE}9=Pe,puwxчj4&M:iyلLx}r/
>x	@:~Y^}n+p5#ڻ)WRul2g	;:E^yNUjVHs
>j=q6Wu/[ez"yꊴ+^n1E^Œq5ޅ#%@:8V^izi
o^!8|\,{5Ou%]#^&,`+8Ǻ_ϲ{{\.c}+
vqX|>.Vtx_0GRJ+UOi=?.;3{\.ޭ;5Ou5]ƒy
r{RSB9"i"IX;u>$z	yw_bZ449R)QfHisׂ[T6 ܘ\Bp"& B]:2v6C\#Ghfׂܾ:V_1kla1hB;Q^zē)Vcw)u޲	&@BS)rxF9<~%sJrVHrVH
I
I
հ™[N^&6zӾ[ՠ}	k]hgw۠$p6wmۋEuYܭȺ""kv2_=@̎mbdzkbd:;;y{Yh-[!/6>Ԩ-J[(,J[ZHmz!%YyH}.Sl~
QSYS=LuY<-TWD+B]c/ w
b.[irɕ&nCCJc:J+{ѴH*\؅،Ce{ŬLq<}m'ú[^nU.ht3lTllvUf71.鞜ͮK%K\֬BTϙR`Z`1YdQdl :)KQ/\~Þ7Qnؓ=oؓa?Z [qqYX抚f>bBrMFXC;7[@Xcvfb*JuG(ez-oD?R47f[XHsK^yDD"̖,RݳH$D))ItWb&u-$Z[<{Y$s9cHT$*DKQnQ8pbCy'ض|$5KVCuŇ$3t6%Q~1_n2cz1ա7&cBl0?|
fx$2<.wqŗ;Zj2_Fl8ӒDDM3]eٞfF
#!f-BAlF0͍aowǼzKXۺچ7	lqcʰra0!DsMTgIJM"wD'@O'}31'|lR7
˄nlfDH]
k2V0;R0;"#xv^'u|ױE^'N/:(xZٯ5ounbp͗8"[Ƃ})WO5.+ZhYDŽt|B:>2I(K>)K8Iа
``_^.xyLBwXsAſGLB~LJS6s1M' βpd5-MRZš)5E )LdSЦH&aĢ؆()C3M$,$7EEiAt,n
Η[^?&։xNe3Hp"|f滍/E7`gHWn髄O118/Yبr\Ƣ߅)4pfܝB7D֨m'6Y-k
/F07Լ
Uo|CP7oFo!h:-gܷi^t61߰mLa
DX*btŸIi`]{8ˮZ8tq\쒎^
SI=xPesQr!VpjgHxc:ZIf( 
,'QB5Pk5+{ިԶܴ ;d}!I#
Nmq,Ld뭑IJZ
@?
rY*=wMM7똴8AN˶S^:ׄrBByyޤi
]Xeeu|zzӇMux-)2*a=!7s0')tұmqԷ"8fsaJ(/4CHu/}GPphb	Օ#ѢqRc0YfahlGw"RPO@crҷ'1xcdJQ1m]/,^;S)/y%s:@/V[ʝ0 jNIu0
 u,×
-Ѿ7yKll
غ9JFfZ7ՁOQmj:t4PPFZ
5G`z+DetGsz;uLЙ(Y
4VBo7PJ3:
!ݫCo0о7j)fZA 	\`MXsӷ@wLtmcCM
#,>4Z5Sg$o
\5B"%d-҈VV1otv{Qx:FQ7`00m ꦷH`hs24s0&\1q4`Rx: +Bon`@giUKA˭R9u;ryv"㡷QG i73`PF(IH;`F݌K-H ˁ	,]JcMу"MkPAi'Q02h{h`趑
o{
CԬq
0JkjE+LzwF)
4;
3o8JoY9BooI~턖F*ƆFqu<.asՀl<3y04Qukoֺ*PX(SAƁA502qJLxX+`Vڷ76hZ>v8,P"az.-= %*P
؃Q7.XxFpЄ8=(Ό(G$%%#oZyIi0 [ڶ@Ar8w=K&`%9؋ {RSAV7@{u}[jyjepB r0m`\D]E;zMR9;`UR^9EAU-X8pJEf`|kp}n4}HЏ`s(VN635^)0AM`ܸThnxj
̔%Mv
L
SZ3>vw0RX{tXTek:r!`[;dsK%KH.uw0"\cq
'm8D(P^icXG޵=ל+O0C]~0\^ঐ"P[P̣B;ZAVxtNVF-ke0{'$eg*GwD--iXRIqFDk
\BƵJ;F90m`tQuΪTMF%D,'Y
tF$v0:9@@K1qQr7U`F@q9]]R *&Б
n:%lw\``23Ӵ-6H^P"ZܝRPy4S;RʋS.vw0=Ł	ɨ$^[*jp;_!Jgc#臩8n<9!A,V`RY@=;w&kOZM=ؔUgDV`h4"7+X߃`gBqQCFJ
fR 
[[;A1&1~c	Iy-M7Pu5*h0vw0:YNú Mbcpֽƃq%uu(xt@XP'@`FJ.(R)Xk@ hbPX-tI+ 07)Pq:ڦv!qdX*[PjaL˴wZCЦF*!nݻFN4j$F=Tcsl]Y
P$`μ1?'Qa))laA~Tg!8>(0рՁe`hJ}
P3hBf(:k%Swmz%>tJ	J{Yc;ہ
YYt8EX9,N"#J4{bC0c0줮A?&'f⦖378]T۔8ɬۃr2̷(ˎJg['@QKm0-7'F3I3۳	CbK#('q%Vx|SDZt09kYmmQԸ6GXI&oN[P~HϔFeײ^˝cl4ZhPt9.4/'vп 콷1D4It2m=]]A2r/:U 	PN4(NigTƭM+:E>	`)37*z4.rN
6z8{d`GUtBPNVŒT{
2
}\H";aEkE,z.q}@1'a-3TݧЍll^
͞ucUlۊ4* 9	gCitmPM	K$i@TƝsYi@#0:Zt(f7k@뗞uE5'Q,΃+“='J:¬DUzہM\kx6'a@T;
wU-u]P,IحtLu6Euՙa`@*>4,
0}dx9Xm(+'a`3m$%VPIm0=kP`xGoOȁ!g!^txsGPNm{&A~+y1
~ZIGOKmZ[a@7Y  mfOpU<hZD=҃ib	p9#6jpk4[X(^#'C^q*h//܊ "Lj9IX.sOA o`aJ-T

KIx. }Z<=uĵ (=|#p^N4B0m$u[y`9	3+"{hlo;AwHXOfD;C3ZO,'Q-Eo
ddk	r=:Q02r2RMA?L+Šz;Mwk#('څh<eR@E8w0]ߣϖisĴԃۀKk"('-L
La۞BIb4V5$\py㘅`{Hg=4,BO\#{e[ZhۮPl#('ar/G

qZ+g2^:Pd^0hѓ"W+\^zQ
	St΂n5CFOi#Ls=P%`",'q8|6tPl7ctƱuz)k`?H1J`,Ҁ7BuxZK`$EWXfIzBAgYQR`T!XPΕr]ϢCH<n`~tCg1)Eo=0aT2(&n"yNtvS ]!&@PEo60>eSDG4eۂy;w5g7NĜEM6#`AS#hgalRRh@;m5=c×?}uk!}]k⬝ERVz	joTkVxex#Qyz0X=9$z	ՃdUh8MךKu{"uPLGI/#XȒsi/q#V_"'o',0!Y~	O_Ҧu7`uvYU]nZZjn`&c\5EFK&wP-HFey$adM}HFy&p TÙP)QÙv!0uP51~F656"yaeR`$DriBHi)[ƓRMmAwVcB)ԣoϑavك­aR.pr]%VljF9=5&&M;-zd|,^Kʥ0iAcjiYJ(Э&kH%0Jc Qzy@#^Y&kH3	00$vycQr.5{@"mne`QOI)񖑄lgDIP3N8tCa#E4uYRc"j<,CdgLj}z
W'95İCEܹȫ;
)P)7/y$H
HM[MF
0W}( ³gM0ޗdUA;ӕ
{yF+%1`T@,LW</dBf۲=eZ,L2Qۃĸi{7R1mS-l,PTv<]v+=Bo#Mv=FE;P#qk
}ȍcœ><
Hf#x+1'"I_pd0hUOC	\u8
a%^1J}0LMk˘>!WAp'!-xs@m;ŨA
q5p65aIO;|Ҡ3x[/:H؉QMLuW?S֮Hg81MxʜEj(A"hnUz>EΣ4Iuߓ½Q#hg1΃^kn^Ix#ā,hMxIAaʑ:}ӆŀjxQ{DEγt5Յ8wCS0|y.(+:.5FVvFwD[SY.J¡ϭǧYR`:Y´\'Vf׍j1Ćc#9qQ^6	OM?#ees=0*!R'xHn}⬝EiضkZlCLr3/iI@
U5y~5>$q
@G{㷯_>葳W7@ֽE߉jaRt5GTBN*%,(c{':%V"e>rFu4j_;{=>c+lNώ>+0,NŔƒ[P.ۉ#Tv$+
N"'V{PNNϩ.wM)D3QC{E)XeڕY2P 1َgy\E:j1w~nV_Ǖ?١m;V`YS`ΥP	d
SJ1VWbfhRE1br;HKa"g^Y!2e_UKNַA}q-r_s)H?BK)oVd1dAyt8B!C{E6_*.P#Vާ2Q ~zeK}wtugK>V^ljVtt
?-t+b6[.p|kyF֖v"WGd&0ȜߦE3[;4gmJ`a|S}.EgkhX6̞@1ݽ}>WNRՇ5괈eB
bf1-n>ٖHw^މ
c(8U,XYǫRD~eY{(OWڅە87
ȯPnJȹ\fO^RoAޫDC{F6w
չZ̥B5"cH2[uԚyT-k}Þ\Ʉ+et;59|nVՑC[%#0۱{hX\0}.y
@b]kVE'Iq$G3.(Nyh\	Z%e6qVZ5('0P:XS5snY{XFZZ0V,VDwHUt3:jc25'œ.4+ݮ,wHнKن`s)wBmUvR1^yNkWAJwƈs̹R}f*}vf,aI{lCK'z\N].2&uap)rVu?rrZHoVKXͺ36W?V:>ßKᇎc\A
7klMӧѧVcWI#Z_;d5&zRL&0|~Raͺp^Ȱ괘COO4(٠i;g@rRtxt=lf^=ִĘSyhِZA;OsfOuRlr3C{'SQu5t^W:)Lw<2.w[V@tį_94R*Yt2qke=sfk;mԺkaώe^&!8=W8qB>|+bPb[w"+hnֶȄuȰ_g?mWz?ô
gmV;g!tb	6jqZ\Ϧw筴bhj00[*CLwޚr
^NiXw/DضS};o|h3ϡpKJF[>ͶEC#25\;,zǥќĴU17Ɔle0#9.wCw*
B5ԩq}l
<b
r]yE^,&>w43뵚rʪIQ]`K遌%CVHrVgkRFNj>6
7{h0JuPWP3S>J\.1=9>U= %Tޙ܂m_N銦	i;#Z_
;%#5kS;d{*0x{}ž2CAFU%nv,IJ
Z9Ί"u	ֲ9T1sдG'+p@X3Rgh5He@Tyqjå<ީ V%ɪy.
rB
>ygVT>S|١5Tl+]Ȱ==wN>ލsdzp%pEnwNvbi	#X
%;?P~j
"2۲lrA)i6+mm)ɇ\QcUL}E%
eqc!;V\4?^{|P
B1)7Um%=ӭ)5Iɐc3X\>`xSj{V-sڔq6ߣ/w>H,'
]0YzkL;vS9۾jW^^{;ޡk6CCͰ9]vi;Š@>) 1{.aTS*(_=ѲlyٮN1fcMy,ovgayjryݷX9u>Ӊɿ-lh643{')ҞzPj'3l+ORI^fAӣZf[/v;I>dsm=*l$ER7rzǍU߁ r;IQRQ>%
ו+{^=̝*.,^k)1gkpjoHUn^S}nm%'?_54p⾲s˹yo=ٚ*֥c
Emk:]eT#g@P=wWmRtfj;C{'kXauO=ݲN(lC{9NyC{żZu?rTPoeN.7 R2P%nzWc[Z멄wK){
Q9䮑ƠX㙵wjRWJ7V7<˫5WYGHqeсJ`S`vk;E
ZD
1ΚG\4kj7*KT-<, ׬SD·n
PfK>9o9}N
p¢ە~+vC{PyzW)FM5Twn;AlJPjqg&w+/|Y.b1:$A0wU%?47Fyc/>++CI ႻN=Is^!mL'k띴;[8SYc1NWk%aJ|d-5oNڝV1Y_=JR&VwWD#}cu+wwOV)ԌUr3;iwrVƮk^'wd)1
߫3ll޷
7ޡƍ#q|q3(+q*
k,N{9\ѕn^+6KHIxpF[InXg\ b
vխc/k5`bykz	!Yn2׎/L;ct;%Tq*+\9VwǂVGHl7U{)n.<*x%t9F؇ʟ[J}'PB],rr7}疵W5^A^Q:^rɻ.o
*=b
Rpwg^	V]Q8<iu\ouDͭ3IʅS;YzkeܳN€њ0srYm-,nCN>%>ү
h#)]ޒR>v8bR	cW]U;J.xQN9|'Uq	MfS2
LM\-15b'}NkG0;9%W
𦻇=rVVPМQ.y9w
?1MaR흂Ogqyt{D
9^+νĘo/p{)G굤Q{ZK'JH>3bGlatlu73Za#ӣ3բ4cn[=މtږ\v:aZ||{[ȏ~G*C}'@ܺLeymvZPp[&"N<|BEl=4>8Od4PQrL7!Su0[y.=3(W0[+̥(pՇṡAdh6®`BY>~HuLOd鼩h#Ղ
(s+gհ7ѥgAoA~Me@Ot;.V}r?x~<0WR܏`Rg
֨,s-<~5jGg Z<W§Op3oebխ)cFV!Os];w]8VD^B27,
"%/S*ů9 tTͼZ }?JBԠl=uz5
\	f*)x^=֒[k~.PU4X3˽h_>bXБOݨyJ3_ȒaJ@?=S]A|z.fW 1J4n\vD}z0y-}T۸u@:ǃ_
\d465̗n&Kh{{?@Ъ=åXϋ3r[fcxNDA21gϫ(G.
lӶwѝks\?/Y~,j`kUv5,]N1@{xco
%H1,)VǷR9$Amcwni>A9m\􆇌fO(y:cc_fI̔m-EbpY0lTSJJBX~gh0ip븊Y2[_m}\o +NRL5[<3}L*%	JBZɊ|!E{i,2ۡ窭ۨxZNs4Wgài5a_YkEg:Rԍ'F0ؽqYr@^vBc-8fp (w;UL9r!>Vȡ\&F	+-vubۉ*ZfpWJ!ҏIy0a	pQVvm{9>mO
֦2aSӉNr2'a~s8[5'=3QH]4Xգ}Ҏ`ӀOҌ~GUYG<}g?8kyD=0xW`tYGY=VXIY#N-	iS$$r--WX(}luEUÕ4ٻGG)ݚr*8Vr51X0 
(SIYB|VmX0V4їfJ18σu0\c+omZw[:A|։¥+*<^X4@j`aw/<T7bV~D|/GR>b-:bO+Q
4מe>|gvU/g8(x=[>;;eOdvλYRrPORѡឭ(S˯>	0vu/BUŬneuk>VH]DPAv;j վHai#j7d3[CUDInnfaNk)dlWHzba!kb1WEI8`S'P&OiqhZ":ny/F[`
r	)ۆ,'RR;tQ)vfWԽa܊ԞolF]d!BTՊ8&7l,*XBfÇα&fmn*u9݌R6}T5nVV#%2AAWoYs	B>(BK#8u1n
٪h0@|ڶ:Zd7c\QeZN]ٷkf#2KA8٢;ڕoϰ`̃> ʃBnW{Qe0Hމ4FM6s]d;
cv'sÏd9yYz3:p@ڻ}\4Z:Cj!T<*=ؠ7fmXuzQ-x}z0y丳q@\,uj=TQXs2LU;'LB}zh5l>
.":D(GAӃv3LP*U+Ã
Z壄݃!926|vJr)3Z_>-r*`%HE}`]~h*=L'i"mX=7Lkr-u7G[k[L$(mfOwlk̵yA9AhhoQ'	UgTMX:~KL3v#	bi5_L+Zeo!L
޳爢Vz_w;lqͱN2IL#
]%|Ǥzb(3GlYJC1mqtzD%,{Clh,9epGzDlbPF\RGc Xn5(})@ͧdnYRK_jx7vZK'Vknهh?EhM#U"Rp
w2-D+@El栂*KuBT .	mbBT>awo	r-'ƞk~wNX/+֙
ZN|dUl/ԡccaLCa2*tB*<aDIHB
vYsBL>"0TLw\?eR
[ʟRmjȹQy)~Kkb)J͌A)~KSSѺ}]8Va?$o/8fdCHz~x,-np@AN~bF#>$QhjA/-|K`iJݼaK&HXI a'3Vih)z.-خ~Csu*9Cڈ~yWэ*3L#xd.ӒDZD4-)nG5ҁPN#'Vw.sJ׺krl+VzM{\-|z_n׾o.@ Tp\eSh~9w<9,5W<`a>-W۰a/,[*2.7b/@2;FQW!ǻt#roP)pc+oDovWT=$0g-GX>+z7?&(g*ySXXj-cѡUnT\Q9.n~[ЎZ6
T+'@GUc_Dž!ln_^lV6e[|D`sZ{F"\9G=Ri<9`r 
pP<`%uNeُ~u#O=h莂n9gݘHsB#4u]4mԯfݱ9[In;
@&g1}i
>r\wn:gxvDVg
oǡٸ9V3sc/[~^7dȱ-.&e(Qxu9p,
ՌưT~h 7'ęءJw7kOٗ-1u
ގpj*Wk++Q~k3锢n)&k0;mV5r`%0:˗:Uг0cR^7@zD<<z4;w{̝yTŁȌ$3t
#\/#2XQ׭ʳ~)uԳh̐yt@{^74Qt
lslOxJS}{|P^ F,Y
gwYc^f.S]v1;=% P2:eWH#w{ݒK
j،{^79
֩-{׶XOĆ_wʥ\.6srxz[c;$))z왇{ݼW8[Cv*dn[;${u2Yu+Dr[ړMu-^,YMy^uP2ypݴ졡+]7'zAgX) qo'+M*Vȡԇ`I~o'!0XbC)4Z׭u9;T5[ẃEv6uJt6ҜfB*ʃv^5Ntrd('vFhY(UG,:ʱ{_JuΌ.mtPxI@0)rdE?eV.L<[<wM*H9E(ͧ8$ ]	g;fz?:RW
2\KGahmhM
pH\CWJ]9hE̳r
3Ջz_=߫'R(Rxr^މ(&7>bG OԌBw"#?`(/qFg+Ĺavd抗8,jgc
n
D(_.n{==tf{mcwltՐ]^G6fYuO>>]f#L*r4~hAt=G6tQ؝J:ޫL0A(C`N+$t9(>Heԍj8B@|5GudE2"(Ei`~(N
={0<`ݛaT2>Eq0aG{=;?dQX|`W&jcX}Bƽ_$ϰXEPi(aBxzA:/}W6nܷ5#˛F{Ȏ
+oN>=g'%rRUtWEzW\24MSBf>W4_W+jґC@NNy>0Go LwM1=x V0EX-GLpg㽂*4l&
?K{wm*9 4eetcwj}LUk	32ՂDLBPR٭`-@+\5'O)1aTC|s@ǂtlȠWIcSf_ol	ʨ%_UXaX _.
8Aa
huݟEL?%,Eֺ-<@!`f]#=+1x8O:08:Lf6`kbP:]ŢCB
Ω@DC6
]6Mx?@p2-mTP͞p-fB7('~pv@Q_kX!h99~?YA,}2h#SH~?̶jcKrIua>Y$zp:P5^HJY3g\T~Uׄ(Nm;] aj	GiXSg6q'^3ǓXL^O4~;9q)+04䕕UiztAV:Sl%/s	1G,cY+2~ه2x
6jnj{H}:8}NGycʨ6	ZVn1}%Lea[!|3x뗋p/+)PߊY
S,^19fn^Ptj7wk7/
RI|K"1:JG2?2O'>' ,F.a3~	xWzQk#~Bwpb()`Y|O9*<t'	;?'$S|b+ak3???'Uv
n0{\]G+~OR;
wFOU	h7}O^ۓ2cu
ƉEُ"#~"V93^Ӱq>2{dsW
gB!9N#~BڲSw9&# մ>'.z5]貯T:kfeV4#܁§q9|O/&ʆv2y?!iMqwo
jOhW+oX
K?13z+,V*vt:f	mKHWjA9~%.=>Ʈ~jv:wSw6z}n&։جZQ`pTp8	h}<C8wV~9z/w}VfM=tb臒)V)WYh5((%-d^x|K+ϢAY{Di*{v*'**WErNBKSCLIv.ۯ<٬,6	H8lඎ ]aHKWK`])X!mEʊRQ[FDQQokbl\0~֌a-Qaw(
؎G=XutVp`u^zZ?},u(xDkj4VhPfQ4+Bu|҆R[xf}7ww[+^Z,Yn1s5_8LGZwimwkIIW5>~֒yj׵#a)Zl
Ib=NaUu
3
AJ9*hVuPgO[iۺU=u~FJ*& K
d:Qi#*O!arLOij1Zlje5/Gk~Z
u1Ijk-9"֏@*A_ 66^fz֏LV:rNե_oAoG^#a~ ٺM
>/[D&:]J%4#j-jDPMޒ[EX]`1ĎyIyȪs$.n'X7c.$]TVf#
d1b㮏](^V<iuOՏ.N-N-|NZ4Ƣo50=azL@6u@^DzLMOXױoQ6`Lb׈juN{N{N{BTUj+x9K!Z.`Rs?ۘR4@Tws"E_n1y?|iɪ"=*[ܭ,+'uudu:C.F܂;GRR2:kea(C:r3熤wͫG%*wOި5riX(3u
09՗$7,:T@̧GVF5i
LB,p7L[lYqmuaTK/I=9ҩ保VO:e4JaY@AQյ÷F9^ɌSNJ֙ٯk)F!Ny[S2sgL긏+e?zT>3>;I~+jhN9rJZ!+)
˷us蘸8b~:_gSAgv!
cGi+-WIb޴:
R_?M${r˳14#Nu
T$h tgr K
Q-hsB؁Ҧ?SnhAuE©n -1..wݔIat(y(0F>0ӢOG;0 ol+B%~/AZs\3~2.Xl~2NR^rZf0PtyeM^^ݬE=**<-Wr}@'L_+-sAVDYbl]^fJG,c,OwW+Ѥ[%h~D	>C{:NtDm)CXgƣ13t['>﫟	g'lO:_n:3=$/.=C&UeD)'6n!.)e̋5/B$/`zE
ʮd]?})ej0SezjDʵ98/\:F(rcyi g곆8Qj{[o0ΣҝH\rPg.^7*Π-ვ	0$~ՁP5*ع\Hv{P7zD 5oro`?9̥ΐ~	AyG`s:}N0Y		 +{~u,0Q(н yݾb cy;.Ϝ/9zn>ԥ\ԿWl4ՙPXY+-#jD6%kʹlh/nW~<7a>|I~Y26:{wC^lpJ$LgQgƻt3]*P"7Ԏ:wiPg. Vnu)2.jR\ܑ_7ņ/QP\+CejAAA Lo\ɭ.%Z.婐YѺS(Rn4x
IhOy(B7X9~MZPcz^~VlƄ[q M/Oz]ZyTh}Ab'|Tc$%څb{]h?TMQ
~-?JQSE
BP A@ٟΪ`+w5&%G|g`[Gb~+*ϖgSHbE4>SٝϷPL?

An(o/|$s::KVn$4-(Ox+RY#cˬ+5O
cPLq/VUU/ICu6ӆmr?
[sr]UX|X%!ן6ؠW`vMtLm
y^~Lg
,1n2ey	(֏?|`1V8 FwޭfϋϟjƔi`#PI[?= ~0Nc>|}*݉W"~;Yaw€;?8e9MmcvۓjL[᳣ht"[;3vۮTQd/ ǚ*;d~W_+$_u6۪n*̫x~M̃.&n5.(Qef
EGKU1H?%P0m\fpY{gW?z%5SiV]R07<
=eʾzXvk$?z8gK[i$U"Ouxp(D[_0.Yx%5ѹpJے/LvJ7h9Ys^k/L\{w.+W/%?R>
ʍpڗ	(ֳ^BPدR6ޫUWHg)Ib/MPD&b@պ!)@Ldwʴػ2z/\׍MKthw /#UR\sXTΑl
M,bNh
=#_7"hZ/YVxfb_7JψlЛs~2#b.ҟg͵rø*m=r\.KbGt.(\TT(+*Ni(L?B%/-H*학y^TaBq_!Rcu
&g
7Dv2BzEWa"UMY>R8T)):2')Z }^c
>jJخɍ42cj9.BT/"&e▫JP=ZՌPcWK*.eSrG%:[9`#BZTcMuvYze!ZD#=#B=63z
Kl6WK}bN}Ζٕi:T͒V"~}4bU5uuzIM"qWuqsHuX ?[]E7YQJ=6E~`f@`;l"vKѶٕS)zFTl%Yiw՛xL]O25'6bvٔ1"ck}KX12l"[B~9"fwηN™mƑFM1/|WeOxݦM
S
/wҞWo.x^˗BX!,J&MXY$,xaI{Wp9ĞwϱO_u2ՒtY8	H0֑rwx)Z^XN_9$qXVNXH.aղZ)5ֺTw!A!\kaJ"Ivq@"+>WgR߬5XpjCjWh[͌um٤s(ꠂZt۠	O+G0,x욟qz3ck2Нzg|^>z3c,JUgQe9fps~5H0L9*G
O"BҋL)E9sǞVRZti;oϥ׃LƑAZ&]b[栯bY[XI173Uȷ>ek9GC^e<(;@-ee>"wOÔybeZsM%O4(>*9&]Og'eLZ1ky}St]9u@@
jiT[fiw+Ӵ~mDwl<ʢ
O5Ѐc/m3W`X+/BB,a0"Y)"J<{>pBEo46Ι`k"5L]oH`KD6ϳ&xJeZvDq2 OJ]v|h< ޥe׺K}eOg+ťtI}C"8쪵xb; 'nfhO<ݰ|[]
Af{8&)n^⨷3A٘ubz}tY-fdr
3Yy)UK"bc57TOɘhV&4<">+O^W'dxcꃼ?7sRb8e*SM!r$\xV׺FX7l;#(x>6ʷVx_h>=?Ss_nwήrO}PYg:}Ѭ9x5r(['c㓷ꚶʹy8vd
E&a~-=jzxg"G%ޮ#SiJs6È"GUCb	Gm"4!mεϬ8Ջ-JD)4L6
Zt4"z(lMO$rI
Θt(Z¦gl"F{,\续:XTv L']=G	t4,ぃϹ_L=P_߭.h9t!kEƩXbrsv?.vnMYN#A͉ٴOA]D9R˳{^T$ukEX-x\wnvU-ǹNѩ~3Vf>ZrҦB"Iim6Eע=9
4NFwK'  }QVP0!ΤE1{$}kD
j71Lsf̻+6$К=LfaK]F3̖壈Fp:cyu4qر9{V
bgݜw(jsm/8 }tsa6jfֹ]bn?:pS9Qb;B%g
v}55V5(Ua^.b)c΂ȟiCrA
rw!~+$Ocl)#x\þ90oq	PvSz'}wE6P<d|57JLD/Ͼ5ŪUJfy -^Í1+|DB%0KO{xs!"FH?:5=B6n(.bmXA#W\8|DCN]s(B$aP*'` l&f/ٵ(:daS>#50zo
ԳTgauV.,!MhrGwEQͨ)W{
VgEn;䬌`
-xOvTau9`#9ZLz17_@q=[Qz-yiU`#,uΚ>#٨I[:gYD>
2ψ٨F%`nsYg"(Fn]l1j$:9gpT6[{.bLbw:|-,r[9b75;8X#Mn#]mOΒgI-AXh=e|fX 3r6m<#В~-qIJ):%B拘M$>x޳X#Sol7GO?\E1{iD`gbJyO"fyP]836jly"f',7N2Hk͎z8m#}vs`dբkPqj
/Lr8V|fo7G1 Bkmo%l4-j]8΄QQL&ˬ-"X@vgQhZt``6;q:!D@{KTe4:	g7Grؖ;$9b
:bQjRDf;;ާvgO"sU窥M55ഺl_(n(s-٭e37q0B
lz`nv8ZT_nkMVZjXN~#ț]tr%HSz!
dE1;#Tl5x8Ykr<>mU9u)4z /rs`}kݾE0yJy6"fk-Kg-;v=Acެ^l,iw4;"n/3?iZtg#OmJv-40Hjc=7 Oos/!6&fWӎ$"^7%DŽa&1}?,	8/-2>_&1gd8	6s"j: S{o{+nFN d}ԦJ*8]9s"f̹姃G˦nvI8a'/CA݌Zkw~-<gG>	at di섐_mc	17XX}of'$u'8զh:e#7;!P<),84gP߳vrQ3"m[.P
l{sDȩSj0mM^)6kMݷ9!;bjc&/	:AD2
"YI!3ڛx1uě9VMel`xj{T=ⵈ,s^f{}>HuQf0=@&gX,57 bN$Y)Ɵ̓6fwnvBG!ѣWvU.Cv^:v
~ʨJ-{E7s#f*cq_ފqc>xRv[{b'}R8l|NI4s8]E>׍'V6DC>BK#ۃJhص:.	Yl>ȝ7DXן6s_oTl,x:xlsZ֥A^a܈ϭloE>HPeUf[V|-ٵLZgg4G]l/.~q,!4yƨ{}cŊȲ+i nFa}^ltg+4Qz}W 7ӈs٭QF{>b
{OZg~XoAZI9\x;f$kյ”_:ق<4xZ3ł϶7Et{%v(aY;msnw~b}%yKw=X"u١A/$ɳ?͢ͅР,]VNI籹]ن*)u\`=1Z&32Pfc”^KA4~^?#'y6ϡnF%1
4_U/q|ckaཁZud#uv+Et"j?J	>K[qfl~b_ZA6ƜC{{y)*w$G@FN1?$i ;V^dӐN^Nj)d޾7d̂Hrg=ߢQ;ӨXB>oa/B%`.}Ə@6bWoHI֜I<ŧ@_:Cqgp1'sfI1gΙBtf6Йv{+;y#?HBmGC2ƣ'|`~/%c@g3Cz_O;-h+O	why3-1.6.0/examples/multiprecision/logical.mlw000066400000000000000000001166221440160026300214330ustar00rootroot00000000000000module LogicalUtil

  use int.Int
  use mach.int.Int32
  use import mach.int.UInt64GMP as Limb
  use int.Power
  use ref.Ref
  use mach.c.C
  use array.Array
  use map.Map
  use types.Types
  use lemmas.Lemmas
  use int.EuclideanDivision

  let lemma pow2_64 ()
    ensures { power 2 64 = radix }
  =
    assert { power 2 2 = 4 };
    assert { power 2 4 = (power 2 2)*(power 2 2) };
    assert { power 2 8 = (power 2 4)*(power 2 4) };
    assert { power 2 16 = (power 2 8)*(power 2 8) };
    assert { power 2 32 = (power 2 16)*(power 2 16) };
    assert { power 2 64 = (power 2 32)*(power 2 32) = radix}

  (* is a logical lemma in ComputerDivision*)
  let lemma mod_mult (x y z:int)
    requires { x > 0 }
    ensures { mod (x * y + z) x = mod z x }
  =
    ()
let lsl_mod_ext [@extraction:inline] (x cnt: limb) : limb
    requires { 0 <= cnt < Limb.length }
    ensures  { result = mod (x * power 2 cnt) radix }
    ensures  { result <= radix - power 2 cnt }
  =
    let r = lsl_mod x cnt in
    let ghost p = power 2 (Limb.to_int cnt) in
    let ghost q = power 2 (Limb.length - Limb.to_int cnt) in
    assert { p * q = radix };
    let ghost d = div (Limb.to_int x * p) radix in
    assert { d * q >= 0 by d >= 0 so q >= 0 };
    assert { mod r p = 0
             by x * p = d * radix + r
             so mod (x * p) p = mod (p * x + 0) p = mod 0 p = 0
             so mod (d * radix + r) p = 0
             so d * radix + r = p * (d * q) + r
             so mod (d * radix + r) p = mod (p * (d * q) + r) p = mod r p };
    assert { r <= radix - p
             by mod r p = 0
             so r < radix
             so radix = p * power 2 (Limb.length - cnt)
             so mod radix p = mod (p * q + 0) p = mod 0 p = 0
             so let d1 = div r p in
                let d2 = div radix p in
                (r <= radix - p by
                r = p * d1 so radix = p * d2 so p * d1 < p * d2 so p > 0
                so d1 < d2 so d1 <= d2 - 1
                so p * d1 <= p * (d2 - 1) = radix - p) };
    r

  let lsld_ext [@extraction:inline] (x cnt:limb) : (limb,limb)
    requires { 0 < cnt < Limb.length }
    returns { (r,d) -> uint64'int r + radix * uint64'int d = (power 2 cnt) * x }
    returns { (r,_d) -> mod (l2i r) (power 2 cnt) = 0 }
    returns { (r,_d) -> l2i r <= radix - (power 2 cnt) }
    returns { (_r,d) -> l2i d < power 2 cnt }
  =
    let (r:limb,d:limb) = lsld x cnt in
    let ghost p = power 2 (l2i cnt) in
    let ghost q = power 2 (Limb.length - l2i cnt) in
    assert { p > 0 /\ q > 0 };
    assert { radix = p * q by
             radix = power 2 Limb.length = power 2 (cnt + (Limb.length - cnt))
                   = p*q };
    assert { mod radix p = 0
             by mod radix p
                = mod (p * q + 0) p
                = mod 0 p
                = 0 };
    assert { r < radix };
    mod_mult p (q*l2i d) (l2i r);
    mod_mult p (l2i x) 0;
    assert { mod (r) p = 0
             by
             mod (r) p = mod (p * (q * d) + r) p
             so p * (q * d) = radix * d
             so mod (r) p = mod (radix * d + r) p
                = mod (p * x) p
                = mod 0 p
                = 0 };
    assert { r <= radix - p
             by
             r = p * (div (r) p) + (mod (r) p)
                   = p * (div (r) p)
             so
             radix = p * q
             so
             r < radix
             so (div (r) p >= q -> (r = p * div (r) p >= p*q = radix)
                                   -> false)
             so div (r) p <= q-1
             so r = p * div (r) p <= p * (q-1) = p*q - p = radix - p };
    assert { d < p
             by
             r + radix * d = p * x
             so
             radix * d <= p * x
             so
             x < radix /\ p > 0
             so p * x < p * radix
             so radix * d < p * radix
             so d < p
             };
    (r,d)

  let clz_ext [@extraction:inline] (x:limb) : int32
    requires { x > 0 }
    ensures { power 2 result * x < radix }
    ensures { 2 * power 2 result * x >= radix }
    ensures { 0 <= result < Limb.length }
    ensures { power 2 result * x <= radix - power 2 result }
  =
    let r = count_leading_zeros x in
    let ghost p = power 2 (p2i r) in
    let ghost q = power 2 (Limb.length - p2i r) in
    assert { p * x <= radix - p
             by
             p * q = radix
             so p > 0 so q > 0
             so mod radix p = mod (q * p) p = 0
             so mod (p * x) p = 0
             so p * x < p * q
             so (x < q by p > 0)
             so radix - p = p * (q - 1)
             so x <= q - 1
             so p * x <= p * (q - 1)
           };
    r
end

module Logical

  use int.Int
  use mach.int.Int32
  use import mach.int.UInt64GMP as Limb
  use int.Power
  use ref.Ref
  use mach.c.C
  use array.Array
  use map.Map
  use types.Types
  use lemmas.Lemmas
  use int.EuclideanDivision
  use LogicalUtil

  let wmpn_lshift (r x:t) (sz:int32) (cnt:limb) : limb
    requires { 0 < cnt < Limb.length }
    requires { valid r sz }
    requires { valid x sz }
    requires { writable r }
    requires { 0 < sz }
    requires { offset x <= offset r \/ offset r + sz <= offset x }
    alias    { r.data with x.data }
    ensures { value r sz + (power radix sz) * result =
              old value x sz * (power 2 (cnt)) }
    ensures { forall j. (j < offset r \/ offset r + sz <= j) ->
              (pelts r)[j] = old (pelts r)[j] }
    ensures { min r = old min r /\ max r = old max r
               /\ plength r = old plength r }
    ensures { min x = old min x /\ max x = old max x
               /\ plength x = old plength x }
    writes  { r.data.elts }
  =
    let msb = sz - 1 in
    let xp = ref (C.incr x msb) in
    let rp = ref (C.incr r msb) in
    let ghost ox = pure { x } in
    let ghost oxp = ref (C.incr ox msb) in
    let high = ref 0 in
    let low = ref (C.get !xp) in
    let i = ref msb in
    let l, retval = lsld_ext !low cnt in
    high := l;
    let ghost c = power 2 (uint64'int cnt) in
    assert { value !oxp (sz - !i) = value !oxp 1 = !low };
    while (!i > 0) do
      variant { !i }
      invariant { 0 <= !i < sz }
      invariant { radix
                  * value_sub (pelts r) (r.offset + 1 + !i) (r.offset + sz)
                  + (power radix (sz - !i)) * retval + !high
                  = value !oxp (sz - !i) * c }
      invariant { (!rp).offset = r.offset + !i }
      invariant { (!xp).offset = x.offset + !i }
      invariant { (!oxp).offset = !xp.offset }
      invariant { plength !rp = plength r }
      invariant { !rp.min = r.min }
      invariant { !rp.max = r.max }
      invariant { writable !rp }
      invariant { pelts !rp = pelts r }
      invariant { plength !xp = plength x }
      invariant { !xp.min = ox.min }
      invariant { !xp.max = ox.max }
      invariant { !oxp.min = ox.min }
      invariant { !oxp.max = ox.max }
      invariant { pelts !xp = pelts x }
      invariant { pelts !oxp = pelts ox }
      invariant { !high <= radix - c }
      invariant unchanged { forall j. 0 <= j <= !i ->
                  (pelts x)[offset x + j] = (pelts ox)[offset x + j] }
      invariant { forall j. (j < offset r \/ offset r + sz <= j) ->
              (pelts r)[j] = old (pelts r)[j] }
      label StartLoop in
      xp.contents <- C.incr !xp (-1);
      oxp.contents <- C.incr !oxp (-1);
      low := C.get !xp;
      let ghost olow = C.get !oxp in
      assert { !low = olow
               by offset !oxp = offset x + (!i-1) = offset !xp
               so !low = (pelts x)[offset !xp]
                  = (pelts x)[offset x + (!i-1)]
                  = (pelts ox)[offset x + (!i-1)]
                  = (pelts ox)[offset !oxp]
                  = olow };
      let l,h = lsld_ext !low cnt in
      assert { !high + h < radix  };
      let ghost v = !high + h in
      value_sub_update_no_change (pelts r) (!rp).offset (r.offset + 1 + p2i !i)
                                 (r.offset + p2i sz) v;
      value_sub_update_no_change (pelts x) (!rp).offset x.offset
                                 (x.offset + p2i !i) v;
      C.set !rp (!high + h);
      high := l;
      let ghost k = p2i !i in
      i := !i - 1;
      assert { forall j. 0 <= j <= !i ->
                      (pelts x)[offset x + j] = (pelts ox)[offset x + j]
                      by ((offset r <= offset !rp <= offset x <= offset x + j)
                         \/ (offset x <= offset r
                            so offset x + j <= offset !xp <= offset !rp))
                      so offset !rp <> offset x + j
                      so (pelts x)[offset x + j]
                      = (pelts x)[offset x + j] at StartLoop
                      = (pelts ox)[offset x + j] };
      rp.contents <- C.incr !rp (-1);
      value_sub_head (pelts r) (r.offset + k) (r.offset + p2i sz);
      value_sub_head (pelts !oxp) (!oxp).offset (ox.offset + p2i sz);
      assert { radix * (value_sub (pelts r) (r.offset + 1 + k) (r.offset + sz))
                         + power radix (sz - k) * retval
                         + (!high at StartLoop)
               = value (!oxp at StartLoop) (sz - k) * power 2 (cnt) };
      assert { radix
               * value_sub (pelts r) (r.offset + k) (r.offset + sz)
               + (power radix (sz - !i)) * retval + !high
              = value !oxp (sz - !i)
                * (power 2 (cnt))
             by
               (pelts r)[r.offset + k]
             = (pelts r)[(!rp.offset at StartLoop)]
             = (!high at StartLoop) + h
             so
                power radix (sz - !i)
              = power radix (sz - (k - 1))
              = power radix ((sz - k) +1)
              = radix * power radix (sz - k)
             so
              !low = (pelts ox)[(!oxp).offset]
             so
               radix * value_sub (pelts r) (r.offset + k) (r.offset + sz)
                + (power radix (sz - !i)) * retval + !high
             = radix * value_sub (pelts r) (r.offset + k) (r.offset + sz)
                + radix * (power radix (sz - k)) * retval + !high
             = radix * ( (pelts r)[r.offset + k]
                          + radix * (value_sub (pelts r)
                                         (r.offset + 1 + k) (r.offset + sz)))
               + radix * (power radix (sz - k)) * retval + !high
             =  radix * ( (!high at StartLoop) + h
                          + radix * (value_sub (pelts r)
                                         (r.offset + 1 + k) (r.offset + sz)))
               + radix * (power radix (sz - k)) * retval + !high
             = radix * ( (!high at StartLoop)
                          + radix * (value_sub (pelts r)
                                         (r.offset + 1 + k) (r.offset + sz)))
               + radix * h
               + radix * (power radix (sz - k)) * retval + !high
             = radix * ( (!high at StartLoop)
                          + radix * (value_sub (pelts r)
                                         (r.offset + 1 + k) (r.offset + sz)))
               + radix * h
               + radix * (power radix (sz - k)) * retval + l
             = radix * ( (!high at StartLoop)
                          + radix * (value_sub (pelts r)
                                         (r.offset + 1 + k) (r.offset + sz)))
               + radix * (power radix (sz - k)) * retval + l
               + radix * h
             = radix * ( (!high at StartLoop)
                          + radix * (value_sub (pelts r)
                                         (r.offset + 1 + k) (r.offset + sz)))
               + radix * (power radix (sz - k)) * retval
               + (power 2 (cnt)) * !low
             = radix * ( (!high at StartLoop)
                          + radix * (value_sub (pelts r)
                                         (r.offset + 1 + k) (r.offset + sz)))
               + radix * (power radix (sz - k)) * retval
               + (power 2 (cnt)) * (pelts ox)[(!oxp).offset]
             = radix * ( (!high at StartLoop)
                          + radix * (value_sub (pelts r)
                                         (r.offset + 1 + k) (r.offset + sz))
                          + power radix (sz - k) * retval )
               + (power 2 (cnt)) * (pelts ox)[(!oxp).offset]
             = radix * ( radix * (value_sub (pelts r)
                                         (r.offset + 1 + k) (r.offset + sz))
                         + power radix (sz - k) * retval
                         + (!high at StartLoop) )
               + (power 2 (cnt)) * (pelts ox)[(!oxp).offset]
             = radix * value (!oxp at StartLoop) (sz - k)
                     * (power 2 (cnt))
               + (power 2 (cnt)) * (pelts ox)[(!oxp).offset]
             = (power 2 (cnt)) *
                      ((pelts ox)[(!oxp).offset]
                      + radix * value (!oxp at StartLoop) (sz - k))
             = (power 2 (cnt)) * value !oxp (sz - !i)
   };
   done;
   assert { !high + radix * value_sub (pelts r) (r.offset + 1) (r.offset + sz)
                  + (power radix sz) * retval
                = value !oxp sz
                  * (power 2 (cnt)) };
   value_sub_update_no_change (pelts r) r.offset (r.offset+1)
                              (r.offset + p2i sz) !high;
   label EndLoop in
   C.set r !high;
   assert { value_sub (pelts r) (offset r + 1) (offset r + sz)
            = value_sub (pelts r at EndLoop) (offset r + 1) (offset r + sz) };
   value_sub_head (pelts r) r.offset (r.offset + p2i sz);
   assert { value r sz + power radix sz * retval
            = value !oxp sz * power 2 cnt
            by value r sz
               = !high + radix * value_sub (pelts r at EndLoop)
                                 (r.offset + 1) (r.offset + sz)};
   retval

  use ptralias.Alias

  let wmpn_lshift_sep [@extraction:inline] (r x:t) (sz:int32) (cnt:limb) : limb
    requires { 0 < cnt < Limb.length }
    requires { valid r sz }
    requires { valid x sz }
    requires { writable r }
    requires { 0 < sz }
    ensures { value r sz + (power radix sz) * result =
              old value x sz * (power 2 (cnt)) }
    ensures { forall j. (j < offset r \/ offset r + sz <= j) ->
              (pelts r)[j] = old (pelts r)[j] }
    ensures { forall j. (pelts x)[j] = old (pelts x)[j] }
    ensures { min r = old min r /\ max r = old max r
               /\ plength r = old plength r }
    ensures { min x = old min x /\ max x = old max x
               /\ plength x = old plength x }
  =
    let ghost ox = pure { x } in
    let nr, nx, m = open_shift_sep r x sz in
    label Shift in
    let res = wmpn_lshift nr nx sz cnt in
    let ghost onx = pure { nx } in
    close_shift_sep r x sz nr nx m;
    assert { forall j. 0 <= j < sz ->
                       (pelts x)[offset x + j]
                       = (pelts onx)[offset onx + j]
                       = (pelts nx)[offset onx + j] at Shift
                       = (pelts ox)[offset x + j] at Shift };
    res

  let wmpn_rshift (r x:t) (sz:int32) (cnt:limb) : limb
    requires { 0 < cnt < Limb.length }
    requires { valid x sz }
    requires { valid r sz }
    requires { 0 < sz }
    requires { writable r }
    requires { offset r <= offset x \/ offset x + sz <= offset r }
    alias    { r.data with x.data }
    ensures { result + radix * value r sz
              = old (value x sz) * (power 2 (Limb.length - cnt)) }
    ensures { forall j. (j < offset r \/ offset r + sz <= j) ->
              (pelts r)[j] = old (pelts r)[j] }
    ensures { min r = old min r /\ max r = old max r
               /\ plength r = old plength r }
    ensures { min x = old min x /\ max x = old max x
               /\ plength x = old plength x }
    writes  { r.data.elts }
  =
    let tnc = (64:uint64) - cnt in
    let msb = sz - 1 in
    let xp = ref (C.incr x 0) in
    let ghost ox = pure { x } in
    let ghost oxp = ref (C.incr ox 0) in
    let rp = ref (C.incr r 0) in
    let high = ref (C.get !xp) in
    assert { value x 1 = !high };
    let retval, h = lsld_ext !high tnc in
    let low = ref h in
    let i = ref 0 in
    let ghost c = power 2 (uint64'int tnc) in
    while (!i < msb) do
      variant { sz - !i }
      invariant { 0 <= !i <= msb }
      invariant { retval + radix * (value r !i
                  + (power radix !i) * !low)
                  = value ox (!i+1) * c }
      invariant { (!rp).offset = r.offset + !i }
      invariant { (!xp).offset = x.offset + !i }
      invariant { (!oxp).offset = !xp.offset }
      invariant { plength !rp = plength r }
      invariant { !rp.min = r.min }
      invariant { !rp.max = r.max }
      invariant { writable !rp }
      invariant { plength !xp = plength x }
      invariant { !xp.min = x.min }
      invariant { !xp.max = x.max }
      invariant { !oxp.min = ox.min }
      invariant { !oxp.max = ox.max }
      invariant { pelts !rp = pelts r }
      invariant { pelts !xp = pelts x }
      invariant { pelts !oxp = pelts ox }
      invariant { !low < c }
      invariant unchanged { forall j. !i <= j < sz ->
                  (pelts x)[offset x + j] = (pelts ox)[offset x + j] }
      invariant { forall j. (j < offset r \/ offset r + sz <= j) ->
              (pelts r)[j] = old (pelts r)[j] }
      label StartLoop in
      xp.contents <- C.incr !xp 1;
      oxp.contents <- C.incr !oxp 1;
      high := C.get !xp;
      let ghost ohigh = C.get !oxp in
      assert { !high = ohigh
               by offset !oxp = offset x + (!i+1) = offset !xp
               so !high = (pelts x)[offset !xp]
                  = (pelts x)[offset x + (!i+1)]
                  = (pelts ox)[offset x + (!i+1)]
                  = (pelts ox)[offset !oxp]
                  = ohigh };
      let l,h = lsld_ext !high tnc in
      assert { !low + l < radix };
      let ghost v = !low + l in
      value_sub_update_no_change (pelts r) (!rp.offset) (r.offset)
                                 (r.offset + p2i !i) v;
      value_sub_update_no_change (pelts x) (!rp.offset) (x.offset + p2i !i + 1)
                                 (x.offset + p2i sz) v;
      C.set !rp (!low + l);
      assert { value r !i = value (r at StartLoop) !i };
      value_tail r !i;
      value_tail ox (!i+1);
      assert { (pelts r)[r.offset + !i] = !low + l };
      low := h;
      assert { value ox (!i+2) * c = value ox (!i+1) * c
               + power radix (!i+1) * l + power radix (!i+2) * h
               by (pelts ox)[offset ox + !i + 1] = !high
               so value ox (!i+2) * c =
                  (value ox (!i+1) + power radix (!i+1)* !high) * c
               so !high * c = l + radix * h };
      (*nonlinear part*)
      assert { retval + radix * (value r (!i+1)
                 + (power radix (!i+1)) * !low)
                 = value ox (!i+2) * c };
      i := !i + 1;
      assert { forall j. !i <= j < sz ->
                      (pelts x)[offset x + j] = (pelts ox)[offset x + j]
                      by (offset x + j < offset r <= offset !rp
                         \/ (offset r <= offset x
                             so offset !rp = offset r + !i - 1 < offset x + j))
                      so offset !rp <> offset x + j
                      so (pelts x)[offset x + j]
                      = (pelts x)[offset x + j] at StartLoop
                      = (pelts ox)[offset x + j] };
      rp.contents <- C.incr !rp 1;
    done;
    label EndLoop in
    assert { retval + radix * (value r msb
                  + (power radix msb) * !low)
             = value ox sz * c };
    value_sub_tail (pelts r) r.offset (r.offset + p2i msb);
    assert { (!rp).offset = r.offset + msb };
    value_sub_shift_no_change (pelts r) r.offset
                              (r.offset + p2i msb) (r.offset + p2i msb) !low;
    C.set !rp !low;
    assert { pelts r = Map.set (pelts (r at EndLoop)) (r.offset + msb) !low};
    value_sub_tail (pelts r) r.offset (r.offset + p2i msb);
    assert { value r sz
           = value r msb + power radix msb * !low
           by value r sz
              = value r msb + power radix msb * (pelts r)[r.offset + msb] };
    assert { value r sz
           = value (r at EndLoop) msb
             + power radix msb * !low
           by value (r at EndLoop) msb = value r msb };
    retval

  let wmpn_rshift_sep [@extraction:inline] (r x:t) (sz:int32) (cnt:limb) : limb
    requires { valid x sz }
    requires { valid r sz }
    requires { 0 < cnt < Limb.length }
    requires { 0 < sz }
    requires { writable r }
    ensures { result + radix * value r sz
              = value x sz * (power 2 (Limb.length - cnt)) }
    ensures { forall j. (j < offset r \/ offset r + sz <= j) ->
              (pelts r)[j] = old (pelts r)[j] }
    ensures { pelts x =  old pelts x }
    ensures { min x = old min x /\ max x = old max x
               /\ plength x = old plength x }
    ensures { min r = old min r /\ max r = old max r
               /\ plength r = old plength r }
=
    let ghost ox = pure { x } in
    let nr, nx, m = open_shift_sep r x sz in
    label Shift in
    let res = wmpn_rshift nr nx sz cnt in
    let ghost onx = pure { nx } in
    let ghost onr = pure { nr } in
    close_shift_sep r x sz nr nx m;
    assert { forall j. 0 <= j < sz ->
                       (pelts x)[offset x + j] = (pelts ox)[offset x + j]
                       by (pelts x)[offset x + j]
                       = (pelts onx)[offset onx + j]
                       = (pelts nx)[offset onx + j] at Shift
                       = (pelts ox)[offset x + j] };
    value_sub_frame_shift (pelts x) (pelts ox)
                          (offset x) (offset x) (int32'int sz);
    assert { value r sz = value onr sz };
    assert { value x sz = value onx sz };
    res

end

module LogicalOld

  use int.Int
  use mach.int.Int32
  use import mach.int.UInt64GMP as Limb
  use int.Power
  use ref.Ref
  use mach.c.C
  use array.Array
  use map.Map
  use types.Types
  use lemmas.Lemmas
  use int.EuclideanDivision
  use LogicalUtil

  (** `wmpn_lshift r x sz cnt` shifts `(x, sz)` `cnt` bits to the left and
      writes the result in `(r, sz)`. Returns the `cnt` most significant
      bits of `(x, sz)`. Corresponds to `mpn_lshift`. *)
  (*TODO overlapping allowed if r >= x*)
  let wmpn_lshift (r x:t) (sz:int32) (cnt:limb) : limb
    requires { 0 < cnt < Limb.length }
    requires { valid r sz }
    requires { valid x sz }
    requires { writable r }
    requires { 0 < sz }
    ensures { value r sz + (power radix sz) * result =
              value x sz * (power 2 (cnt)) }
  =
    let msb = sz - 1 in
    let xp = ref (C.incr x msb) in
    let rp = ref (C.incr r msb) in
    let high = ref 0 in
    let low = ref (C.get !xp) in
    let i = ref msb in
    let l, retval = lsld_ext !low cnt in
    high := l;
    while (!i > 0) do
      variant { !i }
      invariant { 0 <= !i < sz }
      invariant { radix * value_sub (pelts r) (r.offset + 1 + !i) (r.offset + sz)
                  + (power radix (sz - !i)) * retval + !high
                = value !xp (sz - !i) * (power 2 (cnt)) }
      invariant { (!rp).offset = r.offset + !i }
      invariant { (!xp).offset = x.offset + !i }
      invariant { plength !rp = plength r }
      invariant { !rp.min = r.min }
      invariant { !rp.max = r.max }
      invariant { writable !rp }
      invariant { pelts !rp = pelts r }
      invariant { plength !xp = plength x }
      invariant { !xp.min = x.min }
      invariant { !xp.max = x.max }
      invariant { pelts !xp = pelts x }
      invariant { !high <= radix - power 2 (cnt) }
      label StartLoop in
      xp.contents <- C.incr !xp (-1);
      low := C.get !xp;
      let l,h = lsld_ext !low cnt in
      assert { !high + h < radix  };
      let ghost v = !high + h in
      value_sub_update_no_change (pelts r) (!rp).offset (r.offset + 1 + p2i !i)
                                 (r.offset + p2i sz) v;
      C.set !rp (!high + h);
      rp.contents <- C.incr !rp (-1);
      high := l;
      let ghost k = p2i !i in
      i := !i - 1;
      value_sub_head (pelts r) (r.offset + k) (r.offset + p2i sz);
      value_sub_head (pelts !xp) (!xp).offset (x.offset + p2i sz);
      assert { radix
               * value_sub (pelts r) (r.offset + k) (r.offset + sz)
               + (power radix (sz - !i)) * retval + !high
              = value !xp (sz - !i)
                * (power 2 (cnt))
             by
               (pelts r)[r.offset + k]
             = (pelts r)[(!rp.offset at StartLoop)]
             = (!high at StartLoop) + h
             so
                power radix (sz - !i)
              = power radix (sz - (k - 1))
              = power radix ((sz - k) +1)
              = radix * power radix (sz - k)
             so
              !low = (pelts x)[(!xp).offset]
             so
               radix * value_sub (pelts r) (r.offset + k) (r.offset + sz)
                + (power radix (sz - !i)) * retval + !high
             = radix * value_sub (pelts r) (r.offset + k) (r.offset + sz)
                + radix * (power radix (sz - k)) * retval + !high
             = radix * ( (pelts r)[r.offset + k]
                          + radix * (value_sub (pelts r)
                                         (r.offset + 1 + k) (r.offset + sz)))
               + radix * (power radix (sz - k)) * retval + !high
             =  radix * ( (!high at StartLoop) + h
                          + radix * (value_sub (pelts r)
                                         (r.offset + 1 + k) (r.offset + sz)))
               + radix * (power radix (sz - k)) * retval + !high
             = radix * ( (!high at StartLoop)
                          + radix * (value_sub (pelts r)
                                         (r.offset + 1 + k) (r.offset + sz)))
               + radix * h
               + radix * (power radix (sz - k)) * retval + !high
             = radix * ( (!high at StartLoop)
                          + radix * (value_sub (pelts r)
                                         (r.offset + 1 + k) (r.offset + sz)))
               + radix * h
               + radix * (power radix (sz - k)) * retval + l
             = radix * ( (!high at StartLoop)
                          + radix * (value_sub (pelts r)
                                         (r.offset + 1 + k) (r.offset + sz)))
               + radix * (power radix (sz - k)) * retval + l
               + radix * h
             = radix * ( (!high at StartLoop)
                          + radix * (value_sub (pelts r)
                                         (r.offset + 1 + k) (r.offset + sz)))
               + radix * (power radix (sz - k)) * retval
               + (power 2 (cnt)) * !low
             = radix * ( (!high at StartLoop)
                          + radix * (value_sub (pelts r)
                                         (r.offset + 1 + k) (r.offset + sz)))
               + radix * (power radix (sz - k)) * retval
               + (power 2 (cnt)) * (pelts x)[(!xp).offset]
             = radix * ( (!high at StartLoop)
                          + radix * (value_sub (pelts r)
                                         (r.offset + 1 + k) (r.offset + sz))
                          + power radix (sz - k) * retval )
               + (power 2 (cnt)) * (pelts x)[(!xp).offset]
             = radix * ( radix * (value_sub (pelts r)
                                         (r.offset + 1 + k) (r.offset + sz))
                         + power radix (sz - k) * retval
                         + (!high at StartLoop) )
               + (power 2 (cnt)) * (pelts x)[(!xp).offset]
             = radix * value (!xp at StartLoop) (sz - k)
                     * (power 2 (cnt))
               + (power 2 (cnt)) * (pelts x)[(!xp).offset]
             = (power 2 (cnt)) *
                      ((pelts x)[(!xp).offset]
                      + radix * value (!xp at StartLoop) (sz - k))
             = (power 2 (cnt)) * value !xp (sz - !i)
   };
   done;
   assert { !high + radix * value_sub (pelts r) (r.offset + 1) (r.offset + sz)
                  + (power radix sz) * retval
                = value !xp sz
                  * (power 2 (cnt)) };
   value_sub_update_no_change (pelts r) r.offset (r.offset+1)
                              (r.offset + p2i sz) !high;
   C.set r !high;
   value_sub_head (pelts r) r.offset (r.offset + p2i sz);
   retval

  (** `wmpn_rshift r x sz cnt` shifts `(x, sz)` `cnt` bits to the right and
      writes the result in `(r, sz)`. Returns the `cnt` least significant
      bits of `(x, sz)`. Corresponds to `mpn_rshift`. *)
  let wmpn_rshift (r x:t) (sz:int32) (cnt:limb) : limb
    requires { valid x sz }
    requires { valid r sz }
    requires { 0 < cnt < Limb.length }
    requires { 0 < sz }
    requires { writable r }
    ensures { result + radix * value r sz
              = value x sz * (power 2 (Limb.length - cnt)) }
  =
    let tnc = (64:uint64) - cnt in
    let msb = sz - 1 in
    let xp = ref (C.incr x 0) in
    let rp = ref (C.incr r 0) in
    let high = ref (C.get !xp) in
    assert { value x 1 = !high };
    let retval, h = lsld_ext !high tnc in
    let low = ref h in
    let i = ref 0 in
    let ghost c = power 2 (uint64'int tnc) in
    while (!i < msb) do
      variant { sz - !i }
      invariant { 0 <= !i <= msb }
      invariant { retval + radix * (value r !i
                  + (power radix !i) * !low)
                  = value x (!i+1) * c }
      invariant { (!rp).offset = r.offset + !i }
      invariant { (!xp).offset = x.offset + !i }
      invariant { plength !rp = plength r }
      invariant { !rp.min = r.min }
      invariant { !rp.max = r.max }
      invariant { writable !rp }
      invariant { plength !xp = plength x }
      invariant { !xp.min = x.min }
      invariant { !xp.max = x.max }
      invariant { pelts !rp = pelts r }
      invariant { pelts !xp = pelts x }
      invariant { !low < c}
      label StartLoop in
      xp.contents <- C.incr !xp 1;
      high := C.get !xp;
      let l,h = lsld_ext !high tnc in
      assert { !low + l < radix };
      let ghost v = !low + l in
      value_sub_shift_no_change (pelts r) r.offset (p2i !i) (p2i !i) v;
      C.set !rp (!low + l);
      assert { value r !i = value (r at StartLoop) !i };
      value_tail r !i;
      value_tail x (!i+1);
      assert { (pelts r)[r.offset + !i] = !low + l };
      low := h;
      assert { value x (!i+2) * c = value x (!i+1) * c
               + power radix (!i+1) * l + power radix (!i+2) * h
               by (pelts x)[offset x + !i + 1] = !high
               so value x (!i+2) * c =
                  (value x (!i+1) + power radix (!i+1)* !high) * c
               so !high * c = l + radix * h };
      (*nonlinear part*)
      assert { retval + radix * (value r (!i+1)
                 + (power radix (!i+1)) * !low)
                 = value x (!i+2) * c };
      i := !i + 1;
      rp.contents <- C.incr !rp 1;
    done;
    label EndLoop in
    assert { retval + radix * (value r msb
                  + (power radix msb) * !low)
             = value x sz * c };
    value_sub_tail (pelts r) r.offset (r.offset + p2i msb);
    assert { (!rp).offset = r.offset + msb };
    value_sub_shift_no_change (pelts r) r.offset
                              (r.offset + p2i msb) (r.offset + p2i msb) !low;
    C.set !rp !low;
    assert { pelts r = Map.set (pelts (r at EndLoop)) (r.offset + msb) !low};
    value_sub_tail (pelts r) r.offset (r.offset + p2i msb);
    assert { value r sz
           = value r msb + power radix msb * !low
           by value r sz
              = value r msb + power radix msb * (pelts r)[r.offset + msb] };
    assert { value r sz
           = value (r at EndLoop) msb
             + power radix msb * !low
           by
           value (r at EndLoop) msb = value r msb
           };
    retval

  let wmpn_lshift_in_place (x:t) (sz:int32) (cnt:limb) : limb
    requires { 0 < cnt < Limb.length }
    requires { valid x sz }
    requires { writable x }
    requires { 0 < sz }
    ensures  { value x sz + (power radix sz) * result =
               value (old x) sz * power 2 cnt }
  =
    label Start in
    let msb = sz - 1 in
    let xp = ref (C.incr x msb) in
    let ghost ox = { x } in
    let ghost oxp = ref (C.incr ox msb) in
    let high = ref 0 in
    let low = ref (C.get !xp) in
    let i = ref msb in
    let l, retval = lsld_ext !low cnt in
    high := l;
    let ghost c = power 2 (l2i cnt) in
    while (!i > 0) do
      variant   { !i }
      invariant { 0 <= !i < sz }
      invariant { radix * value_sub (pelts x) (x.offset + !i + 1) (x.offset + sz)
                    + (power radix (sz - !i)) * retval + !high
                  =  value !oxp (sz - !i) * c }
      invariant { (!xp).offset = x.offset + !i }
      invariant { (!oxp).offset = x.offset + !i }
      invariant { plength !oxp = plength x }
      invariant { !oxp.min = x.min }
      invariant { !oxp.max = x.max }
      invariant { pelts !oxp = pelts ox }
      invariant { plength !xp = plength x }
      invariant { !xp.min = x.min }
      invariant { !xp.max = x.max }
      invariant { writable !xp }
      invariant { pelts !xp = pelts x }
      invariant { !high <= radix - c }
      invariant { forall j. 0 <= j <= !i ->
                  (pelts x)[offset x + j] = (pelts ox)[offset x + j] }
      label StartLoop in
      xp.contents <- C.incr !xp (-1);
      oxp.contents <- C.incr !oxp (-1);
      low := C.get !xp;
      let ghost olow = C.get !oxp in
      assert { olow = !low
               by pelts !oxp = pelts ox
               so offset !oxp = offset x + (!i-1) = offset !xp
               so (pelts x)[offset !xp] = (pelts ox)[offset !xp] };
      let l, h = lsld_ext !low cnt in
      assert { !high + h < radix };
      let ghost v = !high + h in
      value_sub_update_no_change (pelts x) (x.offset + p2i !i)
                                           (x.offset + 1 + p2i !i)
                                           (x.offset + p2i sz) v;
      value_sub_update_no_change (pelts x) (x.offset + p2i !i)
                                            x.offset (x.offset + p2i !i) v;
      C.set_ofs !xp 1 (!high + h);
      value_sub_frame (pelts x) (pure { pelts x at StartLoop })
                      (x.offset + int32'int !i + 1) (x.offset + int32'int sz);
      assert { value_sub (pelts x) (x.offset + !i + 1) (x.offset + sz)
             = (value_sub (pelts x at StartLoop) (x.offset + !i + 1) (x.offset + sz)
                at StartLoop) };
      assert { (pelts x)[x.offset + !i] = !high + h };
      high := l;
      value_sub_head (pelts x) (x.offset + int32'int !i) (x.offset + int32'int sz);
      value_sub_head (pelts !oxp) (x.offset + int32'int !i - 1) (x.offset + int32'int sz);
      (* nonlinear part *)
      assert { radix * value_sub (pelts x) (x.offset + !i) (x.offset + sz) =
               radix * (!high at StartLoop) + radix * h
               + (power radix 2) * value_sub (pelts x) (x.offset + !i + 1)
                                           (x.offset + sz)
               by value_sub (pelts x) (x.offset + !i) (x.offset + sz)
                  = !high at StartLoop + h
                    + radix * value_sub (pelts x) (x.offset + !i + 1)
                                                  (x.offset + sz)
               so radix * radix = power radix 2 };
      assert { value !oxp (sz - !i + 1) * c
               = radix * (value (!oxp at StartLoop) (sz - !i) * c) + !low * c
               by value !oxp (sz - !i + 1) * c
                  = value_sub (pelts !oxp) (x.offset + !i - 1) (x.offset + sz) * c
                  = !low * c + radix * value_sub (pelts !oxp) (x.offset + !i) (x.offset + sz) * c
                  = !low * c + radix * value (!oxp at StartLoop) (sz - !i) * c };
      assert { !high + radix * h = !low * c };
      (* proof by reflection *)
      assert { radix * value_sub (pelts x) (x.offset + !i) (x.offset + sz)
                 + (power radix (sz - (!i - 1))) * retval + !high
               = value !oxp (sz - !i + 1) * c };
      i := !i - 1;
      assert { forall j. 0 <= j <= !i ->
                  (pelts x)[offset x + j] = (pelts ox)[offset x + j]
               by (pelts x)[offset x + j] = (pelts x at StartLoop)[offset x + j]
                  = (pelts ox)[offset x + j] }
    done;
    assert { !high + radix * value_sub (pelts x) (x.offset + 1) (x.offset + sz)
                   + (power radix sz) * retval
                 = value (old x) sz * (power 2 cnt) };
    value_sub_update_no_change (pelts x) x.offset (x.offset+1)
                               (x.offset + p2i sz) !high;
    C.set x !high;
    value_sub_head (pelts x) x.offset (x.offset + int32'int sz);
    assert { value x sz
             = !high
               + radix * value_sub (pelts x) (x.offset + 1) (x.offset + sz) };
    retval

  let wmpn_rshift_in_place (x:t) (sz:int32) (cnt:limb) : limb
    requires { valid x sz }
    requires { writable x }
    requires { 0 < cnt < Limb.length }
    requires { 0 < sz }
    ensures  { result + radix * value x sz
               = value (old x) sz * (power 2 (Limb.length - cnt)) }
  =
    let tnc = (64:uint64) - cnt in
    let msb = sz - 1 in
    let xp = ref (C.incr x 0) in
    let ghost ox = { x } in
    let ghost oxp = ref (C.incr ox 0) in
    let high = ref (C.get !xp) in
    let retval, h = lsld_ext !high tnc in
    let low = ref h in
    let i = ref 0 in
    let ghost c = power 2 (l2i tnc) in
    assert { value x 1 = !high };
    while (!i < msb) do
      variant { sz - !i }
      invariant { 0 <= !i <= msb }
      invariant { retval + radix * (value x !i + (power radix !i) * !low)
                  = value ox (!i+1) * c }
      invariant { (!xp).offset = x.offset + !i }
      invariant { (!oxp).offset = x.offset + !i }
      invariant { plength !oxp = plength x }
      invariant { !oxp.min = x.min }
      invariant { !oxp.max = x.max }
      invariant { pelts !oxp = pelts ox }
      invariant { plength !xp = plength x }
      invariant { !xp.min = x.min }
      invariant { !xp.max = x.max }
      invariant { writable !xp }
      invariant { pelts !xp = pelts x }
      invariant { !low < c }
      invariant { forall j. !i <= j < sz ->
                  (pelts x)[x.offset + j] = (pelts ox)[x.offset + j] }
      label StartLoop in
      xp.contents <- C.incr !xp 1;
      oxp.contents <- C.incr !oxp 1;
      high := C.get !xp;
      let ghost ohigh = C.get !oxp in
      assert { ohigh = !high
               by pelts !oxp = pelts ox
               so offset !oxp = offset x + (!i+1) = offset !xp
               so ohigh = (pelts ox)[x.offset + (!i + 1)]
                        = (pelts x)[x.offset + (!i + 1)] = !high };
      let l, h = lsld_ext !high tnc in
      assert { !low + l < radix };
      let ghost v = !low + l in
      value_sub_shift_no_change (pelts x) (x.offset) (int32'int !i) (int32'int !i) v;
      value_sub_update_no_change (pelts x) (x.offset + int32'int !i)
                                 (x.offset + 1 + int32'int !i) (x.offset + int32'int sz) v;
      C.set_ofs !xp (-1) (!low + l);
      assert { value x !i = value (x at StartLoop) !i };
      value_tail x !i;
      value_tail ox (!i+1);
      assert { (pelts x)[x.offset + !i] = !low + l };
      low := h;
      assert { value ox (!i+2) * c = value ox (!i+1) * c
               + power radix (!i+1) * l + power radix (!i+2) * h
               by (pelts ox)[offset ox + !i + 1] = !high
               so value ox (!i+2) * c =
                  (value ox (!i+1) + power radix (!i+1) * !high) * c
               so !high * c = l + radix * h };
      (* nonlinear part *)
      assert { retval + radix * (value x (!i+1) + power radix (!i+1) * !low)
               = value ox (!i+2) * c };
      i := !i + 1;
      assert { forall j. !i <= j < sz ->
                  (pelts x)[offset x + j] = (pelts ox)[offset x + j]
               by (pelts x)[offset x + j] = (pelts x at StartLoop)[offset x + j]
                  = (pelts ox)[offset x + j] }
    done;
    label EndLoop in
    assert { retval + radix * (value x msb + (power radix msb) * !low)
             = value ox sz * c };
    value_sub_tail (pelts x) x.offset (x.offset + int32'int msb);
    assert { (!xp).offset = x.offset + msb };
    value_sub_shift_no_change (pelts x) x.offset (x.offset + int32'int msb)
                                        (x.offset + int32'int msb) !low;
    C.set_ofs x msb !low;
    value_tail x msb;
    assert { value x sz = value (x at EndLoop) msb + (power radix msb) * !low };
    retval

end
why3-1.6.0/examples/multiprecision/logical/000077500000000000000000000000001440160026300207025ustar00rootroot00000000000000why3-1.6.0/examples/multiprecision/logical/why3session.xml000066400000000000000000004141461440160026300237340ustar00rootroot00000000000000


















 
 
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
 
 
 
 
 
 
 
  
  
  
  
  
  
  
  
  
  
  
   
   
   
   
   
   
   
   
   
  
  
  
  
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
    
    
    
   
   
   
   
   
  
  
  
  
   
   
   
   
   
   
   
   
   
   
   
   
   
   
    
    
    
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
  
  
  
  
  
  
  
  
 
 
 
 
  
  
   
   
   
   
   
   
  
  
  
  
   
   
   
   
   
   
  
  
  
  
   
   
   
   
   
   
   
   
   
   
   
   
  
  
  
  
   
   
   
   
   
   
   
   
   
   
   
   
  
  
  
  
  
  
  
  
  
  
  
  
  
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
  
  
  
  
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
  
  
  
  
   
   
   
   
   
   
   
   
   
   
   
   
   
   
    
    
    
   
   
   
   
   
   
   
   
   
   
   
  
  
  
  
  
  
  
  
  
  
  
  
  
  
 
 
 
 
  
  
  
  
  
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
  
  
  
  
  
  
  
  
  
  
  
  
  
  
 
 


 
 
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
   
   
   
   
   
   
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
   
   
   
   
   
   
   
   
   
   
   
   
   
   
    
    
    
   
   
   
   
   
   
   
   
   
   
   
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
   
   
   
   
   
   
  
  
  
  
  
  
  
  
  
  
  
  
  
   
   
   
   
   
   
   
   
   
  
  
 
 
 
 
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
   
   
   
   
   
   
   
   
   
  
  
  
  
  
  
  
  
  
  
   
   
    
    
    
    
    
    
   
   
   
   
   
  
  
  
  
  
  
  
  
 
 
 
 
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
   
   
   
   
   
   
   
   
   
   
   
   
   
   
    
    
    
   
   
   
   
   
   
   
   
   
   
   
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
   
   
   
   
   
   
   
   
   
   
   
   
  
  
  
  
   
   
    
    
    
    
    
    
    
    
    
    
   
   
  
  
  
  
  
  
  
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
   
   
   
   
   
   
  
  
  
  
   
   
   
   
   
   
  
  
  
  
  
  
  
  
  
  
  
  
  
   
   
   
   
   
   
   
   
   
  
  
 
 
 
 
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
   
   
   
   
   
    
    
    
    
    
    
   
   
   
   
   
   
   
   
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
   
   
    
    
     
     
      
      
       
       
       
       
       
       
      
      
      
      
      
     
     
     
     
     
    
    
   
   
   
   
   
  
  
  
  
  
  
  
  
 
 


 
 
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
   
   
   
  
  
  
  
  
  
  
  
  
  
  
   
   
    
    
     
     
     
     
     
     
    
    
    
    
    
   
   
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
    
    
    
   
   
   
   
   
   
   
   
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
 
 
 
 
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
   
   
   
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
   
   
   
   
   
   
   
   
   
   
   
   
  
  
  
  
   
   
    
    
     
     
     
     
     
     
     
     
     
     
    
    
   
   
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
   
   
   
  
  
  
  
  
  
  
  
  
  
   
   
   
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
   
   
   
   
   
   
  
  
  
  
   
   
   
   
   
   
  
  
  
  
   
   
   
  
  
 
 
 
 
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
   
   
   
  
  
  
  
  
  
  
   
   
   
  
  
  
  
  
  
  
  
  
  
   
   
   
   
   
   
  
  
  
  
  
  
  
  
  
  
  
  
  
   
   
   
   
   
   
   
   
   
   
   
    
    
     
     
     
    
    
   
   
   
   
   
   
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
   
   
   
   
   
   
  
  
  
  
  
  
  
   
   
   
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
   
   
   
   
   
   
   
   
   
  
  
  
  
   
   
   
   
   
   
   
   
   
   
   
   
  
  
  
  
  
  
  
   
   
    
    
    
    
    
    
    
    
    
   
   
  
  
  
  
  
  
  
   
   
   
   
   
   
   
   
   
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
 
 
 
 
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
   
   
   
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
   
   
   
   
   
   
   
   
   
   
   
   
   
   
    
    
    
    
    
    
   
   
   
   
   
   
   
   
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
   
   
   
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
   
   
   
   
   
   
   
   
   
   
   
   
  
  
  
  
   
   
    
    
    
    
    
    
    
    
    
   
   
  
  
  
  
  
  
  
   
   
   
   
   
   
   
   
   
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
   
   
   
   
   
   
  
  
  
  
  
 
 



why3-1.6.0/examples/multiprecision/logical/why3shapes.gz000066400000000000000000001265241440160026300233540ustar00rootroot00000000000000Yo96|_2p_>؍9xS7skZG-_<)yev|2A2_}>!:`/!QxW`
"ʢ׮(P/'yFM}w2jmӇ}ƙ/Ç.>vp|8d|8g7(&ݩo7w{:z.߼EUO?
ޛ,y;P,vH:-Dm5^S.j;퇷oL6ꗦ>6e;b^-3¤3n^8
tQ!DẸ#jRcN.6`evC]77oCR>sHum!?_ŨA
\Hf:#7L2j	*>bnBDh\p.!hKjL?Li]C_ */AP/GB,},p*v7r;}tRNdXjkSg_LDt
v$
cd
JjVV%+=U)G,l?12jw1y5oġV]SDndҮCgr
Ɣ=遾^ep^>v-"xٱPfS5Y_ߓrQ{JڒrnuVA>*{	7]?VƴVl+4@gнr<%?<%uOW "I.dgbU^.`[EFM!д0dV-^8Wiieȗ3oҭuYV+V\u
(VrWAuqB́f{\Yok֦֕ee@4-.Ypkl//Y9- l'R'+2G&'reVaOj.^v,piRTa?00P%(eF_V~6ۦV~-M"vY9Qga|Y_I_LvccCWԮw噞ws/l=l^={zzP{6_#6,.Ֆ4>;RR؊w䐵ߌfeemMQeeׁ,^ag{ޡO^8#7zgpL?s]Ǧ};@48i4Ysŧoӧ`r0>>;9܎oO2Ą$>,	%wYjR]組)洙f}OhmP|l ~@a_
O?۟Nnsko}koWƭś|sڋ`~o}#7;2CM#!%,;=D."yb'4B||Īܮfvi[73Q׿Q4E[%:r\2&`>9_}KGv&s*w=*ygÃ(yފ?Gxz.ǖ(4#r
N
lQ*KǗ.qģzO^-%|æGBz}T5Øo#&A
>(}Z	=pw8G`ń+w8•Mbb|tGku0~uVU0e4oNy%H"C9f-Onf	8Mș*73ܤtMSh)j)n)o)iiSSSh)jɷ}[}
>>E
?ؗqMzGOjΊ#_&옩Y	R];g#z$nL׻o~zň$-QZj̮hUھ².(7iiX?_NvCrY{nIh"'~F11Ɍ&]gl&ɔTKfUR_˷%JUvH[}o2,si_d[}Ӄ673@)woglZD,Cd:[^Q:SM$x˲R߽[ݓoH/gdm${B9{Xs/ɝ/@NBſs+G?#dDpEn[^0~[P;"#iG|V<coނ=zh9;,V?Jk9HR#B@vǠ+'{zrHdqNH'?L**yۛ$9KyMOOi4~"S@4?
D+(C0~69cO$Q*$Xl
$ql25i0rsxң0g
ґCdGsn6ٳ3n\
I[Y:Bg.r?4Y1#puD|U/eYz4FIHv_'k42kCfNW֕k}h2,!/:d<
фϧA,
R/19|	D>!UzMɷ
W8I#_BF
Ӽlu
Ѭ%;ʴ/9tLW|;*T{e"c:]?3uW+>*?mJf}=C:2	Y0EEa
#r'<
_cgW&jt
)_Êl19@9yhpAmYxPq5u  w^<9}*k	y|QXϭ̹G4v8֦3³!vq]sf7
Ἒk5h^k,L6/Uoz8m5qNnAI]ew-ADZ)q`n]\xTL ̹jf`}$cB#O'G.)	Meutx2n)ۉX1{cM1>S5{nܭ=GdbI]'1pE\B]Qߦ09Q΅	4l
X`[TR+B^ ңt6ŋW6wT\[6s
o6oޙLwsw&9[mhŻM&9Dg4qgJѽDV{`$*5E\8J/dD0{JZw%ɣeɣpv%h|ZZy9V
Y@tmn~6E<>`}
-̈8KDʮ`mB{]*_J\|	Yg9}؝$old	~ǿoN>\HɊ߫}c:Y>&/B(NB(^nP
$
dBA?q$L$4Ih#G'$i}kD^48ȗ!>"8^˒p03Yq;f/ӮYaYDdA}r#Hud$1~mQe7Ϩ
PVy?Q2[DiFI]ANѝw=h8E-:1g
tYÐ{*/n%_%.K^t?
+JeºVwkxSp^;Mtyi8vcyi4uzSSnZELi՟kky;Zm
;e.+>N!*	ICA0o*Qb7@K9[S\P)y^ad2bV̞CFiw#YךGT$'ǚ!:m֮^ěXL͍=FQyys>XKL1’A's[)Mo}lu
VrrżI8YX
M\TwOu^.hRvUT^nI[Nmu&Ū={{鹮{UruB庮(1
nxV\6i񽓖H<̴IUuFֹf.avfQwtņwx	-ֽbK-ûInsRnrƙdvz/:G3_]+6-%?a-pOOoͿ;,Eysz?WBk`
 ^:S[Tl|t~bNy̼	C<}7Їp;>Me{gi'!KBx\Daߏ`@q"ڑطGɜIM}cP{de\cɦ˗nׅHظhw+@6&BiC&JsH}DJS)?'QNBDJ"B)AM>rQh(P:s\q:ecsp/9g^\YNy-'&fӒoWN\Fj"%PDDV<İ·,Pͽ&Ek.yQ71%6]LSmw70ϰahP~Y2ry~o%wo%h*ڑf[p
:Dhw/	Ժp8)Iv`C)}UʒL5K/RQy[W}"{v5LWkXt۱Ak™cV.D/S}6 
Qѷ,8%F),/_Uؽ&>d|ﺻF$԰̪)Ju.̅bՅ\uEQ	,.[*e}_zV[.>ys=9R:B`u${ꓰ.VAok]ݦv}XeV(A+GVUekB^+&/^-+fJ9~Jjuu֜cy{o^2p~ajj|
,ڭÚ46xuvFsIb)bDR%5258\"UHO8wB#{>!'G,ٖȲ<ˊ\.i7
@ht2Mza͇?iJ4X"\{£rE};p&GbV'dnDRDR<YI鋵QqV|ZRQCCfk.1/Pw&+Nz\i/7IW2Wew#*N
fv֌,Mfn}M_[P0o2ĭ'۝A(;*
ZޥkPMRNK)ب,$z`qg
*|p+4MMc6Vo9nTx+t䁏;âx)gE!8tċFP<\xmw	˖~v{Ri\eIr%kNN|#

sK_߿Z^վ%r/׽-j	7vmr\y);ID,uzX%bJ/+DQpOXJ#hs%T=
2w6&ee\`2KFKJ(ԦR&_+RnJq˦h:^L6@jLWSr21eG̟uꦼ)Colic&ok.TqaW'/dOi0lhJ|)9wMdܓxJOrr%bZiT^]ۏCo.V2{ݎM4w6tdΝwJZgJe֧sZ;FLM=;8%5꽢mc~$.v05?
&9HESR#Ƀ=&FbȦf7Lbe­|? 99*R
Ժ5y)å—5l>isW~or~~nɣɔ7@Xvc`N]\'/lyyilcx߅ѯ߅'>Pۖsĉer0Gfxccw$NiN^v(#+uy,d?fPqձ$ɮ,9Y^?ơEoZIvwwjo0+bfB;o'l#w靂DX׏kA/{-`4ǏWPL<wV$~GKx)9xvƔ6>YUtJ	B#=Y)GYXŴgiLB9cG"$&5	A H2bLSar7\l8KCK?| UY	ԁXw9Dc>f%&KlvE$h_r1!*߮)g-]ȃ>tj08tR53D)jo\ŏT_~?_e
$&H\/bDňO#	m9eZgl-52	'/+TX3`EƖ
	*$lpB
?,\d3'J*(TP9@@~ΰ

*(!
LiД8O<1>u{q6S}|M¸y#ht4Ir&zL<6T"G %5%(IzU>l>=.Űd^WtӡG(ask|U,	@z@G@(
h@n*Tpc00ݒg^mlmQ2KҺfY8@pEJ6*/ћȊ"|ul|qLSawD)
mդB
?0 X?A;.hHg/?KUSc6$x&C:ȡ4"$ PA֘ka8HB×1+TTFغt	`F)#e4mrY_>w%.MY<\f4X%T	/;.֐lnNNwStV	]5MC&
o~48Qt.s=?Cl$u&b+ڇ)J9Ȟ	)Iه)0D)ph/"2Llk|'O1K31M\g
̻CWDRmI3I]`V.!6ZB
Vy3u5L%4XUǧ:~xֈ\+e`rC`or]be<qqB	Xs[[Q=$EfO/`Q&aU#,}`mVz
	$Z$:H:Vq\cm@"(*PTр"
T%*J<=eE~du9-\VPPAY1ve
	~2HHA6{iPB
**TT)P!da
*0T`x0o27^eEgXenˊ	*&\~n|/AT"4R=#HXJ@D'/PӒӐLW!Ҏ2#a{Y"LEG0ؑߚ/ˊ	*&$`$eFcލ`Div
PT1bHŐC.tnB
?,&pՑ؄G@,ʜsžh
UKE_I͢i&J.}%rLy}UѫWEN,%|Vd*LGK($Tt=C7$=$U!df^A=:0IDu"[fݯt(%3_τ2*UV"νQߴhn_;uSР"]q5]عxvawMRnZ˩`L|~#uu~.Y$iuVͱ0رkE	~$X
 *@q	ֱ	mNd˿Hx"&	e0Gl@!K)F1'|H]֩NuY!6e=.H9AIfCbkUReT?P7)ĥJYxJG,!=MtLBc:d@stp/R)1i^ZE
OqܻPqσy<(._e?$=@
I>$-E/uţ^W(Iq/ȶwңk	"(!NWe8UaC`+?C;p#zvN".-0l#K]>:"5yh^<㲗-^v$%-mɑ☴UzuFd
3֛ͨkMnѲx WiF10`/KNuJSz%Ңۅ"X6w7n&nNͱ
=\ak/1W(-w+ȇ+\ᤛF	4(b⤹鎚]'!pb|Xgz9ZACG=bD?}pR_BTid	/ArOABhQӟ
dF
^v|S5*AyYT."@\@"B. ,2e	tX@b:ltPP@.KMYp"o1ː!0"-!e Pѐg,)<..7l&|	mBaA.|V^exʨczFi~ni*i4]
5oDXdؽ&vHWW?fwI
mw7!ӋE;+6Y4,dpxpkt8zJmB	#*?O	^,SPCsDuYCDl%ܥߍ.ɞJ5Fv%}jå|?^7&=cZQDE'w *eZGn*sPL\亸TTRQ19qN>w^2Nz#ȚuZb~G3w41of&4i2|_h;NfuyIw+U{wzcVyquhס]12;Xs.UBO
=z."ie+DʼnO'"`z";+JT(P"=DO]VdP#,l:bP"O"CE?2\$&*,TX)`!
!_V`P'y;iˊ*"<0o0EsYB.00_eE~
d`F;5PA
-A@
:,!\2/FhtHc8b?Ooۛۗc<^(Ù}{^M[lڷ>pvh;O'O(jy:?ȳֹ@1o_ERYxQW#W/ءӑqz7R}szr7'	ɥ~3>EEnW]H?ƓWGL]9^Dr~d0~eK*U(!b(xa?1 F`!X9NM~ D4^@SQΣ@
@5/_@kDFPGE+7GOUةSa5ˊ	*tH`N$fG/}úr=
b>K`ԇp\A]@FB
,X*<*`(0"CE?2%cˑrO#kʣޚRY}5Cp[Y	ak>5:/bPx>ERDNkJivCP$WGɯ<\ve"c<8JLR!B	!P5'6}ؔB8=Zo|cc,*<LvQf`l0UY&R!)e߾BMKE\r_qI2qC2RW,<cJ(
˯C*T8؄+ƄdI*̻#Vy$,dVȲg|@`͋d|_	Kb`>\e>P2(/wNmf"?;PR_7t4,W:+N:*!p׏nPʏs#kUuTI(n%?pqP(g}`|r$$w6>ީyݓp&u光+\?<e,GCs
peץe껕}O64_I!Y#Mu7ǀt4Y\E&2'܉/]'6op`V)],t;M6?aw
1&~]H7 p6:MRM')wA{6n7o?q=~|sۦ*g>0
m6w{#^dݜ|[|
j*t3ˤY\	:=}zXN:9p5ɘ3&ČƗ
`P/ٍ1ARf.ҿ,/Ѹ1\$tݘqa,Ex1~2~]]w7$.iq:I4yY?lДq6er1$ac\IP0y33R
du"ys!{AE544\ZN؎Ğpv&sjw>5ّ;R95ݓZ{(G9}ƅ@krwn$Hj$='ʈGTr{ͧOĝtG!,789
jZ`vg8BC!4ֆOLBGN	]2~9\[&l!,dτfPr$KJg&辞ȜXwHe+ "gKFJ V^;wp:#6d^۟bh\EjHNVRǰ=5fhڷZ'hO1M⮻'ө*
#ݘGF|CTHIDRZAr:-9%	Gw!	=TBN\HD2udw/"Y,z%`Gv6@5)Q @0(}!`
QDcC8̬¥UQ(%pXe+%ޠpn9̞G}\xnA7<["'uT%>,Ė˾Ή/#ї
ufq
P(
[NW~Pd?m+Rjl짫īx^-/Yd$!lq^	gLaAk[^2y]o@P>N-Nz8Wt]Nq)΋YzΙeȦ6;sMOrTcH>s
,,4l2iݐ7s:`@	#*>4%xLB
ns.]U0t\gGR͓=oʓhF9ޘ'ҽ5/Wb<6cbR0Xn}FS_*:2Okx4|QV}՚CY9EnT|K=+8
>\䋨W:bE1c9%Ta/eIZlUDB,.,QSAIyYП?f/JW0ϕwm9ܫSyohЕF+cqK=_;˚q;ug,^
X?4Le*֖_L+Z%bU?gpz^]ﱿy
[/֯A([+8K$_ԪI+­ItKvž%/|'=-4u'Ϳ6g|kVΦ<>af		|fʋ^lBgZKܜ-s$egXXѧehmg	7LZcF_0F$13PT6v*݅6&23(pc{o{#;cMڑ=py8C?]&b7
9`Of`MB"1;[ft<]7#nrnW캉XItKD&
Ό/ɫS*z&IYԆJ&Ҳhtb圚o+@^|wń&LR{1dsSݭ:>f(=w3#BRNR&LtOISG!{ZmR2[`г)e
]4X{ܲ	3
)^f&T&̔M\TzR6a|SfaWKeC`%",F`䫗aRN,B!_f <4gXdgȊJeȓIsD:m^"3"S"kY"cY":1(DV23D43Df87DzaPn2"cZ0D6CȊ85*!kZBVdh\[muLDԘ	+.н˫|]bB[֢&0B;,k9EINV;Fa#ϔRV|$mm0rlv&_քq-lul=Rj螨?[{,[+u#r7+rmW$(`꿷1v6wgZ?"<{qVVw59=*d5o(}n㚘.)q&Oj߸.YVMq1g9h:]x={Vxfe]r"j%»z\2}S+Agn>XF=Kpܑnr;bdG^\4zrk14rhHZ̞a@,GvaqbɔhƶGzE0ZHܑōl`6DC"r{ȍ kD(c[!-Quw!oRcl@"vAY4׬|`-嬃D挴5꩔$	֏#i9$rl< NcNy;CgWyB3"{IG`Hb+@.R}(3BlNM;A}к8Gz\~X8di4uD@%mט2ǑB4S+QP";u"ޘz*dlzDq09bhU^7@H
m-Gaem5txD#@77EƤ30tٰQC -PpJ(PhAzɨ̈́
,4Z6J5ӌrFI0"
BK
.baTCL
"P`#PnY&JK.8̔0Ė],#L_Ш^]:[İ4mA=d&
)QeiK0`z`T%Fi4r;12Ǟf`97BЃ65`)Iq[~V0.(n`b*@%J-p]6"fCmk00`Z;(Iz1FzPG9u3Q%/`bLN`i,䀂
z(TIThPgZ+3FaI
88(HC
 @Af0I
)w	溱ŌH!F
A69:/(M1H5#{ $sb4=`Ajhj{;n8xd}Y
44P0H@-\5H'c5XKHu8ϥ@;
S;Lɣ Sw#5Aȁf)J*-նya@Ğ0`
܅?Kg〤10.E@haiEah##6?0ǰ ÊCbtDn5Ѓ0`ؚ
'@
ZhtLQu070JUa9qԨ{=R,~a]kH%Dqa[X`-m̪Rq4`IH/A
JcZ"`4@ GfmaIB'fy(;6$BJܠVXiڛ9TYzk,1~
5`c,Uj):1,1)U-.,mH
*C`Πd&kt ,B	Ma'cZHThUj
d4fjЃϽZӅƐ3)A0.f~+3f`S)UAN2WP(0=/tL\d]Y(QD #H#*'saa3'Q nl#`Xt0
0mRdq̹HO;
flG	m
(l,3|U*APv]	|
	K4L:f7R#X>0%̘1fM{1L좙]J4Lg@6[; ڬFNq/<.{Ps€Q0`j:fCFY##Ɣ`HZ,ոӰUـd5eNHtB)@WIJ!HXw4!ɉtHɗ07+#yT
3!G6a@yFVXkda3Տ,0.LkԂюz$4EV(I	=Bf5vJ ؀ayJӁ]$XFaD5T4	Kr@ʘq
dQ'9R6C?5`2+ؑ3$ak68AƐ6aZe'蝲]NM=~lY15
>@7J 1&fp
.A
|j")xkEϹ!RwkOLwҜ;oq$ah
YO1q]N
lE.2N44*%#04L-Ac?frflFǞٵdb]bXOzM6DL3Xi
ӁB'|	asTuSX@S+ȢLfhƒX#AX1k?m+Y1XwV#yZL4?2޸P5)381gnyK&W t\rt!H t!YU(@c#Q!G$G,Y5mDEu	O
OO#SNB:iB:	$N_NB:k+N Jx5 |c!BJ:Vk{cA]L)fTATؿ	sC0<48KkF
qGU =v`MQ 2hM3(YPd&6^E	i8nT07,H*RUdF+ZrAkN܌H1RUH598Z^wHXU
a09.U?Cu7bU>k>:G~a"JkX'Zxokf@*`ƶi{
ֿh$mL#Ezi3P?ƮrWHpW)|R+eJY-[Gλ
KmBԸK	V%3$v
m&T6F
2Whk-H@VswMa(7J{<@a3_@Ẉ#=${P8qo*p?=ƅf+q
i	n5,-C+tx
]/y&6)xG6SihUc;ʮu(Eb^/-i1_tA	|0_qt0v񾬔C#Z.c9W++iFk$$˜6Ì~lAR'*_I7Z%tCHd+FH3끼co~'4j1fX̝*U>:6=H%!MC!2 XPuH^=&QI-co VM+z.;pQٮL
QWq
hH4=֬{v|O6G8Vqy/^q4*ͷ%\uy2U8~q8
@ZMtđTq-y+`ㆰpǾPԌu71B}'#FG.^}r&qdU8~qdP\7#=-%}7OT7Y +i%Ⱦnw/ILor-5'\qqq0vMTX=-ıWFmJt#KDҠ.9&ݗ鍜θ_E䴬\F
c"
7_QBuVخ[gCo&Y3
rL v ^TbJym[$",z0aEر*zU1sˮ]Ӌ}@oI	'U}	WKIz(W@ؚ$@pۨOT"%i8FD3q\]7ta*&U~oelDl0ji&1TU(~eQDnioM&QU8~l6׈?{ߚ9l?`4Ja
4t:	>g;@"ۥZK9@tzǪgڒ!MɛoXl
imkt-9QottmS>ļ(4ϵk7eoʾʞN.Zjgnp듲MwD3ڊ$kEXe%Ɯ(0ԽŴFC?XQ
ZgN4ih^5;@=dO(n4~4^$1*y1j\LDg$G	ܭ?J"#5hbr%!pkOg3O9Q`6)0LC6b[vڄG5}
o0ޠbN%4СVC>)ܰpj*N?Z~vY
ݸayKXq^
FDA^HdtAyo+FPqvkR۲5G9+yyˑRҷm}B_"d,ѴK`!Bn`9Y-/(:0vs(ʁϏL}vXk2A͸l	rgYybsk&7P?Qb#[۠2vɊMR7P?65X[n*vݣ>X_]^_zt:,Gײr	3YJɅ9*
7e>HCv)☭#[P?i	Svl쾬sZ\ٮ*kH=Kt6:H*q=E(0 
(Hq9Uq57IϬTsBziMNft[mޭU(!T@O=GoPYʆ5T?C2t>#u&CKc`%$@d(Սߜ=''?S5W}:u18U{' J		o74H6Ho ]AZGЮ]7!L6ւ+T#WrSskDJƖ*hH9Qϫ}= Bf,;ƼÿCc6SCl
Fu
מz棷M
C|H%^ܵc ,eOv&`l&|}~/B|MYE7GY&lM~~ڐ|Md+[9f.g4aFlG*=C1d8(QVZ;?Un{XUjMǪ1/~Oӭמ_%,VQX5vVr'֪Z(g}jy6ޟFokjG^*8FO~¯s	u+_R:)nސɆa_\G=daYNr+_(#D:i1[6t":'KC\0|&FGa,=xOq$@D0ۢ)e];nIHxLir ;'s󩄜ȃRt눯O'i99TJo[`"L˕P@
*9#|&ɦG/3܋d:b#a+Լ '~	'@Rm[C6Ige9a_R(yשׁY3Nڨs,Qǖ1^EG0aV+IzA4#W`t5Ѷg>oNW:_igD EyεPz/HwAhՍ|{+MlW~Z&TAvuLy99uwE$%8(ijVZN0Ż=}nh!4
,-@UnصxYlrAqF:>j p!$ރƱHGT}|be$ApSU۲hQFW~v>x7@*W
XMAd]cG2I:;-VB&?ch5d9dLk!TA[ݥOTn#1aǿ0drV3u{Ȗ\ʧ̂1W
i:	H'U'o4X^{jQx!`ѤE`i{o{dUcw1" )\#`M6g\jeay/k3qS[U 3"~?~ɜFm[&M}qU@G=ްgf2^

?3Fhi^&Z7"o1xbJEB-G
/"Wx|Hwzmfˮ楖ĵ\Dn~eIHpvLCڋ=Tؾ7R?BsWOq2R~.ڍeLPMkR(~sRmJ^e~V7b1Z'7AGbq٣\kx}@֨6
C(M
T%OPVk"F7j5<-80d+6Y>+Ƚ3HOw<SD]7bN12{rUGz=FAv!FzI^s͢E̢`ўi+'T5Q#RӤT* O?{.E_xB;PB"M74ȅ;s+B.%דX7ވTlD֣s5͕沮,@ߤIw2hg0jV9|Zi75oj15i-C4xٱ4^a=I~O0:
xr	X/gdߤMџqF5!~c࿉iiz'FT$<鰤{8tֈۓ7UolU8>Ebҁ\ zU7|i-kuvy@S_ߔ)>({ta]dZIcc=|SMۛaC
w]xۀvk[smԽΨ	CKcRW궛7}!}%i[:KC1OM+f%wFc
AoW
71iEYN"]f>fMs
trݟGß$ovݴii5ZkbnOZk~~h{[enGH)*RjϚ\%	nE~Ky4ҁe!xڵ_Kt!۶r M/KYG+y8茹
kU\nEP3׺VfIA_Auz/%*zukogEˏz!n{NMͶ
oKw	dbGGT/u߇/^Z=c'GEYOe.^fxӠ 	N7]
p
/Lcr!%#GPi?B9o{/yT5YdC/ Z
8;f@ޣ]h5Kꊥ.
ڻkR1…6{- Bw]o>5[Ц!(x'x7p8Yngm.
"87hV_K>eΫԈ6Y
&f4^)yHi5S;I5Fc<|Gk/{auvmvk֨k`݌4^rUom|B,.$yr !.(ח$_0\/
`0a%eU\hpH\bߐA@Qf링c:zGưMAAK+UP
kp;*!T6kf=Bmj#$C90U46B`Ճ'I'^e.~gI
\ǻc`rjqBxK$IIaߐ]txЯoᾖѯ30MWpO¡e-殾΁C}|IGwpQվA=H+V^9j0ǂ6xO[>邘ƒLNozܴ2Dɜը};r5=Odmf̝˳ !\1yϳ-5 X4G)+SM|ۿ(Wd#l
|0!XYBL(vSQB
Ǜq`!:GnX%
cAr|Md½b:A7Î;#>Sn4<2brA35\jvArrZ>5?>4ViM9MyIk C[fȟ;KS&魝\[?MfU1x8]_`{֥K1#Z!"NT^0Yu{Cm{^grې
0
%eu>bG7\S~ޙHMd%BOz,t%zz.j\Rs1j/K	81ZO?J~?BN`M9xX(j(쪓
:-Sp-v5t3ֳ!:A	ЀR&%hh
PyX#>}ji5L)Z{c,kOk!DR
~1JJl%ZGVX^#Ɍjx9 bn
%oY9׃!PU8X[s>#+}IbL-3N>3 lZtvC(l9S^r
758S`ኖI">Zxky!8O6a{lRws*G|T($nu	"ٻ"r0;/\d4"9@32ӛCp
.xvfQc0G#~܌',Έ1|;숾=Ǎk^A8G
Ӭw9y</1'^8i1;ԁ.$?s{g
}H%*E\fO<n0QAxj~4\=jJ[T.%<Dni-D~<͍PMBhlH/<`YnwRe9KChQTCWsx2Xyr7B
B
`(49,`0{6=
>•m]泡,Y ͆!`C6Ļ-hkCHg(0Pư#ҋTOfUڷ
9}@3^_21@llHiIsnED:!Fպ_et S	
0l).?φ2rgAA6š
7W`\
lAP88(w
P_޻k0`smTpgCå_#"GPo٦ߗ/PG>1zU\EtFP,\ދ\#B?pȵ:r^v]@橐!C3rr
;͔;=ɞ{*;
؏Ɖ)00qx٪I6O:p6`'GU3!D-.;p\:\$qX<0f0FPb#D0O
l
딌AE
ff#:BgX
x=pTvK wģ]}#>Tw?=?e)*c|wΓrV~5+S
#UXj9HLWqZN4Gl<\^QIqEUq3R@!SK8sA[ϳ!Iۣ >xE|nĽ]$s*t!FFKP|_{#)e
9y%ϟD|0V?󆛪ER_e_v)k@)hBzl[FR>"D?LxdUJ('a46A*ڐ^҄)yxqX~6J
CYTC:jş"丄,;
"識Z_!}S"c`h
iĬ#v
T<&!J#DFDdz!/#
~-Yr	n	2"셡e%lx)4]vFq1){x8#ȏ,=:k=x6Bl^ƠzqE(L=lp/m
[i%W+'<8H
Hf;>FYNu`"yB8eTgNbL$_Yˢs<:2@zuXG|`bFwD7,8g6z:'dR߿R%񢔺Foq
a29\5Zfq#^CȶKn4"GF^V {Ez9kN3X!_"D4w/)KIʩI
BGޑ
Y{1/ygW\MSVSqxWU:N%dpԫSݹ	pdǒUx/7z5L$%wE5AP%_rʨ@b叼.ϻ<W.&J$JVb{wfYC<#Հd_L4p-mnt[u.'»~d!s@-'W<\ՓVe+Y2`n"nZs6u{hh/Y0NVІXY~S-h/YJG2j;XZ
:8כOv=ϖR^JZR۶Ryז0r(j-ml/972 _[i窹6=W19׷_LmurJ۹5嵥8;eeۥ33Wʩ/vɼOu:+jrp*^F^ͤ^޹񵥿1`q}!Y΅K^[J
Qw7\LN-ZʯH#v胾j^0::T#|}O%l/eBo_}J/: }rj`YShgCyQй֯O.ˊjiUҁyƧ5ݹhخp{\c})r
L1F	caWa#(g`["0w{6u4p9xm{P8tfy(L0pg
m=۫Rˀr5'Fi~S ,#O &ek:1``xQ|`84>5)\bjPh+]nO=iQ0@KwO6&u= H5׀Sֈ9v%
38k'(݆ؒ=gj##%,3np)T<0?|[cgr8<7$w\X/kmO$X9zȮ~=Š5YsU7BsQ_)(aV%7o$ҽTҀzYDOa˻OK7pt8žEʻzDD3!yfI")4;
	%EiH=3wէSa'En?>r_'^lN0ՖeԅՌZc#|]}Nk;k.)g3<va=o'~&F0$r虅)c";NQpmܭLG•sl;Ϡ*?t:ҐX$uhru9;k?7,\r7]s4}}ͬJ9+i|dʯ;=QJ.^
{Ǣrdeך&Y!_
ٓ:W(y|ǧ vn9EvVuy(pi_Zxϥhl#=4N(.؀^Th:L0xL#($OG[<8)ϳ35Ӡ+7Z܊jEnA\aMU^s[ScosjM69Vw̃솕7S
;뇑|MYQEN_w
k['i̶/E.^:iG4DH-oc+^i9cThpuV29VfT{+{u
AX6B`luL=<E|}ٷh,[y*7a8^]YjT-$F9h֛Ff5v)9rD<|Ѯr\l4z>ZtБCGF;/T'!y]ޔh>)%O
ễP+TL8nu?f
{fYy8uȳ?ae#'s:hl<ƶ!zX<&׃RU5u6=ybxC A\Y}Sѱw]=Mk%8e_yP`uzmEg55vCpu,c gMFL~@7ZY)%KO<^P{9j#>ѓbuEHEq8uPC;(yR\;yں
4H~,|ku#y=b&
^w3S)ږycԗ \:O%$\>E
4"ce}сns!]'^)vne"З
9q*2"7@[YyVP'tF\|3gj(Z9fge<!ͱMgFo|fhCA?elzJPn=\m6z(
o\Л
B%@YXTnVX4Ɖ$>za1;yS-f,-88+hnl}5>ۓ7;pJK+眾-2F].v!Uj[*ki5yD!MDɐz̒}eٹWAEרoשҵl|wUzms3ErKY»+SUzNbڛ27eΨq=cm7}~͘	ձRj4kH3%	מ>{#=
m#r!%_[(n2;Wq_þ>k}Ŝ-Yis8,	&'7_kwVuуRBA@(ZE mM,Ǻ^tC%R	/cY+/~e;s3ApGC9cu",v"jXͰSyX~~}YِY Tff-}v^N1zsuÝ	S
S^#E9_Qz|u+$6aN.
tn!
2hI43g|nN߸c"F2[\2(`v@8~SrO<"Ng<ij25|#sp&`R |@ W%?DF'uF[N*Z&ENmFyPǝ}p5\7F|^NwВv+oP=ݓ׆ِQUԥ޺TƦeEMQsiKwGw	'=Z-H7Lx,`]A_%)fWd&ր0#ykqWzhma{WtoLri(n6XXO2C=?խ+~FY#ֶݣk,OmV`KQj;xm6'?jU$ݻ%m2Z̆cvZgҡK}\bx_{0k 眰s.Š*F^H
{n!M(yWóG8+qj7SӥFTY()+ևn\?2:ApFԨN#D'@F#j	u$.݉rWܻR2f]mץiGX^yV;]8ƻ0{~w/@hm3'כ3zicjf8eQn.Æ.%rl].2]yq_E'rQYÿBYOnu]$|d%#YhE%WKvYϒ쵤(G_'nK.yd$jzzLp#%w#J.ydGK֧,PsMIrP5ldԸq<.\B%?NK.YWKq%J<.\Ir]kV^r'šiyǐn;^ߖO&iMmnL[Q]4Jhdݴ{Osʦ&t]Kq>|hgF㴆e]Ě{>Flf|ڣRKDo?40l|&{^TP.̡σyj4Xs[6ͺ_{vFCVR )u6/!f0`ֽGiKdp8<Q,x2*V>Aw/\T\ĺz#qxasA4w$Ud/֔R1n7QRC"	[ƥlYguX#g
!|~kW&a[IfKuڮ#i{jť>2gm(PbVe6%3Lm,ϞI[980fWLNÖȔ]&,TƒFY~lIh8.\j,$<ҾE>Q	XUFO5vHG:T,fAvQ\VTLk\*[V1i32[#?n]k]d_[K3[KB!R"why3-1.6.0/examples/multiprecision/mpz.mlw000066400000000000000000000270111440160026300206200ustar00rootroot00000000000000module Z

use int.Int
use int.Abs
use mach.int.Int32
use mach.c.C
use map.Map
use types.Types
use lemmas.Lemmas
use import mach.int.UInt64GMP as Limb
use int.Power

type mpz_ptr

val predicate mpz_eq (x y: mpz_ptr)
  ensures { result <-> x = y }

type mpz_memo = abstract {
  mutable abs_value_of : map mpz_ptr int;
  mutable alloc : map mpz_ptr int;
  mutable abs_size : map mpz_ptr int;
  mutable sgn : map mpz_ptr int;
  mutable readers : map mpz_ptr int;
  mutable zones : map mpz_ptr C.zone;
} invariant { forall p. 0 <= alloc p
                        /\ (sgn p = 1 \/ sgn p = -1)
                        /\ abs_size p <= alloc p
                        /\ 0 <= abs_size p <= max_int32
                        /\ 0 <= abs_value_of p
                        /\ (abs_size p >= 1 ->
                           power radix (abs_size p - 1) <= abs_value_of p)
                        /\ abs_value_of p < power radix (abs_size p) }
  by { abs_value_of = (fun _ -> 0);
       alloc = (fun _ -> 0);
       abs_size = (fun _ -> 0);
       sgn = (fun _ -> 1);
       readers = (fun _ -> 0);
       zones = (fun _ -> null_zone) }

(* readers : = 0 means there is currently no access
             = -1 means exactly one read-write access
             = n > 0 means there are n read-only accesses
             = -2 means the pointer is invalid *)

val ghost mpz : mpz_memo

function value_of (x:mpz_ptr) (memo: mpz_memo) : int
  = memo.sgn[x] * memo.abs_value_of[x]

function sgn_value (p:ptr limb) (sz:int32) : int
  = if sz >= 0 then value p sz else - value p (- sz)

predicate mpz_unchanged (x: mpz_ptr) (memo1 memo2: mpz_memo)
  = memo1.readers[x] = memo2.readers[x]
    /\ (memo1.readers[x] > - 2 ->
       (memo1.abs_value_of[x] = memo2.abs_value_of[x]
        /\ memo1.alloc[x] = memo2.alloc[x]
        /\ memo1.abs_size[x] = memo2.abs_size[x]
        /\ memo1.sgn[x] = memo2.sgn[x]
        /\ memo1.zones[x] = memo2.zones[x]))

let ghost unchanged (x:mpz_ptr) (memo1 memo2: mpz_memo) : unit
  requires { mpz_unchanged x memo1 memo2 }
  ensures  { memo1.readers[x] = memo2.readers[x] }
  ensures  { memo1.readers[x] > - 2 ->
       (memo1.abs_value_of[x] = memo2.abs_value_of[x]
    /\ memo1.alloc[x] = memo2.alloc[x]
    /\ memo1.abs_size[x] = memo2.abs_size[x]
    /\ memo1.sgn[x] = memo2.sgn[x]
    /\ memo1.readers[x] = memo2.readers[x]
    /\ memo1.zones[x] = memo2.zones[x]) }
= ()

lemma unchanged_transitive:
  forall x m1 m2 m3. mpz_unchanged x m1 m2 -> mpz_unchanged x m2 m3
                     -> mpz_unchanged x m1 m3

(* SIZ mpz macro *)
val size_of (x: mpz_ptr) : int32
  requires { mpz.readers[x] > -2 }
  ensures { result = mpz.sgn[x] * mpz.abs_size[x] }

val alloc_of (x: mpz_ptr) : int32
  requires { mpz.readers[x] > -2 }
  ensures { result = mpz.alloc[x] }

let abs [@extraction:inline] (x:int32) : int32
  requires { x > min_int32 }
  ensures { result = abs x }
= if Int32.(>=) x 0 then x else Int32.(-_) x

(* ABSIZ mpz macro *)
let abs_size_of [@extraction:inline] (x: mpz_ptr) : int32
  requires { mpz.readers[x] > -2 }
  ensures { result = mpz.abs_size[x] }
= abs (size_of x)

type mpz_struct = { ghost addr: mpz_ptr }

end


module Zutil

use int.Int
use int.Abs
use mach.int.Int32
use mach.c.C
use map.Map
use types.Types
use lemmas.Lemmas
use import mach.int.UInt64GMP as Limb
use int.Power
use ref.Ref
use Z

(* Sets the size of an mpz_ptr, leaving other fields unchanged. *)
val set_size (x:mpz_ptr) (sz:int32) (ghost p: ptr limb) : unit
  requires { mpz.zones[x] = zone p }
  requires { mpz.readers[x] = -1 }
  requires { offset p = 0 }
  requires { min p = 0 }
  requires { max p = plength p }
  requires { abs sz <= plength p }
  requires { plength p = mpz.alloc[x] }
  requires { sz <> 0 -> value p (abs sz) >= power radix (abs sz - 1) }
  writes  { mpz.sgn }
  writes  { mpz.abs_size }
  writes  { mpz.abs_value_of }
  ensures { forall y. y <> x -> mpz_unchanged y mpz (old mpz) }
  ensures { mpz.sgn[x] = 1 <-> 0 <= sz }
  ensures { mpz.sgn[x] = - 1 <-> sz < 0 }
  ensures { mpz.abs_size[x] = abs sz }
  ensures { mpz.abs_value_of[x] = value p (abs sz) }
  (* ensures size_of x = sz *)

(* Sets the size of an mpz_ptr to 0 *)
val set_size_0 (x:mpz_ptr) : unit
  requires { -1 <= mpz.readers[x] <= 0 }
  writes   { mpz.abs_size }
  writes   { mpz.abs_value_of }
  ensures  { forall y. y <> x -> mpz_unchanged y mpz (old mpz) }
  ensures  { mpz.abs_size[x] = 0 }
  ensures  { mpz.abs_value_of[x] = 0 }

(* Sets the size of an mpz_ptr to minus its former size. *)
val wmpz_minus (x:mpz_ptr) : unit
  requires { mpz.readers[x] = -1 }
  writes   { mpz.abs_size }
  writes   { mpz.abs_value_of }
  writes   { mpz.sgn }
  ensures  { forall y. y <> x -> mpz_unchanged y mpz (old mpz) }
  ensures  { mpz.sgn[x] = - old mpz.sgn[x] }
  ensures  { mpz.abs_size[x] = old mpz.abs_size[x] }
  ensures  { mpz.abs_value_of[x] = old mpz.abs_value_of[x] }

val set_alloc (x:mpz_ptr) (al:int32) : unit
  requires { mpz.abs_size[x] <= al }
  requires { -1 <= mpz.readers[x] <= 0 }
  writes   { mpz.alloc }
  ensures  { forall y. y <> x -> mpz_unchanged y mpz (old mpz) }
  ensures  { mpz.alloc[x] = al }

val set_ptr (x:mpz_ptr) (p:ptr limb) : unit
  requires { offset p = 0 }
  requires { writable p }
  requires { min p = 0 }
  requires { max p = plength p }
  requires { plength p = mpz.alloc[x] }
  requires { mpz.readers[x] = 0 \/ mpz.readers[x] = -1 }
  writes   { mpz.abs_value_of }
  writes   { mpz.zones }
  writes   { mpz.readers }
  ensures  { forall y. y <> x -> mpz_unchanged y mpz (old mpz) }
  ensures  { mpz.abs_value_of[x] = value p (mpz.abs_size[x]) }
  ensures  { mpz.readers[x] = -1 }
  ensures  { mpz.zones[x] = zone p }

val ghost value_of (x: mpz_ptr) : int
  ensures { result = mpz.sgn[x] * mpz.abs_value_of[x] }

val get_read_ptr (x: mpz_ptr) : ptr limb
  requires { mpz.readers[x] >= 0 }
  writes   { mpz.readers }
  ensures  { mpz.readers[x] = old mpz.readers[x] + 1 }
  ensures  { forall y. x <> y -> mpz.readers[y] = old mpz.readers[y] }
  ensures  { value result (mpz.abs_size[x]) = mpz.abs_value_of[x] }
  ensures  { plength result = mpz.alloc[x] }
  ensures  { offset result = 0 }
  ensures  { min result = 0 }
  ensures  { max result = plength result }
  ensures  { zone result = mpz.zones[x] }

val get_write_ptr (x: mpz_ptr) : ptr limb
  requires { mpz.readers[x] = 0 }
  writes   { mpz.readers }
  ensures  { mpz.readers[x] = -1 }
  ensures  { forall y. x <> y -> mpz.readers[y] = old mpz.readers[y] }
  ensures  { value result (mpz.abs_size[x]) = mpz.abs_value_of[x] }
  ensures  { plength result = mpz.alloc[x] }
  ensures  { offset result = 0 }
  ensures  { min result = 0 }
  ensures  { max result = plength result }
  ensures  { writable result }
  ensures  { zone result = mpz.zones[x] }

val release_reader (x: mpz_ptr) (p:ptr limb) : unit
  requires { mpz.zones[x] = zone p }
  requires { mpz.readers[x] >= 1 }
  requires { min p = 0 }
  requires { max p = plength p }
  writes   { mpz.readers }
  writes   { p } (* invalidates p and its aliases *)
  ensures  { mpz.readers[x] = old mpz.readers[x] - 1 }
  ensures  { forall y. y <> x -> mpz.readers[y] = old mpz.readers[y] }

val release_writer (x: mpz_ptr) (p:ptr limb) : unit
  requires { mpz.zones[x] = zone p }
  requires { mpz.readers[x] = -1 }
  requires { min p = 0 }
  requires { max p = plength p }
  requires { mpz.abs_value_of[x] = value p mpz.abs_size[x] }
  writes   { mpz.readers }
  writes   { p } (* invalidates p and its aliases *)
  ensures  { mpz.readers[x] = 0 }
  ensures  { forall y. y <> x -> mpz.readers[y] = old mpz.readers[y] }

type mpz_mem = abstract { ptr: mpz_ptr; mutable ok: bool }

val wmpz_struct_to_ptr (x:mpz_struct)
    : (res:mpz_ptr, ghost memo:mpz_mem)
  ensures { res = x.addr }
  ensures { memo.ptr = res }
  ensures { memo.ok }

val wmpz_tmp_decl [@extraction:c_declaration] () : mpz_struct
  writes  { mpz }
  ensures { old mpz.readers[result.addr] = -2 } (*result is fresh*)
  ensures { forall x. x <> result.addr -> mpz_unchanged x mpz (old mpz) }
  ensures { mpz.readers[result.addr] = 0 }
  ensures { mpz.alloc[result.addr] = 0 }
  ensures { mpz.abs_size[result.addr] = 0 }

val ghost wmpz_tmp_clear (x:mpz_ptr) (memo: mpz_mem) : unit
  requires { memo.ok }
  requires { x = memo.ptr }
  requires { -1 <= mpz.readers[x] <= 0 }
  writes   { mpz }
  writes   { memo }
  ensures  { mpz.readers[x] = -2 }
  ensures  { forall y. y <> x -> mpz_unchanged y mpz (old mpz) }

let wmpz_ptr_decl [@extraction:inline] () : (ptr: mpz_ptr, ghost memo:mpz_mem)
  writes  { mpz }
  ensures { ptr = memo.ptr }
  ensures { memo.ok }
  ensures { mpz.readers[ptr] = 0 }
  ensures { mpz.alloc[ptr] = 0 }
  ensures { mpz.abs_size[ptr] = 0 }
  ensures { old mpz.readers[ptr] = -2 }
  ensures { forall x. x <> ptr -> mpz_unchanged x mpz (old mpz) }
=
  let t = wmpz_tmp_decl () in
  wmpz_struct_to_ptr t

val partial wmpz_init (p: mpz_ptr) : unit
  requires { mpz.readers[p] = 0 }
  writes  { mpz }
  ensures { forall x. x <> p -> mpz_unchanged x mpz (old mpz) }
  ensures { mpz.readers[p] = 0 }
  ensures { mpz.abs_value_of[p] = 0 }
  ensures { mpz.abs_size[p] = 0 }
  ensures { mpz.sgn[p] = 1 }
  ensures { mpz.alloc[p] = 1 }
  ensures { mpz.zones[p] <> null_zone }

val wmpz_clear (x:mpz_ptr) : unit (* scrambles mpz._[x] *)
  writes { mpz }
  requires { mpz.readers[x] = 0 }
  ensures { forall y. y <> x -> mpz_unchanged y mpz (old mpz) }

let partial wmpz_do_realloc (x:mpz_ptr) (sz:int32) : ptr limb
  requires { 1 <= sz } (* GMP does sz = max (sz,1) instead, do that if needed *)
  requires { mpz.readers[x] = 0 }
  requires { 1 <= mpz.alloc[x] }
  ensures { forall y. y <> x -> mpz_unchanged y mpz (old mpz) }
  ensures  { mpz.readers[x] = -1 }
  ensures  { mpz.alloc[x] = sz }
  ensures  { mpz.abs_value_of[x] = value result (mpz.abs_size[x]) }
  ensures  { mpz.zones[x] = zone result }
  ensures  { offset result = 0 }
  ensures  { plength result = sz }
  ensures  { min result = 0 }
  ensures  { max result = sz }
  ensures  { writable result }
  ensures  { if sz >= old mpz.abs_size[x]
             then mpz.abs_size[x] = old mpz.abs_size[x]
                  /\ value result (old mpz.abs_size[x])
                     = old mpz.abs_value_of[x]
             else mpz.abs_size[x] = 0 }
= let p = get_write_ptr x in
  assert { forall y. y <> x -> mpz_unchanged y mpz (old mpz) };
  let ghost op = { p } in
  let ghost os = abs_size_of x in
  label Realloc in
  let q = realloc p sz in
  c_assert (is_not_null q);
  if Int32.(>) (abs_size_of x) sz
  then begin
    set_size_0 x; (* data has shrunk, reset x to 0 *)
  end
  else begin
    value_sub_frame (pelts q) (pelts op) 0 (p2i os);
  end;
  set_alloc x sz;
  set_ptr x q;
  q

let wmpz_realloc (x:mpz_ptr) (sz:int32) : ptr limb
  requires { mpz.readers[x] = 0 }
  requires { 1 <= mpz.alloc[x] }
  ensures  { forall y. y <> x -> mpz_unchanged y mpz (old mpz) }
  ensures  { mpz.readers[x] = -1 }
  ensures  { mpz.abs_value_of[x] = value result (mpz.abs_size[x]) }
  ensures  { mpz.zones[x] = zone result }
  ensures  { offset result = 0 }
  ensures  { plength result = mpz.alloc[x] }
  ensures  { min result = 0 }
  ensures  { max result = plength result }
  ensures  { writable result }
  ensures  { mpz.abs_size[x] = old mpz.abs_size[x] }
  ensures  { value result (old mpz.abs_size[x])
             = old mpz.abs_value_of[x] }
  ensures  { if sz > old mpz.alloc[x]
             then mpz.alloc[x] = sz
             else mpz.alloc[x] = old mpz.alloc[x]  }
= if sz > alloc_of x
  then wmpz_do_realloc x sz
  else get_write_ptr x

let mpz_ptr_swap [@extraction:inline] (ref x y: mpz_ptr)
  requires { mpz.readers[x] = 0 /\ mpz.readers[y] = 0 }
  ensures  { mpz.readers[x] = 0 /\ mpz.readers[y] = 0 }
  ensures  { x = old y }
  ensures  { y = old x }
= let z = x in
  x <- y;
  y <- z

end
why3-1.6.0/examples/multiprecision/mpz/000077500000000000000000000000001440160026300200765ustar00rootroot00000000000000why3-1.6.0/examples/multiprecision/mpz/why3session.xml000066400000000000000000000457031440160026300231270ustar00rootroot00000000000000









 
 
  
  
  
 
 
 
 
 
 
 
 
 
 
 
 
 
 


 
 
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
 
 
 
 
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
   
   
   
   
   
   
    
    
    
    
    
    
     
     
     
     
     
     
     
     
    
    
   
   
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
   
   
   
   
   
   
    
    
    
    
    
    
    
    
   
   
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
 
 
 
 
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
   
   
   
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
 
 
 
 
  
  
  
  
  
  
  
  
  
 
 



why3-1.6.0/examples/multiprecision/mpz/why3shapes.gz000066400000000000000000000122441440160026300225410ustar00rootroot00000000000000\YoG~y/,c ̼&LIْ~YU]]GSD&"82}wzS-˛95Ix;zvQ޷}g	?wIp{kw!_~܏33!n{ț=ym$ޑ]^	?xܛˇfUgiaڮiڌu_x䷗<\ݗe3D9x@&/g,إFKN'LMorn%lD3mt>'_9H;CdPɤ+Јo+C}inЛ'`;٢ۛts/d
Ӷ-Csٌ>N.^Zk9N2ĥ=_@0t3p߯ 7?CSpMBD?n
,`5gtD=w?ܜŒ*Jm!+=Ԛ6g$Ť	 "tu<;$9iOnRift85uПr?6
Ƌ.lMHIFc8?KC7X`
pN%=l_.Bjkx[Χh>͌
RnxF'CJT
\٧j(ͮ~J4Y?,}E~FN<=>opyCg=dʐH}cc뛇	Oַ3nQ2	_V#uWN9]ޗ3屣%̆q3H//QuDE΃,k+mS]X
ώY7/Jx=9.^cif13,]NF7P5vu@ǎlLh՚l|bQrlF5\ngwwCqd֐;MǮNOXҏgP?mn*rzɽua$E*#z˨ˈ]ahoefڠah|a82QjzJOjcxʇ	C>}3;>Mуxxf<;2
:5"3Co)13GgeV=HOSld᛹oe薟C͢f8Cvp;\&uuZV݋O3=u(?tԸ;G2@	5Y>[K9Mԩ>"qi1?}i\N=[p"k\>&k\>#sF!FvCX/[L\Uܯ8"=&/_D\?b~3P;4]еls"D;wh@^6!*
![,,`CއkHn0j"DT=l>)//^fK)Ы4Dgz=!/[=Gs/Ep"몋i%)|jߟh[p>w`֧?ּVIkSUVEP[)4JcE$ZdIeݭutNW62kŶ~7߱=
Ti!CKp*]	9^eW$$q5)iL.VJII	)i.Y+VB%
.;Mr2ҝRNQD'}']'m'asX-C-aSP]ihi5{-p'1y.5$]~sJ
1:QB]dWOC6:T'\C
cGa
*b
eu9еt)Gg]I	pMXz_D#cKpHuU,Ȧؚ[9#(
&VQg+ۢʀ|S8BSpj(I(liN0Rˠ
X8 JL:^x[ͤy}&3:]Feꭏ^>!3UˮQ*)WD_𚙑fA[.DBPVR{E\
GaRD*G 
hi/GC;l2O$qBR.۰)Ig
?j)(yl'-u/"-h։W:М	6:7.TYd2IaQq4-u;%ۭQD>
	nzG}-Hd&c`YѬQĀ!QQ
[;<ѝ$rGr.pL8O!L 2AdL*j/'8`euƤy{2A~2CY"ĨN0T's
uUzLH+cTPVD'5qVfLzL+RNei)U!)g-لz8Ucag`~L2pI*gBҢ1ƹG9YAHY.FJ= KqĮDKH*;TBKi,rz_?P"9Py$N"avl
$PYd#11
L(dmz(g=Ė(j=(^fK<:4"?%!E.#m@/;adˁqF*1ڤ{SCryI:(DDm4"pvθ1LdQ8Idu(~K1$nɬN	iqRlByIkZv>dUHIsjlDUk/ֿIl.Ÿ)
O>\Tؤ"S9$uN"KU{WKTB{:2P,JSǔBD8gȑ Hə1"MJ
T=Kt^JkX|
kƧPR.WHb1ee.3ɷGKNZV^0Nc_$$$:kCD݊B(A
7QV
(8gږֆ%	o@M{
YS(lrcF??opB)Us=$]Z!#_,GFS	.mV':5|KgoO2VVYb&(W-<2dUPP(1590~P%\JcB\-E񺶇b9*yY
?mهd՘hX^"lÔ\Et	H0{<	sbxԒRj/ERr(yL,)Q92*PM@Id1$Ee-ƈǜf^PkZ -Ux$vR*h*Y'!7%\_TlXGVg&)TBb)$[;'Q%Af	$U9$6!j_DjCtV^$N{EB|1(欝*3%^=iWyY
5J$kWUC͉Rx_[׬@Q=jWEiPܧ>)T2RZes{c	Cr.eSd3ZI5%zN7#l\why3-1.6.0/examples/multiprecision/mpz_abs.mlw000066400000000000000000000020411440160026300214410ustar00rootroot00000000000000module Zabs

use int.Int
use int.Power
use map.Map
use mach.int.Int32GMP
use mach.c.C
use lemmas.Lemmas
use util.Util
use compare.Compare
use import mach.int.UInt64GMP as Limb
use int.Abs
use mpz.Z
use mpz.Zutil

let wmpz_abs (w u: mpz_ptr) : unit
  requires { mpz.readers[u] = 0 /\ mpz.readers[w] = 0 }
  requires { mpz.alloc[w] >= 1 /\ mpz.alloc[u] >= 1 }
  ensures { mpz.readers[u] = 0 /\ mpz.readers[w] = 0 }
  ensures { value_of w mpz = abs (old value_of u mpz) }
  ensures { forall x. x <> w -> mpz_unchanged x mpz (old mpz) }
=
  let ghost ompz = pure { mpz } in
  let size = abs_size_of u in
  if (not mpz_eq u w)
  then begin
    let wp = wmpz_realloc w size in
    unchanged u mpz ompz;
    let up = get_read_ptr u in
    assert { value up size = ompz.abs_value_of u };
    wmpn_copyd_sep wp up size;
    assert { sgn_value wp size = ompz.abs_value_of u };
    release_reader u up;
    set_size w size wp;
    release_writer w wp;
  end
  else begin
    let ghost wp = get_write_ptr w in
    set_size w size wp;
    release_writer w wp;
  end

endwhy3-1.6.0/examples/multiprecision/mpz_abs/000077500000000000000000000000001440160026300207235ustar00rootroot00000000000000why3-1.6.0/examples/multiprecision/mpz_abs/why3session.xml000066400000000000000000000246411440160026300237520ustar00rootroot00000000000000










 
 
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
   
   
   
   
   
    
    
    
    
    
    
     
     
     
     
     
     
     
    
    
   
   
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
   
   
   
   
   
    
    
    
    
    
    
    
   
   
  
  
 
 



why3-1.6.0/examples/multiprecision/mpz_abs/why3shapes.gz000066400000000000000000000057251440160026300233740ustar00rootroot00000000000000ZYo~[$#DbKB\SOK˰e wWUKp[??7;C+!`ps%{hc`x&CCӾųۻnսξ'۫oV؅[mϾv«	f-[~:?Qìz}x-݇%NTB?D)ߕ7u
}?<uٟwdeu[3}pxƇúc[s\C|߻]9:fӒNqz.LիɅ1[[wjMĚ{M[8RɻI/.>_qpݡ=̵[:n]fwB7!FXZ8D=Ü
TʼnƗ&Be/@7wS187FnEQIDn'H&w3&=mMfz~a=1YIg"83csA0y؟>[aڷ]|}wUx-b
;|#.39ew	dq8AcgCGSy48sρ瑀aS7,xYbcV\?Ci5up"h93I,)a8:pŌ"hh$=kl7Z\gt|[ק^Yaùe
2gK*'ˤfLNqrBشZĮ'w	t=mf;\!)_n5'e}q{%DZ>C:8l޾߹e{r>Iȉ)8O6=~Ҟ}?/9֞#fcsK2oTF=l$:Qe&/r4xM\KTkH

Ii_OR8
?Q8xG\<+R{^W'HNK9
)x4>o0Dsrfm¤,WI;\i+q`l@m%T#~|hOޯ[LH
0hC&ƨŐ&Ik!yqp֔o>u4&6<c+dc\}9՘nő'fO%HC;yq.{
7mzV)lxmY4?ߣmdŤl3k"#p_ڳͿC31UI
(Ք9̙")D(tۢK[;QtRTEgHY*saO\U5+#EWJ3Pd:/	e-vׁ2Zu GAjq4X$1
(#ѦCVѠ*d]R(wӪ#ߑ$[#Q2uAGCߡ.Ab0V"5Gis,>(
,.ފݕ
"Wh}Mz2iP<0sTA:kU>DT͋S
Z%Rdl@V\}Ǯc۱;SرLNӶӦӢL4PcX^i dRRR$4y&(9TrZ4d %lWe]}*BϾ~2-
>gI<,8Tƒl(r`K!?6T%s̀4:$cH>YЀTl#%%9
ZgKpRl˅'	F
 e>4`CZ}	R:xIIR)L2PwֽtD+Tu瘥pSMѭrsss֝a礊S/g*cʘ=jHmJR)6uˀ꭭6g/$krY*9`|)h!jT6{b*QIIZ{xERO,+yMPT$$`0̘\Lu&B)*WeH"w7SdTdme H<'yY5l
+IJ%++)[x
5a:QthpstX(+>v]j0%[BTQ+PAU{WMTeZ;RL_*r\c̤dvP8}
Rh5,%M`FUW
iɏTPqZVǔaQ+PE*Sp	琽6EMEVgo
f[4;IMp>\$8½44ﮯY+	nN*UW+tJ7(8e"`˭vY)(hos_TpNg$)pI"Қ&Eʑ9*
%+ZE9c"$I|4ҟoFˎtھƌA&acE)AKi!EhR3}ȁ>4l [1LdQJv
l}^iQ RاkH;G1Y!Gf=#Gwa4ZUCkCO$1Fs+ŜXK\n-={ZXL)F4	V2R_Ե\=t5
eJm<cP5%5H$ۜ?QBcIVd38:=8cJ
S药}8
*
3C*$HU؆03ڬSZR`= 1 /\ mpz.alloc[u] >= 1 /\ mpz.alloc[v] >= 1 }
  requires { mpz.readers[w] = 0 /\ mpz.readers[u] = 0 /\ mpz.readers[v] = 0 }
  requires { mpz.abs_size[u] < max_int32 /\ mpz.abs_size[v] < max_int32 }
  ensures  { value_of w mpz = old (value_of u mpz + value_of v mpz) }
  ensures  { forall x. x <> w -> mpz_unchanged x mpz (old mpz) }
  ensures  { mpz.readers[w] = 0 /\ mpz.readers[u] = 0 /\ mpz.readers[v] = 0 }
= [@vc:do_not_keep_trace] (* traceability info breaks the proofs *)
  label Start in
  let ref u = u in
  let ref v = v in
  let ref usize = size_of u in
  let ref vsize = size_of v in
  let ref abs_usize = abs usize in
  let ref abs_vsize = abs vsize in
  begin
    ensures { mpz.abs_size[u] = abs_usize /\ mpz.abs_size[v] = abs_vsize }
    ensures { abs_vsize <= abs_usize < max_int32 }
    ensures { 0 <= abs_vsize <= mpz.alloc[v] }
    ensures { 0 <= abs_usize <= mpz.alloc[u] }
    ensures { mpz.alloc[u] > 0 /\ mpz.alloc[v] > 0 }
    ensures { mpz.readers[u] = 0 /\ mpz.readers[v] = 0 }
    ensures { abs_usize * mpz.sgn[u] = usize /\
              abs_vsize * mpz.sgn[v] = vsize }
    ensures { value_of u mpz + value_of v mpz
              = old (value_of u mpz + value_of v mpz) }
    ensures { mpz_unchanged u mpz (old mpz) }
    ensures { mpz_unchanged v mpz (old mpz) }
    if Int32.(<) abs_usize abs_vsize
    then begin
      mpz_ptr_swap u v;
      let ref tmp_size = vsize in
      vsize <- usize;
      usize <- tmp_size;
      tmp_size <- abs_vsize;
      abs_vsize <- abs_usize;
      abs_usize <- tmp_size;
    end
  end;
  let ref wsize = Int32.(+) abs_usize 1 in
  let uw = mpz_eq u w in
  let vw = mpz_eq v w in
  label Realloc in
  let ompz = pure { mpz } in
  let wp = wmpz_realloc w wsize in
  assert { uw \/ mpz_unchanged u mpz ompz };
  assert { vw \/ mpz_unchanged v mpz ompz };
  assert { forall x. x <> w -> mpz_unchanged x mpz (mpz at Start) };
  label Op in
  if (bxor usize vsize < 0)
  then begin
      ensures { sgn_value wp wsize
                = (value_of u mpz + value_of v mpz) at Op }
      ensures { uw \/ mpz.readers[u] = 0 }
      ensures { vw \/ mpz.readers[v] = 0 }
      ensures { mpz.readers[w] = -1 }
      ensures { forall x. x <> w -> mpz_unchanged x mpz (mpz at Start) }
      ensures { abs wsize <= plength wp }
      ensures { wsize <> 0 ->
                value wp (abs wsize) >= power radix (abs wsize - 1) }
      ensures { mpz.alloc[u] > 0 /\ mpz.alloc[v] > 0 }
      ensures { min wp = old min wp /\ max wp = old max wp
                /\ plength wp = old plength wp }
    assert { (usize >= 0 /\ vsize < 0)
             \/ (usize < 0 /\ vsize >= 0) };
    if abs_usize <> abs_vsize
    then begin
      begin ensures { value wp abs_usize
                      = old (mpz.abs_value_of[u] - mpz.abs_value_of[v]) }
            ensures { uw \/ mpz.readers[u] = 0 }
            ensures { vw \/ mpz.readers[v] = 0 }
            ensures { mpz.alloc[u] > 0 /\ mpz.alloc[v] > 0 }
            ensures { mpz.readers[w] = -1 }
            ensures { forall x. x <> w -> mpz_unchanged x mpz (mpz at Start) }
            ensures { min wp = old min wp /\ max wp = old max wp
                      /\ plength wp = old plength wp }
      if uw
      then begin
        assert { not vw };
        let vp = get_read_ptr v in
        let _b = sub_rx wp abs_usize vp abs_vsize in
        assert { _b = 0 };
        release_reader v vp
      end else if vw
      then begin
        let up = get_read_ptr u in
        let _b = sub_ry up abs_usize wp abs_vsize in
        assert { _b = 0 };
        release_reader u up
      end else begin
        let up = get_read_ptr u in
        let vp = get_read_ptr v in
        let _b = sub wp up abs_usize vp abs_vsize in
        assert { _b = 0 };
        release_reader u up;
        release_reader v vp
      end
      end;
      wsize <- abs_usize;
      normalize wp wsize;
      if usize < 0 then wsize <- -wsize;
      assert { sgn_value wp wsize = old (value_of u mpz + value_of v mpz)
               by if usize < 0
               then sgn_value wp wsize = - value wp (-wsize)
                    = - old (mpz.abs_value_of[u] - mpz.abs_value_of[v])
                    = old (value_of u mpz + value_of v mpz)
                    by vsize >= 0
               else sgn_value wp wsize = value wp wsize
                    = old (mpz.abs_value_of[u] - mpz.abs_value_of[v])
                    = old (value_of u mpz + value_of v mpz)
                    by vsize < 0 }
    end
    else begin
      wsize <- abs_usize;
      if uw
      then begin
        assert { not vw };
        let vp = get_read_ptr v in
        if wmpn_cmp wp vp abs_usize < 0
        then begin
          let _b = sub_n_ry vp wp abs_usize in
          assert { _b = 0 };
          normalize wp wsize;
          if usize >= 0
          then wsize <- -wsize
        end else begin
          let _b = sub_n_rx wp vp abs_usize in
          assert { _b = 0 };
          normalize wp wsize;
          if usize < 0 then wsize <- -wsize
        end;
        release_reader v vp
      end else if vw
      then begin
        let up = get_read_ptr u in
        if wmpn_cmp up wp abs_usize < 0
        then begin
          let _b = sub_n_rx wp up abs_usize in
          assert { _b = 0 };
          normalize wp wsize;
          if usize >= 0 then wsize <- - wsize
        end else begin
          let _b = sub_n_ry up wp abs_usize in
          assert { _b = 0 };
          normalize wp wsize;
          if usize < 0 then wsize <- - wsize
        end;
        release_reader u up
      end else begin
        let up = get_read_ptr u in
        let vp = get_read_ptr v in
        if wmpn_cmp up vp abs_usize < 0
        then begin
          let _b = sub_n wp vp up abs_usize in
          assert { _b = 0 };
          normalize wp wsize;
          if usize >= 0 then wsize <- -wsize
        end else begin
          let _b = sub_n wp up vp abs_usize in
          assert { _b = 0 };
          normalize wp wsize;
          if usize < 0 then wsize <- -wsize
        end;
        release_reader u up;
        release_reader v vp
      end
    end
  end
  else begin
    assert { (usize >= 0 /\ vsize >= 0)
             \/ (usize < 0 /\ vsize < 0) };
    let ref cy = 0 in
    begin ensures { value wp wsize = old abs (value_of u mpz + value_of v mpz) }
          ensures { uw \/ mpz.readers[u] = 0 }
          ensures { vw \/ mpz.readers[v] = 0 }
          ensures { mpz.readers[w] = -1 }
          ensures { forall x. x <> w -> mpz_unchanged x mpz (mpz at Start) }
          ensures { wsize <> 0 ->
                    value wp (abs wsize) >= power radix (abs wsize - 1) }
          ensures { min wp = old min wp /\ max wp = old max wp
                    /\ plength wp = old plength wp }
          ensures { abs_usize <= wsize <= plength wp }
    assert { abs (value_of u mpz + value_of v mpz)
             = abs (value_of u mpz) + abs (value_of v mpz)
             by if usize >= 0
                then vsize >= 0
                     so abs (value_of u mpz) = value_of u mpz
                     so abs (value_of v mpz) = value_of v mpz
                else vsize <= 0
                     so abs (value_of u mpz) = - value_of u mpz
                     so abs (value_of v mpz) = - value_of v mpz };
    if uw
    then if vw
      then begin
        cy <- add_n_rxy wp abs_vsize;
        assert { value wp abs_usize + power radix abs_usize * cy
                 = abs (value_of u mpz + value_of v mpz) };
      end
      else begin
        let vp = get_read_ptr v in
        cy <- add_rx wp abs_usize vp abs_vsize;
        assert { value wp abs_usize + power radix abs_usize * cy
                 = abs (value_of u mpz + value_of v mpz)
                 by value vp abs_vsize = abs (value_of v mpz)
                 so value wp abs_usize at Op = abs (value_of u mpz)};
        release_reader v vp
      end
    else if vw
      then begin
        let up = get_read_ptr u in
        assert { value wp abs_vsize = abs (value_of v mpz) };
        assert { value up abs_usize = abs (value_of u mpz) };
        cy <- add_ry up abs_usize wp abs_vsize;
        assert { value wp abs_usize + power radix abs_usize * cy
                 = abs (value_of u mpz + value_of v mpz)
                 by value up abs_usize = abs (value_of u mpz) };
        release_reader u up
      end
      else begin
        let up = get_read_ptr u in
        let vp = get_read_ptr v in
        assert { value up abs_usize = abs (value_of u mpz)
                 /\ value vp abs_vsize = abs (value_of v mpz) };
        cy <- add wp up abs_usize vp abs_vsize;
        assert { value wp abs_usize + power radix abs_usize * cy
                 = abs (value_of u mpz + value_of v mpz)
                 by value up abs_usize = abs (value_of u mpz)
                 so value vp abs_vsize = abs (value_of v mpz) };
        release_reader u up;
        release_reader v vp;
      end;
    label Set in
    value_sub_update_no_change (pelts wp) (int32'int abs_usize)
                                    0 (int32'int abs_usize) cy;
    set_ofs wp abs_usize cy;
    value_tail wp abs_usize;
    assert { value wp (abs_usize + 1)
             = value wp abs_usize at Set + power radix abs_usize * cy
             = abs (value_of u mpz + value_of v mpz) };
    begin ensures { if cy = 0 then wsize = abs_usize
                              else wsize = abs_usize + 1 }
      wsize <- abs_usize + Limb.to_int32 cy;
      value_tail wp abs_usize;
    end;
    assert { wsize <> 0 -> value wp wsize >= power radix (wsize - 1)
             by
             if cy = 0
             then wsize = abs_usize
                  so abs_usize = ompz.abs_size u >= 1
                  so value wp wsize >= ompz.abs_value_of u
                  >= power radix (abs_usize - 1)
             else value wp wsize
                  = value wp abs_usize + power radix abs_usize * cy
                  >= power radix abs_usize * cy = power radix abs_usize };
    end;
    label Minus in
    if Int32.(<) usize 0
    then begin
      wsize <- Int32.(-_) wsize;
      assert { sgn_value wp wsize = - value wp (wsize at Minus)
               = - abs (value_of u mpz + value_of v mpz) at Op
               = (value_of u mpz + value_of v mpz) at Op
               by usize < 0 so vsize <= 0
               so value_of u mpz at Op < 0
               so value_of v mpz at Op <= 0
               so (value_of u mpz + value_of v mpz) at Op < 0 };
    end
    else begin
      assert { sgn_value wp wsize = value wp wsize
               = (value_of u mpz + value_of v mpz) at Op
               by usize >= 0 so vsize >= 0
               so value_of u mpz at Op >= 0
               so value_of v mpz at Op >= 0
               so abs (value_of u mpz + value_of v mpz) at Op
                  = (value_of u mpz + value_of v mpz) at Op
               so wsize >= abs_usize >= 0 }
    end;
    assert { sgn_value wp wsize = (value_of u mpz + value_of v mpz) at Op }
  end;
  set_size w wsize wp;
  assert { value_of w mpz = sgn_value wp wsize
           = (value_of u mpz + value_of v mpz) at Op };
  release_writer w wp

use add_1.Add_1
use sub_1.Sub_1

let wmpz_add_ui (w u: mpz_ptr) (v: uint64) : unit
  requires { mpz.alloc[w] >= 1 /\ mpz.alloc[u] >= 1 }
  requires { mpz.readers[w] = 0 /\ mpz.readers[u] = 0 }
  requires { mpz.abs_size[u] < max_int32 }
  ensures  { value_of w mpz = old (value_of u mpz + v) }
  ensures  { forall x. x <> w -> mpz_unchanged x mpz (old mpz) }
  ensures  { mpz.readers[w] = 0 /\ mpz.readers[u] = 0 }
=
  label Start in
  let usize = size_of u in
  if usize = 0
  then begin
    let wp = get_write_ptr w in
    C.set wp v;
    assert { value wp 1 = v };
    set_size w (if v <> 0 then 1 else 0) wp;
    assert { value_of w mpz = v };
    release_writer w wp;
    return;
  end;
  let abs_usize = abs usize in
  assert { 0 <= abs_usize <= mpz.alloc[u] };
  let uw = mpz_eq u w in
  let ref wsize = abs_usize + 1 in
  let ghost ompz = pure { mpz } in
  let wp = wmpz_realloc w wsize in
  assert { uw \/ mpz_unchanged u mpz ompz };
  assert { forall x. x <> w -> mpz_unchanged x mpz (mpz at Start) };
  let ref cy = 0 in
  if usize >= 0
  then begin
    begin ensures { value wp abs_usize + power radix abs_usize * cy
                    = old (value_of u mpz + v) }
          ensures { 0 <= cy <= 1 }
          ensures { uw \/ mpz.readers[u] = 0 }
          ensures { mpz.readers[w] = -1 }
          ensures { forall x. x <> w -> mpz_unchanged x mpz (mpz at Start) }
      if uw
      then
        cy <- wmpn_add_1_in_place wp abs_usize v
      else begin
        let up = get_read_ptr u in
        cy <- wmpn_add_1 wp up abs_usize v;
        release_reader u up;
      end
    end;
    label Carry in
    C.set_ofs wp abs_usize cy;
    value_tail wp abs_usize;
    assert { value wp (abs_usize + 1)
             = value wp abs_usize + power radix abs_usize * cy
             = (value_of u mpz at Start + v)
             by value wp abs_usize = value wp abs_usize at Carry };
    wsize <- abs_usize + (Limb.to_int32 cy);
    assert { value wp wsize = value wp (abs_usize + 1) };
    assert { value wp wsize = (value_of u mpz at Start + v) };
    assert { wsize <> 0 -> value wp wsize >= power radix (wsize - 1)
             by if cy = 0
                then value wp wsize >= value_of u mpz at Start
                     >= power radix (usize - 1)
                else value wp wsize
                     = value wp abs_usize + power radix abs_usize * cy
                     >= power radix abs_usize = power radix (wsize - 1) };
    end
  else begin
    begin ensures { sgn_value wp wsize = old (value_of u mpz + v) }
          ensures { abs wsize <= abs_usize + 1 }
          ensures { wsize <> 0
                    -> value wp (abs wsize) >= power radix (abs wsize - 1) }
          ensures { forall x. x <> w -> mpz_unchanged x mpz (mpz at Start) }
          ensures { uw \/ mpz.readers[u] = 0 }
          ensures { mpz.readers[w] = -1 }
      if uw then begin
        if (abs_usize = 1 && C.get wp < v)
        then begin
          assert { value_of u mpz = - (pelts wp)[0] };
          C.set wp (v - C.get wp);
          wsize <- 1;
          assert { value wp wsize = value wp 1
                   = v - old (pelts wp)[0]
                   = old (value_of u mpz + v) };
        end else begin
          assert { v <= value wp abs_usize };
          assert { value wp abs_usize = - value_of u mpz };
          assert { value wp abs_usize >= power radix (abs_usize - 1) };
          let ghost _b = wmpn_sub_1_in_place wp abs_usize v in
          assert { _b = 0 };
          assert { value wp abs_usize = - value_of u mpz - v };
          value_tail wp (abs_usize - 1);
          assert { (pelts wp)[abs_usize - 1] = 0
                   -> value wp (abs_usize - 1) = value wp abs_usize };
          wsize <- - (abs_usize
                      - (if C.get_ofs wp (abs_usize - 1) = 0 then 1 else 0));
          assert { sgn_value wp wsize = - value wp (- wsize)
                   = old (value_of u mpz + v) };
          assert { wsize = 0
                   \/ value wp (abs wsize) >= power radix (abs wsize - 1)
                   by if (pelts wp)[abs_usize - 1] = 0
                      then
                        if abs_usize >= 2
                        then
                          - wsize - 1 = abs_usize - 2
                          so v <= (radix - 1) * 1
                             <= (radix - 1) * (power radix (abs_usize - 2))
                          so power radix (-wsize - 1) + v
                             = power radix (abs_usize - 2) + v
                             <= power radix (abs_usize - 2)
                               + (radix - 1) * power radix (abs_usize - 2)
                             = radix * power radix (abs_usize - 2)
                             = power radix (abs_usize - 1)
                        else abs_usize = 1
                             so value wp abs_usize = 0
                             so wsize = 0
                      else
                        power radix (-wsize - 1) * 1
                        <=  power radix (-wsize - 1) * (pelts wp)[abs_usize - 1]
                        <= value wp (-wsize)
                   so value wp (abs wsize) = value wp (- wsize)
                     = old (abs_value_of mpz u - v)
                     >= power radix (- wsize - 1)
                     = power radix (abs wsize - 1) }
        end;
      end else begin
        let up = get_read_ptr u in
        if (abs_usize = 1 && C.get up < v)
        then begin
          assert { value_of u mpz = - value up 1 = - (pelts up)[0] };
          C.set wp (v - C.get up);
          wsize <- 1;
          assert { value wp wsize = v - (pelts up)[0]
                   (*= old (value_of u mpz + v)*) };
        end else begin
          assert { v <= abs_value_of mpz u };
          let ghost _b = wmpn_sub_1 wp up abs_usize v in
          assert { _b = 0 };
          assert { value wp abs_usize = - value_of u mpz - v };
          value_tail wp (abs_usize - 1);
          assert { (pelts wp)[abs_usize - 1] = 0
                   -> value wp (abs_usize - 1) = value wp abs_usize };
          wsize <- - (abs_usize
                      - (if C.get_ofs wp (abs_usize - 1) = 0 then 1 else 0));
          assert { sgn_value wp wsize = - value wp (- wsize)
                   = old (value_of u mpz + v) };
          assert { wsize = 0
                   \/ value wp (abs wsize) >= power radix (abs wsize - 1)
                   by if (pelts wp)[abs_usize - 1] = 0
                      then
                        if abs_usize >= 2
                        then
                          - wsize - 1 = abs_usize - 2
                          so v <= (radix - 1) * 1
                             <= (radix - 1) * (power radix (abs_usize - 2))
                          so power radix (-wsize - 1) + v
                             = power radix (abs_usize - 2) + v
                             <= power radix (abs_usize - 2)
                               + (radix - 1) * power radix (abs_usize - 2)
                             = radix * power radix (abs_usize - 2)
                             = power radix (abs_usize - 1)
                        else abs_usize = 1
                             so value wp abs_usize = 0
                             so wsize = 0
                      else
                        power radix (-wsize - 1) * 1
                        <=  power radix (-wsize - 1) * (pelts wp)[abs_usize - 1]
                        <= value wp (-wsize)
                   so value wp (abs wsize) = value wp (- wsize)
                     = old (abs_value_of mpz u - v)
                     >= power radix (- wsize - 1)
                     = power radix (abs wsize - 1) }
        end;
        release_reader u up;
      end
    end;
  end;
  set_size w wsize wp;
  release_writer w wp;
  return

endwhy3-1.6.0/examples/multiprecision/mpz_add/000077500000000000000000000000001440160026300207065ustar00rootroot00000000000000why3-1.6.0/examples/multiprecision/mpz_add/why3session.xml000066400000000000000000004743651440160026300237510ustar00rootroot00000000000000














 
 
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
   
   
   
   
   
   
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
   
   
   
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
   
   
   
   
   
   
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
   
   
   
   
   
   
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
   
   
   
  
  
  
  
  
  
  
  
  
  
   
   
   
   
   
   
  
  
  
  
  
  
  
  
  
  
   
   
    
    
    
    
    
    
    
    
    
    
    
    
    
    
    
    
    
    
   
   
  
  
  
  
  
  
  
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
  
  
  
  
   
   
   
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
  
  
  
  
   
   
   
   
   
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
   
   
   
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
   
   
   
   
   
   
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
   
   
   
  
  
  
  
   
   
   
   
   
   
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
   
   
   
   
   
   
  
  
  
  
  
  
  
   
   
   
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
   
   
   
   
   
   
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
   
   
   
   
   
   
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
   
   
   
   
   
   
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
   
   
   
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
   
   
   
   
   
   
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
   
   
   
   
   
   
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
   
   
   
   
   
   
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
   
   
   
   
   
   
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
   
   
   
   
   
   
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
   
   
   
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
   
   
   
   
   
   
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
   
   
   
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
   
   
   
  
  
  
  
  
  
  
  
  
  
  
  
  
   
   
    
    
    
    
    
     
     
     
     
     
      
      
       
       
       
       
       
       
       
       
       
       
       
       
       
       
       
       
       
       
      
      
     
     
    
    
   
   
   
   
   
  
  
  
  
  
  
  
  
  
  
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
   
   
   
   
   
   
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
   
   
   
   
   
   
  
  
  
  
  
  
  
   
   
    
    
    
    
    
    
   
   
   
   
   
   
   
   
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
  
  
  
  
  
  
  
   
   
   
  
  
  
  
  
  
  
  
  
  
   
   
   
   
   
   
  
  
  
  
  
  
  
  
  
  
  
  
  
   
   
   
  
  
  
  
  
  
  
   
   
    
    
    
    
    
    
   
   
  
  
  
  
   
   
    
    
    
    
    
    
   
   
   
   
   
  
  
  
  
  
  
  
  
  
  
   
   
   
   
   
   
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
   
   
   
   
   
   
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
  
  
  
  
  
  
  
   
   
   
  
  
  
  
  
  
  
   
   
   
  
  
  
  
   
   
   
   
   
   
  
  
  
  
   
   
   
   
   
  
  
  
  
  
  
  
  
  
  
   
   
    
    
    
    
    
    
   
   
  
  
  
  
  
  
  
   
   
    
    
    
    
    
    
   
   
  
  
  
  
  
  
  
  
  
  
  
  
  
   
   
   
   
   
   
   
   
   
  
  
  
  
  
  
  
   
   
   
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
   
   
   
   
   
   
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
   
   
   
   
   
   
  
  
  
  
   
   
   
  
  
  
  
  
  
  
  
  
  
  
  
  
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
  
  
  
  
  
  
  
  
  
  
   
   
   
  
  
  
  
  
  
  
  
  
  
   
   
   
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
   
   
   
   
   
   
   
   
  
  
  
  
  
  
  
   
   
   
   
   
   
  
  
  
  
   
   
    
    
    
    
    
     
     
     
     
     
      
      
       
       
       
       
       
       
       
       
       
       
       
       
       
       
       
       
       
       
      
      
     
     
    
    
   
   
   
   
   
  
  
  
  
  
  
  
   
   
   
   
   
   
   
   
    
    
    
   
   
   
   
    
    
     
     
     
     
     
     
    
    
    
    
    
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
  
  
  
  
   
   
   
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
   
   
    
    
     
     
     
     
     
     
    
    
    
    
    
   
   
   
   
   
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
   
   
   
   
   
    
    
    
    
    
    
   
   
  
  
  
  
  
 
 
 
 
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
   
   
    
    
    
    
    
    
    
    
   
   
   
   
   
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
   
   
   
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
   
   
   
   
   
   
  
  
  
  
  
  
  
  
  
  
  
  
  
   
   
   
   
   
   
   
   
   
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
   
   
   
  
  
  
  
   
   
   
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
   
   
    
    
    
    
    
    
   
   
   
   
   
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
   
   
    
    
    
    
    
    
   
   
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
   
   
   
   
   
   
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
   
   
   
   
   
   
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
   
   
   
   
   
   
  
  
  
  
  
  
  
  
  
  
   
   
   
   
   
   
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
   
   
   
   
   
   
  
  
  
  
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
   
   
   
   
   
   
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
   
   
    
    
    
    
    
    
   
   
   
   
   
  
  
  
  
  
 
 



why3-1.6.0/examples/multiprecision/mpz_add/why3shapes.gz000066400000000000000000001003751440160026300233540ustar00rootroot00000000000000]7.|_=;d#Hx8
v`[^-{׿̬VRL&D0>Ȉ׿Woo_Rw%?]_9_+TƵڷZ퟿1۟G8oV\n;KIG-ޯ{[?:hs'q-߽9d[_}yOX_v-QY[yqݭnz	}e?VWGݬuw>uvoeP>u|b1[m<~fmN@p&'dz=1ހmSo6I>[cփxn]On-{KԿvs|
W\+Vl+2}c.;fska>#v7fD?~֬r)ݸsղy`ߏtFw?<ͺ_w7?ߔ6ި~oj~N!+N>S4ӗn~Բ߷=|X~տ!ML7oglJd}7Zw"ˎa~ka6VOgB~_S'߯7Dz{9vnp|zeP w˯KmI,ioםޒJ'&Pzvy{юϿ?6vDnoxS1/}X>|{w=l=|E}:~W?4!C/dܠ]c_>/X쇥九mC;kJM_5/h_S}7tyͷq®WMD[\3/~w_TQY
w[0jSvRە1{vrlXg4+u$V0t܊پm8kцK1mx+
gcZK,7I3.85W2n6e'[1eic7=Pۥ
/;׆2A{ChflazvkП\Gj9Rm[Din7Kv3Wm73v3Sm77K[OCJN,\,zb>2)Msgd\,͉;Bw+*.wߛ]6)MD˟y7]m)
ard:zLGtM3?_1ⶩIficf*3\7	S,,ZQ4SfGN4_{GĤO$/MC{5+1z(A/K=c=Nm.9vٶ[yHstylþ^G~Sy/	}غw\Ճ}X+ow큟f.rO$$.ynͰ3B;
f#ˍOG{ijζh]D&m4s@xi$^4γ#M2C*aCnjVʫe܃c˰9Ǯ9gpŋ=vʦsnwtnlokL>wy͍Qov"k޶zx6Von@?ئu	~7l5ܘ?wO4$o{~Z
\s!P>vH|7\Dyb.n7sW>zPobN$ҩucOk9Cu7VFiF86v%
6sv괘[Ye9o[}{WjszEǯ\O8C6߯Y{7qJA:{gl~L~2y?wsuo7ϳ;;B>UtN%Q?<IC~!+qɼfKH.a]⵰m$ianwes8(Jzv;ٌ9pc{wI	էZv&-nZxzȲ}7uSo}UhaZ]1եobzdx$m>3V#gYjbj
ȳZd&n0W/WD'\ˀWI{{vo郼ֹɵMlRޛ`6bg6G\of?ѫ߯t='SYFW'r>xck8gBޜPzӾ.۸{Ƽ._ow	g]޸n7g˚
mEmvtm{E/w5{^8Oū߿W_OjK2"Idb!sd^}Ԗc:}de0}W2SiG:_qE>@b]4;3j\F8O:C=+c$vKΫmvPS8
h?$0qufl!eZIGDڰ[JBdZ~1}a	nUh/3q]6Iw;-ΔQ	QrY'͐:˫˒jw;ta
knac}۷7op/񥩿%nU7sa3w_P[;ûdpvW}~ҿ>_9DM_GNwn4;f
olH󗼱uނҏsYP2];ͮ.۹8*	hUq5E캁\@ݽǷ|~2ƷTz{j4ĞHyba˻fFm{`~7/z6Jjeʎz;~Œ'bߘ#1f)IP3ٴVi'3W:fW{!2mt{hrw'o̢˞1[R-(ehy<:B79c^쨰e
ygjp-F|w=̄${,wgFGyHy|فCI>V>lpd6#݆
G$UpUveo#ɟN$6j]d쌂=sw$N^\Z=t։I3uf簤./oˉu!v}n۽Gi~rȬͮIoa7;aes=>o'Z_mcTvG<ȪE7kD
oku[%	6?w[oVoUv+7+~
wk[#K?ni|UN7opt3`'!R+~f>I8ϊ?>.\uNG=#x
9~m|Ò9Xq@KU_UO$e&>w{FX/l p5[mmmI=Ý)8^qOi+]3zdF yǯo~7ݽ{9*0W}wfew]K9w6=|`7{/ཛ9*.*Q{^7&N p?Klym-f5k`
hMʼg[V<NPɂ,i-tbeK4:>.Yɤ?tj>=ME]ۚyf>(nj= ujN}悅(Cs,Zoja; o5ƻ[%_t7l\8YC؆x׃SlbxWOl|N"ɏ)@{om)A5^owwo	ۙSi/qѰ+ŭu;q[6O)3]^	^uZӪm)su
f?gǵz?׶_vhveϳzԈ=|cHz3;ϵqUUkͳa]Htf;XsÌ^sR+OnrWBgcOW[fDQz	%I-D.Se{KlzW0tW/٢b6 `A6)م܅S_Ć"W~|wzyŃYݞhj+W\\eiue4?mzAG_|VOR}=|M5icHG9bzi#GG9bHX$kׯsv}Kҷ?!GL/M"GL}ƻ~}N~ͬyX~HMuOb3=@8Zy[]|teqyQN{.ÇENYN^0Yp.Xum^nuA\!|ׅfE[g.Wg1
biO8M},$[}`<ۘ	ZG׎+Q*<&`Dv_x
555k5k--DgfCesb鍢}|!h{Y6[I[.15W1Tv85kH2ŅTgSk(,J:/2K6U:
"E4*\ycKu[`ƦIKͥHz1e?5:ãl6N|#1֢y}M/&iĄ"vbnӛ…^
ȶʼZت0JezY8<BWҠVe8^_𩠄+٘(I
D3*)U2E`.
LXז/6TR6u`8\36#:(*{tV8ŧ9zLҢ6/NvR@ZTF>W#R"G)EU.o\RS qmj?iJ`aZ [WvȆT*+.e$0٢/xU^K*Л-_3^3ZlӱKӚޙQ\Puׁ_FrjO:(@7kx7בSjl5UBmTU&K*b|#d3BSdL5l0*X}dw_qA􏺅FB06nK5
51~>pwATԝp1UDѪb4A_>}I$x2n}#u: 袚
v5 aͫ#(RG-VA:!Vbt/b{l$/ދ/KKE6T4ͧ~9S.pk'P&g#KZ0EBO	)4RMpolS`Ij+GXlGUP2I6<}>'	LN
A)	`}NSNWX}՗X}:G
4b$zn0FRcn"k*;i})[)}06|-پM*H;y`~%m݊}EWO^G,LaVzF#RHMxzy=?7l]\u$oQ=پ:HqHLƐt!FB_۾/4x@耸TGd$cr^;	>ҢvQCfQmkEMNmiN
>ֆUaCG1&ӲJ{&*aDSjWπ6RZx*ތg%wfU"gB1 
6sZJ
`Dq
ubKWEr6貺-\za2C]G,&ǥ,?:Z#uUphY7le>OGA%ٙb}mP0Q&Ur.;@y(Pdx}(s=\T?}RܰEPh^}L)$Ov6pтW]U66)#$99e|ίѓ@C=d*g*0t,p?Tr}ՍԈl[^rm%%|*SR,nNհ%1/pF%9t3l 4$<'CMjq⽁0#BV_ÇV.|YԝM&MqɃk
xL!50U
I?|*$X1"\bqLUT'V8URR\\TOcs6I$^aޯGHY(\uRQi@>)4S9T>(U]Q?9Gx"v}xkf}ɸfd2IR[*2x~`]0jc.b^VClq*n~ew"
[M5_uZd:!#^bsWf=p}gk!iNkn j;Ӳ-zٗTTL{q2ԊOVZT[E/tNN{&.r rWs8lG
Z}zZ1Al%*j5g`5ROJ4*;mLbVzv{<1EmSgu|~rTӊCqΦ+⍕¤D?4|4EE"Vj
k+2$$ANGOjf6фHȴőug9/ꩩY]_]תD$`
?:T*IcTWBh>FlSV-:U6-m{n5PP zY?ziWAAAMfj"%)
8bZ-cݮ+X	=U5Y9^5ε~qK vzw})bLUwĞ"jͿ,&XfBN"&1xb.
A/`߭JϡJK$^\2bwb z̄~6!FkM9Nk;.z#rm@-S	|la*g6&CҜ03z`yԒq̄o
'k&~^8Z&*I|펎ymַ\jF1>t"Ѡ~~U
eV렪?ᐲ氒y_d`hZNls!9u%l@<+28|eiRobh`6S!yFzt-1f}SU%WТa6Va)	w7(8e%ѱZõY2;VI[dRAjtZ	=
>Q$£zAPD~V_al`D\
XMljIŐ60ϚC.$TV?Lq>)ӦekqG.x e?k '56VCfnzy~f`nGAOZ(T1Y8ZPSR0:a/nPXeS.^bLU\BNtBb^h`ș
)]Oa>a)ګf;FKQ_4_4AOҧQvLmuac`bf%IՕlkfJw{I66˶D@˪Qr5֎&H"j=o׺0^lDfwɻ_Ȉ4FoD6yw&<R7O	l}A!qj\+%"yw`HդD(^|*SɥOVE31pzR<@~%kkYPdJaɥ
̅U4!A^Jmҁc^MzP0A8ygZ[ɥ7IHSSB`4ZhJ.41
!gf%z$DIN.DdDkS~S0£Ka.j7K`M6ސ(N.Ĺ`h\ɥPQ	T[(5KV
OJ.dIULE5Q˩9ԘCK.xNN!GPmK>!%B]pBUD (.V6[ոч$:]NdCI%%B]򨭞+Jz}^$tlL$l
jaBzxlAEk9gwN.Bj^,x킮QE eE	D}}-l10{Ԗgp؏ŪzRqq3pT0{i^q*Dݟ};
?Jܛ1"#@SS֜S\7wp۵w^"0D9Kc‘?+x'Zzdr_JKQgg\^D3"Hd+\Uh%U8Ϗvh-Pbv:\jLAu51)%*:яL1SN.TR!;o*NB)ON8D`xKUZRت$dl-=5t蒉R@zf5(QmQi'eY
"]Ȫ
/'b]b5CJ$HD䣱1	XP԰Z֦M+QEN.YuH%_s,Z&q:lڈlzMZVk
Z%ڗsRܛQ>oٳ"熄T}^پQ2[AJ@#R$L&W|t>WÑ˯kPo"+/"NMm&%UCQS1Lrȱ~mx:SZ
\u$5-@Queu-l֛K--k6U뢤:\荁lZr5*mq~ouG${uH$9idWJ܅7F8@>əf';@j+%_8 ճAW/~]*!y&I%z7qI_}u K$*W
*{	F3!)iz-TzlȁD~\#<r])bU2 [T:2p	9~tbX%jIWTC$g:;`𮩏b6*#4Lȁe΀b\	}=10PVaLȁe#]*ycz"FM	9(0(%QK9YW(di-V==S
)6C^ۨ#P!
sQY.BNw.Ǿk!a]f'|`If2%{q	c%5Xo04q*'1ЃƝ㜌:w/v,x5SS+WYI bFvS#[TѓDˡiWK3@8©Z3ыa61`A5<}$-GGZ`ypR.UPUO9׵6ά+}4iW$E+]}Pjpkh{_#HRP}3pHS\򚹄\RdRc)5
4vو/V[>[_Q^8_AςBzv|pd\01PMA_8AdECPsSZFn~
p&cjr MBdRr='kمCJ	`,ܘAN*M/? eXm2jF~Ė
5V=֤E+. ?6kZJ@){ZCr%g^	ӵa18s@+䚲$>20Blͷ1^`.dmEBvJ	]2kp—	Ƌ{`Y=KΘt5憢7UƀxzW
ܩ_0S[> &5[ދcV5MNt
RLcEC3JRm*%S\)`惥T[+QHޫFyPh}pJ	xՈ>D	ŒRօw&TP9BJPe3ExMbabv.&IKTAla	~58r4H^JL(=qC^{`xj/z+d$*$.7$\a*M+)窘c
h]E&0Ըʵ,<;T[\Ԙ:K:v6oǦJ~"JbV00F@6rc
y^xv<ԄA+1`&yQrw2ԬV(kGQJ~dY1͖
&Y2Sga_8aEoPKu5դ,aJ3,g~b2
P3Km>}?bGjH@m*ߏ!2-0dbkzG6賋eNOѿ(Wȃ*PR#ƈ<(/X~ap8W1Wo%h%:[;r³^8'Fzfo!jah
/Sf)UW۪٫P[/<;8s/+kt bV
x錑jiRz[D`ԄXggpPA"@Tj17!Ă
1p.GѠ+ꛭjh)b
xQ gr* P".!*m٨bR^xvpK	ĄK
&ucLgp.BFTbIP)UoAMHV=(RpD\Hѷ(<;҉N*^F2)y1Q &hUғo@n(1fANTtF@jV
"p"3)0Sm/ώ~لlAH'<#fiДj"Up.Z$	^RBddb7/Vexp%yl0aٕ]
-Rŗ u@-XOcTL™«5=
 TJ㊞%\sE+F켯b@Q{cTL™8;\+!
hcQx\Qb,t{7TXh?j/;6ZbS.
^Mb[]ӡ'ZZ4!1~<+`/ƻ3d=Di~
FTIYa53&ER(r_u9;*"9-BROR--
vS5J%ʢCWS7F#Xj>8RSg'd%I1E(,Xb1G(Zb!O9h;98м8h`qUPn//C-Pc:FqFԡ tδӆ=>Jg2\lCbMCv;T-TuN2Td)#VwjǸ@Ƣv{]_
;()=	-Jܸ6h|hl4-CT2^	}jV'cD0Tj1ȞWxH܋.H1TKj_\Ddt{TϲתyVX\GV>o%H8%7${ti06fxHe%<˕	D`HPSxkAӖb
=M8>"{i@IkN-esVZnx#\PS^ص*{37NnuKGgPI&)-j[Ҧ^bپUtSz;܋C(j~8ΥȪ
C0/zUکiI
M;<cvQ=(XǁvSlU[$	-~
NH?ٖmjrNr[`?ț-Ax4-v~V$f%c{G)[Ec?yl{U`J
V))՘sUm}_!ZV ?\=zD;.ٞǖh>X$9|p7s4`?jL2TMwVԏQZ'\ڨ=585jx)F֘$N;6Q
ǽ/ԏk'2"aWk%yxQ

wOjs v/	R̠v`q)J3N'$赠Dșl~.⽸`ԗ"AҷUAfLjV%.2i}9\_9IUo#;[2Ry[f*4UBsn.I;K,EgJhDcJ5"]q~4fVk"V10֨_	d+_Ou€mn,bX(R!*&WV.}(oNzdmwSfgk|gB&n	aD,[b+>TZ8m|j	SiѰ1H:MUj|8 (τտw2|;>>z6Ai
Q߁,|
zYj
p0I]ߟ+WDq덾>CG1r׽@j_Zj-6ڜ|-V\,?,
#HS-V}<3uCF3je|$Y3">i}L_:^yIr=$Po?劽bal[־IVYIUiF`Iq3h>oI'9i[P5۞3fVY%ȍ7d֔'>dH8f3K^|×m0̚|ztZ=7gNR?RoFb2PKN9)cуhUWI7?$
!c`aZ[gi7?{c8Nnwp4{*~8êg]jm"[{UoPf0uiwO]2+׋	L9XRujCN
qOԯJriљ1`МQ7>~$-gl=	
&lwsJ,{cy=_|E0P>1:휺ii}t{~IcW1¼'Æ~A'KyܓLZ4s4vM@S'wc=-PMw?(ԥXW^sq!>&|&3`q[m!X 9XH='U0KWw%VS%|/0czkםfg+o)`n$hcS{S`niMÇ6b9,g'E'GǢc\&(cytR	V-]zϖMC_>G:٭wQ=9g4Q{Xzv C\%ȭaGL9x혳uQu>FpL*&DKLbag;f޹ZZb=g M"6m$J-/ԞټGډLCֳ`
Y6:'Цz:Gsk@;ߥ>Ŋ@_itaVQZYoHN-Ѫ-MU@NJ2L7
Ҙ7ТQr'ɩ09(iFH9nQ[/
VTnd0ZIOV+i΅֠igz, B9f.FGAޒq6i&S(f̫2 =Gs:v^HA$Os
$Wn͌50;ۨbTF8~ƾy"fVFv^Mv%!ÔS/Q鞔7FӁ\=5o55޶VwywSfH:DɗI誝ػ(wE3%cIg{ΪwBzm)z˓0h[dd$Jݓf؝B"l[4bL.&.vO՛DQs`6'4SxhƧɮIhF-:ޤ=]oW07j6UډrusZS>S۴}^7wuFe4 
=+ixJۈI@D
;&vB6v7~_[q14]	>
_'Vg}j=C[,R665!=%=Ko:l>0NCn*@TWx.*ie8ɗ %[LWѪ(<묱%U
޷_~՞[^;lg9ً9rNE1*F:_>QJq{S1z0+jCY[Uu/1fb	H\^YSkS{e`qS%В_}c
6U?Ѣ͈`"Z'BƵ V)h39IڽM,l-f7}M ܓ[O۪3Z\\!ɧO$J?,a)5&R|Wh_#"ν-rj=J#?O-mv٣Y0`:'==q~Q7O']83DW%	~LɐApRIt j$IѮ*dxD%X	1A4矗Z{T_i"4-d8}k{Ԃ-4σ-.>f{vq6gք	5^DpuOnAmRBRD=o[|?-kf\a+8vE­\rtfY&id\A[;R;|ғVRe:k?p+ɳ*ɞLljU}9ئy;Ctq~5Ѐ[KXKBØq>&+
^YY$-H[]{RHCMj4%nM5֔[S.Чmz4֔g֔XGt($38nv8<̃|ЕkVT\JM9Ϥ	x5CԕҞ^RKj)d<@5=oRKj5p`Vo^K3:teP?x*Xd
jȠufn9#ymӞ,QaKb=b^ďЈϊAL\{N:w@7|1u$ N65u:^0zz}h`b읤gOq(uc3YlE76|A1>)KjxcEk+)^MS7V*(#cF\v1E,ǧh`N`874rԪJ0DOR]uKU:I	8W"UԍXyRKZeQ5fk݉:VGUaYU{*Wȶ/FUh8s#K(|?,;ިݨL'zUn#MJz8\j6AFseӒl
ٶf/0\F7z_mު"PcES8-컼htW6/ZJ*[ZEasm%@`|mQ/i
z<9)z,Zuu#MTãΦhkII[&W|ߍw;F[}x.tk/F+?l`͢/iΘ"77[gGM޼P3;7ΔDo\LbD&Aִ(\V5ؿ{–<@Ɲ[uua~
7
'F}6pqDr˴Wy9~2.7?>]z	I"q2LH&m<~8XB;R:Gy-C|~6.ЫKӓ\%o
7)w`+#(5'Z$3uY{u
)
Y8q?dbD{ۘ8"YK'tҖi/6&oarXHfmʀ<EocFaXbI3PQBSmä{Hmb{ocfܜǕܭњ7y,_T>+OpahĶx㫭I\HFs)&][QP{76rOƌԻicNg6	tO~2\z	f 9)~tjf,/}BlNK;9x:3}$SA%9.شq;UZG	b|Vݙ iYv.cɇx6ƿ3{Y1*tB#
POf&F`όBs,im5	Wz8++V7UGc,nl-NBщm5^l>^aOrv⤉5?80@1nrNrmmUmUE7m±o~=OQ(_JOt|:g͑~&4zU[Xt6Y9dK$Z
E[y]u9ZcU0ЁA.Oy'EAZWIL@Te9:pWI}WeN:@IxNkpNt$G1-VZU%?3^fJ`$Gyﴻ7jW_:{dRLFmSi?VPgpMNe8ӤPZ8470X{M܋OZܳԇ475Hb2;ڜ8mn/vgoYÝaHx_0-Iy8]1{/wLGmSq#ITt,TS/7pEC'N:X8~esI֔NҲVzqdM 4NE&ļ'jAK&DnWW猒"2n8*U#Zzt_IrV㕯K/Wߗw*11d$ׇd<|]V=5TU5Horܯީu;U}=ycpTpdʛTD0|팄R`Bˑ8;0vUJXG4Ս(]K;\2Ыn>_n`WgWuNeˠb.t|(?O\ec
6
SoM)N-{ ꘪe[RAL$L#j"֭hxj1_c;4ڨӁۀVѵ+L<a'HQ%|$z2/zNrsLx.pm(&&d	:ϘSXuu\qgؖZպUzGc}35;fZC>p e`;r(*E?璒k۝nw90*JYpZyL-![']~.~XUҫ=`ճIHj2ѧ zu^"C*&P"xn#IP:cI7Hˑ(!%=9HOҥ'|(/CoiۖJ,R@ptx𓂀dߖLxjCfIdOr"uOsN]Fiz$?{U)3X3*qKMfJڵ_Y7ךk6d"Uq{1ev%4lU>@^0ڏ~QvTlct^?
#a<;ѧQsyvOkY{2Iϒ2O[ʜϚTZOco+Ɲ>k7c/klȉϦ {Y nFg!3QEIԎG[C x9jeLbSGgj$u
dĄ7~U,UIzкxPhX˞X.|~&?Lؖ[$Uu.DY*:ypd
d^a]n4#L=BpQ~)pevR˰RkK^V8͌xt4ǂ%5L]d=-oQɖ0/$lGw$u>xM0Ԧ{dbg0fdYu< JM2k#YԚ5YNf8>iU2n(}QN7qMv~YdF\Jd=`SJ歀bf0&qW+~-`O6
*Oq8}W?Gӊ<~!eTxX|~5fN5/3BjMv8랢q^7JP|8ZM;#)~h?f59#<
uIhSLjU!\l/Lp5:M0xruHJoH*-NO=Lja/,E"ۜr\QO$
fE#FE9uџ
vN
(D3ea@pC[zB34IWEgPvhrLxo[ivOTWuOo(A6멢'uլEӌsk붗i=cVillGOYhb$/ed\p8Jݿ۶f$\{X!磹V>%Urh4-GJ]<\UGRyS\+@R\mv"<1*.>i~(˥%Q~c*mft
t4+X%K2UdS&{IANar~p"
=}/GR<4
Vq6j?%h3_´cHj.\G	Ym&V(c?}'ٶYrt-*f^dRNOY뭊7B!.G?30
N@5ҙ# *3F<~;XdUuXZIII 33,vU~7K+ak2}\cQȩ<s/~K#t;1XJM5\p?G袞3FmMsX1U~^4f2 ?<hȔY)֦h77&^@}rNI2FcW-qXKܘ/d85|DƂ@Oc,U2F-6]z@yqm/>s&%	dk<@y"M!jRGr0&'`Vw#{T_H`b>%mII0fiV-òN(4<4j	ةH+}ҟ
O
[.ԭjsf1}|{-•ocNzg{\4δڇݶ^,E#T
	@r%ǎecf;3	]Q]Hʇ"9<5O52)+ӽC6ք-V%𳒢V}ԍL^`v=|߇tLՍQ#e}cvjc`XE]]F-ӕC9շ'갺BT,>
&zYL.OenLX!"H{JZsv+=EHKk[2n:ţM1Vi%-y5KqlXprh6kG{hF;ɽ;_3Bb㼚Wߋ<#ζcجr:bB_~$c)l6E,6j΀ԓ`$YHidϚ#~$qnUgsLtNZ`3xX=
UCF-O*+Tk[;{AvϊQZ-/+C뉳2+9L3'kYFY,`;AYW^Oϫ2B?_:n
oU
d5hKxY)nq7ъL{S{'
q$JpmFm#B%;=(Dr9zͯ!w'VT6w^5 Sb%3[]FЙN`mϸ#X?*:nuN䮢YsQa{dUuG"Ӈ]4'6Q>L7*TҵAxz6j%({WyYM8%v'vڞSt?*{4֒ㇴs뒖/e~T,\Aæm;C}%ᑞۙ:ᏊM%GK"(,ȷM'F3
2zzت9,r4yQ1M:,#Ӻl1=-~+{3.0dPeSΘMe-ёi}5=C
TQlfXkfHFϰ##]I"\?0v'k$5;0=Pt-:oVc@;p(iE>0цbu.Rv;uUZۨSj{LJ]]8ϛ($thHlQ*ĺk|`쀴
;+h.cY oR4o	&j`SJi>0v==F+n[ZSحՊ|CZ5u>0vɼbN;
.S8ri'Nj39Ut`=)od,S}E4"	BU<~uȸAXW*65lvQ{mv>@9@{>ID_]j+8"Hڊ[E\='jt띣rEtk\Y`b֬|94ɽVܙr1lɔ Pԅ`'D}x(%fp-p#?Qy^.H/)iN>V裎/,3`ѓhoj&t9X`џ[rU,q'45DžEFπEKP7oŐƣwhy3-1.6.0/examples/multiprecision/mpz_cmp.mlw000066400000000000000000000054571440160026300214710ustar00rootroot00000000000000module Zcmp

use int.Int
use int.Power
use map.Map
use mach.int.Int64
use mach.int.Int32GMP
use ref.Ref
use mach.c.C
use lemmas.Lemmas
use compare.Compare
use ptralias.Alias
use compare.Compare
use import mach.int.UInt64GMP as Limb
use int.Abs
use mpz.Z
use mpz.Zutil

let wmpz_cmp (u v:mpz_ptr) : int32
  requires { mpz.readers[u] >= 0 /\ mpz.readers[v] >= 0 }
  requires { Int32.in_bounds (mpz.sgn[u] * mpz.abs_size[u]
                             - mpz.sgn[v] * mpz.abs_size[v]) }
  ensures  { forall w. mpz_unchanged w mpz (old mpz) }
  ensures { result > 0 -> value_of u mpz > value_of v mpz }
  ensures { result < 0 -> value_of u mpz < value_of v mpz }
  ensures { result = 0 -> value_of u mpz = value_of v mpz }
=
  let usize = size_of u in
  let vsize = size_of v in
  let dsize = usize - vsize in
  if dsize <> 0 then return dsize;
  let asize = abs usize in
  let up = get_read_ptr u in
  let vp = get_read_ptr v in
  let cmp = wmpn_cmp up vp asize in
  release_reader u up;
  release_reader v vp;
  return (if usize >= 0 then cmp else -cmp)

use types.Types

let wmpz_cmp_ui (u: mpz_ptr) (v_digit:limb) : int32
  requires { mpz.readers[u] >= 0 }
  ensures  { forall w. mpz_unchanged w mpz (old mpz) }
  ensures { result > 0 -> value_of u mpz > v_digit }
  ensures { result < 0 -> value_of u mpz < v_digit }
  ensures { result = 0 -> value_of u mpz = v_digit }
=
  let un = size_of u in
  if un = 0
  then return (if v_digit <> 0 then -1 else 0);
  if un = 1
  then begin
    let up = get_read_ptr u in
    let ul = C.get up in
    release_reader u up;
    if ul > v_digit then return 1;
    if ul < v_digit then return -1;
    return 0
  end;
  return (if un > 0 then 1 else -1)

use mpz_getset.Set

let wmpz_cmp_si (u: mpz_ptr) (v_digit:int64) : int32
  requires { mpz.readers[u] >= 0 }
  requires { mpz.abs_size u < max_int32 }
  ensures  { forall w. mpz_unchanged w mpz (old mpz) }
  ensures { result > 0 -> value_of u mpz > v_digit }
  ensures { result < 0 -> value_of u mpz < v_digit }
  ensures { result = 0 -> value_of u mpz = v_digit }
=
  let usize = size_of u in
  let vsize = (if v_digit > 0 then 1 else 0) - (if v_digit < 0 then 1 else 0) in
  assert { v_digit > 0 -> vsize = 1 };
  assert { v_digit < 0 -> vsize = -1 };
  if (usize = 0) || (usize <> vsize)
  then return usize - vsize
  else begin
    let up = get_read_ptr u in
    let ul = C.get up in
    let vl = abs_cast v_digit in
    release_reader u up;
    if ul = vl then return 0;
    if ul > vl then return usize else return (- usize)
  end

let wmpz_sgn (u:mpz_ptr) : int32
  requires { mpz.readers[u] >= 0 }
  ensures  { forall w. mpz_unchanged w mpz (old mpz) }
  ensures { result > 0 -> value_of u mpz > 0 }
  ensures { result < 0 -> value_of u mpz < 0 }
  ensures { result = 0 -> value_of u mpz = 0 }
=
  if size_of u < 0 then -1 else if size_of u > 0 then 1 else 0



endwhy3-1.6.0/examples/multiprecision/mpz_cmp/000077500000000000000000000000001440160026300207355ustar00rootroot00000000000000why3-1.6.0/examples/multiprecision/mpz_cmp/why3session.xml000066400000000000000000000341501440160026300237600ustar00rootroot00000000000000











 
 
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
 
 
 
 
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
 
 
 
 
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
 
 
 
 
 



why3-1.6.0/examples/multiprecision/mpz_cmp/why3shapes.gz000066400000000000000000000107131440160026300233770ustar00rootroot00000000000000Z[oܸ~ۜ3Xsk,PA55ccvڳ_%unn'ҖDź~E?K~z}s}?'O?7_On><}3σ//=]=>pnC3	K}vf_*).?t-??@j:Lz~|zjGye[o9?ڍw}ٚmnVr6C;]/-Vl/_Y2<֗jfю%|i:Uۭ5h6R=v;{4zo{OM>?wۖ :4iF?>٪gf7;Mͣxϛ:.[7gC)j{M)mruIkn>qd>pj>|g%@ȩ9s5MlC1^40|[eh]o1^xyehVMHPپyYx3󔿶sq~Pmfw0іo(b1"v3r1v_yHQ0C@mf;l^4Rhf9V@r:@>%8 l-&:@|:z5CS3ƳX_S~}esyΩ?MS{]^x.ܽ-'UN@Ϋ$9OֹЬi	oFj]d'\&\p506P9?{\O:˚^\/{(hW_fԟo{-]
(Q᱋d	)_V
ouuLPGݫ@fG׸<֖iٶ<_ki*.'-z";H	)
ZE7vzQb߿z?^:;T/ԁN/?W'-Ԟx?
GLǷ&{Hs^1W{uƼC^WCq۶]S5~ާàw
Y{AvcқٞDO`}b>r;NAr@Rؿ# :i	\[&[ݴzݢ_|2TIDڲ/'q>jeI<
wV;
^;l_NE.։".N;waB㳒׷L'%hȦ3cW3qܐXnkdRz[5~;'F#)eGtu#d[ikqA.z^bQ.ZAa'9t5FQtҎ6Q9cc\Ik0up%MpJ¡=ަWN6
poW.mʊIŕSHus[sO?AZH]@UKC.TkG<,}8F}`:+FzuX\0GZ9ȧ z˳n5.H33
d;rr384`EL:בqbj y䒁[s`/ѳItN2F0VkYfQ	6^ #S@]0ԛO4v
9:}}kz˃hg9'wwG߾3[|j7)>vr&3cW3iN+mM;ʃ=7mQirabA9kn٥>`ť6`.@~;s*m=]զ~z;N1݌\=\3*'pUOUzW\[pUNમpUU;5cP==ջcPʶglwծ:Ϸgca{7ɕrJr5#Ǵf;3ڎ?fiZeA#Eo{ɱUnċmd
\rM}^W,
ne&sފMIV2~XcQђ)})hae
ޞF4¸b%K˜[-u Սٗb|lcRn'箱ّ+'YqR1!ǬQT(\) #2uRSo::Wi"(Y	&`LctcTcdcDcxc1gB&GK>/9QtiK쇔G-HD[ڬҌh\E*卥ƲȤ@Ю)H(a=l)yS
h	%)۰5{'H)@;o^P'-霰	wH&$xDA``$b2MDP&(ƩF47-2\i3"S
H@Yp۬CtG!X2,cUr	$41lזAi#S0+5v;r
ݜ-"u-~r"}0U
P
Y`ShU;	C	a= #0-.1|G^')M(q]I8	&+vj;G~DOʅkYl.l8syy;%QB*)8; Czld[R	2EtlG@5f(@9'DQJLeBMAkw/pKEShŜ*I2V=Seg5T㥃RLĞ2>Z4W`ܡpCJ2VGD2=<'Y'T,
-((+VPч⇽H5cL""HnU1nI)\F)O"4JN3%rdB	E҇uKOf(ǡ
mTrR|
ceKP>^'V,(2P&T밤[@!FA0=tc@qם+t)ȅ,qr2-hg{"0qa` Eį~N[^
+YXlvU	sм%q=5.Pӡe>Igo
c*:{UdVfYtShS٬z'9\zfꑧGk;\+Z$10IDjNR3./)#:I+N"[_".xEu8J۟(Ce~DhO-SdLҚz.rje*$1wMSc9GE(AFDrQ?UZ%7ˤ9 /+x4k$'vkK@g-2H
܁]$CQ#:s+yBfo9Zk M'KJp!OS*:KQT"z|O }?F̒h\.I	/Jc6*޵6,7ީڦj߆Z۵$xd+ChCCK-RE~CY͞?Na/Lwhy3-1.6.0/examples/multiprecision/mpz_cmpabs.mlw000066400000000000000000000031301440160026300221410ustar00rootroot00000000000000module Zcmpabs

use int.Int
use int.Power
use map.Map
use mach.int.Int32GMP
use ref.Ref
use mach.c.C
use lemmas.Lemmas
use compare.Compare
use ptralias.Alias
use compare.Compare
use import mach.int.UInt64GMP as Limb
use int.Abs
use mpz.Z
use mpz.Zutil

lemma abs_value :
  forall u mpz. abs (value_of u mpz) = mpz.abs_value_of[u]

let wmpz_cmpabs (u v:mpz_ptr) : int32
  requires { mpz.readers[u] >= 0 /\ mpz.readers[v] >= 0 }
  ensures  { forall w. mpz_unchanged w mpz (old mpz) }
  ensures { result > 0 -> abs (value_of u mpz) > abs (value_of v mpz) }
  ensures { result < 0 -> abs (value_of u mpz) < abs (value_of v mpz) }
  ensures { result = 0 -> abs (value_of u mpz) = abs (value_of v mpz) }
=
  let usize = abs_size_of u in
  let vsize = abs_size_of v in
  let dsize = usize - vsize in
  if dsize <> 0 then return dsize;
  let up = get_read_ptr u in
  let vp = get_read_ptr v in
  let cmp = wmpn_cmp up vp usize in
  release_reader u up;
  release_reader v vp;
  return cmp

use types.Types

let wmpz_cmpabs_ui (u: mpz_ptr) (v_digit:limb) : int32
  requires { mpz.readers[u] >= 0 }
  ensures  { forall w. mpz_unchanged w mpz (old mpz) }
  ensures { result > 0 -> abs (value_of u mpz) > v_digit }
  ensures { result < 0 -> abs (value_of u mpz) < v_digit }
  ensures { result = 0 -> abs (value_of u mpz) = v_digit }
=
  let un = size_of u in
  if un = 0
  then return (if v_digit <> 0 then -1 else 0);
  if abs un = 1
  then begin
    let up = get_read_ptr u in
    let ul = C.get up in
    release_reader u up;
    if ul > v_digit then return 1;
    if ul < v_digit then return -1;
    return 0
  end;
  return 1

end
why3-1.6.0/examples/multiprecision/mpz_cmpabs/000077500000000000000000000000001440160026300214235ustar00rootroot00000000000000why3-1.6.0/examples/multiprecision/mpz_cmpabs/why3session.xml000066400000000000000000000217351440160026300244530ustar00rootroot00000000000000








 
 
 
 
 
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
 
 
 
 
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
 
 



why3-1.6.0/examples/multiprecision/mpz_cmpabs/why3shapes.gz000066400000000000000000000057351440160026300240750ustar00rootroot00000000000000Xn}W-.,^ɀcyx
5Ms=(īMsEaU_cyܗ/O7!wn[7lCf}(_"Ú26
_Ėnr.x%.J>?|%|ލ%MmɺʺvBlFSy:ܭ`6iWn˛9nA◗a~{HO%ߺqudF>4Sh}7pu}\u5g>Sv]	kn&L'6^ oa~>~vv;RmGmć&!.yV<~.گy9pn[sExMeՖ>ht"m>o, 'n#s?GG&#s#؆f
9mr3؏9c8Z=8c?vFY;ٯ_1->]7OWcf(b3k~@BSg
#FG@0
18;\hb9rj9`9N`m<3
RrZfVJ\
Do]Ml5E7kS꾟C3>zy-jGW%6.bLTµoސ}-T&pø[7ᘇ5/U;K'l1|ߧ{:!RH7
!<_r]Pfv.Mvbup7Eu~bd.\׃]>څ]z#.\cfa˒TH$2ݺ9>Nwxp;#dE0w*̰?.vZ]ϳf!e!mMǨW!.Xl? e]O_e×QղSbqN~:
-u-xTq8S療K7ˉ3us'! &]3}% 9>VwS_|U[[u4cdU[_mgGql
J9C·vXq}|~aힿ	}+>cߊG؊3AJIx:^59Gל]rKj9{M!Wшd⫐hc^KPsw߂RꄥNj	jZw$o>|Y;xgnp‡IjzlIN)8mH8*:4fF@fJ_~8)8IYR+iܾPp;PpfN@5y55hCvB\_r.*Uj0d0*MPd/VAI%Q"*RUPMFK'/(Ӫd\JIGNѩ,IQAذw`@&ju"g25dP3乲
'"M䤈1[s<bI"xR

JVyR3YR̩[<[j`R
RT"Q	i[%+FPb$r
%"n]zu#"!Yq-
9	rcdv:[,`޸:ԡ
"ʈbFfMc#QQπȑRtYDSvY4C	w;.8Rrha
$ÞܠJ4nQՖ		w[e9T	å
*8r$WYrmQ'嵤¥H*B*XSޥ<
9z~MܢS0}}}'eӐr*Be$*X*-c#t،Z׮v=+#`{Ցe\قU!5F&e
jBۜCŀOuDńI:GW":U`]%U++Љ0cMӗC4I
甙@lTZ}WL 47-J=dZ5TET@: L$.ݠM¾%.p1!CWeuhU`C&&z;0E<ߵX! q#o[`&(G]Ѝ;cR"h4֥ÄgoZL	=v`$|$aB6YLJX*ŒQ 0 /\ mpz.alloc[den] > 0 }
  requires { mpz.alloc[quot] > 0 /\ mpz.alloc[rem] > 0 }
  requires { mpz.readers[num] = 0 /\ mpz.readers[den] = 0
             /\ mpz.readers[quot] = 0 /\ mpz.readers[rem] = 0 }
  requires { quot <> rem }
  requires { value_of den mpz <> 0 }
  requires { mpz.abs_size[num] <= max_int32 - 1 }
  ensures  { value_of quot mpz * (old value_of den mpz) + value_of rem mpz
             = old value_of num mpz }
  ensures  { 0 <= mpz.abs_value_of rem < old mpz.abs_value_of den }
  ensures  { forall x. x <> quot -> x <> rem -> mpz_unchanged x mpz (old mpz) }
  ensures  { mpz.readers[num] = 0 /\ mpz.readers[den] = 0
             /\ mpz.readers[quot] = 0 /\ mpz.readers[rem] = 0 }
=
  let ns = size_of num in
  let ds = size_of den in
  let nl = abs ns in
  let ref dl = abs ds in
  let ref ql = nl - dl + 1 in
  assert { dl <> 0 };
  if ql <= 0
  then begin
    assert { old mpz.abs_value_of num < old mpz.abs_value_of den };
    if not mpz_eq num rem
    then begin
      let ghost ompz = pure { mpz } in
      let np = get_read_ptr num in
      label Realloc in
      let rp = wmpz_realloc rem dl in
      wmpn_copyd_sep rp np nl;
      assert { value rp nl = value np nl at Realloc
               = old mpz.abs_value_of num };
      set_size rem ns rp;
      unchanged num mpz (pure { mpz at Realloc });
      release_reader num np;
      unchanged num mpz ompz;
      release_writer rem rp;
      assert { value_of rem mpz = old value_of num mpz };
      ghost (if not mpz_eq num quot then unchanged quot mpz ompz);
    end;
    let ghost mpz0 = pure { mpz } in
    set_size_0 quot;
    unchanged rem mpz mpz0;
    assert { value_of quot mpz = 0 };
    assert { value_of rem mpz = old value_of num mpz };
    return
  end;
  let ref d' = den in
  let ref n' = num in
  let ghost mpz' = pure { mpz } in
  let ghost ref cmemd = any mpz_mem in
  let ghost ref cmemn = any mpz_mem in
  let ghost ref clear_d = false in
  let ghost ref clear_n = false in
  assert { mpz.readers[d'] = 0 /\ mpz.readers[n'] = 0
           /\ mpz.readers[quot] = 0 /\ mpz.readers[rem] = 0 };
  begin
    (*ensures { d' <> rem }
    ensures { d' <> quot }
    ensures { n' <> rem }
    ensures { n' <> quot }
    ensures { forall x. mpz_unchanged x mpz mpz' }
    ensures { mpz.readers[d'] = 0 /\ mpz.readers[n'] = 0
              /\ mpz.readers[quot] = 0 /\ mpz.readers[rem] = 0 }
    ensures { mpz.alloc[d'] > 0 }
    ensures { mpz.abs_size[d'] = old mpz.abs_size[den] }
    ensures { mpz.sgn[d'] = old mpz.sgn[den] }
    ensures { mpz.abs_value_of[d'] = old mpz.abs_value_of[den] }
    ensures { mpz.alloc[n'] > 0 }
    ensures { mpz.abs_size[n'] = old mpz.abs_size[num] }
    ensures { mpz.sgn[n'] = old mpz.sgn[num] }
    ensures { mpz.abs_value_of[n'] = old mpz.abs_value_of[num] }*)
  if mpz_eq den rem || mpz_eq den quot
  then begin
    let dp = get_read_ptr den in
    let ghost mpzd = pure { mpz } in
    let nd, memd = wmpz_ptr_decl () in
    d' <- nd;
    cmemd <- memd;
    clear_d <- true;
    let tdp = salloc (UInt32.of_int32 dl) in
    set_alloc d' dl;
    wmpn_copyd_sep tdp dp dl;
    assert { value tdp dl = mpz'.abs_value_of den };
    set_ptr d' tdp;
    set_size d' ds tdp;
    release_writer d' tdp;
    assert { mpz.readers[d'] = 0 };
    unchanged den mpz mpzd;
    release_reader den dp;
    unchanged den mpz mpz';
    assert { forall x. x <> d' ->  mpz_unchanged x mpz mpz' };
    unchanged num mpz mpz';
    unchanged rem mpz mpz';
    unchanged quot mpz mpz';
  end;
  let ghost mpz'' = pure { mpz } in
  if mpz_eq num rem || mpz_eq num quot
  then begin
    let np = get_read_ptr num in
    let ghost mpzn = pure { mpz } in
    let nn, memn = wmpz_ptr_decl () in
    cmemn <- memn;
    n' <- nn;
    clear_n <- true;
    let tnp = salloc (UInt32.of_int32 nl) in
    set_alloc n' nl;
    wmpn_copyd_sep tnp np nl;
    assert { value tnp nl = mpz'.abs_value_of num };
    set_ptr n' tnp;
    set_size n' ns tnp;
    release_writer n' tnp;
    unchanged num mpz mpzn;
    release_reader num np;
    unchanged num mpz mpz'';
    assert { forall x. x <> n' -> mpz_unchanged x mpz mpz'' };
    unchanged den mpz mpz'';
    unchanged rem mpz mpz'';
    unchanged quot mpz mpz'';
    unchanged d' mpz mpz'';
  end
  end;
  assert { d' <> quot /\ d' <> rem };
  assert { n' <> quot /\ n' <> rem };
  assert { forall x. x <> n' -> x <> d' -> mpz_unchanged x mpz mpz' };
  let ghost mpz' = pure { mpz } in
  let qp = wmpz_realloc quot ql in
  unchanged rem mpz mpz';
  let ghost mpzq = pure { mpz } in
  let rp = wmpz_realloc rem dl in
  unchanged n' mpz mpz';
  unchanged d' mpz mpz';
  let np = get_read_ptr n' in
  let dp = get_read_ptr d' in
  let ghost mpzn = pure { mpz } in
  let ghost mpzd = pure { mpz } in
  value_tail dp (dl - 1);
  assert { (pelts dp)[offset dp + dl - 1] > 0
           by value dp dl = mpz.abs_value_of[d']
              >= power radix (dl - 1)
           so value dp dl
              = value dp (dl - 1)
                + power radix (dl - 1) * (pelts dp)[offset dp + dl - 1]
              < power radix (dl - 1)
                + power radix (dl - 1) * (pelts dp)[offset dp + dl - 1]
              = power radix (dl - 1) * (1 + (pelts dp)[offset dp + dl - 1])
           so 1 + (pelts dp)[offset dp + dl - 1] > 1 };
  wmpn_tdiv_qr qp rp 0 np nl dp dl;
  label Norm in
  assert { value qp ql * value dp dl + value rp dl = value np nl };
  assert { nl - dl - 1 >= 0 -> value qp ql >= power radix (nl - dl - 1)
           by value rp dl < value dp dl
           so value qp ql * value dp dl + value rp dl
              < value qp ql * value dp dl + value dp dl
              = (value qp ql + 1) * value dp dl
              < (value qp ql + 1) * power radix dl
           so value np nl >= power radix (nl - 1)
           so value dp dl < power radix dl
           so power radix (nl - 1) < power radix dl * (value qp ql + 1)
           so power radix (nl - 1) = power radix dl * power radix (nl - dl - 1)
           so power radix (nl - dl - 1) < value qp ql + 1 };
  assert { value qp ql = value qp (nl - dl + 1) };
  let qh = C.get_ofs qp (ql - 1) in
  value_tail qp (ql - 1);
  ql <- ql - (if qh = 0 then 1 else 0);
  assert { value qp ql = value qp (nl - dl + 1) };
  assert { ql >= 1 -> value qp ql >= power radix (ql - 1)
           by if qh = 0
              then ql = nl - dl
                   so value qp ql >= power radix (ql - 1)
              else value qp ql = value qp (ql - 1) + power radix (ql - 1) * qh
                   >= power radix (ql - 1) * qh
                   >= power radix (ql - 1) };
  normalize rp dl;
  let qs = if (bxor ns ds >= 0) then ql else - ql in
  let rs = if ns >= 0 then dl else -dl in
  assert { sgn_value qp qs * sgn_value dp ds + sgn_value rp rs = sgn_value np ns
           by if ns >= 0
              then if ds >= 0
                   then qs = ql /\ rs = dl
                        so sgn_value qp qs = value qp ql
                        so sgn_value rp rs = value rp dl
                   else qs = - ql /\ rs = dl
                        so sgn_value qp qs = - value qp ql
                        so sgn_value rp rs = value rp dl
              else if ds >= 0
                   then qs = -ql /\ rs = -dl
                        so sgn_value qp qs = - value qp ql
                        so sgn_value rp rs = - value rp dl
                   else qs = ql /\ rs = -dl
                        so sgn_value qp qs = value qp ql
                        so sgn_value rp rs = - value rp dl };
  assert { sgn_value np ns = old value_of num mpz };
  assert { sgn_value dp ds = old value_of den mpz };
  unchanged quot mpz mpzq;
  set_size quot qs qp;
  let ghost mpzr = pure { mpz } in
  assert { sgn_value qp qs = value_of quot mpz };
  set_size rem rs rp;
  unchanged quot mpz mpzr;
  assert { sgn_value rp rs = value_of rem mpz };
  assert { value_of quot mpz * (old value_of den mpz) + value_of rem mpz
           = old value_of num mpz };
  release_writer rem rp;
  release_writer quot qp;
  let ghost mpzrq = pure { mpz } in
  assert { value_of quot mpz * (old value_of den mpz) + value_of rem mpz
           = old value_of num mpz };
  unchanged n' mpz mpzn;
  unchanged d' mpz mpzd;
  release_reader n' np;
  release_reader d' dp;
  unchanged d' mpz mpz';
  unchanged n' mpz mpz';
  ghost (if clear_d then wmpz_tmp_clear d' cmemd);
  ghost (if clear_n then wmpz_tmp_clear n' cmemn);
  unchanged quot mpz mpzrq;
  unchanged rem mpz mpzrq;
  return

let wmpz_tdiv_qr_ui (quot rem dividend: mpz_ptr) (divisor: limb) : limb
  requires { mpz.alloc[dividend] > 0 }
  requires { mpz.alloc[quot] > 0 /\ mpz.alloc[rem] > 0 }
  requires { mpz.readers[dividend] = 0 /\ mpz.readers[quot] = 0
             /\ mpz.readers[rem] = 0 }
  requires { quot <> rem }
  requires { divisor > 0 }
  ensures  { value_of quot mpz * divisor + value_of rem mpz
             = old value_of dividend mpz }
  ensures  { result = mpz.abs_value_of rem }
  ensures  { 0 <= mpz.abs_value_of rem < divisor }
  ensures  { forall x. x <> quot -> x <> rem -> mpz_unchanged x mpz (old mpz) }
  ensures  { mpz.readers[dividend] = 0 /\ mpz.readers[quot] = 0
             /\ mpz.readers[rem] = 0 }
=
  let ghost ompz = pure { mpz } in
  let ns = size_of dividend in
  let ghost avn = mpz.abs_value_of dividend in
  if ns = 0
  then begin
    set_size_0 quot;
    set_size_0 rem;
    assert { value_of quot mpz = 0 /\ value_of rem mpz = 0 };
    return 0;
  end;
  let nn = abs ns in
  let qp = wmpz_realloc quot nn in
  ghost (if not mpz_eq quot dividend
         then unchanged dividend mpz ompz);
  unchanged rem mpz ompz;
  let ref qn = nn in
  let ref rl = 0 in
  if mpz_eq quot dividend
  then begin
    let np = salloc (UInt32.of_int32 nn) in
    wmpn_copyd_sep np qp nn;
    rl <- wmpn_divrem_1 qp np nn divisor
  end else begin
    let np = get_read_ptr dividend in
    assert { plength np >= nn };
    rl <- wmpn_divrem_1 qp np nn divisor;
    release_reader dividend np;
    ghost (if not mpz_eq rem dividend
           then unchanged rem mpz ompz);
  end;
  assert { value qp qn * divisor + rl = avn };
  if rl = 0
  then set_size_0 rem
  else begin
    let rs = if ns >= 0 then 1 else -1 in
    let rp = get_write_ptr rem in
    assert { plength rp >= 1 };
    C.set rp rl;
    assert { value rp 1 = rl };
    set_size rem rs rp;
    release_writer rem rp;
  end;
  assert { nn - 2 >= 0 -> value qp qn >= power radix (nn - 2)
           by 0 <= rl < divisor
           so value qp qn * divisor + rl
              < value qp qn * divisor + divisor
              = (value qp qn + 1) * divisor
              < (value qp qn + 1) * radix
           so avn >= power radix (nn - 1)
           so power radix (nn - 1) < radix * (value qp qn + 1)
           so power radix (nn - 1) = radix * power radix (nn - 2)
           so power radix (nn - 2) < value qp qn + 1 };
  let qh = C.get_ofs qp (nn - 1) in
  value_tail qp (qn - 1);
  qn <- qn - (if qh = 0 then 1 else 0);
  assert { value qp qn = value qp nn };
  assert { qn >= 1 -> value qp qn >= power radix (qn - 1)
           by if qh = 0
           then qn = nn - 1
                so value qp qn >= power radix (nn - 2)
           else power radix (qn - 1) * 1 <= power radix (qn - 1) * qh
                so value qp qn = value qp (qn - 1) + power radix (qn - 1) * qh
                >= power radix (qn - 1) * qh
                >= power radix (qn - 1) };
  let qs = if ns >= 0 then qn else -qn in
  assert { sgn_value qp qs * divisor
           + value_of rem mpz = value_of dividend ompz
           by if ns >= 0
              then qs = qn so value_of dividend ompz = avn
                   so value_of rem mpz = rl
                   so sgn_value qp qs * divisor
                       + value_of rem mpz = value_of dividend ompz
              else qs = - qn /\ value_of dividend ompz = - avn
                   so value_of rem mpz = - rl
                   so sgn_value qp qs = - value qp qn
                   so sgn_value qp qs * divisor
                       + value_of rem mpz
                       = - (value qp qn * divisor + rl)
                       = - avn
                       = value_of dividend ompz };
  let ghost mpzq = pure { mpz } in
  set_size quot qs qp;
  release_writer quot qp;
  unchanged rem mpz mpzq;
  return rl

end
why3-1.6.0/examples/multiprecision/mpz_div/000077500000000000000000000000001440160026300207405ustar00rootroot00000000000000why3-1.6.0/examples/multiprecision/mpz_div/why3session.xml000066400000000000000000010611521440160026300237660ustar00rootroot00000000000000











 
 
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
   
   
   
   
   
   
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
   
   
   
   
   
    
    
     
     
     
     
     
     
     
     
     
     
     
     
     
     
     
     
     
     
    
    
   
   
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
   
   
   
   
   
    
    
    
    
    
     
     
     
     
     
      
      
      
      
      
      
     
     
    
    
   
   
  
  
  
  
  
  
  
  
  
  
  
  
  
   
   
   
   
   
   
  
  
  
  
  
  
  
   
   
   
   
   
   
  
  
  
  
   
   
    
    
    
    
    
     
     
     
     
     
     
    
    
   
   
   
   
    
    
    
    
    
     
     
     
     
     
      
      
      
      
      
      
      
      
       
       
       
       
       
        
        
        
        
        
        
       
       
      
      
     
     
    
    
   
   
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
   
   
   
   
   
    
    
    
    
    
     
     
     
     
     
      
      
      
      
      
       
       
       
       
       
       
      
      
     
     
    
    
   
   
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
   
   
   
   
   
    
    
    
    
    
     
     
     
     
     
      
      
      
      
      
       
       
       
       
       
        
        
        
        
        
         
         
         
         
         
          
          
          
          
          
          
         
         
        
        
       
       
      
      
     
     
    
    
   
   
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
   
   
   
   
   
    
    
    
    
    
     
     
     
     
     
      
      
      
      
      
       
       
       
       
       
       
      
      
     
     
    
    
   
   
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
   
   
    
    
    
    
    
    
    
    
    
    
    
    
    
    
    
    
    
     
     
     
     
     
      
      
      
      
      
      
     
     
    
    
   
   
  
  
  
  
   
   
   
   
   
    
    
    
    
    
     
     
     
     
     
      
      
      
      
      
       
       
       
       
       
        
        
        
        
        
         
         
         
         
         
          
          
          
          
          
          
         
         
        
        
       
       
      
      
     
     
    
    
   
   
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
   
   
   
   
   
    
    
    
    
    
     
     
     
     
     
      
      
      
      
      
       
       
       
       
       
        
        
        
        
        
         
         
         
         
         
          
          
          
          
          
          
         
         
        
        
       
       
      
      
     
     
    
    
   
   
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
   
   
   
   
   
   
  
  
  
  
   
   
   
   
   
   
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
   
   
   
   
   
   
   
   
   
   
   
    
    
    
    
    
    
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
  
  
  
  
  
  
  
  
  
  
   
   
   
   
   
    
    
    
    
    
    
   
   
  
  
  
  
  
  
  
  
  
  
  
   
   
    
    
    
    
    
    
   
   
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
   
   
   
   
   
   
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
   
   
   
   
   
    
    
    
    
    
     
     
     
     
     
     
    
    
   
   
  
  
  
  
   
   
   
   
   
    
    
    
    
    
     
     
     
     
     
     
    
    
   
   
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
   
   
    
    
    
     
     
     
     
     
     
     
     
     
     
     
     
     
     
     
     
     
     
    
    
   
   
   
   
    
    
    
    
    
    
   
   
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
   
   
   
   
   
   
  
  
  
  
   
   
   
   
   
    
    
    
    
    
     
     
     
     
     
     
    
    
   
   
  
  
  
  
   
   
   
   
   
    
    
    
    
    
     
     
     
     
     
     
    
    
   
   
  
  
  
  
  
  
  
  
  
  
   
   
    
    
    
    
    
     
     
     
     
     
     
    
    
   
   
   
   
    
    
     
     
     
     
     
     
    
    
    
    
     
     
      
      
      
      
      
       
       
       
       
       
        
        
        
        
        
         
         
         
         
         
          
          
          
          
          
           
           
           
           
           
            
            
            
            
            
             
             
             
             
             
              
              
              
              
              
               
               
               
               
               
                
                
                
                
                
                
               
               
              
              
             
             
            
            
           
           
          
          
         
         
        
        
       
       
      
      
     
     
     
     
     
    
    
   
   
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
   
   
   
   
   
   
  
  
  
  
   
   
   
   
   
   
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
   
   
   
   
   
   
   
   
   
   
   
    
    
    
    
    
    
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
  
  
  
  
  
  
  
  
  
  
   
   
   
   
   
   
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
  
  
  
  
  
  
  
   
   
    
    
    
    
    
    
    
    
    
    
    
    
    
    
    
    
    
    
   
   
  
  
  
  
  
  
  
  
  
  
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
  
  
  
  
  
  
  
  
  
  
   
   
   
   
   
    
    
    
    
    
    
   
   
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
   
   
   
   
   
    
    
    
    
    
    
   
   
  
  
  
  
   
   
   
   
   
    
    
    
    
    
    
   
   
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
   
   
    
    
    
    
    
    
   
   
  
  
  
  
  
  
  
  
   
   
    
    
    
    
    
    
   
   
  
  
  
  
  
  
  
   
   
    
    
    
    
    
    
    
    
    
    
    
    
    
    
    
    
    
    
   
   
  
  
  
  
   
   
   
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
   
   
    
    
    
    
    
    
   
   
   
   
   
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
   
   
   
   
   
   
  
  
  
  
   
   
   
   
   
   
  
  
  
  
  
  
  
  
  
  
   
   
    
    
    
    
    
    
   
   
   
   
    
    
     
     
      
      
      
      
      
      
     
     
     
     
     
    
    
    
    
     
     
     
     
     
      
      
      
      
      
       
       
       
       
       
        
        
        
        
        
         
         
         
         
         
          
          
          
          
          
           
           
           
           
           
            
            
            
            
            
             
             
             
             
             
              
              
              
              
              
               
               
               
               
               
               
              
              
             
             
            
            
           
           
          
          
         
         
        
        
       
       
      
      
     
     
    
    
   
   
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
   
   
   
   
   
    
    
    
    
    
    
     
     
     
     
     
     
      
      
      
      
      
      
      
     
     
    
    
   
   
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
   
   
   
   
   
   
    
    
    
    
    
     
     
     
     
     
      
      
      
      
      
      
       
       
       
       
       
       
        
        
        
        
        
        
         
         
         
         
         
         
          
          
          
          
          
          
          
          
          
         
         
        
        
       
       
      
      
     
     
    
    
   
   
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
   
   
   
   
   
   
  
  
  
  
   
   
   
   
   
   
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
   
   
   
   
   
   
   
   
   
   
   
    
    
    
    
    
    
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
  
  
  
  
  
  
  
   
   
    
    
    
    
    
    
    
    
    
    
    
    
    
    
    
    
    
    
   
   
  
  
  
  
  
  
  
  
  
  
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
  
  
  
  
  
  
  
  
  
  
   
   
   
   
   
    
    
    
    
    
    
   
   
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
   
   
   
   
   
    
    
    
    
    
     
     
     
     
     
     
    
    
   
   
  
  
  
  
   
   
   
   
   
    
    
    
    
    
     
     
     
     
     
     
    
    
   
   
  
  
  
  
  
  
  
   
   
   
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
   
   
    
    
    
    
    
    
    
    
    
    
    
    
    
    
    
    
    
    
   
   
  
  
  
  
   
   
    
    
    
    
    
    
    
    
    
    
    
    
    
    
    
    
    
    
   
   
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
   
   
   
   
   
    
    
    
    
    
    
   
   
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
   
   
   
   
   
   
  
  
  
  
   
   
   
   
   
   
  
  
  
  
   
   
   
   
   
    
    
     
     
     
    
    
    
    
    
   
   
  
  
  
  
   
   
    
    
    
   
   
   
   
   
  
  
  
  
   
   
    
    
    
    
    
     
     
     
     
     
     
    
    
   
   
   
   
    
    
    
    
    
     
     
     
     
     
      
      
      
      
      
       
       
       
       
       
        
        
        
        
        
         
         
         
         
         
          
          
          
          
          
           
           
           
           
           
            
            
            
            
            
             
             
             
             
             
              
              
              
              
              
               
               
               
               
               
               
               
              
              
             
             
            
            
           
           
          
          
         
         
        
        
       
       
      
      
     
     
    
    
   
   
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
   
   
   
   
   
   
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
   
   
   
   
   
   
  
  
  
  
   
   
   
   
   
   
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
  
  
  
  
  
  
  
   
   
    
    
    
    
    
    
    
    
    
    
    
    
    
    
    
    
    
    
   
   
  
  
  
  
   
   
    
    
    
    
    
    
    
    
    
    
    
    
    
    
    
    
    
    
   
   
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
   
   
   
   
   
   
   
   
   
   
   
    
    
    
    
    
    
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
  
  
  
  
  
  
  
  
  
  
   
   
   
   
   
    
    
    
    
    
    
   
   
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
   
   
   
   
   
    
    
    
    
    
    
   
   
  
  
  
  
   
   
   
   
   
    
    
    
    
    
    
   
   
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
   
   
   
   
   
    
    
    
    
    
     
     
     
     
     
      
      
      
      
      
       
       
       
       
       
        
        
        
        
        
         
         
         
         
         
          
          
          
          
          
           
           
           
           
           
            
            
            
            
            
             
             
             
             
             
             
            
            
           
           
          
          
         
         
        
        
       
       
      
      
     
     
    
    
   
   
  
  
  
  
  
 
 
 
 
  
  
  
  
  
  
  
  
  
  
  
   
   
    
    
    
   
   
   
   
   
  
  
  
  
  
  
  
  
  
  
  
  
  
   
   
   
   
   
   
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
   
   
   
   
   
   
  
  
  
  
  
  
  
  
  
  
  
  
  
   
   
   
   
   
    
    
    
    
    
     
     
     
     
     
     
    
    
   
   
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
   
   
   
   
   
   
   
   
   
   
   
   
   
   
    
    
    
    
    
    
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
  
  
  
  
  
  
  
   
   
   
   
   
   
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
  
  
  
  
  
  
  
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
  
  
  
  
  
  
  
   
   
   
   
   
   
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
   
   
   
   
   
   
  
  
  
  
  
  
  
  
  
  
  
  
  
   
   
   
   
   
    
    
    
    
    
     
     
     
     
     
      
      
      
      
      
       
       
       
       
       
       
      
      
     
     
    
    
   
   
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
   
   
   
   
   
   
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
   
   
   
   
   
    
    
    
    
    
    
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
  
  
  
  
  
   
   
   
   
   
   
  
  
  
  
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
  
  
  
  
  
  
  
   
   
   
   
   
   
  
  
  
  
  
  
  
   
   
   
   
   
   
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
   
   
   
   
   
   
  
  
  
  
  
  
  
  
  
  
  
  
  
   
   
   
   
   
    
    
    
    
    
     
     
     
     
     
      
      
      
      
      
      
     
     
    
    
   
   
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
   
   
   
   
   
   
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
   
   
   
   
   
   
   
   
   
   
   
   
   
   
    
    
    
    
    
    
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
  
  
  
  
  
  
  
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
  
  
  
  
  
  
  
  
  
  
   
   
   
   
   
   
  
  
  
  
  
  
  
   
   
   
   
   
   
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
   
   
   
   
   
   
  
  
  
  
  
  
  
  
  
  
  
  
  
   
   
   
   
   
    
    
    
    
    
     
     
     
     
     
      
      
      
      
      
       
       
       
       
       
        
        
        
        
        
        
       
       
      
      
     
     
    
    
   
   
  
  
  
  
  
 
 



why3-1.6.0/examples/multiprecision/mpz_div/why3shapes.gz000066400000000000000000002112351440160026300234040ustar00rootroot00000000000000َ7(Лf˅mLF8yWeZ8Riu|
53T%+G$$cc0ߞy?<xf~6ƼzƚoE7o~ޏ2z!Y|_	?syMbGhj}xҽ6#%.yoˏ8`ḟ_V]T@heps8%:~~x1WiV5oM-Ûy'Ig__7@՛.⽶IEzd`H]yHP?G01"v叅l#Kowue4iۯKpW,y/oͽ0}]-%{=b\ռCwLxC<[ܿ5PWq>O+_9ۦ>	^y;avm)ϠYϚǟ,)x}6{=wwx*E
wc_~.K3X#@L	SDp"'{6i?jw9RIz{xk>z9YQ#UR?*$"tE^HU}9A'~-?Vvkops8)mpyJ}W?}MW
5ſ0Җw?͏`+%#wM8sQ<̥;1(nl9{Wݓ/m%0l>619lJjcD2)B>Rhfso޼7ų_:I g4SnCʒMbѨ,٬,Al$8fKGUL(EITPCL+f3g|o_s0
_{uIk
U-rΙq/v7 dhFRckLaka,o~ѝE7;fVMܲX=LLX2>c9(Ϥ%*9;ܲw+|_5Ly+2Ósm
h{h2ײlO?Kg<]f}.]vi{^J4xw`ߐ2'b*=i`.u\s*e8tB3~.tm	6VKn5ne'I&%V,e'**ĢQ8_P[aPPuH_Z Ws&H)UV\)V~F܁ʱJ
J~r'N[QLh/uh꺿5 T3޾1C?t3rgH}Vd@x#JU;S2&~cl}muhN5jspO(~o@_6;Vۻ~T+18S1C[ :X,8Ćkok|-[}pomIncQ&cRg6᭧gЙCauޣMFޚ~۬Pm,_}|l~vOr9Up[p[pGp["]cVG	D߰m/?x7GofZ4D6$]/Q0#.CX=]urƞ|3C,sϥK]r&O/kIgo?
UEQvY!w+:ʪ#>݋CƳߖu?mQo8FŒR{"4GTU8c)қSX:"qFYΏ%܋KZMZGB^L!q54ٌ2_]g9)m}X~NьKT쯕ǒLNk+
^~F
M׳KZn̓F(I;hZFDpli[r(8$X(84r
PVo7g>G7T:XO'>q«;k9Z\hoɨzقʱ,j[`5JRw`;oe}(jQ2ki}e-]iMW^V+Q.06\ix+N͙v?b~soδҙܝƒ?e{uO/}Lo5[m?MI?8bIKB"t)	su(@.OP}&)P+ҒJ,hK`;+d̮FF^gmrǝ5cz&O~Mui'UK6xta(`\rvrc~c>rL;a@ K}ʂq5'*|pMQ`R$bh>K'G#c'.И"'oav5Nʃ˵I'Ya[u	bQ]*5qcA56IIVt9ڗ#ssMOY0ɉGSBVB~RA.st4&;,|r^ӥv1i2Z¶NFKPNpxҹzk^MŒr[6=XYXG`U“	Z}
hhe8ud~}~~]}?nc/Cw[Vg#~cngpաqWp%;<w[*w[Bg޻g v
O8:xSgDpyboxz	SqKq~΁LwlCRs`*gXV&|#:Pl۹#Ws;`ΠIn57축͙t~jþ7o{XwOͽv!ODO,*$/>LupIo>vSag>cY{Ǥ&"3wSwNmabRs6Yb]+Ɲ@%bӐ&BV^@Jj&2rh4w*,MXi[40VzV~VTV|R3AeaȡlnNdl5sTwbLR8_hxF3+Z	NkS=`7!iNu/E)/jipJI
E-/r!ѕMђ""Ͽ>/HծWdgY>vV>]@MoW3*Ux1Nn-i?:'$s]ydtK/c+in8m)$ۤIv8Or$8Ly^M\ebYjeIvlй&˅oRT:=hٺT(P-iIX+X4NM*%;0&`*EmɲMl$5ID7;r6ݤ_
ZN
ܨIbVtT}jWFanݨs*<\*_"Ӷ(1W[r*e{z	oCDi_TÖ\+ݿv
^q1L.]ʀ5Vi@{T-6TR1A+߳Dӊ4?QՑK@M_2wgSu(7~Fi7("<^FyGhQL1/,ērMΖn1ٺh$͊N6c$K`,ॸ
P\b*RLm)WdPIޘAM1uGXEC6݇>|I15v'R^M(Rb.)6kz(EpOvQx/ysĎu	>?̟Mu;h|bǿqxO:v4>oxy<'?;OK;	{qCeƞ.هp:\wMOww͎=3
x
.ٱ`b?aÇ0ۅm)'l7-r줻5(f.Rݤs,4w@vPC	5/|{<GNG>zl_?g'Ah|qʷ?x4{H,U֒@RVwoM~xMvP(	R~۪sJ0=n$,au9q;{tܽġ_MC|>b=o-DXy}-Y|W/z<ZTStp|935׶~v/t7>o<7%L#!4pi|}cqȔ"rl~jZ:UjnߏZT4\SCOՂk*F}5+ekbdrŕLSϼT5CE{ϠxjNo?W}(X
g&;
6/A@)|sZ}r3Oy@*Aȳ1αm e`4? |7w@̛>N`+h"9r(~J':oHzxK&A!݇zۇR>h}U.G?WF9	]AJbŢk9iAxWr9t;7rWMTUeժ[B}M!GU
ۧiCyvīn6OD}4><%HŨ6v:Yխ>۸&fػmff
wv<}N*wU*es):ct/십_V=jMq[yt'uc^+Zw uyRNcH+'QQQ7\Vm2y[J2	̺F}cOkn碚 or)=+d\t4r.[9#Zκv%eki֬i7\E)v1Uʖ,G*I\!=H%zst\ɚۦ,#󼜪-kM	'
1% uV3gniUm{xlfK򾈪2X̕R;`с]kYld
oR-eܓ^WdoA*272gu]AN^AnXl1
vEIuB9UZxz=}l~w|Hޛ zGtygTҎG]Otv	I[̾UyzR>OךzU`@mv6_%g$Jk_A7=wn%䴚ݦ%\$ϵNX+m
jk\[TVգY;JMhL#Y%#]nig	
5U,6D!*9+[+nLl-Nqs*7ԦJg7o*;ȬyJeeN9JNV!lidk-:*:tкIftstH
u$
OL(llY	lGUr\7iqG\:64"4bcW(\pyn;%sp	i_snn9[N9VՃr~P.
A<;
!oYggeJ
hC+"MT(xœVM8"OS+ehj-SN?*NGE?cypW!^8?f%qœMjccg[~}}s^~|ߧ1~,'E{L,=?TqCN;^ȩ3v"|NxTʽBWw
\;BW
0Dt+:$Pgl܍1&Ƥ
osjϮ}'Wռ񿻚|[ͫ	ZʌjE@ޙE蕙Nj΢k/zĢ.zQ^+abM|&##'#_nj'm/jOIII")e*؎;#M/'pGĶmg'䟝(g
OpmoQ=3&jIg=:ͪaGu"I߰X%,ް5MhMKh:}GU4
0>o5^"kJl)2=^8a?ZZ1<䨆R̃dIbm{ӭ=se*h[.l1{O5vdf,%w zQejb	 
}uX]-g׉V@X6I@i-̷1)Dx	qkeyXp2aAt<^ě5.>gZü
_KGQKw{TuuZǏ&rqhקrN`gj6v
>$5yYG]O<£nk~HքIqa_OvԌ6fYXtױ/MO,Ã,monozb_v~=ֽiђvo=ikfJQ泿_¿|G|.XM$_IIe1~umϓJn$=D^4)XCu{}?LOR̍;9ތ]m7g޴tMoOR(]J)R;R
\3a9)G]vCx.By|iW8UIHK--@	d[v\lL&0$L23BWH*n碚+l9.aY
_&ie8Y>NVl:ŝw˖,?qͦv~)?I-wuVBT&D"nE-nOONu+9,|YR-]a]hjC?P:2H&LL
kk=xc.]z)Y\x[q|݁T0n}n>3XǗ
ڵ?G<9~Z>j>k=x}^XN`錄}9ȱyOiO֧֐}{~3k>%xO3~k.x;JknAܒ)+KV8-YxH-lY;wsVSא(p$)2e*MoAȔA43L˰2X+AQ5jy<FeFfYL׸9qr㰒Mڡ떅<^!'rɷj޽0mNKqp
0&mN68aSPNoUњRҏ4Ӿ,	1Ҿ1o`].4Ƒ>~GJk'n'R/nR|U]W13F*nmybj*F
f{E^`|I36nuMc
f(jK?GkR
@j#x߿	5lɜ;Sѓpӭl-d[1Q]\Uм[m&X;o[Ob2ļ=hS,oxW,N:Q,޼YNIIӾ$yI[g!UmH'5LZtTOTG"kҷdRP=Ki7)cyv%gW><+|J޻[e׷)1yN;I=;'Nތe+qx/%JL4OA*g*)\\܀ucbrz$rį`hQ$\НT/Lefedy"SƋf߲>:T~X_&#ZsuYRx>.bfn~2Ϳ7=诔͎ᇬuJm4$#mwZV6GK^۽uh~}@mv26_Mwof4@^sgRfhO2OOgQ(GTSNqDϤ׮ez\/c9_0nRtk~}UmRxvu]_H'ii0ya3 ])f3Obfb2}H3m}Yҝ{
dPk&nA*og7(s*_}85U4szF[;_;_{Wų7ݔ˜ZS}&FyK*	K_Z59x'.5{xK'Jj^9o%f;|/[pGz 42s(MO]}X6ב3~*<֧$oƞx>{HͨލuE0Eֱs‹BIu|Z8OPc4z":Ī/aeε&;nm;Cڝ|k{6t ע/V>{/FCs.2u1n=h(=Vcԋ-wo˯xعyݹ_߸f+g4dپvzһ1OXƆ5e)ʤi
1ls+ljWK[nTU2vq&֧WGXm)1VHNrj*T}'ED\+
'գ$k:\{'EDb7=G(Wչب70[ZVKNdiZ,6Xj{ebg$26l.!?7¥#ިZc]jLGm7_[K梟ˉVr1j5?vNJn{ŬM_3x-cע"o.Su	Դ[w2k$qzsU=ƣ2=5OfGzsfmהֻkl?Yi:{}wEmu]ZO+ltx*
B&C^>19K̸^~)kD*
_Al筪Y~z}9緡b1wo|Uji8d7'ݴrzUln{QulA+k)hǼw=wR~X۷Q.IJO^'؅JϣZ5iATUUc9n&U[l"MTyʞyjǚ10ItqxueٙPre<^=QxL7GgO92l:S9҉JGމd@E>MU7Q7jЗHBʑ(JngHB3e"Ɏ("ʍ(JɌ(:"΋(R>|Nc̊v	\1J	nNW}.R[5UWL	~)yO	%hH$ׄIl3≬[j&hp^~/5s->TcN#;RR[z+NIjwRq{$+wRHKf9Pew;Ip;yY̲)}ފsWɞq?qrq4	Zu槒*%I5ږpd~K'!e90mc+!UtZVRMBz}9%R*ӭ(IVE>,ghTͮOJGHY^P1>)bŖZ)s9US
CDJ1"H
D:a"k8TȜZ{VK69G')2ډu/se<.Bg}	2c
!y/˽I`n>
OJyix1;OGfQu1[F MuXm*pJlFXfznbVI&ɱ͛Yfil0NZve$oۋ4:a8e'^j́uLh6v`ep`#Łev9@|879l^4ʁw0pqqR_PsQýE޷@'W-tr+S:jZa:ZP[gS:XNOtNg,N@:@3FEVѻ::tY5<{/)!#yn|co4~+fXl?YÿTP~DwMA;oB$/0U?#ZB_\,[(kGֺJ-Leb&'hD		"pL!5"p\ 'mDBn!t3"f!!!-j,ZdB2z2!$#2Vky0\(ϊX{ɤӓZ̟cm_M+[OkZ0&
ud̔_?H+˶|Xn?jDGCw(ndT:eK*e.Q
%[ Zf?[a+3䷏gзYł,;KZ&	͉3O+-pFN\`)[$ [I剩l	ΡV`NFR|(M4dhiΜ#-u]vm֦eBݠkKB
uƟLשּׂϬ%Op\tR?Mm	1_aŶ0t|ϗ,ڭ*&uUŞ0^-aC`PdQ7[|0̡='Yۺlد{9?䥋S]>ߗ_0>>/)wI?^~7łE>*pR>;=#?߷Ul̯/Ֆ+Ļ{$Ê:ur4@H6Řh%T7TLz|z?f>tO˜W|Vc0󅈮ddB--JЉ<Ȼ޽S9/Z4MwocOы{TmTg@T" 'b
rwv
{Yވ9G3lR^y-o|	Y+|issB4#;sN.X{fu+tk}V_u?-,FrЭG{7a?3u5xpOR[Ii<ӻ-@6=/SKKO;UGR'('
q7&L6m˵%tۿaJֽKݷ3͏E!d^AS\B׷I'UCOݵݙO`#Ke/of7ۆ9A7q,OA<]ģy_V[l)\;Ayf^!~TfŶ|7^G|NJO]w]i~%sN=OzL}գ.!;vx~u+@nGp^j
#u`+H+)RFm
*.]crX)x!_} Oc#cc1X9ao==_/h zsSrڸmv}Xn:X	Qt\cHtZ{	)%Q9gj(_@J_"~mUұC,~-2oX|Cu8#~/~zDۛ%:,yʗWW;x%i<w[$k;(Mc^j>OWߨI`dsk>oˏ/TUy]7t]7Yߟ";[7JN'}/]&EqH}mk񀠼BARoRovvk*7Z+Z-˅MՖ@K?4n@gAh?ݷ/fbA*4§ӡ,.uҹ?4RAm;͡~2Ds$K@Ϯv-xH|=2>]O7e|7?I|Cglמ/6%G'_>8?!;tNF}87MNFt2¦'kʱlz2pEf)
X=z%gry2zq
Ηpq1|n߉-NuOl	gtg_i^8]cQ`0#Gu:xB*^v	}"~#O.LG~_3S9uNShE,"ߏ$cW{L7TL/Nbzj7ܟud%-"p;e[sͼŇ2Aǵp
9G5:ÝgGYtlQv#i	7IƎav'$yE,h(ϒS0܃<f,_aK@{I8Ah9DP=./2Wg˙r[E2ӕ4Xi<&f
"Hq%QVҤO2Q<99򳖷jjtUV}6B: 7&f)̀&}fIS$W!^`/~*0/BWN'[$k@JփP1 >A3@]x,؟*'1JUpрO0sSCZ!d7L!#xtC ,61V;xďcꀔA@$AKa-~GrBaFMc,lH@`J=^xpw+7X$HDt/k5x#kS|o$?Qv@\{P,':Z]~ڸ,<`ZE$p!
c`Ȥ@.?V/e|
V-dA1s"SHP`TX0c4~XI4=5PI%1H&"]ODN!x[`A3If8G|@PJap!Hf
GS[E	%KDYfy>A!N)
!=pӟ}Cm*`J`5c#^y%@*gP7a@jõi A1j~טV?n<"?|s$nhb@R1Ϩǻ
ꑮ\qˈ),Ȓm,7\'py}|*9n'UdЌP/DŽݱw#=n880{%R4 wޓ܎ o$Ғ@FabҞ(c}#BIoٌh7:0k`y|Ip%iU2ВqɌ)ŗzo8o
c~h"-5B"'Ș=fFУj$4A8((W
%e/JDX_ #""@ƑR3ʐ ﵲY`'@`ei@&Pfcb1>y6Xa#|mS128PЧںi*[⒁AzDF	"ldI%o`DT
LIٚ&Lo~"%5EvzDȁ&-N00KKѠ0j0-x\z&`s0	Xnv7[M7z`!m)).ni
cyBI)$p&#o,'=JAtbX"`SMb@dcN0ƕ]/+1,~!l4+i$B2ݴDKq!-OHH	;RU/*?!M^},)6z"j#J83
	}]#Px#fi*>zh$U2	JnB P&00"`JNiGQy	qk`/5WJb<`C9I]lSq4ls1R2\;
8p`t0$_Ƈ"y
ӏЯ>Wr12m%
H[d
:#20Պ8CV<00 }Lf80ɬB 34!>CsÌS\?1y7t(X`$082sB'"cKlưVbsOf}5d Nz"1GN\w1Fs/?I`
#aT
/ǧ(R>!Qj4V[AsN0cRQEEaϔ;Z@(%
?"hvuJ{lଐ!f&`f8YiQA– E1Z *ⓙ$""eLk祈jck^s48?_|{S4XC
0؉""@
eIXblԀI*@/\hP-lŨ2^[K0>L`>/Y8J1VXx1C@kGaÀ%RXĂx|;Ne"5숁mPx#h"LU7#fdPF:06,r.|IaÕi
a9ŷ'76b@wH
o|(^(^S=:(?p2q$&h)aP

r`@(:%ӘbPM@߉SYwBP'"WD4pPAsm1KL	|8/}MDS:FǺ#}-z/}ED3ޘ";_,g/)`*b˗TTtbŋϳi^T|qOzŎ_	)B^.i.y3J N)^{W!u`s =10]k|؞yi0npxffػZ0؞^_֘i^
E[1le@d@d\I~%
Qa<x)
pfṱ(\":`Fʰ`
@W(/
\2@&d2@%G08ALğA,RA,1fb-ntˠ[ݲ큸1`T'gʢ^"xNx13RT3'GXNbFDK?(jf`!"[}p%(^YEh96H
,}DK?(6 K4	Þ#;uDK!TrPu8|^#K.Q:rc?"7Ȁ`wCi.QD	=Fae>hF9ځ^t%J'@c
],-%J(]Ofqq0vE$X*b2\ChK.Q:tK*V8XM#33p8K.HPɹ<8a#B#/"/1ܤ*hA`q,p!(F0S0 J0
D00Aqa%v]b;L7~.004aOb0K.Ϊ0XW
F *ZdFK/D3%1	KDžPF[7mV= LÄ9LÄGSGh=E^zgX1,&ZtjsgnY3L	0)Ⱦ's'9">ڟs,g6>⧥bкӝ>]TzV:ọhQ\\dQQRfGKqbߛflFflʎH#eX,LvlXtj(+)eWRv%ewRveR!eу7yAٍ*}rB٧䄲)(JLǔ>]ֲ/FȾ#bd0@Q7r9#3r9#sFqAkJ.s2]f_r]n.n]܋ɑؑؑwCwCuap8TfHsRll#g}]ʓRA*H \s-wrDqѩr
C$Roǟb
[a+la_wVi\jڇZ{JV
[̌U#6>{6]58^.
[a+ly^e/EHyٺ_Y8gs6cqpnJzBy:ZXka_ֶ!U`D-&pb'&p~"6eg^8qVbըk=zi1d
6oW}ZYyѸA__FeDӖ;I$V%#B>|͘-}SnfWbcB@|<%EO*Xc).V]#`5JA3I9e'#PJ9gZo#:K5^σ8'ˏUݢcx=c&I|H,$ZkRn%%Y
Gwŏ͔2P@ԑ6xPQzFY>T
Kh@h$ˍ27 nm?4nnm^RnO7mm9yY"ι|u˞;2X`,cϩ&jb9BV%
>Y,ewa{Y{5;Փ8[Abe2X.,WU|p>NUK[l]2TP*'^ģ{.rP*Ce]TjQfx3Nڹl{Kzr@4 }+'67Qvc^MrKJ"zi0
41Sf>Xku\^LՠTFuHk4-uFUϣ<9~Q5\iv\IM{Ҝ.
A6 7|

ow_d
6c2ڒ]{${F}>'#y;??1D_B|wbUr,q 8Y:~_[e8d:~<އ<@uRbO٭ۢ<]júou[^αLր1Edc偕)ӞcC@wwƜ8-rj5㝕%dRv$D}JpƝ&VjOG`m,<׳Vѡ4F|},N#N=[ՊVjTF*A%{Jq,Le66<)˯g	361cTŌO&،§ժwUb^tU?O}}cCo
70z-Dudjm:yF@o
7Xz7e+aU(&s}]7z(i5Ou54y>qՆ p(r4JmM/I7W
7o+r!gMw/W3	g~y}ϡ|J1g>|B6۞U֘lK92tF)S dLQ޻ɴMV,r5ֽ|o_cx-rzA/~*CO峍ZMPOsHr `6z3cN뮵x,R7 `:VR!{,ri+p}WLa\_d	j1{g!dt˞O	C{h[k_kT6#ŹUxi?C^:9t9C{hW{ϞOo֐:~`~ep1.Vs?
A?П;{S"MSA6E{`}7򢝝:Yh󒘰fuWjA?s?E%EJd渿-bj0I}ߞeӵƼO+eʍXCѴ֫wk[պ{eY=S>`?id;IO|ؽI:kq~A?Sj5.^O*/ԃzPA[R=ɳKXUHyIbl/zċ>vYDSrq:{IMn.;;؆dA,pj>#)V퇧<0!ffAYFW	Zq4XIZr.A3h>ffs_H5INbMA3h͠֌+#a:Ԭ@3h͠,,K&[%tz,RkO*4f}pIʐnt8Gΰ
jͫڀjP
AZ?hRhXUhTmA6 fviΝ8-=ٲtn
A7ݠۏm<-c0Rͧv٪۵ߥL+cecx|ϭŽ%6d{o~°e))QH;2}9{w{;8ugFpf9u.vj.{Z>{nA9(ܛ*vS"2/S9+)A:HX.~NSez,Uxh{sFSt"*;NڞOҺ
ԃz^.N垇 4ZiC>MuJ-^lQsd/V]{`}Q(9Rs),
W6\Y\+k]XրzPA7QoI%lجVpn;Ky6A>>|5ˉkɥמ26GMz7~駭y4ue^` 03xd2*W5l;0 %'6nч='7gBP
A'p)Cd4=3۟O)!8(d)Y-{(XܲuK,E??-gq3\vBOW6
M&V2)}!#dHF-J:ٻe{QّD&]0uBBȟGȺ{cM5m=PJBI(*;ClmbX9ʽU9;AJH	)!O,qs05_DʜB6tCZ秔ZBKh	-r-ٚVtbuk*bg]/`L	0U֚vR& -[d`&̄0fw&ƬmOѩ7z2܄pn_NeNy~-j_9ּ)eroـBQ(
EbE=S>b,
#sZݟ8!)$vf4U==*3"1)4u>TNueơZ)ChAT
Q!*DO砙)G[$PFY2PBU9,}wzҷiG57hڹ;w.c/*;!,'ӆ]͜4kS"
z)UPBY(MtLTVY.=
nK6EBY(e,>~[ib	mPBY(eIumY7JRb.ߍcDKR(e,p82ci[%OePBo;5/.M$!`tNnOe'PBo;cjdYenuʝUrz{*\PBY(w [L"_E+zL3ruwՂB[hM3۶Y8rOYm-/iKu鞿B-PV{a~j-%mS5_Q/#si++i3ԶC[hm-KN:lojGڶ;;-A>gz-{zZZӵ%*?^	cYZיm-/iuij{,{hr	KlO2Om'Bۿv7C vmZ[cXvىPB]uz)qmyU|TuTB^y!'ojO" ʵnM|΅s}/=6_t+؛e|[!0=^hlv-,?wnڹY;7"Cd!"r-E#3VPPϷ@&Ae2T*KPwŮ6Mf1cF^g*!3dm\nyTf)(yBg3t8Ƚ9HkVg|?g#u?R,w6^ZCkh
XzSjVgIRǽv{Bkh
5Z뉬=%3R-zYe?߉ZC{4W!D67g!}٨;uglԝi<dl؝
TA;;hgyϳf\rW?7)SA
wrij~&,rLtUeYQ2]1	=_sP~O=e2)Ke2)I٥]J٥wB٭J٭J٭,_z|ۛǞ'}3e9S3e9S3e9G,kʲ,=eiP/FȾ#bdY`{{Gni.gz\(ݽe_Ur#92>;rsq#7^{ؑؑw'YnݒYUwc{ǻː=dx"X=?
^{I%^{ɟl/3WޒMrRjg(Y$Kb/$?^ZVZDrOy댋dy%+Kb/$K{IZRxv|s6+yz'nKb/$Kb/%XLۖOzUW^c/$Kb/O}rGw܋dU"eO>quhg+n~7(ZdYNШAkh
՚ƊSh6l}n;~6ԆPjobY5mM[.k|8bg*H!9$WMgY5jkI*8(;th͡94N~4vRko-9emYY-!:D\=ek]yzc<ϴ,ա:Toz}v%
[,[y>:TPh;-9jCu-;‡/|u[>st^كhneKNcw~Y&TPCk#hD.֠I-B=>xCuա^XR*c8#K=S	ա:TP-T_iY=D(g,TBuա:Tշ'qKMΜ3=UPCuB؂.>#mQS5̧
Cuա[>mhck\CN٭/WK;TPCP}زܐqhW.Yeבtze;tF#MVט\-F9f?CwJ7SLhܻYd$X*eݡ;tt߻O	^~d!xCwݡ;n-
<icy{ΑCwNKWDg]K޳
^ڳt;t'a5W.ޠ;tEi.pH[|M'{̃y0;1ȶH
9u09?ԃzPԻcjFv}_$I]Yr5K};?4)Vu=FHnRӃ~A?r]zݧ%|EygPg	ƽqScorrO;O2mNSNuy*CϤ\!VbvO5c2nbO'CO?Y
.ū)GNA]V/<6A?
[RSiqWgO:RZڵE(C?*y2F\VV{
C?.Δ6KMYqp?\g*,ɖiL4?N@?L31PDsFv.|LC'Ym\dYF}&17Cgcj5Yw0Q!)jCҿؚ%{L$+<<ڈyll?I)lZ[URZBMw\CϥrV

?me]lEgA?T7'YSsé`A)JC?Bf3ik~xot^f@?LgX+ZA`2ˌBy1d#ې/yx5nCϤ?s]G]mQ<7P;^?IX˫cQj}Df#]5Ǔ?s?#X.iIْiϱ?CϥٻKKȪXR,לCϥ=(|g]ȍeg?>qC?EJ֧KZeKwҞcCϥ?뒖,Kd<C?GW` iA%掁c<C?L±g];!tY#x.OW:,AˑfMd'`dA=oJ}*l#}hf)+8PCq(?>{E\U͈Vy(~CrH!|U^REVFM\8)JτCsh5wIf)dN}j;)PCsh!5/](
ZܺOsf]NPCuU_ҽEg*W"R9MNwyvfG!vR_
}w ăL|T4R۰Zb%?~w܃̽O2b5'扳r5-?vwԃL}]-úe?UĖA]gBq(š8hwZa4+Vţ*m멾WӄCsh!5r"B4ynVY`2'[dˀu:XȬ8ԅLnj@;hDftztYJ^}6?̃y01=|NiB=fmٖ~^'Y} ăx߉mS{i5ݓY|E؜,E>}|j\	v/z;{`}z4Bs4zE2
5s~
ޘr:
X6zr$CREF;cfK6ɝ;׉,ezޞ|O6}x֖Sfe4.yǹe'7dc{Xա̹X4|[<بڌ,sWXo%or:(1؟*(7jܹY#7k)쯸,ʑE9r%Ffd;w"8mwr#Ǎ3bby#)cE&m<*Y06W4h"5c[#ēZlUtC_j,')BCMpѢy֬gC*&BJ)B=җe 4f֜҅"u#9/]"4n
~Q1E`5}K9Zb<
AhZc
ĥ=O6;N9x#\jĥw8VtZV,$e}*(qۖ]Oe/G.8ron,l9˜G]iC]|F*RR:l,uS,Qku,rGr>|1(v:tV.ݣ	%,%k]Z%6U%Jdzev{5J8TEֹv>G*}w+;\F;-k~s{jɍƗ ŻRh{R[@:~t*WCȬR?M|S.0}c.za}H45$ϹR 7ޓGP;h3x.7|a;ͳuBzFe+Fɐ='MYf+x#o4FVm	wCoZSw?["]rs8ǩ6aðOμZ:qumeKiC#'pw;YѾM=?rernz$<*w>ݲk}݉W#(}GϾVk#',=IlwZ2N?[^Ζ|>MHn;W֝(+lqLm|!z&0n.V#RsW  ?g@,4ی1ȝʖUWT!)CG;wDU9R(Fo0*-Lx̘.C#{fE|Q]Go^{6?A1EPiMyT).{5P[yD?uAAP~ޠX&,;a
QsI]ϻ7Y埵DSG
/3{\BGi9Ue^ZYMtAx,rXfo>=z3"!s&ZLlMڌuWFV{s	q>}	曠י;1d_`>jK"km^p V<0y8qeW#&CkS<-U+`2g}R-
Qg=[j	X>5z	,1\GXnU+p3:P
m#}~%=<	E7[.MfKZ*r*3DABȏCwlAJN}uY[Urˑ$$	Iw}wMTU5rGJRO$}
GgS:M1-`YK4mnuRvf1]CWړ^DǨp|.Uh,wQXLp|^6gGYuhbr8>}-Y%g|Lx9[3eFsPVu#?rUVʺ+We"_&aTM.ʬkqJ592UB8<ao#K[a(C?|:X>es9͸yIKV(l`lzNr?DaVZǟ_2r`=ϱ{h5f6D!`ldw]5K9ݫ 0"YZӴ'1e%Wc~X>heQyӏ*/?`!02y* .ѲV<~dyt8+砲_xmOuZ)<
<=<[`$		>63C6ƺ3U٦scu#HGM1Gs’d?NY>u#ʈ23cxno97!EiDGy]3˃|@ֽQV~D3ޏY1d#HHe{3g*zj}Nzyd"82Nt;]hk2>tA㠷:ͼ}-*S'
'Ҏ#3zaɑmlw鵍W	GOrr=z%f)÷_͐z4gV%)"0R4K!>i8Q6K}ҮP2_H?ҏy^Ϣ&Ut}+`duff`,x{|Pz-9R.>/*@'!GZ]И}{UBm~gjvVМ"}YӞݠJ͋~oOEY@~:tkUzVp:>[XiO;Cy?Ch->PGtl=Xʣ.K< d>}m[cwVEV dn͂I]k
Afv+/2* dܻ(DHqOKhb@1YŪnÊgE'?!ĀfyP"1"|+䙋W[&<"J>NS.0FJkX5CSH[x1a	,%%0G&μuL~Ox7q{チY";@[AVP?ޥ<~UtWVPTno>ǧ[$Q$?K_1SvObHvF3CFȥsd_씑r:rFnȭϑ5fؑ?GtȖ=vG6vCn丄?Fe6OslGIoxG2߁,ͱr@2H?7$,pqU=չәE28S-w6c7ﮒ_j8HhVvmyLeq ā8@NxdOhC.=Buogpgp&뙮vL{5'j6^˔..$pW!`3lffi9N62G8RǑ:Tfg[ު>>13vfL̶!073TVhZFQXu`!0O0EX^;NWf!4Ƌ'p 'FMnT&;~$xEZCkh
z)=O,^ԭIy(uZCkh#h>sF]Ng6ZlZCkh
֫߇L"v^/ZCkh
mX[X-E{ڼ,/'ZCu•²J[N:P+z{jPC0?si@雦z1]prWѪ\>@Aja5:61E=f\kz*tN	::&|Q5G휽l}y^:- B˒=9vgIFةZS`1e{e[Z֠cČ~},L֬)A0Q㫭wƖ(Vbp.uо|y>Oqظ0faf0=}*ǻVNW*Dh
}xrز
M3cLTE/x{޴WEƩy*ܦoլ:_l:lm
mc7nyZW*̕: N)8~5LQGL^`Ǒ~1S?X1;٤T9Ki{ٲY7)bp
N)8N59+)z zt|X?Y6ef{
.5筎X``&iS阋>יrdz{E`,IEt;Ƕ(5sC+׌`v[e#zz56?uM_01JT_E"<nK$/}5A3h>fAjCyQͥ4nm^|yt5;W D{g|@{Ў*QDTYՋ*3xهl!|l,-is6!Dhc&LΣdyFvdɤ|9~$@P
A5UxnnIObZ̺N^'Pj@
jemIf2>c4`;J;iL[svkցPj@-P3.?-L/ѻ.Y;.ZUi0
0mؙsX9Pڲ<%6a2}:5TjP
}t6˦8E!,{Li0
i܇0>=#-D`^Tj@
@ȣjdw56GL@
44zGYm7Qqٴ5P'Pj@=P9j6q(uf'{dkچi0
0$
<1g\hXk6Pj@-P,~f+YsmNԺsv`Li0-L<5f--a644W.ty<˩Kxnܜ4`v,jѝi-[K8
	`LiobL5Bf48灧xp4QDm>|[;"qf44>9(q4-VF9Nä[`{47O߾qʱus`LiarfGvGiVl?i8i0
iErVϒǜvsk0
0m6}LBM:>z_04Z݊4:e~4ô}<挵J#F[4o/6sh0i59=>鮼;tB9fk]A߬rWɽsćRG86KGnS6ӑ7LjiSװNv.J~> iI7Aqjh;A-Q!Ig{sU}Kc9vj4rk =I|.
}띙M嘳g*l>at*;ܻc#yp%||.q/Yz94dbБ.K6s{ݷ%ٔusݤs,-]W#(Ãwc鍽[?}m+$3ꬫ*pܽ5XL_U듖{qò$E5DW8Ӊ{"l.PK~uT4Pu͞E6Đw{\V\>wLݳt{.Dm!wwFz:mЯiNuݼ1??;Ojxbu=]9-&4.p)2`ܺs(ݎfd'/3OcJ3rŶ}ݩfmy~z%e׳ࣺ/,m(y*>v۩ioYm0wlooU	5-k	l+lD۷/]߿ lp=spM,ucRo=Y=vs%	"=@GmW7hd5+{mj$cfΩ ىGd~dɻ3
忬d|y'`)F>8* +hdMBExr6,tx* kf{=,K0; Ɛ{?5mjҲkl_"i%ȱòFw@0涌>wAS9
Gkodٗ?hHQnVv~&083:Oߔ}6w֬u0tsp+YyTh4m&&uvfe^whzQD#N803|:u`&|u:r&Q~M;>V",٣m]02Y׭;v(^VY&doHel/+++7ӣݭC6b؛2ﳎ٫ȏ}:䶣pHy?6
gZ
^-k:kҙryky8~8	aH&8fXD~U?tDz'|OջekWO
;:X+e٨]#
)_uQ䇑Ӗ](!·'"?J.?\t8K^dJ2D?*@{Z쳲&Mji}Fal'4k#ky=ҰV
6~.'eA[
ԷKaExÚ:48M}x;Jk_5gJʆqG>UV8|WF.޼tK:_g?o?\漩^{N=7]K4{jF.Y%N
y1/{^=lsnjKA鴺ݍ1s^IGJO}8et0!].ͼ!ʞ-͗Co<}g8-T{^jq5i϶ۢv/}o3Ŀߗw4ž%eܗwOv{CL=?R@O )r|L)&H1A&!4A
~OAp=&|	
p	lv븱3].j_tQzvtvr/''0NADrEΊ\sLM-xV/:ļgigL]69{ЈZi;PȉĵSCL]Vd5`MM*닩ήl<^L޸	1Z3d`8ek!OϖddlCDnp=+'rac-Vx龴_=tl7iw?\TR#S6qO=6s(~Xܝz~>Nz"t|P>}xgupIxiL1KNxLq8S)|΄39T_lc9uRe~fV)g3~Q$n5!IzCdjޜ9řLq89il6Eߴ3řLq8F=hvR)`
Im5)g3řL2t
88װ6c4Ns;pԖ>(QkfoNASV[kZj1zMn%}35N/,eٵ67M-s>M/y=~Zʫ?B:i02˫T~-_?_uf!wVطhF6_Wy<[ wCc}4ak/m||aޣ_an>e=`ʯ[-~,	a`a~4,^geg3sn;kp6a@S2m?]()BH/@?c<6X䐬;W&}\f.3l3G3wh-KdNO`9&;1pN0^4S+2uLiL}
::HG:j:B5uF|]._"_O!yvm}J!a^.k?&HNBr:PP<Y/?MtY{5]]Oucrf`:,^m?޾>~Y5g)˗9l9--W^
t 9l/3A8>],Ba`aM4l\!V\)(HuºW~Q~$
P}n5@xݾ@)Ewete;o|ǽhQ(ZD+ZN`Bow/b1?;1@#㴶`6`s+FaQ͏=
o0␝1%˺/	/0R)YAD Xgis\>+K%Œ[	~g?%4hmGņS$%{J
%B%[vgQSpm~:?(ɴ%ŒbIwof3G7kD&5Cp7gbIXc^`*%W+7KfXR,)n^!{(j18͒^,)K%;_ҝXV4|t9ќ*k%XR,)K~7/1HHw?ќKVd%|xa,U*Eߟ9A3~&N
gaJLfFj^)l
6
6AK
#C  "^>/77="PT3JHngV@zv7fa0T*];q$i7>;$2b芻PT(*Χ(
{n:[;
^(:Qp/ŧSDF/.}n6WJK^O*JFcROx?{֟saM؟zP;-7nVǏHsA:(1+ys1W%77g{xp}<$_GrCe܈Sw*tr)HU8@:7!'2N@{~Z
QP|@

pA	}m5n/\Ǎ]_MKΟ?]4tu>f,2N^x/?ޛkц4,xtx?z^x/?CuSc&7:Ј0)'a7G^x/?!:Gwp2iN6ta)%{{^xTx?w骖n1O7ޡ^x/
/^ܲ«6ޤsyy~3'o-+Z}}-%.+y6l2E"UHOjg{3NWă&ud??]<]k+Z\GdUPڂz/KOR#%P7p[lk5P#@58#@1tuOH>sPV9۫5P#@5X#ѽGmp0IkjF~`5'Mx3*x?~V#@5P#5%Bmial÷i0"R	_jS#@5P#6 d@
CW{b_NgS,/~/Z_lZ]edM^i
EWѫuĘ:\,3euV_{>Fvy!V+}8Iw[vTvjmk
w8ŊbEؙcNaɬ>jgmtHV$+}\
mg{f罚
pV8+>4ط,ѮRG|txOЯ޷d\@+
hhb*BNh[uVh+}p
_B\W7m~)կ|Q(W+}E8ippx?\/
uϋ:6m*)qEn+{ Ezr.{ŽOͽ\d,3wg]\ܸzEA%Mb7΍)F;d;xV^aWQv"8rTW4WGE^QPOG;|ʸfN}HU+
{?@٧R 5Wi޾xx7z^ACO'h -ۘ{HZY+ŊbbB,44}܃K:1cƭ+YpV88@-nd[h}*W%:S^lE"[c
y:aPu|![/
oυ7hliuoY'W+uufkcS7ސM|aˑ]@Wtm̵Gn;z
[?-ج'LSe/ۖ
]B?.
GQyLO&L_ůG^AlhzyJiYT{^FV+}>*ڀM>.c
`X̑X\49x$0X&@HJy_O4ɊdE"ه#YdXpB>4ȓ%ɰHV$+>.ɼjgō29,M2*ɊdEKѲD^=|Jn\(~ZAVPpP3졙陡E,̩)~ZAF	KN2sditԊlE"[퓐MMgmv }m2QVd+}mxkNXq鰮_ȆE"[y6nWl[^Z!j[y7qR`[PŘsw-يlEG6Gca
cBNɶ"[Vd$dS$l!biNo&ۊlE"[yzG6#R
3e@aF+q+
o	o"m
٢>3Hv \a0Wp Ayvc(KB]PQj!c-t-~v<t].tBHl2׊tE"]Ӓnie16j2NhϛtHW+>/({^-o8gxW˿9OzX+
ttqp!AbG@/^7$NPW+}N39dnG:vid	dv]pIqyFְՈ
15S]pWĸAiɰJx65r]`W԰cC=Ђr30ahW+>50лjə 99ۅmY+
vvg{eX>FMԮ
٢]ѮhivDve[خ}7Wjv]sN")C]
MaѮhW+}nکM3Dլ8AA+Wjw
v]sκ%GXgYp?mԮ`W+}r ;IXEDSU;V	g	d
v]SguLϥQl"vE`W!=[J*4+].e#Zwk=$ḫ
vOi{ VcLMCYjUq`WL`MSWҦ	lM	2]`W}S֙$^sN0D+2`W+}veQ@OWfW7(
v']@83󞳫']n-X>l3( /zev`W+}r)x$fHQ3ce9n؂]`a7INn"FsȞ?;v]s-ymN<=KY
va]`1fXij0e9%`W+>5L4@Oh˦]!ˑq9R+qq[>2uxhANݺY*l
[[2|3tye($|/2mNE"XAn]H6?ÂY`V00k1ht
C']D+ъhhEľִ%bڻ/s78o[[Jo}PRm$M_Gu
n'@HԠd>unE[M"%'5?󐑧ĸyWp;Ŷb[9f&tOX븡5g?*:/O3Ϻ_͎cFsAdW|Y'Rؓ3ζ~̰>R\-6Mn_SgSg =4nWlW:Ct>u|V\:Lk>iza3rx{Å.Gp*M\b]$bil=뼭OB}ЋWSh%>WC{"_G&h"cKBwz	a;Gp$3!1fU__/`*q4fyOe05
ta4tpF7hОr`^Yc`
#m8FH_j,c~+wƬw:v}l?g8/
!twY˺ɗj$to76wj=5İ{-!:xZw=3Io;+r@LzcJZ|y>6l:lx1sYepL=-U=6#NDIKf0`9w?xy*f̙=!y;gwRy3_rgi^'Bs(6I; betZ}&;m36{&1vH5ObkK;VЖi?W|=aGV4a4gV
C+)]ZL0h#m%P%7ݹ:|vF,]su_|y?s6Xac!X0+İzpSµub=rQtiJo3z̨Δ;A~m ܄=}yt"29u&kv!ϱV;E6M
9rt;fVU{pѨ+sɠ=ۈ،ُ'}6;гm]T-[fXSuqd* p3t#6gMfy2bc9jf3DXe_|bc}Tu{mYxES*Ew{z Kk=OQF1f(AMiF>|uy[@`{rl#8EtݭBv`P{Di3O$j@gvW@V>b1Qr_ۗoCȓ'ܞ|`[X:Pup,X0zpnlϦ>_OT¨Ik73cKڴWO*#3Fw[W,{ROx;9Da15+&R(u9HN-Lprt.tIPR:x93!ggOO'oשmgָuI~AQrX'
J	kXi&bيO
`D1-V^j X)żjCZ?Kƙo=ȡ^wTSY$f$뭚U)T,5G'h| ˾fzJ=FJe`UТeOezw{^ɣS
*#WT]=aZ?.騾9eߵ'Nz/,-q̊f ra9BϢdS]=ϨbbFÛ[GG!d?">7޽eҠ/}XCq޼qutljf\CuCwO$ޜa3yr?|`CՀ0{[gc4ms?qcCX3x).(ϖvdW~皦gu=IV^Yܙ9zI.	)I̦9dο3e9d^#M+	d1M`FB<Da^%`s[̣"	6F-Zt{:"4UVxep_utJCe8l
,i=i?|~ڛ3U<`n8=NpG xxU?y	hl~<k}vv3܇Z3+;f45|廯ɏXϿ'KV~vija'ۙv2}$(˵4y2[hwU,'c5|N!qO i 9~gR3&ӕ]ZZ㯮3`ʮͳ2-'vXJr%ovψE]lw؋eoQoJrdF{y:t#{3_)W+}ۚU܉:فYu6f+ɕ.c
&w xIJrj0uޕQm~XWI$-$w۪TOuM$vq+Jr%o#9LH:e!3af>w
Qto7ša밎Sb'Pa륿¾=AW1#䪄[oմ]i-c>%D

ܜ9:a_sjv{?G˨owj2M||
#|JMOAⴶ+\i3z+	ԼJ{R{[<9p9z{Y7+=6t\ZT~İRp%_^ߧ@\xu0
%>+%b9}dH(>4ܲQ%Ls8-=q׌Ma黕>~N}pϱCVChH{:g>g<~Nys;3+tkVUS9v355< "uݸj>6q;%PiҐ9k	ڈ9D{4 (V+-~-2n}
[^2hMʞGMԾ}εOߟ ~j9Q 
C {]9K>9gAlݢ3(z"Y*aɝʐ $d|?y)mb35EymhL]ֹujkWdQ&	-):W/¾0mv}P>T0'ZKerv}9ⴖmdCIW=Bb&a $txD=Jr}y֙nN{xNLvi2Ҥwyz;|P>q}@v"E^ֈ<,lsxD^^(/^Їwi'dI(OBS~(?~X[%Kbq	;C;Gr531ѮW9:ē[:NkMֵ(2۲,i%K•v7rMU43zT{v]h8|4@0w1ȏ!JkGu|tѢlZDȫKïM
	џ?Gp 
TӋ#w:GG%Jj.eѾdF!ofZG&McW^
նl($>tӿ?Ah
uu"dl/8:utԿ)0OfTiK5[kOfj?:ut?^:
9,I
3vU77ˎv:FNgJ@jԋCG[p7KGюEt9hQ{c4Zj}QqhѶQĩa_-t݊Hi`>/mG!K 4ٽCFX
m";zwėuU9ke:7S^/C%:JjQf3,_f*GXkHxu:tkg#̢>2c|]g}^ۣYGf7꽨L!bST^^4z:ˇh8rtZ%,!*J0hUX>-U;vT{*
q[.N+Ejm{$^<&8v(5VuI\$>sT狪9U&WD)@$sqXH'G$Z
VL>Sʻ{h2Ի8Jt(kk:p諵Rj
ލDGUv	-;^ȋ/nu:t%vsnY8NK?{4hѬ/a"c(ZʹiU7^_m:uU&Hvseh@&Us|7xU;bZƊ}uJ8WbGŎ}M-H3Cu,qT{,UQbߗrE
},ҍˋU>Qb[W^ XOpi5BkHp{(;*݋U1wpy{sQS!sF@$J1`5Ul=;*:*HICɈ۾߁9@uT'JFS[VsQ1}[V@EU\f9*vT;ULuRڸ4n厣bGžtK֘e2/[G[QbGžSR tb%z#꽢(gQ
rꥭGӤCWR~U&hѬY/j
Vf܆1N(R4NݼB)5G}*,ה
J8'QK	Mw麟6F]$^>CĤKPaFOw-k0	b[
TFhҹkt	U(`cW
V~\_ymNVMy Ul
	S-Oj1EG	ic }h~a(q}߰Ӿ6>'(9mp9F{Rj}(
TO(
z	DYI)BO]"mu#؊+8v9VAKQ(_S$A0*/IS'ǾZ_~ľlXʊa魜=ޗh
Y}	54ubдV_HϺZ1f2_/[yz#ƴRE^Xxd@&[Ͽ46η#_yݝ=i&J(t"U	hWAmϭVS\ȌYf>4aS"RۚLX~9	cxZ!0sXl_#43~8/;Uգ<@ݷu(ݨCx;WP_d#635BmPt02,~՟c{{T)hhqzg1K:2vLSdʰ"ӯL.;hg"medؼ#b1ϲ?S~IQLPvMi[KNj;O4^fug೜ŬZPSmi+'{	&~WCL[oa܋{yo\GnIKlVtA7Z[Ԍ{LuKGv3qH/h0]kjF|m/e~{"ڑ2,Mr+dtn	o-~Y34Zr`4"h}x
fnv_3?XPڅc[];M
&݋Ġq@IJu2%Sjce?&:BFK4qu66H~z	9L2e|f:J0p5dWDBd@c
g?.ϚC~re6כX1lFlU+"}
,53ovo<Ãس -E,9j: J`|wT~]cw 
KȜ
c\#þ|{6qƕ-.§xe-jPؘnAHiT8{H|tU/I9>)i03\bBQВivYM&ql(8	9{:I1h(\A{~!Jiq,^.A}x%6IhoZ1f)!8wSeA9KӸ7SNq {CxfuJ
Wi}ZY:od'%FtBo8Em@v[Sk6d< ڐzK9n^+))]`ƔX5`P1g+S}&V==b3Zby	6;3nXu|r`{.31qsdH&@@
wvCZlԷea.WC)폱?p]KO>c)"Ve*fLzrIlׯr$7B< >-T[a6P"mB?dɧEr'>d%8Y')}-6[Y]NUxf:zLscKl5۷}Cvxp?*-Umv!olʶcTޚx̀5R_ID+R3JziCW+l>VՔ,Fգ1Eϸ8T07v49>
z~h
$Fhsh޲98ȿWCc**GkI=7{~@caݽgiz2
w|1UyƂ>lj<U2!#ɸivGОYxq{]f#(iӪr<5,[3KH##JwO6I	],lU3̧oPw\pa):uJv;(T(+8)4ⶰ	Wgx~}$oK,5>MQj{Uo쳉mgB{usGVnIkr0N^d~Pim\=>Ր0J0C9r)sO6Űh~"="yFPkzۻ`
҈:o^Ҥ̰0pBœu2Euz3-X{eX<%ҽ_W@HFoV/sYS
q`dWIkH 
2g,EnO H|تhD3A)Ъcd0)DIeW0έfa˰2[ʟ5T+2. RQ޳ND
1\$Rm8BXfY73^; >3tv=UG!y+B4u/(ĥ֜/l=)8kjssjaEb
wKzڥ"	!F@hR#S;F_7x ~+mcdUF\ffbw;Bi(:ApNӊ}R_h9|P'SJq`1t\:Zsj@}~PJHhǠ(ZjG~~kZ Kw(C2L;)]JU1S\ZnCLh(j:m&M>q&pѹB8,`P*B+vQ*qecSho"{^{_=887ӲZ*X( .ytK$s]3v{ŭ9>?\b<x<{lw~zaa9qK2>;9F
P3UXiJKiktI|.p;=3;kޗ'"S∾pJ&*,gGKiks:|x|hKeހd§u!+y:ؙ֪*PuS#lϫaf>h
6y%a>zL!̓4`F'{)XwZz%M;uON+쮞
ZjJ89y])b f 8Q
}H:[)DKR[cۘP)--t:ewgb`	ACC*f)
e'"ÛÛl6|:&OhM&DajR{oE2w4!GseP)SlKʇ>>0pKiЬh~O/m/r8t8vswi4!YCmybPUn6?eHHD$(!22eK{SstO)43R>]of¸tu>:7pm6.ɸK.6~|}/USrMa)v;:OrUA%N whCa=\D:+]縛\'rr}#Z8`he2EʅٷWSņ|kcTaK_xƇllђX/꽪@.R'aa܏1ouD}u/1ڪ|^nIfN2~FZ^d7eUcġk]f!!.e5W3ȷFhQY1^a6.)e-hoLJ||?aaZg2ԩ:iZDICCq'Gmexs|q6n?;	yg.zF{kX3w3Ά\=혫YGj&QlM><;aXڙf2f"4~LwC@:Ck՝5|HY-%I*7!!ߏ'ɀE&[i&Yd>	si5/]>ѕzwf	Riϰr]AN[r
>ÀgQĴBm&Sc&!GQ3k[&ӥ{Ɉv9K~/O2*!cnsj@}@{'uK%
̋zl@E3ӭkΫ`0bs$@gPZ^v}v$Twk:@rGZgN{lgch*\:pyGRu}M?]vO˄zޖ֡\qܚ3#.nȆ
3[TxU\~`:!-1*\.	쥦>
v.-s4QcB@!!bI^LCm)+.(iPG	3r; VdK),\ҸJ2VgU{w^Y*ghˌe	i{߿ 3TCI3ሂ>0T~
1b4KBmib\2y-_̵RWeZ2*MZЛ|׋{>8Gt7?uP21lQ5\;6ށ|Juy5ijBG&Dw{ixk)nl/mY(ip
YX#o,VL@5pfSR>7[h_s	U@seZW֢+ r5-Lgȵ/ܪKmxօ@ҕc~KiqT峉4cZkX7r3
P9y1F,ġf{m:Aꍻ@AF0v}f9:-ĐQꬄ3§׹|+\`,[5E}mb?n./r՘MKm11Fcdy{"עTg5G>3
E&SG47>UݏhËC	+xƠ#T}rd	U3ErL⇭xhdH^9@0QQY?w-Mǜ f5 uwS>MB`P9Ne2@[V
gMj:4SJQ5>=j[5Ġ%]
a/ӥԞ	5Cf[+ι}HttľqP{&Te
V .B|Yگ\0
.}zx:s(/W	WI	гꕎBՕ;SGQ~[Ag*;/e(r:<=tniK2cUp&	ˉV>vI̹zmњiaibK;&u!Oc&Up4׌>U
|=`X\+	N0
֫JOX0VeQ1mj2HiTRO	꠱bB]K9|ziu@cljh4W@T`԰aGԱ8:/d"{ЌR⌅"oc8b:X%M>=z?]j7m(mS?N~H:pio8P?0m);sdX6r0=ճZÌ/FLBVJ&6-iK RShr|$52\Rh)EԫPuhXηVHI
Ҕq[Ts%ʴ\q>K;[TwM:dʼNl6&bKqJy=#֜8jkzj$*
@=֔E}VȃhJ0i0l[Zj}z{aW{$x{>.7aBJ.BbXd>7vı,n
˛dv3.{Mx
݁Fk4'4K:,~4#9X>?SjgÅ1SƎ/SJԮM;'6T
d`{`>wa2)BːuF!n9˼?=`Q&oGV=> ?1V+̺/P`;cL	PVJTJzŲڅ1]wyJ;DI3HN$qG;n?xxCyLtV7n,̸,&51
sK_\o!4RMPDq.2nem˷GX~vʒ?Jr3yjCL(1fHU$~oYfuWY_`xX\l)5aI!{&AaJUpfho!{&n1fph;z.M!*.Cs>[ci&6}}9|%OPYo=!ݐZ]2Z@Jռ2YYw(n,Z^QP@rRN's4oǑ痲.>E{+
j[33p*I>It;IO̟xuKolﳾAfrr//7ѣ7;>/nWHBdsH:tUkzH>C]siUH]g;?[&)_RiFo(ދOdݰ}Po{3N+^lʗXov?Y`#*+`WZ!9=fw9W
24wVH`Km&.wg˸vl"5iE1>.'@<)!T`p+4{Y3LQĤ)dK.2 +A4f>vxfMؘS>=%|5h`iEPbVk0֍\1As0s{â˥[^ӆw:pu )56~f -fQgKd*UyV5h}55t,Ķϓ9Sqս8r_ET1sJlǁ7FIh}Haf;$SVU^ n}4A7@:q]rYM} ڬ>sT4n~s:~wι(Rc9U0Gԗ9#oJxQiR*	"Ж!dm^%n^GDlkia^|$^Z2{F \X{mŢ8HʢzqQx؊Ŋ҅-BpV̜bpޛH(ㄠ&Z"GA2V%Ըu򡹒+^trJ_r	{"_Xf.o*ƥּG&WohE
h%W]-kPP?sL86>$Ij.{;rCm{,9tXs"rp+{{Q`_S"G
O~`GW	zhU_a\9:3ћ6px业n$Dž$ÇwȇЋK<ۤK˼WEqH1H \v\ eg&Ez|4zD_i SP5-mFQYZ:)XP2E_
brHP*.ƃ<)U?91X=,qDf6ˢ~1@C_N)!ìĦêAbœ!>vpk{TI"ݣjZ<^9$CC_+W49 FPK8CH{9Láá/eF*Q&w,,l~:{̇??LE5nd"k:ؕaޫt0-n~5*ޫ2c5i6Bm=3Qppd*P/&*V徥O8<9oj+o%EiUM|~;àà٠+CؘV
'N`}خBuDLL
>W>NJj4f̻CUMææ<%2ٚC#Вڧ[(3͡&}I&:d:abJ~L'>lQt%8+šh.BˡԡԿTe/BQ"NjLP]%H]-^fLy
7+h^z,p}J";{WW^Q
񺪢yzŢ"!!."=>Z4Z_q<:۸\bq M˪h_+?"--#t7i=fc+]q_l^cc!4J_gc-6¯9 jXkmc6욙}KuHuH)]18\e,'Ό~2w\7qmOƧvm")﷎LJC֗:9O{l4n^4rV	p"=;sNpty1
ܬVEGbGW'H:t`BK9*=)޸g>y]\E3_[(7*Iy3J9:Z#NâU6F]vʫ6iW1z;J]UNINe1124M22
։6@K;2!!/Lj	xm!YS<6Acwp:wRZMCC_q@UUg(hm.jŖ9}Fe 0 }
  requires { x >= 0 }
  requires { q * y <= x < q * y + y }
  ensures  { div x y = q }
=
  let q' = div x y in
  let r' = mod x y in
  let r = x - q * y in
  assert { q = q'
           by q' * y + r' = x = q * y + r
           so q' * y <= x < q' * y + y
           so -y < q' * y - q * y < y
           so -1 < q' - q < 1 }

let lemma div_minus (x y:int)
  requires { y > 0 }
  requires { x >= 0 }
  ensures  { div (-x) y = - div x y }
= ()

let wmpz_tdiv_q_2exp (r u:mpz_ptr) (cnt:limb) : unit
  requires { mpz.alloc[r] >= 1 /\ mpz.alloc[u] >= 1 }
  requires { mpz.readers[r] = 0 /\ mpz.readers[u] = 0 }
  requires { mpz.abs_size[u] + div cnt 64 + 1 <= max_int32 }
  ensures  { value_of r mpz = div (old (value_of u mpz)) (power 2 cnt) }
  ensures  { forall x. x <> r -> mpz_unchanged x mpz (old mpz) }
  ensures  { mpz.readers[r] = 0 /\ mpz.readers[u] = 0 }
=
  let ghost ompz = pure { mpz } in
  let ghost ovu = value_of u in
  let un = size_of u in
  let limb_cnt = Limb.to_int32 (cnt / 64) in
  let ref rn = abs un - limb_cnt in
  if rn <= 0
  then begin
    set_size_0 r;
    assert { abs ovu < power 2 cnt
             by cnt >= 64 * limb_cnt
             so abs ovu < power radix (abs un) <= power radix limb_cnt
                = power 2 (64 * limb_cnt)
                <= power 2 cnt };
    assert { div ovu (power 2 cnt) = 0 };
  end else begin
    let rp = wmpz_realloc r rn in
    let c = cnt % 64 in
    assert { cnt = 64 * limb_cnt + c };
    assert { power 2 cnt = power 2 c * power radix limb_cnt
             by power 2 cnt
                = power 2 (64 * limb_cnt) * power 2 c
                = power (power 2 64) limb_cnt * power 2 c
                = power radix limb_cnt * power 2 c };
    if mpz_eq u r
    then begin
      assert { mpz.alloc[r] >= un };
      let up = C.incr rp limb_cnt in
      value_concat rp limb_cnt (abs un);
      assert { abs ovu = value rp (abs un)
               = value rp limb_cnt + power radix limb_cnt * value up rn };
      let ghost orp = pure { rp } in
      let ghost oup = pure { up } in
      if c <> 0 then begin
        label Shift in
        let ghost _m = wmpn_rshift rp up rn c in
        assert { _m + radix * value rp rn
                 = value oup rn * power 2 (64 - c) };
        assert { radix * value oup rn
                 = power 2 c * _m + power 2 c * radix * value rp rn
                 by power 2 (64 - c) * power 2 c = radix
                 so radix * value oup rn
                    = value oup rn * power 2 (64 - c) * power 2 c };
        let ghost d = div (power 2 (uint64'int c) * uint64'int _m) radix in
        assert { power 2 c * _m = radix * d
                 by power 2 c * _m >= 0
                 so power 2 c * _m
                    = radix * (value oup rn - power 2 c * value rp rn) + 0
                 so value oup rn - power 2 c * value rp rn >= 0
                 so mod (power 2 c * _m) radix
                    = mod (radix * (value oup rn - power 2 c * value rp rn) + 0)
                          radix
                    = 0 };
        assert { value oup rn = d + power 2 c * value rp rn };
        assert { abs ovu
                 = value orp limb_cnt + power radix limb_cnt * d
                   + power radix limb_cnt * power 2 c * value rp rn
                 = value orp limb_cnt + power radix limb_cnt * d
                   + power 2 cnt * value rp rn };
        assert { value orp limb_cnt + power radix limb_cnt * d < power 2 cnt
                 by _m < radix
                 so d * radix = power 2 c * _m < power 2 c * radix
                 so d < power 2 c
                 so d <= power 2 c - 1
                 so value orp limb_cnt < power radix limb_cnt
                 so value orp limb_cnt + power radix limb_cnt * d
                    < power radix limb_cnt + power radix limb_cnt * d
                    = power radix limb_cnt * (d+1)
                    <= power radix limb_cnt * power 2 c = power 2 cnt };
        assert { value rp rn = div (abs ovu) (power 2 cnt)
                 by let cq = value rp rn in
                    let cr = value orp limb_cnt + power radix limb_cnt * d in
                    abs ovu = power 2 cnt * cq + cr
                    so 0 <= value orp limb_cnt
                    so 0 <= d
                    so 0 <= power radix limb_cnt * d
                    so 0 <= cr < power 2 cnt
                    so div (abs ovu) (power 2 cnt) = cq };
        value_tail rp (rn - 1);
        label Size in
        rn <- rn - (if C.get_ofs rp (rn - 1) = 0 then 1 else 0);
        assert { value rp rn = div (abs ovu) (power 2 cnt) };
        assert { rn >= 1 -> value rp rn >= power radix (rn - 1)
                 by if (pelts rp)[rn - 1 at Size] <> 0
                    then value rp rn
                         >= (pelts rp)[rn - 1] * power radix (rn - 1)
                         >= power radix (rn - 1)
                 else rn = abs un - limb_cnt - 1
                 so abs ovu >= power radix (abs un - 1)
                 so mod (abs ovu) (power 2 c) < power 2 cnt
                 so value rp rn * power 2 cnt + power 2 cnt > ovu
                 so (value rp rn + 1) * power radix limb_cnt * power 2 c
                    = (value rp rn + 1) * power 2 cnt > abs ovu
                    >= power radix (abs un - 1)
                    = power radix (rn + limb_cnt)
                    = power radix rn * power radix limb_cnt
                 so power radix limb_cnt * power radix rn
                    < power radix limb_cnt * ((value rp rn + 1) * power 2 c)
                 so power radix rn < (value rp rn + 1) * power 2 c
                 so power radix rn = power radix (rn - 1) * power radix 1
                    = power radix (rn - 1) * radix
                    = power radix (rn - 1) * (power 2 (64 - c) * power 2 c)
                    >= power radix (rn - 1) * power 2 c
                 so power 2 c * power radix (rn - 1)
                    < power 2 c * (value rp rn + 1)
                 so power radix (rn - 1) < value rp rn + 1
                 so value rp rn >= power radix (rn - 1) };
      end else begin
        assert { power 2 cnt = power radix limb_cnt };
        wmpn_copyi rp up rn;
        value_sub_frame_shift (pelts rp) (pelts oup)
                              (offset rp) (offset oup)
                              (int32'int rn);
        assert { value rp rn = value oup rn };
        assert { value rp rn = div (abs ovu) (power 2 cnt) };
        value_concat oup limb_cnt (abs un);
        assert { value rp rn >= power radix (rn - 1)
                 by abs ovu >= power radix (abs un - 1)
                 so abs ovu = value orp limb_cnt
                          + power radix limb_cnt * value rp rn
                        < power radix limb_cnt
                          + power radix limb_cnt * value rp rn
                        = power radix limb_cnt * (value rp rn + 1)
                 so power radix (abs un - 1)
                    = power radix (limb_cnt + rn - 1)
                    = power radix limb_cnt * power radix (rn - 1)
                 so value rp rn + 1 > power radix (rn - 1) };
      end end
    else begin
      unchanged u mpz ompz;
      assert { mpz.alloc[u] >= abs un > limb_cnt};
      let up0 = get_read_ptr u in
      let up = C.incr up0 limb_cnt in
      value_concat up0 limb_cnt (abs un);
      assert { abs ovu = value up0 (abs un)
               = value up0 limb_cnt + power radix limb_cnt * value up rn };
      let ghost oup0 = pure { up0 } in
      let ghost oup = pure { up } in
      if c <> 0 then begin
        label Shift in
        let ghost _m = OL.wmpn_rshift rp up rn c in
        assert { _m + radix * value rp rn
                 = value oup rn * power 2 (64 - c) };
        assert { radix * value oup rn
                 = power 2 c * _m + power 2 c * radix * value rp rn
                 by power 2 (64 - c) * power 2 c = radix
                 so radix * value oup rn
                    = value oup rn * power 2 (64 - c) * power 2 c };
        let ghost d = div (power 2 (uint64'int c) * uint64'int _m) radix in
        assert { power 2 c * _m = radix * d
                 by power 2 c * _m >= 0
                 so power 2 c * _m
                    = radix * (value oup rn - power 2 c * value rp rn) + 0
                 so value oup rn - power 2 c * value rp rn >= 0
                 so mod (power 2 c * _m) radix
                    = mod (radix * (value oup rn - power 2 c * value rp rn) + 0)
                          radix
                    = 0 };
        assert { value oup rn = d + power 2 c * value rp rn };
        assert { abs ovu
                 = value oup0 limb_cnt + power radix limb_cnt * d
                   + power radix limb_cnt * power 2 c * value rp rn
                 = value oup0 limb_cnt + power radix limb_cnt * d
                   + power 2 cnt * value rp rn };
        assert { value oup0 limb_cnt + power radix limb_cnt * d < power 2 cnt
                 by _m < radix
                 so d * radix = power 2 c * _m < power 2 c * radix
                 so d < power 2 c
                 so d <= power 2 c - 1
                 so value oup0 limb_cnt < power radix limb_cnt
                 so value oup0 limb_cnt + power radix limb_cnt * d
                    < power radix limb_cnt + power radix limb_cnt * d
                    = power radix limb_cnt * (d+1)
                    <= power radix limb_cnt * power 2 c = power 2 cnt };
        assert { value rp rn = div (abs ovu) (power 2 cnt)
                 by let cq = value rp rn in
                    let cr = value oup0 limb_cnt + power radix limb_cnt * d in
                    abs ovu = power 2 cnt * cq + cr
                    so 0 <= value oup0 limb_cnt
                    so 0 <= d
                    so 0 <= power radix limb_cnt * d
                    so 0 <= cr < power 2 cnt
                    so div (abs ovu) (power 2 cnt) = cq };
        value_tail rp (rn - 1);
        label Size in
        rn <- rn - (if C.get_ofs rp (rn - 1) = 0 then 1 else 0);
        assert { value rp rn = div (abs ovu) (power 2 cnt) };
        assert { rn >= 1 -> value rp rn >= power radix (rn - 1)
                 by if (pelts rp)[rn - 1 at Size] <> 0
                    then value rp rn
                         >= (pelts rp)[rn - 1] * power radix (rn - 1)
                         >= power radix (rn - 1)
                 else rn = abs un - limb_cnt - 1
                 so abs ovu >= power radix (abs un - 1)
                 so mod (abs ovu) (power 2 c) < power 2 cnt
                 so value rp rn * power 2 cnt + power 2 cnt > ovu
                 so (value rp rn + 1) * power radix limb_cnt * power 2 c
                    = (value rp rn + 1) * power 2 cnt > abs ovu
                    >= power radix (abs un - 1)
                    = power radix (rn + limb_cnt)
                    = power radix rn * power radix limb_cnt
                 so power radix limb_cnt * power radix rn
                    < power radix limb_cnt * ((value rp rn + 1) * power 2 c)
                 so power radix rn < (value rp rn + 1) * power 2 c
                 so power radix rn = power radix (rn - 1) * power radix 1
                    = power radix (rn - 1) * radix
                    = power radix (rn - 1) * (power 2 (64 - c) * power 2 c)
                    >= power radix (rn - 1) * power 2 c
                 so power 2 c * power radix (rn - 1)
                    < power 2 c * (value rp rn + 1)
                 so power radix (rn - 1) < value rp rn + 1
                 so value rp rn >= power radix (rn - 1) };
      end else begin
        assert { power 2 cnt = power radix limb_cnt };
        OU.wmpn_copyi rp up rn;
        value_sub_frame_shift (pelts rp) (pelts oup)
                              (offset rp) (offset oup)
                              (int32'int rn);
        assert { value rp rn = value oup rn };
        assert { value rp rn = div (abs ovu) (power 2 cnt) };
        value_concat oup limb_cnt (abs un);
        assert { value rp rn >= power radix (rn - 1)
                 by abs ovu >= power radix (abs un - 1)
                 so abs ovu = value oup0 limb_cnt
                          + power radix limb_cnt * value rp rn
                        < power radix limb_cnt
                          + power radix limb_cnt * value rp rn
                        = power radix limb_cnt * (value rp rn + 1)
                 so power radix (abs un - 1)
                    = power radix (limb_cnt + rn - 1)
                    = power radix limb_cnt * power radix (rn - 1)
                 so power radix limb_cnt * power radix (rn - 1)
                    < power radix limb_cnt * (value rp rn + 1)
                 so power radix (rn - 1) < value rp rn + 1 };
      end;
      release_reader u up0;
    end;
    let ghost nrn = if size_of u >= 0 then rn else -rn in
    assert { abs nrn >= 1 -> value rp (abs nrn) >= power radix ((abs nrn) - 1)
             by abs nrn = rn };
    assert { sgn_value rp nrn = div ovu (power 2 cnt)
             by if mpz.sgn[u] >= 0
             then nrn = rn
                  so value_of u mpz = mpz.abs_value_of[u]
                  so sgn_value rp nrn = value rp rn
                  so abs ovu = ovu
             else nrn = -rn
                  so value_of u mpz = - mpz.abs_value_of[u]
                  so abs ovu = - ovu
                  so sgn_value rp nrn = - value rp rn
                     = - div (-ovu) (power 2 cnt)
                  so div (- (- ovu)) (power 2 cnt)
                     = - div (-ovu) (power 2 cnt) };
    label Size in
    set_size r (if size_of u >= 0 then rn else -rn) rp;
    release_writer r rp;
    assert { value_of r mpz = sgn_value (rp at Size) nrn }
  end

endwhy3-1.6.0/examples/multiprecision/mpz_div2exp/000077500000000000000000000000001440160026300215375ustar00rootroot00000000000000why3-1.6.0/examples/multiprecision/mpz_div2exp/why3session.xml000066400000000000000000002464571440160026300246010ustar00rootroot00000000000000












 
 
  
  
  
  
  
  
  
  
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
  
  
  
  
  
 
 
 
 
  
  
  
 
 
 
 
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
   
   
   
   
   
   
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
   
   
   
   
   
   
   
   
   
  
  
  
  
  
  
  
   
   
   
   
   
   
   
   
   
   
   
   
   
   
    
    
    
    
    
    
   
   
   
   
   
  
  
  
  
  
  
  
   
   
   
   
   
   
  
  
  
  
   
   
   
   
   
   
   
   
    
    
    
    
    
    
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
  
  
  
  
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
    
    
    
    
    
    
    
    
    
   
   
   
   
   
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
   
   
   
   
   
   
  
  
  
  
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
    
    
    
    
    
    
   
   
   
   
   
    
    
    
    
    
    
    
    
    
   
   
   
   
   
   
   
    
    
    
    
    
    
    
    
    
   
   
   
   
    
    
    
    
    
    
   
   
   
   
   
   
   
   
   
   
   
   
   
   
  
  
  
  
   
   
   
   
   
   
  
  
  
  
  
  
  
   
   
   
   
   
   
  
  
  
  
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
    
    
    
    
    
    
   
   
   
   
   
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
   
   
   
   
   
    
    
    
    
    
    
   
   
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
   
   
   
   
   
   
   
   
   
   
   
    
    
    
    
    
    
   
   
  
  
  
  
  
  
  
   
   
   
   
   
   
  
  
  
  
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
    
    
    
    
    
    
    
    
    
   
   
   
   
   
   
   
   
  
  
  
  
  
  
  
  
  
  
   
   
   
   
   
   
  
  
  
  
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
    
    
    
    
    
    
   
   
   
   
   
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
   
   
   
   
   
    
    
    
    
    
    
   
   
  
  
  
  
   
   
   
   
   
   
  
  
  
  
  
  
  
  
  
  
   
   
   
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
   
   
   
  
  
  
  
   
   
   
   
   
   
   
   
   
  
  
  
  
  
  
  
   
   
   
   
   
   
   
   
   
   
   
   
   
   
    
    
    
    
    
    
   
   
   
   
   
  
  
  
  
  
  
  
   
   
   
   
   
   
  
  
  
  
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
  
  
  
  
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
    
    
    
    
    
    
    
    
    
   
   
   
   
   
  
  
  
  
  
  
  
  
  
  
  
   
   
   
  
  
  
  
  
  
  
  
  
  
  
  
  
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
    
    
    
    
    
    
    
    
    
   
   
   
   
    
    
    
    
    
    
    
    
    
   
   
   
   
   
   
   
   
   
   
   
   
   
   
  
  
  
  
   
   
   
   
   
   
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
   
   
   
   
   
   
  
  
  
  
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
   
   
   
   
   
    
    
    
    
    
     
     
     
     
     
     
    
    
   
   
  
  
  
  
  
  
  
  
  
  
  
  
  
   
   
   
  
  
  
  
   
   
   
  
  
  
  
  
  
  
  
  
  
   
   
   
   
   
   
   
   
   
   
   
    
    
    
    
    
    
   
   
  
  
  
  
  
  
  
   
   
   
   
   
   
  
  
  
  
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
    
    
    
    
    
    
    
    
    
   
   
   
   
   
   
   
   
   
   
   
  
  
  
  
   
   
   
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
   
   
   
   
   
   
  
  
  
  
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
   
   
   
   
   
    
    
    
    
    
     
     
     
     
     
     
    
    
   
   
  
  
  
  
  
 
 



why3-1.6.0/examples/multiprecision/mpz_div2exp/why3shapes.gz000066400000000000000000000436231440160026300242070ustar00rootroot00000000000000ndǕ6zН߂5FH%pԭc[KnwLfrf$nHf!o1?*_R|W݂~msgw}.*_oG0?BkG>_.KR/ǟ~DZWٟ+K1+˵uvEo?g._8Qv\bs	ѷ:nϿvz`/x[v~Ke>xCkr߇{[{kza|>6{zk_U
{ZwVk_~{=2퐽lݠZƵV?;=R[/[>8^r`0J7=n\R?Ғ?Пwi?քZ,(. 5x奏?_]GuX{GW__X!?ԟ?=ݐ/˟M̿?^S?y{{^w-Gyhv|}JJ+;Ye?r/i_=.\>,rt[?<|m˟Y,?C`$	xcs0m/wS٤WtgiX=lf7n}m39e~OWgEx+u9ͤq)^zYTիw.|zBS/CܴX|C?;ϵ,㕠*^$}"o.^~+~m^Vٕq
/,
eʞn'vyOylx3]ܮ/>\`OSׯ
SV%z],qo_hk_.6pyHZG:t8#g}<i\9#p$V}?_˕=I<*}=шD]^:Yŭbw*IQ't]9k!I]knXwuWƂ+]2R<$ŸOzםxC_	V4o{HV^QXa^iҸ%zF'#V;|q2hi{T1~8JgkgpL3F׭}
H?˧݀} YM˽
bpӰle}#t-V׵m~.[YWnIƗ|%/Կpeo\Opg.>+y^y-x:弥4_=Zk{A[5yZtf`6.>of[xUq>Sn_~ǟokKn󞿱)կOon]ca<_eRb~Ĕٷ|ql^D.^#/>9x6]U]qϡB/l
.ΛkSx֎a7}f'}tR>+2ŨXVQ;ڮygԭec
ّouwֻK->]ܗv^Nj{1{}d,Ϭu>|H׍xX{}=|vxmw9 F2i٭2ד_״LOܻs_v_uH?m{X^>&3&,,g:xN>@oF}۫z}oN_LO*>(wb׿AYKiwd.dھ{q|u͞xg܇B~s0Tw`X?׹9פљ[ipK๥G
uT~y=6]zxoUsΛ`A.kC<pò7gt_e/SՈ}ϱ{2t,|7Jʭ|me yL$>\_@{AO35d~qUr8?~ĹɦN6uS'V'X}>zg<#,qQ>_??}㯣>tqЀEw-ǗXo>|k֍5/bׯ)0HDq6*ۑzssefɬ(q_ů/_Y׷{n׷N,vXo{>\%]WߞBunp
9_œx.ԖSKy;iWNCfÛ;ZrI/a!m{-^,==|띣_Rbݓ㥳#aWϟYwjkи*^=_|nͩ!jt~|5X]ʿx"u'J!uuݖj6>v{|Yݖ*ϑfx//[(g
%N&<5Dqκ+C9cثg<.J|X?qqm+gH>]t5ӍS>7hZֹ{ɜн)CWYɀQX->Oy6C^;hr'jvlч`*h%5ْnkI6=cg='=1m8eǽ72eJ?Kme߿(Uc57whwLvwr^^N{~dݽk)mO"HNHl\ޝT_O9V)>V=SD
#q:mur3-k7ХgI
92@=*ԫdj/yyq/SѣvkX<&УQ=on
kgv\&w#λa1»{G~&kh{|C7.=ě%Rx?qǟri^1;ƣHcV

x5d}zcH{ AKi1ǫ[~:=O7lAF㏷ --Gu5%,@GM>`o`P;uW|jχ]_UwmA'nA]OܢSZ'TUu&(	|j5K.toɅq=^qqie-~ޒ_p/}2(o{lCY<'h23-Hu/޼eQ9dPC
,zCJOQ=
-u
kZ&b=ɈILL;JNqe[shq,oRI&GؘCLf_.&/2
C)q@!Kw`6^fb12Cȥ
J4Cm)yٰOCI!GZkFK-B	Z?5aḮ	+dl!A7,lQfIz@y}3tlpydnCY,4S}gVR;N;
$/}+mf)m#(j7)<94̞mjDw@KQ|xlT2$E+n֛jabi@rikefnMU?NϽ*$f&ؒ*khL;H_,`gݥZ7BH{%;ч|^5>#MߓwQ7h!UHf#VhwsL YЈ
k#><؋	;gCŤ#^~czV6>1Fᢐs`u|f;&L,Fw
bQI)nRHfqBo
N:1lMEʧC󐜼L-6lQ#W],-UIh:8TAcn
WФ
bJO8gj|>s'ej+]̻L#uhK"·DfSݧl#WS>QY$+YiO_F[1o\C-&b!a*lPIM+g]aI	z-(.h!@Ԑ	LYyA%EdfFe䙀JL)e|DrB4Jm	2_:zEt[EwiIeJB$d"UBoUyr Yj&җV>=}AEZ+ڰ2z`gO-OC5Ƴ,;1ܴrws,:Ca1cn]آ^+dvv*"Ԇ
;݉_)0?)jИ[3´B7碙KM85&nLI;M[vUi"+J;(4Us8q(L,zW`LPh
`,)(H1
:.³߭:gou`l9i.sUִ"6G9¤hDd_dc(@o1Ͻm^W,2ՌӨlp=\<^)Jͫ4
nVaݘ%d
7q4RCB6؎
6|.[S

&,+lyJmJYQ|'@.\u
`U,[Cc%3SbAG;6;Fb}h#vKa7cSj
+3Jn˞ڱ6o-h|9-- ska0
2
5&iT]%6!Z @]JϜsȷGrF7)r
ԇgU!'24֑
2hJ*xtDL]1UELPkQY)	7vSjKmz/i
Ņu
}MƾT-M03uoH	e3oYΟ<	o"2le	[LϠg.ݐYR.&W(Z3oTf2lҴpMh:ЉɐooGdVVq6i9ͽ-\fQs6hC sDHyC``(X3	ZA¼k!yPsOfy(3RP0EApS6
O15bZ}4AC*Gj,kau)X7@4MAO=%`No0?5SB%ͷDcYs!y^4F,YbȬn0?e>{+%@8|X:J3qZ]eI֏/dy:#bYHS`^rΑ=U@J30jD'Bqݩ"Hǜz^z2`?o, ops:t$,[jMe'i#DR̙K&c&1
^44CpND_3S@,U,(4wA)R5Ei}F<_OZ'aK_6햖4b!Nj9q~R0`!\W/FytH%VK,ek/gj%5Ej:jT,3W2\"Bm%%#Kn5k4:?1KHnRn3I`%dƛč	0mLk\Ղ5H+1Ce.Ec[h6`+d{GW\z1xZ7m}
9.w"9 6VOiT~

VAmP?}XBe_8wD0Wy"Y%9XHsI`\,j9np?w1$TS#bOēr
묅op7.ACuCLφ_p惶rYbjjFX1l?.9g9@BX~hJ"H8\[,~?G~e%C``dJaΔ["yt]Z>Ȝ=kB%O'k\N#?4%T@h:&@y'zfs8eveCiϯ-9ƒ Ե1-2/JەG9z.|6eD?Э~d0 XU8ycôq@#)n'dά;%G>mЦ^NnϘIv?j%oAjJ5.lKѓ1oq&ԡES籠 w3Ia\cz/$;`	,0A.B&V8G6%?ձfz[`?Fq7[(Q)̎mX}uEAmYGCbYBl	Z
Z
T`&c,1EdbhCV`Qh>g	@4k0/-s0~HӂN|SȴAڬd%j=Bڧ9?d#y(+w]ZA*Ӣ	/SXaзֶ:46Z̳FJ!ꓻ^
oMpDciUn JΩp_DrAQ?d)MTjp_z)NS΢()đ`C&]q13h^_*\Iy=МFО1>2D'6y^1t¬ZgG{5c
eGf'duVFP{e2:
?)衩NUN:. q=E-(h6?V&Qbqˌs"DqY
|uUōR֒l^B#p.ڍ^,6YR\Eo\ve؃`	0sE
X%:nߐ˘B) BAڜ.1l3%Vig3\X0$2..$D-jXoM(N-4olpRT%j4+5>Hy73L`B9'͉ԟ[r·$QIH1w*t4̷Nh6fSh3BA?0tI8ĺfj!rxh:
7VTH=l]9b'CSRnp1?ŽDQaAIK^@|hZ
ەJKR$
m8]TYо}Vb'$G8!<4k~,dzZm.2viu1wnNviu@ː%9YKϷNmsNjҨɺ&όF%f㊣UI1IlPsz6SfK^1j޴ϘH+FަfΪJAI,ʣeRceJЗ{Y5(.,'hh=:`nnJi9A%S2ěZMbځ4EX[p(BA4Yhr?Ⳮ$"VbiL\"'4YMʌSZMZskjO2?>CIl=]+L]E׼$n͂|uvѨi.7~?LSAVx%^v?d=QCu4Jjlf;jǠEKlV{ũtVK8_<[/fYcbٰiP~P5gs?!p6-:q)%f_LZ1L=<:XP^Wm͞XPTB3DkbjV'6	$!T3Bi(:(ʂMxRZSE}Le7E7Nf! >oLS|3j1נD=4(C4yP7p(@hfjk0(dD]$a|Ao#:l*hE#y-gJaU`a0rL1kX
%I1+i6EgQ[TwBB+T?9]Aw)hИDe!lĆ)M
I{
ɻ4?&5YY4Cu\Yv){$PuSYg`dW3k˱j7}k԰ή<1@>}S{6(
(L h̑,|zTr*cp &\QBE%هtRHY8ݢfhZ2>KD}lkI#2咖D`@\3ԓy<\K3Jo#%t$X=ݹ$uʭ
[d743ڰ
ƱNl ?i%0֘.>aJ"Ԃ:Wձ'
E,Σ<{5{P,#i}=X<kٸr6s*M3qc9jRF^=QԡʽЎJ|iPS*`YXl5'=_0օ}^C
hЪ56e(CV`T+6QIleBǴN\UVcg>%G?:*ˌ\]njVcOY0C};U*@8A%VFf)]LWNlH?Ugski91DJ,;aC3ÏD12Ԃ15&liܐ~*d[+7Ci&iCU
$S+x~6c'oDҁFc>g)Ƭ,^N2=y{oLiFeBYc1^04	Y7؞rSm>a/`%sBt$>2>g} E-4lh*i
q>oؿtCJ9kN)V6wrE~_a:GpVaKH;%s7.K F3Xv<$
{)%a*i%nDxљd,nb:!ƓJ,dL
fLI57}~"N^*f3vӍ-|*ڔ:@9_0m?TcL3$ܽcL"{я,?d4GJ
:
\
`LyG+'AQ
:A#ܹMM<w1r`1<,2if
`9!MbYv^E3.7}.B$0BV#W,n\F4_K4ߢ!:ZϞBXOƕh}>+cDk2t1fQx^0Cp	XMs{5^h)"Ss4fif]Mq2a/DVùLqOYd\/Mm<&Nr꜆HC1Vh
^t&b7~qZSfGa5*=X>Z*,8-?1뺹:3Ibְ<nI1`Xd5FlE?&Ƚ
j
0l?Zfͪ.5=!5pQ[G7
GQQHb@qLR[
E~	LeqTJmNoDIH:+cQu$0@
SU6M/6{UzFa2̵f*@$WΙM|9."8)O6츽^s	9W"@,$N{nx<=zO4!Y )*wf#6]y$ʚSft
c[%eP{=VXVm.
3+7LZrjR[Yj6b-2I@ ɽ&aVS4w3ˌq6h`7|$Eʤ1Egpm)e#QL!97r3*PCm8bZ0LYl6h2I0c#aV`a,W
w[7Y"Fi^s{|oj]0Y"vQ>AOIC0V0ȻcMZɤnz<-^V :YXA=Hqw@9b(ujRS.ތx%mxqBTyH%ڔڰ/2뜴^ó%gU<*g_-ШӺKNu68|֚5\b!?tr#Kk370q2Z],j#d#'\y"Hcbi%nЉc
\>ztVSAMB>^"ל	diZ*2J5\([`B8,@I-`(z-
=&x.ʄ֥6S@uzZųJY6t9D-C:4v0gڰ~,bzdB%SBg;`q9%20XDߞYRP0*Ğ9HԱ
`#v
qQ8;g;?0Mkg@ܰLS)Ŕ{04Um>m(
zj=?7:}
TĥTx6b!R&U2;g28:[;u@FWTOA*bJPg=g'ۈQY}VӅaN9mD{m
];ϙ$O%-Rm	B`XHpTf嚲< o#+;fbUOtzh}hlm"+ʈ)Zhg=9>zF7e"/:Ny#Bwhy3-1.6.0/examples/multiprecision/mpz_get_str.mlw000066400000000000000000000277731440160026300223660ustar00rootroot00000000000000module Zget_str

use int.Int
use int.EuclideanDivision
use int.Power
use mach.int.Int32
use mach.int.UInt32
use mach.int.Int32GMP
use ref.Ref
use mach.c.C
use mach.c.UChar
use lemmas.Lemmas
use import mach.int.UInt64GMP as Limb
use types.Types
use int.Abs
use util.Util
use mpz.Z
use mpz.Zutil
use string.Char
use mach.c.String
use array.Array
use map.Map
use base_info.BaseInfo
use stringlemmas.String_lemmas
use stringlemmas.Conversions
use stringlemmas.String_value
use get_str.Get_str

function effective (b:int) : int
  = if (abs b < 2) then 10 else abs b

let lemma pow_mon_strict (b x y:int)
  requires { 0 < b }
  requires { 0 <= x /\ 0 <= y }
  requires { 0 <= power b x < power b y }
  ensures  { x < y }
= ()

let lemma pow_mon (b x y:int)
  requires { 1 < b }
  requires { 0 <= x /\ 0 <= y }
  requires { 0 <= power b x <= power b y }
  ensures  { x <= y }
=
  if power b x = power b y
  then assert { x <= y
                by y < x ->
                   power b (x - y) >= b
                so power b y * 1 < power b y * power b (x - y)
                   = power b x }
  else pow_mon_strict b x y

let wmpz_get_str (sp: ptr char) (ghost sz:int32)
                 (base:int32) (u: mpz_ptr) : ptr char
  requires { valid sp sz }
  requires { writable sp }
  requires { 2 <= sz }
  requires { mpz.abs_value_of[u] < power (effective base) (sz-2) }
  requires { mpz.readers[u] = 0 }
  requires { 64 * mpz.abs_size[u] + 7 <= max_int32 }
  requires { -36 <= base <= 62 }
  ensures { result = sp }
  ensures { valid_string sp }
  ensures { string_in_base (effective base) (pelts sp) (offset sp) }
  ensures { forall x. mpz_unchanged x mpz (old mpz) }
  ensures { value_text (effective base) (pelts sp) (offset sp)
            = value_of u mpz }

=
  label Start in
  let ghost ob = base in
  let digits = begin ensures { base < 0 -> result = numupstring }
                     ensures { 0 <= base <= 36 -> result = numlowstring }
                     ensures { 36 < base -> result = numuplowstring }
                     ensures { effective base <= String.length result }
    if base > 36
    then "0123456789ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz"
    else if base >= 0
    then "0123456789abcdefghijklmnopqrstuvwxyz"
    else "0123456789ABCDEFGHIJKLMNOPQRSTUVWXYZ" end in
  let ref base = base in
  begin ensures { base = effective ob }
    if base <= 0 then base <- - base;
    if base <= 1 then base <- 10;
  end;
  let un = abs_size_of u in
  if un = 0
  then begin
    C.set_ofs sp 0 zero_num;
    C.set_ofs sp 1 zero_char;
    assert { strlen (pelts sp) (offset sp) = 1 };
    assert { value_text base (pelts sp) (offset sp) = 0
             by zero_num <> minus_char
             so value_text base (pelts sp) (offset sp)
                = abs_value_sub_text base (pelts sp) (offset sp) (offset sp + 1)
                = text_to_num ob zero_num
                = 0 };
    return sp
  end;
  let ref i : int32 = 0 in
  let ref sn : int32 = 0 in
  if size_of u < 0
  then begin
    C.set_ofs sp 0 minus_char;
    i <- i+1
  end;
  let bits = wmpn_base_power_of_two_p (Limb.of_int32 base) in
  let up = get_read_ptr u in
  assert { valid sp sz };
  label Open in
  let usp, ghost mem = open_from_charptr sp in
  assert { valid usp sz };
  let ghost ousp = pure { usp } in
  let uspi = C.incr usp i in
  if (bits <> 0)
  then begin
    value_tail up (un-1);
    let ghost um = C.get_ofs up (un - 1) in
    let ghost sb = wmpn_limb_size_in_base_2 um in
    let ghost ub = 64 * (un - 1) + (Limb.to_int32 sb) in
    assert { power 2 (ub - 1) <= value up un < power 2 ub
             by value up un < power radix (un - 1) + power radix (un - 1) * um
             = power radix (un - 1) * (1 + um)
             = power 2 (64 * (un - 1)) * (1 + um)
             <= power 2 (64 * (un - 1)) * power 2 sb
             = power 2 (64 * (un - 1) + sb)
             so value up un >= power radix (un - 1) * um
                >= power 2 (64 * (un - 1)) * um
                >= power 2 (64 * (un - 1)) * power 2 (sb - 1)
                = power 2 (64 * (un - 1) + sb - 1) };
    assert { power 2 ub <= power base (sz - 2)
             by base = power 2 bits
             so power 2 (ub - 1) <= value up un < power 2 (bits * (sz - 2))
             so ub - 1 < bits * (sz - 2)
             so ub <= bits * (sz - 2) };
    assert { div (ub + bits - 1) bits < sz - 1
             by power 2 ub <= power base (sz - 2)
                  = power (power 2 bits) (sz - 2)
                  = power 2 (bits * (sz - 2))
               so ub <= bits * (sz - 2)
               so ub + bits - 1 < bits * (sz - 1)
               so let d = div (ub + bits - 1) bits in
                  ub + bits - 1 >= bits * d
               so bits * d < bits * (sz - 1)
               so d < sz - 1 };
    let g = wmpn_get_str_bits uspi bits up un ub in
    assert { i = 1 -> (pelts uspi)[offset sp] = UChar.of_char minus_char
             by offset sp = offset sp at Open
             so (pelts uspi)[offset sp]
             = (pelts ousp)[offset sp]
             = UChar.of_char ((pelts sp)[offset sp] at Open) };
    sn <- i + UInt32.to_int32 g;
    assert { sn <= sz - 1
             by g <= div (ub + bits - 1) bits <= sz - 2
             so sn <= g + i <= sz - 1 };
    assert { svalue_sub (power 2 bits) (pelts usp)
                      (offset sp + i) (offset sp + sn)
             = mpz.abs_value_of[u]
             by svalue (power 2 bits) uspi g = mpz.abs_value_of[u]
             so svalue (power 2 bits) uspi g
                = svalue_sub (power 2 bits) (pelts uspi)
                             (offset uspi) (offset uspi + g)
                = svalue_sub (power 2 bits) (pelts usp)
                             (offset usp + i) (offset usp + sn)};
  end else begin
    let info = wmpn_get_base_info (Limb.of_int32 base) in
    let tp = salloc (UInt32.of_int32 un) in
    wmpn_copyd_sep tp up un;
    assert { value tp un = mpz.abs_value_of[u] };
    let g = wmpn_get_str_other uspi (sz - i) base info tp un in
    sn <- i + UInt32.to_int32 g;
    assert { i = 1 -> (pelts uspi)[offset sp] = UChar.of_char minus_char
             by offset sp = offset sp at Open
             so (pelts uspi)[offset sp]
             = (pelts ousp)[offset sp]
             = UChar.of_char ((pelts sp)[offset sp] at Open) };
    assert { svalue_sub base (pelts usp) (offset sp + i) (offset sp + sn)
             = mpz.abs_value_of[u]
             by svalue base uspi g = mpz.abs_value_of[u]
             so svalue base uspi g
                = svalue_sub base (pelts uspi) (offset uspi) (offset uspi + g)
                = svalue_sub base (pelts usp) (offset usp + i)
                                              (offset usp + sn) };
  end;
  assert { svalue_sub base (pelts usp)
                      (offset sp + i) (offset sp + sn)
           = mpz.abs_value_of[u] };
  assert bs { forall j. i <= j < sn
              -> 0 <= (pelts usp)[offset sp + j] < base
              by in_base base (pelts uspi) (offset uspi) (offset usp + sn)
              so (pelts usp)[j] = (pelts uspi)[j]
              so offset uspi <= offset sp + j < offset usp + sn};
  let ghost ousp = pure { usp } in
  close_from_charptr sp usp mem;
  assert tc { forall i. 0 <= i < plength sp -> (pelts sp)[i]
                        = to_char (pelts ousp)[i] };
  label Conv in
  assert { 0 <= i <= sn <= plength sp
           by sn <= sz - 1
              so valid (sp at Start) sz
              so plength sp = plength ousp = plength (sp at Start) >= sz };
  assert { i = 1 -> (pelts sp)[offset sp] = minus_char
           by offset sp < offset sp + i
           so (pelts sp)[offset sp] = to_char (pelts ousp)[offset sp]
              = to_char (of_char minus_char)
           so 0 <= code minus_char < 127 };
  for j = i to sn - 1 do
    invariant { i <= j <= sn }
    invariant { forall k. offset sp + j <= offset sp + k < offset sp + sn ->
                (pelts sp)[offset sp + k] = (pelts sp at Conv)[offset sp + k] }
    invariant { 0 <= ob <= 36 ->
                to_lowercase_text (pelts ousp) (pelts sp)
                                  (offset sp) (offset sp + j) }
    invariant { 36 < ob ->
                to_bothcase_text (pelts ousp) (pelts sp)
                                  (offset sp) (offset sp + j) }
    invariant { ob < 0 ->
                to_uppercase_text (pelts ousp) (pelts sp)
                                  (offset sp) (offset sp + j) }
    invariant { abs_value_sub_text base (pelts sp)
                                        (offset sp + i) (offset sp + j)
                = svalue_sub base (pelts ousp) (offset ousp + i)
                                               (offset ousp + j) }
    invariant { forall k. offset sp <= k < offset sp + j
                -> code (pelts sp)[k] <> 0 }
    invariant { text_in_base base (pelts sp) (offset sp + i) (offset sp + j) }
    invariant { i = 1 -> (pelts sp)[offset sp] = minus_char }
    invariant { i = 0 -> j > i -> (pelts sp)[offset sp] <> minus_char }
    label L in
    let ghost osp = pure { sp } in
    let cj = UChar.of_char (C.get_ofs sp j) in
    assert { cj = (pelts ousp)[offset sp + j] /\ 0 <= cj < base
             by (pelts sp)[offset sp + j]
                = (pelts sp at Conv)[offset sp + j]
                = UChar.to_char (pelts ousp)[offset sp + j]
             so let tc = UChar.to_char (pelts ousp)[offset sp + j] in
                0 <= (pelts ousp)[offset sp + j] < base < 127
             so code tc = (pelts ousp)[offset sp + j]
             so UChar.of_char tc = code tc = (pelts ousp)[offset sp + j]
             so cj
                = UChar.of_char (UChar.to_char (pelts ousp)[offset sp + j])
                = (pelts ousp)[offset sp + j] };
    assert { 0 <= cj < base <= String.length digits };
    let dc = String.get digits (UChar.to_int32 cj) in
    assert { dc <> minus_char };
    assert { text_to_num base dc = cj
             by text_to_num ob dc = cj
             so if abs ob < 2
                then text_to_num ob dc
                     = text_to_num_onecase dc
                     = text_to_num base dc
                else if -36 <= ob <= 36
                     then text_to_num ob dc
                     = text_to_num_onecase dc
                     = text_to_num base dc
                else ob = base };
    C.set_ofs sp j dc;
    assert { forall k. offset sp + (j + 1) <= offset sp + k < offset sp + sn ->
             (pelts sp)[offset sp + k] = (pelts sp)[offset sp + k] at Conv
             by (pelts sp)[offset sp + k] = (pelts sp)[offset sp + k] at L
                = (pelts sp)[offset sp + k] at Conv };
    abs_value_sub_text_frame (int32'int base) (pelts sp) (pelts osp)
                 (offset sp + int32'int i) (offset sp + int32'int j);
    assert { abs_value_sub_text base (pelts sp)
                                        (offset sp + i) (offset sp + (j + 1))
                = svalue_sub base (pelts ousp) (offset ousp + i)
                                               (offset ousp + (j + 1)) };
  done;
  let ghost osp = pure { sp } in
  C.set_ofs sp sn zero_char;
  abs_value_sub_text_frame (int32'int base) (pelts sp) (pelts osp)
               (offset sp + int32'int i) (offset sp + int32'int sn);
  assert { strlen (pelts sp) (offset sp) = sn };
  assert { strlen (pelts sp) (offset sp + i) = sn - i };
  assert { text_in_base (effective ob) (pelts sp) (offset sp + i)
           (offset sp + strlen (pelts sp) (offset sp))
           by base = effective ob
           so offset sp + strlen (pelts sp) (offset sp) = offset sp + sn
           so text_in_base base (pelts osp) (offset sp + i) (offset sp + sn)
           so text_in_base base (pelts sp) (offset sp + i) (offset sp + sn) };
  assert { value_text base (pelts sp) (offset sp) = value_of u mpz
           by abs_value_text base (pelts sp) (offset sp + i)
              = mpz.abs_value_of[u]
           so if i = 1
              then
                value_text base (pelts sp) (offset sp) = - mpz.abs_value_of[u]
                so mpz.sgn[u] = -1
              else
                value_text base (pelts sp) (offset sp)
                = abs_value_text base (pelts sp) (offset sp)
                = mpz.abs_value_of[u]
                so mpz.sgn[u] = 1 };
  release_reader u up;
  return sp

endwhy3-1.6.0/examples/multiprecision/mpz_get_str/000077500000000000000000000000001440160026300216255ustar00rootroot00000000000000why3-1.6.0/examples/multiprecision/mpz_get_str/why3session.xml000066400000000000000000004521161440160026300246560ustar00rootroot00000000000000











 
 
 
 
 
  
  
   
   
   
   
   
   
   
   
   
   
   
   
  
  
  
  
   
   
   
  
  
  
  
  
  
  
  
  
  
  
 
 
 
 
  
  
  
  
  
  
  
  
  
  
  
   
   
    
    
    
    
    
    
   
   
   
   
    
    
    
    
    
    
   
   
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
   
   
    
    
     
     
      
      
      
     
     
    
    
    
    
    
   
   
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
  
  
  
  
  
  
  
   
   
    
    
    
    
    
    
   
   
  
  
  
  
   
   
    
    
    
   
   
  
  
  
  
  
  
  
  
  
  
  
  
  
   
   
   
  
  
  
  
  
  
  
   
   
   
  
  
  
  
  
  
  
  
  
  
  
  
  
   
   
   
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
   
   
   
  
  
  
  
  
  
  
  
  
  
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
  
  
  
  
   
   
   
   
   
   
   
   
   
   
   
    
    
    
    
    
    
    
    
    
   
   
   
   
   
   
   
   
  
  
  
  
   
   
   
   
   
   
   
   
   
   
   
    
    
    
    
    
    
    
    
    
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
  
  
  
  
  
  
  
  
  
  
  
  
  
   
   
    
    
    
    
    
    
    
    
    
    
    
    
    
    
    
    
    
    
   
   
  
  
  
  
   
   
   
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
   
   
   
  
  
  
  
  
  
  
  
  
  
   
   
   
   
   
   
   
   
   
   
   
   
  
  
  
  
  
  
  
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
    
    
     
     
     
    
    
   
   
  
  
  
  
  
  
  
   
   
   
  
  
  
  
  
  
  
   
   
   
  
  
  
  
  
  
  
  
  
  
  
  
  
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
  
  
  
  
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
   
   
   
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
   
   
   
   
   
   
  
  
  
  
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
  
  
  
  
   
   
   
   
   
   
   
   
   
   
   
  
  
  
  
  
  
  
  
  
  
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
  
  
  
  
  
  
  
  
  
  
  
   
   
   
   
   
   
   
   
   
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
   
   
    
    
     
     
     
     
     
     
     
    
    
   
   
  
  
  
  
   
   
   
   
  
  
  
  
  
  
  
  
  
  
  
   
   
    
    
    
   
   
  
  
  
  
   
   
   
  
  
  
  
   
   
   
   
   
   
   
   
   
  
  
  
  
   
   
   
   
   
   
   
   
   
  
  
  
  
   
   
   
   
   
   
   
   
   
   
   
    
    
     
     
     
      
      
      
     
     
    
    
   
   
   
   
   
  
  
  
  
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
   
   
    
    
    
    
    
     
     
      
      
      
      
      
      
      
      
      
      
      
      
      
      
      
      
      
      
     
     
    
    
   
   
  
  
  
  
  
  
  
   
   
   
   
   
   
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
   
   
    
    
    
    
    
    
    
    
    
    
    
    
    
    
    
    
    
    
   
   
  
  
  
  
  
  
  
  
  
  
  
  
  
   
   
   
   
   
   
   
   
   
   
   
   
  
  
  
  
   
   
   
  
  
  
  
  
  
  
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
    
    
     
     
     
    
    
   
   
  
  
  
  
   
   
   
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
  
  
  
  
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
  
  
  
  
   
   
   
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
   
   
   
   
   
   
   
   
   
   
   
    
    
     
     
     
    
    
    
    
    
    
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
  
  
  
  
   
   
   
   
   
   
   
   
   
   
   
  
  
  
  
  
  
  
  
  
  
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
  
  
  
  
  
  
  
  
  
  
  
   
   
   
   
   
   
   
   
   
  
  
  
  
  
  
  
  
  
  
   
   
    
    
    
    
    
     
     
      
      
      
      
     
     
    
    
   
   
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
   
   
    
    
     
     
     
     
     
     
     
    
    
   
   
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
   
   
   
   
   
   
   
   
   
  
  
  
  
   
   
   
   
   
   
   
   
   
  
  
  
  
   
   
   
   
   
   
   
   
   
   
   
    
    
     
     
     
    
    
   
   
   
   
   
  
  
  
  
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
   
   
    
    
    
    
    
     
     
      
      
      
      
      
      
      
      
      
      
      
      
      
      
      
      
      
      
     
     
    
    
   
   
  
  
  
  
   
   
    
    
     
     
     
     
     
     
     
     
     
    
    
   
   
  
  
  
  
   
   
   
   
   
   
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
  
  
  
  
   
   
   
   
   
   
   
   
   
   
   
    
    
    
    
    
    
    
    
    
   
   
   
   
   
   
   
   
  
  
  
  
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
  
  
  
  
  
  
  
  
  
  
  
  
  
   
   
    
    
    
    
    
    
    
    
    
    
    
    
    
    
    
    
    
    
   
   
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
   
   
   
  
  
  
  
  
  
  
   
   
   
   
   
   
   
   
   
   
   
   
  
  
  
  
  
  
  
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
    
    
     
     
     
    
    
   
   
  
  
  
  
  
  
  
   
   
   
  
  
  
  
  
  
  
  
  
  
   
   
   
  
  
  
  
  
  
  
  
  
  
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
   
   
   
  
  
  
  
  
  
  
  
  
  
   
   
    
    
    
   
   
   
   
   
   
   
   
   
   
    
    
    
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
  
  
  
  
   
   
   
   
   
   
   
   
   
   
  
  
  
  
   
   
   
   
   
   
   
  
  
  
  
  
  
  
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
  
  
  
  
  
  
  
  
  
  
  
   
   
   
   
   
   
   
   
   
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
   
   
    
    
     
     
      
      
      
      
     
     
    
    
   
   
  
  
  
  
  
  
  
   
   
    
    
     
     
     
     
     
     
     
    
    
   
   
  
  
  
  
  
  
  
  
  
  
  
  
  
  
   
   
   
  
  
  
  
  
  
  
   
   
   
   
   
   
   
   
   
  
  
  
  
  
  
  
   
   
   
   
   
   
   
   
   
   
   
    
    
     
     
      
      
      
     
     
    
    
   
   
   
   
   
  
  
  
  
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
  
  
  
  
  
  
  
   
   
    
    
    
   
   
  
  
  
  
  
  
  
  
  
  
  
  
  
   
   
    
    
    
    
    
     
     
      
      
      
      
      
      
      
      
      
      
      
      
      
      
      
      
      
      
     
     
    
    
   
   
  
  
  
  
  
  
  
   
   
   
   
   
   
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
   
   
   
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
   
   
    
    
    
    
    
    
    
    
    
    
    
    
    
    
    
    
    
    
   
   
  
  
  
  
  
  
  
  
  
  
   
   
    
    
     
     
     
    
    
   
   
  
  
  
  
  
  
  
   
   
   
   
   
   
   
   
   
   
   
   
  
  
  
  
  
  
  
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
  
  
  
  
   
   
   
  
  
  
  
   
   
    
    
    
   
   
  
  
  
  
   
   
   
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
   
   
    
    
    
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
  
  
  
  
   
   
    
    
    
    
    
    
    
    
    
    
     
     
      
      
      
      
     
     
    
    
   
   
  
  
  
  
  
  
  
  
  
  
  
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
  
  
  
  
  
  
  
  
  
  
  
   
   
   
   
   
   
   
   
   
  
  
  
  
  
  
  
  
  
  
  
   
   
   
   
   
   
   
   
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
   
   
    
    
     
     
     
     
     
     
     
    
    
   
   
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
   
   
   
  
  
  
  
   
   
   
   
   
   
   
   
   
  
  
  
  
   
   
   
  
  
  
  
   
   
   
   
   
   
   
   
   
   
   
    
    
     
     
     
    
    
   
   
   
   
   
  
  
  
  
   
   
   
   
   
   
   
   
    
    
    
   
   
   
   
   
   
   
   
   
   
   
   
   
   
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
   
   
    
    
    
    
    
     
     
      
      
      
      
      
      
      
      
      
      
      
      
      
      
      
      
      
      
     
     
    
    
   
   
  
  
  
  
  
  
  
   
   
   
   
   
   
  
  
  
  
  
  
  
  
 
 



why3-1.6.0/examples/multiprecision/mpz_get_str/why3shapes.gz000066400000000000000000001051711440160026300242720ustar00rootroot00000000000000Y9._A2 jԕC}tE-/eXOu5)z9""3#"#r9'FbY'32pOͿ~xM;?~[x'wC_w#޼z_^ˇ?~m|Yogu>ǫQqoO?j_Gmӧg&Q}72܍ѷij;}mn{W6u|?6wmsdX5kާہ7{,1q6!çϓ;ֿۯSe>uk{Sg0uwy_dm93<xֿ|%=?v7/|ov;z6OϠ?ήzه_r>|+P_>K_LL&DU[fXV5DD¾OÏǮS͚JOERno_/|"d/7o_߿,CL۟_~?/&vņ+_gvhU[|kҿ/ow;͐_>m㷋ulVa"iFՆ.w6w*_>i?~x|OLkiw'jiiJYy7\Nۺ[_?_ާOOXC.܏ڵ+a+2Z~TQZuk;rI
fwK^olNMy?_ty;{GWvZ}u
PʧK(\z^A]*͕h_)q'C9PokP6TKχ	Xv<_?ȳNEV~ӶrDYiy-gR$L*LmMm4kXMz1"oL75dP,zDʩ!^O[BQ}+k?F/ro
tJs?ܙD	x!XhkyխͣRkdH٬asrboq<#/_vU/Pci/|~ȸ?3PۧTƍ
yA=nͼ:̏ɿ)'^FNf?ofBQvrwԿӭvuOq}?yv`Wf?/#
ˠW}pg0ٗi}xyGP~P_k{_bg\ts7?+>_*Ô,4}gnW=l7e[_4v-}~;s]ys̺Oo_}oOm?T{}vȨ=꺽G}}(0S7
>l_lMo'?uIſ-QG~O?h},xV3Lv;`j4qo0-0_)>H?VdIg9vw`Digyn`I4|
޾0I)NoUh	kݙ><6B{s	yqyD	yykiY񛃽C>~?r),Ňٹ-;7PZrPYC)dgY[vNjwoFu_ק%L
mP.9]V'tiwMw[}R|ow)޾j{~i_ς[]H;wfinʸwwZID><\aQ
j16™fg8-O`wU`ݫv{nՌݦvۨoj4ަZes^lfs"o~w~]&
VvȫJ>u/fӍn{Q>xm9瞋r=xFV~i|/jr5Yߝ8û^:<&~B\`7F?&a]	)qFJ'T7646fK}׉|s{͗:8ӑ`L{8=߬wrlCi bߎL7v㇔O珢Tf+-V/l{7w#L;eIIV7fa8LFˇ_߾ֿ̟n?OgßVOJ8v;Jguax9/<ȯu_"p?]Wi%(WǫP2Z(.WeNMYwh,͞{WLW_"	[b(`V80TGܰ;`xn/TLʼnr;gw}

.&|-="VALLLQcí/|q%-7uWv\W$?/{\X-lf٣z1}gdΫ;O#YtK3akd7~{}SoEЌy6WD\=@i>3nkp١?|Yţ̸g'?5^߱^nZ+?n:sOO+zJxNY="}+Y&yz堁d
GPtӱfIdajWSl]g֍-59U=wk\\c]cњP"_$LjZ]Xyg(wVz:ձ^?a}s-5}#V}WUf_ttPᏔ;|iѱɹxz>.9EZ`v);굕#?r6`	Lz0Bnnm2їB)g+pw].Ukásygr3nj_wrDvy&O6WyNKaޥe\ר?^8ܻ>KIm򂃜raV:{mDA)lo32i~N	Iv~;U6ka$k#,7;ߝ7K,\H4Rt[áȊ4N;^DvC>ߑZ}pp^Co&ۜE%$^:^]4G,<3|{	T(e==I?oHײ+Bv^`舄Ws;N4V}S@lfl.cä̈́ߎD7`&@:ϿL_^JoBi^և[|"07[Aޖ7߽{f,UpWQUEriwT^W9oϧT|>|Cyb&)k~c'D.ZIEKa|66303o<y?j[Ij
9sMy?˾/zd{/?O-}pdqv>R8m?NsboFqOk̆ݷm^
wqqL(|{~r;}-XQWs:=Ui2%BwGNxsht2Eb.padqxFk?]ƮYŵo}R!ҼꅐK]gh5{ VxL WL݅afEs}yhdc,ŌxXqf|ka.d=nW%z]\dCb嫂9"@pN+!M_>m]֙yѡ_]bxiUݴb7AW,n*p
qYL&˜351B8ù7)h1ՊSЛ
bB¹څ<0!_Jaq2ХPp}(x8#G+C{Lų&M3O1մ=h=/d9|~lb/t;/DŽ3߿	vK}(%s\ԃUBrKK?wÒ8\\Ⲟ]vLz)f_\jaԐs/н_<{Xs_HJ/j//NvbϿjfE9Q+zޅKG->lC#9
H;
K0PfN씹q#]wuNwZEGNCpcz	048 c|1:NNe/hm2JQ@yصb]rv;ıND=^x"HW&G,]R&dfrol3cHv/|uj BZ5y^dRӪ-vq3-tS2q,g:9Q\/yׄhH5!a3Zr"Z*X$Yͻvϗ:s:A妎TFjjHdzRw
}Bv(SOW8W9zALPTYZ	VBmZ'p&j+r|i`.V¹WaKS!G>0p+d=xo<|ٛԻsR/9;u{]sjrs/=h<nzQ\>?R|/;/Ww{1iyn4ݝ/$Tqn4]5q;!W..VZ@]?׼[л`sC~қ=tu;UmN3ઇ?RС~5lNNƱzcVhcc1ɰvd+8xqyoJ5?=b#>!ĕ\&CiI/k]);$=Jt]=8.CzJ!ƮOO^@q1綝Dww܀gx]1/GwE[zJvF'A3:rm3:I
݃䝬9DXDboo6!qBkGB/0VVg(t0~x';}8L}4ێ'~<\bDNh6'm`|H{vY>O[)>{KS{<#ՍMx|v}CJ:K9
ZF2%$},Q]&HenԫQ,ɐA8k!S|-t7Ѝ.
ڄ\0PF睋>h6S7+$nŲWVm0cV:
(cjZ:eJ
)T28b0)KXFI7RJdDR}h
IV_+uW(Y	01
>uHIu`0E1&uIQ̚bSxg*岤Je+cdcYfB~G)QFB1VScD-XmrW11Ȩ Vܷ,%/
p7`o7
7 nkRf\ŤM%W@	ށzp
$J.N&x'>ϩ8fWq0CB*W4rm>sg֧M.3%2gn^9,Bd%UAֺ1ҊW
/ΊmE`㍁ίKEG^JQBz!AEfB2SƱl2.[CTYlLUb9ų 2/茭UZ,ݍmXz
Yx%"	XB2Z1	+ՖUi2'y(dT3Ü\WkEDZZpF01R2ͯ*l^!gPŔB&fo
軵,Z)"25g)\ZƵR&,^|bᤌ-덢*3gn8}$+^gVaKSAQ}OKhfKIVTsd1"*祡ҩ;x!H:3(SB*wcdBc;Lɻ)sIJo>I6H[\Ĩ+FS7r5(oXjU0Y6 J_I&3kz(*Y`Yd%#
o(sa	Ԭ۳DM6qGXjXrGЁm#38GW`$a9)b
!
?N E/dXKm&6R-Fy5dȤ[XcPl&k&blhaQmgOd`rȶK}/J>i?fW}^_4#+!qApZ&bx!5Wh,]lx=bK)j{.ߗ\d|-(9,o`:	od;~f!w#7gA/	,#K c&NrV?nZ7nZn5|ˊ$4QI^1ʠa%X%
_3	XǨ{:ˬ`(Խ*+Sq;d܀4aw+wK5KIZ~Iŗ҆hA&JJB#hl8
ušP\aBii3D!6vedhʢY#}u
{ɦ"t3QSaN sR!@TPuZH`T(8[>1H6AV=S	7QͶj'ZHdJ4)U_{(	z'Fӻmٰ
+c4pI02+	Fb
@	RE(l;-KncD%*B.[(	tؓ;d#%;jhHlPr,IK%\m$rJ#EKTA&](jDVJAc4:J3ijܦF*#,\ʄ`:Ju9nYu:xd5Cj@#(8+
d;@ɸʬ,ZGQXHD\zC@%SwM9orOf|_}(,\IYpb=m#=YZD
$:K*.NS-f WP?'Y-bBWt):J3RPd)	rlc'AUBJV&M0[ܫF8fQɱ!lɕXsi!^Jq"[tNB	H]x+Ttp	g=+?F=A6S7xh-w9]ht-ĊM^É64IE6lhH7_M)rp)z#`):V4ף&	XDY15н"]PT8#Dlz
;6jwX/	ARĚXh+nE6krL"yPL9F^Ƭ2a2z3\ٽQ8ya,P#Pazxht
P>
b:oC
"c5昔-#S?~27d~jt%#!ll
@W$u Ge	.:¤|
]0+$ *_G:ýjW!ULH]uQ 4:4حܳFIR0S6@@:|df68Y%E$k&ax]6	@YI,Svm
x}f_THx1hF,9E,B&Ja4^<fYCjaB0jA3O}!ޓ5r_D7Pɤ5zّH~=!_/W4	Ec̱ˤF+#ZSɖr!B27ӨF+GX(Pt=U"xȚdW]W'}`zM?y`5 dp5:ƆuёWؤjB,f$I
K+OJA"kB>e{6Ɔ>LT"J
*z].
DJ6^;gL5NjRl0
<AҌȲ51V2ڱiCDPơglM[̂hmrL68`ಬљ$wmvhVR W$,&n5&P3A6< 8e
fqƆvSupy\Lk#y<o\4V<֝F8(5[hҡXd*&b*[sy&ⶔeɩ/LRej:a~;2=&b*&)sac4+%YRaV 
Wƺ:ZS$r)iY鐜?u3ek;wGa]S{uІY'2KI`ٮa{T\<6c&b0(f%}ryiTdQ-(
:vw\
!g/Q֤:8aKƅ`	kkllkS1hR]IQGXk\6:UύzB4,,\!LZ`S4
|oۼ}aUڑMQfIc!WdRYdz!}$.iA28- ,6F{(YWkRY/tw6!,F3XPeVAM]E4>l>H!DQhe'*1SB|/YP3arH2ŜP
heD:QHc
2"lI$[y4WsZ
̨\p*RkBK"k
HDV1
[_(czUOT("Evl:]d-$tLDlH$,x&f`i$#B=*at.RS[_[mv	!QFgMk/1ƀg+uNlmY,90}=r"4\.=m/ 8p%Lzbɐ&-rw
l}YS2Z>zDɬ]L\UkBeiSH$
Il.DQzB9nfryd	:%2,ָz	עK2f6u&je;ZMWWTkUq]w;
/S>,eK478Iw"lV[!`TPڜVwpŠxO
R4ZEAہ	sf5DB
	*,%X|*&.
w-lT&ep\Vc(7X|C,j7sA{˦bX1Io) |H5QJPˊQui4FmA P&:HL ʙd*Ƣ-f/ B62!|>VB("p?
M7XmL`dzTD!dDݖfr09{lםnqI)Fق5L"w)PrH45HB>Kqr?UE7h-/'ID!iXИaC79
c$HTg[:]ihjo5`D8i[J3hB!	¸]saaEzH%9Olb40w8	"uPr:ϖq
J	l݁Ѭ
5JYRhYk4AhlʯjM՝a[C!
J#OP,9']njNIkv1wl3ofT!hm
K+IQօ.[fͪ:RgB[3iZl#̩|Ѹh)ct
X+=صB-Y&"|wl633jAM&	њDާb,٬
(9,CMXa
v
vWe`dF^K5"׬F
	ic뮶ZyBs2#
^1aenk{Q"IUY
C.55=@h(@5U#rنg7,>YTuA[%f
X

L䎱]XTI%UTFuE ,ABL>FJI&
xlrq4Hѡ,$LILˆGĥ35SDΦ%plц^6+1RƜY%p986E`|pr32RrY@1xmM<7L?{LGKeVߦ+`yM7Ov.,QwȼM7p)'-R%"J1z0`b}@NdF!~EH IURJ6*vĞ%z/4+kL3Đ)D!VY?1FUbQ1hIfY6!usI&pzRf4H:46>vHFCysP2ԋfkEAAA.c5k#=,\P5UgoU#:00`u`3z1>7P&0kņ
JGu)`Hl	€A00pP-%,2&H&JثT]FhVNEd"VoN 1Bh8l8|; jֳIRtP&Az!66>BWBYY4NkbK8

S$dc	+r<]@-
n-БvEF6K4d!E0N`^>ђ
%j5.,#s.

wMd7I1$y/YIi<<8]cXb/1@N=<'qVk`Y1A@\&Q  T^e>#t!RG"
CF^.ne

OtSURFf6AѠէ~O\
JQ[%<@i'u!]bVPlJzKv\mԗͶCRh0HVDY&A5_4C2Q˂c_m1Hƕ$(Ⱐ3=,46>$_Xd!ILSqMQhwjg0
y'V|~mm}2GT#,(b"PH!I0zp1]C1"P?TJ֐b00J
O'SW:%ٜW.T""uqb*R5ai⼔RZd!&Y"0^%툾THjW| u43PlW=$ue壺..ZEf,c +, 44IyG.UC[QД

OOI&:
d`cN.0uMxn^+jpmp}4=NK:j
V)uLTkGddd{/Y'k"bXGͦjm}.%E!Mf&'z *=ӯa9&R)TcƚC1<1MW&itj]rtVUQz]czȕl$bJ,

t0E
OdR76>32|,.$C6T+m4rCtttƳ s(2fPVEgc͝jm}fеk C \]۠۠ܠ)fsӗPP
רz*[
svNҞlSR*n@xє:쒓{

[e{Lt۹"'7T4Ah#0|2~݀_k(EDHQd:-2

$El*g9iT4ل/MV
6Q3xMV)Mb[7USf/RGK΄C	=Xp:(pblmKRSpEl{(*
ua)gX
H=?H7C\2I{'P贁`UWhbe}U-&fh&fuȹpTDR*	()"D̫s#$UʥDh4T(Y&>$:R6^rKD;
k<t0Q/AbY50\/녚Ҭj
5롚C߫ᷙ+4me6LQzR]guc#iBc"Xl2wbc$zd
x2\W&YoβJTjRlc#nk$A}0(#⾟))<|,TbkfTJ~4qɑiT%e) +LJhtEO +ӈu2&V*dM>RVMOzK@HTd2MmO	lUOϪBBDB`2HJ.YE]σ]5[-@(k%fUuyKQ74J)(sb$tv0l^M	(B8gX&^TNbAlkk{vM0(XnfDJ/$Uuh{n(eSF^&XIĪI
VYַƺ!pK@CF#)hm۬ͺg:3
%҂Y-
	E;tuύutheGّKEQcLPH)୕̋A3
$zOC_<
{o8phB0Ao 8KLJL;Z
CH
*_TbJM(1^xQ1L]`T9"P
#
y}ɝDyNdаI|{9DI9mƒJ:w;Qd㝵lbB,S*)
y0iiЙ6(o(EfcU:@hiЙJfmo@)4Ӡs%ɣ*Er.QxF:O>mj0Zسڛh2
c^
~N
$"37Ef]ՁLQѱcE̘*
oeKdy/67M)Ͼ^xZ5Q<6M|+gsXiWA,^V0EQ1HIو5JLUtG
Gǃ+2sQQV˔TY;AҀ&N_05SQYƜ5R0f-FQS9FHD2QBRVsXCQ.@Q2Z2C44K@!RZ^B|VAk=>l}|1}݆ he)a0FFlHیytfmDdɐjaa20g{=t+u`ERck=,`T]}@uF>J|jamJT"ʙV?oCx!ՖѧdtP,R$
ړFF6փ*J

Ovqdt=v!9VK
O9;!"J"b^mls,+}LZyP8eP	>H66>ʒLq%HٛFP6\Y7`ۆg]T:,P$F[i԰۰ܰ+]:!'!U	9AHU~ߝ@q{C)T5dȀch8n8~86Q 
yFhKl8n8~8r4{EXP9i9U	vp	ٮ~XS8"]Ng$x@jkU@MmPƧ.޽_y/6Ytëj]JȐK&'ׂ.\q,i'^eElBP_/Lbz1}1'	DpҞɇ-XتOLb)B2erb.]fxK_![
*W:fX5,MA)zQ0kacaA7|Zߺ^\W6vFC߫JR?[e[.L]W1`jG{e,5{g,vwēcċqY,;ٙNg;]>С}~_wsceۧ
uD_? :5t).Q6"w;k|y~w5L"trP♂eYV㜡p,l9k9OWw6mg+o{MX7>;hfr%oƶ6͐W7a>H#άP5!|a$JԢV^37c[x1 :U/σf&9W6޶6Tj	naqN1xϲ何o'B>x|JAY[sR9s}͏Fs܋a#֠ҩ؆G
b/e2_?IfZt׌}BV^ѝd̢7Ș#f=K;+CaYޙKݡVLP8Sm'Uzqf55y[Ujd/>C.ϏPj":LBL 3e+0"TAbe܎if28t%EdUo%1癧Wb'An]X ΑmzeMwwZ:Q)PT3l'VCgŚ*Pz_g^6W!n?s
2l
P*`rE	Kޅyo};IO%vsylԠg(Sp*ܾp30ew^6P8~|pƍLU~TGU~M?U+E K#7<׶Ŕ0¿]/?C3`DjJţ9m{J#ʏ\/EgqTsQI(&\g.3	0KVk}%*eqQ^N?tԀkJU4i}r䲽^N?0Vo58Bwkrz9|U`x(^s9'o=6vz㺨ՏF5cO!\#/cL*^V/Քb&AS[lrSzYhV{Ĩj˥w	֣DˮeѬ,bmGa"\{>2s^\NpR^@%Aa'
nޤ%oRU$a(/M9*+N!sW
7op{}?|agv%WCz+"vwl(Eĥm3xȊD1={1+ĕ@P28?0cN59%αAaW
grx>J{$r%Pm7_/ޟ,`Hn\GP}
-N{ǹ\"6cO1/=vVz񮸲ZKR}z}Xsbvx>疙ږ
d:6sV>'.φvr^BjipQͽh_?`TZ]P" +am?yپl6m$͏GBYSnkr(4vKq}CgΆF$7_/㟕q2"p.4b2Qe2Y/xpV,roF,)]ɝAĻl0(sV	o_?#㻑O]C*GE]$b\_e2)מ㞀p)
\~kU@)c BiqD70x6seo5}>k=	5
O6L|L[Z,XC Z"HxI8A̪Ogy̵-F=p#$2q|k꾣8]{
ս8\͚RceQ^Q4[A>i
}._Ĉcy2ǹgzuf*%Ze;V
4{ZH-o@݋Uto݌WI,24đ+2%)5~3Ѭ{P9;%EѴQ4STGֹr8R$O#Y>x+IE	
vbZksC~x@}4Yd*WPf_=z{ުWdHu#Wƌ1h_5m'	rWK Ṇ2=b*<+mCOh*+m~7[ Z 1@>ʝUΘG%yjQ5Mص׺u&ioYyj
)o'7#ttDI\ks.fy
2֘a
6!&!%`Ol@*HhnTXyVTy~{WSVr#Na	D?e{pe#0k۳Ee[vv!/ٶ+oJ0PS†#9o^mvC0cg=2SteB}O^MչMJ?BC7U\^<
\_}bMd>yp`s?^}yKetǕ%HLgMDssL6S{^lmG_^{GP]c
^s/Ԯ#nZ=/ƪ]7ΝyǕʷ9K6PN@"lEW̉gsb_"g;;*KQ"REbK0QoU{
O«هۢ
aPnT<
ɷ˟Acİc͙vn&cG$6TGVDfMr-q\~zsU{obn+X-b)vOUP?=O5[,ye{mBo{,lFr♣9vjӠ+-ac&ax+,MjmNo<zQEoiS~aHɺEf	d1ǹq Prmɺ

*PNegY%Db"s\Ī$b=Lߑg+ڨhӼ/iuX_mUWQPsBg4:l@㕕~^)[g.k~<3Li4WK'h)c0	O9a!cXh9R"r:pf'7|n98p
=y8vO1r5U4gUe3d9$k*h=4|4-HAqK&LWP,^TU._6"b	})JԀxqQ՚gGዂ{bVZ-ZT(/Un=a2%zn0Tm
`/JKp?[!Fn'
b^r]Ȑ$(%*)˽"k/~*t38GDͪd"~~QKEǞˌiPvr]:"+a%#z/ڰ~^Ih)-W
yPpmeScb$ĬXsVgUqVgUqu'i8@MzYE<3p)]s
85oklijEjPߺsqM.p1h2J[sK1:
px+\~{(sE/2-F^J5~NۻA,ijM^W._>螈gSllD?_UcV͵5KCnRniA_
M.2
NCT=RW+zZvi^Z/ֿus%e9FlU%jk;Τ~5Qw5R|)_/ş*ȂH72j/WK~rAxk[0Bv]m$>8R&&s/EMjgR{QKPe	;J4T//
@x2c+[}8	J=;eK%d
`LUٴ\Ջ`|K['/$2[
چnc*trK[+(0 8w=FIyV)^/oEql%e'dqN\/|@$\.P
W}~2 Q){3'Xj&S][5v	a0V~`@^ݥϰtiwlY1PwRZyY>ai?Xj]_֌|ƲT˩`kVm,H+_.`<=V\mMM3@Ӈ/ao\r94ISӦ3m Lz]¾u+y>Vew"_.axLh1
+̰l֡Üu.d͵E{=[hR<.=	^.h	Zaå-FSg
pvg>lY
kgV1js=VJǮ:ng^-qk&F֠
|w091'򎌣/ D'|zbrƤRl.D_Ssg+kW1Ɯ[nZr?LzA )>'!8n.m*N?yA i>Zcm
Fp|pmpO	a"͊F彩 0Ϲf}q)
"D ߅'T⳧o`nbZ)M~ zIfƅ!t\lpNVp'p@"_H!XV0O Kx=v!.N2AO0yW ՗)O+ݖ?uSS._LaLy
 9ܫ%'yq4ݼWnt9V-O0yʼn%ŊV^S\&tˮ]CU[1`%Ljh늡'|`m,B1ptnt6c'yWZW0sM\Ⱦ
SxMW9,ܬn\tr؃cx?UݻyW}~qYCWIx1`U7Xz|>L/Ob5Fv8ٙ3utډLk@_9-j
]N})K/>üە49&BUo|gڽ-"\^W_H%lݻ-NS{E2?\cf)7GY5qwi=|,0E$is!01o3sqhq8rH,̳S]¢&vf_b9$)ZkJp\]t~|jW$&ʾH}G^CWS/$_"ܪ-ľGy*4[>E6SY+/OO-/]}8h\?򋸞qF50֫~D%2JpdEZXแtbH`BsnsD80ӹn|EI*Xy=ׂ>-jU	cUQ"MV.#b S5ΥTDO'K.?xϭdk7m3G
XR\m>O08B_>t>Wůc|j5wӮB0\4]a%ZAPMCW
?S
%t[tGZaşjhW`8`$8C֞Fu6>50p/gyeziW̽Q=ǘr<7
8SnI6]8Zѥ5{/;tZFwT20h&QU=Q~\4YmKlo`뛼9}tM7Rv
ZaݞO	ǔmtR$JdYq#|>^=(kdo<),F|S+DM]75;[䈶F=Q-q&^.jnU.TPǠϯkь氆N~5Mӣc9l-[Ϟ5Pk[]f;C#}G.7=t~{ F26nnK#~#/\|}^1.{'(EPvmˍ*7<5Xjlf8cޞ.*^kDXurSјH2zemw@gϼ#Sp{WͿ'(8-5A@#$c7?6skIDJ=*kD۽f>zߓ*LnkѤ[iiۛz'[;X^$cFט|\a9L'7YxUU֨lM(3~'x>#+S42|>cqv!QB;8dQCYet:)ſߗpP2YLsJ
yK4._
FԓI(jROf?p1զ߆.49iр惎L
rI]IA2=
N	3vb̪
򻲒sP9"`-޻l&'w}Q՚_X~gX;!8Lȥɛ9wxf+1̪}[5"vٖEK=VўU7%aC69A:%Ź5VfnK_$5EZH$@*O6變Uc+ktj+9A%3?jIjsٴ3Ѭ_ȗƟ_\QQ1v<׊\"/([>s,age/_@AД$99l_QY}ym%WP3dvո>"_2/*D5"mq%Ȥx)GV!VlȽ䫄&ğfRg?i=3m$ʛ/J-~IMa|H56ԧIwn![iދ[DLpJwѧҘZ6h'nRA|GvʰT8rReUG{fvnדфs<7,g?Iim=(^/B϶*RvnKMjӭ\By睒O'&amndk[%t sfӲ}KtQXՠ,ua0p.$G&йqByƯ7;&Mm0Wk\SI~kDg2cʬfwzx:.&)r=i+ʏͦRyy~5ўfY/E݋MCK#,`%>uAJsհ?i3)KG^ܳ&{:ՕL7Ξ	_zb.lc{f_;Q`kSy9By/;R-4|40oռM?֗fq[PVKPΕ8UnK
׀:bk5w1XW%W2ͽGi|a~K){&gΤj!KhLZ@vή@[ު[͓z]g:o/p[;C AF'%6\%(}Y*2ճ;wTr%K-q;SڀRD*^/z"<!ol+gڴ ŗKg :I4,]3{%ʗoso۸;\rQ^r[;J*"KM_$?6>xe=Y^ZBC925芇ы"-}aރwZ~}MWQ-ị9qH7@_]هCe]%Cy.r]/OLL+fTt^5SWZ*[yn'0$]m*̅/I9,[/Q϶\/E^/埓51=ITY67gQ04/៎w]ЀĮB=H֋*W!R_?cm
 i>b"at礋t"ODΫ`3r>/
9N.`X
>Ww߀ޟ0.doteP,Y5!דϐ8^/60
 aI%<'z*|fh_D-G@@G3婊䵌2]7"sOGٚ+-O Rx)y[͙ebig3*x[<(^
z-Z)ynBIy^
ZCKXz!7]}-^VxYp-!v˳k7O
JCDb
,2{|4`^-hTA3Qq9
ӰxW1UL Q̄볈ޔS:_8/N*Zc:1j/8/Џ^dl :Y|/.8_Bq)v!K7a-:9^H?Ҋtx9f`CUB׾vD"1wt8	n-ܞf:({ӅS'yROӠ)N⏆d]OFO gZ˯b-UeU\'
ޯa"/ҏճh[dbBC9"j^J?Rk僢Tt/6kҩ]J/8/mNf!P:Rz)I7qƹC}ϹQnz}KǒJg]!ۻo=JlC#^v=Szu􆊽jL}GLJK#(5%2ݰ["Ɗ5{yeaݪMSY~*y4O:Qx,GTny{Pd$dQ*I={y~~M;be=7Y2?NO}\_6깏]Y"M9;um16YkVF58CmË^aa\YwIn]Ea	e2ИAL»G+dJgͻ\:r|	~;msF2j8ph稍"X.#&66XAr!jH(n{zgB/Xl.Z*As[K/1XX)why3-1.6.0/examples/multiprecision/mpz_getset.mlw000066400000000000000000000040431440160026300221730ustar00rootroot00000000000000module Set

use int.Int
use int.EuclideanDivision
use int.Abs
use map.Map
use lemmas.Lemmas
use mach.c.C
use mach.int.Int32
use mach.int.Int64
use mach.int.UInt64GMP
use mpz.Z
use mpz.Zutil

let wmpz_set_ui (dst: mpz_ptr) (src: uint64): unit
  requires { mpz.alloc[dst] >= 1 }
  requires { mpz.readers[dst] = 0 }
  ensures  { value_of dst mpz = src }
  ensures  { forall x. x <> dst -> mpz_unchanged x mpz (old mpz) }
  ensures  { mpz.readers[dst] = 0 }
=
  let dstp = wmpz_realloc dst 1 in
  set dstp src;
  assert { value dstp 1 = src };
  let size = if src <> 0 then 1 else 0 in
  set_size dst size dstp;
  assert { mpz.sgn[dst] = 1 };
  assert { value_of dst mpz = src };
  release_writer dst dstp

let abs_cast (x: int64): uint64
  ensures { result = abs x }
= if x >= 0 then of_int64 x else of_int64 (- (x + 1)) + 1

let wmpz_set_si (dst: mpz_ptr) (src: int64): unit
  requires { mpz.alloc[dst] >= 1 }
  requires { mpz.readers[dst] = 0 }
  ensures  { value_of dst mpz = src }
  ensures  { forall x. x <> dst -> mpz_unchanged x mpz (old mpz) }
  ensures  { mpz.readers[dst] = 0 }
=
  let dstp = wmpz_realloc dst 1 in
  let abs_src = abs_cast src in
  set dstp abs_src;
  assert { value dstp 1 = abs src };
  let size = if abs_src <> 0 then 1 else 0 in
  let size = if src >= 0 then size else - size in
  set_size dst size dstp;
  assert { mpz.sgn[dst] = if src >= 0 then 1 else -1 };
  assert { mpz.abs_value_of[dst] = abs src };
  assert { value_of dst mpz = src };
  release_writer dst dstp

let wmpz_get_ui (src: mpz_ptr): uint64
  requires { mpz.readers[src] = 0 }
  ensures { result = mod (abs (value_of src mpz)) radix }
  ensures { forall x. mpz_unchanged x mpz (old mpz) }
  ensures { mpz.readers[src] = 0 }
=
  if size_of src = 0 then return 0;
  let srcp = get_read_ptr src in
  let v = get srcp in
  value_sub_head (pelts srcp) 0 mpz.abs_size[src];
  assert { abs (value_of src mpz) = (pelts srcp)[0] + radix * value_sub (pelts srcp) 1 mpz.abs_size[src] };
  release_reader src srcp;
  assert { forall x y. 0 <= x < radix -> mod (x + radix * y) radix = x };
  v

end
why3-1.6.0/examples/multiprecision/mpz_getset/000077500000000000000000000000001440160026300214515ustar00rootroot00000000000000why3-1.6.0/examples/multiprecision/mpz_getset/why3session.xml000066400000000000000000000335541440160026300245030ustar00rootroot00000000000000










 
 
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
   
   
    
    
    
    
    
    
   
   
   
   
   
  
  
  
  
  
 
 
 
 
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
 
 
 
 
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
   
   
    
    
    
    
    
    
   
   
   
   
   
  
  
  
  
  
 
 
 
 
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
 
 



why3-1.6.0/examples/multiprecision/mpz_getset/why3shapes.gz000066400000000000000000000105471440160026300241200ustar00rootroot00000000000000YYo7~ׯ[f`q@y8WGёO~&[s#FnXU,o?~|w>Ϲ>gwc>>ҙ]	(;|6]c.je]wx[_ix8><ǜşukJ|)!8qҷ#sGq3?y־uX)߷>ۏ
]>]Ψ?/|Yއ^{
.!iZ1Cڿ[:-ם{;ʸ9EUxؽ:FiaLܾ4>mK:?0-s?UTt@?o7:.iI9I~$khdkڊ[:%-jVPNNW+e&KUs9O_>Ln%ÁS	::f3[I
n%e!fy4Ji{> \	//f:&gFEUcd{F+#ly9Cjځ]MU/kǻ~Z@@iK]t-`C[Essʅ9/lpM
Z]OioR{BA$˸:Xe._GG5;A?(Ƈ"ѯ$y1p;Qv;s*	ﯫxEXcְ86:qK*P6"_axwG=A|xnD:x0Է%YL~|w~DORn~͜pֳ+5m}?~h_jf,yUo|zS% W"uviPU͇Gӯz3ʞ]ly.?.?HW3)w03W]

x K17сED/ϧ5;z?"5[Mb
~!Q$氜ViZ햯96Um
2Zp5uWݧ{=mϷuYrx5}|ӮDC|цSdRn_}=ov~vW.Ԇ_ÞSk1Ug{t~VW@R'i~1J6#-Zx[\] RV
.Wx˝i>Ugo8vxk1Yevt0~hGgXnj*УN=,%}>c,#dٍcw6dkK;Y>~^,WlO&#с~rptࢦ> ^\a5Wɭp5;L^)ņd;#: hts^8uy/]劐feP#lG4_J;=)p6>i.r6j]dS*F=ZT)]R*Wεk=N|
ɐr$k%v,ǒ:'33V!am`6PDQzlp1cQV!ݐjH6uZָ6эjdHjP$EdYQUe%̍{O6VE8s..N
g
HÜFyd9srE'WL!WE_b:V=ҬԞqRy*)+2H])9je͂eaYFk>L(B$}6Es*S%$YlX뢂1IJp 羠&)M^]+({MHNydEYΕkmiFFFAWzP]6ɘ$ED_™֍fUKaBƜ&
7LX@s8C~o-%*X-YIAJH"2([-{kS
\2S-,T=fj){U@\ED0%Å
OZ%)@I@B(J
nD1qB:M10x)f'YBs++l	$]Jҹ$`	z,$PC?20jEe&/sbs##Ez>MEoo[#R7FUbwb ̞

6fzr4e
d⊸Q(IVޖ5MK\)ٓVY3\-2$qYX:QAٴ	.H!)o@ɠ ţ: ix:kIA%du%%
̦3FZWq<: PE(M`:ۮuꉧo@s-U!YWN@z4PcT- pR荰ӁWhNSe$Q75J8xg$5_ɫږs&DDީTF]I AKCгso.RH˅EDL)6&P_RE3:yƸ]6)iS1H\y66$`Ħ~Vk[+ւ'%B|ZN|$q,f![%Fz
k_TB k2y.D'mUA⊰oKp@❵ĩ-bXgg9u)-PhkjvЫ#svq#j_U'%4R(AN6`"$\n^[++*
,SPRY;
b-AǜQ SM&*26Ixp$	[z֙Lr`ܼ9xm
Q,}ppeEPV
XbIRTy^x#Kӕ20O(.g*UU~3`"	4
͖JGtè\rѡYB#QD+%zO7?]2ZRYBgt
è\
ى|s4Ed幐NQ`$1XVeB%Ί= 1 /\ mpz.alloc[u] >= 1 /\ mpz.alloc[v] >= 1 }
  requires { mpz.readers[w] = 0 /\ mpz.readers[u] = 0 /\ mpz.readers[v] = 0 }
  requires { mpz.abs_size[u] + mpz.abs_size[v] <= max_int32 }
  requires { 8 * mpz.abs_size[u] < max_int32
             /\ 8 * mpz.abs_size[v] < max_int32 }
  ensures  { value_of w mpz = old (value_of u mpz * value_of v mpz) }
  ensures  { forall x. x <> w -> mpz_unchanged x mpz (old mpz) }
  ensures  { mpz.readers[w] = 0 /\ mpz.readers[u] = 0 /\ mpz.readers[v] = 0 }
=
  let ghost ou = pure { u } in
  let ghost ov = pure { v } in
  label Start in
  let ref u = u in
  let ref v = v in
  let ref usize = size_of u in
  let ref vsize = size_of v in
  let sign_product = bxor usize vsize in
  assert { sign_product >= 0 -> value_of u mpz * value_of v mpz >= 0 };
  assert { sign_product >= 0 ->
           value_of u mpz * value_of v mpz
           = mpz.abs_value_of[u] * mpz.abs_value_of[v] };
  assert { sign_product < 0 -> value_of u mpz * value_of v mpz <= 0 };
  assert { sign_product < 0 -> value_of u mpz * value_of v mpz
           = - (mpz.abs_value_of[u] * mpz.abs_value_of[v]) };
  usize <- abs usize;
  vsize <- abs vsize;
  begin ensures { mpz.abs_size[u] = usize /\ mpz.abs_size[v] = vsize }
        ensures { mpz.alloc[u] >= 1 /\ mpz.alloc[v] >= 1 }
        ensures { vsize <= usize }
        ensures { usize + vsize <= max_int32 }
        ensures { 8 * usize < max_int32 }
        ensures { mpz.readers[w] = 0 /\ mpz.readers[u] = 0
                  /\ mpz.readers[v] = 0 }
        ensures { abs_value_of mpz u * abs_value_of mpz v
                  = old (abs_value_of mpz u * abs_value_of mpz v) }
        ensures { value_of u mpz * value_of v mpz
                  = old (value_of u mpz * value_of v mpz) }
        ensures { (u = ou /\ v = ov) \/ (u = ov /\ v = ou) }
  if usize < vsize
  then begin
    mpz_ptr_swap u v;
    let z = usize in
    usize <- vsize;
    vsize <- z
  end;
  end;
  if vsize = 0
  then begin
    assert { value_of v mpz = 0 };
    set_size_0 w;
    assert { value_of w mpz = 0 };
    return;
  end;
  let uw = mpz_eq u w in
  let vw = mpz_eq v w in
  let ompz = pure { mpz } in
  assert { value_of u mpz * value_of v mpz =
           value_of ou mpz * value_of ov mpz at Start };
  label Op in
  if vsize = 1
  then begin
    let vp = get_read_ptr v in
    let v0 = get vp in
    assert { v0 = value vp (abs vsize) = mpz.abs_value_of[v] };
    assert { v0 >= power radix (vsize - 1) = 1 };
    release_reader v vp;
    assert { mpz.readers[v] = 0 };
    assert { v0 = mpz.abs_value_of[v] at Op };
    let wp = wmpz_realloc w (usize + 1) in
    let cy = if uw
             then wmpn_mul_1_in_place wp usize v0
             else begin
                  unchanged u mpz ompz;
                  assert { mpz.readers[u] >= 0 };
                  let up = get_read_ptr u in
                  assert { usize = mpz.abs_size[u] <= mpz.alloc[u] };
                  let cy = wmpn_mul_1 wp up usize v0 in
                  release_reader u up;
                  cy end in
    value_sub_update_no_change (pelts wp) (int32'int usize)
                                    0 (int32'int usize) cy;
    C.set_ofs wp usize cy;
    assert { value wp usize + power radix usize * cy
             = old (mpz.abs_value_of[u] * mpz.abs_value_of[v]) };
    value_tail wp usize;
    label Size in
    usize <- usize + (if cy <> 0 then 1 else 0);
    assert { value wp usize
             = (mpz.abs_value_of[ou] * mpz.abs_value_of[ov]) at Start};
    assert { value wp usize >= power radix (usize - 1) by
             if cy = 0
             then value wp usize
                  = old (mpz.abs_value_of[u] * v0)
                  so old mpz.abs_value_of[u] >= power radix (usize - 1)
                  so v0 >= 1
                  so power radix (usize -1) * 1
                     <= old (mpz.abs_value_of[u] * mpz.abs_value_of[v])
             else usize = usize at Size + 1
                  so value wp usize
                     = value wp (usize - 1) + power radix (usize -1) * cy
                     >= power radix (usize - 1) * cy
                  so power radix (usize - 1) * 1
                     <= power radix (usize - 1) * cy };
    let wsize = begin
                ensures { sgn_value wp result =
                          (value_of ou mpz * value_of ov mpz) at Start }
                ensures { abs result = usize }
                if sign_product >= 0
                then begin
                  assert { sgn_value wp usize = value wp usize };
                  usize end
                else begin
                  let ghost us = - usize in
                  assert { sgn_value wp us = - value wp usize };
                  -usize
                end end in
    set_size w wsize wp;
    assert { value_of w mpz = sgn_value wp wsize };
    release_writer w wp;
    return
  end;
  let ref freew = false in
  let ref wsize = usize + vsize in
  let ref u' = u in
  let ref v' = v in
  let ref w' = w in
  let ghost ompz = pure { mpz } in
  let ghost ref should_clear_u = false in
  let ghost ref should_clear_v = false in
  let ghost ref clear_mpz_u = any mpz_mem in
  let ghost ref clear_mpz_v = any mpz_mem in
  let ghost ref clear_mpz_w = any mpz_mem in
  assert { mpz.alloc [u] > 0 /\ mpz.alloc[v] > 0 /\ mpz.alloc[w] > 0 };
  begin
  if alloc_of w < wsize
  then begin
    freew <- true;
    let nw, ghost memw = wmpz_ptr_decl () in
    clear_mpz_w <- memw;
    wmpz_init nw;
    w' <- nw;
    assert { ompz.readers[w'] = -2 };
    let wp' = wmpz_realloc w' wsize in
    assert { forall x. x <> w' -> mpz_unchanged x mpz ompz };
    unchanged u' mpz ompz;
    unchanged v' mpz ompz;
    unchanged w mpz ompz;
    release_writer w' wp';
  end else begin
    assert { w' = w };
    if uw
    then begin
      let wp = get_read_ptr w in
      let ghost mpz' = pure { mpz } in
      let up = salloc (UInt32.of_int32 usize) in
      let nu, ghost mu = wmpz_ptr_decl () in
      should_clear_u <- true;
      clear_mpz_u <- mu;
      u' <- nu;
      set_alloc u' usize;
      wmpn_copyi up wp usize;
      assert { value up usize = value wp usize = ompz.abs_value_of u };
      set_ptr u' up;
      set_size u' usize up;
      release_writer u' up;
      if vw then v' <- u' else unchanged v mpz mpz';
      unchanged u mpz mpz';
      unchanged w mpz mpz';
      release_reader w wp;
    end else
      if vw then begin
      let wp = get_read_ptr w in
      let ghost mpz' = pure { mpz } in
      let vp = salloc (UInt32.of_int32 vsize) in
      let nv, ghost mv = wmpz_ptr_decl () in
      should_clear_v <- true;
      clear_mpz_v <- mv;
      v' <- nv;
      set_alloc v' vsize;
      wmpn_copyi vp wp vsize;
      assert { value vp vsize = value wp vsize = ompz.abs_value_of v };
      set_ptr v' vp;
      set_size v' vsize vp;
      release_writer v' vp;
      unchanged u mpz mpz';
      unchanged v mpz mpz';
      unchanged w mpz mpz';
      release_reader w wp;
    end
  end end;
  label Read in
  let ghost mpzr = pure { mpz } in
  let up' = get_read_ptr u' in
  let vp' = get_read_ptr v' in
  unchanged w' mpz mpzr;
  let ghost mpz' = pure { mpz } in
  let wp' = get_write_ptr w' in
  unchanged u' mpz mpz';
  unchanged v' mpz mpz';
  assert { plength wp' = mpz.alloc w' >= wsize };
  (* TODO sqr if u' = v' *)
  let ghost mpzm = pure { mpz } in
  let cy = wmpn_mul wp' up' usize vp' vsize 64 in
  assert { value wp' wsize = ompz.abs_value_of[u] * ompz.abs_value_of[v] };
  let ghost wsize' = wsize - (if cy = 0 then 1 else 0) in
  assert { wsize' = abs wsize' };
  value_tail wp' (wsize - 1);
  assert { value wp' wsize
              = value wp' (wsize - 1) + power radix (wsize - 1) * cy };
  assert { value wp' wsize' = value wp' wsize
           by if cy = 0
              then value wp' wsize = value wp' (wsize - 1) = value wp' wsize'
              else wsize = wsize' };
  assert { value wp' wsize' >= power radix (wsize' - 1)
           by value up' usize >= power radix (usize - 1)
           so value vp' vsize >= power radix (vsize - 1)
           so power radix (wsize - 2)
              = power radix (usize - 1) * power radix (vsize - 1)
              <= value up' usize * value vp' vsize = value wp' wsize'
           so if cy = 0
              then wsize - 2 = wsize' -1
                   so value wp' wsize' >= power radix (wsize' -1)
              else value wp' wsize' = value wp' wsize
                   = value wp' (wsize - 1) + power radix (wsize - 1) * cy
                   >= power radix (wsize - 1) * cy
                   >= power radix (wsize - 1) = power radix (wsize' - 1) };
  release_reader u' up';
  ghost (if not mpz_eq u' v' then unchanged v' mpz mpz');
  release_reader v' vp';
  assert { mpz.readers[u'] = 0 /\ mpz.readers[v'] = 0 };
  unchanged w' mpz mpzm;
  assert { mpz.readers[w'] = -1 };
  if freew then begin
    let ghost mpzf = pure { mpz } in
    assert { w <> w' };
    assert { u <> w' };
    assert { v <> w' };
    let wp = get_write_ptr w in
    free wp;
    set_alloc w wsize;
    let ghost mpzw = pure { mpz } in
    wmpz_tmp_clear w' clear_mpz_w;
    ghost (if not mpz_eq u' w then unchanged u' mpz mpzf);
    ghost (if not mpz_eq v' w then unchanged v' mpz mpzf);
    unchanged w mpz mpzw;
    assert { mpz.readers[w] = - 1 };
  end;
  assert { value wp' wsize'
           = (mpz.abs_value_of[ou] * mpz.abs_value_of[ov]) at Start };
  wsize <- wsize - (if cy = 0 then 1 else 0);
  assert { value wp' wsize = value wp' wsize' by wsize = wsize' };
  wsize <- if sign_product < 0 then -wsize else wsize;
  assert { sgn_value wp' wsize = (value_of ou mpz * value_of ov mpz) at Start };
  let ghost mpz' = pure { mpz } in
  set_ptr w wp';
  set_size w wsize wp';
  assert { value_of w mpz = (value_of ou mpz * value_of ov mpz) at Start };
  ghost (if not mpz_eq w w' then unchanged w' mpz mpz');
  release_writer w wp';
  ghost (if not mpz_eq u' w then unchanged u' mpz mpz');
  ghost (if not mpz_eq v' w then unchanged v' mpz mpz');
  ghost (if not (mpz_eq u u' || mpz_eq u v' || mpz_eq u w' || mpz_eq u w)
         then unchanged u mpz ompz);
  ghost (if not (mpz_eq v u' || mpz_eq v v' || mpz_eq v w' || mpz_eq v w)
         then unchanged v mpz ompz);
  let ghost mpzc = pure { mpz } in
  ghost (if should_clear_u then wmpz_tmp_clear u' clear_mpz_u);
  ghost (if should_clear_v then wmpz_tmp_clear v' clear_mpz_v);
  unchanged w mpz mpzc;
  assert { mpz.readers[w] = 0 };
  assert { u <> w -> mpz_unchanged u mpz (mpz at Start) };
  assert { v <> w -> mpz_unchanged v mpz (mpz at Start) };
  assert { forall x. x <> w -> mpz_unchanged x mpz (mpz at Start) };
  return ()

use mach.int.Int64
use mpz_getset.Set
use bool.Bool

let wmpz_mul_si (prod mult: mpz_ptr) (small_mult:int64)
  requires { mpz.alloc[prod] >= 1 /\ mpz.alloc[mult] >= 1 }
  requires { mpz.readers[prod] = 0 /\ mpz.readers[mult] = 0 }
  requires { mpz.abs_size[mult] + 1 <= max_int32 }
  ensures  { value_of prod mpz = old (value_of mult mpz * small_mult) }
  ensures  { forall x. x <> prod -> mpz_unchanged x mpz (old mpz) }
  ensures  { mpz.readers[prod] = 0 /\ mpz.readers[mult] = 0 }
=
  label Start in
  let sign_product = size_of mult in
  if (sign_product = 0 || small_mult = 0)
  then begin
    set_size_0 prod;
    return
  end;
  let ref size = abs sign_product in
  let sml = abs_cast small_mult in
  let ghost mpz' = pure { mpz } in
  let pp = wmpz_realloc prod (size+1) in
  label Mult in
  let cy = if (mpz_eq prod mult)
           then
              wmpn_mul_1_in_place pp size sml
           else begin
              unchanged mult mpz mpz';
              let mp = get_read_ptr mult in
              let cy = wmpn_mul_1 pp mp size sml in
              release_reader mult mp; cy end in
  value_sub_update_no_change (pelts pp) (int32'int size)
                                        0 (int32'int size) cy;
  C.set_ofs pp size cy;
  value_tail pp size;
  assert { value pp (size + 1) = mpz.abs_value_of[mult] * sml at Start };
  size <- size + (if cy <> 0 then 1 else 0);
  assert { value pp size = mpz.abs_value_of[mult] * sml at Start };
  assert { value pp size >= power radix (size - 1)
           by if cy <> 0
              then
                value pp size
                >= power radix (size at Mult) * cy
                >= power radix (size at Mult)
                so size at Mult = size - 1
              else
                value pp size
                = mpz.abs_value_of[mult] * sml at Start
                >= mpz.abs_value_of[mult]
                >= power radix (abs sign_product - 1)
                so abs sign_product = size };
  size <- if (xorb (sign_product < 0) (small_mult < 0)) then -size else size;;
  assert { sgn_value pp size = value_of mult mpz * small_mult at Start };
  set_size prod size pp;
  release_writer prod pp


let wmpz_mul_ui (prod mult: mpz_ptr) (small_mult:uint64)
  requires { mpz.alloc[prod] >= 1 /\ mpz.alloc[mult] >= 1 }
  requires { mpz.readers[prod] = 0 /\ mpz.readers[mult] = 0 }
  requires { mpz.abs_size[mult] + 1 <= max_int32 }
  ensures  { value_of prod mpz = old (value_of mult mpz * small_mult) }
  ensures  { forall x. x <> prod -> mpz_unchanged x mpz (old mpz) }
  ensures  { mpz.readers[prod] = 0 /\ mpz.readers[mult] = 0 }
=
  label Start in
  let sign_product = size_of mult in
  if (sign_product = 0 || small_mult = 0)
  then begin
    set_size_0 prod;
    return
  end;
  let ref size = abs sign_product in
  let ghost mpz' = pure { mpz } in
  let pp = wmpz_realloc prod (size+1) in
  label Mult in
  let cy = if (mpz_eq prod mult)
           then
              wmpn_mul_1_in_place pp size small_mult
           else begin
              unchanged mult mpz mpz';
              let mp = get_read_ptr mult in
              let cy = wmpn_mul_1 pp mp size small_mult in
              release_reader mult mp; cy end in
  value_sub_update_no_change (pelts pp) (int32'int size)
                                        0 (int32'int size) cy;
  C.set_ofs pp size cy;
  value_tail pp size;
  assert { value pp (size + 1) = mpz.abs_value_of[mult] * small_mult at Start };
  size <- size + (if cy <> 0 then 1 else 0);
  assert { value pp size = mpz.abs_value_of[mult] * small_mult at Start };
  assert { value pp size >= power radix (size - 1)
           by if cy <> 0
              then
                value pp size
                >= power radix (size at Mult) * cy
                >= power radix (size at Mult)
                so size at Mult = size - 1
              else
                value pp size
                = mpz.abs_value_of[mult] * small_mult at Start
                >= mpz.abs_value_of[mult]
                >= power radix (abs sign_product - 1)
                so abs sign_product = size };
  size <- if (sign_product < 0) then -size else size;;
  assert { sgn_value pp size = value_of mult mpz * small_mult at Start };
  set_size prod size pp;
  release_writer prod pp

endwhy3-1.6.0/examples/multiprecision/mpz_mul/000077500000000000000000000000001440160026300207535ustar00rootroot00000000000000why3-1.6.0/examples/multiprecision/mpz_mul/why3session.xml000066400000000000000000014122731440160026300240050ustar00rootroot00000000000000















 
 
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
   
   
   
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
   
   
   
   
   
   
   
   
   
   
   
   
   
   
    
    
    
    
    
    
   
   
   
   
   
   
   
   
   
   
   
   
   
   
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
   
   
   
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
   
   
    
    
    
    
    
    
   
   
   
   
    
    
    
    
    
    
    
   
   
  
  
  
  
  
  
  
   
   
   
   
   
   
  
  
  
  
  
  
  
  
  
  
   
   
   
   
   
   
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
   
   
   
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
   
   
    
    
     
     
     
     
     
     
    
    
    
    
     
     
     
     
     
      
      
      
      
      
       
       
       
       
       
       
      
      
     
     
    
    
   
   
   
   
    
    
     
     
      
      
      
      
      
      
     
     
     
     
      
      
      
      
      
       
       
       
       
       
       
      
      
     
     
    
    
    
    
     
     
      
      
       
       
        
        
         
         
          
          
           
           
           
           
           
           
          
          
          
          
          
         
         
         
         
         
         
        
        
        
        
        
       
       
       
       
       
      
      
      
      
      
      
     
     
     
     
     
    
    
   
   
  
  
  
  
   
   
   
   
   
    
    
    
    
    
     
     
     
     
     
      
      
      
      
      
      
     
     
    
    
   
   
   
   
    
    
    
    
    
     
     
     
     
     
      
      
      
      
      
      
     
     
    
    
   
   
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
   
   
   
   
   
    
    
    
    
    
    
   
   
  
  
  
  
   
   
   
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
   
   
   
   
   
   
  
  
  
  
  
  
  
  
  
  
   
   
   
   
   
   
   
   
   
   
   
    
    
    
    
    
    
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
  
  
  
  
  
  
  
  
  
  
  
  
  
   
   
   
   
   
   
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
   
   
   
   
   
   
  
  
  
  
   
   
    
    
    
    
    
    
   
   
   
   
   
  
  
  
  
   
   
    
    
    
    
    
    
   
   
   
   
   
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
   
   
   
   
   
   
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
   
   
   
   
   
   
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
   
   
    
    
    
    
    
    
   
   
   
   
   
  
  
  
  
   
   
    
    
    
    
    
    
   
   
   
   
   
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
   
   
    
    
    
    
    
    
   
   
   
   
   
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
   
   
   
   
   
    
    
    
    
    
     
     
      
      
       
       
        
        
         
         
          
          
           
           
            
            
             
             
              
              
              
              
              
              
             
             
             
             
             
            
            
            
            
            
           
           
           
           
           
          
          
          
          
          
         
         
         
         
         
        
        
        
        
        
       
       
       
       
       
      
      
      
      
      
     
     
     
     
      
      
      
      
      
       
       
       
       
       
       
        
        
        
        
        
         
         
         
         
         
         
        
        
       
       
      
      
     
     
    
    
   
   
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
   
   
    
    
    
    
    
    
   
   
   
   
    
    
     
     
     
     
     
     
    
    
    
    
     
     
     
     
     
     
    
    
   
   
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
   
   
    
    
    
    
    
     
     
     
     
     
     
    
    
   
   
   
   
   
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
   
   
   
   
   
   
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
   
   
   
   
   
    
    
     
     
     
     
     
     
    
    
    
    
     
     
     
     
     
     
    
    
   
   
  
  
  
  
   
   
   
   
   
    
    
     
     
     
     
     
     
    
    
    
    
     
     
     
     
     
     
    
    
   
   
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
   
   
   
   
   
   
  
  
  
  
  
  
  
  
  
  
  
  
  
   
   
   
   
   
   
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
   
   
   
   
   
   
   
   
   
   
   
   
  
  
  
  
   
   
   
   
   
   
   
   
   
   
   
    
    
    
    
    
    
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
   
   
   
   
   
   
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
   
   
   
   
   
   
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
   
   
   
   
   
    
    
     
     
     
     
     
     
    
    
    
    
     
     
     
     
     
     
    
    
   
   
  
  
  
  
   
   
   
   
   
    
    
     
     
     
     
     
     
    
    
    
    
     
     
     
     
     
     
    
    
   
   
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
   
   
   
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
   
   
   
   
   
   
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
   
   
   
   
   
   
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
   
   
   
   
   
   
  
  
  
  
   
   
   
   
   
   
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
   
   
   
   
   
   
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
   
   
   
   
   
    
    
    
    
    
    
   
   
  
  
  
  
  
  
  
  
  
  
   
   
    
    
    
    
    
    
   
   
   
   
   
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
   
   
   
   
   
    
    
    
    
    
     
     
      
      
       
       
       
       
       
        
        
         
         
          
          
           
           
           
           
           
            
            
            
            
            
             
             
             
             
             
             
            
            
           
           
          
          
          
          
          
         
         
         
         
         
        
        
        
        
        
       
       
      
      
      
      
      
     
     
     
     
      
      
      
      
      
       
       
       
       
       
        
        
         
         
         
         
         
          
          
          
          
          
           
           
           
           
           
           
          
          
         
         
        
        
        
        
        
       
       
      
      
     
     
    
    
   
   
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
   
   
   
   
   
    
    
    
    
    
     
     
     
     
     
      
      
      
      
      
       
       
        
        
         
         
          
          
           
           
            
            
             
             
              
              
               
               
                
                
                
                
                
                
               
               
               
               
               
              
              
              
              
              
             
             
             
             
             
            
            
            
            
            
           
           
           
           
           
          
          
          
          
          
         
         
         
         
         
        
        
        
        
        
       
       
       
       
        
        
        
        
        
         
         
         
         
         
          
          
          
          
          
           
           
           
           
           
            
            
            
            
            
            
           
           
          
          
         
         
        
        
       
       
      
      
     
     
    
    
   
   
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
   
   
   
   
   
    
    
    
    
    
     
     
     
     
     
      
      
      
      
      
       
       
        
        
         
         
          
          
           
           
            
            
             
             
              
              
               
               
                
                
                
                
                
                
               
               
               
               
               
              
              
              
              
              
             
             
             
             
             
            
            
            
            
            
           
           
           
           
           
          
          
          
          
          
         
         
         
         
         
        
        
        
        
        
       
       
       
       
        
        
        
        
        
         
         
         
         
         
         
          
          
          
          
          
           
           
           
           
           
            
            
            
            
            
            
           
           
          
          
         
         
        
        
       
       
      
      
     
     
    
    
   
   
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
   
   
    
    
    
    
    
    
   
   
   
   
    
    
     
     
     
     
     
     
    
    
    
    
    
   
   
  
  
  
  
   
   
    
    
    
    
    
    
   
   
   
   
    
    
     
     
     
     
     
     
    
    
    
    
    
   
   
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
   
   
   
   
   
   
   
   
   
   
   
   
  
  
  
  
   
   
   
   
   
   
   
   
    
    
    
    
    
    
    
    
    
   
   
   
   
    
    
    
    
    
    
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
   
   
   
   
   
   
  
  
  
  
  
  
  
  
  
  
   
   
    
    
    
    
    
    
   
   
   
   
   
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
   
   
    
    
    
    
    
     
     
     
     
     
      
      
       
       
        
        
        
        
        
         
         
         
         
         
          
          
           
           
           
           
           
            
            
             
             
             
             
             
              
              
              
              
              
               
               
               
               
               
               
              
              
             
             
            
            
            
            
            
           
           
          
          
          
          
          
         
         
        
        
       
       
       
       
       
      
      
      
      
       
       
        
        
        
        
        
         
         
          
          
           
           
           
           
           
            
            
            
            
            
            
           
           
          
          
          
          
          
         
         
         
         
         
        
        
       
       
       
       
       
      
      
     
     
    
    
   
   
   
   
   
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
   
   
   
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
   
   
   
   
   
   
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
   
   
   
   
   
    
    
    
    
    
    
   
   
  
  
  
  
   
   
   
   
   
    
    
    
    
    
    
   
   
  
  
  
  
   
   
    
    
     
     
      
      
       
       
        
        
         
         
          
          
           
           
            
            
            
            
            
            
           
           
           
           
           
          
          
          
          
          
         
         
         
         
         
        
        
        
        
        
       
       
       
       
       
      
      
      
      
      
     
     
     
     
     
    
    
    
    
    
   
   
   
   
    
    
    
    
    
     
     
     
     
     
     
      
      
      
      
      
       
       
       
       
       
       
      
      
     
     
    
    
   
   
  
  
  
  
   
   
    
    
     
     
      
      
       
       
        
        
         
         
          
          
           
           
            
            
            
            
            
            
           
           
           
           
           
          
          
          
          
          
         
         
         
         
         
        
        
        
        
        
       
       
       
       
       
      
      
      
      
      
     
     
     
     
     
    
    
    
    
    
   
   
   
   
    
    
    
    
    
     
     
     
     
     
     
      
      
      
      
      
       
       
       
       
       
       
      
      
     
     
    
    
   
   
  
  
  
  
   
   
   
   
   
   
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
   
   
    
    
     
     
      
      
       
       
        
        
         
         
         
         
         
         
        
        
        
        
        
       
       
       
       
       
      
      
      
      
      
      
      
     
     
     
     
     
    
    
    
    
    
   
   
   
   
    
    
    
    
    
     
     
     
     
     
     
      
      
      
      
      
       
       
       
       
       
        
        
        
        
        
        
       
       
      
      
     
     
    
    
   
   
  
  
  
  
   
   
   
   
   
    
    
    
    
    
     
     
     
     
     
      
      
       
       
        
        
         
         
          
          
           
           
            
            
             
             
              
              
               
               
               
               
               
               
              
              
              
              
              
             
             
             
             
             
            
            
            
            
            
           
           
           
           
           
          
          
          
          
          
         
         
         
         
         
        
        
        
        
        
       
       
       
       
       
      
      
      
      
       
       
       
       
       
        
        
        
        
        
        
         
         
         
         
         
          
          
          
          
          
           
           
           
           
           
           
          
          
         
         
        
        
       
       
      
      
     
     
    
    
   
   
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
   
   
    
    
     
     
      
      
       
       
        
        
         
         
         
         
         
         
        
        
        
        
        
       
       
       
       
       
      
      
      
      
      
      
     
     
     
     
     
    
    
    
    
    
   
   
   
   
    
    
    
    
    
     
     
     
     
     
      
      
      
      
      
       
       
       
       
       
        
        
        
        
        
        
       
       
      
      
     
     
    
    
   
   
  
  
  
  
   
   
   
   
   
    
    
    
    
    
     
     
     
     
     
      
      
       
       
        
        
         
         
          
          
           
           
            
            
             
             
              
              
               
               
               
               
               
               
               
               
               
               
              
              
              
              
              
             
             
             
             
             
            
            
            
            
            
           
           
           
           
           
          
          
          
          
          
         
         
         
         
         
        
        
        
        
        
       
       
       
       
       
      
      
      
      
       
       
       
       
       
        
        
        
        
        
         
         
         
         
         
          
          
          
          
          
           
           
           
           
           
           
          
          
         
         
        
        
       
       
      
      
     
     
    
    
   
   
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
   
   
   
  
  
  
  
  
  
  
   
   
   
  
  
  
  
  
  
  
   
   
    
    
    
    
    
    
   
   
   
   
    
    
    
    
    
     
     
     
     
     
     
    
    
   
   
  
  
  
  
   
   
    
    
    
    
    
    
   
   
   
   
    
    
    
    
    
     
     
     
     
     
     
    
    
   
   
  
  
  
  
   
   
    
    
    
    
    
    
   
   
   
   
    
    
    
    
    
     
     
     
     
     
     
    
    
   
   
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
   
   
   
   
   
   
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
   
   
   
   
   
   
   
   
    
    
    
    
    
    
    
    
    
   
   
   
   
    
    
    
    
    
    
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
   
   
   
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
   
   
   
   
   
    
    
    
    
    
    
   
   
  
  
  
  
   
   
   
   
   
    
    
    
    
    
    
   
   
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
   
   
    
    
     
     
     
     
     
     
    
    
    
    
    
   
   
   
   
    
    
    
    
    
     
     
     
     
     
      
      
      
      
      
       
       
       
       
       
        
        
        
        
        
        
       
       
      
      
     
     
    
    
   
   
  
  
  
  
  
  
  
   
   
   
   
   
    
    
    
    
    
     
     
      
      
       
       
        
        
         
         
          
          
           
           
            
            
             
             
              
              
              
              
              
              
             
             
             
             
             
            
            
            
            
            
           
           
           
           
           
          
          
          
          
          
         
         
         
         
         
        
        
        
        
        
       
       
       
       
       
      
      
      
      
      
     
     
     
     
      
      
      
      
      
       
       
       
       
       
        
        
        
        
        
         
         
         
         
         
          
          
          
          
          
          
         
         
        
        
       
       
      
      
     
     
    
    
   
   
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
   
   
    
    
     
     
     
     
     
     
    
    
    
    
    
   
   
   
   
    
    
    
    
    
     
     
     
     
     
     
      
      
      
      
      
       
       
       
       
       
        
        
        
        
        
        
       
       
      
      
     
     
    
    
   
   
  
  
  
  
  
  
  
   
   
   
   
   
    
    
    
    
    
     
     
      
      
       
       
        
        
         
         
          
          
           
           
            
            
             
             
              
              
              
              
              
              
             
             
             
             
             
            
            
            
            
            
           
           
           
           
           
          
          
          
          
          
         
         
         
         
         
        
        
        
        
        
       
       
       
       
       
      
      
      
      
      
     
     
     
     
      
      
      
      
      
       
       
       
       
       
        
        
        
        
        
         
         
         
         
         
          
          
          
          
          
          
         
         
        
        
       
       
      
      
     
     
    
    
   
   
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
   
   
   
   
   
   
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
   
   
   
   
   
   
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
   
   
   
   
   
   
   
   
    
    
    
    
    
    
    
    
    
   
   
   
   
    
    
    
    
    
    
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
   
   
   
   
   
   
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
   
   
    
    
    
    
    
    
   
   
   
   
   
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
   
   
   
   
   
   
   
   
   
  
  
  
  
  
  
  
  
  
  
  
  
  
   
   
    
    
    
    
    
    
   
   
   
   
   
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
   
   
   
   
   
    
    
    
    
    
    
   
   
  
  
  
  
   
   
   
   
   
    
    
    
    
    
    
   
   
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
   
   
   
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
   
   
   
   
   
    
    
    
    
    
     
     
     
     
     
      
      
      
      
      
       
       
       
       
       
       
      
      
     
     
    
    
   
   
  
  
  
  
  
  
  
  
  
  
  
 
 
 
 
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
   
   
   
   
   
   
   
  
  
  
  
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
   
   
   
   
   
    
    
    
    
    
    
   
   
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
   
   
   
   
   
   
  
  
  
  
  
  
  
  
  
  
   
   
   
   
   
   
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
   
   
   
   
   
    
    
    
    
    
    
    
     
     
     
     
     
     
    
    
   
   
  
  
  
  
  
 
 
 
 
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
   
   
   
   
   
   
  
  
  
  
  
  
  
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
   
   
   
   
   
   
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
   
   
    
    
    
    
    
    
   
   
   
   
   
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
   
   
   
   
   
   
   
   
   
   
   
    
    
    
    
    
    
   
   
   
   
   
   
   
   
   
   
   
   
   
   
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
   
   
    
    
     
     
     
     
     
     
    
    
    
    
     
     
     
     
     
     
    
    
   
   
   
   
    
    
     
     
     
     
     
     
    
    
    
    
     
     
     
     
     
     
    
    
   
   
  
  
  
  
  
 
 



why3-1.6.0/examples/multiprecision/mpz_mul/why3shapes.gz000066400000000000000000002564051440160026300234270ustar00rootroot00000000000000َG(ί[tC/0
8^.UuQdkkDV5*w3ss3ssw0oûWog1ƙo;\k?'g0z[Z])}wоݫ
sɼ6)oN5
v*=X;ÿzH7oƼ?3kz;péY?;\!W֩TS^ݡ*e~-u~l&ƨwcc!S߅Ą	Sj{qyM!!8a5I;ۙUӮys~{@w3_qf9}]畫xkKTmz5>~눧e%,}}z;>p:ro {>\mhd5:kx!Pzƒw@g
xPį/WguVU:Qڑ4RSBSV{TE
%߿xSsĆ;"eϻ0-[ZxZzpi!Iʙ$|#}G*7?ao\/ySK|Z}u)|>w?.WA1Etb=y\N'_C~G!@Rysmcaqp6Y"r"8!NjH5V`-JX9ۚΜOSo̭m1]P
7P
YS1NLqiiZVLA%hioßO_d(f_hBW3@R+~v"j*#%3F.`[$nMl$Ѭ󊷸R0nYatq(ܧv=;ÿ눁|wo~>69gا2;Sф3aFn=UBт堽W:g_ə\h#qܿͪzo$C=Sm꩓sr[?{e~(gW)-pcBUq|VO[V{Up-^\ሗ+PDž~a+14o8AgѥrM}~.zKY PuK5COA}mCy?#lή팒UKTm+'3/m٢!*)ԔXFXig9Osȏ\pHS進 "rU;UH]

;
}2]be3֚;m9WM!lu>뚏U^#eZ͟ӑVHZ{u1Ioׯޅws˔۱Ï]]ϧD'Ӹ_v/>2ɼ#Ձ/FGp]3{^9ч׃?'?_O:okKw@ؼ]%vx2Rm3w_c%=:ÿxcƚ;NӄƓʞ@2wili{_dh"ʸژ{|[HeRԸ9G;SÕZ
[]$¾VdYZ
hֱZWY/3Md1ٗvuw6djڵ|EUakEsɏ]dG%HK
͡*8!Sm_@\X-/~'㋕+gkGLSz k/=C\D7L9]޵_Jp9ٙYkԿõHͨSIERbC/˥ʰ{"++Tq]
}o/`td[M7eY2p|P,ew:]Q!u;Pfwwokvޣ	lqf.Snf/vﻷ4T+Cga3rRWTc滫uڼ-bmⶈ"VP⌡.k*O߻z|C^y/%JdE*~Bd鞖{bJl}U<@l[EOl*VAb,*bl(hHfTsYsyqAZ2[`*[,~+']U^kbnP.fZMnrTy]x̻?ʛoJnTk8Hu3|ymvG_A=*7M+ϗSbPD'j׋8쀂
#߂.^n:UR׳;8E?w]sMONMi[v{%c.{
}Ryv^ooum~,BriVW+^\`PO5pqx?̟%K/k{sPp
Vqk|&?u=-jbJE\$b\Wnj?~T>9
o:I^~7Wx\n6|n.MHwӘso2MaϽ=nJ;jɭ7y+fwSczriPݴN~7X8<\6`{B6]q-+ЩOT(2sĩg:vSc:8+P>n,u{FRjdPoT/AtB}\P궰oAsa@la@UvHdS[sky:,5T{wM51׶Xs[kn.2{M|D(Q.1SW&/@C/!/LDΤn?<4!}. }!} } }* -:	p׋6\{W(7M|{4{\4GZmUqT|tK.v	
6T?gpewrA@&\87E	\tSkYɏ:
W˅Yot"\AR\tT$sk}oV[XXx~Jl>F;kY#t{)!v!֑@d#F"F22bU^Ȑ/_v8o:VTϫtk^0vnۋ͛ׄwxoqMz`7`% 9;w9)|ɺ3B.$$R*Dsw;3V=zqlϯ3n:}{Lɭ~[> oL8ȭu%k=GIcTPF\8Ad8Ar<`BY~&̓wn㻑Pg[lm5[Mvͭ
?L{jg[m]M:ݮM7
5ޝU}|%oەZHҍfvK[
n;f]sHj'2oݒVގDnW`j=	[m$vr:(}lE8pW_6\96ݖxpՃ7*㍺ڐ[ߨi)2MѧEu+x1W, 1ե32|d]c).L4
%{/y;1z@!0rv)VPeM4u Y(8ŏ[Uu(,@w;xSxy	qʼnnJQ"ŵw|?2# ϟ	_sħ拏 @Y@(&[^G*P!#T1R!,,#f!G[}jguVem}ݯJ?W|nUa`QVW7zr_rwl]|8ۊgD]ڽSW+ 58ZO
Fgf#aTIν >-&>]/#>}{A|:oMS*:xQE>XR^(lxеq0ʎGHPunP`mkm)Dբ&Tݷccr8;2_'|Rf.,1U,&ǥL=BAy4ւ-5Eٳ(n,M=]QZZ8MbSoMCDzZU7yfmcj993(6d3t ng=5?nlv<`s7j'P5jg.I&+Kp&u8(]-ێJMu-#Jw\Ȗ:RB6'JIٹJ7rnSՎ_U5a}ՉpDiMtyADg+.u*U󔣳#.UJtbҊ΁ܛV|}tvVnox³عBЙUKRXAXe{n-Rg?תycyP$7**Wa4;XqV6pt~2W-@>囙7k8xN=wo'ߐs/W<Ό sOrWaNE?vƀ}F@ٕV5]-5Y``ybs!ovV_yS%|8ްł6r#.p孶[,zv.RT;0hv
3hK0{Ap|Zc%iz	e|3λ<Eer)BDY߲yǸ률:'xϸ+oqWv
8c}\GЕd	6.&ۻ=zk}Ћ҈XLP3Avnxrŀr>}RPإ\q+)KOȅ(`Tw0 ҏAH>o7`ݝ!3={;CtwqB9.GXS{
OxGfkƔjyH)hz)h\CsJ.\?:yDst54Tw0^3?;5*}${P$)[NȘ7G47.|#6;,FᶼɦlxHEW؍kW/lu;sG_6.{q2yVuϼIw+V&Ec3Kd^jm>-i2q01b޿-X0eF,K0qW%6eKJ
ϖwxsmήrO~aWmS+d)0[W칯T"n~z_gk_T)5VI%=͟6__՞Tn´PiKg?MYH̛HW
AC8wIFl&y[oo*_M:sjS&[Z&%),3ͪi4:):/<7aan]dx%u]8cyNU\]ӷ}zڮJ20uiə2;ΑY4ha=
~QcfRlWrLRogwu=ի4:;.yQvVfmgly.ly<`S=,2:X9v+~)N]lαreȭx_|RK#btVbj=Fh>1N_;y9au"4߅v*%uN?fGE&ydqc{3)$gGj| t3^1O,Ј뀧EH(
!&bj bĦutWOFaq 8"Ž׳(VX'UlQ5'L
&9]z6N_lg;_z	-B{)
GO4dy_Jؖn,;^5lȲTYvf0lhqjuUS/'[ ~eY]n:;_;$w^_upܵzL\R}@UDYܽ$M.~U|9x[—l6ηOK~[h~6
'S?<9nmߴ^@j Kyhv4e꿧iq^d]
׹RXzN9
ԏB? N>:Nۭ6l$額ݹ}s9JCY7m)kZ"͕_V1YlyK[	at톊,1u%SAF6IFM2:miNdt$*2ȘjYǂzR&o̬bı"W?{Q_/mFSݠ}vXD|޵4TNF֓xsFFRs8ۼ4c,ޭ83%3
/.gUipjix[IMq෬i`ՒtXnqȃYO<#*Jnƍ><N-D/qK|{Xf[P;C>I!QRQ4Y.ԭdA*ui<ѭ |Pt+Y{>sq!Oϯ?U)`B(mgU5jtե66.nc<&-
Q6_ڦxڃ;#cUƼ+V0`*cyO0VJ0F)n1
f
A;
F31✙T?x޾ߋNөttt(։Nz*cI"בeJA_;s9:_z'.[wb혪rՙ>7H.>tR:5直z}˲3F+eԹJN%ϹJOP#ūZ_dڗI%jTc>͐*	Tw0%mKH>}EMAi'2T"7mמ_jI]RRJGyՒ"ב""=nE#vp;=_8>}0&TRLz!t70ӗ`Z5<TPkϨΡp$v#ޯEˁ4-f]VэLUVۭ{kIGU߀xH[-VlKu
[+uyG^*ɓ*̴p31-eZ˴.Ƿ3)4γoh@fΝT_yֳaTf5^_H9Xi #`Az>lXAǛN1DOj}mq,k_bSÍLV {͔WTzl+3@{e+|-֛|^|xa랉GM/3Fe4끹n˴teZMKX]Yh-3ޢ$$QgU蹴#Enznoۊ=mE=ֈIJ̖[㹴H:
k>vu}z8i_L^π7уk5jYGj!.Yb6<݈Mt䖞ʝܙw37W_?)%5:ImR!KxK3P,V[ASH2E?%|{́tW7h}7r_9TNe-T:P9P\ep
P*
K)3 fh<.\+m8Z+Rh(5ZYԐ
nf-,{!nx7_l˶Z8լjnU~ RvVjǸn
6`vh]FA2]e
Oe*?ީvOEvũȮ<dL]m.1yG|wM[^aoZWrnz伫Ց9eڪr!ChG9hbZ;(ЁzЍB-dpj(J1EdP<$o^1ʏS\ŵQc~<MdF>\y:nf)G<-z9<\LS൫wXc=mc߬-kmͶն2m}mb;0vSk+6x*=@ҡx}>sh_9ToOz/)7%9+-+PBpeJUJeJUJ倕[-+U]V.l`7.)v2ޣ/Уz#:n;ytn1*n|OpDWGWGAuNv_2tf/\a9V+lf
˰PݨH Eh?HQzݝk^\I|+7/3qUs&+g{'ӹߣvWuŹ<	WOUO;;oZZs@'f3dX??㇬}R$szNflO/ U7ؐtoW
"YH]mk'2Yyxi1y݀}`\3ivn6QbQ&Zn>v^Wqdq|Pǫr8v(s>i,eN:a1Kml6YGI9;);[65ndkJ8JjR_Hm(-h>K͖vE+s]*{Z?k?^2\Wb2Չ^jԺ[@y<ƣSKw8z:&kc:i#m&mVSAGU,d郺yp7湪T54HCN1z`V
ȥڪC-zC&F+PuP-[{Eu?˃SPa\KM@?jbc
Bct,[JVklbuװf]>8#rF]t<,jY!(N
omBx5O"h
ϋlSq[rа=DzY 
󀚖r97`Eyw o
[|*:/w@@(*#krf_.?ŹpRp>ΥJ:.
õ[Z"~ZU)lfEE
*hFh@9M^vޟK	{sVN[1ILNh7߷sFk+`(=fm2<8\aVWoi;ʝ&?i?]~|?g|5ytw.XfJ4{tO]ld,dZ E\/r7>Ot'V=̇鵵_<ͺ^<_<œً';Z(W)gZN;$ߏ j=m><Ӯnhg5zTEsۿn)?$o+741RJl5jE2utB	~RKцtܦtp*K
:<lNֈJohb}NŎ'
Yv]Zw>%I2[J~;\;G:2-t4&
/q:ؾXD.N7ʽ^g8XޏsS|<\Wq-mtZ]ϟ}csb5#w64:u_ǒۥGR"55A.;3׹j-^x+}٫^:h{57nM8Og4y	Ɍ&dhL4ЬgSY*kV|6>\vקR;x5b
^
fGlu<nt'׾rS8!~݊j*?/Zg}cmKvivsV\_漴Y'G^Up$e.{6e+ß/fAMw^o9C\Sݶus)T*4NB:
F?&lݗ?3R?(Ч3-whKK
(j_,v2^Qp09
P9}9En&iͽn}y?맟_ꖣ\OЧ1վynwn~Mlϊ?q8t7Sx,V|7^+_oo<(ecOHҸb"Ω@??9յUd˪d(lOxaߙޝ\_&Y'|W6}(dUEyn`h|ՖIkF.u~sMJa!U2*B*U$ȭ"4fg3MV[En[EHk!U\"oipسU<ϕU7Ըx5,oJfR߅YіP0m#r&JXQs,K,$ *b$:̂5IT>~^ʗ%^җ%~yQ*bf1
!DCUi-rQ8MQFm5	/z%%/1{i%QhC,rǩU!7P11"ZaBN;u_kzc|3'q-SbB!xtdx/zXq CcX3""qL(L:R={f͉ࠜTAL=CuKɘxD\-#G!sF^2(%U/|IK?"c2{%6p"C4N#'y
sd8ixӠU&=	18GYkLi\VXù!h<)̀맡_5:.DkM`#f˿pRiB2b#Ebq43LMP$p%ȱH^x%4Oh fi8 o4ipQfD*`GZEu`r
?,ypu$x@ pp艷pAChX-cp3'CG8cpR	AҠ4
l0SC0AҖq@iƒBmp!"A"Z#lcOہ'ΩrBLED\SHA@T8g!rA<FG|AKk3&iPJ-O,5$&	Mle/Yy/y)K9\b!E,HJ3MM"g.Q8h)aZQ*'HR%hf_
q&1(0L^tiI)>ab@'&8!(ē$4|a@YڋY8A;؁i
0?LQDN@^I/?q/aT쥢/L3Bq1#>zlzK%>"p"
*7
viNZ/zK-^jR	Yr$+
c8hY@`ՎL>%cbւfBH/#p2KP2H9.8O&"_Rq_aAb&"D;/~)Q40(IUd_oEmҩ8rEȁ>Y3)0%V2k%"-'Λ:P#D&>-D})L/bYZ&S*8b2װT)%Px1:ꥦa8@^2WtLK3"`H'}+A5!0F
2-{ڰ ێf,Y
נ{{ǭpd_Eũkx
3
DԁLˆqaÿtCa
X:	#cԃ)t
bt(QYZ?
:P(	NH3*H07,u}0m̠o˦l*PN&sN(2|J$fPW*BTSAHXC}EhLgnHN}G`g)`CH"ǂ84ơ3z8ǡC}p׊\%3bkQu@N%
Dk]0Y	
:`%!JQ8@/yo%ʌ!kB`6.iLR=q]v/d 6qAh2*rc+hT+O"CK]DH|ro>RF$=Xrspd00*XPZ>ZL`f6(zj g!NzTǖ13pڑZ.<D{rE^P-4"eQ@xW#}J9Xa4Dh3&Hh,遣O "1A|Lr$s/8>UocOHÞJ~H^'oqZ(MH%c<J7
GGM5'0=CEa2sOHAΦQQz<(7G*
i_^DVRErm<a
RtEC`` ,I!椧
\O%mڴOL"8bDPixH&Aǰ
"(h$QRnWZAq^N	,@g6Cq)NN"q%X)A>?!G"R%RxfP،:rD_`)^ $=>ÒI֝U-
vS訥yU/%V(NDK4Ҕp-RW3#*?T^4Qu)xY#M	E&%)6<z&8hЊ2`%DQ!ic0!8u
y`.՘^LG[Hd1:8)h)Q0F%xc"H!zɁ/y4C8$7~A/=E7xM
8OPHU_$z4de+{DXy1pϻ"p$ؠJȨyaRW"ѫBq"XRSGqX	),ޤ~S&_zi)Z?:DG/3|MS2:̓0ͭ JY@Y-8%@3q#xdE6+NCK#)vK&(]1ZW~=C)L{̢TH(R
d7_)O ;_&9hN&.j*81Q8g p8O	S)Ii&El&c
Ǫj.V+X=?,}6,}Km@(r&#A44h> Dng4
G#E>%( 惠C̯A?ӀX@7SpFy9wV8$)!Q88@
y"C9qcʝt؟.S`DSd*	*Etz^G`"CK!1JU@I-tA=P)Օ!+=J,s~"t->ʋLc#&y8]V)S"}D9:%qn
Rd@
Ij@'Gqsyc
$"˅A68I@'GeTS$a#2dB)#"<4UҁORI.]S =SU~p*ǟP*FK1Ğ	R=hhaI4R"l	vEPJQS:PQmCsVE 2e41V>eCw^8/ZSCG&
)Fak%ڥO" Ϟ!K
Jr`
1OSs4ӄ6JC\`€ ܸKrŷEHJh8aO:lRFh.H RÙV̂AtxMM|4
F&+)JRS'OugO0;=( _ꠍϞ6X>$Sӝ8OOqCq)zAQ@T	nQ0F}\cEtd3R:GBpz?yU0DƠ_Z@'G9WJ99l/K]v>T$Àl=!t@:5ځOrFSIϰV	>eq&k?9U0s(I!A3rF#)?9C=`/e,,=Ł$&ipb
F=T 6S*| !E#pʨry껃JZvocAc:A_%$揸~j<RrXb)|>͑
[$*W o0{AI!P/!ЖԃY|3d!}HEscV ;0EOR$^	J1%n;$rQY|]d42ˑ+cXS;8"1[&PxDplq b/a	$4tC\^=GV.#{?H AF\@b=WY9v6$?H >	!n@%q^10QsH
bk 멋:SQ@Zω^HHӃ2F9JIH9GWx / #qd4"#5bP&cmJ|NamE>H s%|$jbbFA1CZY	QXAF
.;bt)WH ɹ8p 6k `DEF2R;2ڐKpI?Rzcm	˽AFɈlTh)H)ͯR3'"\2:hrPCD.S6E|\2ڴiX@H}`iEp&AFmjR	AC"(ϰ&Ev 
{26JE !U A+. 63aР\x
Z"rAF%Y? WidRH-(2Ed鶏sNqꩳ	URAFm*6qVC-ƌ[gVBF xG
s:(q6,S\%у2
JҞf{se7d4Fp)\p"BW.? CmdŒ"mqd8f7d47i( SeI28lxi+qdyOÊ(İT[G2Tf@qm'"w$ATXS]dt2w\\уp\ʠ(2:hKƊFm4JhCkT5*:hLp+GƄhX4J!#֊gŒ2:hK(kpq
H l$diHAiS>ON(dKᜳ^{DX|uGKߡ
Kߠ
MBV		RL^ʧHcpԀDϜ1(4q'L:Q$:֚@AVZ+0)L_e4Nq/DJW]~Hs61I'GܙƾF)렱vA )yF+O&t~PAaM`-B
F=r)B8h젱G[0k3^9԰,ǧY1|젱_(l% {Q9 /rC;젳.FSB:52QJ⃍Buף̮ ݋hDm@nV.}{
kSzA02>2̀z1\?;hqrPR'PQBhvPs3;S:!Rc;h![0)#,`b#cQH&w
Ac=Ay&% 霗Ȍtvyҋ`4" s*@Dif-8i)^
A\w)SH
1",kEf!(CqjsI#{SPu|a
fpt((pAFY(f|N>	^zEzQ㵱~(A%4x'dF@Qt*c4+fz1rPA)=O)9%
#
H"-(ErKv!G%ŵ"t
> 
*†K?90'{,Š9&S@4$S:2`ԙ:6SH˂DR.`qA?XdEP%iք]@/bl'C*o݈})y2ECHS,sɭfHu/LyAum5sQPQ㱴kLl
#풐ik
;(Ѯ4[JRuLD+P0*{EP5I"\c6h|Z*;Cq`@]BGB G!hizP|A_>{%
ʛ0
?
-?H+!y8h$h=h̍1GÉ,59H 2<7+d`.0&DsLJH^k-WJ(Y^%Nr!$<6NP#XԒ8űFsς
=H #h[k`h!C̤?:{leHOR*DBdFeZq"c[萶 b_#g"PeF9];-TBGPz5#ރD,?-@
%4& #6h!.pBZ:b/Rro(l8W$+=O`Bl5I	-б
mDGB%	촍2 1
@$$
B JhE8ޭq;OO#1]terdw3#3?gQdmY]{<_+[+[~]$N}L{1m^7ޙ1??kgyq.DǂxF=J][ɲw/pжvSzGOe]k{dtEÝ<*+?qmb>ѡ9MncSg`O$9`X09jn&Y%^ٙf{fg6W~Ftgm"sx,W =|2?2((
ޑ+}G먋
;BcͿf}P$#	NҚ"2g”|$/wa1{D]|i߲յ'E{fs7u]ǁ]oLi8,N!{ۘq-uvʲKEfbgKEǛqO;W>miŮ>Q"%	if>\A`KV
cVa%E/L	9مЂA
;qohJF;3;3{'9c~>zj/}	Q	H?Wvt=	Ep\J{߾r`hڭ%w}Ã`ovzC
Xk+Xn;qpX(L}{.9F^2務bin}p;>:gaOiqZN9ќٖGơ<@cV
nnդhPgZ?T{pD[ozG]~pqZ?PLaQ^ҳzgZF{rjZdV]0O9md!4x-^>ٗFC%ˉOLpU~l1[|fѩ;xȩ,sCnsqofmRsG{@~.BV.T(ʅ\t/Ym
w{<rY<ӕglű
XbX.?7˭5RmgBֱ,#./X.Ͳ-NĬ8DlFsT,fY$8Z`Η=bXl,".?1]|d"7$0"ZW}tB.Ҥ8F6ˆ61	|]Ծh҅t!ngǼGo̞qhKB.S6!04tJeĠһ./4mħY4) il?*Y2:Ew]tvò
~h;dsf]h=NHJ~"H/ҿe}i`PbM'fFhv ٛ[AǘA;E|&O=̞]N96pn'(E}Q_Կ&bo5<}8ڡ/lEV,"߻oe3O/2_ݻmE_1lՖ,6ee2;`IgL0ALZ_'e2[do>DE5MpxpU5	e4A
]21'Z{4A~LPF(#VbIÐ3Սovk`=]/eBYͭ ̭/O+,1J8޾h)t#+]9PPfe̠yȤBiDfx
J%/&{q/8r0Ce2D3DOg4)s;W$e7@ GǖPQ^t**fLP&xG$m%4={Q	0#J%?dy?ÆA٠l6h:{TYReí_6eAmOҳ`f}ֽ
F٠lP6xwԬ.14z`
ewY!-+O)"ӕR4DlP6(
}a	l[z~d"+=mPR()_
#3[kֱ6N:(_PV(+V{K!	2fnBm-CgEnBoȲ!СKы"5u_J$wE}Q_ԿmwN7iQ1xJp1raGw3[͘as?E.ir`},P(Vрm8@}ބ׾2AL.&̏-NoSB>hЬW\2(EuۣihwSNQ!>lP6(
CF-C"O.)J
"s$5lig&1?>PV(+2D̤[6NB%trH/ҋ/M:3UD gLa֜'<ۿ_
kVPos4:}>vz<
/	u7w|>|$ʀg	w_?3"83)eP粀af_W.ܥOvð5}
{@[I$Px?	raьcYao^L˒@I$~<+C1[a>5[aCwJP"(RG(uED䭰	DP"(#f<0Abj
ql%AmE	A7f6XM/`DP"xclv;@ ƲlCc%(Jo,r'"YRyJ,ӏE]0B6bwO}5Q"(X;4r,M30J9%V"(XUt1	Nmz`]AEp&1L[dΆSSQK%wAkiQ$TqG1
KuDP"xg5tٴZKñ^"%;`o#2@=Q$,Jo,6n"!҃.Jo,E,cMpM#&/AEdYjlgXf3AKT"(XEDmfI
?6AD" V9X~7 ɔF-zDPK%w)mo|ڑ3;:E`AEܺ&LnQ&$"T{
J%we5`&#ڂ11oA]#(Y#h
z`W"Td:FDP"xkrecͣk;36jqD"Ytl)
dBJ|5u%; d>ZN{F 'j{aD"5lW:ID-fAE m fDH%GӐ%ZGP"($Dz04|:DP"xk6D[mJ,!5ٻ?V"(Z5H$S}v>AA-#((m3E4(C>~K%	dѧ;-kpez>zEO˰aFg:tnρ@+Jo*mGmt)"kG[s%+{+{?Y$;<.LU"obvΕΟ/tD6XNkxLh!8ѕџ/4VO> 'GSt++?_fo8̻yul2	/ިWIieves[HjBI7Wewe0e܀Lٖ>{WWn}}OqX+ágy*g:|mi2K0Q~f9VWL߭4H6du9FoL&ee{evL0GXpg0Sَo96sb0וֹcMpXlR_2*pNBAt"ߌ.9 &"KƁ%E@13!o'+|FtͣJeQP+q,7[g'k}+EB$dfg7 nP;:oΞ⒐Ӄhh1BDox6k|^EDAG۳ABp&2
#(2~!2h۸c'c
G
ıu%w52fk`fk`fkW̖)2"c-9\OѲ~c	GN2('F((	Hζf@Β=1q%AEIQRVQuD8Ӓ'%H)R~qRmaf?3u]~ǝh)Zs4w[NN㱰w"Q`Q6wl۾F=s$6/	a.̅L׀s=egVkuX\M1ZǑ([V}1YKK&hkPlb+1J4}gY'O&⮸u8m^+@qM+bD9{(7pik=f_L{!A;"dr.x_V}6
!J0d8xofQ0RX]іobk'=9OzpX<w="/g\|m)Ǥ*&b{2i~z>	,ƛZʉV`1?:{) ibv:ޛ
 ,!8gaYp}C޻f?  ,L8֞YGR:x@aAVu.oȔp4 ,t]o"E5-6'; %S|
G ,f2|5ޗLWEQnaaA.$v[ki3iC'l9EBAXĦj>&/,"c laAX~tp^"Z@
aAnQ*,H0Q%8FfMҌʹXZV20Z,S)@7Xv4.}aWv^,"ܽ{
x|=A{CWzzKct|"TG#rx띙E_W}i6<~pLX3w_f~T;?sRg̽}?a͸2uWv+Mn^e6:Axe}-}ʶYOڷY׋GJ$E2Q_B$k]/}̫9qp˱~TtIJ=풷	aݢ+DcS~(?~-?pCwϑ;L(p9CCP~(?H؅iMK_gm滜ï*Ԏ3\DXa'ݥlRB)~J 8myŴdmυYoY7fa,#vK)Gy<5#EaQ]i=-kp6tf<)d
°0.LFBm)r9ꓢcھQ$&,plM0"ȶS}UƙQR @3e0=Kܳ'?d
μKd]<OWOy+. R.xuF}}pٻ82=ͿeO5i]syvf6+uz^mLKS)0KGGWjz|3mੳ?)>B)?:Lj+cSd=8vϦr=g53#5{Hrk*V VtqӘF/mp	O16`
Q9}WZ1w+	$sr+lljI*s}O3Xy	U$c;Fzn=
g
Ё6FD1ep겵IST`3ֺ,o7_
'
jVkNL^lt?T踕~]?&~<8PͨQ!
'
 d,]9Q0;!^5*?k'Z0j;A1^ULqd"d,sD"n3'ORhsRRI:v3iwHVH@~@0Ź`]u>Ժ+<3
m݈fpį@B&ɰFNG~!eVtm/vd>9fzy*<7nr Ɛ[l_
'dnrI&.ga[%U%՟L~HleZ$4sTTRa[̮)3+'wXq4onʭʭ?[8`Z`X]IYwgsr&m@Y&x#+'+'ˑ4w2Q6D4#jC8(ہVܬaɼ43,tΈ>mĩhLqζ'џp'LvEܞ9&̜
QƎnN.DY&Y#ʟ9ʟ=~weQ33T.Yeh(|d?'z:Cڐu	yB7E[`߲:HF2?w9
>!']BuHI3OOjO{''g%i<]T[.0W-TV~|.
F۰ГݭmXxsrr=	Y;akTV~]##WUEMf2CxSW[Rn:}pߧZ砖U[	w]Ļ.x)MZwAz%:|mX<^d:CY6Qxtc}\\tjdLclm{o&G2pD7K$Оެ~!cDL]Akߕ_.6X
-Ѧ4$X!4y%y%MI=Zd6{[ەl=\̥hg6>n4!]J8TW\?/6[[
b%|%$"gb9 V6s7ov"[D
YF[6yBFYAV僋F#-plA_Cr(+ʊcTp+-W}4fgYq׎=be2"ΓQW#jux'"1 ^q}㤯_okwf{߽6!bc2bZVML|X|k5/Ԩp+
N
*y{'n­p+j5=G?tWyEp+
o8zlSXzI_[n5w+
o=zAfLDV*ފ!0\x2O[-ȝm=I={IW}M{Kwk$8ՠbZ,oeN~ڒJ^c$b(eЂ ^g󩷍8y}0Y? /XE7>{wlӆy	T$~6YYÿ@
4A__Lޑ+gB8vNx3bmX$ݦ3ˑdp<AqD6lM!C
x
c}e/&`Yx
"ț!9X,PEc鱞V6^ܛ5b
BCy9F
1sNqOio.֥_R{Xd9XOEb,&2X}洫mBL7e,ݑ%wC?<*V_Q|uln>YKRg*eӜœ-k(t}c3c¸NSo&5Md7IcTY*
]\תû@c{b(
B|Krω/Ƌ/8}͗.>x1^Ib9.=P0g!sd0bkgHћ3KXC\dݢ6P󻱄s<ة`//	v2f]NS,죈/w ~5>
 
>Rznڟ߹,Y(
F*WϨHdjK{_CX*(
UK|);%s#A{0tkPJ(%X	e֡9id`L3u
0˿i	wB(ol!}L|zW^(/~/`xCvM=p
r/憜5hw\{oa(]TO7@P~0n9d`#l#sbnB~J?Ϸme=
g?Al2OH$pA9T*}pӰ`k.3_zv(/wxʧ?naTz*=}chC@L!`~}DU*Q~McwgST>&*f|_*mJ[?T[*CKz0>`OM.bouŲ^+Jc@c,w9CiGsLV&+>l*+3uatɰlV6+feY٬l#lvi,H	e:oVVJ+>Ҹ
iT	Np,Ef`=J\d3Jl%[ȱS\
[/neeM[xܒl얡
|nW+ŕ⾠l-*L\W;&,&}Kq'Z$W+ŕ⾊@`Mi7.
!뷎r\9WncTVPdA9W+}AljҎ-|F@X6rZ^\fKv%].c5SP~=NcKvWYW+}ymǢ懶77R_k;:@/\hܮR_rra.Jߑ.>wc&Fr(K%w۸hF۞IwŊ1+K%X&[_1t"CDZʳ->DxͲOTX*,
gJMϐ{DPksJj%ڗ=e5gyZVz+}	1c
5qx.ę奷ZW+ϕs_s1pprjmw^;Jt%}xtu6o3zyW+ѕJt_StN-]8h6|T+6_<Z+ٕJv_Nv#-aLwEk·sCS%^	5F nq&9;`1yBa=*JyN!n`N>p]mTW+B}K	
ݷhm8-=_ɯW{b'd:(96#tc8qg'KnˎՂ
zIVR+}	F
]E)S+le2[k-q6pR&{-/k_vVf+}v-95XI32i6r\9W"kMe^p`۴޿_+ٕJv_Dva>xρ}Yd'|xe21^ٰ6h,
9*k7fi)W+}ya(9c"-KB8dJyRW^TBl{9ze^YXo=á3DܶW+D{t?r):~hJ{^i=H ̽c'ah8:{3zgY,6qez:ifꬰHG;ˀe21 Arnqz_N|rZ\V.+}fnvےٗ"nH, 7'=\v^\oj~G}uf=~{aO[Xw	7e%=PV!I,-%SQQƓ?IdYE)-ʖ}	lF<?yvՖfvѽR˾T-s˹ܿ|²mۻa8=#k:I\[F}|MT1Vj#-غKnۇpe2ܗ1\?nYjsQw:j{dJ~c	\Y,WZ[rDF
I;Dtsѳ_?Fs]|e}7A޴$,G5*]+x_x|pC
CN]yK|1ULS`mcYΒwkYG{t@+
?wis$Vb.;A.^؂`+H1r@#]r&iwvΠ=&]AW}fĉ5%[%+2ͦ'&as>:%b"+yS}+w!lmv=Bџ䝢+ˡ,̿6@ZO,3ߛYSIжgwdV"¢(~ {S]Gv}ֳ-=?'T۲-lZ~Tfe%bd"UkUC"(ogJ\ut:";GZv86qDg/jwfk3&IYb-^1c0kD0V.u:Y([)\78"'vblc:}y-+Β6W(]wfgTfiR=,?Go7>R!kf=vL;uR\APTN9~'HY']
Ҋ"yZdJkѐn^l ,"5"{F/6,9N#˥:>`dEvNv[TpޢļH7qZv#Ye\>tfhHKhXKo.Ks!ƈ1bbòl 4Uk'z
w#T"&mnGw{YF/~jnzVs6Տ3<<+5GKX٬Ӈ\LFZogj 423-艬^EuAs;k<lF**ڲ=iƘxGGzpqkyVh;>H;ҎݴowYkusT/KtlqGܿ{#ʙu(^Cq{]Uwqqo*ڂ]UvKjt?;⎸C9xL^wqqF+1ֵ8T(hynկ;~X{zWUGDoZ}<ȟRn/Bdfg0-y`ݓTxkۧ|3X4Ra@E]ZguC7SE*y!Xx2LzHk{Q9tx}@*@6*P&^za1y:zl'q2`xqdRh\m'px;Z!GGl-ժ
! xG!,Yk7TfܺjDqʶ}W/ٛN֡R@
HD3PR؍cHc R@'.J^0uy(1 R@'.,͡H9 I)gi\jsB?z)R@>2h)m2+7F'u)Q 'DܤH:ܕxW
qx|tRpu{{UP9f..2_ObYQ 'DUFSSd
iǞWRYQ 'Dن-hkM,HK{{ 
D(#]hh&yZNƓK.tR@
HuJ9	)wZ梺W'!
D(eC]3C(MOQBQ>3exh}]HK@OQV=&eeiyy	)@O޵E+%Z:ڒ9?a,H) 3:$={Z!#u:)Q 
DzU<}oԎm\ofA
H)Y7uLvtGs^D(3L'cY)(2{U ,ipm63F	Pj{ߑݕqm@!G:Y~hx8?n	 $_@b'N۔:I$vH	<'w:/]YK?⋂7=;&W(?ئoz_TȨx!Nxk#eX"ޓe)-6)mY]"2YOP*@{RQ*>e:E'w8@ ={&Qf~&؋{R`z~'y5/lfRmeJ@9 ǕcI81}8oY?(}럵%Nky>KW.-k+7f1˧PGB@?>HeXzz;FƧYz =B-u!}$(HlF8Gg]q5)nbegW-#p)!+\NEda?+0&E2~+xv/QJWߒ	N`L	0WJZϚ[JtYt><@h{kI>Hf]ڬz&͸Ɇ&@,o#q4|hB@h})uP[Or̗SdAhM?[lTYfϚ%nO5/C\&&n4~OXn~^7@h򻚴6guPm"3d_{c.	4&û?f.eu;@?[+}bUF<,{YM=`L5AzI
Gqym	`LY'd݋>̩&>%O$IݕW9+>00&[GAZj2w*yYikqk`/82׻o:JkR~ad8iey}Μg,œ,0&0&gGjGzfc穟k&`L	03Z*MTUsR^*AhM\<~"lgynΒ
,0&10գ['&
K`L`	,c5bF	&cY=9ժ:)`郶dY
e-{'g8)	&`L`X+(V9Hc	&>&>C`yWCdD6:a5!#+?(5g#p3=32efmefVg_#p#mZ٤ƽ7Lo[=Jg:	0&_9,8xҖ>EuM]N&+&#MDZڤ/koz&BQ P',Zeo'^@kwD&*۸}<6MMH) |n|,} Z-;h;)H ꎖaћ&>5](>H YգN/e:'QԈU_TD) |f5$ĸ3*ͻĢX
wK(@O̝͆xl'D@n}^bvbӉ5Q 
D%˃;ÝjjmDA@	Q,YT!2=u599KLI(|fԣ͡}rfw3DT|Q gF=Q+JSvbΘu1D(S+/:zdF#]%)JcQ 'D#:lQPRgDYQ gjnB֣6,uBQ>5
Tˠe-ARy>Di@Q 'n͑ո}tO̕,E>+R@
H)439^|f)EUQN]IYQ g^)(x@իEe.c[%ŚD7Q gbi	j,q25lQ 
D̤Vz<_>n:ui(@Q g3bڣL+GtP>E	91k-$y;5eegs@ڱo][~Ų.K8s
{10F3RtT*O>4lEȶ#p戋
:\LޙۣAc{2@i;<pܭيJZj|35;Ţ7<	tQUNW9qӊϗC}֛T
,Xm/hf#>Zh/z%+Exvd>#ʚZvz_ZXz߱,n+,?%Bir}do`덶ںyFrڗ-hc61VdU^'GϽ[OJ,q!uvl7{HmGʼnr7D2޽hVrX&GpUq*q3}@;~vkS| ɏ>J.Zէv3Fg-ygiC3~f,Omr;СWh/݌>CG-Ֆ-;Y~κ@k~,{SGvVcZqzmf!(X_X:Oѵp}Sj}p]euuTBѢhN*A9sjMZe|ϥ?vpQ_pfڹM]/pݣE~ˊ4ﭝ]$V!-Ï!-K0
KRQP=%j~)Q_2y76qGQmA}91K*sJFCZ]Ƽk3ZF-Z:j[civMϫ-9{v]P8^#gʢo,QFa56ҥlW)jOo/ƊJGJUUCyϨ8.וQ(/Q[cG#ucEk̓o%*~K;xu8j_g4^g_;ey=K]eYuYz춏&Ŗj?ŝP(/Q4]<<7yNoَocZnSQZOc֥l6##G2}<1K]czaoomtܗ]ϸ11yνCL4~eӓv>8de)q7%dg%6fz`sFϳI0OPCyݮI9ޒUM˂6uAGϘTk~ z$T3m,Ի^&lsdW#RdsdD6#ԸF:Ewk{iH&dwKV]w*Vb^[L$s8vޞιrL!]Ly%NL$}L:籹sǼh"͵c*^}Wk2456}:qQETۜkt[(\mGuR3{|mdYEVmv Z)}m[ "*HG`"ː#d۠ϏՉ"_UʎDLk'Gw5Z]*ҵ^oY\ht==d(*UUD/={Lg,Rlmj&p!yE^RZ]<ҜJe5Š",{cVvț+2G죞aicgkGcrdzt3<'n /r^\=_=M%xn{dyyP	7riuZ3/Bh:.Z.#Ɛ2XEDHAp~Myl7FYW1**9Տ38Ax`Ϗ¶bUU҆JڟX$u5_iBl>ef

&vV^d"H}n9#Y*yj\ǰh>47N>kB͞o{9jd
Z8Yl<CƐ`Uz7KwY\4'n"Lcԕ!g*`ߏ.eNJeh;=?x5d
Y?."
:H]Uyǘ?VҽA7cSp,e̻M/GcˊM|:<2~MO9_w͙okeӯrq]EbN}XwRjF1#߇^-b~n60&}z3"_]6Fp^B|bӜ"/W7KxYk2v}eyEbد1HPtiԬC^=JBl[ĖD]Jl:nL{輟2oJ0VjEobw]AH4DDs>[n2Dc11q%|D<~>aύy~l7`x}7ֺc'=mmhlkl#,+kRU{桬0m}|D*k0Ƿ)Gʑr2/9cu;bsQC3s11/Y4=m5?'11/s#9bmc4򝕬^[&ɱ5z1?9bט&By~S)b
b#54Z֜責>{L[Z%Nɷ';P<~SSv  (Y5G޵|h˘_
PQXdܭg7Ykjto{q~~>7f<EyCE
e^q,RŬ:cv={J@	(%|?˪225C입#'d)zFbb[_ohA
H) gzʖ)9gDt.\V
X)583-HhFQ&-9aal-zVVJQD>=-loS{beDdg4{s_@Hi 0`hTҰYj5t=9\m</~˸_:6q2՚w=9cܴrC=ºmzMNM-msB?>~=WXl'?Y&clY;e@8cƖu\FxJ]qcB@oD(mP	5V!]wy~"@
5|GLfkN]A#h'qcѵ݄Y{:cӍIv
uRâP}<#@^}&qwMcVEETz>PѲwYi^+x9ԓ>fήy
#`+s;ƦfaٱQ䛼Ĵ_KD7%b<65zr3ڮ"fތ3pٗlL>]g)nqu=Ǐs, D`e:g#ES4jP
AoR*`C.C]:9@hm߈6).
o,h֜˨=ib8>p-]6Y{6GqrP{*WVjv:W#'sC^@u;Si]&d׎wsC}~ԁ:PɂYHf{9d5UPh>{6z@}cf<ڱ9\^}
A?~&'ζ$c
ү? _j+{i/;x6Ƌ&A0)>BN^_ԣo>j;=𙷝,imλPIxSuS _m۞Zl曣VhA 6"@AuV4hVDɬG7 >gAE/e_h*{<ߢ؀"P@G"l!33>Ʋ&ätr@(ŷ@/i]ʖ>]Il|Wz8"P@PĻ3eL6k"UP̶@(7@qq}pˠr,-8LEa"L'zyX}},}P(b"P|lrvCUb˟"PoIxɵi,&*vt΁}"PWcn#.O]A%>cFP@-PY 
P@(J5Huެ3c|q(E(f[^NL]7Lr99ME;/RWyѡD4ł,0&ķ0Qefs94U$z\P1#b0[XJfƠZ_%<0&ķ0Qy.cq2ZA!ܫ
@(S6QTeƲӣ/]F:x|3P@-Pa5cjT9U5>.)!?[}9'F=F$Z7aa{#\3Uլ팟1!(E(کO<̓qg"Po]fXLSdh4ZP@-P,{UlT%4Dz5Sc'a[a[{zRjs*,"P|G;g&fkd|sBg@(]giƾtA̵a!,jrxenrbNQ$c<{! WЖr1♩z̛d;z?/?"@.ZVG584Uk $DkXc)yJy-92~<9n
o[YQf;;Jw##|x(.J*`́90#_e-琠փW_̍Gw{]W~(HbFۨJn=@=evt6j}Ʌ>=|,a*hAʾ;iK}i=sHRxˌ-ʡ<@A/E`QjQFlL92n->#6ru>Y oPBr;En2H	!!$vJcΥ5Yz8w_I~N滉i0
owP+5lAn3kJ`lm¶ZFLwZulQ|Lr@]DG֫yBy-w*t};4Ո,Z)nk|O=S
Ӡv{jbk|>B5Z:QoM;xݷ.hqtԱuhW]jc܃{p}{OhՖfcEvBt%s7z.*gB> /!l}GI#Dn0,CU!ygZs\5~<>^Cꐺj«N}.,5k=H.2O9r*Khmh	D`CZrKu{9Es|AD&/av"]{D~ӲdY<"xDͦk6isL;}&Ċ7c
>	Cug5M޹yFΥg7("tKѐ,>]V5BGOdJU-=? 48q$DD$HR&cIlݬ\[r\"^.W!=Z,=ҳHrdD6Z<#;#q%`5Z׮>3cBw=;aR7R"920{絻wU#<,W&ͪ¸X֨MJ䩱iQe	M_?"7½)P!vd)Gʑhuj\4'f9餬F|7\yW/h)Zyָc#7~i]Ozgf)#PÔ*#.wje#PaR琽j- dGwϡ=qf`zvs >Ke)1ZE}QYT >|>֪YymwSwPm$k69ƪG6]*Oh< %^s[V,H[<422^{ _J[,d-ۯg{!MF,ku)*L ("ݼnUN)jǃ9cݰL@$	88FCk>K* ˃V;gj2BjU1Ў@aUHs)lj!um~9L&@!˓#rVY* t¯B_ۖWֈe&?!4¯qm>tcOWq c2xHRzjKO^>@( _LiFVl25	x(j?!+}V+GY:=QujdS&!x,.c&Zv;sY]>x`\ز@۱|}vJ43||%62C4
!́F]_>|oay`"m멮C-v#|&jtږpVz*)>TZZ_iD$|xCS=a3ߓO)Ui?|IЇQl~+\-
/p>wa޴u%4M\@@7T!q5M<gY xC T}F*sEǶ0B	GYЉ{,fػ8rc[*z	F_T,["mDde8_^+dMa'_ÖX),]
w-a`_ڵR2y\%lvo=\e'OvUN 
@/'TGRd#[ّ]M  SƵEb:k~k}a/kcQ^k&kh}iK:@/ľ#ʊllKU%l4 Œ"l1t]Fv YFڦ{kڕE6֥[ ^.g6!}}Yʼ{ L D/ED*ڕ{>׌hb"n̗O2k*wy/,="'$1
Zx~ynP}9}Oy|?j=N~;}'Lgt}]?hSunQ{/1ge"a_ۊ#q̬RóOZ! M(κ6SH6'"olB@yoD+]Tn%̩4-Sי{B@;{[9^M8lC,$썐B@!B\7:E}d%^Ț!A yLhl1g/ƳB  ozGɺu6}s_dBA ;oBV! wnCq1lw5T>p-޼"S2ݕa-ƮUTj2*@A޻jPimeȺ]#2xB@ygn=m97Q7]ic\G?	iB@;LSs3k+TfG|VB@!2g1aY]1:oz!ȀB4-v!9%w:mBޛD1r+]zDk!B@yi1g!-_-*y_N%Ϲ7@ jSu6}ka['A!m½	usb|*{B]cgUTeo^pf=A!.suBciF:KhucEv M-vV{kx;V{gPQxY*Cyݦ1+fs[DC(+BHI ɻKP]%W_tdȰ&I$@w%&UHlRKQ;9(Е,BhM=ՇrsfSGQoJhM	4k}֋9el0i%]&7Q@G;F֏${Cᵉ[Q 
DQkrUe¥3޶ȳ) ?&EfqgR9*r_(eA
H) WRHI,3C%$a6>RQε R|M썔R@
H)LJE=E\n̥\˳ miBUI:{lMH ǤիtOFd[*+otR@
H.IGvǧ&2H) #k[]ʧېwA
eCQ ö	d%	k7Q0(|@XSͭTj6儞-dʂ(@?b֏j	ODA@cc&3d?!QDQ DYQ,tls
?.@%{֫Qɞu&%
CQ>r93ڝJ‘	3q@򑝗X^/=(:]+mbb,D(CK{Vl*ޔF-ڦ(X,Q 
D|ecyɖ=eT͗,[a@GDd)V.Tl2
_##E:q+}Hك)n@Lݖ+$NRޛnqXGQ G(#djHV궳
Cu,(|:U3jA)[fbg6(Q 
D(>a]u[C/QQ GlB)NBQ 
D('Z9X4;Zfj=((=>Q-bR?˧Ge@"@_b(z
E(7XK`mtVڐS;SFqHu}?-L	0&@ių}[}Y
>4߮{]
@(nu=>Zmlc{v 9P܋Z@/TEڌ*GڶGz 1 x/dfK+B$mW^|a/s,e_b)gVj'܀pnHWq/e-.,t#+~?aSVWAZ땤oճvvC^rC223½M䜈!7"P@wG2>U꺻wl"mH"P@Wz,T{ڻnَ7E*"P?IO6Ϊ{NagL/E&@(E~g13%!/ݭ9)˛"@(EoW>F#jsU:yS"P]Efi3GGJf/"@(E<!3[ѽ<Yh"ysk<	9&"NZ_`"@w926 g("@7W.S1ZPvdE"?7hAYb[f/E.B(E~6o+wUzYŴ="@߹*BSn~<ЎXe6P@("9jSk
N<[@_@(;ED֣5JsJUzm

"Pe+.JuEab/
"PwMQ/-ˉ#3`*"PwF4#Kp9ԽJÞqɆp/P@YC3Y./-m18fqԪfM"#cJ#sX7mߺ"@(;%K;YU%Ze
E"o-kg[(͠m[",@("*9p3%p93o[b-"Pw>-5,Fs3qV5mJ#`GcjϸOٲy{geˋ(+`L`Q{uUNO9d\#H~Q0i`ϔ|.:Fl^z3t17{P
+,wU	P
@(fRId	.ūlg\Vz(7Q@GDZm0rWoTxZVf5(zS
%:E_
T*PC{QJrTZ[BGн&շ{P@mٸDw]E9^*U
T*Rcmog]D:*@U>JHǹsbqeVk>DxSWk
T*ݕ+gjtӉC\ʀ*P@>4suhxFTVxeaҡ
T*Pc;ꊢۖK]Jq:PŝeUW%Kl;Bf#BM)T>4]:mUfTڒ8fPUʾE骻qu7%BM>Qɂ*@3{ÖMOxӛB=T{*[Ȳ5}46/T0U*=8.[Do`>P*@jwO䐺Z6N[@2KձCrjiE6R}N[@Uvfz	^KK)\*@|Ŕ+;0.<%n{Cj
P*S,Ҕ,y|xڬ9Tڭ0T
PPOvxH沑q%ߖBUTqunٌKTWWWj
P*
jjPiSZN/T*@|pjK٬rMXę*XT
P*.#
z2L*@|tJmImў>s,dR7"`
P*@˔ɋG§
c޵Qk1*XT
P6k궙8)!VZYwOB߀
P*CEZu$E,ɒ:xP*@cLK~p	{NvXpZ
bڥ}_sOS|n'?9eY՝Cc.*2NXM뱺NM+eYfkq?|<5+ƾSv>+;MU*̎$ 7m3ش%Pmp%ُӺ,ŝ{;yG)_8vWF-kU/<;wh3uMi۷(ܽ
֙ks}myɈWCE\wMDFY{vX{ճdL}+K/#G3?"*8]^{?il͎/.~hV_Q%KɈWG׶fĞݤq/^}yT{28qQv\{kFc6,Ų;r06^>m|:Ji-;օ:ϔ9c}WWr
pnwJ[S^E/YF泎˔⽌G}2uTOSeƶZEv,tFr *Kˏ
m{O2L
~랯2Q?a
GhZĨJ{˪guFճQo<+ܗ}_wgddP3WM[2Z8rP-g3j+[-揸3qma{)w`,XYmGsxKm6C,XRvI>3xYuziЇksm3j2g
Kʨl}t9ˆ`ST#G1Hb+υ2QEQ8,$5?3JvNҽ~=ngnuy̞GuK|1j)侻.ُI6jWݳwb!mZQ`hg2Q#:t?/Lݥ6@%z|1P- ns6ۡZ^:4crYͺγ]OjZv{WVо&mZukYt9\JgomTmm~gavZOu6Yvq*'ַ,//\YNugk)gm*|d/\jwL:i
z2Z#Һ^uYMpa]ζ-YrxBunr۲eǔy*jmʤL.mq&ިOQX[.5#nzmyڇT&FB޺~V~:Xܥ}Nfo9NԘg箳NM#?Y$I|I)|
9ֶQkh#`0 ;ܳ[+g.cɮPlQZ0m"HH[@L݂7\s܀P _#	cMZ57.[8擭<`|`H#dPi9}3`ܽ_cm6=n[yaK3?7+4Dz	khizسX[\EMĢ5󭫩LSFZTzwYvo5Oed)#-b̷p5!u%f1At]Dnˠuj(F5-ILCpmܧ槲N^]qlttYF;RuFY4i>-/>'Œ0#?w31[DYc8De6+giFYFxrBrtFlv2~<A`20fSf%
B|̭fm{٦6,Fw?.Yyq+eFH҆qVGX|jU[4{2yk"r"ľ;T˻uKAyo^vg=!{?Ǝ%'foGa*ƒr/dDk+wytz<=^j`r"4]Zd9s͎㿜NdYD싞}M
bW͢*qnGyyZVjlU>E;8#07wdf8cʊ\*D#O]2(VɏEB3=kubݲ9c~jb=mdŲW2CgcZ*no]9C1tm㸯slMޯEc"H4+$zX=pfTNKlGNk5bѱcõgG鼚0[4Oy󚇱Voz[Bx$Hn6lgiu:4ZJ|C{~Y+6luV=x>5˶|.6^oWcoy;3@gծ(ף!~ě`)N-xPχKsf&ŬSz/noq`>+ew,٭pskX6]-Dz,ggᰕn]v~Y+c:iz
6lXN[>Tf]|Vh[kZ0`"8²۰"ޯ
@h
n[unMjXv.>F/P<x^2KʳE3pymW>6j–^Hַ6-|{?7@(eUMyeFiMekۧ-ԀP.ivV{SهInn
7UW^itddžmԠ2oA9 /tQ{ܕ>[osvkpl-+m{h9ʲNx{`qi{S]z3+bJk]/{*@	7mj>=4}ɁDA?k¬CIryswnX들G}Yeޗq_:0FzĿU]!62sFRAhMϧR+*Ldc{*uy`lM\ԣQ:P_nۯIg(y	>>`G2}Pf5) _#5*J3-6'7Q}52y
P*@@u,?!#ܲ_.|
V
Z*牆YX\m[!fo=TרGPA1(TL{o~8j*>m5e'	@h?hJh:Y*s=46'h7|5Etng֭h!.MYmߺfkכY7]F;`~L%E[GϢtH5kGx*x_ž6Hz|G]WּI6z>>}RetRoIb[3?~}:vYc3.ya,ϥ	o% =Hv<{,K>L^9$~^	p:5p
Q6ecK+ϸތ	!!$MBs~bR͕gD{(5^7F`"L0sVӓ$JjSp	sc痉F#p*8&Nd3IW=b58DZp@ $	yhWdkvidF=2suɇPJBɯ>kcHDd_+vx rI8	'trH`g.^}|H)ِfdx>WΜT]#TICg׌|o3P
~-mz]'VU+8E9v38~qZ)l^Y=KtV6KF0&DyLd?y 4.qE\fV՗]3-?gyƕYD9"f}lS(˖>]!-r66?o*|#/oZ̋ovJs?	'\^M#h[ڳ6Ѭh6Ύ:zkP~ؗ)Gʑ2=𻺢JkXy'uFz<2™sїWUӀk~k =B	Bdl52sxlf}k~V6IG?S24lM{kۜG?Y:ew~4>JeߕL(gUdLL;7Ǵ}}ʀ=X$,PvֱhKxԳU,q!xVz8rP"ԵӅ:`_ZjFVL7S9ˮMy'X9=\8p.゗R(㬝}9wqBJ=
! BGuӈY{$ëy" D|="l]\9`}X6<&E-"@#B$fug'bSjFD D|E"füϦZDQ[ӛM7> DHD[J?:OoRj7XyE-RZ4Zj;z~ZOZUxS)Bj.gõT7=wQcV@A6GoKbG #0F~粨w(Do2A{[PoZfl=fTbeV+`,|1[]

Ԗh~^Fx<6W
\˳MpSi#JEDnC־_|]i=3(ӗ|<8g.IBWݣ7ޯ<`15G.⼬ɧK|/L}
7?T2'\ɶ-VF)xo
gݨ;M5_3
7
;`7X5uMg2iR]yvs
w܁;+Ǿ3m=19"cf͹q&@$&j!Mxjqm8O|噯3
T*P٘z ˊ=sOvʯO<{܀pn~Ré&{OԥwK
77:>١ic=2l:
pn~x4%J6ydCױOŞk[Ö܀^yED$+fY(^R"zqES܀W#&׶b;WwN1KƯ[Sn
anZltZ=ګw7܀vjv6)<TB
Mpn~ws/9pcFk4/n?{ߚ ׭r"C@b4@pQUu8~6'Ǖ{o	Z=P+))#7'[$ v*)))ܕ3bvp?|6g25ZMMMp{{vEmz6O"uFݔڔڔ|lý[(4l)F%YU*)))71i6#[۽=62eJlJlJlJlrqvH8
:KzԦԦԦ3Ne–(eM> KߺC[F;]\;m7	Y####:"HE/,1)1)1)1+q'/hkt/1!tYZRZRZRZǕpCh$5s@kiJiJiJi_ʅӳtSQ]L^/gJޞ5R4m ////ue&Gz׳4`pa=9ң&ݯלC%1%1%1%15"\F[b66Z?06/JgJgJgJgXzE-sܜ:3__@_:S:S:S:WOnMsힴṶme僮tȧؔؔؔK&gQU!m`$kPӯ{JlJlJlJlmO[=6Q;ߌ֗ڔڔڔ{½du|c8F6ԦԦԦbB%ڬRRRRR.KZgta(9ԆJmJmJmJm>Km

dń4It7YRRRϼj:Op1B>Ը6ԦԦԦ3פm0k|:EcYoj3JmJmJmJm>8q̙H`zR^+666H:#0g*K`ڬkϩ
κ\'܁ԅ0Ħ՛WMmpkSJlJlJlJl>Tl
#Rho$#cA^bSMMMgwe@pmYVHyxLF:Zf:PbSbSbkH֖&:
xVKlJlJl>Sl>͸22BcLAfwMMgVnK#FHZ$;:KljĦĦ3olIRR0[GiDKljĦĦ1)_%==L[KpM]bSbSbSb9s6-yj\dQ&-ZjSjSjSj[9@ƺ',f}KljW_MMMPԦm–]?swobC%6%6%6%6b>PN3>Px\ĦĦĦ3F8>L3pīٔ֔֔|b'iu%Y*)))#Q-)*O
m;ǝ|1%5%5%5%5r#˚1шSq;iP{JM%UZSZSZSZoThq*=ss%/χJAJAJAJA>P.mvA_,jIWp:W'JHJHJHJHw7R7.au
&$O͏kT{||}mCdx(&[–D'dث@|u[y^~4%883JrҟP>tzJ#C*w7;ݽ/mK'r:Ӂ8
ϯwrw޶آ#Fw$ya*9uN%ld0xbہ}گ6;~a++++~(ϵ<_!S!{ly%,%,%,%,LX44F(.[7XJ_J_J_J_>E_:І#/c9gJ•|+-FOh6x-+BZDLv2
dׁyW~DŽFE=m챝@hj>9ܡ'_g/v]+Lw=*;S!x/,bB?Ls]ҿ{%7d>s@%9>{v[dxX;Ϋ#?O-Y˚.ཽa;59;i-ŕһ
@ڽ?쎏8eOrG0t#iv&k]RU9
XSnmdfs獠2-s=Fi	/c7ɿMT@*PжLx5d9?@IpW9]'=$A4%7AR鯀;ؑ{GG8tm!QpBĊ9>zoӈ5:c3N,nmY7`b;ygŘ:D~S~BR!Odi0&>?9LW(5sdm#1unҤ/IE7ç{?}9LuΰZh1DqhcĚGt+Mgq!Yd(_>2f偃
^ íRa83=y/u"55xpP`7RRؒy{C9r0XPϘSּ%F/3IYkg}tA>m&4]q.?
_*HHE@3+Xøǁǥx{(_'
#?7F	2hwD_ii09y}N3N2pi4qh`),ƫG{Uk|
b9bf:^F`c6+`flmSpi4}z!~h
e3
=?zw;L\,,&0h3dnmFIP(sh1`Δig-$Lqo{d6{w\T? XPٷ39D5]u
_2o*VߧEc?F!Gcp`Ƙ㤻BcK̏̈́03i[^g~.{/)cg`Q_anp<]|#5cnuJ+%Ƌd$	J/BIInb4*Cr{F^ӂ鷄4?+%bvA~
o7/!Ni[>ajoϳ1
ou2]E6=.^]?(t=tr8VdӱаGϘ`tte`zc2^m)mBp>Ņ
Ş:7t:8vc+		tL9Ul^??w>68p(3>%߻]}3L}Xn:Ok.DKIDpp0jxoIz(?&ޜ`P=Qc]_CM>Tw"{..:gDZ9zxT/<LN">M$n
?|vkBM1)nh
_2_oBq5S6Q(
`8c:w3wD*
׏y!HzPl@<}4C*J%	%/EY5$vҵ/Z--h#|:MIC:3~OM5CwnSgiȦO=2j ^>iyb:Z)W˦

#8?ugỈRDyDd|gN~н-@H{k.c1q[L3▖ѧ'9g{q/=/E3\xo`q8sFSGk h3|LBEߝ؅LgV08JK"^BEǹeGv#1h>??[4*FS2	݉){0uV~rYT**Jn޲49l8;AztNEZ>#1г!|2CZK~fTq88k;5vl3-c$"|F]dѓ(ųYD>3b#2qDx6+ԝ,ߊo8xjB&|?P(%%%@z{9BPZG#L6WI6Nft̍2b+#|$Ubgro~f*g\}o=wچ9kˇUĥ(2	,ibp11t2,oV
ND<E"JdI8grArL{IlLz\L.&LN` F!<,5zܕ_,f3bJܭفy-,о
obh1뎝cuw3vޓ9wZL-~9x]=6nY8z1i銪Eբ귤<&HqG!N(UwQZT9|&
zdsXum2U;2Woե`HeCȁCaQZT-~<%ƉVv>Zl-~8NzSNCf	0
{.E"l[6mk|aMx]GJE٢lQS#rkL\c{R9sk6hݡ9aS0?auE{ᮧ3X$.u/Cob?Kkt~W]kWzdlK칢񡔓URRRi)lOr)9qҖҖҖO[l3db:"(j+޳эi#1^=dq8Eɲ܏N1p=U4E"\4-d'|3.&eJtjY,f~̼GE͢.tw\[pL4l,[Y,n~Unn]L?nRh뤫ܤ;^,n7"7	$Z(Nے.1޸9׽ك#5g
\?%bWdhA	iOZXZL-~AA+sЖ-SQ"xzfU
_iZ|UBy:XcM;i_*coe43QovϽ-HX/6
%ٚ4 7؉>4/_9\+o8dқ#E}3K~#t0$r父iі5
Sa/0ow"-E+<<@U`瓯٤3ݍfܖ8wGt)g&2*?XlC'vr44,ujw
E	.*jcoAçݷ`@V Z{BL,Cy{u_Gw%G@WidMH[{M|!
nbFޝ`cmKZ^pxgA]sNmi[HH_&	m1Cg8,6>t6V+}1Cm{'l6Co6%R,~ń:a'4:VIp	-6:DM@!uxH_(7-.͍'i29c!^ЛMau9
kԷs`H!]/h>}1GqEt:hP4h#!H,m35Yg-9fk	&#?1#08kVCg8#q'0q17vq>^s?ZB
]6VıVq?nd/I#IHb47I=	4)ŔM(dO޵O?(ybK彲efȕ3\!;6κ@|)X|)sC̚]Mi5{m;ۃ/oKxSy򗳲/CC,Q#$bN1hAGf6wFZfZ
Q(PY)08qO{:zݔDž5~Z2ذd`yL8ajIH.HF`{1+1Esykyk(jjX1ͳf}8.>5s=QxGnto )ݜ9ëHqc1Ryopҫ3j.	6~Q((<	Јu}9_Dy*EJQRT팊0T Dgˬ*;
ն7|,Kב~Oa}c>Pg!f-r'ʳŀbOɀt)
8D4ݛӴ茋~D*?Ohsg	s;Nۂ;mG۞EIY	h%ht_m{*R)~JRN}d16O=5?%5G$63jfOmOEOIAe{-[k7mOE"OIdÝue0;]Z_+۞(E(i[	eܭ);
^JQJovrdMc5\ջ=*6A>	|❼mL.VMX_ok8v*6s⭸mX3`]0&I0[yq!{Ac	Bq'B'b
GK(wϙ%Ň.6a(xuE](R))ș 
caңف$|E"Ż ގgΐ(\'>GLwa_}%hQx7гVC$=|L]bgEwB.p>lKOQ(^+^HaCi]mwҡŋ;⅒ߑb[]|[r;XŋV(^'^p9ci1ë'/:"F]cڄjfDPWi-<_F/^//z7lvn6|ff
[ܟM,^//d˸*-lL;%A*F#~zFX~C-WvpcmK4)=^:~8?+[c	W]$KQoI]OL3@pBYoґbOHAztţT._a⎁_鋷xz|~AǼ~MAa3lr؉5|QUSa$E;=2m+«?:t[{w5zk(ixv
~fik9vE/mc7t35#u ֿCwڂdD=cMi=kyC5}mfo8abwrݲehoځSq̑A³NllmϤ-TPz- 
)l{X;stD3kiQEÒ-CIAFqZe]V˴}\1~^+eʿ56T{m;M3ϱA>MIeۢ7s0qa{cg/~H-ѩqe=@)Z>[5O{7fd3U΋Αygo	w޺sߺ9/~0e7]غ(
8H6^Wߴǖ4Mrx
h(}S?#24Ke	5{f]eơpgsԋֶgj+UC3z͌)̃ݹ1T|Y啿Ǜ.,S3W2ҹ>	S^%=TNBNh[[*-BahΠNyya$]s]dɾ尪@/viz4S{j]>/V^^m0=jpǢQ,	_tlW|>9lTW\t۸_(F2FKî
S!.8'dDE{55]D;j|;asӮ4}F;6ݶl=эk{0p݃Gtວ=G\Î40-z<-fDNd{ah㦀I?>8 ?[QPFB#Bۨ"ss7jg$S2ksl?wl%XciKРc+~@+;~_>|#NHz 6Q/i-n(A(,hƿoѽW]yNh {~n5m(ۻn6*dĻxϋH3YPAB=Seݴ;Y*>''24@ˬfqg17Sո۾[g]z
LU3B/۴F?&:3c;;?<k[ӏ80PQ`:g~O8*E0	i5,gE7Q9Y2᮴3B!E{NYMf2HF[qTLTAi)Q#Gӳ{4L>{~m`rm	ŎL!?=;:M6s>,g|qRetz̃,_HwOuFgFa6(O}ZjEiH\,p4ˎ>2:UҨs;?CfmX2&lRk,o*8߃:-vU;lL_o荒`+?3cߟ|(OQq.#u~b?,Sk|#Sf~VۙFfT쇥Y.4̿<$dm!;|4߁þ\u!kOl9be2$m፾xrSh&90'!׊*|}؊3-2<uYʆ]Fj P@˱=Ivvo:5YPS؇>FT3Fr-Ό̃LHr̔XJe/Zqk}IN{&ZW
7&{Wg-ݸM+9nx7YoSYElbGʇߡCиR<^WGܧ.J  Co\у:i;)C֘a
轂7LtcO{vg'W&ׄE`{kh{'K5>ƙ"c*<翩q0A@p6\2X4s?25	8GFA(dVg83}d8[^.86[L}u@q6Ѩ{uNh]%cѸkfǽe|S߁/EjF
͐ijػ1|As藓`1mnr<@B/Y!ٚEǣgəxw-A%G%&ǡ:f_5ξKoyP3H)dH
uLoͨ38a@h^)RHin6Z_I9O;BnK/xKINfJN$60/ÑϽ4GvKjZMj^+φ|%&k6ojWwahtxKmMTkPm1j@{h!7aF(OIZMn>݆ܳ>rB'kҜh3&6)cȌ.<ն?
:6I]RʀezS$$+N'BElOꀾ2Y×­GYCȴ㷼:ziVp"+.u>ɫʠ]9Rē(JkI^W&
1&^\]OZp2g[$lj:b59(K
why3-1.6.0/examples/multiprecision/mpz_mul2exp.mlw000066400000000000000000000273771440160026300223130ustar00rootroot00000000000000module Zmul2exp

use int.Int
use int.EuclideanDivision
use int.Power
use map.Map
use mach.int.Int32GMP
use ref.Ref
use mach.c.C
use lemmas.Lemmas
use util.Util
use util.UtilOld
use ptralias.Alias
use compare.Compare
use import mach.int.UInt64GMP as Limb
use types.Types
use logical.LogicalUtil
use logical.Logical
use logical.LogicalOld as OL
use int.Abs
use mpz.Z
use mpz.Zutil

let wmpz_mul_2exp (r u:mpz_ptr) (cnt: limb) : unit
  requires { mpz.alloc[r] >= 1 /\ mpz.alloc[u] >= 1 }
  requires { mpz.readers[r] = 0 /\ mpz.readers[u] = 0 }
  requires { mpz.abs_size[u] + div cnt 64 + 1 <= max_int32 }
  ensures  { value_of r mpz = old (value_of u mpz * power 2 cnt) }
  ensures  { forall x. x <> r -> mpz_unchanged x mpz (old mpz) }
  ensures  { mpz.readers[r] = 0 /\ mpz.readers[u] = 0 }
=
  let ghost ompz = pure { mpz } in
  let un = abs_size_of u in
  let limb_cnt = Limb.to_int32 (cnt / 64) in
  let ref rn = un + limb_cnt in
  if un = 0 then set_size_0 r
  else begin
    let rp = wmpz_realloc r (rn + 1) in
    let c = cnt % 64 in
    assert { cnt = 64 * limb_cnt + c };
    assert { power 2 cnt = power 2 c * power radix limb_cnt
             by power 2 cnt
                = power 2 (64 * limb_cnt) * power 2 c
                = power (power 2 64) limb_cnt * power 2 c
                = power radix limb_cnt * power 2 c};
    if mpz_eq u r
    then begin
      assert { value rp un = old (mpz.abs_value_of[u]) by rn+1 >= un };
      if c <> 0
      then begin
        let rl = C.incr rp limb_cnt in
        label Shift in
        let rlimb = wmpn_lshift rl rp un c in
        value_concat rp limb_cnt rn;
        assert { value rp rn
                 = value rp limb_cnt
                    + power radix limb_cnt * value rl un };
        assert { value rl un + power radix un * rlimb
                 = old (mpz.abs_value_of[u] * power 2 c) };
        label Set in
        value_sub_update_no_change (pelts rp) (int32'int rn)
                                   0 (int32'int rn) rlimb;
        value_sub_update_no_change (pelts rp) (int32'int rn)
                                   0 (int32'int limb_cnt) rlimb;
        assert { value rp limb_cnt = value rp limb_cnt at Set };
        assert { value rp rn = value rp rn at Set };
        C.set_ofs rp rn rlimb;
        value_tail rp rn;
        assert { value rp (rn + 1)
                 = value rp limb_cnt
                   + power radix limb_cnt
                     * old (mpz.abs_value_of[u] * power 2 c)
                 = value rp limb_cnt
                   + power 2 cnt * old mpz.abs_value_of[u]
                 by value rp (rn+1)
                    = value rp rn + power radix rn * rlimb
                    = value rp rn at Set + power radix rn * rlimb
                    = value rp rn at Set
                      + power radix limb_cnt * power radix un * rlimb
                    = (value rp limb_cnt
                      + power radix limb_cnt * value rl un) at Set
                      + power radix limb_cnt * power radix un * rlimb
                    = value rp limb_cnt + power radix limb_cnt
                      * old (mpz.abs_value_of[u] * power 2 c) };
        value_concat rp limb_cnt rn;
        rn <- rn + (if rlimb <> 0 then 1 else 0);
        assert { value rp rn =
                 value rp limb_cnt + power 2 cnt * old (mpz.abs_value_of[u]) };
        assert { value rp rn >= value rp limb_cnt + power radix (rn - 1)
                 by if rlimb <> 0
                 then value rp rn
                      = value rp (rn - 1) + power radix (rn - 1) * rlimb
                      >= value rp limb_cnt + power radix (rn - 1) * rlimb
                      >= value rp limb_cnt + power radix (rn - 1)
                      by value rp (rn - 1)
                         = value rp limb_cnt
                            + power radix limb_cnt
                              * value_sub (pelts rp) limb_cnt (rn - 1)
                         >= value rp limb_cnt
                      so power radix (rn - 1) = power radix (rn - 1) * 1
                         <= power radix (rn - 1) * rlimb
                 else old mpz.abs_value_of[u] >= power radix (un - 1)
                      so rn = un + limb_cnt
                      so power 2 cnt * old (mpz.abs_value_of[u])
                         >= power 2 cnt * old (mpz.abs_value_of[u])
                         >= power 2 cnt * power radix (un-1)
                         = power 2 c * (power radix limb_cnt
                           * power radix (un - 1))
                         = power 2 c * power radix (rn - 1)
                         >= power radix (rn - 1)
                      so value rp rn
                         = value rp limb_cnt
                           + power 2 cnt * old (mpz.abs_value_of[u])
                         >= value rp limb_cnt + power radix (rn - 1) };
        value_concat rp limb_cnt rn;
        assert { power radix limb_cnt * value_sub (pelts rp) limb_cnt rn
                 = power 2 cnt * old (mpz.abs_value_of[u])
                 >= power radix (rn-1) }
      end
      else begin
        assert { power 2 cnt = power radix limb_cnt };
        let ghost ou = pure { rp } in
        assert { value ou un = old (mpz.abs_value_of[u]) };
        wmpn_copyd (C.incr rp limb_cnt) rp un;
        value_sub_frame_shift (pelts rp) (pelts ou)
                              (offset rp + int32'int limb_cnt)
                              (offset ou) (int32'int un);
        assert { value_sub (pelts rp) limb_cnt rn
                 = value ou un = old (mpz.abs_value_of[u]) };
        value_concat rp limb_cnt rn;
        assert { value rp rn = value rp limb_cnt
                       + power 2 cnt * old (mpz.abs_value_of[u]) };
        assert { power 2 cnt * old (mpz.abs_value_of[u]) >= power radix (rn - 1)
                 by old (mpz.abs_value_of[u]) >= power radix (un - 1)
                 so power 2 cnt * power radix (un - 1)
                 = power radix (limb_cnt) * power radix (un - 1)
                 = power radix (rn - 1) };
    end end
    else begin
      unchanged u mpz ompz;
      let up = get_read_ptr u in
      if c <> 0
      then begin
        let rl = C.incr rp limb_cnt in
        label Shift in
        let rlimb = OL.wmpn_lshift rl up un c in
        value_concat rp limb_cnt rn;
        assert { value rp rn
                 = value rp limb_cnt
                    + power radix limb_cnt * value rl un };
        assert { value rl un + power radix un * rlimb
                 = old (mpz.abs_value_of[u] * power 2 c) };
        label Set in
        value_sub_update_no_change (pelts rp) (int32'int rn)
                                   0 (int32'int rn) rlimb;
        value_sub_update_no_change (pelts rp) (int32'int rn)
                                   0 (int32'int limb_cnt) rlimb;
        assert { value rp limb_cnt = value rp limb_cnt at Set };
        assert { value rp rn = value rp rn at Set };
        C.set_ofs rp rn rlimb;
        value_tail rp rn;
        assert { value rp (rn + 1)
                 = value rp limb_cnt
                   + power radix limb_cnt
                     * old (mpz.abs_value_of[u] * power 2 c)
                 = value rp limb_cnt
                   + power 2 cnt * old mpz.abs_value_of[u]
                 by value rp (rn+1)
                    = value rp rn + power radix rn * rlimb
                    = value rp rn at Set + power radix rn * rlimb
                    = value rp rn at Set
                      + power radix limb_cnt * power radix un * rlimb
                    = (value rp limb_cnt
                      + power radix limb_cnt * value rl un) at Set
                      + power radix limb_cnt * power radix un * rlimb
                    = value rp limb_cnt + power radix limb_cnt
                      * old (mpz.abs_value_of[u] * power 2 c) };
        value_concat rp limb_cnt rn;
        rn <- rn + (if rlimb <> 0 then 1 else 0);
        assert { value rp rn =
                 value rp limb_cnt + power 2 cnt * old (mpz.abs_value_of[u]) };
        assert { value rp rn >= value rp limb_cnt + power radix (rn - 1)
                 by if rlimb <> 0
                 then value rp rn
                      = value rp (rn - 1) + power radix (rn - 1) * rlimb
                      >= value rp limb_cnt + power radix (rn - 1) * rlimb
                      >= value rp limb_cnt + power radix (rn - 1)
                      by 0 <= power radix limb_cnt
                              * value_sub (pelts rp) limb_cnt (rn - 1)
                      so value rp (rn - 1)
                         = value rp limb_cnt
                            + power radix limb_cnt
                              * value_sub (pelts rp) limb_cnt (rn - 1)
                         >= value rp limb_cnt
                      so power radix (rn - 1) = power radix (rn - 1) * 1
                         <= power radix (rn - 1) * rlimb
                 else old mpz.abs_value_of[u] >= power radix (un - 1)
                      so rn = un + limb_cnt
                      so power 2 cnt * old (mpz.abs_value_of[u])
                         >= power 2 cnt * old (mpz.abs_value_of[u])
                         >= power 2 cnt * power radix (un-1)
                         = power 2 c * (power radix limb_cnt
                           * power radix (un - 1))
                         = power 2 c * power radix (rn - 1)
                         >= power radix (rn - 1)
                      so value rp rn
                         = value rp limb_cnt
                           + power 2 cnt * old (mpz.abs_value_of[u])
                         >= value rp limb_cnt + power radix (rn - 1) };
        value_concat rp limb_cnt rn;
        assert { power radix limb_cnt * value_sub (pelts rp) limb_cnt rn
                 = power 2 cnt * old (mpz.abs_value_of[u])
                 >= power radix (rn-1) }
      end else begin
        assert { power 2 cnt = power radix limb_cnt };
        let rl = C.incr rp limb_cnt in
        wmpn_copyi rl up un;
        value_sub_frame_shift (pelts rl) (pelts up)
                              (offset rl) (offset up) (int32'int un);
        assert { value_sub (pelts rp) limb_cnt rn
                 = value up un = old (mpz.abs_value_of[u]) };
        value_concat rp limb_cnt rn;
        assert { value rp rn = value rp limb_cnt
                       + power 2 cnt * old (mpz.abs_value_of[u]) };
        assert { power 2 cnt * old (mpz.abs_value_of[u])
                 >= power radix (rn - 1)
                 by old (mpz.abs_value_of[u]) >= power radix (un - 1)
                 so power 2 cnt * power radix (un - 1)
                 = power radix (limb_cnt) * power radix (un - 1)
                 = power radix (rn - 1) };
      end;
      release_reader u up
    end;
    let ghost orp = pure { rp } in
    wmpn_zero rp limb_cnt;
    value_sub_frame (pelts rp) (pelts orp) (int32'int limb_cnt) (int32'int rn);
    value_concat rp limb_cnt rn;
    assert { value rp limb_cnt = 0 };
    assert { power radix limb_cnt * value_sub (pelts rp) limb_cnt rn
                = power 2 cnt * old (mpz.abs_value_of[u])
                >= power radix (rn-1) };
    assert { value rp rn = power 2 cnt * old (mpz.abs_value_of[u])
                         >= power radix (rn-1)  };
    let ghost nrn = if size_of u >= 0 then rn else -rn in
    assert { value rp (abs nrn) >= power radix ((abs nrn) - 1)
             by abs nrn = rn };
    assert { sgn_value rp nrn = power 2 cnt * old (value_of u mpz)
             by if mpz.sgn[u] >= 0
                then nrn = rn
                     so value_of u mpz = mpz.abs_value_of[u]
                     so sgn_value rp nrn = value rp rn
                else nrn = -rn
                     so value_of u mpz = - mpz.abs_value_of[u]
                     so sgn_value rp nrn = - value rp rn };
    label Size in
    set_size r (if size_of u >= 0 then rn else -rn) rp;
    release_writer r rp;
    assert { value_of r mpz = sgn_value (rp at Size) nrn
             = old (value_of u mpz) * power 2 cnt };
  end


endwhy3-1.6.0/examples/multiprecision/mpz_mul2exp/000077500000000000000000000000001440160026300215525ustar00rootroot00000000000000why3-1.6.0/examples/multiprecision/mpz_mul2exp/why3session.xml000066400000000000000000002044721440160026300246030ustar00rootroot00000000000000












 
 
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
   
   
   
  
  
  
  
   
   
   
   
   
   
   
   
   
   
   
   
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
  
  
  
  
  
  
  
   
   
   
   
   
   
  
  
  
  
  
  
  
   
   
   
   
   
   
   
   
   
   
   
   
   
   
    
    
    
    
    
    
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
    
    
    
    
    
    
    
    
    
   
   
   
   
   
   
   
   
   
   
   
   
   
   
  
  
  
  
   
   
   
   
   
   
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
   
   
   
   
   
   
  
  
  
  
  
  
  
   
   
   
   
   
   
  
  
  
  
  
  
  
   
   
   
   
   
   
  
  
  
  
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
   
   
   
   
   
   
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
   
   
   
   
   
    
    
    
    
    
    
    
    
   
   
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
   
   
   
   
   
   
   
   
   
   
   
   
  
  
  
  
  
  
  
  
  
  
   
   
   
  
  
  
  
   
   
   
   
   
   
  
  
  
  
  
  
  
  
   
   
   
   
   
   
  
  
  
  
   
   
   
   
   
   
  
  
  
  
  
  
  
  
  
  
   
   
   
   
   
   
  
  
  
  
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
   
   
   
   
   
   
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
   
   
   
   
   
    
    
    
    
    
    
    
    
    
    
   
   
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
  
  
  
  
  
  
  
   
   
   
   
   
   
  
  
  
  
  
  
  
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
    
    
    
    
    
    
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
    
    
    
    
    
    
    
    
    
   
   
   
   
   
   
   
   
   
   
   
   
   
   
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
   
   
   
   
   
   
  
  
  
  
  
  
  
   
   
   
   
   
   
  
  
  
  
   
   
   
   
   
   
  
  
  
  
   
   
   
   
   
   
  
  
  
  
  
  
  
  
  
  
  
  
  
   
   
   
   
   
   
  
  
  
  
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
   
   
   
   
   
    
    
    
   
   
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
   
   
    
    
    
   
   
   
   
   
  
  
  
  
  
  
  
   
   
   
   
   
    
    
    
    
    
     
     
     
     
     
     
    
    
   
   
  
  
  
  
  
  
  
  
  
  
  
  
  
   
   
   
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
   
   
   
   
   
   
   
   
   
   
   
   
  
  
  
  
  
  
  
  
  
  
   
   
   
  
  
  
  
  
  
  
  
  
  
   
   
   
  
  
  
  
  
  
  
  
  
  
  
  
  
   
   
   
   
   
   
  
  
  
  
  
  
  
  
  
  
  
  
  
   
   
   
   
   
   
  
  
  
  
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
   
   
   
   
   
   
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
   
   
   
   
   
    
    
    
    
    
     
     
     
     
     
     
    
    
   
   
  
  
  
  
  
 
 



why3-1.6.0/examples/multiprecision/mpz_mul2exp/why3shapes.gz000066400000000000000000000367611440160026300242270ustar00rootroot00000000000000}Y9~f.
4EB*Icg~#2;*3" a?~y˻kO*לk/}g^<}gswgWdsz.Z>}C{MN%|_ǫ_GUnu?~/}h_!pH+ϯ?8<{vkq|Q~'waWl\#N~ۃnfm5l~c/w}bVB櫛/˰Ǹ??WFof_'vE.r\/\^<_ՕoS>}/\qӯ>}JFqzXR[|X_oCy'#}z
y8pHgSϟ4޿Wcnާ_}.J2x?O><>.w_sy?1r(4{P}v뒴f7e+>So9n_/_Vփ7NyQܾyJ嫟.uވܢ+y?`w|zJ~oO՛7oL@c|[b6_;8iW4%t:n,	X
|1k0l
/*xR/ty\??].m
[_d\1GW&91@B8SdnO"	x}ɸOܭq|jeW8x
w->ߠ_,n6Ws]r#5KWኚ+F}NVR	v~~Oj;#$o΃zJ\6x[mO$_v/},XtX?UGSxNtm[ah=f[ﰫ=zG87yDY:OH>o?.n4:;RwX_gDzNBx?rӝpxZg.Yi,+Dž6ĝү!nk҇%nZ\аR5]ϻ[-(}Dxo7HhOjS>b5'fI{"=)u{ƿUukU]\u<mZ{u24yW6߲fږ6[ϗ$/{u	_y7m~X;N΄MNvmccdawv;=5.,wٕc;brmv["	AAcۚ+߿alqHr9{W{>5+b-j_O3mJt>c@mvB ءx/7'r-exvEf3inΉ6k Km0|ݗ`ngKi;	NJ8xv0yny	OCsN.Zd&Me6RѤpQ+h:|ne7+6`'\m_$\JƒTMhCvq.eH,2|XUK7G.hm.\ZQ|kK"906D|a,óC7o=wӷna;|g˹;$~+bZɳl|~gt
n0̗ܺ#OY%DOùi\;ou:9Ɇ];𗯛\Mܝo&շ<t89
:m^92v?T6y[zc|k׿&e77w>n>/}Z۫uiqc16}4|KJߌY;ƍfMUMjv.]o^sCCÚC|*YV%fN[%V[Y6,W]uG΁zcX>.GN*K8A/FF'!+d#XY?w|3	?N-ۈکMKgLH;	'[6~'uv^B#&}ө4Ћ=/6+Xb2/,d;Bo<`lgg=t|~-G=b/RbZ;EvJQ7J҇.Gi1r|ApAx:cC=${uMznyAv_8~尰}c޽ۡm0_gYK0.핅㆛·]ނi[|4-୸oڲB~k@rdtӆ
nF6n*\ز\5t}r%w.wލZw+z;??ƍMϷo1n72?=ÿTnybc~]}ճhY{hfa>mDU/7L|`Џ;[}xשѴyc7Wyݦ%U,yxcgϣ%ǕK>7컬ի9^JɕӘk+aTZ1$-yN}^pztUZ/K$5"^0Vu"$Sw(R)J
z"D.[
ň	(Kٳsc@Rt>PHSMr"CJx 8eL=hJӨ-]@pHUgjfECف/0\@@@{/.]Wl/
{JHl\
XrSxC7k*
ZC23j,M+_\DIQ5&\b4Gf.7\a@mk4Ap8BV&RO3Y&1fOsѯ._````wAinLF#B념|-hn'=b9'V*ʝZc|-t!x!5IXbni2՘R	Qc1
ܣ;s
S-mƓvEl5=d*ySȕAZKUCn]2iȩRȕ3KfLrj]Y33'aW猵śpzqE%Њeㅇ&2Wdo:zɕ5S|[.<_x:!I3ύMEǡX Ȓd_._6\wӅ߇"`q+Gj*5_!Yi4oD j0KKFpB|z2}fkɘ\N3YPعŦNJS5RgR3}"Eħly6lTLLHͼcE怙f7B23Y'-2tSG3ORR7f)}V{)+EP	r.X~A
.hf}sů]jIKL
?Bu!!-zInJmr=qU/Z^-8~~E𚉡1O#p4/wBJcЃZ(d{bWi=X;>̯Q"U-\
rhz8O0n,NJ޸@$RԊ=f)=T4f>9Z37Zy0UKQ+ˢV^58B)oS5X+7^3Rh
@nfFV

VY+D)V*]8Xe~jF`lYHwrTg4ӊfO.eRSn9-hq8)nEv3\U3PK	ި43\32hEqHpG
Pp$} (0<7s}Bi@p̊u^${BXR-/]_- iFWϦ81쌹@Ur93^alʂ)E A̓=a3s\(x6`Au2'YA)I+^_l0^CDJ֭Kf-Uxm$ %0W#ZV3I+עHDʍXhA9	ɭŦՋًfyb	fvǽt3V=	!lw{Ȯ2}"ozX;-Ϲlv'ǘ[)9efF:zjC\2ޔU$'m5ɓ#h $:wk<6N`'	f7{]jI]w"ď/)~/^J^qpɇܻk0`n&aޙzj
&V-؞L+0%"]U= Nf:Xwk
Fݷ]nR%i%S)`բuiض>QH+:
X=&W`,j@9G\Hbi0wj[s%X\9@0118.QIIbJiLQQղY;P\QTcJ%Dh0ҁNfe4A?V,涘v
s,}9FʀB)ͮ&*V&~ʴ63`葸|o @=N
8a56S\L0@ 	Lb*{w9*#Ei5pI[oގفXcO$!sJ&H2dkXkVNufvUtE&r$e~VWu7,kŔU7@@H(?$ZV|?M՘+ġIE|Ͼ=5C+L\Yչ0xZkzTJEy憡93	5-äk-*4kGKW|Rr˜i.RNUYڰ%ٛۥf6Frh9E\fʝ9VPm֔d	Ʃ<3wdh_͡1%q$Dl1rir`bZrU	VfnJw)?aVlJEGҵki;80߅!$NR蹌|B#$(켹fvk"U]=o@1wTg5q*VO>yh/S
Fa+obzWQ$H1qP:
y\Msq.oa;h@YZ3(#cFI
)h4X=	EU˂b>?3>i*ٱo9Cϐp
k}{'CiH$IʒCskE۱Ô>M*V	kiR4UKє)6}FU iG	bDIF#ͬX2,`7Vrf]Y/^lb%Fy͟-3c1F4Bbblj/)5"!!z׫wQ=wAZr4
RI⸂ B۟{"3sZORș:o<1m+9`4"	:Z	,ܽS..h!*yiڊP0Pk.-4ʉ#MG%/4kr
xthThs:9"֑=*X7vҥqTؼ$,fn7)uj$:/NsJa2r̶,8IoN+>/I7ӱCr
J4o2ǘ&~j<eQ)8_9AH]- ivA-ǐ%(HDf
lmluy~jDⱄ4͕s+w*pLwJvZr9.Τnsθ9:!dWzlJ*9]u=up'Z7&ؕq"3r9߇Zo>j@}$)6M+pw96(MJ"!itNit+pW867,JL	;Q2wd.\HbYH%y_Hh%5SJe%OIJW,oXF#TAOf^_G"D?fڦ%GVisB~'{G^1%"V	Z%8ScVvM+pi/iSP.A\*qVXydDKHdkY,u%7fMi\q[29+TT@0ߦ^-ǯZfhr!fZg9ӻ&#iYPqv"k\S{iFVEEе%OLp>瑱|_pN]q\LMF*l+1V OeNշԜ˰;-4SFbZhYqnz,h%0't
mb r75\Zw
]UD2pvk,=b̭FrO'8
] 8DYΧq%2N$npRZ HB]s7{Rݵ ɨ>	YրjrCj&6U#DZ"4"iI#E/t(6ȊcuE-sɛ"ԌYvZg+ܫH`xQ9aG"&rꅰu,rr&4o>&ʄF"0]E+u[氓d+#(hؐB1ͥ*fe/ʏsM\k/YKWE(_Sa9wB1x5Sa&ù fp sʐs8u>1,,=wm'\r m%b)k&)`F\q
37L'b$yMF/iW[cl[EՃ))ҳp)dQ5W5|I-܂Ss#?޵f*#4,Q*}`qB#8Og2>S-<|+4èRٛDYT2%C!sR܍Qzc~4Ily:$^SK;S]m]YoH1o6Qtd!4?pقf<]q`ZY#(d_-H^"&FZ>utȜL(B)kk%cc~(G6Tb5WY \OةѦ{/uXZ#R9C6oMQ	J1;̜!9YHJ
$OI~.H(פֿtl;У`tu$22ǠJѯ	V%mKx@|Rp!	i	SB`"G)>w-4[g]{hedoс9hSR6?'>Rzmf5_r˥:i/!0nZv%Vr$46ʵ 0ꃐ4ԓsL^:j0{|65S)@t-ZKO7v-U68-q|Y==kUey
){fŜ-<11;+wZٓc,5Zn[3bz8!-՜WՂ`nXGZ"g$QIGuz,q+=B2aiSMxa;iOs+buMזBM7^\q~)-8,5k8L:㱰~?iTXR [j{BڞW5EC|\0uScJ\ejYRMչ0DMUb$t:GV"dž\iY{'Cncn`O˧qSݐ[5<+9rC	(,$NšSқX+ޏq7-G2r`#V	]
G֢X	Ti"4e?vR>f{^j$vUS) gYԫRH璅=Z/q*K~e3f!kF$%mZ[LHc7l)FƛԌU)4mYKvF(W<p1~|޼5Fn|."X|(ݨp8e5q>U7?wާItRw+nh;`p+qL\lry=?88Ir9YERS.<^7)CE;0JNLMF+_(=1FcTB6	]R>N!$cXv#M>W {@q.WfqAt\q8X5Dw`^5G1bfjJa+o Fea뛍1dAvzXb^[YcvZO:vdoAtW)]+͙mc9eQ26` ZM+ÚUP\we$cimeeȝ՞ZӠgIP&6~	Xkn=kSXVvvהщcuPRvc'j0`qeby΍M;ڻQ3yIqd1NNP؏666eW
PGR	QV2$up!szjjQ:_3U~qf	Ԗ <P1Pvc nhp/G0P޷&i#t|)4icam
|(!u$\|y%Eі\ڦ(-f22a5Wxr1VTBR(b!~'Y.ܙbQFw)pu,'*%u7a*/Ӏ@lQ,99~U^Vy]VTڽk1K5!'*R^΄^+;bz1))\5ϲ/YEFںW4~NQDud0JVieY@PWsGROy##aWFrgq[DCIƐbuI*#?JbYy1푠#8r0jk~beΑp䤷FUF~^1ǣhY]]ƌO$sS&1LWiED1
}%%-aiSk%22HdPK(Ր%5cLIF,*AMBUh\0
;BLuآTcK1#EuS.CjXr7	F9sx dgG:s+F~hkc,gZhhc񛙓	#
)q13b!<E-#$U3A",}USQ
V#[. %'6!IeSCƞb/
H5ȇq΅:&I	9+g 􉚋Ju1?~^4a31GBWX0Q+
噁)β4LIzt
jg88
ޱTvыJ-ʈn[d(x݂2$&kGcb,l(昚ЁNS$'.2qcu%h*+VUBM5怸8TYm쑾Uw>[o:EW9rJ!h5',oqa6rf!4
\´+1prl/!\݃&u AH1V/qA>)V!_S+ys~gYhSNcp|*g1e	5,I
6a!'Ҵopޣ	Нz0эjoIǩ4]!GVfJډ^f`?NfL[L*q5
.tayj瑎Gh4XR;̪ůL8]-e)	:|Z֑t	aU=6Yr=qL!JUeNFS)VqfȾa;9%r6mujNZZ.;եjeI49+wԹz j;Vj>_Uf~:)ƭ#'N}J2	2r2o8bq8 !i:r&>v?1iU_੅Xj	k{*%:-6/IqɄ|^Kՠs]mcdI|J+,Nkd=DAr8㫞4ʲ"ӮZo3ٟ'=y3Yd=5ͥFYnX9z]Ct
REfIk"Tʰg0Suǘe-5SՁw8vGjGB֦pw6h㬣ԢL==Wf=fePyrql6̲EV&=Kɤ^P@4;W+E}39I뒘b١cD?aeysJzAvlC+TJ+/ξ}OI4Wsd*o]@Eh된dOGE+OC\ubdlf.TL魮/{3,=Sj~&[y$="t6Ck!Z"Ivo<|!V
1E2E7v(Ɖmvw4ʿǿ5Ð;g&Uuk_.
X[uΖ|U.Zy>ԏL-c|h,@`)X'YVʫ5٤T}3k.xs	WF_X(VHֶ{+W!OblᕰKOt|ʯFZRG]բ&U7ʳg3
=kw(45U82O)ivkV=#sqgnKYs7m{
"ӡW=GމViưR%m-z9ȁNg]in{`ߛ]=sI+3?3KJ9qZGrj?h)HΤ
H)#D+S?S\BQ+K184Ic1Zb1_(PTb)1IȭX99V>,D"XKj
{qL}Lc1@l&4򢺜jL}Lu8G,JK0V_,l?gi@E4q&@o:rY01Pwhy3-1.6.0/examples/multiprecision/mpz_neg.mlw000066400000000000000000000021231440160026300214460ustar00rootroot00000000000000module Zneg

use int.Int
use int.Power
use map.Map
use mach.int.Int32GMP
use mach.c.C
use lemmas.Lemmas
use util.Util
use compare.Compare
use import mach.int.UInt64GMP as Limb
use int.Abs
use mpz.Z
use mpz.Zutil

let wmpz_neg (w u: mpz_ptr) : unit
  requires { mpz.readers[u] = 0 /\ mpz.readers[w] = 0 }
  requires { mpz.alloc[w] >= 1 /\ mpz.alloc[u] >= 1 }
  ensures { mpz.readers[u] = 0 /\ mpz.readers[w] = 0 }
  ensures { value_of w mpz = - (old value_of u mpz) }
  ensures { forall x. x <> w -> mpz_unchanged x mpz (old mpz) }
=
  let ghost ompz = pure { mpz } in
  let usize = size_of u in
  let wsize = - usize in
  if (not mpz_eq u w)
  then begin
    let size = abs usize in
    let wp = wmpz_realloc w size in
    unchanged u mpz ompz;
    let up = get_read_ptr u in
    assert { value up size = ompz.abs_value_of u };
    wmpn_copyd_sep wp up size;
    assert { sgn_value wp size = ompz.abs_value_of u };
    release_reader u up;
    set_size w wsize wp;
    release_writer w wp;
  end
  else begin
    let ghost wp = get_write_ptr w in
    set_size w wsize wp;
    release_writer w wp;
  end

endwhy3-1.6.0/examples/multiprecision/mpz_neg/000077500000000000000000000000001440160026300207275ustar00rootroot00000000000000why3-1.6.0/examples/multiprecision/mpz_neg/why3session.xml000066400000000000000000000233631440160026300237560ustar00rootroot00000000000000






 
 
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
   
   
   
   
   
    
    
    
    
    
     
     
     
     
     
     
    
    
   
   
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
   
   
   
   
   
    
    
    
    
    
    
   
   
  
  
 
 



why3-1.6.0/examples/multiprecision/mpz_neg/why3shapes.gz000066400000000000000000000061301440160026300233670ustar00rootroot00000000000000ZIo\Wā@2B Z@\
J(&5_fyrbYr7>TnovnοY|}Eۻ6c_^m-ri;,-o{gw5ޔwµ}uO7n~^ߌrazx5,3~n7!>[d"ؗFNfq{!HX[q*82ݾ\1y⃟\žJ1c(=2$r3鉂K@,7f5'eݬ88=;ܐu|?Ҷz')T[+ENlriNOK{üwYVfa2
`6U],tQC1QbDrW~Ko

W!F*
g⇀
M
O>م.<
bc	dS@dƂ'3Onә=lI_;0H6NdfJ?
yY\RTtdwqg1,Wqcư>Gb/[lH
`2X
]^bd8xw
q&ZtE|:=QyoBjO.'Q&tOK8(zLӋc9:mk3輾9t,OVn:%t}1H{Ӟmqn[o볳k*
UFWQ0)2:d3EFݒҶ2{u@A:eK"`e]bHVD
@ZzbuT+EyOaA(!
~rfLMtiP5݀|?NY'RFG01d6"'e1Xk-&BZ`dPh2rB@pl@൩tQʷh1ClbC۬p '1րkX&V#r&8S@`@.
$7$w
A,RiT=IHxpuE-&XmMl<עwZ(vͳgebG"rs*jr{˥
JĪjUB`J
"U`'P0Am&h4MAc
?I	)S$38v2@`'A6W	;ML-7	u|JB,\q6EplJ/@vGg *@X=TSnj}40K
Fs@tlTP(%X`)XUZ\#"Kn
}HG_fZ6ꥢEKZQQgaݗRgm@< '0-Ya_~U)'Eh@N4R;ԗ"K2feir3VjlRBH0_ե"&!PW鱀Ly`JEAj\zSL%Spw}%JSZm%iIM*FGՒ!xg3/O]rl1)2Y`UiɓJ@ڬR*TY`euV:/WtF9smUk)Z#fC;&WwP-)cIXͦWzW1yE5K&U-oQ9rF*9y@QʫG_
U5,$ژ%a
&jI&TKDJ#ѿ"U۱JޱuV\bR~[ViPT)Q`S!ţUo*0sK)G:XW)mYH0'hkૄs	2T	*y4	d	L̦*۲$&-շ@cXq4U۲
x_ǜd>҉Eiͳ^$2'41Rege9\0SXB躐ԜԚVY^I꿰:k=I'~,fErքZGd@"$I0
uOD5U/H1Q"**){4^XVձM3PjV\nh>:W-OւSЀGGs,M'Xi
i*Rch|+=‡+QQ#<
jd~2Tu'XD^7+(N,6L!H){GsIу1>0)go	59BlG]:fާbf%iE.HCZ~:("ՔLRjތc0>XZ<.t%sEc3yRpn49rd_	yP)U&jUTYp"G_شkw-yI)6&õdy1!Km){sYp~!-W6;PjvId>Kn^,<6WzBTRJ K9+hiӢzz>why3-1.6.0/examples/multiprecision/mpz_realloc2.mlw000066400000000000000000000027471440160026300224140ustar00rootroot00000000000000module Zrealloc2

use int.Int
use int.Power
use int.EuclideanDivision
use map.Map
use mach.int.Int32GMP
use mach.c.C
use lemmas.Lemmas
use util.Util
use compare.Compare
use mach.int.UInt64GMP
use int.Abs
use mpz.Z
use mpz.Zutil


function alloc_of_bits (bits: int) : int
= if bits <= 0 then 1 else div (bits + 63) 64

let partial wmpz_realloc2 (x:mpz_ptr) (bits:uint64) : unit
  requires { mpz.readers[x] = 0 }
  requires { div (bits - 1) 64 < max_int32 }
  requires { 1 <= mpz.alloc[x] }
  ensures  { forall y. y <> x -> mpz_unchanged y mpz (old mpz) }
  ensures  { mpz.readers[x] = 0 }
  ensures  { mpz.alloc[x] = alloc_of_bits bits }
  ensures  { if alloc_of_bits bits >= old mpz.abs_size[x]
             then mpz.abs_size[x] = old mpz.abs_size[x]
                  /\ mpz.abs_value_of[x] = old mpz.abs_value_of[x]
             else mpz.abs_size[x] = 0 }
=
  let ghost obits = bits in
  let bits = bits - (if bits <> 0 then 1 else 0) in
  let new_alloc = UInt64GMP.to_int32 (1 + (bits / 64)) in
  assert { new_alloc = alloc_of_bits obits };
  let p = get_write_ptr x in
  assert { forall y. y <> x -> mpz_unchanged y mpz (old mpz) };
  let ghost op = { p } in
  let ghost os = abs_size_of x in
  let q = realloc p new_alloc in
  c_assert (is_not_null q);
  if Int32.(>) (abs_size_of x) new_alloc
  then begin
    set_size_0 x; (* data has shrunk, reset x to 0 *)
  end
  else begin
    value_sub_frame (pelts q) (pelts op) 0 (p2i os);
  end;
  set_alloc x new_alloc;
  set_ptr x q;
  release_writer x q


endwhy3-1.6.0/examples/multiprecision/mpz_realloc2/000077500000000000000000000000001440160026300216615ustar00rootroot00000000000000why3-1.6.0/examples/multiprecision/mpz_realloc2/why3session.xml000066400000000000000000000314171440160026300247070ustar00rootroot00000000000000








 
 
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
   
   
   
   
   
    
    
    
    
    
     
     
     
     
     
      
      
      
      
      
      
     
     
    
    
   
   
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
   
   
   
   
   
    
    
    
    
    
     
     
     
     
     
     
     
     
    
    
   
   
  
  
  
  
  
  
  
   
   
   
   
   
   
  
  
  
  
   
   
   
   
   
   
   
   
    
    
    
    
    
    
   
   
  
  
 
 



why3-1.6.0/examples/multiprecision/mpz_realloc2/why3shapes.gz000066400000000000000000000066621440160026300243330ustar00rootroot00000000000000[Y\7~_Qo!HZv1p12%
{qى_sj;xwbR(OP׫Wn׿\kwU6ۇc6J|{_I7V>^k{ADno4Phi9f7!tᮬu9Å~սk\/+DV6Z_Wwhi#a>k)N
yߓw5ߕ~w]zڧ>bvR_z]mYn?TޝZQ[}q;{}[zǻcSmԺ+.ԍ+3_7>^QeyNnݏMgu}/˿U~foݍ/=y={k]I~E
+tZ8?6ν~}dSLaW,l>gcw&|ӆu/oq'UwOA{R譞+	1cF)'ū)ޜ;5A5__ݿ-x6֞NneFcv\gܝx0gfiлFG_t>>͛W5)kX%\ΆlKi@Mgwn=eݙ69;3O⇍WnʍrNCpJC7>9ҞڕNԅiyO+4hjA~7n?::cOR7Kw8D>^0o?r^4Vx+z!m/mF]Xu8j{u8qI4Q<:8=߷'41IR#R)'ɇ"'tN>I:EuG|aFg*]Ώ=~eXfN2ǂMA3VcDO%{D_KyQN$,jUu]y]XJ>O@=|cxZ͋&sGS)mzs8rAOλ< 0zBP,X{P5ZZzB6{m\NQo?Ɔc
ma7ȋjv|;j;6/ZK%O{Q9Pr_ܛ)L
:~P[˛Q7
jMVS
:jM7dAknNwqțgw{־{d7!P_޼-NƏTkcWXw_J*k>%\)b ɑTE_W`qr&c"oFn4\p`#_ɶ䳧P!a6'`ϮRk@٣7	Ef:.,emkE>42@DB>EZ[W`<5;S0A2IUbF)'g+8@FKԪd†YN1`R=6:@:` 3`0tv@€\-bMɵ9RZb纶r_d5P}j
5
Pkt6Eh͸_nABFG b/u沵1OFeЩ9CMzʰf%1rѣ5Vfh)%=)-f)BG͚8TJ?TbN{S+@"9ib[0\AJ1QT,
REK.w2Y.RہZ%\D,*A-辉Kѻ7D1Q=80k!
TB(7^BudYU~W|@]
E/opn+c{˹ A&Fڦ7Qqٷ<(d'!ۖC5JLnB/E
@46ӻ1댆y$"o_ I!ĪD@I@$Juq'”b9wꕞR56%޻#{ kUȥe&)мkȴczNBMFokq̚%BhCz/GJVhuzhLb!P޽Md]
)&3/e2d45NRBn&KUC=qa~-[*^xb(֖ح"ќڟ(ڦF%ŪT"V
)GsLD5hhmTdr9!c
4}0KNG	#4A^®X'cM9!lHSqz2y)E	,qjj#b>'&ZKzFavVJsB%s"R1S4I*cd&T`R/Bb,h:z@(s6SyvVܡkj¬wu!syPTbMfա`S	6#t"ҿh?OU43:7x7ieg8$T7)Qi'67b
ڳ8to#
04'r :#Xysg;vzk9B*5&Ax٩ްElƖ|Ay5V뼛,?;Y٦]zA@$1(H4m5)qCuWs
B$á!xo]R3O ɤW2Gݓf $grzL@xWxUC$Yˀ#(64ΦMlƾ4T\#p䚘)}LhِH5P8K{g/[.ڒB\K	c]1%7Ȍ"kL4/]
;ny	`')$a/]~8x`=zl6x
bv>g6z5A!D&{5-Js꿢Kgٿ&ʚ1faJZfx`m!`@R5ˢٙux`5ʥ2)#0W5I/QOR^>D0J89AV2\uß_HBejI,Q@in͹9{3B>h zE咼EbU@93G4F-P4AJ$&>AxMMƆƦ~;r-hcNa0|]i&5Ƌp$Ɠk@۽= 1 }
  requires { 2 <= base <= 62 }
  ensures  { forall x. x <> r -> mpz_unchanged x mpz (old mpz) }
  ensures  { mpz.readers[r] = 0 }
  ensures  { result = 0 ->
             value_of r mpz = value_text base (pelts sp) (offset sp) }
  ensures  { -1 <= result <= 0 }
  ensures  { result = 0 <-> string_in_base base (pelts sp) (offset sp) }
=
  let sign = if C.get sp = minus_char then 1 else 0 in
  let ghost slen = strlen sp in
  assert { slen >= 0 };
  assert { sign = 1 -> slen >= 1
           by (pelts sp)[offset sp] <> zero_char };
  assert { valid sp (slen + 1) };
  let ref spi = C.incr sp sign in
  if C.get spi = zero_char
  then begin
    assert { slen = int32'int sign };
    assert { not string_in_base base (pelts sp) (offset sp) };
    set_size_0 r;
    return -1
  end;
  let dp : ptr uchar = salloc (strlen sp) in
  let ref digit : uchar = 0 in
  let ref dn = 0 in
  assert { valid sp (strlen (pelts sp) (offset sp) + 1) };
  label Loop in
  while (C.get spi <> zero_char) do
    variant { offset sp + strlen (pelts sp) (offset sp) - offset spi }
    invariant { offset spi = offset sp + sign + dn }
    invariant { offset sp + sign <= offset spi
                <= offset sp + strlen (pelts sp) (offset sp) }
    invariant { min sp <= offset spi <= max sp }
    invariant { abs_value_sub_text base (pelts sp)
                                   (offset sp + sign) (offset spi)
                = svalue_sub base (pelts dp) 0 dn }
    invariant { in_base base (pelts dp) 0 dn }
    invariant { (pelts spi)[offset spi] <> 0 <->
                offset spi < offset sp + strlen (pelts sp) (offset sp) }
    invariant { min spi = min sp /\ max spi = max sp }
    invariant { plength spi = plength sp }
    invariant { pelts spi = pelts sp }
    invariant { mpz = mpz at Loop }
    invariant { text_in_base base (pelts sp) (offset sp + sign) (offset spi) }
    assert { offset spi < offset sp + strlen (pelts sp) (offset sp) };
    let c = C.get spi in
    assert { c <> zero_char };
    begin ensures { 0 <= digit < base -> digit = text_to_num base c }
          ensures { digit >= int32'int base ->
                    not (string_in_base base (pelts sp) (offset sp)) }
          ensures { 0 <= digit }
    if 36 < base
    then begin
      if code zero_num <= code c && code c <= code nine_num
      then digit <- UChar.of_int32 (code c - code zero_num)
      else if code small_a <= code c && code c <= code small_z
      then begin
        let ghost d = code c - code small_a + 36 in
        assert { d = text_to_num base c };
        digit <- UChar.of_int32 (code c - code small_a + 36)
      end else if code big_a <= code c && code c <= code big_z
      then digit <- UChar.of_int32 (code c - code big_a + 10)
      else begin
        assert { text_to_num base c = -1 };
        digit <- UChar.of_int32 base
      end
    end
    else begin
      if code zero_num <= code c && code c <= code nine_num
      then digit <- UChar.of_int32 (code c - code zero_num)
      else if code small_a <= code c && code c <= code small_z
      then begin
        let ghost d = code c - code small_a + 10 in
        assert { d = text_to_num base c };
        digit <- UChar.of_int32 (code c - code small_a + 10)
      end else if code big_a <= code c && code c <= code big_z
      then begin
        let ghost d = code c - code big_a + 10 in
        assert { d = text_to_num base c };
        digit <- UChar.of_int32 (code c - code big_a + 10)
      end else begin
        assert { text_to_num base c = -1 };
        digit <- UChar.of_int32 base
      end
    end;
    assert { string_in_base base (pelts sp) (offset sp) -> digit < base
             by text_in_base base (pelts sp) (offset sp + sign)
                                  (offset sp + slen)
             so offset sp + sign <= offset spi < offset sp + slen
             so 0 <= text_to_num base (pelts sp)[offset spi] < base
             so digit = text_to_num base (pelts sp)[offset spi] };
    end;
    if digit >= UChar.of_int32 base
    then begin
      (* sfree dp *)
      set_size_0 r;
      return -1
    end;
    assert { digit = text_to_num base c };
    let ghost odp = pure { dp } in
    C.set_ofs dp dn digit;
    assert { in_base base (pelts dp) 0 (dn + 1) };
    svalue_sub_frame (int32'int base) (pelts dp) (pelts odp) 0 (int32'int dn);
    svalue_sub_head (int32'int base) (pelts dp) 0 (int32'int dn + 1);
    dn <- dn + 1;
    spi <- C.incr spi 1;
  done;
  if dn = 0
  then begin
    assert { strlen (pelts sp) (offset sp) = sign };
    assert { not string_in_base base (pelts sp) (offset sp) };
    (* sfree dp *)
    set_size_0 r;
    return -1;
  end;
  assert { strlen (pelts sp) (offset sp) = dn + sign };
  assert { string_in_base base (pelts sp) (offset sp) };
  assert { dn * 8 + 63 <= max_int32 };
  let bits = wmpn_base_power_of_two_p (Limb.of_int32 base) in
  if bits > 0
  then begin
    assert { dn * bits <= dn * 8 };
    let alloc = (dn * UInt32.to_int32 bits + 63) / 64 in
    let rp = wmpz_realloc r alloc in
    assert { power 2 (bits * dn) <= power radix alloc
             by power radix alloc
                = power (power 2 64) alloc
                = power 2 (64 * alloc)
             so let m = mod (dn * bits + 63) 64 in
             dn * bits + 63 = 64 * alloc + m
             so 0 <= m < 64 };
    let rn = wmpn_set_str_bits rp alloc dp (UInt32.of_int32 dn) bits in
    ghost (if rn > 0 then value_tail rp (rn - 1));
    assert { rn > 0 ->
             value rp rn >= power radix (rn - 1)
             by (pelts rp)[offset rp + rn - 1] > 0
             so power radix (rn - 1) * (pelts rp)[offset rp + rn - 1]
                >= power radix (rn - 1)
             so value rp (rn - 1) >= 0 };
    let rn = if sign <> 0 then -rn else rn in
    assert { sgn_value rp rn = value_text base (pelts sp) (offset sp)
             by value rp (abs rn) = svalue base dp dn
                = abs_value_sub_text base (pelts sp)
                  (offset sp + sign) (offset sp + sign + dn)
             so if sign <> 0
                then sgn_value rp rn = - value rp (abs rn)
                  so (pelts sp)[offset sp] = minus_char
                  so sign = 1
                  so strlen (pelts sp) (offset sp + 1) = slen - 1
                  so value_text base (pelts sp) (offset sp)
                     = - abs_value_sub_text base (pelts sp)
                       (offset sp + sign) (offset sp + sign + dn)
                else sgn_value rp rn = value rp rn
                  so value_text base (pelts sp) (offset sp)
                     = abs_value_sub_text base (pelts sp)
                       (offset sp + sign) (offset sp + sign + dn) };
    set_size r rn rp;
    release_writer r rp;
  end
  else begin
    let info = wmpn_get_base_info (Limb.of_int32 base) in
    let alloc = (dn + (UInt32.to_int32 info.exp) - 1)
                / UInt32.to_int32 info.exp in
    assert { power base dn <= power radix alloc
             by let m = mod (dn + info.exp - 1) info.exp in
             dn + info.exp - 1 = info.exp * alloc + m
             so power base info.exp <= radix
             so 0 <= m < info.exp
             so dn = info.exp * (alloc - 1) + m + 1
                   <= info.exp * alloc
             so power base dn <= power base (info.exp * alloc)
                = power (power base info.exp) alloc
                <= power radix alloc };
    assert { alloc > 0
             by dn + info.exp - 1 >= info.exp };
    let rp = wmpz_realloc r alloc in
    let rn = wmpn_set_str_other rp alloc dp (UInt32.of_int32 dn)
                                (Limb.of_int32 base) info in
    let ghost orn = rn in
    label Size in
    value_tail rp (rn - 1);
    let rn = rn - if C.get_ofs rp (rn - 1) = 0
                  then begin assert { rn = 1 /\ svalue base dp dn = 0 };
                       1 end
                  else 0 in
    assert { rn >= 0 };
    assert { value rp rn = value rp orn };
    ghost (if rn > 0 then value_tail rp (rn - 1));
    assert { rn > 0 -> value rp rn >= power radix (rn - 1)
             by rn = orn
             so (pelts rp)[offset rp + rn - 1] > 0
             so power radix (rn - 1) * 1
                <= power radix (rn - 1) * (pelts rp)[offset rp + rn - 1]
             so value rp (rn - 1) >= 0 };
    let rn = if sign <> 0 then -rn else rn in
    assert { sgn_value rp rn = value_text base (pelts sp) (offset sp)
             by value rp (abs rn) = svalue base dp dn
                = abs_value_sub_text base (pelts sp)
                  (offset sp + sign) (offset sp + sign + dn)
             so if sign <> 0
                then sgn_value rp rn = - value rp (abs rn)
                  so (pelts sp)[offset sp] = minus_char
                  so sign = 1
                  so strlen (pelts sp) (offset sp + 1) = slen - 1
                  so value_text base (pelts sp) (offset sp)
                     = - abs_value_sub_text base (pelts sp)
                       (offset sp + sign) (offset sp + sign + dn)
                else sgn_value rp rn = value rp rn
                  so value_text base (pelts sp) (offset sp)
                     = abs_value_sub_text base (pelts sp)
                       (offset sp + sign) (offset sp + sign + dn) };
    set_size r rn rp;
    release_writer r rp;
  end;
  (* sfree dp *)
  return 0


endwhy3-1.6.0/examples/multiprecision/mpz_set_str/000077500000000000000000000000001440160026300216415ustar00rootroot00000000000000why3-1.6.0/examples/multiprecision/mpz_set_str/why3session.xml000066400000000000000000002256401440160026300246720ustar00rootroot00000000000000










 
 
  
  
  
  
  
  
  
  
  
  
  
   
   
   
   
   
   
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
   
   
    
    
    
   
   
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
   
   
    
    
     
     
     
     
     
     
     
     
     
     
     
     
     
     
     
     
     
     
    
    
   
   
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
  
  
  
  
  
  
  
  
  
  
   
   
   
   
   
   
  
  
  
  
  
  
  
  
  
  
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
   
   
    
    
     
     
      
      
      
      
      
       
       
       
       
       
       
      
      
     
     
    
    
   
   
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
   
   
   
   
   
    
    
     
     
     
    
    
    
    
    
   
   
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
   
   
    
    
     
     
      
      
      
      
      
      
     
     
    
    
   
   
  
  
  
  
  
  
  
   
   
    
    
     
     
     
      
      
      
      
     
     
    
    
   
   
   
   
   
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
  
  
  
  
  
  
  
  
  
  
  
  
  
   
   
    
    
    
   
   
  
  
  
  
   
   
    
    
     
     
     
     
     
     
     
     
     
     
     
     
     
     
     
     
     
     
    
    
   
   
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
   
   
   
   
   
   
   
   
   
   
   
   
  
  
  
  
  
  
  
   
   
    
    
     
     
     
     
     
     
    
    
    
    
    
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
    
    
    
    
    
    
    
    
    
   
   
   
   
   
   
   
   
   
   
    
    
    
    
    
    
   
   
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
   
   
   
   
   
    
    
    
    
    
    
   
   
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
  
  
  
  
   
   
   
   
   
   
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
   
   
    
    
     
     
     
     
     
     
     
     
     
     
     
     
     
     
     
     
     
     
    
    
   
   
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
   
   
   
   
   
   
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
  
  
  
  
  
  
  
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
    
    
    
    
    
    
    
    
    
   
   
   
   
   
   
   
   
   
   
    
    
    
    
    
    
   
   
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
   
   
   
   
   
    
    
    
    
    
    
   
   
  
  
  
  
  
  
  
  
  
  
  
  
  
  
 
 



why3-1.6.0/examples/multiprecision/mpz_set_str/why3shapes.gz000066400000000000000000000375721440160026300243170ustar00rootroot00000000000000Yo\G_遁-qV˷F|42>qc(ț
7+
U~"&o?ƛCJqv:>h7}oɄӊ;Y˟>~O=J͊T_7>~Ovid~uM$׏WZY=GfcFVh]7?+`XD5SrGi|Y7wt8XIR]~y@SfAqoojaUatg"wHnPiL}ԁtBc;睵nCO>n&3Wgpu>{[uSvsȷOݧ	>mfGA؝G9=Xh9p56l~|$>^oZA%X{\?b0}W}.`{GQw=_}hw'ƟC}nnhXUu=iOjCvyѸb+y_ɽ1xW
γxq0s_6&kq76N֭:*0u3PYu1͏L?ǿPկūUwsV|Ûժ7N`Uf;swcl$ڂf{u_?w'+Ǔg=aͯ/|j't<4F'Z>M%}d#g[n#}99W_glY
Nu~T>+PkGv<~oh>~rQu᙭
0:H0:GǃF__f~x&L|=ۯQ65ip'9E}}tByMkl,۸|fv+^
]Y;㍇Ffy>ɹ<ȹl׶[c=n |ǝ{2N2$y#a7(ap;?<`$&_Jae%bKwݲ-O:_u}stTuzчH-[؃~O]+B}<̌ߗ$|imҷf,z&#~}zU%ꗳ&w7;&訵&h?9m##ͱf+ߌq0>|B?e	cW`ƍ_z/O6+pY4ϒe;8[
n}cfg=COp?jyshO^ݧw7i̇J6ܮCWߺCm_ۚ(#4rL7A9IAQﭩCѬlwMmVmգ%4~OEys)089pg퇽Iƴn7ޮЯ}I۵fXha-zn[nRntXcJ%mQ޷{ByюtVKw{r5U{op;cUjz?Ͽ%iT$
NTdh&`zH\WOз~Wksֱ7a]-_ikycz@܅_dr>Nwy+Ɂf_d(
*~СVdO	}}NG_Wa(:q f<\t\lrZc|Vǁ
6nwXIxoa0{U?{oL<߾?h(_〣X@MwrU`ny?o?\'·{;om|BgCh9>yu,?[b l%*eн>Nmc#}]n"<@՟	s8зV8`z&o,;6hAphǪ8:}ã\xƴG]0p'u1
tF˫wӾċ{-}zWOXMZOPl.|n2*ߊf۹Xhp'J[i+m@jJٛ/ev:Awh#sțܒ'&CIϮq]ЮNq{G[8{^}ZjnFGӫ_<~>t3?_ؽ'v<%NoO,vzvck:=՝^0W+
R;8Cl vW0mhl`-.w$pKI:w,
ئjݍp袀s74qo&/%YIRG%cI@x5z"gc	Bz־GI^۞3MV};׍d|p!F6>nu»o|`R;6Ǿ0	NL+{ENN9S:E9BЙ8{3lTlp|
6|?Z	Xjsjq~ݏ(yC]y}wE>C3۬\QZ؂SF-	w6lz*dJ9,|r$SO'S9.Uza<_VKuٗ?&V~7)&<p~r9~F\h"-|>&-rW;Qiom@og۩qMa߳Y,??-Y'ҍX*{4
|{zy;8VeV|v
K
Wrbs4ͥ07fF_~P˛mLWo~wl}ix/<2*
C{;=Z(zf={jhkNn̲[5W7-Ç-{rlOr25|hXzűk;'XsLjo5ȵ;f
|)!DZ:rJõkkk*V>E
=}7kB赀[EP'C({f3wvK3DCƈq*@L'b.}/)/u*LG
#^ԤƑt5yO
J¢&D(45!*ԕ#H(Uiyt`HNj)Z#%XR^ 5YQ(רEjgٗAfh`@ra%rט_<Var:)S]s:GPbu@jڬyq_&rīva
xp˧B+!վ+j 	[֊EϪ<$:|CetJԥ_NFW3_Dc (Ś)jKjmnL3j.TӘ5y4uA%L~'jvsrvFK3DՑ-NMv#Xp22y1"iL[<5qvtanŒ}WYΑl$ScTr+vѫt^@mr2pTM:
xi8:dSʖKjHeZ
u(٤fո
/'qzMsFѰs$lK1
oz 5\NSwbk]p5KOfVgv/CBq!
P[+r+yVj_q/̬1lϑ!
"s:,XщK5<{)QEXR@q<^(=UAcL@к*{+J`#9NCshA}t<K經"UUXԻ%`s}0ׄ*zBTjT=xRZ*g^9@Rx-AL1F
Bbmd
`ū0o.y<0Sa%a9{pꅰSeܤAq_
bD@9舐*MruH2`i)yujSڐ\###TWFH,`k;	b.S͉\>B)Gvتf:w̝\>J$)T:^4\Q|pa41s. {֨2[3Cs1ԖsST+lGrl.Ǣ[?Z,ImM_wh wV>Y^*p[A`kK,dӲʋ6pg7|F
:<ʻ(_\ݔ@[P@~
û\Ȟa kcEv{PwCPtd߷ˆ1H.r1sK]F_vE=h|^05QR9PV~~cenAs+$UE#C'
j{r,}<]&*ˆą֋OcL+Vo4#at[3mb=](PU{$Kc,#("r<]&pB	B_.]S;G ;# .

>ml'pJh8	R^{1^x)BR)h-i_IEkC2UiSE#}>=gVgC!*[lC7wlR/5EYNcz>ͦrVh
`glK{l2\%1h(F6\b!{!T-Q-Wfi'G#~ެFQj9
vrQ7971x(AȅjrsUh*"n"9K?oa1C*$i}/Gcw;Ge_k\_.F9Svj^c?onkjRa(Q;ѣ?ov]."G I^;u?"?o^TY@UuCx}Нd눟7hSrIIJFnqKad
5%)aSl/ϡ6AU.kG./TH+t@uGQ8;{$bSi8Yg}ė
G	{\(5cS$P<_6#djt;}2J>+owhe#RecvǕJO*&:y_6$at
)C$CQ[:IRkջS/
;Ι1罎
\>BRqd(SRg}_ӹ/6/,veLG|ٰN2gܓ5;'>QѺf&y誟R/!`֘_ze5LCF6v9e70ue9Z(cI5(	#~+ĂdP 8%ؘP՘!vW,$ޯpKC]
/mV:h%&<LGPЦ|i
wJ0elzT'%!JKnD-*86s:u|P$sO-wq{Y?TVIER`肪fh="\mc\|L#!TC;UEX:u}5EVN"P*ɱ]˪ӠXՎoNqYOC ;ddjiX>`ÜAF
%c@W!7沾?4jsĽg(ٮ<4rBydq~	yg,xJ*'O״<6xܰR\bUȍ	:[>u
Ni@^	RntY;•ɧSk׊)է=Oh\ulu8_WHKPshlZP/V;(Q%Ls*%VoӖyߚRmjOZ4h;:ʣ|[6%r	d9ךXLJCV`jd!K~yLaR|Il)]5E!?B[wYJ%r$	
оZjrAp@9Cr%z#ڤd)Χ9-MZ?ƪV~
{];f=zV(=F>ڛp=1USYT?F4SR̺UcH%tZrҋ˪sx@+qHUVC20CcQ
dE-rMC|JC tLh,RMz4g-{8PK_2P#At~;n@-`J]bfE~L?($23LW+x@
pȘ0>w>kZkZ0]wߦ5ָo9Y[%$9u'+^E=!9W1̊k^%^ޠ^RJ۠VTbQE%^Z6(YA
N8M=5e*t1P(7)8-v#QTo`';Kmj3KPPu-RS%kSb3	Xe;:FJ6+uw+P*9$q!9DȽ~/;t׫j̩ѣ'x2JiCc%p];t'
ǝuB%PC6ڕgĤ.+KbPIȃD2@^3ܪHNE{_J5h$q/!NCU>9ۭd*1jst˥C\ēľ(8ƨvD#|ʈ옌IަǬ`5gr#`JQH]b͎)ZCn0DmVe^O炤QңKc
C :^Z8,ΩF]wk貆)-䬇+%N.{:'um@#S̯&+E@uZS[T!Z{ЍpN~hG
{0 u%zbAWi(uh0gwiiF+f3(Z#DR	Z43&Q#;(ڠ]9yFyʜж|)XCԵ6YbKt14^@Pɡƫv+*d
V	zheyPV-=n[X54JaAu4B</[Ϫ2@}PWCrx4{kC34TP93L+=1.`̟$gLX#헽vPؒmW'n02X[+[\@ˢ@62._ȖCvOgȮߣ}Ž..QM{#	jKzᄟ_0\0	--rDA;Mʂ/s)YZ\Cmkٹ~jUH@RZDhSln4N9VBK"ຟ}be-XrhE+b'ui%\#X݂YS/7	;|`yւb+Q]XԕLcHkq4/,3`yG
P"eR#(:	KZ{vFӍ*p73ݒZM/+s6xb,ZnkWsse"_x%^یsJB9x;uWŌ|cj
.EH|q9be:"tl4~x
L!|\B`&}2IyVRH$j?aT)-<;%a(,ưQ-;ꪡt(GJsł&EclNK#(`*}4st~WW]Xku}8,22U$'a|JrI~EeHslAn"`'9,6j,c~d	vvF&YEJLWPGc4ۉ䛎!QvB L&N]d78AF=we@"sX˳Z	Jbs ]lΌ-	kHSX$ɶh|x\1dX>|4vXEFh3iE#-Sk4bB e1*NOHT<[' 9v:$jɅN+"g(;*EUEl}N{ov`2H&
6H/>aVZ3,Ĵ29.jʩM6b~kZR3rw\[7|pͧj=FmS4Y0_T2C{Cw<;f{kEL5rc|Q21%ш,w(`i~Ў$
3je"PJR*CLVNl
Bv,G~C*Sd@s~@U;zJ$q1:nMGUy-M\6>'B

ATc
00"d,n!s0Xm۬|`Y<&нJm&)N[I%?'
찷,$.5L>hPsMëoe$2'PRYv
#"(-e!
)L)ẓ6kBa:[:sF+.zk,#m[KIKEOA B.l[n%R()VCg'n.0jI\|H\v
9aڥtvXqQފ`M#Zz1&.<,=JXbFPWC^mH*i&|
wb4>M.oҸ)ۤAԎŅ@MPAU4WV/}7&2݈IMR@Ǚ!N{mݓ08f:舋@zǨ^o]С2mq?ڀq:ٍ |P#D@`h|
qڂE(̷c{d4?zW`yZD4p"gAu#`_/	:L5h¹b"?@cQ]4RsW'~Т!AsɆj9;j%}9hB˄O6)!KԨ;_KlG0|a!\ˮQ
MFz2異hsX:e
Tz)K]ƋОКj!'^?d?5x"g'h׆qOɩ5FA9JDkEO*MX_(W%TϒJub4" 8T%d>GK5,0z:-z)^MZ+G*ȱD_zuأF͙C"9vp?$Zti$e=+BSTF9K˘T(QU#q鮘n5:w`Y$TYj[8:Bex)N(reP<YY%JfKI#A"'RRa>a0+±ZJQ%[S%Ԡ~-LZJFrɩvK2ru[q%L^lA	^1.UM_gIT},-4$i%|BTPztlk*լ	/|E6G	6
QT&O#MZ-HJQ]Bڒx=!ҰC٤aRX|RlVs0B-a
d&I.g!3p3dCѬSs
pshWU YlmU$'05YdejcMw5wq:Boh(o?ؖawPEЩmY˰khkuuդqv=.­3
P԰g`Zdd9J뛋[t%y)1I*rL_L]SDd7f\Ƨ-UBD)ҘpEHr}$K
䋤cP\
u_E/Lц>&Iң%l_lyutS9kR*/1+,َ,}y򍭩z"1عN"F\de<\K,\SdsUhdS*2@[+vr&_1ι`-Y0-b_Ёp"}CzR;u^_(9
hVB
u%tX~ABoT](BKꩍJu6]Ӽ\b/If˴@]5'.g_$

jk_f]&Yi¯!^q@[b y	=,¿4'Hnے$F"Pm~Z:v"Rwhy3-1.6.0/examples/multiprecision/mpz_sub.mlw000066400000000000000000000653641440160026300215060ustar00rootroot00000000000000module Zsub

use int.Int
use int.Power
use map.Map
use mach.int.Int32GMP
use ref.Ref
use mach.c.C
use lemmas.Lemmas
use util.Util
use ptralias.Alias
use compare.Compare
use import mach.int.UInt64GMP as Limb
use add.Add
use sub.Sub
use int.Abs
use mpz.Z
use mpz.Zutil

let wmpz_sub (w u v: mpz_ptr) : unit
  requires { mpz.alloc[w] >= 1 /\ mpz.alloc[u] >= 1 /\ mpz.alloc[v] >= 1 }
  requires { mpz.readers[w] = 0 /\ mpz.readers[u] = 0 /\ mpz.readers[v] = 0 }
  requires { mpz.abs_size[u] < max_int32 /\ mpz.abs_size[v] < max_int32 }
  ensures  { value_of w mpz = old (value_of u mpz - value_of v mpz) }
  ensures  { forall x. x <> w -> mpz_unchanged x mpz (old mpz) }
  ensures  { mpz.readers[w] = 0 /\ mpz.readers[u] = 0 /\ mpz.readers[v] = 0 }
=
  label Start in
  let ghost ou = pure { u } in
  let ghost ov = pure { v } in
  let ref u = u in
  let ref v = v in
  if (mpz_eq u v) then begin set_size_0 w; return (); end;
  let ref usize = size_of u in
  let ref vsize = - (size_of v) in
  assert { vsize >= 0 <-> value_of v mpz <= 0 };
  let ref abs_usize = abs usize in
  let ref abs_vsize = abs vsize in
  let ghost ref swapped = false in
  begin
    ensures { mpz.abs_size[u] = abs_usize /\ mpz.abs_size[v] = abs_vsize }
    ensures { abs_vsize <= abs_usize < max_int32 }
    ensures { 0 <= abs_vsize <= mpz.alloc[v] }
    ensures { 0 <= abs_usize <= mpz.alloc[u] }
    ensures { mpz.alloc[u] > 0 /\ mpz.alloc[v] > 0 }
    ensures { mpz.readers[u] = 0 /\ mpz.readers[v] = 0 }
    ensures { swapped <-> old abs_usize < old abs_vsize }
    ensures { swapped ->
                abs_usize * (old mpz).sgn[u] = - usize /\
                abs_vsize * (old mpz).sgn[v] = vsize }
    ensures { not swapped ->
                abs_usize * (old mpz).sgn[u] = usize /\
                abs_vsize * (old mpz).sgn[v] = - vsize }
    ensures { swapped -> - value_of u mpz + value_of v mpz
              = old (value_of u mpz - value_of v mpz) }
    ensures { not swapped -> value_of u mpz - value_of v mpz
              = old (value_of u mpz - value_of v mpz) }
    ensures { mpz_unchanged u mpz (old mpz) }
    ensures { mpz_unchanged v mpz (old mpz) }
    ensures { not mpz_eq u v }
    if Int32.(<) abs_usize abs_vsize
    then begin
      mpz_ptr_swap u v;
      let ref tmp_size = vsize in
      vsize <- usize;
      usize <- tmp_size;
      tmp_size <- abs_vsize;
      abs_vsize <- abs_usize;
      abs_usize <- tmp_size;
      swapped <- true;
      assert { value_of u mpz = old value_of v mpz
               /\ value_of v mpz = old value_of u mpz }
    end
  end;
  let ref wsize = Int32.(+) abs_usize 1 in
  let uw = mpz_eq u w in
  let vw = mpz_eq v w in
  label Realloc in
  let ompz = pure { mpz } in
  let wp = wmpz_realloc w wsize in
  assert { uw \/ mpz_unchanged u mpz ompz };
  assert { vw \/ mpz_unchanged v mpz ompz };
  assert { forall x. x <> w -> mpz_unchanged x mpz (mpz at Start) };
  label Op in
  if (bxor usize vsize < 0)
  then begin
     ensures { value wp (abs wsize)
               = old (abs(mpz.abs_value_of[u] - mpz.abs_value_of[v])) }
     ensures { sgn_value wp wsize
               = (value_of ou mpz - value_of ov mpz) at Start }
     ensures { uw \/ mpz.readers[u] = 0 }
     ensures { vw \/ mpz.readers[v] = 0 }
     ensures { mpz.readers[w] = -1 }
     ensures { forall x. x <> w -> mpz_unchanged x mpz (mpz at Start) }
     ensures { abs wsize <= plength wp }
     ensures { wsize <> 0 ->
               value wp (abs wsize) >= power radix (abs wsize - 1) }
     ensures { min wp = old min wp /\ max wp = old max wp
               /\ plength wp = old plength wp }
    assert { (usize >= 0 /\ vsize < 0)
             \/ (usize < 0 /\ vsize >= 0) };
    if abs_usize <> abs_vsize
    then begin
      begin ensures { value wp abs_usize
                      = old (mpz.abs_value_of[u] - mpz.abs_value_of[v]) }
            ensures { uw \/ mpz.readers[u] = 0 }
            ensures { vw \/ mpz.readers[v] = 0 }
            ensures { mpz.readers[w] = -1 }
            ensures { forall x. x <> w -> mpz_unchanged x mpz (mpz at Start) }
            ensures { min wp = old min wp /\ max wp = old max wp
                      /\ plength wp = old plength wp }
      if uw
      then begin
        assert { not vw };
        let vp = get_read_ptr v in
        let _b = sub_rx wp abs_usize vp abs_vsize in
        assert { _b = 0 };
        release_reader v vp
      end else if vw
      then begin
        let up = get_read_ptr u in
        let _b = sub_ry up abs_usize wp abs_vsize in
        assert { _b = 0 };
        release_reader u up
      end else begin
        let up = get_read_ptr u in
        let vp = get_read_ptr v in
        let _b = sub wp up abs_usize vp abs_vsize in
        assert { _b = 0 };
        release_reader u up;
        release_reader v vp
      end
      end;
      wsize <- abs_usize;
      normalize wp wsize;
      if usize < 0 then wsize <- -wsize;
      assert { sgn_value wp wsize =
               (value_of ou mpz - value_of ov mpz) at Start
               by if swapped
               then (value_of ou mpz - value_of ov mpz) at Start
                    = (- value_of u mpz + value_of v mpz) at Start
                 so if usize < 0
                    then vsize >= 0
                         so sgn_value wp wsize
                         = - value wp abs_usize
                         = - value_of u mpz + value_of v mpz at Start
                    else vsize < 0
                         so sgn_value wp wsize
                         = value wp abs_usize
                         = - value_of u mpz + value_of v mpz at Start
               else (value_of ou mpz - value_of ov mpz) at Start
                    = (value_of u mpz - value_of v mpz) at Start
                 so if usize < 0
                    then vsize >= 0
                         so sgn_value wp wsize
                         = - value wp abs_usize
                         = value_of u mpz - value_of v mpz at Start
                    else vsize < 0
                         so sgn_value wp wsize
                         = value wp abs_usize
                         = value_of u mpz - value_of v mpz at Start };
    end
    else begin
      wsize <- abs_usize;
      if uw
      then begin
        assert { not vw };
        let vp = get_read_ptr v in
        if wmpn_cmp wp vp abs_usize < 0
        then begin
          let _b = sub_n_ry vp wp abs_usize in
          assert { _b = 0 };
          label Norm in
          normalize wp wsize;
          if usize >= 0
          then wsize <- -wsize;
          assert { value wp (abs wsize) = (value wp abs_usize at Norm) }
        end else begin
          let _b = sub_n_rx wp vp abs_usize in
          assert { _b = 0 };
          normalize wp wsize;
          if usize < 0 then wsize <- -wsize
        end;
        release_reader v vp
      end else if vw
      then begin
        let up = get_read_ptr u in
        if wmpn_cmp up wp abs_usize < 0
        then begin
          let _b = sub_n_rx wp up abs_usize in
          assert { _b = 0 };
          label Norm in
          normalize wp wsize;
          if usize >= 0 then wsize <- - wsize;
          assert { value wp (abs wsize) = (value wp abs_usize at Norm) }
        end else begin
          let _b = sub_n_ry up wp abs_usize in
          assert { _b = 0 };
          normalize wp wsize;
          if usize < 0 then wsize <- - wsize
        end;
        release_reader u up
      end else begin
        let up = get_read_ptr u in
        let vp = get_read_ptr v in
        if wmpn_cmp up vp abs_usize < 0
        then begin
          let _b = sub_n wp vp up abs_usize in
          assert { _b = 0 };
          label Norm in
          normalize wp wsize;
          if usize >= 0 then wsize <- -wsize;
          assert { value wp (abs wsize) = (value wp abs_usize at Norm) }
        end else begin
          let _b = sub_n wp up vp abs_usize in
          assert { _b = 0 };
          normalize wp wsize;
          if usize < 0 then wsize <- -wsize
        end;
        release_reader u up;
        release_reader v vp
      end
    end
  end
  else begin
    assert { (usize >= 0 /\ vsize >= 0)
             \/ (usize < 0 /\ vsize < 0) };
    let ref cy = 0 in
    begin
          ensures { value wp (abs wsize)
                    = old (abs(mpz.abs_value_of[u] + mpz.abs_value_of[v])) }
          ensures { value wp wsize
                    = abs (value_of ou mpz - value_of ov mpz) at Start }
          ensures { uw \/ mpz.readers[u] = 0 }
          ensures { vw \/ mpz.readers[v] = 0 }
          ensures { mpz.readers[w] = -1 }
          ensures { forall x. x <> w -> mpz_unchanged x mpz (mpz at Start) }
          ensures { wsize <> 0 ->
                    value wp (abs wsize) >= power radix (abs wsize - 1) }
          ensures { min wp = old min wp /\ max wp = old max wp
                    /\ plength wp = old plength wp }
          ensures { abs_usize <= wsize <= plength wp }
    assert { abs(mpz.abs_value_of u + mpz.abs_value_of v)
             = abs (value_of ou ompz - value_of ov ompz) };
    if uw
    then begin
        assert { not vw };
        let vp = get_read_ptr v in
        cy <- add_rx wp abs_usize vp abs_vsize;
        release_reader v vp
      end
    else if vw
      then begin
        let up = get_read_ptr u in
        cy <- add_ry up abs_usize wp abs_vsize;
        release_reader u up
      end
      else begin
        let up = get_read_ptr u in
        let vp = get_read_ptr v in
        cy <- add wp up abs_usize vp abs_vsize;
        release_reader u up;
        release_reader v vp;
      end;
    label Set in
    assert { value wp abs_usize + power radix abs_usize * cy
             = old abs(mpz.abs_value_of[u] + mpz.abs_value_of[v]) };
    value_sub_update_no_change (pelts wp) (int32'int abs_usize)
                                    0 (int32'int abs_usize) cy;
    set_ofs wp abs_usize cy;
    value_tail wp abs_usize;
    assert { value wp (abs_usize + 1)
             = value wp abs_usize at Set + power radix abs_usize * cy };
    begin ensures { if cy = 0 then wsize = abs_usize
                              else wsize = abs_usize + 1 }
      wsize <- abs_usize + Limb.to_int32 cy;
      value_tail wp abs_usize;
    end;
    assert { wsize <> 0 -> value wp wsize >= power radix (wsize - 1)
             by
             if cy = 0
             then wsize = abs_usize
                  so abs_usize = ompz.abs_size u >= 1
                  so value wp wsize >= ompz.abs_value_of u
                  >= power radix (abs_usize - 1)
             else value wp wsize
                  = value wp abs_usize + power radix abs_usize * cy
                  >= power radix abs_usize * cy = power radix abs_usize };
    end;
    label Minus in
    if Int32.(<) usize 0
    then begin
      wsize <- Int32.(-_) wsize;
      assert { sgn_value wp wsize = - value wp (wsize at Minus)
               = - abs (value_of ou mpz - value_of ov mpz) at Start
               = (value_of ou mpz - value_of ov mpz) at Start
               by usize < 0 so vsize <= 0 };
    end
    else begin
      assert { sgn_value wp wsize = value wp wsize
               = abs (value_of ou mpz - value_of ov mpz) at Start
               = (value_of ou mpz - value_of ov mpz) at Start
               by usize >= 0 so vsize >= 0
               so if swapped
                  then value_of u mpz at Start <= 0
                       /\ value_of v mpz at Start >= 0
                  so (value_of ou mpz - value_of ov mpz) at Start
                     = - (value_of u mpz - value_of v mpz) at Start
                     >= 0
                  else value_of u mpz at Start >= 0
                       /\ value_of v mpz at Start <= 0
                  so (value_of ou mpz - value_of ov mpz) at Start
                     = (value_of u mpz - value_of v mpz) at Start
                     >= 0 };
    end;
    assert { sgn_value wp wsize = (value_of ou mpz - value_of ov mpz) at Start }
  end;
  set_size w wsize wp;
  assert { value_of w mpz = sgn_value wp wsize
           = (value_of ou mpz - value_of ov mpz) at Start };
  release_writer w wp

use add_1.Add_1
use sub_1.Sub_1

let wmpz_sub_ui (w u: mpz_ptr) (v: uint64) : unit
  requires { mpz.alloc[w] >= 1 /\ mpz.alloc[u] >= 1 }
  requires { mpz.readers[w] = 0 /\ mpz.readers[u] = 0 }
  requires { mpz.abs_size[u] < max_int32 }
  ensures  { value_of w mpz = old (value_of u mpz - v) }
  ensures  { forall x. x <> w -> mpz_unchanged x mpz (old mpz) }
  ensures  { mpz.readers[w] = 0 /\ mpz.readers[u] = 0 }
=
  label Start in
  let usize = size_of u in
  if usize = 0
  then begin
    let wp = get_write_ptr w in
    C.set wp v;
    assert { value wp 1 = v };
    set_size w (-(if v <> 0 then 1 else 0)) wp;
    assert { value_of w mpz = - v };
    release_writer w wp;
    return ();
  end;
  let abs_usize = abs usize in
  assert { 0 <= abs_usize <= mpz.alloc[u] };
  let uw = mpz_eq u w in
  let ref wsize = abs_usize + 1 in
  let ghost ompz = pure { mpz } in
  let wp = wmpz_realloc w wsize in
  assert { uw \/ mpz_unchanged u mpz ompz };
  assert { forall x. x <> w -> mpz_unchanged x mpz (mpz at Start) };
  let ref cy = 0 in
  if usize < 0
  then begin
    begin ensures { value wp abs_usize + power radix abs_usize * cy
                    = old (- value_of u mpz + v) }
          ensures { 0 <= cy <= 1 }
          ensures { uw \/ mpz.readers[u] = 0 }
          ensures { mpz.readers[w] = -1 }
          ensures { forall x. x <> w -> mpz_unchanged x mpz (mpz at Start) }
      if uw
      then begin
        cy <- wmpn_add_1_in_place wp abs_usize v
      end else begin
        let up = get_read_ptr u in
        cy <- wmpn_add_1 wp up abs_usize v;
        release_reader u up;
      end
    end;
    label Carry in
    C.set_ofs wp abs_usize cy;
    value_tail wp abs_usize;
    assert { value wp (abs_usize + 1)
             = value wp abs_usize + power radix abs_usize * cy
             = (- value_of u mpz at Start + v)
             by value wp abs_usize = value wp abs_usize at Carry };
    wsize <- - (abs_usize + (Limb.to_int32 cy));
    assert { sgn_value wp wsize = - value wp (abs_usize + 1) };
    assert { sgn_value wp wsize = (value_of u mpz at Start - v) };
    assert { wsize <> 0 -> value wp (abs wsize) >= power radix (abs wsize - 1)
             by if cy = 0
                then value wp (abs wsize) >= mpz.abs_value_of u at Start
                     >= power radix (abs_usize - 1)
                else value wp (abs wsize)
                     = value wp abs_usize + power radix abs_usize * cy
                     >= power radix abs_usize = power radix (abs wsize - 1) };
    end
  else begin
    begin ensures { sgn_value wp wsize = old (value_of u mpz - v) }
          ensures { abs wsize <= abs_usize + 1 }
          ensures { wsize <> 0
                    -> value wp (abs wsize) >= power radix (abs wsize - 1) }
          ensures { forall x. x <> w -> mpz_unchanged x mpz (mpz at Start) }
          ensures { uw \/ mpz.readers[u] = 0 }
          ensures { mpz.readers[w] = -1 }
      if uw then begin
        if (abs_usize = 1 && C.get wp < v)
        then begin
          assert { value_of u mpz = (pelts wp)[0] };
          C.set wp (v - C.get wp);
          wsize <- - 1;
          assert { sgn_value wp wsize = - value wp 1
                   = - (v - old (pelts wp)[0])
                   = old (value_of u mpz - v) };
        end else begin
          assert { v <= value wp abs_usize };
          assert { value wp abs_usize = value_of u mpz };
          assert { value wp abs_usize >= power radix (abs_usize - 1) };
          let ghost _b = wmpn_sub_1_in_place wp abs_usize v in
          assert { _b = 0 };
          assert { value wp abs_usize = value_of u mpz - v };
          value_tail wp (abs_usize - 1);
          assert { (pelts wp)[abs_usize - 1] = 0
                   -> value wp (abs_usize - 1) = value wp abs_usize };
          wsize <- abs_usize
                   - (if C.get_ofs wp (abs_usize - 1) = 0 then 1 else 0);
          assert { sgn_value wp wsize = value wp wsize
                   = old (value_of u mpz - v) };
          assert { wsize = 0
                   \/ value wp (abs wsize) >= power radix (abs wsize - 1)
                   by if (pelts wp)[abs_usize - 1] = 0
                      then
                        if abs_usize >= 2
                        then
                          wsize - 1 = abs_usize - 2
                          so v <= (radix - 1) * 1
                             <= (radix - 1) * (power radix (abs_usize - 2))
                          so power radix (wsize - 1) + v
                             = power radix (abs_usize - 2) + v
                             <= power radix (abs_usize - 2)
                               + (radix - 1) * power radix (abs_usize - 2)
                             = radix * power radix (abs_usize - 2)
                             = power radix (abs_usize - 1)
                        else abs_usize = 1
                             so value wp abs_usize = 0
                             so wsize = 0
                      else
                        power radix (wsize - 1) * 1
                        <=  power radix (wsize - 1) * (pelts wp)[abs_usize - 1]
                        <= value wp (wsize)
                   so value wp (abs wsize) = value wp wsize
                     = old (abs_value_of mpz u - v)
                     >= power radix (wsize - 1)
                     = power radix (abs wsize - 1) }
        end;
      end else begin
        let up = get_read_ptr u in
        if (abs_usize = 1 && C.get up < v)
        then begin
          assert { value_of u mpz = value up 1 = (pelts up)[0] };
          C.set wp (v - C.get up);
          wsize <- - 1;
          assert { sgn_value wp wsize = - value wp 1 = (pelts up)[0] - v};
        end else begin
          assert { v <= abs_value_of mpz u };
          let ghost _b = wmpn_sub_1 wp up abs_usize v in
          assert { _b = 0 };
          assert { value wp abs_usize = value_of u mpz - v };
          value_tail wp (abs_usize - 1);
          assert { (pelts wp)[abs_usize - 1] = 0
                   -> value wp (abs_usize - 1) = value wp abs_usize };
          wsize <- abs_usize
                   - (if C.get_ofs wp (abs_usize - 1) = 0 then 1 else 0);
          assert { sgn_value wp wsize = value wp wsize
                   = old (value_of u mpz - v) };
          assert { wsize = 0
                   \/ value wp (abs wsize) >= power radix (abs wsize - 1)
                   by if (pelts wp)[abs_usize - 1] = 0
                      then
                        if abs_usize >= 2
                        then
                          wsize - 1 = abs_usize - 2
                          so v <= (radix - 1) * 1
                             <= (radix - 1) * (power radix (abs_usize - 2))
                          so power radix (wsize - 1) + v
                             = power radix (abs_usize - 2) + v
                             <= power radix (abs_usize - 2)
                               + (radix - 1) * power radix (abs_usize - 2)
                             = radix * power radix (abs_usize - 2)
                             = power radix (abs_usize - 1)
                        else abs_usize = 1
                             so value wp abs_usize = 0
                             so wsize = 0
                      else
                        power radix (wsize - 1) * 1
                        <=  power radix (wsize - 1) * (pelts wp)[abs_usize - 1]
                        <= value wp wsize
                   so value wp (abs wsize) = value wp wsize
                     = old (abs_value_of mpz u - v)
                     >= power radix (wsize - 1)
                     = power radix (abs wsize - 1) }
        end;
        release_reader u up;
      end
    end;
  end;
  set_size w wsize wp;
  release_writer w wp


let wmpz_ui_sub (w: mpz_ptr) (uval: uint64) (v:mpz_ptr) : unit
  requires { mpz.alloc[w] >= 1 /\ mpz.alloc[v] >= 1 }
  requires { mpz.readers[w] = 0 /\ mpz.readers[v] = 0 }
  requires { mpz.abs_size[v] < max_int32 }
  ensures  { value_of w mpz = old (uval - value_of v mpz) }
  ensures  { forall x. x <> w -> mpz_unchanged x mpz (old mpz) }
  ensures  { mpz.readers[w] = 0 /\ mpz.readers[v] = 0 }
=
  label Start in
  let ref vsize = size_of v in
  let ref wsize = 0 in
  let vw = mpz_eq v w in
  let ompz = pure { mpz } in
  if vsize > 1
  then begin
    let wp = wmpz_realloc w vsize in
    if vw
    then begin
      let ghost _b = wmpn_sub_1_in_place wp vsize uval in
      assert { _b = 0 };
    end else begin
      unchanged v mpz ompz;
      let vp = get_read_ptr v in
      assert { mpz.abs_size[v] = vsize };
      let ghost _b = wmpn_sub_1 wp vp vsize uval in
      assert { _b = 0
               by value vp vsize >= power radix (vsize - 1)
               so vsize - 1 >= 1
               so uval < radix <= power radix (vsize - 1) };
      release_reader v vp;
    end;
    value_tail wp (vsize - 1);
    assert { (pelts wp)[vsize - 1] = 0
             -> value wp (vsize - 1) = value wp vsize };
    wsize <- - (vsize - (if C.get_ofs wp (vsize - 1) = 0 then 1 else 0));
    assert { sgn_value wp wsize = old (uval - value_of v mpz)
             by sgn_value wp wsize = - value wp (-wsize)
             so if (pelts wp)[vsize - 1] = 0
                then value wp (-wsize) = value wp (vsize - 1) = value wp vsize
                else value wp (-wsize) = value wp vsize
             so - value wp (-wsize) = - value wp vsize
                = old (uval - value_of v mpz) };
    assert { wsize = 0 \/ value wp (abs wsize) >= power radix (abs wsize - 1)
             by value wp (abs wsize) = value wp vsize
                = value_of v mpz - uval
                >= power radix (abs wsize - 1)
                by power radix (vsize - 2) + uval
                   <= power radix (vsize - 2)
                      + (radix - 1) * power radix (vsize - 2)
                   = radix * power radix (vsize - 2)
                   = power radix (vsize - 1)
                so if (pelts wp)[vsize - 1] = 0
                then abs wsize = vsize - 1
                so value_of v mpz >= power radix (vsize - 1)
                so value_of v mpz - uval
                   >= power radix (vsize - 1) - uval
                   >= power radix (vsize - 2)
                   = power radix (abs wsize - 1)
                else value wp (abs wsize)
                     = value wp vsize
                     = value wp (vsize - 1)
                       + power radix (vsize - 1) * (pelts wp)[vsize - 1]
                     >= power radix (vsize - 1) * (pelts wp)[vsize - 1]
                     >= power radix (vsize - 1)
                     = power radix (abs wsize - 1)};
    set_size w wsize wp;
    release_writer w wp
  end else if vsize = 1 then begin
    let wp = get_write_ptr w in
    if vw
    then if uval >= C.get wp
      then begin
        C.set wp (uval - C.get wp);
        wsize <- (if C.get wp <> 0 then 1 else 0);
        assert { sgn_value wp wsize = old (uval - value_of v mpz)
                 by if (pelts wp)[0] = 0
                 then uval = old value_of v mpz
                      so value wp 0 = 0
                 else sgn_value wp wsize = value wp 1
                      = old (uval - value_of v mpz) };
      end else begin
        C.set wp (C.get wp - uval);
        wsize <- -1;
        assert { sgn_value wp wsize = - value wp 1
                 = old (uval - value_of v mpz) };
      end
    else begin
      let vp = get_read_ptr v in
      if uval >= C.get vp
      then begin
        C.set wp (uval - C.get vp);
        wsize <- (if C.get wp <> 0 then 1 else 0);
        assert { sgn_value wp wsize = old (uval - value_of v mpz)
                 by if (pelts wp)[0] = 0
                 then uval = old value_of v mpz
                      so value wp 0 = 0
                 else sgn_value wp wsize = value wp 1
                      = old (uval - value_of v mpz) };
      end else begin
        C.set wp (C.get vp - uval);
        wsize <- -1;
        assert { sgn_value wp wsize = - value wp 1
                 = old (uval - value_of v mpz) };
      end;
      release_reader v vp;
    end;
    set_size w wsize wp;
    release_writer w wp
  end else if vsize = 0 then begin
    let wp = get_write_ptr w in
    C.set wp uval;
    wsize <- (if uval <> 0 then 1 else 0);
    assert { wsize <> 0 -> value wp (abs wsize)
             = uval >= power radix (abs wsize - 1)
             by wsize = 1 };
    set_size w wsize wp;
    release_writer w wp
  end else begin
    assert { vsize < 0 };
    label Opp in
    vsize <- -vsize;
    let wp = wmpz_realloc w (vsize+1) in
    if vw
    then begin
      let cy = wmpn_add_1_in_place wp vsize uval in
      assert { value wp vsize + power radix vsize * cy
               = - value_of v mpz + uval };
      C.set_ofs wp vsize cy;
      value_tail wp vsize;
      wsize <- vsize + (if cy <> 0 then 1 else 0);
      assert { value wp (vsize + 1) = value wp vsize + power radix vsize * cy };
      assert { value wp (abs wsize) = value wp wsize
               = value wp vsize + power radix vsize * cy
               = - value_of v mpz + uval };
      assert { wsize = 0 \/ value wp (abs wsize) >= power radix (abs wsize - 1)
               by value wp (abs wsize)
                  = uval - value_of v mpz
                  >= power radix (abs wsize - 1)
                  by if cy <> 0
                  then abs wsize = vsize + 1
                       so value wp (abs wsize)
                          = value wp vsize + power radix vsize * cy
                          >= power radix vsize
                  else abs wsize = vsize
                       so mpz.abs_value_of[v] >= power radix (vsize - 1)
                       so value_of v mpz < 0
                       so value wp (abs wsize) = uval + mpz.abs_value_of[v]
                          >= power radix (vsize - 1) };
    end else begin
      unchanged v mpz ompz;
      let vp = get_read_ptr v in
      assert { vsize = mpz.abs_size[v] };
      let cy = wmpn_add_1 wp vp vsize uval in
      assert { value wp vsize + power radix vsize * cy
               = - value_of v mpz + uval };
      C.set_ofs wp vsize cy;
      value_tail wp vsize;
      wsize <- vsize + (if cy <> 0 then 1 else 0);
      assert { value wp (vsize + 1) = value wp vsize + power radix vsize * cy };
      assert { value wp (abs wsize) = value wp wsize
               = value wp vsize + power radix vsize * cy
               = - value_of v mpz + uval };
      assert { wsize = 0 \/ value wp (abs wsize) >= power radix (abs wsize - 1)
               by value wp (abs wsize)
                  = uval - value_of v mpz
                  >= power radix (abs wsize - 1)
                  by if cy <> 0
                  then abs wsize = vsize + 1
                       so value wp (abs wsize)
                          = value wp vsize + power radix vsize * cy
                          >= power radix vsize
                  else abs wsize = vsize
                       so mpz.abs_value_of[v] >= power radix (vsize - 1)
                       so value_of v mpz < 0
                       so value wp (abs wsize) = uval + mpz.abs_value_of[v]
                          >= power radix (vsize - 1) };
      release_reader v vp;
    end;
    set_size w wsize wp;
    release_writer w wp
  end

endwhy3-1.6.0/examples/multiprecision/mpz_sub/000077500000000000000000000000001440160026300207475ustar00rootroot00000000000000why3-1.6.0/examples/multiprecision/mpz_sub/why3session.xml000066400000000000000000010764761440160026300240140ustar00rootroot00000000000000

















 
 
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
   
   
   
   
   
   
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
   
   
   
   
   
   
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
   
   
   
   
   
   
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
   
   
   
   
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
   
   
   
   
   
   
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
   
   
   
   
   
  
  
  
  
  
  
  
  
  
  
  
  
  
   
   
   
   
   
   
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
   
   
   
   
   
  
  
  
  
  
  
  
  
  
  
  
  
  
   
   
   
   
   
   
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
   
   
   
   
  
  
  
  
  
  
  
  
  
  
  
  
  
   
   
   
   
   
   
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
   
   
   
   
   
  
  
  
  
  
  
  
  
  
  
  
  
  
   
   
   
   
   
   
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
   
   
   
   
   
  
  
  
  
  
  
  
  
  
  
  
  
  
   
   
   
   
   
   
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
   
   
   
   
   
  
  
  
  
  
  
  
  
  
  
  
  
  
   
   
   
   
   
   
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
   
   
   
   
   
  
  
  
  
  
  
  
  
  
  
  
  
  
   
   
   
   
   
   
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
   
   
   
   
   
  
  
  
  
  
  
  
  
  
  
  
  
  
   
   
   
   
   
   
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
   
   
   
   
   
   
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
   
   
   
   
   
  
  
  
  
  
  
  
  
  
  
  
  
  
   
   
   
   
   
   
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
   
   
   
   
  
  
  
  
  
  
  
  
  
  
  
  
  
   
   
   
   
   
   
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
   
   
   
   
   
  
  
  
  
  
  
  
  
  
  
  
  
  
   
   
   
   
   
   
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
   
   
    
    
    
    
    
    
   
   
   
   
   
  
  
  
  
   
   
   
   
   
    
    
    
    
    
     
     
     
     
     
     
    
    
   
   
   
   
    
    
    
    
    
     
     
     
     
     
     
    
    
   
   
  
  
  
  
  
  
  
  
   
   
   
   
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
   
   
   
   
   
   
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
   
   
   
   
   
   
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
   
   
   
   
   
   
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
   
   
    
    
    
    
    
    
   
   
   
   
   
  
  
  
  
   
   
   
   
   
    
    
    
    
    
     
     
     
     
     
     
    
    
   
   
   
   
    
    
    
    
    
     
     
     
     
     
     
    
    
   
   
  
  
  
  
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
   
   
    
    
    
    
    
    
    
    
   
   
   
   
   
  
  
  
  
   
   
   
   
   
    
    
    
    
    
     
     
     
     
     
     
    
    
   
   
   
   
    
    
    
    
    
     
     
     
     
     
     
    
    
   
   
  
  
 
 
 
 
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
   
   
   
   
   
   
    
    
    
    
    
    
    
    
   
   
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
   
   
   
   
   
   
   
  
  
  
  
  
  
  
  
  
  
  
  
  
   
   
   
   
   
   
   
   
   
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
   
   
    
    
    
    
    
    
    
    
    
    
   
   
   
   
   
   
  
  
  
  
  
  
  
  
  
  
   
   
   
   
   
   
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
   
   
   
   
   
   
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
    
    
    
    
    
   
   
   
   
   
   
   
   
   
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
   
   
   
   
   
   
   
  
  
  
  
  
  
  
  
  
  
   
   
   
   
   
   
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
    
    
    
    
    
   
   
   
   
   
   
   
   
   
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
   
   
   
   
   
   
   
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
   
   
    
    
    
    
    
    
    
    
   
   
   
   
   
   
  
  
  
  
  
 
 
 
 
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
  
  
  
  
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
   
   
   
   
   
  
  
  
  
   
   
   
   
   
    
    
    
    
    
    
   
   
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
  
  
  
  
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
   
   
    
    
     
     
     
     
     
     
    
    
    
    
    
   
   
   
   
   
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
   
   
   
   
   
    
    
    
    
    
    
   
   
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
   
   
   
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
   
   
   
   
   
    
    
    
    
    
    
   
   
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
   
   
   
   
   
    
    
    
    
    
    
   
   
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
   
   
   
   
   
    
    
    
    
    
    
   
   
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
   
   
   
   
   
   
   
   
   
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
   
   
   
   
   
    
    
    
    
    
    
   
   
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
   
   
   
   
   
   
   
   
   
  
  
  
  
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
   
   
   
   
   
    
    
    
    
    
    
   
   
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
   
   
   
   
   
   
   
   
   
  
  
  
  
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
   
   
   
   
   
   
  
  
  
  
   
   
   
   
   
    
    
    
    
    
     
     
     
     
     
     
    
    
   
   
  
  
  
  
  
 
 



why3-1.6.0/examples/multiprecision/mpz_sub/why3shapes.gz000066400000000000000000001271431440160026300234170ustar00rootroot00000000000000[9._o{4 ht]t*YPykfTU\ЅEEw???QN=G׶{S̞/<{~|?/A0o\_?w?{urݧ?r=}´:<~?݇lP~yc3zKׅ偢}]rxr]/>}r3	1?mk9zDJuy=?vw/=ʄf<+#>31?~SyuR/LWN?i4|sG#rX<|0yVߤ\U=,4s(g
D/Dxa+]aX1#Խ6>팩ٕ&BчOE
uA~?}9qGA'n%咄
ZB'of؏ ϫl>Cae+,Lbߵ:~i#Upk,0n^t/GSߪq}}bglx8xB%L/MfD;Ukئ*OD=FoX;_[wKL8=fhu?B*`}=ݩLJCm)̍įl=fp}R>/W>3_hwu}t([5?
ׇ_ŇvدwL8A|_v8N.mܵf?PyuLcqtۼT=þQ_>]6~k
-iλ/}{:ʚDŽ=Eq5+O:F3'hK
?=`<[np{@LEԞuy0.:]?rտ09:Cq'@=|oW`2u;e
s?Z¯7_N=·Ǒି#FB[?N~9u_Oǃ]T(Xt5/篚xcE[`@=1/k?|_uH^|@%ޱ/:zQ:3)wWOwɢ3{d{wA"`wbӧO>~ΟKN0ᗎ$zw̵73ς_c=~.mB}sd?bɺ/Y%k	>RYM~76$ǩCK~c/ktj.ҫ?-؁;J+W;;+:їq޵Z7Y!B5gTS'.3aʆ-ldi݇r_|&G]Nȩ:T /lU|JnDǛ%YVsE^bK̦Gߖ7%8>SOy_ם?Fo;	7Ƨ᱃cG/4dبΨov3-|&Tdw3_yv[</?q87E=J:bb^aCÙŹ
c|@Ilo_x{Lw^L>ɧ)k+ ;^lR?^zy5LuϥF~!5w9S>E\ 9
r\9On ճAn:{8y<|px'GGE?p/ONp8[<9S.W[H3Wy5{yc
BKahj~en2.,=}-VU򕝺^R5xF^F^w//ݑ\w*qKh}8.'Ku,i-Yo9ߢ:R8<
B-sᯟ`}$Nuq,pQA{ve=ˢ{E|V#G~;3}L7[5&WOUobKos{tXy;ٮ͡	B;k˓{-Y<ʀ7$ɞ~rϼ]]"g>s_;ku+Xڦ#Sd#|Sv.Q:Վ[ffqd~+oXBשty)[ҝ緋ٳۉ8{+'9D˥R?-l;^i~sȦ߬K둎hݏ%l	kKWloY^y)>nwla~#pOeZ,9sۥ
vRƂq/Y$"!7u[6m	E<4OK	g`+4}_){]߲	8>`?>T} |/IV
}"vN~\?#G?݃U??CyPOؗa6AN_;?Mio{s8w`)"Oӗߟpp}yFߏ
qlc=Oh7Gxaee?{C؂ho`>'9&K^(ZJqOΦƱj|89퇓qaKy#K2ʡvw vMO3vw['9t^tyəGݹw/Fi,`hݞY}`f'MRݦtұ\%7Ƅ>0!Ri7Nr#}]k57!9nq33lp>9HjkT^LSؠ ؂- ؂0-ZO'TNdnifn喃.}D$] ܵq
ۺ381lA	YJ8HTn/[tSjܻ~[-,_YLuV`-(gVmyb	V)sNw˶Y:ڀb*9L	":!nVjY}s~{S:22kR[\,iԴc>^X%lǵy
k6CgO6H>b4'ꝫLm+3*;N\\$2>Ȳ55ENM<S?e\j\[pt+.-ԎbYrS.,n^DyMki<}ULm
0X}&\Vua񵫳a.ǭ]c]vob/ءj?őoG
oʘmo@O֘Sh|JMs阞>ѻoWw}5iAI}ty#uPn[Vm+V8tϋIh_y9Lo[}9^AVpt
3ߠ8?t;rwaCV
%SZLWwwkvԤ]pQ]yF}܎7.2pvt;
PoG!?:p(*#{vmz;vx;nsnGq3祢gp5B;\7VI7¿{jT0H}7m\ܻUQ{qTL.%yY/	>=Y'Nɢ|ɢ\vxwDnȺ{+NN
aGbB|BBRBH	!ؗ9?5\H=?B(3(3KQf$LA<<<<,adwӣNpxseN?Ʉ'[ew.uV𘳢Q4IfI٩\^ﶾm
MOy:]t7k,vi_O΅JRWZ*<g{4O_3y|a<6lfxR7o3̪oMmgqla]`QDc;Yz
zm٠8~4>,0ieiEj)@ƭ}Pay>wO3t᧮3z!|ZڃPS?i,t 8-M/'հ!4ZaăNX|5ityw$'b^vW}0q^X;]p6Dڸ9KPamYL|ʉwyA51ʷ>ݝ'{8{tm`8:~)uZöP8QRIk::OnPi~~R+G	Kqr_Z\꯻U4\,
dKSg:~7l5	b1/oMxA}o~8?(e~	-K\FN{-bV9WS\rnVoX5>!S0R`.ݳ',Q/,1J\=q3]9G7siIKFTaDk8/|9T̒N&͒}_bPUf7m[|d/ZzXnBܴ3?x*dV<3>\Y#TQZj|7-E9K;7Ky*kGdS6Og|?s{3}X]I(pk6ڄhS~) Lr%Sv=SǙ&NKq\ڄr)ބ}LKh/D_ׯ/	@x	=a[u
u]d)֖j7=anč<Ϧ٣ķ>+8j I
\nZNF
bcvxe+g"g=ܷc]["'"rR٤oY	qF%?$f?Zèzϳ8j|?~Ҁ:^@4cߗcX?%w0O`Ϯ.^}}8?s;_c_n!"0p}xׇp}8WBIˣD8]yFq}a$TT>&80#?>|4Gt7`=hסM00!#81alf8	΃Z+LkZ{} w%
B|	LP?dIJ)p*C*EA[)nݭ5V-­(:BΉIiD	(V[ioV[Io%,֧t)HD*)̱pQ	4JE:`r3ZQ"h:9	
%eʪJ6зhSUaȮs:5J*j@D$2[1lSϑ aSq,"D[)`T΢ʒ3J(P)fILCicnQʀSdq*,"_*nnW,!Q(	ɗdEJ([J*qK,Ϭ[ҷu---&dVی0%^[=zn+LTObBkE_`	!l>j"C'L[q<dR	)Kumً5g0K!k1V,O6xR-eD!/MdPFy
9 8O8YYٳkT^hxzMDO1مE5&^u)E)
ˋH%WC"/ӱ't_<%@RU{RTe#16K-I3Y%h+cuD/
ˢ9@XEn
^xnp˒u6Fdy-$	%%|`"` Gn>>X7i/Pm`8VPxMe|6=YԭEh^Y\bTd͈U̮B:9V;(vɸ\'b姫!UՏ?̔XGt5D#K@. $/8=LQAiJVw#Rhΰ/Yr#<iO99{ke
[HTg(Wt9n]E\3 넆
$؂pΰ(:7ܗTuM
dN|Kuv3	&F]brl:z%!s)VW)`'㥨Ř.[gnu]ux`|:k
dbTf9;bZ]-i"/J,tR@asl6U&Sl8+6PkiƊ<#i)Dݒ{uSJm/!);\NncANj%	|N%0%kucAxcɅ:J:}r$3)6Q%Ҽ16:VDΐ+t=J+~[B\w]g*ee1
D$!Hj}z$p_72|x/X	vǜ$cْDH=
e~]]*UR0&`.Hems?r-i5JFIgHWH؂졢n!*@FMSHcRrdTʪz
k]d{=eZ%rXkkƔy]MBb{eUu@	*q/|E@Ĭ2kk:њH	N,y<3ЇCnA/܊fߝX朷K626Uŧ7HR!#l6-Ez̎h1CEJp8i[)ֲp7CC2G0Z2@?&k,Rh xh329bw_ड़j!lmȐIzr@w	ce=^,%mJ@Й6 E@(^lL(r=O=
oe	Jʔ"B:x-F/wvh;^=s. l15Ĉ>fR.+7<G4"iB**eqYŎP}CL$^K""X-ags/FrK;E0"-
8Au贂G͠*kAmtŊ}D])
^P
(K/T5X?n+ev(WU7h?hM_D'8KТlbΤr3qfJGJE8/Q2F
bFoKLN5ζ60],
kZnF쭤hO[Bł:	tjRyL6eBFHOp1p
IHc7&L>IB6{C`c?K3:^j6T=1b,A-\lQh+e4%SQ-Tc?kDisaKBbgJ!NBUÌ'RfuC9Y&*EJLA99$"jrV=؈B%wc?#$mV<J%-sE_GUQc@FUMw)]$0$j}8+s>h)XsPw+G7IL`#휴BdffI[u)VYW*k(`%`
Q;kY*žh6QQ|`)ʚ整Ά iӹK/,[S"/0(kPLjYSoq_;S1}((TNڻX\@#ڣV
F5CԸŢܙǂə]5_R+5T"QĎ躉K	ZE
&n=cu/M#%Ze4^S]oAYVɉgk-\5*!Sh->%4|"z'5	ZK#"XrF2cfS3Rv~ϫDl.%ZrZ8KZK#/׳ĶPQd0l
nDv#kDd254QaܢeLDh~s4r7\BP.;^@}肣@=!~Ä~)hs
,=M"#~7?u_ֱqCj4AGiPj$
^bG1K@>zb2V M,u{5R?fy6f{ǍdjܓZ6r_(JaƵ90f%(׽&6_΂V\\aVu z3jd
"WExOêvL„e2ZyYSQ卍zȚsR51oRƭ
/E`bRS+ΎodjD@m
c(kiSOVӓ#gOJhjMaj2SĉAzSY-UZB9\v5,yJGl$k
b(襗m4>'CUOi΄$CMkbdDHф,푿(,Qt@ۜhJj@\2S"h|7k&s6L_C2+qao]l"8{3zHK}'PFkoこB2Y&iwUFPA	LuFՕ򄌋toRLPu05^\{1B)tU)yKtm97$ 2fdNApC`SVˠt+$Xt
:V, [>׻tl9
,,Ma@p&6<5(_% sƊY"y4\mNȻ,
&eYeJIIIP+Ixm$xyHpYi+JQi-AYGUcpPQk/vgYd;309I`P>YS}LCKLB茵A=@jMV)
P3&(&jv``1E+trƤjP@ʹ$
Ivu5E",t]11M	
⁂&%sOUt&_U3ՆL5tNo+IX0%}0K{WDLDAGMNda>j00˚$9JdkHVM4
`.aH=*]6sY앁=}0W1Dɸ.^j.5ͩҢPp6;:/0AC0Fs	0A@ړf-e!w!:zCA(\k<5ڠX=n(BP(0Ɂtvr1SipxlDA#( j.H[猟Si1V?ӑxt`M^TIGdWlU,q!\Ѝ+X0k^,Y2ce4ƺ:cw`y}FI(|l!UDk09Eݢ:O	`>%`M7("e
!2WGWCaQl[]Se	:brfsslgh^TfBFYPY[d9a1Wu5@U(E$J,dUAJ\"$F0+2U
1f$Q-T0`%a4ٸ^Zkt1YMw`F+k!:ZښۃL=@5
?1	Q
sǵ:fs
ʡ(eFr<\캉29+1]Bb)BU\PI
R)(8)շG-$>I1k[C&G뚲09-|@%I2u)eF$"bג]\vS8nHQX;
A3FqQв%ϊe!U(
48^^R)`5JG
O4T y+e6"U`VwFX}S)L/%uQJ*bVA6CjKXURTD0HKNK^ܿ׫˧ l1xM^fuYA$d _łbI,Y嬻؞ EuRHִ6{$5@.c̀`qA*$2{R#5,
S
%0Lɓ1HpBbγ-تFƚKuBdnS7W: "WEEufk1׫g"S~\cSuЙDe6R뫇BMM
TKbYa/23
s2WdlP
LܙGGIS}7\D(b4_=r$P9&dC9!.d'YYʳM@&Etb4_=NB"$}`T&I,:ʗ[4_=DКAcHcc	M*14NmEӠ~PG	 gM^ѳ!Oadk0E0dqFd	P.,	lFUn7`~0ILID`PLdpd'5hS"F\%KQƨca-G>FmQ	"8dVy>:1ڸx(y2,	4Dž>}ē@=
EZc	a_&*%HAye_D"zO`+0'HlJW4%WwhvO$@`1P26$rAV>tetK24[x1UJ>ǀY[C^;o.\5^QI1U-LV!˜AWpiuGѩL!h3uj]2 &R+K]lWMDVsݶtfRFBaS،arRAFKJxysIb!3W2Q,\. JtJ>F2:n\L˹qyˆGlEa|
Y`pX!:L*AzuHeHDN[(2CIXX)>%LFzE.gf`$lG(U7oA6R.F!R	:)y?R$||Nh
Go
p0zaIǒJ	::p02T/(022S/|u})(|`^h(l^"F0dhyCFP!vxwt'5^<6frEt6&(}3Jz$1	X*u#ǫUMM)+"FTax[:k]$OD:^q(Y;[b*4
!)5EJR3i-l`-mQYB%
(8(R },;!kU9#r)RhuUR(U@6C5
T3"c(48%e-xFb^$ƶF̝5H_;\V1f!0%j&	WE6;0+Zj_2deqsb'4hfX!ନ%-E|F܄UUq0bD:&m,<'fBlb(!)(P턢T./A|]i,ڢd2!]"VBTA1iʳ[#ʷLuϑưA(A	d69mW/dVu;IBc%bOs뒪2Ǔ&&C#.S-!ۈ3ב[FZ,	@
aU0%kc)ǒx:*7_&+`sA\`RVbcEG`EkRx=I1k_D#9dY fR^rd͹87R?v2ؐ+Ε$Vf_p6x/-رkXV\.l ~'mmPcdhٸx̯f*$%e1+mAUN	_2mH.7Th%1ce&wč4SNzDV
ņ.ƙ$'mgbkQJ)ʺ("x}bnPc5gcˢaĸ_بɄ\YMh֎D&سjX|92VEb2%;KRFV$+U5iC
7j9E"VieKL|Lu^8(LKHkDQJrAhX-ɋ-Fx}ށхĴ۷[dbdJ0
>i3ܣ<}E$/Bg(eAU>Σ|E61ZId$*,$C8ynfc76*hT:ö(l&0PD>Q:uSũlט
aM#NQz$w+dv[a,[Q]Εi5ȶKXpf\sc祔 HTF l\y7j,`VYɤc1'=	y76jlp-S:AFal:^k׼75nZ؜%Fmh-FAt2j̤W=;5vZ`' S,2wIQZh׼75nZt2.Uq$A.&/!4kiᲱ>ܥTjIX!y;LتN	*j-zbL4͆تՖ
TCF{GTt"5Ukj-kTWm]v(39UN%4HX4$]E_bcR\	cbNVZ!/aQyRvr\XBҥNjIlXL皒-`@AZB!]A@sV$,R,Yt^SEڇ\[M1"IhE@MA޹DPH,f.	_.Jo~([XREq:e$Pʐbajo\rYc7%ͨW={I0E`P-Vt›d']2N&bU0>Öe5$ktWD,@ gFzǛdeu(Q"Hj&KpщeE$8B-.1cU @bx&oMAm6.*VDQ8SsZ_sG4ylKF%/dѲ.:ΛdUJ$.6dr"m_.f$/p,SE'DB^OrHBԼ~ҥRY4~,
m0 b&Y$Kh,&YHĨ*X6WRAKhl&٨&*PEf ˚:@v+7In,,t$lJ&ʐl,TNoF5JDAX֖|/qӛ&W5kb>,az;%7vz}JX^lqw/yt$[yP9IX\
5++@tVo #&eЁ#c+l
2rp'5Р[GIN=zcF3fJk2t:UQsQLJzfFXୱON
öN)ƳEH?d-66xklL֦*֦&ybehc%'d⿌dސ-0،zhcQeo<I첋F*F"'ţF{5`"4e.d/(Z4.EQX^J5N^蔝Zss4ys,mQ
gPCI9U!hlF2
k(Lڅuڬ>A[!F_˼$γ]\*Ac7ʤr
LCDQr},tI)٨%
؄3Vxʘl=# g9PށIos 4;)Uy5ڽ]M#xi}HNetǹ
v_x7.o>iψ62K^y'S;tV%MjXZtSOsw(]/;<'6x?8$WIѧSkJ|;͙rnә|=jG۲6@kRwsퟷSjރ].Pv˨Ea'oܨBhYN5*Tt:?75zV|.
r66Yyreqo|(.ȾIbv3h@%Լ[_*h{Ղ=+!9P=s]**΍[@()esl,䡒RU{LSKWq5lf1] K[)tѪ$m˜
`X	ாK]
\jI5;n9y.jTAU9mq)FVsSg.] 8TTr]|;u;?f{rlmw$c)D$9Fn.Ʉ]r)WkQ7-߷ǥ+KO[ݧ^dun;~AПH(pJv,?:rkRlP<4fߙrQkg{(\t37S
TVSK%otíYe;%aȥZmt,dl9>۳nAriuKkm*
q8ռ"?	C.ռSrZ'oɘc.#~/i9`Ә9P^Kri5G&uqN2T8(0RUC:-ӓiJϫX 0WYKHΆiPM0\j|7`8yFIcu\9{lX!&oMMCG`3͘5nFrYq7xK:9C8A08!*ofj'Ei*F9yL-C.uΘ@ԝ-ߧؘboAr)(%-Bs/6l[\L0=NU}Nwk.oFrtJ8]ksx
 =e%aȥ}upC9֘)͉ߚ0R()]nŢq!˃y#
0Qڃsg[pn{Er$|h'duao"4~Z$\S7ZtB԰'aȥP\~(rPĥ3!x^°(ȳ\(v
8\0m0Y}υcתMp1j)NZ1,S}XQ|;ùͫ_KJPݼƒ5Q_]VY`b*̷a#nGf,ZB7"AQY=/>>)D@ﻟҞd,b".eذM`hS{Y)!Jk/K@U8@v?[	ƞMg峚\жmAMj&OA^&YMN1>rX%l>ٴ	c-cu_'&s_廼,ZN>[qklBk^Ygm͘Wg'+:J!.=q@9Kn=ބ2oH(\Ud{}=$ߎoM}򞝒:_kix|;˚>5zFQ/+x{~˪>UA!ndݒ#V9g=eUߪ48[⸻/]uٚ3ކoI-%/+U.u.$
|>/#F766Rb
26M/#r%
i'YDoԶ(˄.UoN
NZZ,	eFU0*g%fKtkԶ 
u7#L2IP4zK}jcn6Q{rjˢ.#]ihJ}U߹Nv|L2J܆lk}4!(pOݮ?ˢ~$&<7o72nmY{
ˬ.U|Q;b//G*6&l	Vk}is|?/ӺLG;mН`^K-[ہXRi/U|NG=|r22=:/I <ېU)-"~Xl@]64GvVcZE@4i7ʨ;|zWAsHB\Jt~PP}/v,b:-WۍFO^Ⱦ~=%$Z*;a=w{B.d_}r	CA5DvE>m"4W{B/d_}7!D&/fENo}9z\/ߕl#kQ[<`ILTԈ% zJx*0gֲAaIacs6.w<
:mvZJxiTЦ'S
TH]
贇M(RևP֡sˠ)Dstڧs?I[ti#h쫩{w]2Zuci̞4>Sy 0+[1Q9$Fk
Y!.ƌ'`~ih@#uk,rRGPW (l6Fia]8!yKcAc4SlӼZ~9nKcAcq(PH (;)܃DQU{%\:1
FyØO!G=јs2/MO|#'p:
[
jT:/.hmʔZAԽ~ڵL;7cl?^D#ۆk]#d׽F+.`_#'CZaZ~NfR_	X}!
FjP	#Z'`_gұ2s2+{”4tڍL)K#!9w]	X-ZS&x
8	GnJrg'&?Mmܮ+\cZ@LU`-F
ja6}/TwE1bc.ر`}!,msbك΅+e,tB'Σ̅k#͝w
*HM8'8L7䍹`}E +e+{MSiТsANޢiQs)gW)smJs)c+
3mw\1į /q
YTcUZ̿܍|DXrp6pOg_Ă"LڨhL3bsPNoYop$^aoyo@d'ם_ðWd<֎jAٌV5ya.:ϬY4dȼu+Y0o=ROm1E/GhR̝O>7v;+4ܱ'YlLスTGe̱ts[IsmB6O1 $j-VVZ#0J6aRkB5CQ/fޘb}+S4:ZNH!D;Ώs\yK=*tYpLqo5/j6v؇P{]{igy5/jޖAtцLp9}M@YJK5o[vyȠcIcxsmmk^.ռ1]+}_yK3&|
ˁkY5Y|˜BV.lx[KwG{iXW4^#w;+cv=-Ϧ%d]^riw]i)xMeJ^KWZ#,]#+O2 A6Avt;ËmE(i+5@?5|.~g.D{g^mx5˥^3k+ <.~g·{4ʍApt;nh)֩mܦU*?07IKjw&w7V-!'57R=_
G4sv#$Y7;d &k:NBꊗINϚ5=2p=G˖݌&uY4ku7;&F:ArN
	m}prgGi^C fp5VoП[H঵djڶۡĐ\Ϗ}ʟG3#>mn!M޲,:FZ<-F96ȴ"ZQ"n882,Gllc>zX	j̧9]'_#Wkm0o0UTBP%T	=
ONd$Rm R{VksVHQ_KL
S Ϗ-IMUIeuQhcHS{f?Pc%z4T_ǐTlW%ˡ>b~[j`vuW!f1=OrUa}>izJlV-!'ohH8ʽYV*:+(t$k7-5]q	-gscKuVӇNDVO$ҏU@eso",5siؼ
f lxz^z2N6.C2{ozƏ>g3lCjָ%)	{%g%DřN\>DnS_Ic8,a
9{L*Ó5mG=&kD!3*ϮMc5t~!VrXAsԩx_>5y~	H[N[n[fyڞXkWw[iTDEk)t×F0 c1VAL5
u-BJZy{J!yCȹnw\ ZpJSW	ӄ#}I}aj&o5N10*X%n|j!kHMXgWT)F8PBrz"{񧟯5&'Йǧ(.!o-9?Cw_^iZZrJ7O~|q"	5iG8_@$6yXZ+nDp;=W 8
u]BœQ!Z&*UgyZ?DMZ%:[lUݻR0_	2wEL;PܛcҚBơaDq1u]}8ς*Om{kT^>G6;("<[l_÷
DG>PFC+=߬ߜZ:*HH[z05{$5yK%ۡ`Z+އC~$V.[ϻ`b:GDjA`bgT^&ns
sK7mNH\0YzԼ$~RmXCO;-xf^ptS?:',	?+:*5CPA|!k; acD܊,DD|zXߣŬhUa>{n mWP
D9֑<*NWƚ;_
7PQ"ܹ24	Yn%k,e0 /Y*%_e8k`&[X*kŶ9tF~FUb"1/y9;;LM[+=SEљNȹ@Ƃ5ʠP|ʞ}â]ɀtB+r"/
+NYյ-aLp/Uiђ@1UF˱ۊr2Dl۹k};m(Zeߓc0uýWA\slf~)zAulfrTbZhR~+w)ۨ%t'#h>W:%xf;f*Jr-uOoxeZŧeg`yMاob9Bbύ.{-5?Fs&.9ճ+smso$ h\~?VƮSnf8"N]q,얰Ne[f˻ keV~ԝVe
W.d_w[Φ"
'sOvl9F^6}r}z4ʱzYFS3hw4?25-/O#},U;	}gC4HV90vW[-8vH*lTjv|Kp"03XN1k W
LV	dh[tÍIKUIG7ʍ"~>+yhE`yo+#+H#9z-k>mPu;INOq<tI
A%wKc*n=7BXU9h1oޔapPS;匹Ri?	U0
Z>VZQU=] }CmطlQѦa}o5m^?%V~e
;RsZyT,>v+JÀ[L91gҒKlWsVIKWưm@Tf-9-	H0dt75>C+o8XD;eue#cV?8KœȹMD^Q!s]jr[ʭb'Oi =yՌg0Pݝ6{@0VVaſG*0lsI`ƹ4{(O]7QB=GG*){psx )Mp4%W1Fxde>>Ȱ{HxvA]Ϯcey~`>wC,>w0
BϮ[*OMxDѤݕx
'iR_	tgUTEtpS|v	@j^F^mkVꧤ'>Om>V$)ݩ]`Q6tVl=¶A=_`	ja@\QX~_{e9Q
Dh%bFAw_~G|jEJmAhֹrܣ=_
k[&3ɩz	/}r(jNZ'k-ɀ
$gUc8X:]T߅䠜km9ӸBf
IΛSC9Us~.{/
C6C΅|=.0dFЩ@E_S?e.B^ :ֹGZA\3w™n*i7*sPUعU\sW#<qlΗ_VGӨ`yӕtc2(%xj!kMX/1R:蹵/`]Wt[\de^ܣ"XH9辥OqLphW*7֤J5X)es5۹}n$XNCs?[Ѕ~Ts{г|kgK'*+䂰Ȏ[K)5ȵѳ/s'Nkwn+ah3e_$Qhr8gwcuCLNR	׀(Hr*:7i>/
Ox9mman#jhoR5\lYJ%sM+f%|o7<|MJmHajӵz5g'Vt&_%P#z@_:FmhR)׀bqTJjsQcm&r׀QmQMn`VE׀s]*WcהvmED'5 V69SNmu}K%ꁯaAykm֊|$[Tae<9O3~k`qXG-*>Hk]/)gBfNRItb=.EYz
#|D7	Eǡ	$>,cXecN|>]霭JM%GUQ)}fFS[m;֜uk4knA|Wא*^C\9Tfp&H|ikws	sqa
Betqz>G4%}#-Xiڲ@N"GebaQbL2*6R{\'YOay[D_\
|Һ|%XTn^ͧiȜY>qiOJa`0J(VV6)KBOQWh+U]d%xM^y^W/8o&${TC<K<֨%X7>$]ZlJS"tz!5Ҳ.ݵ"I#6A_)oZYn{E<ڠEм+
ǵ*XFJpgn)ʖJr^n$YlEs፬ߡURV|ڟb	H3	OpHF#r>Z,P
Jރ]e=+[PtEaؔU"l,GVyB97S~,
qmEQ)}~gd?![Vꓜ-
,v G!k8
0ءrԈ,s՝B,UdFbM%-4*e`i
QaT@%EdVԠ.eeP99jﳄ'*%D
BF3%QqtE[!cÚx:lHwrP
G2-iSFc(?S?}nb|lYfYWS-ј+O"\ϒ{q!Z*\4\!9GiYq0r5+[vkyKL>m튍Q@pȘxC?vsny**MO&a4EO0u>q}?֚2zCM_*Z\*1pr4q&ZLbm@PcN[m^v;Hώ9kicaP;K;WS;FPVdn3[Md$m?9\a=w[nM'4ϳw1Pt5Ү0{};`9o^Vйb}
ZL}ό\\>%뢞aԺwkX-sy)OP3
kTXR-(QAZyJW碎xB(gyQ9EF5GXaˬol{Y>\)F3mk	,'̍xJ-cQ%
'PNIbNje)p^@g#rة˻gV@NVk#H[H*3d	{vb.qOlϕbŤ nv>|*-띞VyVgLAE?awpAlzg.GB+hyN&^	'A?.ӴJ~Hgsh:
I0{Z.,mͭ[j,gOR̶4*Brݗt)kZѴS'b7Hu?Z2	
й*油m)S!|h,hڨ4J|M}Rpmwgmf-[aO(?yMEq'qzO8 T8[vJvYOuZ6?]E@[r3&ު_?tE6+I-ˇFWST_ysXBT1+$Bo9:V'F;
w֨H$C3<_KE`Sf;,ܽ!>66\ýYy”1ZbLSEp9+?,\ڻrV ކbKI:8.5ԤW>	lF\8(H\8:UHNؗp|3M['pI&)2f#2
{Mб.ي
X\2#ǕkMO_0퇫/5$8pmv#F3o[%c)W̅1G٤3v`d8[
|x>Si.fj9$-rpX/21w2
)w[nyJ(?b?88dq5NcMdԌ
u^'`sjWS	3|l+Efoiom9Bt꠺P;uOjƌ391Tp|_u]]kNcuoFcLPZ!Z[)髉®H6vtInSM:3ʲ CI;tΞ 
k
ڣe S;g6CG_Kia|zo]
+	m,#0H6ҬQfW|HKpi3QD%ߚ޳EI@3KQ2 bItŌpĥlnfz'\鑇13kb$U OuO&F6lfd9t>xtk|sM7ƈajGu–Gg67s^Fnh{Kڢk
$JLiv329sٙekL?:FcJdw?lv3Y]TXq
ԝwɾg7cqҡhFܤG'c:f#̸x/$7|?bv3hќOpFur(UqZT݌E98sup|[IFJ}f,y2)ߕ	ٮ`zv'ݨs}e͇:i73"\}՞=OWj*_?ur\v$gG`2࠶Ň`Qh:*]
d1fi	,XM1=^!di&/l94*RG@I;9~ۏ꼎F48ZNާ{6P-#d1!(̒YGܫksӧavѾۏBW4VYf
gZI@:5;W?J2bݝ̆ta{:{Nxr\+oh9^ÆNk({+z2تtںkJicj${{k$I+kʞ{{kGNw,ՙUJNmg232q0o5wZ:w!07G	}s#,+pb߬{5m_+ߺgF|Nmڪg~CYenhvc| n'(q†UL.76LV52z:5^
ˎkywhg(eFOEN-gO"Ϻ}sVMiX4Z7Ұī_}sFPCm-j#X,g6Io{H$doo'9+і"jD})8soA9+=b̚2H@@foTZ0uCEΕ3߻~sfupv:nrR\lVɤ9){hu'>תR8`~4e͏$PFkv X'Ӷ{&Pj-} 3M86:(HȽ??y#dCyinx4{;kc+*jAG~)Wlc^"m^_p)WR}w~zqL
grM&21au9jmľ42s}TB?.*Χ!%$d3gڐil3ڏLBQJ;'[NW
:T\ωP0]$Ӯ>F_!~֓|\`ssx9Յ4(ME"bLqbJ~ڒ9IͷgYj-̴0.K)a=I}6j4IhӬ$Y|_4Xsբ>
z4'%K%죯Cjbu/zGp8'#d$qKrIn(U_@&W٬AJ')VO:;5Jbh--s;?:Y;
\颳}M%ZҭZ[Outi,`/S;d6s9.>C4oh#GBY^jU3#F;WT5	7{*s6GS"}
Ff)SqhD8'xh۳Y~"g>|x3󉣑KާuLɅBQB8i%3qpANx(><3c\Cw]Dر꛹0}Z>L/D],'[rRTLem+6·[?8:gUCYS5 C6eͩ>]Yl5daD_-H g]܏nO$X!]J2@Ұi>AɒeP?-ewoIZ+ػzK'">&t`IFTWtp`Ua<m~XNVL^z(>YMG[\%^ۆ,p>wOJǯux>IUWjA^}"4M^ZLA^}zQs%jn"}"5؆VuPdm5\DMPcN!#[Rdǚѡo8EB5vll8xGk!Fډ|;#GJ6-PepThcHvF۱jN@	C4Yܓ~
ގZAәII(ķcU;W\Tj_BD&-MR&?'K%5% PqJ]ʹEdxHXz]
̼Ks+WiNϕ 3VU	TMNf۱jmnH.pU&pe۱l Q9Hn߃E۱VҪ{jL;w%on(;:;6eېאkLc6ی@uxEI1:]N{hKvpzQutXvyqڧ5hdHcu*[V$_Ip%\jOUݎՈ2:echW[Z|(|;Fw
Xz`mѰcu!svVѣ,e>i̯9aAjD]LohSTJ._!Ijͨ|i>X3c[Caۡ-T.f1i[\MsnD3qW(Uqݭ/
]u.!GLޱ:$NWԨ'4	_‡)VMӫ6X{sL=>0O'rV

9=:5vFK"'XvLݯs#E B%c$3j%LŀKCn/~ܲ	=|v+YSȩp$zhX &V\gig]M^=5?bIàU]eGR1$&afz>޳cV\]u6.!hvHf㌱$ Tv͋>jmH=eʚϏhz.bVE<	=c6V*XXCx>jDMFGHuG4tNsﱢdVI">?zZbXՔeQubN9l|Qk~X$'Lg>GcK'wZ@rtg+' GW5S7mOnv\!%utZ=Ȁç䂨+<6Bv#)i'bݧEYW~2ARQϵwOl˜+G5'$6~C>$Fu
aHB	e\!
L
8-F0mk4QPYR=O_O
5>SXjWmq
|I7UF>*"W	%9Ch&mm?9LqP6Z]$I/"k2=ZXwGUC6ZhƐR6O\"6{_Bum{5bV$xX=1>Uf:~aicq„]ZD}̲
:xݒY@u[wh;gqk# 3`|팺:g(2p\:L\˾dzq0<helR6GǷv[A`1	)x$HdAfZP4Bca*,^TqaKG"PȉnH{Jr4:)jN{ϗWЕbihB-r_sjTѣ6㉶M~q5'3Y]ngnti~p
|jnJh0W_SO^?qOEU\6k*ʮ%2+_xsζNn̦WfBf
o*%PcXOM.x:/o'nbtIiC
0xl
+RhezZsb,+^wHtۧMƌ0w_蓃$v?R"Z9Pm'z5*-Dz8Q2jjQoWȬ"y:VB+2 v'Y_fިa*X*};H򅀳*;/rOfwx;	bR*!]r2o^sL=Re!#tr|K1t6$$*rބo9|LjǪL\:k[M활~3Č;rΘ}^d+hۑ5NcW_QSfx?&Vn#w߲7A~${WgYڎR$0sX&3uG

zKtl8V"*K
R?p5&̇ay5մ],"dgsQ|/E=cVx/*LZ̿`&|DJFBui뱔iq)@7٩q,ҡ3<3kGx;^%_{E#xQORk¯z7U'?\r^A=g_ۑP:'5:Ar~|D[* (pelts r)[j] = old (pelts r)[j] }
    writes { r.data.elts }
  =
    let ref cl = 0 in
    let ref ul = 0 in
    let ref n = sz in
    let ref up = C.incr x 0 in
    let ref rp = C.incr r 0 in
    let ghost ref i : int32 = 0 in
    while n <> 0 do
      invariant { 0 <= n <= sz }
      invariant { i = sz - n }
      invariant { value r i + (power radix i) * cl =
                  value x i * y }
      invariant { rp.offset = r.offset + i }
      invariant { plength rp = plength r }
      invariant { rp.min = r.min }
      invariant { rp.max = r.max }
      invariant { writable rp }
      invariant { pelts rp = pelts r }
      invariant { up.offset = x.offset + i }
      invariant { plength up = plength x }
      invariant { up.min = x.min }
      invariant { up.max = x.max }
      invariant { pelts up = pelts x }
      invariant { forall j. (j < offset r \/ offset r + sz <= j)
                -> (pelts r)[j] = old (pelts r)[j] }
      variant { n }
      label StartLoop in
      ul <- C.get up;
      up <- C.incr up 1;
      let l, h = mul_double ul y in
      assert { h < radix - 1
               by ul * y <= (radix - 1) * (radix - 1)
               so radix * h <= ul * y };
      let lpl = add_mod l cl in
      begin ensures { lpl + radix * cl = ul * y + (cl at StartLoop) }
        cl <- (if lpl < cl then 1 else 0) + h;
      end;
      value_sub_update_no_change (pelts r) (r.offset + int32'int i)
                                 r.offset (r.offset + int32'int i) lpl;
      C.set rp lpl;
      assert { value r i = value r i at StartLoop };
      assert { (pelts r)[offset r + i] = lpl };
      value_tail r i;
      value_tail x i;
      assert { value x (i+1) = value x i + power radix i * ul };
      assert { value x (i+1) * y = value x i * y + power radix i * (ul * y) };
      assert { value r (i+1) + power radix (i+1) * cl = value x (i+1) * y };
      rp <- C.incr rp 1;
      n <- n-1;
      i <- i+1;
    done;
    cl


  (** `wmpn_addmul_1 r x sz y` multiplies `(x, sz)` by `y`, adds the `sz`
      least significant limbs to `(r, sz)` and writes the result in `(r, sz)`.
      Returns the most significant limb of the product plus the carry
      of the addition. Corresponds to `mpn_addmul_1`.*)
  let wmpn_addmul_1 (r x:t) (sz: int32) (y:limb) : limb
    requires { valid x sz }
    requires { valid r sz }
    requires { writable r }
    ensures { value r sz + (power radix sz) * result
            = value (old r) sz
              + value x sz * y }
    writes { r.data.elts }
    ensures { forall j. (j < r.offset \/ r.offset + sz <= j) ->
              (pelts r)[j] = (pelts (old r))[j] }
  =
    let ref ul = 0 in
    let ref rl = 0 in
    let ref cl = 0 in
    let ref n = sz in
    let ghost ref i = 0 in
    let ref rp = C.incr r 0 in
    let ref up = C.incr x 0 in
    while n <> 0 do
      invariant { 0 <= n <= sz }
      invariant { i = sz - n }
      invariant { value r i + (power radix i) * cl
                  = value (old r) i
                    + value x i * y }
      invariant { (rp).offset = r.offset + i }
      invariant { rp.min = r.min }
      invariant { rp.max = r.max }
      invariant { writable rp }
      invariant { pelts rp = pelts r }
      invariant { up.offset = x.offset + i }
      invariant { plength up = plength x }
      invariant { up.min = x.min }
      invariant { up.max = x.max }
      invariant { pelts up = pelts x }
      invariant { forall j. r.offset + i <= j < r.offset + sz ->
                 (pelts (old r)) [j] = (pelts r)[j]  }
      invariant { forall j. j < r.offset \/ r.offset + sz <= j ->
                 (pelts r)[j] = (pelts (old r))[j] }
      variant { sz - i }
      label StartLoop in
      ul <- C.get up;
      up <- C.incr up 1;
      let l, h = mul_double ul y in
      let ref lpl = add_mod l cl in
      assert { h < radix - 1
               by ul * y <= (radix - 1) * (radix - 1)
               so radix * h <= ul * y };
      begin ensures { lpl + radix * cl = ul * y + (cl at StartLoop) }
        cl <- (if lpl < cl then 1 else 0) + h;
      end;
      assert { cl = radix - 1 -> lpl = 0
               by ul * y <= (radix - 1) * (radix - 1)
               so cl at StartLoop <= radix - 1
               so lpl + radix * cl
                  = ul * y + (cl at StartLoop) = radix * (radix - 1) };
      rl <- C.get rp;
      assert { rl = (pelts (old r))[r.offset + i] };
      lpl <- add_mod rl lpl;
      begin ensures { lpl + radix * cl = ul * y + (cl at StartLoop) + rl }
        cl <- (if lpl < rl then 1 else 0) + cl;
      end;
      value_sub_update_no_change (pelts r) (r.offset + int32'int i)
                                 r.offset (r.offset + int32'int i) lpl;
      C.set rp lpl;
      assert { value r i = value r i at StartLoop };
      value_tail r i;
      value_tail x i;
      assert { value (old r) (i+1)
               = value (old r) i + power radix i * rl };
      assert { value x (i+1) = value x i + power radix i * ul };
      assert { value r (i+1) = value r i + power radix i * lpl };
      assert { value x (i+1) * y = value x i * y + power radix i * (ul * y) };
      assert { value r (i+1) + power radix (i+1) * cl =
               value (old r) (i+1) + value x (i+1) * y };
      rp <- C.incr rp 1;
      n <- n-1;
      i <- i+1;
    done;
    cl

 let wmpn_addmul_n (r x y:t) (sz:int32) : limb
    requires { sz > 0 }
    requires { valid x sz }
    requires { valid y sz }
    requires { valid r (sz + sz) }
    requires { writable r }
    writes { r.data.elts }
    ensures { value r (sz + sz)
                + power radix (sz + sz) * result
              = value (old r) (sz + sz)
                + value x sz * value y sz }
  = [@vc:do_not_keep_trace] (* traceability info breaks the proof *)
    let ref rp = C.incr r 0 in
    let ref vp = C.incr y 0 in
    let ref lr = 0 in
    let ref c = 0 in
    let ref vn = sz in
    let ghost ref i = 0 in
    while vn <> 0 do
      invariant { 0 <= i <= sz }
      invariant { i = sz - vn }
      invariant { value r (i + sz)
                    + (power radix (i + sz)) * c
                  = value (old r) (i + sz)
                    + value x sz * value y i }
      invariant { rp.offset = r.offset + i }
      invariant { rp.min = r.min }
      invariant { rp.max = r.max }
      invariant { writable rp }
      invariant { pelts rp = pelts r }
      invariant { plength rp = plength r }
      invariant { vp.offset = y.offset + i }
      invariant { plength vp = plength y }
      invariant { vp.min = y.min }
      invariant { vp.max = y.max }
      invariant { pelts vp = pelts y }
      invariant { 0 <= c <= 1 }
      invariant { forall j. rp.offset + sz <= j ->
                 (pelts (old r)) [j] = (pelts r)[j] }
      variant { sz - i }
      label StartLoop in
      value_concat r i (i+sz);
      assert { value rp sz
               = value_sub (pelts r) (r.offset + i) (r.offset + (i + sz)) };
      let ghost ly = pure { (pelts y)[y.offset + i] } in
      let c' =  wmpn_addmul_1 rp x sz (C.get vp) in
      assert { forall j. rp.offset + sz <= j ->
                 (pelts (old r)) [j] = (pelts r)[j]
                 by (pelts r)[j]
                 = (pelts rp)[j]
                 = (pelts rp)[j] at StartLoop
                 = (pelts (old r))[j]};
      assert { value rp sz + power radix sz * c'
              = value (rp at StartLoop) sz + value x sz * ly };
      assert { MapEq.map_eq_sub (pelts r) (pelts r at StartLoop)
                r.offset rp.offset
                by rp.offset = r.offset + i
                so forall j. r.offset <= j < rp.offset
                   ->
                   (j < rp.offset
                    so (pelts rp)[j] = (pelts rp at StartLoop)[j]
                         = (pelts r at StartLoop)[j]) };
      lr <- get_ofs rp sz;
      assert { lr = (pelts (old r))[(old r).offset + (i + sz)] };
      let (res, carry) = add_with_carry c' lr c in
      label BeforeCarry in
      value_sub_update_no_change (pelts r) (rp.offset + p2i sz)
                        r.offset  (r.offset + p2i i) res;
      set_ofs rp sz res;
      assert { value rp sz = value (rp at BeforeCarry) sz };
      c <- carry;
      assert { value r i = value (r at BeforeCarry) i
               = value (r at StartLoop) i};
      value_tail r (i+sz);
      value_tail y i;
      value_tail (pure { old r }) (i+sz);
      assert { value (old r) ((i+sz)+1)
               = value (old r) (i+sz) + power radix (i+sz) * lr };
      assert { (pelts r)[r.offset + (i + sz)] = res };
      value_concat r i (i+sz);
      assert { value_sub (pelts r) (r.offset + i) (r.offset+(i+sz))
               = value rp sz };
      assert { value r (i + sz + 1) =
               value r i + power radix i * (value rp sz) + power radix (i + sz) * res };
      assert { value x sz * value y (i+1)
               = value x sz * value y i + power radix i * (value x sz * ly) };
             (* nonlinear *)
      assert { value r (i + sz + 1)
                    + (power radix (i + sz + 1)) * c
                  = value (old r) (i + sz + 1)
                    + value x sz * value y (i + 1) };
      i <- i + 1;
      rp <- C.incr rp 1;
      vp <- C.incr vp 1;
      vn <- vn - 1;
      assert { forall j. rp.offset + sz <= j ->
                 (pelts (old r)) [j] = (pelts r)[j] };
    done;
    c

  (** In-place variant of wmpn_mul_1 *)
  let wmpn_mul_1_in_place (x:t) (sz:int32) (y:limb) : limb
    requires { valid x sz }
    requires { writable x }
    ensures  { value x sz + (power radix sz) * result
               = old value x sz * y }
    ensures  { forall j. (j < offset x \/ offset x + sz <= j)
              -> (pelts x)[j] = old (pelts x)[j] }
    writes   { x.data.elts }
  =
    let ghost ox = pure { x } in
    let ref cl = 0 in
    let ref ul = 0 in
    let ref n = sz in
    let ref up = C.incr x 0 in
    let ghost ref i : int32 = 0 in
    while n <> 0 do
      invariant { 0 <= n <= sz }
      invariant { i = sz - n }
      invariant { value x i + (power radix i) * cl =
                  value ox i * y }
      invariant { up.offset = x.offset + i }
      invariant { plength up = plength x }
      invariant { up.min = x.min }
      invariant { up.max = x.max }
      invariant { pelts up = pelts x }
      invariant { writable up }
      invariant { forall j. (j < offset x \/ offset x + i <= j)
                -> (pelts x)[j] = (pelts ox)[j] }
      variant { n }
      label StartLoop in
      ul <- C.get up;
      let l, h = mul_double ul y in
      assert { h < radix - 1
               by ul * y <= (radix - 1) * (radix - 1)
               so radix * h <= ul * y };
      let lpl = add_mod l cl in
      begin ensures { lpl + radix * cl = ul * y + (cl at StartLoop) }
        cl <- (if lpl < cl then 1 else 0) + h;
      end;
      value_sub_update_no_change (pelts x) (x.offset + int32'int i)
                                 x.offset (x.offset + int32'int i) lpl;
      C.set up lpl;
      assert { value x i = value x i at StartLoop };
      assert { (pelts x)[offset x + i] = lpl };
      value_tail x i;
      value_tail ox i;
      assert { value ox (i+1) = value ox i + power radix i * ul };
      assert { value ox (i+1) * y = value ox i * y + power radix i * (ul * y) };
      assert { value x (i+1) + power radix (i+1) * cl = value ox (i+1) * y };
      up <- C.incr up 1;
      n <- n-1;
      i <- i+1;
    done;
    cl

  (** `wmpn_submul_1 r x sz y` multiplies `(x, sz)` by `y`, subtracts the `sz`
      least significant limbs from `(r, sz)` and writes the result in `(r, sz)`.
      Returns the most significant limb of the product plus the borrow
      of the subtraction. Corresponds to `mpn_submul_1`.*)
  let wmpn_submul_1 (r x:t) (sz:int32) (y:limb):limb
    requires { valid x sz }
    requires { valid r sz }
    requires { writable r }
    ensures { value r sz - (power radix sz) * result
            = value (old r) sz
              - value x sz * y }
    writes { r.data.elts }
    ensures { forall j. j < r.offset \/ r.offset + sz <= j ->
              (pelts r)[j] = (pelts (old r))[j] }
  =
    let ref ul = 0 in
    let ref rl = 0 in
    let ref cl = 0 in
    let ref n = sz in
    let ghost ref i = 0 in
    let ref rp = C.incr r 0 in
    let ref up = C.incr x 0 in
    while n <> 0 do
      invariant { 0 <= n <= sz }
      invariant { i = sz - n }
      invariant { value r i - (power radix i) * cl
                  = value (old r) i
                    - value x i * y }
      invariant { (rp).offset = r.offset + i }
      invariant { rp.min = r.min }
      invariant { rp.max = r.max }
      invariant { writable rp }
      invariant { pelts rp = pelts r }
      invariant { up.offset = x.offset + i }
      invariant { plength up = plength x }
      invariant { up.min = x.min }
      invariant { up.max = x.max }
      invariant { pelts up = pelts x }
      invariant { forall j. r.offset + i <= j < r.offset + sz ->
                 (pelts (old r)) [j] = (pelts r)[j]  }
      invariant { forall j. j < r.offset \/ r.offset + sz <= j ->
                 (pelts r)[j] = (pelts (old r))[j] }
      variant { sz - i }
      label StartLoop in
      ul <- C.get up;
      up <- C.incr up 1;
      let l, h = mul_double ul y in
      let ref lpl = add_mod l cl in
      assert { h < radix - 1
               by ul * y <= (radix - 1) * (radix - 1)
               so radix * h <= ul * y };
      begin ensures { lpl + radix * cl = ul * y + (cl at StartLoop) }
        cl <- (if lpl < cl then 1 else 0) + h;
      end;
      assert { cl = radix - 1 -> lpl = 0
               by ul * y <= (radix - 1) * (radix - 1)
               so cl at StartLoop <= radix - 1
               so lpl + radix * cl
                  = ul * y + (cl at StartLoop) = radix * (radix - 1) };
      rl <- C.get rp;
      assert { rl = (pelts (old r))[r.offset + i] };
      lpl <- sub_mod rl lpl;
      begin ensures { lpl - radix * cl = rl - ul * y - (cl at StartLoop) }
        cl <- (if lpl > rl then 1 else 0) + cl;
      end;
      value_sub_update_no_change (pelts r) (r.offset + int32'int i)
                                 r.offset (r.offset + int32'int i) lpl;
      C.set rp lpl;
      assert { value r i = value r i at StartLoop };
      value_tail r i;
      value_tail x i;
      assert { value (old r) (i+1)
               = value (old r) i + power radix i * rl };
      assert { value x (i+1) = value x i + power radix i * ul };
      assert { value r (i+1) = value r i + power radix i * lpl };
      assert { value x (i+1) * y = value x i * y + power radix i * (ul * y) };
      assert { value r (i+1) - power radix (i+1) * cl =
               value (old r) (i+1) - value x (i+1) * y };
      rp <- C.incr rp 1;
      n <- n-1;
      i <- i+1;
    done;
    cl

 let wmpn_addmul_2 (r x:t) (sz:int32) (y:t) : limb
    requires { sz > 0 }
    requires { valid x sz }
    requires { valid y 2 }
    requires { valid r (sz + 2) }
    requires { writable r }
    writes   { r.data.elts }
    ensures  { value r (sz + 1)
                 + power radix (sz + 1) * result
               = value (old r) sz
                 + value x sz * value y 2 }
    ensures  { forall j. (j < r.offset \/ r.offset + sz + 1 <= j) ->
               (pelts r)[j] = (pelts (old r))[j] }
  =
    let ghost or = pure { r } in
    let y0 = C.get y in
    let rn = wmpn_addmul_1 r x sz y0 in
    value_sub_update_no_change (pelts r) (offset r + int32'int sz) (offset r)
                               (offset r + int32'int sz) rn;
    C.set_ofs r sz rn;
    value_tail r sz;
    assert { value r (sz + 1) = value or sz + value x sz * y0 };
    value_concat r 1 (sz + 1);
    let r1 = C.incr r 1 in
    assert { value r (sz + 1) = value r 1 + radix * value r1 sz };
    let y1 = C.get_ofs y 1 in
    assert { value y 2 = y0 + radix * y1 };
    label A2 in
    let c = wmpn_addmul_1 r1 x sz y1 in
    value_concat r 1 (sz + 1);
    value_sub_frame (pelts r) (pure { pelts r at A2 })
                    (offset r) (offset r + 1);
    assert { value r1 sz + power radix sz * c
             = value r1 sz at A2 + value x sz * y1 };
    assert { value r (sz + 1) + power radix (sz + 1) * c
             = value or sz + value x sz * value y 2
             by value r (sz + 1) + power radix (sz + 1) * c
                = value r 1 + radix * value r1 sz + power radix (sz + 1) * c
                = value r 1 + radix * (value r1 sz + power radix sz * c)
                = value r 1 + radix * (value r1 sz at A2 + value x sz * y1)
                = value r 1 at A2 + radix * value r1 sz at A2
                  + radix * (value x sz * y1)
                = value r (sz + 1) at A2 + radix * (value x sz * y1)
                = value or sz + value x sz * y0 + radix * value x sz * y1
                = value or sz + value x sz * (y0 + radix * y1)
                = value or sz + value x sz * value y 2 };
    assert { forall j. (j < r.offset \/ r.offset + sz + 1 <= j) ->
             (pelts r)[j] = (pelts (old r))[j]
             by (pelts r)[j] = (pelts r)[j] at A2 = (pelts (old r))[j] };
    c

end

module Mul_basecase

  use int.Int
  use mach.int.Int32
  use import mach.int.UInt64GMP as Limb
  use int.Power
  use ref.Ref
  use mach.c.C
  use array.Array
  use map.Map
  use types.Types
  use lemmas.Lemmas
  use util.Util
  use add.Add
  use Mul

  (** `wmpn_mul_basecase r x sx y sy` multiplies `(x, sx)` and `(y,sy)` and writes
  the result in `(r, sx+sy)`. `sx` must be greater than or equal to
  `sy`. Corresponds to `mpn_mul`. *)
  let wmpn_mul_basecase (r x:t) (sx:int32) (y:t) (sy:int32) : unit
    requires { 0 < sy <= sx }
    requires { valid x sx }
    requires { valid y sy }
    requires { valid r (sy + sx) }
    requires { writable r }
    writes   { r.data.elts }
    ensures  { value r (sy + sx) = value x sx * value y sy }
    ensures { forall j. (j < offset r \/ offset r + (sy + sx) <= j)
              -> (pelts r)[j] = old (pelts r)[j] }
    (*ensures  { result = (pelts r)[r.offset + sx + sy - 1] }*)
  =
    let c = wmpn_mul_1 r x sx (C.get y) in
    value_sub_update_no_change (pelts r) (r.offset + p2i sx)
                               r.offset (r.offset + p2i sx - 1) c;
    set_ofs r sx c;
    value_sub_tail (pelts r) r.offset (r.offset + p2i sx);
    assert { value r (sx + 1) = value x sx * value y 1
             by (pelts y)[offset y] = value y 1
             so value r sx + power radix sx * c = value x sx * value y 1 };
    let ref rp = C.incr r 1 in
    let ref vp = C.incr y 1 in
    let ghost ref i = 1 in
    let ref vn = sy - 1 in
    while vn >= 2 do
      invariant { 1 <= i <= sy }
      invariant { i = sy - vn }
      invariant { value r (i + sx) = value x sx * value y i }
      invariant { rp.offset = r.offset + i }
      invariant { plength rp = plength r }
      invariant { rp.min = r.min }
      invariant { rp.max = r.max }
      invariant { pelts rp = pelts r }
      invariant { writable rp }
      invariant { vp.offset = y.offset + i }
      invariant { plength vp = plength y }
      invariant { vp.min = y.min }
      invariant { vp.max = y.max }
      invariant { pelts vp = pelts y }
      invariant { forall j. (j < offset r \/ offset r + (sy + sx) <= j)
                -> (pelts r)[j] = old (pelts r)[j] }
      variant { vn }
      label StartLoop in
      value_concat r i (i + sx);
      assert { value rp sx =
               value_sub (pelts r) (r.offset + i) (r.offset + (i + sx)) };
      let res =  wmpn_addmul_2 rp x sx vp in
      assert { value rp (sx+1) + power radix (sx+1) * res
              = value (rp at StartLoop) sx + value x sx * value vp 2 };
      assert { MapEq.map_eq_sub (pelts r) (pelts r at StartLoop)
                r.offset rp.offset
                by rp.offset = r.offset + i
                so forall j. r.offset <= j < rp.offset
                   ->
                   (j < rp.offset
                    so (pelts rp)[j] = (pelts rp at StartLoop)[j]
                         = (pelts r at StartLoop)[j]) };
      label BeforeCarry in
      value_sub_update_no_change (pelts r) (rp.offset + p2i sx + 1)
                        r.offset  (r.offset + p2i i) res;
      set_ofs rp (sx+1) res;
      assert { value rp (sx+1) = value (rp at BeforeCarry) (sx+1) };
      assert { value r i = value (r at BeforeCarry) i
             = value (r at StartLoop) i };
      value_tail r (i + sx + 1);
      value_tail rp (sx + 1);
      value_concat y i (i+2);
      assert { value vp 2
               = value_sub (pelts y) (y.offset + i) (y.offset + (i+2)) };
      value_concat r i (i + sx + 2);
(*      assert { value_sub (pelts r) (r.offset + i) (r.offset + (i + sx + 1))
               = value rp (sx + 1) };
      assert { (pelts r)[r.offset + (i + sx + 1)] = res };*)
      assert { value rp (sx + 2) = value (rp at StartLoop) sx
               + value x sx * value vp 2 };
      assert { value x sx * value y (i+2)
               = value x sx * value y i
                 + power radix i * (value x sx * value vp 2) };
      assert { value r (i + sx + 2) = value x sx * value y (i+2)
               by value r (i + sx + 2)
                  = value r i
                    + power radix i * (value_sub (pelts r) (offset r + i)
                                                 (offset r + i + sx + 2))
                  = value r i + power radix i * value rp (sx + 2)
                  = value r i
                    + power radix i
                      * (value (rp at StartLoop) sx + value x sx * value vp 2)
                  = value (r at StartLoop) i
                    + power radix i
                      * (value (rp at StartLoop) sx + value x sx * value vp 2)
                  = value (r at StartLoop) i
                    + power radix i * value (rp at StartLoop) sx
                    + power radix i * (value x sx * value vp 2)
                  = value (r at StartLoop) (sx + i)
                    + power radix i * (value x sx * value vp 2)
                  = value x sx * value y i
                    + power radix i * value x sx * value vp 2
                  = value x sx * (value y i + power radix i * value vp 2)
                  = value x sx * value y (i+2) };
      i <- i + 2;
      rp <- C.incr rp 2;
      vp <- C.incr vp 2;
      vn <- vn - 2;
    done;
    while vn >= 1 do
      invariant { 1 <= i <= sy }
      invariant { i = sy - vn }
      invariant { value r (i + sx) = value x sx * value y i }
      invariant { rp.offset = r.offset + i }
      invariant { plength rp = plength r }
      invariant { rp.min = r.min }
      invariant { rp.max = r.max }
      invariant { pelts rp = pelts r }
      invariant { writable rp }
      invariant { vp.offset = y.offset + i }
      invariant { plength vp = plength y }
      invariant { vp.min = y.min }
      invariant { vp.max = y.max }
      invariant { pelts vp = pelts y }
      invariant { forall j. (j < offset r \/ offset r + (sy + sx) <= j)
                -> (pelts r)[j] = old (pelts r)[j] }
      variant { vn }
      label StartLoop in
      value_concat r i (i + sx);
      assert { value rp sx =
               value_sub (pelts r) (r.offset + i) (r.offset + (i + sx)) };
      let ghost ly = pure { (pelts y)[y.offset + i] } in
      let res =  wmpn_addmul_1 rp x sx (C.get vp) in
      assert { value rp sx + power radix sx * res
              = value (rp at StartLoop) sx + value x sx * ly };
      assert { MapEq.map_eq_sub (pelts r) (pelts r at StartLoop)
                r.offset rp.offset
                by rp.offset = r.offset + i
                so forall j. r.offset <= j < rp.offset
                   ->
                   (j < rp.offset
                    so (pelts rp)[j] = (pelts rp at StartLoop)[j]
                         = (pelts r at StartLoop)[j]) };
      label BeforeCarry in
      value_sub_update_no_change (pelts r) (rp.offset + p2i sx)
                        r.offset  (r.offset + p2i i) res;
      set_ofs rp sx res;
      assert { value rp sx = value (rp at BeforeCarry) sx };
      assert { value r i = value (r at BeforeCarry) i
             = value (r at StartLoop) i };
      value_tail r (i + sx);
      value_tail y i;
      value_concat r i (i+sx);
      assert { value_sub (pelts r) (r.offset + i) (r.offset+(i+sx))
               = value rp sx };
      assert { (pelts r)[r.offset + (i+sx)] = res };
      assert { value x sx * value y (i+1)
               = value x sx * value y i
                 + power radix i * (value x sx * ly) };
             (*nonlinear*)
      assert { value r (i + sx + 1) = value x sx * value y (i+1) };
      i <- i + 1;
      rp <- C.incr rp 1;
      vp <- C.incr vp 1;
      vn <- vn - 1;
    done


endwhy3-1.6.0/examples/multiprecision/mul/000077500000000000000000000000001440160026300200655ustar00rootroot00000000000000why3-1.6.0/examples/multiprecision/mul/why3session.xml000066400000000000000000003050021440160026300231050ustar00rootroot00000000000000











 
 
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
   
   
    
    
    
    
    
    
   
   
   
   
   
   
   
   
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
   
   
   
    
    
    
    
    
    
    
    
    
   
   
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
 
 
 
 
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
   
   
    
    
    
    
    
    
   
   
   
   
   
   
   
   
  
  
  
  
  
  
  
  
  
  
   
   
    
    
    
    
    
    
   
   
   
   
   
   
   
   
   
   
   
   
   
   
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
   
   
    
    
    
    
    
    
    
    
    
   
   
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
   
   
   
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
 
 
 
 
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
   
   
   
   
   
   
   
   
   
   
   
   
   
   
    
    
    
   
   
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
   
   
   
  
  
  
  
   
   
   
   
   
   
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
   
   
   
   
   
    
    
    
   
   
  
  
  
  
  
  
  
  
  
  
  
  
  
   
   
    
    
     
     
      
      
       
       
       
       
       
       
       
       
       
      
      
     
     
    
    
   
   
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
   
   
   
   
   
   
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
 
 
 
 
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
   
   
    
    
    
    
    
    
   
   
   
   
   
   
   
   
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
   
   
   
  
  
  
  
  
  
  
   
   
    
    
    
    
    
    
    
    
    
   
   
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
 
 
 
 
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
   
   
    
    
    
    
    
    
   
   
   
   
   
   
   
   
  
  
  
  
  
  
  
  
  
  
   
   
    
    
    
    
    
    
   
   
   
   
   
   
   
   
   
   
   
   
   
   
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
   
   
    
    
    
    
    
    
    
    
    
   
   
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
   
   
   
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
 
 
 
 
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
   
   
   
  
  
  
  
  
  
  
  
  
  
  
  
  
   
   
   
  
  
  
  
  
  
  
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
  
  
  
  
   
   
    
    
    
    
    
    
   
   
   
   
   
   
   
   
  
  
  
  
  
  
  
  
 
 


 
 
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
   
   
   
   
   
   
   
   
   
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
   
   
   
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
   
   
   
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
   
   
   
   
   
   
   
   
   
   
   
   
   
   
    
    
    
   
   
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
   
   
   
   
   
   
   
   
   
   
   
   
   
   
    
    
    
   
   
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
   
   
    
    
    
    
    
    
   
   
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
   
   
    
    
     
     
      
      
       
       
       
       
       
       
      
      
     
     
    
    
   
   
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
   
   
   
  
  
  
  
  
  
  
  
 
 



why3-1.6.0/examples/multiprecision/mul/why3shapes.gz000066400000000000000000000734441440160026300225410ustar00rootroot00000000000000[9._ޝB_=#,P/ZuFR_{~T)SJU
eN͌F3hnʇw߯]mR:<]7Jwxǀ'ßu~|	ޏPW{s
4nv$|Ur
?~m§/`8>vzǿxCaD-140#߼~.ܾ
>ۏh~oxSo[+e'c)'d%ky1W\;?*ބoX1:avXB>^uhK{u>i24j#o&ty3D6_nWJ{i{98}a^u9lqUu(nbV
N76v078i7E/fx{SBe9ry˳hqxڅiQ^^yC84$b%WۮڒgI,tf<5|(:_34OmNtVy+4X.|o\2v68ԓgnn؞<54?zW4mo!e>a]1G7~W
SGY?Ruo4գVNuF*~*(Ti/ç?ӻO!z-مl.Z~ߐP9Bq{:cAK^gw5^O
dW07bzi*PUHmmc\(xskS7%n7k9<'UyrJ"ۘrb<͸|Og}y^طwsơu33-F26X5XG,Jl'ez.A܀ܹ'X#8'v>֑=!}03~?z[{i#bĞ_mgbic]n<<)2
<݉.8as8˗|}iӀDp{\4%6/}?Y=wL=q9VQK;;6ѷ{Ag4ݞq3gPZb|Zڲ]mn06O)@Kٞ&,	#wMUwFswӳB#̌ґV'ީs[9>t>'߆@0wS$E(mpɪ|^xi}Yt 6E7}Y{PO
lBr|9kc
?wN輹=*=рnײתGѻj]wn~+b:	>9\N81R߶,rnEզ_;q+lY
V^[æ/Uyν53[߈Heÿ$?RZYT'bq,B
tܡ/4
~w	Uzr+{
G.1
t4Nx
4+_C~-RHF! mN8,׊9Wkuࢻ޿8zcE|oE[=pPڄ8[8
'rwn
/rEԆaM&7+얿X4Sx:Y{t-+?ʵ؝Ȇhҏ\CvW~>ja^:uq-͍ىu
B/=!Q355d<7ϛHȜiOP;[#n7]5?r{	ui8Cΰ@8	XT!n;(CѴ z<ix*zj?'[Ey
*Ba@ (z]erH7wׄk#ByywtKw716R*)LT
nnus!LaO?7?wN#r.7,kt\cB]Gw=WRvS+]r{V\UM7mr5WB@ͦ5[r|^Ε[o7z
	
/kၾnLx;|;e}E涋ES
oEYs	6[Wj_C/enPOHpIny*xHn$Hݐi QǑv%9§FLj1+HĹ X=w3A7{7.W7ߑٸH(o8X;Bҕ]DW;^06lk'Wz<z}#yd	:auK=KwwK	+!1!s3G4g>Vo//-mOǤ+]OOˤ$sn:3GOc҉m7ov4PI?,tD/pܠruHZt{X"^la^N>bDZ͎w߄׸?fMgˎi|dbCYTu>>^W{7.Z"u.,Z_oTv]dkkKљt"fNL76iı)c:3f]:3gm:#vkѷ(şND`_iqaӆlfδ=|ua~ƮR6Vglu|y,f6s:C"[q☃
fŵVgluVlufV̘NՍ&`Vgluӣ؁l]l.rkkD\7츜
/G›4}މMʗ__!I9fL@69mWI&$zr=FY74K@/YOnPM.wQ{u߾\Γfwur`^AHpRw7yuB]F@YCoa;}8L
͗be\.
~*P=VhNuǥg%LWps~~XL!ynRJ|͹i/qn4k-5;[׳C|#=lz؄9/Fp
lzl8/cIÀbG:󄬝
%!{/l̏b|bpyz=Y´If6WRW{KthxfEWsW-@>Q+6P_8~-^T|x,_vWPG#Ľ=3fQO2@=5&h3)u޼業KdA=<ta,I9)	ISÈd;ׇϫ2Qaa w'"$箱ij]y30VݝXXT=cLw1!kw#]ۛE1*W5ELGXdg_0)59/nN/m4sƍf)b:T!OUhΩRgTKlC2RYSPu`ح7|kݾ/)(v&.꼑pDZ_o%Lz?5\
d7mO+bXH򁴹j'mZtm|+~m|=EȶVvWu?+) MUsL;n>+EmT3^=&>}U'rjg>4%PG	8ePԭ4%>Hv?3w+tvֹA2nyQJפb[3Ģ{FYD͘
ˬUgWߴ^OoxN7x_LjۭmAIoa>,vjkgSխSD?/P|̀E͝Ɣf8ۨrN&pի7#9vopvR^?=`-Hv+lZ{'oxڣby!yPݲ*|!lz`6-3'-Cr{g)QǮar):<,|k̽yѼ懒o4YgL|- B5nY
料ĉCss#p:g:W8s&f=Mx|r7^pJ?NFu%{:;qj&˫Gn|-:)Ⱥ ksYs5S~?xS*~>.ZLj}${w;}(O.76(cRv"ڥNA7X?VN̛lwMݳ=r3fzx	n{Оukm4mN.?^u"?Cn=S|D\U]7=UWM +;m@\#Mw^;#~epI1hVBIzrXԛ'dMQoe
?D"7YRgةWu:jژiִ9[{fB[ʇ뮸Eǩ/^\¹AV^:r9ofhMjlMyisZVGȭF
<	ޱ'N?BԧMeQ4P	͉rf;y
sv[ty& O4mlJY35ڴ}PzjO?w˭|q,_|;O?D@:⡭&C:Vx~GL5ݖ5/k'LZΘƵ٬~cuw4Vw+˻;8k5&#Ĝs&ܐƙ.Ɵv`k/C&hzE0~"z#Oj#Q7c	Lu\Zm[Pk	n	1[긱tuLjj'a|'cȦ35Oft=sRSBQ)=N[6R]Sw̩9,rh
^WY%$}ܲ,}\G:'j,I.ܣ<ΐY~$&|g+'s;]>({3nˇ8~Rrޓ=}SB9NCV]V5$
^fӌNy'61[7I׮,d[{SĂ뽧CJ~j}jf,ՆXM`n

/7:2?#6k1T8CjI3Wm.Π-bfڧe~ڠxngA7W1f$ŦmOX-t3?5F9'B3q~$qJ37c%s8+i'tfiLbM
,
ʧ-t6?qӞL%%!3%p:?}د`-߱QKnΥ~q}z6r!s2ny׃GxFYc8EZ8X,G>
_ЕnK0!@*?yA0flS؜9}4bIu}x-CZޭH*iq|;}~z&:kWsDr9Tylp,dq8c|pG?d!~xosnTAv9ߡ)#NSmވhP鶷uZa}f֞hUvZ#:AJ]V+o`?r쩒=Nus=z_Ë:lv;YSJE%Nɩ~
TaͱѴpa:_MɎkyVlT]!ȍlm
5{6
g@CѴߧ?zt1Fyc:RCpQ`>)_+N	X4ŕW])ܕW\)}ԕWJ\)~ؕW]I{%͕WJ+ɮ<,m
se5IQ:P4,5
Mr%&d+te Tz2'|IN%!8x2'2`2xItXFP+^XD),J)gE?TQ^p"`h#g{XkYBk
[)MJ	gx_yw7W^_yua+ϯExJy>">+fVIVy&ѩY̘Zg`oɖB6Ey輊o:m`USfiѤ	GmHXDp1BIUiNe͔4ɩ	G&ό2XcyJt0jbA	/A&SWJWTav_

@DEcjIt?ߒlR`2c!Bn8%16&xR@~()Gi

X2ҢM/zJ㣲O1rJo578.z
٘p62jC
}d(YܰѢ/{
QXJ CXT.tybmx1>@J:daI|L6BDm~cjH:qqU
hJ+C`Z1-S:,/}xf`]%_}.ZM/ogٸf
EDX9u
PJ`IՌ~a0nmJk9DӀ3`.į7ČY9ӾZa:r3
Nq(8-(=	[~;޿aDکU()
92:^`M1UK&J$)\ژ %R%C3	 J |vcq?аafUMcvD,)SrsÍ+AU:+4:k?KLf:)p̘cσʠ\ʚKEoP璒tLk(tcVW
Kjt2U6.wA.4C͞6RVF0jP8]и5
Ujd/y,aCԹ*~L\d!0Y0)ȑ3=[rBBj9^oeB]Pz>j$$eM̰
VWaϪDkL{p(
̒5xY/~'8Tk
+О̻ZzT
@+;A
u9rKu9QPC=JL
U ȥdș=>`$/A)	_^	JB 
$vSs9	IKF=`Nssz$%,Ae	2KMB=z 88ӨzK\$z%ѝ}D~G,@<HD&4M$h"q
Q+NuP&4M$h"Aɉ&Y4z48$D!d@f=w)ŒU2.s2c^RNޒ]`Fd$]%^e]N=BWju[0g~(?^Q6Zl7)fmeұ]abs6^Px:YtC(]cs3/JUH;	xAu[SѩEۊ\*<\b
<
(C\>K,glBI>:Ac.hėͳˁsjɮz(Ȝ"8&4y"\_h6[fZ蔙P:UrQ1#r9bT
*iJ7kUJ)+ʸ:{vA^vl94WYTUTL.nh#)8Eq0d0A;S;a#/y&flfp%qxA2y3(tMQ11ZIUBR^\t
1;)__(^cn^x6)3D,N*[o6zWDRg)TSNmm@'>6B[&Y	ˢ`
l2L/4{".')B2Nho48:q$/9EKվFӅUtvwE?2{XǺB5)Zy(BNհ"`c##:Qϫe$3"6w;tF%˅aFB)2I_&
pZn_J!$3jFpUP4
10_eemq1 vVCi },kob„.+64`M \Qa6Mԏ7et2U	tK,">E"J}CmO%c+$)d`r *h
6!js=}BfCpH>,+Q*tb'ZunC>!nw/"JP`
e]F}BP6`,w0x1C[#hue'k]FrU!)b6Wr؋ ̖\Ϻ=Oۘ<~nB3VIe24@9uhAKjg`#\rކ#VYO$-rX.XX$٬xeqS:Be(xLJľ5ܙTxKsuo1Ĺ#&Ic2ӌ{Ge1pkLS!	+gi-loWSa0YDPcTw*\)*G]I&Ф"ax
y_-tZCc'Hl_}6D٨S쯨l h"P62IWC˥(и7KÓ/qx	uSRXMRxe[}nUB⠆C`*t-B)PaȂ*f^.$NICƆR1>un`d"`MBaӆ'BdVshwNSq8s},83
7mSֳ2K~ˡhNĭԢRdUzE_ELZM
BFlȖ+dhUYeITM9Be2`c\JHJ}! 'Gr4)rc‚rHN-ͅ/	_vi;;ء
d/lBjQ(2jz&&+OEdf*9xNY*݅YEή<#wXQ^g'/)2EWǭCO6/Vz5|6DŔVTjЮhנ]v
5
H)#?F=z1`c0,c|POQHP Q1`4`E82`7vހ`zvlzgzdNd1,
`"
.`#
>6
ю_8GuC=z,YԳ%,Y#6âizhCРT"|PР摢na7QbopRG=ՠM4hA
hD&4ѠMm&{/k'XpTTnd^(d؀.s2/sEu,*I	,Ӣ.tTչ̘%Ns]]e_˞U}W%qeb
lΗGZhf)(#kUѩ4Q\<&NX;-׃y,	md`C7
4{Q+RfQx"1ƃ/(h1˅Ml"Uq&\*R=Uո\O&2ɱy)12\_OɟOx\QDe䢂)VH SЅO|RMBs%Z<:i,ɟOxҥFr	.iUYR'+^aRU	N	%;1Q
/+~˨z,l-H\x(c\{Y*y`}bC,E֢&ޱvy+γ-_AVk4h60upMمϾ4sH)TiqVJ/#VY0RDA fG(6)Jd)ѥm0
eޠI+fXqXW/d`5\
߂m!WWzzxܫd%jQde5ex_lB諐=:

^"9C3fdM5fsa"AP3 1fiKٔ]5!s^SrUrĔQJUEƁ=PѢf*!3s&!?1IQ%Ǭ0M>Aa`1(EcUz`|j5'
yPzQ+APCs)
X%j&8X\$,J
`[rhdv^*jREV_@V}XPVbrgʉAQe5)a
2GfMX |=G^U,Dޕn!('cP,YDG]C@dX
 ꈜ!f!|;]).xN\J^ZkL>PkUhW4Zbc)+
Di˗s(8ea?I`ld r@;zG=zxTX##堅c;-d{`c|A+NhAWr<<0'
m8u
q8-A$s(;KJDThϢ=8,YXæA_a[A!lڏΗF1LN?21U_E6@)V-wg`Q}E)Ceπ+1(|2N\MNy
_le.`;] 0U:@9\v7,JR++jVҎ7uAZ33kʕk!'%ʄ4uAr%%\!\BP"Ga.r(r7.ۖo:&=Yx0!O]'|˂1^+[t0bˁ48
)i<
Lx1@gh.|:+29T,"	s\4pcKNF],bB \W
.wU)^jY<>!_:i_B"9*)T\ݣpL(cDk^&g&ǽHX"Jma)h:P~><\V!	QWQ1f>˒gmRgؐ5j m`r\Gy̬FmTEғ:X4B7:(E#:gvp1(O%*d
F0`9y6;|kmcfaQL\9HUsFAhWW0(5R1&
.TF߷R6 XR2)4ퟬ2ƊF (L?Lے%A탿S€
ުaaRz4䵏`wG'2YXt{k
z2JTYj`122Ǫ/
(]3E҈|3BXn	KTa^ ֟&Mn%kEx͐B`Gi&3f	E2&9oXJHNa(Z,Q,`mʱ D`]2+U.Cg̏Xmy􏦌vt+9Ҵu /EZVbVX&Qr!)w	<5Rb{DKJ=J,WBˠs)i"XA;4X
)+5(K887Q>F2
^àV`
bdh3ۇR`4La%`L.pR&!5#U	v׎YES?ȵ5XD$ְ\qv)4zG>o0YKhlWmx5]a$@Ꮘ:ɖrWcU0si,O.6
v{+L:s4n[^@x/NV}m-*SfWWD@PzY/ғ+Hpx)qVX:d_^?;îHX9[LlOi'cY[K;x 驑{
wイo_Ҧ\	ak
9Au#{ěd9g !fuTȶ\S/	e?Yۦਟxk<،2Zh.ʟh6>G'\K::ڸP)`RL.cB!#vt	/@Jz,
?|p*hxZPKu
ArSJ;q$'@r	$'9@r5HK  $@0KMp]u\rx .\4qu@]43:u_%	% L$wvē:N:~eU`"'0`"m"LϤII%U?>*"yXzљYnYn:+X`%աCW~q3R֜ښ5d:tu/cԽu}l(Ǫ=3r楺^wzlQK-cGj?ϣ_j0ِlI{2=yܧ<{rs:+o!'h-Iy*
Gb𝶳ݳ-~3+|%>Kt13P#MDPa`s:~7w4\t8Cy܋tSA=zɲ6ɼ'0[-eUoki6]L~&,k :ߔg|,e8w͞&#:	D~E
hI?͇ڶ=з\gcQtWR1 )f/>?%&ժCbi޵O;_~FӐ
*nehݼatqۢYhՁX5[K?J~bujlxv.MZ_`74^a$m9>cwi^4؛zZ1vQ!|r7'nxPZm
٧5^?`{$VAR$Ľ,?/U0~_W:Cr1?]9ȸ,h9p&͟vүVEH>fuictMM~ߦt;D!o|"A*NȀ<1{-wЄʽ>Jk]T8%{
aˀ~$6IОGWR;F`9.ApO<Ƿݮ,=V"jYJwwe6瓒.oE@`U 6Cm}'l(Ԛ+e<;z7=ŤkhVu}EwhSҷe{5//k1F#Yru{=1; Ktɉo$FqMrFoLN])/_GTB>-/e@^0Tz2m&QhInG-KlClKG&ʜ>gҩmfCDxx!pq!pF0>umMUЋ:Z|G&ef:ha6[\w[aVf½6doQx.0D->)Y=#p/-=F0B]Pfm\1|)^uլh.\\T(#xgn=nml%$0?1xõyAhVSLVύ-kR -
^{
þ>u
GBL7'>z_+[9})a7DA:}+)u|ZBw[qH00,yiҁ!PAts/P>\zT{|BUOy_H~};bx
7<8:ne.&?ع^?2m>,䌺X|ś/.{r*[b8܋c.ߟպ&;z6;zd;iaɄB8=(NP8ATN(8Ⱥ9Y~ɮZ_/?&ye?Qm.;oe2*y7nƩWmi2t)[rKQ~))@ir
So^zK
\@mM>2VɓIJeϥ\2|p2_vfi%zK\B|BLZsE-s3v?rxx]Z|Zɉ
q!ftb(|~ىKOE1H⓵:ؙǖWx'h
[%'$GD)ղYy	i.I>-Iݼ`9ᆌ)VΛߡ)vKL8:skzd9~|M$T/]>=](f6vdZ}|y>]\< G[UyRɴ]\jP[Mzas@;+m4KKsn2QBP-Qy߂>arqh"{䲤ؑ+b!b"LtҺxE7W9D9&x
jpt~^]}r
5~j-36BCC_
F 9P_<\#$^{/5/5;]rrl?ٽ\Gpd.o/oޞ>CX1~@-r{qxM9cզuEk3jcfd.]^m]c/2
uzėU|9|9r u4
.b_s$S)&Ԗ
x^._.\slؓvFg>g:zY}Y`試VzSږ~6LS?XUhl*z??V_=4j,="h怀ɔ6gL=k5o=~O=Ģ]:zbQETdfz^z0*Zys-{Ev4:ǖu0Mg1_eӄbْc $1m%k!p ^Dʃ&3/sṷ,1,<$Q[%(ufM3SKHX6auQ?2}7)aA|bIܟFàMb
$4`p,tFieq!&=Z/ii|beH@
%LV:Qh\1fo	3FPj+Jsީ;dj}f{N5lPsm}2e0g9q5))Qvc2=bk}m.,lp{)GF=<[,x}bg!!amvʏ0kGA،¥E擙[6$WRuY[/2?՚JIWY=Sj&OX\{!٘XMlEEArRp߿zsKp63xvW`"^;]?&;P!SuڱO{{N?$3D>cN^_/_zV|cZ0F]T;EUW/ש*cN
<^kX܋Nke鸞h

ڹvqںhŨȻ}

9|p̸ؙ(#wY!/rq`2%uJ01aVniTKNKzԼO(zP"Bop;FH)}WK=kddE֡8$NJSg-mA+OQzJ)'~ʗ9Wd/>8ߞ񹗓l4Ц쩅Fy\7zb[[ny6j{FV,egs̥t[b+4oÈ%%7ٯL0M:^maokƙzqt*d``'b:Tf˼˼oEFZ?l1C@1`?{>)KKo.?gΝo>ܝpH.=AK./	2-#Hf#oDD^D8'f>e1׺$2q%%\ŘNAKVf5[yRROI<9(s3ƒg%OJRN0I1W//˯_____yG$')8nyG?g/"7t8+pVᬤYIUa;,ﰼ;@[ޑUr,5yG;jQTVkD	%<jՀ+ZICcr#=URjՀh(mT!gpfj/W
|\5#R>f}.\]0ZmTuۊږBKuAB\
1k4M1X>!jՊO8ʑk/#+.s]+Uϥg͢Clr.1!b~'4h7&ڤ1޴]%JYdm]8bs	Ք)ZSG_Jn'exG񞋚$6_u%;L+y
sWg\yN).>:".ӗt?y*U8_>MqZcu>KlW{\agl<5rWJh8k9m/IڣW
]ݵƱFe yxILW2}MĆ8ES9HlA)/QIp7#G=cRjƴJ-HGT
f{Qzd
)p)}mo8qDޣ;4why3-1.6.0/examples/multiprecision/overlays/000077500000000000000000000000001440160026300211345ustar00rootroot00000000000000why3-1.6.0/examples/multiprecision/overlays/add.h000066400000000000000000000017451440160026300220440ustar00rootroot00000000000000#ifndef ADDOLD_H_INCLUDED
#include 

static inline uint64_t wmpn_add_n1(uint64_t * r, uint64_t * x, uint64_t * y, int32_t sz) {
  extern uint64_t __gmpn_add_n(uint64_t * r, uint64_t * x, uint64_t * y, int32_t sz);
  return __gmpn_add_n(r, x, y, sz);
}

static inline uint64_t wmpn_add1(uint64_t * r, uint64_t * x, int32_t sx, uint64_t * y, int32_t sy) {
  extern uint64_t __gmpn_add(uint64_t * r, uint64_t * x, int32_t sx, uint64_t * y, int32_t sy);
  return __gmpn_add(r, x, sx, y, sy);
}

static inline uint64_t wmpn_add_n_in_place(uint64_t * x, uint64_t * y, int32_t sz) {
  extern uint64_t __gmpn_add_n(uint64_t * r, uint64_t * x, uint64_t * y, int32_t sz);
  return __gmpn_add_n(x, x, y, sz);
}

static inline uint64_t wmpn_add_in_place(uint64_t * x, int32_t sx, uint64_t * y, int32_t sy) {
  extern uint64_t __gmpn_add(uint64_t * r, uint64_t * x, int32_t sx, uint64_t * y, int32_t sy);
  return __gmpn_add(x, x, sx, y, sy);
}

#define ADDOLD_H_INCLUDED
#endif // ADDOLD_H_INCLUDED
why3-1.6.0/examples/multiprecision/overlays/mul.h000066400000000000000000000022251440160026300221030ustar00rootroot00000000000000#ifndef MUL_H_INCLUDED
#include 

static inline uint64_t wmpn_mul_1(uint64_t * r, uint64_t * x, int32_t sz, uint64_t y) {
  extern uint64_t __gmpn_mul_1(uint64_t * r, uint64_t * x, int32_t sz, uint64_t y);
  return __gmpn_mul_1(r, x, sz, y);
}

static inline uint64_t wmpn_addmul_1(uint64_t * r, uint64_t * x, int32_t sz, uint64_t y) {
  extern uint64_t __gmpn_addmul_1(uint64_t * r, uint64_t * x, int32_t sz, uint64_t y);
  return __gmpn_addmul_1(r, x, sz, y);
}

static inline uint64_t wmpn_mul_1_in_place(uint64_t * x, int32_t sz, uint64_t y) {
  extern uint64_t __gmpn_mul_1(uint64_t * r, uint64_t * x, int32_t sz, uint64_t y);
  return __gmpn_mul_1(x, x, sz, y);
}

static inline uint64_t wmpn_submul_1(uint64_t * r, uint64_t * x, int32_t sz, uint64_t y) {
  extern uint64_t __gmpn_submul_1(uint64_t * r, uint64_t * x, int32_t sz, uint64_t y);
  return __gmpn_submul_1(r, x, sz, y);
}

static inline uint64_t wmpn_addmul_2(uint64_t * r, uint64_t * x, int32_t sz, uint64_t * y) {
  extern uint64_t __gmpn_addmul_2(uint64_t * r, uint64_t * x, int32_t sz, uint64_t * y);
  return __gmpn_addmul_2(r, x, sz, y);
}

#define MUL_H_INCLUDED
#endif // MUL_H_INCLUDED
why3-1.6.0/examples/multiprecision/overlays/sub.h000066400000000000000000000017451440160026300221050ustar00rootroot00000000000000#ifndef SUBOLD_H_INCLUDED
#include 

static inline uint64_t wmpn_sub_n1(uint64_t * r, uint64_t * x, uint64_t * y, int32_t sz) {
  extern uint64_t __gmpn_sub_n(uint64_t * r, uint64_t * x, uint64_t * y, int32_t sz);
  return __gmpn_sub_n(r, x, y, sz);
}

static inline uint64_t wmpn_sub1(uint64_t * r, uint64_t * x, int32_t sx, uint64_t * y, int32_t sy) {
  extern uint64_t __gmpn_sub(uint64_t * r, uint64_t * x, int32_t sx, uint64_t * y, int32_t sy);
  return __gmpn_sub(r, x, sx, y, sy);
}

static inline uint64_t wmpn_sub_n_in_place(uint64_t * x, uint64_t * y, int32_t sz) {
  extern uint64_t __gmpn_sub_n(uint64_t * r, uint64_t * x, uint64_t * y, int32_t sz);
  return __gmpn_sub_n(x, x, y, sz);
}

static inline uint64_t wmpn_sub_in_place(uint64_t * x, int32_t sx, uint64_t * y, int32_t sy) {
  extern uint64_t __gmpn_sub(uint64_t * r, uint64_t * x, int32_t sx, uint64_t * y, int32_t sy);
  return __gmpn_sub(x, x, sx, y, sy);
}

#define SUBOLD_H_INCLUDED
#endif // SUBOLD_H_INCLUDED
why3-1.6.0/examples/multiprecision/overlays/uint64gmp.h000066400000000000000000000100511440160026300231370ustar00rootroot00000000000000#ifndef UINT64GMP_H_INCLUDED

#include 

struct __mul64_double_result {
  uint64_t __field_0;
  uint64_t __field_1;
};

#define __builtin_expect(x,y) (x)

#define UWtype uint64_t
#define UHWtype uint32_t
#define W_TYPE_SIZE 64
#define __ll_B ((UWtype) 1 << (W_TYPE_SIZE / 2))
#define __ll_lowpart(t) ((UWtype) (t) & (__ll_B - 1))
#define __ll_highpart(t) ((UWtype) (t) >> (W_TYPE_SIZE / 2))


#define umul_ppmm(w1, w0, u, v)						\
  do {									\
    UWtype __x0, __x1, __x2, __x3;					\
    UHWtype __ul, __vl, __uh, __vh;					\
    UWtype __u = (u), __v = (v);					\
									\
    __ul = __ll_lowpart (__u);						\
    __uh = __ll_highpart (__u);						\
    __vl = __ll_lowpart (__v);						\
    __vh = __ll_highpart (__v);						\
									\
    __x0 = (UWtype) __ul * __vl;					\
    __x1 = (UWtype) __ul * __vh;					\
    __x2 = (UWtype) __uh * __vl;					\
    __x3 = (UWtype) __uh * __vh;					\
									\
    __x1 += __ll_highpart (__x0);/* this can't give carry */		\
    __x1 += __x2;		/* but this indeed can */		\
    if (__x1 < __x2)		/* did we get it? */			\
      __x3 += __ll_B;		/* yes, add it in the proper pos. */	\
									\
    (w1) = __x3 + __ll_highpart (__x1);					\
    (w0) = (__x1 << W_TYPE_SIZE/2) + __ll_lowpart (__x0);		\
  } while (0)


#define __udiv_qrnnd_c(q, r, n1, n0, d) \
  do {									\
    UWtype __d1, __d0, __q1, __q0, __r1, __r0, __m;			\
									\
									\
    __d1 = __ll_highpart (d);						\
    __d0 = __ll_lowpart (d);						\
									\
    __q1 = (n1) / __d1;							\
    __r1 = (n1) - __q1 * __d1;						\
    __m = __q1 * __d0;							\
    __r1 = __r1 * __ll_B | __ll_highpart (n0);				\
    if (__r1 < __m)							\
      {									\
	__q1--, __r1 += (d);						\
	if (__r1 >= (d)) /* i.e. we didn't get carry when adding to __r1 */\
	  if (__r1 < __m)						\
	    __q1--, __r1 += (d);					\
      }									\
    __r1 -= __m;							\
									\
    __q0 = __r1 / __d1;							\
    __r0 = __r1  - __q0 * __d1;						\
    __m = __q0 * __d0;							\
    __r0 = __r0 * __ll_B | __ll_lowpart (n0);				\
    if (__r0 < __m)							\
      {									\
	__q0--, __r0 += (d);						\
	if (__r0 >= (d))						\
	  if (__r0 < __m)						\
	    __q0--, __r0 += (d);					\
      }									\
    __r0 -= __m;							\
									\
    (q) = __q1 * __ll_B | __q0;						\
    (r) = __r0;								\
  } while (0)


static inline struct __mul64_double_result mul64_double(uint64_t x, uint64_t y)
{
  struct __mul64_double_result result;
  umul_ppmm (result.__field_1, result.__field_0, x, y);
  return result;
}

static inline uint64_t div64_2by1(uint64_t ul, uint64_t uh, uint64_t d)
{
  uint64_t q, r;
  __udiv_qrnnd_c (q, r, uh, ul, d);
  return q;
}

struct __add64_with_carry_result {
  uint64_t __field_0;
  uint64_t __field_1;
};

static inline struct __add64_with_carry_result
add64_with_carry(uint64_t x, uint64_t y, uint64_t c)
{
  struct __add64_with_carry_result result;
  uint64_t r = x + y + c;
  result.__field_0 = r;
  if (r == x) result.__field_1 = c;
  else result.__field_1 = (r < x);
  return result;
}

struct __sub64_with_borrow_result {
  uint64_t __field_0;
  uint64_t __field_1;
};

static inline struct __sub64_with_borrow_result
sub64_with_borrow(uint64_t x, uint64_t y, uint64_t b)
{
  struct __sub64_with_borrow_result result;
  uint64_t r = x - y - b;
  result.__field_0 = r;
  if (r > x) result.__field_1 = 1;
  else if (r == x) result.__field_1 = b;
  else result.__field_1 = 0;
  return result;
}

struct __add64_3_result {
  uint64_t __field_0;
  uint64_t __field_1;
};

static inline struct __add64_3_result
add64_3(uint64_t x, uint64_t y, uint64_t z)
{
  struct __add64_3_result result;
  uint64_t r, c1, c2;
  r = x + y;
  c1 = r < y;
  r += z;
  c2 = r < z;
  result.__field_1 = c1 + c2;
  result.__field_0 = r;
  return result;
}

struct __lsld64_result {
  uint64_t __field_0;
  uint64_t __field_1;
};

static inline struct __lsld64_result
lsld64(uint64_t x, uint64_t cnt)
{
  struct __lsld64_result result;
  result.__field_1 = x >> (64 - cnt);
  result.__field_0 = x << cnt;
  return result;
}


#define UINT64GMP_H_INCLUDED
#endif // UINT64GMP_H_INCLUDED
why3-1.6.0/examples/multiprecision/plots/000077500000000000000000000000001440160026300204315ustar00rootroot00000000000000why3-1.6.0/examples/multiprecision/plots/Makefile000066400000000000000000000003751440160026300220760ustar00rootroot00000000000000all:
	./divplot &
	./divrelative &
	./mulrelative &
	./addrelative &
	./addplot &
	./minidivrelative &
	./minimulrelative &
	./miniaddrelative &
#	./gmpdivplot &
#	./gmpmulplot &
#	./gmpaddplot &
	./toomrelative &
	./minitoomrelative &
	./powmrelative

why3-1.6.0/examples/multiprecision/plots/addplot000077500000000000000000000117651440160026300220200ustar00rootroot00000000000000#!/usr/bin/gnuplot -persist
#
#    
#    	G N U P L O T
#    	Version 5.0 patchlevel 5    last modified 2016-10-02
#    
#    	Copyright (C) 1986-1993, 1998, 2004, 2007-2016
#    	Thomas Williams, Colin Kelley and many others
#    
#    	gnuplot home:     http://www.gnuplot.info
#    	faq, bugs, etc:   type "help FAQ"
#    	immediate help:   type "help"  (plot window: hit 'h')
# set terminal wxt 0 enhanced
# set output
unset clip points
set clip one
unset clip two
set bar 1.000000 front
set border 31 front lt black linewidth 1.000 dashtype solid
set zdata 
set ydata 
set xdata 
set y2data 
set x2data 
set boxwidth
set style fill  empty border
set style rectangle back fc  bgnd fillstyle   solid 1.00 border lt -1
set style circle radius graph 0.02, first 0.00000, 0.00000 
set style ellipse size graph 0.05, 0.03, first 0.00000 angle 0 units xy
set dummy x, y
set format x "% h" 
set format y "% h" 
set format x2 "% h" 
set format y2 "% h" 
set format z "% h" 
set format cb "% h" 
set format r "% h" 
set timefmt "%d/%m/%y,%H:%M"
set angles radians
set tics back
unset grid
set raxis
set style parallel front  lt black linewidth 2.000 dashtype solid
set key title "" center
set key inside right top vertical Right noreverse enhanced autotitle nobox
set key noinvert samplen 4 spacing 1 width 0 height 0 
set key maxcolumns 0 maxrows 0
set key noopaque
unset label
unset arrow
set style increment default
unset style line
unset style arrow
set style histogram clustered gap 2 title textcolor lt -1
unset object
set style textbox transparent margins  1.0,  1.0 border
unset logscale
set offsets 0, 0, 0, 0
set pointsize 1
set pointintervalbox 1
set encoding default
unset polar
unset parametric
unset decimalsign
unset minussign
set view 60, 30, 1, 1
set samples 100, 100
set isosamples 10, 10
set surface 
unset contour
set cntrlabel  format '%8.3g' font '' start 5 interval 20
set mapping cartesian
set datafile separator whitespace
unset hidden3d
set cntrparam order 4
set cntrparam linear
set cntrparam levels auto 5
set cntrparam points 5
set size ratio 0 1,1
set origin 0,0
set style data points
set style function lines
unset xzeroaxis
unset yzeroaxis
unset zzeroaxis
unset x2zeroaxis
unset y2zeroaxis
set xyplane relative 0.5
set tics scale  1, 0.5, 1, 1, 1
set mxtics default
set mytics default
set mztics default
set mx2tics default
set my2tics default
set mcbtics default
set mrtics default
set xtics border in scale 1,0.5 mirror norotate  autojustify
set xtics  norangelimit autofreq 
set ytics border in scale 1,0.5 mirror norotate  autojustify
set ytics  norangelimit autofreq 
set ztics border in scale 1,0.5 nomirror norotate  autojustify
set ztics  norangelimit autofreq 
unset x2tics
unset y2tics
set cbtics border in scale 1,0.5 mirror norotate  autojustify
set cbtics  norangelimit autofreq 
set rtics axis in scale 1,0.5 nomirror norotate  autojustify
set rtics  norangelimit autofreq 
unset paxis 1 tics
unset paxis 2 tics
unset paxis 3 tics
unset paxis 4 tics
unset paxis 5 tics
unset paxis 6 tics
unset paxis 7 tics
set title "" 
set title  font "" norotate
set timestamp bottom 
set timestamp "" 
set timestamp  font "" norotate
set rrange [ * : * ] noreverse nowriteback
set trange [ * : * ] noreverse nowriteback
set urange [ * : * ] noreverse nowriteback
set vrange [ * : * ] noreverse nowriteback
set xlabel "" 
set xlabel  font "" textcolor lt -1 norotate
set x2label "" 
set x2label  font "" textcolor lt -1 norotate
set xrange [ * : * ] noreverse nowriteback
set x2range [ * : * ] noreverse nowriteback
set ylabel "" 
set ylabel  font "" textcolor lt -1 rotate by -270
set y2label "" 
set y2label  font "" textcolor lt -1 rotate by -270
set yrange [ * : * ] noreverse nowriteback
set y2range [ * : * ] noreverse nowriteback
set zlabel "" 
set zlabel  font "" textcolor lt -1 norotate
set zrange [ * : * ] noreverse nowriteback
set cblabel "" 
set cblabel  font "" textcolor lt -1 rotate by -270
set cbrange [ * : * ] noreverse nowriteback
set paxis 1 range [ * : * ] noreverse nowriteback
set paxis 2 range [ * : * ] noreverse nowriteback
set paxis 3 range [ * : * ] noreverse nowriteback
set paxis 4 range [ * : * ] noreverse nowriteback
set paxis 5 range [ * : * ] noreverse nowriteback
set paxis 6 range [ * : * ] noreverse nowriteback
set paxis 7 range [ * : * ] noreverse nowriteback
set zero 1e-08
set lmargin  -1
set bmargin  -1
set rmargin  -1
set tmargin  -1
set locale "fr_FR.UTF-8"
set pm3d explicit at s
set pm3d scansautomatic
set pm3d interpolate 1,1 flush begin noftriangles noborder corners2color mean
set palette positive nops_allcF maxcolors 0 gamma 1.5 color model RGB 
set palette rgbformulae 7, 5, 15
set colorbox default
set colorbox vertical origin screen 0.9, 0.2, 0 size screen 0.05, 0.6, 0 front  noinvert bdefault
set style boxplot candles range  1.50 outliers pt 7 separation 1 labels auto unsorted
set loadpath 
set fontpath 
set psdir
set fit brief errorvariables nocovariancevariables errorscaling prescale nowrap v5
GNUTERM = "wxt"
x = 0.0
## Last datafile plotted: "../bench/gmpadd"
splot "../bench/why3add", "../bench/gmpadd"
#    EOF
why3-1.6.0/examples/multiprecision/plots/addrelative000077500000000000000000000120441440160026300226440ustar00rootroot00000000000000#!/usr/bin/gnuplot -persist
#
#    
#    	G N U P L O T
#    	Version 5.0 patchlevel 5    last modified 2016-10-02
#    
#    	Copyright (C) 1986-1993, 1998, 2004, 2007-2016
#    	Thomas Williams, Colin Kelley and many others
#    
#    	gnuplot home:     http://www.gnuplot.info
#    	faq, bugs, etc:   type "help FAQ"
#    	immediate help:   type "help"  (plot window: hit 'h')
# set terminal wxt 0 enhanced
# set output
unset clip points
set clip one
unset clip two
set bar 1.000000 front
set border 31 front lt black linewidth 1.000 dashtype solid
set zdata 
set ydata 
set xdata 
set y2data 
set x2data 
set boxwidth
set style fill  empty border
set style rectangle back fc  bgnd fillstyle   solid 1.00 border lt -1
set style circle radius graph 0.02, first 0.00000, 0.00000 
set style ellipse size graph 0.05, 0.03, first 0.00000 angle 0 units xy
set dummy x, y
set format x "% h" 
set format y "% h" 
set format x2 "% h" 
set format y2 "% h" 
set format z "% h" 
set format cb "% h" 
set format r "% h" 
set timefmt "%d/%m/%y,%H:%M"
set angles radians
set tics back
unset grid
set raxis
set style parallel front  lt black linewidth 2.000 dashtype solid
set key title "" center
set key inside right top vertical Right noreverse enhanced autotitle nobox
set key noinvert samplen 4 spacing 1 width 0 height 0 
set key maxcolumns 0 maxrows 0
set key noopaque
unset label
unset arrow
set style increment default
unset style line
unset style arrow
set style histogram clustered gap 2 title textcolor lt -1
unset object
set style textbox transparent margins  1.0,  1.0 border
unset logscale
set offsets 0, 0, 0, 0
set pointsize 1
set pointintervalbox 1
set encoding default
unset polar
unset parametric
unset decimalsign
unset minussign
set view 60, 30, 1, 1
set samples 100, 100
set isosamples 10, 10
set surface 
unset contour
set cntrlabel  format '%8.3g' font '' start 5 interval 20
set mapping cartesian
set datafile separator whitespace
unset hidden3d
set cntrparam order 4
set cntrparam linear
set cntrparam levels auto 5
set cntrparam points 5
set size ratio 0 1,1
set origin 0,0
set style data points
set style function lines
unset xzeroaxis
unset yzeroaxis
unset zzeroaxis
unset x2zeroaxis
unset y2zeroaxis
set xyplane relative 0.5
set tics scale  1, 0.5, 1, 1, 1
set mxtics default
set mytics default
set mztics default
set mx2tics default
set my2tics default
set mcbtics default
set mrtics default
set xtics border in scale 1,0.5 mirror norotate  autojustify
set xtics  norangelimit autofreq 
set ytics border in scale 1,0.5 mirror norotate  autojustify
set ytics  norangelimit autofreq 
set ztics border in scale 1,0.5 nomirror norotate  autojustify
set ztics  norangelimit autofreq 
unset x2tics
unset y2tics
set cbtics border in scale 1,0.5 mirror norotate  autojustify
set cbtics  norangelimit autofreq 
set rtics axis in scale 1,0.5 nomirror norotate  autojustify
set rtics  norangelimit autofreq 
unset paxis 1 tics
unset paxis 2 tics
unset paxis 3 tics
unset paxis 4 tics
unset paxis 5 tics
unset paxis 6 tics
unset paxis 7 tics
set title "" 
set title  font "" norotate
set timestamp bottom 
set timestamp "" 
set timestamp  font "" norotate
set rrange [ * : * ] noreverse nowriteback
set trange [ * : * ] noreverse nowriteback
set urange [ * : * ] noreverse nowriteback
set vrange [ * : * ] noreverse nowriteback
set xlabel "" 
set xlabel  font "" textcolor lt -1 norotate
set x2label "" 
set x2label  font "" textcolor lt -1 norotate
set xrange [ * : * ] noreverse nowriteback
set x2range [ * : * ] noreverse nowriteback
set ylabel "" 
set ylabel  font "" textcolor lt -1 rotate by -270
set y2label "" 
set y2label  font "" textcolor lt -1 rotate by -270
set yrange [ * : * ] noreverse nowriteback
set y2range [ * : * ] noreverse nowriteback
set zlabel "" 
set zlabel  font "" textcolor lt -1 norotate
set zrange [ * : * ] noreverse nowriteback
set cblabel "" 
set cblabel  font "" textcolor lt -1 rotate by -270
set cbrange [ * : * ] noreverse nowriteback
set paxis 1 range [ * : * ] noreverse nowriteback
set paxis 2 range [ * : * ] noreverse nowriteback
set paxis 3 range [ * : * ] noreverse nowriteback
set paxis 4 range [ * : * ] noreverse nowriteback
set paxis 5 range [ * : * ] noreverse nowriteback
set paxis 6 range [ * : * ] noreverse nowriteback
set paxis 7 range [ * : * ] noreverse nowriteback
set zero 1e-08
set lmargin  -1
set bmargin  -1
set rmargin  -1
set tmargin  -1
set locale "fr_FR.UTF-8"
set pm3d explicit at s
set pm3d scansautomatic
set pm3d interpolate 1,1 flush begin noftriangles noborder corners2color mean
set palette positive nops_allcF maxcolors 0 gamma 1.5 color model RGB 
set palette rgbformulae 7, 5, 15
set colorbox default
set colorbox vertical origin screen 0.9, 0.2, 0 size screen 0.05, 0.6, 0 front  noinvert bdefault
set style boxplot candles range  1.50 outliers pt 7 separation 1 labels auto unsorted
set loadpath 
set fontpath 
set psdir
set fit brief errorvariables nocovariancevariables errorscaling prescale nowrap v5
GNUTERM = "wxt"
x = 0.0
## Last datafile plotted: " 0 then pow_1 (k-1) in
    let hm = div (m+1) 2 in
    assert { mod (2 * hm) m = 1
             by 2 * hm = m + 1
             so mod (2 * hm) m = mod (m * 1 + 1) m = 1 };
    let hm64 = power hm 64 in
    mod_pow (2*hm) 1 64 m;
    pow_1 64;
    assert { mod (radix * hm64) m = 1
             by radix * hm64 = (power 2 64) * (power hm 64) = power (2 * hm) 64
             so mod (power 1 64) m = mod 1 m = 1 };
    let hm64n = power hm64 n in
    mod_pow (radix * hm64) 1 n m;
    pow_1 n;
    assert { mod ((power radix n) * hm64n) m = 1
             by power radix n * hm64n = power (radix * hm64) n
             so mod (power 1 n) m = mod 1 m = 1 };
    unredc_inv u1 ur u2 n m hm64n

  meta remove_prop axiom unredc_inv
  meta remove_prop axiom unredc

  let wmpn_redc_1 (rp up mp : t) (n: int32) (invm : limb)
    requires { n > 0 }
    requires { valid mp n /\ valid up (2 * n) /\ valid rp n }
    requires { odd (value mp n) }
    requires { mod ((value mp n) * invm) radix = radix - 1 }
    requires { writable up }
    requires { writable rp }
    ensures  { redc (value (old up) (2*n)) (value rp n) n (value mp n) }
    ensures  { forall j. j < offset rp \/ j >= offset rp + n
                         -> (pelts rp)[j] = (pelts (old rp))[j] }
    ensures  { value (old up) (2*n) < power radix n * value mp n
               -> value rp n < 2 * value mp n }
  =
    label Start in
    let ref cy = 0 in
    let ref u = C.incr up 0 in
    let ghost vm = value mp (int32'int n) in
    value_sub_head (pelts mp) (offset mp) (offset mp + int32'int n);
    assert { mod ((pelts mp)[offset mp] * invm) radix = radix - 1
             by radix - 1 = mod (vm * invm) radix
                = mod (radix *
                   (value_sub (pelts mp) (offset mp + 1) (offset mp + n) * invm)
                       + (pelts mp)[offset mp] * invm) radix
                = mod ((pelts mp)[offset mp] * invm) radix };
    let ghost ref added : int = 0 in
    for j = 0 to n-1 do
      invariant { offset u = offset up + j }
      invariant { pelts u = pelts up }
      invariant { u.min = up.min }
      invariant { u.max = up.max }
      invariant { plength u = plength up }
      invariant { writable u }
      (*invariant { mod (value u n + value up j) (power radix j) = 0 }*)
      invariant { power radix j * value u (n+n-j) + power radix n * value up j
                  = value (old up) (n+n) + vm * added }
      invariant { 0 <= added < power radix j }
      invariant { mod (power radix j * value u (n + n - j)
                      + power radix n * value up j) vm =
                  mod (value (old up) (n+n)) vm }
      let m = mul_mod (C.get u) invm in
      let ghost nnj = n + n - j in
      let ghost m0 = uint64'int (pelts mp)[offset mp] in
      let ghost u0 = uint64'int (pelts u)[offset u] in
      mod_mul (uint64'int m) (u0 * uint64'int invm) m0 m0 radix;
      assert { mod (m * m0) radix
               = mod ((u0 * invm) * m0) radix };
      assert { mod ((u0 * invm) * m0) radix
               = mod (- u0) radix
               by let d = div (invm * m0) radix in
                  invm * m0 = d * radix + radix - 1
               so mod ((u0 * invm) * m0) radix
                  = mod (u0 * (d * radix + radix - 1)) radix
                  = mod (radix * (u0 * d + u0) - u0) radix
                  = mod (- u0) radix };
      assert { mod (u0 + m * m0) radix = 0
               by mod (m * m0) radix
                  = mod (- u0) radix
               so let dm = div (m * m0) radix in
                  let du = div (-u0) radix in
                  m * m0 = - u0 + radix * (dm - du)
               so mod (u0 + m * m0) radix = mod (radix * (dm - du) + 0) radix
                  = 0 };
      label Addmul in
      let ghost oup = pure { up } in
      value_sub_head (pelts u) (offset u) (offset u + int32'int nnj);
      assert { u0 = mod (value u nnj) radix
               by value u nnj = radix *
                   (value_sub (pelts u) (offset u + 1) (offset u + nnj)) + u0 };
      value_concat u n nnj;
      cy <- wmpn_addmul_1 u mp n m;
      value_concat u n nnj;
      value_sub_frame (pelts up) (pelts oup) (offset u + int32'int n)
                                           (offset u + int32'int nnj);
      assert { value u nnj + power radix n * cy = value u nnj at Addmul + vm * m
               by value_sub (pelts u) (offset u + n) (offset u + nnj)
                  = value_sub (pelts u) (offset u + n) (offset u + nnj)
                    at Addmul
               so value u nnj = value u n + power radix n * value_sub (pelts u)
                                                (offset u + n) (offset u + nnj)
               so value u nnj at Addmul
                  = value u n at Addmul
                    + power radix n * value_sub (pelts u)
                                        (offset u + n) (offset u + nnj) };
      value_sub_head (pelts u) (offset u) (offset u + int32'int nnj);
      value_sub_head (pelts mp) (offset mp) (offset mp + int32'int n);
      assert { vm = m0 + radix * value_sub (pelts mp) (offset mp + 1)
                                                      (offset mp + n) };
      assert { (pelts u)[offset u] = 0
                by value u nnj = radix * (value_sub (pelts u) (offset u + 1)
                                                  (offset u + nnj))
                                 + (pelts u)[offset u]
                so (pelts u)[offset u] = mod (value u nnj) radix
                so value u nnj = value u nnj at Addmul + m * vm
                               - power radix n * cy
                             = radix * (power radix (n-1) *(- cy))
                               + (value u nnj at Addmul + m * vm)
                so mod (m * vm) radix
                   = mod (radix * m * value_sub (pelts mp) (offset mp + 1)
                                                           (offset mp + n)
                          + m * m0) radix
                   = mod (m * m0) radix
                so mod (value u nnj) radix
                   = mod (radix * (power radix (n-1) *(- cy))
                          + (value u nnj at Addmul + m * vm)) radix
                   = mod (value u nnj at Addmul + m * vm) radix
                   = mod (mod (value u nnj at Addmul) radix
                          + mod (m * vm) radix)radix
                   = mod (u0 + mod (m * m0) radix) radix
                   = mod (mod u0 radix + mod (m * m0) radix) radix
                   = mod (mod (u0 + m * m0) radix) radix
                   = 0 };
      value_sub_head (pelts u) (offset u) (offset u + int32'int nnj);
      assert { value u nnj = radix * value_sub (pelts u) (offset u + 1)
                                                       (offset u + nnj) };
      value_sub_frame (pelts up) (pelts oup) (offset up)
                               (offset up + int32'int j);
      assert { value up j = value up j at Addmul };
      label Carry in
      value_sub_update_no_change (pelts up) (up.offset + int32'int j) up.offset
                                            (up.offset + int32'int j) cy;
      value_sub_update_no_change (pelts up) (up.offset + int32'int j)
                                        (up.offset + int32'int j + 1)
                                      (up.offset + int32'int nnj) cy;
      C.set u cy;
      added <- added + uint64'int m * power radix (int32'int j);
      assert { added < power radix (j+1)
               by m <= radix - 1
               so added at Carry < power radix j
               so added <= added at Carry + (radix - 1) * power radix j
                  < power radix j + (radix - 1) * power radix j
                  = radix * power radix j = power radix (j+1) };
      value_tail up j;
      assert { value up (j+1) = value up j at Addmul + power radix j * cy };
      label Incr in
      u <- C.incr u 1;
      assert { radix * value u (n + n - (j + 1))
               = radix * (value_sub (pelts u) (offset u + 1)
                                   (offset u + nnj) at Incr)
               = radix * (value_sub (pelts u) (offset u + 1)
                                   (offset u + nnj) at Carry)
               = value (u at Carry) nnj };
      assert {  power radix (j+1) * value u (n + n - (j + 1))
                 + power radix n * value up (j+1)
               = vm * (power radix j * m)
                   + ((power radix j * value u nnj + power radix n * value up j)
                    at Addmul)
               by
               power radix (j+1) * value u (n + n - (j + 1))
                 + power radix n * value up (j+1)
               = power radix j * (radix * value u (n + n - (j + 1)))
                 + power radix n * value up (j+1)
               = power radix j * (value u nnj at Addmul + vm * m
                                 - power radix n * cy)
                 + power radix n * (value up j at Addmul + power radix j * cy)
               = (power radix j * value u nnj + power radix n * value up j)
                    at Addmul
                 + vm * (power radix j * m) };
      assert { 0 <= added
               by 0 <= added at Carry so 0 <= m
               so 0 <= m * power radix j };
      assert { mod (power radix (j+1) * value u (n + n - (j + 1))
                    + power radix n * value up (j+1)) vm
               = mod (vm * (power radix j * m)
                      + ((power radix j * value u nnj
                        + power radix n * value up j) at Addmul)) vm
               = mod (power radix j * value u nnj
                      + power radix n * value up j) vm at Addmul };
    done;
    let u' = C.incr u (-n) in
    assert { pelts u' = pelts up /\ offset u' = offset up };
    cy <- wmpn_add_n rp u (C.incr u (-n)) n;
    assert { mod (power radix n * (value rp n + power radix n * cy)) vm
             = mod (value (old up) (n+n)) vm
             by power radix n * (value rp n + power radix n * cy)
                = power radix n * value u n + power radix n * value up n
             so mod (power radix n * value u n + power radix n * value up n) vm
                = mod (value (old up) (n+n)) vm };
    assert { redc (value (old up) (2 * n))
                  (value rp n + power radix n * cy)
                  n vm };
    assert { power radix n * (value rp n + power radix n * cy)
             = value (old up) (2*n) + vm * added };
    assert { value rp n + power radix n * cy < vm + power radix n
             by value (old up) (2 * n) < power radix n * power radix n
             so added < power radix n
             so vm * added < vm * power radix n
             so power radix n * (value rp n + power radix n * cy)
                = value (old up) (2 * n) + vm * added
                < power radix n * power radix n + vm * power radix n
                = power radix n * (vm + power radix n) };
    assert { value (old up) (2 * n) < power radix n * vm
             -> (value rp n + power radix n * cy < 2 * vm)
             by value (old up) (2 * n) < power radix n * vm
             so added < power radix n
             so vm * added < vm * power radix n
             so power radix n * (value rp n + power radix n * cy)
                = value (old up) (2 * n) + vm * added
                < vm * power radix n + vm * power radix n
                = power radix n * (2 * vm) };
    label Sub in
    begin
      ensures { mod (value rp n) vm
                = old mod (value rp n + power radix n * cy) vm }
      ensures { forall j. j < offset rp \/ j >= offset rp + n
                           -> (pelts rp)[j] = (pelts (old rp))[j] }
      ensures { value (up at Start) (2 * n) < power radix n * vm
                -> (value rp n < 2 * vm) }
    if cy <> 0
    then begin
      assert { cy = 1 };
      let ghost b = wmpn_sub_n_in_place rp mp n in
      assert { value rp n + power radix n * (cy - b)
               = (value rp n at Sub + power radix n * cy) - vm };
      assert { b = 1
               by value rp n + power radix n * (cy - b)
               = (value rp n at Sub + power radix n * cy) - vm
               < power radix n
               so cy - b < 1 };
      assert { mod (value rp n) vm
               = mod (value rp n at Sub + power radix n * cy) vm
               by value rp n = (value rp n at Sub + power radix n * cy) - vm
               so mod (value rp n) vm
                  = mod (vm * -1 + (value rp n at Sub + power radix n * cy)) vm
                  = mod (value rp n at Sub + power radix n * cy) vm }
      end
    end;
    assert { mod (power radix n * value rp n) vm
             = mod (power radix n * (value rp n at Sub + power radix n * cy))
                   vm };
    assert { redc (value (old up) (2 * n))
                  (value rp n) n vm }

  (* TODO table like sqrt1 *)
  val binvert_limb_table (n:limb) : limb
    requires { 0 <= n < 128 }
    ensures { 0 <= result < 256 }
    ensures { mod (result * (2 * n + 1)) (power 2 8) = 1 }

  let binvert_limb (n:limb) : limb
    requires { odd n }
    ensures { mod (result * n) radix = 1 }
  =
    let lemma double_prec (n inv:int) (prec:int)
      requires { 0 <= n /\ 0 <= inv }
      requires { mod (inv * n) (power 2 prec) = 1 }
      requires { 0 <= 2 * prec <= Limb.length }
      ensures  { let inv' = mod (2 * inv - inv * (inv * n)) radix in
                 mod (inv' * n) (power 2 (2 * prec)) = 1 }
    =
      let d = div (inv * n) (power 2 prec) in
      assert { inv * n = d * power 2 prec + 1 };
      let inv' = 2 * inv - inv * (inv * n) in
      assert { inv' = 2 * inv - inv * (d * power 2 prec + 1)
                    = inv * (1 - d * power 2 prec) };
      assert { inv' * n = inv * n * (1 - d * power 2 prec)
                 = (d * power 2 prec + 1) * (1 - d * power 2 prec)
                 = 1 - d * d * (power 2 prec * power 2 prec)
                 = 1 - d * d * (power 2 (2 * prec))
                 = power 2 (2 * prec) * (-1 * d * d) + 1 };
      assert { mod (inv' * n) (power 2 (2 * prec)) = 1
               by mod (inv' * n) (power 2 (2 * prec))
                  = mod (power 2 (2 * prec) * (-1 * d * d) + 1)
                    (power 2 (2 * prec))
                  = 1};
      let inv'' = mod inv' radix in
      let d' = div inv' radix in
      assert { inv' = d' * radix + inv''
                    = d' * power 2 Limb.length + inv''
                    = d' * (power 2 (Limb.length - 2 * prec)
                        * power 2 (2 * prec))
                      + inv'' };
      assert { mod (inv' * n) (power 2 (2 * prec))
               = mod (inv'' * n) (power 2 (2 * prec))
               by mod (inv' * n) (power 2 (2 * prec))
                  = mod (power 2 (2 * prec)
                         * ((d' * power 2 (Limb.length - 2 * prec)) * n)
                         + inv'' * n) (power 2 (2 * prec))
                  = mod (inv'' * n) (power 2 (2 * prec)) }
    in
    let h = (n/2) % 128 in
    assert { power 2 8 = 256
             by power 2 2 = 4
             so power 2 4 = 16
             so power 2 8 = power 2 4 * power 2 4 };
    assert { 2 * h + 1 = mod n 256 };
    let ref inv = binvert_limb_table h in
    assert { mod (inv * n) (power 2 8) = 1 };
    label P8 in
    double_prec (uint64'int n) (uint64'int inv) 8;
    inv <- sub_mod (mul_mod 2 inv) (mul_mod inv (mul_mod inv n));
    assert { inv =
             mod (2 * (inv at P8) - (inv at P8) * ((inv at P8) * n)) radix
             by mod (2 * (inv at P8) - (inv at P8) * ((inv at P8) * n)) radix
                = mod (mod (2 * (inv at P8)) radix
                      - mod ((inv at P8) * ((inv at P8) * n)) radix) radix
                = mod (mod (2 * (inv at P8)) radix
                      - mod ((inv at P8) * mod ((inv at P8) * n) radix) radix)
                      radix
                = inv };
    assert { mod (inv * n) (power 2 16) = 1 };
    label P16 in
    double_prec (uint64'int n) (uint64'int inv) 16;
    inv <- sub_mod (mul_mod 2 inv) (mul_mod inv (mul_mod inv n));
    assert { inv =
             mod (2 * (inv at P16) - (inv at P16) * ((inv at P16) * n)) radix
             by mod (2 * (inv at P16) - (inv at P16) * ((inv at P16) * n)) radix
                = mod (mod (2 * (inv at P16)) radix
                      - mod ((inv at P16) * ((inv at P16) * n)) radix) radix
                = mod (mod (2 * (inv at P16)) radix
                      - mod ((inv at P16) * mod ((inv at P16) * n) radix) radix)
                      radix
                = inv };
    assert { mod (inv * n) (power 2 32) = 1 };
    label P32 in
    double_prec (uint64'int n) (uint64'int inv) 32;
    inv <- sub_mod (mul_mod 2 inv) (mul_mod inv (mul_mod inv n));
    assert { inv =
             mod (2 * (inv at P32) - (inv at P32) * ((inv at P32) * n)) radix
             by mod (2 * (inv at P32) - (inv at P32) * ((inv at P32) * n)) radix
                = mod (mod (2 * (inv at P32)) radix
                      - mod ((inv at P32) * ((inv at P32) * n)) radix) radix
                = mod (mod (2 * (inv at P32)) radix
                      - mod ((inv at P32) * mod ((inv at P32) * n) radix) radix)
                      radix
                = inv };
    assert { mod (inv * n) (power 2 64) = 1 };
    inv

  (* TODO rewrite this with array literal once they exist *)
  let win_size [@extraction:c_static_inline] (eb:int32) : int32
    ensures { 0 <= result <= 10 }
    ensures { eb > 0 -> result > 0 }
  = if eb = 0 then 0
    else if eb <= 7 then 1
    else if eb <= 25 then 2
    else if eb <= 81 then 3
    else if eb <= 214 then 4
    else if eb <= 673 then 5
    else if eb <= 1793 then 6
    else if eb <= 4609 then 7
    else if eb <= 11521 then 8
    else if eb <= 28161 then 9
    else 10

  let redcify [@extraction:c_static_inline]
              (rp up: t) (un: int32) (mp: t) (n: int32)
    requires { valid rp n /\ valid up un /\ valid mp n }
    requires { 1 <= n /\ 1 <= un }
    requires { un + n < max_int32 }
    requires { (pelts mp)[offset mp + n - 1] > 0 }
    requires { writable rp }
    ensures { value rp n = mod (power radix n * value up un) (value mp n) }
    ensures { redc (value rp n) (value up un) n (value mp n) }
  =
    let tp = salloc (UInt32.of_int32 (un + n)) in
    let qp = salloc (UInt32.of_int32 (un + 1)) in
    wmpn_zero tp n;
    label Copy in
    wmpn_copyi (C.incr tp n) up un;
    value_concat tp n (un+n);
    value_sub_frame (pelts tp) (pure { pelts tp at Copy })
                    (offset tp) (offset tp + int32'int n);
    assert { value tp (un + n) = power radix n * value up un };
    wmpn_tdiv_qr qp rp 0 tp (un+n) mp n;
    assert { mod (power radix n * value up un) (value mp n)
             = mod (value tp (un + n)) (value mp n)
             = mod (value rp n) (value mp n)
             by value tp (un + n) = value mp n * value qp (un + 1)
                                    + value rp n };
    assert { 0 <= value rp n < value mp n };
    assert { mod (value rp n) (value mp n) = value rp n };

  function valueb (p:t) (nbits:int) : int
  =
    if nbits < 0 then 0 else
    let i = div nbits 64 in
    value p i
      + power radix i * mod ((pelts p)[offset p + i]) (power 2 (nbits - 64*i))

  let lemma valueb_lower_bound (p:t) (nbits:int)
    ensures { 0 <= valueb p nbits }
  = if nbits < 0 then ()
    else
      let i = div nbits 64 in
      value_sub_lower_bound (pelts p) (offset p) (offset p + i)

  let lemma valueb_upper_bound (p:t) (nbits:int)
    requires { 0 <= nbits }
    ensures { valueb p nbits < power 2 nbits }
  = if nbits < 0 then ()
    else
      let i = div nbits 64 in
      value_sub_upper_bound (pelts p) (offset p) (offset p + i);
      assert { valueb p nbits < power 2 nbits
               by valueb p nbits
                  = value p i
                    + power radix i
                      * mod ((pelts p)[offset p + i]) (power 2 (nbits - 64*i))
               so power radix i = power 2 (64 * i)
               so mod ((pelts p)[offset p + i]) (power 2 (nbits - 64*i))
                  <= power 2 (nbits - 64 * i) - 1
               so value p i < power 2 (64 * i)
               so valueb p nbits < power 2 (64 * i)
                                   * (1 + power 2 (nbits - 64 * i) - 1)
                                 = power 2 (64 * i + (nbits - 64 * i))
                                 = power 2 nbits }

  let getbit [@extraction:c_static_inline] (p:t) (ghost pn:int32) (bi:int32) : limb
    requires { valid p pn }
    requires { 1 <= bi }
    requires { pn >= (div (bi + 63) 64) }
    ensures  { 0 <= result <= 1 }
    ensures  { result = mod (div (value p pn) (power 2 (bi-1))) 2 }
    ensures  { valueb p bi = valueb p (bi-1) + power 2 (bi-1) * result }
  =
    let i = Int32.(/) (bi - 1) 64 in
    let mi = Limb.of_int32 (bi - 1) % 64 in
    assert { bi - 1 = 64 * i + mi };
    let lp = C.get_ofs p i in
    value_concat p i (i+1);
    value_concat p (i+1) pn;
    let ghost p' = C.incr p (i+1) in
    assert { value p pn = value p i + power radix i * lp
             + power radix (i+1) * value p' (pn - (i+1)) };
    let lps = lsr_mod lp mi in
    let ghost lpm = mod (uint64'int lp) (power 2 (uint64'int mi)) in
    assert { lp = lpm + power 2 mi * lps };
    assert { power radix i * power 2 mi = power 2 (bi-1)
             by power radix i = power (power 2 64) i = power 2 (64 * i)
             so power radix i * power 2 mi = power 2 (64 * i + mi) };
    assert { value p pn = value p i + power radix i * lpm + power 2 (bi-1) * lps
                          + power radix (i + 1) * value p' (pn - (i+1)) };
    assert { valueb p (bi-1) = value p i + power radix i * lpm
             by valueb p (bi-1)
                = value p i + power radix i
                  * mod ((pelts p)[offset p + i]) (power 2 (bi - 1 - 64 * i))
                = value p i + power radix i * lpm };
    let ghost res = lps % 2 in
    assert { value p pn = valueb p (bi-1) + power 2 (bi-1) * lps
                          + power radix (i+1) * value p' (pn - (i+1)) };
    let ghost dps = div (uint64'int lps) 2 in
    assert { lps = res + 2 * dps };
    assert { valueb p bi = valueb p (bi-1) + power 2 (bi-1) * res
             by bi = 64 * i + (mi+1)
             so (valueb p bi
                = value p i + power radix i * mod lp (power 2 (mi+1))
                by
                if mi < 63
                then
                  div bi 64 = i && mod bi 64 = mi + 1
                  so valueb p bi
                  = value p i + power radix i
                    * mod ((pelts p)[offset p + i]) (power 2 (bi - 64 * i))
                  = value p i + power radix i * mod lp (power 2 (bi - 64 * i))
                  = value p i + power radix i * mod lp (power 2 (mi+1))
                else
                  mi = 63
                  so div bi 64 = (i+1) && mod bi 64 = 0
                  so valueb p bi
                     = value p (i+1)
                       + power radix (i+1) *
                         mod ((pelts p)[offset p + i + 1]) (power 2 0)
                     = value p (i+1)
                  so mod lp (power 2 (mi+1))
                     = mod lp (power 2 64) = mod lp radix = lp
                  so value p (i+1) = value p i
                     + power radix i * mod lp (power 2 (mi + 1)))
             so lp = lpm + power 2 mi * (res + 2 * dps)
                   = power 2 (mi+1) * dps + lpm + power 2 mi * res
             so (0 <= lpm + power 2 mi * res < power 2 (mi+1)
                 by 0 <= lpm < power 2 mi
                 so 0 <= res <= 1
                 so 0 <= power 2 mi * res <= power 2 mi
                 so 0 <= lpm + power 2 mi * res < power 2 mi + power 2 mi
                      = power 2 (mi+1))
             so mod lp (power 2 (mi + 1))
                = mod (power 2 (mi + 1) * dps + (lpm + power 2 mi * res))
                      (power 2 (mi + 1))
                = mod (lpm + power 2 mi * res) (power 2 (mi + 1))
                = lpm + power 2 mi * res };
    assert { power radix (i+1) = power 2 (bi-1) * 2 * power 2 (64 - mi - 1)
             by power 2 (bi - 1) = power radix i * power 2 mi
             so power 2 (bi - 1) * 2 * power 2 (64 -  mi - 1)
                = power radix i * power 2 mi * power 2 1 * power 2 (64 - mi - 1)
                = power radix i * (power 2 (mi + 1) * power 2 (64 - mi - 1))
                = power radix i * power 2 (mi + 1 + (64 - mi - 1))
                = power radix i * power 2 64
                = power radix i * radix = power radix (i+1) };
    let ghost d = dps + power 2 (64 - uint64'int mi - 1)
                  * value p' (int32'int pn - (int32'int i+1)) in
    assert { value p pn = power 2 (bi-1) * (res + 2 * d) + valueb p (bi-1)
             by power 2 (bi - 1) * 2 = power 2 bi
             so power 2 (bi - 1) * lps
                = power 2 (bi - 1) * (res + 2 * dps)
             so value p pn
             = valueb p (bi-1) + power 2 (bi-1) * (res + 2 * dps)
                          + power radix (i+1) * value p' (pn - (i+1))
             = valueb p (bi-1) + power 2 (bi-1) * (res + 2 * dps)
               + power 2 (bi-1) * (2 * power 2 (64 - mi - 1)
                                * value p' (pn - (i+1)))
             = power 2 (bi-1) * (res + 2 * d) + valueb p (bi-1) };
    assert { mod (value p pn) (power 2 (bi-1))
             = mod (valueb p (bi-1)) (power 2 (bi-1))
             = valueb p (bi-1) };
    assert { div (value p pn) (power 2 (bi-1)) = res + 2 * d
             by valueb p (bi - 1) = mod (value p pn) (power 2 (bi-1))
             so power 2 (bi - 1) * div (value p pn) (power 2 (bi - 1))
                  + mod (value p pn) (power 2 (bi - 1))
                = value p pn
                = power 2 (bi - 1) * (res + 2 * d) + valueb p (bi - 1)
             so power 2 (bi - 1) * (res + 2 * d)
                = power 2 (bi - 1) * (div (value p pn) (power 2 (bi-1)))};
    assert { mod (div (value p pn) (power 2 (bi-1))) 2
             = mod (2 * d + res) 2 = mod res 2 = res };
    lps % 2

  let getbits [@extraction:c_static_inline] (p: t) (ghost pn: int32) (bi:int32)
                                                           (nbits:int32) : limb
    requires { 1 <= nbits < 64 }
    requires { 0 <= bi }
    requires { 1 <= pn }
    requires { valid p pn }
    requires { pn >= (div (bi + 63) 64) }
    ensures  { nbits <= bi ->
                 valueb p bi = valueb p (bi - nbits)
                                    + power 2 (bi - nbits) * result }
    ensures  { bi < nbits -> valueb p bi = result }
    ensures  { 0 <= result < power 2 nbits }
    ensures  { result = mod (div (value p pn) (power 2 (bi - nbits)))
                                                      (power 2 nbits)  }
  =
    if bi < nbits
    then (C.get p) % (lsl 1 (Limb.of_int32 bi))
    else
      let ghost obi = bi in
      label Start in
      let ref bi = bi - nbits in
      let ghost bni = bi in
      assert { bni = obi - nbits };
      let ref i = bi / 64 in
      bi <- bi % 64;
      assert { i < pn };
      let pr = get_ofs p i in
      let ghost p' = C.incr p (i+1) in
      value_concat p i (i+1);
      value_concat p (i+1) pn;
      assert { value p pn = value p i + power radix i * pr
               + power radix (i+1) * value p' (pn - (i+1)) };
      let ref r = lsr_mod pr (Limb.of_int32 bi) in
      let ghost prm = mod (uint64'int pr) (power 2 (int32'int bi)) in
      assert { pr = prm + power 2 bi * r };
      let nbits_in_r = 64 - bi in
      assert { radix = power 2 nbits_in_r * power 2 bi
               by radix = power 2 64 = power 2 (nbits_in_r + bi)};
      assert { r < power 2 nbits_in_r
               by r = div pr (power 2 bi)
               so r * power 2 bi <= pr
                  < power 2 64
                  = power 2 (nbits_in_r + bi)
                  = power 2 nbits_in_r * power 2 bi
                so r * power 2 bi < power 2 nbits_in_r * power 2 bi};
      assert { power radix i * power 2 bi = power 2 bni
               by power radix i = power (power 2 64) i = power 2 (64 * i)
               so power radix i * power 2 bi = power 2 (64 * i + bi)
                  = power 2 bni };
      assert { value p pn = value p i + power radix i * prm + power 2 bni * r
                            + power radix (i+1) * value p' (pn - (i+1)) };
      assert { valueb p bni = value p i + power radix i * prm
               by valueb p bni
                  = value p i + power radix i
                      * mod ((pelts p)[offset p + i]) (power 2 (bni - 64 * i))
                  = value p i + power radix i * prm };
      if nbits_in_r < nbits
      then begin
        assert { i + 1 < pn
                 by obi
                    = 64 * i + bi + nbits
                    > 64 * i + bi + 64 - bi
                    = 64 * (i+1)
                 so (obi + 63) >= 64 * (i+1) + 64 = 64 * (i+2)
                 so pn >= div (obi + 63) 64 >= i+2 };
        let pr' = get_ofs p (i+1) in
        let prs = lsl_mod_ext pr' (Limb.of_int32 nbits_in_r) in
        let ghost p'' = C.incr p (i+2) in
        value_concat p (i+1) (i+2);
        value_concat p (i+2) pn;
        assert { value p pn
                 = value p i + power radix i * prm + power 2 bni * r
                   + power radix (i+1) * pr'
                   + power radix (i+2) * value p'' (pn - (i+2))
                 by value p pn
                    = value p i + power radix i * prm + power 2 bni * r
                      + power radix (i+1) * value p' (pn - (i+1))
                 so value p' (pn - (i+1))
                    = pr' + radix * value p'' (pn - (i+2)) };
        let ghost prd = div ((power 2 (int32'int nbits_in_r)) * uint64'int pr')
                            radix in
        assert { power 2 nbits_in_r * pr' = radix * prd + prs };
        assert { radix * pr' =  radix * (power 2 bi * prd) + power 2 bi * prs
                 by radix * pr'
                 = power 2 bi * power 2 nbits_in_r * pr'
                 = radix * (power 2 bi * prd) + power 2 bi * prs };
        assert { power radix (i+1) * pr'
                 = power radix (i+1) * (power 2 bi * prd)
                   + power 2 bni * prs
                 by power radix (i+1) = radix * power radix i
                 so power radix (i+1) * pr'
                 = radix * power radix i * pr'
                 = power radix i * (radix * pr')
                 = power radix i * radix * power 2 bi * prd
                   + power radix i * power 2 bi * prs
                 = power radix (i+1) * (power 2 bi * prd)
                   + power radix i * power 2 bi * prs
                 = power radix (i+1) * (power 2 bi * prd)
                   + power 2 bni * prs };
        assert { value p pn
                 = value p i + power radix i * prm
                   + power 2 bni * (r + prs)
                   + power radix (i+1) * (power 2 bi * prd)
                   + power radix (i+2) * value p'' (pn - (i+2)) };
        let ghost or = pure { r } in
        r <- r + prs;
        let ghost res = pure { mod r (power 2 (int32'int nbits)) } in
        let ghost drs = pure { div r (power 2 (int32'int nbits)) } in
        assert { r = res + power 2 nbits * drs };
        assert { power radix (i+1) = power 2 bni * power 2 nbits_in_r
                 by power radix (i+1) = power radix i * radix
                    = power radix i * power 2 bi * power 2 nbits_in_r
                    = power 2 bni * power 2 nbits_in_r };
        assert { valueb p obi
                 = valueb p bni + power 2 bni * res
                 by bni = 64 * i + bi
                 so obi = bni + nbits > bni + 64 - bi = 64 * (i+1)
                 so div obi 64 = i+1
                 so obi - 64 * (i+1)
                    = 64 *i + bi + nbits - 64 * (i+1)
                    = bi + nbits - 64
                    = nbits - nbits_in_r
                 so valueb p obi
                     = value p (i+1)
                       + power radix (i+1)
                         * mod ((pelts p)[offset p + (i+1)])
                               (power 2 (obi - (64 * (i+1))))
                     = value p (i+1)
                       + power radix (i+1)
                         * mod pr' (power 2 (nbits - nbits_in_r))
                 so value p (i+1) = value p i + power radix i * pr
                    = value p i + power radix i * (prm + power 2 bi * or)
                    = valueb p bni + power 2 bni * or
                 so valueb p obi
                    = valueb p bni
                      + power 2 bni * or
                      + power 2 bni * power 2 nbits_in_r
                        * mod pr' (power 2 (nbits - nbits_in_r))
                 so power 2 nbits_in_r * power 2 (nbits - nbits_in_r)
                    = power 2 nbits
                 so power 2 nbits_in_r * mod pr' (power 2 (nbits - nbits_in_r))
                    = mod (pr' * power 2 nbits_in_r)
                          (power 2 (nbits - nbits_in_r) * power 2 nbits_in_r)
                    = mod (power 2 nbits_in_r * pr') (power 2 nbits)
                    = mod (radix * prd + prs) (power 2 nbits)
                 so radix * prd = power 2 64 * prd
                    = power 2 nbits * power 2 (64 - nbits) * prd
                 so mod (radix * prd + prs) (power 2 nbits)
                    = mod (power 2 nbits * (power 2 (64 - nbits) * prd) + prs)
                          (power 2 nbits)
                    = mod prs (power 2 nbits)
                 so valueb p obi
                    = valueb p bni
                      + power 2 bni * (or + mod prs (power 2 nbits))
                 so prs <= radix - power 2 nbits_in_r
                (* so radix = power 2 nbits_in_r * power 2 bi *)
                 so prs = power 2 nbits_in_r * pr' - radix * prd
                         = power 2 nbits_in_r * (pr' - power 2 bi * prd) + 0
                 so mod prs (power 2 nbits_in_r) = mod 0 (power 2 nbits_in_r)
                    = 0
                 so (mod prs (power 2 nbits)
                     <= power 2 nbits - power 2 (nbits_in_r)
                    by let nbr = nbits - nbits_in_r in
                       let k = div prs (power 2 nbits_in_r) in
                       power 2 nbits = power 2 (nbr + nbits_in_r)
                       = power 2 nbr * power 2 nbits_in_r
                    so prs = k * power 2 nbits_in_r
                    so mod prs (power 2 nbits)
                       = mod (k * power 2 nbits_in_r)
                             (power 2 nbr * power 2 nbits_in_r)
                       = power 2 nbits_in_r * (mod k (power 2 nbr))
                    so mod k (power 2 nbr) <= power 2 nbr - 1
                    so mod prs (power 2 nbits)
                       <= (power 2 nbits_in_r) * (power 2 nbr - 1)
                       = power 2 nbits - power 2 nbits_in_r)
                 so or < power 2 nbits_in_r < power 2 nbits
                 so mod or (power 2 nbits) = or
                 so mod or (power 2 nbits) + mod prs (power 2 nbits)
                    < power 2 nbits_in_r + (power 2 nbits - power 2 nbits_in_r)
                    <= power 2 nbits
                 so mod or (power 2 nbits) + mod prs (power 2 nbits)
                    = mod (mod or (power 2 nbits) + mod prs (power 2 nbits))
                          (power 2 nbits)
                    = mod (or + prs) (power 2 nbits)
                    = mod r (power 2 nbits)
                    = res };
        assert { power radix (i+1) * power 2 bi * prd
                 = power 2 bni * radix * prd };
        assert { power radix (i+2) = power 2 bni * radix * power 2 nbits_in_r };
        assert { value p pn
                 = value p i + power radix i * prm
                   + power 2 bni * (res + power 2 nbits * drs)
                   + power 2 bni * radix * prd
                   + power 2 bni * radix * power 2 nbits_in_r
                     * value p'' (pn - (i+2)) };
        let ghost d = pure { prd + power 2 nbits_in_r
                                   * value p'' (pn - (i+2)) } in
        assert { value p pn
                 = power 2 bni * (res + power 2 nbits * drs + radix * d)
                   + valueb p bni };
        assert { mod (value p pn) (power 2 bni)
                 = mod (valueb p bni) (power 2 bni)
                 = valueb p bni };
        assert { div (value p pn) (power 2 bni)
                 = res + power 2 nbits * drs + radix * d
                 by valueb p bni = mod (value p pn) (power 2 bni)
                 so power 2 bni * div (value p pn) (power 2 bni)
                      + mod (value p pn) (power 2 bni)
                    = value p pn
                    = power 2 bni * (res + power 2 nbits * drs + radix * d)
                      + valueb p bni
                 so power 2 bni * (res + power 2 nbits * drs + radix * d)
                    = power 2 bni * div (value p pn) (power 2 bni) };
        assert { radix = power 2 64 = power 2 nbits * power 2 (64 - nbits) };
        let ghost d' = pure { drs + power 2 (64 - nbits) * d } in
        assert { div (value p pn) (power 2 bni)
                 = power 2 nbits * drs
                   + power 2 nbits * power 2 (64 - nbits) * d + res
                 = power 2 nbits * d' + res };
        assert { mod (div (value p pn) (power 2 bni)) (power 2 nbits)
                 = mod (power 2 nbits * d' + res) (power 2 nbits)
                 = mod res (power 2 nbits)
                 = res };
      end
      else begin
        let ghost res = pure { mod r (power 2 nbits) } in
        let ghost drs = pure { div r (power 2 nbits) } in
        assert { r = power 2 nbits * drs + res };
        assert { valueb p obi = valueb p bni + power 2 bni * res
                 by obi = 64 * i + bi + nbits
                        <= 64 * i + bi + (64 - bi)
                        = 64 * (i+1)
                 so if obi < 64 * (i+1)
                    then
                      div obi 64 = i
                      so valueb p obi
                         = value p i
                           + power radix i * mod ((pelts p)[offset p + i])
                                               (power 2 (obi - 64 * i))
                         = value p i
                           + power radix i * mod pr (power 2 (bi + nbits))
                      so pr = prm + power 2 bi * r
                            = prm + power 2 bi * (res + power 2 nbits * drs)
                            = prm + power 2 bi * res
                              + power 2 bi * power 2 nbits * drs
                            = power 2 (bi + nbits) * drs
                              + prm + power 2 bi * res
                      so (0 <= prm + power 2 bi * res < power 2 (bi + nbits)
                          by 0 <= prm < power 2 bi
                          so 0 <= res <= power 2 nbits - 1
                          so power 2 bi * res
                             <= power 2 bi * (power 2 nbits - 1)
                             = power 2 (bi + nbits) - power 2 bi)
                      so mod pr (power 2 (bi + nbits))
                         = mod (power 2 (bi + nbits) * drs
                                 + (prm + power 2 bi * res))
                               (power 2 (bi + nbits))
                         = mod (prm + power 2 bi * res) (power 2 (bi + nbits))
                         = prm + power 2 bi * res
                      so valueb p obi
                         = value p i + power radix i * (prm + power 2 bi * res)
                         = value p i + power radix i * prm + power 2 bni * res
                         = valueb p bni + power 2 bni * res
                    else
                      obi = 64 * (i+1)
                      so div obi 64 = (i+1)
                      so bi + nbits = 64
                      so valueb p obi
                         = value p (i+1)
                           + power radix (i+1)
                             * (mod (pelts p)[offset p + (i + 1)]) (power 2 0)
                         = value p (i+1)
                         = value p i + power radix i * pr
                      so nbits_in_r = nbits
                      so r < power 2 nbits
                      so res = r
                      so pr = prm + power 2 bi * res
                      so valueb p obi
                         = value p i + power radix i * prm
                           + power radix i * power 2 bi * res
                         = valueb p bni + power 2 bni * res };
        assert { mod (div (value p pn) (power 2 bni)) (power 2 nbits) = res
                 by power radix (i+1)
                    = power radix i * radix
                    = power radix i * power 2 bi * power 2 nbits_in_r
                    = power 2 bni * power 2 nbits_in_r
                 so value p pn
                    = valueb p bni + power 2 bni * r
                      + power radix (i+1) * value p' (pn - (i+1))
                    = valueb p bni + power 2 bni * r
                      + power 2 bni
                        * (power 2 nbits_in_r * value p' (pn - (i+1)))
                 so value p pn
                    = power 2 bni
                        * (r + power 2 nbits_in_r * value p' (pn - (i+1)))
                      + valueb p bni
                 so mod (value p pn) (power 2 bni)
                    = mod (valueb p bni) (power 2 bni) = valueb p bni
                 so let d = power 2 (nbits_in_r - nbits)
                            * value p' (pn - (i+1)) in
                    power 2 nbits_in_r
                    = power 2 (nbits_in_r - nbits) * power 2 nbits
                 so value p pn
                    = valueb p bni
                      + power 2 bni * (r + power 2 nbits * d)
                 so value p pn
                    = mod (value p pn) (power 2 bni)
                      + power 2 bni * (div (value p pn) (power 2 bni))
                 so power 2 bni * (r + power 2 nbits * d)
                    = power 2 bni * (div (value p pn) (power 2 bni))
                 so r + power 2 nbits * d
                    = div (value p pn) (power 2 bni)
                 so r + power 2 nbits * d
                    = power 2 nbits * (drs + d) + res
                 so mod (r + power 2 nbits * d) (power 2 nbits)
                    = mod res (power 2 nbits)
                    = res };
      end;
      r % (lsl 1 (Limb.of_int32 nbits))

  let lemma valueb_mod (p:t) (nbits:int) (n:int32)
    requires { nbits >= 0 }
    requires { 64 * n >= nbits }
    ensures  { valueb p nbits = mod (value p n) (power 2 nbits) }
  = let i = div nbits 64 in
    assert { i <= n };
    if i = int32'int n then return else ();
    assert { mod (power 2 (64 * i) * (pelts p)[offset p + i]) (power 2 nbits)
             = power 2 (64 * i)
               * mod (pelts p)[offset p + i] (power 2 (nbits - 64 * i))
             by power 2 nbits = power 2 (64 * i) * power 2 (nbits - 64 * i)
             so power 2 (64 * i)
                * mod (pelts p)[offset p + i] (power 2 (nbits - 64 * i))
                = mod (power 2 (64 * i) * (pelts p)[offset p + i])
                      (power 2 (64 * i) * power 2 (nbits - 64 * i)) };
    assert { valueb p nbits
             = value p i
               + power radix i * mod (pelts p)[offset p + i]
                                     (power 2 (nbits - 64 * i))
             = value p i
               + power 2 (64 * i) * mod (pelts p)[offset p + i]
                                        (power 2 (nbits - 64 * i))
             = value p i + mod (power 2 (64 * i) * (pelts p)[offset p + i])
                               (power 2 nbits) };
    mod_id (value p i) (power 2 nbits);
    assert { mod (power 2 (64 * i) * (pelts p)[offset p + i]) (power 2 nbits)
                 <= power 2 nbits - power 2 (64 * i)
             by mod (power 2 (64 * i) * (pelts p)[offset p + i]) (power 2 nbits)
                = power 2 (64 * i)
                  * mod (pelts p)[offset p + i] (power 2 (nbits - 64 * i))
             so mod (pelts p)[offset p + i] (power 2 (nbits - 64 * i))
                <= power 2 (nbits - 64 * i) - 1
            so power 2 (64 * i)
               * mod (pelts p)[offset p + i] (power 2 (nbits - 64 * i))
               <= power 2 (64 * i) * (power 2 (nbits - 64 * i) - 1)
               = power 2 (64 * i) * power 2 (nbits - 64 * i) - power 2 (64 * i)
               = power 2 nbits - power 2 (64 * i) };
    mod_id (mod (value p i) (power 2 nbits)
           + mod (power 2 (64 * i) * uint64'int (pelts p)[offset p + i])
                 (power 2 nbits))
           (power 2 nbits);
    mod_sum (value p i) (power 2 (64 * i) * uint64'int (pelts p)[offset p + i])
            (power 2 nbits);
    value_tail p (Int32.of_int i);
    assert { valueb p nbits
             = mod (value p i + power 2 (64 * i) * (pelts p)[offset p + i])
                   (power 2 nbits)
             = mod (value p i + power radix i * (pelts p)[offset p + i])
                   (power 2 nbits)
             = mod (value p (i+1)) (power 2 nbits) };
    value_concat p (Int32.of_int i+1) n;
    let x = value_sub (pelts p) (offset p + (i+1)) (offset p + int32'int n) in
    let d = 64 * (i+1) - nbits in
    assert { d >= 0 };
    assert { power radix (i+1) = power 2 (64 * (i+1))
             = power 2 nbits * power 2 d };
    assert { value p n = value p (i+1) + power radix (i+1) * x
             = power 2 nbits * (power 2 d * x) + value p (i+1) };
    assert { mod (value p n) (power 2 nbits)
             = mod (power 2 nbits * (power 2 d * x) + value p (i+1))
                   (power 2 nbits)
             = mod (value p (i+1)) (power 2 nbits)
             = valueb p nbits }

  let lemma valueb_mon (p:t) (pn:int32) (bi1 bi2:int32)
    requires { 0 <= bi1 <= bi2 }
    requires { valid p pn }
    requires { pn >= div (bi2 + 63) 64 }
    ensures  { valueb p bi1 <= valueb p bi2 }
  =
    if bi2 - bi1 >= 64
    then begin
      let i1 = bi1 / 64 in
      let i2 = bi2 / 64 in
      assert { i1 < i2 };
      value_concat p (i1+1) i2;
      value_tail p i1;
      assert { valueb p bi1
               = value p i1 + power radix i1
                    * mod ((pelts p)[offset p + i1]) (power 2 (bi1 - 64 * i1))
               <= value p i1 + power radix i1 * (pelts p)[offset p + i1]
               = value p (i1 + 1)
               by mod ((pelts p)[offset p + i1]) (power 2 (bi1 - 64 * i1))
                  <= (pelts p)[offset p + i1]
             };
      assert { valueb p bi2
               = value p i2 + power radix i2
                    * mod ((pelts p)[offset p + i2]) (power 2 (bi2 - 64 * i2))
               >= value p i2
               by div bi2 64 = i2
               so mod ((pelts p)[offset p + i2]) (power 2 (bi2 - 64 * i2)) >= 0
               so power radix i2 >= 0 };
      assert { value p i2
               = value p (i1+1) + power radix (i1 + 1)
                       * value_sub (pelts p) (offset p + i1 + 1) (offset p + i2)
               >= value p (i1 + 1) }
    end
    else if bi1 = bi2 then ()
    else
      begin
      let x = getbits p pn bi2 (bi2-bi1) in
      assert { valueb p bi2 = valueb p bi1 + power 2 bi1 * x };
      assert { power 2 bi1 * x >= 0 by x >= 0 }
    end

  let lemma redc_mul (p q a b c n m : int)
    requires { redc p a n m }
    requires { redc q b n m }
    requires { redc (p*q) c n m }
    requires { odd m }
    requires { 0 < m /\ 0 < n }
    ensures  { redc c (a * b) n m }
  = assert { mod p m = mod (power radix n * a) m
             /\ mod q m = mod (power radix n * b) m };
    mod_mul p (power radix n * a) q (power radix n * b) m;
    assert { mod (p * q) m = mod (power radix n * c) m
             = mod (power radix n * (power radix n * a * b)) m };
    unredc c (p * q) (power radix n * (a * b)) n m

  let wmpn_powm (rp bp : t) (bn : int32) (ep : t) (en : int32) (mp : t)
                (n : int32) (tp : t) : unit
    requires { valid rp n /\ valid bp bn /\ valid ep en /\ valid mp n }
    requires { valid tp (2*n) }
    requires { writable tp /\ writable rp }
    requires { odd (value mp n) }
    requires { value ep en > 1 }
    requires { en >= 1 }
    requires { (pelts ep)[offset ep + en - 1] > 0 }
    requires { (pelts mp)[offset mp + n - 1] > 0 }
    requires { n >= 1 }
    requires { bn >= 1 }
    requires { bn + n < max_int32 }
    requires { n * 512 <= max_int32 }
    requires { 64 * en < max_int32 - 64 }
    ensures  { value rp n
               = mod (power (value bp bn) (value ep en)) (value mp n) }
  =
    let ghost vb = value bp (int32'int bn) in
    let ghost vm = value mp (int32'int n) in
    let ghost ve = value ep (int32'int en) in
    (* SIZEINBASE_2EXP start, move to function? *)
    let le = C.get_ofs ep (en - 1) in
    let ref cnt = count_leading_zeros le in
    let ref ebi = 64 * en - cnt in
    (* ep has ebi bits *)
    value_tail ep (en-1);
    assert { ve = value ep (en - 1) + power radix (en - 1) * le };
    assert { power 2 ebi = power radix (en - 1) * power 2 (64 - cnt)
             by power radix (en - 1) = power (power 2 64) (en - 1)
                = power 2 (64 * (en - 1))
             so power radix (en - 1) * power 2 (64 - cnt)
                = power 2 (64 * (en - 1)) * power 2 (64 - cnt)
                = power 2 (64 * (en - 1) + (64 - cnt))
                = power 2 ebi };
    assert { le < power 2 (64 - cnt)
             by radix = power 2 cnt * power 2 (64 - cnt) > power 2 cnt * le };
    assert { le >= power 2 (64 - (cnt + 1))
                 by radix = power 2 (cnt + 1) * power 2 (64 - (cnt + 1))
                 so power 2 (cnt + 1) * power 2 (64 - (cnt + 1))
                    <= power 2 (cnt + 1) * le};
    assert { power 2 (ebi-1) <= ve < power 2 ebi
             by power radix (en - 1) = power (power 2 64) (en - 1)
                = power 2 (64 * (en - 1))
             so 0 <= value ep (en - 1) < power radix (en - 1)
             so power radix (en - 1) * le
                <= ve < power radix (en - 1) * (1 + le) };
    assert { ve = valueb ep ebi
             by ebi > 0
             so 0 <= cnt < 64
             so 64 * (en - 1) < ebi <= 64 * en
             so if cnt = 0
             then
               ebi = 64 * en
               so div ebi 64 = en
               so valueb ep ebi
                  = value ep en
                    + power radix en * mod (pelts ep)[offset ep + en] 1
                  = value ep en
                  = ve
             else
               ebi < 64 * en
               so div ebi 64 = en - 1
               so ebi - 64 * (en - 1) = 64 - cnt
               so mod le (power 2 (64 - cnt)) = le
               so valueb ep ebi
                  = value ep (en - 1)
                    + power radix (en - 1)
                      * mod le (power 2 (ebi - 64 * (en - 1)))
                  = value ep (en - 1)
                    + power radix (en - 1) * le = ve };
    let windowsize = win_size ebi in
    assert { n <= n * power 2 (windowsize - 1) <= max_int32
             by windowsize - 1 <= 9
             so power 2 (windowsize - 1) <= power 2 9
             so power 2 2 = 4
             so power 2 4 = power 2 2 * power 2 2
             so power 2 8 = power 2 4 * power 2 4 = 256
             so power 2 9 = 2 * power 2 8 = 512 };
    let m0 = C.get mp in
    value_concat mp 1 n;
    assert { vm = m0 + radix *
                (value_sub (pelts mp) (offset mp + 1) (offset mp + n)) };
    let im = binvert_limb m0 in
    let mip = minus_mod im in
    assert { mod (vm * mip) radix = radix - 1
             by mod (im * m0) radix = 1
             so (im <> 0
                 by mod (0 * m0) radix = 0)
             so mod (m0 * mip) radix
                = mod (m0 * (mod (- im) radix)) radix
             so mod (- im) radix
                = mod (radix - im) radix
                = radix - im
             so mod (m0 * mip) radix
                = mod (m0 * (radix - im)) radix
                = mod (radix * m0 - im * m0) radix
                = mod (- im * m0) radix
                = mod ((-1)  * (im * m0)) radix
                = mod ((mod (-1) radix)
                       * (mod (im * m0) radix)) radix
                = mod ((radix - 1) * 1) radix
                = radix - 1
             so mod (vm * mip) radix
                = mod ((radix *
                         (value_sub (pelts mp) (offset mp + 1) (offset mp + n))
                       + m0) * mip) radix
                = mod (radix *
                         (value_sub (pelts mp) (offset mp + 1) (offset mp + n)
                         * mip)
                       + m0 * mip) radix
                = mod (m0 * mip) radix };
    let pp = salloc
               (UInt32GMP.lsl (UInt32.of_int32 n)
                              (UInt32.of_int32 windowsize-1)) in
    let ref this_pp = C.incr pp 0 in
    redcify this_pp bp bn mp n;
    let ghost vp = value pp (int32'int n) in
    assert { vp = value this_pp n = mod (power radix n * vb) vm };
    assert { value this_pp n < vm };
    assert { redc (value pp n) vb n vm };
    wmpn_mul_n tp this_pp this_pp n 64;
    assert { value tp (2 * n) = vp * vp };
    wmpn_redc_1 rp tp mp n mip;
    redc_mul vp vp vb vb (value rp (int32'int n)) (int32'int n) vm;
    assert { redc (value rp n) (power vb 2) n vm };
    let ghost ref j = (0:int) in
    label Window in
    for i = UInt32GMP.lsl 1 (UInt32.of_int32 windowsize-1) - 1 downto 1 do
      invariant { j = power 2 (windowsize-1) - 1 - i }
      invariant { min pp = 0 <= j * n }
      invariant { windowsize > 1 -> i > 1 ->
                  j*n + n + n <= power 2 (windowsize-1) * n = max pp }
      invariant { offset this_pp = j * n }
      invariant { pelts this_pp = pelts pp }
      invariant { min this_pp = min pp }
      invariant { max this_pp = max pp }
      invariant { plength this_pp = plength pp }
      invariant { writable this_pp }
      invariant { plength tp = plength (tp at Window) }
      invariant { min tp = min (tp at Window) }
      invariant { max tp = max (tp at Window) }
      invariant { forall k. 0 <= k <= j ->
                  redc (value_sub (pelts pp) (k*n) (k*n + n))
                        (power vb (2*k+1)) n vm }
      assert { redc (value this_pp n) (power vb (2*j + 1)) n vm };
      label Mul in
      let ghost ovp = value this_pp (int32'int n) in
      wmpn_mul_n tp this_pp rp n 64;
      this_pp <- C.incr this_pp n;
      assert { offset this_pp = j*n + n };
      assert { forall j. 0 <= j < max pp ->
               (pelts pp)[j] = (pelts pp at Mul)[j] };
      label Redc in
      wmpn_redc_1 this_pp tp mp n mip;
      assert { forall k. 0 <= k < j*n + n ->
               (pelts pp)[k] = (pelts pp at Redc)[k] = (pelts pp at Mul)[k]
               by pelts pp = pelts this_pp
               so pelts pp at Redc = pelts this_pp at Redc
               so k < j*n + n = offset this_pp
               so (pelts this_pp)[k] = (pelts this_pp)[k] at Redc };
      assert { forall k. 0 <= k <= j ->
               redc (value_sub (pelts pp) (k*n) (k*n + n))
                    (power vb (2*k+1)) n vm
               by (forall l. k*n <= l < k*n + n ->
                   (pelts pp)[l] = (pelts pp)[l] at Mul
                   by k*n <= j*n
                   so l < j*n+n)
               so value_sub (pelts pp) (k*n) (k*n + n)
                  = value_sub (pelts pp) (k*n) (k*n + n) at Mul };
      j <- j+1;
      redc_mul ovp (value rp (int32'int n))
               (power vb (2 * j - 1)) (power vb 2)
               (value this_pp (int32'int n)) (int32'int n) vm;
      assert { redc (value this_pp n) (power vb (2*j + 1)) n vm
               by power vb (2*j + 1) = power vb (2*j - 1) * power vb 2 };
    done;
    assert RedcW { forall k. 0 <= k < power 2 (windowsize - 1) ->
                    redc (value_sub (pelts pp) (k*n) (k*n + n))
                         (power vb (2*k+1)) n vm };
    let ref expbits = getbits ep en ebi windowsize in
    begin ensures { ve = valueb ep ebi + power 2 ebi * expbits }
          ensures { 0 <= ebi <= old ebi }
          ensures { expbits < power 2 windowsize }
      if ebi < windowsize
      then begin
        ebi <- 0;
        assert { expbits = valueb ep ebi + power 2 ebi * expbits };
        assert { expbits = ve };
      end
      else ebi <- ebi - windowsize
    end;
    label Shift in
    cnt <- count_trailing_zeros expbits;
    ebi <- ebi + cnt;
    expbits <- lsr expbits (Limb.of_int32 cnt);
    assert { odd expbits
             by expbits at Shift = power 2 cnt * expbits
             so mod (expbits at Shift) (power 2 (cnt+1)) <> 0
             so let d = div expbits 2 in
                let m = mod expbits 2 in
                expbits = 2*d+m
             so expbits at Shift = power 2 (cnt+1) * d + power 2 cnt * m
             so mod (expbits at Shift) (power 2 (cnt + 1))
                = mod (power 2 cnt * m) (power 2 (cnt + 1))
             so m <> 0 };
    assert { ebi <= 64 * en
             by expbits >= 1
             so ve = valueb ep (ebi - cnt)
                   + (power 2 (ebi-cnt) * power 2 cnt * expbits)
                   = valueb ep (ebi - cnt) + power 2 ebi * expbits
                >= power 2 ebi * expbits
                >= power 2 ebi
             so power 2 ebi <= ve < power radix en = power 2 (64 * en) };
    valueb_mod ep (int32'int ebi) en;
    assert { ve = valueb ep ebi + power 2 ebi * expbits
             by expbits at Shift = power 2 cnt * expbits
             so ebi at Shift = ebi - cnt
             so (power 2 ebi * expbits) at Shift
                 = power 2 (ebi - cnt) * power 2 cnt * expbits
                 = power 2 ebi * expbits
             so valueb ep (ebi at Shift) = valueb ep (ebi - cnt)
                < power 2 (ebi - cnt) <= power 2 ebi
             so valueb ep ebi = mod ve (power 2 ebi)
                = mod (power 2 ebi * expbits + valueb ep (ebi at Shift))
                      (power 2 ebi)
                = mod (valueb ep (ebi at Shift))
                      (power 2 ebi)
                = valueb ep (ebi at Shift) };
    assert { div expbits 2 <= max_int32
             by power 2 10 = power 2 4 * power 2 4 * power 2 2 = 16 * 16 * 4
                = 1024
             so expbits <= power 2 windowsize <= power 2 10 < max_int32 };
    let ebh = Limb.to_int32 (lsr_mod expbits 1) in
    assert { 2 * ebh + 1 = expbits
             by expbits = 2 * (div expbits 2) + mod expbits 2
             so div expbits 2 = ebh so mod expbits 2 = 1 };
    assert { n * ebh + n <= n * power 2 (windowsize - 1)
             by 2 * ebh < expbits <= expbits at Shift < power 2 windowsize
                = 2 * power 2 (windowsize-1)
             so ebh < power 2 (windowsize-1)
             so ebh <= power 2 (windowsize-1) - 1
             so n * ebh <= n * (power 2 (windowsize-1) - 1)
                = n * power 2 (windowsize-1) - n };
    let ppn = C.incr pp (n * ebh) in
    wmpn_copyi rp ppn n;
    assert { redc (value rp n) (power vb expbits) n vm
             by value rp n = value ppn n
                = value_sub (pelts pp) (ebh * n) (ebh * n + n)
             so redc (value_sub (pelts pp) (ebh * n) (ebh * n + n))
                     (power vb (2 * ebh + 1)) n vm };
    let ghost ref expdone = uint64'int expbits in
    let ref this_windowsize = windowsize in
    label Loop in
    while (ebi <> 0) do
      variant { ebi }
      invariant { 0 <= ebi <= ebi at Loop }
      invariant { 0 <= expdone }
      invariant { en >= div (ebi + 63) 64 }
      invariant { redc (value rp n) (power vb expdone) n vm }
      invariant { ve = valueb ep ebi + power 2 ebi * expdone }
      invariant { plength tp = plength (tp at Window) }
      invariant { min tp = min (tp at Window) }
      invariant { max tp = max (tp at Window) }
      label ILoop in
      while getbit ep en ebi = 0 do
        variant { ebi }
        invariant { 1 <= ebi <= ebi at ILoop }
        invariant { 0 <= expdone }
        invariant { en >= div (ebi + 63) 64 }
        invariant { redc (value rp n) (power vb expdone) n vm }
        invariant { ve = valueb ep ebi + power 2 ebi * expdone }
        invariant { plength tp = plength (tp at Window) }
        invariant { min tp = min (tp at Window) }
        invariant { max tp = max (tp at Window) }
        let ghost orp = value rp (int32'int n) in
        wmpn_mul_n tp rp rp n 64;
        wmpn_redc_1 rp tp mp n mip;
        redc_mul orp orp (power vb expdone) (power vb expdone)
                 (value rp (int32'int n)) (int32'int n) vm;
        assert { redc (value rp n) (power vb (expdone + expdone)) n vm };
        assert { valueb ep ebi = valueb ep (ebi - 1) };
        assert { ve = valueb ep (ebi-1) + power 2 (ebi-1) * (2 * expdone)
                 by power 2 (ebi - 1) * 2 = power 2 ebi };
        expdone <- 2 * expdone;
        ebi <- ebi - 1;
        if ebi = 0 then begin
          assert { redc (value rp n) (power vb expdone) n vm };
          assert { ve = valueb ep ebi + power 2 ebi * expdone
                      = expdone };
          break (* TODO GMP uses a goto to break twice *)
        end
      done;
      if ebi = 0 then begin
        assert { redc (value rp n) (power vb ve) n vm };
        assert { ve = expdone };
        break
      end;
      assert { valueb ep ebi = valueb ep (ebi - 1) + power 2 (ebi - 1) * 1 };
      label WindowL in
      let ghost oebi = ebi in
      expbits <- getbits ep en ebi windowsize;
      this_windowsize <- windowsize;
      begin ensures { 0 <= ebi < old ebi }
            ensures { ebi + this_windowsize = oebi }
            ensures { valueb ep (old ebi)
                      = valueb ep ebi + power 2 ebi * expbits }
            ensures { 0 < expbits < power 2 this_windowsize }
            ensures { 0 < this_windowsize <= windowsize }
      if (ebi < windowsize)
      then begin
        this_windowsize <- this_windowsize - (windowsize - ebi);
        ebi <- 0;
        assert { expbits = valueb ep (oebi)
                 < power 2 (oebi) = power 2 this_windowsize };
      end
      else ebi <- ebi - windowsize
      end;
      valueb_mon ep en ebi (oebi - 1);
      assert { 0 < expbits
               by valueb ep (oebi)
                   = valueb ep (oebi - 1) + power 2 (oebi - 1) * 1
               so valueb ep (oebi) > valueb ep (oebi-1)
               so valueb ep (oebi) = valueb ep ebi + power 2 ebi * expbits
               so valueb ep ebi <= valueb ep (oebi - 1) };
      label ShiftL in
      cnt <- count_trailing_zeros expbits;
      assert { this_windowsize >= cnt
               by expbits < power 2 this_windowsize
               so mod expbits (power 2 cnt) = 0
               so expbits >= power 2 cnt };
      this_windowsize <- this_windowsize - cnt;
      ebi <- ebi + cnt;
      expbits <- lsr expbits (Limb.of_int32 cnt);
      assert { odd expbits
               by expbits at ShiftL = power 2 cnt * expbits
               so mod (expbits at ShiftL) (power 2 (cnt+1)) <> 0
               so let d = div expbits 2 in
                  let m = mod expbits 2 in
                  expbits = 2*d+m
               so expbits at ShiftL = power 2 (cnt+1) * d + power 2 cnt * m
               so mod (expbits at ShiftL) (power 2 (cnt + 1))
                  = mod (power 2 cnt * m) (power 2 (cnt + 1))
               so m <> 0 };
      assert { ebi <= 64 * en
               by ebi <= ebi at Loop <= 64 * en };
      valueb_mod ep (int32'int ebi) en;
      assert { valueb ep oebi
               = valueb ep ebi + power 2 ebi * expbits
               /\ ve = valueb ep ebi + power 2 ebi * expbits
                                     + power 2 oebi * expdone
               by expbits at ShiftL = power 2 cnt * expbits
               so (ebi at ShiftL) = ebi - cnt
               so (power 2 ebi * expbits) at ShiftL
                  = power 2 (ebi-cnt) * power 2 cnt * expbits
                  = power 2 ebi * expbits
               so valueb ep (ebi at ShiftL) = valueb ep (ebi - cnt)
                  < power 2 (ebi - cnt) <= power 2 ebi
               so oebi = ebi + this_windowsize
               so power 2 oebi = power 2 ebi * power 2 this_windowsize
               so ve = valueb ep (ebi at ShiftL) + power 2 ebi * expbits
                       + power 2 oebi * expdone
                     = valueb ep (ebi at ShiftL) + power 2 ebi * expbits
                       + power 2 ebi * (power 2 this_windowsize * expdone)
                     = valueb ep (ebi at ShiftL)
                       + power 2 ebi
                         * (expbits + power 2 this_windowsize * expdone)
               so valueb ep ebi = mod ve (power 2 ebi)
                  = mod (power 2 ebi
                         * (expbits + power 2 this_windowsize * expdone)
                         + valueb ep (ebi at ShiftL))
                        (power 2 ebi)
                  = mod (valueb ep (ebi at ShiftL)) (power 2 ebi)
                  = valueb ep (ebi at ShiftL) };
      assert { ebi + this_windowsize = oebi };
      assert { ve =
                 valueb ep ebi + power 2 ebi *
                         (expbits + power 2 this_windowsize * expdone)
               by power 2 ebi * power 2 this_windowsize = power 2 oebi };
      label WLoop in
      while this_windowsize <> 0 do
        variant { this_windowsize }
        invariant { 0 <= this_windowsize <= this_windowsize at WLoop }
        invariant { 0 <= expdone }
        invariant { redc (value rp n) (power vb expdone) n vm }
        invariant { ve = valueb ep ebi + power 2 ebi *
                         (expbits + power 2 this_windowsize * expdone) }
        invariant { plength tp = plength (tp at Window) }
        invariant { min tp = min (tp at Window) }
        invariant { max tp = max (tp at Window) }
        let ghost orp = value rp (int32'int n) in
        wmpn_mul_n tp rp rp n 64;
        wmpn_redc_1 rp tp mp n mip;
        redc_mul orp orp (power vb expdone) (power vb expdone)
                 (value rp (int32'int n)) (int32'int n) vm;
        assert { redc (value rp n) (power vb (expdone + expdone)) n vm };
        assert { power 2 (this_windowsize - 1) * (2 * expdone)
                 = power 2 this_windowsize * expdone };
        this_windowsize <- this_windowsize - 1;
        expdone <- 2 * expdone;
      done;
      assert { div expbits 2 <= max_int32
               by power 2 10 = power 2 4 * power 2 4 * power 2 2 = 16 * 16 * 4
                  = 1024
               so expbits <= power 2 windowsize <= power 2 10 < max_int32 };
      let ebh = Limb.to_int32 (lsr_mod expbits 1) in
      assert { 2 * ebh + 1 = expbits
               by expbits = 2 * (div expbits 2) + mod expbits 2
               so div expbits 2 = ebh so mod expbits 2 = 1 };
      assert { ebh < power 2 (windowsize - 1)
               by 2 * ebh < expbits <= expbits at ShiftL < power 2 windowsize
                  = 2 * power 2 (windowsize-1)
               so ebh < power 2 (windowsize-1) };
      assert { n * ebh + n <= n * power 2 (windowsize - 1)
               by ebh <= power 2 (windowsize-1) - 1
               so n * ebh <= n * (power 2 (windowsize-1) - 1)
                  = n * power 2 (windowsize-1) - n };
      let ppn = C.incr pp (n * ebh) in
      assert { redc (value ppn n) (power vb expbits) n vm
               by value ppn n = value_sub (pelts pp) (ebh * n) (ebh * n + n)
               so redc (value_sub (pelts pp) (ebh * n) (ebh * n + n))
                       (power vb (2 * ebh + 1)) n vm };
      let ghost orp = value rp (int32'int n) in
      wmpn_mul_n tp rp ppn n 64;
      wmpn_redc_1 rp tp mp n mip;
      redc_mul orp (value ppn (int32'int n))
               (power vb expdone) (power vb (uint64'int expbits))
               (value rp (int32'int n)) (int32'int n) vm;
      assert { redc (value rp n) (power vb (expdone + expbits)) n vm };
      expdone <- expdone + uint64'int expbits
    done;
    assert { redc (value rp n) (power vb ve) n vm };
    wmpn_copyi tp rp n;
    let ghost otp = pure { tp } in
    wmpn_zero (C.incr tp n) n;
    value_sub_frame (pelts tp) (pelts otp)
                    (offset tp) (offset tp + int32'int n);
    assert { value tp n = value rp n };
    assert { value_sub (pelts tp) (offset tp + n) (offset tp + (n+n)) = 0 };
    value_concat tp n (2 * n);
    assert { value tp (2*n)
                = value rp n + power radix n * 0
                = value rp n };
    assert { redc (value tp (2 * n)) (power vb ve) n vm };
    label Reduce in
    wmpn_redc_1 rp tp mp n mip;
    unredc (value rp (int32'int n))
           (value (pure { rp at Reduce }) (int32'int n))
           (power vb ve) (int32'int n) vm;
    assert { mod (value rp n) vm = mod (power vb ve) vm };
    assert { value rp n < 2 * vm
             by value tp (2 * n) at Reduce
                = value rp n at Reduce
                < power radix n = power radix n * 1 <= power radix n * vm };
   begin ensures { mod (value rp n) vm = mod (power vb ve) vm }
         ensures { value rp n < vm }
     if (wmpn_cmp rp mp n >= 0)
      then begin
        label Sub in
        let ghost _b = wmpn_sub_n_in_place rp mp n in
        assert { _b = 0
                 by value rp n - power radix n * _b
                    = value rp n at Sub - vm
                    >= 0
                 so value rp n < power radix n
                 so 0 <= value rp n - power radix n * _b
                    < power radix n * (1 - _b)
                 so _b < 1 };
        assert { value rp n = value rp n at Sub - vm };
        assert { mod (value rp n) vm
                 = mod (vm * (-1) + value rp n at Sub) vm
                 = mod (value rp n at Sub) vm
                 = mod (power vb ve) vm };
        ()
      end
    end;
    assert { value rp n = mod (value rp n) vm }

endwhy3-1.6.0/examples/multiprecision/powm/000077500000000000000000000000001440160026300202525ustar00rootroot00000000000000why3-1.6.0/examples/multiprecision/powm/why3session.xml000066400000000000000000011330601440160026300232760ustar00rootroot00000000000000











 
 
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
   
   
   
   
   
   
  
  
  
  
   
   
   
   
   
   
  
  
  
  
   
   
   
   
   
   
  
  
  
  
  
  
  
  
  
  
  
  
  
   
   
   
   
   
   
  
  
  
  
   
   
   
   
   
    
    
    
   
   
  
  
  
  
   
   
   
   
   
    
    
    
   
   
  
  
  
  
  
 
 
 
 
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
 
 
 
 
 
 
 
 
  
  
  
  
  
  
  
  
   
   
   
   
   
   
  
  
  
  
   
   
   
   
   
    
    
    
   
   
   
   
    
    
    
   
   
  
  
  
  
  
 
 
 
 
  
  
  
  
  
  
  
  
   
   
   
   
   
   
   
   
   
   
   
  
  
  
  
   
   
   
   
   
   
   
   
   
   
   
  
  
  
  
  
 
 
 
 
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
   
   
   
   
   
   
   
   
   
   
   
   
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
  
  
  
  
  
  
  
  
  
  
  
  
  
   
   
   
  
  
  
  
   
   
   
   
   
   
   
   
   
   
   
   
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
 
 
 
 
  
  
  
  
  
  
  
  
   
   
   
   
   
   
   
   
   
   
   
   
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
   
   
   
  
  
  
  
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
  
  
  
  
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
   
   
   
  
  
  
  
  
  
  
   
   
   
  
  
  
  
   
   
   
   
   
   
   
   
   
   
   
   
  
  
  
  
  
  
  
   
   
   
  
  
  
  
  
  
  
   
   
   
   
   
   
   
   
   
   
   
    
    
    
    
    
    
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
  
  
  
  
   
   
   
  
  
  
  
  
  
  
   
   
   
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
   
   
   
  
  
  
  
  
  
  
  
  
  
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
  
  
  
  
   
   
   
  
  
  
  
  
  
  
  
  
  
   
   
   
   
   
   
   
   
   
  
  
  
  
   
   
   
    
    
     
     
     
     
     
     
     
     
     
    
    
   
   
   
   
   
   
   
   
   
   
   
  
  
  
  
   
   
   
   
   
   
   
   
   
   
   
   
  
  
  
  
   
   
   
   
   
    
    
    
   
   
  
  
  
  
  
  
  
  
  
  
  
  
  
   
   
   
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
   
   
    
    
    
    
    
    
   
   
  
  
  
  
  
  
  
  
  
  
   
   
   
   
   
   
   
  
  
  
  
  
  
  
  
  
  
  
  
  
   
   
   
   
  
  
  
  
   
   
   
   
   
   
   
   
   
  
  
  
  
   
   
   
  
  
  
  
  
  
  
   
   
   
   
   
   
   
   
    
    
    
    
    
    
   
   
   
   
   
   
   
   
   
   
   
   
   
   
  
  
  
  
   
   
   
   
   
   
   
   
    
    
    
    
    
    
   
   
   
   
   
   
   
   
   
   
   
   
   
   
  
  
  
  
   
   
   
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
   
   
   
  
  
  
  
  
  
  
   
   
   
   
   
   
   
   
    
    
    
   
   
   
   
   
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
   
   
   
   
   
   
   
   
   
  
  
  
  
   
   
   
  
  
  
  
  
  
  
  
  
  
  
  
  
  
 
 
 
 
  
  
  
  
  
  
  
  
   
   
   
   
   
   
  
  
  
  
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
  
  
  
  
   
   
   
   
   
    
    
    
    
    
    
   
   
   
   
   
  
  
  
  
  
  
  
  
  
  
   
   
   
   
   
   
   
   
    
    
    
    
    
    
    
    
    
   
   
  
  
  
  
   
   
   
   
   
   
   
   
   
  
  
  
  
   
   
   
  
  
  
  
   
   
   
  
  
  
  
  
  
  
  
  
  
  
  
  
   
   
   
   
   
   
   
   
   
   
   
   
  
  
  
  
   
   
   
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
   
   
   
   
   
   
   
   
   
   
   
   
  
  
  
  
  
  
  
  
  
  
   
   
   
  
  
  
  
  
  
  
   
   
   
   
   
   
   
   
   
   
   
   
  
  
  
  
  
  
  
  
  
  
   
   
   
  
  
  
  
  
  
  
   
   
   
   
   
   
   
   
   
   
   
   
  
  
  
  
  
  
  
  
 
 
 
 
 
 
 
 
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
   
   
   
   
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
   
   
   
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
   
   
   
   
   
   
   
   
    
    
     
     
     
    
    
   
   
  
  
  
  
  
  
  
  
  
  
  
  
  
  
 
 
 
 
  
  
  
  
  
  
  
  
  
 
 
 
 
  
  
  
  
  
  
  
  
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
  
  
  
  
  
  
  
   
   
   
  
  
 
 
 
 
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
   
   
   
   
   
   
  
  
  
  
  
  
  
   
   
   
   
   
   
  
  
  
  
   
   
   
  
  
  
  
   
   
   
   
   
   
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
   
   
   
   
   
   
   
   
   
   
   
   
  
  
  
  
  
  
  
   
   
   
   
   
   
   
   
   
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
    
    
    
   
   
   
   
   
   
   
   
  
  
  
  
   
   
   
   
   
   
   
   
    
    
    
    
    
    
   
   
   
   
    
    
    
    
    
    
    
    
    
   
   
   
   
   
   
   
   
   
   
   
   
   
   
  
  
  
  
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
  
  
  
  
   
   
   
   
   
   
  
  
  
  
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
  
  
  
  
   
   
   
   
   
   
   
   
   
  
  
  
  
  
  
  
   
   
   
  
  
  
  
  
  
  
  
  
  
  
 
 
 
 
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
   
   
   
   
   
   
  
  
  
  
  
  
  
   
   
   
   
   
   
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
   
   
   
   
   
   
  
  
  
  
  
  
  
  
  
  
  
  
  
   
   
   
   
   
   
   
   
    
    
    
    
    
    
    
    
    
   
   
  
  
  
  
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
  
  
  
  
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
  
  
  
  
   
   
   
  
  
  
  
   
   
   
   
   
   
   
   
   
  
  
  
  
  
  
  
  
  
  
  
  
  
   
   
   
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
   
   
   
   
   
   
  
  
  
  
  
  
  
  
  
  
   
   
   
   
   
   
   
   
   
  
  
  
  
  
  
  
  
  
  
   
   
   
   
   
   
   
   
   
  
  
  
  
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
  
  
  
  
  
  
  
  
  
  
  
  
  
   
   
   
   
   
   
   
   
   
   
   
   
  
  
  
  
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
    
    
    
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
    
    
    
    
    
    
   
   
   
   
   
   
   
   
   
   
   
   
   
    
    
    
    
    
    
    
    
    
   
   
   
   
   
   
   
    
    
    
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
    
    
    
    
    
    
    
    
    
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
  
  
  
  
   
   
   
  
  
  
  
   
   
   
  
  
  
  
  
  
  
  
  
  
   
   
    
    
     
     
     
    
    
   
   
   
   
   
  
  
  
  
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
  
  
  
  
  
  
  
   
   
   
   
   
   
  
  
  
  
   
   
   
   
   
   
   
   
   
  
  
  
  
  
  
  
  
  
  
  
  
  
   
   
   
  
  
  
  
  
  
  
   
   
   
   
   
   
  
  
  
  
   
   
   
  
  
  
  
  
  
  
  
  
  
   
   
   
  
  
  
  
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
    
    
    
    
    
    
    
    
    
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
    
    
    
    
    
    
    
    
    
   
   
   
   
   
   
   
   
   
   
   
   
   
    
    
    
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
  
  
  
  
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
    
    
     
     
     
    
    
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
  
  
  
  
  
  
  
  
  
  
   
   
   
  
  
  
  
  
  
  
  
  
  
   
   
   
   
   
    
    
     
     
     
     
     
     
    
    
   
   
  
  
  
  
  
  
  
   
   
   
   
   
   
  
  
  
  
  
 
 
 
 
  
  
  
  
  
  
  
  
  
  
  
   
   
   
   
   
    
    
    
    
    
    
    
    
    
   
   
   
   
   
  
  
  
  
  
  
  
  
  
  
   
   
   
   
   
   
   
   
    
    
    
    
    
    
   
   
   
   
   
   
   
   
   
   
   
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
   
   
   
   
   
   
   
   
   
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
   
   
   
   
   
   
  
  
  
  
   
   
   
   
   
   
  
  
  
  
   
   
   
   
   
    
    
    
   
   
   
   
   
  
  
  
  
  
 
 
 
 
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
   
   
   
  
  
  
  
  
  
  
  
  
  
  
  
  
   
   
   
   
   
   
   
   
   
   
   
   
  
  
  
  
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
  
  
  
  
   
   
   
   
   
   
  
  
  
  
   
   
   
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
   
   
   
  
  
  
  
  
  
  
   
   
   
   
   
   
  
  
  
  
  
 
 
 
 
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
 
 
 
 
  
  
  
  
  
  
  
  
  
  
  
  
  
  
   
   
   
  
  
  
  
  
  
  
   
   
   
  
  
  
  
  
  
  
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
  
  
  
  
   
   
   
   
   
   
   
   
   
  
  
  
  
   
   
   
   
   
   
   
   
   
  
  
  
  
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
  
  
  
  
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
  
  
  
  
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
   
   
   
  
  
  
  
  
  
  
   
   
   
   
   
   
   
   
   
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
   
   
   
   
   
   
  
  
  
  
  
  
  
  
  
  
  
  
  
   
   
    
    
    
    
    
    
    
    
    
    
    
    
    
    
    
    
    
    
   
   
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
   
   
   
  
  
  
  
  
  
  
  
  
  
   
   
   
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
   
   
   
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
   
   
   
   
   
   
   
   
   
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
  
  
  
  
   
   
   
   
   
   
   
   
   
   
   
    
    
    
   
   
   
   
   
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
   
   
   
   
   
   
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
   
   
   
   
   
   
  
  
  
  
  
  
  
  
  
  
   
   
   
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
   
   
   
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
   
   
   
   
   
   
   
   
   
   
   
   
   
   
    
    
     
     
     
    
    
   
   
   
   
   
   
   
   
  
  
  
  
   
   
   
   
   
   
   
   
    
    
    
    
    
    
    
    
    
   
   
   
   
   
   
   
    
    
    
    
    
     
     
     
     
     
     
    
    
   
   
   
   
   
   
   
   
   
   
   
   
   
   
  
  
  
  
  
  
  
  
  
  
   
   
   
   
   
   
   
   
   
   
   
    
    
    
    
    
    
    
    
    
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
    
    
    
   
   
   
   
   
   
   
   
  
  
  
  
   
   
    
    
    
    
    
    
    
    
    
   
   
   
   
    
    
    
    
    
     
     
     
     
     
     
    
    
   
   
   
   
   
   
   
    
    
     
     
      
      
      
      
      
      
     
     
     
     
     
    
    
    
    
    
    
   
   
   
   
   
   
   
   
   
   
   
  
  
  
  
  
  
  
  
  
  
  
   
   
   
   
   
   
   
   
   
   
   
   
  
  
  
  
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
   
   
   
   
   
   
   
   
    
    
    
   
   
   
   
   
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
   
   
   
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
   
   
   
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
   
   
   
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
   
   
   
  
  
  
  
   
   
   
   
   
   
  
  
  
  
  
  
  
   
   
   
  
  
  
  
   
   
   
   
   
   
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
   
   
   
  
  
  
  
   
   
   
  
  
  
  
  
  
  
  
  
  
  
  
  
   
   
   
   
   
   
  
  
  
  
   
   
   
   
   
   
  
  
  
  
  
  
  
  
  
  
   
   
   
   
   
   
   
   
   
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
   
   
   
  
  
  
  
  
  
  
  
  
  
  
  
  
   
   
   
   
   
   
   
   
   
   
   
    
    
    
    
    
    
   
   
   
   
   
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
  
  
  
  
  
  
  
   
   
   
   
   
    
    
    
   
   
   
   
   
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
   
   
   
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
   
   
   
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
   
   
    
    
    
    
    
     
     
     
     
     
     
    
    
   
   
   
   
   
   
   
   
   
   
   
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
   
   
   
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
   
   
   
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
   
   
   
  
  
  
  
   
   
   
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
   
   
   
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
   
   
   
   
   
   
  
  
  
  
  
  
  
   
   
   
   
   
   
  
  
  
  
  
  
  
  
  
  
  
  
  
   
   
   
   
   
   
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
   
   
   
   
   
   
   
   
   
   
   
   
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
   
   
   
   
   
   
   
   
   
   
   
   
   
   
    
    
     
     
     
    
    
   
   
   
   
   
   
   
   
  
  
  
  
  
  
  
  
  
  
  
  
  
   
   
   
   
   
   
   
   
   
   
   
    
    
    
    
    
    
    
    
    
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
    
    
    
    
    
    
    
    
    
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
  
  
  
  
  
  
  
   
   
    
    
    
    
    
    
    
    
    
   
   
   
   
   
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
   
   
   
  
  
  
  
  
  
  
  
  
  
   
   
   
  
  
  
  
  
  
  
  
  
  
  
  
  
   
   
   
   
   
   
   
   
   
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
   
   
   
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
   
   
   
  
  
  
  
  
  
  
   
   
   
  
  
  
  
  
  
  
  
  
  
  
  
  
   
   
   
  
  
  
  
  
  
  
  
  
  
   
   
   
  
  
  
  
  
  
  
   
   
    
    
    
    
    
    
    
    
    
   
   
   
   
    
    
    
    
    
     
     
     
     
     
     
     
    
    
   
   
   
   
   
   
   
    
    
     
     
     
     
     
     
    
    
    
    
    
   
   
   
   
   
   
   
   
   
   
   
  
  
  
  
  
  
  
  
  
  
   
   
   
   
   
   
   
   
   
   
   
   
  
  
  
  
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
  
  
  
  
   
   
   
   
   
   
   
   
   
   
   
   
  
  
  
  
  
  
  
   
   
   
   
   
   
  
  
  
  
   
   
   
   
   
   
   
   
   
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
   
   
   
   
   
   
   
   
   
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
   
   
   
   
   
   
   
   
   
  
  
  
  
  
  
  
  
  
  
   
   
   
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
   
   
   
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
   
   
   
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
   
   
   
   
   
   
  
  
  
  
   
   
   
  
  
  
  
  
  
  
  
  
  
  
  
  
   
   
   
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
   
   
   
   
   
   
   
   
   
   
   
    
    
    
    
    
    
   
   
   
   
   
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
   
   
   
  
  
  
  
  
  
  
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
  
  
  
  
   
   
   
  
  
  
  
   
   
   
   
   
    
    
    
    
    
    
   
   
   
   
   
  
  
  
  
  
  
  
   
   
   
  
  
  
  
  
  
  
  
  
  
  
  
  
   
   
   
  
  
  
  
  
 
 



why3-1.6.0/examples/multiprecision/powm/why3shapes.gz000066400000000000000000002410401440160026300227130ustar00rootroot00000000000000n;({[0r88_rqaTRe=|
$Kd0LF޾g1>|jvC۶wo޽j/5VgcEU0UuSUǫ࡟ohw"*
؟f	-_^<`aobds	qmT(A6k:-QM~]&:$=vנwo7G(f#}FYEە1&
T/PnBWd.o967EQA[DnkSߢ|3eаuVJ(QTbRab
[gPHnaPHj6/4 A#Z
3\&P$mUSR߯7z^>l`|`3ʎ'5 ed24+-uM(E0
":/J_;Paz3u‡zo&
LY2
PH4T6r*

Ѝ+Ax:sc+[Z0to	i˵K+oMiȅIUŤ F{6CP-RQ[ͺLJg}g7ՠob6f`QDf+]O
!l8f^o#n>FKY.fC"c6vCH'43aC.X<7h{cw _G
w
b4hHf`c^V`~@E@xYE,X%Yr%)J&acEp'5 F7`o#
fކz6@٣+e1ּ0K({V	$ ۥޯer_kO|E}iXѴ#Qܥ#j&ehFW?ڇm{z66@-(neSٍ(W[r&(fwoa߿XniǍOW<A$H;;RQ[$GIi8LوCݢ[""}/X)+ʆ(adHIv#?dg6;|W\}$a5N+G1摜?䚚 fgQ<=,%AD)~A$I	́	+vt*Ʀyө|jBo?u7h/91>6_vd vi 6
KyƲ>ZtZ/.LՈ/Ip=_i.0..)~
JfE8?&,|$?!Y[CYsZY
yԖ:d{W*u3_?/AOkyF3y3u]s,$^@pljỳtja)aеӽN.QP\֌]&)Hepov?/w
:ƒxc&F|faTwYgcmt8Ծ/`&O@@B4x*%AFh\CκVfvNG>U!tDit<a}7޵];|WVׅ_-{ p#XͣCMQbP\<;[+Zbp+~b٣f\<6ߗyZ.]ǨN)?NS~bkd>׮`}t&#Z-aU1 Ɨ궛ur t`gSa<]EdtU:L9洂nr;uxi.tp
4LVǠMHEXM
>"6gﳖK+fn5[5ߦ#>l$
;HٕɬXvH7CX6R$$zM/ZП\gx,'JOpϊy)"tyJ%OGug|ةg,
5j{6Vp*Ka5ףs{אI*J[q9r0@#.N=X
:@Ku1]B*wo*u0sqEUהOmqiuWe[A>$c^Dom݊ȉ$ly=j<)=x5·sO($aQ[{tei8Xk.~ ?[J?qSDw`ry`gU3}>W ;+h2nIsԧ)s\r1S}ګ(N"dt-! 6i1C \!ô)%U3dXn3LQ/`a_¦`8E4*¬j@aj	S@YS@a /
EF2:EKhɳ;[zɢH1Qa.)F|k
4m֪_Kok{j}Ac񑋭}#jql&jvhU?'L=-`U*L(߹T NSa$U?aEg{Eo~BͯTuAcZVpU6Oγ\Ҭ^*G^-`%Dt~US󎷧XLu"9&.O:/\~aSryyYĖiJWO7-dd<|\~4xaTx.s/h܎#?C}7I
?-}/Ӹ^=
%ec/KnVm|N_ދ~Rh[NQb}(OYsQu9Ҙf4+>3 w˄	iNY=9>l|@Wةvl/9DhI#*ĀfƼU$M+hw8
o܍o(E(-Col\5%2ϹԇR:b+݂(Id8¨oX5`Pd؎ƞπA>`?xbg~ʽPW|2Ü{A0s?T)(x7NMLcɿ	͌34JJXJoҟO2_ވNjW-,t'f+"}%ԟ/eܯTzft
uNQ0X@ߥ^`]ΈOI|G)T3IB8By
텈y6:9MIi؄IIϨ:-G`LdsnBHΖ#p`c`*l۔^^PohG,-2vBs3ͶUmVk~fiX7}25/pc׫MSX[S4r]?I7)vԊלyj?-6w:C2g{i(Xa[.ːNKCW2GhޣK\x/McpkT2@zNqઠՋorbT\Z`rjt_t&/;쐟 >
5]\利Q_9zWr,sJisͤ)J#{,N(#^LCfoC*:|[10<^[ĞѧiXYߗAe)'͉?dc:3-[[.*|.>»Xg\IJJ[_)^*Xm
E6Bʙ'w|j-KB~33a_ePgrRHҝ{HTS1t@wge*j]i\_ivWs\|LN[qPCPa@W)r.rKm2wXXLzEA6}jx~$UUN!=ڪ֦:Wc89kҲNS?Nxx텾-/`^AM@'1
ma!*>iX#@_|dn9p`-
Fඤ7øys<}זQI-
zJQmۭq"[_F(uQYHõ
qA۷ny~WHvIh]{dF	e2PXqv?%V{
f~h|yܕDJrОSI7gu.k9@ֹSW@P]-qURZE/tvjxRj">4	jqi>0ENG=2/{s(WU_Vډ}|T2Nޭ,<}d"5t{n=3g6y#Z9#׽['1Ucdf,	%ugTpr-bՔ$zD=;{c|ɿjk
4SzLQ&S!n9o̙nL9Qfď4(OG=u)URU-QeLR(SG+3y~L₤|"	cfQ]<K.YY%G&	Nb2]"qoZ*RelQ8w}ӷ?[@#ؕ͊˵ur8fLi].ӈg.U,F	ks{Կl	T
faۏ2¥m_U}@5f:YNv뺔PAe9Ktew=lCV6WlZˌ/{@`g8W\~nr䫵J~WɯjPΫWJ~Wɯrj_UZ%N}p"
WL
IꦨJ]IN&V鯿s(|/rwxߜBK̤Qs0<ܧ%kf\m"qj^;hV7#+_^#U9#wc奯ԂmAޔ&i[bU2=x,@h|2X׎Fk5Xc&%I
JȬP)YS*?`Χ0f*SEǔQ[3v	gֹ#/>9Xk[?1 -ofNrJTQް?XmVS=5	Qkf4)pIu&rqa5)I$J.ؽ%t)/,+gVtRmto@ŜKg/8$>-ʽ32D󖝁Y<4mbI·u~F-Q=ãBK}f4EaR"]WkhQ3!IVa^EkkB`9){n߉2A5k9ɶa$î\>MP"`dž^{290(}k7?kp̴P lX%"Mg.<߾ywY>ov?Z݆G~Piv􇪚'!6
Fi4Q*3fjE
hRՊZYjVۦ`ݧVcS|}[ja1޽m{x/7v[u[?V
\Tvd9<ۿؐ/뾽}df-8k&oóivm-KedEul'5@ޗ4դ9]D%~}0<:~-}C9'{*\I%СiЅ\;?MuV|khj|c)Gqx:/CF>kaŸYOLn'C^I<^A:E>a9>7c?kX66@YO{FjGK/NؓGlr<>êW-affr[`aMSi:{29n&U.~eGۭ)v}NMukvynxcH]|zֶw~xtliν;nfDsniתqvj$j5b	h{{ _-|dV:^ZW>z*hFA5ZNW\t=XnhoCHh(^>OV C8[EIM'"xgTU۪Qզ(Nhg+ӅKg]z5(=nEi24
JڃvKM2R.]pkMizTb+E`qrs(Zֱ&^Ƙwf͟XEUmcVũĺ&eyObu(ֆ8_˳UKW̨v{qs=VE$f.^.눃/859z>\8+8u0.=s;P8[,.d,g4򧆰]m.!?Хُm!(164C,Ǒ|)A8bXMCfDaպ	'Ձ\KJNtH%'W3
#8QP/Vj\[=_#92։zAa'!VC=?1_*3Aag|zj+ڥzڋ3.33U;֧WǵOV}Y|plIkЁpHؗpzژ)9Fs c7ekҶԻϯ/R
Qϵ7YJbwʎB2SŤhd1q,I쬙u2̻3@ŝ%?M_1
	|rl0?/JQ{Qwɬwy̸i#MrNyA5 vY
7Q)lQHC:lVw8֮tGJeiLi|JUi=<]ɯixvY|
xwsT㝵Y٧K xU'J6ιB]2җMHdtSRrRI)uadKCȧi{:n='t#:L~8ӡs
61=\&q:_>Xwu+0,gA{F+`wO>BEo[C"K@
lN%!Q0i\=dn嚗&	t+:fL]Ll-F1k^D	}zϝ!O֤'Qpll
LF瘵_[KkY\eq~k̀Ϸ;HMpA/0|_D+{+m	g
rACp4,8i;!:KBvaؗԍeeAM߷dPr7}f]SIT'uDR2H˥to
>b_^~eC\A{*孠-48_ѲiC^`<9EmZ/g&A;WC6'-*QwCdFsKَre/`i9G9HbrBoO*Qڋ-Fy./Q,l݌ԔI7
!
Ζp6o	2}i^s}k
&Fb>r6O3Ϧͯd'Ox6iY֍&蛪na'B|Y̞{4wi{Q8#.7sxھ=pkd9cT߯~mkgAW)b_I!)Ɵ𰖡{pVUWMu(7amUҕB1)LttW\Ojn|͝lbH/;rJr ;Q+1uɁL6Oq{d>uQaf,19ph:K:l2EIOHTPR+{?񰝎;GО-A/{^PuWqi%{ڤW1?'8bk1%z\ۗOcɇYOx&*Q4(Jb:PS#κJZs뷁m`~k`7hMŗ@I`bֈhe#z%%`(y7QFP`HOG:\u4חfDtc//Iq+a
PM#Ƥk#ހH&=qjhgQdbZƜ#@%X@|S-v7#NS/ޔlKrh#NNcF9\Z88YJ[J|uxYqWۭ!*3O<;pOd
ͯpWm"H.W@$]z%Єn%=t[V|gݖ<>4iChӸM&BzB@4b VdE
|9MO"|O-_m;_҆~#%^TiK/'P hq&+XM:u$-eOf?Hj%TCa-|NF8ԩGi	c/Qn7c!;

 1
xwA%C;ꭉ9=3;V21D1:
F`M=7I(7?{7jY춮nk݈e}g	JoE)N]ܰ3Z3u"AU^gUYk3o+H֘|̩]8vXU5Ckb*Fun#_3wJk 
g,ȼm13T5u ̲	ַ&;#J!#U.4;ӛ?G2`a3>pd4DL}P߇/Jx!V;wk/l2/
42J-M'9ly]rb~dY]GntdwD:te2 ޤ@IAmQC,4_(_|=섶@źan1,N߈p7G@t})'vV_AޱG@ٖydDegRءm|dFs^nuɟV:`~(~ZXqM_LѢU(X+^EqY9
3mXG&^PF3+hQހᨅ8I1pMҕY7?70"T=cQ?w#0F皱aT:46DΈ m2"LzIh7yn0`Kka;4yFȇW8`O_N{YAI/Jk{bfwӻ}UX@"`&0ݮh[U! -ihY7d%nޒf5[e&)j0}&L)K^p0`%7pzoI=6CV>$ΰ9U9O]P
`0L[aSx
R\]qiЊGi	+%D1Q@#+ƨ=XšS0+̒c%WT/Am3]_vt-l\T<\ovO:V~-*ŀoV},vxoRw@/6|%Na&(X,`.
DrstǢYbߛBάwHL֨Zu6x]&td^|`:1P志ާizwblR.~!wHsm-Vb%Y9	,Ztw*\LBn^6`3^fGY̖6mHVH6ևN^&E+礕[-_o;NNHem+m+ˠ~g
G%ѪkfT(S_:ؼ=#͞ݽzcWBo_o@z(`o,)ܛ	w_5-yOqsVbG0MXMlvYcXD͢JN3nݩ7rP29צeҝ?m^;0S4C$λެ:nD/)yX¡}lY+XP"Xa,VJ_Q4U(Qj)	ݽo{o6rf~s=򚊌]	~j<$Bq\%i5Uit"ꤼ(#1R?r"k\y&c0HNgQu;@`GgẢlK2'Gynd_~j=
y/0=L/{izvn݄|UﭭՇ_AV
;{k"&btb	H:"s1Rٗ ܧbuŖm׵y1Q@,a.>P#	1w=~EJ&mˀ罃>P{~bk$V!?ooE`Pϩq+^O1Q(&N|Z1m5=M$M *ߖr[880]\"9X:X3Vտ93ge_	'oIf"T-45jΖE-5>7O/X/cEois7QA=Vmb=}a*m6u^n`Ǡa˾هx]l0dY>loa`r}?r(٪⃚q)`ؠ&2e64]	n!+l<1ybpb+1elXND0Mz֭2}dTM	gm8gh4'$S[ZZEⰤt7
95iL9;q^{vr	r5{QĒ^gW2qGŒG@mQĪk
	]5kYhDDDmqvK+5xfZ\J,ᎹK|ml*&4QxחWǵq9d62?_Mѷkvh[Z֑$`zcWQD]O*K38
CjkG {Zk3?]ecp_RX6(zo!4˄efǵJ>'it	$Sq|΁8V Zg}8~vʮgVA
}/flɟu"3'/wOru'3h_߾vö|?x`oi|KjdQ
Gǜ¸1v9*|D?.O }C2?kV߳1)j>$3A4;.[,@Ďvvx*]!jLN:Ip-^PI:㸲1؁kD8ëvEWYnA)r4G6:${gC]!<17
	9{xm2pKOp,.0Zk|z$M=Ft_3|`ƲTHM8>(Nw4ݏi]nAOڏXҁjydF̹[Z'	`f>a~d贼	&(f%f!Ǡ3a%Х1t)nr?Ek!8ZCRnT\xMo8w߿F&3Od2zD~Dz*8kMT.iƲyJFy	S^6*>}dbSIi}%%M}'9S(Y[!(xoOݿ+H:U|jtBdNґpܼam}.(.`dҜްEIyey%9{ZJA:ze ѣ#tEn4O/+o!O.GG]0,QUiC/u档`VKms47kuY=Rav*RS#hrݟX=8XO99%k76M2Cdwr:tnN끑9	-&)\,L{״{7,~>hFa
|c.;'+0$!I$bgO$tDVLi(_N݋T]DB~m`q,~]k$]$bk):i:i=P%M{F]nkyKi!{Шhlkw_{	rƑعU%OWY-DfZZTP)-hős@|Xr[VSbBѣ|y9)|E
heZ-ݡ8(CfwxR>J0F\^PEdRizQ
695˪i>UeNɬZ
h4Y!/	!s-%DJ.BU$%%ڬ|pg)v%avYc
Z`}U3
?BAֿ*[C±CX7/.PLY{RtD@$lP4hXIe8EMfFɼbh_]<3"2!,hjT-մZV
"Zͫix+&G;Ti
DP7RiCˠf{'6+*t(]S^7y|JIʦEy,X4(
}(4`'iHõh"2NW+0҄Bs)41gт4MR(fDm)Akb-36FA
F&jagE@y2x2j
Lɡ`̚6GDzv
kP_HMi
S,IBSOu] Y&ό.tRoh0vZ;!/ZpńNXĄ:YX+N9=D&iJpw{
Zpc׭ծvj]Lo Au{QhO]w݅fYguwaU6IIul&H´7;{]oDɚס`3tc/_/*͇.6:wXGt&fHĭh`'VcEw#vP@$xo!3\i=ΕDWv읲sdnKΕcffD[iSe*oJ>uc6m
P
%?;j"yHfuHtHŠe6A,4'{v%jάW6R]Zs4-Y:8iznN+(	i]B>@LbT[IryJmf@meux*-;4bPH0:;]ä`;Gp+&[]Vz7/ԯV/mK:ؗsM,&0%ϽܞįmGOf`G$뽷&""K+SYFt7&t]ͦT5=Y9롧Uy	.
9°$y>"b0NXnad"EVPJ#)ƞ\ⵝԑld%N<&L+4|isdD,eϏO	)k	%ጔ؟2ɖ1>8YxsɥsH&77W_|.Ӛ
-^l;la_G1ss!!?\J1uµR Ѡ"Όs{\~U
s9'au鍌g\ĄbYczHr6P8;[3?/kYXxv]L*.Kfs'Hץ\\RVL<\>w^kbպԴέs%NΥ经SwJ}Rv\NkA(GQQMWk-h{^[Å{v'Wvepoؕڅj~q$7+~B8z7|ai	EhG}&R9ƈkG,eҹeӄƲKjPk:X#\aF BNюT#]7(/_ai4<>%&IzM4JudX4AYpbAx)! N7Bݯ„69%]&OS	n9}@%D'PMt$Wzp~ |{(p3!_=ɹ|IP0ҟj^댘?.ٍk,EgͫZ`(#S!d2r":ߔ>~sb41m";v!ҹc^3S+v0w^+]7MFUmp
28&\-/Hp|>ăOB}Xfq_U%Nv?jUƢK_{;XGua1AO3KDDѠ j]Dp	;|kՏ#Xcw#TóM6t^B?p/39=:9_S+9A5PQq4cwK7A0.sU.aw=?t[G}jGm~jD})n"x"NJE6xKpUR)z37b`|:h	0U0-_ `V4BHk/Y0x%{<1=_xwXhyj\{lZ'o;48پP,/hB&_"zO{=%Z5;>Xr)AիJܾ5!x6O8J*_*=TDLy+!j~6Q\y+3T=QO1e<	55'$.'͡HO kH}19WPbweT&==Ȕ	U%?/m~ݔUhj#mP̈Cc#4ӄBM9jMYAjͬ롦Fj顦fB9A,@dڅH]-a7KniK?BQ$$"hUkуr?kbWSy6z6
4Pf=F>2T(<2i9O>|WUuH 8^x]ȡ5B{?oRP͊L8Ts:*g':\\uxXv1T?8͸Z.bo/{!|X~$6>T3+3$Wn;2`#ٮ?t$'cbE1Ag'	j>Ѿ0͙*;f1
-^B]/wfŚ^ճ}llgxx+) ^L|0'IڣW۩[DЙ:o}k`3SQk+ԃk_YE(K/~
|Ϩl3{Df Yg  0CY܇xޯ(
B%e	aXRl9/	HŎ,pK^O\/-RW_ux*M=(ns|[d4\ȨaXzrWE(N?E>YQ.M|.!4hL
N@n4-*J=i	VgeU&e0YXW0]W}O#-q`Ӣ}$٫lY޷Qb=^ӏ#>f*Tkhnz UIbSi}E+n"(1'oH7xhyDz!'0oh>Y
X.>(	eQuQhi[l⊔HHPW@˾;F_Pܷv4s34[HUCѡ-B
^
YeUtoz<rۺF&ͦp(RA':U0tKJˮ-nۊ
ڐ!C^
gcVC6fF@K]eUR0%Hc(H]@rgH꾅εCk;tuYm>˱dPPZv,BlZR7#ưlTP;MQ
2';ߌ&ڌfZ8}
3Hb$0s
hL?Uj\:~іEb^g#o6C)~Y*ƽz랂~uc>䌒cM
-
%PO`kux1lGD.$؄.|dgX"~(\v"c_051Z&f0,_Q.?h௙eX"PL4r,QfeޕoJ9c'A.(NUԛ
1DiWwF2/Ȧ.q]NQ?|s0A% QK!sRC#a6Ek\UTNm.]
eQ0Gc`TפHVb֛;A
Y\LH	e1Vho`0-l$β1w,j`26
r6+Um?v`0UuV
Ǣ,[*۶.{%<$#f42Jjs"۳䛖ɏ.;f^sXAfզ#*94	WIɅ盶a]C94/2訆^cN<2=X6CUֶ]|?RfZ*`
(H	s4#HVphay{XX2#&hn7KڀAʼJ]liDll`!Fʚ(݈.]F
C;r䣐E@Si{*?Nq,`kp2FUuWٰ.`hG6lm򮇞n|mK1:Giz`r)g0dT,v]=\9BHs%f&ʶrہi}B&L$pi0V:9^栥E>6@QB=X6|3B pd-pYdsLSalgڑN=&æ(Ū`z(b.8+}
s̪h!
+Hnڀ24n<``%ȜKp++Ҏ
ZB$VVpi
XjjYNYDSV=t^&s0iqHΐ
0oۺ;39NOi	NlK`|}N	n=	᪒YF)خpm@O`A>,X[ID	
v[tZo)TS1lzp:
thm6-f+=2S9:kWH\y]Kh,ǒ|,1#D3
>UÐx=8eKbd5HF7>oM_wmW]u=l;jFX^j)UVzNX2'#ø),-XHU]++lndti )6xpxjHsѮ3"eCM޴lea35drpVf|cm7IBL+RGOp˾l>%L̇Pʊ~jil%1GY>zt7U+(o
0asFˏUb>x2%8ECE#L`l2]V`Wozus.amJ<Q[úfom76EK2]_qϡRu9–0)z,BE)X3F5JD2CKؗn{792v}5,`1ٴokԁ.(ǗJ_%:Nؕ9t8CFdA0vv/1W0\e::ؼ50*PwS2GRP*ظvyUeXWQ`{Yİ܀cI	+D
+:V8:-0ymQaR&+?:5xx=Ҷ{o`߈m³;#J,30؃2QBCWT:eH	ih[#{=[W%
Xy{!8;Uw1c)K4fgV|hLQ(&VX	` XqyHyFlb9mRƊފs+ݐQRU}\}/Gsưȷt(Ǽ5/Lf<9vcذ#EQ[$zG5ڀNXaqyɦ`_Vyh&i9Gl)F098p6zCZ%cP߶wU.G :FC)pS6#sR!vsGѱe"6($-SC`{0d%ͺvlKvatVz:ʞt#n-|ClSC{-A~r9*`l*E	E9h
[
6s
>H0.)pAJ礱a>

c=>v"ϞΒ})
v9i^VoHOKTVI:Kud0%li^mZj5^	*%|M
+]詀
9)rSpU5{)[Y&rJـc
6y?_m)\XdUaX@#?ol	[~ص6T-5%m`ւc(eoov׀Ysʟìz-b6757C)k9~v.;^sTm8_e×an\ToK0l7\.#gk
saI;Z]"eUU]?tV:aذ;ڀoUVm-xz[ݘuv
>M
mg}W=zhjOH^l9;$߶_s>l|3T-T٦pqoSib5l]N
gU+pm2^@"ˆrcMh޵A}~qV=?0dwaauvjJgu+la**{PyW%@K>׿8w8'-62"2J
,oMx׀5dVz״bg$-
)ݦfB
`-{U&Gرw]		Zq?r786
&C`a|qWnK#֏H+b@{޸w5p~5K6aX,q,ٕb>W*ۺ݀A@sah@P[2Z?u㖚R]V 8vdw+v:vEXq[v]Qmvx(hMa/7%KJJm(,Ru9KJP%߇rA>6۰(x3`CR,Ko*c&U&,PKRmvD,Ӑ1-#w,عa#9bmzX>
)]}2g8oQYmru]繼7Y-(ml3#F߲ZZf~Z{-L/,Kka+oi['9@HבdyEʡe1]BC-%nfM_c1`ҎK$|8緼Osr\j,Q`I
(`9K*[·dW2͔7M+ǵEQHD33
[̓d["X`5(-]<~,KHf d;@'_^r!#Z瘳O-wwh7XzC_[Wz:bM0_>?eoO|i"kQO@4r7%d霑
lN-Oĭ|Qsx־>1h-+-}x:83DߑͪN?yMꭃ9IE쒵P.CUgB>pgc8=kZрgڵ·>K쒢4W-WX_t =zxK7nZd-y+u>k]x-[گ$C-kͼ<5w[\H%.X|"zxw+Fx [|X{΢#+.z6Eu1ξ<ۑ{l6Ht&s]M 1[|i\Ѭ@Hh&=Voi4Fe	]jNzJn
|.YR&.T~i GU̞,~<%L-0gyiZkOٷrf'~H魅YRj?X
ucҸv@ᭉUʖg)W|5Uo=Ýe8h(Y+y̑
cγޭ=d}9.]N~׻6xl?3{w:f֦\uo
54|ϾFѣ_.RywN_Wq0vtu#:YNZrk5!@6v*UfGم" sH!!<{--AJ^1e]kmef{]oK-C#6[cuJ96W=pz[/o	le\xټɧ~>C-׷rV7׆	65?}wЍ~kKl8'tm'
~SFfr7n
bT1C:b|%J{mU;SQ7 UX"!E,B`I,BUBt3| -$& K 5RHM 5RHM 5RHM 5&@j9XZD9 I$V#	>'$+A ,AI$-@I##|H>iC#@iP`+X
V(B	,M`iKX&kRaqP._C}0C}0z>`jW>}0C} >}0C}0C}0C}0i_C}0C}0C}0C}0iiC}0C}0SZ2>}0C}0C}0C}0C}`1>`胡>}A-+oN.J{Yy:~;Veef*}+o_;J˖XkS5o_yW޾}O}tyxȼ\YxV{YE.T>CcKvmUcզguObܽ6kܻ#ek9M,s9Qe8J3"f/udP#kqn1}zqWFّOhvw$^]B
i3m}B]BE&!b:!6BʒC|:#6ХOivfCۘzڀ&Й 7
=---Kpl+.KWbach>Nڇh]L.:~O똣Ÿ!v;*2 <~K3Vx^y6Gh[nƐ}X<*LuOc~ڇ3@Mk9iX|ΐ}m#rȤY,v^'A~xOiv´ǜG]=ZqS`	Οɕ܉oj3uI&`2kZLyzm+p+6w+:]TiluV춗^.{D|Y{/3;n^fYȕg6NtH.M`涛~b\G!ZңeyQ]ܶ>ҋ?NeO@դ{/r]v}`FbA'<'~lԇfF9TB}j4:٨aF
>MK[tY_h,D(
fxn!Go-ΘpU{>7*x9k>0#4"G소p]jAۑ,x_hoxJW6/l3:NWuLB*_=ޯ&ǎu60Egd
Яĵ*>JPvYvԇn~Ry}*٣L|2LM~q." >DY2+PҽOPdـ,@@/B|d93[JfPq9u̅y0\Y᪻L$PAP4bzI%7Wv)6z5fAוd
T7P@uK57P@}ø:d'j!:r^{_ZΪ
vhj]G_O'%ڪ8^Xmx=da|ݲbS95BD:}XũXiTrd%Zbؗ?طlu79ծUm$r4HFuyգg=2Cu]p\C=u;=en~\9݌l*cAVƅ\όo~c¶:">|RfgW-o;|;Z{"Gs?@=wdQ9lyXe9v؀>ꧻ,j!lwB=y}e	?eO󖤪#!)S{Z=!Ovp);@BȦ}q$\u#[igOjg;[-oe^!_R1	U;򕂼a^
)-0-F翲[O\5ծ3eiV++^@BVZ>3_;;eэY0igSq|d8vqcPdUHmCkq究C~m~>5ZusH;Ѹ#zK1m>~t-eGY)i*WqAIp+ԙ{Hv.	[?X{llP:ywa3k[?t Ր4|kN|d=-w)-wo0>^kռE¯GJ
p>R+|k4rN碂g]XSk-8r;`aJR`.mȯ6dwj]#Z= hF,r;5
@ܓխYm̫pBl歗
F-v'4mx4S7~'!xD
^zrsBi6ͿmU4>meXg\6\:kI^F,II{8gOWͯj:9&]
,)ȥ
5zWOg>OY?;Qz7򭢟xI]ûJz?<~(v{:}iIm/kLM^JVR񫷘?W){C;0Wx:EۆBGY&<|G=zmb4HJroS7M:WCQ7\\gک].-h'.&!	`2o؝%W)7\MVS[yDw[!2ӿsvvRjwd\i6sgsfZOv9ۤtAntGTu[gQ\0cVG!e%X|#ߑW+(zuj/OVX2,M
ɮ1Dhb.\s}pATJ駳73RMfR")>cf	ˣE+4%o)PhN?+@ghv+ώnvRzQ@jp0*ѝ/m˳DYp$c5#猈`uݶ׬C> D
msYihwl2ȡKS#n5OUy@@K)y1j!QWPiU~|Ƚti)bH^^Gf7,@YpNhcEڱiG[8[/|Y	.9b٬sWZ/޳-H.XZ1%p7{ּ⎀+%t#
bA=V;;ϻIf"y qt5˰Kӷc̮g̗W:s
P.=w_9~c--̂U2vyE~(`@JpE%@dc?EfCgMHOޑ>*Or~H7i1>cʘӁ,:eH9oO@UxN[ɚ*@HfB5dW$cụ
WVLrAߍ]yU5AN'c:	a{d-&mE>̓*F:k,U7RZo
=#̑HHPh=꺴||.C0&`3*X'!Ys1kbeHN1[.v챳T11f۸V~;:S W2_[i;OՀ~P|/P-#"!!Ͷ2K6m0rOس7XVRRsDŽ^Gf{曆u=ëDGgqʜy`608YA
kxnj֠=n޹:mkz(A`ȁт#ژzΎiwXJb\q.ͪ!L9Nc|VGL,+̤U2[o_[
1s)UXȲtDׇxo%{Su H&koppvmȋw'j YtyL^Ͻ\VfwꈮʴV60d%?2G%Uך,^ŃSdu\deղxǁRB4݊#^-`3st+xRk
:C;/b2Eߤ}v:T0/SC;|i_h*U/4XhzEèbTèY1V0ڿI<ʩs:-/{Ҷ/9!f|aDnjf0aDxOBN­V;܋r/՞y	qI40;|7rFS
*V!l[u \q}Ї}X@=s|HĀD^H+
Vʨ
P茳ǀtv1K]$4|u8?!ӐQ/}$prL2@6|)1]RM*FA~fkFeO!M:q^wL/Ll`[`l8*R>8{kl[ǑF
ZO/]%U{<ʰuսmǯT.>d޶eeurGB7g[R_vX|,Hko 8:.˞-Kaix=m@Ê&&e^yK?.4ٻzr-'j!l=!~OƷ o+f;Ye-FWYl'ҷk/_흵r`˳@G'&A |49Sg[KViQvH,]{In~9*^\UmV6
t֣No~v2wP
([߹
`WF^OK(/whWzV2ao~QX!._u2oyپ\-o	KQukTuru)rKLΖMةw
:_Q[ՁEój=朽ҋ{("prCty>QmGcVGܑ\;UޮBAV1gK[yxi׈{Ӈ۟^Wv*Zdߺә]i!	
BPS8dvj5/[vTl[Io2.fηיZZch1rnVRLȴ)fh+nWm{vs'pns"Oh)?`=.WcU 4nȮ"0TרxUe	}Ϳeݣ f>cYn$Q)1[mZfד/>G5d"Zq"c쳠RF=U06VU~g=Ǯ3qvnin0
6z
2GP\g禅"AXc~	?OO>{fa6"1M]F*BuOUPaL.j7W̠YU]1u>4.e6i1;??bDG^f贺vA3{|f֤۬kMQu~..ɿߍG0&GKgM@󀝏	YT*nw4,2ưA1uSN0eQyiJ_y/~øn;y3[bcY!%m#d܇JIF#|.wTf)@
3$R]!#U j6˛bO>cv˯3§[MpgX:!YZE
C,Yjԝ/;SV_YL0#O:iM3m66OE͚u9Sy3mBfF7=	L=fb`1Px7ʗ?#gZ6ڰjTؼڰ
KkF4KXN`n3{Θu7ʒ,	G(k(g#\,	;Ψ19{!QW;ȕ/P)iТ
?s8ڰr
ܔ64SH%);m`Z:[H_u_
̌D~`a A`8Vs@d_f1D
	z$M]dBDB/ޑ;{Gr")㏠lTy@RUbBR2yB?:]6)/Z†frQ_(yXnH'>q$dtiL
b>ȲZȴ C꤫K̓{59YʗtX.9tYi0ij džWMO
*+1P}"l.HY['?]:r4Y9zo4gܖz[g[6ogOXcu~`ת'?weQȊ]]V5:m_~j)kcz6
@xʟZX. UZs;V>$>1^yN?G	b.!y~YgI󧑲Ҝ={^2kQ,A 9̶L;;fipQ
3S]gV	K$;/up|7M&h Z9<?|!/V	UajX]GϋgIZ\Mu\Y߼‡^X^Ԭly`gqZ?	y_5	tT1nKD/nv]=Hi
ag>SU.vgٮpHSK}~La:Aڠzz%*Q5c[CYH$^lgϸZiXݎ-/i7~BH(e#*Qb1ڲ/}&d)ΛZ;kdk	=qJZ}p99Xeҗl7Xr?0::Cadp	.:
M
(mnl%u! yFQkp+-ԃ
@
;_qla-q@tAm3sDQܡ󑵔[cTh"6&e~Z#.e%T|]ro O}g}]=V+|PױV֘t2gR{>; [<^k `%(}r>B;(Zֶ28$UAc
R9WC^@Y5-$g片:]`EϨuRN4y<_xIboeӡ)߇o`",7|:˅ ,Ȃ|97FFZ$ah3y"ymn`繕_,Sr@}eJO^U)CCYJD(\3[03gkwٹw|B1O6}~Zk\ќTHY?G'OlOϒضgmKJNݼ>ԜD`zTa6~'.?.E͂"ur3
~|={;ڷF5Ǝr<0N"[iHQc,=u4
immybK`ssN='Z
Y^5{(R|دWI,lkVekDW"'o/ٚ}%+˦5>X_챽2cYo뵞yT'/d2dQ,Kgm/ړSeY=
G7#6=bWUH4YVq͖/ոZB/'Λn%;>~`%~m|bUa0dzoZSyyME-
߶UdS_щlV	Qb},gD~Q_Mf{~vxkزJ0?fǏ*OoH`+o5%HXJ"	9^)S"6@0HZwA|+ORb)=HFr7X>Klg*sdy}D+KEAךhm)_XMOêiXվ˒ZC[s:{VBt%&A4"xqP&Nox|ԛesnd~AWΛR[g+Hzl3*0	쾄gY(H"XM ]'\j.kPݬt'z7FӑM;$jfݧ"fԫg!yO((Sq,rO]D&"e"(kFAdٔ6՜NVAhјY^uDUTkAf6iׂh|no_L ;?w3Gd	;=~pec>/OX4#wK3e=s%B,|Xx]-6ՃO<⋫
9,F[ަn}7.B|ru*3;pօty슼6Z#]_,HWRKCZ0Мd-ZFaeR0<`W)ٵ䳷yF0%Z=jl'Uu-Lk1Zق2ǚƎ.0"U^)Y9Y^]w$r}[o퍹SIv=PluXGm8WKM"1b~%*C{celݚ͉4@Y t]q9Aۛi*-0Ej,^j ӞcHYRxW^>^	ԹtO-`*{~:H"
ϩ"(iy}auUIݨ9@0	!̇*F/,$Qu@zei1}}~Kͪ0f0}-DbI/rڂi-ENq{Auش'kR{
pfҟ:O(Hޤ3CoÛ%K'CO(}nHQXȭ=m>R6(c-y}i	,=K?"B]Ri nZtu4oWEWۨJhFl}m
r}[w:yeB:oJ
ϘU&ت Zil͆]zXOkXyGst-SzNzgϷemBhEmE}iEѼ-˿;-D=;uՑnaťKׂߏ~-i|s	[<3j\}۪V>zy-~mb[9>YOh.tY?&Nﹹ(
b,mphe	\FBx8x-
6#
(F+Yn74,ު|9»7PW^^Ԭs(ʵ)-\,6_b7-9&.Z9fGz-I{!\@ɲ,H֛xo]WSN'ZrX)o[ud7ժD\yE6'"^
cSga6G>Z-oxb7σl[lUVsxVm8حŪWmrً?7EsRzx]	1(.y)eE(mm>Ga殧̑d[$!ݳ-oװs*Ess]Rc?DnQ~B򝴎ʫٳ4z Jse'$@Y)vڠ33B]z|<[عoy_6)푽*3h\̛NYyE~&!Sw:rv̜
^޶[ԧidSik^oX6G?*9;MTKiKy;rW?lm
5
N@LVJ{ojhkKe+k
l~;.>Bp	Ftn]|<?Y 8,L;>:]MZo]|pbpRHfHs*NorYnv'>efqII\'"'/7ح="xβ%[(s9Pĭ;׳߆?A}%<
8uH|]ۿ4"n@Q[p3$>{SRn/ۧPħvfWηUV;X<)

K^ޢo~Дgcnƒ$>y͚yuVQwWqӳv?

[vkio,l[M7`Geq	79utw抵lۊq5?Wݧ(~lp;>th£[^o٨gfՏ6Gz:M{qkiOݧI|fsdceds
UxO̹k>>[>s&2?2uܤ7hdv7VgUfbBׁݎ{CMj[^ʲ@6YuQ.Uc	"ǼYcg6o j5YAy
d[
o9II2j=XpB5ש
KV(gSsWVx>_Iҋ-X{ҕ]&2qku\Au{J;wKv_Z}Q+4sG†
6c]ەPW:lNC>T
Xٛp-otC~y8[۽ŸjAz-`g[鿈{T+ճn'Yg'ݷlic'/юG}}UQ`K}HƇw_l!Xc2vyS=\Inkխ!Kw6ymEXCvWZe2LCPY&d_0riMQU
jt/n3r
e&eSm4m1R!;{$֚Pnrn|ɾBMvv^2vgm*/V.68&!ث1OXmgƷqvя%e,}#-A82 ci!+}S[lqROXzXm
2G/crۧ˚5?}svjl
).6xaـ?
5YWyLۀڙ³}ML6$DOzvIҥw2^
$׷I&9u1tʋP@I|_.Al@ν笍ZCoAqvс-4Ď&
qR
6c֒8~3X*pJgM7k1868<X8^J;l|mvQ8ڛ\>27f6vRP3;INXdnBQ F.[̱u#e_ߒ%Hҥyge]{&RX αQGhğRuqeCl[k:L]%ѭ{hݑMj<"><()Ys,kG3֔ϭ.-m
.Ȧc,w)ޚ qf?fEAWo@UHiz,	ъ`9ţ	a)sհ17Q
ƭXk:
MឪʾE$num/$I%sluȷ,[_6xnە/aCtMvLOzk_t/5ܪWwl&E,ۣ7VRۛNuYXZn޾5=,v{EdH\.UW7T#WY^-
Q3-WQH-*i^mVl;(2u*7COp~9rng/mujAmׂ
nc
ɭ(u*4wb.
~
L *@enWq9l/$ԇ'UGF1r rFjdo
wk{\b+DhC1Q$1衻vtwi׽Tf%rI[ ;Xף󟳶eB)cW6 Glb-v[`+Q_bi4D):2}4'b[Y}5s(ejku,h݌Z)dNZ*3+IDdb	|׍mEdpo]v}褿NnMtOS,d44iNtSf}`m,!cB:릘bPt@( Tf[$_[Ou&|,N[M]g}:yȊYiJw,ΰ"}<BDՙu-ֶ#CDo!ewX[7d? ~yXRVꬺ@]kYG\m
RgTȼLyl.>zuzDE;|ؘM*!$SPdmrPsGd!
37<skO<"i3o1ְQd[T]Ԃ	r2("3,ls<o{LslLU7tq#78PhnpUCCV_%&&Z.ao-u7'!{xTOZܛX8V1vdw0|lB*
F{Wu>—D~A[fP聜B:QF:хAtۦ?){qWюT*Z4BKm@s>K<3_VE}=/Gg_XbN݀l>"_┚cQy%6E }üf*2C]`bÔ},׳)bGD2#]:#"8ӳEs-%'vYr,C=iGw[â50
ʶjgq4
?-QEUH7`к0zC{wz5Fv6@k6E+rM	3{@&6aV'@	Qe,qfmy>?jDѵ	*3lo{,f{NA``65ΝWν<ϮXi֭;qiٽ/Ukiaw$֦ QBS+cspsG($%I
M(*tZ}Q,qzS|
Xױw-C'a;`U':2pn&7aK(jy{^BbZ
-ctluSom,˜(uti؋Ή5mSkdnh͘>x$l/
-B{:t#Bi䪜"ʾśgA߫?Z&vT(%2
IS":5q뚤s CZ)Ƹυ:sqcKF4}*_aGn0ێ\!(DjTyr
5{Oj
±CԪ=	Wi|oxZa1RNM*e=Ԉ65Bfʲ>GSAc>l-b~u e[d-|X(f=rtXP뇿x`Xep^L./kD޹Iࡹ6-j$
E`[p67eep`7j3*;L2#Fx{%O$@TaEr,wnƟPxX~tɬE=
yّ;1
%tZ#r!CIتI.|K|LW\c^[XxEBrYsk6r`}]4ruRXB-$9[Ͷ"=oA.BPZ+R5_|$ y=pn_Es?NH6)+yH ºɊ>RT ٵYRxņ6"ٶ#!4׫C:~~UGlfpyHR
"@^mhnG2}s7oog媹
pꝬL7gY^,**.H,oc~[0WQ~fF[x$Wx81dȂ5b*ncƙYsS^r89H|J[Rp=g6zLvyϑ+f^`X4jm48ڑ
;{jd}Xòk\D1{GbksQ{KF$>7~~CUyG:
`c}cxKzpzl<{|~ؠf#{Qyoc2p@xj讔#FGobid49GЂry[EYd4ruBoG-bnyB ϼ`$upfx)o2^f 5*ړ0`|e?mULΥElAy4Œux
~(z:"oS9qK#oܟDW4x/GmMTtoCI!Oޮx2D|[|gym~hL!4EkaSn#ÊHwLB1&WܻL.aζn/Tr#)"-k["fsɊ3Y') ,SвZ/G{y~;rGM-24[.Hn"WKWbՊ{_;dDE	u6*m#_)}Q-VP5»f3^ųAzՐFU
EfM&iÑg"/w7n_/׳CpDX?e+|evr=RͰrjMP+ߋ6k2מZ77ےF=b?n,)H#`L|/Z'G'EH2u"Gy¶^loύ{1XXKc^%@^۩
rE_m\ϫQd>󇔢Ly_joFn~Ͻaz]/Rzeo)y*}qC`l,^VcLW^=~(3Xn!ڗ@EXVw@P4
3!ENAu[{ڃ!~M*XA1[.o(IC|r|asXH˃ZDbyep!Wk-4Qm敦[5Ͼ9#3B'Nͺq,YҞU06{8j+m䊤7]7y
YZjCsxR`71p:G/aK]cT{6gM8z)*sNiUR `Zw}U!gx:Yg)Y^dX-/ޅ_]VW	q1{l!דu\S,"}OYJɍTzwmcPd;B}U	vSbw"Pw<қ_zBp}N+VkH!|
qE\[Rh|C\~I#]̵|"0mVGJEZJ+<`z$Yz`|ĸyB.kfH]32*hOf(;0AqV:ߕemXĴw 5jrCֈV07[闄Kl׊yߥW3R
$o&4B3y<bʐ"X( 9JE`_W1%M50
ܸD<ݼBjAsaflM,8z嵬uxն"9!j/>Ǩ{H${D*PK>%vӅ%bm*D
&T
BKeE~Fkki%ۻ3uf!Si=\/6j]+<nK*hH%q]MFQ7
TP+#?ReBC`v
BጃgpFsx((5s+C5FڬMut9"Emh̗WM;__ذNf_CGiu̽`*!Pn(e-JF2}S~n=g{!yԦZj	^T"pPFS#l"
鶲֒mނ0":rgۛq+)nJ[,^55n[Z14^q	@3z}YEJ;v[.[
Sр5>jHZv\
zl}ԫ(g;\=#~/0Ba+:mUv479.5=-cPƈ98{
lzݑ-qyhmr/@Gu[}T͍]g1#oBE[${4lkkWླྀr7{ԡXev:ך>KG߱ՎyAcf2ӊ+U`[yt	eaVDۀ2^#wtʦST`ćPDr-WT1+޷JK^#4Z{eMm58Ar3[/,օԬc-MZ&}{GcWDsd*^^C}ak?~}`Msjq/f3%tR[rdM[#YڈgxHzJFpEkGLcdĝ^P#k+
#,`2Ȓ)H1I
iԅ	fݖWj+޵>?B~GJlBǵSԣ]ш0jm/QYBzQǪ(,Rx)#\}!fpOB+f=%#Y
ɶ"lQPłyl,˄e4"#je6-^xۍ晊_uj	e9mCt3H#Ypd!ÑG2Y{&Fmd%uG*fd3e 4ug;"cm/=:X(&VL52c,3_zmG̢0ٜztYN}SPPaaёW$n(ߦz~!`<.gk-:pi|VlVlʫœFr[
gk˶gCj+C& &h:sAYXvՖbd%пO$k~gnK,0C[歉.grnEm`t[Ku7?܄e#p#jl5OZm}c
Rk)Mgݓv&BkRX)ԍ6pf)g[U#l?v){2'ѧ/\vud@"X>x^h]IvBM-;	\9ff`6HL,9=c/`6FSF
x975pӖgeL[h1-dQrdEri	m%\yN*6%yTnZRc)/n)m[1HDֹ%bo\\>5dg]vU9&sLMX[k
|g|Q2L_999999y3~[wo8EEWᘻЖل\AwVN6;F٭Z[P
mCi~hPбVd7[M}bN6g?v65o;f})ZW-*Rзs^̰oRUQ1;f1T\]9NtrōΆC*V,L]~3@6k	K`)C}9!;GhZ}3c=um$'BKkVBX[d+4]T!+nyyӝ_
1O`j_o-β[zYk<	T0ku,mˬ,S^R*T9ĔSB)&1eŔSVLY1-"ƜL1ESY`Uaն[QI}ձ  <9lsaYbl&MٮR7o0^
m01#-`Yn1f4
nksC"_}j|q\pGa,2ũ|\q	
|M)!c7!хXm..^
>V"U6`U+Kd/-88^	b%w{#|AA+!Ķ
eX2T/“\]0s1SV_5$a9I((.sRp+ps-$u#*4a0'S~L1's^P%LwdS$w;^% ~5AʜO jжVB?]Q9::u۠Qv uV`e\)ׁׁw5Ĉ"6cgB[jĔ:gξjuQbM6V0j&E,/P!7k8BڳO=Y2`]E$gb1sGb4䐾C!aׁq`[e&:΢ox~,\%L׶6^kk|n`qqq25RACC=<ُjRfv﮿HfiL[ĴELajSs8'G̟y&_O˖džm\*4L6{f6-kmwvJeNW8,,PL9Pư`j_}C
xv>B),XYg5U[E`oJZ|BXG0{K=
ի
'l{Bڅfr6͇	&xb&([Ϥfي]ۀ5	ߘ:8tt0w>jĄ6z
":xܮ?)'
=BU8N
-³ELPG"jFm0̷#9#<;#o:d>hK[V7Yط1CC9;+B8)IF%	YmYBv-[-;FxpႧU:&:fkm7.H_z]=dä`pb8tqFN]gG?.p3p5"=Ĕv`28q!.)댸o"U6Am<߈c8q_@[WkBi<c/uU5pUx=TrPɡEv!oeh
$oTKRC(PB8I]w6vb9	8ɖzz>Mc$RvZQlDu]f?>GoC}jҖ.ÐﶟB9!]ӡ _}Q}q(h;ҵKaUv1d)

'9Hi֬*R&m.胂E=HA_p	((<;F_h.:fE.c}m%4^YR`YeYAτTp=
f<{6,nEyE+0pyZMu>L
GǸRR^)eMq̧~):	-PYg'qpfXX,.g.*m5n򧤄ʁƁ@Cz#;.ݛESثh!$$sEp9Vmy]|
׏9N!kZ޶NȽ?f$$0=cֹjFt	(W>ִFF#<[kDꕁG_=W{D'^99/+̽G\pu>99xChcnY!JU'  ]t]
wu2j[Ft?~^90:0:0oZ[֕QiL4
u/,5)
^h5s:yQra]0J?gT6V^>w	6w|C^[8~aWuH0dyiSEVboxuuI#Z{Yϥ]t v v =!lsو@>fA,+}gV@,,ygWGxm2>8;8;8^=u-06Piaď!iWeee5z];1Ѧ-J%ǮoNxvc媆TNZsiAʴnzgk7=¨VL	m֬ Dƹ=kAӠ8X|X`deYoǢ'PUUTAk:"zv]]]ZmCU
6]|uu"">[Ѷ߾),'AAA׷K+7/p_})ZQ^OvZ׷we*+%?Mwu`VV"	$*R
]"\JŹNںeެGpj]]],@,98t[gEV7.lX,%Tgm…:[[ߊ-$.)b|NY)#Gu-&8ᨃo6uZv[-cۜ[
R8@6iݻLqcĵ)@<;;q1mCgIvt՝j+3XmhUw͚;?5Tۻ:A[aU[[!
PgfKEU]y.RD0dWpPuPuP*ID+Eq) GO\|}f|QKOgv7cucͤ͹uCKxEVh?p6~@
ddecǖ^l0}!4	-ڠ݆$`ڏ4iE2Za:2(\
|He*C\.Peq0|DGvJ~vƶJ(޽fXꨥF|`w`w`QYxm\5`#8;;.
J)dCs~h9`BPK?N
AAAOB"tjTU^gU\k[[SaMBiuu9Ei{*۸n!_i3


Ғ5Ps^0IU2"?v"R_w('g  ge;s+(^ض-|ي^kJsٹz1sTD@YkpA>9:  [Nŋi2l
a{t0Ⱦd76԰ulRgglEb69&s[/V;-/ddd}KHl
\}Wn90;0;0[``n{!H+-]sRK%O4(qñMK|C/]x0-M&tw$7|%z; ; ; Ui^!8yB>IR(Ҿi_@ mcO'ښƗBI>3DV]ݘsxkd8>['rӲ\
%O~I[y113l]4ƒƒŸ>7C(sivҾ182;,nn*asWjE.%;׃sxx{ݦ18(Eخʼ}lu kÐ}wTsJ;_x8;;6=gGYmQ
p4}f0
3yڦ5Fq~Mh]}&kJCw<PPPPt7N[	(AAA/4Աx0%	9(9   Wa4i0wEJFu_'fr<``WbTG	t00or7~1c5uu@0dLS,l͖;0)yJ@o\Dvitsi
3g~Ϝ!TG6}C_5L\'-vjӄd@߷C٨),'PvaElݨvzz{UھBZ6Si{
Tiי:J%$[h=*Ḵj'\F#yg6oﶗlxs+e;4k9kkZarx06oW5$!o乬JW_	"x$˖{Km5[W/>??z}WlЧP$hX9JAQUCm66]:Ppؿ69uk
@K/q>iBf_LϼP̉z&O=δ9/fȟHL47GUPơC2l#
WXh,ߎ$8qxmFB8|H@|jLv,p!CE!0%xEB{W*8r0a6$AVu5 F94rj]#(mYA5]CQ}Ƹh俐%KܓR[ W/ZeCo\!C(PnK$wtjV)ݫE)8?a*Une6!Vz7Gi$=)Ұqq
ʏ'eGȏ4]L}bZCE.QJ!ț8wv9|tᣟGW"@bzXy7Wý;R:tH'Ynwu38iwbnlRzjR:4=}fz*Y@YVMo԰&=;S/NJ©wagbF|<5##+b64&3(>du!|)Ӽ-*k!".e
Y:u0og,V*ػKllR/:uh-ֲPHy]Kd`Z1E鍶]w}**U@sۺ*V\Ϲp᮳xXsXYP[ٝ5mp$x:0#&굖bdYa`l;,vX'e1	K0F	ֱJwCe}f*a"Em Km[ZDjjEg59fnYrMk>;|l)1ӛh4kPvd-Wh9CjR
b\ˆ6;d߽Ob;vW!6>fxja]2F
|an_6L:9h
ܠ^-;)NREI99oj;o=@މ%$;٧YWf*-듟d.TJPRF%ݕoߧTl^Kx{l:[NZΓ8LIȗkx@HKYǢnN>vrj/ PJJR\_j\O)v83|g/gSۘwMrnCZK	4jU_$@.YVKBZ΋*A%/~	43EO"9'x~SV*R9|K͢\<;'?PUٌrR)TK+|rRd_c1ϝ[
Ca(iUG$gaEìucu^15cKekI[)F,tT.b&'.ۼr:yER@.b3rr٬i楛ҝu T
RmN-{?U>,#EMaGXl7tV/拫Mv<߾n\+pʭ^5T]مw+BXax-HQK4ܷxw~Y0f,.fmRvt.DVVsNX;KvCZۅrI>O(dgU.ƣjS=H(I5^^gusϹw3wU18gpjsmisӢw:g?q̹6`Dz=nڷFױ6wLE|+
a7ocw<%-i3-J[dq1q(gn[:ߓ3$q>ط]
_}ztӹ书\;Νl.]y5\S2-<
~	hԥ5<\r\.@P
9tx>{=J}Y2 O=D/U-@'n
O$-:fԍk;*
$ 	H'wo4_!9cy/qzݯU@PTU٫pŞ1iҚѪn_,?S9(瘢iP`Рkˁ	D@$_1gG9h3JYb$DŽHM$	ix4m՘4c%gݪ|atiF^}FJΥ!R&-9UR(JRpMFg}GJP
p$saXm3y)1MDyx*Fh5bLwҊfr&Z8BP ů6kݸ6j4eZl<]N6b@T(6j1?9ط2Ez/t^O x 6U¼w!A	YBi}ҼI*b(b5'A[döEkꮅuTE6
d@6au4d-EN2'#vhځvmrl
s'3}&\7?hvot@7
t@8􄦡((
(bQvLrx~D"9z +
 +MVBx˕r)Lڅ3tiAZe߷]fh/6J%k\*"D"HwM~"%&(UFtKorxa`!Xm)j͜gr=s
Oz?q[z^?aZvڸ3!aHU^lx#[s.I%"aH!aH[%ʭ6[YV˚n}89o	b!fbf16'/Qlݗ8+[.ņh(h\416Qr.U_WxMe^I[˼P+T2\evޞ1VX2*F)d
BTE9h41Iz)D,>_<]sJԥ1$zS_ZH҅t!]H.ZؼxW[:8Iؿ7v"]H҅t!]zRKwĮ}3>γTB.B#]=2'#K垉-ƹPѾ+VX(bX(?\VV-8rVº
_Zc$eUAksF7T)djܸl 8[(uI_;r紇e߆!DB!Dt|_rȓ8-R1c˧#Gr!Gяіs|ߺ[$j\Ykf`W
\m}aX:#j{K.#,.lm]~V"9M[AMYM8Xoo-f!	驝|g2>>'v>`̂Y0fj3Ytº.eMg0Xka-߽s\rW*-?qzx/K\p.sz^UdʸƑIFg.PB]us9.*C_w//⻟߸{`a009|(ΔBGF=z9sbXa8>E(h63{N=s=&da3w1liFbE&|t!3dVKXi!]Fa	T]9>d
2P(c눧A\YNcrB>Jcx&wٹ6\s/-Q+Goe2P)\0]}0yZ[唶 3d̐2m5TkʑALe|3x<4%lM@.*D_OHs\}skyRCjH
ehUfC.k<4 qXk`O.ꌳ[9T8j)f%x(
!6Ć⍣-:k^qclm
c{Sj1he`
!6Ćhs[9ލe^+f
60$}:h("+"bgEtuX
A9(=(W9k\n	1z1g与x(`g)M}.:t˷9e2=B%Mۚs^hp	ȅM^;l.mA{h=7&œڈ5-j:A>\2m:2OדUA>Tbo,/w靥S_U~=??6i6UTYkOCl
(
`dR7K6!@~!ˬ1`j?q
b- C鬜,AN"=5xE$I@~$Zs`oI:ڽ`˷.BRdQ-V+:
*څ8 8:q]7ohm(}a@!P+Ğ>}$ũsΣ"2L b&:sуQ^[v_Q¼`ez\
ŸAO*7
>ձXAiP9KÃM4D]*sIv=*wj#7
r 7zQrXln½~
9hZJI}빚!<ƒ <_r˜7V9N`]'~NA}P+C'"@P}P3DޫTw{"AH!AH_|=8MWE9!j_Ct A.A;>!t=:tgw6HHey%.5|6DQi"md	[F(OQ$lC!ǃ>Hro\R#9E?:t#1B#ޔ pژc˪1s0oW>ޯz{^5.H("H(w^:5F9sV-Q8Μ,!KܖG^JAT'OP"B&	iBo|Vܻ2lfw3(>O>Oc{"RsTm<7_B)D
BHWQ":M<&7I;DP*
BPڵQ#6(x/3#	:~qa>*B>^܇
BkOBσnꆺn?`ꬽTc_!qH!q)q2+qR5l=
mV5|vtC9tZdrK9E-:Kϓl!C;vFRDmA>x(xxUdQ3ˢGU_WQH!qHMUʺOz8B9tCйOٹ/Is(5_u:ۣ뗗W[C;1®>7Y_ml]wGP>CP[>-w!Ef6/AzoC>G#-5|8zk~4m}(k,G)H "H s%$n~イb[FF_XAtDAt' 9)WOxayg.A1DC1icfL4'mKt'2k1l(""("S4˅9zJ)!"vdYDEdY8bb&;Ӑ6xns 5H
R 5ߑ+*}d⫕Y*=<"uZ
zޠ7
z'L,N{mbV={֞]i :5b9+N"w/AyPAyYZKdc(ܡ|< ?EI*ޤU<+?t4
B 4
+94aK2z]L)B")ʔ.3!b63PVSs_6jFjEr6k>wJ{o_ksge6OᄎzTAx2~_
jZjj8k˖Ξ1!ԏv/zE\(ʅr\(+i}qɰI;WF/BWZsrYZӛ{y^QA04
CаkҰJFOd/keќÞ?̆!dB!dzSѸFlte&-J{5CP35C޹f+Nءm-RAխi{n;i iH!iH['C"k.\0*JF5t
]CеOѵckܾ"H^C9dC>_/{;rdmln!uHR!uHݧMQɬtɔiuMF~9 w?0zޡwz}m	JFۆ)w_V.繋!z٣w|YYUg媺v	uDP>CP|9=6CfÇ~ZK
.9Rا#;}=IȺXyPKD-QKrUqG9!_|\4S˧ZH&d"H&k'sa*,~(3g/KF&n&nf7NBΕo@u|biz;=x"'x"xΜգ&g	kT.gkφ((
(OaH#tY_n~wېL$D2L$N槛sWҙwXˌL~B9no̞tD?OD?S>!on#&|Oh!'|"'m\)3s1ELh2W>S4
ECP4
ECk#.)k4jU_)B")BCG	mh\Mim]1z
j)jm*Hsi)҃"H*"HKjս7eBO'z%羄L**EW}>vh?8q?mk:Ev!+⊸"+_􎤕*ˇTu۬q(,
¢(,
]9cYj_pqRX
Ka),`vB%fTtJL#_
JA)(#Z8KӓI`swSx
O)<7+-KspaydRi}|xZv@UQ].B=JD3i+(
Y!+dOXpeU[+9I+xWscLj5sɹ-^v<0?hX;rZ@hAkGb-jf5CM6FWnlp/쀶B[hOշvF8]hzܞ{m[ҽD-Vޞ|Vru^n-z/x
 dO)pR9uKl^ `o&X@p:7ôE:cPtc`]SVHQjkG9ѻIާ`,ek٩7ض_[?tg޿
4u%EI+'~.<+gԯjω;b};Iwܽ-wmM٨T3UϮy.懻{ݳΘԗ?,6"X,!f;}#BejˋE6_F=?uH=ގH{QGJwByͻ		
BXaa`?YZڢL0,`+UZYt۫UhsZXka-ֺ4il˲]iXS_b/ϳ!JrA.&sKQsc=utB5u.ԅ;g=Zesmooکp^zA_ܜZڍ#,繪f'?//jQ7IGghSN4[0`Cv?l|GF[)DzvA1 ĀG]X[*m'cݫ$C0q]I"|>ߨ31"Cd&gRKbRخlH<
\,e
[(zoh9a	6fafsUrԦqErL.Y(bCl
v~ř%mn[׃^&`l`{*%t-}yϡtn
A;]=e=a/,x:hw7
7fteW,(-DKDq ā"nڶH_.[L֧x݇
6SGJ0{Vws%o%^l/
a7dwQrޣ*I y~]pW%W4ڈ,/]w@q "RWGUJn䭅~O<}_ցCrHnsOprK
|9)spߚz83}mXFwtA[ޙVx.nsk;.GiP5rW?wQ~F﷾	bG]FԭgJyn\y!!<ǚ;\ƽ(N?F+ [Þ%k_.2?˺/ߥ
j7q=}>-|+,
(
`d}՘-ޏ2K,d@dYRH7|ض܅q>@}ִv3i6g
wEƺ:hXW`k+sŝosr8~ Xa^uwjI=
;UFEٗ:ߎCX4X}U:hv#>
=Ss_-Dv'GZʰKֹmGUnl
kFgQ+t<`A7h|c7u%'95os5c`]!=ZZ6FÆx=`,e}-;ӣ5ͥ̽z7Rl\Y@IʧkmwJaԁ:PIe9a2˶r)բoAf,6c?=zVur.&O{z@'@\CzY֕ڨ[[زޭ8khT&oEz.;]z=ջ}n}pNsq_|AG\^݄݃nHx	^??]r\V)̓_w^g1_3 8DkVWrYb˦ҝ?nXH $$ʔ)m?ɑF\Q߮xDeH$s>(ukT?مgζ/6RßC}D8Rfz#}`/D""z⹎GQ2T)G'yX`,*,j7uPF\dŸr "D4~V\}MZQ^`,şEKaJjgE$7T(ֻxl<">YݠTJPPYjh}N+e_VC8h37K}POS{"c%x0MZx?=r0J7Z|?.Y>[JE9|r7_'@?u(*kbփCOZM@Y d-g*b$9@fոIckm˗{7ְĂXb8ב9TƃM\\΂`̂Y0}tTr:z_ʱroomޗu.ԅPTu^>0WNq^ϢB{yRA?O*uV^Sc0ٻ9Xϝ]UBSh
My,9饍VLr3ҴT
RA*H/}trQI9slgsT
RA*H0Zt\!?TKHoF*Lw5|ICjU{pCb} d,`lUh:뱲ˢRԳ|}CvBZHi!-[v
khx
5vF}tGЇ%^kx
?z>ú>[-۴4~Mf1(נ޽Zs)3؃BXaC@eZ˥[E|-ma!]-eɅpc9ivZXka-3ZZt#_K׶~oLhm-߽I;gOz|˲^:M)lo	m-O鵨fD^4'i툪Gѭ}0\p]Lsz-N~v{Znz|rA[Aɮ'?Ysos3Ghm-߯[NBH;bRCrA.gh)4bbox^|3]w_r(mEYoGt"^W|/݅Rۥa[zsaC`WB9תi6W7`T)牒Kb=9_Ҳ_\z^o/9Jyι7~	/μss׮;q};~s?!CrHkӵDGzV:J~spΜ/pjͫ&)9L07=9ZQ5'VTY=`:L$ˡ
$GVNrwăxvY`?3EKb
ī]̍fDzyuCw?Zk=Ir`Pjc\2 ăx?2Ue c7J=kkR۾׏%|ו=3cDž\
u0֪nmTH?@C|/ګC#nNTke>gSn>?	g G4ω6-rx._C}8zs3g)fѨנ1$cU@-^`W=tӈ}6f OKhҽ%Kеoo@;U)ҜgIRҞ-?TǑjr]2hg}" "FxBis=	6ʷ}P%@	P%IK`̺&Aێb:@_=_.r-?aߗu_}y~e环sYkOO*zQƃu(ٜ,"@=z|$t;">Mr;$rۣokܣVb &/	q[{jQE7Dj^	9:#:vĉo+~XCx=b &	bw,A:IS.qQ_1i(
((
vsQsx$DN
r5
w}. !H !H2-.ssjSb !osL2Q43{3Ƣ6^(oQl#ב٣VdVs/RZf	r '	rհvG>2kF,	raNay簨ui91ye旌ʺey{];*CqpAv9;8s$jk	܌LF_t݃!@/@Av/;[k65cQM1y@9(%4p!4!Ssv+KrPB@Qt"(qe}<`2akjAU'7汃̃y0?#HYb}讱Ϝ[VcM}xYp%ԇPVw:޴5Yѯg/H/!;dOn3t%5d1ϗk/ԁ:P@Q-B:69gާd댚!;dS>%k~Ͻȟ*_WBvٱ2{S55v-hkщ۲NzXiW'\׈͋"4-r~|>KRh̴85|?;ԇPCϮ>{oz-}@=ʂO\S},ޚw
αSb0U%#z@YρZJ2>~sC	}6t(T(¤ۉ&?|=BOti;\
w5j]o'瞝9u?.Tȣ;l/LqD@Dg@cQ/cj'GSe:s|'cc|(3;@&Ǩ=\aI]k3N.B1gth}?a] ^ӫm
z:;}^ TSWikk#j]Rz
2­*
ASh#.mUZ@27k:Nb'td.Vrʑ)&3.bX /}2ˎ{kxw,d}ɯ:q4%E)xea=Fye8w~#< Rfrftڻ8
gZH`Kd5es8L_V.V>o=ڰZˣhF_5;&!Xj۶Mv#BP _5ŘcuK2Z"ÎG}MVQ@-P\V;GScZjKnWNb!d Hd|d{٢Ė	W2nnhM=E\2_؈x #^]FZc,)1cVuh?ןw{QAAPSe)IudbQ-dAFd32kYX?Cfsʷiޥ}jQT+''thTO3׌h{fICPAAPϕYsB>uBsK (
oAYVLM˩ݦJ?ՆAyDQQCWLwEKP(%ZRu
	z'	z]N+Gȥ`ń *
 *(1(,0ETE/DYPeAYPͶd.Aw.I'!\ϟدyO>gEMӥMW⨑JFy&q<$#'~$qnAm5~nJ=GV~VHm+"G;mɍ՛vY2}}߶jZVjݦ|74;~zVPYu#YHd!YH?el$(gqH78Ѿo`1n[n}n
S\[tl>'m[B/B>J$oݣD,]fC(
`(

VZyQZlK:EMz7`|q0$?iP=T=DZ<.U5~KvQh]k8+{pSsm9/5tLǾdpU.ڞSt:I gMa9sψrJ'C^LB#b3X9Xm)-&!Ͼ{h.ϟt?ajt.m]Ȱ_{$q5|ץ?K~u(NQ1~z?&BP
ς[w|.:6hE}"PlZͿ:hm
KFy_~oǣ{naq~yeg@{,mds,ݶ~u{L@'Kn"JU9oxtvpAL>c^l&!rrESZ/>{1r@CNK
^̊@ҳ,{m>_t٧iK͌duU-J/:tL)~
YM5ki=j:Ueހy0OawԽs1t7n_-l>lbwmXtE9[QV+mwv[KO=>YȺѽNY<>yu3TH:q)5Cp=i܋c!_|\RHm.ߩ^>{}]st
Yް$W 6}Ǒӊ[6Vgkwx^'	3[pJ8-8stmlݛ.nJj=Oe?
Cx!QA*W
8wRw%I+qdzQxayGW;P6]h/׷6=P$Sb-Qm!ҢH/!zigm(	%$J+{ʥ9|RzTr0R~i)IkDz>#X3#ORip	.%\Z쥕*szv>g$0fL	3Ǧ08%W#9ݥNesSJBI(	%^$}jue!kaQZeGETJPVW*Y5>ͯ]*q
6.{{(?a"=9,mS|AN	9!'qezb\ԝcW0焜rBΟYb\#WKQѶ\9crBN	9?S[zW[}N4:thHZ|~9*{7:7t?ͶzgF>+/rv{>Pԟ:܈gRji
ú]8r*9qz'x^Ҵ)Y\̕i)Et"n	3a&̄s[9f+]Nnu^|G}YU'ɕ9|-98zBOZBS)bim?oCP
A!(ӉJm-ZK~\kn6
`Gq(ZJ;κWSsSQy=Rb^
P?я贩ڈk?:[(GLAu;ƺwѸϿյ,	ZXkaӊO9TEWO:eǭ[G;\4ΈYCJE^7Ozzl޵]gJa8%,;}ιzTݧ0
~~z`10H>bkaǚc`a܆6OfUfiuh7=92X`,
UmqסVbJ9I,7a3lͿ8=.=`=S.q0mŹ;käK{9ovC	/ńO/9lsaŖݏƩF?˜_zאַfC8rZk.N98^.S_L}?#gQBr^QF/@@r_'T΂K=tgO};V0@ImM[blټ;0P
茣~$KbxWFq>@h+-j&oGa8\Z2Ί¿8+~<{+kHUNҵs]`n6Wʫ*:3$p<=n	eȖv	6Lv#Z I-&DknjVgNQUusO	?'|\ܡe'!9t6]ӎևpկjh5v4o]+t_xv1mVPW8:Sf4Lkwxu$z[pk!j{	z<~5why3-1.6.0/examples/multiprecision/ptralias.mlw000066400000000000000000000214041440160026300216310ustar00rootroot00000000000000module Alias

  use mach.c.C
  use lemmas.Lemmas
  use int.Int
  use mach.int.Int32
  use import mach.int.UInt64GMP as Limb
  use types.Types
  use array.Array
  use map.Map

  type mem = abstract { zr:zone; zx:zone; zy:zone;
                        mr: int32; mx: int32; my: int32;
                        lr: int32; lx: int32; ly: int32;
                        mutable ok: bool }

  predicate identical (p1 p2:ptr limb) =
    data p1 = data p2 /\ offset p1 = offset p2
    /\ min p1 = min p2 /\ max p1 = max p2 /\ zone p1 = zone p2


  val open_sep (r x:ptr limb) (ghost sx:int32) (y:ptr limb) (ghost sy:int32) :
               (nr:ptr limb, nx:ptr limb, ny:ptr limb, ghost m:mem)
    requires { valid r sx /\ valid x sx /\ valid y sy }
    requires { writable r }
    requires { 0 <= sy <= sx }
    ensures { writable nr }
    ensures { value nx sx = old value x sx /\ value ny sy = old value y sy }
    ensures { valid nr sx /\ valid nx sx /\ valid ny sy }
    ensures { 0 <= offset nr /\ offset nr + sx <= offset nx
              /\ offset nx + sx <= offset ny }
    ensures { m.zr = r.zone /\ m.zx = x.zone /\ m.zy = y.zone }
    ensures { m.mr = old r.max /\ m.mx = old x.max /\ m.my = old y.max }
    ensures { m.lr = sx /\ m.lx = sx /\ m.ly = sy }
    ensures { m.ok }
    ensures { map_eq_sub_shift (pelts nr) (pelts r) (offset nr) (offset r) sx }
    ensures { map_eq_sub_shift (pelts nx) (pelts x) (offset nx) (offset x) sx }
    ensures { map_eq_sub_shift (pelts ny) (pelts y) (offset ny) (offset y) sy }
    ensures { pelts r = old pelts r /\ pelts x = old pelts x
              /\ pelts y = old pelts y }
    ensures { plength r = old plength r /\ plength x = old plength x
              /\ plength y = old plength y }
    ensures { min r = old min r /\ min x = old min x /\ min y = old min y }
    ensures { data nr = data nx = data ny }
    writes  { r, x, y }
    alias { nr.data with nx.data }
    alias { nr.data with ny.data }
    alias { nx.data with ny.data }

  val close_sep (r x:ptr limb) (ghost sx:int32) (y:ptr limb) (ghost sy:int32)
                (nr nx ny:ptr limb) (ghost m:mem) : unit
    alias { nr.data with nx.data }
    alias { nr.data with ny.data }
    alias { nx.data with ny.data }
    requires { m.ok }
    requires { 0 <= sy <= sx }
    requires { m.zr = r.zone /\ m.zx = x.zone /\ m.zy = y.zone }
    requires { m.lr = sx /\ m.lx = sx /\ m.ly = sy }
    requires { 0 <= offset nr /\ offset nr + sx <= offset nx
               /\ offset nx + sx <= offset ny }
    requires { writable r /\ writable nr }
    ensures { r.max = m.mr /\ x.max = m.mx /\ y.max = m.my }
    ensures { map_eq_sub_shift (old pelts nr) (pelts r)
                               (offset nr) (offset r) sx }
    ensures { map_eq_sub_shift (old pelts nx) (pelts x)
                               (offset nx) (offset x) sx }
    ensures { map_eq_sub_shift (old pelts ny) (pelts y)
                               (offset ny) (offset y) sy }
    ensures { forall j. j < offset r \/ offset r + sx <= j
              -> (pelts r)[j] = old (pelts r)[j] }
    ensures { forall j. j < offset x \/ offset x + sx <= j
              -> (pelts x)[j] = old (pelts x)[j] }
    ensures { forall j. j < offset y \/ offset y + sy <= j
              -> (pelts y)[j] = old (pelts y)[j] }
    ensures { plength r = old plength r /\ plength x = old plength x
              /\ plength y = old plength y }
    ensures { min r = old min r /\ min x = old min x /\ min y = old min y }
    writes { nr, nx, ny, nr.data, nx.data, ny.data,
             r.data, r.max, x.data, x.max, y.data, y.max, m.ok }

  val open_rx (x:ptr limb) (ghost sx:int32) (y:ptr limb) (ghost sy:int32) :
               (nr:ptr limb, nx:ptr limb, ny:ptr limb, ghost m:mem)
    requires { valid x sx /\ valid y sy }
    requires { 0 <= sy <= sx }
    requires { writable x }
    ensures { writable nr }
    ensures { value nx sx = old value x sx /\ value ny sy = old value y sy }
    ensures { valid nx sx /\ valid ny sy }
    ensures { identical nr nx }
    ensures { 0 <= offset nx /\ offset nx + sx <= offset ny
              \/ 0 <= offset ny /\ offset ny + sy <= offset nx }
    ensures { m.zx = x.zone /\ m.zy = y.zone }
    ensures { m.mx = old x.max /\ m.my = old y.max }
    ensures { m.lx = sx /\ m.ly = sy }
    ensures { m.ok }
    ensures { map_eq_sub_shift (pelts nx) (pelts x) (offset nx) (offset x) sx }
    ensures { map_eq_sub_shift (pelts ny) (pelts y) (offset ny) (offset y) sy }
    ensures { pelts x = old pelts x /\ pelts y = old pelts y }
    ensures { plength x = old plength x /\ plength y = old plength y }
    ensures { min x = old min x /\ min y = old min y }
    ensures { data nr = data nx = data ny }
    writes  { x, y }
    alias { nr.data with nx.data }
    alias { nr.data with ny.data }
    alias { nx.data with ny.data }

  val close_rx (x:ptr limb) (ghost sx:int32) (y:ptr limb) (ghost sy:int32)
                (nr nx ny:ptr limb) (ghost m:mem) : unit
    alias { nr.data with nx.data }
    alias { nr.data with ny.data }
    alias { nx.data with ny.data }
    requires { writable x /\ writable nr }
    requires { m.ok }
    requires { 0 <= sy <= sx }
    requires { identical nr nx }
    requires { 0 <= offset nx /\ offset nx + sx <= offset ny
               \/ 0 <= offset ny /\ offset ny + sy <= offset nx  }
    requires { m.zx = x.zone /\ m.zy = y.zone }
    requires { m.lx = sx /\ m.ly = sy }
    ensures { x.max = m.mx /\ y.max = m.my }
    ensures { map_eq_sub_shift (old pelts nx) (pelts x)
                               (offset nx) (offset x) sx }
    ensures { map_eq_sub_shift (old pelts ny) (pelts y)
                               (offset ny) (offset y) sy }
    ensures { forall j. j < offset x \/ offset x + sx <= j
              -> (pelts x)[j] = old (pelts x)[j] }
    ensures { forall j. j < offset y \/ offset y + sy <= j
              -> (pelts y)[j] = old (pelts y)[j] }
    ensures { plength x = old plength x /\ plength y = old plength y }
    ensures { min x = old min x /\ min y = old min y }
    writes { nr, nx, ny, nr.data, nx.data, ny.data,
             x.data, x.max, y.data, y.max, m.ok }

  val open_shift_sep (r x:ptr limb) (ghost sz:int32) :
                     (nr:ptr limb, nx:ptr limb, ghost m:mem)
    requires { valid r sz /\ valid x sz }
    requires { 0 <= sz }
    requires { writable r }
    ensures  { writable nr }
    ensures  { value nx sz = old value x sz }
    ensures  { valid nr sz /\ valid nx sz }
    ensures  { 0 <= offset nx /\ offset nx + sz <= offset nr }
    ensures  { m.zr = zone r /\ m.zx = zone x }
    ensures  { m.mr = old r.max /\ m.mx = old x.max }
    ensures  { m.lr = m.lx = sz }
    ensures  { m.ok }
    ensures  { map_eq_sub_shift (pelts nx) (pelts x) (offset nx) (offset x) sz }
    ensures  { map_eq_sub_shift (pelts nr) (pelts r) (offset nr) (offset r) sz }
    ensures  { pelts r = old pelts r /\ pelts x = old pelts x }
    ensures  { plength r = old plength r /\ plength x = old plength x }
    ensures  { min r = old min r /\ min x = old min x }
    ensures  { data nr = data nx }
    writes   { r, x }
    alias    { nr.data with nx.data }

  val close_shift_sep (r x:ptr limb) (ghost sz:int32) (nr nx:ptr limb) (ghost m:mem)
                      : unit
    alias    { nr.data with nx.data }
    requires { writable r /\ writable nr }
    requires { m.ok }
    requires { 0 <= sz }
    requires { 0 <= offset nx /\ offset nx + sz <= offset nr }
    requires { m.zx = x.zone /\ m.zr = r.zone }
    requires { m.lx = m.lr = sz }
    ensures  { x.max = m.mx /\ r.max = m.mr }
    ensures  { map_eq_sub_shift (old pelts nx) (pelts x)
                                (offset nx) (offset x) sz }
    ensures  { map_eq_sub_shift (old pelts nr) (pelts r)
                                (offset nr) (offset r) sz }
    ensures  { forall j. j < offset x \/ offset x + sz <= j
                -> (pelts x)[j] = old (pelts x)[j] }
    ensures  { forall j. j < offset r \/ offset r + sz <= j
                -> (pelts r)[j] = old (pelts r)[j] }
    ensures  { plength x = old plength x /\ plength r = old plength r }
    ensures  { min r = old min r /\ min x = old min x }
    writes   { nr, nx, nr.data, nx.data, x.data, x.max, r.data, r.max, m.ok }

(*
  let double_open (r x y: ptr limb)
    requires { valid r 0 /\ valid x 0 /\ valid y 0 }
  =
    let nr, nx, ny, m = open_sep r x 0 y 0 in
    let nr, nx, ny, m = open_sep r x 0 y 0 in
        (* invalid precondition valid _ 0 *)
    close_sep r x 0 y 0 nr nx ny m

  let double_free (r x y: ptr limb)
    requires { valid r 0 /\ valid x 0 /\ valid y 0 }
  =
    let nr, nx, ny, m = open_sep r x 0 y 0 in
    close_sep r x 0 y 0 nr nx ny m;
    close_sep r x 0 y 0 nr nx ny m (* invalid precondition m.ok *)

  let use_after_open (r x y: ptr limb)
    requires { valid x 1 }
  =
    let x' = incr x 0 in
    let nr, nx, ny, m = open_sep r x 0 y 0 in (* forbids x'*)
    let a = C.get x' in
    close_sep r x 0 y 0 nr nx ny m
*)

endwhy3-1.6.0/examples/multiprecision/set_str.mlw000066400000000000000000000534741440160026300215110ustar00rootroot00000000000000module Set_str

  use int.Int
  use int.Power
  use array.Array
  use map.Map
  use mach.int.Int32
  use mach.int.UInt32
  use mach.c.UChar
  use import mach.int.UInt64GMP as Limb
  use mach.c.C
  use types.Types
  use lemmas.Lemmas
  use powm.Powm
  use stringlemmas.String_lemmas
  use logical.Logical
  use util.Util
  use int.ComputerDivision as CD
  use int.EuclideanDivision
  use base_info.BaseInfo

  let wmpn_set_str_bits (rp: ptr limb) (ghost sz: int32)
                        (sp: ptr uchar) (sn: uint32)
                        (bits: uint32) : int32
    requires { 0 < sn <= max_int32 }
    requires { 0 < sz }
    requires { valid rp sz }
    requires { valid sp sn }
    requires { 1 <= bits <= 8 }
    requires { power 2 (bits * sn) <= power radix sz }
    requires { writable rp }
    requires { in_base (power 2 bits) (pelts sp)
                       (offset sp) (offset sp + sn) }
    ensures  { 0 <= result <= sz }
    ensures  { value rp result = svalue (power 2 bits) sp sn }
    ensures  { result > 0 -> (pelts rp)[offset rp + result - 1] > 0 }
  =
    let ref rn = 0 in
    let ref shift = 0 in
    let ghost ref rdone : int = 0 in
    let ref j = UInt32.to_int32 sn in
    let ghost b = power 2 (uint32'int bits) in
    assert { bits * sn <= 64 * sz
             by power 2 (bits * sn) <= power radix sz
                = power (power 2 64) sz
                = power 2 (64 * sz) };
    assert { 2 <= b <= 256
             by 1 <= bits <= 8
             so power 2 5 = 32
             so power 2 6 = 64
             so power 2 7 = 128
             so power 2 8 = 256 };
    while j > 0 do
      invariant { 0 <= j <= sn }
      invariant { 0 <= rn <= sz }
      invariant { (sn - j) * bits = rdone }
      invariant { j > 0 -> if shift = 0 then rdone = 64 * rn
                           else rdone = 64 * rn - 64 + shift }
      invariant { 0 <= shift < 64 }
      invariant { shift > 0 ->
                  (pelts rp)[offset rp + rn - 1] < power 2 shift }
      invariant { rn = 0 -> shift = 0 }
      invariant { value rp rn
                  = svalue_sub b (pelts sp) (offset sp + j)
                                            (offset sp + sn) }
      variant   { j }
      label StartLoop in
      let ghost orp = pure { rp } in
      j <- j-1;
      let sj = UChar.to_uint64 (C.get_ofs sp j) in
      svalue_sub_tail b (pelts sp) (offset sp + int32'int j + 1)
                                   (offset sp + uint32'int sn);
      assert { svalue_sub b (pelts sp) (offset sp + j) (offset sp + sn)
               = svalue_sub b (pelts sp) (offset sp + j + 1)
                                              (offset sp + sn)
                 + power b (sn - (j+1)) * sj
               = svalue_sub b (pelts sp) (offset sp + j + 1)
                                              (offset sp + sn)
                 + power 2 rdone * sj
               by power b (sn - (j+1))
                  = power (power 2 bits) (sn - (j+1))
                  = power 2 (bits * (sn - (j+1)))
                  = power 2 rdone };
      if shift = 0
      then begin
        assert { rn < sz
                 by (sn - (j+1)) * bits = 64 * rn + shift
                 so (sn - (j+1)) * bits
                    = bits * sn - (j+1) * bits
                    <= 64 * sz - (j+1) * bits
                    < 64 * sz
                 so 64 * rn < 64 * sz };
        C.set_ofs rp rn sj;
        value_sub_frame (pelts rp) (pelts orp)
                        (offset rp) (offset rp + int32'int rn);
        assert { value rp rn = value rp rn at StartLoop };
        value_tail rp rn;
        rn <- rn + 1;
        shift <- bits;
        assert { (pelts rp)[offset rp + rn - 1]
                 = sj
                 < power 2 bits };
        assert { power b (sn - (j+1)) = power radix (rn-1)
                 by power b (sn - (j+1))
                 = power 2 (bits * (sn - (j+1)))
                 = power 2 rdone
                 = power 2 (64 * (rn-1))
                 = power radix (rn-1) };
        assert { value rp rn = svalue_sub b (pelts sp) (offset sp + j)
                                            (offset sp + sn)
                 by value rp rn
                    = value rp (rn - 1) + power radix (rn - 1) * sj
                    = value orp (rn - 1) + power radix (rn - 1) * sj
                    = svalue_sub b (pelts sp) (offset sp + j + 1)
                                              (offset sp + sn)
                      + power radix (rn - 1) * sj
                    = svalue_sub b (pelts sp) (offset sp + j)
                                              (offset sp + sn) };
      end
      else begin
        let rlow = C.get_ofs rp (rn - 1) in
        assert { rlow < power 2 shift };
        assert { radix = power 2 (64 - shift) * power 2 shift };
        let slow = lsl_mod sj (Limb.of_uint32 shift) in
        assert { slow = power 2 shift * mod sj (power 2 (64 - shift))
                 by slow = mod (sj * power 2 shift) radix
                    = mod (sj * power 2 shift)
                          (power 2 (64 - shift) * power 2 shift)
                    = power 2 shift * mod sj (power 2 (64 - shift)) };
        assert { rlow + slow < radix
                 by slow = power 2 shift * mod sj (power 2 (64 - shift))
                    <= power 2 shift * (power 2 (64 - shift) - 1)
                    = power 2 shift * power 2 (64 - shift)
                      - power 2 shift
                    = radix - power 2 shift };
        let nr = rlow + slow in
        C.set_ofs rp (rn-1) nr;
        let ghost oshift = pure { shift } in
        shift <- shift + bits;
        assert { power radix (rn - 1) * power 2 oshift
                 = power b (sn - (j+1))
                 by power radix (rn - 1) = power 2 (64 * (rn - 1))
                 so power radix (rn - 1) * power 2 oshift
                    = power 2 (64 * (rn - 1) + oshift)
                    = power 2 (bits * (sn - (j+1)))
                    = power b (sn - (j+1)) };
        if shift >= 64
        then begin
          shift <- shift - 64;
          if shift > 0
          then begin
            assert { rdone = 64 * rn + shift - bits };
            assert { rn < sz
                     by (sn - (j+1)) * bits = rdone
                        = 64 * rn + shift - bits
                     so bits * sn <= 64 * sz
                     so 64 * rn + shift - bits
                        = sn * bits - (j+1) * bits
                        <= 64 * sz - (j+1) * bits
                        <= 64 * sz - bits
                     so 64 * rn + shift <= 64 * sz
                     so 64 * rn < 64 * rn + shift };
            let shigh = lsr_mod sj (Limb.of_uint32 (bits - shift)) in
            assert { shigh < power 2 shift
                     by shigh = div sj (power 2 (bits - shift))
                     so sj = (power 2 (bits - shift))
                                * div sj (power 2 (bits - shift))
                             + mod sj (power 2 (bits - shift))
                     so power 2 (bits - shift) * shigh
                        = sj - mod sj (power 2 (bits - shift))
                        <= sj < power 2 bits
                        = power 2 (bits - shift) * power 2 shift
                     so shigh < power 2 shift };
            assert { slow + radix * shigh = power 2 oshift * sj
                     by slow = mod (power 2 oshift * sj) radix
                     so shigh = div sj (power 2 (bits - shift))
                     so shift = oshift + bits - 64
                     so shigh = div sj (power 2 (64 - oshift))
                     so let m = mod sj (power 2 (64 - oshift)) in
                        sj = power 2 (64 - oshift) * shigh + m
                     so power 2 oshift * sj
                        = power 2 oshift * power 2 (64 - oshift) * shigh
                          + power 2 oshift * m
                        = radix * shigh + power 2 oshift * m
                     so 0 <= m < power 2 (64 - oshift)
                     so 0 <= power 2 oshift * m
                          < power 2 oshift * power 2 (64 - oshift)
                          = radix
                     so mod (power 2 oshift * sj) radix
                        = mod (radix * shigh + power 2 oshift * m) radix
                        = mod (power 2 oshift * m) radix
                        = power 2 oshift * m
                     so power 2 oshift * m = slow
                     so power 2 oshift * sj = radix * shigh + slow };
            C.set_ofs rp rn shigh;
            value_tail rp (rn - 1);
            value_sub_frame (pelts rp) (pelts orp)
                            (offset rp) (offset rp + int32'int rn - 1);
            assert { value rp rn
                     = value orp (rn - 1) + power radix (rn - 1) * nr
                     by (pelts rp)[offset rp + rn - 1] = nr
                     so value rp rn
                        = value rp (rn - 1) + power radix (rn - 1) * nr };
            value_tail orp (rn - 1);
            value_tail rp rn;
            assert { value rp (rn + 1)
                     = svalue_sub b (pelts sp) (offset sp + j) (offset sp + sn)
                     by value rp (rn + 1)
                        = value rp rn + power radix rn * shigh
                        = value orp (rn - 1) + power radix (rn - 1) * nr
                          + power radix rn * shigh
                        = value orp (rn - 1) + power radix (rn - 1) * rlow
                          + power radix (rn - 1) * slow
                          + power radix rn * shigh
                        = value orp rn
                          + power radix (rn - 1) * slow
                          + power radix rn * shigh
                        = value orp rn
                          + power radix (rn - 1) * (slow + radix * shigh)
                        = value orp rn
                          + power radix (rn - 1) * power 2 oshift * sj
                        = value orp rn + power b (sn - (j+1)) * sj
                        = svalue_sub b (pelts sp)
                                       (offset sp + j) (offset sp + sn) };
            rn <- rn + 1;
          end else begin
            value_tail rp (rn - 1);
            value_tail orp (rn - 1);
            assert { slow = power 2 oshift * sj
                     by slow = power 2 oshift * mod sj (power 2 (64 - oshift))
                     so 64 - oshift = bits
                     so 0 <= sj < power 2 bits
                     so mod sj (power 2 (64 - oshift))
                        = mod sj (power 2 bits)
                        = sj };
            assert { value rp rn
                     = svalue_sub b (pelts sp) (offset sp + j) (offset sp + sn)
                     by value rp rn
                        = value rp (rn - 1) + power radix (rn - 1) * nr
                        = value rp (rn - 1) + power radix (rn - 1) * rlow
                          + power radix (rn - 1) * slow
                        = value orp (rn - 1) + power radix (rn - 1) * rlow
                          + power radix (rn - 1) * slow
                        = value orp rn + power radix (rn - 1) * slow
                        = value orp rn
                          + power radix (rn - 1) * power 2 oshift * sj
                        = value orp rn + power b (sn - (j+1)) * sj
                        = svalue_sub b (pelts sp) (offset sp + j)
                                                  (offset sp + sn) };
          end;
        end else begin
          assert { slow = power 2 oshift * sj
                   by slow = power 2 oshift * mod sj (power 2 (64 - oshift))
                   so oshift + bits < 64
                   so sj < power 2 bits <= power 2 (64 - oshift)
                   so mod sj (power 2 (64 - oshift)) = sj };
          assert { nr < power 2 shift
                   by nr = rlow + slow
                   so rlow < power 2 oshift
                   so rlow + slow < power 2 oshift + power 2 oshift * sj
                      = power 2 oshift * (1 + sj)
                      <= power 2 oshift * power 2 bits
                      = power 2 shift };
          value_tail rp (rn - 1);
          value_tail orp (rn - 1);
          assert { value rp rn
                   = svalue_sub b (pelts sp) (offset sp + j) (offset sp + sn)
                   by value rp rn
                      = value rp (rn - 1) + power radix (rn - 1) * nr
                      = value rp (rn - 1) + power radix (rn - 1) * rlow
                        + power radix (rn - 1) * slow
                      = value orp (rn - 1) + power radix (rn - 1) * rlow
                        + power radix (rn - 1) * slow
                      = value orp rn + power radix (rn - 1) * slow
                      = value orp rn
                        + power radix (rn - 1) * power 2 oshift * sj
                      = value orp rn + power b (sn - (j+1)) * sj
                      = svalue_sub b (pelts sp) (offset sp + j)
                                                  (offset sp + sn) };
        end
      end;
      rdone <- rdone + uint32'int bits;
    done;
    normalize rp rn;
    rn

  use mul.Mul
  use add_1.Add_1

  let wmpn_set_str_other (rp: ptr limb) (ghost sz: int32)
                         (sp: ptr uchar) (sn: uint32) (b:limb)
                         (info: wmpn_base_info) : int32
    requires { 0 < sn <= max_int32 }
    requires { 0 < sz }
    requires { valid rp sz }
    requires { valid sp sn }
    requires { 2 <= b <= 256 }
    requires { power b sn <= power radix sz }
    requires { writable rp }
    requires { in_base b (pelts sp) (offset sp) (offset sp + sn) }
    requires { info.b = b }
    ensures  { svalue b sp sn > 0 -> 1 <= result <= sz }
    ensures  { value rp result = svalue b sp sn }
    ensures  { svalue b sp sn > 0 -> (pelts rp)[offset rp + result - 1] > 0 }
    ensures  { svalue b sp sn = 0 -> result = 1 }
    ensures  { 0 < result }
  =
    let ref k = 1 + (sn - 1) % info.exp in
    label Start in
    let ref w = UChar.to_uint64 (C.get sp) in
    let ref j = 1 in
    while (k <- k - 1; k) > 0 do
      variant { k }
      invariant { 1 <= k <= sn }
      invariant { 1 <= j <= sn }
      invariant { w = svalue_sub b (pelts sp) (offset sp) (offset sp + j) }
      invariant { 0 <= w < power b j }
      invariant { j + k - 1 = 1 + mod (sn - 1) info.exp }
      invariant { int32'int j = uint32'int sn -> k = 1 }
      label Loop in
      assert { k > 0 };
      assert { j < info.exp };
      let sj = UChar.to_uint64 (C.get_ofs sp j) in
      svalue_sub_head (uint64'int b) (pelts sp)
                      (offset sp) (offset sp + int32'int j + 1);
      assert { w * b + sj
               = svalue_sub b (pelts sp) (offset sp) (offset sp + j + 1) };
      assert { w * b + sj < radix
               by w * b + sj
               = svalue_sub b (pelts sp) (offset sp) (offset sp + j + 1)
               < power b (j+1)
               so j+1 <= info.exp
               so power b (j+1) <= power b (info.exp) < radix };
      w <- w * b + sj;
      j <- j + 1;
    done;
    C.set rp w;
    let ref rn = 1 in
    assert { value rp 1
             = w
             = svalue_sub b (pelts sp) (offset sp) (offset sp + j) };
    assert { j = 1 + mod (sn - 1) info.exp };
    assert { mod (sn - j) info.exp = 0
             by info.exp > 1
             so mod 1 info.exp = 1
             so mod j info.exp
                = mod (mod 1 info.exp + mod (sn - 1) info.exp) info.exp
                = mod sn info.exp
             so let ds = div sn info.exp in
             let dj = div j info.exp in
             sn = ds * info.exp + mod sn info.exp
             so j = dj * info.exp + mod j info.exp
             so sn - j = (ds - dj) * info.exp
             so mod (sn - j) info.exp = 0 };
    while j < UInt32.to_int32 sn do
      variant { sn - j }
      invariant { 0 <= j <= sn }
      invariant { value rp rn
                  = svalue_sub b (pelts sp) (offset sp)
                                 (offset sp + int32'int j) }
      invariant { j <= sn }
      invariant { 0 <= rn <= sz }
      invariant { svalue b sp j > 0 -> (pelts rp)[offset rp + rn - 1] > 0 }
      invariant { svalue b sp j = 0 -> rn = 1 }
      invariant { mod (sn - j) info.exp = 0 }
      w <- UChar.to_uint64 (C.get_ofs sp j);
      let oj = pure { j } in
      assert { j + info.exp <= sn };
      j <- j+1;
      for k = 1 to info.exp - 1 do
        invariant { w = svalue_sub b (pelts sp) (offset sp + oj)
                                     (offset sp + j) }
        invariant { 1 <= k <= info.exp }
        invariant { j = oj + k }
        let sj = UChar.to_uint64 (C.get_ofs sp j) in
        svalue_sub_head (uint64'int b) (pelts sp) (offset sp + int32'int oj)
                                      (offset sp + int32'int j + 1);
        assert { w * b + sj = svalue_sub b (pelts sp) (offset sp + oj)
                                           (offset sp + j + 1) };
        assert { w * b + sj < radix
                 by svalue_sub b (pelts sp) (offset sp + oj) (offset sp + j + 1)
                    < power b (j + 1 - oj)
                    = power b (k+1) <= power b info.exp < radix };
        w <- w * b + sj;
        j <- j + 1;
      done;
      assert { mod (sn - j) info.exp = 0
               by j = oj + info.exp
               so mod (sn - j) info.exp
               = mod (sn - oj - info.exp) info.exp
               = mod (mod (sn - oj) info.exp
                     + mod (- info.exp) info.exp) info.exp
               = mod (0 + 0) info.exp = 0 };
      svalue_sub_concat (uint64'int b) (pelts sp) (offset sp)
                          (offset sp + int32'int oj) (offset sp + int32'int j);
      assert { svalue b sp j
               = svalue b sp oj * power b (j - oj) + w
               = value rp rn * power b info.exp + w
               = value rp rn * info.bb + w };
      let ghost orp = pure { rp } in
      let ref cy = wmpn_mul_1_in_place rp rn info.bb in
      assert { cy < radix - 1
               by value rp rn <= (power radix rn - 1)
               so info.bb <= radix - 1
               so info.bb * value orp rn <= (radix - 1) * (power radix rn - 1)
                  < (radix - 1) * (power radix rn)
               so value orp rn * info.bb = value rp rn + power radix rn * cy
                  >= power radix rn * cy
               so power radix rn * cy < power radix rn * (radix - 1) };
      let cy1 = wmpn_add_1_in_place rp rn w in
      cy <- cy + cy1;
      assert { value rp rn + power radix rn * cy
               = svalue_sub b (pelts sp) (offset sp) (offset sp + j) };
      if cy > 0 then begin
        value_sub_update_no_change (pelts rp) (offset rp + int32'int rn)
                                   (offset rp) (offset rp + int32'int rn)
                                   cy;
        value_tail orp (rn - 1);
        assert { rn < sz
                 by power b sn <= power radix sz
                 so value rp rn + power radix rn * cy
                    = svalue_sub b (pelts sp) (offset sp) (offset sp + j)
                    < power b j <= power b sn <= power radix sz
                 so power radix rn * cy >= power radix rn
                 so value rp rn >= 0
                 so power radix rn < power radix sz };
        C.set_ofs rp rn cy;
        value_tail rp rn;
        rn <- rn + 1;
      end
      else begin
        value_tail rp (rn - 1);
        value_tail orp (rn - 1);
        assert { svalue b sp j > 0 -> (pelts rp)[offset rp + rn - 1] > 0
                 by info.bb >= 1
                 so value rp rn = value orp rn * info.bb + w
                    >= value orp rn * info.bb
                    >= value orp rn
                 so if svalue b sp oj > 0
                    then (pelts orp)[offset rp + rn - 1] > 0
                    so value orp rn
                       = value orp (rn - 1)
                         + power radix (rn - 1)
                           * (pelts orp)[offset rp + rn - 1]
                       >= power radix (rn - 1) * (pelts orp)[offset rp + rn - 1]
                       >= power radix (rn - 1)
                    so value rp rn >= value orp rn
                    so power radix (rn - 1) * 1
                       = power radix (rn - 1) <= value rp rn
                       = value rp (rn - 1)
                         + power radix (rn - 1) * (pelts rp)[offset rp + rn - 1]
                       < power radix (rn - 1)
                         + power radix (rn - 1) * (pelts rp)[offset rp + rn - 1]
                       = power radix (rn - 1)
                         * (1 + (pelts rp)[offset rp + rn - 1])
                    so 1 < 1 + (pelts rp)[offset rp + rn - 1]
                    else rn = 1 /\ value rp rn = svalue b sp j = w
                    so w > 0
                    so (pelts rp)[offset rp + rn - 1] > 0 };
      end
    done;
    value_tail rp (rn - 1);
    rn

  let wmpn_set_str (rp: ptr limb) (ghost sz: int32) (sp: ptr uchar) (sn:uint32)
                   (base: int32) : int32
    requires { valid sp sn }
    requires { valid rp sz }
    requires { sz > 0 }
    requires { sn >= 0 }
    requires { power base sn <= power radix (sz - 1) }
    requires { 2 <= base <= 256 }
    requires { writable rp }
    requires { in_base base (pelts sp) (offset sp) (offset sp + sn) }
    writes   { rp.data.elts }
    ensures  { result <= sz - 1 }
    ensures  { value rp result = svalue base sp sn }
    ensures  { sn > 0 -> (pelts sp)[offset sp] > 0
               -> (pelts rp)[offset rp + result - 1] > 0 }
  =
    ghost (if sn > 0 then
              svalue_sub_tail (int32'int base) (pelts sp) (offset sp + 1)
              (offset sp + uint32'int sn));
    assert { sn > 0 -> (pelts sp)[offset sp] > 0 -> svalue base sp sn > 0
             by svalue base sp sn
                = svalue_sub base (pelts sp) (offset sp + 1) (offset sp + sn)
                  + power base (sn - 1) * (pelts sp)[offset sp]
                >= power base (sn - 1) * (pelts sp)[offset sp]
                > 0 };
    if sn = 0 then return 0;
    let bits = wmpn_base_power_of_two_p (Limb.of_int32 base) in
    if (bits <> 0)
    then return wmpn_set_str_bits rp (sz-1) sp sn bits
    else begin
      let info = wmpn_get_base_info (Limb.of_int32 base) in
      return wmpn_set_str_other rp (sz-1) sp sn (Limb.of_int32 base) info
    end

endwhy3-1.6.0/examples/multiprecision/set_str/000077500000000000000000000000001440160026300207535ustar00rootroot00000000000000why3-1.6.0/examples/multiprecision/set_str/why3session.xml000066400000000000000000002554061440160026300240070ustar00rootroot00000000000000












 
 
  
  
  
  
  
   
   
   
   
   
   
   
   
   
   
   
   
  
  
  
  
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
  
  
  
  
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
  
  
  
  
   
   
   
   
   
   
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
   
   
   
   
   
   
  
  
  
  
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
  
  
  
  
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
   
   
   
   
   
   
   
   
    
    
    
    
    
    
    
    
    
   
   
   
   
   
  
  
  
  
   
   
   
   
   
    
    
    
    
    
    
   
   
   
   
   
   
   
   
   
   
   
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
  
  
  
  
  
  
  
  
  
  
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
  
  
  
  
  
  
  
  
  
  
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
    
    
    
    
    
    
   
   
   
   
   
  
  
  
  
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
   
   
   
   
   
   
   
   
   
  
  
  
  
  
  
  
  
  
  
  
  
  
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
  
  
  
  
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
  
  
  
  
   
   
   
   
   
   
   
   
   
   
   
   
   
   
    
    
    
    
    
    
   
   
   
   
   
   
   
   
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
    
    
    
   
   
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
   
   
   
  
  
 
 
 
 
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
   
   
    
    
    
   
   
   
   
   
  
  
  
  
  
  
  
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
  
  
  
  
  
  
  
  
  
  
  
  
  
   
   
   
   
   
   
   
   
   
  
  
  
  
  
  
  
  
  
  
   
   
   
   
   
   
   
   
    
    
    
    
    
    
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
 
 
 
 
  
  
  
  
  
  
  
  
  
  
  
   
   
   
   
   
   
   
   
   
   
   
   
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
 
 



why3-1.6.0/examples/multiprecision/set_str/why3shapes.gz000066400000000000000000000475571440160026300234350ustar00rootroot00000000000000َ$Ǒ.|Ows	$847}+:jIdęyYDTUFddVfv핢226Mվ||޽K?߭7G?͟_ex0KJ\ӗVm󢷟Ͽ])JvGRLn%Ǘh&@/l_rnz_[Wm_o=G/\Z?p_	}~aP&_nSP.
/_/a}?`s66%EsypaϾhb
oRhm@7667Sj>eh=W9;[#*Jh]aA=
p/$nD6Э3<ϣ_ӽ赁 |]6J_9[5	_i_⳼qS{xk|2^(]A_;HmŊlE/C"4!MO;//Eo0XZY6=7=[Kgw{@S|.!Oۿr-+PJ+<W7(_Ԫ~`WHVk͝M{Pک٢;;:	Z\<|O0Ρj'^8i.ng_"0sXvT]w{8=YouD흅(IGssK~L@y 8w[ۼB|,<m_m@(K}_7xoIөT=:}ѓ>Y=:8sC]݉蕞~|ݢQҧXJ?3Op,Lد_kr;rM't>q\ӫKr͈DSw;!_zU	|&c|_~xHmW6(2Ɵז=
-wwWg̸P2.MpI]ܳNuܜH=s剔qޑ::O,Zkq=Qsj᫣F|bOY7ߪ<[6i=zvIgJmtn]x]rq诟06:pnh;)|b?
T=8oNS1
*IzOLsۀYv]R?n[m=oل^.ȼ(:l>lpܽX(13.ջty@xFcw5Drv`PK;x|SLNq.=B<a_~Yqۭ}MOj҄6wI'	p3q
NqM=mjOw5鎓(c/#3˨}R2v,b[[fw~]&[fwfwVww5pa;l2ޞͰsZL=ۧW~mroe+?f]_	"ZlC!Xg׮P<{t|kk֙oٯch'G<Ǹ
|hzmNg#f[EͶ0mzl ma|_\]P~
qǪ/up垤tda{y#^QTz.= AG1W7fCC{c%&~1yܹbc^0H+wC_KQW7/ŸwӜxӜ{]􌁎.j_]n%X=5=?s	t=G>E|7,yxo^ t}b^ jw@0`z`Azc;|.\{Qm?nmۜ	!Izҡ%7JC_ٛ1lv3ﭳ0R^נC^\oY%8{[
3=>%\}cnL2uaWHYɬtgyjyfp{?mw	ΉT@:/y'tCO98JNjIN;zݝm{9ec~`hՒ'×'zWZ	oXSksB6696Y	-9ǃ8LqŚ~yxGTgfZ\p-FZ\ݩ@a$xo_WIvОSQn߮>+@qU«%P.יDZiloȧn6Y䙺I|}?02R
3NEԘCHuwds홌E}|7l'qB||οmɻج)AgVU alTAfol^Ģv|sb&Dy0$ؕ37i9[7UTM'W5;YE2gO*
:fj81GW+oyJ߆1}j{.#[m
gǬ	w|wBUKz32/]w˖~%=ABңBO2zsrh	dSzWXpyk_^@灟S36rI?cm/a>Cz.:;%L7~1:{FqooMӊ'J@'+`f4~:M(
5T.cA٘'rG7gb}+&/
_}y/69b{f^{]o,ٍ=kzŞٳ1֫',n֛~{7Nvt=cY#Xw~.gܕn{>vY[#PPk2,KSj;1Ȝǝ\+ԧ=c_<5AttK7gnܡ_7"JuKSuOk%%ib@]ͣXʸrcߛ"WV%ǝn=9\ǒs"ݱޥ牺]$\go?%+"'DwN{+_$zbV^س(7wƶX&O+[7o!uaU|bs̡\hF2O.J=~)Ӟi3;=bO_ԴgjV9+.Ɂ#֬b,yj}&oOX=Q{;nW:O@qst?j!jߒEڝ-Z9c&7|{7497t7z{UP3W`T Hw[:O4>[q\*6Ϟƛ%ԛ(6(Aݞ~1K;s
{ bZsʉ#VX1#Y7u0Y;k^8yqkഓ/_5xx)zzey4a2;6is~v=;[`p-;f=hwwNBvmkrW{d|b9puy~g_}.ϡN?f[oX]O[|ߒч1:[$g<#ű{;{zO/%bQ|(4Cp΃s?oD_.FCwHYl}Ko}iiمM
f|e7H6oA'G}s|:`Ӓa۵.7K߸Huލq]j#~^9Иxg̓0fIK@yeaAߤ/'bfhfɋF'.'IvW$'mɉYvS`1H'I}4l]:48ȣф2YQo\sYWOB)/,;-mϫx̲j~?̻:*U|}~JH0f(Z'2<~j4EN⵫o_+
׹mOi38J@}=qe4{fUHyq	$u:{{vpz(1=!/7ɛ>Ѳ#	៏iŜ4޻륅پ
:}<`*L'3P
ObK_'ۺ5r	͇>!7E5(,1TTSOjb-_Fǿ>޾9Ri{ӿ퓫-/2<әŘrP񏻸݌#
@~Ju't9<]U,^SNh)G;k1*gNۻ }癰ld8<'Þ99c\{&zM-dUuajии~G*'2J4?b.!jwqn}^[|$9Y=m+gpJ>[Up2EZXעi}ײװ|!L~>.|y~}1G#"͑ACwIag9zMk=@z})A=fI%g>ߒjkxuB]^ȟY)x|p]juWHEˑvt_c@SX%S	Fț"Xj{>C?>OԻnk֪Rmh%{^o]bqo*oBHl{.Wm"K뽍{6e9vOL)ui-tZ{C+JSFli_kf*-YjjJQBXCv?iWklkDVR
"0:Z6X%jPl%i@Ruj)פ6𿦨;Їnj*5;
.N2Ńn4&2f(
Ԕ96n1=1ը"x{1aRYoCmbh!pdgwPU
ݕddδtfRaAb}V]kKN؇.
t]b8Y((
AKADk.=cœ\Rj?lC{K\'.*kT*%w`}(\<6V!SYWt2>h>Pw?P@Nd>@ꃍwBԊ3ΰeU4PW":;Tsyvΐ^
^7\I
"HXme`ҲwTE9d>YP#Z-GV#d5}~vU
EJ.q/2ǐY;a|b"7[wj@攚u9hCC\P6	RSyUExh(VL
m9g8	Y
g85lz8a͒mhvm(18^=8UXt	NBv)%ಫ
oUBDzO	Qht.Óн_t
.Ek#rW&ep B6(#쀂.2VBN
@G
2'J$
\ѽa	TT04b:n'Sbw[KZ8rqqUb,d#
N(@%8Dӏ].k4Q%U~	yd8RmzSkI)@s[_e-9f6жᰤh>DtI>~l"T
v+hAt+Tb"L5\`d+"j!I'jazrp:0ou猈FYkx$dYAGF~Ѝ{FmvAͰJjsaT6ЃAhPa2z+56*
e-ʧ_q^?O[βrJ/˦X9Vv?_Qg"\-&+PBbIg+BU:L0	QzƔ{*0ŧL][7YՀ3?fzHCjsq3X|>.ʦbl6`M2
,D[
Gd%a1`{5dzrLig7	6U=oט
&`yˤ&FȪcPQɶ{+=eR]5&2y?h#2;8;"/'aؚ֫>?7I}>ҦQiaȋP50?ɤU1+#C
S.>}p=܃&9"܄|fHÐ1ɍRl>C%8XqNKHiUdzmvn Hq*_f)(g݁{"fqF!N-h=ʤ'3gh1Vs<^#B)L%8GJ?MW»S4}@r֘M=;C]#*Rpz^{p.ucU*{?Ig|XAw+pJq~C5l`*;&k*R$:γD+P)
GeAZW}hĽ4cj(UØV9L+a9MR:5u@XdN'!'^&zW8%de|&}E^(T垔].oD6]_^*zrƉ[r+c*n%W֓/ղO!9Y9%7h1?+(xCQΰG/(ʾ@t
3xKFr[NO0~ɮkQ^	#2BR&01jx^Z
s
d\/͸~$+I9[A~:svuJAju*Wԁl>ɺfC|Wc`|JcD+тb[vpT1wsWy]Vg'91ׯspHsΔKZ<#f^x*%?wM!kQHӫf}0kLR-9MDk]WR Y"kL)\\s]6*|<^J0nrZw\4$@f\5aEsPV3h^Z;nUD/YgT
icleE$۵1WpC6b51dڒG7FNK).%}Bڈa
1e*:TJ	(X|qMT2oMfj'Ss>srxM6]2M2(uH>%jD>IvD*C,r4ZFgI%,++Fm,R{2QtI*KHzd)q*UX!nΏ3ݮuR̈Bi6JՄ}&vъ+>&S] F	hBlxFхWFa,X>6U+2KEoFV&,WY)s&lP=(@K{brc[#|F*7@G:6l|}HQ)
&|1{
QJHYSZ%[Z*	RLoiJiM%S-HH]5QKPH))S&.j%#05X򮩪fG,vJAshBp$e1M1x[VN5=ԅb_C}>Z&\RD_=3e+ZY(WU׸eBhGWٔJ&e+Śr7@զ`bi	V"6-7_SvW&/Bd'#h%EkONrՅx@Vx6>RԂ2: ȐPp1@bVJ e6M},2/#\
Lh
.'ϛXG
Rj*)8^LI]Bŷ8R^(${-Rҹl=HAP9PܓaU|^
Rܽ^ŜB`IQ'ɍt
?3B$\NFDBit?R_(x V;g1\&TIÅmqGk\tSY
$%=T3na~+WK=oM}4jw=Basj9?0x4rj(kה+Z0$6RQZԉ!".fEvqfZ!;;%iѬIJ<{%T8i~G5Ƣ8wJjG.7.\곍ى/TKV;nS%z2հ_y]h\2;!ЍH6Tc3ڗV
v>5o$`XZ܇mW:cs g[hI[ax*+ ْ;"<2RultB4Z)hR,V)Q=I%ׁlT1:떴TkY׌9[$Ru[UXxAC79$bK_ΦN*lRľ[I\zet,>  L
1?^~-#m ]:uXȪzm}5;,X+խ pҼ
tUIUߜRj!覍n4Jhg_>7*(|EX˙tH?({k9zSҀVϟ|ℜxUd88_$'nٲGݳ\UDOpLyrdz6jLr%ӌP
LCDØDJ%8-yׇ:$?q'@YׇzpRD)ȂHZ%4ToΑ>}IuGm$uFꮷ^ꥺT2:hA`:kFҸd)jM);,|! -G{}dQJ&WLTtnh+j|o%
/V1~aԝSItFR)Nû[vpD"N|r>录
:~o%?L:hBh3WuQf1ʡBx	*A~2j6D>>Y3YgҶdHTv*tOIg5<U45֕F|{}V滗,9@"oc7;lXf1$@=B9e.^Jj"{k@N+R0j&G&[u56(t\	*f8U]| Jҥ?28zq	" R9Z3zCm:j:Oc`Tq$0B?(n}J&6Cg疕Qe~鼾k)U5IU0	P[R!o>uXrVұt;om]NeFyr&93co5<#`o@Xg3A3O}W
ʺJTMScR8-Ƃ3ƊƊ9U
(BS7N̿RzZn{$Q&b5!X]":8TRF[5\NrU
u#0xFVG
އzpb	QhR1)@>8;Ï	1C^@
ʜyTH2JBd+eLmSveH $v+tq*jOXWH,.~}:Y.N.[J=*X_j20/$׽l""5fV|l*s
&[P͵6xy"Z`{Tbr)+TT'Snf#!K1+0ܔpt`OJG1HVB#sW0Úl)\ӑ&8<8JP>L*ဒTIqpZ}Y2dyչ@-3-5AAv2b7-"Ct9"b֣ObΔZTQD݉3$1G'^?%A#hQZ%ZL+>5VLd[MF2pt f!FUBw,`
MTt>T.-fWtTM`/M͔PCu	(2bC	h&bѿw6N0wB@2vh(۸Irz"\Wզ"%*RD`"@-z^LDB@D>-a%vbմݐʊ&9(7t>86$ld}LI!gM)81")i	N
4lkeO蕇
K1)A7C987AOe+"8aZ[%--X`krO;]?s2q̌aD橬5jvXbVvF F*QuʮWݍܳ20 +35-ء`Qv:7pz6-؊pCfI4LbpD#Egw4K-9`%H)ْ\#܌@쳂=xoRsޕr{ݳ=BXlbyaIzdWWR~IݢiF~<
T~{O¾VNDGF4
XrN9/?x`K
7R8k*$TN
7/ɒe:xN
pkiJ*\
Iq4g5"
KG=#
B&hQCP>}Q"kIUǤ@㈴}}aWblptm@\ZFU-c/z%)ѳsD
ՀFt'
߯`{W9%BAT
"H!,F7F獥V(VCko0+bOæh@4"0YȾ	Dn|͊ha5#'HJ^&SV:3I?-aj5/nIܼˍݭ*}LR&q\r[:#2VUcv7ǿM
@܈/TQAH5?o8ѕlo"{9ǨuB~coT	t/}3Q
{c8`o| װ\:N3&FV&<Go@"Mc-yE}KqH *

lr":icN@P@P4p'J=LrbTCfct4DFk%Wt*+CGZ)I2b!w{]DКg㯃QaC{HxDx*c(iNPxPCY׫7!m*!K5۠F:799-J.* mP#VUrj9to2u0}
jtRzT7(5IԪGrᬰ%Dr<f~48r1~(&S)Qs=kr+лmY[@ DSTݱ1V#A!H;T[-Af!{6UNkgh"a:c#tjFsV]XaQd/D?&!Iy(ILhDTG!%IJVaA9y,!2҂iPG&{Ta^FCv,ԅґ*rDx= sL\u₾pA7)!`*Zrn37S{Ԙ\zC=TJBJ2Lz.Yhx`a'N+^u5f:wd'g?9\Ul-ڢM9kN<w6'g4cK74AOv[L18UV.8C[VNxt5cu
J)Rn0"1Tj=v3_h )sK
&Ѥ&gRu4#G,kP
ܷ%iUO0䎨DhDrFaYӌhgim-JGԢnC?ր;\rK)y
#8â4`\4	%xCYDYψR$w
GO#2K%gWSh<§'?`8l:%Wa0hG^=5/n%KvlZn:Ԙ9FϞϢ2q(:hUm|uTYTvǎS
8x%CF(T`.|{>|s
+
Kw8c5z9Œ)BoXnu׌Քi)S&z>u!+W3$ZU^6JIsηR.'P')@-5WL-[p XMwK+$:;8EjZvpoYT˅xQ;rαiqx._ƉZܠ”pntۯa?q27|t4.i81ϊ8Սa/xѓ&2uVz|MQ"thG|
aM=j|][wΣGtJ):cm<k.ysu%u!.&rfƻppTuff9'$rʓ}☻pp7c *TKɹMUE)_Ǟǒgi+%aйpp,.hj85FJv(05?iHx#ϊQɺ0j55;Y>feVӪS>]ܳ^L{R_TNpYp˱J1ԠRO.n34}[_㈾U(
c#f9D8݄cˑ{9P^ʵҽRAnۅikͭv]ne‹dH}YI-`)8NdnuӒGڅxͩ¥Vg7*\)*9'|;|t]a:k2T6H22<`+Bk_>BUS$֗CTk')HlyZɽ9"^Z1>iGܳIٖHXs^tՍo]%	hM9?ȅׅySZ9jx;M-@{㹧$U~jjqC>a/z(%){gPg.=:ЭˋKW08+iKk$dcoHC)|'qyvCwc
6g+t/UO{N$kiШ"Fm  T|=xGtDS>aOi(CTt[?zua2z
`3J.Fm!\lpw讑 %9:#'9Oba>4?C:M	O.\@{'koi
&%0e{F9nP
ji	Kc(eb{(xCI58*%kZ/6PzOxED(&aqX&e1n2On&JpeVLRpJ5,o8#{roa(
R8j*ꨬ;clX:(m!LsM8oYO^w]ٚ7jh{RF8=Z-i"uB
q/J<,{9w.O Ib~	Qbi\j1B!1DV@GEV[%V\evqd<"*UBzh;mBrQ
589MPː
VgJ9{[pMM Ymg9ᕯ0iMjE+d@7>~#SfU!iFsWOr|1d;|u lQ:B?W@Ҩ2MA\
#why3-1.6.0/examples/multiprecision/sqrt.mlw000066400000000000000000000112031440160026300207770ustar00rootroot00000000000000module Sqrt1

use int.Int
use int.EuclideanDivision
use real.RealInfix
use real.Square
use real.FromInt
use real.Truncate as Trunc
use mach.int.UInt64
use int.Power
use map.Map
use mach.c.C
use lemmas.Lemmas
use mach.fxp.Fxp

meta coercion function rval

let lemma real_sqr_compat (x y: real)
  requires { 0. <. x <. y }
  ensures  { x *. x <. y *. y }
= ()

meta remove_prop axiom real_sqr_compat

let lemma trunc_lower_bound (x: real) (k:int)
  ensures { x <. trunc_at x k +. pow2 k }
= assert { x *. pow2 (-k)
           <. from_int (Trunc.floor (x *. pow2 (-k)) + 1)
           = from_int (Trunc.floor (x *. pow2 (-k))) +. 1.
           = from_int (Trunc.floor (x *. pow2 (-k))) *. (pow2 k *. pow2 (-k))
             +. 1.
           = trunc_at x k *. pow2 (-k) +. 1.
           = (trunc_at x k +. pow2 k) *. pow2 (-k) }

val rsa_estimate (a: fxp): fxp
  requires { 0.25 <=. a <=. 0xffffffffffffffffp-64 }
  requires { iexp a = - 64 }
  ensures { iexp result = -8 }
  ensures { 256 <= ival result <= 511 }
  ensures { 1. <=. result <=. 2. }
  ensures { let rsa = 1. /. sqrt a in
            let e0 = (result -. rsa) /. rsa in -0.00281 <=. e0 <=. 0.002655 }

let sqrt1 (rp: ptr uint64) (a0: uint64): uint64
  requires { valid rp 1 }
  requires { 0x4000000000000000 <= a0 }
  requires { writable rp }
  ensures { result * result <= a0 < (result + 1) * (result + 1) }
  ensures { result * result + (pelts rp)[offset rp] = a0 }
  ensures { (pelts rp)[offset rp] <= 2 * result }
=
  let a = fxp_init a0 (-64) in
  assert { 0.25 <=. a <=. 0xffffffffffffffffp-64 };
  assert { 0. <. a };
  let rsa = pure { 1. /. sqrt a } in
  let x0 = rsa_estimate a in
  let e0 = pure { (x0 -. rsa) /. rsa } in
  let a1 = fxp_lsr a 31 in
  let ea1 = pure { (a1 -. a) /. a } in
  let m1 = fxp_sub (fxp_init 0x2000000000000 (-49)) (fxp_init 0x30000 (-49)) in
  let t1' = fxp_sub m1 (fxp_mul (fxp_mul x0 x0) a1) in
  let t1 = fxp_asr t1' 16 in
  let x1 = fxp_add (fxp_lsl x0 16) (fxp_asr' (fxp_mul x0 t1) 18 1) in
  let mx1 = pure { x0 +. x0 *. t1' *. 0.5 } in
  assert { (mx1 -. rsa) /. rsa = -0.5 *. (e0 *. e0 *. (3. +. e0) +. (1. +. e0) *. (1. -. m1 +. (1. +. e0) *. (1. +. e0) *. ea1)) };
  let e1 = pure { (x1 -. rsa) /. rsa } in
  let a2 = fxp_lsr a 24 in
  let ea2 = pure { (a2 -. a) /. a } in
  let u1 = fxp_mul x1 a2 in
  let eu1 = pure { (u1 -. sqrt a) /. sqrt a } in
  assert { eu1 = (1. +. e1) *. (1. +. ea2) -. 1. };
  let u2 = fxp_lsr u1 25 in
  let eu2 = pure { (u2 -. u1) /. u1 } in
  let m2 = fxp_init 0x24000000000 (-78) in
  let t2' = fxp_sub (fxp_sub (fxp_lsl a 14) (fxp_mul u2 u2)) m2 in
  assert { sqrt a *. sqrt a = a };
  let t2 = fxp_asr t2' 24 in
  let x2 = fxp_add u1 (fxp_asr' (fxp_mul x1 t2) 15 1) in
  let mx2 = pure { u1 +. x1 *. t2' *. 0.5 } in
  assert { let ee = (1. +. eu1) *. (1. +. eu1) *. eu2 *. (2. +. eu2) +. eu1 *. eu1 in
           (mx2 -. sqrt a) /. sqrt a = -0.5 *. (ee +. m2 /. a) *. (1. +. e1) -. e1 *. eu1
           by x1 <> 0. /\ a2 <> 0. };
  let x = fxp_lsr x2 32 in
  let sa = pure { trunc_at (sqrt a) (-32) } in
  assert { -0x1.p-32 <=. x -. sa <=. 0. };
  let ref c = ival x in
  assert { c = Trunc.floor (pow2 32 *. x)
           by x <=. sa <=. 1.
           so iexp x = -32
           so pow2 32 *. x <. pow2 32
           so 0 <= Trunc.floor (pow2 32 *. x)
                < power 2 32
                < radix
           so c = mod (Trunc.floor (pow2 32 *. x)) radix
                = Trunc.floor (pow2 32 *. x) };
  assert { c * c <= a0 < (c+2) * (c+2)
           by x *. x <=. a
           so from_int a0 = pow2 64 *. a
           so from_int c = pow2 32 *. x
           so pow2 32 *. pow2 32 = pow2 64
           so from_int (c * c) = from_int c *. from_int c
              = pow2 64 *. (x *. x) <=. from_int a0
           so c * c <= a0
           so let x' = x +. 0x2.p-32 in
              let sa' = sa +. pow2 (-32) in
              pow2 (-32) = 0x1.p-32
           so sa' <=. x'
           so sqrt a <. trunc_at (sqrt a) (-32) +. pow2 (-32) = sa'
           so a = sqrt a *. sqrt a <. sa' *. sa'<=. x' *. x'
           so from_int (c + 2) = from_int c +. from_int 2
              = from_int c +. 2.
              = pow2 32 *. x +. 2.
              = pow2 32 *. (x +. 0x2.p-32)
              = pow2 32 *. x'
           so from_int a0
              = pow2 64 *. a
              <. pow2 64 *. (x' *. x')
              = from_int ((c+2) * (c+2))
           };
  let ref s = c * c in
  assert { (c+1) * (c+1) <= radix };
  assert { s + c <= s + c + c < (c+1) * (c+1) <= radix };
  if (s + 2 * c <= a0 - 1)
  then begin
    assert { (c+1) * (c+1) <= a0 };
    s <- s + 2 * c + 1;
    c <- c + 1;
    assert { s = c * c };
  end;
  C.set rp (a0 - s);
  c

  meta remove_prop axiom trunc_lower_bound
endwhy3-1.6.0/examples/multiprecision/sqrt/000077500000000000000000000000001440160026300202615ustar00rootroot00000000000000why3-1.6.0/examples/multiprecision/sqrt/sqrt_Sqrt1_VC_sqrt1_1.v000066400000000000000000000505241440160026300245030ustar00rootroot00000000000000(* This file is generated by Why3's Coq driver *)
(* Beware! Only edit allowed sections below    *)
Require Import BuiltIn.
Require Reals.R_sqrt.
Require Reals.Rtrigo_def.
Require Reals.Rpower.
Require BuiltIn.
Require HighOrd.
Require int.Int.
Require int.Abs.
Require int.EuclideanDivision.
Require int.ComputerDivision.
Require int.Power.
Require real.Real.
Require real.RealInfix.
Require real.FromInt.
Require real.Truncate.
Require real.Square.
Require real.ExpLog.
Require real.PowerReal.
Require map.Map.
Require map.Const.

Require Import Reals.

Axiom uint64 : Type.
Parameter uint64_WhyType : WhyType uint64.
Existing Instance uint64_WhyType.

Parameter uint64'int: uint64 -> Numbers.BinNums.Z.

Axiom uint64'axiom :
  forall (i:uint64),
  (0%Z <= (uint64'int i))%Z /\ ((uint64'int i) <= 18446744073709551615%Z)%Z.

(* Why3 assumption *)
Definition in_bounds (n:Numbers.BinNums.Z) : Prop :=
  (0%Z <= n)%Z /\ (n <= 18446744073709551615%Z)%Z.

Axiom to_int_in_bounds : forall (n:uint64), in_bounds (uint64'int n).

Axiom extensionality :
  forall (x:uint64) (y:uint64), ((uint64'int x) = (uint64'int y)) -> (x = y).

Parameter zero_unsigned: uint64.

Axiom zero_unsigned_is_zero : ((uint64'int zero_unsigned) = 0%Z).

Axiom t : Type.
Parameter t_WhyType : WhyType t.
Existing Instance t_WhyType.

Parameter max: Numbers.BinNums.Z.

Parameter to_int: t -> Numbers.BinNums.Z.

(* Why3 assumption *)
Definition in_bounds1 (n:Numbers.BinNums.Z) : Prop :=
  (0%Z <= n)%Z /\ (n <= max)%Z.

Axiom to_int_in_bounds1 : forall (n:t), in_bounds1 (to_int n).

Axiom extensionality1 :
  forall (x:t) (y:t), ((to_int x) = (to_int y)) -> (x = y).

Parameter zero_unsigned1: t.

Axiom zero_unsigned_is_zero1 : ((to_int zero_unsigned1) = 0%Z).

Parameter radix: Numbers.BinNums.Z.

Axiom radix_def : (radix = (max + 1%Z)%Z).

Axiom int32 : Type.
Parameter int32_WhyType : WhyType int32.
Existing Instance int32_WhyType.

Parameter int32'int: int32 -> Numbers.BinNums.Z.

Axiom int32'axiom :
  forall (i:int32),
  ((-2147483648%Z)%Z <= (int32'int i))%Z /\ ((int32'int i) <= 2147483647%Z)%Z.

(* Why3 assumption *)
Definition in_bounds2 (n:Numbers.BinNums.Z) : Prop :=
  ((-2147483648%Z)%Z <= n)%Z /\ (n <= 2147483647%Z)%Z.

Axiom to_int_in_bounds2 : forall (n:int32), in_bounds2 (int32'int n).

Axiom extensionality2 :
  forall (x:int32) (y:int32), ((int32'int x) = (int32'int y)) -> (x = y).

Axiom uint32 : Type.
Parameter uint32_WhyType : WhyType uint32.
Existing Instance uint32_WhyType.

Parameter uint32'int: uint32 -> Numbers.BinNums.Z.

Axiom uint32'axiom :
  forall (i:uint32),
  (0%Z <= (uint32'int i))%Z /\ ((uint32'int i) <= 4294967295%Z)%Z.

(* Why3 assumption *)
Definition in_bounds3 (n:Numbers.BinNums.Z) : Prop :=
  (0%Z <= n)%Z /\ (n <= 4294967295%Z)%Z.

Axiom to_int_in_bounds3 : forall (n:uint32), in_bounds3 (uint32'int n).

Axiom extensionality3 :
  forall (x:uint32) (y:uint32), ((uint32'int x) = (uint32'int y)) -> (x = y).

Parameter zero_unsigned2: uint32.

Axiom zero_unsigned_is_zero2 : ((uint32'int zero_unsigned2) = 0%Z).

Parameter is_msb_set: uint32 -> Prop.

Axiom is_msb_set'spec :
  forall (x:uint32),
  is_msb_set x <-> (4294967295%Z < (2%Z * (uint32'int x))%Z)%Z.

Axiom array : forall (a:Type), Type.
Parameter array_WhyType :
  forall (a:Type) {a_WT:WhyType a}, WhyType (array a).
Existing Instance array_WhyType.

Parameter elts:
  forall {a:Type} {a_WT:WhyType a}, array a -> Numbers.BinNums.Z -> a.

Parameter length:
  forall {a:Type} {a_WT:WhyType a}, array a -> Numbers.BinNums.Z.

Axiom array'invariant :
  forall {a:Type} {a_WT:WhyType a},
  forall (self:array a), (0%Z <= (length self))%Z.

(* Why3 assumption *)
Definition mixfix_lbrb {a:Type} {a_WT:WhyType a} (a1:array a)
    (i:Numbers.BinNums.Z) : a :=
  elts a1 i.

Parameter mixfix_lblsmnrb:
  forall {a:Type} {a_WT:WhyType a}, array a -> Numbers.BinNums.Z -> a ->
  array a.

Axiom mixfix_lblsmnrb'spec :
  forall {a:Type} {a_WT:WhyType a},
  forall (a1:array a) (i:Numbers.BinNums.Z) (v:a),
  ((length (mixfix_lblsmnrb a1 i v)) = (length a1)) /\
  ((elts (mixfix_lblsmnrb a1 i v)) = (map.Map.set (elts a1) i v)).

Parameter make:
  forall {a:Type} {a_WT:WhyType a}, Numbers.BinNums.Z -> a -> array a.

Axiom make'spec :
  forall {a:Type} {a_WT:WhyType a},
  forall (n:Numbers.BinNums.Z) (v:a), (0%Z <= n)%Z ->
  (forall (i:Numbers.BinNums.Z), (0%Z <= i)%Z /\ (i < n)%Z ->
   ((mixfix_lbrb (make n v) i) = v)) /\
  ((length (make n v)) = n).

(* Why3 assumption *)
Definition in_us_bounds (n:Numbers.BinNums.Z) : Prop :=
  (0%Z <= n)%Z /\ (n <= 4294967295%Z)%Z.

(* Why3 assumption *)
Definition in_bounds4 (n:Numbers.BinNums.Z) : Prop :=
  ((-2147483648%Z)%Z <= n)%Z /\ (n <= 2147483647%Z)%Z.

(* Why3 assumption *)
Inductive ref (a:Type) :=
  | ref'mk : a -> ref a.
Axiom ref_WhyType : forall (a:Type) {a_WT:WhyType a}, WhyType (ref a).
Existing Instance ref_WhyType.
Arguments ref'mk {a}.

(* Why3 assumption *)
Definition contents {a:Type} {a_WT:WhyType a} (v:ref a) : a :=
  match v with
  | ref'mk x => x
  end.

Axiom zone : Type.
Parameter zone_WhyType : WhyType zone.
Existing Instance zone_WhyType.

Parameter null_zone: zone.

Axiom ptr : forall (a:Type), Type.
Parameter ptr_WhyType : forall (a:Type) {a_WT:WhyType a}, WhyType (ptr a).
Existing Instance ptr_WhyType.

Parameter data: forall {a:Type} {a_WT:WhyType a}, ptr a -> array a.

Parameter offset:
  forall {a:Type} {a_WT:WhyType a}, ptr a -> Numbers.BinNums.Z.

Parameter min: forall {a:Type} {a_WT:WhyType a}, ptr a -> Numbers.BinNums.Z.

Parameter max1: forall {a:Type} {a_WT:WhyType a}, ptr a -> Numbers.BinNums.Z.

Parameter zone1: forall {a:Type} {a_WT:WhyType a}, ptr a -> zone.

(* Why3 assumption *)
Definition plength {a:Type} {a_WT:WhyType a} (p:ptr a) : Numbers.BinNums.Z :=
  length (data p).

(* Why3 assumption *)
Definition pelts {a:Type} {a_WT:WhyType a} (p:ptr a) : Numbers.BinNums.Z -> a :=
  elts (data p).

Parameter is_not_null: forall {a:Type} {a_WT:WhyType a}, ptr a -> Prop.

Axiom is_not_null'spec :
  forall {a:Type} {a_WT:WhyType a},
  forall (p:ptr a), is_not_null p <-> ~ ((zone1 p) = null_zone).

(* Why3 assumption *)
Definition valid_ptr_shift {a:Type} {a_WT:WhyType a} (p:ptr a)
    (i:Numbers.BinNums.Z) : Prop :=
  ((min p) <= ((offset p) + i)%Z)%Z /\ (((offset p) + i)%Z < (max1 p))%Z.

(* Why3 assumption *)
Definition valid {a:Type} {a_WT:WhyType a} (p:ptr a) (sz:Numbers.BinNums.Z) :
    Prop :=
  in_bounds4 sz /\
  (0%Z <= sz)%Z /\
  ((0%Z <= (min p))%Z /\ ((min p) <= (offset p))%Z) /\
  (((offset p) + sz)%Z <= (max1 p))%Z /\ ((max1 p) <= (plength p))%Z.

Axiom valid_itv_to_shift :
  forall {a:Type} {a_WT:WhyType a},
  forall (p:ptr a) (sz:Numbers.BinNums.Z), valid p sz ->
  forall (i:Numbers.BinNums.Z), (0%Z <= i)%Z /\ (i < sz)%Z ->
  valid_ptr_shift p i.

(* Why3 assumption *)
Definition map_eq_sub {a:Type} {a_WT:WhyType a} (a1:Numbers.BinNums.Z -> a)
    (a2:Numbers.BinNums.Z -> a) (l:Numbers.BinNums.Z) (u:Numbers.BinNums.Z) :
    Prop :=
  forall (i:Numbers.BinNums.Z), (l <= i)%Z /\ (i < u)%Z -> ((a1 i) = (a2 i)).

(* Why3 assumption *)
Definition map_eq_sub_shift {a:Type} {a_WT:WhyType a}
    (x:Numbers.BinNums.Z -> a) (y:Numbers.BinNums.Z -> a)
    (xi:Numbers.BinNums.Z) (yi:Numbers.BinNums.Z) (sz:Numbers.BinNums.Z) :
    Prop :=
  forall (i:Numbers.BinNums.Z), (0%Z <= i)%Z /\ (i < sz)%Z ->
  ((x (xi + i)%Z) = (y (yi + i)%Z)).

Axiom map_eq_shift :
  forall {a:Type} {a_WT:WhyType a},
  forall (x:Numbers.BinNums.Z -> a) (y:Numbers.BinNums.Z -> a)
    (xi:Numbers.BinNums.Z) (yi:Numbers.BinNums.Z) (sz:Numbers.BinNums.Z)
    (k:Numbers.BinNums.Z),
  map_eq_sub_shift x y xi yi sz -> (0%Z <= k)%Z /\ (k < sz)%Z ->
  ((x (xi + k)%Z) = (y (yi + k)%Z)).

Axiom map_eq_shift_zero :
  forall {a:Type} {a_WT:WhyType a},
  forall (x:Numbers.BinNums.Z -> a) (y:Numbers.BinNums.Z -> a)
    (n:Numbers.BinNums.Z) (m:Numbers.BinNums.Z),
  map_eq_sub_shift x y n n (m - n)%Z -> map_eq_sub x y n m.

Axiom int64 : Type.
Parameter int64_WhyType : WhyType int64.
Existing Instance int64_WhyType.

Parameter int64'int: int64 -> Numbers.BinNums.Z.

Axiom int64'axiom :
  forall (i:int64),
  ((-9223372036854775808%Z)%Z <= (int64'int i))%Z /\
  ((int64'int i) <= 9223372036854775807%Z)%Z.

(* Why3 assumption *)
Definition in_bounds5 (n:Numbers.BinNums.Z) : Prop :=
  ((-9223372036854775808%Z)%Z <= n)%Z /\ (n <= 9223372036854775807%Z)%Z.

Axiom to_int_in_bounds4 : forall (n:int64), in_bounds5 (int64'int n).

Axiom extensionality4 :
  forall (x:int64) (y:int64), ((int64'int x) = (int64'int y)) -> (x = y).

(* Why3 assumption *)
Definition in_bounds6 (n:Numbers.BinNums.Z) : Prop :=
  (0%Z <= n)%Z /\ (n <= 18446744073709551615%Z)%Z.

Axiom to_int_in_bounds5 : forall (n:uint64), in_bounds6 (uint64'int n).

Axiom extensionality5 :
  forall (x:uint64) (y:uint64), ((uint64'int x) = (uint64'int y)) -> (x = y).

Parameter zero_unsigned3: uint64.

Axiom zero_unsigned_is_zero3 : ((uint64'int zero_unsigned3) = 0%Z).

Parameter uint64_max: uint64.

Axiom uint64_max'def : ((uint64'int uint64_max) = 18446744073709551615%Z).

Parameter is_msb_set1: uint64 -> Prop.

Axiom is_msb_set'spec1 :
  forall (x:uint64),
  is_msb_set1 x <-> (18446744073709551615%Z < (2%Z * (uint64'int x))%Z)%Z.

(* Why3 assumption *)
Definition limb := uint64.

(* Why3 assumption *)
Definition t1 := ptr uint64.

Axiom limb_max_bound : (1%Z <= 18446744073709551615%Z)%Z.

Axiom prod_compat_strict_r :
  forall (a:Numbers.BinNums.Z) (b:Numbers.BinNums.Z) (c:Numbers.BinNums.Z),
  (0%Z <= a)%Z /\ (a < b)%Z -> (0%Z < c)%Z -> ((c * a)%Z < (c * b)%Z)%Z.

Axiom prod_compat_r :
  forall (a:Numbers.BinNums.Z) (b:Numbers.BinNums.Z) (c:Numbers.BinNums.Z),
  (0%Z <= a)%Z /\ (a <= b)%Z -> (0%Z <= c)%Z -> ((c * a)%Z <= (c * b)%Z)%Z.

Parameter value_sub:
  (Numbers.BinNums.Z -> uint64) -> Numbers.BinNums.Z -> Numbers.BinNums.Z ->
  Numbers.BinNums.Z.

Axiom value_sub'def :
  forall (x:Numbers.BinNums.Z -> uint64) (n:Numbers.BinNums.Z)
    (m:Numbers.BinNums.Z),
  ((n < m)%Z ->
   ((value_sub x n m) =
    ((uint64'int (x n)) +
     ((18446744073709551615%Z + 1%Z)%Z * (value_sub x (n + 1%Z)%Z m))%Z)%Z)) /\
  (~ (n < m)%Z -> ((value_sub x n m) = 0%Z)).

Axiom value_sub_frame :
  forall (x:Numbers.BinNums.Z -> uint64) (y:Numbers.BinNums.Z -> uint64)
    (n:Numbers.BinNums.Z) (m:Numbers.BinNums.Z),
  map_eq_sub x y n m -> ((value_sub x n m) = (value_sub y n m)).

Axiom value_sub_frame_shift :
  forall (x:Numbers.BinNums.Z -> uint64) (y:Numbers.BinNums.Z -> uint64)
    (xi:Numbers.BinNums.Z) (yi:Numbers.BinNums.Z) (sz:Numbers.BinNums.Z),
  map_eq_sub_shift x y xi yi sz ->
  ((value_sub x xi (xi + sz)%Z) = (value_sub y yi (yi + sz)%Z)).

Axiom value_sub_tail :
  forall (x:Numbers.BinNums.Z -> uint64) (n:Numbers.BinNums.Z)
    (m:Numbers.BinNums.Z),
  (n <= m)%Z ->
  ((value_sub x n (m + 1%Z)%Z) =
   ((value_sub x n m) +
    ((uint64'int (x m)) *
     (int.Power.power (18446744073709551615%Z + 1%Z)%Z (m - n)%Z))%Z)%Z).

Axiom value_sub_concat :
  forall (x:Numbers.BinNums.Z -> uint64) (n:Numbers.BinNums.Z)
    (m:Numbers.BinNums.Z) (l:Numbers.BinNums.Z),
  (n <= m)%Z /\ (m <= l)%Z ->
  ((value_sub x n l) =
   ((value_sub x n m) +
    ((value_sub x m l) *
     (int.Power.power (18446744073709551615%Z + 1%Z)%Z (m - n)%Z))%Z)%Z).

Axiom value_sub_head :
  forall (x:Numbers.BinNums.Z -> uint64) (n:Numbers.BinNums.Z)
    (m:Numbers.BinNums.Z),
  (n < m)%Z ->
  ((value_sub x n m) =
   ((uint64'int (x n)) +
    ((18446744073709551615%Z + 1%Z)%Z * (value_sub x (n + 1%Z)%Z m))%Z)%Z).

Axiom value_sub_update :
  forall (x:Numbers.BinNums.Z -> uint64) (i:Numbers.BinNums.Z)
    (n:Numbers.BinNums.Z) (m:Numbers.BinNums.Z) (v:uint64),
  (n <= i)%Z /\ (i < m)%Z ->
  ((value_sub (map.Map.set x i v) n m) =
   ((value_sub x n m) +
    ((int.Power.power (18446744073709551615%Z + 1%Z)%Z (i - n)%Z) *
     ((uint64'int v) - (uint64'int (x i)))%Z)%Z)%Z).

Axiom value_zero :
  forall (x:Numbers.BinNums.Z -> uint64) (n:Numbers.BinNums.Z)
    (m:Numbers.BinNums.Z),
  map_eq_sub x (map.Const.const zero_unsigned3 : Numbers.BinNums.Z -> uint64)
  n m -> ((value_sub x n m) = 0%Z).

Axiom value_sub_update_no_change :
  forall (x:Numbers.BinNums.Z -> uint64) (i:Numbers.BinNums.Z)
    (n:Numbers.BinNums.Z) (m:Numbers.BinNums.Z) (v:uint64),
  (n <= m)%Z -> (i < n)%Z \/ (m <= i)%Z ->
  ((value_sub x n m) = (value_sub (map.Map.set x i v) n m)).

Axiom value_sub_shift_no_change :
  forall (x:Numbers.BinNums.Z -> uint64) (ofs:Numbers.BinNums.Z)
    (i:Numbers.BinNums.Z) (sz:Numbers.BinNums.Z) (v:uint64),
  (i < 0%Z)%Z \/ (sz <= i)%Z -> (0%Z <= sz)%Z ->
  ((value_sub x ofs (ofs + sz)%Z) =
   (value_sub (map.Map.set x (ofs + i)%Z v) ofs (ofs + sz)%Z)).

Axiom value_sub_lower_bound :
  forall (x:Numbers.BinNums.Z -> uint64) (x1:Numbers.BinNums.Z)
    (x2:Numbers.BinNums.Z),
  (0%Z <= (value_sub x x1 x2))%Z.

Axiom value_sub_upper_bound :
  forall (x:Numbers.BinNums.Z -> uint64) (x1:Numbers.BinNums.Z)
    (x2:Numbers.BinNums.Z),
  (x1 <= x2)%Z ->
  ((value_sub x x1 x2) <
   (int.Power.power (18446744073709551615%Z + 1%Z)%Z (x2 - x1)%Z))%Z.

Axiom value_sub_lower_bound_tight :
  forall (x:Numbers.BinNums.Z -> uint64) (x1:Numbers.BinNums.Z)
    (x2:Numbers.BinNums.Z),
  (x1 < x2)%Z ->
  (((int.Power.power (18446744073709551615%Z + 1%Z)%Z ((x2 - x1)%Z - 1%Z)%Z)
    * (uint64'int (x (x2 - 1%Z)%Z)))%Z
   <= (value_sub x x1 x2))%Z.

Axiom value_sub_upper_bound_tight :
  forall (x:Numbers.BinNums.Z -> uint64) (x1:Numbers.BinNums.Z)
    (x2:Numbers.BinNums.Z),
  (x1 < x2)%Z ->
  ((value_sub x x1 x2) <
   ((int.Power.power (18446744073709551615%Z + 1%Z)%Z ((x2 - x1)%Z - 1%Z)%Z)
    * ((uint64'int (x (x2 - 1%Z)%Z)) + 1%Z)%Z)%Z)%Z.

(* Why3 assumption *)
Definition value (x:ptr uint64) (sz:Numbers.BinNums.Z) : Numbers.BinNums.Z :=
  value_sub (pelts x) (offset x) ((offset x) + sz)%Z.

Axiom value_concat :
  forall (x:ptr uint64) (n:int32) (m:int32),
  (0%Z <= (int32'int n))%Z /\ ((int32'int n) <= (int32'int m))%Z ->
  ((value x (int32'int m)) =
   ((value x (int32'int n)) +
    ((int.Power.power (18446744073709551615%Z + 1%Z)%Z (int32'int n)) *
     (value_sub (pelts x) ((offset x) + (int32'int n))%Z
      ((offset x) + (int32'int m))%Z))%Z)%Z).

(* Why3 assumption *)
Definition pow2 (k:Numbers.BinNums.Z) : Reals.Rdefinitions.R :=
  Reals.Rpower.Rpower 2%R (BuiltIn.IZR k).

(* Why3 assumption *)
Definition trunc_at (x:Reals.Rdefinitions.R) (k:Numbers.BinNums.Z) :
    Reals.Rdefinitions.R :=
  ((BuiltIn.IZR (real.Truncate.floor (x * (pow2 (-k)%Z))%R)) * (pow2 k))%R.

Axiom fxp : Type.
Parameter fxp_WhyType : WhyType fxp.
Existing Instance fxp_WhyType.

Parameter ival: fxp -> uint64.

Parameter rval: fxp -> Reals.Rdefinitions.R.

Parameter iexp: fxp -> Numbers.BinNums.Z.

Axiom fxp'invariant :
  forall (self:fxp),
  ((rval self) = (trunc_at (rval self) (iexp self))) /\
  ((uint64'int (ival self)) =
   (int.EuclideanDivision.mod1
    (real.Truncate.floor ((rval self) * (pow2 (-(iexp self))%Z))%R)
    (18446744073709551615%Z + 1%Z)%Z)).

Axiom trunc_lower_bound :
  forall (x:Reals.Rdefinitions.R) (k:Numbers.BinNums.Z),
  (x < ((trunc_at x k) + (pow2 k))%R)%R.

Parameter rp: ptr uint64.

Parameter a0: uint64.

Axiom Requires : valid rp 1%Z.

Axiom Requires1 : (4611686018427387904%Z <= (uint64'int a0))%Z.

Parameter a: fxp.

Axiom H : ((ival a) = a0).

Axiom H1 : ((rval a) = ((BuiltIn.IZR (uint64'int a0)) * (pow2 (-64%Z)%Z))%R).

Axiom H2 : ((iexp a) = (-64%Z)%Z).

Axiom Assert :
  ((25 / 100)%R <= (rval a))%R /\
  ((rval a) <= (18446744073709551615 / 18446744073709551616)%R)%R.

Axiom Assert1 : (0%R < (rval a))%R.

Parameter x0: fxp.

Axiom Ensures : ((iexp x0) = (-8%Z)%Z).

Axiom H3 : (256%Z <= (uint64'int (ival x0)))%Z.

Axiom H4 : ((uint64'int (ival x0)) <= 511%Z)%Z.

Axiom H5 : (1%R <= (rval x0))%R.

Axiom H6 : ((rval x0) <= 2%R)%R.

Axiom Ensures1 :
  let rsa := (1%R / (Reals.R_sqrt.sqrt (rval a)))%R in
  let e0 := (((rval x0) - rsa)%R / rsa)%R in
  ((-(00281 / 100000)%R)%R <= e0)%R /\ (e0 <= (002655 / 1000000)%R)%R.

Parameter a1: fxp.

Axiom Ensures2 : ((rval a1) = (trunc_at (rval a) ((iexp a) + 31%Z)%Z)).

Axiom Ensures3 : ((iexp a1) = ((iexp a) + 31%Z)%Z).

Parameter o: fxp.

Parameter rliteral: uint64.

Axiom rliteral_axiom : ((uint64'int rliteral) = 196608%Z).

Axiom H7 : ((ival o) = rliteral).

Axiom H8 : ((rval o) = ((BuiltIn.IZR 196608%Z) * (pow2 (-49%Z)%Z))%R).

Axiom H9 : ((iexp o) = (-49%Z)%Z).

Parameter o1: fxp.

Parameter rliteral1: uint64.

Axiom rliteral_axiom1 : ((uint64'int rliteral1) = 562949953421312%Z).

Axiom H10 : ((ival o1) = rliteral1).

Axiom H11 :
  ((rval o1) = ((BuiltIn.IZR 562949953421312%Z) * (pow2 (-49%Z)%Z))%R).

Axiom H12 : ((iexp o1) = (-49%Z)%Z).

Parameter m1: fxp.

Axiom Ensures4 : ((rval m1) = ((rval o1) - (rval o))%R).

Axiom Ensures5 : ((iexp m1) = (iexp o1)).

Parameter o2: fxp.

Axiom Ensures6 : ((rval o2) = ((rval x0) * (rval x0))%R).

Axiom Ensures7 : ((iexp o2) = ((iexp x0) + (iexp x0))%Z).

Parameter o3: fxp.

Axiom Ensures8 : ((rval o3) = ((rval o2) * (rval a1))%R).

Axiom Ensures9 : ((iexp o3) = ((iexp o2) + (iexp a1))%Z).

Parameter t1': fxp.

Axiom Ensures10 : ((rval t1') = ((rval m1) - (rval o3))%R).

Axiom Ensures11 : ((iexp t1') = (iexp m1)).

Parameter t11: fxp.

Axiom Ensures12 : ((rval t11) = (trunc_at (rval t1') ((iexp t1') + 16%Z)%Z)).

Axiom Ensures13 : ((iexp t11) = ((iexp t1') + 16%Z)%Z).

Parameter o4: fxp.

Axiom Ensures14 : ((rval o4) = ((rval x0) * (rval t11))%R).

Axiom Ensures15 : ((iexp o4) = ((iexp x0) + (iexp t11))%Z).

Parameter o5: fxp.

Axiom Ensures16 :
  ((rval o5) =
   (trunc_at ((rval o4) * (pow2 (-1%Z)%Z))%R (((iexp o4) + 18%Z)%Z - 1%Z)%Z)).

Axiom Ensures17 : ((iexp o5) = (((iexp o4) + 18%Z)%Z - 1%Z)%Z).

Parameter o6: fxp.

Axiom Ensures18 : ((rval o6) = (rval x0)).

Axiom Ensures19 : ((iexp o6) = ((iexp x0) - 16%Z)%Z).

Parameter x1: fxp.

Axiom Ensures20 : ((rval x1) = ((rval o6) + (rval o5))%R).

Axiom Ensures21 : ((iexp x1) = (iexp o6)).

Axiom Assert2 :
  (((((rval x0) + (((rval x0) * (rval t1'))%R * (5 / 10)%R)%R)%R -
     (1%R / (Reals.R_sqrt.sqrt (rval a)))%R)%R
    / (1%R / (Reals.R_sqrt.sqrt (rval a)))%R)%R
   =
   ((-(5 / 10)%R)%R *
    ((((((rval x0) - (1%R / (Reals.R_sqrt.sqrt (rval a)))%R)%R /
        (1%R / (Reals.R_sqrt.sqrt (rval a)))%R)%R
       *
       (((rval x0) - (1%R / (Reals.R_sqrt.sqrt (rval a)))%R)%R /
        (1%R / (Reals.R_sqrt.sqrt (rval a)))%R)%R)%R
      *
      (3%R +
       (((rval x0) - (1%R / (Reals.R_sqrt.sqrt (rval a)))%R)%R /
        (1%R / (Reals.R_sqrt.sqrt (rval a)))%R)%R)%R)%R
     +
     ((1%R +
       (((rval x0) - (1%R / (Reals.R_sqrt.sqrt (rval a)))%R)%R /
        (1%R / (Reals.R_sqrt.sqrt (rval a)))%R)%R)%R
      *
      ((1%R - (rval m1))%R +
       (((1%R +
          (((rval x0) - (1%R / (Reals.R_sqrt.sqrt (rval a)))%R)%R /
           (1%R / (Reals.R_sqrt.sqrt (rval a)))%R)%R)%R
         *
         (1%R +
          (((rval x0) - (1%R / (Reals.R_sqrt.sqrt (rval a)))%R)%R /
           (1%R / (Reals.R_sqrt.sqrt (rval a)))%R)%R)%R)%R
        * (((rval a1) - (rval a))%R / (rval a))%R)%R)%R)%R)%R)%R).

Parameter a2: fxp.

Axiom Ensures22 : ((rval a2) = (trunc_at (rval a) ((iexp a) + 24%Z)%Z)).

Axiom Ensures23 : ((iexp a2) = ((iexp a) + 24%Z)%Z).

Parameter u1: fxp.

Axiom Ensures24 : ((rval u1) = ((rval x1) * (rval a2))%R).

Axiom Ensures25 : ((iexp u1) = ((iexp x1) + (iexp a2))%Z).

Axiom Assert3 :
  ((((rval u1) - (Reals.R_sqrt.sqrt (rval a)))%R /
    (Reals.R_sqrt.sqrt (rval a)))%R
   =
   (((1%R +
      (((rval x1) - (1%R / (Reals.R_sqrt.sqrt (rval a)))%R)%R /
       (1%R / (Reals.R_sqrt.sqrt (rval a)))%R)%R)%R
     * (1%R + (((rval a2) - (rval a))%R / (rval a))%R)%R)%R
    - 1%R)%R).

Parameter u2: fxp.

Axiom Ensures26 : ((rval u2) = (trunc_at (rval u1) ((iexp u1) + 25%Z)%Z)).

Axiom Ensures27 : ((iexp u2) = ((iexp u1) + 25%Z)%Z).

Parameter m2: fxp.

Parameter rliteral2: uint64.

Axiom rliteral_axiom2 : ((uint64'int rliteral2) = 2473901162496%Z).

Axiom H13 : ((ival m2) = rliteral2).

Axiom H14 :
  ((rval m2) = ((BuiltIn.IZR 2473901162496%Z) * (pow2 (-78%Z)%Z))%R).

Axiom H15 : ((iexp m2) = (-78%Z)%Z).

Parameter o7: fxp.

Axiom Ensures28 : ((rval o7) = ((rval u2) * (rval u2))%R).

Axiom Ensures29 : ((iexp o7) = ((iexp u2) + (iexp u2))%Z).

Parameter o8: fxp.

Axiom Ensures30 : ((rval o8) = (rval a)).

Axiom Ensures31 : ((iexp o8) = ((iexp a) - 14%Z)%Z).

Parameter o9: fxp.

Axiom Ensures32 : ((rval o9) = ((rval o8) - (rval o7))%R).

Axiom Ensures33 : ((iexp o9) = (iexp o8)).

Parameter t2': fxp.

Axiom Ensures34 : ((rval t2') = ((rval o9) - (rval m2))%R).

Axiom Ensures35 : ((iexp t2') = (iexp o9)).

(* Why3 goal *)
Theorem sqrt1'vc :
  (((Reals.R_sqrt.sqrt (rval a)) * (Reals.R_sqrt.sqrt (rval a)))%R =
   (rval a)).
Proof.
set (sa := sqrt (rval a)).
replace (rval a) with (sa^2)%R.
field.
rewrite <- Rsqr_pow2.
apply Rsqr_sqrt, Rlt_le, Assert1.
Qed.why3-1.6.0/examples/multiprecision/sqrt/sqrt_Sqrt1_VC_sqrt1_2.v000066400000000000000000000455251440160026300245110ustar00rootroot00000000000000(* This file is generated by Why3's Coq driver *)
(* Beware! Only edit allowed sections below    *)
Require Import BuiltIn.
Require Reals.R_sqrt.
Require Reals.Rtrigo_def.
Require Reals.Rpower.
Require BuiltIn.
Require HighOrd.
Require int.Int.
Require int.Abs.
Require int.EuclideanDivision.
Require int.ComputerDivision.
Require int.Power.
Require real.Real.
Require real.RealInfix.
Require real.FromInt.
Require real.Truncate.
Require real.Square.
Require real.ExpLog.
Require real.PowerReal.
Require map.Map.
Require map.Const.

Require Import Reals.

Axiom uint64 : Type.
Parameter uint64_WhyType : WhyType uint64.
Existing Instance uint64_WhyType.

Parameter uint64'int: uint64 -> Numbers.BinNums.Z.

Axiom uint64'axiom :
  forall (i:uint64),
  (0%Z <= (uint64'int i))%Z /\ ((uint64'int i) <= 18446744073709551615%Z)%Z.

(* Why3 assumption *)
Definition in_bounds (n:Numbers.BinNums.Z) : Prop :=
  (0%Z <= n)%Z /\ (n <= 18446744073709551615%Z)%Z.

Axiom to_int_in_bounds : forall (n:uint64), in_bounds (uint64'int n).

Axiom extensionality :
  forall (x:uint64) (y:uint64), ((uint64'int x) = (uint64'int y)) -> (x = y).

Parameter zero_unsigned: uint64.

Axiom zero_unsigned_is_zero : ((uint64'int zero_unsigned) = 0%Z).

Axiom t : Type.
Parameter t_WhyType : WhyType t.
Existing Instance t_WhyType.

Parameter max: Numbers.BinNums.Z.

Parameter to_int: t -> Numbers.BinNums.Z.

(* Why3 assumption *)
Definition in_bounds1 (n:Numbers.BinNums.Z) : Prop :=
  (0%Z <= n)%Z /\ (n <= max)%Z.

Axiom to_int_in_bounds1 : forall (n:t), in_bounds1 (to_int n).

Axiom extensionality1 :
  forall (x:t) (y:t), ((to_int x) = (to_int y)) -> (x = y).

Parameter zero_unsigned1: t.

Axiom zero_unsigned_is_zero1 : ((to_int zero_unsigned1) = 0%Z).

Parameter radix: Numbers.BinNums.Z.

Axiom radix_def : (radix = (max + 1%Z)%Z).

Axiom int32 : Type.
Parameter int32_WhyType : WhyType int32.
Existing Instance int32_WhyType.

Parameter int32'int: int32 -> Numbers.BinNums.Z.

Axiom int32'axiom :
  forall (i:int32),
  ((-2147483648%Z)%Z <= (int32'int i))%Z /\ ((int32'int i) <= 2147483647%Z)%Z.

(* Why3 assumption *)
Definition in_bounds2 (n:Numbers.BinNums.Z) : Prop :=
  ((-2147483648%Z)%Z <= n)%Z /\ (n <= 2147483647%Z)%Z.

Axiom to_int_in_bounds2 : forall (n:int32), in_bounds2 (int32'int n).

Axiom extensionality2 :
  forall (x:int32) (y:int32), ((int32'int x) = (int32'int y)) -> (x = y).

Axiom uint32 : Type.
Parameter uint32_WhyType : WhyType uint32.
Existing Instance uint32_WhyType.

Parameter uint32'int: uint32 -> Numbers.BinNums.Z.

Axiom uint32'axiom :
  forall (i:uint32),
  (0%Z <= (uint32'int i))%Z /\ ((uint32'int i) <= 4294967295%Z)%Z.

(* Why3 assumption *)
Definition in_bounds3 (n:Numbers.BinNums.Z) : Prop :=
  (0%Z <= n)%Z /\ (n <= 4294967295%Z)%Z.

Axiom to_int_in_bounds3 : forall (n:uint32), in_bounds3 (uint32'int n).

Axiom extensionality3 :
  forall (x:uint32) (y:uint32), ((uint32'int x) = (uint32'int y)) -> (x = y).

Parameter zero_unsigned2: uint32.

Axiom zero_unsigned_is_zero2 : ((uint32'int zero_unsigned2) = 0%Z).

Parameter is_msb_set: uint32 -> Prop.

Axiom is_msb_set'spec :
  forall (x:uint32),
  is_msb_set x <-> (4294967295%Z < (2%Z * (uint32'int x))%Z)%Z.

Axiom array : forall (a:Type), Type.
Parameter array_WhyType :
  forall (a:Type) {a_WT:WhyType a}, WhyType (array a).
Existing Instance array_WhyType.

Parameter elts:
  forall {a:Type} {a_WT:WhyType a}, array a -> Numbers.BinNums.Z -> a.

Parameter length:
  forall {a:Type} {a_WT:WhyType a}, array a -> Numbers.BinNums.Z.

Axiom array'invariant :
  forall {a:Type} {a_WT:WhyType a},
  forall (self:array a), (0%Z <= (length self))%Z.

(* Why3 assumption *)
Definition mixfix_lbrb {a:Type} {a_WT:WhyType a} (a1:array a)
    (i:Numbers.BinNums.Z) : a :=
  elts a1 i.

Parameter mixfix_lblsmnrb:
  forall {a:Type} {a_WT:WhyType a}, array a -> Numbers.BinNums.Z -> a ->
  array a.

Axiom mixfix_lblsmnrb'spec :
  forall {a:Type} {a_WT:WhyType a},
  forall (a1:array a) (i:Numbers.BinNums.Z) (v:a),
  ((length (mixfix_lblsmnrb a1 i v)) = (length a1)) /\
  ((elts (mixfix_lblsmnrb a1 i v)) = (map.Map.set (elts a1) i v)).

Parameter make:
  forall {a:Type} {a_WT:WhyType a}, Numbers.BinNums.Z -> a -> array a.

Axiom make'spec :
  forall {a:Type} {a_WT:WhyType a},
  forall (n:Numbers.BinNums.Z) (v:a), (0%Z <= n)%Z ->
  (forall (i:Numbers.BinNums.Z), (0%Z <= i)%Z /\ (i < n)%Z ->
   ((mixfix_lbrb (make n v) i) = v)) /\
  ((length (make n v)) = n).

(* Why3 assumption *)
Definition in_us_bounds (n:Numbers.BinNums.Z) : Prop :=
  (0%Z <= n)%Z /\ (n <= 4294967295%Z)%Z.

(* Why3 assumption *)
Definition in_bounds4 (n:Numbers.BinNums.Z) : Prop :=
  ((-2147483648%Z)%Z <= n)%Z /\ (n <= 2147483647%Z)%Z.

(* Why3 assumption *)
Inductive ref (a:Type) :=
  | ref'mk : a -> ref a.
Axiom ref_WhyType : forall (a:Type) {a_WT:WhyType a}, WhyType (ref a).
Existing Instance ref_WhyType.
Arguments ref'mk {a}.

(* Why3 assumption *)
Definition contents {a:Type} {a_WT:WhyType a} (v:ref a) : a :=
  match v with
  | ref'mk x => x
  end.

Axiom zone : Type.
Parameter zone_WhyType : WhyType zone.
Existing Instance zone_WhyType.

Parameter null_zone: zone.

Axiom ptr : forall (a:Type), Type.
Parameter ptr_WhyType : forall (a:Type) {a_WT:WhyType a}, WhyType (ptr a).
Existing Instance ptr_WhyType.

Parameter data: forall {a:Type} {a_WT:WhyType a}, ptr a -> array a.

Parameter offset:
  forall {a:Type} {a_WT:WhyType a}, ptr a -> Numbers.BinNums.Z.

Parameter min: forall {a:Type} {a_WT:WhyType a}, ptr a -> Numbers.BinNums.Z.

Parameter max1: forall {a:Type} {a_WT:WhyType a}, ptr a -> Numbers.BinNums.Z.

Parameter zone1: forall {a:Type} {a_WT:WhyType a}, ptr a -> zone.

(* Why3 assumption *)
Definition plength {a:Type} {a_WT:WhyType a} (p:ptr a) : Numbers.BinNums.Z :=
  length (data p).

(* Why3 assumption *)
Definition pelts {a:Type} {a_WT:WhyType a} (p:ptr a) : Numbers.BinNums.Z -> a :=
  elts (data p).

Parameter is_not_null: forall {a:Type} {a_WT:WhyType a}, ptr a -> Prop.

Axiom is_not_null'spec :
  forall {a:Type} {a_WT:WhyType a},
  forall (p:ptr a), is_not_null p <-> ~ ((zone1 p) = null_zone).

(* Why3 assumption *)
Definition valid_ptr_shift {a:Type} {a_WT:WhyType a} (p:ptr a)
    (i:Numbers.BinNums.Z) : Prop :=
  ((min p) <= ((offset p) + i)%Z)%Z /\ (((offset p) + i)%Z < (max1 p))%Z.

(* Why3 assumption *)
Definition valid {a:Type} {a_WT:WhyType a} (p:ptr a) (sz:Numbers.BinNums.Z) :
    Prop :=
  in_bounds4 sz /\
  (0%Z <= sz)%Z /\
  ((0%Z <= (min p))%Z /\ ((min p) <= (offset p))%Z) /\
  (((offset p) + sz)%Z <= (max1 p))%Z /\ ((max1 p) <= (plength p))%Z.

Axiom valid_itv_to_shift :
  forall {a:Type} {a_WT:WhyType a},
  forall (p:ptr a) (sz:Numbers.BinNums.Z), valid p sz ->
  forall (i:Numbers.BinNums.Z), (0%Z <= i)%Z /\ (i < sz)%Z ->
  valid_ptr_shift p i.

(* Why3 assumption *)
Definition map_eq_sub {a:Type} {a_WT:WhyType a} (a1:Numbers.BinNums.Z -> a)
    (a2:Numbers.BinNums.Z -> a) (l:Numbers.BinNums.Z) (u:Numbers.BinNums.Z) :
    Prop :=
  forall (i:Numbers.BinNums.Z), (l <= i)%Z /\ (i < u)%Z -> ((a1 i) = (a2 i)).

(* Why3 assumption *)
Definition map_eq_sub_shift {a:Type} {a_WT:WhyType a}
    (x:Numbers.BinNums.Z -> a) (y:Numbers.BinNums.Z -> a)
    (xi:Numbers.BinNums.Z) (yi:Numbers.BinNums.Z) (sz:Numbers.BinNums.Z) :
    Prop :=
  forall (i:Numbers.BinNums.Z), (0%Z <= i)%Z /\ (i < sz)%Z ->
  ((x (xi + i)%Z) = (y (yi + i)%Z)).

Axiom map_eq_shift :
  forall {a:Type} {a_WT:WhyType a},
  forall (x:Numbers.BinNums.Z -> a) (y:Numbers.BinNums.Z -> a)
    (xi:Numbers.BinNums.Z) (yi:Numbers.BinNums.Z) (sz:Numbers.BinNums.Z)
    (k:Numbers.BinNums.Z),
  map_eq_sub_shift x y xi yi sz -> (0%Z <= k)%Z /\ (k < sz)%Z ->
  ((x (xi + k)%Z) = (y (yi + k)%Z)).

Axiom map_eq_shift_zero :
  forall {a:Type} {a_WT:WhyType a},
  forall (x:Numbers.BinNums.Z -> a) (y:Numbers.BinNums.Z -> a)
    (n:Numbers.BinNums.Z) (m:Numbers.BinNums.Z),
  map_eq_sub_shift x y n n (m - n)%Z -> map_eq_sub x y n m.

Axiom int64 : Type.
Parameter int64_WhyType : WhyType int64.
Existing Instance int64_WhyType.

Parameter int64'int: int64 -> Numbers.BinNums.Z.

Axiom int64'axiom :
  forall (i:int64),
  ((-9223372036854775808%Z)%Z <= (int64'int i))%Z /\
  ((int64'int i) <= 9223372036854775807%Z)%Z.

(* Why3 assumption *)
Definition in_bounds5 (n:Numbers.BinNums.Z) : Prop :=
  ((-9223372036854775808%Z)%Z <= n)%Z /\ (n <= 9223372036854775807%Z)%Z.

Axiom to_int_in_bounds4 : forall (n:int64), in_bounds5 (int64'int n).

Axiom extensionality4 :
  forall (x:int64) (y:int64), ((int64'int x) = (int64'int y)) -> (x = y).

(* Why3 assumption *)
Definition in_bounds6 (n:Numbers.BinNums.Z) : Prop :=
  (0%Z <= n)%Z /\ (n <= 18446744073709551615%Z)%Z.

Axiom to_int_in_bounds5 : forall (n:uint64), in_bounds6 (uint64'int n).

Axiom extensionality5 :
  forall (x:uint64) (y:uint64), ((uint64'int x) = (uint64'int y)) -> (x = y).

Parameter zero_unsigned3: uint64.

Axiom zero_unsigned_is_zero3 : ((uint64'int zero_unsigned3) = 0%Z).

Parameter uint64_max: uint64.

Axiom uint64_max'def : ((uint64'int uint64_max) = 18446744073709551615%Z).

Parameter is_msb_set1: uint64 -> Prop.

Axiom is_msb_set'spec1 :
  forall (x:uint64),
  is_msb_set1 x <-> (18446744073709551615%Z < (2%Z * (uint64'int x))%Z)%Z.

(* Why3 assumption *)
Definition limb := uint64.

(* Why3 assumption *)
Definition t1 := ptr uint64.

Axiom limb_max_bound : (1%Z <= 18446744073709551615%Z)%Z.

Axiom prod_compat_strict_r :
  forall (a:Numbers.BinNums.Z) (b:Numbers.BinNums.Z) (c:Numbers.BinNums.Z),
  (0%Z <= a)%Z /\ (a < b)%Z -> (0%Z < c)%Z -> ((c * a)%Z < (c * b)%Z)%Z.

Axiom prod_compat_r :
  forall (a:Numbers.BinNums.Z) (b:Numbers.BinNums.Z) (c:Numbers.BinNums.Z),
  (0%Z <= a)%Z /\ (a <= b)%Z -> (0%Z <= c)%Z -> ((c * a)%Z <= (c * b)%Z)%Z.

Parameter value_sub:
  (Numbers.BinNums.Z -> uint64) -> Numbers.BinNums.Z -> Numbers.BinNums.Z ->
  Numbers.BinNums.Z.

Axiom value_sub'def :
  forall (x:Numbers.BinNums.Z -> uint64) (n:Numbers.BinNums.Z)
    (m:Numbers.BinNums.Z),
  ((n < m)%Z ->
   ((value_sub x n m) =
    ((uint64'int (x n)) +
     ((18446744073709551615%Z + 1%Z)%Z * (value_sub x (n + 1%Z)%Z m))%Z)%Z)) /\
  (~ (n < m)%Z -> ((value_sub x n m) = 0%Z)).

Axiom value_sub_frame :
  forall (x:Numbers.BinNums.Z -> uint64) (y:Numbers.BinNums.Z -> uint64)
    (n:Numbers.BinNums.Z) (m:Numbers.BinNums.Z),
  map_eq_sub x y n m -> ((value_sub x n m) = (value_sub y n m)).

Axiom value_sub_frame_shift :
  forall (x:Numbers.BinNums.Z -> uint64) (y:Numbers.BinNums.Z -> uint64)
    (xi:Numbers.BinNums.Z) (yi:Numbers.BinNums.Z) (sz:Numbers.BinNums.Z),
  map_eq_sub_shift x y xi yi sz ->
  ((value_sub x xi (xi + sz)%Z) = (value_sub y yi (yi + sz)%Z)).

Axiom value_sub_tail :
  forall (x:Numbers.BinNums.Z -> uint64) (n:Numbers.BinNums.Z)
    (m:Numbers.BinNums.Z),
  (n <= m)%Z ->
  ((value_sub x n (m + 1%Z)%Z) =
   ((value_sub x n m) +
    ((uint64'int (x m)) *
     (int.Power.power (18446744073709551615%Z + 1%Z)%Z (m - n)%Z))%Z)%Z).

Axiom value_sub_concat :
  forall (x:Numbers.BinNums.Z -> uint64) (n:Numbers.BinNums.Z)
    (m:Numbers.BinNums.Z) (l:Numbers.BinNums.Z),
  (n <= m)%Z /\ (m <= l)%Z ->
  ((value_sub x n l) =
   ((value_sub x n m) +
    ((value_sub x m l) *
     (int.Power.power (18446744073709551615%Z + 1%Z)%Z (m - n)%Z))%Z)%Z).

Axiom value_sub_head :
  forall (x:Numbers.BinNums.Z -> uint64) (n:Numbers.BinNums.Z)
    (m:Numbers.BinNums.Z),
  (n < m)%Z ->
  ((value_sub x n m) =
   ((uint64'int (x n)) +
    ((18446744073709551615%Z + 1%Z)%Z * (value_sub x (n + 1%Z)%Z m))%Z)%Z).

Axiom value_sub_update :
  forall (x:Numbers.BinNums.Z -> uint64) (i:Numbers.BinNums.Z)
    (n:Numbers.BinNums.Z) (m:Numbers.BinNums.Z) (v:uint64),
  (n <= i)%Z /\ (i < m)%Z ->
  ((value_sub (map.Map.set x i v) n m) =
   ((value_sub x n m) +
    ((int.Power.power (18446744073709551615%Z + 1%Z)%Z (i - n)%Z) *
     ((uint64'int v) - (uint64'int (x i)))%Z)%Z)%Z).

Axiom value_zero :
  forall (x:Numbers.BinNums.Z -> uint64) (n:Numbers.BinNums.Z)
    (m:Numbers.BinNums.Z),
  map_eq_sub x (map.Const.const zero_unsigned3 : Numbers.BinNums.Z -> uint64)
  n m -> ((value_sub x n m) = 0%Z).

Axiom value_sub_update_no_change :
  forall (x:Numbers.BinNums.Z -> uint64) (i:Numbers.BinNums.Z)
    (n:Numbers.BinNums.Z) (m:Numbers.BinNums.Z) (v:uint64),
  (n <= m)%Z -> (i < n)%Z \/ (m <= i)%Z ->
  ((value_sub x n m) = (value_sub (map.Map.set x i v) n m)).

Axiom value_sub_shift_no_change :
  forall (x:Numbers.BinNums.Z -> uint64) (ofs:Numbers.BinNums.Z)
    (i:Numbers.BinNums.Z) (sz:Numbers.BinNums.Z) (v:uint64),
  (i < 0%Z)%Z \/ (sz <= i)%Z -> (0%Z <= sz)%Z ->
  ((value_sub x ofs (ofs + sz)%Z) =
   (value_sub (map.Map.set x (ofs + i)%Z v) ofs (ofs + sz)%Z)).

Axiom value_sub_lower_bound :
  forall (x:Numbers.BinNums.Z -> uint64) (x1:Numbers.BinNums.Z)
    (x2:Numbers.BinNums.Z),
  (0%Z <= (value_sub x x1 x2))%Z.

Axiom value_sub_upper_bound :
  forall (x:Numbers.BinNums.Z -> uint64) (x1:Numbers.BinNums.Z)
    (x2:Numbers.BinNums.Z),
  (x1 <= x2)%Z ->
  ((value_sub x x1 x2) <
   (int.Power.power (18446744073709551615%Z + 1%Z)%Z (x2 - x1)%Z))%Z.

Axiom value_sub_lower_bound_tight :
  forall (x:Numbers.BinNums.Z -> uint64) (x1:Numbers.BinNums.Z)
    (x2:Numbers.BinNums.Z),
  (x1 < x2)%Z ->
  (((int.Power.power (18446744073709551615%Z + 1%Z)%Z ((x2 - x1)%Z - 1%Z)%Z)
    * (uint64'int (x (x2 - 1%Z)%Z)))%Z
   <= (value_sub x x1 x2))%Z.

Axiom value_sub_upper_bound_tight :
  forall (x:Numbers.BinNums.Z -> uint64) (x1:Numbers.BinNums.Z)
    (x2:Numbers.BinNums.Z),
  (x1 < x2)%Z ->
  ((value_sub x x1 x2) <
   ((int.Power.power (18446744073709551615%Z + 1%Z)%Z ((x2 - x1)%Z - 1%Z)%Z)
    * ((uint64'int (x (x2 - 1%Z)%Z)) + 1%Z)%Z)%Z)%Z.

(* Why3 assumption *)
Definition value (x:ptr uint64) (sz:Numbers.BinNums.Z) : Numbers.BinNums.Z :=
  value_sub (pelts x) (offset x) ((offset x) + sz)%Z.

Axiom value_concat :
  forall (x:ptr uint64) (n:int32) (m:int32),
  (0%Z <= (int32'int n))%Z /\ ((int32'int n) <= (int32'int m))%Z ->
  ((value x (int32'int m)) =
   ((value x (int32'int n)) +
    ((int.Power.power (18446744073709551615%Z + 1%Z)%Z (int32'int n)) *
     (value_sub (pelts x) ((offset x) + (int32'int n))%Z
      ((offset x) + (int32'int m))%Z))%Z)%Z).

(* Why3 assumption *)
Definition pow2 (k:Numbers.BinNums.Z) : Reals.Rdefinitions.R :=
  Reals.Rpower.Rpower 2%R (BuiltIn.IZR k).

(* Why3 assumption *)
Definition trunc_at (x:Reals.Rdefinitions.R) (k:Numbers.BinNums.Z) :
    Reals.Rdefinitions.R :=
  ((BuiltIn.IZR (real.Truncate.floor (x * (pow2 (-k)%Z))%R)) * (pow2 k))%R.

Axiom fxp : Type.
Parameter fxp_WhyType : WhyType fxp.
Existing Instance fxp_WhyType.

Parameter ival: fxp -> uint64.

Parameter rval: fxp -> Reals.Rdefinitions.R.

Parameter iexp: fxp -> Numbers.BinNums.Z.

Axiom fxp'invariant :
  forall (self:fxp),
  ((rval self) = (trunc_at (rval self) (iexp self))) /\
  ((uint64'int (ival self)) =
   (int.EuclideanDivision.mod1
    (real.Truncate.floor ((rval self) * (pow2 (-(iexp self))%Z))%R)
    (18446744073709551615%Z + 1%Z)%Z)).

Axiom trunc_lower_bound :
  forall (x:Reals.Rdefinitions.R) (k:Numbers.BinNums.Z),
  (x < ((trunc_at x k) + (pow2 k))%R)%R.

Parameter rp: ptr uint64.

Parameter a0: uint64.

Axiom Requires : valid rp 1%Z.

Axiom Requires1 : (4611686018427387904%Z <= (uint64'int a0))%Z.

Parameter a: fxp.

Axiom H : ((ival a) = a0).

Axiom H1 : ((rval a) = ((BuiltIn.IZR (uint64'int a0)) * (pow2 (-64%Z)%Z))%R).

Axiom H2 : ((iexp a) = (-64%Z)%Z).

Axiom Assert :
  ((25 / 100)%R <= (rval a))%R /\
  ((rval a) <= (18446744073709551615 / 18446744073709551616)%R)%R.

Axiom Assert1 : (0%R < (rval a))%R.

Parameter x0: fxp.

Axiom Ensures : ((iexp x0) = (-8%Z)%Z).

Axiom H3 : (256%Z <= (uint64'int (ival x0)))%Z.

Axiom H4 : ((uint64'int (ival x0)) <= 511%Z)%Z.

Axiom H5 : (1%R <= (rval x0))%R.

Axiom H6 : ((rval x0) <= 2%R)%R.

Axiom Ensures1 :
  let rsa := (1%R / (Reals.R_sqrt.sqrt (rval a)))%R in
  let e0 := (((rval x0) - rsa)%R / rsa)%R in
  ((-(00281 / 100000)%R)%R <= e0)%R /\ (e0 <= (002655 / 1000000)%R)%R.

Parameter a1: fxp.

Axiom Ensures2 : ((rval a1) = (trunc_at (rval a) ((iexp a) + 31%Z)%Z)).

Axiom Ensures3 : ((iexp a1) = ((iexp a) + 31%Z)%Z).

Parameter o: fxp.

Parameter rliteral: uint64.

Axiom rliteral_axiom : ((uint64'int rliteral) = 196608%Z).

Axiom H7 : ((ival o) = rliteral).

Axiom H8 : ((rval o) = ((BuiltIn.IZR 196608%Z) * (pow2 (-49%Z)%Z))%R).

Axiom H9 : ((iexp o) = (-49%Z)%Z).

Parameter o1: fxp.

Parameter rliteral1: uint64.

Axiom rliteral_axiom1 : ((uint64'int rliteral1) = 562949953421312%Z).

Axiom H10 : ((ival o1) = rliteral1).

Axiom H11 :
  ((rval o1) = ((BuiltIn.IZR 562949953421312%Z) * (pow2 (-49%Z)%Z))%R).

Axiom H12 : ((iexp o1) = (-49%Z)%Z).

Parameter m1: fxp.

Axiom Ensures4 : ((rval m1) = ((rval o1) - (rval o))%R).

Axiom Ensures5 : ((iexp m1) = (iexp o1)).

Parameter o2: fxp.

Axiom Ensures6 : ((rval o2) = ((rval x0) * (rval x0))%R).

Axiom Ensures7 : ((iexp o2) = ((iexp x0) + (iexp x0))%Z).

Parameter o3: fxp.

Axiom Ensures8 : ((rval o3) = ((rval o2) * (rval a1))%R).

Axiom Ensures9 : ((iexp o3) = ((iexp o2) + (iexp a1))%Z).

Parameter t1': fxp.

Axiom Ensures10 : ((rval t1') = ((rval m1) - (rval o3))%R).

Axiom Ensures11 : ((iexp t1') = (iexp m1)).

Parameter t11: fxp.

Axiom Ensures12 : ((rval t11) = (trunc_at (rval t1') ((iexp t1') + 16%Z)%Z)).

Axiom Ensures13 : ((iexp t11) = ((iexp t1') + 16%Z)%Z).

Parameter o4: fxp.

Axiom Ensures14 : ((rval o4) = ((rval x0) * (rval t11))%R).

Axiom Ensures15 : ((iexp o4) = ((iexp x0) + (iexp t11))%Z).

Parameter o5: fxp.

Axiom Ensures16 :
  ((rval o5) =
   (trunc_at ((rval o4) * (pow2 (-1%Z)%Z))%R (((iexp o4) + 18%Z)%Z - 1%Z)%Z)).

Axiom Ensures17 : ((iexp o5) = (((iexp o4) + 18%Z)%Z - 1%Z)%Z).

Parameter o6: fxp.

Axiom Ensures18 : ((rval o6) = (rval x0)).

Axiom Ensures19 : ((iexp o6) = ((iexp x0) - 16%Z)%Z).

Parameter x1: fxp.

Axiom Ensures20 : ((rval x1) = ((rval o6) + (rval o5))%R).

Axiom Ensures21 : ((iexp x1) = (iexp o6)).

(* Why3 goal *)
Theorem sqrt1'vc :
  (((((rval x0) + (((rval x0) * (rval t1'))%R * (5 / 10)%R)%R)%R -
     (1%R / (Reals.R_sqrt.sqrt (rval a)))%R)%R
    / (1%R / (Reals.R_sqrt.sqrt (rval a)))%R)%R
   =
   ((-(5 / 10)%R)%R *
    ((((((rval x0) - (1%R / (Reals.R_sqrt.sqrt (rval a)))%R)%R /
        (1%R / (Reals.R_sqrt.sqrt (rval a)))%R)%R
       *
       (((rval x0) - (1%R / (Reals.R_sqrt.sqrt (rval a)))%R)%R /
        (1%R / (Reals.R_sqrt.sqrt (rval a)))%R)%R)%R
      *
      (3%R +
       (((rval x0) - (1%R / (Reals.R_sqrt.sqrt (rval a)))%R)%R /
        (1%R / (Reals.R_sqrt.sqrt (rval a)))%R)%R)%R)%R
     +
     ((1%R +
       (((rval x0) - (1%R / (Reals.R_sqrt.sqrt (rval a)))%R)%R /
        (1%R / (Reals.R_sqrt.sqrt (rval a)))%R)%R)%R
      *
      ((1%R - (rval m1))%R +
       (((1%R +
          (((rval x0) - (1%R / (Reals.R_sqrt.sqrt (rval a)))%R)%R /
           (1%R / (Reals.R_sqrt.sqrt (rval a)))%R)%R)%R
         *
         (1%R +
          (((rval x0) - (1%R / (Reals.R_sqrt.sqrt (rval a)))%R)%R /
           (1%R / (Reals.R_sqrt.sqrt (rval a)))%R)%R)%R)%R
        * (((rval a1) - (rval a))%R / (rval a))%R)%R)%R)%R)%R)%R).
Proof.
rewrite Ensures10, Ensures8, Ensures6.
set (sa := sqrt (rval a)).
replace (rval a) with (sa^2)%R.
apply Rminus_diag_uniq.
field.
apply Rgt_not_eq, sqrt_lt_R0, Assert1.
rewrite <- Rsqr_pow2.
apply Rsqr_sqrt, Rlt_le, Assert1.
Qed.why3-1.6.0/examples/multiprecision/sqrt/sqrt_Sqrt1_VC_sqrt1_3.v000066400000000000000000000466011440160026300245060ustar00rootroot00000000000000(* This file is generated by Why3's Coq driver *)
(* Beware! Only edit allowed sections below    *)
Require Import BuiltIn.
Require Reals.R_sqrt.
Require Reals.Rtrigo_def.
Require Reals.Rpower.
Require BuiltIn.
Require HighOrd.
Require int.Int.
Require int.Abs.
Require int.EuclideanDivision.
Require int.ComputerDivision.
Require int.Power.
Require real.Real.
Require real.RealInfix.
Require real.FromInt.
Require real.Truncate.
Require real.Square.
Require real.ExpLog.
Require real.PowerReal.
Require map.Map.
Require map.Const.

Require Import Reals.

Axiom uint64 : Type.
Parameter uint64_WhyType : WhyType uint64.
Existing Instance uint64_WhyType.

Parameter uint64'int: uint64 -> Numbers.BinNums.Z.

Axiom uint64'axiom :
  forall (i:uint64),
  (0%Z <= (uint64'int i))%Z /\ ((uint64'int i) <= 18446744073709551615%Z)%Z.

(* Why3 assumption *)
Definition in_bounds (n:Numbers.BinNums.Z) : Prop :=
  (0%Z <= n)%Z /\ (n <= 18446744073709551615%Z)%Z.

Axiom to_int_in_bounds : forall (n:uint64), in_bounds (uint64'int n).

Axiom extensionality :
  forall (x:uint64) (y:uint64), ((uint64'int x) = (uint64'int y)) -> (x = y).

Parameter zero_unsigned: uint64.

Axiom zero_unsigned_is_zero : ((uint64'int zero_unsigned) = 0%Z).

Axiom t : Type.
Parameter t_WhyType : WhyType t.
Existing Instance t_WhyType.

Parameter max: Numbers.BinNums.Z.

Parameter to_int: t -> Numbers.BinNums.Z.

(* Why3 assumption *)
Definition in_bounds1 (n:Numbers.BinNums.Z) : Prop :=
  (0%Z <= n)%Z /\ (n <= max)%Z.

Axiom to_int_in_bounds1 : forall (n:t), in_bounds1 (to_int n).

Axiom extensionality1 :
  forall (x:t) (y:t), ((to_int x) = (to_int y)) -> (x = y).

Parameter zero_unsigned1: t.

Axiom zero_unsigned_is_zero1 : ((to_int zero_unsigned1) = 0%Z).

Parameter radix: Numbers.BinNums.Z.

Axiom radix_def : (radix = (max + 1%Z)%Z).

Axiom int32 : Type.
Parameter int32_WhyType : WhyType int32.
Existing Instance int32_WhyType.

Parameter int32'int: int32 -> Numbers.BinNums.Z.

Axiom int32'axiom :
  forall (i:int32),
  ((-2147483648%Z)%Z <= (int32'int i))%Z /\ ((int32'int i) <= 2147483647%Z)%Z.

(* Why3 assumption *)
Definition in_bounds2 (n:Numbers.BinNums.Z) : Prop :=
  ((-2147483648%Z)%Z <= n)%Z /\ (n <= 2147483647%Z)%Z.

Axiom to_int_in_bounds2 : forall (n:int32), in_bounds2 (int32'int n).

Axiom extensionality2 :
  forall (x:int32) (y:int32), ((int32'int x) = (int32'int y)) -> (x = y).

Axiom uint32 : Type.
Parameter uint32_WhyType : WhyType uint32.
Existing Instance uint32_WhyType.

Parameter uint32'int: uint32 -> Numbers.BinNums.Z.

Axiom uint32'axiom :
  forall (i:uint32),
  (0%Z <= (uint32'int i))%Z /\ ((uint32'int i) <= 4294967295%Z)%Z.

(* Why3 assumption *)
Definition in_bounds3 (n:Numbers.BinNums.Z) : Prop :=
  (0%Z <= n)%Z /\ (n <= 4294967295%Z)%Z.

Axiom to_int_in_bounds3 : forall (n:uint32), in_bounds3 (uint32'int n).

Axiom extensionality3 :
  forall (x:uint32) (y:uint32), ((uint32'int x) = (uint32'int y)) -> (x = y).

Parameter zero_unsigned2: uint32.

Axiom zero_unsigned_is_zero2 : ((uint32'int zero_unsigned2) = 0%Z).

Parameter is_msb_set: uint32 -> Prop.

Axiom is_msb_set'spec :
  forall (x:uint32),
  is_msb_set x <-> (4294967295%Z < (2%Z * (uint32'int x))%Z)%Z.

Axiom array : forall (a:Type), Type.
Parameter array_WhyType :
  forall (a:Type) {a_WT:WhyType a}, WhyType (array a).
Existing Instance array_WhyType.

Parameter elts:
  forall {a:Type} {a_WT:WhyType a}, array a -> Numbers.BinNums.Z -> a.

Parameter length:
  forall {a:Type} {a_WT:WhyType a}, array a -> Numbers.BinNums.Z.

Axiom array'invariant :
  forall {a:Type} {a_WT:WhyType a},
  forall (self:array a), (0%Z <= (length self))%Z.

(* Why3 assumption *)
Definition mixfix_lbrb {a:Type} {a_WT:WhyType a} (a1:array a)
    (i:Numbers.BinNums.Z) : a :=
  elts a1 i.

Parameter mixfix_lblsmnrb:
  forall {a:Type} {a_WT:WhyType a}, array a -> Numbers.BinNums.Z -> a ->
  array a.

Axiom mixfix_lblsmnrb'spec :
  forall {a:Type} {a_WT:WhyType a},
  forall (a1:array a) (i:Numbers.BinNums.Z) (v:a),
  ((length (mixfix_lblsmnrb a1 i v)) = (length a1)) /\
  ((elts (mixfix_lblsmnrb a1 i v)) = (map.Map.set (elts a1) i v)).

Parameter make:
  forall {a:Type} {a_WT:WhyType a}, Numbers.BinNums.Z -> a -> array a.

Axiom make'spec :
  forall {a:Type} {a_WT:WhyType a},
  forall (n:Numbers.BinNums.Z) (v:a), (0%Z <= n)%Z ->
  (forall (i:Numbers.BinNums.Z), (0%Z <= i)%Z /\ (i < n)%Z ->
   ((mixfix_lbrb (make n v) i) = v)) /\
  ((length (make n v)) = n).

(* Why3 assumption *)
Definition in_us_bounds (n:Numbers.BinNums.Z) : Prop :=
  (0%Z <= n)%Z /\ (n <= 4294967295%Z)%Z.

(* Why3 assumption *)
Definition in_bounds4 (n:Numbers.BinNums.Z) : Prop :=
  ((-2147483648%Z)%Z <= n)%Z /\ (n <= 2147483647%Z)%Z.

(* Why3 assumption *)
Inductive ref (a:Type) :=
  | ref'mk : a -> ref a.
Axiom ref_WhyType : forall (a:Type) {a_WT:WhyType a}, WhyType (ref a).
Existing Instance ref_WhyType.
Arguments ref'mk {a}.

(* Why3 assumption *)
Definition contents {a:Type} {a_WT:WhyType a} (v:ref a) : a :=
  match v with
  | ref'mk x => x
  end.

Axiom zone : Type.
Parameter zone_WhyType : WhyType zone.
Existing Instance zone_WhyType.

Parameter null_zone: zone.

Axiom ptr : forall (a:Type), Type.
Parameter ptr_WhyType : forall (a:Type) {a_WT:WhyType a}, WhyType (ptr a).
Existing Instance ptr_WhyType.

Parameter data: forall {a:Type} {a_WT:WhyType a}, ptr a -> array a.

Parameter offset:
  forall {a:Type} {a_WT:WhyType a}, ptr a -> Numbers.BinNums.Z.

Parameter min: forall {a:Type} {a_WT:WhyType a}, ptr a -> Numbers.BinNums.Z.

Parameter max1: forall {a:Type} {a_WT:WhyType a}, ptr a -> Numbers.BinNums.Z.

Parameter zone1: forall {a:Type} {a_WT:WhyType a}, ptr a -> zone.

(* Why3 assumption *)
Definition plength {a:Type} {a_WT:WhyType a} (p:ptr a) : Numbers.BinNums.Z :=
  length (data p).

(* Why3 assumption *)
Definition pelts {a:Type} {a_WT:WhyType a} (p:ptr a) : Numbers.BinNums.Z -> a :=
  elts (data p).

Parameter is_not_null: forall {a:Type} {a_WT:WhyType a}, ptr a -> Prop.

Axiom is_not_null'spec :
  forall {a:Type} {a_WT:WhyType a},
  forall (p:ptr a), is_not_null p <-> ~ ((zone1 p) = null_zone).

(* Why3 assumption *)
Definition valid_ptr_shift {a:Type} {a_WT:WhyType a} (p:ptr a)
    (i:Numbers.BinNums.Z) : Prop :=
  ((min p) <= ((offset p) + i)%Z)%Z /\ (((offset p) + i)%Z < (max1 p))%Z.

(* Why3 assumption *)
Definition valid {a:Type} {a_WT:WhyType a} (p:ptr a) (sz:Numbers.BinNums.Z) :
    Prop :=
  in_bounds4 sz /\
  (0%Z <= sz)%Z /\
  ((0%Z <= (min p))%Z /\ ((min p) <= (offset p))%Z) /\
  (((offset p) + sz)%Z <= (max1 p))%Z /\ ((max1 p) <= (plength p))%Z.

Axiom valid_itv_to_shift :
  forall {a:Type} {a_WT:WhyType a},
  forall (p:ptr a) (sz:Numbers.BinNums.Z), valid p sz ->
  forall (i:Numbers.BinNums.Z), (0%Z <= i)%Z /\ (i < sz)%Z ->
  valid_ptr_shift p i.

(* Why3 assumption *)
Definition map_eq_sub {a:Type} {a_WT:WhyType a} (a1:Numbers.BinNums.Z -> a)
    (a2:Numbers.BinNums.Z -> a) (l:Numbers.BinNums.Z) (u:Numbers.BinNums.Z) :
    Prop :=
  forall (i:Numbers.BinNums.Z), (l <= i)%Z /\ (i < u)%Z -> ((a1 i) = (a2 i)).

(* Why3 assumption *)
Definition map_eq_sub_shift {a:Type} {a_WT:WhyType a}
    (x:Numbers.BinNums.Z -> a) (y:Numbers.BinNums.Z -> a)
    (xi:Numbers.BinNums.Z) (yi:Numbers.BinNums.Z) (sz:Numbers.BinNums.Z) :
    Prop :=
  forall (i:Numbers.BinNums.Z), (0%Z <= i)%Z /\ (i < sz)%Z ->
  ((x (xi + i)%Z) = (y (yi + i)%Z)).

Axiom map_eq_shift :
  forall {a:Type} {a_WT:WhyType a},
  forall (x:Numbers.BinNums.Z -> a) (y:Numbers.BinNums.Z -> a)
    (xi:Numbers.BinNums.Z) (yi:Numbers.BinNums.Z) (sz:Numbers.BinNums.Z)
    (k:Numbers.BinNums.Z),
  map_eq_sub_shift x y xi yi sz -> (0%Z <= k)%Z /\ (k < sz)%Z ->
  ((x (xi + k)%Z) = (y (yi + k)%Z)).

Axiom map_eq_shift_zero :
  forall {a:Type} {a_WT:WhyType a},
  forall (x:Numbers.BinNums.Z -> a) (y:Numbers.BinNums.Z -> a)
    (n:Numbers.BinNums.Z) (m:Numbers.BinNums.Z),
  map_eq_sub_shift x y n n (m - n)%Z -> map_eq_sub x y n m.

Axiom int64 : Type.
Parameter int64_WhyType : WhyType int64.
Existing Instance int64_WhyType.

Parameter int64'int: int64 -> Numbers.BinNums.Z.

Axiom int64'axiom :
  forall (i:int64),
  ((-9223372036854775808%Z)%Z <= (int64'int i))%Z /\
  ((int64'int i) <= 9223372036854775807%Z)%Z.

(* Why3 assumption *)
Definition in_bounds5 (n:Numbers.BinNums.Z) : Prop :=
  ((-9223372036854775808%Z)%Z <= n)%Z /\ (n <= 9223372036854775807%Z)%Z.

Axiom to_int_in_bounds4 : forall (n:int64), in_bounds5 (int64'int n).

Axiom extensionality4 :
  forall (x:int64) (y:int64), ((int64'int x) = (int64'int y)) -> (x = y).

(* Why3 assumption *)
Definition in_bounds6 (n:Numbers.BinNums.Z) : Prop :=
  (0%Z <= n)%Z /\ (n <= 18446744073709551615%Z)%Z.

Axiom to_int_in_bounds5 : forall (n:uint64), in_bounds6 (uint64'int n).

Axiom extensionality5 :
  forall (x:uint64) (y:uint64), ((uint64'int x) = (uint64'int y)) -> (x = y).

Parameter zero_unsigned3: uint64.

Axiom zero_unsigned_is_zero3 : ((uint64'int zero_unsigned3) = 0%Z).

Parameter uint64_max: uint64.

Axiom uint64_max'def : ((uint64'int uint64_max) = 18446744073709551615%Z).

Parameter is_msb_set1: uint64 -> Prop.

Axiom is_msb_set'spec1 :
  forall (x:uint64),
  is_msb_set1 x <-> (18446744073709551615%Z < (2%Z * (uint64'int x))%Z)%Z.

(* Why3 assumption *)
Definition limb := uint64.

(* Why3 assumption *)
Definition t1 := ptr uint64.

Axiom limb_max_bound : (1%Z <= 18446744073709551615%Z)%Z.

Axiom prod_compat_strict_r :
  forall (a:Numbers.BinNums.Z) (b:Numbers.BinNums.Z) (c:Numbers.BinNums.Z),
  (0%Z <= a)%Z /\ (a < b)%Z -> (0%Z < c)%Z -> ((c * a)%Z < (c * b)%Z)%Z.

Axiom prod_compat_r :
  forall (a:Numbers.BinNums.Z) (b:Numbers.BinNums.Z) (c:Numbers.BinNums.Z),
  (0%Z <= a)%Z /\ (a <= b)%Z -> (0%Z <= c)%Z -> ((c * a)%Z <= (c * b)%Z)%Z.

Parameter value_sub:
  (Numbers.BinNums.Z -> uint64) -> Numbers.BinNums.Z -> Numbers.BinNums.Z ->
  Numbers.BinNums.Z.

Axiom value_sub'def :
  forall (x:Numbers.BinNums.Z -> uint64) (n:Numbers.BinNums.Z)
    (m:Numbers.BinNums.Z),
  ((n < m)%Z ->
   ((value_sub x n m) =
    ((uint64'int (x n)) +
     ((18446744073709551615%Z + 1%Z)%Z * (value_sub x (n + 1%Z)%Z m))%Z)%Z)) /\
  (~ (n < m)%Z -> ((value_sub x n m) = 0%Z)).

Axiom value_sub_frame :
  forall (x:Numbers.BinNums.Z -> uint64) (y:Numbers.BinNums.Z -> uint64)
    (n:Numbers.BinNums.Z) (m:Numbers.BinNums.Z),
  map_eq_sub x y n m -> ((value_sub x n m) = (value_sub y n m)).

Axiom value_sub_frame_shift :
  forall (x:Numbers.BinNums.Z -> uint64) (y:Numbers.BinNums.Z -> uint64)
    (xi:Numbers.BinNums.Z) (yi:Numbers.BinNums.Z) (sz:Numbers.BinNums.Z),
  map_eq_sub_shift x y xi yi sz ->
  ((value_sub x xi (xi + sz)%Z) = (value_sub y yi (yi + sz)%Z)).

Axiom value_sub_tail :
  forall (x:Numbers.BinNums.Z -> uint64) (n:Numbers.BinNums.Z)
    (m:Numbers.BinNums.Z),
  (n <= m)%Z ->
  ((value_sub x n (m + 1%Z)%Z) =
   ((value_sub x n m) +
    ((uint64'int (x m)) *
     (int.Power.power (18446744073709551615%Z + 1%Z)%Z (m - n)%Z))%Z)%Z).

Axiom value_sub_concat :
  forall (x:Numbers.BinNums.Z -> uint64) (n:Numbers.BinNums.Z)
    (m:Numbers.BinNums.Z) (l:Numbers.BinNums.Z),
  (n <= m)%Z /\ (m <= l)%Z ->
  ((value_sub x n l) =
   ((value_sub x n m) +
    ((value_sub x m l) *
     (int.Power.power (18446744073709551615%Z + 1%Z)%Z (m - n)%Z))%Z)%Z).

Axiom value_sub_head :
  forall (x:Numbers.BinNums.Z -> uint64) (n:Numbers.BinNums.Z)
    (m:Numbers.BinNums.Z),
  (n < m)%Z ->
  ((value_sub x n m) =
   ((uint64'int (x n)) +
    ((18446744073709551615%Z + 1%Z)%Z * (value_sub x (n + 1%Z)%Z m))%Z)%Z).

Axiom value_sub_update :
  forall (x:Numbers.BinNums.Z -> uint64) (i:Numbers.BinNums.Z)
    (n:Numbers.BinNums.Z) (m:Numbers.BinNums.Z) (v:uint64),
  (n <= i)%Z /\ (i < m)%Z ->
  ((value_sub (map.Map.set x i v) n m) =
   ((value_sub x n m) +
    ((int.Power.power (18446744073709551615%Z + 1%Z)%Z (i - n)%Z) *
     ((uint64'int v) - (uint64'int (x i)))%Z)%Z)%Z).

Axiom value_zero :
  forall (x:Numbers.BinNums.Z -> uint64) (n:Numbers.BinNums.Z)
    (m:Numbers.BinNums.Z),
  map_eq_sub x (map.Const.const zero_unsigned3 : Numbers.BinNums.Z -> uint64)
  n m -> ((value_sub x n m) = 0%Z).

Axiom value_sub_update_no_change :
  forall (x:Numbers.BinNums.Z -> uint64) (i:Numbers.BinNums.Z)
    (n:Numbers.BinNums.Z) (m:Numbers.BinNums.Z) (v:uint64),
  (n <= m)%Z -> (i < n)%Z \/ (m <= i)%Z ->
  ((value_sub x n m) = (value_sub (map.Map.set x i v) n m)).

Axiom value_sub_shift_no_change :
  forall (x:Numbers.BinNums.Z -> uint64) (ofs:Numbers.BinNums.Z)
    (i:Numbers.BinNums.Z) (sz:Numbers.BinNums.Z) (v:uint64),
  (i < 0%Z)%Z \/ (sz <= i)%Z -> (0%Z <= sz)%Z ->
  ((value_sub x ofs (ofs + sz)%Z) =
   (value_sub (map.Map.set x (ofs + i)%Z v) ofs (ofs + sz)%Z)).

Axiom value_sub_lower_bound :
  forall (x:Numbers.BinNums.Z -> uint64) (x1:Numbers.BinNums.Z)
    (x2:Numbers.BinNums.Z),
  (0%Z <= (value_sub x x1 x2))%Z.

Axiom value_sub_upper_bound :
  forall (x:Numbers.BinNums.Z -> uint64) (x1:Numbers.BinNums.Z)
    (x2:Numbers.BinNums.Z),
  (x1 <= x2)%Z ->
  ((value_sub x x1 x2) <
   (int.Power.power (18446744073709551615%Z + 1%Z)%Z (x2 - x1)%Z))%Z.

Axiom value_sub_lower_bound_tight :
  forall (x:Numbers.BinNums.Z -> uint64) (x1:Numbers.BinNums.Z)
    (x2:Numbers.BinNums.Z),
  (x1 < x2)%Z ->
  (((int.Power.power (18446744073709551615%Z + 1%Z)%Z ((x2 - x1)%Z - 1%Z)%Z)
    * (uint64'int (x (x2 - 1%Z)%Z)))%Z
   <= (value_sub x x1 x2))%Z.

Axiom value_sub_upper_bound_tight :
  forall (x:Numbers.BinNums.Z -> uint64) (x1:Numbers.BinNums.Z)
    (x2:Numbers.BinNums.Z),
  (x1 < x2)%Z ->
  ((value_sub x x1 x2) <
   ((int.Power.power (18446744073709551615%Z + 1%Z)%Z ((x2 - x1)%Z - 1%Z)%Z)
    * ((uint64'int (x (x2 - 1%Z)%Z)) + 1%Z)%Z)%Z)%Z.

(* Why3 assumption *)
Definition value (x:ptr uint64) (sz:Numbers.BinNums.Z) : Numbers.BinNums.Z :=
  value_sub (pelts x) (offset x) ((offset x) + sz)%Z.

Axiom value_concat :
  forall (x:ptr uint64) (n:int32) (m:int32),
  (0%Z <= (int32'int n))%Z /\ ((int32'int n) <= (int32'int m))%Z ->
  ((value x (int32'int m)) =
   ((value x (int32'int n)) +
    ((int.Power.power (18446744073709551615%Z + 1%Z)%Z (int32'int n)) *
     (value_sub (pelts x) ((offset x) + (int32'int n))%Z
      ((offset x) + (int32'int m))%Z))%Z)%Z).

(* Why3 assumption *)
Definition pow2 (k:Numbers.BinNums.Z) : Reals.Rdefinitions.R :=
  Reals.Rpower.Rpower 2%R (BuiltIn.IZR k).

(* Why3 assumption *)
Definition trunc_at (x:Reals.Rdefinitions.R) (k:Numbers.BinNums.Z) :
    Reals.Rdefinitions.R :=
  ((BuiltIn.IZR (real.Truncate.floor (x * (pow2 (-k)%Z))%R)) * (pow2 k))%R.

Axiom fxp : Type.
Parameter fxp_WhyType : WhyType fxp.
Existing Instance fxp_WhyType.

Parameter ival: fxp -> uint64.

Parameter rval: fxp -> Reals.Rdefinitions.R.

Parameter iexp: fxp -> Numbers.BinNums.Z.

Axiom fxp'invariant :
  forall (self:fxp),
  ((rval self) = (trunc_at (rval self) (iexp self))) /\
  ((uint64'int (ival self)) =
   (int.EuclideanDivision.mod1
    (real.Truncate.floor ((rval self) * (pow2 (-(iexp self))%Z))%R)
    (18446744073709551615%Z + 1%Z)%Z)).

Axiom trunc_lower_bound :
  forall (x:Reals.Rdefinitions.R) (k:Numbers.BinNums.Z),
  (x < ((trunc_at x k) + (pow2 k))%R)%R.

Parameter rp: ptr uint64.

Parameter a0: uint64.

Axiom Requires : valid rp 1%Z.

Axiom Requires1 : (4611686018427387904%Z <= (uint64'int a0))%Z.

Parameter a: fxp.

Axiom H : ((ival a) = a0).

Axiom H1 : ((rval a) = ((BuiltIn.IZR (uint64'int a0)) * (pow2 (-64%Z)%Z))%R).

Axiom H2 : ((iexp a) = (-64%Z)%Z).

Axiom Assert :
  ((25 / 100)%R <= (rval a))%R /\
  ((rval a) <= (18446744073709551615 / 18446744073709551616)%R)%R.

Axiom Assert1 : (0%R < (rval a))%R.

Parameter x0: fxp.

Axiom Ensures : ((iexp x0) = (-8%Z)%Z).

Axiom H3 : (256%Z <= (uint64'int (ival x0)))%Z.

Axiom H4 : ((uint64'int (ival x0)) <= 511%Z)%Z.

Axiom H5 : (1%R <= (rval x0))%R.

Axiom H6 : ((rval x0) <= 2%R)%R.

Axiom Ensures1 :
  let rsa := (1%R / (Reals.R_sqrt.sqrt (rval a)))%R in
  let e0 := (((rval x0) - rsa)%R / rsa)%R in
  ((-(00281 / 100000)%R)%R <= e0)%R /\ (e0 <= (002655 / 1000000)%R)%R.

Parameter a1: fxp.

Axiom Ensures2 : ((rval a1) = (trunc_at (rval a) ((iexp a) + 31%Z)%Z)).

Axiom Ensures3 : ((iexp a1) = ((iexp a) + 31%Z)%Z).

Parameter o: fxp.

Parameter rliteral: uint64.

Axiom rliteral_axiom : ((uint64'int rliteral) = 196608%Z).

Axiom H7 : ((ival o) = rliteral).

Axiom H8 : ((rval o) = ((BuiltIn.IZR 196608%Z) * (pow2 (-49%Z)%Z))%R).

Axiom H9 : ((iexp o) = (-49%Z)%Z).

Parameter o1: fxp.

Parameter rliteral1: uint64.

Axiom rliteral_axiom1 : ((uint64'int rliteral1) = 562949953421312%Z).

Axiom H10 : ((ival o1) = rliteral1).

Axiom H11 :
  ((rval o1) = ((BuiltIn.IZR 562949953421312%Z) * (pow2 (-49%Z)%Z))%R).

Axiom H12 : ((iexp o1) = (-49%Z)%Z).

Parameter m1: fxp.

Axiom Ensures4 : ((rval m1) = ((rval o1) - (rval o))%R).

Axiom Ensures5 : ((iexp m1) = (iexp o1)).

Parameter o2: fxp.

Axiom Ensures6 : ((rval o2) = ((rval x0) * (rval x0))%R).

Axiom Ensures7 : ((iexp o2) = ((iexp x0) + (iexp x0))%Z).

Parameter o3: fxp.

Axiom Ensures8 : ((rval o3) = ((rval o2) * (rval a1))%R).

Axiom Ensures9 : ((iexp o3) = ((iexp o2) + (iexp a1))%Z).

Parameter t1': fxp.

Axiom Ensures10 : ((rval t1') = ((rval m1) - (rval o3))%R).

Axiom Ensures11 : ((iexp t1') = (iexp m1)).

Parameter t11: fxp.

Axiom Ensures12 : ((rval t11) = (trunc_at (rval t1') ((iexp t1') + 16%Z)%Z)).

Axiom Ensures13 : ((iexp t11) = ((iexp t1') + 16%Z)%Z).

Parameter o4: fxp.

Axiom Ensures14 : ((rval o4) = ((rval x0) * (rval t11))%R).

Axiom Ensures15 : ((iexp o4) = ((iexp x0) + (iexp t11))%Z).

Parameter o5: fxp.

Axiom Ensures16 :
  ((rval o5) =
   (trunc_at ((rval o4) * (pow2 (-1%Z)%Z))%R (((iexp o4) + 18%Z)%Z - 1%Z)%Z)).

Axiom Ensures17 : ((iexp o5) = (((iexp o4) + 18%Z)%Z - 1%Z)%Z).

Parameter o6: fxp.

Axiom Ensures18 : ((rval o6) = (rval x0)).

Axiom Ensures19 : ((iexp o6) = ((iexp x0) - 16%Z)%Z).

Parameter x1: fxp.

Axiom Ensures20 : ((rval x1) = ((rval o6) + (rval o5))%R).

Axiom Ensures21 : ((iexp x1) = (iexp o6)).

Axiom Assert2 :
  (((((rval x0) + (((rval x0) * (rval t1'))%R * (5 / 10)%R)%R)%R -
     (1%R / (Reals.R_sqrt.sqrt (rval a)))%R)%R
    / (1%R / (Reals.R_sqrt.sqrt (rval a)))%R)%R
   =
   ((-(5 / 10)%R)%R *
    ((((((rval x0) - (1%R / (Reals.R_sqrt.sqrt (rval a)))%R)%R /
        (1%R / (Reals.R_sqrt.sqrt (rval a)))%R)%R
       *
       (((rval x0) - (1%R / (Reals.R_sqrt.sqrt (rval a)))%R)%R /
        (1%R / (Reals.R_sqrt.sqrt (rval a)))%R)%R)%R
      *
      (3%R +
       (((rval x0) - (1%R / (Reals.R_sqrt.sqrt (rval a)))%R)%R /
        (1%R / (Reals.R_sqrt.sqrt (rval a)))%R)%R)%R)%R
     +
     ((1%R +
       (((rval x0) - (1%R / (Reals.R_sqrt.sqrt (rval a)))%R)%R /
        (1%R / (Reals.R_sqrt.sqrt (rval a)))%R)%R)%R
      *
      ((1%R - (rval m1))%R +
       (((1%R +
          (((rval x0) - (1%R / (Reals.R_sqrt.sqrt (rval a)))%R)%R /
           (1%R / (Reals.R_sqrt.sqrt (rval a)))%R)%R)%R
         *
         (1%R +
          (((rval x0) - (1%R / (Reals.R_sqrt.sqrt (rval a)))%R)%R /
           (1%R / (Reals.R_sqrt.sqrt (rval a)))%R)%R)%R)%R
        * (((rval a1) - (rval a))%R / (rval a))%R)%R)%R)%R)%R)%R).

Parameter a2: fxp.

Axiom Ensures22 : ((rval a2) = (trunc_at (rval a) ((iexp a) + 24%Z)%Z)).

Axiom Ensures23 : ((iexp a2) = ((iexp a) + 24%Z)%Z).

Parameter u1: fxp.

Axiom Ensures24 : ((rval u1) = ((rval x1) * (rval a2))%R).

Axiom Ensures25 : ((iexp u1) = ((iexp x1) + (iexp a2))%Z).

(* Why3 goal *)
Theorem sqrt1'vc :
  ((((rval u1) - (Reals.R_sqrt.sqrt (rval a)))%R /
    (Reals.R_sqrt.sqrt (rval a)))%R
   =
   (((1%R +
      (((rval x1) - (1%R / (Reals.R_sqrt.sqrt (rval a)))%R)%R /
       (1%R / (Reals.R_sqrt.sqrt (rval a)))%R)%R)%R
     * (1%R + (((rval a2) - (rval a))%R / (rval a))%R)%R)%R
    - 1%R)%R).
Proof.
rewrite Ensures24.
set (sa := sqrt (rval a)).
replace (rval a) with (sa^2)%R.
field.
apply Rgt_not_eq, sqrt_lt_R0, Assert1.
rewrite <- Rsqr_pow2.
apply Rsqr_sqrt, Rlt_le, Assert1.
Qed.why3-1.6.0/examples/multiprecision/sqrt/sqrt_Sqrt1_VC_sqrt1_4.v000066400000000000000000000544621440160026300245130ustar00rootroot00000000000000(* This file is generated by Why3's Coq driver *)
(* Beware! Only edit allowed sections below    *)
Require Import BuiltIn.
Require Reals.R_sqrt.
Require Reals.Rtrigo_def.
Require Reals.Rpower.
Require BuiltIn.
Require HighOrd.
Require int.Int.
Require int.Abs.
Require int.EuclideanDivision.
Require int.ComputerDivision.
Require int.Power.
Require real.Real.
Require real.RealInfix.
Require real.FromInt.
Require real.Truncate.
Require real.Square.
Require real.ExpLog.
Require real.PowerReal.
Require map.Map.
Require map.Const.

Require Import Reals.

Axiom uint64 : Type.
Parameter uint64_WhyType : WhyType uint64.
Existing Instance uint64_WhyType.

Parameter uint64'int: uint64 -> Numbers.BinNums.Z.

Axiom uint64'axiom :
  forall (i:uint64),
  (0%Z <= (uint64'int i))%Z /\ ((uint64'int i) <= 18446744073709551615%Z)%Z.

(* Why3 assumption *)
Definition in_bounds (n:Numbers.BinNums.Z) : Prop :=
  (0%Z <= n)%Z /\ (n <= 18446744073709551615%Z)%Z.

Axiom to_int_in_bounds : forall (n:uint64), in_bounds (uint64'int n).

Axiom extensionality :
  forall (x:uint64) (y:uint64), ((uint64'int x) = (uint64'int y)) -> (x = y).

Parameter zero_unsigned: uint64.

Axiom zero_unsigned_is_zero : ((uint64'int zero_unsigned) = 0%Z).

Axiom t : Type.
Parameter t_WhyType : WhyType t.
Existing Instance t_WhyType.

Parameter max: Numbers.BinNums.Z.

Parameter to_int: t -> Numbers.BinNums.Z.

(* Why3 assumption *)
Definition in_bounds1 (n:Numbers.BinNums.Z) : Prop :=
  (0%Z <= n)%Z /\ (n <= max)%Z.

Axiom to_int_in_bounds1 : forall (n:t), in_bounds1 (to_int n).

Axiom extensionality1 :
  forall (x:t) (y:t), ((to_int x) = (to_int y)) -> (x = y).

Parameter zero_unsigned1: t.

Axiom zero_unsigned_is_zero1 : ((to_int zero_unsigned1) = 0%Z).

Parameter radix: Numbers.BinNums.Z.

Axiom radix_def : (radix = (max + 1%Z)%Z).

Axiom int32 : Type.
Parameter int32_WhyType : WhyType int32.
Existing Instance int32_WhyType.

Parameter int32'int: int32 -> Numbers.BinNums.Z.

Axiom int32'axiom :
  forall (i:int32),
  ((-2147483648%Z)%Z <= (int32'int i))%Z /\ ((int32'int i) <= 2147483647%Z)%Z.

(* Why3 assumption *)
Definition in_bounds2 (n:Numbers.BinNums.Z) : Prop :=
  ((-2147483648%Z)%Z <= n)%Z /\ (n <= 2147483647%Z)%Z.

Axiom to_int_in_bounds2 : forall (n:int32), in_bounds2 (int32'int n).

Axiom extensionality2 :
  forall (x:int32) (y:int32), ((int32'int x) = (int32'int y)) -> (x = y).

Axiom uint32 : Type.
Parameter uint32_WhyType : WhyType uint32.
Existing Instance uint32_WhyType.

Parameter uint32'int: uint32 -> Numbers.BinNums.Z.

Axiom uint32'axiom :
  forall (i:uint32),
  (0%Z <= (uint32'int i))%Z /\ ((uint32'int i) <= 4294967295%Z)%Z.

(* Why3 assumption *)
Definition in_bounds3 (n:Numbers.BinNums.Z) : Prop :=
  (0%Z <= n)%Z /\ (n <= 4294967295%Z)%Z.

Axiom to_int_in_bounds3 : forall (n:uint32), in_bounds3 (uint32'int n).

Axiom extensionality3 :
  forall (x:uint32) (y:uint32), ((uint32'int x) = (uint32'int y)) -> (x = y).

Parameter zero_unsigned2: uint32.

Axiom zero_unsigned_is_zero2 : ((uint32'int zero_unsigned2) = 0%Z).

Parameter is_msb_set: uint32 -> Prop.

Axiom is_msb_set'spec :
  forall (x:uint32),
  is_msb_set x <-> (4294967295%Z < (2%Z * (uint32'int x))%Z)%Z.

Axiom array : forall (a:Type), Type.
Parameter array_WhyType :
  forall (a:Type) {a_WT:WhyType a}, WhyType (array a).
Existing Instance array_WhyType.

Parameter elts:
  forall {a:Type} {a_WT:WhyType a}, array a -> Numbers.BinNums.Z -> a.

Parameter length:
  forall {a:Type} {a_WT:WhyType a}, array a -> Numbers.BinNums.Z.

Axiom array'invariant :
  forall {a:Type} {a_WT:WhyType a},
  forall (self:array a), (0%Z <= (length self))%Z.

(* Why3 assumption *)
Definition mixfix_lbrb {a:Type} {a_WT:WhyType a} (a1:array a)
    (i:Numbers.BinNums.Z) : a :=
  elts a1 i.

Parameter mixfix_lblsmnrb:
  forall {a:Type} {a_WT:WhyType a}, array a -> Numbers.BinNums.Z -> a ->
  array a.

Axiom mixfix_lblsmnrb'spec :
  forall {a:Type} {a_WT:WhyType a},
  forall (a1:array a) (i:Numbers.BinNums.Z) (v:a),
  ((length (mixfix_lblsmnrb a1 i v)) = (length a1)) /\
  ((elts (mixfix_lblsmnrb a1 i v)) = (map.Map.set (elts a1) i v)).

Parameter make:
  forall {a:Type} {a_WT:WhyType a}, Numbers.BinNums.Z -> a -> array a.

Axiom make'spec :
  forall {a:Type} {a_WT:WhyType a},
  forall (n:Numbers.BinNums.Z) (v:a), (0%Z <= n)%Z ->
  (forall (i:Numbers.BinNums.Z), (0%Z <= i)%Z /\ (i < n)%Z ->
   ((mixfix_lbrb (make n v) i) = v)) /\
  ((length (make n v)) = n).

(* Why3 assumption *)
Definition in_us_bounds (n:Numbers.BinNums.Z) : Prop :=
  (0%Z <= n)%Z /\ (n <= 4294967295%Z)%Z.

(* Why3 assumption *)
Definition in_bounds4 (n:Numbers.BinNums.Z) : Prop :=
  ((-2147483648%Z)%Z <= n)%Z /\ (n <= 2147483647%Z)%Z.

(* Why3 assumption *)
Inductive ref (a:Type) :=
  | ref'mk : a -> ref a.
Axiom ref_WhyType : forall (a:Type) {a_WT:WhyType a}, WhyType (ref a).
Existing Instance ref_WhyType.
Arguments ref'mk {a}.

(* Why3 assumption *)
Definition contents {a:Type} {a_WT:WhyType a} (v:ref a) : a :=
  match v with
  | ref'mk x => x
  end.

Axiom zone : Type.
Parameter zone_WhyType : WhyType zone.
Existing Instance zone_WhyType.

Parameter null_zone: zone.

Axiom ptr : forall (a:Type), Type.
Parameter ptr_WhyType : forall (a:Type) {a_WT:WhyType a}, WhyType (ptr a).
Existing Instance ptr_WhyType.

Parameter data: forall {a:Type} {a_WT:WhyType a}, ptr a -> array a.

Parameter offset:
  forall {a:Type} {a_WT:WhyType a}, ptr a -> Numbers.BinNums.Z.

Parameter min: forall {a:Type} {a_WT:WhyType a}, ptr a -> Numbers.BinNums.Z.

Parameter max1: forall {a:Type} {a_WT:WhyType a}, ptr a -> Numbers.BinNums.Z.

Parameter zone1: forall {a:Type} {a_WT:WhyType a}, ptr a -> zone.

(* Why3 assumption *)
Definition plength {a:Type} {a_WT:WhyType a} (p:ptr a) : Numbers.BinNums.Z :=
  length (data p).

(* Why3 assumption *)
Definition pelts {a:Type} {a_WT:WhyType a} (p:ptr a) : Numbers.BinNums.Z -> a :=
  elts (data p).

Parameter is_not_null: forall {a:Type} {a_WT:WhyType a}, ptr a -> Prop.

Axiom is_not_null'spec :
  forall {a:Type} {a_WT:WhyType a},
  forall (p:ptr a), is_not_null p <-> ~ ((zone1 p) = null_zone).

(* Why3 assumption *)
Definition valid_ptr_shift {a:Type} {a_WT:WhyType a} (p:ptr a)
    (i:Numbers.BinNums.Z) : Prop :=
  ((min p) <= ((offset p) + i)%Z)%Z /\ (((offset p) + i)%Z < (max1 p))%Z.

(* Why3 assumption *)
Definition valid {a:Type} {a_WT:WhyType a} (p:ptr a) (sz:Numbers.BinNums.Z) :
    Prop :=
  in_bounds4 sz /\
  (0%Z <= sz)%Z /\
  ((0%Z <= (min p))%Z /\ ((min p) <= (offset p))%Z) /\
  (((offset p) + sz)%Z <= (max1 p))%Z /\ ((max1 p) <= (plength p))%Z.

Axiom valid_itv_to_shift :
  forall {a:Type} {a_WT:WhyType a},
  forall (p:ptr a) (sz:Numbers.BinNums.Z), valid p sz ->
  forall (i:Numbers.BinNums.Z), (0%Z <= i)%Z /\ (i < sz)%Z ->
  valid_ptr_shift p i.

(* Why3 assumption *)
Definition map_eq_sub {a:Type} {a_WT:WhyType a} (a1:Numbers.BinNums.Z -> a)
    (a2:Numbers.BinNums.Z -> a) (l:Numbers.BinNums.Z) (u:Numbers.BinNums.Z) :
    Prop :=
  forall (i:Numbers.BinNums.Z), (l <= i)%Z /\ (i < u)%Z -> ((a1 i) = (a2 i)).

(* Why3 assumption *)
Definition map_eq_sub_shift {a:Type} {a_WT:WhyType a}
    (x:Numbers.BinNums.Z -> a) (y:Numbers.BinNums.Z -> a)
    (xi:Numbers.BinNums.Z) (yi:Numbers.BinNums.Z) (sz:Numbers.BinNums.Z) :
    Prop :=
  forall (i:Numbers.BinNums.Z), (0%Z <= i)%Z /\ (i < sz)%Z ->
  ((x (xi + i)%Z) = (y (yi + i)%Z)).

Axiom map_eq_shift :
  forall {a:Type} {a_WT:WhyType a},
  forall (x:Numbers.BinNums.Z -> a) (y:Numbers.BinNums.Z -> a)
    (xi:Numbers.BinNums.Z) (yi:Numbers.BinNums.Z) (sz:Numbers.BinNums.Z)
    (k:Numbers.BinNums.Z),
  map_eq_sub_shift x y xi yi sz -> (0%Z <= k)%Z /\ (k < sz)%Z ->
  ((x (xi + k)%Z) = (y (yi + k)%Z)).

Axiom map_eq_shift_zero :
  forall {a:Type} {a_WT:WhyType a},
  forall (x:Numbers.BinNums.Z -> a) (y:Numbers.BinNums.Z -> a)
    (n:Numbers.BinNums.Z) (m:Numbers.BinNums.Z),
  map_eq_sub_shift x y n n (m - n)%Z -> map_eq_sub x y n m.

Axiom int64 : Type.
Parameter int64_WhyType : WhyType int64.
Existing Instance int64_WhyType.

Parameter int64'int: int64 -> Numbers.BinNums.Z.

Axiom int64'axiom :
  forall (i:int64),
  ((-9223372036854775808%Z)%Z <= (int64'int i))%Z /\
  ((int64'int i) <= 9223372036854775807%Z)%Z.

(* Why3 assumption *)
Definition in_bounds5 (n:Numbers.BinNums.Z) : Prop :=
  ((-9223372036854775808%Z)%Z <= n)%Z /\ (n <= 9223372036854775807%Z)%Z.

Axiom to_int_in_bounds4 : forall (n:int64), in_bounds5 (int64'int n).

Axiom extensionality4 :
  forall (x:int64) (y:int64), ((int64'int x) = (int64'int y)) -> (x = y).

(* Why3 assumption *)
Definition in_bounds6 (n:Numbers.BinNums.Z) : Prop :=
  (0%Z <= n)%Z /\ (n <= 18446744073709551615%Z)%Z.

Axiom to_int_in_bounds5 : forall (n:uint64), in_bounds6 (uint64'int n).

Axiom extensionality5 :
  forall (x:uint64) (y:uint64), ((uint64'int x) = (uint64'int y)) -> (x = y).

Parameter zero_unsigned3: uint64.

Axiom zero_unsigned_is_zero3 : ((uint64'int zero_unsigned3) = 0%Z).

Parameter uint64_max: uint64.

Axiom uint64_max'def : ((uint64'int uint64_max) = 18446744073709551615%Z).

Parameter is_msb_set1: uint64 -> Prop.

Axiom is_msb_set'spec1 :
  forall (x:uint64),
  is_msb_set1 x <-> (18446744073709551615%Z < (2%Z * (uint64'int x))%Z)%Z.

(* Why3 assumption *)
Definition limb := uint64.

(* Why3 assumption *)
Definition t1 := ptr uint64.

Axiom limb_max_bound : (1%Z <= 18446744073709551615%Z)%Z.

Axiom prod_compat_strict_r :
  forall (a:Numbers.BinNums.Z) (b:Numbers.BinNums.Z) (c:Numbers.BinNums.Z),
  (0%Z <= a)%Z /\ (a < b)%Z -> (0%Z < c)%Z -> ((c * a)%Z < (c * b)%Z)%Z.

Axiom prod_compat_r :
  forall (a:Numbers.BinNums.Z) (b:Numbers.BinNums.Z) (c:Numbers.BinNums.Z),
  (0%Z <= a)%Z /\ (a <= b)%Z -> (0%Z <= c)%Z -> ((c * a)%Z <= (c * b)%Z)%Z.

Parameter value_sub:
  (Numbers.BinNums.Z -> uint64) -> Numbers.BinNums.Z -> Numbers.BinNums.Z ->
  Numbers.BinNums.Z.

Axiom value_sub'def :
  forall (x:Numbers.BinNums.Z -> uint64) (n:Numbers.BinNums.Z)
    (m:Numbers.BinNums.Z),
  ((n < m)%Z ->
   ((value_sub x n m) =
    ((uint64'int (x n)) +
     ((18446744073709551615%Z + 1%Z)%Z * (value_sub x (n + 1%Z)%Z m))%Z)%Z)) /\
  (~ (n < m)%Z -> ((value_sub x n m) = 0%Z)).

Axiom value_sub_frame :
  forall (x:Numbers.BinNums.Z -> uint64) (y:Numbers.BinNums.Z -> uint64)
    (n:Numbers.BinNums.Z) (m:Numbers.BinNums.Z),
  map_eq_sub x y n m -> ((value_sub x n m) = (value_sub y n m)).

Axiom value_sub_frame_shift :
  forall (x:Numbers.BinNums.Z -> uint64) (y:Numbers.BinNums.Z -> uint64)
    (xi:Numbers.BinNums.Z) (yi:Numbers.BinNums.Z) (sz:Numbers.BinNums.Z),
  map_eq_sub_shift x y xi yi sz ->
  ((value_sub x xi (xi + sz)%Z) = (value_sub y yi (yi + sz)%Z)).

Axiom value_sub_tail :
  forall (x:Numbers.BinNums.Z -> uint64) (n:Numbers.BinNums.Z)
    (m:Numbers.BinNums.Z),
  (n <= m)%Z ->
  ((value_sub x n (m + 1%Z)%Z) =
   ((value_sub x n m) +
    ((uint64'int (x m)) *
     (int.Power.power (18446744073709551615%Z + 1%Z)%Z (m - n)%Z))%Z)%Z).

Axiom value_sub_concat :
  forall (x:Numbers.BinNums.Z -> uint64) (n:Numbers.BinNums.Z)
    (m:Numbers.BinNums.Z) (l:Numbers.BinNums.Z),
  (n <= m)%Z /\ (m <= l)%Z ->
  ((value_sub x n l) =
   ((value_sub x n m) +
    ((value_sub x m l) *
     (int.Power.power (18446744073709551615%Z + 1%Z)%Z (m - n)%Z))%Z)%Z).

Axiom value_sub_head :
  forall (x:Numbers.BinNums.Z -> uint64) (n:Numbers.BinNums.Z)
    (m:Numbers.BinNums.Z),
  (n < m)%Z ->
  ((value_sub x n m) =
   ((uint64'int (x n)) +
    ((18446744073709551615%Z + 1%Z)%Z * (value_sub x (n + 1%Z)%Z m))%Z)%Z).

Axiom value_sub_update :
  forall (x:Numbers.BinNums.Z -> uint64) (i:Numbers.BinNums.Z)
    (n:Numbers.BinNums.Z) (m:Numbers.BinNums.Z) (v:uint64),
  (n <= i)%Z /\ (i < m)%Z ->
  ((value_sub (map.Map.set x i v) n m) =
   ((value_sub x n m) +
    ((int.Power.power (18446744073709551615%Z + 1%Z)%Z (i - n)%Z) *
     ((uint64'int v) - (uint64'int (x i)))%Z)%Z)%Z).

Axiom value_zero :
  forall (x:Numbers.BinNums.Z -> uint64) (n:Numbers.BinNums.Z)
    (m:Numbers.BinNums.Z),
  map_eq_sub x (map.Const.const zero_unsigned3 : Numbers.BinNums.Z -> uint64)
  n m -> ((value_sub x n m) = 0%Z).

Axiom value_sub_update_no_change :
  forall (x:Numbers.BinNums.Z -> uint64) (i:Numbers.BinNums.Z)
    (n:Numbers.BinNums.Z) (m:Numbers.BinNums.Z) (v:uint64),
  (n <= m)%Z -> (i < n)%Z \/ (m <= i)%Z ->
  ((value_sub x n m) = (value_sub (map.Map.set x i v) n m)).

Axiom value_sub_shift_no_change :
  forall (x:Numbers.BinNums.Z -> uint64) (ofs:Numbers.BinNums.Z)
    (i:Numbers.BinNums.Z) (sz:Numbers.BinNums.Z) (v:uint64),
  (i < 0%Z)%Z \/ (sz <= i)%Z -> (0%Z <= sz)%Z ->
  ((value_sub x ofs (ofs + sz)%Z) =
   (value_sub (map.Map.set x (ofs + i)%Z v) ofs (ofs + sz)%Z)).

Axiom value_sub_lower_bound :
  forall (x:Numbers.BinNums.Z -> uint64) (x1:Numbers.BinNums.Z)
    (x2:Numbers.BinNums.Z),
  (0%Z <= (value_sub x x1 x2))%Z.

Axiom value_sub_upper_bound :
  forall (x:Numbers.BinNums.Z -> uint64) (x1:Numbers.BinNums.Z)
    (x2:Numbers.BinNums.Z),
  (x1 <= x2)%Z ->
  ((value_sub x x1 x2) <
   (int.Power.power (18446744073709551615%Z + 1%Z)%Z (x2 - x1)%Z))%Z.

Axiom value_sub_lower_bound_tight :
  forall (x:Numbers.BinNums.Z -> uint64) (x1:Numbers.BinNums.Z)
    (x2:Numbers.BinNums.Z),
  (x1 < x2)%Z ->
  (((int.Power.power (18446744073709551615%Z + 1%Z)%Z ((x2 - x1)%Z - 1%Z)%Z)
    * (uint64'int (x (x2 - 1%Z)%Z)))%Z
   <= (value_sub x x1 x2))%Z.

Axiom value_sub_upper_bound_tight :
  forall (x:Numbers.BinNums.Z -> uint64) (x1:Numbers.BinNums.Z)
    (x2:Numbers.BinNums.Z),
  (x1 < x2)%Z ->
  ((value_sub x x1 x2) <
   ((int.Power.power (18446744073709551615%Z + 1%Z)%Z ((x2 - x1)%Z - 1%Z)%Z)
    * ((uint64'int (x (x2 - 1%Z)%Z)) + 1%Z)%Z)%Z)%Z.

(* Why3 assumption *)
Definition value (x:ptr uint64) (sz:Numbers.BinNums.Z) : Numbers.BinNums.Z :=
  value_sub (pelts x) (offset x) ((offset x) + sz)%Z.

Axiom value_concat :
  forall (x:ptr uint64) (n:int32) (m:int32),
  (0%Z <= (int32'int n))%Z /\ ((int32'int n) <= (int32'int m))%Z ->
  ((value x (int32'int m)) =
   ((value x (int32'int n)) +
    ((int.Power.power (18446744073709551615%Z + 1%Z)%Z (int32'int n)) *
     (value_sub (pelts x) ((offset x) + (int32'int n))%Z
      ((offset x) + (int32'int m))%Z))%Z)%Z).

(* Why3 assumption *)
Definition pow2 (k:Numbers.BinNums.Z) : Reals.Rdefinitions.R :=
  Reals.Rpower.Rpower 2%R (BuiltIn.IZR k).

(* Why3 assumption *)
Definition trunc_at (x:Reals.Rdefinitions.R) (k:Numbers.BinNums.Z) :
    Reals.Rdefinitions.R :=
  ((BuiltIn.IZR (real.Truncate.floor (x * (pow2 (-k)%Z))%R)) * (pow2 k))%R.

Axiom fxp : Type.
Parameter fxp_WhyType : WhyType fxp.
Existing Instance fxp_WhyType.

Parameter ival: fxp -> uint64.

Parameter rval: fxp -> Reals.Rdefinitions.R.

Parameter iexp: fxp -> Numbers.BinNums.Z.

Axiom fxp'invariant :
  forall (self:fxp),
  ((rval self) = (trunc_at (rval self) (iexp self))) /\
  ((uint64'int (ival self)) =
   (int.EuclideanDivision.mod1
    (real.Truncate.floor ((rval self) * (pow2 (-(iexp self))%Z))%R)
    (18446744073709551615%Z + 1%Z)%Z)).

Axiom trunc_lower_bound :
  forall (x:Reals.Rdefinitions.R) (k:Numbers.BinNums.Z),
  (x < ((trunc_at x k) + (pow2 k))%R)%R.

Parameter rp: ptr uint64.

Parameter a0: uint64.

Axiom Requires : valid rp 1%Z.

Axiom Requires1 : (4611686018427387904%Z <= (uint64'int a0))%Z.

Parameter a: fxp.

Axiom H : ((ival a) = a0).

Axiom H1 : ((rval a) = ((BuiltIn.IZR (uint64'int a0)) * (pow2 (-64%Z)%Z))%R).

Axiom H2 : ((iexp a) = (-64%Z)%Z).

Axiom Assert :
  ((25 / 100)%R <= (rval a))%R /\
  ((rval a) <= (18446744073709551615 / 18446744073709551616)%R)%R.

Axiom Assert1 : (0%R < (rval a))%R.

Parameter x0: fxp.

Axiom Ensures : ((iexp x0) = (-8%Z)%Z).

Axiom H3 : (256%Z <= (uint64'int (ival x0)))%Z.

Axiom H4 : ((uint64'int (ival x0)) <= 511%Z)%Z.

Axiom H5 : (1%R <= (rval x0))%R.

Axiom H6 : ((rval x0) <= 2%R)%R.

Axiom Ensures1 :
  let rsa := (1%R / (Reals.R_sqrt.sqrt (rval a)))%R in
  let e0 := (((rval x0) - rsa)%R / rsa)%R in
  ((-(00281 / 100000)%R)%R <= e0)%R /\ (e0 <= (002655 / 1000000)%R)%R.

Parameter a1: fxp.

Axiom Ensures2 : ((rval a1) = (trunc_at (rval a) ((iexp a) + 31%Z)%Z)).

Axiom Ensures3 : ((iexp a1) = ((iexp a) + 31%Z)%Z).

Parameter o: fxp.

Parameter rliteral: uint64.

Axiom rliteral_axiom : ((uint64'int rliteral) = 196608%Z).

Axiom H7 : ((ival o) = rliteral).

Axiom H8 : ((rval o) = ((BuiltIn.IZR 196608%Z) * (pow2 (-49%Z)%Z))%R).

Axiom H9 : ((iexp o) = (-49%Z)%Z).

Parameter o1: fxp.

Parameter rliteral1: uint64.

Axiom rliteral_axiom1 : ((uint64'int rliteral1) = 562949953421312%Z).

Axiom H10 : ((ival o1) = rliteral1).

Axiom H11 :
  ((rval o1) = ((BuiltIn.IZR 562949953421312%Z) * (pow2 (-49%Z)%Z))%R).

Axiom H12 : ((iexp o1) = (-49%Z)%Z).

Parameter m1: fxp.

Axiom Ensures4 : ((rval m1) = ((rval o1) - (rval o))%R).

Axiom Ensures5 : ((iexp m1) = (iexp o1)).

Parameter o2: fxp.

Axiom Ensures6 : ((rval o2) = ((rval x0) * (rval x0))%R).

Axiom Ensures7 : ((iexp o2) = ((iexp x0) + (iexp x0))%Z).

Parameter o3: fxp.

Axiom Ensures8 : ((rval o3) = ((rval o2) * (rval a1))%R).

Axiom Ensures9 : ((iexp o3) = ((iexp o2) + (iexp a1))%Z).

Parameter t1': fxp.

Axiom Ensures10 : ((rval t1') = ((rval m1) - (rval o3))%R).

Axiom Ensures11 : ((iexp t1') = (iexp m1)).

Parameter t11: fxp.

Axiom Ensures12 : ((rval t11) = (trunc_at (rval t1') ((iexp t1') + 16%Z)%Z)).

Axiom Ensures13 : ((iexp t11) = ((iexp t1') + 16%Z)%Z).

Parameter o4: fxp.

Axiom Ensures14 : ((rval o4) = ((rval x0) * (rval t11))%R).

Axiom Ensures15 : ((iexp o4) = ((iexp x0) + (iexp t11))%Z).

Parameter o5: fxp.

Axiom Ensures16 :
  ((rval o5) =
   (trunc_at ((rval o4) * (pow2 (-1%Z)%Z))%R (((iexp o4) + 18%Z)%Z - 1%Z)%Z)).

Axiom Ensures17 : ((iexp o5) = (((iexp o4) + 18%Z)%Z - 1%Z)%Z).

Parameter o6: fxp.

Axiom Ensures18 : ((rval o6) = (rval x0)).

Axiom Ensures19 : ((iexp o6) = ((iexp x0) - 16%Z)%Z).

Parameter x1: fxp.

Axiom Ensures20 : ((rval x1) = ((rval o6) + (rval o5))%R).

Axiom Ensures21 : ((iexp x1) = (iexp o6)).

Axiom Assert2 :
  (((((rval x0) + (((rval x0) * (rval t1'))%R * (5 / 10)%R)%R)%R -
     (1%R / (Reals.R_sqrt.sqrt (rval a)))%R)%R
    / (1%R / (Reals.R_sqrt.sqrt (rval a)))%R)%R
   =
   ((-(5 / 10)%R)%R *
    ((((((rval x0) - (1%R / (Reals.R_sqrt.sqrt (rval a)))%R)%R /
        (1%R / (Reals.R_sqrt.sqrt (rval a)))%R)%R
       *
       (((rval x0) - (1%R / (Reals.R_sqrt.sqrt (rval a)))%R)%R /
        (1%R / (Reals.R_sqrt.sqrt (rval a)))%R)%R)%R
      *
      (3%R +
       (((rval x0) - (1%R / (Reals.R_sqrt.sqrt (rval a)))%R)%R /
        (1%R / (Reals.R_sqrt.sqrt (rval a)))%R)%R)%R)%R
     +
     ((1%R +
       (((rval x0) - (1%R / (Reals.R_sqrt.sqrt (rval a)))%R)%R /
        (1%R / (Reals.R_sqrt.sqrt (rval a)))%R)%R)%R
      *
      ((1%R - (rval m1))%R +
       (((1%R +
          (((rval x0) - (1%R / (Reals.R_sqrt.sqrt (rval a)))%R)%R /
           (1%R / (Reals.R_sqrt.sqrt (rval a)))%R)%R)%R
         *
         (1%R +
          (((rval x0) - (1%R / (Reals.R_sqrt.sqrt (rval a)))%R)%R /
           (1%R / (Reals.R_sqrt.sqrt (rval a)))%R)%R)%R)%R
        * (((rval a1) - (rval a))%R / (rval a))%R)%R)%R)%R)%R)%R).

Parameter a2: fxp.

Axiom Ensures22 : ((rval a2) = (trunc_at (rval a) ((iexp a) + 24%Z)%Z)).

Axiom Ensures23 : ((iexp a2) = ((iexp a) + 24%Z)%Z).

Parameter u1: fxp.

Axiom Ensures24 : ((rval u1) = ((rval x1) * (rval a2))%R).

Axiom Ensures25 : ((iexp u1) = ((iexp x1) + (iexp a2))%Z).

Axiom Assert3 :
  ((((rval u1) - (Reals.R_sqrt.sqrt (rval a)))%R /
    (Reals.R_sqrt.sqrt (rval a)))%R
   =
   (((1%R +
      (((rval x1) - (1%R / (Reals.R_sqrt.sqrt (rval a)))%R)%R /
       (1%R / (Reals.R_sqrt.sqrt (rval a)))%R)%R)%R
     * (1%R + (((rval a2) - (rval a))%R / (rval a))%R)%R)%R
    - 1%R)%R).

Parameter u2: fxp.

Axiom Ensures26 : ((rval u2) = (trunc_at (rval u1) ((iexp u1) + 25%Z)%Z)).

Axiom Ensures27 : ((iexp u2) = ((iexp u1) + 25%Z)%Z).

Parameter m2: fxp.

Parameter rliteral2: uint64.

Axiom rliteral_axiom2 : ((uint64'int rliteral2) = 2473901162496%Z).

Axiom H13 : ((ival m2) = rliteral2).

Axiom H14 :
  ((rval m2) = ((BuiltIn.IZR 2473901162496%Z) * (pow2 (-78%Z)%Z))%R).

Axiom H15 : ((iexp m2) = (-78%Z)%Z).

Parameter o7: fxp.

Axiom Ensures28 : ((rval o7) = ((rval u2) * (rval u2))%R).

Axiom Ensures29 : ((iexp o7) = ((iexp u2) + (iexp u2))%Z).

Parameter o8: fxp.

Axiom Ensures30 : ((rval o8) = (rval a)).

Axiom Ensures31 : ((iexp o8) = ((iexp a) - 14%Z)%Z).

Parameter o9: fxp.

Axiom Ensures32 : ((rval o9) = ((rval o8) - (rval o7))%R).

Axiom Ensures33 : ((iexp o9) = (iexp o8)).

Parameter t2': fxp.

Axiom Ensures34 : ((rval t2') = ((rval o9) - (rval m2))%R).

Axiom Ensures35 : ((iexp t2') = (iexp o9)).

Axiom Assert4 :
  (((Reals.R_sqrt.sqrt (rval a)) * (Reals.R_sqrt.sqrt (rval a)))%R =
   (rval a)).

Parameter t2: fxp.

Axiom Ensures36 : ((rval t2) = (trunc_at (rval t2') ((iexp t2') + 24%Z)%Z)).

Axiom Ensures37 : ((iexp t2) = ((iexp t2') + 24%Z)%Z).

Parameter o10: fxp.

Axiom Ensures38 : ((rval o10) = ((rval x1) * (rval t2))%R).

Axiom Ensures39 : ((iexp o10) = ((iexp x1) + (iexp t2))%Z).

Parameter o11: fxp.

Axiom Ensures40 :
  ((rval o11) =
   (trunc_at ((rval o10) * (pow2 (-1%Z)%Z))%R
    (((iexp o10) + 15%Z)%Z - 1%Z)%Z)).

Axiom Ensures41 : ((iexp o11) = (((iexp o10) + 15%Z)%Z - 1%Z)%Z).

Parameter x2: fxp.

Axiom Ensures42 : ((rval x2) = ((rval u1) + (rval o11))%R).

Axiom Ensures43 : ((iexp x2) = (iexp u1)).

(* Why3 goal *)
Theorem sqrt1'vc :
  ~ ((rval x1) = 0%R) /\ ~ ((rval a2) = 0%R) ->
  (((((rval u1) + (((rval x1) * (rval t2'))%R * (5 / 10)%R)%R)%R -
     (Reals.R_sqrt.sqrt (rval a)))%R
    / (Reals.R_sqrt.sqrt (rval a)))%R
   =
   ((((-(5 / 10)%R)%R *
      ((((((1%R +
            (((rval u1) - (Reals.R_sqrt.sqrt (rval a)))%R /
             (Reals.R_sqrt.sqrt (rval a)))%R)%R
           *
           (1%R +
            (((rval u1) - (Reals.R_sqrt.sqrt (rval a)))%R /
             (Reals.R_sqrt.sqrt (rval a)))%R)%R)%R
          * (((rval u2) - (rval u1))%R / (rval u1))%R)%R
         * (2%R + (((rval u2) - (rval u1))%R / (rval u1))%R)%R)%R
        +
        ((((rval u1) - (Reals.R_sqrt.sqrt (rval a)))%R /
          (Reals.R_sqrt.sqrt (rval a)))%R
         *
         (((rval u1) - (Reals.R_sqrt.sqrt (rval a)))%R /
          (Reals.R_sqrt.sqrt (rval a)))%R)%R)%R
       + ((rval m2) / (rval a))%R)%R)%R
     *
     (1%R +
      (((rval x1) - (1%R / (Reals.R_sqrt.sqrt (rval a)))%R)%R /
       (1%R / (Reals.R_sqrt.sqrt (rval a)))%R)%R)%R)%R
    -
    ((((rval x1) - (1%R / (Reals.R_sqrt.sqrt (rval a)))%R)%R /
      (1%R / (Reals.R_sqrt.sqrt (rval a)))%R)%R
     *
     (((rval u1) - (Reals.R_sqrt.sqrt (rval a)))%R /
      (Reals.R_sqrt.sqrt (rval a)))%R)%R)%R).
Proof.
intros (h1,h2).
rewrite Ensures34, Ensures32, Ensures30, Ensures28, Ensures24.
set (sa := sqrt (rval a)).
replace (rval a) with (sa^2)%R.
field.
split.
apply Rgt_not_eq, sqrt_lt_R0, Assert1.
easy.
rewrite <- Rsqr_pow2.
apply Rsqr_sqrt, Rlt_le, Assert1.
Qed.why3-1.6.0/examples/multiprecision/sqrt/why3session.xml000066400000000000000000000425051440160026300233070ustar00rootroot00000000000000













 
 
 
 
 
  
  
   
   
   
   
   
   
   
   
   
   
   
    
    
    
   
   
   
   
   
  
  
  
  
  
 
 
 
 
  
  
   
   
    
    
    
   
   
   
   
    
    
    
   
   
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
   
   
   
   
   
   
   
   
   
  
  
  
  
  
  
  
  
  
  
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
    
    
    
   
   
   
   
   
   
   
   
   
   
   
  
  
  
  
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
    
    
    
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
    
    
    
    
   
   
   
   
   
   
   
   
   
   
    
    
    
   
   
   
   
   
   
   
   
   
   
   
  
  
  
  
  
  
  
   
   
   
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
   
   
   
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
 
 



why3-1.6.0/examples/multiprecision/sqrt/why3shapes.gz000066400000000000000000000125631440160026300227300ustar00rootroot00000000000000]Yo]9~[f8#R6H=\P8=/
V/3~qHDQRo.?#?\>gG㥸.";w"sgu^noc/}zs3Y3QjDհ:?LYK=1oM?2ρ.QH&7^1z;k_f}>}x7[pNz%ť=3r.kobgLIص^Nԣy$CptgUwqIhXB#qw]޷Gdfʵywk28/4u*?y\ض!OF'c.q`F=y:IBzV;á>M?g/l(*=׶YԦQ(}tBm]dfPhkKG1^%ժAm[m#;%e{|_c~pԟߤyjq{{||BvrrdU1S~. ˚I>9TړO8--qvt뫇0};n"=}AvaшkB90x:}D]}ر2Z8\H_)w06k	歭vﷵۥ紐>hcSz]®*wcP-C57_W^If{P^KJ W'L`zzv_mH_XxYwNz.gīSՉJ=UixkKF?׭+_tNSE-:vո:A%s{B7e>_BMxG7	:4~FŲ>WV8&Q0Hscp5I!#D2`wpu9/5[X#m)s]]njV~7='v\J1:g'
ﶦ
[q`^mw{?ڜ*y|h+k?CiMG#99Db{A|8|zvyecųO25~ЧF·W^fkv^Z۳_뜗N׆•{K;eΈVk`isl!.ge0h!4ui/Z47f֎~u嫛_mys4/ϟ7's?ЭZ[9j
%ygMnjܰk~MiM&hfjh8lmөkVl-m7B$$-
7E94x+U1H8K
Eҝl+FOIIV	SFeQs8&lB,1QD!oP[dUZH)b%Em 2ddI䣎JK$Ԕcܖ>`2d%*u$Kl1e=PĠeD9JmT\8h@(Ea|B)I2t4**]D	\ ml݀
..&,EaP	y6K1g"D	TǥMu?KE#x+`[2mz	VxEa!B싽!9$l1hhOX{p6LF*3X/5`P<"15X;QHz+`c1111116 >hpr.l7BtcUcO4"xKkUÌlTsO76j
] ĐtI'9#"XDe
9iǧ9wVmiARP('Eu988}XT*L98
N4pEB8Y(nt	!JAP(Kp	j!$~;zQq~\S-G8ijt?t.uข- '.0bD%E	V3&UְEO"Sl%+PK"AtMCk2ʫPCY5}h)i+s21D(H.d:)W-`3x	u(&WuxтP89eAdK
LJQn3ݔ䝵H"XA{Qa

V/AX?8.Pۇ^ۂzjJŒ#b"FȌ;˚q$$e(d4H!G`QhAy`w܉uY0~}~3A<;Yo+4ѱUg8Y0~},	lot}z|})*9A>U`#	|5zPE]PA,E, Jjc`eUr+Fv!Q;8]g87%kv†fIBH@"sz-OaQ⢨7tĂ)ĿM>S\Dz-`*ޡ!ς^p#oEX'5S@t=^׫o8v깨fh^Ĥ'8
-sb8UEge8tXv>*?iRǔP
	'kA;4L0.2s(]aE({ts`r}1͉T{s8	ԭ?0D2kQ|!֓O2*ZM.ٴad0YJPS[&VX*xgZg#z+6xtaNڛxx(ے{|IE8ˍ	tVrx	sgՁu_[͸H}t	52VHVRLe=	b# Aa3`] ܝ҅Fr$ɐG_;V>PgDSE E9ǎmCY@<L"&
BN'Rt.xB C2c/T
IKꔱՂQÌx%28:
MD!Z4G9v$3Qp"ti_H'rHğ^>mcdcvJ猰mTtiAm[areRJ3WZ S}qJF+f@u1^ 4YRLP
ƸՂ"icl은X9Y)FRXCQ++S=U`C1bn/\jͼ$YfT0z Ѕ/L6(xkp͊a+o+ bd+;Owhy3-1.6.0/examples/multiprecision/sqrtinit.ml000066400000000000000000000006631440160026300215040ustar00rootroot00000000000000open Printf

let () =
  printf "/* The common 0x100 was removed */\
    \nstatic const unsigned char invsqrttab[384] = {\n";
  for i1 = 16 to 63 do
    printf "  ";
    for i2 = 0 to 7 do
      let i = i1 * 8 + i2 in
      let j = int_of_float (sqrt (512. /. (float_of_int i +. 0.5)) *. 256. +. 0.5) in
      printf "0x%02x," (j - 256);
    done;
    printf " /* sqrt(1/%x)..sqrt(1/%x) */\n" (i1*8) (i1*8+7);
  done;
  printf "};\n%!"
why3-1.6.0/examples/multiprecision/sqrtrem.mlw000066400000000000000000001670451440160026300215230ustar00rootroot00000000000000module Sqrt

  use array.Array
  use map.Map
  use mach.c.C
  use ref.Ref
  use mach.int.Int32
  use import mach.int.UInt64GMP as Limb
  use int.EuclideanDivision
  use int.Int
  use int.Power
  use types.Types
  use lemmas.Lemmas
  use compare.Compare
  use util.UtilOld
  use add_1.Add_1
  use add.AddOld
  use sub_1.Sub_1
  use sub.SubOld
  use mul.Mul
  use logical.LogicalUtil
  use logical.Logical
  use div.Div
  use sqrt.Sqrt1
  use ptralias.Alias

  use real.ExpLog (* have to use real to be able to remove log2/log10... *)
  meta remove_logic function log10 (* kills CVC3 *)
  meta remove_logic function log2  (* same *)

  let lemma same_mod (a b:int)
    requires { 0 <= a }
    requires { 0 < b }
    ensures  { ComputerDivision.mod a b = EuclideanDivision.mod a b }
  = ()

  meta remove_prop axiom same_mod

  let wmpn_sqrtrem2 (sp rp np: ptr limb) : limb
    requires { valid rp 1 }
    requires { valid sp 1 }
    requires { valid np 2 }
    requires { (pelts np)[offset np + 1] >= power 2 (Limb.length - 2) }
    requires { writable sp /\ writable rp }
    ensures  { value np 2
               = (pelts sp)[offset sp] * (pelts sp)[offset sp]
                  + result * radix + (pelts rp)[offset rp] }
    ensures  { (pelts rp)[offset rp] + result * radix <= 2 * (pelts sp)[offset sp] }
    ensures  { 0 <= result <= 1 }
  =
    let np0 = C.get np in
    let ghost np1 = C.get_ofs np 1 in
    let ref sp0 = sqrt1 rp (C.get_ofs np 1) in
    let ref rp0 = C.get rp in
    let ghost orp = pure { rp0 } in
    let ghost osp = pure { sp0 } in
    let prec = (Limb.of_int Limb.length) / 2 in (* prec = 32 *)
    assert { power 2 prec * power 2 prec = radix };
    assert { sp0 * sp0 + rp0 = np1 };
    assert { sp0 >= power 2 (prec - 1)
             by np1 >= power 2 (Limb.length - 2)
             so ((sp0 + 1) * (sp0 + 1) > np1
                by (sp0 + 1) * (sp0 + 1) > sp0 * sp0 + 2 * sp0 >= np1)
             so (power 2 (prec - 1)) * (power 2 (prec - 1))
                 = power 2 (Limb.length - 2) };
    assert { sp0 < power 2 prec
             by sp0 * sp0 <= np1 < radix = power 2 (Limb.length)
             so (power 2 prec) * (power 2 prec) = power 2 (Limb.length) };
    let nph = lsr_mod np0 (prec + 1) in
    assert { nph < power 2 (prec - 1)
             by nph = div np0 (power 2 (prec + 1))
             so nph * power 2 (prec + 1) <= np0 < radix
             so power 2 (prec - 1) * power 2 (prec + 1) = radix };
    assert { power 2 (prec - 1) * rp0 + nph < radix
             by rp0 < power 2 (prec + 1)
             so rp0 <= power 2 (prec + 1) - 1
             so power 2 (prec - 1) * rp0
                <= power 2 (prec + prec) - power 2 (prec - 1)
                = radix - power 2 (prec - 1)
             so nph < power 2 (prec - 1) };
    rp0 <- lsl rp0 (prec - 1) + nph;
    label Div in
    let ref q = Limb.(/) rp0 sp0 in
    assert { q <= power 2 prec
             by rp0 = power 2 (prec - 1) * orp + nph
             so orp <= 2 * sp0
             so nph < power 2 (prec - 1) <= sp0
             so rp0 < power 2 prec * sp0 + sp0
                     = (power 2 prec + 1) * sp0
             so 0 <= mod rp0 sp0
             so rp0 = sp0 * q + mod rp0 sp0
             so q * sp0 <= rp0
             so q * sp0 < (power 2 prec + 1) * sp0
             so q < power 2 prec + 1 };
    assert { q = div rp0 osp };
    begin
      ensures { if old q = power 2 prec
                then q = power 2 prec - 1
                else q = old q }
      ensures { q < power 2 prec }
      let rq = lsr_mod q prec in
      assert { q = power 2 prec -> rq = div q q = 1 by mod q q = 0 };
      q <- q - rq
    end;
    assert { q * sp0 < radix by q < power 2 prec so sp0 < power 2 prec
             so q * sp0 < power 2 prec * power 2 prec = radix };
    assert { rp0 - q * sp0 >= 0
             by q <= div rp0 sp0
             so rp0 = div rp0 sp0 * sp0 + mod rp0 sp0
             so 0 <= mod rp0 sp0
             so rp0 >= div rp0 sp0 * sp0
             so q * sp0 <= div rp0 sp0 * sp0 };
    let u = rp0 - (q * sp0) in
    assert { sp0 * power 2 prec < radix - q
             by sp0 <= power 2 prec - 1
             so sp0 * power 2 prec <= power 2 prec * power 2 prec - power 2 prec
                = radix - power 2 prec < radix - q };
    assert { q <> power 2 prec - 1 -> u <= osp - 1
             by div rp0 osp = q
             so rp0 = osp * div rp0 osp + mod rp0 osp
             so u = mod rp0 osp < osp };
    assert { q = power 2 prec - 1 -> u <= osp + nph
             by rp0 = power 2 (prec - 1) * orp + nph
             so orp <= 2 * osp
             so rp0 <= power 2 prec * osp + nph
             so q = power 2 prec - 1
             so u = rp0 - (power 2 prec - 1) * osp };
    sp0 <- lsl sp0 prec + q;
    assert { sp0 = osp * power 2 prec + q };
    let uh = lsr_mod u (prec - 1) in
    assert { uh <= power 2 (prec + 1)
             by uh = div u (power 2 (prec - 1))
             so uh * power 2 (prec - 1) = u - mod u (power 2 (prec - 1))
                <= u < radix
             so power 2 (prec + 1) * power 2 (prec - 1)
                = power 2 (prec + 1 + prec - 1) = radix };
    let ref cc = to_int64 uh in
    let npl = np0 % (lsl 1 (prec + 1)) in
    assert { np0 = power 2 (prec + 1) * nph + npl
             by np0 = (power 2 (prec + 1)) * div np0 (power 2 (prec + 1))
                      + mod np0 (power 2 (prec + 1))
             so npl = mod np0 (power 2 (prec + 1)) };
    let ul = lsl_mod_ext u (prec + 1) in
    rp0 <- ul + npl;
    assert { q * q < radix by q < power 2 prec
             so q * q < power 2 prec * power 2 prec = radix };
    let q2 = q * q in
    assert { ul + radix * uh = power 2 (prec + 1) * u
             by
               let p = u * power 2 (prec + 1) in
               let m = mod u (power 2 (prec - 1)) in
               mod p radix = ul
               so m < power 2 (prec - 1)
               so power 2 (prec + 1) * m
                  < power 2 (prec + 1) * power 2 (prec - 1) = radix
               so u = power 2 (prec - 1) * uh + m
               so p = power 2 (prec + 1) * power 2 (prec - 1) * uh
                      + power 2 (prec + 1) * m
                    = uh * radix + power 2 (prec + 1) * m
                    < uh * radix + radix
               so uh * radix <= p
               so div p radix = uh
               so p = uh * radix + ul };
    assert { rp0 + radix * cc = npl + power 2 (prec + 1) * u
             by rp0 + radix * cc = npl + ul + radix * uh };
    begin ensures { rp0 + radix * cc = old (rp0 + radix * cc) - q2 }
      label S in
      if rp0 < q2 then cc <- Int64.(-) cc 1;
      rp0 <- sub_mod rp0 q2;
    end;
    assert { sp0 * sp0 + rp0 + radix * cc = np0 + radix * np1
             by rp0 + radix * cc = (power 2 (prec + 1)) * u + npl - q * q
             so sp0 * sp0 = ((power 2 prec) * osp + q)
                            * ((power 2 prec) * osp + q)
                          = power 2 prec * power 2 prec * osp * osp
                            + q * q
                            + 2 * power 2 prec * osp * q
                          = radix * osp * osp + q * q
                            + 2 * power 2 prec * osp * q
             so osp * q = rp0 at Div - u
             so osp * osp = np1 - orp
             so rp0 at Div = power 2 (prec - 1) * orp + nph };
    assert { rp0 + radix * cc <= 2 * sp0
             by rp0 + radix * cc = power 2 (prec + 1) * u + npl - q * q
             so 2 * sp0 = 2 * (power 2 prec * osp + q)
                        >= power 2 (prec + 1) * osp
             so npl < power 2 (prec + 1)
             so if q = power 2 prec - 1
                then
                  u <= osp + nph
                  so power 2 (prec + 1) * u
                     <= power 2 (prec + 1) * (osp + nph)
                  so rp0 + radix * cc
                     <= power 2 (prec + 1) * osp
                        + power 2 (prec + 1) * nph + npl - q * q
                      = power 2 (prec + 1) * osp + np0 - q * q
                  so 2 * sp0 = power 2 (prec + 1) * osp + 2 * q
                  so q * q = (power 2 prec - 1) * (power 2 prec - 1)
                           = radix - power 2 (prec + 1) + 1
                  so rp0 + radix * cc - 2 * sp0
                     <= np0 - q * q - 2 * q
                     <= radix - 1 - q * q - 2 * q
                     = power 2 (prec + 1) - 2 - 2 * q
                     = 0
                else
                  rp0 + radix * cc <= power 2 (prec + 1) * (osp - 1) + npl
                                   <= power 2 (prec + 1) * osp };
    label Adjust in
    let ghost sp0a = pure { sp0 } in
    if Int64.(<) cc 0 (* cc = -1 *)
    then begin
      assert { cc = -1 };
      assert { sp0 + sp0 > radix
               by sp0 * sp0 + rp0 - radix = np0 + radix * np1
               so np1 >= power 2 (Limb.length - 2)
               so rp0 < radix
               so sp0 * sp0 > np0 + radix * np1 >= radix * np1
                  >= power 2 (Limb.length) * power 2 (Limb.length - 2)
                  = power 2 (Limb.length + Limb.length - 2)
                  = power 2 (Limb.length - 1) * power 2 (Limb.length - 1)
               so sp0 > power 2 (Limb.length - 1) };
      begin ensures { rp0 + radix * cc = old (rp0 + radix * cc) + sp0 }
            ensures { cc >= 0 \/ rp0 = old rp0 + sp0 }
        rp0 <- add_mod rp0 sp0;
        if rp0 < sp0 then cc <- Int64.(+) cc 1;
      end;
      sp0 <- sp0 - 1;
      begin ensures { rp0 + radix * cc = old (rp0 + radix * cc) + sp0 }
            ensures { cc >= 0 }
        label A2 in
        rp0 <- add_mod rp0 sp0;
        if rp0 < sp0 then cc <- Int64.(+) cc 1
      end;
      assert { sp0 * sp0 + rp0 + radix * cc
               = (sp0 * sp0 + rp0 + radix * cc) at Adjust
               by sp0 = sp0a - 1
               so sp0 * sp0 = sp0a * sp0a - sp0a - sp0a + 1
               so rp0 + radix * cc = rp0 + radix * cc at Adjust + sp0 + sp0a };
    end;
    C.set rp rp0;
    C.set sp sp0;
    assert { value np 2 = np0 + radix * np1 };
    of_int64 cc

  use toom.Toom

  let rec wmpn_dc_sqrtrem (sp np: ptr limb) (n:int32) (scratch: ptr limb) : limb
    requires { valid np (n+n) }
    requires { valid sp n }
    requires { 1 <= n }
    requires { valid scratch (1 + div n 2) }
    requires { (pelts np)[offset np + n + n - 1] >= power 2 (Limb.length - 2) }
    requires { writable sp /\ writable scratch /\ writable np }
    requires { 4 * n < max_int32 }
(*    writes   { np, sp, scratch }*)
    ensures  { (value sp n) * (value sp n)
               + value np n + (power radix n) * result
               = old value np (n+n) }
    ensures  { value np n + power radix n * result <= 2 * value sp n }
    ensures  { (pelts sp)[offset sp + n-1] >= power 2 (Limb.length - 1) }
    ensures  { 0 <= result <= 1 }
    ensures  { max np = old max np }
    ensures  { min np = old min np }
    ensures  { plength np = old plength np }
    ensures  { max scratch = old max scratch }
    ensures  { min scratch = old min scratch }
    ensures  { plength scratch = old plength scratch }
    ensures  { max sp = old max sp }
    ensures  { min sp = old min sp }
    ensures  { plength sp = old plength sp }
    variant  { n }
  = label Start in
    if n = 1
    then
      let r = wmpn_sqrtrem2 sp scratch np in
      C.set np (C.get scratch);
      r
    else begin
      let l = n / 2 in
      assert { 1 <= l };
      let h = n - l in
      let ghost vn = value np (int32'int n + int32'int n) in
      value_concat np (l+l) (n+n);
      let np' = C.incr_split np (l+l) in
      value_concat np l (l+l);
      let ghost n0 = value np (int32'int l) in
      let ghost n1 = value_sub (pelts np) (offset np + int32'int l)
                               (offset np + int32'int l + int32'int l) in
      let ghost n'' = pure { n0 + power radix l * n1 } in
      let ghost n' = pure { value np' (h+h) } in
      assert { value np (l+l) = n''};
      assert { vn = n'' + power radix (l+l) * n' };
      begin ensures { power radix (n+n) <= 4 * vn }
        value_tail np (n+n-1);
        assert { 4 * vn >= power radix (n+n)
                 by vn = value np (n+n-1)
                         + power radix (n+n-1) * (pelts np)[offset np + (n+n-1)]
                       >= power radix (n+n-1) * (pelts np)[offset np + (n+n-1)]
                       >= power radix (n+n-1) * power 2 (Limb.length - 2)
                 so 4 * power 2 (Limb.length - 2) = radix
                 so 4 * vn >= power radix (n+n-1) * radix = power radix (n+n) };
      end;
      let spl = C.incr_split sp l in
      label Rec in
      let ref q = wmpn_dc_sqrtrem spl np' h scratch in
      assert { n' = value spl h * value spl h
                    + value np' h + power radix h * q };
      begin ensures { power radix l <= 2 * value spl h }
        assert { power radix (h+h) * power radix (l+l)
                 = power radix (n+n)
                 <= 4 * (n'' + power radix (l+l) * n')
                 < 4 * (n' + 1) * power radix (l+l)
                 by n'' < power radix (l+l) };
        assert { power radix (h+h) <= 4 * n' };
        assert { (value spl h + 1) * (value spl h + 1) > n' };
        let ghost ts = pure { 2 * (value spl h + 1) } in
        assert { power radix h < ts
                 by power radix h * power radix h <= 4 * n' < ts * ts
                 so 0 < power radix h * power radix h < ts * ts
                 so 0 < power radix h so 0 < ts
                 so 0 < (ts - power radix h) * (ts + power radix h)
                 so 0 < ts + power radix h
                 so 0 < ts - power radix h };
        assert { power radix l <= 2 * value spl h
                 by power radix l <= power radix h
                 so power radix h < ts
                 so power radix l < ts};
      end;
      let ghost r' = value np' (int32'int h) + power radix (int32'int h) * (l2i q) in
      assert { r' <= 2 * value spl h };
      label Sub in
      begin ensures {    (q = 1 /\ value np' h = r' - value spl h)
                      \/ (q = 0 /\ value np' h = r') }
      if (q <> 0) then begin
        assert { q = 1 };
        assert { value np' h = r' - power radix h };
        assert { value np' h < value spl h
                 by value np' h + power radix h = value np' h + power radix h * q
                    <= 2 * value spl h
                 so value np' h < power radix h
                 so value np' h + value np' h < 2 * value spl h };
        let ghost b = wmpn_sub_n_in_place np' spl h in
        assert { b = 1 };
        assert { value np' h = r' - value spl h
                 by value np' h - power radix h = value np' h at Sub - value spl h
                    = r' - power radix h - value spl h };
        end
      end;
      label Join1 in
      let ghost onp = { np } in
      let ghost onp' = { np' } in
      join np np';
      value_sub_frame (pelts np) (pelts onp') (offset np + p2i l + p2i l)
                                      (offset np + p2i l + p2i l + p2i h);
      value_sub_frame (pelts np) (pelts onp) (offset np) (offset np + p2i l);
      value_sub_frame (pelts np) (pelts onp) (offset np + p2i l) (offset np + p2i l + p2i l);
      assert { value_sub (pelts np) (offset np + l + l) (offset np + l + l + h)
               = value onp' h };
      let npl = C.incr_split np l in
      assert { value_sub (pelts npl) (offset npl + l) (offset npl + l + h)
               = value np' h at Join1 };
      value_concat npl l n;
      assert { value npl n = n1 + power radix l * value onp' h };
      label DivS in
      wmpn_tdiv_qr_in_place scratch 0 npl n spl h;
      assert { n1 + power radix l * (r' - q * value spl h)
               = value scratch (l+1) * value spl h + value npl h };
      value_tail scratch l;
      value_tail spl h;
      assert { 0 <= (pelts scratch)[offset scratch + l] <= 1
               by value (npl at DivS) n < power radix n
               so (pelts spl)[offset spl + h-1] >= power 2 (Limb.length - 1)
               so 2 * (pelts spl)[offset spl + h - 1] >= radix
               so value spl h
                  >= power radix (h-1) * (pelts spl)[offset spl + h-1]
               so 2 * value spl h
                  >= power radix (h-1) * 2 * (pelts spl)[offset spl + h - 1]
                  >= power radix (h-1) * radix = power radix h
               so 0 <= value npl h
               so value spl h * value scratch (l+1) < power radix n
                  = power radix h * power radix l
                  <= value spl h * 2 * power radix l
               so value scratch (l+1) < 2 * power radix l
               so value scratch (l+1)
                  = value scratch l + power radix l
                    * (pelts scratch)[offset scratch + l]
                  >= power radix l * (pelts scratch)[offset scratch + l]
               so (pelts scratch)[offset scratch + l] < 2 };
      let sl = get_ofs scratch l in
      value_concat scratch l (l+1);
      assert { value scratch (l+1) = value scratch l + power radix l * sl };
      q <- q + sl;
      assert { 0 <= q <= 2 };
      assert { n1 + power radix l * r'
               = (value scratch l + power radix l * q) * value spl h
                 + value npl h };
      let sh = C.get scratch in
      let ref c = to_int64 (sh % 2) in
      value_concat scratch 1 l;
      assert { c = mod (value scratch l) 2
               by let st = value_sub (pelts scratch) (offset scratch + 1) (offset scratch + l) in
                  value scratch l = sh + radix * st
               so sh = value scratch 1
               so let q = div sh 2 in
                  c = mod sh 2
               so sh = c + 2 * q
               so value scratch l = c + 2 * q + radix * st
                  = c + 2 * (q + power 2 (Limb.length - 1) * st) };
      let ghost r = wmpn_rshift_sep sp scratch l 1 in
      label Div2 in
      assert { 2 * value sp l + c = value scratch l
               by r + radix * value sp l = value scratch l * power 2 (Limb.length - 1)
               so let p = power 2 (Limb.length - 1) in
                  2 * p = radix
               so p * (2 * value sp l) + r = p * value scratch l };
      let st = C.get_ofs sp (l-1) in
      value_tail sp (l-1);
      assert { value sp l = value sp (l-1) + power radix (l-1) * st };
      assert { st + power 2 (Limb.length - 1) < radix
               by 2 * value sp l <= value scratch l < power radix l
               so value sp l  >= power radix (l-1) * st
               so (2 * st) * power radix (l-1) < power radix l
                     = radix * power radix (l-1)
               so 2 * st < radix
               so st < power 2 (Limb.length - 1) };
      let ql = lsl_mod_ext q (Limb.of_int Limb.length - 1) in
      let qh = lsr_mod q 1 in
      assert { 0 <= qh <= 1
               by 0 <= q <= 2
               so qh = div q 2 };
      assert { ql + radix * qh = power 2 (Limb.length - 1) * q
               by qh = div q 2
               so q = 2 * qh + mod q 2
               so power 2 (Limb.length - 1) * q
                  = radix * qh + power 2 (Limb.length - 1) * mod q 2
               so (0 <= power 2 (Limb.length - 1) * mod q 2 < radix
                   by mod q 2 = 0 \/ mod q 2 = 1)
               so ql = mod (q * power 2 (Limb.length - 1)) radix
                     = mod (radix * qh + power 2 (Limb.length - 1) * mod q 2) radix
                     = mod (power 2 (Limb.length - 1) * mod q 2) radix
                     = power 2 (Limb.length - 1) * mod q 2
               };
      value_sub_update_no_change (pelts sp) (sp.offset + p2i l - 1)
                                 (sp.offset) (sp.offset + p2i l - 1) (st + ql);
      C.set_ofs sp (l-1) (st + ql);
      value_tail sp (l-1);
      assert { value sp l = value sp l at Div2 + power radix (l-1) * ql
               by value sp l = value sp (l-1) + power radix (l-1) * (st + ql)
               so value sp (l-1) = value sp (l-1) at Div2 };
      (* TODO if (UNLIKELY ((sp[0] & approx) != 0)) /* (sp[0] & mask) > 1 */
	return 1; /* Remainder is non-zero */ *)
      q <- qh;
      assert { 2 * (value sp l + power radix l * q) + c
                 = value scratch l + power radix l * (q at Div2) };
      assert { n1 + power radix l * r'
               = 2 * value spl h * (value sp l + power radix l * q)
                 + value spl h * c
                 + value npl h
               by 2 * value spl h * (value sp l + power radix l * q)
                  + value spl h * c
                  = value spl h * (2 * (value sp l + power radix l * q) + c)
                  = value spl h
                    * (value scratch l + power radix l * (q at Div2)) };
      assert { value npl h < value spl h };
      begin
        ensures { n1 + power radix l * r'
                  = 2 * value spl h * (value sp l + power radix l * q)
                    + value npl h + power radix h * c }
        ensures { 0 <= c <= 1 }
        ensures { 0 <= value npl h + power radix h * c < 2 * value spl h }
        if not (Int64.(=) c 0)
        then begin
          assert { c = 1 };
          assert { n1 + power radix l * r'
               = 2 * value spl h * (value sp l + power radix l * q)
                 + value spl h + value npl h };
          let c' = wmpn_add_n_in_place npl spl h in
          c <- to_int64 c';
          end
      end;
      let ghost dq = pure { value sp l + power radix l * q } in
      let ghost s' = pure { value spl h } in
      let ghost r'' = pure { value npl h + power radix h * c } in
      assert { n1 + power radix l * r'
                  = (2 * s') * dq + r''};
      assert { r'' < 2 * s' };
      assert { 0 <= dq <= power radix l
               by n1 < power radix l <= 2 * s'
               so r' <= 2 * s'
               so n1 + power radix l * r'
                  < 2 * s' + power radix l * r'
                  <= 2 * s' + power radix l * (2 * s')
                  = 2 * s' * (1 + power radix l)
               so 0 <= r''
               so (2 * s') * dq <= (2 * s') * dq + r'' = n1 + power radix l * r'
               so (2 * s') * dq < (2 * s') * (1 + power radix l)
               so dq < 1 + power radix l
               so 0 <= value sp l
               so 0 <= q };
      let ghost onp = pure { np } in
      let ghost onpl = pure { npl } in
      join np npl;
      value_sub_frame (pelts np) (pelts onpl)
                      (offset np + p2i l) (offset np + p2i n);
      value_sub_frame (pelts np) (pelts onp) (offset np) (offset np + p2i l);
      assert { value_sub (pelts np) (offset np + l) (offset np + n)
               = value onpl h by offset npl + h = offset np + n};
      assert { value np l = value onp l = n0 };
      value_concat np l n;
      assert { value np n + power radix n * c = n0 + power radix l * r''
               by value np n = n0 + power radix l * value onpl h
               so power radix n = power radix (l+h)
                  = power radix l * power radix h
               so power radix n * c = power radix l * (power radix h * c)
               so value np n + power radix n * c
                  = n0 + power radix l * value onpl h
                    + power radix l * (power radix h * c) };
      let npn = C.incr_split np n in
      let ghost _ = wmpn_mul npn sp l sp l 64 in
      let ll = 2 * l in
      assert { value npn ll + power radix ll * q = dq * dq
               by 0 <= q <= 1 so q * q = q
               so dq <= power radix l
               so power radix ll = power radix l * power radix l
               so value sp l + power radix l * q <= power radix l
               so (value sp l = 0 \/ q = 0
                   by 0 <= value sp l
                   so if q = 1
                      then value sp l = 0
                      else q = 0)
               so value sp l * q = 0
               so dq * dq = value sp l * value sp l
                  + (power radix l * q) * (power radix l * q)
                  = value sp l * value sp l + power radix ll * q };
      label Sub2 in
      let ghost onp = pure { np } in
      value_concat np ll n;
      let bo = wmpn_sub_n_in_place np npn ll in
      value_concat np ll n;
      value_sub_frame (pelts np) (pelts onp) (offset np + int32'int ll)
                                             (offset np + int32'int n);
      let b = q + bo in
      assert { value np ll - power radix ll * b
               = value np ll at Sub2 - dq * dq };
      assert { value np n - power radix ll * b
               = value np n at Sub2 - dq * dq
               by value np n = value np ll + power radix ll
                    * value_sub (pelts np) (offset np + ll) (offset np + n)
               so value_sub (pelts np) (offset np + ll) (offset np + n)
                  = value_sub (pelts onp) (offset np + ll) (offset np + n) };
      begin ensures { value np n + power radix n * c
                      = n0 + power radix l * r'' - dq * dq }
            ensures { - 1 <= c <= 1 }
        if l = h
        then begin
          assert { n = ll };
          assert { value np n - power radix n * b
                   = value np n at Sub2 - dq * dq };
          c <- Int64.(-) c (to_int64 b);
          assert { value np n + power radix n * c
                   = value np n - power radix n * b
                     + power radix n * (c at Sub2)
                   = (value np n + power radix n * c at Sub2) - dq * dq
                   = n0 + power radix l * r'' - dq * dq };
          assert { -1 <= c
                   by dq * dq <= power radix l * power radix l = power radix n
                   so 0 <= n0 so 0 <= r''
                   so 0 <= n0 + power radix l * r''
                   so - power radix n <= n0 + power radix l * r'' - dq * dq
                   so value np n < power radix n
                   so - power radix n <= value np n + power radix n * c
                      < power radix n + power radix n * c
                   so - 2 * power radix n < power radix n * c
                   so -2 < c };
        end
        else begin
          assert { h = l + 1
                   by n = 2 * l + ComputerDivision.mod n 2
                   so h = l + ComputerDivision.mod n 2
                   so h <= l + 1 };
          assert { n = ll + 1 };
          let nll = C.incr np ll in
          label Borrow in
          let ghost onp = pure { np } in
          value_concat np ll n;
          let bo = wmpn_sub_1_in_place nll 1 b in
          value_sub_frame (pelts np) (pelts onp) (offset np)
                          (offset np + int32'int ll);
          value_concat np ll n;
          assert { value nll 1 = value_sub (pelts np) (offset np + ll) (offset np + n) };
          assert { value np n - power radix n * bo
                   = value np n at Borrow - power radix ll * b
                   by value np ll = value np ll at Borrow
                   so value nll 1 - radix * bo = value nll 1 at Borrow - b
                   so value np n - power radix n * bo
                      = value np ll + power radix ll * value nll 1 - power radix n * bo
                      = value np ll + power radix ll * (value nll 1 - radix * bo)
                      = value np ll + power radix ll * (value nll 1 at Borrow - b)};
          c <- Int64.(-) c (to_int64 bo);
          assert { value np n + power radix n * c
                   = value np n - power radix n * bo
                     + power radix n * (c at Sub2)
                   = value np n at Borrow - power radix ll * b
                     + power radix n * c at Sub2
                   = (value np n + power radix n * c at Sub2) - dq * dq
                   = n0 + power radix l * r'' - dq * dq };
        end
      end;
      let ghost vs = pure { dq + power radix l * s' } in
      let ghost vr = pure { power radix l * r'' + n0 - dq * dq } in
      assert { vn = vs * vs + vr
               by vn = n' * power radix (l+l) + n1 * power radix l + n0
               so n' = s' * s' + r'
               so power radix (l+l) = power radix l * power radix l
               so vn = s' * s' * power radix (l+l) + r' * power radix (l+l)
                     + n1 * power radix l + n0
                     = (s' * power radix l) * (s' * power radix l)
                       + r' * power radix (l+l) + n1 * power radix l + n0
                     = (s' * power radix l) * (s' * power radix l)
                       + power radix l * (r' * power radix l + n1) + n0
               so r' * power radix l + n1 = 2 * s' * dq + r''
               so vn = (s' * power radix l) * (s' * power radix l)
                       + power radix l * (2 * s' * dq + r'') + n0
                     = (s' * power radix l) * (s' * power radix l)
                       + 2 * (s' * power radix l * dq)
                       + dq * dq + power radix l * r'' + n0 - dq * dq
               so (s' * power radix l) * (s' * power radix l)
                       + 2 * (s' * power radix l * dq)
                       + dq * dq
                   = vs * vs
               so vn = vs * vs + power radix l * r'' + n0 - dq * dq };
      assert { vr <= 2 * vs
               by n0 < power radix l
               so r'' <= 2 * s' - 1
               so r'' * power radix l + n0
                    < (2 * s' - 1) * power radix l + power radix l
                    = 2 * s' * power radix l
               so dq * dq >= 0
               so vr <= r'' * power radix l + n0 };
      label Adjust in
      assert { dq = value sp l + power radix l * q };
      assert { vr = value np n + power radix n * c };
      assert { value spl h = s' };
      assert { power radix n = power radix l * power radix h };
      assert { (vs - 1) * (vs - 1) <= vn
               by vn = (vs - 1) * (vs - 1) + vr + 2 * vs - 1
               so dq - 1 <= power radix l <= 2 * s'
               so (dq - 1) * (dq - 1) <= (2 * s') * (power radix l)
               so 0 <= n0
               so power radix l * r'' >= 0
               so n0 >= 0
               so vr + 2 * vs - 1
                  = power radix l * r'' + n0 - dq * dq + 2 * dq
                    + 2 * s' * power radix l - 1
                  = power radix l * r'' + n0
                    + 2 * s' * power radix l - (dq - 1) * (dq - 1)
                  >= power radix l * r'' + n0
                  >= 0 };
      assert { vs <= power radix n
               by (vs - 1) * (vs - 1) <= vn
                  < power radix (n+n) = power radix n *  power radix n
               so if vs - 1 < power radix n
                  then true
                  else false
                       by power radix n * power radix n <= (vs - 1) * (vs - 1) };
      if (Int64.(<) c 0)
      then begin
        assert { vr < 0
                 by value np n < power radix n
                 so power radix n * c <= - power radix n };
        q <- wmpn_add_1_in_place spl h q;
        assert { q = 0 \/ q = 1 };
        assert { value sp l + power radix l * value spl h + power radix n * q
                   = vs
                 by value spl h + power radix h * q
                    = s' + q at Adjust
                 so value sp l + power radix l * value spl h + power radix n * q
                    = value sp l
                      + power radix l * (value spl h + power radix h * q)
                    = value sp l + power radix l * s'
                      + power radix l * (q at Adjust)
                    = dq + power radix l * s' = vs };
        let ghost osp = pure { sp } in
        let ghost ospl = pure { spl } in
        join sp spl;
        value_sub_frame (pelts sp) (pelts osp) (offset sp)
                                (offset sp + int32'int l);
        value_sub_frame (pelts sp) (pelts ospl) (offset sp + int32'int l)
                                                (offset sp + int32'int n);
        value_concat sp l n;
        assert { value sp n = value osp l + power radix l * value ospl h
                 by value ospl h = value_sub (pelts ospl) (offset sp + l)
                    (offset sp + n)};
        assert { value sp n + power radix n * q = vs };
        assert { q = 0 \/ value sp n = 0
                 by 0 <= value sp n
                 so if q = 1
                    then value sp n = 0
                    else q = 0 };
        let c' = wmpn_addmul_1 np sp n 2 in
        assert { c' = 0 \/ (q = 0 /\ c' <= 2)
                 by if q = 1
                    then value sp n = 0
                         so value np n + power radix n * c'
                            = value np n at Adjust < power radix n
                         so power radix n * c' < power radix n * 1
                         so c' = 0
                    else value np n + power radix n * c'
                           = value np n at Adjust + 2 * vs
                         so value np n at Adjust < power radix n
                         so vs <= power radix n
                         so value np n + power radix n * c' < 3 * power radix n
                         so 0 <= value np n
                         so c' < 3 };
        c <- Int64.(+) c (to_int64 (2 * q + c'));
        assert { value np n + power radix n * c
                 = value np n at Adjust + 2 * value sp n
                   + power radix n * (2 * q)
                   + power radix n * (c at Adjust)
                 = vr + power radix n * (2 * q)
                      + 2 * value sp n
                 = vr + 2 * vs };
        c <- Int64.(-) c (to_int64 (wmpn_sub_1_in_place np n 1));
        assert { value np n + power radix n * c = vr + 2 * vs - 1 };
        assert { 0 <= c
                 by 0 <= vr + 2 * vs - 1
                 so 0 <= value np n + power radix n * c
                 so value np n < power radix n
                 so -1 < c };
        label AdjS in
        let bo = wmpn_sub_1_in_place sp n 1 in
        assert { bo = 1 -> q = 1
                 by value sp n - power radix n * bo
                    = value sp n at AdjS - 1
                    so value sp n < power radix n
                    so value sp n - power radix n * bo < 0
                    so value sp n at AdjS = 0
                    so vs = power radix n * q
                    so 0 < vs };
        assert { q = 1 -> bo = 1
                 by value sp n at AdjS + power radix n = vs <= power radix n
                 so value sp n at AdjS = 0
                 so value sp n - power radix n * bo = - 1
                 so 0 <= value sp n };
        q <- q - bo;
        assert { q = 0 };
        assert { value sp n = vs - 1 };
        assert { (value sp n) * (value sp n) + value np n + power radix n * c
                   = vn
                 by (value sp n) * (value sp n) = (vs - 1) * (vs - 1)
                    = vs * vs - 2 * vs + 1
                 so value np n + power radix n * c = vr + 2 * vs - 1 };
        assert { value np n + power radix n * c <= 2 * value sp n
                 by value np n + power radix n * c = vr + 2 * vs - 1
                    <= 2 * vs - 1 };
      end
      else begin
        assert { 0 <= vr
                 by 0 <= value np n
                 so 0 <= power radix n * c };
        let ghost osp = pure { sp } in
        let ghost ospl = pure { spl } in
        join sp spl;
        value_sub_frame (pelts sp) (pelts osp) (offset sp)
                                 (offset sp + int32'int l);
        value_sub_frame (pelts sp) (pelts ospl) (offset sp + int32'int l)
                                                (offset sp + int32'int n);
        value_concat sp l n;
        assert { value sp n = value osp l + power radix l * s'
                 by s' = value ospl h
                    = value_sub (pelts ospl) (offset sp + l) (offset sp + n) };
        assert { vs = value sp n + power radix l * q };
        assert { dq * dq < power radix l * (r'' + 1)
                 by 0 <= vr
                 so dq * dq <= power radix l * r'' + n0
                 so n0 < power radix l
                 so power radix l * r'' + n0 < power radix l * (r'' + 1) };
        assert { q = 1 -> dq = power radix l };
        assert { q = 1 -> r'' < power radix l
                 by r' * power radix l + n1 = 2 * s' * dq + r''
                 so dq = power radix l
                 so r' * power radix l + n1 = (2 * s') * power radix l + r''
                 so r' <= 2 * s'
                 so r' * power radix l <= (2 * s') * power radix l
                 so r'' <= n1 < power radix l };
        assert { q = 1 -> false
                 by r'' + 1 <= power radix l
                 so power radix l * power radix l = dq * dq
                    < power radix l * (r'' + 1)
                    <= power radix l * power radix l };
        assert { q = 0 };
        assert { vs = value sp n };
      end;
      let ghost onp = pure { np } in
      join np npn;
      value_sub_frame (pelts np) (pelts onp) (offset np)
                              (offset np + int32'int n);
      assert { value np n = value onp n };
      value_tail sp (n-1);
      let ghost ms = C.get_ofs sp (n-1) in
      let ghost sqrt = pure { value sp n } in
      assert { sqrt = value sp (n-1) + power radix (n-1) * ms };
      assert { (sqrt + 1) * (sqrt + 1) > vn };
      assert { ms >= power 2 (Limb.length - 1)
               by power radix (n+n) <= 4 * vn
               so if (2 * (sqrt + 1)) <= power radix n
                  then (false
                        by 4 * vn <= (2 * (sqrt + 1)) * (2 * (sqrt + 1))
                                  <= power radix n * power radix n
                                  = power radix (n+n))
                  else true
               so power radix n < 2 * (sqrt + 1)
               so value sp (n-1) < power radix (n-1)
               so 1 + value sp (n-1) <= power radix (n-1)
               so sqrt + 1 <= power radix (n-1) * (ms + 1)
               so power radix n = power radix (n-1) * radix
               so power radix (n-1) * radix < power radix (n-1) * (2 * (ms + 1))
               so 0 < power radix (n-1)
               so 0 <= radix so 0 <= 2 * (ms + 1)
               so radix < 2 * (ms + 1)
               so radix = 2 * power 2 (Limb.length - 1) };
      of_int64 c
    end

  let ghost function ceilhalf (n:int)
    ensures { 2 * result >= n }
    ensures { 2 * (result + 1) > n }
  = ComputerDivision.div (n+1) 2

  (* TODO rp = NULL case? *)

  let lemma sqrt_norm (n nn c s s0 s1 : int)
    requires { 0 <= c }
    requires { 0 < n }
    requires { 0 <= s }
    requires { 0 <= s0 < power 2 c }
    requires { nn = power 2 (2 * c) * n }
    requires { s1 = power 2 c * s + s0 }
    requires { s1 * s1 <= nn < (s1 + 1) * (s1 + 1) }
    ensures  { s * s <= n < (s+1) * (s+1) }
  =
    assert { power 2 (2 * c) = power 2 c * power 2 c };
    assert { s * s <= n < (s + 1) * (s + 1)
             by 0 <= s so 0 <= power 2 c
             so power 2 (2 * c) * (s * s)
                = (power 2 c * s) * (power 2 c * s)
                <= s1 * s1 <= nn = power 2 (2 * c) * n
             so power 2 (2 * c) * (s * s) <= power 2 (2 * c) * n
             so 0 <= power 2 (2 * c) so 0 <= s * s so 0 <= n
             so s * s <= n
             so s0 < power 2 c
             so (s1 + 1) = power 2 c * s + s0 + 1
                <= power 2 c * s + power 2 c
                = power 2 c * (s + 1)
             so power 2 (2 * c) * n = nn < (s1 + 1) * (s1 + 1)
                <= (power 2 c * (s + 1)) * (power 2 c * (s + 1))
                = power 2 (2 * c) * ((s + 1) * (s + 1))
             so power 2 (2 * c) * n
                < power 2 (2 * c) * ((s + 1) * (s + 1))
             so 0 < power 2 (2 * c) so 0 < (s + 1) * (s + 1) so 0 < n
             so n < (s + 1) * (s + 1) }

  let rec wmpn_sqrtrem (sp rp np: ptr limb) (n: int32) : int32
    requires { valid sp (ceilhalf n) }
    requires { valid rp n }
    requires { valid np n }
    requires { writable sp /\ writable rp /\ writable np }
    requires { 1 <= n }
    requires { 4 * n < max_int32 }
    requires { (pelts np)[offset np + n - 1] > 0 }
    ensures  { value np n = value sp (ceilhalf n) * value sp (ceilhalf n)
                            + value rp result }
    ensures  { 0 <= result <= n }
    ensures  { value rp result <= 2 * value sp (ceilhalf n) }
    ensures  { result > 0 -> (pelts rp)[offset rp + result - 1] > 0 }
    ensures  { forall j. (pelts np)[j] = old (pelts np)[j] }
    ensures  { max np = old max np }
    ensures  { min np = old min np }
    ensures  { plength np = old plength np }
    ensures  { max rp = old max rp }
    ensures  { min rp = old min rp }
    ensures  { plength rp = old plength rp }
    ensures  { max sp = old max sp }
    ensures  { min sp = old min sp }
    ensures  { plength sp = old plength sp }
    variant  { n }
  =
    label Start in
    let ghost k = ceilhalf (int32'int n) in
    let high = C.get_ofs np (n-1) in
    let ref c = (of_int32 (count_leading_zeros high)) / 2 in
    assert { power 2 (2 * c) * high < radix };
    assert { power 2 (2 * c) * high <= radix - power 2 (2 * c)
             by let p = power 2 (2 * c) in
                let q = power 2 (64 - 2 * c) in
                let r = p * high in
                radix = p * q
                so mod r p = mod (p * high + 0) p = 0
                so r = p * div r p
                so r < p * q
                so div r p < q
                so r <= p * (q - 1) = radix - power 2 (2 * c) };
    assert { 4 * power 2 (2 * c) * high >= radix };
    if n = 1
    then begin
      assert { k = 1 };
      value_tail np 0;
      assert { value np n = high };
      if c = 0
      (* TODO if high & 0xc000_0000_0000_0000 *)
      then begin
        let s = sqrt1 rp high in
        C.set sp s;
        value_tail sp 0;
        assert { value sp k = s };
      end
      else begin
        let nh = lsl high (2 * c) in
        assert { nh = power 2 (2 * c) * high
                 so 4 * nh >= radix   };
        let ncc = sqrt1 rp nh in
        let cc = lsr_mod ncc c in
        let ghost s0 = pure { mod ncc (power 2 c) } in
        assert { ncc = power 2 c * cc + s0 };
        assert { power 2 c * cc <= ncc
                 by 0 <= s0 };
        sqrt_norm (uint64'int high) (uint64'int nh) (uint64'int c)
                  (uint64'int cc) s0 (uint64'int ncc);
        C.set sp cc;
        value_tail sp 0;
        assert { value sp k = cc };
        C.set rp (high - cc * cc);
        assert { value rp 1 = high - cc * cc };
      end;
      let res = if C.get rp = 0 then 0 else 1 in
      value_tail rp 0;
      assert { value rp res = value rp 1 = (pelts rp)[offset rp] };
      return res
    end;
    let ref tn = (n + 1) / 2 in
    assert { tn = k };
    let ref rn : int32 = 0 in
    let adj = to_int32 ((of_int32 n) % 2) in
    assert { 2 * tn = n + adj };
    let scratch = salloc (UInt32.(+) (UInt32.(/) (UInt32.of_int32 tn) 2) 1) in
    if (adj <> 0 || c <> 0)
    then begin
      let ref tp = salloc (UInt32.(*) 2 (UInt32.of_int32 tn)) in
      C.set tp 0;
      begin ensures { value tp (n+adj)
                      = power 2 (2 * c) * power radix adj * value np n }
            ensures { 4 * value tp (n+adj) >= power radix (n+adj) }
            ensures { max tp = old max tp }
            ensures { plength tp = old plength tp }
            ensures { min np = old min np /\ max np = old max np
                      /\ plength np = old plength np }
            ensures  { forall j. (pelts np)[j] = old (pelts np)[j] }
        assert { value tp adj = 0
                 by value tp 1 = 0
                 so adj = 0 \/ adj = 1 };
        let ghost otp = pure { tp } in
        let tpa = C.incr_split tp adj in
        label Shift in
        (if c <> 0
        then begin
          value_tail np (n-1);
          assert { value np n * power 2 (2 * c) < power radix n
                   by value np n = value np (n-1) + power radix (n-1) * high
                   so high * power 2 (2 * c) <= radix - power 2 (2 * c)
                   so power 2 (2 * c) * value np (n-1)
                      < power 2 (2 * c) * power radix (n-1)
                   so power radix (n-1) * (high * power 2 (2 * c))
                      <= power radix (n-1) * (radix - power 2 (2 * c))
                   so value np n * power 2 (2 * c)
                      = value np (n-1) * power 2 (2 * c)
                        + power radix (n-1) * high * power 2 (2 * c)
                      < power 2 (2 * c) * power radix (n-1)
                        + power radix (n-1) * (radix - power 2 (2 * c))
                      = power radix (n-1) * radix = power radix n };
          label Shift in
          let ghost h = wmpn_lshift_sep tpa np n (2 * c) in
          value_sub_frame (pelts np) (pure { pelts np at Shift })
                          (offset np) (offset np + int32'int n);
          assert { value np n = value np n at Shift };
          assert { h = 0
                   by value np n * power 2 (2 * c) < power radix n
                   so value tpa n + power radix n * h < power radix n
                   so 0 <= value tpa n
                   so h < 1 };
          assert { 4 * value tpa n >= power radix n
                   by value np n >= power radix (n-1) * high
                   so value tpa n
                      = power 2 (2 * c) * value np n
                      >= power 2 (2 * c) * power radix (n-1) * high
                   so 4 * power 2 (2 * c) * high >= radix
                   so power radix n
                      = power radix (n-1) * radix
                      <= power radix (n-1) * (4 * power 2 (2 * c) * high)
                      <= 4 * value tpa n };
        end
        else begin
          wmpn_copyi tpa np n;
          assert { 4 * high >= radix };
          assert { 4 * value tpa n >= power radix n
                   by value np n >= power radix (n-1) * high
                   so power radix n
                      = power radix (n-1) * radix
                      <= power radix (n-1) * 4 * high
                      <= 4 * value np n = 4 * value tpa n };
          assert { value tpa n = value np n };
        end);
        let otpa = pure { tpa } in
        join tp tpa;
        value_sub_frame (pelts tp) (pelts otp) 0 (int32'int adj);
        value_sub_frame (pelts tp) (pelts otpa) (int32'int adj)
                                  (int32'int adj + int32'int n);
        assert { value_sub (pelts tp) adj (n+adj) = value otpa n };
        assert { value tp adj = 0 };
        value_concat tp adj (n+adj);
        assert { value tp (n+adj) = power radix adj * value otpa n };
        assert { 4 * value tp (n+adj) >= power radix (n + adj)
                 by power radix (n+adj) = power radix adj * power radix n
                 <= power radix adj * (4 * value otpa n)
                 = 4 * value tp (n+adj) };
      end;
      c <- c + (if adj <> 0 then 32 else 0);
      assert { 0 <= c <= 63 };
      assert { value tp (n+adj) = power 2 (2 * c) * value np n };
      (*let mask = lsl 1 c - 1 in*)
      value_tail tp (tn + tn - 1);
      let ghost h = pure { (pelts tp)[tn + tn - 1] } in
      assert { h >= power 2 (Limb.length - 2)
               by value tp (n+adj)
                  = value tp (tn + tn - 1) + power radix (tn + tn - 1) * h
                  < power radix (tn + tn - 1) + power radix (tn + tn - 1) * h
                  = power radix (tn + tn - 1) * (h+1)
               so power radix (tn + tn) <= 4 * value tp (n+adj)
                  < power radix (tn + tn - 1) * 4 * (h+1)
               so power radix (tn + tn) = power radix (tn + tn - 1) * radix
               so power radix (tn + tn - 1) * radix
                  < power radix (tn + tn - 1) * (4 * (h+1))
               so radix < 4 * (h+1)
               so radix = 4 * power 2 (Limb.length - 2)
               so power 2 (Limb.length - 2) < h+1 };
      let ghost vn = pure { value np n } in
      let ghost vn1 = pure { value tp (n+adj) } in
      assert { vn1 = power 2 (2 * c) * vn };
      let ref rl = wmpn_dc_sqrtrem sp tp tn scratch in
      let ghost vs = pure { value sp tn } in
      let ghost vr = pure { value tp tn + power radix tn * rl } in
      assert { 0 <= vr
               by 0 <= value tp tn
               so 0 <= rl
               so 0 <= power radix tn };
      assert { vn1 = vs * vs + vr };
      let ghost vs0 = pure { mod vs (power 2 c) } in
      assert { vn1 = (vs - vs0) * (vs - vs0) + 2 * vs0 * vs - vs0 * vs0 + vr };
      let s0 = salloc 1 in
      value_concat sp 1 tn;
      let s00 = (C.get sp) % (lsl 1 c) in
      assert { s00 = vs0
               by radix = power 2 Limb.length
                  = power 2 c * power 2 (Limb.length - c)
               so let q = value_sub (pelts sp) (offset sp + 1)
                                              (offset sp + tn) in
                  vs = value sp tn = (pelts sp)[offset sp] + radix * q
                     = power 2 c * (power 2 (Limb.length - c) * q)
                       + (pelts sp)[offset sp]
                  so mod vs (power 2 c)
                     = mod (power 2 c * (power 2 (Limb.length - c) * q)
                            + (pelts sp)[offset sp])
                           (power 2 c)
                     = mod (pelts sp)[offset sp] (power 2 c)
                     = s00 };
      C.set s0 s00;
      assert { value s0 1 = s00 };
      let rc = wmpn_addmul_1 tp sp tn (2 * s00) in
      assert { value tp tn + power radix tn * (rl + rc) = vr + 2 * vs0 * vs };
      assert { rl + rc < radix
               by vr <= 2 * vs
               so vr + 2 * vs0 * vs <= 2 * vs * (vs0 + 1)
               so vs0 < power 2 c <= power 2 63
               so 2 * vs * (vs0 + 1) <= 2 * vs * power 2 63 = radix * vs
               so vs < power radix tn
               so radix * vs < radix * power radix tn
               so power radix tn * radix > value tp tn + power radix tn * (rl + rc)
                  >= power radix tn * (rl + rc)
               so power radix tn * (rl + rc) < power radix tn * radix };
      rl <- rl + rc;
      assert { value tp tn + power radix tn * rl = vr + 2 * vs0 * vs };
      value_concat tp 1 tn;
      let ghost otp = pure { tp } in
      let ref cc = wmpn_submul_1 tp s0 1 s00 in
      value_sub_frame (pelts tp) (pelts otp) (offset tp + 1)
                                  (offset tp + int32'int tn);
      value_concat tp 1 tn;
      assert { value tp tn - radix * cc = value otp tn - s00 * s00 };
      assert { value tp tn + power radix tn * rl - radix * cc
               = vr + 2 * vs0 * vs - vs0 * vs0 };
      begin ensures { value tp tn + power radix tn * rl
                      = vr + 2 * vs0 * vs - vs0 * vs0 }
        if tn > 1
        then begin
          label Sub in
          value_concat tp 1 tn;
          let tp1 = C.incr tp 1 in
          let ghost otp = pure { tp } in
          let ghost otp1 = pure { tp1 } in
          assert { value tp tn = value tp 1 + radix * value tp1 (tn-1) };
          cc <- wmpn_sub_1_in_place tp1 (tn - 1) cc;
          value_sub_frame (pelts tp) (pelts otp1) (offset tp)
                                             (offset tp + 1);
          assert { value tp 1 = value tp 1 at Sub };
          value_concat tp 1 tn;
          assert { value tp tn - power radix tn * cc
                   = value otp tn - radix * (cc at Sub)
                   by value tp1 (tn - 1) - power radix (tn - 1) * cc
                      = value otp1 (tn - 1) - cc at Sub
                   so value tp tn = value tp 1 + radix * value tp1 (tn - 1)
                   so power radix tn = radix * power radix (tn - 1)
                   so value tp tn - power radix tn * cc
                      = value tp 1
                        + radix * (value tp1 (tn - 1) - power radix (tn-1) * cc)
                      = value tp 1 + radix * (value otp1 (tn-1) - (cc at Sub))
                      = value tp 1 + radix * value otp1 (tn-1)
                        - radix * (cc at Sub)
                      = value otp tn - radix * (cc at Sub) };
        end
        else begin
          assert { tn = 1 };
        end;
        assert { value tp tn + power radix tn * (rl - cc)
                   = vr + 2 * vs0 * vs - vs0 * vs0 };
        assert { 0 <= rl - cc
                 by (vs0 = mod vs (power 2 c) <= vs
                     by vs = div vs (power 2 c) * power 2 c + vs0
                     so div vs (power 2 c) >= 0
                     so power 2 c >= 0
                     so div vs (power 2 c) * power 2 c >= 0)
                 so vs0 * vs0 <= vs0 * vs
                 so 2 * vs0 * vs - vs0 * vs0 >= 0
                 so 0 <= vr
                 so 0 <= value tp tn + power radix tn * (rl - cc)
                 so value tp tn < power radix tn
                 so power radix tn * (rl - cc) >= - (power radix tn)
                 so rl - cc > - 1 };
        rl <- rl - cc
      end;
      let ghost r = wmpn_rshift sp sp tn c in
      let ghost vsq = pure { div vs (power 2 c) } in
      assert { vs = vsq * power 2 c + vs0 };
      assert { value sp tn * radix + r = vs * power 2 (Limb.length - c) };
      assert { mod r (power 2 (Limb.length - c)) = 0
               by let q = power 2 (Limb.length - c) in
                  let p = power 2 c in
                  p * q = radix
               so r = vs * q - value sp tn * p * q
                    = q * (vs - value sp tn * p)
               so mod r q
                  = mod (q * (vs - value sp tn * p) + 0) q
                  = 0 };
      let ghost q = pure { div r (power 2 (Limb.length - c)) } in
      assert { r = power 2 (Limb.length - c) * q
               by let p = power 2 (Limb.length - c) in
               r = p * div r p + mod r p
               so div r p = q so mod r p = 0 };
      assert { value sp tn * power 2 c + q = vs
               by radix = power 2 c * power 2 (Limb.length - c)
               so value sp tn * power 2 c * power 2 (Limb.length - c)
                    + power 2 (Limb.length - c) * q
                  = (value sp tn * power 2 c + q) * power 2 (Limb.length - c)
                  = value sp tn * radix + power 2 (Limb.length - c) * q
                  = vs * power 2 (Limb.length - c)
               so (value sp tn * power 2 c + q) * power 2 (Limb.length - c)
                  = vs * power 2 (Limb.length - c)
               so power 2 (Limb.length - c) <> 0 };
      assert { q = vs0
               by vs0 = mod vs (power 2 c)
                  = mod (value sp tn * power 2 c + q) (power 2 c)
                  = mod q (power 2 c)
               so 0 <= q
               so q * power 2 (Limb.length - c) = r < radix
                  = power 2 c * power 2 (Limb.length - c)
               so let p = power 2 (Limb.length - c) in
                  q * p < power 2 c * p
               so 0 <= q so 0 < p
               so q < power 2 c
               so div q (power 2 c) = 0
               so mod q (power 2 c) = q };
      assert { value sp tn * power 2 c = vs - vs0 };
      assert { value tp tn + power radix tn * rl
               = vr + 2 * vs0 * vs - vs0 * vs0 };
      value_sub_update_no_change (pelts tp) (offset tp + int32'int tn)
                                 (offset tp) (offset tp + int32'int tn) rl;
      label Set in
      C.set_ofs tp tn rl;
      value_tail tp tn;
      assert { value tp (tn + 1) = vr + 2 * vs0 * vs - vs0 * vs0
               by value tp (tn + 1) = value tp tn + power radix tn * rl
                  = value (tp at Set) tn + power radix tn * rl };
      assert { vn1 = value tp (tn + 1) + (vs - vs0) * (vs - vs0) };
      assert { power 2 (2 * c) * vn = value tp (tn + 1)
               + power 2 (2 * c) * value sp tn * value sp tn
               by power 2 (2 * c) = power 2 c * power 2 c
               so power 2 (2 * c) * value sp tn * value sp tn
               = (vs - vs0) * (vs - vs0) };
      let ghost vsp = pure { value sp tn } in
      begin ensures { 0 < vn }
        value_tail np (n-1);
        assert { 0 < vn
                 by vn = value np (n-1)
                       + power radix (n-1) * (pelts np)[offset np + n - 1]
                 so 0 <= value np (n-1)
                 so 0 < (pelts np at Start)[offset np + n - 1]
                      = (pelts np)[offset np + n - 1]
                 so 0 < power radix (n-1)
                 so 0 < power radix (n-1) * (pelts np)[offset np + n - 1] };
      end;
      sqrt_norm vn vn1 (uint64'int c) vsp vs0 vs;
      let ref c2 = lsl c 1 in
      assert { c2 = 2 * c };
      assert { value tp (tn + 1) = power 2 c2 * (vn - vsp * vsp) };
      begin ensures { power 2 c2 * (vn - vsp * vsp)
                      = value tp tn }
            ensures { 0 <= c2 < 64 }
            ensures { valid tp tn }
            ensures { 0 < tn <= k+1 }
        if c2 < 64
        then tn <- tn + 1
        else begin
          value_concat tp 1 (tn + 1);
          let tp1 = C.incr tp 1 in
          assert { value tp (tn + 1) = value tp 1 + radix * value tp1 tn };
          assert { power 2 c2 = radix * power 2 (c2 - 64)
                   by radix = power 2 64 so radix * power 2 (c2 - 64) = power 2 c2 };
          assert { value tp (tn + 1)
                   = power 2 c2 * (vn - vsp * vsp)
                   = radix * power 2 (c2 - 64) * (vn - vsp * vsp) };
          assert { value tp 1 = 0
                   by value tp (tn + 1)
                      = radix * power 2 (c2 - 64) * (vn - vsp * vsp)
                   so mod (value tp (tn + 1)) radix
                      = mod (radix * (power 2 (c2 - 64) * (vn - vsp * vsp)) + 0)
                            radix
                      = 0
                   so mod (value tp (tn + 1)) radix
                      = mod (value tp 1) radix
                   so 0 <= value tp 1 < radix
                   so value tp 1 = mod (value tp 1) radix };
          assert { value tp1 tn = power 2 (c2 - 64) * (vn - vsp * vsp)
                   by radix * value tp1 tn
                      = radix * (power 2 (c2 - 64) * (vn - vsp * vsp)) };
          c2 <- c2 - 64;
          tp <- tp1
        end
      end;
      begin ensures { value rp rn = vn - vsp * vsp }
            ensures { 0 < rn <= k+1 }
            ensures { min rp = old min rp /\ max rp = old max rp
                      /\ plength rp = old plength rp }
        if (not (c2 = 0))
        then begin
          label Shift in
          let ghost b = wmpn_rshift_sep rp tp tn c2 in
          value_sub_frame (pelts tp) (pure { pelts tp at Shift })
                          (offset tp) (offset tp + int32'int tn);
          assert { value tp tn = power 2 c2 * value rp tn
                   by radix = power 2 c2 * power 2 (64 - c2)
                   so b + radix * value rp tn
                      = value tp tn * power 2 (64 - c2)
                      = power 2 c2 * (vn - vsp * vsp) * power 2 (64 - c2)
                      = radix * (vn - vsp * vsp)
                   so mod (radix * (vn - vsp * vsp)) radix = 0
                   so 0 = mod (b + radix * value rp tn) radix
                      = mod b radix
                   so 0 <= b < radix
                   so b = mod b radix = 0
                   so value rp tn * power 2 c2 * power 2 (64 - c2)
                      = radix * value rp tn
                      = value tp tn * power 2 (64 - c2) };
          assert { value rp tn = vn - vsp * vsp
                   by value tp tn = power 2 c2 * value rp tn
                   so value tp tn = power 2 c2 * (vn - vsp * vsp) };
        end
        else wmpn_copyi rp tp tn;
        rn <- tn
      end
    end
    else begin
      wmpn_copyi rp np n;
      assert { (pelts rp)[offset rp + tn + tn - 1] >= power 2 (Limb.length - 2)
               by tn + tn = n
               so c = 0
               so (pelts rp)[offset rp + tn + tn - 1]
                  = (pelts rp)[offset rp + (n - 1)]
                  = (pelts np)[offset np + (n - 1)] = high
               so 4 * high >= radix };
      assert { value np n = value rp (tn + tn)
               by tn + tn = n };
      let h = wmpn_dc_sqrtrem sp rp tn scratch in
      value_sub_update_no_change (pelts rp) (offset rp + int32'int tn) (offset rp)
                                 (offset rp + int32'int tn) h;
      C.set_ofs rp tn h;
      value_tail rp tn;
      assert { value rp (tn+1) + value sp tn * value sp tn = value np n
               by value np n = value sp tn * value sp tn + value rp tn + power radix tn * h
               so value rp (tn + 1) = value rp tn + power radix tn * h };
      assert { value rp (tn+h) = value rp (tn + 1)
               by [@case_split] (h = 0 \/ h = 1) };
      rn <- tn + to_int32 h;
    end;
    let ghost orp = pure { rp } in
    let ghost orn = pure { rn } in
    assert { value np n = value sp k * value sp k + value orp orn };
    assert { 1 <= rn <= n };
    while C.get_ofs rp (rn - 1) = 0 do
      invariant { value rp rn = value orp orn }
      invariant { 1 <= rn <= orn }
      variant   { rn }
      value_tail rp (rn-1);
      assert { value rp (rn - 1) = value rp rn };
      rn <- rn - 1;
      if rn = 0
      then begin
        assert { value orp orn = 0
                 by 0 = value rp 0 = value rp 1 = value orp orn };
        break
      end
    done;
    rn

endwhy3-1.6.0/examples/multiprecision/sqrtrem/000077500000000000000000000000001440160026300207655ustar00rootroot00000000000000why3-1.6.0/examples/multiprecision/sqrtrem/why3session.xml000066400000000000000000010557211440160026300240200ustar00rootroot00000000000000













 
 
 
 
 
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
   
   
   
  
  
  
  
  
  
  
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
  
  
  
  
  
  
  
   
   
   
   
   
   
  
  
  
  
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
  
  
  
  
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
   
   
   
  
  
  
  
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
  
  
  
  
  
  
  
   
   
   
   
   
   
  
  
  
  
   
   
   
   
   
   
   
   
   
  
  
  
  
  
  
  
   
   
   
   
   
   
  
  
  
  
   
   
   
  
  
  
  
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
  
  
  
  
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
  
  
  
  
  
  
  
   
   
   
  
  
  
  
  
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
  
  
  
  
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
  
  
  
  
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
   
   
   
   
   
   
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
   
   
   
  
  
  
  
   
   
   
   
   
    
    
    
    
    
    
    
    
    
   
   
   
   
   
  
  
  
  
  
  
  
  
  
  
  
  
  
   
   
   
   
   
    
    
    
    
    
    
   
   
   
   
   
   
   
   
  
  
  
  
  
  
  
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
  
  
  
  
   
   
   
   
   
   
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
  
  
  
  
   
   
   
  
  
  
  
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
   
   
   
   
   
   
   
   
   
   
   
   
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
   
   
   
   
   
   
  
  
  
  
   
   
   
   
   
   
  
  
  
  
  
  
  
   
   
   
   
   
   
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
 
 
 
 
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
   
   
   
  
  
  
  
  
  
  
   
   
   
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
   
   
   
  
  
  
  
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
  
  
  
  
  
  
  
  
  
  
  
  
  
   
   
   
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
   
   
   
  
  
  
  
  
  
  
  
  
  
  
  
  
   
   
   
   
   
    
    
    
    
    
    
    
    
    
   
   
   
   
   
   
   
   
  
  
  
  
  
  
  
  
  
  
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
  
  
  
  
   
   
   
   
   
   
   
   
   
   
   
   
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
   
   
   
   
   
   
  
  
  
  
   
   
   
  
  
  
  
  
  
  
  
   
   
   
   
   
   
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
   
   
   
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
    
    
    
    
    
    
    
    
    
   
   
   
   
   
   
   
    
    
     
     
     
     
     
     
    
    
    
    
    
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
  
  
  
  
  
  
  
  
  
  
  
  
  
   
   
   
   
  
  
  
  
   
   
    
    
    
   
   
  
  
  
  
   
   
   
   
   
   
   
  
  
  
  
   
   
   
  
  
  
  
  
  
  
  
  
  
  
  
  
   
   
   
  
  
  
  
  
  
  
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
  
  
  
  
  
  
  
  
  
  
   
   
   
   
   
   
  
  
  
  
   
   
   
  
  
  
  
   
   
   
  
  
  
  
   
   
   
   
   
   
   
   
   
   
   
   
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
  
  
  
  
  
  
  
   
   
   
  
  
  
  
  
  
  
   
   
   
   
   
   
  
  
  
  
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
  
  
  
  
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
   
   
   
  
  
  
  
  
  
  
   
   
   
  
  
  
  
   
   
   
   
   
    
    
    
   
   
   
   
   
  
  
  
  
  
  
  
   
   
   
   
   
   
   
   
   
  
  
  
  
   
   
   
  
  
  
  
  
  
  
  
  
  
  
  
  
   
   
   
  
  
  
  
  
  
  
  
  
  
  
  
  
   
   
   
   
   
   
  
  
  
  
   
   
   
   
   
   
  
  
  
  
  
  
  
  
  
  
   
   
   
   
   
   
  
  
  
  
  
  
  
  
  
  
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
   
   
   
   
   
   
  
  
  
  
  
  
  
  
  
  
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
  
  
  
  
   
   
   
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
   
   
   
  
  
  
  
  
  
  
  
  
  
   
   
    
    
    
   
   
  
  
  
  
  
  
  
  
  
  
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
   
   
   
   
   
   
   
   
   
  
  
  
  
  
  
  
  
  
  
  
  
  
   
   
   
  
  
  
  
   
   
   
   
   
   
   
   
   
  
  
  
  
   
   
    
    
    
    
    
    
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
  
  
  
  
   
   
   
  
  
  
  
  
  
  
   
   
   
   
   
   
   
   
   
   
   
   
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
   
   
   
  
  
  
  
  
  
  
  
  
  
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
  
  
  
  
   
   
   
  
  
  
  
  
  
  
   
   
   
   
   
   
   
   
   
   
   
   
  
  
  
  
  
  
  
  
  
  
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
  
  
  
  
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
  
  
  
  
   
   
   
  
  
  
  
  
  
  
   
   
   
  
  
  
  
   
   
   
   
   
   
   
   
   
  
  
  
  
   
   
   
   
   
   
   
   
   
   
   
    
    
    
    
    
     
     
     
     
     
     
    
    
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
  
  
  
  
   
   
   
   
   
   
   
   
   
   
   
    
    
    
    
    
    
   
   
   
   
   
   
   
   
  
  
  
  
   
   
   
   
   
   
   
   
   
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
   
   
   
  
  
  
  
  
  
  
   
   
   
  
  
  
  
   
   
   
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
    
    
    
    
    
    
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
  
  
  
  
  
  
  
   
   
   
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
   
   
    
    
    
   
   
  
  
  
  
  
  
  
  
  
  
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
  
  
  
  
   
   
   
  
  
  
  
  
  
  
  
  
  
  
  
  
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
  
  
  
  
  
  
  
   
   
   
  
  
  
  
  
  
  
   
   
    
    
    
    
    
    
    
    
    
    
    
    
   
   
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
   
   
   
  
  
  
  
  
  
  
  
  
  
  
  
  
   
   
   
  
  
  
  
  
  
  
  
  
  
  
  
  
   
   
   
   
   
   
   
   
    
    
    
    
    
    
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
   
   
   
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
   
   
   
  
  
  
  
  
  
  
   
   
   
  
  
  
  
  
  
  
   
   
   
   
   
   
   
   
   
  
  
  
  
  
  
  
   
   
   
  
  
  
  
  
  
  
  
  
  
   
   
   
  
  
  
  
   
   
   
   
   
   
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
  
  
  
  
   
   
   
   
   
   
   
   
   
   
   
    
    
    
    
    
    
   
   
   
   
   
  
  
  
  
  
  
  
  
  
  
  
  
  
   
   
   
  
  
  
  
  
  
  
  
   
   
   
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
   
   
   
   
   
   
   
   
    
    
    
    
    
    
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
    
    
    
    
    
    
   
   
   
   
   
   
   
   
  
  
  
  
  
  
  
   
   
   
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
   
   
   
  
  
  
  
  
  
  
   
   
    
    
    
   
   
  
  
  
  
  
  
  
  
  
  
  
 
 
 
 
 
 
 
  
  
  
  
  
   
   
   
   
   
   
   
   
   
   
   
    
    
    
    
    
    
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
    
    
    
    
    
    
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
  
  
  
  
  
 
 
 
 
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
   
   
   
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
   
   
    
    
    
   
   
   
   
   
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
   
   
   
   
   
   
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
   
   
   
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
   
   
   
   
   
   
  
  
  
  
  
  
  
  
  
  
   
   
    
    
    
   
   
   
   
   
   
   
   
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
   
   
   
  
  
  
  
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
  
  
  
  
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
  
  
  
  
  
  
  
  
  
  
  
  
  
  
   
   
   
   
   
   
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
   
   
   
   
   
   
   
   
   
   
   
   
  
  
  
  
  
  
  
  
  
  
  
  
   
   
   
   
   
   
   
  
  
  
  
   
   
   
   
   
   
  
  
  
  
  
  
  
  
  
  
   
   
   
  
  
  
  
  
  
  
  
  
  
   
   
   
   
   
   
  
  
  
  
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
   
   
   
   
   
   
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
   
   
   
   
   
   
   
   
   
   
   
   
  
  
  
  
  
  
  
  
  
  
   
   
   
   
   
   
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
   
   
   
   
   
   
  
  
  
  
  
  
  
  
  
  
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
   
   
   
   
   
   
  
  
  
  
  
  
  
  
  
  
   
   
   
   
   
   
   
   
   
   
   
   
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
    
    
    
   
   
   
   
    
    
    
    
    
    
    
    
    
   
   
   
   
   
  
  
  
  
  
  
  
  
  
  
   
   
   
  
  
  
  
  
  
  
  
  
  
   
   
   
   
   
   
  
  
  
  
  
  
  
  
  
  
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
   
   
   
   
   
   
  
  
  
  
  
   
   
   
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
   
   
   
  
  
  
  
   
   
   
  
  
  
  
  
  
  
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
  
  
  
  
  
  
  
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
   
   
    
    
     
     
      
      
      
      
      
      
      
      
      
     
     
    
    
   
   
   
   
   
   
   
   
   
   
   
   
   
    
    
    
    
    
    
   
   
   
   
   
  
  
  
  
   
   
    
    
    
   
   
   
   
   
   
   
   
   
   
   
  
  
  
  
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
  
  
  
  
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
  
  
  
  
  
  
  
  
  
  
   
   
   
   
   
   
  
  
  
  
   
   
   
   
   
   
  
  
  
  
  
  
  
   
   
   
   
   
   
  
  
  
  
   
   
   
   
   
   
  
  
  
  
   
   
   
   
   
   
   
   
   
  
  
  
  
  
  
  
   
   
   
   
   
   
   
   
   
  
  
  
  
  
  
  
  
  
  
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
   
   
   
   
   
   
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
   
   
   
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
   
   
   
   
   
   
  
  
  
  
  
  
  
  
  
  
   
   
   
   
   
   
   
   
   
  
  
  
  
   
   
   
   
   
   
  
  
  
  
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
   
   
   
   
   
   
  
  
  
  
  
  
  
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
  
  
  
  
   
   
   
   
   
   
   
   
   
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
   
   
   
   
   
   
  
  
  
  
  
  
  
  
  
  
  
  
  
   
   
   
   
   
   
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
   
   
   
   
   
   
   
   
   
   
   
   
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
   
   
   
   
   
   
  
  
  
  
   
   
   
   
   
   
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
   
   
   
   
   
   
  
  
  
  
  
  
  
  
  
  
   
   
   
   
   
   
  
  
  
  
  
  
  
   
   
   
   
   
   
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
   
   
   
   
   
   
   
   
   
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
   
   
   
   
   
   
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
 
 



why3-1.6.0/examples/multiprecision/sqrtrem/why3shapes.gz000066400000000000000000002145561440160026300234420ustar00rootroot00000000000000o "oM@w
b`0rׁJU%3UW]ݶsÌUEQER?޾>~y-^箾A7~bZ0QW~u^wo(Pzշkpo|?Jv~><
Հ^wmͣ-79'[JG]6V_I|n>ݫϏ@[ e{B	#*Y sWX=-3To8:a=\'g@C|bߺeda˨.dx>ۉG!
p-;5O~?0H_;ۮG&x2ĠW?i΅	qY{;MB?Lm
k0?}CDr4d!ʽƻh#O҅D`gen
fJowLo|Z GɢT93qG3dĘ(ǘZ^bdל5X~	^K$>4I2ե@3_Heݹ]8`Ox0+̤yZ~;U^bgyE0b>WQ04`7e+݀k4Ǖ
#oRXxW;+]t"w#]@,̌['UTLW˒r
#g=b]}-Wk(W7=(#EB_|PncByy[OʌEcBdbK27̅ro[8RH̎Z,?uٞ\o֪?ߢVvwʟ=R,]/?;Թ'PY¸²@PO˅3Uظ~]-@Ÿ+mH,"9b}ظ|׃x
8-leVsvP㖤NR,U;-_xSVK_^Ŏts[gLj}:vQy_wM*2ùAPAo7oL1;eM>EfKCTo`%}/6߸-S8 pAizPxwk2AE\>[3[}]HUR_׭Skߥ4	ӛ7KÜ<؉v$PᗊQ41wI1lⱌb\-raoT˜ţ8?;#T"^Zhҋ%`zhl-h߅8>|៵89ԫԯ)՛;A]APkyB
Sf0~rx@n}C3OPj3i#Z>m2/gy^NvfB/͟^_&L1|{:ZD,I``ݾ`K]1듦!Our}"n7zVuY0aM	XcwۋƎ5Vp7/6fN{r{)`%lЏ
?nM}-@z]g5xgWg*.dWˠWW\ϷH򹇮|YV-_x!"]R´|_>皹G;z^qc%~OYK=퀽}O\^srL6]1vTW[9ލ\=0AoۑBVh?
Ҧ{we:[O/gr!K0Lmy3"#?\wQQwi1aZ6pDM.8	/!15%wZE Ui7/?}P<;-R0KsYH%XX)g8f4.bƒ$'dd@jD""{&EQN|Gf?I#=
q;bVϒƯI렸Z1a<±*YlXN"0ADf8~g[O%g>ȫ4Sd3%h7H^8ooJKzS"/G^ayVjNcPz"5P2 .<v䉙~#Ǒ8NyCfoxz[,QB٧
0}h?ߟo~TuO
SI~#htO9
YxqH.b<F$^cx`İ÷QzqWVΝofT(vȔ:}Bj=c9&4ѓY;KE)#$V*#
]VwXpaG<}wL<8SlU^%W?8	mDF'CzT0pąvJ摻#K%?E]4fmuz
sﻁ>~^]HA_r_ab&!b8[ʬ7>zA^.!	AL/o7IR	8ַ^z;&oorGAX=[wԋ,MLf(eIotEPx-ƉoQ:&"Q "߷;apauBop@\06|=?eBL#po0ː{.z
QvKwNgj'O<>1d3;Yx4{Yoǁi͚eQ?Bymw,nCvmoݑmo}q&zRM쵺kq}36sO՗s]ؐ뼺
0㽺
W~*H{ЏZ%O]G"{$#ni:w7/0vXCo7O`+nZd}jxQfnF{ǂpR=v6N~ʧ%Z2pe1#i`y^=-GUI!UrtH5a @?VwsAm3{o[xX/ԀfŅAfնU|sIR-aRޙOџ6SϷ>ADOou,]2!E&*Ā0M8D=z[#bZU/{f!/l#]]%$=oU w-;
}m2&/J̅ݣq
j=)篓ZWKVX$ֳX$¨/k7Ls#?)`I;hgRS>I]HrWhJtp_^8._xV:quF}QUMgO/!,O!ޥL=;Y:^wBvfZ/Cptlpɞ\[
-	`?ħhm2N7eM直V.b>_ pf-4ቄef}{7w/ʀ2aHP|rNOg͔"~!7
^AZ/4Q GF^oFKo3ӻ1ypH@xσ,A>Ekݖ8*/\:i6q6$}	.هzhR3esNd2߉gy
TyΉm<}f }P$IB_n{5uiQ!r'ګmXStTާPmR6)B:h˧KbCf'H~	oY_‹i%2/DmX]*?=r/nI(ljgG_cE@C\ gr,(	ǜ˳YlH@X/ev@+RZotcmf*̏Ra̞&S˾ktK'ұuRvL4p|y}jn)S6(u[^W}cgIzwut9{BO7#5N|4O`}	X8ﵿ':.^?B+?I#N)Bm/O
|4QNt|w6Mπ;[2շA碜b-uy5օo=1CʟT&a^12Ȩ!vS`jspРdzuK9>nos[stLۜsmd:b@||ܓmd>G͛jތc5\ `ٯ݄v;2!9!6A{c{霟MpN`șVR-="3smM/BN_*(ZBѹ ؅LvFZLottI&޼vyjW߸izpp1Z*5Oo(Ԉ&S˻n({^yNP*~N9Uē2%:ں,Lu9I=JZ.`Y8H0/LO6n}qSoH`'=(<^ؚbjߩj_y1);ShT9Qs{SB0bD
ͼW,m$unPF~jCA'}@G.YÖsH~{#@%$ӷܐ;6>%zd.QPv]r!r|Υk]ޝFoE'i۸N)}`~"V
C~/8ݖNoj2'OM!4k{:`
Je!R"mYo#9z#Ƞ!nCt2r[Lrp=LHj.wU^!WQpeB\W޹]+ɏSxxw!?~zhn)ZDna|̡O~*'_/)Xc@`k@7k)oi0AQXnt('`eDmF"=/KnLϔ;+^'OX.ʵ]KYtXlS#>H$|FsyǞ{'ueyjۈTJ8kbfpPaa᨝3AkW)2s Ęݣs]s(F?
l|owDݶS f7&&i2>)_X9`\GH7wmkMx!
[tꄵE>;t;t5,BQɝ::~ lwnlz6[΢զvzD7mmG*\Tgm-*4Dcw*{CPcƆ-;lI9MQYv%C{{}R~tv#Q=[g˺3Yd@uMԊ~r,2;%<#`)QB0Wҋ}(%YM䭒c-0(o-[=&u{<]U69fgtqRuQMN>yFf2UT
_nK~ӷ
͜
OCzK5e@'N@7G`t2Ƌ2#ߑί"uXWX]yn&c̈́I	OGJDžM;䦺IŮF7v4{s~s&yۮǧ6{HN΅B;McV~.a|׉o{eߙ*/ Bd\2F[r\I~$Su34{­Nɿ(B-7qg::c7xۡGp|cxISC[[{`_\OF޼9%3ILp3 C|-g$n6062P#?.;+x
>u-_Bh	2.9.Ftyr7LI4T.S=s ̌mi߆%,_GwFxG/c˘qN;tșM/
9{0w-S\8+&ƞ.{]<
9ͥccu:>>|m^}3Npf elF~V&9|֡ꝃe&@ɶ-]]7Y6
4֫!C`o5^aOǁFeQ~\+I^nN0	n[uY\r9~_ysFrEt9U/؍YH<%|nu,^u^<ut26-rS:QNϾ=&pc61J`G'qL`t0K`tN[2ٗa1L$qJ/fJU$9nM.ؽήm	$FyyxnJ3GX^f~eT^`8rntŁf{fW:l6޹ͼ&./s$P_7N1C87>د%6pwktսK,ns_=|2zޱ,TԳ7Nzj2Xl=rqvJ@9=xOvm |>	_ۚ5%̓0JƖLDtJX)mZ9ed8?dR舎w"#9j<3QɜaaQ?fJZU&0(GvcH[
K	#`a|$$t0#BrUr+q&<<6៯?!~ZZp?Ƙ?+@O}(K//^/d%$q_t<~ZF/>0_l8py9DLZ SE^VHQA1)wY+VZݰ]bi>;*i\ɷAYI?~P^}	0
±kf+F/`B+&?[_p$vnx,ԋ jqgUvEsZ9E{.䐸_#nv(,9tFyz^Sn_?oɃh|s|P܋Dt)]/3T
2<څ670o!q+!h{X8|ڐpqQP
fܟެގK{J(^YwSLi-tه{EJƂ#1C8BM̍<
uE%
-˲|*E.y%N{⾧{Ő'6S"7~dlXtg.\ϺXy9CjwG=7U/E@i]Ju"׆a(K˫O֟xB
gk܎&FY~6fFvntca1+uמ_Q2rBxb^{C9Xs8v]7؇hUj[WFm3`ѳU6&_ǚgւ=#px'k񛰫i#Vtqz&Ün'MArMU_IKJku)
C)W
|MP[j{,w-
794a@' RdzK3ku/Ю,6.mŁ=1Sxpo-~@aB,dB]c1M.F9pGvswX9;~ZEa;pr4`2ݐL,tb1uᆏUCǪnUtjvc,W7I|v%tĩc>x3s^fϺӓ3Ů'yUA~/bDZIyVv^/SVL:
a͞![Zi"|gqyd'ojto7
5S_bpP.Mm'Hz|b 7DZu?ԮG41@waa?Skz{v=w2GiY5t8Ϯu`}{qM:
{y\'x`zy@]
@DjWc>0$	cOԫ7ٗsh{<	=)c]\
&F>Zhu>>*!.Dre2n,w˓GL2w>-O"+NtfwQf$rrJQw
ay)Yzx
鼜zÜIT7ϙq!sd>	xt˅'i0QϘ"g>G'2jiԮӨ]QPQQw9鶾Gpzzp>@C?!^oeqknc8u!ʧihkCb] Pt L`q'ҷ:BWq~uPfWjk_:	=Z"ok<4Lճzt9lCǺ߼_&g{ܙX˯v>VC/	cg4D?b
Bh|srxzS߇;JOeJy7AcJrfծ?RX?
ND$VXle;
,)o滇^+Php[C	+F$U@,|v~{Xةw&QDз1/:~kkfj!AA;f>^qp<ɰLWցg[?w,&ɮ2gX|cDλ	N>|X}W{RzXS	ud'C׶Q8fwP#w)*h!ϩy@7y
v,'/\gR}T9틼9+OU_SEA0,DAfZS@Y.h=J,m.Ӗ	h&p:K,up8&KUm9S;(w
~Y3`$q޹b1
j"v9S5mԁbF_-YPKG".JGV<ԭ(,TN3m˙6L%Ж>.b*)]у=vQގ2V8̹eu=J+s*RH̑2G\m,)s$̹ye,f!fTt=mlk!g@O_S#EOKb1*
V_{-Sy@W{<쇫Z}[w:OĖ"qo)nվݖ*]CTOjMܬKu@C|sQ|Ps
K0&(>M!(]*xb.?'dIݙ%'J_`yf/$@a/Nn_>w}{lt:?>cSPZnN{s%Ÿ.*bQIz^0.Ӊ:x}uک㽳9f1b8nwtb6PFxk'DakBbd8cϠ6v8#/akqsEǸ]k^oO&]7w>:{U3uPޞ
w>+}HisϞ=J7Tۢ	X߮	*$k#\Ei䳀ήdhx[v%݀kx'+-(q=ː6 MYwnqzy^.1d/JixQɒ58aD77O=Q$ԪG?oc]4H/(A@`twQV/e|-uT{ZvI׽؟/0/K5y59WηgN
-_xҔRZx^ߧ%ǺQv]i+G{]Wyx7|=ːI`z=͝8ﱟ_;{8/U&O-!`w
}	%Đv& RJ@!3e	Z.*ME} 7A?;ӼC\5kp!WI[T),i˭-hE"G*l$@]Nv)$Pþ8nm[ULLcY5iV]V98XttPyI1h0p}J
G8ZJ=-@WswFGϣ,2o1Khr$FH{HZ,/M^q	:rlZ3Oo"E	߸̓޼qŤ:]}j5+zui='_= ~N$mouۤ"8tGU冾yi9M34|R+ayҹ:0{4iਡDg83ijF|
%R=wmF~Co*]c/jJE	.>EY.SET=KWΪ4DihP}\67X\a^.z
KwCu&;6g*Nw{~;11I%'i?m(tf0~֑r,3>K0^hzA[pXa4ݵc ^BI~?	Km.k`&Gpq=ojy9^T٠Jn\+1SdI7o(&x:gEװw׿
$@qq`2{*F-ɍ27xZɱ±mG	6}t)xempg)&W:aH0?{=߿A>ﱫiFj̍z8=W4Df|D&2q*Zeog2V\9{(GkyCkwcJ8m[ЩPazM&!ES3`iVv@K/UיRn^toZ3>=ۘ>I6J0_sߓ'^H2릔O sbW"llb$=d:POv|i{r]68}^Y_^j*Aa~4c(H|C'rQDP4.v.Q֭yMV:t,4ʱ{
=yͫ@I[+;mYٽBTȦl"/x:OÀm/@:s6g3b,ppbGS,qI9KP/ւ)NM(W1~ g!4hp%Z*}Zݎt5t~J=ʏK5_%r~KDy=pBN[X+ vzRomʗar*'j:˭B 	Vn]1[{疷?n(vW9Nk\_&uͨmPϢ*b0Y`1lT5fbIװO5Ŝ=5tsGo`^%,=چa0-F+u"m*[$9s-h$ΛUk/,Vw%I6B[AR19y[Dwfd
|ck!vxǬ]p(rkf7ePCsN}O{
Qt4`JuUboq5?鵍33Zz5
O
S,*'^$
ߴTF8?P,g	BZ*142LKOYT}9Ӵ=$ "քJyzk'ѻoB/?mBmnםew'1Xz>P6͟|ۏW5^pU-&뗂}9,sh6]ipL 6FI.6҆b]~]jx`]a}(Lp
hNe^<[De&Y5zƒ|3ᠻJ<9}л
À/լ+ٓ'
AI
B;`p$ᥘ(|NQ8ea&#0^2כ0At?(w/1ȍ99iz:l4rYC!mN~nc	\X̓b[G_O#}BccQx?Ք/
jS*0%8
	B7+d[OLrz޻D@_wF`PW'p{[J7٦CEb{C97׬ppb{FhpY^v;޸\LX~#T6:}I}*lt=ĺ&	>B3d\?J,jj
H$1]L]K! 2t//!N[C2{/6jĂzc[%3,^ctO>LlΗeWK@ԠatL'i3fa'\
|~)ň䇺f#
CZ{ӔxSʘ(()3d|^`vrrqHP]W6+-b:t}x,d@Qa!Y`ccx1{߯TR>، DXg^?4xԣ$$qC(4񏤉`9ipPx@,}Xdb8T,EPq?TJGqϛW,GjFu՞5S2M6nj;uOx,WלÜZ# 'G8;0۰v'fȥ3LLTn2DZVO0ʳuMvO*ʗѽ
OE-;n@rb\?	I9CQϺx8faA{.}=>_bqGcMމZBkR  ?!#{Uŗe
Xv2ݿ|W?|ևGqч}tQatfL("f)ۑY*6yձvt; .[,zMD8	\\P_2Wqmc]OOLe=1˖~\l2+345oܮsv mQ7bh>%^O7G>v㧭Dp<=F~
/PG!>8zc\yexЕ웿|EPm~ŷTO-0zqO߂܂݂pOұцxn|n|po|pn|oyzs?yK"]+9N6*O1r3Nm=y#Ɠ>"z%K-9i{;8<Ό;I|wovW5\[	Y	5:kP^ m%u\t7y\`O,sg!y0y4J!6\81}T&}x.Pisύ3|fTiox_~GvHɂLlS|l9/p~*[
Lz?Fk1(gBɮhTQ}8-6p)~g}Zay(,H`Rz]['|.~7/;s[mN},1r_(P3<[5񸃑m	}eݜS(*<@,/_"3-(5k4FҢz?WUKe4˖
T_3#yUJjS#R՚*Y	#_c>ʏ#>RCG-k5Jbjiᨲu0*a"jD[x-V-REMk.DNVZVm[QKҢOhPTѪQ(%)]C$q\p#ki%UZ-R@@聥 r2b)Ru1G?hG?b k&E#CZa΅QRp,ںh`D_] +S1	M4F\UHG"vA%RPQhꖡM	.
VUU2$eO;0k
?Rk)[EU5F)JX`lHj4X3CsxyNG@+*Nږ.K^ׂ:n)b-t6Vmj**+i5"$FSỲ*qISp
M1|hѴ5
XL5)ƱERJ
FOoEZTPajaʘ/LL~dv8Q4ר
]smPC@DmUZa"1LS*q~;XK$p4/@0'і94oJF#;XTt}K.HV\)+@Z*)ajqU]5P0+PIP"AԦ %ZXZk[T5uN`(T x]hk/CP
BjYQE!@FnMVh86KAQ.hI^5J*BK̩\S:- ݣVzADp*70ܐe(~QAlDkY 5Qƴv1&σ(u
/H0ƀyPդqP^ZjVpm&$`,`3IP'[7рD6*$!"*"AFTfBk4&m?=ᇍղP]ipQ2b
'."TR`6zïx1`J*c
h
fYޘ8k	ꚰtJlBVVsDZִa#0Ǒ(nYm0òQ
3i1^Y!TB߀E4JJ8Cخ'-o4{Ȇ3U
ֶJTFUlR#[8q}$0	T5=4~Ex14kl=D;5GFY5-/ee@L5m˥n4`9Qȷf`.DVaTIdSB&&3M-
0@U!ekPj*Azo
g-k-`aVj!zc?
ހ:P
ҶUw%){Y*RS
Pp
F^`O4'mQKnh*T]\
\b۩PhD4qYWц2;e
SEEdb2 lQÚbQUĘIĴe
6j82jtIkF
!Ҧȼm&PUyf.
*:%BG
HFͶn@"eCԱ|#b'jJjiT<*);c5up[#fpXR=XJFz9ӆcGt!,l"+R#Ŀ:t4d1XVZUS.)Wq{7h%]
m!L
B(SFiPE۪VMj49+}]~V-iٚ5Zל1Ҽ
;﫢5
~N{]A} ^(
	yoxجUӵakԪEFUE
k2iRכZ36M551eJ1
P}. ZCk^-ADϤ6ފk6
!LBU61V"4ѭ˖5
@^Q?<&@63YÔ
Ax猄1'BV	.TS6sEh~蹀Pս2ɦm*Ѫ{B4۪`mr)%´JT4	jcKyO7Mk#VitYx]
K⇠jׁn*xzZ{)T*2t[%/a[K6)Q֪U	I*Pzg?Vj]6 C'l.Ɲ†b
4Ђ4#놘VWselX 
`ټ?Xk-.*SaYs@3缪*t'ˏwblVWVV[*9!es7(La~W-0[kA[GR.O9wm>?Z߉ȴX.Z
E\>, CW&jj
C^4^Y1$EWFal.
z
^Ե;ZH*H_oH5j.9E0VV_
4qZJVCFc@G
SCQڤvFVh57}@,ПA=MZMAX;L*ӭ*cajUTJӚ^lؤM?ϔAE5	R*0tsma=g#`
,)IcfA(֓ld)l,UiRրeF#Rdai~:iyQhkQS鷜	I$tLk׬Ob.jUִ1{X[%z- d7 jkLjA;EW`H0E4HqDlHÊV"ZӞO@"V`kiU"ڀkls<ב:OAJPpi4=j
ƨMݟ#^?(
dK(-P`iiwǧykx	Z
BdPGq?>Fʀ5 %6㦲G1Bփ?-$mjۓd3z> .@e`mP
GSD{q@gmzF@E'nJ&2S{/LBMOEٶFAV7u'UF@	hl\4
`+Zh.G=MOE%8]UcJ+;
ǎ.ns]iSc6m!UdC	FpM*و!>heK1p|Š3QMߎn?8M0D	ę^R3?/tnIwi&HG?]tTj"[N@h5H>86DQ%A4V39T!)ڞ6oF4`VU+%mTaVZ	bڊ#Y(TZltu2y.4i
K{-76NT:},ȟ>m+6ECB S 캻Z?-$C2AmZ-=OO(b򟚊V)a0զ6uyO';OIZ
[Va{-̄hj
&~>⧦n[0
],(LV{'L#XۍAEUKİjh҇6Jc$)H˽jA-4WT#uT4*†h({=$dqөb`YWBтۋ8J^ 4VK![ZWbڐVh@ZQGDDH"*MD"z5rHv2ٴ9n5QU8[jz2}@R@'knov;+%5ȧz (@(H_3lo@0K[Hj]OD\	+ϡ~6$ (X*8.(BT#݃DEߓx5TH?T9p٘ҸEGҦUJ A.(efi211\!#HEeEZ4~bh}	U**
$Th
oY%iM~쥶E%HEtC+ܚjS%
zJ0ĮKXh*Ò0MӂNx (дŬF7͕i@AF AV6i03a覧i`*cU[WaeUںv?08cHhY)DUפ(X_PScUڤI 1;aOL.lx$hF@ѴR()OKPfIE5+
B&!e
0iWfOJ!!+tiPVLJ&ROJ;H^	º6^;_9	k
HulMC4&hbp4ؼ=_Wa6sEMжmR`ȶ@lX6uEs{"ݍkXx9wOٓ
_y,&͖='.C{qZfweO_mkSK@Y(+%b-Wg2z5㳿Hy[680l.902)y}248#ݔM3eϝdܯV IC$[[(+^;1zeqݴRJENg<'/Z#[Gblc_wy~dv8-Ϛz6f CZJ$a`ܢ7?b[o?TvcolݶM.kl,!&fwC?pf
8sD&6?pd??=X̧tN7g!xNv/ydX(]h~Ϝ㇟%{BqJjg8ƿʴyo+khJ?w~-?{w{gWOMwR.ڞ3ϻ?wf΀ؚed<[g{郳8w3*L
hT%'|~,c&Zkezx|≚,d01 &KR=}O'N={h6=@c`~?q9^as:[b>"<>1_l2Kf$d>ӗc(]Bw=S	Y+C,GqZ:>Gv"PWv6ݸw۫PljޙS(YLo,~a;Ř=d*@
jny0#DtʆebsW?wYƽLwF~T>}򙜽<	lX]A6|X{8Sa'.o'7L7e=pmB"/'2
2:6xxVwЪL|Ggt@ +ߛX(Yyx+۫ỷ
l@pϬW4a3CW+89[ܶ
}ȼwvV~IDŽ&8qfe?=gT)QU,{g;{Eqڮx[1f{q-ʃ{xD=:%.2ж̇XqK7		0dlb37{7Z@SJH4"<ɘ<Ŋܧ`de~P9f3|;.9jHP7Ҍs*߫q?bYn|diWECaB'/luȌ7Uw\ϼ0Pyvd䞀$5~	݁u B};,Pt;sW=Y{ҏ؞d.货ܛ	zx#3.;3.YY6TDaAlX@\AUO]Oz؋zX8eq<.Y;}b[YE@Fdcz~pãc<*c:x0+@OGl͓p3w>@oZ@(1e|byTs
A,=)u@U?;l]Jqjq,,͓82ЌVuFkyca
37-|=Ԫ>r	
퓳xpɮJ~xeY檫y5d>zVk[ftf+ݔnцO'.Dbq]Ni翵SN;#0&#쥝^Y1.nHP	5\c)3`,Fz/qakQb̴YoqvǞD4KH%@z\w#?k힪0⛐JL%@WhE-;s;Ssvl|iJL9O:A
s6l]bd%&,1s3,
BM,Wpy	jWWgKG=`8\@oWk3]uׂfBcS\J\%7+̧	زsFCC:`{J\oOޓN{m̲fc8ԛ6vmZUz둟6saλEMz3)qz!Y53,k̼,N]8V/q.|5ISo<3$_§}Kh߱kv)>Dg_W`VB!ƊP{ڷY½#d/F	CB gѽ
Cd8,~HhjG<3&O
M.~lČv^
JOϷS;lQ۲LSuJl?>o2#Cx4SvZ#e+•a.x,oo
ElضD%u9Ax^*[?vKx%*C:ku+=(
QRfYtȾBnU*
3RCæ=yd4Um\g4pT@eũ]_Mj3)MveC]Olmۿt5,m-2gHAb	,ο J[o_ܢ{7=i{v
ϪW/ic^GǰTCjֈ;aW!hlcqΙqbs[F*}ެPPNC[2314ޙ,k|h,vS+}ltw	=H5c=,:tV:nmcwq
?N9uVfi3C
W2#OpĞ[r*g,9:4Zg>8KpDW{=q;t'|.~5V+_ԅ1aGz	J|q_`mTm׍Y_aז?cNsB
+7-ݽknק5O?rS¯UMapDCݐ:
#ۭW	cvbleKgcvm7FkW	/[&jdP̻KJq'/̯_s}XY:U|KO/晆L\4;<4:-VߘS.P'	{7,mC|w#}^a`KBE3_Yn|SV֓,hKF+m,|mFYpxKBpXms8swx鷺^WoHeт+T{z\rorJ_	W8B;fk	:O3Gގ7yNA=4;KOٶO_s;Qdkw16H
fnKE^D9B}l ۱KO]`U7p0$ZeJ2"֘WK'{CZ涞oS귋l`;rk
D\ .!N!OasAAaKPb.1z1[c)8.DtTaK̽\bb>)AΝ1d[%"tlBCc8tșۈտ]R>nx/qnQ[]znz!}S™Vˁ*++,)~6v6wdꍺǽL~wVv~~i45L]VӮc1d'ZX`pqKoGa78
2;Q<.VCَe{f4ߚlNA>jflw>gvJϥϬ獂m"!:c(rsܔ7]#yN>4]2.M;f1WGi+hza(#G
MR˄|17@`MKoA@E{#drxzK_J]X2HtFBϴJq\J%$pr~RwS+6OtD!/cDeE`)\Kvൾtyˊ|6KʬAv:dw{kؤeg,[ARcm<'vSdN|}OҾ7m{yˊ܏,Ż^OP;L5/QB/e|Љkenr(2}p_B%;a!*ksG}KHKfZcL҆'_-/k%Rj<7ƉMD__#$n_k&|~K׺:):ts\K%FG]0ڈO5ց=%o#z}v]4(sg2?Gm%||:	~ġ,CvΊoKuX=x)}Aߺvl<ռoǦ|L}J/7tyNfuJSk[K/󁃘uw@3`$9cnwWteun=M#7̏Nե0}߷ރJ/M!6&ц~I~.Í;M6Ӓ>}uST/͗K/To_CZ߸u.>wEL-oܝY[y𥽰dH'2ٝyMK}r\O|eTwϽA=$	Ce\AGClY+
?9l>#l;oʯ#o̯ut08pXGR
J5P+A霡}L1ꘔGްN1; v-v'"#]K{zڒ|q8}uBhͽRYMom)s(r֖
ō6|v79q*y$yy(w;c -PiHg<ΫO#_䮆TrfoM/Sc7an-!
.+;*a
i#`FhCp=x`3f<0lkT+g_ nҹgGi(m^ǩ+3.Z|V>5M47^zm7:gV^+"R\|Ɣlءd&c=k5Q~{3/&8z&mc +rQ~+|MӆKKO	̌!uhdP~'+,Ǒ!ڜF:Ci`>p/j*v|.nsjv|W{5;r08[7OQ~7#gް}wSȶV<)2|m8}3M|_柵?Y1cc
YNydd( +axz'=|:71ć[(]^0@I^>M/ʫ7-~_bT!B9u$P-Ӗi?i.˚oKUDFrX-mLYL$}x.R^gfV_STOV[-~RoY-]e~8aw4uV\.BK>*~܄KAh=9m`نWZ^-~tzBKb푥`OmUZ~-~_
Ӗ
1S-ϖg?g-h˚Kvhq͟Ĭ/̲cH,7f1ˍYn̺ì;̺xy1Hw"1y|U}2!7ڊu]^/׿͸8
lIӰi6(Ͼ*￁72B$e)wīmwڒZ[RH;eTmz&aOj󻷸e݇܋!w(xO|_|oS:Τ160sq_/^=|eB#r
_
{Lޯv_ݼƙݫq,l_X)?>dwec<9ЫePy@
]FLEgN3տOdl΃_'0v~glVq8PX[o&57ZVzR'U,(~_t¤mfL
6ƃu,q'(&|:v\P4|f3Ytd	ńbŸӑb&10
[f>2L^(@ @@k/i$gf"vA QC!C`4 wOR41|r Eua/s(1zv7EφmkwdO5Ē'=*.,NAQ(hL,zݢu ^Y
tk'FAW:06\sS;g*D{A#/P(h4
fiaA!_X[/h'8
Ɵ
Lc(u3x-FAZ1
HuCTs`4vAQ(h<3p|*0nAֱb/pTQ(x<^w5zS3؇Z?јE0qL߃29f}P;lh?#qSsOVL(&&lug(l[zqP\S{1%5\uA_}'FPlsDdt0OOCA9ɛYL1{qnj;G(
:ɑbIXR,-Bf͵eK.;Kj}x/|#`0K`Pn.KR`'g-5 =u)_\
.FU|
	:>cFg/SN|KW>+522i>eY,ىkv[-ŖbFZΏvOЎǪ|KR|yEM1tj
6Xy=1ŘbL1g֑5}w2@+5Ø1bGfo#V;a`'ar\Dw>ṙphw	ݴ9G߄3T^S݉w
G݅1wMxSy[EجO]|M++"ē7xS)o~|xCOK`vA qޤjxSc7Ś::ž4	oy˸?)TSyxoۗfvCl,Y!*|
>OS;?񃢮Nh^{=ŞbrpChі2ɽ)'j T*/([ggsz~{Q@T *lH74\~q|QieCT0*
F?&s;=f{T@* ɚhF2hO``+;
J/o^+5hsN/5-KSgd-(&]V RTSġI
N!lul4_p̩U*@Y8V1{SZSCz U*H>R=PLS*:~ֽU@qJ350r! 8x3D9uHGV	tۤܨh0;oySN{hC`	%!1PР+ߡy;sg0vc6[L֙cEɺ8[-Ŗb?
; Їh~j3:(U)O/̖3UgLR
fj5_3YM@4|oqi'}b4`S)l~l#>th,bҡ[_)p
8NA:MG=s
.|R>mYHZkZceϲc1Řb0!	O8
Y-`;'\d2ɯd]Q1T*}iff×[V[ws
|0^(Cšq.=$]Ԩ5uhF6UCXT,*~* !"dI,@n}}["gQݴRAsg06-ߺiT`*0~@SUlqVɢT`*0~Pzx9	Z
	֍;/8UT*@~့( gffN(f+ U*H>Rʩ:ǽ6xCS`GN;
TU1+vx?^Γǵ{>XV·p'X['aq|%ɝr{?,=wtAak#ILA T*LGAh
D[&)
vP85f.o*#*
D?qr	LDAE7Bf|'*3* 
H?132Nylc&>m[[$,(
J_3nč:[pl}8y$_T`*0~m;{m[ رaCyglT+jEQC\O{#_<3AŠbP1\ȈDz@ty/?MŦJàqbчNȪ9BQuM{VυwEQD>C]{:Ι]aq8T*,u)2'?=L}S *
D?qln"zP{."53]X *
D?k:⚪cd.zLZ(QXT,y,=CͶM|Θ9Z Z͠>tYCxZ(N@-[2S˶y%:mϾ0_T`*0~YtA#	9`^lb-)ʜ
P/{Sk+B$
ހM@5jA U*HbHkt̙8/T
 U*H~Xg]ݐ9{ZSATA U'~^@;bM#k)ֳwhT/H
Rʤbرy	~T!1h~cR5p^*H>RI MҺ^ಟ3{YU@U(PECGwشϩTU`]?X8{e;>,LsBU*`>Xv/c̵`
Xև	9>L/8dvNU*`}8h𘶳3nG9XT*`
XnYi8TeT?	|'Ϋ{XcZX1q_17E[N1xY.Qxu^c]&Ɣܱ٦Hi<<҇
uwBܾӔ'zqT\*.2.1<nfkǺ9GOUN-oDž_Ǻd)X*P
T2.dXV6p>i&O^I|ŚXAyvZ{r\Ӈnn1nE۠頬(:^ U*H>R0.PI&mwG8[יYYU@a[s:h(].ɪ?Q5U#QŦ89-36"w4g2%)&ʟ.>Oŧ_;ұ/MeLٟ|bT1UFɊ#xGΛen;:;-~ۺ6ǏvvAv
fYŒ3,gjG_0"ZVDDg0Ú#:q[BBKǿ
k'Z~2l?'joZ/ۊmŶĶ#]2't-TfnV>jUX1[Be,>윣|^J>	*+a#Gf1i}'WY;rp)rp)X,
%{-U%8b`1wd6tc`oI1˱
awYK!+̙a\S`fl.68uhPB3yA|`X0,[vP'^|\߃.#5Bb!XH	ng?3C;sXߠX\,..ZS8v%:sLhc8
ǂccj !C!d]^c!E"EH:;g.&]G+O;aňc&Is_λEEƙ&XY,V+dVxDǸ\b-$r=G$%ڼa"l޿aӋqE"i#霺7:|aYNt^]88SvꔝꇞHTtdΚ=	`1"{Vja?mltֶh~kQwB[rւkZpp
^[,`r_x@Zl-eF_Y)={K\`E٢lQM+M]t`Z$"ȇ7ʎBmP[-~`Am/򽵱JFpZ迡om{ylD2'[{ۑ)-`π`bmX[sdю>8ȐN`aZl-[ḁgM%0LE=9=pd#Ƕ6ԗ35}?vWl%X?0dPj‹u+iۻZt-]FB"{@jO4	oc%nBl![-ľ\Xl>Gfg|$bsd[q8[-gH`ws3
a;ĸn\[H d K%9;8%p+zjsvRi,}rlۂmt[*3C?$V2E"nϏ]ǎ}.=wqr.".".}?ޫ\d.2_G=*#i
i68יIUd.2E
ZJu8ds<$=?9kE-(V6`ڼ
g1S˚I=JMLW*]t]l]N͇
[=e0_Rq+FbMM}CLC'/|2zuf
Z紱Hx]6])'IF]ԟ5L]ԅDY\9
ۧ(:u*9D
Y/ŋEHq&A>Z,>wEi+ByPaQ4u$~vf[cfWx^ഹ#Yol5l2U/}`_/?(짰3X|exȣi!OS_/vK;\F8PZ!>~a_/
g.lwQg+g5[_Oa'rz_au׹fwc[fAciy^cMMMMMWug|9к3|=̦̦̦̦̦櫷tИw#%7d-ŠA,)))))))))))f[V9ϹFl?h̦̦̦̦̦ƍ6Lb]ݧN	̦̦̦̦̦kͦE2G?gZ?q^̦̦̦̦̦+FB2Xlk;C[϶֟fZ9N9N9N9N9N9?K[80֎`.mr)e;e;e;e;e;e;v@H[ݡFxjo()))))F+&1:kC#͇wF{FPPPPPз4 AY5$k4{5Y.T.T.T.T.T.<3=Cu-t#DѐW*+*+*+*+*+*+^"K	vaKkV*{R%Z*?*?*?*?*?*?~#qN6;/8l2}K.0]LLLLLLTݎlie`ltx5%*g*g*g*g*g*g!΄ȂyH'Uu{fSSSSSӏIc.4TڀiO|222222U'ہ3Ɲ͝5?Uuӏo]t/3WS*gf΂**HgFwi
PMZZZZZZZ,YxKdhOk/dD-k@֡:*8$y*)))))]?3y.9idfMMMMMW>Iaj񛖼Āqit߃ٛ666666[sR"5!eJҊ6#B95SyOMh	A|nS i.g,$ўTݞ|.nOu{rޥCQA1u@W94ٞ;;;;;;d*tG3HI;_|=@OOOOO7Yc3R;q'%ڰ糞rrrrrroz
OIN1ef>#b^ʆʆʆʆʆʆ
XzSW@$q`P͆f}>Sp5]	Gd(e>-g@t
CwOsQүIQRyѻgLZlcrw!Hӟ;=;>@hO5H(:$d[‰{l2>=^Myp]Qp.FpV:O;U:OJrp\D&P&})\MW0wVd*2L?HHi-MdDhd}PI(~|YKkcYTdNT*NSl9lj:ɖOvfRkZ_U`UzOXӳR#5YƤ;vG;7`Q*<WT6k5T0|	QŨbT1]ξ]Blf
aQ^uUU&ZK=t
f'FJ
T4â
6w!S̊wE;2YXV,+~l%
_.600@'T1-pGr6j d~&8dM|ذVp+~.hNcY3:qxņ>wB\uJSZhSDd 鉖1%>*+=	7-1{/kj
&&D kxE৤`oIh䇸5;>79dE`Q(9)h#67{mɘ`Q(X̹AxKnqCX,
mg&+,?W ńW
`Q(XXAgeO}>5hq8Z-':L\A4(mpC=8ڱLӂimF鸳 "8r&E"jZD'N$ٰAY]5ś5%-w*Okߏ㷸7msŽ3,ҳl"<#U-bBA,ԥ{K*/YBl![-,v0Bޜf%}9-ˁeg![-bBl!a˝E&Sn}1@*bB>Mllݭw^K_Bl!wa?(gKfِO8oYE-j![-b,vN!`Nbapq8[-gnMl[s;91#>{_ϙ[0[`[-lva!iMZaϿ845z][-qxaBt$orFl8M&+qGa[-vίDW(lbo[-~Z#K`HXdi[p\.Gj=Qh*GxSy+"Y7Dm尕`e2ׁ򋞵wW'`E٢lQ(U
[ӻ/]8g&闲iE"mISytÝ0Ny\-nC!H;&)sbn1ldH#-]>Oo[-~^ـ
=8Ƒ(>]U-}Eo1Ҿ2p}%Oڍ\#+c@[sr?G<pq8\NzwŰ@ luqdGqpq8\N֞NF3-CkFkH)}DRc{wS&܂e\qwȬ1&˂uLH%Ga?a_aBɾ#n]BtvC2Y%Mk/w6ֱ)0G}z	9$Z3]˶cp5ޮ6,㢡-ic{
͊#.vs&JʁpYl
!yLJ%HPdCaM
qHi߮jЕ"[nBlJKL!M#yM2D#GƬKZ`Z#=v;"Sro߿,)R_->3ۖD s|G(}~?Ӹjm
?T[ˎF:>)&WË*z:Ž/JGt2ע=zTQ>6L/"kKK7oISd1iYo
g
VAʗ>j5:FfXMG/ؤZHzpO8WV,V'q)L}NQ\2#5&r&&Q|dd}Op3'5r\bWhT秹-{acPq4I6~6b=35&҄LfH'SmofC9dq,{5d'7*ñ`2M2/OF^Q2#۲Iv4oBN֮hٽKa<_&l^}Ji=vܳjXcC5;xG![P~ާ"BpA!wֹ8~^#2DD}ks8Sv%Ӟ:c7lD]0!uޗOo8#ncV7$l;<.'{$܎ftAV7Kn/^#z7w^{PGmvTTɍ;c݊{x9
CmQQފ%Q|FxG'Q3OnUnvFGƳk#v;~*5=2ʊ́}1?I[GNɗ]BM~_gޒ{ﳋ%p^aY~Ù?z罽> ǘˏkVXd{5_/yW3+@y<"jv%1e3~q;ouL=WgޙfGdGp8;B
^΃O\)]loO=d))ad|w3lxOD@ux`LE'YD.,/ꜩ#T]hQ&ևb#hwˇQ+'_/D)8BMp'gEB8X4dF'z!
˞r{Κ~g;#dwpCU6cUcKWe
;/Lfz.KP޿@4dW5',ɺGH;ڄ_䷪k%n[|\|rPpv_5zvk҆5,ӊG3TyUeOcj7*9e=B
=H+ɸ"LPnRPH2U0Ѻsb@[ʪؿ;2u--tmzM]^8݉wwo|].DnYE΀Ei~^,7DZmlqaغ;&[Z*;;Bhs~C!Qo;lS
7ATdZOԏ|ǶOI7I^Lڝ7>"3Kvf##pphw>I{GX
c(%2wx~NSwlBuɸ|W{d…;|<ܶ#x}Q..1S
3̞ރ+{OBlol{^D|ڈб$l!3]{6@:lѾ2bkO_|b1mS:mfظ%{
eC6[-}3wtPeo	*%~13"1q蹐qۿXt&-R)D2ݷߘhia>旉w 5d-hgs x<^w2vdIwDHu6?̰>{EiPnFs	lJYW_'FFm5@Q͉y6ԗqBZUe_H[;iCL!X6xs~M|v}Ww`52dJ֟VxT~egtv}9s档9x|TUMGjñUN$n!?^nUu.?49cl{rKrK֪οI݃zv;2>o1-po6$݁=7O@l}YTf}}4s=w@J|4,۔zw}'{
wnp&p8*g
b{J\̾V@=p˖*"tUBٛi[њ_Wa!z3spFn*}lRȰFB0`]LIO{_mqs$0[S,/ꙓu}һN	FMCɼi.̝vg*TAd115q7 x[Xᒽlv	O՛y[W!!#iƵ1/i}4V>B28t$'=
Ej㜿
ۗmSǹ{k`}Mmdga!?56&];KyTm}zjC\~ԇyLo!}>v8-힤EQ?N~/{lP	=rvdFLF8gPs
<>BYc=,a]z?wygsiW#V&{tn6]z
2_9Z3wiA.c̗}59ڇp;]̝YAAI^socI(3Zwl"u'?˖]M8818d-<'m+{-jNCL[C'aIo۳rܕ08ߝ8|3mK1hwۢy-sۛ?ͯB. w7L
`(YEwy7n5=YvLmoV9|ˢy;r?q5̖TN-ٶSl^1
vwkU9 Y}3qݘ#j.h1Tx?w3U+c''\̶W`!tyaXkޡßN2i%{4Z{Ofɶq<3q+?IL}ZmwGhm
v+?I`[1P2ތ+YN=GD
lNβG+h|6lߟ282sp,H;*?mA3Z٘X[gE玴A[ƝHz:(oppSzeՄ;L{oiFU)$N3{k.qvK2+ܟ!*wzȒFdzO}&*ܟ ݣ402Dw[-AϘEӮsό36OTtqX~Lgӥ{!CB3xf:>3:K
s>~vYNnѓ+:%.(⃶Ș)bi]][00e"RL)͆t/ڛϸ{`ORL)9=mè8p;
ߒpJ8_}e"$i#]-]	K={@9-㪲u	O$.M=JBaYd久Duݯд3&^:*>U{p[&³ůR*ٔlnWk
	:8σ4A9%ͿL~6Ƕ,}!6rROߡ3i!ሽ<w{{Nyu:[gx^[qx+ocyE)},]
b>|zij_?&/
G{xϲYW4𞦁p[{_LWgxuWg8>!%q=v6u4*~(~aXΦ;?avcS͚qpe4a	8-uY
 /cIXZnЄ""Ñݖ͸%JUY1hZco]6>eΰbvnz*K?j`94۴&AdƘ3ϳ's{0\Iy@iZ#wOܔ>K?TS\'ap;g yi5w6THh֯>idZDn")y(+ޏ>EK%{](:+4֘;=r;1[y=>Di=eH_UKהNllCQl+oF7RKﴇǭw`.At휙j*u\K@
XCʕX(r-͖f?f#ÒEff%rB7jHT5O;'}GuqS
YugJnM1jWq2U݀SvNg>*QEߏϚ70.ܕtڗO-O<7tҩ	cܷm^d|CWDeM[AwEgZOpIJEF/5|	]#d"dnnnL{/>tU8p6wzz˙u[Mgַxv2OD}
OXĴ
=Q;PvXF^)Id]љ1[kP}dAþc3c|A8X><EN
/0ECĀNdmKnֲ_ej	?;M'=%h=	]|RL6	=5S7<۠$9% m9l7n뺉a'i3Bi`P>fo'@Kctic^4Vk%O*=-v^t>jK@3O0(űfHֽIU='#q!\Zx.('QTgk"qΓ?}S;%_M
=`?U!۹=cbPNz"Kp+V"+}#plTߓpWȷǗCֽv) Ͳx_O(LyIAp[#}/!JnDnVؐ>{V[/ܾø'Mォ4Sl
Yz_'(Ėy4"72hWJ8{\
2MFaW\i
,gⱛB
%7^&v'mSXB#dC9 ecR_/qNGH^IS'Ia͉j(~~IIyUw8fvYs+f0-k,3{#[΂óŵtX:~O8a:`-6؎3-J%= ]L'25sV<^݈/g?ݴsev
8L,1}"T<ee\729rY,nͭ6uݺ}U=n7@}-rư-k[|*c݀Ƿ72@~@:i;fK{*lϏlK 3;@~@Eǝa9h@QyELdzc'ֽ懎fA1ZqMY>r{UÇӨ9`(4pj{?wc!׏c~kSV\?f\aw#bk\su
dqSH6^wԽ^-D9<`ƽ-лSD,
L`*7	E[m!̮;$xg6P>;BA<{#	|͸]_ظ/nb@{,{35{Ϩ6{M<ۥhJX}:#Sfxa;kQ$51=6]&QZZ3AMhVAwϛFAϑ79pW[oÎL~=~yuoWQ;Að3MRXfl]Y#-	ݶ(߳[tR3lT4Mds/^3W?COz
AG:Ym%;Mںl:s۟tΏDWu+v
ly(cKT6
{x"U>δW+Jxa8S98"{6f{Ȼfny˹p\uz[~Aˍ2|ߙ37yS㱐O׼J\?w2i)sLѐ>jc*hi_-RМ6fO㙯)оzdtfi"%^FO6SQ`;5gm~S'.ɕ侉tgf>P
V癫=UeVՙOB7E=H0xs2u˔[I%?y\
'Q>KTj`|o],MвlMLٟe/9Bxߴ&K?@S;{.È;^㎑[˟Tc
37yg{eݮ ?	%uP:[;y7#814L8J%(3sY27iD	tKLPF7M:$,HILSABrBY_}Ov9#o20(|,fKD`:Ft0htq,ɖd?d=h"7ԺNUYӧa4[L`[
+ۇ]*Y%ofKCۺhӧ)كl'C1lI#Hцd0loR;]"^-~ng9lgl%}ɸKcN5fRp^|0?}Tg/a~4ajx?esJ|nѐEgN2pߋ6~_<"{niGjX
~f{Y~jwvKM6Zp
qҝ8V{,TGd˲Y<9M)mh/.?7+{[-ؒE}K\
pp2°g*Sʻ?^o<_샿먎HϠWc!{ήX:gҳ1)O,iG$woz^13>%K#"X-U1<$-|жq1j'0dcmaP5jD`ACǡ> =_Q5lB	iZ6C9ngmTO7>!j^U6cNk0̮6!:ݪx1}k \
/@c`v쀦soX.o񟭤ʯT8dFcenxk*J5_mqGU|pnGxRe[rD'"Dt+{TBC3C栩=4Sɩl
ۘ~< JN}?̊Oŧ|yqa|bۺSGOW0N.2gcgC
ү3e#n5;@QY(?qO˃%82ζ9oko!eHRʐvm[NYpY|^@e$IARއf\W&c84)MJ?M'CK?,	-'8߯bR)EʟluΆoxW:<B6*Wʕr\gaqY`$+D;?m͕-KR.Ciau~Z7_"_"ql}PN|QSi?j"(26+	d-%rm6rdxIOVP+ܾ<9z6i
kg놎
jO`;23o-~n.YYx>`o8H#:sF-?UVFYVn]d80_3
j6蟮TAVPnl2D
3}wW4}Jkz=ffN\`L-3I}fک"[Ⱦ@da9g֝M=$-Wn+ȭfvڭA=Tx+
Npw	܁
qT+J12 qwowLV[++"jlgsɶ60@L˸rY\K0 l>Fg
dQÒ6!gwl;n81ŐJh%p)}l=ZF{[BߊiŴb4!lqtgfVV+!(PTC"4N砗*
vlﰖGYwбyB[оLh<4vqDn<<5{;Jn%Rɍ;|7hCi{_v#?s3;gu_ަpW+~gPw}z@΁1Z}˕Jx%%%0A8n-U+>7=u5Ցtx>+g}2CVc94W7![VT+uǭ$5P
3~;ܸT+u69c]H'V}=UYW?v91rWWS{Tc
{q
dOl{w_aW?r#GAۏiv9
0o:!_ȳL;C){ȷ|E"	"&}	r_
SmoɃ~]WцתW+*ǎfڻʷ+cߍ9kޗaW+('5O?b@w3_BL~eSe_o)1P49G}BJ_P |p,TcuRS*׻fB_Y?9֗bgNhwW	ogt.J
5҅3ءo_{.o6>/?Cw+O{at:
zcxqH{G_TGQس-m4 e!u~
,b016=A&FwCu0&AR_?p=ڡl4҈I+y>T+u,wJ9lpE
֊xc_T~pth*S_TFAgsP|{*
'
6˸/A<Sc>'=]Y@YP|>:=gnwzP ]}@5dc	ӌ;w_bP*
_AΡں*lkX<ع|_ѯ>|w?[L8Y11m52iRzR_O'λfeAY, 03֖qmWgʇx|@(
OB5Vh$W
QP  CX1d3N|-|
5{3po0`Р>B($x 5]Y[HsF> %EIuن}c!F/.sKt{lj6<6-^feFчhHz6l
t澺}22(8DŔ7Gestwô1jz")B!v)̬m9ͶfG{,H_]ֳd}t}Ⱦz~oBjK/hm2fzP#?C@!P|Jچf@A,GOJޗ4~Cp8?i pne[Y#.x
>pvIp9"8kJ_~<oNJ _VfP/[FteJ;?%/AjvP`	SXCL7T&_R|AM^&4rnk4DhtApn{9s''7w5OyBIp/a{̳11A+s0``X;l1hEGV;!	5c<3:J0ӆqn*h͠nCP ٤4MRC&mH6ù>0øϾB& 0%6{iB
夆(gRsW2815džeXi(R)){,Gic&bu>}M+'&?5)T~mqunqvD*k}R,!d<2Ӡ#%~6,d)YJoԠ!v[2~xSR)eU0ɜvM'YUZM|x)^^:rgh=[SA;PR/=pix|xyu^jr_rPvKԧ[WVKvc Y;?)~n쬰3+x[KNݠDQAc!rq`nq)JҨ4Gge3N%x6yfaT$IEҿA;,@G:O aS|0wZj1'k?Yb,<ѭ-wۛP)hO?(XWc.g|sXڔ6Mi_Ҏlfltܢi3")r~dAq%17oh{-V;N>%dV*Ctw	L]}߅OS>?`xHtv;i=s3J*~@3I)0&!6Ujl{W[E1aj;֖|
ʢZ z.wN8Mmuٝ@OfMjzVӳbbt$֘*NqƓKĸDwU9EN$umcpx԰:og)wʝr
u0'3gϳfϚ<|CNS;?LW1"%{s!DAOwZS>g!M-}jBv<\*bXZ̴C
N,`9K~b*j4sq2#
9scGo^Bo7OeQYTEE&:!`&Y3ӢS HR֎eqјÉJ,JRT>#OSG~)gqwJT4MESo.hl9}zV7!7^~vm*bG34Қ!-B]^L-),*ʢ"JyO5[sMs{v’>cNVEڱ<<qŸK阎°ϱQT Hҿ3	a͏K8kOkJҧRfl/20\Kv
mq3tۇעsn#eUp\?DG@bj[3O*JzDyE瀬SUz^_\:87cgMS1,LS~풬$+J,z;~z2rxzgYqV4gB :3{k8Tmny)Z9V}a+ˊf]"l"P5L3o
c趍2ɦowWP9Vcث:'ֆs^h3z(K9甒j^Yf5|Y6i#jq?/=`
Z#@0}0+jd|rW'޿]<[Vl6nbYj(%(bȂﰍ`+
+s>źșQ3u[WqIJI ]I\9WΕsuF
;;‡4j;˹r+>s{hlgi A9BΝwjdWx%ilvb+Ols_Z}AVhubvGܡ
_M̷!Z+JD{iрM.ڋm3\|va-_me[궑X|Ч#fgNN&ԟ+
\ϢA}bLճ9ywJR+>rm-
g& 6S+ꊺL

#^7}˓wtA4޿z}HUqU\Wj,qy0,e'WXfYeV
fF4ȺLĞfQUp\%hh>XM+pҫ*JUƁku2!P9˯*^Я=^crhS$_a>?A,>Do!_!Cz<}Dϙ㯶7;0Mƹx v=x
xG~7KאLeedG㑄76)J%׾nd GedI!^^:ܮ7y}x.s*u_魫gA_kJZSҚ+J"نAw!GNW@+ktx<<^YXeg2%>CЦ6ܶE>U7e`Xˬ}Za{vH[ovdayX1Gw\`94?vi<,O!u.cAn;'}|X<,?68cZ,Q(H|ŻbMxSelgs˙;,#29jV8H$=24ލqdYF_ȅ8&z0~rtfmoNր,,/=vӗgK4==|PҲ,-K˯e"'N1g5sy#fYl~q6ur	=d >b,6b^c3wdFU4ճ:;w6whZ>(a94(%wSePQlPhZrMv7&=t\|7yhQZE/)e=ї`&Dz8:ϕ5-
Kհa9"h^H' ,~n
,k;Gc>(BP(Rq53Tm,Kƒd*2qOK|F4}׸^~\,:)Iԡ-&i^ܺ"'bX._Ņޥmh=Zΰht
±p,[ʥhٚ3,`l<~S\WUq?Jd=Ïnpw'
O*ʬ2Dp.!c`,,]y5KR*^F-ֶrf:V	42nx85~=ΓݎOrh%ZVOaS[lAMrN~hVkm̳L;E	q7˶l+^׶cyf跓=u8cP&loo7g{7oֽߍQaEXo6Ά" jO1xvʱr+^ձ|{cnFN/A
OV9Vcїlmjlue=ݙn4}A7waVfkcv!m@ڑhɂ)g'DL+jҜ`}>Ģ{g1gʴ2L+>i{lѷϠ5wlױgEǮ~d|]ukl+ʶmPqdbL.XSG7?݇Up\[
?җo×$~]EKR.%>u!>vAI)ꊺE~50ߩ6_tV~G5-ʻ~8݈8G666Wʻ+>w<dCcx~Ta?v+
Bއ8GIθdE%_W|C>eDxvƜwܞý]JWAX'{{aYvlKbsދ-u4,
* q;;][Ƴb$"H,{_f)k?$$\ӡ.CX$E c"rS>wfedYF~#n9F>L9l|l3q7&RKX$֥ϩa0b#mird?5EbX$_D[,K"Wqeg7WX.qq3ݫ
=D,T\'|xcg%d	YB~)!۴1#C(u8=.,!Kȯ%uLa{Nvb7B~I,%KR)zmӏ~C-MI()KʒRzvi<2P}^YߤҲ,-K/8*O&n%>a%>LߌKC
2}nS5@HWn"07p)=DsmM7O{<sxnn-'Gye{=ݼ_}oA|
62Wo>|\5UjT3ӿLv`2PBf
8_p~g_.2r	igY~5a%?bYeiϵ7?W?(5g9{<ȔV 
f>*8΂,8w3ZL'oKҳ,=Kϟ9JE4Ǟ$XnA -EhZ>i,fV!@ǡ&pHZh9Z1x0,3Mt_}9OzXxayXCEb],hNk`ZK-ayXC6^t2a*X\*8I+ʻyI4ᙱSkz.ge>k^Wz=:$7Ѿ#OOzW|%O7,=?{Nxx8e`XlR&HN%}0_Um
Dy.mD-0G_&jW&ͰAh[H,ZsH6fv!62“=Ƕ[&5Sr͔km*Uyc'&^~~Al9XsY7GX=b"99in,,²YV:2Z-0H,ku;{+?NUS?H8eXWQ^ES%^-V%h,ƺi%	TIJw9-࿽_k͢_ŚE,<
8h
+zNa$;bEbX$~>mw!1$0%k&5~)ky&u~񕄌&Vj:2'cYB%dfB6uںa#=D#6JX3Y?XErߝifa@qOB-Ƣh|4nti̕Ł;YTLfcX>Gl|dZz4ǷLB,$?Bg̶djoN|!ҿaiIYR%瓲L38u7쨭E9?5xڕkɁҺe(+Aʓ׳'oE+ߵ`/'owX]?
BCDe=Vb0y8&Ÿ$S}ost'L
zk6jRCKyȊrS>/Ls$z7z8{3jmC{LxINfd,Vʗˆ//3	9Jw4%sAo+yhn;gBs{УmX;om;ɷ2|}q`lHsٱ2jE'9Yr@rҷu1ք_HzrR
~Gcl4ڋr7JL pGrz;cj{~t>f<;`}*Nv4CV9ǑgQ5ܯ&af(<hۛb~{쯒xڶ{#3(oɽo'E,&pDs3R~BD`m}G]?aq_w6,G)@FlѪS	+H>CMySn:9ё՗=lΠ3Yw10%2:eVPMDZKȃF]홱o;&݇Gg=>ר/"軑M14;k?kH'@1ZK;rWo~on.u5fiB=6V|ƗF"M\޼{}T}}Ι7ѽ8=;2 ~mЀ&3Q<*3șSpoƮ{W~^Ev 1W3h(v{յk׽qz5s6ՈݬzI9^Jˣ6pPk=SuGli5a JkkWw'$ywnx_PRT>=L6g-ztoTyz۞|^{βic: ]o#V%Ka;b~WXGf:uН?P!h:sX%vӨR`Zxw)\qRYU*_T6eVuhMDvNT2IGbɆ9C|ʽuvMlY9n,g9**Dۊѵ}LGrj$Lj{TTr836Fr|j}5X?*ʧ?.G7OZۚ xoOP/jHȐQyK鮧,]=GNoӪfxf;ѩ{Z=W5U55Jɲ)fQ5y*ά*VMJJ~"A:G+fyǩva󭢪T(5}z3ˡnҪ;g#}K1=%R4nD3b+oD/,P:m?uۺQ@J䫔HktAuY%D5qDh@)buDegųDxzɗ12\m9SϽ!,w?{+R>J@t١Pz!qNlH9)?
J3c'nTx6,IAbC}k?X}i0yFSeUʢH!xEN=V~'*RiEȸqA!
.}תjq#]{v}1Aagg¹NН|WS)`igǿ4`pNhÕ\eS1zx<Τ*S 0 <= x[i] < b

  let lemma in_base_concat (b:int) (x:map int uchar) (n m l:int)
    requires { in_base b x n m }
    requires { in_base b x m l }
    ensures  { in_base b x n l }
  = ()

  let rec ghost function
      svalue_le_sub (b:int) (x:map int uchar) (n:int) (m:int) : int
    variant  { m - n }
  =
    if n < m
    then uchar'int x[n] + b * svalue_le_sub b x (n+1) m
    else 0

  predicate string_in_base (b:int) (p:ptr uchar) =
    in_base b (pelts p) (min p) (max p)

  let rec lemma svalue_le_sub_tail (b:int) (x:map int uchar) (n m:int)
    requires { n <= m }
    requires { in_base b x n (m+1) }
    requires { 2 <= b <= 256 }
    variant  { m - n }
    ensures  {
      svalue_le_sub b x n (m+1) =
        svalue_le_sub b x n m + (Map.get x m) * power b (m-n) }
  = [@vc:sp] if n < m then svalue_le_sub_tail b x (n+1) m else ()

  let rec lemma svalue_le_sub_concat (b:int) (x:map int uchar) (n m l:int)
    requires { n <= m <= l}
    requires { in_base b x n l }
    requires { 2 <= b <= 256 }
    variant  { m - n }
    ensures  {
      svalue_le_sub b x n l =
        svalue_le_sub b x n m + svalue_le_sub b x m l * power b (m-n) }
  =
  if n < m then
     begin
     assert {n Map.get t i = num_to_lowercase_text (Map.get d i)

  constant numupstring : string = "0123456789ABCDEFGHIJKLMNOPQRSTUVWXYZ"

  function num_to_uppercase_text (d:uchar) : char
  = if 0 <= d < 36
    then get numupstring d
    else chr (-1)

  predicate to_uppercase_text (d:map int uchar) (t:map int char) (m n:int)
  = forall i. n <= i < m -> Map.get t i = num_to_uppercase_text (Map.get d i)

  constant numuplowstring : string
           = "0123456789ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz"

  function num_to_bothcase_text (d:uchar): char
  = if 0 <= d < 62
    then get numuplowstring d
    else chr (-1)

  predicate to_bothcase_text (d:map int uchar) (t:map int char) (m n:int)
  = forall i. n <= i < m -> Map.get t i = num_to_bothcase_text (Map.get d i)

  lemma lowconcat: numlowstring = concat digitstring lowstring
  lemma upconcat: numupstring = concat digitstring upstring
  lemma digitsublow: digitstring = substring numlowstring 0 10
  lemma digitsubup: digitstring = substring numupstring 0 10
  lemma lowsub: lowstring = substring numlowstring 10 26
  lemma upsub: upstring = substring numupstring 10 26
  lemma lowupconcat: numuplowstring = concat numupstring lowstring
  lemma digitsublowup: digitstring = substring numuplowstring 0 10
  lemma upsublowup: upstring = substring numuplowstring 10 26
  lemma lowsublowup: lowstring = substring numuplowstring 36 26

  function text_to_num_onecase (c:char) : int
  = if (get "0" 0) <= c <= (get "9" 0)
    then c - (get "0" 0)
    else if (get "a" 0) <= c <= (get "z" 0)
    then c - (get "a" 0) + 10
    else if (get "A" 0) <= c <= (get "Z" 0)
    then c - (get "A" 0) + 10
    else -1

  function text_to_num_bothcase (c:char) : int
  = if (get "0" 0) <= c <= (get "9" 0)
    then c - (get "0" 0)
    else if (get "a" 0) <= c <= (get "z" 0)
    then c - (get "a" 0) + 36
    else if (get "A" 0) <= c <= (get "Z" 0)
    then c - (get "A" 0) + 10
    else -1

  function text_to_num (base:int) (c:char) : int
  = if - 36 <= base <= 36
    then text_to_num_onecase c
    else text_to_num_bothcase c

  function num_to_text (base:int) (d:uchar) : char
  = if 0 <= base <= 36
    then num_to_lowercase_text d
    else if 36 < base <= 62
    then num_to_bothcase_text d
    else if -36 <= base
    then num_to_uppercase_text d
    else chr (-1)

  predicate to_num (base:int) (t: map int char) (d: map int uchar) (n m:int)
    = forall i. n <= i < m -> Map.get d i = text_to_num base (Map.get t i)

  let lemma digits ()
    ensures { code (get "9" 0) = code (get "0" 0) + 9 }
  =
    assert { "9" = substring digitstring 9 1 };
    assert { get "9" 0 = get digitstring 9 }

  let lemma lower ()
    ensures { code (get "z" 0) = code (get "a" 0) + 25 }
  =
    assert { "z" = substring lowstring 25 1 };
    assert { get "z" 0 = get lowstring 25 }

  let lemma upper ()
    ensures { code (get "Z" 0) = code (get "A" 0) + 25 }
  =
    assert { "Z" = substring upstring 25 1 };
    assert { get "Z" 0 = get upstring (25+0) = get upstring 25 }


  lemma diglow: code (get "9" 0) < code (get "a" 0)
  lemma digup: code (get "9" 0) < code (get "A" 0)
  lemma lowup: code (get "Z" 0) < code (get "a" 0)

  let lemma tnt_low (d:uchar)
    requires { 0 <= d < 36 }
    ensures { text_to_num_onecase (num_to_lowercase_text d) = d }
  =
    let t = num_to_lowercase_text d in
    if 0 <= d < 10
    then assert { t = get digitstring d }
    else begin
      assert { get lowstring (d - 10) = t
               by get lowstring (d-10)
                  = get (substring numlowstring 10 26) (d - 10)
                  = get numlowstring d };
      assert { text_to_num_onecase t = d
               by code t = code (get lowstring (d-10))
                    = code (get "a" 0) + (d-10)
                    <= code (get "z" 0)
               so code t > code (get "9" 0)
               so text_to_num_onecase t = code t - code (get "a" 0) + 10 = d }
    end

  let lemma tnt_up (d:uchar)
    requires { 0 <= d < 36 }
    ensures { text_to_num_onecase (num_to_uppercase_text d) = d }
  =
    let t = num_to_uppercase_text d in
    if 0 <= d < 10
    then assert { t = get digitstring d }
    else begin
      assert { get upstring (d - 10) = t
               by get upstring (d-10)
                  = get (substring numupstring 10 26) (d - 10)
                  = get numupstring d };
      assert { text_to_num_onecase t = d
               by code t = code (get upstring (d-10))
                    = code (get "A" 0) + (d-10)
                    <= code (get "Z" 0)
               so code t > code (get "9" 0)
               so code t < code (get "a" 0)
               so text_to_num_onecase t = code t - code (get "A" 0) + 10 = d }
    end

  let lemma tnt_both (d:uchar)
    requires { 0 <= d < 62 }
    ensures { text_to_num_bothcase (num_to_bothcase_text d) = d }
  =
    let t = num_to_bothcase_text d in
    if 0 <= d < 10
    then assert { t = get digitstring d }
    else begin
      if 10 <= d < 36
      then begin
        assert { get upstring (d-10) = t
                 by get upstring (d-10)
                  = get (substring numuplowstring 10 26) (d - 10)
                  = get numuplowstring d };
        assert { text_to_num_bothcase t = d
                 by code t = code (get upstring (d-10))
                     = code (get "A" 0) + (d-10)
                     <= code (get "Z" 0)
                 so code t > code (get "9" 0)
                 so code t < code (get "a" 0)
                 so text_to_num_bothcase t
                    = code t - code (get "A" 0) + 10 = d }
      end
      else begin
        assert { get lowstring (d - 36) = t
                 by get lowstring (d-36)
                    = get (substring numuplowstring 36 26) (d - 36)
                    = get numuplowstring d };
        assert { text_to_num_bothcase t = d
                 by code t = code (get lowstring (d-36))
                      = code (get "a" 0) + (d-36)
                      <= code (get "z" 0)
                 so code t > code (get "9" 0)
                 so text_to_num_bothcase t
                    = code t - code (get "a" 0) + 10 = d }
      end
    end

  use int.Abs

  let lemma tnt (base:int) (d:uchar)
    requires { -36 <= base <= 62 }
    requires { 0 <= d < abs base }
    ensures  { text_to_num base (num_to_text base d) = d }
  = if 0 <= base <= 36 then tnt_low d
    else if 36 < base <= 62
    then begin
      tnt_both d
    end else tnt_up d

end
module String_value

  use mach.c.C
  use mach.c.String
  use string.Char
  use map.Map
  use int.Int
  use String_lemmas
  use Conversions
  use mach.c.UChar

  let rec ghost function
                abs_value_sub_text (b:int) (s:map int char) (n m: int) : int
    variant { m - n }
  = if n < m
    then text_to_num b s[m-1] + b * abs_value_sub_text b s n (m-1)
    else 0

  let rec lemma text_conversion (b:int) (t: map int char)
                                (d: map int uchar) (n m:int)
    requires { to_num b t d n m }
    variant  { m - n }
    ensures  { abs_value_sub_text b t n m = svalue_sub b d n m }
  =
    if n < m then text_conversion b t d n (m-1)

  function abs_value_text (b:int) (s:map int char) (ofs:int) : int
    = abs_value_sub_text b s ofs (ofs + strlen s ofs)

  function value_text (b:int) (s:map int char) (ofs:int) : int
    = if Char.(=) s[ofs] minus_char
      then - abs_value_text b s (ofs + 1)
      else abs_value_text b s ofs

  predicate text_in_base (b:int) (t: map int char) (n m:int)
    = forall i. n <= i < m -> 0 <= text_to_num b t[i] < b

  predicate string_in_base (b:int) (s:map int char) (ofs: int)
    = (text_in_base b s ofs (ofs + strlen s ofs) /\ strlen s ofs > 0)
      \/ (s[ofs] = minus_char
         /\ text_in_base b s (ofs + 1) (ofs + strlen s ofs)
         /\ strlen s ofs > 1)

  let rec lemma abs_value_sub_text_frame (b:int) (x y: map int char) (n m: int)
    requires { forall i. n <= i < m -> x[i] = y[i] }
    ensures  { abs_value_sub_text b x n m = abs_value_sub_text b y n m }
    variant  { m - n }
  = if n < m then abs_value_sub_text_frame b x y n (m-1) else ()

end
why3-1.6.0/examples/multiprecision/stringlemmas/000077500000000000000000000000001440160026300217755ustar00rootroot00000000000000why3-1.6.0/examples/multiprecision/stringlemmas/why3session.xml000066400000000000000000001042501440160026300250170ustar00rootroot00000000000000












 
 
 
 
 
 
 
 
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
 
 
 
 
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
 
 
 
 
 
 
 
  
  
  
  
  
  
  
  
  
 
 
 
 
  
  
  
  
  
  
  
  
  
  
  
  
 
 
 
 
  
  
  
  
  
  
  
  
  
  
  
  
 
 
 
 
 
 
 
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
 
 
 
 
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
 
 
 
 
 
 
 
  
  
  
  
  
  
  
  
  
 
 
 
 
  
  
  
  
  
  
  
  
  
 
 
 
 
  
  
  
  
  
  
  
  
  
 
 
 
 
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
 
 
 
 
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
 
 


 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
  
  
  
  
  
   
   
    
    
    
    
    
    
    
    
    
    
    
    
    
    
    
    
    
   
   
  
  
  
  
  
 
 
 
 
  
  
  
  
  
   
   
    
    
    
    
    
    
    
    
    
    
    
    
    
    
    
    
   
   
  
  
  
  
  
 
 
 
 
  
  
   
   
   
  
  
  
  
   
   
    
    
     
     
     
     
     
     
     
     
     
     
     
     
     
     
     
     
     
    
    
   
   
   
   
   
  
  
  
  
  
 
 
 
 
 
 
 
 
 
 
 
 
 
  
  
   
   
   
   
   
   
  
  
  
  
   
   
   
   
   
    
    
    
    
    
    
    
    
    
    
    
    
    
    
    
   
   
   
   
   
  
  
  
  
  
  
  
  
 
 
 
 
  
  
  
  
  
   
   
   
   
   
    
    
    
    
    
    
    
    
    
    
    
    
    
    
    
    
    
   
   
   
   
   
  
  
  
  
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
  
  
  
  
   
   
   
   
   
   
  
  
 
 
 
 
  
  
  
  
  
   
   
   
   
   
    
    
    
    
    
    
    
    
    
    
    
    
    
    
    
   
   
   
   
   
  
  
  
  
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
  
  
  
  
   
   
   
   
   
    
    
    
    
    
    
    
    
    
    
    
    
    
    
    
   
   
   
   
   
  
  
  
  
  
  
  
   
   
   
   
   
   
  
  
 
 
 
 
  
  
  
  
  
   
   
   
   
   
   
  
  
  
  
  
  
  
  
 
 


 
 
 
 
 
  
  
  
  
  
  
  
  
  
 
 
 
 
  
  
  
  
  
  
  
  
  
 
 



why3-1.6.0/examples/multiprecision/stringlemmas/why3shapes.gz000066400000000000000000000237511440160026300244450ustar00rootroot00000000000000}YI~E^z~@e~J{dD0<ԍJ2܎<<ǫ	_o??+s>{ٲ-ߊ\[u}Cn÷pӔ6sJ-Ws~o|[j-,~[ci7׭ݺ{	ۏ/ˏKG|9|WP_i	B7aIy.!pw;]ԘDSLB|1p^O󻿆oU.[Fw{[BϏXCǎugyc__?zm~~B>Y覽Aok91).>

{"}Ez3a?|sh}R G+N:bo,?F>@*wK#}T 7Q<-Pſ|%6{(~*{L86Ƴu7wJ`R[!BoYhQe)h@j+:rE[JnĮ'j$VvZ|ޯ۷[6#c/Y+U\լh&|yNPݗN:>~/"՜7r!-<6y}Fp¡¦RiD9<
tȧ"l?a2 Dҥuq^؃ڭ[IZ.A3G
bgϻv#~s_շyuKyS7*9^SWF>f8s
l^͒SwO?
^קB
~ĦcP5Q(E#9N/^>{%XF>khvC|oǤVsiqf{2f#r\tqs{I%!7X7K2oe>ͶaT%Ne˴SwBIۇ%mh%6{[ɛ%|@lb$g~bio{62۞4Bmߝo GbڱvIY,z発X{O(@M-7Gjk	YV~tYd`8)kEpɵX652rX+_#Rr$}Gh+;_(}?]zǝ^K$a`#LI+2iaDC[3+`rh@ʎ
+Юn8,9ɪgHNGV4E/otXRqwPb2'h/ui(
U]W̲zumaiU*O~ZxzjYYGQQp1(58עQirzI[>§-tg3~5~~VpQ?oA}o	uuе=arIMÏjTƀi8vDVRo
Ws&o(fO_N%.$f'fQnӮu^G8lڵWrL|x䀗O0aeVX=I0	">Dfbe8zlsg
䝴d'͵֨?:CE,?,E;Tۍ:6D΍|`It'и!.ogYѫ]׫]׫.x0=>3!N8XGlGh	Dvxԏ;`>9M?pi}}0qcu^ç)鳓]Gz{WHrT#z\&.Δ1^EkMqW&6+M~LzM$JS{G;||RiSw)tVr[|*_(J,ZDS]kNL\`4t}|_niQ~OE\ϏQACg?bߠҺW?5~D:INO)pPwۡhӴνyDG׎=4*@5~'e/Sݮa_?/~%XZf#wꇆwß)#V"M">(y=T5Xmux)d;va)>ggeŅoGǣ]p	f#FP=Z}>R!*L
уӒw#]!$v+3hOLI=?~xH<立zF&Xz/v0/|l-F<g9ΎE]&{uyᱱfI>'=CE'UzZ>>bGK
8ЅO	oiCaqOΖΖ0AYeϱ>I#X'蝴c/,]Ȳ=3~ĜWwK'׶%v04;:?,N	>cvN^=-iR+RjWYJ}ZH[s΋wkeWJu|mj?'?^i@o@z+:\ׯd+K𤁞v_cA^ZP؃W8`Sq¦|-qF:hAY6ϰ>I. wj[8w9W}_ӓGvrӐlm%%QF'#^s^8]fs0oӻoO3w&'5,zLP2R[PL[c
'KC9{٘ո"}ω+r%XqE[]r:/n'p἟˓~<Y=|c8;|`C;3vK{Ɏ	 i~NEgEN׆c8,CgW'砾ʃ~*Hk޼'Iy7oszܑ;}zlsb~TzbazɼXLc:~fexN,ŴZg;)B%Ai0bXB_LZ}C{Jz%F=,۞qf1E9jDvvʞОz速}9-qsNOT_^Knj粔;ف@.:N2O/ӻo/(G#vTW^Gqv?y&|V:">y[q9Ҏk ?f.1fx3t=ɯk_O/_iuLvI;
CCHCi?І?.ؑf$={{'z'X'zo.G~v"0
OygcH$mk`%YNbasLVüd\T:QPWFވwUcc!Zud\9RtpWB~XRΙ(SB,k(\+.n8߸{c(a5+ΕGs*'CCXu(˘LZ$1%X2$-Yzt	6ޝ$dɕuZ#W,(mE	*AۨRɒb1eWLpAǒX4K^LlF[3UquFA8ʘ
UayV*_L

JoLE}2;؄iK%H*xs.yrY)[M+&,C$4VŨH+
ldRW/]\UUk,F`y83\iak]L[o@pQRBUV?p1jhiUYɸâpXh;&^'"a8:75KSQ-6MyF4:Ř4'xdM{M(Za7h]J(xmPp"XjnZh|Kd
)zMa1[8`:XV}P?0D:b)B|ny&(s++D)W!/)gA$LB㆙(푷/ I_ycčKq)E:)L-0-`̧++n,1jeR,j9`dȧC9
pU F)!0 *ƞG"QD/냷hH۶rgH!9n<0!
ŐLP_ek52?Ḡ1s˭-bhNR#J+oL3&gPV1xGZGo:(F8,hjdUV	sh8ǚK(2Ÿ)G,B,#h-Z{!Q}q 蜫UVbuȥL6JQTt[_c11a2"i{=G+nq$< p^*''=R5;,g7"1e
^6!#>M	'JXЎ(ѽD6S2nyo_WRϦ06+bEȐ)Jy<rBzLCE\JgmV?C
X!iT6rAG.({#e'xAy&z((DÖԁn.dPKM Z<!S7&6Ka}9,LpECe%ˋ1Hj@;5"b+La0_%@`p:&L~΢U"1h@~;f(]Ua_DHnE7xQ"	z
؂R
;C!9'(QXGxõ6*'ȩ6I&5n"+Tn z".ա0!\Jdd,D
,$Zj~1*IQ#Yu.)^hw
j
U={
ͺńȟ5Sն|X?[
{TH	uE]Dg,j.๚]"_#3
ȮZahQs(0dks6-eo*D^NYcp;K4U9R|q]IXr0d/CWd	 DE;qH(Jkhj\u/+ ٞ)SC[I
SQ@S\3*26higF䀶ddL:$w Tumڠ e֖i{Td>mƤGi
-h5~H#-'B٨ GȈ``aUWڄBcyqBѷK%+]e:\jcijh71AF)YWt. eԳ}HGHM!r	q*`ޗ\MJ+WA0tC1&۶AݳdYyXUa
c 1e"l
Y:03Jj$O3&JѷؖwtZc,XbY
(jqn<_A"=''\
(3}t0y?`~O2Y^/؎N@p7`0&/ĽeW+mtFFj*;]	5AȰEMg/y| G|*X\`(ī3VVd-JcX:c:P+QMGPME)X:ꌃɁyJ]36w׷iQrUE8dNav~2y,BIe(cE)Ke3яzexesۇ pZ~4<UXJHg~RӕpZ*57z13pk{Z*؄ő+uݼN_#&-Y![l!xݯR06)%@FHxӑJbM{\TT?hmཐ_7d(H#WN)X3_P[&xQBIq͊N
y~_9stvd|P sRKThikK	:_ȉʂ:ܽ	rzs4m`$jx5lYn@20s:Y(@du#cEJBW!}aYrx.	 dcxA0f#[`˩i$Pu,!Ъ7_`kh`cgQT`5&:fBT͢aȗU٠B7]F86CJ'| 0	UO"0I`,UN5d+ v
nUIDJ@d6P
hOi'}QE?26s5c\
GD`&dbjWClNXjiP/HUJ6ɧzZmUv{4rT〨JEy=WF#\N}Oprie<"6P#T12JGBZ\{QTrT\8	c-P5(qtNK7Ҍi^$BٸdS2e7b!8qR
x~
Յ~M)8KZ8IUtfO@礳|7]µe*IXVhPĠrr'ʎN8l>|t@J*W.?QVҗ(I2=+
C,TJ{n'*=oH~^ в_q([{ E.c50.;<{DB=P*why3-1.6.0/examples/multiprecision/sub.mlw000066400000000000000000000617001440160026300206060ustar00rootroot00000000000000module Sub

  use mach.c.C
  use lemmas.Lemmas
  use int.Int
  use mach.int.Int32
  use import mach.int.UInt64GMP as Limb
  use types.Types
  use array.Array
  use map.Map
  use ptralias.Alias
  use int.Power
  use map.MapEq

  (** `wmpn_sub_n r x y sz` subtracts `(y, sz)` from `(x, sz)` and
      writes the result to `(r, sz)`. Returns borrow, either 0 or
      1. Corresponds to `mpn_sub_n`. *)
  let wmpn_sub_n (r x y:ptr limb) (sz:int32) : limb
    requires { 0 <= sz }
    requires { valid r sz /\ valid x sz /\ valid y sz }
    requires { offset r = offset x \/ offset r + sz <= offset x
               \/ offset x + sz <= offset r }
    requires { offset r = offset y \/ offset r + sz <= offset y
               \/ offset y + sz <= offset r }
    requires { r.data = x.data = y.data }
    requires { writable r }
    alias    { r.data with x.data, r.data with y.data }
    ensures  { value r sz - power radix sz * result
               = old (value x sz - value y sz) }
    ensures  { 0 <= result <= 1 }
    ensures  { forall j. (j < offset r \/ offset r + sz <= j)
                         -> (pelts r)[j] = old (pelts r)[j] }
    ensures  { offset r = offset x \/ map_eq_sub (pelts x) (old pelts x)
                                                 (offset x) (offset x + sz) }
    ensures  { offset r = offset y \/ map_eq_sub (pelts y) (old pelts y)
                                                 (offset y) (offset y + sz) }
    writes { r.data.elts }
  =
    let ref lx = 0 in
    let ref ly = 0 in
    let ref b = 0 in
    let ref i = 0 in
    let ghost ox = pure { x } in
    let ghost oy = pure { y } in
    while i < sz do
      variant { sz - i }
      invariant { 0 <= i <= sz }
      invariant { value r i - power radix i * b = value ox i - value oy i }
      invariant { forall j. (j < offset r \/ offset r + i <= j)
                            -> (pelts r)[j] = old (pelts r)[j] }
      invariant { pelts x = pelts r = pelts y }
      invariant { offset r = offset x \/ map_eq_sub (pelts x) (old pelts x)
                                                   (offset x) (offset x + sz) }
      invariant { offset r = offset y \/ map_eq_sub (pelts y) (old pelts y)
                                                    (offset y) (offset y + sz) }
      invariant { 0 <= b <= 1 }
      label StartLoop in
      lx <- get_ofs x i;
      ly <- get_ofs y i;
      let ghost olx = get_ofs ox i in
      let ghost oly = get_ofs oy i in
      assert { lx = olx /\ ly = oly };
      let res, borrow = sub_with_borrow lx ly b in
      value_sub_update_no_change (pelts r) (offset r + int32'int i)
                                 (offset r) (offset r + int32'int i) res;
      set_ofs r i res;
      assert { value r i = value r i at StartLoop };
      assert { value r i - power radix i * b = value ox i - value oy i };
      b <- borrow;
      value_tail r i;
      value_tail ox i;
      value_tail oy i;
      assert { value r (i+1) - power radix (i+1) * b
               = value ox (i+1) - value oy (i+1) };
      i <- i+1;
    done;
    b

  (** `wmpn_sub r x sx y sy` subtracts `(y,sy)` from `(x, sx)` and writes the
      result in `(r, sx)`. `sx` must be greater than or equal to
      `sy`. Returns borrow, either 0 or 1. Corresponds to `mpn_sub`. *)
  let wmpn_sub (r x:ptr limb) (sx:int32) (y:ptr limb) (sy:int32) : limb
    requires { 0 <= sy <= sx }
    requires { valid r sx /\ valid x sx /\ valid y sy }
    requires { offset r = offset x \/ offset r + sx <= offset x
               \/ offset x + sx <= offset r }
    requires { offset r = offset y \/ offset r + sx <= offset y
               \/ offset y + sy <= offset r }
    requires { r.data = x.data = y.data }
    requires { writable r }
    alias    { r.data with x.data }
    alias    { r.data with y.data }
    alias    { x.data with y.data }
    ensures  { value r sx - power radix sx * result
               = old (value x sx - value y sy) }
    ensures  { 0 <= result <= 1 }
    ensures  { forall j. (j < offset r \/ offset r + sx <= j)
                         -> (pelts r)[j] = old (pelts r)[j] }
    ensures  { offset r = offset x \/ map_eq_sub (pelts x) (old pelts x)
                                                 (offset x) (offset x + sx) }
    ensures  { offset r = offset y \/ map_eq_sub (pelts y) (old pelts y)
                                                 (offset y) (offset y + sy) }
    writes { r.data.elts }
  =
    let ref lx = 0 in
    let ox = pure { x } in
    let oy = pure { y } in
    let ref b = wmpn_sub_n r x y sy in
    let ref i = sy in
    assert { offset r <> offset x ->
             forall j. offset x <= j < offset x + sx ->
                       (pelts x)[j] = (pelts ox)[j]
             by offset r + sy <= j \/ j < offset r };
    if (b <> 0)
    then begin
      while i < sx do
        variant { sx - i }
        invariant { sy <= i <= sx }
        invariant { value r i - power radix i * b
                    = value ox i - value oy sy }
        invariant { forall j. (j < offset r \/ offset r + i <= j)
                              -> (pelts r)[j] = old (pelts r)[j] }
        invariant { pelts x = pelts r }
        invariant { pelts y = pelts r }
        invariant { offset r = offset x \/ map_eq_sub (pelts x) (old pelts x)
                                                   (offset x) (offset x + sx) }
        invariant { offset r = offset y \/ map_eq_sub (pelts y) (old pelts y)
                                                   (offset y) (offset y + sy) }
        invariant { 0 <= b <= 1 }
        invariant { i = sx \/ b = 1 }
        label StartLoop in
        assert { b = 1 };
        lx <- get_ofs x i;
        let ghost olx = get_ofs ox i in
        assert { lx = olx };
        let res = sub_mod lx 1 in
        value_sub_update_no_change (pelts r) (r.offset + int32'int i)
                                   r.offset (r.offset + int32'int i) res;
        set_ofs r i res;
        assert { value r i = value r i at StartLoop };
        value_tail r i;
        value_tail ox i;
        i <- i+1;
        if lx <> 0
        then begin
          b <- 0;
          assert { res = lx - 1 };
          assert { value r i = value ox i - value oy sy };
          break
        end
        else begin
          assert { res = radix - 1 };
          assert { value r i - power radix i * b = value ox i - value oy sy };
        end
      done
    end;
    while i < sx do
        variant { sx - i }
        invariant { sy <= i <= sx }
        invariant { i = sx \/ b = 0 }
        invariant { value r i - power radix i * b
                    = value ox i - value oy sy }
        invariant { forall j. (j < offset r \/ offset r + i <= j)
                              -> (pelts r)[j] = old (pelts r)[j] }
        invariant { pelts x = pelts r }
        invariant { pelts y = pelts r }
        invariant { offset r = offset x \/ map_eq_sub (pelts x) (old pelts x)
                                                   (offset x) (offset x + sx) }
        invariant { offset r = offset y \/ map_eq_sub (pelts y) (old pelts y)
                                                   (offset y) (offset y + sy) }
        invariant { 0 <= b <= 1 }
        label StartLoop2 in
        assert { b = 0 by i < sx };
        lx <- get_ofs x i;
        let ghost olx = get_ofs ox i in
        assert { olx = lx };
        value_sub_update_no_change (pelts r) (r.offset + int32'int i)
                                   r.offset (r.offset + int32'int i) lx;
        set_ofs r i lx;
        assert { value r i = value r i at StartLoop2 };
        value_tail r i;
        value_tail ox i;
        assert { value r (i+1) - power radix (i+1) * b
                 = value ox (i+1) - value oy sy };
        i <- i+1
     done;
     b

  let sub_n [@extraction:inline] (r x y:ptr limb) (sz:int32) : limb
    requires { 0 <= sz }
    requires { valid r sz /\ valid x sz /\ valid y sz }
    requires { writable r }
    ensures  { value r sz - power radix sz * result
               = old (value x sz - value y sz) }
    ensures  { 0 <= result <= 1 }
    ensures { forall j. (j < offset r \/ offset r + sz <= j)
              -> (pelts r)[j] = old (pelts r)[j] }
    ensures { forall j. (pelts x)[j] = old (pelts x)[j] }
    ensures { forall j. (pelts y)[j] = old (pelts y)[j] }
    ensures { value x sz = old value x sz }
    ensures { value y sz = old value y sz }
    ensures  { min x = old min x /\ max x = old max x
               /\ plength x = old plength x }
    ensures  { min y = old min y /\ max y = old max y
               /\ plength y = old plength y }
    ensures  { min r = old min r /\ max r = old max r
               /\ plength r = old plength r }
  =
    let ghost ox = pure { x } in
    let ghost oy = pure { y } in
    let nr, nx, ny, m = open_sep r x sz y sz in
    label Sub in
    let res = wmpn_sub_n nr nx ny sz in
    let ghost onx = pure { nx } in
    let ghost ony = pure { ny } in
    close_sep r x sz y sz nr nx ny m;
    assert { forall j. 0 <= j < sz
                       -> (pelts x)[offset x + j] = (pelts ox)[offset x + j]
             by (pelts x)[offset x + j]
                = (pelts onx)[offset onx + j]
                = (pelts nx at Sub)[offset onx + j]
                = (pelts ox)[offset x + j] };
    assert { forall j. 0 <= j < sz
                       -> (pelts y)[offset y + j] = (pelts oy)[offset y + j]
             by (pelts y)[offset y + j]
                = (pelts ony)[offset ony + j]
                = (pelts ny at Sub)[offset ony + j]
                = (pelts oy)[offset y + j] };
    res

  let sub_n_rx [@extraction:inline] (x y:ptr limb) (sz:int32) : limb
    requires { 0 <= sz }
    requires { valid x sz /\ valid y sz }
    requires { writable x }
    ensures  { value x sz - power radix sz * result
               = old (value x sz - value y sz) }
    ensures  { 0 <= result <= 1 }
    ensures  { forall j. (j < offset x \/ offset x + sz <= j)
                      -> (pelts x)[j] = old (pelts x)[j] }
    ensures  { forall j. (pelts y)[j] = old (pelts y)[j] }
    ensures  { value y sz = old value y sz }
    ensures  { min x = old min x /\ max x = old max x
               /\ plength x = old plength x }
    ensures  { min y = old min y /\ max y = old max y
               /\ plength y = old plength y }
  = let ghost oy = pure { y } in
    let nr, nx, ny, m = open_rx x sz y sz in
    label Sub in
    let res = wmpn_sub_n nr nx ny sz in
    let ghost ony = pure { ny } in
    close_rx x sz y sz nr nx ny m;
    assert { forall j. 0 <= j < sz
                       -> (pelts y)[offset y + j] = (pelts oy)[offset y + j]
             by (pelts y)[offset y + j]
                = (pelts ony)[offset ony + j]
                = (pelts ny at Sub)[offset ony + j]
                = (pelts oy)[offset y + j] };
    value_sub_frame_shift (pelts y) (pelts oy) (offset y) (offset y)
                          (int32'int sz);
    res

  let sub_n_ry [@extraction:inline] (x y:ptr limb) (sz:int32) : limb
    requires { 0 <= sz }
    requires { valid x sz /\ valid y sz }
    requires { writable y }
    ensures  { value y sz - power radix sz * result
               = old (value x sz - value y sz) }
    ensures  { 0 <= result <= 1 }
    ensures  { forall j. (j < offset y \/ offset y + sz <= j)
               -> (pelts y)[j] = old (pelts y)[j] }
    ensures  { forall j. (pelts x)[j] = (old pelts x)[j] }
    ensures  { value x sz = old value x sz }
    ensures  { min x = old min x /\ max x = old max x
               /\ plength x = old plength x }
    ensures  { min y = old min y /\ max y = old max y
               /\ plength y = old plength y }
  = let ghost ox = pure { x } in
    let nr, ny, nx, m = open_rx y sz x sz in
    label Sub in
    let res = wmpn_sub_n nr nx ny sz in
    let ghost onx = pure { nx } in
    close_rx y sz x sz nr ny nx m;
    assert { forall j. 0 <= j < sz
                       -> (pelts x)[offset x + j] = (pelts ox)[offset x + j]
             by (pelts x)[offset x + j]
                = (pelts onx)[offset onx + j]
                = (pelts nx at Sub)[offset onx + j]
                = (pelts ox)[offset x + j] };
    value_sub_frame_shift (pelts x) (pelts ox)
                          (offset x) (offset x) (int32'int sz);
    res

  let sub [@extraction:inline] (r x:ptr limb) (sx:int32) (y:ptr limb) (sy:int32) : limb
    requires { 0 <= sy <= sx }
    requires { valid r sx /\ valid x sx /\ valid y sy }
    requires { writable r }
    ensures  { value r sx - power radix sx * result
               = old (value x sx - value y sy) }
    ensures  { 0 <= result <= 1 }
    ensures { forall j. (j < offset r \/ offset r + sx <= j)
              -> (pelts r)[j] = old (pelts r)[j] }
    ensures { forall j. (pelts x)[j] = old (pelts x)[j] }
    ensures { forall j. (pelts y)[j] = old (pelts y)[j] }
    ensures { value x sx = old value x sx }
    ensures { value y sy = old value y sy }
    ensures  { min x = old min x /\ max x = old max x
               /\ plength x = old plength x }
    ensures  { min y = old min y /\ max y = old max y
               /\ plength y = old plength y }
    ensures  { min r = old min r /\ max r = old max r
               /\ plength r = old plength r }
  =
    let ghost ox = pure { x } in
    let ghost oy = pure { y } in
    let nr, nx, ny, m = open_sep r x sx y sy in
    label Sub in
    let res = wmpn_sub nr nx sx ny sy in
    let ghost onx = pure { nx } in
    let ghost ony = pure { ny } in
    close_sep r x sx y sy nr nx ny m;
    assert { forall j. 0 <= j < sx
                       -> (pelts x)[offset x + j] = (pelts ox)[offset x + j]
             by (pelts x)[offset x + j]
                = (pelts onx)[offset onx + j]
                = (pelts nx at Sub)[offset onx + j]
                = (pelts ox)[offset x + j] };
    assert { forall j. 0 <= j < sy
                       -> (pelts y)[offset y + j] = (pelts oy)[offset y + j]
             by (pelts y)[offset y + j]
                = (pelts ony)[offset ony + j]
                = (pelts ny at Sub)[offset ony + j]
                = (pelts oy)[offset y + j] };
    res

  let sub_rx [@extraction:inline] (x:ptr limb) (sx:int32) (y:ptr limb) (sy:int32) : limb
    requires { 0 <= sy <= sx }
    requires { valid x sx /\ valid y sy }
    requires { writable x }
    ensures  { value x sx - power radix sx * result
               = old (value x sx - value y sy) }
    ensures  { 0 <= result <= 1 }
    ensures  { forall j. (j < offset x \/ offset x + sx <= j)
               -> (pelts x)[j] = old (pelts x)[j] }
    ensures  { forall j. (pelts y)[j] = (old pelts y)[j] }
    ensures  { value y sy = old value y sy }
    ensures  { min x = old min x /\ max x = old max x
               /\ plength x = old plength x }
    ensures  { min y = old min y /\ max y = old max y
               /\ plength y = old plength y }
  =
    let ghost oy = pure { y } in
    let nr, nx, ny, m = open_rx x sx y sy in
    label Sub in
    let res = wmpn_sub nr nx sx ny sy in
    let ghost ony = pure { ny } in
    close_rx x sx y sy nr nx ny m;
    assert { forall j. 0 <= j < sy
                       -> (pelts y)[offset y + j] = (pelts oy)[offset y + j]
             by (pelts y)[offset y + j]
                = (pelts ony)[offset ony + j]
                = (pelts ny at Sub)[offset ony + j]
                = (pelts oy)[offset y + j] };
    value_sub_frame_shift (pelts y) (pelts oy)
                          (offset y) (offset oy) (int32'int sy);
    res

  let sub_ry [@extraction:inline] (x:ptr limb) (sx:int32) (y:ptr limb) (sy:int32) : limb
    requires { 0 <= sy <= sx }
    requires { valid x sx /\ valid y sx }
    requires { writable y }
    ensures  { value y sx - power radix sx * result
               = old (value x sx - value y sy) }
    ensures  { 0 <= result <= 1 }
    ensures  { forall j. (j < offset y \/ offset y + sx <= j)
               -> (pelts y)[j] = old (pelts y)[j] }
    ensures  { forall j. (pelts x)[j] = (old pelts x)[j] }
    ensures  { value x sx = old value x sx }
    ensures  { min x = old min x /\ max x = old max x
               /\ plength x = old plength x }
    ensures  { min y = old min y /\ max y = old max y
               /\ plength y = old plength y }
  =
    let ghost ox = pure { x } in
    let ghost oy = pure { y } in
    let nr, ny, nx, m = open_rx y sx x sx in
    label Sub in
    value_sub_frame_shift (pelts ny) (pelts oy)
                          (offset ny) (offset y) (int32'int sy);
    assert { value ny sy = old (value y sy) };
    assert { value nx sx = old (value x sx) };
    let res = wmpn_sub nr nx sx ny sy in
    let ghost onx = pure { nx } in
    close_rx y sx x sx nr ny nx m;
    assert { forall j. 0 <= j < sx
                       -> (pelts x)[offset x + j] = (pelts ox)[offset x + j]
             by (pelts x)[offset x + j]
                = (pelts onx)[offset onx + j]
                = (pelts nx at Sub)[offset onx + j]
                = (pelts ox)[offset x + j] };
    value_sub_frame_shift (pelts x) (pelts ox)
                          (offset x) (offset x) (int32'int sx);
    res


end

(* TODO remove when sub_rx can be used instead *)
module SubOld

  use mach.c.C
  use lemmas.Lemmas
  use int.Int
  use mach.int.Int32
  use import mach.int.UInt64GMP as Limb
  use types.Types
  use array.Array
  use map.Map
  use int.Power
  use map.MapEq
  use ptralias.Alias
  use ref.Ref

  let wmpn_sub_n (r x y:t) (sz:int32) : limb
    requires { valid x sz }
    requires { valid y sz }
    requires { valid r sz }
    requires { writable r }
    ensures { 0 <= result <= 1 }
    ensures { value r sz - power radix sz * result
              = value x sz - value y sz }
    ensures { forall j. (j < offset r \/ offset r + sz <= j)
              -> (pelts r)[j] = old (pelts r)[j] }
    writes { r.data.elts }
  =
    let lx = ref 0 in
    let ly = ref 0 in
    let b = ref 0 in
    let i = ref 0 in
    while !i < sz do
      variant { sz - !i }
      invariant { 0 <= !i <= sz }
      invariant { value r !i - (power radix !i) * !b
                  = value x !i - value y !i }
      invariant { forall j. (j < offset r \/ offset r + sz <= j)
                -> (pelts r)[j] = old (pelts r)[j] }
      invariant { 0 <= !b <= 1 }
      label StartLoop in
      lx := get_ofs x !i;
      ly := get_ofs y !i;
      let res, borrow = sub_with_borrow !lx !ly !b in
      set_ofs r !i res;
      assert { value r !i - (power radix !i) * !b =
      value x !i - value y !i };
      b := borrow;
      value_tail r !i;
      value_tail x !i;
      value_tail y !i;
      assert { value r (!i+1) - (power radix (!i+1)) * !b
                  = value x (!i+1) - value y (!i+1) };
      i := !i + 1;
      done;
      !b

  let wmpn_sub (r x:t) (sx:int32) (y:t) (sy:int32) : limb
    requires { 0 <= sy <= sx }
    requires { valid x sx }
    requires { valid y sy }
    requires { valid r sx }
    requires { writable r }
    ensures { value r sx  - power radix sx * result
              = value x sx - value y sy }
    ensures { forall j. (j < offset r \/ offset r + sx <= j)
              -> (pelts r)[j] = old (pelts r)[j] }
    ensures { 0 <= result <= 1 }
    writes { r.data.elts }
  =
    let ref lx = 0 in
    let ref b = wmpn_sub_n r x y sy in
    let ref i = sy in
    if b <> 0
    then begin
      while i < sx do
        variant { sx - i }
        invariant { sy <= i <= sx }
        invariant { value r i - power radix i * b =
                    value x i - value y sy }
        invariant { forall j. (j < offset r \/ offset r + sx <= j)
                  -> (pelts r)[j] = old (pelts r)[j] }
        invariant { 0 <= b <= 1 }
        invariant { i = sx \/ b = 1 }
        assert { b = 1 };
        lx <- get_ofs x i;
        let res = sub_mod lx 1 in
        value_sub_update_no_change (pelts x) (x.offset + int32'int i)
                                             (x.offset + int32'int i + 1)
                                             (x.offset + int32'int sx) res;
        set_ofs r i res;
        assert { value r i - (power radix i) * b = value x i - value y sy };
        value_tail r i;
        value_tail x i;
        i <- i + 1;
        if (lx <> 0)
        then begin
          b <- 0;
          assert { res = lx - 1 };
          assert { value r i = value x i - value y sy};
          break;
        end
        else begin
          assert { res = radix - 1 };
          assert { value r i - power radix i = value x i - value y sy }
        end
      done
    end;
    while i < sx do
      variant { sx - i }
      invariant { sy <= i <= sx }
      invariant { i = sx \/ b = 0 }
      invariant { value r i - power radix i * b =
                value x i - value y sy }
      invariant { forall j. (j < offset r \/ offset r + sx <= j)
                -> (pelts r)[j] = old (pelts r)[j] }
      assert { b = 0 by i < sx };
      lx <- get_ofs x i;
      set_ofs r i lx;
      value_tail r i;
      value_tail x i;
      assert { value r i = value x i - value y sy };
      assert { value r (i+1) - power radix (i+1) * b
               = value x (i+1) - value y sy };
      i <- i + 1;
    done;
    b

  let wmpn_sub_n_in_place (x y:t) (sz:int32) : limb
    requires { 0 <= sz }
    requires { valid x sz }
    requires { valid y sz }
    requires { writable x }
    ensures { value x sz  - power radix sz * result
              = value (old x) sz - value y sz }
    ensures { 0 <= result <= 1 }
    writes { x.data.elts }
    ensures { forall j. j < x.offset \/ x.offset + sz <= j ->
              (pelts x)[j] = (pelts (old x))[j] }
  =
    let ghost ox = { x } in
    let ref lx = 0 in
    let ref ly = 0 in
    let ref b = 0 in
    let ref i = 0 in
    while i < sz do
      variant { sz - i }
      invariant { 0 <= i <= sz }
      invariant { value x i - power radix i * b =
                  value ox i - value y i }
      invariant { 0 <= b <= 1 }
      invariant { forall j. i <= j < sz ->
                  (pelts x)[x.offset + j] = (pelts ox)[x.offset + j] }
      invariant { forall j. j < x.offset \/ x.offset + sz <= j ->
                  (pelts x)[j] = (pelts (old x))[j] }
      label StartLoop in
      lx <- get_ofs x i;
      assert { lx = (pelts ox)[ox.offset + i] };
      ly <- get_ofs y i;
      let res, borrow = sub_with_borrow lx ly b in
      value_sub_update_no_change (pelts x) (offset x + int32'int i)
                                 (offset x) (offset x + int32'int i) res;
      set_ofs x i res;
      assert { forall j. i < j < sz ->
                 (pelts x)[x.offset + j]
                 = (pelts ox)[x.offset + j]
                 by (pelts x)[x.offset + j]
                 = (pelts (x at StartLoop))[x.offset + j]
                 = (pelts ox)[x.offset + j]};
      assert { value x i - power radix i * b = value ox i - value y i };
      b <- borrow;
      value_tail ox i;
      value_tail x i;
      value_tail y i;
      assert { value x (i+1) - power radix (i+1) * b =
              value ox (i+1) - value y (i+1) };
      i <- i + 1;
    done;
    b

  let wmpn_sub_in_place (x:t) (sx:int32) (y:t) (sy:int32) : limb
    requires { 0 <= sy <= sx }
    requires { valid x sx }
    requires { valid y sy }
    requires { writable x }
    ensures { value x sx  - power radix sx * result
              = value (old x) sx - value y sy }
    ensures { 0 <= result <= 1 }
    writes { x.data.elts }
    ensures { forall j. j < x.offset \/ x.offset + sx <= j ->
              (pelts x)[j] = (pelts (old x))[j] }
  =
    let ghost ox = { x } in
    let ref lx = 0 in
    let ref b = wmpn_sub_n_in_place x y sy in
    let ref i = sy in
    if not (b = 0)
    then begin
      while i < sx do
        variant { sx - i }
        invariant { sy <= i <= sx }
        invariant { value x i - power radix i * b =
                    value ox i - value y sy }
        invariant { 0 <= b <= 1 }
        invariant { i = sx \/ b = 1 }
        invariant { forall j. i <= j < sx ->
                    (pelts x)[x.offset + j] = (pelts ox) [x.offset + j] }
        invariant { forall j. j < x.offset \/ x.offset + sx <= j ->
                    (pelts x)[j] = (pelts (old x))[j] }
        assert { b = 1 };
        lx <- get_ofs x i;
        assert { lx = (pelts ox)[ox.offset + i] };
        let res = sub_mod lx 1 in
        value_sub_update_no_change (pelts x) (x.offset + int32'int i)
                                             (x.offset + int32'int i + 1)
                                             (x.offset + int32'int sx) res;
        set_ofs x i res;
        assert { value x i - power radix i * b = value ox i - value y sy };
        assert { forall j. i < j < sx ->
                 (pelts x)[x.offset + j] = (pelts ox) [x.offset + j] };
        value_tail ox i;
        value_tail x i;
        i <- i + 1;
        if not (lx =  0)
        then begin
          b <- 0;
          assert { res = lx - 1 };
          assert { value x i = value ox i - value y sy };
          break;
        end
        else begin
          assert { res = radix - 1 };
          assert { value x i - power radix i = value ox i - value y sy }
        end
      done
    end;
    assert { forall j. x.offset + i <= j < x.offset + sx
             -> (pelts x)[j] = (pelts ox)[j]
             by i <= j - x.offset < sx
             so (pelts x)[x.offset + (j - x.offset)]
                = (pelts ox)[x.offset + (j - x.offset)] };
    value_sub_frame (pelts x) (pelts ox) (x.offset + int32'int i)
                                         (x.offset + int32'int sx);
    value_concat x i sx;
    value_concat ox i sx;
    b

endwhy3-1.6.0/examples/multiprecision/sub/000077500000000000000000000000001440160026300200615ustar00rootroot00000000000000why3-1.6.0/examples/multiprecision/sub/why3session.xml000066400000000000000000003262541440160026300231150ustar00rootroot00000000000000











 
 
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
   
   
    
    
    
    
    
    
   
   
   
   
    
    
    
    
    
    
   
   
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
 
 
 
 
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
   
   
   
   
   
   
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
   
   
   
   
   
   
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
   
   
   
   
   
   
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
   
   
   
   
   
   
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
   
   
   
   
   
   
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
 
 
 
 
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
   
   
   
   
   
   
   
   
   
   
   
   
  
  
  
  
   
   
   
   
   
   
   
   
   
   
   
   
  
  
  
  
  
  
  
  
  
  
  
  
  
   
   
    
    
    
    
    
    
   
   
   
   
   
  
  
  
  
   
   
    
    
    
    
    
    
   
   
   
   
   
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
 
 
 
 
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
   
   
   
   
   
   
  
  
  
  
   
   
   
   
   
   
   
   
   
   
   
   
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
   
   
    
    
    
    
    
    
   
   
   
   
   
  
  
  
  
  
  
  
  
  
  
  
 
 
 
 
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
   
   
   
   
   
   
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
   
   
   
   
   
   
  
  
  
  
   
   
   
   
   
   
   
   
   
   
   
   
  
  
  
  
  
  
  
  
  
  
  
  
  
   
   
    
    
    
    
    
    
   
   
   
   
   
  
  
  
  
   
   
    
    
    
    
    
    
   
   
   
   
   
   
   
  
  
  
  
  
  
  
  
  
  
  
 
 
 
 
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
   
   
   
   
   
   
   
   
   
   
   
   
  
  
  
  
   
   
   
   
   
   
   
   
   
   
   
   
  
  
  
  
  
  
  
  
  
  
  
  
  
  
   
   
    
    
    
    
    
    
   
   
   
   
   
  
  
  
  
   
   
    
    
    
    
    
    
   
   
   
   
   
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
 
 
 
 
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
   
   
   
   
   
   
  
  
  
  
   
   
   
   
   
   
   
   
   
   
   
   
  
  
  
  
   
   
   
  
  
  
  
  
  
  
  
  
  
  
  
  
   
   
    
    
    
    
    
    
   
   
   
   
   
  
  
  
  
  
  
  
  
  
  
  
 
 
 
 
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
   
   
   
   
   
   
   
   
   
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
   
   
   
   
   
   
  
  
  
  
   
   
   
   
   
   
   
   
   
   
   
   
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
   
   
    
    
    
    
    
    
   
   
   
   
   
  
  
  
  
  
  
  
  
  
  
  
 
 


 
 
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
   
   
    
    
    
    
    
    
    
    
    
   
   
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
 
 
 
 
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
 
 
 
 
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
   
   
   
   
   
   
   
   
   
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
   
   
    
    
    
    
    
    
    
    
    
   
   
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
 
 
 
 
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
   
   
   
   
   
   
   
   
   
   
   
   
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
 
 



why3-1.6.0/examples/multiprecision/sub/why3shapes.gz000066400000000000000000000731301440160026300225250ustar00rootroot00000000000000[o$7(_^^=,>=6O9}ijZ[,tu*qzX7||ǥW0/uC+?w81Q{ݣ>çvwܧ/×_
A
PwO+]~8J[5|;RSi㓫/W_~n0*t'?H|Օ[}o&ڮypg-ǿ#9W(B|TG>АGӧӓgGSsb?|*?oc]T,@?o?uO\
aԁu::@*3#P= 
ܝ !g)cF̦UzDOS*2L,4qNoX3*0ig~jo6N|igN_=7kxAڎrsv?1\ˇˌ>1Jɫ?R?|!uM[4xqy1|<	~\(A=vu4>[W_H{sztWoWR/_;a-K`;gR?$7z1JbY`VՆX{MiY'f{&WU*/NJ^yuZ},G4*j?s`pf@maD$Br4`ms;i2d$Mѥj4AsZ`n-M&L{ปq~$B0gP43`ea,3n[sLv=Ո|(w7nfB=lN=V;>q^flu<׾ma]?>got]x?Y	~֏?_/ЇN]"кO-mdi2۝9ߒzHjzl0Ѐ^ጿWonzy7T	݁a&gl̯KZΜY=¥-m'>]zuN2Aq[~*rWYoJC*8#
×˓f&op
V+U`
8jz|jܥ֬9z]M?y醛^'viZ]zS0VkMΟRJ`)b%=a}NEZ5-jFS`=4Qj"R5Tc|ӜrMUѫ
͋BS}JjZ֗Ib+ulSg'K_~//gWAXyo|*dzQϟ+wX\u9,W].ZTCW]j~meiL?>tx?7f2Բ=cXй%{<.b*|\Um" lWEf*03X3%LCg
ݬb`nO?>WgDݪy*GgU~qT-,`Y/,`݊<-0Lեfq`qaIQ/,|aZX=pÚ:@qa249<-0b\mr\}}uAc(:H2MH^
	̌=5L,q3/Â=y+	NIV7=}2kzl,3yn-vCx3M-8683
<3f|xH.MRcǙa}0*NZEQKhKhQ7Չf1QBAPZ̥$IRORsbABAPZb.'	-N8p܉Q;,A=Jh1ZB$8IMZaPk.6V;\2^]lMv4ci:x>M4i*ViK͎gi:-Swڕƚ}$!5j~JM.>6a
%l\˒`q6:-@Чr*2?Οq=xU+l8eou^MV39HRy&je\Ҩ䠔jm$iF&mt)h9hY]ǯr%6kIɓV9wfHrը@ǚFrNIɓVre䠓NYuJT-TnjGb5ky:}ʹ͞14mš)43{,C]~,ɴX~^tY5	[I=ZOx8KM$,1YanD&$VYaVd1$,I"IkI"5gvÖ0"}U\olhWB?M6krUT.Ӭ@:$|y]Ih}Nz7NIcE LTdioY;̒a˭{'u{7aN&T&Cb~ɪr7a]%2٤,&YjlVl	jo?J7	s.T}7a-ޛP_ߛ.bK{ZU`v|BRTP7
=l'4-s1mMf^h9RٮTJ/Auw1R?`*\>Q]a|p܍pGpzqh^ܝ^t|0~"Udo!1yIkM	|쓣wi#ӹ9inY&1zz6ӡa>}}?{~IޟVcN*uzÉ|r{zsz΂Ӧ=>wJ移W̭]Rk|Rs2|]~lqQq.ϕǤ^;,ò^;)~66(FrFv~*S~~w(%?TRSɏSɏSɏS^C5&>1c'~Rcby;ڙDi2O>?M'B-~?v<^T
JWϧqSv:[֭2l<,Z7O9?8?m'lGXtUSKf+ƌoO}(>xoOѺONʞꝎ]3*NNGUC!ƯlW?l?
ߥ^_{W>wmP:lȳYY\(۲â 
;V47b<ꥸ'κ!ml;1_vLUbg

leDر#sm|r|[9k":#<Q&Aly^wVj|uwZgQJzb>l}ӗ},+M˓jp/]h{}gƥD	*IoBCq㯗Gg
#K)j!^ꯍigY-Qd=E)B(aEfEEZ
,شi
kc=uAxeZ#|oR[Rh-de!\0\c=<7kq2l*g)'lJ+bbLUs+#,W0V/K~OUwv7&8OIݛAU+zlvLW~2bzuQ*Yfh&{{^[AZnԚT=6vxmk'QV,VМM2+S6l=75v,]ޞTRl[Nw;wd/_/UAvh
ZסZmZ^4]ZjGV3|4˭gN>+
W)Uߺ~\m>$cnn8vyHw_L,9m6R问AE7VcjsX$X^l
啦']^Eg.l-UUokJӷ6}d[ӷ'{lWxGom;.X^M_֚03}3}kie[/mmɚ痙m6}{;3u[Sx]3gl=m=kMfLE|aqa=kkaIcXaדSan^~x7JI?>"%0JI-/{M,Oɒ@:,lY-ovL2e5sHO<{K3~ܸ x}n	RRh絃??CmԺ(çmi2|ĔS|v#E|=KoԚwNZ|?^g4]?̥{PRsJKV2uYVfzז95&I2jeRcfqf&=&;g9xFrάΪK'JiO;@1c0&J*QIF(=֎$O/<݇׹MB8ϭ\ZZ]x"_of S
"'"]-B/XZ(7UA)=y^Y-`*9k"~({ CW!f7kҤV4,6h	ŨMz_J0O~"}V=1hre+eK܈[*ؿJ
[_l9]~r}\_GWuya|uD$YdwF.&YuF'bSm2YFT<㕍^-,#JVV9TdUm@3QXeDխ^rFԊ3MFd)I)Y幢HgZ/,dD	-VRG$r72ݨ5FJ.וּ.(Q)#7s-*op68kX{?z}
zH=A
sqqvN՗7J7wX:ڬlԶӰvf?B-!`g~SϟSB\75r[颴P^a[soBz?>sß圗VXq,.#j	3D?}\rjݿu驪kJ\-4k
@E
2@!Rv8tֿmVU<+S
HaBC݀gM䛽0=5דfjQ/qqzPԂ՞z=S}}Ѷ
O۫].exB-%.+ڼFMUL;,Bhe5o[zIBUgm-Aϫ|pi[C;NUi=g7M'̏{4,,Ǒ5:4xkn5vG0l,ޢKP¼aq2-5~UW+*yXwL ^q󪛗}ח^k?, 5:~]NtҗEŧk]$=*W$uX\@qfum#6Pm]?ƿzLEȥ@U}+⧶$w_%.Χ8xe
muٿ^CYZxwP]8.	y*ASz%2zNA^>.5OQgUBo	VH'tŗX/սfub_Woq)/Qe18Y]k8W.l7_Lwm&b{|x'(Ϟi]N`nEcܸcsCi0w?pE$^~7ّ
?a{8#-Ano`v4?{A[	td%p,znʢdUi0PZt<"޴w8{7.xDܺqUtGn~aC>md!6leuVHo_ol6*SQ{S4ncռ2kYf=+9\RX`A֭Kwl
[+Ww㗕P
~rԏ.Dǵm@\37oʛ8CS/ztw3k|A?.
6)3UuZɼM捼'}M8ɭ6{-(.
rCY
Qz-7D.憨H+!_:O`"]Hf)QD	^NKYZ_ʂPgs,QOą d-9k+c] β$$sn
~mq̗i}+O+#Lt¸>۩$rƔrTzJ2QI&YI}ŞWmb]RG^̙UJ4E/os_\<&guEd)ϥ.\~M+9.i#_Rrߚv˺x:J-.Znj@i]BUw1Q5nm7h- 7]9l(oh#pW|ĉMPu?j(WԨbq}#nDCg~ T-xsV
rE֢l<'t[AƂٍRL&YP{gh$ZyuEb`*ؼf7?Zo:o̹h7=FMa.md*7`XZLgǵ,M)0hǃ(GEe𗝐Ym.Qs#Llvdl_5>~31Y7s1z^is:	^
4gM\-D.ڗkfsJ_
ImY/ˣK'ÄC`Y_"u^J"8ӻ5Mk'z>H;Mq벛7k|g"ʼnRJۃdr7;O1Ϳ2ՎMA)Z-IS}VszۥяQu{Ttp
>Vm^v,ӿa~Ԇy68*6=ۼg.WH܀9%Th~ZWnx8f釚T̀_jbS2R>5sfCRjLfLnnX-铪Nm[X&`t6Qn.l-#!P;*R; t,* 02y1U*w]ksյx
]91d	N+ybU.{2,UBp6*tk
``EspFaJu\(L׀bcr1hL$x0D![ѥvҫd\Q+ѢLеmFcf1Zm0ʘ3! af%-H	>9F;Nג]{-̵B]/^ZkhQ_Fy<^#\#Fv
5kb zk@`.A28GKsAٌ"*31(5Rp3%^vk)N!Z%`@<ǀjcuy`s>+IFl2֓fe,&D(B&F.lHpgX(-=IԟFF`x2lYx
%"K4	貃(3KxD_lj
dJ$^Z1h==32X֎<:F@~5N nfF
qFu@)ɐ'Ӟl|,,h	H2~TV][ymŵkKOld׆4F_um
\~mصךZ]ky1La@N.+hV,RZs  Fg!3>1f
Q>`kěd2Ƥ=kH##G{
1%NqL-Ix/8ZjFJ`I%Toh9erFn=4lȷs3
2|%@N;q;2vQ =@Ic74VMu–fԑD#I;^7̾[)TP3seI2m?~_3%]wAzEvqE7иxƅ

HI@KQx3$(EV`EgՉLф\70u2rbrz~K8aܒZvLZZL,pb^Ъ2Ir S`xʼ0Eg}
h֢r%/w),ELaq+󀴲c2* h$D,F{I޾`$885L j7]e6%@k@ATe 
!< e].W$WHP)0)bF=Jͺ*.8	.Nqh`WG%/4yBcLY2ȕ9tjxt$,Ҵd?}k-FfQ9[|alhQ=Ud
Bk_&p!`Stx$i޷rd
0+-c,pBc[9#ۆ"iרd2pEKEl„C	)ʢpW.cjNxz]vP(r;JHsIb@ȶQTk
$SB`wRj	ihy.vc(	hsqO nw^X>K!@jF| ITq’cH&'mU+\"Yd<v)$+(D{S.l&;L iv$і53/x\`3z\B
H)>I<A:觔ijd(\%
& #kCb(,*L3}hx1>}O2R%B[#oDL!v&zdfIZW$eGQ/_pdGzie_|x~!ilQ$s ePLZr7'=#:@Z]rr,Ʉ44BY'2儘L
iǐǵx(r3i~e‚siؐ
۝d1f%.dܓGM^D>V'	lҘ$#!IAEdvTLN)T YY\U9'8OAn".)`$Q4	uVyN#&FVwKV`0Y^.SڰK}*828a
P9B'pB	rNhv+M*ʒ(%$s2	a;UM6MB	G*ȝ׉sf24'CE!rMRYg2ܥoX޺;=:Iɒ0n01*W}$;L	JD)O2dKQ^'ọwRR#&2c1>#P'zm섲ݘ &ѩ'IrHV2渷тЮς:q=ɨy.wҽ,҅l
.KkiNf&H#KIGpe.dι6Խ(S9(?CJܘ4AJ&)ʕєu#Y
2+%D-dR9%ƵNh0y.^	n_`hudгu"2;C$M^Z2Y^Ele)#vYf.Vl9hBa."d-,cwf4{N&cʬ뛉CTAjs;)wfHW9yF$!U9t	v+mj!1yfCLT*l;sFsLk$kGbf=P4uv֙p49O?%q
WqggEU &]Ι/Gxvθ)PG4,q
hd@CSS4:.Q9!h*4#.v֨;K,y/'	'DMᆙYDD|'h\;[l=ʐrVIIc,2XbbKwYf]kI!
LKmQ/@;{|cLX!`RV)1"3N@yt%
ٗWF(G21b"Dw;ʝOw>}p	E!DV٢yIb(i <|si:u7։-rς켺sBX0	#"'TQF/D4ڝ_w~}	c*A	莑WR>j_tη/oY	BZ4,Sgl[۝o_&O|sy.Y!X$켻ݒZNfs2bL.hn+w%RYfHRq!4yxZDKFC1D+<^u/
θ %!S6Av!+|w^yۼµl:̳fB+NJC+e+_o̤/=垟^tf监o8LŘ H
JrƄ@zDV|AI1=]%r%p)-
|H1|OaTZbN1	ԁ^\q,5Gɻ3wZ="$d&[/2Kސ%?ȿfNbޡ$r*so0Ғf;tًD$]TCm\u"ǁfvˢ[#ttL{Ii:~=ox݋LR砂2%,jFwH2FKLt0̎q@EI1WwTz©dUڤVJȃU)D"c>8-.ҼKH7a\Nbt=!)gG7SҦ\7= I	a+YH#aB"٢]DdeEm'	B%iS"1/l\R80zK8 }r)14瀧 OjUPfQ(&.^03f=􎯓RIλX.X!BfE	'u!›Y
Z1UN5OdaTƓw^v5&Z#"R\y"˺$؝Pw
=ϖHiHedvsO.إQHY	0Y<D7`!ȝJϛ'J0/9x\H?`\aQJ3,D/dNkxb	=NgK"BaDsVbyDHa
;#v?o
*wlh
YHҁ
&;eWɅȏ#DH%U0M;Z.֓@rPl$1@ĎƐ2VA	*`Iϥt/Ϛjg7)C<LD0=_|o%H(,*Du=
;K`%YL2
AZko-4KHdVm))15`XÂ*r6ς!S{aYMAqF=q*GPQc/=.H,YD&b{3j]1;m6H/.7häK0cR1b؝Um&`egJ!7\Ŕ>CH#Hv瘝c:lYNzBG&ЖCFTI]KdZ@1
U;e ,	9H5;`A'3SRz0o+6)O0ZBPb9zsP^GUTҠ3'*'},v*=d9ȜT9m73}~(Q	w#d4ZH,3|w/bCJ9ȣKmM)/
F2eV5Y`dK)il:a3"+.%Y?`LI5q`ёrf1XTs9Ղ
Dz3M'Q/3YsHI$dleajv
bGdh`rٓ˄!f_]S47 IH0\a=Ox
v1!zC9>fiƔvdƒ	dy}%|6SD8m	&N{Xy;L!SQRӽo|Ɓ&K.;4Yėc,SWFfrBV
&181m|9*1F!HC&qNڱ5)ԑ( gI$܈b]J>},SdOe˙Is0)Xԓ݉mūQ+_!
ڒ#No+r6["FfK*+r!P
c,MrȂڑ7Jd&6;Iy"SP%"ڔMj,Ͼ{YOBPM4aO^s'`m'w]LGH>F,34>CIoS0>k2I4q@@yNCƥRh.rn's9.3ə@΄X$PͤbY@ʙ{[FN0P,L<+F*{SGSIDKM>,p颗0쨺ʤZM
22LLV4#'H+JdWd9sRC)$cĐD4k_S̤ 9-/\idF́`*5LSrh3	0EEyE_򬞌Igg-F&8RKBVB*
чJt¢ʼnRXuaOau"_c`zMX:"1u?"DrV*H-%ON'"jT&G^	&+FH2tiO2#i}G|@fD)NCƤYcEVU$4bDSecYoB>#^tQG,qATpEIAîrʑ.:'>TQ9+"@:GCh˰i@$t70xe$L.YjA"#EIAsR6f2ὉY`˵=+BHKMu$m1Hu
/ f@6VXtK_+f1i
2lR91<|ٙdVj$HˉxіddY6D[5Š%4BSvKLc)xi AFrf
Td}-^|BS[dIe.Y,uA K].+*zwDB.&l+2
::O#:u4Ie%-ˁ6VtO2Oɟ"uEQPG'TLU%U$K)*vWO6e3uXgT$ȝԜ 	rybjC#>THl1xe	XvڠC![,
$;$vAKqZ-@9%SnI,wyIlGiMPz<R=.&.XG>;
r)d	&-ȊsNrK$1dDGqɺ('F1/J3U9[yL-Dʑ{(UH$93ucDTIDad1YN#e;P[m2ϒ~Rl'ሊ#b0":zjVoHI"pDNm*F`HЭ
^+H.Ŝ9q"S%o߈`dYa	;pYrDȒ~`)YG(+`.t(:E(懡>+	`yBhMrFvJR}/YQ"tyt	d)FL'_#(^+;/कAy$dRXv
u##0dIem%lb{e;
hIwo 5&\N(R0pxٺrG* C`<ys
4EhU9k<.@QoWԸ5t.42^<ҊsUD>$decԓ[~Fd2d^=NԒ!Hj':l,'(a3*#L$Ep2UE*e>SӈaEqgutx*'BQ'!k4$hJ9{/(q:G}bN;J(e,˕;3Րކ0BdgzZ^rŧZ{ZYҚ+&)/#b?o
XIviG-ef~o_E	7T8[qi5Id	g(?}D$ʣaR^03:7=ZlgmkXʻC^WPW/=]u`
zE>,ǜ99Ͼ?JDLj3'I8u_#[v55u,ug_ww2?YkXqX,cr"`좡ГgB-5bF
X؁o?J~[°3!o,;1V̻7e-Ug9#2m
k>IRf/l=^淥nC~IQ5avM?TKh[YZ)ݹRf}GPM'|cBb_goKjz@XuG!y)gv,6"d2qͻΫgvhYPcـ4Atw>7]]8	::Κtpb`"j&SV)YD-/x/ɾO;9/1ϳWk/q_-qփR[1&wPr#J}7"QZT!L}^|Ӏz`~ԟgKP"qex`me_h'83!!)k?bhh=#ү6NPx 5 )Ҩ"":g1FB툋<3,:QW|èQK3d+V.#Ӄ߯*9Q[zP٧ѝ2Fn`k-rlʂլgҶ>ΥxA*'We,M֧e뮾j=vk՘_ҴCos.`5m5d9K!l~-Z~LPHխ+gtYY[$(0[mwzxI₿u?6B[#6"řۉlr&8!7t#D	ݞLM])]UHTF>*iukH8ه0ro^ܖT_j8{OȂRS;WZZ>ޛ4 r?۷Q.VNcЂO/i2`!'q=S#Mz,[\#z	TW}aw2lEXQ~*v-$O.¬{ޔAA=(Imr0>Oj'Z蠫
K7toǿ}t=
+0
njWM?!PҼf$f?^_KK5RV
wZݜ>\ҹcP+zf;N;Rx5gHQ	fV紽	#/RP{bBRֆO8EԲ`:1/7?ܒM_ܠk-1l~UuM7z/L~m+5:͟?sR&Dft8leiٗ/H'NEÔ'ydHɊBoV@ʺY]V=]wլMf:G{v{h:cN5, %A&UyGڼp{S^@k\Z	Tޫ];vl=nVK[$>m^\Qfrmsw&TG=Cƫٖ魜,9}r|ݜtn~,:US4?UN2R
fu3pd=31
]Ȅ
tVX]:fTw5:J;YsE*؇:3G
nM4S W^BXٌT PYV5`:g`x0d1R^*>؃^`9ACFH`Gr恁$NX#u<nPJ[aƒSnx9\s	. >xB`S๊`n%1XCh\Mϥzl PϕTO)Txk^B)uYxm0DӿчL?Lt+={&"̩n222(25QױUVx'Hc#L 8^Ʈ;blЂG~=paLgVŧ`*U/GlTwۣWa^[!4s4nLVO4e?
Oyk/T;0^OaaL	gg4`,`l(}/Xݪ"\g^P׋)	GY
Tk}zyVDxɸy@ؽ2Wp4p;PuJ76(o3H48Xr@h>e^/~3%W/lc}.x(a4Uw
'@5vb:ؗ?oEߘ
H,/ =g;Ś^uyG\`U[oyV'BOl4%kB)gz]=,oRKd f9^^lWw5\p,S
?{t@^s\g;,JYNVLk6cl6Z᭭z+;xF4퉝׌_|
ڪˡl}⩵,t^u=ihFp	>/%!ލl=3'*/jsuG1M)hwRt~UnM¥(R]}tq#ÿ<|dfUmy2#|:ݼ~=\2v(s(
by*O)1g^)>3p{q^x9Ͽ}|=υTMH<ӿ{LܢYG_Cxv̺x+9,z+<@rns0GvR*1Ea˸	Lu3kvVtҳo׹
R+aTɼnV5{b>opbfiqdSZ3ѭRR]i\Y׸bRlep[ܥ<dLeL

X2iJ#dҵ2/Ϭ'uxuT&}q_wmgSLWg:H֧:ؐ\B&&Ƨ~y
p`eUP{kl)Zԡ>xEtU,{V7 ?̈́G
rkn>iB4Y(R};ę3iBjB:P-KNI?XOR/>E5L˲z__:Ҏ駛;C,L8dʱ"?ju{XנV~[~.Mle^]k؈(M|7F8d,S'>ٙGC]iT
mdQ6K3Nui<}m]b"e/rc.<˖SY&y!zʀn!u	]Y:r~9RSƊrnY6@]:Fs¯ʙOGiꫝY.S_̟jގ5%WJ9c #P^FE.vO7wn5lZXEv
g#,b3{XSnS3!Pa&6}iޞElyHȧf0!yk.>!-lTin3B?
cZ[JfD5ἁb"q<4C0Uk6TV=3(	?]wB9Y5g$)Ԩ%aľ`cx.4N֥;ΔWɚòt@|R|=lZW]S.X:{xOӚpj0>vì+|!]1IY10	RΏ#Sϒ1`M~܂՞BOMY*Eћ<H	x:טn&Ճ-	o
zɧai.9~/i9Wo
̹fሬt%Wؙu]}t>2k)]
Kէmջo'DBy	|Tvހ[1)^԰Nz+%r?zLghuϊ{e!.4TB%N4KU\9~W:r-SxvR+/@i/Cf-uoS1

,6l]X]T
 V	j~Nctn—D~S_V;&ֲ%\
5Gzs
3
ӊ^i]01(ٳS_UPu
u	=֠Jҵ!kskAሼO?fOё+GbC:afW6,hvA;Pvxz}4uFPGZl;9be(rKvEfe胮6GfgrKeO+{%F`@{ucu)ޑ#
њvH2M`s`=^?j3RQqwޅ4J+sNlg:uʡǢ-GߗѱvЁg`I{8)@ΤNY!k&R_]_1E6'I;xVL*YsijrWW<G>up4IY?0|VOϧϟfu~~OnĞͱ|t\v [ó
6c-`{is
@w](lt;)E*ـ,lI@&D6Zo;	
ٲ筫~7	_2'N8=ѢPɮ!
VJVA=rQ$Ws(|@UUVssVUN6,3x=v7@:;H0d}=`՟י%9K4|+o`1fI_=w`ڲX	W:7Gn9_zL,µR-XG-Kfr~?3%_Pֱ8ȱN`	)߯4v3OLT'`
ȩζ
BxnC+}@E,
x:!8Lm@O9#CԸ›k?KnՂj[hU}J3=Ny)DoAO(.KLLZ)3oE}8KX{\eҸi:վFw(w;{!w5chGh7N^μ{ɮ~_zQxdJyݸN^hn:yQ=`v`l=:fރ\\Nl[֥q<>Į2)ydѬyҲ禼h姚ASF;شM
OI'*esjU+6?pym{?imMJjzLԪ%ʇ^4j@Xw-yYWr2TLJdmVfTPHkd#{_uvĕujxp3(t
sՎ|ʹ8y0q&da.d:s^Z(ZwY;o%Z]}H}1ҲO>?i»
62*>'fcC#t2,1<C/Ŕ,^f	V+PL%<>-lL#,!vES38CeDu&j}^y846U8gY9L=DÄՇ4O*\j̚ग"SlshK1'pƿshUɥ˝ڄV	#y5vոce.hQJ\sYG͛^(P'
mx\Bv} H%g6KgM_pg]+c9TzWNY2@O1N[e (pelts r)[j] = old (pelts r)[j] }
    ensures { 0 <= result <= 1 }
    writes { r.data.elts }
  =
    let ref b = 0 in
    let ref lx = C.get x in
    let ref i = 1 in
    let res = sub_mod lx y in
    C.set r res;
    if (lx < y)
    then begin
      b <- 1;
      assert { res - radix = lx - y };
      while (i < sz) do
        invariant { 1 <= i <= sz }
        invariant { 0 <= b <= 1 }
        invariant { i = sz \/ b = 1 }
        invariant { value r i - (power radix i) * b =
                    value x i - y }
        invariant { forall j. (j < offset r \/ offset r + sz <= j)
                  -> (pelts r)[j] = old (pelts r)[j] }
        variant { sz - i }
        assert { b = 1 };
        lx <- get_ofs x i;
        let res = sub_mod lx 1 in
        set_ofs r i res;
        assert { value r i - (power radix i) * b = value x i - y };
        value_tail r i;
        value_tail x i;
        i <- i + 1;
        if lx <> 0
        then begin
          b <- 0;
          assert { res = lx - 1 };
          assert { value r i = value x i - y };
          break
        end
        else begin
          assert { res = radix - 1 };
          assert { value r i - power radix i = value x i - y }
        end
      done;
    end;
    while i < sz do
      invariant { i = sz \/ b = 0 }
      invariant { 0 <= i <= sz }
      invariant { value r i - (power radix i) * b =
                  value x i - y }
      invariant { forall j. (j < offset r \/ offset r + sz <= j)
                -> (pelts r)[j] = old (pelts r)[j] }
      variant { sz - i }
      lx <- get_ofs x i;
      set_ofs r i lx;
      assert { value r i - (power radix i) * b =
                  value x i - y };
      value_tail r i;
      value_tail x i;
      i <- i + 1;
    done;
    b

  (** `wmpn_decr x sz y` subtracts from `x` the value of the limb `y` in place.
      `x` has size `sz`. The subtraction must not overflow. This corresponds
      to `mpn_decr` *)
  let wmpn_decr (x:t) (ghost sz:int32) (y:limb) : unit
    requires { valid x sz }
    requires { sz > 0 }
    requires { 0 <= value x sz - y }
    requires { writable x }
    ensures  { value x sz = value (old x) sz - y }
    ensures { forall j. j < x.offset \/ x.offset + sz <= j ->
              (pelts x)[j] = (pelts (old x))[j] }
    writes   { x.data.elts }
  =
    let ghost ox = { x } in
    let ref b = 0:limb in
    let ref lx : limb = C.get x in
    let ref xp = C.incr x 1 in
    let ghost ref i : int32 = 1 in
    let res = sub_mod lx y in
    C.set x res;
    if (res > lx)
    then begin
      b <- 1;
      assert { res - radix = lx - y };
      while not (b = 0) do
        invariant { 1 <= i <= sz }
        invariant { offset xp = offset x + i }
        invariant { pelts xp = pelts x }
        invariant { plength xp = plength x }
        invariant { min xp = min x /\ max xp = max x }
        invariant { i = sz -> b = 0 }
        invariant { 0 <= b <= 1 }
        invariant { writable xp }
        invariant { value x i - (power radix i) * b
                    = value ox i - y }
        invariant { forall j. i <= j < sz ->
                    (pelts x)[x.offset + j] = (pelts ox)[x.offset + j] }
        invariant { forall j. j < x.offset \/ x.offset + sz <= j ->
                    (pelts x)[j] = (pelts ox)[j] }
        variant   { sz - i }
        assert { b = 1 };
        lx <- C.get xp;
        assert { lx = (pelts ox)[ox.offset + i] };
        let res = sub_mod lx 1 in
        value_sub_update_no_change (pelts x) (x.offset + p2i i)
                                             (x.offset + p2i i + 1)
                                             (x.offset + p2i sz) res;
        C.set xp res;
        assert { forall j. i < j < sz ->
                   (pelts x)[x.offset + j]
                   = (pelts ox)[x.offset + j] };
        assert { value x i - (power radix i) * b = value ox i - y };
        value_tail x i;
        value_tail ox i;
        i <- i + 1;
        xp <- C.incr xp 1;
        if not (lx = 0)
        then begin
          assert { res = lx - 1 };
          assert { value x i = value ox i - y
                   by power radix (i-1) * res
                      = power radix (i-1) * lx - power radix (i-1) * b };
          b <- 0;
          assert { forall j. j < x.offset \/ x.offset + sz <= j ->
                    (pelts x)[j] = (pelts ox)[j] };
          break
        end
        else begin
          assert { res = radix - 1 };
          assert { value x i - power radix i = value ox i - y
                   by power radix (i-1) * res - power radix i
                      = power radix (i-1) * lx - power radix (i-1) * b};
        end;
        assert { i = sz -> b = 0
                 by value x sz - power radix sz * b = value ox sz - y
                 so 0 <= value ox sz - y
                 so value x sz < power radix sz
                 so value x sz - power radix sz * 1 < 0
                 so (b=0 \/ b=1) };
        done
    end;
    value_concat x i sz;
    value_concat ox i sz;
    assert { forall j. x.offset + i <= j < x.offset + sz ->
             (pelts x)[j] = (pelts ox)[j]
             by let k = j - x.offset in
                i <= k < sz
                so (pelts x)[x.offset + k] = (pelts ox)[x.offset + k]};
    value_sub_frame (pelts x) (pelts ox) (x.offset + p2i i) (x.offset + p2i sz)

  (** `decr_1 x sz` subtracts 1 from `x` in place.
      `x` has size `sz`. The subtraction must not overflow.
      This corresponds to `mpn_decr_1` *)
  let wmpn_decr_1 (x:t) (ghost sz:int32) : unit
    requires { valid x sz }
    requires { sz > 0 }
    requires { 0 <= value x sz - 1 }
    requires { writable x }
    ensures  { value x sz = value (old x) sz - 1 }
    ensures { forall j. j < x.offset \/ x.offset + sz <= j ->
              (pelts x)[j] = (pelts (old x))[j] }
    writes   { x.data.elts }
  =
    let ghost ox = { x } in
    let ghost ref b = 1:limb in
    let ref lx = 0 in
    let ghost ref i = 0 in
    let ref xp = C.incr x 0 in
    while (lx = 0) do
      invariant { 0 <= i <= sz }
      invariant { i = sz -> lx <> 0 }
      invariant { offset xp = offset x + i }
      invariant { pelts xp = pelts x }
      invariant { plength xp = plength x }
      invariant { min xp = min x /\ max xp = max x }
      invariant { lx <> 0 <-> b = 0 }
      invariant { 0 <= b <= 1 }
      invariant { value x i - (power radix i) * b
                  = value ox i - 1 }
      invariant { writable xp }
      invariant { forall j. i <= j < sz ->
                  (pelts x)[x.offset + j] = (pelts ox)[x.offset + j] }
      invariant { forall j. j < x.offset \/ x.offset + sz <= j ->
                  (pelts x)[j] = (pelts ox)[j] }
      variant   { sz - i }
      label StartLoop in
      lx <- C.get xp;
      assert { lx = (pelts ox)[ox.offset + i] };
      let res = sub_mod lx 1 in
      ghost (if lx = 0 then b <- 1 else b <- 0);
      assert { res - radix * b = lx - 1 };
      value_sub_update_no_change (pelts x) (x.offset + p2i i)
                                           (x.offset + p2i i + 1)
                                           (x.offset + p2i sz) res;
      C.set xp res;
      assert { forall j. i < j < sz ->
                 (pelts x)[x.offset + j]
                 = (pelts ox)[x.offset + j] };
      assert { value x i - (power radix i) * (b at StartLoop)
               = value ox i - 1 };
      value_tail x i;
      value_tail ox i;
      assert { value x (i+1) - power radix (i+1) * b =
               value ox (i+1) - 1
               by power radix i * res - power radix (i+1) * b
                  = power radix i * (lx - 1)
                  = power radix i * lx - power radix i * (b at StartLoop)
               so value x (i+1) - power radix (i+1) * b
                  = value x i + power radix i * res - power radix (i+1) * b };
      i <- i + 1;
      xp <- C.incr xp 1;
      assert { i = sz -> b = 0
               by value x sz - power radix sz * b = value ox sz - 1
                  so 0 <= value ox sz - 1
                  so value x sz < power radix sz
                  so value x sz - power radix sz * 1 < 0
                  so (b=0 \/ b=1) };
    done;
    value_concat x i sz;
    value_concat ox i sz;
    assert { forall j. x.offset + i <= j < x.offset + sz ->
             (pelts x)[j] = (pelts ox)[j]
             by let k = j - x.offset in
                i <= k < sz
                so (pelts x)[x.offset + k] = (pelts ox)[x.offset + k]};
    value_sub_frame (pelts x) (pelts ox) (x.offset + p2i i) (x.offset + p2i sz)

  let wmpn_sub_1_in_place (x:t) (sz:int32) (y:limb) : limb
    requires { valid x sz }
    requires { sz > 0 }
    requires { writable x }
    ensures  { value x sz - (power radix sz) * result = value (old x) sz - y }
    ensures  { 0 <= result <= 1 }
    ensures  { forall j. (j < offset x \/ offset x + sz <= j)
              -> (pelts x)[j] = old (pelts x)[j] }
    writes { x.data.elts }
  =
    let ghost ox = { x } in
    let ref b = 0 in
    let ref lx = C.get x in
    let ref i = 1 in
    let res = sub_mod lx y in
    C.set x res;
    if lx < y
    then begin
      b <- 1;
      assert { res - radix = lx - y };
      while i < sz do
        invariant { 1 <= i <= sz }
        invariant { 0 <= b <= 1 }
        invariant { b = 1 \/ i = sz }
        invariant { value x i - (power radix i) * b =
                    value ox i - y }
        invariant { forall j. (j < offset x \/ offset x + i <= j)
                  -> (pelts x)[j] = old (pelts x)[j] }
        variant { sz - i }
        assert { b = 1 };
        lx <- get_ofs x i;
        assert { lx = (pelts ox)[offset ox + i] };
        let res = sub_mod lx 1 in
        value_sub_update_no_change (pelts x) (x.offset + p2i i)
                                             (x.offset + p2i i + 1)
                                             (x.offset + p2i sz) res;
        set_ofs x i res;
        assert { forall j. i < j < sz ->
                   (pelts x)[x.offset + j]
                   = (pelts ox)[x.offset + j] };
        assert { value x i - (power radix i) * b = value ox i - y };
        value_tail x i;
        value_tail ox i;
        i <- i + 1;
        if not (lx = 0)
        then begin
          b <- 0;
          assert { res = lx - 1 };
          assert { value x i = value ox i - y };
          break
        end
        else begin
          assert { res = radix - 1 };
          assert { value x i - power radix i = value ox i - y };
        end;
      done;
    end;
    value_concat x i sz;
    value_concat ox i sz;
    assert { forall j. x.offset + i <= j < x.offset + sz ->
             (pelts x)[j] = (pelts ox)[j]
             by let k = j - x.offset in
                i <= k < sz
                so (pelts x)[x.offset + k] = (pelts ox)[x.offset + k]};
    value_sub_frame (pelts x) (pelts ox) (x.offset + p2i i) (x.offset + p2i sz);
    b

end
why3-1.6.0/examples/multiprecision/sub_1/000077500000000000000000000000001440160026300203015ustar00rootroot00000000000000why3-1.6.0/examples/multiprecision/sub_1/why3session.xml000066400000000000000000001475421440160026300233360ustar00rootroot00000000000000
















 
 
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
 
 
 
 
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
   
   
   
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
   
   
   
   
   
   
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
   
   
   
  
  
  
  
  
  
  
  
  
  
   
   
   
   
   
   
  
  
  
  
  
  
  
  
  
  
   
   
   
   
   
   
  
  
  
  
   
   
   
   
   
   
   
   
   
   
   
   
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
   
   
   
   
   
   
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
   
   
   
   
   
   
  
  
  
  
   
   
   
   
   
   
   
   
   
   
   
   
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
 
 
 
 
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
   
   
   
   
   
   
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
   
   
   
   
   
   
   
   
   
   
   
   
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
   
   
   
   
   
   
  
  
  
  
  
  
  
  
  
  
   
   
   
   
   
   
   
   
   
   
   
   
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
   
   
   
   
   
   
   
   
   
   
   
   
  
  
  
  
  
  
  
  
  
  
  
 
 
 
 
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
 
 



why3-1.6.0/examples/multiprecision/sub_1/why3shapes.gz000066400000000000000000000357651440160026300227610ustar00rootroot00000000000000}Y{
H׋ _z-w%K"\*KGѩ:bۥSd|AgU߽|fMk;?ƿ
7^wbN?{!_띈?+"wyWu;{QN/ؽ}Whݤ]bh8Koč'*zFR4?(/=ownn~x)eH?-z7RІ;'SsW:4RAݞ6G~Hr/7!
w]5ҎǺ\竿_c"ߚ/^}}}?W|٥Ky͛^ur40`$1[ϰcsܩ]=;dBz߾w}7vgv*:"Q.FxSC wn n9ox+-+¤jEf,YY954x9qUssUSjjnP5wD\f<)f!z
tFZ[+ǿ|(^g?_{F'	-nΕWJ;tHsuHvk̓N_l2I&	&Z(4I#
2%$	$9$$leVob;n}h1y;
rIFHx3k=ZY}{VO'Zc‘&.L`#h!@͢Ll*z$5N2-?:Q(:~tcB
:(<]Pz8y ^s╀Sl{h
4뇎"[{Q8.O gA'"n$Kǽ3>=>}|*Qn:(tP}[e
kfoJH@m-beߊ\f@ ?u:u7n-MnxnA-xd蕆otTg2m.pa<x|R
Vo,B]b_bK#&I;ǤTFǍO7vH3^v@ӁfeL^+k;t0`y^'
H1~Zkj 8
3"!u="?g|r^hG]>Q֍&Kps9|fTW|a9*<vL8a&\]Jι$@ՀrKEUtxо3?2.a'e/v1too-cձc:2tdx0r'iP7ќn\$~,7:MϧATޏ9'un0	&|C
ܐBdy:0\J] 2uA甄8(lWܮ]qoAq˰ؒ~n#C)A%ZZv,JpɕaEnBxˋUY,V~ɢ`/~|iO/][wkϾT^.L+sòse:ty //_ӼvDa+@$.nC3OhuY3g-hk؂.i,^X
%5苓5NC{a<@kL!;ƀ!ϟOkЦ}!o:u,ڛw?_n
bweSt!1s@\k
pc7;X,9;r|vo~%i\MoF?!9ﳎy~
'Li8űz7112fB3y(F212/UCEo~{_j	9%|+O^[9=q"1&]Zȵ1aloLVAγ\]ۃ?O6o8^<	fn*kىeUg>P=Tבo|k}Q/4|;jQ,ALóQ/)Z\8ݴF'o~߻Xo=@crAπ:goxբL)͓ŦLI'@G87Zqo:4rtsVX/FӱZjb95 ^pxiƃcݿp3eYZ8QR/?_ifO34[4ȥ[~sG'^^zݘxubE	4g@8ϦMܕkbf`,/wj;߀Qyk[ty^__6C9u9o'~K`%\Qӯ.aR-_"=K\QfpIDEyً2tw>ê?GZFtS_w.-͐?Y%1J-}?y綞:Nd}To1b7878-.uo=a(p#?ZiUl\Ӧ7N+oN{ΐٙeMq{&	׃+e]dY,l?F.٘'羃gGΎn}+)mيg[rÖXpa>:sy%[οpώ!S`=2U.4nRafV/yYb,?"[^{qQ2ƿEqrCͻH4Om>?]L n鯥Bo^\n*[
~0˲Vy,V]PU^=޸(xZ
h'\vm8=2fe3diz9%pJSvzIO84&<^O? 4~)I֯÷9&Z6zZ
Y\gٺp	,wmqC\,r%>&k\zc$-Dlи hpNWJgma>Kdθ;CK&f_ǫcG^D{5ǝ13ȯ|}&V3
(y!	LLb7'hE<^<\Cs	޷;Z1ejO/
"1|}}H'tn0{8@ld,-cyF?T9gp>ohZ|y17$9T4cBXn'm{ӧ]u,sIp;ЏdU_F2,䙼`*B˰g2,פC't89*).2fB3˙zʙzJxLr6󶦉
&y[٬=rV$o]ªc7n.,ǜ7Z?jಥs=ݮ/w/oǚo]>̫ȯڕron5]_vsd>9/H[ߜM3}o¸"/~߽ͩ}TXϷӗ+]d.l3;0I6>[S$ru!ǼY_:?ӟwMN'{O'ŭ=I>d\Esa._}kE^	Ӈfs@ЅusfzCԗfz.QcgszO>/AU|_,
q޼!08lyYH5_KW Ǩ'aazw6>rXr\lOa1.--ΌKׇa 2l<u1yyzbrKx'}γ֟'4XNT\Afti]<#mu8v3?anr+aJgJ;qa뻁Ptrn \K7J&cssm&CBJ*u,[ٱ.ywv@aݻMQx}s/h0䂩n- >"5)?,Q˜=u6L}N[a2{E\BZs}wrCI?#Dvϟg.b_;_
νaRN6Й=m'lOF*8wN%;^y\n}1LLپ:~z2>:631tz/ov2i49S]ҪXoܳ~
rpYR2NF%UՁg'sTU^&lKs)R;O`q%KNlj[(D;dI9Uˡd-%wsPMdM5F?s?ٝUV&.FS*DE	dZiBQ^Xu(GTBaJUdjqPY)IP&lӲAhרY.%w]62$yYZH5R@RMZHL>qH%i']DY:mU}\J|0Tb	J
٥JVHP.mIyew,ꊣJ,!Xu]pjͪGa}`i%/D	8LB	-l93%I]֊lDYw+ZU`Jl%8&6$%+R VL6ےPd5)ډBDA	L)όHyRzG-M:DS	o5ʦVA.evA,r.@-ov[獁|p)c=µ4^.A#RY}& URpEH}9.wLԀMȖ6E.vi6XE!Z*EbdA^ApH&!ɝKxX! o3JA!NOjGh|k6[
J6M!n4Q15HA
Z'3BXIRMG:OyUx	蚵JlKP(ih		4!j(v"2kc@W|-;(e.xN;>PLgZNq
+ȕ ֚dPvP%EB]BR)I)gPLjР
R>AE.d	M30UI(Z5XݥeȟV(V֔uIB+R;	A~ eKUjz0֠P,j`N%P`	!p>r1#v	z2W'+Pībr竆QQ@o+sPqڹ^&2"@\\(g(E;1U#
0TiJf04eӦe){		l!.p!@
Q`,t"Dv(27s&Gh̥РR"Ș Ebd4+<I5՜[6pKAp+CJ&<`b
Hε(pXQƱ%R
Zo	Y.&?S2rȔ
Ap
OAhU=L2N'{@p/7'$BC(|SJ)C`y:!@H2Wj?^aT#u&"BP̢jQEZ
=pI('QND9rV!
yQ0o15	6#pc'YGi@ӒgA4Ep-+p
-պ8(:;ZZ-t1E'rE<8t *NZ%L*%]BI
oC|U48q9 #ltsxl@\K5SpuF,i
tIŨԵms:7
8hVivj1srxcbaWrx	D@(]X@*	Zqh9j%kk`mhjؘ3uHR^x+vՠOFTϾ'?rQxI12@{DHqiy7:вըSsǹt	P
Aɢ=/CnƘhϿ}WÜͼC>oUyx)`tk$*^_KQҩ"nszrvhVkq`PŚbX񦈁w]Zj*DYjZ*/’C5Eed16ViJIJާy~^wj|zQ6kD"+RB}lf-Zw=(|+*Sn胓bz>^bɄ(EZdK!Fk|z講0::TUHajaD9H
2`e*I+oTp(F3
MSuV=2)Y^9,ϥhCv /6R:tV=>
.Tl*6d1줤ή`WYhDUSZݚVz.Yv=,sҷ`JPI|.}}8Gζb[TuږMVQ[[qmYw}#+2ɐI\k݃kdR!Q"}##pEYhFVu^#5\Tx7ӖiCA򦰾rdln6R!C
!{K-9XE$l#;+oY2騛ZU][;z
vq`k*ADT#DQh
=̇;7V+Z9]kEQDgryRL2Z(˜o箎VOTgrDte+PE
rا\9WSֺRFrh(1PXzYdZd-jrB)Њs9\,|8%w~F
=|T@-
,մj֧CFӦB\w&:{B&wnٯnO/)KeKDeO%MSK|JbO伋بkVf<	vR\'[uALub4Fp{?a28޿^T>q^kX?ȡx[JsY168Ӥx0@
[ijs[ѥ[ZgosՎ-߲U
qFTZ}B7ؗg>NwC[+KTvJb.	a%DcN^zDZt&i/|E(ʛjb)RIfI9BD`a'tT]T>e4^H)NF	+OZDBڌʐ
DJxeuPu+	$#^Db,%"24xXBsU:8PBeDH,Rpb)uZ&]#F^II.3C}RV
8p"<*?~"d{>”f8o_|;mV+^ldr>Zц(dc=ćT
𑏂d8.GʷZrTf=@_uiZAjP(JTMNBq	2fd?L^9z  mP2tI^uym[ܷP'ô!WFpUb-DB4wÌ>6#N,ޡ>̲dSN-F2:B|:dSĩ؄	u_M(BbT4H7?)>cW}Y`vj7(F8@`!GMT68kEC_G,k5뚇vX}fC>豺Y#O^l5~tMh$iöCnO:{QRhS|p#>nO|Ơ%Wh7q|Vh[BfagM6XZq_s:AEi8|jvv
0	N+aE d4^UH+5=RU[P}~5XoIzL4;z&V:[*A$eKq-i6+H2(LtsY4A7<|>%PIq0Pr]Cd/+X>RF[	cPbmO=)9~Q`[l*&oM9D섛sZU+u2S9Sd)bxBFq^G|DC ՎI9JLviGN߳˩*܎qi0:d4BN7%D%	|9\]ӵd_'ywCHŧYK&&XXXu	EUm
^9.ltVǘ0ZF#"L>K
ʘयѷj!Ni+ԉUf(
9ZE-#*RjӞغĪ\UMdaSjImͦE%^؉5W.JZ8UBr*')50Kl-uÂNX)>ܼU\X3@,dmX72~)*rrdLxؼdc"3_Ǒ*&'ΐ
	$>*W4J
R긷~ivB@igEMOLydZá:6okq˧i-GYB}v5dӔ(K]YfmBɼKw\.3nOiTXzգAE*s[/[M>{њM:hT2Tfk4묫NT*hey@BR|3hNqX4dQx>'M^=Ax:HV~TZ3P"_ESI"p[	xU p>`.\dRD[
g(ug|rIe+$?$n1-هJ}D!&+#hL9`1dMKYN^-T 
Si"Ub3fQobDM$M!'!=QEo	.4WM:F/MMCjAU>hH¹>d-AڞK*OZ-"fs
oYxTId]vea|7oxPƅ,6UFV6Xso	QiQsꬎIX	Uӓ;F%j.*[/JV|-\-0%Gk[ZԜ0Z>xJ-$*$x"nԋ,mvnh4t!QgQ
MJJjifMaeκ&|&y+pmÖׇ@ŵ2d
EH)t8TP(uXN&i)(s8`QDA-o޼󂌦C7kj"%Yq̃E<7Ǟ(kUU8j%G
oK7j
FęC{`klQ3g-zw3XNlN=5h'8r-x+ɶWߙ&"Qs:O-$\˼BlR3UjsaP.xʇ^SZv6p2
rx~!p)D)œ)Uxe>n EA4&1lM_sZ')yIk*:Dxsf>_K7IFːY+¸ѷyB'WcѲ̛ú]:&Tu3]9б$r>I*${Im upcu8שf2>F8> ZKdI.i϶mC,{"\T"W	$X>=b/Sp8Ee>F6'9C/2C/#X^fبu?MyH|Pi"V]i)6:}i%kHR+pXq<$uJ3_U#2Ŋ܆#zACG$t) &'LaH4#
nqJ7'/TIx۱&-E-*C^DHSwdb~R<އNh;:&LJ0Hu699KC
l	Ěyd4
[S4[{hVˡRf>'kEhCAV7
/	^	bR#'G>ȷ,
4DDos'|SЂO%!A9$-0xp?]"$
M
0KsPje$Ea	/U|P&5C#D
V j14'~z|R:K^낿:(@r'=jUt5Q*xkmN&H	T%\OŎW@$a5=Vl_UTyO+fLwq^hׂpAy+Zǝ~/gbrW=rv^'SYݦDq}[t%pC!!$0E}r۵j0IO}p35
#u&vb+y-!A֢Q]Ԣ)oa1礪͸3*rwy&8|d=G(Mr͊HG+V-h}
c_ޘoh)d6Cw"z롡ɫhp2J-
J--"A<ڤ?ǝh9$$<4t_68:V;UmZIeرcޗݔ܍VQkQF1$f-fAyKs%Mj:oUڨn/l&Ӡ&ͨ.Z/䙍їjHBDuU^Dwwhy3-1.6.0/examples/multiprecision/tests.c000066400000000000000000001051511440160026300206010ustar00rootroot00000000000000#include 
#include 
#include 
#include 
#include 
#include 
#include 
#include 

#if defined(TEST_GMP) || defined(TEST_WHY3) || defined(TEST_MINIGMP)
#define BENCH
#if !(defined(TEST_ADD) || defined(TEST_MUL) || defined(TEST_TOOMB) || defined(TEST_TOOMM) || defined(TEST_TOOMU) || defined(TEST_DIV) || defined(TEST_SQRT1) || defined(TEST_SQRTREM) || defined(TEST_POWM) || defined(TEST_ZADD) || defined(TEST_ZSUB) || defined(TEST_ZMUL) || defined(TEST_ZDIV) || defined (TEST_ZGETSET) || defined(TEST_MILLERRABIN))
#error "missing TEST_foo macro definition"
#endif //no TEST_OP
#else //no TEST_LIB
#define COMPARE
#define TEST_WHY3
#ifdef COMPARE_MINI
#define TEST_MINIGMP
#else //MINI
#define TEST_GMP
#endif //MINI
#define TEST_ADD
#define TEST_MUL
#define TEST_TOOMB
#define TEST_TOOMM
#define TEST_TOOMU
#define TEST_DIV
#define TEST_SQRT1
#define TEST_SQRTREM
#define TEST_POWM
#define TEST_ZADD
#define TEST_ZSUB
#define TEST_ZMUL
#define TEST_ZDIV
#define TEST_ZGETSET
#ifndef COMPARE_MINI
#define TEST_MILLERRABIN
#endif
#endif

#ifdef TEST_MINIGMP
#include "mini-gmp.c"
#else
#include 
extern void __gmpn_powm (mp_ptr, mp_srcptr, mp_size_t, mp_srcptr, mp_size_t,
                      mp_srcptr, mp_size_t, mp_ptr);
#endif

#define SIZ(x) ((x)->_mp_size)
#define ABSIZ(x) ABS (SIZ (x))
#define PTR(x) ((x)->_mp_d)
#define ALLOC(x) ((x)->_mp_alloc)

#include "wmp.h"

extern wmp_limb_t sqrt1(wmp_ptr, wmp_limb_t);
extern void normalize(wmp_ptr, wmp_size_t*);

#include "mt19937-64.c"

#define TMP_ALLOC_LIMBS(n) (mp_ptr)malloc((n) * 8)

void mpn_dump(mp_ptr ap, mp_size_t an) {
  for (mp_size_t i = 0; i != an; ++i)
    printf("%016lx ", ap[i]);
  printf("\n");
}

void init_valid (mp_ptr ap, mp_ptr bp, mp_size_t an, mp_size_t bn) {
  for (int i = 0; i < an; i++)
    ap[i] = genrand64_int64();
  for (int i = 0; i < bn; i++)
    bp[i] = genrand64_int64();
  while (bp[bn-1]==0)
    bp[bn-1] = genrand64_int64();
  return;
}

void init_mpz_1 (mpz_ptr a, mp_size_t an) {
  mp_ptr ap = mpz_realloc(a, an);
  for (int i = 0; i < an; i++)
    ap[i] = genrand64_int64();
  while (ap[an-1]<1)
    ap[an-1] = genrand64_int64();
  SIZ(a) = genrand64_int64() & 1 ? an : - an;
  return;
}

void init_valid_1(mp_ptr ap, mp_size_t an) {
  for (int i = 0; i < an; i++)
    ap[i] = genrand64_int64();
  while (ap[an-1]<2)
    ap[an-1] = genrand64_int64();
  return;
}

void compare_mpz (mpz_ptr u, mpz_ptr v, mpz_ptr w, mpz_ptr refw) {
  mp_size_t an, bn;
  if (mpz_cmp(w, refw))
    {
      an = abs (SIZ(u));
      bn = abs (SIZ(v));
      printf ("ERROR, an = %d, bn = %d\n", (int) an, (int) bn);
      printf ("a: "); mpn_dump (PTR(u), an);
      printf ("b: "); mpn_dump (PTR(v), bn);
      printf ("r:   "); mpn_dump (PTR(w), abs (SIZ(w)));
      printf ("ref: "); mpn_dump (PTR(refw), abs (SIZ(refw)));
      abort();
    }
}

#ifdef TEST_MILLERRABIN
#ifdef TEST_WHY3
void wmpz_powm (mpz_ptr r, mpz_ptr b, mpz_ptr e, mpz_ptr m) {
  mp_ptr rp, tp;
  mp_ptr bp, ep, mp;
  int32_t es = SIZ(e);
  int32_t n = SIZ(m);
  int cnt;
  int32_t rn, bn, en, itch;
  mpz_t new_b;
  mp = PTR(m);
  //ASSUME: e > 0
  //ASSUME: m odd
  //ASSUME: m > 0
  //ASSUME: b >= 0
  if (es == 0)
    {
      SIZ(r) = n != 1 || mp[0] != 1;
      PTR(r)[0] = 1;
      return;
    }
  bn = SIZ(b);
  if (bn == 0)
    {
      SIZ(r) = 0;
      return;
    }
  ep = PTR(e);
  en = es;
  if (en == 1 && ep[0] == 1)
    {
      rp = alloca (n * sizeof(uint64_t));
      bp = PTR(b);
      if (bn >= n)
        {
          mp_ptr qp = alloca ((bn - n + 1) * sizeof(uint64_t));
          wmpn_tdiv_qr (qp, rp, 0L, bp, bn, mp, n);
          rn = n;
          normalize (rp, &rn);
        }
      else
        {
          wmpn_copyi (rp, bp, bn);
          rn = bn;
        }
      goto ret;
    }
  tp = alloca (3*n * sizeof(uint64_t));
  rp = tp;
  tp += n;
  bp = PTR (b);
  //  printf ("bn %d en %d n %d\n", bn, en, n);
  wmpn_powm (rp, bp, bn, ep, en, mp, n, tp);
  rn = n;
  normalize (rp, &rn);
 ret:
  wmpz_realloc(r, rn);
  SIZ(r) = rn;
  wmpn_copyi (PTR(r), rp, rn);
  //  printf ("%d\n", rn);
}
#else
#define wmpz_powm mpz_powm
#define wmpn_mul_n mpn_mul_n
#ifdef TEST_GMP
#define wmpn_tdiv_qr(q, r, qxn, x, sx, y, sy) \
  mpn_tdiv_qr(q, r, qxn, x, sx, y, sy)
#else
//FIXME can we avoid a copy?
#define wmpn_tdiv_qr(q, r, qxn, x, sx, y, sy)    \
do {                                             \
  mpn_div_qr(q, x, sx, y, sy);                   \
  mpn_copyi(r,x,sy);                             \
 } while (0)
#endif
#define wmpz_cmp mpz_cmp
#define wmpz_cmp_ui mpz_cmp_ui
#define wmpz_set_ui mpz_set_ui
#define wmpz_tdiv_q_2exp mpz_tdiv_q_2exp
#define wmpz_add_ui mpz_add_ui
#define wmpz_sub_ui mpz_sub_ui
#define wmpz_realloc mpz_realloc
#define normalize(DST, NLIMBS) \
  do {                                                                  \
    while (*(NLIMBS) > 0)                                               \
      {                                                                 \
        if ((DST)[*(NLIMBS) - 1] != 0)                                  \
          break;                                                        \
        (*(NLIMBS))--;                                                  \
      }                                                                 \
  } while (0)

#endif

void sqrmod (mp_ptr qp, mp_ptr tp, mpz_ptr y, mpz_ptr n)
{
  int32_t yn, nn;
  mp_ptr yp, np;
  yn = SIZ(y);
  nn = SIZ(n);
  yp = PTR(y);
  np = PTR(n);
  wmpn_mul_n(tp, yp, yp, yn);
  wmpn_tdiv_qr(qp, yp, 0, tp, 2 * yn, np, nn);
  yn = nn;
  normalize(yp, &yn);
  wmpz_realloc(y, yn);
  SIZ(y) = yn;
}

static int do_millerrabin (mpz_ptr n, mpz_ptr nm1, mpz_ptr x, mpz_ptr y,
                           mpz_ptr q, unsigned long int k,
                           mp_ptr qp, mp_ptr tp)
{
  wmpz_powm (y,x,q,n);
  if (wmpz_cmp_ui (y, 1L) == 0 || wmpz_cmp (y, nm1) == 0)
    return 1;
  for (unsigned long int i = 1; i < k; i++)
    {
      sqrmod (qp, tp, y, n);
      // mpz_powm_ui(y,2,n);
      if (wmpz_cmp (y, nm1) == 0)
        return 1;
      if (wmpz_cmp_ui (y, 1L) <= 0)
        return 0;
    }
  return 0;
}

#define MPZ_TMP_INIT(X, NLIMBS)						\
  do {									\
    mpz_ptr __x = (X);							\
    __x->_mp_alloc = (NLIMBS);						\
    __x->_mp_d = TMP_ALLOC_LIMBS (NLIMBS);				\
  } while (0)

void urandomm (mpz_t a, mpz_t upper)
{
  mp_ptr ap, up;
  mp_size_t un;
  uint64_t um;
  int cnt;
  un = SIZ(upper);
  wmpz_realloc (a, un);
  ap = PTR(a);
  up = PTR(upper);
  for (int i = 0; i < un; i++) {
    ap[i] = genrand64_int64();
  }
  um = up[un-1];
  if (um <= 1)
    {
      SIZ(a) = un - 1;
      return;
    }
  cnt = __builtin_clz(up[un-1]);
  ap[un-1] >>= cnt;
  while (ap[un-1] >= um || ap[un-1] == 0) {
    ap[un-1] = genrand64_int64();
    ap[un-1] >>= cnt;
  }
  SIZ(a) = un;
}

static int wmpz_millerrabin (mpz_ptr n, int reps)
{
  int r = 0;
  mpz_t nm1, nm3, x, y, q;
  mp_ptr qp, tp;
  unsigned long int k;
  int is_prime;
  //  printf ("%d\n", SIZ(n));
  MPZ_TMP_INIT(nm1,SIZ(n)+1);
  wmpz_sub_ui (nm1, n, 1L);

  MPZ_TMP_INIT(x, SIZ(n)+1);
  MPZ_TMP_INIT(y, SIZ(n)+1); //TODO check

  //ASSUME n > 0
  //ASSUME n odd

  wmpz_set_ui (x, 210L);
  wmpz_powm (y, x, nm1, n);

  if (wmpz_cmp_ui (y, 1L) != 0)
    {
      return 0;
    }

  MPZ_TMP_INIT(q, SIZ(n));
  k = mpz_scan1 (nm1, 0L);
  wmpz_tdiv_q_2exp (q, nm1, k);

  MPZ_TMP_INIT (nm3, SIZ(n) + 1);
  wmpz_sub_ui (nm3, n, 3L);

  is_prime = 1;
  qp = alloca ((SIZ(n) + 1) * sizeof(uint64_t));
  tp = alloca ((2 * SIZ(n)) * sizeof(uint64_t));
  for (r = 0; r < reps && is_prime; r++)
    {
      /* 2 to n-2 inclusive, don't want 1, 0 or -1 */
      urandomm (x, nm3);
      wmpz_add_ui (x, x, 2L);
      is_prime = do_millerrabin(n, nm1, x, y, q, k, qp, tp);
    }
 ret:
  //  if (r > 0) printf ("%d reps done", r);
  return is_prime;
}

void mr_candidate (mpz_t c, int len) {
  init_mpz_1(c, len);
  SIZ(c) = abs (SIZ(c));
  mpz_setbit (c, 0);
}

#endif //TEST_MILLERRABIN

int main () {
  mp_ptr ap, bp, rp, refp, rq, rr, refq, refr, ep, rep, mp, tp;
  mp_size_t max_n, max_add, max_mul, max_toom, max_div, max_sqrt, max_powm,
    max_getset, an, bn, rn, cn;
  mpz_t q, r, u, v, w, refzq, refzr, refw, cp;
  int nb, nb_iter, base;
  char * sp, * refsp;
  double elapsed, elapsed2, duration;
  mpz_init(cp);
  mpz_init(u);
  mpz_init(v);
  mpz_init(w);
  mpz_init(refw);
  mpz_init(q);
  mpz_init(refzq);
  mpz_init(r);
  mpz_init(refzr);
#ifdef BENCH
  struct timeval begin, end;
#endif
  uint64_t a, c, refc;

  //TMP_DECL;
  //TMP_MARK;

  //tests_start ();
  //TESTS_REPS (reps, argv, argc);


  //gmp_randseed_ui(rands, 42);
  /* Re-interpret reps argument as a size argument.  */

#ifdef BENCH
  init_genrand64(0);
#else
  init_genrand64((unsigned long long)time(NULL));
#endif
  max_n = 100000;
  max_add = 50;
  max_mul = 20;
  max_toom = 95;
  max_div = 20;
  max_sqrt = 95;
  max_powm = 50;
  max_getset = 50;

  ap = TMP_ALLOC_LIMBS (max_n + 1);
  bp = TMP_ALLOC_LIMBS (max_n + 1);
  /* nap = TMP_ALLOC_LIMBS (max_n + 1); */
  /* nbp = TMP_ALLOC_LIMBS (max_n + 1); */
  rp = TMP_ALLOC_LIMBS (2 * max_n);
  refp = TMP_ALLOC_LIMBS (2 * max_n);
  rq = TMP_ALLOC_LIMBS (max_n + 1);
  rr = TMP_ALLOC_LIMBS (max_n + 1);
  refq = TMP_ALLOC_LIMBS (max_n + 1);
  refr = TMP_ALLOC_LIMBS (max_n + 1);
  tp = TMP_ALLOC_LIMBS(2 * max_n);
  ep = TMP_ALLOC_LIMBS(max_n + 1);
  mp = TMP_ALLOC_LIMBS(max_n + 1);
  sp = malloc (max_getset * 64);
  refsp = malloc (max_getset * 64);

#ifdef TEST_ADD
#ifdef BENCH
  printf ("#an bn t(µs)\n");
#endif
  for (an = 2; an <= max_add; an += 1)
    {
      for (bn = 1; bn <= an; bn += 1)
        {
          elapsed = 0;
          nb_iter = 1000;
          for (int iter = 0; iter != nb_iter; ++iter) {
            init_valid (ap, bp, an, bn);
            nb = 10000 / an;
#ifdef BENCH
            gettimeofday(&begin, NULL);
            for (int i = 0; i != nb; ++i)
              {
#endif

#if defined(TEST_GMP) || defined(TEST_MINIGMP)
            refc = mpn_add (refp, ap, an, bp, bn);
#endif
#ifdef TEST_WHY3
            c = wmpn_add (rp, ap, an, bp, bn);
#endif

#ifdef BENCH
              }
            gettimeofday(&end, NULL);
            elapsed +=
            (end.tv_sec - begin.tv_sec) * 1000000.0
            + (end.tv_usec - begin.tv_usec);
#endif
          }
          elapsed = elapsed / (nb * nb_iter);
#ifdef BENCH
          printf ("%d %d %g\n", (int)an, (int)bn, elapsed);
          if (an==bn)
            printf ("\n"); //for gnuplot
#endif
#ifdef COMPARE
          rn = an;
          if (mpn_cmp (refp, rp, rn))
            {
              printf ("ERROR, an = %d, bn = %d, rn = %d\n",
                      (int) an, (int) bn, (int) rn);
              printf ("a: "); mpn_dump (ap, an);
              printf ("b: "); mpn_dump (bp, bn);
              printf ("r:   "); mpn_dump (rp, rn);
              printf ("ref: "); mpn_dump (refp, rn);
              abort();
            }
          if (c != refc)
            {
              printf ("ERROR, an = %d, bn = %d, rn = %d\n",
                      (int) an, (int) bn, (int) rn);
              printf ("a: "); mpn_dump (ap, an);
              printf ("b: "); mpn_dump (bp, bn);
              printf ("c:    %016lx\n", c);
              printf ("refc: %016lx\n", refc);
              abort();
            }
#endif
        }
    }
#ifdef COMPARE
  printf ("addition ok\n");
#endif
#endif
#ifdef TEST_MUL
#ifdef BENCH
  printf ("#an bn t(µs)\n");
#endif
  for (an = 2; an <= max_mul; an += 1)
    {
      for (bn = 1; bn <= an; bn += 1)
        {
          elapsed = 0;
          nb_iter = 500;
          for (int iter = 0; iter != nb_iter; ++iter) {
            init_valid (ap, bp, an, bn);
            nb = 5000 / an;
#ifdef BENCH
            gettimeofday(&begin, NULL);
            for (int i = 0; i != nb; ++i)
              {
#endif
#if defined(TEST_GMP) || defined(TEST_MINIGMP)
            mpn_mul (refp, ap, an, bp, bn);
#endif
#ifdef TEST_WHY3
            wmpn_mul (rp, ap, an, bp, bn);
#endif

#ifdef BENCH
              }
            gettimeofday(&end, NULL);
            elapsed +=
            (end.tv_sec - begin.tv_sec) * 1000000.0
            + (end.tv_usec - begin.tv_usec);
#endif
          }
          elapsed = elapsed / (nb * nb_iter);
#ifdef BENCH
          printf ("%d %d %g\n", (int)an, (int)bn, elapsed);
          if (an==bn)
            printf ("\n"); //for gnuplot
#endif
#ifdef COMPARE
          rn = an + bn;
          if (mpn_cmp (refp, rp, rn))
            {
              printf ("ERROR, an = %d, bn = %d, rn = %d\n",
                      (int) an, (int) bn, (int) rn);
              printf ("a: "); mpn_dump (ap, an);
              printf ("b: "); mpn_dump (bp, bn);
              printf ("r:   "); mpn_dump (rp, rn);
              printf ("ref: "); mpn_dump (refp, rn);
              abort();
            }
#endif
        }
    }
#ifdef COMPARE
  printf ("multiplication ok\n");
#endif
#endif

#ifdef TEST_TOOMB
#ifdef BENCH
  printf ("#an bn t(µs)\n");
#endif

  for (bn = 5; bn <= max_toom * 10; bn = (int)ceil(bn * 1.1))
    {
      //mp_ptr ws = TMP_ALLOC_LIMBS(9 * bn / 2 + 32);
      //an = (bn * 3) / 2;
      an = bn;
      elapsed = 0;
      nb_iter = 500;
      for (int iter = 0; iter != nb_iter; ++iter) {
        init_valid (ap, bp, an, bn);
        nb = 5000 / bn;
#ifdef BENCH
        gettimeofday(&begin, NULL);
        for (int i = 0, maxi = nb; i != maxi; ++i)
          {
#endif
#if defined(TEST_GMP) || defined(TEST_MINIGMP)
            mpn_mul (refp, ap, an, bp, bn);
#endif
#ifdef TEST_WHY3
            wmpn_mul (rp, ap, an, bp, bn);
#endif

#ifdef BENCH
          }
        gettimeofday(&end, NULL);
        elapsed +=
          (end.tv_sec - begin.tv_sec) * 1000000.0
          + (end.tv_usec - begin.tv_usec);
#endif
      }
      elapsed = elapsed / (nb * nb_iter);
#ifdef BENCH
      printf ("%d %d %g\n", (int)an, (int)bn, elapsed);
#endif
#ifdef COMPARE
      rn = an + bn;
      if (mpn_cmp (refp, rp, rn))
        {
          printf ("ERROR, an = %d, bn = %d, rn = %d\n",
                  (int) an, (int) bn, (int) rn);
          printf ("a: "); mpn_dump (ap, an);
          printf ("b: "); mpn_dump (bp, bn);
          printf ("r:   "); mpn_dump (rp, rn);
          printf ("ref: "); mpn_dump (refp, rn);
          abort();
        }
#endif
      //free(ws);
    }
#ifdef COMPARE
  printf ("balanced toom ok\n");
#endif
#endif //TOOMB

#ifdef TEST_TOOMM
#ifdef BENCH
  printf ("#an bn t(µs)\n");
#endif

  for (bn = 5; bn <= max_toom * 5; bn = (int)ceil(bn * 1.1))
    {
      //mp_ptr ws = TMP_ALLOC_LIMBS(9 * bn / 2 + 32);
      //an = (bn * 3) / 2;
      an = 6 * bn;
      elapsed = 0;
      nb_iter = 300;
      for (int iter = 0; iter != nb_iter; ++iter) {
        init_valid (ap, bp, an, bn);
        nb = 5000 / bn;
#ifdef BENCH
        gettimeofday(&begin, NULL);
        for (int i = 0, maxi = nb; i != maxi; ++i)
          {
#endif
#if defined(TEST_GMP) || defined(TEST_MINIGMP)
            mpn_mul (refp, ap, an, bp, bn);
#endif
#ifdef TEST_WHY3
            wmpn_mul (rp, ap, an, bp, bn);
#endif

#ifdef BENCH
          }
        gettimeofday(&end, NULL);
        elapsed +=
          (end.tv_sec - begin.tv_sec) * 1000000.0
          + (end.tv_usec - begin.tv_usec);
#endif
      }
      elapsed = elapsed / (nb * nb_iter);
#ifdef BENCH
      printf ("%d %d %g\n", (int)an, (int)bn, elapsed);
#endif
#ifdef COMPARE
      rn = an + bn;
      if (mpn_cmp (refp, rp, rn))
        {
          printf ("ERROR, an = %d, bn = %d, rn = %d\n",
                  (int) an, (int) bn, (int) rn);
          printf ("a: "); mpn_dump (ap, an);
          printf ("b: "); mpn_dump (bp, bn);
          printf ("r:   "); mpn_dump (rp, rn);
          printf ("ref: "); mpn_dump (refp, rn);
          abort();
        }
#endif
      //free(ws);
    }
#ifdef COMPARE
  printf ("medium toom ok\n");
#endif
#endif //TOOMM

#ifdef TEST_TOOMU
#ifdef BENCH
  printf ("#an bn t(µs)\n");
#endif

  for (bn = 5; bn <= max_toom * 5 ;bn = (int)ceil(bn * 1.1))
    {
      //mp_ptr ws = TMP_ALLOC_LIMBS(9 * bn / 2 + 32);
      //an = (bn * 3) / 2;
      an = 24 * bn;
      elapsed = 0;
      nb_iter = 100;
      for (int iter = 0; iter != nb_iter; ++iter) {
        init_valid (ap, bp, an, bn);
        nb = 5000 / bn;
#ifdef BENCH
        gettimeofday(&begin, NULL);
        for (int i = 0, maxi = nb; i != maxi; ++i)
          {
#endif
#if defined(TEST_GMP) || defined(TEST_MINIGMP)
            mpn_mul (refp, ap, an, bp, bn);
#endif
#ifdef TEST_WHY3
            wmpn_mul (rp, ap, an, bp, bn);
#endif

#ifdef BENCH
          }
        gettimeofday(&end, NULL);
        elapsed +=
          (end.tv_sec - begin.tv_sec) * 1000000.0
          + (end.tv_usec - begin.tv_usec);
#endif
      }
      elapsed = elapsed / (nb * nb_iter);
#ifdef BENCH
      printf ("%d %d %g\n", (int)an, (int)bn, elapsed);
#endif
#ifdef COMPARE
      rn = an + bn;
      if (mpn_cmp (refp, rp, rn))
        {
          printf ("ERROR, an = %d, bn = %d, rn = %d\n",
                  (int) an, (int) bn, (int) rn);
          printf ("a: "); mpn_dump (ap, an);
          printf ("b: "); mpn_dump (bp, bn);
          printf ("r:   "); mpn_dump (rp, rn);
          printf ("ref: "); mpn_dump (refp, rn);
          abort();
        }
#endif
      //free(ws);
    }
#ifdef COMPARE
  printf ("unbalanced toom ok\n");
#endif
#endif //TOOMU

#ifdef TEST_DIV
#ifdef BENCH
  printf ("#an bn t(µs) dt(µs)\n");
#endif
  for (an = 2; an <= max_div; an += 1)
    {
      for (bn = 1; bn <= an; bn += 1)
        {
          elapsed = 0;
          elapsed2 = 0;
          nb_iter = 1000;
          for (int iter = 0; iter != nb_iter; ++iter) {
            init_valid (ap, bp, an, bn);
#ifdef TEST_MINIGMP
            mpn_copyi(refr, ap, an);
#endif
            nb = 1500 / an;
#ifdef BENCH
            gettimeofday(&begin, NULL);
            for (int i = 0; i != nb; ++i)
              {
#endif
#ifdef TEST_GMP
                mpn_tdiv_qr(refq, refr, 0, ap, an, bp, bn);
#endif
#ifdef TEST_MINIGMP
                mpn_div_qr (refq, refr, an, bp, bn);
#endif
#ifdef TEST_WHY3
                wmpn_tdiv_qr(rq, rr, 0, ap, an, bp, bn);
#endif

#ifdef BENCH
              }
            gettimeofday(&end, NULL);
            duration =
              (end.tv_sec - begin.tv_sec) * 1000000.0
              + (end.tv_usec - begin.tv_usec);
            duration /= nb;
            elapsed += duration;
            elapsed2 += duration * duration;
#endif
          }
          elapsed /= nb_iter;
          elapsed2 /= nb_iter;
#ifdef BENCH
          printf ("%d %d %g %g\n", (int)an, (int)bn, elapsed, sqrt(elapsed2 - elapsed*elapsed));
          if (an==bn)
            printf ("\n\n"); //for gnuplot
#endif
#ifdef COMPARE
            rn = bn;
          if (mpn_cmp (refr, rr, rn))
            {
          printf ("ERROR, an = %d, bn = %d, rn = %d\n",
            (int) an, (int) bn, (int) rn);
          printf ("a: "); mpn_dump (ap, an);
          printf ("b: "); mpn_dump (bp, bn);
          printf ("q:    "); mpn_dump (rq, an-bn+2);
          printf ("refq: "); mpn_dump (refq, an-bn+2);
          printf ("r:    "); mpn_dump (rr, rn);
          printf ("refr: "); mpn_dump (refr, rn);
          abort();
        }
          rn = an - bn + 1;
          if (mpn_cmp (refq, rq, rn))
            {
          printf ("ERROR, an = %d, bn = %d, qn = %d\n",
            (int) an, (int) bn, (int) rn);
          printf ("a: "); mpn_dump (ap, an);
          printf ("b: "); mpn_dump (bp, bn);
          printf ("q:   "); mpn_dump (rq, rn);
          printf ("refq: "); mpn_dump (refq, rn);
          abort();
        }
#endif
        }
        }
#ifdef COMPARE
  printf ("division ok\n");
#endif
#endif // TEST_DIV

#ifdef TEST_SQRT1
#ifdef BENCH
  printf ("#t(s)\n");
#endif
      elapsed = 0;
      an = bn = rn = 1;
      for (int iter = 0; iter != 500; ++iter) {
        init_valid (bp, ap, 1, 1);
        a = *ap;
        if (a < 0x4000000000000000) continue;
#ifdef BENCH
        gettimeofday(&begin, NULL);
        for (int i = 0; i != 100; ++i)
          {
#endif
#if defined(TEST_GMP) || defined(TEST_MINIGMP)
            mpn_sqrtrem (refr, refp, ap, 1);
            refc = *refr;
#endif
#ifdef TEST_WHY3
            c = sqrt1 (rp, a);
#endif

#ifdef BENCH
          }
        gettimeofday(&end, NULL);
        elapsed +=
          (end.tv_sec - begin.tv_sec)
          + ((end.tv_usec - begin.tv_usec)/1000000.0)
        printf ("%g\n", elapsed);
#endif
#ifdef COMPARE
      if (mpn_cmp (refp, rp, rn) || c != refc)
        {
          printf ("ERROR, i=%d\n",
                  (int) iter);
          printf ("a: "); mpn_dump (ap, an);
          printf ("r:   "); mpn_dump (rp, rn);
          printf ("ref: "); mpn_dump (refp, rn);
          printf ("c:    %016lx\n", c);
          printf ("refc: %016lx\n", refc);
          abort();
        }
#endif
    }
#ifdef COMPARE
    printf ("sqrt1 ok\n");
#endif
#endif

#ifdef TEST_SQRTREM
#ifdef BENCH
  printf ("#an t(µs)\n");
#endif
  bn=1;
  for (an = 1; an <= max_sqrt * 15; an = (int)ceil(an * 1.1))
    {
      elapsed = 0;
      nb_iter = 1000;
      for (int iter = 0; iter != nb_iter; ++iter) {
        init_valid (bp, ap, 1, an);
#ifdef TEST_MINIGMP
        mpn_copyi(refr, ap, an);
#endif
#ifdef BENCH
        gettimeofday(&begin, NULL);
        nb = 1500 / an;
        for (int i = 0; i != nb; ++i)
          {
#endif
#if defined(TEST_GMP) || defined(TEST_MINIGMP)
            rn = mpn_sqrtrem(refq, refr, ap, an);
#endif
#ifdef TEST_WHY3
            cn = wmpn_sqrtrem(rq, rr, ap, an);
#endif

#ifdef BENCH
          }
        gettimeofday(&end, NULL);
        elapsed +=
          (end.tv_sec - begin.tv_sec) * 1000000.0
          + (end.tv_usec - begin.tv_usec);
#endif
      }
      elapsed = elapsed / (nb * nb_iter);
#ifdef BENCH
      printf ("%d %g\n", (int)an, elapsed);
#endif
#ifdef COMPARE
      if (cn != rn)
        {
          printf ("ERROR, an = %d, expected rn = %d, actual rn = %d\n",
                  (int) an, (int) rn, (int) cn);
          printf ("a: "); mpn_dump (ap, an);
          printf ("s: "); mpn_dump (rq, (an+1)/2);
          printf ("refs: "); mpn_dump (refq, (an+1)/2);
          printf ("r: "); mpn_dump (rr, cn);
          printf ("refr: "); mpn_dump (refr, rn);
          abort ();
        }
      if (mpn_cmp (refr, rr, rn))
        {
          printf ("ERROR, an = %d, rn = %d\n",
                  (int) an, (int) rn);
          printf ("a: "); mpn_dump (ap, an);
          printf ("s: "); mpn_dump (rq, (an+1)/2);
          printf ("refs: "); mpn_dump (refq, (an+1)/2);
          printf ("r: "); mpn_dump (rr, rn);
          printf ("refr: "); mpn_dump (refr, rn);
          abort();
        }
      if (mpn_cmp (refq, rq, (an+1)/2))
        {
          printf ("ERROR, an = %d, rn = %d\n",
                  (int) an, (int) rn);
          printf ("a: "); mpn_dump (ap, an);
          printf ("s: "); mpn_dump (rq, (an+1)/2);
          printf ("refs: "); mpn_dump (refq, (an+1)/2);
          printf ("r: "); mpn_dump (rr, rn);
          printf ("refr: "); mpn_dump (refr, rn);
          abort();
        }
#endif
    }
#ifdef COMPARE
  printf ("sqrtrem ok\n");
#endif
#endif

#ifdef TEST_POWM
#ifdef TEST_MINIGMP
  printf ("powm not available in mini-GMP\n");
  goto skip;
#endif
#ifdef BENCH
  printf ("#an bn t(µs)\n");
#endif
  for (an = 2; an <= max_powm; an += 5)
    {
      for (rn = 1; rn <= max_powm; rn += 5)
        {
          elapsed = 0;
          nb_iter = 1;
          for (int iter = 0; iter != nb_iter; ++iter) {
            init_valid_1 (ap, an);
            init_valid_1 (ep, an);
            init_valid_1 (tp, 2 * rn);
            init_valid_1 (mp, rn);
            mp[0] |= 1;
            nb = 150 / an;
#ifdef BENCH
            gettimeofday(&begin, NULL);
            for (int i = 0; i != nb; ++i)
              {
#endif
#ifdef TEST_GMP
                __gmpn_powm(refr, ap, an, ep, an, mp, rn, tp);
#endif
#ifdef TEST_WHY3
                wmpn_powm(rr, ap, an, ep, an, mp, rn, tp);
#endif

#ifdef BENCH
              }
            gettimeofday(&end, NULL);
            elapsed +=
              (end.tv_sec - begin.tv_sec) * 1000000.0
              + (end.tv_usec - begin.tv_usec);
#endif
          }
          elapsed = elapsed / (nb * nb_iter);
#ifdef BENCH
          printf ("%d %d %g\n", (int)an, (int)rn, elapsed);
          if (an==rn)
            printf ("\n"); //for gnuplot
#endif
#ifdef COMPARE
          if (mpn_cmp (refr, rr, rn))
            {
          printf ("ERROR, an = %d, rn = %d\n",
            (int) an, (int) rn);
          printf ("b: "); mpn_dump (ap, an);
          printf ("e: "); mpn_dump (ep, an);
          printf ("m: "); mpn_dump (mp, rn);
          printf ("r:    "); mpn_dump (rr, rn);
          printf ("refr: "); mpn_dump (refr, rn);
          abort();
        }
#endif
        }
        }
#ifdef COMPARE
  printf ("powm ok\n");
#endif
 skip:
#endif

#ifdef TEST_ZADD
#ifdef BENCH
  printf ("#an bn t(µs)\n");
#endif
  for (an = 2; an <= max_add; an += 1)
    {
      for (bn = 1; bn <= an; bn += 1)
        {
          elapsed = 0;
          nb_iter = 1000;
          for (int iter = 0; iter != nb_iter; ++iter) {
            init_mpz_1 (u, an);
            init_mpz_1 (v, bn);
            mpz_realloc (w, an+1);
            mpz_realloc (refw, an+1);
            nb = 10000 / an;
#ifdef BENCH
            gettimeofday(&begin, NULL);
            for (int i = 0; i != nb; ++i)
              {
#endif

#if defined(TEST_GMP) || defined(TEST_MINIGMP)
            mpz_add (refw, u, v);
#endif
#ifdef TEST_WHY3
            wmpz_add (w, u, v);
#endif

#ifdef BENCH
              }
            gettimeofday(&end, NULL);
            elapsed +=
            (end.tv_sec - begin.tv_sec) * 1000000.0
            + (end.tv_usec - begin.tv_usec);
#endif
          }
          elapsed = elapsed / (nb * nb_iter);
#ifdef BENCH
          printf ("%d %d %g\n", (int)an, (int)bn, elapsed);
          if (an==bn)
            printf ("\n"); //for gnuplot
#endif
#ifdef COMPARE
          compare_mpz (u, v, w, refw);
          mpz_add (refw, u, u);
          wmpz_add (w, u, u);
          compare_mpz (u, u, w, refw);
          mpz_set(w,u);
          mpz_set (refw, u);
          mpz_add (refw, refw, v);
          wmpz_add (w, w, v);
          compare_mpz (w,v,w,refw);
          mpz_set(w,v);
          mpz_set (refw, v);
          mpz_add (refw, u, refw);
          wmpz_add (w, u, w);
          compare_mpz (u,w,w,refw);
#endif
        }
    }
#ifdef COMPARE
  printf ("mpz addition ok\n");
#endif
#endif


#ifdef TEST_ZSUB
#ifdef BENCH
  printf ("#an bn t(µs)\n");
#endif
  for (an = 2; an <= max_add; an += 1)
    {
      for (bn = 1; bn <= an; bn += 1)
        {
          elapsed = 0;
          nb_iter = 1000;
          for (int iter = 0; iter != nb_iter; ++iter) {
            init_mpz_1 (u, an);
            init_mpz_1 (v, bn);
            mpz_realloc (w, an+1);
            mpz_realloc (refw, an+1);
            nb = 10000 / an;
#ifdef BENCH
            gettimeofday(&begin, NULL);
            for (int i = 0; i != nb; ++i)
              {
#endif

#if defined(TEST_GMP) || defined(TEST_MINIGMP)
            mpz_sub (refw, u, v);
#endif
#ifdef TEST_WHY3
            wmpz_sub (w, u, v);
#endif

#ifdef BENCH
              }
            gettimeofday(&end, NULL);
            elapsed +=
            (end.tv_sec - begin.tv_sec) * 1000000.0
            + (end.tv_usec - begin.tv_usec);
#endif
          }
          elapsed = elapsed / (nb * nb_iter);
#ifdef BENCH
          printf ("%d %d %g\n", (int)an, (int)bn, elapsed);
          if (an==bn)
            printf ("\n"); //for gnuplot
#endif
#ifdef COMPARE
          compare_mpz (u, v, w, refw);
          mpz_sub (refw, u, u);
          wmpz_sub (w, u, u);
          compare_mpz (u, u, w, refw);
          mpz_set(w,u);
          mpz_set (refw, u);
          mpz_sub (refw, refw, v);
          wmpz_sub (w, w, v);
          compare_mpz (w,v,w,refw);
          mpz_set(w,v);
          mpz_set (refw, v);
          mpz_sub (refw, u, refw);
          wmpz_sub (w, u, w);
          compare_mpz (u,w,w,refw);
#endif
        }
    }
#ifdef COMPARE
  printf ("mpz subtraction ok\n");
#endif
#endif


#ifdef TEST_ZMUL
#ifdef BENCH
  printf ("#an bn t(µs)\n");
#endif
  for (an = 2; an <= max_mul; an += 1)
    {
      for (bn = 1; bn <= an; bn += 1)
        {
          elapsed = 0;
          nb_iter = 1000;
          for (int iter = 0; iter != nb_iter; ++iter) {
            init_mpz_1 (u, an);
            init_mpz_1 (v, bn);
            mpz_realloc (w, an+1);
            mpz_realloc (refw, an+1);
            nb = 10000 / an;
#ifdef BENCH
            gettimeofday(&begin, NULL);
            for (int i = 0; i != nb; ++i)
              {
#endif

#if defined(TEST_GMP) || defined(TEST_MINIGMP)
            mpz_mul (refw, u, v);
#endif
#ifdef TEST_WHY3
            wmpz_mul (w, u, v);
#endif

#ifdef BENCH
              }
            gettimeofday(&end, NULL);
            elapsed +=
            (end.tv_sec - begin.tv_sec) * 1000000.0
            + (end.tv_usec - begin.tv_usec);
#endif
          }
          elapsed = elapsed / (nb * nb_iter);
#ifdef BENCH
          printf ("%d %d %g\n", (int)an, (int)bn, elapsed);
          if (an==bn)
            printf ("\n"); //for gnuplot
#endif
#ifdef COMPARE
          compare_mpz (u, v, w, refw);
          mpz_mul (refw, u, u);
          wmpz_mul (w, u, u);
          compare_mpz (u, u, w, refw);
          mpz_set(w,u);
          mpz_set (refw, u);
          mpz_mul (refw, refw, v);
          wmpz_mul (w, w, v);
          compare_mpz (w,v,w,refw);
          mpz_set(w,v);
          mpz_set (refw, v);
          mpz_mul (refw, u, refw);
          wmpz_mul (w, u, w);
          compare_mpz (u,w,w,refw);
#endif
        }
    }
#ifdef COMPARE
  printf ("mpz multiplication ok\n");
#endif
#endif

#ifdef TEST_ZDIV
#ifdef BENCH
  printf ("#an bn t(µs)\n");
#endif
  for (an = 2; an <= max_div; an += 1)
    {
      for (bn = 1; bn <= an; bn += 1)
        {
          elapsed = 0;
          nb_iter = 1000;
          for (int iter = 0; iter != nb_iter; ++iter) {
            init_mpz_1(u, an);
            init_mpz_1(v, bn);
            mpz_realloc (q, an - bn + 1);
            mpz_realloc (r, bn);
            nb = 1500 / an;
#ifdef BENCH
            gettimeofday(&begin, NULL);
            for (int i = 0; i != nb; ++i)
              {
#endif
#ifdef TEST_GMP
                mpz_tdiv_qr(refzq, refzr, u, v);
#endif
#ifdef TEST_WHY3
                wmpz_tdiv_qr(q, r, u, v);
#endif

#ifdef BENCH
              }
            gettimeofday(&end, NULL);
            elapsed +=
              (end.tv_sec - begin.tv_sec) * 1000000.0
              + (end.tv_usec - begin.tv_usec);
#endif
          }
          elapsed = elapsed / (nb * nb_iter);
#ifdef BENCH
          printf ("%d %d %g\n", (int)an, (int)bn, elapsed);
          if (an==bn)
            printf ("\n"); //for gnuplot
#endif
#ifdef COMPARE
          compare_mpz (u, v, q, refzq);
          compare_mpz (u, v, r, refzr);

          wmpz_tdiv_qr (q, r, u, u);
          mpz_tdiv_qr (refzq, refzr, u, u);
          compare_mpz (u, v, q, refzq);
          compare_mpz (u, v, r, refzr);

          mpz_set (w, u);
          mpz_set (refw, u);
          wmpz_tdiv_qr (w, r, w, v);
          mpz_tdiv_qr (refw, refzr, refw, v);
          compare_mpz (u, v, w, refw);
          compare_mpz (u, v, r, refzr);

          mpz_set (w, u);
          mpz_set (refw, u);
          wmpz_tdiv_qr (q, w, w, v);
          mpz_tdiv_qr (refzq, refw, refw, v);
          compare_mpz (u, v, w, refw);
          compare_mpz (u, v, r, refzr);

          mpz_set (q, u);
          mpz_set (refzq, u);
          mpz_set (r, v);
          mpz_set (refzr, v);
          wmpz_tdiv_qr (q, r, q, r);
          mpz_tdiv_qr (refzq, refzr, refzq, refzr);
          compare_mpz (u, v, q, refzq);
          compare_mpz (u, v, r, refzr);

          mpz_set (r, u);
          mpz_set (refzr, u);
          mpz_set (q, v);
          mpz_set (refzq, v);
          wmpz_tdiv_qr (q, r, r, q);
          mpz_tdiv_qr (refzq, refzr, refzr, refzq);
          compare_mpz (u, v, q, refzq);
          compare_mpz (u, v, r, refzr);
#endif
        }
        }
#ifdef COMPARE
  printf ("mpz division ok\n");
#endif
#endif //TEST_ZDIV

#ifdef TEST_MILLERRABIN
#define REPS 25
  nb_iter = 50;
  for (int len = 16; len <= 200; len = (int)ceil(len * 1.1)) {
#ifdef BENCH
    elapsed = 0;
    for (int i = 0; i < nb_iter; i++) {
#endif
      mr_candidate(cp, len);
#ifdef BENCH
      gettimeofday(&begin, NULL);
#endif
      c = wmpz_millerrabin(cp,REPS);
      //   if (c > 0)
      //printf (" at step %d\n", i);
#ifdef BENCH
      gettimeofday(&end, NULL);
      elapsed +=
        (end.tv_sec - begin.tv_sec) * 1000000.0
        + (end.tv_usec - begin.tv_usec);
    }
    elapsed = elapsed/nb_iter;
    printf ("%d %g\n", len, elapsed);
#endif
#ifdef COMPARE
    refc = mpz_millerrabin(cp,REPS);
    if (c != refc) {
      printf ("c %ld refc %ld\n", c, refc);
      abort ();
    }
#endif
  }
#ifdef COMPARE
  printf ("Miller-Rabin ok\n");
#endif
#endif // TEST_MILLERRABIN

#ifdef TEST_ZGETSET
  nb_iter = 1000;
  for (int len = 1; len < max_getset; len = (int)ceil(len * 1.1)) {
#ifdef BENCH
    elapsed = 0;
    for (base = 2; base <= 36; base++) {
#else
    for (base = -36; base <= 62; base++) {
      if (-2 < base && base < 2)
        continue;
#endif
      for (int iter = 0; iter != nb_iter; ++iter) {
        init_mpz_1(u,len);
#ifdef BENCH
        nb = 500 / len;
        gettimeofday(&begin, NULL);
        for (int i = 0; i != nb; ++i) {
#endif
#if defined(TEST_GMP) || defined(TEST_MINIGMP)
          mpz_get_str(refsp, base, u);
#endif
#ifdef TEST_WHY3
          wmpz_get_str(sp, base, u);
#endif
#ifdef COMPARE
          if (strcmp(sp, refsp)) {
            printf ("ERROR in wmpz_get_str, len = %d, base = %d :\n", len, base);
            mpn_dump (PTR(u), len);
            printf ("sp %s refsp %s\n", sp, refsp);
            abort ();
          }
#endif
#if defined(TEST_GMP) || defined(TEST_MINIGMP)
          refc = mpz_set_str(refw, refsp, abs (base));
#endif
#ifdef TEST_WHY3
          c = wmpz_set_str(w, refsp, abs (base));
#endif
#ifdef COMPARE
          if (c != refc) {
            printf ("ERROR in wmpz_set_str, c = %ld refc = %ld : \n", c, refc);
            printf ("base %d, sp %s, refsp %s, strlen %lu\n",
                    base, sp, refsp, strlen(refsp));
            printf ("w:   "); mpn_dump (PTR(w), abs SIZ(w));
            printf ("refw: "); mpn_dump (PTR(refw), abs SIZ(refw));
            abort();
          }
          if (mpz_cmp(w, refw)) {
            printf ("ERROR, an = %d\n", SIZ(u));
            printf ("a: "); mpn_dump (PTR(u), len);
            printf ("r:   "); mpn_dump (PTR(w), abs SIZ(w));
            printf ("ref: "); mpn_dump (PTR(refw), abs SIZ(refw));
            abort();
          }
#endif
#ifdef BENCH
        }
        gettimeofday(&end, NULL);
        duration =
          (end.tv_sec - begin.tv_sec) * 1000000.0
          + (end.tv_usec - begin.tv_usec);
        elapsed += duration / nb;
#endif
      }
    }
#ifdef BENCH
    elapsed = elapsed / nb_iter;
    printf ("%d %g\n", len, elapsed);
#endif
  }
#ifdef COMPARE
  printf ("mpz get/set_str ok\n");
#endif
#endif // TEST_ZGETSET

  //TMP_FREE;
  //tests_end ();
  return 0;
}
why3-1.6.0/examples/multiprecision/toom.mlw000066400000000000000000003013301440160026300207670ustar00rootroot00000000000000module Toom

  use array.Array
  use map.Map
  use mach.c.C
  use ref.Ref
  use mach.int.Int32
  use import mach.int.UInt64GMP as Limb
  use int.Int
  use int.Power
  use valuation.Valuation
  use int.ComputerDivision
  use types.Types
  use lemmas.Lemmas
  use compare.Compare
  use util.Util
  use util.UtilOld
  use add_1.Add_1
  use add.AddOld
  use sub_1.Sub_1
  use sub.SubOld
  use mul.Mul
  use mul.Mul_basecase
  use logical.Logical

let constant toom22_threshold : int32 = 29

let lemma no_borrow (x y r b m:int)
  requires { 0 <= y <= x }
  requires { 0 <= r < m }
  requires { r - m * b = x - y }
  requires { 0 <= b }
  ensures  { b = 0 }
= assert { b <= 0 by m * b < m * 1 }

let lemma no_borrow_ptr (x y r: ptr limb) (nx ny:int) (b:limb)
  requires { 0 < ny <= nx }
  requires { value y ny <= value x nx }
  requires { value r nx - (power radix nx) * b = value x nx - value y ny }
  requires { 0 <= b }
  ensures  { b = 0 }
= no_borrow (value x nx) (value y ny) (value r nx) (l2i b) (power radix nx)

let rec wmpn_toom22_mul (r x:ptr limb) (sx:int32) (y:ptr limb) (sy:int32)
                        (scratch: ptr limb) (ghost k: int) : unit
  requires { valid x sx }
  requires { valid y sy }
  requires { valid r (sx + sy) }
  requires { toom22_threshold < sy }
  requires { 0 < k <= 64 }
  requires { sx <= toom22_threshold * power 2 k }
  requires { valid scratch (2 * (sx + k)) } (*TODO faire en fonction de sy *)
  requires { writable r /\ writable scratch }
  requires { 8 * sx < max_int32 }
  requires { 2 < sy <= sx < sy + sy - 1 }
  requires { 4 * sx < 5 * sy }
  ensures  { min r = old min r }
  ensures  { max r = old max r }
  ensures  { plength r = old plength r }
  ensures  { min scratch = old min scratch }
  ensures  { max scratch = old max scratch }
  ensures  { plength scratch = old plength scratch }
  ensures  { value r (sx + sy) = value x sx * value y sy }
  ensures  { forall j. min r <= j < offset r \/ offset r + sx + sy <= j < max r
                       -> (pelts r)[j] = old (pelts r)[j] }
  ensures  { forall j. min scratch <= j < offset scratch
                       -> (pelts scratch)[j] = old (pelts scratch)[j] }
  variant { k + k }
=
  let s = sx / 2 in (* TODO sx >> 1 *)
  let n = sx - s in
  let t = sy - n in
  assert { 0 < s };
  assert { n-1 <= s <= n };
  assert { 0 < t <= s };
  let x0 = x in
  let x1 = C.incr x n in
  let y0 = y in
  let y1 = C.incr y n in
  let ghost a0 = value x0 (int32'int n) in
  let ghost a1 = value x1 (int32'int s) in
  let ghost b0 = value y0 (int32'int n) in
  let ghost b1 = value y1 (int32'int t) in
  let ghost m = power radix (int32'int n) in
  value_concat x n sx;
  value_concat y n sy;
  assert { value x sx = a0 + m * a1 };
  assert { value y sy = b0 + m * b1 };
  let r' = decr_split r 0 in
  let ro = C.incr_split r (sx + sy) in
  let scratch' = decr_split scratch 0 in
  assert { min r = offset r /\ max r = offset r + sx + sy };
  let s_out = C.incr_split scratch (n + n) in
  let vinf = C.incr_split r (n + n) in
  label ASM1 in
  let xsm1 = r in
  let ysm1 = C.incr_split r n in
  let vm1_neg = ref false in
  begin ensures { (!vm1_neg /\ value xsm1 n = a1 - a0)
                  \/ (not !vm1_neg /\ value xsm1 n = a0 - a1) }
        ensures { min scratch = old min scratch }
        ensures { max scratch = old max scratch }
        ensures { plength scratch = old plength scratch }
    if (s = n)
    then
      if begin ensures { result <->  value x0 n < value x1 n }
           (wmpn_cmp x0 x1 n) < 0
         end
      then begin
        let ghost b = wmpn_sub_n xsm1 x1 x0 n in
        no_borrow_ptr x1 x0 xsm1 (p2i n) (p2i n) b;
        vm1_neg := true end
      else let ghost b = wmpn_sub_n xsm1 x0 x1 n in
           no_borrow_ptr x0 x1 xsm1 (p2i n) (p2i n) b
    else
      (* n-s=1*)
      if ((get_ofs x0 s) = 0) &&
         ((wmpn_cmp x0 x1 s) < 0)
      then begin
        assert { value x0 s < value x1 s };
        value_tail x0 s;
        assert { value x0 n = value x0 s };
        let ghost b = wmpn_sub_n xsm1 x1 x0 s in
        no_borrow_ptr x1 x0 xsm1 (p2i s) (p2i s) b;
        value_sub_shift_no_change (pelts xsm1) (xsm1.offset) (p2i s) (p2i s) 0;
        set_ofs xsm1 s 0;
        vm1_neg := true;
        value_tail xsm1 s
        end
      else begin
        let b = wmpn_sub_n xsm1 x0 x1 s in
        label Borrow in
        value_sub_shift_no_change (pelts xsm1) (xsm1.offset) (p2i s) (p2i s) b;
        let lx = get_ofs x0 s in
        set_ofs xsm1 s (lx - b);
        assert { value xsm1 s = value (xsm1 at Borrow) s };
        value_tail x0 s;
        value_tail xsm1 s;
        end
  end;
  label BSM1 in
  begin ensures { (!vm1_neg = (!vm1_neg at BSM1) /\ value ysm1 n = b0 - b1)
                  \/ (!vm1_neg = not (!vm1_neg at BSM1) /\ value ysm1 n = b1 - b0) }
        ensures { value xsm1 n = (value xsm1 n at BSM1) }
        ensures { min scratch = old min scratch }
        ensures { max scratch = old max scratch }
        ensures { plength scratch = old plength scratch }
    if (t = n)
    then
      if begin ensures { result <-> value y0 n < value y1 n }
           (wmpn_cmp y0 y1 n) < 0
         end
      then begin
        let ghost b = wmpn_sub_n ysm1 y1 y0 n in
        no_borrow_ptr y1 y0 ysm1 (p2i n) (p2i n) b;
        vm1_neg := not !vm1_neg end
      else
        let ghost b = wmpn_sub_n ysm1 y0 y1 n in
        no_borrow_ptr y0 y1 ysm1 (p2i n) (p2i n) b;
    else
      let y0t = C.incr y0 t in
      let c0 = ((wmpn_zero_p y0t (n - t)) = 1) in
      let c1 = ((wmpn_cmp y0 y1 t) < 0) in
      if c0 && c1
      then begin
        assert { value y0 t < value y1 t };
        value_concat y0 t n;
        assert { value y0 n = value y0 t };
        let ghost b = wmpn_sub_n ysm1 y1 y0 t in
        no_borrow_ptr y1 y0 ysm1 (p2i t) (p2i t) b;
        assert { forall j. (j < offset r \/ offset r + sx + sy <= j)
                             -> (pelts r)[j] = (pelts r)[j] at BSM1 };
        label Zero in
        let ghost ysm1z = { ysm1 } in
        let ysm1t = C.incr ysm1 t in
        wmpn_zero ysm1t (n - t);
        value_sub_frame_shift (pelts ysm1) (pelts ysm1z)
                              (offset ysm1) (offset ysm1z) (p2i t);
        assert { value ysm1 t = value ysm1 t at Zero };
        assert { value xsm1 n = value xsm1 n at Zero };
        value_concat ysm1 t n;
        assert { value ysm1 n = value ysm1 t };
        vm1_neg := not !vm1_neg end
      else begin
        value_concat y0 t n;
        assert { value y0 n = value y0 t + power radix t * value y0t (n-t) };
        assert { value y1 t <= value y0 n
                 by (not c0
                     so 1 <= value y0t (n - t)
                     so power radix t * 1 <= power radix t * value y0t (n-t)
                     so power radix t <= value y0 n
                     so value y1 t < power radix t)
                  \/ (not c1
                      so value y1 t <= value y0 t
                      so value y0 t <= value y0 n) };
        let ghost b = wmpn_sub ysm1 y0 n y1 t in
        no_borrow_ptr y0 y1 ysm1 (p2i n) (p2i t) b;
        end
  end;
  let ghost asm1_abs = value xsm1 (int32'int n) in
  let ghost bsm1_abs = value ysm1 (int32'int n) in
  label RecM1 in
  wmpn_toom22_mul_n_rec scratch xsm1 ysm1 s_out n (k-1);
  assert { value scratch (n+n) = asm1_abs * bsm1_abs };
  join r ysm1;
  assert { min scratch = offset scratch };
  assert { max scratch = max scratch at ASM1 };
  assert { plength scratch = old plength scratch };
  assert { min r = offset r };
  assert { max r = max r at ASM1 };
  assert { plength r = old plength r };
  assert { forall j. min scratch <= j < offset scratch -> (pelts scratch)[j]
            = old (pelts scratch)[j] };
  let v0 = r in
  label Rec in
  begin ensures { value scratch (n+n) = asm1_abs * bsm1_abs }
        ensures { value v0 (n+n) = a0 * b0 }
        ensures { value vinf (s+t) = a1 * b1 }
        ensures { min scratch = old min scratch }
        ensures { max scratch = old max scratch }
        ensures { plength scratch = old plength scratch }
        ensures { min s_out = old min s_out }
        ensures { max s_out = old max s_out }
        ensures { min vinf = old min vinf }
        ensures { max vinf = old max vinf }
        ensures { plength vinf = old plength vinf }
        ensures { min r = old min r }
        ensures { max r = old max r }
        ensures { plength r = old plength r }
    let lemma valid_monotonous (s n:int32)
      requires { valid s_out (2*(n+(k-1))) }
      requires { 0 <= s <= n }
      ensures  { valid s_out (2*(s+(k-1))) }
    = assert { 0 <= 2*(s+(k-1)) <= 2*(n+(k-1)) };
      assert { forall p: ptr limb, n1 n2. 0 <= n1 <= n2 -> valid p n2 -> valid p n1 } in
    valid_monotonous s n;
    valid_monotonous t n;
    (if s > t
     then wmpn_toom22_mul_rec vinf x1 s y1 t s_out (k-1)
     else wmpn_toom22_mul_n_rec vinf x1 y1 s_out s (k-1));
    wmpn_toom22_mul_n_rec v0 x0 y0 s_out n (k-1);
  end;
  label Adds in
  value_concat v0 n (n + n);
  value_concat vinf n (s + t);
  let v0n = incr_split v0 n in
  let vinfn = incr_split vinf n in
  let ghost lv0 = value v0 (int32'int n) in
  let ghost hv0 = value v0n (int32'int n) in
  let ghost lvinf = value vinf (int32'int n) in
  let ghost hvinf = value vinfn (int32'int s + int32'int t- int32'int n) in
  assert { lv0 + m * hv0 = a0 * b0 };
  assert { lvinf + m * hvinf = a1 * b1 };
  let cy = ref (wmpn_add_n_in_place vinf v0n n) in
  assert { value vinf n = lvinf + hv0 - m * !cy };
  let c = wmpn_add_n v0n vinf v0 n in
  let cy2 = c + !cy in
  assert { value v0n n = lvinf + hv0 + lv0 - m * cy2
           by value v0n n = lv0 + value vinf n - m * c
                          = lvinf + hv0 + lv0 - m * !cy - m * c
                          = lvinf + hv0 + lv0 - m * cy2 };
  label Add3 in
  let c' = wmpn_add_in_place vinf n vinfn ((s+t) - n) in
  cy := !cy + c';
  assert { value vinf n = hvinf + lvinf + hv0 - m * !cy
           by m * (!cy at Add3) + m * c' = m * !cy
           so value vinf n = value vinf n at Add3 + hvinf - m * c'
              = lvinf + hv0 - m * (!cy at Add3) + hvinf - m * c'
              = hvinf + lvinf + hv0 - m * !cy };
  assert { !cy <= 2 };
  label JoinMid in
  let ghost v0nj = { v0n } in
  let ghost vinfj = { vinf } in
  join v0n vinf;
  value_sub_frame (pelts v0n) (pelts v0nj) (offset v0n) (offset v0n + p2i n);
  assert { value v0n n = value v0nj n };
  value_sub_frame (pelts v0n) (pelts vinfj) (offset vinf) (offset vinf + p2i n);
  assert { value_sub (pelts v0n) (offset v0n + n) (offset v0n + n + n)
           = value vinfj n };
  value_concat v0n n (n + n);
  assert { value v0n (n+n) = a1 * b1 + a0 * b0 + hv0 + m * lvinf
             - m * cy2 - m * m * !cy
           by value v0n (n+n)
           = value v0n n at JoinMid + m * value vinf n at JoinMid
           = lvinf + hv0 + lv0 - m * cy2
             + m * (hvinf + lvinf + hv0 - m * !cy)
           = lvinf + hv0 + lv0 - m * cy2 + m * hvinf + m * lvinf
             + m * hv0 - m * m * !cy
           = a1 * b1 + a0 * b0 + hv0 + m * lvinf
             - m * cy2 - m * m * !cy };
  label AddSub in
  begin ensures { !cy <= 3 (*2?*)
                   /\ value v0n (n+n) = a1 * b1 + a0 * b0 - (a0 - a1)*(b0 - b1)
                                      + hv0 + m * lvinf - m * cy2 - m * m * !cy
                  \/ !cy = radix - 1
                      /\ value v0n (n+n) = a1 * b1 + a0 * b0  - (a0 - a1)*(b0 - b1)
                         + hv0 + m * lvinf - m * cy2 + m * m
                      /\ !cy at AddSub = 0 }
    assert { !vm1_neg /\ value scratch (n+n) = - (a0-a1)*(b0-b1)
             \/ not !vm1_neg /\ value scratch (n+n) = (a0-a1)*(b0-b1)
             by value scratch (n+n) = asm1_abs * bsm1_abs
             so [@case_split]
                 (!vm1_neg at BSM1 /\ !vm1_neg
               \/ !vm1_neg at BSM1 /\ not !vm1_neg
               \/ not !vm1_neg at BSM1 /\ !vm1_neg
               \/ not !vm1_neg at BSM1 /\ not !vm1_neg) };
    assert { power radix (n+n) = m * m };
    if !vm1_neg
    then
      let c'' = wmpn_add_n_in_place v0n scratch (n+n) in
      assert { value v0n (n+n)
               = value v0n (n+n) at AddSub + value scratch (n+n)
                 - power radix (n+n) * c'' };
      cy := !cy + c'';
      assert { value v0n (n+n) = a1 * b1 + a0 * b0 - (a0 - a1)*(b0 - b1)
                 + hv0 + m * lvinf - m * cy2 - m * m * !cy
               by - m * m * c'' - m * m * !cy at AddSub = - m * m * !cy
               so value scratch (n+n) = -(a0-a1)*(b0-b1)
               so value v0n (n+n)
                  = value v0n (n+n) at AddSub + value scratch (n+n)
                    - power radix (n+n) * c''
                  = value v0n (n+n) at AddSub - (a0 - a1)*(b0-b1) - m * m * c''
                  = a1 * b1 + a0 * b0 - (a0 - a1)*(b0 - b1)
                    + hv0 + m * lvinf - m * cy2 - m * m * !cy }
    else
      let b = wmpn_sub_n_in_place v0n scratch (n+n) in
      assert { value v0n (n+n)
               = value v0n (n+n) at AddSub - value scratch (n+n)
                 + power radix (n+n) * b };
      cy := sub_mod !cy b;
      assert { !cy <= 2 /\ !cy = !cy at AddSub - b
               \/ !cy = radix - 1 /\ !cy at AddSub = 0 /\ b = 1
               by [@case_split]
                  ((!cy at AddSub = 0 /\ b = 1
                   so !cy = EuclideanDivision.mod (-1) radix = radix - 1)
                   \/
                   (1 <= !cy at AddSub \/ b = 0
                   so 0 <= !cy at AddSub - b < radix
                   so !cy = !cy at AddSub - b)) };
      assert { !cy <= 2 ->
               (value v0n (n+n) = a1 * b1 + a0 * b0 - (a0 - a1)*(b0 - b1)
                                  + hv0 + m * lvinf - m * cy2 - m * m * !cy
               by !cy = !cy at AddSub - b
               so m * m * b - m * m * !cy at AddSub = - m * m * !cy
               so value scratch (n+n) = (a0-a1)*(b0-b1)
               so value v0n (n+n)
                  = value v0n (n+n) at AddSub - value scratch (n+n)
                    + power radix (n+n) * b
                  = value v0n (n+n) at AddSub - (a0 - a1)*(b0-b1) + m * m * b
                  = a1 * b1 + a0 * b0 - (a0 - a1)*(b0 - b1)
                    + hv0 + m * lvinf - m * cy2 - m * m * !cy) };
      assert { !cy = radix - 1 ->
               (value v0n (n+n) = a1 * b1 + a0 * b0 - (a0 - a1)*(b0 - b1)
                                  - m * cy2 + hv0 + m * lvinf + m * m
                by b = 1 so power radix (n+n) * b = m * m
                so m * m * !cy at AddSub = 0
                so value scratch (n+n) = (a0-a1)*(b0-b1)
                so value v0n (n+n)
                   = value v0n (n+n) at AddSub - value scratch (n+n)
                     + power radix (n+n) * b
                   = value v0n (n+n) at AddSub - (a0 - a1)*(b0-b1) + m*m
                   = a1 * b1 + a0 * b0 + hv0 + m * lvinf
                     - m * cy2 - m * m * (!cy at AddSub) - (a0 - a1)*(b0-b1) + m*m
                   = a1 * b1 + a0 * b0 + hv0 - (a0 - a1)*(b0 - b1)
                     + m * lvinf - m * cy2 + m * m) }
  end;
  label Join in
  let ghost rj = { r } in
  let ghost v0nj = { v0n } in
  let ghost vinfnj = { vinfn } in
  join r v0n;
  value_sub_frame (pelts r) (pelts rj) (offset r) (offset r + p2i n);
  assert { value r n = value rj n = lv0 };
  value_concat r n (3 * n);
  value_sub_frame (pelts r) (pelts v0nj) (offset r + p2i n)
                                         (offset r + 3 * p2i n);
  assert { value r (3*n) = value r n + m * value (v0n at Join) (n+n)
           by offset v0nj = offset r + n
           so offset v0nj + (n + n) = offset r + 3 * n
           so value_sub (pelts r) (offset r + n) (offset r + 3*n)
              = value v0nj (n+n) };
  label JoinH in
  let ghost rh = { r } in
  join r vinfn;
  value_sub_frame (pelts r) (pelts rh) (offset r) (offset r + 3 * p2i n);
  assert { value r (3*n) = value r (3*n) at JoinH };
  value_sub_frame (pelts r) (pelts rh) (offset r) (offset r + p2i n);
  assert { value r n = value r n at JoinH };
  value_concat r (3*n) ((3 * n) + ((s + t) - n));
  assert { forall i. offset r + 3 * n <= i < offset r + 3 * n + s + t - n ->
           min vinfnj <= i < max vinfnj
           by max vinfnj >= offset r + sx + sy
              = offset r + n + s + n + t
              = offset r + 3 * n + s + t - n };
  value_sub_frame (pelts r) (pelts vinfnj) (offset r + 3 * p2i n)
                            (offset r + 3 * p2i n + p2i s + p2i t - p2i n);
  assert { value r (sx + sy)
           = value r (3*n + s + t - n)
           = value r (3*n) + m*m*m* value (vinfn at Join) (s+t-n)
           by offset vinfnj = offset r + 3*n
           so offset vinfnj + s + t - n = offset r + 3*n + s + t - n
           so m * m * m = power radix n * power radix n * power radix n
              = power radix (n+n+n) = power radix (3 * n)
           so value_sub (pelts r) (offset r + 3*n) (offset r + 3*n + s + t - n)
              = value vinfnj (s+t-n) };
  join scratch s_out;
  assert { a1 * b1 + a0 * b0 - (a0 - a1)*(b0 - b1) = a0 * b1 + a1 * b0 };
  assert { value x sx * value y sy
           = (a0 +  m * a1)*(b0 + m * b1)
           = a0 * b0 + m * (a0 * b1 + a1 * b0) + m * m * (a1 * b1) };
  assert { !cy <= 3 /\ value r (sx + sy) = value x sx * value y sy
                                            - m * m * cy2 - m * m * m * !cy
           \/ !cy = radix - 1 /\ value r (sx + sy) = value x sx * value y sy
                                  - m * m * cy2 + m * m * m
            by value r n = lv0
               so value vinfnj (s+t-n) = hvinf
               so value r (sx + sy)
               = value r (3 * n) + m * m * m * value vinfnj (s+t-n)
               = value r n + m * value v0nj (n+n)
                 + m*m*m * value vinfnj (s+t-n)
               = lv0 + m * value v0nj (n+n) + m * m * m * hvinf
            so (lv0 + m * (a1*b1 + a0*b0 - (a0 - a1)*(b0 - b1) + hv0 + m*lvinf)
                + m * m * m * hvinf = value x sx * value y sy
               by lv0 + m * (a0 * b1 + a1 * b0 + hv0 + m * lvinf)
                      + m * m * m * hvinf
                  = lv0 + m * hv0 + m * (a0 * b1 + a1 * b0)
                     + m * m * lvinf + m * m * m * hvinf
                  = lv0 + m * hv0 + m * (a0 * b1 + a1 * b0)
                    + m * m * (lvinf + m * hvinf)
                  = a0 * b0 + m * (a0 * b1 + a1 * b0)
                    + m * m * a1 * b1
                  = value x sx * value y sy)
            so [@case_split] (* TODO *)
               ((!cy <= 3
                so value v0nj (n+n) = a1 * b1 + a0 * b0 - (a0 - a1)*(b0 - b1)
                                     + hv0 + m * lvinf - m * cy2 - m * m * !cy
                   = a0 * b1 + a1 * b0 + hv0 + m * lvinf - m * cy2 - m * m * !cy
                so value r (sx + sy)
                   = lv0 + m * value v0nj (n+n) + m * m * m * hvinf
                   = lv0 + m * (a0 * b1 + a1 * b0 + hv0 + m * lvinf
                               - m * cy2 - m * m * !cy)
                               + m * m * m * hvinf
                   = lv0 + m * (a0 * b1 + a1 * b0 + hv0 + m * lvinf)
                      + m * m * m * hvinf
                      - m * m * cy2 - m * m * m * !cy
                   = value x sx * value y sy
                     - m * m * cy2 - m * m * m * !cy)
                 \/
                 (!cy = radix - 1
                  so value v0nj (n+n) = a1 * b1 + a0 * b0 - (a0 - a1)*(b0 - b1)
                                     + hv0 + m * lvinf - m * cy2 + m * m
                   = a0 * b1 + a1 * b0 + hv0 + m * lvinf - m * cy2 + m * m
                  so value r (sx + sy)
                   = lv0 + m * value v0nj (n+n) + m * m * m * hvinf
                   = lv0 + m * (a0 * b1 + a1 * b0 + hv0 + m * lvinf
                               - m * cy2 + m * m)
                               + m * m * m * hvinf
                   = lv0 + m * (a0 * b1 + a1 * b0 + hv0 + m * lvinf)
                      + m * m * m * hvinf
                      - m * m * cy2 + m * m * m
                   = value x sx * value y sy
                     - m * m * cy2 + m * m * m)) };
  let vinf0 = C.incr r (n+n) in
  value_sub_upper_bound (pelts x1) (offset x1) (offset x1 + int32'int s);
  value_sub_upper_bound (pelts y1) (offset y1) (offset y1 + int32'int t);
  assert { s + t - n > 0
           by s >= n-1
           so 4 * sx < 5 * sy
           so 4 * n + 4 * s < 5 * n + 5 * t
           so 5 * t > 4 * s - n >= 4 * n - 4 - n = 3 * n - 4
           so 5 * t > 3 * n - 4
           so n > 3
           so t > 1 };
  let ghost m' = power radix (p2i s + p2i t - p2i n) in
  begin ensures { value r (sx + sy) + m * m * cy2  < m * m * m * m' }
        ensures { value x sx * value y sy < m * m * m * m' }
  assert { power radix (s+t) = m * m' };
  value_sub_upper_bound (pelts r) (offset r) (offset r + int32'int n);
  value_sub_upper_bound (pelts v0nj) (offset v0nj)
                        (offset v0nj + int32'int n + int32'int n);
  value_sub_upper_bound (pelts x) (offset x) (offset x + int32'int sx);
  value_sub_upper_bound (pelts y) (offset y) (offset y + int32'int sy);
  assert { !cy = radix - 1 -> hvinf <= m' - 2
           by value v0nj (n+n) < power radix (n+n) = m * m
           so value v0nj (n+n) = a1 * b1 + a0 * b0 - (a0 - a1)*(b0 - b1)
                                     + hv0 + m * lvinf - m * cy2 + m * m
                   = a0 * b1 + a1 * b0 + hv0 + m * lvinf - m * cy2 + m * m
                              so (0 <= a0 * b1 by 0 <= a0 /\ 0 <= b1)
           so (0 <= a1 * b0 by 0 <= a1 /\ 0 <= b0)
           so hv0 >= 0
           so value v0nj (n+n) >= m * lvinf - m * cy2 + m * m
           so m * lvinf - m * cy2 + m * m < m * m
           so m * (lvinf - cy2) = m * lvinf - m * cy2 < 0
           so lvinf - cy2 < 0
           so (cy2 <= 1 by !cy at AddSub = 0 so !cy at Add3 = 0)
           so (lvinf = 0 by 0 <= lvinf)
           so a1 * b1 = m * hvinf
           so if a1*b1 <= 0
           then (hvinf <= m' - 2
                 by m*hvinf=0 so 0 <> m so hvinf = 0
                 so 1 <= s+t-n
                 so radix = power radix 1 <= power radix (s+t-n)
                 so m' > 2
                 so hvinf <= m' - 2)
           else hvinf <= m'-2 by
                (forall s. 0 <= s -> power radix s = power 2 (64*s)
                by radix = power 2 64)
           so (m = power 2 (64 * n)
               by m = power radix n)
           so m >= 1
           so (hvinf >= 1 by m*hvinf > 0)
           so valuation m 2 = 64*n
           so 64*n <= valuation (a1*b1) 2 = valuation a1 2 + valuation b1 2
           so if 64*n < valuation (a1*b1) 2
           then hvinf <= m'-2
                 by valuation (m*hvinf) 2 > 64*n
                 so valuation m 2 = 64*n
                 so if valuation hvinf 2 = 0
                    then false by valuation (m*hvinf) 2 = valuation m 2
                    else hvinf <= m'-2
                    by even hvinf
                    so (odd (m'-1)
                       by m' = power radix (s+t-n)
                             = power 2 (64*(s+t-n))
                             = 2 * power 2 (64*(s+t-n) - 1)
                          so even m')
                    so hvinf <> m'-1
                    so (hvinf < m'
                        by hvinf = value vinfnj (s+t-n)
                                 < power radix ((offset vinfnj +(s+t-n))
                                                 - offset vinfnj)
                                 = power radix (s+t-n))
                    so hvinf < m'-1
           else hvinf <= m'-2
           by power radix s = power 2 (64*s)
           so power radix t = power 2 (64*t)
           so m' = power radix (s+t-n) = power 2 (64*(s+t-n))
           so let k = valuation a1 2 in
              let l = valuation b1 2 in
              let a1' = div a1 (power 2 k) in
              let b1' = div b1 (power 2 l) in
              a1 = (power 2 k) * a1'
           so b1 = (power 2 l) * b1'
           so 64*n = k + l
           so 1 <= a1 /\ 1 <= b1
           so 0 <= k /\ 0 <= l
           so 1 <= a1' /\ 1 <= b1'
           so (k <= 64*s by power 2 k <= a1 < power 2 (64*s)
                         so power 2 k < power 2 (64*s)
                         so not 64*s < k)
           so (l <= 64*t by power 2 l <= b1 < power 2 (64*t)
                         so power 2 l < power 2 (64*t)
                         so not 64*t < l)
           so (forall a b c m:int. 0 <= a -> 0 <= b -> 0 < c -> 0 < m
              -> a * c < m -> b * c >= m -> a < b)
           so a1' < power 2 (64*s - k)
              (*(by a1' * (power 2 k) = a1 < power radix s = power 2 (64*s)
              so a1' * power 2 k < power 2 (64*s)
              so power 2 (64*s-k) * power 2 k = power 2 (64*s))*)
           so a1' <= power 2 (64*s - k) - 1
           so b1' < power 2 (64*t - l)
           so b1' <= power 2 (64*t - l) - 1
           so a1' * b1'
              <= (power 2 (64*s - k) - 1) * b1'
              <= (power 2 (64*s - k) - 1) * (power 2 (64*t - l) - 1)
              = (power 2 (64*s-k))*(power 2 (64*t -l))
                - power 2 (64*s-k)
                - power 2 (64*t-l)
                + 1
              <= (power 2 (64*s-k))*(power 2 (64*t -l)) - 2
              = power 2 (64*(s+t) - (k+l)) - 2
              = power 2 (64*(s+t) - 64*n) - 2
              = power 2 (64*(s+t-n)) - 2
              = power radix (s+t-n) - 2
              = m' - 2
           so a1 * b1 = (power 2 k) * a1' * (power 2 l) * b1'
              = power 2 k * power 2 l * a1' * b1'
              = (power 2 (k+l)) * a1' * b1'
              = power 2 (64*n) * a1' * b1'
              = power radix n * a1' * b1'
              = m * (a1' * b1')
           so a1 * b1 = m * hvinf = m * (a1' * b1')
           so hvinf = a1' * b1' <= m' - 2 };
  assert { value x sx * value y sy < m * m * m * m'
           by (m * m * m * m' = power radix (n+n+s+t)
              by m * m * m * m'
                 = power radix n * power radix n * power radix n
                   * power radix (s+t-n)
                 = power radix n * power radix n * power radix (s+t)
                 = power radix n * power radix (n+s+t)
                 = power radix (n+n+s+t))
           so value x sx < power radix sx = power radix (n+s)
           so value y sy < power radix sy = power radix (n+t)
           so (forall a b c d. 0 <= a < b -> 0 <= c < d -> a * c < b * d
               by [@case_split]
                  (((a=0\/c=0) so a*c=0 so b*d>0 so a*c < b*d)
                  \/
                  ((0= 0
           so m * m * m * m' > value r (sx + sy) + m * m * cy2
              = value r (n+n) + m * m * value vinf0 (s+t) + m * m * cy2
              >= m * m * value vinf0 (s+t) + m * m * cy2
              = m * m * (value vinf0 (s+t) + cy2)
              so (m * m) * (value vinf0 (s+t) + cy2) < (m * m) * (m * m') };
  let ghost ri = { r } in
  label IncrM in
  wmpn_incr vinf0 (s + t) cy2;
  value_concat r (n + n) (sx + sy);
  assert { value_sub (pelts r) (offset r + n + n) (offset r + sx + sy)
           = value vinf0 (s+t) };
  assert { value r (sx + sy) = value r (n+n) + m * m * value vinf0 (s+t) };
  assert { forall j. offset r <= j < offset r + (n+n)
           -> (pelts r)[j] = (pelts r)[j] at IncrM };
  value_sub_frame (pelts r) (pelts ri) (offset r)
                  (offset r + (int32'int n + int32'int n));
  assert { value r (sx + sy) = value r (sx+sy) at IncrM + m * m * cy2
           by value vinf0 (s+t) = value vinf0 (s+t) at IncrM + cy2
           so value r (n+n) = value r (n+n) at IncrM
           so value r (sx + sy) = value r (n+n) + m * m * value vinf0 (s+t)
              = (value r (n+n) at IncrM)
                + m * m * (value vinf0 (s+t) at IncrM + cy2)
              = (value r (n+n) + m * m * value vinf0 (s+t) at IncrM)
                + m * m * cy2
              = value r (sx+sy) at IncrM + m * m * cy2 };
  assert { forall j. min r <= j < offset r \/ offset r + sx + sy <= j < max r
             -> (pelts r)[j] = (pelts r)[j] at IncrM
                by (pelts r)[j] = (pelts vinf0)[j]
                   = (pelts vinf0)[j] at IncrM };
  assert { !cy <= 3 /\ value r (sx + sy)
                       = value x sx * value y sy - m * m * m * !cy
           \/ value r (sx + sy) = value x sx * value y sy + m * m * m };
  let rh = { r } in
  let vinfn = C.incr r (3 * n) in
  label IncrH in
  assert { valid vinfn (s+t-n) };
  value_concat r (3 * n) (sx + sy);
  assert { value_sub (pelts r) (offset r + 3*n) (offset r + sx + sy)
           = value vinfn (s+t-n)
           by pelts r = pelts vinfn
           so offset r + 3*n = offset vinfn
           so offset r + sx + sy = offset vinfn + s + t - n };
  assert { value r (sx + sy) = value r (3*n)
                               + power radix (3*n) * value vinfn (s+t-n)};
  assert { power radix (3*n) = m * m * m
           by power radix (3*n) = power radix (n+n+n)
              = power radix (n+n) * power radix n
              = power radix n * power radix n * power radix n };
  if ([@likely] !cy <= 3)
  then begin
    assert { value r (sx+sy) = value x sx * value y sy
                               - power radix (3*n) * !cy
              by value r (sx+sy) = value x sx * value y sy - m * m * m * !cy };
    assert { value r (sx+sy) + power radix (3*n)* !cy < power radix (3*n) * m'
             by value r (sx+sy) + power radix (3*n) * !cy
                = value x sx * value y sy
                < m*m*m*m' = power radix (3*n) * m' };
    assert { value vinfn (s+t-n) + !cy < m'
             by power radix (3*n) * m'
                > value r (sx+sy) + power radix (3*n) * !cy
                = value r (3*n) + power radix (3*n) * value vinfn (s+t-n)
                                + power radix (3*n) * !cy
                = value r (3*n) + power radix (3*n) * (value vinfn (s+t-n) + !cy)
                >= power radix (3*n) * (value vinfn (s+t-n) + !cy)
                so power radix (3*n) * (value vinfn (s+t-n) + !cy)
                   < power radix (3*n) * m'};
    wmpn_incr vinfn ((s + t) - n) !cy;
    value_concat r (3 * n) (sx + sy);
    assert { value_sub (pelts r) (offset r + 3*n) (offset r + sx + sy)
             = value vinfn (s+t-n)
             by pelts r = pelts vinfn
             so offset r + 3*n = offset vinfn
             so offset r + sx + sy = offset vinfn + s + t - n };
    assert { value r (sx + sy) = value r (3*n)
                                + power radix (3*n) * value vinfn (s+t-n)};
    assert { forall j. offset r <= j < offset r + (3*n)
             -> (pelts r)[j] = (pelts r)[j] at IncrH };
    value_sub_frame (pelts r) (pelts rh) (offset r)
                    (offset r + (3 * int32'int n));
    assert { value r (sx + sy) = value x sx * value y sy
             by value vinfn (s+t-n) = (value vinfn (s+t-n) at IncrH) + !cy
             so value r (3*n) = value r (3*n) at IncrH
             so value r (sx + sy)
                = value r (3*n) + power radix (3*n) * value vinfn (s+t-n)
                = value r (3*n) at IncrH
                  + power radix (3*n) * (value vinfn (s+t-n) at IncrH + !cy)
                = (value r (3*n) + power radix (3*n) * value vinfn (s+t-n)
                         at IncrH)
                  + power radix (3*n) * !cy
                = value r (sx+sy) at IncrH + power radix (3*n) * !cy
                = value x sx * value y sy - power radix (3*n) * !cy
                                          + power radix (3*n) * !cy };
  end
  else begin
    assert { !cy = radix - 1 };
    assert { value r (sx+sy) = value x sx * value y sy
                               + power radix (3*n)
              by value r (sx+sy) = value x sx * value y sy + m * m * m };
    value_sub_upper_bound (pelts r) (offset r) (offset r + 3 * int32'int n);
    assert { 0 <= value vinfn (s+t-n) - 1
             by 0 <= value x sx so 0 <= value y sy
             so 0 <= value x sx * value y sy
             so value r (sx + sy) >= power radix (3*n)
             so value r (sx + sy)
                = value r (3*n) + power radix (3*n) * value vinfn (s+t-n)
             so value r (3*n) < power radix (3*n)
             so power radix (3*n) * value vinfn (s+t-n) > 0
             so value vinfn (s+t-n) > 0 };
    wmpn_decr_1 vinfn ((s + t) - n);
    value_concat r (3 * n) (sx + sy);
    assert { value_sub (pelts r) (offset r + 3*n) (offset r + sx + sy)
             = value vinfn (s+t-n)
             by pelts r = pelts vinfn
             so offset r + 3*n = offset vinfn
             so offset r + sx + sy = offset vinfn + s + t - n };
    assert { value r (sx + sy) = value r (3*n)
                                + power radix (3*n) * value vinfn (s+t-n)};
    assert { forall j. offset r <= j < offset r + (3*n)
             -> (pelts r)[j] = (pelts r)[j] at IncrH };
    value_sub_frame (pelts r) (pelts rh) (offset r)
                    (offset r + (3 * int32'int n));
    assert { value r (sx + sy) = value x sx * value y sy
             by value vinfn (s+t-n) = (value vinfn (s+t-n) at IncrH) - 1
             so value r (3*n) = value r (3*n) at IncrH
             so value r (sx + sy)
                = value r (3*n) + power radix (3*n) * value vinfn (s+t-n)
                = value r (3*n) at IncrH
                  + power radix (3*n) * (value vinfn (s+t-n) at IncrH - 1)
                = (value r (3*n) + power radix (3*n) * value vinfn (s+t-n)
                         at IncrH)
                  - power radix (3*n)
                = value r (sx+sy) at IncrH - power radix (3*n)
                = value x sx * value y sy };
  end;
  label JoinRight in
  let rf = { r } in
  C.join r ro;
  label JoinLeft in
  C.join_r r' r;
  assert { forall j. offset r <= j < offset r + sx + sy ->
           (pelts r)[j] = (pelts rf)[j]
           by (pelts r)[j] = (pelts r)[j] at JoinLeft
              = (pelts rf)[j] };
  value_sub_frame (pelts r) (pelts rf) (offset r) (offset r + p2i sx + p2i sy);
  assert { value r (sx + sy) = value r (sx + sy) at JoinRight };
  C.join_r scratch' scratch


  (* Choose which multiplication algorithm is called recursively.
     Equivalent to the macros WMPN_TOOM22_MUL_REC and WMPN_TOOM22_MUL_N_REC
     respectively, in wmpn_toom22_mul.c *)
with wmpn_toom22_mul_rec (r x: ptr limb) (sx:int32) (y:ptr limb) (sy: int32)
                         (scratch:ptr limb) (ghost k: int)
     : unit
  requires { valid x sx }
  requires { valid y sy }
  requires { valid r (sx + sy) }
  requires { writable r /\ writable scratch }
  requires { 0 < sy <= sx <= sy + sy }
  requires { 8 * sx < max_int32 }
  requires { 0 <= k <= 64 }
  requires { sx <= toom22_threshold * power 2 k }
  requires { valid scratch (2 * (sx + k)) }
  ensures  { value r (sx + sy) = value x sx * value y sy }
  ensures  { forall j. min r <= j < offset r \/ offset r + sx + sy <= j < max r
                       -> (pelts r)[j] = old (pelts r)[j] }
  ensures  { forall j. min scratch <= j < offset scratch
             -> (pelts scratch)[j] = old (pelts scratch)[j] }
  ensures  { min r = old min r }
  ensures  { max r = old max r }
  ensures  { plength r = old plength r }
  ensures  { min scratch = old min scratch }
  ensures  { max scratch = old max scratch }
  ensures  { plength scratch = old plength scratch }
  variant  { k + k + 1 }
=
  if sy <= toom22_threshold
  then wmpn_mul_basecase r x sx y sy
  else
    if (4 * sx < 5 * sy) (* ? *)
    then wmpn_toom22_mul r x sx y sy scratch k
    else wmpn_toom32_mul r x sx y sy scratch k

with wmpn_toom22_mul_n_rec (r x y scratch: ptr limb) (sz:int32) (ghost k: int) : unit
  requires { valid x sz }
  requires { valid y sz }
  requires { valid r (sz + sz) }
  requires { writable r /\ writable scratch }
  requires { 0 < sz }
  requires { 8 * sz < max_int32 }
  requires { 0 <= k <= 64 }
  requires { sz <= toom22_threshold * power 2 k }
  requires { valid scratch (2 * (sz + k)) }
  ensures  { value r (sz + sz) = value x sz * value y sz }
  ensures  { forall j. min r <= j < offset r \/ offset r + sz + sz <= j < max r
                       -> (pelts r)[j] = old (pelts r)[j] }
  ensures  { forall j. min scratch <= j < offset scratch
             -> (pelts scratch)[j] = old (pelts scratch)[j] }
  ensures  { min r = old min r }
  ensures  { max r = old max r }
  ensures  { plength r = old plength r }
  ensures  { min scratch = old min scratch }
  ensures  { max scratch = old max scratch }
  ensures  { plength scratch = old plength scratch }
  variant  { k + k + 1 }
=
  if sz <= toom22_threshold
  then wmpn_mul_basecase r x sz y sz
  else wmpn_toom22_mul r x sz y sz scratch k

with wmpn_toom32_mul (r x:ptr limb) (sx:int32) (y:ptr limb) (sy:int32)
                     (scratch: ptr limb) (ghost k: int) : unit
  requires { valid x sx }
  requires { valid y sy }
  requires { valid r (sx + sy) }
  requires { writable r /\ writable scratch }
  requires { toom22_threshold < sy }
  requires { 0 < k <= 64 }
  requires { sx <= toom22_threshold * power 2 k }
  requires { valid scratch (2 * (sx + k)) }
  requires { 8 * sx < max_int32 }
  requires { 4 < sy + 2 <= sx }
  requires { sx + 6 <= 3 * sy }
  ensures  { min r = old min r }
  ensures  { max r = old max r }
  ensures  { plength r = old plength r }
  ensures  { min scratch = old min scratch }
  ensures  { max scratch = old max scratch }
  ensures  { plength scratch = old plength scratch }
  ensures  { value r (sx + sy) = value x sx * value y sy }
  ensures  { forall j. min r <= j < offset r \/ offset r + sx + sy <= j < max r
                       -> (pelts r)[j] = old (pelts r)[j] }
  ensures  { forall j. min scratch <= j < offset scratch
                       -> (pelts scratch)[j] = old (pelts scratch)[j] }
  variant { k + k }
=
  let n = 1 + (if 2 * sx >= 3 * sy
               then (sx - 1) / 3
               else (sy - 1) / 2) in
  let s = sx - 2 * n in
  let t = sy - n in
  assert { 0 < s <= n };
  assert { 0 < t <= n };
  assert { s + t >= n };
  let x0 = x in
  let x1 = C.incr x n in
  let x2 = C.incr x1 n in
  let y0 = y in
  let y1 = C.incr y n in
  let ghost a0 = value x0 (int32'int n) in
  let ghost a1 = value x1 (int32'int n) in
  let ghost a2 = value x2 (int32'int s) in
  let ghost b0 = value y0 (int32'int n) in
  let ghost b1 = value y1 (int32'int t) in
  let ghost m  = power radix (int32'int n) in
  value_concat x1 n (sx - n);
  value_concat x n sx;
  value_concat y n sy;
  assert { value y sy = b0 + m * b1 };
  assert { value x sx = a0 + m * a1 + m * m * a2 };
  let rol = decr_split r 0 in
  let ror = incr_split r (sx + sy) in
  let sol = decr_split scratch 0 in
  let sor = incr_split scratch ((n + n) + 1) in
  (* xp1 | yp1 | xm1 | ym1 *)
  let xp1 = r in                  (* x(1) = a0 + a1 + a2  *)
  let yp1 = incr_split r n in     (* y(1) = b0 + b1       *)
  let xm1 = incr_split yp1 n in   (* x(-1) = a0 - a1 + a2 *)
  let ym1 = incr_split xm1 n in   (* y(-1) = b0 - b1      *)
  let v1  = scratch in            (* x(1)*y(1)            *)
  let vm1 = r in                  (* x(-1)*y(-1)          *)
  let xp1_hi = ref 0 in           (* high limb of xp1     *)
  let yp1_hi = ref 0 in           (* high bit of yp1      *)
  let hi = ref 0 in               (* high bit of xm1      *)
  let vm1_neg = ref false in      (* negate vm1 ?         *)
  begin ensures { value xp1 n + m * !xp1_hi = a0 + a1 + a2 }
        ensures { (!vm1_neg /\ value xm1 n + m * !hi = a1 - (a0 + a2))
                  \/ (not !vm1_neg /\ value xm1 n + m * !hi = a0 - a1 + a2) }
        ensures { 0 <= !xp1_hi <= 2 }
        ensures { 0 <= !hi <= 1 }
    xp1_hi := wmpn_add xp1 x0 n x2 s;
    begin
      let cmp = wmpn_cmp xp1 x1 n in
      if (*begin ensures { result <-> a0 + a2 < a1 }*)
           !xp1_hi = 0
           && (cmp < 0)
         (*end*)
      then begin
        assert { value xp1 n < value x1 n };
        assert { value xp1 n = a0 + a2 };
        let ghost b = wmpn_sub_n xm1 x1 xp1 n in
        assert { b = 0 };
        hi := 0;
        vm1_neg := true end
      else begin
        let b = wmpn_sub_n xm1 xp1 x1 n in
        assert { !xp1_hi = 0 -> b = 0 };
        hi := !xp1_hi - b;
        assert { value xm1 n + m * !hi = a0 - a1 + a2
                 by value xm1 n + m * !hi
                  = value xm1 n - m * b + m * !xp1_hi
                  = value xp1 n - a1 + m * !xp1_hi
                  = a0 - a1 + a2 };
        end
    end;
    label Addx1 in
    assert { value xp1 n + m * !xp1_hi = a0 + a2 };
    let c = wmpn_add_n_in_place xp1 x1 n in
    xp1_hi := !xp1_hi + c;
    assert { value xp1 n + m * !xp1_hi = a0 + a2 + a1
             by value xp1 n + m * !xp1_hi
                = value xp1 n + m * c + m * (!xp1_hi at Addx1)
                = (value xp1 n at Addx1) + value x1 n + m * (!xp1_hi at Addx1)
                = a0 + a2 + value x1 n = a0 + a2 + a1 };
  end;
  label B1 in
  begin ensures { value yp1 n + m * !yp1_hi = b0 + b1 }
        ensures { (!vm1_neg = (!vm1_neg at B1) /\ value ym1 n = b0 - b1)
                  \/ (!vm1_neg = not (!vm1_neg at B1) /\ value ym1 n = b1 - b0) }
        ensures { 0 <= !yp1_hi <= 1 }
    if (t = n)
    then begin
      yp1_hi := wmpn_add_n yp1 y0 y1 n;
      let cmp = wmpn_cmp y0 y1 n in
      if (cmp < 0)
      then begin
        let ghost b = wmpn_sub_n ym1 y1 y0 n in
        assert { b = 0 };
        vm1_neg := not !vm1_neg end
      else begin
        let ghost b = wmpn_sub_n ym1 y0 y1 n in
        assert { b = 0 }
        end
      end
    else begin
      yp1_hi := wmpn_add yp1 y0 n y1 t;
      let y0t = C.incr y0 t in
      let c0 = ((wmpn_zero_p y0t (n - t)) = 1) in
      let cmp = wmpn_cmp y0 y1 t in
      let c1 = (cmp < 0) in
      if c0 && c1
      then begin
        value_concat y0 t n;
        assert { value y0 t = value y0 n };
        assert { value y0 t < value y1 t };
        let ghost b = wmpn_sub_n ym1 y1 y0 t in
        assert { b = 0 };
        let ghost ym1z = { ym1 } in
        let ym1t = C.incr ym1 t in
        label Zero in
        wmpn_zero ym1t (n - t);
        assert { forall i. 0 <= i < t ->
                 (pelts ym1)[offset ym1 + i] = (pelts ym1z)[offset ym1z + i]
                 by offset ym1 + i < offset ym1t
                 so (pelts ym1)[offset ym1 + i]
                     = (pelts ym1t)[offset ym1 + i]
                     = (pelts ym1t at Zero)[offset ym1 + i]
                     = (pelts ym1 at Zero)[offset ym1 + i] };
        value_sub_frame_shift (pelts ym1) (pelts ym1z)
                              (offset ym1) (offset ym1z) (p2i t);
        assert { value ym1 t = value ym1 t at Zero };
        value_concat ym1 t n;
        assert { value ym1 n = value ym1 t
                 by value_sub (pelts ym1) (offset ym1 + t) (offset ym1 + n)
                    = value ym1t (n-t) = 0 };
        vm1_neg := not !vm1_neg end
      else begin
        value_concat y0 t n;
        assert { value y0 n = value y0 t + power radix t * value y0t (n-t) };
        assert { value y1 t <= value y0 n
                 by (not c0
                     so 1 <= value y0t (n - t)
                     so power radix t * 1 <= power radix t * value y0t (n-t)
                     so power radix t <= value y0 n
                     so value y1 t < power radix t)
                  \/ (not c1
                      so value y1 t <= value y0 t
                      so value y0 t <= value y0 n) };
        let ghost b = wmpn_sub ym1 y0 n y1 t in
        assert { b = 0 }
        end;
      end
  end;
  let ghost am1_abs = value xm1 (int32'int n) + m * (uint64'int !hi) in
  let ghost bm1_abs = value ym1 (int32'int n) in
  label RecP1 in
  wmpn_toom22_mul_n_rec v1 xp1 yp1 sor n (k-1);
  let cy = ref 0 in
  begin ensures { value scratch (2 * n) + power radix (n + n) * !cy
                  = (a0 + a1 + a2) * (b0 + b1) }
    assert { value scratch (n+n) = value xp1 n * value yp1 n };
    begin ensures { value scratch (n + n) + power radix (n + n) * !cy
                    = (a0 + a1 + a2) * (value yp1 n) }
          ensures { 0 <= !cy <= 3 }
          (* actually 2, but this is enough to prove there is no overflow *)
    if (!xp1_hi = 1)
    then begin
      let sa = { scratch } in
      let sn = C.incr scratch n in
      label Adjust1 in
      value_concat scratch n (n+n);
      assert { pelts scratch = pelts sn };
      let c = wmpn_add_n_in_place sn yp1 n in
      assert { pelts scratch = pelts sn };
      value_concat scratch n (n+n);
      value_sub_frame_shift (pelts scratch) (pelts sa)
                            (offset scratch) (offset sa) (p2i n);
      assert { value scratch n = value (scratch at Adjust1) n };
      assert { m * m = power radix (n+n) };
      assert { value scratch (n+n) + m * m * c = (a0 + a1 + a2) * value yp1 n
               by value sn n = value_sub (pelts scratch) (offset scratch + n)
                                         (offset scratch + (n+n))
               so value scratch (n+n) = value scratch n + m * value sn n
               so value (sn at Adjust1) n
                   = value_sub (pelts sa) (offset scratch + n)
                                          (offset scratch + (n+n))
               so value (scratch at Adjust1) (n+n)
                   = value scratch n + m * value (sn at Adjust1) n
               so value sn n + m * c = value (sn at Adjust1) n + value yp1 n
               so value scratch (n+n) + m * m * c
                  = value scratch n + m * (value sn n + m * c)
                  = value scratch n + m * value (sn at Adjust1) n + m * value yp1 n
                  = value (scratch at Adjust1) (n+n) + m * value yp1 n
                  = value xp1 n * value yp1 n + m * value yp1 n
                  = (value xp1 n + m * !xp1_hi) * value yp1 n
                  = (a0 + a1 + a2) * value yp1 n };
      cy := c end
    else begin
      if (!xp1_hi = 2)
      then begin
      let sa = { scratch } in
      let sn = C.incr scratch n in
      label Adjust2 in
      value_concat scratch n (n+n);
      assert { pelts scratch = pelts sn };
      let c = wmpn_addmul_1 sn yp1 n 2 in
      assert { pelts scratch = pelts sn };
      value_concat scratch n (n+n);
      value_sub_frame_shift (pelts scratch) (pelts sa)
                            (offset scratch) (offset sa) (p2i n);
      assert { value scratch n = value (scratch at Adjust2) n };
      assert { m * m = power radix (n+n) };
      assert { value scratch (n+n) + m * m * c = (a0 + a1 + a2) * value yp1 n
               by value sn n = value_sub (pelts scratch) (offset scratch + n)
                                         (offset scratch + (n+n))
               so value scratch (n+n) = value scratch n + m * value sn n
               so value (sn at Adjust2) n
                   = value_sub (pelts sa) (offset scratch + n)
                                          (offset scratch + (n+n))
               so value (scratch at Adjust2) (n+n)
                   = value scratch n + m * value (sn at Adjust2) n
               so value sn n + m * c = value (sn at Adjust2) n + !xp1_hi * value yp1 n
               so value scratch (n+n) + m * m * c
                  = value scratch n + m * (value sn n + m * c)
                  = value scratch n + m * value (sn at Adjust2) n
                                    + m * !xp1_hi * value yp1 n
                  = value (scratch at Adjust2) (n+n) + m * !xp1_hi * value yp1 n
                  = value xp1 n * value yp1 n + m * !xp1_hi * value yp1 n
                  = (value xp1 n + m * !xp1_hi) * value yp1 n
                  = (a0 + a1 + a2) * value yp1 n };
      assert { c <= 3
               by value sn n + m * c = value (sn at Adjust2) n + (value yp1 n) * 2
               so 0 <= value sn n
               so value (sn at Adjust2) n < m
               so value yp1 n < m
               so m * c < m * 3
               so c <= 3 };
      cy := c end
    else assert { !xp1_hi = 0 }  end
    end;
    begin ensures { value scratch (n + n) + power radix (n + n) * !cy
                    = (a0 + a1 + a2) * (b0 + b1) }
    if not (!yp1_hi = 0)
    then begin
      let sa = { scratch } in
      let sn = C.incr scratch n in
      label Adjust3 in
      value_concat scratch n (n+n);
      assert { pelts scratch = pelts sn };
      let c = wmpn_add_n_in_place sn xp1 n in
      value_concat scratch n (n+n);
      assert { pelts scratch = pelts sn };
      value_sub_frame_shift (pelts scratch) (pelts sa)
                            (offset scratch) (offset sa) (p2i n);
      assert { value scratch n = value (scratch at Adjust3) n };
      cy := !xp1_hi * !yp1_hi + c + !cy;
      assert { m * m = power radix (n+n) };
      assert { value scratch (n + n) + power radix (n + n) * !cy
                    = (a0 + a1 + a2) * (b0 + b1)
               by value sn n = value_sub (pelts scratch) (offset scratch + n)
                                         (offset scratch + (n+n))
               so value scratch (n+n) = value scratch n + m * value sn n
               so value (sn at Adjust3) n
                   = value_sub (pelts sa) (offset scratch + n)
                                          (offset scratch + (n+n))
               so value (scratch at Adjust3) (n+n)
                   = value scratch n + m * value (sn at Adjust3) n
               so !yp1_hi = 1
               so value sn n + m * c
                  = value (sn at Adjust3) n + !yp1_hi * value xp1 n
               so !yp1_hi * value xp1 n + m * !xp1_hi * !yp1_hi
                  = (a0 + a1 + a2) * !yp1_hi
               so value scratch (n+n) + m * m * !cy
                  = value scratch (n+n) + m * m * c
                       + m * m * !xp1_hi * !yp1_hi + m * m * (!cy at Adjust3)
                  = value scratch n + m * (value sn n + m * c)
                       + m * m * !xp1_hi * !yp1_hi + m * m * (!cy at Adjust3)
                  = value scratch n
                       + m * (value (sn at Adjust3) n + !yp1_hi * value xp1 n)
                       + m * m * !xp1_hi * !yp1_hi + m * m * (!cy at Adjust3)
                  = value scratch n + m * value (sn at Adjust3) n
                       + m * !yp1_hi * value xp1 n
                       + m * m * !xp1_hi * !yp1_hi + m * m * (!cy at Adjust3)
                  = value (scratch at Adjust3) (n+n)
                       + m * !yp1_hi * value xp1 n
                       + m * m * !xp1_hi * !yp1_hi + m * m * (!cy at Adjust3)
                  = (a0 + a1 + a2) * value yp1 n
                       + m * !yp1_hi * value xp1 n
                       + m * m * !xp1_hi * !yp1_hi
                  = (a0 + a1 + a2) * value yp1 n + m * (a0 + a1 + a2) * !yp1_hi
                  = (a0 + a1 + a2) * (value yp1 n + m * !yp1_hi)
                  = (a0 + a1 + a2) * (b0 + b1) } end
      else assert { b0 + b1 = value yp1 n }
    end;
  end;
  label RecM1 in
  join vm1 yp1;
  wmpn_toom22_mul_n_rec vm1 xm1 ym1 sor n (k-1);
  begin ensures { value vm1 (2*n) + m * m * !hi = am1_abs * bm1_abs }
        ensures { min r = old min r }
        ensures { max r = old max r }
        ensures { plength r = old plength r }
        ensures { 0 <= !hi <= 1 }
  if (not (!hi = 0))
  then begin
    assert { !hi = 1 };
    value_concat vm1 n (2*n);
    label HiSplit in
    let vm1n = incr_split vm1 n in
    let vm1l = { vm1 } in
    assert { value vm1 (2*n) at HiSplit = value vm1l n + m * value vm1n n
             by value vm1n n = value_sub (pelts vm1 at HiSplit)
                               (offset vm1 + n) (offset vm1 + 2*n) };
    label HiAdd in
    let c = wmpn_add_n_in_place vm1n ym1 n in
    label HiJoin in
    let vm1nj = { vm1n } in
    join vm1 vm1n;
    value_concat vm1 n (2*n);
    value_sub_frame (pelts vm1) (pelts vm1l) (offset vm1) (offset vm1 + p2i n);
    value_sub_frame (pelts vm1) (pelts vm1nj) (offset vm1 + p2i n)
                                              (offset vm1 + 2 * p2i n);
    assert { value vm1 n = value vm1l n };
    assert { value vm1 (2*n) = value vm1l n + m * value vm1nj n
             by value vm1nj n = value_sub (pelts vm1) (offset vm1 + p2i n)
                                                  (offset vm1 + 2 * p2i n) };
    assert { value vm1 (2*n) + m * m * c = am1_abs * bm1_abs
             by value vm1 (2 * n) + m * m * c
                = value vm1l n + m * (value (vm1n at HiJoin) n + m * c)
                = value vm1l n + m * (value (vm1n at HiAdd) n + value ym1 n)
                = value vm1 (2*n) at HiSplit + m * value ym1 n
                = value xm1 n * value ym1 n + m * value ym1 n
                = (value xm1 n + m * !hi) * value ym1 n
                = am1_abs * bm1_abs };
    hi := c;
    end
  end;
  let ghost vx0 = a0 * b0 in
  let ghost vx1 = a1 * b0 + a0 * b1 in
  let ghost vx2 = a2 * b0 + a1 * b1 in
  let ghost vx3 = a2 * b1 in
  assert { 0 <= vx0 /\ 0 <= vx1 /\ 0 <= vx2 /\ 0 <= vx3
           by 0 <= a0 /\ 0 <= a1 /\ 0 <= a2 /\ 0 <= b0 /\ 0 <= b1 };
  assert { (a0 + m * a1 + m * m * a2) * (b0 + m * b1)
           = vx0 + m * vx1 + m * m * vx2 + m * m * m * vx3 };
  assert { (a0 + a1 + a2) * (b0 + b1) = vx0 + vx1 + vx2 + vx3 };
  assert { vx0 + vx2 < 3 * m * m
            by (0 <= a0 < m /\ 0 <= a1 < m /\ 0 <= a2 < m
                /\ 0 <= b0 < m /\ 0 <= b1 < m
                by a2 < power radix s <= m
                so b1 < power radix t <= m)
            so (vx0 < m * m
                by vx0 = a0 * b0 <= a0 * m = m * a0 < m * m)
            so (vx2 < 2 * m * m
                by vx2 = a2 * b0 + a1 * b1
                so a2 * b0 <= a2 * m = m * a2 < m * m
                so a1 * b1 <= a1 * m = m * a1 < m * m) };
  begin ensures { value scratch (2*n + 1) = vx0 + vx2 }
        ensures { if !vm1_neg
                  then am1_abs*bm1_abs = (a0 - a1 + a2) * (b1 - b0)
                  else am1_abs*bm1_abs = (a0 - a1 + a2) * (b0 - b1) }
    begin ensures { value scratch (2*n + 1) = 2 * (vx0 + vx2) }
          ensures { if !vm1_neg
                    then am1_abs*bm1_abs = (a0 - a1 + a2) * (b1 - b0)
                    else am1_abs*bm1_abs = (a0 - a1 + a2) * (b0 - b1) }
    if !vm1_neg
    then begin
      assert { am1_abs * bm1_abs = (a0 - a1 + a2) * (b1 - b0)
               by if !vm1_neg at B1
               then am1_abs * bm1_abs = (a0 - a1 + a2) * (b1 - b0)
                    by am1_abs = a1 - (a0 + a2) /\ bm1_abs = b0 - b1
               else am1_abs * bm1_abs = (a0 - a1 + a2) * (b1 - b0)
                    by am1_abs = a0 - a1 + a2 /\ bm1_abs = b1 - b0 };
      assert { (a0 - a1 + a2) * (b1 - b0) = vx1 -vx0 + vx3 - vx2 };
      label Sub in
      let b = wmpn_sub_n_in_place scratch vm1 (2*n) in
      let r, ghost b' = sub_with_borrow !cy !hi b in
      assert { (b' = 0 /\ value scratch (2*n) + m * m * r = 2 * (vx0 + vx2))
               by r - radix * b' = !cy - !hi - b
               so m * m * r - m * m * radix * b'
                  = m * m * !cy - m * m * !hi - m * m * b
               so (m * m * b
                    = value scratch (2*n) - value (scratch at Sub) (2*n)
                      + value vm1 (2*n)
                   by value scratch (2*n) - (m * m) * b
                      = value (scratch at Sub) (2*n) - value vm1 (2*n))
               so m * m * r - m * m * radix * b' + value scratch (2 * n)
                  = m * m * !cy - m * m * !hi + value (scratch at Sub) (2*n)
                    - value vm1 (2*n)
                  = (value (scratch at Sub) (2*n) + m * m * !cy)
                    - (value vm1 (2*n) + m * m * !hi)
                  = (vx0 + vx1 + vx2 + vx3) - (vx1 - vx0 + vx3 - vx2)
                  = 2 * (vx0 + vx2)
                  >= 0
               so m * m * r - m * m * radix * b' + value scratch (2 * n) >= 0
               so value scratch (2 * n) < m * m
               so (m * m) * r <= (m * m) * (radix - 1)
               so value scratch (2 * n) + m * m * r < m * m * radix
               so m * m * radix * (1 - b') > 0
               so b' < 1
               so b' = 0
               };
      label Set in
      value_sub_shift_no_change (pelts scratch) (offset scratch)
                                (2 * p2i n)
                                (2 * p2i n) !cy;
      set_ofs scratch (2*n) r;
      assert { value scratch (2 * n) = value (scratch at Set) (2 * n) };
      value_tail scratch (2*n);
      assert { value scratch (2*n + 1) = 2 * (vx0 + vx2)
               by value scratch (2*n + 1) = value scratch (2*n) + (m*m) * r };
      end
    else begin
      assert { am1_abs * bm1_abs = (a0 - a1 + a2) * (b0 - b1)
               by if !vm1_neg at B1
               then am1_abs * bm1_abs = (a0 - a1 + a2) * (b0 - b1)
                    by am1_abs = a1 - (a0 + a2) /\ bm1_abs = b1 - b0
               else am1_abs * bm1_abs = (a0 - a1 + a2) * (b0 - b1)
                    by am1_abs = a0 - a1 + a2 /\ bm1_abs = b0 - b1 };
      assert { (a0 - a1 + a2) * (b0 - b1) = vx0 - vx1 + vx2 - vx3 };
      label Add in
      let c = wmpn_add_n_in_place scratch vm1 (2*n) in
      let r, ghost c' = add_with_carry !cy !hi c in
      assert { (c' = 0 /\ value scratch (2*n) + (m*m) * r = 2 * (vx0 + vx2))
                by r + radix * c' = !cy + !hi + c
                so m * m * r + m * m * radix * c'
                   = m * m * !cy + m * m * !hi + m * m * c
                so (m * m * c
                    = value (scratch at Add) (2*n) - value scratch (2*n)
                      + value vm1 (2*n)
                    by value scratch (2*n) + (m*m)*c
                       = value (scratch at Add) (2*n) + value vm1 (2*n))
                so m * m * r + m * m * radix * c' + value scratch (2*n)
                   = m * m * !cy + m * m * !hi + value (scratch at Add) (2*n)
                     + value vm1 (2*n)
                   = (value (scratch at Add) (2*n) + m * m * !cy)
                     + (value vm1 (2*n) + m * m * !hi)
                   = (vx0 + vx1 + vx2 + vx3) + (am1_abs * bm1_abs)
                   = (vx0 + vx1 + vx2 + vx3) + (vx0 - vx1 + vx2 - vx3)
                   = 2 * (vx0 + vx2)
                so 2 * (vx0 + vx2) < 6 * m * m < m * m * radix
                so (m * m * radix * c' < m * m * radix
                    by 0 <= r so 0 <= m * m * r
                    so 0 <= value scratch (2*n)
                    so m * m * radix * c'
                       <= m * m * r + m * m * radix * c' + value scratch (2*n)
                       < m * m * radix)
                so c' < 1
                so c' = 0
      };
      label Set in
      value_sub_shift_no_change (pelts scratch) (offset scratch)
                                (2 * p2i n)
                                (2 * p2i n) !cy;
      set_ofs scratch (2*n) r;
      assert { value scratch (2 * n) = value (scratch at Set) (2 * n) };
      value_tail scratch (2*n);
      assert { value scratch (2*n + 1) = 2 * (vx0 + vx2)
               by value scratch (2*n + 1) = value scratch (2*n) + (m*m) * r };
    end
    end;
    label Shift in
    let s = (2 * n) + 1 in
    let ghost low = wmpn_rshift scratch scratch s 1 in
    assert { low = 0 /\ value scratch s = vx0 + vx2
             by (low + radix * value scratch s)
                = value (scratch at Shift) s * power 2 (Limb.length - 1)
                = 2 * (vx0 + vx2) * power 2 (Limb.length - 1)
                = (vx0 + vx2) * power 2 Limb.length
                = (vx0 + vx2) * radix
             so divides radix ((vx0 + vx2) * radix)
             so divides radix (low + radix * value scratch s)
             so divides radix low }
  end;
  let ghost vy = vx1 + vx3 + (vx0 + vx2) * m in
  assert { vy = (vx0 + vx2) * m + vx0 + vx2 - (vx0 - vx1 + vx2 - vx3) };
  join xm1 ym1;
  (* (    r    |    xm1  ) *)
  let ghost ss = (2 * n) + 1 in
  assert { value scratch ss = vx0 + vx2 };
  let vy0 = scratch in
  let ghost l02 = value scratch (int32'int n) in
  let vy1 = xm1 in
  let vy2 = incr_split scratch n in
  let ghost h02 = value vy2 (int32'int n) in
  let t02 = get_ofs vy2 n in
  begin ensures { value vy0 n + m * value vy1 n + m * m * value vy2 (n+1) = vy }
        ensures { value vy2 (n+1) < (power radix n) * 6 }
  label Vy in
  let os = { vy0 } in
  value_tail vy2 n;
  value_concat scratch n ss;
  assert { l02 + m * h02 + m * m * t02 = vx0 + vx2
           by vx0 + vx2 = value scratch ss
              = value scratch n + m * value_sub (pelts scratch)
                                      (offset scratch + n) (offset scratch + ss)
              = value scratch n + m * value vy2 (n+1)
              = l02 + m * (h02 + m * t02) };
  assert { t02 < 3
           by l02 + m * h02 + m * m * t02 < m * m * 3
           so 0 <= l02 /\ 0 <= h02 /\ 0 <= m
           so 0 <= l02 + m * h02
           so m * m * t02 < m * m * 3 };
  let c = wmpn_add_n vy1 vy0 vy2 n in
  assert { value vy2 (n+1) < (power radix n) * 4
           by value vy2 (n+1) = value vy2 n + (power radix n) * t02
              < power radix n + (power radix n) * t02
              <= (power radix n) * 4 };
  assert { value vy2 (n+1) + (c + t02) < (power radix n) * 5
           by c + t02 <= power radix n
           so value vy2 (n+1) + (c+t02) <= (power radix n) * 5 };
  wmpn_incr vy2 (n+1) (c + t02);
  assert { value vy2 (n+1) < (power radix n) * 5 };
  value_sub_frame (pelts vy0) (pelts os) (offset scratch) (offset scratch + int32'int n);
  assert { value vy0 n + m * value vy1 n + m * m * value vy2 (n+1)
           = l02 + m * (l02 + h02) + m * m * (h02 + t02 + m * t02)
           = (vx0 + vx2) * m + vx0 + vx2
           by value vy0 n = l02
           so value vy1 n + m * c = l02 + h02
           so value vy2 (n+1) = value vy2 (n+1) at Vy + c + t02
              = h02 + t02 + m * t02 + c
           so value vy0 n + m * value vy1 n + m * m * value vy2 (n+1) + m * c
              = l02 + m * (l02 + h02) + m * m * (h02 + t02 + m * t02) + m * c };
  let vm1n = incr vm1 n in
  value_concat vm1 n (2*n);
  assert { value vm1 n + m * value vm1n n + m * m * !hi = am1_abs * bm1_abs
           by value vm1 n + m * value vm1n n = value vm1 (2*n) };
  begin ensures { value vy0 n + m * value vy1 n + m * m * value vy2 (n+1)
                  = old (value vy0 n + m * value vy1 n + m * m * value vy2 (n+1))
                    - (vx0 - vx1 + vx2 - vx3) }
        ensures { value vy2 (n+1) < (power radix n) * 6 }
  label Vm1 in
  let ovy2 = { vy2 } in
  if !vm1_neg
  then begin
    assert { am1_abs*bm1_abs = (a0 - a1 + a2) * (b1 - b0)
             = - (vx0 - vx1 + vx2 - vx3) };
    let c1 = wmpn_add_n_in_place scratch vm1 n in
    assert { value scratch n = value scratch n at Vm1 + value vm1 n - m * c1 };
    let c2 = wmpn_add_n_in_place vy1 vm1n n in
    assert { value vy1 n = value vy1 n at Vm1 + value vm1n n - m * c2};
    hi := !hi + c2;
    let c3 = wmpn_add_1_in_place vy1 n c1 in
    assert { value vy1 n
             = value vy1 n at Vm1 + value vm1n n + c1 - m * (c2 + c3) };
    hi := !hi + c3;
    wmpn_incr vy2 (n+1) !hi;
    assert { value vy2 (n+1) = value ovy2 (n+1) + c2 + c3 + !hi at Vm1 };
    assert { value vy0 n + m * value vy1 n + m * m * value vy2 (n+1)
             = (value vy0 n + m * value vy1 n + m * m * value vy2 (n+1)) at Vm1
               - (vx0 - vx1 + vx2 - vx3)
             by value vy0 n + m * value vy1 n + m * m * value vy2 (n+1)
             = value vy0 n at Vm1 + value vm1 n - m * c1
               + m * (value vy1 n at Vm1 + value vm1n n + c1 -  m * (c2 + c3))
               + m * m * (value ovy2 (n+1) + c2 + c3 + !hi at Vm1)
             = (value vy0 n + m * value vy1 n + m * m * value vy2 (n+1)) at Vm1
               + (value vm1 n + m * value vm1n n + m * m * !hi at Vm1)
             = (value vy0 n + m * value vy1 n + m * m * value vy2 (n+1)) at Vm1
               + am1_abs * bm1_abs
             = (value vy0 n + m * value vy1 n + m * m * value vy2 (n+1)) at Vm1
                - (vx0 - vx1 + vx2 - vx3) };
    end
  else begin
    assert { am1_abs*bm1_abs = (a0 - a1 + a2) * (b0 - b1)
             = vx0 - vx1 + vx2 - vx3 };
    let b1 = wmpn_sub_n_in_place scratch vm1 n in
    assert { value scratch n = value scratch n at Vm1 - value vm1 n + m * b1 };
    let b2 = wmpn_sub_n_in_place vy1 vm1n n in
    assert { value vy1 n = value vy1 n at Vm1 - value vm1n n + m * b2 };
    hi := !hi + b2;
    let b3 = wmpn_sub_1_in_place vy1 n b1 in
    assert { value vy1 n
             = value vy1 n at Vm1 - value vm1n n - b1 + m * (b2 + b3) };
    hi := !hi + b3;
    assert { value vy0 n + m * value vy1 n + m * m * (value vy2 (n+1) - !hi)
             = (value vy0 n + m * value vy1 n + m * m * value vy2 (n+1)) at Vm1
               - (vx0 - vx1 + vx2 - vx3)
             by value vy0 n + m * value vy1 n + m * m * (value vy2 (n+1) - !hi)
             = value vy0 n + m * value vy1 n
               + m * m * (value ovy2 (n+1) - b2 - b3 - !hi at Vm1)
             = value vy0 n at Vm1 - value vm1 n + m * b1
               + m * (value vy1 n at Vm1 - value vm1n n - b1 +  m * (b2 + b3))
               + m * m * (value ovy2 (n+1) - b2 - b3 - !hi at Vm1)
             = (value vy0 n + m * value vy1 n + m * m * value vy2 (n+1)) at Vm1
               - (value vm1 n + m * value vm1n n + m * m * !hi at Vm1)
             = (value vy0 n + m * value vy1 n + m * m * value vy2 (n+1)) at Vm1
               - am1_abs * bm1_abs
             = (value vy0 n + m * value vy1 n + m * m * value vy2 (n+1)) at Vm1
               - (vx0 - vx1 + vx2 - vx3) };
    assert { value vy2 (n+1) - !hi >= 0
             by value vy0 n + m * value vy1 n + m * m * (value vy2 (n+1) - !hi)
                = vy
             so (vy >= 0 by 0 <= vx1 /\ 0 <= vx1 /\ 0 <= vx2 /\ 0 <= vx3)
             so value vy0 n < m
             so value vy1 n <= m - 1
             so m * value vy1 n <= m * (m-1)
             so value vy0 n + m * value vy1 n <= value vy0 n + m * (m-1)
                < m + m * (m-1) = m * m
             so 0 <= value vy0 n + m * value vy1 n + m * m * (value vy2 (n+1) - !hi)
                < m * m * (1 + value vy2 (n+1) - !hi)
             so 0 < (m * m) * (1 + value vy2 (n+1) - !hi)
             so 0 < (1 + value vy2 (n+1) - !hi) };
    wmpn_decr vy2 (n+1) !hi;
    assert { value vy2 (n+1) = value ovy2 (n+1) - b2 - b3 - !hi at Vm1 };
    end;
  end
  end;
  label Split3 in
  let ghost ovy1 = { vy1 } in
  wmpn_toom22_mul_n_rec r x y sor n (k-1);
  let r3n = incr_split xm1 n in
  value_sub_frame (pelts vy1) (pelts ovy1) (offset vy1)
                              (offset vy1 + int32'int n);
  assert { value vy1 n = value ovy1 n };
  assert { value r (n+n) = vx0
           by value x n = a0 so value y n = b0 };
  begin
    ensures { value r3n (s+t) = vx3 }
    ensures { min r3n = old min r3n /\ max r3n = old max r3n }
    ensures { plength r3n = old plength r3n }
    if (s > t)
    then let ghost _ = wmpn_mul r3n x2 s y1 t (k-1) in ()
    else let ghost _ = wmpn_mul r3n y1 t x2 s (k-1) in ()
  end;
  assert { (a0 + m * a1 + m * m * a2) * (b0 + m * b1)
           = m * vy + vx0 + m * m * m * vx3 - m * m * vx0 - m * vx3 };
  assert { 0 <= vx0 < m * m /\ 0 <= vx3 < m * m
           by a0 * b0 <= a0 * m = m * a0 < m * m
           so a2 < power radix s <= m
           so b1 < power radix t <= m
           so a2 * b1 <= a2 * m = m * a2 < m * m };
  let ghost or = { r } in
  let r1n = incr_split r n in
  value_sub_frame (pelts r) (pelts or) (offset r) (offset r + int32'int n);
  value_sub_frame (pelts r1n) (pelts or) (offset r1n) (offset r1n + int32'int n);
  let ghost lvx0 = value r (int32'int n) in
  let ghost hvx0 = value r1n (int32'int n) in
  value_concat or n (n + n);
  assert { vx0 = lvx0 + m * hvx0 };
  let ghost or3n = { r3n } in
  let r4n = incr_split r3n n in
  let r2n = xm1 in
  value_sub_frame (pelts r3n) (pelts or3n) (offset r3n)
                                           (offset r3n + int32'int n);
  value_sub_frame (pelts r4n) (pelts or3n) (offset r4n)
                  (offset r4n + int32'int s + int32'int t - int32'int n);
  let ghost lvx3 = value r3n (int32'int n) in
  let ghost hvx3 = value r4n (int32'int s + int32'int t- int32'int n) in
  value_concat or3n n (s + t);
  assert { vx3 = lvx3 + m * hvx3 };
  let ghost vvy0 = value vy0 (int32'int n) in
  let ghost vvy1 = value vy1 (int32'int n) in
  let ghost vvy2 = value vy2 (int32'int n+1) in
  assert { vy = vvy0 + m * vvy1 + m * m * vvy2 };
  assert { m * vy + vx0 + m * m * m * vx3 - m * m * vx0 - m * vx3
           = lvx0 + m * (vvy0 + hvx0 - lvx3) + m * m * (vvy1 - lvx0 - hvx3)
             + m * m * m * (vvy2 - (hvx0 - lvx3)) + m * m * m * m * hvx3 };
  label R1 in
  let bo1 = wmpn_sub_n_in_place r1n r3n n in
  let bo = ref bo1 in
  assert { value r1n n - m * bo1 = hvx0 - lvx3 };
  let ly2 = get_ofs vy2 n in
  value_tail vy2 n;
  assert { 0 <= ly2 < 6
           by 0 <= value vy2 n
           so value vy2 n + (power radix n) * ly2 = value vy2 (n+1)
           so (power radix n) * ly2 <= value vy2 (n+1) < (power radix n) * 6 };
  let h = ref (Limb.to_int64 (ly2 + bo1)) in
  label R2 in
  let bo2 = wmpn_sub_n_in_place r2n r n in
  let bo2' = wmpn_sub_1_in_place r2n n !bo in
  bo := bo2 + bo2';
  assert { value r2n n - m * !bo = vvy1 - lvx0 - (!bo at R2) };
  assert { value r1n n + m * value r2n n - m * m * !bo
           = hvx0 - lvx3 + m * (vvy1 - lvx0) };
  label R3 in
  let bo3 = wmpn_sub_n r3n vy2 r1n n in
  let bo3' = wmpn_sub_1_in_place r3n n !bo in
  bo := bo3 + bo3';
  assert { value r3n n - m * !bo = value vy2 n - value r1n n - (!bo at R3) };
  assert { value r1n n + m * value r2n n + m * m * value r3n n - m * m *m * !bo
           = hvx0 - lvx3 + m * (vvy1 - lvx0) + m * m * value vy2 n
             - m * m * (hvx0 - lvx3 + m * bo1) };
  h := Int64.(-) !h (Limb.to_int64 !bo);
  label Join3 in
  let ghost or1n = { r1n } in
  let ghost or2n = { r2n } in
  let ghost or3n = { r3n } in
  join r2n r3n;
  value_concat r2n n (n + n);
  join r1n r2n;
  value_sub_frame (pelts r1n) (pelts or1n)
                  (offset r1n) (offset r1n + int32'int n);
  value_sub_frame (pelts r1n) (pelts or2n)
                  (offset r1n + int32'int n) (offset r1n + 2 * int32'int n);
  value_sub_frame (pelts r1n) (pelts or3n)
                  (offset r1n + 2 * int32'int n) (offset r1n + 3 * int32'int n);
  value_concat r1n n (3 * n);
  value_sub_concat (pelts r1n) (offset r1n + int32'int n)
                   (offset r1n + int32'int (2 * n))
                   (offset r1n + int32'int (3 * n));
  assert { value r1n (3*n)
           = value r1n n + m * value r2n n + m * m * value r3n n at Join3
           by offset r2n at Join3 = offset r1n + n
           so offset r3n at Join3 = offset r1n + 2 * n
           so value r1n n = value r1n n at Join3
           so value_sub (pelts r1n) (offset r1n + n) (offset r1n + 2*n)
              = value r2n n at Join3
           so value_sub (pelts r1n) (offset r1n + 2*n) (offset r1n + 3*n)
              = value_sub (pelts or3n) (offset r1n + 2*n) (offset r1n + 3*n)
              = value r3n n at Join3
           so value r1n (3*n)
              = value r1n n
                + m * value_sub (pelts r1n) (offset r1n + n) (offset r1n + 3*n)
              = value r1n n
                + m *
                (value_sub (pelts r1n) (offset r1n + n) (offset r1n + 2*n)
                 + m * value_sub (pelts r1n) (offset r1n + 2*n)
                                             (offset r1n + 3*n))
              = value r1n n
                + m * value_sub (pelts r1n) (offset r1n + n) (offset r1n + 2*n)
                + m * m * value_sub (pelts r1n) (offset r1n + 2*n)
                                                (offset r1n + 3*n) };
  assert { value r1n (3*n) + m * m * m * !h
           = hvx0 - lvx3 + m * (vvy1 - lvx0) + m * m * vvy2
             - m * m * (hvx0 - lvx3)
           by value r1n (3*n) - m * m * m * !bo
              = hvx0 - lvx3 + m * (vvy1 - lvx0) + m * m * value vy2 n
               - m * m * (hvx0 - lvx3 + m * bo1)
           so !h = ly2 + bo1 - !bo
           so value r1n (3*n) + m * m * m * !h
              = value r1n (3*n) - m * m * m * !bo
                + m * m * m * ly2 + m * m * m * bo1
           so m * m * value vy2 n + m * m * m * ly2 = m * m * vvy2 };
  label Addy0 in
  let c = wmpn_add_in_place r1n (3 * n) scratch n in
  h := Int64.(+) !h (Limb.to_int64 c);
  assert { power radix (3*n) = m * m * m };
  assert { value r1n (3*n) + m * m * m * !h
           = vy + hvx0 - lvx3 - m * lvx0 - m * m * (hvx0 - lvx3)
           = vy + hvx0 - lvx3 - m * vx0 + m * m * lvx3
           by value r1n (3*n) + m * m * m * !h
              = value r1n (3*n) + (m * m * m * !h at Addy0) + m * m * m * c
              = (value r1n (3*n) + m * m * m * !h at Addy0)
                 + vvy0
              = vvy0 + hvx0 - lvx3 + m * (vvy1 - lvx0) + m * m * vvy2
                - m * m * (hvx0 - lvx3) };
  label Join1 in
  let ghost or = { r } in
  let ghost or1n = { r1n } in
  join r r1n;
  value_sub_frame (pelts r) (pelts or) (offset r) (offset r + int32'int n);
  value_sub_frame (pelts r) (pelts or1n)
                  (offset r + int32'int n)
                  (offset r + 4 * int32'int n);
  value_concat r n (4*n);
  assert { value r (4*n)
           = lvx0 + m * value r1n (3*n) at Join1
           by offset or1n = offset r + n
           so value r n = lvx0
           so value r1n (3*n) at Join1
              = value_sub (pelts r) (offset r + n) (offset r + 4*n) };
  assert { m * m * m * m = power radix (4*n)
           by m * m = power radix (2*n) };
  assert { value r (4*n) + m * m * m * m * !h
           = vx0 + m * vy - m * lvx3 - m * m * vx0 + m * m * m * lvx3 };
  let rs = s + t - n in
  begin ensures { value r (4*n) + m * m * m * m * value r4n rs
                  = (value x sx) * (value y sy) }
  if [@extraction:likely] (s + t > n)
  then begin
    let r2n = incr r (2 * n) in
    label Sub2 in
    value_concat r (2 * n) (4 * n);
    assert { value r (4*n) = value r (2*n) + m*m * value r2n (2*n)
             by m * m = power radix (2*n)
             so value_sub (pelts r) (offset r + 2*n) (offset r + 4*n)
                = value r2n (2*n) };
    assert { value r4n rs = hvx3 };
    let ghost or = { r } in
    let b = wmpn_sub_in_place r2n (2 * n) r4n rs in
    value_sub_frame (pelts r) (pelts or) (offset r) (offset r + 2 * int32'int n);
    assert { value r (2*n) = value or (2*n) };
    value_concat r (2 * n) (4 * n);
    assert { value r (4*n) = value r (2*n) + m*m * value r2n (2*n)
             by m * m = power radix (2*n)
             so pelts r2n = pelts r
             so offset r2n = offset r + 2*n
             so offset r2n + 2*n = offset r + 4*n
             so value_sub (pelts r) (offset r + 2*n) (offset r + 4*n)
                = value r2n (2*n) };
    h := Int64.(-) !h (Limb.to_int64 b);
    assert { value r2n (2*n) - m * m * b = (value r2n (2*n) at Sub2) - hvx3
             by m * m = power radix (2*n) };
    assert { value r (4*n) - m * m * m * m * b
             = value r (4*n) at Sub2 - m * m * hvx3 };
    assert { value r (4*n) + m * m * m * m * !h + m * m * m * m * value r4n rs
             = value x sx * value y sy
             by value r (4*n) + m * m * m * m * !h
             = value r (4*n) + m * m * m * m * (!h at Sub2) - m * m * m * m * b
             = value r (4*n) at Sub2 + m * m * m * m * !h at Sub2 - m * m * hvx3
             = vx0 + m * vy - m * lvx3 - m * m * vx0 + m * m * m * lvx3
               - m * m * hvx3
             = vx0 + m * vy - m * vx3 - m * m * vx0 + m * m * m * lvx3
             so value r (4*n) + m * m * m * m * !h
                + m * m * m * m * value r4n rs
             = vx0 + m * vy - m * vx3 - m * m * vx0 + m * m * m * lvx3
                + m * m * m * m * value r4n rs
             = vx0 + m * vy - m * vx3 - m * m * vx0 + m * m * m * vx3
             = (a0 + m * a1 + m * m * a2) * (b0 + m * b1)
             = value x sx * value y sy };
    (if Int64.(<) !h 0
    then begin
      assert { 0 <= value r4n rs + !h
               by 0 <= value x sx so 0 <= value y sy
               so 0 <= value x sx * value y sy
               so value r (4*n) < power radix (4*n) = m * m * m * m
               so 0 <= value r (4*n) + m * m * m * m * (value r4n rs + !h)
                    < (m * m * m * m) * (1 + value r4n rs + !h)
               so 0 < (m * m * m * m) * (1 + value r4n rs + !h)
               so 0 < (m * m * m * m)
               so 0 < 1 + value r4n rs + !h };
      wmpn_decr r4n rs (Limb.of_int64 (Int64.(-_) !h))
      end
    else begin
      assert { value r4n rs + !h < power radix rs
               by value x sx < power radix sx
               so value y sy < power radix sy
               so value x sx * value y sy
                  <= value x sx * power radix sy
                  < power radix sx * power radix sy
                  = power radix (sx + sy)
                  = power radix (3*n+s+t)
               so 0 <= value r (4*n)
               so power radix (4*n) * (value r4n rs + !h)
                  = m * m * m * m * (value r4n rs + !h)
                  <= value r (4*n) + m * m * m * m * (value r4n rs + !h)
                  < power radix (3*n + s + t) = power radix (4*n + rs)
                  = power radix (4*n) * power radix rs
               so power radix (4*n) * (value r4n rs + !h)
                  < power radix (4*n) * power radix rs
               so 0 < power radix (4*n) };
      wmpn_incr r4n rs (Limb.of_int64 !h)
      end)
  end
  else begin
    assert { !h = 0
             by rs = 0
             so sx + sy = 4 * n
             so hvx3 = 0
             so vx3 = lvx3
             so value r (4*n) + power radix (4*n) * !h = value x sx * value y sy
             so 0 <= value x sx < power radix sx
             so 0 <= value y sy < power radix sy
             so 0 <= value x sx * value y sy
             so value x sx * value y sy
                <= value x sx * power radix sy
                < power radix sx * power radix sy
                = power radix (sx + sy)
                = power radix (4*n)
             so 0 <= value r (4*n) < power radix (4*n)
             so 0 <= value x sx * value y sy
                < power radix (4*n) + power radix (4*n) * !h
                = power radix (4*n) * (1 + !h)
             so 0 < power radix (4*n) * (1 + !h)
             so 0 < 1 + !h
             so power radix (4*n) * 1 > value x sx * value y sy
                >= power radix (4*n) * !h
             so power radix (4*n) * !h < power radix (4*n) * 1
             so !h < 1 };
  end
  end;
  label Join4 in
  let ghost or = { r } in
  let ghost or4n = { r4n } in
  join r r4n;
  value_sub_frame (pelts r) (pelts or) (offset r) (offset r + 4 * int32'int n);
  value_sub_frame (pelts r) (pelts or4n) (offset r + 4 * int32'int n)
                  (offset r + 3 * int32'int n + int32'int s + int32'int t);
  value_concat r (4*n) (3*n + s + t);
  assert { value r (3*n + s + t) = value x sx * value y sy
           by offset or4n = offset r + 4*n
           so offset r4n + rs = offset r + 3*n + s + t
           so value_sub (pelts r) (offset r + 4*n) (offset r + 3*n + s + t)
              = value_sub (pelts or4n) (offset r + 4*n) (offset r + 3*n + s + t)
              = value or4n rs
           so value r (3*n + s + t)
              = value or (4*n) + m * m * m * m * value or4n rs };
  join scratch vy2;
  join scratch sor;
  join_r sol scratch;
  label JoinR in
  let ghost or = { r } in
  join r ror;
  value_sub_frame (pelts r) (pelts or) (offset r)
                  (offset r + int32'int sx + int32'int sy);
  label JoinL in
  join_r rol r;
  value_sub_frame (pelts r) (pelts or) (offset r)
                  (offset r + int32'int sx + int32'int sy);
  assert { value r (sx + sy) = value x sx * value y sy
           by value r (sx + sy) = value r (sx + sy) at JoinL
              = value r (sx + sy) at JoinR }

  with wmpn_mul (r x:ptr limb) (sx:int32) (y:ptr limb) (sy:int32) (ghost k: int) : limb
    requires { valid x sx }
    requires { valid y sy }
    requires { valid r (sx + sy) }
    requires { writable r }
    requires { 0 < sy <= sx }
    requires { 8 * sx < max_int32 }
    requires { sx <= toom22_threshold * power 2 k }
    requires { 0 <= k <= 64 }
    ensures  { min r = old min r }
    ensures  { max r = old max r }
    ensures  { plength r = old plength r }
    ensures  { value r (sx + sy) = value x sx * value y sy }
    ensures  { result = (pelts r)[offset r + sx + sy - 1] }
    ensures  { forall j. min r <= j < offset r \/ offset r + sx + sy <= j < max r
                         -> (pelts r)[j] = old (pelts r)[j] }
    variant  { k+k+1 }
  =
    if sy <= toom22_threshold
    then
    (* TODO block product if sx large, for memory locality according to GMP *)
     wmpn_mul_basecase r x sx y sy
    else begin
      (* this would be faster with salloc *)
      (*let ghost k = 64 in*) (* is always enough *)
      let scratch = salloc (UInt32.of_int32 ((5 * sy) + 128)) in
      (* c_assert (is_not_null scratch); *)
      let rol = decr_split r 0 in
      let ror = incr_split r (sx + sy) in
      if ((2 * sx) >= (5 * sy))
      then begin
        let un = ref sx in
        let su = (3 * sy) / 2 in
        assert { 0 < su };
        let ghost sr = su + sy in
        let ws = salloc (UInt32.of_int32 (4 * sy)) in
        (* c_assert (is_not_null ws); *)
        wmpn_toom32_mul r x su y sy scratch k;
        un := !un - su;
        let up = ref (C.incr x su) in
        let rp = ref (C.incr r su) in
        let ghost ou = ref su in
        let ghost or = ref sr in
        while (!un >= (2 * sy)) do (* 5/2?*)
          invariant { min_int32 <= 2 * !un <= max_int32 }
          invariant { !ou + !un = sx }
          invariant { !or = !ou + sy }
          invariant { su <= !ou < sx }
          invariant { !un < sx }
          invariant { 2 * sy - su <= !un }
          invariant { value r !or = value x !ou * value y sy }
          invariant { offset !rp = offset r + !ou }
          invariant { offset !up = offset x + !ou }
          invariant { min !up = min x /\ max !up = max x }
          invariant { plength !up = plength x }
          invariant { min !rp = min r /\ max !rp = max r }
          invariant { plength !rp = plength r }
          invariant { writable !rp }
          invariant { min ws = 0 /\ max ws = plength ws = 4 * sy }
          invariant { min scratch = 0 /\ max scratch = plength scratch }
          invariant { plength scratch = 5 * sy + 128 }
          invariant { pelts !rp = pelts r }
          invariant { pelts !up = pelts x }
          variant { p2i !un }
          (*wmpn_copyi ws !rp sy;
          let rr = rp.contents in
          wmpn_toom32_mul rr !up y scratch su sy k;
          let cy = wmpn_add_in_place rr ws sy sy in
          let rpn = C.incr rr sy in
          wmpn_incr rpn cy su;
          un := !un - su;
          up.contents <- C.incr !up su;
          ou := !ou + su;
          or := !or + su;
          rp.contents <- C.incr !rp su;*)
          label StartLoop in
          let ghost o_r = { r } in
          let ghost rrp = !rp in
          let ghost o_rp = { rrp } in (* TODO why not { !rp } ? *)
          value_concat r !ou !or;
          assert { value r !or = value r !ou + power radix !ou * value !rp sy };
          wmpn_toom32_mul ws !up su y sy scratch k;
          let cy = wmpn_add_n_in_place !rp ws sy in
          value_sub_frame (pelts r) (pelts o_r) (offset r) (offset r + p2i !ou);
          assert { value r !ou = value o_r !ou };
          assert { value !rp sy + (power radix sy) * cy
                   = value o_rp sy + value ws sy };
          let rpn = C.incr !rp sy in
          let wsy = C.incr ws sy in
          let orp = { rpn } in
          label Copy in
          wmpn_copyi rpn wsy su;
          value_sub_frame_shift (pelts rpn) (pelts wsy)
                                (offset rpn) (offset wsy) (int32'int su);
          value_sub_frame (pelts r) (pelts orp) (offset r) (offset r + p2i !ou);
          value_sub_frame (pelts rpn) (pelts orp)
                          (offset !rp) (offset !rp + p2i sy);
          assert { value rpn su = value wsy su };
          assert { value !rp sy = value (!rp at Copy) sy };
          assert { value r !ou = value o_r !ou };
          value_concat ws sy sr;
          assert { value ws sr
                   = value ws (sy + su)
                   = value ws sy + power radix sy * value wsy su };
          value_concat r !ou (!ou + sr);
          assert { value r (!or + su) = value r (!ou + sr)
                   = value r !ou + power radix !ou * value !rp sr };
          value_concat !rp sy sr;
          assert { value !rp sr = value !rp sy + power radix sy * value rpn su };
          value_concat x !ou (!ou + su);
          assert { value x (!ou + su)
                   = value x !ou + power radix !ou * value !up su };
          assert { value r (!ou + sr) + (power radix !or) * cy
                   = value x (!ou + su) * value y sy
                   by value r (!ou + sr) + (power radix !or) * cy
                      = value r !ou + power radix !ou * value !rp sr
                        + power radix !ou * (power radix sy) * cy
                      = value r !ou + power radix !ou * value !rp sy
                        + power radix !ou * power radix sy * value wsy su
                        + power radix !ou * power radix sy * cy
                      = value r !ou
                        + power radix !ou * (value !rp sy + power radix sy * cy)
                        + power radix !ou * power radix sy * value wsy su
                      = value r !ou
                        + power radix !ou * (value o_rp sy + value ws sy)
                        + power radix !ou * power radix sy * value wsy su
                      = value r !ou + power radix !ou * value o_rp sy
                        + power radix !ou
                          * (value ws sy + power radix sy * value wsy su)
                      = value o_r !or
                        + power radix !ou * value ws sr
                      = value x !ou * value y sy
                        + power radix !ou * value !up su * value y sy
                      = (value x !ou + power radix !ou * value !up su)
                        * value y sy
                      = value x (!ou + su) * value y sy };
          value_concat r !or (!ou + sr);
          assert { value r (!ou + sr)
                      = value r !or + power radix !or * value rpn su 
                   by value rpn su = value_sub (pelts r) (offset r + !or) (offset r + !ou + sr) };
          assert { value rpn su + cy < power radix su
                   by value x (!ou + su) < power radix (!ou + su)
                   so value y sy < power radix sy
                   so value x (!ou + su) * value y sy
                      < power radix (!ou + su) * power radix sy
                      = power radix (!ou + su + sy)
                      = power radix (!or + su)
                   so value r (!ou + sr) + power radix !or * cy
                      = value r !or + power radix !or * (value rpn su)
                        + power radix !or * cy
                      = value r !or + power radix !or * (value rpn su + cy)
                   so value r !or + power radix !or * (value rpn su + cy)
                      < power radix (!or + su)
                   so 0 <= value r !or
                   so power radix !or * (value rpn su + cy)
                      < power radix (!or + su)
                      = power radix !or * power radix su };
          label Incr in
          let orp = { rpn } in
          wmpn_incr rpn su cy;
          value_sub_frame (pelts r) (pelts orp) (offset r) (offset r + p2i !or);
          assert { value r !or = value r !or at Incr };
          value_concat r !or (!ou + sr);
          assert { value r (!ou + sr) = value x (!ou + su) * value y sy
                   by value r (!ou + sr)
                   = value r !or + power radix !or * value rpn su
                   = value r !or at Incr + power radix !or * value rpn su
                   = value r !or at Incr
                     + power radix !or * (value rpn su at Incr + cy)
                   = value r !or at Incr
                     + power radix !or * value rpn su at Incr
                     + power radix !or * cy
                   = value r (!ou + sr) at Incr + power radix !or * cy };
          un := !un - su;
          up.contents <- C.incr !up su;
          ou := !ou + su;
          or := !or + su;
          rp.contents <- C.incr !rp su;
        done;
 (*       wmpn_copyi ws !rp sy;*)
        (* sy <= !un <= 2.5 * sy *)
        value_concat r !ou !or;
        assert { value r !or = value r !ou + power radix !ou * value !rp sy };
        let ghost o_r = { r } in
        let ghost rrp = !rp in
        let ghost o_rp = { rrp } in (* TODO why not { !rp } ? *)
        begin
          ensures { value ws (!un + sy) = value !up !un * value y sy }
          ensures { min ws = old min ws /\ max ws = old max ws
                    /\ plength ws = old plength ws }
          ensures { min scratch = old min scratch
                    /\ max scratch = old max scratch
                    /\ plength scratch = old plength scratch }
          if sy <= !un
          then begin
            if ((4 * !un) < (5 * sy))
            then wmpn_toom22_mul ws !up !un y sy scratch k
            else wmpn_toom32_mul ws !up !un y sy scratch k
          end
          else let _ = wmpn_mul ws y sy !up !un (k-1) in ()
        end;
        let cy = wmpn_add_n_in_place !rp ws sy in
        value_sub_frame (pelts r) (pelts o_r) (offset r) (offset r + p2i !ou);
        assert { value r !ou = value o_r !ou };
        assert { value !rp sy + (power radix sy) * cy
                 = value o_rp sy + value ws sy };
        assert { valid !rp sy };
        let rpn = C.incr !rp sy in
        let wsy = C.incr ws sy in
        let orp = { rpn } in
        label Copy in
        wmpn_copyi rpn wsy !un;
        value_sub_frame_shift (pelts rpn) (pelts wsy)
                              (offset rpn) (offset wsy) (int32'int !un);
        value_sub_frame (pelts r) (pelts orp) (offset r) (offset r + p2i !ou);
        value_sub_frame (pelts rpn) (pelts orp)
                        (offset !rp) (offset !rp + p2i sy);
        assert { value rpn !un = value wsy !un };
        assert { value !rp sy = value (!rp at Copy) sy };
        assert { value r !ou = value o_r !ou };
        let ghost sr = sy + !un in
        value_concat ws sy sr;
        assert { value ws sr
                 = value ws sy + power radix sy * value wsy !un };
        value_concat r !ou (!ou + sr);
        assert { value r (!or + !un) = value r (!ou + sr)
                 = value r !ou + power radix !ou * value !rp sr };
        value_concat !rp sy sr;
        assert { value !rp sr = value !rp sy + power radix sy * value rpn !un };
        value_concat x !ou (!ou + !un);
        assert { value x (!ou + !un)
                 = value x !ou + power radix !ou * value !up !un };
        assert { value r (!ou + sr) + (power radix !or) * cy
                 = value x (!ou + !un) * value y sy
                 by value r (!ou + sr) + (power radix !or) * cy
                    = value r !ou + power radix !ou * value !rp sr
                      + power radix !ou * (power radix sy) * cy
                    = value r !ou + power radix !ou * value !rp sy
                      + power radix !ou * power radix sy * value wsy !un
                      + power radix !ou * power radix sy * cy
                    = value r !ou
                      + power radix !ou * (value !rp sy + power radix sy * cy)
                      + power radix !ou * power radix sy * value wsy !un
                    = value r !ou
                      + power radix !ou * (value o_rp sy + value ws sy)
                      + power radix !ou * power radix sy * value wsy !un
                    = value r !ou + power radix !ou * value o_rp sy
                      + power radix !ou
                        * (value ws sy + power radix sy * value wsy !un)
                    = value o_r !or
                      + power radix !ou * value ws sr
                    = value x !ou * value y sy
                      + power radix !ou * value !up !un * value y sy
                    = (value x !ou + power radix !ou * value !up !un)
                      * value y sy
                    = value x (!ou + !un) * value y sy };
        value_concat r !or (!ou + sr);
        assert { value r (!ou + sr)
                    = value r !or + power radix !or * value rpn !un };
        assert { value rpn !un + cy < power radix !un
                 by value x (!ou + !un) < power radix (!ou + !un)
                 so value y sy < power radix sy
                 so value x (!ou + !un) * value y sy
                    < power radix (!ou + !un) * power radix sy
                    = power radix (!ou + !un + sy)
                    = power radix (!or + !un)
                 so value r (!ou + sr) + power radix !or * cy
                    = value r !or + power radix !or * (value rpn !un)
                      + power radix !or * cy
                    = value r !or + power radix !or * (value rpn !un + cy)
                 so value r !or + power radix !or * (value rpn !un + cy)
                    < power radix (!or + !un)
                 so 0 <= value r !or
                 so power radix !or * (value rpn !un + cy)
                    < power radix (!or + !un)
                    = power radix !or * power radix !un };
        let orp = { rpn } in
        label Incr in
        wmpn_incr rpn !un cy;
        value_sub_frame (pelts r) (pelts orp) (offset r) (offset r + p2i !or);
        assert { value r !or = value r !or at Incr };
        value_concat r !or (!ou + sr);
        assert { value r (!ou + sr) = value x (!ou + !un) * value y sy
                 by value r (!ou + sr)
                 = value r !or + power radix !or * value rpn !un
                 = value r !or at Incr + power radix !or * value rpn !un
                 = value r !or at Incr
                   + power radix !or * (value rpn !un at Incr + cy)
                 = value r !or at Incr
                   + power radix !or * value rpn !un at Incr
                   + power radix !or * cy
                 = value r (!ou + sr) at Incr + power radix !or * cy };
        assert { value r (sx + sy) = value x sx * value y sy
                 by !ou + sr = sx + sy /\ !ou + !un = sx };
        sfree ws;
      end
      else begin
        if ((4 * sx) < (5 * sy))
        then wmpn_toom22_mul r x sx y sy scratch k
        else wmpn_toom32_mul r x sx y sy scratch k
      end;
      sfree scratch;
      label JoinR in
      let ghost or = { r } in
      join r ror;
      value_sub_frame (pelts r) (pelts or) (offset r)
                      (offset r + int32'int sx + int32'int sy);
      label JoinL in
      join_r rol r;
      value_sub_frame (pelts r) (pelts or) (offset r)
                      (offset r + int32'int sx + int32'int sy);
      assert { value r (sx + sy) = value x sx * value y sy
               by value r (sx + sy) = value r (sx + sy) at JoinL
                = value r (sx + sy) at JoinR }
    end;
  C.get_ofs r (sx + sy - 1)
        (* sy <= !un <= 2.5 * sy *)
       (* if sy <= !un
        then begin
           if ((4 * !un) < (5 * sy))
           then wmpn_toom22_mul ws !up y scratch !un sy k
           else wmpn_toom32_mul ws !up y scratch !un sy k
        end
        else wmpn_mul ws y !up sy !un (k-1);
        let cy = wmpn_add_in_place !rp ws sy sy in
        let rpn = C.incr !rp sy in
        wmpn_copyi rpn (C.incr ws sy) !un;
        wmpn_incr rpn cy !un;
        sfree ws;
      end
      else begin
        if ((4 * sx) < (5 * sy))
        then wmpn_toom22_mul r x y scratch sx sy k
        else wmpn_toom32_mul r x y scratch sx sy k
      end;
      sfree scratch
    end*)

  (** `wmpn_mul_n r x y sz` multiplies `(x, sz)` and `(y, sz)` and
  writes the result to `(r, 2*sz)`. `r` must not overlap with either
  `x` or `y`. Corresponds to `mpn_mul_n`.  *)
  let wmpn_mul_n (r x y:t) (sz:int32) (ghost k: int) : unit
    requires { sz > 0 }
    requires { valid x sz }
    requires { valid y sz }
    requires { valid r (sz + sz) }
    requires { writable r }
    requires { 8 * sz < max_int32 }
    requires { sz <= toom22_threshold * power 2 k }
    requires { 0 <= k <= 64 }
    ensures { value r (sz + sz) = value x sz * value y sz }
    ensures  { min r = old min r }
    ensures  { max r = old max r }
    ensures  { plength r = old plength r }
    ensures  { forall j. min r <= j < offset r \/ offset r + sz + sz <= j < max r
                         -> (pelts r)[j] = old (pelts r)[j] }
  =
    if sz <= toom22_threshold
    then wmpn_mul_basecase r x sz y sz
    else
      let ws = salloc (UInt32.of_int32 (2 * (sz + 64))) in
      wmpn_toom22_mul r x sz y sz ws 64

  meta remove_prop axiom no_borrow
  meta remove_prop axiom no_borrow_ptr
  meta remove_prop lemma power_ge_1
  meta remove_prop axiom valuation'def
  meta remove_prop axiom valuation'spec
  meta remove_prop lemma valuation_mul
  meta remove_prop axiom valuation_times_pow
  meta remove_prop axiom valuation_lower_bound
  meta remove_prop axiom valuation_monotonous
  meta remove_prop lemma valuation_nondiv
  meta remove_prop lemma valuation_zero_prod
  meta remove_prop axiom valuation_times_nondiv
  meta remove_prop lemma valuation_split
  meta remove_prop lemma valuation_prod
  meta remove_prop lemma valuation_mod
  meta remove_prop lemma valuation_decomp
  meta remove_prop lemma valuation_pow

end
why3-1.6.0/examples/multiprecision/toom/000077500000000000000000000000001440160026300202465ustar00rootroot00000000000000why3-1.6.0/examples/multiprecision/toom/why3session.xml000066400000000000000000017325261440160026300233060ustar00rootroot00000000000000

















 
 
  
  
   
   
   
   
   
   
  
  
  
  
  
 
 
 
 
  
  
  
  
  
   
   
   
   
   
   
  
  
  
  
  
  
  
  
  
  
  
 
 
 
 
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
   
   
   
   
   
   
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
   
   
    
    
     
     
     
    
    
   
   
  
  
  
  
  
  
  
  
  
  
   
   
    
    
     
     
     
     
     
     
    
    
   
   
  
  
  
  
  
  
  
  
  
  
   
   
   
  
  
  
  
  
  
  
   
   
   
   
   
   
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
   
   
   
  
  
  
  
   
   
   
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
   
   
   
   
   
   
  
  
  
  
   
   
   
   
   
   
  
  
  
  
   
   
   
   
   
   
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
   
   
    
    
    
   
   
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
   
   
   
   
   
   
  
  
  
  
  
  
  
   
   
   
   
   
   
  
  
  
  
   
   
   
   
   
   
  
  
  
  
   
   
   
   
   
   
  
  
  
  
   
   
   
  
  
  
  
  
  
  
  
  
  
   
   
    
    
    
    
    
    
   
   
  
  
  
  
  
  
  
  
  
  
  
  
  
   
   
   
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
   
   
   
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
   
   
   
  
  
  
  
  
  
  
  
  
  
   
   
    
    
     
     
     
     
     
     
     
     
     
     
     
     
     
     
     
     
     
     
    
    
   
   
  
  
  
  
   
   
    
    
    
   
   
  
  
  
  
   
   
   
   
   
   
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
   
   
   
   
   
   
  
  
  
  
   
   
    
    
    
   
   
  
  
  
  
  
  
  
   
   
   
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
   
   
   
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
   
   
   
  
  
  
  
   
   
   
  
  
  
  
  
  
  
   
   
   
   
   
   
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
   
   
   
   
   
   
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
   
   
   
   
   
   
  
  
  
  
   
   
   
  
  
  
  
   
   
   
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
   
   
   
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
   
   
    
    
     
     
     
    
    
   
   
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
   
   
   
  
  
  
  
   
   
    
    
     
     
     
     
     
     
    
    
   
   
  
  
  
  
  
  
  
  
  
  
  
  
  
   
   
    
    
     
     
     
    
    
   
   
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
   
   
    
    
     
     
     
    
    
   
   
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
   
   
   
   
   
   
   
   
   
   
   
   
  
  
  
  
  
  
  
  
  
  
   
   
   
   
   
   
  
  
  
  
  
  
  
  
  
  
   
   
   
  
  
  
  
  
  
  
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
  
  
  
  
   
   
   
  
  
  
  
  
  
  
  
  
  
  
  
  
   
   
   
  
  
  
  
   
   
    
    
     
     
     
    
    
   
   
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
  
  
  
  
   
   
   
   
   
   
   
   
   
  
  
  
  
   
   
   
  
  
  
  
   
   
    
    
    
   
   
  
  
  
  
  
  
  
  
  
  
   
   
    
    
     
     
     
    
    
   
   
  
  
  
  
  
  
  
  
  
  
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
  
  
  
  
  
  
  
  
  
  
  
  
  
   
   
   
  
  
  
  
  
  
  
   
   
   
  
  
  
  
   
   
   
  
  
  
  
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
  
  
  
  
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
  
  
  
  
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
  
  
  
  
  
  
  
   
   
   
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
   
   
   
   
   
   
   
   
   
   
   
   
  
  
  
  
   
   
   
  
  
  
  
  
  
  
   
   
    
    
     
     
     
     
     
     
    
    
   
   
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
   
   
   
  
  
  
  
  
  
  
  
  
  
   
   
    
    
     
     
     
     
     
     
    
    
   
   
  
  
  
  
  
  
  
  
  
  
   
   
   
   
   
    
    
    
    
    
    
   
   
   
   
   
   
   
   
   
   
   
  
  
  
  
  
  
  
   
   
   
   
   
   
   
   
   
   
   
    
    
    
    
    
    
    
    
    
   
   
   
   
   
   
   
   
   
   
   
   
   
   
  
  
  
  
   
   
   
  
  
  
  
  
  
  
   
   
   
   
   
   
  
  
  
  
   
   
   
  
  
  
  
   
   
   
   
   
   
  
  
  
  
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
  
  
  
  
  
  
  
   
   
   
   
   
   
  
  
  
  
  
  
  
   
   
   
  
  
  
  
  
  
  
   
   
   
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
    
    
    
    
    
    
   
   
   
   
    
    
    
    
    
    
    
    
    
    
    
    
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
    
    
    
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
    
    
     
     
      
      
      
      
      
      
     
     
    
    
   
   
   
   
    
    
     
     
      
      
      
      
      
      
     
     
    
    
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
    
    
    
    
    
     
     
     
     
     
     
    
    
   
   
   
   
    
    
    
    
    
     
     
     
     
     
     
    
    
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
    
    
    
    
    
    
    
    
    
    
    
    
    
    
    
    
    
     
     
     
     
     
     
     
     
     
    
    
   
   
   
   
   
   
   
    
    
    
    
    
    
    
    
    
    
    
    
    
    
    
    
    
     
     
     
     
     
     
     
     
     
    
    
   
   
   
   
   
   
   
   
   
   
    
    
    
    
    
    
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
    
    
    
    
    
    
    
    
    
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
  
  
  
  
   
   
   
   
   
   
   
   
    
    
     
     
      
      
      
      
      
      
      
      
      
     
     
     
     
     
     
     
     
    
    
    
    
    
    
    
    
   
   
   
   
    
    
     
     
      
      
       
       
        
        
        
        
        
        
        
        
        
       
       
       
       
       
       
       
       
      
      
      
      
      
      
      
      
     
     
     
     
     
     
     
     
    
    
    
    
    
    
    
    
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
    
    
    
    
    
    
   
   
   
   
   
   
   
   
  
  
  
  
   
   
   
   
   
    
    
    
    
    
    
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
  
  
  
  
  
  
  
   
   
    
    
     
     
     
    
    
   
   
  
  
  
  
  
  
  
   
   
   
  
  
  
  
  
  
  
   
   
   
  
  
  
  
   
   
   
   
   
   
  
  
  
  
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
  
  
  
  
   
   
   
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
   
   
    
    
     
     
     
     
     
     
    
    
   
   
  
  
  
  
   
   
    
    
    
   
   
  
  
  
  
  
  
  
   
   
    
    
     
     
     
    
    
   
   
  
  
  
  
   
   
   
   
   
   
  
  
  
  
  
  
  
  
  
  
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
  
  
  
  
   
   
   
   
   
   
   
   
   
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
   
   
   
  
  
  
  
  
  
  
   
   
   
   
   
   
   
   
   
   
   
   
  
  
  
  
  
  
  
   
   
    
    
     
     
     
     
     
     
     
     
      
      
      
      
      
      
      
      
      
     
     
     
     
     
    
    
   
   
  
  
  
  
   
   
   
   
   
   
  
  
  
  
   
   
   
   
   
   
   
   
   
   
   
   
  
  
  
  
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
  
  
  
  
  
  
  
  
  
  
   
   
   
  
  
  
  
   
   
    
    
     
     
     
    
    
   
   
  
  
  
  
  
  
  
  
  
  
  
  
  
   
   
   
  
  
  
  
  
  
  
   
   
   
   
   
   
   
   
   
   
   
   
  
  
  
  
   
   
   
  
  
  
  
  
  
  
   
   
    
    
    
   
   
  
  
  
  
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
  
  
  
  
  
  
  
   
   
   
  
  
  
  
   
   
   
   
   
   
  
  
  
  
  
  
  
  
  
  
   
   
   
   
   
   
  
  
  
  
   
   
   
   
   
   
   
   
   
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
   
   
   
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
   
   
   
  
  
  
  
   
   
   
  
  
  
  
  
  
  
   
   
   
   
   
   
  
  
  
  
   
   
   
  
  
  
  
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
  
  
  
  
  
  
  
  
  
  
  
  
  
   
   
   
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
   
   
   
   
   
   
   
   
   
   
   
   
  
  
  
  
  
  
  
  
  
  
  
  
  
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
  
  
  
  
  
  
  
  
  
  
   
   
    
    
    
    
    
    
   
   
  
  
  
  
  
  
  
   
   
   
  
  
  
  
  
  
  
   
   
   
   
   
   
   
   
   
  
  
  
  
  
  
  
   
   
    
    
     
     
     
    
    
   
   
  
  
  
  
   
   
    
    
     
     
     
    
    
   
   
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
 
 
 
 
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
 
 
 
 
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
 
 
 
 
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
   
   
   
  
  
  
  
  
  
  
  
  
  
   
   
   
   
   
   
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
   
   
   
   
   
   
  
  
  
  
  
  
  
  
  
  
   
   
   
   
   
   
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
   
   
    
    
    
    
    
    
   
   
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
  
  
  
  
  
  
  
   
   
   
   
   
   
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
   
   
   
   
   
   
   
   
   
   
   
   
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
   
   
   
   
   
   
  
  
  
  
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
   
   
    
    
    
    
    
    
    
    
    
    
    
    
    
    
    
    
    
    
   
   
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
   
   
   
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
  
  
  
  
  
  
  
  
  
  
  
  
  
   
   
   
   
   
   
   
   
   
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
   
   
   
   
   
   
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
  
  
  
  
  
  
  
  
  
  
   
   
   
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
   
   
   
   
   
   
  
  
  
  
  
  
  
  
  
  
  
  
  
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
  
  
  
  
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
  
  
  
  
  
  
  
   
   
   
   
   
   
   
  
  
  
  
  
  
  
  
  
  
   
   
   
   
   
   
  
  
  
  
   
   
   
  
  
  
  
   
   
   
   
   
   
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
  
  
  
  
   
   
   
   
   
   
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
   
   
   
   
   
   
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
   
   
   
   
   
   
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
   
   
   
   
   
   
  
  
  
  
  
  
  
   
   
    
    
    
    
    
    
   
   
  
  
  
  
  
  
  
  
  
  
  
  
  
   
   
    
    
    
   
   
   
   
   
  
  
  
  
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
  
  
  
  
   
   
   
  
  
  
  
  
  
  
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
    
    
    
    
    
    
   
   
   
   
   
   
   
   
   
   
   
   
   
   
  
  
  
  
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
  
  
  
  
   
   
   
  
  
  
  
   
   
   
  
  
  
  
   
   
    
    
    
    
    
    
   
   
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
   
   
   
   
   
   
   
   
    
    
    
    
    
    
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
  
  
  
  
  
  
  
   
   
    
    
    
    
    
    
   
   
   
   
   
  
  
  
  
   
   
   
   
   
   
   
  
  
  
  
  
  
  
   
   
   
   
   
   
  
  
  
  
   
   
   
  
  
  
  
   
   
   
   
   
   
  
  
  
  
  
  
  
   
   
    
    
    
    
    
    
   
   
   
   
   
  
  
  
  
  
  
  
   
   
   
   
   
   
  
  
  
  
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
  
  
  
  
  
  
  
   
   
   
   
   
   
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
   
   
   
   
   
   
   
   
    
    
    
    
    
    
   
   
   
   
   
   
   
   
   
   
   
   
   
    
    
     
     
      
      
       
       
       
       
       
       
      
      
     
     
    
    
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
  
  
  
  
  
  
  
  
  
  
  
  
  
   
   
   
  
  
  
  
   
   
   
   
   
   
  
  
  
  
   
   
   
  
  
  
  
  
  
  
  
  
  
   
   
    
    
    
    
    
    
   
   
   
   
   
  
  
  
  
  
  
  
  
  
  
  
  
  
   
   
   
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
   
   
   
   
   
   
  
  
  
  
  
  
  
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
   
   
   
  
  
  
  
  
  
  
  
  
  
  
  
  
   
   
   
   
   
   
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
  
  
  
  
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
   
   
   
   
   
   
   
   
   
   
   
   
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
  
  
  
  
   
   
   
   
   
   
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
   
   
    
    
    
    
    
    
   
   
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
   
   
   
   
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
   
   
    
    
    
    
    
    
    
    
    
    
    
    
    
    
    
    
    
    
   
   
  
  
  
  
  
  
  
  
  
  
   
   
   
  
  
  
  
  
  
  
  
  
  
   
   
   
  
  
  
  
   
   
   
   
   
   
  
  
  
  
   
   
   
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
   
   
   
  
  
  
  
  
  
  
   
   
   
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
   
   
   
  
  
  
  
   
   
   
   
   
   
  
  
  
  
  
  
  
  
  
  
  
  
  
   
   
   
   
   
   
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
   
   
   
  
  
  
  
   
   
   
   
   
    
    
    
    
    
    
   
   
  
  
  
  
  
  
  
   
   
   
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
   
   
   
  
  
  
  
  
  
  
  
  
  
  
  
  
   
   
   
   
   
   
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
   
   
    
    
    
    
    
    
   
   
   
   
   
   
   
    
    
    
    
    
    
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
   
   
   
   
   
   
  
  
  
  
  
  
  
   
   
   
   
   
   
  
  
  
  
   
   
   
   
   
   
  
  
  
  
   
   
   
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
   
   
   
   
   
    
    
    
   
   
  
  
  
  
  
  
  
   
   
    
    
     
     
     
     
     
     
    
    
   
   
   
   
   
  
  
  
  
   
   
   
   
   
   
  
  
  
  
   
   
   
  
  
  
  
   
   
    
    
    
    
    
    
   
   
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
  
  
  
  
  
  
  
   
   
    
    
    
    
    
    
   
   
   
   
   
  
  
  
  
  
  
  
  
  
  
   
   
   
  
  
  
  
   
   
   
  
  
  
  
  
  
  
  
  
  
   
   
   
   
   
   
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
   
   
    
    
    
    
    
    
   
   
   
   
   
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
   
   
   
   
   
   
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
   
   
    
    
    
    
    
    
   
   
  
  
  
  
  
  
  
   
   
    
    
    
    
    
    
   
   
  
  
  
  
  
  
  
  
  
  
   
   
   
  
  
  
  
   
   
   
  
  
  
  
  
  
  
   
   
   
  
  
  
  
  
  
  
  
  
  
  
  
  
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
    
    
    
   
   
   
   
   
   
   
   
   
   
   
   
   
   
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
   
   
   
   
   
   
  
  
  
  
   
   
    
    
     
     
     
     
     
     
     
     
     
    
    
    
    
    
    
    
    
   
   
   
   
   
  
  
  
  
   
   
   
  
  
  
  
  
  
  
   
   
   
   
   
   
  
  
  
  
  
  
  
   
   
   
  
  
  
  
   
   
   
  
  
  
  
   
   
   
    
    
    
    
    
    
   
   
  
  
  
  
  
  
  
   
   
   
   
   
   
   
   
    
    
    
   
   
   
   
   
  
  
  
  
   
   
   
   
   
    
    
     
     
     
    
    
    
    
    
   
   
  
  
  
  
  
  
  
   
   
    
    
    
    
    
    
   
   
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
   
   
   
  
  
  
  
   
   
   
   
   
   
   
   
   
  
  
  
  
  
  
  
  
  
  
  
  
  
   
   
    
    
    
    
    
    
    
    
    
    
    
    
    
    
    
    
    
    
   
   
  
  
  
  
   
   
    
    
    
    
    
    
    
    
    
    
    
    
    
    
    
    
    
    
   
   
  
  
  
  
   
   
   
   
   
   
  
  
  
  
   
   
   
  
  
  
  
  
  
  
  
  
  
  
  
  
   
   
   
  
  
  
  
   
   
    
    
    
    
    
    
    
    
    
    
    
    
    
    
    
    
    
    
   
   
  
  
  
  
  
  
  
   
   
   
   
   
   
  
  
  
  
   
   
   
   
   
   
  
  
  
  
   
   
   
  
  
  
  
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
  
  
  
  
   
   
   
   
   
   
   
   
   
   
   
    
    
    
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
  
  
  
  
  
  
  
  
  
  
   
   
    
    
    
    
    
    
    
    
    
    
    
    
    
    
    
    
    
    
   
   
  
  
  
  
  
  
  
   
   
   
   
   
   
  
  
  
  
   
   
   
  
  
  
  
  
  
  
   
   
    
    
    
   
   
   
   
    
    
    
   
   
   
   
   
   
   
    
    
    
    
    
     
     
     
     
     
     
    
    
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
    
    
    
    
    
    
   
   
   
   
   
   
   
   
   
   
   
  
  
  
  
  
  
  
   
   
    
    
    
    
    
    
    
    
    
    
    
    
    
    
    
    
    
    
   
   
  
  
  
  
   
   
    
    
    
    
    
    
   
   
  
  
  
  
  
  
  
  
  
  
  
  
  
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
    
    
    
   
   
   
   
   
   
   
    
    
    
   
   
   
   
    
    
     
     
      
      
       
       
       
      
      
     
     
    
    
    
    
     
     
      
      
      
     
     
    
    
   
   
   
   
   
   
   
    
    
    
    
    
     
     
     
     
     
     
     
     
     
     
    
    
   
   
   
   
   
   
   
   
   
   
   
   
   
    
    
    
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
  
  
  
  
  
  
  
  
  
  
  
  
  
   
   
   
   
   
   
  
  
  
  
   
   
   
  
  
  
  
   
   
   
  
  
  
  
   
   
   
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
  
  
  
  
   
   
    
    
    
    
    
    
   
   
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
   
   
   
   
   
   
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
   
   
   
  
  
  
  
   
   
   
   
   
   
  
  
  
  
  
  
  
  
  
  
   
   
   
  
  
  
  
   
   
    
    
    
    
    
    
    
    
    
   
   
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
 
 
 
 
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
   
   
   
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
   
   
   
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
   
   
   
   
   
   
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
   
   
   
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
   
   
   
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
   
   
    
    
    
    
    
    
    
    
    
    
    
    
    
    
    
    
    
    
   
   
  
  
  
  
  
  
  
  
  
  
   
   
   
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
   
   
   
   
   
   
  
  
  
  
  
  
  
  
  
  
   
   
   
   
   
   
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
  
  
  
  
  
  
  
  
  
  
   
   
    
    
     
     
     
     
     
     
     
     
     
    
    
   
   
   
   
   
  
  
  
  
   
   
    
    
    
   
   
   
   
    
    
    
   
   
   
   
    
    
    
    
    
    
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
  
  
  
  
   
   
    
    
    
    
    
    
    
    
    
    
    
    
    
    
    
    
    
    
   
   
  
  
  
  
  
  
  
  
  
  
  
  
  
   
   
    
    
    
    
    
    
   
   
  
  
  
  
  
  
  
  
  
  
  
  
  
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
  
  
  
  
  
  
  
   
   
   
   
   
   
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
   
   
   
   
   
   
  
  
  
  
  
  
  
   
   
    
    
    
   
   
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
   
   
   
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
   
   
   
   
   
   
   
   
   
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
   
   
   
  
  
  
  
  
  
  
  
  
  
  
  
  
   
   
   
  
  
  
  
  
  
  
   
   
   
  
  
  
  
  
  
  
   
   
   
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
   
   
   
  
  
  
  
  
  
  
  
  
  
   
   
    
    
    
    
    
    
    
    
    
    
    
    
    
    
    
    
    
    
   
   
  
  
  
  
  
  
  
   
   
   
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
   
   
   
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
   
   
   
   
   
   
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
  
  
  
  
  
  
  
  
  
  
  
  
  
   
   
   
   
   
   
   
   
    
    
    
    
    
    
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
  
  
  
  
   
   
    
    
    
    
    
    
    
    
    
    
    
    
    
    
    
    
    
    
   
   
  
  
  
  
  
  
  
  
  
  
  
  
  
   
   
   
  
  
  
  
  
  
  
  
  
  
  
  
  
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
  
  
  
  
   
   
   
   
   
   
   
   
   
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
   
   
    
    
    
   
   
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
   
   
   
  
  
  
  
   
   
   
   
   
   
   
   
   
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
   
   
   
  
  
  
  
  
  
  
  
  
  
   
   
   
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
   
   
   
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
 
 
 
 
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
 
 



why3-1.6.0/examples/multiprecision/toom/why3shapes.gz000066400000000000000000004211611440160026300227130ustar00rootroot00000000000000[o(_1o;qDvvh`xvŨabo̍0vh`umV+x)ݠL 9iHKJ}=_4Y"$Eʛ;B˜ٸ1k¾AgM(k@L)H_d(,-N\VB<:@YMk@$,"cM p,T@0:FpY[8;YZ˦	G̜,3C6p}:m{7{A7('}N8x߉}%ЄSfE00D'6ᖠ؄	]y}#|
k^
t\w!&)&2t$8Y|2_O;FNK\5j
εLgF-iȠ0-@"E$HΦtT* 0Vp?Vкtҩ[UAZŠh &ONT)+`+h#o2@	@=Z!a0M]!H"ڳT*PKEmek'HE
VtLu:־X4LhY4K2HX+1xJyc1'
Zj\?<.6ʡ]4!^Ka7R^bȲxaT8P^BHKp/RcJ4"^	zn8wP!^$1&S9J[ٵ/vW9-s! 17W!@`_IK
Xǃ/I8Wh~'Ed{-ݻ{#Hɘă&p=Ϋ휸Že0"IASOKxoA(~>?
X;SExW_qTqgq̷-hHtK1soQ'IݒNی&ζ`bi>1m&Bz%* "6nE0BvI͹[\=e:
xgdB!
F:aOahHgc1e
BUh
Zb4lW~e1W'
DNU$-WKR+3ԔGd8)'d2:n$hsDLk:m[3l`G("ZZMɂit+Q>Х uXZ{Jr.imbtwmޖh]PNq1OP@*{ԘM~DCfsFIڑjwp$cH6#ui	W`7lX^7Xݵv?ne1,O8`8l5]XyBIl!.2d= Fcw`mtq/nfFdFZ<
,c_0SJFNmIi8?ctfp	&ʎb2@~h9mQ6a.zMAWjͣ*a=Wciv%<IJ.GJ5qL*&l6J&=bNzy!9Z[
M7&FF	ea۵hwlIGHD.|B<}q&)C;K*]HMM߻M9ʻhjEVqn (6=vxїsvIդlj36	,"V@zR;_wQq~KRVһPx\b7fY	=w^hF!{|Lsf]O`X`H%L
m᷌-f$Ka=q(,hvEaITEs,kveDGu2q@I<:9Emv}�H䵨%CkmҺExzjV~U1&O+(,%;R|"B"QLċ!1i9\2$*hd}Z{rB(܋"6d˶Oz.LRۢ>%vɗO^ws^MV!twO>4=ܜכbl(ljE%oǗtѪ!+:D>Iy`I4
2`bcOv(-j V苷Zoo1b6ȷu8vȕOvp˾vZbGqf\t!j 9<"pKj+7`+uP@x̭B&^荀Mw?R>{vӯmmˢ/p(O~3`eNf~Vx'xoL1,P7c:UIᲑʺ$ks˄7Ȭ5/$*H~r'42H-NQE#jaLLX/=ǗTakb	2	$
DkIe:lv4,ʐŖNor0ۿt-xĿkڵjcc|F
"1 W1*|F938/l* }P,78%Q#
׳8CԧD5jt&"\E%҅GRBW,s-)@[S"
1żY	MXĕ%RhPc1	gd
8ngPu:}ƻ`ԥDH$CQZ*I0#C]䝫0MpR|+Бd؀%W+^lqDzkBe	d_r5ikS(T9K+pU(**#"tΩP(%-JYZ\je|ib|tz<P+6e-6S&O>-^>[!	2RdkF󣕠	XQ^~]+X_痴㗤Uݾȍ5ǂ>{
	M-)"t.n^v'XsnOz<]-p
 1MT6lIoyWټd57`bY/eȠy,(q8%K'3ٺB!
zEr,k>F3
0q7#&t37}BMlL`ng|Ʈi>Ci
ގBQgc=؈xLؙtʁŭ3݌z4yl+!ÂR,PE&eGJDh%ō-l	mC`bKokS{Zasdh!HFIǙ$lB!~ 5A߯6M	.}I4yUjw\'g
(:
26sYU1)e,5Nx67Y2i=4S2yqVl;ߑ2]G3{Y]齵̒!!ֽI=SpP9!ul:ot*K]$WLWV:YEKsR5
.Sj8PyCdYo
2G1Ro@|#k\<4Orw
bjU6!g!n;t$@ɤĒbkLI_[U\s
SיUXqƜqo{{4H,(eӮT(sA[sfI)N.ώ)KdS1lFӞAlj((ps609{[HsM]!lވrͱHw19a&1bqԸ;?m6k~6eژG?*fٱ%۹R|ySja{bYʞXdU
	. WVx]H(1lq]R6MXi^)IAxʸO7~ev^p8E=}YO׏wtdwC7yuyڄ$ce#&h+C+|bQ$''HI
rqF."z/w^û7ߚ"Gϻu^M湸Y su-mW7:cʪzX[=7?)xkF
%g""S`I[cohhw_k221M	oXvDǖY7Omr2$7ZV	CdgJx/70Xg)5wv^(|x_%KK8E=yppf2+~#i^#bLDlcchK/3iE'&Sף ލᨻwtut?_)Y>%2a[e}n]ԬA4-bL+6:/1 AY(e@E
PvpH
2h`̏7Ib]~Db`7SM	kOvMߩ9
*~zy9HKuy!an+Ya\GM9χWb
9a_5>E+ryJ~/~Fӷ$rѬE/09Բ7ʦΊ˞lK$ħ'{[{ÂPT@\:0Rպ~fʀƽawx=A	;.5'ţ<ו7ݼ7 R3l85yl!	|@`vkDR#J7CD"nׅgqfVU]JÁu=6|]Ojk#{-_HʺaTgߢwP$d[.=Au>P(}%@@ܭŕP8@\OBQt<=ΈDnlZe.s "~n{V1W$CmB *%-DNZjOБ
|q
69X60	46S|apE9sj^|Hzqpn"JlLO6	z,nzHOAHQKǘx&dD$|X&Pzk$mbY#{A

"	>Gv,3G`Ff7Bs0#S徨J7Pm|s[+Pgb^4i]Aufΐbp.PB%~ӏ8``jHM
m	7E
m*S2zصY(2K*LXyA${!'<]鯒2Y̰qTAKBAV?+Ӽ4ؤs%H4sYze|3SPjWμgV5iuoKVn7d,T&Udba9Fs+`e>wۜ.x>T\|<>hE7΄~IxвTD;SΏ3{`,.m]w(bqNHmN4M)|6'f 7
	t15i
Jhլn&&`Q&wU^*T^4D$Os;9UyjlL!tēƐTO^τ(
^BIIDniq}}mߎDdiau; h
p_35{#:
+fa['R-ͱUkCcj*ZwlQw(V`jS3,̽[«	_M}kpM/M(J?9|Pn"|FS@r:)(7䣴S`sJ`T6&"ȫˏqdşX{
+#9f`TEs(m$QdeBqT,1/3^?3`E+#A
gщ.Ґw+\/(<2y%?'1S.OnKV`*ͭK"PhML{#ه&)&oSe񤳧=:/Q_|s_|\}?Q'V?@h~fԼmќ~2Sf]6f1Sh[E
 vL0rlCd+>Ơ$s1)'AYGZ=:9m/t=me:×
u/H(y;W8lV]0\N0yVأ|@+iAw"Z!?U鲏7@#>*Cr!TdχPd25 (GE"$pJA?z[a+&+g
N3,4whpP[v%_8V#*b	.]Ey&e/"#NWc5o9!Uy:9ߣF+v!sO<	'g/lp
h&ΆQGk2xMt\\W$r26g5=L̄|~|Y? U!b灑3|H'6R,Rq)̎6sDK~VP+*ܝ8C[6'SR[Bx9m8GI:)܁/]Ǻ?(7$ףs~J+	h ~HRew"v:yOIFK<'s}JƮOImY_ftHnLi/:uB|5)J8OM/hr@WV0vk(#=2WP3{.y2?{8|Z5:,DAcyC;/ܚX\C9S>9u=3bN
-ePT},=

}Q?J
$]
~U/|$.}jlgi|N]óY
Ȧ"RM*\GӞפUJ_d SZ\юq(וӰUo$E#p)Ŵڔ7LKMe&I}e=:I`g3g6Yu.nA.?T|f̯4tǵƵbRF	s(uj(v
[hY%|N}[>YXg?qr)3~(p[/ZB)onrAN}}!-bsxz^%8K9LWz:.ǫ=:Oxo8PVZ8GOl|bR_L9m:%]v$ӭҸ=\3	H>,[3eEsg>|5Zp1);fs:>ȓ
7ARHDd{J'X2+%hIeeuHK/HIK*6\D|Hc[/1Ԍ/"	p/~9&1Xx8$;{9!2m$gPΈQM(PΉEA9q}h8;]*,;|nJvjէsr7d.WrsBRNT`RoNUU	NT'D*6E50noXhA$3d	D2H&/ZKH&
)Dh^EeQ͓*eT1DZ$5F""gLiM)pzJOVB)[EDEb|Xe^
@Tv&hXRGow?PeB
!`ET,};>?$Ry
CE0T,	zYhhQE:Ζt$?nh
;8"TЧjH8,oez[FGX]xg#qޖ{Əf)9Xl"	<;z,O)ExAm\gYZrgiIݶgĬyE=JMX`9}FZ/?|{Ixx((n1ǞŸ^$:!7L(b^q6<6_A˛]F*B7JT2Qŏt-S,~(aȆ3dJVV$ }hZC8`OnUy7uV-?3{k^I2w\
M% vȁV	d،ʀ;I|0.-oA2Y'6$
#;iC;0I0SNhٓ[euଙ	&e$yxLǤX<&HrJJ
`'5K,DKFbJ2ڮ
"PuvʣrئyAD`
~	rS/2aJ:C4T
ȢCW'?(3`	d?D`Ö`K~v@_#λpOKJ	Y	BH!ЋC?( %r?M:GrP^N||\gSB+1${
/x@bT(*aSD`8
SH0)d b[Ȥp!@KvӽJʇ#.lG2eռ857u]=,
-
D"A+=ux_W\Tj@1
t/,ZB;](돣*^B^ N#5Q@nRݹ%z]Mn(b =wo-,CnJ9數޼tGmUD>qcMq}hGF
Fu=)/eURsU67uε	霦u"MM4zĥec!i\7|@O<~hE+kvF3µ$P6l}]%X"F@$w]4Mva Q|exHdJs(y
hq?-37|oqZXH
nUۡ{|q+1yUʪu Q_\Ⱦ0
Z0"VY_M'Q
/Gxc?X_UK"A8+PDFv)E+u0I. .vv@UyvaRS	8B萩
B:*E=uQpAwg#
;ĵ0J$>@DIUw;E@஀f$lg@8cNZX<.Vᣒ$`!46'WlhG98蕍7^5QsH
%!7c	 ?v41TuTh@3I
	,Se#sJ@<0h;ITNy6A
L,ΰ`Nr.?l5p$WSQ,Hߡ|Ql6lb(|b
+B`r(.cl"#Z"߃}>}Q]ޞ͸id	tZbwYRw[Ls_]nb6seAEJ-7K/o+tZ$h"d["FZoxd5c5bíqLW:| "wKp[prWK|YؓnPߨЫLx6ֶd_ܴ =+tL*B*7(w13SS2ԀNrgL kc%[8] v$؁F	eiB%jz^=
:,+ 0WEɺعxG)׬dTY'$ΔgnDPltDmt](_HrZ%֘8cҊG4a_d/GѺN.{6o>^rOqh
ip6c$,7#q
SM*%=JPdh/^8[9i;Y?cakzgJtDK81u*B,37(OwS~)&ĦǼZ$k@_q-UIe*-NgHPVN/p߰ǃpdl
q(ikATHyPU2ZU<ƲC/-hov߆!`5oU6E0m蛷bLs{4mπ"!y*p.ڣIX&$dg4d6f#,D^hŦY/\-G_js.-*ۃK7R3Ln^la&,:9R.BN̔3I:uzNxKuj߇}f8Y=lVǬ%@ްBCY!IL^0\]!|`s:';﨎=YZ"ֶlnV{ŏ^pw[&P[
%")-.$⚻P((fG=l<4㵮zu+G 5Y1tr3):F-&ЁXt"Kδ+BhRtP*S25KѠJ{5Z-t!W-/؟WԷDh~B^$GQ)#
FK%%ɱۼ))j~ŁHkޞu?1]0x!,w1%qs-yptv~Ǒb?:=y#RN]χqjTh^C>W"md@]nЮGua(/_5 7kw@Y`#~Q?ܛ
D~x@"p᫰CczV]EwViEWUT~tf>E3뇉zt~\)L+
m/
*y-&گ~[L E_UҋJQlsW֕NwΙʀ3{n.Dz!ޏy3aik<}M㶒R@dL Xh+|ڏ;:- Ri%1R;
{fmyːAQ4$(iYӑ)QC֜FawU`)D$/(>br-'0~BdLùyAWy-ķ]-2+SV0h=3#܊*4T*
=ßiY-8!ήL=-,AKRpN7e"_\'/(f
;>dX|yj,kba=Kmk8x-JAm^ Me^LQ򐣴4+:n#1#)Q#4ϪjS{O~GAG'c,Mhj\t'~R,A>g}׈T"
(x6#Mдuq]ܘCi\ Gld{y޼Q߃ӆkN
e1EgiAx	KgSoGh"lۣQ
#m=y	+VWs/g5?\Զ+pYCWQ:MB[lI[ޱxU4O1CH?#YMT"hn^*(t5cʌP˛y(]gݔP`<:-74jUu s
{tULjJد=cwOq:tVT!A{i)
LjxTVĔ;+:'N94'NsCB;%ϊSȆ^3lM؛tJ.M7ّ'YIgv&2؛GUcGM^8PJgQpl*;iOƖ	fZF3#.gU೨JYeΧ<}G,;):-zCy1)bi]^jnF3a^f0׵Vzӊ<fϞ;8Qˇ]M̎~
3>`QdiF+PpEg
nr/)QYRF9nj)ٲa#n܁:I@q[KGx]A>
Z:
on9WQJ&B`Pt0}N<ҷ<\7K!|	걠C6>Dun
L⥛75_b=-ʾW#=Uu!Nx؞KXqqRB2pcK)ʡ=QY8^E$r	jrQixGo;*:hUчXpM4S8ɿ01fpVAXgh_ˆ!#?1NnpW䉗	MQO$hc^|s(Z~}:^80ڦ}՜DM`kqҜJDuRPā"d\F	 |&C-4ADb-iX6	Lt'RtVT1lKZb@/u@J_QG'H1R	ũCnPI7XvAW}u𿐺oe
Gr>/:ъZ5%R&lqKar$p&2]4g3>RANYtfo[L1:ؼYYdU:z2M9tM}$z1
ey}ќH5tq֣rnE.hk@m
xC>,v!*)6UT:x$s^*t&7s*nŸy$KQ+;1J4&0=ﺉq*zl	∞֚Z;1͜F/{?E^m|hr=)bWߥKT}uW)oH聣%3qXnNG&t_ 7pT%7i-;:1X`4"]\`wfл)%sgbZ8$@M҈1I=tHdg/lDڠ†E2_+<ϬAc^#aHü!a^6#D2͂5	@HS.^PAX6A51㺬zMkDsULsUKR
kH%A;Y2

v
W‹8?ʓ0B&ʯ

QTs=صXSn\,ӭ5>K:Z%p`J靾FUJL
tEjZ2rvXsLWZ=jrI-7!2FhɅjIi=肉NW/Whhsfq5xsN9́G]|0st`J!wJ3 uyE.HlCS鸇N0[|H1
fMhx6HVqFaog@r7(Ť>)c,]-*Oߟ̆r,@L'2Qi
|an	i0ҍqt)g=b݅Oss#IXSTiM:-o*ak$z7RT黺c
kBϫ-N[Y#.^?S'`3$xF~#zIz.}ph+;˹*
![X#N0@0&⣂a^&=dríM0<(˭AI	t	o8CSNX=uk*zM@	=~eqB}7T+ZJ:Ctm[P[KP) >OJCY3Yx!ʰvJԚlvLXѾ'F%@sÕQErYk
vK{#T(vx,
>|%Ams^,<MG@_p</~$"~^Q9i9C"+":g–'A' 8V~7My'rs5'&
'$g]?V9Ǫqt~XVd&Lofݭ5DdXǏ_>Ȝt1]vm3
s=1s
+wx.+LHK$;U$)JQ)ZK<a1b,DLL2D7*?^j)!!&`7~Z/(""0ȜRO_Z*Ē =eRG*9fTJdXIbr	WFOvEXw"
mwPw.:UE`ld=Xy U=G05;XA_M~?nm/ȝC2b=b'ĻU "Et8
,~O2D֬Kq@־+A־+i5`=X/]d{Z_11XTY"TEE2|
4e'7D%
}׌9rgoM	44j5.2wp-߰Ma*H\ţ"=΁ZnG}v{$:~ǡ2m^à-	Ml`a:u평>1
	}LOʩlZLҋ(7:'j%^Ҝ_k$.ʕdmfrJgDr,MUjn
E,%x\^Kaaa"x
C
C`!@a0U)
C!°m9$ vϰS4*gCaK`>L.qTeT ƝQDEcE{T9PέjDChwIMںlI
சqܭ:K)2P^8c{{	4'in8N3/)EY<לg)g]|sΛuI7xq)!!89;;hRsnoFM:HYEħ#']UPF<1LiXeٴW
=mޤwx&P;";|0{*QEm^ɭ05Gڙ.;*#{ဟ/_+G<	ris`΂ĻA[>?D=@jmA^^ȫIY9nӫh9İ>E$b
O&\bWhEGu.V'
n+L
VSJL!C.)ULFeA;VГe[\)b]=*w:O c i?bU1VHc!$Xɗ|:fZ&-_LSfNWw`j1HtﷻL!3 `sE0CScOf{w߃k2pVOY.|C5f{}1
QbJJqSVGm9yWD.n_a%l/$
'`$σ\>apV;_+k~{d)nx5o?N=(AecP٬|kt
(~XҨx!FIqwTR+1ͥ(>,kƊn(I6*WoYtѻ1Z-ow
Ӓ-|Om:'?"Ϣ9=jpè&T0#S$_>L41G@q/&+MY‚MyK]pXRq<5'!{gŽ4b&Bq+VrJjM,zXf8ш[CEӂ/1`!
=ԟ¨U}#p޹G|QzexD7&11>DzѸkS$1jB>iY"+_LOeGe~q()U
H9T3p}O ʔd\qҜxNkQ̼^	4țy
nm-?񪄓OlԷ3pӛ"M8T-H}c{Ɯڅ	xaq0ff"&SEp$kx+5֙I7*a͢fΌŞi
GզW5P^@objL"4`[5j,h⠺7>AחTJ`:ւ|11݊⺪5$"z1(dqyEujªӈcQ.sblfiDrͫfnY<XFўE]SYRO/C&S.+ʜRCȱa}W?R
N6[Pگi+A2cd]|:o֫3XCyIg1qƅ&D&8mgIjJ\-EG绰I8X%1	|,/{iY%Bۣ	p~b;qJ[!.<]G*9Q	EEX	5sQP-EI:,|8̄l(yV!=\eU^=߹}Aeg&mͩEyÅ9Qy{%|_/GUY\2ٸ}9K4d	dRgq"r|+ǀ|,Xt)߄CVƪmu|s"nfPv/,*Зxi$w<
"*	qu9=0
0aXlaxQ]mǚƎ6p󻎵X>	k'`nCƅ._2|be_'B
},ߋfgGshx9np:LW
޾Rl"lEqes\IY|kTUjLה~&ר-G_ʮSvb'_twb]h
~Kvp˅EI}CuEGGfPX;EY
<UېQj'Dhx%YyCyͩǸlg*GUD3غ.]d:Oŏ,J
qvuOd>R>=SPynR;5`8N2#_H}nA|]9;IBy Yj psq3mkrHٍ(T*wⰋz#E>/u*VC&
ğ\ZwۓEWBR|aOoIn?	U+PZv
gU}Veb/E$hWmKΖ~¡MY,ZQXl7$󮃙V}E.vQ]9lHJK@RJO	2RBl13<NUeu	iNXΒ*%
L?^T0SU4ﭩw8gQ1*B_bOB"{( c%Ĵ)A &
{$ w=̈Nޥ]
ZUe<D!1F$y
mUE%Sqn2ߕj`IҚٻR՘Hf`҂UٗC5Մ#b
	䡚jJ|a|ZΪteH;,jbt]IچAQq+)1VnɝDũ[i6*ou}\gnv1kݻj#Oy<˞O}*gKm()l^>T7cos\AhYJev0t(nse:}n7)N`,aWˇawөM
A^pb'<6 cKA+>
|h(Qh="Y^;LP[H|54}kn|d{+&o!KcGn!gĖC(KvWf\`ES5~V~(m)2^	ۥ%`su	@BG=4S8Ǵ`4&PRP9CGÓ	Gj^aGpBkx=ߓWrE;DEks5DPIaG0%\`H?SuTtQ`dV_#geo귐^XL.Oݱ^>"d8a3vy͵ݙ>$L&Fkvcewd+#[xD62͵AmBgGwv=9XW9asvaNzv΂.vpg
;RW@Wq}k8/yg2,F0;%F^(}fe}UtysT8y{5,AܓM"l>G4.J߬.gXoA-MRP71$O,Xׂ)
I!t%-כKPXgY{@
v1P+*Q(&L;9dKgՁM{(S3ȓYjw\FUuȘdHLL[1R1QbR.Z(yَO8(PonOO7EY|V?˂zT}6[K^/eA#},7csVoӘ[	rn1̜x{&eoբ6~;n1;'IVONWOvZ310Dz'YŜӦzeO;Aqkd 鿜xHn^~amw_hXmg2;T͈IPlt6M/MWmA槏]օ{xQsz=AW +G:u2&Vh`PD)$4R<\н{KtS%*AmA{|ah	lO؋ƿ|uG
VkHxM&NRfxI'g~\ia¦	Vx	I#/15hzX' Vӊ}@7R%c@$C) zZRr9sJqef,aH=_p4Gu)w܋"m!&yN5Ņ"Ąc6~-cVGh=COF-T7G;ѕ1s*6ڜI]Ђ~kl*튦;3&s6k;72ӵ/Wgs0O;@&9ŀ3.!>	'.}X D$MlS ξjlNİDŽRb곇Rb<2L=U|(OtHVyܐCUcQ8IL3=ȍ$
sm
2eN7ERf_7Dujɇm568/NaLJ^l4'v
33S
Ev7boU*ŶJ54ӏk
@<<><ݿ-[o+_t4?jks֟-#IY=Sۤ28&tS-hLŞH@yN#ūc얓oūD7_5fTpr,L_yG3o7;DJ	`a/=QʇLS!}r!#r,Y+i	|NOAI	*1H{P|l6;sl2Լ	i?i~%{w;Ֆa!ti
xJ-H9MwHf&LnRbؑM^͕!|ntG#hg#{466E̓٘$	g9e8	H)
tVPg r:	:	.&hJ,G#9EsmAaaAހwj/nЉ˩{ז#ӘWbAueLEl%*)|qn
{y֔'W3̟1F$6zv!`l'].
"Ԁ.ka0O\q@e`^^U5oU71C=/;/|?ͳ&2C	LST!`!٪/xr7'{_h~¥'wi	_r~MSSܝ3E/bA*
^u.k@WR݊0,jG[XՎtbҍjSFeϫ`u2\ob{#'I?qsXMC,(_V
|AWGiCʟ󹹨Ou}Hxx#1G")eP\9>s0|(鞩{fER

iC4lHT=

!S:FUEQ)ehǫily~{h9Hl0&/#ABS1#ūAE#b?jEA[A'y*z뢱<Υ:tTI'\pF#cS9~-!mTJU)
%4M"60.t4UC3E2Վ·&=M&溠	߻4Ņ_Ka]
i9
_t^Y#bwS6ėݧ-}97
)lVL|*_đٱM∣"/ջ<
DjAa$;R}$A@J]C^bAt#ۈ6>l#qHCE?"}i#U#U(IREj;<{GV!홠e+Z]*KI<=kn7]G.HlXcnz{P $twBF]q&*yO{S3_~:ˢIa	_(.mazp:
Q<Gs K¡?{^B"ȡx/=YDJCN_)2I	ZqaoGsUtf^AqLGwVC&g+	Euf46̌y-`Y$cp$]uo<$͇YZPess"ܲvY߇=z.(;}:E]"r86Os-DyKk
ȼ?'ƔH^	,\V.l،p4(n!@k1YӬEBNPa]㝇*}s}߅;4OHh.Aa+Dꦅrr%w+	'ѻ`J/([hx/,X1Bu-ցV^8撛6666 `MiSy65VKw%)X#]m6utwG] 9ao<@biS3Ӧ]Vw68fɌT+SԒ؅ȒCXƜKcĥq.ǓĘ2ǟ~3RKjܙÁ?oC!_~S?ﱅ#/_9;c<{YoC}ݝ?K{qN_Fx]~oW].|C1?63~̟|G/~RsXYMC>ljc?Ho232s/}dBEGB|0>QGUÿ}Q
O7j|ݟ<>?U,~"|Ûg&MW?+_nתGQ~8(u?祛놊{wWK~U?glv&9St
5iȃ@\"ؚ2M9ؑ|b Nh.0;B4_k1̌eؘ_/:62@e
3L
 \Z;>ceǻ_mej逃x1u;N+HmҼE̾P)<=/TG[uN7(fZF7,DžމOYR~h6aGXgMʜ'fSSz^BfkaY8:nWP"1f#n,dMbFDkܲvH2}уxYqv_;HwA{7wލnw
x7ƻݞ71=	Yw@_v99I;I,{ol@j*'m8@Jsl{{e?,,Сx?R7mp:Sͼ7av|HfNOB3L-Aczj|ZnJ1,TDm;Yl/QIlݳ[E|.Ehd¡2CXR'o3ɐR?BJ[o0+k>8MiH,
l5[糶h#{xe[d!KLwQPw4Q?C#UL{q3M작Wn9/(O$SNt۠ݶszleܩ!wvEOnll1gZm*AVn=:ҋfT̴~'N;	sAl)[#WӶ{2znz=r`" 6=y0{PyP@:mB33VQW3HFk=/=KGoܳÞ=]A-.;G3@kYsuhm/joO?UB#;6Y'0;eOG`%?zs"נ !c"@jr3#yP(pkI$\:fv#e-qne ΢ZׄXG_6F[a#2$YX({ڬ-HLN7}K~0u~ds;e-,{=u>v%P9;iǀϗ3ݐT|
mccF6w]3
e2yR*[VB6}:F'X҅QI5MU>0g?!|+"3=3}݊ʤLk
#	UqlHd~ϖÓE̾l!(WVy'uvde/ I?*UVVVVME%1$ڼyqx_tAX<-;[&;cRϼu'f{g{󝟙·ڳi;51mߗ,mo^ZYczs`x0lݣ?=H!-VV,BP,51`#B:<>%ԥ._Y]ec6֖NwitB7F
u9MQ;ݹpl\<^Ր|bVTʂES}0x!MApda{,f >6EnwPTTYjAgh#t,eh.lW|w|bl.Aj{e82cȂY#ad!,=M.(YPY]VA9}IlfnlbԜfCЬ	M5H 5wUssD
Beg
r9.k8vOׄWY|٧3vfM1egNS}T9q>=Dm̞/$PS=ͷ4[ۜL'}e_G/v6=8Z
!N3E6Pv)~>xȆ]MuvF`FSVt|O1T}j~Ws\|7;4`Ϗ*OMtn<1CNӦv0U0n<s{gg{
1Xv62s٩3g0	yZ jXq1׆HC~l.۔WHy'6=|O]olfd/j(7>oo{|d3T@6w`^!&224Y=[fg55st&n@Y&پSSnX6ŪȞD.+^ 'CMo*9.
?hzhXv2#F{o#Mqpn:r"0=D;#ǎqڼ}dW]aSiTӖj}[b=CǜG2KO9w	#oB{Kvx'
n}(
df
29xn6Omr&/w+.^?	A'ִ
	_)4aL6fqq?x|
>"c`z0e|N9VώPu^,Ђjg
Mښa=xmf~<Bvדo-4۳'f;2OS
Z1H	}{~aod%
Uyg5qIӢܗA-:=0,CiDdh^b3fɿ=sKᰑ	|U5as=hljBy̫HGH_j.8j*>ߥv[`',pFCiClUAyPIsEpo}LZ'T*┙Û
ǂ}S97}7]g&kdƼfF&+>AlhVEяv\/Is0	
m#"o_dLeͷ5}\|,b,oE.nm2Զhm߳=m)4A~EB0C`vydiuh0XiR=@[d@A-JVmlAf!Mw<c37͂4]14U>Sv{?k z{e'6H衆hOhܝ`5Rɷ5vv׍y}ٺ/.A׭\<Gxvװn>-o:,#6Ns-TWMߟ4}5ty#i
O-U:@sw>vԗT1O	>584=Lv;U1b GTնQP毚p@{RjYNBkr|nwP%i3>M'鍯k3ŅV水tǹO}/Jf?7FtT!9Mwc@=~o@iY{M	{C&LjTlVK3,tbGd4SwdѧgҪZtz4]W?;eqqV=9DF˻-GcN\+S+6l1X[wt96px?(
0Pl擩EyX1ѡ+<5d;{tD߻nS)w).DubXw^kdƆagC8wX&ɟH$9ga*φ}
Y~e`G[wʂ^Yeb`46h}w{/
p6GpIT,;jcl+:w^#[ߌ
?l%f݀:f/zZmq*>gG,kawq'mh>gf6FMMmRFrdll'AXUy+*X]0ϼsg%܇
,h+?~,ȯ}}tgtM
G3
p-G!_ +nqhgKm~Dr'x\|`f#.(1\ަؔJx#hFcEq G8~I(/b]ӳj"(!,z5{իϚҸm	Hm,gSD2ܯ۸m9K͐Ȳb63֞4._JgBգOq,osNٝK޴PZ#*u7{=0Hz2__=
`*.mwVRvts1kd{1LJ%?Bl;bGQ>am&IAUP}K*/8b#qa`26ŽamkLc3~loZ9	eӒc5Ǿoo_!2SlB*=!غ #YuZAX~s{Κ]㘨	/ P b@MC8;=K >AbÃ=Mqذ7n#fA~5"|7%x/wN~ОShBϰ]	EuyȅbQT[4a͹eM(JX(~k|^a0q%Fi㉅b	WԠOIX@smcYoϳp޼P,^f؆eѢ΀~;f
@d
bԈ7ϧx,xČc`IW:JAYP//XgݰLt+PEo9XrgsҞhjD[{J.,K"@?&j0ښ8tZj}@tN:[Hxf~?,89hbgEdUː./@4'rEXNT@빈t ᎚sԌ0
g]kZ~WPHn44
W6njziB4og	>qAN磞@Ͼލ=(9;=C@8mkB -8yhs4%#g'_V?wh.~}T!ٍc9yA;!HsLQ0?8̼ܐ<}8`w)5M)H|J&V,Y`/|5M	x٠}72pL'dOhaZK
c7zp	z*Ԃ5a,j̺Mv7OK-$كd!sE{H^aP^9-X^Xz^{l8fTz*=pd\wOݳ>ڏT*MӊIcN5m-3`ƻ`A޵J[7s#@&DI78t3ɘ@>z򈷁/&ɀPH>[IHEo[VA+;-}_"!h6w̼ckfϲDŬtkHmp0	g=&έ#:Yg;^g>-Fƾpm'KiTrGek8-N'YIV;,8.1%K{lAg͇cӯ}P{PSntO.H)ęI{ꐶ*![w$ڙ~tpcy7É	p.е5 Ӊ憹?ϜƎqABkgWW'Ӵ+dK@Acb>t޷T[=׎ٯ^qi[RSPmJ]W?$ìXDaf$p'qq#sl,qn	^0(jypbXY6#M@xa~xy}΍w14kl}tm=6bGf:ҜΘ[M9ƍ~,)=A').ڊ?K=±9z)BsklݕX},zjemb.[pEjg-	77A-r
|y%gg_igxlAU5:CӾ1%އS0g3iڃ|NQV5,$m}3)E@A#K	(
'2~C;#	^jXac
@wn>N1΅Zwhsa?AMg:Wt>'
_UZMoRB-MW߻i?FlĈ9\vF#}w{b}130o81n*|6.÷\_>Oʊjb9{z]Z?ւOcQPvl9j	,`WFJÖ3|{OhmE'_kb3
]}N>hޯQtMMMJK\<w)\KuX?:OeML´̦؅2WvA0YIuqsq}`L:kn
#':?c.ퟏm.ٽ[lnmlK]||dU\ou#!z`;R?-ڼ=
D?$#Da
3Y{S>u>$màbJLg!?cL.f=*/
o#qgQwû9!t?cKWdD:$(#!Q$fX3x$#Biukj0
Td/==ɔ:
}~pCmdn<+1qf+Cu]{A_пERXZCh]Ӗ5P{tٻ	`d;bf3/Ej3d26,ʽmuǁOw%e_6
*eF0Z
}K%('Z363bP28DEafDP"x"P	8@12FҚso'^%t]pL-a2gQxڐȖmgYs4jY4g>'gZrJ9O9ItRO͉'a=̥#1aI}_9fTzs"5<fg4e)gYDDԻL[cllq1%қr;;t
W9aۆ/=fTbzsbj0ͭm(zwY/AޜLX$WklD^*Q9QW
0l`3Ra`٥qz	S0l)w4bu6ʆIcK7?VksB]f?|zi44b${nYG(6ͯ1PK5!`a[Y/-ߜٔbYvAƝ;?"|cK7i]dƻωmXvl;^,M9MrR45;Ǭ.KoNc);ބ㬻;vUCcyei(vL{†cm))Q~rQ	% lux+[x3X*a>wulˬͤcfffpY+833?Q{&wj}]anMV۠C	111%cp !kd)0aRPPd]p2a6.)^AAA=m0<XҚTv{Deeeo$$ME="hLQfyf=b5=333>%96gtv=m/	Y3LS|՝
eҵ7
#6xz
5}ވޢ|%:2gNo)ől-j
jo)e6%jÖ́k_//RQQ}iw}DSbl)I`_u]g
:K*ͳlRuxL|)l\fRfRfRf':[O:sDk;keO.N}X<~غMVOCe(5:6FG>6bg{:؎#16666>X#)+t~ZT0Յ,ST`5bi+Uss32222cŶ6كKx,s)s)s)sҨIyga8-Nz4c5Y6@*Oe|NKWqӚ{q-ZK^Eh^*~h*{l:QM9/>5P999_
titYho{ݍZۨzUo4a sSgKFd
/(r掷6_@46Xv=W9eTSN:$YgCmm,R3ӄVQQQѷ3=YK)iw*dFDeFeFeFeF֌dy%mHĆW>r3WV›4|g	Xx+ʴʴʴʴ-ԃ#qg,~x]rnʴ~kK&+}l45}P"6LÚܩB
*1BͷXK֋Ӗhg걕G>||||=XVsMrƷ~fQ
Җb_
c36{u	
ZYVb.O!w!0w9/#ʤeʿʿʿʿ~(

!nV4{~LLLLG4j
dim!Lmk,Af2edededed?=M9rp@%eeee?a	sxn>bs+=^3W_}TiXdn!v~uVUUU+xa,|H)g0ñF9V9V9V9XxBD\2z:cccceNJ~԰^|&F~5%w*p^m/p.VCV[|V?qh{^,k
OvKڵ˝u9-?qg*
w58kew/***qśHF unŻGٸxXSoB4"+QFޠ(اsM7}9llsTSxcU4%k݂d}9[F]'n~x
Z]eenenenenoܺ6y3K`Ѯw[[[Oenm(N;Hciᡏ}2*z+++n4-}My>
~Nk{)bЄu1iܼuc̟>&%eeee3r:VX
v?.?,?,?,?|~԰ȉt-tG'Y_XC54%{a_$.80Mt=K~^iJiQڍdq?m2ߕ.nxͲ}dpW	iyz___k+$h[Ecy)z:Ki>~Fİmƃ<_,>=W_5z\b~چ=mutrW|5#
:d͈Yc18|p?
(g&~shx #q1}/҄mNZK|[\\\Oepwm73cli	o\&W&W&W&3u3w>'[~N@/y+-KH_Kۢ@zZ:Fx'|OegA۫17E	#eRkoٕٕٕfg$JcP/qJwg{+џb?=ĖgzѦrtkhn~x__5kW'3ն^^Ud!N_4_/XWWWZomecnMVy_y_y_ykֶHݑ$[՘Hg_>z_ÞD(d.u3}}}}mIk+*tf	)trW~5
d/i)jk##Kgx{勯f//zgI)IoxqF\}}+}amڎ3ljP>X>X>X>Z}x{mAgRvɻq7M/o.U兯EWvWaiKebyayayayk…a֛
UJQygyayayaykBhk-OlNxO?////v_\_ַXJP)`΢7ٙrW5
:e0CvaspiBܱ3{yƟ+:cvmɊvxP/#R>X>X>X>Z}P 0fW셴Dbnqؿͺ.?,?,?,?|~x(Ympjpdz_'6	ʖO9d*K''''	Oٻk9$
G
nk0jتcS&7
CkȌjE
:\&b&h[4E.nmykTH˕iEa');&h"ML_HΝWn.s7qw]y4/h$\ZkzGIlPپ̯Dߠk
KV=CtmB*\'WfkyXWc;C>zFY(WlB\wI\`1cʁs﹞&%T5"G"VѲx6WDenO#y}W~ؕv]y," "DQmNѹD4)]m嶽VAD4MM8#rvϒ
8v_	aDF}Ⱦmy5mfG>+8"qWjۢΧ]vNq|}bD w
Eq홥r%mc6|jA#H4|F6Y'w1о#ۥYB'?y'_&d[-<-QRX/L*h"&oD*vI~@S졑xMDEt]|.VgcǶldņ6h#Nm
Q-tYUkR~i<[_08;^#"(܄$/ܨC}˕+˕k}]t(Еz]zCrZWd>qL$+7
x܈W3+?ϳϓ*6Iҕ^hs]9BuV[iϜ9F.ӮՎ}Pb]҉}Ʃ޹zα4"Zg^בD0LD0LD0LD0LڭvDmTçVVrs`Ңw+wıP[.ǯ'uO
'xmH#҈4"oEʍY<VC%v+;Wñs8vv
)Sϔܛܑ[ccWsvz)zvNax}ƕm۲R;QETUDQ7Q{iڭ/ҽr1WNjɾ]EWUt]GR<\
IFFiz&7򌆸"+⊸~C6*bM]k’ύ+C`_98ۏߑQ8`FMI%v2TdO~7]	V6k4%Egw?g󭼻vDEdYD7e9.f6Β5"fB"-B"-B~n՗ڡLbmV殥sCZEh>>^([ENUhV bʁ5{=}1xجNʫd[I]H*"H꿸;-Z\"ʡdZX 	 8$C8$}mEniˌ-kl-kߟEWl+".#\r/9u۬auojh/ڋh7WA۶Z<%s]3~7i/߾C_8~'l#|񑱥֤Ǣ9;tAeQYTEes_6Fmmz]l.t~7+YtEgQ([\M{6͢(-JҢ[Z-YvnZKKsvf,*ʢWYua5.eѤ~W#󯻷梹htLܫ
ҫ/^*gn梹h.]Y{)fwO\)}VrHwE+.E缬i<6O VV_Tt19h/ڋhOj/g)dքLV;Ct4+Sh8}-|Geyv_;jùEkZ+F6FFV8:֣Eo[W_vܝsJBʽ-zޢ?zӃm&sW)液(۞mAo[Eo2.pSZmxn*kBo[Eo[EoW\ikFחsdq[sq1{Oh-zޢ#b/[qP_~onǵ
h/ڋ?c_%u.4=*;_EߟEmV\uxw/?Z>TS4Zr{MW	xRSRG.aȅxOB()UZZ?aC_9>w>=#bGrsu=-{ߋ_KKpbCs5TѕL~A1b#ƈq0[%=JLeo=cx rq0#Af6/=IpGv]dEv3ʨ7uȸZw\idkg
(?}ܣj8*⨄wo{_C}w>s~Vr=9`K*/j:hǏKcV{ϟ{~rcncƲjа)sA[=w+7{؃+-D9+PVo.5ݲ
a**ʨoNdk\oӨ=wv;Ҝkm8c8Ҫ{qa(!':={8Ɓnco{؛]g	s̩ʙg#fRsݮwvh4Fѿm.4:Nڟznasa*?eFit3Ǧ[;m(멟&L2c h6f٥堘Э…
sh3r{h7ڍvH~8{pnsl6:}1\OfxL{\?gcs9|k=ћ+-7u+=; 7p#!miΥrGnuZپ%8(|V/|fץoէgXgidF?ae$Sr׸2}\?sv198L||0fI{WPR[Y(aNjwqG{.?$k:+zmr"080AiNsM\/4";_7:*
Ǯp
sZ%Gq(9h<ƣh5^رڷώF12h=GnqUmEGʴ\;rr9Ǯf=KӦe.eBrnG{G_2Kr~j3ѓsrp|Gf/c,ܾ3k猄`"#>x&3Q)Fnmq1!?# kܤGD3jmu)Nm?.сDx,+[Mr9ٻRmLQQzGQ-nQޗmu1 Zǻ{ݣh>t3d3|f[f&{4h>bƥWnQE6T=֧F~G_aժɟj&.eٞG~x.BR3<+h{`TT?
8jչ,M?ŖӔr
"Gs?33U#jujo0pO=r|p2czla0OdTn̨l鵘0`8؊l4epFthXy-X[:AܯO';αSä8<l2}3ϥ܎x=jHZ]`=	''w!vЕ[zU^n.`l
6
*hѡf2yqqA]>ʇQ3=VrXzQ=)_#`0X$W^d5񯔃Xu|>wCq_)BJckjǽl#`x;#+E]GӮz~cm0?0FFF7;8rS_{v]s\aVvlY'eF׃}dKij
W
\+p?]yT7Fq+
U
\+pL%?%df³^ǿaW
\+p߸x/y✫I%rÕ9l-,)S:-\3<)t[`l-_?QT
^W1SprZe[`l-֖wųͧmQL;̇/3p|۳.b/{J^y|lXk`
5\sYs΅?_
|/|6rug.?쥝ف10cy̹mv*ѽycz[+10Yڔb:0):}=`10o}hv^?FzN"cp>c`̷%,q&2zGp5nw[/_ƈjpօZǖU|~9|9_|׉9S5Wk?׹qe>|/oeDecګw~jQ^>|Y_˷f%m!W-Uv}ϩ4ه/_|kDzqiCW1g7_:10-,eYֻei*+3a10o1F[;>yfam.~';8c`10qƖ`i#z;zYg3p|3NM4kFedlkf3p8ga2їweV~.wl08}ŋ޽hE#nOp*8#x)>*s\S^u^T?wu0=se'#돕#|<'<z@oӦ~X,HoNcrLV۬Ymz5m'S.>-r3:iiBވ։2羊me! B?-Sѫnk9x9}=@=􀞟5Q*YxwK4)oz@IW^b\.-f=ϺmjQ񽲎V	Bg??$ֹ|4[<˷>B@! ~S/M0Fwa{/KW B?	>.m,}9r)4aLI0	&_}P3.K,GDtӤ`LI0	&rlƹ13s@s~5i$`LIؤղD(esNiҁI0	&$~I]umYnlr+g']	`LI0	&יָ1[9siRI0	&$~	&$`ү6)q2ҎakP0`LaDc%J,-[r*ޡtN	:Ax6s߻9En/ތJ`gٞ.	:A'o*U !EO-r@<boF(@(D6Uw+T
Kjk}u{5Sp
N?h"#-f%t)8S)LFeN&e[NC$Sp
Nv;%1f5&D)1k?TZ4k~)8S\ܘ̮dBwY]S)8SjfY-%-ԘJݾΧp]:Sp
N?V!?xQ;TSp
N)8{þm59"QcԧSN)8)V~|M[yԀSp
N)8fs|w5јӏ<(Sp
N"~-=U|MٰSmfu;x;g5^
xt
ԀPj@OCUq-N3͍̖Dm5ԀPjVP69#_%G:j{Jn$[9Ԧdʹ*e5ԀP%4cYqr6n޴bԀPj@C֥ڵZQ)FrpĻ9q5ԀPjMZ,M֤)+BmDPj@
Zsu881yIl@
5ԀGG*Ԩ
ưjq`z%/?7nͯ#W_ÝA<>x)HJ-C^Spln4<@{q'+"1疪l5TF+^W=L`}}Ξ*DWws%>`$UL[Vsr7Pzܻ1uOs]y}B#`_>ryI.ũ֯:20&`ήmrœYr
Rm\\䯘XĢV?-2!^=Rs[kuT맵~|W47?^׏hA.O@ֳ?e)\QrVh(9ErǞ>>em/Styk+l2֣h=Zֿp/bz yec915ƺZh=Z֣h˶~2~Ӧ
Hq
>e/h=Z֣h[h*sdts뉟܏lGz[r`r-*ŨL.K_h=Z֣h^h[92ȾWmSMG{3..z3[qS#G{c]Mέ[UĹQr{-=r-tGQ{ek_ܛ?We~ح3j =bؿrqG{
b={G7}ƫ,>wF:Ǒ3=wRCh=Z֣RTtxW[K4DXdc8{qKZ֣h+i{66;Ҁzo=h=ZֿrۉVT}:Yh!ϵm|
h=Z֣h˶|3f؜[y*J֣h=Zֿp`ck$焷kV|]h=ZֿrXG{G{/^}YWvNj[F~؞\+jڣ=jǓ{G CVg6%>ys{Pܵ=jڣA{-b#{G xMjڣ;{G ]3*DZ⓸~=~oh@4ZAa,]9jm?O|$GWM~HnMV5JUOx#H'\o&RuokO޵gcG=5i%7ÎZu?#X+gVi{Nhz֌3׀q4h^
Q;ښ3s=.,a|>]][MB\{L/$@퐐ᇦɰ5.f[9>HTH) o*EUI)TG \#y?$@ V(GXaKV."{"с@H-hkx2@H	 ~HddY1/r)&u	$@vLr
aije>^	|xV,Mhh6Զ?OGX``{NPZZ\ȾkX`'u>Ϝ:vĴD{n,ÂZ`,|Z2eN@K+Qp)i#'>W΅Dyة@?{h?ڏhgiL%lKh:\χ{~G?GCeo/TgDsoG~Ӵ8{$vRڬvG~ӴOnqԜx^R)=8'W7>lYrLUhc?uG~99g8[07)>Vϗ@~G?ImF{}"5.ز? LLthkiA F72Ij@H	>h"sfZ{O\i?.4@OCjc3eڲ!u`
43kk_[e{=`6g=_	$ggjrbNCZϓ`l
mlln"^hiTtY\Rhӆ	 ⽀ 閃m8TZ*w?jm?X@ =w݊4yʟzx>ށK
P*@śQҎRꞳ2e\Tx/oEfҵT.#FhAܻsjq
&^7bVMa4_tB̈2Zfr@r;iW]ϢYjgK5P}tGWEڎRcVheHs__RA_QO^{x{\?wQg_ُiJ+u/^z@m`0`0scPy^hl˕3h4n8Spgqw>(نQj~ɡ/ǎ>JMǎ;˷FAWb빯?\Cks~K5h>h+7?rCmnNБOm>8c88;eȸ˵iyZ5/ox,ιw9('䡹{~FQG?K75>xsSZEƺTGQտէjmkh	oŻ֥}@Z,fކM[6J#a5
@(gS`4޻G.F'4KL pOaG7BuhFxߏƯs\qoq=G)Fɥd$#?r8OY)]yY3Gms:Yy]\E΅dsPM?<C~Oxtqr$4ynSٗ~}zto
\\}0WG>c0@y Ϗˣm;#Fru <@"E9}QF慺A}y <9OReJ@=F{3 <@"O?|ҝȑvAZRĔGW~n4FAO=nU!tŹ]FׅTn*}.wp->[|h5=sx龅Qt|f0Ha<$NNn%vŧ}T܁;pN,gBveөKz}`A0sn*ε̮eO8
_I\ٟ?zgY\ޙ/b|NY#K>2#p8G#m:mݝʎ"⾏e޵@P	(%/E)hq6iY:nG(^khuN)M`]ە&mX3
FϨ{K_~HֲGܣO]#ŠbP}$Ŗ/uRWь5.4j	A1\>f,Q5cֱ\Km|5.vގNȅHbaa-;VʉvNVILQr3xG7/-#3Keek,µ+[#8z͜
*{n:iNʆl;XO`"*@1 ĀCzQǨֺYrURʧz>Fn3XH $dIvZVd9Ui~S2p8gs\ZեnKlZ
oH.v;Vhz_5Ġ
6@k6vDm]fImZ\k~/5̠
6@kvlٱa*͛U@hmUhRrHkvJy\?)}wp<K7NruK8j3[Y-OԃzPA=%nlg]hOwvrC;nwok
M0+.|2|83zA]k}Z.0!mь
x,ab! B(ڛƋg&=Yvp灀B@?=[gՊlf1cB@TWgp;cIsQn`1ϊτ}o"}pV{!9vDVܜ	BXa!,z<^zg}柷.GkҵZ4ol^]KH6oĵ$ZPBQ(
E'Q4f˞H*x.RtRX
Ka),4s_B5uxT\ރ{pyo}\I.t9GN׼q\nb.(t.ZŪ5<ks+U*TPBUTNCr}tfwyWkczqz\'!b;?^D|-LP
JA)(wKhYM/ԖI'Sx
O)<|xΈG<=@U
T*P6m	$l露&밺ϙҏ).G	#r?1ike-Nd歭ףsT9*樘9v)k9miv5kWsSVx)+)j*ZZ$rfڔOz:]BY(e,PBY(e,ZVQ|U&2Ytn;z(KPBY(e,sV;izOI]q;7{nvHi!-~SˤFtEo٭<~Ԁ+-.Wy
Z\rΛsig%Wc%W
^uM\գ:9gj4b^MXca,d9r
K+z-]|Naa,0X:r,YnOc70Xc+EԲ}ґȴӿ{`,0XM^f'rw"rnKϷҝc?41*@n#YEJv[ݲĩnQlUfqƂ`,Ƃn,5Z*y&ӔbϠ*6a2/wuU]R_eqA+U//E/29ih5F65׆6.B6׼j"j.44@3AȀ/Ƒ1q\Cmsl(\w܀(nW(nQܾxlgrڶlf !/*\.*\ToXᦖVWeٵ'#/΢eAYPeAߪfsVjf5*en.{ݪzTO'|,('˹5@C@01Ԍwjl}H.Zxj2m;w8OAhߒQ2s(pr8ޘtgi`i`~sL>ʛi|Ȳs_xX3^<[lkIq<^9/@Pe@P_ٳR{Dw_zizZ-izZ欧=iz9UoC}Sָ΢Rs[)l,!=@:jrq5Z^Lfsʖ|xpp#=jVRêw#ŊQ-Չu|>;;8t-inQ|ZZ{DR3@<x!4j]5*ߚ6<[ֽj߫>M\v=ЮI$H 	@I@ӵwN-/KU{eH 	x$k`̽fWfբQ	0=Z=]o/>\G	]-]}H"|`^	TH @:tM+̤Dd<
9r	 '@NssܞbZ̔^9fWZr	:$H 1@b+$&maԞ#md ;@vq#FDm;%ε-;H" E@)R"$ᗞՕd5#c:
RӨ, Y@d$_.Y(͹Rxz$¿dHlg^(v9lWkP%h$IǕ	I(`D+%QIF9mRzzJ	fiH6|cH0-BQRGK{ԝH^/.h2_x8hOcrZDyY9Tq8΁s8Ӡ\yNUpF7upcJP1Ɉ\'K6F0]7
pG[$p褖,ٷkL_7miO&γV2?7hJ{dҡC%;ARuZ#o,O*-{5^hk P3z^ƶh(/Lsiވ@Su&)ĺ
xx1}Jۖ(&+
x@=P@=P7=q(WYL$ut9~=>go~;vMfM|2]R4=  ~ܼ-ʥ+y=wIEvQ7v`A`1x^ZJ4kF%188|dbf|,M9Y}ߠW7@> '#
/HF?)ʥR>0m[s(" b1LDIEf/B\MyDO}Zx:,˸yatcW{ӕ@)P
@)PPZk_:-륰epʃ۪t΋@PT@Pԟ-ۨZj+?}b[pg6X{C(*
*_O>֑U1f_xhƷCӱefhZVhZwźuC0UU;+/[Z@hŚ kVfkVp͊F=&3
0n3kvR|:<OS<Oӟ4XQi=yVމϛUO-@-@g+մ#HwiT8^<	
hZhߘdR9ዕCp6Κ@ZhZSwIZ}MlI2kkP7^5|{oYR 0 0;YvQjK8obw
NQTbh&X\sHֻ.C / /-UOO݆-O;y///>.~$kZm.
j)J(KKYcffVafά3*] $,9)˲&Df:E@-PZבޅ6%.{f@]um=ANb^xO('˹5g1Fa<;޲GG&;޲-9rBV@륮m=S.8ނ|뎈9[k8A߽{J썀4O~X)ꍌ+2v"zWȕUQy;\w&ʦ&I)2[\_nDpERGCiqHk۵}WzBzDzHf
`'?gt{@x$Rws)ҵA$*u*,
-xdБ̳Ҹ׻ܛ+юIGD[Ѡ^{"7{	yRrg1wON[#s8VӖx`ou]"YQBq.||6*-Zķ+#h'jʽ]C5|JL@GetXi9lTI6ˁl?d/ri͓^q-RvW^(FgܪY}jwΞvWdEZejƣXJI{S+|κ+iG()5{C⍤Њޫ^>'#E*-RfY;CjHTvL>Ѝޣ=CQ`ˉlYQq,8>ڽ'nxf݃+ENgk>c6M>km͑1=3OUʖrHkQz=G]G#> -kd=zJʟՇ{(tVVX~GbYֳ{c۟_/˜BEWd%L"}i*%.VFm44#/LOH=o%?V!/qˉK|91\$M["IxySkwYL{V׍~#ljϻ`yG^ƥ9Z٤Bs[c	*oBVYoj5t(	z֧+mӧg*$?E,Y]Q|.ȶV>I3k׿FYRg(RR3Ǡ{-܍׈"CXlJmDy񆷔t3HmB]F^[*ke"
K8h%
(KW#/#0$3`; MQȁC#k^xij2T#/ՙ)2:"%
ZתF^7Ur۴*5׭F^mٌ-vK׶xj%a>GAB}E.ߢyв9Hsr4pBoUH-"x|'- y&
1)<ṏHCGa!wR<ґN޳3_]=$=rË87O\g\mKNez9V4+/*WoX*]4%r>VO<0*?e&sPR=F.$6Mt0
`ˬIe+oqz$g6RG4aXv٣6a.2Dýu]%*T`%zF\S^nsXhNųϽϝ-tO*yśG8E8{z?nP0a%>4mC^
!YU(}Nmn(:QPJX<5za~Cm*
m
r]ݤE3gO?2oounFhHrΛ?%rq6T}F[L.+]ojx~&㍰N:~J%J;񷽥<6szOwa<{ңbϣy|ud7mU.$|oYF`!UEu[Efs.hsY;`{MkVm3
+'q,#t3mbΤ+2"IiI'Ш<ʵʬް<Qy2BmmOQ炸k?Zԛ%p?D޺6_4jl7/&\vlo淫zR?bTXe+Q*؎bH2I,\=YeU\9Rږ:H'|	bMR'FRW9X}Vk]zȉ(A|٩V}]vx]?X>gm,ly\.³µ"W3AGZJejgBO+[+Egur>˓_B^o2sVkST1go;K|_[w5Β`5!# >K_Κ<9
s\\99 qV7KINl;,iN]wv]9:
hų~z[)`Təi<#n@~.nSHHSŹ
?EmmUSVV:%3>>vvc7A/y%E|Vip@ڼ~<=	b;ya;{>!-m
r*rO?S&#ˮ~F1veD(FgiWW*~գWpIIK_iΣ^9{]<Ӯݔw&0V4yqNרl\xR>ݲFiT:	G)mMڬL[
ݳ	69/<(QE\u_=eEg-c}"9I>+Exg𙏷KԢ((]y|}B)؎LY88>51h)xΔżŚHw9I?{sSkίa#/'IM"ZF]7l[uZS}6y׾6,PSG;>l_}߾+R[iw)|P[SK4.i1Fgyl2*c9mQ4ًgș^=<>N7ψMgoSkRek[xDzo6DW&h\SDz^ٴ^
©_k^(>ȔRΎ=;?-Ϩ|ݬZ]_-^ry%gs]f((җt<"g=+VtD%gbiWiR,pq䤹^Ԣuv^4WD\C/ωɚϙʚ)_qҮÌJYVRTg ;PfHn^w|7~6dxd;wyudb"$ibܹyݯy`|wnƞ΁Ȟh0:~}}FdMdY$J)>N}ٰKv/~Bt#0ᚔ?JV]ՖDΩs_'NSl
o~O3,O9R*M;zNBYӾA	"HHV-)j7|sbNm[$-UA)PWV
5>Yԓ2yc[{\ //.QspMٴhyOX˵=ϕ6Mk#֧pv"SyiJ3,Kw9=5%hr59_ۨFQ;]#‚k-ϝ(K1_)Afٿ<03G(ԩ6& 6
b<%U)
J9rHApܟJZfL0n'UYefӾPTսPNY$G"IՄ#I5xqiَ'82Nt8Η~@',V}O3*V5rq:@!з疼}RsVL25vB軝9|61ڙE3-K
uj:xGP)T
Jv[#>Flָt@P)Tn*E9u%RK44tBP)Tn*YkvQ"wۼȆ׷a^j90U}?FNsZ^35lQ]T!UH޳9q=͙8kB{3e8ITӧ%+?TyqX

~8V\<=$Bx"5H^tffGQe[:VA3z7'\Gk+qr4m+vձi^DBE乬ZwUwG.%*?,='ԎZ*R*9nE8iBEmM(JJ>eP.2ć8.l	~-ҧ$:D4|yhZ3;ؒn>ٲH=]> 0jڵ!;Qx]HJMY6Qx^T!-H啽4hJӶC[\&|sbt!yA^B^4W-yuDhV*&cA|z;ٴaTs).[#McƠXiYtKu͔4t6h0*ƠXej4bˆ.8DEݟVzDAu=bgiY'ѤҶtÓ 4	GAJV#6Ұ6x'Lga_tҠ4(օBdS]Wŗ\cY<Am92/f3Sy{yV]:NkAH{ܵ^SY3g'0@+b%f{^IJ|eX(}WZMܑ_bNDu7Sk)g^4O9x޸sS)C?7]Ak#i-{4{wz=sHMk
zޠѳw$Q4[;VmfDAt/#:NjQTrU	i\{CtDRyrK;m$uc'.n.:95kj#=~IqٺF՛&Ax/:Ox}-KAŸm԰y֛W!rQE^
7z,{oKF&CPC+}/ЗUiռX#ռ	.QA)t^_t+)TY_bA*^Z*kĺΉGDtB?@`!X)r^ȆD:NEIdj[e.;ʻ
<=CV翾@^G k~\eVU1}hR6
m?GiTFr})iڗl	KJ
!GMZݚM7_Y%tNxqCPC|YmmŶMQyGK^Cr$]xl5unQ$fͧ޶:Ґdٽ(>JFM"fܨm7*Az/+($Eޤ^	Ց;OV?6⥯T-{)*DB/ƥW[꽌.Ƣ9m:蚿2
B鋈Խ]ٹlZ"&Ia[bϩA/W_S1A1Dng
BdX4Z%\xu)CUCRf}gm	mOkk*iqMCǖx2rakx5KdC+sp
<,ߕs7.C<7*=z)SP_۵k&nщy}>AC㋾f|[	0‡!|‡YiRx@|[tYF)}~?e1R[czt4e[~|N(5I%2ZEe˸M	!`j3{x^DګS7O{;K9)ʚ5/4`0g35g+޷}*Wˀe2`gfJiH%ѭZx<-Xy:aƟg4>g=O7[4g칶\y2_/󲤴syg+ѹOhɚEa20LNPʩVMmװ]z^g
#y5/.g90JNjNӽo7N\Y,x<7|9e5[وhqB,x<KU7)"g_ǸFm^G=vRh{u-˄j``0f`liRJ{ͽ{}yuեqn:jirSVn3[`aha-)i>vJZ+SQH4a'+CJ?>Sāo)/hJ"Kۅ:l!n&=^/}1%b",a!ue2xه0]|S"mȪkWJ2
C}|Cb]8dMT2mh9}C-vٴ݆hmE5,5<CwӦk+.,d1sl;Cg٦ԴZ.;K*}qn=Dѿf"L%%mۢiT~,!ZYMkOxfRu7{ug<5Lꚫּ"DήE)s3T
``0i&^wjl3t!kވ6+lqe2DSU=M=CP't9ܪԌg%NK.G%!&~4Z%X&ߓ}JQ`0hmI.B~r]]FF2k:vgL\.i])-T8NJlݔJU\
TXV𙭀uږ	刕yy}k ?
NA	'	IUq}rB뻩<2%Kk/v퍿ǀcct[LmE?I歞zZ筛a
lh-!;Rxk?ts$-DhiWkk'=C
.g쭴vvBЬOW*%nӻPӹ6OqȄp!\S*J-EG3*}}
BN%dۦZdQ.Kmp?y(
?3.}x:YGsonP1TX\͆m,Eme5k)Tܠd(JJNWͫж\jաiE#VR;;5C^-tCyB{O'>'4YWXp^iWoOu1kyyk^j85/):`/`^%RkL5q-Xwd˫@Ni4bf)HטĺTL&u르>fõ#UK"DL-g!V+JT}3D0#K%1^/O'qszIHЌvMxJMLS>4[ZgHנ<-742V??f;Y~pi<;oM|鲤c!gS-|	_L'W|lS-_$Ü`N0'sjigTTJ2ݎw-,
EEUͩbSMuDUqNS)|=&OZ]eE_wIZyi^x
^z
;Ԩ.hFRv}߽
Âa>aе>ue4[۝\uׂk>k.ܓI#R(\VmҬׂkZZt˯e5^T{܅zTuuz>3cUeRkla>>1I%U,3Yv7"y3`fhmRGu뒱ESfg3hphH^aGkvVܓݦ`k5ڇe}U_3ΒgFIsٳytl
[=TBNf;>5mab2S![+5l
&#mFrJqR&ڽYA5l
L=JβLZ;+hy[`kakiݸtgn9W7-:lk[z2tnrq]5uƓ]yU^m׻'`zbz)Ld2m]JUD.[O`bbb~GHa*z7O)RlE.:1L&}DZzRwj6ʚP۷mϭrl(]aXgHk8^ce[ΙoH-"`/hͻʊڇtćmJ~R/ p8	:="tNCeD=O'O_2ɘDKvg}m$z
2)x
<RhKפlĦCoY,p8/IW|lCsiSљjI8,^`/˿&*-R.5մ.R%.w{x<[)LUI؝ze[Ev6~
/~˂euBҶ>nRsSV)Y|߂o}{-3sNMf|"y}$2cUuP*-xYRoIWy`^080LZYdT"ԽNyӠOt}8N'{w'jbsph5BF}v	;`gΦ|P$g.e>;YiUV~OiӢr(4/3E賲i`l06ۃ[^mfZ7JVcwR-ړQD5ڭhK28;U
w{$w+hBf90Tp=nnp7ikjTRUf.=[npGrvi+i(Ud2)l?ۀnpGr7M:[]mP3!$kv+U@w,uaGi2i=]}?[x.TQ}} )#|v%Z7z~1l6VaRMjT@t۶c`p08GMr7EeFnBG8fn`gmg5͚זFk発-i4xAjnIfqFff2
c=kmu%jߡfKϋF[npGr7>452\l.m%zyv
`qgqlt6JisDZWs9ҷwyQv%nXmzr:
Chj1vsš+Ui"ɓϚ\^vc
CVH9,6MIIHZ4j~ڹ
C=D^c{ҙuq][N\
(Sjq+ja)S2GmD~x=h\m+]ҥYBIƐBC%z!Y%?W+WIRPf_MF}{73Àa7U]۬y5͎oILေSYe[vw+Ҿw2ʊ;[+5/GK?f^=Ϯ4cpΰT(Pj@
ޮuvf_{ѩŽ˧g>/nm[_'v>?N@(EءJ{ز*rO/ikճW1H 99ZWַX!|Jn|ߚ;
2b5&OK3pv]ݗBdJYP#3wn}e;14o׏W*o=UݙF|_rI5db$CVJ1w; @8$%<ٜ#Y6w4
OEĭ*LmqrSANA"HI8OTz_tNVO܅vH\p.EA\,OӤV<Ķ/-E.2p8~ W:$9;OdRvN@H	!!ҷhfc%G~2[3joӥ}	!!$XBdr/K]BBHф,hY]p4.䂐BBȏ&$Xi-hIq_ɇgM>p3A&78~4N[XVaZjus>Χn)@{=բޚ$|jL(݇?YO^,ݧhyƘ}[yoY>KoWm~Ʒ*o=u;LYk)ǻi8!!$הp>Erk%RM4brjoY95&PQh`L	O'ScJs2+pQӎ맇D"ˤ|U5{7ZǨ82BpPS`JUm.cC\/nv<	"@HT-$sxoDT8'u^fE>g6 oB9р>ԙ-fQVtԳ|ޯqY,%9߅m}wv(]s)OwcEx/6ϴ8wHUa?\Z%7^c^qΤm)z/chCgJy3f@h?J(!=ˉt{)2urm޶AhmWj%U"Usds]nMq ā8` %=I{FQwNuKuԁ:J5NBlkNmX΀<@o(Olt@ϕꉗ<@}>,ea)e5;Yvj<@AaXnlC6{Yڵ5ykYt{'zv)?xLJnwkV~~J{	_/׊ص8k#CSw7|b@Ә,0CYs#b@B!KDɭ
NNط5Ԁoj}q\Փ0~+Lدݷl1llscNV]G
)lS:A3h~]IH2˴B2u!ŭ7 
4˓&ҲҭŴS[Ƈ^u\m\"]ۡ<V%N)ZW炳[S~lt??]pn35w-g#xy79^mr=m[r@K؋#x_:C|N[% iJTsgsI	V~P+kU*;+5vv^ztkeʨQRBJHKIo86)՛K.KߖRBʏ*e3;mר$Q?YE\KpUTya5L:]߶uߊ/_6=9Gן@U!QŕrY+Gl񾬾JBV
Yy[!n;vJfevW
^rKOj^eJݮ>i[3+tO\e{MUYI,Zo=ca,0?76Pӵks+K%Qo+;Z<sg;5V[j/2X`O`4Z -CGjS,ewgy9]BRl=2e{!yMF܏
2X`G[4T۳b<,?*CeZYv[IΚ:J=5wc6f݅i
>ى+z+)J24@OI֩:)h,Q|f314@8'Iɣܲ5ygR,}ǾHi 
9#1kV1%inRCjH
EicqY?h7ԐRC{c56Ӷ\kp
"D4^ͤӎy{j\`l_Kh'j-h9{H^pl
a6I{t1efr,I9$p
5?ݖIhhE*0fl
;i&Zݏ6T^f
a6̆ٿ&!͍W;	c	a6̆00|0-=BKk~Գ2{l
a6l-ӧZ+amf
a6̆ٿٕ71?Cf+-7z:{tْgA:P@oL<|qytagn;zCYsgֺ;~<»nzCok}Xx2%cS;k,k6^zwA8ᲇYK,2t_qb"|q88EϓaN6[v80_sXEhKU]//G/_+{zSʬyfi$$_0~=`]wZ91զa`102bgKV[Zɺ7@(eWlrn1]~ZOswNlg3x/Y
MXkm_JB>gAe;Rԁ:PsG:eQqOwE…M;K	A:H~MBh=+S-M[f]wXGi0mc5w;كӪvQVQ-]w܁ߞ;᭬A-[SwjZ|&6wVUm^jcuYOI6	#a$FڲvlqVɂk݄gHN 	$$HR4cpY*In	#a$F&Cd=k[kkw$@H~@$w+J6Z)wë"zG_RcI~޻>u>'0R5r,|8&+7|Ͽ>{DwޒXCV'|}ɞ4TBP*j˒*x0]`U
V5=4VȰ6Fl{ec
.#E+Yuy?߆֘zpN~0'I1\]Nhݶ۩Tz$c
(%xP>y8zO?CϦ"_W<cv#Ϙhg{`.ޑ^@FaϷ{_%J,WRcyY`o7"X(,z/NJ]'z޾#pP8j|ކV..ulڊ9
18~,[CXe!:wV8%J^>էYBBHrE$Su{*	BBH񄴹5zudlU}
IߏxB>Dnm~Ʒ#_ϻU*ӟ{
|/?G$ئ1!&Ą)_+finž%'ԗ`lb(Q!6EJl>O;캗z/ZN
+a%nd5:ou(7>m50&Lu*4"_8-VR6370/}Y*-3ߏEKD_4
Q!*Dx"1VM9LZ^KV]K85p-
U*Tzi%DY
h\±_+|?d*k1l||Mtk8o[`l?ƖI\˚*dl=rr޷
B\q!Wkgoa5D,)+᫾wq!.ą+=G)э4I5O>2
q!.ąĝvz0^ܶbY].`٫yΫRt6t]v.
v6O?dp)Swv`oV]e:K+)p_.	v.`[ܫ{&al:ټ>s]v.Jp,^yy9Ug;v.`kOM`xsݿ]s1uv"25ԀPAutocm=z0y
h
5?O^Zd)Uk
A6?2b{:p5	A6 'vOa"['B/6V?o
e,;޲9ݛwXk$\f,PzY'z4*RX5u({9\?E0{h[xGeooem_pv6hہ{%L{~?~_V~L)/$410lT7k0	UzvC`}i|)er?X?&\2z_)_Z]qgPp?aroKC|e,zto3fBuҺ~ΑgDQ._e(h6[Y^@Mn׾]1zAϦS
TCgzmgu)n笶Q;-~۰6IdBYsog+1~//f^+;QVM+1
:1p18?d7kR-Li_p벦˧|fBɇ'rwFb_6Ui{+0U3*0UOU#	>mrZ38cf,}mn4H`|=7`
5ֿi@z7YTtl~2j}.Ȩpr3fN>5֩*<,sFyJea3l?ȗ5,vLլJ5Z6͇gnd@i(

->ݤ%{"uCTjP
AϢZgޣآrUO=xeϿ5uյћuVߧ`.dl
*r|EXLmOҎOyE(
wߋDu

9QMSJ4P(==fjZKtJRcflgC?N295RfxW:!pn
:CX+9̈́H7v^[`,EGAI<}t]Õyw"T?8[ETL
1M~F4ƏD+,/ə4~}L}x
$a#lFr<	baӝw/o#a#lӅIΦd(!eEoCkL=I8	'?{RGW#?˫{3\>qr`
(%xPR9ߏ$#MҔouw(kx<~O2~wvߚza#ln#U}V3*m_1#p88桛ݢ1b0.d"dGGlzgP[Ue#g1#[XK`b-wǮ56t8u>;ĖqbC11=Z'XVlB{Ϧuf	Y$`2Ye1
b-$Ynxƿ$D~ Qf;0&4KPsQ|WBU
UjԜXo*v~kJϸB8+|tgL:{.緧h}]*KK2{3(VDi[B\+k3Z,m6x_
q!.ą&*Sy|][]TB\qN\vbD.&?K1v.bUl:]/abV{x]vWܽ哨
hG?J2	v.`[,xZ~d
LUgpT9U!,.ң0-c`=1NKel']1H $g#x	E=ShkuiR	2\W~1LS՛<S*fa3lA6t!UݔrvH(m}=$PJCi()CGZf
̻ϬPs-Ics! dlsNjay[3Kd!Q/4߽.6+Bi(
@yŠXhaR~4P(uJBϊYdTvcBR	6&l-EQіvzkwz8l\6[}xu,a'석vTPi6{j-VQncN	;a'6bk!=转`gey+(BA}*W)gIzE(PPfe=.Ki
=
"wEA)(~yhgݦCy{#+gQ)<ߞڎ2yʊ5DlA@U
T5¬YIJ:CKZVc)Ly/צjBo*+[3vFm(I.?[+fHi!-~ˍ-!+EH&GQiK7nS}xe@ZH3l9[ %Tyzb.n6TZ6[}]^{??f
hyZk0)60c6n1t>rP),#4풟dn9}>ծst}xkŮϋu}wCtѿfnռﳼF,piMQ6~@_ƒ!UmH;f"o]t`uu֩!wO
^zZä-vAo@j)]O3^wA;hU+=hRɥ&IN;|7]n֛aPѳ4A5^O;|￙GPcҭ~8e!yT|_w3߳6NoG-cgۍ|ubߝ36`ߍ.Τ6NzٯbN
ӭo~ <~jXM$b4nsOg5|/wN5>^XtWo@@Lf>{#'4eXLmg~肞ezmNtz5BP@( ~Pn4OTGAR$lxeVVP@( 
B(|)YCuT|ZW$ɀd@2|dzޗl^UhH--ɀd@2 >L29gYXI[Ə΢}|=x_BV +Ȋ3{ަyt;^og@< O}NZ'̦zEK_3.O|@>||0IOsQvO>z-&FH $	
D\X|I+M:[%|$I@R|0+l
]Q\{WW~[n4q@\|Ƞ謞6춻[\2@f 3ArHIAٚRr{eF@p<1p|$vdtZd5z^3J>>:@A P>j^BuL˚٬J=s{D&!V+
bo-(%s2Vg>e8e=тhA Z{?Z6Ѯ6{l[&тhA Zh1kVZjU,ҹų|^jNr9A gq)lzZ]2KVյI=gaA l64l&[Ns۬U+'=laA l66+5eQS2+
W*aW`A v;>v7(ȏ?[&NG2yϱ
كA {=&{N0VOBPV/ZVj*r}HA {=d7Ȟ䃓*l֓ŭdU5s<*>?H$
I39OӪh!fw#N"R)A)c6llF)$k`v[tD
QA ja)/JguN)'}֓vm+=y3˿E!z=BGڒ8}X=ɫMzFuчC!}?"L2ղeW(EKb	C!ȿ?)j~&si3)^PA"A Bf'ˢdQX]镆>}Xaއq.uJEV"+Jd%ʰsJ}(_ͨ`e˼+/fN6$&Db"1?vbIϴhn>Cך1xX3$&bDl"6?vl.Ml2ǔY\[ld'ىDv";ؼw=9eSKęN(E"@?YX&!u,\+HtH_//y桺$+gzf䍽⡙Cl-N5	|B>!O?&VcK8{LOt_^!BH!RR=9+ڛ0.IBR!THT4TսFyU'c*$
IBR%gm[79+%7~c ̔1?$-z,Ff!Y,d2gVw!-Zv,gd962Bf!Y?;&d=ˋXkz}Zu+c!Y,d2]^{[G:;Bf!Y,d2gg[/mڭ
.VC׳d|ƽI>|y9*zC!z?g_1zikHgUpɇC!|BujIǪg6y?|[woC!$ևtř9d=l/z+3ۃ@d 220z2O<)7UNy[*"@d 2eXIU1Wcݞ@A!A DA>*@ML) J+t?פ!oL_!1ɇ-
|i4DiHߏxix+hὭz3B6]ޜJV~R+}[e2y`n^'Q1gI5q@:"HG#H
Q6ڽr0Z#s^goz;Dt$]'y_#;1ϊDvBىysi]<־;Љ`RyWVd%YDV"+?lV|ӈnzгS'FHL$&؉)EV=̙bNT綷cbDl"6;61F34αN:Nd'ىDv
9O>m(qH,[o9P(E}Cلv^Au5
w^Wݼ'5o8F}MoE5,r9E"gzw?AuȃKQ8KQw[=]MH[-iE"mil-kUګS_*r#|F|cFE"qH8ݞ5Eo399+C؛-ƓXE"v].bnR
g^5{F,ӷ7B^d/ًE~yo%feqlbӫeCSw=1A F#b1A F# Cx׈Y:z6 4A F#>W$h9N]4{A<b1A Fqռ4e[[yw9oALL_`g3pF8[K~fcy+?{ѭMEù%4i4F#HoƾډmH9|[Q{OHF$#ɈdD2";Fq;ۥHL9^~\F.#e2r{粚y,[T^ib\^g3pF8#Y5d+'^Nskx3#g3p!sjJ*ԂVkAb>{8cZpF8#4rI5w١{\B6aKx7 $KRW(q8m͒UC"ȫkZɇ>%`dL{Gi5մVx\CҤŞ9;+̔BV@uG<:=n۝'n߯['(6Vڭ)A>\ū]~n,tL0o;olX_lvF$cd12F9c$Vٿ5cv-ZZVWYn[NL8HhٗkG?Du-[3mĬ3I	v߷rvI='ԓz>l5]m;:3gQP
JA)(ϗ]lҌV^i}eYZkrTNzʉumwbpy}9ޙ~JP	*A%ݲM#;0[fUnAMTRUJU*U,'FoOWM+1fYOJZI+i%7]gASG-쇍YKsn8 DHI"I$Q$eX%ty5Yf+6q"q~,64FHYmgNcmvN7iH
ɸPJBI(	we?ӯQg[-Rt[c?ZԒZRKjI-w刣s+.viIwRwJOB2I&$$dLI2I&$$dC2㲝qll5YcMI7&ݤ߹a#o,)тM!2{7+$ēxOI<_Xi1[I,e8miRP
JA)(sA笵۰n|Xv.	ߒ^RQ*JE(YQ?WC.'mjmb^ޞx2j?_RRJJI?CIed^̶`U})Uf99䔜SrJN)9cʌ힡,_(:NU*UT~>c[91MM2JU*UTeU.&jmPJ+~-?ͫ>BGVJZI+i%/jhyӖjNڪ,N\WdWFI(	%$Ql8]'gcqFuM6GG(tSf=4-?%a;iYl՟:(tOsfﲟchhzW+k!䔜SrJN_LjOLtP۬aKlK+֘2iRSjJM)5YӘktSˬeM[ǠfMGzSbJL)1%Ӹ
JhʹC\ݕG>n1ĔSbJL)1g6Wוth3e{rklemύ\KrI.%$ׯ/Qݞv`]tU-$\KrI.}CrP/Z1ZZg=ݹx}kw83S`
@)Lt;fiK-Ҝ}u=R`
L)0{L7wNs9KնIx)0S`
~9tWѦ{ZN)0S+p,uv{[5=GjkHk/}mp@K`	,%־\'nS^gŋ-jkHXK`	,%'k3E]Ǝ-4Ms ϑ6PY*Ke,Tg+kOUzZ\mQ,{qeKU؄]>Ǿ=a=oό3uԙ:Sg߾wEi,ūI^.I7úWMI4&$DD5ϫ Uhh[D_Kt')hM?@uG<lj>=F۝'F߯'6V~scgɜtߵav̻Zy/ۡ¶VјǨ=MI6&$dr˵INkR*-s~Z46HrU3w6`8&۟4U[؆ݴ!kќg^_l@8oĚXkbM5eϩBӲRņRy:մVjZMylfSQx}ݺPlM)6Ŧ,i2\ENrnFrcvcTjSmMuL~\!"1=iz\9ҟ]G5kz{y_]n_=]6*]J"~oM7}^{-?Tg}Xn\i'VqԜsԜSSqΣs".ԑ-\{EmtQmM6զT߭
ElnjjVBUIk	7&ݤtnF#VqQk#=ݞ~oM7mVu޾YEm
 I۟[6/|		-|iK=_8lp6PW?'ğ/_$ʴ	nUm6RיDf@ /!\je4ڳGݶ	O39#-P
@(/Wޗ7vq>]xx׸͜;he(g9P
@(=#uw4tٳI:(gT
P*@أGϻ&w(|\vWEZyK
>
8`d%$.ĺ{w{VP.ux<hv%1FNń
x<\=xjUzYCkx/쁞W-*}u`]Vh
sKy <x+{@j-v@[dZF@@H	 &na5VC}To	J60mY>HP!$@HI*zŔf%^W-]D[
@(X^朱j]#o0Bv=4p"L0&&RE_qIh`)f6rYrnc0F=/g$斦VYFUތy)|)
R@
H
9_abU[{!Xt&5d2@ d=duecg#>}]P*<kyDӊ]Z;<8x<߆;[aP\l6ZϙGkyVWGi,;\KngnP
@(ogk]IcYer
_VKk
'h-ZZe1l0!;TCG2H]9ʧgYYᬬpVV}P
@(ŷEU~<xi1g
X+`V-+1[fQ}Uux@U
T*P߾kq5hGKnv/F4h-Z@io3|
۸U?o'Vth-Z|
Z5~8OgZb/\g3p8'{]*6^39b-پn;l
6`6uFI[
n嗓;6
6`l<619sH%O۟CCt8v;~U*jҖu ҃v;`M4LiGEi8ݖCs_.)~:5ԀPj@@_sǦ}0Wyr]ݭ&kDv3ϢPj@
5ԀPj@
5ԀPj@
5;h~ϫ-[+i?{n_'b
5Xk%Kg4VKRuw3ҘѕYogY
6`l<6Tzպy3:ٗ:jz|
7܀pn
71/WҬ$ZlYsWv;e`́90s,5ڎ_x6v[fws<x7ã,{{.3Tݒx<oGK^~J4w.+ۏ=dWY"=@}>@}Q|ZfLcYZEX>oG7}z^OD?	nFjխnIaQ{eoМ
q ā8@ibȻҜv2|qnhV+q"98spgsN=綛yke8RoJs`bo={`&Y"e{׽Զ=|>|r+l#?V-{`=EVnQuiX/7q*éé| p*<م:nܩ$-6v̋1xA< ySCY	'GڋEy;]+g3ʙ.&"P@(E󠨷9MjFgE5In\퉌2BF!#deԲV4\9N-iE#xxMs&XNם#l5//\"V
ZA+h[Z%UlV݆J2:x:W
_+|W.[%9Z}m$g}UAY d,@Ϝu5t
7LY:H{=ՐBZHi!-JKWuaV?@	cU{s&No?+gӳQTֱbXa1,Űgte#ٟl}%"Cd!2DȞ:B|sԹ{-S]d!2D"Cd=KdhOOsT[~>Y	2@ d{GK}NL-:661q;X`,e2XDuG\P
a3lͰ6ff~
s-❛z?f(U)tͰ6fa3lͰ6fa3lͰ8!yD{Hgj;i9LgmvBzvbzx|lVAY<ѥ͠44͟l,,?9,~6;h7k׽;Ktͧ
&5mcQnMTm~ՠTjP
A5~j$GdٿjSUFܫ2mƩcv+=y6^l=?˞ev,?Sy:/ln@;:RΨ/gԗ3G9(%;0pa8Tk[,KԘ2nֻZs7Õr@9 ǁ5,ļOr9 r@}0ȝ^ܶd],1ﯪt͡94Csh},͵ђ-i{e9>ՆtW.&
4Csh͡944Wvnj3Y"6e,K_l+z,WCt!:D-1FiXӐUݲ~|:\pu}PőӜV7c#"{I{:\puẏBsqv"j+a;lvamC+Ci>F+R)ٝ9Cx!<>vX7oi*{pRn`̃y0<`g`ҙjcmoe:Vl/AgJA=ԃzP}&im³bZ5:le\ԫPA=ԃzP	ԋ3lؖ}ҡFV؂aՕnj}>܇p}}s[u&qړӋ?W?ߧ_)KR_ХMY5:]]
"@ D~
j#4F_ۯZ\zdP{:a 0@U(EWI.FIÏ`:gW@a 0/@梁m3-v`^0@a J}}pX[hۖH34q /B@! ~)jQEUm٬[%OWz~0B@! /	YClM|GG,m& B@! Kb{jFUV޹Z2 L^
yC|!>ćkPӪ)Cv>s[>9
>@}}vZpҚ )=6cX/	@}>>%nVv~oF_KFzA?~AL:k;n/E9ѯ?/⿮Z{VehW[r?A  @қfD[R- w$ DH	"A$$8#9_ve`=ovo9|$.g3"TP*BE'⮱kժu'D}O6},b#hyv˫M}O>'D}~}Gު̅la&߫8tAAQ(
E(PBQ(uێcJs0iH1?((ţxQUVYG
{.$K\ãQt^1ŴbZLi1-ŴδEÐU&1CfY:z[`l-[`QakxԠ36TčQo[`l-[`aEkӪiQ`rylR9jn-܂[pn?8n]v35VbdPу[wy܂[pn-܂1\&笱įY[xH"]t.EH~"J퍚llU3	H7]w.܅p]+}7I4Zc|;/7=sa.̅0\sa>91eqk6-Ź8\sq.Źƹ> [*M[KգRv.`]v?vufհ[mS-)v[A"^ċx/Esw0Xb99hԖ͈"^ċx/E~N"N}]w.ð44	
)V{a/셽^{?eRI>[G\.m5~?/žb_}/=
_(L[f6}=žb_}/žݾ:agComok9-`_}/žb_FYz-Vk٤)/žb_}/i6G3l4ղ|mro¾b_}/žW\ju(!h͚db_sx傾b_}/ž^,tI
w
^{a/셽~bɨԳvgkۃҪí>b_}/ž3F:8keBZ`0
]fR:{bX#
`0/`uj7e3Μv&=`0/%f^cfv]۵4Z`0`%<]vm,}x=U0`夨Tq;¿`0_mD-f38m/r×m?o.p;hsj8\
ǫMg'Ϩ?>@=
?z(ݹۥ7{V.=s{[a7R~Ϗx6{	SowC~?XuΒ9]麿kü\6ml[nݎM80pa8?˵Iz+չִZ]KC3#T$<=cǟuϺgy1K;jP8E9+88x+4
yvEZc#9[[IU|0w?W3~?gse4ьnlKrF14Cch14J}-ݘ-{Փ1$4FHI#i$jiXз9rKlIc?;;=Ni8
4pNi8{3͍ъdC ݫ~5:#`jL15ԘScjL!XV#46d%N~15ԘScjL15?|.-Qů5֐<&xi:j\q5ոWj\j-fteIngI.:՛=ոWj\q5ոo\m5rkVͲ}ڪbjWp5ոWj\q5ܮg#uP5чNi+DR dl
A6 @vr^א&Rs[Ms~+FHi#m6FH'g'÷ĵcms5젶C
nm
6܆pnmܮiIR;&8ʃۘscn̍17ܘsc_3>r*cV="ր7xo
7޿olʋy5Lgalw,Sv
!6ĆbCl
!'&?;tscn̍17ܘscnmӋl-hSOo7܀pn
7:~$3lf.ɩ첵I\%Xܬ6Xkcm6?imǽ%,=/m$%^΅ۀpn
7܀pHZX=i\֭:_Vsnjvpn
7܀pn5[Nߎ40Zeڞ|h[nnunԍQ7Fݨu_Vw],cM>lȶ5):N7uwԍQ7FݨunԍQ}ҬpӰUm];2nt;ԍQ7FݨunԍQ/ݍ6*$KY{>?9to08`q0i$ϝa-|om{gXq<08`q08qٳ^TMc8`q08դ^J$EmtB}`8`q08;|
vmN׍ۅa.nY+G:@t{_pϥ\w]n\3V阇 gDܝ7o?'ò5y~Fsi=};޶zCo
7_޿]{ce5
g>iPbpq88pReuMn8WW8`q08߃ݙiL1hk6Gya#rD9"G#rDN)˫LevuW"o#rD9"G#uO뒊N9cCp=U9"G#rD9"c䱦(,{Z5Ǣڏ9m7s
6cslͱ96OarsmWUrmwaͱ96cslͱ96pINfqa.~=l@:JG(tQ:JGOU/bd[uvg*-q}m}Cuա:TPCuOD_g-8j~fC3^xu:^xc7Sb3E:vA;hvh#/uQdvh_5.ګQ8
G(pQ8

/wYGM-NBO.oOu٭i[ș(pQ8
G(+k)mbM]
g8PCq(š8mی4]zC͙5'5)8PCq(š8J5m~،Y[3y>
̙PCq(š8P+7kJILjjpVY\{q<8xq<ǟޭUb꫍wɒvw[uxq<8x	GսݘmԦqH%
'^q<8xq<k#֕).#Ь[9xq<8x=>}YcsZVQ܈'+3T8xq<8~|<,J`?Vw[_쟄p쟃F.=A9(rPʿʟ}kR~.=G_rPA9(rP>Ws4,S!ضLCFL;mRCBy3㻠LKͅ
G:C)7E'O~|;VopZ?sk_Of&?:(1y`sO3y4$?OxVKCrHH???&Y'(O5y8r(?0yL~lc巟Ү{?7vO]MD;8;粕A-!:DCt!:DHrm#JtFH=5)K^n/--Hs~RGE9oA#sd̑92G'҇-z	Xҝ팵!qMkT\v dZN|9} ;bG#vĎ;b6$nB˛vlG~^_^o3ZzCo
7z:eD[;G4{.Co{=zCo
7_޿峄V?-%V@K:;o7o߮Z]gVUc-s°%?9q88pq{9jQ{4	06-9܆F8pq88çr:F=vmepxw`q08`}1n/٧h\!2\\><08`q08K~f~`4n'9"G#rD9"k#hZUnB^+Xcq,ű8XcZUZO/kGeRK?ýű8Xcq,ű87G?EUtSO.{xXcq,ű8X9*nhz(n4m8`q08W6
ZlaY./`q08`=2]={,Pgp'zu*\}t:@w>|E74iնln.WO-.@o(tQ:JG(ߤvQq+S!yI١9Q:JG(tQ:eK1iZNq.-a>:JgtQ:JG(tw50lpQ7|~tQ:JG(tQ:J=JJ^fEvr)IMz(=tQ:JG(tfu[O{ڔ~mb-8!D3H tA:H wJe--38ϒ(NnHtA:H t{GK>st]6u泾kmwI][IqF;|wޣR:̨}=cx1<cx?pjsԹD.
 <@y [UΏГ/mar?<
G(pQ8
G_[>탐|۶d_bKݯ|\鹙~8(pQ8
G(wPFkR=MZ=
(pQ8
G(w;S[6Z]*A#iH[MgvpQ8
G(p][.갖	}.77W(š8PCq(š;_kVӈaiqa
Ii2oPCq(š8PCwmRv5:&.Cq(š8PCq(ߕ⫪1%;1gífCq(š8PCq(人i锘?{gG
-aK@d:khWz1CܪD)TD95i>`31@šPq8T*CšPLJNfޕE_)~r*~{?xH̊◫>|O*^%_ˉW*R\œ˥&7w*N`UIe]{Eĸ۵c~lxMnY·5W2tZs9b1C!s9|\]q‰CdV̊w@!u:dYC!#\kNJ4t9E]⿹M.@P!T*
ABP!o,YfZIiSj=ulABP!T*
A׽`Pӄ1Co%q/
VaU*l
[VaVgfܘPmSuH:V'
eBYPV(+{]ZcפnMݑ[CY
o[Vx+,ڵj'&{<UUY
yB^!W+
ynyDkdX	]o588̂
epY,\.>:tl
^[N~s,fjaZX-VjjVO|:[):[[m(Р߭6q3b3i>vg{`K)HjV
	|Ph^I~ֈ:N}1Ԗ8ȟ^W6ӱ˥v]{Eĸ۵c~p2-%K=RGsUWy7B[-zBo[Bۉҕ3(e-j1lݯ}_;,lTwpݮ0?`;j_-ʻk%?{wپw&wlr_΀w5؏G^e_cGY҅Kh_|8'Wb̉!M4DG%1,B!͐fH3i4C!͐fH33CHIW͝	c"0ZHH޾ގKb{Q=
F=ieo/:	Co[-zBoߑι^Uxj<`.<@~1S0S ͐&ȴFf$aBS>XbcK-Xqi,UYJuqM\
jBmP[-j}jx/jTI8"yGo[-~ooWͪ2+G-mNb[zY+0[-fla0[ӛ5/0Gl97*fla0[-ffyQ?nu:,/y}mla0[-fllWiҖ%-莕"z̶P[-jBmP[S9&w&riSqk,BmP[-j}n%]fjM!e3{'=6~e.t݅Bw].tuY;2u2^}c؄Bw].t݅Bwߙi}pNi:?t@w].t݅BwNw3ڱt%ڪg/yj\Ŵ/B|!_jkg|uꚹؙr7IqA|!_/B|!X|h:Jz֏.]LB|!_/c&Ǐ>:qwOՇ6|Ã`x0<w^v!b窬̱O0d2C!Ða0dɰg,;1{~w*$I52`0b1F#Èa0hf5L&fldn/5aĸF#Èa0b1F#F,:djjCH؅yVqH]qn7Ípc1n!xy|l,9FdұpA C!d2A A>>g2kZֈ@*\`ɰdX2,K%Òaɰbkoaŧt=$ɛqNI[HAwd*T
UBUPU*T5BV|LӴ#H*٫ 1tǕrv@N(
Y8+Bl![-bؾ@JYT2iU,I]lvna[-vvÊ5mI9fJEyyͻn(.ŅBqP\(.(EWZ>, qwBqP\(.ŅBq916,T)ͦC\<=yyw]\x.<υs\x{=6*gVmI8&ciA(|%]ſBvvξf3Ìa0c1f3~I3cS4=:[t4OH1R)C!ŐbH1J1*ilnR/0c1f3Ìa0c5c[4B;۲Iz{`0c1f3Ìa0mƶvN	8au\^]`ǰc1v;ÎaǰmE=ZϠdι{rܳh;v3c1z=CcsdNj3|:#BuP`,G#Ñpd82szXÛUT<,|̟E/ۍD9Zoư0_y?2<Pf{\ȝVw	}w0÷qh^@
u::׈:u~u1;8ȟ^Wܹ9ֱ˧nkﱱrwȕ"F&W4q17@ӫ,24T*
JCPi4T$UiƝ5Փ2O=݈ΩU:c^u|8Ƽg5jQèȨ1}`HͲ'땗X~zBw.hh44
FChh44Ѳ1ɱx#ۏݍMKht	.UĎ;rLG+L
ӆiôa0m6LM{C!t:AC!@}-ҝAG	zn-\K}}װ:px8<px89|%;wyĵ3l5?*"Z"{yb+o7T
;@\!ZIj/caK^CrU)x_%ĎM+'Mx]w#v>w1G􎤼+ѣ_YQ(~r}UEҩĉ8'fDzoRlh96$F(=y5Qaz!dxRPJ=	sWC%PJ4{J8/[[%D%
J((QPDA%
J7/QV^N1安[Qw*g͏eDA%
J((QPDA%ʛ(;=˽x{eUMKtrl}<6BPPj<<BPjZSC!*"fˇj/-[V((P0`@
(P0`ǵSSIVm[3Eڭ`P5j@ՀUT
P5jUCݦqau<͚EJ(P:t@J]:V;AKLͶmbk÷ҡ~@P?~@^Ek2TԄHz0V?T("PD@"E("PD?&mQBjeiX`dS*	T$PI@%J*	T$TI%vVeJU8")PS@M5j
)PSkMQdbxm:Dyݦ8]UtT.P]@uT.P]"ݪ31uTZ|qaj|Ӑtz;ﴞ)zR;)rW"iQìI&R2Fwlռ.I)9)S[mk64N#߃3gz(enes1i;d^(V}]NF:;cr?/+w]$k\M1p.Պ4yér]j;iJ#v7:{ďi*hM/ms|^%'i#z.WuSз]i
}[Y^Sm^m̙l̴-V0̍v'axK.MhbBcЇkY;e<	)W]*%$բ~Qy}t-kI2u8C҉0zܯ2q#2
)%v҈7myκb>p2ǢDўn݇u/i{fuhpҲ.\z>Kq3֏xT5L'/3*lʹV'Yëfuiٗ!;
1syʽp~܏=SRz=ԋUiW6tomWsM1g^yq,xiF/-b4 TqbM6]R$:8:u3rËH|L'ӡ%ںoA}pq>iThNnknqPhXGT/5q8ޢ<1oW+/dːJG,)VВKu_HUTM`+usZ\Т4j9̦|6K5ǛrYd4|mѰߚ{R}db>*w_p.uucŃW73FjK]ASb*suתJ^pm\}	v]>r|LwԭdҺJe,MCm%-޺j[ƲMd^nHٌ~|d=bWCω⪁v.5tI\2oK֪^w+tscYyo[!IBbUa\H2>B .>S\l[ĊXXMVܼUaDGV?JZ.Okj!3B{ꖕFV;IB{d쵖f,`4N폎C|XI3v3w~xsIΛVDh)fb;mt:*Rqke=-D'7p ͫBIUDU;83B!Y8?V8a%)s=Dq[o^xڌe[L	UiZ#e=*Bwk懻)ojuRw,*Yx
Py爗Lr{k.u^4AsC[߭Jֺ-nף$I}UgBhrL?=E"|.|úִN摜d=zueÈ᧋ ,=={IdK+"OȥY2NFіx1WkD+h{*VY'/Dە2[sEuDfi̊A|ݩՔI1O?
i!6uFeVY."6TWJ]jUoF},D:"Gz,YuI=xeu:4D]Bw^e};cv	"PgmL/d2eTϸMEf9=:2
zDoVkos%~ELEEE#UȪ׌SUWV5r>#Ӭ/Rb=Gy&^tdtx
/gBC!w=\]Уlo\lݧG]TJtQ.*E%DD""q1G.4tL]Y+Kt,ѕ%+a7	}ˑGɲȐ]c6l+-agG"kϒhsM뇭j$Ket!kgZ[83Hs,w;M	%EZdsdd|JW:Zd-YV4O+l,][bQs*2UHuH[Yx>'6M2ߦ=\i?0t8NRۃE?um}=S"t	p}&驍CHk#$t)`X'9&ӂW3<ʔU
1@znuTdwvޗmnqGFVUb݋ez?4F|T;;J=BtR>ҲQoh`v}]
=RYλwt;]W"KRZZMX%"FˡrA@YVn;8F`+@RuRy}sgQDO(Jv=픡?-N}V[KP	x|e5ip`gZ)O
x'ݣV=ڈ_=4(&GH=OCYmG7A	#ɸ*kmUn9KZٮ,fowlhZ^_yK͜8y6P҆'_&/˷5dGmc$gYWdr1f1`|LE'½n<ꙅ.D4
@|/hz^U	Ghtgڍd&+h
&9@nUg瞖t:Ww r׮EDZx{UMW9@9?mji
gJRkn=FlQK@9=/Ew6|3ߐӁ r~4>2([ώȎzd9@S.TK+iuXm2 r~Β:QX+mlMtw/F=Qjǥ?n_Sx2DQ@@TGlc"ٽJZ{cRWn=IN'YxrEHݤߞ$T`9?v{bbAgk9cBsnˁpw~;}vқvosbql<׍;[; HO>mIݽՉ@ #vLc".rY$ESj`Ao:3~¸S5ݣ$_4 0bA{P]mZ55gbYA`Ho1/>ֽKzu
w2e\@"HZk/ɅCTnϸGX#̹IWjWML5K'ݖo80C]ZwZlG]jҌ)auP!`z3*2Rf.
*8WOCHROGxƴupi#8ZHaA$D̹DuY2P$0	L~҉:t.NވDynެ+:}*Q4+$I@қl8J*~6-̽P} iI@$h9W27
{bi1d2&I`3iLxir9rX=$0	L~si14ڔtqVrt<0)R,t.xQ@^º9J.g-}tQ( #j;ԃ1瘃czv7i+?Up
>XVXL?yZc|Q1!U@,Ě;sl~<ll[O̔TgQkõ:l[S`#t8Rh;BFz`k<09Vs1[Tj^?%Ԛ쬷LaXd6Uت"Dو{MA  -xr]a?EW"FDde\*c}PF`99nV{,
F`ብ'?O.]FKN;݊3#荗s'%Ȯ-:yͽZSץcap0Q¬WGYjtTMYV	0#mokˮ@eVHԖF[ގwܪӯ@D6 ͋uלցu`XYhUKfuYV;:Xցu`{f>)CY*Qy`Xցuu֠ϝԴ͚eNm1	+t
@;=.znu:[K4VOijr];,2OO;=Ofޥ@=PcP/Wk[KWIZՑR{Wx>/S{ZdW'UFԈiW9]<`98mE/6'HB |mmIٲmE
!@qAH<䌮u4Χ^[5J76 B@aj.Q%nAg@B ?.ՖUJbB]Ɛy2B  V|"1;QY &ﯦudYәUR\yE"M`6?;6UW[VG}nwa`'	vix1]yaM]{/EphJ3ڤA|yiV΃,(ʂ7z,I6wjܽ䜃A(ʂ,(.SGklf|ʴ"nF.F`^s=d2By=\`0`hUx=*HޝW pyAޟd9i~i/6*4)U+?~_lu[ؙLd~_'W*۰v.@26俷)M<"Ot2J@`0|jK,k
WlۑrqUb1@oswkgVc6g,@eL_@Ơ1hkiZCv:ӌYRA$@2$¼mѰr:ʙLR.2.CƤVf-4l+
gLJ󘼓5O5nuyM΀3)+#%GWjMҚ)Sby<
B 4k	\|O1ly_s:wBn
i`.g%>gL{em>0jJvZmyXǶ6Z7
`6{GˤEh:d4wwlD"@mPAM-27`ҹGNǽn)m{B
eSR[@woGmQJtr>/劶W! o4m>tzdÂ9ׂM^BI%XnEoJ+/WO/O]&ug5SS:CcZZ/W	ӢcQ3IgH])d2$U^N\a9A,K:7)NK\iWiõFzJ_}ײNRQD,")"6+@L\`aLaW*mϵL[B32ev"r7MV-"כ"|OVu!*J<9w_ȈaưŚie2M"<1\d-sRWֈ.{|8pMB4#<,9Zx>~QFH#֘#z~lsΖ(KʍU~#/XMN**iīUR
JX#)\,mz̜5Lפ|eB >r4*I+Uyz(5։dbsrNeZ4ϖt??D ^]vjãlKr߭IZKu럞A"\wm\;GSFZ{:۫QZQLم﹊S쪮N{vb)ýWnYKBE"|2|M+JR\쭛{.0b	cnTgvz/{{3^dywtʎF\қydizÿLr>&;FpV/
mfb-;l7" .z-fB!C>~xH`!.xqq-SJLw}nf!;cqQ6E~ҶTD^okSxeV2<ere.bbd{t*-$.kijc̚R/	ʤUVOI41鱭X]
 ˿|6cLy%*Z˄-kٌhtYwnzzJ}dns85;Ոw++S.F8[[a5&5''L[D5/8بs~Lϕwm;dQwڥN꒩&MQeʒ-߈w5*߲
c
Y
$֞|T2NKDW>3/6[VBV!^\L{^B5ʃvi!jVnYU*d몙+9lUe%Ӹ&d
YU{lDh5|˪BV!^:(|N_ǩI6m߲ UȪ׿{ϣXs|fnYBV~ZRrm9V3O۸kBn}<;7O$2[T#vs˭]TJtQ4DA7Np7šBI_^tr9|	8Zi4enmԱc׫d+Kt,ѕ%kU*r^.2Hk%ĵVZ+5s_1	E]e{Ei$Ln83=ߗVE"k"km=6n&6#vzռ7Z5k5욭Q􋀸eX,yT%bŲ.(oBe
r}v;ֆGu#Nz2ҋڥ-kJD|Ӆ@dNI޽爧{bDrw+<	Gjzf"bd;3IN:@D|2DI-qwеb7ت8NGgK\bVoPښ8)ʟqS(Sg/kR%;2 we;kd
F5K=7
p#T}zF#ndKz.q^1;*2}ͬmʽ7~/S6  WϐĒUZJIn!{4yU-"ȭ~F`Rܕ[Tbvc3^\EL`(%@	P5]eX9gܳY6$%@	PJE(ƳT&:Xn()@	P%>{̎3/t5~Vɓl.@P(&*ȖXxLb*N{Ztsv*+V|(%,A*mduz-@˷kItMm@Ad4cJ'3#`Q)
hڀ6?ZIZ4*FwV䬮iSAm~t2&3Ԭ2W=T7}om@Mx|HQ:%R,SA
hڀ6?C\Yr^O%c{.6@m~6j[=$";eެHv;iR&f6
hUEL oOŇ
aڣanԹD窭
uO~ـ:W%%7;2ؒK)feiMPxn[HH9NenυGS9`Ώʢ:v92^Gmam
rj6wpqfSL%gqJi6>3Q3iJs7o2oF2@X>gRml\Y$-[=U$@74;8*̇xYfFƏ;Gp{Up,
\f_vtJ4@#ml'O.Z$љ\j46hF[s;Pvn͚i%fQu8=;nUd	|rJ'ԤRv%X${	Pax[i<ԂB%f
GBA2e~6б7'qR.:N?v3׮=Q1qNXt*:NsYbn\uT=;Q~**NSo]vXBZ+4,X
VF	|P7Q&~`	XE"%
wnpYk C|b"VӉ`&)É+>}#xabW	ؕUVq8T*5G5{!ryw$šPqۀSANjyT	h/Q`T0AzjD8Lj`lHE",0Nl=Xۼ)@^LUJe";/xYsQv.Zdt]@][7dY)w=L<*@V +>)Ȇv6y[lf]CʹbH/e
E\Q(%){>.1t{Ɓw:{ЮB^!eg`H5ĹS:֋zuu0W+..FKv	-UќLFk*ګnXW+}YֱZj!/t^Brp:(
x/yOjx9Hrg6^z>rS+zꝴь{4R|o[7
sŜMud:.d0Gźb]XYwmc뺙
Ŏ4{@uW+>4hB3N{po|W+![MoZ>Khi]\a0W+
sgOIm
'	7H/	bb]X|	
KE"jdW[㷌EU	B9~I
?XہC?@S_{4lF,b~MZ\&@)JB,tdVrT}tEWxZ<-OWn"ڔim
_rCpZ8-N؝NNrNixڙP5u8=bj1ZLLuK7dttC͟LkZ`-a.d
4X]Խ=e@w6N]E**ɤC3i+@7ۓ[kѵZts&xK4:df/kg=JBl![ڮ~(QXFXlۂmY7R}
:ݞ5mk@qEܿ?r(`wwEgA05<4|-牀9יu40E_=%2?XF*=4|[z6o_VN']m\mE0#0'XiLu6"q;c8=öHfg
^o#dt1keʅvu6ɏR,ȏ30,9""
̷z:Q'	1sFEMrv|\v3'ڶ![F&Sa,g4қ'Ba|Y(dB-pdύ0Fݭ	G܇%גϗkTGvT?Js4:Y.VsKWw^o=M{1TIE_NUٗ[+sqJZGFL(úߧ̥wôMn pMwϴЗFi⇻/%ֺ{31yΥGw#AUw۹ڵSz!IVF@f0IsqpTKýtIWiI9a=60[E&1h	MχdpRXD{l26qTTǠs"{*Nq7=];snrLAF),O=8	9rFө *M~nMh=LxL,FƁftS]8Tn'53§:RRt;kZμcgCZ[dpELc	mַz7`Ow=o8)FBxX;Dcg16kQ&rhO6AOq3gm/;
g-YF%,ZCeY"f5;Ah<sf=rX1L槯x=yP=6̾D
b=ffEeD_
dB]&}7QۖURpSR08a)LEd.Oe:p+eLQP`-ILtE|7k@WlQq}7Qbm{ݯ|;pv_z}j?;D3`#Scggs=uJS*a,"S:yoؽn3ENt3;f:!~p^}>=cj ck8QϽ@_?\DKF}3fo.
䌮Z0Z]nnFtW|Up~/6Vsf8뉯ٖ69qu}Mzh--P$U~2Pi[k7e?xo}Mpٜx({:x`Cp6mQ?$t?orݳiZsAӍ'Qi[01^}ǚ/SssNK]v	?wG%ۂmrfNE
fBuZF?R\eƧ#[1CN83',s-@)j-ʭ1h5LZBoq`ȸq:l;	/%/:ǸnvJӵ,]62G|ݳ~	}Y%`bh˜F8~03)33JdqgLJ|ސ20Ơ4LpzƂN0>̀$gD vPh[șk޾,ޟkԹ>:̓rˁG2TI2spsǻD(!z^aέs/ۍΗg޵ɰE7=Ǣ!eZ!S_=s%rF悙$.1?t]bYPFWf%YqM>taS@why3-1.6.0/examples/multiprecision/types.mlw000066400000000000000000000005151440160026300211560ustar00rootroot00000000000000module Config

  meta "select_inst" "goal"
  meta "select_lskept" "goal"
  meta "select_lsinst" "goal"

end

module Types

  use Config
  use mach.c.C
  use mach.int.Int32
  use import mach.int.UInt64GMP as Limb

  type limb = uint64
  type t = ptr limb

  exception Break
  exception Return32 int32
  exception ReturnLimb limb

end
why3-1.6.0/examples/multiprecision/types/000077500000000000000000000000001440160026300204345ustar00rootroot00000000000000why3-1.6.0/examples/multiprecision/types/why3session.xml000066400000000000000000000004171440160026300234560ustar00rootroot00000000000000






why3-1.6.0/examples/multiprecision/types/why3shapes.gz000066400000000000000000000000551440160026300230740ustar00rootroot00000000000000R(H,H-V(K-*ϳR0S&why3-1.6.0/examples/multiprecision/util.mlw000066400000000000000000000175721440160026300210020ustar00rootroot00000000000000module Util

  use int.Int
  use mach.int.Int32
  use import mach.int.UInt64GMP as Limb
  use int.Power
  use ref.Ref
  use mach.c.C
  use array.Array
  use map.Map
  use types.Types
  use lemmas.Lemmas

   (* `wmpn_zero_p` checks if `x[0..sz-1]` is zero. It corresponds to `mpn_zero_p`. *)
   let wmpn_zero_p (x:t) (sz:int32) : int32
     requires { valid x sz }
     ensures { 0 <= Int32.to_int result <= 1 }
     ensures { Int32.to_int result = 1 <-> value x sz = 0 }
   =
     let i = ref sz in
     let uzero = (0:uint64) in
     let lx = ref uzero in
     try
       while Int32.(>=) !i (1:int32) do
         variant { p2i !i }
         invariant { 0 <= !i <= sz }
         invariant { value_sub (pelts x) (x.offset + !i) (x.offset + sz)=0 }
         let ghost k = p2i !i in
         i := Int32.(-) !i (1:int32);
         assert { 0 <= !i < sz };
         lx := get_ofs x !i;
         if not (Limb.(=) !lx uzero)
         then begin
           value_sub_concat (pelts x) x.offset (x.offset+k) (x.offset + p2i sz);
           value_sub_lower_bound_tight (pelts x) x.offset (x.offset+k);
           value_sub_lower_bound (pelts x) (x.offset+k) (x.offset + p2i sz);
           raise Return32 (0:int32);
         end
         else begin
           assert { 1+2=3 };
         end
       done;
       (1:int32)
     with Return32 r -> r
     end

  (** `wmpn_zero r sz` sets `(r,sz)` to zero. Corresponds to `mpn_zero`. *)
  let wmpn_zero (r:t) (sz:int32) : unit
    requires { valid r sz }
    requires { writable r }
    ensures { value r sz = 0 }
    ensures { forall j. (j < offset r \/ offset r + sz <= j)
              -> (pelts r)[j] = old (pelts r)[j] }
  =
    let i = ref (0:int32) in
    let lzero = (0:uint64) in
    while Int32.(<) !i sz do
      invariant { 0 <= !i <= sz }
      variant { sz - !i }
      invariant { value r !i = 0 }
      invariant { forall j. (j < offset r \/ offset r + sz <= j)
                -> (pelts r)[j] = old (pelts r)[j] }
      set_ofs r !i lzero;
      value_sub_tail (pelts r) r.offset (r.offset + p2i !i);
      i := Int32.(+) !i (1:int32);
    done

  (** `normalize p n` sets n to the smallest number such that the value `(p,n)`
       remains unchanged *)
  let normalize (p: ptr limb) (ref n: int32)
    requires { n >= 0 }
    requires { valid p n }
    ensures  { 0 <= n <= old n }
    ensures  { value p n = value p (old n) }
    ensures  { n = 0 \/ (pelts p)[offset p + n-1] > 0 }
    ensures  { n = 0 \/ value p n >= power radix (n-1) }
  = label Start in
    while n > 0 do
      invariant { value p n = value p n at Start }
      invariant { 0 <= n <= n at Start }
      variant   { n }
      if get_ofs p (n-1) <> 0
      then begin
        value_tail p (n-1);
        break
      end;
      n <- n-1;
    done

  use ptralias.Alias

  let wmpn_copyd (rp up:t) (n:int32) : unit
    requires { valid up n }
    requires { valid rp n }
    requires { writable rp }
    requires { offset up <= offset rp \/ offset rp + n <= offset up }
    alias    { rp.data with up.data }
    ensures { map_eq_sub_shift (pelts rp) (old pelts up)
                               rp.offset up.offset n }
    ensures { forall j. (j < offset rp \/ offset rp + n <= j) ->
              (pelts rp)[j] = old (pelts rp)[j] }
    writes  { rp.data.elts }
  = let ghost ou = pure { up } in
    for i = n-1 downto 0 do
      invariant { forall j. i + 1 <= j < n ->
                            (pelts rp)[offset rp + j]
                            = (pelts ou)[offset up + j] }
      invariant { forall j. (j < offset rp \/ offset rp + n <= j) ->
                            (pelts rp)[j] = old (pelts rp)[j] }
      invariant { forall j. 0 <= j <= i -> (pelts up)[offset up + j]
                            = (pelts ou)[offset up + j] }
      let lu = C.get_ofs up i in
      let ghost lou = C.get_ofs ou i in
      assert { lu = lou };
      C.set_ofs rp i lu
    done

  let wmpn_copyd_sep (rp up:t) (n:int32) : unit
    requires { valid up n }
    requires { valid rp n }
    requires { writable rp }
    ensures { map_eq_sub_shift (pelts rp) (old pelts up)
                               rp.offset (old up.offset) n }
    ensures { forall j. (j < offset rp \/ offset rp + n <= j) ->
              (pelts rp)[j] = old (pelts rp)[j] }
    ensures { forall j. (pelts up)[j] = old (pelts up)[j] }
    ensures { min up = old min up /\ max up = old max up
              /\ plength up = old plength up }
    ensures { min rp = old min rp /\ max rp = old max rp
              /\ plength rp = old plength rp }
  =
    let ghost ou = pure { up } in
    let nr, nx, m = open_shift_sep rp up n in
    label Copy in
    wmpn_copyd nr nx n;
    let ghost onx = pure { nx } in
    let ghost onr = pure { nr } in
    close_shift_sep rp up n nr nx m;
    assert { forall j. 0 <= j < n ->
                       (pelts up)[offset up + j]
                       = (pelts ou)[offset up + j]
                       by offset nx + j at Copy < offset nr
                       \/ offset nr + n <= offset nx + j at Copy
                       so (pelts up)[offset up + j]
                       = (pelts onx)[offset onx + j]
                       = (pelts nx)[offset onx + j] at Copy
                       = (pelts ou)[offset up + j] };
    assert { forall j. 0 <= j < n ->
                       (pelts rp)[offset rp + j] = (pelts ou)[offset ou + j]
                       by (pelts rp)[offset rp + j]
                       = (pelts onr)[offset nr + j]
                       = (pelts nx)[offset nx + j] at Copy
                       = (pelts ou)[offset ou + j] }

  let wmpn_copyi (rp up:t) (n:int32) : unit
    requires { valid up n }
    requires { valid rp n }
    requires { writable rp }
    requires { offset rp <= offset up \/ offset up + n <= offset rp }
    alias    { rp.data with up.data }
    ensures { map_eq_sub_shift (pelts rp) (old pelts up)
                               rp.offset up.offset n }
    ensures { forall j. (j < offset rp \/ offset rp + n <= j) ->
              (pelts rp)[j] = old (pelts rp)[j] }
    writes  { rp.data.elts }
  =
    let ghost ou = pure { up } in
    for i = 0 to n-1 do
      invariant { forall j. 0 <= j < i ->
                            (pelts rp)[offset rp + j]
                            = (pelts ou)[offset up + j] }
      invariant { forall j. (j < offset rp \/ offset rp + n <= j) ->
                            (pelts rp)[j] = old (pelts rp)[j] }
      invariant { forall j. i <= j < n -> (pelts up)[offset up + j]
                            = (pelts ou)[offset up + j] }
      label StartLoop in
      let lu = C.get_ofs up i in
      let ghost lou = C.get_ofs ou i in
      assert { lu = lou };
      C.set_ofs rp i lu;
    done

end
module UtilOld

  use int.Int
  use mach.int.Int32
  use import mach.int.UInt64GMP as Limb
  use int.Power
  use ref.Ref
  use mach.c.C
  use array.Array
  use map.Map
  use types.Types
  use lemmas.Lemmas

  let wmpn_copyi (r x:t) (sz:int32) : unit
    requires { valid x sz }
    requires { valid r sz }
    requires { writable r }
    ensures { map_eq_sub_shift (pelts r) (pelts x) r.offset x.offset sz }
    ensures { forall j. (j < offset r \/ offset r + sz <= j) ->
              (pelts r)[j] = old (pelts r)[j] }
  =
    let ref i = 0 in
    let ref xp = C.incr x 0 in
    let ref rp = C.incr r 0 in
    while (Int32.(<) i sz) do
      variant { p2i sz - p2i i }
      invariant { 0 <= i <= sz }
      invariant { map_eq_sub_shift (pelts r) (pelts x) r.offset x.offset i }
      invariant { pelts xp = pelts x }
      invariant { pelts rp = pelts r }
      invariant { xp.min = min x }
      invariant { xp.max = x.max }
      invariant { rp.min = r.min }
      invariant { rp.max = r.max }
      invariant { writable rp }
      invariant { xp.offset = x.offset + i }
      invariant { rp.offset = r.offset + i }
      invariant { forall j. (j < offset r \/ offset r + sz <= j) ->
                  (pelts r)[j] = old (pelts r)[j] }
      C.set rp (C.get xp);
      rp <- C.incr rp 1;
      xp <- C.incr xp 1;
      i <- i+1;
    done

endwhy3-1.6.0/examples/multiprecision/util/000077500000000000000000000000001440160026300202455ustar00rootroot00000000000000why3-1.6.0/examples/multiprecision/util/why3session.xml000066400000000000000000000623331440160026300232740ustar00rootroot00000000000000










 
 
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
 
 
 
 
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
 
 
 
 
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
 
 
 
 
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
 
 
 
 
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
  
  
  
  
   
   
   
   
   
   
   
   
   
   
   
   
  
  
  
  
   
   
    
    
    
   
   
  
  
  
  
  
  
  
   
   
    
    
    
    
    
    
   
   
   
   
   
  
  
  
  
  
  
  
  
 
 
 
 
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
 
 


 
 
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
 
 



why3-1.6.0/examples/multiprecision/util/why3shapes.gz000066400000000000000000000214311440160026300227060ustar00rootroot00000000000000|Yo]7~9<$ۀr_mImw+5kc;*X,*rP^ﵹ\׷9<ۻwRzK^nX_ݿ6ܽ=5}Dϯ߽E7߄Zߖwϥ'vvC'z{.]~do{9\߃?/r߾-w4yz,OhԐxR#ӴAN^ڲTѱ%Ipp]'ACGk蟡m꯭P@&O"Iu
L}
ϣRUJ.P۲]^=jW_O苕|C$qR-s}3=ߖ۫o3t˖Ⱦg
.=/B1~Rjr#{~Wb_5sʴIJH˓w/^u4A",_)Y:|EY=M/9Kz/yD!QRɎ!M*ks"y%ɻ$_o^a#վW5؅9f}
Pj^WP(ۛ8n%qfxWS3!D0{n-
_ܜjo_\Ug:x_\9>{W+l
ި	l&nT~	dz˔rLvWpf4y^'(2ڃ&b&g,}Z#$lg%LCpg|hwnfɽMe4{}3"0sdgk^2H
/eB143Y;v/ٺ$;`&sGfMmƙk\v?tyDߚ
ByxXÙbB>=WC\E+jʉSz/YYJ߽{0iOi	#HoD;=#;I82ζt5A-:Μ?1{LGl̶!'nym7X쇺ӄiJ5=~|Uܑ?k6??tlnq`:@Zǰ
Rc3]j(13%߬H$ypذ'lfwxkm™&#~8[їS?aR6C|I(|58E̮CG"o*kĤ2O^9AݞGp{>xgkF|9cM2^.ozGds
adOᒽxA]qmO]MSZj:[t>xCCvb{
c»"vEZY1[>͒MJa0tXi:L4#Gh?
}
ۭÒVϨW=Z{y^B'D^xqQNj
?7gC^5zAmB^^PM(|;[
_ưO|
jX߮z~,0ُo-
^em_Baf
;].naIywu}G!G{GT%,6Ev\Mk5/ϛqO-_ȏ('qMȜɃ^
xlF%/Jݨڊ`Te6
oWmbChTCŔͺ$E+d7\^ڊ{aehœ@(,̋n+ykǕ6H6H^la#ue9M	fM[4Ұ
c#jt1ZX
8tqtK>"ޜqOEf\OTU9uB`y匠;ImJ 99z(y7А5$:2\t:k1Bs#g؊7q^{l(<49&pC9
0~O6s-;t-{%F4s`hJs=F>Vђq4PqX8D4V	g%a="q+]Ko.Ë-Sh5xJ:{:Z7G
jY2#tNh9V23)kh_]\ϧu47㰦Ѽ4BoLoo䛹*f.JK`4C|~jUۗf[W|o$mЬqu7oίI;ey,&m
X9]`ԆM0tvhܤgO*w^pE+pe^Khj=e{ǷՎ
aU}CkmSp_ۻn>~P77_|:?6HnL
S\gE?q?iX9ٹDoͧ(N7Ĥyvs2ϰqq^	P84-)Fq^7/ƭs֣ARK]PNp?~ySy{vC^+Ϗjc`giḵY_E9^uќk&mA75*B~ܪi/Y1$\s㹋y۱D&(IL%_χi}9GjڮT #⤨WjCǶUm=mkG;E[ś;JQFOP=WgؓܶvKM{R-Sj)!"H۬sz3+mƥˋ`-[j[Bmn3;_	32ĒNHW!ao{UyK
پ:(hWMkݵ:n>؅/=ev#2f|<=qysqm8G@x`6ޏ9u0d2ۑe(M^ÛVF:mV4M]j9tfBf*.QSK>:LJv*173źyBGh{M:#rVXMC|W軦UּLCsn[=>ٶ=Do!,ʥkxoѤK#kǙ8ƴ[Ͼuaa?[BЊ"+gV?>ŧt-q>_}lsc!rM<ъ'E	G?hwL(y>aprΎh=)TbS_۶p%E>J𩱜NG8ў#jsW5l(fh̻g*HӌbߥXvv	XH1f|!'/%L#9F4OeMyv>b</mewd(?p1*ܴtI;%wQFH_Ucʤf;(jiVjv:/{34$OuPӕeBt'fR2]mCmL稠nI5Ҥ7G>Tnq7iq	.wxG,)*m:e2cޕZW{X2'.B™TR`bw쪪Y;tI0YZXͤRPX-Q_p^#祺PJʌ]ٝBq-%mq䒹T>fv]8kDBJmk.Bg9ZEjQ5Å*m%zJ6B7qv͎㞉CpUyI\LǪe
5!Nd1)3I3eb"@Cr'ćʠu-^̤YsEU<m'7W"xYrR%Y2rn'%R̜UXOFDaגP+腕A1fH,^kZBZpTb+.H0KxzhE>!gTV%!Is\2sb?q_2**$>ʡTJ%X>hBptvg͕G0`H5EawIdI>P!AY'=9QEc01BDae72^r
}ƀi!Ƣ*S
VMa/H	r1S)A,UNUk0OE
\Rw5,0K`ZZ"ĘhGrt*2eh|f_(s͡-UWpĢp𣅇PN'`nfG@Y)@Bh>A
dP6x"6ʑG"XL&bG	t+Uc>FtW3υ{9a'{55*p oYbtPG@,c%X68$~(/crpF8|%N:
)UZ,G:Ns*94M
THVIMt(bqRūJ+4Ehee'tJ+i=X6\kuzx48\q=q8C?&t*$rM	X?]ƃ@+aKW,1&(MRO'=΁..$d|נLrcP@+PW0ďByFV'@2J{0+ђsw,
;O|c:_hk*,JfG2臯|!{ˊHΒU.٥Qb,
,#MXf<;cwkCFy<5& i^XIf_g/؍

?Emwa,@lBQoބ7"<d'AC;@4@F킶uhvhF^WK&J6s
T)yT]RG.*hG?G_ƌG315V
tO+|؂Ep/y*#r|'AM*['?Kgba-4
Vpp	h(ui)10^>OYI:pMLQIѤׂxg"AiJvlq?E.O%	iQy	:
4.(`>*L{n&b.ەNxbѱk	!KE-cS[aӧ
tl4tꜶA(2*"i&g~T3cc2|&g`k3c?0GGJNڣto0E2 g~쾙c*VΓ
rAdFpNժg~Ԇd:8mt8r. L0:X7-l3_?&Slʕb1*'lUӱGg\-Px}H=Q:t)<
6QE%<%k_Nu꿝Te`tQփO^rU:6D>Aro%Xx2VzeYf*FKk>-sK9:M&0"SݗZ9[Y(tjtZV04U$*85^9:.rD:yv\5>|KaMQ)5G!3Bm`|lNuq:b0e,*CgJQF~˩=iQ9|-sNP!P
ɛ
b4=B	*IqImnt[5x⺖1&EWmݩnT1t~1TbJΘWR\Nuӹ&2Kyat(`qlI:g?Wi.R :b
QoOu):Z:ΫIk.3[˩nA
>)<)B`VW&CbNʱ"0^"D{OWWwcmۊIƇYBh0*/$~?}z`-X$KcsbUAE6aAw%$ p%+[R+U'&Uxe19i`|5}++J,T4O044xx-j׊y.8J9+ov5Ez5T?l1%gɆ5I3R3MrT/EwB*zmQ`X
PKbR6gJTgTrii*`t܎njd9a)59=(njmP\@7CjpD^5N^"+8pID(
ZΒF@Kz{SUW0\#0[JC}'ŖϑhcxJZAp>4X 1Dəap4N3l\4i:/3е畻hHhNǔb10Yݫ6&ybdI7\Nώ/r
IA㹜5q@H%܃bX$bM8ܺtsL|I!!#*r5^'
3ut$EUPGg$zGףNLTs&5F__"$v>Cyfyׇ38h~陇灊~'RNN(rࡒ|}1Y{˓B)NGN(SѺꙗO
:l"򔳃d}3?O+Ygae	3Y<ޯWfC)f)qᙷ'|&b.x
7GїA[l0浩yf	.$u6f 1 < p
    -> valuation (n*p) p = 1 + valuation n p
       by mod (n*p) p = 0 so div (n*p) p = n

  lemma power_ge_1: forall b e. 1 <= b -> 0 <= e -> 1 <= power b e

  let rec lemma valuation_times_pow (n p k:int)
    requires { 1 <= n /\ 1 < p /\ 0 <= k }
    ensures  { valuation (n * power p k) p = k + valuation n p }
    variant  { k }
  =
    if k > 0
    then begin
      valuation_times_pow n p (k-1);
      assert { valuation (n * power p k) p
               = 1 + valuation (n * power p (k-1)) p
               by valuation (n * power p k) p
               = valuation (n * power p (k-1) * p) p
               = 1 + valuation (n * power p (k-1)) p }
    end

  lemma valuation_split: forall n p. 1 <= n -> prime p ->
    let v = valuation n p in
    valuation (div n (power p v)) p = 0        (* only altergo proves this? *)

  let lemma valuation_lower_bound (n p v:int)
    requires {  1 <= n /\ 1 < p /\ 0 <= v }
    requires { divides (power p v) n }
    ensures  { v <= valuation n p }
  =
    let q = div n (power p v) in
    assert { n = q * power p v };
    valuation_times_pow q p v

  lemma valuation_pow: forall p k. 1 < p /\ 0 <= k -> valuation (power p k) p = k

  let rec lemma valuation_monotonous (n c p:int)
    requires { 1 <= n /\ 1 <= c /\ 1 < p }
    ensures { valuation n p <= valuation (n*c) p }
    variant { n }
  = if mod n p = 0
    then begin
      let q = div n p in
      assert { n = p * q };
      valuation_monotonous q c p;
      assert { valuation n p = 1 + valuation q p };
      let m = q * c in
      assert { valuation (n * c) p = 1 + valuation m p
               by n * c = m * p
               so valuation (n*c) p = valuation (m*p) p
                  = 1 + valuation m p };
    end

  lemma valuation_nondiv: forall n p. 1 <= n -> 1 < p ->
    valuation n p = 0 <-> not (divides p n)

  lemma valuation_zero_prod: forall c1 c2 p. 1 <= c1 -> 1 <= c2 -> prime p ->
    valuation c1 p = 0 -> valuation c2 p = 0 -> valuation (c1 * c2) p = 0

  let rec lemma valuation_times_nondiv (n c p:int)
    requires { 1 <= n /\ 1 <= c }
    requires { prime p }
    requires { valuation c p = 0 }
    ensures  { valuation (n*c) p = valuation n p }
    variant  { n }
  = if mod n p = 0
    then let d = div n p in
         valuation_times_nondiv d c p;
         assert { valuation (n*c) p
                  = valuation (d*c*p) p
                  = 1 + valuation (d*c) p
                  = 1 + valuation d p = valuation n p }
    else ()

  lemma valuation_prod: forall n1 n2 p. 1 <= n1 -> 1 <= n2 -> prime p
    -> valuation (n1 * n2) p = valuation n1 p + valuation n2 p
    by let v1 = valuation n1 p in
       let v2 = valuation n2 p in
       let c1 = div n1 (power p v1) in
       let c2 = div n2 (power p v2) in
       n1 = power p v1 * c1
    so n2 = power p v2 * c2
    so valuation c1 p = 0
    so valuation c2 p = 0
    so valuation (c1 * c2) p = 0
    so n1 * n2 = power p v1 * power p v2 * (c1 * c2)
       = power p (v1+v2) * (c1 * c2)
    so let pow = power p (v1+v2) in
       let c = c1 * c2 in
       1 <= c1 so 1 <= c2 so 1 <= c
       so valuation (n1*n2) p = valuation (pow * c) p = valuation pow p =  v1 + v2

  lemma valuation_mod: forall n p. 1 <= n -> 1 < p -> (mod n p = 0 <-> valuation n p > 0)

  lemma valuation_decomp: forall n p. 1 <= n -> 1 < p ->
        n = (power p (valuation n p)) * (div n (power p (valuation n p)))
        by divides (power p (valuation n p)) n

endwhy3-1.6.0/examples/multiprecision/valuation/000077500000000000000000000000001440160026300212725ustar00rootroot00000000000000why3-1.6.0/examples/multiprecision/valuation/why3session.xml000066400000000000000000000404251440160026300243170ustar00rootroot00000000000000











 
 
  
  
  
  
  
  
  
  
   
   
    
    
    
    
    
    
   
   
  
  
  
  
  
  
  
  
  
  
  
  
  
   
   
   
   
   
   
  
  
 
 
 
 
  
  
  
  
  
  
  
  
  
 
 
 
 
 
  
  
   
   
   
   
   
   
  
  
 
 
 
 
  
  
  
  
  
  
  
  
   
   
   
   
   
   
   
   
   
  
  
  
  
  
 
 
 
 
 
 
 
  
  
  
  
  
  
  
  
  
  
  
  
 
 
 
 
  
  
   
   
   
   
   
   
  
  
 
 
 
 
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
   
   
   
   
   
   
   
   
   
   
   
   
  
  
  
  
  
 
 
 
 
 
 
 
 
 
 
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
   
   
   
   
   
    
    
    
    
    
    
    
    
    
   
   
   
   
   
   
   
   
  
  
  
  
  
 
 
 
 
  
  
  
  
  
  
  
  
  
  
  
  
  
  
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
  
  
  
  
  
  
  
   
   
   
   
   
   
   
   
   
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
   
   
    
    
    
    
    
    
   
   
   
   
   
   
   
   
  
  
  
  
  
  
  
  
 
 
 
 
 
 
 
  
  
  
  
  
  
 
 



why3-1.6.0/examples/multiprecision/valuation/why3shapes.gz000066400000000000000000000110661440160026300237360ustar00rootroot00000000000000ZYoIr~_0@Fmh&}1U&$Ii_fU5"5Ȋ+#";p[Ͼ;3gaMI\>$Ze
ot+:_=Ú
}	uKk_nZiOT{C6(=]뇳\]	Bo:YokeW?lDP/T+$ r>k-\?ݚnmF׸\Zp{s
8_oKBnk`
w=|$w_u_t_z@oᤧ}{v!oo$7ɋ=vkQ`f_jx×$ڨX,՛M,C"f+ϤH^5hguƒy>w-z/K>á=9-cmA?}R1r2hXHvh+Xc&B!RӘIU,
z"|$X1iwڄr@c}ýa[h+`V+>P<}u94Vyt,xwt[l!`/wS||vhN4>\})AJ=`Wzu9n4_~=ҊnӛQ'wcz5oz층oewï @'yYmyZ	1ko	#\8.@
QZڦ
ZADZ\w1n5kL˃yZ1haKޡO#z}}Cr6}\wyoq40]kk2ۛq6A.WOhFp'<"\xiƲ
x&C~F>~nͷ|tۇ\PӜWR|:HI3MHi4i~w8\Sڱy.c]_á|o74lՠAGvi.|m'uۊL~שDcAfdhşpK{Uw=[m7O[m59#dX-:)om>	1e<,)o)bIGs&髗x\?yl{~vF}Sp4]l;ϳۻ/o9O{<Ǿ>CygG"Y>__xK"my7ϣOqַ3k[ed\	{~P1l=7}fȡbwf~Û'6_GQdc){N]uN;4`|Ђж5︆סm&Gߟn:8w鏦/x[֢&Ugms7v9߅8ktm;Vli}#z|xtaM򏻫''ԟ0+`}?uC~ҝu7,[kmvѠhR^aV6O[)7t
%K?luvB.Lj+FG7ty1bc6Ur(aL?욲	8cu볚(&0VtӞ#ioOm$AȢm[ѰcׄMuM=m^Ώ}*irKN$yӇ-zV_x1}0Eab=k?G'RԾ7(:>
^=M.QtXB	>r,q0gW5RmĔ
qtF+ l:gB8e423xIa]Smw2;L'MK\\XZtoU5JLxD$eٕYNL):zUk'4yԡb!R7**ZPLD9cCLf\Nb) "b
6*JKbO5fr,)A'H2PpNJY6$VX#EJps+bmӪdjrżb\ȯȭN@4Z-jQndk/AUH)ٸ	nM
i\$=BZ( 
	b	sѢJ$E09%Y(hƫ
G-D_uB]E+B^9:UgK#h%9KLw|M:Uq>M	ջtK:&mKE0*JAvd\J;sw6Q$X2VG=ubV؂^ ^(SJN/@&	H0dTlm)ƴ:'ׂkI4nb͏IF8bP̨_džp@Ȯ`gۤaɰÌ6̘(Q T"T`1z`m X\pA'C[i}M?a1d@G;#$%XLJ
#/
qTH&Y\nuF2
B̰*ab}bX`h0(J6j44~hbE+5ֶu[3g~0
J@bD*{~Y;죺8-*eKm=Cdpxߊel03vQ@	 >Ԋ+wI0)ϓdBj"SUs`%Nzk~H6Z.1 Omd$dd+*E`8I|PA{SJl
]b0zJRAM8
-ӂl:TT	غ`Ÿ@!#AQ@z"C@$G5z
tjٚ9uS`}C0%LV\NC	-}YBr Kp52Nq\Q{HpC!C$`#1!M
qZϖՠ˾.Y$@ņȢ F'fEcDph`ǐMT'}6̼>
f]=0&JIʘ˱vqcmjx89zU^`RB_G#AgM
}'}Q?E:\6T"d5	Y~zdcuIQ	ҟ! RQpV⪊Mj?K^ԊY(ȑɌP,إҟ$FuZ=
߀'gL@hIx#ޛlkTi?I}0^XϦoo})nPo~z	H'U䥡R
 Qa#m.CR	.5Co>Rp^$K{$2|:Pqn>]gXJ=@eSd">mK97 PL(9EJS&A§|:\Hpbm̭)liLƄAY
Gwhy3-1.6.0/examples/multiprecision/wmp.h000066400000000000000000000101441440160026300202440ustar00rootroot00000000000000#ifndef __WMP_H__
#define __WMP_H__

#include 
#include 

typedef int32_t wmp_size_t;
typedef uint64_t wmp_limb_t;
typedef wmp_limb_t *wmp_ptr;
typedef wmp_limb_t const *wmp_srcptr;

#if !defined(__GMP_H__) && !defined(__MINI_GMP_H__)
typedef struct {
  int _mp_alloc;
  int _mp_size;
  wmp_limb_t *_mp_d;
} __mpz_struct;
#endif

typedef __mpz_struct wmpz_t[1];
typedef __mpz_struct *wmpz_ptr;
typedef __mpz_struct const *wmpz_srcptr;

#ifdef __cplusplus
extern "C" {
#endif

static inline void wmpz_init (wmpz_ptr p)  {
  p->_mp_alloc = 1;
  p->_mp_size = 0;
  p->_mp_d = malloc(sizeof(uint64_t));
}



void wmpz_clear (wmpz_ptr);
wmp_ptr wmpz_realloc (wmpz_ptr, wmp_size_t);
void wmpz_realloc2 (wmpz_ptr, uint64_t);

void wmpz_set_ui (wmpz_ptr, uint64_t);
void wmpz_set_si (wmpz_ptr, int64_t);
uint64_t wmpz_get_ui (wmpz_srcptr);

// whitespace, leading base prefix, and base detection are not supported.
int32_t wmpz_set_str (wmpz_ptr, char const *, int32_t base);
// not verified when size >= 0x2000000.
// sp == NULL is not supported.
char *wmpz_get_str (char *, int32_t base, wmpz_srcptr);

int32_t wmpz_cmp (wmpz_srcptr, wmpz_srcptr);
int32_t wmpz_cmp_ui (wmpz_srcptr, uint64_t);
int32_t wmpz_cmp_si (wmpz_srcptr, int64_t);

int32_t wmpz_cmpabs (wmpz_srcptr, wmpz_srcptr);
int32_t wmpz_cmpabs_ui (wmpz_srcptr, uint64_t);

int32_t wmpz_sgn (wmpz_srcptr);
void wmpz_abs (wmpz_ptr, wmpz_srcptr);

void wmpz_neg (wmpz_ptr, wmpz_srcptr);

void wmpz_add (wmpz_ptr, wmpz_srcptr, wmpz_srcptr);
void wmpz_add_ui (wmpz_ptr, wmpz_srcptr, uint64_t);

void wmpz_sub (wmpz_ptr, wmpz_srcptr, wmpz_srcptr);
void wmpz_sub_ui (wmpz_ptr, wmpz_srcptr, uint64_t);
void wmpz_ui_sub (wmpz_ptr, uint64_t, wmpz_srcptr);

void wmpz_mul (wmpz_ptr, wmpz_srcptr, wmpz_srcptr);
void wmpz_mul_si (wmpz_ptr, wmpz_srcptr, int64_t);
void wmpz_mul_ui (wmpz_ptr, wmpz_srcptr, uint64_t);

void wmpz_mul_2exp (wmpz_ptr, wmpz_srcptr, uint64_t);
void wmpz_tdiv_q_2exp (wmpz_ptr, wmpz_srcptr, uint64_t);

void wmpz_tdiv_qr (wmpz_ptr quot, wmpz_ptr rem, wmpz_srcptr, wmpz_srcptr);
uint64_t wmpz_tdiv_qr_ui (wmpz_ptr quot, wmpz_ptr rem, wmpz_srcptr, uint64_t);



int32_t wmpn_cmp (wmp_srcptr, wmp_srcptr, wmp_size_t);

void wmpn_copyi (wmp_ptr, wmp_srcptr, wmp_size_t);
void wmpn_copyd (wmp_ptr, wmp_srcptr, wmp_size_t);

int32_t wmpn_zero_p (wmp_srcptr, wmp_size_t);
void wmpn_zero (wmp_ptr, wmp_size_t);

wmp_limb_t wmpn_add (wmp_ptr, wmp_srcptr, wmp_size_t, wmp_srcptr, wmp_size_t);
wmp_limb_t wmpn_add_n (wmp_ptr, wmp_srcptr, wmp_srcptr, wmp_size_t);
wmp_limb_t wmpn_sub (wmp_ptr, wmp_srcptr, wmp_size_t, wmp_srcptr, wmp_size_t);
wmp_limb_t wmpn_sub_n (wmp_ptr, wmp_srcptr, wmp_srcptr, wmp_size_t);
void wmpn_mul (wmp_ptr, wmp_srcptr, wmp_size_t, wmp_srcptr, wmp_size_t);
void wmpn_mul_n (wmp_ptr, wmp_srcptr, wmp_srcptr, wmp_size_t);

wmp_limb_t wmpn_lshift (wmp_ptr, wmp_srcptr, wmp_size_t, uint64_t);
wmp_limb_t wmpn_rshift (wmp_ptr, wmp_srcptr, wmp_size_t, uint64_t);

void wmpn_powm (wmp_ptr, wmp_srcptr, wmp_size_t, wmp_srcptr, wmp_size_t,
                wmp_srcptr, wmp_size_t, wmp_ptr);

// not verified when rp and up are aliased.
wmp_limb_t wmpn_add_1 (wmp_ptr rp, wmp_srcptr up, wmp_size_t, wmp_limb_t);
wmp_limb_t wmpn_sub_1 (wmp_ptr rp, wmp_srcptr up, wmp_size_t, wmp_limb_t);
wmp_limb_t wmpn_mul_1 (wmp_ptr rp, wmp_srcptr up, wmp_size_t, wmp_limb_t);
wmp_limb_t wmpn_addmul_1 (wmp_ptr rp, wmp_srcptr up, wmp_size_t, wmp_limb_t);
wmp_limb_t wmpn_submul_1 (wmp_ptr rp, wmp_srcptr up, wmp_size_t, wmp_limb_t);

// not verified when qp and up are aliased.
wmp_limb_t wmpn_divrem_1 (wmp_ptr qp, wmp_srcptr up, wmp_size_t, wmp_limb_t);

// not verified when rp and np are aliased. qxn must be == 0.
void wmpn_tdiv_qr (wmp_ptr qp, wmp_ptr rp, wmp_size_t qxn, wmp_srcptr np,
                   wmp_size_t nn, wmp_srcptr dp, wmp_size_t dn);

// not verified when rp and np are aliased.
wmp_size_t wmpn_sqrtrem (wmp_ptr sp, wmp_ptr rp, wmp_srcptr np, wmp_size_t);

wmp_size_t wmpn_set_str (wmp_ptr, unsigned char const *, uint32_t, int32_t base);
// not verified when un >= 0x2000000
wmp_size_t wmpn_get_str (unsigned char *, int32_t base, wmp_srcptr, wmp_size_t);

#ifdef __cplusplus
}
#endif

#endif
why3-1.6.0/examples/multiprecision/wmpn.drv000066400000000000000000000104631440160026300207720ustar00rootroot00000000000000module sqrt.Sqrt1

  prelude
"#include \"sqrtinit.h\"\
\n\
\nuint64_t rsa_estimate (uint64_t a) {\
\n  uint64_t abits, x0;\
\n  abits = a >> 55;\
\n  x0 = 0x100 | invsqrttab[abits - 0x80];\
\n  return x0;\
\n}\
"

syntax val rsa_estimate "rsa_estimate"

end

blacklist "invsqrttab"

module powm.Powm

prelude
"\n#include \"binverttab.h\"\
\n\
\nuint64_t binvert_limb_table (uint64_t n) {\
\n  return (uint64_t)binverttab[n];\
\n}"

syntax val binvert_limb_table "binvert_limb_table"

end

blacklist "binverttab"

module mach.int.UInt64GMP
  interface "\
    \ntypedef unsigned __int128 uint128_t;\
    \n\
    \nstruct __mul64_double_result {\
    \n  uint64_t __field_0;\
    \n  uint64_t __field_1;\
    \n};\
    \n\
    \nstatic inline struct __mul64_double_result\
    \nmul64_double(uint64_t x, uint64_t y)\
    \n{\
    \n  uint128_t z = (uint128_t)x * (uint128_t)y;\
    \n  struct __mul64_double_result result = { z, z >> 64 };\
    \n  return result;\
    \n}\
    \n\
    \nstatic inline uint64_t\
    \ndiv64_2by1(uint64_t ul, uint64_t uh, uint64_t d)\
    \n{\
    \n  return (((uint128_t)uh << 64) | ul) / d;\
    \n}\
  "

  syntax val mul_double "mul64_double"
  syntax val div2by1 "div64_2by1"

end

blacklist "mul64_double" "div64_2by1"

module ptralias.Alias

  interface "\
    \nstruct __open_sep_result {\
    \n  uint64_t *__field_0;\
    \n  uint64_t *__field_1;\
    \n  uint64_t *__field_2;\
    \n};\
    \n\
    \nstruct __open_rx_result {\
    \n  uint64_t *__field_0;\
    \n  uint64_t *__field_1;\
    \n  uint64_t *__field_2;\
    \n};\
    \n\
    \nstruct __open_shift_sep_result {\
    \n  uint64_t *__field_0;\
    \n  uint64_t *__field_1;\
    \n};\
    \n\
    \nstatic inline struct __open_sep_result\
    \nopen_sep (uint64_t *r, uint64_t *x, uint64_t *y)\
    \n{\
    \n  struct __open_sep_result result;\
    \n  result.__field_0 = r;\
    \n  result.__field_1 = x;\
    \n  result.__field_2 = y;\
    \n  return result;\
    \n}\
    \n\
    \nstatic inline struct __open_rx_result\
    \nopen_rx (uint64_t *x, uint64_t *y)\
    \n{\
    \n  struct __open_rx_result result;\
    \n  result.__field_0 = x;\
    \n  result.__field_1 = x;\
    \n  result.__field_2 = y;\
    \n  return result;\
    \n}\
    \n\
    \nstatic inline struct __open_shift_sep_result\
    \nopen_shift_sep (uint64_t *r, uint64_t *x)\
    \n{\
    \n  struct __open_shift_sep_result result;\
    \n  result.__field_0 = r;\
    \n  result.__field_1 = x;\
    \n  return result;\
    \n}\
  "

  syntax val open_sep "open_sep"
  syntax val open_rx "open_rx"
  syntax val open_shift_sep "open_shift_sep"
  syntax val close_sep "IGNORE3(%1, %2, %3)" prec 1 15 15 15
  syntax val close_rx "IGNORE2(%1, %2)" prec 1 15 15
  syntax val close_shift_sep "IGNORE2(%1, %2)" prec 1 15 15

end

module mpz.Z

interface
"\ntypedef struct\
\n{\
\n  int _alloc;\
\n  int _size;\
\n  uint64_t * _ptr;\
\n} __wmpz_struct;\
\n\
\ntypedef __wmpz_struct *wmpz_ptr;\
\ntypedef __wmpz_struct wmpz_t[1];\
\n\
\n#define SIZ(x) ((x)->_size)\
\n#define ALLOC(x) ((x)->_alloc)\
\n#define PTR(x) ((x)->_ptr)\
\n\
"

  syntax type mpz_ptr "wmpz_ptr"
  syntax type mpz_struct "__wmpz_struct"
  syntax val mpz_eq "%1 == %2" prec 7 15 14
  syntax val size_of "SIZ(%1)" prec 1 15
  syntax val alloc_of "ALLOC(%1)" prec 1 15
end

module mpz.Zutil

prelude
"\nvoid __wmpz_init (wmpz_ptr x) {\
\n  ALLOC(x) = 1;\
\n  SIZ(x) = 0;\
\n  PTR(x) = malloc(sizeof(uint64_t));\
\n  PTR(x)[0] = 0;\
\n  return;\
\n}"

prelude
"\nvoid wmpz_clear (wmpz_ptr x)\
\n{\
\n  free (PTR(x));\
\n}"

interface "\n\
void __wmpz_init (wmpz_ptr);\
\nvoid wmpz_clear (wmpz_ptr);\
"

  syntax val set_size "SIZ(%1) = %2" prec 14 15 14
  syntax val set_size_0 "SIZ(%1) = 0" prec 14 15
  syntax val wmpz_minus "SIZ(%1) = -SIZ(%1)" prec 14 15 15
  syntax val set_alloc "ALLOC(%1) = %2" prec 14 15 14
  syntax val set_ptr "PTR(%1) = %2" prec 14 15 14
  syntax val get_read_ptr "PTR(%1)" prec 1 15
  syntax val get_write_ptr "PTR(%1)" prec 1 15
  syntax val release_reader "(void)(%1)" prec 2 15
  syntax val release_writer "(void)(%1)" prec 2 15
  syntax val wmpz_init "__wmpz_init" prec 2
  syntax val wmpz_tmp_decl "{ 0, 0, NULL }" prec 2
  syntax val wmpz_struct_to_ptr "&%1" prec 2 2
  syntax val wmpz_clear "wmpz_clear" prec 2

end

blacklist "__wmpz_init"

module types.Types
  remove module
end

module logical.LogicalUtil
  remove module
end
why3-1.6.0/examples/multiprecision/wmpn.mlw000066400000000000000000000020131440160026300207660ustar00rootroot00000000000000module Wmpn

  use export types.Types
  use export lemmas.Lemmas
  use export util.Util
  use util.UtilOld
  use export compare.Compare
  use export add_1.Add_1
  use export add.Add
  use add.AddOld
  use export sub_1.Sub_1
  use export sub.Sub
  use sub.SubOld
  use export logical.Logical
  use logical.LogicalOld
  use export mul.Mul
  use export mul.Mul_basecase
  use export div.Div
  use export toom.Toom
  use export sqrt.Sqrt1
  use export sqrtrem.Sqrt
  use export powm.Powm
  use export base_info.BaseInfo
  use export get_str.Get_str
  use export set_str.Set_str
  use export mpz.Z
  use export mpz.Zutil
  use export mpz_getset.Set
  use export mpz_cmp.Zcmp
  use export mpz_cmpabs.Zcmpabs
  use export mpz_abs.Zabs
  use export mpz_neg.Zneg
  use export mpz_add.Zadd
  use export mpz_sub.Zsub
  use export mpz_mul.Zmul
  use export mpz_mul2exp.Zmul2exp
  use export mpz_div2exp.Zdiv2exp
  use export mpz_div.Zdiv
  use export mpz_get_str.Zget_str
  use export mpz_set_str.Zset_str
  use export mpz_realloc2.Zrealloc2

end
why3-1.6.0/examples/multiprecision/wmpn/000077500000000000000000000000001440160026300202515ustar00rootroot00000000000000why3-1.6.0/examples/multiprecision/wmpn/why3session.xml000066400000000000000000000004161440160026300232720ustar00rootroot00000000000000






why3-1.6.0/examples/multiprecision/wmpn/why3shapes.gz000066400000000000000000000000551440160026300227110ustar00rootroot00000000000000R(H,H-V(K-*ϳR0S&why3-1.6.0/examples/mutual_recursion.mlw000066400000000000000000000013661440160026300203510ustar00rootroot00000000000000
(** Some examples of mutual recursion and corresponding proofs of
    termination *)

use int.Int

(** This example is from the book "Program Proofs" by Rustan Leino *)

let rec f1 (n: int) : int
  requires { 0 <= n }
  variant  { n, 1 }
= if n = 0 then 0 else f2 n + 1

with f2 (n: int) : int
  requires { 1 <= n }
  variant  { n, 0 }
= 2 * f1 (n - 1)

(** Hofstadter's Female and Male sequences *)

let rec function f (n: int) : int
  requires { 0 <= n }
  variant  { n, 1 }
  ensures  { if n = 0 then result = 1  else 1 <= result <= n }
= if n = 0 then 1 else n - m (f (n - 1))

with function m (n: int) : int
  requires { 0 <= n }
  variant  { n, 0 }
  ensures  { if n = 0 then result = 0 else 0 <= result < n }
= if n = 0 then 0 else n - f (m (n - 1))
why3-1.6.0/examples/mutual_recursion/000077500000000000000000000000001440160026300176225ustar00rootroot00000000000000why3-1.6.0/examples/mutual_recursion/why3session.xml000066400000000000000000000074341440160026300226520ustar00rootroot00000000000000






 
 
 
 
 
 
 
 
  
  
  
  
  
  
  
  
  
  
  
  
  
  
   
   
   
   
   
    
    
    
    
    
    
   
   
   
   
   
  
  
 
 
 
 
  
  
  
  
  
  
  
  
  
  
  
  
  
  
   
   
    
    
    
    
    
    
   
   
   
   
   
   
   
   
  
  
 
 



why3-1.6.0/examples/mutual_recursion/why3shapes.gz000066400000000000000000000023141440160026300222620ustar00rootroot00000000000000VۊG}{>eD潯D`KFS3#ixSӧ>|iwq;z8"W^#D|sdn/c_zi21cc^ɈOڎxꝺs?f9;?)c<4XavgnANwx}v[flj\z9nwwŗ_ϧO2= P߿78lv-aN`w/+h)'ddVqsckeY)tؽՖJ5@l_YsWlxksӱF}oOOe^6M]Ŏ4kGb!R=lޝyTmRhWi45jG-7jCՎCbVm͹(Y@9"-B2eT>m^Iz6G R+fp=,nުfwʅ7om﹨7X}PZ>Q}?gצ<,A{CڵӌYY9")xx%x
~Jc;q<E0Vp#x

;\?K_#j&0y*֖R'IBB+QKN:-TS/AE`TY00hU˪ɸ@C-"J.
u9fЃd6:kπ!8In
XP#z)̦KIy!G2+:退R (`H\4Akr2Ɗv\P0VㄓH@)*Հ3\8!bErs(%]2
g`3xkHQ\.)	YJ*\-
2,+"Z哤@8ȅO~$)E0}	HrP0'j"g!B:Nc)_gzaa~)[O)jgxG&5[bd2
 '[dFʆsi$ҙ٢H38WB0`Dtd̕?csvN['*4UR#PJP؀9We	sT&hJS&)o,hAB

  ((Reals.Rbasic_fun.Rabs
    ((1%R -
      (((floating_point.Single.value x) * (floating_point.Single.value x))%R
       * (1 / 2)%R)%R)%R
     - (Reals.Rtrigo_def.cos (floating_point.Single.value x)))%R)
   <= (1 / 16777216)%R)%R.
(* Why3 intros x h1. *)
Proof.
intros x h1.
interval with (i_bisect (Single.value x), i_autodiff (Single.value x)).
Qed.
why3-1.6.0/examples/my_cosine/why3session.xml000066400000000000000000000032051440160026300212270ustar00rootroot00000000000000









 
 
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
 
 



why3-1.6.0/examples/my_cosine/why3shapes.gz000066400000000000000000000006611440160026300206520ustar00rootroot00000000000000TKk1Wl~JLOaa$!]_ڱK@P(ΧF&~5Vű:H Tڊ|f`2ۭ-aR	l:irS-aĺ^a.W[@._ [i" uˣp	cҳwhwQkj{7S;-$y7nN~pNk::4_U\FMq5 !Y4uEЉϒ#Jj
ӪUlm")3= 0 }
  variant { n }
= if n < 2 then n else nist (n-2) + 2 * nist (n-1)

(** {2 Implementation} *)

use ref.Ref

let rec nistonacci (n:int) : int
  requires { n >= 0 }
  variant { n }
  ensures { result = nist n }
= let x = ref 0 in
  let y = ref 1 in
  for i=0 to n-1 do
    invariant { !x = nist i }
    invariant { !y = nist (i+1) }
     let tmp = !x in
     x := !y;
     y := tmp + 2 * !y
  done;
  !x

(** {2 A general lemma on Nistonacci numbers}

  That lemma function is used to prove the lemma `forall n. nist(n) >=
    n` by induction on `n`

*)

(***  (new in Why3 1.0: markdown in comments !) *)

let rec lemma nist_ge_n (n:int)
   requires { n >= 0 }
   variant { n }
   ensures { nist(n) >= n }
= if n >= 2 then begin
  (** recursive call on `n-1`, acts as using the induction
      hypothesis on `n-1` *)
  nist_ge_n (n-1);
  (** let's also use induction hypothesis on `n-2` *)
  nist_ge_n (n-2)
  end


(** test: this can be proved by instantiating the previous lemma *)

goal test : nist 42 >= 17
why3-1.6.0/examples/nistonacci/000077500000000000000000000000001440160026300163545ustar00rootroot00000000000000why3-1.6.0/examples/nistonacci/why3session.xml000066400000000000000000000017271440160026300214030ustar00rootroot00000000000000






 
 
 
 
 
 
 
 
 
 
 
 



why3-1.6.0/examples/nistonacci/why3shapes.gz000066400000000000000000000007711440160026300210210ustar00rootroot00000000000000m[0)򶭇Xe0{z-coa;%I/;%%'7yu;c)͇!-v_[jm	,4˨Tee,
(Lk~vZSyΗb2[)-rXj
!	;ABDl	qe̒P2qwUԕc6ڜ3XNvN#D3O
ƪVLEqEr?vMu1.MYHya1Eqn63+0cTмU~ Õ
F9mRpiTS3UH%ZeZj:̾7;w}#+xm,½^ӯV«7pQ0FA%vPxpWg(Gki0 and a function f such that 0 <= f(i) < i
   for all i in 1..N-1. We define a reachability as follows:
   each integer i in 1..N-1 can be reached from any integer in f(i)..i-1
   in one step.

   The problem is then to compute the distance from 0 to N-1 in O(N).
   Even better, we want to compute this distance, say d, for all i
   in 0..N-1 and to build a predecessor function g such that

      i <-- g(i) <-- g(g(i)) <-- ... <-- 0

   is the path of length d[i] from 0 to i.
*)

module OptimalReplay

  use int.Int
  use ref.Refint
  use array.Array

  val constant n: int
    ensures { 0 < result }

  val function f (k:int): int
    requires { 0 < k < n }
    ensures { 0 <= result < k}

  (* path from 0 to i of distance d *)
  inductive path int int =
  | path0: path 0 0
  | paths: forall i: int. 0 <= i < n ->
           forall d j: int. path d j -> f i <= j < i -> path (d+1) i

  predicate distance (d i: int) =
    path d i /\ forall d': int. path d' i -> d <= d'

  (* function [g] is built into local array [g]
     and ghost array [d] holds the distance *)
  let distance () =
    let g = make n 0 in
    g[0] <- -1; (* sentinel *)
    let ghost d = make n 0 in
    let ghost count = ref 0 in
    for i = 1 to n-1 do
      invariant { d[0] = 0 /\ g[0] = -1 /\ !count + d[i-1] <= i-1 }
      (* local optimality *)
      invariant {
        forall k: int. 0 < k < i ->
           g[g[k]] < f k <= g[k] < k /\
           0 < d[k] = d[g[k]] + 1 /\
           forall k': int. g[k] < k' < k -> d[g[k]] < d[k'] }
      (* could be deduced from above, but avoids induction *)
      invariant { forall k: int. 0 <= k < i -> distance d[k] k }
      let j = ref (i-1) in
      while g[!j] >= f i do
        invariant { f i <= !j < i /\ !count + d[!j] <= i-1 }
        invariant { forall k: int. !j < k < i -> d[!j] < d[k] }
        variant { !j }
        incr count;
        j := g[!j]
      done;
      d[i] <- 1 + d[!j];
      g[i] <- !j
    done;
    assert { !count < n }; (* O(n) is thus ensured *)
    assert { forall k: int. 0 <= k < n -> distance d[k] k } (* optimality *)

end
why3-1.6.0/examples/optimal_replay/000077500000000000000000000000001440160026300172435ustar00rootroot00000000000000why3-1.6.0/examples/optimal_replay/why3session.xml000066400000000000000000000131521440160026300222650ustar00rootroot00000000000000












 
 
 
 
 
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
   
   
    
    
    
    
    
    
   
   
  
  
  
  
  
  
  
  
  
  
  
 
 



why3-1.6.0/examples/optimal_replay/why3shapes.gz000066400000000000000000000062321440160026300217060ustar00rootroot00000000000000\n\}W[ )wKތG2ԚAOIf&-y͵Xu!WO;.nXف]]w~;`ͥǂ|en}	8ߞ?<
6>o~'4<WWiÑf43vP8ƊXrOcTm+4klil~p]߯|_ꤚ
7cw-n[G`3Aa\f;LEddɹK$x/	CO)]qPhLUa1Lcka\2	8#	?LizvTdwpF?VgbG[Wvn7Cq8!OW2N,$#-̂"CԀ(:.4uTCslS2I^]~(iH@HRC~ɣyK0ůE(Ǣ_Tx8A 9+I-D5
F#FKUQN)(oȃ׀=l+z&gz}IL
F%1iXXE:XX3V5jծU7bMXª+EVՐMcսJ#yêgŪeFѰ*EǸ>܇\ĺ_nyNh̀%$~
-
ᄔG8:[f?}D,6jK+\qR6cwCsQVB^YgK55.RDIBG8!UGjjUP's$
nRF-	w{Wft,	ֿCoIMSO/w[8&,<=M{ԅ=i`TS8^;KGat/C
79հXͤZ9L͋hojo[¹R[JtL~֤}1DZo+b3;K`Ցz-Z$ٷS妺TcJiV#Dꩋ.4V7R@4R󒺜gvRKSubgM5MSR֩.jSQu.
ҔMkZ3qF!]k5&7`pݦ5f3iԥVΖj-DָQk.'}!o씇䲍je	ɨ0elI'˶Y'M'Π7I'sćjb~f&?ΟQZ*'WX(JoZ{	0@}\)QMYt
Px_@'BiBҋQ$S\HEYԛA&<ۓEU,+ˁ.G*SZrA?5oRo+E(F5Ezo'DDMD$
no_<o
c-Gr6ǫv~;.Bіof2ޭ_L7]ynʨ?&W8yc"\ކK>h>TCsnW2*	xѷXy'yB+B^x1+ر_Ѿ ˥-F 1aS>u5aMqTq:c糤I=Gl)O*?|/WB{
Ṽ.acWj2o\LR'%Xͼ+80A#	rhM5	@ݻS:R4uq|aONS{
N)\e|~KH5-a0wn	T-ak)y_lh'Wݛ^'W36KxrtԗӖMEq_'O,0rN'/g]w|KSGsUy		Ks@w,peja?82zj̣ޢыZ`njY	Aiy+WB)ٔXs
0Iw-+۔Y`RʰuQmjܺZsag3ךz`f(iL.88'^pMl|7=w1;Y8vJm~,fva^Bnc.䜚R^ek[06f>RSAM%p7`^p+tXtXn"t%*iS"^sm5WV\D BrEnhCrC-E{\,b
VlEcyv*#ƀk]&6mt"zhiFiVx*Z! 0;!EƼ[=[[^pj*N6'pmNkp*.!$4UO9gf]W5	W(#cj%EFh* S>a-ۢba7%m\٧Zh9d:p[4;jbх%(^#0~E.5TۆXaq+3l1:q1j‚TZ4ڇA:l^m2 jQ>/yUBF520JTpt
tB}ϡi;J%"WU'^iA	Pj"P8DItjW#Lwhy3-1.6.0/examples/pairing_heap.mlw000066400000000000000000000212521440160026300173730ustar00rootroot00000000000000
(** Pairing heaps (M. Fredman, R. Sedgewick, D. Sleator, R. Tarjan, 1986).

    Purely applicative implementation, following Okasaki's implementation
    in his book "Purely Functional Data Structures" (Section 5.5).

    Author: Mário Pereira (Université Paris Sud)
*)

module Heap

  use int.Int

  type elt
  val predicate le elt elt

  clone relations.TotalPreOrder with
    type t = elt, predicate rel = le, axiom .

  type heap

  function size heap : int

  function occ elt heap : int

  predicate mem (x: elt) (h: heap) = occ x h > 0

  function minimum heap : elt

  predicate is_minimum (x: elt) (h: heap) =
    mem x h && forall e. mem e h -> le x e

  axiom min_def:
    forall h. 0 < size h -> is_minimum (minimum h) h

  val constant empty : heap
    ensures { size result = 0 }
    ensures { forall x. occ x result = 0 }

  val is_empty (h: heap) : bool
    ensures { result <-> size h = 0 }

  val size (h: heap) : int
    ensures { result = size h }

  val merge (h1 h2: heap) : heap
    ensures { forall x. occ x result = occ x h1 + occ x h2 }
    ensures { size result = size h1 + size h2 }

  val insert (x: elt) (h: heap) : heap
    ensures { occ x result = occ x h + 1 }
    ensures { forall y. y <> x -> occ y h = occ y result }
    ensures { size result = size h + 1 }

  val find_min (h: heap) : elt
    requires { size h > 0 }
    ensures  { result = minimum h }

  val delete_min (h: heap) : heap
    requires { size h > 0 }
    ensures  { let x = minimum h in occ x result = occ x h - 1 }
    ensures  { forall y. y <> minimum h -> occ y result = occ y h }
    ensures  { size result = size h - 1 }

end

module HeapType

  use list.List

  type elt

  type raw_heap = E | H tree
  with tree     = T elt (list tree)

end

module Size

  use HeapType
  use int.Int
  use list.List

  function size_heap (h: raw_heap) : int = match h with
    | E -> 0
    | H t -> size_tree t
    end
  with size_tree (t: tree) : int = match t with
    | T _ l -> 1 + size_list l
    end
  with size_list (l: list tree) : int = match l with
    | Nil -> 0
    | Cons t l -> size_tree t + size_list l
    end

  let rec lemma size_nonneg (h: raw_heap)
    ensures { size_heap h >= 0 }
    variant { h }
  = match h with
    | E -> ()
    | H t -> size_tree_nonneg t
    end
  with lemma size_tree_nonneg (t: tree)
    ensures { size_tree t >= 0 }
    variant { t }
  = match t with T _ l -> size_list_nonneg l end
  with lemma size_list_nonneg (l: list tree)
    ensures { size_list l >= 0 }
    variant { l }
  = match l with
    | Nil -> ()
    | Cons t r ->
       size_tree_nonneg t; size_list_nonneg r
    end

  let lemma size_empty (h: raw_heap)
    ensures { size_heap h = 0 <-> h = E }
  = match h with
    | E -> ()
    | H t -> size_tree_nonneg t
    end

end

module Occ

  use HeapType
  use int.Int
  use list.List

  function occ_heap (x: elt) (h: raw_heap) : int = match h with
    | E -> 0
    | H t -> occ_tree x t
    end
  with occ_tree (x: elt) (t: tree) : int = match t with
    | T e l -> (if x = e then 1 else 0) + occ_list x l
    end
  with occ_list (x: elt) (l: list tree) : int = match l with
    | Nil -> 0
    | Cons t r -> occ_tree x t + occ_list x r
    end

  let rec lemma occ_nonneg (x: elt) (h: raw_heap)
    ensures { occ_heap x h >= 0 }
    variant { h }
  = match h with
    | E -> ()
    | H t -> occ_tree_nonneg x t
    end
  with lemma occ_tree_nonneg (x: elt) (t: tree)
    ensures { occ_tree x t >= 0 }
    variant { t }
  = match t with T _ l -> occ_list_nonneg x l end
  with lemma occ_list_nonneg (x: elt) (l: list tree)
    ensures { occ_list x l >= 0 }
    variant { l }
  = match l with
    | Nil -> ()
    | Cons t r ->
       occ_tree_nonneg x t; occ_list_nonneg x r
    end

  predicate mem (x: elt) (h: raw_heap) =
    0 < occ_heap x h

  predicate mem_tree (x: elt) (t: tree) =
    0 < occ_tree x t

  predicate mem_list (x: elt) (l: list tree) =
    0 < occ_list x l

end

module PairingHeap

  use int.Int
  use export HeapType
  use export Size
  use export Occ
  use list.List
  use list.Length

  val predicate le elt elt
  clone relations.TotalPreOrder with
    type t = elt, predicate rel = le, axiom .

  (* [e] is no greater than the root of [h], if any *)
  predicate le_tree (e: elt) (t: tree) = match t with
    | T x _ -> le e x
    end

  predicate le_root (e: elt) (h: raw_heap) = match h with
    | E -> true
    | H t -> le_tree e t
    end

  lemma le_root_trans:
    forall x y h. le x y -> le_root y h -> le_root x h

  (* [e] is no greater than the roots of the trees in [l] *)
  predicate le_roots (e: elt) (l: list tree) = match l with
    | Nil -> true
    | Cons t r -> le_tree e t && le_roots e r
    end

  lemma le_roots_trans:
    forall x y l. le x y -> le_roots y l -> le_roots x l

  predicate heap (h: raw_heap) = match h with
    | E -> true
    | H t -> heap_tree t
    end
  with heap_tree (t: tree) = match t with
    | T x l -> le_roots x l && heap_list l
    end
  with heap_list (l: list tree) = match l with
    | Nil -> true
    | Cons t r -> heap_tree t && heap_list r
    end

  type heap = { h: raw_heap }
    invariant { heap h }
    by { h = E }

  function size (hh: heap) : int = size_heap hh.h
  function occ (e: elt) (hh: heap) : int = occ_heap e hh.h

  let rec lemma heap_mem (h: raw_heap)
    requires { heap h }
    variant  { h }
    ensures  { forall x. le_root x h -> forall y. mem y h -> le x y }
  = match h with
    | E -> ()
    | H t -> heap_mem_tree t
    end
  with heap_mem_tree (t: tree)
    requires { heap_tree t }
    variant  { t }
    ensures  { forall x. le_tree x t -> forall y. mem_tree y t -> le x y }
  = match t with T _ l -> heap_mem_list l end
  with heap_mem_list (l: list tree)
    requires { heap_list l }
    variant  { l }
    ensures  { forall x. le_roots x l -> forall y. mem_list y l -> le x y }
  = match l with
    | Nil -> ()
    | Cons t r ->
       heap_mem_tree t;
       heap_mem_list r
    end

  predicate is_minimum_tree (x: elt) (t: tree) =
    mem_tree x t && forall e. mem_tree e t -> le x e

  predicate is_minimum (x: elt) (h: raw_heap) =
    mem x h && forall e. mem e h -> le x e

  function minimum_tree tree : elt
  axiom minimum_tree_def: forall x l. minimum_tree (T x l) = x

  function minimum raw_heap : elt
  axiom minimum_def: forall t. minimum (H t) = minimum_tree t

  function minimum_heap (hh: heap) : elt =
    minimum hh.h

  let lemma root_is_minimum (h: raw_heap)
    requires { 0 < size_heap h }
    requires { heap h }
    ensures  { is_minimum (minimum h) h }
  = match h with
    | E -> absurd
    | H (T e l) -> occ_list_nonneg e l
    end

  let constant empty : heap = { h = E }
    ensures { size_heap result.h = 0 }
    ensures { forall e. not (mem e result.h) }

  let is_empty (hh: heap) : bool
    ensures { result <-> size_heap hh.h = 0 }
  = match hh.h with E -> true | _ -> false end

  let merge (h1 h2: heap) : heap
    ensures  { size_heap result.h = size_heap h1.h + size_heap h2.h }
    ensures  { forall x. occ_heap x result.h
                       = occ_heap x h1.h + occ_heap x h2.h }
  = match h1.h, h2.h with
    | E, h | h, E -> { h = h }
    | H (T x1 l1), H (T x2 l2) ->
       if le x1 x2 then
         { h = H (T x1 (Cons (T x2 l2) l1)) }
       else
         { h = H (T x2 (Cons (T x1 l1) l2)) }
    end

  let insert (x: elt) (hh: heap) : heap
    ensures  { size_heap result.h = size_heap hh.h + 1 }
    ensures  { occ_heap x result.h = occ_heap x hh.h + 1 }
    ensures  { forall y. x <> y -> occ_heap y result.h = occ_heap y hh.h }
  = merge { h = H (T x Nil) } hh

  let find_min (hh: heap) : elt
    requires { 0 < size_heap hh.h }
    ensures  { result = minimum hh.h }
  = match hh.h with
    | E -> absurd
    | H (T x _) -> x
    end

  let rec merge_pairs (l: list tree) : heap
    requires { heap_list l }
    ensures  { size_heap result.h = size_list l }
    ensures  { forall x. occ_heap x result.h = occ_list x l }
    variant  { length l }
  = match l with
    | Nil -> { h = E }
    | Cons t Nil -> { h = H t }
    | Cons t1 (Cons t2 r) ->
       let h1 = { h = H t1 } in
       let h2 = { h = H t2 } in
       merge (merge h1 h2) (merge_pairs r)
    end

  let delete_min (hh: heap) : heap
    requires { 0 < size_heap hh.h }
    ensures  { occ_heap (minimum hh.h) result.h =
               occ_heap (minimum hh.h) hh.h - 1 }
    ensures  { forall y. y <> minimum hh.h ->
                 occ_heap y result.h = occ_heap y hh.h }
    ensures  { size_heap result.h = size_heap hh.h - 1 }
  = match hh.h with
    | E -> absurd
    | H (T _ l) ->
       merge_pairs l
    end

end

module Correct

  use PairingHeap
  use Size

  clone Heap with
    type elt, type heap, val le,
    function size, function occ,
    function minimum = minimum_heap,
    val empty,  val is_empty, val merge,
    val insert, val find_min, val delete_min

endwhy3-1.6.0/examples/pairing_heap/000077500000000000000000000000001440160026300166505ustar00rootroot00000000000000why3-1.6.0/examples/pairing_heap/why3session.xml000066400000000000000000000265031440160026300216760ustar00rootroot00000000000000







 
 
 


 
 
 
 
 
 
 
 
 
 
 
 


 
 
 
 
 
 
 
 
 


 
 
 
 
 
  
  
  
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
  
  
  
  
  
  
 
 
 
 
 
 
 
 
 
 
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
   
   
   
   
   
   
   
   
   
   
   
   
  
  
  
  
   
   
   
   
   
   
   
   
   
   
   
   
  
  
 
 
 
 
 
 
 
 
 
 
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
   
   
   
   
   
   
   
   
   
  
  
  
  
   
   
   
   
   
   
   
   
   
  
  
 
 
 
 
  
  
  
  
  
  
  
  
   
   
   
  
  
  
  
   
   
   
  
  
  
  
  
 
 


 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 



why3-1.6.0/examples/pairing_heap/why3shapes.gz000066400000000000000000000106011440160026300213060ustar00rootroot00000000000000Z]o#7}ׯN\L06J}	AXձӝ{HdfH*?~}__q_kSYbS~K=o]~e0o_^o?"z}z17`TW`߮e|}sٖ>?$gmnK,`=)K˿u~y=jΣrO==U}|oGuؾ<#ƕ(Oyͱ~T[LKr]+'ot/\r;ޭd[	)OΑ9b.r؞An)4ue~YM&9uC.=3?/~`nU}񹖀I9,בnftbA',wJ ,?/q'~W[=Q0W(MOR)`{ҍM5$y㚻CP׈~1FN!xr!a+T	G+5kC&`#{q,d]XJX:g*l-7~A/C]1&*rq.1ܧx	|z*㛉98p4OL|~eH<۪TVbY-A]Y_'Vn_yx|8		JM͔StI5Ý]\3]p;mN0zd4cF/up=:ngںf#[`GZ˷=<"zMKB~)]{QSq{LF?О4?D	4nJB{
ѯDϞKzD, ۗ[۷oiFڅw~MBِ/O?=674y|NI2N׵-j-/b3u};:d[|5W.H'u畤qu+0|\ݪ&V)[=j ytۿזi^%zR܌
r]_޾	Kׅ%X.T]W}.qW{DV8os!'Es6}b#?/{rW-Wh9m3ʦِoW#*CQߋ?D椺/X^+%ݗOEfC˧) |i
Pje#1[i?@|`X?HϿ=5>=bGRDOgmZ;*ߵP=w5~;̵~PǢ`5-`qOdxIh9q,ɖ3>bչԭ٦9;'
g0!O_,c1Ɂ8qGtlؐ{0ݘnan{73¼|.zL7<>O\ /w5MZ?w@7
;t|H;C`nAChI%NQ9jjuq긋#-fS)J=3R5?-$_NSŔ!\O)!8<fC	yq4;t7tb_A#l3e\m)B++ZٍVK`e|J`g^ru1S3)4^ۦ4[g+fғ0N1i=:f0=qA5kT36/]3B;$$~֞I75;y
q	t-
bc_jt{kwٛ>:BƔB,U.}RE-F<}-(R^?
ft`lg0^`l!̸?;w.JYTfe4ATsŌYywZn+J&*sHst|:ىwԱUA!0֑sCkʎ[υ$2tNj┭Xή(3slR5p#"|D)v4pi5TG#_̕aH&d;20H.6dsq;$_s֑[ioXb,$Ϧp䃒&;`!DFG| 2Λ5ߙPcdt1@<	715h	h`+:{=3Y,\$}^957#b*Y	/9ځؘsl	q7ەK;.=2o>Ub-D'rW'+'e'.HPG@61('tty-m'M'l'`xIR^6#øk):;Idpghat=QLekC2l-u'/K5Y	+Sajf 4g]+))zZ4h63rmLg&Hj&5b۝R9B^+)0FBpҢӼtCq*AŔCPPLMs5axCX"=$bF٠Ds/^4)PΙhQP[R4LGay6Kcsp
JUahU!UQa} ;#Y9%O
LZ̙aJO㸡sQq靣S~/!!1pXKHgED	S}5ב7ˠ?Hw9u^Lh"
QdBn#m%ᩄRg/J͓qj`,))T,P}.=jWrrPEgZp[Kf. d$j 2+ibNi2~b TK{V2ḧIܶLZYs7nʊ4pcdc5auGcu29oL\	q}#`xPuEUXB0hznݰZh)LZG^HI'
	
YAe
`=i4.&p]p\Hƭd[(xG@~0=ga;++vs]YL3#%ȁ%
w^uV0$sF7
*pHĤ	XܠɄtB(WSa:D
6%q{,TS,>@";8'Ա&,'SDu!&@f@i%}TZB
)a*T5Ǽ͡:E+^-eh 0

  function minimum heap : elt

  predicate is_minimum (x: elt) (h: heap) =
    mem x h && forall e. mem e h -> le x e

  axiom min_def:
    forall h. 0 < size h -> is_minimum (minimum h) h

  val constant empty : heap
    ensures { size result = 0 }
    ensures { forall x. occ x result = 0 }

  val is_empty (h: heap) : bool
    ensures { result <-> size h = 0 }

  val size (h: heap) : int
    ensures { result = size h }

  val merge (h1 h2: heap) : heap
    ensures { forall x. occ x result = occ x h1 + occ x h2 }
    ensures { size result = size h1 + size h2 }

  val insert (x: elt) (h: heap) : heap
    ensures { occ x result = occ x h + 1 }
    ensures { forall y. y <> x -> occ y h = occ y result }
    ensures { size result = size h + 1 }

  val find_min (h: heap) : elt
    requires { size h > 0 }
    ensures  { result = minimum h }

  val delete_min (h: heap) : heap
    requires { size h > 0 }
    ensures  { let x = minimum h in occ x result = occ x h - 1 }
    ensures  { forall y. y <> minimum h -> occ y result = occ y h }
    ensures  { size result = size h - 1 }

end

module HeapType

  use bintree.Tree

  type elt
  type heap = E | T elt (tree elt)

end

module Size

  use HeapType
  use int.Int
  use bintree.Tree
  use bintree.Size as T

  let function size (h: heap) : int = match h with
    | E -> 0
    | T _ r -> 1 + T.size r
    end

  let lemma size_nonneg (h: heap) : unit
    ensures { size h >= 0 }
  = match h with
    | E -> ()
    | T _ r -> assert { T.size r >= 0 }
    end

  lemma size_empty: forall h.
    size h = 0 <-> h = E

end

module Occ

  use HeapType
  use int.Int
  use bintree.Tree
  use bintree.Occ as T

  function occ (x: elt) (h: heap) : int = match h with
    | E -> 0
    | T e r -> (if x = e then 1 else 0) + T.occ x r
    end

  let lemma occ_nonneg (x: elt) (h: heap) : unit
    ensures { occ x h >= 0 }
  = match h with
    | E -> ()
    | T _ r -> assert { T.occ x r >= 0 }
    end

  predicate mem (x: elt) (h: heap) =
    0 < occ x h

end

module PairingHeap

  use int.Int
  use bintree.Tree
  use bintree.Occ as T
  use bintree.Size as TS
  use HeapType
  use Size
  use Occ

  val predicate le elt elt
  clone relations.TotalPreOrder with
    type t = elt, predicate rel = le, axiom .

  predicate le_root (e: elt) (h: heap) = match h with
    | E -> true
    | T x _ -> le e x
    end

  lemma le_root_trans:
    forall x y h. le x y -> le_root y h -> le_root x h

  predicate le_root_tree (e: elt) (t: tree elt) = match t with
    | Empty -> true
    | Node _ x r -> le e x && le_root_tree e r
    end

  lemma le_root_tree_trans:
    forall x y t. le x y -> le_root_tree y t -> le_root_tree x t

  predicate heap_tree (t: tree elt) = match t with
    | Empty -> true
    | Node l x r -> le_root_tree x l && heap_tree l && heap_tree r
    end

  predicate heap (h: heap) = match h with
    | E -> true
    | T x r -> le_root_tree x r && heap_tree r
    end

  function minimum (h: heap) : elt
  axiom minimum_def: forall x r. minimum (T x r) = x

  predicate is_minimum (x: elt) (h: heap) =
    mem x h && forall e. mem e h -> le x e

  let rec lemma mem_heap_tree (t: tree elt)
    requires { heap_tree t }
    ensures  { forall x. le_root_tree x t -> forall y. T.mem y t -> le x y }
    variant  { t }
  = match t with
    | Empty -> ()
    | Node l _ r ->
       mem_heap_tree l;
       mem_heap_tree r
    end

  let lemma mem_heap (h: heap)
    requires { heap h }
    ensures  { forall x. le_root x h -> forall y. mem y h -> le x y }
  = match h with
    | E -> ()
    | T _ r -> mem_heap_tree r
    end

  lemma root_is_minimum: forall h.
    heap h -> 0 < size h -> is_minimum (minimum h) h

  let constant empty : heap = E
    ensures { heap result }
    ensures { size result = 0 }
    ensures { forall e. not (mem e result) }

  let is_empty (h: heap) : bool
    ensures { result <-> size h = 0 }
  = match h with E -> true | _ -> false end

  let size (h: heap) : int
    ensures { result = size h }
  = size h

  let merge (h1 h2: heap) : heap
    requires { heap h1 && heap h2 }
    ensures  { heap result }
    ensures  { size result = size h1 + size h2 }
    ensures  { forall x. occ x result = occ x h1 + occ x h2 }
  = match h1, h2 with
    | E, h | h, E -> h
    | T x1 r1, T x2 r2 ->
       if le x1 x2 then
         T x1 (Node r2 x2 r1)
       else
         T x2 (Node r1 x1 r2)
    end

  let insert (x: elt) (h: heap) : heap
    requires { heap h }
    ensures  { heap result }
    ensures  { occ x result = occ x h + 1 }
    ensures  { forall y. x <> y -> occ y result = occ y h }
    ensures  { size result = size h + 1 }
  = merge (T x Empty) h

  let find_min (h: heap) : elt
    requires { heap h && 0 < size h }
    ensures  { result = minimum h }
  = match h with
    | E -> absurd
    | T x _ -> x
    end

  let rec merge_pairs (t: tree elt) : heap
    requires { heap_tree t }
    ensures  { heap result }
    ensures  { size result = TS.size t }
    ensures  { forall x. occ x result = T.occ x t }
    variant  { TS.size t }
  = match t with
    | Empty -> E
    | Node l x Empty -> T x l
    | Node l x (Node l2 y r) ->
       let h = T x l in
       let h' = T y l2 in
       merge (merge h h') (merge_pairs r)
    end

  let delete_min (h: heap) : heap
    requires { heap h && 0 < size h }
    ensures  { heap result }
    ensures  { occ (minimum h) result = occ (minimum h) h - 1 }
    ensures  { forall e. e <> minimum h -> occ e result = occ e h }
    ensures  { size result = size h - 1 }
  = match h with
    | E -> absurd
    | T _ l -> merge_pairs l
    end

end
why3-1.6.0/examples/pairing_heap_bin/000077500000000000000000000000001440160026300175005ustar00rootroot00000000000000why3-1.6.0/examples/pairing_heap_bin/why3session.xml000066400000000000000000000076321440160026300225300ustar00rootroot00000000000000









 
 
 


 
 
 
 
 
 


 
 
 


 
 
 
 
 
  
  
  
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 



why3-1.6.0/examples/pairing_heap_bin/why3shapes.gz000066400000000000000000000030351440160026300221410ustar00rootroot00000000000000Vn6}Wݢ9-`1dؾz
Hj
lm~})N6P4uϿ3==~t1]/bpҠwa0{?8DXb3tS?ID9ۦ䘿5b{_BeC" aK/$+\Ȧ%?k$Z"2`3,a)S{z|<10v,̼`mn$R%Eeoܴu.r4_A"TA2=9:e>
 bȾr[i͵+Y97XmD':vhVbau(3	"::#KtnW/w36n1|WN(|"/!
Ĭ'̳n"rvo=[L̙ʋk|$I&}Tyٜ}ZWNHHy?=s40٣F:|hpSo?,2,5J}ckToJ*pkǢ(xy&P34oꐟe0"vׇŌN!//n&sTK:Z؆fP?spF7(:g6-"^E梽`+>G|1m;Kp1ŒM.T3]\ƶIC>Y׽|Rjf홓TU)"+TW뱃MLJ1B-[G@egXOץdR
$\$@}~%;-0{ȸHtV2ud.,ذH
-g
E[-1cNsH*Y
4DaԔtԫ{e/6)&tJIkqL7r}8!H2$&uIѻnLQ QG\
1uB屓Tn`)d8s8
W-{B-?Q`e3[jL:DfrFD!

\bd-f{iz/m%+;!+2@Oܐ൚(YǸ;F!$CvW"IGep7&ÈN4iC|{L8M&oztbJv`z=W#ĉFGH
c!7!S[f#I?&
h$gߡQYW%&J
3E{"h3i^Nf2B@E>)uH=7qNJbKF2Oyf&&NU\e03Z&Xwhy3-1.6.0/examples/pancake_sorting.mlw000066400000000000000000000035141440160026300201150ustar00rootroot00000000000000
(** {1 Pancake sorting}

   See {h Pancake
   sorting}.

   Author: Jean-Christophe Filliâtre (CNRS)
*)

use mach.int.Int
use ref.Ref
use array.Array
use array.ArraySwap
use array.ArrayPermut

(** We choose to have the bottom of the stack of pancakes at `a[0]`.
    So it means we sort the array in reverse order. *)

predicate sorted (a: array int) (hi: int) =
  forall j1 j2. 0 <= j1 <= j2 < hi -> a[j1] >= a[j2]

(** Insert the spatula at index `i` and flip the pancakes *)
let flip (a: array int) (i: int)
  requires { 0 <= i < length a }
  ensures  { forall j. 0 <= j < i        -> a[j] = (old a)[j] }
  ensures  { forall j. i <= j < length a -> a[j] = (old a)[length a -1-(j-i)] }
  ensures  { permut_all (old a) a }
= let n = length a in
  for k = 0 to (n - i) / 2 - 1 do
    invariant { forall j. 0   <= j < i   -> a[j] = (old a)[j]     }
    invariant { forall j. i   <= j < i+k -> a[j] = (old a)[n-1-(j-i)] }
    invariant { forall j. i+k <= j < n-k -> a[j] = (old a)[j]     }
    invariant { forall j. n-k <= j < n   -> a[j] = (old a)[n-1-(j-i)] }
    invariant { permut_all (old a) a }
    swap a (i + k) (n - 1 - k)
  done

let pancake_sort (a: array int)
  ensures { sorted a (length a) }
  ensures { permut_all (old a) a }
= for i = 0 to length a - 2 do
    invariant { sorted a i }
    invariant { forall j1 j2. 0 <= j1 < i <= j2 < length a -> a[j1] >= a[j2] }
    invariant { permut_all (old a) a }
    (* 1. look for the maximum of a[i..] *)
    let m = ref i in
    for k = i + 1 to length a - 1 do
      invariant { i <= !m < length a }
      invariant { forall j. i <= j < k -> a[j] <= a[!m] }
      if a[k] > a[!m] then m := k
    done;
    (* 2. then flip the pancakes to put it at index i *)
    if !m = i then continue;
    if !m < length a - 1 then flip a !m;
    flip a i
  done
why3-1.6.0/examples/pancake_sorting/000077500000000000000000000000001440160026300173715ustar00rootroot00000000000000why3-1.6.0/examples/pancake_sorting/why3session.xml000066400000000000000000000173071440160026300224210ustar00rootroot00000000000000






 
 
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
 
 
 
 
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
 
 



why3-1.6.0/examples/pancake_sorting/why3shapes.gz000066400000000000000000000062111440160026300220310ustar00rootroot00000000000000Xn7}X6 , !Oy]lv@}:|?os}·cxwҋ$.ԏb?M>_D,uD<PjD
h'bs&P_OBU(Bn/f}~K(“WiosuvwcSHԊjpr@guoYz1yYٖpm~BCȿO\܉7hpK䃂-L
cT1SNVs"z|[9@sJ׫ܨ:r.S@̲x=9]&mDZ8vȆ`ߒ_/Tw35W~(+_wO*U֭AmВK:lLm`.Z{
Uh
vO-lqקpk]'4OoQv-4M
cK7HVU$OvH6ejTIu=;[Ck
ͨ4*2"s-bx(U;r)&a	F=n?)_/˝Uv'[E"<(/'1)&Y/V&U)ڪcFHZ	FIZĸMA."KL}_'!WK/Z`6'o*|8˫]5[^)wb8P=Pjmm.6LN{zGx=nS눐fqfUL+O4ɥ8|9߯f*1y{x=~\_|hLandc%lVCјٚOJP&ڣγ%YmLɮxrccbF[
s4@ܬ˻e`Risbpp 7_7eZݴS~f%~݃=;hFe3}e6XyzI%ҎhGK5BAߞE%TWRԎTޅѮ,=Y$W\6Ûk,\rSȚPgf,7ղB
ЗӲv}ևLfy=N%Vr%$rl!KHd%2SB.*]9yyVɓÞ1;s~x:W~0ӽbC%y2r .F%Le~EXA"W_'3Ƅ@L77fݓ+Ko)efж'3ajMWma6xrP]w;z㩡u˅-zض4-墴aib4d	74ss܎ַ;\o<	u+Q=-gWKrΖvr4/A2A,u	GG	q%8u|.9pKgu.Ze}ç]js!mpH5v"%Z6\7
W7D
zڻDmejx}A -%7AVr[SX|6߲z8x'\֔>9rr?A-uhRCXYeuЋ!<][>;aU:ۙNwn:eDSbH85@	ԑ$3hO>J
@C6^d*Hwr2 "QpLfkè	6kIUB$V|z-XH$QQ0H0e>(EǾcHێMǺc1&=4w9bQNPɝqC8+2eXZfUl'M|fI
6ž::ȡ,0QwҽVeiФXz
ֆlH"Eƣ"`;E?sqH9	h5ULz(
lP>:$&/6,#VBf*))ө4G)IJtB2A͝ū8!/6
!(

NY-5%bTDEIhKQxQ鶛B(~0KNp})uD}ٙP!/E]tԡqгFʛ#'h@+6ugTgdE{,F5iH1vSdlr}F2xds&';Oۉ&[㭁1JC:xѧ",;%^"T bF(@,lgMgugk`UTT1RhbQ1㯀9z#RZDɒ)mPZQHZdK/~ّI'g%ZsIgƠ2Ʃuξ/ FE('/lQ9˾?`dv\l7Z"i)!`ϝ΋	m6D%iF4iD=4!
҃H"K
X$I:KVQI:PM9o߈Gu-yJC$?]a;H݈Iy +Wڥ(
m܃VH$YP>	UrU
$@Ə(_5e`YK"е0F/5~ߦ݃L"!h4i/oTړ(wւIjv"4;WW[!SoK6&	L	Verified Software
Competition 2014}

Patience Solitaire is played by taking cards one-by-one from a deck of
cards and arranging them face up in a sequence of stacks arranged from
left to right as follows. The very first card from the deck is kept
face up to form a singleton stack. Each subsequent card is placed on
the leftmost stack where its card value is no greater than the topmost
card on that stack. If there is no such stack, then a new stack is
started to right of the other stacks. We can do this with positive
numbers instead of cards. If the input sequence is 9, 7, 10, 9, 5, 4,
and 10, then the stacks develop as

{h 
    }
<[[9]]>
<[[7, 9]]>
<[[7, 9]], [[10]]>
<[[7, 9]], [[9, 10]]>
<[[5, 7, 9]], [[9, 10]]>
<[[4, 5, 7, 9]], [[9, 10]]>
<[[4, 5, 7, 9]], [[9, 10]], [[10]]>
{h 
    }

Verify the claim is that the number of stacks at the end of the game
is the length of the longest (strictly) increasing subsequence in the
input sequence.


*)



(** {2 Preliminary: pigeon-hole lemma} *)


module PigeonHole

(** The Why standard library provides a lemma
    `map.MapInjection.injective_surjective` stating that a map from
    `(0..n-1)` to `(0..n-1)` that is an injection is also a
    surjection.

    This is more or less equivalent to the pigeon-hole lemma. However, we need such a lemma more generally on functions instead of maps.

    Thus we restate the pigeon-hole lemma here. Proof is left as an exercise.

*)

  use int.Int

  predicate range (f: int -> int) (n: int) (m:int) =
    forall i: int. 0 <= i < n -> 0 <= f i < m
  (** `range f n m` is true when `f` maps the domain
      `(0..n-1)` into `(0..m-1)` *)

  predicate injective (f: int -> int) (n: int) =
    forall i j: int. 0 <= i < j < n -> f i <> f j
  (** `injective f n m` is true when `f` is an injection
      from `(0..n-1)` to `(0..m-1)` *)




(*
  lemma pigeon_hole2:
    forall n m:int, f: int -> int.
      range f n m /\ n > m >= 0 ->
        not (injective f n m)
*)




  exception Found

  function shift (f: int -> int) (i:int) : int -> int =
    fun k -> if k < i then f k else f (k+1)

  let rec lemma pigeon_hole (n m:int) (f: int -> int)
    requires { range f n m }
    requires { n > m >= 0 }
    variant  { m }
    ensures  { not (injective f n) }
  =
      for i = 0 to n-1 do
        invariant { forall k. 0 <= k < i -> f k <> m-1 }
        if f i = m-1 then begin
          (* we have found index i such that f i = m-1 *)
          for j = i+1 to n-1 do
            invariant { forall k. i < k < j -> f k <> m-1 }
          (* we know that f i = f j = m-1 hence we are done *)
            if f j = m-1 then return
          done;
          (* we know that for all k <> i, f k <> m-1 *)
          let g = shift f i in
          assert { range g (n-1) (m-1) };
          pigeon_hole (n-1) (m-1) g;
          return
        end
      done;
      (* we know that for all k, f k <> m-1 *)
      assert { range f n (m-1) };
      pigeon_hole n (m-1) f

end




(** {2 Patience idiomatic code} *)


module PatienceCode

  use int.Int
  use list.List
  use list.RevAppend

  (** this code was the one written initially, without any
      specification, except for termination, ans unreachability
      of the 'absurd' branch'.

      It can be tested, see below. *)

  type card = int

  (** stacks are well-formed if they are non-empty *)
  predicate wf_stacks (stacks: list (list card)) =
    match stacks with
    | Nil -> true
    | Cons Nil _ -> false
    | Cons (Cons _ _) rem -> wf_stacks rem
    end

  (** concatenation of well-formed stacks is well-formed *)
  let rec lemma wf_rev_append_stacks (s1 s2: list (list int))
    requires { wf_stacks s1 }
    requires { wf_stacks s2 }
    variant { s1 }
    ensures { wf_stacks (rev_append s1 s2) }
  = match s1 with
    | Nil -> ()
    | Cons Nil _ -> absurd
    | Cons s rem -> wf_rev_append_stacks rem (Cons s s2)
    end

  (** `push_card c stacks acc` pushes card `c` on stacks `stacks`,
      assuming `acc` is an accumulator (in reverse order) of stacks
      where `c` could not be pushed.
  *)
  let rec push_card (c:card) (stacks : list (list card))
     (acc : list (list card)) : list (list card)
    requires { wf_stacks stacks }
    requires { wf_stacks acc }
    variant  { stacks }
    ensures  { wf_stacks result }
  =
    match stacks with
    | Nil ->
      (* we put card `c` in a new stack *)
      rev_append (Cons (Cons c Nil) acc) Nil
    | Cons stack remaining_stacks ->
        match stack with
        | Nil -> absurd (* because `wf_stacks stacks` *)
        | Cons c' _ ->
           if c <= c' then
             (* card is placed on the leftmost stack where its card
                value is no greater than the topmost card on that
                stack *)
             rev_append (Cons (Cons c stack) acc) remaining_stacks
           else
             (* try next stack *)
             push_card c remaining_stacks (Cons stack acc)
        end
     end

  let rec play_cards (input: list card) (stacks: list (list card))
    : list (list card)
    requires { wf_stacks stacks }
    variant { input }
    ensures  { wf_stacks result }
  =
    match input with
    | Nil -> stacks
    | Cons c rem ->
        let stacks' = push_card c stacks Nil in
        play_cards rem stacks'
    end


  let play_game (input: list card) : list (list card) =
    play_cards input Nil


  (** test, can be run using `why3 patience.mlw --exec PatienceCode.test` *)
  let test () =
    (** the list given in the problem description
       9, 7, 10, 9, 5, 4, and 10 *)
    play_game
      (Cons 9 (Cons 7 (Cons 10 (Cons 9 (Cons 5 (Cons 4 (Cons 10 Nil)))))))

end


(** {2 Abstract version of Patience game} *)

module PatienceAbstract

  use int.Int

(** To specify the expected property of the Patience game, we first
    provide an abstract version, working on a abstract state that
    includes a lot of information regarding the positions of the cards
    in the stack and so on.

    This abstract state should then be including in the real code as a
    ghost state, with a gluing invariant that matches the ghost state
    and the concrete stacks of cards.

*)


  type card = int

  (** {3 Abstract state} *)

  use map.Map
  use map.Const

  type state = {
    ghost mutable num_stacks : int;
    (** number of stacks built so far *)
    ghost mutable num_elts : int;
    (** number of cards already seen *)
    ghost mutable values : map int card;
    (** cards values seen, indexed in the order they have been seen,
        from `0` to `num_elts-1` *)
    ghost mutable stack_sizes : map int int;
    (** sizes of these stacks, numbered from `0` to `num_stacks - 1` *)
    ghost mutable stacks : map int (map int int);
    (** indexes of the cards in respective stacks *)
    ghost mutable positions : map int (int,int);
    (** table that given a card index, provides its position, i.e. in
        which stack it is and at which height *)
    ghost mutable preds : map int int;
    (** predecessors of cards, i.e. for each card index `i`, `preds[i]`
        provides an index of a card in the stack on the immediate left,
        whose value is smaller. Defaults to `-1` if the card is on the
        leftmost stack. *)
  }

(** {3 Invariants on the abstract state} *)

  predicate inv (s:state) =
     0 <= s.num_stacks <= s.num_elts
     (** the number of stacks is less or equal the number of cards *)
  /\ (s.num_elts > 0 -> s.num_stacks > 0)
     (** when there is at least one card, there is at least one stack *)
  /\ (forall i. 0 <= i < s.num_stacks ->
         s.stack_sizes[i] >= 1
         (** stacks are non-empty *)
      /\ forall j. 0 <= j < s.stack_sizes[i] ->
           0 <= s.stacks[i][j] < s.num_elts)
         (** contents of stacks are valid card indexes *)
  /\ (forall i. 0 <= i < s.num_elts ->
       let is,ip = s.positions[i] in
       0 <= is < s.num_stacks &&
       let st = s.stacks[is] in
         0 <= ip < s.stack_sizes[is] &&
         st[ip] = i)
     (** the position table of cards is correct, i.e. when
        `(is,ip) = s.positions[i]` then card `i` indeed
        occurs in stack `is` at height `ip` *)
  /\ (forall is. 0 <= is < s.num_stacks ->
        forall ip. 0 <= ip < s.stack_sizes[is] ->
        let idx = s.stacks[is][ip] in
        (is,ip) = s.positions[idx])
     (** positions is the proper inverse of stacks *)
  /\ (forall i. 0 <= i < s.num_stacks ->
        let stack_i = s.stacks[i] in
        forall j,k. 0 <= j < k < s.stack_sizes[i] ->
           stack_i[j] < stack_i[k])
     (** in a given stack, indexes are increasing from bottom to top *)
  /\ (forall i. 0 <= i < s.num_stacks ->
        let stack_i = s.stacks[i] in
        forall j,k. 0 <= j <= k < s.stack_sizes[i] ->
           s.values[stack_i[j]] >= s.values[stack_i[k]])
     (** in a given stack, card values are decreasing from bottom to top *)
  /\ (forall i. 0 <= i < s.num_elts ->
       let pred = s.preds[i] in
       -1 <= pred < s.num_elts &&
       (** the predecessor is a valid index or `-1` *)
       pred < i /\
       (** predecessor is always a smaller index *)
       let is,_ip = s.positions[i] in
       if pred < 0 then is = 0
         (** if predecessor is `-1` then `i` is in leftmost stack *)
       else
         s.values[pred] < s.values[i] /\
         (** if predecessor is not `-1`, it denotes a card with smaller value... *)
         is > 0 &&
         (** ...the card is not on the leftmost stack... *)
         let ps,_pp = s.positions[pred] in
         ps = is - 1)
         (** ...and predecessor is in the stack on the immediate left *)



  (** {2 Programs} *)

  use ref.Ref
  exception Return int

  (** `play_card c i s` pushes the card `c` on state `s` *)
  let ghost play_card (c:card) (s:state) : unit
    requires { inv s }
    writes   { s }
    ensures  { inv s }
    ensures  { s.num_elts = (old s).num_elts + 1 }
    ensures  { s.values = (old s).values[(old s).num_elts <- c] }
  =
    let ghost pred = ref (-1) in
  try
    for i = 0 to s.num_stacks - 1 do
      invariant { if i=0 then !pred = -1 else
        let stack_im1 = s.stacks[i-1] in
        let stack_im1_size = s.stack_sizes[i-1] in
        let top_stack_im1 = stack_im1[stack_im1_size - 1] in
        !pred = top_stack_im1 /\
        c > s.values[!pred]  /\
        0 <= !pred < s.num_elts /\
        let ps,_pp = s.positions[!pred] in
        ps = i - 1
      }
      let stack_i = s.stacks[i] in
      let stack_i_size = s.stack_sizes[i] in
      let top_stack_i = stack_i[stack_i_size - 1] in
      if c <= s.values[top_stack_i] then raise (Return i);
      assert { 0 <= top_stack_i < s.num_elts };
      assert { let is,ip = s.positions[top_stack_i] in
        0 <= is < s.num_stacks &&
        0 <= ip < s.stack_sizes[is] &&
        s.stacks[is][ip] = top_stack_i &&
        is = i /\ ip = stack_i_size - 1
      };
      pred := top_stack_i
    done;
    (* we add a new stack *)
    let idx = s.num_elts in
    let i = s.num_stacks in
    let stack_i = s.stacks[i] in
    let new_stack_i = stack_i[0 <- idx] in
    s.num_elts <- idx + 1;
    s.values <- s.values[idx <- c];
    s.num_stacks <- s.num_stacks + 1;
    s.stack_sizes <- s.stack_sizes[i <- 1];
    s.stacks <- s.stacks[i <- new_stack_i];
    s.positions <- s.positions[idx <- i,0];
    s.preds <- s.preds[idx <- !pred]
  with Return i ->
         let stack_i = s.stacks[i] in
         let stack_i_size = s.stack_sizes[i] in
         (* we put c on top of stack i *)
         let idx = s.num_elts in
         let new_stack_i = stack_i[stack_i_size <- idx] in
         s.num_elts <- idx + 1;
         s.values <- s.values[idx <- c];
         (* s.num_stacks unchanged *)
         s.stack_sizes <- s.stack_sizes[i <- stack_i_size + 1];
         s.stacks <- s.stacks[i <- new_stack_i];
         s.positions <- s.positions[idx <- i,stack_i_size];
         s.preds <- s.preds[idx <- !pred];
  end





  use list.List
  use list.Length
  use list.NthNoOpt



  let rec play_cards (input: list int) (s: state) : unit
    requires { inv s }
    variant  { input }
    writes   { s }
    ensures  { inv s }
    ensures  { s.num_elts = (old s).num_elts + length input }
    ensures  { forall i. 0 <= i < (old s).num_elts ->
                 s.values[i] = (old s).values[i] }
    ensures  { forall i. (old s).num_elts <= i < s.num_elts ->
                 s.values[i] = nth (i - (old s).num_elts) input }
  =
    match input with
    | Nil -> ()
    | Cons c rem -> play_card c s; play_cards rem s
    end







  type seq 'a = { seqlen: int; seqval: map int 'a }

  predicate increasing_subsequence (s:seq int) (l:list int) =
    0 <= s.seqlen <= length l &&
    (* subsequence *)
    ((forall i. 0 <= i < s.seqlen -> 0 <= s.seqval[i] < length l)
    /\ (forall i,j. 0 <= i < j < s.seqlen -> s.seqval[i] < s.seqval[j]))
    (* increasing *)
    && (forall i,j. 0 <= i < j < s.seqlen ->
          nth s.seqval[i] l < nth s.seqval[j] l)






  use PigeonHole








  let ghost play_game (input: list int) : state
    ensures { exists s: seq int.  s.seqlen = result.num_stacks /\
        increasing_subsequence s input
      }
    ensures { forall s: seq int.
        increasing_subsequence s input -> s.seqlen <= result.num_stacks
      }
  = let s = {
      num_elts = 0;
      values = Const.const (-1) ;
      num_stacks = 0;
      stack_sizes = Const.const 0;
      stacks = Const.const (Const.const (-1));
      positions = Const.const (-1,-1);
      preds = Const.const (-1);
    }
    in
    play_cards input s;
    (**

      This is ghost code to build an increasing subsequence of maximal length

    *)
    let ns = s.num_stacks in
    if ns = 0 then
      begin
        assert { input = Nil };
        let seq = { seqlen = 0 ; seqval = Const.const (-1) } in
        assert { increasing_subsequence seq input };
        s
      end
    else
    let last_stack = s.stacks[ns-1] in
    let idx = ref (last_stack[s.stack_sizes[ns-1]-1]) in
    let seq = ref (Const.const (-1)) in
    for i = ns-1 downto 0 do
       invariant { -1 <= !idx < s.num_elts }
       invariant { i >= 0 -> !idx >= 0 &&
         let is,_ = s.positions[!idx] in is = i }
       invariant { i+1 < ns -> !idx < !seq[i+1] }
       invariant { 0 <= i < ns-1 -> s.values[!idx] < s.values[!seq[i+1]] }
       invariant { forall j. i < j < ns -> 0 <= !seq[j] < s.num_elts }
       invariant { forall j,k. i < j < k < ns -> !seq[j] < !seq[k] }
       invariant { forall j,k. i < j < k < ns ->
         s.values[!seq[j]] < s.values[!seq[k]]
       }
       seq := !seq[i <- !idx];
       idx := s.preds[!idx];
    done;
    let sigma = { seqlen = ns ; seqval = !seq } in
    assert { forall i. 0 <= i < length input -> nth i input = s.values[i] };
    assert { increasing_subsequence sigma input };
    (**

      These are assertions to prove that no increasing subsequence of
      length larger than the number of stacks may exists

    *)
    assert {  (* non-injectivity *)
      forall sigma: seq int.
        increasing_subsequence sigma input /\ sigma.seqlen > s.num_stacks ->
        (exists i,j.
          0 <= i < j < sigma.seqlen &&
          let si = sigma.seqval[i] in
          let sj = sigma.seqval[j] in
          let stack_i,_pi = s.positions[si] in
          let stack_j,_pj = s.positions[sj] in
          stack_i = stack_j)
        by let f i =
          let si = sigma.seqval[i] in
          let stack_i,_ = s.positions[si] in
          stack_i
        in
           (forall i. 0 <= i < sigma.seqlen ->
            let si = sigma.seqval[i] in
            0 <= si < length input &&
            let stack_i,_ = s.positions[si] in
            0 <= stack_i < s.num_stacks
           )
           so range f sigma.seqlen s.num_stacks
           so not (injective f sigma.seqlen)
    };
    assert { (* contradiction from non-injectivity *)
      forall sigma: seq int.
        increasing_subsequence sigma input /\ sigma.seqlen > s.num_stacks ->
        forall i,j.
          0 <= i < j < sigma.seqlen ->
          let si = sigma.seqval[i] in
          let sj = sigma.seqval[j] in
          let stack_i,pi = s.positions[si] in
          let stack_j,pj = s.positions[sj] in
          stack_i = stack_j ->
          si < sj && pi < pj && s.values[si] < s.values[sj]
    };
    s

  let ghost test () =
    (* the list given in the problem description
       9, 7, 10, 9, 5, 4, and 10 *)
    play_game
      (Cons 9 (Cons 7 (Cons 10 (Cons 9 (Cons 5 (Cons 4 (Cons 10 Nil)))))))

end

(** {2 Gluing abstract version with the original idiomatic code} *)

module PatienceFull

  use int.Int
  use PatienceAbstract


(** glue between the ghost state and the stacks of cards *)

  use list.List
  use list.Length
  use list.NthNoOpt
  use map.Map

  predicate glue_stack (s:state) (i:int) (st:list card) =
      length st = s.stack_sizes[i] /\
      let stack_i = s.stacks[i] in
      forall j. 0 <= i < length st ->
        nth j st = s.values[stack_i[j]]

  predicate glue (s:state) (st:list (list card)) =
    length st = s.num_stacks /\
    forall i. 0 <= i < length st ->
      glue_stack s i (nth i st)




(** {3 playing a card} *)

  use list.RevAppend
  use ref.Ref
  exception Return


(*** FIXME: not proved

  let play_card (c:card) (old_stacks : list (list card)) (ghost state:state) : list (list card)
    requires { inv state }
    requires { glue state old_stacks }
    writes   { state }
    ensures  { inv state }
    ensures  { state.num_elts = (old state).num_elts + 1 }
    ensures  { state.values = (old state).values[(old state).num_elts <- c] }
    ensures  { glue state result }
  =
    let acc = ref Nil in
    let rem_stacks = ref old_stacks in
    let ghost pred = ref (-1) in
    let ghost i = ref 0 in
    try
    while !rem_stacks <> Nil do
      invariant { 0 <= !i <= state.num_stacks }
      invariant { if !i = 0 then !pred = -1 else
        let stack_im1 = state.stacks[!i-1] in
        let stack_im1_size = state.stack_sizes[!i-1] in
        let top_stack_im1 = stack_im1[stack_im1_size - 1] in
        !pred = top_stack_im1 /\
        c > state.values[!pred]  /\
        0 <= !pred < state.num_elts /\
        let ps,_pp = state.positions[!pred] in
        ps = !i - 1
      }
      invariant { old_stacks = rev_append !acc !rem_stacks }
      invariant {
        forall j. 0 <= j < !i -> glue_stack state j (nth (!i - j) !acc)
      }
      invariant {
        forall j. !i <= j < state.num_stacks ->
          glue_stack state j (nth (j - !i) !rem_stacks)
      }
      variant { !rem_stacks }
      match !rem_stacks with
      | Nil -> absurd
      | Cons stack remaining_stacks ->
          rem_stacks := remaining_stacks;
          match stack with
          | Nil ->
            assert { glue_stack state !i stack };
            absurd
          | Cons c' _ ->
             if c <= c' then
               begin
                 acc := Cons (Cons c stack) !acc;
                 raise Return;
               end;
             let ghost stack_i = state.stacks[!i] in
             let ghost stack_i_size = state.stack_sizes[!i] in
             let ghost top_stack_i = stack_i[stack_i_size - 1] in
             assert { 0 <= top_stack_i < state.num_elts };
             assert { let is,ip = state.positions[top_stack_i] in
               0 <= is < state.num_stacks &&
               0 <= ip < state.stack_sizes[is] &&
               state.stacks[is][ip] = top_stack_i &&
               is = !i /\ ip = stack_i_size - 1
             };
             i := !i + 1;
             acc := Cons stack !acc;
             pred := top_stack_i
         end
      end
    done;
    (* we add a new stack *)
    let ghost idx = state.num_elts in
    let ghost i = state.num_stacks in
    let ghost stack_i = state.stacks[i] in
    let ghost new_stack_i = stack_i[0 <- idx] in
    state.num_elts <- idx + 1;
    state.values <- state.values[idx <- c];
    state.num_stacks <- state.num_stacks + 1;
    state.stack_sizes <- state.stack_sizes[i <- 1];
    state.stacks <- state.stacks[i <- new_stack_i];
    state.positions <- state.positions[idx <- i,0];
    state.preds <- state.preds[idx <- !pred];
    (* we put card [c] in a new stack *)
    rev_append (Cons (Cons c Nil) !acc) Nil
  with Return ->
         let ghost stack_i = state.stacks[!i] in
         let ghost stack_i_size = state.stack_sizes[!i] in
         let ghost top_stack_i = stack_i[stack_i_size - 1] in
         assert { c <= state.values[top_stack_i] };
         (* we put c on top of stack i *)
         let ghost idx = state.num_elts in
         let ghost new_stack_i = stack_i[stack_i_size <- idx] in
         state.num_elts <- idx + 1;
         state.values <- state.values[idx <- c];
         (* state.num_stacks unchanged *)
         state.stack_sizes <- state.stack_sizes[!i <- stack_i_size + 1];
         state.stacks <- state.stacks[!i <- new_stack_i];
         state.positions <- state.positions[idx <- !i,stack_i_size];
         state.preds <- state.preds[idx <- !pred];
         (* card is placed on the leftmost stack where its card
            value is no greater than the topmost card on that
            stack *)
         rev_append !acc !rem_stacks
  end

*)


(*** a version closer to the original code
  let play_card (c:card) (old_stacks : list (list card)) (ghost state:state) : list (list card)
    requires { inv state }
    requires { glue state old_stacks }
    writes   { state }
    ensures  { inv state }
    ensures  { state.num_elts = (old state).num_elts + 1 }
    ensures  { state.values = (old state).values[(old state).num_elts <- c] }
    ensures  { glue state result }
  = let i = ref 0 in
    let pred = ref (-1) in
    let rec push_card (c:card) (st : list (list card))
                      (acc : list (list card)) : list (list card)
      requires { old_stacks = rev_append acc st }
      variant { st }
    =
    match st with
    | Nil ->
        (* we put card [c] in a new stack *)
        rev_append (Cons (Cons c Nil) acc) Nil
    | Cons stack remaining_stacks ->
        match stack with
        | Nil ->
          assert { glue_stack state !i stack };
          absurd
        | Cons c' _ ->
           if c <= c' then
             (* card is placed on the leftmost stack where its card
                value is no greater than the topmost card on that
                stack *)
             rev_append (Cons (Cons c stack) acc) remaining_stacks
           else
             (* try next stack *)
             push_card c remaining_stacks (Cons stack acc)
        end
    end
    in
   let new_stacks = push_card c old_stacks Nil in
   let idx = state.num_elts in
   state.num_elts <- idx + 1;
   state.values <- state.values[idx <- c];
   new_stacks
*)


(*** {3 playing cards} *)



(***


  let rec play_cards (input: list card) (stacks: list (list card))
    (ghost state:state) : list (list card)
    requires { inv state }
    requires { glue state stacks }
    variant  { input }
    (* writes   { state } *)
    ensures  { inv state }
    ensures  { state.num_elts = (old state).num_elts + length input }
    ensures  { forall i. 0 <= i < (old state).num_elts ->
                 state.values[i] = (old state).values[i] }
    ensures  { forall i. (old state).num_elts <= i < state.num_elts ->
                 state.values[i] = nth (i - (old state).num_elts) input }
    ensures  { glue state result }
  =
    match input with
    | Nil -> stacks
    | Cons c rem ->
        let stacks' = play_card c stacks state in
        play_cards rem stacks' state
    end

*)






(*** {3 playing a whole game} *)

(***

  type seq 'a = { seqlen: int; seqval: map int 'a }
  (** a sequence is defined by a length and a mapping *)

  (** definition of an increasing sub-sequence of a list of card *)
  predicate increasing_subsequence (sigma:seq int) (l:list card) =
       0 <= sigma.seqlen <= length l
       (** the length of [sigma] is at most the number of cards *)
    && (forall i. 0 <= i < sigma.seqlen -> 0 <= sigma.seqval[i] < length l)
       (** [sigma] maps indexes to valid indexes in the card list *)
    && (forall i,j. 0 <= i < j < sigma.seqlen -> sigma.seqval[i] < sigma.seqval[j])
       (** [sigma] is an increasing sequence of indexes *)
    && (forall i,j. 0 <= i < j < sigma.seqlen ->
          nth sigma.seqval[i] l < nth sigma.seqval[j] l)
       (** the card values denoted by [sigma] are increasing *)

  use PigeonHole

  let play_game (input: list card) : list (list card)
    requires { length input > 0 }
    ensures  { exists sigma: seq int.
                 sigma.seqlen = length result /\
                 increasing_subsequence sigma input
             }
    ensures  { forall sigma: seq int.
                increasing_subsequence sigma input ->
                  sigma.seqlen <= length result
             }
  = let ghost state = {
      num_elts = 0;
      values = Const.const (-1) ;
      num_stacks = 0;
      stack_sizes = Const.const 0;
      stacks = Const.const (Const.const (-1));
      positions = Const.const (-1,-1);
      preds = Const.const (-1);
    }
    in
    let final_stacks = play_cards input Nil state in
    assert { forall i. 0 <= i < length input -> nth i input = state.values[i] };
    (**

      This is ghost code to build an increasing subsequence of maximal length

    *)
    let ghost ns = state.num_stacks in
    let ghost _sigma =
      if ns = 0 then
      begin
        assert { input = Nil };
        absurd
(*
        TODO: if input is empty, we may be able to prove that:
        let sigma = { seqlen = 0 ; seqval = Const.const (-1) } in
        assert { increasing_subsequence sigma input };
        sigma
*)
      end
    else
    let ghost last_stack = state.stacks[ns-1] in
    let ghost idx = ref (last_stack[state.stack_sizes[ns-1]-1]) in
    let ghost seq = ref (Const.const (-1)) in
    for i = ns-1 downto 0 do
       invariant { -1 <= !idx < state.num_elts }
       invariant { i >= 0 -> !idx >= 0 &&
         let is,_ = state.positions[!idx] in is = i }
       invariant { i+1 < ns -> !idx < !seq[i+1] }
       invariant { 0 <= i < ns-1 -> state.values[!idx] < state.values[!seq[i+1]] }
       invariant { forall j. i < j < ns -> 0 <= !seq[j] < state.num_elts }
       invariant { forall j,k. i < j < k < ns -> !seq[j] < !seq[k] }
       invariant { forall j,k. i < j < k < ns ->
         state.values[!seq[j]] < state.values[!seq[k]]
       }
       seq := !seq[i <- !idx];
       idx := state.preds[!idx];
    done;
    let ghost sigma = { seqlen = ns ; seqval = !seq } in
    assert { increasing_subsequence sigma input };
    (**

      These are assertions to prove that no increasing subsequence of
      length larger than the number of stacks may exists

    *)
    assert {  (* non-injectivity *)
      forall sigma: seq int.
        increasing_subsequence sigma input /\ sigma.seqlen > state.num_stacks ->
        let f = fun i ->
          let si = sigma.seqval[i] in
          let stack_i,_ = state.positions[si] in
          stack_i
        in range f sigma.seqlen state.num_stacks &&
           not (injective f sigma.seqlen state.num_stacks)
    };
    assert {  (* non-injectivity *)
      forall sigma: seq int.
        increasing_subsequence sigma input /\ sigma.seqlen > state.num_stacks ->
        exists i,j.
          0 <= i < j < sigma.seqlen &&
          let si = sigma.seqval[i] in
          let sj = sigma.seqval[j] in
          let stack_i,_pi = state.positions[si] in
          let stack_j,_pj = state.positions[sj] in
          stack_i = stack_j
    };
    assert { (* contradiction from non-injectivity *)
      forall sigma: seq int.
        increasing_subsequence sigma input /\ sigma.seqlen > state.num_stacks ->
        forall i,j.
          0 <= i < j < sigma.seqlen ->
          let si = sigma.seqval[i] in
          let sj = sigma.seqval[j] in
          let stack_i,pi = state.positions[si] in
          let stack_j,pj = state.positions[sj] in
          stack_i = stack_j ->
          si < sj && pi < pj && state.values[si] < state.values[sj]
    };
    sigma
  in
  final_stacks

*)

end
why3-1.6.0/examples/patience/000077500000000000000000000000001440160026300160125ustar00rootroot00000000000000why3-1.6.0/examples/patience/why3session.xml000066400000000000000000000517751440160026300210510ustar00rootroot00000000000000








 
 
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
 
 


 
 
 
 
 
 
 
 
 
 
 
 
 
 
 


 
 
  
  
  
  
  
   
   
    
    
     
     
     
     
     
     
     
     
     
     
     
     
     
     
     
     
     
     
     
     
     
     
     
     
     
     
     
     
     
     
     
     
     
     
     
     
     
     
     
     
     
     
     
     
     
     
     
     
     
     
     
     
     
     
     
     
     
     
     
     
     
     
     
    
    
   
   
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
   
   
    
    
     
     
     
     
     
     
     
     
     
     
     
     
     
     
     
     
     
     
     
     
     
     
     
     
     
     
     
     
     
     
     
     
     
     
     
     
     
     
     
     
     
     
     
     
     
     
     
     
     
     
     
     
     
     
     
     
     
     
     
     
     
     
     
    
    
   
   
  
  
  
  
  
  
  
  
  
  
  
 
 
 
 
 
 
 
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
   
   
   
   
   
   
   
   
   
   
   
   
   
   
    
    
     
     
      
      
       
       
       
       
       
        
        
        
        
        
        
       
       
      
      
     
     
    
    
   
   
   
   
   
   
   
   
  
  
  
  
  
  
  
  
  
  
  
  
  
  
 
 
 
 
 



why3-1.6.0/examples/patience/why3shapes.gz000066400000000000000000000234111440160026300204530ustar00rootroot00000000000000}Yo%7z6p_N+@p4`0lu2sRj~|+iɣ*N6\_RϏ>np31jAIqsEW^~?wz_Y(_*BhT$xd˕RDRi}|1',sdr4V|}ʊV>lWcKYcqCwD9;JbtYE]Ue(A E؉Or?K;a^ɜ?pSHX;vv-M_%/϶}߫>Cxۼ\Q1(j#1po%F3j`2"XV֫獓r9Tm(zzdj??.[m]n?w.3x^CV~Ѣo.olA6s $tYB<*gtCB3k6x;,婅\	qړ8_88"6M22PʉZ0}%|Ŗ**>&	z)L4RT5)F0)U	P8 a5G)cI%b(4$曥}~ll
+I*|0eԸ&NcͪLy/Z:^?^|9/Ow!]~)|oÏwwt܌*'xeuc/ dm'n7k~/y
ij^Vw!$H=8"&Uȧ#A؎bUQ,4=$oNv!Ȯff`IC(h!0Q/(RJNfJoXm,Ƞ)ZLBkK/6<
?(cEU(g/?u߂vu|lc?L㉫kKUIS46Gbxz_?3w4|s[OnWEq
-[8mlQW+j*NH}5)roiûSn!~-MmP6ח!e~͌J4LɌx%sLK`O.|6/}cq9!!oqś)TW >>bz0v@ecx&Tw*yx/DiCoo˫i%^FrUĊj
bE~M!"Y̴i--ͲY.oHὪɕ齢P6Wʙ5%%Wդ䪅
jE}M
f0PѬf4떃f]_Ӭ745:4#UT5%%
fEM	H"݄vD̕aeּ,[0}fid|Hڂydj\}uw5unt
6aJTj+'GnjfGGÞlne/5W,-r/U;'^{993*BaY	.RXndŒ'7.u,CNg{eOfϏY՞U
q8vO8j#[}Z_#I_Tl|r#=?rҖ\iK{~$f֛j9JZWmqYORgՖY)INJ+%ZIV3l|K6$U{tWw͓916WUNꪑo0$|M.ӖS%rXΘe:@}4ZWs
:mKq>=HsIVL"\kԏ;)^3O&Bn(vfuu	t@bnn͈nwjONY"AÃ`
,dO46}i?ݰ _dz-x3 KEϧv-[kD4rӨPZ[StYR/y 6x|+mMdk#@$w.0{~-aeez},O$u5I]RW{RW"%QBX%pL*3̞FelL/*^eߝUy@WߚV*NʶힲFٮ(;[ힿi{o鈾|zς*娽iteG_BQq2K]hV[͇Ff!&9>ϰ5aZa`*X2VճRDžߛeM=5>2eՂ,HOg{7d[łsb?ΣW\U!V7kÄ~5WI0a|Q(1eMZTRP-f)RP奠Z,'?Ɛv2`n-9Ȭ߾ٿmؿߚ#c"1`jl!'3V;r_W.侼WzS]iwvכ.iw]~jIvd<6K<,
7T{:@pfo"ޜ'v'}}XdUtwt{jH$܍'HKxnlA[y3 c_L
<Zw/G>{A0?>;0jJɟw٥Oܬ7
JYAjsgG#=oKޥBڥU5odrV5lZ{ֺ)>kRڿ!0?/~l+rʋ!4YR7e=+ûxye~$!o|Ϟ9*Ի+F#䚬dbǰGcأ}ݯ|}L|o|?-<ϐO.$ɷi0K[܃j}]}u_/w giDD
z$
6#c?3ׅfVLk=T S  FoL>:С'4!aWa@nҧ
򗗦'
ϥOmN6}jz>i}Ϛ~Аkj&>ɳ)
q>P΂VxZ4f&8/5G‡ZJƟDHF5^f153NpR$dP
|<
|4||!>&6 jq~kVd{n+-iKcv#?-|'sYC!S@l"SJ֠|pnmMT88:jJYek
/]mʡ<oM#v~ގ\?霮`W1&Zg;Ya9̩58V+5r$Zr|S7m5cg4Ќf#lB>oJE+"+<_=[5oY0=WϽF$*$(H\ɷIC7'ǖ&7D}Qt/?swlnRNviҰcR]!Q^3mSRv^u^dGv0,wCRQwYu HL2:6xi:^}PB!J MtڥRTAAsh156}%Kx'f/=WNո74!qmU"%:%ևx
=g	V!ea|7^虊$\+աS37c=Fu12Й9r}>B39t6ޓ@lSD-dx;;nf ?d,;Dd4'f1g!b2	)9h
6ȍ]
Pw/|LZЧ(]{;vI)ɹbbYxztKi-KIB4&{=RǨ$[TZ@]<\{>8̅wFwnw׹Ɏ;;85@R=k)jpA*#(9Ae$X`T"	Jj	0m(\~Aw:+nRS˔`JXPXmI
qmz9ǰ@I\843(xpBINzZGvCvJ5Lx7f>:utcG>e>ZuheG=s4hȣGÏ?jwQˣG͏?*wTQRG%J?*v(aL0JSdpnJL{vdap`wPCo@/4ؙgGv09ɔX!nd??i'893B(T(e&ٶ]JvY@h潐Nw`Dgώ.jbg6ƃfL6vds̼Kz ,ĩhBB)YQcы;tCȊ=Kke
ot@NZׄջ7WZ9mN Ƭ0eZJMN8)uשGR~~eTJ0Â< ǢGj%r~(g08un7g˂K܇8@;<Wq%9>YŤC8tJ03J
Cd&2Xx:!	Z(¸B>Jt@˒F$3K-L}`]d
(聀T[\"=;KhXu3% pbJtV`:Ǥ	n}u])\"NY:-b.DʎbF_{;kI+^zi7A/su/[ynPW7DzFv]Дq-K-d|fuVhxQE~iE3#RA.Xe^Zl+g-wxs|ʪQBͰ1rcX;Z)
0SLhs&zPL耙AAXDcL.ȮuSkP;RqfDC,)UBӋ=`NuL[kzM[%G\g1`Q0!
(YIFzP	q!/4	Y4 }ϩfN9A$?XB㞧V\Ɲ$N#L^H70mNAցdE~Hrd[јN#
}+&zgs3"cAik:E
:fYځeZDǼ(h)J镧c"ž,XD}neV虖i᥄UoGFxz`UTrS+㩳?àza*{༕Iy	tiCmn#BZ>~j;c}yKqEɂ]H"UAw28d):a5:Hj-$&4qJ0,7tAg;PjA]a=	ӻVAS~PjT#@@.<&Mvҩι`;*H`̇}[=7X%Sq;5cyvd{,K<=C9"v퀌JէdN wгFYGA!
32Ȧ4why3-1.6.0/examples/pigeonhole.mlw000066400000000000000000000015701440160026300170770ustar00rootroot00000000000000
(** Pigeonhole principle (also know as Dirichlet's drawer principle)

    Proved using a lemma function. *)

module Pigeonhole

  use int.Int, set.Fset, ref.Ref

  let rec ghost below (n: int) : fset int
    requires { 0 <= n }
    ensures  { forall i. mem i result <-> 0 <= i < n }
    ensures  { cardinal result = n }
    variant  { n }
  = if n = 0 then empty else add (n-1) (below (n-1))

  let lemma pigeonhole (n m: int) (f: int -> int)
    requires { 0 <= m < n }
    requires { forall i. 0 <= i < n -> 0 <= f i < m }
    ensures  { exists i1, i2. 0 <= i1 < i2 < n /\ f i1 = f i2 }
  =
    let s = ref empty in
    for i = 0 to n-1 do
      invariant { cardinal !s = i }
      invariant { forall x. mem x !s <-> (exists j. 0 <= j < i /\ x = f j) }
      if mem (f i) !s then return;
      s := add (f i) !s
    done;
    let b = below m in assert { subset !s b };
    absurd

end
why3-1.6.0/examples/pigeonhole/000077500000000000000000000000001440160026300163535ustar00rootroot00000000000000why3-1.6.0/examples/pigeonhole/why3session.xml000066400000000000000000000041571440160026300214020ustar00rootroot00000000000000






 
 
 
 
 
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
 
 



why3-1.6.0/examples/pigeonhole/why3shapes.gz000066400000000000000000000022031440160026300210100ustar00rootroot00000000000000V[4~ϯp+bڨn;6[mJ]ĿǗ$MVB-^|yn_/O/?_Z̃qюl׃#nsܠnm;15;ՉS#NlDǒ"N%Ƕcɬ?/HY?X_	`
`lElFfki/QcMco~9ù0@$ͷOHٜ}"^ȸ저*&54aNj{sƯ5d>rz,lbٽ+rBr=#oGIXy,Kȥ({M"׷2g[̶'Ed'er Sbs@PgГQbT&n\䜆
~JJq#DygZE
yIsP:H"/"V(mrϯfS
w\+1PnW&|宀++w|$Wt	#I7Ό@%a+MiwyxyM-p0lqirb$0J=fw&vO^goܓ_ZDQ2WI٘bo>!;g:ANa&o^\r/f֘!4WK'ݢמ.'1/.LpeM@Zp*bJ8TH
{#`
{d^@QUh˱;sk-ej啢Uˍu"'̠j++ι=G9˸R\,N:e(x
RYlTgРQQl0VySs@+dڙ>I#X*8K2^Kܡ  0}why3-1.6.0/examples/power.mlw000066400000000000000000000016141440160026300161010ustar00rootroot00000000000000
(* fast exponentiation *)

module FastExponentiation

  use int.Int
  use int.Power
  use int.ComputerDivision

  (* recursive implementation *)

  let rec fast_exp x n variant { n }
    requires { 0 <= n }
    ensures { result = power x n }
  = if n = 0 then
      1
    else begin
      let r = fast_exp x (div n 2) in
      if mod n 2 = 0 then r * r else r * r * x
    end

  (* non-recursive implementation using a while loop *)

  use ref.Ref

  let fast_exp_imperative x n
    requires { 0 <= n }
    ensures { result = power x n }
  = let r = ref 1 in
    let p = ref x in
    let e = ref n in
    while !e > 0 do
      invariant { 0 <= !e /\ !r * power !p !e = power x n }
      variant   { !e }
      label L in
      if mod !e 2 = 1 then r := !r * !p;
      p := !p * !p;
      e := div !e 2;
      assert { power !p !e =
               let x = power (!p at L) !e in x * x }
    done;
    !r

end
why3-1.6.0/examples/power/000077500000000000000000000000001440160026300153565ustar00rootroot00000000000000why3-1.6.0/examples/power/why3session.xml000066400000000000000000000066151440160026300204060ustar00rootroot00000000000000







 
 
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
 
 
 
 
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
 
 



why3-1.6.0/examples/power/why3shapes.gz000066400000000000000000000023571440160026300200250ustar00rootroot00000000000000XۊG}7zꪾA-?y572Iz$쮴	datWu:uz.zh6ۇִw
6GM7"nw9ؕ(%^$mILW#(EpN.ԉ+wWr92{qCWgǯT?~B*韩˱f.%g!iYmcMOImrTKp+e}ägcͪsUuFUN_]
>_zXtZ1c5P%w;DW]Urc|7S{}?Sewj&9)zTB-
D*椣Qlȑ+\J4dr$E9P:&!^QD0zQAe	+UB(!,TSl2pu #l#[r+ˎh	%tFLآ[mB&d,pɸFlgoAB2XYd|	
E`|| S}S^ȔK
EP\
LE$ 0 do
      invariant { 0 <= !e /\ !r * power !p !e = power x n }
      variant   { !e }
      label L in
      if mod !e 2 = 1 then r := !r * !p;
      p := !p * !p;
      e := div !e 2;
      assert { power !p !e =
               let x = power (!p at L) !e in x * x }
    done;
    !r

end
why3-1.6.0/examples/power_vc_sp/000077500000000000000000000000001440160026300165505ustar00rootroot00000000000000why3-1.6.0/examples/power_vc_sp/why3session.xml000066400000000000000000000053441440160026300215760ustar00rootroot00000000000000







 
 
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
 
 
 
 
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
 
 



why3-1.6.0/examples/power_vc_sp/why3shapes.gz000066400000000000000000000021271440160026300212120ustar00rootroot00000000000000Tn6+UrE}@BVÇPeNd9!y̛7xáwXXpz
p6{ =W>8,=)ζ8^$&g=-	-L|<[O^ճtrUޜM,8'"i^sHZpn>M={тr$jrs^L)VPz]zB0$Y

Qb+Fz;]LdcEYd8-kT\XMx@t1:/1zG^4yT"(U
1Xe+Sirz[I!whA,!*W6TdZFoVzF(A| Q--pJ)99+JKRy ath[I3ӂ
lf list 'a ;
  }

  type t 'a = {
    (* (-1) mean array resizing (doubling in size), i >= 0 mean
       update at case i. *)
    mutable history : list int ;
    mutable current_time : int ;
    mutable buffer : array (list 'a) ;
    (* Invariant of stored data. *)
    ghost inv : 'a -> bool ;
  }

end

module Logic

  use Types
  use int.Int
  use int.ComputerDivision
  use import map.Map as M
  use array.Array
  use list.List
  use Functions.Func
  use Choice.Choice

  function func_of_array (a:array 'a) (def:'a) : int -> 'a
  axiom func_of_array_def : forall a:array 'a,def:'a,x:int.
    func_of_array a def x = if (0 <= x < a.length)
    then M.get a.elts x
    else def

  function current_timestamp (x:t 'a) : timestamp 'a =
    { time = x.current_time ;
      size = x.buffer.length ;
      table = func_of_array x.buffer Nil ; }

  predicate correct_table (sz:int) (b: int -> list 'a) =
    forall x:int. x >= sz \/ x < 0 -> b x = Nil

  function pop (l:list 'a) : list 'a = match l with
    | Nil -> default
    | Cons _x q -> q
  end

  function unroll (tm:int) (t0:int) (h:list int) (b:int -> list 'a)
    (sz:int) : timestamp 'a =
    if tm = 0
    then { time = t0 ; size = sz ; table = b }
    else match h with
      | Nil -> { time = (t0+tm) ; size = sz ; table = b ; }
      | Cons x q -> if x = (-1)
        then unroll (tm-1) t0 q b (div sz 2)
        else unroll (tm-1) t0 q (b[x <- pop (b x)]) sz
      end

  predicate unroll_correct (tm:int) (h:list int) (b:int -> list 'a) (sz:int)
    = match h with
      | Nil -> tm = 0
      | Cons x q -> if x = (-1)
        then let s0 = div sz 2 in
          s0 * 2 = sz /\ unroll_correct (tm-1) q b s0 /\
          (forall i:int. i >= s0 \/ i < 0 -> b i = Nil)
        else b x <> Nil /\ 0 <= x < sz
          /\ unroll_correct (tm-1) q (b[x <- pop (b x)]) sz
    end

  predicate past_time (t:timestamp 'a) (tb:t 'a) =
    tb.current_time >= t.time /\
    unroll (tb.current_time - t.time) t.time
      tb.history (func_of_array tb.buffer Nil) tb.buffer.length = t

  predicate precede (tb1:t 'a) (tb2:t 'a) =
    forall t:timestamp 'a. past_time t tb1 -> past_time t tb2

  predicate before (t1 t2:timestamp 'a) =
    t1.time <= t2.time

  predicate list_forall (p:'a -> bool) (l:list 'a) = match l with
    | Nil -> true
    | Cons x q -> p x /\ list_forall p q
  end

  predicate correct (tb:t 'a) =
    (forall t:timestamp 'a. past_time t tb -> t.size > 0) /\
    (forall t:timestamp 'a,i:int.
      past_time t tb /\ i >= 0 -> list_forall tb.inv (eval t.table i)) /\
    (forall t:timestamp 'a.
      past_time t tb -> correct_table t.size t.table) /\
    unroll_correct tb.current_time tb.history
      (func_of_array tb.buffer Nil) tb.buffer.length

  (* I MUST INTRODUCE THIS PREDICATE FOR ONLY ONE REASON :
     ABUSIVE RECORD DECONSTRUCTION IN ASSERTIONS. *)
  predicate backtrack_to (tbold:t 'a) (tbinter:t 'a) (tbnew:t 'a) =
    (forall tm:timestamp 'a.
     past_time tm tbold -> past_time tm tbinter
              && time tm <= time (current_timestamp tbold)
              && time tm <= time (current_timestamp tbnew)
              && before tm (current_timestamp tbnew)
              && past_time tm tbnew) && (forall tm:timestamp 'a.
            past_time tm tbold -> past_time tm tbnew) &&
            precede tbold tbnew

end

module Impl

  use Types
  use Logic
  use int.Int
  use int.ComputerDivision
  use import map.Map as M
  use array.Array
  use list.List
  use Functions.Func
  use Predicates.Pred
  use Choice.Choice

  (* extraction trick to speedup integer operations with
     constants. *)
  let constant mone : int = -1
  let constant zero : int = 0
  let constant one : int = 1
  let constant two : int = 2

  let create (ghost p: 'a -> bool) : t 'a
    ensures { forall t:timestamp 'a.
      past_time t result ->  t.table = const Nil }
    ensures { past_time (current_timestamp result) result }
    ensures { result.inv = p }
    ensures { correct result }
  =
    let res = {
      history = Nil ;
      current_time = zero ;
      buffer = make one Nil ;
      inv = p ;
    } in
    assert { extensionalEqual (func_of_array res.buffer Nil) (const Nil) } ;
    res


  (* Internal utility (break some of the invariants),
     but useful in practice. *)
  let add_event (x:int) (tb:t 'a) : unit
    writes { tb.history,tb.current_time }
    ensures { tb.history = Cons x (old tb).history }
    ensures { tb.current_time = (old tb).current_time + 1 }
  =
    tb.history <- Cons x tb.history ;
    tb.current_time <- tb.current_time + one


  (* Internal utility. *)
  let resize_for (x:int) (tb:t 'a) : unit
    writes { tb }
    requires { correct tb }
    requires { x >= tb.buffer.length }
    ensures { x < tb.buffer.length }
    ensures { precede (old tb) tb }
    ensures { correct tb }
    ensures { (current_timestamp tb).table =
      (current_timestamp (old tb)).table }
  =
    (* pattern : in order to do an optimization
       (resize only once), introduce a ghost value
       on which we 'execute' the unoptimized code and
       'check' at end that it give the same result. *)
    let ghost tbc = {
      history = tb.history ;
      current_time = tb.current_time ;
      buffer = copy tb.buffer;
      inv = tb.inv ;
    } in
    let rec aux (size:int) : int
      requires { 0 < size <= x }
      requires { correct tbc }
      requires { tbc.history = tb.history /\
        tbc.current_time = tb.current_time /\
        func_of_array tbc.buffer Nil = func_of_array tb.buffer Nil }
      requires { tbc.buffer.length = size }
      variant { x - size }
      writes { tb.history,tb.current_time,tbc.history,tbc.current_time,tbc.buffer }
      ensures { correct tbc }
      ensures { tbc.history = tb.history /\
        tbc.current_time = tb.current_time /\
        func_of_array tbc.buffer Nil = func_of_array tb.buffer Nil }
      ensures { tbc.buffer.length = result }
      ensures { result > x }
      ensures { result >= size }
      ensures { precede (old tbc) tbc }
    =
      label AuxInit in
      assert { past_time (current_timestamp tbc) tbc } ;
      add_event mone tb ;
      add_event mone tbc ;
      let size2 = two * size in
      let ghost buf2 = make size2 Nil in
      let buf1 = tbc.buffer in
      blit buf1 zero buf2 zero size ;
      tbc.buffer <- buf2 ;
      assert { extensionalEqual (func_of_array tbc.buffer Nil)
        (func_of_array (tbc at AuxInit).buffer Nil) } ;
      assert { forall t:timestamp 'a.
        (past_time t (tbc at AuxInit) \/ t = current_timestamp tbc) <-> past_time t tbc } ;
      if size2 > x
      then size2
      else aux size2 in
    let len = length tb.buffer in
    assert { extensionalEqual (func_of_array tbc.buffer Nil)
      (func_of_array tb.buffer Nil) } ;
    assert { len = (current_timestamp tb).size } ;
    let size = aux len in
    let buf2 = make size Nil in
    let buf1 = tb.buffer in
    blit buf1 zero buf2 zero len ;
    assert { extensionalEqual (func_of_array buf1 Nil)
      (func_of_array buf2 Nil) } ;
    tb.buffer <- buf2

  let iadd (x:int) (b:'a) (tb:t 'a) : unit
    writes { tb.history,tb.current_time,tb.buffer.elts }
    requires { 0 <= x < tb.buffer.length }
    requires { correct tb }
    requires { inv tb b }
    ensures { past_time (current_timestamp tb) tb }
    ensures { correct tb }
    ensures { precede (old tb) tb }
    ensures { let tb0 = (current_timestamp (old tb)).table in
      (current_timestamp tb).table = tb0[x <- Cons b (tb0 x)] }
  =
    label Init in
    let buf = tb.buffer in
    buf[x]<- Cons b (buf[x]) ;
    add_event x tb ;
    assert { let tb0 = (current_timestamp (tb at Init)).table in
      extensionalEqual ((current_timestamp tb).table) (tb0[x <- Cons b (tb0 x)]) } ;
    assert { let tb0 = (current_timestamp (tb at Init)).table in
      let tb1 = (current_timestamp tb).table in
      extensionalEqual (tb1[x <- pop (tb1 x)]) tb0 } ;
    assert { past_time (current_timestamp tb) tb } ;
    assert { forall t:timestamp 'a.
      past_time t tb <-> past_time t (tb at Init) \/ t = current_timestamp tb } ;
    assert { precede (tb at Init) tb }

  let add (x:int) (b:'a) (tb:t 'a) : unit
    writes { tb }
    requires { correct tb }
    requires { x >= 0 }
    requires { inv tb b }
    ensures { past_time (current_timestamp tb) tb }
    ensures { correct tb }
    ensures { precede (old tb) tb }
    ensures { let tb0 = (current_timestamp (old tb)).table in
      (current_timestamp tb).table = tb0[x <- Cons b (tb0 x)] }
  =
    if x >= length tb.buffer
    then resize_for x tb ;
    iadd x b tb


  let get (tb:t 'a) (x:int) : list 'a
    requires { correct tb }
    requires { x >= 0 }
    ensures { result = table (current_timestamp tb) x }
    ensures { list_forall tb.inv result }
  =
    if x >= length tb.buffer
    then Nil
    else let res = tb.buffer[x] in
      (assert { res = table (current_timestamp tb) x } ; res )

  let backtrack (t:timestamp 'a) (tb:t 'a) : unit
    writes { tb }
    requires { past_time t tb }
    requires { correct tb }
    ensures { correct tb }
    ensures { current_timestamp tb = t }
    ensures { past_time (current_timestamp tb) tb }
    ensures { forall t2:timestamp 'a. before t2 t /\ past_time t2 (old tb) ->
      past_time t2 tb }
    ensures { precede tb (old tb) }
  =
    let final_size = t.size in
    let ghost tbc = {
      history = tb.history ;
      current_time = tb.current_time ;
      buffer = copy tb.buffer ;
      inv = tb.inv ;
    } in
    let rec unroll (delta:int) : unit
      requires { correct tbc }
      requires { past_time t tbc }
      requires { delta >= 0 }
      requires { tbc.current_time = t.time + delta }
      requires { tbc.history = tb.history /\
        (forall x:int. 0 <= x < final_size /\ x < tbc.buffer.length ->
          func_of_array tbc.buffer Nil x = func_of_array tb.buffer Nil x) }
      requires { tb.buffer.length <= final_size }
      variant { delta }
      writes { tb.history,tb.buffer.elts,tbc }
      ensures { correct tbc }
      ensures { tbc.history = tb.history /\
        (forall x:int. 0 <= x < final_size ->
          func_of_array tbc.buffer Nil x = func_of_array tb.buffer Nil x) }
      ensures { current_timestamp tbc = t }
      (* This is a trick avoiding an inductive reasoning outside. *)
      ensures { tbc.buffer.length <= (old tbc).buffer.length }
      ensures { precede tbc (old tbc) }
      ensures { forall t2:timestamp 'a. before t2 t /\ past_time t2 (old tbc) ->
        past_time t2 tbc }
    =
      label UInit in
      if delta <> zero
      then begin
        match tb.history with
          | Nil -> absurd
          | Cons x q -> tb.history <- q ;
            tbc.history <- q ;
            tbc.current_time <- tbc.current_time - one ;
            if x = mone
            then begin
              let buf1 = tbc.buffer in
              let len = length buf1 in
              let len2 = div len two in
              (* nothing to do on non-ghost side. *)
              let buf2 = make len2 Nil in
              blit buf1 zero buf2 zero len2 ;
              tbc.buffer <- buf2 ;
              assert { let t0 = { time = tbc.current_time ;
                  size = len2 ;
                  table = func_of_array (tbc at UInit).buffer Nil
                } in
                let t1 = { t0 with table = func_of_array tbc.buffer Nil } in
                past_time t0 (tbc at UInit) &&
                extensionalEqual t0.table t1.table && t0 = t1 } ;
              assert { extensionalEqual (func_of_array tbc.buffer Nil)
                (func_of_array (tbc at UInit).buffer Nil) } ;
              assert { precede tbc (tbc at UInit) } ;
              unroll (delta - one)
            end else begin
              assert { 0 <= x < tbc.buffer.length } ;
              if x < final_size
              then begin
                let h = tb.buffer[x] in
                match h with
                  | Nil -> absurd
                  | Cons _ q -> tb.buffer[x]<- q ;
                    tbc.buffer[x]<- q ;
                    assert {
                      let tb0 = func_of_array (tbc at UInit).buffer Nil in
                      extensionalEqual (tb0[x <- pop (tb0 x)])
                        (func_of_array tbc.buffer Nil) } ;
                    assert { precede tbc (tbc at UInit) } ;
                    unroll (delta - one)
                end
              end
              else begin
                let hc = tbc.buffer[x] in
                match hc with
                  | Nil -> absurd
                  | Cons _ q -> tbc.buffer[x]<- q
                end ;
                assert { let tb0 = func_of_array (tbc at UInit).buffer Nil in
                  extensionalEqual (tb0[x <- pop (tb0 x)])
                  (func_of_array tbc.buffer Nil) } ;
                assert { precede tbc (tbc at UInit) } ;
                (* nothing to do on non-ghost side. *)
                unroll (delta - one)
              end
            end
        end
      end
    in
    assert { extensionalEqual (func_of_array tb.buffer Nil)
      (func_of_array tbc.buffer Nil) } ;
    (* direct resizing if necessary. *)
    if final_size < length tb.buffer
    then begin
      let buf2 = make final_size Nil in
      let buf1 = tb.buffer in
      blit buf1 zero buf2 zero final_size ;
      tb.buffer <- buf2
    end ;
    let tm0 = tb.current_time in
    tb.current_time <- t.time ;
    unroll (tm0 - t.time) ;
    assert { extensionalEqual (func_of_array tb.buffer Nil)
      (func_of_array tbc.buffer Nil) }

  val ghost hack_func_of_array (a:array 'a) (def:'a) : int -> 'a
    ensures { result = func_of_array a def }

  let stamp (tb:t 'a) : timestamp 'a
    requires { correct tb }
    ensures { result = current_timestamp tb }
  =
    {
      time = tb.current_time ;
      size = length tb.buffer ;
      table = hack_func_of_array tb.buffer Nil ;
    }

  (* look for the correct syntax :
    meta "remove_program" val hack_func_of_array*)

end
why3-1.6.0/examples/prover/BacktrackArray/000077500000000000000000000000001440160026300204235ustar00rootroot00000000000000why3-1.6.0/examples/prover/BacktrackArray/why3session.xml000066400000000000000000000750211440160026300234500ustar00rootroot00000000000000











 
 
 
 
 
 
 
 
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
   
   
    
    
    
    
    
    
    
    
    
    
    
    
   
   
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
   
   
    
    
    
    
    
    
    
    
    
    
    
    
   
   
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
 
 
 
 
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
   
   
    
    
     
     
     
     
     
     
     
     
     
    
    
   
   
  
  
  
  
  
  
  
  
  
  
   
   
    
    
    
    
    
    
    
    
    
    
    
    
   
   
  
  
  
  
  
  
  
  
 
 
 
 
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
 
 
 
 
  
  
  
  
  
  
  
  
  
  
  
  
 
 
 
 
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
   
   
   
   
   
   
   
   
   
   
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
   
   
   
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
 
 
 
 
 



why3-1.6.0/examples/prover/BacktrackArray/why3shapes.gz000066400000000000000000000306101440160026300230630ustar00rootroot00000000000000}nIfؾR$
Czik|Z%eI9%T)2h涜so5߮|{ekSu-|ߛP˟ӗow>}qnǻn(]3=&|=|
__8fq3^뗃8>5ok#:Xӻu˻])j|6)p64>~_Q.p*/m|ŕC8s?i4[BS/ /;P\\PU4gwT@-ڍ@woߚ Mlg{-ח]6K9=oPf'(M'rnxL2}'یm@VtB MM|. j̺wQ4"%xBOBR.d77Bꅊ QKu&_>&DfM{-詾e^(ґFǯ#c"0Ÿ)IˉñSAgcB;8dw[fDQ=w݄.s>s缏$~y.Ώ[Mwm:GpObN{bgb{KXPd⯣Xg,b!(gbыE֔6}v?w|\nzE;G;yU(PVBŪ@32Bօ@,Ye!Y"dEx{Poj'v!B$E)O%}=iWH07#	s㼢f泻yE!c؄`,E?|g1|Z-	O2e e8cȧnd1b,Ⱥu'ΏԝL kCֆ
O
EK=)$A6ϯʸ~~A\wdWr%Oq~Ɲq>_>}ӗUFoYU5еNXjR*1kk)?!9= Mbu//
;N%ȏPҹN_bkFhRRw"aǴte{ 'UiB22c[%[#{yKnUg:vw~/~F?CkC"h@*RjjKЃnDm3W
P
T[5Q5sƺFSY?@5;PbbvKw'"J+R+D֊VȞr%BEB/B͵,¼
{D+l
Zb:C
wB+\O?_V sbd$-moB+_~_n_K/IWߗ$I<$mh!I~L/1c,&"89n">d"t6ND|"BqEJ,'"+dE:D&"d"B版OJ۬;YwX+d]ȺuBic`VY
.]
KqpVY	ޖNpYd9xkrp%udDGofgEv;`f6O!rZ^Ena鼟P-t'T*>i*!mkɟ&Sb|wԼ_Vg
8Yj>h//5_)曛*j3ܣRlO?b:<{??r@Z_&Y,GQߣ'+ȄSc54C
v
F
YqH5ʟUlxgKTU;/xY=FP%xu:LRTBf
wm]%,	U/}[Qs<WД%U["JN!3m
PіXzbiIr?bUOjIjm1w~	,p^Р_/;ّ6#e}>7yn=dLiH:ÀעnXf쳽5BΘ,=AMdUixr*/Nk#N@7fHfH>?$Oԕue<>,^rz'Eof"aD0{
DJ{1Bc#	;1O{ύ=/V	fki9[l=-Ь$f'gG1(|#edžĄ>OȓsQ
|T>Gc^k>Vidvfvfvvmfjfjfe4Qo333/oa֭+qwO~ryB-7ODsb`gj$:Mb+Z\ܧ)qťS$ZܓFltBG]܃~}~#H>/vCr|"}j{32@*_^Sr׊s(SL>脗|Vo1ܖͫ/IcQ("fX^Hc,XzKcEɥbQr@!%ÍqL]"X3[Dl|YzDqbq
G4d]#4f\;9W\VNyy}*mfwQ|u]Iw{i_'~QΌΗӐ~>%9}BPǜ[si~qV)ı]!b5k}P%,DlPHK$*:yl͑G>[
|QŅN's~N}0Љ%DpN8z??Ns!x*xAj .uI`O$v%IӒJV	/>`4
)q18=Ggv@{ĜY?kzyr)InW8WF+{1GN՝2+	gYViw	
\7Ofu_3`J5XtaH&ޤ+	9#}+ի􍎵+ӗOYj#2|;GrJdJ^t"=aXD(tIr$SXIТ({1hTT!};HdIP!UR5bŲI!U|S/esŷYJd)yRB'Y>|dxpEh(k@ր?PĔDb$+qM: g=zrJ?r6Q@FbJi&*`P	P<5;*G%Ġb"ĶJKǏlFȂ!›.^)Y	d%xsJưHRweBB"tp4@Rv	qEOq~P젇^u(yut:W:G$-!!IŨC<:4Q=2IAf]ȺumdFODMkF.'`MXAqrOw
b/A.zi%3nSV^EW
HX5wFe]ʺ4%=%^u$}(K&꒙蒙ұ(6uqa"8}a*YVYN2H>w\h7\eɒN84 -/Gǟ$b)aF`Y_eAۑQ9r5m־}}'όr A<..Q |,Y ^@,Ί|eEȊ!gO +AVKT,Y @\@<8w	fo^29dZuɗ{GCu(}:uq>d}aPlzua5
irpo$28irC?h5>YջMdL)|䂍rX7M>NDT,J#NlӞvOq6RmA۴_88'?Y4diiXqe眗Y%J\JSbl!Ί!+*BqbnY/:j}ai2}uzXu}za&za^<^>
NH}+VK8*00pJyg8jcṜ,.r1.Cvy c<ω<݃^ϪEvb״YM
L4dl#kѲ,eYz,:ֹSˌI zֹ}	߸0#G.ERT5.:U2Og`>نq,Ґ!KeHe4e"DbJyY"\"'|#{zA[]zOE3
F
z/C/D/D֋'֋q&Q,m\CNGtj(Է
Ska;θa3BF
:Y*JgLeL8$f/wwww7;)09@8|!ėi`}h?u[nUn<աn֦ƞt0)d~H3/F
CHH>0r\<|FƁ)j`J{`jTEnMDDDD}Xݒnd)nJL m,өI2wl}
Zy5bd'YG˷DlsMo]JP|A4 )G	RI'/%HE	R	Rg =Hܔ%Ac$C!BKmY6dmx0Xv6eRKE1gd9n_```yJ0d؝2K5Z
Cw!Qy}f0`N^	,	F A7$%ܭ{.zznmNZXOZ{=ɿӭhF/&rf*,]»6!ι_x,/wVu`]<|W+Dd\\%".Y%K{gRnnOG#4_1:[\i||;{3Nv.Ale5AɊA1	'wN:KXi8=DґHi]^I?R!ZLLLGZ&tH8--܃۴b{&32323i/seVK)sx\]֙CxbՉ'6xttt~Ut8|};$J|~
|hgw2gn2g:6ٝY+t2纟̙C]ɜJ	./LbNUş_U7TdmVzM3G	λOS_^a7}aRɊiJiBV^+_zv߳֍f*]fj%cN%t{%ߋB)gXmhn*f[n򾶵oV#\ۮ{UX_*8
dyԭZ`{S4e-Zix(Ec
Ϯ{WT%f2\ZPyַ"gEqS,hoh+[6L
۶n+	nAKK!FȚrT,EUZ[Gi)9/+sYTF;%X$/(uuiqgLR+4yo,31)<75kuhieuڔ*)|%ۊ[Qk=1dXjzL[+k9@BU͈rՍRZF(Ɔ+VhS1nR׍
m-x%] lAd#`
@FU
EC*YXn*Hj*Y[Be}(*$uUG^Uu(ĒR3aHT	Wu%1TK)P|Qh^FY+b$d1$G
3񮱕c-8Qs&KhkҪjx[9%hoc2W0QZ'jKբ6[TK4!G30)K+QFF7R2ɊV1'Y69PF]ZU[j*Pq9U)x)c`}m#$*3kWRf[^]1.кMT55VA&\ɵtMUʢ}+)ڋ*fԟ*Nvp0KaL.yp1Jj)~o{[ޚ_{+[7{o"V5oЙ0FU0\J3严\գsd#haǡDՒI{{tdу9@2;m[w 1[lp|j
+-Gg[R1hHJ!

@M_-ΨZ9/A}s f9Z4*G/0)GxOj*h<)/cA-QBۦ	A"|	U_НKx#xj
D@4(uL@{#|)>!4PJ8 &)BZ]
"QAH#bxo
/<!O8V>(C8Cժհ4,r
4DWRD@-ʊP4 5؅"Pׁ3Ađh8Cڳbے(@dw@vԡ"QEᘃŁ6af1
਩/+8f,Dje*P틺tz8b%{޴D
O\7Imm\k,
Z`Qj2G>!JR:
H5K(AFcjJ0J `E,,\`N
O@(/ܨj۲u~9VdJ0 .]:hf࢛1^7 QB
k	9u.ǔ7.Ȁd48XU
᪮R:[*<ٵ%|gP8EfthB0/:>G S"c
.Heɐ"IHJZD,'
|d0'ւo96Ir@)m~Xr&L~6lw")GC``1|h#O\Q06.0`4b2VV) bool) : 'a
  axiom choice_behaviour : forall p: 'a -> bool, x: 'a.
    p x -> p (choice p)

end

why3-1.6.0/examples/prover/Choice/000077500000000000000000000000001440160026300167315ustar00rootroot00000000000000why3-1.6.0/examples/prover/Choice/why3session.xml000066400000000000000000000004201440160026300217450ustar00rootroot00000000000000






why3-1.6.0/examples/prover/Choice/why3shapes.gz000066400000000000000000000000551440160026300213710ustar00rootroot00000000000000R(H,H-V(K-*ϳR0S&why3-1.6.0/examples/prover/Firstorder_formula_impl.mlw000066400000000000000000006322561440160026300231670ustar00rootroot00000000000000module Types
  use option.Option
  use int.Int
  use Nat.Nat
  use Functions.Func
  use OptionFuncs.Funcs
  use Sum.Sum
  use Firstorder_symbol_spec.Spec
  use Firstorder_symbol_impl.Types
  use Firstorder_symbol_impl.Logic
  use Firstorder_symbol_impl.Impl
  use Firstorder_term_spec.Spec
  use Firstorder_term_impl.Types
  use Firstorder_term_impl.Logic
  use Firstorder_term_impl.Impl
  use Firstorder_formula_spec.Spec
  type nl_fo_formula 'b0 'b1 =
    | NL_Forall (nl_fo_formula 'b0 'b1)
    | NL_Exists (nl_fo_formula 'b0 'b1)
    | NL_And (nl_fo_formula 'b0 'b1) (nl_fo_formula 'b0 'b1)
    | NL_Or (nl_fo_formula 'b0 'b1) (nl_fo_formula 'b0 'b1)
    | NL_Not (nl_fo_formula 'b0 'b1)
    | NL_FTrue
    | NL_FFalse
    | NL_PApp (nl_symbol 'b0) (nl_fo_term_list 'b0 'b1)


  type nlimpl_fo_formula =
    { nlrepr_fo_formula_field : nl_fo_formula int int ;
      nlfree_var_symbol_set_abstraction_fo_formula_field : int ;
      nlfree_var_fo_term_set_abstraction_fo_formula_field : int ;
      ghost model_fo_formula_field : fo_formula int int ;
    }

  type cons_fo_formula = | NLC_Forall (int) (nlimpl_fo_formula)
    | NLC_Exists (int) (nlimpl_fo_formula)
    | NLC_And (nlimpl_fo_formula) (nlimpl_fo_formula)
    | NLC_Or (nlimpl_fo_formula) (nlimpl_fo_formula)
    | NLC_Not (nlimpl_fo_formula) | NLC_FTrue | NLC_FFalse
    | NLC_PApp (nlimpl_symbol) (nlimpl_fo_term_list)


end

module Logic
  use option.Option
  use int.Int
  use Nat.Nat
  use Functions.Func
  use OptionFuncs.Funcs
  use Sum.Sum
  use Firstorder_symbol_spec.Spec
  use Firstorder_symbol_impl.Types
  use Firstorder_symbol_impl.Logic
  use Firstorder_symbol_impl.Impl
  use Firstorder_term_spec.Spec
  use Firstorder_term_impl.Types
  use Firstorder_term_impl.Logic
  use Firstorder_term_impl.Impl
  use Firstorder_formula_spec.Spec
  use Types
  function nat_nlsize_fo_formula (t:nl_fo_formula 'b0 'b1) : nat =
    match t with
      | NL_Forall v0 ->
        let s = one_nat in let s = add_nat (nat_nlsize_fo_formula v0) s in s
      | NL_Exists v0 ->
        let s = one_nat in let s = add_nat (nat_nlsize_fo_formula v0) s in s
      | NL_And v0 v1 ->
        let s = one_nat in let s = add_nat (nat_nlsize_fo_formula v1) s in
          let s = add_nat (nat_nlsize_fo_formula v0) s in s
      | NL_Or v0 v1 ->
        let s = one_nat in let s = add_nat (nat_nlsize_fo_formula v1) s in
          let s = add_nat (nat_nlsize_fo_formula v0) s in s
      | NL_Not v0 ->
        let s = one_nat in let s = add_nat (nat_nlsize_fo_formula v0) s in s
      | NL_FTrue -> let s = one_nat in s | NL_FFalse -> let s = one_nat in s
      | NL_PApp v0 v1 ->
        let s = one_nat in let s = add_nat (nat_nlsize_fo_term_list v1) s in
          let s = add_nat (nat_nlsize_symbol v0) s in s
    end

  with nlsize_fo_formula (t:nl_fo_formula 'b0 'b1) : int =
    match t with
      | NL_Forall v0 -> let s = 1 in let s = nlsize_fo_formula v0 + s in s
      | NL_Exists v0 -> let s = 1 in let s = nlsize_fo_formula v0 + s in s
      | NL_And v0 v1 ->
        let s = 1 in let s = nlsize_fo_formula v1 + s in
          let s = nlsize_fo_formula v0 + s in s
      | NL_Or v0 v1 ->
        let s = 1 in let s = nlsize_fo_formula v1 + s in
          let s = nlsize_fo_formula v0 + s in s
      | NL_Not v0 -> let s = 1 in let s = nlsize_fo_formula v0 + s in s
      | NL_FTrue -> let s = 1 in s | NL_FFalse -> let s = 1 in s
      | NL_PApp v0 v1 ->
        let s = 1 in let s = nlsize_fo_term_list v1 + s in
          let s = nlsize_symbol v0 + s in s
    end

  let rec lemma nlsize_positive_lemma_fo_formula (t:nl_fo_formula 'b0 'b1) :
    unit ensures { nlsize_fo_formula t > 0 }
    variant { nat_to_int (nat_nlsize_fo_formula t) } =
    match t with | NL_Forall v0 -> nlsize_positive_lemma_fo_formula v0 ; ()
      | NL_Exists v0 -> nlsize_positive_lemma_fo_formula v0 ; ()
      | NL_And v0 v1 ->
        nlsize_positive_lemma_fo_formula v0 ;
          nlsize_positive_lemma_fo_formula v1 ; ()
      | NL_Or v0 v1 ->
        nlsize_positive_lemma_fo_formula v0 ;
          nlsize_positive_lemma_fo_formula v1 ; ()
      | NL_Not v0 -> nlsize_positive_lemma_fo_formula v0 ; ()
      | NL_FTrue -> () | NL_FFalse -> ()
      | NL_PApp v0 v1 ->
        nlsize_positive_lemma_symbol v0 ;
          nlsize_positive_lemma_fo_term_list v1 ; ()
    end

  function nlmodel_fo_formula (t:nl_fo_formula 'b0 'b1)
    (fr0:'b0 -> (symbol 'c0)) (bnd0: int -> (symbol 'c0))
    (fr1:'b1 -> (fo_term 'c0 'c1)) (bnd1: int -> (fo_term 'c0 'c1)) :
    fo_formula 'c0 'c1 =
    match t with
      | NL_Forall v0 ->
        Forall
          (nlmodel_fo_formula v0 ((rename_subst_symbol fr0 identity))
            ((rename_subst_symbol bnd0 identity))
            ((rename_subst_fo_term fr1 identity (compose some identity)))
            ((rename_subst_fo_term (shiftb_fo_term bnd1) identity identity)))
      | NL_Exists v0 ->
        Exists
          (nlmodel_fo_formula v0 ((rename_subst_symbol fr0 identity))
            ((rename_subst_symbol bnd0 identity))
            ((rename_subst_fo_term fr1 identity (compose some identity)))
            ((rename_subst_fo_term (shiftb_fo_term bnd1) identity identity)))
      | NL_And v0 v1 ->
        And
          (nlmodel_fo_formula v0 ((rename_subst_symbol fr0 identity))
            ((rename_subst_symbol bnd0 identity))
            ((rename_subst_fo_term fr1 identity identity))
            ((rename_subst_fo_term bnd1 identity identity)))
          (nlmodel_fo_formula v1 ((rename_subst_symbol fr0 identity))
            ((rename_subst_symbol bnd0 identity))
            ((rename_subst_fo_term fr1 identity identity))
            ((rename_subst_fo_term bnd1 identity identity)))
      | NL_Or v0 v1 ->
        Or
          (nlmodel_fo_formula v0 ((rename_subst_symbol fr0 identity))
            ((rename_subst_symbol bnd0 identity))
            ((rename_subst_fo_term fr1 identity identity))
            ((rename_subst_fo_term bnd1 identity identity)))
          (nlmodel_fo_formula v1 ((rename_subst_symbol fr0 identity))
            ((rename_subst_symbol bnd0 identity))
            ((rename_subst_fo_term fr1 identity identity))
            ((rename_subst_fo_term bnd1 identity identity)))
      | NL_Not v0 ->
        Not
          (nlmodel_fo_formula v0 ((rename_subst_symbol fr0 identity))
            ((rename_subst_symbol bnd0 identity))
            ((rename_subst_fo_term fr1 identity identity))
            ((rename_subst_fo_term bnd1 identity identity)))
      | NL_FTrue -> FTrue | NL_FFalse -> FFalse
      | NL_PApp v0 v1 ->
        PApp
          (nlmodel_symbol v0 ((rename_subst_symbol fr0 identity))
            ((rename_subst_symbol bnd0 identity)))
          (nlmodel_fo_term_list v1 ((rename_subst_symbol fr0 identity))
            ((rename_subst_symbol bnd0 identity))
            ((rename_subst_fo_term fr1 identity identity))
            ((rename_subst_fo_term bnd1 identity identity)))
    end

  let rec lemma nlmodel_subst_commutation_lemma_fo_formula
    (t:nl_fo_formula 'b0 'b1) (fr0:'b0 -> (symbol 'c0))
    (bnd0: int -> (symbol 'c0)) (s0:'c0 -> (symbol 'd0))
    (fr1:'b1 -> (fo_term 'c0 'c1)) (bnd1: int -> (fo_term 'c0 'c1))
    (s1:'c1 -> (fo_term 'd0 'd1)) : unit
    ensures {
      nlmodel_fo_formula t (subst_compose_symbol fr0 s0)
        (subst_compose_symbol bnd0 s0) (subst_compose_fo_term fr1 s0 s1)
        (subst_compose_fo_term bnd1 s0 s1)
      = subst_fo_formula (nlmodel_fo_formula t fr0 bnd0 fr1 bnd1) s0 s1 }
    variant { nlsize_fo_formula t } =
    match t with
      | NL_Forall v0 ->
        nlmodel_subst_commutation_lemma_fo_formula v0
          ((rename_subst_symbol fr0 identity))
          ((rename_subst_symbol bnd0 identity))
          ((rename_subst_symbol s0 identity))
          ((rename_subst_fo_term fr1 identity (compose some identity)))
          ((rename_subst_fo_term (shiftb_fo_term bnd1) identity identity))
          ((rename_subst_fo_term (olifts_fo_term s1) identity identity)) ;
          assert {
            subst_compose_symbol (rename_subst_symbol fr0 identity)
              ((rename_subst_symbol s0 identity))
            = (rename_subst_symbol (subst_compose_symbol fr0 s0) identity) } ;
          assert {
            subst_compose_symbol (rename_subst_symbol bnd0 identity)
              ((rename_subst_symbol s0 identity))
            = (rename_subst_symbol (subst_compose_symbol bnd0  s0) identity)
            } ;
          assert {
            subst_compose_fo_term
              (rename_subst_fo_term fr1 identity (compose some identity))
              ((rename_subst_symbol s0 identity))
              ((rename_subst_fo_term (olifts_fo_term s1) identity identity))
            =
            (rename_subst_fo_term (subst_compose_fo_term fr1 s0 s1) identity
              (compose some identity))
            } ;
          assert {
            subst_compose_fo_term
              (rename_subst_fo_term (shiftb_fo_term bnd1) identity identity)
              ((rename_subst_symbol s0 identity))
              ((rename_subst_fo_term (olifts_fo_term s1) identity identity))
            =
            (rename_subst_fo_term
              (shiftb_fo_term (subst_compose_fo_term bnd1  s0 s1)) identity
              identity)
            } ;
          ()
      | NL_Exists v0 ->
        nlmodel_subst_commutation_lemma_fo_formula v0
          ((rename_subst_symbol fr0 identity))
          ((rename_subst_symbol bnd0 identity))
          ((rename_subst_symbol s0 identity))
          ((rename_subst_fo_term fr1 identity (compose some identity)))
          ((rename_subst_fo_term (shiftb_fo_term bnd1) identity identity))
          ((rename_subst_fo_term (olifts_fo_term s1) identity identity)) ;
          assert {
            subst_compose_symbol (rename_subst_symbol fr0 identity)
              ((rename_subst_symbol s0 identity))
            = (rename_subst_symbol (subst_compose_symbol fr0 s0) identity) } ;
          assert {
            subst_compose_symbol (rename_subst_symbol bnd0 identity)
              ((rename_subst_symbol s0 identity))
            = (rename_subst_symbol (subst_compose_symbol bnd0  s0) identity)
            } ;
          assert {
            subst_compose_fo_term
              (rename_subst_fo_term fr1 identity (compose some identity))
              ((rename_subst_symbol s0 identity))
              ((rename_subst_fo_term (olifts_fo_term s1) identity identity))
            =
            (rename_subst_fo_term (subst_compose_fo_term fr1 s0 s1) identity
              (compose some identity))
            } ;
          assert {
            subst_compose_fo_term
              (rename_subst_fo_term (shiftb_fo_term bnd1) identity identity)
              ((rename_subst_symbol s0 identity))
              ((rename_subst_fo_term (olifts_fo_term s1) identity identity))
            =
            (rename_subst_fo_term
              (shiftb_fo_term (subst_compose_fo_term bnd1  s0 s1)) identity
              identity)
            } ;
          ()
      | NL_And v0 v1 ->
        nlmodel_subst_commutation_lemma_fo_formula v0
          ((rename_subst_symbol fr0 identity))
          ((rename_subst_symbol bnd0 identity))
          ((rename_subst_symbol s0 identity))
          ((rename_subst_fo_term fr1 identity identity))
          ((rename_subst_fo_term bnd1 identity identity))
          ((rename_subst_fo_term s1 identity identity)) ;
          assert {
            subst_compose_symbol (rename_subst_symbol fr0 identity)
              ((rename_subst_symbol s0 identity))
            = (rename_subst_symbol (subst_compose_symbol fr0 s0) identity) } ;
          assert {
            subst_compose_symbol (rename_subst_symbol bnd0 identity)
              ((rename_subst_symbol s0 identity))
            = (rename_subst_symbol (subst_compose_symbol bnd0  s0) identity)
            } ;
          assert {
            subst_compose_fo_term
              (rename_subst_fo_term fr1 identity identity)
              ((rename_subst_symbol s0 identity))
              ((rename_subst_fo_term s1 identity identity))
            =
            (rename_subst_fo_term (subst_compose_fo_term fr1 s0 s1) identity
              identity)
            } ;
          assert {
            subst_compose_fo_term
              (rename_subst_fo_term bnd1 identity identity)
              ((rename_subst_symbol s0 identity))
              ((rename_subst_fo_term s1 identity identity))
            =
            (rename_subst_fo_term (subst_compose_fo_term bnd1  s0 s1)
              identity identity)
            } ;
          nlmodel_subst_commutation_lemma_fo_formula v1
          ((rename_subst_symbol fr0 identity))
          ((rename_subst_symbol bnd0 identity))
          ((rename_subst_symbol s0 identity))
          ((rename_subst_fo_term fr1 identity identity))
          ((rename_subst_fo_term bnd1 identity identity))
          ((rename_subst_fo_term s1 identity identity)) ;
          assert {
            subst_compose_symbol (rename_subst_symbol fr0 identity)
              ((rename_subst_symbol s0 identity))
            = (rename_subst_symbol (subst_compose_symbol fr0 s0) identity) } ;
          assert {
            subst_compose_symbol (rename_subst_symbol bnd0 identity)
              ((rename_subst_symbol s0 identity))
            = (rename_subst_symbol (subst_compose_symbol bnd0  s0) identity)
            } ;
          assert {
            subst_compose_fo_term
              (rename_subst_fo_term fr1 identity identity)
              ((rename_subst_symbol s0 identity))
              ((rename_subst_fo_term s1 identity identity))
            =
            (rename_subst_fo_term (subst_compose_fo_term fr1 s0 s1) identity
              identity)
            } ;
          assert {
            subst_compose_fo_term
              (rename_subst_fo_term bnd1 identity identity)
              ((rename_subst_symbol s0 identity))
              ((rename_subst_fo_term s1 identity identity))
            =
            (rename_subst_fo_term (subst_compose_fo_term bnd1  s0 s1)
              identity identity)
            } ;
          ()
      | NL_Or v0 v1 ->
        nlmodel_subst_commutation_lemma_fo_formula v0
          ((rename_subst_symbol fr0 identity))
          ((rename_subst_symbol bnd0 identity))
          ((rename_subst_symbol s0 identity))
          ((rename_subst_fo_term fr1 identity identity))
          ((rename_subst_fo_term bnd1 identity identity))
          ((rename_subst_fo_term s1 identity identity)) ;
          assert {
            subst_compose_symbol (rename_subst_symbol fr0 identity)
              ((rename_subst_symbol s0 identity))
            = (rename_subst_symbol (subst_compose_symbol fr0 s0) identity) } ;
          assert {
            subst_compose_symbol (rename_subst_symbol bnd0 identity)
              ((rename_subst_symbol s0 identity))
            = (rename_subst_symbol (subst_compose_symbol bnd0  s0) identity)
            } ;
          assert {
            subst_compose_fo_term
              (rename_subst_fo_term fr1 identity identity)
              ((rename_subst_symbol s0 identity))
              ((rename_subst_fo_term s1 identity identity))
            =
            (rename_subst_fo_term (subst_compose_fo_term fr1 s0 s1) identity
              identity)
            } ;
          assert {
            subst_compose_fo_term
              (rename_subst_fo_term bnd1 identity identity)
              ((rename_subst_symbol s0 identity))
              ((rename_subst_fo_term s1 identity identity))
            =
            (rename_subst_fo_term (subst_compose_fo_term bnd1  s0 s1)
              identity identity)
            } ;
          nlmodel_subst_commutation_lemma_fo_formula v1
          ((rename_subst_symbol fr0 identity))
          ((rename_subst_symbol bnd0 identity))
          ((rename_subst_symbol s0 identity))
          ((rename_subst_fo_term fr1 identity identity))
          ((rename_subst_fo_term bnd1 identity identity))
          ((rename_subst_fo_term s1 identity identity)) ;
          assert {
            subst_compose_symbol (rename_subst_symbol fr0 identity)
              ((rename_subst_symbol s0 identity))
            = (rename_subst_symbol (subst_compose_symbol fr0 s0) identity) } ;
          assert {
            subst_compose_symbol (rename_subst_symbol bnd0 identity)
              ((rename_subst_symbol s0 identity))
            = (rename_subst_symbol (subst_compose_symbol bnd0  s0) identity)
            } ;
          assert {
            subst_compose_fo_term
              (rename_subst_fo_term fr1 identity identity)
              ((rename_subst_symbol s0 identity))
              ((rename_subst_fo_term s1 identity identity))
            =
            (rename_subst_fo_term (subst_compose_fo_term fr1 s0 s1) identity
              identity)
            } ;
          assert {
            subst_compose_fo_term
              (rename_subst_fo_term bnd1 identity identity)
              ((rename_subst_symbol s0 identity))
              ((rename_subst_fo_term s1 identity identity))
            =
            (rename_subst_fo_term (subst_compose_fo_term bnd1  s0 s1)
              identity identity)
            } ;
          ()
      | NL_Not v0 ->
        nlmodel_subst_commutation_lemma_fo_formula v0
          ((rename_subst_symbol fr0 identity))
          ((rename_subst_symbol bnd0 identity))
          ((rename_subst_symbol s0 identity))
          ((rename_subst_fo_term fr1 identity identity))
          ((rename_subst_fo_term bnd1 identity identity))
          ((rename_subst_fo_term s1 identity identity)) ;
          assert {
            subst_compose_symbol (rename_subst_symbol fr0 identity)
              ((rename_subst_symbol s0 identity))
            = (rename_subst_symbol (subst_compose_symbol fr0 s0) identity) } ;
          assert {
            subst_compose_symbol (rename_subst_symbol bnd0 identity)
              ((rename_subst_symbol s0 identity))
            = (rename_subst_symbol (subst_compose_symbol bnd0  s0) identity)
            } ;
          assert {
            subst_compose_fo_term
              (rename_subst_fo_term fr1 identity identity)
              ((rename_subst_symbol s0 identity))
              ((rename_subst_fo_term s1 identity identity))
            =
            (rename_subst_fo_term (subst_compose_fo_term fr1 s0 s1) identity
              identity)
            } ;
          assert {
            subst_compose_fo_term
              (rename_subst_fo_term bnd1 identity identity)
              ((rename_subst_symbol s0 identity))
              ((rename_subst_fo_term s1 identity identity))
            =
            (rename_subst_fo_term (subst_compose_fo_term bnd1  s0 s1)
              identity identity)
            } ;
          ()
      | NL_FTrue -> () | NL_FFalse -> ()
      | NL_PApp v0 v1 ->
        nlmodel_subst_commutation_lemma_symbol v0
          ((rename_subst_symbol fr0 identity))
          ((rename_subst_symbol bnd0 identity))
          ((rename_subst_symbol s0 identity)) ;
          assert {
            subst_compose_symbol (rename_subst_symbol fr0 identity)
              ((rename_subst_symbol s0 identity))
            = (rename_subst_symbol (subst_compose_symbol fr0 s0) identity) } ;
          assert {
            subst_compose_symbol (rename_subst_symbol bnd0 identity)
              ((rename_subst_symbol s0 identity))
            = (rename_subst_symbol (subst_compose_symbol bnd0  s0) identity)
            } ;
          nlmodel_subst_commutation_lemma_fo_term_list v1
          ((rename_subst_symbol fr0 identity))
          ((rename_subst_symbol bnd0 identity))
          ((rename_subst_symbol s0 identity))
          ((rename_subst_fo_term fr1 identity identity))
          ((rename_subst_fo_term bnd1 identity identity))
          ((rename_subst_fo_term s1 identity identity)) ;
          assert {
            subst_compose_symbol (rename_subst_symbol fr0 identity)
              ((rename_subst_symbol s0 identity))
            = (rename_subst_symbol (subst_compose_symbol fr0 s0) identity) } ;
          assert {
            subst_compose_symbol (rename_subst_symbol bnd0 identity)
              ((rename_subst_symbol s0 identity))
            = (rename_subst_symbol (subst_compose_symbol bnd0  s0) identity)
            } ;
          assert {
            subst_compose_fo_term
              (rename_subst_fo_term fr1 identity identity)
              ((rename_subst_symbol s0 identity))
              ((rename_subst_fo_term s1 identity identity))
            =
            (rename_subst_fo_term (subst_compose_fo_term fr1 s0 s1) identity
              identity)
            } ;
          assert {
            subst_compose_fo_term
              (rename_subst_fo_term bnd1 identity identity)
              ((rename_subst_symbol s0 identity))
              ((rename_subst_fo_term s1 identity identity))
            =
            (rename_subst_fo_term (subst_compose_fo_term bnd1  s0 s1)
              identity identity)
            } ;
          ()
    end

  let lemma nlmodel_rename_commutation_lemma_fo_formula
    (t:nl_fo_formula 'b0 'b1) (fr0:'b0 -> (symbol 'c0))
    (bnd0: int -> (symbol 'c0)) (s0:'c0 -> 'd0)
    (fr1:'b1 -> (fo_term 'c0 'c1)) (bnd1: int -> (fo_term 'c0 'c1))
    (s1:'c1 -> 'd1) : unit
    ensures {
      nlmodel_fo_formula t (rename_subst_symbol fr0 s0)
        (rename_subst_symbol bnd0 s0) (rename_subst_fo_term fr1 s0 s1)
        (rename_subst_fo_term bnd1 s0 s1)
      = rename_fo_formula (nlmodel_fo_formula t fr0 bnd0 fr1 bnd1) s0 s1 }
    =
    nlmodel_subst_commutation_lemma_fo_formula t fr0 bnd0
      (subst_of_rename_symbol s0) fr1 bnd1 (subst_of_rename_fo_term s1)

  predicate correct_indexes_fo_formula (t:nl_fo_formula 'b0 'b1) =
    match t with | NL_Forall v0 -> correct_indexes_fo_formula v0
      | NL_Exists v0 -> correct_indexes_fo_formula v0
      | NL_And v0 v1 ->
        correct_indexes_fo_formula v0 /\ correct_indexes_fo_formula v1
      | NL_Or v0 v1 ->
        correct_indexes_fo_formula v0 /\ correct_indexes_fo_formula v1
      | NL_Not v0 -> correct_indexes_fo_formula v0 | NL_FTrue -> true
      | NL_FFalse -> true
      | NL_PApp v0 v1 ->
        correct_indexes_symbol v0 /\ correct_indexes_fo_term_list v1
    end

  function bound_depth_of_symbol_in_fo_formula (t:nl_fo_formula 'b0 'b1) :
    int =
    match t with
      | NL_Forall v0 ->
        let b = bound_depth_of_symbol_in_fo_formula v0 in let a = b in a
      | NL_Exists v0 ->
        let b = bound_depth_of_symbol_in_fo_formula v0 in let a = b in a
      | NL_And v0 v1 ->
        let b = bound_depth_of_symbol_in_fo_formula v0 in let a = b in
          let b = bound_depth_of_symbol_in_fo_formula v1 in
          let a = if a > b then a else b in a
      | NL_Or v0 v1 ->
        let b = bound_depth_of_symbol_in_fo_formula v0 in let a = b in
          let b = bound_depth_of_symbol_in_fo_formula v1 in
          let a = if a > b then a else b in a
      | NL_Not v0 ->
        let b = bound_depth_of_symbol_in_fo_formula v0 in let a = b in a
      | NL_FTrue -> 0 | NL_FFalse -> 0
      | NL_PApp v0 v1 ->
        let b = bound_depth_of_symbol_in_symbol v0 in let a = b in
          let b = bound_depth_of_symbol_in_fo_term_list v1 in
          let a = if a > b then a else b in a
    end

  with bound_depth_of_fo_term_in_fo_formula (t:nl_fo_formula 'b0 'b1) : int =
    match t with
      | NL_Forall v0 ->
        let b = bound_depth_of_fo_term_in_fo_formula v0 in
          let b = if b < 1 then 0 else b - 1 in let a = b in a
      | NL_Exists v0 ->
        let b = bound_depth_of_fo_term_in_fo_formula v0 in
          let b = if b < 1 then 0 else b - 1 in let a = b in a
      | NL_And v0 v1 ->
        let b = bound_depth_of_fo_term_in_fo_formula v0 in let a = b in
          let b = bound_depth_of_fo_term_in_fo_formula v1 in
          let a = if a > b then a else b in a
      | NL_Or v0 v1 ->
        let b = bound_depth_of_fo_term_in_fo_formula v0 in let a = b in
          let b = bound_depth_of_fo_term_in_fo_formula v1 in
          let a = if a > b then a else b in a
      | NL_Not v0 ->
        let b = bound_depth_of_fo_term_in_fo_formula v0 in let a = b in a
      | NL_FTrue -> 0 | NL_FFalse -> 0
      | NL_PApp v0 v1 ->
        let b = bound_depth_of_fo_term_in_fo_term_list v1 in let a = b in a
    end

  let rec lemma bound_depth_of_symbol_in_fo_formula_nonnegative
    (t:nl_fo_formula 'b0 'b1) : unit
    requires { correct_indexes_fo_formula t }
    ensures { bound_depth_of_symbol_in_fo_formula t >= 0 }
    variant { nlsize_fo_formula t } =
    match t with
      | NL_Forall v0 ->
        bound_depth_of_symbol_in_fo_formula_nonnegative v0 ; ()
      | NL_Exists v0 ->
        bound_depth_of_symbol_in_fo_formula_nonnegative v0 ; ()
      | NL_And v0 v1 ->
        bound_depth_of_symbol_in_fo_formula_nonnegative v0 ;
          bound_depth_of_symbol_in_fo_formula_nonnegative v1 ; ()
      | NL_Or v0 v1 ->
        bound_depth_of_symbol_in_fo_formula_nonnegative v0 ;
          bound_depth_of_symbol_in_fo_formula_nonnegative v1 ; ()
      | NL_Not v0 -> bound_depth_of_symbol_in_fo_formula_nonnegative v0 ; ()
      | NL_FTrue -> () | NL_FFalse -> ()
      | NL_PApp v0 v1 ->
        bound_depth_of_symbol_in_symbol_nonnegative v0 ;
          bound_depth_of_symbol_in_fo_term_list_nonnegative v1 ; ()
    end

  with lemma bound_depth_of_fo_term_in_fo_formula_nonnegative
    (t:nl_fo_formula 'b0 'b1) : unit
    requires { correct_indexes_fo_formula t }
    ensures { bound_depth_of_fo_term_in_fo_formula t >= 0 }
    variant { nlsize_fo_formula t } =
    match t with
      | NL_Forall v0 ->
        bound_depth_of_fo_term_in_fo_formula_nonnegative v0 ; ()
      | NL_Exists v0 ->
        bound_depth_of_fo_term_in_fo_formula_nonnegative v0 ; ()
      | NL_And v0 v1 ->
        bound_depth_of_fo_term_in_fo_formula_nonnegative v0 ;
          bound_depth_of_fo_term_in_fo_formula_nonnegative v1 ; ()
      | NL_Or v0 v1 ->
        bound_depth_of_fo_term_in_fo_formula_nonnegative v0 ;
          bound_depth_of_fo_term_in_fo_formula_nonnegative v1 ; ()
      | NL_Not v0 -> bound_depth_of_fo_term_in_fo_formula_nonnegative v0 ; ()
      | NL_FTrue -> () | NL_FFalse -> ()
      | NL_PApp v0 v1 ->
        () ; bound_depth_of_fo_term_in_fo_term_list_nonnegative v1 ; ()
    end

  let rec lemma model_equal_fo_formula (t:nl_fo_formula 'b0 'b1)
    (fr10: 'b0 -> (symbol 'c0)) (fr20: 'b0 -> (symbol 'c0))
    (bnd10: int -> (symbol 'c0)) (bnd20: int -> (symbol 'c0))
    (fr11: 'b1 -> (fo_term 'c0 'c1)) (fr21: 'b1 -> (fo_term 'c0 'c1))
    (bnd11: int -> (fo_term 'c0 'c1)) (bnd21: int -> (fo_term 'c0 'c1)) :
    unit
    requires {
      forall i:int. 0 <= i < bound_depth_of_symbol_in_fo_formula t ->
        bnd10 i = bnd20 i
      }
    requires { fr10 = fr20 }
    requires {
      forall i:int. 0 <= i < bound_depth_of_fo_term_in_fo_formula t ->
        bnd11 i = bnd21 i
      }
    requires { fr11 = fr21 } requires { correct_indexes_fo_formula t }
    ensures { nlmodel_fo_formula t fr10 bnd10 fr11 bnd11 =
      nlmodel_fo_formula t fr20 bnd20 fr21 bnd21 }
    variant { nlsize_fo_formula t } =
    match t with
      | NL_Forall v0 ->
        model_equal_fo_formula v0 ((rename_subst_symbol fr10 identity))
          ((rename_subst_symbol fr20 identity))
          ((rename_subst_symbol bnd10 identity))
          ((rename_subst_symbol bnd20 identity))
          ((rename_subst_fo_term fr11 identity (compose some identity)))
          ((rename_subst_fo_term fr21 identity (compose some identity)))
          ((rename_subst_fo_term (shiftb_fo_term bnd11) identity identity))
          ((rename_subst_fo_term (shiftb_fo_term bnd21) identity identity)) ;
          ()
      | NL_Exists v0 ->
        model_equal_fo_formula v0 ((rename_subst_symbol fr10 identity))
          ((rename_subst_symbol fr20 identity))
          ((rename_subst_symbol bnd10 identity))
          ((rename_subst_symbol bnd20 identity))
          ((rename_subst_fo_term fr11 identity (compose some identity)))
          ((rename_subst_fo_term fr21 identity (compose some identity)))
          ((rename_subst_fo_term (shiftb_fo_term bnd11) identity identity))
          ((rename_subst_fo_term (shiftb_fo_term bnd21) identity identity)) ;
          ()
      | NL_And v0 v1 ->
        model_equal_fo_formula v0 ((rename_subst_symbol fr10 identity))
          ((rename_subst_symbol fr20 identity))
          ((rename_subst_symbol bnd10 identity))
          ((rename_subst_symbol bnd20 identity))
          ((rename_subst_fo_term fr11 identity identity))
          ((rename_subst_fo_term fr21 identity identity))
          ((rename_subst_fo_term bnd11 identity identity))
          ((rename_subst_fo_term bnd21 identity identity)) ;
          model_equal_fo_formula v1 ((rename_subst_symbol fr10 identity))
            ((rename_subst_symbol fr20 identity))
            ((rename_subst_symbol bnd10 identity))
            ((rename_subst_symbol bnd20 identity))
            ((rename_subst_fo_term fr11 identity identity))
            ((rename_subst_fo_term fr21 identity identity))
            ((rename_subst_fo_term bnd11 identity identity))
            ((rename_subst_fo_term bnd21 identity identity)) ;
          ()
      | NL_Or v0 v1 ->
        model_equal_fo_formula v0 ((rename_subst_symbol fr10 identity))
          ((rename_subst_symbol fr20 identity))
          ((rename_subst_symbol bnd10 identity))
          ((rename_subst_symbol bnd20 identity))
          ((rename_subst_fo_term fr11 identity identity))
          ((rename_subst_fo_term fr21 identity identity))
          ((rename_subst_fo_term bnd11 identity identity))
          ((rename_subst_fo_term bnd21 identity identity)) ;
          model_equal_fo_formula v1 ((rename_subst_symbol fr10 identity))
            ((rename_subst_symbol fr20 identity))
            ((rename_subst_symbol bnd10 identity))
            ((rename_subst_symbol bnd20 identity))
            ((rename_subst_fo_term fr11 identity identity))
            ((rename_subst_fo_term fr21 identity identity))
            ((rename_subst_fo_term bnd11 identity identity))
            ((rename_subst_fo_term bnd21 identity identity)) ;
          ()
      | NL_Not v0 ->
        model_equal_fo_formula v0 ((rename_subst_symbol fr10 identity))
          ((rename_subst_symbol fr20 identity))
          ((rename_subst_symbol bnd10 identity))
          ((rename_subst_symbol bnd20 identity))
          ((rename_subst_fo_term fr11 identity identity))
          ((rename_subst_fo_term fr21 identity identity))
          ((rename_subst_fo_term bnd11 identity identity))
          ((rename_subst_fo_term bnd21 identity identity)) ; ()
      | NL_FTrue -> () | NL_FFalse -> ()
      | NL_PApp v0 v1 ->
        model_equal_symbol v0 ((rename_subst_symbol fr10 identity))
          ((rename_subst_symbol fr20 identity))
          ((rename_subst_symbol bnd10 identity))
          ((rename_subst_symbol bnd20 identity)) ;
          model_equal_fo_term_list v1 ((rename_subst_symbol fr10 identity))
            ((rename_subst_symbol fr20 identity))
            ((rename_subst_symbol bnd10 identity))
            ((rename_subst_symbol bnd20 identity))
            ((rename_subst_fo_term fr11 identity identity))
            ((rename_subst_fo_term fr21 identity identity))
            ((rename_subst_fo_term bnd11 identity identity))
            ((rename_subst_fo_term bnd21 identity identity)) ;
          ()
    end

  predicate nlimpl_fo_formula_ok (t:nlimpl_fo_formula) =
    nlmodel_fo_formula t.nlrepr_fo_formula_field subst_id_symbol
      (const (Var_symbol ((-1)))) subst_id_fo_term
      (const (Var_fo_term ((-1)))) = t.model_fo_formula_field
    /\ correct_indexes_fo_formula t.nlrepr_fo_formula_field /\
    bound_depth_of_symbol_in_fo_formula t.nlrepr_fo_formula_field = 0 /\
    bound_depth_of_fo_term_in_fo_formula t.nlrepr_fo_formula_field = 0 /\
    (forall x:int.
       is_symbol_free_var_in_fo_formula x t.model_fo_formula_field -> (x) <
       (t.nlfree_var_symbol_set_abstraction_fo_formula_field))
    /\
    (forall x:int.
       is_fo_term_free_var_in_fo_formula x t.model_fo_formula_field -> (x) <
       (t.nlfree_var_fo_term_set_abstraction_fo_formula_field))

  predicate cons_ok_fo_formula (c:cons_fo_formula) =
    match c with | NLC_Forall v0 v1 -> nlimpl_fo_formula_ok v1
      | NLC_Exists v0 v1 -> nlimpl_fo_formula_ok v1
      | NLC_And v0 v1 -> nlimpl_fo_formula_ok v0 /\ nlimpl_fo_formula_ok v1
      | NLC_Or v0 v1 -> nlimpl_fo_formula_ok v0 /\ nlimpl_fo_formula_ok v1
      | NLC_Not v0 -> nlimpl_fo_formula_ok v0 | NLC_FTrue -> true
      | NLC_FFalse -> true
      | NLC_PApp v0 v1 -> nlimpl_symbol_ok v0 /\ nlimpl_fo_term_list_ok v1
    end

  predicate cons_rel_fo_formula (c:cons_fo_formula) (t:nlimpl_fo_formula) =
    match c with
      | NLC_Forall v0 v1 -> t.model_fo_formula_field =
        Forall
          (rename_fo_formula v1.model_fo_formula_field identity
             (update (compose some identity) v0 None))
      | NLC_Exists v0 v1 -> t.model_fo_formula_field =
        Exists
          (rename_fo_formula v1.model_fo_formula_field identity
             (update (compose some identity) v0 None))
      | NLC_And v0 v1 -> t.model_fo_formula_field =
        And (rename_fo_formula v0.model_fo_formula_field identity identity)
          (rename_fo_formula v1.model_fo_formula_field identity identity)
      | NLC_Or v0 v1 -> t.model_fo_formula_field =
        Or (rename_fo_formula v0.model_fo_formula_field identity identity)
          (rename_fo_formula v1.model_fo_formula_field identity identity)
      | NLC_Not v0 -> t.model_fo_formula_field =
        Not (rename_fo_formula v0.model_fo_formula_field identity identity)
      | NLC_FTrue -> t.model_fo_formula_field = FTrue
      | NLC_FFalse -> t.model_fo_formula_field = FFalse
      | NLC_PApp v0 v1 -> t.model_fo_formula_field =
        PApp (rename_symbol v0.model_symbol_field identity)
          (rename_fo_term_list v1.model_fo_term_list_field identity identity)
    end

  predicate cons_open_rel_fo_formula (c:cons_fo_formula)
    (t:nlimpl_fo_formula) =
    match c with
      | NLC_Forall v0 v1 ->
        match t.model_fo_formula_field with
          | Forall w0 ->
            v1.model_fo_formula_field =
              (rename_fo_formula w0 identity (ocase identity v0))
          | Exists w0 -> false | And w0 w1 -> false | Or w0 w1 -> false
          | Not w0 -> false | FTrue -> false | FFalse -> false
          | PApp w0 w1 -> false
        end
      | NLC_Exists v0 v1 ->
        match t.model_fo_formula_field with | Forall w0 -> false
          | Exists w0 ->
            v1.model_fo_formula_field =
              (rename_fo_formula w0 identity (ocase identity v0))
          | And w0 w1 -> false | Or w0 w1 -> false | Not w0 -> false
          | FTrue -> false | FFalse -> false | PApp w0 w1 -> false
        end
      | NLC_And v0 v1 ->
        match t.model_fo_formula_field with | Forall w0 -> false
          | Exists w0 -> false
          | And w0 w1 ->
            v0.model_fo_formula_field =
              (rename_fo_formula w0 identity identity) /\
              v1.model_fo_formula_field =
                (rename_fo_formula w1 identity identity)
          | Or w0 w1 -> false | Not w0 -> false | FTrue -> false
          | FFalse -> false | PApp w0 w1 -> false
        end
      | NLC_Or v0 v1 ->
        match t.model_fo_formula_field with | Forall w0 -> false
          | Exists w0 -> false | And w0 w1 -> false
          | Or w0 w1 ->
            v0.model_fo_formula_field =
              (rename_fo_formula w0 identity identity) /\
              v1.model_fo_formula_field =
                (rename_fo_formula w1 identity identity)
          | Not w0 -> false | FTrue -> false | FFalse -> false
          | PApp w0 w1 -> false
        end
      | NLC_Not v0 ->
        match t.model_fo_formula_field with | Forall w0 -> false
          | Exists w0 -> false | And w0 w1 -> false | Or w0 w1 -> false
          | Not w0 ->
            v0.model_fo_formula_field =
              (rename_fo_formula w0 identity identity)
          | FTrue -> false | FFalse -> false | PApp w0 w1 -> false
        end
      | NLC_FTrue ->
        match t.model_fo_formula_field with | Forall w0 -> false
          | Exists w0 -> false | And w0 w1 -> false | Or w0 w1 -> false
          | Not w0 -> false | FTrue -> true | FFalse -> false
          | PApp w0 w1 -> false
        end
      | NLC_FFalse ->
        match t.model_fo_formula_field with | Forall w0 -> false
          | Exists w0 -> false | And w0 w1 -> false | Or w0 w1 -> false
          | Not w0 -> false | FTrue -> false | FFalse -> true
          | PApp w0 w1 -> false
        end
      | NLC_PApp v0 v1 ->
        match t.model_fo_formula_field with | Forall w0 -> false
          | Exists w0 -> false | And w0 w1 -> false | Or w0 w1 -> false
          | Not w0 -> false | FTrue -> false | FFalse -> false
          | PApp w0 w1 ->
            v0.model_symbol_field = (rename_symbol w0 identity) /\
              v1.model_fo_term_list_field =
                (rename_fo_term_list w1 identity identity)
        end
    end


end

module Impl
  use option.Option
  use int.Int
  use Nat.Nat
  use Functions.Func
  use OptionFuncs.Funcs
  use Sum.Sum
  use Firstorder_symbol_spec.Spec
  use Firstorder_symbol_impl.Types
  use Firstorder_symbol_impl.Logic
  use Firstorder_symbol_impl.Impl
  use Firstorder_term_spec.Spec
  use Firstorder_term_impl.Types
  use Firstorder_term_impl.Logic
  use Firstorder_term_impl.Impl
  use Firstorder_formula_spec.Spec
  use Types
  use Logic
  let rec bind_var_symbol_in_fo_formula (t:nl_fo_formula int int) (x:int)
    (i:int) (ghost fr0: int -> (symbol 'b0))
    (ghost bnd0: int -> (symbol 'b0)) (ghost fr1: int -> (fo_term 'b0 'b1))
    (ghost bnd1: int -> (fo_term 'b0 'b1)) : nl_fo_formula int int
    requires { correct_indexes_fo_formula t }
    requires { bound_depth_of_symbol_in_fo_formula t <= i }
    variant { nlsize_fo_formula t }
    ensures { bound_depth_of_symbol_in_fo_formula result <= i + 1 }
    ensures { correct_indexes_fo_formula result }
    ensures { bound_depth_of_fo_term_in_fo_formula t =
      bound_depth_of_fo_term_in_fo_formula result }
    ensures { nlmodel_fo_formula result fr0 bnd0 fr1 bnd1 =
      nlmodel_fo_formula t (update fr0 x (bnd0 i)) bnd0 fr1 bnd1 }
    =
    match t with
      | NL_Forall v0 ->
        assert { (rename_symbol (bnd0 i) identity) =
          (eval ((rename_subst_symbol bnd0 identity)) (i+0)) };
          assert {
            extensionalEqual
              ((rename_subst_symbol (update fr0 x (bnd0 i)) identity))
              ((update ((rename_subst_symbol fr0 identity)) x
                  (rename_symbol (bnd0 i) identity)))
            };
          assert { (rename_subst_symbol (update fr0 x (bnd0 i)) identity) =
            (update ((rename_subst_symbol fr0 identity)) x
               (eval ((rename_subst_symbol bnd0 identity)) (i+0)))
            };
          NL_Forall
            (bind_var_symbol_in_fo_formula v0 x (i+0)
               ((rename_subst_symbol fr0 identity))
               ((rename_subst_symbol bnd0 identity))
               ((rename_subst_fo_term fr1 identity (compose some identity)))
               ((rename_subst_fo_term (shiftb_fo_term bnd1) identity
                  identity)))
      | NL_Exists v0 ->
        assert { (rename_symbol (bnd0 i) identity) =
          (eval ((rename_subst_symbol bnd0 identity)) (i+0)) };
          assert {
            extensionalEqual
              ((rename_subst_symbol (update fr0 x (bnd0 i)) identity))
              ((update ((rename_subst_symbol fr0 identity)) x
                  (rename_symbol (bnd0 i) identity)))
            };
          assert { (rename_subst_symbol (update fr0 x (bnd0 i)) identity) =
            (update ((rename_subst_symbol fr0 identity)) x
               (eval ((rename_subst_symbol bnd0 identity)) (i+0)))
            };
          NL_Exists
            (bind_var_symbol_in_fo_formula v0 x (i+0)
               ((rename_subst_symbol fr0 identity))
               ((rename_subst_symbol bnd0 identity))
               ((rename_subst_fo_term fr1 identity (compose some identity)))
               ((rename_subst_fo_term (shiftb_fo_term bnd1) identity
                  identity)))
      | NL_And v0 v1 ->
        assert { (rename_symbol (bnd0 i) identity) =
          (eval ((rename_subst_symbol bnd0 identity)) (i+0)) };
          assert {
            extensionalEqual
              ((rename_subst_symbol (update fr0 x (bnd0 i)) identity))
              ((update ((rename_subst_symbol fr0 identity)) x
                  (rename_symbol (bnd0 i) identity)))
            };
          assert { (rename_subst_symbol (update fr0 x (bnd0 i)) identity) =
            (update ((rename_subst_symbol fr0 identity)) x
               (eval ((rename_subst_symbol bnd0 identity)) (i+0)))
            };
          assert { (rename_symbol (bnd0 i) identity) =
            (eval ((rename_subst_symbol bnd0 identity)) (i+0)) };
          assert {
            extensionalEqual
              ((rename_subst_symbol (update fr0 x (bnd0 i)) identity))
              ((update ((rename_subst_symbol fr0 identity)) x
                  (rename_symbol (bnd0 i) identity)))
            };
          assert { (rename_subst_symbol (update fr0 x (bnd0 i)) identity) =
            (update ((rename_subst_symbol fr0 identity)) x
               (eval ((rename_subst_symbol bnd0 identity)) (i+0)))
            };
          NL_And
            (bind_var_symbol_in_fo_formula v0 x (i+0)
               ((rename_subst_symbol fr0 identity))
               ((rename_subst_symbol bnd0 identity))
               ((rename_subst_fo_term fr1 identity identity))
               ((rename_subst_fo_term bnd1 identity identity)))
            (bind_var_symbol_in_fo_formula v1 x (i+0)
               ((rename_subst_symbol fr0 identity))
               ((rename_subst_symbol bnd0 identity))
               ((rename_subst_fo_term fr1 identity identity))
               ((rename_subst_fo_term bnd1 identity identity)))
      | NL_Or v0 v1 ->
        assert { (rename_symbol (bnd0 i) identity) =
          (eval ((rename_subst_symbol bnd0 identity)) (i+0)) };
          assert {
            extensionalEqual
              ((rename_subst_symbol (update fr0 x (bnd0 i)) identity))
              ((update ((rename_subst_symbol fr0 identity)) x
                  (rename_symbol (bnd0 i) identity)))
            };
          assert { (rename_subst_symbol (update fr0 x (bnd0 i)) identity) =
            (update ((rename_subst_symbol fr0 identity)) x
               (eval ((rename_subst_symbol bnd0 identity)) (i+0)))
            };
          assert { (rename_symbol (bnd0 i) identity) =
            (eval ((rename_subst_symbol bnd0 identity)) (i+0)) };
          assert {
            extensionalEqual
              ((rename_subst_symbol (update fr0 x (bnd0 i)) identity))
              ((update ((rename_subst_symbol fr0 identity)) x
                  (rename_symbol (bnd0 i) identity)))
            };
          assert { (rename_subst_symbol (update fr0 x (bnd0 i)) identity) =
            (update ((rename_subst_symbol fr0 identity)) x
               (eval ((rename_subst_symbol bnd0 identity)) (i+0)))
            };
          NL_Or
            (bind_var_symbol_in_fo_formula v0 x (i+0)
               ((rename_subst_symbol fr0 identity))
               ((rename_subst_symbol bnd0 identity))
               ((rename_subst_fo_term fr1 identity identity))
               ((rename_subst_fo_term bnd1 identity identity)))
            (bind_var_symbol_in_fo_formula v1 x (i+0)
               ((rename_subst_symbol fr0 identity))
               ((rename_subst_symbol bnd0 identity))
               ((rename_subst_fo_term fr1 identity identity))
               ((rename_subst_fo_term bnd1 identity identity)))
      | NL_Not v0 ->
        assert { (rename_symbol (bnd0 i) identity) =
          (eval ((rename_subst_symbol bnd0 identity)) (i+0)) };
          assert {
            extensionalEqual
              ((rename_subst_symbol (update fr0 x (bnd0 i)) identity))
              ((update ((rename_subst_symbol fr0 identity)) x
                  (rename_symbol (bnd0 i) identity)))
            };
          assert { (rename_subst_symbol (update fr0 x (bnd0 i)) identity) =
            (update ((rename_subst_symbol fr0 identity)) x
               (eval ((rename_subst_symbol bnd0 identity)) (i+0)))
            };
          NL_Not
            (bind_var_symbol_in_fo_formula v0 x (i+0)
               ((rename_subst_symbol fr0 identity))
               ((rename_subst_symbol bnd0 identity))
               ((rename_subst_fo_term fr1 identity identity))
               ((rename_subst_fo_term bnd1 identity identity)))
      | NL_FTrue -> NL_FTrue | NL_FFalse -> NL_FFalse
      | NL_PApp v0 v1 ->
        assert { (rename_symbol (bnd0 i) identity) =
          (eval ((rename_subst_symbol bnd0 identity)) (i+0)) };
          assert {
            extensionalEqual
              ((rename_subst_symbol (update fr0 x (bnd0 i)) identity))
              ((update ((rename_subst_symbol fr0 identity)) x
                  (rename_symbol (bnd0 i) identity)))
            };
          assert { (rename_subst_symbol (update fr0 x (bnd0 i)) identity) =
            (update ((rename_subst_symbol fr0 identity)) x
               (eval ((rename_subst_symbol bnd0 identity)) (i+0)))
            };
          assert { (rename_symbol (bnd0 i) identity) =
            (eval ((rename_subst_symbol bnd0 identity)) (i+0)) };
          assert {
            extensionalEqual
              ((rename_subst_symbol (update fr0 x (bnd0 i)) identity))
              ((update ((rename_subst_symbol fr0 identity)) x
                  (rename_symbol (bnd0 i) identity)))
            };
          assert { (rename_subst_symbol (update fr0 x (bnd0 i)) identity) =
            (update ((rename_subst_symbol fr0 identity)) x
               (eval ((rename_subst_symbol bnd0 identity)) (i+0)))
            };
          NL_PApp
            (bind_var_symbol_in_symbol v0 x (i+0)
               ((rename_subst_symbol fr0 identity))
               ((rename_subst_symbol bnd0 identity)))
            (bind_var_symbol_in_fo_term_list v1 x (i+0)
               ((rename_subst_symbol fr0 identity))
               ((rename_subst_symbol bnd0 identity))
               ((rename_subst_fo_term fr1 identity identity))
               ((rename_subst_fo_term bnd1 identity identity)))
    end

  with bind_var_fo_term_in_fo_formula (t:nl_fo_formula int int) (x:int)
    (i:int) (ghost fr0: int -> (symbol 'b0))
    (ghost bnd0: int -> (symbol 'b0)) (ghost fr1: int -> (fo_term 'b0 'b1))
    (ghost bnd1: int -> (fo_term 'b0 'b1)) : nl_fo_formula int int
    requires { correct_indexes_fo_formula t }
    requires { bound_depth_of_fo_term_in_fo_formula t <= i }
    variant { nlsize_fo_formula t }
    ensures { bound_depth_of_fo_term_in_fo_formula result <= i + 1 }
    ensures { correct_indexes_fo_formula result }
    ensures { bound_depth_of_symbol_in_fo_formula t =
      bound_depth_of_symbol_in_fo_formula result }
    ensures { nlmodel_fo_formula result fr0 bnd0 fr1 bnd1 =
      nlmodel_fo_formula t fr0 bnd0 (update fr1 x (bnd1 i)) bnd1 }
    =
    match t with
      | NL_Forall v0 ->
        assert { (rename_fo_term (bnd1 i) identity (compose some identity)) =
          (eval
             ((rename_subst_fo_term (shiftb_fo_term bnd1) identity identity))
             (i+1))
          };
          assert {
            extensionalEqual
              ((rename_subst_fo_term (update fr1 x (bnd1 i)) identity
                 (compose some identity)))
              ((update
                  ((rename_subst_fo_term fr1 identity
                     (compose some identity)))
                  x
                  (rename_fo_term (bnd1 i) identity (compose some identity))))
            };
          assert {
            (rename_subst_fo_term (update fr1 x (bnd1 i)) identity
              (compose some identity))
            =
            (update
               ((rename_subst_fo_term fr1 identity (compose some identity)))
               x
               (eval
                  ((rename_subst_fo_term (shiftb_fo_term bnd1) identity
                     identity))
                  (i+1)))
            };
          NL_Forall
            (bind_var_fo_term_in_fo_formula v0 x (i+1)
               ((rename_subst_symbol fr0 identity))
               ((rename_subst_symbol bnd0 identity))
               ((rename_subst_fo_term fr1 identity (compose some identity)))
               ((rename_subst_fo_term (shiftb_fo_term bnd1) identity
                  identity)))
      | NL_Exists v0 ->
        assert { (rename_fo_term (bnd1 i) identity (compose some identity)) =
          (eval
             ((rename_subst_fo_term (shiftb_fo_term bnd1) identity identity))
             (i+1))
          };
          assert {
            extensionalEqual
              ((rename_subst_fo_term (update fr1 x (bnd1 i)) identity
                 (compose some identity)))
              ((update
                  ((rename_subst_fo_term fr1 identity
                     (compose some identity)))
                  x
                  (rename_fo_term (bnd1 i) identity (compose some identity))))
            };
          assert {
            (rename_subst_fo_term (update fr1 x (bnd1 i)) identity
              (compose some identity))
            =
            (update
               ((rename_subst_fo_term fr1 identity (compose some identity)))
               x
               (eval
                  ((rename_subst_fo_term (shiftb_fo_term bnd1) identity
                     identity))
                  (i+1)))
            };
          NL_Exists
            (bind_var_fo_term_in_fo_formula v0 x (i+1)
               ((rename_subst_symbol fr0 identity))
               ((rename_subst_symbol bnd0 identity))
               ((rename_subst_fo_term fr1 identity (compose some identity)))
               ((rename_subst_fo_term (shiftb_fo_term bnd1) identity
                  identity)))
      | NL_And v0 v1 ->
        assert { (rename_fo_term (bnd1 i) identity identity) =
          (eval ((rename_subst_fo_term bnd1 identity identity)) (i+0)) };
          assert {
            extensionalEqual
              ((rename_subst_fo_term (update fr1 x (bnd1 i)) identity
                 identity))
              ((update ((rename_subst_fo_term fr1 identity identity)) x
                  (rename_fo_term (bnd1 i) identity identity)))
            };
          assert {
            (rename_subst_fo_term (update fr1 x (bnd1 i)) identity identity)
            =
            (update ((rename_subst_fo_term fr1 identity identity)) x
               (eval ((rename_subst_fo_term bnd1 identity identity)) (i+0)))
            };
          assert { (rename_fo_term (bnd1 i) identity identity) =
            (eval ((rename_subst_fo_term bnd1 identity identity)) (i+0)) };
          assert {
            extensionalEqual
              ((rename_subst_fo_term (update fr1 x (bnd1 i)) identity
                 identity))
              ((update ((rename_subst_fo_term fr1 identity identity)) x
                  (rename_fo_term (bnd1 i) identity identity)))
            };
          assert {
            (rename_subst_fo_term (update fr1 x (bnd1 i)) identity identity)
            =
            (update ((rename_subst_fo_term fr1 identity identity)) x
               (eval ((rename_subst_fo_term bnd1 identity identity)) (i+0)))
            };
          NL_And
            (bind_var_fo_term_in_fo_formula v0 x (i+0)
               ((rename_subst_symbol fr0 identity))
               ((rename_subst_symbol bnd0 identity))
               ((rename_subst_fo_term fr1 identity identity))
               ((rename_subst_fo_term bnd1 identity identity)))
            (bind_var_fo_term_in_fo_formula v1 x (i+0)
               ((rename_subst_symbol fr0 identity))
               ((rename_subst_symbol bnd0 identity))
               ((rename_subst_fo_term fr1 identity identity))
               ((rename_subst_fo_term bnd1 identity identity)))
      | NL_Or v0 v1 ->
        assert { (rename_fo_term (bnd1 i) identity identity) =
          (eval ((rename_subst_fo_term bnd1 identity identity)) (i+0)) };
          assert {
            extensionalEqual
              ((rename_subst_fo_term (update fr1 x (bnd1 i)) identity
                 identity))
              ((update ((rename_subst_fo_term fr1 identity identity)) x
                  (rename_fo_term (bnd1 i) identity identity)))
            };
          assert {
            (rename_subst_fo_term (update fr1 x (bnd1 i)) identity identity)
            =
            (update ((rename_subst_fo_term fr1 identity identity)) x
               (eval ((rename_subst_fo_term bnd1 identity identity)) (i+0)))
            };
          assert { (rename_fo_term (bnd1 i) identity identity) =
            (eval ((rename_subst_fo_term bnd1 identity identity)) (i+0)) };
          assert {
            extensionalEqual
              ((rename_subst_fo_term (update fr1 x (bnd1 i)) identity
                 identity))
              ((update ((rename_subst_fo_term fr1 identity identity)) x
                  (rename_fo_term (bnd1 i) identity identity)))
            };
          assert {
            (rename_subst_fo_term (update fr1 x (bnd1 i)) identity identity)
            =
            (update ((rename_subst_fo_term fr1 identity identity)) x
               (eval ((rename_subst_fo_term bnd1 identity identity)) (i+0)))
            };
          NL_Or
            (bind_var_fo_term_in_fo_formula v0 x (i+0)
               ((rename_subst_symbol fr0 identity))
               ((rename_subst_symbol bnd0 identity))
               ((rename_subst_fo_term fr1 identity identity))
               ((rename_subst_fo_term bnd1 identity identity)))
            (bind_var_fo_term_in_fo_formula v1 x (i+0)
               ((rename_subst_symbol fr0 identity))
               ((rename_subst_symbol bnd0 identity))
               ((rename_subst_fo_term fr1 identity identity))
               ((rename_subst_fo_term bnd1 identity identity)))
      | NL_Not v0 ->
        assert { (rename_fo_term (bnd1 i) identity identity) =
          (eval ((rename_subst_fo_term bnd1 identity identity)) (i+0)) };
          assert {
            extensionalEqual
              ((rename_subst_fo_term (update fr1 x (bnd1 i)) identity
                 identity))
              ((update ((rename_subst_fo_term fr1 identity identity)) x
                  (rename_fo_term (bnd1 i) identity identity)))
            };
          assert {
            (rename_subst_fo_term (update fr1 x (bnd1 i)) identity identity)
            =
            (update ((rename_subst_fo_term fr1 identity identity)) x
               (eval ((rename_subst_fo_term bnd1 identity identity)) (i+0)))
            };
          NL_Not
            (bind_var_fo_term_in_fo_formula v0 x (i+0)
               ((rename_subst_symbol fr0 identity))
               ((rename_subst_symbol bnd0 identity))
               ((rename_subst_fo_term fr1 identity identity))
               ((rename_subst_fo_term bnd1 identity identity)))
      | NL_FTrue -> NL_FTrue | NL_FFalse -> NL_FFalse
      | NL_PApp v0 v1 ->
        assert { (rename_fo_term (bnd1 i) identity identity) =
          (eval ((rename_subst_fo_term bnd1 identity identity)) (i+0)) };
          assert {
            extensionalEqual
              ((rename_subst_fo_term (update fr1 x (bnd1 i)) identity
                 identity))
              ((update ((rename_subst_fo_term fr1 identity identity)) x
                  (rename_fo_term (bnd1 i) identity identity)))
            };
          assert {
            (rename_subst_fo_term (update fr1 x (bnd1 i)) identity identity)
            =
            (update ((rename_subst_fo_term fr1 identity identity)) x
               (eval ((rename_subst_fo_term bnd1 identity identity)) (i+0)))
            };
          NL_PApp (v0)
            (bind_var_fo_term_in_fo_term_list v1 x (i+0)
               ((rename_subst_symbol fr0 identity))
               ((rename_subst_symbol bnd0 identity))
               ((rename_subst_fo_term fr1 identity identity))
               ((rename_subst_fo_term bnd1 identity identity)))
    end

  let rec unbind_var_symbol_in_fo_formula (t:nl_fo_formula int int) (i:int)
    (x:nl_symbol int) (ghost fr0: int -> (symbol 'b0))
    (ghost bnd10: int -> (symbol 'b0)) (ghost fr1: int -> (fo_term 'b0 'b1))
    (ghost bnd11: int -> (fo_term 'b0 'b1))
    (ghost bnd20: int -> (symbol 'b0)) : nl_fo_formula int int
    requires { i >= 0 } requires { correct_indexes_fo_formula t }
    requires { bound_depth_of_symbol_in_fo_formula t <= i + 1 }
    requires { correct_indexes_symbol x }
    requires { bound_depth_of_symbol_in_symbol x = 0 }
    variant { nlsize_fo_formula t }
    ensures { correct_indexes_fo_formula result }
    ensures { bound_depth_of_symbol_in_fo_formula result <= i }
    ensures { bound_depth_of_fo_term_in_fo_formula result =
      bound_depth_of_fo_term_in_fo_formula t }
    ensures { nlmodel_fo_formula result fr0 bnd10 fr1 bnd11 =
      nlmodel_fo_formula t fr0 (update bnd10 i (nlmodel_symbol x fr0 bnd20))
        fr1 bnd11
      }
    =
    match t with
      | NL_Forall v0 ->
        assert { rename_symbol (nlmodel_symbol x fr0 bnd20) identity =
          nlmodel_symbol x ((rename_subst_symbol fr0 identity))
            ((rename_subst_symbol bnd20 identity))
          } ;
          assert {
            extensionalEqual
              ((rename_subst_symbol
                 (update bnd10 i (nlmodel_symbol x fr0 bnd20)) identity))
              (update ((rename_subst_symbol bnd10 identity)) (i+0)
                 (rename_symbol (nlmodel_symbol x fr0 bnd20) identity))
            } ;
          assert {
            (rename_subst_symbol
              (update bnd10 i (nlmodel_symbol x fr0 bnd20)) identity)
            =
            update ((rename_subst_symbol bnd10 identity)) (i+0)
              (nlmodel_symbol x ((rename_subst_symbol fr0 identity))
                 ((rename_subst_symbol bnd20 identity)))
            } ;
          NL_Forall
            (unbind_var_symbol_in_fo_formula v0 (i+0) x
               ((rename_subst_symbol fr0 identity))
               ((rename_subst_symbol bnd10 identity))
               ((rename_subst_fo_term fr1 identity (compose some identity)))
               ((rename_subst_fo_term (shiftb_fo_term bnd11) identity
                  identity))
               ((rename_subst_symbol bnd20 identity)))
      | NL_Exists v0 ->
        assert { rename_symbol (nlmodel_symbol x fr0 bnd20) identity =
          nlmodel_symbol x ((rename_subst_symbol fr0 identity))
            ((rename_subst_symbol bnd20 identity))
          } ;
          assert {
            extensionalEqual
              ((rename_subst_symbol
                 (update bnd10 i (nlmodel_symbol x fr0 bnd20)) identity))
              (update ((rename_subst_symbol bnd10 identity)) (i+0)
                 (rename_symbol (nlmodel_symbol x fr0 bnd20) identity))
            } ;
          assert {
            (rename_subst_symbol
              (update bnd10 i (nlmodel_symbol x fr0 bnd20)) identity)
            =
            update ((rename_subst_symbol bnd10 identity)) (i+0)
              (nlmodel_symbol x ((rename_subst_symbol fr0 identity))
                 ((rename_subst_symbol bnd20 identity)))
            } ;
          NL_Exists
            (unbind_var_symbol_in_fo_formula v0 (i+0) x
               ((rename_subst_symbol fr0 identity))
               ((rename_subst_symbol bnd10 identity))
               ((rename_subst_fo_term fr1 identity (compose some identity)))
               ((rename_subst_fo_term (shiftb_fo_term bnd11) identity
                  identity))
               ((rename_subst_symbol bnd20 identity)))
      | NL_And v0 v1 ->
        assert { rename_symbol (nlmodel_symbol x fr0 bnd20) identity =
          nlmodel_symbol x ((rename_subst_symbol fr0 identity))
            ((rename_subst_symbol bnd20 identity))
          } ;
          assert {
            extensionalEqual
              ((rename_subst_symbol
                 (update bnd10 i (nlmodel_symbol x fr0 bnd20)) identity))
              (update ((rename_subst_symbol bnd10 identity)) (i+0)
                 (rename_symbol (nlmodel_symbol x fr0 bnd20) identity))
            } ;
          assert {
            (rename_subst_symbol
              (update bnd10 i (nlmodel_symbol x fr0 bnd20)) identity)
            =
            update ((rename_subst_symbol bnd10 identity)) (i+0)
              (nlmodel_symbol x ((rename_subst_symbol fr0 identity))
                 ((rename_subst_symbol bnd20 identity)))
            } ;
          assert { rename_symbol (nlmodel_symbol x fr0 bnd20) identity =
            nlmodel_symbol x ((rename_subst_symbol fr0 identity))
              ((rename_subst_symbol bnd20 identity))
            } ;
          assert {
            extensionalEqual
              ((rename_subst_symbol
                 (update bnd10 i (nlmodel_symbol x fr0 bnd20)) identity))
              (update ((rename_subst_symbol bnd10 identity)) (i+0)
                 (rename_symbol (nlmodel_symbol x fr0 bnd20) identity))
            } ;
          assert {
            (rename_subst_symbol
              (update bnd10 i (nlmodel_symbol x fr0 bnd20)) identity)
            =
            update ((rename_subst_symbol bnd10 identity)) (i+0)
              (nlmodel_symbol x ((rename_subst_symbol fr0 identity))
                 ((rename_subst_symbol bnd20 identity)))
            } ;
          NL_And
            (unbind_var_symbol_in_fo_formula v0 (i+0) x
               ((rename_subst_symbol fr0 identity))
               ((rename_subst_symbol bnd10 identity))
               ((rename_subst_fo_term fr1 identity identity))
               ((rename_subst_fo_term bnd11 identity identity))
               ((rename_subst_symbol bnd20 identity)))
            (unbind_var_symbol_in_fo_formula v1 (i+0) x
               ((rename_subst_symbol fr0 identity))
               ((rename_subst_symbol bnd10 identity))
               ((rename_subst_fo_term fr1 identity identity))
               ((rename_subst_fo_term bnd11 identity identity))
               ((rename_subst_symbol bnd20 identity)))
      | NL_Or v0 v1 ->
        assert { rename_symbol (nlmodel_symbol x fr0 bnd20) identity =
          nlmodel_symbol x ((rename_subst_symbol fr0 identity))
            ((rename_subst_symbol bnd20 identity))
          } ;
          assert {
            extensionalEqual
              ((rename_subst_symbol
                 (update bnd10 i (nlmodel_symbol x fr0 bnd20)) identity))
              (update ((rename_subst_symbol bnd10 identity)) (i+0)
                 (rename_symbol (nlmodel_symbol x fr0 bnd20) identity))
            } ;
          assert {
            (rename_subst_symbol
              (update bnd10 i (nlmodel_symbol x fr0 bnd20)) identity)
            =
            update ((rename_subst_symbol bnd10 identity)) (i+0)
              (nlmodel_symbol x ((rename_subst_symbol fr0 identity))
                 ((rename_subst_symbol bnd20 identity)))
            } ;
          assert { rename_symbol (nlmodel_symbol x fr0 bnd20) identity =
            nlmodel_symbol x ((rename_subst_symbol fr0 identity))
              ((rename_subst_symbol bnd20 identity))
            } ;
          assert {
            extensionalEqual
              ((rename_subst_symbol
                 (update bnd10 i (nlmodel_symbol x fr0 bnd20)) identity))
              (update ((rename_subst_symbol bnd10 identity)) (i+0)
                 (rename_symbol (nlmodel_symbol x fr0 bnd20) identity))
            } ;
          assert {
            (rename_subst_symbol
              (update bnd10 i (nlmodel_symbol x fr0 bnd20)) identity)
            =
            update ((rename_subst_symbol bnd10 identity)) (i+0)
              (nlmodel_symbol x ((rename_subst_symbol fr0 identity))
                 ((rename_subst_symbol bnd20 identity)))
            } ;
          NL_Or
            (unbind_var_symbol_in_fo_formula v0 (i+0) x
               ((rename_subst_symbol fr0 identity))
               ((rename_subst_symbol bnd10 identity))
               ((rename_subst_fo_term fr1 identity identity))
               ((rename_subst_fo_term bnd11 identity identity))
               ((rename_subst_symbol bnd20 identity)))
            (unbind_var_symbol_in_fo_formula v1 (i+0) x
               ((rename_subst_symbol fr0 identity))
               ((rename_subst_symbol bnd10 identity))
               ((rename_subst_fo_term fr1 identity identity))
               ((rename_subst_fo_term bnd11 identity identity))
               ((rename_subst_symbol bnd20 identity)))
      | NL_Not v0 ->
        assert { rename_symbol (nlmodel_symbol x fr0 bnd20) identity =
          nlmodel_symbol x ((rename_subst_symbol fr0 identity))
            ((rename_subst_symbol bnd20 identity))
          } ;
          assert {
            extensionalEqual
              ((rename_subst_symbol
                 (update bnd10 i (nlmodel_symbol x fr0 bnd20)) identity))
              (update ((rename_subst_symbol bnd10 identity)) (i+0)
                 (rename_symbol (nlmodel_symbol x fr0 bnd20) identity))
            } ;
          assert {
            (rename_subst_symbol
              (update bnd10 i (nlmodel_symbol x fr0 bnd20)) identity)
            =
            update ((rename_subst_symbol bnd10 identity)) (i+0)
              (nlmodel_symbol x ((rename_subst_symbol fr0 identity))
                 ((rename_subst_symbol bnd20 identity)))
            } ;
          NL_Not
            (unbind_var_symbol_in_fo_formula v0 (i+0) x
               ((rename_subst_symbol fr0 identity))
               ((rename_subst_symbol bnd10 identity))
               ((rename_subst_fo_term fr1 identity identity))
               ((rename_subst_fo_term bnd11 identity identity))
               ((rename_subst_symbol bnd20 identity)))
      | NL_FTrue -> NL_FTrue | NL_FFalse -> NL_FFalse
      | NL_PApp v0 v1 ->
        assert { rename_symbol (nlmodel_symbol x fr0 bnd20) identity =
          nlmodel_symbol x ((rename_subst_symbol fr0 identity))
            ((rename_subst_symbol bnd20 identity))
          } ;
          assert {
            extensionalEqual
              ((rename_subst_symbol
                 (update bnd10 i (nlmodel_symbol x fr0 bnd20)) identity))
              (update ((rename_subst_symbol bnd10 identity)) (i+0)
                 (rename_symbol (nlmodel_symbol x fr0 bnd20) identity))
            } ;
          assert {
            (rename_subst_symbol
              (update bnd10 i (nlmodel_symbol x fr0 bnd20)) identity)
            =
            update ((rename_subst_symbol bnd10 identity)) (i+0)
              (nlmodel_symbol x ((rename_subst_symbol fr0 identity))
                 ((rename_subst_symbol bnd20 identity)))
            } ;
          assert { rename_symbol (nlmodel_symbol x fr0 bnd20) identity =
            nlmodel_symbol x ((rename_subst_symbol fr0 identity))
              ((rename_subst_symbol bnd20 identity))
            } ;
          assert {
            extensionalEqual
              ((rename_subst_symbol
                 (update bnd10 i (nlmodel_symbol x fr0 bnd20)) identity))
              (update ((rename_subst_symbol bnd10 identity)) (i+0)
                 (rename_symbol (nlmodel_symbol x fr0 bnd20) identity))
            } ;
          assert {
            (rename_subst_symbol
              (update bnd10 i (nlmodel_symbol x fr0 bnd20)) identity)
            =
            update ((rename_subst_symbol bnd10 identity)) (i+0)
              (nlmodel_symbol x ((rename_subst_symbol fr0 identity))
                 ((rename_subst_symbol bnd20 identity)))
            } ;
          NL_PApp
            (unbind_var_symbol_in_symbol v0 (i+0) x
               ((rename_subst_symbol fr0 identity))
               ((rename_subst_symbol bnd10 identity))
               ((rename_subst_symbol bnd20 identity)))
            (unbind_var_symbol_in_fo_term_list v1 (i+0) x
               ((rename_subst_symbol fr0 identity))
               ((rename_subst_symbol bnd10 identity))
               ((rename_subst_fo_term fr1 identity identity))
               ((rename_subst_fo_term bnd11 identity identity))
               ((rename_subst_symbol bnd20 identity)))
    end

  with unbind_var_fo_term_in_fo_formula (t:nl_fo_formula int int) (i:int)
    (x:nl_fo_term int int) (ghost fr0: int -> (symbol 'b0))
    (ghost bnd10: int -> (symbol 'b0)) (ghost fr1: int -> (fo_term 'b0 'b1))
    (ghost bnd11: int -> (fo_term 'b0 'b1))
    (ghost bnd20: int -> (symbol 'b0))
    (ghost bnd21: int -> (fo_term 'b0 'b1)) : nl_fo_formula int int
    requires { i >= 0 } requires { correct_indexes_fo_formula t }
    requires { bound_depth_of_fo_term_in_fo_formula t <= i + 1 }
    requires { correct_indexes_fo_term x }
    requires { bound_depth_of_symbol_in_fo_term x = 0 }
    requires { bound_depth_of_fo_term_in_fo_term x = 0 }
    variant { nlsize_fo_formula t }
    ensures { correct_indexes_fo_formula result }
    ensures { bound_depth_of_fo_term_in_fo_formula result <= i }
    ensures { bound_depth_of_symbol_in_fo_formula result =
      bound_depth_of_symbol_in_fo_formula t }
    ensures { nlmodel_fo_formula result fr0 bnd10 fr1 bnd11 =
      nlmodel_fo_formula t fr0 bnd10 fr1
        (update bnd11 i (nlmodel_fo_term x fr0 bnd20 fr1 bnd21))
      }
    =
    match t with
      | NL_Forall v0 ->
        assert {
          rename_fo_term (nlmodel_fo_term x fr0 bnd20 fr1 bnd21) identity
            (compose some identity)
          =
          nlmodel_fo_term x ((rename_subst_symbol fr0 identity))
            ((rename_subst_symbol bnd20 identity))
            ((rename_subst_fo_term fr1 identity (compose some identity)))
            ((rename_subst_fo_term bnd21 identity (compose some identity)))
          } ;
          assert {
            extensionalEqual
              ((rename_subst_fo_term
                 (shiftb_fo_term
                   (update bnd11 i (nlmodel_fo_term x fr0 bnd20 fr1 bnd21)))
                 identity identity))
              (update
                 ((rename_subst_fo_term (shiftb_fo_term bnd11) identity
                    identity))
                 (i+1)
                 (rename_fo_term (nlmodel_fo_term x fr0 bnd20 fr1 bnd21)
                    identity (compose some identity)))
            } ;
          assert {
            (rename_subst_fo_term
              (shiftb_fo_term
                (update bnd11 i (nlmodel_fo_term x fr0 bnd20 fr1 bnd21)))
              identity identity)
            =
            update
              ((rename_subst_fo_term (shiftb_fo_term bnd11) identity
                 identity))
              (i+1)
              (nlmodel_fo_term x ((rename_subst_symbol fr0 identity))
                 ((rename_subst_symbol bnd20 identity))
                 ((rename_subst_fo_term fr1 identity (compose some identity)))
                 ((rename_subst_fo_term bnd21 identity
                    (compose some identity))))
            } ;
          NL_Forall
            (unbind_var_fo_term_in_fo_formula v0 (i+1) x
               ((rename_subst_symbol fr0 identity))
               ((rename_subst_symbol bnd10 identity))
               ((rename_subst_fo_term fr1 identity (compose some identity)))
               ((rename_subst_fo_term (shiftb_fo_term bnd11) identity
                  identity))
               ((rename_subst_symbol bnd20 identity))
               ((rename_subst_fo_term bnd21 identity (compose some identity))))
      | NL_Exists v0 ->
        assert {
          rename_fo_term (nlmodel_fo_term x fr0 bnd20 fr1 bnd21) identity
            (compose some identity)
          =
          nlmodel_fo_term x ((rename_subst_symbol fr0 identity))
            ((rename_subst_symbol bnd20 identity))
            ((rename_subst_fo_term fr1 identity (compose some identity)))
            ((rename_subst_fo_term bnd21 identity (compose some identity)))
          } ;
          assert {
            extensionalEqual
              ((rename_subst_fo_term
                 (shiftb_fo_term
                   (update bnd11 i (nlmodel_fo_term x fr0 bnd20 fr1 bnd21)))
                 identity identity))
              (update
                 ((rename_subst_fo_term (shiftb_fo_term bnd11) identity
                    identity))
                 (i+1)
                 (rename_fo_term (nlmodel_fo_term x fr0 bnd20 fr1 bnd21)
                    identity (compose some identity)))
            } ;
          assert {
            (rename_subst_fo_term
              (shiftb_fo_term
                (update bnd11 i (nlmodel_fo_term x fr0 bnd20 fr1 bnd21)))
              identity identity)
            =
            update
              ((rename_subst_fo_term (shiftb_fo_term bnd11) identity
                 identity))
              (i+1)
              (nlmodel_fo_term x ((rename_subst_symbol fr0 identity))
                 ((rename_subst_symbol bnd20 identity))
                 ((rename_subst_fo_term fr1 identity (compose some identity)))
                 ((rename_subst_fo_term bnd21 identity
                    (compose some identity))))
            } ;
          NL_Exists
            (unbind_var_fo_term_in_fo_formula v0 (i+1) x
               ((rename_subst_symbol fr0 identity))
               ((rename_subst_symbol bnd10 identity))
               ((rename_subst_fo_term fr1 identity (compose some identity)))
               ((rename_subst_fo_term (shiftb_fo_term bnd11) identity
                  identity))
               ((rename_subst_symbol bnd20 identity))
               ((rename_subst_fo_term bnd21 identity (compose some identity))))
      | NL_And v0 v1 ->
        assert {
          rename_fo_term (nlmodel_fo_term x fr0 bnd20 fr1 bnd21) identity
            identity
          =
          nlmodel_fo_term x ((rename_subst_symbol fr0 identity))
            ((rename_subst_symbol bnd20 identity))
            ((rename_subst_fo_term fr1 identity identity))
            ((rename_subst_fo_term bnd21 identity identity))
          } ;
          assert {
            extensionalEqual
              ((rename_subst_fo_term
                 (update bnd11 i (nlmodel_fo_term x fr0 bnd20 fr1 bnd21))
                 identity identity))
              (update ((rename_subst_fo_term bnd11 identity identity)) (i+0)
                 (rename_fo_term (nlmodel_fo_term x fr0 bnd20 fr1 bnd21)
                    identity identity))
            } ;
          assert {
            (rename_subst_fo_term
              (update bnd11 i (nlmodel_fo_term x fr0 bnd20 fr1 bnd21))
              identity identity)
            =
            update ((rename_subst_fo_term bnd11 identity identity)) (i+0)
              (nlmodel_fo_term x ((rename_subst_symbol fr0 identity))
                 ((rename_subst_symbol bnd20 identity))
                 ((rename_subst_fo_term fr1 identity identity))
                 ((rename_subst_fo_term bnd21 identity identity)))
            } ;
          assert {
            rename_fo_term (nlmodel_fo_term x fr0 bnd20 fr1 bnd21) identity
              identity
            =
            nlmodel_fo_term x ((rename_subst_symbol fr0 identity))
              ((rename_subst_symbol bnd20 identity))
              ((rename_subst_fo_term fr1 identity identity))
              ((rename_subst_fo_term bnd21 identity identity))
            } ;
          assert {
            extensionalEqual
              ((rename_subst_fo_term
                 (update bnd11 i (nlmodel_fo_term x fr0 bnd20 fr1 bnd21))
                 identity identity))
              (update ((rename_subst_fo_term bnd11 identity identity)) (i+0)
                 (rename_fo_term (nlmodel_fo_term x fr0 bnd20 fr1 bnd21)
                    identity identity))
            } ;
          assert {
            (rename_subst_fo_term
              (update bnd11 i (nlmodel_fo_term x fr0 bnd20 fr1 bnd21))
              identity identity)
            =
            update ((rename_subst_fo_term bnd11 identity identity)) (i+0)
              (nlmodel_fo_term x ((rename_subst_symbol fr0 identity))
                 ((rename_subst_symbol bnd20 identity))
                 ((rename_subst_fo_term fr1 identity identity))
                 ((rename_subst_fo_term bnd21 identity identity)))
            } ;
          NL_And
            (unbind_var_fo_term_in_fo_formula v0 (i+0) x
               ((rename_subst_symbol fr0 identity))
               ((rename_subst_symbol bnd10 identity))
               ((rename_subst_fo_term fr1 identity identity))
               ((rename_subst_fo_term bnd11 identity identity))
               ((rename_subst_symbol bnd20 identity))
               ((rename_subst_fo_term bnd21 identity identity)))
            (unbind_var_fo_term_in_fo_formula v1 (i+0) x
               ((rename_subst_symbol fr0 identity))
               ((rename_subst_symbol bnd10 identity))
               ((rename_subst_fo_term fr1 identity identity))
               ((rename_subst_fo_term bnd11 identity identity))
               ((rename_subst_symbol bnd20 identity))
               ((rename_subst_fo_term bnd21 identity identity)))
      | NL_Or v0 v1 ->
        assert {
          rename_fo_term (nlmodel_fo_term x fr0 bnd20 fr1 bnd21) identity
            identity
          =
          nlmodel_fo_term x ((rename_subst_symbol fr0 identity))
            ((rename_subst_symbol bnd20 identity))
            ((rename_subst_fo_term fr1 identity identity))
            ((rename_subst_fo_term bnd21 identity identity))
          } ;
          assert {
            extensionalEqual
              ((rename_subst_fo_term
                 (update bnd11 i (nlmodel_fo_term x fr0 bnd20 fr1 bnd21))
                 identity identity))
              (update ((rename_subst_fo_term bnd11 identity identity)) (i+0)
                 (rename_fo_term (nlmodel_fo_term x fr0 bnd20 fr1 bnd21)
                    identity identity))
            } ;
          assert {
            (rename_subst_fo_term
              (update bnd11 i (nlmodel_fo_term x fr0 bnd20 fr1 bnd21))
              identity identity)
            =
            update ((rename_subst_fo_term bnd11 identity identity)) (i+0)
              (nlmodel_fo_term x ((rename_subst_symbol fr0 identity))
                 ((rename_subst_symbol bnd20 identity))
                 ((rename_subst_fo_term fr1 identity identity))
                 ((rename_subst_fo_term bnd21 identity identity)))
            } ;
          assert {
            rename_fo_term (nlmodel_fo_term x fr0 bnd20 fr1 bnd21) identity
              identity
            =
            nlmodel_fo_term x ((rename_subst_symbol fr0 identity))
              ((rename_subst_symbol bnd20 identity))
              ((rename_subst_fo_term fr1 identity identity))
              ((rename_subst_fo_term bnd21 identity identity))
            } ;
          assert {
            extensionalEqual
              ((rename_subst_fo_term
                 (update bnd11 i (nlmodel_fo_term x fr0 bnd20 fr1 bnd21))
                 identity identity))
              (update ((rename_subst_fo_term bnd11 identity identity)) (i+0)
                 (rename_fo_term (nlmodel_fo_term x fr0 bnd20 fr1 bnd21)
                    identity identity))
            } ;
          assert {
            (rename_subst_fo_term
              (update bnd11 i (nlmodel_fo_term x fr0 bnd20 fr1 bnd21))
              identity identity)
            =
            update ((rename_subst_fo_term bnd11 identity identity)) (i+0)
              (nlmodel_fo_term x ((rename_subst_symbol fr0 identity))
                 ((rename_subst_symbol bnd20 identity))
                 ((rename_subst_fo_term fr1 identity identity))
                 ((rename_subst_fo_term bnd21 identity identity)))
            } ;
          NL_Or
            (unbind_var_fo_term_in_fo_formula v0 (i+0) x
               ((rename_subst_symbol fr0 identity))
               ((rename_subst_symbol bnd10 identity))
               ((rename_subst_fo_term fr1 identity identity))
               ((rename_subst_fo_term bnd11 identity identity))
               ((rename_subst_symbol bnd20 identity))
               ((rename_subst_fo_term bnd21 identity identity)))
            (unbind_var_fo_term_in_fo_formula v1 (i+0) x
               ((rename_subst_symbol fr0 identity))
               ((rename_subst_symbol bnd10 identity))
               ((rename_subst_fo_term fr1 identity identity))
               ((rename_subst_fo_term bnd11 identity identity))
               ((rename_subst_symbol bnd20 identity))
               ((rename_subst_fo_term bnd21 identity identity)))
      | NL_Not v0 ->
        assert {
          rename_fo_term (nlmodel_fo_term x fr0 bnd20 fr1 bnd21) identity
            identity
          =
          nlmodel_fo_term x ((rename_subst_symbol fr0 identity))
            ((rename_subst_symbol bnd20 identity))
            ((rename_subst_fo_term fr1 identity identity))
            ((rename_subst_fo_term bnd21 identity identity))
          } ;
          assert {
            extensionalEqual
              ((rename_subst_fo_term
                 (update bnd11 i (nlmodel_fo_term x fr0 bnd20 fr1 bnd21))
                 identity identity))
              (update ((rename_subst_fo_term bnd11 identity identity)) (i+0)
                 (rename_fo_term (nlmodel_fo_term x fr0 bnd20 fr1 bnd21)
                    identity identity))
            } ;
          assert {
            (rename_subst_fo_term
              (update bnd11 i (nlmodel_fo_term x fr0 bnd20 fr1 bnd21))
              identity identity)
            =
            update ((rename_subst_fo_term bnd11 identity identity)) (i+0)
              (nlmodel_fo_term x ((rename_subst_symbol fr0 identity))
                 ((rename_subst_symbol bnd20 identity))
                 ((rename_subst_fo_term fr1 identity identity))
                 ((rename_subst_fo_term bnd21 identity identity)))
            } ;
          NL_Not
            (unbind_var_fo_term_in_fo_formula v0 (i+0) x
               ((rename_subst_symbol fr0 identity))
               ((rename_subst_symbol bnd10 identity))
               ((rename_subst_fo_term fr1 identity identity))
               ((rename_subst_fo_term bnd11 identity identity))
               ((rename_subst_symbol bnd20 identity))
               ((rename_subst_fo_term bnd21 identity identity)))
      | NL_FTrue -> NL_FTrue | NL_FFalse -> NL_FFalse
      | NL_PApp v0 v1 ->
        assert {
          rename_fo_term (nlmodel_fo_term x fr0 bnd20 fr1 bnd21) identity
            identity
          =
          nlmodel_fo_term x ((rename_subst_symbol fr0 identity))
            ((rename_subst_symbol bnd20 identity))
            ((rename_subst_fo_term fr1 identity identity))
            ((rename_subst_fo_term bnd21 identity identity))
          } ;
          assert {
            extensionalEqual
              ((rename_subst_fo_term
                 (update bnd11 i (nlmodel_fo_term x fr0 bnd20 fr1 bnd21))
                 identity identity))
              (update ((rename_subst_fo_term bnd11 identity identity)) (i+0)
                 (rename_fo_term (nlmodel_fo_term x fr0 bnd20 fr1 bnd21)
                    identity identity))
            } ;
          assert {
            (rename_subst_fo_term
              (update bnd11 i (nlmodel_fo_term x fr0 bnd20 fr1 bnd21))
              identity identity)
            =
            update ((rename_subst_fo_term bnd11 identity identity)) (i+0)
              (nlmodel_fo_term x ((rename_subst_symbol fr0 identity))
                 ((rename_subst_symbol bnd20 identity))
                 ((rename_subst_fo_term fr1 identity identity))
                 ((rename_subst_fo_term bnd21 identity identity)))
            } ;
          assert {
            rename_fo_term (nlmodel_fo_term x fr0 bnd20 fr1 bnd21) identity
              identity
            =
            nlmodel_fo_term x ((rename_subst_symbol fr0 identity))
              ((rename_subst_symbol bnd20 identity))
              ((rename_subst_fo_term fr1 identity identity))
              ((rename_subst_fo_term bnd21 identity identity))
            } ;
          assert {
            extensionalEqual
              ((rename_subst_fo_term
                 (update bnd11 i (nlmodel_fo_term x fr0 bnd20 fr1 bnd21))
                 identity identity))
              (update ((rename_subst_fo_term bnd11 identity identity)) (i+0)
                 (rename_fo_term (nlmodel_fo_term x fr0 bnd20 fr1 bnd21)
                    identity identity))
            } ;
          assert {
            (rename_subst_fo_term
              (update bnd11 i (nlmodel_fo_term x fr0 bnd20 fr1 bnd21))
              identity identity)
            =
            update ((rename_subst_fo_term bnd11 identity identity)) (i+0)
              (nlmodel_fo_term x ((rename_subst_symbol fr0 identity))
                 ((rename_subst_symbol bnd20 identity))
                 ((rename_subst_fo_term fr1 identity identity))
                 ((rename_subst_fo_term bnd21 identity identity)))
            } ;
          NL_PApp (v0)
            (unbind_var_fo_term_in_fo_term_list v1 (i+0) x
               ((rename_subst_symbol fr0 identity))
               ((rename_subst_symbol bnd10 identity))
               ((rename_subst_fo_term fr1 identity identity))
               ((rename_subst_fo_term bnd11 identity identity))
               ((rename_subst_symbol bnd20 identity))
               ((rename_subst_fo_term bnd21 identity identity)))
    end

  let rec subst_base_symbol_in_fo_formula (t:nl_fo_formula int int) (x:int)
    (u:nl_symbol int) (ghost fr0: int -> (symbol 'b0))
    (ghost bnd10: int -> (symbol 'b0)) (ghost fr1: int -> (fo_term 'b0 'b1))
    (ghost bnd11: int -> (fo_term 'b0 'b1))
    (ghost bnd20: int -> (symbol 'b0)) : nl_fo_formula int int
    requires { correct_indexes_fo_formula t }
    requires { correct_indexes_symbol u }
    requires { bound_depth_of_symbol_in_symbol u = 0 }
    variant { nlsize_fo_formula t }
    ensures { correct_indexes_fo_formula result }
     ensures { bound_depth_of_symbol_in_fo_formula result =
       bound_depth_of_symbol_in_fo_formula t }
    ensures { bound_depth_of_fo_term_in_fo_formula result =
      bound_depth_of_fo_term_in_fo_formula t }
    ensures { nlmodel_fo_formula result fr0 bnd10 fr1 bnd11 =
      nlmodel_fo_formula t (update fr0 x (nlmodel_symbol u fr0 bnd20)) bnd10
        fr1 bnd11
      }
    =
    match t with
      | NL_Forall v0 ->
        assert { rename_symbol (nlmodel_symbol u fr0 bnd20) identity =
          nlmodel_symbol u ((rename_subst_symbol fr0 identity))
            ((rename_subst_symbol bnd20 identity))
          } ;
          assert {
            extensionalEqual
              ((rename_subst_symbol
                 (update fr0 x (nlmodel_symbol u fr0 bnd20)) identity))
              (update ((rename_subst_symbol fr0 identity)) x
                 (rename_symbol (nlmodel_symbol u fr0 bnd20) identity))
            } ;
          assert {
            (rename_subst_symbol (update fr0 x (nlmodel_symbol u fr0 bnd20))
              identity)
            =
            update ((rename_subst_symbol fr0 identity)) x
              (nlmodel_symbol u ((rename_subst_symbol fr0 identity))
                 ((rename_subst_symbol bnd20 identity)))
            } ;
          NL_Forall
            (subst_base_symbol_in_fo_formula v0 x u
               ((rename_subst_symbol fr0 identity))
               ((rename_subst_symbol bnd10 identity))
               ((rename_subst_fo_term fr1 identity (compose some identity)))
               ((rename_subst_fo_term (shiftb_fo_term bnd11) identity
                  identity))
               ((rename_subst_symbol bnd20 identity)))
      | NL_Exists v0 ->
        assert { rename_symbol (nlmodel_symbol u fr0 bnd20) identity =
          nlmodel_symbol u ((rename_subst_symbol fr0 identity))
            ((rename_subst_symbol bnd20 identity))
          } ;
          assert {
            extensionalEqual
              ((rename_subst_symbol
                 (update fr0 x (nlmodel_symbol u fr0 bnd20)) identity))
              (update ((rename_subst_symbol fr0 identity)) x
                 (rename_symbol (nlmodel_symbol u fr0 bnd20) identity))
            } ;
          assert {
            (rename_subst_symbol (update fr0 x (nlmodel_symbol u fr0 bnd20))
              identity)
            =
            update ((rename_subst_symbol fr0 identity)) x
              (nlmodel_symbol u ((rename_subst_symbol fr0 identity))
                 ((rename_subst_symbol bnd20 identity)))
            } ;
          NL_Exists
            (subst_base_symbol_in_fo_formula v0 x u
               ((rename_subst_symbol fr0 identity))
               ((rename_subst_symbol bnd10 identity))
               ((rename_subst_fo_term fr1 identity (compose some identity)))
               ((rename_subst_fo_term (shiftb_fo_term bnd11) identity
                  identity))
               ((rename_subst_symbol bnd20 identity)))
      | NL_And v0 v1 ->
        assert { rename_symbol (nlmodel_symbol u fr0 bnd20) identity =
          nlmodel_symbol u ((rename_subst_symbol fr0 identity))
            ((rename_subst_symbol bnd20 identity))
          } ;
          assert {
            extensionalEqual
              ((rename_subst_symbol
                 (update fr0 x (nlmodel_symbol u fr0 bnd20)) identity))
              (update ((rename_subst_symbol fr0 identity)) x
                 (rename_symbol (nlmodel_symbol u fr0 bnd20) identity))
            } ;
          assert {
            (rename_subst_symbol (update fr0 x (nlmodel_symbol u fr0 bnd20))
              identity)
            =
            update ((rename_subst_symbol fr0 identity)) x
              (nlmodel_symbol u ((rename_subst_symbol fr0 identity))
                 ((rename_subst_symbol bnd20 identity)))
            } ;
          assert { rename_symbol (nlmodel_symbol u fr0 bnd20) identity =
            nlmodel_symbol u ((rename_subst_symbol fr0 identity))
              ((rename_subst_symbol bnd20 identity))
            } ;
          assert {
            extensionalEqual
              ((rename_subst_symbol
                 (update fr0 x (nlmodel_symbol u fr0 bnd20)) identity))
              (update ((rename_subst_symbol fr0 identity)) x
                 (rename_symbol (nlmodel_symbol u fr0 bnd20) identity))
            } ;
          assert {
            (rename_subst_symbol (update fr0 x (nlmodel_symbol u fr0 bnd20))
              identity)
            =
            update ((rename_subst_symbol fr0 identity)) x
              (nlmodel_symbol u ((rename_subst_symbol fr0 identity))
                 ((rename_subst_symbol bnd20 identity)))
            } ;
          NL_And
            (subst_base_symbol_in_fo_formula v0 x u
               ((rename_subst_symbol fr0 identity))
               ((rename_subst_symbol bnd10 identity))
               ((rename_subst_fo_term fr1 identity identity))
               ((rename_subst_fo_term bnd11 identity identity))
               ((rename_subst_symbol bnd20 identity)))
            (subst_base_symbol_in_fo_formula v1 x u
               ((rename_subst_symbol fr0 identity))
               ((rename_subst_symbol bnd10 identity))
               ((rename_subst_fo_term fr1 identity identity))
               ((rename_subst_fo_term bnd11 identity identity))
               ((rename_subst_symbol bnd20 identity)))
      | NL_Or v0 v1 ->
        assert { rename_symbol (nlmodel_symbol u fr0 bnd20) identity =
          nlmodel_symbol u ((rename_subst_symbol fr0 identity))
            ((rename_subst_symbol bnd20 identity))
          } ;
          assert {
            extensionalEqual
              ((rename_subst_symbol
                 (update fr0 x (nlmodel_symbol u fr0 bnd20)) identity))
              (update ((rename_subst_symbol fr0 identity)) x
                 (rename_symbol (nlmodel_symbol u fr0 bnd20) identity))
            } ;
          assert {
            (rename_subst_symbol (update fr0 x (nlmodel_symbol u fr0 bnd20))
              identity)
            =
            update ((rename_subst_symbol fr0 identity)) x
              (nlmodel_symbol u ((rename_subst_symbol fr0 identity))
                 ((rename_subst_symbol bnd20 identity)))
            } ;
          assert { rename_symbol (nlmodel_symbol u fr0 bnd20) identity =
            nlmodel_symbol u ((rename_subst_symbol fr0 identity))
              ((rename_subst_symbol bnd20 identity))
            } ;
          assert {
            extensionalEqual
              ((rename_subst_symbol
                 (update fr0 x (nlmodel_symbol u fr0 bnd20)) identity))
              (update ((rename_subst_symbol fr0 identity)) x
                 (rename_symbol (nlmodel_symbol u fr0 bnd20) identity))
            } ;
          assert {
            (rename_subst_symbol (update fr0 x (nlmodel_symbol u fr0 bnd20))
              identity)
            =
            update ((rename_subst_symbol fr0 identity)) x
              (nlmodel_symbol u ((rename_subst_symbol fr0 identity))
                 ((rename_subst_symbol bnd20 identity)))
            } ;
          NL_Or
            (subst_base_symbol_in_fo_formula v0 x u
               ((rename_subst_symbol fr0 identity))
               ((rename_subst_symbol bnd10 identity))
               ((rename_subst_fo_term fr1 identity identity))
               ((rename_subst_fo_term bnd11 identity identity))
               ((rename_subst_symbol bnd20 identity)))
            (subst_base_symbol_in_fo_formula v1 x u
               ((rename_subst_symbol fr0 identity))
               ((rename_subst_symbol bnd10 identity))
               ((rename_subst_fo_term fr1 identity identity))
               ((rename_subst_fo_term bnd11 identity identity))
               ((rename_subst_symbol bnd20 identity)))
      | NL_Not v0 ->
        assert { rename_symbol (nlmodel_symbol u fr0 bnd20) identity =
          nlmodel_symbol u ((rename_subst_symbol fr0 identity))
            ((rename_subst_symbol bnd20 identity))
          } ;
          assert {
            extensionalEqual
              ((rename_subst_symbol
                 (update fr0 x (nlmodel_symbol u fr0 bnd20)) identity))
              (update ((rename_subst_symbol fr0 identity)) x
                 (rename_symbol (nlmodel_symbol u fr0 bnd20) identity))
            } ;
          assert {
            (rename_subst_symbol (update fr0 x (nlmodel_symbol u fr0 bnd20))
              identity)
            =
            update ((rename_subst_symbol fr0 identity)) x
              (nlmodel_symbol u ((rename_subst_symbol fr0 identity))
                 ((rename_subst_symbol bnd20 identity)))
            } ;
          NL_Not
            (subst_base_symbol_in_fo_formula v0 x u
               ((rename_subst_symbol fr0 identity))
               ((rename_subst_symbol bnd10 identity))
               ((rename_subst_fo_term fr1 identity identity))
               ((rename_subst_fo_term bnd11 identity identity))
               ((rename_subst_symbol bnd20 identity)))
      | NL_FTrue -> NL_FTrue | NL_FFalse -> NL_FFalse
      | NL_PApp v0 v1 ->
        assert { rename_symbol (nlmodel_symbol u fr0 bnd20) identity =
          nlmodel_symbol u ((rename_subst_symbol fr0 identity))
            ((rename_subst_symbol bnd20 identity))
          } ;
          assert {
            extensionalEqual
              ((rename_subst_symbol
                 (update fr0 x (nlmodel_symbol u fr0 bnd20)) identity))
              (update ((rename_subst_symbol fr0 identity)) x
                 (rename_symbol (nlmodel_symbol u fr0 bnd20) identity))
            } ;
          assert {
            (rename_subst_symbol (update fr0 x (nlmodel_symbol u fr0 bnd20))
              identity)
            =
            update ((rename_subst_symbol fr0 identity)) x
              (nlmodel_symbol u ((rename_subst_symbol fr0 identity))
                 ((rename_subst_symbol bnd20 identity)))
            } ;
          assert { rename_symbol (nlmodel_symbol u fr0 bnd20) identity =
            nlmodel_symbol u ((rename_subst_symbol fr0 identity))
              ((rename_subst_symbol bnd20 identity))
            } ;
          assert {
            extensionalEqual
              ((rename_subst_symbol
                 (update fr0 x (nlmodel_symbol u fr0 bnd20)) identity))
              (update ((rename_subst_symbol fr0 identity)) x
                 (rename_symbol (nlmodel_symbol u fr0 bnd20) identity))
            } ;
          assert {
            (rename_subst_symbol (update fr0 x (nlmodel_symbol u fr0 bnd20))
              identity)
            =
            update ((rename_subst_symbol fr0 identity)) x
              (nlmodel_symbol u ((rename_subst_symbol fr0 identity))
                 ((rename_subst_symbol bnd20 identity)))
            } ;
          NL_PApp
            (subst_base_symbol_in_symbol v0 x u
               ((rename_subst_symbol fr0 identity))
               ((rename_subst_symbol bnd10 identity))
               ((rename_subst_symbol bnd20 identity)))
            (subst_base_symbol_in_fo_term_list v1 x u
               ((rename_subst_symbol fr0 identity))
               ((rename_subst_symbol bnd10 identity))
               ((rename_subst_fo_term fr1 identity identity))
               ((rename_subst_fo_term bnd11 identity identity))
               ((rename_subst_symbol bnd20 identity)))
    end

  with subst_base_fo_term_in_fo_formula (t:nl_fo_formula int int) (x:int)
    (u:nl_fo_term int int) (ghost fr0: int -> (symbol 'b0))
    (ghost bnd10: int -> (symbol 'b0)) (ghost fr1: int -> (fo_term 'b0 'b1))
    (ghost bnd11: int -> (fo_term 'b0 'b1))
    (ghost bnd20: int -> (symbol 'b0))
    (ghost bnd21: int -> (fo_term 'b0 'b1)) : nl_fo_formula int int
    requires { correct_indexes_fo_formula t }
    requires { correct_indexes_fo_term u }
    requires { bound_depth_of_symbol_in_fo_term u = 0 }
    requires { bound_depth_of_fo_term_in_fo_term u = 0 }
    variant { nlsize_fo_formula t }
    ensures { correct_indexes_fo_formula result }
     ensures { bound_depth_of_symbol_in_fo_formula result =
       bound_depth_of_symbol_in_fo_formula t }
    ensures { bound_depth_of_fo_term_in_fo_formula result =
      bound_depth_of_fo_term_in_fo_formula t }
    ensures { nlmodel_fo_formula result fr0 bnd10 fr1 bnd11 =
      nlmodel_fo_formula t fr0 bnd10
        (update fr1 x (nlmodel_fo_term u fr0 bnd20 fr1 bnd21)) bnd11
      }
    =
    match t with
      | NL_Forall v0 ->
        assert {
          rename_fo_term (nlmodel_fo_term u fr0 bnd20 fr1 bnd21) identity
            (compose some identity)
          =
          nlmodel_fo_term u ((rename_subst_symbol fr0 identity))
            ((rename_subst_symbol bnd20 identity))
            ((rename_subst_fo_term fr1 identity (compose some identity)))
            ((rename_subst_fo_term bnd21 identity (compose some identity)))
          } ;
          assert {
            extensionalEqual
              ((rename_subst_fo_term
                 (update fr1 x (nlmodel_fo_term u fr0 bnd20 fr1 bnd21))
                 identity (compose some identity)))
              (update
                 ((rename_subst_fo_term fr1 identity (compose some identity)))
                 x
                 (rename_fo_term (nlmodel_fo_term u fr0 bnd20 fr1 bnd21)
                    identity (compose some identity)))
            } ;
          assert {
            (rename_subst_fo_term
              (update fr1 x (nlmodel_fo_term u fr0 bnd20 fr1 bnd21)) identity
              (compose some identity))
            =
            update
              ((rename_subst_fo_term fr1 identity (compose some identity))) x
              (nlmodel_fo_term u ((rename_subst_symbol fr0 identity))
                 ((rename_subst_symbol bnd20 identity))
                 ((rename_subst_fo_term fr1 identity (compose some identity)))
                 ((rename_subst_fo_term bnd21 identity
                    (compose some identity))))
            } ;
          NL_Forall
            (subst_base_fo_term_in_fo_formula v0 x u
               ((rename_subst_symbol fr0 identity))
               ((rename_subst_symbol bnd10 identity))
               ((rename_subst_fo_term fr1 identity (compose some identity)))
               ((rename_subst_fo_term (shiftb_fo_term bnd11) identity
                  identity))
               ((rename_subst_symbol bnd20 identity))
               ((rename_subst_fo_term bnd21 identity (compose some identity))))
      | NL_Exists v0 ->
        assert {
          rename_fo_term (nlmodel_fo_term u fr0 bnd20 fr1 bnd21) identity
            (compose some identity)
          =
          nlmodel_fo_term u ((rename_subst_symbol fr0 identity))
            ((rename_subst_symbol bnd20 identity))
            ((rename_subst_fo_term fr1 identity (compose some identity)))
            ((rename_subst_fo_term bnd21 identity (compose some identity)))
          } ;
          assert {
            extensionalEqual
              ((rename_subst_fo_term
                 (update fr1 x (nlmodel_fo_term u fr0 bnd20 fr1 bnd21))
                 identity (compose some identity)))
              (update
                 ((rename_subst_fo_term fr1 identity (compose some identity)))
                 x
                 (rename_fo_term (nlmodel_fo_term u fr0 bnd20 fr1 bnd21)
                    identity (compose some identity)))
            } ;
          assert {
            (rename_subst_fo_term
              (update fr1 x (nlmodel_fo_term u fr0 bnd20 fr1 bnd21)) identity
              (compose some identity))
            =
            update
              ((rename_subst_fo_term fr1 identity (compose some identity))) x
              (nlmodel_fo_term u ((rename_subst_symbol fr0 identity))
                 ((rename_subst_symbol bnd20 identity))
                 ((rename_subst_fo_term fr1 identity (compose some identity)))
                 ((rename_subst_fo_term bnd21 identity
                    (compose some identity))))
            } ;
          NL_Exists
            (subst_base_fo_term_in_fo_formula v0 x u
               ((rename_subst_symbol fr0 identity))
               ((rename_subst_symbol bnd10 identity))
               ((rename_subst_fo_term fr1 identity (compose some identity)))
               ((rename_subst_fo_term (shiftb_fo_term bnd11) identity
                  identity))
               ((rename_subst_symbol bnd20 identity))
               ((rename_subst_fo_term bnd21 identity (compose some identity))))
      | NL_And v0 v1 ->
        assert {
          rename_fo_term (nlmodel_fo_term u fr0 bnd20 fr1 bnd21) identity
            identity
          =
          nlmodel_fo_term u ((rename_subst_symbol fr0 identity))
            ((rename_subst_symbol bnd20 identity))
            ((rename_subst_fo_term fr1 identity identity))
            ((rename_subst_fo_term bnd21 identity identity))
          } ;
          assert {
            extensionalEqual
              ((rename_subst_fo_term
                 (update fr1 x (nlmodel_fo_term u fr0 bnd20 fr1 bnd21))
                 identity identity))
              (update ((rename_subst_fo_term fr1 identity identity)) x
                 (rename_fo_term (nlmodel_fo_term u fr0 bnd20 fr1 bnd21)
                    identity identity))
            } ;
          assert {
            (rename_subst_fo_term
              (update fr1 x (nlmodel_fo_term u fr0 bnd20 fr1 bnd21)) identity
              identity)
            =
            update ((rename_subst_fo_term fr1 identity identity)) x
              (nlmodel_fo_term u ((rename_subst_symbol fr0 identity))
                 ((rename_subst_symbol bnd20 identity))
                 ((rename_subst_fo_term fr1 identity identity))
                 ((rename_subst_fo_term bnd21 identity identity)))
            } ;
          assert {
            rename_fo_term (nlmodel_fo_term u fr0 bnd20 fr1 bnd21) identity
              identity
            =
            nlmodel_fo_term u ((rename_subst_symbol fr0 identity))
              ((rename_subst_symbol bnd20 identity))
              ((rename_subst_fo_term fr1 identity identity))
              ((rename_subst_fo_term bnd21 identity identity))
            } ;
          assert {
            extensionalEqual
              ((rename_subst_fo_term
                 (update fr1 x (nlmodel_fo_term u fr0 bnd20 fr1 bnd21))
                 identity identity))
              (update ((rename_subst_fo_term fr1 identity identity)) x
                 (rename_fo_term (nlmodel_fo_term u fr0 bnd20 fr1 bnd21)
                    identity identity))
            } ;
          assert {
            (rename_subst_fo_term
              (update fr1 x (nlmodel_fo_term u fr0 bnd20 fr1 bnd21)) identity
              identity)
            =
            update ((rename_subst_fo_term fr1 identity identity)) x
              (nlmodel_fo_term u ((rename_subst_symbol fr0 identity))
                 ((rename_subst_symbol bnd20 identity))
                 ((rename_subst_fo_term fr1 identity identity))
                 ((rename_subst_fo_term bnd21 identity identity)))
            } ;
          NL_And
            (subst_base_fo_term_in_fo_formula v0 x u
               ((rename_subst_symbol fr0 identity))
               ((rename_subst_symbol bnd10 identity))
               ((rename_subst_fo_term fr1 identity identity))
               ((rename_subst_fo_term bnd11 identity identity))
               ((rename_subst_symbol bnd20 identity))
               ((rename_subst_fo_term bnd21 identity identity)))
            (subst_base_fo_term_in_fo_formula v1 x u
               ((rename_subst_symbol fr0 identity))
               ((rename_subst_symbol bnd10 identity))
               ((rename_subst_fo_term fr1 identity identity))
               ((rename_subst_fo_term bnd11 identity identity))
               ((rename_subst_symbol bnd20 identity))
               ((rename_subst_fo_term bnd21 identity identity)))
      | NL_Or v0 v1 ->
        assert {
          rename_fo_term (nlmodel_fo_term u fr0 bnd20 fr1 bnd21) identity
            identity
          =
          nlmodel_fo_term u ((rename_subst_symbol fr0 identity))
            ((rename_subst_symbol bnd20 identity))
            ((rename_subst_fo_term fr1 identity identity))
            ((rename_subst_fo_term bnd21 identity identity))
          } ;
          assert {
            extensionalEqual
              ((rename_subst_fo_term
                 (update fr1 x (nlmodel_fo_term u fr0 bnd20 fr1 bnd21))
                 identity identity))
              (update ((rename_subst_fo_term fr1 identity identity)) x
                 (rename_fo_term (nlmodel_fo_term u fr0 bnd20 fr1 bnd21)
                    identity identity))
            } ;
          assert {
            (rename_subst_fo_term
              (update fr1 x (nlmodel_fo_term u fr0 bnd20 fr1 bnd21)) identity
              identity)
            =
            update ((rename_subst_fo_term fr1 identity identity)) x
              (nlmodel_fo_term u ((rename_subst_symbol fr0 identity))
                 ((rename_subst_symbol bnd20 identity))
                 ((rename_subst_fo_term fr1 identity identity))
                 ((rename_subst_fo_term bnd21 identity identity)))
            } ;
          assert {
            rename_fo_term (nlmodel_fo_term u fr0 bnd20 fr1 bnd21) identity
              identity
            =
            nlmodel_fo_term u ((rename_subst_symbol fr0 identity))
              ((rename_subst_symbol bnd20 identity))
              ((rename_subst_fo_term fr1 identity identity))
              ((rename_subst_fo_term bnd21 identity identity))
            } ;
          assert {
            extensionalEqual
              ((rename_subst_fo_term
                 (update fr1 x (nlmodel_fo_term u fr0 bnd20 fr1 bnd21))
                 identity identity))
              (update ((rename_subst_fo_term fr1 identity identity)) x
                 (rename_fo_term (nlmodel_fo_term u fr0 bnd20 fr1 bnd21)
                    identity identity))
            } ;
          assert {
            (rename_subst_fo_term
              (update fr1 x (nlmodel_fo_term u fr0 bnd20 fr1 bnd21)) identity
              identity)
            =
            update ((rename_subst_fo_term fr1 identity identity)) x
              (nlmodel_fo_term u ((rename_subst_symbol fr0 identity))
                 ((rename_subst_symbol bnd20 identity))
                 ((rename_subst_fo_term fr1 identity identity))
                 ((rename_subst_fo_term bnd21 identity identity)))
            } ;
          NL_Or
            (subst_base_fo_term_in_fo_formula v0 x u
               ((rename_subst_symbol fr0 identity))
               ((rename_subst_symbol bnd10 identity))
               ((rename_subst_fo_term fr1 identity identity))
               ((rename_subst_fo_term bnd11 identity identity))
               ((rename_subst_symbol bnd20 identity))
               ((rename_subst_fo_term bnd21 identity identity)))
            (subst_base_fo_term_in_fo_formula v1 x u
               ((rename_subst_symbol fr0 identity))
               ((rename_subst_symbol bnd10 identity))
               ((rename_subst_fo_term fr1 identity identity))
               ((rename_subst_fo_term bnd11 identity identity))
               ((rename_subst_symbol bnd20 identity))
               ((rename_subst_fo_term bnd21 identity identity)))
      | NL_Not v0 ->
        assert {
          rename_fo_term (nlmodel_fo_term u fr0 bnd20 fr1 bnd21) identity
            identity
          =
          nlmodel_fo_term u ((rename_subst_symbol fr0 identity))
            ((rename_subst_symbol bnd20 identity))
            ((rename_subst_fo_term fr1 identity identity))
            ((rename_subst_fo_term bnd21 identity identity))
          } ;
          assert {
            extensionalEqual
              ((rename_subst_fo_term
                 (update fr1 x (nlmodel_fo_term u fr0 bnd20 fr1 bnd21))
                 identity identity))
              (update ((rename_subst_fo_term fr1 identity identity)) x
                 (rename_fo_term (nlmodel_fo_term u fr0 bnd20 fr1 bnd21)
                    identity identity))
            } ;
          assert {
            (rename_subst_fo_term
              (update fr1 x (nlmodel_fo_term u fr0 bnd20 fr1 bnd21)) identity
              identity)
            =
            update ((rename_subst_fo_term fr1 identity identity)) x
              (nlmodel_fo_term u ((rename_subst_symbol fr0 identity))
                 ((rename_subst_symbol bnd20 identity))
                 ((rename_subst_fo_term fr1 identity identity))
                 ((rename_subst_fo_term bnd21 identity identity)))
            } ;
          NL_Not
            (subst_base_fo_term_in_fo_formula v0 x u
               ((rename_subst_symbol fr0 identity))
               ((rename_subst_symbol bnd10 identity))
               ((rename_subst_fo_term fr1 identity identity))
               ((rename_subst_fo_term bnd11 identity identity))
               ((rename_subst_symbol bnd20 identity))
               ((rename_subst_fo_term bnd21 identity identity)))
      | NL_FTrue -> NL_FTrue | NL_FFalse -> NL_FFalse
      | NL_PApp v0 v1 ->
        assert {
          rename_fo_term (nlmodel_fo_term u fr0 bnd20 fr1 bnd21) identity
            identity
          =
          nlmodel_fo_term u ((rename_subst_symbol fr0 identity))
            ((rename_subst_symbol bnd20 identity))
            ((rename_subst_fo_term fr1 identity identity))
            ((rename_subst_fo_term bnd21 identity identity))
          } ;
          assert {
            extensionalEqual
              ((rename_subst_fo_term
                 (update fr1 x (nlmodel_fo_term u fr0 bnd20 fr1 bnd21))
                 identity identity))
              (update ((rename_subst_fo_term fr1 identity identity)) x
                 (rename_fo_term (nlmodel_fo_term u fr0 bnd20 fr1 bnd21)
                    identity identity))
            } ;
          assert {
            (rename_subst_fo_term
              (update fr1 x (nlmodel_fo_term u fr0 bnd20 fr1 bnd21)) identity
              identity)
            =
            update ((rename_subst_fo_term fr1 identity identity)) x
              (nlmodel_fo_term u ((rename_subst_symbol fr0 identity))
                 ((rename_subst_symbol bnd20 identity))
                 ((rename_subst_fo_term fr1 identity identity))
                 ((rename_subst_fo_term bnd21 identity identity)))
            } ;
          assert {
            rename_fo_term (nlmodel_fo_term u fr0 bnd20 fr1 bnd21) identity
              identity
            =
            nlmodel_fo_term u ((rename_subst_symbol fr0 identity))
              ((rename_subst_symbol bnd20 identity))
              ((rename_subst_fo_term fr1 identity identity))
              ((rename_subst_fo_term bnd21 identity identity))
            } ;
          assert {
            extensionalEqual
              ((rename_subst_fo_term
                 (update fr1 x (nlmodel_fo_term u fr0 bnd20 fr1 bnd21))
                 identity identity))
              (update ((rename_subst_fo_term fr1 identity identity)) x
                 (rename_fo_term (nlmodel_fo_term u fr0 bnd20 fr1 bnd21)
                    identity identity))
            } ;
          assert {
            (rename_subst_fo_term
              (update fr1 x (nlmodel_fo_term u fr0 bnd20 fr1 bnd21)) identity
              identity)
            =
            update ((rename_subst_fo_term fr1 identity identity)) x
              (nlmodel_fo_term u ((rename_subst_symbol fr0 identity))
                 ((rename_subst_symbol bnd20 identity))
                 ((rename_subst_fo_term fr1 identity identity))
                 ((rename_subst_fo_term bnd21 identity identity)))
            } ;
          NL_PApp (v0)
            (subst_base_fo_term_in_fo_term_list v1 x u
               ((rename_subst_symbol fr0 identity))
               ((rename_subst_symbol bnd10 identity))
               ((rename_subst_fo_term fr1 identity identity))
               ((rename_subst_fo_term bnd11 identity identity))
               ((rename_subst_symbol bnd20 identity))
               ((rename_subst_fo_term bnd21 identity identity)))
    end

  let construct_fo_formula (c:cons_fo_formula) : nlimpl_fo_formula
    requires { cons_ok_fo_formula c } ensures { nlimpl_fo_formula_ok result }
    ensures { cons_rel_fo_formula c result }
    (*ensures { cons_open_rel_fo_formula c result }*) =
    match c with
      | NLC_Forall v0 v1 -> assert { nlimpl_fo_formula_ok v1 } ;
        let res =
          {
            nlrepr_fo_formula_field =
              (NL_Forall
                 (let v1 = v1.nlrepr_fo_formula_field in
                    let v1 =
                      bind_var_fo_term_in_fo_formula v1 v0 0
                        (ghost
                           (rename_subst_symbol
                              (subst_id_symbol:(int)->(symbol (int)))
                              identity))
                        (ghost
                           (rename_subst_symbol (const (Var_symbol (-1)))
                             identity))
                        (ghost
                           (rename_subst_fo_term
                              (subst_id_fo_term:(int)->(fo_term (int) (int)))
                              identity (compose some identity)))
                        (ghost
                           (rename_subst_fo_term
                             (shiftb_fo_term (const (Var_fo_term (-1))))
                             identity identity))
                    in v1)) ;
            nlfree_var_symbol_set_abstraction_fo_formula_field =
              v1.nlfree_var_symbol_set_abstraction_fo_formula_field ;
            nlfree_var_fo_term_set_abstraction_fo_formula_field =
              v1.nlfree_var_fo_term_set_abstraction_fo_formula_field ;
            model_fo_formula_field = ghost
              (Forall
                 (rename_fo_formula v1.model_fo_formula_field identity
                    (update (compose some identity) v0 None))) ;
          }
        in
        assert {
          forall x:int.
            is_symbol_free_var_in_fo_formula x
              (rename_fo_formula v1.model_fo_formula_field identity
                 (update (compose some identity) v0 None))
            ->
            (forall y:int.
               (is_symbol_free_var_in_fo_formula y v1.model_fo_formula_field
               /\ eval (identity) y = x) -> x = eval (identity) y &&
               x = y &&
               is_symbol_free_var_in_fo_formula x v1.model_fo_formula_field)
            && is_symbol_free_var_in_fo_formula x v1.model_fo_formula_field
            && (x) < (v1.nlfree_var_symbol_set_abstraction_fo_formula_field)
            && (x) < (res.nlfree_var_symbol_set_abstraction_fo_formula_field)
          } ;
        assert {
          forall x:int.
            is_fo_term_free_var_in_fo_formula (Some x)
              (rename_fo_formula v1.model_fo_formula_field identity
                 (update (compose some identity) v0 None))
            ->
            (forall y:int.
               (is_fo_term_free_var_in_fo_formula y v1.model_fo_formula_field
               /\
               eval ((update (compose some identity) v0 None)) y = (Some x))
               -> y <> v0 && (Some x) = eval ((compose some identity)) y &&
               x = y &&
               is_fo_term_free_var_in_fo_formula x v1.model_fo_formula_field)
            && is_fo_term_free_var_in_fo_formula x v1.model_fo_formula_field
            && (x) < (v1.nlfree_var_fo_term_set_abstraction_fo_formula_field)
            && (x) <
            (res.nlfree_var_fo_term_set_abstraction_fo_formula_field)
          } ;
        assert {
          forall x:int.
            is_symbol_free_var_in_fo_formula x res.model_fo_formula_field ->
            (is_symbol_free_var_in_fo_formula x
               (rename_fo_formula v1.model_fo_formula_field identity
                  (update (compose some identity) v0 None)))
            && (x) < (res.nlfree_var_symbol_set_abstraction_fo_formula_field)
          } ;
        assert {
          forall x:int.
            is_fo_term_free_var_in_fo_formula x res.model_fo_formula_field ->
            (is_fo_term_free_var_in_fo_formula (Some x)
               (rename_fo_formula v1.model_fo_formula_field identity
                  (update (compose some identity) v0 None)))
            && (x) <
            (res.nlfree_var_fo_term_set_abstraction_fo_formula_field)
          } ;
        assert {
          extensionalEqual (rename_subst_symbol subst_id_symbol identity)
            ((rename_subst_symbol (subst_id_symbol:(int)->(symbol (int)))
                identity))
          } ;
        assert { rename_subst_symbol subst_id_symbol identity =
          (rename_subst_symbol (subst_id_symbol:(int)->(symbol (int)))
             identity)
          } ;
        assert {
          extensionalEqual
            (rename_subst_fo_term subst_id_fo_term identity
               (update (compose some identity) v0 None))
            ((update
                (rename_subst_fo_term
                   (subst_id_fo_term:(int)->(fo_term (int) (int))) identity
                   (compose some identity))
                v0 (Var_fo_term None)))
          } ;
        assert {
          rename_subst_fo_term subst_id_fo_term identity
            (update (compose some identity) v0 None)
          =
          (update
             (rename_subst_fo_term
                (subst_id_fo_term:(int)->(fo_term (int) (int))) identity
                (compose some identity))
             v0 (Var_fo_term None))
          } ;
        model_equal_fo_formula v1.nlrepr_fo_formula_field
          (rename_subst_symbol subst_id_symbol identity)
          (rename_subst_symbol subst_id_symbol identity)
          ((rename_subst_symbol (const (Var_symbol (-1))) identity))
          (rename_subst_symbol (const (Var_symbol (-1))) identity)
          (rename_subst_fo_term subst_id_fo_term identity
             (update (compose some identity) v0 None))
          (rename_subst_fo_term subst_id_fo_term identity
             (update (compose some identity) v0 None))
          ((rename_subst_fo_term (shiftb_fo_term (const (Var_fo_term (-1))))
             identity identity))
          (rename_subst_fo_term (const (Var_fo_term (-1))) identity
             (update (compose some identity) v0 None)) ;
        (*assert {
            extensionalEqual (rcompose (identity) (identity))
              ((identity : (int) -> (int)))
            } ;
        assert { rcompose (identity) (identity) = (identity : (int) -> (int))
          } ;*)
        (*assert {
            extensionalEqual
              (rcompose ((update (compose some identity) v0 None))
                 ((ocase identity v0)))
              ((identity : (int) -> (int)))
            } ;
        assert {
          rcompose ((update (compose some identity) v0 None))
            ((ocase identity v0))
          = (identity : (int) -> (int)) } ;*)
        res
      | NLC_Exists v0 v1 -> assert { nlimpl_fo_formula_ok v1 } ;
        let res =
          {
            nlrepr_fo_formula_field =
              (NL_Exists
                 (let v1 = v1.nlrepr_fo_formula_field in
                    let v1 =
                      bind_var_fo_term_in_fo_formula v1 v0 0
                        (ghost
                           (rename_subst_symbol
                              (subst_id_symbol:(int)->(symbol (int)))
                              identity))
                        (ghost
                           (rename_subst_symbol (const (Var_symbol (-1)))
                             identity))
                        (ghost
                           (rename_subst_fo_term
                              (subst_id_fo_term:(int)->(fo_term (int) (int)))
                              identity (compose some identity)))
                        (ghost
                           (rename_subst_fo_term
                             (shiftb_fo_term (const (Var_fo_term (-1))))
                             identity identity))
                    in v1)) ;
            nlfree_var_symbol_set_abstraction_fo_formula_field =
              v1.nlfree_var_symbol_set_abstraction_fo_formula_field ;
            nlfree_var_fo_term_set_abstraction_fo_formula_field =
              v1.nlfree_var_fo_term_set_abstraction_fo_formula_field ;
            model_fo_formula_field = ghost
              (Exists
                 (rename_fo_formula v1.model_fo_formula_field identity
                    (update (compose some identity) v0 None))) ;
          }
        in
        assert {
          forall x:int.
            is_symbol_free_var_in_fo_formula x
              (rename_fo_formula v1.model_fo_formula_field identity
                 (update (compose some identity) v0 None))
            ->
            (forall y:int.
               (is_symbol_free_var_in_fo_formula y v1.model_fo_formula_field
               /\ eval (identity) y = x) -> x = eval (identity) y &&
               x = y &&
               is_symbol_free_var_in_fo_formula x v1.model_fo_formula_field)
            && is_symbol_free_var_in_fo_formula x v1.model_fo_formula_field
            && (x) < (v1.nlfree_var_symbol_set_abstraction_fo_formula_field)
            && (x) < (res.nlfree_var_symbol_set_abstraction_fo_formula_field)
          } ;
        assert {
          forall x:int.
            is_fo_term_free_var_in_fo_formula (Some x)
              (rename_fo_formula v1.model_fo_formula_field identity
                 (update (compose some identity) v0 None))
            ->
            (forall y:int.
               (is_fo_term_free_var_in_fo_formula y v1.model_fo_formula_field
               /\
               eval ((update (compose some identity) v0 None)) y = (Some x))
               -> y <> v0 && (Some x) = eval ((compose some identity)) y &&
               x = y &&
               is_fo_term_free_var_in_fo_formula x v1.model_fo_formula_field)
            && is_fo_term_free_var_in_fo_formula x v1.model_fo_formula_field
            && (x) < (v1.nlfree_var_fo_term_set_abstraction_fo_formula_field)
            && (x) <
            (res.nlfree_var_fo_term_set_abstraction_fo_formula_field)
          } ;
        assert {
          forall x:int.
            is_symbol_free_var_in_fo_formula x res.model_fo_formula_field ->
            (is_symbol_free_var_in_fo_formula x
               (rename_fo_formula v1.model_fo_formula_field identity
                  (update (compose some identity) v0 None)))
            && (x) < (res.nlfree_var_symbol_set_abstraction_fo_formula_field)
          } ;
        assert {
          forall x:int.
            is_fo_term_free_var_in_fo_formula x res.model_fo_formula_field ->
            (is_fo_term_free_var_in_fo_formula (Some x)
               (rename_fo_formula v1.model_fo_formula_field identity
                  (update (compose some identity) v0 None)))
            && (x) <
            (res.nlfree_var_fo_term_set_abstraction_fo_formula_field)
          } ;
        assert {
          extensionalEqual (rename_subst_symbol subst_id_symbol identity)
            ((rename_subst_symbol (subst_id_symbol:(int)->(symbol (int)))
                identity))
          } ;
        assert { rename_subst_symbol subst_id_symbol identity =
          (rename_subst_symbol (subst_id_symbol:(int)->(symbol (int)))
             identity)
          } ;
        assert {
          extensionalEqual
            (rename_subst_fo_term subst_id_fo_term identity
               (update (compose some identity) v0 None))
            ((update
                (rename_subst_fo_term
                   (subst_id_fo_term:(int)->(fo_term (int) (int))) identity
                   (compose some identity))
                v0 (Var_fo_term None)))
          } ;
        assert {
          rename_subst_fo_term subst_id_fo_term identity
            (update (compose some identity) v0 None)
          =
          (update
             (rename_subst_fo_term
                (subst_id_fo_term:(int)->(fo_term (int) (int))) identity
                (compose some identity))
             v0 (Var_fo_term None))
          } ;
        model_equal_fo_formula v1.nlrepr_fo_formula_field
          (rename_subst_symbol subst_id_symbol identity)
          (rename_subst_symbol subst_id_symbol identity)
          ((rename_subst_symbol (const (Var_symbol (-1))) identity))
          (rename_subst_symbol (const (Var_symbol (-1))) identity)
          (rename_subst_fo_term subst_id_fo_term identity
             (update (compose some identity) v0 None))
          (rename_subst_fo_term subst_id_fo_term identity
             (update (compose some identity) v0 None))
          ((rename_subst_fo_term (shiftb_fo_term (const (Var_fo_term (-1))))
             identity identity))
          (rename_subst_fo_term (const (Var_fo_term (-1))) identity
             (update (compose some identity) v0 None)) ;
        (*assert {
            extensionalEqual (rcompose (identity) (identity))
              ((identity : (int) -> (int)))
            } ;
        assert { rcompose (identity) (identity) = (identity : (int) -> (int))
          } ;*)
        (*assert {
            extensionalEqual
              (rcompose ((update (compose some identity) v0 None))
                 ((ocase identity v0)))
              ((identity : (int) -> (int)))
            } ;
        assert {
          rcompose ((update (compose some identity) v0 None))
            ((ocase identity v0))
          = (identity : (int) -> (int)) } ;*)
        res
      | NLC_And v0 v1 -> assert { nlimpl_fo_formula_ok v0 } ;
        assert { nlimpl_fo_formula_ok v1 } ;
        let res =
          {
            nlrepr_fo_formula_field =
              (NL_And (let v0 = v0.nlrepr_fo_formula_field in v0)
                 (let v1 = v1.nlrepr_fo_formula_field in v1)) ;
            nlfree_var_symbol_set_abstraction_fo_formula_field =
              (let aux (a:int) (b:int) : int
                 ensures { result >= a /\ result >= b } =
                 if a < b then b else a in
                 aux (v0.nlfree_var_symbol_set_abstraction_fo_formula_field)
                   (v1.nlfree_var_symbol_set_abstraction_fo_formula_field)) ;
            nlfree_var_fo_term_set_abstraction_fo_formula_field =
              (let aux (a:int) (b:int) : int
                 ensures { result >= a /\ result >= b } =
                 if a < b then b else a in
                 aux (v0.nlfree_var_fo_term_set_abstraction_fo_formula_field)
                   (v1.nlfree_var_fo_term_set_abstraction_fo_formula_field)) ;
            model_fo_formula_field = ghost
              (And
                 (rename_fo_formula v0.model_fo_formula_field identity
                    identity)
                 (rename_fo_formula v1.model_fo_formula_field identity
                    identity)) ;
          }
        in
        assert {
          forall x:int.
            is_symbol_free_var_in_fo_formula x
              (rename_fo_formula v0.model_fo_formula_field identity identity)
            ->
            (forall y:int.
               (is_symbol_free_var_in_fo_formula y v0.model_fo_formula_field
               /\ eval (identity) y = x) -> x = eval (identity) y &&
               x = y &&
               is_symbol_free_var_in_fo_formula x v0.model_fo_formula_field)
            && is_symbol_free_var_in_fo_formula x v0.model_fo_formula_field
            && (x) < (v0.nlfree_var_symbol_set_abstraction_fo_formula_field)
            && (x) < (res.nlfree_var_symbol_set_abstraction_fo_formula_field)
          } ;
        assert {
          forall x:int.
            is_fo_term_free_var_in_fo_formula x
              (rename_fo_formula v0.model_fo_formula_field identity identity)
            ->
            (forall y:int.
               (is_fo_term_free_var_in_fo_formula y v0.model_fo_formula_field
               /\ eval (identity) y = x) -> x = eval (identity) y &&
               x = y &&
               is_fo_term_free_var_in_fo_formula x v0.model_fo_formula_field)
            && is_fo_term_free_var_in_fo_formula x v0.model_fo_formula_field
            && (x) < (v0.nlfree_var_fo_term_set_abstraction_fo_formula_field)
            && (x) <
            (res.nlfree_var_fo_term_set_abstraction_fo_formula_field)
          } ;
        assert {
          forall x:int.
            is_symbol_free_var_in_fo_formula x
              (rename_fo_formula v1.model_fo_formula_field identity identity)
            ->
            (forall y:int.
               (is_symbol_free_var_in_fo_formula y v1.model_fo_formula_field
               /\ eval (identity) y = x) -> x = eval (identity) y &&
               x = y &&
               is_symbol_free_var_in_fo_formula x v1.model_fo_formula_field)
            && is_symbol_free_var_in_fo_formula x v1.model_fo_formula_field
            && (x) < (v1.nlfree_var_symbol_set_abstraction_fo_formula_field)
            && (x) < (res.nlfree_var_symbol_set_abstraction_fo_formula_field)
          } ;
        assert {
          forall x:int.
            is_fo_term_free_var_in_fo_formula x
              (rename_fo_formula v1.model_fo_formula_field identity identity)
            ->
            (forall y:int.
               (is_fo_term_free_var_in_fo_formula y v1.model_fo_formula_field
               /\ eval (identity) y = x) -> x = eval (identity) y &&
               x = y &&
               is_fo_term_free_var_in_fo_formula x v1.model_fo_formula_field)
            && is_fo_term_free_var_in_fo_formula x v1.model_fo_formula_field
            && (x) < (v1.nlfree_var_fo_term_set_abstraction_fo_formula_field)
            && (x) <
            (res.nlfree_var_fo_term_set_abstraction_fo_formula_field)
          } ;
        assert {
          forall x:int.
            is_symbol_free_var_in_fo_formula x res.model_fo_formula_field ->
            (is_symbol_free_var_in_fo_formula x
               (rename_fo_formula v0.model_fo_formula_field identity identity)
               \/
               is_symbol_free_var_in_fo_formula x
                 (rename_fo_formula v1.model_fo_formula_field identity
                    identity))
            && (x) < (res.nlfree_var_symbol_set_abstraction_fo_formula_field)
          } ;
        assert {
          forall x:int.
            is_fo_term_free_var_in_fo_formula x res.model_fo_formula_field ->
            (is_fo_term_free_var_in_fo_formula x
               (rename_fo_formula v0.model_fo_formula_field identity identity)
               \/
               is_fo_term_free_var_in_fo_formula x
                 (rename_fo_formula v1.model_fo_formula_field identity
                    identity))
            && (x) <
            (res.nlfree_var_fo_term_set_abstraction_fo_formula_field)
          } ;
        assert {
          extensionalEqual (rename_subst_symbol subst_id_symbol identity)
            ((rename_subst_symbol (subst_id_symbol:(int)->(symbol (int)))
                identity))
          } ;
        assert { rename_subst_symbol subst_id_symbol identity =
          (rename_subst_symbol (subst_id_symbol:(int)->(symbol (int)))
             identity)
          } ;
        assert {
          extensionalEqual
            (rename_subst_fo_term subst_id_fo_term identity identity)
            ((rename_subst_fo_term
                (subst_id_fo_term:(int)->(fo_term (int) (int))) identity
                identity))
          } ;
        assert { rename_subst_fo_term subst_id_fo_term identity identity =
          (rename_subst_fo_term
             (subst_id_fo_term:(int)->(fo_term (int) (int))) identity
             identity)
          } ;
        model_equal_fo_formula v0.nlrepr_fo_formula_field
          (rename_subst_symbol subst_id_symbol identity)
          (rename_subst_symbol subst_id_symbol identity)
          ((rename_subst_symbol (const (Var_symbol (-1))) identity))
          (rename_subst_symbol (const (Var_symbol (-1))) identity)
          (rename_subst_fo_term subst_id_fo_term identity identity)
          (rename_subst_fo_term subst_id_fo_term identity identity)
          ((rename_subst_fo_term (const (Var_fo_term (-1))) identity
             identity))
          (rename_subst_fo_term (const (Var_fo_term (-1))) identity identity) ;
        (*assert {
            extensionalEqual (rcompose (identity) (identity))
              ((identity : (int) -> (int)))
            } ;
        assert { rcompose (identity) (identity) = (identity : (int) -> (int))
          } ;*)
        (*assert {
            extensionalEqual (rcompose (identity) (identity))
              ((identity : (int) -> (int)))
            } ;
        assert { rcompose (identity) (identity) = (identity : (int) -> (int))
          } ;*)
        assert {
          extensionalEqual (rename_subst_symbol subst_id_symbol identity)
            ((rename_subst_symbol (subst_id_symbol:(int)->(symbol (int)))
                identity))
          } ;
        assert { rename_subst_symbol subst_id_symbol identity =
          (rename_subst_symbol (subst_id_symbol:(int)->(symbol (int)))
             identity)
          } ;
        assert {
          extensionalEqual
            (rename_subst_fo_term subst_id_fo_term identity identity)
            ((rename_subst_fo_term
                (subst_id_fo_term:(int)->(fo_term (int) (int))) identity
                identity))
          } ;
        assert { rename_subst_fo_term subst_id_fo_term identity identity =
          (rename_subst_fo_term
             (subst_id_fo_term:(int)->(fo_term (int) (int))) identity
             identity)
          } ;
        model_equal_fo_formula v1.nlrepr_fo_formula_field
          (rename_subst_symbol subst_id_symbol identity)
          (rename_subst_symbol subst_id_symbol identity)
          ((rename_subst_symbol (const (Var_symbol (-1))) identity))
          (rename_subst_symbol (const (Var_symbol (-1))) identity)
          (rename_subst_fo_term subst_id_fo_term identity identity)
          (rename_subst_fo_term subst_id_fo_term identity identity)
          ((rename_subst_fo_term (const (Var_fo_term (-1))) identity
             identity))
          (rename_subst_fo_term (const (Var_fo_term (-1))) identity identity) ;
        (*assert {
            extensionalEqual (rcompose (identity) (identity))
              ((identity : (int) -> (int)))
            } ;
        assert { rcompose (identity) (identity) = (identity : (int) -> (int))
          } ;*)
        (*assert {
            extensionalEqual (rcompose (identity) (identity))
              ((identity : (int) -> (int)))
            } ;
        assert { rcompose (identity) (identity) = (identity : (int) -> (int))
          } ;*)
        res
      | NLC_Or v0 v1 -> assert { nlimpl_fo_formula_ok v0 } ;
        assert { nlimpl_fo_formula_ok v1 } ;
        let res =
          {
            nlrepr_fo_formula_field =
              (NL_Or (let v0 = v0.nlrepr_fo_formula_field in v0)
                 (let v1 = v1.nlrepr_fo_formula_field in v1)) ;
            nlfree_var_symbol_set_abstraction_fo_formula_field =
              (let aux (a:int) (b:int) : int
                 ensures { result >= a /\ result >= b } =
                 if a < b then b else a in
                 aux (v0.nlfree_var_symbol_set_abstraction_fo_formula_field)
                   (v1.nlfree_var_symbol_set_abstraction_fo_formula_field)) ;
            nlfree_var_fo_term_set_abstraction_fo_formula_field =
              (let aux (a:int) (b:int) : int
                 ensures { result >= a /\ result >= b } =
                 if a < b then b else a in
                 aux (v0.nlfree_var_fo_term_set_abstraction_fo_formula_field)
                   (v1.nlfree_var_fo_term_set_abstraction_fo_formula_field)) ;
            model_fo_formula_field = ghost
              (Or
                 (rename_fo_formula v0.model_fo_formula_field identity
                    identity)
                 (rename_fo_formula v1.model_fo_formula_field identity
                    identity)) ;
          }
        in
        assert {
          forall x:int.
            is_symbol_free_var_in_fo_formula x
              (rename_fo_formula v0.model_fo_formula_field identity identity)
            ->
            (forall y:int.
               (is_symbol_free_var_in_fo_formula y v0.model_fo_formula_field
               /\ eval (identity) y = x) -> x = eval (identity) y &&
               x = y &&
               is_symbol_free_var_in_fo_formula x v0.model_fo_formula_field)
            && is_symbol_free_var_in_fo_formula x v0.model_fo_formula_field
            && (x) < (v0.nlfree_var_symbol_set_abstraction_fo_formula_field)
            && (x) < (res.nlfree_var_symbol_set_abstraction_fo_formula_field)
          } ;
        assert {
          forall x:int.
            is_fo_term_free_var_in_fo_formula x
              (rename_fo_formula v0.model_fo_formula_field identity identity)
            ->
            (forall y:int.
               (is_fo_term_free_var_in_fo_formula y v0.model_fo_formula_field
               /\ eval (identity) y = x) -> x = eval (identity) y &&
               x = y &&
               is_fo_term_free_var_in_fo_formula x v0.model_fo_formula_field)
            && is_fo_term_free_var_in_fo_formula x v0.model_fo_formula_field
            && (x) < (v0.nlfree_var_fo_term_set_abstraction_fo_formula_field)
            && (x) <
            (res.nlfree_var_fo_term_set_abstraction_fo_formula_field)
          } ;
        assert {
          forall x:int.
            is_symbol_free_var_in_fo_formula x
              (rename_fo_formula v1.model_fo_formula_field identity identity)
            ->
            (forall y:int.
               (is_symbol_free_var_in_fo_formula y v1.model_fo_formula_field
               /\ eval (identity) y = x) -> x = eval (identity) y &&
               x = y &&
               is_symbol_free_var_in_fo_formula x v1.model_fo_formula_field)
            && is_symbol_free_var_in_fo_formula x v1.model_fo_formula_field
            && (x) < (v1.nlfree_var_symbol_set_abstraction_fo_formula_field)
            && (x) < (res.nlfree_var_symbol_set_abstraction_fo_formula_field)
          } ;
        assert {
          forall x:int.
            is_fo_term_free_var_in_fo_formula x
              (rename_fo_formula v1.model_fo_formula_field identity identity)
            ->
            (forall y:int.
               (is_fo_term_free_var_in_fo_formula y v1.model_fo_formula_field
               /\ eval (identity) y = x) -> x = eval (identity) y &&
               x = y &&
               is_fo_term_free_var_in_fo_formula x v1.model_fo_formula_field)
            && is_fo_term_free_var_in_fo_formula x v1.model_fo_formula_field
            && (x) < (v1.nlfree_var_fo_term_set_abstraction_fo_formula_field)
            && (x) <
            (res.nlfree_var_fo_term_set_abstraction_fo_formula_field)
          } ;
        assert {
          forall x:int.
            is_symbol_free_var_in_fo_formula x res.model_fo_formula_field ->
            (is_symbol_free_var_in_fo_formula x
               (rename_fo_formula v0.model_fo_formula_field identity identity)
               \/
               is_symbol_free_var_in_fo_formula x
                 (rename_fo_formula v1.model_fo_formula_field identity
                    identity))
            && (x) < (res.nlfree_var_symbol_set_abstraction_fo_formula_field)
          } ;
        assert {
          forall x:int.
            is_fo_term_free_var_in_fo_formula x res.model_fo_formula_field ->
            (is_fo_term_free_var_in_fo_formula x
               (rename_fo_formula v0.model_fo_formula_field identity identity)
               \/
               is_fo_term_free_var_in_fo_formula x
                 (rename_fo_formula v1.model_fo_formula_field identity
                    identity))
            && (x) <
            (res.nlfree_var_fo_term_set_abstraction_fo_formula_field)
          } ;
        assert {
          extensionalEqual (rename_subst_symbol subst_id_symbol identity)
            ((rename_subst_symbol (subst_id_symbol:(int)->(symbol (int)))
                identity))
          } ;
        assert { rename_subst_symbol subst_id_symbol identity =
          (rename_subst_symbol (subst_id_symbol:(int)->(symbol (int)))
             identity)
          } ;
        assert {
          extensionalEqual
            (rename_subst_fo_term subst_id_fo_term identity identity)
            ((rename_subst_fo_term
                (subst_id_fo_term:(int)->(fo_term (int) (int))) identity
                identity))
          } ;
        assert { rename_subst_fo_term subst_id_fo_term identity identity =
          (rename_subst_fo_term
             (subst_id_fo_term:(int)->(fo_term (int) (int))) identity
             identity)
          } ;
        model_equal_fo_formula v0.nlrepr_fo_formula_field
          (rename_subst_symbol subst_id_symbol identity)
          (rename_subst_symbol subst_id_symbol identity)
          ((rename_subst_symbol (const (Var_symbol (-1))) identity))
          (rename_subst_symbol (const (Var_symbol (-1))) identity)
          (rename_subst_fo_term subst_id_fo_term identity identity)
          (rename_subst_fo_term subst_id_fo_term identity identity)
          ((rename_subst_fo_term (const (Var_fo_term (-1))) identity
             identity))
          (rename_subst_fo_term (const (Var_fo_term (-1))) identity identity) ;
        (*assert {
            extensionalEqual (rcompose (identity) (identity))
              ((identity : (int) -> (int)))
            } ;
        assert { rcompose (identity) (identity) = (identity : (int) -> (int))
          } ;*)
        (*assert {
            extensionalEqual (rcompose (identity) (identity))
              ((identity : (int) -> (int)))
            } ;
        assert { rcompose (identity) (identity) = (identity : (int) -> (int))
          } ;*)
        assert {
          extensionalEqual (rename_subst_symbol subst_id_symbol identity)
            ((rename_subst_symbol (subst_id_symbol:(int)->(symbol (int)))
                identity))
          } ;
        assert { rename_subst_symbol subst_id_symbol identity =
          (rename_subst_symbol (subst_id_symbol:(int)->(symbol (int)))
             identity)
          } ;
        assert {
          extensionalEqual
            (rename_subst_fo_term subst_id_fo_term identity identity)
            ((rename_subst_fo_term
                (subst_id_fo_term:(int)->(fo_term (int) (int))) identity
                identity))
          } ;
        assert { rename_subst_fo_term subst_id_fo_term identity identity =
          (rename_subst_fo_term
             (subst_id_fo_term:(int)->(fo_term (int) (int))) identity
             identity)
          } ;
        model_equal_fo_formula v1.nlrepr_fo_formula_field
          (rename_subst_symbol subst_id_symbol identity)
          (rename_subst_symbol subst_id_symbol identity)
          ((rename_subst_symbol (const (Var_symbol (-1))) identity))
          (rename_subst_symbol (const (Var_symbol (-1))) identity)
          (rename_subst_fo_term subst_id_fo_term identity identity)
          (rename_subst_fo_term subst_id_fo_term identity identity)
          ((rename_subst_fo_term (const (Var_fo_term (-1))) identity
             identity))
          (rename_subst_fo_term (const (Var_fo_term (-1))) identity identity) ;
        (*assert {
            extensionalEqual (rcompose (identity) (identity))
              ((identity : (int) -> (int)))
            } ;
        assert { rcompose (identity) (identity) = (identity : (int) -> (int))
          } ;*)
        (*assert {
            extensionalEqual (rcompose (identity) (identity))
              ((identity : (int) -> (int)))
            } ;
        assert { rcompose (identity) (identity) = (identity : (int) -> (int))
          } ;*)
        res
      | NLC_Not v0 -> assert { nlimpl_fo_formula_ok v0 } ;
        let res =
          {
            nlrepr_fo_formula_field =
              (NL_Not (let v0 = v0.nlrepr_fo_formula_field in v0)) ;
            nlfree_var_symbol_set_abstraction_fo_formula_field =
              v0.nlfree_var_symbol_set_abstraction_fo_formula_field ;
            nlfree_var_fo_term_set_abstraction_fo_formula_field =
              v0.nlfree_var_fo_term_set_abstraction_fo_formula_field ;
            model_fo_formula_field = ghost
              (Not
                 (rename_fo_formula v0.model_fo_formula_field identity
                    identity)) ;
          }
        in
        assert {
          forall x:int.
            is_symbol_free_var_in_fo_formula x
              (rename_fo_formula v0.model_fo_formula_field identity identity)
            ->
            (forall y:int.
               (is_symbol_free_var_in_fo_formula y v0.model_fo_formula_field
               /\ eval (identity) y = x) -> x = eval (identity) y &&
               x = y &&
               is_symbol_free_var_in_fo_formula x v0.model_fo_formula_field)
            && is_symbol_free_var_in_fo_formula x v0.model_fo_formula_field
            && (x) < (v0.nlfree_var_symbol_set_abstraction_fo_formula_field)
            && (x) < (res.nlfree_var_symbol_set_abstraction_fo_formula_field)
          } ;
        assert {
          forall x:int.
            is_fo_term_free_var_in_fo_formula x
              (rename_fo_formula v0.model_fo_formula_field identity identity)
            ->
            (forall y:int.
               (is_fo_term_free_var_in_fo_formula y v0.model_fo_formula_field
               /\ eval (identity) y = x) -> x = eval (identity) y &&
               x = y &&
               is_fo_term_free_var_in_fo_formula x v0.model_fo_formula_field)
            && is_fo_term_free_var_in_fo_formula x v0.model_fo_formula_field
            && (x) < (v0.nlfree_var_fo_term_set_abstraction_fo_formula_field)
            && (x) <
            (res.nlfree_var_fo_term_set_abstraction_fo_formula_field)
          } ;
        assert {
          forall x:int.
            is_symbol_free_var_in_fo_formula x res.model_fo_formula_field ->
            (is_symbol_free_var_in_fo_formula x
               (rename_fo_formula v0.model_fo_formula_field identity identity))
            && (x) < (res.nlfree_var_symbol_set_abstraction_fo_formula_field)
          } ;
        assert {
          forall x:int.
            is_fo_term_free_var_in_fo_formula x res.model_fo_formula_field ->
            (is_fo_term_free_var_in_fo_formula x
               (rename_fo_formula v0.model_fo_formula_field identity identity))
            && (x) <
            (res.nlfree_var_fo_term_set_abstraction_fo_formula_field)
          } ;
        assert {
          extensionalEqual (rename_subst_symbol subst_id_symbol identity)
            ((rename_subst_symbol (subst_id_symbol:(int)->(symbol (int)))
                identity))
          } ;
        assert { rename_subst_symbol subst_id_symbol identity =
          (rename_subst_symbol (subst_id_symbol:(int)->(symbol (int)))
             identity)
          } ;
        assert {
          extensionalEqual
            (rename_subst_fo_term subst_id_fo_term identity identity)
            ((rename_subst_fo_term
                (subst_id_fo_term:(int)->(fo_term (int) (int))) identity
                identity))
          } ;
        assert { rename_subst_fo_term subst_id_fo_term identity identity =
          (rename_subst_fo_term
             (subst_id_fo_term:(int)->(fo_term (int) (int))) identity
             identity)
          } ;
        model_equal_fo_formula v0.nlrepr_fo_formula_field
          (rename_subst_symbol subst_id_symbol identity)
          (rename_subst_symbol subst_id_symbol identity)
          ((rename_subst_symbol (const (Var_symbol (-1))) identity))
          (rename_subst_symbol (const (Var_symbol (-1))) identity)
          (rename_subst_fo_term subst_id_fo_term identity identity)
          (rename_subst_fo_term subst_id_fo_term identity identity)
          ((rename_subst_fo_term (const (Var_fo_term (-1))) identity
             identity))
          (rename_subst_fo_term (const (Var_fo_term (-1))) identity identity) ;
        (*assert {
            extensionalEqual (rcompose (identity) (identity))
              ((identity : (int) -> (int)))
            } ;
        assert { rcompose (identity) (identity) = (identity : (int) -> (int))
          } ;*)
        (*assert {
            extensionalEqual (rcompose (identity) (identity))
              ((identity : (int) -> (int)))
            } ;
        assert { rcompose (identity) (identity) = (identity : (int) -> (int))
          } ;*)
        res
      | NLC_FTrue ->
        let res =
          { nlrepr_fo_formula_field = (NL_FTrue) ;
            nlfree_var_symbol_set_abstraction_fo_formula_field = 0 ;
            nlfree_var_fo_term_set_abstraction_fo_formula_field = 0 ;
            model_fo_formula_field = ghost (FTrue) ;
          }
        in
        assert {
          forall x:int.
            is_symbol_free_var_in_fo_formula x res.model_fo_formula_field ->
            (false) && (x) <
            (res.nlfree_var_symbol_set_abstraction_fo_formula_field)
          } ;
        assert {
          forall x:int.
            is_fo_term_free_var_in_fo_formula x res.model_fo_formula_field ->
            (false) && (x) <
            (res.nlfree_var_fo_term_set_abstraction_fo_formula_field)
          } ;
        res
      | NLC_FFalse ->
        let res =
          { nlrepr_fo_formula_field = (NL_FFalse) ;
            nlfree_var_symbol_set_abstraction_fo_formula_field = 0 ;
            nlfree_var_fo_term_set_abstraction_fo_formula_field = 0 ;
            model_fo_formula_field = ghost (FFalse) ;
          }
        in
        assert {
          forall x:int.
            is_symbol_free_var_in_fo_formula x res.model_fo_formula_field ->
            (false) && (x) <
            (res.nlfree_var_symbol_set_abstraction_fo_formula_field)
          } ;
        assert {
          forall x:int.
            is_fo_term_free_var_in_fo_formula x res.model_fo_formula_field ->
            (false) && (x) <
            (res.nlfree_var_fo_term_set_abstraction_fo_formula_field)
          } ;
        res
      | NLC_PApp v0 v1 -> assert { nlimpl_symbol_ok v0 } ;
        assert { nlimpl_fo_term_list_ok v1 } ;
        let res =
          {
            nlrepr_fo_formula_field =
              (NL_PApp (let v0 = v0.nlrepr_symbol_field in v0)
                 (let v1 = v1.nlrepr_fo_term_list_field in v1)) ;
            nlfree_var_symbol_set_abstraction_fo_formula_field =
              (let aux (a:int) (b:int) : int
                 ensures { result >= a /\ result >= b } =
                 if a < b then b else a in
                 aux (v0.nlfree_var_symbol_set_abstraction_symbol_field)
                   (v1.nlfree_var_symbol_set_abstraction_fo_term_list_field)) ;
            nlfree_var_fo_term_set_abstraction_fo_formula_field =
              v1.nlfree_var_fo_term_set_abstraction_fo_term_list_field ;
            model_fo_formula_field = ghost
              (PApp (rename_symbol v0.model_symbol_field identity)
                 (rename_fo_term_list v1.model_fo_term_list_field identity
                    identity)) ;
          }
        in
        assert {
          forall x:int.
            is_symbol_free_var_in_symbol x
              (rename_symbol v0.model_symbol_field identity)
            ->
            (forall y:int.
               (is_symbol_free_var_in_symbol y v0.model_symbol_field /\
               eval (identity) y = x) -> x = eval (identity) y && x = y &&
               is_symbol_free_var_in_symbol x v0.model_symbol_field)
            && is_symbol_free_var_in_symbol x v0.model_symbol_field && (x) <
            (v0.nlfree_var_symbol_set_abstraction_symbol_field) && (x) <
            (res.nlfree_var_symbol_set_abstraction_fo_formula_field)
          } ;
        assert {
          forall x:int.
            is_symbol_free_var_in_fo_term_list x
              (rename_fo_term_list v1.model_fo_term_list_field identity
                 identity)
            ->
            (forall y:int.
               (is_symbol_free_var_in_fo_term_list y
                  v1.model_fo_term_list_field
               /\ eval (identity) y = x) -> x = eval (identity) y &&
               x = y &&
               is_symbol_free_var_in_fo_term_list x
                 v1.model_fo_term_list_field)
            &&
            is_symbol_free_var_in_fo_term_list x v1.model_fo_term_list_field
            && (x) <
            (v1.nlfree_var_symbol_set_abstraction_fo_term_list_field) && (x)
            < (res.nlfree_var_symbol_set_abstraction_fo_formula_field)
          } ;
        assert {
          forall x:int.
            is_fo_term_free_var_in_fo_term_list x
              (rename_fo_term_list v1.model_fo_term_list_field identity
                 identity)
            ->
            (forall y:int.
               (is_fo_term_free_var_in_fo_term_list y
                  v1.model_fo_term_list_field
               /\ eval (identity) y = x) -> x = eval (identity) y &&
               x = y &&
               is_fo_term_free_var_in_fo_term_list x
                 v1.model_fo_term_list_field)
            &&
            is_fo_term_free_var_in_fo_term_list x v1.model_fo_term_list_field
            && (x) <
            (v1.nlfree_var_fo_term_set_abstraction_fo_term_list_field) && (x)
            < (res.nlfree_var_fo_term_set_abstraction_fo_formula_field)
          } ;
        assert {
          forall x:int.
            is_symbol_free_var_in_fo_formula x res.model_fo_formula_field ->
            (is_symbol_free_var_in_symbol x
               (rename_symbol v0.model_symbol_field identity) \/
               is_symbol_free_var_in_fo_term_list x
                 (rename_fo_term_list v1.model_fo_term_list_field identity
                    identity))
            && (x) < (res.nlfree_var_symbol_set_abstraction_fo_formula_field)
          } ;
        assert {
          forall x:int.
            is_fo_term_free_var_in_fo_formula x res.model_fo_formula_field ->
            (is_fo_term_free_var_in_fo_term_list x
               (rename_fo_term_list v1.model_fo_term_list_field identity
                  identity))
            && (x) <
            (res.nlfree_var_fo_term_set_abstraction_fo_formula_field)
          } ;
        assert {
          extensionalEqual (rename_subst_symbol subst_id_symbol identity)
            ((rename_subst_symbol (subst_id_symbol:(int)->(symbol (int)))
                identity))
          } ;
        assert { rename_subst_symbol subst_id_symbol identity =
          (rename_subst_symbol (subst_id_symbol:(int)->(symbol (int)))
             identity)
          } ;
        model_equal_symbol v0.nlrepr_symbol_field
          (rename_subst_symbol subst_id_symbol identity)
          (rename_subst_symbol subst_id_symbol identity)
          ((rename_subst_symbol (const (Var_symbol (-1))) identity))
          (rename_subst_symbol (const (Var_symbol (-1))) identity) ;
        (*assert {
            extensionalEqual (rcompose (identity) (identity))
              ((identity : (int) -> (int)))
            } ;
        assert { rcompose (identity) (identity) = (identity : (int) -> (int))
          } ;*)
        assert {
          extensionalEqual (rename_subst_symbol subst_id_symbol identity)
            ((rename_subst_symbol (subst_id_symbol:(int)->(symbol (int)))
                identity))
          } ;
        assert { rename_subst_symbol subst_id_symbol identity =
          (rename_subst_symbol (subst_id_symbol:(int)->(symbol (int)))
             identity)
          } ;
        assert {
          extensionalEqual
            (rename_subst_fo_term subst_id_fo_term identity identity)
            ((rename_subst_fo_term
                (subst_id_fo_term:(int)->(fo_term (int) (int))) identity
                identity))
          } ;
        assert { rename_subst_fo_term subst_id_fo_term identity identity =
          (rename_subst_fo_term
             (subst_id_fo_term:(int)->(fo_term (int) (int))) identity
             identity)
          } ;
        model_equal_fo_term_list v1.nlrepr_fo_term_list_field
          (rename_subst_symbol subst_id_symbol identity)
          (rename_subst_symbol subst_id_symbol identity)
          ((rename_subst_symbol (const (Var_symbol (-1))) identity))
          (rename_subst_symbol (const (Var_symbol (-1))) identity)
          (rename_subst_fo_term subst_id_fo_term identity identity)
          (rename_subst_fo_term subst_id_fo_term identity identity)
          ((rename_subst_fo_term (const (Var_fo_term (-1))) identity
             identity))
          (rename_subst_fo_term (const (Var_fo_term (-1))) identity identity) ;
        (*assert {
            extensionalEqual (rcompose (identity) (identity))
              ((identity : (int) -> (int)))
            } ;
        assert { rcompose (identity) (identity) = (identity : (int) -> (int))
          } ;*)
        (*assert {
            extensionalEqual (rcompose (identity) (identity))
              ((identity : (int) -> (int)))
            } ;
        assert { rcompose (identity) (identity) = (identity : (int) -> (int))
          } ;*)
        res
    end

  let destruct_fo_formula (t:nlimpl_fo_formula) : cons_fo_formula
    requires { nlimpl_fo_formula_ok t } ensures { cons_ok_fo_formula result }
    ensures { cons_rel_fo_formula result t }
    ensures { cons_open_rel_fo_formula result t } =
    let fv0 = t.nlfree_var_symbol_set_abstraction_fo_formula_field in
    let fv1 = t.nlfree_var_fo_term_set_abstraction_fo_formula_field in
    match t.nlrepr_fo_formula_field with
      | NL_Forall v0 ->
        let w0 = fv1 in
          let fv1 =
            (let aux (a:int) (b:int) : int
               ensures { result >= a /\ result >= b } =
               if a < b then b else a in aux ((1 + (w0))) (fv1))
          in
          assert { t.model_fo_formula_field =
            Forall
              (nlmodel_fo_formula v0
                 (rename_subst_symbol subst_id_symbol identity)
                 (rename_subst_symbol
                   (const (Var_symbol (-1)) : int -> (symbol int)) identity)
                 (rename_subst_fo_term subst_id_fo_term identity
                   (compose some identity))
                 (rename_subst_fo_term
                   (shiftb_fo_term
                     (const (Var_fo_term (-1)) : int -> (fo_term int int)))
                   identity identity))
            } ;
          let (mv0) =
            match t.model_fo_formula_field with | Forall x0 -> (x0)
              | Exists x0 -> absurd | And x0 x1 -> absurd
              | Or x0 x1 -> absurd | Not x0 -> absurd | FTrue -> absurd
              | FFalse -> absurd | PApp x0 x1 -> absurd
            end
          in
          assert { mv0 =
            nlmodel_fo_formula v0
              ((rename_subst_symbol subst_id_symbol identity))
              ((rename_subst_symbol
                 (const (Var_symbol (-1)) : int -> (symbol int)) identity))
              ((rename_subst_fo_term subst_id_fo_term identity
                 (compose some identity)))
              ((rename_subst_fo_term
                 (shiftb_fo_term
                   (const (Var_fo_term (-1)) : int -> (fo_term int int)))
                 identity identity))
            } ;
          assert { bound_depth_of_symbol_in_fo_formula v0 <= 0 } ;
          assert {
            forall x:int. is_symbol_free_var_in_fo_formula x mv0 ->
              is_symbol_free_var_in_fo_formula x t.model_fo_formula_field &&
              (x) < (t.nlfree_var_symbol_set_abstraction_fo_formula_field)
            } ;
          assert { bound_depth_of_fo_term_in_fo_formula v0 <= 1 } ;
          assert {
            forall x:(option int). is_fo_term_free_var_in_fo_formula x mv0 ->
              match x with | None -> true
                | Some x ->
                  is_fo_term_free_var_in_fo_formula x
                    t.model_fo_formula_field
                  && (x) <
                  (t.nlfree_var_fo_term_set_abstraction_fo_formula_field)
              end
            } ;
          assert {
            eval
              ((update (const (Var_fo_term (-1)) : int -> (fo_term int int))
                  0 (Var_fo_term w0)))
              0
            =
            (rename_fo_term (Var_fo_term None) (identity)
               ((ocase identity w0)))
            =
            eval
              (rename_subst_fo_term
                 ((rename_subst_fo_term
                    (shiftb_fo_term
                      (const (Var_fo_term (-1)) : int -> (fo_term int int)))
                    identity identity))
                 (identity) ((ocase identity w0)))
              0
            } ;
          model_equal_fo_formula v0 subst_id_symbol
            (rename_subst_symbol
               ((rename_subst_symbol subst_id_symbol identity)) (identity)) ((
            const (Var_symbol (-1)) : int -> (symbol int)))
            (rename_subst_symbol
               ((rename_subst_symbol
                  (const (Var_symbol (-1)) : int -> (symbol int)) identity))
               (identity))
            subst_id_fo_term
            (rename_subst_fo_term
               ((rename_subst_fo_term subst_id_fo_term identity
                  (compose some identity)))
               (identity) ((ocase identity w0))) ((update
                                                     (const
                                                        (Var_fo_term (-1)) :
                                                        int
                                                          -> (fo_term int int))
                                                     0 (Var_fo_term w0)))
            (rename_subst_fo_term
               ((rename_subst_fo_term
                  (shiftb_fo_term
                    (const (Var_fo_term (-1)) : int -> (fo_term int int)))
                  identity identity))
               (identity) ((ocase identity w0))) ;
          let ghost mrv0 = rename_fo_formula mv0 identity (ocase identity w0) in
          let v0 =
            unbind_var_fo_term_in_fo_formula v0 0 (NLFVar_fo_term w0)
              (ghost subst_id_symbol)
              (ghost (const (Var_symbol (-1)) : int -> (symbol int)))
              (ghost subst_id_fo_term)
              (ghost (const (Var_fo_term (-1)) : int -> (fo_term int int)))
              (ghost (const (Var_symbol (-1)) : int -> (symbol int)))
              (ghost (const (Var_fo_term (-1)) : int -> (fo_term int int)))
          in
          let resv0 =
            { nlrepr_fo_formula_field = v0 ;
              nlfree_var_symbol_set_abstraction_fo_formula_field = fv0 ;
              nlfree_var_fo_term_set_abstraction_fo_formula_field = fv1 ;
              model_fo_formula_field = ghost mrv0 ;
            }
          in let res = NLC_Forall w0 resv0 in
          assert {
            forall x:(option int). is_fo_term_free_var_in_fo_formula x mv0 ->
              match x with
                | None -> eval (identity) (None) =
                  eval ((update (compose some identity) w0 None)) w0 =
                  eval
                    (rcompose ((ocase identity w0))
                       ((update (compose some identity) w0 None)))
                    (None)
                | Some x -> x <> w0 && eval (identity) ((Some x)) =
                  eval ((update (compose some identity) w0 None)) x =
                  eval
                    (rcompose ((ocase identity w0))
                       ((update (compose some identity) w0 None)))
                    ((Some x))
              end
            } ;
          free_var_equivalence_of_rename_fo_formula mv0 (identity)
            (rcompose (identity) (identity)) (identity)
            (rcompose ((ocase identity w0))
               ((update (compose some identity) w0 None))) ;
          assert {
            forall x:int. is_symbol_free_var_in_fo_formula x mrv0 ->
              (forall y:int.
                 (is_symbol_free_var_in_fo_formula y mv0 /\ eval (identity) y
                    = x)
                 -> x = y &&
                 is_symbol_free_var_in_fo_formula x t.model_fo_formula_field
                 && (x) < (fv0))
              && (x) < (fv0)
            } ;
          assert {
            forall x:int. is_fo_term_free_var_in_fo_formula x mrv0 ->
              (forall y:(option int).
                 (is_fo_term_free_var_in_fo_formula y mv0 /\
                    eval ((ocase identity w0)) y = x)
                 ->
                 match y with | None -> x = w0 && (x) < (fv1)
                   | Some y -> x = y &&
                     is_fo_term_free_var_in_fo_formula x
                       t.model_fo_formula_field
                     && (x) < (fv1)
                 end )
              && (x) < (fv1)
            } ;
          res
      | NL_Exists v0 ->
        let w0 = fv1 in
          let fv1 =
            (let aux (a:int) (b:int) : int
               ensures { result >= a /\ result >= b } =
               if a < b then b else a in aux ((1 + (w0))) (fv1))
          in
          assert { t.model_fo_formula_field =
            Exists
              (nlmodel_fo_formula v0
                 (rename_subst_symbol subst_id_symbol identity)
                 (rename_subst_symbol
                   (const (Var_symbol (-1)) : int -> (symbol int)) identity)
                 (rename_subst_fo_term subst_id_fo_term identity
                   (compose some identity))
                 (rename_subst_fo_term
                   (shiftb_fo_term
                     (const (Var_fo_term (-1)) : int -> (fo_term int int)))
                   identity identity))
            } ;
          let (mv0) =
            match t.model_fo_formula_field with | Forall x0 -> absurd
              | Exists x0 -> (x0) | And x0 x1 -> absurd | Or x0 x1 -> absurd
              | Not x0 -> absurd | FTrue -> absurd | FFalse -> absurd
              | PApp x0 x1 -> absurd
            end
          in
          assert { mv0 =
            nlmodel_fo_formula v0
              ((rename_subst_symbol subst_id_symbol identity))
              ((rename_subst_symbol
                 (const (Var_symbol (-1)) : int -> (symbol int)) identity))
              ((rename_subst_fo_term subst_id_fo_term identity
                 (compose some identity)))
              ((rename_subst_fo_term
                 (shiftb_fo_term
                   (const (Var_fo_term (-1)) : int -> (fo_term int int)))
                 identity identity))
            } ;
          assert { bound_depth_of_symbol_in_fo_formula v0 <= 0 } ;
          assert {
            forall x:int. is_symbol_free_var_in_fo_formula x mv0 ->
              is_symbol_free_var_in_fo_formula x t.model_fo_formula_field &&
              (x) < (t.nlfree_var_symbol_set_abstraction_fo_formula_field)
            } ;
          assert { bound_depth_of_fo_term_in_fo_formula v0 <= 1 } ;
          assert {
            forall x:(option int). is_fo_term_free_var_in_fo_formula x mv0 ->
              match x with | None -> true
                | Some x ->
                  is_fo_term_free_var_in_fo_formula x
                    t.model_fo_formula_field
                  && (x) <
                  (t.nlfree_var_fo_term_set_abstraction_fo_formula_field)
              end
            } ;
          assert {
            eval
              ((update (const (Var_fo_term (-1)) : int -> (fo_term int int))
                  0 (Var_fo_term w0)))
              0
            =
            (rename_fo_term (Var_fo_term None) (identity)
               ((ocase identity w0)))
            =
            eval
              (rename_subst_fo_term
                 ((rename_subst_fo_term
                    (shiftb_fo_term
                      (const (Var_fo_term (-1)) : int -> (fo_term int int)))
                    identity identity))
                 (identity) ((ocase identity w0)))
              0
            } ;
          model_equal_fo_formula v0 subst_id_symbol
            (rename_subst_symbol
               ((rename_subst_symbol subst_id_symbol identity)) (identity)) ((
            const (Var_symbol (-1)) : int -> (symbol int)))
            (rename_subst_symbol
               ((rename_subst_symbol
                  (const (Var_symbol (-1)) : int -> (symbol int)) identity))
               (identity))
            subst_id_fo_term
            (rename_subst_fo_term
               ((rename_subst_fo_term subst_id_fo_term identity
                  (compose some identity)))
               (identity) ((ocase identity w0))) ((update
                                                     (const
                                                        (Var_fo_term (-1)) :
                                                        int
                                                          -> (fo_term int int))
                                                     0 (Var_fo_term w0)))
            (rename_subst_fo_term
               ((rename_subst_fo_term
                  (shiftb_fo_term
                    (const (Var_fo_term (-1)) : int -> (fo_term int int)))
                  identity identity))
               (identity) ((ocase identity w0))) ;
          let ghost mrv0 = rename_fo_formula mv0 identity (ocase identity w0) in
          let v0 =
            unbind_var_fo_term_in_fo_formula v0 0 (NLFVar_fo_term w0)
              (ghost subst_id_symbol)
              (ghost (const (Var_symbol (-1)) : int -> (symbol int)))
              (ghost subst_id_fo_term)
              (ghost (const (Var_fo_term (-1)) : int -> (fo_term int int)))
              (ghost (const (Var_symbol (-1)) : int -> (symbol int)))
              (ghost (const (Var_fo_term (-1)) : int -> (fo_term int int)))
          in
          let resv0 =
            { nlrepr_fo_formula_field = v0 ;
              nlfree_var_symbol_set_abstraction_fo_formula_field = fv0 ;
              nlfree_var_fo_term_set_abstraction_fo_formula_field = fv1 ;
              model_fo_formula_field = ghost mrv0 ;
            }
          in let res = NLC_Exists w0 resv0 in
          assert {
            forall x:(option int). is_fo_term_free_var_in_fo_formula x mv0 ->
              match x with
                | None -> eval (identity) (None) =
                  eval ((update (compose some identity) w0 None)) w0 =
                  eval
                    (rcompose ((ocase identity w0))
                       ((update (compose some identity) w0 None)))
                    (None)
                | Some x -> x <> w0 && eval (identity) ((Some x)) =
                  eval ((update (compose some identity) w0 None)) x =
                  eval
                    (rcompose ((ocase identity w0))
                       ((update (compose some identity) w0 None)))
                    ((Some x))
              end
            } ;
          free_var_equivalence_of_rename_fo_formula mv0 (identity)
            (rcompose (identity) (identity)) (identity)
            (rcompose ((ocase identity w0))
               ((update (compose some identity) w0 None))) ;
          assert {
            forall x:int. is_symbol_free_var_in_fo_formula x mrv0 ->
              (forall y:int.
                 (is_symbol_free_var_in_fo_formula y mv0 /\ eval (identity) y
                    = x)
                 -> x = y &&
                 is_symbol_free_var_in_fo_formula x t.model_fo_formula_field
                 && (x) < (fv0))
              && (x) < (fv0)
            } ;
          assert {
            forall x:int. is_fo_term_free_var_in_fo_formula x mrv0 ->
              (forall y:(option int).
                 (is_fo_term_free_var_in_fo_formula y mv0 /\
                    eval ((ocase identity w0)) y = x)
                 ->
                 match y with | None -> x = w0 && (x) < (fv1)
                   | Some y -> x = y &&
                     is_fo_term_free_var_in_fo_formula x
                       t.model_fo_formula_field
                     && (x) < (fv1)
                 end )
              && (x) < (fv1)
            } ;
          res
      | NL_And v0 v1 ->
        assert { t.model_fo_formula_field =
          And
            (nlmodel_fo_formula v0
               (rename_subst_symbol subst_id_symbol identity)
               (rename_subst_symbol
                 (const (Var_symbol (-1)) : int -> (symbol int)) identity)
               (rename_subst_fo_term subst_id_fo_term identity identity)
               (rename_subst_fo_term
                 (const (Var_fo_term (-1)) : int -> (fo_term int int))
                 identity identity))
            (nlmodel_fo_formula v1
               (rename_subst_symbol subst_id_symbol identity)
               (rename_subst_symbol
                 (const (Var_symbol (-1)) : int -> (symbol int)) identity)
               (rename_subst_fo_term subst_id_fo_term identity identity)
               (rename_subst_fo_term
                 (const (Var_fo_term (-1)) : int -> (fo_term int int))
                 identity identity))
          } ;
          let (mv0 , mv1) =
            match t.model_fo_formula_field with | Forall x0 -> absurd
              | Exists x0 -> absurd | And x0 x1 -> (x0 , x1)
              | Or x0 x1 -> absurd | Not x0 -> absurd | FTrue -> absurd
              | FFalse -> absurd | PApp x0 x1 -> absurd
            end
          in
          assert { mv0 =
            nlmodel_fo_formula v0
              ((rename_subst_symbol subst_id_symbol identity))
              ((rename_subst_symbol
                 (const (Var_symbol (-1)) : int -> (symbol int)) identity))
              ((rename_subst_fo_term subst_id_fo_term identity identity))
              ((rename_subst_fo_term
                 (const (Var_fo_term (-1)) : int -> (fo_term int int))
                 identity identity))
            } ;
          assert { mv1 =
            nlmodel_fo_formula v1
              ((rename_subst_symbol subst_id_symbol identity))
              ((rename_subst_symbol
                 (const (Var_symbol (-1)) : int -> (symbol int)) identity))
              ((rename_subst_fo_term subst_id_fo_term identity identity))
              ((rename_subst_fo_term
                 (const (Var_fo_term (-1)) : int -> (fo_term int int))
                 identity identity))
            } ;
          assert { bound_depth_of_symbol_in_fo_formula v0 <= 0 } ;
          assert {
            forall x:int. is_symbol_free_var_in_fo_formula x mv0 ->
              is_symbol_free_var_in_fo_formula x t.model_fo_formula_field &&
              (x) < (t.nlfree_var_symbol_set_abstraction_fo_formula_field)
            } ;
          assert { bound_depth_of_fo_term_in_fo_formula v0 <= 0 } ;
          assert {
            forall x:int. is_fo_term_free_var_in_fo_formula x mv0 ->
              is_fo_term_free_var_in_fo_formula x t.model_fo_formula_field &&
              (x) < (t.nlfree_var_fo_term_set_abstraction_fo_formula_field)
            } ;
          assert { bound_depth_of_symbol_in_fo_formula v1 <= 0 } ;
          assert {
            forall x:int. is_symbol_free_var_in_fo_formula x mv1 ->
              is_symbol_free_var_in_fo_formula x t.model_fo_formula_field &&
              (x) < (t.nlfree_var_symbol_set_abstraction_fo_formula_field)
            } ;
          assert { bound_depth_of_fo_term_in_fo_formula v1 <= 0 } ;
          assert {
            forall x:int. is_fo_term_free_var_in_fo_formula x mv1 ->
              is_fo_term_free_var_in_fo_formula x t.model_fo_formula_field &&
              (x) < (t.nlfree_var_fo_term_set_abstraction_fo_formula_field)
            } ;
          model_equal_fo_formula v0 subst_id_symbol
            (rename_subst_symbol
               ((rename_subst_symbol subst_id_symbol identity)) (identity)) ((
            const (Var_symbol (-1)) : int -> (symbol int)))
            (rename_subst_symbol
               ((rename_subst_symbol
                  (const (Var_symbol (-1)) : int -> (symbol int)) identity))
               (identity))
            subst_id_fo_term
            (rename_subst_fo_term
               ((rename_subst_fo_term subst_id_fo_term identity identity))
               (identity) (identity)) ((const (Var_fo_term (-1)) :
                                          int -> (fo_term int int)))
            (rename_subst_fo_term
               ((rename_subst_fo_term
                  (const (Var_fo_term (-1)) : int -> (fo_term int int))
                  identity identity))
               (identity) (identity)) ;
          model_equal_fo_formula v1 subst_id_symbol
            (rename_subst_symbol
               ((rename_subst_symbol subst_id_symbol identity)) (identity)) ((
            const (Var_symbol (-1)) : int -> (symbol int)))
            (rename_subst_symbol
               ((rename_subst_symbol
                  (const (Var_symbol (-1)) : int -> (symbol int)) identity))
               (identity))
            subst_id_fo_term
            (rename_subst_fo_term
               ((rename_subst_fo_term subst_id_fo_term identity identity))
               (identity) (identity)) ((const (Var_fo_term (-1)) :
                                          int -> (fo_term int int)))
            (rename_subst_fo_term
               ((rename_subst_fo_term
                  (const (Var_fo_term (-1)) : int -> (fo_term int int))
                  identity identity))
               (identity) (identity)) ;
          let ghost mrv0 = rename_fo_formula mv0 identity identity in
          let ghost mrv1 = rename_fo_formula mv1 identity identity in
          let resv0 =
            { nlrepr_fo_formula_field = v0 ;
              nlfree_var_symbol_set_abstraction_fo_formula_field = fv0 ;
              nlfree_var_fo_term_set_abstraction_fo_formula_field = fv1 ;
              model_fo_formula_field = ghost mrv0 ;
            }
          in
          let resv1 =
            { nlrepr_fo_formula_field = v1 ;
              nlfree_var_symbol_set_abstraction_fo_formula_field = fv0 ;
              nlfree_var_fo_term_set_abstraction_fo_formula_field = fv1 ;
              model_fo_formula_field = ghost mrv1 ;
            }
          in let res = NLC_And resv0 resv1 in
          free_var_equivalence_of_rename_fo_formula mv0 (identity)
            (rcompose (identity) (identity)) (identity)
            (rcompose (identity) (identity)) ;
          free_var_equivalence_of_rename_fo_formula mv1 (identity)
            (rcompose (identity) (identity)) (identity)
            (rcompose (identity) (identity)) ;
          assert {
            forall x:int. is_symbol_free_var_in_fo_formula x mrv0 ->
              (forall y:int.
                 (is_symbol_free_var_in_fo_formula y mv0 /\ eval (identity) y
                    = x)
                 -> x = y &&
                 is_symbol_free_var_in_fo_formula x t.model_fo_formula_field
                 && (x) < (fv0))
              && (x) < (fv0)
            } ;
          assert {
            forall x:int. is_fo_term_free_var_in_fo_formula x mrv0 ->
              (forall y:int.
                 (is_fo_term_free_var_in_fo_formula y mv0 /\
                    eval (identity) y = x)
                 -> x = y &&
                 is_fo_term_free_var_in_fo_formula x t.model_fo_formula_field
                 && (x) < (fv1))
              && (x) < (fv1)
            } ;
          assert {
            forall x:int. is_symbol_free_var_in_fo_formula x mrv1 ->
              (forall y:int.
                 (is_symbol_free_var_in_fo_formula y mv1 /\ eval (identity) y
                    = x)
                 -> x = y &&
                 is_symbol_free_var_in_fo_formula x t.model_fo_formula_field
                 && (x) < (fv0))
              && (x) < (fv0)
            } ;
          assert {
            forall x:int. is_fo_term_free_var_in_fo_formula x mrv1 ->
              (forall y:int.
                 (is_fo_term_free_var_in_fo_formula y mv1 /\
                    eval (identity) y = x)
                 -> x = y &&
                 is_fo_term_free_var_in_fo_formula x t.model_fo_formula_field
                 && (x) < (fv1))
              && (x) < (fv1)
            } ;
          res
      | NL_Or v0 v1 ->
        assert { t.model_fo_formula_field =
          Or
            (nlmodel_fo_formula v0
               (rename_subst_symbol subst_id_symbol identity)
               (rename_subst_symbol
                 (const (Var_symbol (-1)) : int -> (symbol int)) identity)
               (rename_subst_fo_term subst_id_fo_term identity identity)
               (rename_subst_fo_term
                 (const (Var_fo_term (-1)) : int -> (fo_term int int))
                 identity identity))
            (nlmodel_fo_formula v1
               (rename_subst_symbol subst_id_symbol identity)
               (rename_subst_symbol
                 (const (Var_symbol (-1)) : int -> (symbol int)) identity)
               (rename_subst_fo_term subst_id_fo_term identity identity)
               (rename_subst_fo_term
                 (const (Var_fo_term (-1)) : int -> (fo_term int int))
                 identity identity))
          } ;
          let (mv0 , mv1) =
            match t.model_fo_formula_field with | Forall x0 -> absurd
              | Exists x0 -> absurd | And x0 x1 -> absurd
              | Or x0 x1 -> (x0 , x1) | Not x0 -> absurd | FTrue -> absurd
              | FFalse -> absurd | PApp x0 x1 -> absurd
            end
          in
          assert { mv0 =
            nlmodel_fo_formula v0
              ((rename_subst_symbol subst_id_symbol identity))
              ((rename_subst_symbol
                 (const (Var_symbol (-1)) : int -> (symbol int)) identity))
              ((rename_subst_fo_term subst_id_fo_term identity identity))
              ((rename_subst_fo_term
                 (const (Var_fo_term (-1)) : int -> (fo_term int int))
                 identity identity))
            } ;
          assert { mv1 =
            nlmodel_fo_formula v1
              ((rename_subst_symbol subst_id_symbol identity))
              ((rename_subst_symbol
                 (const (Var_symbol (-1)) : int -> (symbol int)) identity))
              ((rename_subst_fo_term subst_id_fo_term identity identity))
              ((rename_subst_fo_term
                 (const (Var_fo_term (-1)) : int -> (fo_term int int))
                 identity identity))
            } ;
          assert { bound_depth_of_symbol_in_fo_formula v0 <= 0 } ;
          assert {
            forall x:int. is_symbol_free_var_in_fo_formula x mv0 ->
              is_symbol_free_var_in_fo_formula x t.model_fo_formula_field &&
              (x) < (t.nlfree_var_symbol_set_abstraction_fo_formula_field)
            } ;
          assert { bound_depth_of_fo_term_in_fo_formula v0 <= 0 } ;
          assert {
            forall x:int. is_fo_term_free_var_in_fo_formula x mv0 ->
              is_fo_term_free_var_in_fo_formula x t.model_fo_formula_field &&
              (x) < (t.nlfree_var_fo_term_set_abstraction_fo_formula_field)
            } ;
          assert { bound_depth_of_symbol_in_fo_formula v1 <= 0 } ;
          assert {
            forall x:int. is_symbol_free_var_in_fo_formula x mv1 ->
              is_symbol_free_var_in_fo_formula x t.model_fo_formula_field &&
              (x) < (t.nlfree_var_symbol_set_abstraction_fo_formula_field)
            } ;
          assert { bound_depth_of_fo_term_in_fo_formula v1 <= 0 } ;
          assert {
            forall x:int. is_fo_term_free_var_in_fo_formula x mv1 ->
              is_fo_term_free_var_in_fo_formula x t.model_fo_formula_field &&
              (x) < (t.nlfree_var_fo_term_set_abstraction_fo_formula_field)
            } ;
          model_equal_fo_formula v0 subst_id_symbol
            (rename_subst_symbol
               ((rename_subst_symbol subst_id_symbol identity)) (identity)) ((
            const (Var_symbol (-1)) : int -> (symbol int)))
            (rename_subst_symbol
               ((rename_subst_symbol
                  (const (Var_symbol (-1)) : int -> (symbol int)) identity))
               (identity))
            subst_id_fo_term
            (rename_subst_fo_term
               ((rename_subst_fo_term subst_id_fo_term identity identity))
               (identity) (identity)) ((const (Var_fo_term (-1)) :
                                          int -> (fo_term int int)))
            (rename_subst_fo_term
               ((rename_subst_fo_term
                  (const (Var_fo_term (-1)) : int -> (fo_term int int))
                  identity identity))
               (identity) (identity)) ;
          model_equal_fo_formula v1 subst_id_symbol
            (rename_subst_symbol
               ((rename_subst_symbol subst_id_symbol identity)) (identity)) ((
            const (Var_symbol (-1)) : int -> (symbol int)))
            (rename_subst_symbol
               ((rename_subst_symbol
                  (const (Var_symbol (-1)) : int -> (symbol int)) identity))
               (identity))
            subst_id_fo_term
            (rename_subst_fo_term
               ((rename_subst_fo_term subst_id_fo_term identity identity))
               (identity) (identity)) ((const (Var_fo_term (-1)) :
                                          int -> (fo_term int int)))
            (rename_subst_fo_term
               ((rename_subst_fo_term
                  (const (Var_fo_term (-1)) : int -> (fo_term int int))
                  identity identity))
               (identity) (identity)) ;
          let ghost mrv0 = rename_fo_formula mv0 identity identity in
          let ghost mrv1 = rename_fo_formula mv1 identity identity in
          let resv0 =
            { nlrepr_fo_formula_field = v0 ;
              nlfree_var_symbol_set_abstraction_fo_formula_field = fv0 ;
              nlfree_var_fo_term_set_abstraction_fo_formula_field = fv1 ;
              model_fo_formula_field = ghost mrv0 ;
            }
          in
          let resv1 =
            { nlrepr_fo_formula_field = v1 ;
              nlfree_var_symbol_set_abstraction_fo_formula_field = fv0 ;
              nlfree_var_fo_term_set_abstraction_fo_formula_field = fv1 ;
              model_fo_formula_field = ghost mrv1 ;
            }
          in let res = NLC_Or resv0 resv1 in
          free_var_equivalence_of_rename_fo_formula mv0 (identity)
            (rcompose (identity) (identity)) (identity)
            (rcompose (identity) (identity)) ;
          free_var_equivalence_of_rename_fo_formula mv1 (identity)
            (rcompose (identity) (identity)) (identity)
            (rcompose (identity) (identity)) ;
          assert {
            forall x:int. is_symbol_free_var_in_fo_formula x mrv0 ->
              (forall y:int.
                 (is_symbol_free_var_in_fo_formula y mv0 /\ eval (identity) y
                    = x)
                 -> x = y &&
                 is_symbol_free_var_in_fo_formula x t.model_fo_formula_field
                 && (x) < (fv0))
              && (x) < (fv0)
            } ;
          assert {
            forall x:int. is_fo_term_free_var_in_fo_formula x mrv0 ->
              (forall y:int.
                 (is_fo_term_free_var_in_fo_formula y mv0 /\
                    eval (identity) y = x)
                 -> x = y &&
                 is_fo_term_free_var_in_fo_formula x t.model_fo_formula_field
                 && (x) < (fv1))
              && (x) < (fv1)
            } ;
          assert {
            forall x:int. is_symbol_free_var_in_fo_formula x mrv1 ->
              (forall y:int.
                 (is_symbol_free_var_in_fo_formula y mv1 /\ eval (identity) y
                    = x)
                 -> x = y &&
                 is_symbol_free_var_in_fo_formula x t.model_fo_formula_field
                 && (x) < (fv0))
              && (x) < (fv0)
            } ;
          assert {
            forall x:int. is_fo_term_free_var_in_fo_formula x mrv1 ->
              (forall y:int.
                 (is_fo_term_free_var_in_fo_formula y mv1 /\
                    eval (identity) y = x)
                 -> x = y &&
                 is_fo_term_free_var_in_fo_formula x t.model_fo_formula_field
                 && (x) < (fv1))
              && (x) < (fv1)
            } ;
          res
      | NL_Not v0 ->
        assert { t.model_fo_formula_field =
          Not
            (nlmodel_fo_formula v0
               (rename_subst_symbol subst_id_symbol identity)
               (rename_subst_symbol
                 (const (Var_symbol (-1)) : int -> (symbol int)) identity)
               (rename_subst_fo_term subst_id_fo_term identity identity)
               (rename_subst_fo_term
                 (const (Var_fo_term (-1)) : int -> (fo_term int int))
                 identity identity))
          } ;
          let (mv0) =
            match t.model_fo_formula_field with | Forall x0 -> absurd
              | Exists x0 -> absurd | And x0 x1 -> absurd
              | Or x0 x1 -> absurd | Not x0 -> (x0) | FTrue -> absurd
              | FFalse -> absurd | PApp x0 x1 -> absurd
            end
          in
          assert { mv0 =
            nlmodel_fo_formula v0
              ((rename_subst_symbol subst_id_symbol identity))
              ((rename_subst_symbol
                 (const (Var_symbol (-1)) : int -> (symbol int)) identity))
              ((rename_subst_fo_term subst_id_fo_term identity identity))
              ((rename_subst_fo_term
                 (const (Var_fo_term (-1)) : int -> (fo_term int int))
                 identity identity))
            } ;
          assert { bound_depth_of_symbol_in_fo_formula v0 <= 0 } ;
          assert {
            forall x:int. is_symbol_free_var_in_fo_formula x mv0 ->
              is_symbol_free_var_in_fo_formula x t.model_fo_formula_field &&
              (x) < (t.nlfree_var_symbol_set_abstraction_fo_formula_field)
            } ;
          assert { bound_depth_of_fo_term_in_fo_formula v0 <= 0 } ;
          assert {
            forall x:int. is_fo_term_free_var_in_fo_formula x mv0 ->
              is_fo_term_free_var_in_fo_formula x t.model_fo_formula_field &&
              (x) < (t.nlfree_var_fo_term_set_abstraction_fo_formula_field)
            } ;
          model_equal_fo_formula v0 subst_id_symbol
            (rename_subst_symbol
               ((rename_subst_symbol subst_id_symbol identity)) (identity)) ((
            const (Var_symbol (-1)) : int -> (symbol int)))
            (rename_subst_symbol
               ((rename_subst_symbol
                  (const (Var_symbol (-1)) : int -> (symbol int)) identity))
               (identity))
            subst_id_fo_term
            (rename_subst_fo_term
               ((rename_subst_fo_term subst_id_fo_term identity identity))
               (identity) (identity)) ((const (Var_fo_term (-1)) :
                                          int -> (fo_term int int)))
            (rename_subst_fo_term
               ((rename_subst_fo_term
                  (const (Var_fo_term (-1)) : int -> (fo_term int int))
                  identity identity))
               (identity) (identity)) ;
          let ghost mrv0 = rename_fo_formula mv0 identity identity in
          let resv0 =
            { nlrepr_fo_formula_field = v0 ;
              nlfree_var_symbol_set_abstraction_fo_formula_field = fv0 ;
              nlfree_var_fo_term_set_abstraction_fo_formula_field = fv1 ;
              model_fo_formula_field = ghost mrv0 ;
            }
          in let res = NLC_Not resv0 in
          free_var_equivalence_of_rename_fo_formula mv0 (identity)
            (rcompose (identity) (identity)) (identity)
            (rcompose (identity) (identity)) ;
          assert {
            forall x:int. is_symbol_free_var_in_fo_formula x mrv0 ->
              (forall y:int.
                 (is_symbol_free_var_in_fo_formula y mv0 /\ eval (identity) y
                    = x)
                 -> x = y &&
                 is_symbol_free_var_in_fo_formula x t.model_fo_formula_field
                 && (x) < (fv0))
              && (x) < (fv0)
            } ;
          assert {
            forall x:int. is_fo_term_free_var_in_fo_formula x mrv0 ->
              (forall y:int.
                 (is_fo_term_free_var_in_fo_formula y mv0 /\
                    eval (identity) y = x)
                 -> x = y &&
                 is_fo_term_free_var_in_fo_formula x t.model_fo_formula_field
                 && (x) < (fv1))
              && (x) < (fv1)
            } ;
          res
      | NL_FTrue ->
        assert { t.model_fo_formula_field = FTrue } ;
          let () =
            match t.model_fo_formula_field with | Forall x0 -> absurd
              | Exists x0 -> absurd | And x0 x1 -> absurd
              | Or x0 x1 -> absurd | Not x0 -> absurd | FTrue -> ()
              | FFalse -> absurd | PApp x0 x1 -> absurd
            end
          in let res = NLC_FTrue in res
      | NL_FFalse ->
        assert { t.model_fo_formula_field = FFalse } ;
          let () =
            match t.model_fo_formula_field with | Forall x0 -> absurd
              | Exists x0 -> absurd | And x0 x1 -> absurd
              | Or x0 x1 -> absurd | Not x0 -> absurd | FTrue -> absurd
              | FFalse -> () | PApp x0 x1 -> absurd
            end
          in let res = NLC_FFalse in res
      | NL_PApp v0 v1 ->
        assert { t.model_fo_formula_field =
          PApp
            (nlmodel_symbol v0 (rename_subst_symbol subst_id_symbol identity)
               (rename_subst_symbol
                 (const (Var_symbol (-1)) : int -> (symbol int)) identity))
            (nlmodel_fo_term_list v1
               (rename_subst_symbol subst_id_symbol identity)
               (rename_subst_symbol
                 (const (Var_symbol (-1)) : int -> (symbol int)) identity)
               (rename_subst_fo_term subst_id_fo_term identity identity)
               (rename_subst_fo_term
                 (const (Var_fo_term (-1)) : int -> (fo_term int int))
                 identity identity))
          } ;
          let (mv0 , mv1) =
            match t.model_fo_formula_field with | Forall x0 -> absurd
              | Exists x0 -> absurd | And x0 x1 -> absurd
              | Or x0 x1 -> absurd | Not x0 -> absurd | FTrue -> absurd
              | FFalse -> absurd | PApp x0 x1 -> (x0 , x1)
            end
          in
          assert { mv0 =
            nlmodel_symbol v0
              ((rename_subst_symbol subst_id_symbol identity))
              ((rename_subst_symbol
                 (const (Var_symbol (-1)) : int -> (symbol int)) identity))
            } ;
          assert { mv1 =
            nlmodel_fo_term_list v1
              ((rename_subst_symbol subst_id_symbol identity))
              ((rename_subst_symbol
                 (const (Var_symbol (-1)) : int -> (symbol int)) identity))
              ((rename_subst_fo_term subst_id_fo_term identity identity))
              ((rename_subst_fo_term
                 (const (Var_fo_term (-1)) : int -> (fo_term int int))
                 identity identity))
            } ;
          assert { bound_depth_of_symbol_in_symbol v0 <= 0 } ;
          assert {
            forall x:int. is_symbol_free_var_in_symbol x mv0 ->
              is_symbol_free_var_in_fo_formula x t.model_fo_formula_field &&
              (x) < (t.nlfree_var_symbol_set_abstraction_fo_formula_field)
            } ;
          assert { bound_depth_of_symbol_in_fo_term_list v1 <= 0 } ;
          assert {
            forall x:int. is_symbol_free_var_in_fo_term_list x mv1 ->
              is_symbol_free_var_in_fo_formula x t.model_fo_formula_field &&
              (x) < (t.nlfree_var_symbol_set_abstraction_fo_formula_field)
            } ;
          assert { bound_depth_of_fo_term_in_fo_term_list v1 <= 0 } ;
          assert {
            forall x:int. is_fo_term_free_var_in_fo_term_list x mv1 ->
              is_fo_term_free_var_in_fo_formula x t.model_fo_formula_field &&
              (x) < (t.nlfree_var_fo_term_set_abstraction_fo_formula_field)
            } ;
          model_equal_symbol v0 subst_id_symbol
            (rename_subst_symbol
               ((rename_subst_symbol subst_id_symbol identity)) (identity)) ((
            const (Var_symbol (-1)) : int -> (symbol int)))
            (rename_subst_symbol
               ((rename_subst_symbol
                  (const (Var_symbol (-1)) : int -> (symbol int)) identity))
               (identity)) ;
          model_equal_fo_term_list v1 subst_id_symbol
            (rename_subst_symbol
               ((rename_subst_symbol subst_id_symbol identity)) (identity)) ((
            const (Var_symbol (-1)) : int -> (symbol int)))
            (rename_subst_symbol
               ((rename_subst_symbol
                  (const (Var_symbol (-1)) : int -> (symbol int)) identity))
               (identity))
            subst_id_fo_term
            (rename_subst_fo_term
               ((rename_subst_fo_term subst_id_fo_term identity identity))
               (identity) (identity)) ((const (Var_fo_term (-1)) :
                                          int -> (fo_term int int)))
            (rename_subst_fo_term
               ((rename_subst_fo_term
                  (const (Var_fo_term (-1)) : int -> (fo_term int int))
                  identity identity))
               (identity) (identity)) ;
          let ghost mrv0 = rename_symbol mv0 identity in
          let ghost mrv1 = rename_fo_term_list mv1 identity identity in
          let resv0 =
            { nlrepr_symbol_field = v0 ;
              nlfree_var_symbol_set_abstraction_symbol_field = fv0 ;
              model_symbol_field = ghost mrv0 ;
            }
          in
          let resv1 =
            { nlrepr_fo_term_list_field = v1 ;
              nlfree_var_symbol_set_abstraction_fo_term_list_field = fv0 ;
              nlfree_var_fo_term_set_abstraction_fo_term_list_field = fv1 ;
              model_fo_term_list_field = ghost mrv1 ;
            }
          in let res = NLC_PApp resv0 resv1 in
          free_var_equivalence_of_rename_symbol mv0 (identity)
            (rcompose (identity) (identity)) ;
          free_var_equivalence_of_rename_fo_term_list mv1 (identity)
            (rcompose (identity) (identity)) (identity)
            (rcompose (identity) (identity)) ;
          assert {
            forall x:int. is_symbol_free_var_in_symbol x mrv0 ->
              (forall y:int.
                 (is_symbol_free_var_in_symbol y mv0 /\ eval (identity) y = x)
                 -> x = y &&
                 is_symbol_free_var_in_fo_formula x t.model_fo_formula_field
                 && (x) < (fv0))
              && (x) < (fv0)
            } ;
          assert {
            forall x:int. is_symbol_free_var_in_fo_term_list x mrv1 ->
              (forall y:int.
                 (is_symbol_free_var_in_fo_term_list y mv1 /\
                    eval (identity) y = x)
                 -> x = y &&
                 is_symbol_free_var_in_fo_formula x t.model_fo_formula_field
                 && (x) < (fv0))
              && (x) < (fv0)
            } ;
          assert {
            forall x:int. is_fo_term_free_var_in_fo_term_list x mrv1 ->
              (forall y:int.
                 (is_fo_term_free_var_in_fo_term_list y mv1 /\
                    eval (identity) y = x)
                 -> x = y &&
                 is_fo_term_free_var_in_fo_formula x t.model_fo_formula_field
                 && (x) < (fv1))
              && (x) < (fv1)
            } ;
          res
    end

  let nlsubst_symbol_in_fo_formula (t:nlimpl_fo_formula) (x:int)
    (u:nlimpl_symbol) : nlimpl_fo_formula requires { nlimpl_fo_formula_ok t }
    requires { nlimpl_symbol_ok u } ensures { nlimpl_fo_formula_ok result }
    ensures { result.model_fo_formula_field =
      subst_fo_formula t.model_fo_formula_field
        (update (subst_id_symbol: (int) -> (symbol (int))) x
           u.model_symbol_field)
        (subst_id_fo_term: (int) -> (fo_term (int) (int)))
      }
    =
    model_equal_fo_formula t.nlrepr_fo_formula_field
      (subst_compose_symbol subst_id_symbol
         ((update (subst_id_symbol: (int) -> (symbol (int))) x
             u.model_symbol_field)))
      ((update (subst_id_symbol: (int) -> (symbol (int))) x
          u.model_symbol_field))
      (subst_compose_symbol (const (Var_symbol (-1)))
         ((update (subst_id_symbol: (int) -> (symbol (int))) x
             u.model_symbol_field)))
      ((const (Var_symbol (-1))))
      (subst_compose_fo_term subst_id_fo_term
         ((update (subst_id_symbol: (int) -> (symbol (int))) x
             u.model_symbol_field))
         ((subst_id_fo_term: (int) -> (fo_term (int) (int)))))
      ((subst_id_fo_term: (int) -> (fo_term (int) (int))))
      (subst_compose_fo_term (const (Var_fo_term (-1)))
         ((update (subst_id_symbol: (int) -> (symbol (int))) x
             u.model_symbol_field))
         ((subst_id_fo_term: (int) -> (fo_term (int) (int)))))
      ((const (Var_fo_term (-1))));
    let res =
      {
        nlrepr_fo_formula_field =
          subst_base_symbol_in_fo_formula t.nlrepr_fo_formula_field x
            u.nlrepr_symbol_field (subst_id_symbol)
            ((const (Var_symbol (-1)))) (subst_id_fo_term)
            ((const (Var_fo_term (-1)))) ((const (Var_symbol (-1)))) ;
        nlfree_var_symbol_set_abstraction_fo_formula_field =
          (let aux (a:int) (b:int) : int
             ensures { result >= a /\ result >= b } = if a < b then b else a
             in
             aux (t.nlfree_var_symbol_set_abstraction_fo_formula_field)
               (u.nlfree_var_symbol_set_abstraction_symbol_field)) ;
        nlfree_var_fo_term_set_abstraction_fo_formula_field =
          t.nlfree_var_fo_term_set_abstraction_fo_formula_field ;
        model_fo_formula_field = ghost
          subst_fo_formula t.model_fo_formula_field
            (update (subst_id_symbol: (int) -> (symbol (int))) x
               u.model_symbol_field)
            (subst_id_fo_term: (int) -> (fo_term (int) (int))) ;
      }
    in
    assert {
      forall x2:int.
        is_symbol_free_var_in_fo_formula x2 res.model_fo_formula_field ->
        (true /\
           (forall y:int.
              (is_symbol_free_var_in_fo_formula y t.model_fo_formula_field /\
                 is_symbol_free_var_in_symbol x2
                   (eval
                      ((update (subst_id_symbol: (int) -> (symbol (int))) x
                          u.model_symbol_field))
                      y))
              ->
              ((x = y -> (x2) <
                  (res.nlfree_var_symbol_set_abstraction_fo_formula_field))
                 /\
                 (x <> y -> x2 = y && (x2) <
                    (res.nlfree_var_symbol_set_abstraction_fo_formula_field)))
                 && (x2) <
                 (res.nlfree_var_symbol_set_abstraction_fo_formula_field))
           /\
           (forall y:int.
              (is_fo_term_free_var_in_fo_formula y t.model_fo_formula_field
                 /\
                 is_symbol_free_var_in_fo_term x2
                   (eval ((subst_id_fo_term: (int) -> (fo_term (int) (int))))
                      y))
              -> false))
        && (x2) < (res.nlfree_var_symbol_set_abstraction_fo_formula_field)
      } ;
    assert {
      forall x2:int.
        is_fo_term_free_var_in_fo_formula x2 res.model_fo_formula_field ->
        (true /\
           (forall y:int.
              (is_fo_term_free_var_in_fo_formula y t.model_fo_formula_field
                 /\
                 is_fo_term_free_var_in_fo_term x2
                   (eval ((subst_id_fo_term: (int) -> (fo_term (int) (int))))
                      y))
              -> x2 = y && (x2) <
              (res.nlfree_var_fo_term_set_abstraction_fo_formula_field)))
        && (x2) < (res.nlfree_var_fo_term_set_abstraction_fo_formula_field)
      } ;
    res

  let nlsubst_fo_term_in_fo_formula (t:nlimpl_fo_formula) (x:int)
    (u:nlimpl_fo_term) : nlimpl_fo_formula
    requires { nlimpl_fo_formula_ok t } requires { nlimpl_fo_term_ok u }
    ensures { nlimpl_fo_formula_ok result }
    ensures { result.model_fo_formula_field =
      subst_fo_formula t.model_fo_formula_field
        (subst_id_symbol: (int) -> (symbol (int)))
        (update (subst_id_fo_term: (int) -> (fo_term (int) (int))) x
           u.model_fo_term_field)
      }
    =
    model_equal_fo_formula t.nlrepr_fo_formula_field
      (subst_compose_symbol subst_id_symbol
         ((subst_id_symbol: (int) -> (symbol (int)))))
      ((subst_id_symbol: (int) -> (symbol (int))))
      (subst_compose_symbol (const (Var_symbol (-1)))
         ((subst_id_symbol: (int) -> (symbol (int)))))
      ((const (Var_symbol (-1))))
      (subst_compose_fo_term subst_id_fo_term
         ((subst_id_symbol: (int) -> (symbol (int))))
         ((update (subst_id_fo_term: (int) -> (fo_term (int) (int))) x
             u.model_fo_term_field)))
      ((update (subst_id_fo_term: (int) -> (fo_term (int) (int))) x
          u.model_fo_term_field))
      (subst_compose_fo_term (const (Var_fo_term (-1)))
         ((subst_id_symbol: (int) -> (symbol (int))))
         ((update (subst_id_fo_term: (int) -> (fo_term (int) (int))) x
             u.model_fo_term_field)))
      ((const (Var_fo_term (-1))));
    let res =
      {
        nlrepr_fo_formula_field =
          subst_base_fo_term_in_fo_formula t.nlrepr_fo_formula_field x
            u.nlrepr_fo_term_field (subst_id_symbol)
            ((const (Var_symbol (-1)))) (subst_id_fo_term)
            ((const (Var_fo_term (-1)))) ((const (Var_symbol (-1))))
            ((const (Var_fo_term (-1)))) ;
        nlfree_var_symbol_set_abstraction_fo_formula_field =
          (let aux (a:int) (b:int) : int
             ensures { result >= a /\ result >= b } = if a < b then b else a
             in
             aux (t.nlfree_var_symbol_set_abstraction_fo_formula_field)
               (u.nlfree_var_symbol_set_abstraction_fo_term_field)) ;
        nlfree_var_fo_term_set_abstraction_fo_formula_field =
          (let aux (a:int) (b:int) : int
             ensures { result >= a /\ result >= b } = if a < b then b else a
             in
             aux (t.nlfree_var_fo_term_set_abstraction_fo_formula_field)
               (u.nlfree_var_fo_term_set_abstraction_fo_term_field)) ;
        model_fo_formula_field = ghost
          subst_fo_formula t.model_fo_formula_field
            (subst_id_symbol: (int) -> (symbol (int)))
            (update (subst_id_fo_term: (int) -> (fo_term (int) (int))) x
               u.model_fo_term_field) ;
      }
    in
    assert {
      forall x2:int.
        is_symbol_free_var_in_fo_formula x2 res.model_fo_formula_field ->
        (true /\
           (forall y:int.
              (is_symbol_free_var_in_fo_formula y t.model_fo_formula_field /\
                 is_symbol_free_var_in_symbol x2
                   (eval ((subst_id_symbol: (int) -> (symbol (int)))) y))
              -> x2 = y && (x2) <
              (res.nlfree_var_symbol_set_abstraction_fo_formula_field))
           /\
           (forall y:int.
              (is_fo_term_free_var_in_fo_formula y t.model_fo_formula_field
                 /\
                 is_symbol_free_var_in_fo_term x2
                   (eval
                      ((update
                          (subst_id_fo_term: (int) -> (fo_term (int) (int)))
                          x u.model_fo_term_field))
                      y))
              ->
              ((x = y -> (x2) <
                  (res.nlfree_var_symbol_set_abstraction_fo_formula_field))
                 /\ (x <> y -> false)) && (x2) <
                 (res.nlfree_var_symbol_set_abstraction_fo_formula_field)))
        && (x2) < (res.nlfree_var_symbol_set_abstraction_fo_formula_field)
      } ;
    assert {
      forall x2:int.
        is_fo_term_free_var_in_fo_formula x2 res.model_fo_formula_field ->
        (true /\
           (forall y:int.
              (is_fo_term_free_var_in_fo_formula y t.model_fo_formula_field
                 /\
                 is_fo_term_free_var_in_fo_term x2
                   (eval
                      ((update
                          (subst_id_fo_term: (int) -> (fo_term (int) (int)))
                          x u.model_fo_term_field))
                      y))
              ->
              ((x = y -> (x2) <
                  (res.nlfree_var_fo_term_set_abstraction_fo_formula_field))
                 /\
                 (x <> y -> x2 = y && (x2) <
                    (res.nlfree_var_fo_term_set_abstraction_fo_formula_field)))
                 && (x2) <
                 (res.nlfree_var_fo_term_set_abstraction_fo_formula_field)))
        && (x2) < (res.nlfree_var_fo_term_set_abstraction_fo_formula_field)
      } ;
    res


end
why3-1.6.0/examples/prover/Firstorder_formula_impl/000077500000000000000000000000001440160026300224305ustar00rootroot00000000000000why3-1.6.0/examples/prover/Firstorder_formula_impl/why3session.xml000066400000000000000000005506341440160026300254650ustar00rootroot00000000000000












 
 
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
 
 
 
 
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
 
 
 
 
 
 
 
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
 
 
 
 
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
 
 
 
 
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
 
 


 
 
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
 
 
 
 
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
 
 
 
 
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
 
 
 
 
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
 
 
 
 
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
 
 
 
 
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
 
 
 
 
  
  
  
  
  
  
  
  
  
  
  
  
  
  
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
  
  
  
  
  
  
  
   
   
    
    
    
    
    
    
   
   
  
  
  
  
  
  
  
   
   
   
   
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
   
   
    
    
    
    
    
    
    
    
    
    
    
    
    
    
    
    
    
    
   
   
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
   
   
   
   
   
   
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
   
   
   
   
   
   
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
   
   
    
    
    
   
   
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
   
   
   
  
  
  
  
   
   
   
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
 
 
 
 
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
   
   
   
   
   
   
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
  
  
  
  
  
  
  
  
  
  
   
   
   
   
   
   
   
   
   
   
   
    
    
    
   
   
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
   
   
   
   
   
   
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
  
  
  
  
  
  
  
  
  
  
   
   
   
   
   
   
   
   
   
   
   
   
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
   
   
   
   
   
   
   
   
   
   
   
   
  
  
  
  
   
   
   
   
   
   
   
   
   
   
   
   
  
  
  
  
   
   
   
   
   
   
   
   
   
   
   
   
  
  
  
  
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
  
  
  
  
  
  
  
   
   
    
    
    
   
   
   
   
    
    
    
   
   
   
   
   
   
   
   
   
   
    
    
    
   
   
   
   
   
   
   
   
   
   
   
  
  
 
 
 
 
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
   
   
   
   
   
   
  
  
  
  
  
  
  
  
  
  
  
  
  
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
  
  
  
  
   
   
   
   
   
   
   
   
   
  
  
  
  
   
   
   
  
  
  
  
  
 
 
 
 
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
   
   
   
   
   
   
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
  
  
  
  
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
  
  
  
  
   
   
   
  
  
  
  
  
 
 



why3-1.6.0/examples/prover/Firstorder_formula_impl/why3shapes.gz000066400000000000000000001432721440160026300251010ustar00rootroot00000000000000ko8ݿ"i ޥr2*#tbgslgMg"DJT\lE+e)jq/*~_>~~?yWV|/^|}W/_'ϯEΆ$ep^Iχל=F)#⣥Tx`qQ19)=sk cA?dD_?}+ZWiQoR_	vy̹z,ߋoZqZoJ#iD;
󧑭4,KS	?WMGS,QTۺ~q,ض0T}ټ._̗+e$3vd- v/̪W
0иm{Qg{ZچJEJtj<,_B<`̗s9a6*lz^}ˬR_Q[iۖe;o1Gl
0йb
Jr!,?YA{ӳj,PܨJN3&`:;`wS@j3ޯGϔiM$ͳjzW,~X웽|A'fvu]a(_.sq^@ll	C'_d}@[2)婕|y>Pv~{Cme*x耠 $	zY9#U;zku?3[{3\JC,UKKݸu<4aa]+fM383J__"58o+:]dhˀN[{eȇۖ!󾦴~.zc|e_5
v{C[-k;$O[r,/EaC
Ƭ3EHR|
\wxS}Y]AۯY$x_o^F`Av뢽bvp-a--Ɓku]lyMw=JWMk=oW=tj/ăΪco%03+e
F	tMWpKu^
l{G>C1)Ϡw,y27mzvѦ~?*˙a8;QJճBž9i(t?}7ͰV~;'suR7D妤UZ_|U^nX|usooUR(pS׭>Mu婫~$UgL}x}j_Vڥƻ,Ou=mn=m]{D5?ӏm#ܝ!|Bn_=rsP47oʨ*s#/3{g
G^V898"F܁'#g5.Z?es`,0Hc}f^s5m軡pӶzwwdvV_LL#[߮~(ߟ_=3ڶm|oSsvy΢N49
;4k?Ƽ@AUh0;=1\1`rsMC5E]`g`rӁi߸LYc.jXz.jXN:/i'
Y;Qh߾mEhB݉"7yVFΙy\><ѐ{+Srͥ\D3-u/{}뙡T9/~Jl6jHVIѧ˓GYr?xI,KoKc%c1oȘϘEe)FpLFH&6UêȪ)!$9y2ff!0!@d%#"+39@)}J]4CH%$ݦ)WX³mT>t@&:ǃ+`B.m(]cה:wLY1e

6e!MvXX{*t*\V'ckkj⵶rώ{v.ҵmsǡ!”&OT0^ik"uyzM>G{tEu~5N麔g/g @2 WЯ_^^o-@7Ыvu7wZ׻nYЏ}kHe]EkTAG:*9yګ_?ݗV12%DyFQV!
ҷگ~~|!&N꜊:=h1|!ߩȌARd\|?]3{}M#B); g82obxxz.~Xndn\P
4:S7171úDAڵ:^S'i:5ɣ	qîPe!˻eϢQU0_WoS|i'yҲE 7!|y^|WUEQ~HXo[/8#.//L$'p+#1?тL`e;M_?ڟXhȖv02枯
V:
+̊ZGA4Lz"&}bVPEuNƘ1違NJ1I_I+ƿSSA[G~A~mM Co'ߢgY:v匙\9l.r
C>!+={N囷<i92dݻ
LѢ$wOy$XhKRx%C߳,e,"'|	jl2Q]?Q{:W[޳_G˨{YڈėnY!`8bdp\\..o|߯,P_[K.Y0ɷ+O(~z-z>6R
)wV
OE/b,=
Rާ髓P,3ޡ6C텛govw&,:0=@#{u2#.
jMuLE)cƇ$9dՒv/[/S_W0fza@;{E-9;[p9j`;Ȅ}	񉽂!?`O30֕?>8p:ً0P
;[8
N +kI`3__G	Qؒ^Rn=w]Z8Ni?h4k|6NlvT!#d7P9iZ&ΚKblh%B.V?I\$ 
L(w~I莊=_&i	h\MNhE@hs  2?*rrzTJ{J~hvBK[uQ!޾,{/瘦_mOKNNiNfW~6%Mq'Cb$v`=&'@$y'Wjؓ3([{+[36P)=$w36	ANGCJq'cX{6xp뎆yPo):떍zalGM)PţެHXoWWn$x:cN
):0@;!{	F{uUA	[7T]ɻ
כ*u,&!p@ڐ6}Ҏ~rWݕ$\{gcƅXہm0!衩N}ʒzz\̅ks-pÝvof⶿ӷ#VB0+nG{?$H|!nw[0{Pk^owiX">b
1_LAB$  Wb%F^}ߢ 	}}_iMmj{̅!Nߥ `
2@oBKQ+
{{RsIsT	KD
—"uS:4CR9e?2ǥˢ_)SUNyJ=5[!1D_O5T@ŕbT|"B&B8.'A:Åm@P19Tr﷚^]Hg^Z;D*
B,V!ylYOOS	Ε%3įqc5wZ<
_ߏ4ݻ8Pe-0(
{͠?	e`})C-څx(?FǏ;'毪;A_X,]	:&t'ѿݿ%+B,-PM۷`̀MܿG8!0jMqY[&b$#BmQior8DNAi&oҸ1
М`F\;#	k"؈ޙ<dCAt:yU'isb <%{%zՊ~f.ti^/Ef*&[P*..%_jdEc#1鈭++6'ӷO/:Fgİ^eJ,FPl|g}##X^x\}W^5Tff}}sx޿ͳҧ+O]![Z豅^e[/+v*[ì٬'om41}j<=Vz'8+
;!LN;
ݭ0vKá50pDJMD3Y>\APVn/OP1T_S:=Ux^<.A:pBjG`D &wTk1(+Šl\6T|///S})ì۬1ZhjGd[EIfW6J2n8Ӝ8	#9ŒC00xS·VhZ{mf.˪""/&?LV<,UWVȼ[{7;m8aFV'z@իjQ,ehZl-dս[Y2ߑĂ~c03.'6
`UMw>19nLs#`Xo
EYD žn*s
I?3Jrn(0_
JфryM͒RUz{ԽG1aL-O~Y0__6zCU[8sHuny N:t6 Ž{!_>=.CK[ޘTa<O&Ɠ;2iߗIeT-,7
p97b;M5m0J?Po}A_ųXڻ\5eƢ)LPY)5SnP]=WjDN+P.#x~s]r6}pꆂ%MΒ|WSH;R*4)Ƽ!󍆃u^EBP
: -HdҪ/] :g
6Mh
ޱ	v	`K:%a
	(=:ia
AtX6ͩjs}_W8`H@21#]`HWjH33t~aUէЩaal܎jЯ}dy߈@޷ޯ"`J@ĕy_U7hR@ťq>qq8w1kՑ'3K5aR_ۿ&M8EB<7Y$#<ׅ~3/W߱Ozp|8:8NĻ;^857[bX1'
:	ԎЯٯû|zzED	[(3:ēSAO;ÇRSG]EHm$6ZVc
BEPTF!6
b[²I7t0Î1HAjH
t~~=-!7ܦ_^^ Я1WׯyXܴQ֯ɀ=.͝][ٷhsҝ{Ǧmߗi };#칿*5e<
`pl8SfČ󏯏yJ֙s-$i֝hFkJsXXdbا'v_ gs*yRDC_bk1PֶsCeyRRD19\Yd6
i_C()@
:H1vT?v7`Xqɬt<2+qZF￾LmFax8>!	}D[DDgWyFi590G	8Î4ba82z(,\c͘øʛf>:yWl?ڞlG׈^7|eCPe*;֚
pn{(.	:c8Q*E@Km-Zt2G=N-x$#¤Ctv:;IQs9w,B//BYۯf@U#j((ʆ/PL>9/
0[PŅbJh r4M1AW:$q
>X\5%5?~yyEp&@l<\
(Żj<cRwӝ|}̳YqgvNY ~Isse,Ħ{&/Oܗ6%tr<(~I{8Ly82},u-!v˺xy#k3^R_eSCeM["c%Fe޼cqhZ=U.Nqzh0Z'|U@PeRT+%2J*}/jם`Ƽ3cMh덥@FRrAP6(@QVsG7Gۜ|o"vXK_=jm_VM-X;k/E^"Q
*+}MhIH2x5S)OĔs)\TxA7+ԩwu@9|R뿊Pqpo.2xSj̘2w!a>n
s٩lUXA:n?JVN?(񒦱CL9:[&K
7dDkU
}ou6q-U
Du6 w-/ jJsS}8y څZaJN*PTׇzB=
VQpsF8^?f~w7"G<GnPA$94: JZlmC/VּgUXG_#ՖWW+UUFJW>?{G S&qt9Wٌ1V)iHa˷leGUD.Q8N:ߨQ|1u9eƩ菹*
ЦBDW
*
B;v61^5*m@ōѴ+گ}Y:;Ҋ"::US\]@\]q@FL3iFuh>ʔyHdf`F]Sξ=9̷v]D@<z@/0Gn<5SѧS9ӑeB_RpO+L*ӎiL @	
mA5"tu(R:{?Qmt:tJNG<ڟ>l{p$VĪXU7R
1	1BGxɬuHt`~rOa$I9P7r*+T~=KޥIZ$uy#i&	hr^9ads$	n=
S(38*#1Ɖd`Wb8xUN!'NaW;|#KPD M:4\ȒsB|zz_JuCL`{WR4+9#ϭ/HkN9SD>hwn8s7"d=w:uYc+Y2wྒྷ}bܣƹ4|޲=Y2]]G0P('C!8X'C/C]="ѤM̿oէ$-J(öNLJқ)lAz|xD5?l U5mg]ÙkwfRowEZ?斾ݢ8l$CWY&l!]XXG_7icX}XH8']0\mjtVv{}IgD9A!arq*
39QW χ9:9#pwebi_4.WW_3T<26ïnK}îe	]=sdaIC>OJH$ɺ*eyq"|+FIB>
8Ȑb{㈫ifOH4#Ё,"+u",W2WcUGT.#n8vQz#:7=Kt_ݦvOq}s>:tQ'F̦S{lu|uɣx\!x->JfxbEs?ŨzO~ᇨ/wreTp>5";gCO~lO~q{3/]G-k=yZ93S[h1 |YtF@5]㎻:];CTK+ǬF+FٍJ<xgby0?dO] 4<-pjP0r-´MF	Yu)Q=^âF^8KR:gLUWj//m<3x?
R6P&|#yghP2$d(ӻ(c2f8Lkee	h{[S+TFڛ
@ph(gR&(:]
'l8	pD$~)^eZ`X6zbj*E:y#k怠jD(S!w}+ط^J n!@-zxPS0UyfRFvŹd\fE<t"Ҁ"Ҷ"Ґ"Ҁ"L[&s"10!E"LME"WQ&EVm2Ea F&[6]Ȋ--`p[-bƐp\9.ze{|ksP';antgl<_z
yy
L񰞫;\Ɂzpڭz{8idʽI<bޕ?+?(󜅔QfG
TsLR_i9vuo',9'=q*aK'	bGJhp?Q/H!*ᴏCZ80t!5GT⇜E:qmy^7pϙmMCǶqǟvj
f~Ԩkn	쌠
k%}O-c.?| =\k*Q),cw)OX?b{X1
J{!pš?~@PA@4ljHl6\6O{cWˎ><ҿzߙH9FW$~o]KҀЁejzt>b\k&׵k
UF03d,n'-*ګ$jrGHx3iiIP7y4YEl@iF%qQO,v 8(
FAOiw Hqplx)n}LI2:v{EOO1B:DVLwv:+)ʺ\Bݯ#
Z;+.SyLUUawesGlh$@_=w<oVColoէo}vb??Q5߉ʹYBpӨ{Hp(Nqgkl(FmxmCeI~P{;d2Aߢ'NC+@Zwb*X}Nge _ߌk~{ood}EROT_zYONIu_Iύ
c	=:K5Hj{[V_޳̮]ތUac^x ,g#SwXpRޘxNY`-Bmϧ:l@ʱCw"u@X"$Yʈrtw'N+^'HFN$'%y q7:ek<`mcyך	PᴽÉd+ǚ]t3ipp?6G;1p)9fxl&	4a|ń6teOpXe}H%Ѩ;ADh"ZQv4jF[$d4M|*R;rU5uESKS@g=#A$Mtm@$φ3wcr!9D<9ېC48jC䐧& Kr3Cv/(
ӄm%`iA$	@	ҠVKѧ?v[cS/@hWѲѣemlt@6-:߶so<=8tomeVכQ'BG'Cٜo+EynuB"Qg9`{ֽ( M 0EVd.W9,dY@!+ Hp$FlpLUc! }Qriwr4NS2OI|>26C4m,/
l|st
{j;U@JPddGtdjڠԖ3sPGڜq9xLa.̾R9@w_%'~z؝c_?9)g.ML0_biYVp.@7՚U;r/uMd
x͛˦P9:Rn&gB_Qm\mP~.>mm)5KƉl;yY o"NtaKŁa;#ݳDVn8b]*#TNhglϸmD6̾ݽa3|yu'l|sqeYfv햑y;vcO(]X+)){nq9鞛S̭DNl1(	P%GHΥX7hp<5![&KI*a/
XiVge\aW!ZY:nܲY|=[Gv\x¿L\Y(\u`F\?#FlG(FH`s8'8\"KP$XR ŕÁ]@b ƕ~`- [.a:U1r$ڏlNL߹rfzk1	#a-̍ IQ'W\|L>9#:}T[Cpv")zP'꼎Ȥ  'E݌n[K=IK'tŽ1k:zlmN344gј|Zj9Ѣ[VXRvjI,/jxòN^Ɯ:ʪ~oMs/ExZ_Eϻ[^c񴤎lI!wZr,zVEu#Ұacu˜5~@gviC~d)}{ZƸk0F|%Gh]4x“v=IkRŢv'=H_~P1t-+KV7Ɏv/ãvzeR0ϴ aF܂EBԻDꝤDzbT6ҿ_-޲!m\?w:=7zɣ݋sT^Yda*_~<}iiؐjՌOO`3l῞a1xy(d`2&ُnbKͿ/E]/QaoWU
ƩpK7܊XGỹV\΅nFAqQC(
jڎQ[AyƼNy\i	5`) D:
9B;ǸQAEy
skٰX޵aʼns1q~
G
˦ʀ:N:?j/qzU.qe0So$œv
B,n$8q>,D]܀3"j	pĸT1@ougQz)%F)y$(JMRoXb<^O'Ԁ/?SlN]3/.u?&[G&BROI_"6' d'UA܏DI;Qۆ5lU('?X9U~:Y(
3Y[xgܑ{g9gX&V2!Emb%XIuȐ"!c%'E/yAx˂Lw#+~FG< 9*,~Jpe'<#
*T;~ff`
1|dچO>Җĭ,*weT۪ԣUCU*u@JJ2l5lu*UJeORT)KoeJ)ʃU8YD AbGnVĻ}N0:
PPN(u/s]
%noM޹>P%Dln ͑wQ0px(4O33·!\
S{R*Ss\7lOtҜ(EIL輝2	٪U+}g7߷jG(!%H,q:7YU1@xQB`^$KJd1QY ȴR'-w;G%h-g})'<27_Q,cRL jz:=@ÝsUܹa)w.r,M*&jhL\c<9w0!@51S0sǀ	m0a`$2OO8;F}]F_?0iC6
"Lac}vzMli=xz.~=V}]ռ|חX5slrnɺ$⏣Y%
`蓝*,՜ηxXV!Ow6?/CZx>	VUcU@@qȘf\Urlk*{M/eBV| *+qd,5T7BDè!* !j,U5@DU`lL2,y}s0uF@Pa.&[BeObPvJDtwuGo_}ownҸݲ-ƭ+7 *ePn}z8[>=$ HpY$k@M"0zc_*9LsMCJ'xk,1)~  {..` ֵp	v`iED?9vMFbz}
PP~F;v]H#a$	@Pqϧޱ47Sn3gs>6Ôd.OO?$V?&~_(K?,INQx'ʫ["ؠsXNi

k3g+ʞFKk᥮JI~]'yc-\oy/)_ݳ}<ůQKĞzBx<ɿl^?S̡bZY7jnsk)C#KAOBCLUeYXLk=tMt-4kL-EthSYi,1>[$ʎˉsԓ5d$.">28˫{'z*lxI*w'<P7ØOc׷'l`>Fiݵ{(ې,,[
5`cܿ#8![9!ruj-~:'*r=e<bn;!fsBTjӨՀD5{	Ya^Co
l^$^un8/*ubO3ܜ0=bmvZ/zINXNXB/3A/:;yb}m܋A/:;=jbQzb}mvb=IB3bSCzXgQ{֗Xf=Ү㐿_^"(ƕBm/Dށ)z#m]i9(vWq%u׿
VWnnwl)Coܖ#C?N!pM
;:Q:QGu g(D6i2#;G=T۲;o1Ϧu({˸KIk0cgMs9:2@"fx09ɛj(u`WMqDܶψM)s؁dEH69]4Yr5=$YC6jspٳ}ζNe򬧡T^UcXuq!g<]Nu{eSC4\&CS:Y
st`S2e搑HݖK{>*cd
jpE՛802,ڬ25~uys
i$E^-<Юx}~#]~]NbqYae`91bᲩQ|Dž,2.652)^UvT 0,X
5]鮼Mlg,䞣Dv4U߬qkjwY-]ZKΕ[;WROowhƵ1t6fqx1d|f0`ng@ɿ!ܐ~6:؂i:j*tNdnAbӬ-JwU7P:N'@!A	PJ@atb UnyNg}vɎdނQ1(C{u$*db[`{2s	#`0NS7}^)!Fhs&Yw&򝧑,}+䬗Q@V[)$,`^2@aPjJ}jшBE,nX7l;!ٛzfg&<3Wб.*1q@א` -^wxjWD7kpGd
.|UK.p	R]TpUA4qG7WS/T՜PW''A9+
	N\'ʠf4qo	~P`vഛ+mNCv\/tSwBNM˘Jw"?g<8D
}
0QkG\<ڟNjuKX)+yBl/f/)jv``miڑq:eS_6Y\9zZIvF6g|H]*\H`sR+j9ܤz\{e}>=7ƵuU$q؋k[El
9ԳchA#r S!sL)%l$H;{F:sue0wzvV)+1	S38}vON(r]r-n:ց!|q50Z_rJYRĆr'L]p,zOIwLp\W9@+#nʐzw3rij&;iLQSBNWQ]Oer{}#9xA}g!*m&b	؛U0x`}:C	D@"B3U`X>XԿ.MQG4^VG-` v
SVJ³NYU
k|k[UeytO[Y.k[O vf H 	Z~up0ó>\?|0
*D.̅;ADx<'TJWRD-;2ƃ v 
9pL`OuJJouf
x/lE{r%G8Dք:	1!@)N$0Q5[	j,`%w"Y4&Ԙf#Z*dlF1F,t+Q'KJDd+*K4_lJM$I4-2lЋ$QzN2H-^Ҭ֒Q^IJћbezI%*Y)VK
Eݒ-Dj^`<ˊ"3r֫57fYP"s!k,1LFM3U0!#[п̚h{L"a!I-dY,k҈ͦSW,֫a)ݓ	Xp֌rE_͊Qr&[`&mJQkz]pCEYB"O]JmS&EiȢU/LJ}421'.+f6l+HZf¬6d.ejS*f-fL\-t,U(	WΚJPBrfpɘ0+&O\qjBMRlEԅ+nΙKSm	NM?2RG&^^%2/J}f,,C͝?2&7Ϙ/@+?
sxeHcZ)7X@eI]us{,8ٗ#$/Σ5`}?B?	h͐szpgzp)|Xn!IKg
SkcEо!A@E5p#Qu)L3Vd^#:]xa&	3ķ)b#AOܘlWEeHIg
l%e|p0c`[/#ƛ}W0".y L~JO"*hz!!DVpcǵyĻ5^Zt׏`7l1ŗ` od`l@
L0:0WߤͣBc]S;S.L?by{ă{#:LuHl|/fi)hU[~Ġ˅s#Ңf;4W=Z	_<k)	yp(h)@"/+n9ҎP+(<ǝA4x^?Xyr|kƍ\Y9/tCA67@t8x.	"ѱ#*_8抮C	ݻ>5<}Ix&	ac!(X0U4)Wyƻsok>[^㳇ǐx̵Mh-iq˜TWUpCp6Yք7av] S}u*@|G>Vt7]`Z
;-5{<`d*-
--*>YI}TQ2A@M[[<H8(]`̅Pl\ aP&	(2A@,|T*]Uh,ޟ'cYļPq&%-DNsc5ZxqDjUQ-\ֽ5<"{<ѝ8UYTyllT	
<<Re]kl!TpVغKw2iw[ݙίϠp8N7{[ uL,oĸHN!G@IJ.3Np`QV&x1 &H`7`8;|$k\
un$)|B '[{>3xP,x1So+1H`,CΧzeDTv7np>zճ~UXĤ'+P~=+8ef
{'y4RT?%;CHA[gUFwΙ,&Dmd%8cnx{D!8*=Pu_S c_V;F@&u)^	ԀeO`oX=8T{+ϋ{b"7m 7 jC*7: Usы1 <G(8Px}(4 f82}ޗ\QTf}(5'alwIAwc=?p_Sv喆ɥ Md134sep&j|Bq%۴qܲ%YIFV3\ssF^ƟL~3>B8_è}$H,m_p)Rs@G壧Ϙ<³S1~,/s{3Viq,47PHWڰ/	!h|ΐX^Jp
B0-}oc=Lw`q Zr4ޘka2xu=8wWt1&pq d_92w_@]BVTw*vIe!꺣Ű|r0.@%WT+0A)؉s.78V3,"a^0	0.e".8,L7?ٴ+ $z˭hGm#3qj,Y1'g#A{l`LuK&a8gvI}nw?Rg?Wi(00wG!n]K+E@WY.0Br'+AQr,
YC288~}nS(:{<=`!-m3}@
o.p)#-ua#+_L$cQDHҙa`C$&Rl1(^+7,l9
}Ⱥ?4K婨VO?:ZMeh\t~ܼ\`fpC4TXǡAOk((1TZUrM̬;A7t;تVL=Vdƈe3nØVlug<i,SZNHo/SwBbkJ{bºW>eRz	b"qr4^-z;bNc6A׸ۅCAihN8~{0fVH	I
N?fېq^Ila1;@:ùd͆`1,AjaX,n\3 w$.pp~ɕ0+ 48$@N	dDEϴcOep| lxs%vi`*%@ҌU0˹sLH	;yt`3Z{4arbh<9G+I1v%kmW6iމz!JcXTLgdE;X[T4t;` 2 %׀䪞1{\Uagfh.}>DMqEx< EYXQ\4'd5!gj&/r1XtG cKic5Ǽw@#x!RV MTݛ_X"l&=-=fD1nna$h,(J:갖\tc\d0۶Xڎlz&v#);qk@8Gusk->k1i	'vllA^9{15
н bgH$B[v&qo7넛Me;j$?i~́Lj#4z4Ҽ2#D%2Yjx^UY7|B0	ݪZ
C		iu..LڼoSXν߬4V	Xk
0A?iNL	FA͹'1n6w!¤\sp
|?i$ج2
OK?ǟ40ץ:)9Պ7?i^F'
n&yPuR3;wJhؠ=nTܺp ]ck\~y0
QiKyj40\x?h3i=8
irܑ^_Xr9X:8V2"x<	P=-iPnp>nrµp4Á+nXub< #gCe BАjǭcLc7\ӈ
A*N@XAc;h,{꼃G7+f)%sx)4MDLΟlJ`nS>gbVxqMјnZ#0CYe(8	(oDp
]j{=fa?1	v1֛.~nȴy8F3t]8d6=5

9I !`&wq<14"+ ˷9ڠjÅt"ȗhJ:o[@t
6.x/2E7
붡'YT[!-K#tGdu

JɏLC>ŅSl`0'诃	=o]wpు#ZC
pk>M2la8W6㿻I;oSb>Zc_wȴr*Yz
BX?s奱hgz3םML}3i1:?BϽdcKG(`G?4Z"pȗ<'dsqE,!/*7(y,W114&.6[{\;dICejQ`52F\փlY*t79x3a[Q|)xQ1	_=yŀtE>]4s^
6}b=#++K	wXf)0X'V|2f`\+YMy߸r6エ e):G{3}UaYFt۰qu{U/h\׸1lu 56'~y"x 3~6'5]@?pW"1+vIⶾqˌuyc8EѶh4ʗ[˳y0T?&PzѤ	QAm1Ͱқ 0ܰ:fq0àAƮqټodF7f*0FP?lG@JW!}Wi㙿9mí	`~QYFڽ=n`/)`}`SZ0+߸Qlx6&?%Vmm4$-jߺ.	ݦ+#qK}R3^68Żw១(o||,l5Ak-y юS-
Y-n#iz;5AՅ›-o?8i~qE`:>:?=bJ1Y5v<nC3/\/@ϟvX8k5GB+.{=wsK؁ZҬڑdSh)R@)U8)M]cAY̼J7
ޫ?tnge]}06+m{,P/Vvu^$}ӎŹ2$a/iG?,ZcbguVpr*08`ּy>{Yt_W7Bp(7lW@*f"5{.q&DwYYS'WŪV4јc0lp>w1}3mu*i\&3n	JZxsQJZ6/},Ac.6.5m-.{~]
n>-EP
7)ϵ37=Sfda:$cpC,L*_ Qν͛+OzށM|9}".>)`Lށ1E4{b5j:{f2nW-
Ճ{}p##o2Vp@?+ķ`$Hjb4G
.,6
*q`+7zoZƒ5}ebxC|fCn9ݏCq ~ʻ}㯰o
̰v9Tn {VJ<)RaAS"1jx$L켲Aڻ-Y߰v,0a$8*+FYf^X<\ţW߰ab^ՌKNLC
a.DCK/@+%T;Wͻi3n\Ksc<U=&5؁ ,cc
r/ *JGű^&8 6'|SL	tnY
Ąٿ?]Oj
۾m
d]@@	Ǟ/%%t'"WBӄk;|Uf
4w ĎGLҧoh،aZ=x+ex;lN9h'*eZu6ceQsrX(\fX=ɜq-!FXq2Ax7n*zd1
O@tM	Jo
PuL7tY`nq?|n3YkWNݰҵ:&+TeË|-OT!DJsKr=aQ;O*1|X`#k@%i&,&cbH)`/oٲC&(լ7to]$
bXZH5<O50sEH~Kl&ƭYy8	q5B@au7C|g7VvSpn]v9):h}j;%,^N˂p< [î)RK*?Y-S_TЄn38D]垻Sҥnk*6tcÍv<|AAC
,70C1fJy	x3#*uZݸvw*J;}+h
Q``=e=)PhrbQ)7MW;.W:pIx7} .V֘k|	˖xq$&KXheUY݃@'T)<18p9t Ą"q/ƚ>ˎ9#h2Pl&J?4-큳Bh{\;[gs~藝R	plAb39@DnǣyRjft׊70ڱn{JHv9Fے&V8_?"blet;ۘnXYCDnߏϨ8qp%VYj~
:Gfxuwc'x{-@V.SOpȵ{-)	۸iVV}{~4$ @¨@mj?wǼO2Ț?;拆oxRGpc	V7024_}+rJiA3b>z"FIs@n>e[pѕ>;f+2"trf[ LԢ!
@/~9`]+~|dO92#-𱵀y+;@6ް@Q9g~."f,<
;3"p [JwLڿ6y@bmNX	ZF9UΛ5VhK׎eY.8
#(6OlC
RR4T0&PeAM
쉷ǥ&V-|W{ݴl	XݵӰMyKa^Y v.? C6r!f+j6PZ07%Gތj"SD׃lq7u 
`^e3Apg/3
yc5=8wo4΄u̽YxU_ےyd.?P#am̶
8d뼅h@o)}_S&rُ=.mnC@ka\Axv~5,ВKəe/O03oһ݉ErVl۳ǕlFB̆CˁHJE4WkscZ7I'z\NP.B/'0\V=!GӹlKb93WxW*qc,'"8c,>]><;NI',+h~E#GPukJ&_Pap\&E@1B#de Ihϯv7k(5rZ~Z,c<ߚpf6%{Q=,c5bYM7#soÃCFx(NԟR;q9.>`;Ƽ6K[Q#D.@>qRqώi2>0
1ǵE6y5J8~#ڤk_zep
At~?vM.d~Xa\v~߱%/C`$jm10"q5y05FyW{bX{88p{6=-wp.}\ЉKv\a˪?qިUj50fY݃&>^ѨAQ*w=?,j/U>;5Eƹ-m{&޸r[vx8*pw)nl.VݺWbx;U[mpv
yt:Y	PUb%U0ZmWm{$gYQ"i=C>Xt5YjnղJmq*;g{:_ΩϐT_.7X0d!Z1[cy/tqwǠ*ïw$VC:QoqY
΄侖x\MkN
6xBòObaIuopZ7;SEK1gAXߤ%c
 mql,˝[`9{ğettnY)w@%,#/f/Th_*\`LpM,#٦,ǍQƆ??Xx_xwGleܿ`l90,pS=Vc2[(25MW,#FwM`y(/#sj=gYQXDiڟeD^k/ mdZx	2"+WA;@觉XOnc)RIkܠl7nqHN V3*_Kk#BbJ_ wfw!̈9y{>/=A
0T{U0O3RBYZ3q{㲭gҧa('v-m8]¢N0J׵k3w~ipiTe3Ib-}
2ЃUgqMnsgǁX@x`),O\0Y ؎b63\h`t
'ݫ@QuY.%ض,7Y[
֗u^^ckhۗm56
=<[`8{cIPwF-$z?&$eonkfu# WX-bUV@cNs6
fX-ǰyj/}m5H1sw2KX
Z˾Ͼ{̴qadR˓K`pp_9nRYۿii[eXޜ=r?[Ş8hS<=rbFI5XuFK0b1szJAlNY;H_VV`!l	]+Nyh5Y趈Bk|L
dس< z!n#|]Zy@(iҊP#8@k=vhK"b8ö\bAR:L3Aqx}5T>_p-|ޡVc¡X+4fȤ"Qt!yxQ_л%j
nO !~!&Ul8tРvZjf)r[>ik}lfbcx<nS꓆Z{ L/5y|Hx(aRCW]KIH_h,%ū{o3O [E)/;b`s7dJ8Rt.i%/ؘSZ8enNv{Fg -5Z;LjsUZ5/F>|Ykߖ=$6H}zN!L=	RncAb^ɍMz~ϵ[֤)(t
yݪ[e8~|Du7"bd,t&J_Vsq0Wcb[¬u;FtvsY^Xn?||+6qוݽ=.zzi7Fg#N7(vFKr`{&{}"a779{Lj[e^g^gמow?=98wƝ'9@nkx9;z\abl[>ʶ`2_>=p
5x5q>&;irH	DwmRmsy/K6?K򱐲83>'0^y皏q|a/3#(}>0rU(}yީ`~9o`d_6`'_2e]*~ai;׍oOD;Zaj~SA|=:zɡŖl9(Wb%pIf
ak;+`yyXխ_)1=#=ԺxnnO';͐7r =?2XsIDZ(6)
K^TY(i*A >@"ϳ6Q?͌_”I]A@1g@ɣHy{\{
q<~2h钄W2xP-VͿ#^k=z`՞N-J̀jg출_!,xA$nT)	@Z##0p'y
*!m6"hiֱ$φhpVL-뜠'N3e/=	L
$#@Se=9|'v,N-!LV욕b>&@sJ{>_gl
R{OZy=Kz3TcNfg$~OFYL{ZVk
@<y=U?=n*)Ps	<軞ܾ}Tp{6^qѴAZ-kQFu|MG;$o^yw6X~PΗmK=Gj屃yإ7rmjǹz4ӳJ	?+nmǴ^fxah7t|c̉!4<ܕqXtJ>~bf1K{~eKonF.dXHj+=meP,{^81,0~eAa}gϯ҃NZo[EphߒdIi6xPvj?{
.+N0=/٠}jV򭏍	`ݓӅ^<3;yv&5w=@s|a	]i."=Ԡf)M`c乓Ѕ_@6]A	߸GTn6fkCL>@W
|\_~ma3wc[vs	S>E(-mC4'P75Doirؘnߛԉ7|>
($$	pv8Z5]Syg,=Z\760y
fBP-;t29v6\
wl<;#(=6BF/7o
C#S32]5=.|O>_;,|aC6{a+uO2~/70yô:X_S7y5#(Ja6y4Vou?dh\=0
[y8ܘ_YNkef:Q=.5aɤavfz(Wl̜&)8kc@rcbXݸ塷N[:A^`C8̚W"XKv^=)XRp9tc'߸Mzt7.~㶛f}G,(Jjb'X#ЋUF8$vo
Lj'qn̏^/;"Z>mdau=nLW|Xv	Gg+ +b㒅}s9C-
Ĩ7yɲw0
저M|8kT7+C:1l2%dyayMi/#BꞏXol5'{wLQ]6aLzyI^=X
KdGotru7<)[Y [;!񨷺<& :^&4/o,m3YcP ]Ђ%b"?mvo`?FC: 
Q+͏0{8Smȗķ{q( [Η\j_X@,	-۴Yў1_DooXg[u[E@7_yگlmM0
	j+Be$Ei(
Eբ$dw.C0@H7eق_H1^';0eJ
M[]=_6Gx&;RWSDO ٕ#q%0C䪷	K_F,3bD.U`yXh?YyQR;G!%%JPfjMKb{xlW,#M<.ug躿=*t}u+.K3κsn8UoOKt-3^x:~i/u0esoPFfU+d:&d:.H}!"Fh0Ow6!^`y=moX=&x4&5pX
[IDwZ1Y;]n՞rkwD}}f_3Fc&2b9k6wC^7Oo֣
S7fO!ճm>\iͺb^k~sw w[cwS%[#na>k%})dSL}I(-7݁k>=ˊ螂(0?ga/W:皃O(`D9DTmgz(#Nf_fHNMc!((+xqxN7O7VyZ=,ÈU,qf?lmо<3]vKxYl%Kkztt8~w!6xxxVTчY|wB(Y{l+
gE31-8faTz[30xnLh
L߮y`u[ap4Z$ǑN
N	Gw!g6wo`=Ne\lQklϮCo-3y0\#	؏.<;GZ~Zy^_U6\PYϵuÇlͺ&NT(HOvG?gA+<	mQqO{5z&2r"HDģ16jum"G6ȍض8b`ؗKhլ-1l+|̿h'D⬦osXy:W4{4Ր̗z{>t_o`?/T61׆osMعf7ZcZ&RҞ>x詰~t&{6ǩoĤoSJ;L0y p)2=-s&l!~	HrG,Kxʟc]_Z|}"Y"	!>/6/b>hѣ[<(MhKaj}{t}ͥfL<6 let s = one_nat in s
      | NL_FOFCons v0 v1 ->
        let s = one_nat in
          let s = add_nat (nat_nlsize_fo_formula_list v1) s in
          let s = add_nat (nat_nlsize_fo_formula v0) s in s
    end

  with nlsize_fo_formula_list (t:nl_fo_formula_list 'b0 'b1) : int =
    match t with | NL_FOFNil -> let s = 1 in s
      | NL_FOFCons v0 v1 ->
        let s = 1 in let s = nlsize_fo_formula_list v1 + s in
          let s = nlsize_fo_formula v0 + s in s
    end

  let rec lemma nlsize_positive_lemma_fo_formula_list
    (t:nl_fo_formula_list 'b0 'b1) : unit
    ensures { nlsize_fo_formula_list t > 0 }
    variant { nat_to_int (nat_nlsize_fo_formula_list t) } =
    match t with | NL_FOFNil -> ()
      | NL_FOFCons v0 v1 ->
        nlsize_positive_lemma_fo_formula v0 ;
          nlsize_positive_lemma_fo_formula_list v1 ; ()
    end

  function nlmodel_fo_formula_list (t:nl_fo_formula_list 'b0 'b1)
    (fr0:'b0 -> (symbol 'c0)) (bnd0: int -> (symbol 'c0))
    (fr1:'b1 -> (fo_term 'c0 'c1)) (bnd1: int -> (fo_term 'c0 'c1)) :
    fo_formula_list 'c0 'c1 =
    match t with | NL_FOFNil -> FOFNil
      | NL_FOFCons v0 v1 ->
        FOFCons
          (nlmodel_fo_formula v0 ((rename_subst_symbol fr0 identity))
            ((rename_subst_symbol bnd0 identity))
            ((rename_subst_fo_term fr1 identity identity))
            ((rename_subst_fo_term bnd1 identity identity)))
          (nlmodel_fo_formula_list v1 ((rename_subst_symbol fr0 identity))
            ((rename_subst_symbol bnd0 identity))
            ((rename_subst_fo_term fr1 identity identity))
            ((rename_subst_fo_term bnd1 identity identity)))
    end

  let rec lemma nlmodel_subst_commutation_lemma_fo_formula_list
    (t:nl_fo_formula_list 'b0 'b1) (fr0:'b0 -> (symbol 'c0))
    (bnd0: int -> (symbol 'c0)) (s0:'c0 -> (symbol 'd0))
    (fr1:'b1 -> (fo_term 'c0 'c1)) (bnd1: int -> (fo_term 'c0 'c1))
    (s1:'c1 -> (fo_term 'd0 'd1)) : unit
    ensures {
      nlmodel_fo_formula_list t (subst_compose_symbol fr0 s0)
        (subst_compose_symbol bnd0 s0) (subst_compose_fo_term fr1 s0 s1)
        (subst_compose_fo_term bnd1 s0 s1)
      =
      subst_fo_formula_list (nlmodel_fo_formula_list t fr0 bnd0 fr1 bnd1) s0
        s1
      }
    variant { nlsize_fo_formula_list t } =
    match t with | NL_FOFNil -> ()
      | NL_FOFCons v0 v1 ->
        nlmodel_subst_commutation_lemma_fo_formula v0
          ((rename_subst_symbol fr0 identity))
          ((rename_subst_symbol bnd0 identity))
          ((rename_subst_symbol s0 identity))
          ((rename_subst_fo_term fr1 identity identity))
          ((rename_subst_fo_term bnd1 identity identity))
          ((rename_subst_fo_term s1 identity identity)) ;
          assert {
            subst_compose_symbol (rename_subst_symbol fr0 identity)
              ((rename_subst_symbol s0 identity))
            = (rename_subst_symbol (subst_compose_symbol fr0 s0) identity) } ;
          assert {
            subst_compose_symbol (rename_subst_symbol bnd0 identity)
              ((rename_subst_symbol s0 identity))
            = (rename_subst_symbol (subst_compose_symbol bnd0  s0) identity)
            } ;
          assert {
            subst_compose_fo_term
              (rename_subst_fo_term fr1 identity identity)
              ((rename_subst_symbol s0 identity))
              ((rename_subst_fo_term s1 identity identity))
            =
            (rename_subst_fo_term (subst_compose_fo_term fr1 s0 s1) identity
              identity)
            } ;
          assert {
            subst_compose_fo_term
              (rename_subst_fo_term bnd1 identity identity)
              ((rename_subst_symbol s0 identity))
              ((rename_subst_fo_term s1 identity identity))
            =
            (rename_subst_fo_term (subst_compose_fo_term bnd1  s0 s1)
              identity identity)
            } ;
          nlmodel_subst_commutation_lemma_fo_formula_list v1
          ((rename_subst_symbol fr0 identity))
          ((rename_subst_symbol bnd0 identity))
          ((rename_subst_symbol s0 identity))
          ((rename_subst_fo_term fr1 identity identity))
          ((rename_subst_fo_term bnd1 identity identity))
          ((rename_subst_fo_term s1 identity identity)) ;
          assert {
            subst_compose_symbol (rename_subst_symbol fr0 identity)
              ((rename_subst_symbol s0 identity))
            = (rename_subst_symbol (subst_compose_symbol fr0 s0) identity) } ;
          assert {
            subst_compose_symbol (rename_subst_symbol bnd0 identity)
              ((rename_subst_symbol s0 identity))
            = (rename_subst_symbol (subst_compose_symbol bnd0  s0) identity)
            } ;
          assert {
            subst_compose_fo_term
              (rename_subst_fo_term fr1 identity identity)
              ((rename_subst_symbol s0 identity))
              ((rename_subst_fo_term s1 identity identity))
            =
            (rename_subst_fo_term (subst_compose_fo_term fr1 s0 s1) identity
              identity)
            } ;
          assert {
            subst_compose_fo_term
              (rename_subst_fo_term bnd1 identity identity)
              ((rename_subst_symbol s0 identity))
              ((rename_subst_fo_term s1 identity identity))
            =
            (rename_subst_fo_term (subst_compose_fo_term bnd1  s0 s1)
              identity identity)
            } ;
          ()
    end

  let lemma nlmodel_rename_commutation_lemma_fo_formula_list
    (t:nl_fo_formula_list 'b0 'b1) (fr0:'b0 -> (symbol 'c0))
    (bnd0: int -> (symbol 'c0)) (s0:'c0 -> 'd0)
    (fr1:'b1 -> (fo_term 'c0 'c1)) (bnd1: int -> (fo_term 'c0 'c1))
    (s1:'c1 -> 'd1) : unit
    ensures {
      nlmodel_fo_formula_list t (rename_subst_symbol fr0 s0)
        (rename_subst_symbol bnd0 s0) (rename_subst_fo_term fr1 s0 s1)
        (rename_subst_fo_term bnd1 s0 s1)
      =
      rename_fo_formula_list (nlmodel_fo_formula_list t fr0 bnd0 fr1 bnd1) s0
        s1
      }
    =
    nlmodel_subst_commutation_lemma_fo_formula_list t fr0 bnd0
      (subst_of_rename_symbol s0) fr1 bnd1 (subst_of_rename_fo_term s1)

  predicate correct_indexes_fo_formula_list (t:nl_fo_formula_list 'b0 'b1) =
    match t with | NL_FOFNil -> true
      | NL_FOFCons v0 v1 ->
        correct_indexes_fo_formula v0 /\ correct_indexes_fo_formula_list v1
    end

  function bound_depth_of_symbol_in_fo_formula_list
    (t:nl_fo_formula_list 'b0 'b1) : int =
    match t with | NL_FOFNil -> 0
      | NL_FOFCons v0 v1 ->
        let b = bound_depth_of_symbol_in_fo_formula v0 in let a = b in
          let b = bound_depth_of_symbol_in_fo_formula_list v1 in
          let a = if a > b then a else b in a
    end

  with bound_depth_of_fo_term_in_fo_formula_list
    (t:nl_fo_formula_list 'b0 'b1) : int =
    match t with | NL_FOFNil -> 0
      | NL_FOFCons v0 v1 ->
        let b = bound_depth_of_fo_term_in_fo_formula v0 in let a = b in
          let b = bound_depth_of_fo_term_in_fo_formula_list v1 in
          let a = if a > b then a else b in a
    end

  let rec lemma bound_depth_of_symbol_in_fo_formula_list_nonnegative
    (t:nl_fo_formula_list 'b0 'b1) : unit
    requires { correct_indexes_fo_formula_list t }
    ensures { bound_depth_of_symbol_in_fo_formula_list t >= 0 }
    variant { nlsize_fo_formula_list t } =
    match t with | NL_FOFNil -> ()
      | NL_FOFCons v0 v1 ->
        bound_depth_of_symbol_in_fo_formula_nonnegative v0 ;
          bound_depth_of_symbol_in_fo_formula_list_nonnegative v1 ; ()
    end

  with lemma bound_depth_of_fo_term_in_fo_formula_list_nonnegative
    (t:nl_fo_formula_list 'b0 'b1) : unit
    requires { correct_indexes_fo_formula_list t }
    ensures { bound_depth_of_fo_term_in_fo_formula_list t >= 0 }
    variant { nlsize_fo_formula_list t } =
    match t with | NL_FOFNil -> ()
      | NL_FOFCons v0 v1 ->
        bound_depth_of_fo_term_in_fo_formula_nonnegative v0 ;
          bound_depth_of_fo_term_in_fo_formula_list_nonnegative v1 ; ()
    end

  let rec lemma model_equal_fo_formula_list (t:nl_fo_formula_list 'b0 'b1)
    (fr10: 'b0 -> (symbol 'c0)) (fr20: 'b0 -> (symbol 'c0))
    (bnd10: int -> (symbol 'c0)) (bnd20: int -> (symbol 'c0))
    (fr11: 'b1 -> (fo_term 'c0 'c1)) (fr21: 'b1 -> (fo_term 'c0 'c1))
    (bnd11: int -> (fo_term 'c0 'c1)) (bnd21: int -> (fo_term 'c0 'c1)) :
    unit
    requires {
      forall i:int. 0 <= i < bound_depth_of_symbol_in_fo_formula_list t ->
        bnd10 i = bnd20 i
      }
    requires { fr10 = fr20 }
    requires {
      forall i:int. 0 <= i < bound_depth_of_fo_term_in_fo_formula_list t ->
        bnd11 i = bnd21 i
      }
    requires { fr11 = fr21 } requires { correct_indexes_fo_formula_list t }
    ensures { nlmodel_fo_formula_list t fr10 bnd10 fr11 bnd11 =
      nlmodel_fo_formula_list t fr20 bnd20 fr21 bnd21 }
    variant { nlsize_fo_formula_list t } =
    match t with | NL_FOFNil -> ()
      | NL_FOFCons v0 v1 ->
        model_equal_fo_formula v0 ((rename_subst_symbol fr10 identity))
          ((rename_subst_symbol fr20 identity))
          ((rename_subst_symbol bnd10 identity))
          ((rename_subst_symbol bnd20 identity))
          ((rename_subst_fo_term fr11 identity identity))
          ((rename_subst_fo_term fr21 identity identity))
          ((rename_subst_fo_term bnd11 identity identity))
          ((rename_subst_fo_term bnd21 identity identity)) ;
          model_equal_fo_formula_list v1
            ((rename_subst_symbol fr10 identity))
            ((rename_subst_symbol fr20 identity))
            ((rename_subst_symbol bnd10 identity))
            ((rename_subst_symbol bnd20 identity))
            ((rename_subst_fo_term fr11 identity identity))
            ((rename_subst_fo_term fr21 identity identity))
            ((rename_subst_fo_term bnd11 identity identity))
            ((rename_subst_fo_term bnd21 identity identity)) ;
          ()
    end

  predicate nlimpl_fo_formula_list_ok (t:nlimpl_fo_formula_list) =
    nlmodel_fo_formula_list t.nlrepr_fo_formula_list_field subst_id_symbol
      (const (Var_symbol ((-1)))) subst_id_fo_term
      (const (Var_fo_term ((-1)))) = t.model_fo_formula_list_field
    /\ correct_indexes_fo_formula_list t.nlrepr_fo_formula_list_field /\
    bound_depth_of_symbol_in_fo_formula_list t.nlrepr_fo_formula_list_field =
      0
    /\
    bound_depth_of_fo_term_in_fo_formula_list t.nlrepr_fo_formula_list_field
      = 0
    /\
    (forall x:int.
       is_symbol_free_var_in_fo_formula_list x t.model_fo_formula_list_field
       -> (x) < (t.nlfree_var_symbol_set_abstraction_fo_formula_list_field))
    /\
    (forall x:int.
       is_fo_term_free_var_in_fo_formula_list x t.model_fo_formula_list_field
       -> (x) < (t.nlfree_var_fo_term_set_abstraction_fo_formula_list_field))

  predicate cons_ok_fo_formula_list (c:cons_fo_formula_list) =
    match c with | NLC_FOFNil -> true
      | NLC_FOFCons v0 v1 -> nlimpl_fo_formula_ok v0 /\
        nlimpl_fo_formula_list_ok v1
    end

  predicate cons_rel_fo_formula_list (c:cons_fo_formula_list)
    (t:nlimpl_fo_formula_list) =
    match c with | NLC_FOFNil -> t.model_fo_formula_list_field = FOFNil
      | NLC_FOFCons v0 v1 -> t.model_fo_formula_list_field =
        FOFCons
          (rename_fo_formula v0.model_fo_formula_field identity identity)
          (rename_fo_formula_list v1.model_fo_formula_list_field identity
             identity)
    end

  predicate cons_open_rel_fo_formula_list (c:cons_fo_formula_list)
    (t:nlimpl_fo_formula_list) =
    match c with
      | NLC_FOFNil ->
        match t.model_fo_formula_list_field with | FOFNil -> true
          | FOFCons w0 w1 -> false
        end
      | NLC_FOFCons v0 v1 ->
        match t.model_fo_formula_list_field with | FOFNil -> false
          | FOFCons w0 w1 ->
            v0.model_fo_formula_field =
              (rename_fo_formula w0 identity identity) /\
              v1.model_fo_formula_list_field =
                (rename_fo_formula_list w1 identity identity)
        end
    end


end

module Impl
  use option.Option
  use int.Int
  use Nat.Nat
  use Functions.Func
  use OptionFuncs.Funcs
  use Sum.Sum
  use Firstorder_symbol_spec.Spec
  use Firstorder_symbol_impl.Types
  use Firstorder_symbol_impl.Logic
  use Firstorder_symbol_impl.Impl
  use Firstorder_term_spec.Spec
  use Firstorder_term_impl.Types
  use Firstorder_term_impl.Logic
  use Firstorder_term_impl.Impl
  use Firstorder_formula_spec.Spec
  use Firstorder_formula_impl.Types
  use Firstorder_formula_impl.Logic
  use Firstorder_formula_impl.Impl
  use Firstorder_formula_list_spec.Spec
  use Types
  use Logic
  let rec bind_var_symbol_in_fo_formula_list (t:nl_fo_formula_list int int)
    (x:int) (i:int) (ghost fr0: int -> (symbol 'b0))
    (ghost bnd0: int -> (symbol 'b0)) (ghost fr1: int -> (fo_term 'b0 'b1))
    (ghost bnd1: int -> (fo_term 'b0 'b1)) : nl_fo_formula_list int int
    requires { correct_indexes_fo_formula_list t }
    requires { bound_depth_of_symbol_in_fo_formula_list t <= i }
    variant { nlsize_fo_formula_list t }
    ensures { bound_depth_of_symbol_in_fo_formula_list result <= i + 1 }
    ensures { correct_indexes_fo_formula_list result }
    ensures { bound_depth_of_fo_term_in_fo_formula_list t =
      bound_depth_of_fo_term_in_fo_formula_list result }
    ensures { nlmodel_fo_formula_list result fr0 bnd0 fr1 bnd1 =
      nlmodel_fo_formula_list t (update fr0 x (bnd0 i)) bnd0 fr1 bnd1 }
    =
    match t with | NL_FOFNil -> NL_FOFNil
      | NL_FOFCons v0 v1 ->
        assert { (rename_symbol (bnd0 i) identity) =
          (eval ((rename_subst_symbol bnd0 identity)) (i+0)) };
          assert {
            extensionalEqual
              ((rename_subst_symbol (update fr0 x (bnd0 i)) identity))
              ((update ((rename_subst_symbol fr0 identity)) x
                  (rename_symbol (bnd0 i) identity)))
            };
          assert { (rename_subst_symbol (update fr0 x (bnd0 i)) identity) =
            (update ((rename_subst_symbol fr0 identity)) x
               (eval ((rename_subst_symbol bnd0 identity)) (i+0)))
            };
          assert { (rename_symbol (bnd0 i) identity) =
            (eval ((rename_subst_symbol bnd0 identity)) (i+0)) };
          assert {
            extensionalEqual
              ((rename_subst_symbol (update fr0 x (bnd0 i)) identity))
              ((update ((rename_subst_symbol fr0 identity)) x
                  (rename_symbol (bnd0 i) identity)))
            };
          assert { (rename_subst_symbol (update fr0 x (bnd0 i)) identity) =
            (update ((rename_subst_symbol fr0 identity)) x
               (eval ((rename_subst_symbol bnd0 identity)) (i+0)))
            };
          NL_FOFCons
            (bind_var_symbol_in_fo_formula v0 x (i+0)
               ((rename_subst_symbol fr0 identity))
               ((rename_subst_symbol bnd0 identity))
               ((rename_subst_fo_term fr1 identity identity))
               ((rename_subst_fo_term bnd1 identity identity)))
            (bind_var_symbol_in_fo_formula_list v1 x (i+0)
               ((rename_subst_symbol fr0 identity))
               ((rename_subst_symbol bnd0 identity))
               ((rename_subst_fo_term fr1 identity identity))
               ((rename_subst_fo_term bnd1 identity identity)))
    end

  with bind_var_fo_term_in_fo_formula_list (t:nl_fo_formula_list int int)
    (x:int) (i:int) (ghost fr0: int -> (symbol 'b0))
    (ghost bnd0: int -> (symbol 'b0)) (ghost fr1: int -> (fo_term 'b0 'b1))
    (ghost bnd1: int -> (fo_term 'b0 'b1)) : nl_fo_formula_list int int
    requires { correct_indexes_fo_formula_list t }
    requires { bound_depth_of_fo_term_in_fo_formula_list t <= i }
    variant { nlsize_fo_formula_list t }
    ensures { bound_depth_of_fo_term_in_fo_formula_list result <= i + 1 }
    ensures { correct_indexes_fo_formula_list result }
    ensures { bound_depth_of_symbol_in_fo_formula_list t =
      bound_depth_of_symbol_in_fo_formula_list result }
    ensures { nlmodel_fo_formula_list result fr0 bnd0 fr1 bnd1 =
      nlmodel_fo_formula_list t fr0 bnd0 (update fr1 x (bnd1 i)) bnd1 }
    =
    match t with | NL_FOFNil -> NL_FOFNil
      | NL_FOFCons v0 v1 ->
        assert { (rename_fo_term (bnd1 i) identity identity) =
          (eval ((rename_subst_fo_term bnd1 identity identity)) (i+0)) };
          assert {
            extensionalEqual
              ((rename_subst_fo_term (update fr1 x (bnd1 i)) identity
                 identity))
              ((update ((rename_subst_fo_term fr1 identity identity)) x
                  (rename_fo_term (bnd1 i) identity identity)))
            };
          assert {
            (rename_subst_fo_term (update fr1 x (bnd1 i)) identity identity)
            =
            (update ((rename_subst_fo_term fr1 identity identity)) x
               (eval ((rename_subst_fo_term bnd1 identity identity)) (i+0)))
            };
          assert { (rename_fo_term (bnd1 i) identity identity) =
            (eval ((rename_subst_fo_term bnd1 identity identity)) (i+0)) };
          assert {
            extensionalEqual
              ((rename_subst_fo_term (update fr1 x (bnd1 i)) identity
                 identity))
              ((update ((rename_subst_fo_term fr1 identity identity)) x
                  (rename_fo_term (bnd1 i) identity identity)))
            };
          assert {
            (rename_subst_fo_term (update fr1 x (bnd1 i)) identity identity)
            =
            (update ((rename_subst_fo_term fr1 identity identity)) x
               (eval ((rename_subst_fo_term bnd1 identity identity)) (i+0)))
            };
          NL_FOFCons
            (bind_var_fo_term_in_fo_formula v0 x (i+0)
               ((rename_subst_symbol fr0 identity))
               ((rename_subst_symbol bnd0 identity))
               ((rename_subst_fo_term fr1 identity identity))
               ((rename_subst_fo_term bnd1 identity identity)))
            (bind_var_fo_term_in_fo_formula_list v1 x (i+0)
               ((rename_subst_symbol fr0 identity))
               ((rename_subst_symbol bnd0 identity))
               ((rename_subst_fo_term fr1 identity identity))
               ((rename_subst_fo_term bnd1 identity identity)))
    end

  let rec unbind_var_symbol_in_fo_formula_list (t:nl_fo_formula_list int int)
    (i:int) (x:nl_symbol int) (ghost fr0: int -> (symbol 'b0))
    (ghost bnd10: int -> (symbol 'b0)) (ghost fr1: int -> (fo_term 'b0 'b1))
    (ghost bnd11: int -> (fo_term 'b0 'b1))
    (ghost bnd20: int -> (symbol 'b0)) : nl_fo_formula_list int int
    requires { i >= 0 } requires { correct_indexes_fo_formula_list t }
    requires { bound_depth_of_symbol_in_fo_formula_list t <= i + 1 }
    requires { correct_indexes_symbol x }
    requires { bound_depth_of_symbol_in_symbol x = 0 }
    variant { nlsize_fo_formula_list t }
    ensures { correct_indexes_fo_formula_list result }
    ensures { bound_depth_of_symbol_in_fo_formula_list result <= i }
    ensures { bound_depth_of_fo_term_in_fo_formula_list result =
      bound_depth_of_fo_term_in_fo_formula_list t }
    ensures { nlmodel_fo_formula_list result fr0 bnd10 fr1 bnd11 =
      nlmodel_fo_formula_list t fr0
        (update bnd10 i (nlmodel_symbol x fr0 bnd20)) fr1 bnd11
      }
    =
    match t with | NL_FOFNil -> NL_FOFNil
      | NL_FOFCons v0 v1 ->
        assert { rename_symbol (nlmodel_symbol x fr0 bnd20) identity =
          nlmodel_symbol x ((rename_subst_symbol fr0 identity))
            ((rename_subst_symbol bnd20 identity))
          } ;
          assert {
            extensionalEqual
              ((rename_subst_symbol
                 (update bnd10 i (nlmodel_symbol x fr0 bnd20)) identity))
              (update ((rename_subst_symbol bnd10 identity)) (i+0)
                 (rename_symbol (nlmodel_symbol x fr0 bnd20) identity))
            } ;
          assert {
            (rename_subst_symbol
              (update bnd10 i (nlmodel_symbol x fr0 bnd20)) identity)
            =
            update ((rename_subst_symbol bnd10 identity)) (i+0)
              (nlmodel_symbol x ((rename_subst_symbol fr0 identity))
                 ((rename_subst_symbol bnd20 identity)))
            } ;
          assert { rename_symbol (nlmodel_symbol x fr0 bnd20) identity =
            nlmodel_symbol x ((rename_subst_symbol fr0 identity))
              ((rename_subst_symbol bnd20 identity))
            } ;
          assert {
            extensionalEqual
              ((rename_subst_symbol
                 (update bnd10 i (nlmodel_symbol x fr0 bnd20)) identity))
              (update ((rename_subst_symbol bnd10 identity)) (i+0)
                 (rename_symbol (nlmodel_symbol x fr0 bnd20) identity))
            } ;
          assert {
            (rename_subst_symbol
              (update bnd10 i (nlmodel_symbol x fr0 bnd20)) identity)
            =
            update ((rename_subst_symbol bnd10 identity)) (i+0)
              (nlmodel_symbol x ((rename_subst_symbol fr0 identity))
                 ((rename_subst_symbol bnd20 identity)))
            } ;
          NL_FOFCons
            (unbind_var_symbol_in_fo_formula v0 (i+0) x
               ((rename_subst_symbol fr0 identity))
               ((rename_subst_symbol bnd10 identity))
               ((rename_subst_fo_term fr1 identity identity))
               ((rename_subst_fo_term bnd11 identity identity))
               ((rename_subst_symbol bnd20 identity)))
            (unbind_var_symbol_in_fo_formula_list v1 (i+0) x
               ((rename_subst_symbol fr0 identity))
               ((rename_subst_symbol bnd10 identity))
               ((rename_subst_fo_term fr1 identity identity))
               ((rename_subst_fo_term bnd11 identity identity))
               ((rename_subst_symbol bnd20 identity)))
    end

  with unbind_var_fo_term_in_fo_formula_list (t:nl_fo_formula_list int int)
    (i:int) (x:nl_fo_term int int) (ghost fr0: int -> (symbol 'b0))
    (ghost bnd10: int -> (symbol 'b0)) (ghost fr1: int -> (fo_term 'b0 'b1))
    (ghost bnd11: int -> (fo_term 'b0 'b1))
    (ghost bnd20: int -> (symbol 'b0))
    (ghost bnd21: int -> (fo_term 'b0 'b1)) : nl_fo_formula_list int int
    requires { i >= 0 } requires { correct_indexes_fo_formula_list t }
    requires { bound_depth_of_fo_term_in_fo_formula_list t <= i + 1 }
    requires { correct_indexes_fo_term x }
    requires { bound_depth_of_symbol_in_fo_term x = 0 }
    requires { bound_depth_of_fo_term_in_fo_term x = 0 }
    variant { nlsize_fo_formula_list t }
    ensures { correct_indexes_fo_formula_list result }
    ensures { bound_depth_of_fo_term_in_fo_formula_list result <= i }
    ensures { bound_depth_of_symbol_in_fo_formula_list result =
      bound_depth_of_symbol_in_fo_formula_list t }
    ensures { nlmodel_fo_formula_list result fr0 bnd10 fr1 bnd11 =
      nlmodel_fo_formula_list t fr0 bnd10 fr1
        (update bnd11 i (nlmodel_fo_term x fr0 bnd20 fr1 bnd21))
      }
    =
    match t with | NL_FOFNil -> NL_FOFNil
      | NL_FOFCons v0 v1 ->
        assert {
          rename_fo_term (nlmodel_fo_term x fr0 bnd20 fr1 bnd21) identity
            identity
          =
          nlmodel_fo_term x ((rename_subst_symbol fr0 identity))
            ((rename_subst_symbol bnd20 identity))
            ((rename_subst_fo_term fr1 identity identity))
            ((rename_subst_fo_term bnd21 identity identity))
          } ;
          assert {
            extensionalEqual
              ((rename_subst_fo_term
                 (update bnd11 i (nlmodel_fo_term x fr0 bnd20 fr1 bnd21))
                 identity identity))
              (update ((rename_subst_fo_term bnd11 identity identity)) (i+0)
                 (rename_fo_term (nlmodel_fo_term x fr0 bnd20 fr1 bnd21)
                    identity identity))
            } ;
          assert {
            (rename_subst_fo_term
              (update bnd11 i (nlmodel_fo_term x fr0 bnd20 fr1 bnd21))
              identity identity)
            =
            update ((rename_subst_fo_term bnd11 identity identity)) (i+0)
              (nlmodel_fo_term x ((rename_subst_symbol fr0 identity))
                 ((rename_subst_symbol bnd20 identity))
                 ((rename_subst_fo_term fr1 identity identity))
                 ((rename_subst_fo_term bnd21 identity identity)))
            } ;
          assert {
            rename_fo_term (nlmodel_fo_term x fr0 bnd20 fr1 bnd21) identity
              identity
            =
            nlmodel_fo_term x ((rename_subst_symbol fr0 identity))
              ((rename_subst_symbol bnd20 identity))
              ((rename_subst_fo_term fr1 identity identity))
              ((rename_subst_fo_term bnd21 identity identity))
            } ;
          assert {
            extensionalEqual
              ((rename_subst_fo_term
                 (update bnd11 i (nlmodel_fo_term x fr0 bnd20 fr1 bnd21))
                 identity identity))
              (update ((rename_subst_fo_term bnd11 identity identity)) (i+0)
                 (rename_fo_term (nlmodel_fo_term x fr0 bnd20 fr1 bnd21)
                    identity identity))
            } ;
          assert {
            (rename_subst_fo_term
              (update bnd11 i (nlmodel_fo_term x fr0 bnd20 fr1 bnd21))
              identity identity)
            =
            update ((rename_subst_fo_term bnd11 identity identity)) (i+0)
              (nlmodel_fo_term x ((rename_subst_symbol fr0 identity))
                 ((rename_subst_symbol bnd20 identity))
                 ((rename_subst_fo_term fr1 identity identity))
                 ((rename_subst_fo_term bnd21 identity identity)))
            } ;
          NL_FOFCons
            (unbind_var_fo_term_in_fo_formula v0 (i+0) x
               ((rename_subst_symbol fr0 identity))
               ((rename_subst_symbol bnd10 identity))
               ((rename_subst_fo_term fr1 identity identity))
               ((rename_subst_fo_term bnd11 identity identity))
               ((rename_subst_symbol bnd20 identity))
               ((rename_subst_fo_term bnd21 identity identity)))
            (unbind_var_fo_term_in_fo_formula_list v1 (i+0) x
               ((rename_subst_symbol fr0 identity))
               ((rename_subst_symbol bnd10 identity))
               ((rename_subst_fo_term fr1 identity identity))
               ((rename_subst_fo_term bnd11 identity identity))
               ((rename_subst_symbol bnd20 identity))
               ((rename_subst_fo_term bnd21 identity identity)))
    end

  let rec subst_base_symbol_in_fo_formula_list (t:nl_fo_formula_list int int)
    (x:int) (u:nl_symbol int) (ghost fr0: int -> (symbol 'b0))
    (ghost bnd10: int -> (symbol 'b0)) (ghost fr1: int -> (fo_term 'b0 'b1))
    (ghost bnd11: int -> (fo_term 'b0 'b1))
    (ghost bnd20: int -> (symbol 'b0)) : nl_fo_formula_list int int
    requires { correct_indexes_fo_formula_list t }
    requires { correct_indexes_symbol u }
    requires { bound_depth_of_symbol_in_symbol u = 0 }
    variant { nlsize_fo_formula_list t }
    ensures { correct_indexes_fo_formula_list result }
     ensures { bound_depth_of_symbol_in_fo_formula_list result =
       bound_depth_of_symbol_in_fo_formula_list t }
    ensures { bound_depth_of_fo_term_in_fo_formula_list result =
      bound_depth_of_fo_term_in_fo_formula_list t }
    ensures { nlmodel_fo_formula_list result fr0 bnd10 fr1 bnd11 =
      nlmodel_fo_formula_list t (update fr0 x (nlmodel_symbol u fr0 bnd20))
        bnd10 fr1 bnd11
      }
    =
    match t with | NL_FOFNil -> NL_FOFNil
      | NL_FOFCons v0 v1 ->
        assert { rename_symbol (nlmodel_symbol u fr0 bnd20) identity =
          nlmodel_symbol u ((rename_subst_symbol fr0 identity))
            ((rename_subst_symbol bnd20 identity))
          } ;
          assert {
            extensionalEqual
              ((rename_subst_symbol
                 (update fr0 x (nlmodel_symbol u fr0 bnd20)) identity))
              (update ((rename_subst_symbol fr0 identity)) x
                 (rename_symbol (nlmodel_symbol u fr0 bnd20) identity))
            } ;
          assert {
            (rename_subst_symbol (update fr0 x (nlmodel_symbol u fr0 bnd20))
              identity)
            =
            update ((rename_subst_symbol fr0 identity)) x
              (nlmodel_symbol u ((rename_subst_symbol fr0 identity))
                 ((rename_subst_symbol bnd20 identity)))
            } ;
          assert { rename_symbol (nlmodel_symbol u fr0 bnd20) identity =
            nlmodel_symbol u ((rename_subst_symbol fr0 identity))
              ((rename_subst_symbol bnd20 identity))
            } ;
          assert {
            extensionalEqual
              ((rename_subst_symbol
                 (update fr0 x (nlmodel_symbol u fr0 bnd20)) identity))
              (update ((rename_subst_symbol fr0 identity)) x
                 (rename_symbol (nlmodel_symbol u fr0 bnd20) identity))
            } ;
          assert {
            (rename_subst_symbol (update fr0 x (nlmodel_symbol u fr0 bnd20))
              identity)
            =
            update ((rename_subst_symbol fr0 identity)) x
              (nlmodel_symbol u ((rename_subst_symbol fr0 identity))
                 ((rename_subst_symbol bnd20 identity)))
            } ;
          NL_FOFCons
            (subst_base_symbol_in_fo_formula v0 x u
               ((rename_subst_symbol fr0 identity))
               ((rename_subst_symbol bnd10 identity))
               ((rename_subst_fo_term fr1 identity identity))
               ((rename_subst_fo_term bnd11 identity identity))
               ((rename_subst_symbol bnd20 identity)))
            (subst_base_symbol_in_fo_formula_list v1 x u
               ((rename_subst_symbol fr0 identity))
               ((rename_subst_symbol bnd10 identity))
               ((rename_subst_fo_term fr1 identity identity))
               ((rename_subst_fo_term bnd11 identity identity))
               ((rename_subst_symbol bnd20 identity)))
    end

  with subst_base_fo_term_in_fo_formula_list (t:nl_fo_formula_list int int)
    (x:int) (u:nl_fo_term int int) (ghost fr0: int -> (symbol 'b0))
    (ghost bnd10: int -> (symbol 'b0)) (ghost fr1: int -> (fo_term 'b0 'b1))
    (ghost bnd11: int -> (fo_term 'b0 'b1))
    (ghost bnd20: int -> (symbol 'b0))
    (ghost bnd21: int -> (fo_term 'b0 'b1)) : nl_fo_formula_list int int
    requires { correct_indexes_fo_formula_list t }
    requires { correct_indexes_fo_term u }
    requires { bound_depth_of_symbol_in_fo_term u = 0 }
    requires { bound_depth_of_fo_term_in_fo_term u = 0 }
    variant { nlsize_fo_formula_list t }
    ensures { correct_indexes_fo_formula_list result }
     ensures { bound_depth_of_symbol_in_fo_formula_list result =
       bound_depth_of_symbol_in_fo_formula_list t }
    ensures { bound_depth_of_fo_term_in_fo_formula_list result =
      bound_depth_of_fo_term_in_fo_formula_list t }
    ensures { nlmodel_fo_formula_list result fr0 bnd10 fr1 bnd11 =
      nlmodel_fo_formula_list t fr0 bnd10
        (update fr1 x (nlmodel_fo_term u fr0 bnd20 fr1 bnd21)) bnd11
      }
    =
    match t with | NL_FOFNil -> NL_FOFNil
      | NL_FOFCons v0 v1 ->
        assert {
          rename_fo_term (nlmodel_fo_term u fr0 bnd20 fr1 bnd21) identity
            identity
          =
          nlmodel_fo_term u ((rename_subst_symbol fr0 identity))
            ((rename_subst_symbol bnd20 identity))
            ((rename_subst_fo_term fr1 identity identity))
            ((rename_subst_fo_term bnd21 identity identity))
          } ;
          assert {
            extensionalEqual
              ((rename_subst_fo_term
                 (update fr1 x (nlmodel_fo_term u fr0 bnd20 fr1 bnd21))
                 identity identity))
              (update ((rename_subst_fo_term fr1 identity identity)) x
                 (rename_fo_term (nlmodel_fo_term u fr0 bnd20 fr1 bnd21)
                    identity identity))
            } ;
          assert {
            (rename_subst_fo_term
              (update fr1 x (nlmodel_fo_term u fr0 bnd20 fr1 bnd21)) identity
              identity)
            =
            update ((rename_subst_fo_term fr1 identity identity)) x
              (nlmodel_fo_term u ((rename_subst_symbol fr0 identity))
                 ((rename_subst_symbol bnd20 identity))
                 ((rename_subst_fo_term fr1 identity identity))
                 ((rename_subst_fo_term bnd21 identity identity)))
            } ;
          assert {
            rename_fo_term (nlmodel_fo_term u fr0 bnd20 fr1 bnd21) identity
              identity
            =
            nlmodel_fo_term u ((rename_subst_symbol fr0 identity))
              ((rename_subst_symbol bnd20 identity))
              ((rename_subst_fo_term fr1 identity identity))
              ((rename_subst_fo_term bnd21 identity identity))
            } ;
          assert {
            extensionalEqual
              ((rename_subst_fo_term
                 (update fr1 x (nlmodel_fo_term u fr0 bnd20 fr1 bnd21))
                 identity identity))
              (update ((rename_subst_fo_term fr1 identity identity)) x
                 (rename_fo_term (nlmodel_fo_term u fr0 bnd20 fr1 bnd21)
                    identity identity))
            } ;
          assert {
            (rename_subst_fo_term
              (update fr1 x (nlmodel_fo_term u fr0 bnd20 fr1 bnd21)) identity
              identity)
            =
            update ((rename_subst_fo_term fr1 identity identity)) x
              (nlmodel_fo_term u ((rename_subst_symbol fr0 identity))
                 ((rename_subst_symbol bnd20 identity))
                 ((rename_subst_fo_term fr1 identity identity))
                 ((rename_subst_fo_term bnd21 identity identity)))
            } ;
          NL_FOFCons
            (subst_base_fo_term_in_fo_formula v0 x u
               ((rename_subst_symbol fr0 identity))
               ((rename_subst_symbol bnd10 identity))
               ((rename_subst_fo_term fr1 identity identity))
               ((rename_subst_fo_term bnd11 identity identity))
               ((rename_subst_symbol bnd20 identity))
               ((rename_subst_fo_term bnd21 identity identity)))
            (subst_base_fo_term_in_fo_formula_list v1 x u
               ((rename_subst_symbol fr0 identity))
               ((rename_subst_symbol bnd10 identity))
               ((rename_subst_fo_term fr1 identity identity))
               ((rename_subst_fo_term bnd11 identity identity))
               ((rename_subst_symbol bnd20 identity))
               ((rename_subst_fo_term bnd21 identity identity)))
    end

  let construct_fo_formula_list (c:cons_fo_formula_list) :
    nlimpl_fo_formula_list requires { cons_ok_fo_formula_list c }
    ensures { nlimpl_fo_formula_list_ok result }
    ensures { cons_rel_fo_formula_list c result }
    (*ensures { cons_open_rel_fo_formula_list c result }*) =
    match c with
      | NLC_FOFNil ->
        let res =
          { nlrepr_fo_formula_list_field = (NL_FOFNil) ;
            nlfree_var_symbol_set_abstraction_fo_formula_list_field = 0 ;
            nlfree_var_fo_term_set_abstraction_fo_formula_list_field = 0 ;
            model_fo_formula_list_field = ghost (FOFNil) ;
          }
        in
        assert {
          forall x:int.
            is_symbol_free_var_in_fo_formula_list x
              res.model_fo_formula_list_field
            -> (false) && (x) <
            (res.nlfree_var_symbol_set_abstraction_fo_formula_list_field)
          } ;
        assert {
          forall x:int.
            is_fo_term_free_var_in_fo_formula_list x
              res.model_fo_formula_list_field
            -> (false) && (x) <
            (res.nlfree_var_fo_term_set_abstraction_fo_formula_list_field)
          } ;
        res
      | NLC_FOFCons v0 v1 -> assert { nlimpl_fo_formula_ok v0 } ;
        assert { nlimpl_fo_formula_list_ok v1 } ;
        let res =
          {
            nlrepr_fo_formula_list_field =
              (NL_FOFCons (let v0 = v0.nlrepr_fo_formula_field in v0)
                 (let v1 = v1.nlrepr_fo_formula_list_field in v1)) ;
            nlfree_var_symbol_set_abstraction_fo_formula_list_field =
              (let aux (a:int) (b:int) : int
                 ensures { result >= a /\ result >= b } =
                 if a < b then b else a in
                 aux (v0.nlfree_var_symbol_set_abstraction_fo_formula_field)
                   (v1.nlfree_var_symbol_set_abstraction_fo_formula_list_field)) ;
            nlfree_var_fo_term_set_abstraction_fo_formula_list_field =
              (let aux (a:int) (b:int) : int
                 ensures { result >= a /\ result >= b } =
                 if a < b then b else a in
                 aux (v0.nlfree_var_fo_term_set_abstraction_fo_formula_field)
                   (v1.nlfree_var_fo_term_set_abstraction_fo_formula_list_field)) ;
            model_fo_formula_list_field = ghost
              (FOFCons
                 (rename_fo_formula v0.model_fo_formula_field identity
                    identity)
                 (rename_fo_formula_list v1.model_fo_formula_list_field
                    identity identity)) ;
          }
        in
        assert {
          forall x:int.
            is_symbol_free_var_in_fo_formula x
              (rename_fo_formula v0.model_fo_formula_field identity identity)
            ->
            (forall y:int.
               (is_symbol_free_var_in_fo_formula y v0.model_fo_formula_field
               /\ eval (identity) y = x) -> x = eval (identity) y &&
               x = y &&
               is_symbol_free_var_in_fo_formula x v0.model_fo_formula_field)
            && is_symbol_free_var_in_fo_formula x v0.model_fo_formula_field
            && (x) < (v0.nlfree_var_symbol_set_abstraction_fo_formula_field)
            && (x) <
            (res.nlfree_var_symbol_set_abstraction_fo_formula_list_field)
          } ;
        assert {
          forall x:int.
            is_fo_term_free_var_in_fo_formula x
              (rename_fo_formula v0.model_fo_formula_field identity identity)
            ->
            (forall y:int.
               (is_fo_term_free_var_in_fo_formula y v0.model_fo_formula_field
               /\ eval (identity) y = x) -> x = eval (identity) y &&
               x = y &&
               is_fo_term_free_var_in_fo_formula x v0.model_fo_formula_field)
            && is_fo_term_free_var_in_fo_formula x v0.model_fo_formula_field
            && (x) < (v0.nlfree_var_fo_term_set_abstraction_fo_formula_field)
            && (x) <
            (res.nlfree_var_fo_term_set_abstraction_fo_formula_list_field)
          } ;
        assert {
          forall x:int.
            is_symbol_free_var_in_fo_formula_list x
              (rename_fo_formula_list v1.model_fo_formula_list_field identity
                 identity)
            ->
            (forall y:int.
               (is_symbol_free_var_in_fo_formula_list y
                  v1.model_fo_formula_list_field
               /\ eval (identity) y = x) -> x = eval (identity) y &&
               x = y &&
               is_symbol_free_var_in_fo_formula_list x
                 v1.model_fo_formula_list_field)
            &&
            is_symbol_free_var_in_fo_formula_list x
              v1.model_fo_formula_list_field
            && (x) <
            (v1.nlfree_var_symbol_set_abstraction_fo_formula_list_field) &&
            (x) <
            (res.nlfree_var_symbol_set_abstraction_fo_formula_list_field)
          } ;
        assert {
          forall x:int.
            is_fo_term_free_var_in_fo_formula_list x
              (rename_fo_formula_list v1.model_fo_formula_list_field identity
                 identity)
            ->
            (forall y:int.
               (is_fo_term_free_var_in_fo_formula_list y
                  v1.model_fo_formula_list_field
               /\ eval (identity) y = x) -> x = eval (identity) y &&
               x = y &&
               is_fo_term_free_var_in_fo_formula_list x
                 v1.model_fo_formula_list_field)
            &&
            is_fo_term_free_var_in_fo_formula_list x
              v1.model_fo_formula_list_field
            && (x) <
            (v1.nlfree_var_fo_term_set_abstraction_fo_formula_list_field) &&
            (x) <
            (res.nlfree_var_fo_term_set_abstraction_fo_formula_list_field)
          } ;
        assert {
          forall x:int.
            is_symbol_free_var_in_fo_formula_list x
              res.model_fo_formula_list_field
            ->
            (is_symbol_free_var_in_fo_formula x
               (rename_fo_formula v0.model_fo_formula_field identity identity)
               \/
               is_symbol_free_var_in_fo_formula_list x
                 (rename_fo_formula_list v1.model_fo_formula_list_field
                    identity identity))
            && (x) <
            (res.nlfree_var_symbol_set_abstraction_fo_formula_list_field)
          } ;
        assert {
          forall x:int.
            is_fo_term_free_var_in_fo_formula_list x
              res.model_fo_formula_list_field
            ->
            (is_fo_term_free_var_in_fo_formula x
               (rename_fo_formula v0.model_fo_formula_field identity identity)
               \/
               is_fo_term_free_var_in_fo_formula_list x
                 (rename_fo_formula_list v1.model_fo_formula_list_field
                    identity identity))
            && (x) <
            (res.nlfree_var_fo_term_set_abstraction_fo_formula_list_field)
          } ;
        assert {
          extensionalEqual (rename_subst_symbol subst_id_symbol identity)
            ((rename_subst_symbol (subst_id_symbol:(int)->(symbol (int)))
                identity))
          } ;
        assert { rename_subst_symbol subst_id_symbol identity =
          (rename_subst_symbol (subst_id_symbol:(int)->(symbol (int)))
             identity)
          } ;
        assert {
          extensionalEqual
            (rename_subst_fo_term subst_id_fo_term identity identity)
            ((rename_subst_fo_term
                (subst_id_fo_term:(int)->(fo_term (int) (int))) identity
                identity))
          } ;
        assert { rename_subst_fo_term subst_id_fo_term identity identity =
          (rename_subst_fo_term
             (subst_id_fo_term:(int)->(fo_term (int) (int))) identity
             identity)
          } ;
        model_equal_fo_formula v0.nlrepr_fo_formula_field
          (rename_subst_symbol subst_id_symbol identity)
          (rename_subst_symbol subst_id_symbol identity)
          ((rename_subst_symbol (const (Var_symbol (-1))) identity))
          (rename_subst_symbol (const (Var_symbol (-1))) identity)
          (rename_subst_fo_term subst_id_fo_term identity identity)
          (rename_subst_fo_term subst_id_fo_term identity identity)
          ((rename_subst_fo_term (const (Var_fo_term (-1))) identity
             identity))
          (rename_subst_fo_term (const (Var_fo_term (-1))) identity identity) ;
        (*assert {
            extensionalEqual (rcompose (identity) (identity))
              ((identity : (int) -> (int)))
            } ;
        assert { rcompose (identity) (identity) = (identity : (int) -> (int))
          } ;*)
        (*assert {
            extensionalEqual (rcompose (identity) (identity))
              ((identity : (int) -> (int)))
            } ;
        assert { rcompose (identity) (identity) = (identity : (int) -> (int))
          } ;*)
        assert {
          extensionalEqual (rename_subst_symbol subst_id_symbol identity)
            ((rename_subst_symbol (subst_id_symbol:(int)->(symbol (int)))
                identity))
          } ;
        assert { rename_subst_symbol subst_id_symbol identity =
          (rename_subst_symbol (subst_id_symbol:(int)->(symbol (int)))
             identity)
          } ;
        assert {
          extensionalEqual
            (rename_subst_fo_term subst_id_fo_term identity identity)
            ((rename_subst_fo_term
                (subst_id_fo_term:(int)->(fo_term (int) (int))) identity
                identity))
          } ;
        assert { rename_subst_fo_term subst_id_fo_term identity identity =
          (rename_subst_fo_term
             (subst_id_fo_term:(int)->(fo_term (int) (int))) identity
             identity)
          } ;
        model_equal_fo_formula_list v1.nlrepr_fo_formula_list_field
          (rename_subst_symbol subst_id_symbol identity)
          (rename_subst_symbol subst_id_symbol identity)
          ((rename_subst_symbol (const (Var_symbol (-1))) identity))
          (rename_subst_symbol (const (Var_symbol (-1))) identity)
          (rename_subst_fo_term subst_id_fo_term identity identity)
          (rename_subst_fo_term subst_id_fo_term identity identity)
          ((rename_subst_fo_term (const (Var_fo_term (-1))) identity
             identity))
          (rename_subst_fo_term (const (Var_fo_term (-1))) identity identity) ;
        (*assert {
            extensionalEqual (rcompose (identity) (identity))
              ((identity : (int) -> (int)))
            } ;
        assert { rcompose (identity) (identity) = (identity : (int) -> (int))
          } ;*)
        (*assert {
            extensionalEqual (rcompose (identity) (identity))
              ((identity : (int) -> (int)))
            } ;
        assert { rcompose (identity) (identity) = (identity : (int) -> (int))
          } ;*)
        res
    end

  let destruct_fo_formula_list (t:nlimpl_fo_formula_list) :
    cons_fo_formula_list requires { nlimpl_fo_formula_list_ok t }
    ensures { cons_ok_fo_formula_list result }
    ensures { cons_rel_fo_formula_list result t }
    ensures { cons_open_rel_fo_formula_list result t } =
    let fv0 = t.nlfree_var_symbol_set_abstraction_fo_formula_list_field in
    let fv1 = t.nlfree_var_fo_term_set_abstraction_fo_formula_list_field in
    match t.nlrepr_fo_formula_list_field with
      | NL_FOFNil ->
        assert { t.model_fo_formula_list_field = FOFNil } ;
          let () =
            match t.model_fo_formula_list_field with | FOFNil -> ()
              | FOFCons x0 x1 -> absurd
            end
          in let res = NLC_FOFNil in res
      | NL_FOFCons v0 v1 ->
        assert { t.model_fo_formula_list_field =
          FOFCons
            (nlmodel_fo_formula v0
               (rename_subst_symbol subst_id_symbol identity)
               (rename_subst_symbol
                 (const (Var_symbol (-1)) : int -> (symbol int)) identity)
               (rename_subst_fo_term subst_id_fo_term identity identity)
               (rename_subst_fo_term
                 (const (Var_fo_term (-1)) : int -> (fo_term int int))
                 identity identity))
            (nlmodel_fo_formula_list v1
               (rename_subst_symbol subst_id_symbol identity)
               (rename_subst_symbol
                 (const (Var_symbol (-1)) : int -> (symbol int)) identity)
               (rename_subst_fo_term subst_id_fo_term identity identity)
               (rename_subst_fo_term
                 (const (Var_fo_term (-1)) : int -> (fo_term int int))
                 identity identity))
          } ;
          let (mv0 , mv1) =
            match t.model_fo_formula_list_field with | FOFNil -> absurd
              | FOFCons x0 x1 -> (x0 , x1)
            end
          in
          assert { mv0 =
            nlmodel_fo_formula v0
              ((rename_subst_symbol subst_id_symbol identity))
              ((rename_subst_symbol
                 (const (Var_symbol (-1)) : int -> (symbol int)) identity))
              ((rename_subst_fo_term subst_id_fo_term identity identity))
              ((rename_subst_fo_term
                 (const (Var_fo_term (-1)) : int -> (fo_term int int))
                 identity identity))
            } ;
          assert { mv1 =
            nlmodel_fo_formula_list v1
              ((rename_subst_symbol subst_id_symbol identity))
              ((rename_subst_symbol
                 (const (Var_symbol (-1)) : int -> (symbol int)) identity))
              ((rename_subst_fo_term subst_id_fo_term identity identity))
              ((rename_subst_fo_term
                 (const (Var_fo_term (-1)) : int -> (fo_term int int))
                 identity identity))
            } ;
          assert { bound_depth_of_symbol_in_fo_formula v0 <= 0 } ;
          assert {
            forall x:int. is_symbol_free_var_in_fo_formula x mv0 ->
              is_symbol_free_var_in_fo_formula_list x
                t.model_fo_formula_list_field
              && (x) <
              (t.nlfree_var_symbol_set_abstraction_fo_formula_list_field)
            } ;
          assert { bound_depth_of_fo_term_in_fo_formula v0 <= 0 } ;
          assert {
            forall x:int. is_fo_term_free_var_in_fo_formula x mv0 ->
              is_fo_term_free_var_in_fo_formula_list x
                t.model_fo_formula_list_field
              && (x) <
              (t.nlfree_var_fo_term_set_abstraction_fo_formula_list_field)
            } ;
          assert { bound_depth_of_symbol_in_fo_formula_list v1 <= 0 } ;
          assert {
            forall x:int. is_symbol_free_var_in_fo_formula_list x mv1 ->
              is_symbol_free_var_in_fo_formula_list x
                t.model_fo_formula_list_field
              && (x) <
              (t.nlfree_var_symbol_set_abstraction_fo_formula_list_field)
            } ;
          assert { bound_depth_of_fo_term_in_fo_formula_list v1 <= 0 } ;
          assert {
            forall x:int. is_fo_term_free_var_in_fo_formula_list x mv1 ->
              is_fo_term_free_var_in_fo_formula_list x
                t.model_fo_formula_list_field
              && (x) <
              (t.nlfree_var_fo_term_set_abstraction_fo_formula_list_field)
            } ;
          model_equal_fo_formula v0 subst_id_symbol
            (rename_subst_symbol
               ((rename_subst_symbol subst_id_symbol identity)) (identity)) ((
            const (Var_symbol (-1)) : int -> (symbol int)))
            (rename_subst_symbol
               ((rename_subst_symbol
                  (const (Var_symbol (-1)) : int -> (symbol int)) identity))
               (identity))
            subst_id_fo_term
            (rename_subst_fo_term
               ((rename_subst_fo_term subst_id_fo_term identity identity))
               (identity) (identity)) ((const (Var_fo_term (-1)) :
                                          int -> (fo_term int int)))
            (rename_subst_fo_term
               ((rename_subst_fo_term
                  (const (Var_fo_term (-1)) : int -> (fo_term int int))
                  identity identity))
               (identity) (identity)) ;
          model_equal_fo_formula_list v1 subst_id_symbol
            (rename_subst_symbol
               ((rename_subst_symbol subst_id_symbol identity)) (identity)) ((
            const (Var_symbol (-1)) : int -> (symbol int)))
            (rename_subst_symbol
               ((rename_subst_symbol
                  (const (Var_symbol (-1)) : int -> (symbol int)) identity))
               (identity))
            subst_id_fo_term
            (rename_subst_fo_term
               ((rename_subst_fo_term subst_id_fo_term identity identity))
               (identity) (identity)) ((const (Var_fo_term (-1)) :
                                          int -> (fo_term int int)))
            (rename_subst_fo_term
               ((rename_subst_fo_term
                  (const (Var_fo_term (-1)) : int -> (fo_term int int))
                  identity identity))
               (identity) (identity)) ;
          let ghost mrv0 = rename_fo_formula mv0 identity identity in
          let ghost mrv1 = rename_fo_formula_list mv1 identity identity in
          let resv0 =
            { nlrepr_fo_formula_field = v0 ;
              nlfree_var_symbol_set_abstraction_fo_formula_field = fv0 ;
              nlfree_var_fo_term_set_abstraction_fo_formula_field = fv1 ;
              model_fo_formula_field = ghost mrv0 ;
            }
          in
          let resv1 =
            { nlrepr_fo_formula_list_field = v1 ;
              nlfree_var_symbol_set_abstraction_fo_formula_list_field = fv0 ;
              nlfree_var_fo_term_set_abstraction_fo_formula_list_field =
                fv1 ;
              model_fo_formula_list_field = ghost mrv1 ;
            }
          in let res = NLC_FOFCons resv0 resv1 in
          free_var_equivalence_of_rename_fo_formula mv0 (identity)
            (rcompose (identity) (identity)) (identity)
            (rcompose (identity) (identity)) ;
          free_var_equivalence_of_rename_fo_formula_list mv1 (identity)
            (rcompose (identity) (identity)) (identity)
            (rcompose (identity) (identity)) ;
          assert {
            forall x:int. is_symbol_free_var_in_fo_formula x mrv0 ->
              (forall y:int.
                 (is_symbol_free_var_in_fo_formula y mv0 /\ eval (identity) y
                    = x)
                 -> x = y &&
                 is_symbol_free_var_in_fo_formula_list x
                   t.model_fo_formula_list_field
                 && (x) < (fv0))
              && (x) < (fv0)
            } ;
          assert {
            forall x:int. is_fo_term_free_var_in_fo_formula x mrv0 ->
              (forall y:int.
                 (is_fo_term_free_var_in_fo_formula y mv0 /\
                    eval (identity) y = x)
                 -> x = y &&
                 is_fo_term_free_var_in_fo_formula_list x
                   t.model_fo_formula_list_field
                 && (x) < (fv1))
              && (x) < (fv1)
            } ;
          assert {
            forall x:int. is_symbol_free_var_in_fo_formula_list x mrv1 ->
              (forall y:int.
                 (is_symbol_free_var_in_fo_formula_list y mv1 /\
                    eval (identity) y = x)
                 -> x = y &&
                 is_symbol_free_var_in_fo_formula_list x
                   t.model_fo_formula_list_field
                 && (x) < (fv0))
              && (x) < (fv0)
            } ;
          assert {
            forall x:int. is_fo_term_free_var_in_fo_formula_list x mrv1 ->
              (forall y:int.
                 (is_fo_term_free_var_in_fo_formula_list y mv1 /\
                    eval (identity) y = x)
                 -> x = y &&
                 is_fo_term_free_var_in_fo_formula_list x
                   t.model_fo_formula_list_field
                 && (x) < (fv1))
              && (x) < (fv1)
            } ;
          res
    end

  let nlsubst_symbol_in_fo_formula_list (t:nlimpl_fo_formula_list) (x:int)
    (u:nlimpl_symbol) : nlimpl_fo_formula_list
    requires { nlimpl_fo_formula_list_ok t } requires { nlimpl_symbol_ok u }
    ensures { nlimpl_fo_formula_list_ok result }
    ensures { result.model_fo_formula_list_field =
      subst_fo_formula_list t.model_fo_formula_list_field
        (update (subst_id_symbol: (int) -> (symbol (int))) x
           u.model_symbol_field)
        (subst_id_fo_term: (int) -> (fo_term (int) (int)))
      }
    =
    model_equal_fo_formula_list t.nlrepr_fo_formula_list_field
      (subst_compose_symbol subst_id_symbol
         ((update (subst_id_symbol: (int) -> (symbol (int))) x
             u.model_symbol_field)))
      ((update (subst_id_symbol: (int) -> (symbol (int))) x
          u.model_symbol_field))
      (subst_compose_symbol (const (Var_symbol (-1)))
         ((update (subst_id_symbol: (int) -> (symbol (int))) x
             u.model_symbol_field)))
      ((const (Var_symbol (-1))))
      (subst_compose_fo_term subst_id_fo_term
         ((update (subst_id_symbol: (int) -> (symbol (int))) x
             u.model_symbol_field))
         ((subst_id_fo_term: (int) -> (fo_term (int) (int)))))
      ((subst_id_fo_term: (int) -> (fo_term (int) (int))))
      (subst_compose_fo_term (const (Var_fo_term (-1)))
         ((update (subst_id_symbol: (int) -> (symbol (int))) x
             u.model_symbol_field))
         ((subst_id_fo_term: (int) -> (fo_term (int) (int)))))
      ((const (Var_fo_term (-1))));
    let res =
      {
        nlrepr_fo_formula_list_field =
          subst_base_symbol_in_fo_formula_list t.nlrepr_fo_formula_list_field
            x u.nlrepr_symbol_field (subst_id_symbol)
            ((const (Var_symbol (-1)))) (subst_id_fo_term)
            ((const (Var_fo_term (-1)))) ((const (Var_symbol (-1)))) ;
        nlfree_var_symbol_set_abstraction_fo_formula_list_field =
          (let aux (a:int) (b:int) : int
             ensures { result >= a /\ result >= b } = if a < b then b else a
             in
             aux (t.nlfree_var_symbol_set_abstraction_fo_formula_list_field)
               (u.nlfree_var_symbol_set_abstraction_symbol_field)) ;
        nlfree_var_fo_term_set_abstraction_fo_formula_list_field =
          t.nlfree_var_fo_term_set_abstraction_fo_formula_list_field ;
        model_fo_formula_list_field = ghost
          subst_fo_formula_list t.model_fo_formula_list_field
            (update (subst_id_symbol: (int) -> (symbol (int))) x
               u.model_symbol_field)
            (subst_id_fo_term: (int) -> (fo_term (int) (int))) ;
      }
    in
    assert {
      forall x2:int.
        is_symbol_free_var_in_fo_formula_list x2
          res.model_fo_formula_list_field
        ->
        (true /\
           (forall y:int.
              (is_symbol_free_var_in_fo_formula_list y
                 t.model_fo_formula_list_field /\
                 is_symbol_free_var_in_symbol x2
                   (eval
                      ((update (subst_id_symbol: (int) -> (symbol (int))) x
                          u.model_symbol_field))
                      y))
              ->
              ((x = y -> (x2) <
                  (res.nlfree_var_symbol_set_abstraction_fo_formula_list_field))
                 /\
                 (x <> y -> x2 = y && (x2) <
                    (res.nlfree_var_symbol_set_abstraction_fo_formula_list_field)))
                 && (x2) <
                 (res.nlfree_var_symbol_set_abstraction_fo_formula_list_field))
           /\
           (forall y:int.
              (is_fo_term_free_var_in_fo_formula_list y
                 t.model_fo_formula_list_field /\
                 is_symbol_free_var_in_fo_term x2
                   (eval ((subst_id_fo_term: (int) -> (fo_term (int) (int))))
                      y))
              -> false))
        && (x2) <
        (res.nlfree_var_symbol_set_abstraction_fo_formula_list_field)
      } ;
    assert {
      forall x2:int.
        is_fo_term_free_var_in_fo_formula_list x2
          res.model_fo_formula_list_field
        ->
        (true /\
           (forall y:int.
              (is_fo_term_free_var_in_fo_formula_list y
                 t.model_fo_formula_list_field /\
                 is_fo_term_free_var_in_fo_term x2
                   (eval ((subst_id_fo_term: (int) -> (fo_term (int) (int))))
                      y))
              -> x2 = y && (x2) <
              (res.nlfree_var_fo_term_set_abstraction_fo_formula_list_field)))
        && (x2) <
        (res.nlfree_var_fo_term_set_abstraction_fo_formula_list_field)
      } ;
    res

  let nlsubst_fo_term_in_fo_formula_list (t:nlimpl_fo_formula_list) (x:int)
    (u:nlimpl_fo_term) : nlimpl_fo_formula_list
    requires { nlimpl_fo_formula_list_ok t } requires { nlimpl_fo_term_ok u }
    ensures { nlimpl_fo_formula_list_ok result }
    ensures { result.model_fo_formula_list_field =
      subst_fo_formula_list t.model_fo_formula_list_field
        (subst_id_symbol: (int) -> (symbol (int)))
        (update (subst_id_fo_term: (int) -> (fo_term (int) (int))) x
           u.model_fo_term_field)
      }
    =
    model_equal_fo_formula_list t.nlrepr_fo_formula_list_field
      (subst_compose_symbol subst_id_symbol
         ((subst_id_symbol: (int) -> (symbol (int)))))
      ((subst_id_symbol: (int) -> (symbol (int))))
      (subst_compose_symbol (const (Var_symbol (-1)))
         ((subst_id_symbol: (int) -> (symbol (int)))))
      ((const (Var_symbol (-1))))
      (subst_compose_fo_term subst_id_fo_term
         ((subst_id_symbol: (int) -> (symbol (int))))
         ((update (subst_id_fo_term: (int) -> (fo_term (int) (int))) x
             u.model_fo_term_field)))
      ((update (subst_id_fo_term: (int) -> (fo_term (int) (int))) x
          u.model_fo_term_field))
      (subst_compose_fo_term (const (Var_fo_term (-1)))
         ((subst_id_symbol: (int) -> (symbol (int))))
         ((update (subst_id_fo_term: (int) -> (fo_term (int) (int))) x
             u.model_fo_term_field)))
      ((const (Var_fo_term (-1))));
    let res =
      {
        nlrepr_fo_formula_list_field =
          subst_base_fo_term_in_fo_formula_list
            t.nlrepr_fo_formula_list_field x u.nlrepr_fo_term_field
            (subst_id_symbol) ((const (Var_symbol (-1)))) (subst_id_fo_term)
            ((const (Var_fo_term (-1)))) ((const (Var_symbol (-1))))
            ((const (Var_fo_term (-1)))) ;
        nlfree_var_symbol_set_abstraction_fo_formula_list_field =
          (let aux (a:int) (b:int) : int
             ensures { result >= a /\ result >= b } = if a < b then b else a
             in
             aux (t.nlfree_var_symbol_set_abstraction_fo_formula_list_field)
               (u.nlfree_var_symbol_set_abstraction_fo_term_field)) ;
        nlfree_var_fo_term_set_abstraction_fo_formula_list_field =
          (let aux (a:int) (b:int) : int
             ensures { result >= a /\ result >= b } = if a < b then b else a
             in
             aux (t.nlfree_var_fo_term_set_abstraction_fo_formula_list_field)
               (u.nlfree_var_fo_term_set_abstraction_fo_term_field)) ;
        model_fo_formula_list_field = ghost
          subst_fo_formula_list t.model_fo_formula_list_field
            (subst_id_symbol: (int) -> (symbol (int)))
            (update (subst_id_fo_term: (int) -> (fo_term (int) (int))) x
               u.model_fo_term_field) ;
      }
    in
    assert {
      forall x2:int.
        is_symbol_free_var_in_fo_formula_list x2
          res.model_fo_formula_list_field
        ->
        (true /\
           (forall y:int.
              (is_symbol_free_var_in_fo_formula_list y
                 t.model_fo_formula_list_field /\
                 is_symbol_free_var_in_symbol x2
                   (eval ((subst_id_symbol: (int) -> (symbol (int)))) y))
              -> x2 = y && (x2) <
              (res.nlfree_var_symbol_set_abstraction_fo_formula_list_field))
           /\
           (forall y:int.
              (is_fo_term_free_var_in_fo_formula_list y
                 t.model_fo_formula_list_field /\
                 is_symbol_free_var_in_fo_term x2
                   (eval
                      ((update
                          (subst_id_fo_term: (int) -> (fo_term (int) (int)))
                          x u.model_fo_term_field))
                      y))
              ->
              ((x = y -> (x2) <
                  (res.nlfree_var_symbol_set_abstraction_fo_formula_list_field))
                 /\ (x <> y -> false)) && (x2) <
                 (res.nlfree_var_symbol_set_abstraction_fo_formula_list_field)))
        && (x2) <
        (res.nlfree_var_symbol_set_abstraction_fo_formula_list_field)
      } ;
    assert {
      forall x2:int.
        is_fo_term_free_var_in_fo_formula_list x2
          res.model_fo_formula_list_field
        ->
        (true /\
           (forall y:int.
              (is_fo_term_free_var_in_fo_formula_list y
                 t.model_fo_formula_list_field /\
                 is_fo_term_free_var_in_fo_term x2
                   (eval
                      ((update
                          (subst_id_fo_term: (int) -> (fo_term (int) (int)))
                          x u.model_fo_term_field))
                      y))
              ->
              ((x = y -> (x2) <
                  (res.nlfree_var_fo_term_set_abstraction_fo_formula_list_field))
                 /\
                 (x <> y -> x2 = y && (x2) <
                    (res.nlfree_var_fo_term_set_abstraction_fo_formula_list_field)))
                 && (x2) <
                 (res.nlfree_var_fo_term_set_abstraction_fo_formula_list_field)))
        && (x2) <
        (res.nlfree_var_fo_term_set_abstraction_fo_formula_list_field)
      } ;
    res


end
why3-1.6.0/examples/prover/Firstorder_formula_list_impl/000077500000000000000000000000001440160026300234635ustar00rootroot00000000000000why3-1.6.0/examples/prover/Firstorder_formula_list_impl/why3session.xml000066400000000000000000001416121440160026300265100ustar00rootroot00000000000000










 
 
 
 
 
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
 
 
 
 
 
 
 
 
 
 
 
 
 
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
 
 


 
 
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
 
 
 
 
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
 
 
 
 
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
 
 
 
 
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
 
 
 
 
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
 
 
 
 
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
 
 
 
 
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
 
 
 
 
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
 
 
 
 
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
  
  
  
  
   
   
   
   
   
   
   
   
   
  
  
  
  
   
   
   
  
  
  
  
  
 
 
 
 
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
   
   
   
   
   
   
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
  
  
  
  
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
  
  
  
  
   
   
   
  
  
  
  
  
 
 



why3-1.6.0/examples/prover/Firstorder_formula_list_impl/why3shapes.gz000066400000000000000000000374371440160026300261410ustar00rootroot00000000000000[8Smwx,ƃ)4
3/jPcPʬHJdD2??_܇_//n?~kϻ/w﷟q/_KZ\
Z\-}˷uff9<_>3K>>zC_?}3-;ݥ׫1yjʟoG~ÿo*}i/w=y6ks
߾7n+Zd8	ok)~V{??[D2z.cv˘2f)FJ҇ؔǥ1rk+a![?wER^􁔱ij?V_g^$f7XpDڌ4SҺJb1NhEp~o۵>@#HG6Rtn#aGLbVu f *Mug%}GN?۟,j028i#K7`g?#=mk`Z2-ρv!h뒫}Y:늵tF_Z#w.^Dwfv5x9Qఉ7e;?[?
x/WG|sF젏wQ?泞i4Yb{am} À5GFof$0܇Ef$`#Fs([hlHcy @׃V)3T(l$
4+N⢁x2Oq]D kľbѧg-1Rzw4i.nad|ɡPQ96Txs,۶Ɵm˲e="d
ɶeۗCdXoXY/V'nXX._FuGq"^k;"J{BiGDiO((
	{+vTlҌ͠P
BiF5dX(E@2AP8%JKy[xˬpcX+XdXfEѬ}qڨ'c*0
K {*(,*!*
TP5a<0
<ğ1ndNqøa,ƍq3Bq.^0!NOf3r\):ATB%dHAx)cW)_tb`
 kjW샵l0
7e$@DH+k|'"[Y_߉@#%%lmDȰ0NW;'?go_89Yڞ^_wO_V
=`&^6u^^rcnβ>>SO-h,ݣRpRpiǢxc{Ŵatp=#hzt9{eplr$LG
daeAN^GQ;[0ŗ{0S߮UܪZ^C՟Tk53T>6>EWH6ѺHaɚx%Ӓ|C'}M˕'?'TrFY"cY\K/pSuY.vlZ0V'݇reL-+:;y&8BiQ_@8( Vr9JLP.gHnoZɴ!ivN},Ly_f+Ae,
"Gi#K96:g⎭˫Nf3qfX-%rf#2`0|OGa%Q]pha0Z-eݰ{/=`s(g1^zg%mh۝qzA@47ǹnDO/عWi3\F0ٌ˩+bux#\#t;XZXy;`hs>vpXX28^jx,iKvJC{^@yz%K,	<Ȳ팆w':]
]
cBQ!fkPtM2C^zTGvm2j*Re5juj)鳎`YUZ5o=fξ6g'3S)qɔ}@}-fڑgb01gIO2!L ċM247	g"a$+@
)})>Ʋk-**Q`9(@赲]
t~^٢]b
xJ`a64tfIC`6+tfiia6tfz2.yd}%vaẀP=g!4KOxػ4Fnpv8jC8I!X23[3Dcq&&=t~;Ѳf2-Ɉv*>2t:s΋PbYsQbaA|eJ0%s+m]q(}oe6`ǣq\qLfp'<CI kL}2}-~\rLme9cDJ_(cXǡTmw(9\O&;c97P˂yC3y$ӍSwKHԫ噍KԅJe듓b"}otޣwGMEs)r\\4"OΥ]nZ1c;3@`s,Ỏw1
,Ỏɔ=a|	;#P'UW).u{$侵~CY0"f3EY*,FVw-*
%ʂrCʂ2wyq&:c3FF墄jF%'WgYK=ZL-+ +#-LTrQZe<{ð4!{IPG˱E[,L&ydiL=IäaҼ6i{sOE@(`0e2o2/Be[DE[BS)p)w
<;
wx?+q}Da.8tUmMSJr_n4SlM/1	υAu/Ag0ssϣs:
fHs3sfyq.F廖r#^$͓'o3
̆KgÓͨ`T0*/{6Qx[LoG;hD>Ӈu>Gk0IiGzrþ^ttvmʝcQ>l#Ǭk'	A'
9a09L njA?eZΞ$[@?*A	畛-5]B[XGRÀXbcMCp$UDz3CLnx5L#QB% xTg̯,wiQ1,L&["˲4_G4(,s9ÜyeL%PYSK~1v;˱``״1fbXpkʉZ⪽I_6|ncHtG?~׽ԢKo4yzj
.5K:8rB.Қ'NDKۯ<@(0aJ|q^AGi*z(d{1%O_<,<ٝ}Օ|i6>ϒ7L&&Miuw*_I$x$7lۛ?
Ca1EŢӮ#\v];MnQNvߠ-5UU\1$fꊑ7vwǂշe]ZoP'tb&\mF` .Iw2'}ٵP}֚={9/McZ
Pw+p		]. nN]ǧ??VӻfZkx
"3nj۽*$7̌Kvf{dx&~ZNX*fz-7)XL,&ST4qqAcϸ`\l{+f9Mh4k`K0 jJ3Co79nfd?Ϣhp#{Xڽzx[ZBbG4]jpz̶}CVh.;"S&lF
mRIr^{26=ܜ̣M=I9LAof3b@dEÈ?wφcژ6E1L˽@)ο_|[`@a0P(ЉQ(x(8}IaT0* >>gV[ܠdĮy`vK}.K/'y4:Pr:sT;+R
Ή>;}"/0%z!iܖDN1ۘmyӯVokeg<ǘMr w}>:ިͻ~c,({;IwgI{:ʾ7=Q㗚nȥ#b
q#TfΣiGVd6Յc]8P|J.خfh`m\x<tv5ƀ'kF&Gqbv`GUac)Oͱ^|?D<YN
+++3+۩
}"7wOn6INKN_?]ۢMH~i:SТ)4K3"SkK)QQv;7	x8m=d`eF;v_ߣ8)1AD՜6*rs.?$CBaD0"
4<oPc<09LK mv
GrlI_WZ[
6]Nlc
Ԧ0VRcJ,QKg2^}Cؖӝ~ܨ7Oy=Q\?gy1(4F#!``0	;\RW}>zګno:{rHwI|Mԡo7Q}uQwL:&9n+x8f`B_8USѣ2M=-Dvnj7Xc6p3۟zSpS
7tpS[,XsX`,0vz[(Ŏa0`<V`0+Ʒ+c_Q+܀b;i7	
9gj͜-(ڝݙs=~pUkWhcYiTH'TfrrgXUkr O9zl:ONY\6/6koXxYxOxEfN}Wfou!K!YX^ʢnX)X)X)ff-	xYqXqXq&Rkʿ[.-ٍu1Out*y@pt;S雨&Օ7>L:zVUVUV׳]z֮|StT_׶hFһfekuB1ߍ{~?1
̆GYΕ8|cy}Km6^j]4]mrEIG"6=pub
Vz1`L<?u|x|غ)TZ0:8ru$>!y&O̧^_L&%#f|I2i(TLǜÜ=7xt=\G{lҌ75g0{I$x$ء@W+0ɇ!\	B,`?1`3=I\
|ٜ++^kɫހBlvtmr@zi1Gx`0fxc@.1z=Gas{4\1
/
UU)ַ!4Z%զXUVRZ%ᤲYz~4ʦZ5U61ڻZEm߳>OL0>VW٤Zֶ	bBcuUB6hg	UoP̡XlrMx.SL^9db9!YLmu?z6nguC(+b2kڤ@9m¸ƩF&icEI;j(0g%覒Nev-S(Wkdur“T.Teod#a9V\VvcZU67Mp#Rd$okB*=sV2qLv#5+t6B0n1u@o7uUn&[]Aݠ#	B!6!c0E"@\5ʴY
#mчBhhXll*>Y@dݴ c4R%4@$<:UZ[ւ1aN!AJ Pը]"ɆcJA	Rke !ˬRS+dloWC[)jz0

XJ:X]#	&A0>V(4窆GdJH0rB+ǁ|)*fŪ1|G&V-b,J੠>
XX+JB99X)+@Yd"V0	b+[)lmT$KB+JhtT|ԡ+	h+h;l&*Q
Hm)V0lxrS6YRˠ}óyɛ獂UκrP+t-
+malU\$	Cݠ%UdhXj[oHSZP)jڼպ(OlA!$hz_P'hK	WRzdn^T>`*dh{y	Okæ9RhS*HthJJZ(;Ӄ8Hu,PrW6@*omщxTJZe頴XYE-R,S¨$lye_uCc*P5E+8}F/
Ah:B h.6\1s7ѥF*QÏR9nS+C‚tpq8BGaEJ5L^8X$+dP
1 wӒfPƃcx@;
ml=%GpAyWWaε-K$x0P< WْAbGeָ&)rժ,4h5b3!p4Ad>7/Ȯa!Y־0(x|=
=csyvE_IUsck҄VZ\o5nkS%J1&m6&
E8ԢadQABhDh(SAfJ¡!@~~ArkK(V8DpkaEņ#j<&blFm?%M]QϪ нd0+Iw<pVbc%bfLC
>r00oj]1
Рht7*+66DFt$5=Tp@>)6PAU-x!K+9ZWA=3n.Zdkjl	; i4
;BD)&WpP^`aA""v	p'59PcHh/B|@`(
q-z%mmrR@(4'Gu@[[ rdd	xpV1ꦩhD
ELBúrR
T,:Y"yY\X	sUY`A~[B3Ov񚌭9hs"OA,ʔrR`2RBq1uU'UP̮\
MNR5p+<ԩp)j5t[ w0h@h26I51^G'+p8㡜6 ,l!]9dA7"
QV]9CJ0Ёk0ԅF2*d8
8&>œ\CF@(ZxQ5jE4Hh/[++ğ=+L)|`"4hX庮j^Kt=Vw0:w@I0Ǿ5BEFp, h	M̡L@\/HBmXVHɈpf`5\0$#vMoiR"V({F5kKR#[0I܀@jGhRs	YOu"Ȋ8PqgK3>;u(SЅ4MYqN>&hSrSwR[HgCP8+])#:Oc0 A @')@x
ACJM«Ul̀Q]cUGC.spCHվ\\e@J2g cMIem[-
*⦎#	dC
B,H8x8TTB"@c`ȡ}@#Ɇ#K!@m\hJokl7+Ī6S[}nb`C\aa'A
sFBj2cp"(	m)[=#1B
;Gj)]]=[.wS CE82!- ; ZF.@[B:T Eh.;)%D/GqEHHsM	E
.[CBZ<4Hny
ס1-|r8IPnG@\Ĵu2pGY	p`R̭2z\CMU(KHRt$9Q7#>\YMoUh6U
7]
1	b)m4a5$AZ>FX%8	B&{)XEqW^Z!P5`D!z-L{,N]AL@O	c8FV5i,Tau#$k_n^f)BʶU[A}p`SPWKkJ1% ¥א0ͤ*!V=**G	;rcFn)&W	1
=|R^%@5j-RSvQXA7ђ:JéE&7-`ֽCZ
J"1XK>+gm^Y]ȜATdV9DC7`g"KxXXyB. &e2b[
Y/b4 F"D^UBl(AuMX&B(cŢ#j(9&Ǯ<}WCr"3
E2ʕN@<I#ʷPp0f6~BL
.&Z)pkE{C
-k@kq2Q-+UՍl[{W$Wz
Z_A}H[N
z["B!<}kqpAjz=͠fp);9ԘfdF,Yx\!`8SptO)peÑ^f6op|i8xp@PZVqDu]2`ϓ"d4
!e UK..'(ESЙk'`
){&I>5?Ļ[tBE@ƔE'
Ap лyZHpU劗ulmJu_W`@.hr3K2úgyV#nt0ܥ`,|s?+x1U|@
5
/Y!Κ@z5&bjh&\+0ZdU0TcPR̬ZHt"f!I0ow^k-W;zPbrP;
@K~1pO@>9b+Eoe3ƛW>?ܖꐌ11 
QӜnJPuڈ,!-B`ȕbprjtI\Sܕ+
!&oiA	W74*0}UT5EZ
1B8QڂbK3f +F©c*G6ln
ߎ 
݅QJ)"GoZW
F" mw9o=xg9
-NP-\*	ˁ?hE4:9j$|]hI3[@`']*H_Е+Y21`xvB@H!CXHcP?ZW=m& `
^DYf(%aZ@GWp9;YUp5I%FyW)WÁp"D5AuPˆhBRA2;yҢT@&p/]DtFqc˳κea}0WmEWLY}F8]ʄ8S)-bj%$b
),)K$\ X
hT-*@DTu4*EpC+6J-9̴QQ[DrDp"\\tPȮ\Xwhy3-1.6.0/examples/prover/Firstorder_formula_list_spec.mlw000066400000000000000000000706741440160026300242130ustar00rootroot00000000000000module Spec
  use option.Option
  use int.Int
  use Nat.Nat
  use Functions.Func
  use OptionFuncs.Funcs
  use Sum.Sum
  use Firstorder_symbol_spec.Spec
  use Firstorder_term_spec.Spec
  use Firstorder_formula_spec.Spec
  type fo_formula_list 'b0 'b1 =
    | FOFNil
    | FOFCons (fo_formula 'b0 'b1) (fo_formula_list 'b0 'b1)
    
  
  function nat_size_fo_formula_list (t:fo_formula_list 'b0 'b1) : nat =
    match t with | FOFNil -> let s = one_nat in s
      | FOFCons v0 v1 ->
        let s = one_nat in let s = add_nat (nat_size_fo_formula_list v1) s in
          let s = add_nat (nat_size_fo_formula v0) s in s
    end
  
  with size_fo_formula_list (t:fo_formula_list 'b0 'b1) : int =
    match t with | FOFNil -> let s = 1 in s
      | FOFCons v0 v1 ->
        let s = 1 in let s = size_fo_formula_list v1 + s in
          let s = size_fo_formula v0 + s in s
    end
  
  let rec lemma size_positive_lemma_fo_formula_list
    (t:fo_formula_list 'b0 'b1) : unit ensures { size_fo_formula_list t > 0 }
    variant { nat_to_int (nat_size_fo_formula_list t) } =
    match t with | FOFNil -> ()
      | FOFCons v0 v1 ->
        size_positive_lemma_fo_formula v0 ;
          size_positive_lemma_fo_formula_list v1 ; ()
    end
  
  function rename_fo_formula_list (t:fo_formula_list 'b0 'b1) (s0:'b0 -> 'c0)
    (s1:'b1 -> 'c1) : fo_formula_list 'c0 'c1 =
    match t with | FOFNil -> FOFNil
      | FOFCons v0 v1 ->
        FOFCons (rename_fo_formula v0 s0 s1)
          (rename_fo_formula_list v1 s0 s1)
    end
  
  let rec lemma renaming_composition_lemma_fo_formula_list
    (t:fo_formula_list 'b0 'b1) (s10:'b0 -> 'c0) (s11:'b1 -> 'c1)
    (s20:'c0 -> 'd0) (s21:'c1 -> 'd1) : unit
    ensures {
      rename_fo_formula_list (rename_fo_formula_list t s10 s11) s20 s21 =
      rename_fo_formula_list t (rcompose s10 s20) (rcompose s11 s21) }
    variant { size_fo_formula_list t } =
    match t with | FOFNil -> ()
      | FOFCons v0 v1 ->
        renaming_composition_lemma_fo_formula v0 s10 s11 s20 s21 ;
          renaming_composition_lemma_fo_formula_list v1 s10 s11 s20 s21 ; ()
    end
  
  let rec lemma renaming_identity_lemma_fo_formula_list
    (t:fo_formula_list 'b0 'b1) : unit
    ensures { rename_fo_formula_list t identity identity = t }
    variant { size_fo_formula_list t } =
    match t with | FOFNil -> ()
      | FOFCons v0 v1 ->
        renaming_identity_lemma_fo_formula v0 ;
          renaming_identity_lemma_fo_formula_list v1 ; ()
    end
  
  function subst_fo_formula_list (t:fo_formula_list 'b0 'b1)
    (s0:'b0 -> (symbol 'c0)) (s1:'b1 -> (fo_term 'c0 'c1)) :
    fo_formula_list 'c0 'c1 =
    match t with | FOFNil -> FOFNil
      | FOFCons v0 v1 ->
        FOFCons
          (subst_fo_formula v0 (rename_subst_symbol s0 identity)
            (rename_subst_fo_term s1 identity identity))
          (subst_fo_formula_list v1 (rename_subst_symbol s0 identity)
            (rename_subst_fo_term s1 identity identity))
    end
  
  let rec lemma rename_then_subst_composition_lemma_fo_formula_list
    (t:fo_formula_list 'b0 'b1) (s10:'b0 -> 'c0) (s11:'b1 -> 'c1)
    (s20:'c0 -> (symbol 'd0)) (s21:'c1 -> (fo_term 'd0 'd1)) : unit
    ensures {
      subst_fo_formula_list (rename_fo_formula_list t s10 s11) s20 s21 =
      subst_fo_formula_list t (rcompose s10 s20) (rcompose s11 s21) }
    variant { size_fo_formula_list t } =
    match t with | FOFNil -> ()
      | FOFCons v0 v1 ->
        rename_then_subst_composition_lemma_fo_formula v0 s10 s11
          (rename_subst_symbol s20 identity)
          (rename_subst_fo_term s21 identity identity) ;
          rename_then_subst_composition_lemma_fo_formula_list v1 s10 s11
          (rename_subst_symbol s20 identity)
          (rename_subst_fo_term s21 identity identity) ; ()
    end
  
  let rec lemma subst_then_rename_composition_lemma_fo_formula_list
    (t:fo_formula_list 'b0 'b1) (s10:'b0 -> (symbol 'c0))
    (s11:'b1 -> (fo_term 'c0 'c1)) (s20:'c0 -> 'd0) (s21:'c1 -> 'd1) : unit
    ensures {
      rename_fo_formula_list (subst_fo_formula_list t s10 s11) s20 s21 =
      subst_fo_formula_list t (rename_subst_symbol s10 s20)
        (rename_subst_fo_term s11 s20 s21)
      }
    variant { size_fo_formula_list t } =
    match t with | FOFNil -> ()
      | FOFCons v0 v1 ->
        subst_then_rename_composition_lemma_fo_formula v0
          (rename_subst_symbol s10 identity)
          (rename_subst_fo_term s11 identity identity) s20 s21 ;
          subst_then_rename_composition_lemma_fo_formula_list v1
          (rename_subst_symbol s10 identity)
          (rename_subst_fo_term s11 identity identity) s20 s21 ; ()
    end
  
  let rec lemma subst_composition_lemma_fo_formula_list
    (t:fo_formula_list 'b0 'b1) (s10:'b0 -> (symbol 'c0))
    (s11:'b1 -> (fo_term 'c0 'c1)) (s20:'c0 -> (symbol 'd0))
    (s21:'c1 -> (fo_term 'd0 'd1)) : unit
    ensures { subst_fo_formula_list (subst_fo_formula_list t s10 s11) s20 s21
      =
      subst_fo_formula_list t (subst_compose_symbol s10 s20)
        (subst_compose_fo_term s11 s20 s21)
      }
    variant { size_fo_formula_list t } =
    match t with | FOFNil -> ()
      | FOFCons v0 v1 ->
        subst_composition_lemma_fo_formula v0
          (rename_subst_symbol s10 identity)
          (rename_subst_fo_term s11 identity identity)
          (rename_subst_symbol s20 identity)
          (rename_subst_fo_term s21 identity identity) ;
          subst_composition_lemma_fo_formula_list v1
          (rename_subst_symbol s10 identity)
          (rename_subst_fo_term s11 identity identity)
          (rename_subst_symbol s20 identity)
          (rename_subst_fo_term s21 identity identity) ; ()
    end
  
  let rec lemma subst_identity_lemma_fo_formula_list
    (t:fo_formula_list 'b0 'b1) : unit
    ensures { subst_fo_formula_list t subst_id_symbol subst_id_fo_term = t }
    variant { size_fo_formula_list t } =
    match t with | FOFNil -> ()
      | FOFCons v0 v1 ->
        subst_identity_lemma_fo_formula v0 ;
          subst_identity_lemma_fo_formula_list v1 ; ()
    end
  
  let rec lemma renaming_preserve_size_fo_formula_list
    (t:fo_formula_list 'b0 'b1) (s0:'b0 -> 'c0) (s1:'b1 -> 'c1) : unit
    ensures { size_fo_formula_list (rename_fo_formula_list t s0 s1) =
      size_fo_formula_list t }
    variant { size_fo_formula_list t } =
    match t with | FOFNil -> ()
      | FOFCons v0 v1 ->
        renaming_preserve_size_fo_formula v0 (s0) (s1) ;
          renaming_preserve_size_fo_formula_list v1 (s0) (s1) ; ()
    end
  
  predicate is_symbol_free_var_in_fo_formula_list (x:'b0)
    (t:fo_formula_list 'b0 'b1) =
    match t with | FOFNil -> false
      | FOFCons v0 v1 ->
        is_symbol_free_var_in_fo_formula x v0 \/
          is_symbol_free_var_in_fo_formula_list x v1
    end
  
  with is_fo_term_free_var_in_fo_formula_list (x:'b1)
    (t:fo_formula_list 'b0 'b1) =
    match t with | FOFNil -> false
      | FOFCons v0 v1 ->
        is_fo_term_free_var_in_fo_formula x v0 \/
          is_fo_term_free_var_in_fo_formula_list x v1
    end
  
  let rec ghost rename_free_var_constructive_inversion_symbol_fo_formula_list
    (x:'c0) (t:fo_formula_list 'b0 'b1) (s0:'b0 -> 'c0) (s1:'b1 -> 'c1) : 'b0
    requires {
      is_symbol_free_var_in_fo_formula_list x
        (rename_fo_formula_list t s0 s1)
      }
    ensures { is_symbol_free_var_in_fo_formula_list result t /\ s0 result = x
      }
    variant { size_fo_formula_list t } =
    match t with | FOFNil -> absurd
      | FOFCons v0 v1 ->
        if is_symbol_free_var_in_fo_formula x (rename_fo_formula v0 s0 s1)
          then
            let sumx =
              rename_free_var_constructive_inversion_symbol_fo_formula x v0
                s0 s1
            in sumx 
          else
            if is_symbol_free_var_in_fo_formula_list x
                 (rename_fo_formula_list v1 s0 s1)
              then
                let sumx =
                  rename_free_var_constructive_inversion_symbol_fo_formula_list
                    x v1 s0 s1
                in sumx 
              else absurd
    end
  
  with lemma rename_free_var_inversion_symbol_fo_formula_list (x:'c0)
    (t:fo_formula_list 'b0 'b1) (s0:'b0 -> 'c0) (s1:'b1 -> 'c1) : unit
    requires {
      is_symbol_free_var_in_fo_formula_list x
        (rename_fo_formula_list t s0 s1)
      }
    ensures {
      exists y:'b0. is_symbol_free_var_in_fo_formula_list y t /\ s0 y = x }
    variant { 1 + size_fo_formula_list t } =
    let sumx =
      rename_free_var_constructive_inversion_symbol_fo_formula_list x t s0 s1
    in ()
  
  with ghost rename_free_var_constructive_inversion_fo_term_fo_formula_list
    (x:'c1) (t:fo_formula_list 'b0 'b1) (s0:'b0 -> 'c0) (s1:'b1 -> 'c1) : 'b1
    requires {
      is_fo_term_free_var_in_fo_formula_list x
        (rename_fo_formula_list t s0 s1)
      }
    ensures { is_fo_term_free_var_in_fo_formula_list result t /\ s1 result =
      x }
    variant { size_fo_formula_list t } =
    match t with | FOFNil -> absurd
      | FOFCons v0 v1 ->
        if is_fo_term_free_var_in_fo_formula x (rename_fo_formula v0 s0 s1)
          then
            let sumx =
              rename_free_var_constructive_inversion_fo_term_fo_formula x v0
                s0 s1
            in sumx 
          else
            if is_fo_term_free_var_in_fo_formula_list x
                 (rename_fo_formula_list v1 s0 s1)
              then
                let sumx =
                  rename_free_var_constructive_inversion_fo_term_fo_formula_list
                    x v1 s0 s1
                in sumx 
              else absurd
    end
  
  with lemma rename_free_var_inversion_fo_term_fo_formula_list (x:'c1)
    (t:fo_formula_list 'b0 'b1) (s0:'b0 -> 'c0) (s1:'b1 -> 'c1) : unit
    requires {
      is_fo_term_free_var_in_fo_formula_list x
        (rename_fo_formula_list t s0 s1)
      }
    ensures {
      exists y:'b1. is_fo_term_free_var_in_fo_formula_list y t /\ s1 y = x }
    variant { 1 + size_fo_formula_list t } =
    let sumx =
      rename_free_var_constructive_inversion_fo_term_fo_formula_list x t s0
        s1
    in ()
  
  let rec lemma rename_free_var_propagation_symbol_fo_formula_list (x:'b0)
    (t:fo_formula_list 'b0 'b1) (s0:'b0 -> 'c0) (s1:'b1 -> 'c1) : unit
    ensures { is_symbol_free_var_in_fo_formula_list x t ->
      is_symbol_free_var_in_fo_formula_list (s0 x)
        (rename_fo_formula_list t s0 s1)
      }
    variant { size_fo_formula_list t } =
    match t with | FOFNil -> ()
      | FOFCons v0 v1 ->
        rename_free_var_propagation_symbol_fo_formula x v0 (s0) (s1) ;
          rename_free_var_propagation_symbol_fo_formula_list x v1 (s0) (s1) ;
          ()
    end
  
  with lemma rename_free_var_propagation_fo_term_fo_formula_list (x:'b1)
    (t:fo_formula_list 'b0 'b1) (s0:'b0 -> 'c0) (s1:'b1 -> 'c1) : unit
    ensures { is_fo_term_free_var_in_fo_formula_list x t ->
      is_fo_term_free_var_in_fo_formula_list (s1 x)
        (rename_fo_formula_list t s0 s1)
      }
    variant { size_fo_formula_list t } =
    match t with | FOFNil -> ()
      | FOFCons v0 v1 ->
        rename_free_var_propagation_fo_term_fo_formula x v0 (s0) (s1) ;
          rename_free_var_propagation_fo_term_fo_formula_list x v1 (s0)
          (s1) ; ()
    end
  
  let rec ghost subst_free_var_constructive_inversion_symbol_fo_formula_list
    (x:'c0) (t:fo_formula_list 'b0 'b1) (s0:'b0 -> (symbol 'c0))
    (s1:'b1 -> (fo_term 'c0 'c1)) : sum ('b0) ('b1)
    requires {
      is_symbol_free_var_in_fo_formula_list x (subst_fo_formula_list t s0 s1)
      }
    ensures { let sumx = result in
      match sumx with | Left sumx ->
        is_symbol_free_var_in_fo_formula_list sumx t /\
          is_symbol_free_var_in_symbol x (s0 sumx)
        | Right sumx ->
        is_fo_term_free_var_in_fo_formula_list sumx t /\
          is_symbol_free_var_in_fo_term x (s1 sumx)
      end }
    variant { size_fo_formula_list t } =
    match t with | FOFNil -> absurd
      | FOFCons v0 v1 ->
        if is_symbol_free_var_in_fo_formula x
             (subst_fo_formula v0 (rename_subst_symbol s0 identity)
                (rename_subst_fo_term s1 identity identity))
          then
            let sumx =
              subst_free_var_constructive_inversion_symbol_fo_formula x v0
                (rename_subst_symbol s0 identity)
                (rename_subst_fo_term s1 identity identity)
            in
            match sumx with | Left sumx ->
              let y =
                rename_free_var_constructive_inversion_symbol_symbol x
                  (eval s0 sumx) identity 
                in assert { y = x } ; Left sumx
              | Right sumx ->
              Right
                (let y =
                   rename_free_var_constructive_inversion_symbol_fo_term x
                     (eval s1 sumx) identity identity 
                in assert { y = x } ; sumx)
            end 
          else
            if is_symbol_free_var_in_fo_formula_list x
                 (subst_fo_formula_list v1 (rename_subst_symbol s0 identity)
                    (rename_subst_fo_term s1 identity identity))
              then
                let sumx =
                  subst_free_var_constructive_inversion_symbol_fo_formula_list
                    x v1 (rename_subst_symbol s0 identity)
                    (rename_subst_fo_term s1 identity identity)
                in
                match sumx with | Left sumx ->
                  let y =
                    rename_free_var_constructive_inversion_symbol_symbol x
                      (eval s0 sumx) identity 
                    in assert { y = x } ; Left sumx
                  | Right sumx ->
                  Right
                    (let y =
                       rename_free_var_constructive_inversion_symbol_fo_term
                         x (eval s1 sumx) identity identity 
                    in assert { y = x } ; sumx)
                end 
              else absurd
    end
  
  with lemma subst_free_var_inversion_symbol_fo_formula_list (x:'c0)
    (t:fo_formula_list 'b0 'b1) (s0:'b0 -> (symbol 'c0))
    (s1:'b1 -> (fo_term 'c0 'c1)) : unit
    requires {
      is_symbol_free_var_in_fo_formula_list x (subst_fo_formula_list t s0 s1)
      }
    ensures {
      (exists y:'b0. is_symbol_free_var_in_fo_formula_list y t /\
         is_symbol_free_var_in_symbol x (s0 y))
      \/
      (exists y:'b1. is_fo_term_free_var_in_fo_formula_list y t /\
         is_symbol_free_var_in_fo_term x (s1 y))
      }
    variant { 1 + size_fo_formula_list t } =
    let sumx =
      subst_free_var_constructive_inversion_symbol_fo_formula_list x t s0 s1
    in match sumx with | Left sumx -> () | Right sumx -> () end
  
  with ghost subst_free_var_constructive_inversion_fo_term_fo_formula_list
    (x:'c1) (t:fo_formula_list 'b0 'b1) (s0:'b0 -> (symbol 'c0))
    (s1:'b1 -> (fo_term 'c0 'c1)) : 'b1
    requires {
      is_fo_term_free_var_in_fo_formula_list x
        (subst_fo_formula_list t s0 s1)
      }
    ensures { let sumx = result in
      is_fo_term_free_var_in_fo_formula_list sumx t /\
      is_fo_term_free_var_in_fo_term x (s1 sumx) }
    variant { size_fo_formula_list t } =
    match t with | FOFNil -> absurd
      | FOFCons v0 v1 ->
        if is_fo_term_free_var_in_fo_formula x
             (subst_fo_formula v0 (rename_subst_symbol s0 identity)
                (rename_subst_fo_term s1 identity identity))
          then
            let sumx =
              subst_free_var_constructive_inversion_fo_term_fo_formula x v0
                (rename_subst_symbol s0 identity)
                (rename_subst_fo_term s1 identity identity)
            in
            let y =
              rename_free_var_constructive_inversion_fo_term_fo_term x
                (eval s1 sumx) identity identity 
            in assert { y = x } ; sumx 
          else
            if is_fo_term_free_var_in_fo_formula_list x
                 (subst_fo_formula_list v1 (rename_subst_symbol s0 identity)
                    (rename_subst_fo_term s1 identity identity))
              then
                let sumx =
                  subst_free_var_constructive_inversion_fo_term_fo_formula_list
                    x v1 (rename_subst_symbol s0 identity)
                    (rename_subst_fo_term s1 identity identity)
                in
                let y =
                  rename_free_var_constructive_inversion_fo_term_fo_term x
                    (eval s1 sumx) identity identity 
                in assert { y = x } ; sumx 
              else absurd
    end
  
  with lemma subst_free_var_inversion_fo_term_fo_formula_list (x:'c1)
    (t:fo_formula_list 'b0 'b1) (s0:'b0 -> (symbol 'c0))
    (s1:'b1 -> (fo_term 'c0 'c1)) : unit
    requires {
      is_fo_term_free_var_in_fo_formula_list x
        (subst_fo_formula_list t s0 s1)
      }
    ensures {
      (exists y:'b1. is_fo_term_free_var_in_fo_formula_list y t /\
         is_fo_term_free_var_in_fo_term x (s1 y))
      }
    variant { 1 + size_fo_formula_list t } =
    let sumx =
      subst_free_var_constructive_inversion_fo_term_fo_formula_list x t s0 s1
    in ()
  
  let rec lemma subst_free_var_propagation_symbol_symbol_fo_formula_list
    (x:'b0) (y:'c0) (t:fo_formula_list 'b0 'b1) (s0:'b0 -> (symbol 'c0))
    (s1:'b1 -> (fo_term 'c0 'c1)):  unit
    ensures {
      is_symbol_free_var_in_fo_formula_list x t /\
        is_symbol_free_var_in_symbol y (s0 x) ->
      is_symbol_free_var_in_fo_formula_list y (subst_fo_formula_list t s0 s1)
      }
    variant { size_fo_formula_list t } =
    match t with | FOFNil -> ()
      | FOFCons v0 v1 ->
        subst_free_var_propagation_symbol_symbol_fo_formula x y v0
          ((rename_subst_symbol s0 identity))
          ((rename_subst_fo_term s1 identity identity)) ;
          rename_free_var_propagation_symbol_symbol y (eval s0 x) identity ;
          assert { is_symbol_free_var_in_symbol y (s0 x) ->
            is_symbol_free_var_in_symbol y
              (eval ((rename_subst_symbol s0 identity)) x)
            } ;
          subst_free_var_propagation_symbol_symbol_fo_formula_list x y v1
            ((rename_subst_symbol s0 identity))
            ((rename_subst_fo_term s1 identity identity)) ;
          rename_free_var_propagation_symbol_symbol y (eval s0 x) identity ;
          assert { is_symbol_free_var_in_symbol y (s0 x) ->
            is_symbol_free_var_in_symbol y
              (eval ((rename_subst_symbol s0 identity)) x)
            } ;
          ()
    end
  
  with lemma subst_free_var_propagation_fo_term_symbol_fo_formula_list
    (x:'b1) (y:'c0) (t:fo_formula_list 'b0 'b1) (s0:'b0 -> (symbol 'c0))
    (s1:'b1 -> (fo_term 'c0 'c1)):  unit
    ensures {
      is_fo_term_free_var_in_fo_formula_list x t /\
        is_symbol_free_var_in_fo_term y (s1 x) ->
      is_symbol_free_var_in_fo_formula_list y (subst_fo_formula_list t s0 s1)
      }
    variant { size_fo_formula_list t } =
    match t with | FOFNil -> ()
      | FOFCons v0 v1 ->
        subst_free_var_propagation_fo_term_symbol_fo_formula x y v0
          ((rename_subst_symbol s0 identity))
          ((rename_subst_fo_term s1 identity identity)) ;
          rename_free_var_propagation_symbol_fo_term y (eval s1 x) identity
            identity ;
          assert { is_symbol_free_var_in_fo_term y (s1 x) ->
            is_symbol_free_var_in_fo_term y
              (eval ((rename_subst_fo_term s1 identity identity)) x)
            } ;
          subst_free_var_propagation_fo_term_symbol_fo_formula_list x y v1
            ((rename_subst_symbol s0 identity))
            ((rename_subst_fo_term s1 identity identity)) ;
          rename_free_var_propagation_symbol_fo_term y (eval s1 x) identity
            identity ;
          assert { is_symbol_free_var_in_fo_term y (s1 x) ->
            is_symbol_free_var_in_fo_term y
              (eval ((rename_subst_fo_term s1 identity identity)) x)
            } ;
          ()
    end
  
  with lemma subst_free_var_propagation_fo_term_fo_term_fo_formula_list
    (x:'b1) (y:'c1) (t:fo_formula_list 'b0 'b1) (s0:'b0 -> (symbol 'c0))
    (s1:'b1 -> (fo_term 'c0 'c1)):  unit
    ensures {
      is_fo_term_free_var_in_fo_formula_list x t /\
        is_fo_term_free_var_in_fo_term y (s1 x) ->
      is_fo_term_free_var_in_fo_formula_list y
        (subst_fo_formula_list t s0 s1)
      }
    variant { size_fo_formula_list t } =
    match t with | FOFNil -> ()
      | FOFCons v0 v1 ->
        subst_free_var_propagation_fo_term_fo_term_fo_formula x y v0
          ((rename_subst_symbol s0 identity))
          ((rename_subst_fo_term s1 identity identity)) ;
          rename_free_var_propagation_fo_term_fo_term y (eval s1 x) identity
            identity ;
          assert { is_fo_term_free_var_in_fo_term y (s1 x) ->
            is_fo_term_free_var_in_fo_term y
              (eval ((rename_subst_fo_term s1 identity identity)) x)
            } ;
          subst_free_var_propagation_fo_term_fo_term_fo_formula_list x y v1
            ((rename_subst_symbol s0 identity))
            ((rename_subst_fo_term s1 identity identity)) ;
          rename_free_var_propagation_fo_term_fo_term y (eval s1 x) identity
            identity ;
          assert { is_fo_term_free_var_in_fo_term y (s1 x) ->
            is_fo_term_free_var_in_fo_term y
              (eval ((rename_subst_fo_term s1 identity identity)) x)
            } ;
          ()
    end
  
  let rec lemma free_var_equivalence_of_subst_fo_formula_list
    (t:fo_formula_list 'b0 'b1) (s10:'b0 -> (symbol 'c0))
    (s20:'b0 -> (symbol 'c0)) (s11:'b1 -> (fo_term 'c0 'c1))
    (s21:'b1 -> (fo_term 'c0 'c1)) : unit
    requires {
      forall x:'b0. is_symbol_free_var_in_fo_formula_list x t ->
        s10 x = s20 x
      }
    requires {
      forall x:'b1. is_fo_term_free_var_in_fo_formula_list x t ->
        s11 x = s21 x
      }
    ensures { subst_fo_formula_list t s10 s11 =
      subst_fo_formula_list t s20 s21 }
    variant { size_fo_formula_list t } =
    match t with | FOFNil -> ()
      | FOFCons v0 v1 ->
        assert {
          forall x:'b0. is_symbol_free_var_in_fo_formula x v0 ->
            is_symbol_free_var_in_fo_formula_list x t
          } ;
          assert {
            forall x:'b1. is_fo_term_free_var_in_fo_formula x v0 ->
              is_fo_term_free_var_in_fo_formula_list x t
            } ;
          free_var_equivalence_of_subst_fo_formula v0
            ((rename_subst_symbol s10 identity))
            ((rename_subst_symbol s20 identity))
            ((rename_subst_fo_term s11 identity identity))
            ((rename_subst_fo_term s21 identity identity)) ;
          assert {
            forall x:'b0. is_symbol_free_var_in_fo_formula_list x v1 ->
              is_symbol_free_var_in_fo_formula_list x t
            } ;
          assert {
            forall x:'b1. is_fo_term_free_var_in_fo_formula_list x v1 ->
              is_fo_term_free_var_in_fo_formula_list x t
            } ;
          free_var_equivalence_of_subst_fo_formula_list v1
            ((rename_subst_symbol s10 identity))
            ((rename_subst_symbol s20 identity))
            ((rename_subst_fo_term s11 identity identity))
            ((rename_subst_fo_term s21 identity identity)) ;
          ()
    end
  
  let lemma free_var_equivalence_of_rename_fo_formula_list
    (t:fo_formula_list 'b0 'b1) (s10:'b0 -> 'c0) (s20:'b0 -> 'c0)
    (s11:'b1 -> 'c1) (s21:'b1 -> 'c1) : unit
    requires {
      forall x:'b0. is_symbol_free_var_in_fo_formula_list x t ->
        s10 x = s20 x
      }
    requires {
      forall x:'b1. is_fo_term_free_var_in_fo_formula_list x t ->
        s11 x = s21 x
      }
    ensures { rename_fo_formula_list t s10 s11 =
      rename_fo_formula_list t s20 s21 }
    =
    free_var_equivalence_of_subst_fo_formula_list t
      (subst_of_rename_symbol s10) (subst_of_rename_symbol s20)
      (subst_of_rename_fo_term s11) (subst_of_rename_fo_term s21)
  
  let rec lemma free_var_derive_equivalence_of_subst_fo_formula_list
    (t:fo_formula_list 'b0 'b1) (s10:'b0 -> (symbol 'c0))
    (s20:'b0 -> (symbol 'c0)) (s11:'b1 -> (fo_term 'c0 'c1))
    (s21:'b1 -> (fo_term 'c0 'c1)) : unit
    ensures {
      forall x:'b0. is_symbol_free_var_in_fo_formula_list x t ->
        s10 x = s20 x
      }
    ensures {
      forall x:'b1. is_fo_term_free_var_in_fo_formula_list x t ->
        s11 x = s21 x
      }
    requires { subst_fo_formula_list t s10 s11 =
      subst_fo_formula_list t s20 s21 }
    variant { size_fo_formula_list t } =
    match t with | FOFNil -> ()
      | FOFCons v0 v1 ->
        free_var_derive_equivalence_of_subst_fo_formula v0
          ((rename_subst_symbol s10 identity))
          ((rename_subst_symbol s20 identity))
          ((rename_subst_fo_term s11 identity identity))
          ((rename_subst_fo_term s21 identity identity));
          assert {
            (forall x:'b0, y0:'c0. is_symbol_free_var_in_fo_formula x v0 ->
               rename_symbol (s10 x) identity =
               eval ((rename_subst_symbol s10 identity)) x =
               eval ((rename_subst_symbol s20 identity)) x =
               rename_symbol (s20 x) identity && s10 x =
               rename_symbol (rename_symbol (s10 x) identity) identity =
               rename_symbol (rename_symbol (s20 x) identity) identity =
               s20 x && s10 x = s20 x)
            &&
            forall x:'b0. is_symbol_free_var_in_fo_formula x v0 -> s10 x =
              s20 x
            };
          assert {
            (forall x:'b1, y0:'c0, y1:'c1.
               is_fo_term_free_var_in_fo_formula x v0 ->
               rename_fo_term (s11 x) identity identity =
               eval ((rename_subst_fo_term s11 identity identity)) x =
               eval ((rename_subst_fo_term s21 identity identity)) x =
               rename_fo_term (s21 x) identity identity && s11 x =
               rename_fo_term (rename_fo_term (s11 x) identity identity)
                 identity identity
               =
               rename_fo_term (rename_fo_term (s21 x) identity identity)
                 identity identity
               = s21 x && s11 x = s21 x)
            &&
            forall x:'b1. is_fo_term_free_var_in_fo_formula x v0 -> s11 x =
              s21 x
            } ;
          free_var_derive_equivalence_of_subst_fo_formula_list v1
            ((rename_subst_symbol s10 identity))
            ((rename_subst_symbol s20 identity))
            ((rename_subst_fo_term s11 identity identity))
            ((rename_subst_fo_term s21 identity identity));
          assert {
            (forall x:'b0, y0:'c0. is_symbol_free_var_in_fo_formula_list x v1
               -> rename_symbol (s10 x) identity =
               eval ((rename_subst_symbol s10 identity)) x =
               eval ((rename_subst_symbol s20 identity)) x =
               rename_symbol (s20 x) identity && s10 x =
               rename_symbol (rename_symbol (s10 x) identity) identity =
               rename_symbol (rename_symbol (s20 x) identity) identity =
               s20 x && s10 x = s20 x)
            &&
            forall x:'b0. is_symbol_free_var_in_fo_formula_list x v1 -> s10 x
              = s20 x
            };
          assert {
            (forall x:'b1, y0:'c0, y1:'c1.
               is_fo_term_free_var_in_fo_formula_list x v1 ->
               rename_fo_term (s11 x) identity identity =
               eval ((rename_subst_fo_term s11 identity identity)) x =
               eval ((rename_subst_fo_term s21 identity identity)) x =
               rename_fo_term (s21 x) identity identity && s11 x =
               rename_fo_term (rename_fo_term (s11 x) identity identity)
                 identity identity
               =
               rename_fo_term (rename_fo_term (s21 x) identity identity)
                 identity identity
               = s21 x && s11 x = s21 x)
            &&
            forall x:'b1. is_fo_term_free_var_in_fo_formula_list x v1 ->
              s11 x = s21 x
            } ;
          ()
    end
  
  let lemma free_var_derive_equivalence_of_rename_fo_formula_list
    (t:fo_formula_list 'b0 'b1) (s10:'b0 -> 'c0) (s20:'b0 -> 'c0)
    (s11:'b1 -> 'c1) (s21:'b1 -> 'c1) : unit
    ensures {
      forall x:'b0. is_symbol_free_var_in_fo_formula_list x t ->
        s10 x = s20 x
      }
    ensures {
      forall x:'b1. is_fo_term_free_var_in_fo_formula_list x t ->
        s11 x = s21 x
      }
    requires { rename_fo_formula_list t s10 s11 =
      rename_fo_formula_list t s20 s21 }
    =
    free_var_derive_equivalence_of_subst_fo_formula_list t
      (subst_of_rename_symbol s10) (subst_of_rename_symbol s20)
      (subst_of_rename_fo_term s11) (subst_of_rename_fo_term s21);
    assert {
      forall x:'b0. (subst_of_rename_symbol s10 x:symbol 'c0) =
        (subst_of_rename_symbol s20 x:symbol 'c0) ->
        (Var_symbol (s10 x):symbol 'c0) = (Var_symbol (s20 x):symbol 'c0) &&
        s10 x = s20 x
      };
    assert {
      forall x:'b1. (subst_of_rename_fo_term s11 x:fo_term 'c0 'c1) =
        (subst_of_rename_fo_term s21 x:fo_term 'c0 'c1) ->
        (Var_fo_term (s11 x):fo_term 'c0 'c1) =
        (Var_fo_term (s21 x):fo_term 'c0 'c1) && s11 x = s21 x
      }
  
  
end


why3-1.6.0/examples/prover/Firstorder_formula_list_spec/000077500000000000000000000000001440160026300234545ustar00rootroot00000000000000why3-1.6.0/examples/prover/Firstorder_formula_list_spec/why3session.xml000066400000000000000000000244451440160026300265050ustar00rootroot00000000000000







 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
  
  
  
  
  
  
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
  
  
  
  
  
  
  
  
  
  
  
  
 
 
 
 
 
 
 
 
 
 
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
 
 
 
 
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
 
 



why3-1.6.0/examples/prover/Firstorder_formula_list_spec/why3shapes.gz000066400000000000000000000122261440160026300261170ustar00rootroot00000000000000][oJ~K/A 
;bWn# 3`o5EJMi1,U_}U}ټ꾆{z?oC|>^%ǽc?ϹF&JZKY$O}2)VZj{Pޔ7lӶヌw.pl7ݗǙKZ~:h)NRtX=7{R(U^1tmm!$931Z/D/|x>(u`ˎ&eS=YM@%AxTչthn7mzcٔPR8fuё?
Ly;2MfdʇC޹K9*ٛ>67QKoHTIE{x:-@#Q[,P{1=x)yffff#3a֚yakxD8-tDIEIepQھQf	1D
ϡF9^d
hImff<=)=N"&EI
IlbjUNmK%Q,;cViIzMC(8kaRKbɐaa"ە@Mda	G\ǏtJR_ʿKE!&a|wq~%k:֢,`aܤ}i[ۋDA!-qSrUrQrm<zs<]9y~Ԕ9Oy>YtJHG2{`{`Xqen	;I<}4SL	0%ìTɕL5Dh(G1/_㟃m@^`Vz0vzRRi)ѫ#s2Gw
iFz^ng}/{H]ۛ-<>DmDuv/`a{뻏Mg*-n!ۣDD	Pum-,8,:.aaJqJqi]T/G'$`]Zۓv	\;#6X-I9q6[:XP=X4_Ep*!<Ö`Gl^䘽̉$d͉
̯O_/n?UPUX(WPcFpIobfdq _
DKnj>:T0*%A\C/=
ڃl
u\
#d9z5ruo|?7nFKٴw͠E7v:.Kڑ;}v%!0!P0(n1Ҥ4)#{JV-3g}B
TO$kc'%l{:ƟY`:ח%
myęU-ά:Y+NǬB:zdO@ǧX&ݟS	r[,_FXtNmqs:>I@E($
I[i\2	|isv?
~r~$>|}}݌~+!}9v+G ?k(@E4IrxTLܴYwBw\ewgsS~-)Tf3?hqiM(]2؉^x:CB\l
(oy'ǵK$5Ψž-mZY1,u*FGH
=4#s\Ӽ_N:	sn3	+>;:p̤|?E(O"-//)ZHeV9rXM߂S0~=2pEh}NثȥY@m
Y-8j;
  7Jy^,zX>mLz,h'z)Ye\Nj:W]+|+p=iM"h>!>6Uiiit*M6ƜM߈
H?BZr$ʇld(:o-'1nnKi_sKP=Pi_n?b@I>پCжf{߬EUWH$RXxSHs'7ѣN՞%Pd;)Mn|$FS_pla@B6>VShVxkSRwއlL\&/(bo!M}vh?X\>#אxvy>CJo
`',-FG۹HJi'oM;~򦛼AOtO	VG&ȘA:9tNM3dsߩiwuñyߨ;q	hdx!ls}և.1ͱ,ۇ'bݡ]2#bȣ9BiYr,;Q/'h!rq*J"kLENx$Ҍ
O\.Ms0uE&ٟ}Tji824LGBR
'2#?dN&\%U4s*3M۝24"dFĺ
̱S&7$GCF$Q*~NP|V]ʎ

'V^OÑ*P ?UgV翔ë9?Ӄov
B%ˉ<{̿{ab~9u}7ץPɠ0RvZ BfDy4u#/Xqׂ
A3x~-Q9'	U<1@+A((H6N(g2쒹nV&gΚ	^Z:dzR2(r7Q"dFĺlaЦ"n|.||Cb{!M({WyBhpdiP.Od*	%e*-+Qh(#&HBI!h:tgx/7ذO/("ɬ9
AhpdiB.Od
IMaJnChᏧz&?ǠC;;a	"񫈰W*4y\D$$]9O=čnȲ{#ж߿8\&࣎ sojԛmŗm~y?(2|Lk*|%b"OUst%%bWji9O~L;m{'ucSmy!XTɏ7<>eOAD;ܝ%{lԛ0N:ԛS3SCpwǀ3G-;FwNDhsw.Xc3Ԫ^uzFUCuM9Z=Z=DQrZ{D
wQɉPo$@M}ϸbnnA
Pfr *M5im*AmDvSUT֜kO<V.T!!^F:()\ִ͌8T͆mkt`* #54Uc
e]{IjldIUZ`R1a%PUQmXEt	VQy7TTXa\#Aq4\UFhiՆQZJ+mDRa`CV0:W5LTĒJAw1rT8HwZS+j
:zlLt`\KIpAsK$j7&w&}-WZ3KԆt_RY(@U!V
Z{Ih8YZ"5nn
2;>[NJGAA$D˥2T
ԕDBMɩaX唖RDŽ 3YhЅPr4dMHh׮:he7ˡ0- z	nYa#i!ɼ!k8$Tf#e!E!y!ټ4`CSoݍn.JLmMj€*l0c&TFB14I`	(ikFBnJhJRJ Y{*"XiR_UtKKP0
R[`UuS-MW57.h|-3&peU-*51""(i+͎}$FSٍ&%{Ӏ,BPISM` UQ^hF8RHЈI
!lh6Zz06B\SK@󕫭fZjB($lŸ
h(E [iR8u~$IĴ |Z͙16
5Xc&P;4Dܬ6Tb!75])	ZF
fnob[KVQR3Buq"
	07tࡌRU;+t d< b^{`=]ҪtcYaZF*:F
@h		QZWW޹*o W9	PCV^ssZzƂ,HRVY/_X
5
&b
ЦҤu]/_ҀC/+3N<&tZwhy3-1.6.0/examples/prover/Firstorder_formula_spec.mlw000066400000000000000000002332641440160026300231540ustar00rootroot00000000000000module Spec
  use option.Option
  use int.Int
  use Nat.Nat
  use Functions.Func
  use OptionFuncs.Funcs
  use Sum.Sum
  use Firstorder_symbol_spec.Spec
  use Firstorder_term_spec.Spec
  type fo_formula 'b0 'b1 =
    | Forall (fo_formula 'b0 (option 'b1))
    | Exists (fo_formula 'b0 (option 'b1))
    | And (fo_formula 'b0 'b1) (fo_formula 'b0 'b1)
    | Or (fo_formula 'b0 'b1) (fo_formula 'b0 'b1)
    | Not (fo_formula 'b0 'b1)
    | FTrue
    | FFalse
    | PApp (symbol 'b0) (fo_term_list 'b0 'b1)
    
  
  function nat_size_fo_formula (t:fo_formula 'b0 'b1) : nat =
    match t with
      | Forall v0 ->
        let s = one_nat in let s = add_nat (nat_size_fo_formula v0) s in s
      | Exists v0 ->
        let s = one_nat in let s = add_nat (nat_size_fo_formula v0) s in s
      | And v0 v1 ->
        let s = one_nat in let s = add_nat (nat_size_fo_formula v1) s in
          let s = add_nat (nat_size_fo_formula v0) s in s
      | Or v0 v1 ->
        let s = one_nat in let s = add_nat (nat_size_fo_formula v1) s in
          let s = add_nat (nat_size_fo_formula v0) s in s
      | Not v0 ->
        let s = one_nat in let s = add_nat (nat_size_fo_formula v0) s in s
      | FTrue -> let s = one_nat in s | FFalse -> let s = one_nat in s
      | PApp v0 v1 ->
        let s = one_nat in let s = add_nat (nat_size_fo_term_list v1) s in
          let s = add_nat (nat_size_symbol v0) s in s
    end
  
  with size_fo_formula (t:fo_formula 'b0 'b1) : int =
    match t with
      | Forall v0 -> let s = 1 in let s = size_fo_formula v0 + s in s
      | Exists v0 -> let s = 1 in let s = size_fo_formula v0 + s in s
      | And v0 v1 ->
        let s = 1 in let s = size_fo_formula v1 + s in
          let s = size_fo_formula v0 + s in s
      | Or v0 v1 ->
        let s = 1 in let s = size_fo_formula v1 + s in
          let s = size_fo_formula v0 + s in s
      | Not v0 -> let s = 1 in let s = size_fo_formula v0 + s in s
      | FTrue -> let s = 1 in s | FFalse -> let s = 1 in s
      | PApp v0 v1 ->
        let s = 1 in let s = size_fo_term_list v1 + s in
          let s = size_symbol v0 + s in s
    end
  
  let rec lemma size_positive_lemma_fo_formula (t:fo_formula 'b0 'b1) : unit
    ensures { size_fo_formula t > 0 }
    variant { nat_to_int (nat_size_fo_formula t) } =
    match t with | Forall v0 -> size_positive_lemma_fo_formula v0 ; ()
      | Exists v0 -> size_positive_lemma_fo_formula v0 ; ()
      | And v0 v1 ->
        size_positive_lemma_fo_formula v0 ;
          size_positive_lemma_fo_formula v1 ; ()
      | Or v0 v1 ->
        size_positive_lemma_fo_formula v0 ;
          size_positive_lemma_fo_formula v1 ; ()
      | Not v0 -> size_positive_lemma_fo_formula v0 ; () | FTrue -> ()
      | FFalse -> ()
      | PApp v0 v1 ->
        size_positive_lemma_symbol v0 ; size_positive_lemma_fo_term_list v1 ;
          ()
    end
  
  function rename_fo_formula (t:fo_formula 'b0 'b1) (s0:'b0 -> 'c0)
    (s1:'b1 -> 'c1) : fo_formula 'c0 'c1 =
    match t with | Forall v0 -> Forall (rename_fo_formula v0 s0 (olift s1))
      | Exists v0 -> Exists (rename_fo_formula v0 s0 (olift s1))
      | And v0 v1 ->
        And (rename_fo_formula v0 s0 s1) (rename_fo_formula v1 s0 s1)
      | Or v0 v1 ->
        Or (rename_fo_formula v0 s0 s1) (rename_fo_formula v1 s0 s1)
      | Not v0 -> Not (rename_fo_formula v0 s0 s1) | FTrue -> FTrue
      | FFalse -> FFalse
      | PApp v0 v1 ->
        PApp (rename_symbol v0 s0) (rename_fo_term_list v1 s0 s1)
    end
  
  let rec lemma renaming_composition_lemma_fo_formula (t:fo_formula 'b0 'b1)
    (s10:'b0 -> 'c0) (s11:'b1 -> 'c1) (s20:'c0 -> 'd0) (s21:'c1 -> 'd1) :
    unit
    ensures { rename_fo_formula (rename_fo_formula t s10 s11) s20 s21 =
      rename_fo_formula t (rcompose s10 s20) (rcompose s11 s21) }
    variant { size_fo_formula t } =
    match t with
      | Forall v0 ->
        renaming_composition_lemma_fo_formula v0 s10 (olift s11) s20
          (olift s21) ; ()
      | Exists v0 ->
        renaming_composition_lemma_fo_formula v0 s10 (olift s11) s20
          (olift s21) ; ()
      | And v0 v1 ->
        renaming_composition_lemma_fo_formula v0 s10 s11 s20 s21 ;
          renaming_composition_lemma_fo_formula v1 s10 s11 s20 s21 ; ()
      | Or v0 v1 ->
        renaming_composition_lemma_fo_formula v0 s10 s11 s20 s21 ;
          renaming_composition_lemma_fo_formula v1 s10 s11 s20 s21 ; ()
      | Not v0 ->
        renaming_composition_lemma_fo_formula v0 s10 s11 s20 s21 ; ()
      | FTrue -> () | FFalse -> ()
      | PApp v0 v1 ->
        renaming_composition_lemma_symbol v0 s10 s20 ;
          renaming_composition_lemma_fo_term_list v1 s10 s11 s20 s21 ; ()
    end
  
  let rec lemma renaming_identity_lemma_fo_formula (t:fo_formula 'b0 'b1) :
    unit ensures { rename_fo_formula t identity identity = t }
    variant { size_fo_formula t } =
    match t with | Forall v0 -> renaming_identity_lemma_fo_formula v0 ; ()
      | Exists v0 -> renaming_identity_lemma_fo_formula v0 ; ()
      | And v0 v1 ->
        renaming_identity_lemma_fo_formula v0 ;
          renaming_identity_lemma_fo_formula v1 ; ()
      | Or v0 v1 ->
        renaming_identity_lemma_fo_formula v0 ;
          renaming_identity_lemma_fo_formula v1 ; ()
      | Not v0 -> renaming_identity_lemma_fo_formula v0 ; () | FTrue -> ()
      | FFalse -> ()
      | PApp v0 v1 ->
        renaming_identity_lemma_symbol v0 ;
          renaming_identity_lemma_fo_term_list v1 ; ()
    end
  
  function subst_fo_formula (t:fo_formula 'b0 'b1) (s0:'b0 -> (symbol 'c0))
    (s1:'b1 -> (fo_term 'c0 'c1)) : fo_formula 'c0 'c1 =
    match t with
      | Forall v0 ->
        Forall
          (subst_fo_formula v0 (rename_subst_symbol s0 identity)
            (rename_subst_fo_term (olifts_fo_term s1) identity identity))
      | Exists v0 ->
        Exists
          (subst_fo_formula v0 (rename_subst_symbol s0 identity)
            (rename_subst_fo_term (olifts_fo_term s1) identity identity))
      | And v0 v1 ->
        And
          (subst_fo_formula v0 (rename_subst_symbol s0 identity)
            (rename_subst_fo_term s1 identity identity))
          (subst_fo_formula v1 (rename_subst_symbol s0 identity)
            (rename_subst_fo_term s1 identity identity))
      | Or v0 v1 ->
        Or
          (subst_fo_formula v0 (rename_subst_symbol s0 identity)
            (rename_subst_fo_term s1 identity identity))
          (subst_fo_formula v1 (rename_subst_symbol s0 identity)
            (rename_subst_fo_term s1 identity identity))
      | Not v0 ->
        Not
          (subst_fo_formula v0 (rename_subst_symbol s0 identity)
            (rename_subst_fo_term s1 identity identity))
      | FTrue -> FTrue | FFalse -> FFalse
      | PApp v0 v1 ->
        PApp (subst_symbol v0 (rename_subst_symbol s0 identity))
          (subst_fo_term_list v1 (rename_subst_symbol s0 identity)
            (rename_subst_fo_term s1 identity identity))
    end
  
  let rec lemma rename_then_subst_composition_lemma_fo_formula
    (t:fo_formula 'b0 'b1) (s10:'b0 -> 'c0) (s11:'b1 -> 'c1)
    (s20:'c0 -> (symbol 'd0)) (s21:'c1 -> (fo_term 'd0 'd1)) : unit
    ensures { subst_fo_formula (rename_fo_formula t s10 s11) s20 s21 =
      subst_fo_formula t (rcompose s10 s20) (rcompose s11 s21) }
    variant { size_fo_formula t } =
    match t with
      | Forall v0 ->
        rename_then_subst_composition_lemma_fo_formula v0 s10 (olift s11)
          (rename_subst_symbol s20 identity)
          (rename_subst_fo_term (olifts_fo_term s21) identity identity) ; ()
      | Exists v0 ->
        rename_then_subst_composition_lemma_fo_formula v0 s10 (olift s11)
          (rename_subst_symbol s20 identity)
          (rename_subst_fo_term (olifts_fo_term s21) identity identity) ; ()
      | And v0 v1 ->
        rename_then_subst_composition_lemma_fo_formula v0 s10 s11
          (rename_subst_symbol s20 identity)
          (rename_subst_fo_term s21 identity identity) ;
          rename_then_subst_composition_lemma_fo_formula v1 s10 s11
          (rename_subst_symbol s20 identity)
          (rename_subst_fo_term s21 identity identity) ; ()
      | Or v0 v1 ->
        rename_then_subst_composition_lemma_fo_formula v0 s10 s11
          (rename_subst_symbol s20 identity)
          (rename_subst_fo_term s21 identity identity) ;
          rename_then_subst_composition_lemma_fo_formula v1 s10 s11
          (rename_subst_symbol s20 identity)
          (rename_subst_fo_term s21 identity identity) ; ()
      | Not v0 ->
        rename_then_subst_composition_lemma_fo_formula v0 s10 s11
          (rename_subst_symbol s20 identity)
          (rename_subst_fo_term s21 identity identity) ; ()
      | FTrue -> () | FFalse -> ()
      | PApp v0 v1 ->
        rename_then_subst_composition_lemma_symbol v0 s10
          (rename_subst_symbol s20 identity) ;
          rename_then_subst_composition_lemma_fo_term_list v1 s10 s11
          (rename_subst_symbol s20 identity)
          (rename_subst_fo_term s21 identity identity) ; ()
    end
  
  let rec lemma subst_then_rename_composition_lemma_fo_formula
    (t:fo_formula 'b0 'b1) (s10:'b0 -> (symbol 'c0))
    (s11:'b1 -> (fo_term 'c0 'c1)) (s20:'c0 -> 'd0) (s21:'c1 -> 'd1) : unit
    ensures { rename_fo_formula (subst_fo_formula t s10 s11) s20 s21 =
      subst_fo_formula t (rename_subst_symbol s10 s20)
        (rename_subst_fo_term s11 s20 s21)
      }
    variant { size_fo_formula t } =
    match t with
      | Forall v0 ->
        subst_then_rename_composition_lemma_fo_formula v0
          (rename_subst_symbol s10 identity)
          (rename_subst_fo_term (olifts_fo_term s11) identity identity) s20
          (olift s21) ; ()
      | Exists v0 ->
        subst_then_rename_composition_lemma_fo_formula v0
          (rename_subst_symbol s10 identity)
          (rename_subst_fo_term (olifts_fo_term s11) identity identity) s20
          (olift s21) ; ()
      | And v0 v1 ->
        subst_then_rename_composition_lemma_fo_formula v0
          (rename_subst_symbol s10 identity)
          (rename_subst_fo_term s11 identity identity) s20 s21 ;
          subst_then_rename_composition_lemma_fo_formula v1
          (rename_subst_symbol s10 identity)
          (rename_subst_fo_term s11 identity identity) s20 s21 ; ()
      | Or v0 v1 ->
        subst_then_rename_composition_lemma_fo_formula v0
          (rename_subst_symbol s10 identity)
          (rename_subst_fo_term s11 identity identity) s20 s21 ;
          subst_then_rename_composition_lemma_fo_formula v1
          (rename_subst_symbol s10 identity)
          (rename_subst_fo_term s11 identity identity) s20 s21 ; ()
      | Not v0 ->
        subst_then_rename_composition_lemma_fo_formula v0
          (rename_subst_symbol s10 identity)
          (rename_subst_fo_term s11 identity identity) s20 s21 ; ()
      | FTrue -> () | FFalse -> ()
      | PApp v0 v1 ->
        subst_then_rename_composition_lemma_symbol v0
          (rename_subst_symbol s10 identity) s20 ;
          subst_then_rename_composition_lemma_fo_term_list v1
          (rename_subst_symbol s10 identity)
          (rename_subst_fo_term s11 identity identity) s20 s21 ; ()
    end
  
  let rec lemma subst_composition_lemma_fo_formula (t:fo_formula 'b0 'b1)
    (s10:'b0 -> (symbol 'c0)) (s11:'b1 -> (fo_term 'c0 'c1))
    (s20:'c0 -> (symbol 'd0)) (s21:'c1 -> (fo_term 'd0 'd1)) : unit
    ensures { subst_fo_formula (subst_fo_formula t s10 s11) s20 s21 =
      subst_fo_formula t (subst_compose_symbol s10 s20)
        (subst_compose_fo_term s11 s20 s21)
      }
    variant { size_fo_formula t } =
    match t with
      | Forall v0 ->
        subst_composition_lemma_fo_formula v0
          (rename_subst_symbol s10 identity)
          (rename_subst_fo_term (olifts_fo_term s11) identity identity)
          (rename_subst_symbol s20 identity)
          (rename_subst_fo_term (olifts_fo_term s21) identity identity) ; ()
      | Exists v0 ->
        subst_composition_lemma_fo_formula v0
          (rename_subst_symbol s10 identity)
          (rename_subst_fo_term (olifts_fo_term s11) identity identity)
          (rename_subst_symbol s20 identity)
          (rename_subst_fo_term (olifts_fo_term s21) identity identity) ; ()
      | And v0 v1 ->
        subst_composition_lemma_fo_formula v0
          (rename_subst_symbol s10 identity)
          (rename_subst_fo_term s11 identity identity)
          (rename_subst_symbol s20 identity)
          (rename_subst_fo_term s21 identity identity) ;
          subst_composition_lemma_fo_formula v1
          (rename_subst_symbol s10 identity)
          (rename_subst_fo_term s11 identity identity)
          (rename_subst_symbol s20 identity)
          (rename_subst_fo_term s21 identity identity) ; ()
      | Or v0 v1 ->
        subst_composition_lemma_fo_formula v0
          (rename_subst_symbol s10 identity)
          (rename_subst_fo_term s11 identity identity)
          (rename_subst_symbol s20 identity)
          (rename_subst_fo_term s21 identity identity) ;
          subst_composition_lemma_fo_formula v1
          (rename_subst_symbol s10 identity)
          (rename_subst_fo_term s11 identity identity)
          (rename_subst_symbol s20 identity)
          (rename_subst_fo_term s21 identity identity) ; ()
      | Not v0 ->
        subst_composition_lemma_fo_formula v0
          (rename_subst_symbol s10 identity)
          (rename_subst_fo_term s11 identity identity)
          (rename_subst_symbol s20 identity)
          (rename_subst_fo_term s21 identity identity) ; ()
      | FTrue -> () | FFalse -> ()
      | PApp v0 v1 ->
        subst_composition_lemma_symbol v0 (rename_subst_symbol s10 identity)
          (rename_subst_symbol s20 identity) ;
          subst_composition_lemma_fo_term_list v1
          (rename_subst_symbol s10 identity)
          (rename_subst_fo_term s11 identity identity)
          (rename_subst_symbol s20 identity)
          (rename_subst_fo_term s21 identity identity) ; ()
    end
  
  let rec lemma subst_identity_lemma_fo_formula (t:fo_formula 'b0 'b1) : unit
    ensures { subst_fo_formula t subst_id_symbol subst_id_fo_term = t }
    variant { size_fo_formula t } =
    match t with | Forall v0 -> subst_identity_lemma_fo_formula v0 ; ()
      | Exists v0 -> subst_identity_lemma_fo_formula v0 ; ()
      | And v0 v1 ->
        subst_identity_lemma_fo_formula v0 ; subst_identity_lemma_fo_formula
          v1 ; ()
      | Or v0 v1 ->
        subst_identity_lemma_fo_formula v0 ; subst_identity_lemma_fo_formula
          v1 ; ()
      | Not v0 -> subst_identity_lemma_fo_formula v0 ; () | FTrue -> ()
      | FFalse -> ()
      | PApp v0 v1 ->
        subst_identity_lemma_symbol v0 ; subst_identity_lemma_fo_term_list
          v1 ; ()
    end
  
  let rec lemma renaming_preserve_size_fo_formula (t:fo_formula 'b0 'b1)
    (s0:'b0 -> 'c0) (s1:'b1 -> 'c1) : unit
    ensures { size_fo_formula (rename_fo_formula t s0 s1) = size_fo_formula t
      }
    variant { size_fo_formula t } =
    match t with
      | Forall v0 ->
        renaming_preserve_size_fo_formula v0 (s0) ((olift s1)) ; ()
      | Exists v0 ->
        renaming_preserve_size_fo_formula v0 (s0) ((olift s1)) ; ()
      | And v0 v1 ->
        renaming_preserve_size_fo_formula v0 (s0) (s1) ;
          renaming_preserve_size_fo_formula v1 (s0) (s1) ; ()
      | Or v0 v1 ->
        renaming_preserve_size_fo_formula v0 (s0) (s1) ;
          renaming_preserve_size_fo_formula v1 (s0) (s1) ; ()
      | Not v0 -> renaming_preserve_size_fo_formula v0 (s0) (s1) ; ()
      | FTrue -> () | FFalse -> ()
      | PApp v0 v1 ->
        renaming_preserve_size_symbol v0 (s0) ;
          renaming_preserve_size_fo_term_list v1 (s0) (s1) ; ()
    end
  
  predicate is_symbol_free_var_in_fo_formula (x:'b0) (t:fo_formula 'b0 'b1) =
    match t with | Forall v0 -> is_symbol_free_var_in_fo_formula x v0
      | Exists v0 -> is_symbol_free_var_in_fo_formula x v0
      | And v0 v1 ->
        is_symbol_free_var_in_fo_formula x v0 \/
          is_symbol_free_var_in_fo_formula x v1
      | Or v0 v1 ->
        is_symbol_free_var_in_fo_formula x v0 \/
          is_symbol_free_var_in_fo_formula x v1
      | Not v0 -> is_symbol_free_var_in_fo_formula x v0 | FTrue -> false
      | FFalse -> false
      | PApp v0 v1 ->
        is_symbol_free_var_in_symbol x v0 \/
          is_symbol_free_var_in_fo_term_list x v1
    end
  
  with is_fo_term_free_var_in_fo_formula (x:'b1) (t:fo_formula 'b0 'b1) =
    match t with | Forall v0 -> is_fo_term_free_var_in_fo_formula (Some x) v0
      | Exists v0 -> is_fo_term_free_var_in_fo_formula (Some x) v0
      | And v0 v1 ->
        is_fo_term_free_var_in_fo_formula x v0 \/
          is_fo_term_free_var_in_fo_formula x v1
      | Or v0 v1 ->
        is_fo_term_free_var_in_fo_formula x v0 \/
          is_fo_term_free_var_in_fo_formula x v1
      | Not v0 -> is_fo_term_free_var_in_fo_formula x v0 | FTrue -> false
      | FFalse -> false
      | PApp v0 v1 -> is_fo_term_free_var_in_fo_term_list x v1
    end
  
  let rec ghost rename_free_var_constructive_inversion_symbol_fo_formula
    (x:'c0) (t:fo_formula 'b0 'b1) (s0:'b0 -> 'c0) (s1:'b1 -> 'c1) : 'b0
    requires { is_symbol_free_var_in_fo_formula x (rename_fo_formula t s0 s1)
      }
    ensures { is_symbol_free_var_in_fo_formula result t /\ s0 result = x }
    variant { size_fo_formula t } =
    match t with
      | Forall v0 ->
        if is_symbol_free_var_in_fo_formula x
             (rename_fo_formula v0 s0 (olift s1))
          then
            let sumx =
              rename_free_var_constructive_inversion_symbol_fo_formula x v0
                s0 (olift s1)
            in sumx 
          else absurd
      | Exists v0 ->
        if is_symbol_free_var_in_fo_formula x
             (rename_fo_formula v0 s0 (olift s1))
          then
            let sumx =
              rename_free_var_constructive_inversion_symbol_fo_formula x v0
                s0 (olift s1)
            in sumx 
          else absurd
      | And v0 v1 ->
        if is_symbol_free_var_in_fo_formula x (rename_fo_formula v0 s0 s1)
          then
            let sumx =
              rename_free_var_constructive_inversion_symbol_fo_formula x v0
                s0 s1
            in sumx 
          else
            if is_symbol_free_var_in_fo_formula x
                 (rename_fo_formula v1 s0 s1)
              then
                let sumx =
                  rename_free_var_constructive_inversion_symbol_fo_formula x
                    v1 s0 s1
                in sumx 
              else absurd
      | Or v0 v1 ->
        if is_symbol_free_var_in_fo_formula x (rename_fo_formula v0 s0 s1)
          then
            let sumx =
              rename_free_var_constructive_inversion_symbol_fo_formula x v0
                s0 s1
            in sumx 
          else
            if is_symbol_free_var_in_fo_formula x
                 (rename_fo_formula v1 s0 s1)
              then
                let sumx =
                  rename_free_var_constructive_inversion_symbol_fo_formula x
                    v1 s0 s1
                in sumx 
              else absurd
      | Not v0 ->
        if is_symbol_free_var_in_fo_formula x (rename_fo_formula v0 s0 s1)
          then
            let sumx =
              rename_free_var_constructive_inversion_symbol_fo_formula x v0
                s0 s1
            in sumx 
          else absurd
      | FTrue -> absurd | FFalse -> absurd
      | PApp v0 v1 ->
        if is_symbol_free_var_in_symbol x (rename_symbol v0 s0)
          then
            let sumx =
              rename_free_var_constructive_inversion_symbol_symbol x v0 s0
            in sumx 
          else
            if is_symbol_free_var_in_fo_term_list x
                 (rename_fo_term_list v1 s0 s1)
              then
                let sumx =
                  rename_free_var_constructive_inversion_symbol_fo_term_list
                    x v1 s0 s1
                in sumx 
              else absurd
    end
  
  with lemma rename_free_var_inversion_symbol_fo_formula (x:'c0)
    (t:fo_formula 'b0 'b1) (s0:'b0 -> 'c0) (s1:'b1 -> 'c1) : unit
    requires { is_symbol_free_var_in_fo_formula x (rename_fo_formula t s0 s1)
      }
    ensures { exists y:'b0. is_symbol_free_var_in_fo_formula y t /\ s0 y = x
      }
    variant { 1 + size_fo_formula t } =
    let sumx =
      rename_free_var_constructive_inversion_symbol_fo_formula x t s0 s1
    in ()
  
  with ghost rename_free_var_constructive_inversion_fo_term_fo_formula
    (x:'c1) (t:fo_formula 'b0 'b1) (s0:'b0 -> 'c0) (s1:'b1 -> 'c1) : 'b1
    requires {
      is_fo_term_free_var_in_fo_formula x (rename_fo_formula t s0 s1) }
    ensures { is_fo_term_free_var_in_fo_formula result t /\ s1 result = x }
    variant { size_fo_formula t } =
    match t with
      | Forall v0 ->
        if is_fo_term_free_var_in_fo_formula (Some x)
             (rename_fo_formula v0 s0 (olift s1))
          then
            let sumx =
              rename_free_var_constructive_inversion_fo_term_fo_formula
                (Some x) v0 s0 (olift s1)
            in match sumx with | None -> absurd | Some sumx -> sumx end 
          else absurd
      | Exists v0 ->
        if is_fo_term_free_var_in_fo_formula (Some x)
             (rename_fo_formula v0 s0 (olift s1))
          then
            let sumx =
              rename_free_var_constructive_inversion_fo_term_fo_formula
                (Some x) v0 s0 (olift s1)
            in match sumx with | None -> absurd | Some sumx -> sumx end 
          else absurd
      | And v0 v1 ->
        if is_fo_term_free_var_in_fo_formula x (rename_fo_formula v0 s0 s1)
          then
            let sumx =
              rename_free_var_constructive_inversion_fo_term_fo_formula x v0
                s0 s1
            in sumx 
          else
            if is_fo_term_free_var_in_fo_formula x
                 (rename_fo_formula v1 s0 s1)
              then
                let sumx =
                  rename_free_var_constructive_inversion_fo_term_fo_formula x
                    v1 s0 s1
                in sumx 
              else absurd
      | Or v0 v1 ->
        if is_fo_term_free_var_in_fo_formula x (rename_fo_formula v0 s0 s1)
          then
            let sumx =
              rename_free_var_constructive_inversion_fo_term_fo_formula x v0
                s0 s1
            in sumx 
          else
            if is_fo_term_free_var_in_fo_formula x
                 (rename_fo_formula v1 s0 s1)
              then
                let sumx =
                  rename_free_var_constructive_inversion_fo_term_fo_formula x
                    v1 s0 s1
                in sumx 
              else absurd
      | Not v0 ->
        if is_fo_term_free_var_in_fo_formula x (rename_fo_formula v0 s0 s1)
          then
            let sumx =
              rename_free_var_constructive_inversion_fo_term_fo_formula x v0
                s0 s1
            in sumx 
          else absurd
      | FTrue -> absurd | FFalse -> absurd
      | PApp v0 v1 ->
        if is_fo_term_free_var_in_fo_term_list x
             (rename_fo_term_list v1 s0 s1)
          then
            let sumx =
              rename_free_var_constructive_inversion_fo_term_fo_term_list x
                v1 s0 s1
            in sumx 
          else absurd
    end
  
  with lemma rename_free_var_inversion_fo_term_fo_formula (x:'c1)
    (t:fo_formula 'b0 'b1) (s0:'b0 -> 'c0) (s1:'b1 -> 'c1) : unit
    requires {
      is_fo_term_free_var_in_fo_formula x (rename_fo_formula t s0 s1) }
    ensures { exists y:'b1. is_fo_term_free_var_in_fo_formula y t /\ s1 y = x
      }
    variant { 1 + size_fo_formula t } =
    let sumx =
      rename_free_var_constructive_inversion_fo_term_fo_formula x t s0 s1
    in ()
  
  let rec lemma rename_free_var_propagation_symbol_fo_formula (x:'b0)
    (t:fo_formula 'b0 'b1) (s0:'b0 -> 'c0) (s1:'b1 -> 'c1) : unit
    ensures { is_symbol_free_var_in_fo_formula x t ->
      is_symbol_free_var_in_fo_formula (s0 x) (rename_fo_formula t s0 s1) }
    variant { size_fo_formula t } =
    match t with
      | Forall v0 ->
        rename_free_var_propagation_symbol_fo_formula x v0 (s0)
          ((olift s1)) ; ()
      | Exists v0 ->
        rename_free_var_propagation_symbol_fo_formula x v0 (s0)
          ((olift s1)) ; ()
      | And v0 v1 ->
        rename_free_var_propagation_symbol_fo_formula x v0 (s0) (s1) ;
          rename_free_var_propagation_symbol_fo_formula x v1 (s0) (s1) ; ()
      | Or v0 v1 ->
        rename_free_var_propagation_symbol_fo_formula x v0 (s0) (s1) ;
          rename_free_var_propagation_symbol_fo_formula x v1 (s0) (s1) ; ()
      | Not v0 ->
        rename_free_var_propagation_symbol_fo_formula x v0 (s0) (s1) ; ()
      | FTrue -> () | FFalse -> ()
      | PApp v0 v1 ->
        rename_free_var_propagation_symbol_symbol x v0 (s0) ;
          rename_free_var_propagation_symbol_fo_term_list x v1 (s0) (s1) ; ()
    end
  
  with lemma rename_free_var_propagation_fo_term_fo_formula (x:'b1)
    (t:fo_formula 'b0 'b1) (s0:'b0 -> 'c0) (s1:'b1 -> 'c1) : unit
    ensures { is_fo_term_free_var_in_fo_formula x t ->
      is_fo_term_free_var_in_fo_formula (s1 x) (rename_fo_formula t s0 s1) }
    variant { size_fo_formula t } =
    match t with
      | Forall v0 ->
        rename_free_var_propagation_fo_term_fo_formula (Some x) v0 (s0)
          ((olift s1)) ; ()
      | Exists v0 ->
        rename_free_var_propagation_fo_term_fo_formula (Some x) v0 (s0)
          ((olift s1)) ; ()
      | And v0 v1 ->
        rename_free_var_propagation_fo_term_fo_formula x v0 (s0) (s1) ;
          rename_free_var_propagation_fo_term_fo_formula x v1 (s0) (s1) ; ()
      | Or v0 v1 ->
        rename_free_var_propagation_fo_term_fo_formula x v0 (s0) (s1) ;
          rename_free_var_propagation_fo_term_fo_formula x v1 (s0) (s1) ; ()
      | Not v0 ->
        rename_free_var_propagation_fo_term_fo_formula x v0 (s0) (s1) ; ()
      | FTrue -> () | FFalse -> ()
      | PApp v0 v1 ->
        () ; rename_free_var_propagation_fo_term_fo_term_list x v1 (s0)
          (s1) ; ()
    end
  
  let rec ghost subst_free_var_constructive_inversion_symbol_fo_formula
    (x:'c0) (t:fo_formula 'b0 'b1) (s0:'b0 -> (symbol 'c0))
    (s1:'b1 -> (fo_term 'c0 'c1)) : sum ('b0) ('b1)
    requires { is_symbol_free_var_in_fo_formula x (subst_fo_formula t s0 s1)
      }
    ensures { let sumx = result in
      match sumx with | Left sumx ->
        is_symbol_free_var_in_fo_formula sumx t /\
          is_symbol_free_var_in_symbol x (s0 sumx)
        | Right sumx ->
        is_fo_term_free_var_in_fo_formula sumx t /\
          is_symbol_free_var_in_fo_term x (s1 sumx)
      end }
    variant { size_fo_formula t } =
    match t with
      | Forall v0 ->
        if is_symbol_free_var_in_fo_formula x
             (subst_fo_formula v0 (rename_subst_symbol s0 identity)
                (rename_subst_fo_term (olifts_fo_term s1) identity identity))
          then
            let sumx =
              subst_free_var_constructive_inversion_symbol_fo_formula x v0
                (rename_subst_symbol s0 identity)
                (rename_subst_fo_term (olifts_fo_term s1) identity identity)
            in
            match sumx with | Left sumx ->
              let y =
                rename_free_var_constructive_inversion_symbol_symbol x
                  (eval s0 sumx) identity 
                in assert { y = x } ; Left sumx
              | Right sumx ->
              match sumx with | None -> absurd
                | Some sumx ->
                  Right
                    (let y =
                       rename_free_var_constructive_inversion_symbol_fo_term
                         x (eval s1 sumx) identity (compose some identity) 
                    in assert { y = x } ; sumx) end
            end 
          else absurd
      | Exists v0 ->
        if is_symbol_free_var_in_fo_formula x
             (subst_fo_formula v0 (rename_subst_symbol s0 identity)
                (rename_subst_fo_term (olifts_fo_term s1) identity identity))
          then
            let sumx =
              subst_free_var_constructive_inversion_symbol_fo_formula x v0
                (rename_subst_symbol s0 identity)
                (rename_subst_fo_term (olifts_fo_term s1) identity identity)
            in
            match sumx with | Left sumx ->
              let y =
                rename_free_var_constructive_inversion_symbol_symbol x
                  (eval s0 sumx) identity 
                in assert { y = x } ; Left sumx
              | Right sumx ->
              match sumx with | None -> absurd
                | Some sumx ->
                  Right
                    (let y =
                       rename_free_var_constructive_inversion_symbol_fo_term
                         x (eval s1 sumx) identity (compose some identity) 
                    in assert { y = x } ; sumx) end
            end 
          else absurd
      | And v0 v1 ->
        if is_symbol_free_var_in_fo_formula x
             (subst_fo_formula v0 (rename_subst_symbol s0 identity)
                (rename_subst_fo_term s1 identity identity))
          then
            let sumx =
              subst_free_var_constructive_inversion_symbol_fo_formula x v0
                (rename_subst_symbol s0 identity)
                (rename_subst_fo_term s1 identity identity)
            in
            match sumx with | Left sumx ->
              let y =
                rename_free_var_constructive_inversion_symbol_symbol x
                  (eval s0 sumx) identity 
                in assert { y = x } ; Left sumx
              | Right sumx ->
              Right
                (let y =
                   rename_free_var_constructive_inversion_symbol_fo_term x
                     (eval s1 sumx) identity identity 
                in assert { y = x } ; sumx)
            end 
          else
            if is_symbol_free_var_in_fo_formula x
                 (subst_fo_formula v1 (rename_subst_symbol s0 identity)
                    (rename_subst_fo_term s1 identity identity))
              then
                let sumx =
                  subst_free_var_constructive_inversion_symbol_fo_formula x
                    v1 (rename_subst_symbol s0 identity)
                    (rename_subst_fo_term s1 identity identity)
                in
                match sumx with | Left sumx ->
                  let y =
                    rename_free_var_constructive_inversion_symbol_symbol x
                      (eval s0 sumx) identity 
                    in assert { y = x } ; Left sumx
                  | Right sumx ->
                  Right
                    (let y =
                       rename_free_var_constructive_inversion_symbol_fo_term
                         x (eval s1 sumx) identity identity 
                    in assert { y = x } ; sumx)
                end 
              else absurd
      | Or v0 v1 ->
        if is_symbol_free_var_in_fo_formula x
             (subst_fo_formula v0 (rename_subst_symbol s0 identity)
                (rename_subst_fo_term s1 identity identity))
          then
            let sumx =
              subst_free_var_constructive_inversion_symbol_fo_formula x v0
                (rename_subst_symbol s0 identity)
                (rename_subst_fo_term s1 identity identity)
            in
            match sumx with | Left sumx ->
              let y =
                rename_free_var_constructive_inversion_symbol_symbol x
                  (eval s0 sumx) identity 
                in assert { y = x } ; Left sumx
              | Right sumx ->
              Right
                (let y =
                   rename_free_var_constructive_inversion_symbol_fo_term x
                     (eval s1 sumx) identity identity 
                in assert { y = x } ; sumx)
            end 
          else
            if is_symbol_free_var_in_fo_formula x
                 (subst_fo_formula v1 (rename_subst_symbol s0 identity)
                    (rename_subst_fo_term s1 identity identity))
              then
                let sumx =
                  subst_free_var_constructive_inversion_symbol_fo_formula x
                    v1 (rename_subst_symbol s0 identity)
                    (rename_subst_fo_term s1 identity identity)
                in
                match sumx with | Left sumx ->
                  let y =
                    rename_free_var_constructive_inversion_symbol_symbol x
                      (eval s0 sumx) identity 
                    in assert { y = x } ; Left sumx
                  | Right sumx ->
                  Right
                    (let y =
                       rename_free_var_constructive_inversion_symbol_fo_term
                         x (eval s1 sumx) identity identity 
                    in assert { y = x } ; sumx)
                end 
              else absurd
      | Not v0 ->
        if is_symbol_free_var_in_fo_formula x
             (subst_fo_formula v0 (rename_subst_symbol s0 identity)
                (rename_subst_fo_term s1 identity identity))
          then
            let sumx =
              subst_free_var_constructive_inversion_symbol_fo_formula x v0
                (rename_subst_symbol s0 identity)
                (rename_subst_fo_term s1 identity identity)
            in
            match sumx with | Left sumx ->
              let y =
                rename_free_var_constructive_inversion_symbol_symbol x
                  (eval s0 sumx) identity 
                in assert { y = x } ; Left sumx
              | Right sumx ->
              Right
                (let y =
                   rename_free_var_constructive_inversion_symbol_fo_term x
                     (eval s1 sumx) identity identity 
                in assert { y = x } ; sumx)
            end 
          else absurd
      | FTrue -> absurd | FFalse -> absurd
      | PApp v0 v1 ->
        if is_symbol_free_var_in_symbol x
             (subst_symbol v0 (rename_subst_symbol s0 identity))
          then
            let sumx =
              subst_free_var_constructive_inversion_symbol_symbol x v0
                (rename_subst_symbol s0 identity)
            in
            let y =
              rename_free_var_constructive_inversion_symbol_symbol x
                (eval s0 sumx) identity 
            in assert { y = x } ; Left sumx 
          else
            if is_symbol_free_var_in_fo_term_list x
                 (subst_fo_term_list v1 (rename_subst_symbol s0 identity)
                    (rename_subst_fo_term s1 identity identity))
              then
                let sumx =
                  subst_free_var_constructive_inversion_symbol_fo_term_list x
                    v1 (rename_subst_symbol s0 identity)
                    (rename_subst_fo_term s1 identity identity)
                in
                match sumx with | Left sumx ->
                  let y =
                    rename_free_var_constructive_inversion_symbol_symbol x
                      (eval s0 sumx) identity 
                    in assert { y = x } ; Left sumx
                  | Right sumx ->
                  Right
                    (let y =
                       rename_free_var_constructive_inversion_symbol_fo_term
                         x (eval s1 sumx) identity identity 
                    in assert { y = x } ; sumx)
                end 
              else absurd
    end
  
  with lemma subst_free_var_inversion_symbol_fo_formula (x:'c0)
    (t:fo_formula 'b0 'b1) (s0:'b0 -> (symbol 'c0))
    (s1:'b1 -> (fo_term 'c0 'c1)) : unit
    requires { is_symbol_free_var_in_fo_formula x (subst_fo_formula t s0 s1)
      }
    ensures {
      (exists y:'b0. is_symbol_free_var_in_fo_formula y t /\
         is_symbol_free_var_in_symbol x (s0 y))
      \/
      (exists y:'b1. is_fo_term_free_var_in_fo_formula y t /\
         is_symbol_free_var_in_fo_term x (s1 y))
      }
    variant { 1 + size_fo_formula t } =
    let sumx =
      subst_free_var_constructive_inversion_symbol_fo_formula x t s0 s1
    in match sumx with | Left sumx -> () | Right sumx -> () end
  
  with ghost subst_free_var_constructive_inversion_fo_term_fo_formula (x:'c1)
    (t:fo_formula 'b0 'b1) (s0:'b0 -> (symbol 'c0))
    (s1:'b1 -> (fo_term 'c0 'c1)) : 'b1
    requires { is_fo_term_free_var_in_fo_formula x (subst_fo_formula t s0 s1)
      }
    ensures { let sumx = result in is_fo_term_free_var_in_fo_formula sumx t
      /\ is_fo_term_free_var_in_fo_term x (s1 sumx) }
    variant { size_fo_formula t } =
    match t with
      | Forall v0 ->
        if is_fo_term_free_var_in_fo_formula (Some x)
             (subst_fo_formula v0 (rename_subst_symbol s0 identity)
                (rename_subst_fo_term (olifts_fo_term s1) identity identity))
          then
            let sumx =
              subst_free_var_constructive_inversion_fo_term_fo_formula
                (Some x) v0 (rename_subst_symbol s0 identity)
                (rename_subst_fo_term (olifts_fo_term s1) identity identity)
            in
            match sumx with | None -> absurd
              | Some sumx ->
                let y =
                  rename_free_var_constructive_inversion_fo_term_fo_term
                    (Some x) (eval s1 sumx) identity (compose some identity) 
                in assert { y = x } ; sumx end
             else absurd
      | Exists v0 ->
        if is_fo_term_free_var_in_fo_formula (Some x)
             (subst_fo_formula v0 (rename_subst_symbol s0 identity)
                (rename_subst_fo_term (olifts_fo_term s1) identity identity))
          then
            let sumx =
              subst_free_var_constructive_inversion_fo_term_fo_formula
                (Some x) v0 (rename_subst_symbol s0 identity)
                (rename_subst_fo_term (olifts_fo_term s1) identity identity)
            in
            match sumx with | None -> absurd
              | Some sumx ->
                let y =
                  rename_free_var_constructive_inversion_fo_term_fo_term
                    (Some x) (eval s1 sumx) identity (compose some identity) 
                in assert { y = x } ; sumx end
             else absurd
      | And v0 v1 ->
        if is_fo_term_free_var_in_fo_formula x
             (subst_fo_formula v0 (rename_subst_symbol s0 identity)
                (rename_subst_fo_term s1 identity identity))
          then
            let sumx =
              subst_free_var_constructive_inversion_fo_term_fo_formula x v0
                (rename_subst_symbol s0 identity)
                (rename_subst_fo_term s1 identity identity)
            in
            let y =
              rename_free_var_constructive_inversion_fo_term_fo_term x
                (eval s1 sumx) identity identity 
            in assert { y = x } ; sumx 
          else
            if is_fo_term_free_var_in_fo_formula x
                 (subst_fo_formula v1 (rename_subst_symbol s0 identity)
                    (rename_subst_fo_term s1 identity identity))
              then
                let sumx =
                  subst_free_var_constructive_inversion_fo_term_fo_formula x
                    v1 (rename_subst_symbol s0 identity)
                    (rename_subst_fo_term s1 identity identity)
                in
                let y =
                  rename_free_var_constructive_inversion_fo_term_fo_term x
                    (eval s1 sumx) identity identity 
                in assert { y = x } ; sumx 
              else absurd
      | Or v0 v1 ->
        if is_fo_term_free_var_in_fo_formula x
             (subst_fo_formula v0 (rename_subst_symbol s0 identity)
                (rename_subst_fo_term s1 identity identity))
          then
            let sumx =
              subst_free_var_constructive_inversion_fo_term_fo_formula x v0
                (rename_subst_symbol s0 identity)
                (rename_subst_fo_term s1 identity identity)
            in
            let y =
              rename_free_var_constructive_inversion_fo_term_fo_term x
                (eval s1 sumx) identity identity 
            in assert { y = x } ; sumx 
          else
            if is_fo_term_free_var_in_fo_formula x
                 (subst_fo_formula v1 (rename_subst_symbol s0 identity)
                    (rename_subst_fo_term s1 identity identity))
              then
                let sumx =
                  subst_free_var_constructive_inversion_fo_term_fo_formula x
                    v1 (rename_subst_symbol s0 identity)
                    (rename_subst_fo_term s1 identity identity)
                in
                let y =
                  rename_free_var_constructive_inversion_fo_term_fo_term x
                    (eval s1 sumx) identity identity 
                in assert { y = x } ; sumx 
              else absurd
      | Not v0 ->
        if is_fo_term_free_var_in_fo_formula x
             (subst_fo_formula v0 (rename_subst_symbol s0 identity)
                (rename_subst_fo_term s1 identity identity))
          then
            let sumx =
              subst_free_var_constructive_inversion_fo_term_fo_formula x v0
                (rename_subst_symbol s0 identity)
                (rename_subst_fo_term s1 identity identity)
            in
            let y =
              rename_free_var_constructive_inversion_fo_term_fo_term x
                (eval s1 sumx) identity identity 
            in assert { y = x } ; sumx 
          else absurd
      | FTrue -> absurd | FFalse -> absurd
      | PApp v0 v1 ->
        if is_fo_term_free_var_in_fo_term_list x
             (subst_fo_term_list v1 (rename_subst_symbol s0 identity)
                (rename_subst_fo_term s1 identity identity))
          then
            let sumx =
              subst_free_var_constructive_inversion_fo_term_fo_term_list x v1
                (rename_subst_symbol s0 identity)
                (rename_subst_fo_term s1 identity identity)
            in
            let y =
              rename_free_var_constructive_inversion_fo_term_fo_term x
                (eval s1 sumx) identity identity 
            in assert { y = x } ; sumx 
          else absurd
    end
  
  with lemma subst_free_var_inversion_fo_term_fo_formula (x:'c1)
    (t:fo_formula 'b0 'b1) (s0:'b0 -> (symbol 'c0))
    (s1:'b1 -> (fo_term 'c0 'c1)) : unit
    requires { is_fo_term_free_var_in_fo_formula x (subst_fo_formula t s0 s1)
      }
    ensures {
      (exists y:'b1. is_fo_term_free_var_in_fo_formula y t /\
         is_fo_term_free_var_in_fo_term x (s1 y))
      }
    variant { 1 + size_fo_formula t } =
    let sumx =
      subst_free_var_constructive_inversion_fo_term_fo_formula x t s0 s1
    in ()
  
  let rec lemma subst_free_var_propagation_symbol_symbol_fo_formula (x:'b0)
    (y:'c0) (t:fo_formula 'b0 'b1) (s0:'b0 -> (symbol 'c0))
    (s1:'b1 -> (fo_term 'c0 'c1)):  unit
    ensures {
      is_symbol_free_var_in_fo_formula x t /\
        is_symbol_free_var_in_symbol y (s0 x) ->
      is_symbol_free_var_in_fo_formula y (subst_fo_formula t s0 s1) }
    variant { size_fo_formula t } =
    match t with
      | Forall v0 ->
        subst_free_var_propagation_symbol_symbol_fo_formula x y v0
          ((rename_subst_symbol s0 identity))
          ((rename_subst_fo_term (olifts_fo_term s1) identity identity)) ;
          rename_free_var_propagation_symbol_symbol y (eval s0 x) identity ;
          assert { is_symbol_free_var_in_symbol y (s0 x) ->
            is_symbol_free_var_in_symbol y
              (eval ((rename_subst_symbol s0 identity)) x)
            } ;
          ()
      | Exists v0 ->
        subst_free_var_propagation_symbol_symbol_fo_formula x y v0
          ((rename_subst_symbol s0 identity))
          ((rename_subst_fo_term (olifts_fo_term s1) identity identity)) ;
          rename_free_var_propagation_symbol_symbol y (eval s0 x) identity ;
          assert { is_symbol_free_var_in_symbol y (s0 x) ->
            is_symbol_free_var_in_symbol y
              (eval ((rename_subst_symbol s0 identity)) x)
            } ;
          ()
      | And v0 v1 ->
        subst_free_var_propagation_symbol_symbol_fo_formula x y v0
          ((rename_subst_symbol s0 identity))
          ((rename_subst_fo_term s1 identity identity)) ;
          rename_free_var_propagation_symbol_symbol y (eval s0 x) identity ;
          assert { is_symbol_free_var_in_symbol y (s0 x) ->
            is_symbol_free_var_in_symbol y
              (eval ((rename_subst_symbol s0 identity)) x)
            } ;
          subst_free_var_propagation_symbol_symbol_fo_formula x y v1
            ((rename_subst_symbol s0 identity))
            ((rename_subst_fo_term s1 identity identity)) ;
          rename_free_var_propagation_symbol_symbol y (eval s0 x) identity ;
          assert { is_symbol_free_var_in_symbol y (s0 x) ->
            is_symbol_free_var_in_symbol y
              (eval ((rename_subst_symbol s0 identity)) x)
            } ;
          ()
      | Or v0 v1 ->
        subst_free_var_propagation_symbol_symbol_fo_formula x y v0
          ((rename_subst_symbol s0 identity))
          ((rename_subst_fo_term s1 identity identity)) ;
          rename_free_var_propagation_symbol_symbol y (eval s0 x) identity ;
          assert { is_symbol_free_var_in_symbol y (s0 x) ->
            is_symbol_free_var_in_symbol y
              (eval ((rename_subst_symbol s0 identity)) x)
            } ;
          subst_free_var_propagation_symbol_symbol_fo_formula x y v1
            ((rename_subst_symbol s0 identity))
            ((rename_subst_fo_term s1 identity identity)) ;
          rename_free_var_propagation_symbol_symbol y (eval s0 x) identity ;
          assert { is_symbol_free_var_in_symbol y (s0 x) ->
            is_symbol_free_var_in_symbol y
              (eval ((rename_subst_symbol s0 identity)) x)
            } ;
          ()
      | Not v0 ->
        subst_free_var_propagation_symbol_symbol_fo_formula x y v0
          ((rename_subst_symbol s0 identity))
          ((rename_subst_fo_term s1 identity identity)) ;
          rename_free_var_propagation_symbol_symbol y (eval s0 x) identity ;
          assert { is_symbol_free_var_in_symbol y (s0 x) ->
            is_symbol_free_var_in_symbol y
              (eval ((rename_subst_symbol s0 identity)) x)
            } ;
          ()
      | FTrue -> () | FFalse -> ()
      | PApp v0 v1 ->
        subst_free_var_propagation_symbol_symbol_symbol x y v0
          ((rename_subst_symbol s0 identity)) ;
          rename_free_var_propagation_symbol_symbol y (eval s0 x) identity ;
          assert { is_symbol_free_var_in_symbol y (s0 x) ->
            is_symbol_free_var_in_symbol y
              (eval ((rename_subst_symbol s0 identity)) x)
            } ;
          subst_free_var_propagation_symbol_symbol_fo_term_list x y v1
            ((rename_subst_symbol s0 identity))
            ((rename_subst_fo_term s1 identity identity)) ;
          rename_free_var_propagation_symbol_symbol y (eval s0 x) identity ;
          assert { is_symbol_free_var_in_symbol y (s0 x) ->
            is_symbol_free_var_in_symbol y
              (eval ((rename_subst_symbol s0 identity)) x)
            } ;
          ()
    end
  
  with lemma subst_free_var_propagation_fo_term_symbol_fo_formula (x:'b1)
    (y:'c0) (t:fo_formula 'b0 'b1) (s0:'b0 -> (symbol 'c0))
    (s1:'b1 -> (fo_term 'c0 'c1)):  unit
    ensures {
      is_fo_term_free_var_in_fo_formula x t /\
        is_symbol_free_var_in_fo_term y (s1 x) ->
      is_symbol_free_var_in_fo_formula y (subst_fo_formula t s0 s1) }
    variant { size_fo_formula t } =
    match t with
      | Forall v0 ->
        subst_free_var_propagation_fo_term_symbol_fo_formula (Some x) y v0
          ((rename_subst_symbol s0 identity))
          ((rename_subst_fo_term (olifts_fo_term s1) identity identity)) ;
          rename_free_var_propagation_symbol_fo_term y (eval s1 x) identity
            (compose some identity) ;
          assert { is_symbol_free_var_in_fo_term y (s1 x) ->
            is_symbol_free_var_in_fo_term y
              (eval
                 ((rename_subst_fo_term (olifts_fo_term s1) identity
                    identity))
                 (Some x))
            } ;
          ()
      | Exists v0 ->
        subst_free_var_propagation_fo_term_symbol_fo_formula (Some x) y v0
          ((rename_subst_symbol s0 identity))
          ((rename_subst_fo_term (olifts_fo_term s1) identity identity)) ;
          rename_free_var_propagation_symbol_fo_term y (eval s1 x) identity
            (compose some identity) ;
          assert { is_symbol_free_var_in_fo_term y (s1 x) ->
            is_symbol_free_var_in_fo_term y
              (eval
                 ((rename_subst_fo_term (olifts_fo_term s1) identity
                    identity))
                 (Some x))
            } ;
          ()
      | And v0 v1 ->
        subst_free_var_propagation_fo_term_symbol_fo_formula x y v0
          ((rename_subst_symbol s0 identity))
          ((rename_subst_fo_term s1 identity identity)) ;
          rename_free_var_propagation_symbol_fo_term y (eval s1 x) identity
            identity ;
          assert { is_symbol_free_var_in_fo_term y (s1 x) ->
            is_symbol_free_var_in_fo_term y
              (eval ((rename_subst_fo_term s1 identity identity)) x)
            } ;
          subst_free_var_propagation_fo_term_symbol_fo_formula x y v1
            ((rename_subst_symbol s0 identity))
            ((rename_subst_fo_term s1 identity identity)) ;
          rename_free_var_propagation_symbol_fo_term y (eval s1 x) identity
            identity ;
          assert { is_symbol_free_var_in_fo_term y (s1 x) ->
            is_symbol_free_var_in_fo_term y
              (eval ((rename_subst_fo_term s1 identity identity)) x)
            } ;
          ()
      | Or v0 v1 ->
        subst_free_var_propagation_fo_term_symbol_fo_formula x y v0
          ((rename_subst_symbol s0 identity))
          ((rename_subst_fo_term s1 identity identity)) ;
          rename_free_var_propagation_symbol_fo_term y (eval s1 x) identity
            identity ;
          assert { is_symbol_free_var_in_fo_term y (s1 x) ->
            is_symbol_free_var_in_fo_term y
              (eval ((rename_subst_fo_term s1 identity identity)) x)
            } ;
          subst_free_var_propagation_fo_term_symbol_fo_formula x y v1
            ((rename_subst_symbol s0 identity))
            ((rename_subst_fo_term s1 identity identity)) ;
          rename_free_var_propagation_symbol_fo_term y (eval s1 x) identity
            identity ;
          assert { is_symbol_free_var_in_fo_term y (s1 x) ->
            is_symbol_free_var_in_fo_term y
              (eval ((rename_subst_fo_term s1 identity identity)) x)
            } ;
          ()
      | Not v0 ->
        subst_free_var_propagation_fo_term_symbol_fo_formula x y v0
          ((rename_subst_symbol s0 identity))
          ((rename_subst_fo_term s1 identity identity)) ;
          rename_free_var_propagation_symbol_fo_term y (eval s1 x) identity
            identity ;
          assert { is_symbol_free_var_in_fo_term y (s1 x) ->
            is_symbol_free_var_in_fo_term y
              (eval ((rename_subst_fo_term s1 identity identity)) x)
            } ;
          ()
      | FTrue -> () | FFalse -> ()
      | PApp v0 v1 ->
        () ;
          subst_free_var_propagation_fo_term_symbol_fo_term_list x y v1
            ((rename_subst_symbol s0 identity))
            ((rename_subst_fo_term s1 identity identity)) ;
          rename_free_var_propagation_symbol_fo_term y (eval s1 x) identity
            identity ;
          assert { is_symbol_free_var_in_fo_term y (s1 x) ->
            is_symbol_free_var_in_fo_term y
              (eval ((rename_subst_fo_term s1 identity identity)) x)
            } ;
          ()
    end
  
  with lemma subst_free_var_propagation_fo_term_fo_term_fo_formula (x:'b1)
    (y:'c1) (t:fo_formula 'b0 'b1) (s0:'b0 -> (symbol 'c0))
    (s1:'b1 -> (fo_term 'c0 'c1)):  unit
    ensures {
      is_fo_term_free_var_in_fo_formula x t /\
        is_fo_term_free_var_in_fo_term y (s1 x) ->
      is_fo_term_free_var_in_fo_formula y (subst_fo_formula t s0 s1) }
    variant { size_fo_formula t } =
    match t with
      | Forall v0 ->
        subst_free_var_propagation_fo_term_fo_term_fo_formula (Some x)
          (Some y) v0 ((rename_subst_symbol s0 identity))
          ((rename_subst_fo_term (olifts_fo_term s1) identity identity)) ;
          rename_free_var_propagation_fo_term_fo_term y (eval s1 x) identity
            (compose some identity) ;
          assert { is_fo_term_free_var_in_fo_term y (s1 x) ->
            is_fo_term_free_var_in_fo_term (Some y)
              (eval
                 ((rename_subst_fo_term (olifts_fo_term s1) identity
                    identity))
                 (Some x))
            } ;
          ()
      | Exists v0 ->
        subst_free_var_propagation_fo_term_fo_term_fo_formula (Some x)
          (Some y) v0 ((rename_subst_symbol s0 identity))
          ((rename_subst_fo_term (olifts_fo_term s1) identity identity)) ;
          rename_free_var_propagation_fo_term_fo_term y (eval s1 x) identity
            (compose some identity) ;
          assert { is_fo_term_free_var_in_fo_term y (s1 x) ->
            is_fo_term_free_var_in_fo_term (Some y)
              (eval
                 ((rename_subst_fo_term (olifts_fo_term s1) identity
                    identity))
                 (Some x))
            } ;
          ()
      | And v0 v1 ->
        subst_free_var_propagation_fo_term_fo_term_fo_formula x y v0
          ((rename_subst_symbol s0 identity))
          ((rename_subst_fo_term s1 identity identity)) ;
          rename_free_var_propagation_fo_term_fo_term y (eval s1 x) identity
            identity ;
          assert { is_fo_term_free_var_in_fo_term y (s1 x) ->
            is_fo_term_free_var_in_fo_term y
              (eval ((rename_subst_fo_term s1 identity identity)) x)
            } ;
          subst_free_var_propagation_fo_term_fo_term_fo_formula x y v1
            ((rename_subst_symbol s0 identity))
            ((rename_subst_fo_term s1 identity identity)) ;
          rename_free_var_propagation_fo_term_fo_term y (eval s1 x) identity
            identity ;
          assert { is_fo_term_free_var_in_fo_term y (s1 x) ->
            is_fo_term_free_var_in_fo_term y
              (eval ((rename_subst_fo_term s1 identity identity)) x)
            } ;
          ()
      | Or v0 v1 ->
        subst_free_var_propagation_fo_term_fo_term_fo_formula x y v0
          ((rename_subst_symbol s0 identity))
          ((rename_subst_fo_term s1 identity identity)) ;
          rename_free_var_propagation_fo_term_fo_term y (eval s1 x) identity
            identity ;
          assert { is_fo_term_free_var_in_fo_term y (s1 x) ->
            is_fo_term_free_var_in_fo_term y
              (eval ((rename_subst_fo_term s1 identity identity)) x)
            } ;
          subst_free_var_propagation_fo_term_fo_term_fo_formula x y v1
            ((rename_subst_symbol s0 identity))
            ((rename_subst_fo_term s1 identity identity)) ;
          rename_free_var_propagation_fo_term_fo_term y (eval s1 x) identity
            identity ;
          assert { is_fo_term_free_var_in_fo_term y (s1 x) ->
            is_fo_term_free_var_in_fo_term y
              (eval ((rename_subst_fo_term s1 identity identity)) x)
            } ;
          ()
      | Not v0 ->
        subst_free_var_propagation_fo_term_fo_term_fo_formula x y v0
          ((rename_subst_symbol s0 identity))
          ((rename_subst_fo_term s1 identity identity)) ;
          rename_free_var_propagation_fo_term_fo_term y (eval s1 x) identity
            identity ;
          assert { is_fo_term_free_var_in_fo_term y (s1 x) ->
            is_fo_term_free_var_in_fo_term y
              (eval ((rename_subst_fo_term s1 identity identity)) x)
            } ;
          ()
      | FTrue -> () | FFalse -> ()
      | PApp v0 v1 ->
        () ;
          subst_free_var_propagation_fo_term_fo_term_fo_term_list x y v1
            ((rename_subst_symbol s0 identity))
            ((rename_subst_fo_term s1 identity identity)) ;
          rename_free_var_propagation_fo_term_fo_term y (eval s1 x) identity
            identity ;
          assert { is_fo_term_free_var_in_fo_term y (s1 x) ->
            is_fo_term_free_var_in_fo_term y
              (eval ((rename_subst_fo_term s1 identity identity)) x)
            } ;
          ()
    end
  
  let rec lemma free_var_equivalence_of_subst_fo_formula
    (t:fo_formula 'b0 'b1) (s10:'b0 -> (symbol 'c0))
    (s20:'b0 -> (symbol 'c0)) (s11:'b1 -> (fo_term 'c0 'c1))
    (s21:'b1 -> (fo_term 'c0 'c1)) : unit
    requires {
      forall x:'b0. is_symbol_free_var_in_fo_formula x t -> s10 x = s20 x }
    requires {
      forall x:'b1. is_fo_term_free_var_in_fo_formula x t -> s11 x = s21 x }
    ensures { subst_fo_formula t s10 s11 = subst_fo_formula t s20 s21 }
    variant { size_fo_formula t } =
    match t with
      | Forall v0 ->
        assert {
          forall x:'b0. is_symbol_free_var_in_fo_formula x v0 ->
            is_symbol_free_var_in_fo_formula x t
          } ;
          assert {
            forall x:(option 'b1). is_fo_term_free_var_in_fo_formula x v0 ->
              match x with | None -> true
                | Some x -> is_fo_term_free_var_in_fo_formula x t
              end
            } ;
          free_var_equivalence_of_subst_fo_formula v0
            ((rename_subst_symbol s10 identity))
            ((rename_subst_symbol s20 identity))
            ((rename_subst_fo_term (olifts_fo_term s11) identity identity))
            ((rename_subst_fo_term (olifts_fo_term s21) identity identity)) ;
          ()
      | Exists v0 ->
        assert {
          forall x:'b0. is_symbol_free_var_in_fo_formula x v0 ->
            is_symbol_free_var_in_fo_formula x t
          } ;
          assert {
            forall x:(option 'b1). is_fo_term_free_var_in_fo_formula x v0 ->
              match x with | None -> true
                | Some x -> is_fo_term_free_var_in_fo_formula x t
              end
            } ;
          free_var_equivalence_of_subst_fo_formula v0
            ((rename_subst_symbol s10 identity))
            ((rename_subst_symbol s20 identity))
            ((rename_subst_fo_term (olifts_fo_term s11) identity identity))
            ((rename_subst_fo_term (olifts_fo_term s21) identity identity)) ;
          ()
      | And v0 v1 ->
        assert {
          forall x:'b0. is_symbol_free_var_in_fo_formula x v0 ->
            is_symbol_free_var_in_fo_formula x t
          } ;
          assert {
            forall x:'b1. is_fo_term_free_var_in_fo_formula x v0 ->
              is_fo_term_free_var_in_fo_formula x t
            } ;
          free_var_equivalence_of_subst_fo_formula v0
            ((rename_subst_symbol s10 identity))
            ((rename_subst_symbol s20 identity))
            ((rename_subst_fo_term s11 identity identity))
            ((rename_subst_fo_term s21 identity identity)) ;
          assert {
            forall x:'b0. is_symbol_free_var_in_fo_formula x v1 ->
              is_symbol_free_var_in_fo_formula x t
            } ;
          assert {
            forall x:'b1. is_fo_term_free_var_in_fo_formula x v1 ->
              is_fo_term_free_var_in_fo_formula x t
            } ;
          free_var_equivalence_of_subst_fo_formula v1
            ((rename_subst_symbol s10 identity))
            ((rename_subst_symbol s20 identity))
            ((rename_subst_fo_term s11 identity identity))
            ((rename_subst_fo_term s21 identity identity)) ;
          ()
      | Or v0 v1 ->
        assert {
          forall x:'b0. is_symbol_free_var_in_fo_formula x v0 ->
            is_symbol_free_var_in_fo_formula x t
          } ;
          assert {
            forall x:'b1. is_fo_term_free_var_in_fo_formula x v0 ->
              is_fo_term_free_var_in_fo_formula x t
            } ;
          free_var_equivalence_of_subst_fo_formula v0
            ((rename_subst_symbol s10 identity))
            ((rename_subst_symbol s20 identity))
            ((rename_subst_fo_term s11 identity identity))
            ((rename_subst_fo_term s21 identity identity)) ;
          assert {
            forall x:'b0. is_symbol_free_var_in_fo_formula x v1 ->
              is_symbol_free_var_in_fo_formula x t
            } ;
          assert {
            forall x:'b1. is_fo_term_free_var_in_fo_formula x v1 ->
              is_fo_term_free_var_in_fo_formula x t
            } ;
          free_var_equivalence_of_subst_fo_formula v1
            ((rename_subst_symbol s10 identity))
            ((rename_subst_symbol s20 identity))
            ((rename_subst_fo_term s11 identity identity))
            ((rename_subst_fo_term s21 identity identity)) ;
          ()
      | Not v0 ->
        assert {
          forall x:'b0. is_symbol_free_var_in_fo_formula x v0 ->
            is_symbol_free_var_in_fo_formula x t
          } ;
          assert {
            forall x:'b1. is_fo_term_free_var_in_fo_formula x v0 ->
              is_fo_term_free_var_in_fo_formula x t
            } ;
          free_var_equivalence_of_subst_fo_formula v0
            ((rename_subst_symbol s10 identity))
            ((rename_subst_symbol s20 identity))
            ((rename_subst_fo_term s11 identity identity))
            ((rename_subst_fo_term s21 identity identity)) ;
          ()
      | FTrue -> () | FFalse -> ()
      | PApp v0 v1 ->
        assert {
          forall x:'b0. is_symbol_free_var_in_symbol x v0 ->
            is_symbol_free_var_in_fo_formula x t
          } ;
          free_var_equivalence_of_subst_symbol v0
            ((rename_subst_symbol s10 identity))
            ((rename_subst_symbol s20 identity)) ;
          assert {
            forall x:'b0. is_symbol_free_var_in_fo_term_list x v1 ->
              is_symbol_free_var_in_fo_formula x t
            } ;
          assert {
            forall x:'b1. is_fo_term_free_var_in_fo_term_list x v1 ->
              is_fo_term_free_var_in_fo_formula x t
            } ;
          free_var_equivalence_of_subst_fo_term_list v1
            ((rename_subst_symbol s10 identity))
            ((rename_subst_symbol s20 identity))
            ((rename_subst_fo_term s11 identity identity))
            ((rename_subst_fo_term s21 identity identity)) ;
          ()
    end
  
  let lemma free_var_equivalence_of_rename_fo_formula (t:fo_formula 'b0 'b1)
    (s10:'b0 -> 'c0) (s20:'b0 -> 'c0) (s11:'b1 -> 'c1) (s21:'b1 -> 'c1) :
    unit
    requires {
      forall x:'b0. is_symbol_free_var_in_fo_formula x t -> s10 x = s20 x }
    requires {
      forall x:'b1. is_fo_term_free_var_in_fo_formula x t -> s11 x = s21 x }
    ensures { rename_fo_formula t s10 s11 = rename_fo_formula t s20 s21 } =
    free_var_equivalence_of_subst_fo_formula t (subst_of_rename_symbol s10)
      (subst_of_rename_symbol s20) (subst_of_rename_fo_term s11)
      (subst_of_rename_fo_term s21)
  
  let rec lemma free_var_derive_equivalence_of_subst_fo_formula
    (t:fo_formula 'b0 'b1) (s10:'b0 -> (symbol 'c0))
    (s20:'b0 -> (symbol 'c0)) (s11:'b1 -> (fo_term 'c0 'c1))
    (s21:'b1 -> (fo_term 'c0 'c1)) : unit
    ensures {
      forall x:'b0. is_symbol_free_var_in_fo_formula x t -> s10 x = s20 x }
    ensures {
      forall x:'b1. is_fo_term_free_var_in_fo_formula x t -> s11 x = s21 x }
    requires { subst_fo_formula t s10 s11 = subst_fo_formula t s20 s21 }
    variant { size_fo_formula t } =
    match t with
      | Forall v0 ->
        free_var_derive_equivalence_of_subst_fo_formula v0
          ((rename_subst_symbol s10 identity))
          ((rename_subst_symbol s20 identity))
          ((rename_subst_fo_term (olifts_fo_term s11) identity identity))
          ((rename_subst_fo_term (olifts_fo_term s21) identity identity));
          assert {
            (forall x:'b0, y0:'c0. is_symbol_free_var_in_fo_formula x v0 ->
               rename_symbol (s10 x) identity =
               eval ((rename_subst_symbol s10 identity)) x =
               eval ((rename_subst_symbol s20 identity)) x =
               rename_symbol (s20 x) identity && s10 x =
               rename_symbol (rename_symbol (s10 x) identity) identity =
               rename_symbol (rename_symbol (s20 x) identity) identity =
               s20 x && s10 x = s20 x)
            &&
            forall x:'b0. is_symbol_free_var_in_fo_formula x v0 -> s10 x =
              s20 x
            };
          assert {
            (forall x:'b1, y0:'c0, y1:'c1.
               is_fo_term_free_var_in_fo_formula (Some x) v0 ->
               rename_fo_term (s11 x) identity (compose some identity) =
               eval ((rename_subst_fo_term (olifts_fo_term s11) identity
                       identity)) (Some x)
               =
               eval ((rename_subst_fo_term (olifts_fo_term s21) identity
                       identity)) (Some x)
               = rename_fo_term (s21 x) identity (compose some identity) &&
               s11 x =
               rename_fo_term
                 (rename_fo_term (s11 x) identity (compose some identity))
                 identity (ocase identity y1)
               =
               rename_fo_term
                 (rename_fo_term (s21 x) identity (compose some identity))
                 identity (ocase identity y1)
               = s21 x && s11 x = s21 x)
            &&
            forall x:'b1. is_fo_term_free_var_in_fo_formula (Some x) v0 ->
              s11 x = s21 x
            } ;
          ()
      | Exists v0 ->
        free_var_derive_equivalence_of_subst_fo_formula v0
          ((rename_subst_symbol s10 identity))
          ((rename_subst_symbol s20 identity))
          ((rename_subst_fo_term (olifts_fo_term s11) identity identity))
          ((rename_subst_fo_term (olifts_fo_term s21) identity identity));
          assert {
            (forall x:'b0, y0:'c0. is_symbol_free_var_in_fo_formula x v0 ->
               rename_symbol (s10 x) identity =
               eval ((rename_subst_symbol s10 identity)) x =
               eval ((rename_subst_symbol s20 identity)) x =
               rename_symbol (s20 x) identity && s10 x =
               rename_symbol (rename_symbol (s10 x) identity) identity =
               rename_symbol (rename_symbol (s20 x) identity) identity =
               s20 x && s10 x = s20 x)
            &&
            forall x:'b0. is_symbol_free_var_in_fo_formula x v0 -> s10 x =
              s20 x
            };
          assert {
            (forall x:'b1, y0:'c0, y1:'c1.
               is_fo_term_free_var_in_fo_formula (Some x) v0 ->
               rename_fo_term (s11 x) identity (compose some identity) =
               eval ((rename_subst_fo_term (olifts_fo_term s11) identity
                       identity)) (Some x)
               =
               eval ((rename_subst_fo_term (olifts_fo_term s21) identity
                       identity)) (Some x)
               = rename_fo_term (s21 x) identity (compose some identity) &&
               s11 x =
               rename_fo_term
                 (rename_fo_term (s11 x) identity (compose some identity))
                 identity (ocase identity y1)
               =
               rename_fo_term
                 (rename_fo_term (s21 x) identity (compose some identity))
                 identity (ocase identity y1)
               = s21 x && s11 x = s21 x)
            &&
            forall x:'b1. is_fo_term_free_var_in_fo_formula (Some x) v0 ->
              s11 x = s21 x
            } ;
          ()
      | And v0 v1 ->
        free_var_derive_equivalence_of_subst_fo_formula v0
          ((rename_subst_symbol s10 identity))
          ((rename_subst_symbol s20 identity))
          ((rename_subst_fo_term s11 identity identity))
          ((rename_subst_fo_term s21 identity identity));
          assert {
            (forall x:'b0, y0:'c0. is_symbol_free_var_in_fo_formula x v0 ->
               rename_symbol (s10 x) identity =
               eval ((rename_subst_symbol s10 identity)) x =
               eval ((rename_subst_symbol s20 identity)) x =
               rename_symbol (s20 x) identity && s10 x =
               rename_symbol (rename_symbol (s10 x) identity) identity =
               rename_symbol (rename_symbol (s20 x) identity) identity =
               s20 x && s10 x = s20 x)
            &&
            forall x:'b0. is_symbol_free_var_in_fo_formula x v0 -> s10 x =
              s20 x
            };
          assert {
            (forall x:'b1, y0:'c0, y1:'c1.
               is_fo_term_free_var_in_fo_formula x v0 ->
               rename_fo_term (s11 x) identity identity =
               eval ((rename_subst_fo_term s11 identity identity)) x =
               eval ((rename_subst_fo_term s21 identity identity)) x =
               rename_fo_term (s21 x) identity identity && s11 x =
               rename_fo_term (rename_fo_term (s11 x) identity identity)
                 identity identity
               =
               rename_fo_term (rename_fo_term (s21 x) identity identity)
                 identity identity
               = s21 x && s11 x = s21 x)
            &&
            forall x:'b1. is_fo_term_free_var_in_fo_formula x v0 -> s11 x =
              s21 x
            } ;
          free_var_derive_equivalence_of_subst_fo_formula v1
            ((rename_subst_symbol s10 identity))
            ((rename_subst_symbol s20 identity))
            ((rename_subst_fo_term s11 identity identity))
            ((rename_subst_fo_term s21 identity identity));
          assert {
            (forall x:'b0, y0:'c0. is_symbol_free_var_in_fo_formula x v1 ->
               rename_symbol (s10 x) identity =
               eval ((rename_subst_symbol s10 identity)) x =
               eval ((rename_subst_symbol s20 identity)) x =
               rename_symbol (s20 x) identity && s10 x =
               rename_symbol (rename_symbol (s10 x) identity) identity =
               rename_symbol (rename_symbol (s20 x) identity) identity =
               s20 x && s10 x = s20 x)
            &&
            forall x:'b0. is_symbol_free_var_in_fo_formula x v1 -> s10 x =
              s20 x
            };
          assert {
            (forall x:'b1, y0:'c0, y1:'c1.
               is_fo_term_free_var_in_fo_formula x v1 ->
               rename_fo_term (s11 x) identity identity =
               eval ((rename_subst_fo_term s11 identity identity)) x =
               eval ((rename_subst_fo_term s21 identity identity)) x =
               rename_fo_term (s21 x) identity identity && s11 x =
               rename_fo_term (rename_fo_term (s11 x) identity identity)
                 identity identity
               =
               rename_fo_term (rename_fo_term (s21 x) identity identity)
                 identity identity
               = s21 x && s11 x = s21 x)
            &&
            forall x:'b1. is_fo_term_free_var_in_fo_formula x v1 -> s11 x =
              s21 x
            } ;
          ()
      | Or v0 v1 ->
        free_var_derive_equivalence_of_subst_fo_formula v0
          ((rename_subst_symbol s10 identity))
          ((rename_subst_symbol s20 identity))
          ((rename_subst_fo_term s11 identity identity))
          ((rename_subst_fo_term s21 identity identity));
          assert {
            (forall x:'b0, y0:'c0. is_symbol_free_var_in_fo_formula x v0 ->
               rename_symbol (s10 x) identity =
               eval ((rename_subst_symbol s10 identity)) x =
               eval ((rename_subst_symbol s20 identity)) x =
               rename_symbol (s20 x) identity && s10 x =
               rename_symbol (rename_symbol (s10 x) identity) identity =
               rename_symbol (rename_symbol (s20 x) identity) identity =
               s20 x && s10 x = s20 x)
            &&
            forall x:'b0. is_symbol_free_var_in_fo_formula x v0 -> s10 x =
              s20 x
            };
          assert {
            (forall x:'b1, y0:'c0, y1:'c1.
               is_fo_term_free_var_in_fo_formula x v0 ->
               rename_fo_term (s11 x) identity identity =
               eval ((rename_subst_fo_term s11 identity identity)) x =
               eval ((rename_subst_fo_term s21 identity identity)) x =
               rename_fo_term (s21 x) identity identity && s11 x =
               rename_fo_term (rename_fo_term (s11 x) identity identity)
                 identity identity
               =
               rename_fo_term (rename_fo_term (s21 x) identity identity)
                 identity identity
               = s21 x && s11 x = s21 x)
            &&
            forall x:'b1. is_fo_term_free_var_in_fo_formula x v0 -> s11 x =
              s21 x
            } ;
          free_var_derive_equivalence_of_subst_fo_formula v1
            ((rename_subst_symbol s10 identity))
            ((rename_subst_symbol s20 identity))
            ((rename_subst_fo_term s11 identity identity))
            ((rename_subst_fo_term s21 identity identity));
          assert {
            (forall x:'b0, y0:'c0. is_symbol_free_var_in_fo_formula x v1 ->
               rename_symbol (s10 x) identity =
               eval ((rename_subst_symbol s10 identity)) x =
               eval ((rename_subst_symbol s20 identity)) x =
               rename_symbol (s20 x) identity && s10 x =
               rename_symbol (rename_symbol (s10 x) identity) identity =
               rename_symbol (rename_symbol (s20 x) identity) identity =
               s20 x && s10 x = s20 x)
            &&
            forall x:'b0. is_symbol_free_var_in_fo_formula x v1 -> s10 x =
              s20 x
            };
          assert {
            (forall x:'b1, y0:'c0, y1:'c1.
               is_fo_term_free_var_in_fo_formula x v1 ->
               rename_fo_term (s11 x) identity identity =
               eval ((rename_subst_fo_term s11 identity identity)) x =
               eval ((rename_subst_fo_term s21 identity identity)) x =
               rename_fo_term (s21 x) identity identity && s11 x =
               rename_fo_term (rename_fo_term (s11 x) identity identity)
                 identity identity
               =
               rename_fo_term (rename_fo_term (s21 x) identity identity)
                 identity identity
               = s21 x && s11 x = s21 x)
            &&
            forall x:'b1. is_fo_term_free_var_in_fo_formula x v1 -> s11 x =
              s21 x
            } ;
          ()
      | Not v0 ->
        free_var_derive_equivalence_of_subst_fo_formula v0
          ((rename_subst_symbol s10 identity))
          ((rename_subst_symbol s20 identity))
          ((rename_subst_fo_term s11 identity identity))
          ((rename_subst_fo_term s21 identity identity));
          assert {
            (forall x:'b0, y0:'c0. is_symbol_free_var_in_fo_formula x v0 ->
               rename_symbol (s10 x) identity =
               eval ((rename_subst_symbol s10 identity)) x =
               eval ((rename_subst_symbol s20 identity)) x =
               rename_symbol (s20 x) identity && s10 x =
               rename_symbol (rename_symbol (s10 x) identity) identity =
               rename_symbol (rename_symbol (s20 x) identity) identity =
               s20 x && s10 x = s20 x)
            &&
            forall x:'b0. is_symbol_free_var_in_fo_formula x v0 -> s10 x =
              s20 x
            };
          assert {
            (forall x:'b1, y0:'c0, y1:'c1.
               is_fo_term_free_var_in_fo_formula x v0 ->
               rename_fo_term (s11 x) identity identity =
               eval ((rename_subst_fo_term s11 identity identity)) x =
               eval ((rename_subst_fo_term s21 identity identity)) x =
               rename_fo_term (s21 x) identity identity && s11 x =
               rename_fo_term (rename_fo_term (s11 x) identity identity)
                 identity identity
               =
               rename_fo_term (rename_fo_term (s21 x) identity identity)
                 identity identity
               = s21 x && s11 x = s21 x)
            &&
            forall x:'b1. is_fo_term_free_var_in_fo_formula x v0 -> s11 x =
              s21 x
            } ;
          ()
      | FTrue -> () | FFalse -> ()
      | PApp v0 v1 ->
        free_var_derive_equivalence_of_subst_symbol v0
          ((rename_subst_symbol s10 identity))
          ((rename_subst_symbol s20 identity));
          assert {
            (forall x:'b0, y0:'c0. is_symbol_free_var_in_symbol x v0 ->
               rename_symbol (s10 x) identity =
               eval ((rename_subst_symbol s10 identity)) x =
               eval ((rename_subst_symbol s20 identity)) x =
               rename_symbol (s20 x) identity && s10 x =
               rename_symbol (rename_symbol (s10 x) identity) identity =
               rename_symbol (rename_symbol (s20 x) identity) identity =
               s20 x && s10 x = s20 x)
            &&
            forall x:'b0. is_symbol_free_var_in_symbol x v0 -> s10 x = s20 x
            } ;
          free_var_derive_equivalence_of_subst_fo_term_list v1
            ((rename_subst_symbol s10 identity))
            ((rename_subst_symbol s20 identity))
            ((rename_subst_fo_term s11 identity identity))
            ((rename_subst_fo_term s21 identity identity));
          assert {
            (forall x:'b0, y0:'c0. is_symbol_free_var_in_fo_term_list x v1 ->
               rename_symbol (s10 x) identity =
               eval ((rename_subst_symbol s10 identity)) x =
               eval ((rename_subst_symbol s20 identity)) x =
               rename_symbol (s20 x) identity && s10 x =
               rename_symbol (rename_symbol (s10 x) identity) identity =
               rename_symbol (rename_symbol (s20 x) identity) identity =
               s20 x && s10 x = s20 x)
            &&
            forall x:'b0. is_symbol_free_var_in_fo_term_list x v1 -> s10 x =
              s20 x
            };
          assert {
            (forall x:'b1, y0:'c0, y1:'c1.
               is_fo_term_free_var_in_fo_term_list x v1 ->
               rename_fo_term (s11 x) identity identity =
               eval ((rename_subst_fo_term s11 identity identity)) x =
               eval ((rename_subst_fo_term s21 identity identity)) x =
               rename_fo_term (s21 x) identity identity && s11 x =
               rename_fo_term (rename_fo_term (s11 x) identity identity)
                 identity identity
               =
               rename_fo_term (rename_fo_term (s21 x) identity identity)
                 identity identity
               = s21 x && s11 x = s21 x)
            &&
            forall x:'b1. is_fo_term_free_var_in_fo_term_list x v1 -> s11 x =
              s21 x
            } ;
          ()
    end
  
  let lemma free_var_derive_equivalence_of_rename_fo_formula
    (t:fo_formula 'b0 'b1) (s10:'b0 -> 'c0) (s20:'b0 -> 'c0) (s11:'b1 -> 'c1)
    (s21:'b1 -> 'c1) : unit
    ensures {
      forall x:'b0. is_symbol_free_var_in_fo_formula x t -> s10 x = s20 x }
    ensures {
      forall x:'b1. is_fo_term_free_var_in_fo_formula x t -> s11 x = s21 x }
    requires { rename_fo_formula t s10 s11 = rename_fo_formula t s20 s21 } =
    free_var_derive_equivalence_of_subst_fo_formula t
      (subst_of_rename_symbol s10) (subst_of_rename_symbol s20)
      (subst_of_rename_fo_term s11) (subst_of_rename_fo_term s21);
    assert {
      forall x:'b0. (subst_of_rename_symbol s10 x:symbol 'c0) =
        (subst_of_rename_symbol s20 x:symbol 'c0) ->
        (Var_symbol (s10 x):symbol 'c0) = (Var_symbol (s20 x):symbol 'c0) &&
        s10 x = s20 x
      };
    assert {
      forall x:'b1. (subst_of_rename_fo_term s11 x:fo_term 'c0 'c1) =
        (subst_of_rename_fo_term s21 x:fo_term 'c0 'c1) ->
        (Var_fo_term (s11 x):fo_term 'c0 'c1) =
        (Var_fo_term (s21 x):fo_term 'c0 'c1) && s11 x = s21 x
      }
  
  
end


why3-1.6.0/examples/prover/Firstorder_formula_spec/000077500000000000000000000000001440160026300224215ustar00rootroot00000000000000why3-1.6.0/examples/prover/Firstorder_formula_spec/why3session.xml000066400000000000000000002204111440160026300254410ustar00rootroot00000000000000









 
 
 
 
 
 
 
 
 
 
 
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
 
 
 
 
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
    
    
    
   
   
   
   
    
    
    
   
   
  
  
 
 
 
 
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
  
  
 
 
 
 
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
  
  
 
 
 
 
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
  
  
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
 
 
 
 
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
 
 
 
 
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
 
 
 
 
 
 
 
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
 
 
 
 
 
 
 
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
 
 
 
 
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
 
 
 
 
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
 
 
 
 
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
 
 
 
 
 
 
 
  
  
  
  
  
  
  
  
  
  
  
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
  
  
  
  
  
  
  
  
  
  
  
  
  
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
 
 
 
 
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
 
 



why3-1.6.0/examples/prover/Firstorder_formula_spec/why3shapes.gz000066400000000000000000000501221440160026300250610ustar00rootroot00000000000000YI&o3;H	]E&nY\Y_nAI"'?˧W,?ʼoOO[~O,_|o>|TV_OoUb+KzG~1"EZsx|כ2{s~G'OO?|zzb#>oy1l	4?-?v6ڜަ|TִJ$;!6A[:l6laFOO?Ÿ,^0o~
>??\~ğē|RO]>M?w>ghx\}(mp*f^L{m,nm\k`ihk]k]FoPmv4Rg6ٓv_7O$P	>O
E>QAgE:'SG|{MͽVgdWs$[fƉw.qœ!֞?߳Ϻiڜv)VR΀DMleTړe'{*BM@d8kh߷HTߏ3N0F?D=|>F1DO(p1KZ+*Q@%UE'i.(O(\WyO%G~M_7v
VORTN}}=:jņnbaʕ{R)W'SN\w?uOg?ή
"=L}-_|ic⚨DM֟(jT_}NE6xz0h
?·e3'ay̓Y|?T+|?NEcVъ?腚e<{d}bd?/^-e/6UIJL]TqTE=Vj|$ņm,7>f(kK~艪":ш”M끥&"]R1mט:\ܗ4:?}jGӃ_O%Yɇs]]"[}L.g$il}M˦cEq2d;	.s[Ȉ$uFsJ
dKCX3;oc3ktxrvpiJ<38Y%ӓ_}^/ЏaMߴ-m)L==Եϭ/C\+RLuU2އT6qvuC:mIaT9:-lᡆ	|i*;u0:&`SA'%)q>jyᡆ	PK0۰S]~IAU1,JNK:lcپ l!/>xlνZXKO)eY:WN4%u=!	>$5	>0,eHO󱋫`vkWsuk۔>~\Ua3RTzPnv6x)_ė<#ۘ"]ڒڔڜ!%uC.((Kt)w[NmάC8Vߵw126]@!q޻Y$v%udVS'6Aqap#A@('h\-N/ZT;>Eyuٍc78M1Wxz78nUMd7D旗qoQHV[d%֭խj%v+٭{7;bz>U[n%ߓ|n3vV|ԋ ~m(PYc5Bo3O:gn4Z)Q
{z
Tji*1ك;wՊ=þ'-eyY*U"\F*;I~jIlO857FotdyioR~g?Nd,
E=puQAWއA%2X}}pԓ#}mSl>8>+zC]'4hcj${WxTЫu)ͮ:+ߠQtUk-)Ϡxw\p$wO⭓7S1
jζz0<=MMoMEņ,ȵܦܐYAuEI3Z?Cv%6[Bw!=z80q
Wڣ+=ٻ!6y-Azg4wF7u쌮iBSFJsn[s76uKHqmP&Ŷ&/=~-X^" ;lDj)d0Y˷D+]p?
ѕ@kvH$]4RK>ty9=w~1tTAиnxEZi_|,!gW~x+TpҊsd>!%01d6^[>}G9]3$}sEp@X7T"r r 
\ѥA%W5kk6my7ݯmhg^="{&lޓ_wO~ɯ@׮{/	=*\?`	G	.~џ87C{Ub8bz1_1ep."$܏,xc.E&
?GMTͮ_CHJjd%g~,iYc[56Үf~}P9'z\j젹AG/Pq殛@
;J~PzP~*31i2Zx[y8X3;
*EmK211Ӳ~9-mU	jʏe:|ݸ`7ݼ_^R~x,݋3ƥ{"7Bѕ-v*]W(˰:Q֮_X鎹ayԌˣrdmGq{lx򸾾E-55&v|jy?	YTsXTq~]/.
zT0tl󇝟=64sLRSBANbEC63J*OU\Ǭ/>]W&&@م5sbpbpMW4Dbp+^M>0\T	[dm>T
J҃yJsΕOKMCQg3uE;u;GU[{wf5y7n+gg"
>|d7%n6|4
kX3=o~zjlylǧJ`,?aNcm6CoZP䗿7BR{ן?SEj9Kfk:KiRe]O|yk˻O]jt4bZPQ.WJ|i/qiZ^Jݷ_D}xٻY]JsqK7S*xkȷ!k
aeȃ(UsIǾ[yI>zW]19קb-?욹k39ߧG#ߐ^uG#hdא/{4+WT=5Ej<_qVUxKys_8bz3wr&&ehFc&]]9Cˋ}Mº*5Z,ߖ+⮈+kv4e-f{|OOiW6P:|u+iw"gl5w-`oܿ;/({J'7_-{jsW=o^殇/[߿i~dس?_[DpJB/
_%jx72{hBxpvB0Xc
1cUH
g|̮+әzHg1)OәzfWGYۏ/vJO$/ܿjqz`_ajכoprW8ם>Y[ѹU5%_Wzu~7s'tw=L7tx3髇鳩S8xl/-Y
p~aNSۛb.FUuDz@4k#&|y\<ϓ2y;(YPClQue򐷿)+OٓTy2%tmjM@}X\Aݣ3֛w!j{ì^Z
JW7"6bveKkO=5Rו~ұv2TUYWOտA=6"%vaᴟK~Z}k݋n&_K	%XrXle|xY|Z#^
W*>R;Sٕ+݋NTvcݍCl);vs~+ݤr/5ߧ+:hدN8=X9fM6*t!EEچ*DGi.ln(~>nl^#3%Omp/\v
|+~}7&[qt/4
hrgЙ|n-S򝮻M/Oֶ"kqC%˺w.녭A~gyri;N_PU40j_ruᨶS/|EjC/bExSkp)x,7MêϺl>a؞:@ڹֱ! akG+hK:0$aL/D9_md/RG'Ӝz|2Ӣ9q^HŤ$]+`|_Ȇ%~u˖n?!wqŋg L-
/(_׵5ܗ^AOV$qn|+N¿m	JϗQ=r|#?NUE8Oϱa\KO#+3wGCKU.epHkjXsY]?C	רVaoºVj密0Zy1EPVjE4mEk1a^~x>)T
)oT(PbTT)
%GuPVJ
fi6Qm9>]QwQX4>wU娍WÛS:j-6BUP}sUEvB-)K#T5	/Pմ%*lln
53FFFФ):*?}DSJ8@զ$PKa&ٝǗZٴtbЃMg+čI39z,IoloTr|W*aZU5rVՍN%*1Bk38@W	`kz	d+>Q_bs1ߕ>{\q+Ǎi{|kFC0>
'	Oͣ; bmd/D1^s/J|ҽ6f6>&MD+DDeՉ}uďhľ6-HUi_k}eR}a%Y4}]b_aeKTr_-z_2%*BW%n9J}3-ʹb{[Vp.˯<`EUX>,Q#VEEjZѧq)>n:%Ef	;&tlkj~w[
1XЇ>EYrdE5AT9]T(gtG*}~xF8zv~=f[včZqp|Fj"Aͫ
xȂp-
:3](N--/nF]{S]
79i7l_H.aI)_$m}Q\#(Fxב+`>CZPT=BqfFBMI7tf	]hk3/?'@r*._
x_sR^ⶖOr[Tj.EץOjmrR/hI3F;b@T*pGS"{#U8TK!<8nw39[ӞO`s][5NKDz*K/#VKzZ>m-o@&.ts7#Ę!i#zge'j
b]P\>gi5q;PCKm8p̀+L50wRi
b7?>!ڈSWկH}fjq;]-2;(hi{PnvA6b"!yY;~{7
Z6uvfmz>>mF|.8CF[Ʊ"ql0=y"Ghυ~`Q^5Ǿy۾?v]8`|:Kkr5~2‡{/uo4uGa4Y
MKňT品rE68caK}G"o:؟
mUOQۨϏjv4g~ivM-kṉjjÓIx\&:Q@Vꯨzui9qP]jv>}UnR^ⶖQE_cWKx8M
KE/|v13[wSyx"Uk}\O&q=	.:<Хe.;m-oϛ׆FC~wMG6B׿{LcsjJ:pF|^x[~Sŧ]
|}O#
r/W i<$7ynnB/Tq[ˇpJ'}iڗ-r_Nz7p錩[͹>cJf^༡+O?$
.b (x"ATWpS!lkhO͎e[\pq4LF F箷">}}zڴC׵x8nNhLTo!gXmaݛaݻ!]p nHTb?KlO_kH;;~չ
Pm-БL#^aU\\xG_t'޴'iO@
pֺ'6ۻԪlW@ӍpW`
C*Bz/v`8&v}los
C$i[
mG=*-'Nwfw38dƼշ_ώ
`Ϻ=ofms2>E_aQ|q,<5;MV
o7.^t}l{9\Dt4~>xz=/蒢W94ǻ>)gHO;7eN2?Q-/fXJM23A~XԱ:vr.*1JC(+Rga|;PscmB$ڇ
zU^^uu2+zeze'j?vWW͇:ǖ+uM7꥙7k6eMQN̻k׵Ү襝륛ک^^6AreUQ/*~]!hd**W~*x
JW:Ea<^ɹԱhϓY\0̘l+ּxPre]عPP&[6B`+r
G_JyҢ"|:W>IhOwOĂ,BN,2/aSrH[TRb|X{\A])bT;n0XP)6F킷9w	X]?Ƈ^`D)0L.*p`6IU)`0βXPT8tÌ+[8c.B

h&WY(C2N7KBJJl
vz^%$o6OoŬ6U"'C8c}R}4ƔcuFʤTDEM2%3ƻT\8
VR^HO1jTͤYcet3Z+lм	SPhfK(Ԑ;9]&Qy`KrT(gEr
,gEhcDEiLf5ėMQ{1J_A;	!.	&x'Exb<3SmAl$AJ<<)K!3vBB:ЄIJC+c}gU!|t5R|(O>au̙Er(bOx2J7{*}s:]I4@7m&xZtY.uq'E"`O8db-&-;)`Mf蘃:*|`]R̚;-rEqLJ	;|4y)fJIuZCs$eqJE
sJ )+#d8`Kp98s	uPdHJyiŠV'aZ;/0WƘӠs
6]@^ wOL5\o2=lTfV2DG	.=CBM~ER&ْ:Z#$0`m`R8/%8FϽ'a` cdG]S:Nۀ:@CozO5
1]A.zT%j.ƜBM!y)Q):!]异
tQ[eTl˰R(,6<{Ox!<H5fD
&LfB,븆XzԎN@c@ys/FYe 	܃Ir]]+`zzLL9+ˆC^VIX$Bb2ҔY
̚R 'Jd#)WQܿI\t^ge8%Jo:g.&mS	"?5BFҎ(sl6
Q2Ņ1d6حh*Ps@HOFv
CMϚEx!C1.h+$b(UP_u7Fm9v@GaRv 	L4kz"9aa Xij&xJ'9?W\3G8j';B	OoBe"D
X΁:%ZVӠ{@*	Fr78PwA-ĉgp
7PT@~225k3&>9*aՆP>L
SƉF*Ecmth$H0aRզ;0PPPwc:e,7^#mP,MDȓ)Zd,W:3P7n6Vhaᅈ ERh]JFu%L?3BhT7p6øk
,jdD_G!ڊEP$gf
phQÿzB9wVsB̥0R
pYʔ~S'x

#U` T>ZT|&FKB*++'-k*넒VIh;ZRSYg1h
E)F"Z8eGkI)8Xb¬!د3
Uo%
,PK2J	9=h:RL8Rk41@x*ԓEcmBQB#DH{7Lv15o2(F2w:((QBhg'-I.,|0yh`V=Z@CQzr""(Ba= zFK@@%3ˢ	䈷"l4i-90(h8¬1"A A:+T3$u2"Z\mw"#5+z]J܈&M0Z lÜ#N-3cLU3'z("ĘT4*MeE5(lBɱr[w]QtcGY?dڨUf\(	ZK0vUo8VV\s0]|
;U4$h!|52{e%mWCNrü]hV:exwJ"Ӆcn4+ƀPUs*
MF7;PqpRo5+1]'gil	*mt!	,#t~u]1@\w2 4
Ϗn+J"F|
d01%;ڌV#d4坆ɃaqEj=C'::&iM>nے@Sq$xnIg
|4+QVh 7k4\WTnSCKn\ B+;ٕԟَ<Dx:R"01(|.s"mf/W|uZa~eP!-!vDp0M{lv#@aUm	!#V6tuYDb(m'!mXeAC&+
A7upR#Y]d
&`24#vCL̠	;
A87+:Y(./.w5h%c8pPo7tUt&(-]M1>1Z1cW7"&1Pj^xE1i݈ j&.vʩ"0@
bFb72XESYBA)Xt&.șm7AߢbUVy	%J$0Ch?_u|u#HÝuY8<$|*S?Wa
#
C`@J.`qPX"nҲ,Y(E7ɠd[
MW$阋kxlُa؈y#Ҩ]77hk,)cA찣"Ar׳-&;:_2i[/i,u
)LWQ+aіNۈEQ53ʓ9)ʌrF[;JvEwYvӱ16Ȧqq]7pE)ұ+'	~L`[â0#8%A;W% "Ta"9eh0I㽷+1qEKd鯥ՠJ{1>cä9:6+4-5BqҊnjOpD'N;ѵt8Kw4ԇ!t.zG
tFF)0i(DqCQz><ޕR"R4W̘.utnobtj, *a!;
]_J-ZALs!Qol;T7@zڙ
"1TR?%hthf	ScNJsK7\FAwJ%
-d8%E/)^h#-N65ݒDm
6<O"ؒ@K߼=J
N#rB@Wq

-)YhmjWh%zUv>Ldzli4XK6G"t^yXo,i-4"s1!Yt
-\
-=#JXe ;V#duhQ
q2FJsoVL#\MR:wΥH/rtA,\x,#=pY"(V\ hX"ž(azPOk:(K{-Z}v%'=!D0c-D`.ORrt"k!T\AH`S)!
A8<߆BhKLnXq-Ř3]֔\	{Cx	&F5|YIM6"{zO Pcԝ
pQyWЕ#T/pG1)4nׅ1-AnKHAЪ8#ThI4G*+PF+gpt~Y50OL'9T0v1 tLbv}FwtY'Mtl&qB<`Gέњz$N+(]1.ˎ-=@}*K(i><;?k:YSu%[zt+]]G5!+iZ1{g"%FAczP%vQmxNvUю.)#8J3]f,:C(OdGP!ʌB4CC@G]qei:P`ީWpWh	sg`YB >;2^aA[HKUiYb&Ei.zacZ͝ΧD_Љ%MBi'yLkb@b%D]SrP (list 'st -> 'st) ;
    interp_pred : 'ls -> (list 'st -> bool) ;
  }

  function term_semantic (t:fo_term 'ls 'b) (m:model 'ls 'st)
    (rho:'b -> 'st) : 'st = match t with
      | Var_fo_term x -> rho x
      | App (Var_symbol f) l -> let ifun = m.interp_fun in
        ifun f (term_list_semantic l m rho)
    end

  with term_list_semantic (t:fo_term_list 'ls 'b) (m:model 'ls 'st)
    (rho:'b -> 'st) : list 'st = match t with
      | FONil -> Nil
      | FOCons x q -> Cons (term_semantic x m rho) (term_list_semantic q m rho)
    end

  predicate formula_semantic (t:fo_formula 'ls 'b) (m:model 'ls 'st)
    (rho:'b -> 'st) = match t with
      | Forall t -> forall x:'st.
        formula_semantic t m (ocase rho x)
      | Exists t -> exists x:'st.
        formula_semantic t m (ocase rho x)
      | And t1 t2 -> formula_semantic t1 m rho /\ formula_semantic t2 m rho
      | Or t1 t2 -> formula_semantic t1 m rho \/ formula_semantic t2 m rho
      | Not t -> not (formula_semantic t m rho)
      | FTrue -> true
      | FFalse -> false
      | PApp (Var_symbol p) l -> let ipred = m.interp_pred in
        ipred p (term_list_semantic l m rho)
    end

  predicate formula_list_conj_semantic (t:fo_formula_list 'ls 'b)
    (m:model 'ls 'st) (rho:'b -> 'st) = match t with
      | FOFNil -> true
      | FOFCons x q -> formula_semantic x m rho /\
        formula_list_conj_semantic q m rho
    end

  predicate formula_list_disj_semantic (t:fo_formula_list 'ls 'b)
    (m:model 'ls 'st) (rho:'b -> 'st) = match t with
      | FOFNil -> false
      | FOFCons x q -> formula_semantic x m rho \/
        formula_list_disj_semantic q m rho
    end

  predicate tableau_node (b:bool) (phib:fo_formula_list 'ls 'b)
    (phi0:fo_formula 'ls 'b) (m:model 'ls 'st) (rho:'b -> 'st) =
    ( b = True /\ formula_semantic phi0 m rho)
      \/ formula_list_disj_semantic phib m rho

  (* This one work by accumulation, as it is related to a context. *)
  predicate tableau_semantic_with (t:tableau 'ls 'b)
    (b:bool) (m:model 'ls 'st) (rho:'b -> 'st) =
    match t with
      | Root -> b = True
      | Node tnext phi0 phib ->
        let b' = if tableau_node b phib phi0 m rho
          then True
          else False in
        tableau_semantic_with tnext b' m rho
    end

  (* Abstraction-definition axiom :
     function semantic_subst (s:'b -> (fo_term 'ls 'c))
       (m:model 'ls 'st) (rho:'c -> 'st) : 'b -> 'st =
         (\ x:'b. term_semantic (s x) m rho) *)
  function semantic_subst (s:'b -> (fo_term 'ls 'c))
    (m:model 'ls 'st) (rho:'c -> 'st) : 'b -> 'st
  axiom semantic_subst_def : forall s:'b -> (fo_term 'ls 'c),
    m:model 'ls 'st, rho:'c -> 'st, x:'b.
      semantic_subst s m rho x = term_semantic (s x) m rho

  (*(* Abstraction-definition axiom :
     constant symbol_name : (symbol 'b) -> 'b =
       (\ x:symbol 'b. match x with Var_symbol x -> x end) *)
  constant symbol_name : (symbol 'b) -> 'b
  axiom symbol_name_def : forall x:symbol 'b.
    symbol_name x = match x with Var_symbol x -> x end
  let lemma symbol_name_subst_identity_inverse (u:unit) : unit
    ensures { rcompose symbol_name subst_id_symbol =
      (identity:(symbol 'b) -> (symbol 'b)) }
    ensures { rcompose subst_id_symbol symbol_name =
      (identity:'b -> 'b) }
  =
    assert { extensionalEqual (identity:(symbol 'b) -> (symbol 'b))
      (rcompose symbol_name subst_id_symbol) } ;
    assert { extensionalEqual (identity:'b -> 'b)
      (rcompose subst_id_symbol symbol_name) }*)

  function model_rename (r:'b -> 'c) (m:model 'c 'st) :
    model 'b 'st = {
    interp_fun = rcompose r m.interp_fun ;
    interp_pred = rcompose r m.interp_pred ;
  }

  lemma model_rename_id : forall m:model 'b 'st.
    model_rename identity m = m

  (* semantic commutation with substitution.
     Required for example for
     universal quantification elimination deduction rule:
     forall x. phi -> phi[x <- t] come from this lemma
     (*and generally speaking, quantifier handling*) *)

  let rec lemma term_semantic_subst_commutation (t:fo_term 'ls 'b)
    (m:model 'ls2 'st) (rho : 'c -> 'st)
    (thetal:'ls -> 'ls2)
    (theta:'b -> (fo_term 'ls2 'c)) : unit
    ensures { term_semantic (
      subst_fo_term t (rcompose thetal subst_id_symbol) theta) m rho =
      term_semantic t (model_rename thetal m) (semantic_subst theta m rho) }
    variant { size_fo_term t }
  =
    match t with
      | Var_fo_term x -> ()
      | App (Var_symbol f) l ->
        term_list_semantic_subst_commutation l m rho thetal theta ;
        let thetals = rcompose thetal subst_id_symbol in
        assert { subst_fo_term t thetals theta =
          App (Var_symbol (thetal f)) (subst_fo_term_list l thetals theta) } ;
        let m2 = model_rename thetal m in
        let l2 = term_list_semantic l m2 (semantic_subst theta m rho) in
        assert { eval m.interp_fun (thetal f) l2 =
            eval m2.interp_fun f l2 }
    end

  with lemma term_list_semantic_subst_commutation (t:fo_term_list 'ls 'b)
    (m:model 'ls2 'st) (rho : 'c -> 'st)
    (thetal:'ls -> 'ls2)
    (theta:'b -> (fo_term 'ls2 'c)) : unit
    ensures { term_list_semantic (
      subst_fo_term_list t (rcompose thetal subst_id_symbol) theta) m rho =
      term_list_semantic t (model_rename thetal m)
        (semantic_subst theta m rho) }
    variant { size_fo_term_list t }
  =
    match t with
      | FONil -> ()
      | FOCons x q -> term_semantic_subst_commutation x m rho thetal theta ;
        term_list_semantic_subst_commutation q m rho thetal theta
    end

  let lemma term_list_semantic_rename_commutation (t:fo_term_list 'ls 'b)
    (m:model 'ls2 'st) (rho:'c -> 'st)
    (thetal:'ls -> 'ls2) (theta:'b -> 'c) : unit
    ensures { term_list_semantic (
      rename_fo_term_list t thetal theta) m rho =
      term_list_semantic t (model_rename thetal m)
        (rcompose theta rho) }
  =
    let p1 = rcompose theta rho in
    let p2 = semantic_subst (rcompose theta subst_id_fo_term) m rho in
    assert { extensionalEqual p1 p2 && p1 = p2 }

  let lemma term_semantic_rename_commutation (t:fo_term 'ls 'b)
    (m:model 'ls2 'st) (rho:'c -> 'st)
    (thetal:'ls -> 'ls2) (theta:'b -> 'c) : unit
    ensures { term_semantic (rename_fo_term t thetal theta) m rho =
      term_semantic t (model_rename thetal m) (rcompose theta rho) }
  =
    assert { extensionalEqual (rcompose theta rho)
      (semantic_subst (subst_of_rename_fo_term theta) m rho) }


  let lemma semantic_lifting_commutation (theta:'b -> (fo_term 'ls 'c))
    (rho : 'c -> 'st) (m:model 'ls 'st) (x:'st) : unit
    ensures { semantic_subst (olifts_fo_term theta) m (ocase rho x) =
      ocase (semantic_subst theta m rho) x }
  =
    let stheta = olifts_fo_term theta in
    let srho = ocase rho x in
    let p1 = semantic_subst stheta m srho in
    let ctr = semantic_subst theta m rho in
    let p2 = ocase ctr x in
    assert { forall x:option 'b. match x with
      | None -> p1 None = p2 None
      | Some z -> p1 (Some z) = p2 (Some z) end
        && p1 x = p2 x } ;
    assert { extensionalEqual p1 p2 }

  let lemma formula_semantic_subst_commutation (t0:fo_formula 'ls 'b)
    (m0:model 'ls2 'st)
    (thetal0:'ls -> 'ls2)
    (theta0:'b -> (fo_term 'ls2 'c))
    (rho:'c -> 'st) : unit
    ensures { formula_semantic (
      subst_fo_formula t0 (rcompose thetal0 subst_id_symbol) theta0) m0 rho
      <-> formula_semantic t0
        (model_rename thetal0 m0) (semantic_subst theta0 m0 rho) }
  =
    let rec ghost aux (t:fo_formula 'ls3 'b2)
      (m:model 'ls4 'st)
      (thetal:'ls3 -> 'ls4)
      (theta:'b2 -> (fo_term 'ls4 'c2)) : unit
      ensures { forall rho:'c2 -> 'st.
        formula_semantic (
          subst_fo_formula t (rcompose thetal subst_id_symbol) theta) m rho
        <-> formula_semantic t
          (model_rename thetal m) (semantic_subst theta m rho) }
      variant { size_fo_formula t }
    =
      let thetals = rcompose thetal subst_id_symbol in
      match t with
        | Forall t2 -> let os = olifts_fo_term theta in
          let st = subst_fo_formula t thetals theta in
          let st2 = subst_fo_formula t2 thetals os in
          aux t2 m thetal os ;
          assert { st = Forall st2 }
        | Exists t2 -> let os = olifts_fo_term theta in
          let st = subst_fo_formula t thetals theta in
          let st2 = subst_fo_formula t2 thetals os in
          aux t2 m thetal os ;
          assert { st = Exists st2 }
        | And t1 t2 -> aux t1 m thetal theta ;
          aux t2 m thetal theta
        | Or t1 t2 -> aux t1 m thetal theta ;
          aux t2 m thetal theta
        | Not t2 -> aux t2 m thetal theta ;
          let st = subst_fo_formula t thetals theta in
          let st2 = subst_fo_formula t2 thetals theta in
          assert { st = Not st2 }
        | FTrue -> ()
        | FFalse -> ()
        | PApp (Var_symbol p) l ->
          let l2 = subst_fo_term_list l thetals theta in
          let t2 = subst_fo_formula t thetals theta in
          assert { t2 = PApp (Var_symbol (thetal p)) l2 } ;
          let m2 = model_rename thetal m in
          assert { forall rho:'c2 -> 'st.
            let rho2 = semantic_subst theta m rho in
            let l3 = term_list_semantic l m2 rho2 in
            let l4 = term_list_semantic l2 m rho in
            (l3 = l4 /\
             (formula_semantic t m2 rho2 <->
               eval m2.interp_pred p l3) /\
             (formula_semantic t2 m rho <->
               eval m.interp_pred (thetal p) l4)) &&
            (formula_semantic t m2 rho2 <->
             formula_semantic t2 m rho) }
      end in
    aux t0 m0 thetal0 theta0

  let lemma formula_semantic_rename_commutation
    (t:fo_formula 'ls 'b) (m:model 'ls2 'st)
    (thetal:'ls -> 'ls2)
    (theta:'b -> 'c) (rho:'c -> 'st) : unit
    ensures { formula_semantic (rename_fo_formula t thetal theta) m rho
      <-> formula_semantic t (model_rename thetal m) (rcompose theta rho) }
  =
    let thetas = rcompose theta subst_id_fo_term in
    assert { rename_fo_formula t thetal theta =
      subst_fo_formula t (rcompose thetal subst_id_symbol) thetas } ;
    let p1 = rcompose theta rho in let p2 = semantic_subst thetas m rho in
    assert { extensionalEqual p1 p2 && p1 = p2 }

  let lemma formula_semantic_term_subst_commutation
    (t:fo_formula 'ls 'b) (m:model 'ls 'st)
    (theta:'b -> (fo_term 'ls 'c)) (rho:'c -> 'st) : unit
    ensures {
      formula_semantic (subst_fo_formula t subst_id_symbol theta) m rho <->
      formula_semantic t m (semantic_subst theta m rho) }
  =
    let t2 = subst_fo_formula t (rcompose identity subst_id_symbol) theta in
    let rho2 = semantic_subst theta m rho in
    assert { formula_semantic t2 m rho <->
      formula_semantic t (model_rename identity m) rho2 }

  let lemma formula_semantic_term_rename_commutation
    (t:fo_formula 'ls 'b) (m:model 'ls 'st)
    (theta:'b -> 'c) (rho:'c -> 'st) : unit
    ensures { formula_semantic (rename_fo_formula t identity theta) m rho <->
      formula_semantic t m (rcompose theta rho) }
  =
    ()

  let rec lemma formula_list_conj_semantic_subst_commutation
    (t:fo_formula_list 'ls 'b) (m:model 'ls2 'st)
    (thetal:'ls -> 'ls2)
    (theta:'b -> (fo_term 'ls2 'c)) (rho:'c -> 'st) : unit
    ensures { formula_list_conj_semantic (
      subst_fo_formula_list t (rcompose thetal subst_id_symbol) theta) m rho
      <-> formula_list_conj_semantic t
        (model_rename thetal m) (semantic_subst theta m rho) }
    variant { size_fo_formula_list t }
  =
    match t with | FOFNil -> () | FOFCons _ q ->
      formula_list_conj_semantic_subst_commutation q m thetal theta rho end

  let rec lemma formula_list_disj_semantic_subst_commutation
    (t:fo_formula_list 'ls 'b) (m:model 'ls2 'st)
    (thetal:'ls -> 'ls2)
    (theta:'b -> (fo_term 'ls2 'c)) (rho:'c -> 'st) : unit
    ensures { formula_list_disj_semantic (
      subst_fo_formula_list t (rcompose thetal subst_id_symbol) theta) m rho
      <-> formula_list_disj_semantic t
        (model_rename thetal m) (semantic_subst theta m rho) }
    variant { size_fo_formula_list t }
  =
    match t with | FOFNil -> () | FOFCons _ q ->
      formula_list_disj_semantic_subst_commutation q m thetal theta rho end


  let lemma formula_list_conj_semantic_term_subst_commutation
    (t:fo_formula_list 'ls 'b) (m:model 'ls 'st)
    (theta:'b -> (fo_term 'ls 'c)) (rho:'c -> 'st) : unit
    ensures { formula_list_conj_semantic
        (subst_fo_formula_list t subst_id_symbol theta) m rho <->
      formula_list_conj_semantic t m (semantic_subst theta m rho) }
  =
    formula_list_conj_semantic_subst_commutation t m identity theta rho

  let lemma formula_list_disj_semantic_term_subst_commutation
    (t:fo_formula_list 'ls 'b) (m:model 'ls 'st)
    (theta:'b -> (fo_term 'ls 'c)) (rho:'c -> 'st) : unit
    ensures { formula_list_disj_semantic
        (subst_fo_formula_list t subst_id_symbol theta) m rho <->
      formula_list_disj_semantic t m (semantic_subst theta m rho) }
  =
    formula_list_disj_semantic_subst_commutation t m identity theta rho

  let rec lemma tableau_semantic_subst_commutation
    (t:tableau 'ls 'b) (m:model 'ls2 'st)
    (b:bool)
    (thetal:'ls -> 'ls2)
    (theta:'b -> (fo_term 'ls2 'c)) (rho:'c -> 'st) : unit
    ensures { tableau_semantic_with (
      subst_tableau t (rcompose thetal subst_id_symbol) theta) b m rho
      <-> tableau_semantic_with t b
        (model_rename thetal m) (semantic_subst theta m rho) }
    variant { size_tableau t }
  =
    match t with
      | Root -> ()
      | Node tnext phi0 phib ->
        let s1 = rcompose thetal subst_id_symbol in
        let b' = if tableau_node b
          (subst_fo_formula_list phib s1 theta)
          (subst_fo_formula phi0 s1 theta) m rho
          then True
          else False in
        tableau_semantic_subst_commutation tnext m b' thetal theta rho
    end

  let lemma tableau_semantic_term_subst_commutation
    (t:tableau 'ls 'b) (b:bool) (m:model 'ls 'st)
    (theta:'b -> (fo_term 'ls 'c)) (rho:'c -> 'st) : unit
    ensures { tableau_semantic_with (
      subst_tableau t subst_id_symbol theta) b m rho <->
      tableau_semantic_with t b m (semantic_subst theta m rho) }
  =
    tableau_semantic_subst_commutation t m b identity theta rho

  let rec lemma term_semantic_depend_only_free_var
    (t:fo_term 'ls 'b) (m1 m2:model 'ls 'st)
    (rho1 rho2:'b -> 'st) : unit
    requires { forall f:'ls. is_symbol_free_var_in_fo_term f t ->
      eval m1.interp_fun f = eval m2.interp_fun f /\
      eval m1.interp_pred f = eval m2.interp_pred f }
    requires { forall x:'b. is_fo_term_free_var_in_fo_term x t ->
      rho1 x = rho2 x }
    ensures { term_semantic t m1 rho1 = term_semantic t m2 rho2 }
    variant { size_fo_term t }
  =
    match t with Var_fo_term x -> () | App (Var_symbol f) l ->
      term_list_semantic_depend_only_free_var l m1 m2 rho1 rho2 ;
      assert { is_symbol_free_var_in_fo_term f t } end

  with lemma term_list_semantic_depend_only_free_var
    (t:fo_term_list 'ls 'b) (m1 m2:model 'ls 'st)
    (rho1 rho2:'b -> 'st) : unit
    requires { forall f:'ls. is_symbol_free_var_in_fo_term_list f t ->
      eval m1.interp_fun f = eval m2.interp_fun f /\
      eval m1.interp_pred f = eval m2.interp_pred f }
    requires { forall x:'b. is_fo_term_free_var_in_fo_term_list x t ->
      rho1 x = rho2 x }
    ensures { term_list_semantic t m1 rho1 = term_list_semantic t m2 rho2 }
    variant { size_fo_term_list t }
  =
    match t with FONil -> () | FOCons x q ->
      term_semantic_depend_only_free_var x m1 m2 rho1 rho2 ;
      term_list_semantic_depend_only_free_var q m1 m2 rho1 rho2 end

  let lemma formula_semantic_depend_only_free_var
    (t:fo_formula 'ls0 'b0) (m1 m2:model 'ls0 'st0)
    (rho1 rho2:'b0 -> 'st0) : unit
    requires { forall f:'ls0. is_symbol_free_var_in_fo_formula f t ->
      eval m1.interp_fun f = eval m2.interp_fun f /\
      eval m1.interp_pred f = eval m2.interp_pred f }
    requires { forall x:'b0. is_fo_term_free_var_in_fo_formula x t ->
      rho1 x = rho2 x }
    ensures { formula_semantic t m1 rho1 <-> formula_semantic t m2 rho2 }
  =
    let rec aux (t:fo_formula 'ls 'b) (m1 m2:model 'ls 'st) : unit
      requires { forall f:'ls. is_symbol_free_var_in_fo_formula f t ->
        eval m1.interp_fun f = eval m2.interp_fun f /\
        eval m1.interp_pred f = eval m2.interp_pred f }
      ensures { forall rho1 rho2:'b -> 'st.
        (forall x:'b.
          is_fo_term_free_var_in_fo_formula x t -> rho1 x = rho2 x) ->
        formula_semantic t m1 rho1 <-> formula_semantic t m2 rho2 }
      variant { size_fo_formula t }
    =
      match t with
        | Forall t2 -> aux t2 m1 m2 ;
          assert { forall rho1 rho2:'b -> 'st.
            (forall x:'b.
              is_fo_term_free_var_in_fo_formula x t -> rho1 x = rho2 x) ->
            ((forall x:'st. formula_semantic t2 m1 (ocase rho1 x) <->
              formula_semantic t2 m2 (ocase rho2 x)) &&
            ((forall x:'st. formula_semantic t2 m1 (ocase rho1 x)) <->
              formula_semantic t m1 rho1) &&
            ((forall x:'st. formula_semantic t2 m1 (ocase rho2 x)) <->
              formula_semantic t m2 rho2)) }
        | Exists t2 -> aux t2 m1 m2 ;
          assert { forall rho1 rho2:'b -> 'st.
            (forall x:'b.
              is_fo_term_free_var_in_fo_formula x t -> rho1 x = rho2 x) ->
            ((forall x:'st. formula_semantic t2 m1 (ocase rho1 x) <->
              formula_semantic t2 m2 (ocase rho2 x)) &&
            ((exists x:'st. formula_semantic t2 m1 (ocase rho1 x)) <->
              formula_semantic t m1 rho1) &&
            ((exists x:'st. formula_semantic t2 m1 (ocase rho2 x)) <->
              formula_semantic t m2 rho2)) }
        | And t1 t2 -> aux t1 m1 m2 ; aux t2 m1 m2
        | Or t1 t2 -> aux t1 m1 m2 ; aux t2 m1 m2
        | Not t2 -> aux t2 m1 m2
        | FTrue -> ()
        | FFalse -> ()
        | PApp (Var_symbol p) l ->
          assert { is_symbol_free_var_in_fo_formula p t } ;
          assert { forall rho1 rho2:'b -> 'st.
            ((forall x:'b. is_fo_term_free_var_in_fo_formula x t ->
              rho1 x = rho2 x) ->
            term_list_semantic l m1 rho1 = term_list_semantic l m2 rho2) /\
            (formula_semantic t m1 rho1 <->
              eval m1.interp_pred p (term_list_semantic l m1 rho1)) /\
            (formula_semantic t m2 rho2 <->
              eval m2.interp_pred p (term_list_semantic l m2 rho2)) }
      end in
    aux t m1 m2

  let rec lemma formula_list_conj_semantic_depend_only_free_var
    (t:fo_formula_list 'ls 'b) (m1 m2:model 'ls 'st)
    (rho1 rho2:'b -> 'st) : unit
    requires { forall f:'ls. is_symbol_free_var_in_fo_formula_list f t ->
      eval m1.interp_fun f = eval m2.interp_fun f /\
      eval m1.interp_pred f = eval m2.interp_pred f }
    requires { forall x:'b. is_fo_term_free_var_in_fo_formula_list x t ->
      rho1 x = rho2 x }
    ensures { formula_list_conj_semantic t m1 rho1 <->
      formula_list_conj_semantic t m2 rho2 }
    variant { size_fo_formula_list t }
  =
    match t with FOFNil -> () | FOFCons x q ->
      formula_semantic_depend_only_free_var x m1 m2 rho1 rho2 ;
      formula_list_conj_semantic_depend_only_free_var q m1 m2 rho1 rho2 end

  let rec lemma formula_list_disj_semantic_depend_only_free_var
    (t:fo_formula_list 'ls 'b) (m1 m2:model 'ls 'st)
    (rho1 rho2:'b -> 'st) : unit
    requires { forall f:'ls. is_symbol_free_var_in_fo_formula_list f t ->
      eval m1.interp_fun f = eval m2.interp_fun f /\
      eval m1.interp_pred f = eval m2.interp_pred f }
    requires { forall x:'b. is_fo_term_free_var_in_fo_formula_list x t ->
      rho1 x = rho2 x }
    ensures { formula_list_disj_semantic t m1 rho1 <->
      formula_list_disj_semantic t m2 rho2 }
    variant { size_fo_formula_list t }
  =
    match t with FOFNil -> () | FOFCons x q ->
      formula_semantic_depend_only_free_var x m1 m2 rho1 rho2 ;
      formula_list_disj_semantic_depend_only_free_var q m1 m2 rho1 rho2 end

  predicate formula_list_mem (phi:fo_formula 'ls 'b)
    (l:fo_formula_list 'ls 'b) = match l with
      | FOFNil -> false | FOFCons x q -> x = phi \/ formula_list_mem phi q end

  let rec lemma formula_list_conj_semantic_other_def
    (l:fo_formula_list 'ls 'b) (m:model 'ls 'st)
    (rho:'b -> 'st) : unit
    ensures { formula_list_conj_semantic l m rho <->
      (forall phi:fo_formula 'ls 'b.
        formula_list_mem phi l -> formula_semantic phi m rho) }
    variant { size_fo_formula_list l }
  = match l with FOFNil -> () | FOFCons _ q ->
    formula_list_conj_semantic_other_def q m rho end

  let rec lemma formula_list_disj_semantic_other_def
    (l:fo_formula_list 'ls 'b) (m:model 'ls 'st)
    (rho:'b -> 'st) : unit
    ensures { formula_list_disj_semantic l m rho <->
      (exists phi:fo_formula 'ls 'b.
        formula_list_mem phi l /\ formula_semantic phi m rho) }
    variant { size_fo_formula_list l }
  = match l with FOFNil -> () | FOFCons x q ->
    formula_list_disj_semantic_other_def q m rho end

  (* Problem : validity/unsatifiability are not even axiomatizable in why3,
     since we would have to introduce it from a type quantification.
     However, we can define a demonstrability predicate and show for it
     the same elimination principle as unsatisfiability. *)

  (* Demonstration object (not directly a predicate,
     so we can actually construct the proof object ourselves). *)

  (* G |- A can be read as : for every model+interpretation,
     if /\G is true then A too.
     Which in particular mean : if G |- false, G have no model,
     so we can use G |- false instead of unsat predicate as long
     as it can represent all our demonstration steps. *)

  (*type demonstration 'ls 'b =
    | Axiom
    | ModusPonens (demonstration 'ls 'b) (demonstration 'ls 'b)
      (fo_formula 'ls 'b)
    | Abstraction (demonstration 'ls 'b) (fo_formula 'ls 'b)
      (fo_formula 'ls 'b)
    | ConjunctionIntro (demonstration 'ls 'b) (fo_formula 'ls 'b)
      (demonstration 'ls 'b) (fo_formula 'ls 'b)
    | ConjunctionLeft (demonstration 'ls 'b) (fo_formula 'ls 'b)
    | ConjunctionRight (demonstration 'ls 'b) (fo_formula 'ls 'b)
    | DisjunctionLeft (demonstration 'ls 'b) (fo_formula 'ls 'b)
      (fo_formula 'ls 'b)
    | DisjunctionRight (demonstration 'ls 'b) (fo_formula 'ls 'b)
      (fo_formula 'ls 'b)
    | DisjunctionElim (demonstration 'ls 'b) (demonstration 'ls 'b)
      (demonstration 'ls 'b) (fo_formula 'ls 'b) (fo_formula 'ls 'b)
    | UniversalInstantiation (demonstration 'ls 'b)
      (fo_formula 'ls (option 'b)) (fo_term 'ls 'b)
    | Instantiation (demonstration 'ls 'b)
      (fo_formula_list 'ls 'b)
      (fo_formula 'ls 'b) 'b (fo_term 'ls 'b)
    | ExistentialIntroduction (demonstration 'ls 'b)
      (fo_formula 'ls (option 'b)) (fo_term 'ls 'b)
    | ExistentialElimination (demonstration 'ls 'b)
      (demonstration 'ls 'b)
      (fo_formula 'ls (option 'b)) (fo_formula 'ls (option 'b))
    | PointlessExistential (demonstration 'ls 'b)
    | ExFalso (demonstration 'ls 'b)
    | Trivial
    | Weakening (demonstration 'ls 'b) (fo_formula_list 'ls 'b)
    | Skolemization (demonstration 'ls 'b) (fo_formula 'ls 'b) 'ls*)

  (*predicate is_skolem_axiom (phi:fo_formula 'ls 'b) (f:'ls)
    (env:fo_term_list 'ls 'b) =
    match phi with
      | Forall phi2 -> is_skolem_axiom phi2 f
        (FOCons (Var_fo_term None) (rename_fo_term_list env identity some))
      | Or (Not (Exists phi2)) phi3 ->
        phi3 = subst_fo_formula phi2 subst_id_symbol
          (ocase subst_id_fo_term (App (Var_symbol f) env)) /\
        not(is_symbol_free_var_in_fo_formula f phi2)
      | _ -> false
    end*)

  (*(* Hack to force possibility of instantiation of extend_env
     definition axiom ! *)
  function extend_env_selection (g:(list 'st) -> ('b -> 'st))
    (x:option 'b) (y:'st) (q:list 'st) : 'st = match x with
      | None -> y | Some x -> g q x end
  (* Abstraction-definition axiom :
     function extend_env (g:(list 'st) -> ('b -> 'st) :
       (list 'st) -> ((option 'b) -> 'st) =
       (\ l:list 'st. (\ x:option 'b. match l with
         | Cons y q -> extend_env_selection g x y q
         | Nil -> default ) ) *)
  function extend_env (g:(list 'st) -> ('b -> 'st)) :
    (list 'st) -> ((option 'b) -> 'st)
  axiom extend_env_def : forall g:(list 'st) -> ('b -> 'st),
    l:list 'st,x:option 'b. extend_env g l x =
    match l with
      | Cons y q -> extend_env_selection g x y q
      | Nil -> default
    end

  lemma extend_env_none : forall g:(list 'st) -> ('b -> 'st),
    y:'st,l:list 'st. extend_env g (Cons y l) None = y
  lemma extend_env_some : forall g:(list 'st) -> ('b -> 'st),
    x:'b,y:'st,l:list 'st. extend_env g (Cons y l) (Some x) = g l x*)

  (* Abstraction-definition axiom :
    function skolem_predicate (phi:fo_formula 'ls (option 'b))
      (m:model 'ls 'st) (rho:'b -> 'st) : 'st -> bool =
      (\ x:'st. formula_semantic phi m (ocase rho x) ) *)
  function skolem_predicate (phi:fo_formula 'ls (option 'b))
    (m:model 'ls 'st) (rho:'b -> 'st) : 'st -> bool
  axiom skolem_predicate_def : forall phi:fo_formula 'ls (option 'b),
    m:model 'ls 'st,rho:'b -> 'st,x:'st.
    skolem_predicate phi m rho x <-> formula_semantic phi m (ocase rho x)

  (* Abstraction-definition axiom :
    function skolem_function (phi:fo_formula 'ls (option 'b))
      (m:model 'ls 'st) (g:(list 'st) -> ('b -> 'st)) : (list 'st) -> 'st
      = (\ l:list 'st. choice (skolem_predicate phi m rho (g l)) ) *)
  function skolem_function (phi:fo_formula 'ls (option 'b))
    (m:model 'ls 'st) (g:(list 'st) -> ('b -> 'st)) : (list 'st) -> 'st
  axiom skolem_function_def : forall phi:fo_formula 'ls (option 'b),
    m:model 'ls 'st,g:(list 'st) -> ('b -> 'st),l:list 'st.
    skolem_function phi m g l = choice (skolem_predicate phi m (g l))

  (* Abstraction-definition axiom :
    function skolem_transformer (phi:fo_formula 'ls (option 'b)) (f:'ls)
      (g:(list 'st) -> ('b -> 'st)) : (model 'ls 'st) -> (model 'ls 'st) =
      (\ m:model 'ls 'st.
        {
          interp_fun = m.interp_fun[f <- skolem_function phi m g] ;
          interp_pred = m.interp_pred ;
        }) *)

  function skolem_transformer (phi:fo_formula 'ls (option 'b)) (f:'ls)
    (g:(list 'st) -> ('b -> 'st)) : (model 'ls 'st) -> (model 'ls 'st)
  axiom skolem_transformer_def : forall phi:fo_formula 'ls (option 'b),f:'ls,
    g:(list 'st) -> ('b -> 'st), m:model 'ls 'st.
    skolem_transformer phi f g m = {
      interp_fun = m.interp_fun[f <- skolem_function phi m g] ;
      interp_pred = m.interp_pred ;
    }

  let ghost skolem_model_transformer (phi:fo_formula 'ls (option 'b)) (f:'ls)
    (vars:fo_term_list 'ls 'b)
    (g:(list 'st) -> ('b -> 'st)) : (model 'ls 'st) -> (model 'ls 'st)
    requires { not(is_symbol_free_var_in_fo_formula f phi) }
    requires { forall m:model 'ls 'st, rho:'b -> 'st,x:'b.
      is_fo_term_free_var_in_fo_formula (Some x) phi ->
        g (term_list_semantic vars m rho) x = rho x }
    requires { not(is_symbol_free_var_in_fo_term_list f vars) }
    ensures { forall m:model 'ls 'st.
      m.interp_pred = (result m).interp_pred }
    ensures { forall m:model 'ls 'st,f0:'ls.
      f0 <> f -> eval m.interp_fun f0 = eval (result m).interp_fun f0 }
    ensures { forall m:model 'ls 'st,rho:'b -> 'st.
      formula_semantic (Exists phi) m rho ->
      formula_semantic (subst_fo_formula phi subst_id_symbol
        (ocase subst_id_fo_term (App (Var_symbol f) vars))) (result m) rho }
  =
    let skf = skolem_transformer phi f g in
    let skt = App (Var_symbol f) vars in
    let sks = ocase subst_id_fo_term skt in
    let phi' = subst_fo_formula phi subst_id_symbol sks in
    assert { forall m:model 'ls 'st,rho:'b -> 'st.
      let semf = skolem_function phi m g in
      let skm = skf m in
      let em = term_list_semantic vars m rho in
      let esm = term_list_semantic vars skm rho in
      (skm.interp_fun = m.interp_fun[f <- semf]) &&
      (skm.interp_pred = m.interp_pred) &&
      (em = esm) &&
      (forall x:'st.
        let rhox = ocase rho x in
        let rhox2 = ocase (g em) x in
        (forall y:option 'b.
          is_fo_term_free_var_in_fo_formula y phi ->
            rhox y = rhox2 y) &&
        (formula_semantic phi m rhox <-> formula_semantic phi m rhox2)) &&
      (let s1 = semantic_subst sks skm rho in
       let s2 = ocase rho (semf esm) in
       s1 None = s2 None &&
       (forall y:'b. s1 (Some y) = s2 (Some y)) &&
       extensionalEqual s1 s2 &&
       (forall f':'ls. is_symbol_free_var_in_fo_formula f' phi ->
          eval m.interp_fun f' = eval skm.interp_fun f' /\
          eval m.interp_pred f' = eval skm.interp_pred f') &&
       (forall x:'st.
          let rhox = ocase rho x in
          (formula_semantic phi m (ocase (g em) x) ->
           formula_semantic phi m (ocase (g em) (semf em)) &&
           formula_semantic phi m (ocase rho (semf em)) &&
           formula_semantic phi skm s2 &&
           formula_semantic phi' skm rho) &&
          (formula_semantic phi m rhox ->
           formula_semantic phi' skm rho))) &&
       (formula_semantic (Exists phi) m rho ->
         formula_semantic phi' skm rho)
    } ;
    skf

  (*
  let ghost skolemized_model (phi0:fo_formula 'ls0 'b0) (f0:'ls0)
    (m0:model 'ls0 'st) : model 'ls0 'st
    requires { is_skolem_axiom phi0 f0 FONil }
    requires { forall x:'b0. not(is_fo_term_free_var_in_fo_formula x phi0) }
    ensures { forall rho:'b0 -> 'st.
      formula_semantic phi0 result rho }
    ensures { m0.interp_pred = result.interp_pred }
    ensures { forall f':'ls0. f0 <> f' ->
      eval m0.interp_fun f' = eval result.interp_fun f' }
  =
    let rec aux (phi:fo_formula 'ls 'b) (f:'ls)
      (env:fo_term_list 'ls 'b)
      (g:(list 'st) -> ('b -> 'st))
      (m:model 'ls 'st) : model 'ls 'st
      requires { is_skolem_axiom phi f env }
      requires { forall rho:'b -> 'st,x:'b.
        is_fo_term_free_var_in_fo_formula x phi ->
          g (term_list_semantic env m rho) x = rho x }
      requires { not(is_symbol_free_var_in_fo_term_list f env) }
      ensures { forall rho:'b -> 'st.
        formula_semantic phi result rho }
      ensures { m.interp_pred = result.interp_pred }
      ensures { forall f':'ls. f <> f' ->
        eval m.interp_fun f' = eval result.interp_fun f' }
      variant { size_fo_formula phi }
    =
      match phi with
        | Forall phi2 ->
          let renv = rename_fo_term_list env identity some in
          let nenv = FOCons (Var_fo_term None)
            (rename_fo_term_list env identity some) in
          assert { forall rho:(option 'b) -> 'st,x:option 'b.
            is_fo_term_free_var_in_fo_formula x phi2 ->
              let u = term_list_semantic nenv m rho in
              u = Cons (rho None) (term_list_semantic renv m rho) &&
              match x with
              | None -> rho x = extend_env g u x
              | Some y -> is_fo_term_free_var_in_fo_formula y phi &&
                rcompose some rho y = g (term_list_semantic env m
                  (rcompose some rho)) y = g (term_list_semantic renv m rho) y
                  = extend_env g u x
            end } ;
          aux phi2 f nenv (extend_env g) m
        | Or (Not (Exists phi2)) phi3 ->
          let semf = skolem_function phi2 m g in
          let skm = {
            interp_fun = m.interp_fun[f <- semf] ;
            interp_pred = m.interp_pred ;
          } in
          assert { forall rho:'b -> 'st.
            let em = term_list_semantic env m rho in
            let esm = term_list_semantic env skm rho in
            let skt = App (Var_symbol f) env in
            let sks = ocase subst_id_fo_term skt in
            (em = esm) &&
            (phi3 = subst_fo_formula phi2 subst_id_symbol sks) &&
            (forall x:'st.
             let rhox = ocase rho x in
             let rhox2 = ocase (g em) x in
             (forall y:option 'b.
               is_fo_term_free_var_in_fo_formula y phi2 ->
                 rhox y = rhox2 y) &&
             (formula_semantic phi2 m rhox <->
               formula_semantic phi2 m rhox2)) &&
             (let s1 = semantic_subst sks skm rho in
              let s2 = ocase rho (semf esm) in
              s1 None = s2 None &&
              (forall y:'b. s1 (Some y) = s2 (Some y)) &&
              extensionalEqual s1 s2 &&
            (forall f':'ls. is_symbol_free_var_in_fo_formula f' phi2 ->
              eval m.interp_fun f' = eval skm.interp_fun f' /\
              eval m.interp_pred f' = eval skm.interp_pred f') &&
            (forall x:'st.
             let rhox = ocase rho x in
             (formula_semantic phi2 m (ocase (g em) x) ->
              formula_semantic phi2 m (ocase (g em) (semf em)) &&
              formula_semantic phi2 m (ocase rho (semf em)) &&
              formula_semantic phi2 skm s2 &&
              formula_semantic phi3 skm rho) &&
             (formula_semantic phi2 m rhox <-> formula_semantic phi2 skm rhox)
             && (formula_semantic phi2 skm rhox ->
               formula_semantic phi3 skm rho)))
          } ;
          skm
        | _ -> absurd
      end in
    aux phi0 f0 FONil default m0*)

  (*predicate deducible_from (gamma:fo_formula_list 'ls 'b)
    (phi:fo_formula 'ls 'b) (d:demonstration 'ls 'b) =
    match d with
      | Axiom -> formula_list_mem phi gamma
      | ModusPonens d1 d2 phi2 -> deducible_from gamma phi2 d1 /\
        deducible_from gamma (Or (Not phi2) phi) d2
      | Abstraction d phi1 phi2 ->
        deducible_from (FOFCons phi1 gamma) phi2 d /\
        phi = Or (Not phi1) phi2
      | ConjunctionIntro d1 phi1 d2 phi2 ->
        deducible_from gamma phi1 d1 /\
        deducible_from gamma phi2 d2 /\
        phi = And phi1 phi2
      | ConjunctionLeft d phi2 -> deducible_from gamma (And phi phi2) d
      | ConjunctionRight d phi2 -> deducible_from gamma (And phi2 phi) d
      | DisjunctionLeft d phi1 phi2 ->
        deducible_from gamma phi1 d /\ phi = Or phi1 phi2
      | DisjunctionRight d phi1 phi2 ->
        deducible_from gamma phi2 d /\ phi = Or phi1 phi2
      | DisjunctionElim d1 d2 d3 phi1 phi2 ->
        deducible_from gamma (Or phi1 phi2) d1 /\
        deducible_from gamma (Or (Not phi1) phi) d2 /\
        deducible_from gamma (Or (Not phi2) phi) d3
      | UniversalInstantiation d phi2 t ->
        deducible_from gamma (Forall phi2) d /\
        phi = subst_fo_formula phi2 subst_id_symbol (ocase subst_id_fo_term t)
      | Instantiation d gamma2 phi2 x t ->
        let s = subst_id_fo_term[x<-t] in
        deducible_from gamma2 phi2 d /\
        gamma = subst_fo_formula_list gamma2 subst_id_symbol s /\
        phi = subst_fo_formula phi2 subst_id_symbol s
      | ExistentialIntroduction d phi2 t ->
        phi = Exists phi2 /\
        deducible_from gamma (
          subst_fo_formula phi2 subst_id_symbol (ocase subst_id_fo_term t)) d
      | ExistentialElimination d1 d2 phi1 phi2 ->
        deducible_from gamma (Forall (Or (Not phi1) phi2)) d1 /\
        deducible_from gamma (Exists phi1) d2 /\
        phi = Exists phi2
      | PointlessExistential d ->
        deducible_from gamma (Exists
          (rename_fo_formula phi identity some)) d
      | ExFalso d -> deducible_from gamma FFalse d
      | Trivial -> phi = FTrue
      | Weakening d gamma2 ->
        deducible_from gamma2 phi d /\
        (forall phi0:fo_formula 'ls 'b.
          formula_list_mem phi0 gamma2 ->
          formula_list_mem phi0 gamma)
      | Skolemization d phis f ->
        not(is_symbol_free_var_in_fo_formula_list f gamma) /\
        not(is_symbol_free_var_in_fo_formula f phi) /\
        deducible_from (FOFCons phis gamma) phi d /\
        is_skolem_axiom phis f FONil /\
        (forall x:'b. not(is_fo_term_free_var_in_fo_formula x phis))
    end

  let lemma deducible_correct (gamma0:fo_formula_list 'ls 'b0)
    (phi0:fo_formula 'ls 'b0) (d0:demonstration 'ls 'b0)
    (m0:model 'ls 'st0) (rho0:'b0 -> 'st0) : unit
    requires { deducible_from gamma0 phi0 d0 }
    requires { formula_list_conj_semantic gamma0 m0 rho0 }
    ensures { formula_semantic phi0 m0 rho0 }
  =
    let rec ghost aux (gamma:fo_formula_list 'ls 'b)
      (phi:fo_formula 'ls 'b) (d:demonstration 'ls 'b)
      (m:model 'ls 'st) : unit
      requires { deducible_from gamma phi d }
      ensures { forall rho:'b -> 'st.
        formula_list_conj_semantic gamma m rho ->
        formula_semantic phi m rho }
      variant { d }
    =
      match d with
        | Axiom -> ()
        | ModusPonens d1 d2 phi2 ->
          aux gamma phi2 d1 m ; aux gamma (Or (Not phi2) phi) d2 m
        | Abstraction d1 phi1 phi2 ->
          aux (FOFCons phi1 gamma) phi2 d1 m
        | ConjunctionIntro d1 phi1 d2 phi2 ->
          aux gamma phi1 d1 m ; aux gamma phi2 d2 m
        | ConjunctionLeft d1 phi2 -> aux gamma (And phi phi2) d1 m
        | ConjunctionRight d1 phi2 -> aux gamma (And phi2 phi) d1 m
        | DisjunctionLeft d1 phi1 phi2 -> aux gamma phi1 d1 m
        | DisjunctionRight d1 phi1 phi2 -> aux gamma phi2 d1 m
        | DisjunctionElim d1 d2 d3 phi1 phi2 -> aux gamma (Or phi1 phi2) d1 m ;
          aux gamma (Or (Not phi1) phi) d2 m ;
          aux gamma (Or (Not phi2) phi) d3 m
        | UniversalInstantiation d1 phi2 t -> aux gamma (Forall phi2) d1 m ;
          assert { forall rho:'b -> 'st.
            let f1 = semantic_subst (ocase subst_id_fo_term t) m rho in
            let f2 = ocase rho (term_semantic t m rho) in
            (forall x:option 'b. match x with
              | None -> f1 None = f2 None
              | Some z -> f1 (Some z) = f2 (Some z) end && f1 x = f2 x)
            && extensionalEqual f1 f2 && f1 = f2 }
        | Instantiation d gamma2 phi2 x t -> aux gamma2 phi2 d m
        | ExistentialIntroduction d phi2 t ->
          let s = ocase subst_id_fo_term t in
          let phi3 = subst_fo_formula phi2 subst_id_symbol s in
          aux gamma phi3 d m ;
          assert { forall rho:'b -> 'st.
            let f1 = semantic_subst (ocase subst_id_fo_term t) m rho in
            let f2 = ocase rho (term_semantic t m rho) in
            (forall x:option 'b. match x with
              | None -> f1 None = f2 None
              | Some z -> f1 (Some z) = f2 (Some z) end && f1 x = f2 x)
            && extensionalEqual f1 f2 && f1 = f2 }
        | ExistentialElimination d1 d2 phi1 phi2 ->
          aux gamma (Forall (Or (Not phi1) phi2)) d1 m ;
          aux gamma (Exists phi1) d2 m
        | PointlessExistential d ->
          let phi2 = rename_fo_formula phi identity some in
          assert { phi2 = subst_fo_formula phi
            (rcompose identity subst_id_symbol)
            (rcompose some subst_id_fo_term) } ;
          assert { forall rho:'b -> 'st,x:'st.
            formula_semantic phi2 m (ocase rho x) <->
            formula_semantic phi m rho } ;
          aux gamma (Exists (rename_fo_formula phi identity some)) d m
        | ExFalso d -> aux gamma FFalse d m
        | Trivial -> ()
        | Weakening d2 gamma2 -> aux gamma2 phi d2 m
        | Skolemization d phis f ->
          let skm = skolemized_model phis f m in
          assert { forall rho:'b -> 'st.
            (formula_list_conj_semantic gamma m rho
              <-> formula_list_conj_semantic gamma skm rho) /\
            (formula_semantic phi m rho <->
              formula_semantic phi skm rho) } ;
          aux (FOFCons phis gamma) phi d skm
        | _ -> absurd
      end in
    aux gamma0 phi0 d0 m0

  predicate entail (gamma:fo_formula_list 'ls 'b)
    (phi:fo_formula 'ls 'b) =
    exists d:demonstration 'ls 'b.
      deducible_from gamma phi d

  predicate unsat (gamma:fo_formula_list 'ls 'b) =
    entail gamma FFalse

  predicate valid (phi:fo_formula 'ls 'b) =
    entail FOFNil phi

  lemma entail_correct : forall gamma:fo_formula_list 'ls 'b,
    phi:fo_formula 'ls 'b,m:model 'ls 'st,rho:'b -> 'st.
    entail gamma phi ->
      formula_list_conj_semantic gamma m rho -> formula_semantic phi m rho

  lemma unsat_correct : forall gamma:fo_formula_list 'ls 'b,
    m:model 'ls 'st,rho:'b -> 'st.
    unsat gamma -> not(formula_list_conj_semantic gamma m rho)

  lemma valid_correct : forall phi:fo_formula 'ls 'b,
    m:model 'ls 'st,rho:'b -> 'st.
    valid phi -> formula_semantic phi m rho

  function imply (phi1 phi2:fo_formula 'ls 'b) : fo_formula 'ls 'b =
    Or (Not phi1) phi2

  function equiv (phi1 phi2:fo_formula 'ls 'b) : fo_formula 'ls 'b =
    And (imply phi1 phi2) (imply phi2 phi1)

  type sequent 'ls 'b = {
    demo : demonstration 'ls 'b ;
    context : fo_formula_list 'ls 'b ;
    conclusion : fo_formula 'ls 'b ;
  }

  predicate sequent_correct (s:sequent 'ls 'b) =
    deducible_from s.context s.conclusion s.demo

  let ghost make_axiom (gamma:fo_formula_list 'ls 'b)
    (phi:fo_formula 'ls 'b) : sequent 'ls 'b
    requires { formula_list_mem phi gamma }
    ensures { sequent_correct result }
    ensures { result.context = gamma }
    ensures { result.conclusion = phi }
  = { demo = Axiom ; context = gamma ; conclusion = phi }

  let ghost make_abstraction (s:sequent 'ls 'b) :
    sequent 'ls 'b
    requires { sequent_correct s }
    requires { match s.context with FOFNil -> false | _ -> true end }
    ensures { sequent_correct result }
    ensures { match s.context with FOFNil -> false | FOFCons x q ->
      result.context = q /\ result.conclusion = imply x s.conclusion end }
  = match s.context with FOFNil -> absurd
      | FOFCons x q -> { demo = Abstraction s.demo x s.conclusion ;
        context = q ; conclusion = imply x s.conclusion }
    end

  let ghost modus_ponens (s1 s2:sequent 'ls 'b) : sequent 'ls 'b
    requires { sequent_correct s1 /\ sequent_correct s2 }
    requires { match s1.conclusion with
      | Or (Not phi1) phi2 -> s2.conclusion = phi1
      | _ -> false end }
    requires { s1.context = s2.context }
    ensures { sequent_correct result }
    ensures { result.context = s1.context }
    ensures { match s1.conclusion with
      | Or _ phi2 -> result.conclusion = phi2
      | _ -> false end }
  = match s1.conclusion with
    | Or (Not phi1) phi2 -> { demo = ModusPonens s2.demo s1.demo phi1 ;
        context = s1.context ;
        conclusion = phi2 }
    | _ -> absurd end

  let ghost make_classical (gamma:fo_formula_list 'ls 'b)
    (phi:fo_formula 'ls 'b) : sequent 'ls 'b
    ensures { sequent_correct result }
    ensures { result.context = gamma }
    ensures { result.conclusion = Or (Not phi) phi }
  = make_abstraction (make_axiom (FOFCons phi gamma) phi)

  let ghost disjunction_elimination (s1 s2 s3:sequent 'ls 'b) : sequent 'ls 'b
    requires { sequent_correct s1 /\ sequent_correct s2 /\ sequent_correct s3 }
    requires { match s1.conclusion , s2.conclusion , s3.conclusion with
      | Or phi1 phi2 , Or (Not phi1') phi3 , Or (Not phi2') phi3' ->
        phi1 = phi1' /\ phi2 = phi2' /\ phi3 = phi3'
      | _ -> false end }
    requires { s1.context = s2.context = s3.context }
    ensures { sequent_correct result }
    ensures { result.context = s1.context }
    ensures { match s3.conclusion with
      | Or _ phi3 -> result.conclusion = phi3
      | _ -> false end }
  =
    match s1.conclusion , s3.conclusion with
      | Or phi1 phi2 , Or _ phi3 ->
        { demo = DisjunctionElim s1.demo s2.demo s3.demo phi1 phi2 ;
          context = s1.context ;
          conclusion = phi3 ; }
      | _ -> absurd
    end

  let ghost disjunction_left (s:sequent 'ls 'b) (phi2:fo_formula 'ls 'b) :
    sequent 'ls 'b
    requires { sequent_correct s }
    ensures { sequent_correct result }
    ensures { result.conclusion = Or s.conclusion phi2 }
    ensures { s.context = result.context }
  =
    { demo = DisjunctionLeft s.demo s.conclusion phi2 ;
      context = s.context ;
      conclusion = Or s.conclusion phi2 }

  let ghost disjunction_right (phi1:fo_formula 'ls 'b) (s:sequent 'ls 'b) :
    sequent 'ls 'b
    requires { sequent_correct s }
    ensures { sequent_correct result }
    ensures { result.conclusion = Or phi1 s.conclusion }
    ensures { s.context = result.context }
  =
    { demo = DisjunctionRight s.demo phi1 s.conclusion ;
      context = s.context ;
      conclusion = Or phi1 s.conclusion }

  let ghost conjunction (s1 s2:sequent 'ls 'b) : sequent 'ls 'b
    requires { sequent_correct s1 /\ sequent_correct s2 }
    requires { s1.context = s2.context }
    ensures { sequent_correct result }
    ensures { result.context = s1.context }
    ensures { result.conclusion = And s1.conclusion s2.conclusion }
  =
    { demo = ConjunctionIntro s1.demo s1.conclusion s2.demo s2.conclusion ;
      context = s1.context ;
      conclusion = And s1.conclusion s2.conclusion }

  let ghost conjunction_left (s:sequent 'ls 'b) : sequent 'ls 'b
    requires { sequent_correct s }
    requires { match s.conclusion with And _ _ -> true | _ -> false end }
    ensures { sequent_correct result }
    ensures { result.context = s.context }
    ensures { match s.conclusion with And phi _ -> result.conclusion = phi
      | _ -> false end }
  = match s.conclusion with
      | And phi1 phi2 -> { demo = ConjunctionLeft s.demo phi2 ;
        context = s.context ;
        conclusion = phi1 }
      | _ -> absurd
    end

  let ghost conjunction_right (s:sequent 'ls 'b) : sequent 'ls 'b
    requires { sequent_correct s }
    requires { match s.conclusion with And _ _ -> true | _ -> false end }
    ensures { sequent_correct result }
    ensures { result.context = s.context }
    ensures { match s.conclusion with And _ phi -> result.conclusion = phi
      | _ -> false end }
  = match s.conclusion with
      | And phi2 phi1 -> { demo = ConjunctionRight s.demo phi2 ;
        context = s.context ;
        conclusion = phi1 }
      | _ -> absurd
    end

  let ghost exfalso (s:sequent 'ls 'b) (phi:fo_formula 'ls 'b) : sequent 'ls 'b
    requires { sequent_correct s }
    requires { match s.conclusion with FFalse -> true | _ -> false end }
    ensures { sequent_correct result }
    ensures { result.context = s.context }
    ensures { result.conclusion = phi }
  = { demo = ExFalso s.demo ; context = s.context ; conclusion = phi }

  let ghost make_trivial (gamma:fo_formula_list 'ls 'b) : sequent 'ls 'b
    ensures { sequent_correct result }
    ensures { result.context = gamma }
    ensures { result.conclusion = FTrue }
  = { demo = Trivial ; context = gamma ; conclusion = FTrue }

  let ghost weaken (gamma:fo_formula_list 'ls 'b)
    (s:sequent 'ls 'b) : sequent 'ls 'b
    requires { sequent_correct s }
    requires { forall phi:fo_formula 'ls 'b.
      formula_list_mem phi s.context -> formula_list_mem phi gamma }
    ensures { sequent_correct result }
    ensures { result.context = gamma }
    ensures { result.conclusion = s.conclusion }
  = { demo = Weakening s.demo s.context ;
      context = gamma ;
      conclusion = s.conclusion }

  let ghost skolem_elim (f:'ls) (s:sequent 'ls 'b) : sequent 'ls 'b
    requires { sequent_correct s }
    requires { match s.context with FOFCons phis gamma ->
      is_skolem_axiom phis f FONil /\
      (forall x:'b. not(is_fo_term_free_var_in_fo_formula x phis)) /\
      not(is_symbol_free_var_in_fo_formula_list f gamma)
      | _ -> false end }
    requires { not(is_symbol_free_var_in_fo_formula f s.conclusion) }
    ensures { sequent_correct result }
    ensures { match s.context with FOFCons _ gamma -> result.context = gamma
      | _ -> false end }
    ensures { result.conclusion = s.conclusion }
  = match s.context with FOFCons phis gamma ->
      { demo = Skolemization s.demo phis f ;
        context = gamma ;
        conclusion = s.conclusion }
      | _ -> absurd end

  let ghost conjunction_commutative (s:sequent 'ls 'b) : sequent 'ls 'b
    requires { sequent_correct s }
    requires { match s.conclusion with And _ _ -> true | _ -> false end }
    ensures { sequent_correct result }
    ensures { result.context = s.context }
    ensures { match s.conclusion with And phi1 phi2 ->
      result.conclusion = And phi2 phi1 | _ -> false end }
  = conjunction (conjunction_right s) (conjunction_left s)

  let ghost equiv_reflexive (gamma:fo_formula_list 'ls 'b)
    (phi:fo_formula 'ls 'b) : sequent 'ls 'b
    ensures { sequent_correct result }
    ensures { result.context = gamma }
    ensures { result.conclusion = equiv phi phi }
  =
    let u = make_classical gamma phi in
    conjunction u u

  (*

  let ghost imply_or_morphism (gamma:fo_formula_list 'ls 'b)
    (phi1 phi2 phi3 phi4:fo_formula 'ls 'b)
    (d1 d2:demonstration 'ls 'b) : demonstration 'ls 'b
    requires { deducible_from gamma (imply phi1 phi3) d1 }
    requires { deducible_from gamma (imply phi2 phi4) d2 }
    ensures { deducible_from gamma
     (imply (Or phi1 phi2) (Or phi3 phi4)) result }
  =
    let o34 = Or phi3 phi4 in
    let o12 = Or phi1 phi2 in
    let gamma12 = FOFCons o12 gamma in
    let gamma121 = FOFCons phi1 gamma12 in
    let gamma122 = FOFCons phi2 gamma12 in
    let d1 = modus_ponens gamma121 phi1 phi3
      (weaken gamma gamma121 (imply phi1 phi3) d1)
      (make_axiom gamma121 phi1) in
    let d2 = modus_ponens gamma122 phi2 phi4
      (weaken gamma gamma122 (imply phi2 phi4) d2)
      (make_axiom gamma122 phi2) in
    disjunction_elimination gamma12 phi1 phi2 o34
      (make_axiom gamma12 o12)
      (make_abstraction gamma12 phi1 o34
        (disjunction_left gamma121 phi3 phi4 d1))
      (make_abstraction gamma12 phi2 o34
        (disjunction_right gamma122 phi3 phi4 d2))

  let ghost equiv_or_morphism (gamma:fo_formula_list 'ls 'b)
    (phi1 phi2 phi3 phi4:fo_formula 'ls 'b)
    (d1 d2:demonstration 'ls 'b) : demonstration 'ls 'b
    requires { deducible_from gamma (equiv phi1 phi3) d1 }
    requires { deducible_from gamma (equiv phi2 phi4) d2 }
    ensures { deducible_from gamma
      (equiv (Or phi1 phi2) (Or phi3 phi4)) result }
  =
    let (o12,o34) = (Or phi1 phi2,Or phi3 phi4) in
    let way1 = imply_or_morphism gamma phi1 phi2 phi3 phi4
      (conjunction_left gamma (imply phi1 phi3) (imply phi3 phi1) d1)
      (conjunction_left gamma (imply phi2 phi4) (imply phi4 phi2) d2) in
    let way2 = imply_or_morphism gamma phi3 phi4 phi1 phi2
      (conjunction_right gamma (imply phi1 phi3) (imply phi3 phi1) d1)
      (conjunction_right gamma (imply phi2 phi4) (imply phi4 phi2) d2) in
    conjunction (imply o12 o34) (imply o34 o12) way1 way2
  *)


  (*
  let ghost disjunction_commutation (gamma:fo_formula_list 'ls 'b)
    (phi1 phi2:fo_formula 'ls 'b) (d:demonstration 'ls 'b) :
    demonstration 'ls 'b
    requires { deducible_from gamma (Or phi1 phi2) d }
    ensures { deducible_from gamma (Or phi2 phi1) result }
  =
    let o = Or phi2 phi1 in
    let (gamma1,gamma2) = (FOFCons phi1 gamma,FOFCons phi2 gamma) in
    let d1 = disjunction_right gamma1 phi2 phi1 (make_axiom gamma1 phi1) in
    let d2 = disjunction_left gamma2 phi2 phi1 (make_axiom gamma2 phi2) in
    let d1 = make_abstraction gamma phi1 o d1 in
    let d2 = make_abstraction gamma phi2 o d2 in
    disjunction_elimination gamma phi1 phi2 o d d1 d2

  let ghost disjunction_associative_r (gamma:fo_formula_list 'ls 'b)
    (phi1 phi2 phi3:fo_formula 'ls 'b) (d:demonstration 'ls 'b) :
    demonstration 'ls 'b
    requires { deducible_from gamma (Or (Or phi1 phi2) phi3) d }
    ensures { deducible_from gamma (Or phi1 (Or phi2 phi3)) result }
  =
    let o12 = Or phi1 phi2 in
    let o23 = Or phi2 phi3 in
    let ob = Or o12 phi3 in
    let oa = Or phi1 o23 in
    let gamma12 = FOFCons o12 gamma in
    let gamma1 = FOFCons phi1 gamma12 in
    let gamma2 = FOFCons phi2 gamma12 in
    let gamma3 = FOFCons phi3 gamma in
    let d1 = disjunction_left gamma1 phi1 o23
      (make_axiom gamma1 phi1) in
    let d2 = disjunction_right gamma2 phi1 o23
      (disjunction_left gamma2 phi2 phi3 (make_axiom gamma2 phi2)) in
    let d1 = make_abstraction gamma12 phi1 oa d1 in
    let d2 = make_abstraction gamma12 phi2 oa d2 in
    let d12 = disjunction_elimination gamma12 phi1 phi2 oa
      (make_axiom gamma12 o12) d1 d2 in
    let d3 = disjunction_right gamma3 phi1 o23
      (disjunction_right gamma3 phi2 phi3 (make_axiom gamma3 phi3)) in
    let d12 = make_abstraction gamma o12 oa d12 in
    let d3 = make_abstraction gamma phi3 oa d3 in
    disjunction_elimination gamma o12 phi3 oa d d12 d3

  let ghost disjunction_associative_l (gamma:fo_formula_list 'ls 'b)
    (phi1 phi2 phi3:fo_formula 'ls 'b) (d:demonstration 'ls 'b) :
    demonstration 'ls 'b
    requires { deducible_from gamma (Or phi1 (Or phi2 phi3)) d }
    ensures { deducible_from gamma (Or (Or phi1 phi2) phi3) result }
  =
    let o23 = Or phi2 phi3 in
    let o12 = Or phi1 phi2 in
    let ob = Or phi1 o23 in
    let oa = Or o12 phi3 in
    let gamma23 = FOFCons o23 gamma in
    let gamma3 = FOFCons phi3 gamma23 in
    let gamma2 = FOFCons phi2 gamma23 in
    let gamma1 = FOFCons phi1 gamma in
    let d3 = disjunction_right gamma3 o12 phi3
      (make_axiom gamma3 phi3) in
    let d2 = disjunction_left gamma2 o12 phi3
      (disjunction_right gamma2 phi1 phi2 (make_axiom gamma2 phi2)) in
    let d3 = make_abstraction gamma23 phi3 oa d3 in
    let d2 = make_abstraction gamma23 phi2 oa d2 in
    let d23 = disjunction_elimination gamma23 phi2 phi3 oa
      (make_axiom gamma23 o23) d2 d3 in
    let d1 = disjunction_left gamma1 o12 phi3
      (disjunction_left gamma1 phi1 phi2 (make_axiom gamma1 phi1)) in
    let d23 = make_abstraction gamma o23 oa d23 in
    let d1 = make_abstraction gamma phi1 oa d1 in
    disjunction_elimination gamma phi1 o23 oa d d1 d23
  *)

  (*
  let ghost double_negation_elimination (gamma:fo_formula_list 'ls 'b)
    (phi:fo_formula 'ls 'b) (d:demonstration 'ls 'b) :
    demonstration 'ls 'b
    requires { deducible_from gamma (Not (Not phi)) d }
    ensures { deducible_from gamma phi result }
  =
    let nphi = Not phi in
    let nnphi = Not nphi in
    let d0 = make_classical gamma phi in
    let d2 = disjunction_left gamma nnphi phi d in
    disjunction_elimination gamma nphi phi phi d0 d2 d0
  *)

  (*let ghost false_neutral_left_disjunction (gamma:fo_formula_list 'ls 'b)
    (phi:fo_formula 'ls 'b) (d:demonstration 'ls 'b) :
    demonstration 'ls 'b
    requires { deducible_from gamma (Or FFalse phi) d }
    ensures { deducible_from gamma phi result }
  =
    let d1 = Abstraction (ExFalso Axiom) FFalse phi in
    let d2 = Abstraction Axiom phi phi in
    DisjunctionElim d d1 d2 FFalse phi

  let ghost false_neutral_right_disjunction (gamma:fo_formula_list 'ls 'b)
    (phi:fo_formula 'ls 'b) (d:demonstration 'ls 'b) :
    demonstration 'ls 'b
    requires { deducible_from gamma (Or phi FFalse) d }
    ensures { deducible_from gamma phi result }
  =
    false_neutral_left_disjunction gamma phi
      (disjunction_commutation gamma phi FFalse d)*)

  (*(* Now we do not need the demonstration object anymore. *)

  let lemma entail_axiom (gamma:fo_formula_list 'ls 'b)
    (phi:fo_formula 'ls 'b) : unit
    requires { formula_list_mem phi gamma }
    ensures { entail gamma phi }
  =
    ()

  let lemma entail_modus_ponens (gamma:fo_formula_list 'ls 'b)
    (phi1 phi2:fo_formula 'ls 'b) : unit
    requires { entail gamma phi1 /\ entail gamma (Or (Not phi1) phi2) }
    ensures { entail gamma phi2 }
  =
    assert { forall d1 d2:demonstration 'ls 'b.
      deducible_from gamma phi1 d1 /\
      deducible_from gamma (Or (Not phi1) phi2) d2 ->
      deducible_from gamma phi2 (ModusPonens d1 d2 phi1) }

  let lemma entail_abstraction (gamma:fo_formula_list 'ls 'b)
    (phi1 phi2:fo_formula 'ls 'b) : unit
    requires { entail (FOFCons phi1 gamma) phi2 }
    ensures { entail gamma (Or (Not phi1) phi2) }
  =
    assert { forall d:demonstration 'ls 'b.
      deducible_from (FOFCons phi1 gamma) phi2 d ->
      deducible_from gamma (Or (Not phi1) phi2) (Abstraction d phi1 phi2) }

  let lemma entail_conjunction (gamma:fo_formula_list 'ls 'b)
    (phi1 phi2:fo_formula 'ls 'b) : unit
    ensures { entail gamma (And phi1 phi2)
      <-> entail gamma phi1 /\ entail gamma phi2 }
  =
    assert { forall d:demonstration 'ls 'b.
      deducible_from gamma (And phi1 phi2) d ->
      deducible_from gamma phi1 (ConjunctionLeft d phi2) /\
      deducible_from gamma phi2 (ConjunctionRight d phi1) } ;
    assert { forall d1 d2:demonstration 'ls 'b.
      deducible_from gamma phi1 d1 /\
      deducible_from gamma phi2 d2 ->
      deducible_from gamma (And phi1 phi2) (ConjunctionIntro d1 phi1 d2 phi2) }

  let lemma entail_disjunction_left (gamma:fo_formula_list 'ls 'b)
    (phi1 phi2:fo_formula 'ls 'b)
    requires { entail gamma phi1 }
    ensures { entail gamma (Or phi1 phi2) }
  =
    assert { forall d:demonstration 'ls 'b.
      deducible_from gamma phi1 d ->
      deducible_from gamma (Or phi1 phi2) (DisjunctionLeft d phi1 phi2) }

  let lemma entail_disjunction_right (gamma:fo_formula_list 'ls 'b)
    (phi1 phi2:fo_formula 'ls 'b)
    requires { entail gamma phi2 }
    ensures { entail gamma (Or phi1 phi2) }
  =
    assert { forall d:demonstration 'ls 'b.
      deducible_from gamma phi2 d ->
      deducible_from gamma (Or phi1 phi2) (DisjunctionRight d phi1 phi2) }

  let lemma entail_disjunction_elim (gamma:fo_formula_list 'ls 'b)
    (phi1 phi2 phi3:fo_formula 'ls 'b)
    requires { entail gamma (Or phi1 phi2) }
    requires { entail gamma (Or (Not phi1) phi3) }
    requires { entail gamma (Or (Not phi2) phi3) }
    ensures { entail gamma phi3 }
  =
    assert { forall d1 d2 d3:demonstration 'ls 'b.
      deducible_from gamma (Or phi1 phi2) d1 /\
      deducible_from gamma (Or (Not phi1) phi3) d2 /\
      deducible_from gamma (Or (Not phi2) phi3) d3 ->
      deducible_from gamma phi3 (DisjunctionElim d1 d2 d3 phi1 phi2) }

  let lemma entail_universal_instantiation (gamma:fo_formula_list 'ls 'b)
    (phi:fo_formula 'ls (option 'b)) (t:fo_term 'ls 'b)
    requires { entail gamma (Forall phi) }
    ensures { entail gamma (subst_fo_formula phi
      (ocase subst_id_fo_term t)) }
  =
    assert { forall d:demonstration 'ls 'b.
      deducible_from gamma (Forall phi) d ->
      deducible_from gamma (subst_fo_formula phi
        (ocase subst_id_fo_term t)) (UniversalInstantiation d phi t) }

  let lemma entail_instantiation (gamma:fo_formula_list 'ls 'b)
    (phi:fo_formula 'ls 'b) (x:'b) (t:fo_term 'ls 'b)
    requires { entail gamma phi }
    ensures { let s = subst_id_fo_term[x<-t] in
      entail (subst_fo_formula_list gamma s) (subst_fo_formula phi s) }
  =
    let s = subst_id_fo_term[x<-t] in
    assert { forall d:demonstration 'ls 'b.
      deducible_from gamma phi d ->
      deducible_from (subst_fo_formula_list gamma s)
        (subst_fo_formula phi s) (Instantiation d gamma phi x t) }

  let lemma entail_existential_introduction (gamma:fo_formula_list 'ls 'b)
    (phi:fo_formula 'ls (option 'b)) (t:fo_term 'ls 'b)
    requires { entail gamma (subst_fo_formula phi
      (ocase subst_id_fo_term t)) }
    ensures { entail gamma (Exists phi) }
  =
    assert { forall d:demonstration 'ls 'b.
      deducible_from gamma (subst_fo_formula phi
        (ocase subst_id_fo_term t)) d ->
      deducible_from gamma (Exists phi) (ExistentialIntroduction d phi t) }

  let lemma entail_existential_elimination (gamma:fo_formula_list 'ls 'b)
    (phi1 phi2:fo_formula 'ls (option 'b))
    requires { entail gamma (Forall (Or (Not phi1) phi2)) }
    requires { entail gamma (Exists phi1) }
    ensures { entail gamma (Exists phi2) }
  =
    assert { forall d1 d2:demonstration 'ls 'b.
      deducible_from gamma (Forall (Or (Not phi1) phi2)) d1 /\
      deducible_from gamma (Exists phi1) d2 ->
      deducible_from gamma (Exists phi2)
        (ExistentialElimination d1 d2 phi1 phi2) }

  let lemma disjunction_commutative (gamma:fo_formula_list 'ls 'b)
    (phi1 phi2:fo_formula 'ls 'b)
    requires { entail gamma (Or phi1 phi2) }
    ensures { entail gamma (Or phi2 phi1) }
  =
    entail_axiom (FOFCons phi1 gamma) phi1 ;
    entail_axiom (FOFCons phi2 gamma) phi2 ;
    entail_disjunction_right (FOFCons phi1 gamma) phi2 phi1 ;
    entail_disjunction_left (FOFCons phi2 gamma) phi2 phi1 ;
    entail_disjunction_elim gamma phi1 phi2 (Or phi2 phi1)*)
  *)
end
why3-1.6.0/examples/prover/Firstorder_semantics/000077500000000000000000000000001440160026300217305ustar00rootroot00000000000000why3-1.6.0/examples/prover/Firstorder_semantics/why3session.xml000066400000000000000000000575541440160026300247700ustar00rootroot00000000000000










 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
 
 
 
 
  
  
  
  
  
  
  
  
  
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
 
 
 
 
 
 
 
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
  
  
  
  
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
  
  
  
  
  
  
  
  
 
 
 
 
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
 
 
 
 
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
 
 
 
 
 
 
 
 
 
 
  
  
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
  
  
  
  
  
  
  
  
  
  
  
  
  
 
 



why3-1.6.0/examples/prover/Firstorder_semantics/why3shapes.gz000066400000000000000000000261761440160026300244040ustar00rootroot00000000000000}[oܸ{
y2
шQz
(swޗTUҒJUq9NpǖDrq]uI{rӧycn~_~mVlex?q];wǧ&~x9~
cxl"yVmOzGKOGx>O:|>%n]wy_[5[{
޺[0Ne{??>-]˭SR؇CR;aB-qaևDw>I#@7J99Nm[}^@Ȉ”["O{H?3f*{B@Bg
(ITK_-i!ϒ4m_}|s`ɥ{@i$֢N~}zytC9;Dbӧ/5/5Z<:
DO@ʞnY+RC.4
)CzH*mG47
-7p#FD4V0m|R>C^vD/K7~;t	0sI;˱ned#xN'FOO`j%=0bx֧;ړ,pbs}ކ'Z,qH}eRne?_}_kקO1_-u	+V&ĭ>s$:pSNotS?U	C'?߱^A?>Č%FȿU;=l:JU`mm0:=2px$=}>$$ҌaϏMi`:wFߩ4_'=PoԴ{;\_E޲*'Iem~ɟȤw7&٣F=O?@wub8}8>=B43v]̾YJc;:Iu$+QxCAn'LuJNGҨhɔ:OYTvJ$qs"?"GL?5sHS)Yo$$"bem>V[c@p_Ҵvq%Ԃ	ODѭnt]%Y
Dm,QA'T>Jъ_1oڬ_w歩)&Ȧ0d?ywSSʧ	R+wϵ]MYe8-帉`	kB?SXrɠby<^^ _3<>BO!E)+_e4rTKL84'l+䫼^1zBѱQĥ
b.R o_t
1}1$ZSH6y#LzUR&SM&ü5Ի16y[;CKFԫ7켫eg	H?;	utO]|;rw%,VFƇ›ʯukI8嘫WOcל
 ro#+ΩR|,M眇Mw.Ɯ˳B+oWxKr,ȔRESPrh47Vgi
9rDNhӞ&L%{閚r,KkUjDiZOmpwO]c;0nԧZR+k9"RAe
k5%yN=GkW7ZPO7s],'?:oRc6H8d/N,3tooe\x)H\u6L{_c$xtgi<&C X%oo9TbcG?y;3hʤa<.n-ti̖?OO3Yucmz,?F㥿p> pOo?4֜ EVnxz%dp[=, &/e'6+wW)98u:QUM'z-vK5NJA۴Yu$DВJz5O؇L-SGΓV'UQI"/_;VrzsQ:%;bmE.'&0cԂ{FZBR'Mk95ҥ2*鞆dI:G.9"d\hch9Fd	Mc3z1q	K\̴y9og)VLLf‡ӷk	&Y{;⤵aG]@Ŏ9&{SN=/9o,r2
7j&Rd9~ӲN"q!qf:9H9zֳO`o[^nŭ7g蒟d91Yl\ɼqg?)L=t3jB$tMO!!ߓ{.#1D8&979?93y\ [xMt'J|Bq=:XOaoĥ
CLs=?Ο,E9ya_ɟU؜꾻?~&)EئY"fF=S4KN$A:@B7㲵ߦ:}:u9aPQ6}>_u9^ᆝ+Ps#$il
%7qD6m	|<=;ȈTWӧez󊲍*)A:Ni
g8L?~WjNYM6&9M6&ul
)&+")G#P`q`dک<׬3/Žj`*ޱx̒	]"^IC^sF*هO^N^y-L$=mӿWjd@10}>_սH!7ɚOr?l򎞞7[OL/]MW K}#*uyI숶gsevz=a"_
V&UA
]z}f	y;E6nX":8=/wI"Zr_B5jzIBfp;*qY..-Φ}^<>kGuIAhHKd;7ty1
^ݝD$I$C!ŠKЎ>7}b/>LYs	S
LN_?u;>OE~Oo?ZDv#5Oo?[̼Ջrv֥O[vW'=/|byB%:h1imŽ9o4kEv,YdY9;d_+s,s-]YC]QKgtEꊦuE~s@"
bw׻b@?oZ'r=M)Dr=
bji5nEHzGjD	"Zz.hGyو׀G
(VO\㉕r
'K+Mh"J~-8#Ǝ/;yzbzQگk{䒡d7a37m׹WS}	K~xEEJgP1xMUF/
ߛ*Kd	WUTa^sRMW4ek׀?yؽG\t[lg[QJ,Pm-ؾa7\wmRe~H:! 
/͗+w~#=1<>edR=6zn`|"WGa:5'T|Na~*/S&`M=K5+jIwRkG(&ݗxF~mc+/n9N
3ƎE!"EMmID.DHѺ$V9JeTr=7YvTX]P_
ij^R'y/`d(ڗVI:Ӆ3DZ3-tzrPui.uz#LuNVOfz?u9:s:ZԴΥ:ZWR\zΥ\zΥWչ)D_?${kUoDg.$W;I
K˹5]]`#3;YC_}B"Rr(zg}<.PiD@Z
Hqe+$W٢	fg&o~Vx«u액Ϛ-кn+FlN]DrqKC;'7ot?ǝ>eGޔDVs`,r˴;kIY?V5L!e:2˧py9_:+N|vcIΞz(/<)iwx_Y<:y"N^&qե}`R&t'	aI,qgʄDrݜR&I!t%I*y]%ڔ%ڔ1g=6~XoF݆c_Vd|ryf9f]O,'BttWE+{'=ˆNىsMRؽJ5k2C-8Ȇ<jCzx/A"ڹ>sMaTg^F9|WBq:MzA¸}YrK

zqBӧgo1#}oSfP5e^@B2YTnEgCbsveʋ-m~w^uOUovMC=玞S~;oF2Bf~y`Q]e{-goDCL8Y^FMuCdʕP*׊Lw=ZcCa=R}[eJݨA^.. 䧽{Օq.6V4,%ObМ
-:X ڔfX[Fi}Uk.b#p(]({~65X|ԟFmm|6mv^!wu7G;q^4v>Y^gDD=Y;5ǍߘNxiR6zi^Rxi^E";-scw-Hu1E޽H>65\3ލ;7smb[QG~zkm/pZc!޻#>O],T]w{.A"rNf5Ez?"}I"gu™o	—z?f(ys*iY@Hi#<:c.syM~ӗDs|F
>h#AC,߅2]Žiè~#%j,.QaJbMK=x
={eɻͰS"FvtS?,_)u%{,v\Ţ=GrGgn,E%'wEW3.or{whʒ	uցk?ԛ
?wgL7y2<@84q5HL쨱+w*0x>C_j>W9c&sP9w84NZInܙno(œ1Nyhj߃qm%+B_m{RKy5ϫyyΩXC wmfs@-ẁ@/w%\
F6'a:ZB65=î!0D
O_1{̹bm"CE>qō+n|1݁W A-ˏp?#<	3^m;XKʱr++@囁PZNʺ,8BV8r;#Gq#Ry4X+\`
Evv;GÈSI+6
>CC|Ffe05HQlT5fDTVւ-M-&"_ɜ:0yĵkLqS
lw*Q"LF[a×\՚ic˙5:2fJ¸uA-ǀ3z|+jFÜ[̙lĪAf7*1F̑X&:J|A
	u "*a
G21VGi~#d
ZtF'F0,+7IkUR/eFm
?ik gYĽZZX
֍o ϖJ!JP6
egt"&,
)BhнYBl
B1`C
lࣹ.22Ec3Vm#M<щqTcmZ69J2ūr奤StA7m=5,cnyp}[9ӵVZDUkY\fpǁ'HY
jDꡍ]Bvΐ
ƒ2q`ƴ& :mwga9D_b2$;n\d)XXppT4IBF7+9i2h(`W!0MC%SY!A2Z+t]2BVCy	xElK!,6״ژR/Fhع¹شpU2-]x~!s
?hƜUF])
~:vĺ\Hf6zEt*@b%L!4
:ַ5ip.2	-gwhy3-1.6.0/examples/prover/Firstorder_symbol_impl.mlw000066400000000000000000000256321440160026300230210ustar00rootroot00000000000000module Types
  use option.Option
  use int.Int
  use Nat.Nat
  use Functions.Func
  use OptionFuncs.Funcs
  use Sum.Sum
  use Firstorder_symbol_spec.Spec
  type nl_symbol 'b0 = | NLFVar_symbol 'b0
    | NLBruijn_symbol int
    
  
  type nlimpl_symbol =
    { nlrepr_symbol_field : nl_symbol int ;
      nlfree_var_symbol_set_abstraction_symbol_field : int ;
      ghost model_symbol_field : symbol int ;
    }
  
  type cons_symbol = | NLCVar_symbol int
  
  
end

module Logic
  use option.Option
  use int.Int
  use Nat.Nat
  use Functions.Func
  use OptionFuncs.Funcs
  use Sum.Sum
  use Firstorder_symbol_spec.Spec
  use Types
  function nat_nlsize_symbol (t:nl_symbol 'b0) : nat =
    match t with | NLFVar_symbol v0 -> one_nat
      | NLBruijn_symbol v0 -> one_nat
    end
  
  with nlsize_symbol (t:nl_symbol 'b0) : int =
    match t with | NLFVar_symbol v0 -> 1 | NLBruijn_symbol v0 -> 1 end
  
  let rec lemma nlsize_positive_lemma_symbol (t:nl_symbol 'b0) : unit
    ensures { nlsize_symbol t > 0 }
    variant { nat_to_int (nat_nlsize_symbol t) } =
    match t with | NLFVar_symbol v0 -> () | NLBruijn_symbol v0 -> () end
  
  (* Abstraction definition axiom :
      function shiftb_symbol (bnd: int -> (symbol 'b0)) :
         int -> (symbol (option 'b0)) =
        (\ i:int.
           if i = 0 then Var_symbol None else rename_symbol (bnd (i-1)) some)*)
  function shiftb_symbol (bnd: int -> (symbol 'b0)) :
     int -> (symbol (option 'b0))
  axiom shiftb_symbol_definition :
    forall bnd: int -> (symbol 'b0), i:int.
      eval (shiftb_symbol bnd) i =
        if i = 0 then Var_symbol None else rename_symbol (bnd (i-1)) some
  
  let lemma shiftb_compose_lemma_symbol (bnd: int -> (symbol 'b0))
    (s0:'b0 -> (symbol 'c0)) : unit
    ensures { subst_compose_symbol (shiftb_symbol bnd) (olifts_symbol s0) =
      shiftb_symbol (subst_compose_symbol bnd s0) }
    =
    assert {
      forall i:int. (i = 0 \/ i <> 0) ->
        subst_symbol (shiftb_symbol bnd i) (olifts_symbol s0) =
        eval (shiftb_symbol (subst_compose_symbol bnd s0)) i
      } ;
    assert {
      extensionalEqual
        (subst_compose_symbol (shiftb_symbol bnd) (olifts_symbol s0))
        (shiftb_symbol (subst_compose_symbol bnd s0))
      }
  
  function nlmodel_symbol (t:nl_symbol 'b0) (fr0:'b0 -> (symbol 'c0))
    (bnd0: int -> (symbol 'c0)) : symbol 'c0 =
    match t with | NLFVar_symbol v0 -> fr0 v0 | NLBruijn_symbol v0 -> bnd0 v0
    end
  
  let rec lemma nlmodel_subst_commutation_lemma_symbol (t:nl_symbol 'b0)
    (fr0:'b0 -> (symbol 'c0)) (bnd0: int -> (symbol 'c0))
    (s0:'c0 -> (symbol 'd0)) : unit
    ensures {
      nlmodel_symbol t (subst_compose_symbol fr0 s0)
        (subst_compose_symbol bnd0 s0)
      = subst_symbol (nlmodel_symbol t fr0 bnd0) s0 }
    variant { nlsize_symbol t } =
    match t with | NLFVar_symbol v0 -> () | NLBruijn_symbol v0 -> () end
  
  let lemma nlmodel_rename_commutation_lemma_symbol (t:nl_symbol 'b0)
    (fr0:'b0 -> (symbol 'c0)) (bnd0: int -> (symbol 'c0)) (s0:'c0 -> 'd0) :
    unit
    ensures {
      nlmodel_symbol t (rename_subst_symbol fr0 s0)
        (rename_subst_symbol bnd0 s0)
      = rename_symbol (nlmodel_symbol t fr0 bnd0) s0 }
    =
    nlmodel_subst_commutation_lemma_symbol t fr0 bnd0
      (subst_of_rename_symbol s0)
  
  predicate correct_indexes_symbol (t:nl_symbol 'b0) =
    match t with | NLFVar_symbol v0 -> true | NLBruijn_symbol v0 -> v0 >= 0
    end
  
  function bound_depth_of_symbol_in_symbol (t:nl_symbol 'b0) : int =
    match t with | NLFVar_symbol v0 -> 0 | NLBruijn_symbol v0 -> 1 + v0 end
  
  let rec lemma bound_depth_of_symbol_in_symbol_nonnegative
    (t:nl_symbol 'b0) : unit requires { correct_indexes_symbol t }
    ensures { bound_depth_of_symbol_in_symbol t >= 0 }
    variant { nlsize_symbol t } =
    match t with | NLFVar_symbol v0 -> () | NLBruijn_symbol v0 -> () end
  
  let rec lemma model_equal_symbol (t:nl_symbol 'b0)
    (fr10: 'b0 -> (symbol 'c0)) (fr20: 'b0 -> (symbol 'c0))
    (bnd10: int -> (symbol 'c0)) (bnd20: int -> (symbol 'c0)) : unit
    requires {
      forall i:int. 0 <= i < bound_depth_of_symbol_in_symbol t ->  bnd10 i =
        bnd20 i
      }
    requires { fr10 = fr20 } requires { correct_indexes_symbol t }
    ensures { nlmodel_symbol t fr10 bnd10 = nlmodel_symbol t fr20 bnd20 }
    variant { nlsize_symbol t } =
    match t with | NLFVar_symbol v0 -> () | NLBruijn_symbol v0 -> () end
  
  predicate nlimpl_symbol_ok (t:nlimpl_symbol) =
    nlmodel_symbol t.nlrepr_symbol_field subst_id_symbol
      (const (Var_symbol ((-1)))) = t.model_symbol_field
    /\ correct_indexes_symbol t.nlrepr_symbol_field /\
    bound_depth_of_symbol_in_symbol t.nlrepr_symbol_field = 0 /\
    (forall x:int. is_symbol_free_var_in_symbol x t.model_symbol_field -> (x)
       < (t.nlfree_var_symbol_set_abstraction_symbol_field))
  
  predicate cons_ok_symbol (c:cons_symbol) =
    match c with | NLCVar_symbol v0 -> true end
  
  predicate cons_rel_symbol (c:cons_symbol) (t:nlimpl_symbol) =
    match c with | NLCVar_symbol v0 -> t.model_symbol_field = Var_symbol v0
    end
  
  predicate cons_open_rel_symbol (c:cons_symbol) (t:nlimpl_symbol) =
    match c with | NLCVar_symbol v0 -> t.model_symbol_field = Var_symbol v0
    end
  
  
end

module Impl
  use option.Option
  use int.Int
  use Nat.Nat
  use Functions.Func
  use OptionFuncs.Funcs
  use Sum.Sum
  use Firstorder_symbol_spec.Spec
  use Types
  use Logic
  let rec bind_var_symbol_in_symbol (t:nl_symbol int) (x:int) (i:int)
    (ghost fr0: int -> (symbol 'b0)) (ghost bnd0: int -> (symbol 'b0)) :
    nl_symbol int requires { correct_indexes_symbol t }
    requires { bound_depth_of_symbol_in_symbol t <= i }
    ensures { bound_depth_of_symbol_in_symbol result <= i + 1 }
    ensures { correct_indexes_symbol result }
    ensures { nlmodel_symbol result fr0 bnd0 =
      nlmodel_symbol t (update fr0 x (bnd0 i)) bnd0 }
    =
    match t with
      | NLFVar_symbol v0 ->
        if v0 = x then NLBruijn_symbol i else NLFVar_symbol v0
      | NLBruijn_symbol v0 -> NLBruijn_symbol v0
    end
  
  let rec unbind_var_symbol_in_symbol (t:nl_symbol int) (i:int)
    (x:nl_symbol int) (ghost fr0: int -> (symbol 'b0))
    (ghost bnd10: int -> (symbol 'b0)) (ghost bnd20: int -> (symbol 'b0)) :
    nl_symbol int requires { i >= 0 } requires { correct_indexes_symbol t }
    requires { bound_depth_of_symbol_in_symbol t <= i + 1 }
    requires { correct_indexes_symbol x }
    requires { bound_depth_of_symbol_in_symbol x = 0 }
    ensures { correct_indexes_symbol result }
    ensures { bound_depth_of_symbol_in_symbol result <= i }
    ensures { nlmodel_symbol result fr0 bnd10 =
      nlmodel_symbol t fr0 (update bnd10 i (nlmodel_symbol x fr0 bnd20)) }
    =
    match t with | NLFVar_symbol v0 -> NLFVar_symbol v0
      | NLBruijn_symbol v0 ->
        if v0 = i then (model_equal_symbol x fr0 fr0 bnd10 bnd20 ; x)
          else NLBruijn_symbol v0
    end
  
  let rec subst_base_symbol_in_symbol (t:nl_symbol int) (x:int)
    (u:nl_symbol int) (ghost fr0: int -> (symbol 'b0))
    (ghost bnd10: int -> (symbol 'b0)) (ghost bnd20: int -> (symbol 'b0)) :
    nl_symbol int requires { correct_indexes_symbol t }
    requires { correct_indexes_symbol u }
    requires { bound_depth_of_symbol_in_symbol u = 0 }
    ensures { correct_indexes_symbol result }
     ensures { bound_depth_of_symbol_in_symbol result =
       bound_depth_of_symbol_in_symbol t }
    ensures { nlmodel_symbol result fr0 bnd10 =
      nlmodel_symbol t (update fr0 x (nlmodel_symbol u fr0 bnd20)) bnd10 }
    =
    match t with
      | NLFVar_symbol v0 ->
        if v0 = x then (model_equal_symbol u fr0 fr0 bnd10 bnd20 ; u)
          else NLFVar_symbol v0
      | NLBruijn_symbol v0 -> NLBruijn_symbol v0
    end
  
  let construct_symbol (c:cons_symbol) : nlimpl_symbol
    requires { cons_ok_symbol c } ensures { nlimpl_symbol_ok result }
    ensures { cons_rel_symbol c result }
    (*ensures { cons_open_rel_symbol c result }*) =
    match c with
      | NLCVar_symbol v0 ->
        { nlrepr_symbol_field = NLFVar_symbol v0 ;
          nlfree_var_symbol_set_abstraction_symbol_field = (1 + (v0)) ;
          model_symbol_field = ghost (Var_symbol v0) ;
        }
    end
  
  let destruct_symbol (t:nlimpl_symbol) : cons_symbol
    requires { nlimpl_symbol_ok t } ensures { cons_ok_symbol result }
    ensures { cons_rel_symbol result t }
    ensures { cons_open_rel_symbol result t } =
    let fv0 = t.nlfree_var_symbol_set_abstraction_symbol_field in
    match t.nlrepr_symbol_field with | NLFVar_symbol v0 -> NLCVar_symbol v0
      | NLBruijn_symbol v0 -> absurd
    end
  
  let nlsubst_symbol_in_symbol (t:nlimpl_symbol) (x:int) (u:nlimpl_symbol) :
    nlimpl_symbol requires { nlimpl_symbol_ok t }
    requires { nlimpl_symbol_ok u } ensures { nlimpl_symbol_ok result }
    ensures { result.model_symbol_field =
      subst_symbol t.model_symbol_field
        (update (subst_id_symbol: (int) -> (symbol (int))) x
           u.model_symbol_field)
      }
    =
    model_equal_symbol t.nlrepr_symbol_field
      (subst_compose_symbol subst_id_symbol
         ((update (subst_id_symbol: (int) -> (symbol (int))) x
             u.model_symbol_field)))
      ((update (subst_id_symbol: (int) -> (symbol (int))) x
          u.model_symbol_field))
      (subst_compose_symbol (const (Var_symbol (-1)))
         ((update (subst_id_symbol: (int) -> (symbol (int))) x
             u.model_symbol_field)))
      ((const (Var_symbol (-1))));
    let res =
      {
        nlrepr_symbol_field =
          subst_base_symbol_in_symbol t.nlrepr_symbol_field x
            u.nlrepr_symbol_field (subst_id_symbol)
            ((const (Var_symbol (-1)))) ((const (Var_symbol (-1)))) ;
        nlfree_var_symbol_set_abstraction_symbol_field =
          (let aux (a:int) (b:int) : int
             ensures { result >= a /\ result >= b } = if a < b then b else a
             in
             aux (t.nlfree_var_symbol_set_abstraction_symbol_field)
               (u.nlfree_var_symbol_set_abstraction_symbol_field)) ;
        model_symbol_field = ghost
          subst_symbol t.model_symbol_field
            (update (subst_id_symbol: (int) -> (symbol (int))) x
               u.model_symbol_field) ;
      }
    in
    assert {
      forall x2:int. is_symbol_free_var_in_symbol x2 res.model_symbol_field
        ->
        (true /\
           (forall y:int.
              (is_symbol_free_var_in_symbol y t.model_symbol_field /\
                 is_symbol_free_var_in_symbol x2
                   (eval
                      ((update (subst_id_symbol: (int) -> (symbol (int))) x
                          u.model_symbol_field))
                      y))
              ->
              ((x = y -> (x2) <
                  (res.nlfree_var_symbol_set_abstraction_symbol_field))
                 /\
                 (x <> y -> x2 = y && (x2) <
                    (res.nlfree_var_symbol_set_abstraction_symbol_field)))
                 && (x2) <
                 (res.nlfree_var_symbol_set_abstraction_symbol_field)))
        && (x2) < (res.nlfree_var_symbol_set_abstraction_symbol_field)
      } ;
    res
  
  
end


why3-1.6.0/examples/prover/Firstorder_symbol_impl/000077500000000000000000000000001440160026300222705ustar00rootroot00000000000000why3-1.6.0/examples/prover/Firstorder_symbol_impl/why3session.xml000066400000000000000000000170731440160026300253200ustar00rootroot00000000000000








 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 


 
 
 
 
 
 
 
 
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
 
 
 
 
 
 
 
 
 
 
  
  
   
   
    
    
    
   
   
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
  
  
  
  
   
   
    
    
    
    
    
    
    
    
    
    
    
    
   
   
  
  
  
  
  
 
 



why3-1.6.0/examples/prover/Firstorder_symbol_impl/why3shapes.gz000066400000000000000000000056071440160026300247400ustar00rootroot00000000000000\[o~ׯ[],H
l}Y5Nb3ĖXq38CDyѧZϗ觿TYܯ	w?}lmmVo?V(.W]z
wo+sm'soqcU&s
6Rz"kڪ[?-`֧Y;;/i&	LYz-m0;|p=Sos
qvaEP묩LGSic6
-x?/!IsԾƨƤ\k-ɈaYL-W6܇?Y3-EIx/RqìČ(.&8*};k(vdio;ܐtN4,DћM4VrsMo扝])jJܚu0¶ѼZ.MSn+M
}l;QzVXt};1ج%B%dp&A@F6w2M䓓ȸm)MT*ftAƛmRӿB'޹J_ΡCv0M	KeX9=L:'  Ctρx1H*cD7B*TT~u#/~fYhC)6)]D7m,]YKyCzbg}h@yM7`ӒflX:ne¹?gcvu,}1!P_jѴc.aH9B"gP_Go//^rPoy,QmLџ/[Y}=)51,AT4ep˸Rgb+qC=qC⶝\LۛzCM/z`
N}so׫k
=6ޟiZ\ݑ)PZӃ{jtqɑ/Lbar"9Q!`b>]~`\Ef,vA4P~dHI4{ȟ!9,#N){ᅔ!φ<G]՜䨼N=38پW5(AZZsv4ʐ;Ll*D!T3
	*
ϿKTC>	|TS}VzVw#RB`~4.8L00?Qdda J2x3p\U*`
z/~>yAD8N'v[o븄f8pv[lܟPnҎ0N5@1XV؄.#`T6&qiAtw'@Bf-_o)RT~|BJBC>]1Cg{E60U=^7|lZt+/9=0F:pg~1=̡=9t9ɋ՛9ZJ+9ﻙC
1,pW72piU׏>YθlpF-93
=gH/S|P%la-sV-h`ozu^;?.mZʉϿvGRñ!WRVUau2NEUA̜e(NU:JIG|&tB*!WV(@̹ HMDdQ\Pc.DR8'fL&z/. "WE)sx	&l8że#ØrFRA[1N*6Dyp#'XUIMy	;Mg#'UC'$#F
`*NHR}ZsFEe$L$qGXdoK+N""\X$F	k"'d{("*
3,B3wi^,xǛxiGP7"byb`
kSHdF(PR$#m{83֋*A16JHj0̝dɄ+ -.Rg;0,$OULPr"QqƊ,&ƃG3BFg1U!Xt,F&ue1]QKθ	*y/CI*A3R9A,4icrkLf8^	9H#*GRcUQAYV@4
@C9Уi	GOkވpiqD{5%f	%Eg1Q!0Ғh!ĕX{%9*J9'	eP!"Jb
nT*@Uao dL=bIr-P$6LۭBp. 4	+ \q"t$qX`4<0aWxBsx)c1Ad1

"XAESXews#ZK0!Jx00 %`QUijwhy3-1.6.0/examples/prover/Firstorder_symbol_spec.mlw000066400000000000000000000354771440160026300230220ustar00rootroot00000000000000module Spec
  use option.Option
  use int.Int
  use Nat.Nat
  use Functions.Func
  use OptionFuncs.Funcs
  use Sum.Sum
  type symbol 'b0 = | Var_symbol 'b0


  function nat_size_symbol (t:symbol 'b0) : nat =
    match t with | Var_symbol v0 -> one_nat end

  with size_symbol (t:symbol 'b0) : int = match t with | Var_symbol v0 -> 1
    end

  let rec lemma size_positive_lemma_symbol (t:symbol 'b0) : unit
    ensures { size_symbol t > 0 } variant { nat_to_int (nat_size_symbol t) }
    = match t with | Var_symbol v0 -> () end

  let function rename_symbol (t:symbol 'b0) (s0:'b0 -> 'c0) : symbol 'c0 =
    match t with | Var_symbol v0 -> Var_symbol (s0 v0) end

  let rec lemma renaming_composition_lemma_symbol (t:symbol 'b0)
    (s10:'b0 -> 'c0) (s20:'c0 -> 'd0) : unit
    ensures { rename_symbol (rename_symbol t s10) s20 =
      rename_symbol t (rcompose s10 s20) }
    variant { size_symbol t } = match t with | Var_symbol v0 -> () end

  let rec lemma renaming_identity_lemma_symbol (t:symbol 'b0) : unit
    ensures { rename_symbol t identity = t } variant { size_symbol t } =
    match t with | Var_symbol v0 -> () end

  (* Abstraction definition axiom :
      function rename_subst_symbol (s0:'b0 -> (symbol 'c0))
        (s10:'c0 -> 'd0) : 'b0 -> (symbol 'd0) =
        (\ x:'b0.rename_symbol (s0 x) s10)
      *)
  function rename_subst_symbol (s0:'b0 -> (symbol 'c0)) (s10:'c0 -> 'd0) :
    'b0 -> (symbol 'd0)
  axiom rename_subst_symbol_definition :
    forall s0:'b0 -> (symbol 'c0), s10:'c0 -> 'd0, x:'b0.
    rename_subst_symbol s0 s10 x = rename_symbol (s0 x) s10

  let lemma associativity_subst_rename_rename_lemma_symbol
    (s1:'b0 -> (symbol 'c0)) (s20:'c0 -> 'd0) (s30:'d0 -> 'e0) : unit
    ensures { rename_subst_symbol s1 (rcompose s20 s30) =
      rename_subst_symbol (rename_subst_symbol s1 s20) s30 }
    =
    assert {
      extensionalEqual (rename_subst_symbol s1 (rcompose s20 s30))
        (rename_subst_symbol (rename_subst_symbol s1 s20) s30)
      }

  let lemma associativity_rename_subst_rename_lemma_symbol (s1:'b0 -> 'c0)
    (s20:'c0 -> (symbol 'd0)) (s30:'d0 -> 'e0) : unit
    ensures { rcompose s1 (rename_subst_symbol s20 s30) =
      rename_subst_symbol (rcompose s1 s20) s30 }
    =
    assert {
      extensionalEqual (rcompose s1 (rename_subst_symbol s20 s30))
        (rename_subst_symbol (rcompose s1 s20) s30)
      }

  let lemma right_rename_subst_by_identity_lemma_symbol
    (s0:'b0 -> (symbol 'c0)) : unit
    ensures { rename_subst_symbol s0 identity = s0 } =
    assert { extensionalEqual (rename_subst_symbol s0 identity) (s0) }

  function olifts_symbol (s:'b0 -> (symbol 'c0)) :
    (option 'b0) -> (symbol (option 'c0)) =
    ocase (rename_subst_symbol s some) (Var_symbol None)

  let lemma olifts_composition_lemma_rename_subst_symbol (s1:'b0 -> 'c0)
    (s20:'c0 -> (symbol 'd0)) : unit
    ensures { (olifts_symbol (rcompose s1 s20)) =
      rcompose (olift s1) (olifts_symbol s20) }
    =
    assert {
      forall x:option 'b0.
        match x with | None ->
          eval ((olifts_symbol (rcompose s1 s20))) x =
            eval (rcompose (olift s1) (olifts_symbol s20)) x
          | Some y ->
          eval ((olifts_symbol (rcompose s1 s20))) x =
            eval (rcompose s1 (rename_subst_symbol s20 some)) y =
            eval ((rename_subst_symbol (olifts_symbol s20) identity)) (
              rcompose s1 some y) =
            eval (rcompose (olift s1) (olifts_symbol s20)) x
        end
      } ;
    assert {
      extensionalEqual ((olifts_symbol (rcompose s1 s20)))
        (rcompose (olift s1) (olifts_symbol s20))
      }

  let lemma olifts_composition_lemma_subst_rename_symbol
    (s1:'b0 -> (symbol 'c0)) (s20:'c0 -> 'd0) : unit
    ensures { (olifts_symbol (rename_subst_symbol s1 s20)) =
      rename_subst_symbol (olifts_symbol s1) (olift s20) }
    =
    assert {
      forall x:option 'b0.
        match x with | None ->
          eval ((olifts_symbol (rename_subst_symbol s1 s20))) x =
            eval (rename_subst_symbol (olifts_symbol s1) (olift s20)) x
          | Some y ->
          eval ((olifts_symbol (rename_subst_symbol s1 s20))) x =
            eval (rename_subst_symbol s1 (rcompose s20 some)) y =
            rename_symbol (rename_symbol (s1 y) some) (olift s20) =
            eval (rename_subst_symbol (olifts_symbol s1) (olift s20)) x
        end
      } ;
    assert {
      extensionalEqual ((olifts_symbol (rename_subst_symbol s1 s20)))
        (rename_subst_symbol (olifts_symbol s1) (olift s20))
      }

  function subst_symbol (t:symbol 'b0) (s0:'b0 -> (symbol 'c0)) : symbol 'c0
    = match t with | Var_symbol v0 -> s0 v0 end

  let rec lemma rename_then_subst_composition_lemma_symbol (t:symbol 'b0)
    (s10:'b0 -> 'c0) (s20:'c0 -> (symbol 'd0)) : unit
    ensures { subst_symbol (rename_symbol t s10) s20 =
      subst_symbol t (rcompose s10 s20) }
    variant { size_symbol t } = match t with | Var_symbol v0 -> () end

  let rec lemma subst_then_rename_composition_lemma_symbol (t:symbol 'b0)
    (s10:'b0 -> (symbol 'c0)) (s20:'c0 -> 'd0) : unit
    ensures { rename_symbol (subst_symbol t s10) s20 =
      subst_symbol t (rename_subst_symbol s10 s20) }
    variant { size_symbol t } = match t with | Var_symbol v0 -> () end

  (* Abstraction definition axiom :
      function subst_compose_symbol (s0:'b0 -> (symbol 'c0))
        (s10:'c0 -> (symbol 'd0)) : 'b0 -> (symbol 'd0) =
        (\ x:'b0.subst_symbol (s0 x) s10)
      *)
  function subst_compose_symbol (s0:'b0 -> (symbol 'c0))
    (s10:'c0 -> (symbol 'd0)) : 'b0 -> (symbol 'd0)
  axiom subst_compose_symbol_definition :
    forall s0:'b0 -> (symbol 'c0), s10:'c0 -> (symbol 'd0), x:'b0.
    subst_compose_symbol s0 s10 x = subst_symbol (s0 x) s10

  let lemma associativity_rename_subst_subst_lemma_symbol (s1:'b0 -> 'c0)
    (s20:'c0 -> (symbol 'd0)) (s30:'d0 -> (symbol 'e0)) : unit
    ensures { rcompose s1 (subst_compose_symbol s20 s30) =
      subst_compose_symbol (rcompose s1 s20) s30 }
    =
    assert {
      extensionalEqual (rcompose s1 (subst_compose_symbol s20 s30))
        (subst_compose_symbol (rcompose s1 s20) s30)
      }

  let lemma associativity_subst_rename_subst_lemma_symbol
    (s1:'b0 -> (symbol 'c0)) (s20:'c0 -> 'd0) (s30:'d0 -> (symbol 'e0)) :
    unit
    ensures { subst_compose_symbol s1 (rcompose s20 s30) =
      subst_compose_symbol (rename_subst_symbol s1 s20) s30 }
    =
    assert {
      extensionalEqual (subst_compose_symbol s1 (rcompose s20 s30))
        (subst_compose_symbol (rename_subst_symbol s1 s20) s30)
      }

  let lemma associativity_subst_subst_rename_lemma_symbol
    (s1:'b0 -> (symbol 'c0)) (s20:'c0 -> (symbol 'd0)) (s30:'d0 -> 'e0) :
    unit
    ensures { subst_compose_symbol s1 (rename_subst_symbol s20 s30) =
      rename_subst_symbol (subst_compose_symbol s1 s20) s30 }
    =
    assert {
      extensionalEqual
        (subst_compose_symbol s1 (rename_subst_symbol s20 s30))
        (rename_subst_symbol (subst_compose_symbol s1 s20) s30)
      }

  let lemma olifts_composition_lemma_subst_subst_symbol
    (s1:'b0 -> (symbol 'c0)) (s20:'c0 -> (symbol 'd0)) : unit
    ensures { (olifts_symbol (subst_compose_symbol s1 s20)) =
      subst_compose_symbol (olifts_symbol s1) (olifts_symbol s20) }
    =
    assert {
      forall x:option 'b0.
        match x with | None ->
          eval ((olifts_symbol (subst_compose_symbol s1 s20))) x =
            eval
              (subst_compose_symbol (olifts_symbol s1) (olifts_symbol s20)) x
          | Some y ->
          eval ((olifts_symbol (subst_compose_symbol s1 s20))) x =
            eval (subst_compose_symbol s1 (rename_subst_symbol s20 some)) y =
            subst_symbol (rename_symbol (s1 y) some)
              (rename_subst_symbol (olifts_symbol s20) identity) =
            eval
              (subst_compose_symbol (olifts_symbol s1) (olifts_symbol s20)) x
        end
      } ;
    assert {
      extensionalEqual ((olifts_symbol (subst_compose_symbol s1 s20)))
        (subst_compose_symbol (olifts_symbol s1) (olifts_symbol s20))
      }

  let rec lemma subst_composition_lemma_symbol (t:symbol 'b0)
    (s10:'b0 -> (symbol 'c0)) (s20:'c0 -> (symbol 'd0)) : unit
    ensures { subst_symbol (subst_symbol t s10) s20 =
      subst_symbol t (subst_compose_symbol s10 s20) }
    variant { size_symbol t } = match t with | Var_symbol v0 -> () end

  let lemma associativity_subst_subst_subst_lemma_symbol
    (s1:'b0 -> (symbol 'c0)) (s20:'c0 -> (symbol 'd0))
    (s30:'d0 -> (symbol 'e0)) : unit
    ensures { subst_compose_symbol s1 (subst_compose_symbol s20 s30) =
      subst_compose_symbol (subst_compose_symbol s1 s20) s30 }
    =
    assert {
      extensionalEqual
        (subst_compose_symbol s1 (subst_compose_symbol s20 s30))
        (subst_compose_symbol (subst_compose_symbol s1 s20) s30)
      }

  (* Abstraction definition axiom :
      constant subst_id_symbol : 'b0 -> (symbol 'b0) =
        (\ x:'b0. Var_symbol x)*)
  constant subst_id_symbol : 'b0 -> (symbol 'b0)
  axiom subst_id_symbol_definition :
    forall x:'b0.
      eval (subst_id_symbol : 'b0 -> (symbol 'b0)) x = Var_symbol x

  function subst_of_rename_symbol (r:'b0 -> 'c0) : 'b0 -> (symbol 'c0) =
    rcompose r subst_id_symbol

  let lemma olifts_identity_symbol (_:'b0) : unit
    ensures { (olifts_symbol (subst_id_symbol : 'b0 -> (symbol 'b0))) =
      subst_id_symbol }
    =
    assert {
      forall x:option 'b0.
        match x with
          | None ->
            eval ((olifts_symbol (subst_id_symbol : 'b0 -> (symbol 'b0)))) x
            = eval (subst_id_symbol) x
          | Some y ->
            eval ((olifts_symbol (subst_id_symbol : 'b0 -> (symbol 'b0)))) x
            = eval (subst_id_symbol) x
        end
      } ;
    assert { extensionalEqual
      ((olifts_symbol (subst_id_symbol : 'b0 -> (symbol 'b0))))
      (subst_id_symbol) }

  let lemma left_rename_subst_identity_lemma_symbol (s0:'b0 -> 'c0) : unit
    ensures { rename_subst_symbol (subst_id_symbol : 'b0 -> (symbol 'b0)) s0
      = subst_of_rename_symbol s0 }
    =
    assert {
      extensionalEqual
        (rename_subst_symbol (subst_id_symbol : 'b0 -> (symbol 'b0)) s0)
        (subst_of_rename_symbol s0)
      }

  let rec lemma subst_identity_lemma_symbol (t:symbol 'b0) : unit
    ensures { subst_symbol t subst_id_symbol = t } variant { size_symbol t }
    = match t with | Var_symbol v0 -> () end

  let lemma left_subst_subst_identity_lemma_symbol (s0:'b0 -> (symbol 'c0)) :
    unit
    ensures { subst_compose_symbol (subst_id_symbol : 'b0 -> (symbol 'b0)) s0
      = s0 }
    =
    assert {
      extensionalEqual
        (subst_compose_symbol (subst_id_symbol : 'b0 -> (symbol 'b0)) s0)
        (s0)
      }

  let lemma right_subst_subst_by_identity_lemma_symbol
    (s0:'b0 -> (symbol 'c0)) : unit
    ensures { subst_compose_symbol s0 subst_id_symbol = s0 } =
    assert { extensionalEqual (subst_compose_symbol s0 subst_id_symbol) (s0)
      }

  let rec lemma renaming_preserve_size_symbol (t:symbol 'b0)
    (s0:'b0 -> 'c0) : unit
    ensures { size_symbol (rename_symbol t s0) = size_symbol t }
    variant { size_symbol t } = match t with | Var_symbol v0 -> () end

  predicate is_symbol_free_var_in_symbol (x:'b0) (t:symbol 'b0) =
    match t with | Var_symbol v0 -> v0 = x end

  let rec ghost rename_free_var_constructive_inversion_symbol_symbol (x:'c0)
    (t:symbol 'b0) (s0:'b0 -> 'c0) : 'b0
    requires { is_symbol_free_var_in_symbol x (rename_symbol t s0) }
    ensures { is_symbol_free_var_in_symbol result t /\ s0 result = x }
    variant { size_symbol t } = match t with | Var_symbol v0 -> v0 end

  with lemma rename_free_var_inversion_symbol_symbol (x:'c0) (t:symbol 'b0)
    (s0:'b0 -> 'c0) : unit
    requires { is_symbol_free_var_in_symbol x (rename_symbol t s0) }
    ensures { exists y:'b0. is_symbol_free_var_in_symbol y t /\ s0 y = x }
    variant { 1 + size_symbol t } =
    let sumx = rename_free_var_constructive_inversion_symbol_symbol x t s0 in
    ()

  let rec lemma rename_free_var_propagation_symbol_symbol (x:'b0)
    (t:symbol 'b0) (s0:'b0 -> 'c0) : unit
    ensures { is_symbol_free_var_in_symbol x t ->
      is_symbol_free_var_in_symbol (s0 x) (rename_symbol t s0) }
    variant { size_symbol t } = match t with | Var_symbol v0 -> () end

  let rec ghost subst_free_var_constructive_inversion_symbol_symbol (x:'c0)
    (t:symbol 'b0) (s0:'b0 -> (symbol 'c0)) : 'b0
    requires { is_symbol_free_var_in_symbol x (subst_symbol t s0) }
    ensures { let sumx = result in is_symbol_free_var_in_symbol sumx t /\
      is_symbol_free_var_in_symbol x (s0 sumx) }
    variant { size_symbol t } = match t with | Var_symbol v0 -> v0 end

  with lemma subst_free_var_inversion_symbol_symbol (x:'c0) (t:symbol 'b0)
    (s0:'b0 -> (symbol 'c0)) : unit
    requires { is_symbol_free_var_in_symbol x (subst_symbol t s0) }
    ensures {
      (exists y:'b0. is_symbol_free_var_in_symbol y t /\
         is_symbol_free_var_in_symbol x (s0 y))
      }
    variant { 1 + size_symbol t } =
    let sumx = subst_free_var_constructive_inversion_symbol_symbol x t s0 in
    ()

  let rec lemma subst_free_var_propagation_symbol_symbol_symbol (x:'b0)
    (y:'c0) (t:symbol 'b0) (s0:'b0 -> (symbol 'c0)):  unit
    ensures {
      is_symbol_free_var_in_symbol x t /\
        is_symbol_free_var_in_symbol y (s0 x) ->
      is_symbol_free_var_in_symbol y (subst_symbol t s0) }
    variant { size_symbol t } = match t with | Var_symbol v0 -> () end

  let rec lemma free_var_equivalence_of_subst_symbol (t:symbol 'b0)
    (s10:'b0 -> (symbol 'c0)) (s20:'b0 -> (symbol 'c0)) : unit
    requires {
      forall x:'b0. is_symbol_free_var_in_symbol x t -> s10 x = s20 x }
    ensures { subst_symbol t s10 = subst_symbol t s20 }
    variant { size_symbol t } = match t with | Var_symbol v0 -> () end

  let lemma free_var_equivalence_of_rename_symbol (t:symbol 'b0)
    (s10:'b0 -> 'c0) (s20:'b0 -> 'c0) : unit
    requires {
      forall x:'b0. is_symbol_free_var_in_symbol x t -> s10 x = s20 x }
    ensures { rename_symbol t s10 = rename_symbol t s20 } =
    free_var_equivalence_of_subst_symbol t (subst_of_rename_symbol s10)
      (subst_of_rename_symbol s20)

  let rec lemma free_var_derive_equivalence_of_subst_symbol (t:symbol 'b0)
    (s10:'b0 -> (symbol 'c0)) (s20:'b0 -> (symbol 'c0)) : unit
    ensures { forall x:'b0. is_symbol_free_var_in_symbol x t -> s10 x = s20 x
      }
    requires { subst_symbol t s10 = subst_symbol t s20 }
    variant { size_symbol t } = match t with | Var_symbol v0 -> () end

  let lemma free_var_derive_equivalence_of_rename_symbol (t:symbol 'b0)
    (s10:'b0 -> 'c0) (s20:'b0 -> 'c0) : unit
    ensures { forall x:'b0. is_symbol_free_var_in_symbol x t -> s10 x = s20 x
      }
    requires { rename_symbol t s10 = rename_symbol t s20 } =
    free_var_derive_equivalence_of_subst_symbol t
      (subst_of_rename_symbol s10) (subst_of_rename_symbol s20);
    assert {
      forall x:'b0. (subst_of_rename_symbol s10 x:symbol 'c0) =
        (subst_of_rename_symbol s20 x:symbol 'c0) ->
        (Var_symbol (s10 x):symbol 'c0) = (Var_symbol (s20 x):symbol 'c0) &&
        s10 x = s20 x
      }


end
why3-1.6.0/examples/prover/Firstorder_symbol_spec/000077500000000000000000000000001440160026300222615ustar00rootroot00000000000000why3-1.6.0/examples/prover/Firstorder_symbol_spec/why3session.xml000066400000000000000000000245001440160026300253020ustar00rootroot00000000000000









 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
  
  
  
  
  
  
  
  
  
  
  
  
  
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 



why3-1.6.0/examples/prover/Firstorder_symbol_spec/why3shapes.gz000066400000000000000000000051111440160026300247170ustar00rootroot00000000000000Z[o~ϯc{)bXF_
k" r,%h;dYM(j.܇d[m3?mW_+U~w~zoOǏ5nw:P^Sgٮv[~|GF?ѩU9y1h7>kMoGߤ6nSb5.;Pَ17.	,`x
bXjȃIq]wuK	%6șfz՗et]Ldo-끊D2`[%N	A5Ѵu~;.MM#zQ췛G+TߜԞH;̛Wyr6Wb=%QC
HZ Rwn~Vez!=ci>&;;1^4\俰	%|}u֐롍ek7vFh/8R	|͡ECg{]sw-?ҥCH(m$+r:\\vOݛv䞿;w9:&7?)U{'fD@vi+[BZSvAw:bD@88|^!
ÌX5F8f;yQ}7[u-k3]LAkY8_a?FC0czPmN+Έ3긾H>6]+K]XL9ɉv#^=73
~'wW|;E4h[;@"I|5LA).q5(ZjxJvGwx
@=L 
j%&bD=]lɪA8)jKD&Ix/IzO<+U)ǧy}M.K[ǩ#)|9L<_Y=憬AhUToɞHTS7JJM("[w1yY[;
M.6#eGZCstxo۾z'ǏluPqR/d_#865`Y3;S?›=kTFN!xn5?4M-:հhOkiyWdxgѝz;!eQ#}SL9ZxLj}t~\Sֵ7'>s3GwgJ{up{4q2Sq2_\C9#qOǣ`}C2񮗪f_+vn:+CFc01䵐1T؇ 
Ȣ2ZgLKU	?(&-L0Yia >
˳E#0Ai9̞{1P(IJx.ܳ*~PAD6ąVbځrLr${)`MBh3ցi+	GKdCSUPqrw`U@
,YXB(0у4WV *X6*Qqq\	B
Ԫhn)L&["J' A"lb?R9dLb脜*f(*m Wu8c@ŖhDK*&%Nl let s = one_nat in s
      | NL_Node v0 v1 v2 ->
        let s = one_nat in
          let s = add_nat (nat_nlsize_fo_formula_list v2) s in
          let s = add_nat (nat_nlsize_fo_formula v1) s in
          let s = add_nat (nat_nlsize_tableau v0) s in s
    end

  with nlsize_tableau (t:nl_tableau 'b0 'b1) : int =
    match t with | NL_Root -> let s = 1 in s
      | NL_Node v0 v1 v2 ->
        let s = 1 in let s = nlsize_fo_formula_list v2 + s in
          let s = nlsize_fo_formula v1 + s in let s = nlsize_tableau v0 +
          s in s
    end

  let rec lemma nlsize_positive_lemma_tableau (t:nl_tableau 'b0 'b1) : unit
    ensures { nlsize_tableau t > 0 }
    variant { nat_to_int (nat_nlsize_tableau t) } =
    match t with | NL_Root -> ()
      | NL_Node v0 v1 v2 ->
        nlsize_positive_lemma_tableau v0 ;
          nlsize_positive_lemma_fo_formula v1 ;
          nlsize_positive_lemma_fo_formula_list v2 ; ()
    end

  function nlmodel_tableau (t:nl_tableau 'b0 'b1) (fr0:'b0 -> (symbol 'c0))
    (bnd0: int -> (symbol 'c0)) (fr1:'b1 -> (fo_term 'c0 'c1))
    (bnd1: int -> (fo_term 'c0 'c1)) : tableau 'c0 'c1 =
    match t with | NL_Root -> Root
      | NL_Node v0 v1 v2 ->
        Node
          (nlmodel_tableau v0 ((rename_subst_symbol fr0 identity))
            ((rename_subst_symbol bnd0 identity))
            ((rename_subst_fo_term fr1 identity identity))
            ((rename_subst_fo_term bnd1 identity identity)))
          (nlmodel_fo_formula v1 ((rename_subst_symbol fr0 identity))
            ((rename_subst_symbol bnd0 identity))
            ((rename_subst_fo_term fr1 identity identity))
            ((rename_subst_fo_term bnd1 identity identity)))
          (nlmodel_fo_formula_list v2 ((rename_subst_symbol fr0 identity))
            ((rename_subst_symbol bnd0 identity))
            ((rename_subst_fo_term fr1 identity identity))
            ((rename_subst_fo_term bnd1 identity identity)))
    end

  let rec lemma nlmodel_subst_commutation_lemma_tableau
    (t:nl_tableau 'b0 'b1) (fr0:'b0 -> (symbol 'c0))
    (bnd0: int -> (symbol 'c0)) (s0:'c0 -> (symbol 'd0))
    (fr1:'b1 -> (fo_term 'c0 'c1)) (bnd1: int -> (fo_term 'c0 'c1))
    (s1:'c1 -> (fo_term 'd0 'd1)) : unit
    ensures {
      nlmodel_tableau t (subst_compose_symbol fr0 s0)
        (subst_compose_symbol bnd0 s0) (subst_compose_fo_term fr1 s0 s1)
        (subst_compose_fo_term bnd1 s0 s1)
      = subst_tableau (nlmodel_tableau t fr0 bnd0 fr1 bnd1) s0 s1 }
    variant { nlsize_tableau t } =
    match t with | NL_Root -> ()
      | NL_Node v0 v1 v2 ->
        nlmodel_subst_commutation_lemma_tableau v0
          ((rename_subst_symbol fr0 identity))
          ((rename_subst_symbol bnd0 identity))
          ((rename_subst_symbol s0 identity))
          ((rename_subst_fo_term fr1 identity identity))
          ((rename_subst_fo_term bnd1 identity identity))
          ((rename_subst_fo_term s1 identity identity)) ;
          assert {
            subst_compose_symbol (rename_subst_symbol fr0 identity)
              ((rename_subst_symbol s0 identity))
            = (rename_subst_symbol (subst_compose_symbol fr0 s0) identity) } ;
          assert {
            subst_compose_symbol (rename_subst_symbol bnd0 identity)
              ((rename_subst_symbol s0 identity))
            = (rename_subst_symbol (subst_compose_symbol bnd0  s0) identity)
            } ;
          assert {
            subst_compose_fo_term
              (rename_subst_fo_term fr1 identity identity)
              ((rename_subst_symbol s0 identity))
              ((rename_subst_fo_term s1 identity identity))
            =
            (rename_subst_fo_term (subst_compose_fo_term fr1 s0 s1) identity
              identity)
            } ;
          assert {
            subst_compose_fo_term
              (rename_subst_fo_term bnd1 identity identity)
              ((rename_subst_symbol s0 identity))
              ((rename_subst_fo_term s1 identity identity))
            =
            (rename_subst_fo_term (subst_compose_fo_term bnd1  s0 s1)
              identity identity)
            } ;
          nlmodel_subst_commutation_lemma_fo_formula v1
          ((rename_subst_symbol fr0 identity))
          ((rename_subst_symbol bnd0 identity))
          ((rename_subst_symbol s0 identity))
          ((rename_subst_fo_term fr1 identity identity))
          ((rename_subst_fo_term bnd1 identity identity))
          ((rename_subst_fo_term s1 identity identity)) ;
          assert {
            subst_compose_symbol (rename_subst_symbol fr0 identity)
              ((rename_subst_symbol s0 identity))
            = (rename_subst_symbol (subst_compose_symbol fr0 s0) identity) } ;
          assert {
            subst_compose_symbol (rename_subst_symbol bnd0 identity)
              ((rename_subst_symbol s0 identity))
            = (rename_subst_symbol (subst_compose_symbol bnd0  s0) identity)
            } ;
          assert {
            subst_compose_fo_term
              (rename_subst_fo_term fr1 identity identity)
              ((rename_subst_symbol s0 identity))
              ((rename_subst_fo_term s1 identity identity))
            =
            (rename_subst_fo_term (subst_compose_fo_term fr1 s0 s1) identity
              identity)
            } ;
          assert {
            subst_compose_fo_term
              (rename_subst_fo_term bnd1 identity identity)
              ((rename_subst_symbol s0 identity))
              ((rename_subst_fo_term s1 identity identity))
            =
            (rename_subst_fo_term (subst_compose_fo_term bnd1  s0 s1)
              identity identity)
            } ;
          nlmodel_subst_commutation_lemma_fo_formula_list v2
          ((rename_subst_symbol fr0 identity))
          ((rename_subst_symbol bnd0 identity))
          ((rename_subst_symbol s0 identity))
          ((rename_subst_fo_term fr1 identity identity))
          ((rename_subst_fo_term bnd1 identity identity))
          ((rename_subst_fo_term s1 identity identity)) ;
          assert {
            subst_compose_symbol (rename_subst_symbol fr0 identity)
              ((rename_subst_symbol s0 identity))
            = (rename_subst_symbol (subst_compose_symbol fr0 s0) identity) } ;
          assert {
            subst_compose_symbol (rename_subst_symbol bnd0 identity)
              ((rename_subst_symbol s0 identity))
            = (rename_subst_symbol (subst_compose_symbol bnd0  s0) identity)
            } ;
          assert {
            subst_compose_fo_term
              (rename_subst_fo_term fr1 identity identity)
              ((rename_subst_symbol s0 identity))
              ((rename_subst_fo_term s1 identity identity))
            =
            (rename_subst_fo_term (subst_compose_fo_term fr1 s0 s1) identity
              identity)
            } ;
          assert {
            subst_compose_fo_term
              (rename_subst_fo_term bnd1 identity identity)
              ((rename_subst_symbol s0 identity))
              ((rename_subst_fo_term s1 identity identity))
            =
            (rename_subst_fo_term (subst_compose_fo_term bnd1  s0 s1)
              identity identity)
            } ;
          ()
    end

  let lemma nlmodel_rename_commutation_lemma_tableau (t:nl_tableau 'b0 'b1)
    (fr0:'b0 -> (symbol 'c0)) (bnd0: int -> (symbol 'c0)) (s0:'c0 -> 'd0)
    (fr1:'b1 -> (fo_term 'c0 'c1)) (bnd1: int -> (fo_term 'c0 'c1))
    (s1:'c1 -> 'd1) : unit
    ensures {
      nlmodel_tableau t (rename_subst_symbol fr0 s0)
        (rename_subst_symbol bnd0 s0) (rename_subst_fo_term fr1 s0 s1)
        (rename_subst_fo_term bnd1 s0 s1)
      = rename_tableau (nlmodel_tableau t fr0 bnd0 fr1 bnd1) s0 s1 }
    =
    nlmodel_subst_commutation_lemma_tableau t fr0 bnd0
      (subst_of_rename_symbol s0) fr1 bnd1 (subst_of_rename_fo_term s1)

  predicate correct_indexes_tableau (t:nl_tableau 'b0 'b1) =
    match t with | NL_Root -> true
      | NL_Node v0 v1 v2 ->
        correct_indexes_tableau v0 /\ correct_indexes_fo_formula v1 /\
          correct_indexes_fo_formula_list v2
    end

  function bound_depth_of_symbol_in_tableau (t:nl_tableau 'b0 'b1) : int =
    match t with | NL_Root -> 0
      | NL_Node v0 v1 v2 ->
        let b = bound_depth_of_symbol_in_tableau v0 in let a = b in
          let b = bound_depth_of_symbol_in_fo_formula v1 in
          let a = if a > b then a else b in
          let b = bound_depth_of_symbol_in_fo_formula_list v2 in
          let a = if a > b then a else b in a
    end

  with bound_depth_of_fo_term_in_tableau (t:nl_tableau 'b0 'b1) : int =
    match t with | NL_Root -> 0
      | NL_Node v0 v1 v2 ->
        let b = bound_depth_of_fo_term_in_tableau v0 in let a = b in
          let b = bound_depth_of_fo_term_in_fo_formula v1 in
          let a = if a > b then a else b in
          let b = bound_depth_of_fo_term_in_fo_formula_list v2 in
          let a = if a > b then a else b in a
    end

  let rec lemma bound_depth_of_symbol_in_tableau_nonnegative
    (t:nl_tableau 'b0 'b1) : unit requires { correct_indexes_tableau t }
    ensures { bound_depth_of_symbol_in_tableau t >= 0 }
    variant { nlsize_tableau t } =
    match t with | NL_Root -> ()
      | NL_Node v0 v1 v2 ->
        bound_depth_of_symbol_in_tableau_nonnegative v0 ;
          bound_depth_of_symbol_in_fo_formula_nonnegative v1 ;
          bound_depth_of_symbol_in_fo_formula_list_nonnegative v2 ; ()
    end

  with lemma bound_depth_of_fo_term_in_tableau_nonnegative
    (t:nl_tableau 'b0 'b1) : unit requires { correct_indexes_tableau t }
    ensures { bound_depth_of_fo_term_in_tableau t >= 0 }
    variant { nlsize_tableau t } =
    match t with | NL_Root -> ()
      | NL_Node v0 v1 v2 ->
        bound_depth_of_fo_term_in_tableau_nonnegative v0 ;
          bound_depth_of_fo_term_in_fo_formula_nonnegative v1 ;
          bound_depth_of_fo_term_in_fo_formula_list_nonnegative v2 ; ()
    end

  let rec lemma model_equal_tableau (t:nl_tableau 'b0 'b1)
    (fr10: 'b0 -> (symbol 'c0)) (fr20: 'b0 -> (symbol 'c0))
    (bnd10: int -> (symbol 'c0)) (bnd20: int -> (symbol 'c0))
    (fr11: 'b1 -> (fo_term 'c0 'c1)) (fr21: 'b1 -> (fo_term 'c0 'c1))
    (bnd11: int -> (fo_term 'c0 'c1)) (bnd21: int -> (fo_term 'c0 'c1)) :
    unit
    requires {
      forall i:int. 0 <= i < bound_depth_of_symbol_in_tableau t ->  bnd10 i =
        bnd20 i
      }
    requires { fr10 = fr20 }
    requires {
      forall i:int. 0 <= i < bound_depth_of_fo_term_in_tableau t ->  bnd11 i
        = bnd21 i
      }
    requires { fr11 = fr21 } requires { correct_indexes_tableau t }
    ensures { nlmodel_tableau t fr10 bnd10 fr11 bnd11 =
      nlmodel_tableau t fr20 bnd20 fr21 bnd21 }
    variant { nlsize_tableau t } =
    match t with | NL_Root -> ()
      | NL_Node v0 v1 v2 ->
        model_equal_tableau v0 ((rename_subst_symbol fr10 identity))
          ((rename_subst_symbol fr20 identity))
          ((rename_subst_symbol bnd10 identity))
          ((rename_subst_symbol bnd20 identity))
          ((rename_subst_fo_term fr11 identity identity))
          ((rename_subst_fo_term fr21 identity identity))
          ((rename_subst_fo_term bnd11 identity identity))
          ((rename_subst_fo_term bnd21 identity identity)) ;
          model_equal_fo_formula v1 ((rename_subst_symbol fr10 identity))
            ((rename_subst_symbol fr20 identity))
            ((rename_subst_symbol bnd10 identity))
            ((rename_subst_symbol bnd20 identity))
            ((rename_subst_fo_term fr11 identity identity))
            ((rename_subst_fo_term fr21 identity identity))
            ((rename_subst_fo_term bnd11 identity identity))
            ((rename_subst_fo_term bnd21 identity identity)) ;
          model_equal_fo_formula_list v2
            ((rename_subst_symbol fr10 identity))
            ((rename_subst_symbol fr20 identity))
            ((rename_subst_symbol bnd10 identity))
            ((rename_subst_symbol bnd20 identity))
            ((rename_subst_fo_term fr11 identity identity))
            ((rename_subst_fo_term fr21 identity identity))
            ((rename_subst_fo_term bnd11 identity identity))
            ((rename_subst_fo_term bnd21 identity identity)) ;
          ()
    end

  predicate nlimpl_tableau_ok (t:nlimpl_tableau) =
    nlmodel_tableau t.nlrepr_tableau_field subst_id_symbol
      (const (Var_symbol ((-1)))) subst_id_fo_term
      (const (Var_fo_term ((-1)))) = t.model_tableau_field
    /\ correct_indexes_tableau t.nlrepr_tableau_field /\
    bound_depth_of_symbol_in_tableau t.nlrepr_tableau_field = 0 /\
    bound_depth_of_fo_term_in_tableau t.nlrepr_tableau_field = 0 /\
    (forall x:int. is_symbol_free_var_in_tableau x t.model_tableau_field ->
       (x) < (t.nlfree_var_symbol_set_abstraction_tableau_field))
    /\
    (forall x:int. is_fo_term_free_var_in_tableau x t.model_tableau_field ->
       (x) < (t.nlfree_var_fo_term_set_abstraction_tableau_field))

  predicate cons_ok_tableau (c:cons_tableau) =
    match c with | NLC_Root -> true
      | NLC_Node v0 v1 v2 -> nlimpl_tableau_ok v0 /\ nlimpl_fo_formula_ok v1
        /\ nlimpl_fo_formula_list_ok v2
    end

  predicate cons_rel_tableau (c:cons_tableau) (t:nlimpl_tableau) =
    match c with | NLC_Root -> t.model_tableau_field = Root
      | NLC_Node v0 v1 v2 -> t.model_tableau_field =
        Node (rename_tableau v0.model_tableau_field identity identity)
          (rename_fo_formula v1.model_fo_formula_field identity identity)
          (rename_fo_formula_list v2.model_fo_formula_list_field identity
             identity)
    end

  predicate cons_open_rel_tableau (c:cons_tableau) (t:nlimpl_tableau) =
    match c with
      | NLC_Root ->
        match t.model_tableau_field with | Root -> true
          | Node w0 w1 w2 -> false
        end
      | NLC_Node v0 v1 v2 ->
        match t.model_tableau_field with | Root -> false
          | Node w0 w1 w2 ->
            v0.model_tableau_field = (rename_tableau w0 identity identity) /\
              v1.model_fo_formula_field =
                (rename_fo_formula w1 identity identity)
              /\
              v2.model_fo_formula_list_field =
                (rename_fo_formula_list w2 identity identity)
        end
    end


end

module Impl
  use option.Option
  use int.Int
  use Nat.Nat
  use Functions.Func
  use OptionFuncs.Funcs
  use Sum.Sum
  use Firstorder_symbol_spec.Spec
  use Firstorder_symbol_impl.Types
  use Firstorder_symbol_impl.Logic
  use Firstorder_symbol_impl.Impl
  use Firstorder_term_spec.Spec
  use Firstorder_term_impl.Types
  use Firstorder_term_impl.Logic
  use Firstorder_term_impl.Impl
  use Firstorder_formula_spec.Spec
  use Firstorder_formula_impl.Types
  use Firstorder_formula_impl.Logic
  use Firstorder_formula_impl.Impl
  use Firstorder_formula_list_spec.Spec
  use Firstorder_formula_list_impl.Types
  use Firstorder_formula_list_impl.Logic
  use Firstorder_formula_list_impl.Impl
  use Firstorder_tableau_spec.Spec
  use Types
  use Logic
  let rec bind_var_symbol_in_tableau (t:nl_tableau int int) (x:int) (i:int)
    (ghost fr0: int -> (symbol 'b0)) (ghost bnd0: int -> (symbol 'b0))
    (ghost fr1: int -> (fo_term 'b0 'b1))
    (ghost bnd1: int -> (fo_term 'b0 'b1)) : nl_tableau int int
    requires { correct_indexes_tableau t }
    requires { bound_depth_of_symbol_in_tableau t <= i }
    variant { nlsize_tableau t }
    ensures { bound_depth_of_symbol_in_tableau result <= i + 1 }
    ensures { correct_indexes_tableau result }
    ensures { bound_depth_of_fo_term_in_tableau t =
      bound_depth_of_fo_term_in_tableau result }
    ensures { nlmodel_tableau result fr0 bnd0 fr1 bnd1 =
      nlmodel_tableau t (update fr0 x (bnd0 i)) bnd0 fr1 bnd1 }
    =
    match t with | NL_Root -> NL_Root
      | NL_Node v0 v1 v2 ->
        assert { (rename_symbol (bnd0 i) identity) =
          (eval ((rename_subst_symbol bnd0 identity)) (i+0)) };
          assert {
            extensionalEqual
              ((rename_subst_symbol (update fr0 x (bnd0 i)) identity))
              ((update ((rename_subst_symbol fr0 identity)) x
                  (rename_symbol (bnd0 i) identity)))
            };
          assert { (rename_subst_symbol (update fr0 x (bnd0 i)) identity) =
            (update ((rename_subst_symbol fr0 identity)) x
               (eval ((rename_subst_symbol bnd0 identity)) (i+0)))
            };
          assert { (rename_symbol (bnd0 i) identity) =
            (eval ((rename_subst_symbol bnd0 identity)) (i+0)) };
          assert {
            extensionalEqual
              ((rename_subst_symbol (update fr0 x (bnd0 i)) identity))
              ((update ((rename_subst_symbol fr0 identity)) x
                  (rename_symbol (bnd0 i) identity)))
            };
          assert { (rename_subst_symbol (update fr0 x (bnd0 i)) identity) =
            (update ((rename_subst_symbol fr0 identity)) x
               (eval ((rename_subst_symbol bnd0 identity)) (i+0)))
            };
          assert { (rename_symbol (bnd0 i) identity) =
            (eval ((rename_subst_symbol bnd0 identity)) (i+0)) };
          assert {
            extensionalEqual
              ((rename_subst_symbol (update fr0 x (bnd0 i)) identity))
              ((update ((rename_subst_symbol fr0 identity)) x
                  (rename_symbol (bnd0 i) identity)))
            };
          assert { (rename_subst_symbol (update fr0 x (bnd0 i)) identity) =
            (update ((rename_subst_symbol fr0 identity)) x
               (eval ((rename_subst_symbol bnd0 identity)) (i+0)))
            };
          NL_Node
            (bind_var_symbol_in_tableau v0 x (i+0)
               ((rename_subst_symbol fr0 identity))
               ((rename_subst_symbol bnd0 identity))
               ((rename_subst_fo_term fr1 identity identity))
               ((rename_subst_fo_term bnd1 identity identity)))
            (bind_var_symbol_in_fo_formula v1 x (i+0)
               ((rename_subst_symbol fr0 identity))
               ((rename_subst_symbol bnd0 identity))
               ((rename_subst_fo_term fr1 identity identity))
               ((rename_subst_fo_term bnd1 identity identity)))
            (bind_var_symbol_in_fo_formula_list v2 x (i+0)
               ((rename_subst_symbol fr0 identity))
               ((rename_subst_symbol bnd0 identity))
               ((rename_subst_fo_term fr1 identity identity))
               ((rename_subst_fo_term bnd1 identity identity)))
    end

  with bind_var_fo_term_in_tableau (t:nl_tableau int int) (x:int) (i:int)
    (ghost fr0: int -> (symbol 'b0)) (ghost bnd0: int -> (symbol 'b0))
    (ghost fr1: int -> (fo_term 'b0 'b1))
    (ghost bnd1: int -> (fo_term 'b0 'b1)) : nl_tableau int int
    requires { correct_indexes_tableau t }
    requires { bound_depth_of_fo_term_in_tableau t <= i }
    variant { nlsize_tableau t }
    ensures { bound_depth_of_fo_term_in_tableau result <= i + 1 }
    ensures { correct_indexes_tableau result }
    ensures { bound_depth_of_symbol_in_tableau t =
      bound_depth_of_symbol_in_tableau result }
    ensures { nlmodel_tableau result fr0 bnd0 fr1 bnd1 =
      nlmodel_tableau t fr0 bnd0 (update fr1 x (bnd1 i)) bnd1 }
    =
    match t with | NL_Root -> NL_Root
      | NL_Node v0 v1 v2 ->
        assert { (rename_fo_term (bnd1 i) identity identity) =
          (eval ((rename_subst_fo_term bnd1 identity identity)) (i+0)) };
          assert {
            extensionalEqual
              ((rename_subst_fo_term (update fr1 x (bnd1 i)) identity
                 identity))
              ((update ((rename_subst_fo_term fr1 identity identity)) x
                  (rename_fo_term (bnd1 i) identity identity)))
            };
          assert {
            (rename_subst_fo_term (update fr1 x (bnd1 i)) identity identity)
            =
            (update ((rename_subst_fo_term fr1 identity identity)) x
               (eval ((rename_subst_fo_term bnd1 identity identity)) (i+0)))
            };
          assert { (rename_fo_term (bnd1 i) identity identity) =
            (eval ((rename_subst_fo_term bnd1 identity identity)) (i+0)) };
          assert {
            extensionalEqual
              ((rename_subst_fo_term (update fr1 x (bnd1 i)) identity
                 identity))
              ((update ((rename_subst_fo_term fr1 identity identity)) x
                  (rename_fo_term (bnd1 i) identity identity)))
            };
          assert {
            (rename_subst_fo_term (update fr1 x (bnd1 i)) identity identity)
            =
            (update ((rename_subst_fo_term fr1 identity identity)) x
               (eval ((rename_subst_fo_term bnd1 identity identity)) (i+0)))
            };
          assert { (rename_fo_term (bnd1 i) identity identity) =
            (eval ((rename_subst_fo_term bnd1 identity identity)) (i+0)) };
          assert {
            extensionalEqual
              ((rename_subst_fo_term (update fr1 x (bnd1 i)) identity
                 identity))
              ((update ((rename_subst_fo_term fr1 identity identity)) x
                  (rename_fo_term (bnd1 i) identity identity)))
            };
          assert {
            (rename_subst_fo_term (update fr1 x (bnd1 i)) identity identity)
            =
            (update ((rename_subst_fo_term fr1 identity identity)) x
               (eval ((rename_subst_fo_term bnd1 identity identity)) (i+0)))
            };
          NL_Node
            (bind_var_fo_term_in_tableau v0 x (i+0)
               ((rename_subst_symbol fr0 identity))
               ((rename_subst_symbol bnd0 identity))
               ((rename_subst_fo_term fr1 identity identity))
               ((rename_subst_fo_term bnd1 identity identity)))
            (bind_var_fo_term_in_fo_formula v1 x (i+0)
               ((rename_subst_symbol fr0 identity))
               ((rename_subst_symbol bnd0 identity))
               ((rename_subst_fo_term fr1 identity identity))
               ((rename_subst_fo_term bnd1 identity identity)))
            (bind_var_fo_term_in_fo_formula_list v2 x (i+0)
               ((rename_subst_symbol fr0 identity))
               ((rename_subst_symbol bnd0 identity))
               ((rename_subst_fo_term fr1 identity identity))
               ((rename_subst_fo_term bnd1 identity identity)))
    end

  let rec unbind_var_symbol_in_tableau (t:nl_tableau int int) (i:int)
    (x:nl_symbol int) (ghost fr0: int -> (symbol 'b0))
    (ghost bnd10: int -> (symbol 'b0)) (ghost fr1: int -> (fo_term 'b0 'b1))
    (ghost bnd11: int -> (fo_term 'b0 'b1))
    (ghost bnd20: int -> (symbol 'b0)) : nl_tableau int int
    requires { i >= 0 } requires { correct_indexes_tableau t }
    requires { bound_depth_of_symbol_in_tableau t <= i + 1 }
    requires { correct_indexes_symbol x }
    requires { bound_depth_of_symbol_in_symbol x = 0 }
    variant { nlsize_tableau t }
    ensures { correct_indexes_tableau result }
    ensures { bound_depth_of_symbol_in_tableau result <= i }
    ensures { bound_depth_of_fo_term_in_tableau result =
      bound_depth_of_fo_term_in_tableau t }
    ensures { nlmodel_tableau result fr0 bnd10 fr1 bnd11 =
      nlmodel_tableau t fr0 (update bnd10 i (nlmodel_symbol x fr0 bnd20)) fr1
        bnd11
      }
    =
    match t with | NL_Root -> NL_Root
      | NL_Node v0 v1 v2 ->
        assert { rename_symbol (nlmodel_symbol x fr0 bnd20) identity =
          nlmodel_symbol x ((rename_subst_symbol fr0 identity))
            ((rename_subst_symbol bnd20 identity))
          } ;
          assert {
            extensionalEqual
              ((rename_subst_symbol
                 (update bnd10 i (nlmodel_symbol x fr0 bnd20)) identity))
              (update ((rename_subst_symbol bnd10 identity)) (i+0)
                 (rename_symbol (nlmodel_symbol x fr0 bnd20) identity))
            } ;
          assert {
            (rename_subst_symbol
              (update bnd10 i (nlmodel_symbol x fr0 bnd20)) identity)
            =
            update ((rename_subst_symbol bnd10 identity)) (i+0)
              (nlmodel_symbol x ((rename_subst_symbol fr0 identity))
                 ((rename_subst_symbol bnd20 identity)))
            } ;
          assert { rename_symbol (nlmodel_symbol x fr0 bnd20) identity =
            nlmodel_symbol x ((rename_subst_symbol fr0 identity))
              ((rename_subst_symbol bnd20 identity))
            } ;
          assert {
            extensionalEqual
              ((rename_subst_symbol
                 (update bnd10 i (nlmodel_symbol x fr0 bnd20)) identity))
              (update ((rename_subst_symbol bnd10 identity)) (i+0)
                 (rename_symbol (nlmodel_symbol x fr0 bnd20) identity))
            } ;
          assert {
            (rename_subst_symbol
              (update bnd10 i (nlmodel_symbol x fr0 bnd20)) identity)
            =
            update ((rename_subst_symbol bnd10 identity)) (i+0)
              (nlmodel_symbol x ((rename_subst_symbol fr0 identity))
                 ((rename_subst_symbol bnd20 identity)))
            } ;
          assert { rename_symbol (nlmodel_symbol x fr0 bnd20) identity =
            nlmodel_symbol x ((rename_subst_symbol fr0 identity))
              ((rename_subst_symbol bnd20 identity))
            } ;
          assert {
            extensionalEqual
              ((rename_subst_symbol
                 (update bnd10 i (nlmodel_symbol x fr0 bnd20)) identity))
              (update ((rename_subst_symbol bnd10 identity)) (i+0)
                 (rename_symbol (nlmodel_symbol x fr0 bnd20) identity))
            } ;
          assert {
            (rename_subst_symbol
              (update bnd10 i (nlmodel_symbol x fr0 bnd20)) identity)
            =
            update ((rename_subst_symbol bnd10 identity)) (i+0)
              (nlmodel_symbol x ((rename_subst_symbol fr0 identity))
                 ((rename_subst_symbol bnd20 identity)))
            } ;
          NL_Node
            (unbind_var_symbol_in_tableau v0 (i+0) x
               ((rename_subst_symbol fr0 identity))
               ((rename_subst_symbol bnd10 identity))
               ((rename_subst_fo_term fr1 identity identity))
               ((rename_subst_fo_term bnd11 identity identity))
               ((rename_subst_symbol bnd20 identity)))
            (unbind_var_symbol_in_fo_formula v1 (i+0) x
               ((rename_subst_symbol fr0 identity))
               ((rename_subst_symbol bnd10 identity))
               ((rename_subst_fo_term fr1 identity identity))
               ((rename_subst_fo_term bnd11 identity identity))
               ((rename_subst_symbol bnd20 identity)))
            (unbind_var_symbol_in_fo_formula_list v2 (i+0) x
               ((rename_subst_symbol fr0 identity))
               ((rename_subst_symbol bnd10 identity))
               ((rename_subst_fo_term fr1 identity identity))
               ((rename_subst_fo_term bnd11 identity identity))
               ((rename_subst_symbol bnd20 identity)))
    end

  with unbind_var_fo_term_in_tableau (t:nl_tableau int int) (i:int)
    (x:nl_fo_term int int) (ghost fr0: int -> (symbol 'b0))
    (ghost bnd10: int -> (symbol 'b0)) (ghost fr1: int -> (fo_term 'b0 'b1))
    (ghost bnd11: int -> (fo_term 'b0 'b1))
    (ghost bnd20: int -> (symbol 'b0))
    (ghost bnd21: int -> (fo_term 'b0 'b1)) : nl_tableau int int
    requires { i >= 0 } requires { correct_indexes_tableau t }
    requires { bound_depth_of_fo_term_in_tableau t <= i + 1 }
    requires { correct_indexes_fo_term x }
    requires { bound_depth_of_symbol_in_fo_term x = 0 }
    requires { bound_depth_of_fo_term_in_fo_term x = 0 }
    variant { nlsize_tableau t }
    ensures { correct_indexes_tableau result }
    ensures { bound_depth_of_fo_term_in_tableau result <= i }
    ensures { bound_depth_of_symbol_in_tableau result =
      bound_depth_of_symbol_in_tableau t }
    ensures { nlmodel_tableau result fr0 bnd10 fr1 bnd11 =
      nlmodel_tableau t fr0 bnd10 fr1
        (update bnd11 i (nlmodel_fo_term x fr0 bnd20 fr1 bnd21))
      }
    =
    match t with | NL_Root -> NL_Root
      | NL_Node v0 v1 v2 ->
        assert {
          rename_fo_term (nlmodel_fo_term x fr0 bnd20 fr1 bnd21) identity
            identity
          =
          nlmodel_fo_term x ((rename_subst_symbol fr0 identity))
            ((rename_subst_symbol bnd20 identity))
            ((rename_subst_fo_term fr1 identity identity))
            ((rename_subst_fo_term bnd21 identity identity))
          } ;
          assert {
            extensionalEqual
              ((rename_subst_fo_term
                 (update bnd11 i (nlmodel_fo_term x fr0 bnd20 fr1 bnd21))
                 identity identity))
              (update ((rename_subst_fo_term bnd11 identity identity)) (i+0)
                 (rename_fo_term (nlmodel_fo_term x fr0 bnd20 fr1 bnd21)
                    identity identity))
            } ;
          assert {
            (rename_subst_fo_term
              (update bnd11 i (nlmodel_fo_term x fr0 bnd20 fr1 bnd21))
              identity identity)
            =
            update ((rename_subst_fo_term bnd11 identity identity)) (i+0)
              (nlmodel_fo_term x ((rename_subst_symbol fr0 identity))
                 ((rename_subst_symbol bnd20 identity))
                 ((rename_subst_fo_term fr1 identity identity))
                 ((rename_subst_fo_term bnd21 identity identity)))
            } ;
          assert {
            rename_fo_term (nlmodel_fo_term x fr0 bnd20 fr1 bnd21) identity
              identity
            =
            nlmodel_fo_term x ((rename_subst_symbol fr0 identity))
              ((rename_subst_symbol bnd20 identity))
              ((rename_subst_fo_term fr1 identity identity))
              ((rename_subst_fo_term bnd21 identity identity))
            } ;
          assert {
            extensionalEqual
              ((rename_subst_fo_term
                 (update bnd11 i (nlmodel_fo_term x fr0 bnd20 fr1 bnd21))
                 identity identity))
              (update ((rename_subst_fo_term bnd11 identity identity)) (i+0)
                 (rename_fo_term (nlmodel_fo_term x fr0 bnd20 fr1 bnd21)
                    identity identity))
            } ;
          assert {
            (rename_subst_fo_term
              (update bnd11 i (nlmodel_fo_term x fr0 bnd20 fr1 bnd21))
              identity identity)
            =
            update ((rename_subst_fo_term bnd11 identity identity)) (i+0)
              (nlmodel_fo_term x ((rename_subst_symbol fr0 identity))
                 ((rename_subst_symbol bnd20 identity))
                 ((rename_subst_fo_term fr1 identity identity))
                 ((rename_subst_fo_term bnd21 identity identity)))
            } ;
          assert {
            rename_fo_term (nlmodel_fo_term x fr0 bnd20 fr1 bnd21) identity
              identity
            =
            nlmodel_fo_term x ((rename_subst_symbol fr0 identity))
              ((rename_subst_symbol bnd20 identity))
              ((rename_subst_fo_term fr1 identity identity))
              ((rename_subst_fo_term bnd21 identity identity))
            } ;
          assert {
            extensionalEqual
              ((rename_subst_fo_term
                 (update bnd11 i (nlmodel_fo_term x fr0 bnd20 fr1 bnd21))
                 identity identity))
              (update ((rename_subst_fo_term bnd11 identity identity)) (i+0)
                 (rename_fo_term (nlmodel_fo_term x fr0 bnd20 fr1 bnd21)
                    identity identity))
            } ;
          assert {
            (rename_subst_fo_term
              (update bnd11 i (nlmodel_fo_term x fr0 bnd20 fr1 bnd21))
              identity identity)
            =
            update ((rename_subst_fo_term bnd11 identity identity)) (i+0)
              (nlmodel_fo_term x ((rename_subst_symbol fr0 identity))
                 ((rename_subst_symbol bnd20 identity))
                 ((rename_subst_fo_term fr1 identity identity))
                 ((rename_subst_fo_term bnd21 identity identity)))
            } ;
          NL_Node
            (unbind_var_fo_term_in_tableau v0 (i+0) x
               ((rename_subst_symbol fr0 identity))
               ((rename_subst_symbol bnd10 identity))
               ((rename_subst_fo_term fr1 identity identity))
               ((rename_subst_fo_term bnd11 identity identity))
               ((rename_subst_symbol bnd20 identity))
               ((rename_subst_fo_term bnd21 identity identity)))
            (unbind_var_fo_term_in_fo_formula v1 (i+0) x
               ((rename_subst_symbol fr0 identity))
               ((rename_subst_symbol bnd10 identity))
               ((rename_subst_fo_term fr1 identity identity))
               ((rename_subst_fo_term bnd11 identity identity))
               ((rename_subst_symbol bnd20 identity))
               ((rename_subst_fo_term bnd21 identity identity)))
            (unbind_var_fo_term_in_fo_formula_list v2 (i+0) x
               ((rename_subst_symbol fr0 identity))
               ((rename_subst_symbol bnd10 identity))
               ((rename_subst_fo_term fr1 identity identity))
               ((rename_subst_fo_term bnd11 identity identity))
               ((rename_subst_symbol bnd20 identity))
               ((rename_subst_fo_term bnd21 identity identity)))
    end

  let rec subst_base_symbol_in_tableau (t:nl_tableau int int) (x:int)
    (u:nl_symbol int) (ghost fr0: int -> (symbol 'b0))
    (ghost bnd10: int -> (symbol 'b0)) (ghost fr1: int -> (fo_term 'b0 'b1))
    (ghost bnd11: int -> (fo_term 'b0 'b1))
    (ghost bnd20: int -> (symbol 'b0)) : nl_tableau int int
    requires { correct_indexes_tableau t }
    requires { correct_indexes_symbol u }
    requires { bound_depth_of_symbol_in_symbol u = 0 }
    variant { nlsize_tableau t }
    ensures { correct_indexes_tableau result }
     ensures { bound_depth_of_symbol_in_tableau result =
       bound_depth_of_symbol_in_tableau t }
    ensures { bound_depth_of_fo_term_in_tableau result =
      bound_depth_of_fo_term_in_tableau t }
    ensures { nlmodel_tableau result fr0 bnd10 fr1 bnd11 =
      nlmodel_tableau t (update fr0 x (nlmodel_symbol u fr0 bnd20)) bnd10 fr1
        bnd11
      }
    =
    match t with | NL_Root -> NL_Root
      | NL_Node v0 v1 v2 ->
        assert { rename_symbol (nlmodel_symbol u fr0 bnd20) identity =
          nlmodel_symbol u ((rename_subst_symbol fr0 identity))
            ((rename_subst_symbol bnd20 identity))
          } ;
          assert {
            extensionalEqual
              ((rename_subst_symbol
                 (update fr0 x (nlmodel_symbol u fr0 bnd20)) identity))
              (update ((rename_subst_symbol fr0 identity)) x
                 (rename_symbol (nlmodel_symbol u fr0 bnd20) identity))
            } ;
          assert {
            (rename_subst_symbol (update fr0 x (nlmodel_symbol u fr0 bnd20))
              identity)
            =
            update ((rename_subst_symbol fr0 identity)) x
              (nlmodel_symbol u ((rename_subst_symbol fr0 identity))
                 ((rename_subst_symbol bnd20 identity)))
            } ;
          assert { rename_symbol (nlmodel_symbol u fr0 bnd20) identity =
            nlmodel_symbol u ((rename_subst_symbol fr0 identity))
              ((rename_subst_symbol bnd20 identity))
            } ;
          assert {
            extensionalEqual
              ((rename_subst_symbol
                 (update fr0 x (nlmodel_symbol u fr0 bnd20)) identity))
              (update ((rename_subst_symbol fr0 identity)) x
                 (rename_symbol (nlmodel_symbol u fr0 bnd20) identity))
            } ;
          assert {
            (rename_subst_symbol (update fr0 x (nlmodel_symbol u fr0 bnd20))
              identity)
            =
            update ((rename_subst_symbol fr0 identity)) x
              (nlmodel_symbol u ((rename_subst_symbol fr0 identity))
                 ((rename_subst_symbol bnd20 identity)))
            } ;
          assert { rename_symbol (nlmodel_symbol u fr0 bnd20) identity =
            nlmodel_symbol u ((rename_subst_symbol fr0 identity))
              ((rename_subst_symbol bnd20 identity))
            } ;
          assert {
            extensionalEqual
              ((rename_subst_symbol
                 (update fr0 x (nlmodel_symbol u fr0 bnd20)) identity))
              (update ((rename_subst_symbol fr0 identity)) x
                 (rename_symbol (nlmodel_symbol u fr0 bnd20) identity))
            } ;
          assert {
            (rename_subst_symbol (update fr0 x (nlmodel_symbol u fr0 bnd20))
              identity)
            =
            update ((rename_subst_symbol fr0 identity)) x
              (nlmodel_symbol u ((rename_subst_symbol fr0 identity))
                 ((rename_subst_symbol bnd20 identity)))
            } ;
          NL_Node
            (subst_base_symbol_in_tableau v0 x u
               ((rename_subst_symbol fr0 identity))
               ((rename_subst_symbol bnd10 identity))
               ((rename_subst_fo_term fr1 identity identity))
               ((rename_subst_fo_term bnd11 identity identity))
               ((rename_subst_symbol bnd20 identity)))
            (subst_base_symbol_in_fo_formula v1 x u
               ((rename_subst_symbol fr0 identity))
               ((rename_subst_symbol bnd10 identity))
               ((rename_subst_fo_term fr1 identity identity))
               ((rename_subst_fo_term bnd11 identity identity))
               ((rename_subst_symbol bnd20 identity)))
            (subst_base_symbol_in_fo_formula_list v2 x u
               ((rename_subst_symbol fr0 identity))
               ((rename_subst_symbol bnd10 identity))
               ((rename_subst_fo_term fr1 identity identity))
               ((rename_subst_fo_term bnd11 identity identity))
               ((rename_subst_symbol bnd20 identity)))
    end

  with subst_base_fo_term_in_tableau (t:nl_tableau int int) (x:int)
    (u:nl_fo_term int int) (ghost fr0: int -> (symbol 'b0))
    (ghost bnd10: int -> (symbol 'b0)) (ghost fr1: int -> (fo_term 'b0 'b1))
    (ghost bnd11: int -> (fo_term 'b0 'b1))
    (ghost bnd20: int -> (symbol 'b0))
    (ghost bnd21: int -> (fo_term 'b0 'b1)) : nl_tableau int int
    requires { correct_indexes_tableau t }
    requires { correct_indexes_fo_term u }
    requires { bound_depth_of_symbol_in_fo_term u = 0 }
    requires { bound_depth_of_fo_term_in_fo_term u = 0 }
    variant { nlsize_tableau t }
    ensures { correct_indexes_tableau result }
     ensures { bound_depth_of_symbol_in_tableau result =
       bound_depth_of_symbol_in_tableau t }
    ensures { bound_depth_of_fo_term_in_tableau result =
      bound_depth_of_fo_term_in_tableau t }
    ensures { nlmodel_tableau result fr0 bnd10 fr1 bnd11 =
      nlmodel_tableau t fr0 bnd10
        (update fr1 x (nlmodel_fo_term u fr0 bnd20 fr1 bnd21)) bnd11
      }
    =
    match t with | NL_Root -> NL_Root
      | NL_Node v0 v1 v2 ->
        assert {
          rename_fo_term (nlmodel_fo_term u fr0 bnd20 fr1 bnd21) identity
            identity
          =
          nlmodel_fo_term u ((rename_subst_symbol fr0 identity))
            ((rename_subst_symbol bnd20 identity))
            ((rename_subst_fo_term fr1 identity identity))
            ((rename_subst_fo_term bnd21 identity identity))
          } ;
          assert {
            extensionalEqual
              ((rename_subst_fo_term
                 (update fr1 x (nlmodel_fo_term u fr0 bnd20 fr1 bnd21))
                 identity identity))
              (update ((rename_subst_fo_term fr1 identity identity)) x
                 (rename_fo_term (nlmodel_fo_term u fr0 bnd20 fr1 bnd21)
                    identity identity))
            } ;
          assert {
            (rename_subst_fo_term
              (update fr1 x (nlmodel_fo_term u fr0 bnd20 fr1 bnd21)) identity
              identity)
            =
            update ((rename_subst_fo_term fr1 identity identity)) x
              (nlmodel_fo_term u ((rename_subst_symbol fr0 identity))
                 ((rename_subst_symbol bnd20 identity))
                 ((rename_subst_fo_term fr1 identity identity))
                 ((rename_subst_fo_term bnd21 identity identity)))
            } ;
          assert {
            rename_fo_term (nlmodel_fo_term u fr0 bnd20 fr1 bnd21) identity
              identity
            =
            nlmodel_fo_term u ((rename_subst_symbol fr0 identity))
              ((rename_subst_symbol bnd20 identity))
              ((rename_subst_fo_term fr1 identity identity))
              ((rename_subst_fo_term bnd21 identity identity))
            } ;
          assert {
            extensionalEqual
              ((rename_subst_fo_term
                 (update fr1 x (nlmodel_fo_term u fr0 bnd20 fr1 bnd21))
                 identity identity))
              (update ((rename_subst_fo_term fr1 identity identity)) x
                 (rename_fo_term (nlmodel_fo_term u fr0 bnd20 fr1 bnd21)
                    identity identity))
            } ;
          assert {
            (rename_subst_fo_term
              (update fr1 x (nlmodel_fo_term u fr0 bnd20 fr1 bnd21)) identity
              identity)
            =
            update ((rename_subst_fo_term fr1 identity identity)) x
              (nlmodel_fo_term u ((rename_subst_symbol fr0 identity))
                 ((rename_subst_symbol bnd20 identity))
                 ((rename_subst_fo_term fr1 identity identity))
                 ((rename_subst_fo_term bnd21 identity identity)))
            } ;
          assert {
            rename_fo_term (nlmodel_fo_term u fr0 bnd20 fr1 bnd21) identity
              identity
            =
            nlmodel_fo_term u ((rename_subst_symbol fr0 identity))
              ((rename_subst_symbol bnd20 identity))
              ((rename_subst_fo_term fr1 identity identity))
              ((rename_subst_fo_term bnd21 identity identity))
            } ;
          assert {
            extensionalEqual
              ((rename_subst_fo_term
                 (update fr1 x (nlmodel_fo_term u fr0 bnd20 fr1 bnd21))
                 identity identity))
              (update ((rename_subst_fo_term fr1 identity identity)) x
                 (rename_fo_term (nlmodel_fo_term u fr0 bnd20 fr1 bnd21)
                    identity identity))
            } ;
          assert {
            (rename_subst_fo_term
              (update fr1 x (nlmodel_fo_term u fr0 bnd20 fr1 bnd21)) identity
              identity)
            =
            update ((rename_subst_fo_term fr1 identity identity)) x
              (nlmodel_fo_term u ((rename_subst_symbol fr0 identity))
                 ((rename_subst_symbol bnd20 identity))
                 ((rename_subst_fo_term fr1 identity identity))
                 ((rename_subst_fo_term bnd21 identity identity)))
            } ;
          NL_Node
            (subst_base_fo_term_in_tableau v0 x u
               ((rename_subst_symbol fr0 identity))
               ((rename_subst_symbol bnd10 identity))
               ((rename_subst_fo_term fr1 identity identity))
               ((rename_subst_fo_term bnd11 identity identity))
               ((rename_subst_symbol bnd20 identity))
               ((rename_subst_fo_term bnd21 identity identity)))
            (subst_base_fo_term_in_fo_formula v1 x u
               ((rename_subst_symbol fr0 identity))
               ((rename_subst_symbol bnd10 identity))
               ((rename_subst_fo_term fr1 identity identity))
               ((rename_subst_fo_term bnd11 identity identity))
               ((rename_subst_symbol bnd20 identity))
               ((rename_subst_fo_term bnd21 identity identity)))
            (subst_base_fo_term_in_fo_formula_list v2 x u
               ((rename_subst_symbol fr0 identity))
               ((rename_subst_symbol bnd10 identity))
               ((rename_subst_fo_term fr1 identity identity))
               ((rename_subst_fo_term bnd11 identity identity))
               ((rename_subst_symbol bnd20 identity))
               ((rename_subst_fo_term bnd21 identity identity)))
    end

  let construct_tableau (c:cons_tableau) : nlimpl_tableau
    requires { cons_ok_tableau c } ensures { nlimpl_tableau_ok result }
    ensures { cons_rel_tableau c result }
    (*ensures { cons_open_rel_tableau c result }*) =
    match c with
      | NLC_Root ->
        let res =
          { nlrepr_tableau_field = (NL_Root) ;
            nlfree_var_symbol_set_abstraction_tableau_field = 0 ;
            nlfree_var_fo_term_set_abstraction_tableau_field = 0 ;
            model_tableau_field = ghost (Root) ;
          }
        in
        assert {
          forall x:int.
            is_symbol_free_var_in_tableau x res.model_tableau_field ->
            (false) && (x) <
            (res.nlfree_var_symbol_set_abstraction_tableau_field)
          } ;
        assert {
          forall x:int.
            is_fo_term_free_var_in_tableau x res.model_tableau_field ->
            (false) && (x) <
            (res.nlfree_var_fo_term_set_abstraction_tableau_field)
          } ;
        res
      | NLC_Node v0 v1 v2 -> assert { nlimpl_tableau_ok v0 } ;
        assert { nlimpl_fo_formula_ok v1 } ;
        assert { nlimpl_fo_formula_list_ok v2 } ;
        let res =
          {
            nlrepr_tableau_field =
              (NL_Node (let v0 = v0.nlrepr_tableau_field in v0)
                 (let v1 = v1.nlrepr_fo_formula_field in v1)
                 (let v2 = v2.nlrepr_fo_formula_list_field in v2)) ;
            nlfree_var_symbol_set_abstraction_tableau_field =
              (let aux (a:int) (b:int) : int
                 ensures { result >= a /\ result >= b } =
                 if a < b then b else a in
                 aux
                   ((let aux (a:int) (b:int) : int
                       ensures { result >= a /\ result >= b } =
                       if a < b then b else a in
                       aux
                         (v0.nlfree_var_symbol_set_abstraction_tableau_field)
                         (v1.nlfree_var_symbol_set_abstraction_fo_formula_field)))
                   (v2.nlfree_var_symbol_set_abstraction_fo_formula_list_field)) ;
            nlfree_var_fo_term_set_abstraction_tableau_field =
              (let aux (a:int) (b:int) : int
                 ensures { result >= a /\ result >= b } =
                 if a < b then b else a in
                 aux
                   ((let aux (a:int) (b:int) : int
                       ensures { result >= a /\ result >= b } =
                       if a < b then b else a in
                       aux
                         (v0.nlfree_var_fo_term_set_abstraction_tableau_field)
                         (v1.nlfree_var_fo_term_set_abstraction_fo_formula_field)))
                   (v2.nlfree_var_fo_term_set_abstraction_fo_formula_list_field)) ;
            model_tableau_field = ghost
              (Node (rename_tableau v0.model_tableau_field identity identity)
                 (rename_fo_formula v1.model_fo_formula_field identity
                    identity)
                 (rename_fo_formula_list v2.model_fo_formula_list_field
                    identity identity)) ;
          }
        in
        assert {
          forall x:int.
            is_symbol_free_var_in_tableau x
              (rename_tableau v0.model_tableau_field identity identity)
            ->
            (forall y:int.
               (is_symbol_free_var_in_tableau y v0.model_tableau_field /\
               eval (identity) y = x) -> x = eval (identity) y && x = y &&
               is_symbol_free_var_in_tableau x v0.model_tableau_field)
            && is_symbol_free_var_in_tableau x v0.model_tableau_field && (x)
            < (v0.nlfree_var_symbol_set_abstraction_tableau_field) && (x) <
            (res.nlfree_var_symbol_set_abstraction_tableau_field)
          } ;
        assert {
          forall x:int.
            is_fo_term_free_var_in_tableau x
              (rename_tableau v0.model_tableau_field identity identity)
            ->
            (forall y:int.
               (is_fo_term_free_var_in_tableau y v0.model_tableau_field /\
               eval (identity) y = x) -> x = eval (identity) y && x = y &&
               is_fo_term_free_var_in_tableau x v0.model_tableau_field)
            && is_fo_term_free_var_in_tableau x v0.model_tableau_field && (x)
            < (v0.nlfree_var_fo_term_set_abstraction_tableau_field) && (x) <
            (res.nlfree_var_fo_term_set_abstraction_tableau_field)
          } ;
        assert {
          forall x:int.
            is_symbol_free_var_in_fo_formula x
              (rename_fo_formula v1.model_fo_formula_field identity identity)
            ->
            (forall y:int.
               (is_symbol_free_var_in_fo_formula y v1.model_fo_formula_field
               /\ eval (identity) y = x) -> x = eval (identity) y &&
               x = y &&
               is_symbol_free_var_in_fo_formula x v1.model_fo_formula_field)
            && is_symbol_free_var_in_fo_formula x v1.model_fo_formula_field
            && (x) < (v1.nlfree_var_symbol_set_abstraction_fo_formula_field)
            && (x) < (res.nlfree_var_symbol_set_abstraction_tableau_field)
          } ;
        assert {
          forall x:int.
            is_fo_term_free_var_in_fo_formula x
              (rename_fo_formula v1.model_fo_formula_field identity identity)
            ->
            (forall y:int.
               (is_fo_term_free_var_in_fo_formula y v1.model_fo_formula_field
               /\ eval (identity) y = x) -> x = eval (identity) y &&
               x = y &&
               is_fo_term_free_var_in_fo_formula x v1.model_fo_formula_field)
            && is_fo_term_free_var_in_fo_formula x v1.model_fo_formula_field
            && (x) < (v1.nlfree_var_fo_term_set_abstraction_fo_formula_field)
            && (x) < (res.nlfree_var_fo_term_set_abstraction_tableau_field)
          } ;
        assert {
          forall x:int.
            is_symbol_free_var_in_fo_formula_list x
              (rename_fo_formula_list v2.model_fo_formula_list_field identity
                 identity)
            ->
            (forall y:int.
               (is_symbol_free_var_in_fo_formula_list y
                  v2.model_fo_formula_list_field
               /\ eval (identity) y = x) -> x = eval (identity) y &&
               x = y &&
               is_symbol_free_var_in_fo_formula_list x
                 v2.model_fo_formula_list_field)
            &&
            is_symbol_free_var_in_fo_formula_list x
              v2.model_fo_formula_list_field
            && (x) <
            (v2.nlfree_var_symbol_set_abstraction_fo_formula_list_field) &&
            (x) < (res.nlfree_var_symbol_set_abstraction_tableau_field)
          } ;
        assert {
          forall x:int.
            is_fo_term_free_var_in_fo_formula_list x
              (rename_fo_formula_list v2.model_fo_formula_list_field identity
                 identity)
            ->
            (forall y:int.
               (is_fo_term_free_var_in_fo_formula_list y
                  v2.model_fo_formula_list_field
               /\ eval (identity) y = x) -> x = eval (identity) y &&
               x = y &&
               is_fo_term_free_var_in_fo_formula_list x
                 v2.model_fo_formula_list_field)
            &&
            is_fo_term_free_var_in_fo_formula_list x
              v2.model_fo_formula_list_field
            && (x) <
            (v2.nlfree_var_fo_term_set_abstraction_fo_formula_list_field) &&
            (x) < (res.nlfree_var_fo_term_set_abstraction_tableau_field)
          } ;
        assert {
          forall x:int.
            is_symbol_free_var_in_tableau x res.model_tableau_field ->
            (is_symbol_free_var_in_tableau x
               (rename_tableau v0.model_tableau_field identity identity) \/
               is_symbol_free_var_in_fo_formula x
                 (rename_fo_formula v1.model_fo_formula_field identity
                    identity)
               \/
               is_symbol_free_var_in_fo_formula_list x
                 (rename_fo_formula_list v2.model_fo_formula_list_field
                    identity identity))
            && (x) < (res.nlfree_var_symbol_set_abstraction_tableau_field)
          } ;
        assert {
          forall x:int.
            is_fo_term_free_var_in_tableau x res.model_tableau_field ->
            (is_fo_term_free_var_in_tableau x
               (rename_tableau v0.model_tableau_field identity identity) \/
               is_fo_term_free_var_in_fo_formula x
                 (rename_fo_formula v1.model_fo_formula_field identity
                    identity)
               \/
               is_fo_term_free_var_in_fo_formula_list x
                 (rename_fo_formula_list v2.model_fo_formula_list_field
                    identity identity))
            && (x) < (res.nlfree_var_fo_term_set_abstraction_tableau_field)
          } ;
        assert {
          extensionalEqual (rename_subst_symbol subst_id_symbol identity)
            ((rename_subst_symbol (subst_id_symbol:(int)->(symbol (int)))
                identity))
          } ;
        assert { rename_subst_symbol subst_id_symbol identity =
          (rename_subst_symbol (subst_id_symbol:(int)->(symbol (int)))
             identity)
          } ;
        assert {
          extensionalEqual
            (rename_subst_fo_term subst_id_fo_term identity identity)
            ((rename_subst_fo_term
                (subst_id_fo_term:(int)->(fo_term (int) (int))) identity
                identity))
          } ;
        assert { rename_subst_fo_term subst_id_fo_term identity identity =
          (rename_subst_fo_term
             (subst_id_fo_term:(int)->(fo_term (int) (int))) identity
             identity)
          } ;
        model_equal_tableau v0.nlrepr_tableau_field
          (rename_subst_symbol subst_id_symbol identity)
          (rename_subst_symbol subst_id_symbol identity)
          ((rename_subst_symbol (const (Var_symbol (-1))) identity))
          (rename_subst_symbol (const (Var_symbol (-1))) identity)
          (rename_subst_fo_term subst_id_fo_term identity identity)
          (rename_subst_fo_term subst_id_fo_term identity identity)
          ((rename_subst_fo_term (const (Var_fo_term (-1))) identity
             identity))
          (rename_subst_fo_term (const (Var_fo_term (-1))) identity identity) ;
        (*assert {
            extensionalEqual (rcompose (identity) (identity))
              ((identity : (int) -> (int)))
            } ;
        assert { rcompose (identity) (identity) = (identity : (int) -> (int))
          } ;*)
        (*assert {
            extensionalEqual (rcompose (identity) (identity))
              ((identity : (int) -> (int)))
            } ;
        assert { rcompose (identity) (identity) = (identity : (int) -> (int))
          } ;*)
        assert {
          extensionalEqual (rename_subst_symbol subst_id_symbol identity)
            ((rename_subst_symbol (subst_id_symbol:(int)->(symbol (int)))
                identity))
          } ;
        assert { rename_subst_symbol subst_id_symbol identity =
          (rename_subst_symbol (subst_id_symbol:(int)->(symbol (int)))
             identity)
          } ;
        assert {
          extensionalEqual
            (rename_subst_fo_term subst_id_fo_term identity identity)
            ((rename_subst_fo_term
                (subst_id_fo_term:(int)->(fo_term (int) (int))) identity
                identity))
          } ;
        assert { rename_subst_fo_term subst_id_fo_term identity identity =
          (rename_subst_fo_term
             (subst_id_fo_term:(int)->(fo_term (int) (int))) identity
             identity)
          } ;
        model_equal_fo_formula v1.nlrepr_fo_formula_field
          (rename_subst_symbol subst_id_symbol identity)
          (rename_subst_symbol subst_id_symbol identity)
          ((rename_subst_symbol (const (Var_symbol (-1))) identity))
          (rename_subst_symbol (const (Var_symbol (-1))) identity)
          (rename_subst_fo_term subst_id_fo_term identity identity)
          (rename_subst_fo_term subst_id_fo_term identity identity)
          ((rename_subst_fo_term (const (Var_fo_term (-1))) identity
             identity))
          (rename_subst_fo_term (const (Var_fo_term (-1))) identity identity) ;
        (*assert {
            extensionalEqual (rcompose (identity) (identity))
              ((identity : (int) -> (int)))
            } ;
        assert { rcompose (identity) (identity) = (identity : (int) -> (int))
          } ;*)
        (*assert {
            extensionalEqual (rcompose (identity) (identity))
              ((identity : (int) -> (int)))
            } ;
        assert { rcompose (identity) (identity) = (identity : (int) -> (int))
          } ;*)
        assert {
          extensionalEqual (rename_subst_symbol subst_id_symbol identity)
            ((rename_subst_symbol (subst_id_symbol:(int)->(symbol (int)))
                identity))
          } ;
        assert { rename_subst_symbol subst_id_symbol identity =
          (rename_subst_symbol (subst_id_symbol:(int)->(symbol (int)))
             identity)
          } ;
        assert {
          extensionalEqual
            (rename_subst_fo_term subst_id_fo_term identity identity)
            ((rename_subst_fo_term
                (subst_id_fo_term:(int)->(fo_term (int) (int))) identity
                identity))
          } ;
        assert { rename_subst_fo_term subst_id_fo_term identity identity =
          (rename_subst_fo_term
             (subst_id_fo_term:(int)->(fo_term (int) (int))) identity
             identity)
          } ;
        model_equal_fo_formula_list v2.nlrepr_fo_formula_list_field
          (rename_subst_symbol subst_id_symbol identity)
          (rename_subst_symbol subst_id_symbol identity)
          ((rename_subst_symbol (const (Var_symbol (-1))) identity))
          (rename_subst_symbol (const (Var_symbol (-1))) identity)
          (rename_subst_fo_term subst_id_fo_term identity identity)
          (rename_subst_fo_term subst_id_fo_term identity identity)
          ((rename_subst_fo_term (const (Var_fo_term (-1))) identity
             identity))
          (rename_subst_fo_term (const (Var_fo_term (-1))) identity identity) ;
        (*assert {
            extensionalEqual (rcompose (identity) (identity))
              ((identity : (int) -> (int)))
            } ;
        assert { rcompose (identity) (identity) = (identity : (int) -> (int))
          } ;*)
        (*assert {
            extensionalEqual (rcompose (identity) (identity))
              ((identity : (int) -> (int)))
            } ;
        assert { rcompose (identity) (identity) = (identity : (int) -> (int))
          } ;*)
        res
    end

  let destruct_tableau (t:nlimpl_tableau) : cons_tableau
    requires { nlimpl_tableau_ok t } ensures { cons_ok_tableau result }
    ensures { cons_rel_tableau result t }
    ensures { cons_open_rel_tableau result t } =
    let fv0 = t.nlfree_var_symbol_set_abstraction_tableau_field in
    let fv1 = t.nlfree_var_fo_term_set_abstraction_tableau_field in
    match t.nlrepr_tableau_field with
      | NL_Root ->
        assert { t.model_tableau_field = Root } ;
          let () =
            match t.model_tableau_field with | Root -> ()
              | Node x0 x1 x2 -> absurd
            end
          in let res = NLC_Root in res
      | NL_Node v0 v1 v2 ->
        assert { t.model_tableau_field =
          Node
            (nlmodel_tableau v0
               (rename_subst_symbol subst_id_symbol identity)
               (rename_subst_symbol
                 (const (Var_symbol (-1)) : int -> (symbol int)) identity)
               (rename_subst_fo_term subst_id_fo_term identity identity)
               (rename_subst_fo_term
                 (const (Var_fo_term (-1)) : int -> (fo_term int int))
                 identity identity))
            (nlmodel_fo_formula v1
               (rename_subst_symbol subst_id_symbol identity)
               (rename_subst_symbol
                 (const (Var_symbol (-1)) : int -> (symbol int)) identity)
               (rename_subst_fo_term subst_id_fo_term identity identity)
               (rename_subst_fo_term
                 (const (Var_fo_term (-1)) : int -> (fo_term int int))
                 identity identity))
            (nlmodel_fo_formula_list v2
               (rename_subst_symbol subst_id_symbol identity)
               (rename_subst_symbol
                 (const (Var_symbol (-1)) : int -> (symbol int)) identity)
               (rename_subst_fo_term subst_id_fo_term identity identity)
               (rename_subst_fo_term
                 (const (Var_fo_term (-1)) : int -> (fo_term int int))
                 identity identity))
          } ;
          let (mv0 , mv1 , mv2) =
            match t.model_tableau_field with | Root -> absurd
              | Node x0 x1 x2 -> (x0 , x1 , x2)
            end
          in
          assert { mv0 =
            nlmodel_tableau v0
              ((rename_subst_symbol subst_id_symbol identity))
              ((rename_subst_symbol
                 (const (Var_symbol (-1)) : int -> (symbol int)) identity))
              ((rename_subst_fo_term subst_id_fo_term identity identity))
              ((rename_subst_fo_term
                 (const (Var_fo_term (-1)) : int -> (fo_term int int))
                 identity identity))
            } ;
          assert { mv1 =
            nlmodel_fo_formula v1
              ((rename_subst_symbol subst_id_symbol identity))
              ((rename_subst_symbol
                 (const (Var_symbol (-1)) : int -> (symbol int)) identity))
              ((rename_subst_fo_term subst_id_fo_term identity identity))
              ((rename_subst_fo_term
                 (const (Var_fo_term (-1)) : int -> (fo_term int int))
                 identity identity))
            } ;
          assert { mv2 =
            nlmodel_fo_formula_list v2
              ((rename_subst_symbol subst_id_symbol identity))
              ((rename_subst_symbol
                 (const (Var_symbol (-1)) : int -> (symbol int)) identity))
              ((rename_subst_fo_term subst_id_fo_term identity identity))
              ((rename_subst_fo_term
                 (const (Var_fo_term (-1)) : int -> (fo_term int int))
                 identity identity))
            } ;
          assert { bound_depth_of_symbol_in_tableau v0 <= 0 } ;
          assert {
            forall x:int. is_symbol_free_var_in_tableau x mv0 ->
              is_symbol_free_var_in_tableau x t.model_tableau_field && (x) <
              (t.nlfree_var_symbol_set_abstraction_tableau_field)
            } ;
          assert { bound_depth_of_fo_term_in_tableau v0 <= 0 } ;
          assert {
            forall x:int. is_fo_term_free_var_in_tableau x mv0 ->
              is_fo_term_free_var_in_tableau x t.model_tableau_field && (x) <
              (t.nlfree_var_fo_term_set_abstraction_tableau_field)
            } ;
          assert { bound_depth_of_symbol_in_fo_formula v1 <= 0 } ;
          assert {
            forall x:int. is_symbol_free_var_in_fo_formula x mv1 ->
              is_symbol_free_var_in_tableau x t.model_tableau_field && (x) <
              (t.nlfree_var_symbol_set_abstraction_tableau_field)
            } ;
          assert { bound_depth_of_fo_term_in_fo_formula v1 <= 0 } ;
          assert {
            forall x:int. is_fo_term_free_var_in_fo_formula x mv1 ->
              is_fo_term_free_var_in_tableau x t.model_tableau_field && (x) <
              (t.nlfree_var_fo_term_set_abstraction_tableau_field)
            } ;
          assert { bound_depth_of_symbol_in_fo_formula_list v2 <= 0 } ;
          assert {
            forall x:int. is_symbol_free_var_in_fo_formula_list x mv2 ->
              is_symbol_free_var_in_tableau x t.model_tableau_field && (x) <
              (t.nlfree_var_symbol_set_abstraction_tableau_field)
            } ;
          assert { bound_depth_of_fo_term_in_fo_formula_list v2 <= 0 } ;
          assert {
            forall x:int. is_fo_term_free_var_in_fo_formula_list x mv2 ->
              is_fo_term_free_var_in_tableau x t.model_tableau_field && (x) <
              (t.nlfree_var_fo_term_set_abstraction_tableau_field)
            } ;
          model_equal_tableau v0 subst_id_symbol
            (rename_subst_symbol
               ((rename_subst_symbol subst_id_symbol identity)) (identity)) ((
            const (Var_symbol (-1)) : int -> (symbol int)))
            (rename_subst_symbol
               ((rename_subst_symbol
                  (const (Var_symbol (-1)) : int -> (symbol int)) identity))
               (identity))
            subst_id_fo_term
            (rename_subst_fo_term
               ((rename_subst_fo_term subst_id_fo_term identity identity))
               (identity) (identity)) ((const (Var_fo_term (-1)) :
                                          int -> (fo_term int int)))
            (rename_subst_fo_term
               ((rename_subst_fo_term
                  (const (Var_fo_term (-1)) : int -> (fo_term int int))
                  identity identity))
               (identity) (identity)) ;
          model_equal_fo_formula v1 subst_id_symbol
            (rename_subst_symbol
               ((rename_subst_symbol subst_id_symbol identity)) (identity)) ((
            const (Var_symbol (-1)) : int -> (symbol int)))
            (rename_subst_symbol
               ((rename_subst_symbol
                  (const (Var_symbol (-1)) : int -> (symbol int)) identity))
               (identity))
            subst_id_fo_term
            (rename_subst_fo_term
               ((rename_subst_fo_term subst_id_fo_term identity identity))
               (identity) (identity)) ((const (Var_fo_term (-1)) :
                                          int -> (fo_term int int)))
            (rename_subst_fo_term
               ((rename_subst_fo_term
                  (const (Var_fo_term (-1)) : int -> (fo_term int int))
                  identity identity))
               (identity) (identity)) ;
          model_equal_fo_formula_list v2 subst_id_symbol
            (rename_subst_symbol
               ((rename_subst_symbol subst_id_symbol identity)) (identity)) ((
            const (Var_symbol (-1)) : int -> (symbol int)))
            (rename_subst_symbol
               ((rename_subst_symbol
                  (const (Var_symbol (-1)) : int -> (symbol int)) identity))
               (identity))
            subst_id_fo_term
            (rename_subst_fo_term
               ((rename_subst_fo_term subst_id_fo_term identity identity))
               (identity) (identity)) ((const (Var_fo_term (-1)) :
                                          int -> (fo_term int int)))
            (rename_subst_fo_term
               ((rename_subst_fo_term
                  (const (Var_fo_term (-1)) : int -> (fo_term int int))
                  identity identity))
               (identity) (identity)) ;
          let ghost mrv0 = rename_tableau mv0 identity identity in
          let ghost mrv1 = rename_fo_formula mv1 identity identity in
          let ghost mrv2 = rename_fo_formula_list mv2 identity identity in
          let resv0 =
            { nlrepr_tableau_field = v0 ;
              nlfree_var_symbol_set_abstraction_tableau_field = fv0 ;
              nlfree_var_fo_term_set_abstraction_tableau_field = fv1 ;
              model_tableau_field = ghost mrv0 ;
            }
          in
          let resv1 =
            { nlrepr_fo_formula_field = v1 ;
              nlfree_var_symbol_set_abstraction_fo_formula_field = fv0 ;
              nlfree_var_fo_term_set_abstraction_fo_formula_field = fv1 ;
              model_fo_formula_field = ghost mrv1 ;
            }
          in
          let resv2 =
            { nlrepr_fo_formula_list_field = v2 ;
              nlfree_var_symbol_set_abstraction_fo_formula_list_field = fv0 ;
              nlfree_var_fo_term_set_abstraction_fo_formula_list_field =
                fv1 ;
              model_fo_formula_list_field = ghost mrv2 ;
            }
          in let res = NLC_Node resv0 resv1 resv2 in
          free_var_equivalence_of_rename_tableau mv0 (identity)
            (rcompose (identity) (identity)) (identity)
            (rcompose (identity) (identity)) ;
          free_var_equivalence_of_rename_fo_formula mv1 (identity)
            (rcompose (identity) (identity)) (identity)
            (rcompose (identity) (identity)) ;
          free_var_equivalence_of_rename_fo_formula_list mv2 (identity)
            (rcompose (identity) (identity)) (identity)
            (rcompose (identity) (identity)) ;
          assert {
            forall x:int. is_symbol_free_var_in_tableau x mrv0 ->
              (forall y:int.
                 (is_symbol_free_var_in_tableau y mv0 /\ eval (identity) y =
                    x)
                 -> x = y &&
                 is_symbol_free_var_in_tableau x t.model_tableau_field && (x)
                 < (fv0))
              && (x) < (fv0)
            } ;
          assert {
            forall x:int. is_fo_term_free_var_in_tableau x mrv0 ->
              (forall y:int.
                 (is_fo_term_free_var_in_tableau y mv0 /\ eval (identity) y =
                    x)
                 -> x = y &&
                 is_fo_term_free_var_in_tableau x t.model_tableau_field &&
                 (x) < (fv1))
              && (x) < (fv1)
            } ;
          assert {
            forall x:int. is_symbol_free_var_in_fo_formula x mrv1 ->
              (forall y:int.
                 (is_symbol_free_var_in_fo_formula y mv1 /\ eval (identity) y
                    = x)
                 -> x = y &&
                 is_symbol_free_var_in_tableau x t.model_tableau_field && (x)
                 < (fv0))
              && (x) < (fv0)
            } ;
          assert {
            forall x:int. is_fo_term_free_var_in_fo_formula x mrv1 ->
              (forall y:int.
                 (is_fo_term_free_var_in_fo_formula y mv1 /\
                    eval (identity) y = x)
                 -> x = y &&
                 is_fo_term_free_var_in_tableau x t.model_tableau_field &&
                 (x) < (fv1))
              && (x) < (fv1)
            } ;
          assert {
            forall x:int. is_symbol_free_var_in_fo_formula_list x mrv2 ->
              (forall y:int.
                 (is_symbol_free_var_in_fo_formula_list y mv2 /\
                    eval (identity) y = x)
                 -> x = y &&
                 is_symbol_free_var_in_tableau x t.model_tableau_field && (x)
                 < (fv0))
              && (x) < (fv0)
            } ;
          assert {
            forall x:int. is_fo_term_free_var_in_fo_formula_list x mrv2 ->
              (forall y:int.
                 (is_fo_term_free_var_in_fo_formula_list y mv2 /\
                    eval (identity) y = x)
                 -> x = y &&
                 is_fo_term_free_var_in_tableau x t.model_tableau_field &&
                 (x) < (fv1))
              && (x) < (fv1)
            } ;
          res
    end

  let nlsubst_symbol_in_tableau (t:nlimpl_tableau) (x:int)
    (u:nlimpl_symbol) : nlimpl_tableau requires { nlimpl_tableau_ok t }
    requires { nlimpl_symbol_ok u } ensures { nlimpl_tableau_ok result }
    ensures { result.model_tableau_field =
      subst_tableau t.model_tableau_field
        (update (subst_id_symbol: (int) -> (symbol (int))) x
           u.model_symbol_field)
        (subst_id_fo_term: (int) -> (fo_term (int) (int)))
      }
    =
    model_equal_tableau t.nlrepr_tableau_field
      (subst_compose_symbol subst_id_symbol
         ((update (subst_id_symbol: (int) -> (symbol (int))) x
             u.model_symbol_field)))
      ((update (subst_id_symbol: (int) -> (symbol (int))) x
          u.model_symbol_field))
      (subst_compose_symbol (const (Var_symbol (-1)))
         ((update (subst_id_symbol: (int) -> (symbol (int))) x
             u.model_symbol_field)))
      ((const (Var_symbol (-1))))
      (subst_compose_fo_term subst_id_fo_term
         ((update (subst_id_symbol: (int) -> (symbol (int))) x
             u.model_symbol_field))
         ((subst_id_fo_term: (int) -> (fo_term (int) (int)))))
      ((subst_id_fo_term: (int) -> (fo_term (int) (int))))
      (subst_compose_fo_term (const (Var_fo_term (-1)))
         ((update (subst_id_symbol: (int) -> (symbol (int))) x
             u.model_symbol_field))
         ((subst_id_fo_term: (int) -> (fo_term (int) (int)))))
      ((const (Var_fo_term (-1))));
    let res =
      {
        nlrepr_tableau_field =
          subst_base_symbol_in_tableau t.nlrepr_tableau_field x
            u.nlrepr_symbol_field (subst_id_symbol)
            ((const (Var_symbol (-1)))) (subst_id_fo_term)
            ((const (Var_fo_term (-1)))) ((const (Var_symbol (-1)))) ;
        nlfree_var_symbol_set_abstraction_tableau_field =
          (let aux (a:int) (b:int) : int
             ensures { result >= a /\ result >= b } = if a < b then b else a
             in
             aux (t.nlfree_var_symbol_set_abstraction_tableau_field)
               (u.nlfree_var_symbol_set_abstraction_symbol_field)) ;
        nlfree_var_fo_term_set_abstraction_tableau_field =
          t.nlfree_var_fo_term_set_abstraction_tableau_field ;
        model_tableau_field = ghost
          subst_tableau t.model_tableau_field
            (update (subst_id_symbol: (int) -> (symbol (int))) x
               u.model_symbol_field)
            (subst_id_fo_term: (int) -> (fo_term (int) (int))) ;
      }
    in
    assert {
      forall x2:int. is_symbol_free_var_in_tableau x2 res.model_tableau_field
        ->
        (true /\
           (forall y:int.
              (is_symbol_free_var_in_tableau y t.model_tableau_field /\
                 is_symbol_free_var_in_symbol x2
                   (eval
                      ((update (subst_id_symbol: (int) -> (symbol (int))) x
                          u.model_symbol_field))
                      y))
              ->
              ((x = y -> (x2) <
                  (res.nlfree_var_symbol_set_abstraction_tableau_field))
                 /\
                 (x <> y -> x2 = y && (x2) <
                    (res.nlfree_var_symbol_set_abstraction_tableau_field)))
                 && (x2) <
                 (res.nlfree_var_symbol_set_abstraction_tableau_field))
           /\
           (forall y:int.
              (is_fo_term_free_var_in_tableau y t.model_tableau_field /\
                 is_symbol_free_var_in_fo_term x2
                   (eval ((subst_id_fo_term: (int) -> (fo_term (int) (int))))
                      y))
              -> false))
        && (x2) < (res.nlfree_var_symbol_set_abstraction_tableau_field)
      } ;
    assert {
      forall x2:int.
        is_fo_term_free_var_in_tableau x2 res.model_tableau_field ->
        (true /\
           (forall y:int.
              (is_fo_term_free_var_in_tableau y t.model_tableau_field /\
                 is_fo_term_free_var_in_fo_term x2
                   (eval ((subst_id_fo_term: (int) -> (fo_term (int) (int))))
                      y))
              -> x2 = y && (x2) <
              (res.nlfree_var_fo_term_set_abstraction_tableau_field)))
        && (x2) < (res.nlfree_var_fo_term_set_abstraction_tableau_field)
      } ;
    res

  let nlsubst_fo_term_in_tableau (t:nlimpl_tableau) (x:int)
    (u:nlimpl_fo_term) : nlimpl_tableau requires { nlimpl_tableau_ok t }
    requires { nlimpl_fo_term_ok u } ensures { nlimpl_tableau_ok result }
    ensures { result.model_tableau_field =
      subst_tableau t.model_tableau_field
        (subst_id_symbol: (int) -> (symbol (int)))
        (update (subst_id_fo_term: (int) -> (fo_term (int) (int))) x
           u.model_fo_term_field)
      }
    =
    model_equal_tableau t.nlrepr_tableau_field
      (subst_compose_symbol subst_id_symbol
         ((subst_id_symbol: (int) -> (symbol (int)))))
      ((subst_id_symbol: (int) -> (symbol (int))))
      (subst_compose_symbol (const (Var_symbol (-1)))
         ((subst_id_symbol: (int) -> (symbol (int)))))
      ((const (Var_symbol (-1))))
      (subst_compose_fo_term subst_id_fo_term
         ((subst_id_symbol: (int) -> (symbol (int))))
         ((update (subst_id_fo_term: (int) -> (fo_term (int) (int))) x
             u.model_fo_term_field)))
      ((update (subst_id_fo_term: (int) -> (fo_term (int) (int))) x
          u.model_fo_term_field))
      (subst_compose_fo_term (const (Var_fo_term (-1)))
         ((subst_id_symbol: (int) -> (symbol (int))))
         ((update (subst_id_fo_term: (int) -> (fo_term (int) (int))) x
             u.model_fo_term_field)))
      ((const (Var_fo_term (-1))));
    let res =
      {
        nlrepr_tableau_field =
          subst_base_fo_term_in_tableau t.nlrepr_tableau_field x
            u.nlrepr_fo_term_field (subst_id_symbol)
            ((const (Var_symbol (-1)))) (subst_id_fo_term)
            ((const (Var_fo_term (-1)))) ((const (Var_symbol (-1))))
            ((const (Var_fo_term (-1)))) ;
        nlfree_var_symbol_set_abstraction_tableau_field =
          (let aux (a:int) (b:int) : int
             ensures { result >= a /\ result >= b } = if a < b then b else a
             in
             aux (t.nlfree_var_symbol_set_abstraction_tableau_field)
               (u.nlfree_var_symbol_set_abstraction_fo_term_field)) ;
        nlfree_var_fo_term_set_abstraction_tableau_field =
          (let aux (a:int) (b:int) : int
             ensures { result >= a /\ result >= b } = if a < b then b else a
             in
             aux (t.nlfree_var_fo_term_set_abstraction_tableau_field)
               (u.nlfree_var_fo_term_set_abstraction_fo_term_field)) ;
        model_tableau_field = ghost
          subst_tableau t.model_tableau_field
            (subst_id_symbol: (int) -> (symbol (int)))
            (update (subst_id_fo_term: (int) -> (fo_term (int) (int))) x
               u.model_fo_term_field) ;
      }
    in
    assert {
      forall x2:int. is_symbol_free_var_in_tableau x2 res.model_tableau_field
        ->
        (true /\
           (forall y:int.
              (is_symbol_free_var_in_tableau y t.model_tableau_field /\
                 is_symbol_free_var_in_symbol x2
                   (eval ((subst_id_symbol: (int) -> (symbol (int)))) y))
              -> x2 = y && (x2) <
              (res.nlfree_var_symbol_set_abstraction_tableau_field))
           /\
           (forall y:int.
              (is_fo_term_free_var_in_tableau y t.model_tableau_field /\
                 is_symbol_free_var_in_fo_term x2
                   (eval
                      ((update
                          (subst_id_fo_term: (int) -> (fo_term (int) (int)))
                          x u.model_fo_term_field))
                      y))
              ->
              ((x = y -> (x2) <
                  (res.nlfree_var_symbol_set_abstraction_tableau_field))
                 /\ (x <> y -> false)) && (x2) <
                 (res.nlfree_var_symbol_set_abstraction_tableau_field)))
        && (x2) < (res.nlfree_var_symbol_set_abstraction_tableau_field)
      } ;
    assert {
      forall x2:int.
        is_fo_term_free_var_in_tableau x2 res.model_tableau_field ->
        (true /\
           (forall y:int.
              (is_fo_term_free_var_in_tableau y t.model_tableau_field /\
                 is_fo_term_free_var_in_fo_term x2
                   (eval
                      ((update
                          (subst_id_fo_term: (int) -> (fo_term (int) (int)))
                          x u.model_fo_term_field))
                      y))
              ->
              ((x = y -> (x2) <
                  (res.nlfree_var_fo_term_set_abstraction_tableau_field))
                 /\
                 (x <> y -> x2 = y && (x2) <
                    (res.nlfree_var_fo_term_set_abstraction_tableau_field)))
                 && (x2) <
                 (res.nlfree_var_fo_term_set_abstraction_tableau_field)))
        && (x2) < (res.nlfree_var_fo_term_set_abstraction_tableau_field)
      } ;
    res


end
why3-1.6.0/examples/prover/Firstorder_tableau_impl/000077500000000000000000000000001440160026300224005ustar00rootroot00000000000000why3-1.6.0/examples/prover/Firstorder_tableau_impl/why3session.xml000066400000000000000000001002721440160026300254220ustar00rootroot00000000000000










 
 
 
 
 
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
 
 
 
 
 
 
 
 
 
 
 
 
 
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
 
 


 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
 
 
 
 
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
 
 
 
 
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
  
  
  
  
   
   
   
   
   
   
   
   
   
  
  
  
  
  
  
  
  
 
 
 
 
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
  
  
  
  
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
  
  
  
  
  
  
  
  
 
 



why3-1.6.0/examples/prover/Firstorder_tableau_impl/why3shapes.gz000066400000000000000000000321311440160026300250400ustar00rootroot00000000000000koHзٝq,ʍ
-8hme[^Y.ɼ1ŖhRb0s 3??_w_
_>}ԆV{?>~{Ț]nZ^3󏻦z/݇_ǣsՉoPR׿Ym~BR_}|WSsOJ͊|g7ب?n
{÷\}ڈi<||
2rMQeQLC{yKLi,}܏^wnnVUm֮»U}ƔCN׉aHN^f#B1yO{>c2҇ljk0˃Cmbc{6}kK>q#*^Y
ؤ*,i_`fFeX|j\+~ZSSs_kʍCc!s]3-F[Lˌ5ϴXLck
1"g#r-U..|Wi\*{YӬ,
lE+8"xHN =m3IՏUOg\ebU*g\[l9H/vERV

.JeY  ґV~zg

^Vg12F359;sX	J
-lڙGEBهK1>^Km?*p
_%7{zP,uP?>2p9*?"b{O%kw9s>1ԇ

nLJWU7ǖ88_*.Tw߿4?i0|eg{u3L`W9;Ux$suBzkۧݗ/	”w이Tdm%ժ0ti-6vsd2{؟}k[OֻĻLivތZMY
9bN0bŌa3ε^u1boĩ7OT~[7Ve8MgtJMnۛ=oo:kI{SYHڛ=-=6Ye
A<̉#zL#0By쥚pu!A!A!őW~t3we=eX	’’’,K2?ǒ@u!A!A!ő`u‡‡‡C Xvi<~ҩv1/7S97ۿq,Lvd=)i&kEI0Y+JZ	?=@c趹EggnB(C..(((((TJygD+nJigfu+++/RNօoM,= X\wTÞRDnTAt:O_6FzC~ zf-`qHw89mJC%!b}ڸm`j#1H]o#4	W*9g_H3+G1r|r*=6/ȑ©!{)י	pWF=8bbRS}~/@+:l{xz31LYFJ[Y
FԨ[[Hvi!
B jK֘7{'ni]<)IoZZ*zיX$Pdgi,#g"b@DP`Mf/ ![z$*eChyW Lbd)Mr RX7g7Jh>hMrd'H=dO|nlkX.IrIPLjLU>Mn/jdR-/Ǒez$A
dRJBeĉM"IIE_[6Ӻ&W"E%;irzIHɉH>ǟBٿq$RJ%iAtchRn)F[F6*=#󟣋լfВ2\˷w|}~i!L(4+}1QGkLi=J&z$PjzD_E0&S'عb-(O=r'!6)'ȉx8̓X<Ŕ)?)>C(=
)ғ[nڿ§1
N^Χ/wsR#kL35ȥͩql8Ke_>ݷ_fXʚK>GCZCG
-hzDБb	&mL8nQzVT;ˀǝx^o'ZH:fL`({G
Ç|:ǧN\?hB!3|Y0Nn_zϪ/Za'1[a"A,/w1{YbhSh-FZx$罋O@K{*pj@SN^pN9(pfx`g?ؿ(w`xĈE<ǝ8C'	}rzCL=/'ƸGzic)lGBPzƊ?ñC?3%HWzKSϞ?^>^y 0_s&/X?Gqqy^*3ZƄ/0di͡c3s


^V낀E)	0\a&#օAAAAACCÅҡߪ
[[M`rҪ3{N̝ٹokmClCMf	trggZ@F:c:N~]M?iŮva%+dc;Vxo1XNϊ'u25[\:ǮgYug BP_RRc@=I25Y""""L_suEEŅ>zx`=ݿBad6Y7lُ~0001↮PPP.1C:7}Il\783۶qvpvGics3]\?US\\%]m]U\U\U\UU,\ž)WyQn5օ			Ƅ^	8783Nw/04P׽UUg
)/`BBB#yC[@@@]@ǃw@#8/$I'/N^*=TPPpɏ788Qk}rѳ\nd| @&轫|/{x	nEO0&
A9W)Sptη¹x9<3o3w[I ȵօNr|Fp1Ϳi-d[r-|LLs@&!օƂ޶.((xX1>~I
_NNIFmjvݝޡ>&n=akHQ/~5Y,?_ 㟆Z'ʢOOЂLF]ߞ8d%x-s~-;	|GEG8ӴлZ)P?G^?\tZnCԷ{ n

.i\\6_b+z$^yљ4[dK^496Y)
nV]8lP&ŷLoCO׻_SJc3}g"Oy+0qnbY]D7^_n܆V_cv&CZ:D]z7wwD.,řz@@]6(/dׅvvv)EKca!i!Ӑ
[b6
6LO6v#'̀:r.`*`*``JɁq
5~=*x=}>jL{-rs=C&d2$)d*d4*?A)!PQQ㵬
-<	6aӜkϟ6H6¦aӉSBW'+ZXz2Q/2s=#^`#
ft9`W&PQQ|x}÷5Xzzϓ^Gʽl9 y$qR-^%"""o"rw/իJu|V ){Ɯϟx>;wܥ(M?
~RENIU8MݨTl[$s[Φrc.)%&F4;MP)VABҿCxC5ܧ*dioa"}K7=%y/zܪ,OBL=Z
9|IF_UT
.(((8%'!x)
cz3 9  Oِ|딋.@d^љvka|{b..((x36&ؙEmrf=MM;??}4QLZ'MZ?5Q'QQ%QW[TG[d{
%:uTP> #BBB#A/_g1<=eX%*YB*pݺa0[BBBeBwȵKh`X_ΒKeFo玧ύόOO?~xUUۺKKKڤK\mv.ig]rDPŠL)laǷ0E>.,(,(,4q{~NBŌP1}틤qI_RRP!59l]PPpqP[n]QQg\}:![;>&&lh|Xt/nw:ɿ7>a_>AI橤LBn(dzK%P.vz!RJOϠ=/n%=0P%|WLrZy	G]@ 4@LHH	,y`ą/ErЉb'E<'V<'(((no[=-B"QЦ6~Ri^|2~+sL\G~|`h=q$ 
Z
Z
ZNeo0r-+))	[_>Xœ+lBWصqiOW>}
=żq@%TϏBBK%ψyp>0_'Z1PG%ݷ5(hr*a0050안#6_P `׻'T
־QLa@gO5_ӕESP엧ث,zȀ,[K.N%wN],ؖn9rL.ᘜk?jP*~EOWqL^<^8X<Gdppi<ɲb)"	z$MʄB=qIȼo?ˤOCЧ+7˘̴WTX|bF#΃5N=O-S!'ǩЋ⩐,ރ7>.@qwwOӅ([?X*zo#"N9&#)NgpJn?S豛jZ)5g=1΢j7fhz2/YIuY`ڍ`}E
p㤸%٩<ꅧ> ȽpbaBB%`a_/888\fpuCC+rմ;`׈5bB1#衈([O?
>2Nq_Ns5O8X:5{͜iF̳tK'{Man_B4|vڅvn9zsCI6ָ}cO4ggòm+1!MHgr܀M|7U._򌟾*{YcISᅂg->T|
=fř3gz3^o%G+VyoVzdiip>}kowh+my$ӑ,/3;SK&G @І^vc
nt鿐BCWcفn_=
mw̨~m1lM2?9;2KNLL^ޯ	)荁	Z[*lʅ7bcz.$r-N՞ze
sUhQ뒛0Ċ#8[o0j+[Ɠ)Rkw0
Deǹ9W4ݰ.`P+|˄(4(4(4(4Q>\Op]R‰‰ɉoĥћ'k^Vc}ݫ;|PpG
D
D+[@IC!Z!!





̷_8g=3zS\%r<
wG%Ft$jDХNK<
]ٍl:]5օI=.
-<(<(
'_2/,x@ZyM.))y}aHw%u!@!AF_>>ư0}5޲7~;::n%F4yC\҉"Um	~v8ċ'7.gŶt>59O6gT]sv6gҖe挧o(զ3i1Wj^6u4b6S[X?}b/d1.b/s^|R=yƞǭQOL73]eSYd@\?E_=}t
_|
]

^/f7~ޱ s!E!E![ E{Ç(((x˸8a0ReiTjI=r-*'z({^o=GOОN.D(D(D(D8 FϣgTjF{c2
2
2Q8q7v";~D

o
{ycm?""^"vnT@P@P@p 8|\#z0{faȁjjrr.gwHTwP,T{+T˼;   p 
	
	
	.{>d]††dž~q,{sDAA_=   pu:aܕ|1/9AAmvNۮf6R?էo?A.}Ͻn(u`_<ӞO槣!`.				Go^lcٴL#څ9V9nZ7BWL7Y=wJ;c*?Ni8BVz/QRh2ߨp+^S760ڧm+}SzC1Kmb4r\pa^ʠ55^kVռ6Ίʉ*T[Wbj|
fu;i=qr6iښ*͕Ru͍LpU%G;pqʹ],x-S9AJvmgk09AkNcLBTV;YK_׆娜,Lk42ҋ
0=uӰhT8
.0WG|uc*YW!xiA 1	I'A5]QTfC֪U-DڡsmW+{[icn%\`&CRtؕ@w124ZoC1,$f${Cu%DFūԵmv<.9W
-+R
q&+e
≹©%gT@
]h0\k:s	tA
uM0)C#ʅ1g`&K;i0IQÇJS)OaN:4ք:8.Fᵕc`p]0+VMƹ V >P)=Et^zUi֑:2pC0!pY:_bl aq
f'05bD140c]MӬ'PmaOt)Ԣha!Fn$I-VvLP<DJBSʨ[b,+xCyzC`B&HaD}b1BB.*BB*1m{P%8$\lB)wgqf~"iH9%M@񕡴ȕ_P
I)ZW	+:!-8#.|7Tl1
:xCAc`z/S4Nj٠k<Fت2X\kJ eőbfՈ["#ÖI8_n6"m	ЗS+!I5- 8O"JrZh5U3̎'y!`(O$m_ή@p4\ZK8E[CZ<(&вi$jäx81<&hj/W?.Qgia::!a4./ĸ$&0	
|2N;m_Nب"j!0yId}9U
M@-P`ơ=\An0}.@v}9kd|N3o+H>׬2H*Ѯ!+ܶjxx_ή0H8F,H
S(BRDn!eL !rj?k@3z 4z
GUa^iIV`2*dWM.D8	BwCH9$.4DL
&1Z/R?*jHca_YpUP9JƥBGaV{`R*Xy 
N(w]ePw5ߠ0`Cl =gu'1'E[xq:ehVBuH1~G~[5pA
ӌNPC|?Hp(x
&lr X_94BNS	O@*Gl!xK#0ͅLîF ULEŐT
&9-B@V+	f/ /XLPj]!۪
$qGt6H
Z!@V7P.|B:
pc`ND&}G>;vh\+^!!Fz ID7Fw(|P1d< 88qXoؖBFER@`4&'Xiu? ~H	H#V!٘]#'pb{maDI_9G :+d$BsZd
(ӰG}9I+V0
։ U]kU%+A7 8
1ې2d.p'HW)YM&1;Y@=YD*hhR шL/c)ԶP
H\1ڡ@,1B7HjaOp}$sh$.8-"C`
$Ė2tTy-6I{k 3$P s$`q>ơ/utC*.xT(H?d$iCKiBL[ԄmkcSix4NVB5Vʊľ@Ƈ6Mb  !hdIc.r`FPZ$R`mŐCZdHqX=4nbxDO,
E:xw|W$`mݣlaUH@X!E{v_uF%VxqCYl}m5-E!#[ɾ`~U7t@m$mhYGi\, K7$$䘕LVtWS v84b6(5QC *U!ڸAxG71Rθ`'"Ŝ R&	_|cz'(`D& ':N&,RRDPJȣB&UKXwhy3-1.6.0/examples/prover/Firstorder_tableau_spec.mlw000066400000000000000000001035031440160026300231140ustar00rootroot00000000000000module Spec
  use option.Option
  use int.Int
  use Nat.Nat
  use Functions.Func
  use OptionFuncs.Funcs
  use Sum.Sum
  use Firstorder_symbol_spec.Spec
  use Firstorder_term_spec.Spec
  use Firstorder_formula_spec.Spec
  use Firstorder_formula_list_spec.Spec
  type tableau 'b0 'b1 =
    | Root
    | Node (tableau 'b0 'b1) (fo_formula 'b0 'b1) (fo_formula_list 'b0 'b1)
    
  
  function nat_size_tableau (t:tableau 'b0 'b1) : nat =
    match t with | Root -> let s = one_nat in s
      | Node v0 v1 v2 ->
        let s = one_nat in let s = add_nat (nat_size_fo_formula_list v2) s in
          let s = add_nat (nat_size_fo_formula v1) s in
          let s = add_nat (nat_size_tableau v0) s in s
    end
  
  with size_tableau (t:tableau 'b0 'b1) : int =
    match t with | Root -> let s = 1 in s
      | Node v0 v1 v2 ->
        let s = 1 in let s = size_fo_formula_list v2 + s in
          let s = size_fo_formula v1 + s in let s = size_tableau v0 + s in s
    end
  
  let rec lemma size_positive_lemma_tableau (t:tableau 'b0 'b1) : unit
    ensures { size_tableau t > 0 }
    variant { nat_to_int (nat_size_tableau t) } =
    match t with | Root -> ()
      | Node v0 v1 v2 ->
        size_positive_lemma_tableau v0 ; size_positive_lemma_fo_formula v1 ;
          size_positive_lemma_fo_formula_list v2 ; ()
    end
  
  function rename_tableau (t:tableau 'b0 'b1) (s0:'b0 -> 'c0)
    (s1:'b1 -> 'c1) : tableau 'c0 'c1 =
    match t with | Root -> Root
      | Node v0 v1 v2 ->
        Node (rename_tableau v0 s0 s1) (rename_fo_formula v1 s0 s1)
          (rename_fo_formula_list v2 s0 s1)
    end
  
  let rec lemma renaming_composition_lemma_tableau (t:tableau 'b0 'b1)
    (s10:'b0 -> 'c0) (s11:'b1 -> 'c1) (s20:'c0 -> 'd0) (s21:'c1 -> 'd1) :
    unit
    ensures { rename_tableau (rename_tableau t s10 s11) s20 s21 =
      rename_tableau t (rcompose s10 s20) (rcompose s11 s21) }
    variant { size_tableau t } =
    match t with | Root -> ()
      | Node v0 v1 v2 ->
        renaming_composition_lemma_tableau v0 s10 s11 s20 s21 ;
          renaming_composition_lemma_fo_formula v1 s10 s11 s20 s21 ;
          renaming_composition_lemma_fo_formula_list v2 s10 s11 s20 s21 ; ()
    end
  
  let rec lemma renaming_identity_lemma_tableau (t:tableau 'b0 'b1) : unit
    ensures { rename_tableau t identity identity = t }
    variant { size_tableau t } =
    match t with | Root -> ()
      | Node v0 v1 v2 ->
        renaming_identity_lemma_tableau v0 ;
          renaming_identity_lemma_fo_formula v1 ;
          renaming_identity_lemma_fo_formula_list v2 ; ()
    end
  
  function subst_tableau (t:tableau 'b0 'b1) (s0:'b0 -> (symbol 'c0))
    (s1:'b1 -> (fo_term 'c0 'c1)) : tableau 'c0 'c1 =
    match t with | Root -> Root
      | Node v0 v1 v2 ->
        Node
          (subst_tableau v0 (rename_subst_symbol s0 identity)
            (rename_subst_fo_term s1 identity identity))
          (subst_fo_formula v1 (rename_subst_symbol s0 identity)
            (rename_subst_fo_term s1 identity identity))
          (subst_fo_formula_list v2 (rename_subst_symbol s0 identity)
            (rename_subst_fo_term s1 identity identity))
    end
  
  let rec lemma rename_then_subst_composition_lemma_tableau
    (t:tableau 'b0 'b1) (s10:'b0 -> 'c0) (s11:'b1 -> 'c1)
    (s20:'c0 -> (symbol 'd0)) (s21:'c1 -> (fo_term 'd0 'd1)) : unit
    ensures { subst_tableau (rename_tableau t s10 s11) s20 s21 =
      subst_tableau t (rcompose s10 s20) (rcompose s11 s21) }
    variant { size_tableau t } =
    match t with | Root -> ()
      | Node v0 v1 v2 ->
        rename_then_subst_composition_lemma_tableau v0 s10 s11
          (rename_subst_symbol s20 identity)
          (rename_subst_fo_term s21 identity identity) ;
          rename_then_subst_composition_lemma_fo_formula v1 s10 s11
          (rename_subst_symbol s20 identity)
          (rename_subst_fo_term s21 identity identity) ;
          rename_then_subst_composition_lemma_fo_formula_list v2 s10 s11
          (rename_subst_symbol s20 identity)
          (rename_subst_fo_term s21 identity identity) ; ()
    end
  
  let rec lemma subst_then_rename_composition_lemma_tableau
    (t:tableau 'b0 'b1) (s10:'b0 -> (symbol 'c0))
    (s11:'b1 -> (fo_term 'c0 'c1)) (s20:'c0 -> 'd0) (s21:'c1 -> 'd1) : unit
    ensures { rename_tableau (subst_tableau t s10 s11) s20 s21 =
      subst_tableau t (rename_subst_symbol s10 s20)
        (rename_subst_fo_term s11 s20 s21)
      }
    variant { size_tableau t } =
    match t with | Root -> ()
      | Node v0 v1 v2 ->
        subst_then_rename_composition_lemma_tableau v0
          (rename_subst_symbol s10 identity)
          (rename_subst_fo_term s11 identity identity) s20 s21 ;
          subst_then_rename_composition_lemma_fo_formula v1
          (rename_subst_symbol s10 identity)
          (rename_subst_fo_term s11 identity identity) s20 s21 ;
          subst_then_rename_composition_lemma_fo_formula_list v2
          (rename_subst_symbol s10 identity)
          (rename_subst_fo_term s11 identity identity) s20 s21 ; ()
    end
  
  let rec lemma subst_composition_lemma_tableau (t:tableau 'b0 'b1)
    (s10:'b0 -> (symbol 'c0)) (s11:'b1 -> (fo_term 'c0 'c1))
    (s20:'c0 -> (symbol 'd0)) (s21:'c1 -> (fo_term 'd0 'd1)) : unit
    ensures { subst_tableau (subst_tableau t s10 s11) s20 s21 =
      subst_tableau t (subst_compose_symbol s10 s20)
        (subst_compose_fo_term s11 s20 s21)
      }
    variant { size_tableau t } =
    match t with | Root -> ()
      | Node v0 v1 v2 ->
        subst_composition_lemma_tableau v0 (rename_subst_symbol s10 identity)
          (rename_subst_fo_term s11 identity identity)
          (rename_subst_symbol s20 identity)
          (rename_subst_fo_term s21 identity identity) ;
          subst_composition_lemma_fo_formula v1
          (rename_subst_symbol s10 identity)
          (rename_subst_fo_term s11 identity identity)
          (rename_subst_symbol s20 identity)
          (rename_subst_fo_term s21 identity identity) ;
          subst_composition_lemma_fo_formula_list v2
          (rename_subst_symbol s10 identity)
          (rename_subst_fo_term s11 identity identity)
          (rename_subst_symbol s20 identity)
          (rename_subst_fo_term s21 identity identity) ; ()
    end
  
  let rec lemma subst_identity_lemma_tableau (t:tableau 'b0 'b1) : unit
    ensures { subst_tableau t subst_id_symbol subst_id_fo_term = t }
    variant { size_tableau t } =
    match t with | Root -> ()
      | Node v0 v1 v2 ->
        subst_identity_lemma_tableau v0 ; subst_identity_lemma_fo_formula
          v1 ; subst_identity_lemma_fo_formula_list v2 ; ()
    end
  
  let rec lemma renaming_preserve_size_tableau (t:tableau 'b0 'b1)
    (s0:'b0 -> 'c0) (s1:'b1 -> 'c1) : unit
    ensures { size_tableau (rename_tableau t s0 s1) = size_tableau t }
    variant { size_tableau t } =
    match t with | Root -> ()
      | Node v0 v1 v2 ->
        renaming_preserve_size_tableau v0 (s0) (s1) ;
          renaming_preserve_size_fo_formula v1 (s0) (s1) ;
          renaming_preserve_size_fo_formula_list v2 (s0) (s1) ; ()
    end
  
  predicate is_symbol_free_var_in_tableau (x:'b0) (t:tableau 'b0 'b1) =
    match t with | Root -> false
      | Node v0 v1 v2 ->
        is_symbol_free_var_in_tableau x v0 \/
          is_symbol_free_var_in_fo_formula x v1 \/
          is_symbol_free_var_in_fo_formula_list x v2
    end
  
  with is_fo_term_free_var_in_tableau (x:'b1) (t:tableau 'b0 'b1) =
    match t with | Root -> false
      | Node v0 v1 v2 ->
        is_fo_term_free_var_in_tableau x v0 \/
          is_fo_term_free_var_in_fo_formula x v1 \/
          is_fo_term_free_var_in_fo_formula_list x v2
    end
  
  let rec ghost rename_free_var_constructive_inversion_symbol_tableau (x:'c0)
    (t:tableau 'b0 'b1) (s0:'b0 -> 'c0) (s1:'b1 -> 'c1) : 'b0
    requires { is_symbol_free_var_in_tableau x (rename_tableau t s0 s1) }
    ensures { is_symbol_free_var_in_tableau result t /\ s0 result = x }
    variant { size_tableau t } =
    match t with | Root -> absurd
      | Node v0 v1 v2 ->
        if is_symbol_free_var_in_tableau x (rename_tableau v0 s0 s1)
          then
            let sumx =
              rename_free_var_constructive_inversion_symbol_tableau x v0 s0
                s1
            in sumx 
          else
            if is_symbol_free_var_in_fo_formula x
                 (rename_fo_formula v1 s0 s1)
              then
                let sumx =
                  rename_free_var_constructive_inversion_symbol_fo_formula x
                    v1 s0 s1
                in sumx 
              else
                if is_symbol_free_var_in_fo_formula_list x
                     (rename_fo_formula_list v2 s0 s1)
                  then
                    let sumx =
                      rename_free_var_constructive_inversion_symbol_fo_formula_list
                        x v2 s0 s1
                    in sumx 
                  else absurd
    end
  
  with lemma rename_free_var_inversion_symbol_tableau (x:'c0)
    (t:tableau 'b0 'b1) (s0:'b0 -> 'c0) (s1:'b1 -> 'c1) : unit
    requires { is_symbol_free_var_in_tableau x (rename_tableau t s0 s1) }
    ensures { exists y:'b0. is_symbol_free_var_in_tableau y t /\ s0 y = x }
    variant { 1 + size_tableau t } =
    let sumx =
      rename_free_var_constructive_inversion_symbol_tableau x t s0 s1
    in ()
  
  with ghost rename_free_var_constructive_inversion_fo_term_tableau (x:'c1)
    (t:tableau 'b0 'b1) (s0:'b0 -> 'c0) (s1:'b1 -> 'c1) : 'b1
    requires { is_fo_term_free_var_in_tableau x (rename_tableau t s0 s1) }
    ensures { is_fo_term_free_var_in_tableau result t /\ s1 result = x }
    variant { size_tableau t } =
    match t with | Root -> absurd
      | Node v0 v1 v2 ->
        if is_fo_term_free_var_in_tableau x (rename_tableau v0 s0 s1)
          then
            let sumx =
              rename_free_var_constructive_inversion_fo_term_tableau x v0 s0
                s1
            in sumx 
          else
            if is_fo_term_free_var_in_fo_formula x
                 (rename_fo_formula v1 s0 s1)
              then
                let sumx =
                  rename_free_var_constructive_inversion_fo_term_fo_formula x
                    v1 s0 s1
                in sumx 
              else
                if is_fo_term_free_var_in_fo_formula_list x
                     (rename_fo_formula_list v2 s0 s1)
                  then
                    let sumx =
                      rename_free_var_constructive_inversion_fo_term_fo_formula_list
                        x v2 s0 s1
                    in sumx 
                  else absurd
    end
  
  with lemma rename_free_var_inversion_fo_term_tableau (x:'c1)
    (t:tableau 'b0 'b1) (s0:'b0 -> 'c0) (s1:'b1 -> 'c1) : unit
    requires { is_fo_term_free_var_in_tableau x (rename_tableau t s0 s1) }
    ensures { exists y:'b1. is_fo_term_free_var_in_tableau y t /\ s1 y = x }
    variant { 1 + size_tableau t } =
    let sumx =
      rename_free_var_constructive_inversion_fo_term_tableau x t s0 s1
    in ()
  
  let rec lemma rename_free_var_propagation_symbol_tableau (x:'b0)
    (t:tableau 'b0 'b1) (s0:'b0 -> 'c0) (s1:'b1 -> 'c1) : unit
    ensures { is_symbol_free_var_in_tableau x t ->
      is_symbol_free_var_in_tableau (s0 x) (rename_tableau t s0 s1) }
    variant { size_tableau t } =
    match t with | Root -> ()
      | Node v0 v1 v2 ->
        rename_free_var_propagation_symbol_tableau x v0 (s0) (s1) ;
          rename_free_var_propagation_symbol_fo_formula x v1 (s0) (s1) ;
          rename_free_var_propagation_symbol_fo_formula_list x v2 (s0) (s1) ;
          ()
    end
  
  with lemma rename_free_var_propagation_fo_term_tableau (x:'b1)
    (t:tableau 'b0 'b1) (s0:'b0 -> 'c0) (s1:'b1 -> 'c1) : unit
    ensures { is_fo_term_free_var_in_tableau x t ->
      is_fo_term_free_var_in_tableau (s1 x) (rename_tableau t s0 s1) }
    variant { size_tableau t } =
    match t with | Root -> ()
      | Node v0 v1 v2 ->
        rename_free_var_propagation_fo_term_tableau x v0 (s0) (s1) ;
          rename_free_var_propagation_fo_term_fo_formula x v1 (s0) (s1) ;
          rename_free_var_propagation_fo_term_fo_formula_list x v2 (s0)
          (s1) ; ()
    end
  
  let rec ghost subst_free_var_constructive_inversion_symbol_tableau (x:'c0)
    (t:tableau 'b0 'b1) (s0:'b0 -> (symbol 'c0))
    (s1:'b1 -> (fo_term 'c0 'c1)) : sum ('b0) ('b1)
    requires { is_symbol_free_var_in_tableau x (subst_tableau t s0 s1) }
    ensures { let sumx = result in
      match sumx with | Left sumx ->
        is_symbol_free_var_in_tableau sumx t /\
          is_symbol_free_var_in_symbol x (s0 sumx)
        | Right sumx ->
        is_fo_term_free_var_in_tableau sumx t /\
          is_symbol_free_var_in_fo_term x (s1 sumx)
      end }
    variant { size_tableau t } =
    match t with | Root -> absurd
      | Node v0 v1 v2 ->
        if is_symbol_free_var_in_tableau x
             (subst_tableau v0 (rename_subst_symbol s0 identity)
                (rename_subst_fo_term s1 identity identity))
          then
            let sumx =
              subst_free_var_constructive_inversion_symbol_tableau x v0
                (rename_subst_symbol s0 identity)
                (rename_subst_fo_term s1 identity identity)
            in
            match sumx with | Left sumx ->
              let y =
                rename_free_var_constructive_inversion_symbol_symbol x
                  (eval s0 sumx) identity 
                in assert { y = x } ; Left sumx
              | Right sumx ->
              Right
                (let y =
                   rename_free_var_constructive_inversion_symbol_fo_term x
                     (eval s1 sumx) identity identity 
                in assert { y = x } ; sumx)
            end 
          else
            if is_symbol_free_var_in_fo_formula x
                 (subst_fo_formula v1 (rename_subst_symbol s0 identity)
                    (rename_subst_fo_term s1 identity identity))
              then
                let sumx =
                  subst_free_var_constructive_inversion_symbol_fo_formula x
                    v1 (rename_subst_symbol s0 identity)
                    (rename_subst_fo_term s1 identity identity)
                in
                match sumx with | Left sumx ->
                  let y =
                    rename_free_var_constructive_inversion_symbol_symbol x
                      (eval s0 sumx) identity 
                    in assert { y = x } ; Left sumx
                  | Right sumx ->
                  Right
                    (let y =
                       rename_free_var_constructive_inversion_symbol_fo_term
                         x (eval s1 sumx) identity identity 
                    in assert { y = x } ; sumx)
                end 
              else
                if is_symbol_free_var_in_fo_formula_list x
                     (subst_fo_formula_list v2
                        (rename_subst_symbol s0 identity)
                        (rename_subst_fo_term s1 identity identity))
                  then
                    let sumx =
                      subst_free_var_constructive_inversion_symbol_fo_formula_list
                        x v2 (rename_subst_symbol s0 identity)
                        (rename_subst_fo_term s1 identity identity)
                    in
                    match sumx with | Left sumx ->
                      let y =
                        rename_free_var_constructive_inversion_symbol_symbol
                          x (eval s0 sumx) identity 
                        in assert { y = x } ; Left sumx
                      | Right sumx ->
                      Right
                        (let y =
                           rename_free_var_constructive_inversion_symbol_fo_term
                             x (eval s1 sumx) identity identity 
                        in assert { y = x } ; sumx)
                    end 
                  else absurd
    end
  
  with lemma subst_free_var_inversion_symbol_tableau (x:'c0)
    (t:tableau 'b0 'b1) (s0:'b0 -> (symbol 'c0))
    (s1:'b1 -> (fo_term 'c0 'c1)) : unit
    requires { is_symbol_free_var_in_tableau x (subst_tableau t s0 s1) }
    ensures {
      (exists y:'b0. is_symbol_free_var_in_tableau y t /\
         is_symbol_free_var_in_symbol x (s0 y))
      \/
      (exists y:'b1. is_fo_term_free_var_in_tableau y t /\
         is_symbol_free_var_in_fo_term x (s1 y))
      }
    variant { 1 + size_tableau t } =
    let sumx = subst_free_var_constructive_inversion_symbol_tableau x t s0 s1
    in match sumx with | Left sumx -> () | Right sumx -> () end
  
  with ghost subst_free_var_constructive_inversion_fo_term_tableau (x:'c1)
    (t:tableau 'b0 'b1) (s0:'b0 -> (symbol 'c0))
    (s1:'b1 -> (fo_term 'c0 'c1)) : 'b1
    requires { is_fo_term_free_var_in_tableau x (subst_tableau t s0 s1) }
    ensures { let sumx = result in is_fo_term_free_var_in_tableau sumx t /\
      is_fo_term_free_var_in_fo_term x (s1 sumx) }
    variant { size_tableau t } =
    match t with | Root -> absurd
      | Node v0 v1 v2 ->
        if is_fo_term_free_var_in_tableau x
             (subst_tableau v0 (rename_subst_symbol s0 identity)
                (rename_subst_fo_term s1 identity identity))
          then
            let sumx =
              subst_free_var_constructive_inversion_fo_term_tableau x v0
                (rename_subst_symbol s0 identity)
                (rename_subst_fo_term s1 identity identity)
            in
            let y =
              rename_free_var_constructive_inversion_fo_term_fo_term x
                (eval s1 sumx) identity identity 
            in assert { y = x } ; sumx 
          else
            if is_fo_term_free_var_in_fo_formula x
                 (subst_fo_formula v1 (rename_subst_symbol s0 identity)
                    (rename_subst_fo_term s1 identity identity))
              then
                let sumx =
                  subst_free_var_constructive_inversion_fo_term_fo_formula x
                    v1 (rename_subst_symbol s0 identity)
                    (rename_subst_fo_term s1 identity identity)
                in
                let y =
                  rename_free_var_constructive_inversion_fo_term_fo_term x
                    (eval s1 sumx) identity identity 
                in assert { y = x } ; sumx 
              else
                if is_fo_term_free_var_in_fo_formula_list x
                     (subst_fo_formula_list v2
                        (rename_subst_symbol s0 identity)
                        (rename_subst_fo_term s1 identity identity))
                  then
                    let sumx =
                      subst_free_var_constructive_inversion_fo_term_fo_formula_list
                        x v2 (rename_subst_symbol s0 identity)
                        (rename_subst_fo_term s1 identity identity)
                    in
                    let y =
                      rename_free_var_constructive_inversion_fo_term_fo_term
                        x (eval s1 sumx) identity identity 
                    in assert { y = x } ; sumx 
                  else absurd
    end
  
  with lemma subst_free_var_inversion_fo_term_tableau (x:'c1)
    (t:tableau 'b0 'b1) (s0:'b0 -> (symbol 'c0))
    (s1:'b1 -> (fo_term 'c0 'c1)) : unit
    requires { is_fo_term_free_var_in_tableau x (subst_tableau t s0 s1) }
    ensures {
      (exists y:'b1. is_fo_term_free_var_in_tableau y t /\
         is_fo_term_free_var_in_fo_term x (s1 y))
      }
    variant { 1 + size_tableau t } =
    let sumx =
      subst_free_var_constructive_inversion_fo_term_tableau x t s0 s1
    in ()
  
  let rec lemma subst_free_var_propagation_symbol_symbol_tableau (x:'b0)
    (y:'c0) (t:tableau 'b0 'b1) (s0:'b0 -> (symbol 'c0))
    (s1:'b1 -> (fo_term 'c0 'c1)):  unit
    ensures {
      is_symbol_free_var_in_tableau x t /\
        is_symbol_free_var_in_symbol y (s0 x) ->
      is_symbol_free_var_in_tableau y (subst_tableau t s0 s1) }
    variant { size_tableau t } =
    match t with | Root -> ()
      | Node v0 v1 v2 ->
        subst_free_var_propagation_symbol_symbol_tableau x y v0
          ((rename_subst_symbol s0 identity))
          ((rename_subst_fo_term s1 identity identity)) ;
          rename_free_var_propagation_symbol_symbol y (eval s0 x) identity ;
          assert { is_symbol_free_var_in_symbol y (s0 x) ->
            is_symbol_free_var_in_symbol y
              (eval ((rename_subst_symbol s0 identity)) x)
            } ;
          subst_free_var_propagation_symbol_symbol_fo_formula x y v1
            ((rename_subst_symbol s0 identity))
            ((rename_subst_fo_term s1 identity identity)) ;
          rename_free_var_propagation_symbol_symbol y (eval s0 x) identity ;
          assert { is_symbol_free_var_in_symbol y (s0 x) ->
            is_symbol_free_var_in_symbol y
              (eval ((rename_subst_symbol s0 identity)) x)
            } ;
          subst_free_var_propagation_symbol_symbol_fo_formula_list x y v2
            ((rename_subst_symbol s0 identity))
            ((rename_subst_fo_term s1 identity identity)) ;
          rename_free_var_propagation_symbol_symbol y (eval s0 x) identity ;
          assert { is_symbol_free_var_in_symbol y (s0 x) ->
            is_symbol_free_var_in_symbol y
              (eval ((rename_subst_symbol s0 identity)) x)
            } ;
          ()
    end
  
  with lemma subst_free_var_propagation_fo_term_symbol_tableau (x:'b1)
    (y:'c0) (t:tableau 'b0 'b1) (s0:'b0 -> (symbol 'c0))
    (s1:'b1 -> (fo_term 'c0 'c1)):  unit
    ensures {
      is_fo_term_free_var_in_tableau x t /\
        is_symbol_free_var_in_fo_term y (s1 x) ->
      is_symbol_free_var_in_tableau y (subst_tableau t s0 s1) }
    variant { size_tableau t } =
    match t with | Root -> ()
      | Node v0 v1 v2 ->
        subst_free_var_propagation_fo_term_symbol_tableau x y v0
          ((rename_subst_symbol s0 identity))
          ((rename_subst_fo_term s1 identity identity)) ;
          rename_free_var_propagation_symbol_fo_term y (eval s1 x) identity
            identity ;
          assert { is_symbol_free_var_in_fo_term y (s1 x) ->
            is_symbol_free_var_in_fo_term y
              (eval ((rename_subst_fo_term s1 identity identity)) x)
            } ;
          subst_free_var_propagation_fo_term_symbol_fo_formula x y v1
            ((rename_subst_symbol s0 identity))
            ((rename_subst_fo_term s1 identity identity)) ;
          rename_free_var_propagation_symbol_fo_term y (eval s1 x) identity
            identity ;
          assert { is_symbol_free_var_in_fo_term y (s1 x) ->
            is_symbol_free_var_in_fo_term y
              (eval ((rename_subst_fo_term s1 identity identity)) x)
            } ;
          subst_free_var_propagation_fo_term_symbol_fo_formula_list x y v2
            ((rename_subst_symbol s0 identity))
            ((rename_subst_fo_term s1 identity identity)) ;
          rename_free_var_propagation_symbol_fo_term y (eval s1 x) identity
            identity ;
          assert { is_symbol_free_var_in_fo_term y (s1 x) ->
            is_symbol_free_var_in_fo_term y
              (eval ((rename_subst_fo_term s1 identity identity)) x)
            } ;
          ()
    end
  
  with lemma subst_free_var_propagation_fo_term_fo_term_tableau (x:'b1)
    (y:'c1) (t:tableau 'b0 'b1) (s0:'b0 -> (symbol 'c0))
    (s1:'b1 -> (fo_term 'c0 'c1)):  unit
    ensures {
      is_fo_term_free_var_in_tableau x t /\
        is_fo_term_free_var_in_fo_term y (s1 x) ->
      is_fo_term_free_var_in_tableau y (subst_tableau t s0 s1) }
    variant { size_tableau t } =
    match t with | Root -> ()
      | Node v0 v1 v2 ->
        subst_free_var_propagation_fo_term_fo_term_tableau x y v0
          ((rename_subst_symbol s0 identity))
          ((rename_subst_fo_term s1 identity identity)) ;
          rename_free_var_propagation_fo_term_fo_term y (eval s1 x) identity
            identity ;
          assert { is_fo_term_free_var_in_fo_term y (s1 x) ->
            is_fo_term_free_var_in_fo_term y
              (eval ((rename_subst_fo_term s1 identity identity)) x)
            } ;
          subst_free_var_propagation_fo_term_fo_term_fo_formula x y v1
            ((rename_subst_symbol s0 identity))
            ((rename_subst_fo_term s1 identity identity)) ;
          rename_free_var_propagation_fo_term_fo_term y (eval s1 x) identity
            identity ;
          assert { is_fo_term_free_var_in_fo_term y (s1 x) ->
            is_fo_term_free_var_in_fo_term y
              (eval ((rename_subst_fo_term s1 identity identity)) x)
            } ;
          subst_free_var_propagation_fo_term_fo_term_fo_formula_list x y v2
            ((rename_subst_symbol s0 identity))
            ((rename_subst_fo_term s1 identity identity)) ;
          rename_free_var_propagation_fo_term_fo_term y (eval s1 x) identity
            identity ;
          assert { is_fo_term_free_var_in_fo_term y (s1 x) ->
            is_fo_term_free_var_in_fo_term y
              (eval ((rename_subst_fo_term s1 identity identity)) x)
            } ;
          ()
    end
  
  let rec lemma free_var_equivalence_of_subst_tableau (t:tableau 'b0 'b1)
    (s10:'b0 -> (symbol 'c0)) (s20:'b0 -> (symbol 'c0))
    (s11:'b1 -> (fo_term 'c0 'c1)) (s21:'b1 -> (fo_term 'c0 'c1)) : unit
    requires {
      forall x:'b0. is_symbol_free_var_in_tableau x t -> s10 x = s20 x }
    requires {
      forall x:'b1. is_fo_term_free_var_in_tableau x t -> s11 x = s21 x }
    ensures { subst_tableau t s10 s11 = subst_tableau t s20 s21 }
    variant { size_tableau t } =
    match t with | Root -> ()
      | Node v0 v1 v2 ->
        assert {
          forall x:'b0. is_symbol_free_var_in_tableau x v0 ->
            is_symbol_free_var_in_tableau x t
          } ;
          assert {
            forall x:'b1. is_fo_term_free_var_in_tableau x v0 ->
              is_fo_term_free_var_in_tableau x t
            } ;
          free_var_equivalence_of_subst_tableau v0
            ((rename_subst_symbol s10 identity))
            ((rename_subst_symbol s20 identity))
            ((rename_subst_fo_term s11 identity identity))
            ((rename_subst_fo_term s21 identity identity)) ;
          assert {
            forall x:'b0. is_symbol_free_var_in_fo_formula x v1 ->
              is_symbol_free_var_in_tableau x t
            } ;
          assert {
            forall x:'b1. is_fo_term_free_var_in_fo_formula x v1 ->
              is_fo_term_free_var_in_tableau x t
            } ;
          free_var_equivalence_of_subst_fo_formula v1
            ((rename_subst_symbol s10 identity))
            ((rename_subst_symbol s20 identity))
            ((rename_subst_fo_term s11 identity identity))
            ((rename_subst_fo_term s21 identity identity)) ;
          assert {
            forall x:'b0. is_symbol_free_var_in_fo_formula_list x v2 ->
              is_symbol_free_var_in_tableau x t
            } ;
          assert {
            forall x:'b1. is_fo_term_free_var_in_fo_formula_list x v2 ->
              is_fo_term_free_var_in_tableau x t
            } ;
          free_var_equivalence_of_subst_fo_formula_list v2
            ((rename_subst_symbol s10 identity))
            ((rename_subst_symbol s20 identity))
            ((rename_subst_fo_term s11 identity identity))
            ((rename_subst_fo_term s21 identity identity)) ;
          ()
    end
  
  let lemma free_var_equivalence_of_rename_tableau (t:tableau 'b0 'b1)
    (s10:'b0 -> 'c0) (s20:'b0 -> 'c0) (s11:'b1 -> 'c1) (s21:'b1 -> 'c1) :
    unit
    requires {
      forall x:'b0. is_symbol_free_var_in_tableau x t -> s10 x = s20 x }
    requires {
      forall x:'b1. is_fo_term_free_var_in_tableau x t -> s11 x = s21 x }
    ensures { rename_tableau t s10 s11 = rename_tableau t s20 s21 } =
    free_var_equivalence_of_subst_tableau t (subst_of_rename_symbol s10)
      (subst_of_rename_symbol s20) (subst_of_rename_fo_term s11)
      (subst_of_rename_fo_term s21)
  
  let rec lemma free_var_derive_equivalence_of_subst_tableau
    (t:tableau 'b0 'b1) (s10:'b0 -> (symbol 'c0)) (s20:'b0 -> (symbol 'c0))
    (s11:'b1 -> (fo_term 'c0 'c1)) (s21:'b1 -> (fo_term 'c0 'c1)) : unit
    ensures {
      forall x:'b0. is_symbol_free_var_in_tableau x t -> s10 x = s20 x }
    ensures {
      forall x:'b1. is_fo_term_free_var_in_tableau x t -> s11 x = s21 x }
    requires { subst_tableau t s10 s11 = subst_tableau t s20 s21 }
    variant { size_tableau t } =
    match t with | Root -> ()
      | Node v0 v1 v2 ->
        free_var_derive_equivalence_of_subst_tableau v0
          ((rename_subst_symbol s10 identity))
          ((rename_subst_symbol s20 identity))
          ((rename_subst_fo_term s11 identity identity))
          ((rename_subst_fo_term s21 identity identity));
          assert {
            (forall x:'b0, y0:'c0. is_symbol_free_var_in_tableau x v0 ->
               rename_symbol (s10 x) identity =
               eval ((rename_subst_symbol s10 identity)) x =
               eval ((rename_subst_symbol s20 identity)) x =
               rename_symbol (s20 x) identity && s10 x =
               rename_symbol (rename_symbol (s10 x) identity) identity =
               rename_symbol (rename_symbol (s20 x) identity) identity =
               s20 x && s10 x = s20 x)
            &&
            forall x:'b0. is_symbol_free_var_in_tableau x v0 -> s10 x = s20 x
            };
          assert {
            (forall x:'b1, y0:'c0, y1:'c1.
               is_fo_term_free_var_in_tableau x v0 ->
               rename_fo_term (s11 x) identity identity =
               eval ((rename_subst_fo_term s11 identity identity)) x =
               eval ((rename_subst_fo_term s21 identity identity)) x =
               rename_fo_term (s21 x) identity identity && s11 x =
               rename_fo_term (rename_fo_term (s11 x) identity identity)
                 identity identity
               =
               rename_fo_term (rename_fo_term (s21 x) identity identity)
                 identity identity
               = s21 x && s11 x = s21 x)
            &&
            forall x:'b1. is_fo_term_free_var_in_tableau x v0 -> s11 x =
              s21 x
            } ;
          free_var_derive_equivalence_of_subst_fo_formula v1
            ((rename_subst_symbol s10 identity))
            ((rename_subst_symbol s20 identity))
            ((rename_subst_fo_term s11 identity identity))
            ((rename_subst_fo_term s21 identity identity));
          assert {
            (forall x:'b0, y0:'c0. is_symbol_free_var_in_fo_formula x v1 ->
               rename_symbol (s10 x) identity =
               eval ((rename_subst_symbol s10 identity)) x =
               eval ((rename_subst_symbol s20 identity)) x =
               rename_symbol (s20 x) identity && s10 x =
               rename_symbol (rename_symbol (s10 x) identity) identity =
               rename_symbol (rename_symbol (s20 x) identity) identity =
               s20 x && s10 x = s20 x)
            &&
            forall x:'b0. is_symbol_free_var_in_fo_formula x v1 -> s10 x =
              s20 x
            };
          assert {
            (forall x:'b1, y0:'c0, y1:'c1.
               is_fo_term_free_var_in_fo_formula x v1 ->
               rename_fo_term (s11 x) identity identity =
               eval ((rename_subst_fo_term s11 identity identity)) x =
               eval ((rename_subst_fo_term s21 identity identity)) x =
               rename_fo_term (s21 x) identity identity && s11 x =
               rename_fo_term (rename_fo_term (s11 x) identity identity)
                 identity identity
               =
               rename_fo_term (rename_fo_term (s21 x) identity identity)
                 identity identity
               = s21 x && s11 x = s21 x)
            &&
            forall x:'b1. is_fo_term_free_var_in_fo_formula x v1 -> s11 x =
              s21 x
            } ;
          free_var_derive_equivalence_of_subst_fo_formula_list v2
            ((rename_subst_symbol s10 identity))
            ((rename_subst_symbol s20 identity))
            ((rename_subst_fo_term s11 identity identity))
            ((rename_subst_fo_term s21 identity identity));
          assert {
            (forall x:'b0, y0:'c0. is_symbol_free_var_in_fo_formula_list x v2
               -> rename_symbol (s10 x) identity =
               eval ((rename_subst_symbol s10 identity)) x =
               eval ((rename_subst_symbol s20 identity)) x =
               rename_symbol (s20 x) identity && s10 x =
               rename_symbol (rename_symbol (s10 x) identity) identity =
               rename_symbol (rename_symbol (s20 x) identity) identity =
               s20 x && s10 x = s20 x)
            &&
            forall x:'b0. is_symbol_free_var_in_fo_formula_list x v2 -> s10 x
              = s20 x
            };
          assert {
            (forall x:'b1, y0:'c0, y1:'c1.
               is_fo_term_free_var_in_fo_formula_list x v2 ->
               rename_fo_term (s11 x) identity identity =
               eval ((rename_subst_fo_term s11 identity identity)) x =
               eval ((rename_subst_fo_term s21 identity identity)) x =
               rename_fo_term (s21 x) identity identity && s11 x =
               rename_fo_term (rename_fo_term (s11 x) identity identity)
                 identity identity
               =
               rename_fo_term (rename_fo_term (s21 x) identity identity)
                 identity identity
               = s21 x && s11 x = s21 x)
            &&
            forall x:'b1. is_fo_term_free_var_in_fo_formula_list x v2 ->
              s11 x = s21 x
            } ;
          ()
    end
  
  let lemma free_var_derive_equivalence_of_rename_tableau (t:tableau 'b0 'b1)
    (s10:'b0 -> 'c0) (s20:'b0 -> 'c0) (s11:'b1 -> 'c1) (s21:'b1 -> 'c1) :
    unit
    ensures {
      forall x:'b0. is_symbol_free_var_in_tableau x t -> s10 x = s20 x }
    ensures {
      forall x:'b1. is_fo_term_free_var_in_tableau x t -> s11 x = s21 x }
    requires { rename_tableau t s10 s11 = rename_tableau t s20 s21 } =
    free_var_derive_equivalence_of_subst_tableau t
      (subst_of_rename_symbol s10) (subst_of_rename_symbol s20)
      (subst_of_rename_fo_term s11) (subst_of_rename_fo_term s21);
    assert {
      forall x:'b0. (subst_of_rename_symbol s10 x:symbol 'c0) =
        (subst_of_rename_symbol s20 x:symbol 'c0) ->
        (Var_symbol (s10 x):symbol 'c0) = (Var_symbol (s20 x):symbol 'c0) &&
        s10 x = s20 x
      };
    assert {
      forall x:'b1. (subst_of_rename_fo_term s11 x:fo_term 'c0 'c1) =
        (subst_of_rename_fo_term s21 x:fo_term 'c0 'c1) ->
        (Var_fo_term (s11 x):fo_term 'c0 'c1) =
        (Var_fo_term (s21 x):fo_term 'c0 'c1) && s11 x = s21 x
      }
  
  
end


why3-1.6.0/examples/prover/Firstorder_tableau_spec/000077500000000000000000000000001440160026300223715ustar00rootroot00000000000000why3-1.6.0/examples/prover/Firstorder_tableau_spec/why3session.xml000066400000000000000000000236101440160026300254130ustar00rootroot00000000000000







 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
  
  
  
  
  
  
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
 
 
 
 
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
 
 
 
 
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
 
 
 
 
 
 
 
 
 
 
 
 
 
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
 
 



why3-1.6.0/examples/prover/Firstorder_tableau_spec/why3shapes.gz000066400000000000000000000117041440160026300250340ustar00rootroot00000000000000]Yo~ׯ/ D0,!_6il )1̮d~`G/8\`Ac2=F-',%RiG	lf^
<9"~4/="P}MGX7Ukz"0yA䬽0sAVQ?7χ$ĎyN1"_O*T̺	&Ӂ	Ly8*~(1uDV0kWlxf/
3ӆL;w1_8wl&"Kfl cC-!QI)[UZ;8R`hxɴ>$}R T!E(%نB`F33fa~DdyE1'A"AI;ESfPXti*,'uUf-*?XB38I*FH*ZfJ%e[nH#5Aqȸ.$:BJtYzqKSErH[
uN蜠Oh;hRhhxN*d(Yy2Z[K5ɜcy"3Y$BltxC!(ony8Zgyvl=`J laS'{QZ3@DL֌,@<(>Г&5YJ-+טWhy}h\*kCG-:Fi	K,EܶM,f蠰ա*#˒:B@8TjqC(#_8֫ߓ 81[bx,NՕx~XUړ bbuu3tzOc^Zԙ|6A:Rd#6UDZ^l!)RuN
Dhwzi&0-OO=}q]Kya$yrñCh$oN*8)>ף HiAKAcJߗ3t77ó3~>)XA!xH'xJ%`:,c3M2f/Cms,,485	)+tO$<uys}joG>SИrL )c	'7`z2JYvctl-+l	!2t!"4]\ hB-dQ؊XH,,FJZl}t79I'pu[48xE$/e0\dn;skz&,Cze |ۋ/gP)C6eۅLK^7nS9OO+h9mw	V_,qvser	FXve*VTTtSphջlK,ʥ*csNO	)^
(i@?rkSE;(gTjAFQ(43VdP
sQ7F$)RPĎj*X(t]jMK4wARԚWȚ3
@A`\C+iD+cl'{ϡ6.3DKL)1hijC# 
$7u)tYHFʥ!wZR8ώ&ʅe7[\>	יE_&I^*\J|&\33!S
oӨٖ{+	xy@+}Ky.QALH	ߗpiꆨ$mʻhӢ1eM	0d-d(lӯ{uǡ
Wz:%W,xGygs]AjQy>ՀH7T+Kأ8uߔza6h<..5]iut6Y:t/4$+a=App#"@CRD2[%a??3"[oڿ:d;б~:ŝNi#oyXtP=]M
3k:yaر4μRjPJRRRjPJeRR#@ߜ@>̉s[D$w#cKy"$=
Y]&^[),Xo7Ù~酌ҊdQs"۰S:zZ^c2|).Zb!:aS`JFPevBWqbZITneJƌ5l*Z+Dqk=1 k5CDš!x$
a
e50tTSNeIuZô¤xhO7)J(-K̈[ú²f,U^y,
T
Ғâ|EY0qG0b;ƒQQrGHEpEЬk򦑄4HA75m,a;XE#'T`rzKR-4b#"""#ðWbwF)Js":WV% 6O̍UjGIEq!%XkzvFsVI'H,7RzX0/Uq	-5`
5`\pJ4hPEIqq--@d8Z(cbbbx[C^cBIJ0	dg$DT(dM61[OCAЂɼ# let s = one_nat in s
      | NL_FOCons v0 v1 ->
        let s = one_nat in let s = add_nat (nat_nlsize_fo_term_list v1) s in
          let s = add_nat (nat_nlsize_fo_term v0) s in s
    end

  with nat_nlsize_fo_term (t:nl_fo_term 'b0 'b3) : nat =
    match t with | NLFVar_fo_term v0 -> one_nat
      | NLBruijn_fo_term v0 -> one_nat
      | NL_App v0 v1 ->
        let s = one_nat in let s = add_nat (nat_nlsize_fo_term_list v1) s in
          let s = add_nat (nat_nlsize_symbol v0) s in s
    end

  with nlsize_fo_term_list (t:nl_fo_term_list 'b0 'b3) : int =
    match t with | NL_FONil -> let s = 1 in s
      | NL_FOCons v0 v1 ->
        let s = 1 in let s = nlsize_fo_term_list v1 + s in
          let s = nlsize_fo_term v0 + s in s
    end

  with nlsize_fo_term (t:nl_fo_term 'b0 'b3) : int =
    match t with | NLFVar_fo_term v0 -> 1 | NLBruijn_fo_term v0 -> 1
      | NL_App v0 v1 ->
        let s = 1 in let s = nlsize_fo_term_list v1 + s in
          let s = nlsize_symbol v0 + s in s
    end

  let rec lemma nlsize_positive_lemma_fo_term_list
    (t:nl_fo_term_list 'b0 'b3) : unit ensures { nlsize_fo_term_list t > 0 }
    variant { nat_to_int (nat_nlsize_fo_term_list t) } =
    match t with | NL_FONil -> ()
      | NL_FOCons v0 v1 ->
        nlsize_positive_lemma_fo_term v0 ;
          nlsize_positive_lemma_fo_term_list v1 ; ()
    end

  with lemma nlsize_positive_lemma_fo_term (t:nl_fo_term 'b0 'b3) : unit
    ensures { nlsize_fo_term t > 0 }
    variant { nat_to_int (nat_nlsize_fo_term t) } =
    match t with | NLFVar_fo_term v0 -> () | NLBruijn_fo_term v0 -> ()
      | NL_App v0 v1 ->
        nlsize_positive_lemma_symbol v0 ;
          nlsize_positive_lemma_fo_term_list v1 ; ()
    end

  (* Abstraction definition axiom :
      function shiftb_fo_term (bnd: int -> (fo_term 'b0 'b3)) :
         int -> (fo_term 'b0 (option 'b3)) =
        (\ i:int.
           if i = 0 then Var_fo_term None
             else rename_fo_term (bnd (i-1)) identity some)*)
  function shiftb_fo_term (bnd: int -> (fo_term 'b0 'b3)) :
     int -> (fo_term 'b0 (option 'b3))
  axiom shiftb_fo_term_definition :
    forall bnd: int -> (fo_term 'b0 'b3), i:int.
      eval (shiftb_fo_term bnd) i =
        if i = 0 then Var_fo_term None
          else rename_fo_term (bnd (i-1)) identity some

  let lemma shiftb_compose_lemma_fo_term (bnd: int -> (fo_term 'b0 'b3))
    (s0:'b0 -> (symbol 'c0)) (s3:'b3 -> (fo_term 'c0 'c3)) : unit
    ensures {
      subst_compose_fo_term (shiftb_fo_term bnd)
        (rename_subst_symbol s0 identity) (olifts_fo_term s3)
      = shiftb_fo_term (subst_compose_fo_term bnd s0 s3) }
    =
    assert {
      forall i:int. (i = 0 \/ i <> 0) ->
        subst_fo_term (shiftb_fo_term bnd i)
          (rename_subst_symbol s0 identity) (olifts_fo_term s3)
        = eval (shiftb_fo_term (subst_compose_fo_term bnd s0 s3)) i
      } ;
    assert {
      extensionalEqual
        (subst_compose_fo_term (shiftb_fo_term bnd)
           (rename_subst_symbol s0 identity) (olifts_fo_term s3))
        (shiftb_fo_term (subst_compose_fo_term bnd s0 s3))
      }

  function nlmodel_fo_term_list (t:nl_fo_term_list 'b0 'b3)
    (fr0:'b0 -> (symbol 'c0)) (bnd0: int -> (symbol 'c0))
    (fr3:'b3 -> (fo_term 'c0 'c3)) (bnd3: int -> (fo_term 'c0 'c3)) :
    fo_term_list 'c0 'c3 =
    match t with | NL_FONil -> FONil
      | NL_FOCons v0 v1 ->
        FOCons
          (nlmodel_fo_term v0 ((rename_subst_symbol fr0 identity))
            ((rename_subst_symbol bnd0 identity))
            ((rename_subst_fo_term fr3 identity identity))
            ((rename_subst_fo_term bnd3 identity identity)))
          (nlmodel_fo_term_list v1 ((rename_subst_symbol fr0 identity))
            ((rename_subst_symbol bnd0 identity))
            ((rename_subst_fo_term fr3 identity identity))
            ((rename_subst_fo_term bnd3 identity identity)))
    end

  with nlmodel_fo_term (t:nl_fo_term 'b0 'b3) (fr0:'b0 -> (symbol 'c0))
    (bnd0: int -> (symbol 'c0)) (fr3:'b3 -> (fo_term 'c0 'c3))
    (bnd3: int -> (fo_term 'c0 'c3)) : fo_term 'c0 'c3 =
    match t with | NLFVar_fo_term v0 -> fr3 v0
      | NLBruijn_fo_term v0 -> bnd3 v0
      | NL_App v0 v1 ->
        App
          (nlmodel_symbol v0 ((rename_subst_symbol fr0 identity))
            ((rename_subst_symbol bnd0 identity)))
          (nlmodel_fo_term_list v1 ((rename_subst_symbol fr0 identity))
            ((rename_subst_symbol bnd0 identity))
            ((rename_subst_fo_term fr3 identity identity))
            ((rename_subst_fo_term bnd3 identity identity)))
    end

  let rec lemma nlmodel_subst_commutation_lemma_fo_term_list
    (t:nl_fo_term_list 'b0 'b3) (fr0:'b0 -> (symbol 'c0))
    (bnd0: int -> (symbol 'c0)) (s0:'c0 -> (symbol 'd0))
    (fr3:'b3 -> (fo_term 'c0 'c3)) (bnd3: int -> (fo_term 'c0 'c3))
    (s3:'c3 -> (fo_term 'd0 'd3)) : unit
    ensures {
      nlmodel_fo_term_list t (subst_compose_symbol fr0 s0)
        (subst_compose_symbol bnd0 s0) (subst_compose_fo_term fr3 s0 s3)
        (subst_compose_fo_term bnd3 s0 s3)
      = subst_fo_term_list (nlmodel_fo_term_list t fr0 bnd0 fr3 bnd3) s0 s3 }
    variant { nlsize_fo_term_list t } =
    match t with | NL_FONil -> ()
      | NL_FOCons v0 v1 ->
        nlmodel_subst_commutation_lemma_fo_term v0
          ((rename_subst_symbol fr0 identity))
          ((rename_subst_symbol bnd0 identity))
          ((rename_subst_symbol s0 identity))
          ((rename_subst_fo_term fr3 identity identity))
          ((rename_subst_fo_term bnd3 identity identity))
          ((rename_subst_fo_term s3 identity identity)) ;
          assert {
            subst_compose_symbol (rename_subst_symbol fr0 identity)
              ((rename_subst_symbol s0 identity))
            = (rename_subst_symbol (subst_compose_symbol fr0 s0) identity) } ;
          assert {
            subst_compose_symbol (rename_subst_symbol bnd0 identity)
              ((rename_subst_symbol s0 identity))
            = (rename_subst_symbol (subst_compose_symbol bnd0  s0) identity)
            } ;
          assert {
            subst_compose_fo_term
              (rename_subst_fo_term fr3 identity identity)
              ((rename_subst_symbol s0 identity))
              ((rename_subst_fo_term s3 identity identity))
            =
            (rename_subst_fo_term (subst_compose_fo_term fr3 s0 s3) identity
              identity)
            } ;
          assert {
            subst_compose_fo_term
              (rename_subst_fo_term bnd3 identity identity)
              ((rename_subst_symbol s0 identity))
              ((rename_subst_fo_term s3 identity identity))
            =
            (rename_subst_fo_term (subst_compose_fo_term bnd3  s0 s3)
              identity identity)
            } ;
          nlmodel_subst_commutation_lemma_fo_term_list v1
          ((rename_subst_symbol fr0 identity))
          ((rename_subst_symbol bnd0 identity))
          ((rename_subst_symbol s0 identity))
          ((rename_subst_fo_term fr3 identity identity))
          ((rename_subst_fo_term bnd3 identity identity))
          ((rename_subst_fo_term s3 identity identity)) ;
          assert {
            subst_compose_symbol (rename_subst_symbol fr0 identity)
              ((rename_subst_symbol s0 identity))
            = (rename_subst_symbol (subst_compose_symbol fr0 s0) identity) } ;
          assert {
            subst_compose_symbol (rename_subst_symbol bnd0 identity)
              ((rename_subst_symbol s0 identity))
            = (rename_subst_symbol (subst_compose_symbol bnd0  s0) identity)
            } ;
          assert {
            subst_compose_fo_term
              (rename_subst_fo_term fr3 identity identity)
              ((rename_subst_symbol s0 identity))
              ((rename_subst_fo_term s3 identity identity))
            =
            (rename_subst_fo_term (subst_compose_fo_term fr3 s0 s3) identity
              identity)
            } ;
          assert {
            subst_compose_fo_term
              (rename_subst_fo_term bnd3 identity identity)
              ((rename_subst_symbol s0 identity))
              ((rename_subst_fo_term s3 identity identity))
            =
            (rename_subst_fo_term (subst_compose_fo_term bnd3  s0 s3)
              identity identity)
            } ;
          ()
    end

  with lemma nlmodel_subst_commutation_lemma_fo_term (t:nl_fo_term 'b0 'b3)
    (fr0:'b0 -> (symbol 'c0)) (bnd0: int -> (symbol 'c0))
    (s0:'c0 -> (symbol 'd0)) (fr3:'b3 -> (fo_term 'c0 'c3))
    (bnd3: int -> (fo_term 'c0 'c3)) (s3:'c3 -> (fo_term 'd0 'd3)) : unit
    ensures {
      nlmodel_fo_term t (subst_compose_symbol fr0 s0)
        (subst_compose_symbol bnd0 s0) (subst_compose_fo_term fr3 s0 s3)
        (subst_compose_fo_term bnd3 s0 s3)
      = subst_fo_term (nlmodel_fo_term t fr0 bnd0 fr3 bnd3) s0 s3 }
    variant { nlsize_fo_term t } =
    match t with | NLFVar_fo_term v0 -> () | NLBruijn_fo_term v0 -> ()
      | NL_App v0 v1 ->
        nlmodel_subst_commutation_lemma_symbol v0
          ((rename_subst_symbol fr0 identity))
          ((rename_subst_symbol bnd0 identity))
          ((rename_subst_symbol s0 identity)) ;
          assert {
            subst_compose_symbol (rename_subst_symbol fr0 identity)
              ((rename_subst_symbol s0 identity))
            = (rename_subst_symbol (subst_compose_symbol fr0 s0) identity) } ;
          assert {
            subst_compose_symbol (rename_subst_symbol bnd0 identity)
              ((rename_subst_symbol s0 identity))
            = (rename_subst_symbol (subst_compose_symbol bnd0  s0) identity)
            } ;
          nlmodel_subst_commutation_lemma_fo_term_list v1
          ((rename_subst_symbol fr0 identity))
          ((rename_subst_symbol bnd0 identity))
          ((rename_subst_symbol s0 identity))
          ((rename_subst_fo_term fr3 identity identity))
          ((rename_subst_fo_term bnd3 identity identity))
          ((rename_subst_fo_term s3 identity identity)) ;
          assert {
            subst_compose_symbol (rename_subst_symbol fr0 identity)
              ((rename_subst_symbol s0 identity))
            = (rename_subst_symbol (subst_compose_symbol fr0 s0) identity) } ;
          assert {
            subst_compose_symbol (rename_subst_symbol bnd0 identity)
              ((rename_subst_symbol s0 identity))
            = (rename_subst_symbol (subst_compose_symbol bnd0  s0) identity)
            } ;
          assert {
            subst_compose_fo_term
              (rename_subst_fo_term fr3 identity identity)
              ((rename_subst_symbol s0 identity))
              ((rename_subst_fo_term s3 identity identity))
            =
            (rename_subst_fo_term (subst_compose_fo_term fr3 s0 s3) identity
              identity)
            } ;
          assert {
            subst_compose_fo_term
              (rename_subst_fo_term bnd3 identity identity)
              ((rename_subst_symbol s0 identity))
              ((rename_subst_fo_term s3 identity identity))
            =
            (rename_subst_fo_term (subst_compose_fo_term bnd3  s0 s3)
              identity identity)
            } ;
          ()
    end

  let lemma nlmodel_rename_commutation_lemma_fo_term_list
    (t:nl_fo_term_list 'b0 'b3) (fr0:'b0 -> (symbol 'c0))
    (bnd0: int -> (symbol 'c0)) (s0:'c0 -> 'd0)
    (fr3:'b3 -> (fo_term 'c0 'c3)) (bnd3: int -> (fo_term 'c0 'c3))
    (s3:'c3 -> 'd3) : unit
    ensures {
      nlmodel_fo_term_list t (rename_subst_symbol fr0 s0)
        (rename_subst_symbol bnd0 s0) (rename_subst_fo_term fr3 s0 s3)
        (rename_subst_fo_term bnd3 s0 s3)
      = rename_fo_term_list (nlmodel_fo_term_list t fr0 bnd0 fr3 bnd3) s0 s3
      }
    =
    nlmodel_subst_commutation_lemma_fo_term_list t fr0 bnd0
      (subst_of_rename_symbol s0) fr3 bnd3 (subst_of_rename_fo_term s3)

  let lemma nlmodel_rename_commutation_lemma_fo_term (t:nl_fo_term 'b0 'b3)
    (fr0:'b0 -> (symbol 'c0)) (bnd0: int -> (symbol 'c0)) (s0:'c0 -> 'd0)
    (fr3:'b3 -> (fo_term 'c0 'c3)) (bnd3: int -> (fo_term 'c0 'c3))
    (s3:'c3 -> 'd3) : unit
    ensures {
      nlmodel_fo_term t (rename_subst_symbol fr0 s0)
        (rename_subst_symbol bnd0 s0) (rename_subst_fo_term fr3 s0 s3)
        (rename_subst_fo_term bnd3 s0 s3)
      = rename_fo_term (nlmodel_fo_term t fr0 bnd0 fr3 bnd3) s0 s3 }
    =
    nlmodel_subst_commutation_lemma_fo_term t fr0 bnd0
      (subst_of_rename_symbol s0) fr3 bnd3 (subst_of_rename_fo_term s3)

  predicate correct_indexes_fo_term_list (t:nl_fo_term_list 'b0 'b3) =
    match t with | NL_FONil -> true
      | NL_FOCons v0 v1 ->
        correct_indexes_fo_term v0 /\ correct_indexes_fo_term_list v1
    end

  with correct_indexes_fo_term (t:nl_fo_term 'b0 'b3) =
    match t with | NLFVar_fo_term v0 -> true | NLBruijn_fo_term v0 -> v0 >= 0
      | NL_App v0 v1 ->
        correct_indexes_symbol v0 /\ correct_indexes_fo_term_list v1
    end

  function bound_depth_of_symbol_in_fo_term_list
    (t:nl_fo_term_list 'b0 'b3) : int =
    match t with | NL_FONil -> 0
      | NL_FOCons v0 v1 ->
        let b = bound_depth_of_symbol_in_fo_term v0 in let a = b in
          let b = bound_depth_of_symbol_in_fo_term_list v1 in
          let a = if a > b then a else b in a
    end

  with bound_depth_of_fo_term_in_fo_term_list (t:nl_fo_term_list 'b0 'b3) :
    int =
    match t with | NL_FONil -> 0
      | NL_FOCons v0 v1 ->
        let b = bound_depth_of_fo_term_in_fo_term v0 in let a = b in
          let b = bound_depth_of_fo_term_in_fo_term_list v1 in
          let a = if a > b then a else b in a
    end

  with bound_depth_of_symbol_in_fo_term (t:nl_fo_term 'b0 'b3) : int =
    match t with | NLFVar_fo_term v0 -> 0 | NLBruijn_fo_term v0 -> 0
      | NL_App v0 v1 ->
        let b = bound_depth_of_symbol_in_symbol v0 in let a = b in
          let b = bound_depth_of_symbol_in_fo_term_list v1 in
          let a = if a > b then a else b in a
    end

  with bound_depth_of_fo_term_in_fo_term (t:nl_fo_term 'b0 'b3) : int =
    match t with | NLFVar_fo_term v0 -> 0 | NLBruijn_fo_term v0 -> 1 + v0
      | NL_App v0 v1 ->
        let b = bound_depth_of_fo_term_in_fo_term_list v1 in let a = b in a
    end

  let rec lemma bound_depth_of_symbol_in_fo_term_list_nonnegative
    (t:nl_fo_term_list 'b0 'b3) : unit
    requires { correct_indexes_fo_term_list t }
    ensures { bound_depth_of_symbol_in_fo_term_list t >= 0 }
    variant { nlsize_fo_term_list t } =
    match t with | NL_FONil -> ()
      | NL_FOCons v0 v1 ->
        bound_depth_of_symbol_in_fo_term_nonnegative v0 ;
          bound_depth_of_symbol_in_fo_term_list_nonnegative v1 ; ()
    end

  with lemma bound_depth_of_fo_term_in_fo_term_list_nonnegative
    (t:nl_fo_term_list 'b0 'b3) : unit
    requires { correct_indexes_fo_term_list t }
    ensures { bound_depth_of_fo_term_in_fo_term_list t >= 0 }
    variant { nlsize_fo_term_list t } =
    match t with | NL_FONil -> ()
      | NL_FOCons v0 v1 ->
        bound_depth_of_fo_term_in_fo_term_nonnegative v0 ;
          bound_depth_of_fo_term_in_fo_term_list_nonnegative v1 ; ()
    end

  with lemma bound_depth_of_symbol_in_fo_term_nonnegative
    (t:nl_fo_term 'b0 'b3) : unit requires { correct_indexes_fo_term t }
    ensures { bound_depth_of_symbol_in_fo_term t >= 0 }
    variant { nlsize_fo_term t } =
    match t with | NLFVar_fo_term v0 -> () | NLBruijn_fo_term v0 -> ()
      | NL_App v0 v1 ->
        bound_depth_of_symbol_in_symbol_nonnegative v0 ;
          bound_depth_of_symbol_in_fo_term_list_nonnegative v1 ; ()
    end

  with lemma bound_depth_of_fo_term_in_fo_term_nonnegative
    (t:nl_fo_term 'b0 'b3) : unit requires { correct_indexes_fo_term t }
    ensures { bound_depth_of_fo_term_in_fo_term t >= 0 }
    variant { nlsize_fo_term t } =
    match t with | NLFVar_fo_term v0 -> () | NLBruijn_fo_term v0 -> ()
      | NL_App v0 v1 ->
        () ; bound_depth_of_fo_term_in_fo_term_list_nonnegative v1 ; ()
    end

  let rec lemma model_equal_fo_term_list (t:nl_fo_term_list 'b0 'b3)
    (fr10: 'b0 -> (symbol 'c0)) (fr20: 'b0 -> (symbol 'c0))
    (bnd10: int -> (symbol 'c0)) (bnd20: int -> (symbol 'c0))
    (fr13: 'b3 -> (fo_term 'c0 'c3)) (fr23: 'b3 -> (fo_term 'c0 'c3))
    (bnd13: int -> (fo_term 'c0 'c3)) (bnd23: int -> (fo_term 'c0 'c3)) :
    unit
    requires {
      forall i:int. 0 <= i < bound_depth_of_symbol_in_fo_term_list t ->
        bnd10 i = bnd20 i
      }
    requires { fr10 = fr20 }
    requires {
      forall i:int. 0 <= i < bound_depth_of_fo_term_in_fo_term_list t ->
        bnd13 i = bnd23 i
      }
    requires { fr13 = fr23 } requires { correct_indexes_fo_term_list t }
    ensures { nlmodel_fo_term_list t fr10 bnd10 fr13 bnd13 =
      nlmodel_fo_term_list t fr20 bnd20 fr23 bnd23 }
    variant { nlsize_fo_term_list t } =
    match t with | NL_FONil -> ()
      | NL_FOCons v0 v1 ->
        model_equal_fo_term v0 ((rename_subst_symbol fr10 identity))
          ((rename_subst_symbol fr20 identity))
          ((rename_subst_symbol bnd10 identity))
          ((rename_subst_symbol bnd20 identity))
          ((rename_subst_fo_term fr13 identity identity))
          ((rename_subst_fo_term fr23 identity identity))
          ((rename_subst_fo_term bnd13 identity identity))
          ((rename_subst_fo_term bnd23 identity identity)) ;
          model_equal_fo_term_list v1 ((rename_subst_symbol fr10 identity))
            ((rename_subst_symbol fr20 identity))
            ((rename_subst_symbol bnd10 identity))
            ((rename_subst_symbol bnd20 identity))
            ((rename_subst_fo_term fr13 identity identity))
            ((rename_subst_fo_term fr23 identity identity))
            ((rename_subst_fo_term bnd13 identity identity))
            ((rename_subst_fo_term bnd23 identity identity)) ;
          ()
    end

  with lemma model_equal_fo_term (t:nl_fo_term 'b0 'b3)
    (fr10: 'b0 -> (symbol 'c0)) (fr20: 'b0 -> (symbol 'c0))
    (bnd10: int -> (symbol 'c0)) (bnd20: int -> (symbol 'c0))
    (fr13: 'b3 -> (fo_term 'c0 'c3)) (fr23: 'b3 -> (fo_term 'c0 'c3))
    (bnd13: int -> (fo_term 'c0 'c3)) (bnd23: int -> (fo_term 'c0 'c3)) :
    unit
    requires {
      forall i:int. 0 <= i < bound_depth_of_symbol_in_fo_term t ->  bnd10 i =
        bnd20 i
      }
    requires { fr10 = fr20 }
    requires {
      forall i:int. 0 <= i < bound_depth_of_fo_term_in_fo_term t ->  bnd13 i
        = bnd23 i
      }
    requires { fr13 = fr23 } requires { correct_indexes_fo_term t }
    ensures { nlmodel_fo_term t fr10 bnd10 fr13 bnd13 =
      nlmodel_fo_term t fr20 bnd20 fr23 bnd23 }
    variant { nlsize_fo_term t } =
    match t with | NLFVar_fo_term v0 -> () | NLBruijn_fo_term v0 -> ()
      | NL_App v0 v1 ->
        model_equal_symbol v0 ((rename_subst_symbol fr10 identity))
          ((rename_subst_symbol fr20 identity))
          ((rename_subst_symbol bnd10 identity))
          ((rename_subst_symbol bnd20 identity)) ;
          model_equal_fo_term_list v1 ((rename_subst_symbol fr10 identity))
            ((rename_subst_symbol fr20 identity))
            ((rename_subst_symbol bnd10 identity))
            ((rename_subst_symbol bnd20 identity))
            ((rename_subst_fo_term fr13 identity identity))
            ((rename_subst_fo_term fr23 identity identity))
            ((rename_subst_fo_term bnd13 identity identity))
            ((rename_subst_fo_term bnd23 identity identity)) ;
          ()
    end

  predicate nlimpl_fo_term_list_ok (t:nlimpl_fo_term_list) =
    nlmodel_fo_term_list t.nlrepr_fo_term_list_field subst_id_symbol
      (const (Var_symbol ((-1)))) subst_id_fo_term
      (const (Var_fo_term ((-1)))) = t.model_fo_term_list_field
    /\ correct_indexes_fo_term_list t.nlrepr_fo_term_list_field /\
    bound_depth_of_symbol_in_fo_term_list t.nlrepr_fo_term_list_field = 0 /\
    bound_depth_of_fo_term_in_fo_term_list t.nlrepr_fo_term_list_field = 0 /\
    (forall x:int.
       is_symbol_free_var_in_fo_term_list x t.model_fo_term_list_field -> (x)
       < (t.nlfree_var_symbol_set_abstraction_fo_term_list_field))
    /\
    (forall x:int.
       is_fo_term_free_var_in_fo_term_list x t.model_fo_term_list_field ->
       (x) < (t.nlfree_var_fo_term_set_abstraction_fo_term_list_field))

  predicate nlimpl_fo_term_ok (t:nlimpl_fo_term) =
    nlmodel_fo_term t.nlrepr_fo_term_field subst_id_symbol
      (const (Var_symbol ((-1)))) subst_id_fo_term
      (const (Var_fo_term ((-1)))) = t.model_fo_term_field
    /\ correct_indexes_fo_term t.nlrepr_fo_term_field /\
    bound_depth_of_symbol_in_fo_term t.nlrepr_fo_term_field = 0 /\
    bound_depth_of_fo_term_in_fo_term t.nlrepr_fo_term_field = 0 /\
    (forall x:int. is_symbol_free_var_in_fo_term x t.model_fo_term_field ->
       (x) < (t.nlfree_var_symbol_set_abstraction_fo_term_field))
    /\
    (forall x:int. is_fo_term_free_var_in_fo_term x t.model_fo_term_field ->
       (x) < (t.nlfree_var_fo_term_set_abstraction_fo_term_field))

  predicate cons_ok_fo_term_list (c:cons_fo_term_list) =
    match c with | NLC_FONil -> true
      | NLC_FOCons v0 v1 -> nlimpl_fo_term_ok v0 /\ nlimpl_fo_term_list_ok v1
    end

  predicate cons_ok_fo_term (c:cons_fo_term) =
    match c with | NLCVar_fo_term v0 -> true
      | NLC_App v0 v1 -> nlimpl_symbol_ok v0 /\ nlimpl_fo_term_list_ok v1
    end

  predicate cons_rel_fo_term_list (c:cons_fo_term_list)
    (t:nlimpl_fo_term_list) =
    match c with | NLC_FONil -> t.model_fo_term_list_field = FONil
      | NLC_FOCons v0 v1 -> t.model_fo_term_list_field =
        FOCons (rename_fo_term v0.model_fo_term_field identity identity)
          (rename_fo_term_list v1.model_fo_term_list_field identity identity)
    end

  predicate cons_rel_fo_term (c:cons_fo_term) (t:nlimpl_fo_term) =
    match c with
      | NLCVar_fo_term v0 -> t.model_fo_term_field = Var_fo_term v0
      | NLC_App v0 v1 -> t.model_fo_term_field =
        App (rename_symbol v0.model_symbol_field identity)
          (rename_fo_term_list v1.model_fo_term_list_field identity identity)
    end

  predicate cons_open_rel_fo_term_list (c:cons_fo_term_list)
    (t:nlimpl_fo_term_list) =
    match c with
      | NLC_FONil ->
        match t.model_fo_term_list_field with | FONil -> true
          | FOCons w0 w1 -> false
        end
      | NLC_FOCons v0 v1 ->
        match t.model_fo_term_list_field with | FONil -> false
          | FOCons w0 w1 ->
            v0.model_fo_term_field = (rename_fo_term w0 identity identity) /\
              v1.model_fo_term_list_field =
                (rename_fo_term_list w1 identity identity)
        end
    end

  predicate cons_open_rel_fo_term (c:cons_fo_term) (t:nlimpl_fo_term) =
    match c with
      | NLCVar_fo_term v0 -> t.model_fo_term_field = Var_fo_term v0
      | NLC_App v0 v1 ->
        match t.model_fo_term_field with | Var_fo_term w0 -> false
          | App w0 w1 ->
            v0.model_symbol_field = (rename_symbol w0 identity) /\
              v1.model_fo_term_list_field =
                (rename_fo_term_list w1 identity identity)
        end
    end


end

module Impl
  use option.Option
  use int.Int
  use Nat.Nat
  use Functions.Func
  use OptionFuncs.Funcs
  use Sum.Sum
  use Firstorder_symbol_spec.Spec
  use Firstorder_symbol_impl.Types
  use Firstorder_symbol_impl.Logic
  use Firstorder_symbol_impl.Impl
  use Firstorder_term_spec.Spec
  use Types
  use Logic
  let rec bind_var_symbol_in_fo_term_list (t:nl_fo_term_list int int) (x:int)
    (i:int) (ghost fr0: int -> (symbol 'b0))
    (ghost bnd0: int -> (symbol 'b0)) (ghost fr3: int -> (fo_term 'b0 'b3))
    (ghost bnd3: int -> (fo_term 'b0 'b3)) : nl_fo_term_list int int
    requires { correct_indexes_fo_term_list t }
    requires { bound_depth_of_symbol_in_fo_term_list t <= i }
    variant { nlsize_fo_term_list t }
    ensures { bound_depth_of_symbol_in_fo_term_list result <= i + 1 }
    ensures { correct_indexes_fo_term_list result }
    ensures { bound_depth_of_fo_term_in_fo_term_list t =
      bound_depth_of_fo_term_in_fo_term_list result }
    ensures { nlmodel_fo_term_list result fr0 bnd0 fr3 bnd3 =
      nlmodel_fo_term_list t (update fr0 x (bnd0 i)) bnd0 fr3 bnd3 }
    =
    match t with | NL_FONil -> NL_FONil
      | NL_FOCons v0 v1 ->
        assert { (rename_symbol (bnd0 i) identity) =
          (eval ((rename_subst_symbol bnd0 identity)) (i+0)) };
          assert {
            extensionalEqual
              ((rename_subst_symbol (update fr0 x (bnd0 i)) identity))
              ((update ((rename_subst_symbol fr0 identity)) x
                  (rename_symbol (bnd0 i) identity)))
            };
          assert { (rename_subst_symbol (update fr0 x (bnd0 i)) identity) =
            (update ((rename_subst_symbol fr0 identity)) x
               (eval ((rename_subst_symbol bnd0 identity)) (i+0)))
            };
          assert { (rename_symbol (bnd0 i) identity) =
            (eval ((rename_subst_symbol bnd0 identity)) (i+0)) };
          assert {
            extensionalEqual
              ((rename_subst_symbol (update fr0 x (bnd0 i)) identity))
              ((update ((rename_subst_symbol fr0 identity)) x
                  (rename_symbol (bnd0 i) identity)))
            };
          assert { (rename_subst_symbol (update fr0 x (bnd0 i)) identity) =
            (update ((rename_subst_symbol fr0 identity)) x
               (eval ((rename_subst_symbol bnd0 identity)) (i+0)))
            };
          NL_FOCons
            (bind_var_symbol_in_fo_term v0 x (i+0)
               ((rename_subst_symbol fr0 identity))
               ((rename_subst_symbol bnd0 identity))
               ((rename_subst_fo_term fr3 identity identity))
               ((rename_subst_fo_term bnd3 identity identity)))
            (bind_var_symbol_in_fo_term_list v1 x (i+0)
               ((rename_subst_symbol fr0 identity))
               ((rename_subst_symbol bnd0 identity))
               ((rename_subst_fo_term fr3 identity identity))
               ((rename_subst_fo_term bnd3 identity identity)))
    end

  with bind_var_fo_term_in_fo_term_list (t:nl_fo_term_list int int) (x:int)
    (i:int) (ghost fr0: int -> (symbol 'b0))
    (ghost bnd0: int -> (symbol 'b0)) (ghost fr3: int -> (fo_term 'b0 'b3))
    (ghost bnd3: int -> (fo_term 'b0 'b3)) : nl_fo_term_list int int
    requires { correct_indexes_fo_term_list t }
    requires { bound_depth_of_fo_term_in_fo_term_list t <= i }
    variant { nlsize_fo_term_list t }
    ensures { bound_depth_of_fo_term_in_fo_term_list result <= i + 1 }
    ensures { correct_indexes_fo_term_list result }
    ensures { bound_depth_of_symbol_in_fo_term_list t =
      bound_depth_of_symbol_in_fo_term_list result }
    ensures { nlmodel_fo_term_list result fr0 bnd0 fr3 bnd3 =
      nlmodel_fo_term_list t fr0 bnd0 (update fr3 x (bnd3 i)) bnd3 }
    =
    match t with | NL_FONil -> NL_FONil
      | NL_FOCons v0 v1 ->
        assert { (rename_fo_term (bnd3 i) identity identity) =
          (eval ((rename_subst_fo_term bnd3 identity identity)) (i+0)) };
          assert {
            extensionalEqual
              ((rename_subst_fo_term (update fr3 x (bnd3 i)) identity
                 identity))
              ((update ((rename_subst_fo_term fr3 identity identity)) x
                  (rename_fo_term (bnd3 i) identity identity)))
            };
          assert {
            (rename_subst_fo_term (update fr3 x (bnd3 i)) identity identity)
            =
            (update ((rename_subst_fo_term fr3 identity identity)) x
               (eval ((rename_subst_fo_term bnd3 identity identity)) (i+0)))
            };
          assert { (rename_fo_term (bnd3 i) identity identity) =
            (eval ((rename_subst_fo_term bnd3 identity identity)) (i+0)) };
          assert {
            extensionalEqual
              ((rename_subst_fo_term (update fr3 x (bnd3 i)) identity
                 identity))
              ((update ((rename_subst_fo_term fr3 identity identity)) x
                  (rename_fo_term (bnd3 i) identity identity)))
            };
          assert {
            (rename_subst_fo_term (update fr3 x (bnd3 i)) identity identity)
            =
            (update ((rename_subst_fo_term fr3 identity identity)) x
               (eval ((rename_subst_fo_term bnd3 identity identity)) (i+0)))
            };
          NL_FOCons
            (bind_var_fo_term_in_fo_term v0 x (i+0)
               ((rename_subst_symbol fr0 identity))
               ((rename_subst_symbol bnd0 identity))
               ((rename_subst_fo_term fr3 identity identity))
               ((rename_subst_fo_term bnd3 identity identity)))
            (bind_var_fo_term_in_fo_term_list v1 x (i+0)
               ((rename_subst_symbol fr0 identity))
               ((rename_subst_symbol bnd0 identity))
               ((rename_subst_fo_term fr3 identity identity))
               ((rename_subst_fo_term bnd3 identity identity)))
    end

  with bind_var_symbol_in_fo_term (t:nl_fo_term int int) (x:int) (i:int)
    (ghost fr0: int -> (symbol 'b0)) (ghost bnd0: int -> (symbol 'b0))
    (ghost fr3: int -> (fo_term 'b0 'b3))
    (ghost bnd3: int -> (fo_term 'b0 'b3)) : nl_fo_term int int
    requires { correct_indexes_fo_term t }
    requires { bound_depth_of_symbol_in_fo_term t <= i }
    variant { nlsize_fo_term t }
    ensures { bound_depth_of_symbol_in_fo_term result <= i + 1 }
    ensures { correct_indexes_fo_term result }
    ensures { bound_depth_of_fo_term_in_fo_term t =
      bound_depth_of_fo_term_in_fo_term result }
    ensures { nlmodel_fo_term result fr0 bnd0 fr3 bnd3 =
      nlmodel_fo_term t (update fr0 x (bnd0 i)) bnd0 fr3 bnd3 }
    =
    match t with | NLFVar_fo_term v0 -> NLFVar_fo_term v0
      | NLBruijn_fo_term v0 -> NLBruijn_fo_term v0
      | NL_App v0 v1 ->
        assert { (rename_symbol (bnd0 i) identity) =
          (eval ((rename_subst_symbol bnd0 identity)) (i+0)) };
          assert {
            extensionalEqual
              ((rename_subst_symbol (update fr0 x (bnd0 i)) identity))
              ((update ((rename_subst_symbol fr0 identity)) x
                  (rename_symbol (bnd0 i) identity)))
            };
          assert { (rename_subst_symbol (update fr0 x (bnd0 i)) identity) =
            (update ((rename_subst_symbol fr0 identity)) x
               (eval ((rename_subst_symbol bnd0 identity)) (i+0)))
            };
          assert { (rename_symbol (bnd0 i) identity) =
            (eval ((rename_subst_symbol bnd0 identity)) (i+0)) };
          assert {
            extensionalEqual
              ((rename_subst_symbol (update fr0 x (bnd0 i)) identity))
              ((update ((rename_subst_symbol fr0 identity)) x
                  (rename_symbol (bnd0 i) identity)))
            };
          assert { (rename_subst_symbol (update fr0 x (bnd0 i)) identity) =
            (update ((rename_subst_symbol fr0 identity)) x
               (eval ((rename_subst_symbol bnd0 identity)) (i+0)))
            };
          NL_App
            (bind_var_symbol_in_symbol v0 x (i+0)
               ((rename_subst_symbol fr0 identity))
               ((rename_subst_symbol bnd0 identity)))
            (bind_var_symbol_in_fo_term_list v1 x (i+0)
               ((rename_subst_symbol fr0 identity))
               ((rename_subst_symbol bnd0 identity))
               ((rename_subst_fo_term fr3 identity identity))
               ((rename_subst_fo_term bnd3 identity identity)))
    end

  with bind_var_fo_term_in_fo_term (t:nl_fo_term int int) (x:int) (i:int)
    (ghost fr0: int -> (symbol 'b0)) (ghost bnd0: int -> (symbol 'b0))
    (ghost fr3: int -> (fo_term 'b0 'b3))
    (ghost bnd3: int -> (fo_term 'b0 'b3)) : nl_fo_term int int
    requires { correct_indexes_fo_term t }
    requires { bound_depth_of_fo_term_in_fo_term t <= i }
    variant { nlsize_fo_term t }
    ensures { bound_depth_of_fo_term_in_fo_term result <= i + 1 }
    ensures { correct_indexes_fo_term result }
    ensures { bound_depth_of_symbol_in_fo_term t =
      bound_depth_of_symbol_in_fo_term result }
    ensures { nlmodel_fo_term result fr0 bnd0 fr3 bnd3 =
      nlmodel_fo_term t fr0 bnd0 (update fr3 x (bnd3 i)) bnd3 }
    =
    match t with
      | NLFVar_fo_term v0 ->
        if v0 = x then NLBruijn_fo_term i else NLFVar_fo_term v0
      | NLBruijn_fo_term v0 -> NLBruijn_fo_term v0
      | NL_App v0 v1 ->
        assert { (rename_fo_term (bnd3 i) identity identity) =
          (eval ((rename_subst_fo_term bnd3 identity identity)) (i+0)) };
          assert {
            extensionalEqual
              ((rename_subst_fo_term (update fr3 x (bnd3 i)) identity
                 identity))
              ((update ((rename_subst_fo_term fr3 identity identity)) x
                  (rename_fo_term (bnd3 i) identity identity)))
            };
          assert {
            (rename_subst_fo_term (update fr3 x (bnd3 i)) identity identity)
            =
            (update ((rename_subst_fo_term fr3 identity identity)) x
               (eval ((rename_subst_fo_term bnd3 identity identity)) (i+0)))
            };
          NL_App (v0)
            (bind_var_fo_term_in_fo_term_list v1 x (i+0)
               ((rename_subst_symbol fr0 identity))
               ((rename_subst_symbol bnd0 identity))
               ((rename_subst_fo_term fr3 identity identity))
               ((rename_subst_fo_term bnd3 identity identity)))
    end

  let rec unbind_var_symbol_in_fo_term_list (t:nl_fo_term_list int int)
    (i:int) (x:nl_symbol int) (ghost fr0: int -> (symbol 'b0))
    (ghost bnd10: int -> (symbol 'b0)) (ghost fr3: int -> (fo_term 'b0 'b3))
    (ghost bnd13: int -> (fo_term 'b0 'b3))
    (ghost bnd20: int -> (symbol 'b0)) : nl_fo_term_list int int
    requires { i >= 0 } requires { correct_indexes_fo_term_list t }
    requires { bound_depth_of_symbol_in_fo_term_list t <= i + 1 }
    requires { correct_indexes_symbol x }
    requires { bound_depth_of_symbol_in_symbol x = 0 }
    variant { nlsize_fo_term_list t }
    ensures { correct_indexes_fo_term_list result }
    ensures { bound_depth_of_symbol_in_fo_term_list result <= i }
    ensures { bound_depth_of_fo_term_in_fo_term_list result =
      bound_depth_of_fo_term_in_fo_term_list t }
    ensures { nlmodel_fo_term_list result fr0 bnd10 fr3 bnd13 =
      nlmodel_fo_term_list t fr0
        (update bnd10 i (nlmodel_symbol x fr0 bnd20)) fr3 bnd13
      }
    =
    match t with | NL_FONil -> NL_FONil
      | NL_FOCons v0 v1 ->
        assert { rename_symbol (nlmodel_symbol x fr0 bnd20) identity =
          nlmodel_symbol x ((rename_subst_symbol fr0 identity))
            ((rename_subst_symbol bnd20 identity))
          } ;
          assert {
            extensionalEqual
              ((rename_subst_symbol
                 (update bnd10 i (nlmodel_symbol x fr0 bnd20)) identity))
              (update ((rename_subst_symbol bnd10 identity)) (i+0)
                 (rename_symbol (nlmodel_symbol x fr0 bnd20) identity))
            } ;
          assert {
            (rename_subst_symbol
              (update bnd10 i (nlmodel_symbol x fr0 bnd20)) identity)
            =
            update ((rename_subst_symbol bnd10 identity)) (i+0)
              (nlmodel_symbol x ((rename_subst_symbol fr0 identity))
                 ((rename_subst_symbol bnd20 identity)))
            } ;
          assert { rename_symbol (nlmodel_symbol x fr0 bnd20) identity =
            nlmodel_symbol x ((rename_subst_symbol fr0 identity))
              ((rename_subst_symbol bnd20 identity))
            } ;
          assert {
            extensionalEqual
              ((rename_subst_symbol
                 (update bnd10 i (nlmodel_symbol x fr0 bnd20)) identity))
              (update ((rename_subst_symbol bnd10 identity)) (i+0)
                 (rename_symbol (nlmodel_symbol x fr0 bnd20) identity))
            } ;
          assert {
            (rename_subst_symbol
              (update bnd10 i (nlmodel_symbol x fr0 bnd20)) identity)
            =
            update ((rename_subst_symbol bnd10 identity)) (i+0)
              (nlmodel_symbol x ((rename_subst_symbol fr0 identity))
                 ((rename_subst_symbol bnd20 identity)))
            } ;
          NL_FOCons
            (unbind_var_symbol_in_fo_term v0 (i+0) x
               ((rename_subst_symbol fr0 identity))
               ((rename_subst_symbol bnd10 identity))
               ((rename_subst_fo_term fr3 identity identity))
               ((rename_subst_fo_term bnd13 identity identity))
               ((rename_subst_symbol bnd20 identity)))
            (unbind_var_symbol_in_fo_term_list v1 (i+0) x
               ((rename_subst_symbol fr0 identity))
               ((rename_subst_symbol bnd10 identity))
               ((rename_subst_fo_term fr3 identity identity))
               ((rename_subst_fo_term bnd13 identity identity))
               ((rename_subst_symbol bnd20 identity)))
    end

  with unbind_var_fo_term_in_fo_term_list (t:nl_fo_term_list int int) (i:int)
    (x:nl_fo_term int int) (ghost fr0: int -> (symbol 'b0))
    (ghost bnd10: int -> (symbol 'b0)) (ghost fr3: int -> (fo_term 'b0 'b3))
    (ghost bnd13: int -> (fo_term 'b0 'b3))
    (ghost bnd20: int -> (symbol 'b0))
    (ghost bnd23: int -> (fo_term 'b0 'b3)) : nl_fo_term_list int int
    requires { i >= 0 } requires { correct_indexes_fo_term_list t }
    requires { bound_depth_of_fo_term_in_fo_term_list t <= i + 1 }
    requires { correct_indexes_fo_term x }
    requires { bound_depth_of_symbol_in_fo_term x = 0 }
    requires { bound_depth_of_fo_term_in_fo_term x = 0 }
    variant { nlsize_fo_term_list t }
    ensures { correct_indexes_fo_term_list result }
    ensures { bound_depth_of_fo_term_in_fo_term_list result <= i }
    ensures { bound_depth_of_symbol_in_fo_term_list result =
      bound_depth_of_symbol_in_fo_term_list t }
    ensures { nlmodel_fo_term_list result fr0 bnd10 fr3 bnd13 =
      nlmodel_fo_term_list t fr0 bnd10 fr3
        (update bnd13 i (nlmodel_fo_term x fr0 bnd20 fr3 bnd23))
      }
    =
    match t with | NL_FONil -> NL_FONil
      | NL_FOCons v0 v1 ->
        assert {
          rename_fo_term (nlmodel_fo_term x fr0 bnd20 fr3 bnd23) identity
            identity
          =
          nlmodel_fo_term x ((rename_subst_symbol fr0 identity))
            ((rename_subst_symbol bnd20 identity))
            ((rename_subst_fo_term fr3 identity identity))
            ((rename_subst_fo_term bnd23 identity identity))
          } ;
          assert {
            extensionalEqual
              ((rename_subst_fo_term
                 (update bnd13 i (nlmodel_fo_term x fr0 bnd20 fr3 bnd23))
                 identity identity))
              (update ((rename_subst_fo_term bnd13 identity identity)) (i+0)
                 (rename_fo_term (nlmodel_fo_term x fr0 bnd20 fr3 bnd23)
                    identity identity))
            } ;
          assert {
            (rename_subst_fo_term
              (update bnd13 i (nlmodel_fo_term x fr0 bnd20 fr3 bnd23))
              identity identity)
            =
            update ((rename_subst_fo_term bnd13 identity identity)) (i+0)
              (nlmodel_fo_term x ((rename_subst_symbol fr0 identity))
                 ((rename_subst_symbol bnd20 identity))
                 ((rename_subst_fo_term fr3 identity identity))
                 ((rename_subst_fo_term bnd23 identity identity)))
            } ;
          assert {
            rename_fo_term (nlmodel_fo_term x fr0 bnd20 fr3 bnd23) identity
              identity
            =
            nlmodel_fo_term x ((rename_subst_symbol fr0 identity))
              ((rename_subst_symbol bnd20 identity))
              ((rename_subst_fo_term fr3 identity identity))
              ((rename_subst_fo_term bnd23 identity identity))
            } ;
          assert {
            extensionalEqual
              ((rename_subst_fo_term
                 (update bnd13 i (nlmodel_fo_term x fr0 bnd20 fr3 bnd23))
                 identity identity))
              (update ((rename_subst_fo_term bnd13 identity identity)) (i+0)
                 (rename_fo_term (nlmodel_fo_term x fr0 bnd20 fr3 bnd23)
                    identity identity))
            } ;
          assert {
            (rename_subst_fo_term
              (update bnd13 i (nlmodel_fo_term x fr0 bnd20 fr3 bnd23))
              identity identity)
            =
            update ((rename_subst_fo_term bnd13 identity identity)) (i+0)
              (nlmodel_fo_term x ((rename_subst_symbol fr0 identity))
                 ((rename_subst_symbol bnd20 identity))
                 ((rename_subst_fo_term fr3 identity identity))
                 ((rename_subst_fo_term bnd23 identity identity)))
            } ;
          NL_FOCons
            (unbind_var_fo_term_in_fo_term v0 (i+0) x
               ((rename_subst_symbol fr0 identity))
               ((rename_subst_symbol bnd10 identity))
               ((rename_subst_fo_term fr3 identity identity))
               ((rename_subst_fo_term bnd13 identity identity))
               ((rename_subst_symbol bnd20 identity))
               ((rename_subst_fo_term bnd23 identity identity)))
            (unbind_var_fo_term_in_fo_term_list v1 (i+0) x
               ((rename_subst_symbol fr0 identity))
               ((rename_subst_symbol bnd10 identity))
               ((rename_subst_fo_term fr3 identity identity))
               ((rename_subst_fo_term bnd13 identity identity))
               ((rename_subst_symbol bnd20 identity))
               ((rename_subst_fo_term bnd23 identity identity)))
    end

  with unbind_var_symbol_in_fo_term (t:nl_fo_term int int) (i:int)
    (x:nl_symbol int) (ghost fr0: int -> (symbol 'b0))
    (ghost bnd10: int -> (symbol 'b0)) (ghost fr3: int -> (fo_term 'b0 'b3))
    (ghost bnd13: int -> (fo_term 'b0 'b3))
    (ghost bnd20: int -> (symbol 'b0)) : nl_fo_term int int
    requires { i >= 0 } requires { correct_indexes_fo_term t }
    requires { bound_depth_of_symbol_in_fo_term t <= i + 1 }
    requires { correct_indexes_symbol x }
    requires { bound_depth_of_symbol_in_symbol x = 0 }
    variant { nlsize_fo_term t }
    ensures { correct_indexes_fo_term result }
    ensures { bound_depth_of_symbol_in_fo_term result <= i }
    ensures { bound_depth_of_fo_term_in_fo_term result =
      bound_depth_of_fo_term_in_fo_term t }
    ensures { nlmodel_fo_term result fr0 bnd10 fr3 bnd13 =
      nlmodel_fo_term t fr0 (update bnd10 i (nlmodel_symbol x fr0 bnd20)) fr3
        bnd13
      }
    =
    match t with | NLFVar_fo_term v0 -> NLFVar_fo_term v0
      | NLBruijn_fo_term v0 -> NLBruijn_fo_term v0
      | NL_App v0 v1 ->
        assert { rename_symbol (nlmodel_symbol x fr0 bnd20) identity =
          nlmodel_symbol x ((rename_subst_symbol fr0 identity))
            ((rename_subst_symbol bnd20 identity))
          } ;
          assert {
            extensionalEqual
              ((rename_subst_symbol
                 (update bnd10 i (nlmodel_symbol x fr0 bnd20)) identity))
              (update ((rename_subst_symbol bnd10 identity)) (i+0)
                 (rename_symbol (nlmodel_symbol x fr0 bnd20) identity))
            } ;
          assert {
            (rename_subst_symbol
              (update bnd10 i (nlmodel_symbol x fr0 bnd20)) identity)
            =
            update ((rename_subst_symbol bnd10 identity)) (i+0)
              (nlmodel_symbol x ((rename_subst_symbol fr0 identity))
                 ((rename_subst_symbol bnd20 identity)))
            } ;
          assert { rename_symbol (nlmodel_symbol x fr0 bnd20) identity =
            nlmodel_symbol x ((rename_subst_symbol fr0 identity))
              ((rename_subst_symbol bnd20 identity))
            } ;
          assert {
            extensionalEqual
              ((rename_subst_symbol
                 (update bnd10 i (nlmodel_symbol x fr0 bnd20)) identity))
              (update ((rename_subst_symbol bnd10 identity)) (i+0)
                 (rename_symbol (nlmodel_symbol x fr0 bnd20) identity))
            } ;
          assert {
            (rename_subst_symbol
              (update bnd10 i (nlmodel_symbol x fr0 bnd20)) identity)
            =
            update ((rename_subst_symbol bnd10 identity)) (i+0)
              (nlmodel_symbol x ((rename_subst_symbol fr0 identity))
                 ((rename_subst_symbol bnd20 identity)))
            } ;
          NL_App
            (unbind_var_symbol_in_symbol v0 (i+0) x
               ((rename_subst_symbol fr0 identity))
               ((rename_subst_symbol bnd10 identity))
               ((rename_subst_symbol bnd20 identity)))
            (unbind_var_symbol_in_fo_term_list v1 (i+0) x
               ((rename_subst_symbol fr0 identity))
               ((rename_subst_symbol bnd10 identity))
               ((rename_subst_fo_term fr3 identity identity))
               ((rename_subst_fo_term bnd13 identity identity))
               ((rename_subst_symbol bnd20 identity)))
    end

  with unbind_var_fo_term_in_fo_term (t:nl_fo_term int int) (i:int)
    (x:nl_fo_term int int) (ghost fr0: int -> (symbol 'b0))
    (ghost bnd10: int -> (symbol 'b0)) (ghost fr3: int -> (fo_term 'b0 'b3))
    (ghost bnd13: int -> (fo_term 'b0 'b3))
    (ghost bnd20: int -> (symbol 'b0))
    (ghost bnd23: int -> (fo_term 'b0 'b3)) : nl_fo_term int int
    requires { i >= 0 } requires { correct_indexes_fo_term t }
    requires { bound_depth_of_fo_term_in_fo_term t <= i + 1 }
    requires { correct_indexes_fo_term x }
    requires { bound_depth_of_symbol_in_fo_term x = 0 }
    requires { bound_depth_of_fo_term_in_fo_term x = 0 }
    variant { nlsize_fo_term t }
    ensures { correct_indexes_fo_term result }
    ensures { bound_depth_of_fo_term_in_fo_term result <= i }
    ensures { bound_depth_of_symbol_in_fo_term result =
      bound_depth_of_symbol_in_fo_term t }
    ensures { nlmodel_fo_term result fr0 bnd10 fr3 bnd13 =
      nlmodel_fo_term t fr0 bnd10 fr3
        (update bnd13 i (nlmodel_fo_term x fr0 bnd20 fr3 bnd23))
      }
    =
    match t with | NLFVar_fo_term v0 -> NLFVar_fo_term v0
      | NLBruijn_fo_term v0 ->
        if v0 = i
          then (model_equal_fo_term x fr0 fr0 bnd10 bnd20 fr3 fr3 bnd13 bnd23 ;
            x)
          else NLBruijn_fo_term v0
      | NL_App v0 v1 ->
        assert {
          rename_fo_term (nlmodel_fo_term x fr0 bnd20 fr3 bnd23) identity
            identity
          =
          nlmodel_fo_term x ((rename_subst_symbol fr0 identity))
            ((rename_subst_symbol bnd20 identity))
            ((rename_subst_fo_term fr3 identity identity))
            ((rename_subst_fo_term bnd23 identity identity))
          } ;
          assert {
            extensionalEqual
              ((rename_subst_fo_term
                 (update bnd13 i (nlmodel_fo_term x fr0 bnd20 fr3 bnd23))
                 identity identity))
              (update ((rename_subst_fo_term bnd13 identity identity)) (i+0)
                 (rename_fo_term (nlmodel_fo_term x fr0 bnd20 fr3 bnd23)
                    identity identity))
            } ;
          assert {
            (rename_subst_fo_term
              (update bnd13 i (nlmodel_fo_term x fr0 bnd20 fr3 bnd23))
              identity identity)
            =
            update ((rename_subst_fo_term bnd13 identity identity)) (i+0)
              (nlmodel_fo_term x ((rename_subst_symbol fr0 identity))
                 ((rename_subst_symbol bnd20 identity))
                 ((rename_subst_fo_term fr3 identity identity))
                 ((rename_subst_fo_term bnd23 identity identity)))
            } ;
          assert {
            rename_fo_term (nlmodel_fo_term x fr0 bnd20 fr3 bnd23) identity
              identity
            =
            nlmodel_fo_term x ((rename_subst_symbol fr0 identity))
              ((rename_subst_symbol bnd20 identity))
              ((rename_subst_fo_term fr3 identity identity))
              ((rename_subst_fo_term bnd23 identity identity))
            } ;
          assert {
            extensionalEqual
              ((rename_subst_fo_term
                 (update bnd13 i (nlmodel_fo_term x fr0 bnd20 fr3 bnd23))
                 identity identity))
              (update ((rename_subst_fo_term bnd13 identity identity)) (i+0)
                 (rename_fo_term (nlmodel_fo_term x fr0 bnd20 fr3 bnd23)
                    identity identity))
            } ;
          assert {
            (rename_subst_fo_term
              (update bnd13 i (nlmodel_fo_term x fr0 bnd20 fr3 bnd23))
              identity identity)
            =
            update ((rename_subst_fo_term bnd13 identity identity)) (i+0)
              (nlmodel_fo_term x ((rename_subst_symbol fr0 identity))
                 ((rename_subst_symbol bnd20 identity))
                 ((rename_subst_fo_term fr3 identity identity))
                 ((rename_subst_fo_term bnd23 identity identity)))
            } ;
          NL_App (v0)
            (unbind_var_fo_term_in_fo_term_list v1 (i+0) x
               ((rename_subst_symbol fr0 identity))
               ((rename_subst_symbol bnd10 identity))
               ((rename_subst_fo_term fr3 identity identity))
               ((rename_subst_fo_term bnd13 identity identity))
               ((rename_subst_symbol bnd20 identity))
               ((rename_subst_fo_term bnd23 identity identity)))
    end

  let rec subst_base_symbol_in_fo_term_list (t:nl_fo_term_list int int)
    (x:int) (u:nl_symbol int) (ghost fr0: int -> (symbol 'b0))
    (ghost bnd10: int -> (symbol 'b0)) (ghost fr3: int -> (fo_term 'b0 'b3))
    (ghost bnd13: int -> (fo_term 'b0 'b3))
    (ghost bnd20: int -> (symbol 'b0)) : nl_fo_term_list int int
    requires { correct_indexes_fo_term_list t }
    requires { correct_indexes_symbol u }
    requires { bound_depth_of_symbol_in_symbol u = 0 }
    variant { nlsize_fo_term_list t }
    ensures { correct_indexes_fo_term_list result }
     ensures { bound_depth_of_symbol_in_fo_term_list result =
       bound_depth_of_symbol_in_fo_term_list t }
    ensures { bound_depth_of_fo_term_in_fo_term_list result =
      bound_depth_of_fo_term_in_fo_term_list t }
    ensures { nlmodel_fo_term_list result fr0 bnd10 fr3 bnd13 =
      nlmodel_fo_term_list t (update fr0 x (nlmodel_symbol u fr0 bnd20))
        bnd10 fr3 bnd13
      }
    =
    match t with | NL_FONil -> NL_FONil
      | NL_FOCons v0 v1 ->
        assert { rename_symbol (nlmodel_symbol u fr0 bnd20) identity =
          nlmodel_symbol u ((rename_subst_symbol fr0 identity))
            ((rename_subst_symbol bnd20 identity))
          } ;
          assert {
            extensionalEqual
              ((rename_subst_symbol
                 (update fr0 x (nlmodel_symbol u fr0 bnd20)) identity))
              (update ((rename_subst_symbol fr0 identity)) x
                 (rename_symbol (nlmodel_symbol u fr0 bnd20) identity))
            } ;
          assert {
            (rename_subst_symbol (update fr0 x (nlmodel_symbol u fr0 bnd20))
              identity)
            =
            update ((rename_subst_symbol fr0 identity)) x
              (nlmodel_symbol u ((rename_subst_symbol fr0 identity))
                 ((rename_subst_symbol bnd20 identity)))
            } ;
          assert { rename_symbol (nlmodel_symbol u fr0 bnd20) identity =
            nlmodel_symbol u ((rename_subst_symbol fr0 identity))
              ((rename_subst_symbol bnd20 identity))
            } ;
          assert {
            extensionalEqual
              ((rename_subst_symbol
                 (update fr0 x (nlmodel_symbol u fr0 bnd20)) identity))
              (update ((rename_subst_symbol fr0 identity)) x
                 (rename_symbol (nlmodel_symbol u fr0 bnd20) identity))
            } ;
          assert {
            (rename_subst_symbol (update fr0 x (nlmodel_symbol u fr0 bnd20))
              identity)
            =
            update ((rename_subst_symbol fr0 identity)) x
              (nlmodel_symbol u ((rename_subst_symbol fr0 identity))
                 ((rename_subst_symbol bnd20 identity)))
            } ;
          NL_FOCons
            (subst_base_symbol_in_fo_term v0 x u
               ((rename_subst_symbol fr0 identity))
               ((rename_subst_symbol bnd10 identity))
               ((rename_subst_fo_term fr3 identity identity))
               ((rename_subst_fo_term bnd13 identity identity))
               ((rename_subst_symbol bnd20 identity)))
            (subst_base_symbol_in_fo_term_list v1 x u
               ((rename_subst_symbol fr0 identity))
               ((rename_subst_symbol bnd10 identity))
               ((rename_subst_fo_term fr3 identity identity))
               ((rename_subst_fo_term bnd13 identity identity))
               ((rename_subst_symbol bnd20 identity)))
    end

  with subst_base_fo_term_in_fo_term_list (t:nl_fo_term_list int int) (x:int)
    (u:nl_fo_term int int) (ghost fr0: int -> (symbol 'b0))
    (ghost bnd10: int -> (symbol 'b0)) (ghost fr3: int -> (fo_term 'b0 'b3))
    (ghost bnd13: int -> (fo_term 'b0 'b3))
    (ghost bnd20: int -> (symbol 'b0))
    (ghost bnd23: int -> (fo_term 'b0 'b3)) : nl_fo_term_list int int
    requires { correct_indexes_fo_term_list t }
    requires { correct_indexes_fo_term u }
    requires { bound_depth_of_symbol_in_fo_term u = 0 }
    requires { bound_depth_of_fo_term_in_fo_term u = 0 }
    variant { nlsize_fo_term_list t }
    ensures { correct_indexes_fo_term_list result }
     ensures { bound_depth_of_symbol_in_fo_term_list result =
       bound_depth_of_symbol_in_fo_term_list t }
    ensures { bound_depth_of_fo_term_in_fo_term_list result =
      bound_depth_of_fo_term_in_fo_term_list t }
    ensures { nlmodel_fo_term_list result fr0 bnd10 fr3 bnd13 =
      nlmodel_fo_term_list t fr0 bnd10
        (update fr3 x (nlmodel_fo_term u fr0 bnd20 fr3 bnd23)) bnd13
      }
    =
    match t with | NL_FONil -> NL_FONil
      | NL_FOCons v0 v1 ->
        assert {
          rename_fo_term (nlmodel_fo_term u fr0 bnd20 fr3 bnd23) identity
            identity
          =
          nlmodel_fo_term u ((rename_subst_symbol fr0 identity))
            ((rename_subst_symbol bnd20 identity))
            ((rename_subst_fo_term fr3 identity identity))
            ((rename_subst_fo_term bnd23 identity identity))
          } ;
          assert {
            extensionalEqual
              ((rename_subst_fo_term
                 (update fr3 x (nlmodel_fo_term u fr0 bnd20 fr3 bnd23))
                 identity identity))
              (update ((rename_subst_fo_term fr3 identity identity)) x
                 (rename_fo_term (nlmodel_fo_term u fr0 bnd20 fr3 bnd23)
                    identity identity))
            } ;
          assert {
            (rename_subst_fo_term
              (update fr3 x (nlmodel_fo_term u fr0 bnd20 fr3 bnd23)) identity
              identity)
            =
            update ((rename_subst_fo_term fr3 identity identity)) x
              (nlmodel_fo_term u ((rename_subst_symbol fr0 identity))
                 ((rename_subst_symbol bnd20 identity))
                 ((rename_subst_fo_term fr3 identity identity))
                 ((rename_subst_fo_term bnd23 identity identity)))
            } ;
          assert {
            rename_fo_term (nlmodel_fo_term u fr0 bnd20 fr3 bnd23) identity
              identity
            =
            nlmodel_fo_term u ((rename_subst_symbol fr0 identity))
              ((rename_subst_symbol bnd20 identity))
              ((rename_subst_fo_term fr3 identity identity))
              ((rename_subst_fo_term bnd23 identity identity))
            } ;
          assert {
            extensionalEqual
              ((rename_subst_fo_term
                 (update fr3 x (nlmodel_fo_term u fr0 bnd20 fr3 bnd23))
                 identity identity))
              (update ((rename_subst_fo_term fr3 identity identity)) x
                 (rename_fo_term (nlmodel_fo_term u fr0 bnd20 fr3 bnd23)
                    identity identity))
            } ;
          assert {
            (rename_subst_fo_term
              (update fr3 x (nlmodel_fo_term u fr0 bnd20 fr3 bnd23)) identity
              identity)
            =
            update ((rename_subst_fo_term fr3 identity identity)) x
              (nlmodel_fo_term u ((rename_subst_symbol fr0 identity))
                 ((rename_subst_symbol bnd20 identity))
                 ((rename_subst_fo_term fr3 identity identity))
                 ((rename_subst_fo_term bnd23 identity identity)))
            } ;
          NL_FOCons
            (subst_base_fo_term_in_fo_term v0 x u
               ((rename_subst_symbol fr0 identity))
               ((rename_subst_symbol bnd10 identity))
               ((rename_subst_fo_term fr3 identity identity))
               ((rename_subst_fo_term bnd13 identity identity))
               ((rename_subst_symbol bnd20 identity))
               ((rename_subst_fo_term bnd23 identity identity)))
            (subst_base_fo_term_in_fo_term_list v1 x u
               ((rename_subst_symbol fr0 identity))
               ((rename_subst_symbol bnd10 identity))
               ((rename_subst_fo_term fr3 identity identity))
               ((rename_subst_fo_term bnd13 identity identity))
               ((rename_subst_symbol bnd20 identity))
               ((rename_subst_fo_term bnd23 identity identity)))
    end

  with subst_base_symbol_in_fo_term (t:nl_fo_term int int) (x:int)
    (u:nl_symbol int) (ghost fr0: int -> (symbol 'b0))
    (ghost bnd10: int -> (symbol 'b0)) (ghost fr3: int -> (fo_term 'b0 'b3))
    (ghost bnd13: int -> (fo_term 'b0 'b3))
    (ghost bnd20: int -> (symbol 'b0)) : nl_fo_term int int
    requires { correct_indexes_fo_term t }
    requires { correct_indexes_symbol u }
    requires { bound_depth_of_symbol_in_symbol u = 0 }
    variant { nlsize_fo_term t }
    ensures { correct_indexes_fo_term result }
     ensures { bound_depth_of_symbol_in_fo_term result =
       bound_depth_of_symbol_in_fo_term t }
    ensures { bound_depth_of_fo_term_in_fo_term result =
      bound_depth_of_fo_term_in_fo_term t }
    ensures { nlmodel_fo_term result fr0 bnd10 fr3 bnd13 =
      nlmodel_fo_term t (update fr0 x (nlmodel_symbol u fr0 bnd20)) bnd10 fr3
        bnd13
      }
    =
    match t with | NLFVar_fo_term v0 -> NLFVar_fo_term v0
      | NLBruijn_fo_term v0 -> NLBruijn_fo_term v0
      | NL_App v0 v1 ->
        assert { rename_symbol (nlmodel_symbol u fr0 bnd20) identity =
          nlmodel_symbol u ((rename_subst_symbol fr0 identity))
            ((rename_subst_symbol bnd20 identity))
          } ;
          assert {
            extensionalEqual
              ((rename_subst_symbol
                 (update fr0 x (nlmodel_symbol u fr0 bnd20)) identity))
              (update ((rename_subst_symbol fr0 identity)) x
                 (rename_symbol (nlmodel_symbol u fr0 bnd20) identity))
            } ;
          assert {
            (rename_subst_symbol (update fr0 x (nlmodel_symbol u fr0 bnd20))
              identity)
            =
            update ((rename_subst_symbol fr0 identity)) x
              (nlmodel_symbol u ((rename_subst_symbol fr0 identity))
                 ((rename_subst_symbol bnd20 identity)))
            } ;
          assert { rename_symbol (nlmodel_symbol u fr0 bnd20) identity =
            nlmodel_symbol u ((rename_subst_symbol fr0 identity))
              ((rename_subst_symbol bnd20 identity))
            } ;
          assert {
            extensionalEqual
              ((rename_subst_symbol
                 (update fr0 x (nlmodel_symbol u fr0 bnd20)) identity))
              (update ((rename_subst_symbol fr0 identity)) x
                 (rename_symbol (nlmodel_symbol u fr0 bnd20) identity))
            } ;
          assert {
            (rename_subst_symbol (update fr0 x (nlmodel_symbol u fr0 bnd20))
              identity)
            =
            update ((rename_subst_symbol fr0 identity)) x
              (nlmodel_symbol u ((rename_subst_symbol fr0 identity))
                 ((rename_subst_symbol bnd20 identity)))
            } ;
          NL_App
            (subst_base_symbol_in_symbol v0 x u
               ((rename_subst_symbol fr0 identity))
               ((rename_subst_symbol bnd10 identity))
               ((rename_subst_symbol bnd20 identity)))
            (subst_base_symbol_in_fo_term_list v1 x u
               ((rename_subst_symbol fr0 identity))
               ((rename_subst_symbol bnd10 identity))
               ((rename_subst_fo_term fr3 identity identity))
               ((rename_subst_fo_term bnd13 identity identity))
               ((rename_subst_symbol bnd20 identity)))
    end

  with subst_base_fo_term_in_fo_term (t:nl_fo_term int int) (x:int)
    (u:nl_fo_term int int) (ghost fr0: int -> (symbol 'b0))
    (ghost bnd10: int -> (symbol 'b0)) (ghost fr3: int -> (fo_term 'b0 'b3))
    (ghost bnd13: int -> (fo_term 'b0 'b3))
    (ghost bnd20: int -> (symbol 'b0))
    (ghost bnd23: int -> (fo_term 'b0 'b3)) : nl_fo_term int int
    requires { correct_indexes_fo_term t }
    requires { correct_indexes_fo_term u }
    requires { bound_depth_of_symbol_in_fo_term u = 0 }
    requires { bound_depth_of_fo_term_in_fo_term u = 0 }
    variant { nlsize_fo_term t }
    ensures { correct_indexes_fo_term result }
     ensures { bound_depth_of_symbol_in_fo_term result =
       bound_depth_of_symbol_in_fo_term t }
    ensures { bound_depth_of_fo_term_in_fo_term result =
      bound_depth_of_fo_term_in_fo_term t }
    ensures { nlmodel_fo_term result fr0 bnd10 fr3 bnd13 =
      nlmodel_fo_term t fr0 bnd10
        (update fr3 x (nlmodel_fo_term u fr0 bnd20 fr3 bnd23)) bnd13
      }
    =
    match t with
      | NLFVar_fo_term v0 ->
        if v0 = x
          then (model_equal_fo_term u fr0 fr0 bnd10 bnd20 fr3 fr3 bnd13 bnd23 ;
            u)
          else NLFVar_fo_term v0
      | NLBruijn_fo_term v0 -> NLBruijn_fo_term v0
      | NL_App v0 v1 ->
        assert {
          rename_fo_term (nlmodel_fo_term u fr0 bnd20 fr3 bnd23) identity
            identity
          =
          nlmodel_fo_term u ((rename_subst_symbol fr0 identity))
            ((rename_subst_symbol bnd20 identity))
            ((rename_subst_fo_term fr3 identity identity))
            ((rename_subst_fo_term bnd23 identity identity))
          } ;
          assert {
            extensionalEqual
              ((rename_subst_fo_term
                 (update fr3 x (nlmodel_fo_term u fr0 bnd20 fr3 bnd23))
                 identity identity))
              (update ((rename_subst_fo_term fr3 identity identity)) x
                 (rename_fo_term (nlmodel_fo_term u fr0 bnd20 fr3 bnd23)
                    identity identity))
            } ;
          assert {
            (rename_subst_fo_term
              (update fr3 x (nlmodel_fo_term u fr0 bnd20 fr3 bnd23)) identity
              identity)
            =
            update ((rename_subst_fo_term fr3 identity identity)) x
              (nlmodel_fo_term u ((rename_subst_symbol fr0 identity))
                 ((rename_subst_symbol bnd20 identity))
                 ((rename_subst_fo_term fr3 identity identity))
                 ((rename_subst_fo_term bnd23 identity identity)))
            } ;
          assert {
            rename_fo_term (nlmodel_fo_term u fr0 bnd20 fr3 bnd23) identity
              identity
            =
            nlmodel_fo_term u ((rename_subst_symbol fr0 identity))
              ((rename_subst_symbol bnd20 identity))
              ((rename_subst_fo_term fr3 identity identity))
              ((rename_subst_fo_term bnd23 identity identity))
            } ;
          assert {
            extensionalEqual
              ((rename_subst_fo_term
                 (update fr3 x (nlmodel_fo_term u fr0 bnd20 fr3 bnd23))
                 identity identity))
              (update ((rename_subst_fo_term fr3 identity identity)) x
                 (rename_fo_term (nlmodel_fo_term u fr0 bnd20 fr3 bnd23)
                    identity identity))
            } ;
          assert {
            (rename_subst_fo_term
              (update fr3 x (nlmodel_fo_term u fr0 bnd20 fr3 bnd23)) identity
              identity)
            =
            update ((rename_subst_fo_term fr3 identity identity)) x
              (nlmodel_fo_term u ((rename_subst_symbol fr0 identity))
                 ((rename_subst_symbol bnd20 identity))
                 ((rename_subst_fo_term fr3 identity identity))
                 ((rename_subst_fo_term bnd23 identity identity)))
            } ;
          NL_App (v0)
            (subst_base_fo_term_in_fo_term_list v1 x u
               ((rename_subst_symbol fr0 identity))
               ((rename_subst_symbol bnd10 identity))
               ((rename_subst_fo_term fr3 identity identity))
               ((rename_subst_fo_term bnd13 identity identity))
               ((rename_subst_symbol bnd20 identity))
               ((rename_subst_fo_term bnd23 identity identity)))
    end

  let construct_fo_term_list (c:cons_fo_term_list) : nlimpl_fo_term_list
    requires { cons_ok_fo_term_list c }
    ensures { nlimpl_fo_term_list_ok result }
    ensures { cons_rel_fo_term_list c result }
    (*ensures { cons_open_rel_fo_term_list c result }*) =
    match c with
      | NLC_FONil ->
        let res =
          { nlrepr_fo_term_list_field = (NL_FONil) ;
            nlfree_var_symbol_set_abstraction_fo_term_list_field = 0 ;
            nlfree_var_fo_term_set_abstraction_fo_term_list_field = 0 ;
            model_fo_term_list_field = ghost (FONil) ;
          }
        in
        assert {
          forall x:int.
            is_symbol_free_var_in_fo_term_list x res.model_fo_term_list_field
            -> (false) && (x) <
            (res.nlfree_var_symbol_set_abstraction_fo_term_list_field)
          } ;
        assert {
          forall x:int.
            is_fo_term_free_var_in_fo_term_list x
              res.model_fo_term_list_field
            -> (false) && (x) <
            (res.nlfree_var_fo_term_set_abstraction_fo_term_list_field)
          } ;
        res
      | NLC_FOCons v0 v1 -> assert { nlimpl_fo_term_ok v0 } ;
        assert { nlimpl_fo_term_list_ok v1 } ;
        let res =
          {
            nlrepr_fo_term_list_field =
              (NL_FOCons (let v0 = v0.nlrepr_fo_term_field in v0)
                 (let v1 = v1.nlrepr_fo_term_list_field in v1)) ;
            nlfree_var_symbol_set_abstraction_fo_term_list_field =
              (let aux (a:int) (b:int) : int
                 ensures { result >= a /\ result >= b } =
                 if a < b then b else a in
                 aux (v0.nlfree_var_symbol_set_abstraction_fo_term_field)
                   (v1.nlfree_var_symbol_set_abstraction_fo_term_list_field)) ;
            nlfree_var_fo_term_set_abstraction_fo_term_list_field =
              (let aux (a:int) (b:int) : int
                 ensures { result >= a /\ result >= b } =
                 if a < b then b else a in
                 aux (v0.nlfree_var_fo_term_set_abstraction_fo_term_field)
                   (v1.nlfree_var_fo_term_set_abstraction_fo_term_list_field)) ;
            model_fo_term_list_field = ghost
              (FOCons
                 (rename_fo_term v0.model_fo_term_field identity identity)
                 (rename_fo_term_list v1.model_fo_term_list_field identity
                    identity)) ;
          }
        in
        assert {
          forall x:int.
            is_symbol_free_var_in_fo_term x
              (rename_fo_term v0.model_fo_term_field identity identity)
            ->
            (forall y:int.
               (is_symbol_free_var_in_fo_term y v0.model_fo_term_field /\
               eval (identity) y = x) -> x = eval (identity) y && x = y &&
               is_symbol_free_var_in_fo_term x v0.model_fo_term_field)
            && is_symbol_free_var_in_fo_term x v0.model_fo_term_field && (x)
            < (v0.nlfree_var_symbol_set_abstraction_fo_term_field) && (x) <
            (res.nlfree_var_symbol_set_abstraction_fo_term_list_field)
          } ;
        assert {
          forall x:int.
            is_fo_term_free_var_in_fo_term x
              (rename_fo_term v0.model_fo_term_field identity identity)
            ->
            (forall y:int.
               (is_fo_term_free_var_in_fo_term y v0.model_fo_term_field /\
               eval (identity) y = x) -> x = eval (identity) y && x = y &&
               is_fo_term_free_var_in_fo_term x v0.model_fo_term_field)
            && is_fo_term_free_var_in_fo_term x v0.model_fo_term_field && (x)
            < (v0.nlfree_var_fo_term_set_abstraction_fo_term_field) && (x) <
            (res.nlfree_var_fo_term_set_abstraction_fo_term_list_field)
          } ;
        assert {
          forall x:int.
            is_symbol_free_var_in_fo_term_list x
              (rename_fo_term_list v1.model_fo_term_list_field identity
                 identity)
            ->
            (forall y:int.
               (is_symbol_free_var_in_fo_term_list y
                  v1.model_fo_term_list_field
               /\ eval (identity) y = x) -> x = eval (identity) y &&
               x = y &&
               is_symbol_free_var_in_fo_term_list x
                 v1.model_fo_term_list_field)
            &&
            is_symbol_free_var_in_fo_term_list x v1.model_fo_term_list_field
            && (x) <
            (v1.nlfree_var_symbol_set_abstraction_fo_term_list_field) && (x)
            < (res.nlfree_var_symbol_set_abstraction_fo_term_list_field)
          } ;
        assert {
          forall x:int.
            is_fo_term_free_var_in_fo_term_list x
              (rename_fo_term_list v1.model_fo_term_list_field identity
                 identity)
            ->
            (forall y:int.
               (is_fo_term_free_var_in_fo_term_list y
                  v1.model_fo_term_list_field
               /\ eval (identity) y = x) -> x = eval (identity) y &&
               x = y &&
               is_fo_term_free_var_in_fo_term_list x
                 v1.model_fo_term_list_field)
            &&
            is_fo_term_free_var_in_fo_term_list x v1.model_fo_term_list_field
            && (x) <
            (v1.nlfree_var_fo_term_set_abstraction_fo_term_list_field) && (x)
            < (res.nlfree_var_fo_term_set_abstraction_fo_term_list_field)
          } ;
        assert {
          forall x:int.
            is_symbol_free_var_in_fo_term_list x res.model_fo_term_list_field
            ->
            (is_symbol_free_var_in_fo_term x
               (rename_fo_term v0.model_fo_term_field identity identity) \/
               is_symbol_free_var_in_fo_term_list x
                 (rename_fo_term_list v1.model_fo_term_list_field identity
                    identity))
            && (x) <
            (res.nlfree_var_symbol_set_abstraction_fo_term_list_field)
          } ;
        assert {
          forall x:int.
            is_fo_term_free_var_in_fo_term_list x
              res.model_fo_term_list_field
            ->
            (is_fo_term_free_var_in_fo_term x
               (rename_fo_term v0.model_fo_term_field identity identity) \/
               is_fo_term_free_var_in_fo_term_list x
                 (rename_fo_term_list v1.model_fo_term_list_field identity
                    identity))
            && (x) <
            (res.nlfree_var_fo_term_set_abstraction_fo_term_list_field)
          } ;
        assert {
          extensionalEqual (rename_subst_symbol subst_id_symbol identity)
            ((rename_subst_symbol (subst_id_symbol:(int)->(symbol (int)))
                identity))
          } ;
        assert { rename_subst_symbol subst_id_symbol identity =
          (rename_subst_symbol (subst_id_symbol:(int)->(symbol (int)))
             identity)
          } ;
        assert {
          extensionalEqual
            (rename_subst_fo_term subst_id_fo_term identity identity)
            ((rename_subst_fo_term
                (subst_id_fo_term:(int)->(fo_term (int) (int))) identity
                identity))
          } ;
        assert { rename_subst_fo_term subst_id_fo_term identity identity =
          (rename_subst_fo_term
             (subst_id_fo_term:(int)->(fo_term (int) (int))) identity
             identity)
          } ;
        model_equal_fo_term v0.nlrepr_fo_term_field
          (rename_subst_symbol subst_id_symbol identity)
          (rename_subst_symbol subst_id_symbol identity)
          ((rename_subst_symbol (const (Var_symbol (-1))) identity))
          (rename_subst_symbol (const (Var_symbol (-1))) identity)
          (rename_subst_fo_term subst_id_fo_term identity identity)
          (rename_subst_fo_term subst_id_fo_term identity identity)
          ((rename_subst_fo_term (const (Var_fo_term (-1))) identity
             identity))
          (rename_subst_fo_term (const (Var_fo_term (-1))) identity identity) ;
        (*assert {
            extensionalEqual (rcompose (identity) (identity))
              ((identity : (int) -> (int)))
            } ;
        assert { rcompose (identity) (identity) = (identity : (int) -> (int))
          } ;*)
        (*assert {
            extensionalEqual (rcompose (identity) (identity))
              ((identity : (int) -> (int)))
            } ;
        assert { rcompose (identity) (identity) = (identity : (int) -> (int))
          } ;*)
        assert {
          extensionalEqual (rename_subst_symbol subst_id_symbol identity)
            ((rename_subst_symbol (subst_id_symbol:(int)->(symbol (int)))
                identity))
          } ;
        assert { rename_subst_symbol subst_id_symbol identity =
          (rename_subst_symbol (subst_id_symbol:(int)->(symbol (int)))
             identity)
          } ;
        assert {
          extensionalEqual
            (rename_subst_fo_term subst_id_fo_term identity identity)
            ((rename_subst_fo_term
                (subst_id_fo_term:(int)->(fo_term (int) (int))) identity
                identity))
          } ;
        assert { rename_subst_fo_term subst_id_fo_term identity identity =
          (rename_subst_fo_term
             (subst_id_fo_term:(int)->(fo_term (int) (int))) identity
             identity)
          } ;
        model_equal_fo_term_list v1.nlrepr_fo_term_list_field
          (rename_subst_symbol subst_id_symbol identity)
          (rename_subst_symbol subst_id_symbol identity)
          ((rename_subst_symbol (const (Var_symbol (-1))) identity))
          (rename_subst_symbol (const (Var_symbol (-1))) identity)
          (rename_subst_fo_term subst_id_fo_term identity identity)
          (rename_subst_fo_term subst_id_fo_term identity identity)
          ((rename_subst_fo_term (const (Var_fo_term (-1))) identity
             identity))
          (rename_subst_fo_term (const (Var_fo_term (-1))) identity identity) ;
        (*assert {
            extensionalEqual (rcompose (identity) (identity))
              ((identity : (int) -> (int)))
            } ;
        assert { rcompose (identity) (identity) = (identity : (int) -> (int))
          } ;*)
        (*assert {
            extensionalEqual (rcompose (identity) (identity))
              ((identity : (int) -> (int)))
            } ;
        assert { rcompose (identity) (identity) = (identity : (int) -> (int))
          } ;*)
        res
    end

  let construct_fo_term (c:cons_fo_term) : nlimpl_fo_term
    requires { cons_ok_fo_term c } ensures { nlimpl_fo_term_ok result }
    ensures { cons_rel_fo_term c result }
    (*ensures { cons_open_rel_fo_term c result }*) =
    match c with
      | NLCVar_fo_term v0 ->
        { nlrepr_fo_term_field = NLFVar_fo_term v0 ;
          nlfree_var_symbol_set_abstraction_fo_term_field = 0 ;
          nlfree_var_fo_term_set_abstraction_fo_term_field = (1 + (v0)) ;
          model_fo_term_field = ghost (Var_fo_term v0) ;
        }
      | NLC_App v0 v1 -> assert { nlimpl_symbol_ok v0 } ;
        assert { nlimpl_fo_term_list_ok v1 } ;
        let res =
          {
            nlrepr_fo_term_field =
              (NL_App (let v0 = v0.nlrepr_symbol_field in v0)
                 (let v1 = v1.nlrepr_fo_term_list_field in v1)) ;
            nlfree_var_symbol_set_abstraction_fo_term_field =
              (let aux (a:int) (b:int) : int
                 ensures { result >= a /\ result >= b } =
                 if a < b then b else a in
                 aux (v0.nlfree_var_symbol_set_abstraction_symbol_field)
                   (v1.nlfree_var_symbol_set_abstraction_fo_term_list_field)) ;
            nlfree_var_fo_term_set_abstraction_fo_term_field =
              v1.nlfree_var_fo_term_set_abstraction_fo_term_list_field ;
            model_fo_term_field = ghost
              (App (rename_symbol v0.model_symbol_field identity)
                 (rename_fo_term_list v1.model_fo_term_list_field identity
                    identity)) ;
          }
        in
        assert {
          forall x:int.
            is_symbol_free_var_in_symbol x
              (rename_symbol v0.model_symbol_field identity)
            ->
            (forall y:int.
               (is_symbol_free_var_in_symbol y v0.model_symbol_field /\
               eval (identity) y = x) -> x = eval (identity) y && x = y &&
               is_symbol_free_var_in_symbol x v0.model_symbol_field)
            && is_symbol_free_var_in_symbol x v0.model_symbol_field && (x) <
            (v0.nlfree_var_symbol_set_abstraction_symbol_field) && (x) <
            (res.nlfree_var_symbol_set_abstraction_fo_term_field)
          } ;
        assert {
          forall x:int.
            is_symbol_free_var_in_fo_term_list x
              (rename_fo_term_list v1.model_fo_term_list_field identity
                 identity)
            ->
            (forall y:int.
               (is_symbol_free_var_in_fo_term_list y
                  v1.model_fo_term_list_field
               /\ eval (identity) y = x) -> x = eval (identity) y &&
               x = y &&
               is_symbol_free_var_in_fo_term_list x
                 v1.model_fo_term_list_field)
            &&
            is_symbol_free_var_in_fo_term_list x v1.model_fo_term_list_field
            && (x) <
            (v1.nlfree_var_symbol_set_abstraction_fo_term_list_field) && (x)
            < (res.nlfree_var_symbol_set_abstraction_fo_term_field)
          } ;
        assert {
          forall x:int.
            is_fo_term_free_var_in_fo_term_list x
              (rename_fo_term_list v1.model_fo_term_list_field identity
                 identity)
            ->
            (forall y:int.
               (is_fo_term_free_var_in_fo_term_list y
                  v1.model_fo_term_list_field
               /\ eval (identity) y = x) -> x = eval (identity) y &&
               x = y &&
               is_fo_term_free_var_in_fo_term_list x
                 v1.model_fo_term_list_field)
            &&
            is_fo_term_free_var_in_fo_term_list x v1.model_fo_term_list_field
            && (x) <
            (v1.nlfree_var_fo_term_set_abstraction_fo_term_list_field) && (x)
            < (res.nlfree_var_fo_term_set_abstraction_fo_term_field)
          } ;
        assert {
          forall x:int.
            is_symbol_free_var_in_fo_term x res.model_fo_term_field ->
            (is_symbol_free_var_in_symbol x
               (rename_symbol v0.model_symbol_field identity) \/
               is_symbol_free_var_in_fo_term_list x
                 (rename_fo_term_list v1.model_fo_term_list_field identity
                    identity))
            && (x) < (res.nlfree_var_symbol_set_abstraction_fo_term_field)
          } ;
        assert {
          forall x:int.
            is_fo_term_free_var_in_fo_term x res.model_fo_term_field ->
            (is_fo_term_free_var_in_fo_term_list x
               (rename_fo_term_list v1.model_fo_term_list_field identity
                  identity))
            && (x) < (res.nlfree_var_fo_term_set_abstraction_fo_term_field)
          } ;
        assert {
          extensionalEqual (rename_subst_symbol subst_id_symbol identity)
            ((rename_subst_symbol (subst_id_symbol:(int)->(symbol (int)))
                identity))
          } ;
        assert { rename_subst_symbol subst_id_symbol identity =
          (rename_subst_symbol (subst_id_symbol:(int)->(symbol (int)))
             identity)
          } ;
        model_equal_symbol v0.nlrepr_symbol_field
          (rename_subst_symbol subst_id_symbol identity)
          (rename_subst_symbol subst_id_symbol identity)
          ((rename_subst_symbol (const (Var_symbol (-1))) identity))
          (rename_subst_symbol (const (Var_symbol (-1))) identity) ;
        (*assert {
            extensionalEqual (rcompose (identity) (identity))
              ((identity : (int) -> (int)))
            } ;
        assert { rcompose (identity) (identity) = (identity : (int) -> (int))
          } ;*)
        assert {
          extensionalEqual (rename_subst_symbol subst_id_symbol identity)
            ((rename_subst_symbol (subst_id_symbol:(int)->(symbol (int)))
                identity))
          } ;
        assert { rename_subst_symbol subst_id_symbol identity =
          (rename_subst_symbol (subst_id_symbol:(int)->(symbol (int)))
             identity)
          } ;
        assert {
          extensionalEqual
            (rename_subst_fo_term subst_id_fo_term identity identity)
            ((rename_subst_fo_term
                (subst_id_fo_term:(int)->(fo_term (int) (int))) identity
                identity))
          } ;
        assert { rename_subst_fo_term subst_id_fo_term identity identity =
          (rename_subst_fo_term
             (subst_id_fo_term:(int)->(fo_term (int) (int))) identity
             identity)
          } ;
        model_equal_fo_term_list v1.nlrepr_fo_term_list_field
          (rename_subst_symbol subst_id_symbol identity)
          (rename_subst_symbol subst_id_symbol identity)
          ((rename_subst_symbol (const (Var_symbol (-1))) identity))
          (rename_subst_symbol (const (Var_symbol (-1))) identity)
          (rename_subst_fo_term subst_id_fo_term identity identity)
          (rename_subst_fo_term subst_id_fo_term identity identity)
          ((rename_subst_fo_term (const (Var_fo_term (-1))) identity
             identity))
          (rename_subst_fo_term (const (Var_fo_term (-1))) identity identity) ;
        (*assert {
            extensionalEqual (rcompose (identity) (identity))
              ((identity : (int) -> (int)))
            } ;
        assert { rcompose (identity) (identity) = (identity : (int) -> (int))
          } ;*)
        (*assert {
            extensionalEqual (rcompose (identity) (identity))
              ((identity : (int) -> (int)))
            } ;
        assert { rcompose (identity) (identity) = (identity : (int) -> (int))
          } ;*)
        res
    end

  let destruct_fo_term_list (t:nlimpl_fo_term_list) : cons_fo_term_list
    requires { nlimpl_fo_term_list_ok t }
    ensures { cons_ok_fo_term_list result }
    ensures { cons_rel_fo_term_list result t }
    ensures { cons_open_rel_fo_term_list result t } =
    let fv0 = t.nlfree_var_symbol_set_abstraction_fo_term_list_field in
    let fv3 = t.nlfree_var_fo_term_set_abstraction_fo_term_list_field in
    match t.nlrepr_fo_term_list_field with
      | NL_FONil ->
        assert { t.model_fo_term_list_field = FONil } ;
          let () =
            match t.model_fo_term_list_field with | FONil -> ()
              | FOCons x0 x1 -> absurd
            end
          in let res = NLC_FONil in res
      | NL_FOCons v0 v1 ->
        assert { t.model_fo_term_list_field =
          FOCons
            (nlmodel_fo_term v0
               (rename_subst_symbol subst_id_symbol identity)
               (rename_subst_symbol
                 (const (Var_symbol (-1)) : int -> (symbol int)) identity)
               (rename_subst_fo_term subst_id_fo_term identity identity)
               (rename_subst_fo_term
                 (const (Var_fo_term (-1)) : int -> (fo_term int int))
                 identity identity))
            (nlmodel_fo_term_list v1
               (rename_subst_symbol subst_id_symbol identity)
               (rename_subst_symbol
                 (const (Var_symbol (-1)) : int -> (symbol int)) identity)
               (rename_subst_fo_term subst_id_fo_term identity identity)
               (rename_subst_fo_term
                 (const (Var_fo_term (-1)) : int -> (fo_term int int))
                 identity identity))
          } ;
          let (mv0 , mv1) =
            match t.model_fo_term_list_field with | FONil -> absurd
              | FOCons x0 x1 -> (x0 , x1)
            end
          in
          assert { mv0 =
            nlmodel_fo_term v0
              ((rename_subst_symbol subst_id_symbol identity))
              ((rename_subst_symbol
                 (const (Var_symbol (-1)) : int -> (symbol int)) identity))
              ((rename_subst_fo_term subst_id_fo_term identity identity))
              ((rename_subst_fo_term
                 (const (Var_fo_term (-1)) : int -> (fo_term int int))
                 identity identity))
            } ;
          assert { mv1 =
            nlmodel_fo_term_list v1
              ((rename_subst_symbol subst_id_symbol identity))
              ((rename_subst_symbol
                 (const (Var_symbol (-1)) : int -> (symbol int)) identity))
              ((rename_subst_fo_term subst_id_fo_term identity identity))
              ((rename_subst_fo_term
                 (const (Var_fo_term (-1)) : int -> (fo_term int int))
                 identity identity))
            } ;
          assert { bound_depth_of_symbol_in_fo_term v0 <= 0 } ;
          assert {
            forall x:int. is_symbol_free_var_in_fo_term x mv0 ->
              is_symbol_free_var_in_fo_term_list x t.model_fo_term_list_field
              && (x) <
              (t.nlfree_var_symbol_set_abstraction_fo_term_list_field)
            } ;
          assert { bound_depth_of_fo_term_in_fo_term v0 <= 0 } ;
          assert {
            forall x:int. is_fo_term_free_var_in_fo_term x mv0 ->
              is_fo_term_free_var_in_fo_term_list x
                t.model_fo_term_list_field
              && (x) <
              (t.nlfree_var_fo_term_set_abstraction_fo_term_list_field)
            } ;
          assert { bound_depth_of_symbol_in_fo_term_list v1 <= 0 } ;
          assert {
            forall x:int. is_symbol_free_var_in_fo_term_list x mv1 ->
              is_symbol_free_var_in_fo_term_list x t.model_fo_term_list_field
              && (x) <
              (t.nlfree_var_symbol_set_abstraction_fo_term_list_field)
            } ;
          assert { bound_depth_of_fo_term_in_fo_term_list v1 <= 0 } ;
          assert {
            forall x:int. is_fo_term_free_var_in_fo_term_list x mv1 ->
              is_fo_term_free_var_in_fo_term_list x
                t.model_fo_term_list_field
              && (x) <
              (t.nlfree_var_fo_term_set_abstraction_fo_term_list_field)
            } ;
          model_equal_fo_term v0 subst_id_symbol
            (rename_subst_symbol
               ((rename_subst_symbol subst_id_symbol identity)) (identity)) ((
            const (Var_symbol (-1)) : int -> (symbol int)))
            (rename_subst_symbol
               ((rename_subst_symbol
                  (const (Var_symbol (-1)) : int -> (symbol int)) identity))
               (identity))
            subst_id_fo_term
            (rename_subst_fo_term
               ((rename_subst_fo_term subst_id_fo_term identity identity))
               (identity) (identity)) ((const (Var_fo_term (-1)) :
                                          int -> (fo_term int int)))
            (rename_subst_fo_term
               ((rename_subst_fo_term
                  (const (Var_fo_term (-1)) : int -> (fo_term int int))
                  identity identity))
               (identity) (identity)) ;
          model_equal_fo_term_list v1 subst_id_symbol
            (rename_subst_symbol
               ((rename_subst_symbol subst_id_symbol identity)) (identity)) ((
            const (Var_symbol (-1)) : int -> (symbol int)))
            (rename_subst_symbol
               ((rename_subst_symbol
                  (const (Var_symbol (-1)) : int -> (symbol int)) identity))
               (identity))
            subst_id_fo_term
            (rename_subst_fo_term
               ((rename_subst_fo_term subst_id_fo_term identity identity))
               (identity) (identity)) ((const (Var_fo_term (-1)) :
                                          int -> (fo_term int int)))
            (rename_subst_fo_term
               ((rename_subst_fo_term
                  (const (Var_fo_term (-1)) : int -> (fo_term int int))
                  identity identity))
               (identity) (identity)) ;
          let ghost mrv0 = rename_fo_term mv0 identity identity in
          let ghost mrv1 = rename_fo_term_list mv1 identity identity in
          let resv0 =
            { nlrepr_fo_term_field = v0 ;
              nlfree_var_symbol_set_abstraction_fo_term_field = fv0 ;
              nlfree_var_fo_term_set_abstraction_fo_term_field = fv3 ;
              model_fo_term_field = ghost mrv0 ;
            }
          in
          let resv1 =
            { nlrepr_fo_term_list_field = v1 ;
              nlfree_var_symbol_set_abstraction_fo_term_list_field = fv0 ;
              nlfree_var_fo_term_set_abstraction_fo_term_list_field = fv3 ;
              model_fo_term_list_field = ghost mrv1 ;
            }
          in let res = NLC_FOCons resv0 resv1 in
          free_var_equivalence_of_rename_fo_term mv0 (identity)
            (rcompose (identity) (identity)) (identity)
            (rcompose (identity) (identity)) ;
          free_var_equivalence_of_rename_fo_term_list mv1 (identity)
            (rcompose (identity) (identity)) (identity)
            (rcompose (identity) (identity)) ;
          assert {
            forall x:int. is_symbol_free_var_in_fo_term x mrv0 ->
              (forall y:int.
                 (is_symbol_free_var_in_fo_term y mv0 /\ eval (identity) y =
                    x)
                 -> x = y &&
                 is_symbol_free_var_in_fo_term_list x
                   t.model_fo_term_list_field
                 && (x) < (fv0))
              && (x) < (fv0)
            } ;
          assert {
            forall x:int. is_fo_term_free_var_in_fo_term x mrv0 ->
              (forall y:int.
                 (is_fo_term_free_var_in_fo_term y mv0 /\ eval (identity) y =
                    x)
                 -> x = y &&
                 is_fo_term_free_var_in_fo_term_list x
                   t.model_fo_term_list_field
                 && (x) < (fv3))
              && (x) < (fv3)
            } ;
          assert {
            forall x:int. is_symbol_free_var_in_fo_term_list x mrv1 ->
              (forall y:int.
                 (is_symbol_free_var_in_fo_term_list y mv1 /\
                    eval (identity) y = x)
                 -> x = y &&
                 is_symbol_free_var_in_fo_term_list x
                   t.model_fo_term_list_field
                 && (x) < (fv0))
              && (x) < (fv0)
            } ;
          assert {
            forall x:int. is_fo_term_free_var_in_fo_term_list x mrv1 ->
              (forall y:int.
                 (is_fo_term_free_var_in_fo_term_list y mv1 /\
                    eval (identity) y = x)
                 -> x = y &&
                 is_fo_term_free_var_in_fo_term_list x
                   t.model_fo_term_list_field
                 && (x) < (fv3))
              && (x) < (fv3)
            } ;
          res
    end

  let destruct_fo_term (t:nlimpl_fo_term) : cons_fo_term
    requires { nlimpl_fo_term_ok t } ensures { cons_ok_fo_term result }
    ensures { cons_rel_fo_term result t }
    ensures { cons_open_rel_fo_term result t } =
    let fv0 = t.nlfree_var_symbol_set_abstraction_fo_term_field in
    let fv3 = t.nlfree_var_fo_term_set_abstraction_fo_term_field in
    match t.nlrepr_fo_term_field with
      | NLFVar_fo_term v0 -> NLCVar_fo_term v0
      | NLBruijn_fo_term v0 -> absurd
      | NL_App v0 v1 ->
        assert { t.model_fo_term_field =
          App
            (nlmodel_symbol v0 (rename_subst_symbol subst_id_symbol identity)
               (rename_subst_symbol
                 (const (Var_symbol (-1)) : int -> (symbol int)) identity))
            (nlmodel_fo_term_list v1
               (rename_subst_symbol subst_id_symbol identity)
               (rename_subst_symbol
                 (const (Var_symbol (-1)) : int -> (symbol int)) identity)
               (rename_subst_fo_term subst_id_fo_term identity identity)
               (rename_subst_fo_term
                 (const (Var_fo_term (-1)) : int -> (fo_term int int))
                 identity identity))
          } ;
          let (mv0 , mv1) =
            match t.model_fo_term_field with | Var_fo_term x0 -> absurd
              | App x0 x1 -> (x0 , x1)
            end
          in
          assert { mv0 =
            nlmodel_symbol v0
              ((rename_subst_symbol subst_id_symbol identity))
              ((rename_subst_symbol
                 (const (Var_symbol (-1)) : int -> (symbol int)) identity))
            } ;
          assert { mv1 =
            nlmodel_fo_term_list v1
              ((rename_subst_symbol subst_id_symbol identity))
              ((rename_subst_symbol
                 (const (Var_symbol (-1)) : int -> (symbol int)) identity))
              ((rename_subst_fo_term subst_id_fo_term identity identity))
              ((rename_subst_fo_term
                 (const (Var_fo_term (-1)) : int -> (fo_term int int))
                 identity identity))
            } ;
          assert { bound_depth_of_symbol_in_symbol v0 <= 0 } ;
          assert {
            forall x:int. is_symbol_free_var_in_symbol x mv0 ->
              is_symbol_free_var_in_fo_term x t.model_fo_term_field && (x) <
              (t.nlfree_var_symbol_set_abstraction_fo_term_field)
            } ;
          assert { bound_depth_of_symbol_in_fo_term_list v1 <= 0 } ;
          assert {
            forall x:int. is_symbol_free_var_in_fo_term_list x mv1 ->
              is_symbol_free_var_in_fo_term x t.model_fo_term_field && (x) <
              (t.nlfree_var_symbol_set_abstraction_fo_term_field)
            } ;
          assert { bound_depth_of_fo_term_in_fo_term_list v1 <= 0 } ;
          assert {
            forall x:int. is_fo_term_free_var_in_fo_term_list x mv1 ->
              is_fo_term_free_var_in_fo_term x t.model_fo_term_field && (x) <
              (t.nlfree_var_fo_term_set_abstraction_fo_term_field)
            } ;
          model_equal_symbol v0 subst_id_symbol
            (rename_subst_symbol
               ((rename_subst_symbol subst_id_symbol identity)) (identity)) ((
            const (Var_symbol (-1)) : int -> (symbol int)))
            (rename_subst_symbol
               ((rename_subst_symbol
                  (const (Var_symbol (-1)) : int -> (symbol int)) identity))
               (identity)) ;
          model_equal_fo_term_list v1 subst_id_symbol
            (rename_subst_symbol
               ((rename_subst_symbol subst_id_symbol identity)) (identity)) ((
            const (Var_symbol (-1)) : int -> (symbol int)))
            (rename_subst_symbol
               ((rename_subst_symbol
                  (const (Var_symbol (-1)) : int -> (symbol int)) identity))
               (identity))
            subst_id_fo_term
            (rename_subst_fo_term
               ((rename_subst_fo_term subst_id_fo_term identity identity))
               (identity) (identity)) ((const (Var_fo_term (-1)) :
                                          int -> (fo_term int int)))
            (rename_subst_fo_term
               ((rename_subst_fo_term
                  (const (Var_fo_term (-1)) : int -> (fo_term int int))
                  identity identity))
               (identity) (identity)) ;
          let ghost mrv0 = rename_symbol mv0 identity in
          let ghost mrv1 = rename_fo_term_list mv1 identity identity in
          let resv0 =
            { nlrepr_symbol_field = v0 ;
              nlfree_var_symbol_set_abstraction_symbol_field = fv0 ;
              model_symbol_field = ghost mrv0 ;
            }
          in
          let resv1 =
            { nlrepr_fo_term_list_field = v1 ;
              nlfree_var_symbol_set_abstraction_fo_term_list_field = fv0 ;
              nlfree_var_fo_term_set_abstraction_fo_term_list_field = fv3 ;
              model_fo_term_list_field = ghost mrv1 ;
            }
          in let res = NLC_App resv0 resv1 in
          free_var_equivalence_of_rename_symbol mv0 (identity)
            (rcompose (identity) (identity)) ;
          free_var_equivalence_of_rename_fo_term_list mv1 (identity)
            (rcompose (identity) (identity)) (identity)
            (rcompose (identity) (identity)) ;
          assert {
            forall x:int. is_symbol_free_var_in_symbol x mrv0 ->
              (forall y:int.
                 (is_symbol_free_var_in_symbol y mv0 /\ eval (identity) y = x)
                 -> x = y &&
                 is_symbol_free_var_in_fo_term x t.model_fo_term_field && (x)
                 < (fv0))
              && (x) < (fv0)
            } ;
          assert {
            forall x:int. is_symbol_free_var_in_fo_term_list x mrv1 ->
              (forall y:int.
                 (is_symbol_free_var_in_fo_term_list y mv1 /\
                    eval (identity) y = x)
                 -> x = y &&
                 is_symbol_free_var_in_fo_term x t.model_fo_term_field && (x)
                 < (fv0))
              && (x) < (fv0)
            } ;
          assert {
            forall x:int. is_fo_term_free_var_in_fo_term_list x mrv1 ->
              (forall y:int.
                 (is_fo_term_free_var_in_fo_term_list y mv1 /\
                    eval (identity) y = x)
                 -> x = y &&
                 is_fo_term_free_var_in_fo_term x t.model_fo_term_field &&
                 (x) < (fv3))
              && (x) < (fv3)
            } ;
          res
    end

  let nlsubst_symbol_in_fo_term_list (t:nlimpl_fo_term_list) (x:int)
    (u:nlimpl_symbol) : nlimpl_fo_term_list
    requires { nlimpl_fo_term_list_ok t } requires { nlimpl_symbol_ok u }
    ensures { nlimpl_fo_term_list_ok result }
    ensures { result.model_fo_term_list_field =
      subst_fo_term_list t.model_fo_term_list_field
        (update (subst_id_symbol: (int) -> (symbol (int))) x
           u.model_symbol_field)
        (subst_id_fo_term: (int) -> (fo_term (int) (int)))
      }
    =
    model_equal_fo_term_list t.nlrepr_fo_term_list_field
      (subst_compose_symbol subst_id_symbol
         ((update (subst_id_symbol: (int) -> (symbol (int))) x
             u.model_symbol_field)))
      ((update (subst_id_symbol: (int) -> (symbol (int))) x
          u.model_symbol_field))
      (subst_compose_symbol (const (Var_symbol (-1)))
         ((update (subst_id_symbol: (int) -> (symbol (int))) x
             u.model_symbol_field)))
      ((const (Var_symbol (-1))))
      (subst_compose_fo_term subst_id_fo_term
         ((update (subst_id_symbol: (int) -> (symbol (int))) x
             u.model_symbol_field))
         ((subst_id_fo_term: (int) -> (fo_term (int) (int)))))
      ((subst_id_fo_term: (int) -> (fo_term (int) (int))))
      (subst_compose_fo_term (const (Var_fo_term (-1)))
         ((update (subst_id_symbol: (int) -> (symbol (int))) x
             u.model_symbol_field))
         ((subst_id_fo_term: (int) -> (fo_term (int) (int)))))
      ((const (Var_fo_term (-1))));
    let res =
      {
        nlrepr_fo_term_list_field =
          subst_base_symbol_in_fo_term_list t.nlrepr_fo_term_list_field x
            u.nlrepr_symbol_field (subst_id_symbol)
            ((const (Var_symbol (-1)))) (subst_id_fo_term)
            ((const (Var_fo_term (-1)))) ((const (Var_symbol (-1)))) ;
        nlfree_var_symbol_set_abstraction_fo_term_list_field =
          (let aux (a:int) (b:int) : int
             ensures { result >= a /\ result >= b } = if a < b then b else a
             in
             aux (t.nlfree_var_symbol_set_abstraction_fo_term_list_field)
               (u.nlfree_var_symbol_set_abstraction_symbol_field)) ;
        nlfree_var_fo_term_set_abstraction_fo_term_list_field =
          t.nlfree_var_fo_term_set_abstraction_fo_term_list_field ;
        model_fo_term_list_field = ghost
          subst_fo_term_list t.model_fo_term_list_field
            (update (subst_id_symbol: (int) -> (symbol (int))) x
               u.model_symbol_field)
            (subst_id_fo_term: (int) -> (fo_term (int) (int))) ;
      }
    in
    assert {
      forall x2:int.
        is_symbol_free_var_in_fo_term_list x2 res.model_fo_term_list_field ->
        (true /\
           (forall y:int.
              (is_symbol_free_var_in_fo_term_list y
                 t.model_fo_term_list_field /\
                 is_symbol_free_var_in_symbol x2
                   (eval
                      ((update (subst_id_symbol: (int) -> (symbol (int))) x
                          u.model_symbol_field))
                      y))
              ->
              ((x = y -> (x2) <
                  (res.nlfree_var_symbol_set_abstraction_fo_term_list_field))
                 /\
                 (x <> y -> x2 = y && (x2) <
                    (res.nlfree_var_symbol_set_abstraction_fo_term_list_field)))
                 && (x2) <
                 (res.nlfree_var_symbol_set_abstraction_fo_term_list_field))
           /\
           (forall y:int.
              (is_fo_term_free_var_in_fo_term_list y
                 t.model_fo_term_list_field /\
                 is_symbol_free_var_in_fo_term x2
                   (eval ((subst_id_fo_term: (int) -> (fo_term (int) (int))))
                      y))
              -> false))
        && (x2) < (res.nlfree_var_symbol_set_abstraction_fo_term_list_field)
      } ;
    assert {
      forall x2:int.
        is_fo_term_free_var_in_fo_term_list x2 res.model_fo_term_list_field
        ->
        (true /\
           (forall y:int.
              (is_fo_term_free_var_in_fo_term_list y
                 t.model_fo_term_list_field /\
                 is_fo_term_free_var_in_fo_term x2
                   (eval ((subst_id_fo_term: (int) -> (fo_term (int) (int))))
                      y))
              -> x2 = y && (x2) <
              (res.nlfree_var_fo_term_set_abstraction_fo_term_list_field)))
        && (x2) < (res.nlfree_var_fo_term_set_abstraction_fo_term_list_field)
      } ;
    res

  let nlsubst_fo_term_in_fo_term_list (t:nlimpl_fo_term_list) (x:int)
    (u:nlimpl_fo_term) : nlimpl_fo_term_list
    requires { nlimpl_fo_term_list_ok t } requires { nlimpl_fo_term_ok u }
    ensures { nlimpl_fo_term_list_ok result }
    ensures { result.model_fo_term_list_field =
      subst_fo_term_list t.model_fo_term_list_field
        (subst_id_symbol: (int) -> (symbol (int)))
        (update (subst_id_fo_term: (int) -> (fo_term (int) (int))) x
           u.model_fo_term_field)
      }
    =
    model_equal_fo_term_list t.nlrepr_fo_term_list_field
      (subst_compose_symbol subst_id_symbol
         ((subst_id_symbol: (int) -> (symbol (int)))))
      ((subst_id_symbol: (int) -> (symbol (int))))
      (subst_compose_symbol (const (Var_symbol (-1)))
         ((subst_id_symbol: (int) -> (symbol (int)))))
      ((const (Var_symbol (-1))))
      (subst_compose_fo_term subst_id_fo_term
         ((subst_id_symbol: (int) -> (symbol (int))))
         ((update (subst_id_fo_term: (int) -> (fo_term (int) (int))) x
             u.model_fo_term_field)))
      ((update (subst_id_fo_term: (int) -> (fo_term (int) (int))) x
          u.model_fo_term_field))
      (subst_compose_fo_term (const (Var_fo_term (-1)))
         ((subst_id_symbol: (int) -> (symbol (int))))
         ((update (subst_id_fo_term: (int) -> (fo_term (int) (int))) x
             u.model_fo_term_field)))
      ((const (Var_fo_term (-1))));
    let res =
      {
        nlrepr_fo_term_list_field =
          subst_base_fo_term_in_fo_term_list t.nlrepr_fo_term_list_field x
            u.nlrepr_fo_term_field (subst_id_symbol)
            ((const (Var_symbol (-1)))) (subst_id_fo_term)
            ((const (Var_fo_term (-1)))) ((const (Var_symbol (-1))))
            ((const (Var_fo_term (-1)))) ;
        nlfree_var_symbol_set_abstraction_fo_term_list_field =
          (let aux (a:int) (b:int) : int
             ensures { result >= a /\ result >= b } = if a < b then b else a
             in
             aux (t.nlfree_var_symbol_set_abstraction_fo_term_list_field)
               (u.nlfree_var_symbol_set_abstraction_fo_term_field)) ;
        nlfree_var_fo_term_set_abstraction_fo_term_list_field =
          (let aux (a:int) (b:int) : int
             ensures { result >= a /\ result >= b } = if a < b then b else a
             in
             aux (t.nlfree_var_fo_term_set_abstraction_fo_term_list_field)
               (u.nlfree_var_fo_term_set_abstraction_fo_term_field)) ;
        model_fo_term_list_field = ghost
          subst_fo_term_list t.model_fo_term_list_field
            (subst_id_symbol: (int) -> (symbol (int)))
            (update (subst_id_fo_term: (int) -> (fo_term (int) (int))) x
               u.model_fo_term_field) ;
      }
    in
    assert {
      forall x2:int.
        is_symbol_free_var_in_fo_term_list x2 res.model_fo_term_list_field ->
        (true /\
           (forall y:int.
              (is_symbol_free_var_in_fo_term_list y
                 t.model_fo_term_list_field /\
                 is_symbol_free_var_in_symbol x2
                   (eval ((subst_id_symbol: (int) -> (symbol (int)))) y))
              -> x2 = y && (x2) <
              (res.nlfree_var_symbol_set_abstraction_fo_term_list_field))
           /\
           (forall y:int.
              (is_fo_term_free_var_in_fo_term_list y
                 t.model_fo_term_list_field /\
                 is_symbol_free_var_in_fo_term x2
                   (eval
                      ((update
                          (subst_id_fo_term: (int) -> (fo_term (int) (int)))
                          x u.model_fo_term_field))
                      y))
              ->
              ((x = y -> (x2) <
                  (res.nlfree_var_symbol_set_abstraction_fo_term_list_field))
                 /\ (x <> y -> false)) && (x2) <
                 (res.nlfree_var_symbol_set_abstraction_fo_term_list_field)))
        && (x2) < (res.nlfree_var_symbol_set_abstraction_fo_term_list_field)
      } ;
    assert {
      forall x2:int.
        is_fo_term_free_var_in_fo_term_list x2 res.model_fo_term_list_field
        ->
        (true /\
           (forall y:int.
              (is_fo_term_free_var_in_fo_term_list y
                 t.model_fo_term_list_field /\
                 is_fo_term_free_var_in_fo_term x2
                   (eval
                      ((update
                          (subst_id_fo_term: (int) -> (fo_term (int) (int)))
                          x u.model_fo_term_field))
                      y))
              ->
              ((x = y -> (x2) <
                  (res.nlfree_var_fo_term_set_abstraction_fo_term_list_field))
                 /\
                 (x <> y -> x2 = y && (x2) <
                    (res.nlfree_var_fo_term_set_abstraction_fo_term_list_field)))
                 && (x2) <
                 (res.nlfree_var_fo_term_set_abstraction_fo_term_list_field)))
        && (x2) < (res.nlfree_var_fo_term_set_abstraction_fo_term_list_field)
      } ;
    res

  let nlsubst_symbol_in_fo_term (t:nlimpl_fo_term) (x:int)
    (u:nlimpl_symbol) : nlimpl_fo_term requires { nlimpl_fo_term_ok t }
    requires { nlimpl_symbol_ok u } ensures { nlimpl_fo_term_ok result }
    ensures { result.model_fo_term_field =
      subst_fo_term t.model_fo_term_field
        (update (subst_id_symbol: (int) -> (symbol (int))) x
           u.model_symbol_field)
        (subst_id_fo_term: (int) -> (fo_term (int) (int)))
      }
    =
    model_equal_fo_term t.nlrepr_fo_term_field
      (subst_compose_symbol subst_id_symbol
         ((update (subst_id_symbol: (int) -> (symbol (int))) x
             u.model_symbol_field)))
      ((update (subst_id_symbol: (int) -> (symbol (int))) x
          u.model_symbol_field))
      (subst_compose_symbol (const (Var_symbol (-1)))
         ((update (subst_id_symbol: (int) -> (symbol (int))) x
             u.model_symbol_field)))
      ((const (Var_symbol (-1))))
      (subst_compose_fo_term subst_id_fo_term
         ((update (subst_id_symbol: (int) -> (symbol (int))) x
             u.model_symbol_field))
         ((subst_id_fo_term: (int) -> (fo_term (int) (int)))))
      ((subst_id_fo_term: (int) -> (fo_term (int) (int))))
      (subst_compose_fo_term (const (Var_fo_term (-1)))
         ((update (subst_id_symbol: (int) -> (symbol (int))) x
             u.model_symbol_field))
         ((subst_id_fo_term: (int) -> (fo_term (int) (int)))))
      ((const (Var_fo_term (-1))));
    let res =
      {
        nlrepr_fo_term_field =
          subst_base_symbol_in_fo_term t.nlrepr_fo_term_field x
            u.nlrepr_symbol_field (subst_id_symbol)
            ((const (Var_symbol (-1)))) (subst_id_fo_term)
            ((const (Var_fo_term (-1)))) ((const (Var_symbol (-1)))) ;
        nlfree_var_symbol_set_abstraction_fo_term_field =
          (let aux (a:int) (b:int) : int
             ensures { result >= a /\ result >= b } = if a < b then b else a
             in
             aux (t.nlfree_var_symbol_set_abstraction_fo_term_field)
               (u.nlfree_var_symbol_set_abstraction_symbol_field)) ;
        nlfree_var_fo_term_set_abstraction_fo_term_field =
          t.nlfree_var_fo_term_set_abstraction_fo_term_field ;
        model_fo_term_field = ghost
          subst_fo_term t.model_fo_term_field
            (update (subst_id_symbol: (int) -> (symbol (int))) x
               u.model_symbol_field)
            (subst_id_fo_term: (int) -> (fo_term (int) (int))) ;
      }
    in
    assert {
      forall x2:int. is_symbol_free_var_in_fo_term x2 res.model_fo_term_field
        ->
        (true /\
           (forall y:int.
              (is_symbol_free_var_in_fo_term y t.model_fo_term_field /\
                 is_symbol_free_var_in_symbol x2
                   (eval
                      ((update (subst_id_symbol: (int) -> (symbol (int))) x
                          u.model_symbol_field))
                      y))
              ->
              ((x = y -> (x2) <
                  (res.nlfree_var_symbol_set_abstraction_fo_term_field))
                 /\
                 (x <> y -> x2 = y && (x2) <
                    (res.nlfree_var_symbol_set_abstraction_fo_term_field)))
                 && (x2) <
                 (res.nlfree_var_symbol_set_abstraction_fo_term_field))
           /\
           (forall y:int.
              (is_fo_term_free_var_in_fo_term y t.model_fo_term_field /\
                 is_symbol_free_var_in_fo_term x2
                   (eval ((subst_id_fo_term: (int) -> (fo_term (int) (int))))
                      y))
              -> false))
        && (x2) < (res.nlfree_var_symbol_set_abstraction_fo_term_field)
      } ;
    assert {
      forall x2:int.
        is_fo_term_free_var_in_fo_term x2 res.model_fo_term_field ->
        (true /\
           (forall y:int.
              (is_fo_term_free_var_in_fo_term y t.model_fo_term_field /\
                 is_fo_term_free_var_in_fo_term x2
                   (eval ((subst_id_fo_term: (int) -> (fo_term (int) (int))))
                      y))
              -> x2 = y && (x2) <
              (res.nlfree_var_fo_term_set_abstraction_fo_term_field)))
        && (x2) < (res.nlfree_var_fo_term_set_abstraction_fo_term_field)
      } ;
    res

  let nlsubst_fo_term_in_fo_term (t:nlimpl_fo_term) (x:int)
    (u:nlimpl_fo_term) : nlimpl_fo_term requires { nlimpl_fo_term_ok t }
    requires { nlimpl_fo_term_ok u } ensures { nlimpl_fo_term_ok result }
    ensures { result.model_fo_term_field =
      subst_fo_term t.model_fo_term_field
        (subst_id_symbol: (int) -> (symbol (int)))
        (update (subst_id_fo_term: (int) -> (fo_term (int) (int))) x
           u.model_fo_term_field)
      }
    =
    model_equal_fo_term t.nlrepr_fo_term_field
      (subst_compose_symbol subst_id_symbol
         ((subst_id_symbol: (int) -> (symbol (int)))))
      ((subst_id_symbol: (int) -> (symbol (int))))
      (subst_compose_symbol (const (Var_symbol (-1)))
         ((subst_id_symbol: (int) -> (symbol (int)))))
      ((const (Var_symbol (-1))))
      (subst_compose_fo_term subst_id_fo_term
         ((subst_id_symbol: (int) -> (symbol (int))))
         ((update (subst_id_fo_term: (int) -> (fo_term (int) (int))) x
             u.model_fo_term_field)))
      ((update (subst_id_fo_term: (int) -> (fo_term (int) (int))) x
          u.model_fo_term_field))
      (subst_compose_fo_term (const (Var_fo_term (-1)))
         ((subst_id_symbol: (int) -> (symbol (int))))
         ((update (subst_id_fo_term: (int) -> (fo_term (int) (int))) x
             u.model_fo_term_field)))
      ((const (Var_fo_term (-1))));
    let res =
      {
        nlrepr_fo_term_field =
          subst_base_fo_term_in_fo_term t.nlrepr_fo_term_field x
            u.nlrepr_fo_term_field (subst_id_symbol)
            ((const (Var_symbol (-1)))) (subst_id_fo_term)
            ((const (Var_fo_term (-1)))) ((const (Var_symbol (-1))))
            ((const (Var_fo_term (-1)))) ;
        nlfree_var_symbol_set_abstraction_fo_term_field =
          (let aux (a:int) (b:int) : int
             ensures { result >= a /\ result >= b } = if a < b then b else a
             in
             aux (t.nlfree_var_symbol_set_abstraction_fo_term_field)
               (u.nlfree_var_symbol_set_abstraction_fo_term_field)) ;
        nlfree_var_fo_term_set_abstraction_fo_term_field =
          (let aux (a:int) (b:int) : int
             ensures { result >= a /\ result >= b } = if a < b then b else a
             in
             aux (t.nlfree_var_fo_term_set_abstraction_fo_term_field)
               (u.nlfree_var_fo_term_set_abstraction_fo_term_field)) ;
        model_fo_term_field = ghost
          subst_fo_term t.model_fo_term_field
            (subst_id_symbol: (int) -> (symbol (int)))
            (update (subst_id_fo_term: (int) -> (fo_term (int) (int))) x
               u.model_fo_term_field) ;
      }
    in
    assert {
      forall x2:int. is_symbol_free_var_in_fo_term x2 res.model_fo_term_field
        ->
        (true /\
           (forall y:int.
              (is_symbol_free_var_in_fo_term y t.model_fo_term_field /\
                 is_symbol_free_var_in_symbol x2
                   (eval ((subst_id_symbol: (int) -> (symbol (int)))) y))
              -> x2 = y && (x2) <
              (res.nlfree_var_symbol_set_abstraction_fo_term_field))
           /\
           (forall y:int.
              (is_fo_term_free_var_in_fo_term y t.model_fo_term_field /\
                 is_symbol_free_var_in_fo_term x2
                   (eval
                      ((update
                          (subst_id_fo_term: (int) -> (fo_term (int) (int)))
                          x u.model_fo_term_field))
                      y))
              ->
              ((x = y -> (x2) <
                  (res.nlfree_var_symbol_set_abstraction_fo_term_field))
                 /\ (x <> y -> false)) && (x2) <
                 (res.nlfree_var_symbol_set_abstraction_fo_term_field)))
        && (x2) < (res.nlfree_var_symbol_set_abstraction_fo_term_field)
      } ;
    assert {
      forall x2:int.
        is_fo_term_free_var_in_fo_term x2 res.model_fo_term_field ->
        (true /\
           (forall y:int.
              (is_fo_term_free_var_in_fo_term y t.model_fo_term_field /\
                 is_fo_term_free_var_in_fo_term x2
                   (eval
                      ((update
                          (subst_id_fo_term: (int) -> (fo_term (int) (int)))
                          x u.model_fo_term_field))
                      y))
              ->
              ((x = y -> (x2) <
                  (res.nlfree_var_fo_term_set_abstraction_fo_term_field))
                 /\
                 (x <> y -> x2 = y && (x2) <
                    (res.nlfree_var_fo_term_set_abstraction_fo_term_field)))
                 && (x2) <
                 (res.nlfree_var_fo_term_set_abstraction_fo_term_field)))
        && (x2) < (res.nlfree_var_fo_term_set_abstraction_fo_term_field)
      } ;
    res


end
why3-1.6.0/examples/prover/Firstorder_term_impl/000077500000000000000000000000001440160026300217325ustar00rootroot00000000000000why3-1.6.0/examples/prover/Firstorder_term_impl/why3session.xml000066400000000000000000002371371440160026300247670ustar00rootroot00000000000000










 
 
 
 
 
 
 
 
 
 
 
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
 
 
 
 
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
 
 
 
 
 
 
 
 
 
 
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
 
 
 
 
 
 
 
 
 
 
 
 
 
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
 
 
 
 
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
 
 


 
 
 
 
 
 
 
 
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
 
 
 
 
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
 
 
 
 
 
 
 
 
 
 
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
 
 
 
 
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
 
 
 
 
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
 
 
 
 
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
 
 
 
 
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
 
 
 
 
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
 
 
 
 
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
 
 
 
 
  
  
  
  
  
  
  
  
  
  
  
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
 
 
 
 
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
 
 
 
 
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
 
 
 
 
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
  
  
  
  
   
   
   
   
   
   
   
   
   
  
  
  
  
   
   
   
  
  
  
  
  
 
 
 
 
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
   
   
   
   
   
   
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
  
  
  
  
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
  
  
  
  
   
   
   
  
  
  
  
  
 
 
 
 
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
  
  
  
  
   
   
   
   
   
   
   
   
   
   
   
   
  
  
  
  
   
   
   
  
  
  
  
  
 
 
 
 
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
   
   
   
   
   
   
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
  
  
  
  
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
  
  
  
  
   
   
   
  
  
  
  
  
 
 



why3-1.6.0/examples/prover/Firstorder_term_impl/why3shapes.gz000066400000000000000000000650431440160026300244020ustar00rootroot00000000000000[HBoejtN% TͨZI՘OF'F #/Rf5P't7_ۿWt{?Ǧkӷ}V4կ~{_?~*RHv+s_~1wcx֚jjBm+r26__yO;ݶׯ~ϻ
g^DBu}-U^ՌG]9VUy]woէۿ׻Vvw嫿mUЖvշ/wACV~Uo[F'2ӃR)_>]ywrSfk{P}ij]W Ӎj gHltى^le&&+~Ro}32&_&Q2R'vu?P}qJUy{nK7m|oݼӋ-4R[~>g/CёiOP9tJ'3i>Жe8yyt	۩U߾u_IY|)R22<2_2}cdI$QzSV^V^V5Iʫ+/y<:ãy왢IiSe^I^tᵏ^Iy"UE"?xҗ?4RjOnn@7zgqaMJj3/."c1O̧<{7	Ypd1ޮoR3m_^mQ8uh6IjDD͗an1gz^QRٗz`iiI'Kѳ@ϩlV8TYv8my0WyWTSW!	YDd:zHIv >1jwMngˤK+ԫ=k+O@j}Qj@ERRz9I촴g6jKrwZW͗_o?uNC
%p[.Shd>E$BQ7dÊGLO#VQ@GY ϿN+q|F1rE
:ˇT~(aN(rkB?-IFF%29	0$'9fF$Y;k'cI7+vE?{0/7TP ^lt|GGh~yʊ
{>!珛79n[W]b]a|Bz
чJmilҬq⥝gȢ	[it[*LCCM___!:*K]yw_myoTEU+	ʱXdY|N(zakX z= OA95Gw?e?Z8ϳ,\Y,nYCN(qkXcuh{jRd=<	|a04$Jrs($7$ЗP}QF2@WJߓ@WT&Y!
1HeVkH	/	A%$Eʋ]2H:!!zRXJyST(NF#`􈀂.#@`Ff5P{fYp,p4$8wrȀ9X|j,fK&+=Àa0q_'LҢ_N!PÕ\FRb,v9{;b2><ͥV?VgvQVL>ޤ	xAX+h)VJ7|@_Ɲgue62vX`ϬjZbûLghE9uLVJRsE[Z<,mLâ
;[1oU b\"U bV[ǝ
:-JUXXګuJ+99{;ۙ7
hbx>'ŏ~4+
MFYMpC{xCRŜ+Vli4cayd؜ҸQi_ݯجKn=kkkjI4[8ךd𺤊k
M-"3K9gU1Fiɯ㴿mfdd:b}+-+-+KR<Vn!24fLi	Ţ5ϩf^6XV%wsf	XIcLifI}UkT}~HHȟO6jQR|tNAҿW~9\.--xo%Kt﵎i*?狓zgUBv[Xz%?hJIV+k6YlbYWUe:9-t>|@w+:rK#cKL(D4N1_XY=MZ>(ѢOggPCUh7)a8,×yC|s[HeKT/|DzńTZ	tCQcϕN$?9ivqQ	`PSڡy!YPny#0QdDuGhNqbˉ@,jn*"DAP&Tz $y%>T3NC7)Y}ZT7%~ƔŜN{/O'_(W{[eͶl#ܿFzLrq?]Okk$W!vO,/EEmglE~=~m޶^$L$KVWТϢ;߼q
=^=pNg/<`g!}j_ػ?lShT;s32d'h6e~	'>ȸ0 2To;kPanfƵ1cUH_qha9<(yPwGFe!tf㒑*,*+OlWWvW_aFX	w--.ru|eZT
KW-P>"`i1a,eiMw?wD`>.`80UWJߖ&LɋIn'\qzq=A y y۸)uژL&%Xvu&mZ?"9}gdhAZaXu;
uTfb*
9! \)71+pAGfRmAw!IѠF)ٹ|]
/
DKs/Dw¥
LYؐ=b&H&	IRHrf!-_fmY,y,yJ6l`0$rb߰wj
JN{Gba/IY0
ٜnSi'dszVŭ#~ݭ[m3ʦ-)ӳ2o$j+IMz&XU'8=eHaO[qu"4#tnr>E!c:1aMW$G3#AQ(Kr\HI'JĨ30٤Qn
-c<6㈢72mh1%nVX&/e)2T 1b+3LL䎄,]|/-/MJsV̠I9aT.BM-xp
W1Xo!-)…|KNyG4aϾcO얥n]k@lK_~?^w|=er}RĔ6Y͎2-oR~ӣe+FLM,ő%֡!7ِwD|{ڿ[P=q{-E(w.ŠؿS\Ԫ|!fU]SE(>`ÂzP6Wb*tÓE/֜7pqJjKҥ@ƍ{f3qXucF#ZAӁptxQAs99QwCvI'VNE``00x^vl+la0[^[r	Pi
f4\w3STyTyKιR*Kc`02`E>S.)gǢje)&dSKPbȘ
G]uL-lChh7:h}۫j͊Llٸv4Ǚo=7󲏛(\m35ظ
X'`jj[x`<0ng˴`v0;6 ``00rp}ζJqò;QհBeSuo-0߽Aew1,6fN-Ǵn錙ZܞKnȺW[:{;y-d
G[lOv3`GEtg`йn0mbZ0-WHU#qH6
ӄi4yE4ى/jj 9Üat<Vm\C,㹌[LSLyy/n?jͶ7~}\d|m\6=6{mAv
1e{L}K.O?tOOX,M/\~;,,bucu{}tzԔ(mÏo[nC֞׫=ܯ:/DVV[s3$XЯOp=Âau>F
=:ZPrS_P"CV)f2f%@4Z"aeTrSڒqjMֶ(iPމXYY_n?fpg>0ć`V0+w݇ut;mѹm)[Ӯv]sl{a/I_G5vVj^p"Ul7y^*t~uaߏ0fyopőS.mDC;戈BGD,ukCn+p)-FD˪D}
Jpa0\^\2{G+35t)>J:yüa$<3.zj,``ˑ^u%9؇8~=ޟ}>ӟn>aʷL>@^W/LSJÉ?aVFmgnʿ۪@?*	^azER׼ӽx/s+e̊,/yrx5-JiN;>B5Ek빷2՞fQm>z馅|5+HZxfpl8vP`f03^93/EV_w/K??
9JC(퇓C(ʏgP~/םU3б=I9{Sc6GeŊ{\N	HG1~Y=)e7K:ۯEw|&	өOWyggl&_`gsrJηQwWqhC5Cf|<̳u4.rTqfRoʧ
]fbWyg#p0y0N201]*߿8¹4s\OuX=,*
˯MF7=?,^8/9?9%YlyK&5WIU+*r	qJpn}
![ha(W3?}rÅ|XrVM@y!]INՍ𢡊Ӫ]?!m!q,`K߈F&N~mg߾qh:ӏUf'E]LG(-[{}Kx'}?
hӔሕޥyqqkpObs8\Ԃ[{zI2wѧw(jFOz
EIơɶoPN5a>'gw'5},XuoiT褡L?[<kjTxGq9pOS><٧xhgI 4.#1fi{_c7g9<-\é
ٌZف|NR]~`<~dzkmbG<-`F#vrKN/{Nx=C!Zvs`Hii+Νɱ˨mp Yh.DT_!
d	d	%ՇG!S!V"Y.y7ߌ,*[/7;
t,d٤QꆠcL
&-`XnLV:Ր>gwv.}9㱨'gcMLgYMb=ٮ'pD&;|l-MPL=^5k&N7-t#d9;ሢDtSKR2p{{7}ѰIOwr\BUXЗ=6Ky-'dA09~z4xydg驳]?\cJ	=O^Ã;tOr2:dq)2=r@'۵''5zV؝#S/>vtиS2eKbtg&	OA&z33znԟLfx]_~a_S`Εswx;C6L͏?H1`4}5C>s&(fʙ`(!R}qY+
a]ʖaϖ}G.rk6v-Gͅ]f;=/Gqrtoe:BF͡`if𳎄!b}I?z=6.;La;2DyRl1a>36<
q8`42?/%@ߘf@&tv뇴}4
i/mp+,q
J


cƖYOю]\Jn	.muϰt#]uy7/Dд{Àap0[`|N,f$p_{da<YsL&͑`7? bL0&׋yЖRIrvK~xw֤fi$}:H_,B(ֹS2n֙u鼐2(CPEO]?ea!U:pX;<ŕkqDi/t:˞va^ekM+fwCCuMǭ<wsX5N1pzS7ÁppC`vC!ZvY(a`we]6dݦƭv]{U@w
d49CG\\7:2<߆wPըQ2~e/z%2Nnty,)RcfV.Ei0F#lM4vϤNqgR<)(|`FAjk*2AaT1^V

BsfƵ0eLw_2̭E=?˭}֞*[-zZ72p#`b01/~\`IhbCSŮE>Kz{֞:@Vi5ƃ?̊?v/|p|ؚ}D_FRn}[Fn.
B"Yk~ت&t݄^M)
f;]i
e2[yA/tydJMxA1TнҠP2Z5hI$` 	t|?'IbFXO$aȹ=I,)I59wv*o"$	`B0!(3
c!߽G$'9d,6)dÚBB.p/re5|
sƿk_~NM:Ӊ?u
w+K?~·KW)ĹhBhtbFѱka2exݽ\+x_{ww/|/zœ4#lG|=NI5%_>>ohcK>tZ2줠!A,T,T3=c!15P+aKDuae}{.G$`l\yt~BQ
3n7ǞH8yɢ8a,xGM4g?ыqMM̦Ȧ>`nn\~&ʣX+{S/@IN9]쳒S#ƙSĩHƭ?/I"c^rzo_VJgU]r fs0άէIXv
tC砦:]v5)1䃨|85Ux5U|9]*fjZ=CP9(̏uh`40
)0qkI_j3{F1jj-h=r{R3Zn
Zn+j_0PpI͞Ny gGE'zRCBwYdG|ӃDg	1 kDᴡcpƲ19cV$54Yјqq>_ʇGnhul)ͤ)V߻ϒNesT)_:.-Tq-f#iGʔ9LihDfBJkB&܌ָf+CbiM3Rאt̑.P*uӢ;`=IlQ+ϩ\Wv=+++3(]ܳ>F铻Xƿ~ؐ<X>}gvkE05vYU4O()bq1/Ԁ"[,1DztÀa``=D/	WFL?d+hݢiph(5+6NG>
'ʅKΛ<[srcul`60n
4wY5byyA-n RmW-	[4wt2UúhƸq*+uGRJTTt~v74WwʩZ*hN3k;M}Ao2ۄ#4`0
n8.jp7	ĕsb†IgN`ee}9&~ptQpEN59%)Q㔨uN::ߙm̶aێw	s9Q4HGDjQJ^L0>Q/MMpS3~f7n 7p"5`p@KA(`+>	A*' r;YR4Rɭz t+#.hԮ&oC +'@b)5؋B3 ^> h\Ъ	LfZub1^~!T!wL&b̡S"G(T`B_jݘ
Lvm]u6Z:>2ªtpJnf>!?3  OףLR3j|`}ms.Itيlge}527jZ2z?8/Vsϊpӊpvp˚šš2dS>'xotH=AF͚Čn	ʤC7q>F)Ih7hhR)0QҳVVV(#ӳ9dcagJBЧ υHnm_F{aW;ލ]1x!Nk:u٥Z铙s3Oӱ}w2A/E<}wARAqx=rC01Lk#FӻΈ`t0:	F):2_~hFgcWՓjQ'XULkQTfq7/ŲOy~0̇;0&1S0/'1FLD1u\\s&%)VJ[<#^bxĄqc*1Ś)E&iRWܔ|I(
b衢T?LeJUflҹ.+1ןkB&\m]𐜡=muCǫ	Cwgpag5O
2o"?G2?!?n/!::tMTJh=+++S)mS[(O鈢(aE㷧Gl=>~L3-iE>kHmh\kp
tw3uI?kGl\M/f%'mC(6\m6ZxD9ldCnea1^'0/:9`N\'ΞBTF#qӃi{J5t9#|sBGUvƸHؐvi,¦E(_&c~՚U1V]T*2_!`Ӏi4pSJWH̡s9qm2lry?k,k,k{Oq⁜l<@YH>zCP`(t&{SI`uFkbZyF#t	]jBאhgڣkmѵ
lt)F׭kJ?hL&MㇻK;)y>C!M g4wSbZoq(swxpn6-jS6vӈy.Ry4 hg^$.sg4L&'#@.q6G;&usq/o/_|:}10mͤ[_nLiTC6l 9AsH*,P>3S)+*z̯3LI3j|`֜}m.o΁8Q,,/WHS.A6mQ43P6GY
%YY֟ʢ]YYoFK.o&RgW;|!
$_gxGQ0cҡ҆L}:iHvA[rgM*(#%Jbbzj:yV9V9Va):[3V-V'T-kVMT:؀>5aw~Av8[.BO4k囤=sN?ˑKɏ9]jCyz)KrO_cV2Hd$$$%g80/g/س wzIRd 0Ìqqh3)Nys
sn9yjnyt9A)g"0L#";`k;_-=wsF#0dl~]:ш*ПbĎpl8wJ>x3aDb"\"mj `0nǘȟ٘x:}7^}|"jj}՞91SZ_6+#5L&Hp@w(0
ʆ^9֝~4`0
/;|F#pCX:RHe>L'
v?
̑5ُ$'8#8wKh^񇚌pO,$a8\8d1kGnPO/c0j5?5?	Ǚ"	M|dkkMt:Y>&1HnjYض׺qA7:4}-	SjZ{ciބ{oߛMչt)-k2zmu6]cho|/Ůxcu+bcuD>P
ukFo~/wllJ([h8(l͛އev΁@c]s0Ct2Nh72%(;#
 2 LC{zmӵPj)45Zirj~YD%u;p,_
Ԣk9UxA&l6aDue"@5,9r
 yp$'#ep0e:TmO:6{v:,Ca
?8jz|
Im
to'R	/v0A	}B
kTOVgj
נ(އgHZ,|!@>E04wj|sdPub'z@ԦD!Bߴ0UV-m!z(0v`+
1bf{2Qa, ~y(F5^!D80ETmK
E9%;R1z(\"0`x_7j mX1>B{{;Deu@]Ġ1n:	BãuC(ɇh#h8IA-U)'Bq(uɳXr156IU΅_]AU%eFTU4@!Ąfn(Wo϶c)hhxVqm`pàTI!DG}AAAQjz˥%FZA90A`l,%MD[Ѐ֝
M!F6zHdG-^Dնa bI x0P"F6.R9r51J|Gt/BToTD,
TڀVVm`
]O߁yjlj9&"COlhfoQ"&v(9U:8GF٨0qo(5l@c<^E	,HQvB(EߵњҰwB/ېʹ
 0B
ToKBt4EdAhz`Z"
ZT.n~1HA2߫FPUiL":Dۍb65"DIPCt"th\GAiX>@ӣB):A@	rz\5Lzĸx_TEqȺq@r[RZrvcT5QkJxv8GX?	qɃ o<,X*72l+!wdeb:rjSJT^	TmdB
|8EFW6k}Ѝ}ش
4Lx)BpC$j?FBNAAnK\K(gRyaPrVp!NBO

<M&JFVzS9aB6$Զ1080\zA:0A;d
1@:ѕCAhBLhu#`כET
-=OUgk 

Wڦr|	ۂ^K63bog@A@?v8
IFz0V
	4^u^p&@[Dkе=4Iʁ!
dװ٦T
PΡuM-8Gt,I7.s`p=Ex^h	L2HDG^|_R
JF	aYpR9XaTFAu	0\(O"DP	x`T.$_ifG4!*]S_CCT2ʥrEhi
(aFP+@]rO":Dr|$SxdžM@C]kft@3évUC@A%`uSdiDph[M=C+Wp]Ʃ4!AaFZWײhk덭+Kt PEolT^M`F2֐@ѱ6}Qc4cA|V!
WTKBBL4kAV5,b)x?	j`# *u
4oC#bhD8CQX 

:14+${`T[0O
BMpec8^Ii	3WEvj/,(h8
ƴl^pdYԈnaa۞%\qR)jGU7N&ɶʩ%G	}x),TcW.9m N.Ra0Np7=FšU`F*
"\HPXW5UҴSgƾoT
4ݮ0#p@"|$C7GAqQci]#1WpS9>4mj= L%ALz"b!P.v'!/19bj47.QspVɄ`=TBa|wD(GfnniQ5J"(S5NH3
ᨁ{Ba$HQB:?&6-b(@[B@#Nh--rn"D|

Po҄(Q.i$I*ںu=
BdgZut=!aWVJ~bNWbn99H	ɂ=^ĘN(MCW8.Lo~8{yOf,ޘxhjT1BT
 PC贒m@+A6=p]7-UTqDB"0YG!mN[j#MzG@8AT"ua<""@9+RjYHRAxgS\CLC~nR9lZGV= -ܢ7^a'T:F-Br86f$4ZҤt!>4ڭۊV$rPPݢ%DLX#ZD=v4&15 vA<ժ"A`rr6@8( <}"Mm;{"L.+: LεÙTG5-*S9hX $\q)6BH
P!Ԡ}<,|h^)'X"
] H{phnINu>S9zD"@9읤TEתiˡxy40|
锄tdZMX{[D#j۪S9'Y:#"	B[tYP
Տ0D)h*)U)$1'«ZRʁ
C#5P0A#4:'i@>SCJ[Kѹ0Xiu1Tp9 )xI5wF|aQʤu>4AU
[O$w~@A7DL3]T.bEp!]~j!`43 \@*U=_҄QQ/fͿB2b[h0x>6j>x"΂?SBFTz
-"CO>{D4xȼA#ڙT @RpE%Щ.LsLAG	=ѤҽB<"w4hG2hz"^'IEy0. Gȍ
w00R1	>\
t0K)4mLHh4&IidGh$H$
0rVkQ4@OBrjAtM~7	L;TFO`<{74C3̰iTM+h8?@Uo0G+[],aLQAЈ>p!ELjxp& ѧc]Ct‡[uT>704-Z!@,==1I)E@cZ:		rAG	A%N%Bv/Ec9#EZh!-
z"~BrzS0Qj dPaxѩ- 1F@pU(x=QOG\J뾣yit	lr

]w#єu*7DZw(=lMGaH<6=R4MCCEFrĂ!VjYD$OQԷXn8|]dꄦV<@"ٖ:Mw7hZP74,Cց!b4
S!o{u@3	C9ZA:6=m׈*HILBa:=E%BOqB
']M;N7Dhdv
EP)xfDlψ?9W5
\ÐધrbBrL /vOt]Ds5brV
v Lp,0i	Q
!$7yj=Mczx)7(XA!DaOZ"}	P`;Љi}*7ld
h>k
j¥mR94w W»T0N&ZzZ&S~JEϥA0EkR9Wwj+[υ?@$ +T;{pJ>Q0h
/Y[&
P9Jo?{aVP5Mc;rr=!ia%0Kץrnp!I?sһG82!~x4ˮ;_krܐqрё6r@_ZƷ0^0ud)
Ak|f͸jGC:ZZT\"M3mh]3;x.@{{MȀ.K;%+#D5T`MZrnC[iQ
]h
Y7AFDCOQlXDJC'W4p:tb`%Z݉D=?u8Ohx
%.
6ݐ҃05<K}Hz 
DhĦC
B>4D2	Yd+HѪ	G'`G	7Cehɮ԰&|5U0#Id19jp[麁c]Ma0Z\b=gbS;Z:mA!Me$tQSuPԵx[4P;O0L?\u
iQ't uhZ756yRe^X4#ހa4N	tc]>p*Z@v|.ك)K)4:gS L5`D4R4~7]XnL[J;M6'{x45-W*E+5O[.xph|["	S2-h2C6j)m=L{«1a:ؐB=?+Pa0<0ڇDAAQXv5`G3@Ʀb-"Bn\:T+ڡy`#?TooeYw Qnri.2FERZD9*X?;,©t4\8NL:'3	\øO-'dyظ֐A4Dj q
<-`"VQV$
oKPT)[qBВDzC@/OT.nPfPd@U"Ol(>(Zc
o&`S9q
i"AQf!?S9QBk4 4J+zOΦ-#3G{@F詜XG.{iV@|(.XOilɅT(={	>cSpKoS9AaUh괐%.grK-^YU& let s = one_nat in s
      | FOCons v0 v1 ->
        let s = one_nat in let s = add_nat (nat_size_fo_term_list v1) s in
          let s = add_nat (nat_size_fo_term v0) s in s
    end

  with nat_size_fo_term (t:fo_term 'b0 'b3) : nat =
    match t with | Var_fo_term v0 -> one_nat
      | App v0 v1 ->
        let s = one_nat in let s = add_nat (nat_size_fo_term_list v1) s in
          let s = add_nat (nat_size_symbol v0) s in s
    end

  with size_fo_term_list (t:fo_term_list 'b0 'b3) : int =
    match t with | FONil -> let s = 1 in s
      | FOCons v0 v1 ->
        let s = 1 in let s = size_fo_term_list v1 + s in
          let s = size_fo_term v0 + s in s
    end

  with size_fo_term (t:fo_term 'b0 'b3) : int =
    match t with | Var_fo_term v0 -> 1
      | App v0 v1 ->
        let s = 1 in let s = size_fo_term_list v1 + s in
          let s = size_symbol v0 + s in s
    end

  let rec lemma size_positive_lemma_fo_term_list (t:fo_term_list 'b0 'b3) :
    unit ensures { size_fo_term_list t > 0 }
    variant { nat_to_int (nat_size_fo_term_list t) } =
    match t with | FONil -> ()
      | FOCons v0 v1 ->
        size_positive_lemma_fo_term v0 ;
          size_positive_lemma_fo_term_list v1 ; ()
    end

  with lemma size_positive_lemma_fo_term (t:fo_term 'b0 'b3) : unit
    ensures { size_fo_term t > 0 }
    variant { nat_to_int (nat_size_fo_term t) } =
    match t with | Var_fo_term v0 -> ()
      | App v0 v1 ->
        size_positive_lemma_symbol v0 ; size_positive_lemma_fo_term_list v1 ;
          ()
    end

  function rename_fo_term_list (t:fo_term_list 'b0 'b3) (s0:'b0 -> 'c0)
    (s3:'b3 -> 'c3) : fo_term_list 'c0 'c3 =
    match t with | FONil -> FONil
      | FOCons v0 v1 ->
        FOCons (rename_fo_term v0 s0 s3) (rename_fo_term_list v1 s0 s3)
    end

  with rename_fo_term (t:fo_term 'b0 'b3) (s0:'b0 -> 'c0) (s3:'b3 -> 'c3) :
    fo_term 'c0 'c3 =
    match t with | Var_fo_term v0 -> Var_fo_term (s3 v0)
      | App v0 v1 -> App (rename_symbol v0 s0) (rename_fo_term_list v1 s0 s3)
    end

  let rec lemma renaming_composition_lemma_fo_term_list
    (t:fo_term_list 'b0 'b3) (s10:'b0 -> 'c0) (s13:'b3 -> 'c3)
    (s20:'c0 -> 'd0) (s23:'c3 -> 'd3) : unit
    ensures { rename_fo_term_list (rename_fo_term_list t s10 s13) s20 s23 =
      rename_fo_term_list t (rcompose s10 s20) (rcompose s13 s23) }
    variant { size_fo_term_list t } =
    match t with | FONil -> ()
      | FOCons v0 v1 ->
        renaming_composition_lemma_fo_term v0 s10 s13 s20 s23 ;
          renaming_composition_lemma_fo_term_list v1 s10 s13 s20 s23 ; ()
    end

  with lemma renaming_composition_lemma_fo_term (t:fo_term 'b0 'b3)
    (s10:'b0 -> 'c0) (s13:'b3 -> 'c3) (s20:'c0 -> 'd0) (s23:'c3 -> 'd3) :
    unit
    ensures { rename_fo_term (rename_fo_term t s10 s13) s20 s23 =
      rename_fo_term t (rcompose s10 s20) (rcompose s13 s23) }
    variant { size_fo_term t } =
    match t with | Var_fo_term v0 -> ()
      | App v0 v1 ->
        renaming_composition_lemma_symbol v0 s10 s20 ;
          renaming_composition_lemma_fo_term_list v1 s10 s13 s20 s23 ; ()
    end

  let rec lemma renaming_identity_lemma_fo_term_list
    (t:fo_term_list 'b0 'b3) : unit
    ensures { rename_fo_term_list t identity identity = t }
    variant { size_fo_term_list t } =
    match t with | FONil -> ()
      | FOCons v0 v1 ->
        renaming_identity_lemma_fo_term v0 ;
          renaming_identity_lemma_fo_term_list v1 ; ()
    end

  with lemma renaming_identity_lemma_fo_term (t:fo_term 'b0 'b3) : unit
    ensures { rename_fo_term t identity identity = t }
    variant { size_fo_term t } =
    match t with | Var_fo_term v0 -> ()
      | App v0 v1 ->
        renaming_identity_lemma_symbol v0 ;
          renaming_identity_lemma_fo_term_list v1 ; ()
    end

  (* Abstraction definition axiom :
      function rename_subst_fo_term (s0:'b3 -> (fo_term 'c0 'c3))
        (s10:'c0 -> 'd0) (s13:'c3 -> 'd3) : 'b3 -> (fo_term 'd0 'd3) =
        (\ x:'b3.rename_fo_term (s0 x) s10 s13)
      *)
  function rename_subst_fo_term (s0:'b3 -> (fo_term 'c0 'c3))
    (s10:'c0 -> 'd0) (s13:'c3 -> 'd3) : 'b3 -> (fo_term 'd0 'd3)
  axiom rename_subst_fo_term_definition :
    forall s0:'b3 -> (fo_term 'c0 'c3), s10:'c0 -> 'd0, s13:'c3 -> 'd3, x:'b3.
    rename_subst_fo_term s0 s10 s13 x = rename_fo_term (s0 x) s10 s13

  let lemma associativity_subst_rename_rename_lemma_fo_term
    (s1:'b3 -> (fo_term 'c0 'c3)) (s20:'c0 -> 'd0) (s23:'c3 -> 'd3)
    (s30:'d0 -> 'e0) (s33:'d3 -> 'e3) : unit
    ensures { rename_subst_fo_term s1 (rcompose s20 s30) (rcompose s23 s33) =
      rename_subst_fo_term (rename_subst_fo_term s1 s20 s23) s30 s33 }
    =
    assert {
      extensionalEqual
        (rename_subst_fo_term s1 (rcompose s20 s30) (rcompose s23 s33))
        (rename_subst_fo_term (rename_subst_fo_term s1 s20 s23) s30 s33)
      }

  let lemma associativity_rename_subst_rename_lemma_fo_term (s1:'b3 -> 'c3)
    (s20:'c0 -> (symbol 'd0)) (s23:'c3 -> (fo_term 'd0 'd3)) (s30:'d0 -> 'e0)
    (s33:'d3 -> 'e3) : unit
    ensures { rcompose s1 (rename_subst_fo_term s23 s30 s33) =
      rename_subst_fo_term (rcompose s1 s23) s30 s33 }
    =
    assert {
      extensionalEqual (rcompose s1 (rename_subst_fo_term s23 s30 s33))
        (rename_subst_fo_term (rcompose s1 s23) s30 s33)
      }

  let lemma right_rename_subst_by_identity_lemma_fo_term
    (s0:'b3 -> (fo_term 'c0 'c3)) : unit
    ensures { rename_subst_fo_term s0 identity identity = s0 } =
    assert {
      extensionalEqual (rename_subst_fo_term s0 identity identity) (s0) }

  function olifts_fo_term (s:'b3 -> (fo_term 'c0 'c3)) :
    (option 'b3) -> (fo_term 'c0 (option 'c3)) =
    ocase (rename_subst_fo_term s identity some) (Var_fo_term None)

  let lemma olifts_composition_lemma_rename_subst_fo_term (s1:'b3 -> 'c3)
    (s23:'c3 -> (fo_term 'd0 'd3)) : unit
    ensures { (olifts_fo_term (rcompose s1 s23)) =
      rcompose (olift s1) (olifts_fo_term s23) }
    =
    assert {
      forall x:option 'b3.
        match x with | None ->
          eval ((olifts_fo_term (rcompose s1 s23))) x =
            eval (rcompose (olift s1) (olifts_fo_term s23)) x
          | Some y ->
          eval ((olifts_fo_term (rcompose s1 s23))) x =
            eval (rcompose s1 (rename_subst_fo_term s23 identity some)) y =
            eval ((rename_subst_fo_term (olifts_fo_term s23) identity
                    identity)) (rcompose s1 some y) =
            eval (rcompose (olift s1) (olifts_fo_term s23)) x
        end
      } ;
    assert {
      extensionalEqual ((olifts_fo_term (rcompose s1 s23)))
        (rcompose (olift s1) (olifts_fo_term s23))
      }

  let lemma olifts_composition_lemma_subst_rename_fo_term
    (s1:'b3 -> (fo_term 'c0 'c3)) (s20:'c0 -> 'd0) (s23:'c3 -> 'd3) : unit
    ensures { (olifts_fo_term (rename_subst_fo_term s1 s20 s23)) =
      rename_subst_fo_term (olifts_fo_term s1) s20 (olift s23) }
    =
    assert {
      forall x:option 'b3.
        match x with | None ->
          eval ((olifts_fo_term (rename_subst_fo_term s1 s20 s23))) x =
            eval (rename_subst_fo_term (olifts_fo_term s1) s20 (olift s23)) x
          | Some y ->
          eval ((olifts_fo_term (rename_subst_fo_term s1 s20 s23))) x =
            eval (rename_subst_fo_term s1 s20 (rcompose s23 some)) y =
            rename_fo_term (rename_fo_term (s1 y) identity some) s20
              (olift s23) =
            eval (rename_subst_fo_term (olifts_fo_term s1) s20 (olift s23)) x
        end
      } ;
    assert {
      extensionalEqual ((olifts_fo_term (rename_subst_fo_term s1 s20 s23)))
        (rename_subst_fo_term (olifts_fo_term s1) s20 (olift s23))
      }

  function subst_fo_term_list (t:fo_term_list 'b0 'b3)
    (s0:'b0 -> (symbol 'c0)) (s3:'b3 -> (fo_term 'c0 'c3)) :
    fo_term_list 'c0 'c3 =
    match t with | FONil -> FONil
      | FOCons v0 v1 ->
        FOCons
          (subst_fo_term v0 (rename_subst_symbol s0 identity)
            (rename_subst_fo_term s3 identity identity))
          (subst_fo_term_list v1 (rename_subst_symbol s0 identity)
            (rename_subst_fo_term s3 identity identity))
    end

  with subst_fo_term (t:fo_term 'b0 'b3) (s0:'b0 -> (symbol 'c0))
    (s3:'b3 -> (fo_term 'c0 'c3)) : fo_term 'c0 'c3 =
    match t with | Var_fo_term v0 -> s3 v0
      | App v0 v1 ->
        App (subst_symbol v0 (rename_subst_symbol s0 identity))
          (subst_fo_term_list v1 (rename_subst_symbol s0 identity)
            (rename_subst_fo_term s3 identity identity))
    end

  let rec lemma rename_then_subst_composition_lemma_fo_term_list
    (t:fo_term_list 'b0 'b3) (s10:'b0 -> 'c0) (s13:'b3 -> 'c3)
    (s20:'c0 -> (symbol 'd0)) (s23:'c3 -> (fo_term 'd0 'd3)) : unit
    ensures { subst_fo_term_list (rename_fo_term_list t s10 s13) s20 s23 =
      subst_fo_term_list t (rcompose s10 s20) (rcompose s13 s23) }
    variant { size_fo_term_list t } =
    match t with | FONil -> ()
      | FOCons v0 v1 ->
        rename_then_subst_composition_lemma_fo_term v0 s10 s13
          (rename_subst_symbol s20 identity)
          (rename_subst_fo_term s23 identity identity) ;
          rename_then_subst_composition_lemma_fo_term_list v1 s10 s13
          (rename_subst_symbol s20 identity)
          (rename_subst_fo_term s23 identity identity) ; ()
    end

  with lemma rename_then_subst_composition_lemma_fo_term (t:fo_term 'b0 'b3)
    (s10:'b0 -> 'c0) (s13:'b3 -> 'c3) (s20:'c0 -> (symbol 'd0))
    (s23:'c3 -> (fo_term 'd0 'd3)) : unit
    ensures { subst_fo_term (rename_fo_term t s10 s13) s20 s23 =
      subst_fo_term t (rcompose s10 s20) (rcompose s13 s23) }
    variant { size_fo_term t } =
    match t with | Var_fo_term v0 -> ()
      | App v0 v1 ->
        rename_then_subst_composition_lemma_symbol v0 s10
          (rename_subst_symbol s20 identity) ;
          rename_then_subst_composition_lemma_fo_term_list v1 s10 s13
          (rename_subst_symbol s20 identity)
          (rename_subst_fo_term s23 identity identity) ; ()
    end

  let rec lemma subst_then_rename_composition_lemma_fo_term_list
    (t:fo_term_list 'b0 'b3) (s10:'b0 -> (symbol 'c0))
    (s13:'b3 -> (fo_term 'c0 'c3)) (s20:'c0 -> 'd0) (s23:'c3 -> 'd3) : unit
    ensures { rename_fo_term_list (subst_fo_term_list t s10 s13) s20 s23 =
      subst_fo_term_list t (rename_subst_symbol s10 s20)
        (rename_subst_fo_term s13 s20 s23)
      }
    variant { size_fo_term_list t } =
    match t with | FONil -> ()
      | FOCons v0 v1 ->
        subst_then_rename_composition_lemma_fo_term v0
          (rename_subst_symbol s10 identity)
          (rename_subst_fo_term s13 identity identity) s20 s23 ;
          subst_then_rename_composition_lemma_fo_term_list v1
          (rename_subst_symbol s10 identity)
          (rename_subst_fo_term s13 identity identity) s20 s23 ; ()
    end

  with lemma subst_then_rename_composition_lemma_fo_term (t:fo_term 'b0 'b3)
    (s10:'b0 -> (symbol 'c0)) (s13:'b3 -> (fo_term 'c0 'c3)) (s20:'c0 -> 'd0)
    (s23:'c3 -> 'd3) : unit
    ensures { rename_fo_term (subst_fo_term t s10 s13) s20 s23 =
      subst_fo_term t (rename_subst_symbol s10 s20)
        (rename_subst_fo_term s13 s20 s23)
      }
    variant { size_fo_term t } =
    match t with | Var_fo_term v0 -> ()
      | App v0 v1 ->
        subst_then_rename_composition_lemma_symbol v0
          (rename_subst_symbol s10 identity) s20 ;
          subst_then_rename_composition_lemma_fo_term_list v1
          (rename_subst_symbol s10 identity)
          (rename_subst_fo_term s13 identity identity) s20 s23 ; ()
    end

  (* Abstraction definition axiom :
      function subst_compose_fo_term (s0:'b3 -> (fo_term 'c0 'c3))
        (s10:'c0 -> (symbol 'd0)) (s13:'c3 -> (fo_term 'd0 'd3)) :
        'b3 -> (fo_term 'd0 'd3) = (\ x:'b3.subst_fo_term (s0 x) s10 s13)
      *)
  function subst_compose_fo_term (s0:'b3 -> (fo_term 'c0 'c3))
    (s10:'c0 -> (symbol 'd0)) (s13:'c3 -> (fo_term 'd0 'd3)) :
    'b3 -> (fo_term 'd0 'd3)
  axiom subst_compose_fo_term_definition :
    forall s0:'b3 -> (fo_term 'c0 'c3), s10:'c0 -> (symbol 'd0),
      s13:'c3 -> (fo_term 'd0 'd3), x:'b3.
    subst_compose_fo_term s0 s10 s13 x = subst_fo_term (s0 x) s10 s13

  let lemma associativity_rename_subst_subst_lemma_fo_term (s1:'b3 -> 'c3)
    (s20:'c0 -> (symbol 'd0)) (s23:'c3 -> (fo_term 'd0 'd3))
    (s30:'d0 -> (symbol 'e0)) (s33:'d3 -> (fo_term 'e0 'e3)) : unit
    ensures { rcompose s1 (subst_compose_fo_term s23 s30 s33) =
      subst_compose_fo_term (rcompose s1 s23) s30 s33 }
    =
    assert {
      extensionalEqual (rcompose s1 (subst_compose_fo_term s23 s30 s33))
        (subst_compose_fo_term (rcompose s1 s23) s30 s33)
      }

  let lemma associativity_subst_rename_subst_lemma_fo_term
    (s1:'b3 -> (fo_term 'c0 'c3)) (s20:'c0 -> 'd0) (s23:'c3 -> 'd3)
    (s30:'d0 -> (symbol 'e0)) (s33:'d3 -> (fo_term 'e0 'e3)) : unit
    ensures { subst_compose_fo_term s1 (rcompose s20 s30) (rcompose s23 s33)
      = subst_compose_fo_term (rename_subst_fo_term s1 s20 s23) s30 s33 }
    =
    assert {
      extensionalEqual
        (subst_compose_fo_term s1 (rcompose s20 s30) (rcompose s23 s33))
        (subst_compose_fo_term (rename_subst_fo_term s1 s20 s23) s30 s33)
      }

  let lemma associativity_subst_subst_rename_lemma_fo_term
    (s1:'b3 -> (fo_term 'c0 'c3)) (s20:'c0 -> (symbol 'd0))
    (s23:'c3 -> (fo_term 'd0 'd3)) (s30:'d0 -> 'e0) (s33:'d3 -> 'e3) : unit
    ensures {
      subst_compose_fo_term s1 (rename_subst_symbol s20 s30)
        (rename_subst_fo_term s23 s30 s33)
      = rename_subst_fo_term (subst_compose_fo_term s1 s20 s23) s30 s33 }
    =
    assert {
      extensionalEqual
        (subst_compose_fo_term s1 (rename_subst_symbol s20 s30)
           (rename_subst_fo_term s23 s30 s33))
        (rename_subst_fo_term (subst_compose_fo_term s1 s20 s23) s30 s33)
      }

  let lemma olifts_composition_lemma_subst_subst_fo_term
    (s1:'b3 -> (fo_term 'c0 'c3)) (s20:'c0 -> (symbol 'd0))
    (s23:'c3 -> (fo_term 'd0 'd3)) : unit
    ensures { (olifts_fo_term (subst_compose_fo_term s1 s20 s23)) =
      subst_compose_fo_term (olifts_fo_term s1)
        (rename_subst_symbol s20 identity) (olifts_fo_term s23) }
    =
    assert {
      forall x:option 'b3.
        match x with | None ->
          eval ((olifts_fo_term (subst_compose_fo_term s1 s20 s23))) x =
            eval
              (subst_compose_fo_term (olifts_fo_term s1)
                 (rename_subst_symbol s20 identity) (olifts_fo_term s23))
              x
          | Some y ->
          eval ((olifts_fo_term (subst_compose_fo_term s1 s20 s23))) x =
            eval
              (subst_compose_fo_term s1 (rename_subst_symbol s20 identity)
                 (rename_subst_fo_term s23 identity some))
              y
            =
            subst_fo_term (rename_fo_term (s1 y) identity some)
              (rename_subst_symbol s20 identity)
              (rename_subst_fo_term (olifts_fo_term s23) identity identity) =
            eval
              (subst_compose_fo_term (olifts_fo_term s1)
                 (rename_subst_symbol s20 identity) (olifts_fo_term s23))
              x
        end
      } ;
    assert {
      extensionalEqual ((olifts_fo_term (subst_compose_fo_term s1 s20 s23)))
        (subst_compose_fo_term (olifts_fo_term s1)
           (rename_subst_symbol s20 identity) (olifts_fo_term s23))
      }

  let rec lemma subst_composition_lemma_fo_term_list (t:fo_term_list 'b0 'b3)
    (s10:'b0 -> (symbol 'c0)) (s13:'b3 -> (fo_term 'c0 'c3))
    (s20:'c0 -> (symbol 'd0)) (s23:'c3 -> (fo_term 'd0 'd3)) : unit
    ensures { subst_fo_term_list (subst_fo_term_list t s10 s13) s20 s23 =
      subst_fo_term_list t (subst_compose_symbol s10 s20)
        (subst_compose_fo_term s13 s20 s23)
      }
    variant { size_fo_term_list t } =
    match t with | FONil -> ()
      | FOCons v0 v1 ->
        subst_composition_lemma_fo_term v0 (rename_subst_symbol s10 identity)
          (rename_subst_fo_term s13 identity identity)
          (rename_subst_symbol s20 identity)
          (rename_subst_fo_term s23 identity identity) ;
          subst_composition_lemma_fo_term_list v1
          (rename_subst_symbol s10 identity)
          (rename_subst_fo_term s13 identity identity)
          (rename_subst_symbol s20 identity)
          (rename_subst_fo_term s23 identity identity) ; ()
    end

  with lemma subst_composition_lemma_fo_term (t:fo_term 'b0 'b3)
    (s10:'b0 -> (symbol 'c0)) (s13:'b3 -> (fo_term 'c0 'c3))
    (s20:'c0 -> (symbol 'd0)) (s23:'c3 -> (fo_term 'd0 'd3)) : unit
    ensures { subst_fo_term (subst_fo_term t s10 s13) s20 s23 =
      subst_fo_term t (subst_compose_symbol s10 s20)
        (subst_compose_fo_term s13 s20 s23)
      }
    variant { size_fo_term t } =
    match t with | Var_fo_term v0 -> ()
      | App v0 v1 ->
        subst_composition_lemma_symbol v0 (rename_subst_symbol s10 identity)
          (rename_subst_symbol s20 identity) ;
          subst_composition_lemma_fo_term_list v1
          (rename_subst_symbol s10 identity)
          (rename_subst_fo_term s13 identity identity)
          (rename_subst_symbol s20 identity)
          (rename_subst_fo_term s23 identity identity) ; ()
    end

  let lemma associativity_subst_subst_subst_lemma_fo_term
    (s1:'b3 -> (fo_term 'c0 'c3)) (s20:'c0 -> (symbol 'd0))
    (s23:'c3 -> (fo_term 'd0 'd3)) (s30:'d0 -> (symbol 'e0))
    (s33:'d3 -> (fo_term 'e0 'e3)) : unit
    ensures {
      subst_compose_fo_term s1 (subst_compose_symbol s20 s30)
        (subst_compose_fo_term s23 s30 s33)
      = subst_compose_fo_term (subst_compose_fo_term s1 s20 s23) s30 s33 }
    =
    assert {
      extensionalEqual
        (subst_compose_fo_term s1 (subst_compose_symbol s20 s30)
           (subst_compose_fo_term s23 s30 s33))
        (subst_compose_fo_term (subst_compose_fo_term s1 s20 s23) s30 s33)
      }

  (* Abstraction definition axiom :
      constant subst_id_fo_term : 'b3 -> (fo_term 'b0 'b3) =
        (\ x:'b3. Var_fo_term x)*)
  constant subst_id_fo_term : 'b3 -> (fo_term 'b0 'b3)
  axiom subst_id_fo_term_definition :
    forall x:'b3.
      eval (subst_id_fo_term : 'b3 -> (fo_term 'b0 'b3)) x = Var_fo_term x

  function subst_of_rename_fo_term (r:'b3 -> 'c3) : 'b3 -> (fo_term 'c0 'c3)
    = rcompose r subst_id_fo_term

  let lemma olifts_identity_fo_term (_:'b3) (_:'b0) : unit
    ensures { (olifts_fo_term (subst_id_fo_term : 'b3 -> (fo_term 'b0 'b3)))
      = subst_id_fo_term }
    =
    assert {
      forall x:option 'b3.
        match x with
          | None ->
            eval
              ((olifts_fo_term (subst_id_fo_term : 'b3 -> (fo_term 'b0 'b3))))
              x
            = eval (subst_id_fo_term) x
          | Some y ->
            eval
              ((olifts_fo_term (subst_id_fo_term : 'b3 -> (fo_term 'b0 'b3))))
              x
            = eval (subst_id_fo_term) x
        end
      } ;
    assert { extensionalEqual
      ((olifts_fo_term (subst_id_fo_term : 'b3 -> (fo_term 'b0 'b3))))
      (subst_id_fo_term) }

  let lemma left_rename_subst_identity_lemma_fo_term (s0:'b0 -> 'c0)
    (s3:'b3 -> 'c3) : unit
    ensures {
      rename_subst_fo_term (subst_id_fo_term : 'b3 -> (fo_term 'b0 'b3)) s0
        s3
      = subst_of_rename_fo_term s3 }
    =
    assert {
      extensionalEqual
        (rename_subst_fo_term (subst_id_fo_term : 'b3 -> (fo_term 'b0 'b3))
           s0 s3)
        (subst_of_rename_fo_term s3)
      }

  let rec lemma subst_identity_lemma_fo_term_list (t:fo_term_list 'b0 'b3) :
    unit
    ensures { subst_fo_term_list t subst_id_symbol subst_id_fo_term = t }
    variant { size_fo_term_list t } =
    match t with | FONil -> ()
      | FOCons v0 v1 ->
        subst_identity_lemma_fo_term v0 ; subst_identity_lemma_fo_term_list
          v1 ; ()
    end

  with lemma subst_identity_lemma_fo_term (t:fo_term 'b0 'b3) : unit
    ensures { subst_fo_term t subst_id_symbol subst_id_fo_term = t }
    variant { size_fo_term t } =
    match t with | Var_fo_term v0 -> ()
      | App v0 v1 ->
        subst_identity_lemma_symbol v0 ; subst_identity_lemma_fo_term_list
          v1 ; ()
    end

  let lemma left_subst_subst_identity_lemma_fo_term (s0:'b0 -> (symbol 'c0))
    (s3:'b3 -> (fo_term 'c0 'c3)) : unit
    ensures {
      subst_compose_fo_term (subst_id_fo_term : 'b3 -> (fo_term 'b0 'b3)) s0
        s3
      = s3 }
    =
    assert {
      extensionalEqual
        (subst_compose_fo_term (subst_id_fo_term : 'b3 -> (fo_term 'b0 'b3))
           s0 s3)
        (s3)
      }

  let lemma right_subst_subst_by_identity_lemma_fo_term
    (s0:'b3 -> (fo_term 'c0 'c3)) : unit
    ensures { subst_compose_fo_term s0 subst_id_symbol subst_id_fo_term = s0
      }
    =
    assert {
      extensionalEqual
        (subst_compose_fo_term s0 subst_id_symbol subst_id_fo_term) (s0)
      }

  let rec lemma renaming_preserve_size_fo_term_list (t:fo_term_list 'b0 'b3)
    (s0:'b0 -> 'c0) (s3:'b3 -> 'c3) : unit
    ensures { size_fo_term_list (rename_fo_term_list t s0 s3) =
      size_fo_term_list t }
    variant { size_fo_term_list t } =
    match t with | FONil -> ()
      | FOCons v0 v1 ->
        renaming_preserve_size_fo_term v0 (s0) (s3) ;
          renaming_preserve_size_fo_term_list v1 (s0) (s3) ; ()
    end

  with lemma renaming_preserve_size_fo_term (t:fo_term 'b0 'b3)
    (s0:'b0 -> 'c0) (s3:'b3 -> 'c3) : unit
    ensures { size_fo_term (rename_fo_term t s0 s3) = size_fo_term t }
    variant { size_fo_term t } =
    match t with | Var_fo_term v0 -> ()
      | App v0 v1 ->
        renaming_preserve_size_symbol v0 (s0) ;
          renaming_preserve_size_fo_term_list v1 (s0) (s3) ; ()
    end

  predicate is_symbol_free_var_in_fo_term_list (x:'b0)
    (t:fo_term_list 'b0 'b3) =
    match t with | FONil -> false
      | FOCons v0 v1 ->
        is_symbol_free_var_in_fo_term x v0 \/
          is_symbol_free_var_in_fo_term_list x v1
    end

  with is_fo_term_free_var_in_fo_term_list (x:'b3) (t:fo_term_list 'b0 'b3) =
    match t with | FONil -> false
      | FOCons v0 v1 ->
        is_fo_term_free_var_in_fo_term x v0 \/
          is_fo_term_free_var_in_fo_term_list x v1
    end

  with is_symbol_free_var_in_fo_term (x:'b0) (t:fo_term 'b0 'b3) =
    match t with | Var_fo_term v0 -> false
      | App v0 v1 ->
        is_symbol_free_var_in_symbol x v0 \/
          is_symbol_free_var_in_fo_term_list x v1
    end

  with is_fo_term_free_var_in_fo_term (x:'b3) (t:fo_term 'b0 'b3) =
    match t with | Var_fo_term v0 -> v0 = x
      | App v0 v1 -> is_fo_term_free_var_in_fo_term_list x v1
    end

  let rec ghost rename_free_var_constructive_inversion_symbol_fo_term_list
    (x:'c0) (t:fo_term_list 'b0 'b3) (s0:'b0 -> 'c0) (s3:'b3 -> 'c3) : 'b0
    requires {
      is_symbol_free_var_in_fo_term_list x (rename_fo_term_list t s0 s3) }
    ensures { is_symbol_free_var_in_fo_term_list result t /\ s0 result = x }
    variant { size_fo_term_list t } =
    match t with | FONil -> absurd
      | FOCons v0 v1 ->
        if is_symbol_free_var_in_fo_term x (rename_fo_term v0 s0 s3)
          then
            let sumx =
              rename_free_var_constructive_inversion_symbol_fo_term x v0 s0
                s3
            in sumx
          else
            if is_symbol_free_var_in_fo_term_list x
                 (rename_fo_term_list v1 s0 s3)
              then
                let sumx =
                  rename_free_var_constructive_inversion_symbol_fo_term_list
                    x v1 s0 s3
                in sumx
              else absurd
    end

  with lemma rename_free_var_inversion_symbol_fo_term_list (x:'c0)
    (t:fo_term_list 'b0 'b3) (s0:'b0 -> 'c0) (s3:'b3 -> 'c3) : unit
    requires {
      is_symbol_free_var_in_fo_term_list x (rename_fo_term_list t s0 s3) }
    ensures {
      exists y:'b0. is_symbol_free_var_in_fo_term_list y t /\ s0 y = x }
    variant { 1 + size_fo_term_list t } =
    let sumx =
      rename_free_var_constructive_inversion_symbol_fo_term_list x t s0 s3
    in ()

  with ghost rename_free_var_constructive_inversion_fo_term_fo_term_list
    (x:'c3) (t:fo_term_list 'b0 'b3) (s0:'b0 -> 'c0) (s3:'b3 -> 'c3) : 'b3
    requires {
      is_fo_term_free_var_in_fo_term_list x (rename_fo_term_list t s0 s3) }
    ensures { is_fo_term_free_var_in_fo_term_list result t /\ s3 result = x }
    variant { size_fo_term_list t } =
    match t with | FONil -> absurd
      | FOCons v0 v1 ->
        if is_fo_term_free_var_in_fo_term x (rename_fo_term v0 s0 s3)
          then
            let sumx =
              rename_free_var_constructive_inversion_fo_term_fo_term x v0 s0
                s3
            in sumx
          else
            if is_fo_term_free_var_in_fo_term_list x
                 (rename_fo_term_list v1 s0 s3)
              then
                let sumx =
                  rename_free_var_constructive_inversion_fo_term_fo_term_list
                    x v1 s0 s3
                in sumx
              else absurd
    end

  with lemma rename_free_var_inversion_fo_term_fo_term_list (x:'c3)
    (t:fo_term_list 'b0 'b3) (s0:'b0 -> 'c0) (s3:'b3 -> 'c3) : unit
    requires {
      is_fo_term_free_var_in_fo_term_list x (rename_fo_term_list t s0 s3) }
    ensures {
      exists y:'b3. is_fo_term_free_var_in_fo_term_list y t /\ s3 y = x }
    variant { 1 + size_fo_term_list t } =
    let sumx =
      rename_free_var_constructive_inversion_fo_term_fo_term_list x t s0 s3
    in ()

  with ghost rename_free_var_constructive_inversion_symbol_fo_term (x:'c0)
    (t:fo_term 'b0 'b3) (s0:'b0 -> 'c0) (s3:'b3 -> 'c3) : 'b0
    requires { is_symbol_free_var_in_fo_term x (rename_fo_term t s0 s3) }
    ensures { is_symbol_free_var_in_fo_term result t /\ s0 result = x }
    variant { size_fo_term t } =
    match t with | Var_fo_term v0 -> absurd
      | App v0 v1 ->
        if is_symbol_free_var_in_symbol x (rename_symbol v0 s0)
          then
            let sumx =
              rename_free_var_constructive_inversion_symbol_symbol x v0 s0
            in sumx
          else
            if is_symbol_free_var_in_fo_term_list x
                 (rename_fo_term_list v1 s0 s3)
              then
                let sumx =
                  rename_free_var_constructive_inversion_symbol_fo_term_list
                    x v1 s0 s3
                in sumx
              else absurd
    end

  with lemma rename_free_var_inversion_symbol_fo_term (x:'c0)
    (t:fo_term 'b0 'b3) (s0:'b0 -> 'c0) (s3:'b3 -> 'c3) : unit
    requires { is_symbol_free_var_in_fo_term x (rename_fo_term t s0 s3) }
    ensures { exists y:'b0. is_symbol_free_var_in_fo_term y t /\ s0 y = x }
    variant { 1 + size_fo_term t } =
    let sumx =
      rename_free_var_constructive_inversion_symbol_fo_term x t s0 s3
    in ()

  with ghost rename_free_var_constructive_inversion_fo_term_fo_term (x:'c3)
    (t:fo_term 'b0 'b3) (s0:'b0 -> 'c0) (s3:'b3 -> 'c3) : 'b3
    requires { is_fo_term_free_var_in_fo_term x (rename_fo_term t s0 s3) }
    ensures { is_fo_term_free_var_in_fo_term result t /\ s3 result = x }
    variant { size_fo_term t } =
    match t with | Var_fo_term v0 -> v0
      | App v0 v1 ->
        if is_fo_term_free_var_in_fo_term_list x
             (rename_fo_term_list v1 s0 s3)
          then
            let sumx =
              rename_free_var_constructive_inversion_fo_term_fo_term_list x
                v1 s0 s3
            in sumx
          else absurd
    end

  with lemma rename_free_var_inversion_fo_term_fo_term (x:'c3)
    (t:fo_term 'b0 'b3) (s0:'b0 -> 'c0) (s3:'b3 -> 'c3) : unit
    requires { is_fo_term_free_var_in_fo_term x (rename_fo_term t s0 s3) }
    ensures { exists y:'b3. is_fo_term_free_var_in_fo_term y t /\ s3 y = x }
    variant { 1 + size_fo_term t } =
    let sumx =
      rename_free_var_constructive_inversion_fo_term_fo_term x t s0 s3
    in ()

  let rec lemma rename_free_var_propagation_symbol_fo_term_list (x:'b0)
    (t:fo_term_list 'b0 'b3) (s0:'b0 -> 'c0) (s3:'b3 -> 'c3) : unit
    ensures { is_symbol_free_var_in_fo_term_list x t ->
      is_symbol_free_var_in_fo_term_list (s0 x) (rename_fo_term_list t s0 s3)
      }
    variant { size_fo_term_list t } =
    match t with | FONil -> ()
      | FOCons v0 v1 ->
        rename_free_var_propagation_symbol_fo_term x v0 (s0) (s3) ;
          rename_free_var_propagation_symbol_fo_term_list x v1 (s0) (s3) ; ()
    end

  with lemma rename_free_var_propagation_fo_term_fo_term_list (x:'b3)
    (t:fo_term_list 'b0 'b3) (s0:'b0 -> 'c0) (s3:'b3 -> 'c3) : unit
    ensures { is_fo_term_free_var_in_fo_term_list x t ->
      is_fo_term_free_var_in_fo_term_list (s3 x)
        (rename_fo_term_list t s0 s3)
      }
    variant { size_fo_term_list t } =
    match t with | FONil -> ()
      | FOCons v0 v1 ->
        rename_free_var_propagation_fo_term_fo_term x v0 (s0) (s3) ;
          rename_free_var_propagation_fo_term_fo_term_list x v1 (s0) (s3) ;
          ()
    end

  with lemma rename_free_var_propagation_symbol_fo_term (x:'b0)
    (t:fo_term 'b0 'b3) (s0:'b0 -> 'c0) (s3:'b3 -> 'c3) : unit
    ensures { is_symbol_free_var_in_fo_term x t ->
      is_symbol_free_var_in_fo_term (s0 x) (rename_fo_term t s0 s3) }
    variant { size_fo_term t } =
    match t with | Var_fo_term v0 -> ()
      | App v0 v1 ->
        rename_free_var_propagation_symbol_symbol x v0 (s0) ;
          rename_free_var_propagation_symbol_fo_term_list x v1 (s0) (s3) ; ()
    end

  with lemma rename_free_var_propagation_fo_term_fo_term (x:'b3)
    (t:fo_term 'b0 'b3) (s0:'b0 -> 'c0) (s3:'b3 -> 'c3) : unit
    ensures { is_fo_term_free_var_in_fo_term x t ->
      is_fo_term_free_var_in_fo_term (s3 x) (rename_fo_term t s0 s3) }
    variant { size_fo_term t } =
    match t with | Var_fo_term v0 -> ()
      | App v0 v1 ->
        () ; rename_free_var_propagation_fo_term_fo_term_list x v1 (s0)
          (s3) ; ()
    end

  let rec ghost subst_free_var_constructive_inversion_symbol_fo_term_list
    (x:'c0) (t:fo_term_list 'b0 'b3) (s0:'b0 -> (symbol 'c0))
    (s3:'b3 -> (fo_term 'c0 'c3)) : sum ('b0) ('b3)
    requires {
      is_symbol_free_var_in_fo_term_list x (subst_fo_term_list t s0 s3) }
    ensures { let sumx = result in
      match sumx with | Left sumx ->
        is_symbol_free_var_in_fo_term_list sumx t /\
          is_symbol_free_var_in_symbol x (s0 sumx)
        | Right sumx ->
        is_fo_term_free_var_in_fo_term_list sumx t /\
          is_symbol_free_var_in_fo_term x (s3 sumx)
      end }
    variant { size_fo_term_list t } =
    match t with | FONil -> absurd
      | FOCons v0 v1 ->
        if is_symbol_free_var_in_fo_term x
             (subst_fo_term v0 (rename_subst_symbol s0 identity)
                (rename_subst_fo_term s3 identity identity))
          then
            let sumx =
              subst_free_var_constructive_inversion_symbol_fo_term x v0
                (rename_subst_symbol s0 identity)
                (rename_subst_fo_term s3 identity identity)
            in
            match sumx with | Left sumx ->
              let y =
                rename_free_var_constructive_inversion_symbol_symbol x
                  (eval s0 sumx) identity
                in assert { y = x } ; Left sumx
              | Right sumx ->
              Right
                (let y =
                   rename_free_var_constructive_inversion_symbol_fo_term x
                     (eval s3 sumx) identity identity
                in assert { y = x } ; sumx)
            end
          else
            if is_symbol_free_var_in_fo_term_list x
                 (subst_fo_term_list v1 (rename_subst_symbol s0 identity)
                    (rename_subst_fo_term s3 identity identity))
              then
                let sumx =
                  subst_free_var_constructive_inversion_symbol_fo_term_list x
                    v1 (rename_subst_symbol s0 identity)
                    (rename_subst_fo_term s3 identity identity)
                in
                match sumx with | Left sumx ->
                  let y =
                    rename_free_var_constructive_inversion_symbol_symbol x
                      (eval s0 sumx) identity
                    in assert { y = x } ; Left sumx
                  | Right sumx ->
                  Right
                    (let y =
                       rename_free_var_constructive_inversion_symbol_fo_term
                         x (eval s3 sumx) identity identity
                    in assert { y = x } ; sumx)
                end
              else absurd
    end

  with lemma subst_free_var_inversion_symbol_fo_term_list (x:'c0)
    (t:fo_term_list 'b0 'b3) (s0:'b0 -> (symbol 'c0))
    (s3:'b3 -> (fo_term 'c0 'c3)) : unit
    requires {
      is_symbol_free_var_in_fo_term_list x (subst_fo_term_list t s0 s3) }
    ensures {
      (exists y:'b0. is_symbol_free_var_in_fo_term_list y t /\
         is_symbol_free_var_in_symbol x (s0 y))
      \/
      (exists y:'b3. is_fo_term_free_var_in_fo_term_list y t /\
         is_symbol_free_var_in_fo_term x (s3 y))
      }
    variant { 1 + size_fo_term_list t } =
    let sumx =
      subst_free_var_constructive_inversion_symbol_fo_term_list x t s0 s3
    in match sumx with | Left sumx -> () | Right sumx -> () end

  with ghost subst_free_var_constructive_inversion_fo_term_fo_term_list
    (x:'c3) (t:fo_term_list 'b0 'b3) (s0:'b0 -> (symbol 'c0))
    (s3:'b3 -> (fo_term 'c0 'c3)) : 'b3
    requires {
      is_fo_term_free_var_in_fo_term_list x (subst_fo_term_list t s0 s3) }
    ensures { let sumx = result in is_fo_term_free_var_in_fo_term_list sumx t
      /\ is_fo_term_free_var_in_fo_term x (s3 sumx) }
    variant { size_fo_term_list t } =
    match t with | FONil -> absurd
      | FOCons v0 v1 ->
        if is_fo_term_free_var_in_fo_term x
             (subst_fo_term v0 (rename_subst_symbol s0 identity)
                (rename_subst_fo_term s3 identity identity))
          then
            let sumx =
              subst_free_var_constructive_inversion_fo_term_fo_term x v0
                (rename_subst_symbol s0 identity)
                (rename_subst_fo_term s3 identity identity)
            in
            let y =
              rename_free_var_constructive_inversion_fo_term_fo_term x
                (eval s3 sumx) identity identity
            in assert { y = x } ; sumx
          else
            if is_fo_term_free_var_in_fo_term_list x
                 (subst_fo_term_list v1 (rename_subst_symbol s0 identity)
                    (rename_subst_fo_term s3 identity identity))
              then
                let sumx =
                  subst_free_var_constructive_inversion_fo_term_fo_term_list
                    x v1 (rename_subst_symbol s0 identity)
                    (rename_subst_fo_term s3 identity identity)
                in
                let y =
                  rename_free_var_constructive_inversion_fo_term_fo_term x
                    (eval s3 sumx) identity identity
                in assert { y = x } ; sumx
              else absurd
    end

  with lemma subst_free_var_inversion_fo_term_fo_term_list (x:'c3)
    (t:fo_term_list 'b0 'b3) (s0:'b0 -> (symbol 'c0))
    (s3:'b3 -> (fo_term 'c0 'c3)) : unit
    requires {
      is_fo_term_free_var_in_fo_term_list x (subst_fo_term_list t s0 s3) }
    ensures {
      (exists y:'b3. is_fo_term_free_var_in_fo_term_list y t /\
         is_fo_term_free_var_in_fo_term x (s3 y))
      }
    variant { 1 + size_fo_term_list t } =
    let sumx =
      subst_free_var_constructive_inversion_fo_term_fo_term_list x t s0 s3
    in ()

  with ghost subst_free_var_constructive_inversion_symbol_fo_term (x:'c0)
    (t:fo_term 'b0 'b3) (s0:'b0 -> (symbol 'c0))
    (s3:'b3 -> (fo_term 'c0 'c3)) : sum ('b0) ('b3)
    requires { is_symbol_free_var_in_fo_term x (subst_fo_term t s0 s3) }
    ensures { let sumx = result in
      match sumx with | Left sumx ->
        is_symbol_free_var_in_fo_term sumx t /\
          is_symbol_free_var_in_symbol x (s0 sumx)
        | Right sumx ->
        is_fo_term_free_var_in_fo_term sumx t /\
          is_symbol_free_var_in_fo_term x (s3 sumx)
      end }
    variant { size_fo_term t } =
    match t with | Var_fo_term v0 -> Right (v0)
      | App v0 v1 ->
        if is_symbol_free_var_in_symbol x
             (subst_symbol v0 (rename_subst_symbol s0 identity))
          then
            let sumx =
              subst_free_var_constructive_inversion_symbol_symbol x v0
                (rename_subst_symbol s0 identity)
            in
            let y =
              rename_free_var_constructive_inversion_symbol_symbol x
                (eval s0 sumx) identity
            in assert { y = x } ; Left sumx
          else
            if is_symbol_free_var_in_fo_term_list x
                 (subst_fo_term_list v1 (rename_subst_symbol s0 identity)
                    (rename_subst_fo_term s3 identity identity))
              then
                let sumx =
                  subst_free_var_constructive_inversion_symbol_fo_term_list x
                    v1 (rename_subst_symbol s0 identity)
                    (rename_subst_fo_term s3 identity identity)
                in
                match sumx with | Left sumx ->
                  let y =
                    rename_free_var_constructive_inversion_symbol_symbol x
                      (eval s0 sumx) identity
                    in assert { y = x } ; Left sumx
                  | Right sumx ->
                  Right
                    (let y =
                       rename_free_var_constructive_inversion_symbol_fo_term
                         x (eval s3 sumx) identity identity
                    in assert { y = x } ; sumx)
                end
              else absurd
    end

  with lemma subst_free_var_inversion_symbol_fo_term (x:'c0)
    (t:fo_term 'b0 'b3) (s0:'b0 -> (symbol 'c0))
    (s3:'b3 -> (fo_term 'c0 'c3)) : unit
    requires { is_symbol_free_var_in_fo_term x (subst_fo_term t s0 s3) }
    ensures {
      (exists y:'b0. is_symbol_free_var_in_fo_term y t /\
         is_symbol_free_var_in_symbol x (s0 y))
      \/
      (exists y:'b3. is_fo_term_free_var_in_fo_term y t /\
         is_symbol_free_var_in_fo_term x (s3 y))
      }
    variant { 1 + size_fo_term t } =
    let sumx = subst_free_var_constructive_inversion_symbol_fo_term x t s0 s3
    in match sumx with | Left sumx -> () | Right sumx -> () end

  with ghost subst_free_var_constructive_inversion_fo_term_fo_term (x:'c3)
    (t:fo_term 'b0 'b3) (s0:'b0 -> (symbol 'c0))
    (s3:'b3 -> (fo_term 'c0 'c3)) : 'b3
    requires { is_fo_term_free_var_in_fo_term x (subst_fo_term t s0 s3) }
    ensures { let sumx = result in is_fo_term_free_var_in_fo_term sumx t /\
      is_fo_term_free_var_in_fo_term x (s3 sumx) }
    variant { size_fo_term t } =
    match t with | Var_fo_term v0 -> v0
      | App v0 v1 ->
        if is_fo_term_free_var_in_fo_term_list x
             (subst_fo_term_list v1 (rename_subst_symbol s0 identity)
                (rename_subst_fo_term s3 identity identity))
          then
            let sumx =
              subst_free_var_constructive_inversion_fo_term_fo_term_list x v1
                (rename_subst_symbol s0 identity)
                (rename_subst_fo_term s3 identity identity)
            in
            let y =
              rename_free_var_constructive_inversion_fo_term_fo_term x
                (eval s3 sumx) identity identity
            in assert { y = x } ; sumx
          else absurd
    end

  with lemma subst_free_var_inversion_fo_term_fo_term (x:'c3)
    (t:fo_term 'b0 'b3) (s0:'b0 -> (symbol 'c0))
    (s3:'b3 -> (fo_term 'c0 'c3)) : unit
    requires { is_fo_term_free_var_in_fo_term x (subst_fo_term t s0 s3) }
    ensures {
      (exists y:'b3. is_fo_term_free_var_in_fo_term y t /\
         is_fo_term_free_var_in_fo_term x (s3 y))
      }
    variant { 1 + size_fo_term t } =
    let sumx =
      subst_free_var_constructive_inversion_fo_term_fo_term x t s0 s3
    in ()

  let rec lemma subst_free_var_propagation_symbol_symbol_fo_term_list (x:'b0)
    (y:'c0) (t:fo_term_list 'b0 'b3) (s0:'b0 -> (symbol 'c0))
    (s3:'b3 -> (fo_term 'c0 'c3)):  unit
    ensures {
      is_symbol_free_var_in_fo_term_list x t /\
        is_symbol_free_var_in_symbol y (s0 x) ->
      is_symbol_free_var_in_fo_term_list y (subst_fo_term_list t s0 s3) }
    variant { size_fo_term_list t } =
    match t with | FONil -> ()
      | FOCons v0 v1 ->
        subst_free_var_propagation_symbol_symbol_fo_term x y v0
          ((rename_subst_symbol s0 identity))
          ((rename_subst_fo_term s3 identity identity)) ;
          rename_free_var_propagation_symbol_symbol y (eval s0 x) identity ;
          assert { is_symbol_free_var_in_symbol y (s0 x) ->
            is_symbol_free_var_in_symbol y
              (eval ((rename_subst_symbol s0 identity)) x)
            } ;
          subst_free_var_propagation_symbol_symbol_fo_term_list x y v1
            ((rename_subst_symbol s0 identity))
            ((rename_subst_fo_term s3 identity identity)) ;
          rename_free_var_propagation_symbol_symbol y (eval s0 x) identity ;
          assert { is_symbol_free_var_in_symbol y (s0 x) ->
            is_symbol_free_var_in_symbol y
              (eval ((rename_subst_symbol s0 identity)) x)
            } ;
          ()
    end

  with lemma subst_free_var_propagation_fo_term_symbol_fo_term_list (x:'b3)
    (y:'c0) (t:fo_term_list 'b0 'b3) (s0:'b0 -> (symbol 'c0))
    (s3:'b3 -> (fo_term 'c0 'c3)):  unit
    ensures {
      is_fo_term_free_var_in_fo_term_list x t /\
        is_symbol_free_var_in_fo_term y (s3 x) ->
      is_symbol_free_var_in_fo_term_list y (subst_fo_term_list t s0 s3) }
    variant { size_fo_term_list t } =
    match t with | FONil -> ()
      | FOCons v0 v1 ->
        subst_free_var_propagation_fo_term_symbol_fo_term x y v0
          ((rename_subst_symbol s0 identity))
          ((rename_subst_fo_term s3 identity identity)) ;
          rename_free_var_propagation_symbol_fo_term y (eval s3 x) identity
            identity ;
          assert { is_symbol_free_var_in_fo_term y (s3 x) ->
            is_symbol_free_var_in_fo_term y
              (eval ((rename_subst_fo_term s3 identity identity)) x)
            } ;
          subst_free_var_propagation_fo_term_symbol_fo_term_list x y v1
            ((rename_subst_symbol s0 identity))
            ((rename_subst_fo_term s3 identity identity)) ;
          rename_free_var_propagation_symbol_fo_term y (eval s3 x) identity
            identity ;
          assert { is_symbol_free_var_in_fo_term y (s3 x) ->
            is_symbol_free_var_in_fo_term y
              (eval ((rename_subst_fo_term s3 identity identity)) x)
            } ;
          ()
    end

  with lemma subst_free_var_propagation_fo_term_fo_term_fo_term_list (x:'b3)
    (y:'c3) (t:fo_term_list 'b0 'b3) (s0:'b0 -> (symbol 'c0))
    (s3:'b3 -> (fo_term 'c0 'c3)):  unit
    ensures {
      is_fo_term_free_var_in_fo_term_list x t /\
        is_fo_term_free_var_in_fo_term y (s3 x) ->
      is_fo_term_free_var_in_fo_term_list y (subst_fo_term_list t s0 s3) }
    variant { size_fo_term_list t } =
    match t with | FONil -> ()
      | FOCons v0 v1 ->
        subst_free_var_propagation_fo_term_fo_term_fo_term x y v0
          ((rename_subst_symbol s0 identity))
          ((rename_subst_fo_term s3 identity identity)) ;
          rename_free_var_propagation_fo_term_fo_term y (eval s3 x) identity
            identity ;
          assert { is_fo_term_free_var_in_fo_term y (s3 x) ->
            is_fo_term_free_var_in_fo_term y
              (eval ((rename_subst_fo_term s3 identity identity)) x)
            } ;
          subst_free_var_propagation_fo_term_fo_term_fo_term_list x y v1
            ((rename_subst_symbol s0 identity))
            ((rename_subst_fo_term s3 identity identity)) ;
          rename_free_var_propagation_fo_term_fo_term y (eval s3 x) identity
            identity ;
          assert { is_fo_term_free_var_in_fo_term y (s3 x) ->
            is_fo_term_free_var_in_fo_term y
              (eval ((rename_subst_fo_term s3 identity identity)) x)
            } ;
          ()
    end

  with lemma subst_free_var_propagation_symbol_symbol_fo_term (x:'b0) (y:'c0)
    (t:fo_term 'b0 'b3) (s0:'b0 -> (symbol 'c0))
    (s3:'b3 -> (fo_term 'c0 'c3)):  unit
    ensures {
      is_symbol_free_var_in_fo_term x t /\
        is_symbol_free_var_in_symbol y (s0 x) ->
      is_symbol_free_var_in_fo_term y (subst_fo_term t s0 s3) }
    variant { size_fo_term t } =
    match t with | Var_fo_term v0 -> ()
      | App v0 v1 ->
        subst_free_var_propagation_symbol_symbol_symbol x y v0
          ((rename_subst_symbol s0 identity)) ;
          rename_free_var_propagation_symbol_symbol y (eval s0 x) identity ;
          assert { is_symbol_free_var_in_symbol y (s0 x) ->
            is_symbol_free_var_in_symbol y
              (eval ((rename_subst_symbol s0 identity)) x)
            } ;
          subst_free_var_propagation_symbol_symbol_fo_term_list x y v1
            ((rename_subst_symbol s0 identity))
            ((rename_subst_fo_term s3 identity identity)) ;
          rename_free_var_propagation_symbol_symbol y (eval s0 x) identity ;
          assert { is_symbol_free_var_in_symbol y (s0 x) ->
            is_symbol_free_var_in_symbol y
              (eval ((rename_subst_symbol s0 identity)) x)
            } ;
          ()
    end

  with lemma subst_free_var_propagation_fo_term_symbol_fo_term (x:'b3)
    (y:'c0) (t:fo_term 'b0 'b3) (s0:'b0 -> (symbol 'c0))
    (s3:'b3 -> (fo_term 'c0 'c3)):  unit
    ensures {
      is_fo_term_free_var_in_fo_term x t /\
        is_symbol_free_var_in_fo_term y (s3 x) ->
      is_symbol_free_var_in_fo_term y (subst_fo_term t s0 s3) }
    variant { size_fo_term t } =
    match t with | Var_fo_term v0 -> ()
      | App v0 v1 ->
        () ;
          subst_free_var_propagation_fo_term_symbol_fo_term_list x y v1
            ((rename_subst_symbol s0 identity))
            ((rename_subst_fo_term s3 identity identity)) ;
          rename_free_var_propagation_symbol_fo_term y (eval s3 x) identity
            identity ;
          assert { is_symbol_free_var_in_fo_term y (s3 x) ->
            is_symbol_free_var_in_fo_term y
              (eval ((rename_subst_fo_term s3 identity identity)) x)
            } ;
          ()
    end

  with lemma subst_free_var_propagation_fo_term_fo_term_fo_term (x:'b3)
    (y:'c3) (t:fo_term 'b0 'b3) (s0:'b0 -> (symbol 'c0))
    (s3:'b3 -> (fo_term 'c0 'c3)):  unit
    ensures {
      is_fo_term_free_var_in_fo_term x t /\
        is_fo_term_free_var_in_fo_term y (s3 x) ->
      is_fo_term_free_var_in_fo_term y (subst_fo_term t s0 s3) }
    variant { size_fo_term t } =
    match t with | Var_fo_term v0 -> ()
      | App v0 v1 ->
        () ;
          subst_free_var_propagation_fo_term_fo_term_fo_term_list x y v1
            ((rename_subst_symbol s0 identity))
            ((rename_subst_fo_term s3 identity identity)) ;
          rename_free_var_propagation_fo_term_fo_term y (eval s3 x) identity
            identity ;
          assert { is_fo_term_free_var_in_fo_term y (s3 x) ->
            is_fo_term_free_var_in_fo_term y
              (eval ((rename_subst_fo_term s3 identity identity)) x)
            } ;
          ()
    end

  let rec lemma free_var_equivalence_of_subst_fo_term_list
    (t:fo_term_list 'b0 'b3) (s10:'b0 -> (symbol 'c0))
    (s20:'b0 -> (symbol 'c0)) (s13:'b3 -> (fo_term 'c0 'c3))
    (s23:'b3 -> (fo_term 'c0 'c3)) : unit
    requires {
      forall x:'b0. is_symbol_free_var_in_fo_term_list x t -> s10 x = s20 x }
    requires {
      forall x:'b3. is_fo_term_free_var_in_fo_term_list x t -> s13 x = s23 x
      }
    ensures { subst_fo_term_list t s10 s13 = subst_fo_term_list t s20 s23 }
    variant { size_fo_term_list t } =
    match t with | FONil -> ()
      | FOCons v0 v1 ->
        assert {
          forall x:'b0. is_symbol_free_var_in_fo_term x v0 ->
            is_symbol_free_var_in_fo_term_list x t
          } ;
          assert {
            forall x:'b3. is_fo_term_free_var_in_fo_term x v0 ->
              is_fo_term_free_var_in_fo_term_list x t
            } ;
          free_var_equivalence_of_subst_fo_term v0
            ((rename_subst_symbol s10 identity))
            ((rename_subst_symbol s20 identity))
            ((rename_subst_fo_term s13 identity identity))
            ((rename_subst_fo_term s23 identity identity)) ;
          assert {
            forall x:'b0. is_symbol_free_var_in_fo_term_list x v1 ->
              is_symbol_free_var_in_fo_term_list x t
            } ;
          assert {
            forall x:'b3. is_fo_term_free_var_in_fo_term_list x v1 ->
              is_fo_term_free_var_in_fo_term_list x t
            } ;
          free_var_equivalence_of_subst_fo_term_list v1
            ((rename_subst_symbol s10 identity))
            ((rename_subst_symbol s20 identity))
            ((rename_subst_fo_term s13 identity identity))
            ((rename_subst_fo_term s23 identity identity)) ;
          ()
    end

  with lemma free_var_equivalence_of_subst_fo_term (t:fo_term 'b0 'b3)
    (s10:'b0 -> (symbol 'c0)) (s20:'b0 -> (symbol 'c0))
    (s13:'b3 -> (fo_term 'c0 'c3)) (s23:'b3 -> (fo_term 'c0 'c3)) : unit
    requires {
      forall x:'b0. is_symbol_free_var_in_fo_term x t -> s10 x = s20 x }
    requires {
      forall x:'b3. is_fo_term_free_var_in_fo_term x t -> s13 x = s23 x }
    ensures { subst_fo_term t s10 s13 = subst_fo_term t s20 s23 }
    variant { size_fo_term t } =
    match t with | Var_fo_term v0 -> ()
      | App v0 v1 ->
        assert {
          forall x:'b0. is_symbol_free_var_in_symbol x v0 ->
            is_symbol_free_var_in_fo_term x t
          } ;
          free_var_equivalence_of_subst_symbol v0
            ((rename_subst_symbol s10 identity))
            ((rename_subst_symbol s20 identity)) ;
          assert {
            forall x:'b0. is_symbol_free_var_in_fo_term_list x v1 ->
              is_symbol_free_var_in_fo_term x t
            } ;
          assert {
            forall x:'b3. is_fo_term_free_var_in_fo_term_list x v1 ->
              is_fo_term_free_var_in_fo_term x t
            } ;
          free_var_equivalence_of_subst_fo_term_list v1
            ((rename_subst_symbol s10 identity))
            ((rename_subst_symbol s20 identity))
            ((rename_subst_fo_term s13 identity identity))
            ((rename_subst_fo_term s23 identity identity)) ;
          ()
    end

  let lemma free_var_equivalence_of_rename_fo_term_list
    (t:fo_term_list 'b0 'b3) (s10:'b0 -> 'c0) (s20:'b0 -> 'c0)
    (s13:'b3 -> 'c3) (s23:'b3 -> 'c3) : unit
    requires {
      forall x:'b0. is_symbol_free_var_in_fo_term_list x t -> s10 x = s20 x }
    requires {
      forall x:'b3. is_fo_term_free_var_in_fo_term_list x t -> s13 x = s23 x
      }
    ensures { rename_fo_term_list t s10 s13 = rename_fo_term_list t s20 s23 }
    =
    free_var_equivalence_of_subst_fo_term_list t (subst_of_rename_symbol s10)
      (subst_of_rename_symbol s20) (subst_of_rename_fo_term s13)
      (subst_of_rename_fo_term s23)

  let lemma free_var_equivalence_of_rename_fo_term (t:fo_term 'b0 'b3)
    (s10:'b0 -> 'c0) (s20:'b0 -> 'c0) (s13:'b3 -> 'c3) (s23:'b3 -> 'c3) :
    unit
    requires {
      forall x:'b0. is_symbol_free_var_in_fo_term x t -> s10 x = s20 x }
    requires {
      forall x:'b3. is_fo_term_free_var_in_fo_term x t -> s13 x = s23 x }
    ensures { rename_fo_term t s10 s13 = rename_fo_term t s20 s23 } =
    free_var_equivalence_of_subst_fo_term t (subst_of_rename_symbol s10)
      (subst_of_rename_symbol s20) (subst_of_rename_fo_term s13)
      (subst_of_rename_fo_term s23)

  let rec lemma free_var_derive_equivalence_of_subst_fo_term_list
    (t:fo_term_list 'b0 'b3) (s10:'b0 -> (symbol 'c0))
    (s20:'b0 -> (symbol 'c0)) (s13:'b3 -> (fo_term 'c0 'c3))
    (s23:'b3 -> (fo_term 'c0 'c3)) : unit
    ensures {
      forall x:'b0. is_symbol_free_var_in_fo_term_list x t -> s10 x = s20 x }
    ensures {
      forall x:'b3. is_fo_term_free_var_in_fo_term_list x t -> s13 x = s23 x
      }
    requires { subst_fo_term_list t s10 s13 = subst_fo_term_list t s20 s23 }
    variant { size_fo_term_list t } =
    match t with | FONil -> ()
      | FOCons v0 v1 ->
        free_var_derive_equivalence_of_subst_fo_term v0
          ((rename_subst_symbol s10 identity))
          ((rename_subst_symbol s20 identity))
          ((rename_subst_fo_term s13 identity identity))
          ((rename_subst_fo_term s23 identity identity));
          assert {
            (forall x:'b0, y0:'c0. is_symbol_free_var_in_fo_term x v0 ->
               rename_symbol (s10 x) identity =
               eval ((rename_subst_symbol s10 identity)) x =
               eval ((rename_subst_symbol s20 identity)) x =
               rename_symbol (s20 x) identity && s10 x =
               rename_symbol (rename_symbol (s10 x) identity) identity =
               rename_symbol (rename_symbol (s20 x) identity) identity =
               s20 x && s10 x = s20 x)
            &&
            forall x:'b0. is_symbol_free_var_in_fo_term x v0 -> s10 x = s20 x
            };
          assert {
            (forall x:'b3, y0:'c0, y3:'c3.
               is_fo_term_free_var_in_fo_term x v0 ->
               rename_fo_term (s13 x) identity identity =
               eval ((rename_subst_fo_term s13 identity identity)) x =
               eval ((rename_subst_fo_term s23 identity identity)) x =
               rename_fo_term (s23 x) identity identity && s13 x =
               rename_fo_term (rename_fo_term (s13 x) identity identity)
                 identity identity
               =
               rename_fo_term (rename_fo_term (s23 x) identity identity)
                 identity identity
               = s23 x && s13 x = s23 x)
            &&
            forall x:'b3. is_fo_term_free_var_in_fo_term x v0 -> s13 x =
              s23 x
            } ;
          free_var_derive_equivalence_of_subst_fo_term_list v1
            ((rename_subst_symbol s10 identity))
            ((rename_subst_symbol s20 identity))
            ((rename_subst_fo_term s13 identity identity))
            ((rename_subst_fo_term s23 identity identity));
          assert {
            (forall x:'b0, y0:'c0. is_symbol_free_var_in_fo_term_list x v1 ->
               rename_symbol (s10 x) identity =
               eval ((rename_subst_symbol s10 identity)) x =
               eval ((rename_subst_symbol s20 identity)) x =
               rename_symbol (s20 x) identity && s10 x =
               rename_symbol (rename_symbol (s10 x) identity) identity =
               rename_symbol (rename_symbol (s20 x) identity) identity =
               s20 x && s10 x = s20 x)
            &&
            forall x:'b0. is_symbol_free_var_in_fo_term_list x v1 -> s10 x =
              s20 x
            };
          assert {
            (forall x:'b3, y0:'c0, y3:'c3.
               is_fo_term_free_var_in_fo_term_list x v1 ->
               rename_fo_term (s13 x) identity identity =
               eval ((rename_subst_fo_term s13 identity identity)) x =
               eval ((rename_subst_fo_term s23 identity identity)) x =
               rename_fo_term (s23 x) identity identity && s13 x =
               rename_fo_term (rename_fo_term (s13 x) identity identity)
                 identity identity
               =
               rename_fo_term (rename_fo_term (s23 x) identity identity)
                 identity identity
               = s23 x && s13 x = s23 x)
            &&
            forall x:'b3. is_fo_term_free_var_in_fo_term_list x v1 -> s13 x =
              s23 x
            } ;
          ()
    end

  with lemma free_var_derive_equivalence_of_subst_fo_term (t:fo_term 'b0 'b3)
    (s10:'b0 -> (symbol 'c0)) (s20:'b0 -> (symbol 'c0))
    (s13:'b3 -> (fo_term 'c0 'c3)) (s23:'b3 -> (fo_term 'c0 'c3)) : unit
    ensures {
      forall x:'b0. is_symbol_free_var_in_fo_term x t -> s10 x = s20 x }
    ensures {
      forall x:'b3. is_fo_term_free_var_in_fo_term x t -> s13 x = s23 x }
    requires { subst_fo_term t s10 s13 = subst_fo_term t s20 s23 }
    variant { size_fo_term t } =
    match t with | Var_fo_term v0 -> ()
      | App v0 v1 ->
        free_var_derive_equivalence_of_subst_symbol v0
          ((rename_subst_symbol s10 identity))
          ((rename_subst_symbol s20 identity));
          assert {
            (forall x:'b0, y0:'c0. is_symbol_free_var_in_symbol x v0 ->
               rename_symbol (s10 x) identity =
               eval ((rename_subst_symbol s10 identity)) x =
               eval ((rename_subst_symbol s20 identity)) x =
               rename_symbol (s20 x) identity && s10 x =
               rename_symbol (rename_symbol (s10 x) identity) identity =
               rename_symbol (rename_symbol (s20 x) identity) identity =
               s20 x && s10 x = s20 x)
            &&
            forall x:'b0. is_symbol_free_var_in_symbol x v0 -> s10 x = s20 x
            } ;
          free_var_derive_equivalence_of_subst_fo_term_list v1
            ((rename_subst_symbol s10 identity))
            ((rename_subst_symbol s20 identity))
            ((rename_subst_fo_term s13 identity identity))
            ((rename_subst_fo_term s23 identity identity));
          assert {
            (forall x:'b0, y0:'c0. is_symbol_free_var_in_fo_term_list x v1 ->
               rename_symbol (s10 x) identity =
               eval ((rename_subst_symbol s10 identity)) x =
               eval ((rename_subst_symbol s20 identity)) x =
               rename_symbol (s20 x) identity && s10 x =
               rename_symbol (rename_symbol (s10 x) identity) identity =
               rename_symbol (rename_symbol (s20 x) identity) identity =
               s20 x && s10 x = s20 x)
            &&
            forall x:'b0. is_symbol_free_var_in_fo_term_list x v1 -> s10 x =
              s20 x
            };
          assert {
            (forall x:'b3, y0:'c0, y3:'c3.
               is_fo_term_free_var_in_fo_term_list x v1 ->
               rename_fo_term (s13 x) identity identity =
               eval ((rename_subst_fo_term s13 identity identity)) x =
               eval ((rename_subst_fo_term s23 identity identity)) x =
               rename_fo_term (s23 x) identity identity && s13 x =
               rename_fo_term (rename_fo_term (s13 x) identity identity)
                 identity identity
               =
               rename_fo_term (rename_fo_term (s23 x) identity identity)
                 identity identity
               = s23 x && s13 x = s23 x)
            &&
            forall x:'b3. is_fo_term_free_var_in_fo_term_list x v1 -> s13 x =
              s23 x
            } ;
          ()
    end

  let lemma free_var_derive_equivalence_of_rename_fo_term_list
    (t:fo_term_list 'b0 'b3) (s10:'b0 -> 'c0) (s20:'b0 -> 'c0)
    (s13:'b3 -> 'c3) (s23:'b3 -> 'c3) : unit
    ensures {
      forall x:'b0. is_symbol_free_var_in_fo_term_list x t -> s10 x = s20 x }
    ensures {
      forall x:'b3. is_fo_term_free_var_in_fo_term_list x t -> s13 x = s23 x
      }
    requires { rename_fo_term_list t s10 s13 = rename_fo_term_list t s20 s23
      }
    =
    free_var_derive_equivalence_of_subst_fo_term_list t
      (subst_of_rename_symbol s10) (subst_of_rename_symbol s20)
      (subst_of_rename_fo_term s13) (subst_of_rename_fo_term s23);
    assert {
      forall x:'b0. (subst_of_rename_symbol s10 x:symbol 'c0) =
        (subst_of_rename_symbol s20 x:symbol 'c0) ->
        (Var_symbol (s10 x):symbol 'c0) = (Var_symbol (s20 x):symbol 'c0) &&
        s10 x = s20 x
      };
    assert {
      forall x:'b3. (subst_of_rename_fo_term s13 x:fo_term 'c0 'c3) =
        (subst_of_rename_fo_term s23 x:fo_term 'c0 'c3) ->
        (Var_fo_term (s13 x):fo_term 'c0 'c3) =
        (Var_fo_term (s23 x):fo_term 'c0 'c3) && s13 x = s23 x
      }

  let lemma free_var_derive_equivalence_of_rename_fo_term (t:fo_term 'b0 'b3)
    (s10:'b0 -> 'c0) (s20:'b0 -> 'c0) (s13:'b3 -> 'c3) (s23:'b3 -> 'c3) :
    unit
    ensures {
      forall x:'b0. is_symbol_free_var_in_fo_term x t -> s10 x = s20 x }
    ensures {
      forall x:'b3. is_fo_term_free_var_in_fo_term x t -> s13 x = s23 x }
    requires { rename_fo_term t s10 s13 = rename_fo_term t s20 s23 } =
    free_var_derive_equivalence_of_subst_fo_term t
      (subst_of_rename_symbol s10) (subst_of_rename_symbol s20)
      (subst_of_rename_fo_term s13) (subst_of_rename_fo_term s23);
    assert {
      forall x:'b0. (subst_of_rename_symbol s10 x:symbol 'c0) =
        (subst_of_rename_symbol s20 x:symbol 'c0) ->
        (Var_symbol (s10 x):symbol 'c0) = (Var_symbol (s20 x):symbol 'c0) &&
        s10 x = s20 x
      };
    assert {
      forall x:'b3. (subst_of_rename_fo_term s13 x:fo_term 'c0 'c3) =
        (subst_of_rename_fo_term s23 x:fo_term 'c0 'c3) ->
        (Var_fo_term (s13 x):fo_term 'c0 'c3) =
        (Var_fo_term (s23 x):fo_term 'c0 'c3) && s13 x = s23 x
      }


end
why3-1.6.0/examples/prover/Firstorder_term_spec/000077500000000000000000000000001440160026300217235ustar00rootroot00000000000000why3-1.6.0/examples/prover/Firstorder_term_spec/why3session.xml000066400000000000000000000675501440160026300247600ustar00rootroot00000000000000








 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
  
  
  
  
  
  
  
  
  
 
 
 
 
  
  
  
  
  
  
  
  
  
 
 
 
 
  
  
  
  
  
  
 
 
 
 
 
 
 
  
  
   
   
   
   
   
   
  
  
  
  
  
  
  
  
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
 
 
 
 
 
 
 
 
 
 
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
 
 
 
 
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
 
 
 
 
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
 
 
 
 
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
 
 



why3-1.6.0/examples/prover/Firstorder_term_spec/why3shapes.gz000066400000000000000000000314601440160026300243670ustar00rootroot00000000000000}Y$7~E>ξ>
%Ww' UiJB5N̊L+hgF9ׇ?×ϟ?o~i>-|_~;|7kz<}r~Ov~ƑU*o/>{3k775C/2|I~>qKa2D0*
0AG-D?/m!ّQ%,2}?Dh&O:Cdfu2q1ϣ}QOzֹ4%)xa\#׮1aJEhٟ?vнϟָm5)ǿi&8+65\氩RK(JTQ$kh_'h]$.)kp!ן}ۿ_
:R&s<Ւ,n!J*KxiSTv;'/dP\E@&mϯǹ9:kVjfK)]Ѭzg;89UMEAex#HFPȑdPqE>a<~p2ׯgJQSct&LLs>Ld|X9S6gMb7,5ԑU?>
I/z-y"}4t	qr??]d/4hv72LyMM{jGٸq7+O91k+k9/Wصո(Џtkv5?9X7⬩Z;63q+6se݋5i!rk:ryuhFB7=ޟNjI:
N&I}큾^O>bwqyMO6;
f#)lJ1bX	dŧ
UNh$۴adG9笘rVN9+b,¨‘
g|G
[-2nЂMS,B\,8kaGP7n5#ۢKv_Z_hMn0өү0=Ugt)߂"EU:%MG*Ӯ&e SpdhaJѶyR٣TG)VȱIrW~4Pb9o-m$穵ZȰ%*Rk9
eʏk[gr:'d3&bGL\y2M+Ӂph!l"
8 !y..>XW&*ZW.*@NH%̟	FDv>Q3NYs/hdȗ:]8+
#QDDE:8Pw>4؆iYS|s Cӵ3kSr
B\!F"zF1͒4L0I(9uIO҈fdGMOĭu"R~EiJWFϸg-n>M--58y8E_ۊ"ӣӼ|	H2}u[d=1Sm17wFq:^ah0G{im9͈3vX{Fqy_Pgߕ[;R.#
 5xރo|7v@Qr:0#Mr>&ӕ닠EsɨɀX/@F_wr+&hϲ:Gdx4:QsÌj)+hI#j=n4Oqcd*õ=,)}yv=P	k3{(5lrd7693hػx8S5a&G8|E-ۨcJfʣGKƦ[n4CO?GhU T;
IfN.B;,k}Pߵ6u.GJ$N=
B4RhB#>Ng9Ek\E!u.>
N_ՙ)Gˎ9nAj}rHݍ"u&DUdeHR2fF
Q2l
X6ZIW
uW+)WQUٕ`i?((6ǃI
cI+/7F%Uvv
\7\rE
Ra28 bhDq̮kqwXYXݖ1͛?SC;A1cOmQWK2cZqm=xҧA'F_2N{iIyLm)wn>(=\F1=I
4wCSs3{IaٿfV9p覊sN2ܟƚkznhE b;Z^otݸ
ʦn,[NM˻lnթ˚ţieH~CO#6ضeWGRiMOsa"^dK*T|d2q*.1Ϗ0q8śSdcY
89fw׼zEess-O)hk`2UEQB@1	ItǏGxP$b[;xi+~/啶s!ϩNbln}bs*u
D@3%)(lla)@5ZHZ;ӗO'h"
#1=_
KGmĨhmt=mӹJeϨ7mةti H)i#D3p?ޱ.ģ^CZYƿphX6ϑJ*di׼/-5?gJ?2={elo2ꚙK]⏥;;y||8-,ceTRi>3S9ߵ
a:y⏭5!9"fl6Uc(>Kkv!0_}_6ٶBp	
]'0h!51z8SdԄ}]M}{1⎗ʔ_m>x5mFAeg༚t@#NɀݡE)?.ėGkVk)ucO`x8ᚱ-%{Byqf(/>iNeVV>[\$?d"ZYcq,T?OB0cO ~iϷ]>3xGf:J"W٘DIcY~d>4cQ۪Š̤~oTY@_'aד!1	{H#fv|!]V	%w_H8=b]6uَbcj.0i`ro.l \(CwGqkp~gd~v~ReS׮ X4shD
^S3cw.)<-ޱNvWRk]yyBond	mBtMȲ]qCmсIBno|!~cIv~0y~ŀmeA&7c|IeBI[hYbV6leV")b`,ҏeT Ci#Hnh 
ցkUˀK#`%#EjOqӴ_z!
VzaY\2[{V8U|lSAK*>dwVEMRc*Ħ?lđ9eIrR34d#'0nLIo{
`n
UiN):"3_4Q#vBoگuI9Jʝf0,+
}X̬rrV_Ha/WvnUغXl8?O_[h_uBG,u /a>JOa%
%($[@kQm6^3aˏGgi?e385c]n:@l dRXɿYbcqGWPʤ@7x%{*yRP{uQ\xj	7^b)^ SzJp3c-W[Ԅ~ii:G/$|w*%`KT\]n?+nSbmqo0V @t䖙M~/wS_g%K7%8Az}HV֫mK_W7i˂ 0Q%0¤;P5薥Otr>OUWRNC*9H}x=*bʄ;tȗ.br<F3V!߈xh۞ܾD~eGU 1(e&%}iR(ɂcG(\^㹉z'\\3NFLMYQLHK6}l)l2(#jX[_"7Ң*bD,dZ9"gRHro
JFȚCqZPT
'oaxR„(]QJ1YL*J	l̍W̔V謙6롘U6eWvS%#j"*N"޿h1%[~ n
kE(#Ki
K*̂Id`ᶠD6Y0SvQ8zÊcL#`k\3[qO  Zo+QCT_>7$v[iW%1)Wn۽a@bE.N-'؁SD/mSNW០㱿6VڏzJ|Ҁ0myV[
dm9p{ӯ2"{no5d۶kT`oaxwD'mc 6߾"5Ej 5؎{9@
jub^
[V
[4Z
2Fcid9rA`TQ<=){jЏ޼U4{6s{]S]p0AXWtBO>-T޾Ey~:x~ZmOTŠlPw:>{'d!ӺƼL(dCDB&2퐉̵%{;nL
w6Fcc[.f֓:YOkI}.F!Cj-!w$6IW>?Vmn3ofG1a(Vzfс9^1Y[1HmїoYV'Vr-Ndrԗrj>~m]0!S7vQFSa܎cX6EtRAY33nb;9LK6'f9ھblAqDBBO(<:7ZeAߥߵaJ:i7Ÿѕۮ(7BP ՛4Lc&遀e18u7NHEea`]2LL/s~9c"o(k3'$~߉?衋o1XFĀ|]:Af

!AΜ|3'A/&1ɒtyMxmuQ]:lwo9[[3mI~ճ`r=̞ϔ1sh4|E""i_՗	+ٚ!٤*!5fAUN1TLHZŐ	zK=^xE &OץPTdr
]Ι/&YҶc̼xE6?t[~1V!'pǑHW$<ɝO<G8H
pgPUr3(c8C@p
;חs2{/Q0U`"qYI$2.}qPEdHϧ{=5lz$L޴Hf`xɧ9s=EPI)拠蚡gԖ@y7ڼ8PlC%%j5K4!{kͽ~MnZMȢAi.Uh;7t]AHf3'.|%m{@Öϛ
4.Fs
yEX+)cap
;a
**Vf3qImeh"źu	/.zzhiEܨg^:L֓bIfJf_)+Hy/,HXYy/gR8RQ4!kprJ4$VrJe WSp$n=&wA(b@I2"(HW$򼣀	+9( 
ܤj( Ō3*U`zϫկ[{񲂂 1"##3Qd9$4aD
f_)+Hy  ae1w eZ3ΠjOj%\
w
8v
2'/X}I@u!"C'~ħ,vO2`'8<}㼭$8|𥚕F

dZμi{#'BXXވx֤Vy%?ohǀuemec>CN|inDQYnsp(Q&Ĩyg8":#cAFAKc[ʣ'c)ͽv+0/;U7;AcLTD@yL\fKDNyF
(I0w*;ULt)bb3bhqJZl&ہr@۱
Z,K3ΝZ\x(]Z;8/ukh}G1Aٖ81Ȁէ}Siѹkl4z@)ʕ;^/w YVZ%:3SPcu[,("cB_-YX-Wx{d#"}.kNF0cE["&"E)SXQԠ(w*Jea[ˏ Z1=K|gbgr Z>?.3grgjг;l:El_ߕ-g}SE[`BO0|L\)꩜c=]KĶLTzZ%z%ľs4/|z9~ [+xE4!xc=jCiលF-ǩF+FkB-5!(¸{u.{=1J71}x`&6YBM!aTRh
eJpؠE*A	6t*FjK1giTkK{`@큚F=W+0-x`v`4YqJ*C!N:IySQABL=S
kD-5F2쁙!$P540ING1gUh2
sA.o
DXpF"RpUWhXͅ(r`LKRSrQC^c>oF4*rn(pi01z1[㵩(I@Z8|A"0Yk΂3 0sPT]o>
;GkGj5Wde5R܄+1qk%>%0T\Zr0b+h,'StWCD8 ^uV$Jhm4T}`ŵg ^"-@1p2v/0x`V{`kmlm3ö@
JKIJ`;D=y
	F԰`u`	*RW5P[,{,_
ƫxpPsi@Om,*Q/KV)['R#n	3/KӁ–ཽ	qq(*@7-4~jcFWA*4C >AL
-v
^TZW)BCL
W"g;?W"
e|bti0X;%(S:L#4V65H
g]u:_IPo5֬f]!1uJ˸j(&*]c,(ք}_'. LXka}6,JyZ[j28˼8W2)Z
p}HEA`w *QI	@'JJ>7T{g B-+PPJNJCTaY
!Mmf%1ЗWbUU3A9VTt:5&&+	^w-ol*kа<0B\aC\i=kՌ1h']9*IEXgA~Dz=*d~)UAci|˅qb+1: jbJ&:X\%*ÜU
woI	_ڟ
n
!d4`ӶG)L#LZ=8hWpkm/kUZ/s&=HUFx儭b3U[Uk)*Tj_	X^mEWT
DK!3*"q&x8lB`GeEzTN"]h`sA+6WTxxض7do{޲ԴAy%Le`~`0o (model int 'st) ;
  }

  type skolemization_list_return 'st = {
    skolemized_l : nlimpl_fo_formula_list ;
    skolem_bound_l : int ;
    ghost model_transformer_l : (model int 'st) -> (model int 'st) ;
  }

  type skolemization_env_return 'st = {
    skolemized_fv_list : nlimpl_fo_term_list ;
    ghost skolem_env : (list 'st) -> (int -> 'st) ;
  }

end

module Logic

  use Firstorder_formula_spec.Spec
  use Firstorder_term_spec.Spec
  use Firstorder_symbol_spec.Spec
  use Firstorder_formula_list_spec.Spec
  use Functions.Func
  use option.Option
  use OptionFuncs.Funcs

  predicate is_atom (phi:fo_formula 'ls 'b) = match phi with
    | PApp _ _ -> true
    | Not (PApp _ _) -> true
    | _ -> false
  end

  (* Negational normal form. *)

  predicate is_nnf (phi:fo_formula 'ls 'b) = match phi with
    | Not (PApp _ _) -> true
    | Not _ -> false
    | PApp _ _ -> true
    | And a b -> is_nnf a /\ is_nnf b
    | Or a b -> is_nnf a /\ is_nnf b
    | Forall a -> is_nnf a
    | Exists a -> is_nnf a
    | FTrue -> true
    | FFalse -> true
  end

  predicate is_nnf_list (phis:fo_formula_list 'ls 'b) = match phis with
    | FOFNil -> true
    | FOFCons x q -> is_nnf x /\ is_nnf_list q
  end

  let rec lemma is_nnf_subst (phi:fo_formula 'ls 'b) (f:'b -> (fo_term 'ls 'c)) : unit
    requires { is_nnf phi }
    ensures { is_nnf (subst_fo_formula phi subst_id_symbol f) }
    variant { size_fo_formula phi }
  =
    match phi with
      | Not (PApp p l) -> assert {
          subst_fo_formula phi subst_id_symbol f =
            Not (subst_fo_formula (PApp p l) subst_id_symbol f) =
            Not (PApp (subst_symbol p subst_id_symbol)
                      (subst_fo_term_list l subst_id_symbol f)) }
      | Not _ -> absurd
      | PApp _ _ -> ()
      | And a b -> is_nnf_subst a f ; is_nnf_subst b f
      | Or a b -> is_nnf_subst a f ; is_nnf_subst b f
      | Forall a -> is_nnf_subst a (olifts_fo_term f) ;
        assert { subst_fo_formula phi subst_id_symbol f =
          Forall (subst_fo_formula a subst_id_symbol (olifts_fo_term f)) }
      | Exists a -> is_nnf_subst a (olifts_fo_term f) ;
        assert { subst_fo_formula phi subst_id_symbol f =
          Exists (subst_fo_formula a subst_id_symbol (olifts_fo_term f)) }
      | FTrue -> ()
      | FFalse -> ()
    end

  let lemma is_nnf_renaming (phi:fo_formula 'ls 'b) (f:'b -> 'c) : unit
    requires { is_nnf phi }
    ensures { is_nnf (rename_fo_formula phi identity f) }
  =
    is_nnf_subst phi (rcompose f subst_id_fo_term)

  (* Simplified formula. *)

  predicate is_simpl (phi:fo_formula 'ls 'b) = match phi with
    | Not u -> is_simpl u
    | PApp _ _ -> true
    | And a b -> is_simpl a /\ is_simpl b
    | Or a b -> is_simpl a /\ is_simpl b
    | Forall a -> is_simpl a
    | Exists a -> is_simpl a
    | FTrue -> false
    | FFalse -> false
  end

  predicate is_simpl_list (phis:fo_formula_list 'ls 'b) = match phis with
    | FOFNil -> true
    | FOFCons x q -> is_simpl x /\ is_simpl_list q
  end

  let rec lemma is_simpl_subst (phi:fo_formula 'ls 'b) (f:'b -> (fo_term 'ls 'c)) : unit
    requires { is_simpl phi }
    ensures { is_simpl (subst_fo_formula phi subst_id_symbol f) }
    variant { size_fo_formula phi }
  =
    match phi with
      | Not u -> is_simpl_subst u f ;
        assert { subst_fo_formula phi subst_id_symbol f =
          Not (subst_fo_formula u subst_id_symbol f) }
      | PApp _ _ -> ()
      | And a b -> is_simpl_subst a f ; is_simpl_subst b f
      | Or a b -> is_simpl_subst a f ; is_simpl_subst b f
      | Forall a -> is_simpl_subst a (olifts_fo_term f) ;
        assert { subst_fo_formula phi subst_id_symbol f =
          Forall (subst_fo_formula a subst_id_symbol (olifts_fo_term f)) }
      | Exists a -> is_simpl_subst a (olifts_fo_term f) ;
        assert { subst_fo_formula phi subst_id_symbol f =
          Exists (subst_fo_formula a subst_id_symbol (olifts_fo_term f)) }
      | FTrue -> absurd
      | FFalse -> absurd
    end

  let lemma is_simpl_renaming (phi:fo_formula 'ls 'b) (f:'b -> 'c) : unit
    requires { is_simpl phi }
    ensures { is_simpl (rename_fo_formula phi identity f) }
  =
    is_simpl_subst phi (rcompose f subst_id_fo_term)

  (* Simplified formula, + true/false allowed at top. *)

  predicate is_simpl_extended (phi:fo_formula 'ls 'b) =
    is_simpl phi \/ phi = FTrue \/ phi = FFalse

  lemma is_simpl_extended_renaming :
    forall phi:fo_formula 'ls 'b,f:'b -> 'c.
      is_simpl_extended phi -> is_simpl_extended (rename_fo_formula phi identity f)

  predicate no_existential (phi:fo_formula 'ls 'b) = match phi with
      | Not u -> no_existential u
      | PApp _ _ -> true
      | And a b -> no_existential a /\ no_existential b
      | Or a b -> no_existential a /\ no_existential b
      | Forall a -> no_existential a
      | Exists _ -> false
      | FTrue -> true
      | FFalse -> true
    end

  predicate no_existential_list (phis:fo_formula_list 'ls 'b) = match phis with
    | FOFNil -> true
    | FOFCons x q -> no_existential x /\ no_existential_list q
  end

  let rec lemma no_existential_subst (phi:fo_formula 'ls 'b) (f:'b -> (fo_term 'ls 'c)) : unit
    requires { no_existential phi }
    ensures { no_existential (subst_fo_formula phi subst_id_symbol f) }
    variant { size_fo_formula phi }
  =
    match phi with
      | Not u -> no_existential_subst u f ;
        assert { subst_fo_formula phi subst_id_symbol f =
          Not (subst_fo_formula u subst_id_symbol f) }
      | PApp _ _ -> ()
      | And a b -> no_existential_subst a f ; no_existential_subst b f
      | Or a b -> no_existential_subst a f ; no_existential_subst b f
      | Forall a -> no_existential_subst a (olifts_fo_term f) ;
        assert { subst_fo_formula phi subst_id_symbol f =
          Forall (subst_fo_formula a subst_id_symbol (olifts_fo_term f)) }
      | Exists _ -> absurd
      | FTrue -> ()
      | FFalse -> ()
    end

  let lemma no_existential_renaming (phi:fo_formula 'ls 'b) (f:'b -> 'c) : unit
    requires { no_existential phi }
    ensures { no_existential (rename_fo_formula phi identity f) }
  =
    no_existential_subst phi (rcompose f subst_id_fo_term)

  (* Skolemization environment. *)

  use Choice.Choice
  use list.List

  (* Hack to force possibility of instantiation of extend_env
     definition axiom ! *)
  function extend_env_selection (g:(list 'st) -> ('b -> 'st))
    (x:'b) (y:'b) (z:'st) (q:list 'st) : 'st = if x = y then z else g q x
  (* Abstraction-definition axiom :
     function extend_env (g:(list 'st) -> ('b -> 'st) (y:'b) :
       (list 'st) -> ('b -> 'st) =
       (\ l:list 'st. (\ x:option 'b. match l with
         | Cons z q -> extend_env_selection g x y z q
         | Nil -> default ) ) *)
  function extend_env (g:(list 'st) -> ('b -> 'st)) (y:'b) :
    (list 'st) -> ('b -> 'st)
  axiom extend_env_def : forall g:(list 'st) -> ('b -> 'st),y:'b,
    l:list 'st,x:'b. extend_env g y l x =
    match l with
      | Cons z q -> extend_env_selection g x y z q
      | Nil -> default
    end

end

module Impl

  use Types
  use Logic
  use Functions.Func
  use import set.Set as S
  use Firstorder_formula_spec.Spec
  use Firstorder_formula_impl.Types
  use Firstorder_formula_impl.Logic
  use Firstorder_formula_impl.Impl
  use Firstorder_formula_list_spec.Spec
  use Firstorder_formula_list_impl.Impl
  use Firstorder_formula_list_impl.Logic
  use Firstorder_formula_list_impl.Types
  use Firstorder_term_spec.Spec
  use Firstorder_term_impl.Impl
  use Firstorder_term_impl.Logic
  use Firstorder_term_impl.Types
  use Firstorder_symbol_spec.Spec
  use Firstorder_symbol_impl.Impl
  use Firstorder_symbol_impl.Logic
  use Firstorder_symbol_impl.Types
  use list.List
  use option.Option
  use OptionFuncs.Funcs
  use Firstorder_semantics.Sem
  use bool.Bool
  use list.Mem
  use int.Int

  exception Unsat

  let smart_and (phi1 phi2:nlimpl_fo_formula) (ghost fvp:set int) (ghost st:'st) : nlimpl_fo_formula
    requires { nlimpl_fo_formula_ok phi1 }
    requires { forall x:int. is_fo_term_free_var_in_fo_formula x
      phi1.model_fo_formula_field -> S.mem x fvp }
    requires { nlimpl_fo_formula_ok phi2 }
    requires { forall x:int. is_fo_term_free_var_in_fo_formula x
      phi2.model_fo_formula_field -> S.mem x fvp }
    requires { is_simpl_extended phi1.model_fo_formula_field }
    requires { is_simpl_extended phi2.model_fo_formula_field }
    ensures { is_simpl_extended result.model_fo_formula_field }
    ensures { forall m:model int 'st,rho:int -> 'st.
      formula_semantic result.model_fo_formula_field m rho <->
      formula_semantic phi1.model_fo_formula_field m rho /\
      formula_semantic phi2.model_fo_formula_field m rho }
    ensures { is_nnf phi1.model_fo_formula_field /\
      is_nnf phi2.model_fo_formula_field ->
        is_nnf result.model_fo_formula_field }
    ensures { nlimpl_fo_formula_ok result }
    ensures { forall x:int. is_fo_term_free_var_in_fo_formula x
      result.model_fo_formula_field -> S.mem x fvp }
  =
    let phi1m = phi1.model_fo_formula_field in
    let phi2m = phi2.model_fo_formula_field in
    match destruct_fo_formula phi1 with
      | NLC_FFalse -> phi1
      | NLC_FTrue -> phi2
      | _ -> assert { phi1m <> FTrue } ; assert { phi1m <> FFalse } ;
        match destruct_fo_formula phi2 with
          | NLC_FFalse -> phi2
          | NLC_FTrue -> phi1
          | _ -> assert { phi2m <> FTrue } ; assert { phi2m <> FFalse } ;
            assert { is_simpl phi1m /\ is_simpl phi2m } ;
            let phi0 = construct_fo_formula (NLC_And phi1 phi2) in
            assert { phi0.model_fo_formula_field = And phi1m phi2m } ;
            phi0
        end
    end

  let smart_or (phi1 phi2:nlimpl_fo_formula) (ghost fvp:set int) (ghost st:'st) : nlimpl_fo_formula
    requires { nlimpl_fo_formula_ok phi1 }
    requires { forall x:int. is_fo_term_free_var_in_fo_formula x
      phi1.model_fo_formula_field -> S.mem x fvp }
    requires { nlimpl_fo_formula_ok phi2 }
    requires { forall x:int. is_fo_term_free_var_in_fo_formula x
      phi2.model_fo_formula_field -> S.mem x fvp }
    requires { is_simpl_extended phi1.model_fo_formula_field }
    requires { is_simpl_extended phi2.model_fo_formula_field }
    ensures { is_simpl_extended result.model_fo_formula_field }
    ensures { forall m:model int 'st,rho:int -> 'st.
      formula_semantic result.model_fo_formula_field m rho <->
      formula_semantic phi1.model_fo_formula_field m rho \/
      formula_semantic phi2.model_fo_formula_field m rho }
    ensures { is_nnf phi1.model_fo_formula_field /\
      is_nnf phi2.model_fo_formula_field ->
        is_nnf result.model_fo_formula_field }
    ensures { nlimpl_fo_formula_ok result }
    ensures { forall x:int. is_fo_term_free_var_in_fo_formula x
      result.model_fo_formula_field -> S.mem x fvp }
  =
    let phi1m = phi1.model_fo_formula_field in
    let phi2m = phi2.model_fo_formula_field in
    match destruct_fo_formula phi1 with
      | NLC_FTrue -> phi1
      | NLC_FFalse -> phi2
      | _ -> assert { phi1m <> FTrue } ; assert { phi1m <> FFalse } ;
        match destruct_fo_formula phi2 with
          | NLC_FTrue -> phi2
          | NLC_FFalse -> phi1
          | _ -> assert { phi2m <> FTrue } ; assert { phi2m <> FFalse } ;
            assert { is_simpl phi1m /\ is_simpl phi2m } ;
            let phi0 = construct_fo_formula (NLC_Or phi1 phi2) in
            assert { phi0.model_fo_formula_field = Or phi1m phi2m } ;
            phi0
        end
    end

  let smart_forall (x:int) (phi:nlimpl_fo_formula) (ghost fvp:set int) (ghost st:'st) : nlimpl_fo_formula
    requires { nlimpl_fo_formula_ok phi }
    requires { forall y:int. is_fo_term_free_var_in_fo_formula y
      phi.model_fo_formula_field -> S.mem y fvp \/ y = x }
    requires { is_simpl_extended phi.model_fo_formula_field }
    ensures { is_simpl_extended result.model_fo_formula_field }
    ensures { forall m:model int 'st,rho:int -> 'st.
      formula_semantic result.model_fo_formula_field m rho <->
      (forall xm:'st.
        let r = rcompose (some[x <- None]) (ocase rho xm) in
        formula_semantic phi.model_fo_formula_field m r) }
    ensures { is_nnf phi.model_fo_formula_field ->
        is_nnf result.model_fo_formula_field }
    ensures { nlimpl_fo_formula_ok result }
    ensures { forall y:int. is_fo_term_free_var_in_fo_formula y
      result.model_fo_formula_field -> S.mem y fvp }
  =
    let phim = phi.model_fo_formula_field in
    match destruct_fo_formula phi with
      | NLC_FFalse -> assert { phim = FFalse &&
        forall m:model int 'st,rho:int -> 'st.
          not(formula_semantic phim m rho) } ;
        phi
      | NLC_FTrue -> phi
      | _ -> assert { phim <> FTrue /\ phim <> FFalse && is_simpl phim } ;
        let phi0 = construct_fo_formula (NLC_Forall x phi) in
        let phi0m = phi0.model_fo_formula_field in
        let ghost phi1m = rename_fo_formula phim identity (some[x <- None]) in
        assert { phi0m = Forall phi1m } ;
        assert { forall xf:int.
          (forall y:int. is_fo_term_free_var_in_fo_formula y phim /\
            eval (some[x<-None]) y = Some xf -> y <> x &&
            Some xf = Some y && xf = y) && is_fo_term_free_var_in_fo_formula xf phi0m ->
          is_fo_term_free_var_in_fo_formula (Some xf) phi1m &&
          (exists y:int. is_fo_term_free_var_in_fo_formula y phim /\
            eval (some[x <- None]) y = Some xf) && is_fo_term_free_var_in_fo_formula xf phim
            && xf <> x && S.mem xf fvp } ;
        phi0
    end

  let smart_exists (x:int) (phi:nlimpl_fo_formula) (ghost fvp:set int) (ghost st:'st) : nlimpl_fo_formula
    requires { nlimpl_fo_formula_ok phi }
    requires { forall y:int. is_fo_term_free_var_in_fo_formula y phi.model_fo_formula_field
      -> S.mem y fvp \/ y = x }
    requires { is_simpl_extended phi.model_fo_formula_field }
    ensures { is_simpl_extended result.model_fo_formula_field }
    ensures { forall m:model int 'st,rho:int -> 'st.
      formula_semantic result.model_fo_formula_field m rho <->
      (exists xm:'st.
        let r = rcompose (some[x <- None]) (ocase rho xm) in
        formula_semantic phi.model_fo_formula_field m r) }
    ensures { is_nnf phi.model_fo_formula_field ->
        is_nnf result.model_fo_formula_field }
    ensures { nlimpl_fo_formula_ok result }
    ensures { forall y:int. is_fo_term_free_var_in_fo_formula y result.model_fo_formula_field
      -> S.mem y fvp }
  =
    let phim = phi.model_fo_formula_field in
    match destruct_fo_formula phi with
      | NLC_FFalse -> phi
      | NLC_FTrue -> assert { phim = FTrue /\
        forall m:model int 'st,rho:int -> 'st.
          formula_semantic phim m rho } ;
        phi
      | _ -> assert { phim <> FTrue /\ phim <> FFalse && is_simpl phim } ;
        let phi0 = construct_fo_formula (NLC_Exists x phi) in
        let phi0m = phi0.model_fo_formula_field in
        let ghost phi1m = rename_fo_formula phim identity (some[x <- None]) in
        assert { phi0m = Exists phi1m } ;
        assert { forall xf:int.
          (forall y:int. is_fo_term_free_var_in_fo_formula y phim /\
            eval (some[x<-None]) y = Some xf -> y <> x &&
            Some xf = Some y && xf = y) && (is_fo_term_free_var_in_fo_formula xf phi0m ->
          is_fo_term_free_var_in_fo_formula (Some xf) phi1m &&
          (exists y:int. is_fo_term_free_var_in_fo_formula y phim /\
            eval (some[x <- None]) y = Some xf) && is_fo_term_free_var_in_fo_formula xf phim
            && xf <> x && S.mem xf fvp) && (is_fo_term_free_var_in_fo_formula xf phi0m ->
            S.mem xf fvp) } ;
        phi0
    end

  (* Put in negational normal form and
     simplify formula (e.g. true/false removal/propagation to toplevel) *)

  let rec nnf_simpl (phi:nlimpl_fo_formula) (ghost fvp:set int) (ghost st:'st) : nlimpl_fo_formula
    requires { nlimpl_fo_formula_ok phi }
    requires { forall x:int.
      is_fo_term_free_var_in_fo_formula x phi.model_fo_formula_field -> S.mem x fvp }
    ensures { nlimpl_fo_formula_ok result }
    ensures { forall x:int.
      is_fo_term_free_var_in_fo_formula x result.model_fo_formula_field -> S.mem x fvp }
    ensures { forall m:model int 'st, rho:int -> 'st.
      formula_semantic phi.model_fo_formula_field m rho <->
      formula_semantic result.model_fo_formula_field m rho }
    ensures { is_nnf result.model_fo_formula_field }
    ensures { is_simpl_extended result.model_fo_formula_field }
    variant { size_fo_formula phi.model_fo_formula_field }
  =
    let phim = phi.model_fo_formula_field in
    match destruct_fo_formula phi with
      | NLC_PApp p l -> phi
      | NLC_Not phi' -> assert { forall x:int.
        is_fo_term_free_var_in_fo_formula x phi'.model_fo_formula_field ->
        is_fo_term_free_var_in_fo_formula x phim && S.mem x fvp } ;
        nnf_neg_simpl phi' fvp st
      | NLC_And phi1 phi2 -> let phi'1 = nnf_simpl phi1 fvp st in
        let phi'2 = nnf_simpl phi2 fvp st in
        smart_and phi'1 phi'2 fvp st
      | NLC_Or phi1 phi2 -> let phi'1 = nnf_simpl phi1 fvp st in
        let phi'2 = nnf_simpl phi2 fvp st in
        smart_or phi'1 phi'2 fvp st
      | NLC_FTrue -> phi
      | NLC_FFalse -> phi
      | NLC_Forall x phi0 ->
        let phi0m = phi0.model_fo_formula_field in
        let ghost phi1m = rename_fo_formula phi0m identity (some[x<-None]) in
        assert { phim = Forall phi1m } ;
        assert { phi0m = rename_fo_formula phi1m identity (ocase identity x) };
        let ghost fvp' = S.add x fvp in
        assert { forall xf:int.
          (forall y:option int. is_fo_term_free_var_in_fo_formula y phi1m /\
           ocase identity x y = xf -> match y with None -> x = xf && S.mem xf fvp'
             | Some y -> y = xf && is_fo_term_free_var_in_fo_formula y phim &&
               S.mem xf fvp && S.mem xf fvp' end && S.mem xf fvp') &&
          (is_fo_term_free_var_in_fo_formula xf phi0m ->
           (exists y:option int. is_fo_term_free_var_in_fo_formula y phi1m /\
             ocase identity x y = xf) && S.mem xf fvp') &&
          (is_fo_term_free_var_in_fo_formula xf phi0m -> S.mem xf fvp') };
        let phi' = nnf_simpl phi0 fvp' st in
        let phi'' = smart_forall x phi' fvp st in
        phi''
      | NLC_Exists x phi0 ->
        let phi0m = phi0.model_fo_formula_field in
        let ghost phi1m = rename_fo_formula phi0m identity (some[x<-None]) in
        assert { phim = Exists phi1m } ;
        assert { phi0m = rename_fo_formula phi1m identity (ocase identity x) };
        let ghost fvp' = S.add x fvp in
        assert { forall xf:int.
          (forall y:option int. is_fo_term_free_var_in_fo_formula y phi1m /\
           ocase identity x y = xf -> match y with None -> x = xf && S.mem xf fvp'
             | Some y -> y = xf && is_fo_term_free_var_in_fo_formula y phim &&
               S.mem xf fvp && S.mem xf fvp' end && S.mem xf fvp') &&
          (is_fo_term_free_var_in_fo_formula xf phi0m ->
           (exists y:option int. is_fo_term_free_var_in_fo_formula y phi1m /\
             ocase identity x y = xf) && S.mem xf fvp') &&
          (is_fo_term_free_var_in_fo_formula xf phi0m -> S.mem xf fvp') };

        let phi' = nnf_simpl phi0 fvp' st in
        let phi'' = smart_exists x phi' fvp st in
        phi''
    end

  with nnf_neg_simpl (phi:nlimpl_fo_formula) (ghost fvp:set int) (ghost st:'st) : nlimpl_fo_formula
    requires { nlimpl_fo_formula_ok phi }
    requires { forall x:int. is_fo_term_free_var_in_fo_formula x
      phi.model_fo_formula_field -> S.mem x fvp }
    ensures { nlimpl_fo_formula_ok result }
    ensures { forall x:int. is_fo_term_free_var_in_fo_formula x
      result.model_fo_formula_field -> S.mem x fvp }
    ensures { forall m:model int 'st, rho:int -> 'st.
      formula_semantic phi.model_fo_formula_field m rho <->
      not(formula_semantic result.model_fo_formula_field m rho) }
    ensures { is_nnf result.model_fo_formula_field }
    ensures { is_simpl_extended result.model_fo_formula_field }
    variant { size_fo_formula phi.model_fo_formula_field }
  =
    let phim = phi.model_fo_formula_field in
    match destruct_fo_formula phi with
      | NLC_PApp p l -> construct_fo_formula (NLC_Not phi)
      | NLC_Not phi' -> nnf_simpl phi' fvp st
      | NLC_And phi1 phi2 -> let phi'1 = nnf_neg_simpl phi1 fvp st in
        let phi'2 = nnf_neg_simpl phi2 fvp st in
        smart_or phi'1 phi'2 fvp st
      | NLC_Or phi1 phi2 -> let phi'1 = nnf_neg_simpl phi1 fvp st in
        let phi'2 = nnf_neg_simpl phi2 fvp st in
        smart_and phi'1 phi'2 fvp st
      | NLC_FTrue -> construct_fo_formula NLC_FFalse
      | NLC_FFalse -> construct_fo_formula NLC_FTrue
      | NLC_Forall x phi0 ->
        let phi0m = phi0.model_fo_formula_field in
        let ghost phi1m = rename_fo_formula phi0m identity (some[x<-None]) in
        assert { phim = Forall phi1m } ;
        assert { phi0m = rename_fo_formula phi1m identity (ocase identity x) };
        let ghost fvp' = S.add x fvp in
        assert { forall xf:int.
          (forall y:option int. is_fo_term_free_var_in_fo_formula y phi1m /\
           ocase identity x y = xf -> match y with None -> x = xf && S.mem xf fvp'
             | Some y -> y = xf && is_fo_term_free_var_in_fo_formula y phim &&
               S.mem xf fvp && S.mem xf fvp' end && S.mem xf fvp') &&
          (is_fo_term_free_var_in_fo_formula xf phi0m ->
           (exists y:option int. is_fo_term_free_var_in_fo_formula y phi1m /\
             ocase identity x y = xf) && S.mem xf fvp') &&
          (is_fo_term_free_var_in_fo_formula xf phi0m -> S.mem xf fvp') };
        let phi' = nnf_neg_simpl phi0 fvp' st in
        let phi'' = smart_exists x phi' fvp st in
        phi''
      | NLC_Exists x phi0 ->
        let phi0m = phi0.model_fo_formula_field in
        let ghost phi1m = rename_fo_formula phi0m identity (some[x<-None]) in
        assert { phim = Exists phi1m } ;
        assert { phi0m = rename_fo_formula phi1m identity (ocase identity x) };
        let ghost fvp' = S.add x fvp in
        assert { forall xf:int.
          (forall y:option int. is_fo_term_free_var_in_fo_formula y phi1m /\
           ocase identity x y = xf -> match y with None -> x = xf && S.mem xf fvp'
             | Some y -> y = xf && is_fo_term_free_var_in_fo_formula y phim &&
               S.mem xf fvp && S.mem xf fvp' end && S.mem xf fvp') &&
          (is_fo_term_free_var_in_fo_formula xf phi0m ->
           (exists y:option int. is_fo_term_free_var_in_fo_formula y phi1m /\
             ocase identity x y = xf) && S.mem xf fvp') &&
          (is_fo_term_free_var_in_fo_formula xf phi0m -> S.mem xf fvp') };

        let phi' = nnf_neg_simpl phi0 fvp' st in
        let phi'' = smart_forall x phi' fvp st in
        phi''
    end

  (* gnum : take care of eliminated starting points. *)
  let rec nnf_simpl_list (phis:nlimpl_fo_formula_list) (gnum:int)
    (ghost fvp:set int) (ghost st:'st) :  (nlimpl_fo_formula_list,int)
    requires { nlimpl_fo_formula_list_ok phis }
    requires { forall x:int. is_fo_term_free_var_in_fo_formula_list x
      phis.model_fo_formula_list_field -> S.mem x fvp }
    returns { (rs,_) -> nlimpl_fo_formula_list_ok rs }
    returns { (rs,_) -> forall x:int. is_fo_term_free_var_in_fo_formula_list x
      rs.model_fo_formula_list_field -> S.mem x fvp }
    returns { (rs,_) -> forall m:model int 'st,rho:int -> 'st.
      formula_list_conj_semantic phis.model_fo_formula_list_field m rho <->
        formula_list_conj_semantic rs.model_fo_formula_list_field m rho }
    returns { (rs,_) -> is_nnf_list rs.model_fo_formula_list_field }
    returns { (rs,_) -> is_simpl_list rs.model_fo_formula_list_field }
    raises { Unsat -> forall m:model int 'st,rho:int -> 'st.
      not(formula_list_conj_semantic phis.model_fo_formula_list_field m rho) }
    variant { size_fo_formula_list phis.model_fo_formula_list_field }
  =
    let phism = phis.model_fo_formula_list_field in
    match destruct_fo_formula_list phis with
      | NLC_FOFNil -> (phis,gnum)
      | NLC_FOFCons phi q ->
        let phim = phi.model_fo_formula_field in
        let qm = q.model_fo_formula_list_field in
        assert { phism = FOFCons phim qm } ;
        let (q',gnum') = nnf_simpl_list q (gnum-1) fvp st in
        let phi' = nnf_simpl phi fvp st in
        let phi'_m = phi'.model_fo_formula_field in
        let q'_m = q'.model_fo_formula_list_field in
        match destruct_fo_formula phi' with
          | NLC_FTrue -> (q',if gnum > 0 then gnum' else gnum'+1)
          | NLC_FFalse -> raise Unsat
          | _ -> assert { is_simpl phi'.model_fo_formula_field } ;
            let res = construct_fo_formula_list (NLC_FOFCons phi' q') in
            let resm = res.model_fo_formula_list_field in
            assert { resm = FOFCons phi'_m q'_m } ;
            (res,gnum'+1)
        end
    end

  use ISet.Logic
  use ISet.Impl
  use Choice.Choice

  let rec term_free_vars (t:nlimpl_fo_term) (ghost fvp:set int) : list int
    requires { nlimpl_fo_term_ok t }
    requires { forall x:int. is_fo_term_free_var_in_fo_term x t.model_fo_term_field ->
      S.mem x fvp }
    ensures { forall x:int.
      is_fo_term_free_var_in_fo_term x t.model_fo_term_field ->
       mem x result }
    ensures { forall x:int. mem x result -> S.mem x fvp }
    ensures { iset_ok result }
    variant { size_fo_term t.model_fo_term_field }
  =
    match destruct_fo_term t with
      | NLCVar_fo_term x -> Cons x Nil
      | NLC_App _ l -> term_list_free_vars l fvp
    end

  with term_list_free_vars (l:nlimpl_fo_term_list) (ghost fvp:set int): list int
    requires { nlimpl_fo_term_list_ok l }
    requires { forall x:int.
      is_fo_term_free_var_in_fo_term_list x l.model_fo_term_list_field ->
        S.mem x fvp }
    ensures { forall x:int.
      is_fo_term_free_var_in_fo_term_list x l.model_fo_term_list_field ->
        mem x result }
    ensures { forall x:int. mem x result -> S.mem x fvp }
    ensures { iset_ok result }
    variant { size_fo_term_list l.model_fo_term_list_field }
  =
    match destruct_fo_term_list l with
      | NLC_FONil -> Nil
      | NLC_FOCons t q -> merge (term_free_vars t fvp) (term_list_free_vars q fvp)
    end

  let rec skolem_parameters (l:list int) (acc:skolemization_env_return 'st)
    (ghost fvp:set int) : skolemization_env_return 'st
    requires { iset_ok l }
    requires { forall x:int. mem x l -> S.mem x fvp }
    requires { nlimpl_fo_term_list_ok acc.skolemized_fv_list }
    requires { forall x:int. is_fo_term_free_var_in_fo_term_list x
      acc.skolemized_fv_list.model_fo_term_list_field -> S.mem x fvp }
    requires { forall x:int. not(mem x l /\
      is_fo_term_free_var_in_fo_term_list x
        acc.skolemized_fv_list.model_fo_term_list_field) }
    requires { forall x:int,m:model int 'st,rho:int -> 'st.
      is_fo_term_free_var_in_fo_term_list x
        acc.skolemized_fv_list.model_fo_term_list_field ->
      eval acc.skolem_env (term_list_semantic
        acc.skolemized_fv_list.model_fo_term_list_field m rho) x =
        rho x }
    requires { forall f:int. not(is_symbol_free_var_in_fo_term_list f
      acc.skolemized_fv_list.model_fo_term_list_field) }
    ensures { nlimpl_fo_term_list_ok result.skolemized_fv_list }
    ensures { forall x:int. is_fo_term_free_var_in_fo_term_list x
      result.skolemized_fv_list.model_fo_term_list_field -> S.mem x fvp }
    ensures { forall x:int,m:model int 'st,rho:int -> 'st.
      mem x l \/ is_fo_term_free_var_in_fo_term_list x
        acc.skolemized_fv_list.model_fo_term_list_field ->
      eval result.skolem_env (term_list_semantic
        result.skolemized_fv_list.model_fo_term_list_field m rho) x =
        rho x }
    ensures { forall x:int. is_fo_term_free_var_in_fo_term_list x
      result.skolemized_fv_list.model_fo_term_list_field ->
      mem x l \/ is_fo_term_free_var_in_fo_term_list x
        acc.skolemized_fv_list.model_fo_term_list_field }
    ensures { forall f:int. not(is_symbol_free_var_in_fo_term_list f
      result.skolemized_fv_list.model_fo_term_list_field) }
    variant { l }
  =
    match l with
      | Nil -> acc
      | Cons x q -> let accl = acc.skolemized_fv_list in
        let skenv = acc.skolem_env in
        let varx = construct_fo_term (NLCVar_fo_term x) in
        let accl' = construct_fo_term_list (NLC_FOCons varx accl) in
        let (acclm,accl'_m) = (accl.model_fo_term_list_field ,accl'.model_fo_term_list_field) in
        assert { accl'_m = FOCons (Var_fo_term x) acclm } ;
        let ghost skenv' = extend_env skenv x in
        let acc' = {
          skolemized_fv_list = accl' ;
          skolem_env = skenv'
        } in
        skolem_parameters q acc' fvp
    end

  (* Not sufficient yet. *)

  let rec skolemize (phi:nlimpl_fo_formula) (skb:int) (b:bool)
    (ghost fvp:set int) : skolemization_return 'st
    requires { nlimpl_fo_formula_ok phi }
    requires { forall x:int. is_fo_term_free_var_in_fo_formula x
      phi.model_fo_formula_field -> S.mem x fvp }
    requires { is_simpl phi.model_fo_formula_field }
    requires { is_nnf phi.model_fo_formula_field }
    requires { forall ls:int.
      is_symbol_free_var_in_fo_formula ls phi.model_fo_formula_field -> ls < skb }
    ensures { nlimpl_fo_formula_ok result.skolemized }
    ensures { forall x:int. is_fo_term_free_var_in_fo_formula x
      result.skolemized.model_fo_formula_field -> S.mem x fvp }
    ensures { result.skolem_bound >= skb }
    ensures { forall ls:int.
      is_symbol_free_var_in_fo_formula ls result.skolemized.model_fo_formula_field ->
        ls < result.skolem_bound }
    ensures { is_nnf result.skolemized.model_fo_formula_field }
    ensures { is_simpl result.skolemized.model_fo_formula_field }
    ensures { no_existential result.skolemized.model_fo_formula_field }
    ensures { forall m:model int 'st, rho:int -> 'st.
      formula_semantic phi.model_fo_formula_field m rho ->
      formula_semantic result.skolemized.model_fo_formula_field
        (eval result.model_transformer m) rho }
    (* Completeness concern.
    ensures { forall m:model int 'st, rho:int -> 'st.
      formula_semantic result.skolemized.model_fo_formula_field m rho ->
      formula_semantic phi.model_fo_formula_field m rho
     *)
    ensures { forall m:model int 'st, ls:int.
      ls < skb -> eval m.interp_fun ls =
        eval (eval result.model_transformer m).interp_fun ls }
    ensures { forall m:model int 'st.
      m.interp_pred = (eval result.model_transformer m).interp_pred }
    ensures { forall x:int. b = True ->
      is_fo_term_free_var_in_fo_formula x result.skolemized.model_fo_formula_field ->
        mem x result.free_var_list }
    ensures { iset_ok result.free_var_list }
    ensures { forall x:int. b = True -> mem x result.free_var_list -> S.mem x fvp }
    variant { size_fo_formula phi.model_fo_formula_field }
  =
    let phim = phi.model_fo_formula_field in
    match destruct_fo_formula phi with
      | NLC_PApp _ l -> { skolemized = phi ;
        skolem_bound = skb ;
        model_transformer = identity ;
        free_var_list = if b
          then term_list_free_vars l fvp
          else Nil }
      | NLC_Not phi' -> let phi'_m = phi'.model_fo_formula_field in
        assert { phim = Not phi'_m } ;
        assert { match phi'_m with
        | PApp _ _ -> true | _ -> false end } ;
        { skolemized = phi ;
          skolem_bound = skb ;
          model_transformer = identity ;
          free_var_list = if b
            then match destruct_fo_formula phi' with
                | NLC_PApp _ l -> term_list_free_vars l fvp
                | _ -> absurd
              end
            else Nil }
      | NLC_And phi1 phi2 ->
        let phi1m = phi1.model_fo_formula_field in
        let phi2m = phi2.model_fo_formula_field in
        assert { phim = And phi1m phi2m } ;
        assert { forall ls:int. is_symbol_free_var_in_fo_formula ls phi1m ->
          is_symbol_free_var_in_fo_formula ls phim } ;
        assert { forall ls:int. is_symbol_free_var_in_fo_formula ls phi2m ->
          is_symbol_free_var_in_fo_formula ls phim } ;
        let res1 = skolemize phi1 skb b fvp in
        let res2 = skolemize phi2 res1.skolem_bound b fvp in
        let res1m = res1.skolemized.model_fo_formula_field in
        let res2m = res2.skolemized.model_fo_formula_field in
        let skr = construct_fo_formula (NLC_And res1.skolemized res2.skolemized) in
        let skrm = skr.model_fo_formula_field in
        let (res1f,res2f) = (res1.model_transformer,res2.model_transformer) in
        let ghost transf = rcompose res1f res2f in
        let fvlist = merge res1.free_var_list res2.free_var_list in
        assert { skrm = And res1m res2m } ;
        assert { forall m:model int 'st.
          m.interp_pred = (res1f m).interp_pred =
          (transf m).interp_pred } ;
        assert { forall m:model int 'st, ls:int.
          ls < skb ->
            eval m.interp_fun ls = eval (res1f m).interp_fun ls
              = eval (transf m).interp_fun ls } ;
        assert { forall m:model int 'st,rho:int -> 'st.
          formula_semantic res1m m rho <->
            formula_semantic res1m (res2f m) rho } ;
        assert { forall m:model int 'st,rho:int -> 'st.
          formula_semantic phi2m m rho <->
            formula_semantic phi2m (res1f m) rho } ;
        assert { forall m:model int 'st,rho:int -> 'st.
          transf m = res2f (res1f m) &&
          (formula_semantic phi1m m rho ->
            formula_semantic res1m (res1f m) rho &&
            formula_semantic res1m (transf m) rho) /\
          (formula_semantic phi2m m rho ->
            formula_semantic phi2m (res1f m) rho &&
            formula_semantic res2m (transf m) rho) } ;
        assert { forall x:int. is_fo_term_free_var_in_fo_formula x skrm ->
          (is_fo_term_free_var_in_fo_formula x res1m \/
           is_fo_term_free_var_in_fo_formula x res2m) &&
          S.mem x fvp } ;
        { skolemized = skr ;
          skolem_bound = res2.skolem_bound ;
          model_transformer = transf ;
          free_var_list = fvlist }
      | NLC_Or phi1 phi2 ->
        let phi1m = phi1.model_fo_formula_field in
        let phi2m = phi2.model_fo_formula_field in
        assert { phim = Or phi1m phi2m } ;
        assert { forall ls:int. is_symbol_free_var_in_fo_formula ls phi1m ->
          is_symbol_free_var_in_fo_formula ls phim } ;
        assert { forall ls:int. is_symbol_free_var_in_fo_formula ls phi2m ->
          is_symbol_free_var_in_fo_formula ls phim } ;
        let res1 = skolemize phi1 skb b fvp in
        let res2 = skolemize phi2 res1.skolem_bound b fvp in
        let res1m = res1.skolemized.model_fo_formula_field in
        let res2m = res2.skolemized.model_fo_formula_field in
        let skr = construct_fo_formula (NLC_Or res1.skolemized res2.skolemized) in
        let skrm = skr.model_fo_formula_field in
        let (res1f,res2f) = (res1.model_transformer,res2.model_transformer) in
        let ghost transf = rcompose res1f res2f in
        let fvlist = merge res1.free_var_list res2.free_var_list in
        assert { skrm = Or res1m res2m } ;
        assert { forall m:model int 'st.
          m.interp_pred = (res1f m).interp_pred =
          (transf m).interp_pred } ;
        assert { forall m:model int 'st, ls:int.
          ls < skb ->
            eval m.interp_fun ls = eval (res1f m).interp_fun ls
              = eval (transf m).interp_fun ls } ;
        assert { forall m:model int 'st,rho:int -> 'st.
          formula_semantic res1m m rho <->
            formula_semantic res1m (res2f m) rho } ;
        assert { forall m:model int 'st,rho:int -> 'st.
          formula_semantic phi2m m rho <->
            formula_semantic phi2m (res1f m) rho } ;
        assert { forall m:model int 'st,rho:int -> 'st.
          transf m = res2f (res1f m) &&
          (formula_semantic phi1m m rho ->
            formula_semantic res1m (res1f m) rho &&
            formula_semantic res1m (transf m) rho) /\
          (formula_semantic phi2m m rho ->
            formula_semantic phi2m (res1f m) rho &&
            formula_semantic res2m (transf m) rho) } ;
        assert { forall x:int. is_fo_term_free_var_in_fo_formula x skrm ->
          (is_fo_term_free_var_in_fo_formula x res1m
            \/ is_fo_term_free_var_in_fo_formula x res2m) &&
          S.mem x fvp } ;
        { skolemized = skr ;
          skolem_bound = res2.skolem_bound ;
          model_transformer = transf ;
          free_var_list = fvlist }
      | NLC_FTrue -> absurd
      | NLC_FFalse -> absurd
      | NLC_Forall x phi0 ->
        let phi0m = phi0.model_fo_formula_field in
        let ghost r0 = some[x <- None] in
        let ghost phi1m = rename_fo_formula phi0m identity r0 in
        assert { phim = Forall phi1m } ;
        assert { phi0m = rename_fo_formula phi1m identity (ocase identity x) } ;
        assert { forall ls:int.
          (is_symbol_free_var_in_fo_formula ls phi1m <->
          is_symbol_free_var_in_fo_formula ls phi0m) &&
          (is_symbol_free_var_in_fo_formula ls phim <->
          is_symbol_free_var_in_fo_formula ls phi0m) } ;
        let ghost fvp' = S.add x fvp in
        assert { forall xf:int.
          (forall y:option int. is_fo_term_free_var_in_fo_formula y phi1m /\
           ocase identity x y = xf -> match y with None -> x = xf && S.mem xf fvp'
             | Some y -> y = xf && is_fo_term_free_var_in_fo_formula y phim &&
               S.mem xf fvp && S.mem xf fvp' end && S.mem xf fvp') &&
          (is_fo_term_free_var_in_fo_formula xf phi0m ->
           (exists y:option int. is_fo_term_free_var_in_fo_formula y phi1m /\
             ocase identity x y = xf) && S.mem xf fvp') &&
          (is_fo_term_free_var_in_fo_formula xf phi0m -> S.mem xf fvp') };
        let res = skolemize phi0 skb b fvp' in
        let resm = res.skolemized.model_fo_formula_field in
        let ghost res1m = rename_fo_formula resm identity r0 in
        let skr = construct_fo_formula (NLC_Forall x res.skolemized) in
        let skrm = skr.model_fo_formula_field in
        let fvl = remove x res.free_var_list in
        let transf = res.model_transformer in
        assert { skrm = Forall res1m } ;
        assert { forall ls:int.
          (is_symbol_free_var_in_fo_formula ls res1m <->
           (exists ls':int.
             is_symbol_free_var_in_fo_formula ls' resm /\ identity ls' = ls)) &&
          (is_symbol_free_var_in_fo_formula ls res1m <->
           is_symbol_free_var_in_fo_formula ls resm) } ;
        assert { forall m:model int 'st, rho:int -> 'st, xm:'st.
            formula_semantic phi1m m (ocase rho xm) ->
              formula_semantic phi0m m (rcompose r0 (ocase rho xm)) &&
              formula_semantic resm (transf m) (rcompose r0 (ocase rho xm)) &&
              formula_semantic res1m (transf m) (ocase rho xm)
          } ;
        assert { forall y:int.
          is_fo_term_free_var_in_fo_formula (Some y) res1m ->
            (forall z:int.
              is_fo_term_free_var_in_fo_formula z resm /\ r0 z = Some y ->
                z <> x && z = y ) &&
            (is_fo_term_free_var_in_fo_formula y resm /\ y <> x)
            && ((b = True -> mem y fvl) /\ (S.mem y fvp' && S.mem y fvp))
          } ;
        { skolemized = skr ;
          skolem_bound = res.skolem_bound ;
          model_transformer = transf ;
          free_var_list = fvl }
      | NLC_Exists x phi0 ->
        let phi0m = phi0.model_fo_formula_field in
        let ghost r0 = some[x <- None] in
        let ghost phi1m = rename_fo_formula phi0m identity r0 in
        assert { phim = Exists phi1m } ;
        assert { forall ls:int.
          (is_symbol_free_var_in_fo_formula ls phi1m <->
          is_symbol_free_var_in_fo_formula ls phi0m) &&
          (is_symbol_free_var_in_fo_formula ls phim <->
          is_symbol_free_var_in_fo_formula ls phi0m) } ;
        let ghost fvp' = S.add x fvp in
        assert { phi0m = rename_fo_formula phi1m identity (ocase identity x) } ;
        assert { forall xf:int.
          (forall y:option int. is_fo_term_free_var_in_fo_formula y phi1m /\
           ocase identity x y = xf -> match y with None -> x = xf && S.mem xf fvp'
             | Some y -> y = xf && is_fo_term_free_var_in_fo_formula y phim &&
               S.mem xf fvp && S.mem xf fvp' end && S.mem xf fvp') &&
          (is_fo_term_free_var_in_fo_formula xf phi0m ->
           (exists y:option int. is_fo_term_free_var_in_fo_formula y phi1m /\
             ocase identity x y = xf) && S.mem xf fvp') &&
          (is_fo_term_free_var_in_fo_formula xf phi0m -> S.mem xf fvp') };
        let res = skolemize phi0 skb True fvp' in
        let resm = res.skolemized.model_fo_formula_field in
        let ghost res1m = rename_fo_formula resm identity r0 in
        let fvl = res.free_var_list in
        let fvl = remove x fvl in
        let skb' = res.skolem_bound in
        let fonil = construct_fo_term_list NLC_FONil in
        assert { fonil.model_fo_term_list_field = FONil } ;
        let skenv = skolem_parameters fvl { skolemized_fv_list = fonil ; skolem_env = default } fvp in
        let skparams = skenv.skolemized_fv_list in
        let skenv = skenv.skolem_env in
        let skparamsm = skparams.model_fo_term_list_field in
        assert { forall y:int.
          is_fo_term_free_var_in_fo_formula (Some y) res1m ->
            (forall z:int.
              is_fo_term_free_var_in_fo_formula z resm /\ r0 z = Some y ->
              z <> x && z = y ) &&
            (is_fo_term_free_var_in_fo_formula y resm /\ y <> x) && mem y fvl } ;
        let transf = skolem_model_transformer res1m skb' skparamsm skenv in
        let symb = construct_symbol (NLCVar_symbol skb') in
        assert { symb.model_symbol_field = Var_symbol skb' } ;
        let skolemf = construct_fo_term (NLC_App symb skparams) in
        let skolemfm = skolemf.model_fo_term_field in
        assert { skolemfm = App (Var_symbol skb') skparamsm } ;
        let phir = nlsubst_fo_term_in_fo_formula res.skolemized x skolemf in
        let phirm = phir.model_fo_formula_field in
        let resf = res.model_transformer in
        let ghost transf2 = rcompose resf transf in
        (* sat (Exists phi1m) -> sat (Exists res1m). *)
        assert { forall m:model int 'st, rho:int -> 'st, xm:'st.
            formula_semantic phi1m m (ocase rho xm) ->
              formula_semantic phi0m m (rcompose r0 (ocase rho xm)) &&
              formula_semantic resm (resf m) (rcompose r0 (ocase rho xm)) &&
              formula_semantic res1m (resf m) (ocase rho xm)
          } ;
        assert { forall m:model int 'st, rho:int -> 'st.
          formula_semantic phim m rho ->
          formula_semantic (Exists res1m) (resf m) rho } ;
        (* sat (Exists res1m) -> sat phir. *)
        let ghost sub1 = subst_id_fo_term[x <- skolemfm] in
        let ghost r1 = ocase identity x in
        let ghost sub2 = ocase subst_id_fo_term skolemfm in
        assert { phirm = subst_fo_formula resm subst_id_symbol sub1 } ;
        assert { forall y:option int.
          is_fo_term_free_var_in_fo_formula y res1m ->
            (y <> Some x) && rcompose r1 sub1 y = sub2 y } ;
        assert { subst_fo_formula res1m subst_id_symbol sub2 =
          subst_fo_formula res1m subst_id_symbol (rcompose r1 sub1) } ;
        assert { extensionalEqual (rcompose r0 r1) identity } ;
        assert { phirm = subst_fo_formula res1m subst_id_symbol sub2 } ;
        assert { forall m:model int 'st,rho:int -> 'st.
          formula_semantic (Exists res1m) m rho ->
            formula_semantic phirm (transf m) rho } ;
        assert { forall y:int.
          is_fo_term_free_var_in_fo_formula y phirm ->
            (forall z:int.
              is_fo_term_free_var_in_fo_formula z resm /\
              is_fo_term_free_var_in_fo_term y (sub1 z) ->
              (if z <> x then z = y && mem y fvl
               else is_fo_term_free_var_in_fo_term y skolemfm &&
                 mem y fvl)) && mem y fvl } ;
        (* Vexingly painful ! *)
        assert { forall ls:int.
          is_symbol_free_var_in_fo_formula ls phirm ->
          is_symbol_free_var_in_fo_formula ls (subst_fo_formula resm subst_id_symbol sub1) &&
            ((forall z:int.
              is_symbol_free_var_in_fo_formula z resm /\
              is_symbol_free_var_in_symbol ls (subst_id_symbol z) ->
              z = ls && z < skb' + 1 ) /\
            (forall z:int.
              is_fo_term_free_var_in_fo_formula z resm /\
              is_symbol_free_var_in_fo_term ls (sub1 z) ->
              (if z <> x then sub1 z = Var_fo_term z
               else is_symbol_free_var_in_fo_term ls skolemfm &&
                 ls = skb' && ls < skb' + 1) && ls < skb' + 1) /\
             ((exists z:int.
               is_symbol_free_var_in_fo_formula z resm /\
               is_symbol_free_var_in_symbol ls (subst_id_symbol z)) \/
             (exists z:int.
               is_fo_term_free_var_in_fo_formula z resm /\
               is_symbol_free_var_in_fo_term ls (sub1 z))))
             && ls < skb' + 1 } ;

        (* Two point of views : either why3 do not deconstruct
           records enough, either too much. *)
        assert { forall m:model int 'st.
          let mf = (resf m).interp_fun in
          let mp = (resf m).interp_pred in
          m.interp_pred = mp =
          (transf ({ interp_fun = mf ; interp_pred = mp })).interp_pred
          = (transf2 m).interp_pred &&
          m.interp_pred = (transf2 m).interp_pred } ;
        assert { forall m:model int 'st, ls:int.
          ls < skb ->
            let mf = (resf m).interp_fun in
            let mp = (resf m).interp_pred in
            eval m.interp_fun ls = eval mf ls
              = eval (transf { interp_fun = mf ; interp_pred = mp }).interp_fun ls
              = eval (transf2 m).interp_fun ls &&
            eval m.interp_fun ls = eval (transf2 m).interp_fun ls } ;
        assert { forall m:model int 'st,rho:int -> 'st.
          let mf = (resf m).interp_fun in
          let mp = (resf m).interp_pred in
          formula_semantic phim m rho ->
            formula_semantic (Exists res1m) ({ interp_fun = mf ; interp_pred = mp }) rho &&
            formula_semantic phirm (transf ({ interp_fun = mf ; interp_pred = mp})) rho &&
            formula_semantic phirm (transf2 m) rho } ;
        { skolemized = phir ;
          skolem_bound = skb' + 1 ;
          model_transformer = transf2 ;
          free_var_list = fvl }
    end

  let rec skolemize_list (phil:nlimpl_fo_formula_list) (skb:int)
    (ghost fvp:set int) : skolemization_list_return 'st
    requires { nlimpl_fo_formula_list_ok phil }
    requires { forall x:int. is_fo_term_free_var_in_fo_formula_list x
      phil.model_fo_formula_list_field -> S.mem x fvp }
    requires { is_simpl_list phil.model_fo_formula_list_field }
    requires { is_nnf_list phil.model_fo_formula_list_field }
    requires { forall ls:int.
      is_symbol_free_var_in_fo_formula_list ls phil.model_fo_formula_list_field -> ls < skb }
    ensures { nlimpl_fo_formula_list_ok result.skolemized_l }
    ensures { forall x:int. is_fo_term_free_var_in_fo_formula_list x
      result.skolemized_l.model_fo_formula_list_field -> S.mem x fvp }
    ensures { result.skolem_bound_l >= skb }
    ensures { forall ls:int.
      is_symbol_free_var_in_fo_formula_list ls result.skolemized_l.model_fo_formula_list_field ->
        ls < result.skolem_bound_l }
    ensures { is_nnf_list result.skolemized_l.model_fo_formula_list_field }
    ensures { is_simpl_list result.skolemized_l.model_fo_formula_list_field }
    ensures { no_existential_list result.skolemized_l.model_fo_formula_list_field }
    ensures { forall m:model int 'st, rho:int -> 'st.
      formula_list_conj_semantic phil.model_fo_formula_list_field m rho ->
      formula_list_conj_semantic result.skolemized_l.model_fo_formula_list_field
        (eval result.model_transformer_l m) rho }
    (* Completeness concern.
    ensures { forall m:model int 'st, rho:int -> 'st.
      formula_semantic result.skolemized.model_fo_formula_field m rho ->
      formula_semantic phi.model_fo_formula_field m rho
     *)
    ensures { forall m:model int 'st, ls:int.
      ls < skb -> eval m.interp_fun ls =
        eval (eval result.model_transformer_l m).interp_fun ls }
    ensures { forall m:model int 'st.
      m.interp_pred = (eval result.model_transformer_l m).interp_pred }
    variant { size_fo_formula_list phil.model_fo_formula_list_field }
  =
    let philm = phil.model_fo_formula_list_field in
    match destruct_fo_formula_list phil with
      | NLC_FOFNil -> { skolemized_l = phil ;
        skolem_bound_l = skb ;
        model_transformer_l = identity }
      | NLC_FOFCons phi phiq -> let phim = phi.model_fo_formula_field in
        let phiqm = phiq.model_fo_formula_list_field in
        assert { philm = FOFCons phim phiqm } ;
        assert { forall ls:int. is_symbol_free_var_in_fo_formula ls phim ->
          is_symbol_free_var_in_fo_formula_list ls philm } ;
        assert { forall ls:int. is_symbol_free_var_in_fo_formula_list ls phiqm ->
          is_symbol_free_var_in_fo_formula_list ls philm } ;
        let res = skolemize phi skb False fvp in
        let resq = skolemize_list phiq res.skolem_bound fvp in
        let resm = res.skolemized.model_fo_formula_field in
        let resqm = resq.skolemized_l.model_fo_formula_list_field in
        let skr = construct_fo_formula_list (NLC_FOFCons res.skolemized resq.skolemized_l) in
        let skrm = skr.model_fo_formula_list_field in
        let (resf,resqf) = (res.model_transformer,resq.model_transformer_l) in
        let ghost transf = rcompose resf resqf in
        assert { skrm = FOFCons resm resqm } ;
        assert { forall m:model int 'st.
          m.interp_pred = (resf m).interp_pred =
          (transf m).interp_pred } ;
        assert { forall m:model int 'st, ls:int.
          ls < skb ->
            eval m.interp_fun ls = eval (resf m).interp_fun ls
              = eval (transf m).interp_fun ls } ;
        assert { forall m:model int 'st,rho:int -> 'st.
          formula_semantic resm m rho <->
            formula_semantic resm (resqf m) rho } ;
        assert { forall m:model int 'st,rho:int -> 'st.
          formula_list_conj_semantic phiqm m rho <->
            formula_list_conj_semantic phiqm (resf m) rho } ;
        assert { forall m:model int 'st,rho:int -> 'st.
          transf m = resqf (resf m) &&
          (formula_semantic phim m rho ->
            formula_semantic resm (resf m) rho &&
            formula_semantic resm (transf m) rho) /\
          (formula_list_conj_semantic phiqm m rho ->
            formula_list_conj_semantic phiqm (resf m) rho &&
            formula_list_conj_semantic resqm (transf m) rho) } ;
        { skolemized_l = skr ;
          skolem_bound_l = resq.skolem_bound_l ;
          model_transformer_l = transf }
    end

  (* No need for it in the logic... *)

  type preprocessing_return 'st = {
    preprocessed : nlimpl_fo_formula_list ;
    final_goals_number : int ;
    ghost model_transf : (model int 'st) -> (model int 'st) ;
  }

  type fvr = {
    ghost sr : set int ;
    lr : list int ;
  }

  let rec term_free_vars_noghost (t:nlimpl_fo_term) : fvr
    requires { nlimpl_fo_term_ok t }
    ensures { forall x:int.
      is_fo_term_free_var_in_fo_term x t.model_fo_term_field ->
       mem x result.lr }
    ensures { iset_ok result.lr }
    ensures { forall x:int. S.mem x result.sr <-> mem x result.lr }
    variant { size_fo_term t.model_fo_term_field }
  =
    match destruct_fo_term t with
      | NLCVar_fo_term x -> { sr = S.singleton x ; lr = Cons x Nil }
      | NLC_App _ l -> term_list_free_vars_noghost l
    end

  with term_list_free_vars_noghost (l:nlimpl_fo_term_list) : fvr
    requires { nlimpl_fo_term_list_ok l }
    ensures { forall x:int.
      is_fo_term_free_var_in_fo_term_list x l.model_fo_term_list_field ->
        mem x result.lr }
    ensures { forall x:int. S.mem x result.sr <-> mem x result.lr }
    ensures { iset_ok result.lr }
    variant { size_fo_term_list l.model_fo_term_list_field }
  =
    match destruct_fo_term_list l with
      | NLC_FONil -> { lr = Nil ; sr = S.empty }
      | NLC_FOCons t q -> let r1 = term_free_vars_noghost t in
        let r2 = term_list_free_vars_noghost q in
        { lr = merge r1.lr r2.lr ; sr = S.union r1.sr r2.sr }
    end

  let rec collect_free_var_formula (phi:nlimpl_fo_formula) : fvr
    requires { nlimpl_fo_formula_ok phi }
    ensures { iset_ok result.lr }
    ensures { forall x:int. is_fo_term_free_var_in_fo_formula x
      phi.model_fo_formula_field -> mem x result.lr }
    ensures { forall x:int. mem x result.lr <-> S.mem x result.sr }
    variant { size_fo_formula phi.model_fo_formula_field }
  =
    let phim = phi.model_fo_formula_field in
    match destruct_fo_formula phi with
      | NLC_PApp p l -> let pm = p.model_symbol_field in
        let lm = l.model_fo_term_list_field in
        assert { phim = PApp pm lm } ;
        term_list_free_vars_noghost l
      | NLC_Not phi0 -> let phi0m = phi0.model_fo_formula_field in
        assert { phim = Not phi0m } ;
        collect_free_var_formula phi0
      | NLC_And phi1 phi2 -> let phi1m = phi1.model_fo_formula_field in
        let phi2m = phi2.model_fo_formula_field in
        assert { phim = And phi1m phi2m } ;
        let r1 = collect_free_var_formula phi1 in
        let r2 = collect_free_var_formula phi2 in
        { lr = merge r1.lr r2.lr ; sr = S.union r1.sr r2.sr }
      | NLC_Or phi1 phi2 -> let phi1m = phi1.model_fo_formula_field in
        let phi2m = phi2.model_fo_formula_field in
        assert { phim = Or phi1m phi2m } ;
        let r1 = collect_free_var_formula phi1 in
        let r2 = collect_free_var_formula phi2 in
        { lr = merge r1.lr r2.lr ; sr = S.union r1.sr r2.sr }
      | NLC_FTrue -> { lr = Nil ; sr = S.empty }
      | NLC_FFalse -> { lr = Nil ; sr = S.empty }
      | NLC_Forall x phi0 -> let phi0m = phi0.model_fo_formula_field in
        let ghost r0 = some[x <- None] in
        let ghost phi1m = rename_fo_formula phi0m identity r0 in
        assert { phim = Forall phi1m } ;
        let r = collect_free_var_formula phi0 in
        let res = { lr = remove x r.lr ; sr = S.remove x r.sr } in
        assert { forall xf:int.
          (forall y:int. is_fo_term_free_var_in_fo_formula y phi0m /\
            eval (some[x<-None]) y = Some xf -> y <> x &&
            Some xf = Some y && xf = y) && is_fo_term_free_var_in_fo_formula xf phim ->
          is_fo_term_free_var_in_fo_formula (Some xf) phi1m &&
          (exists y:int. is_fo_term_free_var_in_fo_formula y phi0m /\
            eval (some[x <- None]) y = Some xf) && is_fo_term_free_var_in_fo_formula xf phi0m
            && xf <> x && mem xf res.lr } ;
        res
      | NLC_Exists x phi0 -> let phi0m = phi0.model_fo_formula_field in
        let ghost r0 = some[x <- None] in
        let ghost phi1m = rename_fo_formula phi0m identity r0 in
        assert { phim = Exists phi1m } ;
        let r = collect_free_var_formula phi0 in
        let res = { lr = remove x r.lr ; sr = S.remove x r.sr } in
        assert { forall xf:int.
          (forall y:int. is_fo_term_free_var_in_fo_formula y phi0m /\
            eval (some[x<-None]) y = Some xf -> y <> x &&
            Some xf = Some y && xf = y) && is_fo_term_free_var_in_fo_formula xf phim ->
          is_fo_term_free_var_in_fo_formula (Some xf) phi1m &&
          (exists y:int. is_fo_term_free_var_in_fo_formula y phi0m /\
            eval (some[x <- None]) y = Some xf) && is_fo_term_free_var_in_fo_formula xf phi0m
            && xf <> x && mem xf res.lr } ;
        res
    end

  let rec collect_free_var_formula_list (phil:nlimpl_fo_formula_list) : fvr
    requires { nlimpl_fo_formula_list_ok phil }
    ensures { iset_ok result.lr }
    ensures { forall x:int. is_fo_term_free_var_in_fo_formula_list x
      phil.model_fo_formula_list_field -> mem x result.lr }
    ensures { forall x:int. mem x result.lr <-> S.mem x result.sr }
    variant { size_fo_formula_list phil.model_fo_formula_list_field }
  =
    match destruct_fo_formula_list phil with
      | NLC_FOFNil -> { lr = Nil ; sr = S.empty }
      | NLC_FOFCons phi0 q -> let fvr1 = collect_free_var_formula phi0 in
        let fvr2 = collect_free_var_formula_list q in
        { lr = merge fvr1.lr fvr2.lr ;
          sr = S.union fvr1.sr fvr2.sr }
    end


  let rec exists_quantify (l:list int) (phi:nlimpl_fo_formula) (ghost st:'st) : nlimpl_fo_formula
    requires { nlimpl_fo_formula_ok phi }
    requires { is_simpl phi.model_fo_formula_field }
    requires { is_nnf phi.model_fo_formula_field }
    requires { forall x:int. is_fo_term_free_var_in_fo_formula x
      phi.model_fo_formula_field -> mem x l }
    ensures { nlimpl_fo_formula_ok result }
    ensures { forall x:int. not(is_fo_term_free_var_in_fo_formula x
      result.model_fo_formula_field) }
    ensures { forall m:model int 'st,rho:int -> 'st.
      formula_semantic phi.model_fo_formula_field m rho ->
      formula_semantic result.model_fo_formula_field m rho }
    ensures { is_simpl result.model_fo_formula_field }
    ensures { is_nnf result.model_fo_formula_field }
    variant { l }
  = let phim = phi.model_fo_formula_field in
    match l with
      | Nil -> phi
      | Cons x q -> let phi' = construct_fo_formula (NLC_Exists x phi) in
        let phi'_m = phi'.model_fo_formula_field in
        let ghost phi1m = rename_fo_formula phim identity (some[x <- None]) in
        assert { phi'_m = Exists phi1m } ;
        assert { forall xf:int.
          (forall y:int. is_fo_term_free_var_in_fo_formula y phim /\
            eval (some[x<-None]) y = Some xf -> y <> x &&
            Some xf = Some y && xf = y) && is_fo_term_free_var_in_fo_formula xf phi'_m ->
          is_fo_term_free_var_in_fo_formula (Some xf) phi1m &&
          (exists y:int. is_fo_term_free_var_in_fo_formula y phim /\
            eval (some[x <- None]) y = Some xf) && is_fo_term_free_var_in_fo_formula xf phim
            && xf <> x && mem xf q } ;
        assert { forall m:model int 'st,rho:int -> 'st.
          formula_semantic phim m rho ->
          let rhos = ocase rho (rho x) in
          let sub = rcompose (some[x <- None]) subst_id_fo_term in
          let rhos' = semantic_subst sub m rhos in
          extensionalEqual rhos' rho &&
          phi1m = subst_fo_formula phim subst_id_symbol (rcompose (some[x <- None]) subst_id_fo_term) &&
          formula_semantic phi1m m rhos &&
          (exists xm:'st. formula_semantic phi1m m (ocase rho xm)) &&
          formula_semantic phi'_m m rho } ;
        exists_quantify q phi' st
    end

  type comb_ret = {
    form : nlimpl_fo_formula ;
    llen : int ;
  }

  let rec combine_with (l:nlimpl_fo_formula_list) (phi0:nlimpl_fo_formula)
    (ghost fvp:set int) (ghost st:'st) : comb_ret
    requires { nlimpl_fo_formula_list_ok l }
    requires { forall x:int. is_fo_term_free_var_in_fo_formula x phi0.model_fo_formula_field
      -> S.mem x fvp }
    requires { nlimpl_fo_formula_ok phi0 }
    requires { forall x:int. is_fo_term_free_var_in_fo_formula_list x
      l.model_fo_formula_list_field -> S.mem x fvp }
    requires { is_simpl_list l.model_fo_formula_list_field }
    requires { is_nnf_list l.model_fo_formula_list_field }
    requires { is_simpl phi0.model_fo_formula_field }
    requires { is_nnf phi0.model_fo_formula_field }
    variant { size_fo_formula_list l.model_fo_formula_list_field }
    ensures { nlimpl_fo_formula_ok result.form }
    ensures { is_simpl result.form.model_fo_formula_field }
    ensures { is_nnf result.form.model_fo_formula_field }
    ensures { forall m:model int 'st,rho:int -> 'st.
      formula_semantic result.form.model_fo_formula_field m rho <->
      (formula_list_conj_semantic l.model_fo_formula_list_field m rho /\
       formula_semantic phi0.model_fo_formula_field m rho) }
    ensures { forall x:int. is_fo_term_free_var_in_fo_formula x
      result.form.model_fo_formula_field -> S.mem x fvp }
  =
    let lm = l.model_fo_formula_list_field in
    let phi0m = phi0.model_fo_formula_field in
    match destruct_fo_formula_list l with
      | NLC_FOFNil -> { form = phi0 ; llen = 1 }
      | NLC_FOFCons x q -> let xm = x.model_fo_formula_field in
        let qm = q.model_fo_formula_list_field in
        assert { lm = FOFCons xm qm } ;
        let cr = combine_with q x fvp st in
        let phi' = cr.form in
        let phi'_m = phi'.model_fo_formula_field in
        let phir = construct_fo_formula (NLC_And phi0 phi') in
        let phirm = phir.model_fo_formula_field in
        assert { phirm = And phi0m phi'_m } ;
        { form = phir ; llen = cr.llen + 1 }
    end

  type split_ret = {
    forms : nlimpl_fo_formula_list ;
    total_goals : int ;
  }

  let rec split (phi:nlimpl_fo_formula) (l:nlimpl_fo_formula_list) (lnum:int) (gnum:int) (ghost st:'st) : split_ret
    requires { nlimpl_fo_formula_ok phi }
    requires { forall x:int. not(is_fo_term_free_var_in_fo_formula x
      phi.model_fo_formula_field) }
    requires { is_simpl phi.model_fo_formula_field }
    requires { is_nnf phi.model_fo_formula_field }
    requires { no_existential phi.model_fo_formula_field }
    requires { nlimpl_fo_formula_list_ok l }
    requires { forall x:int. not(is_fo_term_free_var_in_fo_formula_list x
      l.model_fo_formula_list_field) }
    requires { is_simpl_list l.model_fo_formula_list_field }
    requires { is_nnf_list l.model_fo_formula_list_field }
    requires { no_existential_list l.model_fo_formula_list_field }
    variant { size_fo_formula phi.model_fo_formula_field }
    ensures { forall m:model int 'st,rho:int -> 'st.
      formula_list_conj_semantic result.forms.model_fo_formula_list_field m rho
      <-> (formula_semantic phi.model_fo_formula_field m rho /\
      formula_list_conj_semantic l.model_fo_formula_list_field m rho) }
    ensures { nlimpl_fo_formula_list_ok result.forms }
    ensures { forall x:int. not(is_fo_term_free_var_in_fo_formula_list x
      result.forms.model_fo_formula_list_field) }
    ensures { is_simpl_list result.forms.model_fo_formula_list_field }
    ensures { is_nnf_list result.forms.model_fo_formula_list_field }
    ensures { no_existential_list result.forms.model_fo_formula_list_field }
  =
    match destruct_fo_formula phi with
      | NLC_And phi1 phi2 ->
        (* gnum <> 0 : either need full count (<0),
           either phi is a "goal". if lnum = 1,
           then gnumcall must be updated accordingly.
           if lnum <> 1 (not last of initial list),
           then either gnum = 1 (last goal,do not want next count),
           either it is expected. *)
        let phim = phi.model_fo_formula_field in
        let phi1m = phi1.model_fo_formula_field in
        let phi2m = phi2.model_fo_formula_field in
        assert { phim = And phi1m phi2m } ;
        assert { forall x:int. is_fo_term_free_var_in_fo_formula x phi1m ->
          is_fo_term_free_var_in_fo_formula x phim } ;
        assert { forall x:int. is_fo_term_free_var_in_fo_formula x phi2m ->
          is_fo_term_free_var_in_fo_formula x phim } ;
        let gnumcall = if lnum = 1
          then if gnum <> 0
            then (-1)
            else gnum - 1
          else gnum - 1 in
        let r0 = split phi2 l (lnum-1) gnumcall st in
        let l0 = r0.forms in
        (* need full count for r1. *)
        let r1 = split phi1 l0 0 (-1) st in
        let l1 = r1.forms in
        { forms = l1 ;
          total_goals = if gnum <> 0
            then r0.total_goals + r1.total_goals
            else 0 }
      | _ -> let lr = construct_fo_formula_list (NLC_FOFCons phi l) in
        { forms = lr ;
          total_goals = if gnum <> 0
            then 1
            else 0 }
    end

  (* Prover preprocessing function:
     From a set of formulas,
     return an equi-satisfiable
     (as completeness is not considered here,
      it is only proved that satisfiability is preserved)
     set of formulas without occurence of true/false,
     in negational normal form, without existential quantifiers.
     Potentially raises an exception when the input set of formulas
     was (trivially) unsatisfiable. *)

  exception Sat

  let preprocessing (phil:nlimpl_fo_formula_list) (gnum:int) (ghost st:'st) : preprocessing_return 'st
    requires { nlimpl_fo_formula_list_ok phil }
    ensures { nlimpl_fo_formula_list_ok result.preprocessed }
    ensures { forall x:int. not(is_fo_term_free_var_in_fo_formula_list x
      result.preprocessed.model_fo_formula_list_field) }
    ensures { is_nnf_list result.preprocessed.model_fo_formula_list_field }
    ensures { is_simpl_list result.preprocessed.model_fo_formula_list_field }
    ensures { no_existential_list result.preprocessed.model_fo_formula_list_field }
    ensures { forall m:model int 'st,rho:int -> 'st.
      formula_list_conj_semantic phil.model_fo_formula_list_field m rho ->
      formula_list_conj_semantic result.preprocessed.model_fo_formula_list_field
        (eval result.model_transf m) rho }
    raises { Unsat ->
      forall m:model int 'st,rho:int -> 'st.
        not(formula_list_conj_semantic phil.model_fo_formula_list_field m rho) }
    raises { Sat -> forall m:model int 'st,rho:int -> 'st.
        formula_list_conj_semantic phil.model_fo_formula_list_field m rho }
  =
    let s = collect_free_var_formula_list phil in
    let fvp = s.sr in
    let (phisimpl,gnum) = nnf_simpl_list phil gnum fvp st in
    match destruct_fo_formula_list phisimpl with
      | NLC_FOFNil -> raise Sat
      | NLC_FOFCons phi0 q -> let cb = combine_with q phi0 fvp st in
        let len = cb.llen in
        let phicb = cb.form in
        let phiex = exists_quantify s.lr phicb st in
        let skr = (skolemize phiex phiex.nlfree_var_symbol_set_abstraction_fo_formula_field False S.empty:skolemization_return 'st) in
        let phisk = skr.skolemized in
        let tr = skr.model_transformer in
        let fonil = construct_fo_formula_list NLC_FOFNil in
        let spl = split phisk fonil len gnum st in
        assert { forall m:model int 'st,rho:int -> 'st.
          formula_list_conj_semantic phil.model_fo_formula_list_field m rho ->
          formula_list_conj_semantic phisimpl.model_fo_formula_list_field m rho &&
          (formula_semantic phi0.model_fo_formula_field m rho /\
           formula_list_conj_semantic q.model_fo_formula_list_field m rho) &&
          formula_semantic phicb.model_fo_formula_field m rho &&
          formula_semantic phisk.model_fo_formula_field (tr m) rho &&
          formula_list_conj_semantic fonil.model_fo_formula_list_field (tr m) rho &&
          formula_list_conj_semantic spl.forms.model_fo_formula_list_field (tr m) rho } ;
        { preprocessed = spl.forms ;
          final_goals_number = spl.total_goals ;
          model_transf = tr }
    end


  (*
  let preprocessing (phil:nlimpl_fo_formula_list) : preprocessing_return 'st
    requires { nlimpl_fo_formula_list_ok phil }
    ensures { nlimpl_fo_formula_list_ok result.preprocessed }
    ensures { forall x:int. not(is_fo_term_free_var_in_fo_formula_list x
      result.preprocessed.model_fo_formula_list_field) }
    ensures { is_nnf_list result.preprocessed.model_fo_formula_list_field }
    ensures { is_simpl_list result.preprocessed.model_fo_formula_list_field }
    ensures { no_existential_list result.preprocessed.model_fo_formula_list_field }
    ensures { forall m:model int 'st, rho:int -> 'st.
       formula_list_conj_semantic phil.model_fo_formula_list_field m rho ->
       formula_list_conj_semantic result.preprocessed.model_fo_formula_list_field
         (eval result.model_transf m) rho }
    raises { Unsat ->
      forall m:model int 'st,rho:int -> 'st.
        not(formula_list_conj_semantic phil.model_fo_formula_list_field m rho) }
  =
    let s = collect_free_var_formula_list in
    let fvp = s.sr in
    let phil' = nnf_simpl_list phil fvp in
    TODO

    let skr =
      (skolemize_list phil' phil'.nlfree_var_symbol_set_abstraction_fo_formula_list_field fvp:
        skolemization_list_return 'st) in
    { preprocessed = skr.skolemized_l ;
      model_transf = skr.model_transformer_l }*)

end
why3-1.6.0/examples/prover/FormulaTransformations/000077500000000000000000000000001440160026300222565ustar00rootroot00000000000000why3-1.6.0/examples/prover/FormulaTransformations/why3session.xml000066400000000000000000004402431440160026300253050ustar00rootroot00000000000000
















 
 
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
 
 
 
 
  
  
  
  
  
  
 
 
 
 
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
 
 
 
 
  
  
  
  
  
  
 
 
 
 
 
 
 
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
 
 
 
 
  
  
  
  
  
  
 
 


 
 
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
   
   
    
    
     
     
     
    
    
   
   
  
  
  
  
  
  
  
   
   
    
    
     
     
     
     
     
     
     
     
     
    
    
   
   
  
  
  
  
  
  
  
  
  
  
   
   
    
    
     
     
     
     
     
     
     
     
     
     
     
     
     
     
     
     
     
     
     
     
     
     
     
     
    
    
   
   
  
  
 
 
 
 
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
   
   
    
    
     
     
     
     
     
     
    
    
   
   
  
  
  
  
  
  
  
  
  
  
   
   
    
    
     
     
     
     
     
     
     
     
     
     
     
     
     
     
     
     
     
     
     
     
     
     
     
     
    
    
   
   
  
  
 
 
 
 
  
  
  
  
  
   
   
   
   
   
   
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
  
  
  
  
  
  
  
   
   
   
   
   
   
   
   
   
  
  
  
  
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
  
  
 
 
 
 
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
  
  
  
  
  
  
  
   
   
   
   
   
   
   
   
   
  
  
  
  
  
 
 
 
 
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
   
   
   
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
   
   
   
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
    
    
    
    
    
    
   
   
  
  
  
  
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
  
  
  
  
  
 
 
 
 
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
    
    
    
    
    
    
   
   
   
   
   
   
   
   
  
  
  
  
  
  
  
  
 
 
 
 
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
   
   
    
    
     
     
     
    
    
   
   
  
  
  
  
  
  
  
  
 
 
 
 
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
 
 
 
 
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
 
 
 
 
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
   
   
   
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
 
 
 
 
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
   
   
   
   
   
   
  
  
  
  
   
   
   
   
   
   
  
  
  
  
  
  
  
  
  
  
  
  
  
   
   
   
   
   
   
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
   
   
   
   
   
   
  
  
  
  
   
   
   
   
   
   
  
  
  
  
   
   
   
   
   
   
  
  
  
  
   
   
   
   
   
   
  
  
  
  
  
  
  
   
   
   
   
   
   
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
   
   
   
   
   
   
   
   
   
   
   
   
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
   
   
   
  
  
  
  
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
  
  
  
  
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
  
  
  
  
   
   
   
   
   
   
   
   
   
   
   
   
  
  
  
  
   
   
   
   
   
   
   
   
   
   
   
   
  
  
  
  
  
  
  
  
  
  
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
  
  
  
  
  
  
  
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
 
 
 
 
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
   
   
   
   
   
   
  
  
  
  
   
   
   
   
   
   
  
  
  
  
  
  
  
   
   
   
   
   
   
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
 
 
 
 
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
 
 
 
 
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
 
 
 
 
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
  
  
  
  
  
 
 
 
 
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
 
 
 
 
  
  
  
  
  
  
  
  
  
  
  
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
  
  
  
  
   
   
   
   
   
   
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
 
 
 
 
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
 
 
 
 
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
 
 
 
 
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
 
 



why3-1.6.0/examples/prover/FormulaTransformations/why3shapes.gz000066400000000000000000001501661440160026300247270ustar00rootroot00000000000000ko9]{b$
PA~5jlyW;dKr%$3%eUnUU&L2-ߞg?nڿ?ol~E+w_??k.obxWw/6'׉_bx_&Gd{~}zpMnϷ>2!֟?=i/u^?k>ץ}|յn_g~<=\uۭ
>%߽ρ2Zn/ϷWt띪GDLts~K@mKqxrNe^).wᄑ<[fg-*NN)Z6芯ewBd-oYˡF͇g{K?Mb~K*@?{x'#	PglR*'T+oCZ6vo\^C/zbQm?/Dy5ǩ_c8ˑ."ot>^pitX*>?~ !cU;tXӭ_+X*B8ÕqUM~MWguOt]涫z捚DnC/w/oͬz7*GOxp~I=cnz0||)]SK!cfNt -ksG-bs۸ELfTy%s]~e^]_Wؗ]]z44
4}Fb$|Q8SŌW8V}aļ%Fַoyo5`l徢[JCsrPϴSޓ1>jុlIm:?cڇyc!Nu`؃+FJh53D	0.[foo3P91%<ٱ%ub!	,uX@3NY|
g˻\Tꂽ}sHTkΝMhN)zc3dmQ1A1;\K]|ήNw{5n`ڙ|e蹘8ތ6{R|^`}א>=t>rq1Ko1}K
(ǔneY
*A_&St~RAfGDwg;-z0_??}rp߫7gu{߷kR"~p|;@Z!^tP2)hyIIc/H2g,G>!`jG`'n_lLPOtR@!6]N_O/zZt
iT)XO3)1r1{\ WŬ%sWi-0ѭM q?w$tCCXK}4waæÇ?!P#!fOU;W#zUMGYTB~!ZÐ}=SZÐzɼz7%&tmDW3S^IT#FKwɵK8D6`vzvۋO
/^6l~Y.%B'b/:Z3ϖi䂵%pټZ佑|n*{){.;
_Yv-VvUfRթ>JFWS.
# ~`A DW#H Z@ ˭ޗ{(KXm'zqz>\f5
j*9wZߒ'X,$
فJߌ<'*pp`aJ#	´OLwfܧv:flpY(,2ςE6Zw=$9HNՂ~Τ{&!H+9,XHTehO$X	h钖.nH(]*Z2}L!iy4HVCIG!IHH`+]:ۥ̳]
g]|ۥKفۥߐU/]U/A^K-^/USz@hKсҩNz~L;Ơsd,rug:W;[z{z:yZ{4NCi#a腴BYh:3|kbEo1MnpQhM:	.):xNLm&B6oyC	ըmB[w	/wo8'$1`}k8H M'$4SC#̟q8p>	
Bś┎8&#b2mHL&={G+W=tuzrƓdVj[VVÀ,:HH;LIHjkSu\t4H+`F43߃3#-yU'Ur,ruIy:m48:֞gRoݶy|y/.Z;fN]]}QNJzQۛ%[ozjSVj[yPuK;?cgϺgY^s]wҶ1w:Ѿ9u+[mk9hAémfߘ'19rνLn䣻[	n~~LJ[}j7m%Vo]H
ӎD
Оn%=hݓAOKT{LR
SgZG@+A0HFwqN]+;^EV
Z#k5RHMjdf=5lkr7nj;RMPR7ktV4B.LIjUyhV)ˇ@>V;P/G
r3pa`8AۮѡxKLW`@֬ADn;QGӗ?uwe|λ;mB{D7!xq{w!'v~uf"(fk"XD#ږ66nh44G64'է$NX@;0sT>"j/Fu\R)z;O6c܎ySc}3!sB>w`^MWNqs;G#aF]'h0@ h0ph4 4 \@B!@B%"@
V2'yT'eaXpR*_ J$NNq,<_}@,!KI\,XAGXIt;$SZ,YbZ1(k.!J{WR|ػU&;4ٹɎvtNMZм2H &K0ItۥBBMH) }=iUPHJM-T1r%(;X0JἚB6^1g0hQ&MxVۃaTZOJܖAp[&r|Њ@T *40
DQs@H $ڭ"@Dm?DzCԝduVE"D(r>m=N(#C9Ѫ(-yAd࡭xhm"{hR|CU:CH
Ml
ez#XBaPM&EJ/$L`<-^F_$>$YzaeHꅯr6\(K]m^![Dmr9Xwʫ.77}KZtu^ȩeSWSJ\k:n[GkUY=l"^.g>Q>_!סűsW7ԄWK=6svpcwQ
ߕ.}-Sn!z0E7C<
o9r
%Z~B.]m/YIH2%pU,!d1˝vssc*WTYQ	l g;=\ lzW;XՏR;
*&CVLvzj1hz9X&ׯvȹ7
##2jTª~
ΣTXΑjC(Ն^ի6G.#UKa`=`@0ƺl>=kY&aa(o(yd@@f	cEV	dpJV	o+dp&[N`-lHI/Dikaͦfj6Y$D2H ^/
%}(ثQwN(7^Jct]=85՜D:oINH[8eHpo}89#ȯsXEt1])13i;@k~{]uOw'w	AքOB[#F	B!aVOnf6Jtڴ?_t;:]|;X8)[T5@q#	16:3l[c*Y*ؚ˷/v{o-f[רj7fU)̘U0uyZpwʽzƓk}
W&\Ay'od9,MD "^4F8i"\4FXIIOYG&,<& "N
e՝
)cLуA8YzĠ`ZΏB(>Pp(?&MXkTl[$7}y%wuty{|w$oz%T򡱀cgGCF\F1c).#S}B1@(f;$ッ.K_JuG.gVAqXe+.Hp)!BlH8yIPXkȋ3o+o.rvw3	K_]>:4WxkVx:J r\Be5~-vҋ444
B)DcM֬q1{1+V$+7Gf_&kAA d2h'>=7H hrARhAOk-vA;s9=;%$uLZ7fԨcw~Q-icI\
^yӑ2[u	l}6V`֝잨K;i{
B1[tYidžq,0P4ur3S5I<(݄8JWx&k)a~Q%I5%/3C	.'є8Y?-μ~ٻEDh*t&V>7:p	*=}yvV6W[\G0\+\3yb2+
uU"nRA`({5')Md:\rTTUh҃4hV@8mDJ0aKL &J1@L88_4NƟ[88mow~y\8.~IuTT8{6H{~;ƒjR&xA ^\/"M/A8UrĐ`ZLLB$IHp$?&M։\_Iuh#ZV%:)%}[_unfڢd՞iVUQUQU\㫓*2ЋonƲ:zۘ3e|^mpGKOS#ApAѝ7FTHHPR{da6v/gn{ƚEVU0[[M݊uw+7>w$3Q/J.J!pX,4)_~ba.Mc&lP4p1`jO9豮:f\Dggl38uUzbA:
GlW~ZTħ"1
.-Ke3+
VL)"2*4VL%q6XWTlOP఑5TuƬr8+zPehZ݋$Kygld+"{pFSqDd"z@½}ܽw>8g]Ql<8c*Θ|OcWǀyhOy]ֈD 5*9c
?_Y5cf;K7$GDTLNN	K+RG`)vv炥!X:qif;ad9Ds"G|)]UL]5A_Cv?TN_b+!C18VGN{0qu/?^x|~7~/e"caן_(/|zҽvWb!Q}3s9W3!U|	Tir 4Ʀ 
{<+GB!d

B@	!~G!XM}g)?!*[4l?!pB9
@/a)`T8#Xzb _
/;"U e/_R.%5/*U>=i}!
*Ψ}65'{r!!%
  cB@]R|	 ~x/@$f/_-nݦlhhc
ZtB-T(@Iz'M@w=`GP;yM6
4MulRr	TgSF	6euu9xA8O^XoyD n7NX%fver=f9)ż$c:
?IMf/-msozz|8{;D:ĸrKn#UL|?ocxx5}*oy0)XT\(cX}~ֶ	Q]ci뉹͡$ݜΆǡHM=?v;4?l'
.GOFS`Zei^@#L7P@MP[L[mmy۶bm[N[-?6|Bw,31lȲM؋-:VR!ё=>{cho
G:sC7w*I;~RbwR
~:9_D	TNV:;lzmgWTQZx
t_,0t]fjKkim	۴C:]]5Zn:aܶz5,mϭ3¶^`26c'ZשPjSlH䚠~pajl&'='61lOK~ڏ3g+W0mSX
,"bfށŕ鱙(7!ii5
Wv3oq1}
S+$gy(W#W [U#vd1w XUYQVMTDJd`NOds,شpL2v4|xi+)ڰބ%Fa
ĴVX0ܽ疬.{Re^eț
-%RۧT'jzq@f<ݩ߃w7-Ѐ
}:"XQ
	_M)G2.w2FɣVeQᛚzk?k2$_O*8*ܢnӇV!]>.ѱtTtewpC;_Ruǻzb{wy#)aNq'/xx
vz-q"Jr~nqK&^y֩S3jfD9]]`cCF>BYz;pq	Sʅv?91ҎEb4bձ,KRЇ>r%v?k}P 95B,}.]iB3fŰ9iɲ)veeX[maG)[yaő+;ud{6Кp>(vЊj5v0{|q,je7t/Mu)DbV:u܏ȚiIY(sH]/yI\5X+o{(8V!ǚ\ELE߯asd D
o		IV]
&~#wqL۩T:O0Xd
펱6׮76^R~FoJs\G˷8+
E^*"\Hyͬ;k`k`.|V+H/u'm69f|xك?jPƨ
O
{DN}otBʭҶcxj
nΕ~{0=pH	Ã=
Y:<@(	 r~fMuCڃOO:jo7ݬv4Ux[Y&qt#(q>k)q'\! 0C-oT&k 78‘^׭z8e6loL.hD -pe(X3Rx5-q4yvԒpp/CGw5XŋNts\~9nݠ,&%R#P)n@1/jVjyZF^5;LRӢ_qZT*(iQja4cpA`3OS7/w9vϦu8ɆЩ؎I$w2<1WmG|y?~[y'bLv
o~v@1||?̾qV\\5ѳ\:>i<Li)i)iZT9݆?W$f3.N1#}fϮscDf
o(I[@b&0\羉0\!r9Cjz]A f.3Jj~Rj5DRg'
J,@	ߩ)wp)77dʛzQ<	6M:ڦ"Y:HiB$p4I~2~e"i*`$ˆ4uF-=^Ao`q	`5K$>5Dz5D%	F$e7`
D`A" IA#@+dGI^gEH @rfB`-)b

)\'G
	<)R,)R7)2j1)#2p*7N0 Ҡ8A8EN\j#i6KY|90)C-@DAY@ l@Ͱ;{GW_@~K=:ҎnV9~GA.qBP@(hPI>'Qn`;ء)麮/)vk>$pY+4&;UtbiR@ Zd5$o@bHPAXn@=Lx'w:sX?H@= K87vK6;gII>!-H$d
 )b%kH6ʱF\ۈ+gu\Á7AOȚOe"Ng_\X%?Ѐ#F4/MbmTI|@+@+'"2Z"h==dZOz;7ܩu@L
5Z:5ړPz &b]9GEMq %~@x|	kzT9T4R֬yk͚5Nb[u`:4`8h8O P.ZFO1\่%
ou.buA(T )
$q;9qHR$Gj%deB_S2CpmlZ
^K^{xky$yIN{DC^6D8B{c[yup}ﭛzR]Erb^BPp.(8^a0qX^>.޺AV`>'W` X^1Snz!M#w!'wyJ
3Ge:'
=U:&~F.s1Bﰁ@ %(xp=ݳjQ䞡>v?υ9.~(pdP@a;!.Z[+GWq8cgcմ}|鲬n,}v/l
ptZuS?B ;{h2G;M;of-oHRp6o͎i3Ր^ej!/>j~4m|>LnkmLDXއшH#53FpE5# sO9D(#8tCAA1.@(JW~yD-RN-ّZ Ԃ"(@[*\G"""M]HHHթYPM٪F5tݨV8.ppp5n\MGyof~+ 1K9R!9Nّ~#[;Q723FE/_PRpx͛!`C Fݿm썲lIзC7Е{P^^^^ zm)ATGTFW~UhUñdR(uXR,,%ȗ\a_c@*ǒ%WT(S0a0qC8oa]$x-g#M&/ѓ?JՂl>@"Hd@} @"5?Ł+
Ag%4t|so麴l\#cD|1l3f;.v,KΘw:ciDTu?tB͊yLz`Fz9{Ͳ
=zje"#?F=
n2JeJd.h¯"cnOf\QdlWCJ1Y:8RR^ҘR~P@)SE?Tu(3"X!pkxFIm g1^0H0G{40uJ&R>)x
)RqHI)RqD@6pBJvuZD!)x P#1q~yr"N;so0[pLbFtf|xdXdǹ`Fc@Pq(@5`LQ)! 
ObDT 
A @85*
Uh	ol"*1>%]AA$[í-1[YíVFj:dctM{_7 !` jzTQ*ռBL۰(355d"ZfOBButE.O" ~zH!I9H';CKl.ښXȏu3N+bHhbĒVs`c],&̓(غXY&۱FFJ⳻4pr!zd{̔ㄱub_]F\RZRRR^wq8 ob;iObNNNT7R8RT8:Ξ/FOo3x#U'U'Uo}8F"]2(%Ն-䓊:,y@.F P((a0AxLP7x[;Q8v@;h˴>$CyzGMJQw$"&*l?N6-mk:ۖ	ۖm˱a|}V`]4}JӋ*W;էwj7|k`\lIQ0'l>[P p eʅ܍EWx)-/`xIٜJ@!R#CxyMi[$.;nm&NlhiO
Z
@q>:B)-耏ֵZ{||d˯jzmfE<-Ohy '.	xRayR'9FOqx¥FE8kI:'WVqDR2Z_>XJļ1{$._Bީ1vN@Y*I}+0Fw~!)S)΁2eKCr=:qAs(-OSa)ܔae
uʤR9(Uǧ~әڍEJqRG=T:HծTk
сL|Az	n	w:Q;twduG`yط<~X[0wwTTUTD6n6Tr4kHNTTq5
GD긑-ZYDK=iр$7y Wk1 vgBt_+1(J24U3?U㆗$kղvjWrBC( 
.>!f3g=H>O
Gd('[4, h4l!
7Է"HqvBMe
mU01.
h
$h
R~I.hay
[mA7:4YZBUAA#Ù]=m.h&wN4HD V+gʊQ%;Z*VϿl添&Jj
=WU).ĺWY\[*<R(ȶ΄Nv#VA"Cy(ߐ:/vښ媨ptMg)փ{\7~㯇(7֭4JBȑ|P8UDFׅ:C<ޤ)gNeؤmFoVT*:<-$4T-SxGaJ2Eb7LZlSSX)PK&ˮK_/:qke{0*['A4›L><|ޡ;/h-J2Tg ^^AHCM!{rcL#.^K'˼=#i5Iݞq"9z-'\x%*Fn&p|5`Fpcxr
R[f
WS}cT&}o3MzeU?ŅKΪPiΙ#-OgaĒ%ڛd
Rc,
o).H	9Jo@BaFJnbXgj<|.63M'dɵS7rg"|+OviQY~sǡ<A 0>=a7eRN+MïYˌJT`_2
k.?r(_C Ԗ|C&T6Ӛ;uku¸NeTœ7҉D]4EH'>{1)cJSz}Vt}|!koqR0NJ㌓rqR.k4L3NJIi8I`Jqk<9Ⱟ qqE笱Eⷣ^Ye*{m,"e?E\"-BY%Eȕ9HwʷIOSW ',@"Q\KWA'J Z-ΖWS;:sF-LTx.E"D$F2xݳ+uBieb,Qg%g,Ǩl2*0*X5-0*,=Q5܊5
*"]Cl':tr;5G\xc(bQ|.DIDc(ŀ(%J!JVt=xh"ʀX%_Lp4\]<̴~a&{?-/b`fFezoLhߍظkdXw2`?&\Tb8cK@t5կ{[Fט@D4Po+8G~~x|x
_TNo @DZHՙr	ގ	+-W	PX[%cSEzMiXG,F9zܫLƉlzy"""FkQ"tqRD'2:DY=Q7ϊCRD7F)2Rd(ߜhA;R1J#GIBXXX®KMhb[y
M^@?QZ9N?OTpU?tݿnWRDڻ_	;̜F7߼椟r%ͽSeJ0:E~5+)Ow
DnmڽZw\Af+>'5v*)؀3=Thd[SgM*|C%''gQþވum煆JBAT&WH`쬝P(kf,P
*8P*x|T J́
ZP4Ay_**W`B0!\L:
b	Xre``fKHHYp
@T-Rl@ O1GDHA
Q,p#b8)Sc %U>C"j#kDJ>)!)WخoJ?|t|/A`;@%+kK?8}i!yV]d)@EO"^Zaעm!Iuӏb2Fl9bqBYeOL;j}UD$ࣽ=މ+M+@W&vA&֍|IQ@tWxpqK'KG7-g_B;ROZ)ZZiZqR)ZQEB-t@tQjJ*,7HHƈ
H0F!'Ď@$FFaH1Q(pp	YbD= WșJU,w0dCf́l]*%!eHHqyU0~=TuHH)ttHsl8
iAcR
O^ZiK.V#]L~Rfggzz#zR)+GGU=&ˎ0y5zdPU@ࣸۇl
*p)g`4]^w)mv@r@AexJIPy{dlnlnQP1
._*΂91w(A I#ߢAM$=^k&E
vT;|H^ρd
a!Fwa]x(ꗸPc`y.+:t?	c+V0F$}0jw0ʮ}p>np}LJ30)ݲH
R3792:s!%%u6>͠G]r4&;f||T>.H	9B(P.孅QK̃3%]y鳀F]ВfYِc<\J($oĉзNt ]:p@G!=LN>VٵK\=͚c	Ml	Հ7Y1CXtR}pȜM䄎/NA'wCG2m6:eTJY;:БEN{qDq,	%pEM#u?@s'HbL&LꚙQ4&(CFCHm	+)f"N/PnǥL_rǗdS#o)G#8UKLM#`GTHMF\A'j@B 9}D80!A t8:K,"\@ $dL!-̢.V]pe#Ԡ'+̦s"+b2HacKuX(]/z0*w5n=u}H #jX6v:2
"u	2'&ҟ*R|吂jryBHQUg,ceX[Qf7rM]=^ D*je W׽+aI8#T1"c$RCE5u4;%p]'#|<NىMԤ;-AX 0p)G纕P^%^
.O
qD{F?&&kv
b*߸~ZVhRڻypQAHe`Tl~EvGLnHSa,:q{FK\O`IꮽRx-|WRdv}R%k\ga#@y/?M\P7($Tz-+ؕ}jh{׺q4]]uG6Va'j8Yq#8
Xu㼲	od_EN
2>BM\?u=Mrzm%ӏ?qn͕Ѱ"]9vl?s&IW-/Umu[Z)#4Ωd1&s)INn	nWֈyNI7)L#5	b
d4v`mZEwYon=lnшe-SP#/].]GYeO	~尌Ýfs@@R}b,7Qh39|L6k$UpIZ	_B_/UleJqiYR_&WN˷]f^COF?(03/B.42})n4̊&&2cѕ1S2-
}id=ycV4
mWn`%þSY%HcՕ>R/ݗFsHԗIiSuHo=ddsM	l^lvme	c{[OG8g
X-OcG#R(;}d^?N?%g3˸fR~U.U	9-YJQKU8shRJx1%.лjJ/=qu!S.,29
Rl9Jdz;zkp5fy7[O[4qSߜz:/d'ZPױjm U)Z$8hʏ%[;5,7˿ϝ!^
CxfVcx[!.C8a{켐S٬6ASX=UOSGNT<1Mbp	ԋ'kO8w!`
ɃzOOKiUophzoM7G[4&!	*ICw|}|7{ON)?S	p6y!zf\v^)-$.$.$f%Go'|WΊGCVl0bm,CZ|S;Oh#6=HM8bhu	5v5j
sE"F
$>}ѹFB_y*yЗЗЗXzB+0Ћ=JJAq:QKS<i	iekIs̴)))Ja6VaPխCq#))J^<#>CVkYm_lyb43X麰Qǻ3[eD&UΤ˛i;:9\YW,㕅r8^'+kFپCPpvlK {bNcYs^N,{.bG1{.[T.qXR0i4|4*;_e}f^e0AF2f:oCo0++WX({*lP50B2t
7ͫ:+ۼyQVi3Q6Pn|=ΪOcmǎ7PEcnjɌ2V2LsiCo&}[QRjcգH.z=>ZILdTWnRMVAda!OceGW=/z@geƨSMnEYڮ+f:(&yw|(x|("ƇNd8`2(|γ#EЄw
i9U&礶}uK?_H5kXR

LSe\>e]E,0X,0jg?7FԶUTɫ@[JC,+5fX׿+~6g=>y?*kYj,brB2"b*#ye8,f'tz1."/plbsқ2^̍Əg~5MXG-Mpi&US1|L3]z2NUF]u?;zI׫"%Y-|χ!X/.mJ?ĥ-@
=82Z.ig_zrr`H[2RU٨4rfv}:fc"8cF̎*u:H2^~l27ᨖ!lu5w3_4_ލ#Q꘶L{!MŮn M˵Js7}!‹Έ9:AX';f$uЄ۶Bu:85樶E{Ek90ǚ'<d$xs	ސm:X'[*ԣϻo1T81Oi?zŤ[fj1Lzڂב:)}애*v(kwL-_??<|ޡnx\cyLz66	
&Rc0;:8rx9KVn}?==zbfF~H1f=>>0l
<|
SYN5WzEw˨5ł3
)/ϲ_%^ϿJ7^p_-^]<@ٕdKcsʲZFf<Ź1c|xfpYp,(h?W>"48ް3Fzh޷F
i*i*iQ4u$,rCJLJLJ|Jܨ;uj:ΑνnՅc%B9VӹtYδ^1jzU4=Cjce4=ѲoA p6`!&ֹ 6D"`q|T/՛ĂaUoYꕬoT}]+Nb5
ҪR%EGJeYaEbT>b@EmUQ'xE##HmƴG<%@{Bu	b\},B^
@|nV3:qw.yעPJ,@@x`]I@(EqP@U4rFYwIMhp	YEE H$NW'	BY"=qIRv}eТ-JТā(,7d)8+QGzөF:G{^J/Aee#{~6up1)Y=зNe-fP6A~6bi5%`dE7AQ
XdCƺ:aP
7|Z:RҺ7[2~aS0
qN@wHx}c+XץhЁ7%
L?YG>r_(" (\ljEQk,ZCaFH&nA~,Hb.@
PTtϱ_2WxuJE(wsQ=\De4}"
0PYqIfK%eū&/)gOQF<LɜK
&GR7QC5Lii-FbKPNFK+}<A F#<Q(qR?(' JcWz@ŮkѩB܉*
uPsȰOħV?izR؋bk,8c>@kCV.A+`*zE+j<AE?b{B|CŇ;\T]({oOD9Pմyi;i;ih#$g:+llwSLx^k%^kd⭬z[HS,Omkۻ'%"M@\gKB'CN$wPa>˓u<@qXl0@ \.xO1L9Tb%(#ҩ|STRZ싁+VYP	
1+U.AU\땝T
~Zw!·br>RA,*	
*jYfgʘWPQ\aW|@x@J);\+pE
O˝r/J.RWWd	>|Op';UPʮg?I,:<`i7DOt2Wx
5+weE8oT`=!r` xw{9+9xxR=ƪHbvHkS9݌F>IKLqN D"NWȢSƥB!|tu>l Qq,"-NVjh-HNk@˲QN1E Z-N~|?+Ċbpbq숰͏f۸|nJFVO]KjU2M:%]8	'9,t3ؔXgݮ^5^Tyz1I)I)I)/hH3vhyIƒ{_$!$`@6 I#I9s"ɴq)D3 Ŕq>.F d2NXC|jHA R)vǍxA ^	/"-!BցF,f%x/8G;Q&(q0C@ 3XPB(!8Jt(&6:Fv/?겮?5?mUGIOO:Lk]0Wՙo!n=lCnN9u]zӇ|V.j*uylUpw/M䢴2@!	1W1!
"P5~
\0D8:P$qI_4h}pud/[ŨAvJaYM-4q	T(M)#!AA6Ƭ.~W,	|)*/RBZ/_TdŗBF8QV{|ad
_ г1/"/M|aZPkcfL`3ČsazӫUFB!qȈꁁHB$!If!#tl@oߔ,NۀO5uL~R[!Lr_{ﶫYnegޯ;|F7!@𕑷
*I-;q{GJUUkqs999yjK]gKmӹ_x\%}0.u]W?,Ǹ}Lޞ>o'ˋG~w_o?6khMúRx<}:@~)#sy+'W~H)u7'FiPg
1/O8o_	_'D4k?ȓu[2A$?ӻ/>3Fo1r_C%RB
FIJ>4ʟ~eX_a/ӯKOR
ۨ_c3_%opK]ҥ>-.UQ|8e}^wYpTápC;?\_.~;pJ&w{ko<7J?QmWډ?W>wWN?7Ԅ|?2$V8'pYpv?`}^쾾>" HA⫤5D!-ˮlm=~
t9~2Do-݋x3{k97,r|f)_5p/6/ETxW7ݿ͋j}J=s0B$\7"YΛoB2=
H=_d3qE	C|&ȯB?9箠zx~\pZ{U{@*P񫃊%$< B{vmIz)|bY&/ES᎑iwz^bN<>_iO-ӽRChWoF_7鏛Q~ԘAOoOl
_eDFl9ƩY$>6md~~()P$EP$
E>G"(>"rנ8HHŰ_"E}1EKQs(#>yȓ|@'0%В-S3_Rhɟ
hQ--D`_-?Shqo;ſZ^ƍ?-/Ixx7~սh<@6qU@D _|xxow~^b˗'\Y?hI?O`K%
Z>wJR^
-Т=@˽Kn?Z,:h/~fb3_fw9d< vn
pz7_t=*W򵗕>UP~/AO8UV7ބSo~Q)7RDO@	T
'Q)B|*]/6mx@2~vf
`_: ogxq<@2\y9(SC7{`KX7+
Dy Q~FV>0yL~)`Sb7'*xCo1j?00(k_4_?ӿs#97l(
[FqGOy)gзuW|+o_/&p(0=U8t~ѧ؇_xfçL^37uW`Wo|e-`ws{x2U	+N<eWz8_.敤WrׅQ.L^	¨W|+oq&mu6~~o}m_x|.xk^u?H:Ӛo
䝼Q 	+߅-VtB@^[(We
_^97ZÿC@xM?f.(hç5`M?sk^y}_g>7ؽnc-lMuBy{i(ݙ^3iRƹsˌw݃͡s!{:Ɇ2_9sq]|Cʳ፯~6O&6w{ߧk6R=LŚTc,~yRB]Κ_CW7O׬zinRsټ*O*)ݰmwnvh{kKQ^EͶw~9}ek&;%oFž潫j
IS93X22)=hmcco;3M5f:=7>uz
v8Nkq<4_H+0=1OmWs0j;j[sS2e8|8W+yd1ӽ[
c}1fDg}x7&kmacD
X3GR}bx6٫myVN7Z]O16ow7
а,h	
+fLlj1'`o[nKQed&_mmÜA]j@2?+.qfmuF0',֔*v`2vB/!yr?kqz9ŤP4AX޳mcZmїՅa7xEnSh#s?"z詭l|*
A5Or3ur*Oi#$%i$:ZH5WN$}dGO!5v\RFF7,%Z)ELb`[7.؝
|E{Ag0tM?Hd"A-;A6{+\gLpl,Ҳ6vAC11A
P8hn*^:vP\˂8nt4I4
XU/SY8)C5qzJ#ҨV=-;DEstJ6`Xs;e"Z|lLg,+6
mb0mvHx346Gd:Vg4Q
Le‰O;K;z,Cu!b%80ߥcF0Avmu2j
bS 8RdZ~EQ)|6Adޭhm!ylEѤ+d?SI
r~%}?Fyx;%>äqm7
;[Avp;3 DI"
g%?!T5|ic?ulUÔ-q܎0Ω¥F!~4bcہ-ba=9Cy>`B/E$pU%~nLxBXz.upxMN\Ry>^Dܶ2@ݗD4ζ^eCkfT$DF0^s'b`&EC}E@$[NHc._ĸȌE}H-n㉀ܯ68|8aӊvt	O
1`,|]3|㼸0|i-Pm[ˈ
|F@}!
0+߷L4Dp>~0p^+B{;~ D%½"U:,`3Br~Y?#K
)f﮳7V60nT9@Q&o"QSS;w9ĀqP%5RfԈW,-v\*iaM"sIZ9zEL=CXtes;ɷ|96ڳx}ő<&ԗY@:h͟ÿ Bp?Afx3@',o@PP
dk\=b[k
01|L
^1D[;2GP~9\
8	DNn`IeZG24"w;@kF-ak@]8b?@akDLZlj6Y*:n,ӆx*;"$b$wS,rQnegIJRW.HW4SJ6D%fͧmąm:B%ᴚLdt|}Ar/o{pMW(xLSBIv7Ҳ.@p+E6Qx1X3@g`{ix&$A"m~ѡ-Ԕ _Z^*yݎ 	"F&:ra_A{4ds]	1,YE#6О#cڅ+=t1Xa+8C
u!`ĕkgm
H
`H\Кp#g`貗p\\"3O- Ý-ҐbBa#Nt)8C$oYutҺM!<#4 |M"r)15N+w3?CLay'SM0Ār	<+csDRX|ߺf"lxF59%2]9 
k`Ww;w_
-l
J90EیAOv"s^gqjHuh`
Vc+齸1;k:w!\壡8KVo.ef"YbOC'LXnoG`Nm2DpZff3jovHy&}_B1cYA"\D!	w;t%
z^ObFKv.nWqX8f2qF!"hKܑ֞Z8(]1sQPdo(#fo{A%2H6+AQB}Y4}՝jM.b{*ЂZĘ
'|7yъ˖A63`80O@QV}fI(\#jδŅ&$ftGuP;`RY'^L5,@bcE]rΉ9@U%݆%{9KŸf$qO\y)PE2	=02KIΝk.l\3(vC޸i/yh儩͓X,O;;%-6΀ml16u6C1mo:kgZpE$
;,iCVwi2[RN+`W	+D)ieE3e.%,3'c:Jp!ħ"XBisVmHU~d8KV؉ՌCˊӌFc|-1G?/W)au5 TEV`Wkh=c&1W"q'kNī&eIuaB "vK|xUAb`,8cLPn"i7PJ[{[K3{rڇL)SpqaP9-^`az@0QrD["3<,|MXޅWheFܧrO]743ەc)؏Uxp<
O@RLb𐠆83Xd6hyad^/8WQ+hs	KcX.N3
@B$6 O34bWTAִX{.XA4*3ұ.	pD8^CuW>opYAEgdPtoqC>p!pv]cEot>:E#	ihoh'k!ݻm 'lA2d.,XɉB>
Lx}y,ZT{t)ЍBITfX]zCl0F*Dž	@\,$>`L&
∿`(nnjEhLCTA)Vhʻ$Vu1Ӷ~(,PS1"p<׮X*Ѯ	Vm2+ki[w@/RȮ
Xc݄]4W#*,	ͅdlffni>#x8c$>IZ}
T
N$gOUM0#&DTݵșVX?Ui%9
t*A9h9NzlkfPp{~0 •$N0ǸyCGbv)gW,(;$є@^f\
,=}Gc@7GYcIq{=2o
5UHҦBa'Cҥ=NdױxDigqv|xTC,HTӚߛu"8nWsE`
0xXsJ7K`
כF|b,c#v0-B./,)kmQ|;k5ƨ 2Ι0v=P`ZR]4JQvmYwf@Qi[a\%'rCl3906z&ǠCceFtvѝ/L6̲@u,<7ءГ`٩v'V-Ue>bF,:DO3b&7E{pX|>m? ~1jNpACX֣͉e7+`tL
dUH]jǡ<`M
Jo^X1$DPTwS%B8}Ec{¯fQyP~bF0t9P	v
,L*ȩA76!t@GLJ>}SLqe#dV+N3wQ7qm<HbH6=4̩%
=`+rm:Kky0Ca+}pXʏ}JDr,4nf`+JA-#&mO0Zچݳc5_P"))5-1OX3sFډ#^X$(Z/l^հ
zK!;u]0e~k>?5%ʛ=C};KۡiѠ8[P,p1CWYH9EB(gUoif|x8~pi/b:ڡ&9Vs,YA(GحEK+JĄҘ"*iV5X IŨhҜa+ON;Lns2pv
B1VGG#ls`H1MY+0*J5D"x1!} ?6?T\[욮S0aҨezK6fm}bw+;Áֹ:#dd0Kt!#P<
6c’%	愫,P]io4;3PLǹ^T%>6$a'AoO<+/Xi+uYRi%J)uPM[Id maď-oB5Ñ} Be$T@P:2J@"UA<#:	;fȸ-šxDL@:iA ʐ"iBj۰Oe&lXZ7DL3pr"xÄ$Þpqj5Ui@s#=~^
gJVADAKw;pJ
)ɂ&}aΪE\F\"0jh
f"ՖGx}k9&BV*-:L_c\kIZD]ehvʼ	eW+R25"`L;]+}C[)?
ug6t
#9i>݃vJM{~0avY61v^z-Bbvk}N:RxoPYo;:8
;IxP8+s:\T,`8ğB1Κ!mL` ;x{mKcP:XXC~>
Z8<-C?d[|7bL%\h{3Wȸ#ݿ.LԪ.A3AN.e9r3ZQlcN%R"2Lծ>sĞcZC2>AWDF`o$ɚEz]Iv2s^)FʎpfZxfVh/SR63t,'*,U4Co͊,%Buq3#.1KDO@`{a BYiX"ܽN	!ӷ]Vf+ޢ
9i"Եgݫ΀B5b읿St4UL퀈cR`p:D.R5g
ղ-IFKhqsY#+pL$Z^X݅uyխu8kϝC
TS`"JSD[9]e"2z33^uN+fi,F:10m0wi#EP"tbP'yչ4|JU<4UȄFFBtZQTPba`7*wN)57G|"lź
{d*h
;<uA1g	[P5Dj!+s\3b$LSkD&ӪD8:Kt(c8$F\ڂ5:ѾYSbΐT
tW?hgI h"QAcA(iBw	zx6S%l{%P$]Q>BHFqy%YSE%BvS
\$¡攝`%|0Ԩ|`dćߦ.y>i ]iz%'RZe@/&-B,KA*ky"X9%݀kf1R/&w𨬽\	<)Gpy6ӈ,)S\bUQKWKaCjYSgZw3BO푹LB+!]YɦeyTs8UmvF("wQʚ*V)Q@d'7<>۴xۦE?|4*v'Qmȏ=*`#N IL4t-5`[@Bđ
,i&Mv.M@cCCBBV3@!Qj=e-LveM^o4WCb4U٪T	2ACq
jёPDE{=M:-7Ł8HAAc'iu !E|9Gab<{GFyD@t,η,iQS)
Z (Fs,ҙP"kK=u@ePp*
q*gѝB;$K@:du8kyd`	a0w-N9&t`9,fX/j70ZqBiƜǬf>ѲI腤BBѢ;,	%9,Ѫiԅڸ+E2=[à*fGk-1mî+?f(ML0%ۃs3eӒj
?aM	`ʲa,_YJ

i`U2_,+wУe,jux rʻ`tiVWPVIiLWX&iw,HFARIZ$D,ĀT1c&c}Fn*P
hKib&BD	ʧ DQT=*`-Tal/P,< 9&W6*F˙$sYR\B&\TӘsMgD,;srѦq;h~%[YgWEx E&VOH[Y5,`ud t\h(No"}B@phݾÞ>봺t>)9pgP٨9?0aȟ 픪?t-~_Ƀ\1CuJda$a5YPp}v>f|EǗz:i:	ڨz̈́/KbXGFVJ!#P	bux[W
P^[WkҊBWNi
XF#\U)Uqotj_'BPF/UQ @<.s
,eG`DNC&	t?Mgz,R_l(b;zR5e(0Ѫ%'
>fHsdIJW].m
@`9^_`:_VuVAq&*)\$)EX!hZW%9}Ld/(RHwUA.	y/-݁٘@ikb%o& zb*gᠪS4t^;,A`٘&sY:WEӴ/`y"x	ᇖ$CP]s2[iBh2J>S1*`t} i`\XDPH<+ܲЯdS_vyEV'뢭MD!YC1
X\sYo28AD1(R+fH<^#rM3dSj^^ILu4WG F:K1kTv4
(`+~)P2i/ٚImgZǽ_[t,N ,2{!iphly*RJ1檳sY奨1j.&	@nt;_s(Hi{mb$g¸;t
f,byVi.k[ІWdO|1YĨi_:Zf&0Q&ZCPSk1#-V ZT*)@cAWb07VEur٘݌`jEqN3b
Y1pҲK>f	i:vsJKa5r'XX)yC'r
Ϧ(_ETͳ"5q%
ZZ/ΔO;3FM
X{gf0n5eة.qadOCyΌ`tPw;􏀤1[ 8iTeqͣUحh8pqaw]5vZ_.HrA׿ЦPء`YуH+
:uJkE9N3)#]WEdt@JJrB[DS1krBz7S@-!:o *DAt7RH02hCW,HN>DJB^\ѮJ{В"cD	*IoMg %lUQ[amg%"IG6.iܩ<(=͔^QT@cfd0L

E*ZWRBZ%`	=)-ڋuT7c2҉-<8S;*_ZGo{!k%-2(&yj͊*ȴO;Z&Zfx^-̼]JHWZ:|NP(qR{֖!@Ѫ6`Ԭ:Q&UX5*pf©mHAqvA
>^U^xk:UF0,&0ɩY:\Db3[	?ep*=:q(A:R1F(	ai	3o|rw3ǝ%4	Qҵ*-˽I
*
.*,{PLY:JI5m!Zsp9Ԙr,4 ҧ=p4Fm$
:g0NC%!2dJ@0Y*5
QЄK3LʃT"vh|&+l>@kzB̛q%T|6ҤWD.>9w9OSYɱo@L*aLzӄjahVTA;!+z[akS^L˃,M-g6I^$֋UTLGꔀEb#PZׂ-C!"!; dP*Vtn一I)?-|f{Ն2-4*EHY*ST1M%QLtIAr!nstWpPrSgh8_UNJ>+n$Pa\$`e;m ]NKo	7:**Ry&]q*YG:|AD-)A=QҴt8ĸO&ba1UsH;qҳNX/d,;R`D-{߁"|KܸpQObR]	*sIn|_,PuC4DUs]*}RИ~I*\Th~u
6ʃ'&e.Eez<2w*|pm-yՉ:*Tuq&|tF,]k樃8ξ:OPŤql}6f	i2i_+Aܞ#}Z0r0SN3e
N
Y^
؅VAY"UѹB̳ѨfKZw},9)xr槲=z-c޻5dC>oYiXTf`CKʧ2mRB\;^ձ!,== wNhٻʬs)7"ڊQDP@!@4uNzn1 T}CLʊv^L[ZeTUVVp%T+XНVqKW&K8$i+)#lܱp'	N4Enf`iR``aA,^תּcL8h"ǩ:%QGU,vw^6UƧj[ pw]`αӌqkT֮q㽫6O3M~9k,*p%OHIѡ먣MZQ,4SmͬKpHc6Jcvaֆ^Z(,Z-jR٪⬺g{a=hVxa<Ń0VN՞f}a?V|6*IUa/&iF˶.hǪ!ZX<;_騋vEQxyX
F*w0A\F"Y1!XwCg5(1q5"tCd(V&UTNݻ]:r+vD1]-jeI&TJQyAȻ],\	[}}T)'Q.!n,	}P|ϤeR14#*2 %&֟cÜβ*m.U0uZmЁ?=Jր:NB2u3s//
	r~2'(iF~
/)$!PS@E蘭u)G7.ޠ	tO=U-JR%$z6=SI\VVS}vq6fouQI,PlqQcP+pcXZ'WOSwнV00+RURؔM	,X%6XB ֜LA&:O@jpS:JEEjeƴo%Jvyx[,W֮@\B@ˈ~ e Eh5gڮ`~	6"jӽ`glע崪N&
&XWSxy%B3_8DCj-WtU2Ay`r'z)$/PSvQnjU>]Z)VF9:+УzԊ2zBaƺ*j0)N7cѵuRUi28tVU[P"4|<\BBvh?zzlנzlXz6Z)]sQmf5	ػPDlaA~RxAvS]+Nΰm.; TqQ_CYOAera[ڮ	&	bLQerFDez^ک6ƹ過0X8
rL萮i:ut֟wi0ѭ-OɹLlDuIRV+\H+7s2gEaWa%$:U*U1%t MBqUCdppK&$
Q,OF>6i/$v@ܯD]9"1UoQwazs#s>ɂWA$>/%^p2gl.2.GxɂznU
u>B߼0r>iޫ:Yؤ"#JO6N-7fJwQp	:]VcF46HxMXU(W[ؾ*K"+
{\tpc,[,UosR	Rs%Vj[
:stƸ_vW,RA6j
roKT;"۩ںU`xʼ=t@8(-:3V(f:LhySl5'/Q7UEBU)ۂjʂU>OTI`8؎ө
pXxn_|"ΟJQ1`zL)5C׻n[L%hN]đ`6?՗ 4<6"XYc>kEhMt#Dl]TpgMzsUk5uAB|&

qZ$JKXt=62N3UUf	J%gڹ:gDIpզ
.hP	a5:7X:i0YHXW|qυYgJe(QlnM
KTyǐ]4S*;[i'*2u@\y)ZT,CUF%UsBeӆUɃ,hبxPһ>4q*/asiI_
z)!"a\~ZtS
m6t=Ti:ƍ[:<0rYYLx"Ɠѝxx>-ھvsV9d7_*2)g`*խ
Ă$2!
R5R`gV[Y?QUSè(xH֍/ j|TgֹㄵyMg#[܌Έx"lu¼5a@/0$TU`.lF]nɠOLXN#u
kJ@·$,p&}	׭T;'!Z^zWVu*Pۜp3fԩM(+C̭:U/|Qꠦ:0Y
T8mzV"=:ļ+u֤-
&Hâ\9UK]5UN߬dR0A' uכ:?s2BA%tJ2:=4شtcB}xr$\4wy?M[:ScA(Ê6i%:%U&|jnfaB1aJZs:6EE &6$ɷ],7=TX
YE`SZI.(zXTj>3#J#Tc^!kR1#,I;~]wZijʕSPlUB.XZD.h6
ݏӔߴj>^ŰĽ,w
щsurhgtl9wgX	^aUVDP.)!CU
đr-vӀdҐsoTyA*)#|P@RD[uN1cњ8ncc;`=X:]rlӲ"_hL?ޏ>Rwn_i0,vxYYJfm`|´RuT>"B#/2YM:hu1)S|B-V+i/޺L~@0kNS>8YkHT/>͈:fFwD*ϤS&x骮L7{ͤzm20ב{4]v=K煍0IkEFv/eVW:)g:%C&1:{>\~1MY0D^"i8E*1Jdԫ9ʞDҠނV(Z
}փ1Nw35*eEi3$*v,.-W$٭#5^$7(zfŲx9YjLx0i:6gg!HY*"i4CN՚,/U\PUL),KTtYPWAYU%c>OxCS"h)MqTJ^Gr%)AU1̺IJe^I!:=C̓Ρ'.LŔJ
mZ_.gԥǐrݶWBblJэXG?+!EjVw,JmZuRe,AaUW~Mt8]O B8*]!0UP^%Cl/5WJS9ZեMRGp%gIv\AnD2Y@= "ny42cP*-nS@ nTabl<¥S}0JȄGlFgN	>drUȤmxv‹Ru7Ry[p/칮M!개n(^wwpj
|a*Tt_~x׺S~*)[jaRDFAyU.2tgVS;|E(6Z
*R*FMw;"5zrw#tDs.BT2<8qV.WJ*s(N2%t幃jұ#nև
why3-1.6.0/examples/prover/Functions.mlw000066400000000000000000000047771440160026300202470ustar00rootroot00000000000000
module Config

  meta "select_inst" "goal"
  meta "select_lskept" "goal"
  meta "select_lsinst" "goal"

end

module Func

  use Config

  predicate extensionalEqual (f g:'a -> 'b) =
    forall x:'a. f x = g x

  (* Assume extensionality of function. *)

  axiom functionExtensionality [@W:non_conservative_extension:N] :
    forall f g:'a -> 'b. extensionalEqual f g -> f = g

  (* Mainly for use in whyml *)

  function eval (f:'a -> 'b) (x:'a) : 'b = f x

  (* Abstraction definition axiom :
       update (f:'a -> 'b) (x:'a) (y:'b) : 'a -> 'b =
         (\ z:'a. if x = z then y else f z) *)
  function update (f:'a -> 'b) (x:'a) (y:'b) : 'a -> 'b
  axiom update_def : forall f:'a -> 'b,x:'a,y:'b,z:'a.
    update f x y z = if x = z then y else f z

  function ([<-])(f:'a -> 'b) (x:'a) (y:'b) : 'a -> 'b = update f x y
  lemma update_eq : forall f:'a -> 'b,x:'a,y:'b.
    update f x y x = y
  lemma update_neq : forall f:'a -> 'b,x:'a,y:'b,z:'a.
    x <> z -> update f x y z = f z

  (* Abstraction definition axiom :
       constant identity : 'a -> 'a = (\ x:'a. x) *)
  constant identity : 'a -> 'a
  axiom identity_def : forall x:'a. identity x = x

  (* Abstraction definition axiom :
       function compose (g:'b -> 'c) (f:'a -> 'b) : func 'a 'c =
         (\ x:'a. g (f x)) *)
  function compose (g:'b -> 'c) (f:'a -> 'b) : 'a -> 'c
  axiom compose_def : forall g:'b -> 'c,f:'a -> 'b,x:'a.
    compose g f x = g (f x)
  function rcompose (f:'a -> 'b) (g:'b -> 'c) : 'a -> 'c = compose g f

  let lemma compose_associative (h:'c -> 'd) (g:'b -> 'c) (f:'a -> 'b) : unit
    ensures { compose (compose h g) f = compose h (compose g f) }
  =
    assert { extensionalEqual (compose (compose h g) f) (compose h (compose g f)) }

  let lemma identity_neutral (f:'a -> 'b) : unit
    ensures { compose f identity = f }
    ensures { compose identity f = f }
  =
    assert { extensionalEqual (compose f identity) f } ;
    assert { extensionalEqual (compose identity f) f }

  (* Abstraction definition axiom :
       function const (x:'b) : 'a -> 'b =
         (\ z:'a.x) *)
  function const (x: 'b) : 'a -> 'b
  axiom const_def : forall x:'b,z:'a. const x z = x

  let lemma const_compose_left (f:'a -> 'b) (x:'c) : unit
    ensures { compose (const x) f = const x }
  =
    assert { extensionalEqual (const x) (compose (const x) f) }

  let lemma const_compose_right (f:'a -> 'b) (x:'a) (_:'c) : unit
    ensures { compose f (const x) = (const (f x): 'c -> 'b) }
  =
    assert { extensionalEqual (const (f x) : 'c -> 'b) (compose f (const x)) }

end
why3-1.6.0/examples/prover/Functions/000077500000000000000000000000001440160026300175075ustar00rootroot00000000000000why3-1.6.0/examples/prover/Functions/why3session.xml000066400000000000000000000024771440160026300225410ustar00rootroot00000000000000






 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 



why3-1.6.0/examples/prover/Functions/why3shapes.gz000066400000000000000000000007451440160026300221550ustar00rootroot00000000000000RMo0Wd,
bX^v5di5&Y{IՐ'
W/ywŗTw'+!bMT>lVm2#+]P%>n؎tWl{150ӈΫkbWy3bFĠm iset_ok (Cons x (Cons y q))
  
  let rec lemma iset_ok_char (x:int) (l:iset) : unit
    ensures { iset_ok (Cons x l) <-> iset_ok l /\ forall y:int.
      mem y l -> x < y }
    variant { l }
  =
    match l with
      | Nil -> ()
      | Cons z q -> iset_ok_char z q ;
        assert { (forall y:int. mem y l -> x < y) -> x < z }
    end
  
end

module Impl
  
  use list.List
  use list.Mem
  use Types
  use int.Int
  use Logic
  
  (* Very stupid integer sets. *)
  
  let rec insert (x:int) (l:list int) : list int
    requires { iset_ok l }
    variant { l }
    ensures { iset_ok result }
    ensures { forall y:int. mem y result <->
      y = x \/ mem y l }
  =
    match l with
      | Nil -> Cons x Nil
      | Cons y q -> if x < y
        then Cons x l
        else if x > y
        then Cons y (insert x q)
        else l
    end
  
  let rec remove (x:int) (l:iset) : iset
    requires { iset_ok l }
    variant { l }
    ensures { iset_ok result }
    ensures { forall y:int. mem y result <->
      mem y l /\ y <> x }
  =
    match l with
      | Nil -> Nil
      | Cons y q ->
        assert { forall z:int. mem z q ->
          y <= z } ;
        if y = x
        then remove x q
        else Cons y (remove x q)
    end
  
  let rec merge (l1 l2:iset) : iset
    requires { iset_ok l1 }
    requires { iset_ok l2 }
    variant { l1 , l2 }
    ensures { iset_ok result }
    ensures { forall y:int. mem y result <->
      mem y l1 \/ mem y l2 }
  =
    match l1 with
      | Nil -> l2
      | Cons x q1 -> match l2 with
        | Nil -> l1
        | Cons y q2 ->
          assert { forall z:int.
            mem z q1 -> x <= z } ;
          assert { forall z:int.
            mem z q2 -> y <= z } ;
          if x < y
          then ( assert { forall z:int. mem z l2 -> x <= z } ;
            Cons x (merge q1 l2) )
          else if x > y
          then ( assert { forall z:int. mem z l1 -> y <= z } ;
            Cons y (merge l1 q2) )
          else Cons x (merge q1 q2)
        end
    end
  
end


why3-1.6.0/examples/prover/ISet/000077500000000000000000000000001440160026300164035ustar00rootroot00000000000000why3-1.6.0/examples/prover/ISet/why3session.xml000066400000000000000000000126201440160026300214240ustar00rootroot00000000000000







 
 
  
  
  
  
  
  
  
  
  
 
 


 
 
  
  
  
  
  
  
  
  
  
  
  
  
 
 
 
 
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
 
 
 
 
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
 
 



why3-1.6.0/examples/prover/ISet/why3shapes.gz000066400000000000000000000041041440160026300210420ustar00rootroot00000000000000YKo9ׯDE2@#@c;v؃*E}H(olCy|n~{^)|{Smx+ym!<ބ\c	O^]z
7Ooe7&`$|Sy|/7'G}mxի^ݯVzߠvhFYm}7a疼0ۏa+AmGieli9a2ʣQ?b	)z2rKxz7w!KvMLK}N^/s.¯˛pnJ(i;|51z^
{-:%M{,/PvV&OiS.đlHz%

:^V:UD5m@t+w{=\ޯ{={=mVd_Ü% AQpDktvQHG{qg53VH6
;콗ԒfADl~|R՟&z9OOeomY߫Ei`WeφWS[-e`_[&j0}Oej1Ձۧ/{Qɇy+Լm\G:&Mݛq385,&xL&@̪\YKެ
|:H26?gӣ}Yү*/k	@NmC5$O#ɾp<9^HOb.P+>z:QOp*M;?]ϣ	r-M:_k:9"hBjl`D:y^r/]o|Y
~W|Ԛu7	

m7Fe改ƸIww7nKyJljmɂhB&ug]q;9?n}ܦt@[Nh(j]6^0:WcƴGWU<._-=OUFz]p
q=Mn6EN>[M"̥MyʐSH~MZS?aQ85y$}7SMcfqLݤ˒%FkR-S{:,%%6p^6;PVbJ ,u#mp;y@Q1њQQf9zݙ:kOK8Z]1]Mawnǝʨ67Sdڀwuګk,^~1P*ĆLN0EghhL
j-(Us`#b
	40i@C6xT905P5-eq։bӚHqCժKV6F6VdL41DSPX$(JX⥚BR\
yar.wD8J@}5)(CZr,()J6&	e΋;rM.U>F!K$
t#8q)ʠeXE1'b,O:\ˆhGCa\jR. .
e9RAENMˋ-1$:;@ӢJrVR,;@I
E
 g"iJ$VGj	C1]xKT*y:V&ŠQAMwW}%a,*jQ`4d	5JTV&I4A	P|lL*C%
H+_Zжz%`'w,K9_Fk*$N
cSQ%h/׆SIfdi/[fg'3βPaق$^HtNaEF6xFjj/OO=lwhy3-1.6.0/examples/prover/Makefile000066400000000000000000000033121440160026300171760ustar00rootroot00000000000000
BENCH ?= no

ifeq ($(BENCH),yes)
  WHY3=../../bin/why3.opt
  WHY3SHARE=../../share
else
  ifeq ($(BINDIR),)
    WHY3=why3
  else
    WHY3=$(BINDIR)/why3
  endif
  WHY3SHARE=$(shell $(WHY3) --print-datadir)
endif

include $(WHY3SHARE)/Makefile.config

ifeq ($(BENCH),yes)
  INCLUDE += -I ../../lib/why3
endif


BD=prover
OCAMLC=ocamlopt.opt
INCLUDES=$(INCLUDEALL) -I ../../plugins/tptp
LIBS=unix.cmxa nums.cmxa $(BIGINTLIB).cmxa dynlink.cmxa str.cmxa menhirLib.cmx zip.cmxa why3.cmxa why3extract.cmxa tptp_ast.cmx tptp_typing.cmx tptp_parser.cmx tptp_lexer.cmx
WHY3FLAGS=-L . --debug=ignore_unused_vars
MLFLAGS=
MLIFLAGS=
MLEXECFLAGS=

.PHONY: clean depend extract replay

$(BD): $(BD).cmx run.cmx
	echo "WHY3SHARE="$(WHY3SHARE)
	$(OCAMLC) $(INCLUDES) $(LIBS) $(MLFLAGS) $(MLEXECFLAGS) \
		-o $(BD) $^

extract: $(ML)

$(BD).ml:
	why3 $(WHY3FLAGS) extract -D ocaml64 -o $(BD).ml ProverTest.mlw

%.cmx: %.ml
	$(OCAMLC) $(INCLUDES) $(MLFLAGS) -c $<

.depend: Makefile $(ML)
	ocamldep.opt -I $(BD) $(ML) > .depend

ifneq "$(MAKECMDGOALS:clean%=clean)" "clean"
ifneq "$(MAKECMDGOALS:extract%=extract)" "extract"
ifneq "$(MAKECMDGOALS:extract%=replay)" "replay"
include .depend
endif
endif
endif

replay:
	@printf "===================================\n"
	@printf "Starting time (UTC): "
	@date --utc +%H:%M
	@printf "===================================\n"
	@for i in *.mlw; do \
		printf "Replaying $$i..." ; \
		why3 $(WHY3FLAGS) replay -q `basename $$i .mlw` ; \
	 done
	@printf "===================================\n"
	@printf "Ending time (UTC): "
	@date --utc +%H:%M
	@printf "===================================\n"

depend: .depend

clean:
	rm -f $(BD)/*.o $(BD)/*.cmi $(BD)/*.cmx
	rm -f $(BD)*.ml
	rm -f *~ *.o *.cmi *.cmx build/prover
why3-1.6.0/examples/prover/Nat.mlw000066400000000000000000000015401440160026300170020ustar00rootroot00000000000000
(* non-negative integers. For mutual induction using size variant. *)

module Nat
  
  use int.Int
  
  type nat = ONat | SNat nat
  
  function nat_to_int (n:nat) : int = match n with
    | ONat -> 0 | SNat n -> 1 + nat_to_int n end
  
  function add_nat (n1 n2:nat) : nat = match n1 with
    | ONat -> n2 | SNat n1 -> SNat (add_nat n1 n2) end
  
  let rec lemma nat_to_int_nonnegative (n:nat) : unit
    ensures { nat_to_int n >= 0 }
    variant { n }
  =
    match n with ONat -> () | SNat n -> nat_to_int_nonnegative n end
  
  let rec lemma add_nat_simulate_add_int (n1 n2:nat) : unit
    ensures { nat_to_int (add_nat n1 n2) = nat_to_int n1 + nat_to_int n2 }
    variant { n1 }
  =
    match n1 with ONat -> () | SNat n1 -> add_nat_simulate_add_int n1 n2 end
  
  constant one_nat : nat = SNat ONat
  
  lemma one_nat_value : nat_to_int one_nat = 1
  
end

why3-1.6.0/examples/prover/Nat/000077500000000000000000000000001440160026300162615ustar00rootroot00000000000000why3-1.6.0/examples/prover/Nat/why3session.xml000066400000000000000000000016001440160026300212760ustar00rootroot00000000000000






 
 
 
 
 
 
 
 
 



why3-1.6.0/examples/prover/Nat/why3shapes.gz000066400000000000000000000004361440160026300207240ustar00rootroot00000000000000Q=O0+ (option 'a) = (\ x:'a. Some x) *)
  constant some : 'a -> (option 'a)
  axiom some_def : forall x:'a. some x = Some x

  (* Abstraction definition axiom :
       constant ocase (f:'a -> 'b) (d:'b) : (option 'a) -> 'b =
         (\ x:'a. match x with None -> d | Some x -> f x end) *)
  function ocase (f:'a -> 'b) (d:'b) : (option 'a) -> 'b
  axiom ocase_def : forall f:'a -> 'b,d:'b,x:option 'a.
    ocase f d x = match x with None -> d | Some x -> f x end

  lemma ocase_some : forall f:'a -> 'b,d:'b,x:'a.
    ocase f d (Some x) = f x
  lemma ocase_none : forall f:'a -> 'b,d:'b.
    ocase f d None = d
  let lemma compose_ocase_some (f:'a -> 'b) (d:'b) : unit
    ensures { rcompose some (ocase f d) = f }
  =
    assert { extensionalEqual (rcompose some (ocase f d)) f }

  function omap (f:'a -> 'b) (x:option 'a) : option 'b = match x with
    | None -> None
    | Some x -> Some (f x)
  end
  function olift (f:'a -> 'b) : (option 'a) -> (option 'b) = ocase (compose some f) None
  lemma olift_def : forall f:'a -> 'b,x:option 'a. olift f x = omap f x

  lemma olift_none : forall f:'a -> 'b. olift f None = None
  lemma olift_some : forall f:'a -> 'b,x:'a. olift f (Some x) = Some (f x)
  lemma olift_none_inversion : forall f:'a -> 'b,x:option 'a. olift f x = None <-> x = None
  let lemma olift_some_inversion (f:'a -> 'b) (x:option 'a) (y:'b) : unit
    ensures { olift f x = Some y <->
      match x with None -> false | Some x' -> f x' = y end }
  =
    match x with
      | None -> ()
      | Some _x' -> ()
    end

  let lemma olift_identity (_:'a) : unit
    ensures { olift (identity:'a -> 'a) = identity }
  =
    assert { extensionalEqual (olift (identity:'a -> 'a)) identity }

  let lemma olift_composition (g:'b-> 'c) (f:'a -> 'b) : unit
    ensures { compose (olift g) (olift f) = olift (compose g f) }
  =
    assert { extensionalEqual (compose (olift g) (olift f)) (olift (compose g f)) }

  lemma olift_some_commutation : forall f:'a -> 'b.
    compose some f = compose (olift f) some

  let lemma olift_update (f:'a -> 'b) (x:'a) (y:'b) : unit
    ensures { olift (f[x<-y]) = (olift f)[Some x <- Some y] }
  =
    assert { extensionalEqual (olift (f[x <- y])) ((olift f)[Some x <- Some y]) }

end
why3-1.6.0/examples/prover/OptionFuncs/000077500000000000000000000000001440160026300200065ustar00rootroot00000000000000why3-1.6.0/examples/prover/OptionFuncs/why3session.xml000066400000000000000000000041411440160026300230260ustar00rootroot00000000000000






 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 



why3-1.6.0/examples/prover/OptionFuncs/why3shapes.gz000066400000000000000000000012361440160026300224500ustar00rootroot00000000000000M6>v$R(X`(B$ىvL3уm|^|e~8%G=
iw:|r:CKS9<']Zi@&ϤYy<|nOÙ_3.<ڔX9V23	~%ܵYbB8FԓSBnZd.ˌK\vUnz]r>o]oSZB{YYtLO_xvl϶}X,t/+%܄>!'rA޴/r2fSC	ʬkT9iw8h6@"HȐ!x%)uhH9*٨4XGw٫4#
f&hIz0/0&ƌ>ؘ2j,u<)ؘ
-(M-]QD
Is#+T\vΉf]žxץP
@E2OZ]ĥf
+=q0UђE":o\++7J(	Q+Ml}em5enwhy3-1.6.0/examples/prover/Predicates.mlw000066400000000000000000000047211440160026300203470ustar00rootroot00000000000000
module Pred

  use Functions.Func
  use bool.Bool

  predicate predExtensionalEqual (p q:'a -> bool) =
    forall x:'a. p x <-> q x

  (* Assume extensionality of predicate. *)

  axiom predicateExtensionality [@W:non_conservative_extension:N] :
    forall p q:'a -> bool. predExtensionalEqual p q -> p = q

  (* Mainly for use in whyml *)

  predicate evalp (p:'a -> bool) (x:'a) = p x


  (* Abstraction definition axiom :
       pupdate (p:'a -> bool) (x:'a) (y:bool) : 'a -> bool =
         (\ z:'a. if x = z then y = True else p z) *)
  function pupdate (p:'a -> bool) (x:'a) (y:bool) : 'a -> bool
  axiom pupdate_def : forall p:'a -> bool,x:'a,y:bool,z:'a.
    pupdate p x y z <-> if x = z then y = True else p z

  lemma pupdate_eq : forall p:'a -> bool,x:'a,y:bool.
    pupdate p x y x <-> y = True
  lemma pupdate_neq : forall p:'a -> bool,x:'a,y:bool,z:'a.
    x <> z -> pupdate p x y z <-> p z

  (* Abstraction definition axiom :
       function pcompose (p:'b -> bool) (f:'a -> bool 'b) : 'b -> bool =
         (\ x:'a. p (f x)) *)
  function pcompose (p:'b -> bool) (f:'a -> 'b) : 'a -> bool
  axiom pcompose_def : forall p:'b -> bool,f:'a -> 'b,x:'a.
    pcompose p f x <-> p (f x)

  let lemma pcompose_associative (p:'c -> bool) (g:'b -> 'c) (f:'a -> 'b) : unit
    ensures { pcompose (pcompose p g) f = pcompose p (compose g f) }
  =
    assert { predExtensionalEqual (pcompose (pcompose p g) f) (pcompose p (compose g f)) }

  let lemma identity_neutral (p:'a -> bool) : unit
    ensures { pcompose p identity = p }
  =
    assert { predExtensionalEqual (pcompose p identity) p }

  (* Abstraction definition axiom :
     constant pfalse : 'a -> bool = (\z:'a. false) *)

  constant pfalse : 'a -> bool
  axiom pfalse_def : forall x:'a. not(pfalse x)

  (* Abstraction definition axiom :
     constant ptrue : 'a -> bool = (\z:'a. true) *)
  constant ptrue : 'a -> bool
  axiom ptrue_def : forall x:'a. ptrue x


  (*(* Abstraction definition axiom :
       function const (x:'b) : 'a -> 'b =
         (\ z:'a.x) *)
  function const (x: 'b) : 'a -> 'b
  axiom const_def : forall x:'b,z:'a. const x z = x

  let lemma const_compose_left (f:'a -> 'b) (x:'c) : unit
    ensures { compose (const x) f = const x }
  =
    assert { extensionalEqual (const x) (compose (const x) f) }

  let lemma const_compose_right (f: 'a -> 'b) (x:'a) : unit
    ensures { compose f (const x) = (const (f x) : 'c -> 'b) }
  =
    assert { extensionalEqual (const (f x) : func 'c 'b) (compose f (const x)) }*)

end
why3-1.6.0/examples/prover/Predicates/000077500000000000000000000000001440160026300176225ustar00rootroot00000000000000why3-1.6.0/examples/prover/Predicates/why3session.xml000066400000000000000000000017551440160026300226520ustar00rootroot00000000000000






 
 
 
 
 
 
 
 
 
 
 
 



why3-1.6.0/examples/prover/Predicates/why3shapes.gz000066400000000000000000000005471440160026300222700ustar00rootroot00000000000000j0~
ۜW!RKOEװԐƮ+qpJff5݂RϾf[g<@sYg5.1S4Ƞ?G}qɠNz\%d
.DpeNj|q%&5m?*mzJ;&&kƘ6+xG+ݴjgV5
}S8_tk౎&m6"Ƒހ
u\hd.ryVK͝P$$$O
-BKW@%CaKfs3lPeExxbsY
?-why3-1.6.0/examples/prover/Prover.mlw000066400000000000000000002456561440160026300175570ustar00rootroot00000000000000
module Types

  use Functions.Func
  use Firstorder_term_spec.Spec

  (* The prover return a contradictory assignment.
     To be perfectly correct, its initial
     input (even before preprocessing) should not
     contain any free variable of kind term. *)

  type prover_return = {
    ghost contradictory_assignment : int -> (fo_term int int) ;
  }

end

module Logic

  use FormulaTransformations.Types
  use FormulaTransformations.Logic
  use Firstorder_formula_list_spec.Spec
  use Firstorder_formula_spec.Spec
  use Firstorder_symbol_spec.Spec
  use Firstorder_term_spec.Spec
  use Firstorder_tableau_spec.Spec
  use Functions.Func
  use bool.Bool
  use Firstorder_semantics.Sem

  predicate is_atom_list (phil:fo_formula_list 'ls 'b) = match phil with
    | FOFNil -> true
    | FOFCons x q -> is_atom x /\ is_atom_list q
  end

  let lemma is_atom_subst (phi:fo_formula 'ls 'b)
    (sigma:'b -> (fo_term 'ls 'c)) : unit
    requires { is_atom phi }
    ensures { is_atom (subst_fo_formula phi subst_id_symbol sigma) }
  =
    match phi with
      | PApp _ _ -> ()
      | Not (PApp _ _ ) -> ()
      | _ -> absurd
    end

  let rec lemma is_atom_list_subst (phil:fo_formula_list 'ls 'b)
    (sigma:'b -> (fo_term 'ls 'c)) : unit
    requires { is_atom_list phil }
    ensures { is_atom_list (subst_fo_formula_list phil subst_id_symbol sigma) }
    variant { size_fo_formula_list phil }
  =
    match phil with
      | FOFNil -> ()
      | FOFCons x q -> is_atom_list_subst q sigma
    end

  predicate is_procedure_tableau (t:tableau 'ls 'b) = match t with
    | Root -> true
    | Node tnext phi0 phib -> is_procedure_tableau tnext /\
      is_atom phi0 /\ is_atom_list phib
  end

  let rec lemma is_procedure_tableau_subst (t:tableau 'ls 'b)
    (sigma:'b -> (fo_term 'ls 'c)) : unit
    requires { is_procedure_tableau t }
    ensures { is_procedure_tableau (subst_tableau t subst_id_symbol sigma) }
    variant { size_tableau t }
  =
    match t with
      | Root -> ()
      | Node tnext phi0 phib -> is_procedure_tableau_subst tnext sigma
    end

  (*let rec lemma tableau_semantic_increasing (t:tableau 'ls 'b)
    (b1 b2:bool) (m:model 'ls 'st) (rho:'b -> 'st) : unit
    requires { implb b1 b2 = True }
    ensures { tableau_semantic_with t b1 m rho ->
      tableau_semantic_with t b2 m rho }
    variant { size_tableau t }
  =
    match t with
      | Root -> ()
      | Node tnext phi0 phib ->
        tableau_semantic_increasing tnext (tableau_node b1 phib phi0 m rho)
          (tableau_node b2 phib phi0 m rho) m rho
    end*)

end

module Impl

  use Firstorder_semantics.Sem
  use Firstorder_symbol_spec.Spec
  use Firstorder_symbol_impl.Types
  use Firstorder_symbol_impl.Logic
  use Firstorder_symbol_impl.Impl
  use Firstorder_term_spec.Spec
  use Firstorder_term_impl.Types
  use Firstorder_term_impl.Logic
  use Firstorder_term_impl.Impl
  use Firstorder_formula_spec.Spec
  use Firstorder_formula_impl.Types
  use Firstorder_formula_impl.Logic
  use Firstorder_formula_impl.Impl
  use Firstorder_formula_list_spec.Spec
  use Firstorder_formula_list_impl.Types
  use Firstorder_formula_list_impl.Logic
  use Firstorder_formula_list_impl.Impl
  use Firstorder_tableau_spec.Spec
  use Firstorder_tableau_impl.Types
  use Firstorder_tableau_impl.Logic
  use Firstorder_tableau_impl.Impl
  use FormulaTransformations.Types
  use FormulaTransformations.Logic
  use FormulaTransformations.Impl
  use Unification.Types
  use Unification.Logic
  use Unification.Impl
  use BacktrackArray.Logic
  use BacktrackArray.Impl
  use Functions.Func
  use option.Option
  use OptionFuncs.Funcs
  use bool.Bool
  use int.Int
  use Types
  use Logic
  use ref.Ref
  use list.List

  exception Failure

  let rec merge (phi1 phi2:nlimpl_fo_formula_list) (ghost st:'st) : nlimpl_fo_formula_list
    requires { nlimpl_fo_formula_list_ok phi1 }
    requires { forall x:int. is_fo_term_free_var_in_fo_formula_list x
      phi1.model_fo_formula_list_field -> x >= 0 }
    requires { nlimpl_fo_formula_list_ok phi2 }
    requires { forall x:int. is_fo_term_free_var_in_fo_formula_list x
      phi2.model_fo_formula_list_field -> x >= 0 }
    requires { is_atom_list phi1.model_fo_formula_list_field }
    requires { is_atom_list phi2.model_fo_formula_list_field }
    ensures { nlimpl_fo_formula_list_ok result }
    ensures { forall x:int. is_fo_term_free_var_in_fo_formula_list x
      result.model_fo_formula_list_field -> x >= 0 }
    ensures { forall m:model int 'st,rho:int -> 'st.
      formula_list_disj_semantic result.model_fo_formula_list_field m rho <->
        formula_list_disj_semantic phi1.model_fo_formula_list_field m rho \/
        formula_list_disj_semantic phi2.model_fo_formula_list_field m rho }
    ensures { is_atom_list result.model_fo_formula_list_field }
    variant { size_fo_formula_list phi1.model_fo_formula_list_field }
  =
    let phi1m = phi1.model_fo_formula_list_field in
    let phi2m = phi2.model_fo_formula_list_field in
    match destruct_fo_formula_list phi1 with
      | NLC_FOFNil -> phi2
      | NLC_FOFCons phi0 q ->
        let phi0m = phi0.model_fo_formula_field in
        let qm = q.model_fo_formula_list_field in
        assert { phi1m = FOFCons phi0m qm } ;
        let phi3 = construct_fo_formula_list (NLC_FOFCons phi0 phi2) in
        let phi3m = phi3.model_fo_formula_list_field in
        assert { phi3m = FOFCons phi0m phi2m } ;
        assert { forall x:int. is_fo_term_free_var_in_fo_formula x phi0m ->
          is_fo_term_free_var_in_fo_formula_list x phi1m && x >= 0 } ;
        assert { forall x:int. is_fo_term_free_var_in_fo_formula_list x phi3m ->
          (is_fo_term_free_var_in_fo_formula x phi0m \/
           is_fo_term_free_var_in_fo_formula_list x phi2m) && x >= 0 } ;
        assert { forall x:int. is_fo_term_free_var_in_fo_formula_list x qm ->
          is_fo_term_free_var_in_fo_formula_list x phi1m && x >= 0 } ;
        merge q phi3 st
    end

  (* extend the current tableau branch by the given formula list.
     equivalent to contraction of empty branches
     until a non-empty branch is found. *)
  let rec contract_tableau (tab:nlimpl_tableau)
    (branch:nlimpl_fo_formula_list) (ndepth:ref int) (ghost st:'st) : option nlimpl_tableau
    requires { nlimpl_tableau_ok tab }
    requires { forall x:int. is_fo_term_free_var_in_tableau x
      tab.model_tableau_field -> x >= 0 }
    requires { nlimpl_fo_formula_list_ok branch }
    requires { forall x:int. is_fo_term_free_var_in_fo_formula_list x
      branch.model_fo_formula_list_field -> x >= 0 }
    requires { is_procedure_tableau tab.model_tableau_field }
    requires { is_atom_list branch.model_fo_formula_list_field }
    returns { None -> forall m:model int 'st,rho:int -> 'st.
        let b = if formula_list_disj_semantic branch.model_fo_formula_list_field m rho
          then True
          else False in
        not(tableau_semantic_with tab.model_tableau_field b m rho)
      | Some x -> (forall m:model int 'st,rho:int -> 'st.
        let b = if formula_list_disj_semantic branch.model_fo_formula_list_field m rho
          then True
          else False in
        tableau_semantic_with tab.model_tableau_field b m rho ->
          tableau_semantic_with x.model_tableau_field True m rho) /\
        is_procedure_tableau x.model_tableau_field /\
        nlimpl_tableau_ok x /\
        (forall y:int. is_fo_term_free_var_in_tableau y x.model_tableau_field
          -> y >= 0) }
    variant { size_tableau tab.model_tableau_field }
  =
    let tabm = tab.model_tableau_field in
    let brm = branch.model_fo_formula_list_field in
    match destruct_fo_formula_list branch with
      | NLC_FOFNil -> assert { brm = FOFNil } ;
        assert { forall m:model int 'st,rho:int -> 'st.
              not(formula_list_disj_semantic brm m rho) } ;
        match destruct_tableau tab with
          | NLC_Root -> assert { tabm = Root } ; None
          | NLC_Node tnext phi0 phib ->
            let tnm = tnext.model_tableau_field in
            let phi0m = phi0.model_fo_formula_field in
            let phibm = phib.model_fo_formula_list_field in
            assert { tabm = Node tnm phi0m phibm } ;
            assert { forall x:int. is_fo_term_free_var_in_tableau x tnm ->
              is_fo_term_free_var_in_tableau x tabm && x >= 0 } ;
            assert { forall x:int. is_fo_term_free_var_in_fo_formula_list x phibm ->
              is_fo_term_free_var_in_tableau x tabm && x >= 0 } ;
            assert { forall m:model int 'st,rho:int -> 'st.
              tableau_semantic_with tab.model_tableau_field False m rho ->
              let b = if formula_list_disj_semantic phibm m rho
                then True
                else False in
              tableau_semantic_with tnm b m rho } ;
            ndepth := !ndepth + 1 ;
            contract_tableau tnext phib ndepth st
        end
      | NLC_FOFCons phi0 qb -> let phi0m = phi0.model_fo_formula_field in
        let qbm = qb.model_fo_formula_list_field in
        assert { brm = FOFCons phi0m qbm } ;
        let ftab = construct_tableau (NLC_Node tab phi0 qb) in
        let ftabm = ftab.model_tableau_field in
        assert { ftabm = Node tabm phi0m qbm } ;
        assert { forall x:int. is_fo_term_free_var_in_fo_formula x phi0m ->
          is_fo_term_free_var_in_fo_formula_list x brm && x >= 0 } ;
        assert { forall x:int. is_fo_term_free_var_in_fo_formula_list x qbm ->
          is_fo_term_free_var_in_fo_formula_list x brm && x >= 0 } ;
        assert { forall x:int. is_fo_term_free_var_in_tableau x ftabm ->
          (is_fo_term_free_var_in_tableau x tabm
            \/ is_fo_term_free_var_in_fo_formula x phi0m
            \/ is_fo_term_free_var_in_fo_formula_list x qbm) && x >= 0 } ;
        Some ftab
    end

  let rec branch_conflict_atom (p1:int) (t1:nlimpl_fo_term_list) (tab:nlimpl_tableau)
    (rhob:subst) (ghost rho:unifier_subst) : unit
    requires { nlimpl_fo_term_list_ok t1 }
    requires { forall x:int. is_fo_term_free_var_in_fo_term_list x
      t1.model_fo_term_list_field -> x >= 0 }
    requires { nlimpl_tableau_ok tab }
    requires { forall x:int. is_fo_term_free_var_in_tableau x
      tab.model_tableau_field -> x >= 0 }
    requires { unifier_subst_ok rhob rho }
    requires { is_procedure_tableau tab.model_tableau_field }
    ensures { precede (old rhob) rhob }
    ensures { unifier_subst_ok rhob rho }
    raises { Failure -> precede (old rhob) rhob /\ correct rhob }
    diverges (* variant { size_tableau tab.model_tableau_field } *)
  =
    let tabm = tab.model_tableau_field in
    match destruct_tableau tab with
      | NLC_Root -> ()
      | NLC_Node tnext phi1 phib ->
        let tnextm = tnext.model_tableau_field in
        let phi1m = phi1.model_fo_formula_field in
        let phibm = phib.model_fo_formula_list_field in
        assert { tabm = Node tnextm phi1m phibm } ;
        assert { is_atom phi1m } ;
        assert { forall x:int. is_fo_term_free_var_in_tableau x tnextm ->
          is_fo_term_free_var_in_tableau x tabm && x >= 0 } ;
        match destruct_fo_formula phi1 with
          | NLC_PApp p2 t2 -> let p2m = p2.model_symbol_field in
            let t2m = t2.model_fo_term_list_field in
            assert { forall x:int. is_fo_term_free_var_in_fo_term_list x t2m ->
              is_fo_term_free_var_in_fo_formula x phi1m &&
              is_fo_term_free_var_in_tableau x tabm && x >= 0 } ;
            let p3 = match destruct_symbol p2 with
              | NLCVar_symbol p3 -> p3 end in
            if p1 = p3
            then begin
              try conflict t1 t2 rhob rho with UnificationFailure ->
              raise Failure end ;
              branch_conflict_atom p1 t1 tnext rhob rho
            end
            else branch_conflict_atom p1 t1 tnext rhob rho
          | NLC_Not _ -> branch_conflict_atom p1 t1 tnext rhob rho
          | _ -> absurd
        end
    end

  let rec branch_conflict_neg_atom (p1:int) (t1:nlimpl_fo_term_list) (tab:nlimpl_tableau)
    (rhob:subst) (ghost rho:unifier_subst) : unit
    requires { nlimpl_fo_term_list_ok t1 }
    requires { forall x:int. is_fo_term_free_var_in_fo_term_list x
      t1.model_fo_term_list_field -> x >= 0 }
    requires { nlimpl_tableau_ok tab }
    requires { forall x:int. is_fo_term_free_var_in_tableau x
      tab.model_tableau_field -> x >= 0 }
    requires { unifier_subst_ok rhob rho }
    requires { is_procedure_tableau tab.model_tableau_field }
    ensures { precede (old rhob) rhob }
    ensures { unifier_subst_ok rhob rho }
    raises { Failure -> precede (old rhob) rhob /\ correct rhob }
    diverges (* variant { size_tableau tab.model_tableau_field } *)
  =
    let tabm = tab.model_tableau_field in
    match destruct_tableau tab with
      | NLC_Root -> ()
      | NLC_Node tnext phi1 phib ->
        let tnextm = tnext.model_tableau_field in
        let phi1m = phi1.model_fo_formula_field in
        let phibm = phib.model_fo_formula_list_field in
        assert { tabm = Node tnextm phi1m phibm } ;
        assert { is_atom phi1m } ;
        assert { forall x:int. is_fo_term_free_var_in_tableau x tnextm ->
          is_fo_term_free_var_in_tableau x tabm && x >= 0 } ;
        match destruct_fo_formula phi1 with
          | NLC_Not phi2 -> let phi2m = phi2.model_fo_formula_field in
            assert { phi1m = Not phi2m } ;
            match destruct_fo_formula phi2 with
              | NLC_PApp p2 t2 -> let p2m = p2.model_symbol_field in
                let t2m = t2.model_fo_term_list_field in
                assert { forall x:int. is_fo_term_free_var_in_fo_term_list x t2m ->
                  is_fo_term_free_var_in_fo_formula x phi1m &&
                  is_fo_term_free_var_in_tableau x tabm && x >= 0 } ;
                let p3 = match destruct_symbol p2 with
                  | NLCVar_symbol p3 -> p3 end in
                if p1 = p3
                then begin
                  try conflict t1 t2 rhob rho with UnificationFailure ->
                  raise Failure end ;
                  branch_conflict_atom p1 t1 tnext rhob rho
                end
                else branch_conflict_atom p1 t1 tnext rhob rho
              | _ -> absurd
            end
          | NLC_PApp _ _ -> branch_conflict_atom p1 t1 tnext rhob rho
          | _ -> absurd
        end
    end

  let rec clause_conflicts (phil:nlimpl_fo_formula_list) (tab:nlimpl_tableau)
    (rhob:subst) (ghost rho:unifier_subst) : unit
    requires { forall x:int. is_fo_term_free_var_in_fo_formula_list x
      phil.model_fo_formula_list_field -> x >= 0 }
    requires { is_atom_list phil.model_fo_formula_list_field }
    requires { nlimpl_fo_formula_list_ok phil }
    requires { forall x:int. is_fo_term_free_var_in_tableau x
      tab.model_tableau_field -> x >= 0 }
    requires { is_procedure_tableau tab.model_tableau_field }
    requires { nlimpl_tableau_ok tab }
    requires { unifier_subst_ok rhob rho }
    ensures { precede (old rhob) rhob }
    ensures { unifier_subst_ok rhob rho }
    raises { Failure -> precede (old rhob) rhob /\ correct rhob }
    diverges (* variant { size_fo_formula_list phil.model_fo_formula_list_field } *)
  =
    let philm = phil.model_fo_formula_list_field in
    match destruct_fo_formula_list phil with
      | NLC_FOFNil -> ()
      | NLC_FOFCons phi0 phiq -> let phi0m = phi0.model_fo_formula_field in
        let phiqm = phiq.model_fo_formula_list_field in
        assert { philm = FOFCons phi0m phiqm } ;
        assert { is_atom phi0m } ;
        assert { forall x:int. is_fo_term_free_var_in_fo_formula_list x phiqm ->
          is_fo_term_free_var_in_fo_formula_list x philm && x >= 0 } ;
        match destruct_fo_formula phi0 with
          | NLC_PApp p1 t1 -> let p1m = p1.model_symbol_field in
            let t1m = t1.model_fo_term_list_field in
            assert { phi0m = PApp p1m t1m } ;
            let p1' = match destruct_symbol p1 with
              | NLCVar_symbol p1' -> p1'
            end in
            assert { forall x:int. is_fo_term_free_var_in_fo_term_list x t1m ->
              is_fo_term_free_var_in_fo_formula x phi0m &&
              is_fo_term_free_var_in_fo_formula_list x philm && x >= 0 } ;
            branch_conflict_atom p1' t1 tab rhob rho ;
            clause_conflicts phiq tab rhob rho
          | NLC_Not phi1 -> let phi1m = phi1.model_fo_formula_field in
            assert { phi0m = Not phi1m } ;
            match destruct_fo_formula phi1 with
              | NLC_PApp p1 t1 -> let p1' = match destruct_symbol p1 with
                  | NLCVar_symbol p1' -> p1'
                end in
                let t1m = t1.model_fo_term_list_field in
                let p1m = p1.model_symbol_field in
                assert { phi1m = PApp p1m t1m } ;
                assert { forall x:int. is_fo_term_free_var_in_fo_term_list x t1m ->
                  is_fo_term_free_var_in_fo_formula x phi1m &&
                  is_fo_term_free_var_in_fo_formula x phi0m &&
                  is_fo_term_free_var_in_fo_formula_list x philm && x >= 0 } ;
                branch_conflict_neg_atom p1' t1 tab rhob rho ;
                clause_conflicts phiq tab rhob rho
              | _ -> absurd
            end
          | _ -> absurd
        end
    end

  (* base:set of initial (preprocessed) formula.
     tab:context still to be proved.
     Return: nothing, if successful, base is unsatisfiable.
     May fail without justification.
   *)

  let rec decompose (base:nlimpl_fo_formula_list)
      (tab:nlimpl_tableau)
      (unifb:subst)
      (ghost unif:unifier_subst)
      (fresh:int)
      (phi0:nlimpl_fo_formula)
      (clause:nlimpl_fo_formula_list)
      (remaining:nlimpl_fo_formula_list)
      (depth:int)
      (goalnum:int) (ghost st:'st) : prover_return
    requires { fresh >= 0 }
    requires { nlimpl_fo_formula_list_ok base }
    requires { forall x:int. is_fo_term_free_var_in_fo_formula_list x
      base.model_fo_formula_list_field -> x >= 0 }
    requires { nlimpl_tableau_ok tab }
    requires { forall x:int. is_fo_term_free_var_in_tableau x
      tab.model_tableau_field -> x >= 0 }
    requires { unifier_subst_ok unifb unif }
    requires { nlimpl_fo_formula_ok phi0 }
    requires { forall x:int. is_fo_term_free_var_in_fo_formula x
      phi0.model_fo_formula_field -> x >= 0 }
    requires { nlimpl_fo_formula_list_ok clause }
    requires { forall x:int. is_fo_term_free_var_in_fo_formula_list x
      clause.model_fo_formula_list_field -> x >= 0 }
    requires { nlimpl_fo_formula_list_ok remaining }
    requires { forall x:int. is_fo_term_free_var_in_fo_formula_list x
      remaining.model_fo_formula_list_field -> x >= 0 }

    requires { is_procedure_tableau tab.model_tableau_field }

    requires { is_simpl_list base.model_fo_formula_list_field }
    requires { is_nnf_list base.model_fo_formula_list_field }
    requires { no_existential_list base.model_fo_formula_list_field }

    requires { is_simpl phi0.model_fo_formula_field }
    requires { no_existential phi0.model_fo_formula_field }
    requires { is_nnf phi0.model_fo_formula_field }

    requires { is_atom_list clause.model_fo_formula_list_field }

    requires { is_simpl_list remaining.model_fo_formula_list_field }
    requires { is_nnf_list remaining.model_fo_formula_list_field }
    requires { no_existential_list remaining.model_fo_formula_list_field }

    requires { forall m:model int 'st,rho:int -> 'st.
      let rhos = semantic_subst unif.unifier m rho in
      formula_list_conj_semantic base.model_fo_formula_list_field m rhos ->
        tableau_semantic_with tab.model_tableau_field True m rhos }
    requires { forall m:model int 'st,rho:int -> 'st.
      let rhos = semantic_subst unif.unifier m rho in
      formula_list_conj_semantic base.model_fo_formula_list_field m rhos ->
        formula_semantic phi0.model_fo_formula_field m rhos \/
        formula_list_disj_semantic clause.model_fo_formula_list_field m rhos \/
        formula_list_disj_semantic remaining.model_fo_formula_list_field m rhos }
    diverges
    ensures { forall m:model int 'st,rho:int -> 'st.
      let rhos = semantic_subst result.contradictory_assignment m rho in
      not(formula_list_conj_semantic base.model_fo_formula_list_field m rhos) }
    ensures { precede (old unifb) unifb /\ correct unifb }
    raises { Failure -> precede (old unifb) unifb /\ correct unifb }
  =
    let phi0m = phi0.model_fo_formula_field in
    let rmgm = remaining.model_fo_formula_list_field in
    let basem = base.model_fo_formula_list_field in
    let clausem = clause.model_fo_formula_list_field in
    let tabm = tab.model_tableau_field in
    match destruct_fo_formula phi0 with
      | NLC_Or a b ->
        let am = a.model_fo_formula_field in
        let bm = b.model_fo_formula_field in
        assert { phi0m = Or am bm } ;
        assert { forall x:int. is_fo_term_free_var_in_fo_formula x am ->
          is_fo_term_free_var_in_fo_formula x phi0m && x >= 0 } ;
        assert { forall x:int. is_fo_term_free_var_in_fo_formula x bm ->
          is_fo_term_free_var_in_fo_formula x phi0m && x >= 0 } ;
        let rmg = construct_fo_formula_list (NLC_FOFCons b remaining) in
        let rmg'_m = rmg.model_fo_formula_list_field in
        assert { rmg'_m = FOFCons bm rmgm } ;
        decompose base tab unifb unif fresh a clause rmg depth goalnum st
      | NLC_And a b -> let am = a.model_fo_formula_field in
        let bm = b.model_fo_formula_field in
        assert { phi0m = And am bm } ;
        assert { forall x:int. is_fo_term_free_var_in_fo_formula x am ->
          is_fo_term_free_var_in_fo_formula x phi0m && x >= 0 } ;
        assert { forall x:int. is_fo_term_free_var_in_fo_formula x bm ->
          is_fo_term_free_var_in_fo_formula x phi0m && x >= 0 } ;
        label B in
        let tp = stamp unifb in
        try decompose base tab unifb unif fresh a clause remaining depth goalnum st
        with Failure -> label F in backtrack tp unifb ;
          assert { backtrack_to (unifb at B) (unifb at F) unifb } ;
          decompose base tab unifb unif fresh b clause remaining depth goalnum st end
      | NLC_Exists _ _ -> absurd
      | NLC_FTrue -> absurd
      | NLC_FFalse -> absurd
      | NLC_Forall x phi1 ->
        let phi1m = phi1.model_fo_formula_field in
        let vfresh = construct_fo_term (NLCVar_fo_term fresh) in
        let phi2 = nlsubst_fo_term_in_fo_formula phi1 x vfresh in
        let phi2m = phi2.model_fo_formula_field in
        let ghost r0 = some[x <- None] in
        let ghost r1 = ocase identity x in
        let ghost r2 = ocase identity fresh in
        let ghost r3 = identity[x <- fresh] in
        let ghost sid = (subst_id_fo_term:int -> (fo_term int int)) in
        let ghost s3 = sid[x <- Var_fo_term fresh] in
        let ghost s3' = rcompose r3 sid in
        let ghost s2 = rcompose r2 sid in
        assert { extensionalEqual s3' s3 } ;
        let ghost phi3m = rename_fo_formula phi1m identity r0 in
        assert { phi0m = Forall phi3m &&
          phi1m = rename_fo_formula phi3m identity r1 } ;
        assert { phi2m = subst_fo_formula phi1m (rcompose identity subst_id_symbol) s3'
          = rename_fo_formula phi1m identity r3 } ;
        assert { extensionalEqual r3 (rcompose r0 r2) } ;
        assert { phi2m = rename_fo_formula phi3m identity r2 =
          subst_fo_formula phi3m subst_id_symbol s2 } ;
        assert { forall m:model int 'st, rho:int -> 'st.
          let rhos = semantic_subst unif.unifier m rho in
          let s0 = semantic_subst s2 m rhos in
          let s1 = ocase rhos (term_semantic (Var_fo_term fresh) m rhos) in
          s0 None = s1 None &&
          (forall x:int. s2 (Some x) = Var_fo_term x &&
            s0 (Some x) = term_semantic (Var_fo_term x) m rhos = s1 (Some x)) &&
          extensionalEqual s0 s1 &&
          (formula_semantic phi0m m rhos ->
            formula_semantic phi2m m rhos)
        } ;
        assert { forall x:int.
          (forall y:option int. is_fo_term_free_var_in_fo_formula y phi3m /\
            r2 y = x -> match y with None -> x = fresh && x >= 0
              | Some y -> x = y &&
                is_fo_term_free_var_in_fo_formula (Some x) phi3m &&
                is_fo_term_free_var_in_fo_formula x phi0m && x >= 0 end &&
              x >= 0) &&
          (is_fo_term_free_var_in_fo_formula x phi2m ->
          (exists y:option int. is_fo_term_free_var_in_fo_formula y phi3m /\
            r2 y = x) && x >= 0) &&
          (is_fo_term_free_var_in_fo_formula x phi2m -> x >= 0)
        } ;
        decompose base tab unifb unif (fresh + 1) phi2 clause remaining depth goalnum st
      | NLC_PApp p l ->  assert { is_atom phi0m } ;
        decompose_literal base tab unifb unif fresh phi0 clause remaining depth goalnum st
      | NLC_Not phi1 -> assert { is_atom phi0m } ;
        decompose_literal base tab unifb unif fresh phi0 clause remaining depth goalnum st
    end

  with decompose_literal (base:nlimpl_fo_formula_list)
      (tab:nlimpl_tableau)
      (unifb:subst)
      (ghost unif:unifier_subst)
      (fresh:int)
      (phi0:nlimpl_fo_formula)
      (clause:nlimpl_fo_formula_list)
      (remaining:nlimpl_fo_formula_list)
      (depth:int)
      (goalnum:int) (ghost st:'st) : prover_return
    requires { fresh >= 0 }
    requires { nlimpl_fo_formula_list_ok base }
    requires { forall x:int. is_fo_term_free_var_in_fo_formula_list x
      base.model_fo_formula_list_field -> x >= 0 }
    requires { nlimpl_tableau_ok tab }
    requires { forall x:int. is_fo_term_free_var_in_tableau x
      tab.model_tableau_field -> x >= 0 }
    requires { unifier_subst_ok unifb unif }
    requires { nlimpl_fo_formula_ok phi0 }
    requires { forall x:int. is_fo_term_free_var_in_fo_formula x
      phi0.model_fo_formula_field -> x >= 0 }
    requires { nlimpl_fo_formula_list_ok clause }
    requires { forall x:int. is_fo_term_free_var_in_fo_formula_list x
      clause.model_fo_formula_list_field -> x >= 0 }
    requires { nlimpl_fo_formula_list_ok remaining }
    requires { forall x:int. is_fo_term_free_var_in_fo_formula_list x
      remaining.model_fo_formula_list_field -> x >= 0 }

    requires { is_procedure_tableau tab.model_tableau_field }

    requires { is_simpl_list base.model_fo_formula_list_field }
    requires { is_nnf_list base.model_fo_formula_list_field }
    requires { no_existential_list base.model_fo_formula_list_field }

    requires { is_atom phi0.model_fo_formula_field }

    requires { is_atom_list clause.model_fo_formula_list_field }

    requires { is_simpl_list remaining.model_fo_formula_list_field }
    requires { is_nnf_list remaining.model_fo_formula_list_field }
    requires { no_existential_list remaining.model_fo_formula_list_field }

    requires { forall m:model int 'st,rho:int -> 'st.
      let rhos = semantic_subst unif.unifier m rho in
      formula_list_conj_semantic base.model_fo_formula_list_field m rhos ->
        tableau_semantic_with tab.model_tableau_field True m rhos }
    requires { forall m:model int 'st,rho:int -> 'st.
      let rhos = semantic_subst unif.unifier m rho in
      formula_list_conj_semantic base.model_fo_formula_list_field m rhos ->
        formula_semantic phi0.model_fo_formula_field m rhos \/
        formula_list_disj_semantic clause.model_fo_formula_list_field m rhos \/
        formula_list_disj_semantic remaining.model_fo_formula_list_field m rhos }

    diverges
    ensures { forall m:model int 'st,rho:int -> 'st.
      let rhos = semantic_subst result.contradictory_assignment m rho in
      not(formula_list_conj_semantic base.model_fo_formula_list_field m rhos) }
    ensures { precede (old unifb) unifb /\ correct unifb }
    raises { Failure -> precede (old unifb) unifb /\ correct unifb }
  =
    let phi0m = phi0.model_fo_formula_field in
    let rmgm = remaining.model_fo_formula_list_field in
    let basem = base.model_fo_formula_list_field in
    let clausem = clause.model_fo_formula_list_field in
    let tabm = tab.model_tableau_field in
    match destruct_fo_formula_list remaining with
      | NLC_FOFNil -> assert { rmgm = FOFNil } ;
        match destruct_tableau tab with
          | NLC_Root -> (* Topmost decomposition,
                do not look for contradiction here. *)
            let tab' = construct_tableau (NLC_Node tab phi0 clause) in
            let tab'_m = tab'.model_tableau_field in
            assert { tab'_m = Node tabm phi0m clausem } ;
            if depth = 0 then raise Failure else
            select_lemma base base tab' unifb unif fresh (depth-1) goalnum (-1) st
          | NLC_Node tnext phi1 phib ->
            let clse = construct_fo_formula_list (NLC_FOFCons phi0 clause) in
            let clsem = clse.model_fo_formula_list_field in
            let phi1m = phi1.model_fo_formula_field in
            let tnextm = tnext.model_tableau_field in
            let phibm = phib.model_fo_formula_list_field in
            assert { clsem = FOFCons phi0m clausem } ;
            assert { is_atom_list clsem } ;
            assert { tabm = Node tnextm phi1m phibm } ;
            assert { forall x:int. is_fo_term_free_var_in_fo_formula_list x phibm ->
              is_fo_term_free_var_in_tableau x tabm && x >= 0 } ;
            assert { forall x:int. is_fo_term_free_var_in_fo_formula x phi1m ->
              is_fo_term_free_var_in_tableau x tabm && x >= 0 } ;
            assert { forall x:int. is_fo_term_free_var_in_tableau x tnextm ->
              is_fo_term_free_var_in_tableau x tabm && x >= 0 } ;
            let fonil = construct_fo_formula_list NLC_FOFNil in
            assert { fonil.model_fo_formula_list_field = FOFNil } ;
            assert { is_atom phi1m } ;
            match destruct_fo_formula phi1 with
              | NLC_PApp ptab ttab ->
                let ptabm = ptab.model_symbol_field in
                let ttabm = ttab.model_fo_term_list_field in
                assert { phi1m = PApp ptabm ttabm } ;
                assert { forall x:int. is_fo_term_free_var_in_fo_term_list x ttabm ->
                  is_fo_term_free_var_in_fo_formula x phi1m && x >= 0 } ;
                let ptab2 = match destruct_symbol ptab with
                  | NLCVar_symbol ptab2 -> assert { ptabm = Var_symbol ptab2 } ;
                    ptab2
                end in
                contradiction_atom base tab unifb unif fresh ptab2 ttab phibm tnextm clsem clse fonil depth goalnum st
              | NLC_Not phi2 -> let phi2m = phi2.model_fo_formula_field in
                assert { phi1m = Not phi2m } ;
                assert { forall x:int. is_fo_term_free_var_in_fo_formula x phi2m
                  -> is_fo_term_free_var_in_fo_formula x phi1m && x >= 0 } ;
                match destruct_fo_formula phi2 with
                  | NLC_PApp ptab ttab ->
                    let ptabm = ptab.model_symbol_field in
                    let ttabm = ttab.model_fo_term_list_field in
                    assert { phi2m = PApp ptabm ttabm } ;
                    assert { forall x:int. is_fo_term_free_var_in_fo_term_list x ttabm ->
                      is_fo_term_free_var_in_fo_formula x phi2m && x >= 0 } ;
                    let ptab2 = match destruct_symbol ptab with
                      | NLCVar_symbol ptab2 -> assert { ptabm = Var_symbol ptab2 } ;
                        ptab2
                    end in
                    contradiction_neg_atom base tab unifb unif fresh ptab2 ttab phibm tnextm clsem clse fonil depth goalnum st
                  | _ -> absurd
                end
              | _ -> absurd
            end
        end
      | NLC_FOFCons phi1 qr ->
        let phi1m = phi1.model_fo_formula_field in
        let qrm = qr.model_fo_formula_list_field in
        assert { rmgm = FOFCons phi1m qrm } ;
        assert { forall x:int. is_fo_term_free_var_in_fo_formula x phi1m ->
          is_fo_term_free_var_in_fo_formula_list x rmgm && x >= 0 } ;
        assert { forall x:int. is_fo_term_free_var_in_fo_formula_list x qrm ->
          is_fo_term_free_var_in_fo_formula_list x rmgm && x >= 0 } ;
        let clse = construct_fo_formula_list (NLC_FOFCons phi0 clause) in
        let clsem = clse.model_fo_formula_list_field in
        assert { clsem = FOFCons phi0m clausem } ;
        decompose base tab unifb unif fresh phi1 clse qr depth goalnum st
    end

  (* find a contradiction with the current leaf of the tableau,
     if it is a non-negated literal. *)
  with contradiction_atom (base:nlimpl_fo_formula_list)
      (tab:nlimpl_tableau)
      (unifb:subst)
      (ghost unif:unifier_subst)
      (fresh:int)
      (p:int)
      (t:nlimpl_fo_term_list)
      (ghost phit:fo_formula_list int int)
      (ghost tnext:tableau int int)
      (ghost clsem:fo_formula_list int int)
      (phil:nlimpl_fo_formula_list)
      (phiacc:nlimpl_fo_formula_list)
      (depth:int)
      (goalnum:int) (ghost st:'st) : prover_return
    requires { fresh >= 0 }
    requires { nlimpl_fo_formula_list_ok base }
    requires { forall x:int. is_fo_term_free_var_in_fo_formula_list x
      base.model_fo_formula_list_field -> x >= 0 }
    requires { nlimpl_tableau_ok tab }
    requires { forall x:int. is_fo_term_free_var_in_tableau x
      tab.model_tableau_field -> x >= 0 }
    requires { nlimpl_fo_formula_list_ok phil }
    requires { forall x:int. is_fo_term_free_var_in_fo_formula_list x
      phil.model_fo_formula_list_field -> x >= 0 }
    requires { nlimpl_fo_formula_list_ok phiacc }
    requires { forall x:int. is_fo_term_free_var_in_fo_formula_list x
      phiacc.model_fo_formula_list_field -> x >= 0 }
    requires { unifier_subst_ok unifb unif }
    requires { nlimpl_fo_term_list_ok t }
    requires { forall x:int. is_fo_term_free_var_in_fo_term_list x
      t.model_fo_term_list_field -> x >= 0 }

    requires { tab.model_tableau_field =
      Node tnext (PApp (Var_symbol p) t.model_fo_term_list_field) phit }

    requires { is_procedure_tableau tab.model_tableau_field }

    requires { is_simpl_list base.model_fo_formula_list_field }
    requires { is_nnf_list base.model_fo_formula_list_field }
    requires { no_existential_list base.model_fo_formula_list_field }

    requires { is_atom_list phil.model_fo_formula_list_field }
    requires { is_atom_list phiacc.model_fo_formula_list_field }


    requires { forall m:model int 'st,rho:int -> 'st.
      let rhos = semantic_subst unif.unifier m rho in
      formula_list_conj_semantic base.model_fo_formula_list_field m rhos ->
        tableau_semantic_with tab.model_tableau_field True m rhos }
    requires { forall m:model int 'st,rho:int -> 'st.
      let rhos = semantic_subst unif.unifier m rho in
      formula_list_conj_semantic base.model_fo_formula_list_field m rhos ->
        formula_list_disj_semantic clsem m rhos }

    requires { forall m:model int 'st, rho:int -> 'st.
      let rhos = semantic_subst unif.unifier m rho in
      formula_list_disj_semantic clsem m rhos <->
        formula_list_disj_semantic phil.model_fo_formula_list_field m rhos \/
        formula_list_disj_semantic phiacc.model_fo_formula_list_field m rhos }
    diverges
    ensures { forall m:model int 'st,rho:int -> 'st.
      let rhos = semantic_subst result.contradictory_assignment m rho in
      not(formula_list_conj_semantic base.model_fo_formula_list_field m rhos) }
    ensures { precede (old unifb) unifb /\ correct unifb }
    raises { Failure -> precede (old unifb) unifb /\ correct unifb }
  =
    let basem = base.model_fo_formula_list_field in
    let tabm = tab.model_tableau_field in
    let tm = t.model_fo_term_list_field in
    let philm = phil.model_fo_formula_list_field in
    let phiaccm = phiacc.model_fo_formula_list_field in
    let phibasem = PApp (Var_symbol p) tm in
    match destruct_fo_formula_list phil with
      | NLC_FOFNil -> raise Failure (* no contradiction found. *)
      | NLC_FOFCons phi0 q -> (* Maybe phi0 is a contradiction. *)
        let phi0m = phi0.model_fo_formula_field in
        let qm = q.model_fo_formula_list_field in
        assert { philm = FOFCons phi0m qm } ;
        assert { forall x:int. is_fo_term_free_var_in_fo_formula x phi0m ->
          is_fo_term_free_var_in_fo_formula_list x philm && x >= 0 } ;
        assert { forall x:int. is_fo_term_free_var_in_fo_formula_list x qm ->
          is_fo_term_free_var_in_fo_formula_list x philm && x >= 0 } ;
        assert { is_atom phi0m } ;
        (* prepare backtracking data. *)
        let phiacc2 = construct_fo_formula_list (NLC_FOFCons phi0 phiacc) in
        let phiacc2m = phiacc2.model_fo_formula_list_field in
        assert { phiacc2m = FOFCons phi0m phiaccm } ;
        assert { forall x:int. is_fo_term_free_var_in_fo_formula_list x phiacc2m ->
          (is_fo_term_free_var_in_fo_formula x phi0m \/
          is_fo_term_free_var_in_fo_formula_list x phiaccm) && x >= 0 } ;
        match destruct_fo_formula phi0 with
          | NLC_Not phi1 -> let phi1m = phi1.model_fo_formula_field in
            assert { phi0m = Not phi1m } ;
            assert { forall x:int. is_fo_term_free_var_in_fo_formula x phi1m ->
              is_fo_term_free_var_in_fo_formula x phi0m && x >= 0 } ;
            match destruct_fo_formula phi1 with
              | NLC_PApp p2 t2 -> match destruct_symbol p2 with
                  | NLCVar_symbol p3 -> let t2m = t2.model_fo_term_list_field in
                    assert { phi1m = PApp (Var_symbol p3) t2m } ;
                    assert { forall x:int. is_fo_term_free_var_in_fo_term_list x t2m ->
                      is_fo_term_free_var_in_fo_formula x phi1m && x >= 0 } ;
                    if p = p3
                    then (* let-try. *)
                      label B in let tp = stamp unifb in
                      let l0 = ref Nil in
                      match try let u = unify_term_list t t2 l0 unifb unif in Some u
                      with UnificationFailure -> None end with
                        (* Contradiction found. *)
                        | Some u -> let unif2 = u.final_unifier in
                          (* should walk back in the tableau
                            until a non-empty branch is found. *)
                          let phifinal = merge phiacc q st in
                          let b = try clause_conflicts phifinal tab unifb unif2;
                            False with Failure -> True end in
                          match b with
                            | True -> label T in backtrack tp unifb ;
                            assert { backtrack_to (unifb at B) (unifb at T) unifb } ;
                          contradiction_atom base tab unifb unif fresh p t phit tnext clsem q phiacc2 depth goalnum st
                            | False -> assert { precede (unifb at B) unifb } ;
                            let phifm = phifinal.model_fo_formula_list_field in
                          assert { forall m:model int 'st,rho:int -> 'st.
                            let rhos = semantic_subst unif2.unifier m rho in
                            let rhos0 = semantic_subst u.unifier_factor m rho in
                            (forall x:int.
                              eval unif2.unifier x = subst_fo_term (eval unif.unifier x)
                                (rcompose identity subst_id_symbol) u.unifier_factor &&
                              rhos x = term_semantic (eval unif2.unifier x) m rho
                                = term_semantic (eval unif.unifier x) (model_rename identity m) rhos0
                                = semantic_subst unif.unifier m rhos0 x) &&
                            extensionalEqual rhos
                              (semantic_subst unif.unifier m rhos0) &&
                            subst_fo_formula phi1m subst_id_symbol unif2.unifier =
                            subst_fo_formula phibasem subst_id_symbol unif2.unifier &&
                            (formula_semantic phi1m m rhos <->
                              formula_semantic phibasem m rhos) &&
                            not(formula_semantic phi0m m rhos /\
                              formula_semantic phibasem m rhos) &&
                            (formula_list_conj_semantic basem m rhos ->
                              tableau_semantic_with tabm True m rhos &&
                              (formula_list_disj_semantic clsem m rhos) &&
                              (formula_list_disj_semantic phifm m rhos \/
                               formula_semantic phi0m m rhos) &&
                              let b = if formula_list_disj_semantic phifm m rhos
                                then True
                                else False in
                              tableau_semantic_with tabm b m rhos) } ;
                          let nd = ref depth in
                          let ct = contract_tableau tab phifinal nd st in
                          let depth = !nd in
                          match ct with
                            | None -> assert { forall m:model int 'st,rho:int -> 'st.
                              let rhos = semantic_subst unif2.unifier m rho in
                              let b = if formula_list_disj_semantic phifm m rhos
                                then True
                                else False in
                              not(tableau_semantic_with tabm b m rhos) &&
                              not(formula_list_conj_semantic basem m rhos) } ;
                              { contradictory_assignment = unif2.unifier }
                            (* continue proof search. If fail,
                             backtrack to find another contradiction. *)
                            | Some tab2 ->
                              let tab2m = tab2.model_tableau_field in
                              assert { forall m:model int 'st,rho:int -> 'st.
                                let rhos = semantic_subst unif2.unifier m rho in
                                formula_list_conj_semantic basem m rhos ->
                                  let b = if formula_list_disj_semantic phifm m rhos
                                    then True
                                    else False in
                                  tableau_semantic_with tabm b m rhos &&
                                  tableau_semantic_with tab2m True m rhos
                                 } ;
                              match !l0 with
                                | Nil -> extend_branch base tab2 unifb unif2 fresh depth goalnum st
                                | _ -> try extend_branch base tab2 unifb unif2 fresh depth goalnum st
                                with Failure ->
                                  label F in backtrack tp unifb ;
                                  assert { backtrack_to (unifb at B) (unifb at F) unifb } ;
                                  try conflict t t2 unifb unif
                                  with UnificationFailure -> raise Failure end ;
                                  contradiction_atom base tab unifb unif fresh p t phit tnext clsem q phiacc2 depth goalnum st
                                end
                              end
                          end end
                        | None -> label N in backtrack tp unifb ;
                          assert { backtrack_to (unifb at B) (unifb at N) unifb } ;
                          contradiction_atom base tab unifb unif fresh p t phit tnext clsem q phiacc2 depth goalnum st
                      end
                    else (* do not conflict. *)
                      contradiction_atom base tab unifb unif fresh p t phit tnext clsem q phiacc2 depth goalnum st
                end
              | _ -> absurd (* phi0 is literal. *)
            end
          | NLC_PApp _ _ -> (* do not conflict. *)
            contradiction_atom base tab unifb unif fresh p t phit tnext clsem q phiacc2 depth goalnum st
          | _ -> absurd (* phi0 is literal. *)
        end
    end

  (* find a contradiction with the current leaf of the tableau,
     if it is a negated literal. *)
  with contradiction_neg_atom (base:nlimpl_fo_formula_list)
      (tab:nlimpl_tableau)
      (unifb:subst)
      (ghost unif:unifier_subst)
      (fresh:int)
      (p:int)
      (t:nlimpl_fo_term_list)
      (ghost phit:fo_formula_list int int)
      (ghost tnext:tableau int int)
      (ghost clsem:fo_formula_list int int)
      (phil:nlimpl_fo_formula_list)
      (phiacc:nlimpl_fo_formula_list)
      (depth:int)
      (goalnum:int) (ghost st:'st) : prover_return
    requires { fresh >= 0 }
    requires { nlimpl_fo_formula_list_ok base }
    requires { forall x:int. is_fo_term_free_var_in_fo_formula_list x
      base.model_fo_formula_list_field -> x >= 0 }
    requires { nlimpl_tableau_ok tab }
    requires { forall x:int. is_fo_term_free_var_in_tableau x
      tab.model_tableau_field -> x >= 0 }
    requires { nlimpl_fo_formula_list_ok phil }
    requires { forall x:int. is_fo_term_free_var_in_fo_formula_list x
      phil.model_fo_formula_list_field -> x >= 0 }
    requires { nlimpl_fo_formula_list_ok phiacc }
    requires { forall x:int. is_fo_term_free_var_in_fo_formula_list x
      phiacc.model_fo_formula_list_field -> x >= 0 }
    requires { unifier_subst_ok unifb unif }
    requires { nlimpl_fo_term_list_ok t }
    requires { forall x:int. is_fo_term_free_var_in_fo_term_list x
      t.model_fo_term_list_field -> x >= 0 }

    requires { tab.model_tableau_field =
      Node tnext (Not (PApp (Var_symbol p) t.model_fo_term_list_field)) phit }

    requires { is_procedure_tableau tab.model_tableau_field }

    requires { is_simpl_list base.model_fo_formula_list_field }
    requires { is_nnf_list base.model_fo_formula_list_field }
    requires { no_existential_list base.model_fo_formula_list_field }

    requires { is_atom_list phil.model_fo_formula_list_field }
    requires { is_atom_list phiacc.model_fo_formula_list_field }


    requires { forall m:model int 'st,rho:int -> 'st.
      let rhos = semantic_subst unif.unifier m rho in
      formula_list_conj_semantic base.model_fo_formula_list_field m rhos ->
        tableau_semantic_with tab.model_tableau_field True m rhos }
    requires { forall m:model int 'st,rho:int -> 'st.
      let rhos = semantic_subst unif.unifier m rho in
      formula_list_conj_semantic base.model_fo_formula_list_field m rhos ->
        formula_list_disj_semantic clsem m rhos }

    requires { forall m:model int 'st, rho:int -> 'st.
      let rhos = semantic_subst unif.unifier m rho in
      formula_list_disj_semantic clsem m rhos <->
        formula_list_disj_semantic phil.model_fo_formula_list_field m rhos \/
        formula_list_disj_semantic phiacc.model_fo_formula_list_field m rhos }
    ensures { forall m:model int 'st,rho:int -> 'st.
      let rhos = semantic_subst result.contradictory_assignment m rho in
      not(formula_list_conj_semantic base.model_fo_formula_list_field m rhos) }
    ensures { precede (old unifb) unifb /\ correct unifb }
    diverges
    raises { Failure -> precede (old unifb) unifb /\ correct unifb }
  =
    let basem = base.model_fo_formula_list_field in
    let tabm = tab.model_tableau_field in
    let tm = t.model_fo_term_list_field in
    let philm = phil.model_fo_formula_list_field in
    let phiaccm = phiacc.model_fo_formula_list_field in
    let phi1m = PApp (Var_symbol p) tm in
    let phibasem = Not phi1m in
    match destruct_fo_formula_list phil with
      | NLC_FOFNil -> raise Failure (* no contradiction found. *)
      | NLC_FOFCons phi0 q -> (* Maybe phi0 is a contradiction. *)
        let phi0m = phi0.model_fo_formula_field in
        let qm = q.model_fo_formula_list_field in
        assert { philm = FOFCons phi0m qm } ;
        assert { forall x:int. is_fo_term_free_var_in_fo_formula x phi0m ->
          is_fo_term_free_var_in_fo_formula_list x philm && x >= 0 } ;
        assert { forall x:int. is_fo_term_free_var_in_fo_formula_list x qm ->
          is_fo_term_free_var_in_fo_formula_list x philm && x >= 0 } ;
        assert { is_atom phi0m } ;
        (* prepare backtracking data. *)
        let phiacc2 = construct_fo_formula_list (NLC_FOFCons phi0 phiacc) in
        let phiacc2m = phiacc2.model_fo_formula_list_field in
        assert { phiacc2m = FOFCons phi0m phiaccm } ;
        assert { forall x:int. is_fo_term_free_var_in_fo_formula_list x phiacc2m ->
          (is_fo_term_free_var_in_fo_formula x phi0m \/
          is_fo_term_free_var_in_fo_formula_list x phiaccm) && x >= 0 } ;
        match destruct_fo_formula phi0 with
          | NLC_PApp p2 t2 -> match destruct_symbol p2 with
              | NLCVar_symbol p3 -> let t2m = t2.model_fo_term_list_field in
                assert { phi0m = PApp (Var_symbol p3) t2m } ;
                assert { forall x:int. is_fo_term_free_var_in_fo_term_list x t2m ->
                  is_fo_term_free_var_in_fo_formula x phi0m && x >= 0 } ;
                if p = p3
                then (* let-try. *)
                  label B in let tp = stamp unifb in
                  let l0 = ref Nil in
                  match try let u = unify_term_list t t2 l0 unifb unif in Some u
                  with UnificationFailure -> None end with
                    (* Contradiction found. *)
                    | Some u -> let unif2 = u.final_unifier in
                      (* should walk back in the tableau
                        until a non-empty branch is found. *)
                      let phifinal = merge phiacc q st in
                      let b = try clause_conflicts phifinal tab unifb unif2 ;
                        False with Failure -> True end in
                      match b with
                      | True -> label T in backtrack tp unifb ;
                        assert { backtrack_to (unifb at B) (unifb at T) unifb } ;
                        contradiction_neg_atom base tab unifb unif fresh p t phit tnext clsem q phiacc2 depth goalnum st
                      | False -> assert { precede (unifb at B) unifb } ;
                      let phifm = phifinal.model_fo_formula_list_field in
                      assert { forall m:model int 'st,rho:int -> 'st.
                        let rhos = semantic_subst unif2.unifier m rho in
                        let rhos0 = semantic_subst u.unifier_factor m rho in
                        (forall x:int.
                          eval unif2.unifier x = subst_fo_term (eval unif.unifier x)
                            (rcompose identity subst_id_symbol) u.unifier_factor &&
                          rhos x = term_semantic (eval unif2.unifier x) m rho
                            = term_semantic (eval unif.unifier x) (model_rename identity m) rhos0
                            = semantic_subst unif.unifier m rhos0 x) &&
                        extensionalEqual rhos
                         (semantic_subst unif.unifier m rhos0) &&
                        subst_fo_formula phi1m subst_id_symbol unif2.unifier =
                        (*PApp (subst_symbol (Var_symbol p) subst_id_symbol)
                          (subst_fo_term_list tm subst_id_symbol unif2.unifier) =
                        PApp (subst_symbol (Var_symbol p) subst_id_symbol)
                          (subst_fo_term_list t2m subst_id_symbol unif2.unifier) =*)
                        subst_fo_formula phi0m subst_id_symbol unif2.unifier &&
                        (formula_semantic phi0m m rhos <->
                          formula_semantic phi1m m rhos) &&
                        not(formula_semantic phi0m m rhos /\
                          formula_semantic phibasem m rhos) &&
                        (formula_list_conj_semantic basem m rhos ->
                          tableau_semantic_with tabm True m rhos &&
                          (formula_list_disj_semantic clsem m rhos) &&
                          (formula_list_disj_semantic phifm m rhos \/
                           formula_semantic phi0m m rhos) &&
                          let b = if formula_list_disj_semantic phifm m rhos
                            then True
                            else False in
                          tableau_semantic_with tabm b m rhos) } ;
                        let nd = ref depth in
                        let ct = contract_tableau tab phifinal nd st in
                        let depth = !nd in
                      match ct with
                        | None -> assert { forall m:model int 'st,rho:int -> 'st.
                          let rhos = semantic_subst unif2.unifier m rho in
                          let b = if formula_list_disj_semantic phifm m rhos
                            then True
                            else False in
                          not(tableau_semantic_with tabm b m rhos) &&
                          not(formula_list_conj_semantic basem m rhos) } ;
                          { contradictory_assignment = unif2.unifier }
                        (* continue proof search. If fail,
                           backtrack to find another contradiction. *)
                        | Some tab2 ->
                          let tab2m = tab2.model_tableau_field in
                          assert { forall m:model int 'st,rho:int -> 'st.
                            let rhos = semantic_subst unif2.unifier m rho in
                            formula_list_conj_semantic basem m rhos ->
                              let b = if formula_list_disj_semantic phifm m rhos
                                then True
                                else False in
                              tableau_semantic_with tabm b m rhos &&
                              tableau_semantic_with tab2m True m rhos
                            } ;
                          match !l0 with
                            | Nil -> extend_branch base tab2 unifb unif2 fresh depth goalnum st
                            | _ -> try extend_branch base tab2 unifb unif2 fresh depth goalnum st
                              with Failure ->
                                label F in backtrack tp unifb ;
                                assert { backtrack_to (unifb at B) (unifb at F) unifb } ;
                                try conflict t t2 unifb unif
                                with UnificationFailure -> raise Failure end ;
                                contradiction_neg_atom base tab unifb unif fresh p t phit tnext clsem q phiacc2 depth goalnum st
                              end
                          end
                      end end
                    | None -> label N in backtrack tp unifb ;
                      assert { backtrack_to (unifb at B) (unifb at N) unifb } ;
                      contradiction_neg_atom base tab unifb unif fresh p t phit tnext clsem q phiacc2 depth goalnum st
                  end
                else (* do not conflict. *)
                  contradiction_neg_atom base tab unifb unif fresh p t phit tnext clsem q phiacc2 depth goalnum st
            end
          | NLC_Not _ -> (* do not conflict. *)
            contradiction_neg_atom base tab unifb unif fresh p t phit tnext clsem q phiacc2 depth goalnum st
          | _ -> absurd (* phi0 is literal. *)
        end
    end

  (* Technically speaking, the entry point of the main loop.
     Should be called with a preprocessed set of formula
     independent of the interpretation (no free variable),
     and a empty unifier (identity substitution). *)

  with extend_branch (base:nlimpl_fo_formula_list)
      (tab:nlimpl_tableau)
      (unifb:subst)
      (ghost unif:unifier_subst)
      (fresh:int)
      (depth:int)
      (goalnum:int) (ghost st:'st) : prover_return
    requires { fresh >= 0 }
    requires { nlimpl_fo_formula_list_ok base }
    requires { forall x:int. is_fo_term_free_var_in_fo_formula_list x
      base.model_fo_formula_list_field -> x >= 0 }
    requires { nlimpl_tableau_ok tab }
    requires { forall x:int. is_fo_term_free_var_in_tableau x
      tab.model_tableau_field -> x >= 0 }
    requires { unifier_subst_ok unifb unif }

    requires { is_procedure_tableau tab.model_tableau_field }
    requires { is_simpl_list base.model_fo_formula_list_field }
    requires { is_nnf_list base.model_fo_formula_list_field }
    requires { no_existential_list base.model_fo_formula_list_field }

    requires { forall m:model int 'st,rho:int -> 'st.
      let rhos = semantic_subst unif.unifier m rho in
      formula_list_conj_semantic base.model_fo_formula_list_field m rhos ->
        tableau_semantic_with tab.model_tableau_field True m rhos }
    ensures { forall m:model int 'st,rho:int -> 'st.
      let rhos = semantic_subst result.contradictory_assignment m rho in
      not(formula_list_conj_semantic base.model_fo_formula_list_field m rhos) }
    ensures { precede (old unifb) unifb /\ correct unifb }
    diverges
    raises { Failure -> precede (old unifb) unifb /\ correct unifb }
  =
    let tabm = tab.model_tableau_field in
    let basem = base.model_fo_formula_list_field in
    match destruct_tableau tab with
      | NLC_Root -> if depth = 0
        then raise Failure
        else let depth = depth - 1 in
          select_lemma base base tab unifb unif fresh depth goalnum goalnum st
      | NLC_Node tnext phi0 phib -> let tnextm = tnext.model_tableau_field in
        let phi0m = phi0.model_fo_formula_field in
        let phibm = phib.model_fo_formula_list_field in
        assert { tabm = Node tnextm phi0m phibm } ;
        assert { forall x:int. is_fo_term_free_var_in_tableau x tnextm ->
          is_fo_term_free_var_in_tableau x tabm && x >= 0 } ;
        assert { forall x:int. is_fo_term_free_var_in_fo_formula x phi0m ->
          is_fo_term_free_var_in_tableau x tabm && x >= 0 } ;
        assert { forall x:int. is_fo_term_free_var_in_fo_formula_list x phibm ->
          is_fo_term_free_var_in_tableau x tabm && x >= 0 } ;
        assert { is_atom phi0m } ;
        assert { forall m:model int 'st,rho:int -> 'st.
          let rhos = semantic_subst unif.unifier m rho in
          formula_list_conj_semantic basem m rhos ->
            let b1 = if tableau_node True phibm phi0m m rhos
              then True
              else False in
            tableau_semantic_with tnextm b1 m rhos &&
            (tableau_semantic_with tnextm True m rhos \/
             tableau_semantic_with tnextm False m rhos) } ;
        match destruct_fo_formula phi0 with
          | NLC_PApp ps t -> let psm = ps.model_symbol_field in
            let tm = t.model_fo_term_list_field in
            assert { phi0m = PApp psm tm } ;
            assert { forall x:int. is_fo_term_free_var_in_fo_term_list x tm ->
              is_fo_term_free_var_in_fo_formula x phi0m && x >= 0 } ;
            let p = match destruct_symbol ps with
              | NLCVar_symbol p -> assert { psm = Var_symbol p } ; p
            end in
            contradiction_find_atom base tab tnext tnext unifb unif fresh p t phib depth goalnum st
          | NLC_Not phi1 -> let phi1m = phi1.model_fo_formula_field in
            assert { phi0m = Not phi1m } ;
            match destruct_fo_formula phi1 with
              | NLC_PApp ps t ->
                let psm = ps.model_symbol_field in
                let tm = t.model_fo_term_list_field in
                assert { phi1m = PApp psm tm } ;
                assert { forall x:int. is_fo_term_free_var_in_fo_term_list x tm ->
                  is_fo_term_free_var_in_fo_formula x phi1m &&
                  is_fo_term_free_var_in_fo_formula x phi0m && x >= 0 } ;
                let p = match destruct_symbol ps with
                  | NLCVar_symbol p -> assert { psm = Var_symbol p } ; p
                end in
                contradiction_find_neg_atom base tab tnext tnext unifb unif fresh p t phib depth goalnum st
              | _ -> absurd
            end
          | _ -> absurd
        end
    end

  (* Look for a contradiction inside the current branch. *)
  with contradiction_find_atom (base:nlimpl_fo_formula_list)
      (tab0 tab1 tab:nlimpl_tableau)
      (unifb:subst)
      (ghost unif:unifier_subst)
      (fresh:int)
      (p:int)
      (t:nlimpl_fo_term_list)
      (philist:nlimpl_fo_formula_list)
      (depth:int)
      (goalnum:int) (ghost st:'st) : prover_return
    requires { fresh >= 0 }
    requires { nlimpl_fo_formula_list_ok base }
    requires { forall x:int. is_fo_term_free_var_in_fo_formula_list x
      base.model_fo_formula_list_field -> x >= 0 }
    requires { nlimpl_tableau_ok tab0 }
    requires { forall x:int. is_fo_term_free_var_in_tableau x
      tab0.model_tableau_field -> x >= 0 }
    requires { nlimpl_tableau_ok tab1 }
    requires { forall x:int. is_fo_term_free_var_in_tableau x
      tab1.model_tableau_field -> x >= 0 }
    requires { nlimpl_tableau_ok tab }
    requires { forall x:int. is_fo_term_free_var_in_tableau x
      tab.model_tableau_field -> x >= 0 }
    requires { unifier_subst_ok unifb unif }
    requires { nlimpl_fo_term_list_ok t }
    requires { forall x:int. is_fo_term_free_var_in_fo_term_list x
      t.model_fo_term_list_field -> x >= 0 }
    requires { nlimpl_fo_formula_list_ok philist }
    requires { forall x:int. is_fo_term_free_var_in_fo_formula_list x
      philist.model_fo_formula_list_field -> x >= 0 }

    requires { is_procedure_tableau tab0.model_tableau_field }
    requires { is_procedure_tableau tab.model_tableau_field }

    requires { is_simpl_list base.model_fo_formula_list_field }
    requires { is_nnf_list base.model_fo_formula_list_field }
    requires { no_existential_list base.model_fo_formula_list_field }

    requires { is_atom_list philist.model_fo_formula_list_field }

    requires { tab0.model_tableau_field =
      Node tab1.model_tableau_field
           (PApp (Var_symbol p) t.model_fo_term_list_field)
           philist.model_fo_formula_list_field }

    requires { forall m:model int 'st,rho:int -> 'st.
      let rhos = semantic_subst unif.unifier m rho in
      formula_list_conj_semantic base.model_fo_formula_list_field m rhos ->
        tableau_semantic_with tab0.model_tableau_field True m rhos }
    requires { forall m:model int 'st,rho:int -> 'st.
      let rhos = semantic_subst unif.unifier m rho in
      formula_list_conj_semantic base.model_fo_formula_list_field m rhos ->
        tableau_semantic_with tab.model_tableau_field True m rhos \/
        tableau_semantic_with tab.model_tableau_field False m rhos }
    requires { forall m:model int 'st,rho:int -> 'st,b:bool.
      let rhos = semantic_subst unif.unifier m rho in
      (tableau_semantic_with tab.model_tableau_field True m rhos <->
        tableau_semantic_with tab.model_tableau_field False m rhos) ->
      (tableau_semantic_with tab0.model_tableau_field True m rhos <->
       tableau_semantic_with tab0.model_tableau_field False m rhos) }

    ensures { forall m:model int 'st,rho:int -> 'st.
      let rhos = semantic_subst result.contradictory_assignment m rho in
      not(formula_list_conj_semantic base.model_fo_formula_list_field m rhos) }
    ensures { precede (old unifb) unifb /\ correct unifb }
    diverges
    raises { Failure -> precede (old unifb) unifb /\ correct unifb }
  =
    let tab0m = tab0.model_tableau_field in
    let tab1m = tab1.model_tableau_field in
    let tabm = tab.model_tableau_field in
    let tm = t.model_fo_term_list_field in
    let philm = philist.model_fo_formula_list_field in
    let basem = base.model_fo_formula_list_field in
    let phibasem = PApp (Var_symbol p) tm in
    match destruct_tableau tab with
      | NLC_Root -> (* No branch contradiction found, try to instantiate
        a lemma. *)
        if depth = 0
        then raise Failure
        else select_lemma base base tab0 unifb unif fresh (depth-1) goalnum (-1) st
      | NLC_Node tnext phi0 phib ->
        let tnextm = tnext.model_tableau_field in
        let phi0m = phi0.model_fo_formula_field in
        let phibm = phib.model_fo_formula_list_field in
        assert { tabm = Node tnextm phi0m phibm } ;
        assert { forall x:int. is_fo_term_free_var_in_tableau x tnextm ->
          is_fo_term_free_var_in_tableau x tabm && x >= 0 } ;
        assert { forall x:int. is_fo_term_free_var_in_fo_formula x phi0m ->
          is_fo_term_free_var_in_tableau x tabm && x >= 0 } ;
        assert { forall x:int. is_fo_term_free_var_in_fo_formula_list x phibm ->
          is_fo_term_free_var_in_tableau x tabm && x >= 0 } ;
        assert { is_atom phi0m } ;
        assert { forall m:model int 'st,rho:int -> 'st.
          (tableau_semantic_with tnextm True m rho <->
            tableau_semantic_with tnextm False m rho) ->
          (tableau_semantic_with tabm True m rho <->
            tableau_semantic_with tabm False m rho) } ;
        assert { forall m:model int 'st,rho:int -> 'st,b:bool.
          tableau_semantic_with tabm b m rho ->
            let b1 = if tableau_node b phibm phi0m m rho
              then True
              else False in
            tableau_semantic_with tnextm b1 m rho &&
            (tableau_semantic_with tnextm True m rho \/
             tableau_semantic_with tnextm False m rho) } ;
        match destruct_fo_formula phi0 with
          | NLC_PApp _ _ -> contradiction_find_atom base tab0 tab1 tnext unifb unif fresh p t philist depth goalnum st
          | NLC_Not phi1 -> let phi1m = phi1.model_fo_formula_field in
            assert { phi0m = Not phi1m } ;
            match destruct_fo_formula phi1 with
              | NLC_PApp p2 t2 ->
                let p2m = p2.model_symbol_field in
                let t2m = t2.model_fo_term_list_field in
                assert { phi1m = PApp p2m t2m } ;
                assert { forall x:int. is_fo_term_free_var_in_fo_term_list x t2m ->
                  is_fo_term_free_var_in_fo_formula x phi1m &&
                  is_fo_term_free_var_in_fo_formula x phi0m && x >= 0 } ;
                let p3 = match destruct_symbol p2 with
                    | NLCVar_symbol p3 -> p3
                  end in
                assert { p2m = Var_symbol p3 } ;
                (* Unification attempt. *)
                if p = p3
                then (* let-try. *) label B in let tp = stamp unifb in
                  let l0 = ref Nil in
                  match try let u = unify_term_list t t2 l0 unifb unif in Some u
                  with UnificationFailure -> None end with
                    | Some u -> (* Unifiable. *)
                      let unif2 = u.final_unifier in
                      assert { forall m:model int 'st,rho:int -> 'st.
                        let rhos = semantic_subst unif2.unifier m rho in
                        let rhos0 = semantic_subst u.unifier_factor m rho in
                        (forall x:int.
                          eval unif2.unifier x = subst_fo_term (eval unif.unifier x)
                            (rcompose identity subst_id_symbol) u.unifier_factor &&
                          rhos x = term_semantic (eval unif2.unifier x) m rho
                            = term_semantic (eval unif.unifier x) (model_rename identity m) rhos0
                            = semantic_subst unif.unifier m rhos0 x) &&
                        extensionalEqual rhos
                          (semantic_subst unif.unifier m rhos0) &&
                        subst_fo_formula phi1m subst_id_symbol unif2.unifier =
                        subst_fo_formula phibasem subst_id_symbol unif2.unifier &&
                        (formula_semantic phi1m m rhos <->
                          formula_semantic phibasem m rhos) &&
                        not(formula_semantic phi0m m rhos /\
                          formula_semantic phibasem m rhos) &&
                        (formula_list_conj_semantic basem m rhos ->
                          tableau_semantic_with tab0m True m rhos &&
                          (if formula_semantic phibasem m rhos
                          then (tableau_semantic_with tabm True m rhos <->
                              tableau_semantic_with tabm False m rhos) &&
                            tableau_semantic_with tabm False m rhos &&
                            tableau_semantic_with tab0m False m rhos
                          else tableau_semantic_with tab0m False m rhos) &&
                            tableau_semantic_with tab0m False m rhos &&
                          let b = if formula_list_disj_semantic philm m rhos
                            then True
                            else False in
                          tableau_semantic_with tab1m b m rhos) } ;
                      let nd = ref depth in
                      let ct = contract_tableau tab1 philist nd st in
                      let depth = !nd in
                      match ct with
                        | Some tab2 ->
                          let tab2m = tab2.model_tableau_field in
                          assert { forall m:model int 'st,rho:int -> 'st.
                            let rhos = semantic_subst unif2.unifier m rho in
                            formula_list_conj_semantic basem m rhos ->
                              let b = if formula_list_disj_semantic philm m rhos
                                then True
                                else False in
                              tableau_semantic_with tab1m b m rhos &&
                              tableau_semantic_with tab2m True m rhos
                             } ;
                          match !l0 with
                            | Nil -> extend_branch base tab2 unifb unif2 fresh depth goalnum st
                            | _ -> try extend_branch base tab2 unifb unif2 fresh depth goalnum st
                          with Failure -> label F in
                            backtrack tp unifb ;
                            assert { backtrack_to (unifb at B) (unifb at F) unifb } ;
                            try conflict t t2 unifb unif
                            with UnificationFailure -> raise Failure end ;
                            contradiction_find_atom base tab0 tab1 tnext unifb unif fresh p t philist depth goalnum st
                          end end
                        | None -> assert { forall m:model int 'st,rho:int -> 'st.
                          let rhos = semantic_subst unif2.unifier m rho in
                          let b = if formula_list_disj_semantic philm m rhos
                            then True
                            else False in
                          not(tableau_semantic_with tab1m b m rhos) &&
                          not(formula_list_conj_semantic basem m rhos) } ;
                          { contradictory_assignment = unif2.unifier }
                      end
                    | None -> label N in backtrack tp unifb ;
                      assert { backtrack_to (unifb at B) (unifb at N) unifb } ;
                      contradiction_find_atom base tab0 tab1 tnext unifb unif fresh p t philist depth goalnum st
                  end
                else contradiction_find_atom base tab0 tab1 tnext unifb unif fresh p t philist depth goalnum st
              | _ -> absurd (* atomic. *)
            end
          | _ -> absurd (* atomic. *)
        end
    end


  (* Look for a contradiction inside the current branch,
     negated version. *)
  with contradiction_find_neg_atom (base:nlimpl_fo_formula_list)
      (tab0 tab1 tab:nlimpl_tableau)
      (unifb:subst)
      (ghost unif:unifier_subst)
      (fresh:int)
      (p:int)
      (t:nlimpl_fo_term_list)
      (philist:nlimpl_fo_formula_list)
      (depth:int)
      (goalnum:int) (ghost st:'st) : prover_return
    requires { fresh >= 0 }
    requires { nlimpl_fo_formula_list_ok base }
    requires { forall x:int. is_fo_term_free_var_in_fo_formula_list x
      base.model_fo_formula_list_field -> x >= 0 }
    requires { nlimpl_tableau_ok tab0 }
    requires { forall x:int. is_fo_term_free_var_in_tableau x
      tab0.model_tableau_field -> x >= 0 }
    requires { nlimpl_tableau_ok tab1 }
    requires { forall x:int. is_fo_term_free_var_in_tableau x
      tab1.model_tableau_field -> x >= 0 }
    requires { nlimpl_tableau_ok tab }
    requires { forall x:int. is_fo_term_free_var_in_tableau x
      tab.model_tableau_field -> x >= 0 }
    requires { unifier_subst_ok unifb unif }
    requires { nlimpl_fo_term_list_ok t }
    requires { forall x:int. is_fo_term_free_var_in_fo_term_list x
      t.model_fo_term_list_field -> x >= 0 }
    requires { nlimpl_fo_formula_list_ok philist }
    requires { forall x:int. is_fo_term_free_var_in_fo_formula_list x
      philist.model_fo_formula_list_field -> x >= 0 }

    requires { is_procedure_tableau tab0.model_tableau_field }
    requires { is_procedure_tableau tab.model_tableau_field }

    requires { is_simpl_list base.model_fo_formula_list_field }
    requires { is_nnf_list base.model_fo_formula_list_field }
    requires { no_existential_list base.model_fo_formula_list_field }

    requires { is_atom_list philist.model_fo_formula_list_field }

    requires { tab0.model_tableau_field =
      Node tab1.model_tableau_field
           (Not (PApp (Var_symbol p) t.model_fo_term_list_field))
           philist.model_fo_formula_list_field }

    requires { forall m:model int 'st,rho:int -> 'st.
      let rhos = semantic_subst unif.unifier m rho in
      formula_list_conj_semantic base.model_fo_formula_list_field m rhos ->
        tableau_semantic_with tab0.model_tableau_field True m rhos }
    requires { forall m:model int 'st,rho:int -> 'st.
      let rhos = semantic_subst unif.unifier m rho in
      formula_list_conj_semantic base.model_fo_formula_list_field m rhos ->
        tableau_semantic_with tab.model_tableau_field True m rhos \/
        tableau_semantic_with tab.model_tableau_field False m rhos }
    requires { forall m:model int 'st,rho:int -> 'st,b:bool.
      let rhos = semantic_subst unif.unifier m rho in
      (tableau_semantic_with tab.model_tableau_field True m rhos <->
        tableau_semantic_with tab.model_tableau_field False m rhos) ->
      (tableau_semantic_with tab0.model_tableau_field True m rhos <->
       tableau_semantic_with tab0.model_tableau_field False m rhos) }

    ensures { forall m:model int 'st,rho:int -> 'st.
      let rhos = semantic_subst result.contradictory_assignment m rho in
      not(formula_list_conj_semantic base.model_fo_formula_list_field m rhos) }
    ensures { precede (old unifb) unifb /\ correct unifb }
    diverges
    raises { Failure -> precede (old unifb) unifb /\ correct unifb }
  =
    let tab0m = tab0.model_tableau_field in
    let tab1m = tab1.model_tableau_field in
    let tabm = tab.model_tableau_field in
    let tm = t.model_fo_term_list_field in
    let philm = philist.model_fo_formula_list_field in
    let basem = base.model_fo_formula_list_field in
    let phi1m = PApp (Var_symbol p) tm in
    let phibasem = Not phi1m in
    match destruct_tableau tab with
      | NLC_Root -> if depth = 0
        then raise Failure
        else select_lemma base base tab0 unifb unif fresh (depth-1) goalnum (-1) st
      | NLC_Node tnext phi0 phib ->
        let tnextm = tnext.model_tableau_field in
        let phi0m = phi0.model_fo_formula_field in
        let phibm = phib.model_fo_formula_list_field in
        assert { tabm = Node tnextm phi0m phibm } ;
        assert { forall x:int. is_fo_term_free_var_in_tableau x tnextm ->
          is_fo_term_free_var_in_tableau x tabm && x >= 0 } ;
        assert { forall x:int. is_fo_term_free_var_in_fo_formula x phi0m ->
          is_fo_term_free_var_in_tableau x tabm && x >= 0 } ;
        assert { forall x:int. is_fo_term_free_var_in_fo_formula_list x phibm ->
          is_fo_term_free_var_in_tableau x tabm && x >= 0 } ;
        assert { is_atom phi0m } ;
        assert { forall m:model int 'st,rho:int -> 'st.
          (tableau_semantic_with tnextm True m rho <->
            tableau_semantic_with tnextm False m rho) ->
          (tableau_semantic_with tabm True m rho <->
            tableau_semantic_with tabm False m rho) } ;
        assert { forall m:model int 'st,rho:int -> 'st,b:bool.
          tableau_semantic_with tabm b m rho ->
            let b1 = if tableau_node b phibm phi0m m rho
              then True
              else False in
            tableau_semantic_with tnextm b1 m rho &&
            (tableau_semantic_with tnextm True m rho \/
             tableau_semantic_with tnextm False m rho) } ;
        match destruct_fo_formula phi0 with
          | NLC_Not _ -> contradiction_find_neg_atom base tab0 tab1 tnext unifb unif fresh p t philist depth goalnum st
          | NLC_PApp p2 t2 ->
            let p2m = p2.model_symbol_field in
            let t2m = t2.model_fo_term_list_field in
            assert { phi0m = PApp p2m t2m } ;
            assert { forall x:int. is_fo_term_free_var_in_fo_term_list x t2m ->
              is_fo_term_free_var_in_fo_formula x phi0m && x >= 0 } ;
            let p3 = match destruct_symbol p2 with
                | NLCVar_symbol p3 -> p3
              end in
            assert { p2m = Var_symbol p3 } ;
            (* Unification attempt. *)
            if p = p3
            then (* let-try. *) label B in let tp = stamp unifb in
              let l0 = ref Nil in
              match try let u = unify_term_list t t2 l0 unifb unif in Some u
              with UnificationFailure -> None end with
                | Some u -> (* Unifiable. *)
                  let unif2 = u.final_unifier in
                  assert { forall m:model int 'st,rho:int -> 'st.
                    let rhos = semantic_subst unif2.unifier m rho in
                    let rhos0 = semantic_subst u.unifier_factor m rho in
                    (forall x:int.
                      eval unif2.unifier x = subst_fo_term (eval unif.unifier x)
                        (rcompose identity subst_id_symbol) u.unifier_factor &&
                      rhos x = term_semantic (eval unif2.unifier x) m rho
                        = term_semantic (eval unif.unifier x) (model_rename identity m) rhos0
                        = semantic_subst unif.unifier m rhos0 x) &&
                    extensionalEqual rhos
                      (semantic_subst unif.unifier m rhos0) &&
                    subst_fo_formula phi1m subst_id_symbol unif2.unifier =
                    subst_fo_formula phi0m subst_id_symbol unif2.unifier &&
                    (formula_semantic phi0m m rhos <->
                      formula_semantic phi1m m rhos) &&
                    not(formula_semantic phi0m m rhos /\
                      formula_semantic phibasem m rhos) &&
                    (formula_list_conj_semantic basem m rhos ->
                      tableau_semantic_with tab0m True m rhos &&
                      (if formula_semantic phibasem m rhos
                      then (tableau_semantic_with tabm True m rhos <->
                          tableau_semantic_with tabm False m rhos) &&
                        tableau_semantic_with tabm False m rhos &&
                        tableau_semantic_with tab0m False m rhos
                      else tableau_semantic_with tab0m False m rhos) &&
                        tableau_semantic_with tab0m False m rhos &&
                      let b = if formula_list_disj_semantic philm m rhos
                        then True
                        else False in
                      tableau_semantic_with tab1m b m rhos) } ;
                  let nd = ref depth in
                  let ct = contract_tableau tab1 philist nd st in
                  let depth = !nd in
                  match ct with
                    | Some tab2 ->
                      let tab2m = tab2.model_tableau_field in
                      assert { forall m:model int 'st,rho:int -> 'st.
                        let rhos = semantic_subst unif2.unifier m rho in
                        formula_list_conj_semantic basem m rhos ->
                        let b = if formula_list_disj_semantic philm m rhos
                          then True
                          else False in
                          tableau_semantic_with tab1m b m rhos &&
                          tableau_semantic_with tab2m True m rhos
                         } ;
                      match !l0 with
                        | Nil -> extend_branch base tab2 unifb unif2 fresh depth goalnum st
                          (* no need to backtrack ! *)
                        | _ -> try
                          extend_branch base tab2 unifb unif2 fresh depth goalnum st
                          with Failure -> label F in
                            backtrack tp unifb ;
                            assert { backtrack_to (unifb at B) (unifb at F) unifb } ;
                            try conflict t t2 unifb unif
                            with UnificationFailure -> raise Failure end;
                            contradiction_find_neg_atom base tab0 tab1 tnext unifb unif fresh p t philist depth goalnum st
                          end end
                    | None -> assert { forall m:model int 'st,rho:int -> 'st.
                      let rhos = semantic_subst unif2.unifier m rho in
                      let b = if formula_list_disj_semantic philm m rhos
                        then True
                        else False in
                      not(tableau_semantic_with tab1m b m rhos) &&
                      not(formula_list_conj_semantic basem m rhos) } ;
                      { contradictory_assignment = unif2.unifier }
                  end
                | None -> label N in backtrack tp unifb ;
                  assert { backtrack_to (unifb at B) (unifb at N) unifb } ;
                  contradiction_find_neg_atom base tab0 tab1 tnext unifb unif fresh p t philist depth goalnum st
              end
            else contradiction_find_neg_atom base tab0 tab1 tnext unifb unif fresh p t philist depth goalnum st
          | _ -> absurd (* atomic. *)
        end
    end

  (* Iterate through every lemma of the base formula set. *)

  with select_lemma (base:nlimpl_fo_formula_list) (basecursor:nlimpl_fo_formula_list)
    (tab:nlimpl_tableau)
    (unifb:subst)
    (ghost unif:unifier_subst)
    (fresh:int)
    (depth:int)
    (goalnum:int)
    (number:int) (ghost st:'st) : prover_return
    requires { fresh >= 0 }
    requires { nlimpl_fo_formula_list_ok base }
    requires { forall x:int. is_fo_term_free_var_in_fo_formula_list x
      base.model_fo_formula_list_field -> x >= 0 }
    requires { nlimpl_tableau_ok tab }
    requires { forall x:int. is_fo_term_free_var_in_tableau x
      tab.model_tableau_field -> x >= 0 }
    requires { unifier_subst_ok unifb unif }
    requires { nlimpl_fo_formula_list_ok basecursor }
    requires { forall x:int. is_fo_term_free_var_in_fo_formula_list x
      basecursor.model_fo_formula_list_field -> x >= 0 }

    requires { is_procedure_tableau tab.model_tableau_field }

    requires { is_simpl_list base.model_fo_formula_list_field }
    requires { is_nnf_list base.model_fo_formula_list_field }
    requires { no_existential_list base.model_fo_formula_list_field }

    requires { is_simpl_list basecursor.model_fo_formula_list_field }
    requires { is_nnf_list basecursor.model_fo_formula_list_field }
    requires { no_existential_list basecursor.model_fo_formula_list_field }

    requires { forall m:model int 'st,rho:int -> 'st.
      formula_list_conj_semantic base.model_fo_formula_list_field m rho ->
        formula_list_conj_semantic basecursor.model_fo_formula_list_field m rho }

    requires { forall m:model int 'st,rho:int -> 'st.
      let rhos = semantic_subst unif.unifier m rho in
      formula_list_conj_semantic base.model_fo_formula_list_field m rhos ->
        tableau_semantic_with tab.model_tableau_field True m rhos }

    ensures { forall m:model int 'st,rho:int -> 'st.
      let rhos = semantic_subst result.contradictory_assignment m rho in
      not(formula_list_conj_semantic base.model_fo_formula_list_field m rhos) }
    ensures { precede (old unifb) unifb /\ correct unifb }
    diverges
    raises { Failure -> precede (old unifb) unifb /\ correct unifb }
  =
    if number = 0
    then raise Failure ;
    let bcm = basecursor.model_fo_formula_list_field in
    match destruct_fo_formula_list basecursor with
      | NLC_FOFNil -> raise Failure
      | NLC_FOFCons x q -> let qm = q.model_fo_formula_list_field in
        let xm = x.model_fo_formula_field in
        assert { bcm = FOFCons xm qm } ;
        assert { forall x:int. is_fo_term_free_var_in_fo_formula x xm ->
          is_fo_term_free_var_in_fo_formula_list x bcm && x >= 0 } ;
        assert { forall x:int. is_fo_term_free_var_in_fo_formula_list x qm ->
          is_fo_term_free_var_in_fo_formula_list x bcm && x >= 0 } ;
        let fonil = construct_fo_formula_list NLC_FOFNil in
        assert { fonil.model_fo_formula_list_field = FOFNil } ;
        label B in let tp = stamp unifb in
        try decompose base tab unifb unif fresh x fonil fonil depth goalnum st
        with Failure -> label F in backtrack tp unifb ;
          assert { backtrack_to (unifb at B) (unifb at F) unifb } ;
          select_lemma base q tab unifb unif fresh depth goalnum (number-1) st end
    end

end
why3-1.6.0/examples/prover/Prover/000077500000000000000000000000001440160026300170145ustar00rootroot00000000000000why3-1.6.0/examples/prover/Prover/why3session.xml000066400000000000000000011710431440160026300220430ustar00rootroot00000000000000












 
 
  
  
  
  
  
  
  
  
   
   
    
    
    
    
    
    
    
    
    
    
    
    
    
    
    
    
    
    
    
    
    
    
    
    
    
    
    
    
    
    
    
    
    
    
    
    
    
    
    
    
    
    
    
    
    
    
    
    
    
    
    
    
    
    
    
    
    
    
    
    
    
    
    
    
    
    
    
    
    
    
    
    
    
    
    
    
    
    
   
   
  
  
 
 
 
 
  
  
  
  
  
  
  
  
  
 
 
 
 
  
  
  
  
  
  
  
  
  
 
 


 
 
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
 
 
 
 
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
 
 
 
 
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
   
   
   
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
   
   
    
    
     
     
      
      
      
      
      
      
      
      
      
      
      
      
      
      
      
      
      
      
     
     
    
    
   
   
  
  
 
 
 
 
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
   
   
   
   
   
   
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
   
   
   
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
   
   
    
    
     
     
      
      
      
      
      
      
      
      
      
      
      
      
      
      
      
      
      
      
     
     
    
    
   
   
  
  
 
 
 
 
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
   
   
    
    
    
   
   
   
   
    
    
    
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
  
  
  
  
   
   
    
    
     
     
      
      
      
      
      
      
      
      
      
      
      
      
      
      
      
      
      
      
     
     
    
    
   
   
  
  
 
 
 
 
  
  
  
  
  
   
   
   
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
   
   
   
   
   
   
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
   
   
    
    
    
    
    
    
    
    
    
    
    
    
    
    
    
    
    
    
    
    
    
   
   
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
  
  
  
  
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
    
    
    
   
   
   
   
   
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
 
 
 
 
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
   
   
    
    
     
     
      
      
      
      
      
      
      
      
      
      
      
      
      
      
      
      
      
      
      
      
      
     
     
    
    
   
   
  
  
  
  
   
   
    
    
    
   
   
   
   
    
    
    
   
   
   
   
   
   
   
   
   
   
   
   
   
   
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
 
 
 
 
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
   
   
   
   
   
   
   
   
   
   
   
   
   
   
    
    
    
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
   
   
   
   
   
   
  
  
  
  
  
  
  
   
   
   
   
   
   
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
   
   
    
    
    
    
    
    
    
    
    
    
    
    
    
    
    
    
    
    
    
    
    
   
   
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
   
   
    
    
    
    
    
    
    
    
    
    
    
    
    
    
    
    
    
    
    
    
    
   
   
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
   
   
   
   
   
   
  
  
  
  
  
  
  
  
  
  
   
   
    
    
    
    
    
    
    
    
    
    
    
    
    
    
    
    
    
    
    
    
    
   
   
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
   
   
   
   
   
   
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
   
   
    
    
     
     
      
      
      
      
      
      
      
      
      
      
      
      
      
      
      
      
      
      
      
      
      
     
     
    
    
   
   
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
   
   
   
   
   
   
  
  
  
  
   
   
   
   
   
   
  
  
  
  
   
   
    
    
     
     
      
      
      
      
      
      
      
      
      
      
      
      
      
      
      
      
      
      
     
     
    
    
   
   
  
  
 
 
 
 
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
   
   
   
   
   
   
   
   
  
  
  
  
  
  
  
  
  
  
   
   
   
   
   
   
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
   
   
    
    
    
    
    
    
    
    
    
    
    
    
    
    
    
    
    
    
    
    
    
   
   
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
   
   
    
    
    
    
    
    
    
    
    
    
    
    
    
    
    
    
    
    
    
    
    
   
   
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
   
   
    
    
    
    
    
    
    
    
    
    
    
    
    
    
    
    
    
    
    
    
    
   
   
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
   
   
    
    
     
     
      
      
      
      
      
      
      
      
      
      
      
      
      
      
      
      
      
      
     
     
    
    
   
   
  
  
 
 
 
 
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
   
   
   
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
   
   
    
    
     
     
      
      
      
      
      
      
      
      
      
      
      
      
      
      
      
      
      
      
      
      
      
     
     
    
    
   
   
  
  
  
  
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
  
  
 
 
 
 
  
  
   
   
   
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
   
   
    
    
    
   
   
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
   
   
   
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
   
   
   
   
   
   
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
   
   
   
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
   
   
   
   
   
   
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
   
   
   
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
   
   
   
   
   
   
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
   
   
    
    
     
     
      
      
      
      
      
      
      
      
      
      
      
      
      
      
      
      
      
      
      
      
      
     
     
    
    
   
   
  
  
  
  
   
   
    
    
    
   
   
   
   
    
    
    
   
   
   
   
   
   
   
   
   
   
   
   
   
   
  
  
 
 
 
 
  
  
   
   
   
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
   
   
    
    
    
   
   
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
   
   
   
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
   
   
   
   
   
   
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
   
   
   
   
   
   
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
   
   
   
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
   
   
   
   
   
   
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
   
   
    
    
    
   
   
   
   
    
    
    
   
   
   
   
   
   
   
   
   
   
   
   
   
   
  
  
 
 
 
 
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
   
   
    
    
    
    
    
    
    
    
    
    
    
    
    
    
    
    
    
    
    
    
    
   
   
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
 
 



why3-1.6.0/examples/prover/Prover/why3shapes.gz000066400000000000000000003437071440160026300214720ustar00rootroot00000000000000io:~πHB
09(NmҶ>fE-JIu7z۱8y_?}߽s~?{mKEdOGϏKAkQׇ_oi\ٿdivT&b^?go٬~<߳/߾r8r8u9(
{%q{şŽ}lˣre?}yɴ_|Lݪ?߿n߿?7PۿFd~r,^wXՍ9|Y)MTc"oZQ˹Pp̋~̩q=XT0/2Ⱥl^e>d\6)'ЯջiS8h\}OLƓq-GSrKLV}CVKqwAcިEcިIqÚǼME^Qꛈ)<.=A;iJ}v&Xσ뤮&2$0xso&;R̼~=~9]^l0psM-j'7"7_0^C_i-d-Іbt6s̍툚[(U;Z9[p,Zp&jϝت\5#SR|x|Kcۺ}~=eoʍjO3p568O{b&3q~Fk
^-*IK.42vR&)MK$KSnRUxI8Azn
x>,6^ꕷ
ڳ%i$UE$;hۦOy	6O0/`
(}-vYN'\EvˇJln0	&/M"{yi<
;󨋌xMr$`ƭÆ
{l0Rlr6vNv/ݥF5RZJyh3FE8[9cJ1ue@u?(1$sԠ]
ETi^6[h;ZujhjYAgվiURԚ[4ndQH+fZ:<*+j]nyٜq1Ϊoo3yȔu֌<1]q۞[0Aw9̌Xt]~TM坁7=j׭q~תAӔkez!A2v
;\S*qi*ѩVԲ4JiHнQ	{N3nddIдͩj# QܱGlk3T:OCۺ돷
=kq(=Ԫ衣njt,z0m]=j81ߩ)NpLj
L`(a

L*F&T[++FKШbMX[MnP	ԹiJ0
*E?w@%bUep&T򦟳2;@B5*VB	@^1׻O5
X?֏DUH,L-gB4|uLՑϑW=f1
9Hh"ZDE[K$zZemNgE퀳9RwYFBP_S37K
--j!l$_O+w(Õݶ
\>3ԝ.g'l-ލpxNŶd:B"
e#D& l1,Ez,KXk)9V,=µ[ZM˺I&fɵdrI&[,e"༾3m/,V4nv4ʁEO`41f.&!h2M&-d7.Hu>ƍ+IB>IeHEDK
:@_r$x^,#nNM1TXBJnYI3¯'9nus\Z|m9{M@B5\[%cl-dl}/E|Nj7W:"91tʃEOot
t.KŞR1ŴX[p90ۡ)k
/0q}T;,
`aC-DUgPSQAT2W{vq;m$C w!\,7.h͂mFGz`/KUg]\pv	&G!\M&9se!#R]K985ٌ$iq6#=3
d-7M("Ϡy6'@/{B (:Z#Pp
ж-aܸ0auz$	,Jݖ~;J&c%{}N5Fd^O/+AR7n\Ը@IL#q-zbQLA%׋a*ߦc{ sܿIJ2;u;Rm	0FՆiNCTX_dήV~;շ-$@"II:I*kJ"7/	KD}8j72H$t#t#g&gjeQvFz.[$njlU;v{v?%уΙW^X
Y!I+$C"K:j)RL_1RM̨M#H_/HsmlI#%T)5o݃WCo|L\|L晓]a1+FL>.LjkQAјs5ΰTR7k̭jm=:Ўd$ÞԠ8=GP} iڵG͠ \JQmLjsz4pj(coo:epH/{si~+.nmvm\".Kw34\a>gT±O1k0]єФFrmR&5?]}ޠb*sSO43zu5`9-@˳x;496^vh?vXaxgiݨ%[W)Oq)sǍwi0Hexż7r#UsTsTC%ԚثYip*7/1@;3SwGF"2~{O_8C]g".v?t=UBPT9\H$ͭ<͉ʌTL.T\
~q@GV?2%=8ej?23=~KG6XیL+Ӝ0*7Z^/ZgĶ7d]^_3CVP#ʪs$x*մʤwΙɞGNo;}]k"8ej.a2 0WhSms7k'[=u$Қ؜ߦ1>s>m>><ޥQ!ADD9{rHڙ+@s͹p^~EWiܞ|ݲ?UNZCeh|ݞdn'p;WjZmmfǰTFHq?
3foSv
7r%[4X4l2K7SSn
3cڀsDM9F2> MzzLo8N}³jNAM9u0N*Eڠ*ʠT6t 0
8vTWNAo=+$6/bߵ+ud蠖b|t
c1d㨙k3L0̸nf8t;x-"bPc{T_Ů1P葡GF['g6YA@d91t-@B5׻jې%Ω:=.K,O%2*X2aSK†%b,',bI<-Au u@p\nfzj둊U4h#:YN.i^o![t܁ PB4'!:_JQW!}ا{
z>+ճ9a,(}ܿ-5l*~t6-UشTzT*F16Liڅ0k;ADWDI*KPWKd j^͠4X6jmCT+ǎ8!1vc/vh_t$_~0#M
BS3_w rxl4,86άtx.+cft]L1fN۴\ ەҷgcۃYOl9oܑ!!9LSrŶ…rE"kg39-wr߸-6
gp?`pVNG[bۧd23C!67=כ9]ot,d,+jpP#n{}
u)ۑKl>W>_>Ty6yvތ-t7
@qE+͎Hp!ǰ^dÐh!ֆmX,k:m4
@*4r7۶*_q,t]\.f_V[hn
EK_wT!uH*nTR]	v!߶{G&b1}qߴ1=W%۷*;Fd_.]Ч)_SŰi緇{sΪ~>OU6O)v2o2vRmd.kQLm'L7,? ŵN))G&i+1*O]tJu&~PEk<"u44;P.Jo(IU95d$(O͑.KK,[3B	қK+SBMpq1r4_13똙u,/lSN%JoFKnc<^(	/2]ϫGw_9 ra'La'La'3h&5e3C}H'0~3OplhNs%$ZbrLO#n~ZO1?-{_0~
5iYz}f騑⏦J05ބF&Adn&_%lx;F[Δ#/LY:S$)Li`Jxnsz=DɌ~u%Gл;Z^!Ptwi}(_@PT*zP5p|1U M8ȼ>Cd󆌊]3M y;/:e@bh3XbШfLPgސkP…ypc\ppM]j)<,d05*3NkӠ±[٭2@7dꚡrPagd4P5L]pd\f|ǂ𱲶v9f`F=*0(	@=Ht&F#8r)'
B6
`cP8`:i@бPtج0nb_O,Z2iaX@d5£BbFқ,{MWf14XhhFSASk8Sl,ܓdrJ(`2<o& *	6Xe#=6*`swSe/O(I_^v\;v2=x)*@_<ڏ=<*u%!ipg\k>jϴbMzf` !Z#ݗćoH`c$[?-YogGwTzqrL^çPzӼ>ي<*s"̚Y1>\iIJ4LM*K9SNϠ
%BJoJL]1T9RE.$	H/(
Ō`̃"`D)igLLf#ÝQɧқ#*H-q"VD,j.n{;=cDwUDe?$
>=<0WS/̬]f.|.m
\8X*thYptLLsJ:,RˎaxgrL̬3k,)=8zT@p':|[\k49Kx̬=f0|NH;=#<.?P
B7;8ht@%fP;PqFQL¯EE(GP}	IbyXPZ>V	CBtAYxmfL80#130s9`1uA
@R'
5}bE@;(F*xdldNCONT,e#-q.;v1NO{e4iШGX H,	@PT,$_@D"F~J~<ےe|a;›RXW8\kWю'u_mC2igck{>Ӹ4s$kK}=U
 H,{7SֽS{0P4ڌQl;=ü$dN4VT_1`pc0hv(qIiӺvcqdc-,k;~.g'}|ys}=}|xwE.ʤkEp~]V"~5\CF>mf/'vxo9:HypOCY/s9o䣮oV_>v&?Z7o.K&I}l3{,$_,+Io]|6Zљ}Wf17w
ܱ-U
|Q֠\UC|ՔBޤpm=U
^ZMy6`\)bf1i{b){6
[8+ɊtJB'3%2%l1%VA%Sbf13LY6SVƐ 
Dw
*E̪hJh$$Z$$G{Iu:I.$CfԴ;@D\?"tSdPh p#d:4VU͈o\Ռ1yw_+bô09@
l旁 XD̾Ȳ
hGb+σJrX9)KƊG;T@Eb˃Œ3,DƘXP1&gLb0Fyv.Ԍ!i]'cl~~e|:šSMj\
5я
898c^pԃFu՞e
@0B)0-@Ѣ" B {?
K&܂hTZ,F[p7
Jad#+_n\67VYyl?/s/?r3Qi/eԋ-_spU 4+fLtĉwtin2仺YM0LžbH~|'C=#cr|(`l`iTrY3㛭$Yɒ.kۖ͝J~<j#\F/zJ<]1}j/aBTMز2_eilg[kc>Ӏ4rE:En9`/ƙd렰z!28iF/0
WXכㄩN O0a#G[^A=)&#Y0뙘5&fm3Yآ;N)ogL:"S_1=pJ(`>n\2b@!)X6VAIT˾y(ٿdN\N)8igLQ-7 _uR&v)ia^'Nz]ɶm[,!l6@bA抧DMG7C;!LxtPz:dw9Xiݻ	$%Bb~>쟳=2/wU6%5D-,v'eWz?U;o/_N@W$EBN-%S=wB!ϧ/1hU&b]CM&A8i`\m'0hUl
^vӮYsSkΓKkEc	䛒iɜDt]@ˠH߸[@n;Ud($YiDpH>1Jj:AdPN?a,ȏ΁ PBT]zY-fa!`X@$TRHnѰPA493MV[H?J8Q4X`}4Xh0{}{ٽ~?/7_VR	zr:0.|Q??8,g
Zf6*iǐzQ9eܧN]>΋#;OE%ۚ_9QRm+,&I^'{ڽBSyl-yuS;Ցj/yyj9pc
/fWIVIڑ6U
ZY{os@WBEyߩ~6*.
M.%sg"FܹZ8AyZ/Kn/U?;NVYn}gfRbP--JKpʈ*/Vo,C;$I|XBL<>Wvpͫ`Rr` EaHhڅQ0(4mEvYV-(PEU]Roc^TĩgyURjmƴ@;^\--

h^EsCEA}wۂ*6]P4?4aR -SF,!]|WTvA']Pe> ~+wbiFer->#uƭcc/8d[U^UFTIP貘Sγ,&"nK	FՎD3&=vf<)~dN@s7"#:g}"+Ä۩S+ʕj?'=}`l4AFA_#QyʂBXIʿkDۉ,:4f5"Cֈ5"]@s(,F4QE;.uxKM*j>`S}{RX
>


>-Tk*MTTl(Ig1QHߌ*xH*˒
E/&*-T4 $H*V
:,+MKqm|Щ{/W&WJA+R=[f8W
@ZL1“p8		+qMDj6SU
 H7	iT 1ؚ׈B HZ	`Xh%@M,و,K+cbd|[oVfl7^r ӵiC],2(,|'d
]Ռ?±RӰ~U|'#="#u~|(`d\>"J"+4Ag!2tW'4ۤkAY/6w|?%^vo?^ew~}ݥrh=xДBO苧G=<+TtG`!vXI@qȶܹ=)^Cai"3="s"
ќD
Xd<,hT@(foNMea$j[d-tMh2"W[p'	!BBo^x3{IvdL~{Sᦂ&Ăgl~Ze`*
ShrψsR3D#$']`¤K'ФK'0F􅳞sa)pe=Ϲm\s.9\=rA	P@aM*b'bB8~[.-lSN`%"aJoF%RˑFM尥c*FˆnA':*;_J.%R3PB	(қ+Q(SϙR0Jo*XLQb
Hĭ@Džj`@ra3c(^_1	#K8ޘ+[,tВ3Xr5{S`dX̾9hS,=4bf`ұBSNʔua>,w8dayOfaYX4+khZ,u
|Ǖb"(r>\U;Xۈ$$Fd 
,ENp\4@D
kv  ȼ4FrA5jfTTD^X_繚Rxnz(ū\ rF}}]zSl1vT	mQ=2(o{4l
B꯫X4#}KYKԝ"vz|s̏W	7D{{"\|O#
@uL-@ܜY
9er\Y0|.0v7	1mü`/۵@71pXlC:et ^
X*(f_,dgE0eL2h:,XF%Tf;US.)*;?,b83:A@q,n,xi(=hca@E=@ЃBƸD;-;DH͸ŚUƂH#/ag<S\Qz#z4|gW*
3+fzb`_\Gz_kKnȺ?dG'ޡ2@C'?p*Kứ~Sx
G:I?ECBnbTz(|((]7LQHR/2^ĞYaFC~⾏lK*.y>49SNR)_,Job9=)=+2N?0+Ëli:QTߟ/1ziNApg_nn3\dzkL$hn
Jٿ;UDZB]Nu`<2rnb-zպw&(,jTNkMCR\Ъ9NzZ%VGMkujyZ݉ǕbbkŐ4;w&{|ݩ/mdFOI;=&`f)I2\zSfTzS|Z񥖟CJ~v|}|(Id2|-OQM#&GL)`6
7lz
rZ`2N-[)nÝzzw".!bc=Ûš: "4]7"c~qovx4!F7O
-lϧ1-ZO52 8KV0C!.u:b@dX	@X,-788zqQ*
`LVaM:i].(4:Zia}ƿ7[EǛNrsI;YBŚR<5ljwb8@)Wgy(5Ňw69FU:(NZWIH>4OW.hW`7u>Mq4
@UCZ=Z7^" X^/cUGf&^FJL+i-AZh'2n/Y/dsR'̜@j2wkOR"S,)p'"ـd7I2/c)vzF'LF6!G?dSj(n]b1rk Ī\\.&X,JB|_n/45T'0_T	O{hX--778o[,΀F,/8K]+ rd_9F%%F
sYId,@!
bXeNVh1!5+ajC|l.F-'Wfطb-dKDX`f@lxX<B/S?$u6.+ܯ|y}2,PMYi
jB5S3%g$ΔLIj`5S`	lͦ(GAQX0hĪ3'	JpzWwU4%9:b@!:j7p~]RMt\ک"f4fK@yÙXaN0AMqhE	*I]RbsLb9|L<.F
sY	D8DlL8?" bшX
?,SvCP	y2]XTԾ}	ql|PYiL{[`&nÝzHAk٭`41nI4&u߈UdN+4N	X&0LH,q}b&bjN+/2^˜0|gx	37DΌ&rLhgc+Bcjݎ-913ráڀ/EsQR008$	@b`
Lo-p28q2yh{|h
_rc/#W,劌x؂+C\NF+ê,7^A=ioLay5_1Vac]VL-۩e~!0l
xaypÆXTL{PS݀0{im1&ԫ7ܵ /%6b% gYL˂p\h+Qx^ͽw5jɜfd&NLWyq2`/$"p—
'p2qʪo0dY"slza/
q.8lAfZ(ǛxEw?`週Z+ HƀgўC'MMF.Od]Mq>LM·D؀LS4
1 ӌbi>\22d
m$4Jh];:~"[SSzqD:%Lri)8SH9Ʉil"3Js9AʞR0Jo*ͤ6ڌEq0YMq?w.X2@~nU7﷯N>,IH_^Ë^@]I0/&SW5V?4Ȝ׫y@HѼX7o^/$$:MހEhuaM#F|'8W7@O}Mz	tM즢<OT@ۋe%\? Iɠ6]ڬDͰq4N妋U+qbQ~re7+lϹ9BY~r{x88UxUTO{U&@['@%@!@TC$@H7)Œ{zIP*Q2
gp	܈q\6NlNܜ apR@rv6nZ_Ae>w\?_wٯ엛GC{5mI)=;_4Sj巆x~=}|X:
|R^/ǠUxI^>3Mƾhx@ɝ.D$MB$VUmC=\BTږCDQ|!Rw};jEV6IyGF坜~礑V32T>5P@PQP?ߊu$M 󳋇gӋo҈UdϷpa0ή`0z۶O'hSg!}r&2~[kҹp])*qp}^ŝɀS8m26sYUqTѨ򝊡M$w+w˳
Lg]Q2>@3,ߦ9J$r)Nc1d5Ʃ>qv*J'p:]7NRCkc^~$ktTzC(\ȂnyT<2P~XX^?e|qB%`'zvzvgD}#ÝQؑ=)fDTzvis<TEZ6KI!#L@N'0rT)v~eScr甂yj_0$w8mM|zd%2<rDC}[ u9q['S55+Gyjri$h1<ɝj]}cӸ
|lsL[uy+!s&'Yun)ӛdj\yA̝x%~Yi)IHCqL"'g⃤D MYkBQqSJK7FUlOl-6	f'2Mn*&›D3!,Zr`7Uo;5ui=
>L|DR1i-FC`jMzqjr<7# j<tT]LȈ2>S2cҶ;``j'	W˥3bWL6w\&	0iLbcLDgq_axj4do4PÊ"?ߟX߰1]A!V_+Us41?~kS2͔ϝ1%sF,Vxp..z%Kx-p9\l<&1.12.=*d
y"HI0PCR100P*]ȰԑaP9Nr	la4L`5
\4L`3
XM4L`3
pa;O K(ėx	RǑhCsY*AS(/B61w6&	e6&*V1A=lL?lga\[b5
epuW+XǑC%w&{|ݩ5ڦa3$C:ᵒ/e3f6 _Cl\!CVow_@RwIoO;:nj7̐Q3BYc2#t/H>Lf†*z6=l->7χB\)86|a6VElXGFƳwFvx^Mb>˾{Yp{6\ҁOklPˆ…g,MbhݽKCot˫>Y}{44
cs?QJ*e-"ri0Ay#"#s!Y-ALJm?wCqI.A)w	%$	i[Q1GR$a$աZtDܑTtT>V1}̺q*ha$qhaиDm6h}ꂆ}'S@b0#ʈٻ"1q.s5_QodPa-Pfbb.Tۀ
T*{6{1@$H`,!j
!9FD0Fg`E;P<ͺl<
Hv=O ?DDp1. ZIȢW;
`X>6L	7
p㚹1<`(X[5Gd`gb[eDHaN	e0'AEgI0,`''!p1.O+)|+.E5 (J[PTn
H,Dj܋vaȕQ,B5E&
U8@3$ʠH`#ͣq1|L-.?}<{(&wgXPN寥ȥ,Wo)MO:G>KEGW>U.v؝8rp8'bo,g\1b#U)q\~[ 2OhJȮOTk]ALr`Hdz/S9`YM;Ӏ;^l8^$e4Tvb2*(&jThj]d*V!kIe\Wt"^O>Y֔7Z'A-
5UT]jg|Cϻy>kgJk-T6K}>f:sݯ^Rÿ~dj!(AL5C`zD״ЛAoz{3o{}
H{][a.0HeAUF +
`X,64Xo ,~6#0 O1)RvE_RG_G?`Vb4vz=,8	Xz`1$=XDEHb\$tiEfBxJI
X$w
fX"4hJ6!@ZU? ^ңA!Eʩ"O
H=5D+rY(w"^t)"Ag@˧H$QcMo"5D`<+2Hw492_
Tuڎ~ZA%Qub2LIJg*i**Tٟ*AIYLP2=*3NOK[,b1tNZh8Gc84gtd q5K.-(!@p@eAۀϬ_OE]Jn!@P}l9@A(pA8-p3n83J	d	(_	η\lPIPjфÆ*5lw(*ۨH22g҂гNj8d,:"=8{V7̊U=|{?P'7_F>d|}rX~:ٿdc&4o`庙>7w}i/Du5ٴFT+HIe\խVս؂(lJpH@X"/Vٗ,X q̈́L	`X9,hH`V#=m
֪Vv8XS:g"~fE``E`aY)B}}`ť"th}:KK2QIdxot~8nmA` "|~۫¹<$nQQM)M
SQU z%SfN&:Kۡ,vTw2\M;mWin{uLk3׳VlVwE/74]DZ;.{Uf-R5ύlArhJQՃ8q}5L,QP:
"-w_H,<:D-I+Fl*Wh|z]t8AV@V;];#xH|6<lN	:B2A?&dS#wJQb{PfP	󶴆
:F@	(a(a(u<<.l_V@Q)kJ>xeD?{fD2/0Hb,™5Iz&MLT1$>D]D-DAi(^8D^hFGLpKIUVl|'3?%V.VV3BK}x|)*qE%J+e/WtUahhTC-U4
@"ThiF13jPQL8/
ǩbwhKd&J҅J҂JrP)L.?[b@-7주?߿gld>}?
i91@s!YYlH`4X/+~
8#+V|+2-o`6
Oj.bQ .‘L'oH0<}&&O؀L4kAdQ]L2%6wLf 4/&6k02iV$oϢ!XC3Z
Y`	XdVJF\fѬzbu=,DbJ5`s(h/D1gr"zXcqmhCsn.vDׁw헱W'":eC#C6wr)K{?TZM2'HzXSkȠh;HufJcz
dC/u"EGAUڷRWiƐOY퉝?w7=
T#|..|jWw_gGQ@~ٿd,v?"TMډ]d^`AG2h$WpǶW틈ms#qvþ `XV,D&cbUK%8Nω܀58
DTkQSYUcLU:K)]܍3TG#"1 "a BS[DPex	qaJ[JDmDxDx2xXe9P?p6փ  E՗PPoVbT3	[})@7
Z[}`x2I\œ2Q2Edcm#2[8^&)MDc^CCt2ueZU Aܔ7D>6h˔˔ŔLi0vOb
e0)AΔxXuY`gf.eǔUYCPTn
sd;%q%q%7DjrJ(I(
ؘBhߌS4+P.)@
bᤘ}rgȀ->$"+L>$lْtْ2u;lQfEe0-*-6cc7hJRXO#01{׀a4& TA3J۱@u7ՠ!4Mچ7	4$и|fA4Ьezw|@>4nPh40^[4l|33əg1Lb͙9ipFHNe03l~on\	\VgvXa&w`fzB @cQP-h(ZXp\Kt&Wuhci4695O9ƣӜGyt2F(TBӜdrPG/X,JLiN#;5ufЌm`C&3VG5[h=|m(@_1TT̽Ҥk`?Y[vbYkU2Κ`v~ Ο،dYK%
;k+d@4Vm+o6`vmb]ީ
7;?ߖ7p ۷v
PJ$|i424H!d;%⚚
8dxӵ2j@P~"?SX,;?wǻ%g*L'(_tox~_>hܶ'H޺_r|aq(@}O=do;U
wC[7"yFP灝#%Jyzl8Gqy/+{+WZչS+;3|n5FJh
Y6
®p1ĐL.0&'}Bvj\w{-)APe_{9ËkxhО&2=
>Qã{xN~sIe
4ͽG2D/Gmo
>ag@ْR^ scƗ$ƶKZm7k]4`X Vp PTEŪKp'݉gPTn
1Vøªu8X@S#aj=ӏ	!L`	m]
L`BV}aM`B1w0!;as8
AAW@,a3(ІjuQ&oCd&AN(v~<|cg;Qmx3S͙"h9@$J֨:nLR"MQ-nH}|6_ꚮqUw5>Fs~~t]K!^GU>Y7KT>__&v|2ȝL<}+iЗڄflItTD[;1U$!KUoN߰1^VKR-=XQ[vRUDyeJ&:oBtފ^-?#$!r5h
hWp(,!'CN՗;&	pȆȺv[J9 @Vnl*e7Js9'p8T%395ZC95)ZYCv}z
DM8͔j

T'@`Dh2fZB0*馁ʘ^̉
TSY{|'^7zj5%kg=L5&߁5^C#B-QuoBaTz~ ݩJe:0EU
3ˆ&Vhɢ`]lVMETGeD0"GD?lkuOyBv"zAqʲS1Իn!3'3 H2 bIV]T[1`'}z
4-w]hV5IعV} vf1*.hX.Hc=
?0klN}'f"a(Ѽe|4o[Ua^kqz1[0WA
r]@9w^f3qFf\U]ӂiq$Z,5.C @237˴`Z2-8.qq˸n|~H`8Hׁ)`dM3M1~%_G)(I`w{*mP*#0N;PC3CYLKfpZɧRIr"jG_W=%ZЌ,™g1j?%ܮ=
RD'8W$UJ+f}	ST=vNpWoDTc.r'}QNEHˮGZtgHO:%M@` 0+KXYYoJV^}c0HOh͓y^7ä7,`03LaAiT8)T:yX|pu݅HnN4!! r:Ce}.uM\cFAذ:"G"'1WI“)=^;	%]s#`'ñ/NЈI\6Na3D@=,МhP
Q{'J
J:#6#__#V5cfnF>JJOyeDH9O_r[*)ʄ|=\!
ur'KMk0+OpBr$׮lfy7`Cr]@\ VҐ^lۀB]L0JD
y
9b:?R1HM
ypZm\6X#DO3!SbztdO XVdm
(AHNu~BG(L*&aI#v*^
}&f&b݄tt秴GNOwz؊cSCqؐ(ϔzX<!j0Jaǐh'$u$-2PN
h͓BTj't~L
MW*A@MDJ lꖐ0uFB$@!:k:srC~LUz2:B*+x9Zi".FP
EJ&
d0.BOpC~La~zBVrRz\`.0h[Qc*boPc-$1E(>B
"(Y# KF޽(&P3h4I4PiHsA[$GzFG!؄FmPU^4dΧcn$c"|̧[S,\H!q_gFQqhq`h	M̺/rm;	FܳJ$hvmswkq7179&fΥsDzP}^^WfJ>5^3vV=wo)AS\	nДt2NƳ;!4""[tm62uFQ'j ]@(X/|sk?3>=}{DzІu,c@VRQFѣzĘdDsVGa#_鑯H?lX:VRRu
&nLMbF*&Օ(zJ4Ή}0dJ0%˦Č}9|pBkka8$ZCH8U;P>3(r__?5!r8x.p	)@W٨ǝ^]SQzwssZ?9_5zY[~?8@lV9?ӆR
zsāSN88464a\/MVƨ}.ɵ:sW.izBwUm	Cb@&0rhsz3A L+#@9fCV+BW	b"

Кt*WsB@tސlf#fIlMԓ	p}pxhO&_4F1
RwPIAXaad@:];Uc* hatz"T*%!D;fX0,ˁEdl"ӂi4Z>јL11zhGh0x'SwڐQ]YJ*r8Vb.ˢۇn,6t~
AY}!pas@ayS
m۲#~tWIs"
R$X[Zzǜ`N0'	6>8cZu%'ߏjbs}jUz'3
2(T@yY68f:TU=7SI')QUB=UUsJ_g{!PU'
h`40YBwxEDH6b>ܻ{Z4gjtkU+q7[1RuZ7,6T
;!Ӑ" C@6	sb *`0%hwc%˴XP:lo(XХbX0WRB"-,`S[,n%MXHbDan>ł"bZTiZ1#̈3Bw]c#bzp
dbEaE	W-Xn1XIXQ$;.VqR5e,07py-@viȂ%;Y\)6[,T,9]YVlu0,f]u%d1dQd5Y`dYyaxpͅy`^,?tEi*B`f\34P`Z0-L/Uwpb'+;C!YD<ĞnaoT㝻E&3E	J2(6A tXԫŦxCI~=yKpn&Vi:nfR&UBܗ߶	>&֛z:[ZhYbN6[H-LZ+Sj>ں)fJ}k!:w.KagӁtX:uoVX^yw3nD80&oB5gUfUfU"U>CfY4Vyǡ
측AE<+ Th*p ]Ce!/r!Ӂt8P4~X)2b[n-Hұңvr]9{"9"[37Eyk(M5ۣlȘ`L0&=en07uπw0;7|ȴ`Z0-x!3q
p@`Yg"
D(\-"ql1Ы(,wHTiU81C`ץb朮'4Hۈ(J}k:(܁2cO}^KcNah`GSqJA*R>{S	>_ۓW




m/靄x,@=ߪ<&RAl6TayU+菧Q*ojگї׽zOVm8^ʍ_Y_Ewdٍ{	_>llKu?ܪj{{~zx{zy?^61C!̐e3Bϼ`^0/ȋGU]cu	`B\3!JaA6YQ=omk݆M%CȊ=)Š
GbYB[SfťBz+LcKOedoe[
q8` A0TFAU>hb5Ҙ|vJ46WLZ0fvK3M"
~S6[W諲sg[m&vGҩtْ{MmU/._>)-w84cd02KGAR5qǀ`@0 n]\#K#FWԠ42z~0fh	
ofbAaWYwXHIXH=Ϯ$jWoÎOA#1LTIW*ǫ)3\%b@(
1@(GPv6JL!h'GW$>!HD$:@G|VdQ ɵGHtHU(b&|(A0ay**LhYNXD\k5yawP>y`d02.J\DPfZ*4,HLOl:PjJÚL!1S] nLo'ɡi=s`tmZZð`X0,ҨECO;`S9'
8gl='1B3''y'ufh8KH_TEgx~k~؏]0aWL&icZ0-ˣHL&cuh
f\X_>=RC'63X
3t7➅^##X2b(P12e!cc\3$Ӳ&&״ItMh:
vK4zє\1M£h*cw!&T>E!Zn[̢SӔ>#h>}b5HnV1ڨ$<"/D숇ZhZbfCDPUGνXK1V(|.ANrߩ6a{F./z}|oHy
O7SWQw
j4mijtVv2(Y3tyKC𣛬i֒5Z]V;poJFsr*`
{'Z`VQ‡rZx\tẁ\Bs4~+K3Z7:Yy)FV5BAVY|Smlc+l2tgVU_5ϳ58sо\<=~jU3QgL؏Ԗ%dڨU6FzYuPH;Si+߿>~`߂Oyҥ{WhoG>vrnsNO36&%)mzR
nF΄,5c0
FP	XNȡ4M]<~~"ݛY	#a0EVAW>wEWW7_Jc8ДYz鿡}s\7V۱_3/77u*&O+QJZUm\ArÎ"ǒ{lQ*횮+|- cV0+d"c1X.&V,R`N0'ω5Áp88+!dyYmc+
Kˆy{4"r9UF
]U;^}eQ
QQ(*yeh?q8
A	` `0/3-Rc$$ڙo֯ʙdixm*ILP$[&ika8(pǶe*FDEmJJ5p5-Sy]LA A`!-ha|XmNv9d1E2S,$@L	x뷮L)\L)8S*B5@5)8
L­P!hv@܅<J!JJo%(`J%1CqQB-(IPh
A$6+ &Iq}r$e@˖XEbXlɇl{l!D!$@Rɼz޺pgGfq$1!pil9T3tF5 Elsx@
4Y0{xh`40n
M<
d@}̜ZǑ3D`׬oF^$k)ڴ?fDSZVZ>VNջc40
~-g0v>:#US:>fBךּTQLbe;??Z (O!dS)Hic5%*+B{ޜ(?>||V}mNʍI~;{p[f2v*z2^Һm]֓.Kٚ,H~|b)D^ɰX6o?nSUյԝqX*LM"Ws`ZQŽxX2a]J禒~%YU2U@P`Jyȫ3
PWc FUY̅6BeulGUUD*U
]]ќEh,@=XQHQDߪ3hD{QD´_Ï.*ڊ""B袈'T$' @)Tٖiյ];fYXVP ;FQ`T9yc	`N0'gSpKTp@WD煵
2^kX* 0]>ȉ(ߣ1Q (8B4&U芷w4L9'Lh0KQX*V-tuQ<
B؄HК{[Lə)D|Qa
Ȕ")zI@s%NO\ySSS(qhnqJ&΀8<e`p= rs@
%M&qS'M++e+`Y
[	ydTƕաB5ן\`.\ a@0VlX(H_,VTrVf bS+Eٻ	@H*2*ф2IwR$؝Gλd*ϢB_1ȏUL̢SՔZuE3EEst00nh$8"/DfZVzBt~b0N4LLG`Z̦0AYA{N@	{5y[gXˀNH;ߙm쁑sB[QꕸIe\^"Gv
[sVܨ膭a+
[b<Q.]q|35{$ƞnؓvrvmvvvD]e&"e&R	FK%}vIqٟɘ%w)}0_	-TE/]Er{BO`Fɤ:y-OP$*MP:LRij4
	E+nVceXMaEFaE^VtPNYNJÊ?
cXX>}UrSXV0OZX"!2H^ EA$C["3I3̸ff>7@3}DJU6OT0UёMآ
GGR%VQhT]Kt1c*8G@%fo6O0TxlAP	Q(gQAAAPzKcX1,DDaR0)K#iL`ͶɜMɌsDP@<^uX
q]1_π2C\SqM499VW=bX	i!-OfGZcٟSš^&aqW肴ÅD]5%Q\O\	m[/y
n`ÃS-T٧Zbkj9էZS-jyW'6ad02ׁHʘfN	4uҼu:>{Ԇ+c6\p4\peTÕ]Õ1
WR>?@DJr_&Tb2
*@J똅5uap} AKiS)q+c@ڎ1稀-dx
!74TQ2GQVLsv$	|y>`r09IС{UitqJHGBlKVV.1Ԕ8fos=ไ(f3L̸(LXrCGaf03nieZpPq1"
H\GuC: 8!!T/b4!2B%PxM*V_DC!0:QQ4g:`u3DCъ>%. 
J#>JEΏEC3!-Bi1vj?)AYǍwu_S'\KmzǻCw>O;띛6Up-kGq2J13õV^l`6\	 )n}]orXtM]=\ڿ=?zs
߽xz[AL$笃"}NN|o<6S0 o_^_B&&]Zyd%
>qӋu䧪SjU@=
%S`T:ʠV}u3*bn'Ķ~_EЮz.?dwC>fP1|b
t8u"g4FJ꺇1@7V88J[4԰O6Yz|=ȦMQJ$3`<&i&qc9N0B=n)J漙]MYAVF
rrBΏUB+y+)XTzYAN6dg]:R7c:by>Ivɔyynݏ-yC_D,o"7Υ
|\m\/ߔĝBhaݮ<"6&i۽3HڏwggPK)* uE
l*@P<"*0	y(}'/4 Wqzzݯ*X`5 Nqnrzzܪz
lvJZn)p5NW)ru~L@{OYO1+錎rnV`fQ+
-WR"+sb%A~ccXQVx`K3GOuhe40


Ƒz:L|KuA1J7=sTw-=vqXnǼ#hXt|b(w͉ǒ8'+Zr<+߈uLFcF#lDYRyBTE$B;L##`16IR4MbCCŒt;NS}DLCB0GhZ868%(C(
(g4hV`ZqZ5/:nݖ &PBA||2!$&/3"n'YǗjXgZ&_ڱAr0!
F͠inY⠔&1i:{c`	[tFFMaDh080*=s2!`*J0U}>r>`pYҨ{9dƵtHȥC"S $@h*$s$BDC!P3qNӕz
$J	ɑ AK̔`J0%LUfGgdɖN5p(dd2̑H
EEdSM;Q-Y&&Kґb-(?4ST1*ݢG`)'Al{8M$JtQE$
M%
aDh(8(*teFtDcXXw[EXExWJ_So))ҙRw) 4)P9!b*SꖤL&Ǖ;xG2HJ#r$s@,{ltKJAT@H
e#΀`@0 nQk`F,$;#J{zd;ND;;O0A''y"j
38N2|V>njdhj.MT}d;ss@%͝^TPCAK$}گiLCy^@1-LB#a5B#AՙLřhw}~`f03Œ6QXC]3-L%b~BځFkA0A̠0+T?L$ӌ6D2lc	V˫nzdSrB)9qEAyRS.M"T1	ERU!ZB9Tew(CĈ,Xdkt/c,hh^N'P*#xq|\}֎+6a{W[?cэxT~e	Փ2Ƀ=mz>=
#enu3	JWUtRWU-4q#.i}h)AJwxU^UW^c>0K$Z=eZ_X\Am"M^LͼqzW˳5ݴإ&6]]9Қ
4]Sv7htEL]+MWtM_ٖKibt/詣OZs32A|>	C`{&.\i"V2#PG	u9QjѽiF\Sı86Ҩa!ڡAD0,
LmP"M&kV\W[Y`?;%
R2]~mCL?")KR+{S
=bM\*sڊZ[h+GzЊ=hrȅU츀3"%
Ƣ:v3%Qq|99_0G"_@4ėakEp[…qalœ[?-pR(HFKh9Z0CBSe#- BK;g.07Dž靂9kJ`6-R*VR:VRY+ 4+0k%w
""(pT:ESQudN0'n+;Df@2$m찧WEyrZLp	{ODO"x٘TH:O3+n|3%av{b_ـmdw\%cœ%&ă*]Ybd}:aT|`D,qqѸSԸL
f┬X->3LbQk-dZ0-nQah?E"ԋP;s9t>NMlX6i:MdSzʶ3>0}l\!HF)9SrN)9" <)<qqjL5LA5LETˏA.}ĉMy!^e:
6TR1ȏULLÄ.\A}C߫jlh¬˵f]5z#N|޶	F`g͈T3ՌA5cgp
%,AU;		B @R.鳯[kWS
sJX<"IĴH=UEn^n.ߞ}i[")2]Lp4StlT].EXG)w7Qrp}0u2wӇdB[&#rWmEku(o.?u%~4Ó_)T٥~pߚ{*YsPؤɺB섴7#ѿW>$V_4["-AӤ[ߒv4Tdͬc[3 dOCRb0зʀ~Kʺ8dSw]N,W/چvkµԂڨ[Gʵ"};TOޖ_vo_f320财zoQk9pml @*AׯlUΪpuz>;E6;-fn33
Ld03]x6(Bu  Z-HK8tq HKN)lAAV+\3,f
&Ip$r7DA'cq0]_d3YK%yźt'Zhb]PH\b.YC!Dc
0b(
0C@i	1s\5\'mwޔ?e&4W(>d$6@?J(݄-JMz6Be!j!ȏu_TzL
Doзnb^TU|7͜+a,[ZE
q`vsl;)UI%[4$#={Aa]ЫY=cFߥQ5
:?vGz{^!Rm
`Ck{_;mr`?kY2nǟN8z8i[FwccnA*7FxS|Xdzlz'wXϩNT|ct?º  ^ݟj*;2t_5zt9T1ȏULw;A1|X,VOq
^%sf0֖0ŬI
XC}"aԾkƫ^kwF1%+]/$gJ0%CpנєVB,Lɂ`lc`bFN(m`FoLN4ЏeS)X
%3F#bو8*q2JL|+Ƿb\U`U51T}M,*DPeh`x,
c0b`00WD;cX0,g:c$25L9`b01K"
fjXqQÁ
q#X۷E)U%AR?A"A2$3h*"bvNAxS=O%׋U%WYFgUNUϫ"j>Z
(3>6OAN_SWjQ:p	^U~ACyߍd'lƬE_PXD{>nK;9fKηh)4 4@RX.UxkeEM(t^nֵ֡6XB{8pRl}YV261K.J/}k:&Ώ}Uz7"vrS5XUL$ϮfZhe^7m^b/(bxcQxQx-{1
k3@K@Qh.E.S57hCa\,!SvS!|>)C3693e8`󷧵"5JqpGk$iPphQZN'"pRt%p\F)8#.cp./L&adh͊B,TּF;/u$uǽ5&-4.Z	K_ࢆny. ~TXQ!\(=2jGv=2#=$Hv/04BcLb_,.+p"(#8iDXQE+ ~TXQ!VT5VkJFx{zy_2\r%ȇtZ=/??O/_ڊwU}^3CC9]Wȥ??z{ڻ
\FH>ӒπmK57"D<%Ыm`NhXMm"y"XjgJ 'ۡ#gWua
 4C5=;p:=qCBP_`
+}T Pɯ[cgJ2wj6YgJQLI2)I6ޔ5Hcd,L$@$@&@p(szw."᝺(
*11I@R`, ~TXQC̪5`%ȒR
N	dqvɽf3qu̘W(݊_N|(A(1.r	_GҪo0(ELSQzQ:"DJ^( ~TXQ!Q(IGוX`,l;8Y5q͠`P0(
aK-f^d4(M0o˕4q\FjiBhR6x0#F8F5
$[+DZT󨴐&aH6
Cj1
m\bJ:?Sh>Δ	2,)X2FB) 4)vy]9bLcLZS	0E'NŰ`X0,@e\0.ąZ24k&y#2,buL,h5T5lÂa0X܏J\tC?HQ	b@(0"44L(Ld|
JE'8U#d3KH]*e#uNp4w(2|JçC~IeRi_0;u{}Iz'i_]YnW\|N&ޗևߗckmˏ:㨗=6]㸙Bk`L~0'sޜĬs
]k=^MGĿB{_1ȏUgy'Y}nmL_~*ǷB_GfהUZgkgt}z`}^kh˂WԬK0GG6(A-BWPQaE
[)W+Yp%YΨW.JN#X:" )9BGKp1aOWB^=}U%
^׸E9 l*G6v-h;dX4 zU~R F&"I#52hGffQx`N_!7F
f>
{ؠ*:dPNY$ɓX/ݹQ
mTTtT䌊3B5--4
>]9bcHJp#|ThQͣBX_۟O_{x~*><}z{/s&lr؜eHƐ"oF*sDHGHV%Cvyp`
)
\Ȑ`H0$UԆ<#plJ$T$t$3D)yNEIcxK0G'=q'҈ztVfwfalwpBx
x<`fmJTt3Dnp?f.a{+c,0Ok"wE7L_f_ ׇo_TO9>7|?b~.PUM=}yz&*͡9}E`+.!
*@jdjK˭fyz7ӃBڽyA"2hZWsA_}..c]5kr3Y"C4`bZM]u*ya\&@~sZ@gggLWObEUVtM6ѣ
ӌiXAwmXU:O%"~Ǵa0m.6֣g>ֻ;L&`l,tZ`,j9Lsqe'%im\1Q(Lk#VEoc1Ø@ UF	zTХc1,L s`L0&׊	"	addͼ~>e>'IȷݹaI.f./dB~PPs͆#Èa4'D		FhM:	՜0FggWzL 7ɀ88((3a@혫i/֔0Y[~bpZ!#EߣATV.|=SU\%5ܸs_jqyh&-pa)5qjnF̟`h\	6
L+sS1$Q1齖
3$ш]*]+nd.s'Cͅ(C@@'0$7%Sjb;yӁtX6]:e2(}
YJr)PICcTRB Ra .RAZ97p] TtI8Ijry{rHDBI>*+/>6:Vpa`X\,VM4RXqc^0/o5Pq>@3`/eJz0%a8F12KŘbJns5b(bJEaJ͔2)eSJ+O)qQ]6Mr!)h߀H5Q״z@>V3`E9
+Dym VtV.J8V+QWF]VnT1XRXQ+ywm1!NӂiX-4~-BL&

fbX_>=RU{3B! c9yMvOֹ[$Mbdؔm~"ٔie"d.kziodE!Wl4/a{WRǷ`yxy}}|xӛH9,oԯtUCۄk8/86ܳh&-TD+LUiE精/6r=Tn*衊2zjdV?ʩ{v0
Ay0˃;?ksH#`f՘՘J[	8q-)Æ+y"|؏f2E1E;*zzs1ʲBqUDUkz3HLI陒	4bMp
FѰPH^7V$^Oˈݹm ^c4r,_-^R
^R'n$1xyHxQ:.y!C!89$x!SԨ{-Yr.DfY̌f<䝇	TM"Th}+"Sokz3imiO0W3Ճ.A"]*K]U\V}PVN%d6|P#zZh83d60n
ۓzϿt	(%dW㔂R5bw*xJݳ\i,/lGf<=& 6Ę=1jϷWuzO^03AȻP?:2rۦ~*'ҕ}_%FS96jZ;2>7P ufWm<ݟZT5֡މӫ?{GzokJ;|UBX%ֿA=XUL@ca{.9Iu%tpn"&t
,ꮫv2&to*`(ب/|_9EJkt'}O|tyy5ecXH_k=^(:HKRKBV~a5ݯ]
6bMIR;ɴv3o߷[mM1AK+|;/|}R?f'+w҈X<^Xڱh`4:*}:Cn蠵$5TK ~lcHۘnnmm.cC@+`rt5XA$jqd\g\EbdK9dKcKylc[8,93,QgrT`*0n
.@SD""Xg"ABA
^<
"JC	K2(ڕT"T"z )>8(@	HÝs(.LNOJߖAa`R]L`y8Du0mb
c0GPu(T(s"{N
njEJ2J҃JrP=AE5qHK2(@ TtT))͏1`L"&lkn7&48IÂa8X`5LQ{(ʔ(Pb܁W3?%P!PP
LЀ",b
fS\,av[
m[ɐbJyL|)Steʄ(SLI)bc@/'3%"FnjhL&dI9Vx_ӂiq
f\f3c&f>[XG˸`\0.κ_	Eav!0?̟
.>;~Y rzVNc2]洑)d#Ց6L>z!ӄ($\QD@Zq&yRD-3P1WgVd] 0<`6LWlG`[&E/bIOEjDӵhVǸٚR)FiTÚեP:L)ә9;_u^b:کl")m#fbo4"2Yt "DR#\-ItUN#彩a*jUÄ^[:\	{1[}_~>CpBXvGL_F &m'Lz&LNW=u866+HƦ:Q?6j~삩6%#;oȥy9^9uOh`4,2ԁk
s-%˪ra,=wΔ$q0vEj̱vAt~D
nuQnMI@7rǙ.kr%et.Jlrhrsk38ts(kk;>~c>':;a]i\"w	:nPeT1AXn0,TǹtC/t_	ou\|}-#
Pu@(q@e<0Kg{3εIьT-Sr?<}_}KG7]6-sdn/s` ǧ
_[d'ƤyNٝ;
XEs`nvB%dDqʡՓPgǿJ.3%7v$e
(@0
LQarosG}[{#SOD>ODp]c)p],YĐ,GB|m&FUl%ӂiZD`Dx6ӂiqѴX]D$ӂiqZ-Y`j05|Нʴ`Z0-8|4Èat0Z7Մ:?ҵY#44L!({dBtdO&J.ix7Mx7<)BѠHŴwf%
lt6yeaRIt9'+¤+l҈_v4O9Nvՙ7z
"(uR{Eui{?TԹ
KAN;h(%KtSggzk{~"ZX{[VX<y'kO`_;\SQ5Uh!/'L!t_PDྔHs_@x" c,1WuYfruҝ1ݨSVQB}aTcS钻QՍX
!Jsz^A&.|ޤ*DU_ULD$mWczQpYᡯk`_'߉C\P}-t_eZ^9OrJ\cfpl@W=f.-xGʹ^Zp
3#FΨ3z$#	af
HZhL$	
K0G$p_$F{m$|!y-2sX Y,m;n`LatX5ZD^ɲY̙.*9*9*9*9STQͮRFQj0QhJOJeDT#2̅s!hQZJg1<jɳDTt̐30DicaP(aH_Sw\CS)xJL`[P]o/'E3$223d!R C@($!s\).L,h>J~,>
{='
Eh3Qm2\v7AGCYRd80CTBfٰ06l#<"88N&=ǀ9
	C'q71M9}C~+a
Lr00	SB*STGBq/Ň^c
^h$D$T$t$pFcQ8nBq}0F#ΐ
scvnLpCAG6z{bd)QRswTL9%*c8*ơV1yNExN*~ m6T'h5Zd@Dck%0m cbiXY6?B:xND^Ĕ^)1Th'+{䃸?M+OVtQ H;D5zU˥z޶ZH'L7?M]T9ݥj.UDG9#B^g$>`D\" )W譵J5>|lPE]*wi~?^ޞ^T~zRV0Vdo?zxJ*LLUt>Z'u{3d9[a+˝g%$UK?NmڔmJF;ǫM;m*ArLr5h4&LNmJڴ	ڴF\˝PRS9b{^M@P) y) VTEOMnӭjE,ԨEӭmJ^dR^n1+r`0ni:Ȕ4nlok|DܧJ1eO
BdM'Yh#8'3">SBDBOXd%#Ҩҍ{UrgܮN6
YxYu͹=Ow5PAb7+f_TR2, ]YXCuyϥ"Ӑj1*E{sDT/EªRU-~TXQCUؼR՗'BUtP]XʲUUI!D	cI	ӥUOL	ZdNKs{W;ҼnuFePEczAnj;9@}:ee]R;$
+fYq۬hcy<3㠝=
4B(BPԺK0G=q!@ACQ FXQ-
@ȁSY
X[zNEAޡ`:,)FA1̂d!>:
㈏KO6뢢YXkճ
F`78QԩEMCQ'Q2"%HXu.APx	+]!,A%HR'%:`RS'2CaiI]uV="mErMS&pH{+
"RUR[ayk~(Uj=_lfd3`P78}rCTTyQUo46*r]QP~o'=v
qjH{%![vUzƠf"=TI;)m(#v+Ċ:_
낈o6BM-f[{]#ot~ =f)Iˮf̮v|3lߐww;=ջzq+>rށ۽xF>{S:G>ItH"#HTHA(HMxWptN- DOomkob/(b3(@ÁLOMMzjzUWLUpL!`H,G z"CTp@T@Qp.xG%W2.޸;^!?vG9,K74+144
L­R!Fk4_`j",̾98,O5y1`9lX`,s	cv0q	C?aQ/:DFܝd,0C0recaf_hkT7b#04Bcu 7
:@,fYqX]eH=&	2+A"L
ScI8Y`V\%+.jxpAUa0Gn#	VKDq&uAQFQϣW<ÏymT_wN4:CEf5^.*l*b8J
x6U1wW] VS|qrNpBsA( kG-$xsUO'׹ F\T/1&u1s1gIAmrս;Fph@(pӿϻv.ksç`<:,ׄ :0&Pb㩽NNl'탧l\v]d(
b*{Aa]S!ff0U_PǾ*=Mn5I`tA
5\sV?,ckI\c/(bZ}=1\@=r]5XkJ5)t՚1sch,c0cP
낄1#j$Ո~f;3#Y1a@CRpBN1ؒ(pRdpf]5Ūa1ۂb'dB5BPͥC.7\J)T.(A%Ԓb.k?KfH11@Q\o`[q-Rq	Z0n

ZΌ;+\J!o)`J,MCmQշE~uϞ$u߽

{䋷
BK0G1=q1}=;z]8GBĔ]-SvL1I얠2RFZx	J!t`:,fv*gbvAP~~W}TBTzTvJ/
?*Q*s}utj6YQ3ҺSvN؆LSV݃1.&MK5?mox{?=<s<%}I3!]u^Pz/nϟ>?~˗]vUfrו ewv)ϏrŞn#7>׵|d3 |jwu"&,sJ[@JEn
b5qŃ-msi
£drdԯ~cc	ByQ/G_f##+J+@(GBY%翘o+_A1SP3KjB5*HãSL*LNO Tq'gqyAT;N:UQT)LdpĨǨRU*~APQaE
TSkt3(Mr5XfUWgA'UbrAd֣4>8%s;bh	IMzM*"@|RZhBjrdN}iv4IJ_23̌amx%FY"^	2 A;l3/:ktLM&h=JJCD._M
ݾ(T

M8b4c4ZMvAP&XQ-M@ANT$Dq}CB6d|`qEϕ	G[nϕCAsk
,BcPެGI}_Qotp`%@>k*ucExxd{&Cti$Sa|p
W'[	8sSv,Ȫ7`/?0sـррQPmOmhh^ڍBa5whhhx[xNg?\   m t(P~hdzdzTMd:uLɴ=O!Srt9cV=iu)r9HKJvk^$}gǛr~3UJ>]ODI~_թ>je+IekL_+.E&UO}cO??_,6-#͒>.]Q<';VhJ$\//G}}gw.BOo\P?ײgD6v7"tnu*:Hhnݠnaoanv7aC}hxhxhxxxX7/׷MKۦ/}җtS'KUNt(;mA|J@F},^~n\;[-ww[QnQ@[zWn?SsNTlzlƝXۥJI+d&o)veDe;ʸ[\r_=ԗam>EBBwE̽pH'?0vb҅*Ց?P~%|mo;EMΎГ?\ܡ~avAagQUvCUl9_t=YG`~ѿ(BۇoMn5o"1"$EEQd*ώUvCUc<~vuB[gnPv?˿O?o1
O,|Plr(ǿ(t쳠"Ör+@pg@M8Uz}U#儋p-QNlވшшk֎ļG.UvN=*z\H kT'F]E6PŢ~g"B穲vUDUS{]pBgN+0gVՁ
G7Vn~A>"$1`T
q(Y٪Z9aaa{‚,|XP*E+vm_oIp~=c~2ְފHlɵR47K+ȸj]D>)s<)q7Ü/x9T|.1,ƽKVG79,⻲eRY׷ظq6;n͎/~6[7!br=&Com&VT>Urmjhhx8si7oߴEj?r]???FxRxUw?,8t=;YVAi666/6a}+]yW


oGp+lhhhx鈚jCF+Ɖn٥{jDiDiDymD9	Cbշ3T9aaa[bfwUs%ywήThhhxYX


I3M3f6|~čIlЩemR܊ƮƮƮ
:w/C:LVa
FQQT[`^c0Wc
F|7gI]o+/!=Gw_3
€\?n!P;yh]X\)THE,KE)QE>򷗟E	\ԧU_	.ꫭ\
pW9e/	%-
͑)YĶ=.ʆamM+.k1$E?E/J.}yض{vP):g^P)w:x8@U*zEUvR"PDqǼשw#hhhxmj]ofDnb:YryI/kzו]բxT~ᥭ$OOןWql|u$utZ][_gerhwL#Lv!k5H&!ϭrK¢I&>/RGƺ`m3N=@xOO]DSrY2L|(Cdp]D]QwrxoٔԖfTO`S)&.yKC>'=KEIyMvGu*
+(8[0ۂ4vmw󹚣 yڃKۯ?75njJk/1lhhxcK+Sd&nyB:~.X{l]BM?^S\r;LٲMT:MTǙ/aʩC NHc.#*_9r&x=hNŋ8Ou!^tsŋ>2r/eӐW//y^qeO.˩NHMmaDDWD[}بѨѨ
ڲFFmbcEcẘ11fF[yV>2mxrS.ē+.зeg䎬72t"-3z-QUM* c5ϓPT?/Qr9w]Q2T s){YS%!zdz%Ywe





wyϟh/baU9mWEŖ;Q-O>||+_2u;$BįO$]/;^V?4 4 4 |@>z{uE~<>H3e(y9}?Zo9W޾;GTI8bπ'ن':B-ШШШ}PABMtAdz B$܃Hx/~D}ǹ|^\ΟHDʈ߫-#|\{Usy'qqqMqjgUzs^=>2
5LI|x&ux0q7\^#:{\P2&B咽35B%݃JzP?~T4@E7\_0w,T]נR T000=bn6Q````){-ܼׅ/j(W(*P8o(l~iï	(PJs:B2]`..8\v(k9ySFQCCëóվ7%aLB0
_e2emG_S$S۫`ۘfg=qGGPl
3khhxx5V4V4V|+V333?yͯpS=4|?~n_~+=W
.9T9Lωc"?42L2=c&2ɓCtd52Cm{	Uvٕ_#ܦ
_m2vϧmU_-[6i!1IR$w+zm/4xsoLOƔ?sŚ;D>}˽go<~<_/[S?rc~nނΕv寴{%}UrO>I
ks:Ϫ{?ZVkEou^igM9z:sѻ~oğ~Yj5ܩe,E{/0?41?rʹp
2WIpf\Vp/8a:Pn%O=v[&q~%9əw۠4W􅹢5gG6Ȇ/.X8L39_s|~t=Ũxg'aqun_m__吒mFٿjEgVN7aUG1---;Z25h2?Uڶ/g2zev9])Sa)Sw`~8MvT\;*U)q;*%W	?D{~n[nU?/)I|eL=ǥ-SMRG{\Rtrr􎀦X󹎚{01/&xZS1~ju#hQO}q,z:HQLojUV.OI}Q*%tLܢ<*^S=muJghsd/8oϠ6n	ýEk{0b\qx?}sGbu5Zow߼qQXB_oϿb.8~wϿ>SyMq7rԂ~[dsEG9=v/PKJeyjΝ"\rL5t+j72$KfR@NdRTQ"tjH{]a/+~T]CU+D|?oB:"RD|UPU"P:tͼ5mHyBBBXx08[c/J

R<~8LJ{w.F^oW(<+z@h|R9ϫHu


!֎!ECC[C.X$o,yK2cʆ<ƔeJȔ)3EL'1%!s)"~XQQQ;y0x׵ͫ™MS	(aAR$nHN)nZ~K:y˩<v[}/Xe>
CC{!_!i#Cv7ɐc^nʆW;	[^Lٲx8*S.8o}Ř2%cJjLLY˔)+1{Ho۸ииֹ]tcCcCcbæ;qov&4B
_ɖVir04Ys$?IGhi6D&kySFQ#F#F#+'Ƴgo90\"ݴ/@+Y *Y.?0\rTaxR/$>Y
7xFFFC---^4-p^REE7EVkhhx^VtoDFFF{WFF];PRwQ`rQ}ldzdz4Md:uw Ӛ>N">
m@_
m@;Zx*7s+gȼ?X~!~!"*Gў=D=_zhs__~'rgx:CDZաDadarQ{ ->`mwAw7o$ƍƍƍ̍nJKb%EnDݎтh'%Y
s
-~ngђJ\ynu*zgUNhְааb9>%L),m$NɂJoUzY@>rO|,l KFaϒEWڭU%BwrxFFF7O=dU]?^ΐK9E3od"
y!"$=C1$U!CZ9ʬaaaվk~'[P98 f<1hlLO'2wx'"$=bA|ɣM-WrJ





o
dа)]nBݳ->
?+~'[RRZ%dz9Ed}J:Yԣ,OQhhhxxD-[hlgrVٲe7?ْ6%mgKzl7/{YGGk:ެAAAkCuoXXXXu !ȳƠƠAO8̛wܽ;^wx~޾o^P2=cF&2Idrb?~b2m93?3qL[hGh{҉gErעxeu&ׯlDۋۙL
oۙ3N-?;†crY'xcS1Ϟ#e+IeL_+nk<9zpX9AA1"*v9KH)ʮNJW8^Mq(NFh$V
۷V
o}krI\9饀aWjC\Y%|_|e?9h;&'#9tJo^Yo[-@_-72% }8dth_'OOqONuO]o?\;|)v"G;ϕy_|s"4;9ZաDqt[NqnO[v[O'w-:Wuꎔ-WR2V6~UW{|}CܘT4>ף,b#k/I73vWW(,7}-7:K?OujԿM7MHfX(ł=	vr{kXXf,D|UPU"tk~/B<`-t9=mĂK,<H5,\{.,o5`B<܏KJ߼.`8g	$BON{2MĮM*a:ּ͞NAL0fkt%Ûl~{ۀe8*8Hut2߼;yAQڒuEM-8dJ({D)xiKN	e|+2k:RA]s]۞\U0흷ȽI?@Lfɟ=Grko}>/3uv_SK~F9jz
[>Sk[aX{ɮܮkoxkGguOE|焁W\\q-7<QcZU\bR/Z׺F{ӧ?S}*lD}}/|[@^rt
Zf?Poy&򽾊>n|MFg%N}1nƬ=Fe2JB_x)WQ{\ϕewbxg)A@$G鍴ЍFs7%4-vioLrBmɨ~?Thԇ*qZB(k麹((v]g76<PܕJiӁK(׿xܙ4(-T |¶Kc5k&Ik\s!ݘ|MÅnCDs?/\Z#`ba-ua#B³a!^urvX(W\plƌƌƌ7Ό~ŖSW^4YdY[躸,Ȓkb{zwwNY,t
Yb#Vihh~8q98,w9sIR9AmGKaL
&h\,g=&~ACDCDCěAıqCI\GYk|h|h|xc|d *Yl9x?xz%h.ЏFFFOnX5:F:=2xFD۶$Wӟ4owӗ|٨]PqUq2t͆zUviؕ_SW̟ǯ?Je23u52~xX)uG'_/u~}QBo?{|蒽%{1۽%ٍ{1۶mXnܓ-RwR?4\4\4\|?k-ڇ@˓xM*j*aWbEO|&uIw}


!}KPBד\BU?dʙÿɳ埿m{?nIwhک8]pD±"E8]=_5GNV	zw"GW>zJw<_nHo뿶ߪNŲ~WyzW߻9;_:M|`bW <x_sYn{:FFFM-$j///"/~)nQ~#D#D#k&aaaaFv
}Ry)	<0Ya>vv+RV+w6V4V8gX;9#wY"uww*744|8wgAP~?JP%h"qR]v5䥼ܼ/Ak.y٘kZӳ82pU_Kqe3A_te\*{>p^qٸY:5..lAAA-C{U[Wz*ZC{h1
-hAwCFg@KwrFFF
}l߾ߔ*fS=F˨ |!~#UwJh훠5B4B4BbBJ0}))*rK^~SPqT.*_`'	׃J-Zmhhиo3sEE3^^@>{C44|@$J-hhhnp=z>PPPaGFFFGɧ7UKO8!QcCۂ$w9.9ޮ")CRx1Hz9ꢸJŷkw`M}!gCSDsDS܂x9.9
ޮєSEeǔ@
>:wtűsG&{LɎwίה/+с/[,t6?
zJS^KSKShq={)
iohh.xB
]ik|jk|^Ӛ wzp=N^tQΝww
wɼ^qt0w7ͺO9Pܽ`E#%k9QuZՇ<m8j=R9(c=!dJ,l6ݛ~^?X5Bt.Ɣsz*M*bK…iyJc0C#ωawE<}F?-cBl]LJb)ٙ1)̺=B:Q2˳QFa\: ;*5ea^q̃2وP1.νuLq
}ovni	“ |x龴VZ9RaZ0i٫86fO?41G8¢*?<쒋d^kr9nҠ~X|)Vsv)^A۩_~0yHn!'{5/AY
5%Լ3gG24+uΙ!{hn;Uo<{O/+*s\Bj֖P&.Q]?ya8GgLHkutX^B;K$5aLzk{J
4S>5&K753U)k\hEQœvAZ۸NţeL`fH!t!i
Fli`&;؁N-Rs[4Y)Cs*^hb)tQM>8&FьwwsL{=k,B~2΋TaRvOmA-hѩ3g3Ы'eӜ."Q~.M`l Jm,ht,ԇqAl8=Y$y8M
VѦi	Py.YfH8FcBdܔHN8+HJ=͒:ըQi;Nlf8QTyX!b7$!ڜ$U?c`	qBeilᅲ-^2pE3jv w3L.kQʙ!/y `C
l4ؠj]l7*&97aӒc`roh="L6nŘ@F(O՝40s%bed4b"M?F;XRL.ijIh렸#a%"F	-CU1Qaoz;=D	+|'>2
{3fFȊUE2>0*9aZݍ8vU–*%<ШFe|JA47RYz|g>LٰcRiVɞ@(nΉXVl=	fL0mԂ0	#~4PT&ryme5qиnť޲xړoaq+wSq"ː&>$tθapsՈ?3./1ư@bѧj,UB{vDc	83Jp+5siŎJIZ9ZGPje\	q-l)uADGv?f—1PELdY|eC'ggQ~q;*Ci,d>d,Ů;zUO
>FkǨ/a1r13CAuANٙj/yq0igBqMZ[+?6'8G-\&MUgm0A4	,? i4r9-r9\38K4)$2~3|}D>M\EHxšU{57]9+SxTVt:zc?HwF'3OEO5PW9߹T1lF07uI4
կrPj3:ly;PU&\Ebtǔ~{9J?,~v#.}"$,[؀MjE	!8ҥ[#ʛ8bء<=kM;4Jh4j%CH@;Jj*񦓪?ʽNo!90iJ9kPz,bDo\dTX[ Eѩʅ.P{B&ˀѺ*G@ %8'1Ն#j4b,aBai!:U\^:rKJOS7})r
nbf+*\zjEK`"ӣ(G5`X?p?|Q)4N˽`=+;1	hdpXlaF8P#Pbx7[k0C91¸rs
zLǖ1L`6Ș
jz	!&|WovW=d XdÅOO{H!{C1֏ţ1<g}}H!*aqvS!T	e}D>G$& \14-]G}CĻ ~%0Tow$M?-wsz=Zb~Q}Ĕa+->Dt':J\uuA:Ő,2l!2&J[w ݫf24oy3(T	+	0{XO(Jܜ$I8Q,7age2[2ɳ踉ߓ.#tty+NECס'";jmA	bL&q|;WML}9ÄiuL-=K!1t7eB6(xQ1{'[˸DÊI]$nCbMXT.8'UNF%wҡipZA.]2[Ur1ōAc"~hx|U?ZFA`KLxZcz!ciEee(y|Aŏ@!qr~BA/'V	b;AɈ/R[XY)y]ʛ4߉`%^hNw 3~»tV#j\sOa)ML4<M>6v';G!_]u=jACêEެN(R?Z@pqI'
চ膑)4x1ef&\Vr/vZh2Ds2OIֱ|O12<%DLF/y1'ÈXߙ8	kH`aTUpN Cևؑ`4V؍Vm?]"
M~c#g6N202nDw~ñ)erH}Xq1]7e=9ɐ3p%4lq|2gێMG|Q_g:{EUc6ҬMO9z@[F|0p}1*;a\6JR.;}/K!NUcmdvX;P!yՔRW9s22]baJ)dgβ:Zg\[<I2zN㢖p+I\DIsh[%	Sx;9;dGYxibdI^q'G{%2eK¥@I#ˎh g)<鬈_}ƧGMgeb7Cge&YM+z
W%sGe"H\KZ+B622uw5ݴSXLSp2qykccdC+C/w]q%rhZftx%ćƖ$r;҆IRFЃeg	݌iHuȔ;J^
@(G~?cPfr	\B.!'1;1;OkiB'IzL>H*@w%(s9lBI{蝠r%UBA,(qf0%t]S/ۀ㷌B?NS/͒z*BܒÆwv.3-` IŸݤFQa$ENP"-"B-<I&YMD?"A3?3UNzPNGF˨\
dk²^K1JDŽ[txy$Zbr=XKi J`%w҆VSjR,:MN2L^k:rA9Cy	{e@^0tb{PAwNOoN'Vc@~}uŐ
l%CJ>Hd\C^f{A{:V$#d*l&tG@Բu,tҩNC[P[B3ꈫM,O	 n冉O8sb俱:U!Wܲ$B=#E2\pfqQ
Ƞkg2۹RI#LȁYl'MtDp'H..z?ElC#ʀ@2#Yg 93W1DI:\I MmHIQ<U:D҉Q;p:!)L`Y2&4xrG|󶳤d
w+Y1+K8@ $cNҩI5,U2=J-cidwqw9eGx؏a80X(=;7J N@ՃA|.Blb+4EuN-D$FxJvEv#Wa}#A`WݜzV3@'ÈjHJȩ_knj;'*]02ͷ{.8&o~Yz5,ĵed7DUXۃ@_A-h
NT$hr-Z*Zt2,͵	e# nh$;(bZfIN@7MK	}.v/:GSa#6ңT;Jl'⛥Fihl(\df&`1|3cq=|8]}$b%dXT
+*:GՈcT1'*7.ty0NQ, ]pE)uSB|/D0-Txde(j=0KW&8W-D\>d
\Bx%7DZO]𤕲'%,Uu^Syֲh\LS&r82X/2S
tɳwhH:| ӝcPK,Dc航|*)zC:8MLё1rJq'IPGJ*6ҒT?=y 2磹8iU",	ǹqB'S)¼{n&Vdூ,kf\+aVCLu)K*a&]&̊39w}T,Sʎ&*@L
~[]ğ3ͩycK~	>B+ɪ-+I$skMV|Rȅ,
I/'I:$JMvuN֑)5҇@?p@!В\Qyz{vkYc;c*$% c#<
pg\Yey>BȀ5Zd<7c
jQC)Q``~rnc%C^%-_o1Lj
?0YIBL:ɂp|]/W'F~?Ǐ%Er r\@#y=b.ռ]S'9q@վMſ#)=>2"TgD}Bgq/6/Q.K|5AY51T} Vo^;@o4h$^;.sX|0̘&g)ӤnS~D1Tv]i1/8tӌ$y6ٷrDm^*/`I>>^2?O~4?Ҧ\:ʐwg-QZTX&Ȟ^fy꡼?nh(Ⴌ%K_vpi)>4jC-fc5F}W9'yfMTX
1W9Y2csىߺd>aarQDgNI'P7MmA<[uOfYfex_>()PE;IO	o_2)J\U	\rs̕aNAIP2=gu!P20H|DpBed',~@k^7>Ձ^/3/+	O6aptZw#AXGt<id6265B!CˌZPx'Ylf8+5}@k"	I3מOfE=-RnI|{^Q-QFd<,##^<zyEݗD'f-OƆhQ~dHPyjʙNSa֖(8g\-is.+]
tR;ӌĒ_l%xzʜD4/̽L
Ͳ>P6.m\de)YCYJb@z-73ZeXGf
'*z8S5c HxzD&eRPffpk,^/WfM<BX4P>!Vb.TwyrA1t/SQɜ=FYzeQY\dɨtΠ%2?=ttE,vr#8n2=%c/j]/IQ]6dX1ѪO8v8 ]pm/6c{(;|dy9m0S!YM`[Vy
R7ʢ6$-nMϹ*peEYe\$QU,$Jކ%JʶK\;%S|xI*'
"Pԍ9cP>f~w?Df"tߧņXg.v.vv'˼E`w˔=עNv2+`<
R`MD1He?]D@ic%,d}1/*'zmrtdZ`EA&Y[r$(b"Q2)r~/Y) pT9YxP(W(Qf\iYLdxdq¨%зY7-XӤd1utVR`d6O8mU?]nkQyG梶oٍŊ/d+
f623ep
d$] ,]wE~Mis(yC
Ned@[:h?k$)N<6HĂkYFdBG;O,v#
QsO@_ėK}A(ı7v⿁d&<_$Yɜ%D2ꔢ5~f܆^փr$[j.&XqhyyJ߼l8N#&I2SUeMDxfse}Zb]hF]ǻ%8<";P&(1mKϓ~=i=Pd/eRю0*CuOAJb -
d'Q^-SRcbeYC-Ɠ8 L#߰HkIdF✥گRN-i":3-}md)	58.{مeXhP20˰v턘Qa> ;!8&*2.8 {W^=ڟ,:unvl~Y\810ҲQBhqb+8'TMl7LgH=Iv?F4ˎ8\KVBGL
 @Kg1".YI:YfEN6FOdmlyɒr%qYy=R?Ԥ
q㾲un;I2^My.C$ed;
G̓])5*BBY5,,숳qnMlH8S;XF@ ST]Zɪ
%?WrQOӱyMK	4&
bIb@U.tx|SLuH%^U2?lN91ɒ?{ݮ|4cd褌"EeP\	'gY/y8t.ʎ^\A?71٥HӒM-)O.{I.`25_'kg6=b2!*LeeX{`5O-%Qޞ¢\'Pj=e3s\R,?C8A4	w&L-A	ңl:kvȴ)#`$-&Gg[ku{j$KB.V DQZ#O@w$ju9D
WɾoeT?Ȧ!I0ʬkG%&ނ,'^Wl:-QzyG&{bi}DL;X|yLؒW9a4DUjAD8V9G=
s/rx-[H4%U0*eLi41BiaU.ɮ\,Ue	r \p
epG	gdK?t?IE<׌*`i|+!}Ih=%*ޠN9p@&c21XY\Ђu^tàa `sqvu]0S;8v<s'q'?{zL7Ɍ?f$ݍ2Cy[@^ƩL?+C$C~_plPPo0DG?mULYplmeW6Vʶ/E(= Sj~EGgH'	6l&`$mr6(k[eO5nd=dAWkD=]LWs&'
pq3ϴl3ڗ iMƲccܽ>/2)YUl%*= {`ILs,XD@S@$y7$/Bqٿ5Kc5\F2p#Hx`	aõKW(uWp %\!\r臒f*G6O'3!\J^UcAVNtZ&Z	}do\~&<:p'.t9ȈR/s}qĵKZtM6bhT%Լ$\7pa%,e62Ӯ^hEA0XA6cH:j:I~m7+2(-p[ge$wv{U27<Pt%Q([hNr-Q""JqeT9bJ SX=$G T"ӱpN0S.KN4ޘީd3E,,{{XEz I
%/y+$ LőU"~ZT:qBHM&0UI/,nd0=G	L[dlNCb^uCHe%CA!_$)~4h= H>k6YKu"QtǛ-cA/eA*A/#$J\)	;A3`ͧ잋N'Y3Y/
=02tsDGE$9TXSܲ]ɛdO&H%9>trz;/xYg6^}ycq"]z{$i9[$L,\v;Eɶ4r
/to-@q
,pNv⒙ny0JUghl%)A~CGٔU鹨|Nu<,a1K@C~vdケűR8td'~9+{|T9C"{=0݊^eIe><]d㽞[3dYK}r:%Nu·Q
p>nߨ".^ڟ,`3!O#TA*!R{8e{
YUS[1rܑWrOAz	ԐozJ#
&]d׊<Fs2&#
@gM&ɑ#
.;xۀM_»՜uݬ*f1mTEUb5Y`%}
ck>>*IeO! ^XU²/u
	kpwX0J<}fE+X-Ov_/wO7Bd{
LNf
a+<-
\ݩ\O_ƯVwe[9O'uYϺɮr-Dx!iomnXS޹D,qIposÕ?]MV_PnavEWH6nvT
?3YkMuL
Gr'Ԣ]]6'X"vYX0:A[$R/$B|r5siɮ!Z^iczʗ
@ yX)VjQE>ȸ_5o*!]g֪COv[I&ղwTWTL84oAay;w\FfG&NH^a׫vsc
"ZaVFĉO%q\#o6~yVlCwbDӜz;,Zcto\h9UT((n{`9qe0zdqJ=q([6se` onbAovɻA-uP]
ư׷k<~6U@{3{_˓$qϊퟩA*Tlz0cRl[/Hvڢ|jMr$uzp˃vk$}f߸99FtZO>u}LuL!A
tfؿq2vEyMxb^j~gGuijiéNgJU}?1EԢ=&kۡS+2UYmhRu^D"1uwO\ݤn\ ӆ|<ʥ۞ŶN=ʀ#}av>O+hA?KOet|?߸i
4{5=vۉpo\&0?~="lILG{O$0Qc\u8=Yl\ѷG
WOqymب-}Kp}Fj[hG[v0O߅>~Zb5\^qqcjvښ@2ײhI6v'h,e7JGm1vBч5"+`7ނRF>Xɻ[$ϪkX^"(ԬAŶ"E!K¶Es~B=ҽ	A$j
&˜[TN
["2Zi7'g_E֏kq<PqqI{E3T8TyMʾLoU?ᥞ4h1RT"ЛB.pL_baʋ$t\v-NPo˫U;n.	l΢`>oT5oRo^A+<(V~«
28yQ0X'K;]zf?!,h.wG6q%=)}ɳȤVݲ	zS#ft`;uWɞ[ _ElmxDu#8\M"@\),;Qq>&3H&j07 ou[=8}oܾ9zzڮ}C
?j *Z!><Ƒۑ_|@ye!	ط^[K$8J3dmS&| 9u,cե'IIg`ފF&𼴭sF? LF:)yrIų^e/!yLۿ^N@*3&CT:,'K
ϑ2zHd#~'9Ctf*M|{^!~4 ;@
R76I@mt'C\
SF<=Rjb
~+[Lz
Q\9jX&_r[n'R>XЬlRUn?z6q[u,q@s5y6+pi.Lf"KqϮ۫mU02*IAyAyo0c=! TJ0J_`n/$v)&)\ҿqQw{BM@j效Ne9`M^߶dF„^
ҊmS3{QZu;K:`uLGzb"$4azǑ`pE]箜7ąhk
ܾ,&o3DcWE0Yk:|w.Q33cG%N@(2}b_oحT1*?AwX|{URHN襺IThGpҪd+;UTܽ$¿r@꫕͏E=+g;|=ɂ%۞DMo UMʬ559p$\L>0knCGq}/v2)kxjǜlm
	,[034aNP65ZU(W4|ĆblѫgZ^U}k~
qP(~qwaN1x:d~w)v=]CŞX;	[Q'%\F8\>t<~FVwIl
'"9$D]cR[vr_Xނfn
9KCYΫ&
&4/[lۇx{u6'NrG9m{4"z]_?Vny҄‘?xP6C3v%[6De`BŽf~"5-@p#3]Ћ'kQ/0J.{5q) :;T9@>aEiŘMRʗ0 ƫ+?ڄYMNk	D̒'UA[
yٿ$.{M!s[\ۆ.oіP5J{%"rd%3nƒ78OOq4<qqG	Vue2T~{*+fkA0 H+ >ͶV]78
þr%l! \0ϞEl+ޒ,h=iJ&O	&n;]!1Ozyg@n#r}M7AMu65JFI@9@.rawj}zh-el)m^vٱY$nKC^nz]3o\܊<5}XLV>:B>y<&f^lZ'&v]ҡBeF}a͡lU4
ָ4J|L536o\XJ76Bo1
$%;rTÂzUK`p1~WH@,˜WL"fu/]gGY^|7pvƓLkbr34C>a}^yT}] -KqqSEq/q؀,jUxU5(
dz2\Xde2QQ"-Qss++o' a:|T=?X~a;#y7?c*+fN'?&q88
[oW陵tkjÆg3$"qpC&o'Bֿ3p/o	Mj߆>5-WOϩt&db_E.vY}H4'\nS3IAKίV36t'Pm]WRBVܽ잖%"bO@
hy>7U+'T)y UlWO3gFk
jn=Sl7IN$YgC5{dgL7yePei9~Oޏ|kFpt~;dQܶ^air=T2pU4/ltvZN-]u[
ncWX^L{%+qU1)a'Gϕ5p^=W2\38Zz(0:5mT
N᷇@h6
YnK顭`YJgn
^cYgo/
îVxkXY
G^/|o5if
k]0|À׀+&p֛@/U;|g]qYa֐.l3[G4T%xa2ҥFVמ1kuFLh`n7;H=f[Z
/6ʂ0`M¢NU3d4~wk]Ovϣa7w'@ɣoZL
=y?Ftd[I$&q{:!Eߓ	TH*8OWkeYZf:Kx0
D7V;c'%j[5)=y%u0eM|ly!LZnjd5Jj~
7{­,Y$\%T1k sBnKڼ-J@HL3:wFX>UU}T,vx,$A,iut$EQCTa\OV"ڑ{Ty{ma޷[chqKŷ)M'O8+57A;\n7pcTslg^LM:>!F6^EOQgfEV+5Χp*wZ{[nVʌYt&	Z!]0lv&^ǩ*J`@^|!n010#85]ZgMѶF\1M.(mӳޡWXąjq8VZPf}^}M{[*y@ٕ;ޣJJ<ƿt*xOS+)Uy<*[WA]G}
["gk_o m?Ƭ1?r'3MyС#]Y48D	 -U{b)%S;jk40kq=]t9]CJ?AKqeL؍=P65jP+e‡ƻXSp՞
_g";yH0/_w7.Qg'[ԉ9}2(+Ƌ ű&߲d5ZjSl`JN}C!(dxXɵ
-̢ 2_g(O&WvB6`JΟfs	Ҭ㟡 &e֔{S0̿z\5:т395*p?CAsPU?$O:NzԌ.'p:?R_
î@uz	b
X֜)jt=eqI2V{<TC4V"(UkT7ڌBIf.t}u"Ti۹rUT˞N4E2@&zV6(wLLmweKu${tt{^rO*k=
?'$fDc*.v~ۮ+6@㡛ZXa<{us #N^q9Z9fxDhEi/wj#x84 G.+TynYQ"PL~so|TnD˽D
2ZjyMGgP~Xƍ/PsIa=pߵ{w@T	j4UG`9c[?bdI?,*a"\|em^mu;{h4ci0i{&w<'f'ZѳfҮ{ǩC2 ˆސd~jkGIiB2hBF.Vqܰ>h<"eXxg(+2dX=$y]y*3a*֨cK^.k)ԆC29"^_bXf,PQiCv[4 xm~m6pkྩ8ɼzC3{3]G=$v{ś?zN'5`HxwZ^E^?kjQvw1bmT(W`R|$=7"xHpvaX_jfvBydӎk[}޹̟ŨY?ʙ/
7(ϻn6[گo<UEᱟP0`_J-axܵ R'jWe?O
-.*
FbpW-e9^wƹ[Q&ZA2I|HI@Zl.uk0i;+Q]aV/6u,P;Р5}aM<2A(ۄCU^?II}*8NUTZvB"fS%_Xm3%4@MK8ԩˢ^y
TDAe0CZo=IUzى.-ǚU	}bW3*$E7@N$^*m3VpNPEPVԾO]#o!w/uiUY4)~8L4-e>q%u4Zm^0npڤ䫟^۳*0U=wt;~7*}b4zca69@誫d=W%OK)R#obfMVZDL\t2Zl7]ѻ]׹B:޵O6cVbճ-(kk2W
ayK8CUS&Nt%o$Msp>DgVm+
ΗmV6.Y3+^I^lmvT!J;ړ#̆Jjd"2t%]GedXx}uTj`9֒͟17WP
F4|q~DIjYo
m4"LK :R=[jtAҀn.R~H˧ݐ4UItxvLj?LNc9c5]yGK7Hy2p߬R$!fQ(t@zT+wjpk,Cyմ[`FTHZU6J|DբyP6}Yx;x҇xy@Y	$f
'̔K?R$:U7K6ZD̰Th
nv}״xO,I-%Iwa'aj@}fhP5X=6Q
ϦZ|#@
Is:S
^7%V5}
S)dD52DĔ*cҫêBTk6NZMYvShg`ܤ,LNZoGHtKh3Eey{[AG%ۄJ}LZ|y(ti>Tu]fwnVT宄_}b+
9u.!%kw^&'6R^-B Ty#M
U	)+
^gw	
D2&itK*Sj`/˄rS&Z,Q>l
lNS>y^mT޷WSrWǠbw3c/9:_>҇h3B:H.nT!Sța,]$|M2ޖꬁqZ	7D-*BfQL9BL[߿`\PX[,o6573=WX|E
<+Wu!+EoYEiNwʬs~ʞlE!d6y}6r{5R&l6HW K?}+Afjp[qTw+ee[huTNuYߟ[/OJSya[c(߽~X*xiBP*V
(gឯ]}6wn-M4oamɂH/ZN}1 CS>yi_whPY5Kū/%Xqza!=Ets'uT7n)[d&sPxwM0HI	~yn]/3+IXkAikjl{{4KL78U9[)Lڲ1MxOzfp0٤)
ԚNQZ!TV`J
.5LdOYؿC9WօhsB@z
P`-G
̧%k`ͅ~8Yt{6~M)qݟ[vhwkgB h>l,T`鵾h.MFOS0ǣ×dk"5u[U'끗DqJw=NN8`?Xf\|Uӽv2Ko@^hkyYJ;kQu7"adkk:
6N'Ɋ'OԵ@]P$?,G%Ig XY0)tZb$hz5p+"x0GqI7Pzvʲr?*6T\kྩr	6I,V8a7h;zR*AC͸udTND%	M"wVl&	*J(X쾾lV(?YMa~5Կߟˑ(dZI1mkyΦ\Pa@6BJ^Uӫ'1Wpv3F=pJz c1MSXMpŀC,dX=2lz3-nzh8vY<2kCv{=W3?D$i}39 /Pc}XV毻r/+aխntJSng(Aqْi:O+tӫWi!_jj.!жn l-sE5r?ȴހx2`Vɂ^Ub5
ٓg1:krGwU>Vs#Xzouu?ȧ]Λ6KI$)JWG#mMz,тi7)zݘqUZμ^npmٌwp/r3E*fSxx:GGmWZ7P/ẩ0G*qכq
7MX~ۿh?9KTdZΨ1؋gaetov=dREs]w=S{MP6|vv:>?tFku7NtLn۩4x}5`6Z3:Ȫig6@ c|r
zRλ#}f}W:k{J!lh0q:*'BAuCkk`ܸ.fO7WS%{E@2Yq
[
"fg?dGUÞ^X˦Qv7ɪ&9ĺo3f G4	lv,	ڭ)gvjr	PQ{
D`CIPF#4@x0]}
縇)-4~ԻՃt0)ec!6z5яboYut7wݵTPcYUl:yW@PѠH#|{6*8gγX
lz4o 
yY>4hZ#otߝkWQeS<=`TEͪ_qZPhcKFk*pŸ[2}xԮ.þ
J
Tnԋ$&y(닿Fhj)١,B8RA(kEKc?~Tyqwӆ#DlVJd	p{Aao$F[!No*^?!ejTU,LpUIUo
V;P< 0\sr]]IҲgSV:ۚ͡5^[$0̀xᶀz>2?Ҟ<= N*܋3437Wu)~{}L)OŊp6swLY06&JzGq.
.C:?
ҟr_g9p.-.NثX4+c}Aђuqopqmuncg<`
X/ӳ-.Lni WMgA7t_AXzJ֤dW0kܿkFofR?ܴPdbu}CvLxg٨u@n=-wT\vB?CI3xHֱľ=
ֿQ`Y)'ꭘo(x{!H`Jfք
<dR
w?<6">2(;]VĭָX"d
u!lR}Uyxhht구x>xW1uŽϢ]3\1YݾWXG"~?zТ꺮4tA{i~@SĢQ:u
J^-<2]]JNg@}]O@^ z^j }NK\IJ{)FU'd
=i oUjO:h/cVߔϻ@ݗ^	q
[3*>R5l-1
&4XQΪK_50lk= `k6LAkT5Rܪh:WmwW\U#y4wC,g\{lO3pI:r'׺Ea1ed
(yh/\Ju\n+kJ`9~HP+@YoH\(u?~[ʼnHe
yR5t:n5/}/ǘX72GvZkr:@)>RPqVde-\dfk{]\ǻW3=Pc WңvqN|o#
mA̷Ij:B/6L`iU,d^EN&{n;Z46TN+$W7u9ipX}̎z%~=5_?u:}T**˰F_B1-ldx{ۀouەRV}u%פ]l׸VW7>-O
Š}ln'VeGW68 1F:	S\)s=@D zc"<;uFx/uwϫ.+fqtP"%.`Hު<_?ptk|nQ"1s
o."s}*3fV,:*VFj|'n rxo`zv@ܲXTR̐[6:V3ʫR9z	9r]5,JߟAƲ@OnhoCXR-[߈^E[q^E]{=;e/G@-amLe
7d޵~Z7^?/i+
VC7w|!;yfy|Ҋ:=mԃy?_M,f{!^$w؇ṇB5mm5-eM}ϧf]^
H!Z=ħfTPYڃ*e#˰c_lwo;d,TZ&/MU$<(O[X30Z3LL[UO@p1`XIt0l%1z&XRx_P	kY*J4eɠ,/K
@'$CzNvJA]+`gbB,Vm5@wRiJC\7=0I3;^):u틃L6s dҋli^㩢3ەUZK}Wcr})Mz*v2, ;XTמsyǥa{N6]az,.T~૾R0yt k f%2Qʐ`5!pwㄻviRsoik~nfVi-W+.;I~@:_⃘0<4wnfǙdhk`:B]5]%0/݌^>)I
`-gWǨL	N[)fE:+ipخUA}؜7kuμ2uE!j*ƑֺTX꿞jx1OViUA7Cyݼ,me=syxhZ2!@|XcT3>'kNTr8vw	39'->`pR٩xh{ e(#@VuXgiݢ~)#^I;YŊ@!c>kf][_xAP%_īYN3%% Ҫ)N pƢ @hiy{(t]]{|斾D\U: Cc}VL}oK"S,UQ%*U~R'UQ[OƟ}TFpTF9TF}
=ߛ'"yy πK}Lz4kNh}ZdUk[S@(._Z&%(X=Repښu"k pi+wYVDgjÌE:K='P |[c؉4tk1lu>jRF+F(Q,.*C0جS)6Br0X?Ĝmʓ>߮I,ʣCƒ:}57s5!~Z1!l9:V%5'ut*zV*{)wO?ۙGdóDˆ5nS mUZDmŽk4eU+XJ-Pg:O
tW>Ї9b2T
O\y՚V5Z~?Tyha4SՋy/6#z_ߗ	`aPq
ڥ
}.)GozHYZe=HHg:&	hodڂ]Ca	īq:kPm#8'JE],2d0ӺTUW׆4%gik`+9gfvRw:Wz+rHWB/|]6N5~Z)TF19E}DsQ2.&^Z8zfk}#?'
yo;EӬ]mEŎש_X~* iқ"s4UN'50mДg L7NJғmk4uv
|?(opC[*fs̈́`/Xa÷ʼV?M@ӏ{d,:6̨'7NI<#ov*0rf𰻽^&J8,|.|aV/3|)Ϩ}oٗ.V0Shf쐩v| k	VSxV˓gya0k>zb `*7K(8<ٸݣ5ݏu:2}WTeU<]=2(8ijP 2PuG<:ynt\
~ZU(ՋLW-m'
2SC-@Ŭ}ΠQ0͐ 5Pk=oXS
$ϏЕq_іLm5Sh3>YĸJ(8FZ{~Xzrjsj٭nӎT\ګ0Ev1M^VLgO}RwvЪ.t&74}GsZbf;U	W/le:|8{e(swU;cǽG**5y]n2Yt=at(
D:e3F_1ޣZFݶXuQ
buA-I8vrWc0G|qG'Bj&tqeQaV¥=rT2Ar'jgxT+G>I#j*rGmkT^O}׎t׻	T,D`	фݹ!.?@B`0hPO4wA$Ni!\r
?w׷[gNSܕC`	L 8Ԟ`/y-l])'OHG:k󦖻V`TC- {^N(rh{cpZVK%߇ZIl`HO$)Rk֐Θjljl2Z얻U[ku\{\wsʩZ;֫f`7ڍW:~W\aQ<حe^_DMXZf弚H#%]ڜm=˭*8[2>NXs6>ݒ50nO9'FW(6S\w[lhpW_Ku+я5,ӧ@KzR]ˁGzԟIZ7|]-^yiJ:Ȍ;ݾ<յQ;x|:s0C~,5?Tivt2:?{>ǡ>9oqv^g-h5܈7s|}:2õd:5gn
[E0Q43Al3k'g
R΀hWweN˩:k`f눣O'RppZ
Q}/<4jWnGmԖ~FW*զnFG@zײk96u3-GC}^^C^b%K$|-Uƅ;fy)i8C/si/&Piq=Wa'jƭn֩u/C5MNwՂ9 l1"50k^pYab ]C-O%+C`g+֐>Zح]npZ~ycH8][&x*}*M'5pl-'wmղII>6Ef_?J	z}x8e'Vf]q>w]z#g]ѳ~Qy:VoEG/롪֚M:꯫x
`jٯ(d±q'1Yȣ'VkY_+<KL[gy^]0-JbƽE<zW?T`2붇YW-:rHd/M8~ϱ]^]kUQҚ=2F$jp:dmDͽongߏ׫|88o̳qveFYAUcJzX~F{|~?Ӷk(n]YW6h59<ǻne{PWIVCfEٳw{yd#|#vءzi|cY'":|ԏ7ڙ>_j	_:CKxKiDd*nWZ
AlzYh4yna|gS=(klņ_-	45mY
8
12NΦz8V+ .-LbtzJn$,pv,˚W\*tqkn
K9{vutհ;dq#ι,gKsૉdAImIYIw Ѽr2]"ھi!)m'ͮ]?mZ}Q=7{JoyM3`KFlڝeimo:PbCADyndnUT+Tj>X"֬i
rQ s*ztVe&YJH^j궟v8*?يMB!RGࣥ+ŋ׻~;1YﲼQ"*qq{խFzÒ4^@U5gX,7LPL$vuvKt$IvXD	zkdw,!O:D8N}?$I}ax̶1&|Ôhw{5K3\T5P##kM9w#k|*D_ZFhfZoQ+}uقMݮS`p̔9g[Ku%wv{k^`|`t9&{u"ԕoOM.xo:f]?d|;OmYVvhz0V5PEbx[&ky(
mq7M%|0K`/DV@#O9L?
ʳu9wrjо&؜J;λ
Rl?DT^ml:l1]95@C#gY4JD`x扬OL$AUֻ"Pѯ^R`y5([mBf.@궖bEO+YpXr{yj1x\BZ3	qi'@Ck)C#؇b*CS\djԝoIUTI^zg.ݟ>VC~BȊ:iH	z7r-"R+~V=PnDfGjKtzՓ
he
Ԩ6Ղ'MBѢcs6DG^%`T&~Z޶u
U@oQ51!
ϔ
lzZ:6r$ciQ5acyieѷ+ZLT,M#[%-)R&OcKǍS=tO{A6@SpW+PEĢGi}.!htH
//e!nB-9t$Dz+CJswX!ż5&DUl\5w|@PeUn^Qo'sN{f
BzI[\'k+Imb;~%	VDsB)|U\8^ylnW忒~
܁&GKbKĝ(cإ|x{:Ԁ`fMn4@7=*p%"rG=]UɪzEFҴ$X&s˞5pEՌ|X6=jA4
)"\œRd"lt4C|
l&hC^6I
q?741J˻~mSGe5H!1FL˲WE3kz"gUQ؜O#| ޯo8Urtr\o5F/Nj֭
kB[5ˋxAZʈU$#GQoW=?:w_@..zPG`
LW*Ly@H:qBCkKtIwӾJjQw&zV0:_Xv$PSȱI	 ':㮁Lv齽dP}zg\`Dn5$	wm0:nC	R
OS	ԅFb<{͛+lׯͮ+XadAJm6O!GߊF@tyq5Dg#_@Y[W1h S8ܢ'*_Cڳ?$xط
_9+gG	fYQl/=
HU/w/9U[:%Md'4:u
`yg;kңc'1/Y*Ps
Z'I&XZMoWUד:q~z@H-q4Jha
,abqļfO˫:{#΢j+J| aFUIJܪ.:|ft^GLk`🬬)!vkꛮxCJ5]ݒZ6X6sq{
OSz
Y
Q1Z]{T
㧰D'`_~xzyo@o<4a7Dۛh1gjh-yOg0<~x[n|	g>ׄ
h^+i­q`wdk!xn޶xz\>}wwàFK^Piq]cq:I立ɾVbF_7~Zy.vZQk*Kr{kmlɐ,UBTF3jssLc
̐_TA]2)Y;&n+$"Gk`SuZL*=s|uC%v}vu?C)z7ldgz=x7 ']sHK7RG6Ɔ噔]XI0w~#*M*]-#;G/ԶcӔABjY+ٞkzzY1(s';8gï8D0~.Wg{왏={j0l޷lmjޏBE:ۮ룜c)@Mf!Maq>riP z[imY
7k0\k̈́pZmޤy	Հ`aogLj$蟿Qx٠ja,
"tQĎ-G
!BXdv@;fQ^ݽ7{afaiw	 *=TF"_a|6,YyYES)P3OA<WCM^=MКYpԓhfۯ"s73?˙cjLe)'';*%5B//8U3t'RU	7ـdoV@&RV2f#,)ݧ:|ה𐜬{!jHuw|Ṻ85)z?nM*~hހ
-g 	繊0l{g*.;#S1kxn(1_1Z^*lK/("ܿك3j먁\bJk}Nt6'xKg
*j5k[xkh1vi
L5n5%F>|50oӨwzZBTmy]pYc=ɫueW1֣9t0l	
3'/co}
;$ҒEG5KwH(c>lfo k2H2~xYtaDw UB#{~U;Ez*)YD6qZ/杬ik|:Y'r{ތڋpa
fp'Zul&|
f

ġץ.3EۦUPԥkMyBI)X0W^譳zo

\D3F{޻70"$D&kX,o]O<-(P
%_s"2lW0}Yy`*D;@eȮPYyk {z|$6m#?}lQfd's?SM~l4^rukfv@_<6f66WI{;_UġhSPϬ9;?Ҙß8m9'k
[!M~b]ܚye–H^rٜkB"$f^W"Gr'ͣ[PSpyKJɞ\J1xX֍AN!A	+Ug
l=yq⁨P}Vz*};Լʼ[q5)lh_D\JOGow|LKtRԠt=L%d_:
[X}c^&'a{
ӣ\r祙i ELjcq0KX!2H@T%>.εyopfa'_¡}&eEZ7>IH`B@$۩.
I7}#be}7=rgJ=vA`
7,T~!z)xBzTTdӞR??p]JVlIɶov
why3-1.6.0/examples/prover/ProverMain.mlw000066400000000000000000000066041440160026300203500ustar00rootroot00000000000000
module Types

end

module Impl

  use Firstorder_semantics.Sem
  use Firstorder_term_spec.Spec
  use Firstorder_formula_spec.Spec
  use Firstorder_formula_impl.Types
  use Firstorder_formula_impl.Logic
  use Firstorder_formula_impl.Impl
  use Firstorder_formula_list_spec.Spec
  use Firstorder_formula_list_impl.Types
  use Firstorder_formula_list_impl.Logic
  use Firstorder_formula_list_impl.Impl
  use Firstorder_tableau_spec.Spec
  use Firstorder_tableau_impl.Types
  use Firstorder_tableau_impl.Logic
  use Firstorder_tableau_impl.Impl
  use FormulaTransformations.Types
  use FormulaTransformations.Logic
  use FormulaTransformations.Impl
  use Unification.Types
  use Unification.Logic
  use Functions.Func
  use option.Option
  use OptionFuncs.Funcs
  use bool.Bool
  use int.Int
  use Prover.Types
  use Prover.Logic
  use Prover.Impl
  use list.List
  use import set.Set as S
  use import BacktrackArray.Impl as BA

  val ghost sdata_inv_hack (u:unit) : sdata -> bool
    ensures { result = sdata_inv }

  let main (base:nlimpl_fo_formula_list) (gnum:int) (ghost st:'st): int
    requires { nlimpl_fo_formula_list_ok base }
    diverges
    ensures { forall m:model int 'st,rho:int -> 'st.
      not(formula_list_conj_semantic base.model_fo_formula_list_field m rho) }
    raises { Sat -> forall m:model int 'st,rho:int -> 'st.
      formula_list_conj_semantic base.model_fo_formula_list_field m rho }
  =
    let root = construct_tableau NLC_Root in
    try let phip = preprocessing base gnum st in
      let phip0 = (phip:preprocessing_return 'st).preprocessed in
      let phip0m = phip0.model_fo_formula_list_field in
      assert { root.model_tableau_field  = Root } ;
      let gnum = phip.final_goals_number in
      let gnum = if gnum <= 0 then (-1) else gnum in
      let rec aux (n:int) (ghost st:'st) : (int, prover_return)
        diverges
        returns { (_,{ contradictory_assignment = s }) ->
        forall m:model int 'st,rho:int -> 'st.
          let rhos = semantic_subst s m rho in
          not(formula_list_conj_semantic phip0.model_fo_formula_list_field m rhos) }
      =
        (* Do work to define them outside the loop, but harder
           to prove while not more performant. *)
        let unifb = BA.create (sdata_inv_hack ()) in
        let unif = {
          unifier_base_model = subst_id_fo_term ;
          unifier = subst_id_fo_term } in
        assert { extensionalEqual (smodel (BA.current_timestamp unifb))
          (subst_id_fo_term) &&
          (smodel (BA.current_timestamp unifb)) = subst_id_fo_term } ;
        assert { forall x:int. unassigned (BA.current_timestamp unifb) x } ;
        try (n,extend_branch phip0 root unifb unif 0 n gnum st)
        with Failure -> aux (n+1) st
        end
      in
      let n,r = aux 0 st in
      let s = r.contradictory_assignment in
      let basem = base.model_fo_formula_list_field in
      let tr = phip.model_transf in
      assert { forall m:model int 'st,rho:int -> 'st.
        let m' = { interp_fun = (tr m).interp_fun ;
          interp_pred = (tr m).interp_pred } in
        let rhos = semantic_subst s m' rho in
        m' = (tr m) &&
        not(formula_list_conj_semantic phip0m m' rhos) &&
        (forall x:int. is_fo_term_free_var_in_fo_formula_list x phip0m ->
          rho x = rhos x) &&
        not(formula_list_conj_semantic phip0m m' rho) &&
        not(formula_list_conj_semantic basem m rho) };
      n
    with Unsat -> 0
    end

end
why3-1.6.0/examples/prover/ProverMain/000077500000000000000000000000001440160026300176215ustar00rootroot00000000000000why3-1.6.0/examples/prover/ProverMain/why3session.xml000066400000000000000000000122701440160026300226430ustar00rootroot00000000000000










 
 
  
  
  
  
  
  
  
  
  
  
  
   
   
   
   
   
   
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
  
  
  
  
  
  
  
  
  
  
  
  
 
 



why3-1.6.0/examples/prover/ProverMain/why3shapes.gz000066400000000000000000000043371440160026300222700ustar00rootroot00000000000000n#)td,x
2 E[]eeOe,YX"34bi7?[Ӣlמƅt16Z:?In}4ld8}V7K2oYy'r%ݭ9f:l`nٜڝ/F.N~#Y.a)|4n{ϸmp}l~
H_hB^/iFC*i{lA=qaT:uxml*.Oݑ('GXw7gn-g]~x2xud֧"5MS0&[_}pnH*\.)-_f<|}4sww@Z\~0?jTSs4;p?SwUUUO)ǿLSܯc`T%,(Xи
T



c&UUZTZTZ\=-ʶ4\~jx@rXWEr.Kn3nA***n
o6oƫwI~'$8@QIB*
}	I#Iua11oo***M1j6Wt"


kGsYWĊ\YCOV7
JيK>٠pTUa`/Oj7DwGm9nwo6%ewi:c%\ZG-X0IY8caЃǭ@wgze+p0u}Beܔ~tYDْ3{lF9u^[k[w*_ʙ@>:x<|eohULT-mz=9hOJf(`(%P2;dv(($dz;;k/3Scʎ[o<(z^`#!;$QbN2c2Z`Y,}I0uZ9KFq5Zԑ;d̡qd/
ITFӒi$6,8GBQLF6Ƞy6>dAJ'#Mt,  R29rQz6ڛ=)d$jiXÕ
BSD2MṴFu*V-SF*a$ϔ+8X|RDЖ[1ANJhluقJYl`*Ve$ns#$1GyBq]fss&J5BmXL"sV؍Q7Q,Zh[YF_LRZ&CCM9:-e+j5ǜ(THDs9bbޘRYɜS9aUYIUW{shb0pCHtHGD
FǬT6b&QQpP0\$\gϔqI*Zj
IE.ЋDs"
)#,xXIzLj6#$Γ.)=p*ُLT_ҖR#/V0dm=PlTLrҋGY&RH5(PXzGӚNCTJB"
 LMa4i>@5IRs@'ĽBmwhy3-1.6.0/examples/prover/ProverTest.mlw000066400000000000000000000355761440160026300204150ustar00rootroot00000000000000
module Types

end

module Impl

  use ProverMain.Impl
  use Firstorder_symbol_impl.Types
  use Firstorder_term_impl.Types
  use Firstorder_formula_impl.Types
  use Firstorder_formula_list_impl.Types
  use Firstorder_symbol_impl.Logic
  use Firstorder_term_impl.Logic
  use Firstorder_formula_impl.Logic
  use Firstorder_formula_list_impl.Logic
  use Firstorder_symbol_impl.Impl
  use Firstorder_term_impl.Impl
  use Firstorder_formula_impl.Impl
  use Firstorder_formula_list_impl.Impl
  use int.Int

  let imply (a b:nlimpl_fo_formula) : nlimpl_fo_formula
    requires { nlimpl_fo_formula_ok a }
    requires { nlimpl_fo_formula_ok b }
    ensures { nlimpl_fo_formula_ok result }
  =
    construct_fo_formula (NLC_Or
      (construct_fo_formula (NLC_Not a)) b)

  let equiv (a b:nlimpl_fo_formula) : nlimpl_fo_formula
    requires { nlimpl_fo_formula_ok a }
    requires { nlimpl_fo_formula_ok b }
    ensures { nlimpl_fo_formula_ok result }
  =
    construct_fo_formula (NLC_And (imply a b) (imply b a))

  let drinker () : nlimpl_fo_formula_list
    ensures { nlimpl_fo_formula_list_ok result }
  =
    let fonil = construct_fo_formula_list NLC_FOFNil in
    let fotnil = construct_fo_term_list NLC_FONil in
    let c0 = construct_symbol (NLCVar_symbol 0) in
    let v0 = construct_fo_term (NLCVar_fo_term 0) in
    let l0 = construct_fo_term_list (NLC_FOCons v0 fotnil) in
    let phip = construct_fo_formula (NLC_PApp c0 l0) in (* c0 x *)
    let phi0 = construct_fo_formula (NLC_Forall 0 phip) in (* forall x,c0 x *)
    let phi1 = construct_fo_formula (NLC_Not phip) in (* Not (c0 x) *)
    let phi2 = construct_fo_formula (NLC_Or phi1 phi0) in (* c0 x -> forall x,c0 x *)
    let phi3 = construct_fo_formula (NLC_Exists 0 phi2) in
    (* exists x, (c0 x -> forall x,c0 x) *)
    let phi4 = construct_fo_formula (NLC_Not phi3) in
    construct_fo_formula_list (NLC_FOFCons phi4 fonil)

  let group () : nlimpl_fo_formula_list
    ensures { nlimpl_fo_formula_list_ok result }
  =
    let fonil = construct_fo_formula_list NLC_FOFNil in (* [] *)
    let fotnil = construct_fo_term_list NLC_FONil in (* [] *)
    let c0 = construct_symbol (NLCVar_symbol 0) in (* c0 *)
    let c1 = construct_symbol (NLCVar_symbol 1) in (* e *)
    let neutral = construct_fo_term (NLC_App c1 fotnil) in
    let aux (v1 v2 v3:nlimpl_fo_term) : nlimpl_fo_formula
      requires { nlimpl_fo_term_ok v1 }
      requires { nlimpl_fo_term_ok v2 }
      requires { nlimpl_fo_term_ok v3 }
      ensures { nlimpl_fo_formula_ok result }
    =
      let l = construct_fo_term_list (NLC_FOCons v3 fotnil) in
      let l = construct_fo_term_list (NLC_FOCons v2 l) in
      let l = construct_fo_term_list (NLC_FOCons v1 l) in
      construct_fo_formula (NLC_PApp c0 l)
    in
    let v0 = construct_fo_term (NLCVar_fo_term 0) in (* x *)
    let v1 = construct_fo_term (NLCVar_fo_term 1) in (* y *)
    let v2 = construct_fo_term (NLCVar_fo_term 2) in (* z *)
    let v3 = construct_fo_term (NLCVar_fo_term 3) in (* t *)
    let v4 = construct_fo_term (NLCVar_fo_term 4) in (* u *)
    let v5 = construct_fo_term (NLCVar_fo_term 5) in (* v *)

    (* forall x y, exists z. c0(x,y,z) *)
    let phimul = aux v0 v1 v2 in (* c0(x,y,z) *)
    let phimul = construct_fo_formula (NLC_Exists 2 phimul) in (* exists z,c0(x,y,z) *)
    let phimul = construct_fo_formula (NLC_Forall 1 phimul) in (* forall y,exists z. c0(x,y,z) *)
    let phimul = construct_fo_formula (NLC_Forall 0 phimul) in (* forall x y,exists z.c0(x,y,z) *)

    (* forall x y z t u v.
      (* xy = t /\ yz = v -> (tz = u <-> xv = u) *)
      c0(x,y,t) /\ c0(y,z,v) -> (c0(t,z,u) <-> c0(x,v,u)) *)
    let phi0ass = aux v0 v1 v3 in (* c0(x,y,t) *)
    let phi1ass = aux v1 v2 v5 in (* c0(y,z,v) *)
    let phi0ass = construct_fo_formula (NLC_And phi0ass phi1ass) in (* c0(x,y,t) /\ c0(y,z,v) *)
    let phi1ass = aux v3 v2 v4 in (* c0(t,z,u) *)
    let phi2ass = aux v0 v5 v4 in (* c0(x,v,u) *)
    let phicass = equiv phi1ass phi2ass in
    (*let phi0ass = construct_fo_formula (NLC_And phi0ass phi1ass) in*)
    (*let phi1ass = aux v0 v5 v4 in (* c0(x,v,u) *)*)
    let phiass = imply phi0ass phicass in
      (* c0(x,y,t) /\ c0(y,z,v) -> (c0(t,z,u) <-> c0(x,v,u)) *)
      (* Universal quantification... *)
    let phiass = construct_fo_formula (NLC_Forall 5 phiass) in
    let phiass = construct_fo_formula (NLC_Forall 4 phiass) in
    let phiass = construct_fo_formula (NLC_Forall 3 phiass) in
    let phiass = construct_fo_formula (NLC_Forall 2 phiass) in
    let phiass = construct_fo_formula (NLC_Forall 1 phiass) in
    let phiass = construct_fo_formula (NLC_Forall 0 phiass) in


    (* forall x. c0(e,x,x) /\ c0(x,e,x) *)
    let phin0 = aux neutral v0 v0 in
    let phin1 = aux v0 neutral v0 in
    let phin = construct_fo_formula (NLC_And phin0 phin1) in
    let phin = construct_fo_formula (NLC_Forall 0 phin) in

    (* forall x. c0(x,x,e) *)
    let phi2 = aux v0 v0 neutral in
    let phi2 = construct_fo_formula (NLC_Forall 0 phi2) in

    (* forall x y z. c0(x,y,z) -> c0(y,x,z) *)
    let phigh = aux v0 v1 v2 in
    let phig = aux v1 v0 v2 in
    let phig = imply phigh phig in
    let phig = construct_fo_formula (NLC_Forall 2 phig) in
    let phig = construct_fo_formula (NLC_Forall 1 phig) in
    let phig = construct_fo_formula (NLC_Forall 0 phig) in
    let phig = construct_fo_formula (NLC_Not phig) in

    let l = construct_fo_formula_list (NLC_FOFCons phimul fonil) in
    let l = construct_fo_formula_list (NLC_FOFCons phiass l) in
    let l = construct_fo_formula_list (NLC_FOFCons phin l) in
    let l = construct_fo_formula_list (NLC_FOFCons phi2 l) in
    let l = construct_fo_formula_list (NLC_FOFCons phig l) in
    l

  let bidon1 () : nlimpl_fo_formula_list
    ensures { nlimpl_fo_formula_list_ok result }
  =
    let a = construct_symbol (NLCVar_symbol 0) in
    let fotnil = construct_fo_term_list NLC_FONil in
    let fonil = construct_fo_formula_list NLC_FOFNil in
    let a = construct_fo_formula (NLC_PApp a fotnil) in
    let r = construct_fo_formula (NLC_Not (imply a a)) in
    construct_fo_formula_list (NLC_FOFCons r fonil)

  let bidon2 () : nlimpl_fo_formula_list
    ensures { nlimpl_fo_formula_list_ok result }
  =
    let a = construct_symbol (NLCVar_symbol 0) in
    let b = construct_symbol (NLCVar_symbol 1) in
    let fotnil = construct_fo_term_list NLC_FONil in
    let fonil = construct_fo_formula_list NLC_FOFNil in
    let a = construct_fo_formula (NLC_PApp a fotnil) in
    let b = construct_fo_formula (NLC_PApp b fotnil) in
    let o = construct_fo_formula (NLC_Or a b) in
    let a = construct_fo_formula (NLC_And a b) in
    let r = construct_fo_formula (NLC_Not (imply a o)) in
    construct_fo_formula_list (NLC_FOFCons r fonil)

  let bidon3 () : nlimpl_fo_formula_list
    ensures { nlimpl_fo_formula_list_ok result }
  =
    let fonil = construct_fo_formula_list NLC_FOFNil in
    let fotnil = construct_fo_term_list NLC_FONil in
    let a = construct_symbol (NLCVar_symbol 0) in
    let a = construct_fo_formula (NLC_PApp a fotnil) in
    let b = construct_symbol (NLCVar_symbol 1) in
    let b = construct_fo_formula (NLC_PApp b fotnil) in
    let c = construct_symbol (NLCVar_symbol 2) in
    let c = construct_fo_formula (NLC_PApp c fotnil) in
    let r = imply (imply a (imply b c)) (imply (imply a b) (imply a c)) in
    let r = construct_fo_formula (NLC_Not r) in
    construct_fo_formula_list (NLC_FOFCons r fonil)

  let bidon4 () : nlimpl_fo_formula_list
    ensures { nlimpl_fo_formula_list_ok result }
  =
    let fonil = construct_fo_formula_list NLC_FOFNil in
    let fotnil = construct_fo_term_list NLC_FONil in
    let a = construct_symbol (NLCVar_symbol 0) in
    let a = construct_fo_formula (NLC_PApp a fotnil) in
    let b = construct_symbol (NLCVar_symbol 1) in
    let b = construct_fo_formula (NLC_PApp b fotnil) in
    let c = construct_symbol (NLCVar_symbol 2) in
    let c = construct_fo_formula (NLC_PApp c fotnil) in
    let r = imply (imply a (imply b c)) (imply b (imply a c)) in
    let r = construct_fo_formula (NLC_Not r) in
    construct_fo_formula_list (NLC_FOFCons r fonil)

  let pierce () : nlimpl_fo_formula_list
    ensures { nlimpl_fo_formula_list_ok result }
  =
    let a = construct_symbol (NLCVar_symbol 0) in
    let b = construct_symbol (NLCVar_symbol 1) in
    let fotnil = construct_fo_term_list NLC_FONil in
    let fonil = construct_fo_formula_list NLC_FOFNil in
    let a = construct_fo_formula (NLC_PApp a fotnil) in
    let b = construct_fo_formula (NLC_PApp b fotnil) in
    let r = imply (imply (imply a b) a) a in
    let r = construct_fo_formula (NLC_Not r) in
    construct_fo_formula_list (NLC_FOFCons r fonil)

  let generate (n:int) : nlimpl_fo_formula_list
    requires { n >= 0 }
    ensures { nlimpl_fo_formula_list_ok result }
  =
    let fotnil = construct_fo_term_list NLC_FONil in
    let fonil = construct_fo_formula_list NLC_FOFNil in
    let rec aux1 (m:int) : nlimpl_fo_formula
      ensures { nlimpl_fo_formula_ok result }
      requires { m >= 0 }
      variant { m + n + 1 }
    =
      let symb = construct_symbol (NLCVar_symbol m) in
      let symb = construct_fo_formula (NLC_PApp symb fotnil) in
      if m = 0
      then equiv symb (aux0 n)
      else equiv symb (aux1 (m-1))

    with aux0 (m:int) : nlimpl_fo_formula
      ensures { nlimpl_fo_formula_ok result }
      requires { m >= 0 }
      variant { m }
    =
      let symb = construct_symbol (NLCVar_symbol m) in
      let symb = construct_fo_formula (NLC_PApp symb fotnil) in
      if m = 0
      then symb
      else equiv symb (aux0 (m-1))
    in
    let r = construct_fo_formula (NLC_Not (aux1 n)) in
    construct_fo_formula_list (NLC_FOFCons r fonil)

  let zenon5 () : nlimpl_fo_formula_list
    ensures { nlimpl_fo_formula_list_ok result }
  =
    let a = construct_symbol (NLCVar_symbol 0) in
    let b = construct_symbol (NLCVar_symbol 1) in
    let fotnil = construct_fo_term_list NLC_FONil in
    let fonil = construct_fo_formula_list NLC_FOFNil in
    let a = construct_fo_formula (NLC_PApp a fotnil) in
    let v = construct_fo_term (NLCVar_fo_term 0) in
    let v = construct_fo_term_list (NLC_FOCons v fotnil) in
    let bv = construct_fo_formula (NLC_PApp b v) in
    let e1 = construct_fo_formula (NLC_Exists 0 (imply a bv)) in
    let e2 = construct_fo_formula (NLC_Exists 0 (imply bv a)) in
    let g = construct_fo_formula (NLC_Exists 0 (equiv a bv)) in
    let ng = construct_fo_formula (NLC_Not g) in
    let l = construct_fo_formula_list (NLC_FOFCons e1 fonil) in
    let l = construct_fo_formula_list (NLC_FOFCons e2 l) in
    let l = construct_fo_formula_list (NLC_FOFCons ng l) in
    l

  (* Quite good ! *)

  let zenon6 () : nlimpl_fo_formula_list
    ensures { nlimpl_fo_formula_list_ok result }
  =
    let fotnil = construct_fo_term_list NLC_FONil in
    let fonil = construct_fo_formula_list NLC_FOFNil in
    let p = construct_symbol (NLCVar_symbol 0) in
    let q = construct_symbol (NLCVar_symbol 1) in
    let r = construct_symbol (NLCVar_symbol 2) in
    let s = construct_symbol (NLCVar_symbol 3) in
    let x = construct_fo_term (NLCVar_fo_term 0) in
    let x = construct_fo_term_list (NLC_FOCons x fotnil) in
    let px = construct_fo_formula (NLC_PApp p x) in
    let qx = construct_fo_formula (NLC_PApp q x) in
    let rx = construct_fo_formula (NLC_PApp r x) in
    let sx = construct_fo_formula (NLC_PApp s x) in
    let h1 = construct_fo_formula (NLC_And sx qx) in
    let h1 = construct_fo_formula (NLC_Exists 0 h1) in
    let h1 = construct_fo_formula (NLC_Not h1) in
    let h2 = construct_fo_formula (NLC_Exists 0 px) in
    let h2 = construct_fo_formula (NLC_Not h2) in
    let h2_ = construct_fo_formula (NLC_Exists 0 qx) in
    let h2 = imply h2 h2_ in
    let h3 = construct_fo_formula (NLC_Or qx rx) in
    let h3 = imply h3 sx in
    let h3 = construct_fo_formula (NLC_Forall 0 h3) in
    let h4 = construct_fo_formula (NLC_Or qx rx) in
    let h4 = imply px h4 in
    let h4 = construct_fo_formula (NLC_Forall 0 h4) in
    let g = construct_fo_formula (NLC_And px rx) in
    let g = construct_fo_formula (NLC_Exists 0 g) in
    let g = construct_fo_formula (NLC_Not g) in
    let l = construct_fo_formula_list (NLC_FOFCons h1 fonil) in
    let l = construct_fo_formula_list (NLC_FOFCons h2 l) in
    let l = construct_fo_formula_list (NLC_FOFCons h3 l) in
    let l = construct_fo_formula_list (NLC_FOFCons h4 l) in
    let l = construct_fo_formula_list (NLC_FOFCons g l) in
    l

  let zenon10 (n:int) : nlimpl_fo_formula_list
    requires { n >= 0 }
    ensures { nlimpl_fo_formula_list_ok result }
  =
    let fotnil = construct_fo_term_list NLC_FONil in
    let fonil = construct_fo_formula_list NLC_FOFNil in
    let r = construct_symbol (NLCVar_symbol 0) in
    let f = construct_symbol (NLCVar_symbol 1) in
    let x = construct_fo_term (NLCVar_fo_term 0) in
    let x = construct_fo_term_list (NLC_FOCons x fotnil) in
    let rec aux (n0:int) : nlimpl_fo_term_list
      ensures { nlimpl_fo_term_list_ok result }
      requires { n0 >= 0 }
      variant { n0 }
    =
      if n0 = 0
      then x
      else let t = aux (n0-1) in
        let fx = construct_fo_term (NLC_App f t) in
        construct_fo_term_list (NLC_FOCons fx fotnil) in
    let rx = construct_fo_formula (NLC_PApp r x) in
    let rfx = construct_fo_formula (NLC_PApp r (aux 1)) in
    let rfnx = construct_fo_formula (NLC_PApp r (aux n)) in
    let h = construct_fo_formula (NLC_Or rx rfx) in
    let h = construct_fo_formula (NLC_Forall 0 h) in
    let g = construct_fo_formula (NLC_And rx rfnx) in
    let g = construct_fo_formula (NLC_Exists 0 g) in
    let g = construct_fo_formula (NLC_Not g) in
    let l = construct_fo_formula_list (NLC_FOFCons h fonil) in
    let l = construct_fo_formula_list (NLC_FOFCons g l) in
    l

  use import FormulaTransformations.Impl as F

  let test (ghost st:'st) : unit
    diverges
    raises { F.Sat -> true }
    =
    (*let fonil = construct_fo_formula_list NLC_FOFNil in
    let fotnil = construct_fo_term_list NLC_FONil in
    let false_ = construct_fo_formula NLC_FFalse in
    let c0 = construct_symbol (NLCVar_symbol 0) in
    let c1 = construct_symbol (NLCVar_symbol 1) in
    let c2 = construct_symbol (NLCVar_symbol 2) in
    let c3 = construct_symbol (NLCVar_symbol 3) in
    let c4 = construct_symbol (NLCVar_symbol 4) in
    let v0 = construct_fo_term (NLCVar_fo_term 0) in
    let v1 = construct_fo_term (NLCVar_fo_term 1) in
    let v2 = construct_fo_term (NLCVar_fo_term 2) in
    let v3 = construct_fo_term (NLCVar_fo_term 3) in
    let v4 = construct_fo_term (NLCVar_fo_term 4) in
    let tl1 = construct_fo_term_list (NLC_FOCons v0 fotnil) in
    let tl2 = construct_fo_term_list (NLC_FOCons v1 fotnil) in
    let phip1 = construct_fo_formula (NLC_PApp c0 tl1) in
    let phip2 = construct_fo_formula (NLC_PApp c0 tl2) in
    let phi0 = construct_fo_formula (NLC_Forall 0 phip1) in
    let phi1 = construct_fo_formula (NLC_Exists 1 phip2) in
    let nphi1 = construct_fo_formula (NLC_Not phi1) in
    let fl1 = construct_fo_formula_list (NLC_FOFCons nphi1 fonil) in
    let fl2 = construct_fo_formula_list (NLC_FOFCons phi0 fl1) in*)
    let _ = main (zenon10 2) 1 st in
    ()

end
why3-1.6.0/examples/prover/ProverTest/000077500000000000000000000000001440160026300176545ustar00rootroot00000000000000why3-1.6.0/examples/prover/ProverTest/why3session.xml000066400000000000000000000047261440160026300227050ustar00rootroot00000000000000







 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 



why3-1.6.0/examples/prover/ProverTest/why3shapes.gz000066400000000000000000000045721440160026300223240ustar00rootroot00000000000000Zݏ
_6A!;XnK.F_{^{cIe[8.}iΧH
G?7fnuv6=a]TwCs=X"	O쿌X_á03/#H6qMB=?Pu(>.’_nW%8ML!BItِO_7?r9t24)9\$wxzGg?mQ˩Eԁ$S'8;NohH DG'/4c
MS((aI	
JcC_GGC,.fBQ)$Rs?)hZ@k
s
yd_S@7ZPB%~nu;
 -ok>XvJSߎ`4XfE
f9,tX;r@d 4ֱ>3M;,`ݝi7y6|GVuwkW.U<+#}ci=ҜGSߑU,`ݝFmBhȃRvC4ΈtҠFB$da0IexP҅B&Ȍt]ᙢm|4`?9d=e^EB1<1Pth/L\QJ >U\9DIoY4E(looG?O5Ŧ?[f.QMa|jtzN6ަ94iLn =YX .pY؏91[M7	zyEy;(8r\9qO.(xߓ~4'tE继:%|"x"2*rNY2㠏RЇ"AwAo
76L=82&xI3\nٌFDN)d~r.=*X\Y7~Î)|m^!U;2ry
:
]@-_tv pGK>V%p(Xld7\ᛂ8
b #xB.3Ny3l`D~"HȕW\\2sҘI^{JEڣWxr6Rީ >	?jwu8x4ȹ?x9mrrڙoE\](^/PaB8
Fi0~Z+HV	oF@/n~x|z&ݧI?6õwkXᭊi^Y$.]ƒ^
3-1^^yb;bЭv+9OdhAnSX)Y/5oӷvw¹/CzU(8E9Pp9dv{n6׽sZm{ayJX[386D`l~=ߑWz@ux(wd&#J{w?^5"<
MH=QhZD2XtЍ4(CH‡(C$_x|"Xp3Pu#f8,W 9i<r#*&
Wi-ȧIK N6MDxlU_mҼK!Iż#tt>0|b,Ԑ:ҐD("5E'4
Ҡf[?-ӈ9slS{X誉ѦX%DRV`!ZJ-Zb6:aYmT:KER['
UX.:5+
JD@Lk+)iίܢLiWiC)6Z$vWaac	vjۦ2}Zu
B@+2}& *WK)˨1)nB\^.u˶tٶ)C1)m]K+0&Wv6luZ_MS[hxVW
T[j,nT7eKvajaT6(HKX#ͩ@$K$)j]






why3-1.6.0/examples/prover/Sum/why3shapes.gz000066400000000000000000000000551440160026300207430ustar00rootroot00000000000000R(H,H-V(K-*ϳR0S&why3-1.6.0/examples/prover/Unification.mlw000066400000000000000000001607521440160026300205430ustar00rootroot00000000000000
module Types

  use Functions.Func
  (*use import Assoc.Types as AS
  use import Assoc.Logic as AS
  use import Assoc.Impl as AS*)
  use import BacktrackArray.Types as BA
  use import BacktrackArray.Logic as BA
  use import BacktrackArray.Impl as BA
  use Firstorder_symbol_spec.Spec
  use Firstorder_symbol_impl.Types
  use Firstorder_symbol_impl.Logic
  use Firstorder_symbol_impl.Impl
  use Firstorder_term_spec.Spec
  use Firstorder_term_impl.Types
  use Firstorder_term_impl.Logic
  use Firstorder_term_impl.Impl

  type sdata = PConflict nlimpl_fo_term_list nlimpl_fo_term_list
    | Assign nlimpl_fo_term

  type subst = BA.t sdata
  type timesubst = BA.timestamp sdata

  type unifier_subst = {
    ghost unifier_base_model : int -> (fo_term int int) ;
    ghost unifier : int -> (fo_term int int) ;
  }

  type unification_return = {
    ghost final_unifier : unifier_subst ;
    ghost unifier_factor : int -> (fo_term int int) ;
  }

  (*type unify_return = {
    ghost factor : int -> (fo_term int int);
  }*)

end

module Logic

  use int.Int
  use Functions.Func
  use option.Option
  use import BacktrackArray.Types as BA
  use import BacktrackArray.Logic as BA
  use import BacktrackArray.Impl as BA
  use list.List
  use Firstorder_symbol_spec.Spec
  use Firstorder_symbol_impl.Types
  use Firstorder_symbol_impl.Logic
  use Firstorder_symbol_impl.Impl
  use Firstorder_term_spec.Spec
  use Firstorder_term_impl.Types
  use Firstorder_term_impl.Logic
  use Firstorder_term_impl.Impl
  use Types

  constant sdata_inv : sdata -> bool
  axiom sdata_inv_def : forall x:sdata.
    sdata_inv x <-> match x with
      | PConflict l1 l2 -> nlimpl_fo_term_list_ok l1 /\
        nlimpl_fo_term_list_ok l2 /\ (forall x:int.
          is_fo_term_free_var_in_fo_term_list x
            l1.model_fo_term_list_field -> x >= 0) /\
          (forall x:int. is_fo_term_free_var_in_fo_term_list x
            l2.model_fo_term_list_field -> x >= 0)
      | Assign l -> nlimpl_fo_term_ok l /\
        (forall x:int. is_fo_term_free_var_in_fo_term x
          l.model_fo_term_field -> x >= 0)
    end

  function smodel (l:timesubst) : int -> (fo_term int int)
  axiom smodel_def : forall l:timesubst,x:int.
    smodel l x = match table l x with
      | Nil -> Var_fo_term x
      | Cons (PConflict _ _) _ -> Var_fo_term x
      | Cons (Assign u) _ -> u.model_fo_term_field
    end

  predicate unassigned (l:timesubst) (x:int) = match table l x with
    | Cons (Assign _) _ -> false
    | _ -> true
  end

  let lemma smodel_depend_only_model (l1 l2:timesubst) : unit
    requires { l1.table = l2.table }
    ensures { smodel l1 = smodel l2 }
  =
    assert { extensionalEqual (smodel l1) (smodel l2) }

  function sc (s1:'b -> (fo_term 'ls 'b)) (s2:'b -> (fo_term 'ls 'b)) :
    'b -> (fo_term 'ls 'b) =
    subst_compose_fo_term s1 subst_id_symbol s2

  function st (t:fo_term 'ls 'b) (s:'b -> (fo_term 'ls 'b)) : fo_term 'ls 'b =
    subst_fo_term t subst_id_symbol s

  function stl (t:fo_term_list 'ls 'b)
    (s:'b -> (fo_term 'ls 'b)) : fo_term_list 'ls 'b =
    subst_fo_term_list t subst_id_symbol s

  (*
  (* power relation. *)

  inductive power_rel (s:'b -> (fo_term 'ls 'b)) (n:int)
    (sr:'b -> (fo_term 'ls 'b)) =
    | Power0 : forall s:'b -> (fo_term 'ls 'b).
      power_rel s 0 subst_id_fo_term
    | Powern : forall s:'b -> (fo_term 'ls 'b),n:int,
      sr:'b -> (fo_term 'ls 'b).
      n >= 0 /\ power_rel s n sr ->
      power_rel s (n+1) (sc s sr)

  let rec lemma power_rel_det (s:'b -> (fo_term 'ls 'b)) (n:int) : unit
    ensures { forall sr1 sr2:'b -> (fo_term 'ls 'b).
      power_rel s n sr1 /\ power_rel s n sr2 -> sr1 = sr2 }
    variant { n }
  =
    if n > 0
    then power_rel_det s (n-1)

  let rec lemma power_rel_additive (s:'b -> (fo_term 'ls 'b)) (n m:int)
    (srm:'b -> (fo_term 'ls 'b)) : unit
    ensures { forall srn:'b -> (fo_term 'ls 'b).
      power_rel s n srn /\ power_rel s m srm ->
      power_rel s (n+m) (sc srn srm) }
    variant { n }
  =
    if n > 0
    then power_rel_additive s (n-1) m srm

  let rec ghost power (s:'b -> (fo_term 'ls 'b)) (n:int) :
    'b -> (fo_term 'ls 'b)
    requires { n >= 0 }
    ensures { power_rel s n result }
    variant { n }
  =
    if n = 0
    then subst_id_fo_term
    else sc s (power s (n-1))

  let rec lemma power_fixed_point (s:'b -> (fo_term 'ls 'b)) (n:int)
    (x:'b) : unit
    requires { s x = Var_fo_term x }
    ensures { forall srn:'b -> (fo_term 'ls 'b).
      power_rel s n srn -> srn x = Var_fo_term x }
    variant { n }
  =
    if n > 0
    then power_fixed_point s (n-1) x
  *)

  (* In other words : unifier is the idempotent limit reached by power
     iteration of the model of unifier_base, which is unifier_base_model,
     and iteration is an exponent reaching the fixed point. *)

  predicate unifier_subst_ok (rho:subst) (u:unifier_subst) =
    smodel (BA.current_timestamp rho) = u.unifier_base_model /\
    (forall x:int. eval u.unifier_base_model x = Var_fo_term x ->
      unassigned (BA.current_timestamp rho) x) /\
    (*power_rel u.unifier_base_model u.iteration u.unifier /\
    u.iteration > 0 /\*)
    (* Replace *) (forall x:int. eval u.unifier_base_model x = Var_fo_term x ->
      eval u.unifier x = Var_fo_term x) /\
    sc u.unifier_base_model u.unifier = u.unifier /\
    sc u.unifier u.unifier_base_model = u.unifier /\
    sc u.unifier u.unifier = u.unifier /\
    BA.correct rho /\
    rho.inv = sdata_inv

  (*let rec lemma size_term_increase (t:fo_term int int) (x:int)
    (s:int -> (fo_term int int)) : unit
    ensures { is_fo_term_free_var_in_fo_term x t ->
      size_fo_term (subst_fo_term t subst_id_symbol s)
      >= size_fo_term t + size_fo_term (s x) -
        size_fo_term (Var_fo_term x:fo_term int int) }
    ensures { size_fo_term (subst_fo_term t subst_id_symbol s) >=
      size_fo_term t }
    variant { size_fo_term t }
  =
    match t with
      | Var_fo_term _ -> ()
      | App _ l -> size_list_increase l x s
    end

  with lemma size_list_increase (t:fo_term_list int int) (x:int)
    (s:int -> (fo_term int int)) : unit
    ensures { is_fo_term_free_var_in_fo_term_list x t ->
      size_fo_term_list (subst_fo_term_list t subst_id_symbol s)
      >= size_fo_term_list t + size_fo_term (s x) -
        size_fo_term (Var_fo_term x:fo_term int int) }
    ensures { size_fo_term_list (subst_fo_term_list t subst_id_symbol s)
      >= size_fo_term_list t }
    variant { size_fo_term_list t }
  =
    match t with
      | FONil -> ()
      | FOCons u q -> size_term_increase u x s ;
        size_list_increase q x s
    end*)

end

module Impl

  use int.Int
  use Functions.Func
  use option.Option
  use import BacktrackArray.Types as BA
  use import BacktrackArray.Logic as BA
  use import BacktrackArray.Impl as BA
  use list.List
  use Firstorder_symbol_spec.Spec
  use Firstorder_symbol_impl.Types
  use Firstorder_symbol_impl.Logic
  use Firstorder_symbol_impl.Impl
  use Firstorder_term_spec.Spec
  use Firstorder_term_impl.Types
  use Firstorder_term_impl.Logic
  use Firstorder_term_impl.Impl
  use Types
  use Logic
  use ref.Ref
  use list.Mem

  exception UnificationFailure

  (* Utility for a frequent reasoning that
     allow to decrease variant. *)
  (*let ghost checkit (rhob:subst) (rho:unifier_subst) (x:int) (*(it:int)*) : unit
    (*requires { it >= 0 }
    requires { forall sp:int -> (fo_term int int).
      let tm = Var_fo_term x in
      power_rel rho.unifier_base_model it sp ->
      st tm sp = st tm rho.unifier }*)
    requires { unifier_subst_ok rhob rho }
    requires { match table (BA.current_timestamp rhob) x with
        | Cons (Assign _) _ -> true
        | _ -> false
      end }
    (*ensures { it >= 1 }*)
    ensures { forall sp:int -> (fo_term int int).
      let tm = eval rho.unifier_base_model x in
      power_rel rho.unifier_base_model (it-1) sp ->
      st tm sp = st tm rho.unifier }
  =
    let rho0 = rho.unifier in
    let tm = (Var_fo_term x:fo_term int int) in
    assert { (it = 0 -> tm = st tm subst_id_fo_term
      = st tm rho0 && tm = st tm (sc rho0 rho.unifier_base_model)
      = st tm rho.unifier_base_model &&
      eval rho.unifier_base_model x = Var_fo_term x &&
      match table (BA.current_timestamp rhob) x with
        | Cons (Assign _) _ -> false
        | _ -> true
      end) && it <> 0 } ;
    assert { forall sp:int -> (fo_term int int).
      let rho0 = rho.unifier_base_model in
      let rhoi = rho.unifier in
      let tm = rho0 x in
      let mx = Var_fo_term x in
      power_rel rho0 (it-1) sp ->
      power_rel rho0 it (sc rho0 sp) &&
      st tm sp = st mx (sc rho0 sp) = st mx rhoi =
      st mx (sc rho0 rhoi) = st tm rhoi && st tm sp = st tm rhoi }*)

  let ghost bottomvar (rhob:subst) (ghost rho:unifier_subst) (x:int) : unit
    requires { unifier_subst_ok rhob rho }
    requires { unassigned (BA.current_timestamp rhob) x }
    ensures { let tm = Var_fo_term x in
      tm = st tm rho.unifier_base_model /\
      tm = st tm rho.unifier }
  =
    assert { eval rho.unifier_base_model x = Var_fo_term x } ;
    assert { eval rho.unifier x = Var_fo_term x }

  (* Check presence of a variable inside the fully substituted term. *)
  let rec check_unified_free_var (x:int) (t:nlimpl_fo_term)
    (rhob:subst) (ghost rho:unifier_subst)
    (*(ghost it:int)*) : unit
    requires { unifier_subst_ok rhob rho }
    requires { nlimpl_fo_term_ok t }
    (* Variant requirement. *)
    (*requires { forall sp:int -> (fo_term int int).
      let tm = t.model_fo_term_field in
      power_rel rho.unifier_base_model it sp ->
      st tm sp = st tm rho.unifier }*)
    (*requires { it >= 0 }*)
    requires { forall y:int. is_fo_term_free_var_in_fo_term y
      t.model_fo_term_field -> y >= 0 }
    diverges (* variant { 0 } *)
    (* variant { it , size_fo_term t.model_fo_term_field } *)
    ensures { not(is_fo_term_free_var_in_fo_term x
      (st t.model_fo_term_field rho.unifier)) }
    raises { UnificationFailure (*->
      is_fo_term_free_var_in_fo_term x (st t.model_fo_term_field rho.unifier)*) }
  =
    let tm = t.model_fo_term_field in
    let rho0 = rho.unifier in
    match destruct_fo_term t with
      | NLCVar_fo_term y -> assert { tm = Var_fo_term y } ;
        assert { (y < 0 -> table (BA.current_timestamp rhob) y = Nil
          && eval rho.unifier_base_model y = Var_fo_term y
          && eval rho.unifier y = Var_fo_term y
          && st tm rho.unifier = Var_fo_term y
          && is_fo_term_free_var_in_fo_term y (st tm rho.unifier)) && y >= 0 } ;
        let by' = BA.get rhob y in
        match by' with
          | Nil -> bottomvar rhob rho y ;
            if x = y
            then raise UnificationFailure
          | Cons (PConflict _ _) _ -> bottomvar rhob rho y ;
            if x = y
            then raise UnificationFailure
          | Cons (Assign t2) _ -> assert { sdata_inv (Assign t2) } ;
            let t2m = t2.model_fo_term_field in
            assert { st tm rho0 = eval rho0 y = st t2m rho0 } ;
            (*checkit rhob rho y it ;*)
            check_unified_free_var x t2 rhob rho (*(it-1)*)
        end
      | NLC_App f l -> let fm = f.model_symbol_field in
        let lm = l.model_fo_term_list_field in
        assert { tm = App fm lm } ;
        assert { forall s:int -> (fo_term int int).
          st tm s = App fm (stl lm s) } ;
        check_unified_free_var_list x l rhob rho (*it*)
    end

  with check_unified_free_var_list (x:int) (t:nlimpl_fo_term_list)
    (rhob:subst) (ghost rho:unifier_subst) (*(ghost it:int)*) : unit
    requires { nlimpl_fo_term_list_ok t }
    requires { unifier_subst_ok rhob rho }
    (* Variant requirement. *)
    (*requires { forall sp:int -> (fo_term int int).
      let tm = t.model_fo_term_list_field in
      power_rel rho.unifier_base_model it sp ->
      stl tm sp = stl tm rho.unifier }*)
    (*requires { it >= 0 }*)
    requires { forall y:int. is_fo_term_free_var_in_fo_term_list y
      t.model_fo_term_list_field -> y >= 0 }
    diverges (* variant { 0 } *)
    (*variant { it , size_fo_term_list t.model_fo_term_list_field }*)
    ensures { not(is_fo_term_free_var_in_fo_term_list x
        (stl t.model_fo_term_list_field rho.unifier)) }
    raises { UnificationFailure (*->
      is_fo_term_free_var_in_fo_term_list x
        (stl t.model_fo_term_list_field rho.unifier)*) }
  =
    let tm = t.model_fo_term_list_field in
    let rho0 = rho.unifier in
    match destruct_fo_term_list t with
      | NLC_FONil -> ()
      | NLC_FOCons u q -> let um = u.model_fo_term_field in
        let qm = q.model_fo_term_list_field in
        assert { tm = FOCons um qm } ;
        assert { forall s:int -> (fo_term int int).
          stl tm s = FOCons (st um s) (stl qm s) } ;
        check_unified_free_var x u rhob rho (*it*) ;
        check_unified_free_var_list x q rhob rho (*it*)
    end

  (*
  (* to prevent : 1) expanding of t0 as a record,
     2) inlining of nlimpl_fo_term *)
  predicate ugly_hack (rho:table int nlimpl_fo_term) =
    forall x:int, t0:nlimpl_fo_term.
      AS.model rho x = Some t0 -> nlimpl_fo_term_ok t0
  *)

  (* Unification core routine : set a variable to some equation. *)

  let assign (z:int) (t:nlimpl_fo_term) (lv:ref (list int)) (rhob:subst)
    (ghost rho:unifier_subst) (ghost lp:int -> bool)
    (*(ghost fv s:S.set int)*) : unification_return

    (* Invariant requirements. *)
    requires { z >= 0 }
    requires { nlimpl_fo_term_ok t }
    requires { unifier_subst_ok rhob rho }


    (* Essential requirement : the variable is not yet assigned. *)
    requires { unassigned (current_timestamp rhob) z }
    (* Essential requirement given the structure invariants :
       do not assign a variable to itself. *)
    requires { st t.model_fo_term_field rho.unifier <> Var_fo_term z }

    requires { forall y:int. is_fo_term_free_var_in_fo_term y
      t.model_fo_term_field -> y >= 0 }

    requires { forall x:int. mem x !lv ->
      lp x /\ x >= 0 }
    requires { forall x:int. unassigned (current_timestamp rhob) x -> lp x }
    ensures { forall x:int. mem x !lv ->
      lp x /\ x >= 0 }
    ensures { forall x:int. unassigned (current_timestamp rhob) x -> lp x }

    (* Invariant ensures. *)
    ensures { unifier_subst_ok rhob result.final_unifier }
    ensures { precede (old rhob) rhob }

    (* Unifier properties. *)
    ensures { sc rho.unifier result.unifier_factor =
      result.final_unifier.unifier }
    ensures { forall s:int -> (fo_term int int).
      let s' = sc rho.unifier s in
      s' z = st t.model_fo_term_field s' ->
      s' = sc result.final_unifier.unifier s }
    ensures { let s0 = result.final_unifier.unifier in
      s0 z = st t.model_fo_term_field s0 }
    ensures { let s0 = result.final_unifier.unifier in
      let s1 = rho.unifier_base_model in
      sc s0 s1 = s0 = sc s1 s0 }
    ensures { let s0 = result.final_unifier.unifier in
      let s1 = rho.unifier in
      sc s0 s1 = s0 = sc s1 s0 }

    diverges
    (* Variant post-conditions. *)
    (*ensures { cardinal result.unassigned_set < cardinal s }
    ensures { forall x:int.
      mem x fv /\ AS.model result.final_unifier.unifier_base x = None ->
      mem x result.unassigned_set }
    ensures { forall x y:int.
      mem x fv /\
      is_fo_term_free_var_in_fo_term y (
        eval result.final_unifier.unifier_base_model x)
        -> mem y fv }*)
    raises { UnificationFailure -> precede (old rhob) rhob /\
      correct rhob
    (*-> forall s:int -> (fo_term int int).
      let s' = sc rho.unifier s in
      s' z <> st t.model_fo_term_field s'*) }
  =
    label Init in
    assert { forall s1 s2 s3:int -> (fo_term int int).
      sc s1 (sc s2 s3) = sc (sc s1 s2) s3 } ;
    assert { forall t0:fo_term int int,s1 s2:int -> (fo_term int int).
      st (st t0 s1) s2 = st t0 (sc s1 s2) } ;
    let tm = t.model_fo_term_field in
    let rho0 = rho.unifier_base_model in
    let rhoi = rho.unifier in
    let ghost stm = st tm rhoi in
    (*let n0 = rho.iteration in*)
    bottomvar rhob rho z;
    assert { rho0 z = Var_fo_term z } ;
    assert { rhoi z = Var_fo_term z } ;
    (*assert { forall s:int -> (fo_term int int).
      is_fo_term_free_var_in_fo_term z stm ->
      match stm with
        | Var_fo_term _ -> false
        | _ -> size_fo_term (st stm s) > size_fo_term (s z) end &&
      size_fo_term (st tm (sc rhoi s)) > size_fo_term (s z) &&
      s z = sc rhoi s z && st tm (sc rhoi s) <> sc rhoi s z } ;*)
    check_unified_free_var z t rhob rho (*rho.iteration*) ;
    let ghost uf = subst_id_fo_term[z <- stm] in
    let ghost rhoi' = sc rhoi uf in
    let ghost rho0' = rho0[z <- tm] in
    BA.add z (Assign t) rhob ;
    lv := Cons z !lv;
    (*let n1 = 2 * n0 + 1 in*)
    assert { let rho' = current_timestamp (rhob at Init) in
      let rho'' = current_timestamp rhob in
      (forall x:int.
      (x <> z -> table rho'' x = table rho' x &&
        (smodel rho'' x = smodel rho' x = rho0 x = rho0' x)) /\
      (x = z -> (smodel rho'' x = t.model_fo_term_field = rho0' x))) &&
      extensionalEqual (smodel rho'') rho0' &&
      smodel rho'' = rho0' } ;
    let ghost rho0'' = rho0[z <- stm] in
    assert { (forall x:int.
      (x <> z -> uf x = Var_fo_term x && rho0'' x = rho0 x = sc uf rho0 x) /\
      (x = z -> rho0'' x = stm = st stm rho0 = sc uf rho0 x)) &&
      extensionalEqual rho0'' (sc uf rho0) && rho0'' = sc uf rho0 } ;
    free_var_equivalence_of_subst_fo_term stm subst_id_symbol
          subst_id_symbol rho0 rho0' ;
    assert { (forall x:int.
      (x <> z -> uf x = Var_fo_term x &&
        rho0'' x = rho0 x = rho0' x = sc uf rho0' x) /\
      (x = z -> rho0'' x = stm = st stm rho0 = st stm rho0' = sc uf rho0 x)) &&
      extensionalEqual rho0'' (sc uf rho0') && rho0'' = sc uf rho0' } ;
    (*assert { forall r:int -> (fo_term int int).
        power_rel r 0 subst_id_fo_term /\ sc r subst_id_fo_term = r &&
        power_rel r 1 r } ;*)
    (*let rec ghost aux0 (m:int) (sp1 sp2:int -> (fo_term int int)) : unit
      requires { m >= 0 }
      requires { power_rel rho0 m sp1 /\ power_rel rho0'' m sp2 }
      variant { m }
      ensures { sc sp2 uf = sc sp1 uf }
      ensures { sc rhoi sp1 = rhoi }
      ensures { sc sp1 rhoi = rhoi }
    =
      if m <> 0
      then ( let sp1' = power rho0 (m-1) in
        let sp2' = power rho0'' (m-1) in
        aux0 (m-1) sp1' sp2' ;
        free_var_equivalence_of_subst_fo_term stm subst_id_symbol
          subst_id_symbol subst_id_fo_term uf ;
        assert { power_rel rho0 1 rho0 &&
          power_rel rho0'' 1 rho0'' &&
          (power_rel rho0 m (sc rho0 sp1') /\
          power_rel rho0 m (sc sp1' rho0)) &&
          power_rel rho0'' m (sc rho0'' sp2') &&
          sc sp1' rho0 = sp1 = sc rho0 sp1' && sp2 = sc rho0'' sp2'} ;
        assert { sc rhoi sp1 = sc rhoi sp1' = rhoi = sc sp1' rhoi = sc sp1 rhoi
          && st stm sp1 = st tm (sc rhoi sp1) = st tm rhoi = stm } ;
        assert {
          sc sp2 uf = sc rho0'' (sc sp2' uf) = sc (sc uf rho0) (sc sp1' uf)
          = sc uf (sc sp1 uf) &&
          (forall x:int. x <> z ->
            sc uf (sc sp1 uf) x = sc sp1 uf x) &&
          (sc uf (sc sp1 uf) z = st stm (sc sp1 uf) = st stm uf = stm
            = uf z = sc sp1 uf z)
          && extensionalEqual (sc uf (sc sp1 uf)) (sc sp1 uf)
          && sc sp2 uf = sc sp1 uf })
      else assert { sp1 = subst_id_fo_term }
    in*)
    (*
    let rec ghost aux1 (m:int) (sp1 sp2:int -> (fo_term int int)) : unit
      requires { m >= 0 }
      requires { power_rel rho0 m sp1 }
      requires { power_rel rho0' m sp2 }
      variant { m }
      ensures { st tm sp1 = st tm sp2 }
    =
      if m <> 0
      then (
        let sp1' = power rho0 (m-1) in
        let sp2' = power rho0' (m-1) in
        assert { power_rel rho0 1 rho0 &&
          power_rel rho0 m (sc sp1' rho0) &&
          sp1 = sc sp1' rho0 } ;
        assert { power_rel rho0' 1 rho0' &&
          power_rel rho0' m (sc sp2' rho0') &&
          sc sp2' rho0' = sp2 } ;
        aux1 (m-1) sp1' sp2' ;
        aux0 (m-1) sp1' (power rho0'' (m-1)) ;
        assert { is_fo_term_free_var_in_fo_term z (rhoi z) &&
          (is_fo_term_free_var_in_fo_term z (st tm sp1') ->
          is_fo_term_free_var_in_fo_term z (st (st tm sp1') rhoi) &&
          is_fo_term_free_var_in_fo_term z stm) &&
          not(is_fo_term_free_var_in_fo_term z (st tm sp1')) } ;
        free_var_equivalence_of_subst_fo_term (st tm sp1') subst_id_symbol
          subst_id_symbol rho0 rho0'
      )
      else assert { sp1 = subst_id_fo_term = sp2 }
    in*)(*
    let rec ghost aux2 (m:int) (sp1 sp2 sp3:int -> (fo_term int int)) : unit
      requires { m >= 0 }
      requires { power_rel rho0 m sp2 /\
        power_rel rho0' n0 sp3 /\
        power_rel rho0' (m+n0+1) sp1 }
      variant { m }
      ensures { sp1 = sc sp2 (sc rho0'' sp3) }
    =
      let sp0 = sc rhoi rhoi in
      assert { power_rel rho0 (n0+n0) sp0 } ;
      aux0 n0 rhoi (power rho0'' n0) ; (*rho0^(2*n0) = rhoi *)
      aux1 n0 rhoi sp3 ; (* st t rho^n0 = st t rho'^n0 *)
      let sp3_ = sc sp3 sp3 in
      assert { power_rel rho0' (2*n0) sp3_ } ;
      aux1 (2*n0) sp0 sp3_ ; (* st t rho^(2*n0) = st t (rho'^(2*n0)) *)
      assert { st tm sp3 = st tm rhoi = st tm sp0 = st tm sp3_
        = st (st tm sp3) sp3 = st (st tm rhoi) sp3 = st stm sp3 } ;
      assert { extensionalEqual (sc rho0' sp3)
        (update (sc rho0 sp3) z (st tm sp3)) } ;
      assert { extensionalEqual (sc rho0'' sp3)
        (update (sc rho0 sp3) z (st stm sp3)) } ;
      assert { sc rho0' sp3 = sc rho0'' sp3 } ;
      assert { power_rel rho0' (1+n0) (sc rho0' sp3) &&
        power_rel rho0' (n0+1) (sc sp3 rho0') &&
        sc sp3 rho0' = sc rho0' sp3 } ;
      if m = 0
      then assert { sp2 = subst_id_fo_term /\
          sp1 = sc rho0' sp3 }
      else (
        let sp1' = power rho0' (m+n0) in
        assert { power_rel rho0' (m+n0+1) (sc sp1' rho0') &&
          sp1 = sc sp1' rho0' } ;
        let sp2' = power rho0 (m-1) in
        assert { power_rel rho0 1 rho0 &&
          power_rel rho0 ((m-1)+1) (sc sp2' rho0) &&
          sc sp2' rho0 = sp2 } ;
        aux2 (m-1) sp1' sp2' sp3 ;
        free_var_equivalence_of_subst_fo_term stm subst_id_symbol
          subst_id_symbol rho0'' rho0 ;
        assert { (forall x:int. x <> z ->
          sc rho0'' rho0'' x = sc rho0 rho0'' x) /\
          sc rho0'' rho0'' z = st stm rho0'' = st stm rho0
          = st tm (sc rhoi rho0) = stm = sc rho0 rho0'' z } ;
        assert { extensionalEqual (sc rho0'' rho0'') (sc rho0 rho0'') } ;
        assert { sp1 = sc sp2' (sc (sc rho0'' sp3) rho0')
          = sc sp2' (sc rho0'' (sc sp3 rho0'))
          = sc sp2' (sc rho0'' (sc rho0'' sp3))
          = sc (sc sp2' (sc rho0'' rho0'')) sp3
          = sc (sc (sc sp2' rho0) rho0'') sp3
          = sc (sc sp2' rho0) (sc rho0'' sp3)
          = sc sp2 (sc rho0'' sp3) }
      )
    in*)
    (*let sp3 = power rho0' n0 in
    let rhoi_ = power rho0' n1 in
    aux2 n0 rhoi_ rhoi sp3 ;
    assert { power_rel rho0' 1 rho0' &&
      power_rel rho0' (1+n1) (sc rho0' rhoi_) &&
      power_rel rho0' (n1+1) (sc rhoi_ rho0') } ;
    assert { power_rel rho0 1 rho0 &&
      power_rel rho0 (1+n0) (sc rho0 rhoi) } ;
    aux2 (1+n0) (sc rho0' rhoi_) (sc rho0 rhoi) sp3 ;
    assert { sc rhoi' (sc rho0 sp3)
      = sc rhoi (sc uf (sc rho0 sp3)) = rhoi_
      = sc rho0' rhoi_
      = sc (sc rho0 rhoi) (sc rho0'' sp3)
      = sc rho0 (sc rhoi (sc rho0'' sp3))
      = sc rho0 rhoi_ } ;
    assert { rhoi_ = sc rhoi_ rho0' } ;
    assert { rhoi_ = sc (sc rhoi' rho0) sp3
      = sc (sc rhoi' rho0') sp3 = sc rhoi' (sc rho0' sp3) } ;*)
    (*let rec ghost aux3 (m:int) (sp:int -> (fo_term int int)) : unit
      requires { m >= 0 }
      requires { power_rel rho0' m sp }
      variant { m }
      ensures { sc rhoi' sp = rhoi' }
    =
      if m = 0
      then assert { sp = subst_id_fo_term }
      else (
        let sp' = power rho0' (m-1) in
        assert { power_rel rho0' 1 rho0' &&
          power_rel rho0' m (sc rho0' sp') &&
          sc rho0' sp' = sp } ;
        aux3 (m-1) sp' ;
        assert { forall x:int.
          (forall y:int.
            is_fo_term_free_var_in_fo_term y (rhoi x) ->
            st (rhoi x) rho0 = st (rhoi x) subst_id_fo_term &&
            rho0 y = subst_id_fo_term y &&
            rho0'' y = uf y) &&
          (forall y:int.
            is_fo_term_free_var_in_fo_term y (rhoi x) ->
              rho0'' y = uf y) &&
          (forall y:int.
            is_symbol_free_var_in_fo_term y (rhoi x) ->
              subst_id_symbol y = subst_id_symbol y) &&
          st (rhoi x) rho0'' = st (rhoi x) uf &&
          sc rhoi rho0'' x = sc rhoi uf x } ;
        assert { extensionalEqual (sc rhoi rho0'') (sc rhoi uf) &&
          sc rhoi' rho0' = sc rhoi' rho0 = sc rhoi (sc uf rho0)
          = sc rhoi rho0'' = sc rhoi uf = rhoi' &&
          sc rhoi' sp = sc rhoi' sp' = rhoi' }
      ) in
    aux3 (n0+1) (sc rho0' sp3) ;*)
    (* Main difficulty done : rhoi' is indeed the idempotent limit of rho0'. *)
    (*assert { rhoi_ = rhoi' } ;
    aux3 n1 rhoi_ ;*)
    (*assert { sc rhoi' rhoi' = rhoi' } ;*)
    (*let rec ghost aux4 (m:int) (sp:int -> (fo_term int int)) : unit
      requires { m >= 0 }
      requires { power_rel rho0 m sp }
      variant { m }
      ensures { sc rhoi' sp = rhoi' }
    =
      if m = 0
      then assert { sp = subst_id_fo_term }
      else (
        let sp' = power rho0 (m-1) in
        assert { power_rel rho0 1 rho0 &&
          power_rel rho0 m (sc rho0 sp') &&
          sc rho0 sp' = sp } ;
        aux4 (m-1) sp' ;
        assert { sc rhoi' sp = sc (sc rhoi' rho0) sp' = sc rhoi' sp' }
      ) in
    aux4 n0 rhoi ;
    assert { forall x:int, t0:nlimpl_fo_term.
      AS.model rho'' x = Some t0 ->
        ((x = z -> t0 = t) /\ (x <> z ->
          AS.model rho.unifier_base x = AS.model rho'.unifier_base x
            = AS.model rho'' x &&
          AS.model rho.unifier_base x = Some t0))
        && nlimpl_fo_term_ok t0 } ;
    assert { ugly_hack rho'' } ;*)
    free_var_equivalence_of_subst_fo_term stm subst_id_symbol
       subst_id_symbol uf subst_id_fo_term ;
    assert { rhoi' z = st (rhoi z) uf = st (Var_fo_term z) uf
      = stm = st stm uf = st tm rhoi' } ;
    assert { ((forall x:int.
      x <> z -> uf x = Var_fo_term x && sc uf rhoi' x = rhoi' x) /\
      (sc uf rhoi' z = st stm rhoi' = st (st stm rhoi) uf = st (st tm rhoi) uf
        = st stm uf = stm = uf z = st (Var_fo_term z) uf =
        sc rhoi uf z = rhoi' z
      )) && extensionalEqual (sc uf rhoi') rhoi' &&
      sc rhoi' rhoi' = rhoi' } ;
    (*assert { forall x y:int.
      mem x fv /\ is_fo_term_free_var_in_fo_term y (rho0' x) ->
      ((x = z -> rho0' x = tm && mem y fv) /\
       (x <> z -> rho0' x = rho0 x && mem y fv)) && mem y fv } ;
    assert { forall x:int.
      mem x fv /\
      AS.model rho'' x = None ->
      x <> z && AS.model rho'' x = AS.model rho.unifier_base x &&
      mem x s && mem x (remove z s) } ;*)
    assert { forall s0:int -> (fo_term int int).
      let s0' = sc rhoi s0 in
      s0' z = st tm s0' ->
      st stm s0 = s0' z = st (rhoi z) s0 = s0 z &&
      (forall x:int. x <> z ->
        update s0 z (st stm s0) x = s0 x = st (uf x) s0 &&
        update s0 z (st stm s0) x = sc uf s0 x) &&
      (update s0 z (st stm s0) z = st stm s0 = st (uf z) s0 &&
        update s0 z (st stm s0) z = sc uf s0 z) &&
      extensionalEqual (sc uf s0) (update s0 z (st stm s0)) &&
      extensionalEqual (update s0 z (s0 z)) s0 &&
      sc uf s0 = s0 &&
      sc rhoi' s0 = sc rhoi (sc uf s0) = sc rhoi s0 } ;
    assert { sc rho0 rhoi' = sc (sc rho0 rhoi) uf = rhoi' } ;
    assert { sc rhoi rhoi' = sc (sc rhoi rhoi) uf = rhoi' } ;
    assert { sc rhoi' rho0 = sc rhoi rho0'' = sc rhoi' rho0' } ;
    assert { (forall x:int. let tx = rhoi x in
        st tx rho0 = st tx subst_id_fo_term &&
        (forall y:int. is_fo_term_free_var_in_fo_term y tx ->
          rho0 y = subst_id_fo_term y) &&
        (forall y:int. is_fo_term_free_var_in_fo_term y tx ->
          rho0'' y = uf y) &&
        st tx rho0'' = st tx uf
      ) &&
      extensionalEqual (sc rhoi rho0'') rhoi' &&
      sc rhoi' rho0 = rhoi' = sc rhoi' rho0' } ;
    let ghost rhoi'' = rhoi[z <- stm] in
    assert { ((forall x:int. x <> z ->
      uf x = Var_fo_term x &&
      rhoi'' x = rhoi x = sc uf rhoi x) /\
      (rhoi'' z = stm = st stm rhoi = sc uf rhoi z)
      ) && extensionalEqual rhoi'' (sc uf rhoi) } ;
    assert { (forall x:int. let tx = rhoi x in
        st tx rhoi = st tx subst_id_fo_term &&
        (forall y:int. is_fo_term_free_var_in_fo_term y tx ->
          rhoi y = subst_id_fo_term y) &&
        (forall y:int. is_fo_term_free_var_in_fo_term y tx ->
          rhoi'' y = uf y) &&
        st tx rhoi'' = st tx uf
      ) &&
      extensionalEqual (sc rhoi rhoi'') rhoi' &&
      sc rhoi' rhoi = rhoi' } ;
    assert { ((forall x:int. x <> z ->
      sc rho0' rhoi' x = st (rho0 x) rhoi' = rhoi' x) /\
      (sc rho0' rhoi' z = st (st tm rhoi) uf = st stm uf = stm
        = uf z = st (rhoi z) uf = rhoi' z)) &&
      extensionalEqual (sc rho0' rhoi') rhoi' && sc rho0' rhoi' = rhoi' } ;
    assert { forall x:int.
      (rho0' x = Var_fo_term x -> x <> z &&
      ((rho0' x = rho0 x = Var_fo_term x &&
      rhoi x = Var_fo_term x &&
      rhoi' x = uf x = Var_fo_term x) /\
      (table (current_timestamp rhob) x =
       table (current_timestamp (rhob at Init)) x &&
       unassigned (current_timestamp rhob) x)))
       && (rho0' x = Var_fo_term x -> rhoi' x = Var_fo_term x)
       && (rho0' x = Var_fo_term x ->
         unassigned (current_timestamp rhob) x)
    } ;(*
    assert { forall y:int,yt:int.
      is_fo_term_free_var_in_fo_term yt tm /\
      is_fo_term_free_var_in_fo_term y (rhoi' yt) ->
      (yt <> z -> rhoi' yt = rhoi yt
        && is_fo_term_free_var_in_fo_term y (st tm rhoi) && y >= 0) /\
      (yt = z -> rhoi' yt = stm && y >= 0) && y >= 0
    } ;*)
    let rhou = {(*
      unifier_base = rho'' ;*)
      unifier_base_model = rho0' ;
      (*iteration = n1 ;*)
      unifier = rhoi' } in
    let res = { final_unifier = rhou ;
      unifier_factor = uf (*;
      unassigned_set = remove z s*) } in
    res

  (*
  meta "remove_logic" predicate ugly_hack
  *)

  (* Forced because of the model fields. *)
  val ghost unassigned_vars (rhob:subst) : int -> bool
    ensures { forall x:int.
      result x <-> unassigned (current_timestamp rhob) x }

  let rec unification_term (t1 t2:nlimpl_fo_term) (lv:ref (list int))
    (rhob:subst) (ghost rho:unifier_subst) (ghost lp:int -> bool)
    (*(ghost fv s:S.set int) (ghost it1 it2:int)*) : unification_return

    (* Invariant requirements. *)
    requires { nlimpl_fo_term_ok t1 }
    requires { nlimpl_fo_term_ok t2 }
    requires { unifier_subst_ok rhob rho }
    requires { forall y:int. is_fo_term_free_var_in_fo_term y
      t1.model_fo_term_field -> y >= 0 }
    requires { forall y:int. is_fo_term_free_var_in_fo_term y
      t2.model_fo_term_field -> y >= 0 }

    (* Variant requirements. *)
    (*requires { forall x:int.
      is_fo_term_free_var_in_fo_term x t1.model_fo_term_field -> mem x fv }
    requires { forall x:int.
      is_fo_term_free_var_in_fo_term x t2.model_fo_term_field -> mem x fv }
    requires { forall x y:int.
      mem x fv /\
      is_fo_term_free_var_in_fo_term y (eval rho.unifier_base_model x)
        -> mem y fv }
    requires { forall x:int.
      mem x fv /\ AS.model rho.unifier_base x = None -> mem x s }
    requires { forall sp:int -> (fo_term int int).
      let tm = t1.model_fo_term_field in
      power_rel rho.unifier_base_model it1 sp ->
      st tm sp = st tm rho.unifier }
    requires { it1 >= 0 }
    requires { forall sp:int -> (fo_term int int).
      let tm = t2.model_fo_term_field in
      power_rel rho.unifier_base_model it2 sp ->
      st tm sp = st tm rho.unifier }
    requires { it2 >= 0 }*)

    (* Invariant ensures. *)
    ensures { unifier_subst_ok rhob result.final_unifier }
    ensures { precede (old rhob) rhob }

    requires { forall x:int. mem x !lv ->
      lp x /\ x >= 0 }
    requires { forall x:int. unassigned (current_timestamp rhob) x -> lp x }
    ensures { forall x:int. mem x !lv ->
      lp x /\ x >= 0 }
    ensures { forall x:int. unassigned (current_timestamp rhob) x -> lp x }

    (* Unifier properties. *)
    (* The final unifier is obtained by composition with
       the first one and some given factor. *)
    ensures { sc rho.unifier result.unifier_factor =
      result.final_unifier.unifier }
    (* Any possible unifier obtained in such a way can be
       factorised with the final unifier as factor. In fact,
       the factorisation is trivial, so we can avoid existentials. *)
    ensures { forall s:int -> (fo_term int int).
      let s' = sc rho.unifier s in
      st t1.model_fo_term_field s' = st t2.model_fo_term_field s' ->
      s' = sc result.final_unifier.unifier s }
    (* It is of course an unifier. *)
    ensures { let s0 = result.final_unifier.unifier in
      st t1.model_fo_term_field s0 = st t2.model_fo_term_field s0 }
    ensures { let s0 = result.final_unifier.unifier in
      let s1 = rho.unifier_base_model in
      sc s0 s1 = s0 = sc s1 s0 }
    ensures { let s0 = result.final_unifier.unifier in
      let s1 = rho.unifier in
      sc s0 s1 = s0 = sc s1 s0 }

    (* Variant postconditions. *)
    (*ensures { result.unassigned_set = s ->
      rho.unifier = result.final_unifier.unifier /\
      rho.unifier_base_model = result.final_unifier.unifier_base_model }
    ensures { result.unassigned_set <> s ->
      cardinal result.unassigned_set < cardinal s }
    ensures { forall x:int.
      mem x fv /\ AS.model result.final_unifier.unifier_base x = None ->
      mem x result.unassigned_set }
    ensures { forall x y:int.
      mem x fv /\
      is_fo_term_free_var_in_fo_term y (
        eval result.final_unifier.unifier_base_model x)
        -> mem y fv }*)
    raises { UnificationFailure -> precede (old rhob) rhob /\ correct rhob
    (*-> forall s:int -> (fo_term int int).
      let s' = sc rho.unifier s in
      st t1.model_fo_term_field s' <> st t2.model_fo_term_field s'*) }
    diverges (* variant { 0 } *)
    (*variant { S.cardinal s , it1 + it2 ,
      size_fo_term t1.model_fo_term_field +
      size_fo_term t2.model_fo_term_field }*)
  =
    let t1m = t1.model_fo_term_field in
    let t2m = t2.model_fo_term_field in
    match destruct_fo_term t1 , destruct_fo_term t2 with
      | NLCVar_fo_term x , NLCVar_fo_term y ->
        assert { t1m = Var_fo_term x } ;
        assert { t2m = Var_fo_term y } ;
        if x = y
        then { final_unifier = rho ;
          unifier_factor = subst_id_fo_term (*;
          unassigned_set = s*) }
        else let bx = BA.get rhob x in
          match bx with
            | Cons (Assign bx) _ -> (*checkit rho x it1 ;*)
              let bxm = bx.model_fo_term_field in
              let rhobm = rho.unifier_base_model in
              let rhoi = rho.unifier in
              assert { bxm = rhobm x (*/\ mem x fv*) } ;
              assert { st bxm rhoi = sc rhobm rhoi x = rhoi x = st t1m rhoi
                && forall s:int -> (fo_term int int).
                  st bxm (sc rhoi s) = st t1m (sc rhoi s) } ;
              let res = unification_term bx t2 lv rhob rho lp (*
                fv s (it1-1) it2*) in
              let rhoi' = res.final_unifier.unifier in
              assert { st bxm rhoi' = sc rhobm rhoi' x
                = rhoi' x = st t1m rhoi' && st bxm rhoi' = st t1m rhoi' } ;
              res
            | _ -> let by' = BA.get rhob y in
              match by' with
                | Cons (Assign by') _ -> (*checkit rho y it2 ;*)
                  let bym = by'.model_fo_term_field in
                  let rhobm = rho.unifier_base_model in
                  let rhoi = rho.unifier in
                  assert { sdata_inv (Assign by') } ;
                  assert { bym = rhobm y (*/\ mem y fv*) } ;
                  assert { st bym rhoi = sc rhobm rhoi y = rhoi y = st t2m rhoi
                    && forall s:int -> (fo_term int int).
                      st bym (sc rhoi s) = st t2m (sc rhoi s) } ;
                  let res = unification_term t1 by' lv rhob rho lp (*fv s it1 (it2-1)*) in
                  let rhoi' = res.final_unifier.unifier in
                  assert { st bym rhoi' = sc rhobm rhoi' y
                    = rhoi' y = st t2m rhoi' && st bym rhoi' = st t2m rhoi' } ;
                  res
                | _ -> bottomvar rhob rho y ;
                  bottomvar rhob rho x ;
                  if x < y
                  then assign x t2 lv rhob rho lp (*fv s*)
                  else assign y t1 lv rhob rho lp
              end
          end
      | NLC_App f1 l1 , NLC_App f2 l2 ->
        let l1m = l1.model_fo_term_list_field in
        let l2m = l2.model_fo_term_list_field in
        let f1m = f1.model_symbol_field in
        let f2m = f2.model_symbol_field in
        assert { t1m = App f1m l1m } ;
        assert { t2m = App f2m l2m } ;
        match destruct_symbol f1 , destruct_symbol f2 with
          | NLCVar_symbol f1 , NLCVar_symbol f2 -> if f1 = f2
            then (
              assert { forall l1 l2:fo_term_list int int,
                s1 s2:int -> (fo_term int int).
                st (App f1m l1) s1 = st (App f2m l2) s2 <->
                stl l1 s1 = stl l2 s2 } ;
                unification_term_list l1 l2 lv rhob rho lp (*fv s it1 it2*)
              )
            else raise UnificationFailure
        end
      | NLCVar_fo_term x , NLC_App f l ->
        let fm = f.model_symbol_field in
        let lm = l.model_fo_term_list_field in
        assert { t1m = Var_fo_term x } ;
        assert { t2m = App fm lm } ;
        let bx = BA.get rhob x in
        match bx with
          | Cons (Assign bx) _ ->
            (*checkit rho x it1 ;*)
            let bxm = bx.model_fo_term_field in
            let rhobm = rho.unifier_base_model in
            let rhoi = rho.unifier in
            assert { bxm = rhobm x } ;
            assert { st bxm rhoi = sc rhobm rhoi x = rhoi x = st t1m rhoi
              && forall s:int -> (fo_term int int).
                st bxm (sc rhoi s) = st t1m (sc rhoi s) } ;
            let res = unification_term bx t2 lv rhob rho lp (*
              fv s (it1-1) it2*) in
            let rhoi' = res.final_unifier.unifier in
            assert { st bxm rhoi' = sc rhobm rhoi' x
              = rhoi' x = st t1m rhoi' && st bxm rhoi' = st t1m rhoi' } ;
            res
          | _ -> assign x t2 lv rhob rho lp (*fv s*)
        end
      | NLC_App f l , NLCVar_fo_term x ->
        let fm = f.model_symbol_field in
        let lm = l.model_fo_term_list_field in
        assert { t2m = Var_fo_term x } ;
        assert { t1m = App fm lm } ;
        let bx = BA.get rhob x in
        match bx with
          | Cons (Assign bx) _ -> (*checkit rho x it2 ;*)
            let bxm = bx.model_fo_term_field in
            let rhobm = rho.unifier_base_model in
            let rhoi = rho.unifier in
            assert { bxm = rhobm x } ;
            assert { st bxm rhoi = sc rhobm rhoi x = rhoi x = st t2m rhoi
              && forall s:int -> (fo_term int int).
                st bxm (sc rhoi s) = st t2m (sc rhoi s) } ;
            let res = unification_term t1 bx lv rhob rho lp
              (*fv s it1 (it2-1)*) in
            let rhoi' = res.final_unifier.unifier in
            assert { st bxm rhoi' = sc rhobm rhoi' x
              = rhoi' x = st t2m rhoi' && st bxm rhoi' = st t2m rhoi' } ;
            res
          | _ -> assign x t1 lv rhob rho lp (*fv s*)
        end
    end

  with unification_term_list (t1 t2:nlimpl_fo_term_list) (lv:ref (list int))
    (rhob:subst) (ghost rho:unifier_subst) (ghost lp:int -> bool)
    (*(ghost fv s:S.set int) (ghost it1 it2:int)*) :
    unification_return
    (* Invariant requirements. *)
    requires { nlimpl_fo_term_list_ok t1 }
    requires { nlimpl_fo_term_list_ok t2 }
    requires { unifier_subst_ok rhob rho }
    requires { forall y:int. is_fo_term_free_var_in_fo_term_list y
      t1.model_fo_term_list_field -> y >= 0 }
    requires { forall y:int. is_fo_term_free_var_in_fo_term_list y
      t2.model_fo_term_list_field -> y >= 0 }

    (* Variant requirements. *)
    (*requires { forall x:int.
      is_fo_term_free_var_in_fo_term_list x t1.model_fo_term_list_field ->
        mem x fv }
    requires { forall x:int.
      is_fo_term_free_var_in_fo_term_list x t2.model_fo_term_list_field ->
        mem x fv }
    requires { forall x y:int.
      mem x fv /\
      is_fo_term_free_var_in_fo_term y (eval rho.unifier_base_model x) ->
        mem y fv }
    requires { forall x:int.
      mem x fv /\ AS.model rho.unifier_base x = None -> mem x s }
    requires { forall sp:int -> (fo_term int int).
      let tm = t1.model_fo_term_list_field in
      power_rel rho.unifier_base_model it1 sp ->
      stl tm sp = stl tm rho.unifier }
    requires { it1 >= 0 }
    requires { forall sp:int -> (fo_term int int).
      let tm = t2.model_fo_term_list_field in
      power_rel rho.unifier_base_model it2 sp ->
      stl tm sp = stl tm rho.unifier }
    requires { it2 >= 0 }*)

    (* Invariant ensures. *)
    ensures { unifier_subst_ok rhob result.final_unifier }
    ensures { precede (old rhob) rhob }

    requires { forall x:int. mem x !lv ->
      lp x /\ x >= 0 }
    requires { forall x:int. unassigned (current_timestamp rhob) x -> lp x }
    ensures { forall x:int. mem x !lv ->
      lp x /\ x >= 0 }
    ensures { forall x:int. unassigned (current_timestamp rhob) x -> lp x }

    (* Unifier properties. *)
    ensures { sc rho.unifier result.unifier_factor =
      result.final_unifier.unifier }
    ensures { forall s:int -> (fo_term int int).
      let s' = sc rho.unifier s in
      stl t1.model_fo_term_list_field s' = stl t2.model_fo_term_list_field s' ->
      s' = sc result.final_unifier.unifier s }
    ensures { let s0 = result.final_unifier.unifier in
      stl t1.model_fo_term_list_field s0 =
        stl t2.model_fo_term_list_field s0 }
    ensures { let s0 = result.final_unifier.unifier in
      let s1 = rho.unifier_base_model in
      sc s0 s1 = s0 = sc s1 s0 }
    ensures { let s0 = result.final_unifier.unifier in
      let s1 = rho.unifier in
      sc s0 s1 = s0 = sc s1 s0 }

    (* Variant postconditions. *)
    (*ensures { result.unassigned_set = s ->
      rho.unifier = result.final_unifier.unifier /\
      rho.unifier_base_model = result.final_unifier.unifier_base_model }
    ensures { result.unassigned_set <> s ->
      cardinal result.unassigned_set < cardinal s }
    ensures { forall x:int.
      mem x fv /\ AS.model result.final_unifier.unifier_base x = None ->
      mem x result.unassigned_set }
    ensures { forall x y:int.
      mem x fv /\
      is_fo_term_free_var_in_fo_term y (
        eval result.final_unifier.unifier_base_model x)
        -> mem y fv }*)
    raises { UnificationFailure -> precede (old rhob) rhob /\ correct rhob
    (*-> forall s:int -> (fo_term int int).
      let s' = sc rho.unifier s in
      stl t1.model_fo_term_list_field s' <>
        stl t2.model_fo_term_list_field s'*) }
    diverges (* variant { 0 } *)
     (*variant { S.cardinal s , it1 + it2 ,
      size_fo_term_list t1.model_fo_term_list_field +
      size_fo_term_list t2.model_fo_term_list_field }*)
  =
    let t1m = t1.model_fo_term_list_field in
    let t2m = t2.model_fo_term_list_field in
    match destruct_fo_term_list t1 , destruct_fo_term_list t2 with
      | NLC_FONil , NLC_FONil -> { final_unifier = rho ;
        unifier_factor = subst_id_fo_term (*;
        unassigned_set = s*) }
      | NLC_FOCons u1 q1 , NLC_FOCons u2 q2 ->
        let u1m = u1.model_fo_term_field in
        let u2m = u2.model_fo_term_field in
        let q1m = q1.model_fo_term_list_field in
        let q2m = q2.model_fo_term_list_field in
        assert { t1m = FOCons u1m q1m /\ t2m = FOCons u2m q2m } ;
        assert { forall a c:fo_term int int,b d:fo_term_list int int,
          s1 s2:int -> (fo_term int int).
          stl (FOCons a b) s1 = stl (FOCons c d) s2 <->
          st a s1 = st c s2 /\ stl b s1 = stl d s2 } ;
        let rho0 = rho.unifier in
        let rho2 = unification_term_list q1 q2 lv rhob rho lp (*fv s it1 it2*) in
        let rho2f = rho2.final_unifier in
        let rho20 = rho2f.unifier in
        assert { forall s:int -> (fo_term int int).
          stl t1m (sc rho0 s) = stl t2m (sc rho0 s) ->
            stl q1m (sc rho0 s) = stl q2m (sc rho0 s) &&
            sc rho0 s = sc rho20 s &&
            st u1m (sc rho20 s) = st u2m (sc rho20 s) } ;
        (*let u = rho2f.iteration in*)
        (*let ghost aux_ (u_:unit) : (int,int)
          returns { (it'1,it'2) ->
            (rho2.unassigned_set = s -> it1=it'1 /\ it2 = it'2) /\
            (forall sp:int -> (fo_term int int).
              power_rel rho2f.unifier_base_model it'1 sp ->
              stl t1m sp = stl t1m rho20) /\
            (forall sp:int -> (fo_term int int).
              power_rel rho2f.unifier_base_model it'2 sp ->
              stl t2m sp = stl t2m rho20) /\
              it'1 >= 0 /\
              it'2 >= 0 }
        = if rho2.unassigned_set = s
          then (it1,it2)
          else ( assert { forall sp:int -> (fo_term int int).
            power_rel rho2f.unifier_base_model u sp ->
            sp = rho2f.unifier } ; (u,u) ) in
        let (it1,it2) = aux_ () in*)
        let rho3 = unification_term u1 u2 lv rhob rho2f lp
          (*fv rho2.unassigned_set it1 it2*) in
        let rho30 = rho3.final_unifier.unifier in
        assert { forall s:int -> (fo_term int int).
          stl t1m (sc rho0 s) = stl t2m (sc rho0 s) ->
            sc rho0 s = sc rho20 s &&
            st u1m (sc rho20 s) = st u2m (sc rho20 s) &&
            sc rho30 s = sc rho0 s } ;
        let rhof3 = rho3.unifier_factor in
        assert { stl q1m rho30 = stl (stl q1m rho20) rhof3
          = stl (stl q2m rho20) rhof3 = stl q2m rho30 } ;
        { final_unifier = rho3.final_unifier ;
          unifier_factor = ghost sc rho2.unifier_factor rho3.unifier_factor (*;
          unassigned_set = rho3.unassigned_set*) }
      | NLC_FONil , NLC_FOCons u q ->
        (*assert { forall s:int -> (fo_term int int).
          subst_fo_term_list t1m subst_id_symbol s = FONil /\
          let um = u.model_fo_term_field in
          let qm = q.model_fo_term_list_field in
          stl t2m s = FOCons (st um s) (stl qm s) } ;*)
        raise UnificationFailure
      | NLC_FOCons u q , NLC_FONil ->
        (*assert { forall s:int -> (fo_term int int).
          subst_fo_term_list t2m subst_id_symbol s = FONil /\
          let um = u.model_fo_term_field in
          let qm = q.model_fo_term_list_field in
          stl t1m s = FOCons (st um s) (stl qm s) } ;*)
        raise UnificationFailure
    end

  let conflict (t1 t2:nlimpl_fo_term_list) (rhob:subst) (ghost rho:unifier_subst) : unit
    requires { sdata_inv (PConflict t1 t2) }
    requires { unifier_subst_ok rhob rho }
    diverges
    ensures { unifier_subst_ok rhob rho }
    (* Useless : trivial consequence of unifier_subst_ok rhob rho.
    ensures { smodel (current_timestamp rhob) =
      smodel (current_timestamp (old rhob)) }*)
    ensures { precede (old rhob) rhob }
    (*raises { UnificationFailure -> unifier_subst_ok rhob rho }*)
    (*raises { UnificationFailure -> (current_timestamp rhob).table =
      (current_timestamp (old rhob).table }*)
    raises { UnificationFailure -> precede (old rhob) rhob /\ correct rhob }
  =
    label Init in
    let l = ref Nil in
    let t = stamp rhob in
    let lp = unassigned_vars rhob in
    let u = try Some (unification_term_list t1 t2 l rhob rho lp)
    with UnificationFailure -> None end in
    label Mid0 in
    match u with
      | Some _ -> match !l with
          | Nil -> raise UnificationFailure
          | Cons v _ -> backtrack t rhob ;
            assert { backtrack_to (rhob at Init) (rhob at Mid0) rhob } ;
            label Middle in
            add v (PConflict t1 t2) rhob ;
            assert { (forall t:timesubst,x:int. unassigned t x ->
              let u = smodel t x in match table t x with
                | Nil -> u = Var_fo_term x
                | Cons (PConflict _ _) _ -> u = Var_fo_term x
                | _ -> false end &&
              u = Var_fo_term x) &&
              (forall x:int.
              x <> v -> smodel (current_timestamp rhob) x =
                smodel (current_timestamp (rhob at Middle)) x) &&
              lp v &&
              unassigned (current_timestamp (rhob at Middle)) v &&
              unassigned (current_timestamp rhob) v &&
              (let u = current_timestamp rhob in
               let u' = current_timestamp (rhob at Middle) in
               let ut = u.time in
               let utb = u.table in
               let us = u.size in
               u = { time = u.time ; table = u.table ; size = u.size } /\
               u' = { time = u'.time ; table = u'.table ; size = u'.size }) &&
              smodel (current_timestamp rhob) v = Var_fo_term v =
              smodel (current_timestamp (rhob at Middle)) v &&
              extensionalEqual (smodel (current_timestamp rhob))
                (smodel (current_timestamp (rhob at Middle))) &&
              smodel (current_timestamp rhob) = smodel (current_timestamp (rhob at Middle)) } ;
            assert { (forall x:int.
              x <> v -> unassigned (current_timestamp (rhob at Middle)) x ->
              unassigned (current_timestamp rhob) x) &&
              (forall x:int.
                unifier_base_model rho x = Var_fo_term x ->
                unassigned (current_timestamp (rhob at Middle)) x &&
                unassigned (current_timestamp rhob) x) }
        end
      | None -> backtrack t rhob ;
        assert { backtrack_to (rhob at Init) (rhob at Mid0) rhob }
    end

  let rec conflicts (lv:list sdata) (rhob:subst) (ghost rho:unifier_subst) : unit
    requires { list_forall sdata_inv lv }
    requires { unifier_subst_ok rhob rho }
    ensures { unifier_subst_ok rhob rho }
    (*ensures { smodel (current_timestamp rhob) = smodel (current_timestamp (old rhob)) }*)
    ensures { precede (old rhob) rhob }
    diverges (* variant { lv } *)
    raises { UnificationFailure -> correct rhob /\ precede (old rhob) rhob }
  =
    match lv with
      | Nil -> ()
      | Cons (Assign _) q -> conflicts q rhob rho
      | Cons (PConflict t1 t2) q -> conflict t1 t2 rhob rho ; conflicts q rhob rho
    end

  let rec unif_conflicts (lv:list int) (rhob:subst) (ghost rho:unifier_subst) : unit
    requires { forall x:int. mem x lv -> x >= 0 }
    requires { unifier_subst_ok rhob rho }
    ensures { unifier_subst_ok rhob rho }
    ensures { precede (old rhob) rhob }
    diverges (* variant { lv } *)
    raises { UnificationFailure -> correct rhob /\ precede (old rhob) rhob }
  =
    match lv with
      | Nil -> ()
      | Cons v0 q -> conflicts (get rhob v0) rhob rho ; unif_conflicts q rhob rho
    end

  let unify_term_list (t1 t2:nlimpl_fo_term_list) (watch:ref (list int))
    (rhob:subst) (ghost rho:unifier_subst) :
    unification_return
    requires { !watch = Nil }
    requires { nlimpl_fo_term_list_ok t1 }
    requires { forall x:int. is_fo_term_free_var_in_fo_term_list x
      t1.model_fo_term_list_field -> x >= 0 }
    requires { nlimpl_fo_term_list_ok t2 }
    requires { forall x:int. is_fo_term_free_var_in_fo_term_list x
      t2.model_fo_term_list_field -> x >= 0 }
    requires { unifier_subst_ok rhob rho }
    diverges
    ensures { unifier_subst_ok rhob result.final_unifier }
    ensures { result.final_unifier.unifier = sc rho.unifier result.unifier_factor }
    ensures { precede (old rhob) rhob }
    ensures { forall s:int -> (fo_term int int).
      let s' = sc rho.unifier s in
      stl t1.model_fo_term_list_field s' = stl t2.model_fo_term_list_field s' ->
      s' = sc result.final_unifier.unifier s }
    ensures { let s0 = result.final_unifier.unifier in
      stl t1.model_fo_term_list_field s0 =
        stl t2.model_fo_term_list_field s0 }
    raises { UnificationFailure -> correct rhob /\ precede (old rhob) rhob }
  =
    let lp = unassigned_vars rhob in
    let u = unification_term_list t1 t2 watch rhob rho lp in
    unif_conflicts !watch rhob u.final_unifier ;
    u

  (*let rec conflicts (lv:list sdata) (rhob:subst) (ghost rho:unifier_subst) : unit
    requires { list_forall sdata_inv lv }
    requires { unifier_subst_ok rhob rho }
    ensures { unifier_subst_ok rhob rho }
    raises { UnificationFailure ->  }*)

  (*
  let rec ghost term_free_var_set (t:fo_term int int) (it:int)
    (rho:unifier_subst) : set int
    requires { unifier_subst_ok rho }
    requires { it >= 0 }
    requires { forall sp:int -> (fo_term int int).
      power_rel rho.unifier_base_model it sp ->
      st t sp = st t rho.unifier }
    ensures { forall x:int. is_fo_term_free_var_in_fo_term x t ->
      mem x result }
    ensures { forall x y:int.
      is_fo_term_free_var_in_fo_term x (eval rho.unifier_base_model y) /\
      mem y result -> mem x result }
    variant { it , size_fo_term t }
  =
    match t with
      | Var_fo_term x -> let rho0 = rho.unifier_base_model in
        let rhoi = rho.unifier in
        if it = 0
        then (assert { t = st t subst_id_fo_term = st t rhoi &&
          t = st t (sc rhoi rho0) = st t rho0 && rho0 x = t } ;
          assert { forall y:int. is_fo_term_free_var_in_fo_term y (rho0 x) ->
            y = x } ;
          add x empty)
        else
          let t2 = eval rho0 x in
          (assert { forall sp:int -> (fo_term int int).
            power_rel rho0 (it-1) sp ->
            power_rel rho0 it (sc rho0 sp) &&
            st t2 sp = st t (sc rho0 sp) = st t rhoi =
            st t (sc rho0 rhoi) = st t2 rhoi && st t2 sp = st t2 rhoi } ;
            add x (term_free_var_set t2 (it-1) rho))
      | App _ l -> assert { forall s s2:int -> (fo_term int int).
        st t s = st t s2 <-> stl l s = stl l s2 } ;
        term_list_free_var_set l it rho
    end

  with ghost term_list_free_var_set (t:fo_term_list int int) (it:int)
    (rho:unifier_subst) : set int
    requires { unifier_subst_ok rho }
    requires { it >= 0 }
    requires { forall sp:int -> (fo_term int int).
      power_rel rho.unifier_base_model it sp ->
      stl t sp = stl t rho.unifier }
    ensures { forall x:int. is_fo_term_free_var_in_fo_term_list x t ->
      mem x result }
    ensures { forall x y:int.
      is_fo_term_free_var_in_fo_term x (eval rho.unifier_base_model y) /\
      mem y result -> mem x result }
    variant { it , size_fo_term_list t }
  =
    match t with
      | FONil -> empty
      | FOCons x q -> assert { forall s s2:int -> (fo_term int int).
        stl t s = stl t s2 <->
        st x s = st x s2 /\ stl q s = stl q s2 } ;
        union (term_free_var_set x it rho)
        (term_list_free_var_set q it rho)
    end

  (* Two main
     functions, far more preferable for the user than
     the incredibly ugly functions before !
     Unification functions which are :
       1) sound (if it returns, then it returns an unifier factor+
         if it fails, then there is no unifier factor)
       2) complete/terminating (either case is true) *)

  let unify_term (t1 t2:nlimpl_fo_term) (rho:unifier_subst) : unify_return
    requires { nlimpl_fo_term_ok t1 }
    requires { nlimpl_fo_term_ok t2 }
    requires { unifier_subst_ok rho }
    (* Factorisation using previous unifier. *)
    ensures { sc rho.unifier result.factor =
      result.usubst.unifier }
    (* All possible unifier factorisable using rho
       can be factorised using the generated one. *)
    ensures { forall s:int -> (fo_term int int).
      let s' = sc rho.unifier s in
      st t1.model_fo_term_field s' = st t2.model_fo_term_field s' ->
      s' = sc result.usubst.unifier s }
    (* this is an unifier. *)
    ensures { let s0 = result.usubst.unifier in
      st t1.model_fo_term_field s0 =
        st t2.model_fo_term_field s0 }
    ensures { unifier_subst_ok result.usubst }
    (* There is no unifier factorisable by rho. *)
    raises { UnificationFailure -> forall s:int -> (fo_term int int).
      let s' = sc rho.unifier s in
      st t1.model_fo_term_field s' <>
        st t2.model_fo_term_field s' }
  =
    let it = rho.iteration in
    let fv = term_free_var_set t1.model_fo_term_field it rho in
    let fv = union fv (term_free_var_set t2.model_fo_term_field it rho) in
    let res = unification_term t1 t2 rho fv fv it it in
    { usubst = res.final_unifier ; factor = res.unifier_factor }

  let unify_term_list (t1 t2:nlimpl_fo_term_list) (rho:unifier_subst) :
    unify_return
    requires { nlimpl_fo_term_list_ok t1 }
    requires { nlimpl_fo_term_list_ok t2 }
    requires { unifier_subst_ok rho }
    ensures { sc rho.unifier result.factor =
      result.usubst.unifier }
    ensures { forall s:int -> (fo_term int int).
      let s' = sc rho.unifier s in
      stl t1.model_fo_term_list_field s' = stl t2.model_fo_term_list_field s' ->
      s' = sc result.usubst.unifier s }
    ensures { let s0 = result.usubst.unifier in
      stl t1.model_fo_term_list_field s0 =
        stl t2.model_fo_term_list_field s0 }
    ensures { unifier_subst_ok result.usubst }
    raises { UnificationFailure -> forall s:int -> (fo_term int int).
      let s' = sc rho.unifier s in
      stl t1.model_fo_term_list_field s' <>
        stl t2.model_fo_term_list_field s' }
  =
    let it = rho.iteration in
    let fv = term_list_free_var_set t1.model_fo_term_list_field it rho in
    let fv = union fv
      (term_list_free_var_set t2.model_fo_term_list_field it rho) in
    let res = unification_term_list t1 t2 rho fv fv it it in
    { usubst = res.final_unifier ; factor = res.unifier_factor }
  *)

end
why3-1.6.0/examples/prover/Unification/000077500000000000000000000000001440160026300200075ustar00rootroot00000000000000why3-1.6.0/examples/prover/Unification/why3session.xml000066400000000000000000003661451440160026300230460ustar00rootroot00000000000000

















 
 
  
  
   
   
   
   
   
   
  
  
  
  
  
 
 


 
 
  
  
   
   
    
    
     
     
      
      
       
       
        
        
         
         
          
          
           
           
           
          
          
         
         
        
        
       
       
      
      
     
     
    
    
   
   
  
  
  
  
  
  
  
  
 
 
 
 
  
  
  
  
  
  
  
  
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
   
   
   
   
   
   
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
 
 
 
 
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
 
 
 
 
  
  
   
   
   
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
  
  
  
  
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
  
  
  
  
  
  
  
  
  
  
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
  
  
  
  
  
  
  
  
  
  
  
  
  
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
  
  
  
  
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
  
  
  
  
   
   
   
   
   
   
  
  
  
  
   
   
   
   
   
   
  
  
  
  
   
   
   
   
   
   
  
  
  
  
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
  
  
  
  
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
  
  
  
  
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
  
  
  
  
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
  
  
  
  
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
    
    
    
   
   
   
   
   
   
   
   
  
  
  
  
  
  
  
  
  
  
   
   
    
    
    
    
    
     
     
     
    
    
    
    
    
    
    
    
    
    
    
    
    
    
    
    
    
    
    
    
   
   
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
   
   
   
   
   
   
  
  
  
  
  
  
  
  
 
 
 
 
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
 
 
 
 
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
   
   
   
   
   
   
  
  
  
  
  
  
  
  
  
 
 
 
 
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
   
   
    
    
    
    
    
    
    
    
    
    
    
    
    
    
    
    
    
    
    
    
    
   
   
  
  
  
  
  
  
  
  
  
  
  
  
  
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
  
  
  
  
   
   
   
   
   
   
   
   
   
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
   
   
    
    
    
    
    
    
    
    
    
    
    
    
    
    
    
    
    
    
    
    
    
   
   
  
  
  
  
   
   
    
    
    
    
    
     
     
     
    
    
    
    
    
    
    
    
    
    
    
    
    
    
    
    
    
    
    
    
   
   
  
  
  
  
  
 
 
 
 
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
 
 
 
 
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
 
 
 
 
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
 
 



why3-1.6.0/examples/prover/Unification/why3shapes.gz000066400000000000000000001424611440160026300224570ustar00rootroot00000000000000]8y_Qw=s$~cеF09m•y:ёՙQU")\d-YaIhi)~oO?~//ߟyc;|ˇק_?|_m_~˧`_?VAOҧũ=[{S˷_>$M$&*>__\?~|?Ꟈ?>^lFoVܷa/.g~m%1?,O3S\DxͺX;q>ޏO_E lOz}&c~xN7)uq^~~|.s.?>|zۧ/ߞAm.yO^?~z`IGn߈>%dŝ>$?@*uAupP]:gt~hG͜ _ЕNf_?SmzRRٓ=Ux8*P8CZsβjy,gRq8+
GfBk{JoIXn?^??_OU?
xQ?~U5l"qg8T~=goѶ>䓻\S{*oS85|2&n.><եVxaREs\\9yytJȷ7|ݳ,o8ej\G|?ՋL}2YŢxQPI+-4ы{;q,O-aLcL@LϽ;be}[Ku|FѠh2boZ%(qd_}y;AI)Φ,Yݭq]?T[< ˴h}HOl'{J2-UTϹg6ZQ73U4ZӿR/+Nh~ȍ_<[>&GR%N6؎^tnbMF-'nZRnUC+/P]UWd7tS-Wb'}LjzB0fVw
Up}$XwZռ;v|#U}֧,TouitUG=R`#	DXm&Xǒuk	ԏܾjzmuQ,dh+Kw;Nb8:޶;zJ*;Gnc#pɺ.coRlҩA]$IKJW~ߝI5C܀&3ŝu*V%*GQ
'*xs90ge\vek
i|4Ԁs^b(1p[iYbScx/_#1RVwDK G_:uzyyק-ͣ+
LŞ>9|nm!?X])'?ڧK*o'<]R%t	Տ=]%t̹֧?ě>=z?^Dvbkó1JdL`P2JG%(0QRq0`!\p?JH7IN(QуsRb115#&n`a	ٯujJp^7߮bUc6V*U!]Ľ3%7n'{GS^'ēx]$/PX/DbZ$-TM3U%y'B:w*=g5)v=U~~N4="rB }$ex?]WN^I,.ju$ݴ©JMx({iVr™M`V鏑p4&04M`7`(wDj(ːAQkV7@Q(}O=T:*~J.P٣Q(ӿ^~xjvK#Cx
aၞg3l O'I%ZG. wÅ<`ex'S1i
EƋ^[Ɗ# 
UțFF#>{dܭoB&BdtcGȈ
2,ߎTd 12 2ÃCFkk-.4H$'"{FiQkv@u@.RܐH$]0@ !lIKb6/_q#a$_#Bj½`eSh#lMQ#Pxn>va[$[Z˖X}ѷ[ڐ-lllaU(^&"iïN{ܭn-#ӱ@B[lf4kʖe;@-B$D$D:·H7=0@!it9*;:йz@!2}
1q@"vZC~"!0M	c1-*+EƛNvCv0/MBP(L H"0Z@ -jFm@GL	 Ȃd9A" HjA, B.x	1UC{!An;5h0Y
z ċd{w2@h_&?^vKF?e0mr/Hm"҆%P!?hua;T;D߶QO HfQ˞vo#C?SN<<Чo>&=Y~Ph,r;*eQbR>ce@ē(5x\-;H{.2=0oɲࡼYry0)S'NHMf7Fؚ$>|Q=gnI}a::hl@hܫNo:쮡m߇m^kHuDgX $h utfO8yx`|MGds(
F^7YDzz&(M|,XlyLN^	jvxM<6>
~IV(Bө"EFՇ;7qW}_C;qCܮno:w?ˍ~Q3yb-abԥ
k@`eMA=KKy|Oc7;0>;dVVv$VR[vߕ?[;_mBU)>݂/WU߿,|_zra~&xb>#fQA_N[Ugl7W,{7ttuc?0;k/grd._Oj3q*$5E*RyIkxGRrW/?ʼe蝨~Ik_q**ؑ}CCuytK1aI40
D`AƸo};MGw^-0hQ{LW
9@ MBzDVp?xwOW5̆׌1wӼN#d!,DB#Kz6Y@pS!T|Jvt!{@@E`)ZlUHA2R2YEV +Ê`p*BѣQT!^	bdԎm	
b庱29PqRk%"0|h(E"(Ձf
(Ly<@CT'p8Xwa@ t#aa"'^m[*`PMm	
d`lE<"H{&26dO}#&0ѫb1cXbC	Bx^õ};|X13@.@ 
YT@*\ޡ=/{O쥙W3@RPeusWv˃Fxr}f-cʰڅ`oytQ3`4U0+0ۥJ":*w'	I<$D}LhU/ՐP$$ 	I?2zqK:cIXhQ$#sz?OGJPG$)ba$Q{Y	tyȚAmR4:C>2ѡ$0u#㣃>:g\F:~)wf|@:G,D
~޿`.1HIi!;bpXHxITۓ][	J~xN	+!]~Ã-y
<=~sA-2hfGRgp{SB7thl52DFП:]G#	ȟpaѴѕϡЍј{dN߆h#%2ZW!nD& 	giP)b1&V$45w5M
0$]_	GxcR\:]	^澠g\u3	-CW{x?OGJA7NZ6a@ 
:5_*dYp/,O)$aaOlSѕ;;ޠ!-X7\sgE6M!<-hј4e77ТE[>OkcJi]3-:KΣEѢS4-:Sǹ_0B	{|Zt-:3.Ãp+g^.+%qG2wx
pՀ aH=`IXay4$M־x &XW>OgcJA$fX)Hٍ$>]`hAH1Gpex_N|utaJбrPu']=x@>Ѓz,Zz=:ےO>|ޞǔFӣM>!Wu6]؍RSu?ǹ_i*==!ĽAU:C2kӝ;bpXH[ȱ'aa<lO@\KhJ0;|}RUëq?_CMo9u>JD|P'eSb2m2?Ƀ?]@s>ite2]xذ)/ך2)M{@N&_I<Ğǔ?&}Q82G[Bh/n@j}|24<42#h$Nt[ih4}xF*4j:1Ѐ1^//{jpjcJQ4TחOOϓukxۏV?_,DB?\%w&]r|V_"$^__΄b6*בbap3>`_sIG߱H`5U6) |ABh{CLat}ZLj1ѽ#!W=_2#<#`88y'5GlmݛzפFFLjMIq#*ofo7'OI UGկTna0"ϿUr||m?:8y'5G(U@b67S?Sq.!%\\7Q?}za( P]p@86*fy%u8חO{2-8##HqŒ,jo#RԶ-^a#ծ]]q/vř㈳(dM`QarweՐAE]=FTP!H/R|4}|2*6|aȖ1"qphZ}Mba
'a0pkn~/0lE~A1K.nY8E^*DTI"ćD	jSb"4:@$Wfs߾<84GhP"n"l!4D)8k2pby<#ToÃ%iaM)C½>Τ҂Z0̧-<~>(/ޓNeZ<-@\-'M"MӢhĴhÆA Q.cx-l;(o;5Cxhգ_:AI<ݬ#ݞToJɞЃ^U.Q1>A #})@">CeyLI<w/iS}DG*/_#6GTEgūӿ>>o/?^?|E~Nh{bMDejdM
j;=Ym/QA6Sw{*5Q6ȭ zTYr
>"xcnۓ$P("O%60k՚
w=?V]ZCj:YSSx~?y9u\pAF;X36=\Ufc&"4M
$rCj)Ok9#
#Ԉ:U=91Mz~pxݸ>6	\4ly}
	KlH[L|anm|o!;T:|3&^ߌ{3+Z>EތƮJzr)EJόȷ1^xQ@NQg3ԙ!$H"vls@xD+?4J́Q6$2Lw[)wSt23	
I4snԈ]yja%@ȉ]Tu@fr,@PչoTcbJ(e"G/gc]9X!+Ap8t]Tq
QpQp U{Pq&5
FJon3玽&kB
x|X5h
Z
zQAZ;jIjɛ5/k}̈f8r-S/!)cg?=
PvύmN`?iR	tJ^G% muA=Q^'p(;KqBʗʏdzb~'7f9`kO&;8"KAdN,uS^2DŽ^dxqT'yw(Y,Jj%;u)͢Q(+q4%aP0e`̣<
((2˕)b6a	B!Ȑe1M4u22͝NNswpGhfSTČ@	2΢l ?:+
w(#{o2,a@@8tp3p_Ƭ!L͢stjD55QMè]xy^Q˷U1U3T2xWf,ǩHS<8 caR`8Kώe26D{3r奛̥؃zs}|"/rЬzr
[b3on=:[ʢ&+:?KJ8	tf=r:驾02TVvOPЈ/9եPxm)ҙ9SE.
؜~AEnˠ#QGz͌8@ IxҢQ-"PD&n`(eh2XFv	d20jݦ/"{!d7t1o2'SuVB\}Spqajjl<55̥Z^F0`ͯuzd:;b1rrY}X׎žvlfm;M`
!50"sZNaO3 \eS<3gxV-ZK[2Ǜ99Y;e^ܔPuEJe\Xl&N
l4Ty0㫠Jc1X$4#*bÞ
/,^JO^:SA<* zفjY F0.,GcH`&E+rUk~nrM+uB洋l
N=:!cNV:PPTu)TnJL'D]B]7zuC1GnG[9
d!
DNqܠs?v3tlP ^DlڋhLV;RpT
o@6F, fC3h2#C`iD!C!_i71ğFsPC	! D`iE!D":i?z}"X'3#vzF!#ZdȈfzj1qwnjM.dF̀1̸Ffyڬ@F{'S\T jF5#4R6:"6W,qҩrZ.,T{0){eTi:#.>aU_΁ 0
\ʜZƆ66ܼy2|o2d8sj,9
H):AQ7"T25("!Q6芦]ԣxzHTb@ԃL=.pԊߨU̧Za@-{0=6!1˴[Դ'b+?iO72ҧ 30ӞA"=Nu_zO
/אBZFYPFo8XoOBTgsyh$cK:9ko	
~~ŠK.ف@v8;6Y+UGз[9I@
}@N%Nee1rJϖ1gx)IXp3T *if,̳z%,P%,(]*cZVgAy	k%IK^
Rkָ(:]~u\C
|D2Yß7i
j~S4u+_7m1%ĤR?ſǑj9&eKFM^&a/{	iOir&g3\l3u e}ʥDT._Ct"D;Vz>:M8B<։uknuT>:pgju`>`QO|i@ 
pbpOX񶎰@X ,n_ҳKjoBS%
bcU]~Mfc@>siGҤj?3Md"M&)Ph'\S0Q("~"Qs	d}Zh1_B&z$-\ĽgZ, &~ien (Iz
YЂ5hV	
WW
HĈPwBd҅V#QCThZQ1K7EI:8,#*^MVe|
po&
Y:xD.4T@@g< %	U:IDJſER2eXthqT	%JbRnX+qP\LVAѤV67] ſpRtMWKO$E'E:]"N)<)sn>)@h%)Fe"-b5)ݫ7r@##Ę9Ff#̋rT|i`֭Q@l89ed1}B~٫9͐v1YEr`Yo-#G͔cxk9YYt)8C9'͘S؛̩TysJn)ԟR!	0*O(REB3FTBzO;@[Ux*qfg
bf|y+!.D8zQ3KYl:X64
B7ԕ))\P=~=OKYʉ+'Eʄ5[4IG3`ٙ 
_pxosE
l6À0!`HoC(2d)rːyQN){	?7bÜzPa>326Ti4o=rR&{Iu76IuiTԫ_!BͲԴY}rLcm$3~=޻ulޛ9U;$	p;!ca=iyZ伃,Q 7ȍuqcyPJ{q^}Еb)+5Af{2㺙q7AՒv!ܳ]Hr~!kB NrX?(;
@<@
UpU@{6A!Bh! [P*wl!`xQ'm!rBܱ*83-8(w;6r8A 4=㠂Ł宂A'5V9|Bݽ8TyWB¸'[թ/st

5%Z kijB]OrlXAZo83beQKt)sUjw@-!ьxkDE:h,:b͆E1EqTÝ\IwND3IkCQkQtuGݯ['>#
U!g9"
A!iJR9Kklk̶>E4ZuS4?VP(OQd
?wLMoE;6=J\ҔWK	ύG	RG	^(PlNy9zmE#vfEֲʺaQ.NlTf+`c:UM"ȅsaS~c)AmvZ@Dٱ8Jysuqrٹ2P_%ΥPs[k2ܗ>oV/D֔|&J=…n6GuKZ.뗘YZK?X|\q^U`잹Ig/u_~a|]Wt\&ف>vll=c$n){3znAFs3yXF=Ws*=	90dr9oJ2N{uq*4OkHU`޼x--;*fT)G:@|%Ìќv]%Pz0oCh%̲̫_	1Uf`F,ygss.͹9,7v/lR|897*ps]73܂ܜ/87K"BN6~=#32yh
,alRVw89*p]31fFΞj"$gfel8=ngT'y}C?8ΟTjQl3.ןdT.T>ijR
edCזw~jGW#SM%Q(U	Dxdٰ.6.Q!D"u@dPM̿Jb&pFZ!&z,n!AUXe^#w;(>n+B0 P0ܩPNYr@HХ ?`B+ܳyށ?x:
0";s5??)矜ޗs]厝T9~? lq~?ܱߏ	Xԝ-'w9?W5|3gdcOM*U`^K`z	1Ds^B %d:O^0\t4x;YÏO"*ť8l=]6DzOgAi3?6n;/ԓB](H6r
9df;_? J%xQ	فhF eُfZl +J>9z{@iBCP	fhrfؙ	q'	(MY,X4+/u*qi6J(n`3f.ό&dF@f3 snP͢xo	afAΪG?I^&(BEcNeS2-rfLc]">*<|ĿGfƘUIV(c.{J|KfOKS`dʇOzDOq?}!FzڍMGeqyxb_)CكyܼkwScoDz-(gQ,(DT/~"H.q/Ie$vyTK`XFCŁ"y}1Tc\Ƹ6]jD#A
2
ojD	#LGS4㲐(se9CQ>	ylHبnKHxbDzmeob_qxfAʅ[2IίFzBBdvu
Uχ[Bë߸_qz1h#zFCv ;7Ύm gZyQ%d(xD!c7(*ׁ2/Q.\BENQYlPr^<-/{r7*9T["Ǜ?9Ycq'xL`*,OT͵ҢnW\U:f%Rz+D+!;xeN+qY$^ۺ?
t̥
f!*@W\lf:dc&O~'-(	NR38=>Nu"Nd.[D\'%Mg˘8{m$ms>'@T@,%gxqzrm3!eƃ=eHI2gl1Gl1ztHzQ8gԮ{FTEkf֢0	}.PO!h(NpB^
~AOAOL/====}BAJEephx+d
Ot('^qr;Hn3cEWCNQ_C-6u<.JءiLGKhkq%(Ҫ/iGY4TzLaAf復"+YEg6jwpT8*|-
n#QugDѰ*4l~IOVXE2YCT;(2["B&z$Ez8HS2D8|C-K Փo)ѫ/iQBF,)PlU~2)Q>B[**tq{
?bCөO4ʢKeuoo/WV(le!D#rY`D}"Joqa*ة¯F\YB-Zd#S4ب)D5\@. V̅2L]{4%M㖈PiBԦqKDȏ'R7K%Ul
p9>%[P>oy3ϛQb5%37-">twk5JZ5p>8,g,AW"?3-aچ
#c5>!ciGC\+>֫:Kف@v\; C̼u7zћent١qnovEuisjL_p
Y{Ov(q8J|5:Ubiq>
l@6 ņ\Ɵ62B!NS#	11I	LDf!Bn0oI%{rW21&ظ¬?Ý&\_*wf]
N)=q:@x s0)`ބQAܩbrPmij$TĈk[d;Fu,C.Թ!QOew[N>E9EkQ(ᷕt3Fa߸fm.>jڿH$ck,:)-)EJDJ;!9TA	巆CCdh&@.N=&鰐5r\ceXpSrZ9rS$<"!&|TN7ҩG@T@&}>W8M:G4(9a/&z(}Ə=iPpm ckRMJ;*<$8.1ܙho-4%[1%S	ra\
M%|,$j*([	//C9’!$7TB¼Ro_խ!1> _ʸlgrcBgj?[gzVXXӳsqfzagpt#\"M!9#Dv yQPlf|};F28#ڐ-2qFFEA-p#M,c# Z=E?ƢΖI,RV2_gET'qf?+gTu+O:,}nφ|:HCDڹ9PtoNxsN{|Hj&KN4*
xDIl,**|
I8]!KT*{Obǩ=Sm<ՔF$ 	E¦d\@D	#St㢐(oMR	9Zh,ƩZhs.j}.h`Z
iƀX#h@x P3WTW[%cTMHNUTdlo?H;)'_03n'jU
7
b?~UdRT3KYy4++1TE`PTr& B*D}7OJY4yp&&
3H_oMa֝ 
_poEe^3W\$nj{HR@$eHRx8]$!I~I/$iߌ$.&AoC^0.R^J_n3S:LKvΟggZl˗gh\W8<[qYk
sS01JA}>n^WBUݼTi /$+
y0/fP]a0g%PCd7	׍$WVEvO.ܹ	3\0[x&*^<Ǯح	~r_LA.3ĭ_x!ǓScLq21'糏9O`1
>PP}-"dbn11WvǐYn1^#`ǐSbLq2n1!s9C`n1My<4(B{V"t}n%К $.niI"%\ԙ8V;͋UQp]oR
:@?øŸ5M4;fsߟ˻P7,hviRO)p151m_㟺įiÛ~I,Q,MMɺ.f(jωsRQ U&xS&`X-6~Kf$
YNiK:
DSgz]j]ܺԽYX\SV@6DP/s8WgԽ9 av:HC!	6Oz'B,(BC?1oOdz@Vg@Xl
*"4ceܫs_А=4N
yȚQ2<#6dUcS,c
v`+9@kW2;QSY}"_{N<_xUuҗ%_!R.G\=s%/JUOܯ8;;_$2_Y$c:)q7d:N$'ՌqN2tR~.N,(+9f=d|zId-pƖRℂp刍+yٸ$Yxx?71PC}-"lp/up$9b8oΛC$QcEَjzI-pƜRHRp}%/WBH['iB$9u8nsR9#\`lj'>P\3ڼ`/|F<}>h2}<}mN8.2vmڎ.<}VTī_!W!H@T<B֙cb^8]e(JSv&52\Vh~ؚ{s#jn%mJ#;ϒok8ҡh.^˰mիR4W3X#Kݘd_~P{ğj:2;
s2i*Cm6XmrEŢboAȐe2F_N5c7}c➹4Ҁ 8q>@mUŝ Y۴unr~> fB'OW'Olxp
υPP;
T#q8@
JWM2qȘe-jU@FşEFus[Kg| O2 aF[BF0o{0Yly*?5FPFoluXoOSPg3wș;KgxjԀfs]Kjx7/F`К_uZd	j5@ëc_0z4d6Bch5Cx <+ƶ3-[MF 1{;,1P$IyѥHRx89cdHCbx$.&AmC^0.R^J_n3`g[?Ψ+/.ӱFW8‘F܊K[S`c~O
&?W
q4TUJy'Eaނ0aHlUYaH>01o.F{PӴw.pL;퀮 
m][[J7hű?uniVgR7&^wv
=5+C.8?LMG|zDr.)Nf.pjv,xWi^W`x35d?~Dn6W)楹b7[70$ԄZ:l~m8XHj;OFUY8Y49'3OB8G(;$`B&@1(j3Ɯɐ9ˍh\r)Nf"dlDf#2C G#7ΑmgbnE2qG⸫IOfL1:%0q9`F'g0Cs̜90f0b]2KӤyW/gC)M!fh	O|6aʎE”#"2K|Lv+["$LfVH$1Bb~[f,Qgq18'0f"3'sLd~2q89D'c"#qr>sf"Ld	/87K"BF/a#}eϘyq93'#r>Ϙs1D1C"$gC7Փj_*{\?n3fC\%q	MUm,0giwG]Ĝ(ia29ʕCw h,))I`^Ü
sA?&v?*ˣ{"{B3/z.ClO0|?81'Qͪ*u#8LjZaN+q0%|~geN=xoO//LYUHLQٯ&\
|k1kx]
XNGV`NH3'_e=YےtlJ;Y
5Y#A=T6)ܳp{l-K┭g1'B.NjaD/IG
-^Q}4̦ڏ}X˶$(Z{/[
п)0&9YhD:11}c1m2TwD/&aa-!]"[@\o2jo`Nw\"fǮTU*漉wjS?M%*OFD)A/O}î*d>E%#=Qs4K#j5w@G'	ͣ&uO7Կdd9EFS/O#'E\gOCNoUI'ce
rzjlM4ad1|D#?
~o1/uE%1
JmL!3"5*)om>qej.AAɄ]suf^4Nqq5#v*
fB:iZ(_/܋ÀjφgeXzR}à}`{{_F`
;HmA,	ָ,ҕv!0.<m4IԒm2|mk
ZcIXRsHq,kK	L1)]ӳM,%ުpŔ÷6X%il1TjT
dp׆YTɌ<e(jwaCO6|mufOafG]Z[zp2ҰU|x
EixvܸV]xD]SmQd|v0WGSSmIN{
?8Ķنu]rʬ*[ke9r9b'JV^QkWhkX3aͤw`%=GPGeqb_h:Hi('s-
To{N-߿jFd=grH$0	frtb6,L
`@06! s͔:dJ17L##ScR^U\&`YҔ\8dJbJyU!SdCL1~>.Is;=FD!O1SOn"$ m B"DHr,Dʭ"D*LcOdz@ 8nHkJd6%MʶpXt7:߱KCDJ_%b'(v aan)Yc4q^JАԣ
7%4=vBxLVxJ\yD{JiZDH~Jܨ%X>쨸oG%y!JlbIХ[hfH],4X
6F]PZ}Z.bW~Ih,42Sh
xk^^
\@3=hyʝYtv/yǽn>>3F,8-lUcMf:>T=.AroHd@NwH-2鷮B)3=wL6vk{h#_ХM,l]P^xW[w[QcCLW*O10/*Q7Q7Y7*"0ejjF{TLԮ>u^6
m?}
!d5{|8Oɱ)CUvTo`
OIRf%xxܵxF'Vx>xo6%ssmI5xoxoꓚTNq؛NZW	OlDY"oo
C
\AHP_T 4{?.&&&ffHPHRևT{fHQ3qp_8P#!	 '3q"|h#ND#
=v\JHȏGpBEVaKsi59Kf$'<'דn'Fq4 9aFZO/ږƉML[ol(D|@6G8x
sGv,>M2> C#4>JU}*ᣎюNTOh=ѶZ{r;j񰱯WL.ifRhp@8Dn|OdӀ:p8m2,
Bb{^\8EgC!ܵCUl4ެxb]LWi}>	L14*>)1oGLiCSZqĔ6bJ{,S:ÀƮ%EW(L!9]B)Y)@l?Ė/Ē`|0LC!rR"
¡TJǣ3l|ʦCȐj1{C!U薊?94CXb'#CzgH]LrZ{W3הA%Ir"'CKuL6LDmDԶvcrQi[KPkEXL<I
qzГ"_d򔔓FcOIgqXO~]x@` 04H$=[.܀G3Ᏺ_|%ƜVA˗gુk&afk?avk4
/UA`eX6SNFn !X[鏥r[R|1!qXb!qpR-#88㖐~"_>SUF
SqoLcGHu:?rQY>$,xYa䞭Ã=GZf6SxVV~Km{֖∸Hڗ]]}_o"ĂŮ= {a E=Zu(D=B ꇉc/77ۦ^g
X-:¬{}To_`kp6/,yLB7JnMK51U=<1oTd2<)ay0)sU=?Aeoow#/-w}/???{+oFU0S%PP'PO.p?wfQx&OSe]3S}5at'RׅǗ4hjPau"G0'D\*^m@[g+6|X4|X[à
f>o0E}N#˼dܲXm diS;pWuA75KdxGXr3S
fJgEVtVd,Y4̍"k|f99~jAY!NTd6Ql/`{PsZ vMQ z0!Vю(l=<E~"E@n(}>JU@4+@Q{^fF4~aA6y@-euY\uTA$ 	MaB,@J %D	B!X)$TO`fN5PGd&%;v#Nag#N?N!v"vX4Ͼ`v]/ zsܲ3}&P[We"	{@BAF"('zr"[l q8WL	P߅F kӿ^"~x΅x.wǣdM#['+ف@v3@]ۋ`{ @P:[uǁ`rT栌?3mbTY(43.^<WX!S ֩69A+|#XiJXit4+}Nc%j2ڞJ2!VrӢ-cESiSC.^o@@V£G)JPjcCKm2QQZ2%
bWDm5DoSSQ(rK(uDDY@H $nܑ,(GY,x^jnD"DS>a@W6z//ߞ燞k0]6[Y?pwϷ{!6D6bCYH*}qu&EEĢItXǮ4Uwzo&R^}Qgx&Os6o)`iݦM#4^7^I_Uu3H]
;jͯ-heW~@TRjP;!yvvē8V,#cH00UwZ~3l'\W;]=%i$	f0
*q
--<p@գQkU7	FQ(t*DD^P0E:&ѕ=q{Tɞ3RbYpvYKbҀD|(_;X#dk9E8SEp7kN}r^T0?33܆OΕj}ܥ5l.F*xy+Iv☜7)YU!/KޤVoTHΤcew7iL7i~NP0B$<mF
QZ2ڪccslޤͣ<)IP@HPz(of@y_iSdM1 <ԩ/;V/6̓e{pҕz!&1+-P/tK)U57֮*.l?cHUiRT"nYU}]VV=談Bֵ.~]ͫe&_5l{n7yC\`=1&gb8۷YLB3܅~2FGyw_?{	lj[ބS!۝?[ъg䴿W??}4qzzdקB+R@SgiY쉗9nGb{.Eqώ*Jgˮ`qe9?_Ǡ5!5	`WwW

̈+1Ty#잇ٶ[D?#k>K%ų[Ayd ;ɛ/o8֔N15t3oKNSոݙ6]K//ĿLM/_ѵ?~,9yD.<>u]CMnv/7ASy?W~5ۘ_Zz~u,GǍ_{_=s֍;L~joΣd|-$x>?dӷ	?)VlBSfm~Vn_qϸMmt?w^}8ڛX#~P]-O&`_л?_>
*qKn)Տ|:|׿y{.ޯ}]?AQ7-Ưj="{OW:z_Fg?o##8p3HrJpQ~8vkųR?Z
g:o&4oݿYrԿA#EV6v>߅~K>|m8HݧȿC|_	S2u
]WFq8˺J֕Ӡ';NWs~ǎ߱w;Gp;+ϸ+_?
}EDZ:OA7~{g~)/ @H/l"o@oy
>|bw}	o8}jϝg?ίi	y+~\S?=Ʒ›_zO!d?A_(ė_v_C@П??4)|yy7gw^v%X@_S_:o!D>ȗ|ȗl|KS5?fDO×sdYtoD?rL2O*a}K_Ρ̮'wSj>VK#~J~o7uxojG#|EJ
}̞1>]X->h>´9gyI;YsakeϟL)a|_^Sv`4a4]5۽ӊYkns3oFycuXg/%n1qٕ]z,{6l#,?]pKr=FP-Kiq3B7+LwleVmn^|9O03n]6][ǹ\;/Y/ֹe.9<6>Z[6lel=iױ}>ƽg3}|$P̜<_%~%Vךq;,g-dw-skl%l3xl3ʝ/tWbq`峮)Zc]]N6-97L6q	_f	?0S9JLń|.
9I)\Q/pf
ѥcct-SqA:g/i|zڣt"?)R]{(f0+O7m4	uTV}+kc}-a^_Af<ǵxӽF9d@\-gugkފ&[jHJ1sO=m?ؠJHn'fJ5!@:I7Jէ^횽.T,?"H5Ά}Ԝ[-у%dA]%EH)d1Q`=F8u(	cFc}hpK[~GfL!e	1;ڙ)?s.me@$!)?Gp$QYlM>6;c$f&i2ML<, 6l#Vz8}l5[(Al:l
N[[JC$xON&}1̣Sl9Id=\biC@
61G'-yQ{(0mNX(nH&Yals~PW=à=};Hj5CHXX-?(cUWsh~.VDNDJwnPA_VX0_u'TڀD@=-0dki-G|/^Ȥ(^Li,Xm~.a6fl^_rItUV
l(pBZog>2yax5L8Jeu,IL'結`'{W_<4>buKc$oH0ljy<,	x״K0!ه|K&&\q
>xoi"ZƐ@Y3QI3CT-ۇW-Fx%[:q0鷦0ոr&Jg2el(?aKT^^#oR6=|;*1	%||= &
VM-V!#?DG8q|6NI"YϖN@ٷä!ɭ;Zhl@Hu&]
5	8.@[%Q!w_C\o^qqveyX~aSm$ĝEȘ@!7b#r>PZá{fdw;kxrs|9[Dy"{NnC$NQR&)
NH-"/a~UR
@ţ42'Oьiay C`b7\:aa}xa=&Y[$H5H&)5DO\2ĚjXQHNqndčČ!	lmv	u^^y2ڑBÓAP>rhB:ņuF5fd+yg00d#W*#d6AR\}Z~!SA5t^~,GeGn~a$y`'uTW'	Dx[=:&nPc,eIϓo?B<TgH}[=ݯT!
ApE~"9}.,K	-0q#Tǣ3w?7O	.=.U}	At5#V29Kp$nc9nHB(Pr
yn%1'<オ
|oZt"o["ٮ@zǬ>!a!#EZ3q,4LnrShW,fA$d<5j79$l%InO#	2Se/-uohͣ53ڴZީ&#^kۡ-G3RfIqh)x~!o>Dmz;(rWCQ
9G۳#}S.F*3pڣHxi)CF#/j2װMwBElK#/ٲ50YF#Cƶ&xIߝAU޼T=k ƈzٶJ:3u
ߵJ
O!K(腎͊*W+2#-NW3ØD݇^[Nk5$6,ĩPy]kX
o AO"+2yf:#Rr3k<]1+<3!!XY9rtH}ƂG*8MGN}\=G}ǯ-/zP̾FbQ(;ЦeiaQ64xǙZѳUw6΂+
x[7el5!*B5LOc qh*~Hg;B=
bPz%L BkUr0p,X!&,Q05$LiE𑁲^CzUٶd7\@ly\CasWL	B޿̋q+Q$v+oG#+H{2<47$djJ
n/B8ˬ|LzDg{Gъr[C
X
)D躜26];8$d4kHn':Y.Ύ6.W>3Os2 ^kXY.7j}k&B{ :#"9={-3Nd5$ɽh?h&S4ZY˕U	,-wx◊@QU\"i "`Fӣ
ZHLhAj~0InszJ(Y[yFhDȅT,aR8900mm1v1Ǭ<3VL}v5dwֹl)fU[^
û7Ys#שYXkx*Y@sDI0&w611#FpZg‰ȽNBOoS_ѨnCzfܖ_CXu_B!>	IiM	|a3qv]1
~.SkɊO%ϱvM"`p`l0#OئO`-w/O6u	dZdzӚ2Rv/	$\#io{+v
<*
G_S6Y31Z,>/~Q05G{<[v\CC|
qhpGj!	՝g8V #yݎ4"2	[u5d~=ifiNauC]xQf1ZfأMʤMW*J񝔇@̺ǵ?^Z1QȀi̓^y3/P%FA2$;4Y4&?.
@2ccfQ"^F܉jPJ3\ [&p;H^,><|2*月(ԋ9&HG(4=ڴL,jVyk0Z	@ykBn7aCyC~lOIˌ<dX\*]Οڔo㖍`5~$l:U!T
+yBYVIag@P*dPЅcuv>5 1pmv
!i`댩*8]J7xu"j:9lf$02Lhݒɘ"Ct_BQ2oQrgtg +sXpH*``<DҴqkvP\ ʅY@;<1_gۡ9cxuˤ@YI~~@O"NDp0v
ip%E'm`=@
1ڻʄ\J,|*X/sA$5Zv|c?*Ax Q]j/dh9-HQ5	Ff_Ud_OF2C/T6g 12j
PI>5UhU$YO DkO$JG`LT&;=?>j#?qVA@7"ň\AGjn,m`E4	1ڥF
*.̡TrҭB%*3KXN[F"gfDc"Ǚ|Dh|n\RXڊmʹ}86tMrqOP&kεc.vIV[.\;@2AB/RõH:f_;,)B1PVbxobvQ.VX14xTjA>N.=z 26(*$ap™)t絚ѬfSIb6f)O)p&@q8)ZZkc8f*l\9W_$OhINQ:	§2Z1OWYa
4*HN{bpHX%)|܃HшSUF@r0MbÆ9fL]&vr(~t{DUk33S$c(D%›C=4('={%
)[rHY?ku5
^O7vBqI'(S1]RDR[(n**0HbI \%N%$dtW8xuڤ?[/nCڕ
Vݬ\2*9,lU{ŕZ][HA6ebi%k>kwZSSN3!wȔnٶ&lU`$5ɜ&:Emj7ꘑARGax).bO1TV
1(2|:<8ze j5WbjGHЭ0*".oIr M3P8c6Wp7/u~Ab	ٍ0c2./Cr/c!Poyn_;Rw*E;vdAa~ځRYNLjYk`LڅQ^4:q~/\r*Uu
һF+ER}Q<1`-UmWj^}_T@f1#xO/nbFOYbNwq}(DrQ[(
l3d\Y	ZuJr.n\M,;PL,2;cuܓH!d"[(ѽ=EՄO|_X=
ga%[U];PjE+sxjwu'kW
X'š# Ivtr{D\)yDz`M
dC5b2z⎙{nvB	]~uU>\3+2YcAVCg^lJUffl<,%VzXK˜d7Qy.=I=DB0=(؎昑CsKrvO8ZmMp>DdTŏ{4kxcV`<\Q=vV+KvHe<$c~K4CsdzALi
?[Y5>|~zmI^vX1*SS¤j9)^^43.V}d|	Pw%/j4=t0T"y:qX'^ MJěRj!EXDVT`X@+5Sȋ yq1Kj8$={d۔%mh1VC=P.Hd٢NonǼ@d7D>(>$bI|w"-4s 	l~/6
E8vO1
S:	='HRmfӮD+E\9߭S!XoTNA]@W`F/jBtT2k$:x?g(i"e@(>P. PT	 =3PO?r8gjj>7=՝
)xĀſw]+0#{NPM!RϿ$m-h-rK(teV08LKG Tng(aYƌ+{	}RQQIxG\Ul蠿XLym=Q5谬Zd3R(bgF\ZkX@%NVyz_;I E*/2ڸ^;~ߗ
q`%vZa4>CR#	ش:TCѪ
T,T6udXD}]X Ψӑ-T>ړ~WZK.t-ytRA+IŒr31C5fd~ZbQc1 eE4t:c-WAkK%䴴p1ɗZ=C-ص? s{kŇzد*]Yg#"`	\ORL~׽ZhsuGZtjV
^5CrX>ge/^;YpٮT=Z i
}孴vrUiĒ:Z])9@Y]XmHUPs۵Oh'	>Yj?Z2?[{6ƂQF_zN.U!uzXm2Z׎}蚎SGYO-v5u1UhJ{
9u88
dդ6͇	6(=Y+\]M$^js"#|:ig"-'јƍY,:`3悇&?jpdU#ݎla'V*oEP~SǨ`Np!<4xwQ`̤i!)L~'DBtjlkHsh~vN3l>7=OL;SzC^X?̃`tL)S[JU=ngB4kV0 ҒxŦ	{F6S;90pߨ!1#,TLMoEMmc^5*ԾȍxG:(u8vHZLj5u㜩/Z>,"{^HHur"TKS)\R<Fpe@J}B_g+4u@V,I([3Xj%87lx ygeu|0J2UYHND@]C,hQJN{aAB%1RiZ. NgӦnFǣUש֠[|=}"w"lٜVLhMfjдjش*Yp_Y
"9!-e˨,ʿN)w ^)uRs	v`Q_ܰ:,)3-cmM!VIZf^gx/Lkԃ $uPQ?fmX&ywߐbq)y2:AwĦ3yxM9	
P	P?TР3VŽNTeby鈕tl0C{mLŽS~/Gol* !N8ګOR\+4n3{%@lkau(Z;t
P3HkM<(>hTPطnK8pwu2zZU3gXSL|+ <A^o=3ӖZyÊSk=ճh@6u`Z64H
d KbI0IBZuU_9
x-v5^<.<ҺoٹWj1\	;*Gzk/!5`:~ua:P'mNre[=p>?Z("'9-.uBI8Fzdj:"Gp^;$ĥj$ET§4l7WPPͦ|9^B hZq+P'YTFN-Tx؍ uؿUڲQ͖{v~Ll^ZzӖ
tHIC҄':!*CRTyS^IZ{DPU>Z;tH=@S($
HZ+ExTˤ{=gS[!706u\/
i4,ˎ?~*k#jJ>1YxAc2OlR6)k#H49>' q5?9k,}@۵pl-.tǤol^q( 5*X
%^C'Cբ&	f&jV20.f:͉Շz|hh4T|W'Գu^Q1n!&zuZM'^;2BaooΙ&+&)TZ|>AC$ɁYC[$aޣvClAGMx>vemFHguJZR*s:@ȩPFĴ6hhC|9h.8HLN_Gڍ0/zU(1:JHhCtbNT7OPߍA'M'.4;D= !D0]9mUa6zN:VP=%֡sME>0k`D'd5)P܇ir
=CGאV
[ȂQX6bق}6ݒ>4zu*
, ,ÔG0}M\<oS0bu76$u]8'mC2VCz:k\[=XD	AdɎXVEhSQ҆yZxgX:C
n!Iť(\iJ%f3}Uzw*!Iڮm-}SGtu`#̵ɠ(3+yk^_G#% aXa'RAeS@i8,>"kAѾװ<2FvVAHHbAGGllY|UY|
ɆNѺJ($Zz5柡G[j䔨7di&]-N0*r5O?ߐ՚V":A7J몰+A4{GEh:raTd:}
G`J
AI`}ĝD{0]֙/0i,fQp%T其a:\AoӮ&@EZWϼ@neT8+&P`1lO9ş$3kz5cy}وNG24ڹ8
;ג;纩e-sT[СF+y;jYe&`NYeT~RSox.sF-^ֹ"r
uu#cv(	k3g+;Tkx}3;s:eW[Лa
nuk+Qj8[SOZ:xO:"S!My9^C:|z[{=U3k|qZcQ%%uh$t鍊nV7{X4Vu¿®97U!ҩDwk2ݪړ9~EӌyZD3:ڡQ99m{VTmwҽUN'Uбx>Aob[}Ֆ]
why3-1.6.0/examples/prover/bench.sh000066400000000000000000000167611440160026300171650ustar00rootroot00000000000000#!/bin/sh
# tests for the safe prover

timelimit=60
memlimit=4000

report="report.txt"
reperr="report_errors.txt"
report_xml="why3session.xml"

TMP=bench.out

WHY3CPULIMIT=../../../lib/why3-cpulimit
export TPTP=/home/marche/TPTP-v6.2.0

run_dir () {
cat << EOF > $report_xml












EOF
for file in `ls $1/*.p`; do
# reprint in TPTP/FOF without include
build/prover -print $file > $TMP 2>&1
ret=$?
if test "$ret" != "0" ; then
    printf "$file: ret code=$ret\n" >> $reperr
    cat $TMP >> $reperr
else
    printf "\n" >> $report_xml
    printf "$file:\n"  >> $report
    # safeprover
    $WHY3CPULIMIT $timelimit $memlimit -s build/prover tmp.p > $TMP 2>&1
    time=`sed -n -e 's|.*time : \(.*\) s.*|\1|p' $TMP`
    if grep "Unsat" $TMP > /dev/null ; then
        printf "\n" >> $report_xml
        printf "Proved $time\n" >> $report
    else
        printf "\n" >> $report_xml
        printf "Not proved $time\n" >> $report
    fi
    if true ; then
    # zenon
    $WHY3CPULIMIT `expr $timelimit + 1` $memlimit -s zenon-0.8.0 -p0 -itptp -max-size $memlimit"M" -max-time $timelimit"s" tmp.p > $TMP 2>&1
    ret=$?
    time=`sed -n -e 's|.*time : \(.*\) s.*|\1|p' $TMP`
    if grep "PROOF-FOUND" $TMP > /dev/null ; then
        printf "\n" >> $report_xml
    elif grep "Zenon error: could not find a proof within the time limit" $TMP > /dev/null ; then
        printf "\n" >> $report_xml
    elif grep "Zenon error: could not find a proof within the memory size limit" $TMP > /dev/null ; then
        printf "\n" >> $report_xml
    else
        printf "\n" >> $report_xml
    fi
    printf "zenon: $res $time\n" >> $report
    # eprover
    $WHY3CPULIMIT `expr $timelimit + 1` $memlimit -s eprover -s -R -xAuto -tAuto --cpu-limit=$timelimit --tstp-in tmp.p > $TMP 2>&1
    ret=$?
    res=`sed -n -e 's|# SZS status \(.*\)|\1|p' $TMP`
    time=`sed -n -e 's|.*time : \(.*\) s.*|\1|p' $TMP`
    if grep "Proof found" $TMP > /dev/null ; then
        printf "\n" >> $report_xml
    elif grep "Ran out of time\|CPU time limit exceeded" $TMP > /dev/null ; then
        printf "\n" >> $report_xml
    elif grep "Out of Memory" $TMP > /dev/null ; then
        printf "\n" >> $report_xml
    else
        printf "\n" >> $report_xml
    fi
    printf "eprover: $res $time\n" >> $report
    # SPASS
    $WHY3CPULIMIT `expr $timelimit + 1` $memlimit -s SPASS -TPTP -PGiven=0 -PProblem=0 -TimeLimit=$timelimit tmp.p > $TMP 2>&1
    ret=$?
    res=`sed -n -e 's|SPASS beiseite: \(.*\)|\1|p' $TMP`
    time=`sed -n -e 's|.*time : \(.*\) s.*|\1|p' $TMP`
    if grep "Proof found" $TMP > /dev/null ; then
        printf "\n" >> $report_xml
    elif grep "Ran out of time\|CPU time limit exceeded" $TMP > /dev/null ; then
        printf "\n" >> $report_xml
    elif grep "Out of Memory" $TMP > /dev/null ; then
        printf "\n" >> $report_xml
    else
        printf "\n" >> $report_xml
    fi
    printf "SPASS: $res $time\n" >> $report
    # zenon modulo
    $WHY3CPULIMIT `expr $timelimit + 1` $memlimit -s zenon_modulo -p0 -itptp -max-size $memlimit"M" -max-time $timelimit"s" tmp.p > $TMP 2>&1
    ret=$?
    time=`sed -n -e 's|.*time : \(.*\) s.*|\1|p' $TMP`
    if grep "PROOF-FOUND" $TMP > /dev/null ; then
        printf "\n" >> $report_xml
    elif grep "Zenon error: could not find a proof within the time limit" $TMP > /dev/null ; then
        printf "\n" >> $report_xml
    elif grep "Zenon error: could not find a proof within the memory size limit" $TMP > /dev/null ; then
        printf "\n" >> $report_xml
    else
        printf "\n" >> $report_xml
    fi
    printf "zenon_modulo: $res $time\n" >> $report
    # Vampire
    $WHY3CPULIMIT `expr $timelimit + 1` $memlimit -s vampire -t $timelimit"s" < tmp.p > $TMP 2>&1
    ret=$?
    time=`sed -n -e 's|.*time : \(.*\) s.*|\1|p' $TMP`
    if grep "Refutation found" $TMP > /dev/null ; then
        printf "\n" >> $report_xml
    elif grep "Time limit reached\|Time out" $TMP > /dev/null ; then
        printf "\n" >> $report_xml
    elif grep "Memory limit exceeded" $TMP > /dev/null ; then
        printf "\n" >> $report_xml
    else
        printf "\n" >> $report_xml
    fi
    printf "vampire: $res $time\n" >> $report
    # LeanCoP
    $WHY3CPULIMIT `expr $timelimit + 1` $memlimit -s /home/marche/Downloads/leancop21/leancop.sh tmp.p $timelimit > $TMP 2>&1
    ret=$?
    time=`sed -n -e 's|.*time : \(.*\) s.*|\1|p' $TMP`
    if grep "is a Theorem\|is a Non-Theorem\|is Unsatisfiable" $TMP > /dev/null ; then
        printf "\n" >> $report_xml
    elif grep "Timeout\|Time out" $TMP > /dev/null ; then
        printf "\n" >> $report_xml
    elif grep "Memory limit exceeded" $TMP > /dev/null ; then
        printf "\n" >> $report_xml
    else
        printf "\n" >> $report_xml
    fi
    printf "leancop: $res $time\n" >> $report
    # end of proofs
    fi
    printf "\n" >> $report_xml
fi
done
cat << EOF >> $report_xml



EOF
}


run_dir $1
why3-1.6.0/examples/prover/bench/000077500000000000000000000000001440160026300166165ustar00rootroot00000000000000why3-1.6.0/examples/prover/bench/ANA/000077500000000000000000000000001440160026300172155ustar00rootroot00000000000000why3-1.6.0/examples/prover/bench/ANA/why3session.xml000066400000000000000000000302121440160026300222330ustar00rootroot00000000000000











































































































































































































why3-1.6.0/examples/prover/bench/COL/000077500000000000000000000000001440160026300172335ustar00rootroot00000000000000why3-1.6.0/examples/prover/bench/COL/why3session.xml000066400000000000000000000276371440160026300222720ustar00rootroot00000000000000











































































































































































































why3-1.6.0/examples/prover/bench/COM/000077500000000000000000000000001440160026300172345ustar00rootroot00000000000000why3-1.6.0/examples/prover/bench/COM/why3session.xml000066400000000000000000000163531440160026300222640ustar00rootroot00000000000000


























































































































why3-1.6.0/examples/prover/bench/CSR/000077500000000000000000000000001440160026300172455ustar00rootroot00000000000000why3-1.6.0/examples/prover/bench/CSR/why3session.xml000066400000000000000000006062111440160026300222730ustar00rootroot00000000000000































































































































































































































































































































































































































































































































































































































































































































































































































































































































































































































































































































































































































































































































































































































































































































































































































































































































































































































































































































































































































































































































































































































































































































































































































































































































































































































































































































































































































































































































































































































































































































































































































































































































































































why3-1.6.0/examples/prover/bench/FLD/000077500000000000000000000000001440160026300172235ustar00rootroot00000000000000why3-1.6.0/examples/prover/bench/FLD/why3session.xml000066400000000000000000004615361440160026300222620ustar00rootroot00000000000000





























































































































































































































































































































































































































































































































































































































































































































































































































































































































































































































































































































































































































































































































































































































































































































































































































































































































































































































































































































































































































































































































































































































































































































































































































































































































































































































why3-1.6.0/examples/prover/bench/GEO/000077500000000000000000000000001440160026300172305ustar00rootroot00000000000000why3-1.6.0/examples/prover/bench/GEO/why3session.xml000066400000000000000000002037531440160026300222620ustar00rootroot00000000000000

































































































































































































































































































































































































































































































































































































































































































































































































































































































































































































































































































































































why3-1.6.0/examples/prover/bench/GRA/000077500000000000000000000000001440160026300172275ustar00rootroot00000000000000why3-1.6.0/examples/prover/bench/GRA/why3session.xml000066400000000000000000000217561440160026300222620ustar00rootroot00000000000000





















































































































































why3-1.6.0/examples/prover/bench/GRP/000077500000000000000000000000001440160026300172465ustar00rootroot00000000000000why3-1.6.0/examples/prover/bench/GRP/why3session.xml000066400000000000000000002153271440160026300223000ustar00rootroot00000000000000























































































































































































































































































































































































































































































































































































































































































































































































































































































































































































































































































































































































































why3-1.6.0/examples/prover/bench/HWV/000077500000000000000000000000001440160026300172625ustar00rootroot00000000000000why3-1.6.0/examples/prover/bench/HWV/why3session.xml000066400000000000000000000240001440160026300222760ustar00rootroot00000000000000







































































































































































why3-1.6.0/examples/prover/bench/KRS/000077500000000000000000000000001440160026300172555ustar00rootroot00000000000000why3-1.6.0/examples/prover/bench/KRS/why3session.xml000066400000000000000000000236601440160026300223040ustar00rootroot00000000000000







































































































































































why3-1.6.0/examples/prover/bench/LAT/000077500000000000000000000000001440160026300172365ustar00rootroot00000000000000why3-1.6.0/examples/prover/bench/LAT/why3session.xml000066400000000000000000000162771440160026300222730ustar00rootroot00000000000000


























































































































why3-1.6.0/examples/prover/bench/LCL/000077500000000000000000000000001440160026300172305ustar00rootroot00000000000000why3-1.6.0/examples/prover/bench/LCL/why3session.xml000066400000000000000000010745511440160026300222650ustar00rootroot00000000000000












































































































































































































































































































































































































































































































































































































































































































































































































































































































































































































































































































































































































































































































































































































































































































































































































































































































































































































































































































































































































































































































































































































































































































































































































































































































































































































































































































































































































































































































































































































































































































































































































































































































































































































































































































































































































































































































































































































































































































































































































































































































































































































































































































































































































































































































































































































































































































































































































































































































































why3-1.6.0/examples/prover/bench/MED/000077500000000000000000000000001440160026300172235ustar00rootroot00000000000000why3-1.6.0/examples/prover/bench/MED/why3session.xml000066400000000000000000000153461440160026300222540ustar00rootroot00000000000000

















































































































why3-1.6.0/examples/prover/bench/MGT/000077500000000000000000000000001440160026300172455ustar00rootroot00000000000000why3-1.6.0/examples/prover/bench/MGT/why3session.xml000066400000000000000000000475321440160026300223000ustar00rootroot00000000000000


















































































































































































































































































































































why3-1.6.0/examples/prover/bench/MSC/000077500000000000000000000000001440160026300172405ustar00rootroot00000000000000why3-1.6.0/examples/prover/bench/MSC/why3session.xml000066400000000000000000000365541440160026300222750ustar00rootroot00000000000000

































































































































































































































































why3-1.6.0/examples/prover/bench/NLP/000077500000000000000000000000001440160026300172475ustar00rootroot00000000000000why3-1.6.0/examples/prover/bench/NLP/why3session.xml000066400000000000000000003264221440160026300223000ustar00rootroot00000000000000


















































































































































































































































































































































































































































































































































































































































































































































































































































































































































































































































































































































































































































































































































































































































































































































































































































































































































































































































why3-1.6.0/examples/prover/bench/NUM/000077500000000000000000000000001440160026300172555ustar00rootroot00000000000000why3-1.6.0/examples/prover/bench/NUM/why3session.xml000066400000000000000000000353461440160026300223100ustar00rootroot00000000000000
























































































































































































































































why3-1.6.0/examples/prover/bench/PLA/000077500000000000000000000000001440160026300172325ustar00rootroot00000000000000why3-1.6.0/examples/prover/bench/PLA/why3session.xml000066400000000000000000000706301440160026300222600ustar00rootroot00000000000000

























































































































































































































































































































































































































































































why3-1.6.0/examples/prover/bench/PRD/000077500000000000000000000000001440160026300172435ustar00rootroot00000000000000why3-1.6.0/examples/prover/bench/PRD/why3session.xml000066400000000000000000000047161440160026300222730ustar00rootroot00000000000000









































why3-1.6.0/examples/prover/bench/PUZ/000077500000000000000000000000001440160026300172745ustar00rootroot00000000000000why3-1.6.0/examples/prover/bench/PUZ/why3session.xml000066400000000000000000001454411440160026300223250ustar00rootroot00000000000000



















































































































































































































































































































































































































































































































































































































































































































































































































































































why3-1.6.0/examples/prover/bench/RNG/000077500000000000000000000000001440160026300172445ustar00rootroot00000000000000why3-1.6.0/examples/prover/bench/RNG/why3session.xml000066400000000000000000000132561440160026300222730ustar00rootroot00000000000000































































































why3-1.6.0/examples/prover/bench/SET/000077500000000000000000000000001440160026300172515ustar00rootroot00000000000000why3-1.6.0/examples/prover/bench/SET/why3session.xml000066400000000000000000000727771440160026300223150ustar00rootroot00000000000000




















































































































































































































































































































































































































































































































why3-1.6.0/examples/prover/bench/SEU/000077500000000000000000000000001440160026300172525ustar00rootroot00000000000000why3-1.6.0/examples/prover/bench/SEU/why3session.xml000066400000000000000000000035661440160026300223040ustar00rootroot00000000000000
































why3-1.6.0/examples/prover/bench/SWB/000077500000000000000000000000001440160026300172515ustar00rootroot00000000000000why3-1.6.0/examples/prover/bench/SWB/why3session.xml000066400000000000000000000046221440160026300222750ustar00rootroot00000000000000









































why3-1.6.0/examples/prover/bench/SWV/000077500000000000000000000000001440160026300172755ustar00rootroot00000000000000why3-1.6.0/examples/prover/bench/SWV/why3session.xml000066400000000000000000002616721440160026300223330ustar00rootroot00000000000000









































































































































































































































































































































































































































































































































































































































































































































































































































































































































































































































































































































































































































































































































































































































































































































why3-1.6.0/examples/prover/bench/SWW/000077500000000000000000000000001440160026300172765ustar00rootroot00000000000000why3-1.6.0/examples/prover/bench/SWW/why3session.xml000066400000000000000000000014761440160026300223260ustar00rootroot00000000000000














why3-1.6.0/examples/prover/bench/SYN/000077500000000000000000000000001440160026300172675ustar00rootroot00000000000000why3-1.6.0/examples/prover/bench/SYN/why3session.xml000066400000000000000000022350051440160026300223160ustar00rootroot00000000000000

















































































































































































































































































































































































































































































































































































































































































































































































































































































































































































































































































































































































































































































































































































































































































































































































































































































































































































































































































































































































































































































































































































































































































































































































































































































































































































































































































































































































































































































































































































































































































































































































































































































































































































































































































































































































































































































































































































































































































































































































































































































































































































































































































































































































































































































































































































































































































































































































































































































































































































































































































































































































































































































































































































































































































































































































































































































































































































































































































































































































































































































































































































































































































































































































































































































































































































































































































































































































































































































































































































































































































































































































































































































































































































































































































































































































































































































































































































































































































































































































































































































































































































































































































































































































































































































































































































































































































































































































































































































































































































































































































































































































































































































































































































































































































































































































































































































































































































































































































































































































































































































































































































































































































































why3-1.6.0/examples/prover/bench/SYO/000077500000000000000000000000001440160026300172705ustar00rootroot00000000000000why3-1.6.0/examples/prover/bench/SYO/why3session.xml000066400000000000000000000101651440160026300223130ustar00rootroot00000000000000




































































why3-1.6.0/examples/prover/bench/TOP/000077500000000000000000000000001440160026300172605ustar00rootroot00000000000000why3-1.6.0/examples/prover/bench/TOP/why3session.xml000066400000000000000000000346301440160026300223060ustar00rootroot00000000000000















































































































































































































































why3-1.6.0/examples/prover/bench2.sh000066400000000000000000000167721440160026300172510ustar00rootroot00000000000000#!/bin/sh
# tests for the safe prover

timelimit=60
memlimit=4000

report="report.txt"
reperr="report_errors.txt"
report_xml="why3session.xml"

TMP=bench.out

WHY3CPULIMIT=../../../../lib/why3-cpulimit
export TPTP=/home/marche/TPTP-v6.2.0

run_dir () {
cat << EOF > $report_xml












EOF
for file in `ls $1/*.p`; do
# reprint in TPTP/FOF without include
../build/prover -print $file > $TMP 2>&1
ret=$?
if test "$ret" != "0" ; then
    printf "$file: ret code=$ret\n" >> $reperr
    cat $TMP >> $reperr
else
    printf "\n" >> $report_xml
    printf "$file:\n"  >> $report
    # safeprover
    $WHY3CPULIMIT $timelimit $memlimit -s ../build/prover tmp.p > $TMP 2>&1
    time=`sed -n -e 's|.*time : \(.*\) s.*|\1|p' $TMP`
    if grep "Unsat" $TMP > /dev/null ; then
        printf "\n" >> $report_xml
        printf "Proved $time\n" >> $report
    else
        printf "\n" >> $report_xml
        printf "Not proved $time\n" >> $report
    fi
    if true ; then
    # zenon
    $WHY3CPULIMIT `expr $timelimit + 1` $memlimit -s zenon-0.8.0 -p0 -itptp -max-size $memlimit"M" -max-time $timelimit"s" tmp.p > $TMP 2>&1
    ret=$?
    time=`sed -n -e 's|.*time : \(.*\) s.*|\1|p' $TMP`
    if grep "PROOF-FOUND" $TMP > /dev/null ; then
        printf "\n" >> $report_xml
    elif grep "Zenon error: could not find a proof within the time limit" $TMP > /dev/null ; then
        printf "\n" >> $report_xml
    elif grep "Zenon error: could not find a proof within the memory size limit" $TMP > /dev/null ; then
        printf "\n" >> $report_xml
    else
        printf "\n" >> $report_xml
    fi
    printf "zenon: $res $time\n" >> $report
    # eprover
    $WHY3CPULIMIT `expr $timelimit + 1` $memlimit -s eprover -s -R -xAuto -tAuto --cpu-limit=$timelimit --tstp-in tmp.p > $TMP 2>&1
    ret=$?
    res=`sed -n -e 's|# SZS status \(.*\)|\1|p' $TMP`
    time=`sed -n -e 's|.*time : \(.*\) s.*|\1|p' $TMP`
    if grep "Proof found" $TMP > /dev/null ; then
        printf "\n" >> $report_xml
    elif grep "Ran out of time\|CPU time limit exceeded" $TMP > /dev/null ; then
        printf "\n" >> $report_xml
    elif grep "Out of Memory" $TMP > /dev/null ; then
        printf "\n" >> $report_xml
    else
        printf "\n" >> $report_xml
    fi
    printf "eprover: $res $time\n" >> $report
    # SPASS
    $WHY3CPULIMIT `expr $timelimit + 1` $memlimit -s SPASS -TPTP -PGiven=0 -PProblem=0 -TimeLimit=$timelimit tmp.p > $TMP 2>&1
    ret=$?
    res=`sed -n -e 's|SPASS beiseite: \(.*\)|\1|p' $TMP`
    time=`sed -n -e 's|.*time : \(.*\) s.*|\1|p' $TMP`
    if grep "Proof found" $TMP > /dev/null ; then
        printf "\n" >> $report_xml
    elif grep "Ran out of time\|CPU time limit exceeded" $TMP > /dev/null ; then
        printf "\n" >> $report_xml
    elif grep "Out of Memory" $TMP > /dev/null ; then
        printf "\n" >> $report_xml
    else
        printf "\n" >> $report_xml
    fi
    printf "SPASS: $res $time\n" >> $report
    # zenon modulo
    $WHY3CPULIMIT `expr $timelimit + 1` $memlimit -s zenon_modulo -p0 -itptp -max-size $memlimit"M" -max-time $timelimit"s" tmp.p > $TMP 2>&1
    ret=$?
    time=`sed -n -e 's|.*time : \(.*\) s.*|\1|p' $TMP`
    if grep "PROOF-FOUND" $TMP > /dev/null ; then
        printf "\n" >> $report_xml
    elif grep "Zenon error: could not find a proof within the time limit" $TMP > /dev/null ; then
        printf "\n" >> $report_xml
    elif grep "Zenon error: could not find a proof within the memory size limit" $TMP > /dev/null ; then
        printf "\n" >> $report_xml
    else
        printf "\n" >> $report_xml
    fi
    printf "zenon_modulo: $res $time\n" >> $report
    # Vampire
    $WHY3CPULIMIT `expr $timelimit + 1` $memlimit -s vampire -t $timelimit"s" < tmp.p > $TMP 2>&1
    ret=$?
    time=`sed -n -e 's|.*time : \(.*\) s.*|\1|p' $TMP`
    if grep "Refutation found" $TMP > /dev/null ; then
        printf "\n" >> $report_xml
    elif grep "Time limit reached\|Time out" $TMP > /dev/null ; then
        printf "\n" >> $report_xml
    elif grep "Memory limit exceeded" $TMP > /dev/null ; then
        printf "\n" >> $report_xml
    else
        printf "\n" >> $report_xml
    fi
    printf "vampire: $res $time\n" >> $report
    # LeanCoP
    $WHY3CPULIMIT `expr $timelimit + 1` $memlimit -s /home/marche/Downloads/leancop21/leancop.sh tmp.p $timelimit > $TMP 2>&1
    ret=$?
    time=`sed -n -e 's|.*time : \(.*\) s.*|\1|p' $TMP`
    if grep "is a Theorem\|is a Non-Theorem\|is Unsatisfiable" $TMP > /dev/null ; then
        printf "\n" >> $report_xml
    elif grep "Timeout\|Time out" $TMP > /dev/null ; then
        printf "\n" >> $report_xml
    elif grep "Memory limit exceeded" $TMP > /dev/null ; then
        printf "\n" >> $report_xml
    else
        printf "\n" >> $report_xml
    fi
    printf "leancop: $res $time\n" >> $report
    # end of proofs
    fi
    printf "\n" >> $report_xml
fi
done
cat << EOF >> $report_xml



EOF
}


run_dir $1
why3-1.6.0/examples/prover/drinker.p000066400000000000000000000000751440160026300173600ustar00rootroot00000000000000fof(drinker,conjecture,
  (? [X] : (p(X) => ! [Y] : p(Y)))).
why3-1.6.0/examples/prover/macro_generator/000077500000000000000000000000001440160026300207065ustar00rootroot00000000000000why3-1.6.0/examples/prover/macro_generator/Macrogen.ml000066400000000000000000000345251440160026300230040ustar00rootroot00000000000000
open Format
open Macrogen_decls
open Macrogen_transform
open Macrogen_params
open Macrogen_printing

let (<<) f x = f x
(*
let lambda_def = {
    var_parameters = [] ;
    binder_types = [ TypeDefinition ( "lambda" ,
        [ Var ;
          BCons ("App" , [] , [ DeclaredType "lambda" ; DeclaredType "lambda" ] ) ;
          BCons ( "Lam" , [ "lambda" , [] ] , [ DeclaredType "lambda" ] ) ;
          BCons ( "Fix" , [ "lambda" , [] ; "lambda" , [] ] , [ DeclaredType "lambda" ] ) ] ,
        [] ) ]
  }

let first_order_def = {
    var_parameters = [ "function_symbol" ; "predicate_symbol" ] ;
    binder_types = [ TypeDefinition ( "fo_term" ,
        [ Var ;
          BCons ("FOApp" , [] , [ TypeVar "function_symbol" ; DeclaredType "fo_term_list" ] ) ] ,
        [] ) ;
      TypeDefinition ( "fo_term_list" ,
        [ BCons ("FONil" , [] , [] ) ;
          BCons ("FOCons" , [] , [ DeclaredType "fo_term" ; DeclaredType "fo_term_list" ] ) ] ,
        [] ) ;
      TypeDefinition ( "fo_formula" ,
        [ BCons ( "FOForall" , [ "fo_term" , [] ] , [ DeclaredType "fo_formula" ] ) ;
          BCons ( "FOExists" , [ "fo_term" , [] ] , [ DeclaredType "fo_formula" ] ) ;
          BCons ( "FOAnd" , [] , [ DeclaredType "fo_formula" ; DeclaredType "fo_formula" ] ) ;
          BCons ( "FOOr" , [] , [ DeclaredType "fo_formula" ; DeclaredType "fo_formula" ] ) ;
          BCons ( "FONot" , [] , [ DeclaredType "fo_formula" ] ) ;
          BCons ( "FOPred" , [] , [ TypeVar "predicate_symbol" ; DeclaredType "fo_term_list" ] ) ] ,
        [] ) ]
  }

let coc_def = {
  var_parameters = [] ;
  binder_types = [ TypeDefinition ( "coc_term" ,
      [ Var ;
        BCons ( "App" , [] , [ DeclaredType "coc_term" ; DeclaredType "coc_term" ] ) ;
        BCons ( "Lam" , [ "coc_term" , [ DeclaredType "coc_term" ] ] , [ DeclaredType "coc_term" ] ) ;
        BCons ( "Forall" , [ "coc_term" , [ DeclaredType "coc_term" ] ] , [ DeclaredType "coc_term" ] ) ;
        BCons ( "Type" , [] , [ DeclaredType "integer" ] ) ] , [] ) ;
      TypeDefinition ( "integer" ,
      [ BCons ( "O" , [] , [] ) ;
        BCons ( "S" , [] , [ DeclaredType "integer" ] ) ] , [] ) ]
  }
*)
let fsub_def = {
  var_parameters = [] ;
  binder_types = [ TypeDefinition ( "fsub_type" ,
      [ Var ;
        BCons ( "Arrow" , [] , [ DeclaredType "fsub_type" ; DeclaredType "fsub_type" ] ) ;
        BCons ( "Top" , [] , [] ) ;
        BCons ( "Forall" , [ "fsub_type" , [ DeclaredType "fsub_type" ] ] , [ DeclaredType "fsub_type" ] ) ] ,
      [] ) ;
      TypeDefinition ( "fsub_term" ,
      [ Var ;
        BCons ( "App" , [] , [ DeclaredType "fsub_term" ; DeclaredType "fsub_term" ] ) ;
        BCons ( "Lam" , [ "fsub_term" , [ DeclaredType "fsub_type" ] ] , [ DeclaredType "fsub_term" ] ) ;
        BCons ( "TLam" , [ "fsub_type" , [ DeclaredType "fsub_type" ] ] , [ DeclaredType "fsub_term" ] ) ;
        BCons ( "TApp" , [] , [ DeclaredType "fsub_term" ; DeclaredType "fsub_type" ] ) ] ,
      [] ) ]
  }
(*
let horror_def = {
  var_parameters = [ "t1" ; "t2" ; "t3" ] ;
  binder_types = [ TypeDefinition ( "t4" , [ Var ] , [] ) ;
    TypeDefinition ( "t8" , [ BCons ( "W" , [] , [] ) ;
      BCons ( "V" , [] , [ DeclaredType "t8" ] ) ] , [] ) ;
    TypeDefinition ( "t5" , [ Var ;
      BCons ( "U" , [ "t5" , [ DeclaredType "t4" ; DeclaredType "t5" ; TypeVar "t2" ] ;
        "t4" , [ TypeVar "t3" ; DeclaredType "t4" ; DeclaredType "t5" ; DeclaredType "t6" ] ;
        "t6" , [ TypeVar "t1" ; DeclaredType "t7" ; DeclaredType "t8" ; DeclaredType "t7" ] ] ,
        [ TypeVar "t3" ; DeclaredType "t5" ; DeclaredType "t5" ; DeclaredType "t6" ; DeclaredType "t6" ] ) ;
      BCons ( "ZZ" , [] , [ DeclaredType "t7" ; DeclaredType "t5" ; DeclaredType "t6" ] ) ]
      , [] ) ;
    TypeDefinition ( "t6" , [ Var ;
      BCons ( "X" , [ "t7" , [ DeclaredType "t8" ] ] , [ DeclaredType "t6" ] ) ] , [] ) ;
    TypeDefinition ( "t7" , [ BCons ( "Y" , [ "t5" , [] ; "t5" , [ DeclaredType "t6" ] ;
      "t5" , [ DeclaredType "t5" ] ] , [ DeclaredType "t5" ; DeclaredType "t6" ] ) ] , [] ) ]
  }*)

let dfoterm = DeclaredType "fo_term"
let dfoterml = DeclaredType "fo_term_list"
let dfoformula = DeclaredType "fo_formula"
let dfoformulal = DeclaredType "fo_formula_list"
(*let dfsymb = (*DeclaredType*) TypeVar "function_symbol"
let dpsymb = (*DeclaredType*) TypeVar "predicate_symbol"*)
let dlsymb = DeclaredType "symbol"
let foterm_var = [ (*"function_symbol" ; "predicate_symbol"*) ]

(* For some reason, going that way do not work at all-
   why3ide do not even terminates the task generation for the
   provers I normally use for some goal-and goals
   for those two cases are abnormally hard ! *)

(*let function_symbol = TypeDefinition ( "function_symbol" ,
  [ Var ] , [] )

let function_symbol_sig = TypeAssumption ( "function_symbol" ,
  [ "function_symbol" ] )

let predicate_symbol = TypeDefinition ( "predicate_symbol" ,
  [ Var ] , [] )

let predicate_symbol_sig = TypeAssumption ( "predicate_symbol" ,
  [ "predicate_symbol" ] )*)

let symbol = TypeDefinition ( "symbol" , [ Var ] , [] )

let symbol_sig = TypeAssumption ( "symbol" , [ "symbol" ] )

let foterm = TypeDefinition ( "fo_term" ,
  [ Var ; BCons ( "App" , [] ,
    [ dlsymb ; dfoterml ] ) ] , [] )

let foterm_sig = TypeAssumption ( "fo_term" ,
  [ "symbol" ; "fo_term" ] )

let foterm_list = TypeDefinition ( "fo_term_list" ,
  [ BCons ( "FONil" , [] , [] ) ;
    BCons ( "FOCons" , [] , [ dfoterm ; dfoterml ] ) ] , [] )

let foterm_list_sig = TypeAssumption ( "fo_term_list" ,
  [ "symbol" ; "fo_term" ] )

let foformula = TypeDefinition ( "fo_formula" ,
  [ BCons ( "Forall" , [ "fo_term" , [] ] , [ dfoformula ] ) ;
    BCons ( "Exists" , [ "fo_term" , [] ] , [ dfoformula ] ) ;
    BCons ( "And" , [] , [ dfoformula ; dfoformula ] ) ;
    BCons ( "Or" , [] , [ dfoformula ; dfoformula ] ) ;
    (*BCons ( "Imply" , [] , [ dfoformula ; dfoformula ] ) ;
    BCons ( "Equiv" , [] , [ dfoformula ; dfoformula ] ) ;*)
    BCons ( "Not" , [] , [ dfoformula ] ) ;
    BCons ( "FTrue" , [] , [] ) ;
    BCons ( "FFalse" , [] , [] ) ;
    BCons ( "PApp" , [] , [ dlsymb ; dfoterml ] ) ] , [] )

let foformula_sig = TypeAssumption ( "fo_formula" ,
  [ "symbol" ; "fo_term" ] )

let foformula_list = TypeDefinition ( "fo_formula_list" ,
  [ BCons ( "FOFNil" , [] , [] ) ;
    BCons ( "FOFCons" , [] , [ dfoformula ; dfoformulal ] ) ] , [] )

let foformula_list_sig = TypeAssumption ( "fo_formula_list" ,
  [ "symbol" ; "fo_term" ] )

let fo_tableau = TypeDefinition ( "tableau" ,
  [ BCons ( "Root" , [] , [] ) ;
    BCons ( "Node" , [] , [ DeclaredType "tableau" ;
      DeclaredType "fo_formula" ;
      DeclaredType "fo_formula_list" ] ) ] , [] )

let fo_tableau_sig = TypeAssumption ( "tableau" ,
  [ "symbol" ; "fo_term" ] )

(*let _ =
  let dbase = fsub_def in
  let dm = convert dbase in
  let module D = struct let dm = dm let indent = 2 end in
  let module PP = MakePP(MakeDefaultP(D)) in
  let module PT = Macrogen_theory.Printer(PP) in
  let module PNP = Macrogen_nlparams.MakeDefaultP(D) in
  let module PNL = Macrogen_nameless.Printer(PP)(PNP) in
  fprintf std_formatter "%tmodule A@\n\
    %t%t%t%t@]@ end@\n@\n%tmodule B@\n\
    %tuse import A@\n%t@]@ end@\n@\n%tmodule C@\n\
    %tuse import A@\nuse import B@\n%t@]@ end@\n%tmodule D@\n\
    %tuse import A@\nuse import B@\nuse import C@\n%t@]@ end@\n@\n"
    << PP.H.indent
    << PT.required_imports
    << PT.base_defs_printer
    << PT.subst_lemmae_defs_printer
    << PT.free_var_lemmae_defs_printer
    << PP.H.indent
    << PT.required_imports
    << PNL.types_defs_printer
    << PP.H.indent
    << PT.required_imports
    << PNL.logics_defs_printer
    << PP.H.indent
    << PT.required_imports
    << PNL.impls_defs_printer
*)
let p othimp1 n1 othimp2 n2 dbase =
  let dm = convert dbase in
  let module D = struct let dm = dm let indent = 2 end in
  let module PP = MakePP(MakeDefaultP(D)) in
  let module PT = Macrogen_theory.Printer(PP) in
  let module PNP = Macrogen_nlparams.MakeDefaultP(D) in
  let module PNL = Macrogen_nameless.Printer(PP)(PNP) in
  let c1 = open_out_bin (n1^".mlw") in
  let _ = try let fmt1 = formatter_of_out_channel c1 in
    fprintf fmt1 "%tmodule Spec@\n\
      %t%t%t%t%t@]@ end@\n@\n@."
      << PP.H.indent
      << PT.required_imports
      << othimp1
      << PT.base_defs_printer
      << PT.subst_lemmae_defs_printer
      << PT.free_var_lemmae_defs_printer
  with e -> close_out c1 ; raise e in close_out c1 ;
  let c2 = open_out_bin (n2^".mlw") in
  let _ = try let fmt2 = formatter_of_out_channel c2 in
    fprintf fmt2 "%tmodule Types@\n\
      %t%tuse import %s.Spec@\n%t@]@ end@\n@\n\
      %tmodule Logic@\n\
      %t%tuse import %s.Spec@\n\
      use import Types@\n%t@]@ end@\n@\n%tmodule Impl@\n\
      %t%tuse import %s.Spec@\n\
      use import Types@\nuse import Logic@\n%t@]@ end@\n@\n@."
      << PP.H.indent
      << PT.required_imports
      << othimp2
      << n1
      << PNL.types_defs_printer
      << PP.H.indent
      << PT.required_imports
      << othimp2
      << n1
      << PNL.logics_defs_printer
      << PP.H.indent
      << PT.required_imports
      << othimp2
      << n1
      << PNL.impls_defs_printer
  with e -> close_out c2 ; raise e in close_out c2

let _ =
  let nextothimp1 othimp1 n1 fmt =
    fprintf fmt "%tuse import %s.Spec@\n" othimp1 n1 in
  let nextothimp2 othimp2 n1 n2 fmt = fprintf fmt "%tuse import %s.Spec@\n\
    use import %s.Types@\n\
    use import %s.Logic@\n\
    use import %s.Impl@\n" othimp2 n1 n2 n2 n2 in
  let dbase = { var_parameters = foterm_var ;
    binder_types = [ symbol ] } in
  let n1 = "Firstorder_symbol_spec" in
  let n2 = "Firstorder_symbol_impl" in
  let _ = p ignore n1 ignore n2 dbase in
  let othimp1 = nextothimp1 ignore n1 in
  let othimp2 = nextothimp2 ignore n1 n2 in
  let dbase = { var_parameters = foterm_var ;
    binder_types = [ symbol_sig ; foterm ; foterm_list ] } in
  let n1 = "Firstorder_term_spec" in
  let n2 = "Firstorder_term_impl" in
  let _ = p othimp1 (*ignore*) n1 othimp2 (*ignore*) n2 dbase in
  let othimp2 = nextothimp2 othimp2 (*ignore*) n1 n2 in
  let othimp1 = nextothimp1 othimp1 (*ignore*) n1 in
  (*let dbase = { var_parameters = foterm_var ;
    binder_types = [ predicate_symbol ] } in
  let n1 = "Firstorder_predicate_symbol_spec" in
  let n2 = "Firstorder_predicate_symbol_impl" in
  let _ = p ignore n1 ignore n2 dbase in
  let othimp1 = nextothimp1 othimp1 n1 in
  let othimp2 = nextothimp2 othimp2 n1 n2 in*)
  let dbase = { var_parameters = foterm_var ;
    binder_types = [ symbol_sig ; foterm_sig ; foterm_list_sig ; foformula ] } in
  let n1 = "Firstorder_formula_spec" in
  let n2 = "Firstorder_formula_impl" in
  let _ = p othimp1 n1 othimp2 n2 dbase in
  let othimp1 = nextothimp1 othimp1 n1 in
  let othimp2 = nextothimp2 othimp2 n1 n2 in
  let dbase = { var_parameters = foterm_var ;
    binder_types = [ symbol_sig ; foterm_sig ; foformula_sig ; foformula_list ] } in
  let n1 = "Firstorder_formula_list_spec" in
  let n2 = "Firstorder_formula_list_impl" in
  let _ = p othimp1 n1 othimp2 n2 dbase in
  let othimp1 = nextothimp1 othimp1 n1 in
  let othimp2 = nextothimp2 othimp2 n1 n2 in
  let dbase = { var_parameters = foterm_var ;
    binder_types = [ symbol_sig ; foterm_sig ; foformula_sig ; foformula_list_sig ;
      fo_tableau ] } in
  let n1 = "Firstorder_tableau_spec" in
  let n2 = "Firstorder_tableau_impl" in
  let _ = p othimp1 n1 othimp2 n2 dbase in
  ()






(*
let _ =
  let dbase = fsub_def in
  let dm = convert dbase in
  let module D = struct let dm = dm let indent = 2 end in
  let module PP = MakePP(MakeDefaultP(D)) in
  let module PT = Macrogen_theory.Printer(PP) in
  let module PNP = Macrogen_nlparams.MakeDefaultP(D) in
  let module PNL = Macrogen_nameless.Printer(PP)(PNP) in
  fprintf std_formatter "%tmodule A@\nuse import option.Option@\n\
    use import int.Int@\nuse import Nat.Nat@\n\
    use import Functions.Func@\nuse import OptionFuncs.Funcs@\n\
    use import Sum.Sum@\n
    %t%t%t%t%t%t%t%t%t%t%t%t%t%t%t%t%t%t%t%t%t%t\
    %t%t%t%t%t%t%t%t%t%t%t%t%t%t%t\
    \
    %t%t%t%t%t%t%t%t%t%t%t%t%t%t%t%t%t%t%t%t%t%t%t@]@\nend@\n@\n"
    << PP.H.indent
    << PT.type_defs_printer
    << PT.size_defs_printer
    << PT.size_lemma_printer
    << PT.subst_defs_printer false
    << PT.composition_lemma_printer false false
    << PT.identity_lemma_printer false
    << PT.subst_composition_def_printer false
    << PT.associativity_lemma_printer (false,true,false)
    << PT.associativity_lemma_printer (true,false,false)
    << PT.right_identity_lemma_printer false
    << PT.subst_lifting_printer
    << PT.lifting_composition_lemma_printer (false,true)
    << PT.lifting_composition_lemma_printer (true,false)
    << PT.subst_defs_printer true
    << PT.composition_lemma_printer false true
    << PT.composition_lemma_printer true false
    << PT.subst_composition_def_printer true
    << PT.associativity_lemma_printer (false,true,true)
    << PT.associativity_lemma_printer (true,false,true)
    << PT.associativity_lemma_printer (true,true,false)
    << PT.lifting_composition_lemma_printer (true,true)
    << PT.composition_lemma_printer true true
    << PT.associativity_lemma_printer (true,true,true)
    << PT.subst_identity_printer
    << PT.left_identity_lemma_printer false
    << PT.identity_lemma_printer true
    << PT.left_identity_lemma_printer true
    << PT.right_identity_lemma_printer true
    << PT.free_var_def_printer
    << PT.subst_free_var_inversion_printer false
    << PT.rename_free_var_propagation_lemma_printer
    << PT.subst_free_var_inversion_printer true
    << PT.subst_free_var_propagation_lemma_printer
    << PT.free_var_equivalence_lemma_printer true
    << PT.free_var_equivalence_lemma_printer false
    << PT.open_close_defs_printer
    << PT.size_preservation_lemma_printer
    
    << PNL.type_defs_printer
    << PNL.size_defs_printer
    << PNL.size_lemma_printer
    << PNL.shift_defs_printer
    << PNL.shift_lemma_printer
    << PNL.model_defs_printer
    << PNL.model_subst_commutation_lemma_printer
    << PNL.model_rename_commutation_lemma_printer
    << PNL.correct_indexes_printer
    << PNL.bound_depth_printer
    << PNL.bound_depth_lemma_printer
    << PNL.model_equal_lemma_printer
    << PNL.bind_var_printer
    << PNL.unbind_var_printer
    << PNL.implementation_type_printer
    << PNL.invariant_printer
    << PNL.constructor_type_printer
    << PNL.constructor_invariant_printer
    << PNL.constructor_relation_printer
    << PNL.constructor_open_relation_printer
    << PNL.construction_operator_printer
    << PNL.destruction_operator_printer
    << PNL.subst_operator_printer*)


why3-1.6.0/examples/prover/macro_generator/MacrogenFormat.ml000066400000000000000000002072161440160026300241540ustar00rootroot00000000000000
type 'n types =
  | TypeVar of 'n
  | DeclaredType of 'n

type 'n constructor =
  | Var
  | BCons of 'n * ( 'n * 'n types option) list * 'n types list
    (* BCons (C , [ t,u ; t2,u2 ] [ v1 ; v2 ; v3 ] :
       C : [ x_t : u1 . [ x_t2 : u2 . v1 v2 v3 ] ].
       x_{t} is bound at the right as a variable for declared type t. *)

type 'n typedef =
  (* TypeAssumption (t,[v_1...v_n] : assume
     type t using variables in types v_1...v_n. *)
  | TypeAssumption of 'n * 'n list
  (* Add definition. The list may be incomplete/contains variables
     not really used. In the second case, the variables will be added. *)
  | TypeDefinition of 'n * 'n constructor list * 'n list

type 'n decls = { var_parameters : 'n list ;
  binder_types : 'n typedef list }

let rec mapt f = function
  | DeclaredType t -> DeclaredType ( f t )
  | TypeVar x -> TypeVar (f x)

let mapc f = function
  | BCons ( c , b , e ) -> BCons ( f c , List.map (fun (x,y) -> match y with
    | None -> f x , None
    | Some y -> f x , Some (mapt f y) ) b ,
    List.map (mapt f) e )
  | Var -> Var

let mapdef f = function
  | TypeDefinition ( t , c , fv ) ->
    TypeDefinition ( f t , List.map (mapc f) c , List.map f fv )
  | TypeAssumption ( t , fv ) -> TypeAssumption ( f t , List.map f fv )

let mapdecl f { var_parameters ; binder_types } =
  { var_parameters = List.map f var_parameters ;
    binder_types =  List.map (mapdef f) binder_types }

module SMap = Map.Make(String)
module IntO = struct type t = int let compare = compare end
module IMap = Map.Make(IntO)
module ISet = Set.Make(IntO)

module type PrivS = sig
  type base
  type t = private base
  val make : base -> t
end

module Priv : functor (X:sig type t end) -> PrivS with type base = X.t =
  functor (X:sig type t end) -> struct
    type base = X.t
    type t = base
    let make x = x
  end

module CName : PrivS with type base = int = Priv(IntO)
module TName : PrivS with type base = int = Priv(IntO)
module VName : PrivS with type base = int = Priv(IntO)

module TO = struct type t = TName.t let compare (t1:TName.t) (t2:TName.t) =
  compare (t1:>int) (t2:>int) end
module CO = struct type t = CName.t let compare (c1:CName.t) (c2:CName.t) =
  compare (c1:>int) (c2:>int) end

module TMap = Map.Make(TO)
module TSet = Set.Make(TO)
module CSet = Set.Make(CO)

(* change names from string to faster integers. *)

let translate_names decls =
  let name_gen = ref 0 in
  let translate = ref SMap.empty in
  let rename s =
    try SMap.find s !translate
    with Not_found -> let u = !name_gen in
      name_gen := u + 1 ; translate := SMap.add s u !translate ;
      u in
  let u = mapdecl rename decls in
  let trback = SMap.fold ( fun s i acc ->
    IMap.add i s acc ) !translate IMap.empty in
  u , trback

type internal_types =
  | ITVar of VName.t
  | ITDecl of TName.t

type constructors = {
  var_present : bool ;
  cons_list : ( CName.t * ( TName.t * internal_types option) list * internal_types list ) list
}

type internal_typedef =
  | ITypeDef of constructors * TName.t list
  | ITypeAssumption of TName.t list

(* second integer : rank of apparition in file. Used for
   determining ordering : for example, the binder type variables
   should be ordered by rank of apparition in input file *)

type internal_decl =
  { var_params : VName.t list ;
    type_decls : (internal_typedef * int ) TMap.t ;
    names : string IMap.t }

let make_itype t = match t with
  | TypeVar v -> ITVar (VName.make v)
  | DeclaredType t -> ITDecl ( TName.make t)

let make_cons_list cons_set cl =
  let cs,cm = List.fold_left ( fun (cs,cm) -> function
    | BCons ( c , b , e ) -> let c' = CName.make c in
      if CSet.mem c' cs
      then assert false (* TODO->send error "duplicate constructor". *)
      else let b' = List.map ( fun ( x , t ) -> match t with
        | None -> TName.make x , None
        | Some t -> TName.make x , Some ( make_itype t ) ) b in
        let e' = List.map make_itype e in
        CSet.add c' cs, { cm with cons_list = (c',b',e')::cm.cons_list }
    | Var -> ( if cm.var_present
      then assert false (* TODO : decide if I send error here (* "duplicate var" *) *) ) ;
      cs,{cm with var_present = true } )
  (cons_set,{var_present = false ; cons_list = []}) cl in
  cs,{cm with cons_list = List.rev cm.cons_list}

let make_decl_map d =
  let _ , dmap , _ = List.fold_left ( fun (cs,dm,rank) -> function
    | TypeDefinition (tn,cstr,fv) -> let tn = TName.make tn in
      if TMap.mem tn dm
      then assert false (* TODO : error (duplicate type name) *)
      else let cs,csl = make_cons_list cs cstr in
        cs,TMap.add tn (ITypeDef (csl,List.map TName.make fv),rank) dm,rank + 1
    | TypeAssumption (tn,fv) -> let tn = TName.make tn in
      if TMap.mem tn dm
      then assert false (* TODO : error (duplicate type name) *)
      else cs,TMap.add tn (ITypeAssumption (List.map TName.make fv),rank) dm,rank + 1)
    (CSet.empty,TMap.empty,0) d in
  dmap

let convert_decl d0 =
  let { var_parameters ; binder_types } , names = translate_names d0 in
  { names ;
    var_params = List.map VName.make var_parameters ;
    type_decls = make_decl_map binder_types }

let type_def tn { type_decls ; _ } =
  let td , _ = TMap.find tn type_decls in td

(* TODO : various "unbound ident" check. *)

(* TODO : constructor "Var_" forbidden check. *)

(* edges of the dependency graph. *)
let dependents_fold f def acc = match def with
  | ITypeDef ( c , _ ) -> let fold_cons acc c =
      let _ , l1 , l2 = c in
      let acc = List.fold_left ( fun acc ( _ , t ) ->
          match t with
            | None -> acc
            | Some t -> match t with
              | ITVar _ -> acc
              | ITDecl u -> f u acc
        ) acc l1
      in
      List.fold_left ( fun acc -> function
        | ITVar _ -> acc
        | ITDecl u -> f u acc
        ) acc l2
    in
    List.fold_left fold_cons acc c.cons_list
  | ITypeAssumption _ -> acc

(* scc computation of the dependency graph
   return 1) the scc index of each type,
     2) the vertices in each scc. *)

let make_scc dm =
  let table = ref TMap.empty in
  let sccg = ref IMap.empty in
  let s = ref [] in
  let p = ref [] in
  let c = ref 1 in
  let scc = ref 0 in
  let rec pop_until num p = match p with
    | [] -> assert false
    | x :: q-> if TMap.find x !table >= num
      then p
      else pop_until num q in
  let rec process tn =
    let _ = table := TMap.add tn (- !c) !table in
    let _ = c := !c + 1 in
    let _ = s := tn :: !s in
    let _ = p := tn :: !p in
    let smake s _ =
      (* "let try" idiom would be better if available. *)
      match try Some (TMap.find s !table)
        with Not_found -> None with
        | None -> process s
        | Some x -> if x < 0
          then p := pop_until x !p
          else () in
    let td = type_def tn dm in
    let _ = dependents_fold smake td () in
    let rec pop_until sccn tn s acc = match s with
      | [] -> assert false
      | x :: q -> let acc = x :: acc in
        table := TMap.add x sccn !table ;
        if x = tn
        then q , acc
        else pop_until sccn tn q acc in
    match !p with
      | x :: q when x = tn -> p := q ;
        let sccn = !scc in
        let _ = scc := sccn + 1 in
        let ns , cpt = pop_until sccn tn !s [] in
        sccg := IMap.add sccn cpt !sccg ;
        s := ns
      | _ -> () in
  TMap.iter ( fun tn _ ->
    if not(TMap.mem tn !table)
    then process tn ) dm.type_decls ;
  !table,!sccg

(* compute set of potential binding variables occuring in each type,
   e.g fixpoint of propagation starting from given binding list + current type if it
   contains variable constructor. Straightforward from scc.
   After this, the list of binding vars associated to each type is exact. *)

let compute_binding_vars dm =
  let get_scc , get_types = make_scc dm in
  let tb = ref IMap.empty in
  let rec get_binding_vars sccn =
    try IMap.find sccn !tb
    with Not_found -> let all = IMap.find sccn get_types in
      (* dependents in scc quotiented graph + base set from current component. *)
      let dep,base = List.fold_left (fun (dep,base) tn ->
        let td = type_def tn dm in
        let dep = dependents_fold (fun tnd dep ->
          let sccnd = TMap.find tnd get_scc in
          if sccnd = sccn
          then dep
          else ISet.add sccnd dep ) td dep in
        let v,base = match td with
          | ITypeDef (c,v) ->
            v , if c.var_present then TSet.add tn base else base
          | ITypeAssumption v -> v , base in
        let base = List.fold_left (fun acc v -> TSet.add v acc ) base v in
        (dep,base) ) (ISet.empty,TSet.empty) all in
      let res = ISet.fold (fun sccnd acc ->
        TSet.union acc (get_binding_vars sccnd)) dep base in
      tb := IMap.add sccn res !tb ; res in
  let reorder bv =
    let compare t1 t2 =
      let _ , r1 = TMap.find t1 dm.type_decls in
      let _ , r2 = TMap.find t2 dm.type_decls in
      compare r1 r2 in
    List.sort compare bv in
  { names = dm.names ;
    var_params = dm.var_params ;
    type_decls = TMap.mapi (fun tn (td,rank) -> match td with
    | ITypeAssumption v -> ITypeAssumption (reorder v) , rank
    | ITypeDef ( c , _ ) -> let sccn = TMap.find tn get_scc in
      let bv = get_binding_vars sccn in
      ITypeDef ( c , reorder ( TSet.elements bv ) ) , rank ) dm.type_decls }

let type_name (tn:TName.t) dm = IMap.find (tn:>int) dm.names

let cons_name (cn:CName.t) dm = IMap.find (cn:>int) dm.names

let var_name (vn:VName.t) dm = IMap.find (vn:>int) dm.names

open Format

let print_params dm fmt =
  List.iter (fun v -> fprintf fmt " 'a%s" (var_name v dm)) dm.var_params

let level tn blv = try TMap.find tn blv with Not_found -> 0

let inc_level tn blv = TMap.add tn (level tn blv + 1) blv

let bvar_list = function ITypeAssumption v | ITypeDef (_,v) -> v

let print_tindex fmt (tn:TName.t) =
  fprintf fmt "%d" (tn:>int)

let print_binding_param dm prefix blevels fmt tn =
  let bl = level tn blevels in
  let rec print_p fmt = function
    | 0 -> fprintf fmt "'%s%a" prefix print_tindex tn
    | n -> fprintf fmt "(option@ %a)" print_p (n-1) in
  fprintf fmt "@[%a@]" print_p bl

let print_type_app dm ?(blevels=TMap.empty) prefix fmt tn =
  let tname = type_name tn dm in
  let td = type_def tn dm in
  fprintf fmt "%s%t" tname (print_params dm) ;
  let v = bvar_list td in
  List.iter (fun vn ->
    fprintf fmt "@ %a" (print_binding_param dm prefix blevels) vn) v

let print_type dm ?(blevels=TMap.empty) prefix fmt = function
  | ITVar x -> fprintf fmt "'a%s" (var_name x dm)
  | ITDecl tn -> print_type_app dm ~blevels prefix fmt tn

let make_first_case_printer p1 p2 =
  let first = ref true in
  fun fmt -> if !first
    then begin first := false ; fprintf fmt "%t" p1 end
    else fprintf fmt "%t" p2

let make_first_case_sprinter s1 s2 =
  let make s fmt = fprintf fmt "%s" s in
  make_first_case_printer (make s1) (make s2)

let print_type_defs fmt dm =
  let reorder tp =
    let compare ( _ , ( _ , r1 ) ) ( _ , ( _ , r2 ) ) = compare r1 r2 in
    List.sort compare tp in
  let tlist = TMap.bindings dm.type_decls in
  let tlist = reorder tlist in
  let print_decl = make_first_case_sprinter "type" "with" in
  List.iter (fun ( tn , ( td , _ ) ) ->
    match td with ITypeAssumption _ -> ()
      | ITypeDef ( c , v ) ->
        let tname = type_name tn dm in
        fprintf fmt "@[%t @[%a@] =@ " print_decl (print_type_app dm "b") tn ;
        begin if c.var_present
          then fprintf fmt "| Var_%s 'b%a@\n" tname print_tindex tn end ;
        List.iter (fun ( cn , bl , tl ) ->
          let cname = cons_name cn dm in
          fprintf fmt "| %s@[" cname ;
          let rec print_parameters blevels bl = match bl with
            | [] -> blevels
            | ( vn , t ) :: q -> let nblevels =
                let u = try 1 + TMap.find vn blevels with Not_found -> 1 in
                TMap.add vn u blevels in
              match t with
                | None -> print_parameters nblevels q
                | Some t -> fprintf fmt "@ (%a)" (print_type dm ~blevels "b") t ;
                  print_parameters nblevels q
          in
          let blevels = print_parameters TMap.empty bl in
          List.iter (fprintf fmt "@ (%a)" (print_type dm ~blevels "b")) tl ;
          fprintf fmt "@]@\n"
        ) c.cons_list ;
      fprintf fmt "@]@\n"
  ) tlist

(* print a case in a pattern-matching and return the list of variables. *)

let print_cons_case ?(vbase="v") dm fmt ( cn , bl , tl ) =
  let cname = cons_name cn dm in
  fprintf fmt "| %s@[" cname ;
  let vars , blevels , cnt = List.fold_left (
    fun ( vars , blevels , cnt ) ( bound_one , associated_binding ) ->
        let nblevels = inc_level bound_one blevels in
        match associated_binding with
          | None -> ( vars , nblevels , cnt )
          | Some tp -> let vname = vbase ^ (string_of_int cnt) in
            fprintf fmt "@ %s" vname ;
            ( ( vname , blevels , tp ) :: vars , nblevels , cnt + 1 )
      ) ( [] , TMap.empty , 0 ) bl in
  let vars , _ = List.fold_left (
    fun ( vars , cnt ) cons_type ->
      let vname = vbase ^ (string_of_int cnt) in
      fprintf fmt "@ %s" vname ;
      ( ( vname , blevels , cons_type ) :: vars , cnt + 1 ) ) ( vars , cnt ) tl in
  fprintf fmt "@] ->@ " ; List.rev vars

(* print full pattern-matching. *)

let print_pattern_match ?(vbase="v") dm tn c var_case cons_case fmt vname =
  fprintf fmt "match %s with@\n" vname ;
  let tname = type_name tn dm in
  begin if c.var_present
    then begin
    let vname = vbase ^ "0" in
    fprintf fmt "  @[| Var_%s %s ->@ %a@]@\n" tname vname var_case vname
  end end ;
  List.iter (fun x ->
    fprintf fmt "  @[" ;
    let vars = print_cons_case ~vbase dm fmt x in
    fprintf fmt "%a@]@\n" (cons_case x) vars) c.cons_list ;
  fprintf fmt "end"

let make_for_defs dm f =
  TMap.iter (fun tn (td,_) -> match td with
    | ITypeAssumption _ -> ()
    | ITypeDef (c,v) ->
      f tn c v) dm.type_decls

let make_for_bdefs dm f =
  make_for_defs dm (fun tn c -> function
    | [] -> ()
    | v -> f tn c v)

let make_for_vdefs dm f =
  make_for_defs dm (fun tn c v ->
    if c.var_present
    then f tn c v
    else ())

let lemma_cons_case f (cn,_,_) fmt v =
  fprintf fmt "@[" ;
  List.iter (fun (vname,blv,ct) ->
    match ct with
      | ITVar _ -> ()
      | ITDecl tn -> fprintf fmt "%a ;@ " (f blv tn) vname
  ) v ;
  fprintf fmt "()@]"

let blemma_cons_case dm f (cn,_,_) fmt v =
  fprintf fmt "@[" ;
  List.iter (fun (vname,blv,ct) ->
    match ct with
      | ITVar _ -> ()
      | ITDecl tn when bvar_list (type_def tn dm) = [] -> ()
      | ITDecl tn -> fprintf fmt "%a ;@ " (f blv tn) vname
  ) v ;
  fprintf fmt "()@]"

let reconstruct_cons_case dm f (cn,_,_) fmt v =
  let cname = cons_name cn dm in
  fprintf fmt "%s@[ " cname;
  List.iter (fun (vname,blv,ct) ->
    match ct with
      | ITVar _ -> fprintf fmt "%s@ " vname
      | ITDecl tn when bvar_list (type_def tn dm) = [] -> fprintf fmt "%s@ " vname
      | ITDecl tn -> fprintf fmt "(%a)@ " (f blv tn) vname
  ) v ;
  fprintf fmt "@]"

let print_size_defs fmt dm =
  let print_kw = make_first_case_sprinter "function" "with" in
  let print_decl tn c v is_nat =
    let prefix = if is_nat then "nat_" else "" in
    let tp = if is_nat then "nat" else "int" in
    let one = if is_nat then "one_nat" else "1" in
    let add = if is_nat then fun fmt p -> fprintf fmt "add_nat s (%t)" p
      else fun fmt p -> fprintf fmt "s + %t" p in
    let var_case fmt vname = fprintf fmt "%s" one in
    let cons_case _ fmt v =
      fprintf fmt "let s = %s in@\n" one ;
      List.iter (fun (vname,_,ct) -> match ct with
        | ITVar _ -> ()
        | ITDecl tn -> let tname = type_name tn dm in
          let rec_call fmt = fprintf fmt "%ssize_%s %s" prefix tname vname in
          fprintf fmt "let s = %a in@\n" add rec_call ) v ;
      fprintf fmt "s" in
    let tname = type_name tn dm in
    fprintf fmt "@[%t %ssize_%s (t:@[%a@]) : %s =@ %a@]@\n@\n"
      print_kw prefix tname (print_type_app dm "b") tn tp
      (print_pattern_match dm tn c var_case cons_case) "t" in
  make_for_defs dm (fun tn c v ->
    print_decl tn c v true ; print_decl tn c v false )

let print_size_lemmae fmt dm =
  let print_kw = make_first_case_sprinter "let rec" "with" in
  let print_decl tn c v =
    let tname = type_name tn dm in
    let var_case fmt _ = fprintf fmt "()" in
    let cons_case = lemma_cons_case (fun blv tn fmt vname ->
      let tname = type_name tn dm in
      fprintf fmt "size_%s_positive %s" tname vname ) in
    fprintf fmt "@[%t lemma size_%s_positive (t:@[%a@]) : unit@\n\
    ensures { size_%s t > 0 }@\n\
    variant { @[nat_to_int (nat_size_%s t)@] }@]@\n\
    @[=@ %a@]@\n@\n"
      print_kw tname (print_type_app dm "b") tn tname tname
      (print_pattern_match dm tn c var_case cons_case) "t" in
  make_for_defs dm print_decl

let print_lift sub dm prefix blv fmt tn =
  let tname = type_name tn dm in
  let lifting = if sub
    then (fun fmt -> fprintf fmt "olifts_%s" tname )
    else (fun fmt -> fprintf fmt "olift" ) in
  let rec aux fmt = function
    | 0 -> fprintf fmt "%t" prefix
    | n -> fprintf fmt "(%t@ %a)" lifting aux (n-1) in
  let aux fmt n = fprintf fmt "@[%a@]" aux n in
  let n0 = level tn blv in
  if sub
  then begin fprintf fmt "@[(rename_subst_%s@ %a" tname aux n0 ;
      let v = bvar_list (type_def tn dm) in
      let rec composed fmt = function
        | 0 -> fprintf fmt "identity"
        | n -> fprintf fmt "(compose some@ %a)" composed (n-1) in
      List.iter (fun tn' ->
        if tn = tn'
        then fprintf fmt "@ identity"
        else fprintf fmt "@ @[%a@]" composed (level tn' blv) ) v ;
      fprintf fmt ")@]"
    end
  else aux fmt n0

let print_subst_type sub dm p1 p2 fmt tn =
  if sub
  then fprintf fmt "'%s%a -> @[(%a)@]"
    p1 print_tindex tn (print_type_app dm p2) tn
  else fprintf fmt "'%s%a -> '%s%a" p1 print_tindex tn p2 print_tindex tn

let print_subst_def dm fmt sub =
  let print_kw = make_first_case_sprinter "function" "with" in
  let fprefix = if sub then "subst" else "rename" in
  let print_decl tn c v =
    let tname = type_name tn dm in
    let var_case = if sub
      then fun fmt vname ->
        fprintf fmt "s%a %s" print_tindex tn vname
      else fun fmt vname ->
        fprintf fmt "Var_%s (s%a %s)" tname print_tindex tn vname in
    let print_args blv fmt v =
      let prefix tn fmt = fprintf fmt "s%a" print_tindex tn in
      List.iter (fun tn ->
          fprintf fmt "@ %t" (fun fmt ->
            print_lift sub dm (prefix tn) blv fmt tn)) v in
    let cons_case = reconstruct_cons_case dm (fun blv tn fmt vname ->
      let tname = type_name tn dm in
      let v = bvar_list (type_def tn dm) in
      fprintf fmt "@[%s_%s@ %s%a@]" fprefix tname vname
      (print_args blv) v) in
    fprintf fmt "@[%t %s_%s @[(t:@[%a@])" print_kw fprefix tname
    (print_type_app dm "b") tn ;
    List.iter (fun tn ->
      fprintf fmt "@ (s%a : %a)"
      print_tindex tn (print_subst_type sub dm "b" "c") tn) v ;
    fprintf fmt "@] : %a =@ %a@]@\n@\n" (print_type_app dm "c") tn
      (print_pattern_match dm tn c var_case cons_case) "t"
  in
  make_for_bdefs dm print_decl

let print_composition dm sub1 side1 sub2 side2 fmt tn =
  if sub1
  then begin let tname = type_name tn dm in
    let p = if sub2 then "subst_compose" else "rename_subst" in
    fprintf fmt "(@[%s_%s %t" p tname side1 ;
    let v = bvar_list (type_def tn dm) in
    List.iter (fun tn ->
      fprintf fmt "@ %a" side2 tn) v ;
    fprintf fmt "@])" end
  else fprintf fmt "(@[rcompose %t@ %a@])"
    side1 side2 tn

let print_composition_lemma dm fmt (sub1,sub2) =
  let print_kw = make_first_case_sprinter "let rec" "with" in
  let fp s = if s then "subst" else "rename" in
  let fp1 , fp2 , fpc = fp sub1 , fp sub2 , fp (sub1 || sub2) in
  let prefix id tn fmt = fprintf fmt "s%s%a" id print_tindex tn in
  let print_args blv fmt v =
      List.iter (fun tn ->
          fprintf fmt "@ %a@ %a"
          (print_lift sub1 dm (prefix "1" tn) blv) tn
          (print_lift sub2 dm (prefix "2" tn) blv) tn) v in
  let print_nargs id fmt v =
    List.iter (fun tn -> fprintf fmt "@ s%s%a" id print_tindex tn) v in
  let print_cargs fmt v =
    List.iter (fun tn ->
      let side1 fmt = fprintf fmt "s1%a" print_tindex tn in
      let side2 fmt tn = fprintf fmt "s2%a" print_tindex tn in
      fprintf fmt "@ %a" (print_composition dm sub1 side1 sub2 side2) tn) v in
  let print_decl tn c v =
    let tname = type_name tn dm in
    let var_case fmt _ = fprintf fmt "()" in
    let cons_case = blemma_cons_case dm (fun blv tn fmt vname ->
        let tname = type_name tn dm in
        let v = bvar_list (type_def tn dm) in
        fprintf fmt "@[composition_lemma_%s_%s_%s %s%a@]"
        fp1 fp2 tname vname (print_args blv) v ) in
    fprintf fmt "@[%t lemma composition_lemma_%s_%s_%s @[(t:@[%a@])"
    print_kw fp1 fp2 tname (print_type_app dm "b") tn ;
    List.iter (fun tn ->
      fprintf fmt "@ (s1%a : %a)@ (s2%a : %a)"
      print_tindex tn (print_subst_type sub1 dm "b" "c" ) tn
      print_tindex tn (print_subst_type sub2 dm "c" "d" ) tn) v ;
    fprintf fmt "@] : unit@\n\
      @[ensures { @[%s_%s (@[%s_%s t %a@])@ %a@] =@ \
        @[%s_%s t@ %a@] }@]@\n\
      variant { size_%s t }@]@\n@[=@ %a@]@\n"
      fp2 tname fp1 tname (print_nargs "1") v (print_nargs "2") v
      fpc tname print_cargs v
      tname (print_pattern_match dm tn c var_case cons_case) "t" in
  make_for_bdefs dm print_decl

let print_identity_lemma dm fmt sub =
  let print_kw = make_first_case_sprinter "let rec" "with" in
  let fp = if sub then "subst" else "rename" in
  let print_decl tn c v =
    let tname = type_name tn dm in
    let print_identities = if sub
      then fun fmt ->
        List.iter (fun tn -> let tname = type_name tn dm in
          fprintf fmt "@ subst_id_%s" tname) v
      else fun fmt ->
        List.iter (fun _ -> fprintf fmt "@ identity") v in
    let var_case fmt _ = fprintf fmt "()" in
    let cons_case = blemma_cons_case dm (fun blv tn fmt vname ->
      let tname = type_name tn dm in
      fprintf fmt "identity_lemma_%s_%s %s" fp tname vname) in
    fprintf fmt "@[%t lemma identity_lemma_%s_%s (t:@[%a@]) : unit@\n\
      ensures { @[%s_%s t%t@] = t }@\n\
      variant { size_%s t }@]@\n@[=@ %a@]@\n"
    print_kw fp tname (print_type_app dm "b") tn
    fp tname print_identities
    tname (print_pattern_match dm tn c var_case cons_case) "t" in
  make_for_bdefs dm print_decl

let print_associativity_lemma dm fmt (sub1,sub2,sub3) =
  let fp = function true -> "subst" | false -> "rename" in
  let fp1,fp2,fp3 = fp sub1,fp sub2,fp sub3 in
  let print_decl tn c v =
    let tname = type_name tn dm in
    fprintf fmt "@[let lemma@ associativity_lemma_%s_%s_%s_%s@ (s1:@[%a@])"
    fp1 fp2 fp3 tname (print_subst_type sub1 dm "b" "c" ) tn ;
    (if sub1
    then List.iter (fun tn ->
      fprintf fmt "@ (s2%a:@[%a@])@ (s3%a:@[%a@])"
      print_tindex tn (print_subst_type sub2 dm "c" "d" ) tn
      print_tindex tn (print_subst_type sub3 dm "d" "e" ) tn ) v
    else begin fprintf fmt "@ (s2%a:@[%a@])"
          print_tindex tn (print_subst_type sub2 dm "c" "d") tn ;
      if sub2
      then List.iter (fun tn ->
          fprintf fmt "@ (s3%a:@[%a@])"
          print_tindex tn (print_subst_type sub3 dm "d" "e") tn ) v
      else fprintf fmt "@ (s3%a:@[%a@])"
        print_tindex tn (print_subst_type sub2 dm "d" "e") tn
    end);
    let print_first fmt =
      let side1 fmt = fprintf fmt "s1" in
      let side2 fmt tn =
        let side1 fmt = fprintf fmt "s2%a" print_tindex tn in
        let side2 fmt tn = fprintf fmt "s3%a" print_tindex tn in
        print_composition dm sub2 side1 sub3 side2 fmt tn in
      print_composition dm sub1 side1 (sub2||sub3) side2 fmt tn in
    let print_second fmt =
      let side1 fmt =
        let side1 fmt = fprintf fmt "s1" in
        let side2 fmt tn = fprintf fmt "s2%a" print_tindex tn in
        print_composition dm sub1 side1 sub2 side2 fmt tn in
      let side2 fmt tn = fprintf fmt "s3%a" print_tindex tn in
      print_composition dm (sub1||sub2) side1 sub3 side2 fmt tn in
    fprintf fmt "@\nensures { %t =@ %t }@]@\n@[=@ \
      @[assert { extensionalEqual %t@ %t }@]@]@\n@\n"
      print_first print_second print_first print_second in
  make_for_vdefs dm print_decl

(* case with left side a renaming come directly from functions axiom,
   hence do not need to be generated. The same hold for right identity. *)
let print_left_identity_lemma dm fmt sub2 =
  let fp2 = if sub2 then "subst" else "rename" in
  let cop = if sub2 then "subst_compose" else "rename_subst" in
  let print_decl tn c v =
    let tname = type_name tn dm in
    fprintf fmt "@[let lemma identity_neutral_left_%s_%s"
      fp2 tname ;
    List.iter (fun tn ->
       fprintf fmt "@ (s%a:%a)" print_tindex tn
         (print_subst_type sub2 dm "b" "c") tn) v ;
    let print_first fmt =
      fprintf fmt "@[%s_%s (subst_id_%s:%a)"
        cop tname tname (print_subst_type true dm "b" "b") tn ;
      List.iter (fprintf fmt "@ s%a" print_tindex) v ;
      fprintf fmt "@]" in
    let print_second = if sub2
      then fun fmt -> fprintf fmt "s%a" print_tindex tn
      else fun fmt -> fprintf fmt "subst_of_rename_%s s%a" tname print_tindex tn in
    fprintf fmt " : unit@\n@[ensures { %t =@ %t }@]@]@\n@[=@ \
      @[assert { extensionalEqual (%t)@ (%t) }@]@]@\n@\n"
      print_first print_second print_first print_second in
  make_for_vdefs dm print_decl

let print_right_identity_lemma dm fmt sub2 =
  let fp2 = if sub2 then "subst" else "rename" in
  let cop = if sub2 then "subst_compose" else "rename_subst" in
  let prid = if sub2 then fun fmt tn ->
    fprintf fmt "subst_id_%s" (type_name tn dm) else fun fmt _ ->
      fprintf fmt "identity" in
  let print_decl tn c v =
    let tname = type_name tn dm in
    let print_first fmt =
      fprintf fmt "@[%s_%s s" cop tname ;
      List.iter (fprintf fmt "@ %a" prid) v ;
      fprintf fmt "@]" in
    let print_second fmt = fprintf fmt "s" in
    fprintf fmt "@[let lemma identity_neutral_right_%s_%s (s:%a) : unit@\n\
      @[ensures { %t =@ %t }@]@]@\n\
      @[=@ @[assert { extensionalEqual (%t)@ (%t) }@]@]@\n@\n"
      fp2 tname (print_subst_type true dm "b" "c") tn
      print_first print_second print_first print_second in
  make_for_vdefs dm print_decl

let print_substitution_composition_def dm fmt sub =
  let print_args fmt = List.iter (fprintf fmt "@ s1%a" print_tindex) in
  let print_args_typed fmt = List.iter (fun tn ->
    fprintf fmt "@ (s1%a:%a)"
      print_tindex tn (print_subst_type sub dm "c" "d") tn) in
  let print_args_typed2 fmt = List.iter (fun tn ->
    fprintf fmt ",@ s1%a:%a"
      print_tindex tn (print_subst_type sub dm "c" "d") tn) in
  let cop = if sub then "subst_compose" else "rename_subst" in
  let dop = if sub then "subst" else "rename" in
  let print_decl tn c v =
    let tname = type_name tn dm in
    let mytype fmt = print_subst_type true dm "b" "c" fmt tn in
    let print_def fmt = fprintf fmt "@[%s_%s (s0 x)%a@]" dop tname print_args v in
    let print_left_fun fmt =
      fprintf fmt "function %s_%s (s0:%t)%a :@ %a"
        cop tname mytype print_args_typed v (print_subst_type true dm "b" "d") tn in
    fprintf fmt "(* @[Abstraction definition axiom :@ \
      @[%t =@ (\\ x: 'b%a. %t)@]@ *)@]@\n\
      @[%t@]@\n\
      @[axiom %s_%s_definition :@ forall s0:%t%a,@ x:'b%a.@ \
      @[@[%s_%s s0%a@ x@] =@ %t@]@]@\n@\n"
      print_left_fun print_tindex tn print_def
      print_left_fun
      cop tname mytype print_args_typed2 v print_tindex tn
      cop tname print_args v print_def in
  make_for_vdefs dm print_decl

let print_lifting_composition_lemma dm fmt (sub1,sub2) =
  let fp s = if s then "subst" else "rename" in
  let li s = if s then (fun fmt tname -> fprintf fmt "olifts_%s" tname)
    else (fun fmt _ -> fprintf fmt "olift") in
  let fp1,fp2 = fp sub1 , fp sub2 in
  let li1,li2,lic = li sub1,li sub2,li (sub1||sub2) in
  let print_decl tn c v =
    let tname = type_name tn dm in
    fprintf fmt "@[let lemma olift_composition_%s_%s_%s (s0:%a)"
      fp1 fp2 tname (print_subst_type sub1 dm "b" "c") tn ;
    let print_targ tn = fprintf fmt "@ (s1%a:%a)"
      print_tindex tn (print_subst_type sub2 dm "c" "d") tn in
    (if sub1 then List.iter print_targ v else print_targ tn);
    let print_first fmt =
      let side1 fmt = fprintf fmt "s0" in
      let side2 fmt tn = fprintf fmt "s1%a" print_tindex tn in
      fprintf fmt "%a (%a)" lic tname
        (print_composition dm sub1 side1 sub2 side2) tn in
    let blv = TMap.singleton tn 1 in
    let print_second fmt =
      let side1 fmt = fprintf fmt "(%a s0)" li1 tname in
      let side2 fmt tn' = if tn = tn'
        then fprintf fmt "(%a s1%a)" li2 tname print_tindex tn
        else print_lift sub2 dm (fun fmt ->
          fprintf fmt "s1%a" print_tindex tn') blv fmt tn' in
      print_composition dm sub1 side1 sub2 side2 fmt tn in
    fprintf fmt " : unit@\n\
      @[ensures { %t =@ %t }@]@]@\n@[=@ \
      @[assert { forall x:'b%a. eval (%t) (Some x) =@ eval (%t) (Some x) };@]@\n
      @[assert { eval (%t) None =@ eval (%t) None };@]@\n
      @[assert { extensionalEqual (%t)@ (%t) }@]@]@\n@\n"
      print_first print_second print_tindex tn print_first print_second
      print_first print_second print_first print_second
  in
  make_for_vdefs dm print_decl

let print_subst_lifting fmt dm =
  let print_decl tn c v =
    let tname = type_name tn dm in
    let blevels = TMap.singleton tn 1 in
    let print_args fmt =
      List.iter (fun tn' -> if tn = tn'
        then fprintf fmt "@ some"
        else fprintf fmt "@ identity") v in
    let print_lhs1 fmt =
      fprintf fmt "@[rename_%s (s x)%t@]" tname print_args in
    let print_lhs2 fmt =
      fprintf fmt "@[rename_subst_%s s%t@]" tname print_args in
    let mytype = print_subst_type true dm "b" "c" in
    fprintf fmt "@[function osubst_%s (s:%a)@ (x:option 'b%a) :@ @[%a@] =@\n\
      @[match x with@\n| None -> Var_%s None@ | Some x -> %t@]@\nend@]@\n@\n"
      tname mytype tn print_tindex tn (print_type_app dm ~blevels "c") tn
      tname print_lhs1 ;
    fprintf fmt "@[function olifts_%s (s:%a) :@ (option 'b%a) -> (%a) =@ \
      ocase (%t) (Var_%s None)@]@\n@\n"
      tname mytype tn
      print_tindex tn (print_type_app dm ~blevels "c") tn
      print_lhs2 tname ;
    fprintf fmt "@[lemma olifts_%s_some_value :@ \
      @[forall s:%a,@ x:'b%a.@ \
      olifts_%s s (Some x) =@ %t@]@]@\n@\n"
      tname mytype tn print_tindex tn tname print_lhs1 ;
    fprintf fmt "@[lemma olifts_%s_none :@ \
      @[forall s:%a.@ \
      olifts_%s s None =@ Var_%s None@]@]@\n@\n"
      tname mytype tn tname tname ;
    (* most provers needs us to write the disjunction ourselves... *)
    fprintf fmt "@[let lemma olifts_%s_other_def@ (s:%a)@ (x:option 'b%a) : unit@\n\
      @[ensures { olifts_%s s x =@ osubst_%s s x }@]@]@\n\
      @[=@ \
      @[match x with@\n| None -> ()@\n| Some _ -> ()@]@\nend@]@\n@\n"
      tname mytype tn print_tindex tn tname tname
  in
  make_for_vdefs dm print_decl

let print_subst_ids fmt dm =
  let print_decl tn c v =
    let tname = type_name tn dm in
    fprintf fmt "(*@[ Abstraction-definition axiom :@ \
      @[constant subst_id_%s : %a =@ (\\ x:'b%a. Var_%s x)@]@ *)@]@\n\
      constant subst_id_%s : %a@\n\
      @[axiom subst_id_%s_def :@ forall x:'b%a.@ \
      eval (subst_id_%s : %a) x = Var_%s x@]@\n@\n\
      @[function subst_of_rename_%s (r:%a) : %a =@ \
      rcompose r subst_id_%s@]@\n@\n"
      tname (print_subst_type true dm "b" "b") tn print_tindex tn tname
      tname (print_subst_type true dm "b" "b") tn
      tname print_tindex tn tname (print_subst_type true dm "b" "b") tn tname
      tname (print_subst_type false dm "b" "c") tn
      (print_subst_type true dm "b" "c") tn tname ;
    let print_first fmt =
      fprintf fmt "olifts_%s (subst_id_%s : %a)"
        tname tname (print_subst_type true dm "b" "b") tn in
    let print_second fmt =
      fprintf fmt "subst_id_%s" tname in
    let print_dummy_args fmt =
        let td = type_def tn dm in
        let v = bvar_list td in
        List.iter (fun vn ->
                   fprintf fmt "@ (_:'b%a)" print_tindex vn) v
    in
    fprintf fmt "@[let lemma olifts_identity_%s (_:'b%a) (* %t *) : unit@ \
      @[ensures { %t =@ %t }@]@]@\n
      @[=@ \
      @[assert { forall x:'b%a. eval (%t) (Some x) =@ eval (%t) (Some x) };@]@\n\
      @[assert { eval (%t) None =@ eval (%t) None };@]@\n\
      @[assert { extensionalEqual (%t)@ (%t) }@]@]@\n@\n"
            tname print_tindex tn print_dummy_args
            print_first print_second print_tindex tn
      print_first print_second print_first print_second print_first print_second in
  make_for_vdefs dm print_decl

let print_renaming_as_subst_lemmae fmt dm =
  let print_decl tn c v =
    let tname = type_name tn dm in
    let print_targs fmt = List.iter (fun tn ->
      fprintf fmt ",@ r%a:%a" print_tindex tn
      (print_subst_type false dm "b" "c") tn) v in
    let print_args1 fmt = List.iter (fun tn ->
      fprintf fmt "@ r%a" print_tindex tn) v in
    let print_args2 fmt = List.iter (fun tn ->
      let tname = type_name tn dm in
      fprintf fmt "@ (subst_of_rename_%s r%a)" tname print_tindex tn) v in
    fprintf fmt "@[lemma renaming_as_subst_%s :@ \
      forall t:%a%t.@ @[ @[rename_%s t%t@] =@ \
      @[subst_%s t%t@]@]@]@\n@\n"
      tname (print_type_app dm "b") tn print_targs tname
      print_args1 tname print_args2 ;
    fprintf fmt "@[lemma subst_of_rename_preserve_identity_%s :@ \
      @[(subst_id_%s : %a) =@ \
      subst_of_rename_%s identity@]@]@\n@\n"
      tname tname (print_subst_type true dm "b" "b") tn tname in
  make_for_vdefs dm print_decl

let print_left_compose_renaming_as_subst_lemma dm fmt sub =
  let fp = if sub then "subst" else "rename" in
  let cast = if sub then fun _ _ -> () else fun fmt tname ->
    fprintf fmt "subst_of_rename_%s" tname in
  let print_decl tn c v =
    let tname = type_name tn dm in
    fprintf fmt "@[lemma left_compose_subst_of_rename_%s_%s :@ \
      forall r:%a"
      fp tname (print_subst_type false dm "b" "c") tn ;
    List.iter (fun tn ->
      fprintf fmt ",@ s%a:%a" print_tindex tn
        (print_subst_type sub dm "c" "d") tn) v ;
    let side1_1 fmt = fprintf fmt "r" in
    let side1_2 fmt = fprintf fmt "(subst_of_rename_%s r)" tname in
    let side2 fmt tn = fprintf fmt "s%a" print_tindex tn in
    fprintf fmt ".@ @[%a(%a) =@ %a@]@]@\n@\n" cast tname
      (print_composition dm false side1_1 sub side2) tn
      (print_composition dm true side1_2 sub side2) tn in
  make_for_vdefs dm print_decl

let print_right_compose_renaming_as_subst_lemma dm fmt sub =
  let fp = if sub then "subst" else "rename" in
  let cast = if sub then fun _ _ -> () else fun fmt tname ->
    fprintf fmt "subst_of_rename_%s" tname in
  let print_decl tn c v =
    let tname = type_name tn dm in
    fprintf fmt "@[lemma right_compose_subst_of_rename_%s_%s :@ \
      forall s:%a" fp tname (print_subst_type sub dm "b" "c") tn ;
    let print_targ tn =
      fprintf fmt ",@ r%a:%a" print_tindex tn
        (print_subst_type false dm "c" "d") tn in
    (if sub
     then List.iter print_targ v
     else print_targ tn);
    let side1 fmt = fprintf fmt "s" in
    let side2_1 fmt tn = fprintf fmt "r%a" print_tindex tn in
    let side2_2 fmt tn =
      fprintf fmt "(subst_of_rename_%s r%a : %a)"
      (type_name tn dm) print_tindex tn
      (print_subst_type true dm "c" "d") tn in
    fprintf fmt ".@ @[%a(%a) =@ %a@]@]@\n@\n" cast tname
      (print_composition dm sub side1 false side2_1) tn
      (print_composition dm sub side1 true side2_2) tn in
  make_for_vdefs dm print_decl

let print_free_var_def fmt dm =
  let print_kw = make_first_case_sprinter "predicate" "with" in
  let rec print_in_somes fmt = function
    | 0 -> fprintf fmt "x"
    | n -> fprintf fmt "(Some %a)" print_in_somes (n-1) in
  let print_decl tnv tn c v =
    let tname = type_name tn dm in
    let tnamev = type_name tnv dm in
    let var_case fmt vname = if tn = tnv
      then fprintf fmt "%s = x" vname
      else fprintf fmt "false" in
    let cons_case _ fmt vlist =
      let printed = ref false in
      List.iter (fun (vname,blv,ct) -> match ct with
        | ITVar _ -> ()
        | ITDecl tn -> if List.mem tnv (bvar_list (type_def tn dm))
          then begin
              (if !printed then fprintf fmt "@ \\/@ " else printed := true);
              fprintf fmt "is_%s_free_var_in_%s %a %s"
                tnamev (type_name tn dm) print_in_somes (level tnv blv) vname
            end ) vlist ;
      if not(!printed)
      then fprintf fmt "false" in
    fprintf fmt "@[%t is_%s_free_var_in_%s (x:'b%a) (t:%a) =@\n\
      @[%a@]@]@\n@\n"
      print_kw tnamev tname print_tindex tnv
      (print_type_app dm "b") tn
      (print_pattern_match dm tn c var_case cons_case) "t" in
  make_for_bdefs dm (fun tn c v ->
    List.iter (fun tnv ->
      print_decl tnv tn c v ) v)

let print_free_var_equivalence_def fmt dm =
  let print_decl tnv tn c v =
    let tname = type_name tn dm in
    let tnamev = type_name tnv dm in
    fprintf fmt "@[predicate %s_free_var_%s_equivalence (t:%a) (f g: 'b%a -> 'c) =@\n\
      @[forall x:'b%a. is_%s_free_var_in_%s x t ->@ f x = g x@]@]@\n@\n"
      tnamev tname (print_type_app dm "b") tn
      print_tindex tnv print_tindex tnv tnamev tname (*;
    fprintf fmt "@[lemma %s_free_var_%s_equivalence_reflexive :@\n\
      @[forall t:%a,f: 'b%a -> 'c. %s_free_var_%s_equivalence t f f@]@]@\n@\n"
      tnamev tname (print_type_app dm "b") tn
      print_tindex tnv tnamev tname*)
  in
  make_for_bdefs dm (fun tn c v ->
    List.iter (fun tnv ->
      print_decl tnv tn c v) v)

let print_free_var_equivalence_lemma dm fmt sub =
  let fp = if sub then "subst" else "rename" in
  let print_kw = make_first_case_sprinter "let rec" "with" in
  let rec print_in_options p fmt = function
    | 0 -> p fmt
    | n -> fprintf fmt "(option %a)" (print_in_options p) (n-1) in
  let print_decl tnv tn c v =
    let tname = type_name tn dm in
    let tnamev = type_name tnv dm in
    let var_case fmt _ = fprintf fmt "()" in
    let prefix id tn fmt = fprintf fmt "s%s%a" id print_tindex tn in
    let cons_case = blemma_cons_case dm (fun blv tn fmt vname ->
      let tname2 = type_name tn dm in
      let v = bvar_list (type_def tn dm) in
      if List.mem tnv v
      then begin
        let p0 = print_in_options (fun fmt -> fprintf fmt "'b%a" print_tindex tnv) in
        let nv0 = level tnv blv in
        let rec print_disjunction somep fmt = function
          | 0 -> fprintf fmt "@[| %a ->@ is_%s_free_var_in_%s y t@]@ "
            somep "y" tnamev tname
          | n -> let somep' fmt a = fprintf fmt "(Some %a)" somep a in
            fprintf fmt "@[| %a ->@ true@]@ %a"
              somep "None" (print_disjunction somep') (n-1) in
        let print_disj fmt =
          print_disjunction (fun fmt -> fprintf fmt "%s") fmt nv0 in
        fprintf fmt "@[assert { forall x:%a. is_%s_free_var_in_%s x %s ->@ \
            @[match x with %t end@] };@]@,"
          p0 nv0 tnamev tname2 vname print_disj ;
        fprintf fmt "%s_%s_free_var_equivalence_lemma_%s %s"
          fp tnamev tname2 vname ;
        let pl id tn fmt = print_lift sub dm (prefix id tn) blv fmt tn in
        List.iter (fun tn ->
          if tn = tnv
          then fprintf fmt "@ %t@ %t" (pl "1" tn) (pl "2" tn)
          else fprintf fmt "@ %t" (pl "0" tn)) v
      end else fprintf fmt "()" ) in
    fprintf fmt "@[%t lemma %s_%s_free_var_equivalence_lemma_%s (t:%a)"
      print_kw fp tnamev tname (print_type_app dm "b") tn ;
    List.iter (fun tn ->
      if tn = tnv
      then fprintf fmt "@ (s1%a:%a)@ (s2%a:%a)" print_tindex tn
          (print_subst_type sub dm "b" "c") tn print_tindex tn
          (print_subst_type sub dm "b" "c") tn
      else fprintf fmt "@ (s0%a:%a)" print_tindex tn
          (print_subst_type sub dm "b" "c") tn
      ) v ;
    let print_call fmt id =
      fprintf fmt "%s_%s t" fp tname ;
      List.iter (fun tn -> if tn = tnv
        then fprintf fmt " s%s%a" id print_tindex tn
        else fprintf fmt " s0%a" print_tindex tn) v in
    fprintf fmt " : unit@\n" ;
    fprintf fmt "@[requires { %s_free_var_%s_equivalence t s1%a s2%a }@]@\n"
      tnamev tname print_tindex tnv print_tindex tnv ;
    fprintf fmt "@[ensures { %a =@ %a }@]@\n\
      @[variant { size_%s t }@]@]@\n\
      @[=@\n@[%a@]@]@\n@\n"
      print_call "1" print_call "2" tname
      (print_pattern_match dm tn c var_case cons_case) "t" in
  make_for_bdefs dm (fun tn c v ->
    List.iter (fun tnv -> print_decl tnv tn c v) v)

(* Awful. *)

let print_free_var_substitution_lemma dm fmt sub =
  let fp = if sub then "subst" else "rename" in
  let print_kw = make_first_case_sprinter "let rec" "with" in
  let rec print_in_somes s fmt = function
    | 0 -> fprintf fmt "%s" s
    | n -> fprintf fmt "(Some %a)" (print_in_somes s) (n-1) in
  let rec print_in_options p fmt = function
    | 0 -> p fmt
    | n -> fprintf fmt "(option %a)" (print_in_options p) (n-1) in
  let print_decl tnv tn c v =
    let tname = type_name tn dm in
    let tnamev = type_name tnv dm in
    let var_case fmt _ = fprintf fmt "()" in
    let tname0 = tname in
    let cons_case = lemma_cons_case (fun blv tn fmt vname ->
        let v2 = bvar_list (type_def tn dm) in
        if List.mem tnv v2
        then begin
          let print_right fmt ty =
            let ynamev = type_name ty dm in
            fprintf fmt"is_%s_free_var_in_%s y t@ /\\@ "
              ynamev tname ;
            if sub
            then fprintf fmt "is_%s_free_var_in_%s x (s%a y)"
                  tnamev ynamev print_tindex ty
            else fprintf fmt "s%a y = x" print_tindex tnv in
          let rec print_disj ty ynamev somep fmt = function
            | 0 -> fprintf fmt "@[| %a ->@ %a@ &&@ exists y:'b%a.%a@]" somep "y"
              print_right ty print_tindex ty print_right ty
            | n -> let somep' fmt s = fprintf fmt "(Some %a)" somep s in
              fprintf fmt "@[| %a ->@ false@]@ %a" somep "None"
                (print_disj ty ynamev somep') (n-1) in
          let print_disj ty ynamev fmt lv =
            fprintf fmt "@[match y with %a@ end@]"
              (print_disj ty ynamev (fun fmt -> fprintf fmt "%s")) lv in
          let lv = level tnv blv in
          let tname = type_name tn dm in
          fprintf fmt "@[%s_%s_free_var_in_%s %a %s"
            fp tnamev tname (print_in_somes "x") lv vname ;
          List.iter (fun tn -> fprintf fmt "@ %a"
            (print_lift sub dm (fun fmt ->
              fprintf fmt "s%a" print_tindex tn ) blv ) tn ) v2 ;
          fprintf fmt ";@]@," ;
          begin if sub
            then List.iter (fun tny ->
              if List.mem tnv (bvar_list (type_def tny dm))
              then begin
                let ynamev = type_name tny dm in
                let lvy = level tny blv in
                let ps fmt tn = print_lift sub dm (fun fmt ->
                      fprintf fmt "s%a" print_tindex tn) blv fmt tn in
                fprintf fmt "@[assert { forall y:'b%a.@ \
                  is_%s_free_var_in_%s %a (eval (%a) %a) ->@ \
                  is_%s_free_var_in_%s x (s%a y) };@]@,"
                  print_tindex tny
                  tnamev ynamev (print_in_somes "x") lv ps tny
                  (print_in_somes "y") lvy
                  tnamev ynamev print_tindex tny ;
                fprintf fmt "@[assert { forall y:%a.@ \
                  is_%s_free_var_in_%s y %s@ /\\@ is_%s_free_var_in_%s %a (eval (%a) y) ->@ \
                  %a@ &&@ exists y:'b%a.%a};@]@,"
                  (print_in_options (fun fmt ->
                    fprintf fmt "'b%a" print_tindex tny)) lvy
                    ynamev tname vname tnamev ynamev
                    (print_in_somes "x") lv ps tny
                    (print_disj tny ynamev) lvy print_tindex tny print_right tny ;
                fprintf fmt "@[assert { (exists y:%a.@ \
                  is_%s_free_var_in_%s y %s@ /\\@ is_%s_free_var_in_%s %a (eval (%a) y)) ->@ \
                  exists y:'b%a.%a};@]@,"
                  (print_in_options (fun fmt ->
                    fprintf fmt "'b%a" print_tindex tny)) lvy
                    ynamev tname vname tnamev ynamev
                    (print_in_somes "x") lv ps tny
                    print_tindex tny print_right tny ;
                fprintf fmt "@[assert { forall y:'b%a.@ \
                  (is_%s_free_var_in_%s %a %s@ /\\@ is_%s_free_var_in_%s x (s%a y)) ->@ \
                  (is_%s_free_var_in_%s %a (eval (%a) %a)@ &&@ \
                  (exists y:%a. is_%s_free_var_in_%s y %s@ /\\@ \
                  is_%s_free_var_in_%s %a (eval (%a) y))@ &&@ \
                  is_%s_free_var_in_%s %a (subst_%s %s"
                  print_tindex tny ynamev tname (print_in_somes "y") lvy vname
                  tnamev ynamev print_tindex tny
                  tnamev ynamev (print_in_somes "x") lv ps tny (print_in_somes "y") lvy
                  (print_in_options (fun fmt -> fprintf fmt "'b%a" print_tindex tny)) lvy
                  ynamev tname vname tnamev ynamev (print_in_somes "x") lv ps tny
                  tnamev tname (print_in_somes "x") lv tname vname ;
                List.iter (fun tns -> fprintf fmt "@ %a" ps tns ) v2 ;
                fprintf fmt ")@ &&@ is_%s_free_var_in_%s x (subst_%s t"
                  tnamev tname0 tname0 ;
                List.iter (fun tns -> fprintf fmt "@ s%a" print_tindex tns) v ;
                fprintf fmt ")) };@]@," ;
              end) v2
            else fprintf fmt "@[assert { forall y:%a.@ \
              is_%s_free_var_in_%s y %s@ /\\@ eval (%a) y = %a ->@ %a };@]@,"
                (print_in_options (fun fmt ->
                  fprintf fmt "'b%a" print_tindex tnv)) lv tnamev tname vname
                  (print_lift sub dm (fun fmt ->
                    fprintf fmt "s%a" print_tindex tnv) blv) tnv
                  (print_in_somes "x") lv
                  (print_disj tnv tnamev) lv
          end ;
          fprintf fmt "()"
        end else fprintf fmt "()" ) in
    fprintf fmt "@[%t lemma %s_%s_free_var_in_%s (x:'c%a)@ (t:%a)"
      print_kw fp tnamev tname print_tindex tnv (print_type_app dm "b") tn ;
    List.iter (fun tn -> fprintf fmt "@ (s%a:%a)" print_tindex tn
      (print_subst_type sub dm "b" "c") tn) v ;
    fprintf fmt " : unit@\n\
      @[ensures { " ;
    begin if sub
     then let print_or = make_first_case_printer ignore
         (fun fmt -> fprintf fmt "@ \\/@ ") in
       List.iter (fun tn' ->
         if List.mem tnv (bvar_list (type_def tn' dm))
         then let tname' = type_name tn' dm in
           fprintf fmt "%t@[(exists y:'b%a.@ is_%s_free_var_in_%s y t@ \
             /\\@ is_%s_free_var_in_%s x (s%a y))@]"
             print_or print_tindex tn' tname' tname
             tnamev tname' print_tindex tn'
       ) v
     else fprintf fmt "(exists y:'b%a.@ is_%s_free_var_in_%s y t /\\ s%a y = x)"
       print_tindex tnv tnamev tname print_tindex tnv
    end;
    fprintf fmt "@] <->@ ";
    fprintf fmt "is_%s_free_var_in_%s x (@[%s_%s t"
      tnamev tname fp tname ;
    List.iter (fun tn -> fprintf fmt "@ s%a" print_tindex tn) v;
    fprintf fmt ") }@]@\nvariant { size_%s t }@]@\n@[=@\n%a@]@\n@\n"
      tname (print_pattern_match dm tn c var_case cons_case) "t" in
  make_for_bdefs dm (fun tn c v ->
    List.iter (fun tnv ->
      print_decl tnv tn c v) v)

let print_free_var_injective_renaming_lemma fmt dm =
  let print_decl tnv tn c v =
    let tname = type_name tn dm in
    let tnamev = type_name tnv dm in
    fprintf fmt "@[lemma inj_rename_%s_free_var_in_%s :@\n\
      @[forall x:'b%a,@ t:%a"
      tnamev tname print_tindex tnv (print_type_app dm "b") tn ;
    List.iter (fun tn -> fprintf fmt ",@ r%a:%a" print_tindex tn
      (print_subst_type false dm "b" "c") tn ) v ;
    fprintf fmt ".@ injective r%a ->@ \
      (is_%s_free_var_in_%s (r%a x) (@[rename_%s t"
      print_tindex tnv tnamev tname print_tindex tnv tname ;
    List.iter (fun tn -> fprintf fmt "@ r%a" print_tindex tn) v ;
    fprintf fmt ")@] <->@ is_%s_free_var_in_%s x t)@]@]@\n@\n"
      tnamev tname in
  make_for_bdefs dm (fun tn c v ->
    List.iter (fun tnv ->
      print_decl tnv tn c v) v)

let print_free_var_lifting_lemma fmt dm =
  let print_decl tnv tn c v =
    let tname = type_name tn dm in
    let tnamev = type_name tnv dm in
    if tn = tnv
    then begin
      fprintf fmt "@[let lemma none_free_var_in_olifts_%s \
        (s:%a)@ (y:option 'b%a) : unit@\n\
        @[ensures { is_%s_free_var_in_%s None (olifts_%s s y) <->@ \
        y = None }@]@]@\n@[=@\n\
        @[match y with@\n| None -> ()@\n| Some y' -> () @]end@]@\n@\n"
        tname (print_subst_type true dm "b" "c") tn
        print_tindex tn tnamev tname tname ;
      fprintf fmt "@[let lemma some_free_var_in_olifts_%s \
        (s:%a)@ (x:'c%a)@ (y:option 'b%a) : unit@\n\
        @[ensures { is_%s_free_var_in_%s (Some x) (olifts_%s s y) <->@ \
        @[exists y':'b%a.@ y = Some y'@ /\\@ is_%s_free_var_in_%s x (s y')\
        @] }@]@]@\n@[=@\n\
        @[match y with@\n| None -> ()@\n| Some y' -> assert { y = Some y' } @]end@]@\n@\n"
        tname (print_subst_type true dm "b" "c") tn
        print_tindex tnv print_tindex tn tnamev tname tname
        print_tindex tn tnamev tname
    end
    else begin
      fprintf fmt "@[let lemma kind_%s_free_var_in_olifts_%s \
        (s:%a)@ (x:'c%a)@ (y:option 'b%a) : unit@\n\
        @[ensures { is_%s_free_var_in_%s x (olifts_%s s y) <->@ \
        @[exists y':'b%a.@ y = Some y'@ /\\@ is_%s_free_var_in_%s x (s y')\
        @] }@]@]@\n@[=@\n\
        @[match y with@\n| None -> ()@\n| Some y' -> assert { y = Some y' } @]end@]@\n@\n"
        tnamev tname (print_subst_type true dm "b" "c") tn
        print_tindex tnv print_tindex tn tnamev tname tname
        print_tindex tn tnamev tname
    end in
  make_for_bdefs dm (fun tn c v ->
    List.iter (fun tnv ->
      print_decl tnv tn c v) v)

let print_open_close fmt dm =
  let print_decl tnv tn c v =
    let tname = type_name tn dm in
    let tnamev = type_name tnv dm in
    let blevels = TMap.singleton tnv 1 in
    let pc = print_type_app ~blevels dm "b" in
    let po = print_type_app dm "b" in
    fprintf fmt "@[function openv_%s_with_%s (t:%a) (x:'b%a) : %a =@\n\
      @[rename_%s t"
      tname tnamev pc tn print_tindex tnv po tn tname ;
    List.iter (fun tn' ->
      if tnv = tn'
      then fprintf fmt "@ (ocase identity x)"
      else fprintf fmt "@ identity") v ;
    fprintf fmt "@]@]@\n@\n@[function close_%s_with_%s (x:'b%a) (t:%a) : %a =@\n\
      @[rename_%s t"
      tname tnamev print_tindex tnv po tn pc tn tname ;
    List.iter (fun tn' -> if tnv = tn'
      then fprintf fmt "@ (update some x None)"
      else fprintf fmt "@ identity") v;
    fprintf fmt "@]@]@\n@\n@[function close_nothing_%s_with_%s (t:%a) : %a =@\n\
      @[rename_%s t"
      tname tnamev po tn pc tn tname ;
    List.iter (fun tn' -> if tnv = tn'
      then fprintf fmt "@ some"
      else fprintf fmt "@ identity") v;
    fprintf fmt "@]@]@\n@\n@[function opent_%s_with_%s (t:%a) (u:%a) : %a =@\n\
      @[subst_%s t"
      tname tnamev pc tn po tnv po tn tname ;
    List.iter (fun tn' -> if tnv = tn'
      then fprintf fmt "@ (ocase subst_id_%s u)" tnamev
      else fprintf fmt "@ subst_id_%s" (type_name tn' dm)) v;
    fprintf fmt "@]@]@\n@\n@[let lemma open_closure_%s_with_%s\
       (t:%a) (x:'b%a) : unit@\nensures { \
       openv_%s_with_%s (close_%s_with_%s x t) x = t }@\n@]@[=@ \
       assert { extensionalEqual (rcompose (update some x None) \
         (ocase identity x)) identity }@]@\n@\n"
       tname tnamev po tn print_tindex tnv tname tnamev tname tnamev ;
    let local fmt = fprintf fmt "(rcompose (ocase identity x) (update some x None))" in
    fprintf fmt "@[let lemma close_fresh_open_%s_with_%s\
      (t:%a) (x:'b%a) : unit@\nrequires { \
      not(is_%s_free_var_in_%s (Some x) t) }@\n\
      ensures { close_%s_with_%s x (openv_%s_with_%s t x) = t }@]@\n@[=@ \
      assert { forall y:option 'b%a. is_%s_free_var_in_%s y t -> match y with \
        | None -> eval %t y = y | Some z -> eval %t y = y end };@\n\
      assert { %s_free_var_%s_equivalence t %t identity };@\n\
      @[assert { %t = %t }@]@\n"
      tname tnamev pc tn print_tindex tnv
      tnamev tname tname tnamev tname tnamev
      print_tindex tnv tnamev tname local local tnamev tname local
      (fun fmt -> fprintf fmt "rename_%s t" tname ;
        List.iter (fun tn -> if tn = tnv
          then fprintf fmt "@ %t" local
          else fprintf fmt "@ identity") v)
      (fun fmt -> fprintf fmt "rename_%s t" tname ;
        List.iter (fun _ -> fprintf fmt "@ identity") v) ;
    fprintf fmt "@]@\n@\n" ;
    let pr_f fmt = fprintf fmt "subst_of_rename_%s (ocase identity x)" tnamev in
    let pr_s fmt = fprintf fmt "ocase (subst_id_%s : %a) (Var_%s x)"
      tnamev (print_subst_type true dm "b" "b") tnv tnamev in
    fprintf fmt "@[let lemma openv_as_opent_%s_with_%s\
      (t:%a) (x:'b%a) : unit@\n\
      ensures { openv_%s_with_%s t x = opent_%s_with_%s t (Var_%s x) }@]@\n\
      @[=@ \
      @[assert { forall x:'b%a. %t (Some x) =@ %t (Some x) };@]@\n\
      @[assert { %t None =@ %t None };@]@\n\
      @[assert { extensionalEqual (%t)@ (%t) }@]@]@\n@\n"
      tname tnamev pc tn print_tindex tnv tname tnamev tname tnamev tnamev
      print_tindex tnv pr_f pr_s pr_f pr_s pr_f pr_s ;
    fprintf fmt "@[let lemma close_nothing_is_close_fresh_%s_with_%s\
      (t:%a) (x:'b%a) : unit@\nrequires { \
      not(is_%s_free_var_in_%s x t) }@\n\
      ensures { close_%s_with_%s x t = close_nothing_%s_with_%s t }@]@\n\
      @[=@ assert { %s_free_var_%s_equivalence t some (update some x None) }@]@\n@\n"
      tname tnamev po tn print_tindex tnv tnamev tname
      tname tnamev tname tnamev tnamev tname ;
    fprintf fmt "@[lemma opent_close_nothing_%s_with_%s : \
      forall t:%a,u:%a. opent_%s_with_%s (close_nothing_%s_with_%s t) u = t@]@\n@\n"
      tname tnamev po tn po tnv tname tnamev tname tnamev ;
    fprintf fmt "@[lemma openv_close_nothing_%s_with_%s : \
      forall t:%a,x:'b%a. openv_%s_with_%s (close_nothing_%s_with_%s t) x = t@]@\n@\n"
      tname tnamev po tn print_tindex tnv tname tnamev tname tnamev ;
    (* Now, free variables. *)
    List.iter (fun tnv2 ->
      let tnamev2 = type_name tnv2 dm in
      fprintf fmt "@[let lemma close_%s_with_%s_free_var_%s \
        (t:%a) (x:'b%a) (y:'b%a) : unit@\n\
        ensures { is_%s_free_var_in_%s "
        tname tnamev tnamev2 po tn print_tindex tnv print_tindex tnv2 tnamev2 tname ;
      (if tnv = tnv2
       then fprintf fmt "(Some y)"
       else fprintf fmt "y");
      fprintf fmt " (close_%s_with_%s x t) <->@ \
        (is_%s_free_var_in_%s y t" tname tnamev tnamev2 tname ;
      (if tnv = tnv2
       then fprintf fmt "@ /\\@ y <> x");
      fprintf fmt ") }@]@\n@[=@ @[assert { " ;
      (if tnv <> tnv2
       then fprintf fmt "identity y = y"
       else fprintf fmt "y <> x -> update some x None y = Some y");
      fprintf fmt "}@]@]@\n@\n" ;
      fprintf fmt "@[let lemma close_nothing_%s_with_%s_free_var_%s \
        (t:%a) (y:'b%a) : unit@\n\
        ensures { is_%s_free_var_in_%s "
        tname tnamev tnamev2 po tn print_tindex tnv2 tnamev2 tname ;
      (if tnv = tnv2
       then fprintf fmt "(Some y)"
       else fprintf fmt "y");
      fprintf fmt " (close_nothing_%s_with_%s t) <->@ \
        is_%s_free_var_in_%s y t }@]@\n@[=@ ()@]@\n@\n"
        tname tnamev tnamev2 tname ;
      fprintf fmt "@[let lemma opent_%s_with_%s_conserve_free_var_%s \
        (t:%a) (u:%a) (y:'b%a) : unit@\n\
        requires { is_%s_free_var_in_%s "
        tname tnamev tnamev2 pc tn po tnv print_tindex tnv2 tnamev2 tname ;
      (if tnv = tnv2
       then fprintf fmt "(Some y)"
       else fprintf fmt "y");
      fprintf fmt " t }@\nensures { is_%s_free_var_in_%s y (opent_%s_with_%s t u) }@]@\n@[=@ \
        assert { is_%s_free_var_in_%s y "
        tnamev2 tname tname tnamev tnamev2 tnamev2 ;
      (if tnv = tnv2
       then fprintf fmt "(ocase subst_id_%s u (Some y))" tnamev
       else fprintf fmt "(eval (subst_id_%s : %a) y)" tnamev2
         (print_subst_type true dm "b" "b") tnv2 );
      fprintf fmt " }@]@\n@\n" ;
      fprintf fmt "@[let lemma openv_%s_with_%s_conserve_free_var_%s \
        (t:%a) (x:'b%a) (y:'b%a) : unit@\n\
        requires { is_%s_free_var_in_%s "
        tname tnamev tnamev2 pc tn print_tindex tnv print_tindex tnv2 tnamev2 tname ;
      (if tnv = tnv2
       then fprintf fmt "(Some y)"
       else fprintf fmt "y");
      fprintf fmt " t }@\nensures { is_%s_free_var_in_%s y (openv_%s_with_%s t x) }\
        @]@\n@[=@ ()@]@\n@\n"
        tnamev2 tname tname tnamev ;
      fprintf fmt "@[let lemma opent_%s_with_%s_free_var_in_%s \
        (t:%a) (u:%a) (y:'b%a) : unit@\n\
        requires { is_%s_free_var_in_%s y (opent_%s_with_%s t u) }@\n\
        ensures { is_%s_free_var_in_%s "
        tname tnamev tnamev2 pc tn po tnv print_tindex tnv2
        tnamev2 tname tname tnamev
        tnamev2 tname ;
      let memv2_v = List.mem tnv2 (bvar_list (type_def tnv dm)) in
      (if tnv = tnv2
       then fprintf fmt "(Some y) t"
       else fprintf fmt "y t");
      (if memv2_v
       then fprintf fmt " \\/ is_%s_free_var_in_%s y u" tnamev2 tnamev );
       fprintf fmt " }@]@\n@[=@ " ;
      (* An assertion should be added...which one ? *)
      List.iter (fun tnv3 ->
        if List.mem tnv2 (bvar_list (type_def tnv3 dm))
        then if tnv3 = tnv
          then if tnv = tnv2
            then fprintf fmt "@[assert { forall z:option 'b%a. \
              (is_%s_free_var_in_%s z t@ /\\@ \
               is_%s_free_var_in_%s y (ocase subst_id_%s u z)) ->@ \
              match z with \
                | Some z -> y = z && is_%s_free_var_in_%s (Some y) t@ \
                | None -> is_%s_free_var_in_%s y u end};@]@,"
              print_tindex tnv tnamev tname tnamev2 tnamev tnamev
              tnamev2 tname tnamev2 tnamev
            else fprintf fmt "@[assert { forall z:option 'b%a. \
              (is_%s_free_var_in_%s z t /\\@ \
               is_%s_free_var_in_%s y (ocase subst_id_%s u z)) ->@ \
               match z with | None -> is_%s_free_var_in_%s y u \
                 | Some _ -> false end };@]@,"
              print_tindex tnv tnamev tname tnamev2 tnamev tnamev
              tnamev2 tnamev
          else begin let tnamev3 = type_name tnv3 dm in
            fprintf fmt "@[assert { forall z:'b%a. \
              (is_%s_free_var_in_%s z t@ /\\@ is_%s_free_var_in_%s y \
              (eval (subst_id_%s : %a) z))\
              ->@ "
              print_tindex tnv3 tnamev3 tname tnamev2 tnamev3 tnamev3
              (print_subst_type true dm "b" "b") tnv3 ;
            if tnv2 = tnv3
            then fprintf fmt "is_%s_free_var_in_%s y t };@]@," tnamev2 tname
            else fprintf fmt "false };@]@,"
          end
      ) v ;
      fprintf fmt "()@]@]@\n@\n"
    ) v ;
  in
  make_for_bdefs dm (fun tn c v ->
      List.iter (fun tnv ->
        print_decl tnv tn c v) v)

(* proofs/defs scheme :
   1) define considered types
   2) define size operators, one into nat and one into integers,
      for variants. Full-mutually-recursive definition.
   3) using nat_to_int of nat_size as variant,
      prove that we can use the other one
      (much more practical for smt solvers !) as a variant since
      it is never negative. Full-mutually-inductive proof.
   4) define renamings of free variables by full mutual recursion.
   5) prove renaming composition lemma for all types by full mutual induction.
   6) prove identity renaming lemma.
   7) define right renaming (point-wise renaming) of substitution
      (left is normal composition).
   8) prove the renaming compositionality ("associativity") of both
      operations,+ commutation between them.
      At the same time, prove that composing with identity(ies) preserve
      the substitution. It is not strictly necessary, but simplify prover task
      as I usually generate a lot of this kind of renaming in substitution definitions.
   9) define substitution lifting.
   10) prove the commutation lemmaes between
       substitution left/right renaming and substitution lifting. Require
       the renaming composition lemma.
   11) Define all substitutions operators by full mutual recursion.
   12) prove both substitution/renaming composition lemmae, using compositionality
       of renaming/substitution composition operations and lifting commutation lemmaes.
   13) Define substitution compositions by point-wise substitutions.
   14) prove associativity lemmae when there is two substitutions. Require both renaming/substitution
       commutation lemmaes.
   15) prove the commutation lemma between substitution lifting and substitution compositions.
       require the renaming/substitution commutation lemmaes.
   16) prove substitution composition lemma. Require commutation lemmaes about
       substitution composition lifting and composition between a substitution and a renamed one.
   17) Prove associativity of substitution composition.
   18) define identity substitutions/cast of renaming to substitution.
   19) prove that identity substitution is preserved under lifting.
   20) prove the commutation lemma between identity substitutions and renamings.
   21) thanks to the two previous one, prove that the identity substitution preserve
       terms.
   22) prove that identity substitution is actually the neutral element for substitution
       composition.
   23) Prove that behaviour of renamings is preserved when casting to substitution.
   24) Define free variables of kind "something" in term type "something".
   25) Prove the caracterisation of free variables in a renamed term.
   26) Caracterise free variables of application of lifted substitution
       (some kind of inversion lemma)
   2X) Prove the caracterisation of free variables in a substituted term.

   (* TODO list *)
   ) !!! find which variables are preserved under renaming/subst,etc.
   ) !!! show the free_var_equivalence lemmaes (including reflexivity this time !)
   ) !!! opening binders with var/terms, free variables of opened term.
   ) !!! closing terms, free variables of closed binder.
   ) !!! open/close commutation properties.
   ) !!! renaming (and thus importantly
         opening a binder with a variable/closing a term) preserve size.
   *)

let until_print fmt dcl =
  let dm = convert_decl dcl in
  let dm = compute_binding_vars dm in
  fprintf fmt "%a@\n%a@\n%a@\n%a@\n%a@\n%a@\n%a@\n%a@\n%a@\n%a@\n%a@\n%a@\n\
    %a@\n%a@\n%a@\n%a@\n%a@\n%a@\n%a@\n%a@\n%a@\n%a@\n%a@\n%a@\n%a@\n%a@\n\
    %a@\n%a@\n%a@\n%a@\n%a@\n%a@\n%a@\n%a@\n%a@\n%a@\n%a@\n%a@\n%a@\n%a@\n\
    %a@\n%a@\n"
    print_type_defs dm
    print_size_defs dm
    print_size_lemmae dm
    (print_subst_def dm) false
    (print_composition_lemma dm) (false,false)
    (print_identity_lemma dm) false
    (print_substitution_composition_def dm) false
    (print_associativity_lemma dm) (false,true,false)
    (print_associativity_lemma dm) (true,false,false)
    (print_right_identity_lemma dm) false
    print_subst_lifting dm
    (print_lifting_composition_lemma dm) (false,true)
    (print_lifting_composition_lemma dm) (true,false)
    (print_subst_def dm) true
    (print_composition_lemma dm) (true,false)
    (print_composition_lemma dm) (false,true)
    (print_substitution_composition_def dm) true
    (print_associativity_lemma dm) (false,true,true)
    (print_associativity_lemma dm) (true,false,true)
    (print_associativity_lemma dm) (true,true,false)
    (print_lifting_composition_lemma dm) (true,true)
    (print_composition_lemma dm) (true,true)
    (print_associativity_lemma dm) (true,true,true)
    print_subst_ids dm
    (print_left_identity_lemma dm) false
    (print_identity_lemma dm) true
    (print_left_identity_lemma dm) true
    (print_right_identity_lemma dm) true
    print_renaming_as_subst_lemmae dm
    (print_left_compose_renaming_as_subst_lemma dm) false
    (print_left_compose_renaming_as_subst_lemma dm) true
    (print_right_compose_renaming_as_subst_lemma dm) false
    (print_right_compose_renaming_as_subst_lemma dm) true
    print_free_var_def dm
    print_free_var_equivalence_def dm
    (print_free_var_equivalence_lemma dm) false
    (*(print_free_var_substitution_lemma_predicate dm) false*)
    (print_free_var_substitution_lemma dm) false
    (print_free_var_equivalence_lemma dm) true
    print_free_var_injective_renaming_lemma dm
    print_free_var_lifting_lemma dm
    (print_free_var_substitution_lemma dm) true
    print_open_close dm

let lambda_def =
  TypeDefinition ( "lambda" ,
    [ Var ;
      BCons ("App" , [] , [ DeclaredType "lambda" ; DeclaredType "lambda" ] ) ;
      BCons ( "Lam" , [ "lambda" , None ] , [ DeclaredType "lambda" ] ) ;
      BCons ( "Fix" , [ "lambda" , None ; "lambda" , None ] , [ DeclaredType "lambda" ] ) ] ,
    [] )

let first_order_def =
  [ TypeDefinition ( "fo_term" ,
      [ Var ;
        BCons ("FOApp" , [] , [ TypeVar "function_symbol" ; DeclaredType "fo_term_list" ] ) ] ,
      [] ) ;
    TypeDefinition ( "fo_term_list" ,
      [ BCons ("FONil" , [] , [] ) ;
        BCons ("FOCons" , [] , [ DeclaredType "fo_term" ; DeclaredType "fo_term_list" ] ) ] ,
      [] ) ;
    TypeDefinition ( "fo_formula" ,
      [ BCons ( "FOForall" , [ "fo_term" , None ] , [ DeclaredType "fo_formula" ] ) ;
        BCons ( "FOExists" , [ "fo_term" , None ] , [ DeclaredType "fo_formula" ] ) ;
        BCons ( "FOAnd" , [] , [ DeclaredType "fo_formula" ; DeclaredType "fo_formula" ] ) ;
        BCons ( "FOOr" , [] , [ DeclaredType "fo_formula" ; DeclaredType "fo_formula" ] ) ;
        BCons ( "FONot" , [] , [ DeclaredType "fo_formula" ] ) ;
        BCons ( "FOPred" , [] , [ TypeVar "predicate_symbol" ; DeclaredType "fo_term_list" ] ) ] ,
      [] ) ]

let coc_def =
  [ TypeDefinition ( "coc_term" ,
    [ Var ;
      BCons ( "App" , [] , [ DeclaredType "coc_term" ; DeclaredType "coc_term" ] ) ;
      BCons ( "Lam" , [ "coc_term" , Some (DeclaredType "coc_term") ] , [ DeclaredType "coc_term" ] ) ;
      BCons ( "Forall" , [ "coc_term" , Some (DeclaredType "coc_term") ] , [ DeclaredType "coc_term" ] ) ;
      BCons ( "Type" , [] , [ DeclaredType "integer" ] ) ] , [] ) ;
    TypeDefinition ( "integer" ,
    [ BCons ( "O" , [] , [] ) ;
      BCons ( "S" , [] , [ DeclaredType "integer" ] ) ] , [] ) ]

let fsub_def =
  [ TypeDefinition ( "fsub_type" ,
    [ Var ;
      BCons ( "Arrow" , [] , [ DeclaredType "fsub_type" ; DeclaredType "fsub_type" ] ) ;
      BCons ( "Top" , [] , [] ) ;
      BCons ( "Forall" , [ "fsub_type" , Some(DeclaredType "fsub_type") ] , [ DeclaredType "fsub_type" ] ) ] ,
    [] ) ;
    TypeDefinition ( "fsub_term" ,
    [ Var ;
      BCons ( "App" , [] , [ DeclaredType "fsub_term" ; DeclaredType "fsub_term" ] ) ;
      BCons ( "Lam" , [ "fsub_term" , Some(DeclaredType "fsub_type") ] , [ DeclaredType "fsub_term" ] ) ;
      BCons ( "TLam" , [ "fsub_type" , Some(DeclaredType "fsub_type") ] , [ DeclaredType "fsub_term" ] ) ;
      BCons ( "TApp" , [] , [ DeclaredType "fsub_term" ; DeclaredType "fsub_type" ] ) ] ,
    [] ) ]

let _ =
  let fmt = std_formatter in
  fprintf fmt "@[module A@\nuse import option.Option@\n\
    use import int.Int@\nuse import Nat.Nat@\n\
    use import Functions.Func@\nuse import OptionFuncs.Funcs@\n" ;
  let l = ( [ "function_symbol" ; "predicate_symbol" ] , first_order_def ) in
  (*let l = ( [] , coc_def ) in*)
  (*let l = ( [] , [ lambda_def ] ) in*)
  (*let l = ( [] , fsub_def ) in*)
  let l1 , l2 = l in
  let l = { var_parameters = l1 ; binder_types = l2 } in
  until_print fmt l ;
  fprintf fmt "lemma incoherence : false@\n@]@\nend@\n@\n"
why3-1.6.0/examples/prover/macro_generator/Macrogen_decls.ml000066400000000000000000000026451440160026300241540ustar00rootroot00000000000000
type 'n types =
  | TypeVar of 'n
  | DeclaredType of 'n

type 'n constructor =
  | Var
  | BCons of 'n * ( 'n * 'n types list) list * 'n types list

type 'n typedef =
  | TypeAssumption of 'n * 'n list
  | TypeDefinition of 'n * 'n constructor list * 'n list

type 'n decls = { var_parameters : 'n list ;
  binder_types : 'n typedef list }

open Priv

module IntO = struct
  type t = int
  let compare (x:int) (y:int) = compare x y
end

module CName = Priv.Make(IntO)
module TName = CName
module VName = CName
module IMap = Map.Make(IntO)
module TMap = Map.Make(struct type t = TName.t
  let compare x y =
    compare (x:TName.t:>int) (y:TName.t:>int) end)

type internal_types =
  | ITVar of VName.t
  | ITDecl of TName.t

type constr =
  CName.t * (TName.t * internal_types list) list * internal_types list

type constructors = {
  var_present : bool ;
  cons_list : constr list
}

type internal_typedef =
  | ITypeDef of constructors * TName.t list
  | ITypeAssumption of TName.t list

type internal_decl =
  { var_params : VName.t list ;
    type_decls : internal_typedef TMap.t ;
    names : string IMap.t ;
    sccg : TName.t list list }

let type_name dm (tn:TName.t) = IMap.find (tn:>int) dm.names
let var_name = type_name
let cons_name = type_name
let type_def dm tn = TMap.find tn dm.type_decls
let def_binder_vars = function
  | ITypeDef (_,v) | ITypeAssumption v -> v
let binder_vars dm tn = def_binder_vars (type_def dm tn)
  



why3-1.6.0/examples/prover/macro_generator/Macrogen_decls.mli000066400000000000000000000046671440160026300243330ustar00rootroot00000000000000
(* Input declarations *)

type 'n types =
  | TypeVar of 'n
  | DeclaredType of 'n

type 'n constructor =
  | Var
  | BCons of 'n * ( 'n * 'n types list) list * 'n types list
    (* BCons (C , [ t,u ; t2,u2 ] [ v1 ; v2 ; v3 ] :
       C : [ x_t : u1 . [ x_t2 : u2 . v1 v2 v3 ] ].
       x_{t} is bound at the right as a variable for declared type t. *)

type 'n typedef =
  (* TypeAssumption (t,[v_1...v_n] : assume
     type t using variables in types v_1...v_n. *)
  | TypeAssumption of 'n * 'n list
  (* Add definition. The list may be incomplete/contains variables
     not really used. In the second case, the variables will be added. *)
  | TypeDefinition of 'n * 'n constructor list * 'n list

type 'n decls = { var_parameters : 'n list ;
  binder_types : 'n typedef list }

module CName : Priv.S with type base = int
module TName : Priv.S with type base = int
module VName : Priv.S with type base = int
module IMap : Map.S with type key = int
module TMap : Map.S with type key = TName.t

(* Processed declarations. *)

type internal_types =
  | ITVar of VName.t
  | ITDecl of TName.t

type constr =
  CName.t * (TName.t * internal_types list) list * internal_types list

type constructors = {
  var_present : bool ;
  cons_list : constr list
}

(* Here, the variables sets should be complete,
   i.e the set of variable declared by a type is
   exactly the union of variable sets declared by types used
   in constructor,+ itself if it contain var,+ the bound variables. *)

type internal_typedef =
  | ITypeDef of constructors * TName.t list
  | ITypeAssumption of TName.t list

type internal_decl =
  { (* Polymorphic common parameters *)
    var_params : VName.t list ;
    (* type declarations map. *)
    type_decls : internal_typedef TMap.t ;
    (* real names. *)
    names : string IMap.t ;
    (* topologically increasing list of scc. A type is considered dependent on
       another iff its definition depend on the other OR one of the binding
       parameter correspond to the other type. Interestingly, every type in
       a scc have same type parameters (for coq translation).  *)
    sccg : TName.t list list }

(* Interrogators *)

val type_name : internal_decl -> TName.t -> string
val var_name : internal_decl -> VName.t -> string
val cons_name : internal_decl -> CName.t -> string
val type_def : internal_decl -> TName.t -> internal_typedef
val def_binder_vars : internal_typedef -> TName.t list
val binder_vars : internal_decl -> TName.t -> TName.t list



why3-1.6.0/examples/prover/macro_generator/Macrogen_nameless.ml000066400000000000000000002462001440160026300246660ustar00rootroot00000000000000
let (<<) f x = f x

open Macrogen_printing
open Macrogen_decls
open Macrogen_nlparams
open Format

module Printer = functor (P:PrintParameters) ->
  functor (NLP:NLParameters) -> struct

  open P.P
  open P.H
  open NLP

  let nltype_app_printer b tn fmt =
    fprintf fmt "%t%t%t%t@]" indent << nltype_name tn
      << params_printer << list_printer (fun tn fmt ->
          fprintf fmt "@ '%t%t" << b << tindex_printer tn
        ) (binder_vars dm tn)

  let nlrtype_app_printer tn fmt =
    fprintf fmt "%t%t%t%t@]" indent << nltype_name tn
      << params_printer << list_printer (fun tn fmt ->
        fprintf fmt "@ %t" << nlfree_var_type_name tn
      ) (binder_vars dm tn)

  (*let nlcons_case_printer ?(vbase=string_printer "v") case (cn,bl,tl) fmt =
    fprintf fmt "%t| %t%t" indent indent << nlcons_name cn ;
    let process_type blevels (vars,cnt) ty =
      let vprinter fmt = fprintf fmt "%t%d" vbase cnt in
      fprintf fmt "@ %t" vprinter ;
      ((vprinter,blevels,ty)::vars,cnt+1) in
    let process_types blevels = List.fold_left (process_type blevels) in
    let (vars,blevels,cnt) =
      List.fold_left (fun (vars,blevels,cnt) (bo,tys) ->
        let nblevels = inc_level bo blevels in
        let vars,cnt = process_types blevels (vars,cnt) tys in
        (vars,nblevels,cnt) ) ( [] , TMap.empty , 0 ) bl in
    let (vars,_) = process_types blevels (vars,cnt) tl in
    fprintf fmt "@] ->@ %t%t@]@]" << indent << case (List.rev vars)*)

  let nlcons_case_printer ?(vbase=string_printer "v") case (cn,bl,tl) fmt =
    fprintf fmt "%t| %t%t" indent indent << nlcons_name cn ;
    let process_type (vars,cnt) ty =
      let vprinter fmt = fprintf fmt "%t%d" vbase cnt in
      fprintf fmt "@ %t" vprinter ;
      ((vprinter,ty)::vars,cnt+1) in
    let process_types = List.fold_left process_type in
    let (vars,blevels,cnt) =
      List.fold_left (fun (vars,blevels,cnt) (bo,tys) ->
        let nblevels = inc_level bo blevels in
        let vars0,cnt = process_types ([],cnt) tys in
        ((blevels,bo,List.rev vars0)::vars,nblevels,cnt) ) ( [] , TMap.empty , 0 ) bl in
    let (vars0,_) = process_types ([],cnt) tl in
    let v0 = (List.rev vars,(blevels,List.rev vars0)) in
    fprintf fmt "@] ->@ %t%t@]@]" << indent << case v0

  let flatten (v1,(blv,v2)) =
    let add blv l = List.map (fun (x,ty) -> (x,blv,ty)) l in
    let v = List.fold_left (fun acc (blv,_,vars) ->
      List.rev_append (add blv vars) acc) [] v1 in
    List.rev (List.rev_append (add blv v2) v)

  let nlvar_case_printer ?(vbase=string_printer "v") fcase bcase tn fmt =
    let vname fmt = fprintf fmt "%t0" vbase in
    fprintf fmt "%t| %t%t@ %t0@] ->@ %t%t@]@]@ \
      %t| %t%t@ %t0@] ->@ %t%t@]@]" indent indent
      << free_variable_name tn << vbase << indent << fcase vname
      << indent << indent << bound_variable_name tn << vbase
      << indent << bcase vname

  let nlmatch_printer ?(vbase=string_printer "v") tn
    fvcase bvcase ccase mt fmt =
    match type_def dm tn with
      | ITypeAssumption _ -> assert false
      | ITypeDef ( c , _ ) ->
        fprintf fmt "%tmatch %t with" indent mt ;
        (if c.var_present
         then fprintf fmt "@ %t"
           << nlvar_case_printer ~vbase fvcase bvcase tn);
        fprintf fmt "%t@]@ end"
          << list_printer (fun cs fmt ->
            fprintf fmt "@ %t%t@]" indent
              << nlcons_case_printer ~vbase ( ccase cs ) cs) c.cons_list

  let env_type_printer ?(blevels=TMap.empty) inp b tn fmt =
    fprintf fmt "%t %t -> (%t)@]"
      indent inp << type_app_printer ~blevels b tn

  let nlbenv_type_printer ?(blevels=TMap.empty) b tn fmt =
    env_type_printer ~blevels (string_printer "int") b tn fmt

  let benv_lift_printer sp blevels tn fmt =
    let lift = shift_name tn in
    let middle = rpapply_printer lift sp << level tn blevels in
    fprintf fmt "%t(%t@ %t%t)@]" indent << rename_subst_name tn
      << middle << list_printer (fun tn' fmt ->
         if tn = tn'
         then fprintf fmt "@ identity"
         else fprintf fmt "@ %t"
           (csomes_printer << level tn' blevels))
         (binder_vars dm tn)

  let frenv_lift_printer sp blevels tn fmt =
    fprintf fmt "%t(%t@ %t%t)@]" indent << rename_subst_name tn
      << sp
      << list_printer (fun tn fmt ->
        fprintf fmt "@ %t" (csomes_printer << level tn blevels))
        (binder_vars dm tn)

  let full_reconstruct_cons_case case (cn,_,_) vars fmt =
    let vars = flatten vars in
    fprintf fmt "%t%s%t@]" indent << cons_name dm cn
      << list_printer (fun (vname,blevels,ty) fmt ->
          match ty with
            | ITVar _ -> fprintf fmt "@ %t" vname
            | ITDecl tn -> fprintf fmt "@ %t(%t)@]" indent
                << case vname blevels tn ) vars

  let nlrecons_case case (cn,_,_) vars fmt =
    let vars = flatten vars in
    fprintf fmt "%t%t%t@]" indent << nlcons_name cn
      << list_printer (fun (vname,blevels,ty) fmt ->
          match ty with
            | ITVar _ -> fprintf fmt "@ %t" vname
            | ITDecl tn -> match binder_vars dm tn with
              | [] -> fprintf fmt "@ %t" vname
              | _ -> fprintf fmt "@ %t(%t)@]" indent
                << case vname blevels tn ) vars

  let type_defs_printer fmt =
    List.iter (fun scc ->
      let tp = rec_type_printer () in
      List.iter (fun tn ->
        match type_def dm tn with
          | ITypeAssumption _ -> ()
          | ITypeDef (c,v) -> let b = string_printer "b" in
            fprintf fmt "%t%t %t%t@] =@ " indent tp indent
              << nltype_app_printer b tn ;
            (if c.var_present
             then fprintf fmt "| %t %t@\n| %t int@\n" << free_variable_name tn
               << binding_type_printer b tn
               << bound_variable_name tn);
            let internal ty fmt = match ty with
              | ITVar x -> fprintf fmt "@ 'a%s" << var_name dm x
              | ITDecl tn -> fprintf fmt "@ (%t)" << nltype_app_printer b tn in
            fprintf fmt "%t@]@\n@\n" << list_printer (fun (cn,bl,tl) fmt ->
                fprintf fmt "%t| %t%t%t@]@\n" indent << nlcons_name cn
                 << list_printer (fun (_,tys) -> list_printer internal tys) bl
                 << list_printer internal tl) c.cons_list
      ) scc
    ) dm.sccg

  let size_defs_printer fmt =
    let pr = rec_fun_printer () in
    let print_decl is_nat tn _ _ =
      let fn = if is_nat then nat_nlsize_name else nlsize_name in
      let tyn = if is_nat then "nat" else "int" in
      let unity = if is_nat then "one_nat" else "1" in
      let op = if is_nat
        then fun p fmt ->
          fprintf fmt "%tlet s = add_nat@ (%t)@ s in@]@ " indent p
        else fun p fmt -> fprintf fmt "let s = %t@ +@ s in@ " p in
      let vcase _ fmt = fprintf fmt "%s" unity in
      let cons_case _ v fmt =
        let v = flatten v in
        let rec aux v fmt = match v with
          | [] -> fprintf fmt "let s = %s in@ " unity
          | ( vn , _ , ty ) :: q -> match ty with
            | ITVar _ -> aux q fmt
            | ITDecl tn -> fprintf fmt "%t%t" << aux q
              << op (fun fmt -> fprintf fmt "%t%t@ %t@]" indent << fn tn << vn)
        in fprintf fmt "%ts" << aux v in
      fprintf fmt "%t%t %t@ (t:%t) :@ %s@ =@ %t@]@\n@\n" indent pr << fn tn
        << nltype_app_printer (string_printer "b") tn
        << tyn
        << nlmatch_printer tn vcase vcase cons_case (string_printer "t") in
    make_for_defs << print_decl true ;
    make_for_defs << print_decl false

  let size_lemma_printer fmt =
    let pr = rec_val_printer () in
    let print_decl tn _ _ =
      let vcase _ fmt = fprintf fmt "()" in
      let cons_case cs v =
        let v = flatten v in
        lemma_cons_case (fun vp blevels tn fmt ->
          fprintf fmt "%t%t@ %t@]" indent << nlsize_lemma_name tn << vp
        ) cs v in
      fprintf fmt "%t%t lemma %t@ (t:%t) :@ unit@ \
        %tensures {@ %t@ t@ >@ 0@ }@]@ \
        %tvariant {@ nat_to_int %t(%t@ t)@]@ }@]@ =@ %t@]@\n@\n" indent pr
        << nlsize_lemma_name tn
        << nltype_app_printer (string_printer "b") tn
        << indent << nlsize_name tn
        << indent << indent << nat_nlsize_name tn
        << nlmatch_printer tn vcase vcase cons_case (string_printer "t") in
    make_for_defs print_decl

  (* Shifting *)

  let shift_defs_printer fmt =
    let b = string_printer "b" in
    let print_decl tn _ v =
      let blevels = inc_level tn TMap.empty in
      let pl fmt =
        fprintf fmt "function@ %t@ (bnd:%t) :@ %t"
          << shift_name tn << nlbenv_type_printer b tn
          << nlbenv_type_printer ~blevels b tn in
      let pr fmt =
        fprintf fmt "%tif i = 0@ \
          %tthen@ %t%t@ None@]@]@ \
          %telse@ %t%t@ (bnd (i-1))%t@]@]@]"
          indent indent indent << variable_name tn
          << indent << indent << rename_name tn
          << list_printer (fun tn' fmt ->
              if tn = tn'
              then fprintf fmt "@ some"
              else fprintf fmt "@ identity"
            ) v in
      fprintf fmt "(*%t@ Abstraction@ definition@ axiom :@ \
        %t%t@ =@ (%t\\ i:int.@ %t@])@]@]*)@\n\
        %t%t@]@\n%taxiom@ %t_definition :@ \
        %tforall@ bnd:%t,@ i:int.@ %t%teval@ (%t bnd)@ i@]@ =@ %t@]@]@]@\n@\n"
        indent indent pl indent pr
        indent pl indent << shift_name tn << indent
        << nlbenv_type_printer b tn << indent
        << indent << shift_name tn << pr
    in
    make_for_vdefs print_decl

  (* shift composition. *)

  let shift_lemma_printer fmt =
    let b,c = string_printer "b",string_printer "c" in
    let print_decl tn _ v =
      let blevels = inc_level tn TMap.empty in
      let lifting tn' fmt =
        if tn = tn'
        then fprintf fmt "(%t%t@ s%t@])" indent
              << slift_name tn << tindex_printer tn
        else lift_printer true (fun fmt ->
          fprintf fmt "s%t" << tindex_printer tn') blevels tn' fmt in
      let p1 fmt =
        fprintf fmt "%t%t@ (%t%t@ bnd@])%t@]"
          indent << subst_compose_name tn << indent
          << shift_name tn << list_printer (fun tn fmt ->
            fprintf fmt "@ %t" << lifting tn) v in
      let p2 fmt =
        fprintf fmt "%t%t (%t%t@ bnd%t@])@]"
          indent << shift_name tn << indent
            << subst_compose_name tn << list_printer (fun tn fmt ->
            fprintf fmt "@ s%t" << tindex_printer tn) v in
      fprintf fmt "%tlet@ lemma@ %t@ (bnd:%t)%t :@ unit@ \
        %tensures {@ %t@ =@ %t@ }@]@ =@ \
        %tassert {@ %tforall i:int.@ (i = 0 \\/ i <> 0) ->@ \
          %t%t@ (%t%t@ bnd@ i@])%t@]@ =@ %teval (%t) i@]@]@ }@] ;@ \
        %tassert {@ %textensionalEqual@ (%t)@ (%t)@]@ }@]@]@\n@\n"
        indent << shift_lemma_name tn << nlbenv_type_printer b tn
        << list_printer (fun tn fmt ->
          fprintf fmt "@ (s%t:%t)" << tindex_printer tn
            << subst_type_printer true b c tn) v
        << indent << p1 << p2 << indent << indent << indent
        << subst_name tn << indent << shift_name tn
        << list_printer (fun tn fmt ->
          fprintf fmt "@ %t" << lifting tn) v
        << indent << p2 << indent << indent << p1 << p2
    in
    make_for_vdefs print_decl

  (* model. *)

  let model_defs_printer fmt =
    let b,c = string_printer "b",string_printer "c" in
    let pr = rec_fun_printer () in
    let print_decl tn _ v =
      let fvcase vname fmt =
        fprintf fmt "fr%t %t" << tindex_printer tn << vname in
      let bvcase vname fmt =
        fprintf fmt "bnd%t %t" << tindex_printer tn << vname in
      let ccase = full_reconstruct_cons_case (fun vname blv tn fmt ->
          fprintf fmt "%t@ %t%t"
            << model_name tn << vname << list_printer (fun tn fmt ->
              fprintf fmt "@ (%t)@ (%t)" << frenv_lift_printer (fun fmt ->
                fprintf fmt "fr%t" << tindex_printer tn) blv tn
                << benv_lift_printer (fun fmt ->
                  fprintf fmt "bnd%t" << tindex_printer tn) blv tn
            ) (binder_vars dm tn)) in
      fprintf fmt "%t%t@ %t@ (t:%t)%t :@ %t@ =@ %t@]@\n@\n"
        indent pr << model_name tn << nltype_app_printer b tn
        << list_printer (fun tn fmt ->
          fprintf fmt "@ (fr%t:%t)@ (bnd%t:%t)" << tindex_printer tn
            << subst_type_printer true b c tn
            << tindex_printer tn
            << nlbenv_type_printer c tn) v
        << type_app_printer c tn
        << nlmatch_printer tn fvcase bvcase ccase (string_printer "t")
    in
    make_for_defs print_decl

  let model_commutation_prelude sub pr tn v fmt =
    let b,c,d = string_printer "b",string_printer "c",string_printer "d" in
    let variant = if sub
      then fun fmt ->
        fprintf fmt "%tvariant {@ %t t@ }@]@ " indent << nlsize_name tn
      else ignore in
    fprintf fmt "%t%t@ lemma@ %t@ (t:%t)%t :@ unit@ \
      %tensures {@ %t%t@ t%t@]@ =@ %t%t@ (%t%t@ t%t@])%t@]@ }@]@ \
      %t=@ "
      indent pr << (if sub
        then model_subst_commutation_lemma_name tn
        else model_rename_commutation_lemma_name tn)
      << nltype_app_printer b tn
      << list_printer (fun tn fmt ->
        fprintf fmt "@ (fr%t:%t)@ (bnd%t:%t)@ (s%t:%t)" << tindex_printer tn
          << subst_type_printer true b c tn << tindex_printer tn
          << nlbenv_type_printer c tn << tindex_printer tn
          << subst_type_printer sub c d tn) v
      << indent << indent << model_name tn << list_printer (fun tn fmt ->
        let side2 tn fmt = fprintf fmt "s%t" << tindex_printer tn in
        fprintf fmt "@ (%t)@ (%t)"
          << print_composition true sub tn (fun fmt ->
            fprintf fmt "fr%t" << tindex_printer tn) side2
          << print_composition true sub tn (fun fmt ->
            fprintf fmt "bnd%t" << tindex_printer tn) side2) v
      << indent << (if sub then subst_name tn else rename_name tn)
      << indent << model_name tn
      << list_printer (fun tn fmt ->
        fprintf fmt "@ fr%t@ bnd%t" << tindex_printer tn
          << tindex_printer tn) v
      << list_printer (fun tn fmt ->
        fprintf fmt "@ s%t" << tindex_printer tn) v
      << variant

  let model_subst_commutation_lemma_printer fmt =
    let pr = rec_val_printer () in
    let print_decl tn _ v =
      let vcase _ fmt = fprintf fmt "()" in
      let ccase cs v =
        let v = flatten v in
        blemma_cons_case (fun vname blv tn fmt ->
        let p1 tn fmt = fprintf fmt "fr%t" << tindex_printer tn in
        let p2 tn fmt = fprintf fmt "bnd%t" << tindex_printer tn in
        let p3 tn fmt = fprintf fmt "s%t" << tindex_printer tn in
        let pa tn = list_printer (fun tn fmt ->
          fprintf fmt "@ %t" << p3 tn) (binder_vars dm tn) in
        let p10 tn = frenv_lift_printer (p1 tn) blv tn in
        let p20 tn = benv_lift_printer (p2 tn) blv tn in
        let p30 tn = lift_printer true (p3 tn) blv tn in
        let pa0 tn = list_printer (fun tn fmt ->
          fprintf fmt "@ (%t)" << p30 tn) (binder_vars dm tn) in
        let v0 = binder_vars dm tn in
        fprintf fmt "%t@ %t%t%t"
          << model_subst_commutation_lemma_name tn
          << vname << list_printer (fun tn fmt ->
            fprintf fmt "@ (%t)@ (%t)@ (%t)" << p10 tn << p20 tn << p30 tn) v0
          << list_printer (fun tn fmt -> let sn = subst_compose_name tn in
            fprintf fmt " ;@ %tassert {@ %t%t@ %t%t@]@ =@ %t@ }@] ;@ \
              %tassert {@ %t%t@ %t@ %t@]@ =@ %t@ }@]"
              indent indent << sn << p10 tn << pa0 tn
              << frenv_lift_printer (fun fmt ->
                fprintf fmt "(%t%t@ %t%t@])" indent sn
                  << p1 tn << pa tn) blv tn
              << indent << indent << sn << p20 tn << pa0 tn
              << benv_lift_printer (fun fmt ->
                fprintf fmt "(%t%t@ %t@ %t@])" indent sn
                  << p2 tn << pa tn) blv tn) v0
          ) cs v in
      fprintf fmt "%t%t@]@\n@\n"
        << model_commutation_prelude true pr tn v
        << nlmatch_printer tn vcase vcase ccase (string_printer "t")
    in
    make_for_bdefs print_decl

  (* Derive immediately from subst commutation. *)

  let model_rename_commutation_lemma_printer fmt =
    let pr fmt = fprintf fmt "let" in
    let print_decl tn _ v =
      fprintf fmt "%t%t%t@ t%t@]@]@\n@\n"
        << model_commutation_prelude false pr tn v
        << indent
        << model_subst_commutation_lemma_name tn
        << list_printer (fun tn fmt ->
          let ti = tindex_printer tn in
          fprintf fmt "@ fr%t@ bnd%t@ (%t%t@ s%t@])"
            ti ti indent << subst_of_rename_name tn << ti) v in
    make_for_bdefs print_decl

  let correct_indexes_printer fmt =
    let pr = make_first_case_printer << string_printer "predicate"
      << string_printer "with" in
    let print_decl tn _ _ =
      let fvcase _ fmt = fprintf fmt "true" in
      let bvcase vname fmt = fprintf fmt "%t >= 0" vname in
      let ccase _ v =
        let v = flatten v in
        let printed = ref false in
        let rec aux v fmt = match v with
          | [] -> if not(!printed)
            then fprintf fmt "true"
          | (vn,_,ty) :: q -> match ty with
            | ITVar _ -> aux q fmt
            | ITDecl tn -> match binder_vars dm tn with
              | [] -> aux q fmt
              | _ -> (if !printed
                then fprintf fmt "@ /\\@ "
                else printed := true);
                fprintf fmt "%t%t@ %t@]%t" indent
                  << correct_indexes_name tn
                  << vn
                  << aux q in
        aux v in
      fprintf fmt "%t%t@ %t@ (t:%t)@ =@ %t@]@\n@\n" indent pr
        << correct_indexes_name tn
        << nltype_app_printer (string_printer "b") tn
        << nlmatch_printer tn fvcase bvcase ccase (string_printer "t") in
    make_for_bdefs print_decl

  let bound_depth_printer fmt =
    let pr = rec_fun_printer () in
    let print_decl tnv tn _ _ =
      let fvcase _ fmt = fprintf fmt "0" in
      let bvcase = if tn = tnv
        then fun vname fmt -> fprintf fmt "1@ +@ %t" vname
        else fun _ fmt -> fprintf fmt "0" in
      let ccase _ v =
        let v = flatten v in
        let printed = ref false in
        let rec aux v fmt = match v with
          | [] -> if !printed
            then fprintf fmt "a"
            else fprintf fmt "0"
          | (vn,blv,ty) :: q -> match ty with
            | ITDecl tn when List.mem tnv (binder_vars dm tn) ->
              fprintf fmt "%tlet b =@ %t%t@ %t@]@]@ in@ "
                indent indent << bound_depth_name tnv tn << vn ;
              let lv = level tnv blv in
              (if lv <> 0
               then fprintf fmt "%tlet b =@ %tif b < %d@ \
                 then 0@ else@ b - %d@]@]@ in@ " indent indent lv lv);
              (if !printed
               then fprintf fmt "%tlet a =@ %tif a > b@ \
                   then a@ else b@]@]@ in@ " indent indent
               else (printed := true; fprintf fmt "let a = b in@ "));
              aux q fmt
            | _ -> aux q fmt in
        aux v in
      fprintf fmt "%t%t@ %t@ (t:%t) :@ int@ =@ %t@]@\n@\n" indent pr
        << bound_depth_name tnv tn
        << nltype_app_printer (string_printer "b") tn
        << nlmatch_printer tn fvcase bvcase ccase (string_printer "t") in
    make_for_bdefs (fun tn c v ->
      List.iter (fun tnv ->
        print_decl tnv tn c v) v)

  let bound_depth_lemma_printer fmt =
    let pr = rec_val_printer () in
    let print_decl tnv tn _ v =
      let vcase _ fmt = fprintf fmt "()" in
      let ccase cs v =
        let v = flatten v in
        blemma_cons_case (fun vname blv tn fmt ->
        if List.mem tnv (binder_vars dm tn)
        then fprintf fmt "%t@ %t"
          << bound_depth_lemma_name tnv tn << vname
        else fprintf fmt "()"
      ) cs v in
      fprintf fmt "%t%t@ lemma@ %t@ (t:%t) :@ unit@ \
        %trequires {@ %t%t@ t@]@ }@]@ \
        %tensures {@ %t%t@ t@] >= 0@ }@]@ \
        %tvariant {@ %t%t@ t@]@ }@]@ =@ %t@]@\n@\n"
        indent pr << bound_depth_lemma_name tnv tn
        << nltype_app_printer (string_printer "b") tn
        << indent << indent << correct_indexes_name tn
        << indent << indent << bound_depth_name tnv tn
        << indent << indent << nlsize_name tn
        << nlmatch_printer tn vcase vcase ccase (string_printer "t") in
    make_for_bdefs (fun tn c v ->
      List.iter (fun tnv ->
        print_decl tnv tn c v) v)

  let model_equal_lemma_printer fmt =
    let pr = rec_val_printer () in
    let b,c = string_printer "b",string_printer "c" in
    let print_decl tn _ v =
      let vcase _ fmt = fprintf fmt "()" in
      let ccase cs v =
        let v = flatten v in
        blemma_cons_case (fun vname blv tn fmt ->
        let v0 = binder_vars dm tn in
        fprintf fmt "%t%t@ %t%t@]"
          indent << model_equal_lemma_name tn
          << vname << list_printer (fun tnv fmt ->
            fprintf fmt "@ (%t)@ (%t)@ (%t)@ (%t)" << frenv_lift_printer (fun fmt ->
                  fprintf fmt "fr1%t" << tindex_printer tnv) blv tnv
              << frenv_lift_printer (fun fmt ->
                fprintf fmt "fr2%t" << tindex_printer tnv) blv tnv
              << benv_lift_printer (fun fmt ->
                fprintf fmt "bnd1%t" << tindex_printer tnv) blv tnv
              << benv_lift_printer (fun fmt ->
                fprintf fmt "bnd2%t" << tindex_printer tnv) blv tnv) v0) cs v in
      let p id = list_printer (fun tnv fmt ->
          fprintf fmt "@ fr%s%t@ bnd%s%t" << id << tindex_printer tnv
            << id << tindex_printer tnv) v in
      fprintf fmt "%t%t@ lemma@ %t@ (t:%t)%t :@ unit@ %t\
        %trequires {@ %t%t@ t@]@ }@]@ \
        %tensures {@ %t%t@ t%t@]@ =@ %t%t@ t%t@]@ }@]@ \
        %tvariant {@ %t%t@ t@]@ }@]@ \
        =@ %t@]@\n@\n"
        indent pr << model_equal_lemma_name tn
        << nltype_app_printer b tn
        << list_printer (fun tnv fmt ->
            fprintf fmt "@ (fr1%t:%t)@ (fr2%t:%t)@ (bnd1%t:%t)@ (bnd2%t:%t)"
              << tindex_printer tnv
              << env_type_printer (fun fmt ->
                fprintf fmt "'b%t" << tindex_printer tnv) c tnv
              << tindex_printer tnv
              << env_type_printer (fun fmt ->
                fprintf fmt "'b%t" << tindex_printer tnv) c tnv
              << tindex_printer tnv << nlbenv_type_printer c tnv
              << tindex_printer tnv << nlbenv_type_printer c tnv) v
        << list_printer (fun tnv fmt ->
            fprintf fmt "%trequires {@ %tforall i:int.@ \
              0@ <=@ i@ <@ %t%t@ t@]@ ->@ \
              @ bnd1%t i@ =@ bnd2%t i@]@ }@]@ \
              %trequires {@ fr1%t@ =@ fr2%t@ }@]@ "
              << indent << indent << indent << bound_depth_name tnv tn
              << tindex_printer tnv << tindex_printer tnv
              << indent << tindex_printer tnv << tindex_printer tnv) v
        << indent << indent << correct_indexes_name tn
        << indent << indent << model_name tn << p "1"
        << indent << model_name tn << p "2"
        << indent << indent << nlsize_name tn
        << nlmatch_printer tn vcase vcase ccase (string_printer "t") in
    make_for_bdefs print_decl

  let bind_var_printer fmt =
    let pr = rec_val_printer () in
    let b = string_printer "b" in
    let print_decl tnv tn _ v =
      let fvcase = if tnv = tn
        then fun vname fmt ->
          fprintf fmt "%tif %t = x@ \
            then %t i@ \
            else %t %t@]" indent vname
            << bound_variable_name tn
            << free_variable_name tn << vname
        else fun vname fmt ->
          fprintf fmt "%t %t" << free_variable_name tn << vname in
      let bvcase vname fmt =
        fprintf fmt "%t %t" << bound_variable_name tn << vname in
      let ccase = nlrecons_case (fun vname blv tn fmt ->
        let v = binder_vars dm tn in
        if List.mem tnv v
        then fprintf fmt "%t%t@ %t@ x@ (i+%d)%t@]"
          indent << bind_var_name tnv tn
          << vname
          << level tnv blv
          << list_printer (fun tn fmt ->
            fprintf fmt "@ (%t)@ (%t)"
              << frenv_lift_printer (fun fmt ->
                fprintf fmt "fr%t" << tindex_printer tn) blv tn
              << benv_lift_printer (fun fmt ->
                fprintf fmt "bnd%t" << tindex_printer tn) blv tn) v
        else vname fmt) in
      let ccase cs v0 fmt =
        let v = flatten v0 in
        List.iter (fun (vn,blv,ty) -> match ty with
          | ITDecl tn' when List.mem tnv (binder_vars dm tn') ->
            let lv = level tnv blv in
            let p1 = frenv_lift_printer (fun fmt ->
              fprintf fmt "(%tupdate@ fr%t@ x@ (%tbnd%t@ i@])@])"
                << indent << tindex_printer tnv << indent << tindex_printer tnv)
              blv tnv in
            let p2 fmt = fprintf fmt "(%t%t@ (%tbnd%t@ i@])%t@])"
              << indent << rename_name tnv << indent << tindex_printer tnv
              << list_printer (fun tn fmt ->
                  fprintf fmt "@ %t" << csomes_printer (level tn blv)
                ) (binder_vars dm tnv) in
            let p3 p fmt = fprintf fmt "(%tupdate@ (%t)@ x@ %t@])"
              << indent << frenv_lift_printer (fun fmt ->
                fprintf fmt "fr%t" << tindex_printer tnv) blv tnv << p in
            let p4 fmt = fprintf fmt "(%teval@ (%t)@ (i+%d)@])"
              << indent << benv_lift_printer (fun fmt ->
                fprintf fmt "bnd%t" << tindex_printer tnv) blv tnv
              << lv in
            fprintf fmt "%tassert {@ %t@ =@ %t@ };@]@ \
              %tassert {@ %textensionalEqual@ (%t)@ (%t)@]@ };@]@ \
              %tassert {@ %t@ =@ %t@ };@]@ "
              << indent << p2 << p4
              << indent << indent << p1 << p3 p2
              << indent << p1 << p3 p4
          | _ -> ()
        ) v ;
        ccase cs v0 fmt in
      fprintf fmt "%t%t@ %t@ (t:%t)@ (x:%t)@ (i:int)%t :@ %t@ \
        %trequires {@ %t%t@ t@]@ }@]@ \
        %trequires {@ %t%t@ t@]@ <=@ i@ }@]@ \
        %tensures {@ %t%t@ result@]@ <= i + 1@ }@]@ \
        %tensures {@ %t%t@ result@]@ }@]@ %t\
        %tensures {@ %t%t@ result%t@]@ =@ %t%t@ t%t@]@ }@]@ \
        =@ %t@]@\n@\n"
        indent pr << bind_var_name tnv tn
          << nlrtype_app_printer tn
          << nlfree_var_type_name tn
          << list_printer (fun tn fmt ->
            fprintf fmt "@ (ghost fr%t:%t)@ (ghost bnd%t:%t)"
              << tindex_printer tn
              << env_type_printer (nlfree_var_type_name tn) b tn
              << tindex_printer tn << nlbenv_type_printer b tn) v
          << nlrtype_app_printer tn
          << indent << indent << correct_indexes_name tn
          << indent << indent << bound_depth_name tnv tn
          << indent << indent << bound_depth_name tnv tn
          << indent << indent << correct_indexes_name tn
          << list_printer (fun tnv2 fmt ->
              if tnv <> tnv2
              then fprintf fmt "%tensures {@ %t%t@ t@]@ =@ \
                %t%t@ result@]@ }@]@ "
                indent indent << bound_depth_name tnv2 tn
                << indent << bound_depth_name tnv2 tn) v
          << indent << indent << model_name tn << list_printer (fun tn fmt ->
              fprintf fmt "@ fr%t@ bnd%t" << tindex_printer tn
                << tindex_printer tn) v
          << indent << model_name tn << list_printer (fun tn fmt ->
            if tn = tnv
            then fprintf fmt "@ (%tupdate@ fr%t@ x@ (%tbnd%t@ i@])@])@ bnd%t"
              << indent << tindex_printer tn << indent << tindex_printer tn
              << tindex_printer tn
            else fprintf fmt "@ fr%t@ bnd%t" << tindex_printer tn
              << tindex_printer tn
            ) v
          << nlmatch_printer tn fvcase bvcase ccase (string_printer "t") in
    make_for_bdefs (fun tn c v ->
      List.iter (fun tnv ->
        print_decl tnv tn c v) v)

  let unbind_var_printer fmt =
    let pr = rec_val_printer () in
    let b = string_printer "b" in
    let print_decl tnv tn _ v =
      let vv = binder_vars dm tnv in
      let fvcase vname fmt =
        fprintf fmt "%t%t@ %t@]" indent
          << free_variable_name tn << vname in
      let bvcase = if tn = tnv
        then fun vname fmt ->
          fprintf fmt "%tif %t = i@ \
            %tthen (%t%t@ x%t@] ;@ x)@]@ else %t %t@]" indent
              vname << indent << indent << model_equal_lemma_name tn
              << list_printer (fun tnv2 fmt ->
                let ti2 = tindex_printer tnv2 in
                fprintf fmt "@ fr%t@ fr%t@ bnd1%t@ bnd2%t" ti2 ti2 ti2 ti2) v
              << bound_variable_name tn << vname
        else fun vname fmt ->
          fprintf fmt "%t%t@ %t@]" indent
            << bound_variable_name tn << vname in
      let ccase = nlrecons_case (fun vname blv tn fmt ->
        let v = binder_vars dm tn in
        if List.mem tnv v
        then fprintf fmt "%t%t@ %t@ (i+%d)@ x%t%t@]" indent
          << unbind_var_name tnv tn << vname << level tnv blv
          << list_printer (fun tn fmt ->
              fprintf fmt "@ (%t)@ (%t)"
                << frenv_lift_printer (fun fmt ->
                  fprintf fmt "fr%t" << tindex_printer tn) blv tn
                << benv_lift_printer (fun fmt ->
                  fprintf fmt "bnd1%t" << tindex_printer tn) blv tn) v
          << list_printer (fun tn fmt ->
            fprintf fmt "@ (%t)"
              << frenv_lift_printer (fun fmt ->
                fprintf fmt "bnd2%t" << tindex_printer tn) blv tn) vv
        else vname fmt) in
      let ccase cs v0 fmt =
        let v = flatten v0 in
        List.iter (fun (vname,blv,ty) -> match ty with
          | ITVar _ -> ()
          | ITDecl tn -> let pm0 fmt =
              fprintf fmt "%t%t@ x%t@]" << indent << model_name tnv
              << list_printer (fun tn fmt ->
                  let ti = tindex_printer tn in
                  fprintf fmt "@ fr%t@ bnd2%t" ti ti) vv in
            let pm1 fmt =
              fprintf fmt "%t%t@ (%t)%t@]" indent << rename_name tnv << pm0
                << list_printer (fun tn fmt ->
                  fprintf fmt "@ %t" << csomes_printer (level tn blv)) vv in
            let pm2 fmt = fprintf fmt "%t%t@ x%t@]" indent << model_name tnv
              << list_printer (fun tn fmt ->
                let ti = tindex_printer tn in
                fprintf fmt "@ (%t)@ (%t)"
                  << frenv_lift_printer (fun fmt ->
                    fprintf fmt "fr%t" ti) blv tn
                  << frenv_lift_printer (fun fmt ->
                    fprintf fmt "bnd2%t" ti) blv tn) vv in
            let p1 = benv_lift_printer (fun fmt ->
                fprintf fmt "(%tupdate@ bnd1%t@ i@ (%t)@])"
                  indent << tindex_printer tnv << pm0
              ) blv tnv in
            let p2 pm fmt = fprintf fmt "%tupdate@ (%t)@ (i+%d)@ (%t)@]"
              indent << benv_lift_printer (fun fmt ->
                fprintf fmt "bnd1%t" << tindex_printer tnv) blv tnv
              << level tnv blv << pm in
            fprintf fmt "%tassert {@ %t@ =@ %t@ }@] ;@ \
              %tassert {@ %textensionalEqual@ (%t)@ (%t)@]@ }@] ;@ \
              %tassert {@ %t@ =@ %t@ }@] ;@ "
              indent pm1 pm2 indent indent p1 << p2 pm1
              << indent << p1 << p2 pm2
        ) v ;
        ccase cs v0 fmt in
      fprintf fmt "%t%t@ %t@ (t:%t)@ (i:int)@ (x:%t)%t%t :@ %t@ \
        %trequires {@ i@ >=@ 0@ }@]@ \
        %trequires {@ %t%t@ t@]@ }@]@ \
        %trequires {@ %t%t@ t@]@ <=@ i + 1@ }@]@ \
        %trequires {@ %t%t@ x@]@ }@]@ %t\
        %tensures {@ %t%t@ result@]@ }@]@ \
        %tensures {@ %t%t@ result@]@ <=@ i@ }@]@ %t\
        %tensures {@ %t%t@ result%t@]@ =@ %t%t@ t%t@]@ }@]@ \
        =@ %t@]@\n@\n"
        indent pr << unbind_var_name tnv tn << nlrtype_app_printer tn
        << nlrtype_app_printer tnv
        << list_printer (fun tn fmt ->
            fprintf fmt "@ (ghost fr%t:%t)@ (ghost bnd1%t:%t)"
              << tindex_printer tn
              << env_type_printer (nlfree_var_type_name tn) b tn
              << tindex_printer tn << nlbenv_type_printer b tn) v
        << list_printer (fun tn fmt ->
            fprintf fmt "@ (ghost bnd2%t:%t)"
              << tindex_printer tn << nlbenv_type_printer b tn) vv
        << nlrtype_app_printer tn
        << indent << indent << indent << correct_indexes_name tn
        << indent << indent << bound_depth_name tnv tn
        << indent << indent << correct_indexes_name tnv
        << list_printer (fun tnv2 fmt ->
          fprintf fmt "%trequires {@ %t%t@ x@]@ =@ 0@ }@]@ "
            indent indent << bound_depth_name tnv2 tnv) vv
        << indent << indent << correct_indexes_name tn
        << indent << indent << bound_depth_name tnv tn
        << list_printer (fun tnv2 fmt ->
          if tnv <> tnv2
          then fprintf fmt "%tensures {@ %t%t@ result@]@ =@ %t%t@ t@]@ }@]@ "
            indent indent << bound_depth_name tnv2 tn
            << indent << bound_depth_name tnv2 tn) v
        << indent << indent << model_name tn << list_printer (fun tn fmt ->
          fprintf fmt "@ fr%t@ bnd1%t"
            << tindex_printer tn << tindex_printer tn) v
        << indent << model_name tn << list_printer (fun tn fmt ->
          if tn = tnv
          then fprintf fmt "@ fr%t@ (%tupdate@ bnd1%t@ i@ (%t%t@ x%t@])@])"
            << tindex_printer tn << indent << tindex_printer tn
            << indent << model_name tnv << list_printer (fun tn fmt ->
              fprintf fmt "@ fr%t@ bnd2%t"
                << tindex_printer tn << tindex_printer tn) vv
          else fprintf fmt "@ fr%t@ bnd1%t"
            << tindex_printer tn << tindex_printer tn) v
        << nlmatch_printer tn fvcase bvcase ccase (string_printer "t") in
    make_for_bdefs (fun tn c v ->
      List.iter (fun tnv ->
        print_decl tnv tn c v) v)


  let subst_base_printer fmt =
    let pr = rec_val_printer () in
    let b = string_printer "b" in
    let print_decl tnv tn _ v =
      let vv = binder_vars dm tnv in
      let fvcase =
        if tn = tnv
        then fun vname fmt ->
          fprintf fmt "%tif %t = x@ \
            %tthen (%t%t@ u%t@] ;@ u)@]@ else %t %t@]" indent
              vname indent indent << model_equal_lemma_name tn
              << list_printer (fun tnv2 fmt ->
                let ti2 = tindex_printer tnv2 in
                fprintf fmt "@ fr%t@ fr%t@ bnd1%t@ bnd2%t" ti2 ti2 ti2 ti2) v
              << free_variable_name tn << vname
        else fun vname fmt ->
          fprintf fmt "%t%t@ %t@]" indent
            << free_variable_name tn << vname in
      let bvcase vname fmt =
        fprintf fmt "%t%t@ %t@]" indent
          << bound_variable_name tn << vname in
      let ccase = nlrecons_case (fun vname blv tn fmt ->
        let v = binder_vars dm tn in
        if List.mem tnv v
        then fprintf fmt "%t%t@ %t@ x@ u%t%t@]" indent
          << subst_base_name tnv tn << vname
          << list_printer (fun tn fmt ->
              fprintf fmt "@ (%t)@ (%t)"
                << frenv_lift_printer (fun fmt ->
                  fprintf fmt "fr%t" << tindex_printer tn) blv tn
                << benv_lift_printer (fun fmt ->
                  fprintf fmt "bnd1%t" << tindex_printer tn) blv tn) v
          << list_printer (fun tn fmt ->
            fprintf fmt "@ (%t)"
              << frenv_lift_printer (fun fmt ->
                fprintf fmt "bnd2%t" << tindex_printer tn) blv tn) vv
        else vname fmt) in
      let ccase cs v0 fmt =
        let v = flatten v0 in
        List.iter (fun (vname,blv,ty) -> match ty with
          | ITVar _ -> ()
          | ITDecl tn -> let pm0 fmt =
              fprintf fmt "%t%t@ u%t@]" << indent << model_name tnv
              << list_printer (fun tn fmt ->
                  let ti = tindex_printer tn in
                  fprintf fmt "@ fr%t@ bnd2%t" ti ti) vv in
            let pm1 fmt =
              fprintf fmt "%t%t@ (%t)%t@]" indent << rename_name tnv << pm0
                << list_printer (fun tn fmt ->
                  fprintf fmt "@ %t" << csomes_printer (level tn blv)) vv in
            let pm2 fmt = fprintf fmt "%t%t@ u%t@]" indent << model_name tnv
              << list_printer (fun tn fmt ->
                let ti = tindex_printer tn in
                fprintf fmt "@ (%t)@ (%t)"
                  << frenv_lift_printer (fun fmt ->
                    fprintf fmt "fr%t" ti) blv tn
                  << frenv_lift_printer (fun fmt ->
                    fprintf fmt "bnd2%t" ti) blv tn) vv in
            let p1 = frenv_lift_printer (fun fmt ->
                fprintf fmt "(%tupdate@ fr%t@ x@ (%t)@])"
                  indent << tindex_printer tnv << pm0
              ) blv tnv in
            let p2 pm fmt = fprintf fmt "%tupdate@ (%t)@ x@ (%t)@]"
              indent << frenv_lift_printer (fun fmt ->
                fprintf fmt "fr%t" << tindex_printer tnv) blv tnv
              << pm in
            fprintf fmt "%tassert {@ %t@ =@ %t@ }@] ;@ \
              %tassert {@ %textensionalEqual@ (%t)@ (%t)@]@ }@] ;@ \
              %tassert {@ %t@ =@ %t@ }@] ;@ "
              indent pm1 pm2 indent indent p1 << p2 pm1
              << indent << p1 << p2 pm2
        ) v ;
        ccase cs v0 fmt in
      fprintf fmt "%t%t@ %t@ (t:%t)@ (x:int)@ (u:%t)%t%t :@ %t@ \
        %trequires {@ %t%t@ t@]@ }@]@ \
        %trequires {@ %t%t@ u@]@ }@]@ %t\
        %tensures {@ %t%t@ result@]@ }@]@  %t\
        %tensures {@ %t%t@ result%t@]@ =@ %t%t@ t%t@]@ }@]@ \
        =@ %t@]@\n@\n"
        indent pr << subst_base_name tnv tn << nlrtype_app_printer tn
        << nlrtype_app_printer tnv
        << list_printer (fun tn fmt ->
            fprintf fmt "@ (ghost fr%t:%t)@ (ghost bnd1%t:%t)"
              << tindex_printer tn
              << env_type_printer (nlfree_var_type_name tn) b tn
              << tindex_printer tn << nlbenv_type_printer b tn) v
        << list_printer (fun tn fmt ->
            fprintf fmt "@ (ghost bnd2%t:%t)"
              << tindex_printer tn << nlbenv_type_printer b tn) vv
        << nlrtype_app_printer tn
        << indent << indent << correct_indexes_name tn
        << indent << indent << correct_indexes_name tnv
        << list_printer (fun tnv2 fmt ->
          fprintf fmt "%trequires {@ %t%t@ u@]@ =@ 0@ }@]@ "
            indent indent << bound_depth_name tnv2 tnv) vv
        << indent << indent << correct_indexes_name tn
        << list_printer (fun tnv2 fmt ->
          fprintf fmt "%tensures {@ %t%t@ result@]@ =@ %t%t@ t@]@ }@]@ "
            indent indent << bound_depth_name tnv2 tn
            << indent << bound_depth_name tnv2 tn) v
        << indent << indent << model_name tn << list_printer (fun tn fmt ->
          fprintf fmt "@ fr%t@ bnd1%t"
            << tindex_printer tn << tindex_printer tn) v
        << indent << model_name tn << list_printer (fun tn fmt ->
          if tn = tnv
          then fprintf fmt "@ (%tupdate@ fr%t@ x@ (%t%t@ u%t@])@])@ bnd1%t"
            << indent << tindex_printer tn << indent << model_name tnv
            << list_printer (fun tn fmt ->
              fprintf fmt "@ fr%t@ bnd2%t"
                << tindex_printer tn << tindex_printer tn) vv
            << tindex_printer tn
          else fprintf fmt "@ fr%t@ bnd1%t"
            << tindex_printer tn << tindex_printer tn) v
        << nlmatch_printer tn fvcase bvcase ccase (string_printer "t") in
    make_for_bdefs (fun tn c v ->
      List.iter (fun tnv ->
        print_decl tnv tn c v) v)




  let implementation_type_printer fmt =
    let print_decl tn _ v =
      fprintf fmt "%ttype@ %t%t@ =@ %t{@ \
        %t%t :@ %t ;@]%t@ \
        %tghost@ %t :@ %t%s%t%t@] ;@]@]@ }@]@\n@\n"
        indent << impl_type_name tn << params_printer
        << indent << indent << data_field_name tn
        << nlrtype_app_printer tn << list_printer (fun tnv fmt ->
          fprintf fmt "@ %t%t :@ %t ;@]"
            indent << varset_field_name tnv tn << varset_type_name tnv) v
        << indent << model_field_name tn << indent
        << type_name dm tn << params_printer
        << list_printer (fun tn fmt ->
          fprintf fmt "@ %t" << nlfree_var_type_name tn) v
    in
    make_for_defs print_decl

  let invariant_printer fmt =
    let print_decl tn _ v =
      let correct_indexes fmt = match v with
        | [] -> ()
        | _ -> fprintf fmt "@ /\\@ %t%t@ t.%t@]"
          << indent << correct_indexes_name tn << data_field_name tn in
      fprintf fmt "%tpredicate@ %t@ (t:%t%t%t@])@ =@ \
        %t%t%t@ t.%t%t@]@ =@ t.%t@]\
        %t%t%t@]@\n@\n"
        indent << invariant_name tn << indent << impl_type_name tn
        << params_printer << indent << indent << model_name tn
        << data_field_name tn << list_printer (fun tn fmt ->
          fprintf fmt "@ %t@ (%tconst@ (%t%t@ (%t)@])@])"
            << subst_identity_name tn << indent
            << indent << variable_name tn << default_variable_value tn) v
        << model_field_name tn
        << correct_indexes
        << list_printer (fun tnv fmt ->
          fprintf fmt "@ /\\@ %t%t%t@ t.%t@]@ =@ 0@]"
            indent indent << bound_depth_name tnv tn
            << data_field_name tn) v
        << list_printer (fun tnv fmt ->
          fprintf fmt "@ /\\@ (%tforall@ x:%t.@ %t%t@ x@ t.%t@]@ ->@ %t@])"
            << indent << nlfree_var_type_name tn << indent
            << free_var_predicate_name tnv tn << model_field_name tn
            << free_var_in_set_predicate tnv (string_printer "x") (fun fmt ->
              fprintf fmt "t.%t" << varset_field_name tnv tn)) v
    in
    make_for_defs print_decl

  (* Time to go for explicit construction/destruction ! *)

  let constructor_type_printer fmt =
    let print_decl tn c v =
      fprintf fmt "%ttype@ %t%t@ =" indent << constructor_type_name tn
        << params_printer ;
      (if c.var_present
       then fprintf fmt "@ %t| %t@ %t@]" indent << constructor_variable_name tn
         << nlfree_var_type_name tn) ;
      let pf = list_printer (fun ty fmt -> match ty with
        | ITVar vname -> fprintf fmt "@ 'a%s" << var_name dm vname
        | ITDecl tn -> fprintf fmt "@ (%t%t%t@])"
          indent << impl_type_name tn << params_printer) in
      fprintf fmt "%t@]@\n@\n" << list_printer (fun (cn,bl,tl) fmt ->
        fprintf fmt "@ %t| %t%t%t@]" indent << constructor_cons_name cn
          << list_printer (fun (tn,tl) fmt ->
            fprintf fmt "@ (%t)%t" << nlfree_var_type_name tn
              << pf tl) bl << pf tl
      ) c.cons_list in
    make_for_defs print_decl

  let env_list tn elv = try TMap.find tn elv with Not_found -> []

  let add_to_env tn vp elv =
    TMap.add tn (vp::env_list tn elv) elv

  let cons_match_variables ?(vbase=string_printer "v") (cn,bl,tl) =
    let process_type blevels elv (vars,cnt) ty =
      let vprinter fmt = fprintf fmt "%t%d" vbase cnt in
      ((vprinter,blevels,elv,ty)::vars,cnt+1) in
    let process_types blevels elv = List.fold_left (process_type blevels elv) in
    let (vars,blevels,elv,cnt) =
      List.fold_left (fun (vars,blevels,elv,cnt) (bo,tys) ->
        let nblevels = inc_level bo blevels in
        let vprinter fmt = fprintf fmt "%t%d" vbase cnt in
        let nelv = add_to_env bo vprinter elv in
        let ivars,cnt = process_types blevels elv ([],cnt+1) tys in
        ((vprinter,blevels,bo,elv,List.rev ivars)::vars,nblevels,nelv,cnt)
      ) ( [] , TMap.empty , TMap.empty , 0 ) bl in
    let (ivars,_) = process_types blevels elv ([],cnt) tl in
    List.rev vars,List.rev ivars

  let cons_match_printer tn vcase ccase v fmt =
    let c = match type_def dm tn with
      | ITypeDef (c,_) -> c
      | _ -> assert false in
    fprintf fmt "%tmatch %t with" indent v ;
    (if c.var_present
     then fprintf fmt "@ %t| %t@ v0@ ->@ %t@]"
       indent << constructor_variable_name tn
       << vcase (string_printer "v0"));
    fprintf fmt "%t@]@ end"
      << list_printer (fun ((cn,_,_) as cs) fmt ->
        let bl,tl = cons_match_variables cs in
        let p (vp,_,_,_) fmt = fprintf fmt "@ %t" vp in
        let p = list_printer p in
        fprintf fmt "@ %t| %t%t%t%t@]@ ->@ %t@]"
          indent indent << constructor_cons_name cn
          << list_printer (fun (vp,_,_,_,tl) fmt ->
            fprintf fmt "@ %t%t" vp << p tl) bl
          << p tl << ccase cs bl tl) c.cons_list

  let constructor_invariant_printer fmt =
    let print_decl tn _ v =
      let vcase _ fmt = fprintf fmt "true" in
      let ccase _ bl tl fmt =
        let printed = ref false in
        let p (vp,_,_,ty) fmt = match ty with
          | ITVar _ -> ()
          | ITDecl tn -> (if !printed
            then fprintf fmt "@ /\\@ "
            else printed := true);
            fprintf fmt "%t%t@ %t@]" indent << invariant_name tn
              << vp in
        let p = list_printer p in
        fprintf fmt "%t%t" << list_printer (fun (_,_,_,_,tl) -> p tl) bl
          << p tl ;
        if not(!printed)
        then fprintf fmt "true" in
      fprintf fmt "%tpredicate@ %t@ (c:%t%t%t@])@ =@ %t@]@\n@\n"
        indent << constructor_invariant_name tn
        << indent << constructor_type_name tn << params_printer
        << cons_match_printer tn vcase ccase (string_printer "c") in
    make_for_defs print_decl

  let closure_renaming tn blv elv fmt =
    let l = env_list tn elv in
    (*let lv = level tn blv in*)
    let rec aux n l fmt = match l with
      | [] -> csomes_printer n fmt
      | vp :: l -> fprintf fmt "(%tupdate@ %t@ %t@ %t@])"
        indent << aux (n+1) l << vp
        << somes_printer (string_printer "None") n in
    aux 0 l fmt

  let open_renaming tn elv fmt =
    let l = env_list tn elv in
    let rec aux l fmt = match l with
      | [] -> fprintf fmt "identity"
      | vp :: l -> fprintf fmt "(%tocase@ %t@ %t@])"
        indent << aux l << vp in
    aux l fmt

  let constructor_relation_printer fmt =
    let print_decl tn _ v =
      let vcase vname fmt = fprintf fmt "t.%t@ =@ %t%t@ %t@]"
        << model_field_name tn << indent << variable_name tn
        << vname in
      let ccase (cn,_,_) bl tl fmt =
        let p (vp,blv,elv,ty) fmt = match ty with
          | ITVar _ -> fprintf fmt "@ %t" vp
          | ITDecl tn -> let v = binder_vars dm tn in
            match v with
              | [] -> fprintf fmt "@ %t.%t" vp << model_field_name tn
              | _ -> fprintf fmt "@ (%t%t@ %t.%t%t@])"
                << indent << rename_name tn << vp << model_field_name tn
                << list_printer (fun tnv fmt ->
                    fprintf fmt "@ %t" << closure_renaming tnv blv elv
                  ) v in
        let p = list_printer p in
        fprintf fmt "t.%t@ =@ %t%s%t%t@]"
          << model_field_name tn << indent << cons_name dm cn
          << list_printer (fun (_,_,_,_,tl) -> p tl) bl
          << p tl
      in
      fprintf fmt "%tpredicate@ %t@ (c:%t%t%t@])@ (t:%t%t%t@])@ =@ %t@]@\n@\n"
        indent << constructor_relation_name tn << indent
        << constructor_type_name tn << params_printer << indent
        << impl_type_name tn << params_printer
        << cons_match_printer tn vcase ccase (string_printer "c") in
    make_for_defs print_decl

  let constructor_open_relation_printer fmt =
    let print_decl tn _ v =
      let vcase vname fmt = fprintf fmt "t.%t@ =@ %t%t@ %t@]"
        << model_field_name tn << indent << variable_name tn
        << vname in
      let ccase (cn,_,_) bl tl (cn2,_,_) vars fmt =
        if cn = cn2
        then let printed = ref false in
          let conj fmt = if !printed
            then fprintf fmt "@ /\\@ "
            else printed := true in
          let rec zip acc tl vars = match tl,vars with
            | [] , vars -> List.rev acc , vars
            | _ , [] -> assert false
            | (vp,blv,elv,ty) :: tl, (mvp,_,_) :: vars ->
              zip ((vp,mvp,blv,elv,ty) :: acc) tl vars in
          let rec zipb acc bl vars = match bl with
            | [] -> List.rev acc , let tl , _ = zip [] tl vars in tl
            | (vp,blv,bo,elv,tl) :: bl ->
              let tl,vars = zip [] tl vars in
              zipb ((vp,blv,bo,elv,tl)::acc) bl vars in
          let bl,tl = zipb [] bl vars in
          let p (vp,mvp,blv,elv,ty) fmt = match ty with
            | ITVar _ -> fprintf fmt "%t%t%t@ =@ %t@]" conj indent vp mvp
            | ITDecl tn -> let v = binder_vars dm tn in match v with
              | [] -> fprintf fmt "%t%t%t.%t@ =@ %t@]"
                conj indent vp << model_field_name tn << mvp
              | _ -> fprintf fmt "%t%t%t.%t@ =@ (%t%t@ %t%t@])@]"
                conj indent vp << model_field_name tn << indent
                << rename_name tn << mvp << list_printer (fun tnv fmt ->
                    fprintf fmt "@ %t" << open_renaming tnv elv
                  ) v in
          let p = list_printer p in
          List.iter (fun (_,_,_,_,tl) -> p tl fmt) bl ;
          p tl fmt ;
          (if not(!printed)
          then fprintf fmt "true")
        else fprintf fmt "false" in
      let ccase cs bl tl =
        let vbase = string_printer "w" in
        match_printer ~vbase tn (fun _ fmt ->
          fprintf fmt "false") (ccase cs bl tl) (fun fmt ->
          fprintf fmt "t.%t" << model_field_name tn) in
      fprintf fmt "%tpredicate@ %t@ (c:%t%t%t@])@ (t:%t%t%t@])@ =@ %t@]@\n@\n"
        indent << constructor_open_relation_name tn << indent
        << constructor_type_name tn << params_printer << indent
        << impl_type_name tn << params_printer
        << cons_match_printer tn vcase ccase (string_printer "c") in
    make_for_defs print_decl

  let construction_operator_printer fmt =
    let print_decl tn _ v =
      let vcase vname fmt =
        fprintf fmt "%t{@ \
          %t%t@ =@ %t%t@ %t@] ;@]%t@ \
          %t%t@ =@ ghost@ (%t%t@ %t@]) ;@]@]@ }"
          indent indent << data_field_name tn << indent
          << free_variable_name tn << vname << list_printer (fun tnv fmt ->
            fprintf fmt "@ %t%t@ =@ %t ;@]"
              indent << varset_field_name tnv tn
              << (if tn = tnv
                then varset_singleton tnv vname
                else varset_empty tnv)) v
          << indent << model_field_name tn << indent
          << variable_name tn << vname in
      let ccase (cn,_,_) bl tl fmt =
        let nextup up tnvp bvp n tn fmt =
          if tnvp = tn
          then fprintf fmt "(%tupdate@ %t@ %t@ (%t%t@ %t@])@])"
            indent << up tn << bvp << indent << variable_name tn
            << somes_printer (string_printer "None") n
          else up tn fmt in
        let bbase blv tn fmt =
          benv_lift_printer (fun fmt ->
            fprintf fmt "(%tconst@ (%t%t@ %t@])@])"
              indent indent << variable_name tn << default_variable_value tn)
          blv tn fmt in
        let upd blv tn fmt =
          fprintf fmt "(%t%t@ (%t:(%t)->(%t%s%t%t@]))%t@])" indent
            << rename_subst_name tn
            << subst_identity_name tn << nlfree_var_type_name tn
            << indent << type_name dm tn
            << params_printer << list_printer (fun tnv fmt ->
              fprintf fmt "@ (%t)" << nlfree_var_type_name tnv
            ) (binder_vars dm tn)
            << list_printer (fun tnv fmt ->
              fprintf fmt "@ %t" << csomes_printer (level tnv blv)
            ) (binder_vars dm tn)
        in
        let print_nl_element (vp,blv,elv,ty) fmt = match ty with
          | ITVar _ -> fprintf fmt "@ %t" vp
          | ITDecl tn ->
            fprintf fmt "@ (%t%tlet@ %t@ =@ %t.%t@]@ in@ " indent indent vp vp
              << data_field_name tn ;
              let update_list = TMap.fold (fun tnv l acc ->
                let l,_ = List.fold_left (fun (acc,n) bvp ->
                  (bvp,tnv,n)::acc,n+1) ([],0) l in
                List.append l acc) elv [] in
              let update_list,_ = List.fold_left (fun (acc,up) (bvp,tnv,n) ->
                  let nup = nextup up tnv bvp n in
                  (bvp,tnv,n,up)::acc,nup) ([],upd blv) update_list in
              List.iter (fun (bvp,tnv,n,up) ->
                fprintf fmt "%tlet@ %t@ =@ %t%t@ %t@ %t@ %d%t@]@]@ in@ "
                  indent vp indent << bind_var_name tnv tn << vp << bvp << n
                  << list_printer (fun tnv2 fmt ->
                      fprintf fmt "@ (%tghost@ %t@])@ \
                        (%tghost@ %t@])"
                        << indent << up tnv2 << indent << bbase blv tnv2
                  ) (binder_vars dm tn) ;
              ) update_list ;
              fprintf fmt "%t@])" vp in
        let print_nl_elements tl fmt = list_printer print_nl_element tl fmt in
        let print_nl_elements fmt =
          fprintf fmt "%t%t"
            << list_printer (fun (_,_,_,_,tl) fmt ->
              print_nl_elements tl fmt) bl
            << print_nl_elements tl in

        let print_renaming vp blv elv tn fmt =
          fprintf fmt "(%t%t@ %t.%t%t@])" indent
            << rename_name tn << vp << model_field_name tn
            << list_printer (fun tn fmt ->
                fprintf fmt "@ %t" << closure_renaming tn blv elv
              ) (binder_vars dm tn) in
        let print_l_element (vp,blv,elv,ty) fmt = match ty with
          | ITVar _ -> fprintf fmt "@ %t" vp
          | ITDecl tn -> let v = binder_vars dm tn in
            match v with
              | [] -> fprintf fmt "@ %t" vp
              | _ -> fprintf fmt "@ %t" << print_renaming vp blv elv tn in
        let print_l_elements tl fmt =
          list_printer print_l_element tl fmt in
        let print_l_elements fmt =
          fprintf fmt "%t%t"
            << list_printer (fun (_,_,_,_,tl) fmt -> print_l_elements tl fmt) bl
            << print_l_elements tl in

        let rec print_join tnv a l = match l with
          | [] -> a
          | (vp,_,_,ty) :: l -> match ty with
            | ITVar _ -> print_join tnv a l
            | ITDecl tn2 -> if List.mem tnv (binder_vars dm tn2)
              then let p fmt = fprintf fmt "%t.%t" vp
                << varset_field_name tnv tn2 in
                match a with None -> print_join tnv (Some p) l
                  | Some a -> print_join tnv (Some (varset_join tnv a p)) l
              else print_join tnv a l in
        let print_join tnv fmt =
          let a = List.fold_left (fun acc (_,_,_,_,tl) ->
            print_join tnv acc tl) None bl in
          match print_join tnv a tl with
            | None -> varset_empty tnv fmt
            | Some a -> a fmt in

        let print_fv_assertion vp blv elv tnv tn2 fmt =
          fprintf fmt "%tassert {@ %tforall@ x:%t.@ \
            %t%t@ %t@ %t@]@ ->@ (%tforall@ y:%t.@ \
            (%t%t@ y@ %t.%t@]@ /\\@ %teval@ (%t)@ y@ =@ %t@])@ ->@ \
            %t%t%t@ =@ %teval@ (%t)@ y@]@]@ &&@ %tx@ =@ y@]@ &&@ \
            %t%t@ x@ %t.%t@]@])@ &&@ %t%t@ x@ %t.%t@]@ \
            &&@ %t@ &&@ %t@]@ }@] ;@ "
            indent indent << nlfree_var_type_name tnv
            << indent << free_var_predicate_name tnv tn2
            << somes_printer (string_printer "x") (level tnv blv)
            << print_renaming vp blv elv tn2
            << indent << nlfree_var_type_name tnv
            << indent << free_var_predicate_name tnv tn2 << vp
            << model_field_name tn2 << indent << closure_renaming tnv blv elv
            << somes_printer (string_printer "x") (level tnv blv)
            << list_printer (fun vp2 fmt ->
                fprintf fmt "%ty@ <>@ %t@]@ &&@ " indent vp2
              ) (env_list tnv elv)
            << indent << somes_printer (string_printer "x") (level tnv blv)
            << indent << csomes_printer (level tnv blv)
            << indent << indent << free_var_predicate_name tnv tn2 << vp
            << model_field_name tn2
            << indent << free_var_predicate_name tnv tn2 << vp
            << model_field_name tn2
            << free_var_in_set_predicate tnv (string_printer "x") (fun fmt ->
              fprintf fmt "%t.%t" vp << varset_field_name tnv tn2)
            << free_var_in_set_predicate tnv (string_printer "x") (fun fmt ->
              fprintf fmt "res.%t" << varset_field_name tnv tn) in
        let print_fv_assertion (vp,blv,elv,ty) fmt = match ty with
          | ITVar _ -> ()
          | ITDecl tn -> list_printer (fun tnv fmt ->
            print_fv_assertion vp blv elv tnv tn fmt) (binder_vars dm tn) fmt in
        let print_fv_assertion tl fmt =
          list_printer print_fv_assertion tl fmt in
        let print_fv_assertion fmt =
          fprintf fmt "%t%t%t"
            << list_printer (fun (_,_,_,_,tl) fmt ->
              print_fv_assertion tl fmt) bl
            << print_fv_assertion tl
            << list_printer (fun tnv fmt ->
              let disj = ref false in
              let pdisj fmt = if !disj
                then fprintf fmt "@ \\/@ "
                else disj := true in
              let pvar (vp,blv,elv,ty) fmt = match ty with
                | ITDecl tn2 when List.mem tnv (binder_vars dm tn2) ->
                  fprintf fmt "%t%t%t@ %t@ %t@]"
                    pdisj indent << free_var_predicate_name tnv tn2
                    << somes_printer (string_printer "x") (level tnv blv)
                    << print_renaming vp blv elv tn2
                | _ -> () in
              let pvar tl fmt = list_printer pvar tl fmt in
              fprintf fmt "%tassert {@ %tforall@ x:%t.@ \
                %t%t@ x@ res.%t@]@ ->@ \
                (%t%t%t%t@])@ &&@ %t@]@ }@] ;@ "
                indent indent << nlfree_var_type_name tnv << indent
                << free_var_predicate_name tnv tn << model_field_name tn
                << indent << list_printer (fun (_,_,_,_,tl) fmt ->
                  pvar tl fmt) bl
                << pvar tl << (fun fmt -> if not(!disj)
                  then fprintf fmt "false")
                << free_var_in_set_predicate tnv (string_printer "x")
                  (fun fmt -> fprintf fmt "res.%t" << varset_field_name tnv tn)
            ) v
        in

        let print_model_assertion vp blv elv tn2 fmt =
          let update_list = TMap.fold (fun tnv l acc ->
              let l,_ = List.fold_left (fun (acc,n) bvp ->
                (bvp,tnv,n)::acc,n+1) ([],0) l in
              List.append l acc) elv [] in
          let updt = List.fold_left (fun up (bvp,tnv,n) ->
            nextup up tnv bvp n) (upd blv) update_list in
          let p1 tnv fmt =
            fprintf fmt "%t%t@ %t%t@]"
              indent << rename_subst_name tnv << subst_identity_name tnv
              << list_printer (fun tnv2 fmt ->
                fprintf fmt "@ %t" << closure_renaming tnv2 blv elv
              ) (binder_vars dm tnv) in
          let p2 tnv fmt =
            fprintf fmt "%trcompose@ (%t)@ (%t)@]" indent
              << closure_renaming tnv blv elv
              << open_renaming tnv elv in
          let p3 tnv fmt = fprintf fmt "(%tidentity :@ %t(%t)@ -> (%t)@]@])"
            indent indent << nlfree_var_type_name tnv
            << nlfree_var_type_name tnv in
          List.iter (fun tnv ->
            fprintf fmt "%tassert {@ %textensionalEqual@ (%t)@ (%t)@]@ }@] ;@ \
              %tassert {@ %t@ =@ %t@ }@] ;@ "
              indent indent << p1 tnv << updt tnv
              << indent << p1 tnv << updt tnv
            ) (binder_vars dm tn2) ;
          fprintf fmt "%t%t@ %t.%t%t@] ;@ %t"
            indent << model_equal_lemma_name tn2 << vp << data_field_name tn2
            << list_printer (fun tnv fmt ->
              fprintf fmt "@ (%t)@ (%t)@ (%t)@ \
                (%t%t@ (%tconst@ (%t%t@ %t@])@])%t@])"
                << p1 tnv << p1 tnv << bbase blv tnv
                << indent << rename_subst_name tnv
                << indent << indent << variable_name tnv
                << default_variable_value tnv << list_printer (fun tnv2 fmt ->
                  fprintf fmt "@ %t" << closure_renaming tnv2 blv elv
                ) (binder_vars dm tnv)
            ) (binder_vars dm tn2)
            << list_printer (fun tnv fmt ->
              fprintf fmt "(*%tassert {@ %textensionalEqual@ \
                (%t)@ (%t)@]@ }@] ;@ \
                %tassert {@ %t@ =@ %t@ }@] ;*)@ "
                << indent << indent << p2 tnv << p3 tnv
                << indent << p2 tnv << p3 tnv
            ) (binder_vars dm tn2) in
        let print_model_assertion (vp,blv,elv,ty) fmt = match ty with
          | ITVar _ -> ()
          | ITDecl tn2 -> print_model_assertion vp blv elv tn2 fmt in
        let print_model_assertion tl fmt =
          list_printer print_model_assertion tl fmt in
        let print_model_assertion fmt =
          fprintf fmt "%t%t"
            << list_printer (fun (_,_,_,_,tl) fmt ->
              print_model_assertion tl fmt) bl
            << print_model_assertion tl in

        let print_ok_assertion (vp,blv,elv,ty) fmt = match ty with
          | ITVar _ -> ()
          | ITDecl tn ->
            fprintf fmt "%tassert {@ %t%t@ %t@]@ }@] ;@ "
              indent indent << invariant_name tn << vp in
        let print_ok_assertion tl fmt =
          list_printer print_ok_assertion tl fmt in
        let print_ok_assertion fmt =
          fprintf fmt "%t%t"
            << list_printer (fun (_,_,_,_,tl) fmt ->
              print_ok_assertion tl fmt) bl
            << print_ok_assertion tl in

        fprintf fmt "%t%tlet@ res@ =@ %t{@ \
          %t%t@ =@ (%t%t%t@]) ;@]%t@ \
          %t%t@ =@ ghost@ (%t%s%t@]) ;@]@]@ }@]@ in@ %t%tres"
          << print_ok_assertion
          << indent << indent << indent << data_field_name tn
          << indent << nlcons_name cn << print_nl_elements
          << list_printer (fun tnv fmt ->
            fprintf fmt "@ %t%t@ =@ %t ;@]"
              indent << varset_field_name tnv tn
              << print_join tnv
            ) v
          << indent << model_field_name tn << indent
          << cons_name dm cn
          << print_l_elements
          << print_fv_assertion
          << print_model_assertion in

      fprintf fmt "%tlet@ %t@ (c:%t%t%t@]) :@ %t%t%t@]@ \
        %trequires {@ %t%t@ c@]@ }@]@ \
        %tensures {@ %t%t@ result@]@ }@]@ \
        %tensures {@ %t%t@ c@ result@]@ }@]@ \
        (*%tensures {@ %t%t@ c@ result@]@ }@]*)@ \
        =@ %t@]@\n@\n"
        indent << construction_operator_name tn << indent
        << constructor_type_name tn << params_printer
        << indent << impl_type_name tn << params_printer
        << indent << indent << constructor_invariant_name tn
        << indent << indent << invariant_name tn
        << indent << indent << constructor_relation_name tn
        << indent << indent << constructor_open_relation_name tn
        << cons_match_printer tn vcase ccase (string_printer "c") in
    make_for_defs print_decl

  let destruction_operator_printer fmt =
    let print_decl tn _ v =
      let bvcase _ fmt = fprintf fmt "absurd" in
      let fvcase vname fmt =
        fprintf fmt "%t@ %t" << constructor_variable_name tn << vname in
      let ccase (cn,_,_) (bvars,(blvf,vf)) fmt =
        (* Update utility. *)
        let upd tn fmt =
          fprintf fmt "(%tconst@ (%t%t@ %t@]) :@ %tint@ -> (%t%s%t%t@])@]@])"
            indent indent << variable_name tn << default_variable_value tn
            << indent << indent << type_name dm tn << params_printer
            << list_printer (fun tnv fmt ->
                fprintf fmt "@ %t" << nlfree_var_type_name tnv
              ) (binder_vars dm tn) in
        let nextup up tnvp bvp n tn fmt =
          if tn = tnvp
          then fprintf fmt "(%tupdate@ %t@ %d@ (%t%t@ %t@])@])"
            indent << up tn << n << indent << variable_name tn << bvp
          else up tn fmt in
        (* generate fresh variables. *)
        let bvars,elvf,_ = List.fold_left (fun (vars,elv,cnt) (blv,bo,vrs) ->
          let wp fmt = fprintf fmt "w%d" cnt in
          fprintf fmt "%tlet@ %t@ =@ %t@]@ in@ \
            %tlet@ fv%t@ =@ %t@]@ in@ " indent wp << varset_fresh bo (fun fmt ->
              fprintf fmt "fv%t" << tindex_printer bo)
            << indent << tindex_printer bo << varset_add bo wp (fun fmt ->
              fprintf fmt "fv%t" << tindex_printer bo) ;
          ((blv,elv,wp,bo,vrs)::vars,add_to_env bo wp elv,cnt+1)
        ) ([],TMap.empty,0) bvars in
        let bvars = List.rev bvars in
        (* Done generation. Inverse the model. *)
        let comma = ref false in
        let pcomma fmt = if !comma
          then fprintf fmt " ,@ "
          else comma := true in
        let pv (vp,_) fmt = fprintf fmt "%tm%t" pcomma vp in
        let pv l fmt = list_printer pv l fmt in
        let mvcase _ fmt = fprintf fmt "absurd" in
        let mccase (cn2,_,_) v fmt = if cn = cn2
          then let _ = comma := false in
            fprintf fmt "(%t%t@])" indent
              << list_printer (fun (vp,_,_) fmt ->
                fprintf fmt "%t%t" pcomma vp) v
          else fprintf fmt "absurd" in
        let vbase = string_printer "x" in
        let pva blv (vp,ty) fmt = match ty with
          | ITVar _ -> fprintf fmt "@ %t" vp
          | ITDecl tn -> fprintf fmt "@ (%t%t@ %t%t@])"
            indent << model_name tn << vp << list_printer (fun tnv fmt ->
              fprintf fmt "@ %t@ %t"
                << frenv_lift_printer (subst_identity_name tnv) blv tnv
                << benv_lift_printer (upd tnv) blv tnv
            ) (binder_vars dm tn)
        in
        let pva blv l fmt = list_printer (pva blv) l fmt in
        fprintf fmt "%tassert {@ t.%t@ =@ %t%s%t%t@]@ }@] ;@ "
          indent << model_field_name tn << indent << cons_name dm cn
          << list_printer (fun (blv,_,_,_,vrs) fmt -> pva blv vrs fmt) bvars
          << pva blvf vf ;
        fprintf fmt "%tlet@ (%t%t%t@])@ =@ %t@]@ in@ "
          indent indent
          << list_printer (fun (_,_,_,_,vrs) fmt -> pv vrs fmt) bvars
          << pv vf
          << match_printer ~vbase tn mvcase mccase (fun fmt ->
            fprintf fmt "t.%t" << model_field_name tn) ;
        (* Relation between inversed model/inversed data (strange,
           but become difficult to prove very quickly with other assertions
           stacking before). Basically, this is a problem coming with the
           fact that they are invariant of the inversed data. *)
        let pv blv elv (vp,ty) fmt = match ty with
          | ITVar _ -> ()
          | ITDecl tn2 ->
            fprintf fmt "%tassert {@ m%t@ =@ %t%t@ %t%t@]@ }@] ;@ "
              indent vp indent << model_name tn2 << vp
              << list_printer (fun tnv fmt ->
                fprintf fmt "@ (%t)@ (%t)"
                  << frenv_lift_printer (subst_identity_name tnv) blv tnv
                  << benv_lift_printer (upd tnv) blv tnv
              ) (binder_vars dm tn2) in
        let pv blv elv l fmt = list_printer (pv blv elv) l fmt in
        fprintf fmt "%t%t" << list_printer (fun (blv,elv,_,_,vrs) fmt ->
          pv blv elv vrs fmt) bvars << pv blvf elvf vf ;
        (* Idem for depth bound majorations and free variables
           set abstraction. *)
        let pv blv (vp,ty) fmt = match ty with
          | ITVar _ -> ()
          | ITDecl tn2 -> list_printer (fun tnv fmt ->
              let lv = level tnv blv in
              let rec aux n fmt = match n with
                | 0 -> fprintf fmt "%t%t@ x@ t.%t@]@ &&@ %t"
                  indent << free_var_predicate_name tnv tn
                  << model_field_name tn
                  << free_var_in_set_predicate tnv (string_printer "x")
                  (fun fmt -> fprintf fmt "t.%t" << varset_field_name tnv tn)
                | _ -> fprintf fmt "%tmatch x with@ %t| None@ ->@ true@]@ \
                  %t| Some x@ ->@ %t@]@]@ end"
                  << indent << indent << indent << aux (n-1) in
              fprintf fmt "%tassert {@ %t%t@ %t@]@ <=@ %d@ }@] ;@ \
                %tassert {@ %tforall x:%t.@ \
                  %t%t@ x@ m%t@]@ ->@ %t@]@ }@] ;@ "
                indent indent << bound_depth_name tnv tn2 << vp
                << lv << indent << indent
                << options_printer (nlfree_var_type_name tnv) lv
                << indent << free_var_predicate_name tnv tn2 << vp
                << aux lv
            ) (binder_vars dm tn2) fmt in
        let pv blv l fmt = list_printer (pv blv) l fmt in
        fprintf fmt "%t%t" << list_printer (fun (blv,_,_,_,vrs) fmt ->
          pv blv vrs fmt) bvars << pv blvf vf ;
        (* relation between fully inversed model/updated data model. *)
        let pv blv elv (vp,ty) fmt = match ty with
          | ITVar _ -> ()
          | ITDecl tn2 ->
            let updt = TMap.fold (fun tnv l up ->
              let _,up = List.fold_left (fun (n,up) bvp ->
                n+1,nextup up tnv bvp n) (0,up) l in up) elv upd in
            let bnd2 tnv fmt =
              fprintf fmt "%t%t@ (%t)%t@]"
                indent << rename_subst_name tnv
                << benv_lift_printer (upd tnv) blv tnv
                << list_printer (fun tnv2 fmt ->
                  fprintf fmt "@ (%t)" << open_renaming tnv2 elv
                ) (binder_vars dm tnv) in
            fprintf fmt "%t%t%t@ %t%t@] ;@ "
              << list_printer (fun tnv fmt ->
                let n0 = level tnv blv in
                for i = 0 to n0 - 1 do
                  fprintf fmt "%tassert {@ %teval@ (%t)@ %d@]@ =@ \
                    (%t%t@ (%t%t@ %t@])%t@])@ =@ %teval@ (%t)@ %d@]@ }@] ;@ "
                    indent indent << updt tnv << i << indent
                    << rename_name tnv
                    << indent << variable_name tnv
                    << somes_printer (string_printer "None") i
                    << list_printer (fun tnv2 fmt ->
                      fprintf fmt "@ (%t)" << open_renaming tnv2 elv
                    ) (binder_vars dm tnv)
                    << indent << bnd2 tnv << i
                done
              ) (binder_vars dm tn2)
              << indent << model_equal_lemma_name tn2 << vp
              << list_printer (fun tnv fmt ->
                fprintf fmt "@ %t@ (%t%t@ (%t)%t@]) (%t)@ (%t)"
                  << subst_identity_name tnv
                  << indent << rename_subst_name tnv
                  << frenv_lift_printer (subst_identity_name tnv) blv tnv
                  << list_printer (fun tnv2 fmt ->
                    fprintf fmt "@ (%t)" << open_renaming tnv2 elv
                  ) (binder_vars dm tnv)
                  << updt tnv << bnd2 tnv
              ) (binder_vars dm tn2) in
        let pv blv elv l fmt = list_printer (pv blv elv) l fmt in
        fprintf fmt "%t%t" << list_printer (fun (blv,elv,_,_,vrs) fmt ->
          pv blv elv vrs fmt) bvars << pv blvf elvf vf ;
        (* Finish inversion by renaming. *)
        let pv elv (vp,ty) fmt = match ty with
          | ITVar _ -> fprintf fmt "%tlet@ mr%t@ =@ m%t@]@ in@ " indent vp vp
          | ITDecl tn -> let v = binder_vars dm tn in
            match v with
              | [] -> fprintf fmt "%tlet@ mr%t@ =@ m%t@]@ in@ " indent vp vp
              | _ -> fprintf fmt "%tlet@ mr%t@ =@ %t%t@ m%t%t@]@]@ in@ "
                indent vp indent << rename_name tn << vp
                << list_printer (fun tnv fmt ->
                  fprintf fmt "@ %t" << open_renaming tnv elv) v in
        let pv elv l fmt = list_printer (pv elv) l fmt in
        fprintf fmt "%t%t"
          << list_printer (fun (_,elv,_,_,vrs) fmt -> pv elv vrs fmt) bvars
          << pv elvf vf ;
        (* Unbind the variables (here). *)
        let pv update_list (vp,ty) fmt = match ty with
          | ITVar _ -> ()
          | ITDecl tn2 -> list_printer (fun (bvp,n,tnv,up) fmt ->
              fprintf fmt "%tlet@ %t@ =@ \
                %t%t@ %t@ %d@ (%t%t@ %t@])%t%t@]@]@ in@ "
                indent vp indent << unbind_var_name tnv tn2 << vp
                << n << indent << free_variable_name tnv << bvp
                << list_printer (fun tnv2 fmt ->
                  fprintf fmt "@ (%tghost@ %t@])@ \
                    (%tghost@ %t@])"
                    << indent << subst_identity_name tnv2
                    << indent << up tnv2
                ) (binder_vars dm tn2)
                << list_printer (fun tnv2 fmt ->
                  fprintf fmt "@ (%tghost@ %t@])" indent << upd tnv2
                ) (binder_vars dm tnv)
            ) update_list fmt in
        let upl elv =
          let update_list,_ = TMap.fold (fun tnv l (acc,up) ->
            let acc,_,up = List.fold_left (fun (acc,n,up) bvp ->
              let nup = nextup up tnv bvp n in
              (bvp,n,tnv,up)::acc,n+1,nup) (acc,0,up) l in
            acc,up) elv ([],upd) in
          update_list in
        let pv elv l fmt = list_printer (pv (upl elv)) l fmt in
        fprintf fmt "%t%t"
          << list_printer (fun (_,elv,_,_,vrs) fmt -> pv elv vrs fmt) bvars
          << pv elvf vf ;
        (* Model inversed, build the resulting elements. *)
        let pv (vp,ty) fmt = match ty with
          | ITVar _ -> fprintf fmt "%tlet@ res%t@ =@ %t@]@ in@ " indent vp vp
          | ITDecl tn2 -> fprintf fmt "%tlet@ res%t@ =@ %t{@ \
            %t%t@ =@ %t ;@]@ %t\
            %t%t@ =@ ghost@ mr%t ;@]@ \
            @]@ }@]@ in@ "
            indent vp indent indent << data_field_name tn2 << vp
            << list_printer (fun tnv fmt ->
              fprintf fmt "%t%t@ =@ fv%t ;@]@ "
                indent << varset_field_name tnv tn2 << tindex_printer tnv
            ) (binder_vars dm tn2)
            << indent << model_field_name tn2 << vp
        in
        let pv l fmt = list_printer pv l fmt in
        fprintf fmt "%t%t"
          << list_printer (fun (_,_,_,_,vrs) fmt -> pv vrs fmt) bvars
          << pv vf ;
        (* Build the result *)
        let pv (vp,ty) fmt = fprintf fmt "@ res%t" << vp in
        let pv l fmt = list_printer pv l fmt in
        fprintf fmt "%tlet@ res@ =@ %t%t%t%t@]@]@ in@ "
          << indent << indent << constructor_cons_name cn
          << list_printer (fun (_,_,wp,_,vrs) fmt ->
            fprintf fmt "@ %t%t" wp << pv vrs) bvars
          << pv vf ;
        (* Assertions : open|close = identity over the free variables,
           so free-var equivalence lemma. *)
        let pv blv elv (vp,ty) fmt = match ty with
          | ITVar _ -> ()
          | ITDecl tn2 -> let p1 fmt = fprintf fmt "identity" in
              let p2 tnv fmt = fprintf fmt "%trcompose@ (%t)@ (%t)@]"
                << indent
                << open_renaming tnv elv
                << closure_renaming tnv blv elv in
              let pint tnv fmt = closure_renaming tnv blv elv fmt in
            list_printer (fun tnv fmt ->
              let e0 = env_list tnv elv in
              let rec aux nb n l fmt = match l with
                | [] -> let v = somes_printer (string_printer "x") nb in
                  fprintf fmt "%t%teval@ (%t)@ (%t)@]@ =@ \
                    %teval@ (%t)@ x@]@ =@ \
                    %teval@ (%t)@ (%t)@]" << list_printer (fun bvp fmt ->
                      fprintf fmt "%tx@ <>@ %t@]@ &&@ " indent bvp
                    ) e0
                    << indent << p1 << v << indent << pint tnv
                    << indent << p2 tnv << v
                | ovp :: l ->
                  let v = somes_printer (string_printer "None") nb in
                  fprintf fmt "%tmatch x with@ \
                    %t| None@ ->@ %teval@ (%t)@ (%t)@]@ =@ \
                    %teval@ (%t)@ %t@]@ =@ \
                    %teval@ (%t)@ (%t)@]@]@ \
                    %t| Some x@ ->@ %t@]@]@ end"
                    indent indent indent p1 v
                    indent << pint tnv << ovp << indent << p2 tnv << v
                    << indent << aux (nb+1) (n-1) l in
              let n0 = level tnv blv in
              (* n0 = 0 degenerates to identity || identity = identity. *)
              if n0 <> 0
              then fprintf fmt "%tassert {@ %tforall@ x:%t.@ \
                %t%t@ x@ m%t@]@ ->@ %t@]@ }@] ;@ "
                indent indent << options_printer (nlfree_var_type_name tnv) n0
                << indent << free_var_predicate_name tnv tn2 << vp
                << aux 0 n0 e0 ) (binder_vars dm tn2) fmt ;
            fprintf fmt "%t%t@ m%t%t@] ;@ "
              indent << free_var_equivalence_lemma_name false false tn2
              << vp << list_printer (fun tnv fmt ->
                fprintf fmt "@ (%t)@ (%t)" p1 << p2 tnv
              ) (binder_vars dm tn2) in
        let pv blv elv l fmt = list_printer (pv blv elv) l fmt in
        fprintf fmt "%t%t" << list_printer (fun (blv,elv,_,_,vrs) fmt ->
          pv blv elv vrs fmt) bvars << pv blvf elvf vf ;
        (* Assertions : free variables of opened terms are indeed in the set
           abstractions. *)
        let pv blv elv (vp,ty) fmt = match ty with
          | ITVar _ -> ()
          | ITDecl tn2 -> list_printer (fun tnv fmt ->
            let e0 = env_list tnv elv in
            let p = free_var_in_set_predicate tnv (string_printer "x")
              (fun fmt -> fprintf fmt "fv%t" << tindex_printer tnv) in
            let rec aux n l fmt = match l with
              | [] -> fprintf fmt "x@ =@ y@ &&@ %t%t@ x@ t.%t@]@ &&@ %t"
                indent << free_var_predicate_name tnv tn
                << model_field_name tn << p
              | ovp :: l -> fprintf fmt "%tmatch y with@ \
                  %t| None@ ->@ x@ =@ %t@ &&@ %t@]@ \
                  %t| Some y@ ->@ %t@]@]@ end@ "
                  indent indent << ovp << p << indent << aux (n-1) l in
            let lv = level tnv blv in
            fprintf fmt "%tassert {@ %tforall@ x:%t.@ \
              %t%t@ x@ mr%t@]@ ->@ (%tforall@ y:%t.@ \
              (%t%t%t@ y@ m%t@]@ /\\@ %teval@ (%t)@ y@]@ =@ x@])@ ->@ \
              %t@])@ &&@ %t@]@ }@] ;@ "
              indent indent << nlfree_var_type_name tnv
              << indent << free_var_predicate_name tnv tn2 << vp
              << indent << options_printer (nlfree_var_type_name tnv) lv
              << indent << indent << free_var_predicate_name tnv tn2 << vp
              << indent << open_renaming tnv elv << aux lv e0 << p
            ) (binder_vars dm tn2) fmt in
        let pv blv elv l fmt = list_printer (pv blv elv) l fmt in
        fprintf fmt "%t%t" << list_printer (fun (blv,elv,_,_,vrs) fmt ->
          pv blv elv vrs fmt) bvars << pv blvf elvf vf ;
        fprintf fmt "res" in

      fprintf fmt "%tlet@ %t@ (t:%t%t%t@]) :@ %t%t%t@]@ \
        %trequires {@ %t%t@ t@]@ }@]@ \
        %tensures {@ %t%t@ result@]@ }@]@ \
        %tensures {@ %t%t@ result@ t@]@ }@]@ \
        %tensures {@ %t%t@ result@ t@]@ }@]@ \
        =@ %t%t@]@\n@\n"
        indent << destruction_operator_name tn << indent
        << impl_type_name tn << params_printer
        << indent << constructor_type_name tn << params_printer
        << indent << indent << invariant_name tn
        << indent << indent << constructor_invariant_name tn
        << indent << indent << constructor_relation_name tn
        << indent << indent << constructor_open_relation_name tn
        << list_printer (fun tnv fmt ->
            fprintf fmt "%tlet@ fv%t@ =@ t.%t@]@ in@ " indent
              << tindex_printer tnv << varset_field_name tnv tn) v
        << nlmatch_printer tn fvcase bvcase ccase (fun fmt ->
          fprintf fmt "t.%t" << data_field_name tn) in
    make_for_defs print_decl

  let subst_operator_printer fmt =
    let print_decl tnv tn c v =
      let vv = binder_vars dm tnv in
      let sid tn fmt =
        fprintf fmt "(%t%t:@ %t(%t)@ -> (%t%s%t%t@])@]@])"
          indent << subst_identity_name tn
          << indent << nlfree_var_type_name tn
          << indent << type_name dm tn << params_printer
          << list_printer (fun tnv fmt ->
            fprintf fmt "@ (%t)" << nlfree_var_type_name tnv
          ) (binder_vars dm tn)
      in
      let b0 tn fmt = fprintf fmt "(%tconst@ (%t%t@ (-1)@])@])"
        indent indent << variable_name tn in
      let s fmt = fprintf fmt "(%tupdate@ %t@ x@ u.%t@])"
        indent << sid tnv << model_field_name tnv in
      let s' tnv2 fmt = if tnv2 = tnv
        then s fmt
        else sid tnv2 fmt in
      fprintf fmt "%tlet@ %t@ (t:%t%t%t@])@ (x:%t)@ (u:%t%t%t@]) :@ %t%t%t@]@ \
        %trequires {@ %t%t@ t@]@ }@]@ \
        %trequires {@ %t%t@ u@]@ }@]@ \
        %tensures {@ %t%t@ result@]@ }@]@ \
        %tensures {@ result.%t@ =@ %t%t@ t.%t%t@]@ }@]@ \
        =@ %t%t@ t.%t%t@];@ \
        %tlet@ res@ =@ %t{@ \
          %t%t@ =@ %t%t@ t.%t@ x@ u.%t%t%t@]@] ;@ \
          %t%t%t@ =@ ghost@ %t%t@ t.%t%t@]@] ;@]@ \
        }@]@ in@ %tres@]@\n@\n"
        indent << subst_operator_name tnv tn << indent << impl_type_name tn
        << params_printer << nlfree_var_type_name tnv
        << indent << impl_type_name tnv << params_printer
        << indent << impl_type_name tn << params_printer
        << indent << indent << invariant_name tn
        << indent << indent << invariant_name tnv
        << indent << indent << invariant_name tn
        << indent << model_field_name tn << indent << subst_name tn
        << model_field_name tn << list_printer (fun tnv2 fmt ->
          fprintf fmt "@ %t" << s' tnv2) v
        << indent << model_equal_lemma_name tn << data_field_name tn
        << list_printer (fun tnv2 fmt ->
          fprintf fmt "@ (%t%t@ %t%t@])@ (%t)@ (%t%t@ %t%t@])@ (%t)"
            indent << subst_compose_name tnv2 << subst_identity_name tnv2
            << list_printer (fun tnv3 fmt ->
              fprintf fmt "@ (%t)" << s' tnv3
            ) (binder_vars dm tnv2)
            << s' tnv2
            << indent << subst_compose_name tnv2 << b0 tnv2
            << list_printer (fun tnv3 fmt ->
              fprintf fmt "@ (%t)" << s' tnv3
            ) (binder_vars dm tnv2)
            << b0 tnv2
        ) v
        << indent << indent << indent << data_field_name tn
        << indent << subst_base_name tnv tn
        << data_field_name tn
        << data_field_name tnv
        << list_printer (fun tnv2 fmt ->
          fprintf fmt "@ (%t)@ (%t)" << subst_identity_name tnv2 << b0 tnv2
        ) v
        << list_printer (fun tnv2 fmt ->
          fprintf fmt "@ (%t)" << b0 tnv2
        ) vv
        << list_printer (fun tnv2 fmt ->
          fprintf fmt "%t%t@ =@ %t@] ;@ "
            indent << varset_field_name tnv2 tn << (if List.mem tnv2 vv
              then varset_join tnv2 (fun fmt ->
                fprintf fmt "t.%t" << varset_field_name tnv2 tn) (fun fmt ->
                fprintf fmt "u.%t" << varset_field_name tnv2 tnv)
              else fun fmt -> fprintf fmt "t.%t" << varset_field_name tnv2 tn)
        ) v
        << indent << model_field_name tn << indent << subst_name tn
        << model_field_name tn << list_printer (fun tnv2 fmt ->
          fprintf fmt "@ %t" << s' tnv2) v
        << list_printer (fun tnv2 fmt ->
          let p = free_var_in_set_predicate tnv2 << string_printer "x2"
            << fun fmt -> fprintf fmt "res.%t" << varset_field_name tnv2 tn in
          fprintf fmt "%tassert {@ %tforall@ x2:%t.@ \
            %t%t@ x2@ res.%t@]@ ->@ (%ttrue%t@])@ &&@ %t@]@ }@] ;@ "
            indent indent << nlfree_var_type_name tnv2
            << indent << free_var_predicate_name tnv2 tn
            << model_field_name tn << indent
            << list_printer (fun tnv3 fmt ->
              if List.mem tnv2 (binder_vars dm tnv3)
              then begin
                fprintf fmt "@ /\\@ (%tforall@ y:%t.@ \
                  (%t%t%t@ y@ t.%t@]@ /\\@ \
                  %t%t@ x2@ (%teval@ (%t)@ y@])@]@])@ ->@ "
                  indent << nlfree_var_type_name tnv3
                  << indent << indent << free_var_predicate_name tnv3 tn
                  << model_field_name tn << indent
                  << free_var_predicate_name tnv2 tnv3 << indent
                  << s' tnv3 ;
                if tnv3 = tnv
                then fprintf fmt "(%t(%t%tx@ =@ y@]@ ->@ %t@])@ \
                  /\\@ (%t%tx@ <>@ y@]@ ->@ %t)@])@ &&@ %t@])@]"
                  indent indent indent p indent indent
                  (fun fmt -> if tnv2 = tnv3
                    then fprintf fmt "%tx2@ =@ y@]@ &&@ %t" indent p
                    else fprintf fmt "false") p
                else if tnv2 = tnv3
                  then fprintf fmt "%tx2@ =@ y@]@ &&@ %t@])" indent p
                  else fprintf fmt "false@])"
              end
            ) (binder_vars dm tn)
            << p
        ) v
    in
    make_for_bdefs (fun tn c v ->
      List.iter (fun tnv ->
        print_decl tnv tn c v) v)

  let types_defs_printer fmt =
    type_defs_printer fmt ;
    implementation_type_printer fmt ;
    constructor_type_printer fmt

  let logics_defs_printer fmt =
    size_defs_printer fmt ;
    size_lemma_printer fmt ;
    shift_defs_printer fmt ;
    shift_lemma_printer fmt ;
    model_defs_printer fmt ;
    model_subst_commutation_lemma_printer fmt ;
    model_rename_commutation_lemma_printer fmt ;
    correct_indexes_printer fmt ;
    bound_depth_printer fmt ;
    bound_depth_lemma_printer fmt ;
    model_equal_lemma_printer fmt ;
    invariant_printer fmt ;
    constructor_invariant_printer fmt ;
    constructor_relation_printer fmt ;
    constructor_open_relation_printer fmt

  let impls_defs_printer fmt =
    bind_var_printer fmt ;
    unbind_var_printer fmt ;
    subst_base_printer fmt ;
    construction_operator_printer fmt ;
    destruction_operator_printer fmt ;
    subst_operator_printer fmt

end
why3-1.6.0/examples/prover/macro_generator/Macrogen_nameless.mli000066400000000000000000000022761440160026300250420ustar00rootroot00000000000000
open Macrogen_nlparams
open Macrogen_decls
open Macrogen_printing

module Printer : functor (P:PrintParameters) ->
  functor (NLP:NLParameters) -> sig
  
  val type_defs_printer : printer
  val size_defs_printer : printer
  val size_lemma_printer : printer
  val shift_defs_printer : printer
  val shift_lemma_printer : printer
  val model_defs_printer : printer
  val model_subst_commutation_lemma_printer : printer
  val model_rename_commutation_lemma_printer : printer
  val correct_indexes_printer : printer
  val bound_depth_printer : printer
  val bound_depth_lemma_printer : printer
  val model_equal_lemma_printer : printer
  val bind_var_printer : printer
  val unbind_var_printer : printer
  
  val implementation_type_printer : printer
  val invariant_printer : printer
  val constructor_type_printer : printer
  val constructor_invariant_printer : printer
  val constructor_relation_printer : printer
  val constructor_open_relation_printer : printer
  val construction_operator_printer : printer
  val destruction_operator_printer : printer
  val subst_operator_printer : printer
  
  
  val types_defs_printer : printer
  val logics_defs_printer : printer
  val impls_defs_printer : printer
  
end

why3-1.6.0/examples/prover/macro_generator/Macrogen_nlparams.ml000066400000000000000000000111701440160026300246700ustar00rootroot00000000000000
let (<<) f x = f x

open Macrogen_decls
open Macrogen_params
open Format

module rec X : module type of Macrogen_nlparams_sig = X
include X

module MakeDefaultP = functor (D0:Decls) -> struct
  
  open D0
  
  let nlfree_var_type_name _ fmt = fprintf fmt "int"
  
  let default_variable_value _ fmt = fprintf fmt "(-1)"
  
  let nltype_name tn fmt =
    fprintf fmt "nl_%s"
      << type_name dm tn
  
  let free_variable_name tn fmt =
    fprintf fmt "NLFVar_%s"
      << type_name dm tn
  
  let bound_variable_name tn fmt =
    fprintf fmt "NLBruijn_%s"
      << type_name dm tn
  
  let nlcons_name cn fmt =
    fprintf fmt "NL_%s"
      << cons_name dm cn
  
  let nlsize_name tn fmt =
    fprintf fmt "nlsize_%s"
      << type_name dm tn
  
  let nat_nlsize_name tn fmt =
    fprintf fmt "nat_nlsize_%s"
      << type_name dm tn
  
  let nlsize_lemma_name tn fmt =
    fprintf fmt "nlsize_positive_lemma_%s"
      << type_name dm tn
  
  let shift_name tn fmt =
    fprintf fmt "shiftb_%s"
      << type_name dm tn
  
  let shift_lemma_name tn fmt =
    fprintf fmt "shiftb_compose_lemma_%s"
      << type_name dm tn
  
  let model_name tn fmt =
    fprintf fmt "nlmodel_%s"
      << type_name dm tn
  
  let model_subst_commutation_lemma_name tn fmt =
    fprintf fmt "nlmodel_subst_commutation_lemma_%s"
      << type_name dm tn
  
  let model_rename_commutation_lemma_name tn fmt =
    fprintf fmt "nlmodel_rename_commutation_lemma_%s"
      << type_name dm tn
  
  let correct_indexes_name tn fmt =
    fprintf fmt "correct_indexes_%s" << type_name dm tn
  
  let bound_depth_name tnv tn fmt =
    fprintf fmt "bound_depth_of_%s_in_%s"
      << type_name dm tnv << type_name dm tn
  
  let bound_depth_lemma_name tnv tn fmt =
    fprintf fmt "bound_depth_of_%s_in_%s_nonnegative"
      << type_name dm tnv << type_name dm tn
  
  let model_equal_lemma_name tn fmt =
    fprintf fmt "model_equal_%s"
      << type_name dm tn
  
  let bind_var_name tnv tn fmt =
    fprintf fmt "bind_var_%s_in_%s"
      << type_name dm tnv << type_name dm tn
  
  let unbind_var_name tnv tn fmt =
    fprintf fmt "unbind_var_%s_in_%s"
      << type_name dm tnv << type_name dm tn
  
  let subst_base_name tnv tn fmt =
    fprintf fmt "subst_base_%s_in_%s"
      << type_name dm tnv << type_name dm tn
  
  let impl_type_name tn fmt =
    fprintf fmt "nlimpl_%s" << type_name dm tn
  
  let data_field_name tn fmt =
    fprintf fmt "nlrepr_%s_field" << type_name dm tn
  
  let varset_type_name _ fmt =
    fprintf fmt "int"
  
  let varset_field_name tnv tn fmt =
    fprintf fmt "nlfree_var_%s_set_abstraction_%s_field"
      << type_name dm tnv << type_name dm tn
  
  let model_field_name tn fmt =
    fprintf fmt "model_%s_field" << type_name dm tn
  
  let invariant_name tn fmt =
    fprintf fmt "%t_ok" << impl_type_name tn
  
  let free_var_in_set_predicate _ p1 p2 fmt =
    fprintf fmt "(%t)@ <@ (%t)" p1 p2
  
  let varset_singleton _ p1 fmt =
    fprintf fmt "(" ;
    pp_open_box fmt indent ;
    fprintf fmt "1@ +@ (%t)@])" p1
  
  let varset_empty _ fmt = fprintf fmt "0"
  
  (*let varset_join _ p1 p2 fmt =
    let indent fmt = pp_open_box fmt indent in
    fprintf fmt "(%t%tlet@ a@ =@ (%t)@]@ in@ \
      %tlet@ b@ =@ (%t)@]@ in@ \
      %tif a < b@ then b@ else a@]@])"
      indent indent p1 indent p2 indent*)
  
  (* For some reason, this version generates a
     VERY different wp structure ! *)
  let varset_join _ p1 p2 fmt =
    let indent fmt = pp_open_box fmt indent in
    fprintf fmt "(%t%tlet@ aux@ (a:int)@ (b:int) :@ int@ \
      %tensures@ {@ %tresult@ >=@ a@]@ /\\@ %tresult@ >=@ b@]@ }@]@ \
      =@ %tif a < b@ then b@ else a@]@]@ in@ %taux@ (%t)@ (%t)@]@])"
      indent indent indent indent indent indent indent p1 p2
  
  let varset_fresh _ p = p
  
  let varset_add tn p1 p2 fmt =
    varset_join tn (varset_singleton tn p1) p2 fmt
  
  let constructor_type_name tn fmt =
    fprintf fmt "cons_%s" << type_name dm tn
  
  let constructor_variable_name tn fmt =
    fprintf fmt "NLCVar_%s" << type_name dm tn
  
  let constructor_cons_name cn fmt =
    fprintf fmt "NLC_%s" << cons_name dm cn
  
  let constructor_invariant_name tn fmt =
    fprintf fmt "cons_ok_%s" << type_name dm tn
  
  let constructor_relation_name tn fmt =
    fprintf fmt "cons_rel_%s" << type_name dm tn
  
  let constructor_open_relation_name tn fmt =
    fprintf fmt "cons_open_rel_%s" << type_name dm tn
  
  let construction_operator_name tn fmt =
    fprintf fmt "construct_%s" << type_name dm tn
  
  let destruction_operator_name tn fmt =
    fprintf fmt "destruct_%s" << type_name dm tn
  
  let subst_operator_name tnv tn fmt =
    fprintf fmt "nlsubst_%s_in_%s" << type_name dm tnv << type_name dm tn
  
end

why3-1.6.0/examples/prover/macro_generator/Macrogen_nlparams.mli000066400000000000000000000001761440160026300250450ustar00rootroot00000000000000
open Macrogen_params

include module type of Macrogen_nlparams_sig

module MakeDefaultP : functor(D0:Decls) -> NLParameters

why3-1.6.0/examples/prover/macro_generator/Macrogen_nlparams_sig.mli000066400000000000000000000042511440160026300257050ustar00rootroot00000000000000
type printer = Format.formatter -> unit

open Macrogen_decls

module type NLParameters = sig
  
  val nlfree_var_type_name : TName.t -> printer
  val default_variable_value : TName.t -> printer
  val nltype_name : TName.t -> printer
  val free_variable_name : TName.t -> printer
  val bound_variable_name : TName.t -> printer
  val nlcons_name : CName.t -> printer
  val nlsize_name : TName.t -> printer
  val nat_nlsize_name : TName.t -> printer
  val nlsize_lemma_name : TName.t -> printer
  val shift_name : TName.t -> printer
  val shift_lemma_name : TName.t -> printer
  val model_name : TName.t -> printer
  val model_subst_commutation_lemma_name : TName.t -> printer
  val model_rename_commutation_lemma_name : TName.t -> printer
  val correct_indexes_name : TName.t -> printer
  val bound_depth_name : TName.t -> TName.t -> printer
  val bound_depth_lemma_name : TName.t -> TName.t -> printer
  val model_equal_lemma_name : TName.t -> printer
  val bind_var_name : TName.t -> TName.t -> printer
  val unbind_var_name : TName.t -> TName.t -> printer
  val subst_base_name : TName.t -> TName.t -> printer
  
  val impl_type_name : TName.t -> printer
  val data_field_name : TName.t -> printer
  val varset_type_name : TName.t -> printer
  val varset_field_name : TName.t -> TName.t -> printer
  val model_field_name : TName.t -> printer
  val invariant_name : TName.t -> printer
  val free_var_in_set_predicate : TName.t -> printer -> printer -> printer
  val varset_singleton : TName.t -> printer -> printer
  val varset_empty : TName.t -> printer
  val varset_join : TName.t -> printer -> printer -> printer
  val varset_fresh : TName.t -> printer -> printer
  val varset_add : TName.t -> printer -> printer -> printer
  val constructor_type_name : TName.t -> printer
  val constructor_variable_name : TName.t -> printer
  val constructor_cons_name : CName.t -> printer
  val constructor_invariant_name : TName.t -> printer
  val constructor_relation_name : TName.t -> printer
  val constructor_open_relation_name : TName.t -> printer
  val construction_operator_name : TName.t -> printer
  val destruction_operator_name : TName.t -> printer
  val subst_operator_name : TName.t -> TName.t -> printer
  
end

why3-1.6.0/examples/prover/macro_generator/Macrogen_params.ml000066400000000000000000000110001440160026300243260ustar00rootroot00000000000000
let (<<) f x = f x

open Macrogen_decls
open Format

module rec X : module type of Macrogen_params_sig = X
include X

module MakeDefaultP = functor (D0:Decls) -> struct
  
  include D0
  
  let variable_name tn fmt =
    fprintf fmt "Var_%s" << type_name dm tn
  
  let size_name tn fmt =
    fprintf fmt "size_%s" << type_name dm tn
  
  let nat_size_name tn fmt =
    fprintf fmt "nat_size_%s" << type_name dm tn
  
  let rename_name tn fmt =
    fprintf fmt "rename_%s" << type_name dm tn
  
  let size_lemma_name tn fmt =
    fprintf fmt "size_positive_lemma_%s" << type_name dm tn
  
  let subst_name tn fmt =
    fprintf fmt "subst_%s" << type_name dm tn
  
  let slift_name tn fmt =
    fprintf fmt "olifts_%s" << type_name dm tn
  
  let rename_subst_name tn fmt =
    fprintf fmt "rename_subst_%s" << type_name dm tn
  
  let subst_compose_name tn fmt =
    fprintf fmt "subst_compose_%s" << type_name dm tn
  
  let renaming_composition_lemma_name tn fmt =
    fprintf fmt "renaming_composition_lemma_%s" << type_name dm tn
  
  let rename_then_subst_composition_lemma_name tn fmt =
    fprintf fmt "rename_then_subst_composition_lemma_%s" << type_name dm tn
  
  let subst_then_rename_composition_lemma_name tn fmt =
    fprintf fmt "subst_then_rename_composition_lemma_%s" << type_name dm tn
  
  let subst_composition_lemma_name tn fmt =
    fprintf fmt "subst_composition_lemma_%s" << type_name dm tn
  
  let renaming_identity_lemma_name tn fmt =
    fprintf fmt "renaming_identity_lemma_%s" << type_name dm tn
  
  let subst_identity_lemma_name tn fmt =
    fprintf fmt "subst_identity_lemma_%s" << type_name dm tn
  
  let subst_identity_name tn fmt =
    fprintf fmt "subst_id_%s" << type_name dm tn
  
  let associativity_lemma_name (sub1,sub2,sub3) =
    let name = function true -> "subst" | false -> "rename" in
    let n1,n2,n3 = name sub1,name sub2,name sub3 in
    fun tn fmt ->
      fprintf fmt "associativity_%s_%s_%s_lemma_%s" n1 n2 n3 << type_name dm tn
  
  let right_rename_by_identity_lemma_name tn fmt =
    fprintf fmt "right_rename_subst_by_identity_lemma_%s" << type_name dm tn
  
  let right_subst_by_identity_lemma_name tn fmt =
    fprintf fmt "right_subst_subst_by_identity_lemma_%s" << type_name dm tn
  
  let left_rename_identity_lemma_name tn fmt =
    fprintf fmt "left_rename_subst_identity_lemma_%s" << type_name dm tn
  
  let left_subst_identity_lemma_name tn fmt =
    fprintf fmt "left_subst_subst_identity_lemma_%s" << type_name dm tn
  
  let slift_composition_lemma_name (b1,b2) tn fmt =
    let r b = if b then "subst" else "rename" in
    fprintf fmt "olifts_composition_lemma_%s_%s_%s"
      << r b1 << r b2 << type_name dm tn
  
  let subst_of_rename_name tn fmt =
    fprintf fmt "subst_of_rename_%s" << type_name dm tn
  
  let slift_identity_lemma_name tn fmt =
    fprintf fmt "olifts_identity_%s" << type_name dm tn
  
  let free_var_predicate_name tnv tn fmt =
    fprintf fmt "is_%s_free_var_in_%s" << type_name dm tnv << type_name dm tn
  
  let subst_free_var_inversion_helper_name sub tnv tn fmt =
    if sub
    then fprintf fmt "subst_free_var_constructive_inversion_%s_%s"
      << type_name dm tnv << type_name dm tn
    else fprintf fmt "rename_free_var_constructive_inversion_%s_%s"
      << type_name dm tnv << type_name dm tn
  
  let subst_free_var_inversion_lemma_name sub tnv tn fmt =
    if sub
    then fprintf fmt "subst_free_var_inversion_%s_%s"
      << type_name dm tnv << type_name dm tn
    else fprintf fmt "rename_free_var_inversion_%s_%s"
      << type_name dm tnv << type_name dm tn
  
  let rename_free_var_propagation_lemma_name tnv tn fmt =
    fprintf fmt "rename_free_var_propagation_%s_%s"
      << type_name dm tnv << type_name dm tn
  
  let subst_free_var_propagation_lemma_name tni tnv tn fmt =
    fprintf fmt "subst_free_var_propagation_%s_%s_%s"
      << type_name dm tni << type_name dm tnv << type_name dm tn
  
  let free_var_equivalence_lemma_name sub inv tn fmt =
    let p = if sub then "subst" else "rename" in
    fprintf fmt "free_var_%sequivalence_of_%s_%s"
      << (if inv then "derive_" else "")
      << p << type_name dm tn
  
  let close_name tnv tn fmt =
    fprintf fmt "close_%s_with_%s"
      << type_name dm tn << type_name dm tnv
  
  let openv_name tnv tn fmt =
    fprintf fmt "openv_%s_with_%s"
      << type_name dm tn << type_name dm tnv
  
  let opent_name tnv tn fmt =
    fprintf fmt "opent_%s_with_%s"
      << type_name dm tn << type_name dm tnv
  
  let size_preservation_lemma_name tn fmt =
    fprintf fmt "renaming_preserve_size_%s"
      << type_name dm tn
  
end

why3-1.6.0/examples/prover/macro_generator/Macrogen_params.mli000066400000000000000000000001441440160026300245060ustar00rootroot00000000000000
include module type of Macrogen_params_sig

module MakeDefaultP : functor(D0:Decls) -> Parameters

why3-1.6.0/examples/prover/macro_generator/Macrogen_params_sig.mli000066400000000000000000000043561440160026300253610ustar00rootroot00000000000000
type printer = Format.formatter -> unit

open Macrogen_decls

module type Decls = sig
  
  val dm : internal_decl
  val indent : int
  
end

module type Parameters = sig
  
  include Decls
  
  val variable_name : TName.t -> printer
  val size_name : TName.t -> printer
  val nat_size_name : TName.t -> printer
  val size_lemma_name : TName.t -> printer
  val slift_name : TName.t -> printer
  val rename_subst_name : TName.t -> printer
  val subst_compose_name : TName.t -> printer
  val renaming_composition_lemma_name : TName.t -> printer
  val rename_then_subst_composition_lemma_name : TName.t -> printer
  val subst_then_rename_composition_lemma_name : TName.t -> printer
  val subst_composition_lemma_name : TName.t -> printer
  val renaming_identity_lemma_name : TName.t -> printer
  val subst_identity_lemma_name : TName.t -> printer
  val associativity_lemma_name : bool * bool * bool -> TName.t -> printer
  val slift_composition_lemma_name : bool * bool -> TName.t -> printer
  val subst_identity_name : TName.t -> printer
  val slift_identity_lemma_name : TName.t -> printer
  val subst_of_rename_name : TName.t -> printer
  (* rename_subst s id = s *)
  val right_rename_by_identity_lemma_name : TName.t -> printer
  (* subst_compose s sid = s *)
  val right_subst_by_identity_lemma_name : TName.t -> printer
  (* rename_subst sid r = subst_of_rename r *)
  val left_rename_identity_lemma_name : TName.t -> printer
  (* subst_compose sid s = s *)
  val left_subst_identity_lemma_name : TName.t -> printer
  val rename_name : TName.t -> printer
  val subst_name : TName.t -> printer
  val free_var_predicate_name : TName.t -> TName.t -> printer
  val subst_free_var_inversion_helper_name :
    bool -> TName.t -> TName.t -> printer
  val subst_free_var_inversion_lemma_name :
    bool -> TName.t -> TName.t -> printer
  val rename_free_var_propagation_lemma_name : TName.t -> TName.t -> printer
  val subst_free_var_propagation_lemma_name :
    TName.t -> TName.t -> TName.t -> printer
  val free_var_equivalence_lemma_name : bool -> bool -> TName.t -> printer
  val close_name : TName.t -> TName.t -> printer
  val openv_name : TName.t -> TName.t -> printer
  val opent_name : TName.t -> TName.t -> printer
  val size_preservation_lemma_name : TName.t -> printer
  
end

why3-1.6.0/examples/prover/macro_generator/Macrogen_printing.ml000066400000000000000000000161071440160026300247120ustar00rootroot00000000000000
open Format
open Macrogen_decls
open Macrogen_params

module rec X : module type of Macrogen_printing_sig = X
include X

module Helper = functor (P:Parameters) -> struct

  open P

  let (<|) f x y = f y x
  let (<<) f x = f x

  let indent = pp_open_box <| indent
  let string_printer s = fprintf <| "%s" <| s

  let params_printer fmt =
    List.iter (fun tn -> fprintf fmt "@ 'a%s" << var_name dm tn) dm.var_params

  let level tn blv = try TMap.find tn blv with Not_found -> 0
  let inc_level tn blv = TMap.add tn ( 1 + level tn blv ) blv

  let tindex_printer tn = fprintf <| "%d" <| (tn:TName.t:>int)
  let tname_printer tn = fprintf <| "%s" <| type_name dm tn

  let rec rpapply_printer op middle times fmt = match times with
    | 0 -> fprintf fmt "%t" middle
    | n -> fprintf fmt "%t(%t@ %t)@]" indent op
      << rpapply_printer op middle (n-1)

  let options_printer = rpapply_printer << string_printer "option"
  let somes_printer = rpapply_printer << string_printer "Some"
  let csomes_printer =
    rpapply_printer << string_printer "compose some"
      << string_printer "identity"

  let list_printer f l fmt =
    List.iter (fun x -> f x fmt) l

  let sep_list_printer f s l fmt =
    let _ = List.fold_left (fun acc x -> (if acc
      then s fmt ) ; f x fmt ; true ) false l in ()

  let binding_type_printer ?(blevels=TMap.empty) p tn =
    options_printer (fprintf <| "'%t%t" <| p <| tindex_printer tn)
     (level tn blevels)

  let type_app_printer ?(blevels=TMap.empty) p tn fmt =
    fprintf fmt "%t%t%t@ %t@]" indent << tname_printer tn << params_printer
      << sep_list_printer (fun tn -> binding_type_printer ~blevels p tn)
         (fprintf <| "@ ") (binder_vars dm tn)

  let type_printer ?(blevels=TMap.empty) p ty fmt = match ty with
    | ITVar x -> fprintf fmt "'a%s" << var_name dm x
    | ITDecl tn -> type_app_printer ~blevels p tn fmt

  let make_first_case_printer p1 p2 =
    let a = ref true in
    fun fmt ->
      if !a
      then ( a:=false ; p1 fmt )
      else p2 fmt

  let rec_printer s =
    make_first_case_printer ( fprintf <| s ) ( fprintf <| "with" )
  let rec_fun_printer () = rec_printer "function"
  let rec_type_printer () = rec_printer "type"
  let rec_val_printer () = rec_printer "let rec"
  let rec_ind_printer () = rec_printer "inductive"

  let match_variables ?(blevels=TMap.empty) ?(vbase=string_printer "v")
    (cn,bl,tl) =
    let process_type blevels (vars,cnt) ty =
      let vprinter fmt = fprintf fmt "%t%d" vbase cnt in
      ((vprinter,blevels,ty)::vars,cnt+1) in
    let process_types blevels = List.fold_left (process_type blevels) in
    let (vars,blevels,cnt) =
      List.fold_left (fun (vars,blevels,cnt) (bo,tys) ->
        let nblevels = inc_level bo blevels in
        let vars,cnt = process_types blevels (vars,cnt) tys in
        (vars,nblevels,cnt) ) ( [] , blevels , 0 ) bl in
    let (vars,_) = process_types blevels (vars,cnt) tl in
    List.rev vars

  let cons_case_printer ?(blevels=TMap.empty) ?(vbase=string_printer "v")
    case (cn,bl,tl) fmt =
    let vars = match_variables ~blevels ~vbase (cn,bl,tl) in
    fprintf fmt "%t| %t%s%t@] ->@ %t%t@]@]" indent indent << cons_name dm cn
      << list_printer (fun (vp,_,_) fmt -> fprintf fmt "@ %t" vp) vars
      << indent << case vars

  let var_case_printer ?(vbase=string_printer "v") case tn fmt =
    let vname fmt = fprintf fmt "%t0" vbase in
    fprintf fmt "%t| %t%t@ %t0@] ->@ %t%t@]@]" indent indent
      << variable_name tn << vbase << indent << case vname

  let match_printer ?(blevels=TMap.empty) ?(vbase=string_printer "v")
    tn vcase ccase mt fmt =
    match type_def dm tn with
      | ITypeAssumption _ -> assert false
      | ITypeDef ( c , _ ) ->
        fprintf fmt "%tmatch %t with" indent mt ;
        (if c.var_present
         then fprintf fmt "@ %t" << var_case_printer ~vbase vcase tn);
        fprintf fmt "%t@]@ end"
          << list_printer (fun cs fmt ->
            fprintf fmt "@ %t%t@]" indent
              << cons_case_printer ~blevels ~vbase ( ccase cs ) cs) c.cons_list

  let make_for_defs f =
    TMap.iter (fun tn -> function
      | ITypeAssumption _ -> ()
      | ITypeDef ( c , v ) -> f tn c v) dm.type_decls

  let make_for_bdefs f =
    make_for_defs (fun tn c -> function
      | [] -> ()
      | v -> f tn c v)

  let make_for_vdefs f =
    make_for_defs (fun tn c v ->
      if c.var_present
      then f tn c v
      else ())

  let lemma_cons_case case _ vars fmt =
    fprintf fmt "%t()"
      << list_printer (fun (vname,blevels,ty) fmt ->
          match ty with
            | ITVar _ -> ()
            | ITDecl tn -> fprintf fmt "%t ;@ "
                << case vname blevels tn ) vars

  let blemma_cons_case case _ vars fmt =
    fprintf fmt "%t()"
      << list_printer (fun (vname,blevels,ty) fmt ->
          match ty with
            | ITVar _ -> ()
            | ITDecl tn -> match binder_vars dm tn with
              | [] -> ()
              | _ -> fprintf fmt "%t ;@ "
                << case vname blevels tn ) vars

  let reconstruct_cons_case case (cn,_,_) vars fmt =
    fprintf fmt "%t%s%t@]" indent << cons_name dm cn
      << list_printer (fun (vname,blevels,ty) fmt ->
          match ty with
            | ITVar _ -> fprintf fmt "@ %t" vname
            | ITDecl tn -> match binder_vars dm tn with
              | [] -> fprintf fmt "@ %t" vname
              | _ -> fprintf fmt "@ %t(%t)@]" indent
                << case vname blevels tn ) vars

  let lift_printer sub sp blevels tn fmt =
    let lift = if sub
      then slift_name tn
      else fprintf <| "olift" in
    let middle = rpapply_printer lift sp << level tn blevels in
    if sub
    then fprintf fmt "%t(%t@ %t%t)@]" indent << rename_subst_name tn
      << middle << list_printer (fun tn' fmt ->
         if tn = tn'
         then fprintf fmt "@ identity"
         else fprintf fmt "@ %t"
           (csomes_printer << level tn' blevels))
         (binder_vars dm tn)
    else middle fmt

  let subst_type_printer sub ?(blevels=TMap.empty) p1 p2 tn fmt =
    let p' p tn fmt = fprintf fmt "'%t%t" p << tindex_printer tn in
    fprintf fmt "%t%t ->" indent
      (options_printer << p' p1 tn << level tn blevels) ;
    if sub
    then fprintf fmt "@ %t(%t)@]@]" indent << type_app_printer ~blevels p2 tn
    else fprintf fmt "@ %t@]"
      (options_printer << p' p2 tn << level tn blevels)

  let print_composition sub1 sub2 tn p1 p2 fmt =
    if sub1
    then begin
      fprintf fmt "%t%t@ %t%t@]"
        indent
        (if sub2 then subst_compose_name tn else rename_subst_name tn) p1
        << list_printer (fun tn fmt ->
            fprintf fmt "@ %t" << p2 tn
          ) (binder_vars dm tn)
    end else fprintf fmt "%trcompose@ %t@ %t@]" indent p1 << p2 tn

  let typed_identity_printer sub b tn fmt =
    let name = if sub
      then subst_identity_name tn
      else string_printer "identity" in
    fprintf fmt "(%t%t :@ %t@])" indent name
      << subst_type_printer sub b b tn

  let typed_sor_printer p b tn fmt =
    fprintf fmt "(%t%t%t@ %t@] :@ %t@])" indent indent
      << subst_of_rename_name tn << p << type_app_printer b tn

end

module MakePP = functor (P0:Parameters) -> struct

  module P = P0
  module H = Helper(P)

end
why3-1.6.0/examples/prover/macro_generator/Macrogen_printing.mli000066400000000000000000000003551440160026300250610ustar00rootroot00000000000000
open Format
open Macrogen_params
open Macrogen_decls

include module type of Macrogen_printing_sig

module Helper : functor (P0:Parameters) -> HelperType

module MakePP : functor (P0:Parameters) -> PrintParameters with module P = P0



why3-1.6.0/examples/prover/macro_generator/Macrogen_printing_sig.mli000066400000000000000000000111661440160026300257250ustar00rootroot00000000000000
open Macrogen_params
open Macrogen_decls

module type HelperType = sig
  
  (* ~fun fmt -> fprintf fmt "@[" *)
  val indent : printer
  val string_printer : string -> printer
  val params_printer : printer
  val level : TName.t -> int TMap.t -> int
  val inc_level : TName.t -> int TMap.t -> int TMap.t
  val tindex_printer : TName.t -> printer
  val tname_printer : TName.t -> printer
  
  (* rpapply_printer p1 p2 n : print the n-times application
     of p1 to p2, inside parenthesis if n>= 1 *)
  val rpapply_printer : printer -> printer -> int -> printer
  
  (* operation : option _ *)
  val options_printer : printer -> int -> printer
  (* operation : Some _ *)
  val somes_printer : printer -> int -> printer
  (* operation : compose some _,with identity at the bottom.*)
  val csomes_printer : int -> printer
  
  val list_printer : ('a -> printer) -> 'a list -> printer
  val sep_list_printer : ('a -> printer) -> printer -> 'a list -> printer
  
  (* print binding type parameter inside the correct amount of options,
     given base prefix. *)
  val binding_type_printer :
    ?blevels:int TMap.t -> printer -> TName.t -> printer
  val type_app_printer : ?blevels:int TMap.t -> printer -> TName.t -> printer
  val type_printer : ?blevels:int TMap.t -> printer -> internal_types -> printer
  
  (* make_first_case_printer p1 p2 : print p1 the first time,
     p2 the others. *)
  val make_first_case_printer : printer -> printer -> printer
  (* variant for recursive logic functions *)
  val rec_fun_printer : unit -> printer
  (* variant for recursive types *)
  val rec_type_printer : unit -> printer
  (* variant for recursive procedures *)
  val rec_val_printer : unit -> printer
  (* variant for inductive predicates *)
  val rec_ind_printer : unit -> printer
  
  val match_variables : ?blevels:int TMap.t -> ?vbase:printer ->
    constr -> ( printer * int TMap.t * internal_types ) list
  
  (* cons_case_printer ~blevels ~vbase ccase cs :
     generate the match case for normal constructor cs,
     under binding context blevels, using vbase to generate
     bound variables in the pattern.
     call ccase with the left-to-right list of variables,
     together with correct binding context and type. *)
  val cons_case_printer :
    ?blevels:int TMap.t -> ?vbase:printer ->
    ( ( printer * int TMap.t * internal_types ) list -> printer ) ->
    constr -> printer
  
  (* var_case_printer ~vbase vcase tn : generate variable
     match case for type tn, with code given by
     vcase called over generated variable. Use vbase as base to
     generate variables in pattern-matching, default "v". *)
  val var_case_printer :
    ?vbase:printer -> (printer -> printer) -> TName.t -> printer
  
  (* match_printer _ _ tn vcase ccase t :
     print pattern-matching over t,using vcase for variable
     case and ccase for constructor case. *)
  val match_printer :
    ?blevels:int TMap.t -> ?vbase:printer -> TName.t ->
    ( printer -> printer ) ->
    ( constr -> ( printer * int TMap.t * internal_types ) list -> printer ) ->
    printer -> printer
  
  (* make_for_defs f : call f for each defined type, together
     with its constructors and its binding parameter list. *)
  val make_for_defs : (TName.t -> constructors -> TName.t list -> unit) -> unit
  
  (* make_for_bdefs f : as make_for_defs, but filter out
     types that do not have any binding parameter *)
  val make_for_bdefs : (TName.t -> constructors -> TName.t list -> unit) -> unit
  
  (* make_for_vdefs f : as make_for_defs, but filter out
     types that do not have the variable case
     (* = cannot be substituted *) *)
  val make_for_vdefs : (TName.t -> constructors -> TName.t list -> unit) -> unit
  
  val lemma_cons_case :
    ( printer -> int TMap.t -> TName.t -> printer ) ->
    ( constr -> ( printer * int TMap.t * internal_types ) list -> printer )
  
  val blemma_cons_case :
    ( printer -> int TMap.t -> TName.t -> printer ) ->
    ( constr -> ( printer * int TMap.t * internal_types ) list -> printer )
  
  val reconstruct_cons_case :
    ( printer -> int TMap.t -> TName.t -> printer ) ->
    ( constr -> ( printer * int TMap.t * internal_types ) list -> printer )
  
  val lift_printer :
    bool -> printer -> int TMap.t -> TName.t -> printer
  
  val subst_type_printer :
    bool -> ?blevels:int TMap.t -> printer -> printer -> TName.t -> printer
  
  val print_composition :
    bool -> bool -> TName.t -> printer -> ( TName.t -> printer ) -> printer
  
  val typed_identity_printer : bool -> printer -> TName.t -> printer
  
  val typed_sor_printer : printer -> printer -> TName.t -> printer
  
end

module type PrintParameters = sig
  
  module P : Parameters
  module H : HelperType
  
end


why3-1.6.0/examples/prover/macro_generator/Macrogen_theory.ml000066400000000000000000001271301440160026300243710ustar00rootroot00000000000000
let (<<) f x = f x
let (<|) f x y = f y x

open Macrogen_printing
open Macrogen_decls
open Format

module Printer = functor (P:PrintParameters) -> struct

  open P.P
  open P.H

  let type_defs_printer fmt =
    List.iter (fun scc ->
      let tp = rec_type_printer () in
      List.iter (fun tn ->
        match type_def dm tn with
          | ITypeAssumption _ -> ()
          | ITypeDef (c,v) -> let b = string_printer "b" in
            fprintf fmt "%t%t %t%t@] =@ " indent tp indent
              << type_app_printer b tn ;
            (if c.var_present
             then fprintf fmt "| %t %t@\n" << variable_name tn
               << binding_type_printer b tn);
            let pl blevels l fmt =
              List.iter (fun ty ->
                fprintf fmt "@ (%t)" << type_printer ~blevels b ty ) l in
            List.iter (fun (cn,bl,tl) ->
              fprintf fmt "%t| %s" indent << cons_name dm cn ;
              let blevels = List.fold_left (fun blevels (tnv,tl) ->
                pl blevels tl fmt ; inc_level tnv blevels ) TMap.empty bl in
              fprintf fmt "%t@]@\n" << pl blevels tl ) c.cons_list ;
            fprintf fmt "@]@\n@\n"
      ) scc
    ) dm.sccg

  let size_defs_printer fmt =
    let pr = rec_fun_printer () in
    let print_decl is_nat tn _ _ =
      let fn = if is_nat then nat_size_name else size_name in
      let tyn = if is_nat then "nat" else "int" in
      let unity = if is_nat then "one_nat" else "1" in
      let op = if is_nat
        then fun p fmt ->
          fprintf fmt "%tlet s = add_nat@ (%t)@ s in@]@ " indent p
        else fun p fmt -> fprintf fmt "let s = %t@ +@ s in@ " p in
      let vcase _ fmt = fprintf fmt "%s" unity in
      let cons_case _ v fmt =
        let rec aux v fmt = match v with
          | [] -> fprintf fmt "let s = %s in@ " unity
          | ( vn , _ , ty ) :: q -> match ty with
            | ITVar _ -> aux q fmt
            | ITDecl tn -> fprintf fmt "%t%t" << aux q
              << op (fprintf <| "%t%t@ %t@]" <| indent <| fn tn <| vn)
        in fprintf fmt "%ts" << aux v in
      fprintf fmt "%t%t %t@ (t:%t) :@ %s@ =@ %t@]@\n@\n" indent pr << fn tn
        << type_app_printer (string_printer "b") tn
        << tyn << match_printer tn vcase cons_case (string_printer "t") in
    make_for_defs << print_decl true ;
    make_for_defs << print_decl false

  let size_lemma_printer fmt =
    let pr = rec_val_printer () in
    let print_decl tn _ _ =
      let vcase _ fmt = fprintf fmt "()" in
      let cons_case = lemma_cons_case (fun vp blevels tn fmt ->
          fprintf fmt "%t%t@ %t@]" indent << size_lemma_name tn << vp
        ) in
      fprintf fmt "%t%t lemma %t@ (t:%t) :@ unit@ \
        %tensures {@ %t@ t@ >@ 0@ }@]@ \
        %tvariant {@ nat_to_int %t(%t@ t)@]@ }@]@ =@ %t@]@\n@\n" indent pr
        << size_lemma_name tn
        << type_app_printer (string_printer "b") tn
        << indent << size_name tn
        << indent << indent << nat_size_name tn
        << match_printer tn vcase cons_case (string_printer "t") in
    make_for_defs print_decl

  let subst_defs_printer sub fmt =
    let pr = rec_fun_printer () in
    let fn = if sub then subst_name else rename_name in
    let b = string_printer "b" in
    let c = string_printer "c" in
    let sp tn fmt = fprintf fmt "s%t" << tindex_printer tn in
    let print_decl tn _ v =
      let vcase = if sub
        then fun v fmt ->
          fprintf fmt "s%t@ %t" << tindex_printer tn << v
        else fun v fmt ->
          fprintf fmt "%t %t(s%t@ %t)@]" << variable_name tn
            << indent << tindex_printer tn << v in
      let ccase = reconstruct_cons_case (fun v blevels tn fmt ->
          fprintf fmt "%t@ %t%t" << fn tn << v
            << list_printer (fun tn fmt ->
                fprintf fmt "@ %t" << lift_printer sub (sp tn) blevels tn
              ) (binder_vars dm tn)
        ) in
      fprintf fmt "%t%t %t@ (t:%t)%t :@ %t@ =@ %t@]@\n@\n"
        indent pr << fn tn << type_app_printer b tn
        << list_printer (fun tn fmt ->
            fprintf fmt "@ (s%t:%t)" << tindex_printer tn
            << subst_type_printer sub b c tn
          ) v
        << type_app_printer c tn
        << match_printer tn vcase ccase (string_printer "t") in
    make_for_bdefs print_decl

  let composition_lemma_printer sub1 sub2 fmt =
    let fn = match sub1,sub2 with
      | false,false -> renaming_composition_lemma_name
      | false,true -> rename_then_subst_composition_lemma_name
      | true,false -> subst_then_rename_composition_lemma_name
      | true,true -> subst_composition_lemma_name in
    let fn0 s = if s then subst_name else rename_name in
    let fn1,fn2,fna = fn0 sub1,fn0 sub2,fn0 (sub1||sub2) in
    let pr = rec_val_printer () in
    let b = string_printer "b" in
    let c = string_printer "c" in
    let d = string_printer "d" in
    let sp id tn fmt = fprintf fmt "s%s%t" id << tindex_printer tn in
    let print_cargs blevels sub id tn fmt =
      let v = binder_vars dm tn in
      list_printer (fun tn fmt ->
        fprintf fmt "@ %t" << lift_printer sub (sp id tn) blevels tn
      ) v fmt in
    let print_nargs sub id tn fmt =
      let v = binder_vars dm tn in
      list_printer (fun tn fmt ->
        fprintf fmt "@ %t" << sp id tn) v fmt in
    let vcase _ fmt = fprintf fmt "()" in
    let ccase = blemma_cons_case (fun vp blevels tn fmt ->
        fprintf fmt "%t@ %t%t%t"
        << fn tn << vp << print_cargs blevels sub1 "1" tn
        << print_cargs blevels sub2 "2" tn ) in
    let print_decl tn _ v =
      let print_dargs sub a b id fmt =
        list_printer (fun tn fmt ->
          fprintf fmt "@ (s%s%t:%t)" id << tindex_printer tn
            << subst_type_printer sub a b tn
        ) v fmt in
      fprintf fmt "%t%t lemma %t@ (t:%t)%t%t :@ unit@ \
        %tensures {@ %t%t@ %t(%t@ t%t)%t@]@]@ =@ %t%t@ t%t@]@ }@]@ \
        %tvariant {@ %t@ t@ }@]@ =@ %t@]@\n@\n" indent pr << fn tn
        << type_app_printer b tn
        << print_dargs sub1 b c "1" << print_dargs sub2 c d "2"
        << indent << indent << fn2 tn << indent << fn1 tn
        << print_nargs sub1 "1" tn << print_nargs sub2 "2" tn
        << indent << fna tn << list_printer (fun tn fmt ->
          fprintf fmt "@ (%t)"
          << print_composition sub1 sub2 tn (sp "1" tn) (sp "2")
        ) v
        << indent << size_name tn
        << match_printer tn vcase ccase (string_printer "t") in
    make_for_bdefs print_decl

  let identity_lemma_printer sub fmt =
    let pr = rec_val_printer () in
    let fp = if sub then subst_name else rename_name in
    let fn = if sub then subst_identity_lemma_name
      else renaming_identity_lemma_name in
    let identity = if sub then fun tn -> subst_identity_name tn
      else fun _ fmt -> fprintf fmt "identity" in
    let b = string_printer "b" in
    let vcase _ fmt = fprintf fmt "()" in
    let ccase = blemma_cons_case (fun vp _ tn fmt ->
      fprintf fmt "%t@ %t" << fn tn << vp) in
    let print_decl tn _ v =
      fprintf fmt "%t%t lemma %t@ (t:%t) :@ unit@ \
        %tensures {@ %t%t@ t%t@]@ =@ t@ }@]@ \
        %tvariant {@ %t@ t@ }@]@ =@ %t@]@\n@\n" indent pr << fn tn
        << type_app_printer b tn
        << indent << indent << fp tn
        << list_printer (fun tn fmt ->
          fprintf fmt "@ %t" << identity tn) v
        << indent << size_name tn
        << match_printer tn vcase ccase (string_printer "t") in
    make_for_bdefs print_decl

  let subst_composition_def_printer sub fmt =
    let fn = if sub then subst_compose_name else rename_subst_name in
    let fp = if sub then subst_name else rename_name in
    let b,c,d = string_printer "b",string_printer "c",string_printer "d" in
    let print_decl tn _ v =
      let print_args = list_printer (fun tn fmt ->
        fprintf fmt "@ s1%t" << tindex_printer tn) v in
      let print_right fmt =
        fprintf fmt "%t%t@ (s0 x)%t@]"
          indent << fp tn << print_args in
      let print_left fmt =
        fprintf fmt "%tfunction %t@ (s0:%t)%t :@ %t@]"
          << indent << fn tn << subst_type_printer true b c tn
          << list_printer (fun tn fmt ->
            fprintf fmt "@ (s1%t:%t)" << tindex_printer tn
              << subst_type_printer sub c d tn) v
          << subst_type_printer true b d tn in
      fprintf fmt "(*%t@ Abstraction@ definition@ axiom :@ \
        %t%t@ =@ %t(\\ x:'b%t.%t)@]@]@ @]*)@\n%t@\n\
        %taxiom %t_definition :@ %tforall s0:%t%t,@ x:'b%t@].@ \
          %t%t@ s0%t@ x@]@ =@ %t@]@\n@\n"
        << indent << indent << print_left << indent << tindex_printer tn
        << print_right << print_left << indent << fn tn << indent
        << subst_type_printer true b c tn
        << list_printer (fun tn fmt ->
          fprintf fmt ",@ s1%t:%t" << tindex_printer tn
            << subst_type_printer sub c d tn) v
        << tindex_printer tn << indent << fn tn << print_args
        << print_right in
    make_for_vdefs print_decl

  let associativity_lemma_printer (sub1,sub2,sub3) fmt =
    let fn = associativity_lemma_name (sub1,sub2,sub3) in
    let print_decl tn _ v =
      let b,c,d,e = string_printer "b",string_printer "c",
        string_printer "d",string_printer "e" in
      let print_targs b c d id = list_printer (fun tn fmt ->
        fprintf fmt "@ (s%s%t:%t)" id << tindex_printer tn
          << subst_type_printer b c d tn) v in
      let s1 fmt = fprintf fmt "s1" in
      let s2 id tn fmt = fprintf fmt "s%s%t" id << tindex_printer tn in
      let p1 =
        let p0 tn fmt =
          fprintf fmt "(%t)"
            (print_composition sub2 sub3 tn << s2 "2" tn << s2 "3") in
        print_composition sub1 (sub2||sub3) tn s1 p0 in
      let p2 =
        let p0 fmt =
          fprintf fmt "(%t)"
            << print_composition sub1 sub2 tn s1 (s2 "2") in
        print_composition (sub1||sub2) sub3 tn p0 << s2 "3" in
      fprintf fmt "%tlet lemma %t@ (s1:%t)%t%t :@ unit@ \
        %tensures {@ %t@ =@ %t@ }@]@ =@ \
        %tassert {@ %textensionalEqual@ (%t)@ (%t)@]@ }@]@]@\n@\n"
        indent << fn tn << subst_type_printer sub1 b c tn
        << print_targs sub2 c d "2" << print_targs sub3 d e "3"
        << indent << p1 << p2 << indent << indent << p1 << p2 in
    make_for_vdefs print_decl

  let right_identity_lemma_printer sub fmt =
    let fn = if sub then right_subst_by_identity_lemma_name
      else right_rename_by_identity_lemma_name in
    let id = if sub then subst_identity_name
      else fun _ fmt -> fprintf fmt "identity" in
    let b,c = string_printer "b",string_printer "c" in
    let print_decl tn _ v =
      let p2 = string_printer "s0" in
      let p1 = print_composition true sub tn p2 id in
      fprintf fmt "%tlet lemma@ %t@ (s0:%t) :@ unit@ \
        %tensures {@ %t@ =@ %t@ }@]@ =@ \
        %tassert {@ %textensionalEqual@ (%t)@ (%t)@]@ }@]@]@\n@\n"
        indent << fn tn << subst_type_printer true b c tn
        << indent << p1 << p2 << indent << indent << p1 << p2
    in make_for_vdefs print_decl

  let left_identity_lemma_printer sub fmt =
    let fn = if sub then left_subst_identity_lemma_name
      else left_rename_identity_lemma_name in
    let b,c = string_printer "b",string_printer "c" in
    let print_decl tn _ v =
      let p2 tn fmt = fprintf fmt "s%t" << tindex_printer tn in
      let p1 = print_composition true sub tn
        << typed_identity_printer true  b tn << p2 in
      let p2 = if sub then p2 tn
        else fun fmt -> fprintf fmt "%t%t@ s%t@]" indent
          << subst_of_rename_name tn << tindex_printer tn in
      fprintf fmt "%tlet lemma@ %t%t :@ unit@ \
        %tensures {@ %t@ =@ %t@ }@]@ =@ \
        %tassert {@ %textensionalEqual@ (%t)@ (%t)@]@ }@]@]@\n@\n"
        indent << fn tn << list_printer (fun tn fmt ->
          fprintf fmt "@ (s%t:%t)" << tindex_printer tn
             << subst_type_printer sub b c tn) v
        << indent << p1 << p2 << indent << indent << p1 << p2 in
    make_for_vdefs print_decl

  let subst_identity_printer fmt =
    let b = string_printer "b" in
    let c = string_printer "c" in
    let print_decl tn _ _ =
      let print_right fmt =
        fprintf fmt "%t%t@ x@]" indent << variable_name tn in
      let print_left fmt =
        fprintf fmt "constant@ %t :@ %t" << subst_identity_name tn
          << subst_type_printer true b b tn in
      fprintf fmt "(*%t@ Abstraction@ definition@ axiom :@ \
        %t%t@ =@ (%t\\ x:'b%t.@ %t@])@]@]*)@\n\
        %t%t@]@\n%taxiom@ %t_definition :@ \
        %tforall x:'b%t.@ %t%teval %t@ x@]@ =@ %t@]@]@]@\n@\n"
        indent indent print_left indent << tindex_printer tn
        << print_right << indent << print_left << indent
        << subst_identity_name tn << indent << tindex_printer tn
        << indent << indent << typed_identity_printer true b tn
        << print_right ;
      fprintf fmt "%tfunction@ %t@ (r:%t) :@ %t@ =@ \
        %trcompose@ r@ %t@]@]@\n@\n"
        indent << subst_of_rename_name tn << subst_type_printer false b c tn
        << subst_type_printer true b c tn << indent << subst_identity_name tn ;
      let p1 fmt =
        fprintf fmt "(%t%t@ %t@])" indent << slift_name tn
          << typed_identity_printer true b tn in
      let p2 = subst_identity_name tn in
      fprintf fmt "%tlet lemma@ %t@ (_:'b%t) :@ unit@ \
        %tensures {@ %t@ =@ %t@ }@]@ =@ \
        %tassert {@ %tforall x:option 'b%t.@ \
          %tmatch x with@ \
            %t| None ->@ %teval@ (%t)@ x@]@ =@ %teval@ (%t)@ x@]@]@ \
            %t| Some y ->@ %teval@ (%t)@ x@]@ =@ %teval@ (%t)@ x@]@]@]@ \
          end@]@ }@] ;@ \
        %tassert {@ extensionalEqual@ (%t)@ (%t)@ }@]@]@\n@\n"
        indent << slift_identity_lemma_name tn << tindex_printer tn
        << indent << p1 << p2
        << indent << indent << tindex_printer tn
        << indent << indent << indent << p1 << indent << p2
        << indent << indent << p1 << indent << p2
        << indent << p1 << p2
      in
    make_for_vdefs print_decl

  let subst_lifting_printer fmt =
    let b,c = string_printer "b",string_printer "c" in
    let print_decl tn _ v =
      let blevels = inc_level tn TMap.empty in
      fprintf fmt "%tfunction@ %t@ (s:%t) :@ %t@ =@ \
        %tocase@ (%t%t@ s%t@])@ (%t%t@ None@])@]@]@\n@\n"
        indent << slift_name tn
        << subst_type_printer true b c tn
        << subst_type_printer true ~blevels b c tn
        << indent << indent << rename_subst_name tn
        << list_printer (fun tn' fmt ->
          if tn = tn' then fprintf fmt "@ some" else fprintf fmt "@ identity") v
        << indent << variable_name tn
    in
    make_for_vdefs print_decl

  let lifting_composition_lemma_printer (sub1,sub2) fmt =
    let b,c,d = string_printer "b",string_printer "c",string_printer "d" in
    let li s = if s then slift_name else fun _ fmt -> fprintf fmt "olift" in
    let li1,li2,lic = li sub1,li sub2,li (sub1||sub2) in
    let print_decl tn _ v =
      let blevels = inc_level tn TMap.empty in
      let print_targ tn fmt = fprintf fmt "@ (s2%t:%t)" << tindex_printer tn
        << subst_type_printer sub2 c d tn in
      let pa = if sub1
        then list_printer print_targ v
        else print_targ tn in
      let p0 tn fmt = fprintf fmt "s2%t" << tindex_printer tn in
      let p1 fmt =
        fprintf fmt "(%t%t@ (%t)@])" indent << lic tn
          << (print_composition sub1 sub2 tn << string_printer "s1"
            << fun tn fmt -> fprintf fmt "s2%t" << tindex_printer tn) in
      let p2 =
        let side1 fmt = fprintf fmt "(%t%t@ s1@])" indent << li1 tn in
        let side2 tn' fmt = if tn = tn'
          then fprintf fmt "(%t%t@ s2%t@])" indent
            << li2 tn << tindex_printer tn
          else lift_printer sub2 (p0 tn') blevels tn' fmt in
        print_composition sub1 sub2 tn side1 side2 in
      let cname = if sub2 then subst_name else rename_name in
      let pint fmt = if sub1
        then fprintf fmt "%t%t@ (%t%t@ (s1 y)%t@])%t@]"
          indent << cname tn << indent << rename_name tn
            << list_printer (fun tn' fmt -> if tn = tn'
              then fprintf fmt "@ some" else fprintf fmt "@ identity") v
            << list_printer (fun tn fmt ->
              fprintf fmt "@ %t" << lift_printer sub2 (p0 tn) blevels tn) v
        else fprintf fmt "%teval (%t) (%trcompose@ s1@ some@ y@])@]" indent
          << lift_printer sub2 (p0 tn) blevels tn
          << indent in
      let pint2 =
        let side1 fmt = fprintf fmt "s1" in
        let side2 = if sub2 then fun tn' fmt ->
            fprintf fmt "(%t%t@ s2%t%t@])"
              indent << rename_subst_name tn' << tindex_printer tn'
              << list_printer (fun tn'' fmt ->
                  if tn = tn'' then fprintf fmt "@ some"
                  else fprintf fmt "@ identity" ) (binder_vars dm tn')
          else fun tn' fmt -> if tn = tn'
            then fprintf fmt "(%trcompose@ s2%t@ some)@]" indent
              << tindex_printer tn
            else fprintf fmt "s2%t" << tindex_printer tn' in
        print_composition sub1 sub2 tn side1 side2 in
      fprintf fmt "%tlet lemma@ %t@ (s1:%t)%t :@ unit@ \
        %tensures {@ %t@ =@ %t }@]@ =@ \
        %tassert {@ %tforall x:option 'b%t.@ \
          %tmatch x with@ | None ->@ \
            %t%teval@ (%t)@ x@]@ =@ %teval@ (%t)@ x@]@]@ \
            | Some y ->@ %t%teval@ (%t)@ x@]@ =@ %teval@ (%t)@ y@]@ \
              =@ %t =@ %teval@ (%t)@ x@]@]@]@ end@]@ \
          }@] ;@ %tassert {@ %textensionalEqual@ (%t)@ (%t)@]@ }@]@]@\n@\n"
        indent << slift_composition_lemma_name (sub1,sub2) tn
        << subst_type_printer sub1 b c tn << pa << indent << p1 << p2
        << indent << indent << tindex_printer tn << indent
        << indent << indent << p1 << indent << p2
        << indent << indent << p1 << indent << pint2 << pint << indent << p2
        << indent << indent << p1 << p2 in
    make_for_vdefs print_decl

  let free_var_def_printer fmt =
    let pr = make_first_case_printer
      << string_printer "predicate"
      << string_printer "with" in
    let b = string_printer "b" in
    let print_decl tnv tn _ v =
      let vcase vname fmt =
        if tn = tnv
        then fprintf fmt "%t@ =@ x" vname
        else fprintf fmt "false" in
      let ccase _ vlist fmt =
        let printed = ref false in
        List.iter (fun (vname,blv,ct) -> match ct with
          | ITVar _ -> ()
          | ITDecl tn -> if List.mem tnv (binder_vars dm tn)
            then begin
                 (if !printed then fprintf fmt "@ \\/@ " else printed := true);
                fprintf fmt "%t%t@ %t@ %t@]" indent
                  << free_var_predicate_name tnv tn
                  << somes_printer (string_printer "x") (level tnv blv)
                  << vname
              end) vlist ;
        if not(!printed)
        then fprintf fmt "false" in
      fprintf fmt "%t%t@ %t@ (x:'b%t)@ (t:%t)@ =@ %t@]@\n@\n"
        indent pr << free_var_predicate_name tnv tn << tindex_printer tnv
        << type_app_printer b tn
        << match_printer tn vcase ccase (string_printer "t") in
    make_for_bdefs (fun tn c v ->
      List.iter (fun tnv -> print_decl tnv tn c v) v)

  let subst_free_var_inversion_printer sub fmt =
    let pr = rec_val_printer () in
    let b,c,x = string_printer "b",string_printer "c",string_printer "x" in
    let sum_type p v fmt =
      let rec aux tn1 l fmt = match l with
        | [] -> p tn1 fmt
        | tn2 :: q -> fprintf fmt "%tsum@ (%t%t@])@ (%t%t@])@]"
          indent indent << p tn1 << indent << aux tn2 q in
      match v with
        | [] -> assert false
        | tn :: q -> aux tn q fmt in
    let sum_matching p v fmt =
      let rec aux tn1 l fmt = match l with
        | [] -> p tn1 fmt
        | tn2 :: q -> fprintf fmt "%tmatch@ sumx@ with@ \
          %t| Left@ sumx@] ->@ %t%t@]@ \
          %t| Right@ sumx@] ->@ %t%t@]@]@ end"
          indent indent indent << p tn1 << indent << indent << aux tn2 q in
      match v with
        | [] -> assert false
        | tn :: q -> aux tn q fmt in
    let rec rule_nones_out p n fmt = match n with
      | 0 -> p fmt
      | _ -> fprintf fmt "%tmatch@ sumx@ with@ \
          %t| None ->@ absurd@]@ \
          %t| Some sumx ->@ %t@]@] end" indent indent
          indent << rule_nones_out p (n-1) in

    let print_decl tnv tn _ v =
      let v0 = List.filter (fun tn2 ->
        List.mem tnv (binder_vars dm tn2)) v in
      let vcase = if sub
        then fun vname ->
          let rec aux l fmt = match l with
            | [] -> assert false
            | tnvr :: [] -> vname fmt
            | tnvr :: _ when tn = tnvr -> fprintf fmt "Left %t" vname
            | tnvr :: q -> fprintf fmt "%tRight@ (%t)@]" indent << aux q in
          aux v0
        else if tnv = tn
        then fun vname -> vname
        else fun _ -> string_printer "absurd" in
      let ccase _ vlist fmt =
        let rec aux l fmt = match l with
          | [] -> fprintf fmt "absurd"
          | (vname,blv,ITDecl tn2) :: q
            when List.mem tnv (binder_vars dm tn2) ->
              let lv = level tnv blv in
              let v2 = binder_vars dm tn2 in
              let args fmt =
                fprintf fmt "%t%t" vname
                  << list_printer (fun tn fmt ->
                    fprintf fmt "@ %t"
                      << lift_printer sub (fun fmt ->
                      fprintf fmt "s%t" << tindex_printer tn) blv tn
                    ) v2 in
              fprintf fmt "%tif %t%t@ %t@ (%t%t@ %t@])@]@ \
                %tthen@ %tlet sumx =@ %t%t@ %t@ %t@]@]@ in@ %t@ @]@ \
                %telse@ %t@]@]"
                indent indent << free_var_predicate_name tnv tn2
                << somes_printer x lv << indent
                << (if sub then subst_name tn2 else rename_name tn2)
                << args << indent << indent << indent
                << subst_free_var_inversion_helper_name sub tnv tn2
                << somes_printer x lv
                << args
                << (if sub
                  then sum_matching (fun tnvr ->
                      rule_nones_out (let rec aux l fmt = match l with
                          | [] -> assert false
                          | tnvr2 :: q when tnvr = tnvr2 ->
                            let base = match q with [] -> "sumx"
                              | _ -> "Left sumx" in
                            fprintf fmt "%tlet y =@ \
                              %t%t@ %t@ (%teval@ s%t@ sumx@])%t@] @]@ in@ \
                              %tassert {@ y@ =@ x@ }@] ;@ %s"
                              << indent << indent
                              << subst_free_var_inversion_helper_name
                                   false tnv tnvr
                              << somes_printer x (level tnv blv)
                              << indent << tindex_printer tnvr
                              << list_printer (fun tn fmt ->
                                fprintf fmt "@ %t"
                                  (csomes_printer << level tn blv))
                                  (binder_vars dm tnvr)
                              << indent << base
                          | tnvr2 :: q -> fprintf fmt "%tRight@ (%t)@]"
                            indent << aux q
                        in aux v0) (level tnvr blv)
                    ) (List.filter (fun tnx ->
                      List.mem tnv (binder_vars dm tnx)) (binder_vars dm tn2))
                  else rule_nones_out (string_printer "sumx") lv
                  )
                << indent << aux q
          | _ :: q -> aux q fmt in
        aux vlist fmt in
      let prefix gh name fmt =
        fprintf fmt "%t%t@ %s@ %t@ (x:'c%t)@ (t:%t)%t :@ %t@ \
          %trequires {@ %t%t@ x@ (%t%t@ t%t@])@]@ }@]@ "
          indent pr << (if gh then "ghost" else "lemma") << name
          << tindex_printer tnv
          << type_app_printer b tn << list_printer (fun tn fmt ->
            fprintf fmt "@ (s%t:%t)" << tindex_printer tn
              << subst_type_printer sub b c tn) v
          << (if gh
            then if sub
              then sum_type (fun tn fmt ->
                  fprintf fmt "'b%t" << tindex_printer tn
                ) v0
              else fun fmt -> fprintf fmt "'b%t" << tindex_printer tnv
            else string_printer "unit" )
          << indent << indent << free_var_predicate_name tnv tn << indent
          << (if sub then subst_name tn else rename_name tn)
          << list_printer (fun tn fmt ->
            fprintf fmt "@ s%t" << tindex_printer tn) v in

      fprintf fmt "%t%tensures {@ %t@ }@]@ \
        %tvariant {@ %t%t@ t@]@ }@]@ =@ \
        %t@]@\n@\n"
        << prefix true (subst_free_var_inversion_helper_name sub tnv tn)
        << indent << (if sub
          then fun fmt -> fprintf fmt "%tlet sumx =@ result@]@ in@ %t"
            indent << sum_matching (fun tn' fmt ->
              fprintf fmt "%t%t@ sumx@ t@]@ /\\@ %t%t@ x@ (%ts%t@ sumx@])@]"
                indent << free_var_predicate_name tn' tn << indent
                << free_var_predicate_name tnv tn' << indent
                << tindex_printer tn' ) v0
          else fun fmt ->
            fprintf fmt "%t%t@ result@ t@]@ /\\@ s%t result@ =@ x" indent
              << free_var_predicate_name tnv tn
              << tindex_printer tnv)
        << indent << indent << size_name tn
        << match_printer tn vcase ccase (string_printer "t") ;
      fprintf fmt "%t%tensures {@ %t@ }@]@ \
        %tvariant { 1 + %t%t@ t@] }@]@ =@ \
        %tlet sumx =@ %t%t@ x@ t%t@]@]@ in@ \
        %t@]@\n@\n"
        << prefix false (subst_free_var_inversion_lemma_name sub tnv tn)
        << indent << (if sub
          then sep_list_printer (fun tnvr fmt ->
              fprintf fmt "(%texists y:'b%t.@ \
                %t%t@ y@ t@]@ /\\@ %t%t@ x@ (s%t y)@]@])"
                indent << tindex_printer tnvr << indent
                << free_var_predicate_name tnvr tn
                << indent << free_var_predicate_name tnv tnvr
                << tindex_printer tnvr
            )
            (fun fmt -> fprintf fmt "@ \\/@ ")
            v0
          else fun fmt ->
            fprintf fmt "%texists y:'b%t.@ \
              %t%t@ y@ t@]@ /\\@ %ts%t y@ =@ x@]@]"
              indent << tindex_printer tnv
              << indent << free_var_predicate_name tnv tn
              << indent << tindex_printer tnv
            )
        << indent << indent << size_name tn
        << indent << indent << subst_free_var_inversion_helper_name sub tnv tn
        << list_printer (fun tn fmt ->
            fprintf fmt "@ s%t" << tindex_printer tn) v
        << if sub
          then sum_matching (fun _ fmt ->
                fprintf fmt "()") v0
          else fun fmt -> fprintf fmt "()"
    in

    make_for_bdefs (fun tn c v ->
      List.iter (fun tnv ->
        print_decl tnv tn c v) v)

  let rename_free_var_propagation_lemma_printer fmt =
    let pr = rec_val_printer () in
    let b,c = string_printer "b",string_printer "c" in
    let print_decl tnv tn _ v =
      let vcase _ fmt = fprintf fmt "()" in
      let ccase = blemma_cons_case (fun vname blv tn fmt ->
        if List.mem tnv (binder_vars dm tn)
        then fprintf fmt "%t@ %t@ %t%t"
          << rename_free_var_propagation_lemma_name tnv tn
          << somes_printer (string_printer "x") (level tnv blv)
          << vname << list_printer (fun tn fmt ->
            fprintf fmt "@ (%t)" << lift_printer false (fun fmt ->
              fprintf fmt "s%t" << tindex_printer tn
            ) blv tn
          ) (binder_vars dm tn)
        else fprintf fmt "()"
      ) in
      fprintf fmt "%t%t@ lemma@ %t@ (x:'b%t)@ (t:%t)%t :@ unit@ \
        %tensures {@ %t%t@ x t@] ->@ %t%t@ (s%t x)@ (%t%t@ t%t@])@]@ }@]@ \
        %tvariant {@ %t@ t@ }@]@ =@ %t@]@\n@\n"
        indent pr << rename_free_var_propagation_lemma_name tnv tn
        << tindex_printer tnv << type_app_printer b tn
        << list_printer (fun tn fmt ->
          fprintf fmt "@ (s%t:%t)" << tindex_printer tn
            << subst_type_printer false b c tn) v
        << indent << indent << free_var_predicate_name tnv tn
        << indent << free_var_predicate_name tnv tn
        << tindex_printer tnv << indent << rename_name tn
        << list_printer (fun tn fmt ->
          fprintf fmt "@ s%t" << tindex_printer tn) v
        << indent << size_name tn
        << match_printer tn vcase ccase (string_printer "t")
    in
    make_for_bdefs (fun tn c v ->
      List.iter (fun tnv ->
        print_decl tnv tn c v) v)

  let subst_free_var_propagation_lemma_printer fmt =
    let pr = rec_val_printer () in
    let b,c = string_printer "b",string_printer "c" in
    let print_decl tni tnv tn _ v =
      let vcase _ fmt = fprintf fmt "()" in
      let ccase = blemma_cons_case (fun vname blv tn fmt ->
        if List.mem tni (binder_vars dm tn)
        then let sx = somes_printer (string_printer "x") (level tni blv) in
          let sy = somes_printer (string_printer "y") (level tnv blv) in
          let li tn = lift_printer true (fun fmt ->
          fprintf fmt "s%t" << tindex_printer tn) blv tn in
          fprintf fmt "%t%t@ %t@ %t@ %t%t@] ;@ \
            %t%t@ y@ (eval s%t x)%t@] ;@ \
            %tassert {@ %t%t@ y@ (s%t x)@] ->@ \
            %t%t@ %t@ (%teval@ (%t)@ %t@])@]@ }@]"
            indent << subst_free_var_propagation_lemma_name tni tnv tn
            << sx << sy
            << vname << list_printer (fun tn fmt ->
              fprintf fmt "@ (%t)" << li tn) (binder_vars dm tn)
            << indent << rename_free_var_propagation_lemma_name tnv tni
            << tindex_printer tni << list_printer (fun tn fmt ->
              fprintf fmt "@ %t" << csomes_printer (level tn blv))
              (binder_vars dm tni)
            << indent << indent << free_var_predicate_name tnv tni
            << tindex_printer tni
            << indent << free_var_predicate_name tnv tni
            << sy << indent << li tni << sx
        else fprintf fmt "()") in
      fprintf fmt "%t%t@ lemma@ %t@ (x:'b%t)@ (y:'c%t)@ (t:%t)%t: @ unit@ \
        %tensures {@ %t%t%t@ x t@]@ /\\@ %t%t@ y@ (s%t x)@]@] ->@ \
          %t%t@ y@ (%t%t@ t%t@])@]@ }@]@ \
        %tvariant {@ %t@ t@ }@]@ =@ %t@]@\n@\n"
        indent pr << subst_free_var_propagation_lemma_name tni tnv tn
        << tindex_printer tni << tindex_printer tnv
        << type_app_printer b tn
        << list_printer (fun tn fmt ->
          fprintf fmt "@ (s%t:%t)" << tindex_printer tn
            << subst_type_printer true b c tn) v
        << indent << indent << indent << free_var_predicate_name tni tn
        << indent << free_var_predicate_name tnv tni << tindex_printer tni
        << indent << free_var_predicate_name tnv tn
        << indent << subst_name tn
        << list_printer (fun tn fmt ->
          fprintf fmt "@ s%t" << tindex_printer tn) v
        << indent << size_name tn
        << match_printer tn vcase ccase (string_printer "t")
    in
    make_for_bdefs (fun tn c v ->
      List.iter (fun tni ->
        List.iter (fun tnv ->
          print_decl tni tnv tn c v
        ) (binder_vars dm tni)
      ) v)

  let free_var_equivalence_lemma_prelude sub inv pr tn c v fmt =
    let b,c = string_printer "b",string_printer "c" in
    let sn = if sub then subst_name tn else rename_name tn in
    let ens,req = if inv then "requires","ensures" else
      "ensures","requires" in
    let args id = list_printer (fun tn fmt ->
      fprintf fmt "@ s%s%t" id << tindex_printer tn) v in
    let variant = if sub
      then fun fmt -> fprintf fmt "%tvariant {@ %t%t@ t@]@ }@]@ "
        indent indent << size_name tn
      else ignore in
    fprintf fmt "%t%t@ lemma@ %t@ (t:%t)%t :@ unit@ %t\
      %t%s {@ %t%t@ t%t@]@ =@ %t%t@ t%t@]@ }@]@ %t=@ "
      indent pr << free_var_equivalence_lemma_name sub inv tn
      << type_app_printer b tn << list_printer (fun tn fmt ->
          fprintf fmt "@ (s1%t:%t)@ (s2%t:%t)" << tindex_printer tn
            << subst_type_printer sub b c tn << tindex_printer tn
            << subst_type_printer sub b c tn) v
      << list_printer (fun tnv fmt ->
        fprintf fmt "%t%s {@ %tforall x:'b%t.@ \
          %t%t@ x@ t@] ->@ %ts1%t x@ =@ s2%t@ x@]@]@ }@]@ "
          indent req indent << tindex_printer tnv << indent
          << free_var_predicate_name tnv tn << indent
          << tindex_printer tnv << tindex_printer tnv
        ) v
      << indent << ens << indent << sn << args "1"
      << indent << sn << args "2" << variant

  let free_var_equivalence_lemma_printer sub fmt =
    if sub
    then let pr = rec_val_printer () in
      let print_decl tn c v =
        let vcase _ fmt = fprintf fmt "()" in
        let ccase = blemma_cons_case (fun vname blv tn2 fmt ->
          fprintf fmt "%t%t%t@ %t%t@]"
            << list_printer (fun tnv fmt ->
                let n0 = level tnv blv in
                let rec print_disj n fmt = match n with
                  | 0 -> fprintf fmt "%t%t@ x@ t@]" indent
                    << free_var_predicate_name tnv tn
                  | _ -> fprintf fmt "%tmatch x with@ \
                    %t| None ->@ true@]@ \
                    %t| Some x ->@ %t@]@]@ end"
                    indent indent indent << print_disj (n-1) in
                fprintf fmt "%tassert {@ %tforall x:%t.@ \
                  %t%t@ x@ %t@] ->@ %t@]@ }@] ;@ "
                  indent indent << options_printer (fun fmt ->
                    fprintf fmt "'b%t" << tindex_printer tnv) n0
                  << indent << free_var_predicate_name tnv tn2 << vname
                  << print_disj n0
              ) (binder_vars dm tn2)
            << indent << free_var_equivalence_lemma_name true false tn2
            << vname << list_printer (fun tnv fmt ->
              fprintf fmt "@ (%t)@ (%t)"
                << lift_printer true (fun fmt ->
                  fprintf fmt "s1%t" << tindex_printer tnv
                ) blv tnv
                << lift_printer true (fun fmt ->
                  fprintf fmt "s2%t" << tindex_printer tnv
                ) blv tnv) (binder_vars dm tn2)) in
        fprintf fmt "%t%t@]@\n@\n"
          << free_var_equivalence_lemma_prelude sub false pr tn c v
          << match_printer tn vcase ccase (string_printer "t") in
      make_for_bdefs print_decl
    else let pr fmt = fprintf fmt "let" in
      let print_decl tn c v =
        fprintf fmt "%t%t%t@ t%t@]@]@\n@\n"
          << free_var_equivalence_lemma_prelude sub false pr tn c v
          << indent << free_var_equivalence_lemma_name true false tn
          << list_printer (fun tn fmt ->
              let sor = subst_of_rename_name tn in
              fprintf fmt "@ (%t%t@ s1%t@])@ (%t%t@ s2%t@])"
                indent sor << tindex_printer tn
                << indent << sor << tindex_printer tn) v in
      make_for_bdefs print_decl

  let free_var_derive_equivalence_lemma_printer sub fmt =
    if sub
    then let pr = rec_val_printer () in
      let print_decl tn c v =
        let vcase _ fmt = fprintf fmt "()" in
        let ccase = blemma_cons_case (fun vname blv tn2 fmt ->
          fprintf fmt "%t%t@ %t%t@]%t"
            << indent << free_var_equivalence_lemma_name true true tn2
            << vname << list_printer (fun tnv fmt ->
              fprintf fmt "@ (%t)@ (%t)"
                << lift_printer true (fun fmt ->
                  fprintf fmt "s1%t" << tindex_printer tnv
                ) blv tnv
                << lift_printer true (fun fmt ->
                  fprintf fmt "s2%t" << tindex_printer tnv
                ) blv tnv) (binder_vars dm tn2)
            << list_printer (fun tnv fmt ->
              let ox = somes_printer (string_printer "x") (level tnv blv) in
              let pl1 = list_printer (fun tnv2 fmt ->
                fprintf fmt "@ %t" << csomes_printer (level tnv2 blv))
                (binder_vars dm tnv) in
              let pl2 = list_printer (fun tnv2 fmt ->
                let rec aux n fmt = if n = 0
                  then fprintf fmt "identity"
                  else fprintf fmt "(%tocase@ %t@ %t@])"
                    indent << aux (n-1)
                    << (somes_printer (fun fmt ->
                      fprintf fmt "y%t" << tindex_printer tnv2) (n-1)) in
                fprintf fmt "@ %t" << aux (level tnv2 blv))
                (binder_vars dm tnv) in
              fprintf fmt ";@ %tassert {@ (%tforall x:'b%t%t.@ \
                %t%t@ %t@ %t@]@ ->@ %t%t@ (s1%t x)%t@]@ =@ %teval (%t) %t@]@ \
                  =@ %teval (%t) %t@]@ =@ %t%t@ (s2%t x)%t@]@ &&@ \
                  s1%t x@ =@ %t%t@ (%t%t@ (s1%t x)%t@])%t@]@ =@ \
                  %t%t@ (%t%t@ (s2%t x)%t@])%t@]@ =@ s2%t x@ &&@ \
                  s1%t x@ =@ s2%t x@])@ &&@ %tforall x:'b%t.@ \
                %t%t@ %t@ %t@]@ ->@ s1%t x@ =@ s2%t x@]@ }@]"
                indent indent << tindex_printer tnv
                << list_printer (fun tnv2 fmt ->
                    fprintf fmt ",@ y%t:'c%t" << tindex_printer tnv2
                      << tindex_printer tnv2
                  ) (binder_vars dm tnv)
                << indent << free_var_predicate_name tnv tn2
                << ox << vname << indent << rename_name tnv
                << tindex_printer tnv << pl1
                << indent << lift_printer true (fun fmt ->
                  fprintf fmt "s1%t" << tindex_printer tnv) blv tnv
                << ox << indent << lift_printer true (fun fmt ->
                  fprintf fmt "s2%t" << tindex_printer tnv) blv tnv
                << ox << indent << rename_name tnv << tindex_printer tnv << pl1
                << tindex_printer tnv << indent << rename_name tnv << indent
                << rename_name tnv << tindex_printer tnv << pl1 << pl2
                << indent << rename_name tnv << indent << rename_name tnv
                << tindex_printer tnv << pl1 << pl2 << tindex_printer tnv
                << tindex_printer tnv << tindex_printer tnv
                << indent << tindex_printer tnv
                << indent << free_var_predicate_name tnv tn2
                << ox << vname << tindex_printer tnv << tindex_printer tnv
            ) (binder_vars dm tn2)) in
        fprintf fmt "%t%t@]@\n@\n"
          << free_var_equivalence_lemma_prelude sub true pr tn c v
          << match_printer tn vcase ccase (string_printer "t") in
      make_for_bdefs print_decl
    else let pr fmt = fprintf fmt "let" in
      let print_decl tn _ v =
        let c = string_printer "c" in
        fprintf fmt "%t%t%t@ t%t@]%t@]@\n@\n"
          << free_var_equivalence_lemma_prelude sub true pr tn c v
          << indent << free_var_equivalence_lemma_name true true tn
          << list_printer (fun tn fmt ->
              let sor = subst_of_rename_name tn in
              fprintf fmt "@ (%t%t@ s1%t@])@ (%t%t@ s2%t@])"
                indent sor << tindex_printer tn
                << indent << sor << tindex_printer tn) v
          << list_printer (fun tn fmt ->
            let sor = subst_of_rename_name tn in
            fprintf fmt ";@ %tassert {@ %tforall x:'b%t.@ \
              (%t%t@ s1%t@ x:%t@])@ =@ (%t%t@ s2%t@ x:%t@])@ ->@ \
              (%t%t@ (s1%t x):%t@])@ =@ (%t%t@ (s2%t x):%t@])@ &&@ \
              s1%t x@ =@ s2%t x@]@ }@]"
              indent indent << tindex_printer tn
              << indent << sor << tindex_printer tn << type_app_printer c tn
              << indent << sor << tindex_printer tn << type_app_printer c tn
              << indent << variable_name tn << tindex_printer tn
              << type_app_printer c tn
              << indent << variable_name tn << tindex_printer tn
              << type_app_printer c tn
              << tindex_printer tn << tindex_printer tn) v in
      make_for_bdefs print_decl

  (* TODO : remove ? do not seem that useful in fact. *)

  let open_close_defs_printer fmt =
    let b = string_printer "b" in
    let print_decl tnv tn c v =
      let blevels = inc_level tnv TMap.empty in
      fprintf fmt "%tfunction@ %t@ (t:%t)@ (x:'b%t) :@ %t@ =@ \
        %t%t@ t%t@]@]@\n@\n\
        %tfunction@ %t@ (t:%t)@ (x:'b%t) :@ %t@ =@ \
        %t%t@ t%t@]@]@\n@\n\
        %tfunction@ %t@ (t:%t)@ (u:%t) :@ %t@ =@ \
        %t%t@ t%t@]@]@\n@\n"
        indent << close_name tnv tn << type_app_printer b tn
        << tindex_printer tnv << type_app_printer ~blevels b tn
        << indent << rename_name tn << list_printer (fun tnv2 fmt ->
          if tnv = tnv2
          then fprintf fmt "@ (%tupdate@ some@ x@ None@])" indent
          else fprintf fmt "@ identity") v
        << indent << openv_name tnv tn << type_app_printer ~blevels b tn
        << tindex_printer tnv << type_app_printer b tn << indent
        << rename_name tn << list_printer (fun tnv2 fmt ->
          if tnv = tnv2
          then fprintf fmt "@ (%tocase@ identity@ x@])" indent
          else fprintf fmt "@ identity") v
        << indent << opent_name tnv tn << type_app_printer ~blevels b tn
        << type_app_printer b tnv << type_app_printer b tn
        << indent << subst_name tn << list_printer (fun tnv2 fmt ->
          if tnv = tnv2
          then fprintf fmt "@ (%tocase@ %t@ u@])" indent
            << subst_identity_name tnv
          else fprintf fmt "@ %t" << subst_identity_name tnv2) v
    in
    make_for_bdefs (fun tn c v ->
      List.iter (fun tnv ->
        print_decl tnv tn c v) v)

  let size_preservation_lemma_printer fmt =
    let b,c = string_printer "b",string_printer "c" in
    let pr = rec_val_printer () in
    let print_decl tn _ v =
      let vcase _ fmt = fprintf fmt "()" in
      let ccase = blemma_cons_case (fun vname blv tn fmt ->
          fprintf fmt "%t%t@ %t%t@]" indent
            << size_preservation_lemma_name tn
            << vname << list_printer (fun tn fmt ->
              fprintf fmt "@ (%t)" << lift_printer false (fun fmt ->
                  fprintf fmt "s%t" << tindex_printer tn
                ) blv tn) (binder_vars dm tn)) in
      fprintf fmt "%t%t@ lemma@ %t@ (t:%t)%t :@ unit@ \
        %tensures {@ %t%t@ (%t%t@ t%t@])@]@ =@ %t%t@ t@]@ }@]@ \
        %tvariant {@ %t%t@ t@]@ }@]@ =@ %t@]@\n@\n"
        indent pr << size_preservation_lemma_name tn
        << type_app_printer b tn << list_printer (fun tn fmt ->
          fprintf fmt "@ (s%t:%t)" << tindex_printer tn
            << subst_type_printer false b c tn) v
        << indent << indent << size_name tn << indent << rename_name tn
        << list_printer (fun tn fmt ->
          fprintf fmt " s%t" << tindex_printer tn) v
        << indent << size_name tn
        << indent << indent << size_name tn
        << match_printer tn vcase ccase (string_printer "t") in
    make_for_bdefs print_decl

  let required_imports fmt =
    fprintf fmt "use import option.Option@\n\
      use import int.Int@\nuse import Nat.Nat@\n\
      use import Functions.Func@\nuse import OptionFuncs.Funcs@\n\
      use import Sum.Sum@\n"

  let base_defs_printer fmt =
    type_defs_printer fmt ;
    size_defs_printer fmt ;
    size_lemma_printer fmt

  let subst_lemmae_defs_printer fmt =
    subst_defs_printer false fmt ;
    composition_lemma_printer false false fmt ;
    identity_lemma_printer false fmt ;
    subst_composition_def_printer false fmt ;
    associativity_lemma_printer (true,false,false) fmt ;
    associativity_lemma_printer (false,true,false) fmt ;
    right_identity_lemma_printer false fmt ;
    subst_lifting_printer fmt ;
    lifting_composition_lemma_printer (false,true) fmt ;
    lifting_composition_lemma_printer (true,false) fmt ;
    subst_defs_printer true fmt ;
    composition_lemma_printer false true fmt ;
    composition_lemma_printer true false fmt ;
    subst_composition_def_printer true fmt ;
    associativity_lemma_printer (false,true,true) fmt ;
    associativity_lemma_printer (true,false,true) fmt ;
    associativity_lemma_printer (true,true,false) fmt ;
    lifting_composition_lemma_printer (true,true) fmt ;
    composition_lemma_printer true true fmt ;
    associativity_lemma_printer (true,true,true) fmt ;
    subst_identity_printer fmt ;
    left_identity_lemma_printer false fmt ;
    identity_lemma_printer true fmt ;
    left_identity_lemma_printer true fmt ;
    right_identity_lemma_printer true fmt ;
    size_preservation_lemma_printer fmt

  let free_var_lemmae_defs_printer fmt =
    free_var_def_printer fmt ;
    subst_free_var_inversion_printer false fmt ;
    rename_free_var_propagation_lemma_printer fmt ;
    subst_free_var_inversion_printer true fmt ;
    subst_free_var_propagation_lemma_printer fmt ;
    free_var_equivalence_lemma_printer true fmt ;
    free_var_equivalence_lemma_printer false fmt ;
    free_var_derive_equivalence_lemma_printer true fmt ;
    free_var_derive_equivalence_lemma_printer false fmt



end
why3-1.6.0/examples/prover/macro_generator/Macrogen_theory.mli000066400000000000000000000024601440160026300245400ustar00rootroot00000000000000
open Macrogen_params
open Macrogen_decls
open Macrogen_printing

module Printer : functor (P:PrintParameters) -> sig
  
  val type_defs_printer : printer
  val size_defs_printer : printer
  val size_lemma_printer : printer
  val subst_defs_printer : bool -> printer
  val composition_lemma_printer : bool -> bool -> printer
  val identity_lemma_printer : bool -> printer
  val subst_composition_def_printer : bool -> printer
  val associativity_lemma_printer : bool * bool * bool -> printer
  val right_identity_lemma_printer : bool -> printer
  val left_identity_lemma_printer : bool -> printer
  val subst_lifting_printer : printer
  val lifting_composition_lemma_printer : (bool * bool) -> printer
  val subst_identity_printer : printer
  val free_var_def_printer : printer
  val subst_free_var_inversion_printer : bool -> printer
  val rename_free_var_propagation_lemma_printer : printer
  val subst_free_var_propagation_lemma_printer : printer
  val free_var_equivalence_lemma_printer : bool -> printer
  val free_var_derive_equivalence_lemma_printer : bool -> printer
  val open_close_defs_printer : printer
  val size_preservation_lemma_printer : printer
  
  val required_imports : printer
  val base_defs_printer : printer
  val subst_lemmae_defs_printer : printer
  val free_var_lemmae_defs_printer : printer
  
end

why3-1.6.0/examples/prover/macro_generator/Macrogen_transform.ml000066400000000000000000000162741440160026300251000ustar00rootroot00000000000000
open Macrogen_decls

let rec mapt f = function
  | DeclaredType t -> DeclaredType ( f t )
  | TypeVar x -> TypeVar (f x)

let mapc f = function
  | BCons ( c , b , e ) -> BCons ( f c , List.map (fun (x,y) ->
    f x , List.map (mapt f) y) b , List.map (mapt f) e )
  | Var -> Var

let mapdef f = function
  | TypeDefinition ( t , c , fv ) ->
    TypeDefinition ( f t , List.map (mapc f) c , List.map f fv )
  | TypeAssumption ( t , fv ) -> TypeAssumption ( f t , List.map f fv )

let mapdecl f { var_parameters ; binder_types } =
  { var_parameters = List.map f var_parameters ;
    binder_types =  List.map (mapdef f) binder_types }

module SMap = Map.Make(String)
module IntO = struct type t = int let compare = compare end
module ISet = Set.Make(IntO)
module TO = struct type t = TName.t let compare t1 t2 =
  compare (t1:TName.t:>int) (t2:TName.t:>int) end
module CO = struct type t = CName.t let compare c1 c2 =
  compare (c1:CName.t:>int) (c2:CName.t:>int) end

module TSet = Set.Make(TO)
module CSet = Set.Make(CO)

(* change names from string to faster integers. *)

let translate_names decls =
  let name_gen = ref 0 in
  let translate = ref SMap.empty in
  let rename s =
    try SMap.find s !translate
    with Not_found -> let u = !name_gen in
      name_gen := u + 1 ; translate := SMap.add s u !translate ;
      u in
  let u = mapdecl rename decls in
  let trback = SMap.fold ( fun s i acc ->
    IMap.add i s acc ) !translate IMap.empty in
  u , trback

let make_itype t = match t with
  | TypeVar v -> ITVar (VName.make v)
  | DeclaredType t -> ITDecl ( TName.make t)

let make_cons_list cons_set cl =
  let cs,cm = List.fold_left ( fun (cs,cm) -> function
    | BCons ( c , b , e ) -> let c' = CName.make c in
      if CSet.mem c' cs
      then assert false (* TODO->send error "duplicate constructor". *)
      else let b' = List.map ( fun ( x , t ) ->
        TName.make x , List.map make_itype t ) b in
        let e' = List.map make_itype e in
        CSet.add c' cs, { cm with cons_list = (c',b',e')::cm.cons_list }
    | Var -> ( if cm.var_present
      then assert false (* TODO : decide if I send error here (* "duplicate var" *) *) ) ;
      cs,{cm with var_present = true } )
  (cons_set,{var_present = false ; cons_list = []}) cl in
  cs,{cm with cons_list = List.rev cm.cons_list}

let make_decl_map d =
  let _ , dmap , _ = List.fold_left ( fun (cs,dm,rank) -> function
    | TypeDefinition (tn,cstr,fv) -> let tn = TName.make tn in
      if TMap.mem tn dm
      then assert false (* TODO : error (duplicate type name) *)
      else let cs,csl = make_cons_list cs cstr in
        cs,TMap.add tn (ITypeDef (csl,List.map TName.make fv),rank) dm,rank + 1
    | TypeAssumption (tn,fv) -> let tn = TName.make tn in
      if TMap.mem tn dm
      then assert false (* TODO : error (duplicate type name) *)
      else cs,TMap.add tn (ITypeAssumption (List.map TName.make fv),rank) dm,rank + 1)
    (CSet.empty,TMap.empty,0) d in
  dmap

(* TODO : various "unbound ident" check. *)

(* TODO : constructor "Var_" forbidden check. *)

(* edges of the dependency graph. *)
let dependents_fold f def acc = match def with
  | ITypeDef ( c , _ ) -> let fold_cons acc c =
      let _ , l1 , l2 = c in
      let acc = List.fold_left ( fun acc ( x , t ) ->
        let acc = f x acc in
          List.fold_left (fun acc -> function
            | ITVar _ -> acc
            | ITDecl u -> f u acc) acc t
        ) acc l1
      in
      List.fold_left ( fun acc -> function
        | ITVar _ -> acc
        | ITDecl u -> f u acc
        ) acc l2
    in
    List.fold_left fold_cons acc c.cons_list
  | ITypeAssumption _ -> acc

(* scc computation of the dependency graph
   return 1) the scc index of each type,
     2) the vertices in each scc. *)

let make_scc dm =
  let table = ref TMap.empty in
  let sccg = ref IMap.empty in
  let s = ref [] in
  let p = ref [] in
  let c = ref 1 in
  let scc = ref 0 in
  let rec pop_until num p = match p with
    | [] -> assert false
    | x :: q-> if TMap.find x !table >= num
      then p
      else pop_until num q in
  let rec process tn =
    let _ = table := TMap.add tn (- !c) !table in
    let _ = c := !c + 1 in
    let _ = s := tn :: !s in
    let _ = p := tn :: !p in
    let smake s _ =
      (* "let try" idiom would be better if available. *)
      match try Some (TMap.find s !table)
        with Not_found -> None with
        | None -> process s
        | Some x -> if x < 0
          then p := pop_until x !p
          else () in
    let td , _ = TMap.find tn dm in
    let _ = dependents_fold smake td () in
    let rec pop_until sccn tn s acc = match s with
      | [] -> assert false
      | x :: q -> let acc = x :: acc in
        table := TMap.add x sccn !table ;
        if x = tn
        then q , acc
        else pop_until sccn tn q acc in
    match !p with
      | x :: q when x = tn -> p := q ;
        let sccn = !scc in
        let _ = scc := sccn + 1 in
        let ns , cpt = pop_until sccn tn !s [] in
        sccg := IMap.add sccn cpt !sccg ;
        s := ns
      | _ -> () in
  TMap.iter ( fun tn _ ->
    if not(TMap.mem tn !table)
    then process tn ) dm ;
  !table,!sccg

(* compute set of potential binding variables occuring in each type,
   e.g fixpoint of propagation starting from given binding list + current type if it
   contains variable constructor. Straightforward from scc.
   After this, the list of binding vars associated to each type is exact. *)

let compute_binding_vars dm =
  let get_scc , get_types = make_scc dm in
  let tb = ref IMap.empty in
  let rec get_binding_vars sccn =
    try IMap.find sccn !tb
    with Not_found -> let all = IMap.find sccn get_types in
      (* dependents in scc quotiented graph + base set from current component. *)
      let dep,base = List.fold_left (fun (dep,base) tn ->
        let td , _ = TMap.find tn dm in
        let dep = dependents_fold (fun tnd dep ->
          let sccnd = TMap.find tnd get_scc in
          if sccnd = sccn
          then dep
          else ISet.add sccnd dep ) td dep in
        let v,base = match td with
          | ITypeDef (c,v) ->
            v , if c.var_present then TSet.add tn base else base
          | ITypeAssumption v -> v , base in
        let base = List.fold_left (fun acc v -> TSet.add v acc ) base v in
        (dep,base) ) (ISet.empty,TSet.empty) all in
      let res = ISet.fold (fun sccnd acc ->
        TSet.union acc (get_binding_vars sccnd)) dep base in
      tb := IMap.add sccn res !tb ; res in
  let reorder bv =
    let compare t1 t2 =
      let _ , r1 = TMap.find t1 dm in
      let _ , r2 = TMap.find t2 dm in
      compare r1 r2 in
    List.sort compare bv in
  let dmr = TMap.mapi (fun tn (td,rank) -> match td with
    | ITypeAssumption v -> ITypeAssumption (reorder v)
    | ITypeDef ( c , _ ) -> let sccn = TMap.find tn get_scc in
      let bv = get_binding_vars sccn in
      ITypeDef ( c , reorder ( TSet.elements bv ) ) ) dm in
  let b = IMap.bindings get_types in
  let b' = List.sort (fun (k1,_) (k2,_) -> compare k2 k1) b in
  let sccgr = List.rev_map snd b' in
  dmr , sccgr

let convert d =
  let d , names = translate_names d in
  let dmap = make_decl_map d.binder_types in
  let dmap , sccg = compute_binding_vars dmap in
  {
    var_params = List.map VName.make d.var_parameters ;
    type_decls = dmap ;
    names ;
    sccg
  }


why3-1.6.0/examples/prover/macro_generator/Macrogen_transform.mli000066400000000000000000000001031440160026300252310ustar00rootroot00000000000000
open Macrogen_decls

val convert : string decls -> internal_decl

why3-1.6.0/examples/prover/macro_generator/Priv.ml000066400000000000000000000003601440160026300221570ustar00rootroot00000000000000
module type S = sig
  type base
  type t = private base
  val make : base -> t
  val destruct : t -> base
end

module Make = functor (X:sig type t end) -> struct
  type base = X.t
  type t = base
  let make x = x
  let destruct x = x
end

why3-1.6.0/examples/prover/macro_generator/Priv.mli000066400000000000000000000002641440160026300223330ustar00rootroot00000000000000
module type S = sig
  type base
  type t = private base
  val make : base -> t
  val destruct : t -> base
end

module Make : functor (X:sig type t end) -> S with type base = X.t

why3-1.6.0/examples/prover/macro_generator/build/000077500000000000000000000000001440160026300220055ustar00rootroot00000000000000why3-1.6.0/examples/prover/macro_generator/build/.notempty000066400000000000000000000000001440160026300236530ustar00rootroot00000000000000why3-1.6.0/examples/prover/macro_generator/depend/000077500000000000000000000000001440160026300221455ustar00rootroot00000000000000why3-1.6.0/examples/prover/macro_generator/depend/.notempty000066400000000000000000000000001440160026300240130ustar00rootroot00000000000000why3-1.6.0/examples/prover/macro_generator/makefile000066400000000000000000000045031440160026300224100ustar00rootroot00000000000000
ML=Priv Macrogen_decls Macrogen_printing Macrogen_params Macrogen_theory Macrogen_transform Macrogen_nlparams Macrogen_nameless
MLI=Macrogen_params_sig Macrogen_printing_sig Macrogen_nlparams_sig
DP=./depend/
BD=./build/
SRC=./
CMX=$(patsubst %,$(BD)%.cmx,$(ML))
CMI=$(patsubst %,$(BD)%.cmi,$(ML) $(MLI))
MLC=ocamlopt.opt
INCLUDES=-I $(BD)
MLFLAGS=
MLIFLAGS=
MLEXECFLAGS=

$(BD)macrogen: $(CMX) Macrogen.ml
	$(MLC) $(INCLUDES) $(MLFLAGS) $(MLEXECFLAGS) -o $(BD)macrogen $(CMX) $(SRC)Macrogen.ml

$(BD)%.cmi:$(DP)%.mli.depend
	$(MLC) $(INCLUDES) $(MLIFLAGS) -c -o $@ $(SRC)$*.mli

$(BD)%.cmx:$(DP)%.ml.depend $(BD)%.cmi
	$(MLC) $(INCLUDES) $(MLFLAGS) -c -o $@ $(SRC)$*.ml

$(DP)%.depend:$(SRC)%
	touch $@

$(DP)Priv.ml.depend:

$(DP)Priv.mli.depend:

$(DP)Macrogen_decls.mli.depend: $(BD)Priv.cmi

$(DP)Macrogen_decls.ml.depend: $(BD)Priv.cmi

$(DP)Macrogen_printing.mli.depend: $(BD)Macrogen_decls.cmi $(BD)Macrogen_params.cmi $(BD)Macrogen_printing_sig.cmi

$(DP)Macrogen_printing.ml.depend: $(BD)Macrogen_decls.cmi $(BD)Macrogen_params.cmi $(BD)Macrogen_printing_sig.cmi

$(DP)Macrogen_theory.ml.depend: $(BD)Macrogen_decls.cmi $(BD)Macrogen_printing.cmi

$(DP)Macrogen_theory.mli.depend: $(BD)Macrogen_params.cmi $(BD)Macrogen_decls.cmi $(BD)Macrogen_printing.cmi

$(DP)Macrogen_nameless.ml.depend: $(BD)Macrogen_nlparams.cmi $(BD)Macrogen_decls.cmi $(BD)Macrogen_printing.cmi

$(DP)Macrogen_nameless.mli.depend: $(BD)Macrogen_nlparams.cmi $(BD)Macrogen_decls.cmi $(BD)Macrogen_printing.cmi

$(DP)Macrogen_params.mli.depend: $(BD)Macrogen_decls.cmi $(BD)Macrogen_params_sig.cmi

$(DP)Macrogen_params.ml.depend: $(BD)Macrogen_decls.cmi $(BD)Macrogen_params_sig.cmi

$(DP)Macrogen_nlparams.mli.depend: $(BD)Macrogen_decls.cmi $(BD)Macrogen_params.cmi $(BD)Macrogen_nlparams_sig.cmi

$(DP)Macrogen_nlparams.ml.depend: $(BD)Macrogen_decls.cmi $(BD)Macrogen_params.cmi $(BD)Macrogen_nlparams_sig.cmi

$(DP)Macrogen_transform.ml.depend: $(BD)Macrogen_decls.cmi

$(DP)Macrogen_transform.mli.depend: $(BD)Macrogen_decls.cmi

$(DP)Macrogen_printing_sig.mli.depend: $(BD)Macrogen_params.cmi

$(DP)Macrogen_params_sig.mli.depend: $(BD)Macrogen_decls.cmi

$(DP)Macrogen_nlparams_sig.mli.depend: $(BD)Macrogen_decls.cmi $(BD)Macrogen_params.cmi

.SECONDARY:

.PHONY: clean restore

clean:
	rm -f $(BD)*.o $(BD)*.cmi $(BD)*.cmx $(DP)*.depend

restore: clean
	rm -f $(BD)macrogen


why3-1.6.0/examples/prover/run.ml000066400000000000000000000362541440160026300167070ustar00rootroot00000000000000
open Format
open Prover

let pr_symbol fmt s =
  match s with
  | NLFVar_symbol v ->
    fprintf fmt "f%s" (Z.to_string v)
  | NLBruijn_symbol n ->
    fprintf fmt "v%s" (Z.to_string n)

let rec pr_term fmt t =
  match t with
  | NLFVar_fo_term v ->
    fprintf fmt "f%s" (Z.to_string v)
  | NLBruijn_fo_term n ->
    fprintf fmt "v%s" (Z.to_string n)
  | NL_App(s,tl) ->
    fprintf fmt "%a%a" pr_symbol s pr_term_list tl

and pr_term_list fmt tl =
  match tl with
  | NL_FONil -> fprintf fmt "()"
  | NL_FOCons(t,tl) ->
      fprintf fmt "@[(%a%a)@]" pr_term t pr_term_list_tail tl

and pr_term_list_tail fmt tl =
  match tl with
    | NL_FONil -> ()
    | NL_FOCons(t,tl) ->
      fprintf fmt ",@ %a%a" pr_term t pr_term_list_tail tl

let pr_term_impl fmt t = pr_term fmt t.nlrepr_fo_term_field

let rec pr_formula fmt f =
  match f with
  | NL_Forall f -> fprintf fmt "@[(forall@ %a)@]" pr_formula f
  | NL_Exists f  -> fprintf fmt "@[(exists@ %a)@]" pr_formula f
  | NL_And(f1,f2) ->
    fprintf fmt "@[(%a@ and %a)@]" pr_formula f1 pr_formula f2
  | NL_Or(f1,f2) ->
    fprintf fmt "@[(%a@ or %a)@]" pr_formula f1 pr_formula f2
  | NL_Not f -> fprintf fmt "@[(not@ %a)@]" pr_formula f
  | NL_FTrue -> fprintf fmt "true"
  | NL_FFalse -> fprintf fmt "false"
  | NL_PApp(s,tl) ->
    fprintf fmt "@[%a%a@]" pr_symbol s pr_term_list tl

and pr_formula_list fmt l =
  match l with
  | NL_FOFNil -> fprintf fmt "[]"
  | NL_FOFCons(f,l) ->
    fprintf fmt "@[[ %a%a ]@]" pr_formula f pr_formula_list_tail l

and pr_formula_list_tail fmt l =
  match l with
  | NL_FOFNil -> ()
  | NL_FOFCons(f,l) ->
    fprintf fmt ";@ %a%a" pr_formula f pr_formula_list_tail l

let pr_formula_impl fmt f = pr_formula fmt f.nlrepr_fo_formula_field

let pr_formula_list_impl fmt l =
  pr_formula_list fmt l.nlrepr_fo_formula_list_field

let n = Z.of_int

let run_test name l =
  Format.printf "Running the test '%s'@." name;
  Format.printf "Formulas: %a@." pr_formula_list_impl l;
  let t = Unix.gettimeofday () in
  let n = Prover.main l (n 1) in
  let t = Unix.gettimeofday () -. t in
  Format.printf "Unsat (time = %.02f, depth=%s)@.@." t
                (Z.to_string n)

let run_all_tests () =
  run_test "drinker" (Prover.drinker ());
  run_test "group" (Prover.group ());
  run_test "bidon1" (Prover.bidon1 ());
  run_test "bidon2" (Prover.bidon2 ());
  run_test "bidon3" (Prover.bidon3 ());
  run_test "bidon4" (Prover.bidon4 ());
  run_test "pierce" (Prover.pierce ());
  run_test "zenon5" (Prover.zenon5 ());
(* too long -> sat ?
  run_test "zenon6" (Prover.zenon6 ());
*)
  run_test "zenon10 2" (Prover.zenon10 (n 2));
(* too long -> sat !
  run_test "zenon10 3" (Prover.zenon10 (n 3))
*)
  run_test "zenon10 4" (Prover.zenon10 (n 4));
  run_test "zenon10 6" (Prover.zenon10 (n 6));
  run_test "zenon10 8" (Prover.zenon10 (n 8));
  run_test "zenon10 10" (Prover.zenon10 (n 10));
  run_test "zenon10 12" (Prover.zenon10 (n 12));
(* warning: the following needs around 6 minutes *)
(*
  run_test "zenon10 14" (Prover.zenon10 (n 14));
*)
  printf "End of tests.@."

open Tptp_ast

exception Unsupported of string

let unsupported s = raise (Unsupported s)

exception Ill_Typed of string

let ill_typed s = raise (Ill_Typed s)

let mk_not f =
  let o = NLC_Not f in construct_fo_formula o

type env =
  { cnf : bool;
    var_cnt : Z.t;
    var_assoc : (string * Z.t) list;
    sym_cnt : Z.t;
    sym_assoc : (string * Z.t) list }

let find_var env v =
  try
    let n = List.assoc v env.var_assoc in
    env,n
  with Not_found ->
    if env.cnf then
      let n = env.var_cnt in
      { env with
        var_cnt = Z.succ n;
        var_assoc = (v,n)::env.var_assoc }, n
    else
      ill_typed ("unknown variable id " ^ v)

let add_var env (v,_ty) =
  let n = env.var_cnt in
  { env with
    var_cnt = Z.succ n;
    var_assoc = (v,n)::env.var_assoc }, n

let find_sym env s =
  try
    let n = List.assoc s env.sym_assoc in
    env,n
  with Not_found ->
    let n = env.sym_cnt in
    { env with
      sym_cnt = Z.succ n;
      sym_assoc = (s,n)::env.sym_assoc }, n

let rec tr_term env e =
  match e.e_node with
  | Elet(e1,e2) -> unsupported "let"
  | Eite(e1,e2,e3) -> unsupported "ite"
  | Eqnt(q,vl,e) -> ill_typed "quantifier in term"
  | Ebin(op,e1,e2) -> ill_typed "bin op in term"
  | Enot e -> ill_typed "'not' in term"
  | Eequ(e1,e2) -> ill_typed "'equ' in term"
  | Eapp(w,el) ->
    let fotnil =
      let o = NLC_FONil in construct_fo_term_list o
    in
    let env,tl =
      List.fold_right
        (fun e (env,acc) ->
          let env,t = tr_term env e in
          let o = NLC_FOCons (t, acc) in
          (env,construct_fo_term_list o))
        el
        (env,fotnil)
    in
    let env,sym = find_sym env w in
    let o = NLCVar_symbol sym in
    let sym = construct_symbol o in
    let o = NLC_App (sym, tl) in
    env,construct_fo_term o
  | Edef(w,el) -> unsupported "def"
  | Edob d -> unsupported "dob"
  | Enum n -> unsupported "num"
  | Evar v ->
    let env,v = find_var env v in
    let o =
      NLCVar_fo_term v
    in
    env,construct_fo_term o

let rec mk_bin_op op phi1 phi2 =
  let phi =
    match op with
    | BOequ -> unsupported "BOequ"
    | BOnequ -> unsupported "BOnequ"
    | BOimp -> NLC_Or (mk_not phi1, phi2)
    | BOpmi -> unsupported "BOpmi"
    | BOand -> NLC_And (phi1, phi2)
    | BOor -> NLC_Or (phi1, phi2)
    | BOnand -> NLC_Not (mk_bin_op BOand phi1 phi2)
    | BOnor -> NLC_Not (mk_bin_op BOor phi1 phi2)
  in
  construct_fo_formula phi

let rec tr_fmla env e =
  match e.e_node with
  | Elet(e1,e2) -> unsupported "let"
  | Eite(e1,e2,e3) -> unsupported "ite"
  | Eqnt(q,vl,e) ->
    let env1,nl =
      List.fold_right
        (fun v (env,vl) ->
          let env,n = add_var env v in
          (env,n::vl))
        vl (env,[])
    in
    let env2,phi = tr_fmla env1 e in
    (* suppressing quantified variables from the env *)
    let env =
      { env2 with var_cnt = env.var_cnt; var_assoc = env.var_assoc }
    in
    let phi = match q with
      | Qforall ->
        List.fold_right
          (fun n phi ->
            let o =
              NLC_Forall (n,phi)
            in
            construct_fo_formula o)
          nl phi
      | Qexists ->
        List.fold_right
          (fun n phi ->
            let o =
              NLC_Exists (n,phi)
            in
            construct_fo_formula o)
          nl phi
    in env, phi
  | Ebin(op,e1,e2) ->
    let env1,phi1 = tr_fmla env e1 in
    let env2,phi2 = tr_fmla env1 e2 in
    env2, mk_bin_op op phi1 phi2
  | Enot e ->
    let env1,phi1 = tr_fmla env e in
    env1,mk_not phi1
  | Eequ(e1,e2) -> unsupported "equ"
  | Eapp(w,el) ->
    let fotnil =
      let o = NLC_FONil in
      construct_fo_term_list o
    in
    let env,tl =
      List.fold_right
        (fun e (env,acc) ->
          let env,t = tr_term env e in
          let o = NLC_FOCons (t, acc) in
          (env,construct_fo_term_list o))
        el
        (env,fotnil)
    in
    let env,sym = find_sym env w in
    let o = NLCVar_symbol sym in
    let sym = construct_symbol o in
    let o = NLC_PApp (sym, tl) in
    env,construct_fo_formula o
  | Edef(DP(DPfalse),[]) ->
     let o =
      NLC_FFalse
    in
    env,construct_fo_formula o
  | Edef(w,el) -> unsupported "def"
  | Edob d -> unsupported "dob"
  | Enum n -> unsupported "num"
  | Evar v -> ill_typed "var in formula"

let tr_cnf env e =
  let rec tr env e =
    match e.e_node with
    | Elet(e1,e2) -> unsupported "let in cnf"
    | Eite(e1,e2,e3) -> unsupported "ite in cnf"
    | Eqnt(q,vl,e) -> unsupported "qnt in cnf"
    | Ebin(op,e1,e2) ->
      let env1,phi1 = tr env e1 in
      let env2,phi2 = tr env1 e2 in
      env2, mk_bin_op op phi1 phi2
    | Enot e ->
      let env1,phi1 = tr env e in
      env1,mk_not phi1
    | Eequ(e1,e2) -> unsupported "equ"
    | Eapp(w,el) ->
      let fotnil =
        let o = NLC_FONil in
        construct_fo_term_list o
      in
      let env,tl =
        List.fold_right
          (fun e (env,acc) ->
            let env,t = tr_term env e in
            let o = NLC_FOCons (t, acc) in
            (env,construct_fo_term_list o))
          el
          (env,fotnil)
      in
      let env,sym = find_sym env w in
      let o = NLCVar_symbol sym in
      let sym = construct_symbol o in
      let o = NLC_PApp (sym, tl) in
      env,construct_fo_formula o
    | Edef(w,el) -> unsupported "def in cnf"
    | Edob d -> unsupported "dob in cnf"
    | Enum n -> unsupported "num in cnf"
    | Evar v -> ill_typed "var in cnf"
  in
  let env,phi = tr env e in
  let phi =
    List.fold_right
      (fun (_,n) phi ->
        let o =
          NLC_Forall (n,phi)
        in
        construct_fo_formula o)
      env.var_assoc phi
  in
  { env with
    var_cnt = Z.zero;
    var_assoc = [] }, phi

let empty_env () =
{ cnf = false;
  var_cnt = Z.zero;
  var_assoc = [];
  sym_cnt = Z.zero;
  sym_assoc = [] }

let tr_top_formula env kind role f =
  match f with
  | TypedAtom _ -> unsupported "TypedAtom"
  | Sequent _ -> unsupported "Sequent"
  | LogicFormula e ->
    let env,f =
      match kind with
      | FOF -> tr_fmla { env with cnf = false } e
      | CNF -> (* assert false *) tr_cnf { env with cnf = true } e
      | TFF -> assert false
    in
    let phi =
      match role with
      | Axiom -> f
      | Hypothesis -> f
      | Definition -> unsupported "Definition"
      | Assumption -> f
      | Corollary -> unsupported "corollary" (* mk_not f ? *)
      | Lemma -> unsupported "lemma" (* mk_not f ? *)
      | Theorem -> unsupported "theorem" (* mk_not f ? *)
      | Conjecture -> mk_not f
      | Negated_conjecture -> f
      | Type -> unsupported "Type"
    in env,phi

let tr_decl (env,acc) d =
  match d with
  | Include _ -> unsupported "Include"
  | Formula(TFF,_,role,top_formula,_) -> unsupported "TFF"
  | Formula(CNF,_,role,top_formula,_) -> unsupported "CNF"
  | Formula(kind,_,role,top_formula,_) ->
    let env,phi = tr_top_formula env kind role top_formula in
    let o = NLC_FOFCons (phi, acc) in
    let acc = construct_fo_formula_list o in
    env,acc

let tr_file a =
  let fonil =
    let o = NLC_FOFNil in
    construct_fo_formula_list o
  in
  List.fold_left tr_decl (empty_env (),fonil) a

(*** output in FOF format *)

let comma fmt () = fprintf fmt ",@ "

let rec print_list_pre sep print fmt = function
  | [] -> ()
  | x :: r -> sep fmt (); print fmt x; print_list_pre sep print fmt r

let print_list sep print fmt = function
  | [] -> ()
  | [x] -> print fmt x
  | x :: r -> print fmt x; print_list_pre sep print fmt r

let pr_var fmt (v,_) = pp_print_string fmt v

let rec pr_fof_expr fmt e =
  match e.e_node with
  | Elet(e1,e2) -> unsupported "let"
  | Eite(e1,e2,e3) -> unsupported "ite"
  | Eqnt(q,vl,e) ->
     let q = match q with Qforall -> "!" | Qexists -> "?" in
     fprintf fmt "@[(%s[%a]:@ %a)@]" q
        (print_list comma pr_var) vl pr_fof_expr e
  | Ebin(op,e1,e2) ->
     let s = match op with
       | BOand -> "&" | BOor -> "|" | BOimp -> "=>"
       | _ -> unsupported "binop"
     in
     fprintf fmt "@[(%a@ %s %a)@]" pr_fof_expr e1 s pr_fof_expr e2
  | Enot e -> fprintf fmt "~@ %a" pr_fof_expr e
  | Eequ(e1,e2) -> unsupported "equ"
  | Eapp(w,[]) -> fprintf fmt "%s" w
  | Eapp(w,el) ->
     fprintf fmt "@[%s(%a)@]" w (print_list comma pr_fof_expr) el
  | Edef(w,el) -> unsupported "def"
  | Edob d -> unsupported "dob"
  | Enum n -> unsupported "num"
  | Evar v -> fprintf fmt "%s" v

let rec add x l =
  match l with
  | [] -> [x]
  | y :: r as l -> if x = y then l else y :: add x r

let get_vars e =
  let rec aux env e =
    match e.e_node with
    | Elet(e1,e2) -> unsupported "let"
    | Eite(e1,e2,e3) -> unsupported "ite"
    | Eqnt(q,vl,e) -> unsupported "quant in cnf"
    | Ebin(op,e1,e2) -> aux (aux env e1) e2
    | Enot e -> aux env e
    | Eequ(e1,e2) -> unsupported "equ"
    | Eapp(w,el) -> List.fold_left aux env el
    | Edef(w,el) -> unsupported "def"
    | Edob d -> unsupported "dob"
    | Enum n -> unsupported "num"
    | Evar v -> add v env
  in
  aux [] e

let pr_role fmt r =
  match r with
  | Axiom -> fprintf fmt "axiom"
  | Hypothesis -> fprintf fmt "hypothesis"
  | Definition -> unsupported "Definition"
  | Assumption -> fprintf fmt "assumption"
  | Corollary -> unsupported "corollary"
  | Lemma -> unsupported "lemma"
  | Theorem -> unsupported "theorem"
  | Conjecture -> fprintf fmt "conjecture"
  | Negated_conjecture -> fprintf fmt "negated_conjecture"
  | Type -> unsupported "Type"

let pr_fof_top_formula fmt name kind role f =
  match f with
  | TypedAtom _ -> unsupported "TypedAtom"
  | Sequent _ -> unsupported "Sequent"
  | LogicFormula e ->
     match kind with
     | FOF -> fprintf fmt "@[fof(%s,@ %a,@ %a).@]@\n"
                      name pr_role role pr_fof_expr e
     | CNF ->
        let r = match role with
          | Conjecture -> unsupported "conjecture in CNF format"
          | Negated_conjecture -> Axiom
          | Axiom -> role
          | Hypothesis -> role
          | Definition | Assumption
          | Corollary|Lemma|Theorem|Type -> unsupported "role"
        in
        begin
          match get_vars e with
          | [] -> fprintf fmt "@[fof(%s,@ %a,@ %a).@]@\n"
                          name pr_role r pr_fof_expr e
          | l -> fprintf fmt "@[fof(%s,@ %a,@ (![%a]: %a)).@]@\n"
                         name pr_role r
                         (print_list comma pp_print_string) l
                         pr_fof_expr e
        end
     | TFF -> assert false

let pr_fof_decl fmt k d =
  match d with
  | Include _ -> unsupported "Include"
  | Formula(TFF,_,role,top_formula,_) -> unsupported "TFF"
  | Formula(kind,name,role,top_formula,_) ->
    pr_fof_top_formula fmt name kind role top_formula;
    match k with
    | None -> Some kind
    | Some k' -> if k'=kind then k else unsupported "mixed CNF/FOF"


let pr_fof fmt a =
  let k = List.fold_left (pr_fof_decl fmt) None a in
  match k with
  | Some CNF ->
    fprintf fmt "fof(contradiction,conjecture,$false).@."
  | None -> unsupported "empty file ??"
  | _ -> fprintf fmt "@."

let run_file ~print file =
  try
    let ast = Tptp_lexer.load file in
    printf "File '%s': parsing OK.@." file;
    if print then
      begin
        let ch = open_out "tmp.p" in
        let fmt = formatter_of_out_channel ch in
        pr_fof fmt ast;
        close_out ch
      end
    else
      let _,l = tr_file ast in
      run_test (Filename.basename file) l;
    exit 0
  with
  | Tptp_lexer.FileNotFound f ->
    eprintf "File not found: %s@." f; exit 2
  | Unsupported s ->
      eprintf "File %s: '%s' is not supported@." file s; exit 1
  | e ->
    eprintf "Parsing error: %a@." Why3.Exn_printer.exn_printer e;
    exit 2

let () =
  printf "The safe prover, version 0.0.1@.";
  if Array.length Sys.argv = 1 then run_all_tests ()
  else
    try
      let arg = Sys.argv.(1) in
      match arg with
      | "-version" -> exit 0
      | "-print" ->
         if Array.length Sys.argv <> 3 then raise Exit;
         run_file ~print:true Sys.argv.(2)
      | _ ->
         if Array.length Sys.argv <> 2 then raise Exit;
         run_file ~print:false arg
    with Exit ->
      begin
        eprintf "Usage: %s [options] [file]@\n\
                  -version: prints the version@\n\
                  -print  : reprints the file in TPTP/FOF without includes@\n\
                 Internal tests are run if no file is given@."
                Sys.argv.(0);
        exit 2
      end
why3-1.6.0/examples/prover/test_binders.p000066400000000000000000000001001440160026300203740ustar00rootroot00000000000000fof(test_binders,conjecture,
  (? [X,Y] : (p(X,Y) => p(Y,X)))).
why3-1.6.0/examples/python/000077500000000000000000000000001440160026300155435ustar00rootroot00000000000000why3-1.6.0/examples/python/arrays.py000066400000000000000000000021361440160026300174200ustar00rootroot00000000000000###################################################
#                 ...[expr] += ...                #
###################################################

def side_effect1(tab):
    #@ ensures result == 0
    #@ ensures len(tab) == len(old(tab)) + 1
    tab.append(1)
    return 0

a = [0]
tab = []

a[side_effect1(tab)] += 1

#@ assert a[0] == 1
#@ assert len(tab) == 1


###################################################
#                 expr[...] += ...                #
###################################################

def side_effect2(tab):
    #@ ensures result[0] == 0
    #@ ensures len(result) == 1
    #@ ensures len(tab) == len(old(tab)) + 1
    tab.append(1)
    return [0]

tab.clear()

side_effect2(tab)[0] += 1

#@ assert len(tab) == 1


###################################################
#                     expr[:]                     #
###################################################

def side_effect3(tab):
    #@ ensures len(result) == 3
    #@ ensures len(tab) == len(old(tab)) + 1
    tab.append(1)
    return [0, 1, 2]

tab.clear()

side_effect3(tab)[:]

#@ assert len(tab) == 1
why3-1.6.0/examples/python/arrays/000077500000000000000000000000001440160026300170445ustar00rootroot00000000000000why3-1.6.0/examples/python/arrays/why3session.xml000066400000000000000000000010511440160026300220610ustar00rootroot00000000000000






 
 
 



why3-1.6.0/examples/python/arrays/why3shapes.gz000066400000000000000000000007231440160026300215060ustar00rootroot00000000000000}S]0|[;B!g=B\ҟYI})Aٕ3]k=N:_/_[}iN%	R0ە.zyQ#hn[Ȭ`
@B,k%jl5Ir-}[c‹JЀ
@mrL7%@!; LEvg|'u3Qgxz&K(k\6O9Q$l2 UH1*K":ݩP"n.aQc3KS6jd^`d#Xx\%Y	YZWŪn!"]K s == i*(i-1)//2
    #@ invariant i > 42 -> s + 42 == i*(i-1)//2
    if i == 42:
        continue
    s += i

#@ assert s == 4908
why3-1.6.0/examples/python/break_continue/000077500000000000000000000000001440160026300205335ustar00rootroot00000000000000why3-1.6.0/examples/python/break_continue/why3session.xml000066400000000000000000000010711440160026300235520ustar00rootroot00000000000000






 
 
 



why3-1.6.0/examples/python/break_continue/why3shapes.gz000066400000000000000000000006101440160026300231700ustar00rootroot00000000000000RN0+rQj*J9"7Eڎ,!.\K̈£!p$DsCb3l^p'	\jDLYH@cv^VX[TVzE|B\)Xf߲>
^گ*cIcĹB|ꨈ8K+4Y8k}
	
yP+,*-ٺ"QH!	IVܟ'DF׆N
"ܤ<_/[M`Vz9.Yg	q9ؓ]_Qw.ܜ%ld6CsHedMw1AwSjPJ)}&&}LKwhy3-1.6.0/examples/python/check_duplicates.py000066400000000000000000000003531440160026300214100ustar00rootroot00000000000000def check_duplicates(elt, tab):
    #@ ensures result == occurrence(elt, tab, 0, len(tab))
    nb = 0
    for e in tab:
        #@ invariant nb == occurrence(elt, tab, 0, e'index)
        if e == elt:
            nb += 1
    return nb
why3-1.6.0/examples/python/check_duplicates/000077500000000000000000000000001440160026300210355ustar00rootroot00000000000000why3-1.6.0/examples/python/check_duplicates/why3session.xml000066400000000000000000000010751440160026300240600ustar00rootroot00000000000000






 
 
 



why3-1.6.0/examples/python/check_duplicates/why3shapes.gz000066400000000000000000000004041440160026300234730ustar00rootroot00000000000000uPMk@+6%ZTX>DhYI5b񲼯v'}3;z(cK{iY"pb[҇WǐS/e*fNt%.mE^ˏ
\qmPA^_eҦHa>w}3gCj%zـT"P萾Uplթi;4|`FEPF ފ;:
{{8C۔~cF)!why3-1.6.0/examples/python/concat.py000066400000000000000000000011601440160026300173620ustar00rootroot00000000000000def concat(l1, l2):
    #@ ensures len(result) == len(l1) + len(l2)
    #@ ensures forall i. 0 <= i < len(l1) -> result[i] == l1[i]
    #@ ensures forall i. 0 <= i < len(l2) -> result[len(l1) + i] == l2[i]

    size1 = len(l1)
    size2 = len(l2)
    size = size1 + size2

    res = [-1] * size

    for i in range(size1):
        #@ invariant forall j. 0 <= j < i -> res[j] == l1[j]
        res[i] = l1[i]

    for i in range(size2):
        #@ invariant forall j. 0 <= j < i -> res[len(l1) + j] == l2[j]
        #@ invariant forall j. 0 <= j < len(l1) -> res[j] == l1[j]
        res[size1 + i] = l2[i]
    
    return res
why3-1.6.0/examples/python/concat/000077500000000000000000000000001440160026300170125ustar00rootroot00000000000000why3-1.6.0/examples/python/concat/why3session.xml000066400000000000000000000010541440160026300220320ustar00rootroot00000000000000






 
 
 



why3-1.6.0/examples/python/concat/why3shapes.gz000066400000000000000000000007201440160026300214510ustar00rootroot00000000000000eSMk0WݖRڅ`6qhi_X+r==7ͻ/ks&<އ'%iwyi=-ք(IUڕ3ki?l
lm@eFpJhڤ(jhWڬ
vXXe馪Q=W‘=:!E'O.
)jQvJlQ 7C,o13ɩw"iQ$&A(ϱrV'{H[d7an-`A榵dEB$QLfVi_vZ-IV0(V0dTP4	QLtqr6ޚٖ	4NZu%z&6&quOL)k3Yn==auOK^]7]pYΎF`Fc0˱L]Lwhy3-1.6.0/examples/python/dicho.py000066400000000000000000000014371440160026300172100ustar00rootroot00000000000000
from random import randint

n = 42
a = [0] * n
#@ assert len(a) == n

a[0] = randint(0, 100)
for i in range(1, n):
    #@ invariant forall i1, i2. 0 <= i1 <= i2 < i -> a[i1] <= a[i2]
    a[i] = a[i-1] + randint(0, 10)

#@ assert forall i1, i2. 0 <= i1 <= i2 < len(a) -> a[i1] <= a[i2]

print(a)
v = int(input("quelle valeur cherchez-vous : "))

l = 0
u = n-1
r = -1
while l <= u:
    #@ invariant 0 <= l and u < n
    #@ invariant r == -1
    #@ invariant forall i. 0 <= i < n -> a[i] == v -> l <= i <= u
    #@ variant   u-l
    m = (l + u) // 2
    if a[m] < v:
        l = m+1
    elif a[m] > v:
        u = m-1
    else:
        r = m
        break

if r == -1:
    #@ assert forall i. 0 <= i < n -> a[i] != v
    print("valeur absente")
else:
    #@ assert a[r] == v
    print("position", r)

why3-1.6.0/examples/python/dicho/000077500000000000000000000000001440160026300166315ustar00rootroot00000000000000why3-1.6.0/examples/python/dicho/why3session.xml000066400000000000000000000117541440160026300216610ustar00rootroot00000000000000






 
 
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
 
 



why3-1.6.0/examples/python/dicho/why3shapes.gz000066400000000000000000000040121440160026300212660ustar00rootroot00000000000000Wn8}Лw'b2
`iѯawж-^ԒN6n9ug~As?^AS8vߦ;/xڋ >Pp?\؋띿Oև bq8S\Ȳ*z`ehhw1w|}'D/5-TEճ~6q:VNj^{BQ<<^0)lպQWqysOFvO|3C'=[/CiG
q6vcIrq6K_.f[3geѭ떎%1ci񣟼5|Y"/O,GɱVg.ɍ[N-bՀ({5Uݵ,%}:tJ^:^:>-U=MkYٛ_}|L'e2(>1eg@|H}ДS>5
ҍ?|OoXaDt+X̆\_UU:^&I&mY܆
^xGW>iYkZ)i2dݫXXlauc4Q3dJTTei{lVUmeZmeِ"gs꘠9єia/X^[mV)[Y8li[i-v*,kdUwn-J~ȭu?YVGۑtU-!|d4il Ч %z' Z:"n`LʶwSCy_
wrWzTl:FJ#'~0f4z4t55why3-1.6.0/examples/python/even.py000066400000000000000000000004051440160026300170510ustar00rootroot00000000000000def even (start, stop):
  #@ ensures forall i. 0 <= i < len(result) -> result[i] % 2 == 0
  step = 0
  deb = 0
  if start < stop:
    step = 2
  else:
    step = -2
  if start % 2 == 0:
    deb = start
  else:
    deb = start + 1
  return range(deb, stop, step)why3-1.6.0/examples/python/even/000077500000000000000000000000001440160026300165005ustar00rootroot00000000000000why3-1.6.0/examples/python/even/why3session.xml000066400000000000000000000010461440160026300215210ustar00rootroot00000000000000






 
 
 



why3-1.6.0/examples/python/even/why3shapes.gz000066400000000000000000000007351440160026300211450ustar00rootroot00000000000000m[0+MX]Ɩl!BB}VqMRgv.4sF:-os,>ñ~<˃D룭M"sA[9
 hL+\r&3Y
\0zP2$˿ hJJևx	8lWcՑ4\At=# GzHTS%Zc#Yw%y/1}Ma(XOM6hg4Qy.s2}S|5jgnծ)YM<n9rN\ZYGnv
T+W1- de -n-g
;]T,;$uyFq0?PlM&Ajz+7$oj+O= 1
    #@ variant n
    if n <= 1:
        return 1
    return n * fact(n - 1)
why3-1.6.0/examples/python/fact/000077500000000000000000000000001440160026300164605ustar00rootroot00000000000000why3-1.6.0/examples/python/fact/why3session.xml000066400000000000000000000010471440160026300215020ustar00rootroot00000000000000






 
 
 



why3-1.6.0/examples/python/fact/why3shapes.gz000066400000000000000000000002521440160026300211170ustar00rootroot00000000000000=
0DԂ%mD(
9޷m+	fxl3Gz(?.DGeN-VV(C@mPVYugj@H2 ,XtLiW` l[j1] <= l[j2])
    for i in range(len(l)-1):
        #@ invariant forall j1,j2. 0 <= j1 <= j2 <= i -> l[j1] <= l[j2]
        if l[i+1] < l[i]:
            return False
    return True

a = [2, 3, 4]
a.sort()
c = is_sorted(a)

#@ assert c
why3-1.6.0/examples/python/is_sorted/000077500000000000000000000000001440160026300175365ustar00rootroot00000000000000why3-1.6.0/examples/python/is_sorted/why3session.xml000066400000000000000000000046221440160026300225620ustar00rootroot00000000000000








 
 
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
 
 



why3-1.6.0/examples/python/is_sorted/why3shapes.gz000066400000000000000000000021071440160026300221760ustar00rootroot00000000000000V[o6~ϯ۶s0@$uNP\ ׁe]tI{Q[3`hkRI	Ss_ӱiͧV!*?6x!碈gFUfkj߿6&޽6N3SOꀧ,U٩	mai7%LÇpypRaѹy`aGs*s\oq7ꗻ\8G)!(b\_WR]f$rswڅHt^w*b"VDLjx
hԙ?2ҡ/Inp/`)Mě@t(4Jj$dKp5zlcZ9M~&!螭6! ˈТxbSYU)F*{tEZH

}*a
Z\t-Jf8F;FX#y3p`$E?CBRLR&rutuUߐoɵTB%/_(7
why3-1.6.0/examples/python/isqrt.py000066400000000000000000000004451440160026300172620ustar00rootroot00000000000000
print("racine carrée entière")

n = int(input("entrez n : "))
#@ assume n >= 0

r = 0
s = 1
while s <= n:
    #@ invariant 0 <= r
    #@ invariant r * r <= n
    #@ invariant s == (r+1) * (r+1)
    #@ variant   n - s
    r += 1
    s += 2 * r + 1

print(r)
#@ assert r*r <= n < (r+1)*(r+1)
why3-1.6.0/examples/python/isqrt/000077500000000000000000000000001440160026300167055ustar00rootroot00000000000000why3-1.6.0/examples/python/isqrt/why3session.xml000066400000000000000000000010521440160026300217230ustar00rootroot00000000000000






 
 
 



why3-1.6.0/examples/python/isqrt/why3shapes.gz000066400000000000000000000004231440160026300213440ustar00rootroot00000000000000}OJ0+rS+d
P\Qr	]iwMkO4^:mw
	_/T]SrwxځrR`֙yq@i$rVo:;qg'׌KQJJDQ]^ߴ>@wX/F
i!m@-+ƒ890E`^ml#=NTX2uPg/YV{5U}4a}/9;Ywhy3-1.6.0/examples/python/isqrt_fun.py000066400000000000000000000005571440160026300201360ustar00rootroot00000000000000
# same as sqrt.py, but with a function

def isqrt(n):
    #@ requires n >= 0
    #@ ensures  result * result <= n < (result + 1) * (result + 1)
    r = 0
    s = 1
    while s <= n:
        #@ invariant 0 <= r
        #@ invariant r * r <= n
        #@ invariant s == (r+1) * (r+1)
        #@ variant   n - s
        r = r + 1
        s = s + 2 * r + 1
    return r
why3-1.6.0/examples/python/isqrt_fun/000077500000000000000000000000001440160026300175555ustar00rootroot00000000000000why3-1.6.0/examples/python/isqrt_fun/why3session.xml000066400000000000000000000010621440160026300225740ustar00rootroot00000000000000






 
 
 



why3-1.6.0/examples/python/isqrt_fun/why3shapes.gz000066400000000000000000000004141440160026300222140ustar00rootroot00000000000000}Ak0mK)m ]U#ai`}OS3~wozy6{>%=(v(٩.p.{u,ǬSw=?7elEg;ն*ZPe%4=5z~mAP
^&Y+8"je`X9#T^"Ŀ:3$ٷb^08+"Թ6NƾAAwhy3-1.6.0/examples/python/mult.py000066400000000000000000000006131440160026300170760ustar00rootroot00000000000000
print("la multiplication dite russe")

a = int(input("entrez a : "))
b = int(input("entrez b : "))

p = a
q = b

if q < 0:
    p = -a
    q = -b

#@ assert q >= 0

r = 0
while q > 0:
    #@ invariant 0 <= q
    #@ invariant r + p * q == a * b
    #@ variant   q
    print(p, q, r)
    if q % 2 == 1:
        r += p
    p += p
    q //= 2
print(p, q, r)
print("a * b =", r)
#@ assert r == a * b
why3-1.6.0/examples/python/mult/000077500000000000000000000000001440160026300165245ustar00rootroot00000000000000why3-1.6.0/examples/python/mult/why3session.xml000066400000000000000000000010511440160026300215410ustar00rootroot00000000000000






 
 
 



why3-1.6.0/examples/python/mult/why3shapes.gz000066400000000000000000000007171440160026300211710ustar00rootroot00000000000000mRMo0W
ˡVH+"Nwdڢ]獳Řߛ]yHKo<_OwiJHvQD;Xm󩦨:,5BzHtq(-3},
"m#it46+`d
m椊ԌU P]T.aJ2>w䶫鎏D{[J9K9%IKd1kn8}YH8CA;b{rd!%`GJDB-}= 1 -> not lose(n) or not win(n)

#@ assume lose(1)
#@ assume forall n. n >= 1 and lose(n) -> win(n+1) \
#@   and win(n+2) and win(n+3)
#@ assume forall n. n >= 1 and win(n) and win(n+1) \
#@   and win(n+2) -> lose(n+3)

def lemma(n):
    #@ requires n >= 1
    #@ ensures  lose(n) <-> n % 4 == 1
    #@ variant  n
    if n >= 5:
        lemma(n-1)
        lemma(n-2)
        lemma(n-3)
        lemma(n-4)

start = int(input("start = "))
#@ assume start >= 1
n = start
while n >= 1:
    #@ invariant win(n) -> win(start)
    #@ variant n
    print(n, " matches")
    k = int(input("your turn: "))
    #@ assume k == 1 or k == 2 or k == 3
    #@ assume k <= n
    n = n - k
    if n == 0:
        print("you lose")
        break
    if n == 1:
        #@ assert win(start)
        print("you win")
        break
    m = n % 4
    if m == 1:
        k = 1
    elif m == 0:
        k = 3
    else:
        k = m - 1
    lemma(n)
    lemma(n-k)
    #@ assert win(n) -> lose(n - k)
    n -= k
why3-1.6.0/examples/python/nim/000077500000000000000000000000001440160026300163265ustar00rootroot00000000000000why3-1.6.0/examples/python/nim/why3session.xml000066400000000000000000000010501440160026300213420ustar00rootroot00000000000000






 
 
 



why3-1.6.0/examples/python/nim/why3shapes.gz000066400000000000000000000006771440160026300210000ustar00rootroot00000000000000ۊ0)mHʺ`
)CMw6KvVna!7RԗotL|:~M}Nɰ~v;ݘ[Gt҇uS&p?S&$D)'R=zmm&[8gU.X'(hg=YTq;_ϿU+m\HۅkPXH_SSBJ͉<Ұy>a!,3ɔn
90m]/^Au$Y'O`Kԗj3-j\}j2;h˃ZzDo{|*K1̿ܔr&]D^POt|*
Z
$:jYTޒKwhy3-1.6.0/examples/python/pgcd.py000066400000000000000000000003251440160026300170320ustar00rootroot00000000000000
def pgcd(a, b):
    #@ requires a > 0 and b > 0
    while a != b:
        #@ invariant a > 0 and b > 0
        #@ variant a + b
        if a < b:
            b -= a
        else:
            a -= b
    return a

why3-1.6.0/examples/python/pgcd/000077500000000000000000000000001440160026300164605ustar00rootroot00000000000000why3-1.6.0/examples/python/pgcd/why3session.xml000066400000000000000000000010501440160026300214740ustar00rootroot00000000000000






 
 
 



why3-1.6.0/examples/python/pgcd/why3shapes.gz000066400000000000000000000003441440160026300211210ustar00rootroot00000000000000mAo01!`4RӔ)6`jaN#zzx4ힿCBqIU<"?{[tO!o^W&
%7~8|JU]=IsA d]I$aד%ī*#h.!e$$<&J9bDnPUקF84[@@WWhn:#75*
oFwhy3-1.6.0/examples/python/range.py000066400000000000000000000003541440160026300172130ustar00rootroot00000000000000
s = 0

for x in range(100, -1, -1):
    #@ invariant s == 5050 - x*(x+1)//2
    s = s + x

#@ assert s == 5050

s = 0

for x in range(1, 100, 2):
    #@ invariant s == x'index * (2*x'index + 1)
    s = s + x + x+1

#@ assert s == 5050
why3-1.6.0/examples/python/range/000077500000000000000000000000001440160026300166375ustar00rootroot00000000000000why3-1.6.0/examples/python/range/why3session.xml000066400000000000000000000010501440160026300216530ustar00rootroot00000000000000






 
 
 



why3-1.6.0/examples/python/range/why3shapes.gz000066400000000000000000000007411440160026300213010ustar00rootroot0000000000000010w
om'A]РMR$>Ҳݺ$HǦL[>\osScٰ٧/٤U>Dm(a)JMvŌn3fl'ٽfkt>~z8[hVMn`H
bRm
^pyNb
I'*.*Kn=df< e_}ZGT4wh i	,3f)>%F{Zgk,rXV9 4>XMhY8n
/4==)X`Ō<~ 0
    #@ ensures len(result) == len(old(a))
    #@ ensures len(a) == 0
    #@ ensures forall i. 0 <= i < len(result) -> result[i] == (old(a))[-(i+1)]
    #@ label L

    res = []

    while(len(a) != 0):
        #@ invariant len(a) + len(res) == at(len(a), L)
        #@ invariant forall i. 0 <= i < len(res) -> res[i] == at(a[-(i+1)], L)
        #@ invariant forall i. 0 <= i < len(a) -> a[i] == at(a[i], L)
        #@ variant len(a)
        res.append(a.pop())

    return res
why3-1.6.0/examples/python/reverse/000077500000000000000000000000001440160026300172165ustar00rootroot00000000000000why3-1.6.0/examples/python/reverse/why3session.xml000066400000000000000000000010531440160026300222350ustar00rootroot00000000000000






 
 
 



why3-1.6.0/examples/python/reverse/why3shapes.gz000066400000000000000000000006161440160026300216610ustar00rootroot00000000000000UR]k0}W4NG;( {ys);1U(x>~_|}k=,]<$-oFlxo\`Of%e#bAFr(P[PfhԣG@. Ӷp.]Y%6b"&|kSIv9aƫm
FYPAxԍ[.[~~lY;[䶠h0G!c4*.A)tfcR$a36b]n핵QzTAYPzuԢTFp$Lp121/ܥGnOI"G5qNYcu䂬k8KH|oCwhy3-1.6.0/examples/python/sort.py000066400000000000000000000015671440160026300171150ustar00rootroot00000000000000
from random import randint

n = 42
a = [0] * n

### On remplit le tableau "a"

for i in range(0, len(a)):
    a[i] = randint(0, 100)

print(a)

### Et maintenant on le trie

m = 1
while m < len(a):
    #@ invariant 1 <= m <= len(a)
    #@ invariant forall i,j. 0 <= i <= j < m -> a[i] <= a[j]
    #@ variant   len(a) - m
    x = a[m]
    k = m
    while k > 0 and a[k-1] > x:
        #@ invariant 0 <= k <= m
        #@ invariant forall i,j. 0 <= i <= j < k               -> a[i] <= a[j]
        #@ invariant forall i,j. 0 <= i      < k <      j <= m -> a[i] <= a[j]
        #@ invariant forall i,j.               k < i <= j <= m -> a[i] <= a[j]
        #@ invariant forall   j.               k <      j <= m -> x    <  a[j]
        #@ variant   k
        a[k] = a[k-1]
        k = k - 1
    a[k] = x
    m = m + 1

#@ assert forall i,j. 0 <= i <= j < len(a) -> a[i] <= a[j]

print(a)

why3-1.6.0/examples/python/sort/000077500000000000000000000000001440160026300165325ustar00rootroot00000000000000why3-1.6.0/examples/python/sort/why3session.xml000066400000000000000000000113371440160026300215570ustar00rootroot00000000000000







 
 
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
 
 



why3-1.6.0/examples/python/sort/why3shapes.gz000066400000000000000000000042241440160026300211740ustar00rootroot00000000000000W[k$~_oN*t	0m% xel/ҥ{^1[]UUߺ/N/~_}b!}:x Fq?/y1
G(hgig[VBl]NuQy.@31}vΟN]8>cQgx{j>ew#nHSԔ>Fj"0@1	C6:Pe6gU];2-VeUU9fU԰=TUjm2,4OLi.\-RHfJbW{틲
|[|T.gk+)㛾׾
U:]Xwɋ\'+ekLO׼ݷ.Ϗ)ƼUّLz}˒+c&g

7/	(|ReX({hRXsY4L5ð@y]ryLv\N].@:AFu%Ƶs&^cd2Ȗf.[o,DUW3㻒_f5WX\Ѐ?ACV<˶~ooyUji}ݺZ,u0`/;ݲ~dT\}잶sX,RiL@U~7HSn<RB3Yzer^{,>HS.ٖ_ř8o(p	;XTcmh#jfh}O4/oj(3ՕDa"QǼݙNXqIX/BsD	Vb*Tcc&u5Xv"9(K&EUN#Qn[KyQm5{ԥnwu]{[惗]` yTMmov'qsTLfn_+g^Q]SˡŅ-ÙT{#x=欳Rr5mOqѾrO]UPJs`+I%B?c_/t
5ڂ5fcp3TzaۚpNj@v&Iu~S-U#@P42LABXf)emKf[V3\Sڗ^i-̸K^i%׼ɭƔqnj"X|i>!DEJ_2yi/"MK&*4mNP㛌kes .
p/cn<TSfذFTe_7r:NHc"֠EP"~
JRO*%01I)+H8fQ#="-D	@SoH>fH?"pa
0HuNJYG3$!Ie]'ǀ):$0qF!Js}Hm*yNƠx'm@ >I=~ON1&PH٩qL6!NFsTx^AX%;Ucȟ$8IhBʏVzVQPb(8NfюA#߿hנgϤ	ФyR&y:D\lLNV64iRD0BCaё	?b0I1FN{o%g$"[TEnj%iV.Jd
#;ClO}Ԥd?1Illir[gt6'zr,,ZZNil)4M.A6A>~UWh&t`LDϯ@qCTnj߈u6c;KpZE2Zi_"f?h$&?i%As{9Ѥ8ru	l*?lJ~3CJĠ|&AS48
Bg07pS~bvc&~J\%UFF1Hwhy3-1.6.0/examples/python/sum_reverse.py000066400000000000000000000003151440160026300204530ustar00rootroot00000000000000def sum_reverse (l):
    #@ ensures result == 0
    l2 = l.copy()
    l2.reverse()
    t = 0
    for i in range (len(l)):
        #@ invariant t == 0
        t += l[i]
        t -= l2[-(i+1)]
    return t
why3-1.6.0/examples/python/sum_reverse/000077500000000000000000000000001440160026300201025ustar00rootroot00000000000000why3-1.6.0/examples/python/sum_reverse/why3session.xml000066400000000000000000000010631440160026300231220ustar00rootroot00000000000000






 
 
 



why3-1.6.0/examples/python/sum_reverse/why3shapes.gz000066400000000000000000000005221440160026300225410ustar00rootroot00000000000000}Qj0+tkJqJRSϺ"м~g$v/=H]jG3}%v'|zV=e	::_湧e-o<HcXr5y8~!*/e4[^cC<xË#YBE,t6H!bFu#iu
Jz.Wcц0 FET	zhsS$Kl=0Zyws u-9xe
*]JRiտ}[MP}зvytIjέ:e[2Ru.rcR_})nwhy3-1.6.0/examples/python/triangular.py000066400000000000000000000004061440160026300202650ustar00rootroot00000000000000
print("somme des n premiers entiers")

n = int(input("entrez n : "))
#@ assume n >= 0

s = 0
k = 0
while k <= n:
    #@ invariant k <= n+1
    #@ invariant s == (k - 1) * k // 2
    #@ variant n - k
    s += k
    k += 1

print(s)
#@ assert s == n * (n+1) // 2
why3-1.6.0/examples/python/triangular/000077500000000000000000000000001440160026300177135ustar00rootroot00000000000000why3-1.6.0/examples/python/triangular/why3session.xml000066400000000000000000000010651440160026300227350ustar00rootroot00000000000000






 
 
 



why3-1.6.0/examples/python/triangular/why3shapes.gz000066400000000000000000000004021440160026300223470ustar00rootroot00000000000000UON0|W
f'E**ݘTT
N$wϷ?'/c< int

#@ assume factorial(0) == 1

#@ assume forall n. n > 0 -> factorial(n) == n * factorial(n-1)

def routine(n):
    #@ requires n >= 0
    #@ ensures  result == factorial(n)
    u = 1
    for r in range(n):
        #@ invariant u == factorial(r)
        v = u
        for s in range(1, r+1):
            #@ invariant u == s * factorial(r)
            u += v
    return u
why3-1.6.0/examples/python/turing/000077500000000000000000000000001440160026300170535ustar00rootroot00000000000000why3-1.6.0/examples/python/turing/why3session.xml000066400000000000000000000010511440160026300220700ustar00rootroot00000000000000






 
 
 



why3-1.6.0/examples/python/turing/why3shapes.gz000066400000000000000000000004551440160026300215170ustar00rootroot00000000000000mN0:ٍF- int

def test1(x):
    #@ requires f(x) == f(x)
    return len(x)

print(test1([1,2,3]))

#@ function g(x: list[int]) -> int

#@ assume forall l. g(l) == len(l)

def test2(x):
    #@ requires x[0] == 1
    #@ requires len(x) == 3
    #@ ensures result > g(x)
    return x[0] + len(x)

print(test2([1,2,3]))

def test3(x: list[int]) -> int:
    #@ ensures result == g(x)
    return len(x)

def test4(x: list) -> int:
    return len(x)

why3-1.6.0/examples/python/types/000077500000000000000000000000001440160026300167075ustar00rootroot00000000000000why3-1.6.0/examples/python/types/why3session.xml000066400000000000000000000010471440160026300217310ustar00rootroot00000000000000






 
 
 



why3-1.6.0/examples/python/types/why3shapes.gz000066400000000000000000000005571440160026300213560ustar00rootroot00000000000000Un ~
nmSUJ"EZ;Y4j~w006~^Ap^>D%V/9UOT[?ӥ?8;qTmP-=iNH,$d8qu
u;Ӥ8Pմ@zߦ"RSE0mb,Tf!durgH*S24;
*8D0(:{-:vN0c;m^?8cj:8('#- yLw")A.,e ,32yaiR,4&3j ۱)ܧ7qKQRm@Jڠ@)ԗ,ywhy3-1.6.0/examples/queens.mlw000066400000000000000000000125761440160026300162560ustar00rootroot00000000000000
(* Verification of the following 2-lines C program solving the N-queens puzzle:

   t(a,b,c){int d=0,e=a&~b&~c,f=1;if(a)for(f=0;d=(e-=d)&-e;f+=t(a-d,(b+d)*2,(
   c+d)/2));return f;}main(q){scanf("%d",&q);printf("%d\n",t(~(~0< i >= 1 /\ mem (i - 1) s }

  val pred (s: set): set
    ensures { forall i: int. mem i result <-> i >= 0 /\ mem (i + 1) s }

end

module NQueensSetsTermination

  use S
  use ref.Refint

  let rec t (a b c : set) variant { cardinal a } =
    if not (is_empty a) then begin
      let e = ref (diff (diff a b) c) in
      let f = ref 0 in
      while not (is_empty !e) do
        invariant { subset !e (diff (diff a b) c) }
        variant { cardinal !e }
        let d = min_elt !e in
        f += t (remove d a) (succ (add d b)) (pred (add d c));
        e := remove d !e
      done;
      !f
    end else
      1

end

theory Solution

  use int.Int
  use export map.Map

  (* the number of queens *)
  constant n : int

  type solution = map int int

  (* solutions t and u have the same prefix [0..i[ *)
  predicate eq_prefix (t u: map int 'a) (i: int) =
    forall k: int. 0 <= k < i -> t[k] = u[k]

  predicate eq_sol (t u: solution) = eq_prefix t u n

  (* s stores a partial solution, for the rows 0..k-1 *)
  predicate partial_solution (k: int) (s: solution) =
    forall i: int. 0 <= i < k ->
      0 <= s[i] < n /\
      (forall j: int. 0 <= j < i -> s[i]      <> s[j] /\
                                    s[i]-s[j] <> i-j  /\
                                    s[i]-s[j] <> j-i)

  predicate solution (s: solution) = partial_solution n s

  lemma partial_solution_eq_prefix:
    forall u t: solution, k: int.
    partial_solution k t -> eq_prefix t u k -> partial_solution k u

  predicate lt_sol (s1 s2: solution) =
    exists i: int. 0 <= i < n /\ eq_prefix s1 s2 i /\ s1[i] < s2[i]

  type solutions = map int solution

  (* s[a..b[ is sorted for lt_sol *)
  predicate sorted (s: solutions) (a b: int) =
    forall i j: int. a <= i < j < b -> lt_sol s[i] s[j]

  (* a sorted array of solutions contains no duplicate *)
  lemma no_duplicate:
    forall s: solutions, a b: int. sorted s a b ->
    forall i j: int. a <= i < j < b -> not (eq_sol s[i] s[j])

end

(* 1. Abstract version of the code using sets (not ints) *******************)

module NQueensSets

  use int.Int
  use S
  use ref.Refint
  use Solution

  val ghost col: ref solution  (* solution under construction *)
  val ghost k  : ref int       (* current row in the current solution *)

  val ghost sol: ref solutions (* all solutions *)
  val ghost s  : ref int       (* next slot for a solution
                                  = current number of solutions *)

  let rec t3 (a b c : set) variant { cardinal a }
    requires { 0 <= !k /\ !k + cardinal a = n /\ !s >= 0 /\
      (forall i: int. mem i a <->
        (0<=i  !col[j] <> i)) /\
      (forall i: int. i>=0 -> (not (mem i b) <->
        (forall j: int. 0 <= j < !k -> !col[j] <> i + j - !k))) /\
      (forall i: int. i>=0 -> (not (mem i c) <->
        (forall j: int. 0 <= j < !k -> !col[j] <> i + !k - j))) /\
      partial_solution !k !col }
    ensures { result = !s - old !s >= 0 /\ !k = old !k /\
      sorted !sol (old !s) !s /\
      (forall t: solution.
         ((solution t /\ eq_prefix !col t !k) <->
          (exists i: int. old !s <= i < !s /\ eq_sol t !sol[i]))) /\
      (* assigns *)
      eq_prefix (old !col) !col !k /\
      eq_prefix (old !sol) !sol (old !s) }
  = if not (is_empty a) then begin
      let e = ref (diff (diff a b) c) in
      (* first, you show that if u is a solution with the same k-prefix as col, then
          u[k] (the position of the queen on the row k) must belong to e *)
      assert { forall u:solution. solution u /\ eq_prefix !col u !k ->
               S.mem u[!k] !e };
      let f = ref 0 in
      label L in
      while not (is_empty !e) do
        invariant {
          !f = !s - (!s at L) >= 0 /\ !k = !k at L /\
          subset !e (diff (diff a b) c) /\
          partial_solution !k !col /\
          sorted !sol (!s at L) !s /\
          (forall i j: int. mem i (diff (!e at L) !e) -> mem j !e -> i < j) }
        invariant { forall i:int. (!s at L) <= i < !s ->
           solution !sol[i] /\ eq_prefix !col !sol[i] !k /\
           mem !sol[i][!k] (diff (!e at L) !e) }
        invariant {
          (forall t: solution.
           (solution t /\ eq_prefix !col t !k /\ mem t[!k] (diff (!e at L) !e))
           ->
           mem t[!k] (!e at L) && not (mem t[!k] !e) &&
           (exists i: int. (!s at L) <= i < !s /\ eq_sol t !sol[i])) }
        (* assigns *)
        invariant { eq_prefix (!col at L) !col !k }
        invariant { eq_prefix (!sol at L) !sol (!s at L) }
        variant { cardinal !e }
        let d = min_elt !e in
        ghost col := !col[!k <- d];
        ghost incr k;
        f += t3 (remove d a) (succ (add d b)) (pred (add d c));
        ghost decr k;
        e := remove d !e
      done;
      !f
    end else begin
      ghost sol := !sol[!s <- !col];
      ghost incr s;
      1
    end

  let queens3 (q: int)
    requires { 0 <= q = n /\ !s = 0 /\ !k = 0 }
    ensures { result = !s /\ sorted !sol 0 !s /\
      forall t: solution.
        solution t <-> (exists i: int. 0 <= i < result /\ eq_sol t !sol[i]) }
  = t3 (interval 0 q) (empty ()) (empty ())

end
why3-1.6.0/examples/queens/000077500000000000000000000000001440160026300155225ustar00rootroot00000000000000why3-1.6.0/examples/queens/queens_NQueensSets_VC_t3_2.v000066400000000000000000000242701440160026300227320ustar00rootroot00000000000000(* This file is generated by Why3's Coq driver *)
(* Beware! Only edit allowed sections below    *)
Require Import BuiltIn.
Require BuiltIn.
Require HighOrd.
Require int.Int.
Require map.Map.
Require set.Fset.
Require set.FsetInt.
Require set.SetApp.
Require set.SetAppInt.

(* Why3 assumption *)
Inductive ref (a:Type) :=
  | ref'mk : a -> ref a.
Axiom ref_WhyType : forall (a:Type) {a_WT:WhyType a}, WhyType (ref a).
Existing Instance ref_WhyType.
Arguments ref'mk {a}.

(* Why3 assumption *)
Definition contents {a:Type} {a_WT:WhyType a} (v:ref a) : a :=
  match v with
  | ref'mk x => x
  end.

Parameter n: Numbers.BinNums.Z.

(* Why3 assumption *)
Definition solution := Numbers.BinNums.Z -> Numbers.BinNums.Z.

(* Why3 assumption *)
Definition eq_prefix {a:Type} {a_WT:WhyType a} (t:Numbers.BinNums.Z -> a)
    (u:Numbers.BinNums.Z -> a) (i:Numbers.BinNums.Z) : Prop :=
  forall (k:Numbers.BinNums.Z), (0%Z <= k)%Z /\ (k < i)%Z -> ((t k) = (u k)).

(* Why3 assumption *)
Definition partial_solution (k:Numbers.BinNums.Z)
    (s:Numbers.BinNums.Z -> Numbers.BinNums.Z) : Prop :=
  forall (i:Numbers.BinNums.Z), (0%Z <= i)%Z /\ (i < k)%Z ->
  ((0%Z <= (s i))%Z /\ ((s i) < n)%Z) /\
  (forall (j:Numbers.BinNums.Z), (0%Z <= j)%Z /\ (j < i)%Z ->
   ~ ((s i) = (s j)) /\
   ~ (((s i) - (s j))%Z = (i - j)%Z) /\ ~ (((s i) - (s j))%Z = (j - i)%Z)).

Axiom partial_solution_eq_prefix :
  forall (u:Numbers.BinNums.Z -> Numbers.BinNums.Z)
    (t:Numbers.BinNums.Z -> Numbers.BinNums.Z) (k:Numbers.BinNums.Z),
  partial_solution k t -> eq_prefix t u k -> partial_solution k u.

(* Why3 assumption *)
Definition lt_sol (s1:Numbers.BinNums.Z -> Numbers.BinNums.Z)
    (s2:Numbers.BinNums.Z -> Numbers.BinNums.Z) : Prop :=
  exists i:Numbers.BinNums.Z,
  ((0%Z <= i)%Z /\ (i < n)%Z) /\ eq_prefix s1 s2 i /\ ((s1 i) < (s2 i))%Z.

(* Why3 assumption *)
Definition solutions :=
  Numbers.BinNums.Z -> Numbers.BinNums.Z -> Numbers.BinNums.Z.

(* Why3 assumption *)
Definition sorted
    (s:Numbers.BinNums.Z -> Numbers.BinNums.Z -> Numbers.BinNums.Z)
    (a:Numbers.BinNums.Z) (b:Numbers.BinNums.Z) : Prop :=
  forall (i:Numbers.BinNums.Z) (j:Numbers.BinNums.Z),
  (a <= i)%Z /\ (i < j)%Z /\ (j < b)%Z -> lt_sol (s i) (s j).

Axiom no_duplicate :
  forall (s:Numbers.BinNums.Z -> Numbers.BinNums.Z -> Numbers.BinNums.Z)
    (a:Numbers.BinNums.Z) (b:Numbers.BinNums.Z),
  sorted s a b -> forall (i:Numbers.BinNums.Z) (j:Numbers.BinNums.Z),
  (a <= i)%Z /\ (i < j)%Z /\ (j < b)%Z -> ~ eq_prefix (s i) (s j) n.

(* Why3 goal *)
Theorem t3'vc :
  forall (col:Numbers.BinNums.Z -> Numbers.BinNums.Z) (k:Numbers.BinNums.Z)
    (sol:Numbers.BinNums.Z -> Numbers.BinNums.Z -> Numbers.BinNums.Z)
    (s:Numbers.BinNums.Z) (a:set.SetAppInt.set) (b:set.SetAppInt.set)
    (c:set.SetAppInt.set),
  (0%Z <= k)%Z ->
  ((k + (set.Fset.cardinal (set.SetAppInt.to_fset a)))%Z = n) ->
  (0%Z <= s)%Z ->
  (forall (i:Numbers.BinNums.Z),
   set.Fset.mem i (set.SetAppInt.to_fset a) <->
   ((0%Z <= i)%Z /\ (i < n)%Z) /\
   (forall (j:Numbers.BinNums.Z), (0%Z <= j)%Z /\ (j < k)%Z ->
    ~ ((col j) = i))) ->
  (forall (i:Numbers.BinNums.Z), (0%Z <= i)%Z ->
   ~ set.Fset.mem i (set.SetAppInt.to_fset b) <->
   (forall (j:Numbers.BinNums.Z), (0%Z <= j)%Z /\ (j < k)%Z ->
    ~ ((col j) = ((i + j)%Z - k)%Z))) ->
  (forall (i:Numbers.BinNums.Z), (0%Z <= i)%Z ->
   ~ set.Fset.mem i (set.SetAppInt.to_fset c) <->
   (forall (j:Numbers.BinNums.Z), (0%Z <= j)%Z /\ (j < k)%Z ->
    ~ ((col j) = ((i + k)%Z - j)%Z))) ->
  partial_solution k col -> ~ set.Fset.is_empty (set.SetAppInt.to_fset a) ->
  forall (o:set.SetAppInt.set),
  ((set.SetAppInt.to_fset o) =
   (set.Fset.diff (set.SetAppInt.to_fset a) (set.SetAppInt.to_fset b))) ->
  forall (o1:set.SetAppInt.set),
  ((set.SetAppInt.to_fset o1) =
   (set.Fset.diff (set.SetAppInt.to_fset o) (set.SetAppInt.to_fset c))) ->
  (forall (u:Numbers.BinNums.Z -> Numbers.BinNums.Z),
   partial_solution n u /\ eq_prefix col u k ->
   set.Fset.mem (u k) (set.SetAppInt.to_fset o1)) ->
  forall (f:Numbers.BinNums.Z) (e:set.SetAppInt.set) (s1:Numbers.BinNums.Z)
    (sol1:Numbers.BinNums.Z -> Numbers.BinNums.Z -> Numbers.BinNums.Z)
    (k1:Numbers.BinNums.Z) (col1:Numbers.BinNums.Z -> Numbers.BinNums.Z),
  (f = (s1 - s)%Z) -> (0%Z <= (s1 - s)%Z)%Z -> (k1 = k) ->
  set.Fset.subset (set.SetAppInt.to_fset e)
  (set.Fset.diff
   (set.Fset.diff (set.SetAppInt.to_fset a) (set.SetAppInt.to_fset b))
   (set.SetAppInt.to_fset c)) ->
  partial_solution k1 col1 -> sorted sol1 s s1 ->
  (forall (i:Numbers.BinNums.Z) (j:Numbers.BinNums.Z),
   set.Fset.mem i
   (set.Fset.diff (set.SetAppInt.to_fset o1) (set.SetAppInt.to_fset e)) ->
   set.Fset.mem j (set.SetAppInt.to_fset e) -> (i < j)%Z) ->
  (forall (i:Numbers.BinNums.Z), (s <= i)%Z /\ (i < s1)%Z ->
   partial_solution n (sol1 i) /\
   eq_prefix col1 (sol1 i) k1 /\
   set.Fset.mem (sol1 i k1)
   (set.Fset.diff (set.SetAppInt.to_fset o1) (set.SetAppInt.to_fset e))) ->
  (forall (t:Numbers.BinNums.Z -> Numbers.BinNums.Z),
   partial_solution n t /\
   eq_prefix col1 t k1 /\
   set.Fset.mem (t k1)
   (set.Fset.diff (set.SetAppInt.to_fset o1) (set.SetAppInt.to_fset e)) ->
   set.Fset.mem (t k1) (set.SetAppInt.to_fset o1) /\
   ~ set.Fset.mem (t k1) (set.SetAppInt.to_fset e) /\
   (exists i:Numbers.BinNums.Z,
    ((s <= i)%Z /\ (i < s1)%Z) /\ eq_prefix t (sol1 i) n)) ->
  eq_prefix col col1 k1 -> eq_prefix sol sol1 s ->
  ~ set.Fset.is_empty (set.SetAppInt.to_fset e) ->
  let d := set.FsetInt.min_elt (set.SetAppInt.to_fset e) in
  forall (col2:Numbers.BinNums.Z -> Numbers.BinNums.Z),
  (col2 = (map.Map.set col1 k1 d)) -> forall (k2:Numbers.BinNums.Z),
  (k2 = (k1 + 1%Z)%Z) -> forall (o2:set.SetAppInt.set),
  ((set.SetAppInt.to_fset o2) = (set.Fset.add d (set.SetAppInt.to_fset c))) ->
  set.Fset.mem d (set.SetAppInt.to_fset c) /\
  ((set.Fset.cardinal (set.SetAppInt.to_fset o2)) =
   (set.Fset.cardinal (set.SetAppInt.to_fset c))) \/
  ~ set.Fset.mem d (set.SetAppInt.to_fset c) /\
  ((set.Fset.cardinal (set.SetAppInt.to_fset o2)) =
   ((set.Fset.cardinal (set.SetAppInt.to_fset c)) + 1%Z)%Z) ->
  forall (o3:set.SetAppInt.set),
  (forall (i:Numbers.BinNums.Z),
   set.Fset.mem i (set.SetAppInt.to_fset o3) <->
   (0%Z <= i)%Z /\ set.Fset.mem (i + 1%Z)%Z (set.SetAppInt.to_fset o2)) ->
  forall (o4:set.SetAppInt.set),
  ((set.SetAppInt.to_fset o4) = (set.Fset.add d (set.SetAppInt.to_fset b))) ->
  set.Fset.mem d (set.SetAppInt.to_fset b) /\
  ((set.Fset.cardinal (set.SetAppInt.to_fset o4)) =
   (set.Fset.cardinal (set.SetAppInt.to_fset b))) \/
  ~ set.Fset.mem d (set.SetAppInt.to_fset b) /\
  ((set.Fset.cardinal (set.SetAppInt.to_fset o4)) =
   ((set.Fset.cardinal (set.SetAppInt.to_fset b)) + 1%Z)%Z) ->
  forall (o5:set.SetAppInt.set),
  (forall (i:Numbers.BinNums.Z),
   set.Fset.mem i (set.SetAppInt.to_fset o5) <->
   (1%Z <= i)%Z /\ set.Fset.mem (i - 1%Z)%Z (set.SetAppInt.to_fset o4)) ->
  forall (o6:set.SetAppInt.set),
  ((set.SetAppInt.to_fset o6) =
   (set.Fset.remove d (set.SetAppInt.to_fset a))) ->
  set.Fset.mem d (set.SetAppInt.to_fset a) /\
  ((set.Fset.cardinal (set.SetAppInt.to_fset o6)) =
   ((set.Fset.cardinal (set.SetAppInt.to_fset a)) - 1%Z)%Z) \/
  ~ set.Fset.mem d (set.SetAppInt.to_fset a) /\
  ((set.Fset.cardinal (set.SetAppInt.to_fset o6)) =
   (set.Fset.cardinal (set.SetAppInt.to_fset a))) ->
  forall (s2:Numbers.BinNums.Z)
    (sol2:Numbers.BinNums.Z -> Numbers.BinNums.Z -> Numbers.BinNums.Z)
    (k3:Numbers.BinNums.Z) (col3:Numbers.BinNums.Z -> Numbers.BinNums.Z),
  (0%Z <= (s2 - s1)%Z)%Z -> (k3 = k2) -> sorted sol2 s1 s2 ->
  (forall (t:Numbers.BinNums.Z -> Numbers.BinNums.Z),
   partial_solution n t /\ eq_prefix col3 t k3 <->
   (exists i:Numbers.BinNums.Z,
    ((s1 <= i)%Z /\ (i < s2)%Z) /\ eq_prefix t (sol2 i) n)) ->
  eq_prefix col2 col3 k3 -> eq_prefix sol1 sol2 s1 ->
  forall (f1:Numbers.BinNums.Z), (f1 = (f + (s2 - s1)%Z)%Z) ->
  forall (k4:Numbers.BinNums.Z), (k4 = (k3 - 1%Z)%Z) ->
  forall (e1:set.SetAppInt.set),
  ((set.SetAppInt.to_fset e1) =
   (set.Fset.remove d (set.SetAppInt.to_fset e))) ->
  set.Fset.mem d (set.SetAppInt.to_fset e) /\
  ((set.Fset.cardinal (set.SetAppInt.to_fset e1)) =
   ((set.Fset.cardinal (set.SetAppInt.to_fset e)) - 1%Z)%Z) \/
  ~ set.Fset.mem d (set.SetAppInt.to_fset e) /\
  ((set.Fset.cardinal (set.SetAppInt.to_fset e1)) =
   (set.Fset.cardinal (set.SetAppInt.to_fset e))) ->
  sorted sol2 s s2.
(* Why3 intros col k sol s a b c h1 h2 h3 h4 h5 h6 h7 h8 o h9 o1 h10 h11 f e
        s1 sol1 k1 col1 h12 h13 h14 h15 h16 h17 h18 h19 h20 h21 h22 h23 d
        col2 h24 k2 h25 o2 h26 h27 o3 h28 o4 h29 h30 o5 h31 o6 h32 h33 s2
        sol2 k3 col3 h34 h35 h36 h37 h38 h39 f1 h40 k4 h41 e1 h42 h43. *)
Proof.
intros col k sol s a b c h1 h2 h3 h4 h5 h6 h7 h8 o h9 o1 h10 h11 f e
        s1 sol1 k1 col1 h12 h13 h14 h15 h16 h17 h18 h19 h20 h21 h22 h23 d
        col2 h24 k2 h25 o2 h26 h27 o3 h28 o4 h29 h30 o5 h31 o6 h32 h33 s2
        sol2 k3 col3 h34 h35 h36 h37 h38 h39 f1 h40 k4 h41 e1 h42 h43.
red; intros i j hij.
assert (case: (j < s1 \/ s1 <= j)%Z) by omega. destruct case.
do 2 (rewrite <- h39; try omega).
apply h17; omega.
assert (case: (s1 <= i \/ i < s1)%Z) by omega. destruct case.
apply h36; omega.
(* s1 <= i < s2 <= j < s3 *)
red.
subst k1. (* rename k1 into k.*)
assert (k < n)%Z.
generalize (Fset.cardinal_nonneg (SetAppInt.to_fset a)).
generalize (Fset.cardinal_empty (SetAppInt.to_fset a)).
intros.
assert (case: (Fset.cardinal (SetAppInt.to_fset a) = 0 \/ 
              Fset.cardinal (SetAppInt.to_fset a) > 0)%Z) by omega. destruct case.
absurd (Fset.is_empty (SetAppInt.to_fset a)). auto. intuition.
omega.

assert (ha: eq_prefix col1 (sol1 i) k /\ 
       Fset.mem (sol1 i k) (Fset.diff (SetAppInt.to_fset o1) (SetAppInt.to_fset e))).
  apply (h19 i).
  omega.
destruct ha as (ha,hb).

destruct (h37 (sol2 j)) as (_,hj).
destruct hj.
exists j.
split.
intuition.
red; intuition.
clear h36.

exists k.
split. intuition.
(* eq_prefix ... *)
rewrite <- h39; try omega.
split.
red; intros l hl.
rewrite <- H3; try omega.
rewrite <- h38; try omega.
subst col2.
generalize (Map.set'def col1 k d l).
intros (_,h).
rewrite h.
rewrite <- ha; omega.
omega.
(* s[i][k] < s[j][k] *)
apply h18.
rewrite <- h39; try omega.
auto.
rewrite <- H3; try omega.
rewrite <- h38; try omega.
subst col2.
generalize (Map.set'def col1 k d k).
intros (h,_).
rewrite h; try omega.
generalize (set.FsetInt.min_elt_def (SetAppInt.to_fset e)); intuition.
Qed.

why3-1.6.0/examples/queens/why3session.xml000066400000000000000000000462371440160026300205560ustar00rootroot00000000000000










 
 
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
 
 


 
 
 
 
 
 
 


 
 
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
    
    
    
    
   
   
   
   
   
   
   
   
    
    
    
    
   
   
   
   
   
   
   
   
    
    
    
    
   
   
   
   
    
    
     
     
     
     
     
     
     
     
     
     
     
     
     
     
     
    
    
   
   
  
  
  
  
  
  
  
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
    
    
    
    
   
   
   
   
    
    
    
   
   
   
   
    
    
    
    
    
     
     
     
     
     
      
      
      
      
      
      
     
     
    
    
   
   
  
  
  
  
  
   
   
   
   
  
  
  
  
   
   
   
   
   
   
   
   
    
    
     
     
     
    
    
   
   
  
  
  
  
  
  
  
  
  
  
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
  
  
  
  
  
 
 
 
 
 



why3-1.6.0/examples/queens/why3shapes.gz000066400000000000000000000127201440160026300201640ustar00rootroot00000000000000[Yov~_ԾB0
uP+EK|&l[NEdթwNQx_nzCyTMZ{l˕x>O&vy5j4ësj%xfTHu?/]xP¿\v9~=|::>v(q5ˋLSA\\~G]ʻ??~*C>>ǐ§|-c$nÏރ7Fv&ޗ`=Yf'k~H	mWo3wG; „_堽?r 3BΛČ(e/RjR+R=))νs)F
q.@4?~ψ}JO%<;~)5i^Gi(^	vGȝh2܉Wx'Ո.wiQton={9J{sR]3G	[]3>ǟdg2c&\ʧCoǏs6a'y>Ԏy>0aΨVITRW"W2r/S
{yPiJG	G"t	][%=:W~)gɞWK)gI,G]-9kE’hWKD{L%g^
=IgIH%g9+6Rs)ZΒ;9K+E0MtxçcxϔF1סF=GF`g;4ga(q#hFK>!+z,CԨS=@Z
!|8B!1,*t"<:,|d+u6!o\Ȼ~̋=uuQ|קK$+EN',	~(v4xZa5.->).#90=Qǯd
|hƟ6=wwn(lZTpM]Fn)a+]brG>R]}M5#V^OSV̷:f4	=x]gs{?.~SYmx稜r o6/E[%7t=oy	ru8Bq	~%ܝyy膞is瘟70?7
D8
ٟ*0ꎐ;CA	w	%Bڅ4rhSPΌuxWaf:|˻
xsy¹zyñ{8S_Dc@cGsh#Eջ^fj;7cc>B^9׊&e<6r;ٺ(wrXx|inSΞ.;~p)vғ='i"wtD-s]dk]->Z#SUmV#3%JGwvv76hu
>
B
[ԱZ`ܲν«	FEowHf9c\GZx~7hl
\Q7xPi@	&49L.l+ava׶W1j:YNz=<)ތJ?ݕ;uuLqlk~g]'[Ox7_lL+xۏlӏ^=ҏI7'=kx}%n?+b'gr>A:Fڒӈ_7w^ь	zxܤPn#]8~ůJ?|H&?>6qEBJ᪆'`x]wFV/OG3ȸm{Ӏ?4%H Tm2d9srjٲn=-YqSФTXJo#NTnA)H-l+:&YzGڗl+ds)Y
w\Z[8/DFRiS&"RR9k)zUSg!Ϭhs%AUA+N8H7E0EZj9$Hj$EƥjsMqǰR`08AAAAAAAՠחrGˠ*&
dzD	o@ \>X͒ΰNk|Z̙|NJBb5`w}'F?#.$da_#4eYb<#,|JLTI2SѺfYĈ}FR>$`3Fԧ1M8RrYklnF,qGUXL8.!:̙HƁx1XLe
$/jUErd)7Xt䟃ϹoQe
•KB:23GVQB (T05xi
0HfبLuجgϢjy0Ay.J `e`*
G{'FdVrґ.FɎO׸hxUo񉀔 QtvBq4i"݊%tZ`Mn
'989!׀*VCVVfR']'0ʨ901cp}A)uU^1wƔDrX(lřWMS1埛)Ի؂2h=ܗch\XLʨ
jD*xP&z49(
J|90aE18u)#Ʊ{IfUYJUX)EyEJHNg^r)Gifc\ qL
pʍS$]Xdc-b2#-y@E+/YbFċ9]V`>%Aq+>aKj[jWB
`)2[TܺP=
Hb_YHNF1t,0lm\ʙwgRYaEFI1! +ʬ+>^"yAVG#D	\*Ca	P-T@L}2ģT`R6jJ(KAdMHk	K+gх<ɠK!!j2INjM$yVʤ(aXTx*y1$p:I	*2oWƕV1t8X@]tPXd؛t!$QʀT/LK0TCKˆETADSAA7UҊLtP֊nV9N4X@lK5}YwS,!Q57.$BI&Ί)R&$fiT@:|FmdI)(XsW-v"LJ'X72;jV``M)ht]EO,GNd3%SkX`|dNZ*CAKT1䶜^a/+^{(%kuҘ1U:&jj"k9XULj]f5EdNﴚ=^Zl!{3!eMZ~2kVV@5D::hبMkh4d\(̄
F}YnjqdYpeaTO"bEɭ;%zY\W֎y.{Y
&JP|{FԄ4CZJj+m+*,T<dSDWHj
lHl%pGo^bwhy3-1.6.0/examples/queens_bv.mlw000066400000000000000000000260431440160026300167370ustar00rootroot00000000000000
(**

{1 N-queens problem}

Verification of the following 2-lines C program solving the N-queens problem:

{h 
       t(a,b,c){int d=0,e=a&~b&~c,f=1;if(a)for(f=0;d=(e-=d)&-e;f+=t(a-d,(b+d)*2,(
   c+d)/2));return f;}main(q){scanf("%d",&q);printf("%d\n",t(~(~0<<q),0,0));}

    }

*)

(**

{2 finite sets of integers, with succ and pred operations }

*)

theory S

  use int.Int
  use export set.FsetInt

  function succ (fset int) : fset int

  axiom succ_def:
    forall s: fset int, i: int. mem i (succ s) <-> i >= 1 /\ mem (i-1) s

  function pred (fset int) : fset int

  axiom pred_def:
    forall s: fset int, i: int. mem i (pred s) <-> i >= 0 /\ mem (i+1) s

end

(** {2 Formalization of the set of solutions of the N-queens problem} *)

theory Solution

  use int.Int
  use export map.Map

  (** the number of queens *)
  constant n : int

  type solution = map int int

  (** solutions `t` and `u` have the same prefix `[0..i[` *)
  predicate eq_prefix (t u: map int 'a) (i: int) =
    forall k: int. 0 <= k < i -> t[k] = u[k]

  predicate eq_sol (t u: solution) = eq_prefix t u n

  (** `s` stores a partial solution, for the rows `0..k-1` *)
  predicate partial_solution (k: int) (s: solution) =
    forall i: int. 0 <= i < k ->
      0 <= s[i] < n /\
      (forall j: int. 0 <= j < i -> s[i]      <> s[j] /\
                                    s[i]-s[j] <> i-j  /\
                                    s[i]-s[j] <> j-i)

  predicate solution (s: solution) = partial_solution n s

  lemma partial_solution_eq_prefix:
    forall u t: solution, k: int.
    partial_solution k t -> eq_prefix t u k -> partial_solution k u

  predicate lt_sol (s1 s2: solution) =
    exists i: int. 0 <= i < n /\ eq_prefix s1 s2 i /\ s1[i] < s2[i]

  type solutions = map int solution

  (** `s[a..b[` is sorted for `lt_sol` *)
  predicate sorted (s: solutions) (a b: int) =
    forall i j: int. a <= i < j < b -> lt_sol s[i] s[j]

  (** a sorted array of solutions contains no duplicate *)
  lemma no_duplicate:
    forall s: solutions, a b: int. sorted s a b ->
    forall i j: int. a <= i < j < b -> not (eq_sol s[i] s[j])

end

(** {2 More realistic code with bitwise operations} *)

module BitsSpec

  use int.Int
  use S

  constant size : int = 32

  type t = private {
    ghost mdl: fset int;
  }
  invariant { forall i. mem i mdl -> 0 <= i < size }

  val empty () : t
    ensures { is_empty result.mdl }

  val is_empty (x:t) : bool
    ensures { result  <-> is_empty x.mdl }

  val remove_singleton (a b: t) : t
    requires { b.mdl = singleton (min_elt b.mdl) }
    requires { mem (min_elt b.mdl) a.mdl }
    ensures  { result.mdl = remove (min_elt b.mdl) a.mdl }

  val add_singleton (a b: t) : t
    requires { b.mdl = singleton (min_elt b.mdl) }
    (* requires { not (mem (min_elt b.mdl) a.mdl) } *)
    (* this is not required if the implementation uses or instead of add *)
    ensures  { result.mdl = S.add (min_elt b.mdl) a.mdl }

  val mul2 (a: t) : t
    ensures { result.mdl = remove size (succ a.mdl) }

  val div2 (a: t) : t
    ensures { result.mdl = pred a.mdl }

  val diff (a b: t) : t
    ensures { result.mdl = diff a.mdl b.mdl }

  use ref.Ref
  val rightmost_bit_trick (a: t) (ghost min : ref int) : t
    requires { not (is_empty a.mdl) }
    writes   { min }
    ensures  { !min = min_elt a.mdl }
    ensures  { result.mdl = singleton !min }

  use bv.BV32 as BV32
  val below (n: BV32.t) : t
    requires { BV32.ule n (32:BV32.t) }
    ensures  { result.mdl = interval 0 (BV32.t'int n) }
end

(** {2 The 1-bits of an integer, as a set of integers} *)

module Bits

  use int.Int
  use S
  use bv.BV32

  constant size : int = 32

  type t = {
          bv : BV32.t;
    ghost mdl: fset int;
  }
  invariant {
    forall i: int. (0 <= i < size /\ nth bv i) <-> mem i mdl
  }

  let empty () : t
    ensures { is_empty result.mdl }
  = { bv = zeros; mdl = empty }

  let is_empty (x:t) : bool
    ensures { result  <-> is_empty x.mdl }
  = assert {is_empty x.mdl -> x.bv = zeros by x.bv == zeros};
    BV32.eq x.bv zeros

  let remove_singleton (a b: t) : t
    requires { b.mdl = singleton (min_elt b.mdl) }
    requires { mem (min_elt b.mdl) a.mdl }
    ensures  { result.mdl = remove (min_elt b.mdl) a.mdl }
  =
    { bv = bw_and a.bv (bw_not b.bv);
      mdl = ghost remove (min_elt b.mdl) a.mdl }
    (* { bv = sub a.bv b.bv; mdl = remove (min_elt b.mdl) a.mdl } *)

  let add_singleton (a b: t) : t
    requires { b.mdl = singleton (min_elt b.mdl) }
    (* requires { not (mem (min_elt b.mdl) a.mdl) } *)
    (* this is not required if the implementation uses or instead of add *)
    ensures  { result.mdl = S.add (min_elt b.mdl) a.mdl }
  =
    { bv = bw_or a.bv b.bv;
      mdl = ghost S.add (min_elt b.mdl) a.mdl }
    (* { bv = add a.bv b.bv; mdl = add (min_elt b.mdl) a.mdl } *)

  let mul2 (a: t) : t
    ensures { result.mdl = remove size (succ a.mdl) }
  =
    { bv = lsl_bv a.bv (1:BV32.t);
      mdl = ghost remove size (succ a.mdl) }

  let div2 (a: t) : t
    ensures { result.mdl = pred a.mdl }
  =
    { bv = lsr_bv a.bv (1:BV32.t);
      mdl = ghost pred a.mdl }

  let diff (a b: t) : t
    ensures { result.mdl = diff a.mdl b.mdl }
  =
    { bv = bw_and a.bv (bw_not b.bv);
      mdl = ghost diff a.mdl b.mdl }

  predicate bits_interval_is_zeros_bv (a:BV32.t) (i:BV32.t) (n:BV32.t) =
    eq_sub_bv a zeros i n

  predicate bits_interval_is_one_bv (a:BV32.t) (i:BV32.t) (n:BV32.t) =
    eq_sub_bv a ones i n

  predicate bits_interval_is_zeros (a:BV32.t) (i : int) (n : int) =
    eq_sub a zeros i n

  predicate bits_interval_is_one (a:BV32.t) (i : int) (n : int) =
    eq_sub a ones i n

  let rightmost_bit_trick (a: t) : t
    requires { not (is_empty a.mdl) }
    ensures  { result.mdl = singleton (min_elt a.mdl) }
  =
    let ghost n = min_elt a.mdl in
    let ghost n_bv = of_int n in
    assert {bits_interval_is_zeros_bv a.bv zeros n_bv};
    assert {nth_bv a.bv n_bv};
    assert {nth_bv (neg a.bv) n_bv};
    let res = bw_and a.bv (neg a.bv) in
    assert {forall i. 0 <= i < n -> not (nth res i)};
    assert {bits_interval_is_zeros_bv res (add n_bv (1:BV32.t)) (sub (31:BV32.t) n_bv )};
    assert {bits_interval_is_zeros res (n + 1) (31 - n)};
    { bv = res;
      mdl = singleton n }

  let below (n: BV32.t) : t
    requires { BV32.ule n (32:BV32.t) }
    ensures  { result.mdl = interval 0 (t'int n) }
  =
    { bv = bw_not (lsl_bv ones n);
      mdl = ghost interval 0 (t'int n) }

end

module NQueensBits

  use BitsSpec
  use ref.Ref
  use Solution
  use int.Int

  val ghost col: ref solution  (* solution under construction *)
  (* val ghost k  : ref int       (* current row in the current solution *) *)

  val ghost sol: ref solutions (* all solutions *)
  val ghost s  : ref int       (* next slot for a solution =
                                  number of solutions *)

  let rec t (a b c: BitsSpec.t) (ghost k : int)
    requires { n <= size }
    requires { 0 <= k }
    requires { k + S.cardinal a.mdl = n }
    requires { !s >= 0 }
    requires { forall i: int. S.mem i a.mdl <->
        ( 0 <= i < n /\ forall j: int. 0 <= j < k ->  !col[j] <> i) }
    requires { forall i: int.  0 <= i < size ->
        ( not (S.mem i b.mdl) <->
          forall j: int. 0 <= j < k -> i - !col[j] <> k - j) }
    requires { forall i: int. 0 <= i < size ->
        ( not (S.mem i c.mdl) <->
          forall j: int. 0 <= j < k -> i - !col[j] <> j - k ) }
    requires { partial_solution k !col }
    variant { S.cardinal a.mdl }
    ensures { result = !s - old !s >= 0 }
    ensures { sorted !sol (old !s) !s }
    ensures { forall i:int. old !s <= i < !s -> solution !sol[i] /\ eq_prefix !col !sol[i] k }
    ensures { forall u: solution.
        solution u /\ eq_prefix !col u k ->
        exists i: int. old !s <= i < !s /\ eq_sol u !sol[i] }
    (* assigns *)
    ensures { eq_prefix (old !col) !col k }
    ensures { eq_prefix (old !sol) !sol (old !s) }
  = if not (is_empty a) then begin
    let e = ref (diff (diff a b) c) in
    (* first, you show that if u is a solution with the same k-prefix as col, then
       u[k] (the position of the queen on the row k) must belong to e *)
    assert { forall u:solution. solution u /\ eq_prefix !col u k -> S.mem u[k] !e.mdl };
    let f = ref 0 in
    let ghost min = ref (-1) in
    label L in
    while not (is_empty !e) do
      variant { S.cardinal !e.mdl }
      invariant { not (S.is_empty !e.mdl) -> !min < S.min_elt !e.mdl }
      invariant { !f = !s - (!s at L) >= 0 }
      invariant { S.subset !e.mdl (S.diff (S.diff a.mdl b.mdl) c.mdl) }
      invariant { partial_solution k !col }
      invariant { sorted !sol (!s at L) !s }
      invariant { forall i: int. S.mem i (!e.mdl at L) /\ not (S.mem i !e.mdl) -> i <= !min }
      invariant { forall i:int. (!s at L) <= i < !s -> solution !sol[i] /\ eq_prefix !col !sol[i] k /\ 0 <= !sol[i][k] <= !min }
      invariant { forall u: solution.
        (solution u /\ eq_prefix !col u k /\ 0 <= u[k] <= !min)
        ->
        S.mem u[k] (!e.mdl at L) && not (S.mem u[k] !e.mdl) &&
        exists i: int. (!s at L) <= i < !s /\ eq_sol u !sol[i] }
      (* assigns *)
      invariant { eq_prefix (!col at L) !col k }
      invariant { eq_prefix (!sol at L) !sol (!s at L) }
      label N in
      let d = rightmost_bit_trick !e min in
      ghost col := !col[k <- !min];
      assert { 0 <= !col[k] < size };
      assert { not (S.mem !col[k] b.mdl) };
      assert { not (S.mem !col[k] c.mdl) };

      assert { eq_prefix (!col at L) !col k };
      assert { forall i: int. S.mem i a.mdl -> (forall j: int. 0 <= j < k ->  !col[j] <> i) };
      assert { forall i: int. S.mem i (S.remove (S.min_elt d.mdl) a.mdl) <-> (0 <= i < n /\ (forall j: int. 0 <= j < k + 1 ->  !col[j] <> i)) };

      let ghost b' = mul2 (add_singleton b d) in
      assert { forall i: int.  0 <= i < size ->
        S.mem i b'.mdl -> (i = !min + 1 \/ S.mem (i - 1) b.mdl) && not (forall j:int. 0 <= j < k + 1 -> i - !col[j] <> k + 1 - j) };

      let ghost c' = div2 (add_singleton c d) in
      assert { forall i: int.  0 <= i < size ->
        S.mem i c'.mdl -> (i = !min - 1 \/ (i + 1 < size /\ S.mem (i + 1) c.mdl)) && not (forall j:int. 0 <= j < k + 1 -> i - !col[j] <> j - k - 1) };

      label M in
      f := !f + t (remove_singleton a d)
                  (mul2 (add_singleton b d)) (div2 (add_singleton c d)) (k + 1);

      assert { forall i j. (!s at L) <= i < (!s at M) <= j < !s -> (eq_prefix !sol[i] !sol[j] k /\ !sol[i][k] <= (!min at N) < !min = !sol[j][k]) && lt_sol !sol[i] !sol[j]};

      e := remove_singleton !e d
    done;
    assert { forall u:solution. solution u /\ eq_prefix !col u k -> S.mem u[k] (!e.mdl at L) && 0 <= u[k] <= !min  };
    !f
    end else begin
      ghost sol := !sol[!s <- !col];
      ghost s := !s + 1;
      1
    end

  let queens (q: BV32.t)
    requires { BV32.t'int q = n }
    requires { BV32.ule q BV32.size_bv }
    requires { !s = 0 }
    ensures  { result = !s }
    ensures  { sorted !sol 0 !s }
    ensures  { forall u: solution.
      solution u <-> exists i: int. 0 <= i < result /\ eq_sol u !sol[i] }
    =
    t (below q) (empty()) (empty()) 0


  let test8 ()
    requires { size = 32 }
    requires { n = 8 }
  =
    s := 0;
    queens (BV32.of_int 8)

end
why3-1.6.0/examples/queens_bv/000077500000000000000000000000001440160026300162115ustar00rootroot00000000000000why3-1.6.0/examples/queens_bv/why3session.xml000066400000000000000000000522371440160026300212420ustar00rootroot00000000000000

















 
 
 
 
 
 
 


 
 
 


 
 
 
 
 
 
 
 
  
  
   
   
   
   
   
   
  
  
  
  
  
 
 
 
 
 
 
 
 
 
 
  
  
  
  
  
   
   
   
  
  
 
 
 
 
 
 
 
 
 
 
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
   
   
   
  
  
 
 
 
 
 


 
 
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
   
   
   
   
   
   
  
  
  
  
  
  
  
   
   
   
   
   
   
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
   
   
    
    
     
     
     
    
    
    
    
    
   
   
   
   
   
   
   
   
   
   
   
   
   
   
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
   
   
   
   
  
  
  
  
  
  
  
   
   
   
   
   
   
   
   
   
   
   
   
  
  
  
  
   
   
   
   
   
   
   
   
    
    
     
     
      
      
      
      
      
      
     
     
     
     
     
    
    
   
   
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
 
 
 
 
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
 
 
 
 
  
  
  
  
  
  
  
  
  
 
 



why3-1.6.0/examples/queens_bv/why3shapes.gz000066400000000000000000000265111440160026300206560ustar00rootroot00000000000000[o6W73A<6
.Afc|p{^Wχkx6}p~gv
oo~}7N,N[aM݄Y
Ϟg{G1g??\ ꬯)D~_x8۫ݫx
-*ǻ&Uܕ"o,?p_iyuPp&f-^T7guB$,8D(uWss(Lsuw|wpbsI!F)RSxzxQB#̗/~}n{<˜p>1|7Az𾿿nSf㏟]_/woƷU~ϧ%)8vDw6D\yx
 &
gnM
owϜNEAD,ȉ=SNG"l+?ǜt]l7KaˊX]V
)+֔%?oߡdRA>`>5|dF6v~k}=99vxY{S:͢wc%\5޴\^SK$+z|x۲ӥtSv+7W/Ky@Kz^NXJ/?9ԴľZJ#76!*E
ӔBHm+}"t6Ò%J@HI,RU^onޏ'FT*lx'
kokUJXαmO{im}a	hujisj
YΒ:x	<4wA_pPy|w(TxEQ~澁IKx~>Er/m~n#e/uK]REv9x$Q:ܢqkkXGjXמ('JϮ㣵wܬ%zzo7?W'|}77)AwCvK
r~r:NYdOs FSM1A)oLNm%g/Qet&^]i.~\8^0g-5).P}6F_񷟲RO[1.C?1*q%cr9!S\
:	:0%
MwCRLu;ߡnos9]|RETrD4/j
&q!+GlU1rUoªWGGMٯoxi=7	++ZoBEp$	=.פ$^VLm;•(\-YŻrw5jͫvy\}Qп%x\-/VD+P:2T
ըBJv2. 3AnGK8>@RCu`$^J%6}V.%էru8ey^$Acø<,C,9&H͆ikg.P}U尘=DRvL}f:i7yLq3jL7fz7qLq3t7˸t3ntECuW+Q
2MF(vYflfS[;+TR4#pt]Wї-p8kTpt[8~8&c"pdfC9dR;v$HxHX Ȏ	;^(	;v$8$QvJƽ(Hw4i&Wp8%8l/$?;S¯HVJO0ðt&8G/cct| Aj~wqZbvsS}h7hROè~+4ů/[ќ^%
-mKyx$g
-E"[ȌÆ_3bgΈgΈkT]W;CJyJnZmV^^DnnIDLt}Ò4I@~Oe6HO|ěAՕx.\C*NT5UsǬcc܉3~L5cL掭c[o;<$Y}UK:2ci:Dj3xfDf( "\23Ό/e;Wc5cc51VӎzլXYhc5yTcc51q23bgΈɈ4,4k29t
@.ҝ9	YMGͲ٢6O^քCJ.ȉFrkU!'u!]Kۦ&UdODĘ}Av|!r,TSѭr,Deȡr,[!ǶXV!NJrD+8eEtceA:rj ױyJcM2ClŒ^ԖLSJU#,od-1dˌC,kgX0IJ!Ykmdt0ʤ6ra5ChebuV<C4#>eiE[XyE\4XXZؙ!fgȗ2%myl5oۖ}y[1b_O]>	{4(|+r{䞐'*r^xaҙ''jyj4V}U“Ăֵ4<1-OL͓Ɨxaj'e}+s~W8sq-G\͑GJ\8cLqc
G|kk8t)joS-GDmFqD]P+91VM M_>5(_'/6۳AU,z(_w_]QbQvQmEdIǤ̣r<*Wϣr<*t*ٷN\G<*=2ܓϣ @G	mi#Q\M˖m%(+TR|=LG]LQED5QzDQY(1mf4+I]+I]3=JJm>q%gJR7$u+IEЬ
;v6<6Tss|C~nBг7홟x9ǗtWdURWn2!K˷ТՄ~mlF̱
JN/9X_TWkQ^|f1
#m̳A)DܘlCi-̽sG}B=@Y!ʿ!"sTl^xi[ۻyMyXh-:;mrW?,iH)CxOǽO9+ax94-M2eZ{~.H@Wb]ZI-%eZWD>/N(Z	?=\Ǩ'ο;}CFZ()Org8:%.8ҥ❅D:D4QSG_m&Ur>\rmΪYqEiAzg)6
%Ly7w
|/S6oNo ge;G"v;/Movw7;3Ӧ@7KҏweeOn_+WxvHow΁ȁCx׎.pe",Yd;v5'dNmNmN妘UG:
'rBg!B^qB_pBornp"U;'ibO+(·+(|YA/VPzoWPzoh@+Pdߝ_,m5)SJ鼰w]K_r
;v6)<|L
9
*-8[_ouH|g2FΒ$g1BZyθ%I̽bTg:/09S9G	;_+\-;}Kmt݌n	iv--D!bBfZLUh.h*ZKZȆ׽~3 ZH. lboc—N[1?-)eD&$&"M^IQѹ.XH
).~/6DwIO@	`K=
d;8pkIYyS(,j&n&n
׾hC_ķ0/
&~MIȋ
Tח;HYـ/6+ՆT/-ȋ
.DG[(:8֧PT:'`VV|6Ӆ8U?FALK)Ә77\DS#ѫ/
ǜ\_*w0,lgNDBۖue९OsMn_I3q5y䳣4O=%ʤ(9j{UyJi=%9;1-'f)KOIn{JzS6ߠI8p#`GA@2
=PءC@f~ڑ#aGKAB8yk$I7QURoU2ZJFɸBc܆+q#[N
PذH,sIfRzaR9%\{ef]3ZP6UUH2|z^.1TyKQߦJqfV|ʫ-b XH([!,2H|4Xk]s]"].6PaܜIorG4V+&CWl('\,0|Gl=1$]Sk͖ok|
t\_4qI?1V{¬Y*.Џ2B\F$4QXV0¬a.aڌ~YnfDjrbowF<&#[`DkY13BkFkٳv @؁rp0=6=}Zڥ;ؒZm՟x\	îq9lqfG;lff_WObtK_ءYvv|1v/͎Mҹkz\uMxKavmqD~9F\&W0*F|,-j:f#~f|RO|d
l8_JNdt1"*#b0=5FSb䰲΅;^
+=Hؑ# !
*O
-![;7Dܟ-O.P9ȇ4!W"o\*2!j)bEI^ϼ+BXlJ!-VYXcEgKRRSyl'KIK59.Ɋ拖R$#%
,EKR[J\eQ<ϧmpZSJF276Ky[e"2&M5ydnrm+s\2fd"ln,:OK:*榲?	LgVu+vϵ?+[nH]$_$_l^TqB^wɏXq/kWя/DkYw_1fXaI5lF΍,;7r4[~1#~y~}˭"Ѡ`ധ=}Ϭ̓9=Y]O_FЊq;#aN_5q}٤ ѨgYn#Y4h~F9cߗ\9LJp1X%swTν%:G ccM$((G˃ˁw:>QR 1ITo] _A }Y,C֊7{9`ds^j@ll7+.A@Ɣ;=\qo=q9{d]smgs#7QBI|gI
߇X9">#`QHh{7Ǿ;3KԈ+
G)#Su
!t=7B S%3(iD6]/;Wy4mG%턊a)A}%G38{[ukAaN2fuu~+ia(3B~NNOVNaעOfh%쵠unDJ09Qe^	-Am7=
ު7
Շ|{%.h\Oh''4(TՒ! L?yЫAtCi5jϐRGpaS
Y/o1GCzDB{cav샴!N!8p?J5
ZHI/Ub@~J3J	z<^Bj2%E3>я7Hu-GfuqJ:kXǕ*s:hg)(5 s8hOVYřOL:AL`@19B#n/I)(J@0Bx|)lMARZɃT
>P16PHcVɛN9o$hBI%!	 G	7`Ѓ=QVrfF9]p1;8zn/tޡ4t*8.MR)^Hƹiv{mLs봊!0*18Bu>>TCġN|J@fka:1?p$38gbQ@vfPGC``h0CuAY"UAAw19H(:k	[DNd
MBfHP;#O@!CQeڡt!
C=U`eJ(#\&tɍp&	ᨗwjhE9KdHsp$p\']EPwZqT.€,p*7|7{Nͱ{4NE9;v3[(Ѥ&F93hF:`Gyt0sb0qR`a`Nʞ1x:ܻŁc )H͐XR8va0v,4PGef1 Ph1s{
M$4sH7qC8)p8a!.'>O\"=!C8p1c!꯽ڛkڋkϯ=vڹkgvکk'a@%+WjVhU`sPb+K~LrHPG؈ʢ.)YDR@9:=x6LhMQq8'F٧p M/!dУG?BG[hᬰQey-y8݄ɔك5F/@4/BFC9ubb87(hA4AC)&=	!P| ud?==<_N#`>PX2	w0lo
-BK$?1m4%C?= ZX'mA#4I.FE
"L k5(	@LppIC8pY."EXrK{,K3>Ag<>kF6QDFăsMQ窡Ě
I肂Gk|Ď
4PAFuS/D^Ѡ*/;GŢ*ar|tJ(4@/|]Go4an{x1sѮ`6Pu#EZz!GWY]B:a̡1l4sn0/g	aɴR;u0~4 z_O8n;ψC@MMpF):eXҘ2wNw-cAi,ç#:N&`OjWG%pQI8n,DZ{1$ H8pBx
^vv]"u1K|8s-;S@u(
Nep,
z(S MN:9<wԄ>
^o
B6B^T#jeiiP
fڣGZr4wuW	]8,m5
#=2$kXkRkDeQ.xAвaN gMtbia#%Ё蟧pJ\swhy3-1.6.0/examples/queue_two_lists.mlw000066400000000000000000000104351440160026300202010ustar00rootroot00000000000000
(** Implementation of a mutable queue using two lists.

    Author: Léo Andrès (Univ. paris-Sud) *)

module Queue

  use int.Int
  use mach.peano.Peano
  use list.List
  use list.Length
  use list.Reverse
  use list.NthNoOpt
  use list.Append
  use seq.Seq
  use seq.FreeMonoid

  type t 'a = {
    mutable front: list 'a; (* entry *)
    mutable rear: list 'a;  (* exit *)
    ghost mutable seq: Seq.seq 'a;
  }
    invariant { length seq = Length.length front + Length.length rear }
    invariant { Length.length front > 0 -> Length.length rear > 0 }
    invariant {
      forall i. 0 <= i < length seq ->
        seq[i] =
          let n = Length.length rear in
          if i < n then nth i rear
          else nth (Length.length front - 1 - (i - n)) front }

  meta coercion function seq

  let create () : t 'a
    ensures { result = empty }
  = {
    front = Nil;
    rear = Nil;
    seq = empty
  }

  let push (x: 'a) (q: t 'a) : unit
    writes  { q }
    ensures { q = snoc (old q) x }
  = match q.front, q.rear with
    | Nil, Nil -> q.rear <- Cons x Nil
    | _        -> q.front <- Cons x q.front
    end;
    q.seq <- snoc q.seq x

  let rec lemma nth_append (i: int) (l1: list 'a) (l2: list 'a)
    requires { 0 <= i < Length.length l1 + Length.length l2 }
    ensures {
      nth i (Append.(++) l1 l2) =
      if i < Length.length l1 then nth i l1
      else nth (i - Length.length l1) l2 }
    variant { l1 }
  =
    match l1 with
    | Nil -> ()
    | Cons _ r1 ->
      if i > 0 then nth_append (i - 1) r1 l2
    end

  (* TODO: move this to stdlib ? *)
  let rec lemma nth_rev (i: int) (l: list 'a)
    requires { 0 <= i < Length.length l }
    ensures { nth i l = nth (Length.length l - 1 - i) (reverse l) }
    variant { l }
  =
    match l with
    | Nil -> absurd
    | Cons _ s ->
      if i > 0 then nth_rev (i - 1) s
    end

  exception Empty

  let pop (q: t 'a) : 'a
    writes  { q }
    ensures { (old q) <> empty }
    ensures { result = (old q)[0] }
    ensures { q = (old q)[1 ..] }
    raises  { Empty -> q = old q = empty }
  =
    let res = match q.rear with
      | Nil -> raise Empty
      | Cons x Nil -> q.front, q.rear <- Nil, reverse q.front; x
      | Cons x s -> q.rear <- s; x
      end in
    q.seq <- q.seq [1 ..];
    res

  let peek (q: t 'a) : 'a
    ensures { q <> empty }
    ensures { result = q[0] }
    raises  { Empty -> q == empty }
  =
    match q.rear with
    | Nil -> raise Empty
    | Cons x _ -> x
    end

  let safe_pop (q: t 'a) : 'a
    requires { q <> empty }
    writes { q }
    ensures { result = (old q)[0] }
    ensures { q = (old q)[1 ..] }
  = try pop q with Empty -> absurd end

  let safe_peek (q: t 'a) : 'a
    requires { q <> empty }
    ensures { result = q[0] }
  = try peek q with Empty -> absurd end

  let clear (q: t 'a) : unit
    writes { q }
    ensures { q = empty }
  =
    q.seq <- empty;
    q.rear <- Nil;
    q.front <- Nil

  let copy (q: t 'a) : t 'a
    ensures { result == q }
  = {
    front = q.front;
    rear = q.rear;
    seq = q.seq
    }

  let is_empty (q: t 'a)
    ensures { result <-> q == empty }
  =
    match q.front, q.rear with
    | Nil, Nil -> true
    | _ -> false
    end

  let length (q: t 'a) : Peano.t
    ensures { result = Seq.length q.seq }
  =
    let rec length_aux (acc: Peano.t) (l: list 'a) : Peano.t
      ensures { result = acc + Length.length l }
      variant { l }
    = match l with
    | Nil -> acc
    | Cons _ s -> length_aux (Peano.succ acc) s
    end in
    length_aux (length_aux Peano.zero q.front) q.rear

  let transfer (q1: t 'a) (q2: t 'a) : unit
    writes  { q1, q2 }
    ensures { q1 = empty }
    ensures { q2 = (old q2) ++ (old q1) }
  = match q2.rear with
    | Nil ->
      q2.front, q2.rear, q2.seq <- q1.front, q1.rear, q1.seq
    | _ ->
      q2.front <- Append.(++) q1.front (Append.(++) (reverse q1.rear) q2.front);
      q2.seq <- q2.seq ++ q1.seq;
    end;
    clear q1

end

(** the module above is a valid implementation of queue.Queue *)
module Correct
  use Queue as Q
  clone queue.Queue with
    type t = Q.t, exception Empty = Q.Empty,
    val create = Q.create, val push = Q.push, val pop = Q.pop, val peek = Q.peek,
    val safe_pop = Q.safe_pop, val safe_peek = Q.safe_peek,
    val clear = Q.clear, val copy = Q.copy, val is_empty = Q.is_empty,
    val length = Q.length, val transfer = Q.transfer
end
why3-1.6.0/examples/queue_two_lists/000077500000000000000000000000001440160026300174555ustar00rootroot00000000000000why3-1.6.0/examples/queue_two_lists/why3session.xml000066400000000000000000000205531440160026300225020ustar00rootroot00000000000000







 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
 
 


 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 



why3-1.6.0/examples/queue_two_lists/why3shapes.gz000066400000000000000000000076471440160026300221330ustar00rootroot00000000000000ZYo$9~_o;3Fn
\
IDzZkC]{:J^t3u"?R)_?ħt{;W5=E/{FC
5Om7S`89כ(42cާ3ⷞϧ*$q,*qMCMIBCB:y)R`ccPgURzx||$^awI
[wSDAF;W4$Xk2HMP<%N\X
,f~xϟ+}e/ڐuxmJUsv;WAʄO=Bn}KWG(Q\i0iMMS1mm9r^Br84Q_C8o/VYl}'#XԟߐX$6X4:[B#gdLz9~MjdpǷ!DaeW@?d헼9nrmмK[QڧۮfYlcys?up[j/IK[GIV-H=<uU9ft(=w#nN&2[>vоmhNYYW [
'lXr\̀yTV{)[Ι81.sr4¶r\T(|Qv94V]0ͩXRiZMV<`5o=붖u<۬ȶTt>?nZYNT]6qKG]l'yJY7fn%?ũkz^[<y!{ɧ!M3q&\C y
e4l| ʨ:vϣ!hs
91.s4d-9u4m[DCX2/*z
A!,vCotj[@z}CѪJUqǖ/"q4uA[⭍\Fڈ
FomN:n$**0Df}+zHW`1\ΰmY}d%Rn}Жq~}jidSXۯ9P^*V9UeII)çk>SNi2"Wo+uSE\jk*r	^at7``)”.h,UV%yKȪlvThy}),fDؖ0lyB*il7
We(֘h}uUjK0Aؿ;kQ=L&T݆ع
AҏF&{KkCNwx/%Cp]6t}]Ҷ~z7_m3e&tlCE+Z!G;}1ӹun~NQ
*B,jq.,墌
r&SMm7T#ū??۫xS\cZ(RGږG€\o@	wz6vyxIza(ޡ^0?W]2y;|f?vgӴYt[/[+cQ#rKv7dh,P'Oeftp,~t	}ּB5_-6ig^h,Z+!!K:i<Ȍڏ~PsCRNt|7.w6XD޸םiB
I(#Fn $ؽNs<Ȃ!J?Ѧ`1=@s4IAHjУ
JbᤇdRtwl Šg%x>*ktفh4&(C4,cI=lfAȹeA
lPIȅ
~s8[p.cJ8B`RɽfĚQcm\fpCX0LD\u~,RhOI1`lj[%	8p6F*BM"ey@FAARRPN:YR*gAZ
biЊ̊1 <:YGPk!!]H(c
͠A&2>ƆaFit*L1=7pPƠSXeԶCͲ1)!T&ȭ֎&8L:^gG9=zQrgc 2)p3[cۥ7VqorTpl!Ĭp_IL'R#Z%=&&&lDy*q|LrEf0{bn0x<3LI+0NH6Ǥ,3
	:5i9zۉ`a/T+өIK?saXLǨlMFR(tۼhA

|R[Y0XGE
|Ds
 a2[j] < v) /\
    (forall j: int. m < j < r -> v <= a2[j]) /\
    a2[m] = v

  (* partitioning à la Bentley, that is

     l            i          m          r
    +-+----------+----------+----------+
    |v|   < v    |    ?     |   >= v   |
    +-+----------+----------+----------+     *)

  let rec quick_rec (a: array int) (l: int) (r: int) : unit
    requires { 0 <= l <= r <= length a }
    ensures  { sorted_sub a l r }
    ensures  { permut_sub (old a) a l r }
    variant  { r - l }
  = if l + 1 < r then begin
      let v = a[l] in
      let m = ref l in
      label L in
      for i = l + 1 to r - 1 do
        invariant { a[l] = v /\ l <= !m < i }
        invariant { forall j:int. l < j <= !m -> a[j] < v }
        invariant { forall j:int. !m < j <  i -> a[j] >= v }
        invariant { permut_sub (a at L) a l r }
        label K in
        if a[i] < v then begin
          m := !m + 1;
          swap a i !m;
          assert { permut_sub (a at K) a l r }
        end
      done;
      label M in
      swap a l !m;
      assert { qs_partition (a at M) a l !m r v };
      label N in
      quick_rec a l !m;
      assert { qs_partition (a at N) a l !m r v };
      label O in
      quick_rec a (!m + 1) r;
      assert { qs_partition (a at O) a l !m r v };
      assert { qs_partition (a at N) a l !m r v };
    end

  let quicksort (a: array int) =
    ensures { sorted a }
    ensures { permut_all (old a) a }
    quick_rec a 0 (length a)

end

(** {2 Knuth's shuffle}

    A realistic quicksort first shuffles the array. *)

module Shuffle

  use int.Int
  use array.Array
  use array.ArraySwap
  use array.ArrayPermut
  use random.Random

  let shuffle (a: array int) : unit
    writes  { a, Random.s }
    ensures { permut_all (old a) a }
  = for i = 1 to length a - 1 do
      invariant { permut_all (old a) a }
      swap a i (Random.random_int (i+1))
    done

end


module QuicksortWithShuffle

  use array.Array
  use array.IntArraySorted
  use array.ArrayPermut
  use Shuffle
  use Quicksort

  let qs (a: array int) : unit =
    ensures { sorted a }
    ensures { permut_all (old a) a }
    shuffle a;
    quicksort a

end

(** {2 with 3-way partitioning}

    A realistic quicksort also has to use 3-way partitioning, to cope
    with arrays were many values are identical. *)

module Quicksort3way

  use int.Int
  use ref.Refint
  use array.Array
  use array.IntArraySorted
  use array.ArraySwap
  use array.ArrayPermut
  use array.ArrayEq

  predicate qs_partition (a1 a2: array int) (l ml mr r: int) (v: int) =
    permut_sub a1 a2 l r /\
    (forall j: int. l  <= j < ml -> a2[j] < v) /\
    (forall j: int. ml <= j < mr -> a2[j] = v) /\
    (forall j: int. mr <= j < r  -> a2[j] > v)

  (* 3-way partitioning

     l          ml         i          mr          r
    +----------+----------+----------+-----------+
    |   < v    |    = v   |     ?    |    > v    |
    +----------+----------+----------+-----------+       *)

  let rec quick_rec (a: array int) (l r: int) : unit
    requires { 0 <= l <= r <= length a }
    ensures  { sorted_sub a l r }
    ensures  { permut_sub (old a) a l r }
    variant  { r - l }
  = if l + 1 < r then begin
      let v  = a[l] in
      let ml = ref l in
      let mr = ref r in
      let i  = ref (l + 1) in
      label L in
      while !i < !mr do
        invariant { l <= !ml < !i <= !mr <= r }
        invariant { forall j: int. l   <= j < !ml -> a[j] < v }
        invariant { forall j: int. !ml <= j < !i  -> a[j] = v }
        invariant { forall j: int. !mr <= j < r   -> a[j] > v }
        invariant { permut_sub (a at L) a l r }
        variant   { !mr - !i }
        label K in
        if a[!i] < v then begin
          swap a !ml !i;
          incr ml;
          incr i;
          assert { permut_sub (a at K) a l r }
        end else if a[!i] > v then begin
          decr mr;
          swap a !i !mr;
          assert { permut_sub (a at K) a l r }
        end else
          incr i
      done;
      assert { qs_partition (a at L) a l !ml !mr r v };
      label N in
      quick_rec a l !ml;
      assert { qs_partition (a at N) a l !ml !mr r v };
      label O in
      quick_rec a !mr r;
      assert { qs_partition (a at O) a l !ml !mr r v };
      assert { qs_partition (a at N) a l !ml !mr r v }
    end

  let quicksort (a: array int) =
    ensures { sorted a }
    ensures { permut_all (old a) a }
    quick_rec a 0 (length a)

  use Shuffle

  let qs (a: array int) : unit =
    ensures { sorted a }
    ensures { permut_all (old a) a }
    shuffle a;
    quicksort a

end

module Test

  use int.Int
  use array.Array
  use Quicksort

  let test1 () =
    let a = make 3 0 in
    a[0] <- 7; a[1] <- 3; a[2] <- 1;
    quicksort a;
    a

  let test2 () ensures { result.length = 8 } =
    let a = make 8 0 in
    a[0] <- 53; a[1] <- 91; a[2] <- 17; a[3] <- -5;
    a[4] <- 413; a[5] <- 42; a[6] <- 69; a[7] <- 6;
    quicksort a;
    a

  exception BenchFailure

  let bench () raises { BenchFailure -> true } =
    let a = test2 () in
    if a[0] <> -5 then raise BenchFailure;
    if a[1] <> 6 then raise BenchFailure;
    if a[2] <> 17 then raise BenchFailure;
    if a[3] <> 42 then raise BenchFailure;
    if a[4] <> 53 then raise BenchFailure;
    if a[5] <> 69 then raise BenchFailure;
    if a[6] <> 91 then raise BenchFailure;
    if a[7] <> 413 then raise BenchFailure;
    a

end

module Traditional

  use int.Int
  use ref.Refint
  use array.Array
  use array.IntArraySorted
  use array.ArraySwap
  use array.ArrayPermut
  use array.ArrayEq

  let rec quick_rec (a: array int) (l: int) (r: int) : unit
    requires { 0 <= l <= r <= length a }
    ensures  { sorted_sub a l r }
    ensures  { permut_sub (old a) a l r }
    variant  { r - l }
  = if l + 1 >= r then return;
    let v = a[l] in
    let ref i = l in
    let ref j = r in
    while true do
      invariant { l <= i < r-1 }
      invariant { forall k. l <= k <= i -> a[k] <= v }
      invariant { l < j <= r }
      invariant { forall k. j <= k < r -> a[k] >= v }
      invariant { permut_sub (old a) a l r }
      invariant { a[l] = v }
      variant   { j - i }
      label L in
      (* while (a[++i] < v) { if (i == r-1) break; } *)
      incr i;
      while a[i] < v do
        invariant { i at L < i < r }
        invariant { forall k. l <= k < i -> a[k] <= v }
        variant   { r - i }
        if i = r - 1 then break;
        incr i
      done;
      (* while (v < a[--j]) { if (j == l) break; } *)
      decr j;
      while a[j] > v do
        invariant { l <= j < j at L }
        invariant { forall k. j < k < r -> a[k] >= v }
        variant { j }
        if j = l then break;
        decr j;
      done;
      if i >= j then break;
      swap a i j
    done;
    swap a l j;
    quick_rec a l     j;
    quick_rec a (j+1) r

  let quicksort (a: array int) : unit
    ensures { sorted a }
    ensures { permut_all (old a) a }
  = (* insert a call to shuffle here if you wish *)
    quick_rec a 0 (length a)

end
why3-1.6.0/examples/quicksort/000077500000000000000000000000001440160026300162465ustar00rootroot00000000000000why3-1.6.0/examples/quicksort/why3session.xml000066400000000000000000001021601440160026300212660ustar00rootroot00000000000000








 
 
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
 
 
 
 
 


 
 
 


 
 
 


 
 
 
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
 
 
 
 
 
 
 
 


 
 
 
 
 
 
 
 
 


 
 
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
   
   
   
   
   
   
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
   
   
   
   
   
   
   
   
    
    
    
    
    
    
    
    
    
    
    
    
   
   
   
   
    
    
    
    
    
    
    
    
    
    
    
    
   
   
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
   
   
   
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
   
   
   
   
   
   
   
   
    
    
    
    
    
    
    
    
    
    
    
    
   
   
   
   
    
    
    
    
    
    
    
    
    
    
    
    
   
   
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
   
   
   
   
   
   
   
   
   
   
   
   
  
  
  
  
  
 
 
 
 
 



why3-1.6.0/examples/quicksort/why3shapes.gz000066400000000000000000000220541440160026300207110ustar00rootroot00000000000000}Yo\{
{ ű0dӅ^8vi	}{*Ų] Ub9,ozwWy/ſ]ZƷ~Z\Ɵ_dq-_T_7e|{WEuǵ@jZ^wͻx{"]C^K=VEFkW<\ƒu麗߯۵{{9o߿oov!DedW?Ĭ//VS3)ns??LSAdK7] tn³|WLSˁ7Jde5N_˱bob;_zn(Mbo’.S't
0^1#>ɑ$GbYr4A,9O^r]1K1Nea+e/YBjZ	W-¥Ip]$
CS='ۅY?b19WN—T3^=eЈZa#z~XYE,C6͘=rE0̘#fyٰlHg }F*fLկ'VP$@=sg%3ǬcLH2Sh|л2_=%#eW2E#|)tO_GX,' .P|8O\g\ZxNӖ|Rmwuk؅)YlߑIy3W,\.]ƻjDV2U}S9QnOn9''矻TTa€Ÿ0\ҬҬn
gth7G<g;DLEr$ D
K,5OS-DCG}r&h:tMCSǩ^.mT9HЈ4Z@!E
pjm)L?.ۋ&ۚg߾(Dekf&d5}S4ªa
l(Q(cf^W+
쫽{%Cv-kfԵs'q?eyH#
F]8yy>3ͻlm}
mJ
/̈́Q
K~ޠlh2N`G=2|dzY3{?3L-dy}޿{bڴ7_UXJLQGgћ(ό:b09қC8|KapɛdC=_lƠYa2z1\^ɈyE/ǵ4aE4vp,#?i.V|
Énű`B88x܂Q9€_00'>猁u-'܉_{EJ/b˜Wai:>Ze?#M-=l3L|9C'a(!9;^w#a/Y?Q9COq3MQyFcz|8<-<x+x4㝾~O<]RpbmWo[q|^Npˁݬ؇ƍ0?0l0|EF,0a
9|{oW?cc:;'[`P,b`GAx[t@tn^Zt72y[O3r9u	~Z`-YK/Zį=c`t3uowGYg~w`{~3CIn2LXT]InzC]Okgó2e}nXZti铴Qc_(+I@Y2yyPLg}vʳtwɣo&`?O	|^g@a3ΐ|G(Ճ(ek2,6z\krfh.c4z̰~h3nϸqg؟|M#>iaO9䢿W]?\~4G|đ<]~tKߪ)+lm>l䲵auU0[zTگ8#FEn{s<)|4)}_'e5v_'eW㤌^,чb8'u	].A+iu<&]a5<6Fq{Fpa/Z*jڀ<&^S>gpι,'pM>i_ܧXkl(e/._w
ebzzA/|m
Z ׂX^1ш(!iv\ctC%"HVe\!IfWr{E#Y6Ayyi${x1Zz_Ihv@22lz2^P6>^[>_&+Ʈx ןqXܫ><7Jkrj|
>
}eTˏF5ߪ݌NE,m4C60Qtоv%t/7
dl0<57Cs
F4Kh70롹4iǩ9pnu/eڠnjz[~S.6 kj)C{e3˿/?x?o1ooAz#ơc~4eSgX()oZĿzVD<_&;wxfz$IhYӄoz73r7{4 Ivn$y}76fed_SS0BHz9V'{AMPFVhh
gy
v4U+?״=CK&Ĝ^Et$1f΋7f2~zQrhcި`BZ@LZ5W('9
3~FѢc4μ]?nnvp9AqAZ57Ćkhhk45Bk3p5V =w;OԘn!=mb:O3ufMVʆ*3jw͐r?|E%_뗴~xؠ-s:@!E۵uDeƷ_WT/1exy3BartE∢X(eYQOQ&EXQxjOQXxJև$8cU+;2)SkBתՠFVL!y%v;
g%%rH!&cn)i$oJ}ىVGX4O6k1laI8# hZp;WRLC5Fb;(مV;	x@&RW$wY4E'V@DMPjk
2s^QT+tqT5G8ߒ73Ц-jj0
yE@	ҫEoY].€HQVssZ^i-TY[Pr45Յya|^48 dA]
Njx͕;(:'mQ	NPְqP+ق:u
A!oU4:]7&Jê9Vxhͱ2)v4 ,\_'@q-`\
0fģT=\dR&_%2~GVJ	X|{[:*Z 8r"꒔ȝSJ.~A,fPF}1QR	fAS$8KehB?HFנ҅1WFhH!)K(g+(k؝c`opТ:
K7}'LRNB`<8n0B
nE$0Y0kZgfI1Q-°)
) crr|Ò1
nf
WE`@'Qdg0~
A^N"`xd@#"D}G+b1Sj(9P5G#΃(4v:A
9!BJ%0͠(2"FltvR`TFc]Lܚ+/V
.ԛmj^xsD@t'":5
etzqxְW
qP
.ZXy8XqYQ
eD!Ⱥܛ[5MQѧF&?n	m	3YY5B>뿷0L8p*ȖӉ@?ҋI$Iɒ|0{Q`.15.%`4"RmqxQq!%$C|$ae\@03ϵIdU=CJ+a`iTX`=t&t(H	~7bHHa
[$uRtHVr6zdBKK䵈fI'@Ct,Bdx6a$ԨdBsj&*$
TR^E;T%QbIg
i>spN+ k-$[HhH($8h5hBEI-- 0	0sMU4#ۄv#៹ɀ
҇לEp	a
o -7# hgpV??uǠ7U%{Ƅ['ݴ
ee&L!p ibEoѥ	NJN&pZ( QT
8bV9-4X9+Є@Q	oX$KjEDUÚJ"4G->5ND@JQW5Fi9F'@vj"-2BAmc,n7ѴHHG:/HZ4ru@CN|3ɒ(	d"zs,82AAH7әwL(>^oG&xv_w
o\ IG6G~lL	șQ7*rAzE*JQ+h60ڹFo60.A[RB*X䡼- cmxlmZdRr
jlĵHN¢/
JxOƴH+%5Cƅ꣌Ngk䥛>@L.>"d* QF(U4981(V1x=vfVC־PZ+6/]t滠z
/lnSоڽw@$§bV6/X:SjHE.r J3Z$rKmN:5O$	?z!EJM*)eg"T142[%#Q+Rw@C
ټ>E
bU9NL&\˥4>(o{zipB-uT0BJGD``4@r*uǣKZIOh/8_{Swa]]zT
\U	Umv)1sAɗBl#Um
iGXHI5zN!HoДF#JH>:cKCkJ
6&Tl5RYX߇/_=":4eJu=!>+"FaIܣ~9%N&Kր,A[IQc1ntY G.Y
8`5]BDFңbW} \}eQE!EIRJ}':(L$]Q7}{'$dB|0#B}Q.5abZo+6|Ҟ	I
$	6^t>eT>݂|vR;\*I{է]S!T>ժ|>)V~f3Y0/l!U#^\:	J!)!'LAU!O_{DZֈ2
x!D)M?dod ZF`\WklqRZA@F)ҧӴhP\i"Ҟ	!.+0/𾴴YˏHLY+DLHOT,D3	J:ޅcT	'16@O
t$Ҧ7E{Ч0g*,, +SD@S_Tj}o߬m]MiOX@R@)2uAg3o^{	;V mt%!QQ`9ĪU 4RU^daQ>yo4gSD.%{.EZr`UB̷!qY̐]R~)ԿTR's˱:
/~
kntĘmBrA~e>k/BjںVc#(#ᛍ>)ȂC
ox?7|j)G3es
Ԟdtϑ1^'%kJ+A;/~+N/s:AO
P!'rWZqc]Oy
'.+I"[\O}'xO\KZ LPMjʝfVnTGj4&'<Ib'9%"ro?#U﷋Vk{e=6!Vb:ڧ ԴK%d5'5fO"Vk+#H[n)^4٧G
%;TlJ-^%	Obk~',rVùA>ES(~2{'mЄ23:B3,wOnjѹдSqSI#mӑUd|WwIhU#گ	94%?8|pG%MNXV;{o@q124b(i6y߂6%
p'Y_7զ^jXo@\B*Uꘐs8I.7 QYӿ*%y%Ql8Sx_Ct0)UX/`Wgq/UPwhy3-1.6.0/examples/random_access_list.mlw000066400000000000000000000175701440160026300206110ustar00rootroot00000000000000
(** Random Access Lists.
    (Okasaki, "Purely Functional Data Structures", 10.1.2.)

    The code below uses polymorphic recursion (both in the logic
    and in the programs).

    Author: Jean-Christophe Filliâtre (CNRS)
 *)

module RandomAccessList

  use int.Int
  use int.ComputerDivision
  use list.List
  use list.Length
  use list.Nth
  use option.Option

  type ral 'a =
  | Empty
  | Zero    (ral ('a, 'a))
  | One  'a (ral ('a, 'a))

  function flatten (l: list ('a, 'a)) : list 'a =
    match l with
    | Nil -> Nil
    | Cons (x, y) l1 -> Cons x (Cons y (flatten l1))
    end

  let rec lemma length_flatten (l:list ('a, 'a))
    ensures { length (flatten l) = 2 * length l }
    variant { l }
    =
    match l with
    | Cons (_,_) q -> length_flatten q
    | Nil -> ()
    end

  function elements (l: ral 'a) : list 'a =
    match l with
    | Empty    -> Nil
    | Zero l1  -> flatten (elements l1)
    | One x l1 -> Cons x (flatten (elements l1))
    end

  let rec size (l: ral 'a) : int
    variant { l }
    ensures { result = length (elements l) }
    =
    match l with
    | Empty    -> 0
    | Zero  l1 ->     2 * size l1
    | One _ l1 -> 1 + 2 * size l1
    end

  let rec cons (x: 'a) (l: ral 'a) : ral 'a
    variant { l }
    ensures { elements result = Cons x (elements l) }
    =
    match l with
    | Empty    -> One x Empty
    | Zero l1  -> One x l1
    | One y l1 -> Zero (cons (x, y) l1)
    end

  let rec lemma nth_flatten (i: int) (l: list ('a, 'a))
    requires { 0 <= i < length l }
    variant  { l }
    ensures  { match nth i l with
               | None -> false
               | Some (x0, x1) -> Some x0 = nth (2 * i)     (flatten l) /\
                                  Some x1 = nth (2 * i + 1) (flatten l) end }
    =
    match l with
    | Nil -> ()
    | Cons _ r -> if i > 0 then nth_flatten (i-1) r
    end

  let rec lookup (i: int) (l: ral 'a) : 'a
    requires { 0 <= i < length (elements l) }
    variant  { i, l }
    ensures  { nth i (elements l) = Some result }
    =
    match l with
    | Empty    -> absurd
    | One x l1 -> if i = 0 then x else lookup (i-1) (Zero l1)
    | Zero l1  -> let (x0, x1) = lookup (div i 2) l1 in
                  if mod i 2 = 0 then x0 else x1
    end

  let rec tail (l: ral 'a) : ral 'a
    requires { elements l <> Nil }
    variant  { l }
    ensures  { match elements l with
               | Nil -> false
               | Cons _ l -> elements result = l
               end }
    =
    match l with
    | Empty    -> absurd
    | One _ l1 -> Zero l1
    | Zero  l1 -> let (_, x1) = lookup 0 l1 in One x1 (tail l1)
    end

  let rec update (i: int) (y: 'a) (l: ral 'a) : ral 'a
    requires { 0 <= i < length (elements l) }
    variant  { i, l}
    ensures  { nth i (elements result) = Some y}
    ensures  { forall j. 0 <= j < length (elements l) ->
               j <> i -> nth j (elements result) = nth j (elements l) }
    ensures  { length (elements result) = length (elements l) }
    ensures  { match result, l with
               | One _ _, One _ _ | Zero _, Zero _ -> true
               | _                                 -> false
               end }
    =
    match l with
    | Empty    -> absurd
    | One x l1 -> if i = 0 then One y l1 else
                  match update (i-1) y (Zero l1) with
                  | Empty | One _ _ -> absurd
                  | Zero l1         -> One x l1
                  end
    | Zero l1  ->
        let (x0, x1) = lookup (div i 2) l1 in
        let l1' =
          update (div i 2) (if mod i 2 = 0 then (y,x1) else (x0,y)) l1 in
        assert { forall j. 0 <= j < length (elements l) -> j <> i ->
                 match nth (div j 2) (elements l1) with
                 | None -> false
                 | Some (x0,_) -> Some x0 = nth (2 * (div j 2)) (elements l)
                 end
                 && nth j (elements l) = nth j (elements (Zero l1')) };
        Zero l1'
    end

end

(** A straightforward encapsulation with a list ghost model
    (in anticipation of module refinement) *)

module RAL

  use int.Int
  use list.List
  use list.Length
  use option.Option
  use list.Nth
  use RandomAccessList

  type t 'a = { r: ral 'a; ghost l: list 'a }
    invariant { l = elements r }

  let constant empty : t 'a = { r = Empty; l = Nil }
    ensures { result.l = Nil }

  let size (t: t 'a) : int
    ensures { result = length t.l }
    =
    size t.r

  let cons (x: 'a) (s: t 'a) : t 'a
    ensures { result.l = Cons x s.l }
    =
    { r = cons x s.r; l = Cons x s.l }

  let lookup (i: int) (s: t 'a) : 'a
    requires { 0 <= i < length s.l }
    ensures { Some result = nth i s.l }
    =
    lookup i s.r

end

(** Model using sequences instead of lists *)

module RandomAccessListWithSeq

  use int.Int
  use int.ComputerDivision
  use seq.Seq

  type ral 'a =
  | Empty
  | Zero    (ral ('a, 'a))
  | One  'a (ral ('a, 'a))

  function flatten (s: seq ('a, 'a)) : seq 'a =
    create (2 * length s)
           (fun i -> let (x0, x1) = s[div i 2] in
                     if mod i 2 = 0 then x0 else x1)

  lemma cons_flatten : forall x y :'a,s:seq ('a,'a).
    let a = flatten (cons (x,y) s) in
    let b = cons x (cons y (flatten s)) in
    a = b by a == b by forall i. 0 <= i < a.length -> a[i] = b[i]
    by (i <= 1 so (cons (x,y) s)[div i 2] = (x,y))
       \/ (i >= 2 so (cons (x,y) s)[div i 2] = s[div (i-2) 2]
       )

  function elements (l: ral 'a) : seq 'a =
    match l with
    | Empty    -> empty
    | Zero l1  -> flatten (elements l1)
    | One x l1 -> cons x (flatten (elements l1))
    end

  let rec size (l: ral 'a) : int
    variant { l }
    ensures { result = length (elements l) }
    =
    match l with
    | Empty    -> 0
    | Zero  l1 ->     2 * size l1
    | One _ l1 -> 1 + 2 * size l1
    end

  let rec cons (x: 'a) (l: ral 'a) : ral 'a
    variant { l }
    ensures { elements result == cons x (elements l) }
    =
    match l with
    | Empty    -> One x Empty
    | Zero l1  -> One x l1
    | One y l1 -> Zero (cons (x, y) l1)
    end

  let rec lookup (i: int) (l: ral 'a) : 'a
    requires { 0 <= i < length (elements l) }
    variant  { i, l }
    ensures  { (elements l)[i] = result }
    =
    match l with
    | Empty    -> absurd
    | One x l1 -> if i = 0 then x else lookup (i-1) (Zero l1)
    | Zero l1  -> let (x0, x1) = lookup (div i 2) l1 in
                  if mod i 2 = 0 then x0 else x1
    end

   let rec tail (l: ral 'a) : ral 'a
    requires { 0 < length (elements l) }
    variant  { l }
    ensures  { elements result == (elements l)[1..] }
    =
    match l with
    | Empty    -> absurd
    | One _ l1 -> Zero l1
    | Zero  l1 -> let (_, x1) as p = lookup 0 l1 in
      let tl = tail l1 in
      assert { elements l1 == cons p (elements tl) };
      One x1 tl
    end

  (** update in O(log n)
      for this, we need to pass a function that will update the element
      when we find it *)

  function setf (s: seq 'a) (i: int) (f: 'a -> 'a) : seq 'a =
    set s i (f s[i])

  let function aux (i: int) (f: 'a -> 'a) : ('a, 'a) -> ('a, 'a) =
    fun z -> let (x,y) = z in if mod i 2 = 0 then (f x, y) else (x, f y)

  let rec fupdate (f: 'a -> 'a) (i: int) (l: ral 'a) : ral 'a
    requires { 0 <= i < length (elements l) }
    variant  { i, l }
    ensures  { elements result == setf (elements l) i f }
    =
    match l with
    | Empty    -> absurd
    | One x l1 -> if i = 0 then One (f x) l1 else
                  cons x (fupdate f (i-1) (Zero l1))
    | Zero l1  ->
      let ul1 = fupdate (aux i f) (div i 2) l1 in
      let res = Zero ul1 in
      assert { forall j. 0 <= j < length (elements res) ->
        (elements res)[j] = (setf (elements l) i f)[j]
        by div j 2 <> div i 2 ->
          (elements ul1)[div j 2] = (elements l1)[div j 2]
      };
      res
    end

  let function f (y: 'a) : 'a -> 'a = fun _ -> y

  let update (i: int) (y: 'a) (l: ral 'a) : ral 'a
    requires { 0 <= i < length (elements l) }
    ensures  { elements result == set (elements l) i y}
    =
    fupdate (f y) i  l

end
why3-1.6.0/examples/random_access_list/000077500000000000000000000000001440160026300200565ustar00rootroot00000000000000why3-1.6.0/examples/random_access_list/why3session.xml000066400000000000000000000357541440160026300231140ustar00rootroot00000000000000









 
 
  
  
  
  
  
   
   
   
  
  
 
 
 
 
 
 
 
 
 
 
  
  
  
  
  
  
  
  
   
   
    
    
     
     
      
      
      
      
     
     
    
    
    
    
     
     
      
      
       
       
        
        
         
         
          
          
           
           
           
           
           
            
            
            
           
           
          
          
          
          
          
         
         
        
        
        
        
        
       
       
       
       
       
      
      
     
     
     
     
     
    
    
   
   
   
   
   
  
  
 
 
 
 
 
 
 
 
 
 
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
   
   
   
   
   
   
   
   
   
  
  
  
  
  
  
  
  
  
  
  
  
  
  
 
 


 
 
 
 
 
 
 
 
 
 
 
 
 
 
 


 
 
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
 
 
 
 
 
 
 
 
 
 
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
   
   
   
   
   
   
  
  
 
 
 
 
 
 
 
 
 
 
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
   
   
   
   
   
   
  
  
 
 
 
 
 
 
 
 



why3-1.6.0/examples/random_access_list/why3shapes.gz000066400000000000000000000156101440160026300225210ustar00rootroot00000000000000\Yo$7~ׯca-zؗ\+wJq{|A2GIjk%U1d0/W~÷]z3?׋eowD>A\7w÷L!]3߆>ūWDz_߆.<>E-ėဦ17}w1|'GO
E4O=wLJx|>bd+kY1~~L
??Pt`&(:n8J=(`]>}|8pb "A\fB=?p"{n'Ws7fÛ	W2=G?|#./!L~EA难9V[ʜqC?enٷ-ea(M$FD\l$&sgQ#X(Zl3SȽM${eO+unJNrKLr=\/oU@"|n#;	'dU?s>V/K}jWMʮuH]&-*={=~EV_(dOO	s2ű>={R_#==-_ϙmpT+>fP4uUaq	#d"ul~ʐ>B+?,ܳ(ոP٭\D.-y@ȠMEe4Zj+-Oe‡OL}jrz>l?,!tz
E߿]sEkgo>N=YE+Oݨt 6\$Ae}ܟʢXL>y}vPx+K(J
+4/W1z^[9/T5gj4ӴU>s=~QBx9yfIFrZI2|9YZ{&]W6ԋmzS/~Şnb`oۯeIEB,/(V]KazmP<}\?55?.ƧR*3l94#GBReI^IGUNYgDBDUf*Nu\2	{Tf>dۥ“ZGi&څCAzUROCÐ\8Z= x 5`OB
Eob4xŦ_	ZB
Afm\Vp9H{uI<΂uf%qY)V֙Aܻmdާ
]ڽ;޾}8zX!o2VGOx^tYې;~uD.r!;~ >mK6qP7#\zˡ=1zw-tX~3d/ !V	\X;$!~o	Ud.
\깫itBkwf$"tW?kJ=)ᡤx;ﵸsYN'j<X6?nohgau9/AfM!K\唒ϗ-ۄMohft"WXuD-vC
̰\3ނ~X=Tr
ZtDؔ!]TWOIiR\E򕡴EPC٘i
kkCe%~C^H.K)u]7x2:dVp8gNZ#+\>82VZ?0 WUV6(/H^aNy]B/聖*7`\4Z4"1QWEQzܘy}*RZ-#|]ǎ01.
=7V-H3_:fS2/1cΩ.xgʵ6 =xh<ҭ4{=ӆCTU.PY|]CvM=k.c~F&22>ͻt~wJ:XZ\Nӧڢ
9]/5yS_y|@wtMzvJv^OQJmKj9r+'qI򇋱܄8;cx M3G:,>rb,]cx":}HPSk+VS'HoL|r1#s	}zکx#XoI&7bӉܛvCTg}IuhgPI!t#PzA|<Թ~A/lU^G 8tEҷu",<ʨfGsF
Ym
F[!k[ޔq9늫:i#]h_aO/0/03=׳X%f7oh1Xa+!rCC3mfzIeʉ{#fi-`<՞x2d<
=ÈB3.%*Q}phpl~nn+׷9g/YQŒA%HIBO^B0錁;ȴ{O㕓tӎ x
s㲖=Y݃6Kyk81-R6X:FBBlOW$Cr-A*ՓP5q\&ךS>GRlm)h;.fM*e9vSlouUixyt:FltmnQ5+kjFIQ6noKBz)lLO)V6wtմɮjCJ[e̛`+{::ى2,&+P'0HS,3fZRBmI:!
#*izCukRq-y
5ظJZՙĐ:q%A0i"j)JzY	mw]/|O^ļ07X̞{e*S}
رw9TTTOJwp))z.ZmxJb]'&XvNIɝ
w6A$,Ez5uoVIO
cbyjMU˃"ky;4PU^S$.Ja*+\0KGfY\CnjB4X!%! g?m.B({Wt~_?lu4ד{J\vL{P?O;PI)" %9
U$BZA,[Vh18c:zE80rѻ,EA0~St
Jtp+roE
^dGi
p0ުB)$=QyNzL'ri}/'8FgpZ
Lv ZWU(Nw:xbq*^F%\1Q]@ݽƠc!8-4cV
,(e	-:ݡt; Q##ra(2mU5H-Dqm9C4R5$2mUN=B3mUv!q	sQ{$P#St"30hHʘ8rXg $
H\2?#( 
>+l0!>$vd:LwQ:2Yw-@5sP)Fb
HOkpAƃ4HAyZ4Aubn)D<vx"Z#Y6Zd	$=@;PwUDciF2o{$ИYdz#rAa2vhp">X8НQ
-rFk+b
AJ99)FQj&u0<60WE`/jTM:yXYw)
̩]֊*ph!^Aܪ3|ET@#x˪)/5r` Z
B$ս^ ďkk.`t=>;J7`$Tl)R$Z^3liBCT!H
RF⠐xF$a@VH"Ĕ(9$SlU>"y&
 m: "

aTXMQ(D+YhB#*#P8a.b5^PC1hvc@‡	tpLi:hgöAbH= :R0B4 qDR3C
!\ryC	/WfR#Ȑ"#fMmm-L{̃=L&sbk)euxn024DHbS YJ7
o	gl#BF1U&pLBzbC֔ssS_f]lwhy3-1.6.0/examples/reduced_regtests.list000066400000000000000000000007461440160026300204610ustar00rootroot00000000000000binary_sort
conjugate
# counting_sort # randomly fail with Z3
dfs
finite_tarski
insertion_sort
# kmp # randomly fail with z3 4.8.4
leftist_heap
# mergesort_array # fail with Alt-Ergo 2.3.0
pairing_heap
# rightmostbittrick # randomly fail with CVC4 1.5
# sieve # fail with Alt-Ergo 2.3.0
# sudoku # some goals are too long for the continuous integration
toy_compiler
# tree_of_list # uses Alt-Ergo 2.2.0 and CVC4 1.6
vstte10_max_sum
# warshall_algorithm # fail with Alt-Ergo 2.3.0
zeros
why3-1.6.0/examples/register_allocation.mlw000066400000000000000000000212271440160026300210000ustar00rootroot00000000000000
(** A tiny register allocator for tree expressions.

    Authors: Martin Clochard (École Normale Supérieure)
             Jean-Christophe Filliâtre (CNRS)
 *)

module Spec

  use int.Int

  type addr

  type expr =
  | Evar addr
  | Eneg expr
  | Eadd expr expr

  type memory = addr -> int

  function eval (m: memory) (e: expr) : int =
    match e with
    | Evar x     -> m x
    | Eneg e     -> - (eval m e)
    | Eadd e1 e2 -> eval m e1 + eval m e2
    end

  type register = int

  type instr =
    | Iload addr register
    | Ineg  register
    | Iadd  register register
    | Ipush register
    | Ipop  register

  type registers = register -> int

  function update (reg: registers) (r: register) (v: int) : registers =
    fun r' -> if r' = r then v else reg r'

  use list.List

  type stack = list int

  type state = {
    mem: memory;
    reg: registers;
    st : stack;
  }

  function exec (i: instr) (s: state) : state =
    match i with
    | Iload x r   -> { s with reg = update s.reg r (s.mem x) }
    | Ineg  r     -> { s with reg = update s.reg r (- s.reg r) }
    | Iadd  r1 r2 -> { s with reg = update s.reg r2 (s.reg r1 + s.reg r2) }
    | Ipush r     -> { s with st = Cons (s.reg r) s.st }
    | Ipop  r     -> match s.st with
                     | Nil       -> s (* fails *)
                     | Cons v st -> { s with reg = update s.reg r v; st = st }
                     end
    end
  meta rewrite_def function exec

  type code = list instr

  function exec_list (c: code) (s: state) : state =
    match c with
    | Nil      -> s
    | Cons i l -> exec_list l (exec i s)
    end

  use list.Append

  let rec lemma exec_append (c1 c2: code) (s: state) : unit
    ensures { exec_list (c1 ++ c2) s = exec_list c2 (exec_list c1 s) }
    variant { c1 }
  = match c1 with
    | Nil        -> ()
    | Cons i1 l1 -> exec_append l1 c2 (exec i1 s)
    end

  (** specification of the forthcoming compilation:
      - value of expression e lies in register r in final state
      - all registers smaller than are preserved
      - memory and stack are preserved *)
  function expr_post (e: expr) (r: register) : state -> state -> bool =
    fun s s' -> s'.mem = s.mem /\ s'.reg r = eval s.mem e /\ s'.st = s.st /\
      forall r'. r' < r -> s'.reg r' = s.reg r'
  meta rewrite_def function expr_post

end

(** Double WP technique

    If you read French, see https://hal.inria.fr/hal-01094488

    See also this other Why3 proof, from where this technique originates:
    http://toccata.lri.fr/gallery/double_wp.en.html
*)

module DWP

  use list.List
  use list.Append
  use Spec

  meta compute_max_steps 0x10000

  predicate (-->) (x y: 'a) = [@rewrite] x = y
  meta rewrite_def predicate (-->)

  type post = state -> state -> bool
  type hcode = {
    hcode : code;
    ghost post : post;
  }
  predicate hcode_ok (hc: hcode) = forall s. hc.post s (exec_list hc.hcode s)

  type trans = (state -> bool) -> state -> bool
  type wcode = {
    ghost trans : trans;
    wcode : code;
  }
  predicate wcode_ok (wc: wcode) = forall q s.
    wc.trans q s -> q (exec_list wc.wcode s)

  function to_wp (pst: post) : trans = fun q s1 -> forall s2. pst s1 s2 -> q s2
  meta rewrite_def function to_wp

  function rcompose : ('a -> 'b) -> ('b -> 'c) -> 'a -> 'c = fun f g x -> g (f x)
  meta rewrite_def function rcompose

  function exec_closure (i: instr) : state -> state = fun s -> exec i s
  function id : 'a -> 'a = fun x -> x

  let ($_) (hc: hcode) : wcode
    requires { hcode_ok hc }
    ensures { wcode_ok result }
    ensures { result.trans --> to_wp hc.post }
  = { wcode = hc.hcode; trans = to_wp hc.post }

  let wrap (wc: wcode) (ghost pst: post) : hcode
    requires { wcode_ok wc }
    requires { forall x. wc.trans (pst x) x }
    ensures { hcode_ok result }
    ensures { result.post --> pst }
  = { hcode = wc.wcode; post = pst }

  let (--) (w1 w2: wcode) : wcode
    requires { wcode_ok w1 /\ wcode_ok w2 }
    ensures { wcode_ok result }
    ensures { result.trans --> rcompose w2.trans w1.trans }
  = { wcode = w1.wcode ++ w2.wcode; trans = rcompose w2.trans w1.trans }

  let cons (i: instr) (w: wcode) : wcode
    requires { wcode_ok w }
    ensures { wcode_ok result }
    ensures { result.trans --> rcompose w.trans (rcompose (exec i)) }
  = { wcode = Cons i w.wcode;
      trans = rcompose w.trans (rcompose (exec_closure i)) }

  let nil () : wcode
    ensures { wcode_ok result }
    ensures { result.trans --> fun q -> q }
  = { wcode = Nil; trans = id }

end

module InfinityOfRegisters

  use int.Int
  use list.List
  use list.Append
  use Spec
  use DWP

  (** `compile e r` returns a list of instructions that stores the value
      of `e` in register `r`, without modifying any register `r' < r`. *)

  let rec compile (e: expr) (r: register) : hcode
    variant { e }
    ensures { hcode_ok result }
    ensures { result.post --> expr_post e r }
  = wrap (
      match e with
      | Evar x -> cons (Iload x r) (nil ())
      | Eneg e -> $ compile e r -- cons (Ineg r) (nil ())
      | Eadd e1 e2 ->
          $ compile e1 r -- $ compile e2 (r + 1) -- cons (Iadd (r+1) r) (nil ())
      end) (expr_post e r)

  (* To recover usual specification. *)
  let ghost recover (e: expr) (r: register) (h: hcode) : unit
    requires { hcode_ok h /\ h.post --> expr_post e r }
    ensures  { forall s. let s' = exec_list h.hcode s in
               s'.mem = s.mem /\
               s'.reg r = eval s.mem e /\
               s'.st = s.st /\
               forall r'. r' < r -> s'.reg r' = s.reg r' }
  = ()

end

module FiniteNumberOfRegisters

  use int.Int
  use list.List
  use list.Append
  use Spec
  use DWP

  (** we have k registers, namely 0,1,...,k-1,
      and there are at least two of them, otherwise we can't add *)
  val constant k: int
    ensures { 2 <= result }

  (** `compile e r` returns a list of instructions that stores the value
      of `e` in register `r`, without modifying any register `r' < r`. *)

  let rec compile (e: expr) (r: register) : hcode
    requires { 0 <= r < k }
    variant  { e }
    ensures  { hcode_ok result }
    ensures  { result.post --> expr_post e r }
  = wrap (
      match e with
      | Evar x -> cons (Iload x r) (nil ())
      | Eneg e -> $ compile e r -- cons (Ineg r) (nil ())
      | Eadd e1 e2 ->
          if r < k-1 then
            $ compile e1 r -- $ compile e2 (r + 1) --
            cons (Iadd (r + 1) r) (nil ())
          else
            cons (Ipush (k - 2)) (
            $ compile e1 (k - 2) -- $ compile e2 (k - 1) --
            cons (Iadd (k - 2) (k - 1)) (
            cons (Ipop (k - 2)) (nil ())))
      end) (expr_post e r)

end

module OptimalNumberOfRegisters

  use int.Int
  use int.MinMax
  use list.List
  use list.Append
  use Spec
  use DWP

  (** we have `k` registers, namely `0,1,...,k-1`,
      and there are at least two of them, otherwise we can't add *)
  val constant k: int
    ensures { 2 <= result }

  (** the minimal number of registers needed to evaluate e *)
  let rec function n (e: expr) : int
  variant { e }
  = match e with
    | Evar _     -> 1
    | Eneg e     -> n e
    | Eadd e1 e2 -> let n1 = n e1 in let n2 = n e2 in
                    if n1 = n2 then 1 + n1 else max n1 n2
    end

  (** Note: This is of course inefficient to recompute function `n` many
      times. A realistic implementation would compute `n e` once for
      each sub-expression `e`, either with a first pass of tree decoration,
      or with function `compile` returning the value of `n e` as well,
      in a bottom-up way *)

  function measure (e: expr) : int =
    match e with
    | Evar _     -> 0
    | Eneg e     -> 1 + measure e
    | Eadd e1 e2 -> 1 + if n e1 >= n e2 then measure e1 + measure e2
                        else 1 + measure e1 + measure e2
    end

  lemma measure_nonneg: forall e. measure e >= 0

  (** `compile e r` returns a list of instructions that stores the value
      of `e` in register `r`, without modifying any register `r' < r`. *)

  let rec compile (e: expr) (r: register) : hcode
    requires { 0 <= r < k }
    variant  { measure e }
    ensures  { hcode_ok result }
    ensures  { result.post --> expr_post e r }
  = wrap (
      match e with
      | Evar x -> cons (Iload x r) (nil ())
      | Eneg e -> $ compile e r -- cons (Ineg r) (nil ())
      | Eadd e1 e2 ->
          if n e1 >= n e2 then (* we must compile e1 first *)
            if r < k-1 then
              $ compile e1 r -- $ compile e2 (r + 1) --
              cons (Iadd (r + 1) r) (nil ())
            else
              cons (Ipush (k - 2)) (
              $ compile e1 (k - 2) -- $ compile e2 (k - 1) --
              cons (Iadd (k - 2) (k - 1)) (
              cons (Ipop (k - 2)) (nil ())))
          else
            $ compile (Eadd e2 e1) r (* compile e2 first *)
      end) (expr_post e r)

end
why3-1.6.0/examples/register_allocation/000077500000000000000000000000001440160026300202535ustar00rootroot00000000000000why3-1.6.0/examples/register_allocation/why3session.xml000066400000000000000000000605031440160026300232770ustar00rootroot00000000000000







 
 
 


 
 
 
 
 
 
 
 
 
 
 
 
 
 
 


 
 
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
   
   
    
    
     
     
      
      
       
       
       
      
      
     
     
    
    
   
   
   
   
    
    
     
     
      
      
       
       
       
      
      
     
     
    
    
   
   
   
   
    
    
     
     
      
      
       
       
       
      
      
     
     
    
    
   
   
  
  
  
  
  
  
  
  
 
 
 
 
 


 
 
 
 
 
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
   
   
    
    
     
     
      
      
       
       
       
      
      
     
     
    
    
   
   
   
   
    
    
     
     
      
      
       
       
       
      
      
     
     
    
    
   
   
   
   
    
    
     
     
      
      
       
       
       
      
      
     
     
    
    
   
   
   
   
    
    
     
     
      
      
       
       
       
      
      
     
     
    
    
   
   
  
  
  
  
  
  
  
  
 
 


 
 
 
 
 
 
 
 
  
  
  
 
 
 
 
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
   
   
    
    
     
     
      
      
       
       
       
      
      
     
     
    
    
   
   
   
   
    
    
     
     
      
      
       
       
       
      
      
     
     
    
    
   
   
   
   
    
    
     
     
      
      
       
       
       
      
      
     
     
    
    
   
   
   
   
    
    
     
     
      
      
       
       
       
      
      
     
     
    
    
   
   
   
   
    
    
     
     
      
      
       
       
       
      
      
     
     
    
    
   
   
  
  
  
  
  
  
  
  
 
 



why3-1.6.0/examples/register_allocation/why3shapes.gz000066400000000000000000000306721440160026300227230ustar00rootroot00000000000000}ُ7{zX`wH0TheQ<ؒFhdfXCݘ"G׋~>L߿_/܋WiϿ}QQmQǟe=9ڷKOoQe0RCz,=:b~E*az7^u~7TC=U8?-?(SSR~[~|G&'O/[P-yjQT*Rqw/?v^kwtں݇RI~vNž-4GzBuHM[Y [R[dY}OԵ+U^~{sGأS&QG%2}5+{R[
_SgQ\b=ATh|퀌c@u5o6#;$`7F+0Tpnͥc1]eѻw6]m QkS{t_g
SwgupJkóUcn:QtJ$rw	\F77G9 x}ԧV(ϊAVGDU8K3FN&>sV_p3Ic3;<1Z*Đ>̀Qp%VaNJvA8|K0);*X:i@f#9K)tl̨UdUTQ*O7D&%=DTaL5DmW #X}}pFPFxab7rٲ)ʑ#k=䲻W(v:?5N-nu[547mzfD##3ܲ*[6EY!+@I7D
2nF63˼{JPu,®=
kݺ\]NW-wS&{zJicC^fUcߠϲ;Ujy]L^~NnTMՑ	[;ǣ6p%h,K
j
T/ٱ$6\>ڳ}K\9rVq~pw4RڕbJLe%Ntʭ44*Nmja@­Ăjǃ!xP9Ƈ"d59.XՄ'[wndדT1HSյ[w%ͤ񋑠PzUkRVY/̖TG N&%b%IiF0( M7'¨ˊeF+,'F=U<)dOӛ;Z'NzXOMF:Ɏ3-KoIe܄')c)Msx-͢y8MOz,yۭ!^8Ș}k__xr{Gղ8sl;YfjaZCM-\MVU+SM[^uPS2hQـ .p0}Z"[MViU\zFRiUk$k.fxag4éG2l'rn.egΏgfHνkkpn-<[xC,<,&폗%FulE[-1ZSK=QފzqSޒpZc4pG
1Ma^KK
G%z6YVuZf:8WӟV$wv8U@;%UST5صvͅ[^~jZTTRKUdJr˕kZ8K!.8@CZړ8
LU8onVs/6?k>c:'.W׵V8+F08/W׼lV'7T}0m$b[pm1@pX%Pp۩<3^<_/ΣQU;opuڕG6\.%Ut<&!
.VyJU*rIEӥn{Mےʶ<4
.^v_5&nCkvp|K9R8\uJZ+N*elp
.j5ۚlD*dJ۲m9LsZ_/^%<כ&6ivs\o{5泀`NzzzY{xFI/|+-$uxEn~^'OR}v޶Gw_4
|nd#J-2rU"uGϫC_g2#:mA~v9%9%r[YN6a>OS9ܖh5_hys?]K/FM#x+ݦ,8KLAJ>b}dqĨ#Q4du :&;q:*>0Vh6"MqgE˲aJ\ˬ|q4۴S!/ͭ%eށ/Bխ\8UD͘M󸶔5X
BjQ_Zh_h*
X/dǮK]ڊY>4Wsx+_nx~j)ά|p_,zACr͛A{M8an.np5]UmWZu[A5XVqSH{s3R,b`b=-MŌX١/rEދ&%oHɯ/!oi%2zdWEqU۷`
T9ZWnVPOcJ~
V+'|1f5h'Xd2rUMiYj)rbSoafX)yoNȜ:}o?Nɴ[QW`͙Cs<30<͇q(UMȁΨ/[q/~ϗ
l{G)y8zU׫-xK_USu\ۻ!t|o굫:G{\몽vG{K[Vʖ:em['4i;8oP^qHd{tsc(@M*H[`fIxӋzws}R}K0G(
W;CU'&#Iw`z5KgytOy+{q͖Y;|)e6C'Wpp3WӼA8JIsՙA'|c&RS.'e7EL~Vʝ/\CI.*Kj=W^,wi1Y9
EV-T3ufd(.K@i;zYCK&l$Wـ<[A(Q O*7BJkו'3G4U*2M}GOVm"ugbq6?j+FlK$wuT.C-ih_`_/R܂2nIEaב}wWӜֺfb,jHNR5k~aqyY}WhƒvI^La2&by	Sl7Dy"Q;".Lldgt0y#LlX#,53tg=3"㠫[!sS}fQIh;{tO=ԡ3Er9AwYбX9tHI˴=3AWVhu薭'=֛IܚSKעsԒf=fܛW$#3"~,؛yxua(f-[Nzx%ۋXhYZPlMey"c+(ZS9;M++5m*-p^t~2>R3]їM)y8݅^hh71t v0eq@t&]lr\.ɥU<3TY/#%sNޗ'el<Ff땩ze[׀ަ:*G,###%jv9_EFK;(29%!#'.Ս;?ўrX٢鏹U:<꽀y5se$gTc vdz޶:tkzֻZ|gwcݯ}~7m꼡sft%Fb85Z,>1c(FsJa׺*t"p;o}c9Ftv/O#-1XOrEO?)֭/1n
DŹbAfC>gˏT~b\⊅"
<<1Kx+oҽ);R_e!ҥZ\#2'Q<J%Y⤳rSW11QD2HU}V6H,%\m8lb=t
W[A]!!dm	NMި%*jzA,t;zAL°qbdb9c~ĥI4oX]9ԲPi:Y{8?mGd
v'Y;9T9%|R1jM#ZxN?찎_[⚟Yē5ȰOtӽcK>IX>4C3
lkE";!
,n}lw&nL׌HšQwf+52p;nM'(Q8*MO:fShmNGv$w-:kdxODͱyK dMk|5qSRFUv1KhF]w^m7d{'amWTv[]QZr{GR!.ڸ'ҵjJ
]2w
n\[\V߼[tJ!mϫK^vC^oQoZvkpE65+:o}k7
VnU5Fhyt)-yݘ4`)jӻu-#0>L=xprAi2o_R箣LrQ[._Uo))
}O:̸]qUaᩰdlyZ,ٹY7xrvZw̴/)gJLnxv´}MˣBmؿn1bN.̛:l1~w$xΘy4,_s>@W]ᚘP]STq2ҟ>E>=ҮZvGn1דkbKD9>sM_DibEˮy,RpMgtTĤK1)_>YJY~fҖejRnq]CS4{䖙Yq%̉~SIO5{?uyqK7u+jMkΥkі_SEk隯Z;,[j[Urf9FGkC!'=nvP%t6nEUPWо|`Ӝauj΋w2$=/3
z	t@z۵vE_oWڔו߫mFnF6ni 41ߤRbOyͲ0YK]p_܉GWvY_<5'{?֋A]yDŽI!2$*5Z/fM'Xwl9v싵
Y>M=d!;JyOȲԱ_	`˭gk3ZoORT\"ÔkKIܾV>ֿ֪ ,mpYj^>C"X~ݶuSu$Oq+XA{>fڣzY*ݰ3TYghAɳH/hQZjDbs=cCPiϘhhApeyJ-vnE-롹}+Gڜ~']x"-:5G U);)gdg
g?IQ:jr6jadೱR΍>ꅾVWʊI`b{#D5ogϝatZh#";;Zу3|*M]ͽ{ƱaQOHFmM/SH+k١LRBYY4
\I&E!T+p(9(c:=yB >Z&`I#r1uz+0g0)ԵڠZkkwLLZ0C:gi6$5梢Nn6R]J9Z8eg=* ^L M^
kHv
_9"fiSچ_wm5V_[ume#`@\B*;`@й` qrLx»9z+pE7;BK kg`^Ȩ8k@
P7]
soR&t-Jw`t/Bu'saWiԗ˫`m8CwICsBOZ@B) !Lb#*3ye):#Ql~fs(;M	,,t 
P;i,P0FkH>D<SF75J#ި3P!h:a]gZ
W3RN?x7bBd
Q{/]DM!ya:*X<Zb
5mRj"i4càFyg`{:rV}ˬ0@ьn`jxa>g{'V;9t15&'^fhפ#NpϽGӋ)wSjt0gX[fSG#,V3$0]nn ~k0{{9Σc^nR;;K~"3i'N=‚.pd)ɐBAD52D$]Ɓp}bp	}wÃw6a@q[xdӨN
l b&`n1͒HwZb
]oV܏
.vY5__3VP$D)3I?1P~3QRw0ela`^qLp$Lx;`օْYݏwhqp[,KE}(mXAx'hPᵓQY8kh{}
|Ӊ@(=օKsz"<_8B^HAtDge@>l
bC:»>vWIx0jM3%
-NJhT29NMG
6A$V"";Ԁ4n:,uСP[;a.(89{\3{R0;(i%6l4Q+٧%:jk>Ϭȕ,Y`#쐠dN	t엳=%f`}
F0b)gKvdaBI'8$g7KBM "beQ
UG==,\,o턲!%AReuklE4pWHnWD`*|9y	fήcGh]&i~@,>)l8HKQڃ:h<Dh1(6H4Ip0hg*B?4:.KaXQ^h(uYjBty>gٍV>9~Z.}LG'4+ٟYf֯c4+/kNCxPh!O!sw._z`.QcP`@p^QX9B:;Ab Q" is likely an error (use "not P \/ Q" if not)
 0/1 (replay OK)
   +--file [../drinker.mlw]: 0/1
      +--theory Top: 0/1
         +--goal drinkers_paradox not proved
Replaying logic/einstein ... OK 2/3 (replay OK)
   +--file [../einstein.why]: 2/3
      +--theory Goals: 2/3
         +--goal Wrong not proved
Replaying logic/explicit_subst ... OK 14/14 (replay OK)
Replaying logic/ffx ... OK 7/7 (replay OK)
Replaying logic/First ... OK 2/2 (replay OK)
Replaying logic/genealogy ... FAILED (ret code=1): 7/7 (replay failed)
   goal 'Child_is_son_or_daughter', prover 'PVS 6.0': not installed
   goal 'Child_is_son_or_daughter', prover 'Isabelle 2018': High failure (1.86s),
                                                            Prover exit status: exited with status 2
                                                            prover output:
                                                            *** Unknown Isabelle tool: "why3"

                                                             instead of Valid (6.40s) (timelimit=100, memlimit=4000, steplimit=0)
   goal 'Sibling_sym', prover 'Isabelle 2018': High failure (1.82s),
                                               Prover exit status: exited with status 2
                                               prover output:
                                               *** Unknown Isabelle tool: "why3"

                                                instead of Valid (6.03s) (timelimit=100, memlimit=4000, steplimit=0)
   goal 'Sibling_is_brother_or_sister', prover 'Isabelle 2018': High failure (1.86s),
                                                                Prover exit status: exited with status 2
                                                                prover output:
                                                                *** Unknown Isabelle tool: "why3"

                                                                 instead of Valid (6.26s) (timelimit=100, memlimit=4000, steplimit=0)
   goal 'Grandparent_is_grandfather_or_grandmother', prover 'Isabelle 2018': 
High failure (1.78s),
Prover exit status: exited with status 2
prover output:
*** Unknown Isabelle tool: "why3"

 instead of Valid (6.82s) (timelimit=100, memlimit=4000, steplimit=0)
Replaying logic/hello_proof ... OK 2/3 (replay OK)
   +--file [../hello_proof.why]: 2/3
      +--theory HelloProof: 2/3
         +--goal G2 not proved
Replaying logic/lagrange_inequality ... OK 9/9 (replay OK)
Replaying logic/los_problem ... OK 1/1 (replay OK)
Replaying logic/my_cosine ... FAILED (ret code=1): 4/4 (replay failed)
   goal 'MethodError', prover 'Coq 8.9.1': High failure (0.34s),
                                           Prover exit status: exited with status 1
                                           prover output:
                                           File "/tmp/why_b2d3fc_my_cosine_T_MethodError.v", line 17, characters 15-39:
Error:
Cannot find a physical path bound to logical path matching suffix Interval.


                                            instead of Valid (1.35s) (timelimit=5, memlimit=1000, steplimit=0)
Replaying logic/real ... FAILED (ret code=1): 1/1 (replay failed)
   goal 'MethodError', prover 'Coq 8.9.1': High failure (0.30s),
                                           Prover exit status: exited with status 1
                                           prover output:
                                           File "/tmp/why_d6b037_real_T_MethodError.v", line 15, characters 15-39:
Error:
Cannot find a physical path bound to logical path matching suffix Interval.


                                            instead of Valid (1.60s) (timelimit=5, memlimit=1000, steplimit=0)
Replaying logic/scottish-private-club ... OK 1/1 (replay OK)
Replaying logic/simple ... OK 1/1 (replay OK)
Replaying logic/sorted_list ... OK 6/6 (replay OK)
Replaying logic/triangle_inequality ... OK 17/17 (replay OK)
Replaying bitvectors/bitvector ... OK 46/46 (replay OK)
Replaying bitvectors/double_of_int ... OK 63/63 (replay OK)
Replaying bitvectors/double ... OK 7/7 (replay OK)
Replaying bitvectors/neg_as_xor ... OK 13/13 (replay OK)
Replaying bitvectors/power2 ... OK 85/85 (replay OK)

=== MLCFG ===

Replaying mlcfg/arith ... OK 2/2 (replay OK)
Replaying mlcfg/basic ... OK 6/6 (replay OK)
Replaying mlcfg/break_continue ... OK 1/1 (replay OK)
Replaying mlcfg/rec ... OK 2/2 (replay OK)
Replaying mlcfg/scope ... OK 0/0 (replay OK)

Summary       : 396/403
Sessions size :  165163 8962133 total
Shapes   size :  10367 2671378 total
why3-1.6.0/examples/regtests.sh000077500000000000000000000055401440160026300164250ustar00rootroot00000000000000#!/bin/sh -eu
# regression tests for why3

REPLAYOPT=""
REGTESTS_MODE=""

while test $# != 0; do
case "$1" in
  "--force")
        REPLAYOPT="$REPLAYOPT --force"
        ;;
  "--obsolete-only")
        REPLAYOPT="$REPLAYOPT --obsolete-only"
        ;;
  "--prover")
        REPLAYOPT="$REPLAYOPT --prover $2"
        shift
        ;;
  "--reduced-mode")
        REGTESTS_MODE="REDUCED"
        ;;
  *)
        echo "$0: Unknown option '$1'"
        exit 2
esac
shift
done

TMP=$PWD/why3regtests.out
TMPERR=$PWD/why3regtests.err

# Current directory is /examples
cd `dirname $0`

# too early to do that
# REPLAYOPT="$REPLAYOPT --smoke-detector top"

res=0
export success=0
export total=0
export sessions=""
export shapes=""


run_dir () {
    if [ "$REGTESTS_MODE" = "REDUCED" ]; then
        if [ -f $1/reduced_regtests.list ]; then
            LIST=`sed $1/reduced_regtests.list -n -e "s&^\([^ #]\+\).*&$1/\1/why3session.xml&p"`
        else
            LIST=
        fi
    else
        LIST=`ls $1/*/why3session.xml`
    fi
    for f in $LIST; do
        d=`dirname $f`
        printf "Replaying $d ... "
        if ../bin/why3.opt replay -q $REPLAYOPT $2 $d 2> $TMPERR > $TMP ; then
            printf "OK"
            cat $TMP $TMPERR
            success=`expr $success + 1`
        else
            ret=$?
            printf "FAILED (ret code=$ret):"
            out=`head -1 $TMP`
            if test -z "$out" ; then
               echo "standard error: (standard output empty)"
               cat $TMPERR
            else
               cat $TMP
            fi
            res=1
        fi
        total=`expr $total + 1`
    done
    sessions="$sessions $1/*/why3session.xml"
    shapes="$shapes $1/*/why3shapes.gz"
}

echo "=== Programs already ported === MUST REPLAY AND ALL GOALS PROVED ==="
echo ""
run_dir . ""
run_dir micro-c ""
run_dir python ""
run_dir double_wp "-L double_wp"
run_dir avl "-L avl"
run_dir c_cursor "-L c_cursor"
run_dir foveoos11-cm ""
run_dir vacid_0_binary_heaps "-L vacid_0_binary_heaps"
run_dir verifythis_2016_matrix_multiplication "-L verifythis_2016_matrix_multiplication"
run_dir WP_revisited ""
run_dir prover "-L prover --debug=ignore_unused_vars"
run_dir multiprecision "-L multiprecision"
echo ""

echo "Score on ported programs : $success/$total"
echo ""

echo "=== Standard Library ==="
echo ""
run_dir stdlib ""
echo ""

echo "=== Tests ==="
echo ""
# there's no session there...
# run_dir tests
run_dir tests-provers ""
echo ""

echo "=== Check Builtin translation ==="
echo ""
run_dir check-builtin ""
echo ""

echo "=== BTS ==="
echo ""
run_dir bts ""
echo ""

echo "=== Logic ==="
echo ""
run_dir logic ""
run_dir bitvectors "-L bitvectors"
echo ""

echo "=== MLCFG ==="
echo ""
run_dir mlcfg ""
echo ""

echo "Summary       : $success/$total"
echo "Sessions size : "`wc -cl $sessions | tail -1`
echo "Shapes   size : "`wc -cl $shapes | tail -1`

exit $res
why3-1.6.0/examples/relabel.mlw000066400000000000000000000026151440160026300163550ustar00rootroot00000000000000
(* Tree relabelling.

   Given a tree t, with values at the leaves, build a new tree with the
   same structure and leaves labelled with distinct integers.
 *)

module Relabel

  use list.List
  use list.Mem
  use list.Append
  use list.Distinct

  type tree 'a =
    | Leaf 'a
    | Node (tree 'a) (tree 'a)

  function labels (t : tree 'a) : list 'a = match t with
    | Leaf x -> Cons x Nil
    | Node l r -> labels l ++ labels r
  end

  lemma labels_Leaf :
    forall x y : 'a. mem x (labels (Leaf y)) <-> x=y

  lemma labels_Node :
    forall x : 'a, l r : tree 'a.
      mem x (labels (Node l r)) <-> (mem x (labels l) \/ mem x (labels r))

  inductive same_shape (t1 : tree 'a) (t2 : tree 'b) =
    | same_shape_Leaf :
        forall x1 : 'a, x2 : 'b.
        same_shape (Leaf x1) (Leaf x2)
    | same_shape_Node :
        forall l1 r1 : tree 'a, l2 r2 : tree 'b.
        same_shape l1 l2 -> same_shape r1 r2 ->
        same_shape (Node l1 r1) (Node l2 r2)

  use int.Int
  use ref.Ref

  val r : ref int

  let fresh () ensures { !r = old !r + 1 /\ result = !r } =
    r := !r + 1; !r

  let rec relabel (t : tree 'a) : tree int
    variant { t }
    ensures { same_shape t result /\ distinct (labels result) /\
      old !r <= !r /\
      (forall x:int. mem x (labels result) -> old !r < x <= !r) }
  = match t with
    | Leaf _   -> Leaf (fresh ())
    | Node l r -> Node (relabel l) (relabel r)
    end

end
why3-1.6.0/examples/relabel/000077500000000000000000000000001440160026300156305ustar00rootroot00000000000000why3-1.6.0/examples/relabel/why3session.xml000066400000000000000000000017701440160026300206550ustar00rootroot00000000000000






 
 
 
 
 
 
 
 
 
 
 
 



why3-1.6.0/examples/relabel/why3shapes.gz000066400000000000000000000007211440160026300202700ustar00rootroot00000000000000mOo0m.%OFMׁ%4XӴqa~I Ǽ|zc'6]EOAA^#RMJ_U0;~UM?C*&HɟU#`/[VlK1o\4m.g.ºNcq|?b+zr[P9Iݬ	g؍[]Әm>#P8^I-ڔ9H8(9(yɞ4Ѐof ssβS_WAe"-V4ǡY(V`0͎3.~cH./0#_\A476X9OBy&R
с$Q?:g贲FG;azo="mipE,
:6ZJFU"v
I+5 fCq?why3-1.6.0/examples/remove_duplicate.mlw000066400000000000000000000040201440160026300202660ustar00rootroot00000000000000

(** {1 Removing duplicate elements in an array}

    Given an array `a` of size `n`, removes its duplicate elements,
    in-place, as follows: return `r` such that `a[0..r-1]` contains the same
    elements as `a[0..n-1]` and no duplicate

*)


(** {2 Specification} *)

module Spec

  use export int.Int
  use export array.Array

  (** `v` appears in `a[0..s-1]` *)
  predicate appears (v: 'a) (a: array 'a) (s: int) =
    exists i: int. 0 <= i < s /\ a[i] = v

  (** `a[0..s-1]` contains no duplicate element *)
  predicate nodup (a: array 'a) (s: int) =
    forall i: int. 0 <= i < s -> not (appears a[i] a i)

end

(** {2 Quadratic implementation, without extra space} *)

module RemoveDuplicateQuadratic

  use Spec
  use ref.Refint

  type t
  val predicate eq (x y: t)
    ensures { result <-> x = y }

  let rec test_appears (ghost w: ref int) (v: t) (a: array t) (s: int) : bool
    requires { 0 <= s <= length a }
    ensures  { result <-> appears v a s }
    ensures  { result -> 0 <= !w < s && a[!w] = v }
    variant  { s }
  = s > 0 &&
    if eq a[s-1] v then begin w := s - 1; true end else test_appears w v a (s-1)

  let remove_duplicate (a: array t): int
    ensures { 0 <= result <= length a }
    ensures { nodup a result }
    ensures { forall v. appears v (old a) (length a) <-> appears v a result }
  = let n = length a in
    let r = ref 0 in
    let ghost from = make n 0 in
    let ghost to_  = make n 0 in
    for i = 0 to n - 1 do
      invariant { 0 <= !r <= i }
      invariant { nodup a !r }
      invariant { forall j: int. 0 <= j < !r ->
                  0 <= to_[j] < i /\ a[j] = (old a)[to_[j]] }
      invariant { forall j: int. 0 <= j < i ->
                  0 <= from[j] < !r /\ (old a)[j] = a[from[j]] }
      invariant { forall j: int. i <= j < n -> a[j] = (old a)[j] }
      let ghost w = ref 0 in
      if not (test_appears w a[i] a !r) then begin
        a[!r] <- a[i];
        from[i] <- !r;
        to_[!r] <- i;
        incr r
      end else begin
        from[i] <- !w;
        ()
      end
    done;
    !r

end
why3-1.6.0/examples/remove_duplicate/000077500000000000000000000000001440160026300175515ustar00rootroot00000000000000why3-1.6.0/examples/remove_duplicate/why3session.xml000066400000000000000000000130271440160026300225740ustar00rootroot00000000000000







 
 
 
 
 
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
 
 



why3-1.6.0/examples/remove_duplicate/why3shapes.gz000066400000000000000000000061541440160026300222170ustar00rootroot00000000000000\[oݸ~8om(@oEQc$k4IwHQ$[vs$9xpF=sx|NÙ{C8sQ{GP_O<"NI}xFҺ뛱IOauY7~^k?]n~i_ՙECf:z<|Q;c)wNUNpin=zwJbjt&O6_wqwOˤY,\׮=;6ٳ4֪Kƿ%^߫KV$P>Ǯw^Ѫ"zh?nn?{ࣛÙ>aL&5H{(}sucstt1
N{c[E\7qmYŤƜGU՘SKq6i5-"nyT4azUjQ/Zhmn/ۗfz/LLc||q>(	(NGbGe_uӫR,NGUTmx9]4X	us[񥘇P<
yJ乹?M߬ݧls4h~Mހ?٥!CUd]WE
!TdB)i0NJph
2\wMܽnR~)?+8yΟ1ys5|TBsueي>*
}(UЇbB%0[E%#EN(+PnC^v@		_/Q&k,ٔUVP0a	@
Vb Vb _j +[,?v|cj!=G%Mt)lh|*G-2bifhV
ͪYЬAUChz
Y+K܆-nW{,~l~|Wt)-iFoBܜY5U%4Wj3e԰Rîau5lpnEQ)5HlSJ`B-0!7zY;K8j4lf6(uºaܜc6],5	(GK	+	'.YH9ZCqe!BDKR~ERKo񱲰O'z%I%mA-mAoN{R׼|
cD]Ot-隚H|| g6yʕNy#w-k9Z9`OtsZ>j9j9VR
Z"˲ڲ\(&JNU嵚^Q
8_p,99|΁FPݜCM"QK"QM"*Ը.}$$Hs8$۷CI"QK"	Kg~T|ܥ♂NH>!xڋnoNththCrcrcrp['49g_fYn\ewPǚJ[-~bC2hf|>RaLFc@5:UM
Ns
Gc̩aƖa(/%ܜaƚaU}ʤS$ƇK~Ŭ)4`P+Ƭ<^KAÉzMO?Q	0#'ϊ-*LNC%'Tr.˵è!~"[(<^D8"xstmxw
z9ja~e^xlhѬ+lU
U
U
V5IWh+++Q#Ɔ3}H^<,ΫhUͮӭ_vֻO]
M(Z<,&/jrԝ)@Xn)lPi['Ji,UJcn-W3uoyy~K޹\[|`SYbgU@:*_K_$ʷjiV&^w֬f=eSm^yN7[U@+ٴ
9oue;)^gCf-RsnyPozgg{VB괐@4	1X绝K	,cT4j:zm{=+a'ե`5a}(\|gD#9;׬Agu+`eA%mPz0zzCl,tHK@ؠ#FfNn̂IBq!DӃ:	=yv /!q`(tBI7r`ROg$ᬍ6 ټj{"*Q=B wq
Oٙ^6ڨ!rȂ	11
N54kH
G1܃#;Fw%3^J6yA80  not (appears a[i] a i)

end

(** {2 Quadratic implementation, without extra space} *)

module RemoveDuplicate

  use Spec
  use ref.Refint
  use array.Array

  type elt
  clone import set.SetImp as MutableSet with type elt = elt

  let remove_duplicate (a: array elt) : array elt
    requires { 1 <= length a }
    ensures  { nodup result (length result) }
    ensures  { forall x: elt.
               appears x a (length a) <-> appears x result (length result) }
  =
    let s = MutableSet.empty () in
    for i = 0 to Array.length a - 1 do
      invariant { forall x: elt. appears x a i <-> mem x s }
      MutableSet.add a[i] s
    done;
    label L in
    let r = Array.make (MutableSet.cardinal s) a[0] in
    MutableSet.clear s;
    let j = ref 0 in
    for i = 0 to Array.length a - 1 do
      invariant { forall x: elt. appears x a i <-> mem x s }
      invariant { forall x: elt. mem x s <-> appears x r !j }
      invariant { nodup r !j }
      invariant { 0 <= !j = cardinal s <= length r }
      invariant { subset s (s at L) }
      if not (MutableSet.mem a[i] s) then begin
        MutableSet.add a[i] s;
        r[!j] <- a[i];
        incr j
      end
    done;
    r

end
why3-1.6.0/examples/remove_duplicate_hash/000077500000000000000000000000001440160026300205545ustar00rootroot00000000000000why3-1.6.0/examples/remove_duplicate_hash/why3session.xml000066400000000000000000000130131440160026300235720ustar00rootroot00000000000000








 
 
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
 
 



why3-1.6.0/examples/remove_duplicate_hash/why3shapes.gz000066400000000000000000000036301440160026300232160ustar00rootroot00000000000000XKoWdX@WSDTp^dZ@{_UE?5V_ݽcW?3O!mw!7W>?O_O7x;r>MgUKǟG6i~F|}M?i{]m_~/GzO.Vw>?"nKd3X
/1FW+bX|̼l
RJ^nV\Σ%hQ-Ap>+osޝDVT>x?
G|f/꧀YSNCM`J^ph)(dQa#Gz.~y-u4[*2w
	_D3%:/EugEp|*tKFpNuژsXX6\wyʽ̛|ǒfB1Pž&4rJK#l([LHzRZγ-a3zTi(W-'b:h2gf\K䭹veempx1Y{a=/JXMB؏.
wCJWKhآQԇ^sfG5|4"n5n>ZkQ$fLwB"}Hߴ75}
R+ؖvH^2~`O^)yg>%Ї9ab;UGc$Y`8~]5{ߞuH&qOj , ynfW.FvnC,p*}z}M#Oۀts3%U!E%i+m;m:v2Yd1[gRRt:A':NVIS,hփyyY:ۙ	
h@Ap
CDŴ[qqq踸0 堳bN3-ASȭwt43)a
LR)$qюV{&äWd`O@Btw-#X
u
6:ǬtZuB^uEUR*S80A@VklECXav#U𩠬%DQ+n>q3!&ns
#hO݁LS:^*C[.\1!:@k.sVӕ*)xiY΂M6ɓwI{c/WMХJ8kȚ-Vp$:zDUqE.1,7OK]/ip%jؔA$i&hjR;bX	LGcћ|f
TF+H9KJ(]MgcT/NNH	,H0VwE}{vLh'c9&Z5
խx粳#a/F:ET$iNN{C%g.xpʙ=-y~/`Zwhy3-1.6.0/examples/residual.mlw000066400000000000000000000046401440160026300165570ustar00rootroot00000000000000
(** {1 Decision of regular expression membership} *)

(** Decision algorithm based on residuals *)

module Residuals

  type char

  val predicate eq (x y : char)
    ensures { result <-> x = y }

  clone export regexp.Regexp with type char = char

  let rec accepts_epsilon (r:regexp) : bool
    variant { r }
    ensures { result <-> mem Nil r }
  = match r with
    | Empty -> false
    | Epsilon -> true
    | Char _ -> false
    | Alt r1 r2 -> accepts_epsilon r1 || accepts_epsilon r2
    | Concat r1 r2 -> accepts_epsilon r1 && accepts_epsilon r2
    | Star _ -> true
    end

  lemma inversion_mem_star_gen :
    forall c w r w' r'.
      w' = Cons c w /\ r' = Star r ->
      mem w' r' ->
      exists w1 w2. w = w1 ++ w2 /\ mem (Cons c w1) r /\ mem w2 r'

  lemma inversion_mem_star :
    forall c w r. mem (Cons c w) (Star r) ->
       exists w1 w2. w = w1 ++ w2 /\ mem (Cons c w1) r /\ mem w2 (Star r)

  (** `residual r c` denotes the set of words `w` such that `mem c.w r` *)
  let rec residual (r:regexp) (c:char) : regexp
    variant { r }
    ensures { forall w. mem w result <-> mem (Cons c w) r }
  = match r with
    | Empty -> Empty
    | Epsilon -> Empty
    | Char c' -> if eq c c' then Epsilon else Empty
    | Alt r1 r2 -> Alt (residual r1 c) (residual r2 c)
    | Concat r1 r2 ->
       if accepts_epsilon r1 then
          Alt (Concat (residual r1 c) r2) (residual r2 c)
       else Concat (residual r1 c) r2
    | Star r1 ->
      Concat (residual r1 c) r
    end

  let rec decide_mem (w:word) (r:regexp) : bool
    variant { w }
    ensures { result <-> mem w r }
  = match w with
    | Nil -> accepts_epsilon r
    | Cons c w' -> decide_mem w' (residual r c)
    end


end


module Test

  type char = int

  clone Residuals with type char = char

  let constant a : char = 65

  let constant aa : word = Cons a (Cons a Nil)

  let constant astar : regexp = Star (Char a)

  let test_astar () = decide_mem aa astar

end



module DFA

  type char
  use list.List
  type word = list char

  use map.Map

  (** automaton where states = 0..size-1, init state = 0 *)

  type state = int

  type t =
    { size : int;
      is_final_state : map state bool;
      transition : map (state,char) int;
    }

  function exec (a:t) (q:state) (w:word) : state =
    match w with
    | Nil -> q
    | Cons c r -> let q' = a.transition[q,c] in exec a q' r
    end

  function accepts (a:t) (w:word) : bool =
    a.is_final_state[exec a 0 w]

end
why3-1.6.0/examples/residual/000077500000000000000000000000001440160026300160325ustar00rootroot00000000000000why3-1.6.0/examples/residual/why3session.xml000066400000000000000000000173311440160026300210570ustar00rootroot00000000000000









 
 
  
  
  
  
  
  
  
  
  
  
  
  
  
  
   
   
   
   
   
   
  
  
 
 
 
 
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
 
 
 
 
 
 
 
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
   
   
    
    
    
    
    
    
    
    
    
    
    
    
    
    
    
    
    
    
    
    
    
   
   
   
   
    
    
    
    
    
    
    
    
    
    
    
    
    
    
    
    
    
    
     
     
     
    
    
    
    
    
   
   
  
  
 
 
 
 
  
  
  
  
  
  
 
 



why3-1.6.0/examples/residual/why3shapes.gz000066400000000000000000000053001440160026300204700ustar00rootroot00000000000000ZKoGWR+@0.jؖ4~h4'E|&?Yw|w͏^6[og;o^}S/ Ƈz}m߾KA߽ϋۓ,Oqb!m-4OԕB<^JOz֋INcT=y˜Kwڢ[k1fחݥ1;ܿ=%ҲD}ŻM9T6|l|x"a64vlyeO$qu}=i[\^l@2wV
`Ups{qνP~bv/h*^WU0-9ǒCzٱXT
TFЏxgk(47
ŻĦ]LaO?fRf(n[2Zi?ID*#`4^j
fî|5fCo|fW%g6:;Λra7.젺Bͪy7j'l,2N685c8u;fnf_]&1,00bhC} J}:
Cv{zAMvXw`ցdO}S_ek)9@1+luvғY4(j,ʼn<=ƾ||MIC|eе^W3nu`ӅgoZ2]td^ĕMn&ilzYmsZՓeO;h1ͳ3\ԭv	MѻMbG/GGX>Ƨ`S6&I4qQQ$,nf#K*\.累2P[kP|j5Ή6i)|'`mE'.Y];.{|ۮ8:O.n"n=\ӱ>T3谫,u3K=Zr_v9|S+$Ȼ]+B~ئyE8S󑻤%#e 	9ȏQт:&Amzƙ{Su&]IyBH@(>1>,`_Hڏ7'҈9ΑG&9,%L#[)[fnMMa)mE,QK
#ETDX;μje3iڼ@]g.Ç!9xC'7
GWcׇ޿yqʋxrAX=쐱޿>iCj?Lꏘi.\]a'Vm>m8w-nB//N:UBŞ*v;(=(VGrw]K͡^3,ZNbQū`yVh^뒞po ͜vVʽaU06?1ZO2/+,˟[QlY@YQ=&:RPvUѰh8+eEl'9\cJ<#l&HkS6ٻɌ.l!jSR,\QVV\aTfgLM٬RU)3Q	M!VfHA<ujIdD3lA4u''''ړ6%F`OlCF-\&(jAX	,Fl!v; fƥ{dWI.?/L_#cZ°J)sZQf`ԵP<0$ٰ,/&I,why3-1.6.0/examples/resizable_array.mlw000066400000000000000000000107641440160026300201310ustar00rootroot00000000000000
module ResizableArraySpec

  use int.Int
  use map.Map
  use map.Const

  type rarray 'a = private {
    ghost mutable length: int;
    ghost mutable data: map int 'a
  }

  function ([]) (r: rarray 'a) (i: int) : 'a = Map.get r.data i
  val function ([<-]) (r: rarray 'a) (i: int) (v: 'a) : rarray 'a
    ensures { result.length = r.length }
    ensures { result.data = Map.set r.data i v }

  val make (len: int) (dummy: 'a) : rarray 'a
    requires { 0 <= len }
    ensures  { result.length = len }
    ensures  { result.data = Const.const dummy }
    (* ensures  { forall i: int. 0 <= i < len -> result[i] = dummy } *)

  val ([]) (r: rarray 'a) (i: int) : 'a
    requires { 0 <= i < r.length } ensures { result = r[i] }

  val ([]<-) (r: rarray 'a) (i: int) (v: 'a) : unit writes {r}
    requires { 0 <= i < r.length } ensures { r = (old r)[i <- v] }

  val resize (r: rarray 'a) (len: int) : unit writes {r}
    requires { 0 <= len }
    ensures  { r.length = len }
    ensures  { forall i: int.
               0 <= i < old r.length -> i < len -> r[i] = (old r)[i] }

  val append (r1: rarray 'a) (r2: rarray 'a) : unit writes {r1}
    ensures { r1.length = (old r1.length) + r2.length }
    ensures { forall i: int. 0 <= i < r1.length ->
               (i < old r1.length  -> r1[i] = (old r1)[i]) /\
               (old r1.length <= i -> r1[i] = r2[i - old r1.length]) }

end

module ResizableArrayImplem (* : ResizableArraySpec *)

  use int.Int
  use int.MinMax
  use array.Array as A

  type rarray 'a =
    { dummy: 'a; mutable length: int; mutable data: A.array 'a }
    invariant { 0 <= length <= A.length data }
    invariant { forall i: int. length <= i < A.length data ->
                  A.([]) data i = dummy }
    by { dummy = any 'a; length = 0; data = A.make 0 (any 'a) }

  function ([]) (r: rarray 'a) (i: int) : 'a = A.([]) r.data i

(*
function make (len: int) (dummy: 'a) : rarray 'a =
    { dummy = dummy; length = len; data = A.make len dummy }
*)

  let make (len: int) (dummy: 'a) : rarray 'a
    requires { 0 <= len }
    ensures { result.dummy = dummy }
    ensures { result.length = len }
    ensures { forall i:int. 0 <= i < len -> A.([]) result.data i = dummy }
    =
    { dummy = dummy; length = len; data = A.make len dummy }

  let ([]) (r: rarray 'a) (i: int) : 'a
    requires { 0 <= i < r.length }
    =
    A.([]) r.data i

  let ([]<-) (r: rarray 'a) (i: int) (v: 'a) : unit
    requires { 0 <= i < r.length }
    ensures { r.data.A.elts = A.Map.([<-]) (old r).data.A.elts i v }
    =
    A.([]<-) r.data i v

  let resize (r: rarray 'a) (len: int) : unit
    requires { 0 <= len }
    ensures  { r.length = len }
    ensures  { forall i: int.
                 0 <= i < old r.length -> i < len -> r[i] = (old r)[i] }
    =
    let n = A.length r.data in
    if len > n then begin
      let a = A.make (max len (2 * n)) r.dummy in
      A.blit r.data 0 a 0 n;
      r.data <- a
    end else begin
      A.fill r.data len (n - len) r.dummy
    end;
    r.length <- len

  let append (r1: rarray 'a) (r2: rarray 'a) : unit
    ensures { r1.length = old r1.length + r2.length }
    ensures { forall i: int. 0 <= i < r1.length ->
               (i < old r1.length  -> r1[i] = (old r1)[i]) /\
               (old r1.length <= i -> r1[i] = r2[i - old r1.length]) }
    =
    let n1 = length r1 in
    resize r1 (length r1 + length r2);
    A.blit r2.data 0 r1.data n1 (length r2)

  (* sanity checks for WhyML typing system *)

(*
  let test_reset1 (r: rarray) =
    let a = A.make 10 dummy in
    r.data <- a;
    A.([]) a 0 (* <-- we cannot access array a anymore *)

  let test_reset2 (r: rarray) =
     let b = r.data in
     r.data <- A.make 10 dummy;
     let x = A.([]) r.data 0 in (* <-- this is accepted *)
     let y = A.([]) b      0 in (* <-- but we cannot access array b anymore *)
     ()

  (* the same, using resize *)
  let test_reset3 (r: rarray) =
     let c = r.data in
     resize r 10;
     let x = A.([]) r.data 0 in (* <-- this is accepted *)
     let y = A.([]) c      0 in (* <-- but we cannot access array c anymore *)
     ()
*)

end

module Test

  use int.Int
  use ResizableArrayImplem

  let test1 () =
    let r = make 10 0 in
    assert { r.length = 10 };
    r[0] <- 17;
    resize r 7;
    assert { r[0] = 17 };
    assert { r.length = 7 }

  let test2 () =
    let r1 = make 10 0 in
    r1[0] <- 17;
    let r2 = make 10 0 in
    r2[0] <- 42;
    append r1 r2;
    assert { r1.length = 20 };
    assert { r1[0] = 17 };
    let x = r1[10] in
    assert { x = 42 };
    let y = r2[0] in
    assert { y = 42 };
    ()

end
why3-1.6.0/examples/resizable_array/000077500000000000000000000000001440160026300174005ustar00rootroot00000000000000why3-1.6.0/examples/resizable_array/why3session.xml000066400000000000000000000206221440160026300224220ustar00rootroot00000000000000






 
 
 
 
 
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
 
 
 
 
  
  
  
 
 
 
 
  
  
  
  
  
  
  
  
  
  
  
  
 
 
 
 
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
 
 
 
 
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
 
 


 
 
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
 
 
 
 
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
 
 



why3-1.6.0/examples/resizable_array/why3shapes.gz000066400000000000000000000070331440160026300220430ustar00rootroot00000000000000[nWў

hx.F]r- {ޑKmMR-R9-bwUTf{/"Jc+]\}x~Ǎ{ .ݛA_`޼
lPz`/?pImCLJ܏9kw}~+n`ww~krYWx1ݯ/6~}a{ڐcMj;zۛ
`TP@XA^x‡񪴾Y?ꡰU{@Ϻ5giQA6*04=Z1}|1i{+9FG8_Be{?9.'9B1${[8D+AS?KSi}h^2ygj Y:}LW﷭7Q*i=c>mU#XH8vg*`I(p~9ޔ+7>;n'UKGSӽc.Fzp71;1rWz1H\G^ewι[|'.0>~6&/T*mE̽N9)ǃ{>P~ws~Kpzk:+1,c}7|{j%~D26铙&M85K
Oa]I	PL	4K}Ez3K@/~8 6*"͸tkif$pPvIؙ"JQYfR]PiTNYSif*mG!z7Rig*WSlI%JdLtZxF¢^ip3QWQ CT>̇x]|LLIMxaQ}%jιa
HeXaa5,>
{Lӷ*9tNb;_KX	@@M{ ,4XtF *-:6b!v!V[XTtqvHN&q(NWR([OCA=Uy# (V6˹sbf2.&P,涢.4+q*4-=?{{#w$![S&orA-%-T՜S;"S6dP&Ցw_(cHOax(|
S	b'V
Ta.,
7Ǹxɘ٭5S/^uFq,#.?eM?(P8eڻ_ߍ7
2as
|~E^z\}[w=K~Ȁ$d}%O#ƐYV7nL_ ~V.v);ޒRqO*^R'GrR.qKA/ޢ8W]lE+lm@vc8~^ \~U[t2K8:۾IἪv:iwz"^#	rKJ˞XILkܯ^I`r{e>gT>g51mM8g
CzfA?A>ȶ!ND.0Oxy=?dZRܤv|~xL~u>XNKКp73EgCI=Deo#v.q#F>{cq9?P C=k4ܼPnv+nvn*gZ;4nAێBnv/|%SOgnp.Yt#]_$ߤBգ)LlBkZ:-lxte\L8DJ[bMvM,z[_).k<&_Y|nD^ڕdN55]wz><9ONfQGaǛƒYg2GOW˳/Dn;2!7}7_ɫY3ijЁ}Ǿ`ł	bV87/*3ʿ.!3۷@[ت[;O3}ןÆE𴙱o(GӝiiwrjwߎYmg/#]66`AV:x
yl|lV9tfˎ
Fyf/8\i@9wa~+.	)2WBpkdU̢BczF Yp9X02df3OYH:FmRfd孽0d&%V	%&qVʨyh,
51U(v삥P@)q(> gu0 DPBryEi1)Xt:	\R*1I1e
1$N&bqJJ.$ţw^'bӝ-n0! u<(wG4PvLv61
aM4^%Dž@-,i&revi{:H$}3		"q䀆$Eis&;fyfIF>{7e&(-do#F	&H*MF	D`362OjX0ޅXxOTNk2)Lk	FM97@RDH!rb$C0HM"$ˊ5N[ͽ Rbr>L3Hd}5,Br!*G>4TH8(‰/csSLSNTD+v[#<0aH#e
}!!K&(i(Zd-XVD*8ehխDhUe;!%$ +vju dYI,y%*Ȉ5$%j]4FjY hf'u5,Xs
|PHt<U{!
2$G	L\Re0A#]Qt(1%DKPQ% VR͔tQ|rqJ͆.SkVZ)($Ι(솒MCʐp*
PobiF	
=**R%@I&b"-yhP0KI.%nj^0G!JWH]P}B\:4@@ڲ9coPP&8)4R&Ja[(K
 zeros }
    ensures  { ult result (64:t) }
    ensures  { eq_sub_bv a zeros zeros result }
    ensures  { nth_bv a result }
  =
    let i = ref zeros in
    while ult !i (64:t) && not (nth_bv a !i) do
      variant {64 - t'int !i}
      invariant {eq_sub_bv a zeros zeros !i}
      i := add !i one
    done;
    !i

  let rightmost_bit_trick (x: t) (ghost p : ref int) : t
    requires { x <> zeros }
    writes   { p }
    ensures  { 0 <= !p < 64 }
    ensures  { eq_sub x zeros 0 !p }
    ensures  { nth x !p }
    ensures  { eq_sub result zeros 0 !p }
    ensures  { eq_sub result zeros (!p+1) (63 - !p) }
    ensures  { nth result !p }
  =
    let ghost p_bv = rightmost_position_set x in
    ghost p := t'int p_bv;
    assert { nth_bv (neg x) p_bv };
    bw_and x (neg x)

endwhy3-1.6.0/examples/rightmostbittrick/000077500000000000000000000000001440160026300177765ustar00rootroot00000000000000why3-1.6.0/examples/rightmostbittrick/why3session.xml000066400000000000000000000063441440160026300230250ustar00rootroot00000000000000








 
 
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
 
 
 
 
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
 
 



why3-1.6.0/examples/rightmostbittrick/why3shapes.gz000066400000000000000000000016171440160026300224430ustar00rootroot00000000000000WMo7W-m~BA
Cr/H;+YZP(EX36
bqF0Yk^4kAL1ˣ\bIoQx5+Uj~{}#_-e4ٽivOg׭±y_4	&n㪵nڸwM;lC'#=ΡZzi2+~ϩŧjq9ZixFKXZ,.>`{cB.9TtjkeH,*@
"[
Q2VRX/6*lmJ	>fr1W,AL92֒^sFKc7~Dй"zl|SW9J|
5:v2eS$Č٥H&,AI(FDJ8Jx6!,Oj@@	mR	(4#Z4!
K(`OZOFFL0c\>`l$aLʙluM%KM!愵$3yQ,jL5V2Qr=Zޜ(ޔh e.i!$ЪTe/%ErQf3![eGRO^ 16nwhy3-1.6.0/examples/ring_buffer.mlw000066400000000000000000000024401440160026300172330ustar00rootroot00000000000000
(** Simple queue implemented using a ring buffer

   From
     Developing Verified Programs with Dafny.
     K. Rustan M. Leino. Tutorial notes, ICSE 2013.

   For a similar data structure, see vstte12_ring_buffer.mlw
*)

use int.Int
use seq.Seq as S
use array.Array

type t 'a = {
  mutable data: array 'a;
  mutable m: int;
  mutable n: int;
  ghost mutable contents: S.seq 'a; (* = data[m..n[ *)
}
invariant { 0 < length data }
invariant { 0 <= m <= n <= length data }
invariant { S.length contents = n - m }
invariant { forall i. 0 <= i < m - n -> S.get contents i = data[m + i] }
by { data = Array.make 1 (any 'a); m = 0; n = 0; contents = S.empty }

let create (x: 'a) : t 'a
  ensures { S.(result.contents == empty) }
=
  { data = Array.make 10 x;
    m = 0; n = 0;
    contents = S.empty; }

let dequeue (q: t 'a) : (_r: 'a)
  requires { S.length q.contents > 0 }
  writes   { q.m, q.contents }
  ensures  { S.(q.contents == (old q.contents)[1..]) }
=
  let r = q.data[q.m] in
  q.m <- q.m + 1;
  ghost S.(q.contents <- q.contents[1..]);
  r

let enqueue (q: t 'a) (x: 'a) : unit
  requires { q.n < length q.data }
  writes   { q.data.elts, q.n, q.contents }
  ensures  { S.(q.contents == snoc (old q.contents) x) }
=
  q.data[q.n] <- x;
  q.n <- q.n + 1;
  ghost S.(q.contents <- S.snoc q.contents x)

why3-1.6.0/examples/ring_buffer/000077500000000000000000000000001440160026300165125ustar00rootroot00000000000000why3-1.6.0/examples/ring_buffer/why3session.xml000066400000000000000000000017501440160026300215350ustar00rootroot00000000000000






 
 
 
 
 
 
 
 
 
 
 
 



why3-1.6.0/examples/ring_buffer/why3shapes.gz000066400000000000000000000015011440160026300211470ustar00rootroot00000000000000UM7W̱bQb`Qye9)Mד%%GvKOCpJu+\x~
mKѢ#9^e+݁zJrsy)|~y}z5zQ@>o$uDcۑ)Os+*3̈́MR	Y42حsHkUTKNl+B{F}a~e"kx(u s1[i] = s2[i]

  axiom extensionality:
     forall s1 s2: char_string. s1 == s2 -> s1 = s2

  (* axiomatized concatenation *)
  function app char_string char_string: char_string

  axiom app_def1:
    forall s1 s2: char_string. length (app s1 s2) = length s1 + length s2

  axiom app_def2:
    forall s1 s2: char_string, i: int.
    0 <= i < length s1 -> (app s1 s2)[i] = s1[i]

  axiom app_def3:
    forall s1 s2: char_string, i: int.
    length s1 <= i < length s1 + length s2 ->
    (app s1 s2)[i] = s2[i - length s1]

  lemma app_assoc:
    forall s1 s2 s3: char_string. app s1 (app s2 s3) == app (app s1 s2) s3

  (* axiomatized substring *)
  function sub char_string int int: char_string

  axiom sub_def1:
    forall s: char_string, ofs len: int.
    0 <= len -> 0 <= ofs <= length s -> ofs + len <= length s ->
    length (sub s ofs len) = len

  axiom sub_def2:
    forall s: char_string, ofs len: int.
    0 <= len -> 0 <= ofs <= length s -> ofs + len <= length s ->
    forall i: int. 0 <= i < len -> (sub s ofs len)[i] = s[ofs + i]

  (* substring routine *)
  val sub (s: char_string) (ofs len: int) : char_string
    requires { 0 <= len /\ 0 <= ofs <= length s /\ ofs + len <= length s }
    ensures  { result = sub s ofs len }

end

(* API *)

module Sig

  use int.Int
  use import String as S

  type rope

  function string rope: char_string
    (** a rope is a string *)

  function length rope: int

  val constant empty : rope
    ensures { length result = 0 /\ string result == S.empty }

  val is_empty (r: rope) : bool
    ensures  { result <-> string r == S.empty }

  val of_string (s: char_string) : rope
    requires { 0 <= S.length s }
    ensures  { string result == s}

  (* access to the i-th character *)
  val get (r: rope) (i: int) : char
    requires { 0 <= i < length r }
    ensures  { result = (string r)[i] }

  val concat (r1 r2: rope) : rope
    ensures  { string result == S.app (string r1) (string r2) }

  (* sub-rope construction *)
  val sub (r: rope) (ofs len: int) : rope
    requires { 0 <= len /\ 0 <= ofs <= length r /\ ofs + len <= length r }
    ensures  { string result == S.sub (string r) ofs len }

  val balance (r: rope) : rope
    ensures  { string result == string r }

end

(* Implementation *)

module Rope (* : Sig *)

  use int.Int
  use import String as S

  (* ***** Logical description of rope type **** *)
  type rope =
    | Emp
    | Str char_string int  int  (* Str s ofs len is s[ofs..ofs+len[ *)
    | App rope   rope int  (* concatenation and total length   *)

  let function length (r: rope) : int =
    match r with
    | Emp         -> 0
    | Str _ _ len -> len
    | App _ _ len -> len
    end

  (* invariant predicate for ropes *)
  predicate inv (r: rope) = match r with
    | Emp ->
        true
    | Str s ofs len ->
        0 < len /\ 0 <= ofs < S.length s /\ ofs + len <= S.length s
        (* s[ofs..ofs+len[ is a non-empty substring of s *)
    | App l r len ->
        0 < length l /\ inv l /\ 0 < length r /\ inv r /\
        len = length l + length r
        (* l and r are non-empty strings of the size (|l| + |r|) = len *)
  end

  (* the string model of a rope *)
  function string (r: rope) : char_string = match r with
    | Emp           -> S.empty
    | Str s ofs len -> S.sub s ofs len
    | App l r _     -> S.app (string l) (string r)
  end

  (* length of stored string is equal to the length of the corresponding rope *)
  lemma rope_length_is_string_length:
    forall r: rope. inv r -> S.length (string r) = length r

  (* NB: Here and below pay attention to the use of '==' predicate in
  contracts *)

  (* empty rope *)
  let constant empty : rope = Emp
    ensures { length result = 0 /\ inv result /\ string result == S.empty }

  let is_empty (r: rope) : bool
    requires { inv r }
    ensures  { result <-> string r == S.empty }
  = match r with Emp -> true | _ -> false end

  (* string conversion into a rope *)
  let of_string (s: char_string) : rope
    requires { 0 <= S.length s }
    ensures  { string result == s}
    ensures  { inv result }
  = if S.length s = 0 then Emp else Str s 0 (S.length s)

  (* access to the character of the given index i *)
  let rec get (r: rope) (i: int) : char
    requires { inv r }
    requires { 0 <= i < length r }
    ensures  { result = (string r)[i] }
    variant  { r }
  = match r with
    | Emp ->
        absurd
    | Str s ofs _ ->
       s[ofs + i]
    | App left right _   ->
        let n = length left in
        if i < n then get left i else get right (i - n)
    end

  (* concatenation of two ropes *)
  let concat (r1 r2: rope) : rope
    requires { inv r1 /\ inv r2 }
    ensures  { inv result }
    ensures  { string result == S.app (string r1) (string r2) }
  = match r1, r2 with
    | Emp, r | r, Emp -> r
    | _               -> App r1 r2 (length r1 + length r2)
    end

  (* sub-rope construction *)
  let rec sub (r: rope) (ofs len: int) : rope
    requires { inv r}
    requires { 0 <= len /\ 0 <= ofs <= length r /\ ofs + len <= length r }
    ensures  { inv result }
    ensures  { string result == S.sub (string r) ofs len }
    variant  { r }
  =
  match r with
    | Emp          -> assert { len = 0 }; Emp
    | Str s ofs' _ -> if len = 0 then Emp else Str s (ofs' + ofs) len
    | App r1 r2 _  ->
        let left  = length r1 - ofs in (* max chars to the left  *)
        let right = len - left      in (* max chars to the right *)
        if right <= 0 then sub r1 ofs len
        else if 0 >= left then sub r2 (- left) len
        else concat (sub r1 ofs left) (sub r2 0 right)
    end

end

module Balance

  use String
  use import Rope as R
  use int.Int
  use int.Fibonacci
  use int.MinMax
  use array.Array
  use ref.Ref

  (** we assume that any rope length is smaller than fib (max+1) *)
  val constant max : int (* e.g. = 100 *)
    ensures { 2 <= result }

  function string_of_array (q: array rope) (l u: int) : char_string
    (** `q[u-1] + q[u-2] + ... + q[l]` *)

  axiom string_of_array_empty:
    forall q: array rope, l: int.
    0 <= l <= length q -> string_of_array q l l == S.empty

  axiom string_of_array_concat_left:
    forall q: array rope, l u: int. 0 <= l < u <= Array.length q ->
    string_of_array q l u ==
      S.app (string_of_array q (l+1) u) (string q[l])


  let rec lemma string_of_array_concat
    (q: array rope) (l mid u: int) : unit
    requires { 0 <= l <= mid <= u <= Array.length q }
    ensures  { string_of_array q l u ==
      S.app (string_of_array q mid u) (string_of_array q l mid) }
    = variant { mid - l } if l < mid then string_of_array_concat q (l+1) mid u

  let rec lemma string_of_array_concat_right
    (q: array rope) (l u: int)
    requires { 0 <= l < u <= Array.length q }
    ensures { string_of_array q l u ==
                S.app (string q[u-1]) (string_of_array q l (u-1)) }
    = variant { u -l } if l < u-1 then string_of_array_concat_right q (l+1) u

  let lemma string_of_array_length
    (q: array rope) (l u i: int)
    requires { 0 <= l <= i < u <= Array.length q }
    requires { forall j: int. l <= j < u -> inv q[j] }
    ensures  { S.length (string_of_array q l u) >= S.length (string q[i]) }
    = assert { string_of_array q l (i+1) ==
                 S.app (string q[i]) (string_of_array q l i) };
      assert { string_of_array q l u ==
               S.app (string_of_array q (i+1) u) (string_of_array q l (i+1)) }

  let rec lemma string_of_array_eq
    (q1 q2: array rope) (l u: int)
    requires { 0 <= l <= u <= Array.length q1 = Array.length q2 }
    requires { forall j: int. l <= j < u -> q1[j] = q2[j] }
    ensures  { string_of_array q1 l u == string_of_array q2 l u }
    = variant { u - l } if l < u then string_of_array_eq q1 q2 (l+1) u

  lemma string_of_array_frame:
    forall q: array rope, l u: int. 0 <= l <= u <= Array.length q ->
    forall i: int, r: rope. (0 <= i < l \/ u <= i < Array.length q) ->
    string_of_array q l u == string_of_array q[i <- r] l u

  let rec lemma string_of_array_concat_empty
    (q: array rope) (l u: int)
    requires { 0 <= l <= u <= Array.length q }
    requires { forall j: int. l <= j < u -> q[j] = Emp }
    ensures  { string_of_array q l u == S.empty }
    = variant { u - l } if l < u then string_of_array_concat_empty q (l+1) u

  function string_of_queue (q: array rope) : char_string =
    string_of_array q 2 (Array.length q)

  let rec insert (q: array rope) (i: int) (r: rope) : unit
    requires { 2 <= i < length q = max+1 }
    requires { inv r }
    requires { forall j: int. 2 <= j <= max -> inv q[j] }
    requires { S.length (string_of_array q i (max+1)) + R.length r
               < fib (max+1) }
    ensures  { forall j: int. 2 <= j <= max -> inv q[j] }
    ensures  { forall j: int. 2 <= j < i -> q[j] = (old q)[j] }
    ensures  { string_of_array q i (max+1) ==
                 S.app (string_of_array (old q) i (max+1)) (string r) }
    variant  { max - i }
  = let r' = concat q[i] r in
    if R.length r' < fib (i+1) then begin
      q[i] <- r';
      assert {    string_of_array q       (i+1) (max+1)
               == string_of_array (old q) (i+1) (max+1) }
    end else begin
      q[i] <- Emp;
      assert {    string_of_array q       i     (max+1)
               == string_of_array (old q) (i+1) (max+1) };
      assert {   S.app (string_of_array q       i (max+1)) (string r')
              == S.app (string_of_array (old q) i (max+1)) (string r) };
      insert q (i+1) r';
      assert { string_of_array q i (max+1) == string_of_array q (i+1) (max+1) }
    end

  let rec insert_leaves (q: array rope) (r: rope) : unit
    requires { 2 < length q = max+1 }
    requires { inv r }
    requires { forall j: int. 2 <= j <= max -> inv q[j] }
    requires { S.length (string_of_queue q) + R.length r < fib (max+1) }
    ensures  { forall j: int. 2 <= j <= max -> inv q[j] }
    ensures  { string_of_queue q ==
                 S.app (string_of_queue (old q)) (string r) }
    variant  { r }
  = match r with
    | Emp              -> ()
    | Str _ _ _        -> insert q 2 r
    | App left right _ -> insert_leaves q left; insert_leaves q right
  end

  let balance (r: rope) : rope
    requires { inv r }
    requires { R.length r < fib (max+1) }
    ensures  { inv result }
    ensures  { string result == string r }
  = let q = Array.make (max+1) Emp in
    assert { string_of_queue q == S.empty };
    insert_leaves q r;
    assert { string_of_queue q == string r };
    let res = ref Emp in
    for i = 2 to max do
      invariant { inv !res }
      invariant { string !res == string_of_array q 2 i }
      res := concat q[i] !res
    done;
    !res

end
why3-1.6.0/examples/ropes/000077500000000000000000000000001440160026300153525ustar00rootroot00000000000000why3-1.6.0/examples/ropes/why3session.xml000066400000000000000000000167451440160026300204070ustar00rootroot00000000000000










 
 
 
 
 
 


 
 
 


 
 
  
  
  
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 


 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
   
   
    
    
    
    
    
    
   
   
  
  
  
  
  
  
  
  
  
  
  
 
 
 
 
 
 
 
 



why3-1.6.0/examples/ropes/why3shapes.gz000066400000000000000000000076371440160026300200270ustar00rootroot00000000000000ZYo7~ׯx-#B0>_
6L֑mIU<93=l+U,U??_Wu`]מ\={ulw9~#=.JϛNHd@7f_[PۤZoJۻ3;=esb#(Ċ=VU2mryqpKϲIf1{&̿9??9dy3i 9iTQ~XR4)xvdqCiyZrLTPw?n7YM>p`7m8+D#Lr<}~΅DRaȷyneL?d岾y2&ы(Ookf"Ms=$&2>y-9	AI/c7eU%sQU],^@/lZlg1jYD>L7ЂY1gBbd/EB"+R2o:_#c^;Ώe/%>)֜՘JP~ehƗ*Soa3q7OeP^q4(2#FlT=3>
~&Ȕ\B Mm!]Jئ	@ζ ӟ&+(l-(`L/z"iN(i6FM?rD=k>WG?Ah|cd(r:%irqޖ%TJKIAD&lwmMX%I«46)>$KgegeB=	>RKekE4ha^Vժ5I-i`n*[;cE>"TAmw?f'K8fuj9@gҢLm[AݝGvb;7q~NFvf8eKq6NgFخg
v/p2f`-Yʐ}P'֘Nb@
GI\ElO7H,Hϡ>1}>k]x#ZxeB4B}	;U헥xk՜^H
ɡÐ)O6G3>U!̓)Ŷ5̞ۻ/GgSV鸈M	OAce9pX_Y/.GH\$3N(=ؘ!:/0o>\uIv>aąuB\X&ѥsѵO+u>(%iK't!/W1̼ncDzO4NP)JVgi̮jJ4T-pA?~e<+YU	AAY4Rpi>)@SN3	TeX8Y)@h+:tzB6'Hp'Y 𛰔Zt*:'\xdAvA#>UgiU
!*֔6z_6lֆڰmPo>6q+jjOX.?GX 9MosG,}=_Zv
w~:Vvnf3t;E#$pэ~^}OI:vW8^w #gw4v;NituUNghǻl`
oGN|9jHQPpʿ_:o@&.[Zy8w
<|M&Xz8*B4VC-Do6cwm=F[Mur(;S9a.9D2,)I28QBr$EYY%:B< =qiO3%<RNuuDŽr==*J3
!ZBEQ
EP
SXjǯa[ʍxQ#P8 \'҉DQ^ɛ%
zC`>,,<=jؖbdRHT
RH[VY:[tCZ*.^JK¦]QonE
M&y,KbOĒ?/^؎H/yLqAfg;o麻lUK/JN^!J'91t[0I	YF;T0C)9N+>HL`M0tr#FYdp0W1kkf<a#1bY'GLxg$	%h1>Kfd
B@Ӆg\
NNӅC<j70x@_Y`L"t Aa7ȋh-E4:	:g;P9#D
xQSSS4cB#bWQϴ).$ΰ$νD]DY̢X0
1H*Negˈp!)X'$sn$JW ak-a,h%AH`X^*1ѝQdIf`SXMRRp{c,]fzc{Y(JK@obX0[1jؼm9_P.V`vfmٖ\*vž͈
˰’t(CgȝĨ\g@F򗗋0NJ>h#V^0\k^^"cpCAzLbm_^ԏX;@텟 FMT,;ŕIxvѡ;x˓S(>ᶡn43jc,`:."2kBMGX#$v=#n6i1Y䁇&yG6why3-1.6.0/examples/same_fringe.mlw000066400000000000000000000045631440160026300172320ustar00rootroot00000000000000
(*
  ``Same fringe'' is a famous problem.
  Given two binary search trees, you must decide whether they contain the
  same elements. See for instance http://www.c2.com/cgi/wiki?SameFringeProblem
*)

module SameFringe

  use int.Int
  use list.List
  use list.Length
  use list.Append

  (* binary trees with elements at the nodes *)

  type elt

  val eq (x y: elt) : bool ensures { result <-> x=y }

  type tree =
    | Empty
    | Node tree elt tree

  function elements (t : tree) : list elt = match t with
    | Empty -> Nil
    | Node l x r -> elements l ++ Cons x (elements r)
  end

  (* the left spine of a tree, as a bottom-up list *)

  type enum =
    | Done
    | Next elt tree enum

  function enum_elements (e : enum) : list elt = match e with
    | Done -> Nil
    | Next x r e -> Cons x (elements r ++ enum_elements e)
  end

  (* the enum of a tree [t], prepended to a given enum [e] *)

  let rec enum t e variant { t }
    ensures { enum_elements result = elements t ++ enum_elements e }
  = match t with
    | Empty -> e
    | Node l x r -> enum l (Next x r e)
    end

  let rec eq_enum e1 e2 variant { length (enum_elements e1) }
    ensures { result=True <-> enum_elements e1 = enum_elements e2 }
  = match e1, e2 with
    | Done, Done ->
        True
    | Next x1 r1 e1, Next x2 r2 e2 ->
        eq x1 x2 && eq_enum (enum r1 e1) (enum r2 e2)
    | _ ->
        False
    end

  let same_fringe t1 t2
    ensures { result=True <-> elements t1 = elements t2 }
  = eq_enum (enum t1 Done) (enum t2 Done)

  let test1 () = enum Empty Done
  let test2 () = eq_enum Done Done
  let test3 () = same_fringe Empty Empty

  val constant a : elt
  val constant b : elt

  let leaf x = Node Empty x Empty

  let test4 () = same_fringe (Node (leaf a) b Empty) (Node Empty a (leaf b))
  let test5 () = same_fringe (Node (leaf a) b Empty) (Node Empty b (leaf a))

  exception BenchFailure

  let bench () raises { BenchFailure -> true } =
    if not (test4 ()) then raise BenchFailure

end

module Test

  use int.Int
  clone SameFringe with type elt = int

  let test1 () = enum Empty Done
  let test2 () = eq_enum Done Done
  let test3 () = same_fringe Empty Empty

  constant a : int = 1
  constant b : int = 2

  let leaf x = Node Empty x Empty

  let test4 () = same_fringe (Node (leaf a) b Empty) (Node Empty a (leaf b))
  let test5 () = same_fringe (Node (leaf a) b Empty) (Node Empty b (leaf a))

end
why3-1.6.0/examples/same_fringe/000077500000000000000000000000001440160026300165015ustar00rootroot00000000000000why3-1.6.0/examples/same_fringe/why3session.xml000066400000000000000000000026471440160026300215320ustar00rootroot00000000000000







 
 
 
 
 
 
 
 
 
 
 
 
 
 
 


 
 
 



why3-1.6.0/examples/same_fringe/why3shapes.gz000066400000000000000000000010761440160026300211450ustar00rootroot00000000000000Tn@,d3axXdj[qbH}y]!s8rX?\OŗXw#X-EUZ(K),,կjc? (6gYYae@z>hAiাY|WnMSJ[J,Ȧ?s*n"VN
p(#Ցt'*l웾1eل2:LSh#3md&FiPY>djv
Z^ExW_mnjecvt>j7%,9k24ơTu=xr%U
GmO^ވqm)n}Aqsh\_L	Gx(|Hd6_0VXV4hW\K:AaWsi;>E"v'2$B	G`b"	*R8#^%:bW,rQgY(N
GY&A1JDq!$BH"31CD`JE@jS<ϴBkt0WY%Q&⽗*c>741h\
@ O@o3why3-1.6.0/examples/schorr_waite.mlw000066400000000000000000000277651440160026300174550ustar00rootroot00000000000000
(** Schorr-Waite algorithm

    The Schorr-Waite algorithm is the first mountain that any
    formalism for pointer aliasing should climb.
                                      -- Richard Bornat, 2000

  Author: Mário Pereira (UBI, then Université Paris Sud)

  The code, specification, and invariants below follow those of
  the following two proofs:

  - Thierry Hubert and Claude Marché, using Caduceus and Coq

    A case study of C source code verification: the Schorr-Waite algorithm.
    SEFM 2005. http://www.lri.fr/~marche/hubert05sefm.ps

  - Rustan Leino, using Dafny

    Dafny: An Automatic Program Verifier for Functional Correctness.
    LPAR-16.
    http://research.microsoft.com/en-us/um/people/leino/papers/krml203.pdf
*)

module SchorrWaite

  use seq.Seq
  use map.Map
  use ref.Ref
  use int.Int
  use list.List
  use list.Length
  use list.Append
  use set.Fset as S

  (** Why3 has no support for arbitrary pointers,
      so we introduce a small component-as-array memory model *)

  (** the type of pointers and the null pointer *)
  type loc
  val constant null: loc

  val (=) (a b: loc) : bool
    ensures { result = (a = b) }

  (** each (non-null) location holds four fields: two Boolean marks m and c
      and two pointers left and right *)
  val m: ref (map loc bool)
  val c: ref (map loc bool)
  val left: ref (map loc loc)
  val right: ref (map loc loc)

  val get_left (p: loc) : loc
    requires { p <> null }
    ensures  { result = !left[p] }

  val set_left (p: loc) (v: loc) : unit
    requires { p <> null }
    writes   { left }
    ensures  { !left = set (old !left) p v }

  val get_right (p: loc) : loc
    requires { p <> null }
    ensures  { result = !right[p] }

  val set_right (p: loc) (v: loc) : unit
    requires { p <> null }
    writes   { right }
    ensures  { !right = set (old !right) p v }

  val get_m (p: loc) : bool
    requires { p <> null }
    ensures  { result = !m[p] }

  val set_m (p: loc) (v: bool) : unit
    requires { p <> null }
    writes   { m }
    ensures  { !m = set (old !m) p v }

  val get_c (p: loc) : bool
    requires { p <> null }
    ensures  { result = !c[p] }

  val set_c (p: loc) (v: bool) : unit
    requires { p <> null }
    writes   { c }
    ensures  { !c = set (old !c) p v }

  (** for the purpose of the proof, we add a fifth, ghost, field,
      which records the path from the root (when relevant) *)
  val ghost path_from_root : ref (map loc (list loc))

  val ghost get_path_from_root (p : loc) : list loc
    ensures  { result = !path_from_root[p] }

  val ghost set_path_from_root (p: loc) (l : list loc) : unit
    requires { p <> null }
    writes   { path_from_root }
    ensures  { !path_from_root = set (old !path_from_root) p l }

  (** Stack of nodes, from the root to the current location, in
      reverse order (i.e. the current location is the first element
      in the stack) *)

  type stacknodes = Seq.seq loc

  predicate not_in_stack (n: loc) (s: stacknodes) =
    forall i: int. 0 <= i < Seq.length s -> n <> Seq.get s i

  let ghost tl_stackNodes (stack: stacknodes) : stacknodes
    requires { Seq.length stack > 0 }
    ensures  { result = stack[1..] }
    ensures  { forall n. not_in_stack n stack -> not_in_stack n result }
  = stack[1..]

  (** two lemmas about stacks *)

  let lemma cons_not_in (s: stacknodes) (n t: loc)
    requires { not_in_stack n (cons t s) }
    ensures  { not_in_stack n s }
  =
    assert { forall i: int. 0 <= i < Seq.length s ->
             Seq.get s i = Seq.get (cons t s) (i+1) }

  let lemma tl_cons (s1 s2: stacknodes) (p: loc)
    requires { Seq.length s2 > 0 }
    requires { s1 = s2[1..] }
    requires { p = Seq.get s2 0 }
    ensures  { s2 = cons p s1 }
  = assert { Seq.(==) s2 (cons p s1) }

  function last (s: stacknodes) : loc =
    Seq.get s (Seq.length s - 1)

  predicate distinct (s: stacknodes) =
    forall i j. 0 <= i < Seq.length s -> 0 <= j < Seq.length s -> i <> j ->
    Seq.get s i <> Seq.get s j

  (** Paths *)

  predicate edge (x y : loc) (left right : map loc loc) =
    x <> null /\ (left[x] = y \/ right[x] = y)

  inductive path (left right : map loc loc) (x y : loc) (p : list loc) =
  | path_nil   : forall x : loc, l r : map loc loc. path l r x x Nil
  | path_cons  : forall x y z : loc,
                 l r : (map loc loc),
                 p : list loc.
                 edge x z l r -> path l r z y p ->
                 path l r x y (Cons x p)

  let rec lemma trans_path (x y z : loc) (l r : map loc loc) (p1 p2 : list loc)
    variant  { length p1 }
    requires { path l r x y p1 }
    requires { path l r y z p2 }
    ensures  { path l r x z (p1 ++ p2) }
  = match p1 with
    | Cons _ (Cons b _ as p') -> trans_path b y z l r p' p2
    | _                       -> ()
    end

  lemma path_edge : forall x y : loc, left right : map loc loc.
    edge x y left right -> path left right x y (Cons x Nil)

  lemma path_edge_cons:
    forall n x y : loc, left right : map loc loc, pth : list loc.
    path left right n x pth -> edge x y left right ->
    path left right n y (pth ++ (Cons x Nil))

  predicate reachable (left right: map loc loc) (x y : loc) =
    exists p : list loc. path left right x y p

  (** Schorr-Waite algorithm *)

  let schorr_waite (root: loc) (ghost graph : S.fset loc) : unit
    requires { root <> null /\ S.mem root graph }
    (* graph is closed under left and right *)
    requires { forall n : loc. S.mem n graph ->
               n <> null /\
               (!left[n] = null \/ S.mem !left[n] graph) /\
               (!right[n] = null \/ S.mem !right[n] graph) }
    (* graph starts with nothing marked *)
    requires { forall x : loc. S.mem x graph -> not !m[x] }
    (* the structure of the graph is not changed *)
    ensures  { forall n : loc. S.mem n graph ->
               (old !left)[n] = !left[n] /\
               (old !right)[n] = !right[n] }
    (* all the non-null vertices reachable from root
       are marked at the end of the algorithm, and only these *)
    ensures  { forall n : loc. S.mem n graph -> !m[n] ->
               reachable (old !left) (old !right) root n }
    ensures  { !m[root] }
    ensures  { forall n : loc. S.mem n graph -> !m[n] ->
          (forall ch : loc. edge n ch !left !right -> ch <> null -> !m[ch]) }
  = let t = ref root in
    let p = ref null in
    let ghost stackNodes = ref Seq.empty in
    let ghost pth = ref Nil in
    ghost set_path_from_root !t !pth;
    let ghost unmarked_nodes = ref graph in
    let ghost c_false_nodes = ref graph in
    while !p <> null || (!t <> null && not get_m !t) do
      invariant { forall n. S.mem n graph -> not_in_stack n !stackNodes \/
                  exists i : int. Seq.get !stackNodes i = n }
      invariant { not_in_stack null !stackNodes }
      invariant { Seq.length !stackNodes = 0 <-> !p = null }
      invariant { !p <> null -> S.mem !p graph }
      invariant { Seq.length !stackNodes <> 0 -> Seq.get !stackNodes 0 = !p }
      invariant { forall n : loc. S.mem n graph -> not !m[n] ->
                  S.mem n !unmarked_nodes }
      invariant { forall n : loc. S.mem n graph -> not !c[n] ->
                  S.mem n !c_false_nodes }
      invariant { forall i. 0 <= i < Seq.length !stackNodes ->
                  S.mem (Seq.get !stackNodes i) graph }
      invariant { forall i.  0 <= i < Seq.length !stackNodes - 1 ->
                  let p1 = Seq.get !stackNodes i in
                  let p2 = Seq.get !stackNodes (i+1) in
                  (!c[p2] -> old !left[p2] = !left[p2] /\
                             old !right[p2] = p1) /\
                  (not !c[p2] -> old !left[p2] = p1 /\
                                 old !right[p2] = !right[p2]) }
      invariant { !path_from_root[root] = Nil }
      invariant { forall n : loc. S.mem n graph ->
                  not_in_stack n !stackNodes ->
                  !left[n] = old !left[n] /\
                  !right[n] = old !right[n] }
      (* something like Leino's line 74; this is useful to prove that
       * the stack is empty iff p = null *)
      invariant { Seq.length !stackNodes <> 0 ->
                  let first = last !stackNodes in
                  if !c[first] then !right[first] = null
                  else !left[first] = null }
      invariant { Seq.length !stackNodes <> 0 -> last !stackNodes = root }
      (* something like lines 75-76 from Leino's paper *)
      invariant { forall k : int. 0 <= k < Seq.length !stackNodes - 1 ->
               if !c[Seq.get !stackNodes k]
               then !right[Seq.get !stackNodes k] = Seq.get !stackNodes (k+1)
               else !left [Seq.get !stackNodes k] = Seq.get !stackNodes (k+1) }
      (* all nodes in the stack are marked
       * (I4a in Hubert and Marché and something alike line 57 in Leino) *)
      invariant { forall i. 0 <= i < Seq.length !stackNodes ->
                  !m[Seq.get !stackNodes i] }
      (* stack has no duplicates ---> line 55 from Leino's paper *)
      invariant { distinct !stackNodes }
      (* something like Leino's line 68 *)
      invariant { forall i. 0 <= i < Seq.length !stackNodes ->
                  let n = Seq.get !stackNodes i in
                  if !c[n] then !left[n] = old !left[n]
                  else !right[n] = old !right[n] }
      (* lines 80-81 from Leino's paper *)
      invariant { Seq.length !stackNodes <> 0 ->
                  if !c[!p] then old !right[!p] = !t
                  else old !left[!p] = !t }
      (* lines 78-79 from Leino's paper *)
      invariant { forall k : int. 0 < k < Seq.length !stackNodes ->
                  let n = Seq.get !stackNodes k in
                  if !c[n]
                  then Seq.get !stackNodes (k - 1) = old !right[n]
                  else Seq.get !stackNodes (k - 1) = old !left[n] }
      (* line 70 from Leino's paper *)
      invariant { !p <> null ->
                  path (old !left) (old !right) root !p !pth }
      (* line 72 from Leino's paper *)
      invariant { forall n : loc. S.mem n graph -> !m[n] ->
                  reachable (old !left) (old !right) root n }
      invariant { !p = null -> !t = root }
      (* line 70 from Leino's paper *)
      invariant { forall n : loc, pth : list loc.
                  S.mem n graph -> !m[n] ->
                  pth = !path_from_root[n] ->
                  path (old !left) (old !right) root n pth }
      (* lines 61-62 from Leinos' paper *)
      invariant { forall n : loc. S.mem n graph -> n <> null -> !m[n] ->
                  not_in_stack n !stackNodes ->
                  (!left[n] <> null -> !m[!left[n]]) /\
                  (!right[n] <> null -> !m[!right[n]]) }
      (* something like Leino's lines 57-59 *)
      invariant { forall i. 0 <= i < Seq.length !stackNodes ->
                  let n = Seq.get !stackNodes i in
                  !c[n] ->
                  (!left[n] <> null -> !m[!left[n]]) /\
                  (!right[n] <> null -> !m[!right[n]]) }
      (* termination proved using lexicographic order over a triple *)
      variant   { S.cardinal !unmarked_nodes,
                  S.cardinal !c_false_nodes,
                  Seq.length !stackNodes }
      if !t = null || get_m !t then begin
        if get_c !p then begin (* pop *)
          let q = !t in
          t := !p;
          ghost stackNodes := tl_stackNodes !stackNodes;
           p := get_right !p;
           set_right !t q;
          ghost pth := get_path_from_root !p;
        end else begin (* swing *)
          let q = !t in
          t := get_right !p;
          set_right !p (get_left !p);
          set_left !p q;
          ghost c_false_nodes := S.remove !p !c_false_nodes;
          set_c !p true;
        end
      end else begin (* push *)
        let q = !p in
        p := !t;
        ghost stackNodes := Seq.cons !p !stackNodes;
        t := get_left !t;
        set_left !p q;
        set_m !p true;
        ghost if !p <> root then pth := !pth ++ (Cons q Nil) else pth := Nil;
        ghost set_path_from_root !p !pth;
        assert { !p = Seq.get !stackNodes 0 };
        assert { path (old !left) (old !right) root !p !pth };
        set_c !p false;
        ghost c_false_nodes := S.add !p !c_false_nodes;
        ghost unmarked_nodes := S.remove !p !unmarked_nodes
      end
    done


end
why3-1.6.0/examples/schorr_waite/000077500000000000000000000000001440160026300167135ustar00rootroot00000000000000why3-1.6.0/examples/schorr_waite/why3session.xml000066400000000000000000000717021440160026300217420ustar00rootroot00000000000000








 
 
 
 
 
  
  
  
  
  
  
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
   
   
    
    
    
    
    
    
    
   
   
   
   
    
    
    
    
    
    
    
   
   
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
 
 



why3-1.6.0/examples/schorr_waite/why3shapes.gz000066400000000000000000000443171440160026300213640ustar00rootroot00000000000000[9S,XAb"gvf-ɻ?$LުjsQWedď ۛ/1c/Qoo~ۗwGw;:ܑ~wßNtm߿_qvD7_WǼ||#w?~rwW3׽VT+~Q[}[/_mԿݻG܁Bx᫼h[ONƊɵ-'tk?QX^mmu>;Jԝ~;nb;c_pAwyuTnw
1+tnq{tt;}5\.EhOK8ʼYo^ʌ1׳m0%pJֵ躏~.ayoЉoj/L-41~'>vw|QڠHOihkc]BX^EkyPZ6,ʕVJrUҪ\i0wUz2s(؇bd)m5>`heDY&<{=kآ
-lLnbrtm=G;[[LyǧiB#[h-
чFRsӳ
[Dؒg2s-:g>ބ{
:PCbDQI?^
]`CFIlPР6
[an'd[l
@y47pnbGSUp7OO_GzWO_2߻NK^EwIb%ɉ2,n޾$ -HbHx$qv&Ix$$Qt-N<_ID$	EPTglsӓ@a~L@x\|Ӱ[x
:E)w6=™b~U|%NȲOߟ`ıʟ|WhTQSD#̗<8Ḛ8'&j-Nq'34È{V"O|B%Q]Vmm)+C#lC[͉8Ko^:naamI]r92TDQL?"u C}/d4z+S!dnq(ˤ۟ϯA+
d"Opdf8rJTȈȩ'$Zd舌xtς44ȃȸzgu
R;{t=<8IjV^N)bgT8;~1A=8{)v5>&C^J=QDQI?o__CQPDHIZ3EɌ"%ZҡKzBtc],-ŒǚK:b˛d=}ȪH
>_A~)TPgI
Th
ٍBPC
E&`?Qx/
»RDQI??R_C"]ꡡeWgCA2ݟ(eWU(қUr	5T("vSY|p ]h8i%}6l't%H]w1m3*),5S>CwhSS]aR85aЉ2,n~@E*CTƩ0[n[|آO/oIUlm.Cz=)r^&MΖ=/«"<	W;ƳDqqKBG]~g]Yw՝1zMyg1hut:f)'	]Bī؜BVO@|,ĝ$sXî,+zYZhG7e߹$C_Y-e.܇-D72a9G?z?c[r%T|Ds@
|Φ~o"~Xq+&7wo`ټO—P}j<*qٝekR/XI|~g^ݙw՝y5{ާY.w/jE'|xvVeedOYʄ(aQGleYՅa2XKRj5Xt|`aUokF(j;BAHzhs7nqsʶJe$لg7cKY5e4 aդm,Pƪi[-(c-e:N8֝,ke5<>XР??AGدO㺲PRl2m__Ժnh6['QEB_E’EžEju,V[$HXm`E*	X$HX"aEr	[$~	,[$Hؕ	VX$^˗?6io	s2dxȸ	/7pf{6l8pP&d8pUa#AH8 r!q-f;ǰµv!dgX_+XbųVM_Ru"XU!
5P+T
U
@egoVxKADhQ!3Tȟ%'T燊oSԈ
UBTpB[.p
TA.PJIɃmw,0,0$@΋.(CB^xfP/O?x!/ŷik䅮y/TⅩ[`:-0uLL -:!uR4q;۪ƇMܪ&7ܘLi
|RFD]2$:g)Չ1b>ګeeF1?cCyDdhAշݖ::`ʾK/v4xZd*TQ[kmU (H[I"jD!ˇIlQ@yaҐGH_IL"yt(<MKn3bS^Ѡ7E;;:tIFV5
ta5:LB@BT,hZ4C[¾עen8p	з}.8Hؽ81$~/!u8^p AW8p*ԓLM{;vyƟ¤ޮ͉]/WYf$CST.ygQ3?TAtP+d75'T\[Ɩmu7%ʽe13{|gkvG?Zo9jQ>_FkԈAY'j߷
ti=TH8 R!qAdFO8q:bĿx,n!Vz
}\Gs(UpVsÍ^69;2n0Rr#^$1Qݹ~"M0A"^~ߪ&Le'*n3bkj`7XtJ`57dFga2A΍.
]r7}@=|Á^/Zoj9{5r^{'t50np7x|3oj@J;fH@Ɛ>B!d!<:;Cxt
z~ͻ.CVWl%
t&[kX+ڷ ?z+bהm/{c,]M򜎸g_0J쩴=uC f/N({ǁZ>48]]Nu!rBY8넳1Q
zrelg!T2]T4Gv'N1~[,\%̄*T(!)͝if]-7'=ܞַ]z'je5$3>d!W??O}EKۂ%Ϝ)$DND:	oH"9E6p^lJ3PAL-փ$M$Ԭ0X l3.̐屈?%lj:U96sHԩHpH'URU:d!uOUETU$OUETUh'fCnb+Qa++}*(IPۉ`Ӫ(	FiPA#b;sϷSxѦ*_d|~@ӻNzRw
>x[`Nl-`s ]%6xg'Dmb"%F-628q:2vw Q1=x[l)n/irJON
*=3C*=$e 7Җ(7Ogw%Wdդh''LD.N^?ceh?Wn1C:f..4>?.VÅUpa5\9,]VÅuj>\XÅpa}AåNrfz'v"tP	{];Lo3W\"ܮZ*We<`←ԑg
E&U>R$bmմYB`PC+VsGܾVB+MJJ2yd}3^gRp.ċx
MnRt"ypυ*A7I[|`ņiA_\8pp5pao0~ A/7IE-V?!+6-+L
sY"\s&ًw++V\NcX?1W,J5
Sb'6B@T,O
,g`,MU#,l
ܛ5ݱ^[;kKx.,,Za :J$:EP"<+Є(S9lrpۅDVXS2sE~&4Ҥ"4u&Ii^$^QQWeGw[y	8pKC277ͽ->oR=b=iތ=iކ=]Ȟ,-i\=dau=a$NtraxRK"gO7œٲGeQ{"[xGy[fo-@+=_[1V̰2J|MFىNeb<^&ϥ	u`F`I~SUbƣyBfxnT2s"DxDn@w>wnLo;•Fq
~Z\!}!`-/&LD;LFˤRUx۾U0@V>Gu
0<k~8|`b|"xVzZd'{֔11Cl>g{b{ۃ9rHï|kd7	wj[d(Yq5t7e@K6밦[WoNh5b
X/fM&\\Λ6Ġyk뉤75ۺNYFƜ|,k֘Ě~lk:vv`
/ANlJx{ió$[eWR$jމR:|fܩa)=mn .o_QTn\@K
^
5hqK!*jbjFdԐїh*Ra/;SQÔ1=涮SPCHa5Kve/gA
Fgۛv@D~
(8(i÷oÌp_}2 R&F{'vBY:˻ƸIp>bDlu-Dd.nZ\a9KR
"":Dtt^ rGYV
\-wrV,ww?zO]x?}51=AZCb2;mV6"^s؍FeڽFlOA
bWW҈&މ)ww"F14Jy3ovVCxF%G#U

hqKiTó*]L4'2hS-zУQ{)piTH
46Rz˿i56DݔjY3_B;esh`_cx%R;&z'v\E~oP\ۉ.Gr(j;WCu
mύחrjcUT8h8uɗn|3v
m3Y^,~	~[wmwd9ol%,~Q0qCAw }2}l?U$I߾$϶f1e!
+T ?}Qǐ9
dOսl2t/e.ܻlS_)^;
p&^L5q?&VNc+Q'P]tjr H%xp"E~~Λ[*RQ@I!
R yp,XxXhg"|"D ["ȗN1~KV	"[ ;-ud ̉kNLyL+.n)WRyMS]+w(;#~9S)V(Uajg_^nü0Sq%-cVgn$SNцq
)R%)bP=f@'x{C^걤z,^Yz&yvV!egRӐ&ݑ,X8pd{8pClҖf[/4j >|x|I:k쌟jBD҂9b-AWDD&]l"^bo\l LUE(*iS&-,Xv"c%x,dǒxW{je\`@.U(A-/x~"Ek%h-Ң ^Y&{`z^Nǝfmy:6t).P'"O;P);Jy*v<56B JiRJeR^LIj7Wlq՛<8xp&Fm sئI·b/ۺNAZ$P!	К$))f$)PKI}!>5I\Klxީ ɫ IL	KF5v 4+nl@7(\To%Du%@IX%	%2DvP"<(!*db椯OpҢdj푷u>gkBu
%pbc,a~|AmfM0iT{Gn;ׁ-4h/%;_

VBU`ByR!-8T.G|,Y[Rp&8Lt(pBqk~/W*n(࠷uI,3IVGየQK{4#ɂ8p`«BDȔ&@/.]*|-FRl!z'vB[>
F|Bw|;
H0˻#&[bwH/|)Fl[a^IKcDcd["0Y*_ +ۓ{Y{4g,u/2{bo<]*byUD5<>z*g8bG4b{qijKЌoőH8j;э^78w|vnggqTVhG6B28^VxIEFQ/-8^2%Q
Tw  ?7E3ւuf>XI"$"aɢ$Dr7D*HNB᣾?

ŶI.HΒHf!n#&i5W$I$$*Cd&/
q<%aХA&(_WSWSW$iq5U/lK&'&/ӳٽ6jY>,Sp%
d9Uep|pL-NtVKg;
Aݲ^Y>SLL/T3_گW,`lTQĬZU/=x6¶/2B>?RZOMGOM"I)t"[`;-ul IaR~N`8
$]x,,\7)%Ky-Yג,dm`k i	f:@0UJze!
5)I8`;'} ~ߜ72/м/LGN,TZȉeY̲,z~Yցγi^lΦ
nc٬:R.z?z:nUOtIZD=):Z(i(Sd8pŒ[h8p'Gw|pO7φ7I(.*QI#n6Grpue")
o+a		`)D`Qld4aZҦ\xHX<>YϻGw/)zʽ빪s\ǹ=:NX4@Gl{׋}X?`[?aOC
Tw}܆5Sػ8"]/:{DO'Q+H{jxzā8	oVom`
U54zhdTu/FA54.ݠ8-AĹ}hlT}j*iGLܠ:n)QlPm?zj6>>%FQ*h'|jhZ[h,h| AM=kwnÇ%˞w罽yW=o/mY}ք/^r"ޔ$YJW/'|^]@;_||l)14.3|I{ٟʷ4KwO^EA!j˗^޴˗8pz;v쨲]s!*]8ʚdwan>MhX˄I.zsֈlC{|"-X}-݅{Y6=gkئDn}D5q5֝5@V>Gu
5)O,kTbͩ)Q+QIcV5(k?kNl_@Ł/|5$}%=}
l:!w{~PDZ
wZpiD{G欭})85U4}͞=GJހXb lUOUP%hTl8sƢN8qA	.[,XxqXhMކI=.1KuW
_0b{'C5*c`D}47㋼Qp>z,FX'^޵\cwzd#Ĉ0".ň.A#~}{likqLj/ɖvً(	O'x/0G-SF,I۞(XDTKrƊۑ#q+w'G&TZٔND7.{I>1GQ	#Q
5zFKqTƋ*4^\gp78BxƋ,zd8BC
\ud?
`]7Cwf>tI"H$"abK<$!#_I"ozݜpG}"CE;̷r]'Q&:R(z!nBU#qMDYAR!n
q	K	/Mz@6lKb3VlVɛ,!D<0?~r~Re얶w՝ikfI*{qo2FYV.XԲt|%eguW*yp&H{'Cx1wNVupC6i|.KZ/`B3%[pI3w\65cKpʶL/h֨	W!!Xod[v%
3})Hu']]+Mi^,014wZɇ-i`՝Y{gVݙurf,g2cSpܞIDl."_O/Yfye;U8AWj䍷播&"?-e֜eSdkVܪ4 xWH#v	0be):mMGPz=ldƤ5*%dLJg^)4oW
KJl֊
+Q";΢D()?]n'JCRt}AI|dm簺R}7Vn]tDOE-A@w%s"09B˹C9T1͖Hd=em&mlA͠M3p۳Ϫdۆ4^aB~ˮ]cbSD.Y1(U6菛L!BNW:%fm/k_(l%rgBNCǪa~opnmT79)q^ {$⾔SY|
.77rd4#օ+GȬyq4{C%7v!,(.#dZ"`1+DQHCNV2h_@ƅråèׁES1[m4!v_
dټi6qT-ŽWv2RQd2/TW~efJ%$Bq_PqbRh=hCn_\5fI,RёhN]=.ɁY6fH**Bge$|dDyhE:a\ULr,~:+ILFeDDFKvaTa.qjW:/`ĪJ
HS-{7T)uV;$qkqHNA[N5!fR-1
q>qP	G+A&B
N>T1,
cgp'O%,bJu?64P
67ϫW
4V(w4$iJu?E-fa0q&!	 HTb/d0xJ/{#r&fiŸ00@oA(AWRԤZhkj
ۈH!5+f<v-M3F(/Hh L1穹A4,(.:a|"Qc*W:j#1c.0
NDb{`9`ÃtU%:	+n.`S,0#%0<\錎jH@!Mòx,|UiK%ޠ]ŕpôLX	WwxAGXT,ãWw0jڰ΢XPckX0Vp%t%wxedPO+H9#Q6cQ,DQDj0®`83zհb00CW;iLK>9WX-1ԪeZ)P38MqVc3g6iZ5Z*`lp
Wƥ%!djU!8BZ,V
V^`o7ԪVZ͂N1 |=Z0
hXeIlhք^mՌj&qL&< Iqj5.X9ɗ:1ժen_W5Kd8'Vg^tZ7 $av)0R"Dc–_aCwth!ecX?m
рNBA	"j4qftyXPJkHRSQuǁ/Ag	j`ѧGȍZ{#+j5I$4T ШhcY(gi
|iMn͡V-'=MfG0kx3LaՆ28o6!bއ6QqSj_)άD.7
%,+VmD0<2SzX3`fK`?_*8IFh€'2ρ;HEE4({ղicd
¥L5B{~@u$™j5#
2`A|?7a~q6lR
\ެh	kAQRo-eMP-Ņ#i 	\j5:{VX7`v-f[16ỳÅ+Qda38Xf4vC]3Wxla3d0քzI[+C'XrbKtU3]bQWJ]Լ03xq0e
#~x'Ŭ0;ٽ:%X:,b#qS]wr%.`5\haM2Lauip2Lt,fJaY5Sgӎ$
f|:F!n3i&h0c!dBw	[kɘ'Qr$8k5tB»?P
g
}ztYC8e^7ӝJp䐰m62p#ܵy0q
(
@3	y8ř˲bw3N1ЇQ\vHEevD[CepȉE*+Y`if&Na;1rA&0%Kۙ	0f\nY!#d$(%CV2xipAA=d…YG
`CfŰ
PAn.@j\V60(9c/بȼ
OCfD!
pH%fka-X{ǭ/b5I 4|U01KV`xb25&7alxD =0]_9Aý#r3\Vӟ&>s!Fmڰ9z
b3	֑A)7R-PJqVwhy3-1.6.0/examples/schorr_waite_via_recursion.mlw000066400000000000000000000306561440160026300223760ustar00rootroot00000000000000
(** Schorr-Waite algorithm for general-size records.

    Author: Martin Clochard (Université Paris Sud)

    Here the proof is carried out by proving an equivalent
    recursive program. The recursive program can be justified
    to be equivalent to the looping one:
    all side-effects/exception throwing are done by running the loop body
    (which features a minor modification to exit by exception),
    so the recursive programs amounts to execute an arbitrary number
    of time the loop body. It is immediately followed by an absurd statement
    to enforce the equivalence with the loop which runs its body an
    infinite number of times.
    Although the added recursive structure can be seen to be computationally
    irrelevant, it allows to discharge details about Schorr-Waite
    stack management through a recursive procedure proof. The method
    basically make explicit the derecursification used to obtain
    Schorr-Waite algorithm.

    See example verifythis_2016_tree_traversal for details about
    the technique, applied to a similar algorithm for trees.

*)

(** Component-as-array memory model, with null pointers
    and arbitrary-sized memory blocks. *)
module Memory

  use int.Int
  use option.Option
  use map.Map
  (** Memory locations *)
  type loc
  (** Null pointer *)
  constant null : loc
  (** Marks used by Schorr-Waite *)
  type color =
    | White
    | Black (option int)
  type pmem = map loc (map int loc)
  (** Memory blocks have two parts: a marking part containing in particular
      Schorr-Waite internal management data, and a sequence of pointers
      to other memory blocks. *)
  type memory = abstract {
    (** Associate block size to location. *)
    block_size : map loc int;
    (** Pointers to other memory blocks. *)
    mutable accessor : pmem;
    (** Marks. *)
    mutable colors : map loc color;
  }
  (** Global instance for memory *)
  val memo : memory
  (** null creation *)
  val null () : loc ensures { result = null }
  (** null test *)
  val is_null (l:loc) : bool ensures { result <-> l = null }
  (** Get block size associated to a given location *)
  val get_block_size (l:loc) : int
    requires { l <> null }
    reads { memo }
    ensures { result = memo.block_size[l] /\ result >= 0 }
  (** Access to a mark *)
  val get_color (l:loc) : color
    requires { l <> null }
    reads { memo }
    ensures { result = memo.colors[l] }
  (** Set a mark. We also impose the restriction that when a block is
      marked black, the given index must be coherent with the block size.
      This impose special treatment for 0-sized memory blocks. *)
  val set_color (l:loc) (c:color) : unit
    requires { l <> null }
    requires { match c with
      | White -> true
      | Black None -> memo.block_size[l] = 0
      | Black (Some ind) -> 0 <= ind < memo.block_size[l]
      end }
    writes { memo.colors }
    ensures { memo.colors = old (memo.colors[l <- c]) }
  (** Getter/Setter for pointer buffer *)
  val get_acc (l:loc) (k:int) : loc
    requires { l <> null /\ 0 <= k < memo.block_size[l] }
    reads { memo }
    ensures { result = memo.accessor[l][k] }
  val set_acc (l:loc) (k:int) (d:loc) : unit
    requires { l <> null /\ 0 <= k < memo.block_size[l] }
    writes { memo.accessor }
    ensures { memo.accessor =
      old (memo.accessor[l <- memo.accessor[l][k <- d]]) }
  (** Take ghost snapshots of memory. *)
  val ghost snapshot_acc () : pmem
    reads { memo }
    ensures { result = memo.accessor }
  val ghost snapshot_colors () : map loc color
    reads { memo }
    ensures { result = memo.colors }

end

(** Define notions about the memory graph *)
module GraphShape

  use int.Int
  use set.Fset
  use map.Map
  use Memory

  predicate black (c:color) = c <> White

  (** Edges *)
  predicate edge (m:memory) (x y:loc) =
    x <> null /\ (exists n. 0 <= n < m.block_size[x] /\ m.accessor[x][n] = y)
  (** Paths *)
  inductive path memory (x y:loc) =
    | path_nil : forall m x. path m x x
    | path_cons : forall m x y z. edge m x y /\ path m y z -> path m x z
  (** DFS invariant. For technical reason, it must refer to different parts
     of the memory at different time. The graph structure is given
     via the initial memory, but the coloring is given via the current one. *)
  predicate well_colored_on (graph gray:fset loc) (m:memory) (cl:map loc color) =
    subset gray graph /\
    (forall x y. mem x graph /\ edge m x y /\ y <> null /\ black cl[x] ->
      mem x gray \/ black cl[y]) /\
    (forall x. mem x gray -> black cl[x])
  (** Unchanged only concerns the graph shape, not the marks *)
  predicate unchanged (m1 m2:memory) =
    forall x n. x <> null /\ 0 <= n < m1.block_size[x] ->
      m2.accessor[x][n] = m1.accessor[x][n]

end

(** Proof of Schorr-Waite algorithm *)
module SchorrWaite

  use int.Int
  use option.Option
  use set.Fset
  use map.Map
  use map.Const
  use ref.Ref
  use Memory
  use GraphShape

  let black (l: loc) : bool
    requires { l <> null }
    reads { memo }
    ensures { result <-> black memo.colors[l] }
  = match get_color l with White -> false | _ -> true end

  exception Stop

  let schorr_waite (root: loc) (ghost graph: fset loc) : unit
    (** Root belong to graph (note: for simplicity, the graph set
        may (and likely does) contain the null pointer. *)
    requires { mem root graph }
    (** Graph is closed by following edges *)
    requires { forall l n.
      mem l graph /\ l <> null /\ 0 <= n < memo.block_size[l] ->
      mem memo.accessor[l][n] graph }
    writes { memo.accessor, memo.colors }
    (** The graph starts fully unmarked. *)
    requires { forall x. mem x graph -> not black memo.colors[x] }
    (** The graph structure is left unchanged. *)
    ensures { unchanged (old memo) memo }
    (** Every non-null location reachable from the root is marked black. *)
    ensures { forall x. path (old memo) root x /\ x <> null ->
      black memo.colors[x] }
    (** Every other location is left with its previous color. *)
    ensures { forall x. not path (old memo) root x /\ x <> null ->
      memo.colors[x] = (old memo).colors[x] }
  =
    label I in
    let t = ref root in
    let p = ref (null ()) in
    (** Schorr-Waite loop body. *)
    let body () : unit
      (** Loop body specification: mindlessly repeat the underlying code. *)
      requires { !p <> null /\ (!t = null \/ black memo.colors[!t]) ->
        match memo.colors[!p] with
        | Black (Some m) -> 0 <= m < memo.block_size[!p]
        | _ -> false
        end }
      ensures { old (!p <> null \/ (!t <> null /\ not black memo.colors[!t])) }
      ensures { old (!t <> null /\ not black memo.colors[!t] /\
                     memo.block_size[!t] = 0) ->
        memo.colors = old memo.colors[!t <- Black None] /\
        !t = old !t /\ !p = old (!p) /\ memo.accessor = old memo.accessor
      }
      ensures { old (!t <> null /\ not black memo.colors[!t] /\
                     memo.block_size[!t] > 0) ->
        memo.colors = old memo.colors[!t <- Black (Some 0)] /\
        !t = old memo.accessor[!t][0] /\ !p = old (!t) /\
        memo.accessor = old memo.accessor[!t <- memo.accessor[!t][0 <- !p]] }
      ensures { old (!t = null \/ black memo.colors[!t]) ->
        match old (memo.colors[!p]) with
        | Black (Some m) ->
            let n = m + 1 in
            if n = old (memo.block_size[!p])
            then
              !t = old (!p) /\ !p = (old memo.accessor[!p])[m] /\
              memo.colors = old (memo.colors) /\
              memo.accessor =
                (old memo.accessor)[old !p <-
                                    (old memo.accessor[!p])[m <- old !t]]
            else !p = old !p /\ !t = (old memo.accessor[!p])[n] /\
              memo.colors = (old memo.colors)[old !p <- Black (Some n)] /\
              let pi = (old memo.accessor[!p])[m] in
              memo.accessor =
                (old memo.accessor)[old !p <-
                         (old memo.accessor[!p])[n <- pi][m <- old !t]]
        | _ -> false
        end }
      raises { Stop -> old(!p = null /\ (!t = null \/ black memo.colors[!t])) /\
        memo.colors = old memo.colors /\ memo.accessor = old memo.accessor }
    = (** Minor modification to the loop: it exits by exception.  *)
      if is_null !p && (is_null !t || black !t) then raise Stop;
      if is_null !t || black !t then begin
        match get_color !p with
        | Black (Some m) ->
            let s = get_block_size !p in
            let n = m + 1 in
            if n = s then begin (* Pop *)
              let q = !t in
              t := !p;
              p := get_acc !p m;
              set_acc !t m q
            end else begin (* Swing *)
              let q = !t in
              t := get_acc !p n;
              set_acc !p n (get_acc !p m);
              set_acc !p m q;
              set_color !p (Black (Some n))
            end
        | _ -> absurd
        end
      end else
        let s = get_block_size !t in
        if s = 0 then (* Mark & continue *) set_color !t (Black None)
        else begin (* Mark & Push *)
          let q = !p in
          p := !t;
          t := get_acc !t 0;
          set_acc !p 0 q;
          set_color !p (Black (Some 0))
        end
    in
    let rec aux (ghost gray:fset loc) : unit
      (* DFS invariant *)
      requires { well_colored_on graph gray (memo at I) memo.colors }
      requires { mem !t graph }
      (* Non-marked nodes have unchanged structure with
          respect to the initial one. *)
      requires { forall x n.
        x <> null /\ not black memo.colors[x] /\ 0 <= n < memo.block_size[x] ->
        memo.accessor[x][n] = (memo.accessor at I)[x][n] }
      (* 'stack frames' are maintained correctly *)
      ensures { !t = old !t /\ !p = old !p }
      (* Pointer buffer is left unchanged *)
      ensures { unchanged (old memo) memo }
      (* Maintain DFS invariant *)
      ensures { well_colored_on graph gray (memo at I) memo.colors }
      (* The top node get marked *)
      ensures { black memo.colors[!t] \/ !t = null }
      (* May not mark unreachable node, neither change marked node. *)
      ensures { forall x.
        x <> null -> not path (memo at I) !t x \/ black (old memo.colors)[x] ->
        memo.colors[x] = (old memo.colors)[x] }
      (* Never 'exit' the loop during the recursive calls *)
      raises { Stop -> false }
      (* Terminates because there is a limited number of 'grayable' nodes. *)
      variant { cardinal graph - cardinal gray }
    = label J in
      if is_null !t || black !t then () else begin
        let s = get_block_size !t in
        let ghost g2 = add !t gray in
        assert { path (memo at I) !t !t };
        body (); (* Either push or mark & continue. *)
        if s <> 0 then begin
          for i = 0 to s - 2 do (* Over all sub-blocs... *)
            (* DFS invariant. *)
            invariant { well_colored_on graph g2 (memo at I) memo.colors }
            (* Current stack frame invariants *)
            invariant { !p = !t at J }
            invariant { !t = (memo.accessor at I)[!p][i] }
            invariant { memo.colors[!p] = Black (Some i) }
            invariant { forall j. 0 <= j < s /\ j <> i ->
              memo.accessor[!p][j] = (memo.accessor at J)[!p][j] }
            invariant { memo.accessor[!p][i] = !p at J }
            (* Outside structure is unchanged. *)
            invariant { forall l n.
              l <> null /\ l <> !p /\ 0 <= n < memo.block_size[l] ->
              memo.accessor[l][n] = (memo.accessor at J)[l][n] }
            (* All nodes under !p & before i are either null or marked black. *)
            invariant { forall j. 0 <= j < i ->
              let l = memo.accessor[!p][j] in l = null \/ black memo.colors[l] }
            (* Unreachable/pre-marked blocks do not change. *)
            invariant { forall l. l <> null ->
              not path (memo at I) !p l \/ black (memo.colors at J)[l] ->
                memo.colors[l] = (memo.colors at J)[l] }
            label K in
            aux g2; (* Explore sub-bloc. *)
            body (); (* Swing to next sub-bloc. *)
            assert { !t = (memo.accessor at K)[!p][i+1]
              = (memo.accessor at J)[!p][i+1] }
          done;
          aux g2; (* Explore last sub-bloc. *)
          body (); (* Pop. *)
        end
      end in
    try aux (ghost empty); (* Explore main bloc *)
        body (); (* Exit *)
        absurd; (* Done. *)
    with Stop ->
      (* Need induction to recover path-based specification. *)
      assert { forall x y m. m = memo at I /\ x <> null /\ y <> null /\
        mem x graph /\ black memo.colors[x] ->
        ([@induction] path m x y) -> black memo.colors[y] }
    end

end
why3-1.6.0/examples/schorr_waite_via_recursion/000077500000000000000000000000001440160026300216435ustar00rootroot00000000000000why3-1.6.0/examples/schorr_waite_via_recursion/why3session.xml000066400000000000000000000425721440160026300246750ustar00rootroot00000000000000






 
 
  
  
  
  
  
  
 
 
 
 
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
   
   
    
    
    
   
   
   
   
    
    
    
   
   
  
  
  
  
  
  
  
  
  
  
  
 
 



why3-1.6.0/examples/schorr_waite_via_recursion/why3shapes.gz000066400000000000000000000225521440160026300243110ustar00rootroot00000000000000}nIzC/8" fy,)ȒUs{9)%ݑ-{mzOW_? kvomߟo޴>x;qNMX<ßzjt+/¥r~~=Fz.oOO-*pE*?	բ|O?.nǡ^!mJ(Kk>W9HMڷULo;*;L7>-ϟ?us'Z
`kKm0>fǷTKd
q'x=_++w?IH9bb.)vF@~F/"H'}i?\zs&d0m0dL$LR`Ku<~[;lBݯ~^])pbq'g
ܩ;gwjS)pb	sehF7d9hhV7m)ѪXV?_Vh=eh+pMJ6V,.7H&y٧1m
7;n=qU=:{z\T(٣|=٣y80,afOaρ3{fԝZ(I	C;^ߴ.]*ߴ|joNo^o"t7*pp()]J0LQlrwQq)kb3\men6nﴛJۥ.2ܦE-8{dud ˆ댪Y-1@%'aW]mvfEk0yVP;>S-vڕkW/W/ޮQ*
E@JmT6i6&(|X}
7(qXcVJk﮽D{iVMnOHYI
n.mU]JsHYm/畛ra=A#e)r8{d=y^Dyu9˘],4gr8̱(
?\GG
NW@}avVqcAH;w1ryݝr^HSߕv&FnCjLX^p2Ӱ킲7|lw#Q
>owUbW͵0״GPrLG55fט]c$&1-wْ]d.D}!Z)SYlHs+׮\r\ŎTw|JOumBbb%xpmfQ'S[[ve{n3Ͳ4u'Yg%}Vrc|P>+Yt,Y?>h51/vt-yѵ]KnDl]Kѵ9Lk2V-2osqn}F:se8蠐
ہ, oCAʃj9~P!n7]v,Yg{W3fלgW]}Sbq%F)Y)Tie٢uA'拍bJ|7'CQaT@R}]tw۴?k]?TO)ӗ6qKm3?ۻՅm/-ί*__EWί\]#_ȗKɈ|pDMKze}Esrϩ8\RSU9UϩSM#^Eۅ猐"S1{U3\g7!|D89^//N>ihCx	G"Wu%(䔻&qIEv]vAGyzNfq>Pò$ԏe]v1:WVԙ(oW(K.]tyÝr'oTv8-e(
_uS]luEAsB

*eK):vӎ2^ïMWA|XqC\O}q"4;#X"3$Lmr$-OWtLP/`,[,TΘxHYa@~2Uyl@/*Ng	V.	RLjLp:GL3IO~Go>~OۏYPJ./[U7V'wa؅a.qPydYvya*M>4 j*ghT|#EQeLř#5)uD=UGuQlQ_{Xsjc4fGaQ!/3\螡qXyP17962DM5U)e@%ZAؙbi:EcC,xD(.F$8.^%-k\tSK8Te
}o~Jo(}Jg(1@5˶a?ԆAw	~)#!.RYs'@I븫!)x9e*EG9JUq<̃TZ&#kC\q(1d/3G8IJ$S8iUSWNiU}>cZUgӪ|$n5d*BF4%3
}yx$V'px()xgR.?;YLDZQP(o:f2<'{N&zNfs2Aͦds25 g9d9dLs2s2dӆd}r[{/*눴_5[łhd
)EaPX.%gdIi.pNvU0$B7(1
[-yf{>ZUK1p|lUo*M=z^~^:Qyzii?u45dwQKbd@7uƈ445#ir#i4S<ݽ.`(Oi<~{aĶ=lĮJAVЧ.(⩂"7E/(kyZPD&(rCP.(t#QoVɛ`uEBbu2Qra[$kx`v[8ֶ 8:nAvU2^@ /[ ngmAΝ`z܂/Gy|[+8"SZcö@Cf?S;,S?z3>?>#΂?OGypFω'. 0AX%K43a\֯ݎS?'$<$1ymrB`yfk63B9R	WY!1L^M'gd9'wkAL
\'sZxΟ\JWx.*jO%tiW"/@	?dSBuK{SUeD47Uh.?_-'8izii?q4
pO.
WGU?Oܰ
{3[/ڄʭml+$׃+®Fjk$L]"v%JDs??MK./G"hx?	@3~VE?>XǛ!vׄ]vMx-pja]"vx^
ŕSsB
+E+D<+D0qMbŏ˃()@z%\"7%E/)I
IsKby`U:Nּ?a22(Ťp,sER"q<)k(Q%e:V.Ueg+5ik3+[VҲhE-!%ou`s0jgԅwn\~<*7Ie(صTWEerhC\&_vbk!{,pkBCߪef
rM-S/<//K8E=pi\SF	2m8Obe)R](n`(DUN6]eo*]f,!XIwY_bf`gvba);DɎhNut#_IsѬ]JL9RYI?8YU!OPݒ#
>"VŔ2}$xlSo*yEc=+orQc9]G䲜)B<0S}GnꄇeaɊ\d6MfgGYId^H„tC8	0dCv\B&">HbTsy!n.єtSI;
9grguT7azRr<Ȏ7SE`$9[
"f%&[\c)L#A#`4%27.;M#{JфDeCKDܘ2hoj9$ 'd:$WiK?,tkC1	ߞF:|q!*l8kcYtD:tS#=Jz.o`HWa
H%Ղt;PvA9y!1_SIED4>W1GJ8Qs'g~ə3)RET~~Y>k%PVȰJyA7WZ	(WC+rX	r_	QV\M>Ʀa4b`cnĸq̨+F5^j-}Ze;5oXCnzz:ƽtzioD3G!;>Hanu{܉7'!qȅUӠ#MGKsvUJ0k#Wmsֵz2#*bzᄖ}=PhoJ'{I.G>vRYc#}3aƑ9#fUr?:ƴN1s6H޻vB^Mid~d洝<2%!΢:߫:|tUӏO+&N=K7NwK?1}/&Qэ
oQ8M$,kҪ\	?i&pCjFIww޺ONͅLЪQs'tݤGSN*%X3(ˎ[0I'[Ġ8Vh5hM޺K4Z&l@i`,hvRwjtbr٦EiГzӏNӕokw[]0	#4ϔehI(a$*;i3ٖwxh%o6@c@'L[	4BUg$SnjìD5)?bBnv`!Hp+xibfù:Zn JZfFvݤ'~42;rۄjpgO,F|
t0B”Daʥ2>Xߊɨn&ҞnҍjD!
-.뱇BW$֍}=K	A
cs	j=SQu?Q)6`BOs+10`œУX-Guh{@IY('TlH!i44-@@pZeluԢ
r]:|j9zъ[tlh$rHnʝw-t˺	氷=)说}ѮFVszd(j{Ոli;&\G32<,s/5j9DR6x1	!ԟ,{0!a
ݢdk_5sSl6]	zTyB}=
2<9YMQMPE0˒LN
aa1@M5`1sA6YKv!x:ԡF!׬c@&9(@ɮ8ی)0LN\I=G|05̪L8{YidaIuwhy3-1.6.0/examples/schorr_waite_with_ghost_monitor.mlw000066400000000000000000000225301440160026300234440ustar00rootroot00000000000000
(** proof of Schorr-Waite algorithm using a ghost monitor

The C code for Schorr-Waite is the following:

typedef struct struct_node {
  unsigned int m :1, c :1;
  struct struct_node *l, *r;
} * node;

void schorr_waite(node root) {
  node t = root;
  node p = NULL;
  while (p != NULL || (t != NULL && ! t->m)) {
    if (t == NULL || t->m) {
      if (p->c) { /* pop */
	node q = t; t = p; p = p->r; t->r = q;
      }
      else { /* swing */
	node q = t; t = p->r; p->r = p->l; p->l = q; p->c = 1;
      }
    }
    else { /* push */
      node q = p; p = t; t = t->l; p->l = q; p->m = 1; p->c = 0;
    }
  }
}

The informal specification is

- the graph structure induced by pointer `l` and `r` is restored into its original shape
- assuming that initially all the nodes reachable from `root` are unmarked (m is 0) then
  at exit all those nodes are marked.
- the nodes initially unreachable from `root` have their mark unchanged

*)

(** Component-as-array memory model, with null pointers *)
module Memory

  use int.Int
  use option.Option

  (** Memory locations *)
  type loc

  (** null pointer *)
  val constant null : loc

  (** pointer equality *)
  val (=) (l1 l2:loc) : bool
    ensures { result <-> l1 = l2 }

  type memory = abstract {
    mutable left  : loc -> loc;
    mutable right : loc -> loc;
    mutable mark  : loc -> bool;
    mutable color : loc -> bool;
  }

  predicate update (m1 m2:loc -> 'a) (l:loc) (v:'a) =
    m1 l = v /\ forall x. x<>l -> m1 x = m2 x

  (** Global instance for memory *)
  val heap : memory

  (** Getters/setters for pointers *)
  val get_l (l:loc) : loc
    requires { l <> null }
    reads { heap }
    ensures { result = heap.left l }
  val get_r (l:loc) : loc
    requires { l <> null }
    reads { heap }
    ensures { result = heap.right l }
  val get_m (l:loc) : bool
    requires { l <> null }
    reads { heap }
    ensures { result = heap.mark l }
  val get_c (l:loc) : bool
    requires { l <> null }
    reads { heap }
    ensures { result = heap.color l  }
  val set_l (l:loc) (d:loc) : unit
    requires { l <> null }
    writes { heap.left }
    ensures { update heap.left (old heap.left) l d }
  val set_r (l:loc) (d:loc) : unit
    requires { l <> null }
    writes { heap.right }
    ensures { update heap.right (old heap.right) l d }
  val set_m (l:loc) (m:bool) : unit
    requires { l <> null }
    writes { heap.mark }
    ensures { update heap.mark (old heap.mark) l m }
  val set_c (l:loc) (c:bool) : unit
    requires { l <> null }
    writes { heap.color }
    ensures { update heap.color (old heap.color) l c }

end



(** Define notions about the memory graph *)
module GraphShape

  use int.Int
  use set.Fset
  use Memory

  (** Edges *)
  predicate edge (m:memory) (x y:loc) =
    x <> null /\ (m.left x = y \/ m.right x = y)

  (** Paths *)
  inductive path memory (x y:loc) =
    | path_nil : forall m x. path m x x
    | path_cons : forall m x y z. edge m x y /\ path m y z -> path m x z

  (** DFS invariant. For technical reason, it must refer to different parts
     of the memory at different time. The graph structure is given
     via the initial memory `m`, but the coloring is given via the current one `mark`. *)
  predicate well_colored_on (graph gray:fset loc) (m:memory) (mark:loc -> bool) =
    subset gray graph /\
    (forall x. mem x gray -> mark x) /\
    (forall x y. mem x graph /\ edge m x y /\ y <> null /\ mark x ->
      mem x gray \/ mark y)

  (** Unchanged_structure only concerns the graph shape, not the marks *)
  predicate unchanged_structure (m1 m2:memory) =
    forall x. x <> null ->
      m2.left x = m1.left x /\ m2.right x = m1.right x

end




module SchorrWaite

  use int.Int
  use set.Fset
  use ref.Ref
  use Memory
  use GraphShape

  let schorr_waite (root : loc) (ghost graph : fset loc) : unit
    requires { (** Root belong to graph *)
      mem root graph }
    requires { (** Graph is closed by following edges *)
      forall l. mem l graph /\ l <> null ->
        mem (heap.left l) graph /\ mem (heap.right l) graph }
    writes { heap }
    requires { (** The graph starts fully unmarked. *)
      forall x. mem x graph -> not heap.mark x }
    ensures  { (** The graph structure is left unchanged. *)
      unchanged_structure (old heap) heap }
    ensures  { (** Every non-null location reachable from the root is marked. *)
      forall x. path (old heap) root x /\ x <> null ->
        heap.mark x }
    ensures { (** Every other location is left with its previous marking. *)
      forall x. not path (old heap) root x /\ x <> null ->
        heap.mark x = (old heap.mark) x }

=
  (* Non-memory internal state *)
  let pc = ref 0 in
  let t = ref null in
  let p = ref null in

  (** step function for low-level Schorr-Waite algorithm
  L0:
  node t = root;
  node p = NULL;
  while L1: (p != NULL || (t != NULL && ! t->m)) {
    if (t == NULL || t->m) {
      if (p->c) { /* Pop */
        node q = t; t = p; p = p->r; t->r = q;
      }
      else { /* Swing */
        node q = t; t = p->r; p->r = p->l; p->l = q; p->c = 1;
      }
    }
    else { /* Push */
      node q = p; p = t; t = t->l; p->l = q; p->m = 1; p->c = 0;
    }
  }
  L2:
  *)
  let step () : unit
    requires { 0 <= !pc < 2 }
    writes   { pc,t,p,heap }
    ensures  { old (!pc = 0) -> !pc = 1 /\ !t = root /\ !p = null /\ heap = old heap }
    ensures  { old (!pc = 1 /\ not(!p <> null \/ (!t <> null /\ not heap.mark !t))) ->
      !pc = 2 /\ !t = old !t /\ !p = old !p /\ heap = old heap }
    ensures  { old (!pc = 1 /\ (!p <> null \/ (!t <> null /\ not heap.mark !t))) ->
      !pc = 1 /\
      ( old ((!t = null \/ heap.mark !t) /\ heap.color !p) -> (* Pop *)
         (* q = t *) let q = old !t in
         (* t = p *) !t = old !p /\
         (* p = p->r *) !p = old (heap.right !p) /\
         (* t->r = q (t is old p here!) *) update heap.right (old heap.right) (old !p) q /\
         heap.left = old (heap.left) /\
         heap.mark = old (heap.mark) /\
         heap.color = old (heap.color) )
       /\
       ( old ((!t = null \/ heap.mark !t) /\ not heap.color !p) -> (* Swing *)
         (* q = t *) let q = old !t in
         (* p unchanged *) !p = old !p /\
         (* t = p->r *) !t = old (heap.right !p) /\
         (* p->r = p->l *) update heap.right (old heap.right) !p (old (heap.left !p)) /\
         (* p->l = q *) update heap.left (old heap.left) !p q /\
         (* p->c = 1 *) update heap.color (old heap.color) !p true /\
         heap.mark = old (heap.mark) )
       /\
       ( old (not (!t = null \/ heap.mark !t)) -> (* Push *)
         (* q = p *) let q = old !p in
         (* p = t *) !p = old !t /\
         (* t = t -> l *) !t = old (heap.left !t) /\
         (* p->l = q (p is old t here!) *) update heap.left (old heap.left) (old !t) q /\
         (* p->m = 1 *) update heap.mark (old heap.mark) !p true /\
         (* p->c = 0 *) update heap.color (old heap.color) !p false /\
         heap.right = old (heap.right) )
      }
  =
    if !pc = 0 then (t := root; p := null; pc := 1)
    else if !pc = 1 then
      if !p <> null || (!t <> null && not(get_m(!t)))
      then begin
        if !t = null || get_m(!t) then
        if get_c !p then (* Pop *)
          let q = !t in t := !p;  p := get_r !p; set_r !t q; pc := 1
        else (* Swing *)
          let q = !t in t := get_r !p; set_r !p (get_l !p); set_l !p q; set_c !p true; pc := 1
        else (* Push *)
          let q = !p in p := !t; t := get_l !t; set_l !p q; set_m !p true; set_c !p false; pc := 1
       end
      else pc := 2
    else absurd
  in
  let ghost initial_heap = pure {heap} in (* Copy of initial memory *)
  let rec recursive_monitor (ghost gray_nodes: fset loc) : unit
      requires { !pc = 1 }
      requires { mem !t graph }
      requires { (* assume DFS invariant *)
        well_colored_on graph gray_nodes initial_heap heap.mark }
      requires { (* Non-marked nodes have unchanged structure with respect
                    to the initial one *)
        forall x. x <> null /\ not heap.mark x ->
          heap.left x = initial_heap.left x /\ heap.right x = initial_heap.right x }

      ensures { !pc = 1 }
      ensures { !t = old !t /\ !p = old !p }
      ensures { (* Pointer buffer is overall left unchanged *)
        unchanged_structure (old heap) heap }
      ensures { (* Maintain DFS invariant *)
        well_colored_on graph gray_nodes initial_heap heap.mark }
      ensures { (* The top node get marked *)
        !t <> null -> heap.mark !t }
      ensures { (* May not mark unreachable nodes,
                   neither change marked nodes. *)
        forall x. x <> null ->
          not path initial_heap !t x \/ old heap.mark x ->
          heap.mark x = (old heap.mark) x /\
          heap.color x = (old heap.color) x
      }
      (* Terminates because there is a finite number of 'grayable' nodes. *)
      variant { cardinal graph - cardinal gray_nodes }
    = if !t = null || get_m !t then () else
      let ghost new_gray = add !t gray_nodes in
      step (); (* Push *)
      recursive_monitor new_gray; (* Traverse the left child *)
      step (); (* Swing *)
      recursive_monitor new_gray; (* Traverse the right child *)
      step () (* Pop *)
    in
    step (); (* Initialize *)
    recursive_monitor empty;
    step (); (* Exit. *)
    assert { !pc = 2 };
    (* Need induction to recover path-based specification. *)
    assert { forall x y. ([@induction] path initial_heap x y) ->
        x <> null /\ y <> null /\ mem x graph /\ heap.mark x ->
        heap.mark y }

end
why3-1.6.0/examples/schorr_waite_with_ghost_monitor/000077500000000000000000000000001440160026300227215ustar00rootroot00000000000000why3-1.6.0/examples/schorr_waite_with_ghost_monitor/why3session.xml000066400000000000000000000270511440160026300257460ustar00rootroot00000000000000







 
 
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
   
   
   
   
   
   
  
  
  
  
  
  
  
  
  
  
  
 
 



why3-1.6.0/examples/schorr_waite_with_ghost_monitor/why3shapes.gz000066400000000000000000000132521440160026300253640ustar00rootroot00000000000000]]o8}ׯ?m`.0rk1$pCJ\;IuEJ,V9U$%?v?_}o
×!)q}?|Zq|_\ߺ+w{ŧs\7$B_~⪲Zq~rިo~AWwpw!7F9~ܰC8DݣGtҩpL
W7GWͧﻏ{"IH
h(BB8Md6 DժU/zw];tz>JZL-
Ѳ<6/0GΞ"P~YxR\: \_H+L炧_É}яzi֟xYPYuηP	꼄:_A0JZIElM-jItGx/43ݚ&stO|O
ӣ㏱n8H'qpl	BnBoB'Х[=.5Ƌ$3kzf['$s?zLr?SqS
/A{*WdQ繪,sam.,S.,\Xs
]=D!8D!Pٟ-8mtO%?
ô5"4iᓒTYsS&r/I$U$UI\'KL3'O\_S}!qF$q̡(bo/C}33M6&Wip/%䧨d9)&?vSOYN~&?@=
wJ;?;9xÙ`%*A`P6y8)`gLd(CV!Wp?p*NU	8Sngl	8E<8nҒ/1XzA4pLHAلˌGKsDmM*%&gҀ*PmR$TIh&s*TN8g2Cp\-ٮoֈj,Rvr-Ig,ٳ""jyQgyЛ()LgЋYbI/KYZ8₌[HA|'9eL6x^ו^̺Ҟ/ƖvƢm5;f4*^!tHթ:"CbrAC"w:>>2S_2EY3s^fr/STLQLQZgKS&	g=Z9rH!0ۗl5M[9agL9=0+>7͊O}R僬p?x!nO/]8!<9{&YoNqGRtړȬ$2]f)f">~'4uwN
v?Mu>kQգhohow9{o=%d<-ΊrMn+aooq<*QTx9l)obfHb~lOZ&cMeMX֬kOo?܏O.Ig>_xTB!>(7}>(
exy؍qAۿ[$
憤αH;zo|2Xr-ޖlK[ra"ϔ0qd}E3\/hǙN/z2.6.Lw޻l.K]~QXb|5~|r磡ıZe[t
9α'F{+e:z|dJ?BfO'~!y'rX
f]vdѽ]9){(Li9Hʶveɮ+]ašJ5|8p9j5YiLw&4Qcn(Of,-4CW֟mvy0|Z2vW:Ytn-':7rdJkc>7|RWȪRlOBd'z}+*JrO`U
F'UqxsC
OYo4b5Jsˉ́	:


g؝B6h/	^t3Ɠ/qX8FO-*[lK{la2[{睦{)9CqT*MDk|AةZ牾NQ>
ۑaH4MHլzڵT*k;=Z «tdbл_3&Sp;۶@WPK;	2I8є(w`dpD-:(/<lC-Up[F!k:ն`;rنiJ0KWpiI`n&﹑Top!A)jSCnF7šfٳ6`08Ѣ:N>^G>Vf݆'̩
CʉPj<5hEw	@Za!ԀIv	B'MG-ӂXo@B[k	VP,jIHZ#_ q Vuh.pFK{{՝RP5sj5|@oZCPOS@6i(3@)DP)HCcRfΩ޻@tR6 Ri`mJPEm~9ع- YN!Ңnodڇ}4(hjf$n"FI岐)Pb=T퀐uCۤ!Rs)h6/rh8@F"Pe=rzz@g]iM+Xۅ JQxZlYL8G*@7H@:]
{CoMȿ@\0vA@0HĮ*
oB5xd!R8aIliW5!]ĻO-f;n a[k1] <= a[k2] }
      (* let min = ref i in *) min := i;
      for j = i + 1 to length a - 1 do
        invariant {
          i <= !min < j && forall k: int. i <= k < j -> a[!min] <= a[k] }
        if a[j] < a[!min] then min := j
      done;
      label L in
      if !min <> i then swap a !min i;
      assert { permut_all (a at L) a }
    done

  let test1 () =
    let a = make 3 0 in
    a[0] <- 7; a[1] <- 3; a[2] <- 1;
    selection_sort a;
    a

  let test2 () ensures { result.length = 8 } =
    let a = make 8 0 in
    a[0] <- 53; a[1] <- 91; a[2] <- 17; a[3] <- -5;
    a[4] <- 413; a[5] <- 42; a[6] <- 69; a[7] <- 6;
    selection_sort a;
    a

  exception BenchFailure

  let bench () raises { BenchFailure -> true } =
    let a = test2 () in
    if a[0] <> -5 then raise BenchFailure;
    if a[1] <> 6 then raise BenchFailure;
    if a[2] <> 17 then raise BenchFailure;
    if a[3] <> 42 then raise BenchFailure;
    if a[4] <> 53 then raise BenchFailure;
    if a[5] <> 69 then raise BenchFailure;
    if a[6] <> 91 then raise BenchFailure;
    if a[7] <> 413 then raise BenchFailure;
    a

end
why3-1.6.0/examples/selection_sort/000077500000000000000000000000001440160026300172565ustar00rootroot00000000000000why3-1.6.0/examples/selection_sort/why3session.xml000066400000000000000000000064271440160026300223070ustar00rootroot00000000000000






 
 
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
 
 
 
 
 
 
 
 
 
 
 



why3-1.6.0/examples/selection_sort/why3shapes.gz000066400000000000000000000037611440160026300217250ustar00rootroot00000000000000Y[k~ׯ[ItUz0Sj&g/ɿOu>؛} 6Rꪮj?ߗOs:_x4-»P僿	*/Ogt\n~{8}wwE)5u%"Ce"*?V*_h|_n\	pS礫@e7.Lvt>''r5>ݫlf#ftUP(?-`r=Y@dWAZxs.2Ǒ!G](vI]H&u/l&aGGΩ3Žm~{ߤ)wp8?zpudI	
f^gåü6x|~L0^׀@n&SF!v]xdmEQ)ȝA9F%
VχtL/D^-{(=K1qEF^p,7@6y&[~jAp‚^ƃ.6]#on
9#	)i@!lodp@lɠyt31hH-tjDɧte/:H|=;xsH<3	5{I7+7\q+yA1)L<@*n]G[G
PjYoozvI~꾕MT+4ak~_qg/'ׁg:p}qBć!OXpN/|n!=O>vvc>½NN-y5|xܭ}%f
I;nt+ٗϊy%`̓+
rIiMk4K$j{4y_)g%k[4}k^ciܼUX`9{lvoXȣÁ	#QB$o^b">E	jYWb9g_^!2/		/&%6{NH'QcIUBʫp _N(#grz{(,P]|@]^f/j7k)\JI{L1OvHc:u`=f&h1IuIlLFr'`fs\~%ٔBE$\dGrN|?Mő)n3
9[eb
*(Nxb2>=0s"`d2\:h(aFGhnd$2#d}m"d4H
dn1n:Cp>c6>Dӌ}G}GL)Ezln}L"Os
ԿEMRhhOv''[U9/*{췗KuKK,-חEܲS(3My㰋
<AY?ԐYnX/,ESWJ uHA]u@Rga^eBf8KVwq,"]d]͹jU5aY&tSϲ
Ykg3F㧢ivFV4mQEΔ[B4068 J(WlobV{#dZAѨa	Aicbpu:XUh휂Rme!%{Nv''$@h.,ƶuNFkQRijlh4J8
HMcZhtJ& @Fz7&(V4A["U Sy+&4f[ۚV6*QlLFS`:NFJo}Sgcp04ip;ML
mU	405-{$M	~4%{¡1Qv@Al<ELR{HJ*ZKT[@F c[KP!Q4y٢.BkrP1ieD6
oC%-O\O#why3-1.6.0/examples/sf.mlw000066400000000000000000000070661440160026300153640ustar00rootroot00000000000000
(* Program verification examples from the book "Software Foundations"
   http://www.cis.upenn.edu/~bcpierce/sf/

   Note: we are using int (not nat), so we need extra precondition (e.g. x >= 0)
   Note: we are also proving termination
*)

module HoareLogic

  use int.Int
  use ref.Ref

  (* Example: Slow Subtraction *)

  let slow_subtraction (x: ref int) (z: ref int)
    requires { !x >= 0 }
    ensures { !z = old !z - old !x }
  = while !x <> 0 do
      invariant { 0 <= !x /\ !z - !x = old (!z - !x) } variant { !x }
      z := !z - 1;
      x := !x - 1
    done

  (* Example: Reduce to Zero *)

  let reduce_to_zero (x: ref int)
    requires { !x >= 0 } ensures { !x = 0 }
  = while !x <> 0 do invariant { !x >= 0 } variant { !x } x := !x - 1 done

  (* Exercise: Slow Addition *)

  let slow_addition (x: ref int) (z: ref int)
    requires { !x >= 0 } ensures { !z = old !z + old !x }
  = while !x <> 0 do
      invariant { 0 <= !x /\ !z + !x = old (!z + !x) } variant { !x }
      z := !z + 1;
      x := !x - 1
    done

  (* Example: Parity *)

  inductive even int =
    | even_0 : even 0
    | even_odd : forall x:int. even x -> even (x+2)

  lemma even_noneg: forall x:int. even x -> x >= 0

  lemma even_not_odd : forall x:int. even x -> even (x+1) -> false

  let parity (x: ref int) (y: ref int)
    requires { !x >= 0 } ensures { !y=0 <-> even (old !x) }
  = y := 0;
    while !x <> 0 do
      invariant { 0 <= !x /\ (!y=0 /\ even ((old !x) - !x) \/
                              !y=1 /\ even ((old !x) - !x + 1)) }
      variant { !x }
      y := 1 - !y;
      x := !x - 1
    done

  (* Example: Finding Square Roots *)

  let sqrt (x: ref int) (z: ref int)
    requires { !x >= 0 }
    ensures { !z * !z <= !x < (!z + 1) * (!z + 1) }
  = z := 0;
    while (!z + 1) * (!z + 1) <= !x do
      invariant { 0 <= !z /\ !z * !z <= !x } variant { !x - !z * !z }
      z := !z + 1
    done

  (* Exercise: Factorial *)

  function fact int : int
  axiom fact_0 : fact 0 = 1
  axiom fact_n : forall n:int. 0 < n -> fact n = n * fact (n-1)

  let factorial (x: ref int) (y: ref int) (z: ref int)
    requires { !x >= 0 } ensures { !y = fact !x }
  = y := 1;
    z := !x;
    while !z <> 0 do
      invariant { 0 <= !z /\ !y * fact !z = fact !x } variant { !z }
      y := !y * !z;
      z := !z - 1
    done

end

module MoreHoareLogic

  use int.Int
  use option.Option
  use ref.Ref
  use list.List
  use list.HdTl
  use list.Length

  function sum (l : list int) : int = match l with
  | Nil -> 0
  | Cons x r -> x + sum r
  end

  val head (l:list 'a) : 'a
    requires { l<>Nil } ensures { Some result = hd l }

  val tail (l:list 'a) : list 'a
    requires { l<>Nil } ensures { Some result = tl l }

  let list_sum (l: ref (list int)) (y: ref int)
    ensures { !y = sum (old !l) }
  = y := 0;
    while not (is_nil !l) do
      invariant { length !l <= length (old !l) /\
                  !y + sum !l = sum (old !l) }
      variant { !l }
      y := !y + head !l;
      l := tail !l
    done

  use list.Mem
  use list.Append

  type elt
  val predicate eq (x y: elt)
    ensures { result <-> x = y }

  (* note: we avoid the use of an existential quantifier in the invariant *)
  let list_member (x : ref (list elt)) (y: elt) (z: ref int)
    ensures { !z=1 <-> mem y (old !x) }
  = z := 0;
    while not (is_nil !x) do
      invariant { length !x <= length (old !x) /\
                  (mem y !x -> mem y (old !x)) /\
                  (!z=1 /\ mem y (old !x) \/
                   !z=0 /\ (mem y (old !x) -> mem y !x)) }
      variant { !x }
      if eq y (head !x) then z := 1;
      x := tail !x
    done

end
why3-1.6.0/examples/sf/000077500000000000000000000000001440160026300146325ustar00rootroot00000000000000why3-1.6.0/examples/sf/why3session.xml000066400000000000000000000051471440160026300176610ustar00rootroot00000000000000







 
 
 
 
 
 
 
 
 
 
 
  
  
  
  
  
  
  
 
 
 
 
  
  
  
  
  
  
  
 
 
 
 
 
 
 
 
 
 
 


 
 
 
 
 
 



why3-1.6.0/examples/sf/why3shapes.gz000066400000000000000000000026011440160026300172710ustar00rootroot00000000000000V[kcG~?om#ͽ4`0Cy
s;]$.__̹>$#OWG)WۿRmie6wH}W{!R_$Eium5P FPDdM;vO8^-G.^$5t}wtbۖiofnnX_otpD00䜱eZ3bTeb.2	Β]ycBz<N}OuOuOHy]ȼt1
#kݤOV={0p=0R"\^2cAe.*@ZZ,yuS}|87wu&7Zt]>nTuB?WY,ߴ&s[L@ 'u@Dg9Y5~)/36U5;N=bzk,Y7o?awJf6{́u2ݰD^9-r*N&j1Ʌ2yfE\;(sK@o53	/\4*~URAö)bb
SCXa]):,)ܺ1j]PfUf@5JL
'(zS
j\(]tn%!s`\2_&Y:gZ>mk;ì|?{*Jw|{Sj΢+L??O_{=edؿY;=z(V70L䚲|Rm+Icc|펏/;eἭCTP嫱	ŝ=ll\پ`{5=O~|<7jեoszW~L_yRAˣ!.xq5Yd}ϳbemeVlgQK9]ȑcs4ahͅ:cs;.WozT;cڋZrN5fdLw3m iL$GUNQiN⾺.Gt>4̘%ע)y..!%g`K4 :*ng18lcQ{>FB31v(JnD#:usrB-&VzcnvCҩA5sVm@VQ%NX	't1-O]q+d0+s@!11?FB
q蠌v]0;IjemDAAyQwhy3-1.6.0/examples/sieve.mlw000066400000000000000000000036341440160026300160640ustar00rootroot00000000000000
(** Sieve of Eratosthenes

    Author: Martin Clochard

    See also knuth_prime_numbers.mlw in the gallery.
*)


module Sieve

  use int.Int
  use array.Array
  use ref.Ref
  use number.Prime

  predicate no_factor_lt (bnd num:int) =
    num > 1 /\ forall k l. 1 < l < bnd /\ k > 1 -> num <> k * l

  let incr (r:ref int) : unit
    ensures { !r = old !r + 1 }
  = r := !r + 1

  let sieve (n:int) : (m: array bool)
    requires { n > 1 }
    ensures  { length m = n /\ forall i. 0 <= i < n -> m[i] <-> prime i }
  = let t = Array.make n true in
    t[0] <- false;
    t[1] <- false;
    let i = ref 2 in
    while !i < n do
      invariant { 1 < !i <= n }
      invariant { forall j. 0 <= j < n -> t[j] <-> no_factor_lt !i j }
      variant { n - !i }
      if t[!i] then begin
        let s = ref (!i * !i) in
        let ghost r = ref !i in
        while !s < n do
          invariant { 1 < !r <= n /\ !s = !r * !i }
          invariant { forall j. 0 <= j < n ->
            t[j] <-> (no_factor_lt !i j /\
                      forall k. 1 < k < !r -> j <> k * !i) }
          variant { n - !r }
          t[!s] <- false;
          s := !s + !i;
          incr r
        done;
        assert { forall j. 0 <= j < n /\ t[j] ->
          (forall k l. 1 < l < !i + 1 -> j = k * l /\ k > 1 ->
            (if l = !i then k < !r && false else false) && false) &&
          no_factor_lt (!i+1) j }
      end else assert { forall j. 0 <= j < n /\ no_factor_lt !i j ->
        (forall k l. 1 < l < !i + 1 -> j = k * l /\ k > 1 ->
          (if l = !i then (forall k0 l. 1 < l < !i /\ k0 > 1 /\ !i = k0 * l ->
              j = (k*k0) * l && false) && false
                     else false) && false) && no_factor_lt (!i+1) j };
      incr i
    done;
    assert { forall j. 0 <= j < n /\ no_factor_lt n j -> prime j };
    assert { forall j. 0 <= j < n /\ prime j ->
      forall k l. 1 < l < n /\ k > 1 -> j = k * l -> l >= j && false };
    t

end

why3-1.6.0/examples/sieve/000077500000000000000000000000001440160026300153355ustar00rootroot00000000000000why3-1.6.0/examples/sieve/why3session.xml000066400000000000000000000244261440160026300203650ustar00rootroot00000000000000











 
 
 
 
 
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
   
   
   
   
   
   
    
    
    
   
   
   
   
   
  
  
  
  
  
  
  
  
  
  
   
   
   
   
   
   
    
    
    
   
   
   
   
   
  
  
  
  
  
  
  
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
  
  
  
  
  
  
  
  
  
  
  
  
  
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
  
  
  
  
  
  
  
  
  
  
  
  
  
   
   
    
    
     
     
     
     
     
      
      
       
       
       
      
      
     
     
    
    
   
   
  
  
  
  
   
   
   
   
   
    
    
    
   
   
  
  
  
  
  
 
 



why3-1.6.0/examples/sieve/why3shapes.gz000066400000000000000000000072661440160026300200100ustar00rootroot00000000000000][or~_$6x
,#0|^y=5g^ɑt$>E3#i-kAnŪb?/Ϳ\74˝ow"u=.PZهX]
(wx7\W\w?p{Ƀoo;waWuXJwbg+=_w;Y{vjig
c7龶,5SKE |>?@(6oku͢9P^V!lã;alWm=Y=GK/;嫿>?LJۻ~~`#ggwSX{@Qm0߉X$VikcVдl-77o{Zb?\p!7r0&8<<Z\42WB]VT9<ȞSA.J {xg䒡=˞dPhwiG+Wԟ?~\1b'Wp~sr},+Ξ+Ί-mCvxw}=5L!):`+qB3%9;ǛG8
QmJB)
BLwR$쓀Rt|0ʚ5+kɚ#1^0|TD5ՠ=I#FjЩv4;&kSjTSOQM.F:؂`yT՞P c4'ߑ3 *$Cgަk'ڿť}Stǒ#	!WYYZr5/;0'.!>
ښϺ1mK6}Y`Lpu=
\-;X^9A]5;	Me@yg诊nNwsh7'뢰]M2ܩcOQޅ>j?aol8hσmetpCdG>1{ܞF0$zwy%#9~q]\Lrɵt7BF 55<ɻO<.Oſ0FuDn?V_Ot횋p:rGȅbWBvt޸hqj,Qa;wu_/yG )=s) 
i`g"-ͣN 뻭y!ޤ}~wx|^'	Ohj\YͳӬ\is
'hZiiG}ZչOS֧yZi
1jԴ>0|{b5E;5NK.j~%n1[MsVStj5Ea5BDez>a'(3Z@麋Ⴆ=B,DT}r]:5u+3ofyj+3~@7tq+]S
Qfb6#偩dSQPi3SZ
tE^=;Zj^Tu+D t!k)bYEJ`Ez
(t)
c.
\HZ5H^EdKRaI)Ko/ɓ&gPIUʐ.&yr)BW !*+F:IZ-	ML!*/49z˺|U\b
;T.DSk-іpK%EEEEEEEv
n(͛--phsEbU}tw9h)`	ֱ=,l@쀆}"1A>^JJ]H%7p>-^$(TTas:P@t!V!bYC0X60TpJpFg*eo]egi'f}|21fbI{OB"@bƉ\VBkTbfC8-m,
wL0(x
FQV!ZO$^0*b{{D2+zAA|J,I=#RIL5փI&f50j	ȁQivתU3hE./%l5g󂱃”DȎ45"'R1[@KCUiq!1H{3],jk$s+Xufό(\.Tf97)9qqJDdr^eu`!̡%zN̒MyH4rk_x|1G	elE帔&^/z%)[(NN.RG3Ljc8	L8h`Lps4'Ps"`,a` M+iE9sqR qVi88
F899ya7swhy3-1.6.0/examples/skew_heaps.mlw000066400000000000000000000116201440160026300170740ustar00rootroot00000000000000
(** Skew heaps

    Author: Jean-Christophe Filliâtre (CNRS)
*)

module Heap

  use int.Int

  type elt
  predicate le elt elt
  clone relations.TotalPreOrder with
    type t = elt, predicate rel = le, axiom .

  type t

  function size t : int

  function occ elt t : int

  predicate mem (x: elt) (t: t) = occ x t > 0

  function minimum t : elt

  predicate is_minimum (x: elt) (t: t) =
    mem x t && forall e. mem e t -> le x e

  axiom min_is_min:
    forall t: t. 0 < size t -> is_minimum (minimum t) t

  val constant empty : t
    ensures { size result = 0 }
    ensures { forall e. not (mem e result) }

  val size (t: t) : int
    ensures { result = size t }

  val is_empty (t: t) : bool
    ensures { result <-> size t = 0 }

  val get_min (t: t) : elt
    requires { 0 < size t }
    ensures  { result = minimum t }

  val merge (t1 t2: t) : t
    ensures  { forall e. occ e result = occ e t1 + occ e t2 }
    ensures  { size result = size t1 + size t2 }

  val add (x: elt) (t: t) : t
    ensures  { occ x result = occ x t + 1 }
    ensures  { forall e. e <> x -> occ e result = occ e t }
    ensures  { size result = size t + 1 }

  val remove_min (t: t) : t
    requires { 0 < size t }
    ensures  { occ (minimum t) result = occ (minimum t) t - 1 }
    ensures  { forall e. e <> minimum t -> occ e result = occ e t }
    ensures  { size result = size t - 1 }

end

module SkewHeaps

  use int.Int
  use bintree.Tree
  use export bintree.Size
  use export bintree.Occ

  type elt

  val predicate le elt elt
  clone relations.TotalPreOrder with
    type t = elt, predicate rel = le, axiom .

  (* [e] is no greater than the root of [t], if any *)
  predicate le_root (e: elt) (t: tree elt) = match t with
    | Empty      -> true
    | Node _ x _ -> le e x
  end

  (* [t] is a heap *)
  predicate heap (t: tree elt) = match t with
    | Empty      -> true
    | Node l x r -> le_root x l && heap l && le_root x r && heap r
  end

  function minimum (tree elt) : elt
  axiom minimum_def: forall l x r. minimum (Node l x r) = x

  predicate is_minimum (x: elt) (t: tree elt) =
    mem x t && forall e. mem e t -> le x e

  (* the root is the smallest element *)
  let rec lemma root_is_min (t: tree elt) : unit
     requires { heap t && 0 < size t }
     ensures  { is_minimum (minimum t) t }
     variant  { t }
  = match t with
    | Empty -> absurd
    | Node l _ r ->
        if not (is_empty l) then root_is_min l;
        if not (is_empty r) then root_is_min r
    end

  let constant empty : tree elt = Empty
    ensures { heap result }
    ensures { size result = 0 }
    ensures { forall e. not (mem e result) }

  let get_min (t: tree elt) : elt
    requires { heap t && 0 < size t }
    ensures  { result = minimum t }
  =
    match t with
      | Empty      -> absurd
      | Node _ x _ -> x
    end

  let rec merge (t1 t2: tree elt) : tree elt
    requires { heap t1 && heap t2 }
    ensures  { heap result }
    ensures  { forall e. occ e result = occ e t1 + occ e t2 }
    ensures  { size result = size t1 + size t2 }
    variant  { size t1 + size t2 }
  =
    match t1, t2 with
    | Empty, _ -> t2
    | _, Empty -> t1
    | Node l1 x1 r1, Node l2 x2 r2 ->
       if le x1 x2 then
         Node (merge r1 t2) x1 l1
       else
         Node (merge r2 t1) x2 l2
    end

  let add (x: elt) (t: tree elt) : tree elt
    requires { heap t }
    ensures  { heap result }
    ensures  { occ x result = occ x t + 1 }
    ensures  { forall e. e <> x -> occ e result = occ e t }
    ensures  { size result = size t + 1 }
  =
    merge (Node Empty x Empty) t

  let remove_min (t: tree elt) : tree elt
    requires { heap t && 0 < size t }
    ensures  { heap result }
    ensures  { occ (minimum t) result = occ (minimum t) t - 1 }
    ensures  { forall e. e <> minimum t -> occ e result = occ e t }
    ensures  { size result = size t - 1 }
  =
    match t with
      | Empty      -> absurd
      | Node l _ r -> merge l r
    end

end

(* application *)

module HeapSort

  use array.Array
  use array.ArrayPermut
  use SkewHeaps
  clone export array.Sorted with type elt = elt, predicate le = le, axiom .
  use int.Int
  use ref.Ref
  use map.Occ as M
  use bintree.Occ as H

  let heapsort (a: array elt) : unit
    ensures { sorted a }
    ensures { permut_all (old a) a }
  =
    let n = length a in
    let t = ref empty in
    for i = 0 to n - 1 do
      invariant { heap !t && size !t = i }
      invariant { forall e.
                  M.occ e a.elts i n + H.occ e !t = M.occ e a.elts 0 n }
      t := add a[i] !t;
      assert { M.occ a[i] a.elts i n = 1 + M.occ a[i] a.elts (i+1) n }
    done;
    label I in
    for i = 0 to n - 1 do
      invariant { sorted_sub a 0 i }
      invariant { heap !t && size !t = n - i }
      invariant { forall j. 0 <= j < i -> forall e. mem e !t -> le a[j] e }
      invariant { forall e.
                  M.occ e a.elts 0 i + H.occ e !t = M.occ e (a.elts at I) 0 n }
      a[i] <- get_min !t;
      t := remove_min !t
    done

end
why3-1.6.0/examples/skew_heaps/000077500000000000000000000000001440160026300163535ustar00rootroot00000000000000why3-1.6.0/examples/skew_heaps/why3session.xml000066400000000000000000000211351440160026300213750ustar00rootroot00000000000000











 
 
 


 
 
 
 
 
 
 
 
 
 
 
  
  
  
  
  
  
  
  
  
  
  
  
  
  
   
   
   
   
   
   
   
   
   
   
   
   
  
  
  
  
   
   
   
   
   
   
   
   
   
   
   
   
  
  
  
  
   
   
   
   
   
   
   
   
   
   
   
   
  
  
 
 
 
 
 
 
 
 


 
 
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
 
 



why3-1.6.0/examples/skew_heaps/why3shapes.gz000066400000000000000000000071131440160026300210150ustar00rootroot00000000000000ZY7~_QocF^U@W$vwiKf̪jiv4RPC㋃?ms|wx7>l`7ߧ_0`K_?;A
o=iO{
o
HaŃ-Yv6ʻ9dp{nsp>,)+-IkY&.I"ao@q.5(2Ԙ)염k}Z)/y+b
[H,$MP	%B!RG
!Xk;/(<ʂ{:mu}tBQ
̳&%-\eIS<j<.z&d^k8YGh
LwL}t},]P(G@nECj!Gb{sSpϡsRB{{
8)NvNwn?8tey|y[(.Bzߕ?S9uP.{l!E4Z4^[G]Qe%/3I&\¬eiBm3
Z߾]9l+6nQEFiv~P(Qo6(fa&3M2ahh`GUmNrRuoJ
g]Jo=g<0-kZ;kUֆjZ}B8&=AO8g@w-9!TGP'6ΙKej.M,Q>\hpk֚5SI
3II߾=\PձzT\79F2Zjk隧uIt
o
bVR+:!.U,Dm.[kV6~NMI…rg\,f}GhZ,u5I,m工؀_Y1=jORX0AҺieE݅[|Qf6ONOy:^&מCb>JE)f}YVS6g}}
CzAyԭ@{2i[
	t?m[eKz;-ƅ@'!RO|f#xe:f%;q2L9vӛ|7jZ:`nwSHJ޺'xx8=o	nK%XU=1sx.Fh+:s€Iq7V4=2@D7M	
5:حv1@\ճ]ѳmzAᩝZ)[S?uq9O5yYmtI}am3
ҰȪa1L<#uMײмaV7|`]%CFϐז>+>R\Wlʐߟ³ʹo
|(Ŭ@[(p.fғrjs)II_ԋ?}S]{,Y\"BBeU(4wz7eU 8
6I].m|gj)\$Ef5k=0cx&WJ^A0u>c3W\haU`>axfx

O5jx0xM_b(~PBeK{%y+dv iE0M/
ro)*s(ځה{EW2 ]z^b1]>oQL+WդTwL@&/Rw}Jض۶cSa_gNj){) E VRo7n퀬E'/,-luœnPS
c.<^kwR+'s@BS=3.Vkeޤ+oRF\cO/FJLj]2U5urɠ+Q}n>~0u2D??/>_̫k*H|?q{6qsQҗ%oۺƸQ̟
Deۻ T.
v(g{PX@ۊ%ggTQ3\u!=UuႋiՀ{2Lp~ObC&Q|aSe_v޹p|ϴm|$}^̦'&,EYPe07zgD4hK˰8C~S3Q.R=[AǮ!.L9.#$Db*ꦽ1H
C/xԌe`;章q[KzF(w@SaLx"pfhwNpbk4`G6"-S"ہ݁فށ)NI0żSTWvD-@-r;I`gQq&F&
頸i2'.P쐿L tNJk,"\ȗI8d@3aIsITƃr\[`
VM`*D3:I2hvwҌVjɼd TW+$C@)&4l$j:	Ga438/XFpB)/2:G$#A Nil
    | Node l x r -> tree_elements l ++ Cons x (tree_elements r)
  end

  predicate mem (x: elt) (t: tree) = match t with
    | Empty -> false
    | Node l y r -> mem x l || x = y || mem x r
  end

end

(* Purely applicative iterators over binary trees *)

module Enum

  use Tree

  type enum =
    | Done
    | Next elt tree enum

  function enum_elements (e: enum) : list elt = match e with
    | Done -> Nil
    | Next x r e -> Cons x (tree_elements r ++ enum_elements e)
  end

  let rec enum t e variant {t}
    ensures { enum_elements result = tree_elements t ++ enum_elements e }
  = match t with
    | Empty -> e
    | Node l x r -> enum l (Next x r e)
    end

end

(* Mutable iterators with a Java-like API *)

module Iterator

  use Tree
  use Enum

  type iterator = { mutable it: enum }

  function elements (i: iterator) : list elt = enum_elements i.it

  let create_iterator (t: tree)
    ensures { elements result = tree_elements t }
  = { it = enum t Done }

  predicate hasNext (i: iterator) = i.it <> Done

  let hasNext (i: iterator)
    ensures { result = True <-> hasNext i }
  = match i.it with Done -> False | _ -> True end

  let next (i: iterator)
    requires { hasNext i }
    ensures { old (elements i) = Cons result (elements i) }
  = match i.it with
    | Done -> absurd
    | Next x r e -> i.it <- enum r e; x
    end

end

(* Binary search trees *)

module BSTree

  use export Tree

  predicate lt_tree (x: elt) (t: tree) =
    forall y: elt. mem y t -> y < x

  predicate gt_tree (x: elt) (t: tree) =
    forall y: elt. mem y t -> x < y

  predicate bst (t: tree) =
    match t with
    | Empty -> true
    | Node l x r -> bst l /\ bst r /\ lt_tree x l /\ gt_tree x r
    end

  let rec bst_mem (x: elt) (t: tree)
    requires { bst t } ensures { result=True <-> mem x t } variant { t }
  = match t with
    | Empty ->
        False
    | Node l y r ->
        if x < y then bst_mem x l else x = y || bst_mem x r
    end

  exception Already
    (* bst_add raises exception Already when the element is already present *)

  let rec bst_add (x: elt) (t: tree)
    requires { bst t }
    ensures { bst result /\ not (mem x t) /\
      forall y: elt. mem y result <-> y=x || mem y t }
    raises { Already -> mem x t }
    variant { t }
  = match t with
    | Empty ->
        Node Empty x Empty
    | Node l y r ->
        if x = y then raise Already;
        if x < y then Node (bst_add x l) y r else Node l y (bst_add x r)
    end

end

(* Imperative trees with add/contains/snapshot/iterator API *)

module ITree

  use export BSTree
  use export Iterator

  type itree = { mutable tree: tree } invariant { bst tree }

  let create () = { tree = Empty }

  let contains (t: itree) (x: elt)
    ensures { result=True <-> mem x t.tree }
  = bst_mem x t.tree

  let add (t: itree) (x: elt)
    ensures { (result=False <-> mem x (old t.tree)) /\
      forall y: elt. mem y t.tree <-> y=x || mem y (old t.tree) }
  = try t.tree <- bst_add x t.tree; True with Already -> False end

  let snapshot (t: itree) = { tree = t.tree }

  let iterator (t: itree)
    ensures { elements result = tree_elements t.tree }
  = create_iterator t.tree

end

module Harness

  use ITree

  let test () =
     let t = create () in
     let _ = add t 1 in
     let _ = add t 2 in
     let _ = add t 3 in
     assert { mem 2 t.tree };
     let s = snapshot t in
     let it = iterator s in
     while hasNext it do
       invariant { bst t.tree }
       variant { length (elements it) }
       let x = next it in
       let _ = add t (x * 3) in
       ()
     done

end
why3-1.6.0/examples/snapshotable_trees/000077500000000000000000000000001440160026300201075ustar00rootroot00000000000000why3-1.6.0/examples/snapshotable_trees/why3session.xml000066400000000000000000000047651440160026300231430ustar00rootroot00000000000000






 
 
 


 
 
 
 
 
 
 
 
 


 
 
 
 
 
 


 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 


 
 
 



why3-1.6.0/examples/snapshotable_trees/why3shapes.gz000066400000000000000000000025031440160026300225470ustar00rootroot00000000000000VK6W6p/m׀Y;^+M;|HͦoӣNtZ/saS~:Yt߻%]Y>>:ïTTG!3Ya%=|ö)ߏIAX{|rk7R-,
xxƕ{{‹/?=e#o<Fv؇byx	n
f=S$Ŏw|
)mSHP7򧋾N.
nEd"YA
r؆nsBb"{ϖ`	H*Rm<*r9IfEIsT-e$&`)>/KW ծR{Hn
>Ǹ
-5z]e%UɤE,&A
j3#̬lޕޤlXXV,:F	;9`ۼW%/"lW|e拘ҳp=d/4DX&!2DM+W4
̫4,W(u[d*pWI>IpyVHcqWFmeG27~Q~݆o	3
.M>ÞC-?͚д6SR/^*H]c5_.aqlC,—Yjϵ;Q	[$[ow_NiuH~U[t=l9/w!̀w{eA"ILh<6x3gSΚ,F͢K 'j.Ӂ>{8e|76.mboVԻK.IXbI} M\WS\65KvwI,M)͂*(-ȹfchvVeQ=+ٮhcl6+O3b5]BeeoKҋ}9e\ıܩ)읛c
?èjhY%ÈLQl7~n4׼J^Hbd#?dѱZBMP?dc8&֭+9xl$S\>x0dڴM6$WGC
P1gQa#o1wnaS(ז
why3-1.6.0/examples/sorted_list.mlw000066400000000000000000000007061440160026300173010ustar00rootroot00000000000000(* Find a value in a sorted list of integers *)

module FindInSortedList

  use int.Int
  use list.List
  use list.Mem
  use list.SortedInt

  lemma Sorted_not_mem:
    forall x y : int, l : list int.
    x < y -> sorted (Cons y l) -> not mem x (Cons y l)

  let rec find x l
    requires { sorted l }
    variant { l }
    ensures { result=True <-> mem x l }
  = match l with
    | Nil -> False
    | Cons y r -> x = y || x > y && find x r
    end

end
why3-1.6.0/examples/sorted_list/000077500000000000000000000000001440160026300165555ustar00rootroot00000000000000why3-1.6.0/examples/sorted_list/why3session.xml000066400000000000000000000012741440160026300216010ustar00rootroot00000000000000






 
 
 
 
 
 



why3-1.6.0/examples/sorted_list/why3shapes.gz000066400000000000000000000004221440160026300212130ustar00rootroot00000000000000mPMo +8{bD11kb<5\HIV݊m_dcB޼y
7;_xnfxwZ5AUN i4/F"%P!3(R"٫z\=o.#պs?H^&!cxO+Rg.&"u(%rYMbi]>
A96osi,flݨ 	3N`ZM%3fzn9]YC`Ȼ'{ƾBB`why3-1.6.0/examples/stackify/000077500000000000000000000000001440160026300160375ustar00rootroot00000000000000why3-1.6.0/examples/stackify/smoke_test.mlcfg000066400000000000000000000020201440160026300212200ustar00rootroot00000000000000module C206_U2_Impl
  use Type
  use mach.int.Int
  use prelude.Prelude
  use mach.int.UInt64
  clone CreusotContracts_Std1_Vec_Impl0_Model as Model0 with type t = usize
  let rec ghost function u2 (a : Type.c206_a) : ()
    ensures { true }
   = 
    ()
ends
module ProjectionToggle_Main
  use mach.int.Int32
  let rec cfg main [@cfg:stackify] () : () =
  var _0 : ();
  var _9 : bool;
  var _10 : bool;
  var _11 : int32;
  {
    _10 <- _11 = (15 : int32);
    _9 <- not _10;
    return _0
  }
end
module C217_Ex_Impl
  use seq.Seq

  function tail (self : Seq.seq int) : Seq.seq int =  self[1..]

  let rec ghost function ex (c : Seq.seq int) (a : int) : int
    variant {Seq.length c}

   = ex (tail c) a
end
module ListIndexMut_IndexMut
  type borrowed 'a = { current : 'a ; final : 'a; }
  use mach.int.UInt32
  let rec cfg index_mut [@cfg:stackify] () : borrowed uint32
   =
  var _0 : borrowed uint32;
  var _8 : bool;
  {
    goto BB1
  }
  BB1 {
    switch (_8)
      | False -> return _0
      | True -> absurd
      end
  }
end
why3-1.6.0/examples/stackify/stackify.mlcfg000066400000000000000000000001721440160026300206660ustar00rootroot00000000000000module NestedLoops
use int.Int
let cfg nested_loops [@cfg:stackify]  _x : () =
  var _a : int;
  {
    return ()
  }
 end
why3-1.6.0/examples/stackify/sum.mlcfg000066400000000000000000000046031440160026300176600ustar00rootroot00000000000000module CreusotContracts_Logic_Resolve_Impl2_Resolve_Interface
  type t   
  predicate resolve (self : t)
end
module CreusotContracts_Logic_Resolve_Impl2_Resolve
  type t   
  predicate resolve (self : t) = 
    true
end
module CreusotContracts_Logic_Resolve_Resolve_Resolve_Interface
  type self   
  predicate resolve (self : self)
end
module CreusotContracts_Logic_Resolve_Resolve_Resolve
  type self   
  predicate resolve (self : self)
end
module CreusotContracts_Logic_Resolve_Impl2
  type t   
  clone CreusotContracts_Logic_Resolve_Impl2_Resolve as Resolve0 with type t = t
  clone CreusotContracts_Logic_Resolve_Resolve_Resolve as Resolve1 with type self = t,
  predicate resolve = Resolve0.resolve
end
module Sum_SumFirstN_Interface
  use mach.int.Int
  use mach.int.UInt32
  val sum_first_n [@cfg:stackify] (n : uint32) : uint32
    ensures { result = div (n * (n + (1 : uint32))) (2 : uint32) }
    
end
module Sum_SumFirstN
  use mach.int.Int
  use mach.int.UInt32
  clone CreusotContracts_Logic_Resolve_Impl2_Resolve as Resolve1 with type t = ()
  clone CreusotContracts_Logic_Resolve_Impl2_Resolve as Resolve0 with type t = uint32
  let cfg sum_first_n [@cfg:stackify] (n : uint32) : uint32
    ensures { result = div (n * (n + (1 : uint32))) (2 : uint32) }
    
   = 
  var _0 : uint32;
  var n_1 : uint32;
  var sum_2 : uint32;
  var i_3 : uint32;
  var _4 : ();
  var _5 : ();
  var _6 : bool;
  var _7 : uint32;
  var _8 : uint32;
  var _9 : uint32;
  var _10 : ();
  var _11 : ();
  var _12 : ();
  {
    n_1 <- n;
    goto BB0
  }
  BB0 {
    sum_2 <- (0 : uint32);
    i_3 <- (0 : uint32);
    goto BB1
  }
  BB1 {
    (* invariant loop_bound { i_3 < n_1 + (1 : uint32) };
    invariant sum_value { sum_2 = div (i_3 * (i_3 + (1 : uint32))) (2 : uint32) };
    assume { Resolve0.resolve _7 };
    _7 <- i_3;
    assume { Resolve0.resolve _8 };
    _8 <- n_1;
    _6 <- _7 <= _8; *)
    switch (_6)
      | False -> goto BB3
      | _ -> goto BB2
      end
  }
  BB2 {
    (* assume { Resolve0.resolve _9 };
    _9 <- i_3;
    sum_2 <- sum_2 + _9;
    i_3 <- i_3 + (1 : uint32);
    _5 <- ();
    assume { Resolve1.resolve _5 }; *)
    goto BB1
  }
  BB3 {
    (* assume { Resolve0.resolve n_1 }; *)
    (* assume { Resolve0.resolve i_3 };
    _4 <- (); *)
    assume { Resolve1.resolve _4 };
    (* assume { Resolve0.resolve _0 };
    _0 <- sum_2;
    assume { Resolve0.resolve sum_2 }; *)
    return _0
  }
  
end
why3-1.6.0/examples/stackify/while_loop.mlcfg000066400000000000000000000022151440160026300212120ustar00rootroot00000000000000(*module WhileLoop

type borrowed 'a = { cur: 'a ; fin: 'a }
(*
let cfg f [@cfg:stackify] () : () =
var a : int;
{ a <- 0; return () }
*)

let cfg nested_loops [@cfg:stackify] _x : ()
  diverges
  ensures { true }

=
  var b : borrowed int;
  {
    goto BB0
  }
  BB0 {
    switch (any bool)
    | True -> goto BB1
    | False -> goto BB2
    end
  }
  BB1 {
      b <- { b with cur = 0 };
      goto BB0
  }
  BB2 {
  assert { b.fin = b.cur };
  return ()
  }
end*)

module Decrement_Test
  use mach.int.UInt32
  use mach.int.Int
  use mach.int.Int32

  type borrowed 'a = { cur: 'a ; fin: 'a }

  let cfg test [@cfg:stackify] (x : borrowed uint32) : ()
    ensures { UInt32.to_int (x.fin) = 0 }
   =
  var _0 : ();
  var x_1 : borrowed uint32 = x;
  var _3 : bool;
  var _4 : uint32;
  {
    goto BB0
  }
  BB0 {
    goto BB1
  }
  BB1 {
    invariant x { UInt32.to_int (x_1.cur) >= 0 };
    _4 <-  x_1.cur;
    _3 <- _4 > (0 : uint32);
    switch (_3)
      | False -> goto BB3
      | _ -> goto BB2
      end
  }
  BB2 {
    x_1 <- { x_1 with cur = ( x_1.cur - (1 : uint32)) };
    goto BB1
  }
  BB3 {
    assume { x_1.fin = x_1.cur };

    return _0
  }

end
why3-1.6.0/examples/stackify/while_loop/000077500000000000000000000000001440160026300202005ustar00rootroot00000000000000why3-1.6.0/examples/stackify/while_loop/why3session.xml000066400000000000000000000031261440160026300232220ustar00rootroot00000000000000







 
 
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
 
 



why3-1.6.0/examples/stackify/while_loop/why3shapes.gz000066400000000000000000000007561440160026300226500ustar00rootroot00000000000000QMk0W6R!0^1tk-w7?Iz׼7捾ܳ'h`'6vߘa_3|z1nnDlふ	1m_/RK$|cJnvaMBƌ$CF];ev&݀ K/A=iaϓbnMx_)gqqO8x^4jȧqҪ|+[UoV>&a73Bֹ0+B
.W=Kj/
n:QժmždkT)&5^="Y=i%̝Uy	TZinT@qsh8y͠\EhI."8HnrҔT,E=z/McIhrVztgKWڙI;cӏ!'v RI] J?0why3-1.6.0/examples/stdlib/000077500000000000000000000000001440160026300155035ustar00rootroot00000000000000why3-1.6.0/examples/stdlib/array/000077500000000000000000000000001440160026300166215ustar00rootroot00000000000000why3-1.6.0/examples/stdlib/array/array_ArrayPermut_exchange_permut_sub_1.v000066400000000000000000000215421440160026300270140ustar00rootroot00000000000000(* This file is generated by Why3's Coq driver *)
(* Beware! Only edit allowed sections below    *)
Require Import BuiltIn.
Require BuiltIn.
Require HighOrd.
Require int.Int.
Require map.Map.
Require map.Occ.
Require map.MapPermut.

Axiom array : forall (a:Type), Type.
Parameter array_WhyType : forall (a:Type) {a_WT:WhyType a},
  WhyType (array a).
Existing Instance array_WhyType.

Parameter elts: forall {a:Type} {a_WT:WhyType a}, (array a) -> (Z -> a).

Parameter length: forall {a:Type} {a_WT:WhyType a}, (array a) -> Z.

Axiom array'invariant : forall {a:Type} {a_WT:WhyType a}, forall (self:(array
  a)), (0%Z <= (length self))%Z.

(* Why3 assumption *)
Definition mixfix_lbrb {a:Type} {a_WT:WhyType a} (a1:(array a)) (i:Z): a :=
  ((elts a1) i).

Parameter mixfix_lblsmnrb: forall {a:Type} {a_WT:WhyType a}, (array a) ->
  Z -> a -> (array a).

Axiom mixfix_lblsmnrb_spec : forall {a:Type} {a_WT:WhyType a},
  forall (a1:(array a)) (i:Z) (v:a), ((length (mixfix_lblsmnrb a1 i
  v)) = (length a1)) /\ ((elts (mixfix_lblsmnrb a1 i
  v)) = (map.Map.set (elts a1) i v)).

(* Why3 assumption *)
Definition map_eq_sub {a:Type} {a_WT:WhyType a} (a1:(Z -> a)) (a2:(Z -> a))
  (l:Z) (u:Z): Prop := forall (i:Z), ((l <= i)%Z /\ (i < u)%Z) -> ((a1
  i) = (a2 i)).

(* Why3 assumption *)
Definition array_eq_sub {a:Type} {a_WT:WhyType a} (a1:(array a)) (a2:(array
  a)) (l:Z) (u:Z): Prop := ((length a1) = (length a2)) /\ (((0%Z <= l)%Z /\
  (l <= (length a1))%Z) /\ (((0%Z <= u)%Z /\ (u <= (length a1))%Z) /\
  (map_eq_sub (elts a1) (elts a2) l u))).

(* Why3 assumption *)
Definition array_eq {a:Type} {a_WT:WhyType a} (a1:(array a)) (a2:(array
  a)): Prop := ((length a1) = (length a2)) /\ (map_eq_sub (elts a1) (elts a2)
  0%Z (length a1)).

(* Why3 assumption *)
Definition exchange {a:Type} {a_WT:WhyType a} (a1:(Z -> a)) (a2:(Z -> a))
  (l:Z) (u:Z) (i:Z) (j:Z): Prop := ((l <= i)%Z /\ (i < u)%Z) /\
  (((l <= j)%Z /\ (j < u)%Z) /\ (((a1 i) = (a2 j)) /\ (((a1 j) = (a2 i)) /\
  forall (k:Z), ((l <= k)%Z /\ (k < u)%Z) -> ((~ (k = i)) -> ((~ (k = j)) ->
  ((a1 k) = (a2 k))))))).

Axiom exchange_set : forall {a:Type} {a_WT:WhyType a}, forall (a1:(Z -> a))
  (l:Z) (u:Z) (i:Z) (j:Z), ((l <= i)%Z /\ (i < u)%Z) -> (((l <= j)%Z /\
  (j < u)%Z) -> (exchange a1 (map.Map.set (map.Map.set a1 i (a1 j)) j (a1 i))
  l u i j)).

(* Why3 assumption *)
Definition exchange1 {a:Type} {a_WT:WhyType a} (a1:(array a)) (a2:(array a))
  (i:Z) (j:Z): Prop := ((length a1) = (length a2)) /\ (exchange (elts a1)
  (elts a2) 0%Z (length a1) i j).

(* Why3 assumption *)
Definition permut {a:Type} {a_WT:WhyType a} (a1:(array a)) (a2:(array a))
  (l:Z) (u:Z): Prop := ((length a1) = (length a2)) /\ (((0%Z <= l)%Z /\
  (l <= (length a1))%Z) /\ (((0%Z <= u)%Z /\ (u <= (length a1))%Z) /\
  (map.MapPermut.permut (elts a1) (elts a2) l u))).

(* Why3 assumption *)
Definition permut_sub {a:Type} {a_WT:WhyType a} (a1:(array a)) (a2:(array a))
  (l:Z) (u:Z): Prop := (map_eq_sub (elts a1) (elts a2) 0%Z l) /\ ((permut a1
  a2 l u) /\ (map_eq_sub (elts a1) (elts a2) u (length a1))).

(* Why3 assumption *)
Definition permut_all {a:Type} {a_WT:WhyType a} (a1:(array a)) (a2:(array
  a)): Prop := ((length a1) = (length a2)) /\ (map.MapPermut.permut (elts a1)
  (elts a2) 0%Z (length a1)).

(* Why3 goal *)
Theorem exchange_permut_sub : forall {a:Type} {a_WT:WhyType a},
  forall (a1:(array a)) (a2:(array a)) (i:Z) (j:Z) (l:Z) (u:Z), (exchange1 a1
  a2 i j) -> (((l <= i)%Z /\ (i < u)%Z) -> (((l <= j)%Z /\ (j < u)%Z) ->
  ((0%Z <= l)%Z -> ((u <= (length a1))%Z -> (permut_sub a1 a2 l u))))).
(* Why3 intros a1 a2 i j l u h1 (h2,h3) (h4,h5) h6 h7. *)
intros a1 a2 i j l u h1 (h2,h3) (h4,h5) h6 h7.
destruct h1 as (h11,h12).
destruct h12 as (ha,(hb,(hc,(hd,he)))).
red. repeat split.
(* eq_sub *)
red. intros. apply he; omega.
assumption. assumption. omega. omega. assumption.
(* permut *)
red. intro v.

assert (Occ.occ v (elts a1) i (i+1) + Occ.occ v (elts a1) j (j+1)
      = Occ.occ v (elts a2) i (i+1) + Occ.occ v (elts a2) j (j+1))%Z.
destruct (why_decidable_eq (elts a1 i) v).
rewrite Occ.occ_right_add. 2: omega. 2: ring_simplify (i+1-1)%Z; assumption.
rewrite (Occ.occ_right_add v (elts a2) j). 2: omega.
  2: ring_simplify (j+1-1)%Z; rewrite <- hc; assumption.
ring_simplify (i+1-1)%Z. ring_simplify (j+1-1)%Z.
rewrite Occ.occ_empty. 2: omega. rewrite (Occ.occ_empty v (elts a2) j). 2: omega.
destruct (why_decidable_eq (elts a1 j) v).
rewrite Occ.occ_right_add. 2: omega. 2: ring_simplify (j+1-1)%Z; assumption.
rewrite (Occ.occ_right_add v (elts a2) i). 2: omega.
  2: ring_simplify (i+1-1)%Z; rewrite <- hd; assumption.
ring_simplify (i+1-1)%Z. ring_simplify (j+1-1)%Z.
rewrite Occ.occ_empty. 2: omega. rewrite (Occ.occ_empty v (elts a2) i). 2: omega.
ring.
rewrite Occ.occ_right_no_add. 2: omega. 2: ring_simplify (j+1-1)%Z; assumption.
rewrite (Occ.occ_right_no_add v (elts a2) i). 2: omega.
  2: ring_simplify (i+1-1)%Z; rewrite <- hd; assumption.
ring_simplify (i+1-1)%Z. ring_simplify (j+1-1)%Z.
rewrite Occ.occ_empty. 2: omega. rewrite (Occ.occ_empty v (elts a2) i). 2: omega.
ring.
rewrite Occ.occ_right_no_add. 2: omega. 2: ring_simplify (i+1-1)%Z; assumption.
rewrite (Occ.occ_right_no_add v (elts a2) j). 2: omega.
  2: ring_simplify (j+1-1)%Z; rewrite <- hc; assumption.
rewrite Occ.occ_empty. 2: omega. rewrite (Occ.occ_empty v (elts a2) j). 2: omega.
destruct (why_decidable_eq (elts a1 j) v).
rewrite Occ.occ_right_add. 2: omega. 2: ring_simplify (j+1-1)%Z; assumption.
rewrite (Occ.occ_right_add v (elts a2) i). 2: omega.
  2: ring_simplify (i+1-1)%Z; rewrite <- hd; assumption.
ring_simplify (i+1-1)%Z. ring_simplify (j+1-1)%Z.
rewrite Occ.occ_empty. 2: omega. rewrite (Occ.occ_empty v (elts a2) i). 2: omega.
ring.
rewrite Occ.occ_right_no_add. 2: omega. 2: ring_simplify (j+1-1)%Z; assumption.
rewrite (Occ.occ_right_no_add v (elts a2) i). 2: omega.
  2: ring_simplify (i+1-1)%Z; rewrite <- hd; assumption.
ring_simplify (i+1-1)%Z. ring_simplify (j+1-1)%Z.
rewrite Occ.occ_empty. 2: omega. rewrite (Occ.occ_empty v (elts a2) i). 2: omega.
ring.

assert (c: (i < j \/ i = j \/ j < i)%Z) by omega. destruct c as [c|c].
(* i < j *)
assert (Occ.occ v (elts a1) l u = Occ.occ v (elts a1) l i + Occ.occ v (elts a1) i u)%Z.
  apply Occ.occ_append. omega.
assert (Occ.occ v (elts a1) i u = Occ.occ v (elts a1) i (i+1) + Occ.occ v (elts a1) (i+1) u)%Z.
  apply Occ.occ_append. omega.
assert (Occ.occ v (elts a1) (i+1) u = Occ.occ v (elts a1) (i+1) j + Occ.occ v (elts a1) j u)%Z.
  apply Occ.occ_append. omega.
assert (Occ.occ v (elts a1) j u = Occ.occ v (elts a1) j (j+1) + Occ.occ v (elts a1) (j+1) u)%Z.
  apply Occ.occ_append. omega.

assert (Occ.occ v (elts a2) l u = Occ.occ v (elts a2) l i + Occ.occ v (elts a2) i u)%Z.
  apply Occ.occ_append. omega.
assert (Occ.occ v (elts a2) i u = Occ.occ v (elts a2) i (i+1) + Occ.occ v (elts a2) (i+1) u)%Z.
  apply Occ.occ_append. omega.
assert (Occ.occ v (elts a2) (i+1) u = Occ.occ v (elts a2) (i+1) j + Occ.occ v (elts a2) j u)%Z.
  apply Occ.occ_append. omega.
assert (Occ.occ v (elts a2) j u = Occ.occ v (elts a2) j (j+1) + Occ.occ v (elts a2) (j+1) u)%Z.
  apply Occ.occ_append. omega.

assert (Occ.occ v (elts a1) l i = Occ.occ v (elts a2) l i).
  apply Occ.occ_eq. intros. apply he; omega.
assert (Occ.occ v (elts a1) (i+1) j = Occ.occ v (elts a2) (i+1) j).
  apply Occ.occ_eq. intros; apply he; omega.
assert (Occ.occ v (elts a1) (j+1) u = Occ.occ v (elts a2) (j+1) u).
  apply Occ.occ_eq. intros; apply he; omega.

omega.

(* i = j *)
destruct c.
subst j.
apply Occ.occ_eq.
intros k hk.
assert (c: (k=i \/ k <>i)%Z) by omega. destruct c.
subst k. assumption.
apply he. omega. assumption. assumption.

(* j < i *)
assert (Occ.occ v (elts a1) l u = Occ.occ v (elts a1) l j + Occ.occ v (elts a1) j u)%Z.
  apply Occ.occ_append. omega.
assert (Occ.occ v (elts a1) j u = Occ.occ v (elts a1) j (j+1) + Occ.occ v (elts a1) (j+1) u)%Z.
  apply Occ.occ_append. omega.
assert (Occ.occ v (elts a1) (j+1) u = Occ.occ v (elts a1) (j+1) i + Occ.occ v (elts a1) i u)%Z.
  apply Occ.occ_append. omega.
assert (Occ.occ v (elts a1) i u = Occ.occ v (elts a1) i (i+1) + Occ.occ v (elts a1) (i+1) u)%Z.
  apply Occ.occ_append. omega.

assert (Occ.occ v (elts a2) l u = Occ.occ v (elts a2) l j + Occ.occ v (elts a2) j u)%Z.
  apply Occ.occ_append. omega.
assert (Occ.occ v (elts a2) j u = Occ.occ v (elts a2) j (j+1) + Occ.occ v (elts a2) (j+1) u)%Z.
  apply Occ.occ_append. omega.
assert (Occ.occ v (elts a2) (j+1) u = Occ.occ v (elts a2) (j+1) i + Occ.occ v (elts a2) i u)%Z.
  apply Occ.occ_append. omega.
assert (Occ.occ v (elts a2) i u = Occ.occ v (elts a2) i (i+1) + Occ.occ v (elts a2) (i+1) u)%Z.
  apply Occ.occ_append. omega.

assert (Occ.occ v (elts a1) l j = Occ.occ v (elts a2) l j).
  apply Occ.occ_eq. intros. apply he; omega.
assert (Occ.occ v (elts a1) (j+1) i = Occ.occ v (elts a2) (j+1) i).
  apply Occ.occ_eq. intros; apply he; omega.
assert (Occ.occ v (elts a1) (i+1) u = Occ.occ v (elts a2) (i+1) u).
  apply Occ.occ_eq. intros; apply he; omega.

omega.

(* eq_sub *)
red. intros. apply he; omega.
Qed.
why3-1.6.0/examples/stdlib/array/array_ArrayPermut_permut_sub_weakening_2.v000066400000000000000000000132221440160026300271770ustar00rootroot00000000000000(* This file is generated by Why3's Coq 8.4 driver *)
(* Beware! Only edit allowed sections below    *)
Require Import BuiltIn.
Require BuiltIn.
Require int.Int.
Require map.Map.
Require map.Occ.
Require map.MapPermut.

(* Why3 assumption *)
Definition unit := unit.

(* Why3 assumption *)
Inductive array
  (a:Type) {a_WT:WhyType a} :=
  | mk_array : Z -> (@map.Map.map Z _ a a_WT) -> array a.
Axiom array_WhyType : forall (a:Type) {a_WT:WhyType a}, WhyType (array a).
Existing Instance array_WhyType.
Implicit Arguments mk_array [[a] [a_WT]].

(* Why3 assumption *)
Definition elts {a:Type} {a_WT:WhyType a} (v:(@array a a_WT)): (@map.Map.map
  Z _ a a_WT) := match v with
  | (mk_array x x1) => x1
  end.

(* Why3 assumption *)
Definition length {a:Type} {a_WT:WhyType a} (v:(@array a a_WT)): Z :=
  match v with
  | (mk_array x x1) => x
  end.

(* Why3 assumption *)
Definition get {a:Type} {a_WT:WhyType a} (a1:(@array a a_WT)) (i:Z): a :=
  (map.Map.get (elts a1) i).

(* Why3 assumption *)
Definition set {a:Type} {a_WT:WhyType a} (a1:(@array a a_WT)) (i:Z)
  (v:a): (@array a a_WT) := (mk_array (length a1) (map.Map.set (elts a1) i
  v)).

(* Why3 assumption *)
Definition make {a:Type} {a_WT:WhyType a} (n:Z) (v:a): (@array a a_WT) :=
  (mk_array n (map.Map.const v: (@map.Map.map Z _ a a_WT))).

(* Why3 assumption *)
Definition map_eq_sub {a:Type} {a_WT:WhyType a} (a1:(@map.Map.map Z _
  a a_WT)) (a2:(@map.Map.map Z _ a a_WT)) (l:Z) (u:Z): Prop := forall (i:Z),
  ((l <= i)%Z /\ (i < u)%Z) -> ((map.Map.get a1 i) = (map.Map.get a2 i)).

(* Why3 assumption *)
Definition array_eq_sub {a:Type} {a_WT:WhyType a} (a1:(@array a a_WT))
  (a2:(@array a a_WT)) (l:Z) (u:Z): Prop := ((length a1) = (length a2)) /\
  (((0%Z <= l)%Z /\ (l <= (length a1))%Z) /\ (((0%Z <= u)%Z /\
  (u <= (length a1))%Z) /\ (map_eq_sub (elts a1) (elts a2) l u))).

(* Why3 assumption *)
Definition array_eq {a:Type} {a_WT:WhyType a} (a1:(@array a a_WT))
  (a2:(@array a a_WT)): Prop := ((length a1) = (length a2)) /\ (map_eq_sub
  (elts a1) (elts a2) 0%Z (length a1)).

(* Why3 assumption *)
Definition exchange {a:Type} {a_WT:WhyType a} (a1:(@map.Map.map Z _ a a_WT))
  (a2:(@map.Map.map Z _ a a_WT)) (l:Z) (u:Z) (i:Z) (j:Z): Prop :=
  ((l <= i)%Z /\ (i < u)%Z) /\ (((l <= j)%Z /\ (j < u)%Z) /\
  (((map.Map.get a1 i) = (map.Map.get a2 j)) /\ (((map.Map.get a1
  j) = (map.Map.get a2 i)) /\ forall (k:Z), ((l <= k)%Z /\ (k < u)%Z) ->
  ((~ (k = i)) -> ((~ (k = j)) -> ((map.Map.get a1 k) = (map.Map.get a2
  k))))))).

Axiom exchange_set : forall {a:Type} {a_WT:WhyType a},
  forall (a1:(@map.Map.map Z _ a a_WT)) (l:Z) (u:Z) (i:Z) (j:Z),
  ((l <= i)%Z /\ (i < u)%Z) -> (((l <= j)%Z /\ (j < u)%Z) -> (exchange a1
  (map.Map.set (map.Map.set a1 i (map.Map.get a1 j)) j (map.Map.get a1 i)) l
  u i j)).

(* Why3 assumption *)
Definition exchange1 {a:Type} {a_WT:WhyType a} (a1:(@array a a_WT))
  (a2:(@array a a_WT)) (i:Z) (j:Z): Prop := ((length a1) = (length a2)) /\
  (exchange (elts a1) (elts a2) 0%Z (length a1) i j).

(* Why3 assumption *)
Definition permut {a:Type} {a_WT:WhyType a} (a1:(@array a a_WT)) (a2:(@array
  a a_WT)) (l:Z) (u:Z): Prop := ((length a1) = (length a2)) /\
  (((0%Z <= l)%Z /\ (l <= (length a1))%Z) /\ (((0%Z <= u)%Z /\
  (u <= (length a1))%Z) /\ (map.MapPermut.permut (elts a1) (elts a2) l u))).

(* Why3 assumption *)
Definition permut_sub {a:Type} {a_WT:WhyType a} (a1:(@array a a_WT))
  (a2:(@array a a_WT)) (l:Z) (u:Z): Prop := (map_eq_sub (elts a1) (elts a2)
  0%Z l) /\ ((permut a1 a2 l u) /\ (map_eq_sub (elts a1) (elts a2) u
  (length a1))).

(* Why3 assumption *)
Definition permut_all {a:Type} {a_WT:WhyType a} (a1:(@array a a_WT))
  (a2:(@array a a_WT)): Prop := ((length a1) = (length a2)) /\
  (map.MapPermut.permut (elts a1) (elts a2) 0%Z (length a1)).

Axiom exchange_permut_sub : forall {a:Type} {a_WT:WhyType a},
  forall (a1:(@array a a_WT)) (a2:(@array a a_WT)) (i:Z) (j:Z) (l:Z) (u:Z),
  (exchange1 a1 a2 i j) -> (((l <= i)%Z /\ (i < u)%Z) -> (((l <= j)%Z /\
  (j < u)%Z) -> ((0%Z <= l)%Z -> ((u <= (length a1))%Z -> (permut_sub a1 a2 l
  u))))).

(* Why3 goal *)
Theorem permut_sub_weakening : forall {a:Type} {a_WT:WhyType a},
  forall (a1:(@array a a_WT)) (a2:(@array a a_WT)) (l1:Z) (u1:Z) (l2:Z)
  (u2:Z), (permut_sub a1 a2 l1 u1) -> (((0%Z <= l2)%Z /\ (l2 <= l1)%Z) ->
  (((u1 <= u2)%Z /\ (u2 <= (length a1))%Z) -> (permut_sub a1 a2 l2 u2))).
(* Why3 intros a1 a2 l1 u1 l2 u2 h1 (h2,h3) (h4,h5). *)
intros a1 a2 l1 u1 l2 u2 h1 (h2,h3) (h4,h5).
unfold permut_sub in *.
destruct h1 as (eql,(h1,eqr)).
unfold map_eq_sub in *.
split.
(* eq left *)
intros. apply eql; omega.
split.
(* permut *)
unfold permut in *.
destruct h1 as (h1,(h1a,(h1b,h1c))).
repeat split; try assumption. omega. omega.
unfold MapPermut.permut in *.
intros v.
assert (c: (l1 <= u1 \/ u1 < l1)%Z) by omega. destruct c.
(* l1 <= u1 *)
assert (Occ.occ v (elts a1) l2 u2 = Occ.occ v (elts a1) l2 l1 + Occ.occ v (elts a1) l1 u2)%Z. 
  apply Occ.occ_append. omega.
assert (Occ.occ v (elts a1) l1 u2 = Occ.occ v (elts a1) l1 u1 + Occ.occ v (elts a1) u1 u2)%Z. 
  apply Occ.occ_append. omega.
assert (Occ.occ v (elts a2) l2 u2 = Occ.occ v (elts a2) l2 l1 + Occ.occ v (elts a2) l1 u2)%Z. 
  apply Occ.occ_append. omega.
assert (Occ.occ v (elts a2) l1 u2 = Occ.occ v (elts a2) l1 u1 + Occ.occ v (elts a2) u1 u2)%Z. 
  apply Occ.occ_append. omega.
assert (Occ.occ v (elts a1) l2 l1 = Occ.occ v (elts a2) l2 l1).
  apply Occ.occ_eq. intros; apply eql; omega.
assert (Occ.occ v (elts a1) u1 u2 = Occ.occ v (elts a2) u1 u2).
  apply Occ.occ_eq. intros; apply eqr; omega.
generalize (h1c v); omega.
(* u1 < l1 *)
apply Occ.occ_eq.
intros i hi.
assert (c: (i < l1 \/ u1 <= i)%Z) by omega. destruct c.
apply eql; omega.
apply eqr; omega.
(* eq right *)
intros; apply eqr; omega.
Qed.

why3-1.6.0/examples/stdlib/array/why3session.xml000066400000000000000000000326141440160026300216470ustar00rootroot00000000000000














 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
   
   
    
    
    
   
   
  
  
  
  
  
 
 
 
 
 
 
 
 


 
 
 


 
 
 
 
 
 
 
 
 
 
 
 
 
 


 
 
 


 
 
 
 
 
 


 
 
 
 
 
  
  
  
  
  
  
  
  
  
 
 
 
 
  
  
  
  
  
  
  
  
  
 
 
 
 
 


 
 
  
  
  
  
  
  
  
  
   
   
   
   
   
   
   
   
   
   
   
   
   
   
    
    
    
    
   
   
   
   
    
    
    
   
   
   
   
   
  
  
  
  
   
   
   
  
  
  
  
   
   
    
    
    
   
   
   
   
   
  
  
  
  
   
   
   
   
   
   
   
   
   
   
   
   
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
 
 



why3-1.6.0/examples/stdlib/array/why3shapes.gz000066400000000000000000000145711440160026300212710ustar00rootroot00000000000000][6~?}>?w3eu^遮M~ܑIuGn5#
7>n{soXm0EWO04%U)~G"Ș(XM`P*'"e\tV3.AjmP濋?ʸvk$u/lBUtDZhЁ IjTia%ɵu^z/K-=#rмh'&FjY47b})&M,Ū[2d?ySO\?I|eT]0v=m	P\eUVgkLUTZ--.0
Fݔe",IJ vW
Vcت	CZG`Eenػ{Yf^<	jFG$'=۴~~	i-!(0@UV*U{2t[p]Vil5~!k ar"aVYĺ%S\)sV5v]d/wA]P*]Iܬ^ǛLW8P~Qk-H{a<ö˴147$kA-y%N}O?c$jF8I: n%rW
2jl3h_O1y&QWshIGhO2h`KI5<+>۱ӜOi;5u64eNBڤC4Cxo;ҷ9a)&A2{BufeLnɱpd,l֊ZkHMgEc soRI8@ąIQ/NO9"g*ǹA]3˃'`KJu"!慷e@ᬌ%
qP{H_FJZƤSް/Z=" 	b/"Y\%MZI
VmL.qTV ]\}ZJdUEx$U)G(P9+@9̥	C);mur\ĄUyP,9XKC-څG]tPBZXv_>zTkU[yU5AN!UQD%M?Na??CqtFMk؜7㊮ȤsCb
[9UW;\Dv7Ǐ)q6HN<0S킁آcE%/^8hVq;Ֆ]	{ՐhXm8;E~IOk{4Nd<2Y]IJMct
~GM
j14p}
w9IOR/i<ǧ>on"cs7{a>ңh
j
b2=XB{(%BV2%ъeUb}rĕ3#:C)Ꮑo1ˌZCf݃蓸I1{13Zfe?NWig|4	4&4br%\ꨮ۳zM1'U/SŶ5שjt܆2-1rœ
ϐrv
)*iv>8	'D*ETXGt,bsks
ۄק&Lޘi.hqږ1V7i-vq6?U.S+2SHz[3,AO)ZEþ_~#>oiFhO~3={Cӿv٤%XԲBv{S%ҽqY0?$W
]&E44gqhy%7/k˾ʼk~
_˼lk^4ciD<u"Dzsޛn
HQYhL}3Ey#(o85,
z2X^fZk$k{4M饃Ws=x:Y3࿾fz<;ӣμp]ύ@..6|lm|n"Fܸ#
$L|_4ZdtRFL<7>&-em|nM&]X%K[_R)+FъƗ2jttn,H>^
o[pw&WT=1IJ~*әj㧢6VI\r\pZP+Nq^
b'[?|',)|Zv+Y7`_[]d.Sy@"T_=<g`15y)I#P
}3tz3jcyũ$}̏V{PkMvxܙW噼v򪢼*~	+/ix."^^dҝx63IoX}~߀ߨZ5o^s~V߀^Îe`xbiȱ+Q[C|tgɤ|_ߋ__/.6V{?QUk4wZN+TH58?ej&_TN;da'|>}ہ\
>2(~=ԋMP5>s8<p)4MZ5Nrб9($b 
r?Nvx
v9>xa	+Bأ4YI3`bVr4Fc8\g{%F7hT
g9x;x82E~b
X#
wAv 21\x[%:;B=zFkSPH5 ZwZuZ8!|Tӱ`ahuΌ)Է7ZAM0q>ޙyt`|P|0\qgB8aH~c
MG;NC#L. 2)堵,8ou0H`QLlÀ	0S#!ڍal"9j<:5GSHD2(ɀÄѡE01qxF'a%	c9fJ]zY䍄L^),<:|$
aO3Xt:0`̴Չs(ތ֛ేL
ӄd:#$.*I49«D_]l20h$cc:ZP%2bUMb1R3˄0sCVSfEoc%ac^w
z3S&1c0<%D0qF`Db/<1:Idk1d)KXxT@grv@U0b+:c7qv?[7!pFaA$3u!OKģnRD
5FL>$9?Y}2vfR
FuZ	 Jb+:<}pqrʄ1\C$D`82C#F6TGzt,RUFu8sV͈q!΄༖BblZBFǤ3F30F`AԘ3=,49p"J`bT8P Gq
">31a,e,F#T#d96
0cBCca1ahy`b f9
6	@r612,=|bfv6jHIT!ӌѕPXe~(an4p\VDZkDє7bQa&PD9E[wwhy3-1.6.0/examples/stdlib/bintree/000077500000000000000000000000001440160026300171335ustar00rootroot00000000000000why3-1.6.0/examples/stdlib/bintree/why3session.xml000066400000000000000000000041111440160026300221500ustar00rootroot00000000000000








 
 
 


 
 
  
  
  
 
 
 
 
  
  
  
 
 


 
 
  
  
  
 
 


 
 
  
  
  
 
 


 
 
  
  
  
 
 



why3-1.6.0/examples/stdlib/bintree/why3shapes.gz000066400000000000000000000007701440160026300215770ustar00rootroot00000000000000uQn!{ls` jNVWh!Ʃ6jcGvwㄕV7oհ_߲oC>YYO:%yZ:‘߶M^^^Vvj1n2rS-7d:e+]v4GcV3kSֳ$Em4\p1hOwֺ糧r`Lξkܯ;qts889~5o&՛g,}[wcјD !s+]@,&!-qF.P3o) (	k/R{p("0 9O=tpBq:.VQT/&{O٦">⑽ʂzPW







 
 
 
 
 
 



why3-1.6.0/examples/stdlib/byte_string/why3shapes.gz000066400000000000000000000012351440160026300224750ustar00rootroot00000000000000Tn0+tK 9\$!(`ĀSk1Fh4Z4Rȁ9㛍?çf7]x<7ꄓ}_}HgI7,''F
mTFh@UxtV|F.	n俰dV2,waڒ_ufe9W#*IW^z:.2^	0Gb7d.C1?	&EP!`%R%DxwOv-F甖}ڗcov-F<(j"=tө51	pu7".a0."ωidȀJfCY]P0m/ݽqF.e4::ShKR7aD
"!80ܟXx}܏ݔNR\r4d,,aRT6Xϊ**^zDي] E!/p@~P,oB#B
9eD,1v,FϠx0O)$(9{kr
NŠ+LN*pURqU
AY`HiB%̟w+y94o6to

ufQlZT^nFzo<}SRC֙z?Wwhy3-1.6.0/examples/stdlib/list/000077500000000000000000000000001440160026300164565ustar00rootroot00000000000000why3-1.6.0/examples/stdlib/list/why3session.xml000066400000000000000000000502441440160026300215030ustar00rootroot00000000000000












 
 
 


 
 
  
  
  
 
 
 
 
  
  
  
  
  
  
 
 


 
 
 
 
 
 
 
 
 


 
 
  
  
  
 
 


 
 
  
  
  
 
 
 
 
  
  
  
 
 
 
 
  
  
  
 
 


 
 
 
 
 
 


 
 
  
  
   
   
   
   
   
   
  
  
 
 
 
 
  
  
  
 
 
 
 
  
  
  
 
 
 
 
  
  
  
 
 
 
 
  
  
   
   
   
   
   
   
  
  
 
 


 
 
  
  
  
 
 
 
 
  
  
  
 
 


 
 
  
  
  
 
 
 
 
 
 
 
  
  
  
 
 
 
 
  
  
  
 
 
 
 
  
  
  
 
 
 
 
  
  
  
 
 


 
 
  
  
  
 
 
 
 
  
  
  
 
 
 
 
  
  
  
 
 
 
 
 


 
 
  
  
  
  
  
   
   
   
   
   
   
   
   
   
  
  
  
  
  
 
 
 
 
  
  
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
  
  
 
 


 
 
 


 
 
 
 
 
 
 
 
  
  
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
  
  
 
 
 
 
  
  
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
  
  
 
 


 
 
  
  
  
 
 
 
 
  
  
   
   
   
   
   
   
   
   
   
   
   
   
  
  
 
 
 
 
  
  
  
 
 
 
 
  
  
  
 
 


 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
  
  
   
   
    
    
    
    
    
    
   
   
   
   
    
    
     
     
     
     
     
      
      
      
      
      
       
       
        
        
        
        
        
         
         
          
          
           
           
           
           
           
           
          
          
         
         
        
        
       
       
      
      
     
     
    
    
   
   
  
  
 
 


 
 
  
  
   
   
   
   
   
   
  
  
 
 


 
 
  
  
  
 
 


 
 
  
  
  
 
 



why3-1.6.0/examples/stdlib/list/why3shapes.gz000066400000000000000000000135141440160026300211220ustar00rootroot00000000000000Zێ]7}?_Ǚ6`ҘH@@^,jO*FѱѦ("oy}~?7/~JߝUG2bnxv?	J7߿?^QDvfXų6IMrtw;M<٘fQ0nl~!vީx~`z礇~X!F_L0O:^g8']|b'}7{|~-vڝ.;ٙ6;@ޝh-aZۡ:b_{As!avԯ$LUݵ3}%wz}w,]z'"0B?GL?^+W*˸)[V?t]M#PZdد"nYV8_ulA<`>ٱgƴ 6ɰH"E,nbۜn,  
ߎ!F˄"k=1%/_&5L;zRxps{Uj
x,?;0;f\.4
,‹nϠĪOC4%TK
$WYs);"*6MHq|O`a7q#ɯa*sV+H^̘1qHMr9I<
@v.X 
X:N<+nb8+gS,yM{ۯS6<1[™v	ZA8ōy8a+aN,=s"6TfJ61}*`"==Eq.8E:zmÆgjذ\Ľױ+onGyhW->CV`k3ӖDF05UhUF5+LRC{W׊C~_NA/8m9y@v^^
bR/MW&۫nV`m]B֜kFQ(^5*}z	?`
ˁa]i{t-ON>
"]IahE)[XD=ڜ1
Ψes|ǭ3ZDYFv>Yg;Bdb[w|
8U^Oܿ~K3WuNwlB?GޙeYnv,Ж"ޚ(۷qD2H/K睶›zolY8wuEtW><6{#ߙ[6$zp1#>:cދO;{~p#{;wjGn"r@f|D#d>OoGy|Z~??>cݍׯ׷m/_oy/:2f`O71Ul"BS@fq<
.vxR>4ͭ{Vx}ǻ;ZxLuW
įC(p_|@2ş?7OoKNyɧ>ܿ}ۃhoN1Pu?aݶݮi;[՝m*Yxv}T|ϗƷ?-fwa%GzpУ/g\L.7mwo1jQsi9yvn*~=?]~#]6_@wGq)2GbG	b?xX?alz%o?|)3ߏ27s?{/GO~6Gߌi7R((qɵ:%NR%ݚ/5CI9zN2R}%뢥X|辆
Я͉\id\5QJ2Ye)fe-ns4B1;-,<"e1!c͠%X\
)En%r*A!q$6k%
	jp=58՛-T9q	P|oɌpqjM\	
K4WI5"d;
Y`B#x'{ڑ2f@w3k8uN6$c1)t>+2ށuB!H42H~2SAWk7 3wCPVtƉ%X?
r(ƞV٠=d=V3
[t"eN%"$	Gp12WSYau8rk v)d+aEŀ׺mEǑuJĩY0`C*rNj[!T{Q
6	e!gS6&=^pHx86mnO-ȰRF\!B"~aAYx-
D/6I@Z`h4T bLΥWP.eFrRBgn!C6#cȌ4M8*v]BPTuH4G[Cd
6l'|6*@R, JLMK]pjVb#!q.kPt!ǹYV#ZP
- FҖѦ	Z8pVE~4kǧl+By+8="$-+xE0Up4	8*VTÊ ⅝!hDP#́8|&Z
Uz0	 ;XbuCVpM$@"k|r4	3 ]z0(	MGRiPѱ2zٲ lxȇYeؑH=Q)d_P'^NB7B{SBgSp2#rQN7|9	Hh!&2@8-J, $tS4X`/݂9`jIr,7iT9i=NS5 frʎeX5UcR	.9U,sh	$A>H^.`t=yC`Jl"eDEe`YA* %1Z8M!y=.
܀hC3~+Tд FoMDy<(3j^QpACF/yHQ=X}E}@Q*Õy&N

W(JKvGJB#+<'ĻH[ZͅjRW&Fpd)ZXMEKfS5ϸHX
"Ph0%?KDP}ˆ`U?*\	}48)xmP{bPapZ(xBAFJ/UW8`PcwU<8L4D4nK#ٴd'wIZT*.	Jo
!(TQJvѠcnS	$6]^YJP穏O `/rE`'XdyR Lj9lu
NlrDSjб*]T장
U&W\tgCer @D6̠kd1VB	qH.EҴqESS?[-Q0s
݅$@-bI%ԆR]{QH#@ԭ{՚NE14
RCfQKt -`~"i4jՄZ
`P߀Eh{)04i7l4Z9,hB2>uL}D3`x
jzBŏziF
ݢqGE6v%ǗwX2o0i.vYoZ_Q1Jw$#*EC
ݡ;N@ugW[-;Rsi^wZOзYSQ
:GDcߴy"*hgJrX 6߾JwBN\Ci6]"mKuҞR+c0JާE&e6T@֪kdDE&RA6ݔ͖>5s@{R]Z6@AEZrNGơ)ȄD	T%7dx뀰C;(PglUw"gVA쭷zerˋ´(0Ewhy3-1.6.0/examples/stdlib/mach/000077500000000000000000000000001440160026300164135ustar00rootroot00000000000000why3-1.6.0/examples/stdlib/mach/c/000077500000000000000000000000001440160026300166355ustar00rootroot00000000000000why3-1.6.0/examples/stdlib/mach/c/why3session.xml000066400000000000000000000122361440160026300216610ustar00rootroot00000000000000






 
 
 
 
 
 
 
 
 
 
 
 
 
 
 


 
 
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
 
 
 
 
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
 
 
 
 
 
 
 
 
 
 
 


 
 
 
 


 
 
 
 
 
 
 
 
 



why3-1.6.0/examples/stdlib/pigeon/000077500000000000000000000000001440160026300167645ustar00rootroot00000000000000why3-1.6.0/examples/stdlib/pigeon/why3session.xml000066400000000000000000000113121440160026300220020ustar00rootroot00000000000000










 
 
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
 
 


 
 
 
 
  
  
   
   
    
    
     
     
     
     
     
     
    
    
    
    
    
   
   
  
  
 
 
 
 
 
 
 
 
 
 



why3-1.6.0/examples/stdlib/pigeon/why3shapes.gz000066400000000000000000000035371440160026300214340ustar00rootroot00000000000000Vn8}WqwXU.&
m(12kn;ӍٿE@,(e{i#[mWe#KڛzDu/oQt/⷏v>/?n~sY,8m:wpzXx؏zXBH)YkO5nxazxK:}k5/#5H|1$9XYM)$Jg5|.\V&ZT(e䧅Y]6Y]OEKo3m}bᚡbh?GmF]WħmU%XMU]"܏rُbYK֠
JvweQ~~O=uns=m-p~Nk}]jKiʢR(|˷Vcm׬qx_]Ϙ>SE2V47
돨zM}Vt=f-IWb]];EwGX8VË&@G

G(鮌iqTlK5愅MP幋t[j麺	>(mmϰm͍J.л_˾ߥ;Ūz/D-UTsE=YdVʒ/\[eՒrFIPL%2GtuT'!tVdr2QJK,A,#վReHbͷ3
w\3#ќF9t#N&5:qҍҬ%in:qE֎lړUuJ.D%eO+q
V[iE'Niڗ_у8
E.یoe<I#b)i*|%|{{?>S)=go+6-~(hdoj@4%Q(A䴲BD&%[tڿ'mʉ38bBQp H)E=Sm%3$UH!N1qJτhC KB>ےH>͓1)u212-ȴp0%GD3y+9dodO3uE$ 1EUݺ=.7u^hF肱*AAQ7IxD%E$fBdµ	v+Es^Tic8U<[+3&+$pHSd%;h$rA)ky>)[UjbvV;"LJr.ld3ywzm#A&YʄW'(Bw_2<Ҥa	?why3-1.6.0/examples/stdlib/pqueue/000077500000000000000000000000001440160026300170075ustar00rootroot00000000000000why3-1.6.0/examples/stdlib/pqueue/why3session.xml000066400000000000000000000106351440160026300220340ustar00rootroot00000000000000









 
 
 


 
 
 
 
 
 
 
 
 
 
 
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
 
 



why3-1.6.0/examples/stdlib/pqueue/why3shapes.gz000066400000000000000000000034671440160026300214610ustar00rootroot00000000000000WK
W1E"=jT#=;/"~j.S4t~g~pc;t>?>A!;,שNsu$~ԝ{ӝO:}סIzȪ)tSɦKTzb}QPssz)*~n8V/'+I=z
γԜ{tvg#'f+#'P䰆<k'֠ثX&Ǟj,6tA9UڥKUJr7J'ECz+R2ฬy'&=Ŵ4khԡ-fZ3Ѭn-WNm
?z;9-K{#cFƾ02vgdjmt.I$Uu|ā%SƁW-V"-b|Łu9j)Q%9[\,b!L죚6?s[m`MN`2˙1L9WZIGܲhwRZ+q|a}ipr!]*?ʌy˔soU0ĺ螲fʣTDM-oL2ʤFH@':qCZyт׉9H6O*Hfس
CWAF	xn9bAD]bR0}"U1i~"$GL<*5[ 8.%LDJ(z2K }O`yȤw
l݂jA8\rV
3,-1^7([-RExœ:l2+#@8œz$
IdR
)\m5ݤL^bI)B6g8Y^r	!S3Ȅ@Il9XcIrgYbdz\}i/-Wa%H鉠$aDg,D

lrKBϽBe
pϢw©d|&P+;It}`>Ҩ2Q'RZ ɱmi7W	
Ӣ35{GNQ'oqhhW<@` RaV6(IK<ѐF9ѣv[BZЧjjlؽM	2R3A$hJzI(Sť޶why3-1.6.0/examples/stdlib/stringCheck.mlw000066400000000000000000000012051440160026300204660ustar00rootroot00000000000000module StringCheck

  use string.StringRealization as SR

  clone string.String
    with
      function concat = SR.concat,
      function length = SR.length,
      predicate lt = SR.lt,
      predicate le = SR.le,
      function s_at = SR.s_at,
      function substring = SR.substring,
      predicate prefixof = SR.prefixof,
      predicate suffixof = SR.suffixof,
      predicate contains = SR.contains,
      function indexof = SR.indexof,
      function replace = SR.replace,
      function replaceall = SR.replaceall,
      (*predicate is_digit = SR.is_digit,*)
      function to_int = SR.to_int,
      function from_int = SR.from_int

endwhy3-1.6.0/examples/stdlib/stringCheck/000077500000000000000000000000001440160026300177475ustar00rootroot00000000000000why3-1.6.0/examples/stdlib/stringCheck/why3session.xml000066400000000000000000000211121440160026300227640ustar00rootroot00000000000000








 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 



why3-1.6.0/examples/stdlib/stringCheck/why3shapes.gz000066400000000000000000000050571440160026300224160ustar00rootroot00000000000000XY
~ׯ8P,}"ը^@dI	=3kɧ5v"Y,6/og~s?Ƈ_AyR=}-nƏUͅJ]xᛃFԤ߿}Es.'K(8Zoʓ%nΒ̾ӒO]tZ&nv8$^W	>ǰPL_(-]il峧.Vwxinp?ͳ[1}2~_O]ȤA73קφ[N;ZbŽ_ٙ.nޥ6%}>
fǿ뛷o_|_#1:ǜqP¹Ov]P"nZ1ȋ"@	v\E"_.CR*8md'vɟnVE,KpغѵG.-/W0Ķn=fF_|)jJ̥]7	ӋbraF\BZB"~#.Aږ73.OCbΛ./=	z=_N,3(//,tX1;3""^Qkc/HxI/i),Ua}=r4k3:QZc&o!1QPZ^=d~nTZH4Kڞb;`bP-:rE"wf2ʢTorZ4/p7cɡ4rdk%Amȡ{lrָ<λfP#ezN;4
me#n0TAmgtϺ=LPvL
RAbBfh=_Ny=߭nӍpP:t:Q;q/0]PvMGA7]*]E*6#ڕis\%pǝ،Wnڶ y4iUQ>"[/<=Ŏ 6K>7͚
=cAƞOuT*F_A%n()QcR&̥J)̥9u45Sr޵W(҇3EPRɉ1(qN{hc0``[C1c4dD0/xN}`D)
=]	JuzTJ,C G!tJeџ	99{HC`~=
{HF.}F;}D}ҳىFR)N,%/4WsTg1Ŀ@KܲC|?;N#n˯5eGp5DgBՈO%Lun!
}5V557iJTtP{G\!%)~Ք~2=BVStm&q]&&$\Z=>b5k
Fi*e_fc$ӧOe`ۋv94.ʄZk(
-@	S.dTlZ⢾dĹD*
JP2%TK-5'߂U*D++?MBtsfU}M?uBRJ0QBfeTrmIŸ=$F7(d8cl:F bpN4ޑ.-uQU>Qz*(`	HuMS?iG#QWpިM9Hy
Re%ogh3!+>#1{(9u(Ej‹DF}_g:꽈^}Yf÷4\.އtc7se5蜫ϧX0NhhyMd}'5+:KZP,3PJ0?@.pnh[)ipZcTقIA~jrў9chaXct́D`K@y OjQNpb@B89?ŚW>Q"&Tx-P?]-T7|`>U|
dR!E14:#ѣ͍$5mlEhZC;싹
h*lJ4F(#[ /O5Ϲ/~f=%CaJȳ:6()#hH3фndI2R1iZLOf}1GN
e1P賘3p˂G"mRR" F) ),LUk(Fh>i1QJ%$BwT4k,=-[WLwQ)i:	g55_
f- J!kr{};6#e(|!Ktb
H	rbyo?Gq`3Ua>.EWJn=<	5"f@s2?տ'why3-1.6.0/examples/stdlib/tagset/000077500000000000000000000000001440160026300167725ustar00rootroot00000000000000why3-1.6.0/examples/stdlib/tagset/why3session.xml000066400000000000000000000427721440160026300220260ustar00rootroot00000000000000









 
 
 
 
 
 


 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
 
 
 
 
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
 
 
 
 
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
 
 
 
 
 
 
 
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
   
   
   
   
   
    
    
    
    
    
    
   
   
   
   
   
  
  
  
  
  
  
  
  
  
  
  
 
 
 
 
 
 
 
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
 
 



why3-1.6.0/examples/stdlib/tagset/why3shapes.gz000066400000000000000000000172111440160026300214340ustar00rootroot00000000000000]Io$7WhNe2 ZH``p;ʲi"Uc.
+KA=mooq|8~[uoEo{q?SwȼGwg]i_v>}\=ms|}6yFc&E{%]\ӽKϩ0zyWmՎeJk.Ӟ=!N_{3T:1^畏׭>}嗮fLV7{;!fGbv$F&(AJ!3-@,wMߝ&z?,<<^vE\^Me,@j=/)[a{L|
`EQ4yĝw00Sĝw{F;Cj1R.MFu/'
hmWY2Tw%sq4Φe;}3+0^gJR&)&05%VwĔ`ij:S՝'@z/Ow޽N~o^vC޽NnBC1f,k7~|t/_qg"csGckY瞏 r'z?q_~3jY`3
ΙNᠦCu}0E9/_ Tf=֓{lOVHzf*g~~b4h?̀t]1=ŒzqfϮ7X~zJ12}7flxj4{lQ,hN7c+#|HOU~AO)՜`-
2yS=|Kh}Yv[xIB貘BլKLԂ͏բZG:
+:*|Jaqnޑ'J*̸z2u[,nqoit~鐹
77gZ1]*ћOы<F_4CsvQžjx=^w;|b#[.\T|˭1Ant4SPUQAT{xИJJ*̌xݔuNe%YZUqv&ڈ)l14Bmo!I]{)MC|#H2d5Wyئ:K:keS]YǍ=a±)؍>¦`UYtd:K\a(cL=}sSq=u,Gl>AW{~UiZ|R(T4)ąʬ"BlMR
YRB*,3íң]B0	岪jdDԎ$]ڡLR/)z)eJ*f9LikeJLEVȊ2NtY`x.TW	 #0֙fh58>+X58R(VcWo`&d@&9[5=zD OKZ	=9"VXE!t@!,Wpbz%9uU6!U zd'4E.0含]C#*'u^g4&Koʏ~|]?OXK+=wy߅t]f+[sZVH>3[K5Mxq1\Uݯ3U=lUzISqPr R'$;R'P\a5/F)/JvU1SPLVUE6NL̼O\c+P)k(̤ eK4HоlS=\vL;,kZ?RT]DRTzC?όhuR
vr
qEj{5(:#u{ȨR"GM,GeGwt){2íPG}yj5'Nc1q?blK‹qhNCo8q8HMOzh'-ade^Ij|8_+5ŭƴʧ:Y4Ě5CIņLwU:)m',~fD+'evI08)v;-'Ct
ɱ|藕r	?pV-:rGX:]99I\˱iBKg,y.=q\#y:j':婰B8?ljﺅL~ػ^/^~]г8rx~/_3=Ʊ?MnR<\l
ѺtqqyTNj'-rڇRdӻ??)v_.q'rGgq؎'dr,8P#zg9KAO?+hۏ[:Jؠs8Z:Yd-miȫv5ōW)C@%7YL\;ŵǎ4w~*	NO_\w
gPL9vz=/L=dk	M_8lg(jD֮$}㠘\_hϚ\9vG_V:\S;3!2lܗP0qos&aDڝA0n'sغoNI;%@y'j+&w/cxsl?zzz+8%GlvnrxU3ߚ˝ALQKwkHnCypo*VN1Ue?Ư3yOd+PQG1
_y
o2B=__36쮩"us[n],]}yE9}gŗOExrؐIrM8Y?3U_3BsJLf=9MqzIߎi1;/Qh
b3>2TM'omr2KkTJ@.T%*McBf3r8ƺP]|uzԞT'^Sڞ`jӣBXwrƥMiϋSz1akpB榻7R@b0\Vrc״;vG(3wnԧmL-&cg_K~Fн蘚[tʟX+t6hLymi/a^RVF@-4򾠶beΚR S;Q|̍	{􏗛Eodjm8Ӝyxdaωf
#¹e*UR`NNǦ;aSb
	cRvKΖF5
4cDB咧Df@1Z:G%FHoz-;~ZM3𶱱$sT%sKj@I4G7))!e&[Fv37՘BT dCLIp{NaTzIP ,cԎ;E	ɸ&ٹD35H81c$!hH)ZHVtg4~$!R#DYhRυO&	&P}~vAKQ7(!#8X$d;AvJ
KO
pD$t/JS,Dt֢I{۪3<C
]*p XD4Kǝ z B#f'NG+cb"(+t.1A<6K
<Sz@8`'
降6,
lPoTim	Ap)lN"ɝ;Ək&Hh
i$`IB~g̒H0h(4ꌏey-YpRTpTF+RL[%v{@\Qt;vJ%)0X0	FUlp1L$[+wV,&a	̙=^f)hfCef( uN *Jv١yC'.g	Ԁ<0@y!zd1K!kLSA2G
4DIc`@(ɌU<$6ɖ2oH,uЂ?XS+NOsV[\?OfO3@,D@)c7!0g3;YpΞ_˄@VG{,5y32'xyUraЄ(<	D$)^AVc渁\6*ʶ'z3
D0H4
AZ[z2}νTY+Sz3pMGÿE(GpMWV! $LQJI Mm*Mp ֐RBg%ٺ)=8P^
2،chn2j,-#]Iq*>:ؼ	0a$r,HQ%
1l s9(%KxDl)ݸ2PW29B&N!7Vz}&cJjbk2
TH{3SZ9b$b`F	8c$Pl#S,hG}S#Ck%RCܙIT,$x%1CO;KEXeB7yd`2H€triTv3^#HHK*CDYqEGy>C.(I.{7.+BQk0:9AU7Ls	$~\8b)R?Bly`fJFd#`XƳx1Yn$QR =$	(dcI@rcSd$ot5RGrDF&-MaQXK%I(/DžCK-wIR	'L_A @<3[
H/8B8&6B]B}.EFd"AĤ$bZ.螃zz MbaQ(<nWZw5	0D!Aڮ|5G[ANr^%kvrx$?4D'[=K#\fD!tkd5\/Po)[Fr7W̽
pv²&9z#H(p|>#VT\F rpG#%o`aV2f@)iUvifXw
z,?LA
J$@}i95H\~Jق-W/ͤgWJkN]v"%|-h{K
Tf``U@JŒP[s,s
Ud,?Ƞle0v/`'nhHzxOQ`״EgřvP&yaI%%\ae(U!HT63HV\D؂	D@pvR	-elAyA7)9M;_6BnQ"N)2}~NPr
Đdc+'#Ik-IY/0٫`V'Dp)\%}w-|b$*l3R$[`C&cR$A	GPjH22c?bOΫPlFai=+$BOIc13dm! +{3\4q*,









 
 
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
   
   
   
   
   
    
    
    
   
   
  
  
  
  
  
  
  
  
  
  
  
  
  
  
 
 



why3-1.6.0/examples/stdlib/witness/why3shapes.gz000066400000000000000000000022371440160026300216430ustar00rootroot00000000000000U[k[9~?om	hF-5K1>J
N;::8iYHlͧo71_6r|8Qv_Oy?~p,Gdԝ?㷌>g
.pJ+e͹9V;ؓVwrzURg˚uKntz>]lO[Cd}?]7)s8;Y6)O#΃E}<6%T?6ޜSS=ݍU+mlLj)WpnN3l*ϖkg
~	' <
^:vra&˻jOsS=P	XWxO\Wcr(~
!:C`Ms4cII۱&-orWtmEMnuhSd#nц+na\/x͗kJ7֑׃ӯ9*?MzLgL@baB
Vv*cy.a(APʉ=loK=FUX3>	SXpއ(|qONKh~?4JRrX[5rh	t8tSp;R
8-x ŒRYTfmmwL+Y+3uo81:<|UZ;.$9M=%VOk$H$V=IS9%
~׹7x=˥(\mmdM MeuUM2+IʛPhARy=BIe.Ak TCAƺWqBҁV_qA=3"o@-rD,9gmЂ"
zu")=QƐ
$)`c<LSY{Pk2@.h3ա	zHp1a%A5x+`H#rvI%IR"9O)rsL&T*me1M4KoAcJ`8ְhɩmI']M7hV=!l`LJ([*j*>Y'-0j1 $FAb(c
,why3-1.6.0/examples/string_base64_encoding.mlw000066400000000000000000000326131440160026300212700ustar00rootroot00000000000000
(** {1 Base64 encoding}

  Implementation of the Base64 encoding algorithm.

  An encode function translates an arbitrary string intro a string
  containing only the following 64 characters.

  {h
  
      Index  Binary  Char    |    Index  Binary  Char
  0      000000  'A'     |    32     100000  'g'
  1      000001  'B'     |    33     100001  'h'
  2      000010  'C'     |    34     100010  'i'
  3      000011  'D'     |    35     100011  'j'
  4      000100  'E'     |    36     100100  'k'
  5      000101  'F'     |    37     100101  'l'
  6      000110  'G'     |    38     100110  'm'
  7      000111  'H'     |    39     100111  'n'
  8      001000  'I'     |    40     101000  'o'
  9      001001  'J'     |    41     101001  'p'
  10     001010  'K'     |    42     101010  'q'
  11     001011  'L'     |    43     101011  'r'
  12     001100  'M'     |    44     101100  's'
  13     001101  'N'     |    45     101101  't'
  14     001110  'O'     |    46     101110  'u'
  15     001111  'P'     |    47     101111  'v'
  16     010000  'Q'     |    48     110000  'w'
  17     010001  'R'     |    49     110001  'x'
  18     010010  'S'     |    50     110010  'y'
  19     010011  'T'     |    51     110011  'z'
  20     010100  'U'     |    52     110100  '0'
  21     010101  'V'     |    53     110101  '1'
  22     010110  'W'     |    54     110110  '2'
  23     010111  'X'     |    55     110111  '3'
  24     011000  'Y'     |    56     111000  '4'
  25     011001  'Z'     |    57     111001  '5'
  26     011010  'a'     |    58     111010  '6'
  27     011011  'b'     |    59     111011  '7'
  28     011100  'c'     |    60     111100  '8'
  29     011101  'd'     |    61     111101  '9'
  30     011110  'e'     |    62     111110  '+'
  31     011111  'f'     |    63     111111  '/'
  
    }

  Four characters are required to encode each sequence of 3 characters
  of the input string. The length of the encoded string is always a
  multiple of four (if needed the padding character '=' is used).

  A decode function does the inverse operation. It takes a previously
  encoded string and returns the original string.

  The main property of the algorithm is that, for every string `s`,
  `decode (encode s) = s`.

*)

module Base64
  use mach.int.Int
  use mach.int.Int63
  use string.String
  use string.Char
  use string.OCaml
  use string.StringBuffer

  (** `int2b64 i` calculates the character corresponding to index `i`
  (see table above) *)
  function int2b64 (i: int) : char =
    if 0 <= i <= 25 then chr (i + 65) else
    if 26 <= i <= 51 then chr (i - 26 + 97) else
    if 52 <= i <= 61 then chr (i - 52 + 48) else
    if i = 62 then chr 43 else if i = 63 then chr 47
    else chr 0

  let int2b64 (i: int63) : char
    requires { 0 <= i < 64 }
    ensures  { result = int2b64 i }
  =
    if 0 <= i <= 25 then chr (i + 65) else
    if 26 <= i <= 51 then chr (i - 26 + 97) else
    if 52 <= i <= 61 then chr (i - 52 + 48) else
    if i = 62 then chr 43 else if i = 63 then chr 47
    else absurd

  (** character '=' *)
  let function eq_symbol : char = chr 61

  (** `valid_b64_char c` is true, if and only if, `c` is in the table
  above *)
  predicate valid_b64_char (c: char) =
    65 <= code c <= 90 || 97 <= code c <= 122 || 48 <= code c <= 57 ||
    code c = 43 || code c = 47

  lemma int2b64_valid_4_char: forall i. 0 <= i < 64 -> valid_b64_char (int2b64 i)

  (** inverse of function `int2b64` *)
  function b642int (c: char) : int =
    if 65 <= code c <= 90  then code c - 65      else (* 0  - 25 *)
    if 97 <= code c <= 122 then code c - 97 + 26 else (* 26 - 51 *)
    if 48 <= code c <= 57  then code c - 48 + 52 else (* 52 - 61 *)
    if code c = 43         then 62               else (* 62 *)
    if code c = 47         then 63               else (* 63 *)
    if c = eq_symbol       then 0                else (* 0 *)
    64                                                (* 64 *)

  let b642int (c: char) : int63
    requires { valid_b64_char c || c = eq_symbol }
    ensures  { result = b642int c }
  = if 65 <= code c <= 90  then code c - 65      else
    if 97 <= code c <= 122 then code c - 97 + 26 else
    if 48 <= code c <= 57  then code c - 48 + 52 else
    if code c = 43         then 62               else
    if code c = 47         then 63               else
    if eq_char c eq_symbol then 0                else
    absurd

  lemma b642int_int2b64: forall i. 0 <= i < 64 -> b642int (int2b64 i) = i

  (** `get_pad s` calculates the number of padding characters in the
  string `s` (between 0 and 2) *)
  function get_pad (s: string): int =
    if length s >= 1 && s[length s - 1] = eq_symbol then
        (if length s >= 2 && s[length s - 2] = eq_symbol then 2 else 1)
    else 0

  let get_pad (s: string): int63
    ensures { result = get_pad s }
  = if length s >= 1 && eq_char s[length s - 1] eq_symbol then
        (if length s >= 2 && eq_char s[length s - 2] eq_symbol then 2 else 1)
    else 0

  (** `calc_pad s` returns the number of padding characters that will
  appear in the string that results from encoding `s` *)
  function calc_pad (s: string): int =
    if mod (length s) 3 = 1 then 2 else
      if mod (length s) 3 = 2 then 1 else 0

  lemma calc_pad_mod3: forall s. mod (length s + calc_pad s) 3 = 0

  let calc_pad (s: string): int63
    ensures { result = calc_pad s }
  = if length s % 3 = 1 then 2 else
      if length s % 3 = 2 then 1 else 0

  (** `encoding s1 s2` is true, if and only if, `s2` is a valid
  encoding of `s1` *)
  predicate encoding (s1 s2: string) =
    length s2 = div (length s1 + calc_pad s1) 3 * 4 &&
    ( forall i. 0 <= i < div (length s2) 4 ->
      let b1,b2,b3,b4 = s2[4*i], s2[4*i+1],s2[4*i+2], s2[4*i+3] in
      s1[i*3] = chr (b642int b1 * 4 + div (b642int b2) 16) &&
      (i * 3 + 1 < length s1 ->
        s1[i*3+1] = chr (mod (b642int b2) 16 * 16 + div (b642int b3) 4)) &&
      (i * 3 + 2 < length s1 ->
        s1[i*3+2] = chr (mod (b642int b3) 4 * 64 + b642int b4))) &&
    ( forall i. 0 <= i < length s2 - get_pad s2 -> valid_b64_char s2[i] ) &&
    ( get_pad s2 = 1 -> mod (b642int s2[length s2 - 2]) 4  = 0 /\
                       s2[length s2 - 1] = eq_symbol ) &&
    ( get_pad s2 = 2 -> mod (b642int s2[length s2 - 3]) 16 = 0 /\
                       s2[length s2 - 2] = s2[length s2 - 1] = eq_symbol ) &&
    calc_pad s1 = get_pad s2

  (** `valid_b64 s` is true, if and only if, `s` is a valid Base64
  string: the length of `s` is a multiple of 4, and all its characters
  (with exception to the last element or the two last elements) belong
  to the table above. If the last characters of the string are not
  valid then either the string terminates with "=" or "==". *)
  predicate valid_b64 (s: string) =
    (mod (length s) 4 = 0) &&
    (forall i. 0 <= i < length s - get_pad s -> valid_b64_char s[i]) &&
    (get_pad s = 1 -> mod (b642int s[length s - 2]) 4  = 0 &&
                      s[length s - 1] = eq_symbol) &&
    (get_pad s = 2 -> mod (b642int s[length s - 3]) 16 = 0 &&
                      s[length s - 2] = eq_symbol &&
                      s[length s - 1] = eq_symbol)

  let lemma encoding_valid_b64 (s1 s2: string)
    requires { encoding s1 s2 }
    ensures  { valid_b64 s2 }
  =
    assert { length s1 = div (length s2) 4 * 3 - get_pad s2 };
    assert { forall i. 0 <= i < div (length s1) 3 ->
      (valid_b64_char s2[i*4] && valid_b64_char s2[i*4+1] &&
      valid_b64_char s2[i*4+2] && valid_b64_char s2[i*4+3])
    };
    assert { mod (length s1) 3 <> 0 ->
      let last = div (length s1) 3 in
      valid_b64_char s2[last*4] && valid_b64_char s2[last*4+1] &&
      if last * 3 + 1 = length s1 then
        s2[last*4+2] = eq_symbol && s2[last*4+3] = eq_symbol
      else valid_b64_char s2[last*4+2] && s2[last*4+3] = eq_symbol
    };
    assert { forall i.
      (0 <= i < length s2 - get_pad s2 -> valid_b64_char s2[i]) &&
      (length s2 - get_pad s2 <= i < length s2 -> s2[i] = eq_symbol) }


  (** the decode of a string is unique *)
  let lemma decode_unique (s1 s2 s3: string)
    requires { encoding s1 s2 /\ encoding s3 s2 }
    ensures  { s1 = s3 }
  = assert { forall i. 0 <= i < div (length s1 + calc_pad s1) 3 ->
      s1[i*3] = s3[i*3] &&
      (i * 3 + 1 < length s1 -> s1[i*3+1] = s3[i*3+1]) &&
      (i * 3 + 2 < length s1 -> s1[i*3+2] = s3[i*3+2]) };
    assert { forall i. 0 <= i < length s1 -> s1[i] = s3[i] }

  (** the encode of a string is unique *)
  let lemma encode_unique (s1 s2 s3: string)
    requires { encoding s1 s2 /\ encoding s1 s3 }
    ensures  { s2 = s3 }
  = assert { length s2 = length s3 };
    assert { forall i. 0 <= i < div (length s2) 4 ->
        let a1, a2, a3 = s1[i*3], s1[i*3+1], s1[i*3+2] in
        s2[i*4] = int2b64 (div (code a1)  4) &&
        if i * 3 + 1 < length s1 then
        ( s2[i*4+1] = int2b64 (mod (code a1) 4 * 16 + div (code a2) 16) &&
          ( if i * 3 + 2 < length s1 then
              s2[i*4+2] = int2b64 (mod (code a2) 16 * 4 + div (code a3) 64) &&
              s2[i*4+3] = int2b64 (mod (code a3) 64)
            else (s2[i*4+2] = int2b64 (mod (code a2) 16 * 4) && s2[i*4+3] = eq_symbol)
          )
        )      else
        (    s2[i*4+1] = int2b64 (mod (code a1) 4 * 16)
          && s2[i*4+2] = eq_symbol
          && s2[i*4+3] = eq_symbol)
    };
    assert { forall i. 0 <= i < div (length s3) 4 ->
        let a1, a2, a3 = s1[i*3], s1[i*3+1], s1[i*3+2] in
        s3[i*4] = int2b64 (div (code a1)  4) &&
        if i * 3 + 1 < length s1 then
        ( s3[i*4+1] = int2b64 (mod (code a1) 4 * 16 + div (code a2) 16) &&
          ( if i * 3 + 2 < length s1 then
              s3[i*4+2] = int2b64 (mod (code a2) 16 * 4 + div (code a3) 64) &&
              s3[i*4+3] = int2b64 (mod (code a3) 64)
            else (s3[i*4+2] = int2b64 (mod (code a2) 16 * 4) && s3[i*4+3] = eq_symbol)
          )
        )      else
        (    s3[i*4+1] = int2b64 (mod (code a1) 4 * 16)
          && s3[i*4+2] = eq_symbol
          && s3[i*4+3] = eq_symbol)
    };
    assert { forall i. 0 <= i < div (length s2) 4 ->
                s2[i*4]   = s3[i*4]   /\ s2[i*4+1] = s3[i*4+1]
             /\ s2[i*4+2] = s3[i*4+2] /\ s2[i*4+3] = s3[i*4+3]
    };
    assert { forall i. 0 <= i < length s2 -> s2[i] = s3[i]};
    assert { eq_string s2 s3}

  let encode (s: string) : string
    ensures { encoding s result }
  = let padding = calc_pad s in
    let sp = concat s (make padding (chr 0)) in
    let ref i = 0 in
    let r = StringBuffer.create 42 in
    let ghost ref b = 0 : int in
    while i < length sp do
      variant {length sp - i}
      invariant { i = b * 3 }
      invariant { length r = b * 4 }
      invariant { 0 <= i <= length sp }
      invariant { forall j. 0 <= j < b ->
        let a1, a2, a3 = sp[j*3], sp[j*3+1], sp[j*3+2] in
        r[j*4]   = int2b64 (div (code a1)  4) &&
        r[j*4+1] = int2b64 (mod (code a1) 4 * 16 + div (code a2) 16) &&
        r[j*4+2] = int2b64 (mod (code a2) 16 * 4 + div (code a3) 64) &&
        r[j*4+3] = int2b64 (mod (code a3) 64)
      }
      let c1,c2,c3 = sp[i], sp[i+1], sp[i+2] in
      let b1 = code c1 / 4 in
      let b2 = (code c1 % 4) * 16 + code c2 / 16 in
      let b3 = (code c2 % 16) * 4 + code c3 / 64 in
      let b4 = code c3 % 64 in
      label L in
      StringBuffer.add_char r (int2b64 b1);
      StringBuffer.add_char r (int2b64 b2);
      StringBuffer.add_char r (int2b64 b3);
      StringBuffer.add_char r (int2b64 b4);
      i <- i + 3;
      ghost (b <- b + 1);
      assert { r[length r - 4] = int2b64 (div (code c1) 4)  &&
               r[length r - 3] = int2b64 (mod (code c1) 4 * 16 + div (code c2) 16) &&
               r[length r - 2] = int2b64 (mod (code c2) 16 * 4 + div (code c3) 64) &&
               r[length r - 1] = int2b64 (mod (code c3) 64) };
      assert { forall j. 0 <= j < length r - 4 -> r[j] = (r at L)[j] };
    done;
    assert { padding = 1 -> mod (b642int r[length r - 2]) 4  = 0 };
    assert { padding = 2 -> mod (b642int r[length r - 3]) 16 = 0 };
    StringBuffer.truncate r (length r - padding);
    StringBuffer.add_string r (make padding eq_symbol);
    StringBuffer.contents r

  let decode (s: string) : string
    requires { valid_b64 s }
    ensures  { encoding result s }
  = let ref i = 0 in
    let r = StringBuffer.create 42 in
    let ghost ref b = 0:int in
    while i < length s do
      variant { length s - i }
      invariant { 0 <= i <= length s }
      invariant { i = b * 4 }
      invariant { length r = b * 3 }
      invariant { forall j. 0 <= j < b ->
        let b1,b2,b3,b4 = s[4*j], s[4*j+1], s[4*j+2], s[4*j+3] in
        r[j*3]   = chr (b642int b1 * 4 + div (b642int b2) 16) &&
        r[j*3+1] = chr (mod (b642int b2) 16 * 16 + div (b642int b3) 4) &&
        r[j*3+2] = chr (mod (b642int b3) 4 * 64 + b642int b4)
      }
      label L in
      let b1,b2,b3,b4 = s[i], s[i+1], s[i+2], s[i+3] in
      let a1 = b642int b1 * 4 + b642int b2 / 16 in
      let a2 = b642int b2 % 16 * 16 + b642int b3 / 4 in
      let a3 = b642int b3 % 4 * 64 + b642int b4 in
      StringBuffer.add_char r (chr a1);
      StringBuffer.add_char r (chr a2);
      StringBuffer.add_char r (chr a3);
      i <- i + 4;
      ghost (b <- b + 1);
      assert { r[length r - 3] = chr (b642int b1 * 4 + div (b642int b2) 16) &&
               r[length r - 2] = chr (mod (b642int b2) 16 * 16 + div (b642int b3) 4) &&
               r[length r - 1] = chr (mod (b642int b3) 4 * 64 + b642int b4) };
      assert { forall j. 0 <= j < length r - 3 -> r[j] =  (r at L)[j]}
    done;
    StringBuffer.sub r 0 (length r - get_pad s)

  let decode_encode (s: string) : unit
  = let s1 = encode s in
    let s2 = decode s1 in
    assert { s = s2 }

end
why3-1.6.0/examples/string_base64_encoding/000077500000000000000000000000001440160026300205425ustar00rootroot00000000000000why3-1.6.0/examples/string_base64_encoding/Makefile000066400000000000000000000021641440160026300222050ustar00rootroot00000000000000
BENCH ?= no

ifeq ($(BENCH),yes)
  WHY3=../../bin/why3.opt
  WHY3SHARE=../../share
else
  ifeq ($(BINDIR),)
    WHY3=why3
  else
    WHY3=$(BINDIR)/why3
  endif
  WHY3SHARE=$(shell $(WHY3) --print-datadir)
endif

include $(WHY3SHARE)/Makefile.config

ifeq ($(BENCH),yes)
  INCLUDE += -I ../../lib/why3
endif

MAIN=main
GEN=base64
OBJ=$(GEN)

GENML = $(addsuffix .ml, $(GEN))
ML = $(addsuffix .ml, $(OBJ))
CMO = $(addsuffix .cmo, $(OBJ))
CMX = $(addsuffix .cmx, $(OBJ))

OCAMLOPT=ocamlopt -noassert -inline 1000

all: $(MAIN).$(OCAMLBEST)

extract: $(GENML)

doc:
	$(WHY3) doc ../string_base64_encoding.mlw
	$(WHY3) session html .

$(MAIN).opt: $(CMX)  $(MAIN).cmx
	$(OCAMLOPT) $(INCLUDE) $(BIGINTLIB).cmxa -o $@ $^

$(MAIN).cmx: $(CMX)

$(GENML): ../string_base64_encoding.mlw
	$(WHY3) extract -D ocaml64 -L .. -o $@ ../string_base64_encoding.mlw

%.cmx: %.ml
	$(OCAMLOPT) $(INCLUDE) -annot -c $<

clean::
	rm -f $(GENML) *.cm[xio] *.o *.annot $(MAIN).opt $(MAIN).byte
	rm -f gcd__*.ml*


%.cmo: %.ml
	$(JSOCAMLC) $(INCLUDE) -annot -c $<

%.cmi: %.mli
	$(JSOCAMLC) $(INCLUDE) -annot -c $<


clean::
	rm -f *.cm[io] $(NAME).byte $(NAME).js
why3-1.6.0/examples/string_base64_encoding/main.ml000066400000000000000000000012361440160026300220220ustar00rootroot00000000000000open Base64

let test t =
  let d = decode (encode t) in
  if d <> t then begin
      Format.eprintf "Failed with %s - %s@." t d; assert false
    end

let tests = [
  "";
  "a";
  "ab";
  "abc";
  "abcd";
  "908ujdas0";
  "(*^HDS)Hl;ady&*(ASD|[]\\a";
  "(*^HDS)Hl;ady&*(ASD|[]\\a'";
  "(*^HDS)Hl;ady&*(ASD|[]\\a'}";
  " dsahn fadslhnoiy90hjnIOG*)YHpn 17uOJASG87oT!@*&%#!ujb c";
  "










 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
  
  
   
   
   
   
   
    
    
    
    
    
     
     
     
     
     
     
    
    
   
   
  
  
 
 
 
 
 
 
 
 
 
 
  
  
   
   
   
    
    
    
    
   
   
   
   
   
    
    
    
    
   
   
   
   
   
    
    
    
    
   
   
  
  
  
  
   
   
   
  
  
  
  
   
   
   
  
  
 
 
 
 
  
  
  
  
  
   
   
    
    
     
     
      
      
      
     
     
    
    
   
   
   
   
    
    
     
     
      
      
       
       
       
      
      
     
     
    
    
   
   
   
   
    
    
     
     
      
      
       
       
       
      
      
     
     
    
    
   
   
   
   
    
    
     
     
      
      
      
     
     
    
    
   
   
   
   
    
    
     
     
      
      
       
       
       
      
      
     
     
    
    
   
   
   
   
   
   
   
    
    
     
     
      
      
       
       
        
        
        
        
        
         
         
         
         
         
          
          
           
           
           
           
           
           
          
          
         
         
        
        
       
       
      
      
     
     
    
    
   
   
   
   
   
   
   
   
  
  
  
  
   
   
    
    
     
     
      
      
      
     
     
    
    
   
   
   
   
    
    
     
     
      
      
       
       
       
      
      
     
     
    
    
   
   
   
   
    
    
     
     
      
      
       
       
       
      
      
     
     
    
    
   
   
   
   
    
    
     
     
      
      
      
     
     
    
    
   
   
   
   
    
    
     
     
      
      
       
       
       
      
      
     
     
    
    
   
   
   
   
   
   
   
    
    
     
     
      
      
       
       
        
        
        
        
        
         
         
         
         
         
          
          
           
           
           
           
           
           
          
          
         
         
        
        
       
       
      
      
     
     
    
    
   
   
   
   
   
   
   
   
  
  
  
  
   
   
    
    
     
     
     
     
     
     
     
     
     
     
     
     
    
    
   
   
  
  
  
  
   
   
   
  
  
  
  
  
  
  
  
 
 
 
 
  
  
  
  
  
  
  
  
   
   
   
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
   
   
   
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
   
   
   
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
   
   
   
  
  
  
  
   
   
   
  
  
  
  
   
   
   
   
   
   
  
  
  
  
  
  
  
  
  
  
   
   
   
   
   
   
   
   
   
   
   
   
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
   
   
   
   
   
   
  
  
  
  
   
   
   
   
   
   
   
   
   
   
   
   
  
  
  
  
   
   
   
  
  
  
  
   
   
   
  
  
  
  
  
  
  
  
  
  
  
  
  
   
   
    
    
    
    
    
     
     
      
      
       
       
       
      
      
     
     
    
    
    
    
     
     
      
      
       
       
       
      
      
     
     
    
    
    
    
     
     
      
      
       
       
       
      
      
     
     
    
    
    
    
     
     
      
      
       
       
       
       
       
       
       
       
       
       
       
       
      
      
     
     
     
     
      
      
      
      
      
       
       
        
        
         
         
         
        
        
       
       
      
      
     
     
    
    
    
    
     
     
      
      
       
       
       
       
       
        
        
         
         
         
        
        
       
       
      
      
      
      
      
     
     
     
     
     
    
    
    
    
    
    
    
     
     
      
      
       
       
       
       
       
        
        
         
         
         
        
        
       
       
      
      
      
      
      
     
     
     
     
     
    
    
    
    
    
    
    
    
    
    
     
     
      
      
       
       
       
       
       
        
        
         
         
         
        
        
       
       
      
      
      
      
      
     
     
     
     
     
    
    
   
   
  
  
 
 
 
 
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
   
   
   
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
   
   
   
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
   
   
   
   
   
   
   
   
   
  
  
  
  
  
  
  
   
   
   
   
   
   
  
  
  
  
  
  
  
  
  
  
   
   
   
  
  
  
  
   
   
   
   
   
   
   
   
   
  
  
  
  
  
  
  
  
  
  
  
 
 
 
 
 



why3-1.6.0/examples/string_base64_encoding/why3shapes.gz000066400000000000000000000343621440160026300232120ustar00rootroot00000000000000}[~Ea_f}0PޗA6xni$__ԩ$j$`0f$?\}KX?_~|}e~7*Uފwwߗ+)kǿ}O/DPO+Z
?@׆-IJ׋
R痔Ѫ?,1'`zfo㯟+6ܶ믻w@b~aHߒ[Nw*:V"˝SS,[}SٳZ>>ESv)H0~{x׾?Oo&*hWQJN-Gn_O?
v$:jNUɑ|7Ss]iq=5’
1)~{;V>o[psxsWç
a/ʙ@?>&=zW~__ѦğX
{+޾t͂/Q:͂+㩩-u-4pnJy7ݿ~.E乤Vs	*[
bJHn}=\6j .2Sb#VG,&~Y?d	t[R8Kw7`+O2Ә l3VB#Brbni7uڝ:ݹ6wiEYq[zKf?
f@aUHYwdۻ/)]Q6$_O?|jf}`mO~r z2Zdl'"a`DdD7l`,\1[zRghKeI*>So(Nr{![LciaJ~_nicbӳ6I˙
K0l㩕2J㣷\nz;KM}RRR~ԹRR;VRX_sRH1{::6gl7chXv=]SvOi,տ^}Sϟ/08#(!XDS.~P-E2܁seqP+vfkY51J1JZg]WI~
<(1NB/I}z}zcf踋⭾%nf8xy|#}
4o,4H!y*FgjqYp'kD=ջ$[<3|!{x݊A-ea^Nw<ͻXXϷV4f˩7񳌟i~̾a;58;93x2+60|xVzkIw~[õuuզYm	G7w2r4=bNWZt\.ceE>+׏jh Nn͜j 6]s>eǞuK\	?glt/ƙ2?>L/o実5_okfht:R.F=3iwk*r^EΫu6~0Ga!C9sҚvf+2`How{$pJvC4[?O~
mO;YW}9-/e?~sìO87Rvf|Z#8.q؆͙ud\;5勽1
~3W9}Ĝ~Y[jsNmNFSY0*-ΗXvkCpFh%Վytl3/U@Z^vg	}<uX({q}^ {w|1+ᬶMl"yLyܭKm]
cs%M*1-WתoH=	hq5e[KfA.dB{!#'3̢*,i&LfP$u8\H?cG^WކOr?E6mkzҮ
/>
{2sBfK6.avmiVð44Y /q4Id:DabR;$P8@Y#r<X|N*(۴}l,rZMӊʿ-g¼~d\W"@?YӻcK{}\mh?cp9&y;rHpnY^~ƟZN^)^%?5rO>+G\\MAռNF,x䪽|Yu'x;&6{IcގpuzͬI-T8NњKN	O!c9sH
sH!CĭgЉS}8gjŜÜGsF/^8T}R}P}=>R}T}#YYo!S"WcDrUk;;jx/;L]A
2i!seaz-zZȜv2B%P|0 <
ygQUlJ.id]V#nYGv]Zm.Q{
z{UGr\yWC p|,PG6}o{C-CFZFڟhh9
?g|=sk9gLϯGr-v_fi{1k31/3NO;/3f2C2C[og2{GˑZ4*3Τ:czWhgg0RmF#NԒc8뙻 5NzwuOqiȄY3a0;L#&̒	{hsF6IPpW,AIQl-t57vsGecGo޸\~W#ucTGk$Dh}/7gv}]Oi
p,jG9{I^ν9|$f>Lnξgc?_P=Bz5<#mTj&y??NgDlhtf
%kXÒ
(z'OEMEv{NISqbqS#u՞8ct{N\F1eޟ&iN%4H{(Ic:{}RŗnO8f~BjayxrW#%gtپ
'F_

VxEgf`Gv&D5(krfk1͞%lo.ͺNbqZ:.\Gzh4Зa^P:[1.ɵg\9[1dΎ`tٯ*܍ďt_#NoQav%|Tgy.w	tV˧)QUo~oo_mov-jpui>\^>cw*
[\?]}{~WME3z,7,WOgڡuߏޭJ<r=X1wUьzv$yoYt3Mk[2G[Άu[d"âWb_c>EWb~G򖝼>+0|,r)B[t*u wIqjȁZvv%z䡶sb&}Xhfջ3uoN[ƒ.':&1V{3Fv\d3wҶi] (\}}|QY]FϪ.чK_uQȾtϨK|..tRP:.ISf6z:9K[hm}6XynR)Rl!HH]}%pv~K>|K5mD_zޑjKjsPKdeVݽvă
;֡mSRzڬ-Α66`WiUc)6{_<(UOn_wO-WoGү-Mdw<7-_d-_`sn<_fNÝ6on[S
5u^e٧ݦC^ޙ"}͏pDgdHѝUHύjKC>so'g{KT;ǯ1ǿtE^h4Nci_dPL;PX<++BQt^"7EV߬
{1{^{9늜W3q!nL&g˟0PwBW?3Խxcevz^LgN)Dr䞢VnGAG d)ܽ'*vq&#ohK{(kE(}CrmseXY6l_FY^EP;?O3=ߜq*$Db9"/B~^ΰVN9}pփ]4[Kl|1w{|Y;GUW)\:5:=ᇒ:/Q;`e+v-A,$:oVJy3nKf{їb,ۇ߳W	۽mIޞ{ے̱]Cr>hs6gy
|Ò١TK"oS޳|Fkpŭ惄4\cۙsM\೺z|pA7UM,g%3otKTϝ%Koںz+ԎeK%GqvXmXt4v~݅1R!eIN+tzVZ{͸ׄz
?!z]}<	QEwSrXry~;.,e<6d
%j_*DJNvhlYm?u/yv#9.խ>u~G]LZu=GNwKg.^&lpz6!uJgh_x>Ur[S[K'/Hl[x:~ݻ4ĵm6n$6*K4nBZCDSgG8S$ʃRGɨ	{eQiհѽ7]Xgf$`B_Hf'!9]z%u܄ّpYX}d}T/H[VG|Xvf$IvzZA]aXdlddjwۦa9ڟ/\SϦt8=z?zaϩ
SԶ|ܺ\TmƝik!'nCڏH<<{*O幀	ᲄ ب$<_**V/HMQioX<_S_{~&rkcn.vmMlչjyn=;\c[{KLu"t4"q}#[C:^,Ct+hR%\x9FyU~7	ⴣ#][
oXEk}v%,q-R
Ͽ>.SQlI¼K{]nj;tW%i97o䞎.ԝ6__|7~]~iq_kӑ伤-K.>sx{cE3k@`RIN+y#4r.'eQRN%V.]zE:\V-lLt27M%VښQ$C腼r7Hk֖\ІIAZhyk"aTT[ju6w%MJdiJUᚌ.B H+$+,"Sl%%u%blM%kR^%guJ*.*{F0ЪuZgW$Һ+7QQ&Hh)lUWvXA:Prk_;Da)`Fn *[smmTB!Lĕ7*1qzAK(Z@y$17 W͡Q(!In$[{:+(鱴''ӬPZ(I4#nԉ'+9_)>@7ZP!C쬲ՊJ,UC1jH$@6QedaP9dٸ$Hٜ[Զ1qD5^䊪
0ǭ-)/<3O9W!
Q˾Ь&Lh*nT8n>QӖR6u)N%hQA?Q*"XX9ZJc+Ss-Fr*S`H`C4[7˘c	(	Qdm0|lRDIXDkRXl%Wd(sdzozU_aI"(jQPrʧV#anA7O!TSwcY6]T7@`S

tRɱ6tw.LX\
rN|GQ:H9yHevMHh-VŲY0!
ltۥ(DŽzh CNY~
n5#S[@~F&k[	&' #f34&
n*̉#)Sl/UL7b+!]s*}/m=c
`4x?U7nU>rEMpKRhj1GԞ{"5 "HZ$balO<_k$PNK50`m/@+ @W1bR&)k8C[TP|Ls*	{iG^&\&2GפM花r`Hhxt Pa0c.g.a@ 'SФsf{x o%L5;	#aduB!:F3p@YL
:8e>'I2?gvQ]y{	=d*"W]?M;͸jkr1O%x."K(E`~"I
\%cBIbD >Vޞ:L${n>#ƒ׍tBу5s4\%UJXy
"xQNg_]-HtC<
Ct	2klp[`	-:Oi0C(I4"MN<V$ёnBdaHN+ekZCCg+YLF/߬C
!Ԓ6„
>|Xa
Ě:9^1D'DCQQT@Q!n	n+Ua\N1KbbƎ-xEbGN'MF#̻hHO(J<&[قuGr&^p|a8X	c+M 'YF$WB%<bht4ygCg+pThXWH .mTn%!Z1D"C`V#&{*_A0k0lrӵ^<%V`(q*`[r#{]WG$k~
CH6LS$&vb}=&=0$1[InK(q=1Zp:*idkPQ6>\@P3!+ntVi\uk~X+)bjlĠzLlOJ׀BhDZ%U?q%8b}v!e$\g=d}!E{m#Ȫ TNxhy/,(Bcr3j	p632Ua*cp1	(bYQZn⣴f"EotFI,dFW=]p(@f!VTws0$+4x%B> jcĒ#C"8Z-'1z]΂ԈaayQϗWQpg+p|PAk^ʢL$~\+p#g\CS0MQyz_InF~-SH.t/!6b/@$7ڜ&׼%b$Z+}Ma!7#^{*K1hX5buΠJ0OGNiݚ;&5I&5p
pPL}6Jg0JiqZG5ꖸ?X7`W#b5:jJ^
WbFX8
\iE- }L`9VуY1(@VkUYAAW+UҠ*(	Qa:';xD+#|$4U)-q[cH'=0-iE(rq^mMGY,mg/ӅAFҀ&rBڧ 21T[vZDÃb%W  TcBOԊM&YAB	+Jq[^(D僈b0BfsU)-lD9Y
ȸ&"dO"lth&rU!'aC(DsdReJj!AĶZdR2qҗ+\*	%r*Ml"x
H9K_vp.}&%kKJ:4ک5h,n#4j!Y`PSP<Cξa`Kж/mgɁB
--[ko*
aLSThRsW0Щ,b2^J2ZhʖBc!`}siP\n	T=z-X-fwMc^1eIkBJ9g]axІ~ا5r{C?\+C_@I-9"LdBlʩRxzK-4	ZUq̚+J|BUD6KjHSLhΪm		ZUEZ+T(DiLFdҪB:(8xȘELLC?@s8+ڜUg)*Y]u"矘k'B!uu6p /Ps}K.B nCF-
q{%{+r\$2w$ѻ=o]WrzMX2IψC1/j%92ǑC$b4lR]$f333;Y&^2D? 	R0
XVҏd-!VY [*`oOu9QO
_C`Plc8C=ks.1Ɉ1
ONd6Y@ᒿO	>V
Xd>47/ì1PJ	N/1b$_J}MNK
(%m*8Ϻ6TŚp
6^	iskxdu
:YE,Ԥ3nշq9K*8)]Dϫ
Nn7FP]
D-鈶V#8
myb!#Ct};gY
$/
VR9מcPVok	pl7Bd@
{擿8F$pj0FÚŮrb|rIW6Sojm$%c)QQ>D14 #)ZLo;H0yJUH$wp"/dY4W|]"cDoq!4궊8[,Ԡ%~bI
̮D tR{.{󃧾
;lvwz⾏ިcP O6e=ۄ=XȖI }RQ)eD5ͯz\c,mϪ9**,˄wD	;x^w^*zg 1h#zOMN']jB̄ZUԻnSMIEՈKI0qRhVajQ.|u!L%hC?W9Y68c@
bV^\sQ5J'rbg@a`yT#sjvu!wH)`
m3JJmJ^)6`7q29Eĩ5sФ9*I'N
Sf LR`6~9j]Q-9Ll}69h<53JnRn?DJJݷUsJ5@Ϥə™oιS|UxhqRY圩f5Gxjz
[AiK6y*"5KrH߲5"%^EZ&6irh_1ՈID&5E.!-s9O>EJAekyS-7hWJșx)rӐZ.)WMFU$HB7hfZ_ţ98Y4٨hHu)^^?SQ6 v+UF;7u8R[6<_"Gp
4#OL$PMeͣ´,5{W+ "uW-2MD$'/&浸Vr9d3GrbM6)$*՘"R-q=,$j8|:a+B7*b*Ƙec	ojlZy"1p=c_ddm:[xdO^`Qkka8EL[T'[*еlBAUDtԊtZ+Uzf}%b1M
r3ѼG6lI hZ58үU	p+КJGr7e0Ps8z
8M̷}o5t9=7q/håݮdFͪPhW%$`]E۔lH1טIg$;I{eZ;pc_֒J(:"1ByGN7ZPeN5J@ |ΓyRWbZv(PS܁'Z! Y,sVrv8Z'jCft)ڢ$|u@IFJV,H٩GZC01$}$K,րVg%!k3&kj@+1
$Ms.&Nk3fA(o	j>-%7`R-pC\_LJQak^}2nc x=	\'ĞoW&Gb*9ER=6sALo~0êPd쾊]ɒYNFl|ƙORgBWygM,w2,URDAy+JGPh5i%bS+0a9.y*|*["ryVQtJT~J*4[{>
q4mrUR"C:W'p!'j)>,=>O~,Z|榩9Y .IFiP
)@CÛ׭|%C||Y̓ZYr|Q)YOhWtC_0C[T

)s9>R+q̓[:q;/*&iJ|rd+OC@I맷*k9"R̀&;5AiLcgCUjڈ	 V3*Z0J)+ sCjjblJ`^bnPv}UXrhp"%8_^v9	>+-=(-4YRÿߩ$evj8⅗	X*\JN)c_hi+iAs)sʮebMZVd׌adQ
5E>.I~j5ܸ)^
z#]pd^#0aB(;Ckh
1|,X:Ij]*A-ZApުZ"6(}RŕEmk^32E'|fvKJR#[_;D3|՘z/&'hPE[u\

*oN[\vMhtrZK4z\RPev S'#ƌ r4pu9U|n57ϾI	4Wk*$j0߯mIee^aS@=p#3 q“n0~Ǡk
"v$(9*Ad9^yċosb4|^'B3tnD6(xi^Z{0v'4>w@TNAH
N	w`-"'S䒨6# -.sá(CJfrnMSvOfZܽP6e`z"|bdǠ"7txd#g	~E2Q+{Y@%qmQc	ǻț-g7RKky
7fJB$q.z㾟UGŜ5,>SժG>0<"
61ђAk+~G
D9'#JX61pcvz#;L
îq{b%Zk^
(9zc)bXz+yz\\G:k<2dxͱ>OOu	[thB0xU{T
;n]HHev> valid_hex_char s[i] )

(** `encoding s1 s2` is true, if and only if, `s2` is an encoding of
`s1` *)
predicate encoding (s1 s2: string) =
  length s2 = 2 * length s1 &&
  (forall i. 0 <= i < length s1 ->
             s1[i] = chr (xeh s2[2 * i] * 16 + xeh s2[2 * i + 1])) &&
  valid_hex s2

(** the encoding of a string is unique *)
lemma decode_unique: forall s1 s2 s3.
  encoding s1 s2 /\ encoding s3 s2 -> s1 = s3

let encode (s: string) : string
  ensures { encoding s result }
= let ref i = 0 in
  let r = StringBuffer.create (length s) in
  while i < OCaml.length s do
    variant { length s - i }
    invariant { 0 <= i <= length s }
    invariant { length r = 2 * i }
    invariant { forall j. 0 <= j < i  ->
                  r[2 * j] = hex (div (code s[j]) 16) &&
                  r[2 * j + 1] = hex (mod (code s[j]) 16)
    }
    invariant { forall j. 0 <= j < 2*i -> valid_hex_char r[j]}
    let v = code s[i] in
    StringBuffer.add_char r (hex (v / 16));
    StringBuffer.add_char r (hex (v % 16));
    i <- i + 1
  done;
  StringBuffer.contents r

let decode (s: string) : string
  requires { valid_hex s }
  ensures  { encoding result s }
= let ref i = 0 in
  let r = StringBuffer.create (length s / 2) in
  while i < length s do
    variant {length s - i}
    invariant { mod i 2 = 0 }
    invariant { 0 <= i <= length s }
    invariant { length r = div i 2 }
    invariant { forall j. 0 <= j < div i 2 ->
                  r[j] = chr (xeh s[2 * j] * 16 + xeh s[2 * j + 1]) }
    let v_i = xeh s[i] in
    let v_ii = xeh s[i + 1] in
    StringBuffer.add_char r (chr (v_i * 16 + v_ii));
    i <- i + 2
  done;
  StringBuffer.contents r

let decode_encode (s: string) : unit
= let s1 = encode s in
  let s2 = decode s1 in
  assert { s = s2 }why3-1.6.0/examples/string_hex_encoding/000077500000000000000000000000001440160026300202425ustar00rootroot00000000000000why3-1.6.0/examples/string_hex_encoding/why3session.xml000066400000000000000000000220451440160026300232650ustar00rootroot00000000000000







 
 
 
 
 
 
 
 
  
  
   
   
   
   
   
   
  
  
 
 
 
 
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
   
   
    
    
    
   
   
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
   
   
    
    
    
    
    
    
    
    
    
   
   
  
  
 
 
 
 
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
 
 
 
 
  
  
  
  
  
  
 
 



why3-1.6.0/examples/string_hex_encoding/why3shapes.gz000066400000000000000000000060461440160026300227100ustar00rootroot00000000000000YKϯH`
ji˱GHvvRkxS&b=jjλ|lҫ¿Ͽ^{lkqݶݮ	r]YϘտV853I#sQ(H~:ڽԹ3[o6lܥZ.z\,*^5gG}Dgnq?7s_ᶯ:=?^m2/xe65[纭wɑ#p_A%>4s9'QM{lqd
cy<*[݌,̮jCfvf_MzzɝႮ|qw:n?Е>*ӗa'm+5\:J[5~xc8Q.~?w~wY񧟮7n$ϫWw{\o}?O>y
&'[<_#owy9[55$\k2cp7cx	}M"(ZaK
%AmpC.7SQʶv&uk(?n0P@8*7\PžIUv6(% 0K0%\P֢fZgvGvV#NV1jYԹ
^YM}^zad58w"/fyyQt6[7c0Nծ_/amgnA/ ;rz9}܍RyTs7SuvN_]93a}è:Z6/zs*IQ%{fԷ;o:X6<>5K(X|K!=6*)XɭG x`Vũ۵m}ncyqz@-].Ē_ohCrBߧGQAO`:Y5-/9Eq`
*&Wq3﬿-~9x` L$EgtiE8tN"d:K{5Cr7S7"biF+9_9E?9f
Oc0pm2x4tSוJ^lz-Y79FV=WL;9蜍]09d(LᬕʚJIW4+M.X?q'w%WnʸduR^k)M^ü02I*;A^qmaW	Fp!3&;JF2n^唴XB4ʋXI&@BydBL[-(M53*d9E`vib༲hheL -NH`RF[ƹ69$tIY/	f\cdPZ0,!
\م-H
f@dh+3A \evr{ B.yxx*YGשW$ӤIiй)&#b1%WR(S%9DU*
	sEv T%LJr	I!3%4WS)E0zj219.kYˀ+Hm))ɟ'(RYxy6)AH}YarlH7Ɣd;n	v% !\}p4(c%dGEdY^I7Hƒ"p6
QHŬX֢8~	>z,2%I!˨MT+P?Y]-:D&5:J!*'kԠdSD?5PqT픍|K?$T[:E1]O(
֒D,$r6|XD(e$DREO:Ɛ&tr)\٠Se:š;UV54hT&XaY.3l0@BF7YiN|8MTkwm󁱈@<Ea	IV-sY_B$*RXQNTw4eiLDP	K T@8"E^S
20)S&"yDM~P9Z#rF%Xn#j/tF2P²e``b^-:af:d2p
E6 matches pat text p }
  = let ghost n = length text in
    let m = length pat in
    for i = 0 to m - 1 do
      invariant { substring text p i == substring pat 0 i }
      assert { p + i <= n };
      if not (eq_char text[p + i] pat[i]) then return false
    done;
    true

end

module Naive

  use int.Int
  use mach.int.Int63
  use string.String
  use string.Char
  use string.OCaml
  use Spec
  use Occurs

  let search1 (pat text: string) : int63
    requires { length pat <= length text }
    ensures  { -1 <= result <= length text - length pat }
    ensures  { if result = -1 then
                 forall j. not (matches pat text j)
               else
                 matches pat text result }
  =
    let m = length pat in
    let n = length text in
    for i = 0 to n - m do
      invariant { forall j. 0 <= j < i -> substring text j m <> pat }
      if occurs pat text i then return i;
    done;
    -1

  let search2 (pat text: string) : int63
    requires { length pat <= length text }
    ensures  { -1 <= result <= length text - length pat }
    ensures  { if result = -1 then
                 forall j. not (matches pat text j)
               else
                 matches pat text result }
  =
    let m = length pat in
    let n = length text in
    for i = 0 to n - m do
      invariant { forall j. 0 <= j < i -> substring text j m <> pat }
      if sub text i m = pat then return i;
    done;
   -1

end

module BadShiftTable

  use int.Int
  use mach.int.Int63
  use string.String
  use string.Char
  use string.OCaml
  use Spec
  use Occurs

  clone fmap.MapImp as M with type key = char

  (*
   ------------------------+---+----------------
                           | C |
   -----+-----+---+--------+---+----------------
        | ... | C | ..!C.. |
        +-----+---+--------+
          0                  m
                <----sht c--->
  *)
  type bad_shift_table = {
    pat: string;
    sht: M.t int63;
  }
  invariant { forall j c. 0 <= j < length pat -> c = pat[j] ->
              M.mem c sht }
  invariant { forall c. M.mem c sht -> 1 <= sht c <= length pat + 1 }
  invariant { forall c. M.mem c sht -> forall j. 1 <= j < sht c ->
              pat[length pat - j] <> c }
  by { pat = ""; sht = M.create () }

  let make_table (pat: string) : bad_shift_table
  = let m = length pat in
    let sht = M.create () in
    for i = 0 to m - 1 do
      invariant { forall j c. 0 <= j < i -> c = pat[j] -> M.mem c sht }
      invariant { forall c. M.mem c sht -> 1 <= sht c <= m + 1 }
      invariant { forall c. M.mem c sht -> forall j. m - sht c < j < i ->
                  pat[j] <> c }
      M.add pat[i] (m - i) sht;
    done;
    { pat = pat; sht = sht }

  let lemma shift (bst: bad_shift_table) (text: string) (i: int63)
    requires { 0 <= i <= length text - length bst.pat }
    requires { M.mem text[i + length bst.pat] bst.sht }
    ensures  { forall j. i < j < i + M.find text[i + length bst.pat] bst.sht ->
               j <= length text - length bst.pat ->
               substring text j (length bst.pat) <> bst.pat }
  = let m = String.length bst.pat in
    let c = Char.get text (to_int i + m) in
    let lemma aux (j: int)
      requires { i < j < i + M.find c bst.sht }
      requires { j <= length text - m }
      ensures  { substring text j m <> bst.pat }
    = assert { (substring text j m)[i + m - j] = c };
      assert { bst.pat[m - (j - i)] <> c } in
    ()

  let lemma no_shift (bst: bad_shift_table) (text: string) (i: int63)
    requires { 0 <= i < length text - length bst.pat }
    requires { not (M.mem text[i + length bst.pat] bst.sht) }
    ensures  { forall j. i < j <= i + length bst.pat ->
               j <= length text - length bst.pat ->
               substring text j (length bst.pat) <> bst.pat }
  = let m = String.length bst.pat in
    let c = Char.get text (to_int i + m) in
    assert { forall j. 0 <= j < m -> bst.pat[j] <> c };
    let lemma aux (j: int)
      requires { i < j <= i + m }
      requires { j <= length text - m }
      ensures  { substring text j m <> bst.pat }
    = assert { (substring text j m)[i + m - j] = c } in
    ()

  let search (bst: bad_shift_table) (text: string) : int63
    requires { length bst.pat <= length text }
    ensures  { -1 <= result <= length text - length bst.pat }
    ensures  { if result = -1 then
                 forall j. not (matches bst.pat text j)
               else
                 matches bst.pat text result }
  = let pat = bst.pat in
    let m = length pat in
    let n = length text in
    let ref i = 0 in
    while i <= n - m do
      invariant { 0 <= i <= n }
      invariant { forall j. 0 <= j < i -> j <= n - m ->
                  substring text j m <> pat }
      variant   { n - m - i }
      if occurs pat text i then return i;
      if i = n - m then break;
      let c = text[i + m] in
      i <- i + if M.mem c bst.sht then (shift    bst text i; M.find c bst.sht)
                                  else (no_shift bst text i; m + 1)
    done;
   -1

end

why3-1.6.0/examples/string_search/000077500000000000000000000000001440160026300170555ustar00rootroot00000000000000why3-1.6.0/examples/string_search/why3session.xml000066400000000000000000000357011440160026300221030ustar00rootroot00000000000000








 
 
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
  
  
  
  
  
  
  
  
 
 


 
 
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
 
 
 
 
  
  
  
  
  
  
  
  
   
   
   
   
   
   
  
  
  
  
  
  
  
   
   
   
   
   
    
    
     
     
     
    
    
   
   
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
 
 


 
 
 
 
 
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
 
 
 
 
  
  
  
  
  
  
  
  
  
  
  
   
   
   
  
  
 
 
 
 
 
 
 
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
   
   
   
   
   
   
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
   
   
   
   
   
   
  
  
 
 



why3-1.6.0/examples/string_search/why3shapes.gz000066400000000000000000000125341440160026300215220ustar00rootroot00000000000000[[o;r~ׯaK`c@8Ol^kK^i|ivF: vl~~ǧ\?*|Y42އo?|WaLw?
q={DD=OO=~(޲}ڽǏg֫5RN늰o?wpǧ]X3@<00y7{уaw3}SONdU-hgyWoy?EiL8_S}2Eܯ/M>l3ba[[cnS~ZEo/x.n9#~SĤU;0i"ƟOG['­.ick#y~XіflDDVYms-܅)+nuA#hfs}3l|lf˧g?ѿk=7ahBvG+kּeŶ"\@"m1lY^,Zg=N19OLEVq-v:`Nm-JrnfMewʼnOI&xa
q[)Uj9ߏZV_)7}E榬0E_Rj9z"(N~IG&>W)-嵘/w=ƾV x^f/p8Igu^8\r]3~o'yǢ֟2uJty25kr$&	hlC8:M43ˉVM6rЯ[Ѵ4sVp2Q].Nr_HO@jjl^ԬPvf!db|PmjQtsILاSA9r8T:ޥh;>\V
 c;B8u,UiF7	j&؛5	eƨh?SbH
boۂo<
>GWS$E…	H(?ḩ$vddOa dG=I<_ۣczYj$Y5t/K7zш=`39I,`}4Ƿs|hqi:M	ӗ]އ[HG6i˫iVj@|~}ۋ3N&p~l@Ssh>9H&Fc̩uLv՚I-Nlm̴\Cʸw~1y+%-Ү%#zhLk)pVV,*+nOr ^آ?D?rduy}s-HxCIx"Ѐd
`/cj"o|59cs75f:@jBFĒeŖ"BKJKU#:/Z)K>ҥ
LJf#b^~SOPp~@XM.@xǽgiPpՌVTUQd]rsMϵ뱭]P4[nnsxΞe_V:ӤAo6@|Nb8:JIM8(G@q@T
=|_@p[Q *eRaG/:k[b1UV\eUpa+VF{xskwx10R_^:C1SlLU\W#}¿JZ#ԡw
gz@?|3T\rzwxN	u~qa7AlCg4x\vMۇcRz9!GǤ-5'rK]J!/Xx3eNb
5*絽i!0{Al""}uѦ'Ǡ)ZGbSU3Fθ7wǧJw	6Z_VW5Jg$S
ofQ"C%4fd~>*U*߭p<޼OɖS`y~liX|=6*)H%-	߻sxh#VJe!=ﮎ)k9$ī]+k'`JrYᆫM+k3U+gt/USW9l{f:+791Y[0rT%S[@t.c.|R^M<(-ݧj֤'ӨL{Yïq7dQSiRZ_=Rg`~D9.H-!Wzs*ܮ*hz!ΎthoovgkzD=ՊnIwueRRy/eYT-v#ݕPʊΆ*tQJnsP+ݘި܈
߰+jU2imL1)d9I2{߸fBĹOb]]\	lprl833G<:]svE5R@.IwQŒǴSܯrPޱ5֫e4.N5<-B`\̲H"؞RRigBmsTl*N+$[b,#}ɺ,AXN$㲁H%rᦈ-a'1],|-FE%Db*cBӞgd6'$@8["F]tدē*
!–&TF-S%$Jg´2D5a]
9$-u
.ɎH5r˲N\+f-A
,؀f2O
N$\igt֠W'RQ
,̢ƅ)VVJS%qAŗTbR%7`P|<|GH".l>W\X"PNjR,+
,yPJN0L(9edf?ǥؐ=aJ ;3E"/

g$:ͱI#x'c	EGrpi9Zn|&\NKft%8dg=+54鳓G|	X҉t,ZU;HN0`4d_Ek6ڪ2yRIii<Ɖ4+=`qOYX:zHڟ#HvFY鐙E_]oVl
B^גIad|uXWJY*sP1F0<(BR΂	Xpa	:J(%z5g7f	X0	k
FS8
͛d8r
k\Pv(B7nƑR2JM0+a,HPd:.	Ph4&6f/Wb}W
[
ºmL7_!̻?&ڎY$H8U+7Vc]9:8~wH>Q@15uC"M"XО\r,
ne*;:*Lxԑ]	F'ɎU~YrFԱd$
:;qjG
FXPZB;]f) $th)8021FIRfUA
{k<۳s0hD>'*9YcM>U_.<˛;>xX]&5zYYw`vp@5DY[GKPzKxSMJ;Z4*s>D!ZWFxywB F
G֡7r硱;W,MbAU"#UcpH!/6#jt)nI=GB%!QR^׍\P20ׅ&0Í%ҴNM*T82~H'Klƚ4%]A"Ѫg/aڟ<ʬB,Z١
a=`Q%fW~:Xڤ.Bq\⣄Y@S9f.a6EN2p!ԫXnd.hVyIErr/*PlkLH@79s@3YzX
Ka\jNS1yr>!	Z@?gYJ*1` eCzKQ.ylzzi$bA8`s:Imx1d-L|ل5Gc\w~ǥ~1Nir4$ Z"P*oy8צD*GД6uz݋9O6kGd9jMYq46^WNV@L*9DM="9y޹ˑo"RY
aFf&	A3*eF3"Tբ@VEs*ԻtIy*Q5VԱXƛs*ڌQ :V=Z-#~+n<Ң6ThW9B&ׇ7	sA2c{,*
u%MH@%*2jz@-:>ȅ-LfIl**MNR,ǾpSIb>:KFMW<7^GfLHyʠ(G{yq	5ea?G!3,%R($ھXQ}%R{@`YH!} H&*{KrGh%4Yin07STjePζ~rQQ,;Q{&6zA5=V2j)XFHEӅbRFÃ(rs1tLƼ,sz$$GNt¨kKyaˤVSt>G3n!耉bvԨ2
F2=LUN,Wwhy3-1.6.0/examples/subsequence.mlw000066400000000000000000000025621440160026300172720ustar00rootroot00000000000000
(** {1 Subsequences}

  A subsequence is a sequence that can be derived from another
  sequence by deleting some or no elements without changing the order
  of the remaining elements (Wikipedia).

  Checking whether a word is a subsequence of another word can be done in
  linear time (in the length of the second word) and is a nice example of
  an optimal greedy algorithm.

  Author: Jean-Christophe Filliâtre (CNRS)

*)

use int.Int
use map.Map
use seq.Seq

type char
type word = seq char

predicate subsequence (v u: word) (f: int -> int) =
  (* f maps v's characters to u's characters *)
  (forall i. 0 <= i < length v -> 0 <= f i < length u /\ v[i] = u[f i]) /\
  (* in a strictly increasing way *)
  (forall i j. 0 <= i < j < length v -> f i < f j)

val eq (x y: char) : bool ensures { result <-> x = y }

let is_subsequence (v u: word) : bool
  ensures { result <-> exists f. subsequence v u f }
= let rec aux i j (ghost f)
    requires { 0 <= i <= length v }
    requires { 0 <= j <= length u }
    requires { subsequence v[0..i] u[0..j] f }
    requires { forall f. subsequence v u f -> i < length v -> f i >= j }
    variant  { length u - j }
    ensures  { result <-> exists f. subsequence v u f }
  = i = length v ||
    j < length u && if eq v[i] u[j] then aux (i+1) (j+1) (Map.set f i j)
                                    else aux     i (j+1) f
  in
  aux 0 0 (fun i -> i)

why3-1.6.0/examples/subsequence/000077500000000000000000000000001440160026300165445ustar00rootroot00000000000000why3-1.6.0/examples/subsequence/why3session.xml000066400000000000000000000076011440160026300215700ustar00rootroot00000000000000






 
 
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
   
   
    
    
     
     
     
    
    
    
    
    
   
   
   
   
   
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
 
 



why3-1.6.0/examples/subsequence/why3shapes.gz000066400000000000000000000025261440160026300212110ustar00rootroot00000000000000Vj#G}zf"Oa^BXoY$}[kdYgN]N.dr򜟖Ï3𾣫(h^4'zޚ~g^w\e1=W$ѺzRky;:v7=zݯtp皣حa.>¡~)=ӜVSen\Ҝ[X3vO9.|l}_|{_6 a-J%;n
ԆƥlW[&ϯG,5l
)h/fS\^oO|.cҫtmweNhWO:>/s+h,KeVN1NQםTNj5m;/ͷ9T]X|ޫhY7YL[YGFZ@ѱ?Ets7c/Vkm}9^wmWlc|y٩n(jf"`[Fڷ"WtbZT3k6{3{Ky{l jqwe;֡hzpzH;f3mHfqm@h}P#UJy3o
DGAg
`5Ќy2H#U
]3ֿ=/-]nْ
UC({W3spbR:4;-[ڋ8c~k{L|{1h3hULz+uՠK6/quoRp neROA]'	q<첔(S
(\p4Q+谠*6
RvN`C]o{^zOB!bB^&oepFGBN}P![!u.#(~p
(Oc3DPX
[rQoX&j)	چ(
Et=8\9K!.^X,Ik"^t*A8Fp3
fM8PTf8DE`FoA'(
DRfFn!%"bRS
ROe@dWI 16gӿYk3M=?),mg"K}F
KTR:0eG}JfVCўϒIkX&!
^1O.aޥRQPAYNM+\U:Nd]d` 2#z뤤./T##1?L fI,YJ@e[P!	Y
&AREG%hKKWۣїlN(|};p6D/Jwhy3-1.6.0/examples/sudoku.mlw000066400000000000000000000566441440160026300162740ustar00rootroot00000000000000
(** {1 An Efficient Sudoku Solver }

    Author: Claude Marché       (Inria)
            Guillaume Melquiond (Inria) *)


(** {2 A theory of 9x9 grids} *)

module Grid

  use int.Int
  use map.Map

  (** A grid is a map from integers to integers *)
  type grid = map int int

  (** valid indexes are 0..80 *)
  predicate is_index (i:int) = 0 <= i < 81

  (** valid values are 0..9. 0 denotes an empty cell *)
  predicate valid_values (g:grid) =
    forall i. is_index i -> 0 <= g[i] <= 9

  (** extensional equality of grids and sub-grids *)
  predicate grid_eq_sub (g1 g2:grid) (a b:int) =
    forall j. a <= j < b -> g1[j] = g2[j]

  predicate grid_eq (g1 g2:grid) = grid_eq_sub g1 g2 0 81

  lemma grid_eq_sub:
    forall g1 g2 a b. 0 <= a <= 81 /\ 0 <= b <= 81 /\
        grid_eq g1 g2 -> grid_eq_sub g1 g2 a b

  (** {3 Grid "Chunks"}

   A chunk is either a column, a row or a square.

   A chunk is defined by a starting index s and a set of 9 offsets
   {o0,..,o8}, that thus denotes a set of 9 cells {s+o0,..,s+o8} in a
   grid.

   Each cell of the grid belongs to 3 chunks, one of each kind.  For
   each cell index, there is a unique starting index respectively for
   the column, the row and the square it belongs to.

  *)

  use array.Array

  type sudoku_chunks =
    { column_start : array int;
      column_offsets : array int;
      row_start : array int;
      row_offsets : array int;
      square_start : array int;
      square_offsets : array int;
    }

  (** Chunks must point to valid indexes of the grid *)
  predicate chunk_valid_indexes (start:array int) (offsets:array int) =
    start.length = 81 /\ offsets.length = 9 /\
    forall i o:int. is_index i /\ 0 <= o < 9 ->
      is_index(start[i] + offsets[o])

  (** Chunks (of the same kind column, row or square) with distinct
      starting cells must be disjoint *)
  predicate disjoint_chunks (start:array int) (offsets:array int) =
    start.length = 81 /\ offsets.length = 9 /\
    forall i1 i2 o:int.
       is_index i1 /\ is_index i2 /\ 0 <= o < 9 ->
       let s1 = start[i1] in
       let s2 = start[i2] in
       s1 <> s2 -> i1 <> s2 + offsets[o]

  (** A sudoku grid is well formed when chunks are valid and disjoint *)
  predicate well_formed_sudoku (s:sudoku_chunks) =
    chunk_valid_indexes s.column_start s.column_offsets /\
    chunk_valid_indexes s.row_start s.row_offsets /\
    chunk_valid_indexes s.square_start s.square_offsets /\
    disjoint_chunks s.column_start s.column_offsets /\
    disjoint_chunks s.row_start s.row_offsets /\
    disjoint_chunks s.square_start s.square_offsets

  (** {3 Valid Sudoku Solutions} *)

  (** `valid_chunk g i start offsets` is true whenever the chunk
  denoted by `start,offsets` from cell `i` is "valid" in grid `g`, in
  the sense that it contains at most one occurence of each number
  between 1 and 9 *)

  predicate valid_chunk (g:grid) (i:int)
    (start:array int) (offsets:array int) =
    let s = start[i] in
    forall o1 o2 : int. 0 <= o1 < 9 /\ 0 <= o2 < 9 /\ o1 <> o2 ->
      let i1 = s + offsets[o1] in
      let i2 = s + offsets[o2] in
      1 <= Map.get g i1 <= 9 /\ 1 <= Map.get g i2 <= 9 ->
      Map.get g i1 <> Map.get g i2

  predicate valid_column (s:sudoku_chunks) (g:grid) (i:int) =
    valid_chunk g i s.column_start s.column_offsets

  predicate valid_row (s:sudoku_chunks) (g:grid) (i:int) =
    valid_chunk g i s.row_start s.row_offsets

  predicate valid_square (s:sudoku_chunks) (g:grid) (i:int) =
    valid_chunk g i s.square_start s.square_offsets

  (** `valid g` is true when all chunks are valid *)
  predicate valid (s:sudoku_chunks) (g : grid) =
    forall i : int. is_index i ->
      valid_column s g i /\ valid_row s g i /\ valid_square s g i

  (** `full g` is true when all cells are filled *)
  predicate full (g : grid) =
    forall i : int. is_index i -> 1 <= Map.get g i <= 9

  (** `included g1 g2` *)
  predicate included (g1 g2 : grid) =
    forall i : int. is_index i /\ 1 <= Map.get g1 i <= 9 ->
      Map.get g2 i = Map.get g1 i

  (** validity is monotonic w.r.t. inclusion *)
  lemma subset_valid_chunk :
    forall g h : grid. included g h ->
      forall i:int, s o:array int. is_index i /\
      chunk_valid_indexes s o /\ valid_chunk h i s o ->
        valid_chunk g i s o

  lemma subset_valid :
    forall s g h.
      well_formed_sudoku s /\ included g h /\ valid s h -> valid s g

  (** A solution of a grid `data` is a full grid `sol`
     that is valid and includes `data` *)
  predicate is_solution_for (s:sudoku_chunks) (sol:grid) (data:grid) =
    included data sol /\ full sol /\ valid s sol


end


(** {2 Concrete Values of Chunks for the Classical Sudoku Grid} *)
module TheClassicalSudokuGrid

  use Grid
  use map.Map
  use int.Int

  use array.Array

  let classical_sudoku () : sudoku_chunks
    ensures { well_formed_sudoku result }
  =
    (* column start *)
    let cs = Array.make 81 0 in
    cs[ 0]<-0; cs[ 1]<-1; cs[ 2]<-2; cs[ 3]<-3; cs[ 4]<-4; cs[ 5]<-5;
    cs[ 6]<-6; cs[ 7]<-7; cs[ 8]<-8; cs[ 9]<-0; cs[10]<-1; cs[11]<-2;
    cs[12]<-3; cs[13]<-4; cs[14]<-5; cs[15]<-6; cs[16]<-7; cs[17]<-8;
    cs[18]<-0; cs[19]<-1; cs[20]<-2; cs[21]<-3; cs[22]<-4; cs[23]<-5;
    cs[24]<-6; cs[25]<-7; cs[26]<-8; cs[27]<-0; cs[28]<-1; cs[29]<-2;
    cs[30]<-3; cs[31]<-4; cs[32]<-5; cs[33]<-6; cs[34]<-7; cs[35]<-8;
    cs[36]<-0; cs[37]<-1; cs[38]<-2; cs[39]<-3; cs[40]<-4; cs[41]<-5;
    cs[42]<-6; cs[43]<-7; cs[44]<-8; cs[45]<-0; cs[46]<-1; cs[47]<-2;
    cs[48]<-3; cs[49]<-4; cs[50]<-5; cs[51]<-6; cs[52]<-7; cs[53]<-8;
    cs[54]<-0; cs[55]<-1; cs[56]<-2; cs[57]<-3; cs[58]<-4; cs[59]<-5;
    cs[60]<-6; cs[61]<-7; cs[62]<-8; cs[63]<-0; cs[64]<-1; cs[65]<-2;
    cs[66]<-3; cs[67]<-4; cs[68]<-5; cs[69]<-6; cs[70]<-7; cs[71]<-8;
    cs[72]<-0; cs[73]<-1; cs[74]<-2; cs[75]<-3; cs[76]<-4; cs[77]<-5;
    cs[78]<-6; cs[79]<-7; cs[80]<-8;
    (* column offset *)
    let co = Array.make 9 0 in
    co[ 0]<-0; co[ 1]<-9; co[ 2]<-18; co[ 3]<-27; co[ 4]<-36; co[
    5]<-45; co[ 6]<-54; co[ 7]<-63; co[ 8]<-72;
    (* row start *)
    let rs = Array.make 81 0 in
    rs[ 0]<- 0; rs[ 1]<- 0; rs[ 2]<- 0; rs[ 3]<- 0; rs[ 4]<-0; rs[5]<-0;
    rs[ 6]<- 0; rs[ 7]<- 0; rs[ 8]<- 0; rs[ 9]<- 9; rs[10]<-9; rs[11]<-9;
    rs[12]<- 9; rs[13]<- 9; rs[14]<- 9; rs[15]<- 9; rs[16]<-9; rs[17]<-9;
    rs[18]<-18; rs[19]<-18; rs[20]<-18; rs[21]<-18; rs[22]<-18;
    rs[23]<-18; rs[24]<-18; rs[25]<-18; rs[26]<-18; rs[27]<-27;
    rs[28]<-27; rs[29]<-27; rs[30]<-27; rs[31]<-27; rs[32]<-27;
    rs[33]<-27; rs[34]<-27; rs[35]<-27; rs[36]<-36; rs[37]<-36;
    rs[38]<-36; rs[39]<-36; rs[40]<-36; rs[41]<-36; rs[42]<-36;
    rs[43]<-36; rs[44]<-36; rs[45]<-45; rs[46]<-45; rs[47]<-45;
    rs[48]<-45; rs[49]<-45; rs[50]<-45; rs[51]<-45; rs[52]<-45;
    rs[53]<-45; rs[54]<-54; rs[55]<-54; rs[56]<-54; rs[57]<-54;
    rs[58]<-54; rs[59]<-54; rs[60]<-54; rs[61]<-54; rs[62]<-54;
    rs[63]<-63; rs[64]<-63; rs[65]<-63; rs[66]<-63; rs[67]<-63;
    rs[68]<-63; rs[69]<-63; rs[70]<-63; rs[71]<-63; rs[72]<-72;
    rs[73]<-72; rs[74]<-72; rs[75]<-72; rs[76]<-72; rs[77]<-72;
    rs[78]<-72; rs[79]<-72; rs[80]<-72;
    (* row offset *)
    let ro = Array.make 9 0 in
    ro[ 0]<-0; ro[ 1]<-1; ro[ 2]<-2; ro[ 3]<-3; ro[ 4]<-4; ro[ 5]<-5;
    ro[ 6]<-6; ro[ 7]<-7; ro[ 8]<-8;
    (* square start *)
    let ss = Array.make 81 0 in
    ss[ 0]<- 0; ss[ 1]<- 0; ss[ 2]<- 0; ss[ 3]<- 3; ss[ 4]<- 3;
    ss[ 5]<- 3; ss[ 6]<- 6; ss[ 7]<- 6; ss[ 8]<- 6; ss[ 9]<- 0;
    ss[10]<- 0; ss[11]<- 0; ss[12]<- 3; ss[13]<- 3; ss[14]<- 3; ss[15]<- 6;
    ss[16]<- 6; ss[17]<- 6; ss[18]<- 0; ss[19]<- 0; ss[20]<- 0;
    ss[21]<- 3; ss[22]<- 3; ss[23]<- 3; ss[24]<- 6; ss[25]<- 6;
    ss[26]<- 6; ss[27]<-27; ss[28]<-27; ss[29]<-27; ss[30]<-30;
    ss[31]<-30; ss[32]<-30; ss[33]<-33; ss[34]<-33; ss[35]<-33;
    ss[36]<-27; ss[37]<-27; ss[38]<-27; ss[39]<-30; ss[40]<-30;
    ss[41]<-30; ss[42]<-33; ss[43]<-33; ss[44]<-33; ss[45]<-27;
    ss[46]<-27; ss[47]<-27; ss[48]<-30; ss[49]<-30; ss[50]<-30;
    ss[51]<-33; ss[52]<-33; ss[53]<-33; ss[54]<-54; ss[55]<-54;
    ss[56]<-54; ss[57]<-57; ss[58]<-57; ss[59]<-57; ss[60]<-60;
    ss[61]<-60; ss[62]<-60; ss[63]<-54; ss[64]<-54; ss[65]<-54;
    ss[66]<-57; ss[67]<-57; ss[68]<-57; ss[69]<-60; ss[70]<-60;
    ss[71]<-60; ss[72]<-54; ss[73]<-54; ss[74]<-54; ss[75]<-57;
    ss[76]<-57; ss[77]<-57; ss[78]<-60; ss[79]<-60; ss[80]<-60;
    (* square offset *)
    let sqo = Array.make 9 0 in
    sqo[0]<-0; sqo[1]<-1; sqo[2]<-2; sqo[3]<-9; sqo[4]<-10;
    sqo[5]<-11; sqo[6]<-18; sqo[7]<-19; sqo[8]<-20;
    { column_start = cs; column_offsets = co;
      row_start    = rs; row_offsets    = ro;
      square_start = ss; square_offsets = sqo; }

end



(** {2 A Sudoku Solver} *)

module Solver

  use Grid
  use array.Array
  use int.Int

  (** predicate for the loop invariant of next function *)
  predicate valid_chunk_up_to (g:grid) (i:int)
    (start:array int) (offsets:array int) (off:int) =
    let s = start[i] in
    forall o1 o2 : int.
      0 <= o1 < off /\ 0 <= o2 < off /\ o1 <> o2 ->
      let i1 = s + offsets[o1] in
      let i2 = s + offsets[o2] in
      1 <= Map.get g i1 <= 9 /\ 1 <= Map.get g i2 <= 9 ->
      Map.get g i1 <> Map.get g i2

  exception Invalid

  use array.Array

  (** `check_valid_chunk g i start offsets` checks the validity
      of the chunk that includes `i` *)
  let check_valid_chunk (g:array int) (i:int)
    (start:array int) (offsets:array int) : unit
    requires { g.length = 81 }
    requires { valid_values g.elts }
    requires { is_index i }
    requires { chunk_valid_indexes start offsets }
    ensures { valid_chunk g.elts i start offsets }
    raises { Invalid -> not (valid_chunk g.elts i start offsets) }
  =
    let s = start[i] in
    let b = Array.make 10 False in
    for off = 0 to 8 do
      invariant { valid_chunk_up_to g.elts i start offsets off }
      invariant { forall o:int. 0 <= o < off ->
         let v = g[s + offsets[o]] in
         1 <= v <= 9 -> b[v] = True }
      invariant { forall j:int. 1 <= j <= 9 ->
         b[j] = True ->
         exists o:int.
           0 <= o < off /\ Map.get g.elts (s + offsets[o]) = j }
      let v = g[s + offsets[off]] in
      if 1 <= v && v <= 9 then
         begin
           if b[v] then raise Invalid;
            b[v] <- True
         end
    done

  (** predicate for the loop invariant of next function *)
  predicate valid_up_to (s:sudoku_chunks) (g:grid) (i:int) =
    forall j : int. 0 <= j < i ->
      valid_column s g j /\ valid_row s g j /\ valid_square s g j

  (** `check_valid s g` checks if the (possibly partially filled) grid
      `g` is valid. (This function is not needed by the solver) *)
  let check_valid (s:sudoku_chunks) (g : array int) : bool
    requires { well_formed_sudoku s }
    requires { g.length = 81 }
    requires { valid_values g.elts }
    ensures { result <-> valid s g.elts }
  =
   try
    for i = 0 to 80 do
      invariant { valid_up_to s g.elts i }
      check_valid_chunk g i s.column_start s.column_offsets;
      check_valid_chunk g i s.row_start s.row_offsets;
      check_valid_chunk g i s.square_start s.square_offsets
    done;
    True
    with Invalid -> False
    end

  (** `full_up_to g i` is true when all cells `0..i-1` in grid `g` are
      non empty *)
  predicate full_up_to (g : grid) (i : int) = forall j :
  int. 0 <= j < i -> 1 <= Map.get g j <= 9

  lemma full_up_to_change :
    forall g i x. is_index i /\ full_up_to g i
    -> 1 <= x <= 9 -> full_up_to (Map.set g i x) (i+1)

  let rec lemma full_up_to_frame (g1 g2:grid) (i:int)
    requires { 0 <= i <= 81 }
    requires { grid_eq_sub g1 g2 0 i }
    requires { full_up_to g1 i }
    variant  { i }
    ensures  { full_up_to g2 i }
  = if i > 0 then
      begin
        assert { full_up_to g1 (i-1) };
        full_up_to_frame g1 g2 (i-1)
      end

  let lemma full_up_to_frame_all (g1 g2:grid) (i:int)
    requires { 0 <= i <= 81 }
    requires { grid_eq g1 g2 }
    requires { full_up_to g1 i }
    ensures  { full_up_to g2 i }
  = assert { grid_eq_sub g1 g2 0 i }

  let lemma valid_chunk_frame (start:array int) (offsets:array int) (g1 g2:grid) (i:int)
    requires { chunk_valid_indexes start offsets }
    requires { 0 <= i < 81 }
    requires { grid_eq g1 g2 }
    requires { valid_chunk g1 i start offsets }
    ensures  { valid_chunk g2 i start offsets }
  = ()

  let rec lemma valid_up_to_frame (s:sudoku_chunks) (g1 g2:grid) (i:int)
    requires { well_formed_sudoku s }
    requires { 0 <= i <= 81 }
    requires { grid_eq g1 g2 }
    requires { valid_up_to s g1 i }
    variant  { i }
    ensures  { valid_up_to s g2 i }
  = if i > 0 then
      begin
        assert { valid_up_to s g1 (i-1) };
        valid_up_to_frame s g1 g2 (i-1);
	valid_chunk_frame s.column_start s.column_offsets g1 g2 (i-1);
	valid_chunk_frame s.row_start s.row_offsets g1 g2 (i-1);
	valid_chunk_frame s.square_start s.square_offsets g1 g2 (i-1);
      end



(** how to prove the "hard" property : if

   `valid_up_to s g i`

and

  `h = g[i <- k`    (with 1 <= k <= 9)]

and

  `valid_column s h i /\ valid_row s h i /\ valid_square s h i`

then

  `valid_up_to s h (i+1)`

then the problem is that one should prove that for each `j` in `0..i-1` :

  `valid_column s h j /\ valid_row s h j /\ valid_square s h j`

this is true but with 2 different possible reasons:

  if `column_start j = column_start i` then
    `valid_column s h j` is true because `valid_column s h i` is true
  else
    `valid_column s h j` is true because `valid_column s g j` is true
    because `valid_column s h j` does not depend on `h[i]`

*)



  lemma valid_unchanged_chunks:
    forall g : grid, i1 i2 k:int, start offsets:array int.
      disjoint_chunks start offsets ->
      is_index i1 /\ is_index i2 /\ 1 <= k <= 9 ->
      let s1 = start[i1] in
      let s2 = start[i2] in
      let h = Map.set g i1 k in
      s1 <> s2 /\ valid_chunk g i2 start offsets ->
      valid_chunk h i2 start offsets

  lemma valid_changed_chunks:
    forall g : grid, i1 i2 k:int, start offsets:array int.
      is_index i1 /\ is_index i2 /\ 1 <= k <= 9 ->
      let s1 = start[i1] in
      let s2 = start[i2] in
      let h = Map.set g i1 k in
      s1 = s2 /\ valid_chunk h i1 start offsets ->
      valid_chunk h i2 start offsets


  let ghost valid_up_to_change (s:sudoku_chunks) (g:grid) (i x : int)
    requires {  well_formed_sudoku s }
    requires { is_index i }
    requires { valid_up_to s g i }
    requires { 1 <= x <= 9 }
    requires { valid_column s (Map.set g i x) i }
    requires { valid_row s (Map.set g i x) i }
    requires { valid_square s (Map.set g i x) i }
    ensures  { valid_up_to s (Map.set g i x) (i+1) }
  = ()


  (** {3 The main solver loop} *)
  exception SolutionFound

  let rec solve_aux (s:sudoku_chunks) (g : array int) (i : int)
    requires { well_formed_sudoku s }
    requires { g.length = 81 }
    requires { valid_values g.elts }
    requires { 0 <= i <= 81 }
    requires { valid_up_to s g.elts i }
    requires { full_up_to g.elts i }
    writes  { g }
    variant { 81 - i }
    ensures { grid_eq (old g).elts g.elts }
    ensures { forall h : grid. included g.elts h /\ full h -> not (valid s h) }
    raises { SolutionFound -> is_solution_for s g.elts (old g).elts }
  = if i = 81 then raise SolutionFound;
    (* assert { is_index i }; *)
    if g[i] <> 0 then
      try
        (* assert { 1 <= g[i] <= 9 }; *)
        check_valid_chunk g i s.column_start s.column_offsets;
        check_valid_chunk g i s.row_start s.row_offsets;
        check_valid_chunk g i s.square_start s.square_offsets;
        solve_aux s g (i + 1)
      with Invalid -> ()
      end
    else
      begin
      let ghost old_g = g.elts in
      for k = 1 to 9 do
        invariant { grid_eq old_g (Map.set g.elts i 0) }
        invariant { full_up_to g.elts i }
        invariant { (* for completeness *)
          forall k'. 1 <= k' < k ->
          let g' = Map.set old_g i k' in
          forall h : grid. included g' h /\ full h -> not (valid s h) }
        g[i] <- k;
	valid_up_to_frame s old_g (Map.set g.elts i 0) i;
        try
          check_valid_chunk g i s.column_start s.column_offsets;
          check_valid_chunk g i s.row_start s.row_offsets;
          check_valid_chunk g i s.square_start s.square_offsets;
            (* the hard part: see lemma valid_up_to_change *)
          assert { let grid' = Map.set old_g i k in
            grid_eq grid' g.elts &&
            valid_chunk grid' i s.column_start s.column_offsets &&
            valid_chunk grid' i s.row_start s.row_offsets &&
            valid_chunk grid' i s.square_start s.square_offsets &&
            valid_up_to s grid' (i+1) };
          valid_up_to_change s old_g i k;
          solve_aux s g (i + 1)
        with Invalid ->
          assert { (* for completeness *)
            not (valid s (Map.set old_g i k)) };
          assert { (* for completeness *)
            let g' = Map.set old_g i k in
            forall h : grid. included g' h /\ full h -> not (valid s h) }
        end
      done;
      g[i] <- 0;
      assert { (* for completeness *)
        forall h:grid. included old_g h /\ full h ->
          let k' = Map.get h i in
          let g' = Map.set old_g i k' in
          included g' h }
      end

  exception NoSolution

  let solve (s:sudoku_chunks) (g : array int)
    requires { well_formed_sudoku s }
    requires { g.length = 81 }
    requires { valid_values g.elts }
    writes   { g }
    ensures  { result = g }
    ensures  { is_solution_for s g.elts (old g).elts }
    raises   { NoSolution ->
      forall h : grid. included g.elts h /\ full h -> not (valid s h)  }
  =
    try solve_aux s g 0;
        raise NoSolution
    with SolutionFound -> g
    end

  let check_then_solve (s:sudoku_chunks) (g : array int)
    requires { well_formed_sudoku s }
    requires { g.length = 81 }
    requires { valid_values g.elts }
    writes   { g }
    ensures  { result = g }
    ensures  { is_solution_for s g.elts (old g).elts }
    raises   { NoSolution ->
      forall h : grid. included g.elts h /\ full h -> not (valid s h)  }
  =
    if check_valid s g then solve s g else raise NoSolution

end

(* Proof in progress
module RandomSolver

  (* a variant: solve using a random order of cells *)

  use Grid
  use array.Array
  use int.Int
  use random.Random

  use Solver

  let rec solve_aux (s:sudoku_chunks) (randoffset:int) (g : array int) (i : int)
    requires { well_formed_sudoku s }
    requires { 0 <= randoffset <= 80 }
    requires { g.length = 81 }
    requires { valid_values g.elts }
    requires { 0 <= i <= 81 }
    requires { valid_up_to s g.elts i }
    requires { full_up_to g.elts i }
    writes  { g }
    variant { 81 - i }
    ensures { grid_eq (old g).elts g.elts }
    ensures { forall h : grid. included g.elts h /\ full h -> not (valid s h) }
    raises { SolutionFound -> is_solution_for s g.elts (old g).elts }
  = if i = 81 then raise SolutionFound;
    (* assert { is_index i }; *)
    let j = i + randoffset in
    let j = if j >= 81 then j - 81 else j in
    (* assert { is_index j }; *)
    if g[j] <> 0 then
      try
        (* assert { 1 <= g[j] <= 9 }; *)
        Solver.check_valid_chunk g j s.column_start s.column_offsets;
        check_valid_chunk g j s.row_start s.row_offsets;
        check_valid_chunk g j s.square_start s.square_offsets;
        solve_aux s randoffset g (i + 1)
      with Invalid -> ()
      end
    else
      begin
      label L in
      for k = 1 to 9 do
        invariant { grid_eq (g at L).elts (Map.set g.elts j 0) }
        invariant { full_up_to g.elts i } (* TODO i -> j *)
        invariant { (* for completeness *)
          forall k'. 1 <= k' < k ->
          let g' = Map.set (g at L).elts i k' in (* TODO i -> j *)
          forall h : grid. included g' h /\ full h -> not (valid s h) }
        g[j] <- k;
        try
          check_valid_chunk g j s.column_start s.column_offsets;
          check_valid_chunk g j s.row_start s.row_offsets;
          check_valid_chunk g j s.square_start s.square_offsets;
            (* the hard part: see lemma valid_up_to_change *)
            (* TODO i -> j *)
          assert { let grid' = Map.set (g at L).elts i k in
            grid_eq grid' g.elts &&
            valid_chunk grid' i s.column_start s.column_offsets &&
            valid_chunk grid' i s.row_start s.row_offsets &&
            valid_chunk grid' i s.square_start s.square_offsets &&
            valid_up_to s grid' (i+1) };
          assert { valid_up_to s g.elts (i+1) };
          solve_aux s randoffset g (i + 1)
        with Invalid ->
          assert { (* for completeness *)
            not (valid s (Map.set (g at L).elts i k)) };
          assert { (* for completeness *)
            let g' = Map.set (g at L).elts i k in
            forall h : grid. included g' h /\ full h -> not (valid s h) }
        end
      done;
      g[j] <- 0;
      assert { (* for completeness *)
        forall h:grid. included (g at L).elts h /\ full h ->
          let k' = Map.get h i in
          let g' = Map.set (g at L).elts i k' in
          included g' h }
      end

  exception NoSolution

  let solve (s:sudoku_chunks) (g : array int)
    requires { well_formed_sudoku s }
    requires { g.length = 81 }
    requires { valid_values g.elts }
    writes   { g }
    ensures  { result = g }
    ensures  { is_solution_for s g.elts (old g).elts }
    raises   { NoSolution ->
      forall h : grid. included g.elts h /\ full h -> not (valid s h)  }
  =
    try
      let randoffset = 27 in
      solve_aux s randoffset g 0;
      raise NoSolution
    with SolutionFound -> g
    end

  let check_then_solve (s:sudoku_chunks) (g : array int)
    requires { well_formed_sudoku s }
    requires { g.length = 81 }
    requires { valid_values g.elts }
    writes   { g }
    ensures  { result = g }
    ensures  { is_solution_for s g.elts (old g).elts }
    raises   { NoSolution ->
      forall h : grid. included g.elts h /\ full h -> not (valid s h)  }
  =
    if check_valid s g then solve s g else raise NoSolution

end
*)


(** {2 Some Tests} *)

module Test

  use Grid
  use TheClassicalSudokuGrid

  use Solver
  use map.Map
  use array.Array

  (** Solving the empty grid: easy, yet not trivial *)
  let test0 ()
    raises { NoSolution -> true }
  = let a = Array.make 81 0 in
    solve (classical_sudoku()) a
(* a possible solution:
  1, 2, 3, 4, 5, 6, 7, 8, 9,
  4, 5, 6, 7, 8, 9, 1, 2, 3,
  7, 8, 9, 1, 2, 3, 4, 5, 6,
  2, 1, 4, 3, 6, 5, 8, 9, 7,
  3, 6, 5, 8, 9, 7, 2, 1, 4,
  8, 9, 7, 2, 1, 4, 3, 6, 5,
  5, 3, 1, 6, 4, 2, 9, 7, 8,
  6, 4, 2, 9, 7, 8, 5, 3, 1,
  9, 7, 8, 5, 3, 1, 6, 4, 2
*)

(** A grid known to be solvable *)
(*
2 0 9 0 0 0 0 1 0
0 0 0 0 6 0 0 0 0
0 5 3 8 0 2 7 0 0
3 0 0 0 0 0 0 0 0
0 0 0 0 7 5 0 0 3
0 4 1 2 0 8 9 0 0
0 0 4 0 9 0 0 2 0
8 0 0 0 0 1 0 0 5
0 0 0 0 0 0 0 7 6
*)

  let test1 ()
    raises { NoSolution -> true }
  = let a = Array.make 81 0 in
    a[0] <- 2;
    a[2] <- 9;
    a[7] <- 1;
    a[13] <- 6;
    a[19] <- 5;
    a[20] <- 3;
    a[21] <- 8;
    a[23] <- 2;
    a[24] <- 7;
    a[27] <- 3;
    a[40] <- 7;
    a[41] <- 5;
    a[44] <- 3;
    a[46] <- 4;
    a[47] <- 1;
    a[48] <- 2;
    a[50] <- 8;
    a[51] <- 9;
    a[56] <- 4;
    a[58] <- 9;
    a[61] <- 2;
    a[63] <- 8;
    a[68] <- 1;
    a[71] <- 5;
    a[79] <- 7;
    a[80] <- 6;
    assert { valid_values a.Array.elts };
    solve (classical_sudoku()) a

(* the solution:

  2, 6, 9, 3, 5, 7, 8, 1, 4,
  1, 8, 7, 9, 6, 4, 5, 3, 2,
  4, 5, 3, 8, 1, 2, 7, 6, 9,
  3, 7, 5, 6, 4, 9, 2, 8, 1,
  9, 2, 8, 1, 7, 5, 6, 4, 3,
  6, 4, 1, 2, 3, 8, 9, 5, 7,
  7, 1, 4, 5, 9, 6, 3, 2, 8,
  8, 3, 6, 7, 2, 1, 4, 9, 5,
  5, 9, 2, 4, 8, 3, 1, 7, 6

*)

  (** A trivially unsolvable grid *)
  let test2 ()
    raises { NoSolution -> true }
  = let a = Array.make 81 1 in
    solve (classical_sudoku()) a

end

(***
Local Variables:
compile-command: "why3 ide --extra-config ../share/strategies.conf sudoku.mlw"
End:
*)
why3-1.6.0/examples/sudoku/000077500000000000000000000000001440160026300155345ustar00rootroot00000000000000why3-1.6.0/examples/sudoku/Makefile000066400000000000000000000027051440160026300172000ustar00rootroot00000000000000
BENCH ?= no

ifeq ($(BENCH),yes)
  WHY3=../../bin/why3.opt
  WHY3SHARE=../../share
else
  ifeq ($(BINDIR),)
    WHY3=why3
  else
    WHY3=$(BINDIR)/why3
  endif
  WHY3SHARE=$(shell $(WHY3) --print-datadir)
endif

include $(WHY3SHARE)/Makefile.config

ifeq ($(BENCH),yes)
  INCLUDE += -I ../../lib/why3
endif

MAIN=main
GEN =sudoku
OBJ=$(GEN)

GENML = $(addsuffix .ml, $(GEN))
ML = $(addsuffix .ml, $(OBJ))
CMO = $(addsuffix .cmo, $(OBJ))
CMX = $(addsuffix .cmx, $(OBJ))

OCAMLOPT = ocamlopt -noassert -inline 1000

all: $(MAIN).opt

extract: $(GENML)

doc:
	$(WHY3) doc ../sudoku.mlw
	$(WHY3) session html .

$(MAIN).byte: $(CMO) $(MAIN).cmo
	ocamlc -g $(INCLUDE) $(BIGINTLIB).cma -o $@ $^

$(MAIN).opt: $(CMX) $(MAIN).cmx
	$(OCAMLOPT) $(INCLUDE) $(BIGINTLIB).cmxa -o $@ $^

$(MAIN).cmx: $(CMX)

$(GENML): ../sudoku.mlw
	$(WHY3) extract -D ocaml64 --recursive -o $@ -L .. sudoku.Test

# javascript


JSMAIN=jsmain

JSOCAMLC=ocamlfind ocamlc -package js_of_ocaml -package js_of_ocaml-ppx -package js_of_ocaml-lwt

$(JSMAIN).js: $(JSMAIN).byte
	js_of_ocaml +nat.js $(JSMAIN).byte

$(JSMAIN).byte: $(CMO) $(JSMAIN).cmo
	$(JSOCAMLC) $(INCLUDE) $(BIGINTLIB).cma -o $@ -linkpkg $^

%.cmo: %.ml
	$(JSOCAMLC) $(INCLUDE) -annot -c $<

%.cmi: %.mli
	$(JSOCAMLC) $(INCLUDE) -annot -c $<

%.cmx: %.ml
	$(OCAMLOPT) $(INCLUDE) -annot -c $<

clean::
	rm -f $(GENML) *.annot *.o *.cm[xio] $(MAIN).opt $(MAIN).byte
	rm -f sudoku__*.ml why3__*.ml
	rm -f int__Int.ml map__Map.ml array__Array.ml
why3-1.6.0/examples/sudoku/index.html000066400000000000000000000023431440160026300175330ustar00rootroot00000000000000

  
    Sudoku Solver using Why3
    
  
  
    
    Sudoku Solver
    
        
    This solver was developed and formally proved correct using
        Why3, extracted to OCaml and
        then compiled to JavaScript
        using Js_of_ocaml
    

    
    
    
    
      
      
    
    
    
    
      
      
      
    
    
    
        
    See also
          
    
        
    
  

why3-1.6.0/examples/sudoku/jsmain.ml000066400000000000000000000127501440160026300173540ustar00rootroot00000000000000

module D = Js_of_ocaml.Dom_html
module Js = Js_of_ocaml.Js
module Dom = Js_of_ocaml.Dom

let d = D.document

(* Grid Layout *)

let make_board () =
  let make_input () =
    let input =
      D.createInput ~_type:(Js.string "text") ~name:(Js.string "input") d
    in
    input##.size := 1;
    input##.maxLength := 1;
    input##.align := Js.string "center";
    let style = input##.style in
    style##.border := Js.string "none";
    style##.fontFamily := Js.string "monospace";
    style##.fontSize := Js.string "20px";
    style##.fontWeight := Js.string "bold";
    style##.paddingBottom := Js.string "5px";
    style##.paddingTop := Js.string "5px";
    style##.paddingLeft := Js.string "10px";
    style##.paddingRight := Js.string "10px";
    let enforce_digit _ =
      begin
        match Js.to_string input##.value with
        | "1" | "2" | "3" | "4" | "5"
        | "6" | "7" | "8" | "9" -> ()
        | _ -> input##.value := Js.string ""
      end;
      Js._false
    in
    input##.onchange := D.handler enforce_digit;
    input
  in
  let make_td i j input =
    let td = D.createTd d in
    td##.align := Js.string "center";
    let style = td##.style in
    style##.borderStyle := Js.string "solid";
    style##.borderColor := Js.string "#000000";
    let widths = function
      | 0 -> 3, 0 | 2 -> 1, 1 | 3 -> 1, 0
      | 5 -> 1, 1 | 6 -> 1, 0 | 8 -> 1, 3
      | _ -> 1, 0 in
    let (top, bottom) = widths i in
    let (left, right) = widths j in
    let px k = Js.string (string_of_int k ^ "px") in
    style##.borderTopWidth := px top;
    style##.borderBottomWidth := px bottom;
    style##.borderLeftWidth := px left;
    style##.borderRightWidth := px right;
    Dom.appendChild td input;
    td
  in
  let rows = Array.init 9 (fun i -> Array.init 9 (fun j -> make_input ())) in
  let table = D.createTable d in
  table##.cellPadding := Js.string "0px";
  table##.cellSpacing := Js.string "0px";
  let tbody = D.createTbody d in
  Dom.appendChild table tbody;
  ArrayLabels.iteri rows ~f:(fun i row ->
    let tr = D.createTr d in
    ArrayLabels.iteri row ~f:(fun j cell ->
      let td = make_td i j cell in
      ignore (Dom.appendChild tr td));
    ignore (Dom.appendChild tbody tr));
  (rows, table)


(* Solver *)

open Why3extract

let display_sol rows a =
  for i=0 to 8 do
    for j=0 to 8 do
      let cell = rows.(i).(j) in
      cell##.value := Js.string (Z.to_string a.(9*i+j));
      cell##.style##.backgroundColor := Js.string "#ffffff"
    done
  done

let no_sol rows =
  for i=0 to 8 do
    for j=0 to 8 do
      let cell = rows.(i).(j) in
      cell##.style##.backgroundColor := Js.string "#ff0000"
    done
  done

let solve_board rows _ =
  let sudoku = Sudoku.classical_sudoku () in
  let input_grid = Array.make 81 Z.zero in
  for i=0 to 8 do
    for j=0 to 8 do
      let cell = rows.(i).(j) in
      let v =
        match Js.to_string cell##.value with
        | "" -> 0
        | s -> Char.code s.[0] - Char.code '0'
      in
      input_grid.(9*i+j) <- Z.of_int v
    done
  done;
  begin
    try
      let a = Sudoku.solve sudoku input_grid in
      display_sol rows a
    with Sudoku.NoSolution -> no_sol rows
  end;
  Js._false

(* reset board to empty cells *)

let reset_board rows _ =
  for i=0 to 8 do
    for j=0 to 8 do
      let cell = rows.(i).(j) in
      cell##.value := Js.string "";
      cell##.style##.backgroundColor := Js.string "#ffffff";
    done
  done;
  Js._false

(* load examples *)

let load_board rows test _ =
  for i=0 to 8 do
    for j=0 to 8 do
      let cell = rows.(i).(j) in
      let v = test.(9*i+j) in
      let v = if v = 0 then "" else string_of_int v in
      cell##.value := Js.string v;
      cell##.style##.backgroundColor := Js.string "#ffffff";
    done
  done;
  Js._false

let test1 =
[| 2;0;9;0;0;0;0;1;0;
   0;0;0;0;6;0;0;0;0;
   0;5;3;8;0;2;7;0;0;
   3;0;0;0;0;0;0;0;0;
   0;0;0;0;7;5;0;0;3;
   0;4;1;2;0;8;9;0;0;
   0;0;4;0;9;0;0;2;0;
   8;0;0;0;0;1;0;0;5;
   0;0;0;0;0;0;0;7;6 |]

let test2 =
[| 7;0;0;0;0;0;0;0;8;
   0;9;0;7;0;6;0;3;0;
   0;0;1;0;0;0;9;0;0;
   0;7;0;1;0;4;0;5;0;
   0;0;0;0;6;0;0;0;0;
   0;5;0;3;0;7;0;1;0;
   0;0;2;0;0;0;1;0;0;
   0;1;0;9;0;8;0;7;0;
   8;0;0;0;0;0;0;0;6 |]

let test3 =
[| 0;0;0;0;0;0;0;0;0;
   0;0;0;0;0;3;0;8;5;
   0;0;1;0;2;0;0;0;0;
   0;0;0;5;0;7;0;0;0;
   0;0;4;0;0;0;1;0;0;
   0;9;0;0;0;0;0;0;0;
   5;0;0;0;0;0;0;7;3;
   0;0;2;0;1;0;0;0;0;
   0;0;0;0;4;0;0;0;9 |]

module Dom_html = Js_of_ocaml.Dom_html

let onload (_event : #Dom_html.event Js.t) : bool Js.t =
  let (rows, table) = make_board () in
  let solve = Js.Opt.get (d##getElementById (Js.string "solve"))
    (fun () -> assert false) in
  solve##.onclick := Dom_html.handler (solve_board rows);
  let reset = Js.Opt.get (d##getElementById (Js.string "reset"))
    (fun () -> assert false) in
  reset##.onclick := Dom_html.handler (reset_board rows);
  let sample1 = Js.Opt.get (d##getElementById (Js.string "sample1"))
    (fun () -> assert false) in
  sample1##.onclick := Dom_html.handler (load_board rows test1);
  let sample2 = Js.Opt.get (d##getElementById (Js.string "sample2"))
    (fun () -> assert false) in
  sample2##.onclick := Dom_html.handler (load_board rows test2);
  let sample3= Js.Opt.get (d##getElementById (Js.string "sample3"))
    (fun () -> assert false) in
  sample3##.onclick := Dom_html.handler (load_board rows test3);
  let board = Js.Opt.get (d##getElementById (Js.string "board"))
    (fun () -> assert false) in
  Dom.appendChild board table;
  board##.style##.padding := Js.string "40px";
  Js._false

let _ = Dom_html.window##.onload := Dom_html.handler onload
why3-1.6.0/examples/sudoku/main.ml000066400000000000000000000034611440160026300170160ustar00rootroot00000000000000
open Format

let usage () =
  eprintf "Sudoku: solve a Sudoku puzzle@.";
  eprintf "Usage: %s @." Sys.argv.(0);
  exit 2

let input =
  if Array.length Sys.argv <> 2 then usage ();
  Sys.argv.(1)

let input_grid =
  if String.length input <> 161 then usage ();
  for i=0 to 79 do
    if input.[i+i+1] <> ',' then usage ();
  done;
  let a = Array.make 81 Z.zero in
  for i=0 to 80 do
    match input.[i+i] with
      | '0'..'9' as c -> a.(i) <-
        Z.of_int (Char.code c - Char.code '0')
      | _ -> usage ()
  done;
  a

let print_grid fmt a =
  fprintf fmt "@[";
  for i=0 to 80 do
    if i mod 9 = 8
    then fprintf fmt "%s@\n" (Z.to_string a.(i))
    else fprintf fmt "%s " (Z.to_string a.(i))
  done;
  fprintf fmt "@]"

let () =
  let sudoku = Sudoku.classical_sudoku () in
  printf "Problem: %a@." print_grid input_grid;
  let a = Sudoku.solve sudoku input_grid
  in
  printf "Solution: %a@." print_grid a

(*
test:

2,0,9,0,0,0,0,1,0,0,0,0,0,6,0,0,0,0,0,5,3,8,0,2,7,0,0,3,0,0,0,0,0,0,0,0,0,0,0,0,7,5,0,0,3,0,4,1,2,0,8,9,0,0,0,0,4,0,9,0,0,2,0,8,0,0,0,0,1,0,0,5,0,0,0,0,0,0,0,7,6

that is

2 0 9 0 0 0 0 1 0
0 0 0 0 6 0 0 0 0
0 5 3 8 0 2 7 0 0
3 0 0 0 0 0 0 0 0
0 0 0 0 7 5 0 0 3
0 4 1 2 0 8 9 0 0
0 0 4 0 9 0 0 2 0
8 0 0 0 0 1 0 0 5
0 0 0 0 0 0 0 7 6

should give:

2 6 9 3 5 7 8 1 4
1 8 7 9 6 4 5 3 2
4 5 3 8 1 2 7 6 9
3 7 5 6 4 9 2 8 1
9 2 8 1 7 5 6 4 3
6 4 1 2 3 8 9 5 7
7 1 4 5 9 6 3 2 8
8 3 6 7 2 1 4 9 5
5 9 2 4 8 3 1 7 6

*)

(* other tests:

7,0,0,0,0,0,0,0,8,0,9,0,7,0,6,0,3,0,0,0,1,0,0,0,9,0,0,0,7,0,1,0,4,0,5,0,0,0,0,0,6,0,0,0,0,0,5,0,3,0,7,0,1,0,0,0,2,0,0,0,1,0,0,0,1,0,9,0,8,0,7,0,8,0,0,0,0,0,0,0,6

0,0,0,0,0,0,0,0,0,0,0,0,0,0,3,0,8,5,0,0,1,0,2,0,0,0,0,0,0,0,5,0,7,0,0,0,0,0,4,0,0,0,1,0,0,0,9,0,0,0,0,0,0,0,5,0,0,0,0,0,0,7,3,0,0,2,0,1,0,0,0,0,0,0,0,0,4,0,0,0,9

*)
why3-1.6.0/examples/sudoku/why3session.xml000066400000000000000000000614311440160026300205610ustar00rootroot00000000000000








 
 
 
 
 
 
 
 
 


 
 
 


 
 
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
 
 
 
 
 
 
 
 
 
 
 
 
 
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
   
   
   
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
 
 
 
 
 
 
 
 


 
 
 
 
 
 
 
 
 



why3-1.6.0/examples/sudoku/why3shapes.gz000066400000000000000000000221161440160026300201760ustar00rootroot00000000000000}Yo{
L7$@O|5HJs]%Wߞ_XbKwa0"׿ě?כD޹߾^u?>|{{taσ|.?wO	>}/jbqQ.X>w\ݔ{uv>Oߺء3y6t{J.ϘTOkmo+S=zϕKNR{׼p?n/
&0r>&_×ݧsQس7Lu=kgyV]`eyJ%V|)\1gjuދwR^
c,:ArvInn484ck,
N,ɔb-ޔ9X.W>|~u}⯿}nvZtgX
_\%?кprZ7PܫJjqgMDݽWS,O}ŧ]u[Ň
8b^=O'Mq%I<,3	LI/s1S9UKYcX%qZ$ς#PW\/$-uj3>
Dd
}$@Ob$f#gI1.&誂+bTPϭXiŬ5섂G]yZt\uFOB<(W/$^_:jG36W`lXxFl>xƟFWXW}P,B*f5Z*T\f`b^41B!!~Iqt6\-,bK:'lĄYUsz*
/\ؒAjצn(VŦX`MBhs¦ew&U1
cQ*
xU1
b<ߗ&~jŒ;xdδ~WR.d=MOHV,n5!EjLA9į/~}fzuzu.%<(wo

֧Q!|ڋo&eFh/d7gHpNLN'rHNKvY<$~wRr03:Re:{M|f҅#i&iVt/;RXJ]?śN>NtDjI]f%M[+a:{#dHvHGj 7)eL[ˁVF>6PO}/nn/ӊ)x?ܺ{2}{`*ޘ:hg95 }ksCןyhKEaH?f}̺ޤVzڹj|$K#cos?;JR/nW%wɰ^_7Y$\ߑϳ^^NӋ(/Y0_Z8P	IsWGLSy`4LN(Mwpi:F\erRM[ۇ6n.vW7j2x1ݧR$er)c/_S|	_1s{NHs:B"6wJ5VHυ%[ΪԮf(U̅:4$ҽ0MAR4bQZUX2ѬH>{[Gݚm>
w@\/Wyep
'W$M0׎4)e)~r/E(hI?>VWpՄ$㴉[=6rIbYSvS˧8^G9/q$_><5~Dfױ]wכ^ƖVw_ƚ^_^odPE,MկOcIrP~P2yp㽂c8W.TKQf qtyr~}EQ*^.*{AHȵ^d[9hqr*տjΘ+x^Փ!IpV_V&21VGGOɳ@*a!Z汆wϥ7".$IoM
Sh¹HG(U9\\Iϕ
5lBKVR7)^!pHzTDyBz[`\T~L]\*}G:LfEdٕ]"},׬cсQXN/V`QU`H0d~3OȻ
?
++G=/2hjz,*{>rwBciLRz"S%r3T˚ok{GR~&֞2$

aof%*qSJ%?e|󕄇

/&9j(n(~%(>ThL?Hf#*A*:OH7mn~~DP:\6;hvn`f2*wqTToc/KCGu||O+ӆΗ_*PC4K3f.\j$~ͺu5zu`(7l&L)VҌk3֗k1ֵF1ֵwi3fXWpf/Ն7ɚA7n
c̛73Cf~(#4ol곑7fhИ2ժ7~h~ߡF(QA~SZm:u){){fOk㏨)n%K3Lye~o6l/{n8qBFoE
)4Rx'pxoBL~J#F49`/4^xGZBb8Y$jՆJ
ZL?nrc_>C_6ZFJU֟FU?GmBovYU뿳DBPwVat8;xEUby$qg<@r=*~:
.hU},d<	ƭh-9J [ђ/Ad#!0rO [? dzVPVOW#'>T{?t}_쮮޵O$<s6V
@Tu@*^
Wj"Z=JO,ey]#H{+[k
JȻTH`mj[)Nn??o~ ܂57;P;[# _7h	Y8:	03q(.~(n#|9R{ʖ%.1=QrzO&0;jzّ@~-aQv==~X~)9qx+uf1~WqLy=[}#hr;>=gW˾
e`\d\m%V^["wsRo^ G_[c:[2gEggi0$qzW$MNBHA$Ok٠?sY?wy]RzCz=A 7Kq2м:ű:uB_
eaWs)ӫпD<((v_V.DBMbD?g
W箒~E֯3W@iҞߡ'_9~e)R1mV粪ngj9C/!y=0밽a{/5WHuTv*d'@,x5p.N9,Д^z(IP>P=Nzhqx$l5e 9b:K6t;S;bG㬴Zc6ANΐrIG]P}sӲ-I SJH<=fX2A3G5H~B9ŀXj;,V+IiɄ1eXvTP:oaDjsûNg:EџKD4I4O.(^QuP鼓^IER\ZQ9
Z1Q`QTVD\'0'ԜS٨uj{ijJ
s!^pS\(De	4'`x Hp[]4\qy{qc{
D&)gxq1	IӢmiGYYJQ^;sfĞ9uƄrG4.BTs5cDY`&}u ă'̜3\.cp+yjI5u+ႎ29 Ϯ6
ϥdQbR6N %"C	\sjRnם녣xCV0nϹ9:W&*t:Ҹ6]iP0J`炞2WB!턶ª5`Lt(:|np`,vBF=`he21V{E$6*0+}.(%#5_h,F%'žXFt\?LH!"m8DE	Э`q
Y߉܄.GBQ:؞Iʻrh"@S	>$
=>꾌—[C WF]#RW=X+Jb1m4&LpQC{Ėz*c -{LEEhj)9kAG4MkJx7^*1!7KUz9QC=0`{Y- LgBP|&KwPxX)\@!BMڧEfсU|t0u@4/_-/X0A>\%ˈƎ$ QdU2Q@} Rt)i&othh*}90Ka%šx6rQGHvL`p<~q9>y3ٹh:B	?gxsiaGF
N/zCD}@s>
)$ӈ6?vW̊:4QV(${#P74F.:`Fy
\A#+ f[:Azr[P-d)ab
+u"ŀD!u.d&		Kw"JkD4@A5#N]U+w}i-!  p3µ"%Y*(Dv`
_x\a
Z8Z$?H	ѥX<8Wfa9%BϢCZHrpɚ)[.
Qyi3)4B6H x_Kp[<u=/7vt=X3$OL'7a=p	 rn0(̘0#>TCxi
FM;#"mh-xhRo9E$Vl_Q*7/ 
c*\AeQjMH B Dkxa4
`YcށkvzVo\HÝ1HC}8hl!(<:X`)
T'@0~ЬҀ:_%6ڇ̍¼!N!Q|U!\D!ela)CN	#H0#d( a
!|[7G
uF}4i{1} 2K-Cd+Qt$;)a-
gj`am6-iCiO!	ȶ5"Ǝ!BiSMxSHCDK-xjBd@,"byFds$o  }dL!#Hrc0F#׎og	@XK
^]Rd*siIzʮ ֥|V/H,
bTƝE|oh{Hz$ȾJ}σ
E S(cȴ#RpGC04ۙˇ"W;da4;1)-`ȼLG[=q;;KىH~YԾ4Kq87 yHCT ,7`ɤf $pC6Fuc%HDi'_'u"8o{7֑@ny- Ch@`]i0I4,=l#uETi%Y.'7LZDh7݃CPO>EDn0g}e1[0GpHg)<#J1Xȩ:
`(ʚ7ʖ3سB0d|;o`[ӎpБ &HRR9xa!@41yM"vDd^@iF*hҶ&pxahnRꄄ֎1(RI( [F
;h	S4b[idDe	yԥV< {YoFTwB%R5o ,fD֤5CNɞS
]aJ4PJ]Rxnʴ8LFĀ@ .tT
 ZW&
1$Ao~1AH`!dH	imJD!Šh$
`HmH&:3D!eHF
t{fDKoEpԥ:eo;8.b9mNJ䑌]U^G”:u?zCш=wJi+uPR:dfh!p
ikDtK
y5P0Fu@5dD
=3*bZXCY0W!2ŠsHQPxuZiwhy3-1.6.0/examples/sumrange.mlw000066400000000000000000000302131440160026300165630ustar00rootroot00000000000000
(** {1 Range Sum Queries}

We are interested in specifying and proving correct
data structures that support efficient computation of the sum of the
values over an arbitrary range of an array.
Concretely, given an array of integers `a`, and given a range
delimited by indices `i` (inclusive) and `j` (exclusive), we wish
to compute the value: `\sum_{k=i}^{j-1} a[k]`.

In the first part, we consider a simple loop
for computing the sum in linear time.

In the second part, we introduce a cumulative sum array
that allows answering arbitrary range queries in constant time.

In the third part, we explore a tree data structure that
supports modification of values from the underlying array `a`,
with logarithmic time operations.

*)


(** {2 Specification of Range Sum} *)

module ArraySum

  use int.Int
  use array.Array

  (** `sum a i j` denotes the sum `\sum_{i <= k < j} a[k]`.
      It is axiomatizated by the two following axioms expressing
      the recursive definition

      if `i <= j` then `sum a i j = 0`

      if `i < j` then `sum a i j = a[i] + sum a (i+1) j`

  *)
  let rec function sum (a:array int) (i j:int) : int
   requires { 0 <= i <= j <= a.length }
   variant { j - i }
   = if j <= i then 0 else a[i] + sum a (i+1) j

  (** lemma for summation from the right:

      if `i < j` then `sum a i j = sum a i (j-1) + a[j-1]`

 *)
  lemma sum_right : forall a : array int, i j : int.
    0 <= i < j <= a.length  ->
    sum a i j = sum a i (j-1) + a[j-1]

end




(** {2 First algorithm, a linear one} *)

module Simple

  use int.Int
  use array.Array
  use ArraySum
  use ref.Ref

  (** `query a i j` returns the sum of elements in `a` between
      index `i` inclusive and index `j` exclusive *)
  let query (a:array int) (i j:int) : int
    requires { 0 <= i <= j <= a.length }
    ensures { result = sum a i j }
  = let s = ref 0 in
    for k=i to j-1 do
      invariant { !s = sum a i k }
      s := !s + a[k]
    done;
    !s

end




(** {2 Additional lemmas on `sum`}
  needed in the remaining code *)

module ExtraLemmas

  use int.Int
  use array.Array
  use ArraySum

  (** summation in adjacent intervals *)
  lemma sum_concat : forall a:array int, i j k:int.
    0 <= i <= j <= k <= a.length ->
    sum a i k = sum a i j + sum a j k

  (** Frame lemma for `sum`, that is `sum a i j` depends only
      of values of `a[i..j-1]` *)
  lemma sum_frame : forall a1 a2 : array int, i j : int.
    0 <= i <= j ->
    j <= a1.length ->
    j <= a2.length ->
    (forall k : int. i <= k < j -> a1[k] = a2[k]) ->
    sum a1 i j = sum a2 i j

  (** Updated lemma for `sum`: how does `sum a i j` changes when
      `a[k]` is changed for some `k` in `[i..j-1]` *)
  lemma sum_update : forall a:array int, i v l h:int.
    0 <= l <= i < h <= a.length ->
    sum (a[i<-v]) l h = sum a l h + v - a[i]


end




(** {2 Algorithm 2: using a cumulative array}

   creation of cumulative array is linear

   query is in constant time

   array update is linear

*)


module CumulativeArray

  use int.Int
  use array.Array
  use ArraySum
  use ExtraLemmas

  predicate is_cumulative_array_for (c:array int) (a:array int) =
    c.length = a.length + 1 /\
    forall i. 0 <= i < c.length -> c[i] = sum a 0 i

  (** `create a` builds the cumulative array associated with `a`. *)
  let create (a:array int) : array int
    ensures { is_cumulative_array_for result a }
  = let l = a.length in
    let s = Array.make (l+1) 0 in
    for i=1 to l do
      invariant { forall k. 0 <= k < i -> s[k] = sum a 0 k }
      s[i] <- s[i-1] + a[i-1]
    done;
    s

  (** `query c i j a` returns the sum of elements in `a` between
      index `i` inclusive and index `j` exclusive, in constant time *)
  let query (c:array int) (i j:int) (ghost a:array int): int
    requires { is_cumulative_array_for c a }
    requires { 0 <= i <= j < c.length }
    ensures { result = sum a i j }
  = c[j] - c[i]


  (** `update c i v a` updates cell `a[i]` to value `v` and updates
      the cumulative array `c` accordingly *)
  let update (c:array int) (i:int) (v:int) (ghost a:array int) : unit
    requires { is_cumulative_array_for c a }
    requires { 0 <= i < a.length }
    writes  { c, a }
    ensures { is_cumulative_array_for c a }
    ensures { a[i] = v }
    ensures { forall k. 0 <= k < a.length /\ k <> i ->
              a[k] = (old a)[k] }
  = let incr = v - c[i+1] + c[i] in
    a[i] <- v;
    for j=i+1 to c.length-1 do
      invariant { forall k. j <= k < c.length -> c[k] = sum a 0 k - incr }
      invariant { forall k. 0 <= k < j -> c[k] = sum a 0 k }
      c[j] <- c[j] + incr
    done

end






(** {2 Algorithm 3: using a cumulative tree}

  creation is linear

  query is logarithmic

  update is logarithmic

*)




module CumulativeTree

  use int.Int
  use array.Array
  use ArraySum
  use ExtraLemmas
  use int.ComputerDivision

  type indexes =
    { low : int;
      high : int;
      isum : int;
    }

  type tree = Leaf indexes | Node indexes tree tree

  let function indexes (t:tree) : indexes =
    match t with
    | Leaf ind -> ind
    | Node ind _ _ -> ind
    end

  predicate is_indexes_for (ind:indexes) (a:array int) (i j:int) =
    ind.low = i /\ ind.high = j /\
    0 <= i < j <= a.length /\
    ind.isum = sum a i j

  predicate is_tree_for (t:tree) (a:array int) (i j:int) =
    match t with
    | Leaf ind ->
        is_indexes_for ind a i j /\ j = i+1
    | Node ind l r ->
        is_indexes_for ind a i j /\
        i = l.indexes.low /\ j = r.indexes.high /\
        let m = l.indexes.high in
        m = r.indexes.low /\
        i < m < j /\ m = div (i+j) 2 /\
        is_tree_for l a i m /\
        is_tree_for r a m j
    end

  (** {3 creation of cumulative tree} *)

  let rec tree_of_array (a:array int) (i j:int) : tree
    requires { 0 <= i < j <= a.length }
    variant { j - i }
    ensures { is_tree_for result a i j }
    = if i+1=j then begin
       Leaf { low = i; high = j; isum = a[i] }
       end
      else
        begin
        let m = div (i+j) 2 in
        assert { i < m < j };
        let l = tree_of_array a i m in
        let r = tree_of_array a m j in
        let s = l.indexes.isum + r.indexes.isum in
        assert { s = sum a i j };
        Node { low = i; high = j; isum = s} l r
        end


  let create (a:array int) : tree
    requires { a.length >= 1 }
    ensures { is_tree_for result a 0 a.length }
  = tree_of_array a 0 a.length


(** {3 query using cumulative tree} *)


  let rec query_aux (t:tree) (ghost a: array int)
      (i j:int) : int
    requires { is_tree_for t a t.indexes.low t.indexes.high }
    requires { 0 <= t.indexes.low <= i < j <= t.indexes.high <= a.length }
    variant { t }
    ensures { result = sum a i j }
  = match t with
    | Leaf ind ->
      ind.isum
    | Node ind l r ->
      let k1 = ind.low in
      let k3 = ind.high in
      if i=k1 && j=k3 then ind.isum else
      let m = l.indexes.high in
      if j <= m then query_aux l a i j else
      if i >= m then query_aux r a i j else
      query_aux l a i m + query_aux r a m j
    end


  let query (t:tree) (ghost a: array int) (i j:int) : int
    requires { 0 <= i <= j <= a.length }
    requires { is_tree_for t a 0 a.length }
    ensures { result = sum a i j }
  = if i=j then 0 else query_aux t a i j


  (** frame lemma for predicate `is_tree_for` *)
  lemma is_tree_for_frame : forall t:tree, a:array int, k v i j:int.
    0 <= k < a.length ->
    k < i \/ k >= j ->
    is_tree_for t a i j ->
    is_tree_for t a[k<-v] i j

(** {3 update cumulative tree} *)


  let rec update_aux
      (t:tree) (i:int) (ghost a :array int) (v:int) : (t': tree, delta: int)
    requires { is_tree_for t a t.indexes.low t.indexes.high }
    requires { t.indexes.low <= i < t.indexes.high }
    variant { t }
    ensures {
        delta = v - a[i] /\
        t'.indexes.low = t.indexes.low /\
        t'.indexes.high = t.indexes.high /\
        is_tree_for t' a[i<-v] t'.indexes.low t'.indexes.high }
  = match t with
    | Leaf ind ->
        assert { i = ind.low };
        (Leaf { ind with isum = v }, v - ind.isum)
    | Node ind l r ->
        let m = l.indexes.high in
      if i < m then
        let l',delta = update_aux l i a v in
        assert { is_tree_for l' a[i<-v] t.indexes.low m };
        assert { is_tree_for r a[i<-v] m t.indexes.high };
        (Node {ind with isum = ind.isum + delta } l' r, delta)
      else
        let r',delta = update_aux r i a v in
        assert { is_tree_for l a[i<-v] t.indexes.low m };
        assert { is_tree_for r' a[i<-v] m t.indexes.high };
        (Node {ind with isum = ind.isum + delta} l r',delta)
    end

  let update (t:tree) (ghost a:array int) (i v:int) : tree
     requires { 0 <= i < a.length }
     requires { is_tree_for t a 0 a.length }
     writes { a }
     ensures { a[i] = v }
     ensures { forall k. 0 <= k < a.length /\ k <> i -> a[k] = (old a)[k] }
     ensures { is_tree_for result a 0 a.length }
  = let t,_ = update_aux t i a v in
    assert { is_tree_for t a[i <- v] 0 a.length };
    a[i] <- v;
    t


(** {2 complexity analysis}

  We would like to prove that `query` is really logarithmic. This is
  non-trivial because there are two recursive calls in some cases.

  So far, we are only able to prove that `update` is logarithmic

  We express the complexity by passing a "credit" as a ghost
  parameter. We pose the precondition that the credit is at least
  equal to the depth of the tree.

*)

  (** preliminaries: definition of the depth of a tree, and showing
      that it is indeed logarithmic in function of the number of its
      elements *)

  use int.MinMax

  function depth (t:tree) : int =
    match t with
    | Leaf _ -> 1
    | Node _ l r -> 1 + max (depth l) (depth r)
    end

  lemma depth_min : forall t. depth t >= 1

  use bv.Pow2int

  let rec lemma depth_is_log (t:tree) (a :array int) (k:int)
     requires { k >= 0 }
     requires { is_tree_for t a t.indexes.low t.indexes.high }
     requires { t.indexes.high - t.indexes.low <= pow2 k }
     variant { t }
     ensures { depth t <= k+1 }
  = match t with
    | Leaf _ -> ()
    | Node _ l r ->
       depth_is_log l a (k-1);
       depth_is_log r a (k-1)
    end


  (** `update_aux` function instrumented with a credit *)

  use ref.Ref

  let rec update_aux_complexity
        (t:tree) (i:int) (ghost a :array int)
        (v:int) (ghost c:ref int) : (t': tree, delta: int)
     requires { is_tree_for t a t.indexes.low t.indexes.high }
     requires { t.indexes.low <= i < t.indexes.high }
     variant { t }
     ensures { !c - old !c <= depth t }
     ensures {
        delta = v - a[i] /\
        t'.indexes.low = t.indexes.low /\
        t'.indexes.high = t.indexes.high /\
        is_tree_for t' a[i<-v] t'.indexes.low t'.indexes.high }
  = c := !c + 1;
    match t with
    | Leaf ind ->
      assert { i = ind.low };
      (Leaf { ind with isum = v }, v - ind.isum)
    | Node ind l r ->
      let m = l.indexes.high in
      if i < m then
        let l',delta = update_aux_complexity l i a v c in
        assert { is_tree_for l' a[i<-v] t.indexes.low m };
        assert { is_tree_for r a[i<-v] m t.indexes.high };
        (Node {ind with isum = ind.isum + delta } l' r, delta)
      else
        let r',delta = update_aux_complexity r i a v c in
        assert { is_tree_for l a[i<-v] t.indexes.low m };
        assert { is_tree_for r' a[i<-v] m t.indexes.high };
        (Node {ind with isum = ind.isum + delta} l r',delta) (*>*)
    end

  (** `query_aux` function instrumented with a credit *)

  let rec query_aux_complexity (t:tree) (ghost a: array int)
      (i j:int) (ghost c:ref int) : int
    requires { is_tree_for t a t.indexes.low t.indexes.high }
    requires { 0 <= t.indexes.low <= i < j <= t.indexes.high <= a.length }
    variant { t }
    ensures { !c - old !c <=
         if i = t.indexes.low /\ j = t.indexes.high then 1 else
         if i = t.indexes.low \/ j = t.indexes.high then 2 * depth t else
          4 * depth t }
    ensures { result = sum a i j }
  = c := !c + 1;
    match t with
    | Leaf ind ->
      ind.isum
    | Node ind l r ->
      let k1 = ind.low in
      let k3 = ind.high in
      if i=k1 && j=k3 then ind.isum else
      let m = l.indexes.high in
      if j <= m then query_aux_complexity l a i j c else
      if i >= m then query_aux_complexity r a i j c else
      query_aux_complexity l a i m c + query_aux_complexity r a m j c
    end

end
why3-1.6.0/examples/sumrange/000077500000000000000000000000001440160026300160435ustar00rootroot00000000000000why3-1.6.0/examples/sumrange/why3session.xml000066400000000000000000000444341440160026300210740ustar00rootroot00000000000000









 
 
 
 
 
  
  
   
   
    
    
     
     
     
     
     
      
      
      
     
     
    
    
   
   
   
   
    
    
    
   
   
  
  
 
 


 
 
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
 
 


 
 
  
  
   
   
   
   
   
    
    
    
   
   
  
  
 
 
 
 
  
  
   
   
    
    
     
     
     
     
     
      
      
      
     
     
    
    
   
   
   
   
    
    
    
   
   
  
  
 
 
 
 
  
  
   
   
    
    
    
   
   
   
   
    
    
    
   
   
  
  
 
 


 
 
 
 
 
 
 
 
 


 
 
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
 
 
 
 
 
 
 
 
 
 
 
 
 
  
  
  
 
 
 
 
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
 
 
 
 
 
 
 
  
  
  
 
 
 
 
 
 
 
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
 
 
 
 
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
 
 



why3-1.6.0/examples/sumrange/why3shapes.gz000066400000000000000000000167101440160026300205100ustar00rootroot00000000000000][oƒ~_1o{~Y
A	fX{m9U5M$
[f_UU9?틟M	iMjD#/җL{\=hi%}nVc5t141Mch<	nezzS䴀<4_tMO~^Bhu!D?m.Cpo,u
3YzM1H_Ww#~z粉7Uq)'mRvOv.<
OxRo^,Wa^='oqޔWq
-?!r_~S$q
1M%UL]3:^Ᏸ^KvfDWQ0z'ai-5FYkEKdf:֠
r|eDyV%XZ\
xlj3n^5oB8FP݀>/Be yƳB]*BQvyik7?0F=g=3g|lV`aQ/Cm/Sy~t^}Y#A#8XbIQw"&Vƍڣ7!RLL*}r;dA?WYּޮVmՃi~uQApe
z%<1|^PR.wpV#&ܕ$p`Tn! !D>Q2B4kkE*&3UQ4Iz=jks)<1J#%
`q)W%+sĸCBHq}xy4G-r,#/ؚFJT:kiUk?t(k<.dy![Bv}W̨hf}1v@Sw	ixᯎ'uHmmO4(ZhT͗nXFOeh<ٛ4Fɝ8xsf=Qfi`UE%fX_1~jrf"\eZ>ɧxLgG;bHI1'Ĉ#V9RQd<%]Iզ	I2gE@x0+YGR3@Ve/Zq
vwPZ),T|ΰIU)ȻcQ w"3k~E-CZo(׼!DWij5Tkř`z_aq]`Zvw@`\5zgm*X}΀&!7\,ģi˭Qpj%7a%W$qQ'nJM2	DYMLh,`f;3ջX]#DfL
C&=XPIn5OS^:>Bƺ͔-ui]weK"1:)Uz\UYK?
ږ.64'ÊO3wGFR%KuLm=^|x^ůX}PT@uu-gB$_#tSªD}ƱXvkUM:lgV;'+ZabtNJ]wY+VYcΊEµI%ʆbW02LTo5G%ߧ7"ۋe#]~.pyă2LJL,&VP.BRL7..irp qiUm=}GQ>fe̳gԆj1U/w:lI6_Oϴ9$$~ iCv[i
>ރB[6߭_ս>5ma6bUXmdoU]lwʓ2=!˓;[sg&ˬ8,;f]Jrn =eHmkDu"_Ѧ4>?Yq0>AX֬޿=U0m1+7/%кG=UVOד,e-wA@#rx_@>k#hCkUJؐt=ǂuuVAeG+
EzhY
D,0)o,\O~Pa.4#a+X>Lb;DA%$yi>0S@wi'N]dFh⼣@SLMJ]TX6fܡXW~Sk XG X'hώrw߆ƺYNI_İ(6\G*`M|`A3
LvE`rNg%Oj]E롑ߓ*Z؀_lQB%oI<!I5:=:݆ShJݒW)k^v0XfI)J2t oN^з Ǹ$n-ŕ:{qȸȨ$Ƽ,%.:aM!]G=a LNog1)T)k/IGNhN@yZ~t=ɒ0>aYúgVΐLsB2M9&AuvTg#3XQOU>gq,]VVI6ە(	M^{1*v?.zG-j{m7mh[-
18%ŗW*sRՉ˳<>+1AE_U!951ùن{bulFhslF#ؐ\[ [t4i.SϪnumWU7gdgO9{g)ȌeE}rM>~aV)̶02,ȇ"'6S~pjpw\?,fW2^c c6Uή'|w17~KNJ{cW23.[X#+wX!	T
eo:r^Ⳑ('|xp1Iχ]}?Ӂ2pa%Lx=2	/G7	gL8~sYfىgo?I޼ӿ<,vז=}~z{{1|2;\Jգ\KF{wPw=ߞ.{m!7.R/a^uuiBZpq}[?_#k)V/tQpN8\uݹP2mVvqOI))֛c_?yVޟHѻgΚ,5&sEd*}?|,mL&M	'
hWL`W'Yi]MΕmݍ\lΏ՜Itՙ~Jm7vUʴ=rVcU&
7Ji'
7Rg+u	$1D̈&l3Ol^bؘf9ٸqoLlg{{eߞHӲ?0\_}OgzF5FF-nsIesewo~wȳE~X~UM#l!D!|^˦ng{#z4u?9NzCݷzi}Օ>$Wd=*ֵmǁCMQ{al0^x;JU߁6Fx|\flsa2[
t"FMm0AHXRkH-F|![WFuzQ9OdTAHe'{|9c*Em=@;ʸԦ+Jz,ИIVȞYӣVCԐXe!#)XR`}mY<8p1V%6%1)bߓ`ޔ"e߷նt6XRtnvGMMh!0\[ٌX`ġʺʓbO
Bg3rbA`:	{:_-YN
[('40u)t
;:W8ɯIW	Q2-CcWVB:gg:{kaBЕ8ӕH/iՕhnMrf}p6Du4{Պ]EHK‹{"	Xh	z!)-XP`orAe0 EE=1V*e:.T!G?3"C|Yl̯zNC=;J^V3(- X0[%A
\Gz
$\i,K +թtzGۘ#ɐ
P`dTXc
=--D3Gi
,)yyx+flǡ$ːNJ$i9G#5GrdH)^	`g\kvvlw詫%?q!CV@ڕ,kd(&0142E)X7NzẈDLE9 02\Ii%ڇtlGeҔ8!KCHP=є9
Y-b}ۢm
DC("5ew5K>R
3<=
됅J!FĆ6C)FJאQPud!z30BRgA
U@[{m{uBp_[@B -@lXx^7ꉅM.hCХFRZ$L OFma#]v	iz|-QD"+l1zK+$
 `:dK̀D$e%Bڣ[yYRyDHMZaz812/"qK#=ǂآ@yBG@բBSњ]ʠо:NbP6HrhP/q<x*0F"BxawmEMRx:W4SB):&	w6f,,(dH@	CwU@
1fMdߣ#!KgsC.&퐩&#r-K=z!iK(=+NV%$ș@Ҷ؊}f}TrB.*3JC`<1#)"!eF(¡^$8why3-1.6.0/examples/swap.mlw000066400000000000000000000034341440160026300157210ustar00rootroot00000000000000
(** Swapping two integers in-place *)

module Swap

  use int.Int
  use ref.Ref

  let swap (ref a b: int) : unit
    writes  { a, b }
    ensures { a = old b /\ b = old a }
  =
    a <- a + b;
    b <- a - b;
    a <- a - b

end

(** It also works fine with machine integers, even with overflows *)

module SwapInt32

  use int.Int
  use ref.Ref

  (** a simple model of 32-bit integers with addition, subtraction,
      and possible overflows *)

  type int32 = < range -0x8000_0000 0x7fff_ffff >

  meta coercion function int32'int

  constant width : int = int32'maxInt - int32'minInt + 1

  val (+) (a: int32) (b: int32) : int32
    ensures { result =
         if a + b < int32'minInt then a + b + width
    else if a + b > int32'maxInt then a + b - width
    else    a + b }

  val (-) (a: int32) (b: int32) : int32
    ensures { result =
         if a - b < int32'minInt then a - b + width
    else if a - b > int32'maxInt then a - b - width
    else    a - b }

  predicate in_bounds (n: int32) = int32'minInt <= n <= int32'maxInt

  (** purely applicative version first *)

  let swap (a b: int32) : (x: int32, y: int32)
    requires { in_bounds a /\ in_bounds b }
    ensures  { int32'int x = b /\ int32'int y = a }
  =
    let a = a + b in
    let b = a - b in
    let a = a - b in
    a, b

  (** then rephrased with mutable variables *)

  let swap_ref (ref a b: int32) : unit
    requires { in_bounds a /\ in_bounds b }
    writes   { a, b }
    ensures  { int32'int a = old b /\ int32'int b = old a }
  =
    a <- a + b;
    b <- a - b;
    a <- a - b

end

(** with bitwise XOR this time *)

module SwapInt32xor

  use bv.BV32
  use ref.Ref

  let swap (ref a b: t) : unit
    writes   { a, b }
    ensures  { a = old b /\ b = old a }
  = a <- bw_xor a b;
    b <- bw_xor a b;
    a <- bw_xor a b

end

why3-1.6.0/examples/swap/000077500000000000000000000000001440160026300151745ustar00rootroot00000000000000why3-1.6.0/examples/swap/why3session.xml000066400000000000000000000022371440160026300202200ustar00rootroot00000000000000







 
 
 


 
 
 
 
 
 


 
 
 



why3-1.6.0/examples/swap/why3shapes.gz000066400000000000000000000007331440160026300176370ustar00rootroot00000000000000Օn0<6䱍Wٕ"5c$
IǯI c/x~µ7U+kАFWܽ>{oߟj g=IpK-7D/X߸XmzkB,-wy>,ኆ'[8~Y[Y8m5t$/	(+g'Tp.6B.mCP1iib8	1@R©wflapȢ]܉NBZnAe{Xej{7d{65:dp/w5]]6V}zm|p٘}	8gstDDHPU` a6)bx 3i됢aJB̩xˆHR'ush-8$N*,Ryr"c$9g2y!LIwhy3-1.6.0/examples/tests-provers/000077500000000000000000000000001440160026300170625ustar00rootroot00000000000000why3-1.6.0/examples/tests-provers/bitvec.mlw000066400000000000000000000005311440160026300210560ustar00rootroot00000000000000

use bv.BV32


goal udiv_42_17 : udiv (42:t) (17:t) = (2:t)

goal urem_42_17 : urem (42:t) (17:t) = (8:t)

goal sdiv_42_17 : sdiv (42:t) (17:t) = (2:t)

goal srem_42_17 : srem (42:t) (17:t) = (8:t)


constant m42 : t = sub (0:t) (42:t)

goal sdiv_m42_17 : sdiv m42 (17:t) = sub (0:t) (2:t)

goal srem_m42_17 : srem m42 (17:t) = sub (0:t) (8:t)
why3-1.6.0/examples/tests-provers/bitvec/000077500000000000000000000000001440160026300203365ustar00rootroot00000000000000why3-1.6.0/examples/tests-provers/bitvec/why3session.xml000066400000000000000000000032501440160026300233560ustar00rootroot00000000000000







 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 



why3-1.6.0/examples/tests-provers/bitvec/why3shapes.gz000066400000000000000000000003641440160026300230010ustar00rootroot00000000000000mMN1}N1K*#IEuh%nLH,{ò{5ap/xc޶s?n[הF1(`f(HUcUro0#c@Gۘv!L$m2;NⓘkSŶ!J8y+cqy=2PF6KjC(J*	ĢdF
eCk#]7$Yqwhy3-1.6.0/examples/tests-provers/bv.why000066400000000000000000000417661440160026300202400ustar00rootroot00000000000000theory CheckBV64
  use bv.BV64
  use int.Int as Int

  constant one   : t                                         = 1
  constant two   : t                                         = 2
  constant sz    : int                                       = 64
  constant mx    : int                                       = 0xFFFF_FFFF_FFFF_FFFF
  constant md    : int                                       = 0x1_0000_0000_0000_0000
  constant lastb : t                                         = 0x8000_0000_0000_0000

  goal ok_zero   : zeros                                     = (0:t)
  goal ok_ones   : ones                                      = (of_int mx)
  goal ok_zero2  : t'int zeros                               = 0
  goal ok_ones2  : t'int ones                                = mx
  goal ok_size   : size                                      = sz
  goal ok_max    : t'maxInt                                     = mx
  goal ok_tpsize : two_power_size                            = md

  goal ok1       : add ones one                              = zeros
  goal ok2       : sub zeros one                             = ones
  goal ok3       : neg ones                                  = one
  goal ok5       : mul one two                               = two
  goal ok6       : mul ones ones                             = one
  goal ok7       : udiv one two                              = zeros
  goal ok8       : urem one two                              = one
  goal ok9       : lsl_bv one one                            = two
  goal ok10      : lsl_bv ones one                           = sub ones one
  goal ok12      : lsr_bv one two                            = zeros
  goal ok13      : lsr_bv ones (sub (of_int sz) one)         = one
  goal ok14      : asr_bv one two                            = zeros
  goal ok15      : asr_bv ones two                           = ones
  goal ok16      : bw_and ones one                           = one
  goal ok17      : bw_or  ones one                           = ones
  goal ok18      : bw_xor ones one                           = sub ones one
  goal ok19      : bw_not ones                               = zeros
  goal ok20      : rotate_right_bv one one                   = lastb
  goal ok21      : rotate_right_bv ones two                  = ones
  goal ok22      : rotate_left_bv lastb one                  = one
  goal ok23      : rotate_left_bv ones two                   = ones
  goal ok24      : lsl_bv one (add (of_int sz) one)          = zeros
  goal ok25      : lsr_bv lastb (add (of_int sz) one)        = zeros
  goal ok26      : asr_bv lastb (add (of_int sz) one)        = ones
  goal ok27      : rotate_right_bv one (add (of_int sz) one) = lastb
  goal ok28      : rotate_left_bv one (add (of_int sz) one)  = two

  goal trap      : of_int md                                 = zeros

  goal smoke1    : neg lastb                                 = zeros
  goal smoke2    : udiv one zeros                            = zeros
  goal smoke3    : urem one zeros                            = zeros
  goal smoke4    : lsl_bv ones one                           = ones
  goal smoke5    : ugt (lsr_bv ones one) lastb
  goal smoke6    : ule (asr_bv lastb one) lastb
  goal smoke7    : rotate_right_bv one one                   = zeros
  goal smoke8    : rotate_left_bv lastb one                  = zeros

  (* from example/logic/bitvectors.why *)

  constant b0000  : t                                        = 0b0000
  constant b0001  : t                                        = 0b0001
  constant b0010  : t                                        = 0b0010
  constant b0011  : t                                        = 0b0011
  constant b0110  : t                                        = 0b0110
  constant b0101  : t                                        = 0b0101
  constant b0111  : t                                        = 0b0111
  constant b1100  : t                                        = 0b1100
  constant b11100 : t                                        = 0b11100

  constant size_sub_one : int                                = Int.(-) size 1

  goal g1 : bw_and b0011 b0110                               = b0010
  goal f1 : bw_and b0011 b0110                               = b0011

  goal g2 :  bw_or b0011 b0110                               = b0111
  goal f2 :  bw_or b0011 b0110                               = b0110

  goal g3 :  bw_xor b0011 b0110                              = b0101
  goal g4 :  bw_not b0011                                    = (0xFFFFFFFFFFFFFFFC:t)

  goal g3a : lsr_bv b0111 (2:t)                              = b0001
  goal g3b : lsr_bv ones (of_int size_sub_one)               = b0001
  goal f3  : lsr_bv ones (0x100000001:t)                     = (0x7FFFFFFF:t)

  goal g4a : lsl_bv b0111 (2:t)                              = b11100
  goal g4b : lsl_bv b0001 (31:t)                             = (0x80000000:t)

  goal g5a : asr_bv b0111 (2:t)                              = b0001
  goal g5b : asr_bv ones (of_int (Int.(-) size 1))           = ones

  goal g7 : t'int b11100                                   = 28
  goal f7 : t'int ones                                     = Int.(-_) 1

  goal g8a : nth_bv b0110 (2:t)                              = True
  goal g8b : nth_bv b0110 (3:t)                              = False

  goal Nth_Bv_bw_and:
    forall v1 v2 n. ult n size_bv ->
      nth_bv (bw_and v1 v2) n                                = andb (nth_bv v1 n) (nth_bv v2 n)

  goal Nth_Bv_bw_or:
    forall v1 v2 n. ult n size_bv ->
      nth_bv (bw_or v1 v2) n                                 = orb (nth_bv v1 n) (nth_bv v2 n)

  goal Nth_Bv_bw_xor:
    forall v1 v2 n. ult n size_bv ->
      nth_bv (bw_xor v1 v2) n                                = xorb (nth_bv v1 n) (nth_bv v2 n)

  goal Nth_Bv_bw_not:
    forall v n. ult n size_bv ->
      nth_bv (bw_not v) n                                    = notb (nth_bv v n)

  goal not_not : forall v:t. bw_not (bw_not v)               = v

  goal not_and : forall v1 v2:t.
    bw_not (bw_and v1 v2)                                    = bw_or (bw_not v1) (bw_not v2)

  goal Lsr_Bv_nth_bv_low: forall b n s.
    ult s size_bv -> ult n size_bv -> ult (add n s) size_bv ->
      nth_bv (lsr_bv b s) n                                  = nth_bv b (add n s)

  goal Lsr_Bv_nth_bv_high: forall b n s.
    ult s size_bv -> ult n size_bv -> uge (add n s) size_bv ->
      nth_bv (lsr_bv b s) n                                  = False

  goal Asr_Bv_nth_bv_low: forall b n s.
    ult s size_bv -> ult n size_bv -> ult (add n s) size_bv ->
       nth_bv (asr_bv b s) n                                 = nth_bv b (add n s)

  goal Asr_Bv_nth_bv_high: forall b n s.
    ult s size_bv -> ult n size_bv -> uge (add n s) size_bv ->
      nth_bv (asr_bv b s) n                                  = nth_bv b (sub size_bv one)

  goal Lsl_Bv_nth_bv_high: forall b n s.
    ult s size_bv -> ult n size_bv -> ult (sub n s) size_bv ->
      nth_bv (lsl_bv b s) n                                  = nth_bv b (sub n s)

  goal Lsl_Bv_nth_bv_low: forall b n s.
    ult s size_bv -> ult n size_bv -> uge (sub n s) size_bv ->
      nth_bv (lsl_bv b s) n                                  = False

end

theory CheckBV32
  use bv.BV32
  use int.Int as Int

  constant one   : t                                         = 1
  constant two   : t                                         = 2
  constant sz    : int                                       = 32
  constant mx    : int                                       = 0xFFFFFFFF
  constant md    : int                                       = 0x100000000
  constant lastb : t                                         = 0x80000000

  goal ok_zero   : zeros                                     = (0:t)
  goal ok_ones   : ones                                      = (of_int mx)
  goal ok_zero2  : t'int zeros                               = 0
  goal ok_ones2  : t'int ones                                = mx
  goal ok_size   : size                                      = sz
  goal ok_max    : t'maxInt                                     = mx
  goal ok_tpsize : two_power_size                            = md

  goal ok1       : add ones one                              = zeros
  goal ok2       : sub zeros one                             = ones
  goal ok3       : neg ones                                  = one
  goal ok5       : mul one two                               = two
  goal ok6       : mul ones ones                             = one
  goal ok7       : udiv one two                              = zeros
  goal ok8       : urem one two                              = one
  goal ok9       : lsl_bv one one                            = two
  goal ok10      : lsl_bv ones one                           = sub ones one
  goal ok12      : lsr_bv one two                            = zeros
  goal ok13      : lsr_bv ones (sub (of_int sz) one)         = one
  goal ok14      : asr_bv one two                            = zeros
  goal ok15      : asr_bv ones two                           = ones
  goal ok16      : bw_and ones one                           = one
  goal ok17      : bw_or  ones one                           = ones
  goal ok18      : bw_xor ones one                           = sub ones one
  goal ok19      : bw_not ones                               = zeros
  goal ok20      : rotate_right_bv one one                   = lastb
  goal ok21      : rotate_right_bv ones two                  = ones
  goal ok22      : rotate_left_bv lastb one                  = one
  goal ok23      : rotate_left_bv ones two                   = ones
  goal ok24      : lsl_bv one (add (of_int sz) one)          = zeros
  goal ok25      : lsr_bv lastb (add (of_int sz) one)        = zeros
  goal ok26      : asr_bv lastb (add (of_int sz) one)        = ones
  goal ok27      : rotate_right_bv one (add (of_int sz) one) = lastb
  goal ok28      : rotate_left_bv one (add (of_int sz) one)  = two

  goal trap      : of_int md                                 = zeros

  goal smoke1    : neg lastb                                 = zeros
  goal smoke2    : udiv one zeros                            = zeros
  goal smoke3    : urem one zeros                            = zeros
  goal smoke4    : lsl_bv ones one                           = ones
  goal smoke5    : ugt (lsr_bv ones one) lastb
  goal smoke6    : ule (asr_bv lastb one) lastb
  goal smoke7    : rotate_right_bv one one                   = zeros
  goal smoke8    : rotate_left_bv lastb one                  = zeros
end

theory CheckBV16
  use bv.BV16
  use int.Int as Int

  constant one   : t                                         = 1
  constant two   : t                                         = 2
  constant sz    : int                                       = 16
  constant mx    : int                                       = 65535
  constant md    : int                                       = 65536
  constant lastb : t                                         = 32768

  goal ok_zero   : zeros                                     = (0:t)
  goal ok_ones   : ones                                      = (of_int mx)
  goal ok_zero2  : t'int zeros                               = 0
  goal ok_ones2  : t'int ones                                = mx
  goal ok_size   : size                                      = sz
  goal ok_max    : t'maxInt                                     = mx
  goal ok_tpsize : two_power_size                            = md

  goal ok1       : add ones one                              = zeros
  goal ok2       : sub zeros one                             = ones
  goal ok3       : neg ones                                  = one
  goal ok5       : mul one two                               = two
  goal ok6       : mul ones ones                             = one
  goal ok7       : udiv one two                              = zeros
  goal ok8       : urem one two                              = one
  goal ok9       : lsl_bv one one                            = two
  goal ok10      : lsl_bv ones one                           = sub ones one
  goal ok12      : lsr_bv one two                            = zeros
  goal ok13      : lsr_bv ones (sub (of_int sz) one)         = one
  goal ok14      : asr_bv one two                            = zeros
  goal ok15      : asr_bv ones two                           = ones
  goal ok16      : bw_and ones one                           = one
  goal ok17      : bw_or  ones one                           = ones
  goal ok18      : bw_xor ones one                           = sub ones one
  goal ok19      : bw_not ones                               = zeros
  goal ok20      : rotate_right_bv one one                   = lastb
  goal ok21      : rotate_right_bv ones two                  = ones
  goal ok22      : rotate_left_bv lastb one                  = one
  goal ok23      : rotate_left_bv ones two                   = ones
  goal ok24      : lsl_bv one (add (of_int sz) one)          = zeros
  goal ok25      : lsr_bv lastb (add (of_int sz) one)        = zeros
  goal ok26      : asr_bv lastb (add (of_int sz) one)        = ones
  goal ok27      : rotate_right_bv one (add (of_int sz) one) = lastb
  goal ok28      : rotate_left_bv one (add (of_int sz) one)  = two

  goal trap      : of_int md                                 = zeros

  goal smoke1    : neg lastb                                 = zeros
  goal smoke2    : udiv one zeros                            = zeros
  goal smoke3    : urem one zeros                            = zeros
  goal smoke4    : lsl_bv ones one                           = ones
  goal smoke5    : ugt (lsr_bv ones one) lastb
  goal smoke6    : ule (asr_bv lastb one) lastb
  goal smoke7    : rotate_right_bv one one                   = zeros
  goal smoke8    : rotate_left_bv lastb one                  = zeros
end

theory CheckBV8
  use bv.BV8
  use int.Int as Int

  constant one   : t                                         = 1
  constant two   : t                                         = 2
  constant sz    : int                                       = 8
  constant mx    : int                                       = 255
  constant md    : int                                       = 256
  constant lastb : t                                         = 128

  goal ok_zero   : zeros                                     = (0:t)
  goal ok_ones   : ones                                      = (of_int mx)
  goal ok_zero2  : t'int zeros                               = 0
  goal ok_ones2  : t'int ones                                = mx
  goal ok_size   : size                                      = sz
  goal ok_max    : t'maxInt                                     = mx
  goal ok_tpsize : two_power_size                            = md

  goal ok1       : add ones one                              = zeros
  goal ok2       : sub zeros one                             = ones
  goal ok3       : neg ones                                  = one
  goal ok5       : mul one two                               = two
  goal ok6       : mul ones ones                             = one
  goal ok7       : udiv one two                              = zeros
  goal ok8       : urem one two                              = one
  goal ok9       : lsl_bv one one                            = two
  goal ok10      : lsl_bv ones one                           = sub ones one
  goal ok12      : lsr_bv one two                            = zeros
  goal ok13      : lsr_bv ones (sub (of_int sz) one)         = one
  goal ok14      : asr_bv one two                            = zeros
  goal ok15      : asr_bv ones two                           = ones
  goal ok16      : bw_and ones one                           = one
  goal ok17      : bw_or  ones one                           = ones
  goal ok18      : bw_xor ones one                           = sub ones one
  goal ok19      : bw_not ones                               = zeros
  goal ok20      : rotate_right_bv one one                   = lastb
  goal ok21      : rotate_right_bv ones two                  = ones
  goal ok22      : rotate_left_bv lastb one                  = one
  goal ok23      : rotate_left_bv ones two                   = ones
  goal ok24      : lsl_bv one (add (of_int sz) one)          = zeros
  goal ok25      : lsr_bv lastb (add (of_int sz) one)        = zeros
  goal ok26      : asr_bv lastb (add (of_int sz) one)        = ones
  goal ok27      : rotate_right_bv one (add (of_int sz) one) = lastb
  goal ok28      : rotate_left_bv one (add (of_int sz) one)  = two

  goal trap      : of_int md                                 = zeros

  goal smoke1    : neg lastb                                 = zeros
  goal smoke2    : udiv one zeros                            = zeros
  goal smoke3    : urem one zeros                            = zeros
  goal smoke4    : lsl_bv ones one                           = ones
  goal smoke5    : ugt (lsr_bv ones one) lastb
  goal smoke6    : ule (asr_bv lastb one) lastb
  goal smoke7    : rotate_right_bv one one                   = zeros
  goal smoke8    : rotate_left_bv lastb one                  = zeros
end





theory Extras

  use bv.BV64

  lemma mod_mult: forall x [@model] a [@model] b [@model].
      ule zeros x ->
      ult zeros a ->
      ult zeros b ->
      ule a (0xffff_ffff:t) ->
      ule b (0xffff_ffff:t) ->
      urem (urem x (mul a b)) a = urem x a



end
why3-1.6.0/examples/tests-provers/bv/000077500000000000000000000000001440160026300174715ustar00rootroot00000000000000why3-1.6.0/examples/tests-provers/bv/why3session.xml000066400000000000000000003636041440160026300225250ustar00rootroot00000000000000


















 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
  
  
  
  
  
  
  
  
  
  
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 


 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 


 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 


 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 


 
 
 
 
 
 
 
 
 



why3-1.6.0/examples/tests-provers/bv/why3shapes.gz000066400000000000000000000116421440160026300221350ustar00rootroot00000000000000Yo]7ϧ4e~mLjp)&l+ēO?"dIN<4%].Ūy,o~wwMzor0%~ow/m(n}SE[>aw<=&Cϯz_ajc6G9A>a7sm(?>>X=kzx|Sǧ9>ˇ[_'}kYz1Ήo˷Yn|ww{Oݏ?}zS/y^~_|WϿy9y=_~W~o{³=N[=(M波'Wl^d޳E~//8>%g7Z~Zk;}~yܯ,aK)`Ϧhuh5v>/>GRXo57y8r(>/c^<`ʳfm/oا,?}f]~tjuYi,E>?O_rw/O|#7:Byɾx1_2ZoxL[?OBu۬(O~WΦ^O?ʟ?.VuLwۇqgq_6ྂK<-UM=|8o>ײ˔]_u]r\OsUIӉ不|5oRsYvrWyjgTY/=ZR5xO{m'c1pNCXcf6ˈbg4)txŕkZfe6.).66V^y8"Wcb
'd&~qf,UGH{AXޓXԄ
s)RJuP5Yn>&H+^uL%0ky_ZMJt#qem z"Z`zTjRT[YK&P7UdiǪW&Wk4Tc3\%fqd	Kk18^ve=Ž
 
Y6{_Z2!h[	T$jr+z_ld8C%iL/g^ue"z":uUdT){%.GiZ[J=$1W'v@6aic]ҨZejaR=z W%l*g,L:Y2dn./ե=V&yJ9Y,(G&[25
FuDMk"'c.=y/Kd!䔻+eζ:j\Jԛ{,OW/3ɝaQ_8'-)r^!IV]182ꎺ^B/NAP(q{佾M[VNFjnWGd$HH=?-d'ߖ+Ȩq#%@_~J\{4TJDz"@Q>CO)DwUV#DdjWVMV)ਜJO奤å1Wm=©]i1^&h¾m
]
jtsi@{̮<9P핯zʰZ}92@>+%nHQXSvӎ,+qԀo0hN`i-]W2TGdajkmD_
z%kc>%:R mEmr*L)e!R4DŽ	``zL蠬ܑs5MKyRjBYW"6B&B\NUu+-{#0ũ5ʢڎD4W=g!a栧=&.4>0ΐ)UU
~7b6
A䪿3\;8c߭(SCctC0.|ajڊWeP>Ǟe몣yK*cxu5/ꭙ)%[r(CQ(:Ht/,5rn6ـrX10'Z;>ZZqx}r.CiVGt592e*T(L\A/FnNQ$5CmQ4TB8ep*5tt>Xy(O}t(|-hΫg0UCt(UO`"re Y),)d̃+xk5HybO'er.O2ŒиCa-է	
Zcl VĴ@rsHnveAfӴz۔1J$*ca2ڗAx	(qlOg9D&t-oDviSVMlDB+PXO0aݡYqiaIEBmdT/Hq\[A|IYȈe;)'0S7؅jC/+/Qo`u!٘"e8ʕ&`#mGB[zH|
zCB 2d1B	|E9I(dj/pjN\z&yFiZe}~yqXd*4v1P64-B"*VPI33`YD.:5ql%_c8d@_B1^Btrye.#	d
S(X/ʨ],*WT:AbʡbuBK=ȣzu
ք-%FPM2klׄpN3Pڃ"/lh&\wҾ2.-8!WPes.*7M34_uG@^&4ʈ
7:R1=f]Z+y&HD7X{n(
꽪^}au0Ne@"@W*==::I
PXГb%8	'=ӡnqF(;p:
2P#ےA{LLӖCE|,~GogetE𙰄]dH@RzMa.r`(kVqAe;BPE$feU2y;"UQ5MRS@>/u'why3-1.6.0/examples/tests-provers/ceil.why000066400000000000000000000017531440160026300205350ustar00rootroot00000000000000theory Ceil
  use real.Real
  use real.RealInfix
  use real.Truncate

  goal ceil_obvious: ceil 0.1 = 1

  lemma unity:
   forall b: real. b > 0.0 -> b = 1.0 *. b

  lemma unity2:
   forall b: real. b > 0.0 -> b /. b = (1.0 *. b) /. b

  lemma perm_div:
   forall a b:real. a > 0.0 /\ b > 0.0 -> (a *. b) /. b = a *. (b /. b)

  lemma perm_div2:
   forall a b:real. a > 0.0 /\ b > 0.0 -> a *. b /. b = a /. b *. b

  lemma div_mult_perm:
   forall b: real. b > 0.0 -> (1.0 /. b) *. b = (1.0 *. b) /. b

  lemma b_div_b_is_one:
    forall b: real. b > 0.0 -> 1.0 = b /. b

  lemma inverse_inverse_is_same:
    forall b: real. b > 0.0 -> 1.0 = (1.0 /. b) *. b

  lemma inverse_bigger_zero:
    forall b: real. b > 0.0 -> 1.0 /. b > 0.0

  lemma div_equals_mult_w_inverse:
    forall a b:real. b > 0.0 -> a /. b = a *. (1.0 /. b)

  lemma mult_bigger_zero:
    forall a b: real. a > 0.0 /\ b > 0.0 -> a *. b > 0.0

  goal ceil_never_zero:
    forall a b: real. a > 0.0 /\ b > 0.0 -> ceil (a /. b) <> 0
end
why3-1.6.0/examples/tests-provers/ceil/000077500000000000000000000000001440160026300177765ustar00rootroot00000000000000why3-1.6.0/examples/tests-provers/ceil/why3session.xml000066400000000000000000000074751440160026300230330ustar00rootroot00000000000000









 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 



why3-1.6.0/examples/tests-provers/ceil/why3shapes.gz000066400000000000000000000010001440160026300224250ustar00rootroot00000000000000uKo1FW%Tj#/#Q

l8"$=pKe5͋g/qwc:^<v%%v<۟?m+jAz]nɯ*Vǎ9@ʕb^/O[jыelr	{gI5oN;Zsͫ鞍-,$͆3‡zT*it2\#dSx4nɭdCt[1S&aAAT5fT#1@D#z1!{tԺ	VR3B"G?1A7xS-)%5R&h
T\RF>2Y=]ɠ+y 646I=ݘ?%+O,a*~E(4^b(ƤP8`@!2ו8;why3-1.6.0/examples/tests-provers/coq-interval.why000066400000000000000000000002071440160026300222160ustar00rootroot00000000000000theory P

  use real.Real
  use real.PowerInt

  goal pow_eps2_max_int :
    power (1.0 + (0x7.p-50 + 0x3.p-53)) 2147483647 <= 2.0

endwhy3-1.6.0/examples/tests-provers/coq-interval/000077500000000000000000000000001440160026300214665ustar00rootroot00000000000000why3-1.6.0/examples/tests-provers/coq-interval/coqmninterval_P_pow_eps2_max_int_1.v000066400000000000000000000010261440160026300305720ustar00rootroot00000000000000(* This file is generated by Why3's Coq driver *)
(* Beware! Only edit allowed sections below    *)
Require Import BuiltIn.
Require Reals.Rfunctions.
Require BuiltIn.
Require int.Int.
Require real.Real.
Require real.RealInfix.
Require real.PowerInt.

Require Import Interval.Tactic.

(* Why3 goal *)
Theorem pow_eps2_max_int :
  ((Reals.Rfunctions.powerRZ
    (1%R + ((7 / 1125899906842624)%R + (3 / 9007199254740992)%R)%R)%R
    2147483647%Z)
   <= 2%R)%R.
Proof.
Strategy 1000 [Rfunctions.powerRZ].
interval with (i_prec 34).
Qed.

why3-1.6.0/examples/tests-provers/coq-interval/why3session.xml000066400000000000000000000011031440160026300245010ustar00rootroot00000000000000






 
 
 



why3-1.6.0/examples/tests-provers/coq-interval/why3shapes.gz000066400000000000000000000002051440160026300241230ustar00rootroot0000000000000010@=ETvc'-I]P5U'e{5<%k5for<}tC6BEh+*:@y
[
FǼ|1pԱ=	cH40KdOo`~Rkwhy3-1.6.0/examples/tests-provers/coq.why000066400000000000000000000004461440160026300204010ustar00rootroot00000000000000theory NonEmptyTypes

  type t 'a = T 'a
  type u 'a = U1 (t (u 'a)) | U2

  function f : 'a

  inductive v (c : u 'a) =
    | v1 : forall c : u 'a. v (U1 (T c))
    | v2 : v (f : u 'a)

  function id (x : 'a) : 'a
  axiom ax : forall x : 'a. id x = x

  goal g1 : exists x : 'a. id x = x

end
why3-1.6.0/examples/tests-provers/coq/000077500000000000000000000000001440160026300176445ustar00rootroot00000000000000why3-1.6.0/examples/tests-provers/coq/coq_NonEmptyTypes_g1_1.v000066400000000000000000000020141440160026300242770ustar00rootroot00000000000000(* This file is generated by Why3's Coq driver *)
(* Beware! Only edit allowed sections below    *)
Require Import BuiltIn.
Require BuiltIn.

(* Why3 assumption *)
Inductive t (a:Type) :=
  | T : a -> t a.
Axiom t_WhyType : forall (a:Type) {a_WT:WhyType a}, WhyType (t a).
Existing Instance t_WhyType.
Implicit Arguments T [[a]].

(* Why3 assumption *)
Inductive u (a:Type) :=
  | U1 : (t (u a)) -> u a
  | U2 : u a.
Axiom u_WhyType : forall (a:Type) {a_WT:WhyType a}, WhyType (u a).
Existing Instance u_WhyType.
Implicit Arguments U1 [[a]].
Implicit Arguments U2 [[a]].

Parameter f: forall {a:Type} {a_WT:WhyType a}, a.

(* Why3 assumption *)
Inductive v {a:Type} {a_WT:WhyType a}: (u a) -> Prop :=
  | v1 : forall (c:(u a)), (v (U1 (T c)))
  | v2 : (v (f : (u a))).

Parameter id: forall {a:Type} {a_WT:WhyType a}, a -> a.

Axiom ax : forall {a:Type} {a_WT:WhyType a}, forall (x:a), ((id x) = x).

(* Why3 goal *)
Theorem g1 : forall {a:Type} {a_WT:WhyType a}, exists x:a, ((id x) = x).
Proof.
exists why_inhabitant.
apply ax.
Qed.

why3-1.6.0/examples/tests-provers/coq/why3session.xml000066400000000000000000000010541440160026300226640ustar00rootroot00000000000000






 
 
 



why3-1.6.0/examples/tests-provers/coq/why3shapes.gz000066400000000000000000000001551440160026300223050ustar00rootroot00000000000000R(H,H-V(K-*ϳR0SJML	33p2
]RsJ*̓RӒ̍̍LR-MRSS̍,̌M-<=4bwhy3-1.6.0/examples/tests-provers/cvc3.why000066400000000000000000000002211440160026300204440ustar00rootroot00000000000000

theory Test

  use real.Real

  lemma test1 : forall x : real. x/ 0.0 = 0.0

  lemma test2 : forall x:real. x/x=1.0

  lemma test3 : false

endwhy3-1.6.0/examples/tests-provers/cvc3/000077500000000000000000000000001440160026300177205ustar00rootroot00000000000000why3-1.6.0/examples/tests-provers/cvc3/why3session.xml000066400000000000000000000032261440160026300227430ustar00rootroot00000000000000










 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 



why3-1.6.0/examples/tests-provers/cvc3/why3shapes.gz000066400000000000000000000002451440160026300223610ustar00rootroot00000000000000510=N:AbE+rG0EHܞ{gt/}̗mgۭ
y;fuzO+pD_z,")J4DxCE|>KU%VtC1dFʮc)&_1kwhy3-1.6.0/examples/tests-provers/div.why000066400000000000000000000025361440160026300204030ustar00rootroot00000000000000
theory EuclideanDivTest

  use int.Int
  use int.EuclideanDivision

  constant div_m1_2 : int = div (-1) 2
  constant mod_m1_2 : int = mod (-1) 2
  constant div_1_m2 : int = div 1 (-2)
  constant mod_1_m2 : int = mod 1 (-2)
  constant div_m1_m2 : int = div (-1) (-2)
  constant mod_m1_m2 : int = mod (-1) (-2)

  goal ok1 : div_m1_2 = -1
  goal ok2 : mod_m1_2 = 1
  goal ok3 : div_1_m2 = 0
  goal ok4 : mod_1_m2 = 1
  goal ok5 : div_m1_m2 = 1
  goal ok6 : mod_m1_m2 = 1

  goal smoke1 : div_m1_2 = 0
  goal smoke2 : mod_m1_2 = -1
  goal smoke3 : div_1_m2 = 1
  goal smoke4 : mod_1_m2 = -1
  goal smoke5 : div_m1_m2 = 0
  goal smoke6 : mod_m1_m2 = -1

end

theory ComputerDivTest

  use int.Int
  use int.ComputerDivision

  constant div_m1_2 : int = div (-1) 2
  constant mod_m1_2 : int = mod (-1) 2
  constant div_1_m2 : int = div 1 (-2)
  constant mod_1_m2 : int = mod 1 (-2)
  constant div_m1_m2 : int = div (-1) (-2)
  constant mod_m1_m2 : int = mod (-1) (-2)

  goal ok1 : div_m1_2 = 0
  goal ok2 : mod_m1_2 = -1
  goal ok3 : div_1_m2 = 0
  goal ok4 : mod_1_m2 = 1
  goal ok5 : div_m1_m2 = 0
  goal ok6 : mod_m1_m2 = -1

  goal smoke1 : div_m1_2 = -1
  goal smoke2 : mod_m1_2 = 1
  goal smoke3 : div_1_m2 = -1
  goal smoke4 : mod_1_m2 = -1
  goal smoke5 : div_m1_m2 = -1
  goal smoke6 : mod_m1_m2 = 1

  goal div_pos_neg: forall x y. x>=0 -> y<0 -> div x y <= 0


end
why3-1.6.0/examples/tests-provers/div/000077500000000000000000000000001440160026300176445ustar00rootroot00000000000000why3-1.6.0/examples/tests-provers/div/why3session.xml000066400000000000000000000717761440160026300227060ustar00rootroot00000000000000

























 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 


 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 



why3-1.6.0/examples/tests-provers/div/why3shapes.gz000066400000000000000000000012401440160026300223010ustar00rootroot00000000000000]RGWcbMc^WtC>lle#K0vF=U/n_{>~?_m>zg?G<=^ȳ-%|-x]/|C|i|W}:--D/=|~<.??~;[,w"А2m	ǖnMĻ rݚj.iN9&6ֺd]Z))Lp ؐ65.$Tdr72l'G"#
f me
H^`A"why3-1.6.0/examples/tests-provers/div_real.why000066400000000000000000000013671440160026300214070ustar00rootroot00000000000000
theory DivTest

  use real.Real

  constant div_m1_2 : real = (-1.0) / 2.0
  constant div_1_m2 : real = 1.0 / (-2.0)
  constant div_m1_m2 : real = (-1.0) / (-2.0)

  goal ok1 : div_m1_2 = -0.5
  goal ok3 : div_1_m2 = -0.5
  goal ok5 : div_m1_m2 = 0.5

  goal smoke1 : div_m1_2 = 0.0
  goal smoke3 : div_1_m2 = 1.0
  goal smoke5 : div_m1_m2 = 0.0

  goal div_bound0: forall x y. 0.0 < x <= y -> 0.0 < x/y <= 1.0

  lemma div_le:
     forall x y z. 0.0 < y -> x <= z * y -> x/y <= z

  lemma div_lt:
     forall x y z. 0.0 < y -> x < z * y -> x/y < z

  lemma le_div:
     forall x y z. 0.0 < y -> z * y <= x -> z <= x/y

  lemma lt_div:
     forall x y z. 0.0 < y -> z * y < x -> z < x/y

  goal div_bound1: forall x y. 0.0 < x <= y -> 0.0 < x/y <= 1.0


end
why3-1.6.0/examples/tests-provers/div_real/000077500000000000000000000000001440160026300206475ustar00rootroot00000000000000why3-1.6.0/examples/tests-provers/div_real/why3session.xml000066400000000000000000000124321440160026300236710ustar00rootroot00000000000000













 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 



why3-1.6.0/examples/tests-provers/div_real/why3shapes.gz000066400000000000000000000007401440160026300233100ustar00rootroot00000000000000mn!;Ov`Qr%j_ʀQrfխ"d03{՟wv p=݀zӯ߇_p]e_K^za
ܿOXzU߀+`AfB^qCO-R>FJ5mP^P0aqMfX]G@PSmDi߼J)4iФIr
ӑg,xJ/ze8f`Q QȆ	큒17;%v%y,QdZSh-DCə @=Ț!%TZ*US'|why3-1.6.0/examples/tests-provers/dreal.mlw000066400000000000000000000065571440160026300207070ustar00rootroot00000000000000theory Misc
  use real.RealInfix
  use real.Abs
  use real.ExpLog
  use int.Int

  (* Exp and log estimates, proved by dReal but not the other provers *)
  goal exp_limit : forall x : real. abs x <=. 25. -> exp x <=. 72004899338.
  goal log_limit : -. log (1. -. 0x1p-39) +. abs(log (1. -. 0x1p-39) *. 0x1p-36) <=. 0x1p-38

  let function exp_limit_fun (x:real)
    requires { abs x <=. 25. }
    ensures { exp x <=. 72004899338. }
  = ()

  use real.FromInt
  use int.Abs as AbsInt
  (* FromInt is not supported *)
  goal exp_limit_from_int_KO : forall x : int. AbsInt.abs x <= 25 -> exp (from_int x) <=. 72004899338.
  (* from_int 3 is simplified by 3. at the printer level *)
  goal from_int : from_int 3 <=. 4.

  use real.MinMax
  goal min_max_test : min 3. 4. >. max 1. 2.

  (* Square *)
  use real.Square
  (* Unfotunately not proved by dReal *)
  goal sqr_sqrt_KO : forall x. 0. <=. x -> sqr (sqrt x) = x
  goal sqr_sqrt_no_forall_KO : sqr (sqrt 3.) = 3.

  goal sqrt2_estimate : 1.41421356237 <=. sqrt 2. <=. 1.41421356238

  use real.PowerReal
  (* These are proved by dReal but not by CVC4/5, Alt-Ergo or Z3 *)
  goal power : forall x. pow x 2. <=. 9. -> abs x <=. 3.
  goal power2: forall x:real. x >. 2.5 -> (pow x 3.0) *. 2.0 >. 20.0

  (* This is not proved by dReal nor by any other prover *)
  goal sqr_sqrt2_KO : forall x. 0. <=. x -> pow (sqrt x) 2. = x

  (* This works because this reduces to true at the printer level *)
  goal huge_power : pow 5. 100. <=. 7.8886091e69

  (* Trigonometry *)
  use real.Trigonometry
  (* Basic axioms/lemmas, proved by dReal *)
  goal Pythagorean_identity : forall x:real. sqr (cos x) +. sqr (sin x) = 1.0
  goal Cos_le_one: forall x:real. abs (cos x) <=. 1.0
  goal Sin_le_one: forall x:real. abs (sin x) <=. 1.0
  goal Cos_sum: forall x y:real. cos (x+.y) = cos x *. cos y -. sin x *. sin y
  goal Sin_sum: forall x y:real. sin (x+.y) = sin x *. cos y +. cos x *. sin y
end

theory Quantifiers
  use int.Int
  function g (x : int) : int
  axiom g_pos : forall z. g z >= 0
  goal g2 : g 3 >= 0

  function h (x : int) : int
  axiom h_pos : forall x. x >= 0 -> h x >= 0
  goal g3: forall x. h (g x) >= 0
end

theory P
  use real.Real

  goal x_mul_x_pos :
    forall x:real. x * x >= 0.0

  function sqr (x:real) : real = x * x

  goal sqr_pos :
    forall x:real. sqr x >= 0.0
end

theory P2
  use real.Real
  use real.Square

  goal sqr_pos :
    forall x:real. sqr x >= 0.0
end

theory P3
  use real.Real
  use real.Trigonometry

  (* unprovable without cos-constant.ax, which causes failures for more interesting goals *)
  goal cos_bound :
    forall x:real. -1.0 <= cos x <= 1.0

  goal cos_bound_harder :
    forall x:real. -0.7 <= x <= 0.7 -> 0.7 <= cos x <= 1.0


  use real.Abs

  goal MethodErrorOK: forall x:real. abs x <= 0x1p-5 ->
    abs (1.0 - 0.5 * (x * x) - cos x) <= 0x1p-24

  goal MethodErrorWrong: forall x:real. abs x <= 0x1p-5 ->
    abs (1.0 - 0.5 * (x * x) - cos x) <= 0x1p-25
end


theory Power
  use real.RealInfix
  use real.PowerReal

  (* Here we check that we don't prove false assertions *)
  goal G_KO: false
  goal G1_KO: forall x:real. x >. 2.0 -> (pow x 3.0) *. 2.0 >. 20.0
  goal G2_KO: forall x:real. x >. 2.0 -> x >. 5.0
end


theory PolyPaverExamples
  use real.Real
  use real.ExpLog

  goal g1_KO: forall a b : real.
    -10.0 <= a <= 10.0 ->
    -10.0 <= b <= 10.0 ->
    b > a + 0.1 ->
    exp a - exp b > (b-a) * exp ((a + b) / 2.0)
end
why3-1.6.0/examples/tests-provers/dreal/000077500000000000000000000000001440160026300201515ustar00rootroot00000000000000why3-1.6.0/examples/tests-provers/dreal/dreal_PolyPaverExamples_g1_1.v000066400000000000000000000012101440160026300257300ustar00rootroot00000000000000(* This file is generated by Why3's Coq driver *)
(* Beware! Only edit allowed sections below    *)
Require Import BuiltIn.
Require Reals.Rtrigo_def.
Require Reals.Rpower.
Require BuiltIn.
Require real.Real.
Require real.ExpLog.

(* Why3 goal *)
Theorem g1_KO :
  forall (a:Reals.Rdefinitions.R) (b:Reals.Rdefinitions.R),
  ((-10%R)%R <= a)%R /\ (a <= 10%R)%R ->
  ((-10%R)%R <= b)%R /\ (b <= 10%R)%R -> ((a + (1 / 10)%R)%R < b)%R ->
  (((b - a)%R * (Reals.Rtrigo_def.exp ((a + b)%R / 2%R)%R))%R <
   ((Reals.Rtrigo_def.exp a) - (Reals.Rtrigo_def.exp b))%R)%R.
(* Why3 intros a b (h1,h2) (h3,h4) h5. *)
Proof.
intros a b (h1,h2) (h3,h4) h5.

Qed.

why3-1.6.0/examples/tests-provers/dreal/why3session.xml000066400000000000000000000104271440160026300231750ustar00rootroot00000000000000







 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 


 
 
 
 
 
 


 
 
 
 
 
 


 
 
 


 
 
 
 
 
 
 
 
 
 
 
 


 
 
 
 
 
 
 
 
 


 
 
 
 



why3-1.6.0/examples/tests-provers/dreal/why3shapes.gz000066400000000000000000000023331440160026300226120ustar00rootroot00000000000000Vn7}vݒԍ*Ey/ՠn6RҬNG#rG9Շxwo?.r/x6z'~$=
'n7]z^>}D
W߳΅?/ru7urȥ|q=K>~>Ы~
Fn9\۽oyRwF>;R~z؁FT#z2c;'S|`D
tPw:h	dB7a7=]kA+OY0m6<%WtaőW+C7OS'yKpguxƷ2/8ꛮ]Mm2̆o^U$KUG՝eNGEe{X!;oFgCou4|3$
7'˶"۵0|:bGi@-W7{=|_z!s/M̸ [pOr1
VO_f|,ŋU3ls9-j`Q.:>	,):c-ALF\6Z`(Qb[o9CeW.:f
+N$2@ h6&8fP %jԂ-)CAvzhA$ϕhMdBĔ5&T/HIEAk8q\zX[Ś9ks/~9r;	eq(1kdS'
dX1XnZg0*.f h'NBy+X,^rGځ%enzZpGLҠ$u%gʙ(6S٠R'tIsj!7CգSBj=N5#!ER@*U].*Z UTT6AWׁL.\[DHԇr]4zꂫkm&&L$V1t_]0{b[DER(DZc^D
K0')c
ª#TxxAĈC)@	ޕY\V&ȆE-t$z3@>U
=BUK)b$"VPL
-&0Nhtj4TctҪ9nt,ZӪ7vO
why3-1.6.0/examples/tests-provers/gappa.why000066400000000000000000000044641440160026300207130ustar00rootroot00000000000000
theory TestGappa

   use real.Real
   use real.Abs
   use real.Square
   use floating_point.Rounding
   use floating_point.Single as Single
   use floating_point.Double

  lemma Round_single_01:
    Single.round NearestTiesToEven 0.1 = 0x1.99999ap-4

  lemma Round_double_01:
    Double.round NearestTiesToEven 0.1 = 0x1.999999999999ap-4

   lemma Test00: forall x:real.  abs x <= 2.0 -> -3.0 <= x

   lemma Test01:
       forall x:double.
          -2.0 <= value x <= 2.0 ->
             abs((value x) * (value x) -
                 round NearestTiesToEven ((value x) * (value x))) <= 0x1p-52

   lemma Test02:
       forall x y:double.
          abs (value x) <= 2.0 ->
            y = x ->
             abs((value y) * (value y) -
                 round NearestTiesToEven ((value x) * (value x))) <= 0x1p-52

   lemma Test03:
       forall x y z:double.
          abs (value x) <= 2.0 ->
          value y = round NearestTiesToEven ((value x) * (value x)) ->
          z = y ->
          sqrt ((value z - (value x)*(value x))*(value y - (value x)*(value x))) <= 0x1p-52

end

theory GappaEq

  use real.Real
  use real.Abs
  use floating_point.Rounding
  use floating_point.Double

  constant a : double
  constant r : double
  function f int : double
  function g int int : double

  lemma Test1:
     value r = round NearestTiesToEven 0.1 ->
     a = r ->
     abs (value a - 0.1) <= 0x1.p-53

  lemma Test2:
     value r = round NearestTiesToEven 0.1 ->
     f 0 = r ->
     abs (value (f 0) - 0.1) <= 0x1.p-53

  lemma Test3:
     value r = round NearestTiesToEven 0.1 ->
     g 0 1 = r ->
     abs (value (g 0 1) - 0.1) <= 0x1.p-53

end



theory GappaEq2

  use real.Real

  use floating_point.Rounding
  use floating_point.Double

  constant q1 : double
  constant q2 : double
  axiom H1 : -2.0 <= value q1 <= 2.0
  axiom H2 : -2.0 <= value q2 <= 2.0

  constant result : double
  (* result = q1 * q2 *)
  axiom H :
    value result = round NearestTiesToEven (value q1 * value q2)

  goal G1 : value result - value q1 * value q2 <= 0x1.p-52

  goal G2 : forall q:double. q = result ->
     value q - value q1 * value q2 <= 0x1.p-52

  goal G3 : forall q:double. ([@lab1] q) = result ->
     value ([@lab2] q) - value q1 * value q2 <= 0x1.p-52

end

theory GappaNumbers

  use int.Int

  goal G1 : 0x1f - 0o37 = 0
  goal G2 : 0b1001 - 9 = 0

end
why3-1.6.0/examples/tests-provers/gappa/000077500000000000000000000000001440160026300201525ustar00rootroot00000000000000why3-1.6.0/examples/tests-provers/gappa/why3session.xml000066400000000000000000000041321440160026300231720ustar00rootroot00000000000000






 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 


 
 
 
 
 
 
 
 
 


 
 
 
 
 
 
 
 
 


 
 
 
 
 
 



why3-1.6.0/examples/tests-provers/gappa/why3shapes.gz000066400000000000000000000012131440160026300226070ustar00rootroot00000000000000MOA+rlRWU=KO(3i(I@꿯w!PHTYivϼ[h)׺Yzs~uqG9eo*klusvN/+~^.c)*z$7Ǘ\J1Gν7!t\&
+j;YxNYʑŭp^s}Nyx{C,> ®iwLW": (0.0:Float32.t)

end

module M603_018
  use ieee_float.Float32

  constant x : t = zeroF
  constant y : t = 1.0
  constant z : t = y ./ (2.0:t)
  constant t : t = (x .+ y) ./ (2.0:t)

  let triplet (x y z : t)
    requires { x .<= z /\ z .<= y }
    requires { .-(1.0:t) .<= x /\ x .<= (10.0:t) }
    requires { y .= x .+ (1.0:t) }
    requires { roundToIntegral RTN z = x }
    requires { roundToIntegral RTP z = y }
  =
    let ghost t = (x .+ y) ./ (2.0:t) in
    assert { roundToIntegral RTN x .= x };
    assert { roundToIntegral RTN y .= y };
    assert { roundToIntegral RTN z .= x };
    assert { roundToIntegral RTN t .= x };

    assert { roundToIntegral RTP x .= x };
    assert { roundToIntegral RTP y .= y };
    assert { roundToIntegral RTP z .= y };
    assert { roundToIntegral RTP t .= y };

    assert { x .<= z /\ z .<= y };
    assert { x .<= t /\ t .<= y };
    ()

  goal G1: roundToIntegral RTN x .= x
  goal G2: roundToIntegral RTN y .= y
  goal G3: roundToIntegral RTN z .= x
  goal G4: roundToIntegral RTN t .= x

  goal G5: roundToIntegral RTP x .= x
  goal G6: roundToIntegral RTP y .= y
  goal G7: roundToIntegral RTP z .= y
  goal G8: roundToIntegral RTP t .= y

  goal G9: x .<= z /\ z .<= y
  goal G10: x .<= t /\ t .<= y

end

module M121_039_nonlinear

  use ieee_float.Float32

  constant max : t = 340282346638528859811704183484516925440.0
  constant min : t = .- max

  constant one : t = 1.0

  predicate in_range (x :t) = min .<= x .<= max

  predicate axiom_mult (a b y : t) =
     if a .<= b /\ y .<= zeroF then a .* y .>= b .* y else false

  let ghost test (a x y:t)
    requires { zeroF .<= a .<= one }
    requires { .- one .<= x .<= one }
    requires { .- one .<= y .<= one }
    requires { x .> zeroF /\ y .< zeroF /\ x .+ y .>= zeroF }
    ensures  { result .>= zeroF /\ result .<= (2.0:t) }
  =
    assert { axiom_mult a one y };
    assert { a .>= zeroF };
    assert { a .<= one };
    assert { x .> zeroF };
    assert { y .<= zeroF };
    assert { y .* a .<= zeroF };
    assert { y .* a .>= y .* one };
    assert { x .+ y .* a .>= x .+ y };
    assert { x .+ y .>= zeroF };
    assert { x .+ y .* a .>= zeroF };
    x .+ y .* a

end

module LB09_025_conversion

  use ieee_float.Float32
  use int.Int

  let ghost fti x
    requires { x .>= of_int RNE (-2147483648) /\ x .+ (of_int RNE 1) .<= of_int RNE 2147483647 }
    ensures  { of_int RNE result .>= x .- (of_int RNE 1) }
    ensures  { of_int RNE result .<= x .+ (of_int RNE 1) }
    ensures  { result = to_int RNE x }
  =
    to_int RNE x


  let ghost fti_purely_float x
    requires { x .>= (-2147483648.0:t) /\ x .< (2147483648.0:t) }
    ensures  { of_int RNE result .>= x .- (1.0:t) }
    ensures  { of_int RNE result .<= x .+ (1.0:t) }
    ensures  { result = to_int RNE x }
  =
    to_int RNE x

end



theory Literals

  use ieee_float.Float32

  goal wrong : forall x:t. x .* (0.0:t) .= (0.0:t)

  goal ok : forall x:t. t'isFinite x -> x .* (0.0:t) .= (0.0:t)

  goal more : (1.5:t) .* (0.5:t) .= (0.75:t)
  
end
why3-1.6.0/examples/tests-provers/ieee_float/000077500000000000000000000000001440160026300211565ustar00rootroot00000000000000why3-1.6.0/examples/tests-provers/ieee_float/why3session.xml000066400000000000000000000311411440160026300241760ustar00rootroot00000000000000























 
 
 
 
 
 
 
 
 
 
 
 
 
 
 


 
 
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 


 
 
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
 
 


 
 
  
  
  
  
  
  
  
  
  
  
  
 
 
 
 
  
  
  
  
  
  
  
 
 


 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 



why3-1.6.0/examples/tests-provers/ieee_float/why3shapes.gz000066400000000000000000000035031440160026300236170ustar00rootroot00000000000000Y[kI}_M>b`Cajo28{d;eƞrw:Uu۫].N?ߕꇫ\Χ?[.QO/'~AH}žɚtpllݴC\~>,Wߗr&?a½,LjX_Dة^Q4]1{t^Qi%o6<]:NU\ӈ٥#`ܿ3TnO		G;y!w'Bޯ{{!wB&N^Gn<<fhmnO0r<8k]r-;m_N=V;mGm[M6PКkY>]~:lв?م=
a7W.o0~vMrٮ0\c7`
v6]7wE16G	[[͍wSl/'iTJbR$ŔRHz[ &4j.F[W#r-hJI
wZBGiN]RͶMB$ȳ\=!6k$T֚۞Z;QzTZұLd!`q83PXlj)"YqDeTt^4kT^tIAL(rR4I3Rb5ӥ,!D^HvC5lmpʡR7[TcZ`@%B9V:+6"ތҪ.ՁDKY[zZW>)%BGW-I165!BB!]׉]rӈ
=.MeEqpUhM6%ΑE>-s ;PNlEQ@?4dH
4P^EͽL4e = 0.0

  function sqr (x:real) : real = x * x

  goal sqr_pos :
    forall x:real. sqr x >= 0.0

end

theory P2

  use real.Real
  use real.Square

  goal sqr_pos :
    forall x:real. sqr x >= 0.0

end

theory P3

  use real.Real
  use real.Trigonometry

  (* unprovable without cos-constant.ax, which causes failures for more interesting goals *)
  goal cos_bound :
    forall x:real. -1.0 <= cos x <= 1.0

  goal cos_bound_harder :
    forall x:real. -0.7 <= x <= 0.7 -> 0.7 <= cos x <= 1.0


  use real.Abs

  goal MethodErrorOK: forall x:real. abs x <= 0x1p-5 ->
    abs (1.0 - 0.5 * (x * x) - cos x) <= 0x1p-24

  goal MethodErrorWrong: forall x:real. abs x <= 0x1p-5 ->
    abs (1.0 - 0.5 * (x * x) - cos x) <= 0x1p-25

end


theory Power

use real.RealInfix
use real.PowerReal

goal G: false

goal G1: forall x:real. x >. 2.0 -> (pow x 3.0) *. 2.0 >. 20.0

goal G2: forall x:real. x >. 2.0 -> x >. 5.0

end


theory PolyPaverExamples

  use real.Real
  use real.ExpLog

  goal g1: forall a b : real.
    -10.0 <= a <= 10.0 ->
    -10.0 <= b <= 10.0 ->
    b > a + 0.1 ->
    exp a - exp b > (b-a) * exp ((a + b) / 2.0)

end
why3-1.6.0/examples/tests-provers/metitarski/000077500000000000000000000000001440160026300212365ustar00rootroot00000000000000why3-1.6.0/examples/tests-provers/metitarski/why3session.xml000066400000000000000000000033541440160026300242630ustar00rootroot00000000000000






 
 
 
 
 
 


 
 
 


 
 
 
 
 
 
 
 
 
 
 
 


 
 
 
 
 
 
 
 
 


 
 
 



why3-1.6.0/examples/tests-provers/metitarski/why3shapes.gz000066400000000000000000000007421440160026300237010ustar00rootroot00000000000000P˒1+rlMd[)*.[Jɶ\pߣLeFnb;YϻttzǻK'oe#48ׇ̠ž>ʛ{i!xAЦu^haP'\GtzIE`XY1QЋrcIm22~/>Mqb7(?gۼ|Q2q=+Lw[Ki|ĭ-u< tJK\e`;|Nc6ֱv_d298iS]̧y$BPRJ-l"/sf`
CyPϋ(8IXޣ՘9E]1zMr*ױk3xԣ,LD}BDi$>,ˎ'*%`VR-:83B)pn2Fj444!.Pwhy3-1.6.0/examples/tests-provers/polypaver.why000066400000000000000000000010361440160026300216340ustar00rootroot00000000000000
theory TestReal

  (*

  Examples from http://michalkonecny.github.io/polypaver/_site/index.html

*)

  use real.Real

  goal add1 : 1.0 + 2.0 = 3.0

  goal add2 : 1.2 + 3.4 = 5.6

  use real.Square
  use real.ExpLog

  goal exp_hyp:
    forall x:real. 0.01 < x < 5.1785 ->
      (3.0 + sqr x / 11.0) * ((exp x - exp (-x))/2.0) <
        x * (2.0 + (exp x + exp (-x))/2.0 + sqr x / 11.0)

  goal g1:
    forall a b:real.
      -10.0 <= a <= 10.0 /\ -10.0 <= b <= 10.0 /\ b > a + 0.1 ->
      exp b - exp a > (b-a) * exp ((a + b) / 2.0)

end
why3-1.6.0/examples/tests-provers/polypaver/000077500000000000000000000000001440160026300211035ustar00rootroot00000000000000why3-1.6.0/examples/tests-provers/polypaver/why3session.xml000066400000000000000000000014751440160026300241320ustar00rootroot00000000000000






 
 
 
 
 
 
 
 
 
 
 
 



why3-1.6.0/examples/tests-provers/polypaver/why3shapes.gz000066400000000000000000000004541440160026300235460ustar00rootroot00000000000000mN /owMߴ׊eZ@
.iZ)rj*S2G4S2u'.9UusOA/ڱ{WVcl2[$lf,1$Ot[t.d*$	UhG#Eq/Q!GG&2s:UY爢3PdxqqC܅(*,9"Dv fckH1/@why3-1.6.0/examples/tests-provers/signed_bv.mlw000066400000000000000000000011561440160026300215460ustar00rootroot00000000000000
use mach.bv.BVCheck8

let add (x y : t) : t
  requires { sle (0:t) x }
  requires { sle x (42:t) }
  requires { sle (0:t) y }
  requires { sle y (67:t) }
=
  s_add x y

let sub (x y : t) : t
  requires { sle (0:t) x }
  requires { sle x (42:t) }
  requires { sle (0:t) y }
  requires { sle y (67:t) }
=
  s_sub x y

let mul (x y : t) : t
  requires { sle (neg (10:t)) x }
  requires { sle x (10:t) }
  requires { sle (neg (7:t)) y }
  requires { sle y (7:t) }
=
  s_mul x y

let div (x y : t) : t
  requires { sle (0:t) x }
  requires { sle x (42:t) }
  requires { slt (0:t) y }
  requires { sle y (67:t) }
=
  s_div x y
why3-1.6.0/examples/tests-provers/signed_bv/000077500000000000000000000000001440160026300210225ustar00rootroot00000000000000why3-1.6.0/examples/tests-provers/signed_bv/why3session.xml000066400000000000000000000045561440160026300240540ustar00rootroot00000000000000








 
 
  
  
  
  
 
 
 
 
  
  
  
  
 
 
 
 
  
  
  
  
  
 
 
 
 
  
  
  
  
  
  
  
  
  
 
 



why3-1.6.0/examples/tests-provers/signed_bv/why3shapes.gz000066400000000000000000000013321440160026300234610ustar00rootroot00000000000000MO@{lfޯ
2*7_/
1
$nq9rXξ#=xDS5[Z:5t:ņfؼU)Sh\!tcMrW|+
/|b,ZUyr[jJ5,py§=Or]aCz;l	ˬbbIǸOvrɵgxvjo?y>/i52:t0!]&~x}gr}2;(t3/}Ԅ7dГ-Ʈ$pkX5mz;ݰm)Lǚ4d=q;kel|c?cdҶțQbs (HxH`a8۬dG=f&Pxi9ej0Hv*ef
LC:I*Cउ2ZDYyK,!h1(d`
/!&86HrF*Q:R)}
}<Mk%Fx-e&Fr0kRE\*JLļĔ3!LH4N+kBE̢	a%]PpNZ=PIrQzJq }%:wu:KGWC>why3-1.6.0/examples/tests-provers/strings.mlw000066400000000000000000000232371440160026300213030ustar00rootroot00000000000000
module TestString

  use string.String
  use int.Int

  goal Empty: "" = ""

  goal Empty2: empty = ""

  goal Test0: not ("a" = "b")

  constant a: string

  goal Test1:
    (if 2 + 2 = 4 then "a" = a else "b" = a) -> "a" = a
    (* this should be proved even with alt-ergo due to the sharing of
       literals *)

  goal Test2:
    let a = if 2 + 2 = 4 then "a" else "" in
    let b = if 2 + 2 = 4 then "b" else "" in
    not (a = b)

  goal Test3:
    let a = if 2 + 2 = 4 then "a" else "" in
    let b = if 2 + 2 = 4 then "a" else "" in
    a = b

  goal Test4:
    let s = "abcdef" in substring s 2 3 = "cde"

  goal TestConcat1:
    let s1 = "abc" in
    let s2 = "defg" in
    concat s1 s2 = "abcdefg"

  goal TestConcat5:
    concat "" "" = ""

  goal TestLength1: length "a" = 1
  goal TestLength2: length "ab" = 2
  goal TestLength3: length "abc" = 3
  goal TestLength4: length (concat "ab" "12") = 4
  (* TODO \xC3\xA9 is the encoding of 'é' *)
  (* TODO goal TestLength5: length "\xC3\xA9" = 2 *)

  goal TestLt1: lt "" "a"
  goal TestLt2: lt "a" "b"
  goal TestLt3: lt "ab" "b"
  goal TestLt4: lt "abcde" "b"
  goal TestLt5: lt "a" "1"
  goal TestLt6: lt "A" "a"

  goal TestLT: not (lt "" "")
  goal TestLE: not (le "A" "")

  goal TestAt1:
    s_at "abc" 3 = empty

  goal TestSubstring1:
    substring "abcdef" 1 3 = "bcd"

  goal TestSubstring2:
    substring "abcdef" 1 10 = "bcdef"

  goal containsTest1: contains "" ""

  goal substring_contains: forall s1 s2.
    contains s1 s2 -> exists i. substring s1 i (length s2) = s2

  goal TestIndefof1:
    indexof "" "" 0 = 0

  goal TestIndefof2:
    indexof "a" "" 0 = 0

  goal TestIndefof3:
    indexof "" "a" 0 = -1

  goal TestIndefof4:
    indexof "a" "" 1 = 1

  goal TestIndefof5:
    indexof "a" "" 2 = -1

  goal TestIndefof6:
    indexof "ab" "" 2 = 2

  goal TestIndefof7:
    indexof "abcdef" "c" 0 = 2

  goal TestIndefof8:
    indexof "abcdef" "c" 2 = 2

  goal TestIndefof9:
    indexof "abcdef" "c" 3 = -1

  goal TestIndefof10:
    indexof "abcdef" "cdef" 0 = 2

  goal TestIndexof11: forall s1.
    indexof s1 "" 0 = 0

  goal TestReplace1: forall s2 s3.
   s2 <> "" -> replace "" s2 s3 = ""

  goal TestReplace2: forall s1 s3. (* check standard to see if this makes sense *)
   replace s1 "" s3 = concat s3 s1

  goal TestReplace3:
   replace "abcde" "bc" "1234" = "a1234de"

  goal TestReplace4:
   replace "abcdefg" "fg" "" = "abcde"

  goal TestReplace5:
   replace "abcdefabcdef" "bc" "123" = "a123defabcdef"

  goal to_int_lt_0: forall s i.
    0 <= i < length s && lt (s_at s i) "0"
        -> to_int s = -1

  goal to_int_gt_9: forall s i.
    0 <= i < length s && lt "9" (s_at s i)
        -> to_int s = -1

  goal TestIsDigit:
    is_digit "0" && is_digit "1" && is_digit "2" && is_digit "3" &&
    is_digit "4" && is_digit "5" && is_digit "6" && is_digit "7" &&
    is_digit "8" && is_digit "9"

  goal TestIsDigit2:
    not (is_digit "00") && not (is_digit "q") && not (is_digit "-1") &&
    not (is_digit "10") && not (is_digit "!") && not (is_digit "\xAA")

  goal TestTo_int1: to_int "1" = 1
  goal TestTo_int2: to_int "11" = 11
  goal TestTo_int3: to_int "123" = 123
  goal TestTo_int4: to_int "" = -1
  goal TestTo_int5: to_int "a" = -1
  goal TestTo_int6: to_int "-1" = -1
  goal TestTo_int7: to_int "-2" = -1
  goal TestTo_int8: to_int "-11" = -1
  goal TestTo_int9: to_int "1a1" = -1

  goal TestFrom_int: from_int 1 = "1"

  goal TestProvedInAltergo1: forall s1 s2.
    length s1 = length (concat s1 s2) -> s2 = ""

  (* proved with alt-ergo but not with CVC4 *)
  goal TestProvedInAltergo2: forall s1 s2.
    prefixof s1 s2 -> exists i. substring s2 0 i = s1
  (*** TODO: axioms about to_int -- the following are not proved *)

end

module TestInput

  use string.String

  goal T0: length "this is a test" = 14
  goal T1: length "\x17" = 1
  goal T2: length "\o027" = 1
  goal T3: length "\023" = 1
  goal T4: length "\t" = 1
  goal T5: length "\\" = 1
  goal T6: length "\"" = 1
  goal T7: length "\n" = 1
  (* goal T8: length "\p" = 1 *)
  (*   goal T9: length "a *)
  (* b" = 2 *)
  goal T10: length "'" = 1
  goal T11: length "/" = 1
  goal T12: length "`" = 1
  (* à is the same as \195\160 *)
  (* goal T13: length "à" = 1 *)
  (* goal T14: length "Ϯ" = 1 *)
  (* á is the same as \195\161, \o303\o241, \xC3\xA1 *)
  (* goal T15: length "á" = 1 *)
  goal T16: length "\o303\o241" = 2
  goal T17: length "\xC3\xA1" = 2
  (* goal T18: length "\o477" = 2 *)
  goal T19: length "\xFFA" = 2
  goal T20: length "\000" = 1
  goal T21: length "\161" = 1
  goal T22: length "\r" = 1
  goal T23: length "'" = 1
  (* goal T24: length "\256" = 2 *)
  goal T25: length "this \
                    is a \
                    test" = 14
  goal T26: length "\065" = 1
  goal T27: length "\x41" = 1
  goal T28: length "\o101" = 1
  goal T29: "A" = "\065" = "\x41" = "\o101"

end

module TestRegExpr
  use string.String as S
  use string.RegExpr

  (* in_re and to_re *)
  goal TestIn1:
    in_re "a" (to_re "a")

  goal TestIn2:
    in_re "abc" (to_re "abc")

  goal TestIn3:
    not (in_re "abc" (to_re "abd"))

  lemma TestToReInRe: forall s.
    in_re s (to_re s)

  (* concat *)

  goal TestConcat1:
    let r1 = to_re "a" in
    let r2 = to_re "b" in
    in_re "ab" (concat r1 r2)

  goal TestConcat2:
    let r1 = to_re "a" in
    let r2 = to_re "b" in
    not (in_re "ba" (concat r1 r2))

  goal TestConcat3:
    let r1 = to_re "abc" in
    let r2 = to_re "def" in
    in_re "abcdef" (concat r1 r2)

  goal TestConcat4:
    let r1 = to_re "a" in
    in_re (S.concat "a" "a") (concat r1 r1)

  lemma concat: forall s1 s2.
    let r1 = to_re s1 in
    let r2 = to_re s2 in
    in_re (S.concat s1 s2) (concat r1 r2)

  goal concat_exists: forall s r1 r2.
    in_re s (concat r1 r2) -> exists s1 s2.
      S.concat s1 s2 = s && in_re s1 r1 && in_re s2 r2

  (* union *)

  goal TestUnion1:
    let r1 = to_re "a" in
    let r2 = to_re "b" in
    in_re "a" (union r1 r2) && in_re "b" (union r1 r2)

  goal TestUnion2:
    let r1 = to_re "a" in
    forall re. in_re "a" (union r1 re) && in_re "a" (union re r1)

  goal in_union1: forall s1 r1 r2.
    in_re s1 r1 -> in_re s1 (union r1 r2)

  goal in_union2: forall s1 r1 r2.
    in_re s1 r2 -> in_re s1 (union r1 r2)

  goal in_union: forall s1 r1 r2.
    in_re s1 r1 || in_re s1 r2 -> in_re s1 (union r1 r2)

  (* inter *)

  goal TestInter1:
    let r1 = to_re "a" in
    let r2 = to_re "b" in
    not (in_re "a" (inter r1 r2))

  goal TestInter2:
    let r1 = to_re "a" in
    let r = to_re "b" in
    let r2 = union r1 r in
    in_re "a" (inter r1 r2)

  lemma in_inter1: forall s1:string, r1:re, r2:re.
    in_re s1 (inter r1 r2) -> in_re s1 r1

  lemma in_inter2: forall s1:string, r1:re, r2:re.
    in_re s1 (inter r1 r2) -> in_re s1 r2

  (* star *)

  goal TestInStar1:
    let a = star (to_re "a") in
    in_re "aaa" a &&
    not (in_re "aba" a)

  goal TestInStar2:
    let a = to_re "a" in
    let b = to_re "b" in
    let ab = star (union a b) in
    in_re "a" ab &&
    in_re "b" ab &&
    in_re "babab" ab &&
    in_re "baaa" ab &&
    in_re "aaaa" ab &&
    in_re "bbbb" ab &&
    not (in_re "acaab") ab

  goal TestDigit:
    let d = union (to_re "0") (union (to_re "1") (union (to_re "2")
           (union (to_re "3") (union (to_re "4") (union (to_re "5")
           (union (to_re "6") (union (to_re "7") (union (to_re "8")
            (to_re "9"))))))))) in
    let ds = star d in
    let is_digit x = in_re x d in
    let are_digits x = in_re x ds in
    is_digit "1" && is_digit "9" && is_digit "0" &&
    not (is_digit "a") && not (is_digit "12") &&
    are_digits "0" && are_digits "4" && are_digits "9" &&
    are_digits "1850" && are_digits "10" && are_digits "000" &&
    not (are_digits "1 ") && not (are_digits " 1") &&
    not (are_digits "1a") && not (are_digits "a1") &&
    not (are_digits "a")

  goal star1: forall s re.
    in_re s re -> in_re s (star re)

  lemma star2: forall re.
    in_re S.empty (star re)

  (* plus *)

  goal TestPlus1:
    let a = plus (to_re "a") in
    in_re "a" a && in_re "aaa" a && not (in_re "b" a) &&
    not (in_re "ab" a) && not (in_re "" a)

  lemma def_plus: forall re.
    plus re = concat re (star re)

  goal plus_star: forall s r.
    in_re s (plus r) -> in_re s (star r)

  (* none, all, allchar *)

  goal TestAllChar:
    in_re "a" allchar && in_re "1" allchar && in_re "!" allchar &&
    not (in_re "aa" allchar) && not (in_re "!!" allchar)

  goal TestAll:
    in_re "as 3hoiqjndhfgasohn123^*&(T@GIGDSOA" all

  lemma allchar: forall s.
    S.length s = 1 -> in_re s allchar

  lemma in_re_none: forall s: string.
    not (in_re s none)

  lemma all_allchar: forall s.
    in_re s (star allchar)

  lemma in_re_all: forall s.
    in_re s all

  lemma union_all: forall r.
    union all r = union r all = all

  lemma inter_all: forall r.
    inter r all = inter all r = r

  lemma star_all: star all = all

  (* opt *)

  goal TestOpt1:
    let a = to_re "a" in
    in_re "a" (opt a) && in_re "" (opt a) && not (in_re "ab" (opt a))

  lemma empty_opt: forall re.
    in_re "" (opt re)

  lemma in_opt: forall s.
    in_re s (opt (to_re s))

  (* range *)

  goal TestRange1:
    in_re "b" (range "a" "c") &&
    in_re "b" (range "b" "c") &&
    in_re "b" (range "a" "b") &&
    not (in_re "d" (range "a" "c"))

  goal TestRange2:
    not (in_re "abc" (range "a" "b"))

  goal range_negative: forall s.
    not (in_re s (range "b" "a"))

  goal range_not_singleton: forall s.
    not (in_re s (range "ba" "a"))

  (* power, loop *)

  goal TestPower1:
    let a = to_re "a" in
    in_re "aa" (power 2 a)

  goal TestPower2:
    let ab = to_re "ab" in
    in_re "ababab" (power 3 ab)

  goal TestPower3: forall i.
    let ab = to_re "ab" in
    in_re "ababab" (power i ab)

  goal TestLoop1:
    let a = to_re "a" in
    in_re "aa" (loop 2 3 a)



end
why3-1.6.0/examples/tests-provers/strings/000077500000000000000000000000001440160026300205535ustar00rootroot00000000000000why3-1.6.0/examples/tests-provers/strings/why3session.xml000066400000000000000000000404331440160026300235770ustar00rootroot00000000000000












 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 


 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 


 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 



why3-1.6.0/examples/tests-provers/strings/why3shapes.gz000066400000000000000000000100551440160026300232140ustar00rootroot00000000000000[o]GrC2q0H/AD!>q*1А2)O>wҶ,)kW^j}}8^u<>=X7m2}`,PߊGc)oSŒlo'nխ~{.TL˅sUc}xwVamؽůaK{o,{0OLgn堘>wޯkr\LO}<43emof_ZviQ:i	w?\a"TN9Vst߻>~zت.EzP/8=|wOB7qv)žpPi\Mk;NiwOww(](\]\HIts9|u9r{}9rYdc1\Znܶc0.6qm1}9r4LJFq7~w.H'ܬU1;W)>Oӝ?'O׆
kt5~WU)ׯoٸ7xe?"?2raۧD>}~ƕmYuDžk]4Ao/M:MlC->:[w&͚7GCFl
p4o,).2EX?>g7G'53T۽ɽ9Yyl{_}[?|h.xt|nM'yze??|Wߣݟ7:l%;q:z?dbZ>ף&;[%Hm{
x$EΟoj07^>R1H`yώ2J,yN}ߍ"?/=4\Xx/FVv_zRc3,MVR{3n8swW\nyR-M
BsP+;a	5M^$K¥R@ MMӄШHڦR-nނ$Ĉ$5p`5 :C
7ܵ25.uEpb
E.r[/xDdobr%wO/D*iBBj4AgYmaR=ddu#۾bn5.W9R+}/kUPX@ZlQ:	`6oP*Rij@^w`E):iU1%CDڀˆH`Y%k̨~VW
n6]yYU07ڿ`;$i6Iܫnᚩy֛EsYGvChՋg=@cֹ9WcXbTj߀񃃆|)bImTE֘Zjp!BiAjʠRxݘ@ӞsicVXR#:R3
dN#jvJ:Eul&VeEĻdDZ
B{ZhZBҕ"fL+fͫv2Td],B!/Yӑi[Gl^SRHZ/]])wV>'[E
dA5A:܂K%13N`tuH{!AD"\B^W_4piwT$vKW&DBgSUDL/޻(}6›QCW%vʯ.vۻb?_(why3-1.6.0/examples/tests-provers/zeros.mlw000066400000000000000000000006371440160026300207530ustar00rootroot00000000000000
(** Test for all provers: setting all the elements of an array to zero *)

use int.Int
use array.Array

let set_zeros (a : array int) =
  ensures { forall j: int. 0 <= j < a.length -> a[j] = 0 }
  for i = 0 to a.length - 1 do
    invariant { forall j: int. 0 <= j < i -> a[j] = 0 }
    a[i] <- 0
  done

let harness () =
  let a0 = make 42 1 in
  set_zeros a0;
  assert { length a0 = 42 };
  assert { a0[12] = 0 }
why3-1.6.0/examples/tests-provers/zeros/000077500000000000000000000000001440160026300202245ustar00rootroot00000000000000why3-1.6.0/examples/tests-provers/zeros/why3session.xml000066400000000000000000000064731440160026300232560ustar00rootroot00000000000000

















 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 



why3-1.6.0/examples/tests-provers/zeros/why3shapes.gz000066400000000000000000000005231440160026300226640ustar00rootroot00000000000000]Ak!+<)G]%	’Z쬛BRC}$6|s|Zpt>?ixn!ǖޭu'>\ȷnnCܽ$&VYSY]X,g`Ytu1ADi?IO?]C\;LK`HmZ5:+`c5Oh@qTLD'= 42) then x + 3 else 0

  let f_no_lab (x:int) : int
    ensures { result <= 50 }
  = if x >= 42 then x + 3 else 0

  use ref.Ref

  let g (x : ref int) : int
    ensures { result <= 50 }
  = x := !x + 1;
    if (!x >= 42) then !x + 3 else 0

end
why3-1.6.0/examples/tests/alt-ergo-models.why000066400000000000000000000041541440160026300211140ustar00rootroot00000000000000
theory T

  use int.Int

  goal g_no_lab : forall x:int. x >= 42 -> x + 3 <= 50

  goal g_lab0 : forall x [@model:0]:int. ([@model:cond] x >= 42) ->
    ([@model:concl] x + 3 <= 50)

  goal g_lab1 : forall x [@model:1]:int. ([@model:cond] x >= 42) ->
    ([@model:concl] x + 3 <= 50)

  constant g : int

  goal g2_lab : forall x [@model:0]:int. ([@model:concl] g >= x)


end

theory ModelInt

use int.Int

goal test0 : forall x [@model:0]:int. not (0 < x < 1)

goal test1 : forall x [@model:0]:int. not (0 <= x <= 1)

use int.EuclideanDivision

goal test2 : forall x [@model:0]:int. div x x = 1

goal test_overflow:
  forall x [@model:0] y [@model:0] :  int.
     0 <= x <= 65535 /\ 0 <= y <= 65535 -> 0 <= x + y <= 65535

goal test_overflow2:
  forall x [@model:0] y [@model:0] :  int.
     -2 <= x <= 65535 /\ -2 <= y <= 65535 -> -2 <= x + y <= 65535

predicate is_int16 (x:int) = -65536 <= x <= 65535

goal test_overflow_int16:
  forall x [@model:0] y [@model:0] :  int.
     is_int16 x /\ is_int16 y -> is_int16 (x + y)

goal test_overflow_int16_alt:
  forall x [@model:0] y [@model:0] :  int.
      -65536 <= x <= 65535 /\ -65536 <= y <= 65535 -> -65536 <= x+y <= 65535

goal test_overflow_int16_bis:
  forall x [@model:0] y [@model:0] :  int.
     is_int16 x /\ is_int16 y /\
     ([@model:cond1] 0 <= x) /\ (x <= y) -> is_int16 (x + y)

predicate is_int32 (x:int) = -2147483648 <= x <= 2147483647

goal test_overflow_int32:
  forall x [@model:0] y [@model:0] :  int.
     is_int32 x /\ is_int32 y -> is_int32 (x + y)

goal test_overflow_int32_bis:
  forall x [@model:0] y [@model:0] :  int.
     is_int32 x /\ is_int32 y /\ 0 <= x <= y -> is_int32 (x + y)

goal test_overflow_int32_bis_inline:
  forall x [@model:0] y [@model:0] :  int.
     -2147483648 <= x <= 2147483647 /\ -2147483648 <= y <= 2147483647 /\ 0 <= x <= y -> -2147483648 <= x + y <= 2147483647

end

theory ModelReal

use real.Real

goal test1 : forall x [@model:0]:real. not (0.0 < x < 1.0)

goal test2 : forall x [@model:0]:real. x/x=1.0

end

theory ModelArray

use map.Map

goal t1 : forall t [@model:0] :map int int, i [@model:0] : int.
   get (set t 0 42) i = get t i

end


why3-1.6.0/examples/tests/alt-ergo-models/000077500000000000000000000000001440160026300203575ustar00rootroot00000000000000why3-1.6.0/examples/tests/alt-ergo-models/why3session.xml000066400000000000000000000066521440160026300234100ustar00rootroot00000000000000






 
 
 
 
 
 
 
 
 
 
 
 




 
 
 
 
 
 
 
 
 
 
 
 


 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 


 
 
 
 
 
 


 
 
 



why3-1.6.0/examples/tests/array-test.mlw000066400000000000000000000014351440160026300202030ustar00rootroot00000000000000module TestArray

  use int.Int
  use array.Array

  let test_append () =
    let a1 = make 17 2 in
    assert { a1[3] = 2 };
    a1[3] <- 4;
    assert { a1[3] = 4 };
    let a2 = make 25 3 in
    assert { a2[0] = 3 }; (* needed to prove a[17]=3 below *)
    let a  = append a1 a2 in
    assert { length a = 42 };
    assert { a[3] = 4 };
    assert { a[17] = 3 };
    ()

  let test_fill () =
    let a = make 17 True in
    fill a 10 4 False;
    assert { a[9] = True };
    assert { a[10] = False };
    assert { a[14] = True }

  let test_blit () =
    let a1 = make 17 True in
    let a2 = make 25 False in
    blit a1 10 a2 17 7;
    assert { a1[10] = True  };
    assert { a2[16] = False };
    assert { a2[17] = True  };
    assert { a2[23] = True  };
    assert { a2[24] = False }

end

why3-1.6.0/examples/tests/bitvector-test.why000066400000000000000000000014431440160026300210750ustar00rootroot00000000000000
theory TestBv32

  use bv.BV32

  lemma Test1:
    let b = bw_and zeros ones in nth b 1 = False

  lemma Test2:
    let b = lsr ones 16 in nth b 15 = True

  lemma Test3:
    let b = lsr ones 16 in nth b 16 = False

  lemma Test4:
    let b = asr ones 16 in nth b 15 = True

  lemma Test5:
    let b = asr ones 16 in nth b 16 = True

  lemma Test6:
    let b = asr (lsr ones 1) 16 in nth b 16 = False

end

theory NthConvert

  use mach.int.Int

  use bv.BV8 as BV8
  use bv.BV64 as BV64
  use bv.BVConverter_8_64 as BVC

  lemma bv8_to_bv64_low:
    forall x i. 0 <= i < 8 -> BV64.nth (BVC.toBig x) i = BV8.nth x i
        by forall i.
             BV64.nth_bv (BVC.toBig x) (BVC.toBig i) = BV8.nth_bv x i

  lemma bv8_to_bv64_high:
    forall x i. 8 <= i < 64 -> BV64.nth (BVC.toBig x) i = false
end
why3-1.6.0/examples/tests/bv-smtlib-realization.why000066400000000000000000000114601440160026300223350ustar00rootroot00000000000000
(*

run this test with:

why3 ide -C ../../why3-smt-realize.conf -P cvc4r bv-smtlib-realization.why

*)

theory BV_Check

  use int.Int
  use bv.BV8

  goal size_pos : size > 0

(* Conversions from/to integers *)

  use bv.Pow2int

  lemma two_power_size_val : two_power_size = pow2 size
  lemma max_int_val : t'maxInt = two_power_size - 1

  lemma to_uint_extensionality :
    forall v,v':t. t'int v = t'int v' -> v = v'

  lemma to_int_extensionality:
    forall v,v':t. to_int v = to_int v' -> v = v'

  lemma to_uint_bounds : forall v:t. 0 <= t'int v < two_power_size

  lemma to_uint_of_int :
    forall i. 0 <= i < two_power_size -> t'int (of_int i) = i

  lemma Of_int_zero: zeros = of_int 0

  lemma Of_int_ones: ones = of_int t'maxInt

  goal nth_out_of_bound:
    forall x n. size <= n <= t'maxInt -> nth x n = False

  goal Nth_zero: forall n:int. 0 <= n < size -> nth zeros n = False

  goal Nth_ones:
    (forall n. ult n size_bv -> nth_bv ones n = True) &&
    forall n. 0 <= n < size -> ult (of_int n) size_bv && nth ones n = True

  (** Bitwise operators *)

  goal Nth_bw_and:
    forall v1 v2:t, n:int. 0 <= n < size ->
      nth (bw_and v1 v2) n = andb (nth v1 n) (nth v2 n)

  goal Nth_bw_or:
    forall v1 v2:t, n:int. 0 <= n < size ->
      nth (bw_or v1 v2) n = orb (nth v1 n) (nth v2 n)

  goal Nth_bw_xor:
    forall v1 v2:t, n:int. 0 <= n < size ->
      nth (bw_xor v1 v2) n = xorb (nth v1 n) (nth v2 n)

  goal Nth_bw_not:
    forall v:t, n:int. 0 <= n < size ->
      nth (bw_not v) n = notb (nth v n)

  goal Lsr_nth_low:
    forall b:t,n s:int. 0 <= s -> 0 <= n -> n+s < size ->
      nth (lsr b s) n = nth b (n+s)

  goal Lsr_nth_high:
    forall b:t,n s:int. 0 <= s -> 0 <= n -> n+s >= size ->
      nth (lsr b s) n = False

  goal lsr_zero: forall x. lsr x 0 = x

  goal Asr_nth_low:
    forall b:t,n s:int. 0 <= s -> 0 <= n < size -> n+s < size ->
      nth (asr b s) n = nth b (n+s)

  goal Asr_nth_high:
    forall b:t,n s:int. 0 <= s -> 0 <= n < size -> n+s >= size ->
      nth (asr b s) n = nth b (size-1)

  goal asr_zero: forall x. asr x 0 = x

  goal Lsl_nth_high:
    forall b:t,n s:int. 0 <= s <= n < size ->
      nth (lsl b s) n = nth b (n-s)

  goal Lsl_nth_low:
    forall b:t,n s:int. 0 <= n < s ->
      nth (lsl b s) n = False

  goal lsl_zero: forall x. lsl x 0 = x

  use int.EuclideanDivision

  goal Nth_rotate_right :
    forall v n i. 0 <= i < size -> 0 <= n ->
      nth (rotate_right v n) i = nth v (mod (i + n) size)

  goal Nth_rotate_left :
    forall v n i. 0 <= i < size -> 0 <= n ->
      nth (rotate_left v n) i = nth v (mod (i - n) size)


  (* comparison operators *)

  goal ult_spec: forall x y. ult x y <-> Int.(<) (t'int x) (t'int y)

  goal ule_spec: forall x y. ule x y <-> Int.(<=) (t'int x) (t'int y)

  goal ugt_spec: forall x y. ugt x y <-> Int.(>) (t'int x) (t'int y)

  goal uge_spec: forall x y. uge x y <-> Int.(>=) (t'int x) (t'int y)

  goal slt_spec: forall x y. slt x y  <-> Int.(<) (to_int x) (to_int y)

  goal sle_spec: forall x y. sle x y <-> Int.(<=) (to_int x) (to_int y)

  goal sgt_spec: forall x y. sgt x y <-> Int.(>) (to_int x) (to_int y)

  goal sge_spec: forall x y. sge x y <-> Int.(>=) (to_int x) (to_int y)

  (** Arithmetic operators *)

  goal to_uint_add:
    forall v1 v2. t'int (add v1 v2) =  mod (Int.(+) (t'int v1) (t'int v2)) two_power_size
  goal to_uint_add_bounded:
    forall v1 v2.
      t'int v1 + t'int v2 < two_power_size ->
      t'int (add v1 v2) = t'int v1 + t'int v2

  goal to_uint_sub:
    forall v1 v2. t'int (sub v1 v2) = mod (Int.(-) (t'int v1) (t'int v2)) two_power_size
  goal to_uint_sub_bounded:
    forall v1 v2.
      0 <= t'int v1 - t'int v2 < two_power_size ->
      t'int (sub v1 v2) = t'int v1 - t'int v2

  goal to_uint_neg:
    forall v. t'int (neg v) = mod (Int.(-_) (t'int v)) two_power_size

  goal to_uint_mul:
    forall v1 v2. t'int (mul v1 v2) = mod (Int.( * ) (t'int v1) (t'int v2)) two_power_size
  goal to_uint_mul_bounded:
    forall v1 v2.
      t'int v1 * t'int v2 < two_power_size ->
      t'int (mul v1 v2) = t'int v1 * t'int v2

  goal to_uint_udiv:
    forall v1 v2. t'int (udiv v1 v2) = div (t'int v1) (t'int v2)

  goal to_uint_urem:
    forall v1 v2. t'int (urem v1 v2) = mod (t'int v1) (t'int v2)

  goal to_uint_lsr:
    forall v n : t.
      t'int (lsr_bv v n) = div (t'int v) (pow2 ( t'int n ))

  goal to_uint_lsl:
    forall v n : t.
         t'int (lsl_bv v n) = mod (Int.( * ) (t'int v) (pow2 (t'int n))) two_power_size

  (* equality goals *)

  goal eq_sub_equiv: forall a b i n:t.
      eq_sub    a b (t'int i) (t'int n)
  <-> eq_sub_bv a b i n

  goal Extensionality: forall x y : t [x == y]. x == y -> x = y

end

theory BVConverter_Check

  use bv.BVConverter_32_64

  goal toSmall_to_uint :
    forall x. in_range x -> BV64.t'int x = BV32.t'int (toSmall x)

  goal toBig_to_uint :
    forall x. BV32.t'int x = BV64.t'int (toBig x)

end
why3-1.6.0/examples/tests/bv-smtlib-realization/000077500000000000000000000000001440160026300216025ustar00rootroot00000000000000why3-1.6.0/examples/tests/bv-smtlib-realization/why3-smt-realize.conf000066400000000000000000000046051440160026300256020ustar00rootroot00000000000000[editor pvs]
command = "%l/why3-call-pvs %l pvs %f"
name = "PVS"

[editor proofgeneral-coq]
command = "emacs --eval \"(setq coq-load-path '((\\\"%l/coq-tactic\\\" \\\"Why3\\\") (\\\"%l/coq\\\" \\\"Why3\\\")))\" %f"
name = "Emacs/ProofGeneral/Coq"

[editor isabelle2015-jedit]
command = "isabelle why3 -i %f"
name = "Isabelle2015/jEdit"

[editor isabelle2014-proofgeneral]
command = "isabelle why3 -i emacs %f"
name = "Isabelle2014/Emacs/ProofGeneral"

[editor isabelle2014-jedit]
command = "isabelle why3 -i jedit %f"
name = "Isabelle2014/jEdit"

[editor coqide]
command = "coqide -R %l/coq-tactic Why3 -R %l/coq Why3 %f"
name = "CoqIDE"

[editor altgr-ergo]
command = "altgr-ergo %f"
name = "AltGr-Ergo"

[ide]
current_tab = 0
default_editor = "emacs %f"
default_prover = ""
error_color = "orange"
font_size = 10
goal_color = "gold"
hidden_prover = "Vampire,0.6,"
hidden_prover = "Eprover,1.8-001,"
hidden_prover = "PolyPaver,0.3,"
hidden_prover = "Isabelle,2015,"
hidden_prover = "Coq,8.4pl6,"
iconset = "fatcow"
intro_premises = true
max_boxes = 16
neg_premise_color = "pink"
premise_color = "chartreuse"
print_attributes = false
print_locs = false
print_time_limit = false
saving_policy = 2
tree_width = 756
verbose = 0
window_height = 880
window_width = 1511

[main]
cntexample = false
loadpath = "/home/cmarche/why3/share/theories"
loadpath = "/home/cmarche/why3/share/modules"
magic = 14
memlimit = 1000
plugin = "/home/cmarche/why3/lib/plugins/dimacs"
plugin = "/home/cmarche/why3/lib/plugins/hypothesis_selection"
plugin = "/home/cmarche/why3/lib/plugins/genequlin"
plugin = "/home/cmarche/why3/lib/plugins/tptp"
running_provers_max = 3
timelimit = 5

[prover]
command = "%l/why3-cpulimit %T %m -s cvc4-1.4 --tlimit-per=%t000 --lang=smt2 %f"
command_steps = "%l/why3-cpulimit %U %m -s cvc4-1.4 --stats --rlimit=%S --lang=smt2 %f"
driver = "/home/cmarche/why3/share/drivers/cvc4-realize.drv"
editor = ""
in_place = false
interactive = false
name = "CVC4 (realize)"
shortcut = "cvc4r"
version = "1.4"

[prover]
command = "%l/why3-cpulimit %t %m -s z3-4.4.0 -smt2 sat.random_seed=42 nlsat.randomize=false smt.random_seed=42 %f"
command_steps = "%l/why3-cpulimit %U %m -s z3-4.4.0 -smt2 sat.random_seed=42 nlsat.randomize=false smt.random_seed=42 memory_max_alloc_count=%S %f"
driver = "/home/cmarche/why3/share/drivers/z3-realize.drv"
editor = ""
in_place = false
interactive = false
name = "Z3"
shortcut = "z3r"
version = "4.4.0"
why3-1.6.0/examples/tests/bv-smtlib-realization/why3session.xml000066400000000000000000000175711440160026300246350ustar00rootroot00000000000000






 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
  
  
  
  
  
  
  
  
  
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 


 
 
 
 
 
 
 



why3-1.6.0/examples/tests/execute-tests.mlw000066400000000000000000000120311440160026300207040ustar00rootroot00000000000000module Int63Test

  use mach.int.Int63

  let t1 (): int63 = 1

  let t2 () = 2:int63

  let t3 () =
    let x:int63 = 1 in
    x

  let t4 () =
    let x:int63 = 1 in
    x + 2

  let t5 () =
    let x:int63 = 1 in
    x - 2

  let t6 () =
    let x = 10 in
    x + 2

  let t7 () =
    let x:int = 10 in
    Int.(-) x 2

  let t8 () =
    let x = 20 in
    let y = 21 in
    x < y

  let t9 () =
    let x = 20 in
    let y = 21 in
    x >= y

  let t10 () =
    let x = 20 in
    let y = 21 in
    x >= y - 1

  let t11 () =
    let x = 20 in
    let y = 21 in
    x = y - 1 && x >= y - 1 && y > x

  let t12 () =
    let x = 42 in
    x % 2 = 0

  let t13 () =
    let x = 42 in
    let y = 24 in
    let z = x + y / 2 in
    let w = z * x in
    let w = w % 10 in
    let w = -w in
    w = -8

  let t14 () =
    let x:int63 = of_int(42:int) in
    let y:int = to_int x in
    x + of_int y

  let t15 () = Int.(+) max_int63 min_int63

  (* let t16 () = zero + one + max_int + min_int *)

end

module Int31Test

  use mach.int.Int31

  let t1 (): int31 = 1

  let t2 () = 2:int31

  let t3 () =
    let x:int31 = 1 in
    x

  let t4 () =
    let x:int31 = 1 in
    x + 2

  let t5 () =
    let x:int31 = 1 in
    x - 2

  let t6 () =
    let x = 10 in
    x + 2

  let t7 () =
    let x:int = 10 in
    Int.(-) x 2

  let t8 () =
    let x = 20 in
    let y = 21 in
    x < y

  let t9 () =
    let x = 20 in
    let y = 21 in
    x >= y

  let t10 () =
    let x = 20 in
    let y = 21 in
    x >= y - 1

  let t11 () =
    let x = 20 in
    let y = 21 in
    x = y - 1 && x >= y - 1 && y > x

  let t12 () =
    let x = 42 in
    x % 2 = 0

  let t13 () =
    let x = 42 in
    let y = 24 in
    let z = x + y / 2 in
    let w = z * x in
    let w = w % 10 in
    let w = -w in
    w = -8

  let t14 () =
    let x:int31 = of_int(42:int) in
    let y:int = to_int x in
    x + of_int y

  let t15 () = Int.(+) max_int31 min_int31

  (* let t16 () = zero + one + max_int + min_int *)

end

module ByteTest

  use mach.int.Byte

  let t1 (): byte = 1

  let t2 () = 2:byte

  let t3 () =
    let x:byte = 1 in
    x

  let t4 () =
    let x:byte = 1 in
    x + 2

  let t5 () =
    let x:byte = 1 in
    x - 2

  let t6 () =
    let x = 10 in
    x + 2

  let t7 () =
    let x:int = 10 in
    Int.(-) x 2

  let t8 () =
    let x = 20 in
    let y = 21 in
    x < y

  let t9 () =
    let x = 20 in
    let y = 21 in
    x >= y

  let t10 () =
    let x = 20 in
    let y = 21 in
    x >= y - 1

  let t11 () =
    let x = 20 in
    let y = 21 in
    x = y - 1 && x >= y - 1 && y > x

  let t12 () =
    let x = 42 in
    x % 2 = 0

  let t13 () =
    let x = 42 in
    let y = 24 in
    let z = x + y / 2 in
    let w = z * x in
    let w = w % 10 in
    w = 8

  let t14 () =
    let x:byte = of_int(42:int) in
    let y:int = to_int x in
    x + of_int y

  let t15 () = Int.(+) max_byte min_byte

  (* let t16 () = zero + one + max_int + min_int *)

end

module TestArrays

  use array.Array

  let t1 () = empty ()

  let t2 () = make 10 1

end

module TestArgs

  use int.Int
  use ref.Ref

  let t1 x = x + 1
(*
why3 execute examples/tests/execute-tests.mlw "TestArgs.t1 1" --use=TestArgs
why3 execute examples/tests/execute-tests.mlw "t1 1" --use=TestArgs
*)

  let c = ref 1

  let t2 () = !c + 1
(*
why3 execute examples/tests/execute-tests.mlw "t2 ()" --use=TestArgs
why3 execute examples/tests/execute-tests.mlw "c := 42; t2 ()" --use=ref.Ref --use=TestArgs
*)

  let t3 () = c := 52
(*
why3 execute examples/tests/execute-tests.mlw "t3 ()" --use=TestArgs
*)

  let t4 () = c := !c + 1
(*
why3 execute examples/tests/execute-tests.mlw "t4 ()" --use=TestArgs
*)

  let t5 x = c := !c + x
(*
why3 execute examples/tests/execute-tests.mlw "t5 42" --use=TestArgs
*)

  type t 'a = { f1: 'a; f2: int}

  let t6 () = {f1 = ""; f2 = 2}
(*
why3 execute examples/tests/execute-tests.mlw "t6 ()" --use=TestArgs
*)

  let t7 s x = {f1 = s; f2 = x}
(*
why3 execute examples/tests/execute-tests.mlw "t7 \"hello\" 42" --use=TestArgs
*)

  let t8 s = {f1 = s; f2 = !c}
(*
why3 execute examples/tests/execute-tests.mlw 't8 "hello"' --use=TestArgs
*)

  let t9 (t: t 'a): 'a = t.f1
(*
why3 execute examples/tests/execute-tests.mlw "t9 {f1=1;f2=42}" --use=TestArgs
why3 execute examples/tests/execute-tests.mlw 't9 {f1="hello";f2=42}' --use=TestArgs
*)

  let t10 t = t.f2
(*
why3 execute examples/tests/execute-tests.mlw 't10 !t11' --use=TestArgs --use=ref.Ref
why3 execute examples/tests/execute-tests.mlw 't10 {f1="hello";f2=42}' --use=TestArgs
*)

  let t11 = ref {f1 = 1; f2 = 2}
(*
why3 execute examples/tests/execute-tests.mlw 't11 := {!t11 with f1 = 42}; t10 !t11' --use=TestArgs --use=ref.Ref
*)

  let t12 () = t9 {f1=1;f2=42}
(*
why3 execute examples/tests/execute-tests.mlw 't12 ()' --use=TestArgs
*)

end

module ShouldFail
  use random.Random
  (*
why3 execute examples/tests/execute-tests.mlw "()" --use=ShouldFail
  *)
end

module TestRac
  use int.Int

  let f (x: int) = assert {x > 0}
(*
why3 execute examples/tests/execute-tests.mlw "f 1" --use=TestRac
why3 execute examples/tests/execute-tests.mlw "f 0" --use=TestRac
*)
endwhy3-1.6.0/examples/tests/func_literals.mlw000066400000000000000000000031051440160026300207360ustar00rootroot00000000000000use int.Int
use seq.Seq

goal g1:
  let a = [| 0 => 1 |] in
  let b = [| 1 => 2 |] in
  1 = a 1 <> b 1 = 2

goal g2:
  let a = [| 0 => 1; 1 => 42 |] in
  let b = [| 1 => 2; 9 => 42 |] in
  forall x y. x > 1 && y > 1 -> a x = b y

goal g3:
  let a = [| 0 => 1; 1 => 2 |] in
  let b = [| 0 => 1; 1 => -2 |] in
  a 0 = b 0     /\
  a 1 = - (b 1) /\
  a 2 = - (b 3) /\
  a 3 = - (b 3) /\
  a 3 <> b 3

goal g4: [|1|] = [|1|]

let seq_ok1 (_: int): seq int
  ensures { result = create 4 [|0;1;2;3|] }
= create 4 [|0;1;2;3|]

let seq_ok2 (_: int): seq int
  ensures { result == create 4 [|0;1;2;3|] }
= create 4 [|0;1;2;3|]

let seq_ok3 (default: int) : seq int
  ensures { result = create 4 [|0 => 0; 1 => 1; 2 => 2; 3 => 3; _ => default |]}
= create 4 [|0 => 0; 1 => 1; 2 => 2; 3 => 3; _ => default |]

let seq_ok4 (default: int) : seq int
  ensures { result == create 4 [|0 => 0; 1 => 1; 2 => 2; 3 => 3; _ => default |]}
= create 4 [|0 => 0; 1 => 1; 2 => 2; 3 => 3; _ => default |]

use array.Init
use array.ToSeq

let array_ok1 (_: int): array int
  ensures { to_seq result = create 4 [|0;1;2;3|] }
= init 4 [|0;1;2;3|]

let array_ok2 (_: int): array int
  ensures { to_seq result == create 4 [|0;1;2;3|] }
= init 4 [|0;1;2;3|]

let array_ok3 (default: int) : array int
  ensures { to_seq result = create 4 [|0 => 0; 1 => 1; 2 => 2; 3 => 3; _ => default |]}
= init 4 [|0 => 0; 1 => 1; 2 => 2; 3 => 3; _ => default |]

let array_ok4 (default: int) : array int
  ensures { to_seq result == create 4 [|0 => 0; 1 => 1; 2 => 2; 3 => 3; _ => default |]}
= init 4 [|0 => 0; 1 => 1; 2 => 2; 3 => 3; _ => default |]
why3-1.6.0/examples/tests/func_literals/000077500000000000000000000000001440160026300202165ustar00rootroot00000000000000why3-1.6.0/examples/tests/func_literals/why3session.xml000066400000000000000000000142741440160026300232460ustar00rootroot00000000000000









 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
  
  
  
  
  
  
 
 
 
 
 
 
  
  
  
  
  
  
 
 
 
 
  
  
  
  
  
  
  
   
   
    
    
    
   
   
  
  
 
 
 
 
 
 
  
  
  
  
  
   
   
   
  
  
 
 
 
 
  
  
  
  
  
  
  
   
   
    
    
    
   
   
  
  
 
 
 
 
 
 



why3-1.6.0/examples/tests/hashtbl-test.mlw000066400000000000000000000010111440160026300205000ustar00rootroot00000000000000module TestHashtbl

  use int.Int
  use list.List
  use hashtbl.Hashtbl

  val constant k1: key
  val constant k2: key
  val constant k3: key
  axiom kdiff : k1 <> k2 /\ k1 <> k3 /\ k2 <> k3

  let test1 () =
    let h = create 17 in
    add h k1 True;
    assert { h[k1] = Cons True Nil };
    assert { h[k2] = Nil };
    let v1 = find h k1 in
    assert { v1 = True };
    add h k1 False;
    assert { h[k1] = Cons False (Cons True Nil) };
    replace h k1 True;
    assert { h[k1] = Cons True (Cons True Nil) }

end


why3-1.6.0/examples/tests/int32-test.mlw000066400000000000000000000002751440160026300200250ustar00rootroot00000000000000
module TestInt32

  use int.Int
  use mach.int.Int32BV

  let mask_111 (x: int32) : int32
    ensures { 0 <= to_int result < 8 }
  =
    of_bv (BV32.bw_and (to_bv x) (BV32.of_int 7))

end
why3-1.6.0/examples/tests/lemma_functions.mlw000066400000000000000000000027461440160026300213010ustar00rootroot00000000000000module LemmaFunction1

  use int.Int
  use ref.Refint

  function fact int : int
  axiom fact0 : fact 0 = 1
  axiom factn : forall n: int. n > 0 -> fact n = n * fact (n - 1)

  let rec lemma f (n: int) : unit variant {n}
    requires { n >= 0 }
    ensures  { fact n >= 1 }
    =
    if n > 0 then f (n-1)

  goal g: fact 42 >= 1

end

module LemmaFunction2

  use int.Int
  use array.Array
  use array.ArraySum

  let rec lemma sum_nonneg (a: array int) (l u: int) : unit
    requires { 0 <= l <= u <= length a }
    requires { forall i: int. 0 <= i < length a -> a[i] >= 0 }
    variant  { u-l }
    ensures  { sum a l u >= 0 }
  =
    if u > l then sum_nonneg a (l+1) u

  goal g1:
    forall a: array int.
    (forall i: int. 0 <= i < length a -> a[i] >= 0) ->
    sum a 0 (length a) >= 0

end




module M

  use int.Int

  type list 'a = Nil | Cons 'a (list 'a)

  function length (l:list 'a) : int =
    match l with
    | Nil -> 0
    | Cons _ r -> 1 + length r
    end


  let rec lemma_length_non_neg (l:list 'a) : unit
    variant { l }
    ensures { length l >= 0 }
  =
    match l with
    | Nil -> ()
    | Cons _ r -> lemma_length_non_neg r
    end


  let rec toy_example(l:list 'a) : unit
    (* variant { l } does not work (not a sub-term) *)
    variant { length l }
    (* works if we add the "ghost lemma_length_non_neg" *)
  =
    match l with
    | Nil -> ()
    | Cons _ Nil -> ()
    | Cons x (Cons _ r) ->
      ghost lemma_length_non_neg l;
      toy_example (Cons x r)
    end

end
why3-1.6.0/examples/tests/lemma_functions/000077500000000000000000000000001440160026300205475ustar00rootroot00000000000000why3-1.6.0/examples/tests/lemma_functions/why3session.xml000066400000000000000000000022011440160026300235620ustar00rootroot00000000000000





 
 
 
 
 
 


 
 
 
 
 
 


 
 
 
 
 
 



why3-1.6.0/examples/tests/matrix-test.mlw000066400000000000000000000004011440160026300203610ustar00rootroot00000000000000module TestMatrix

  use int.Int
  use matrix.Matrix

  let test1 () =
    let m1 = make 3 3 2 in
    assert { m1.elts 0 0 = 2 };
    set m1 0 0 4;
    assert { m1.elts 0 0 = 4 };
    assert { m1.elts 0 1 = 2 };
    assert { m1.elts 1 0 = 2 };
    ()

end

why3-1.6.0/examples/tests/pqueue-test.mlw000066400000000000000000000022131440160026300203640ustar00rootroot00000000000000module Test

  use seq.Seq
  use import pqueue.Pqueue as P

  val constant v1 : elt
  val constant v2 : elt
  axiom values: le v2 v1 /\ not (le v1 v2)

  let test0 () =
    let s = P.create () : P.t in
    assert { s = empty };
    let b = P.is_empty s in
    assert { b = True };
    let n = P.length s in
    assert { n = 0 }

  let test1 () =
    raises { P.Empty }
    let s = P.create () in
    P.push v1 s;
    let x = P.peek s in assert { x = v1 };
    P.push v2 s;
    assert { s == cons v2 (cons v1 empty) \/
             s == cons v1 (cons v2 empty) };
    let x = P.peek s in assert { x = v2 };
    ()

end

module TestNoDup

  use set.Fset
  use import pqueue.PqueueNoDup as P

  val constant v1 : elt
  val constant v2 : elt
  axiom values: le v2 v1 /\ not (le v1 v2)

  let test0 () =
    let s = P.create () : P.t in
    assert { s.elts = empty };
    let b = P.is_empty s in
    assert { b = True };
    let n = P.length s in
    assert { n = 0 }

  let test1 () =
    raises { P.Empty }
    let s = P.create () in
    P.push v1 s;
    let x = P.peek s in assert { x = v1 };
    P.push v2 s;
    let x = P.peek s in assert { x = v2 };
    ()

end
why3-1.6.0/examples/tests/queue-test.mlw000066400000000000000000000006361440160026300202130ustar00rootroot00000000000000
module Test

  use int.Int
  use seq.Seq
  use queue.Queue

  let test0 () =
    let s = create () : t 'a in
    assert { s = empty };
    let b = is_empty s in
    assert { b = True };
    let n = length s in
    assert { n = 0 }

  let test1 ()
    raises { Empty }
  = let s = create () in
    push 1 s;
    let x = peek s in assert { x = 1 };
    push 2 s;
    let x = peek s in assert { x = 1 };
    ()

end
why3-1.6.0/examples/tests/rac.mlw000066400000000000000000000271331440160026300166600ustar00rootroot00000000000000module Local

  use int.Int

  let test1 () =
    let x = 1 in
    assert { x >= 0 }; (* ok *)
    assert { forall y. y = 1 -> x = y }; (* ok *)
    assert { x = 0 } (* failure *)

  predicate p (_: unit) = false

  let test2 () =
    let ref x = () in
    assert { not p x } (* ok *)

  let test3 () =
    let ref x = 1 in
    assert { x >= 0 }; (* ok *)
    assert { x > 10 } (* failure *)

  let test4 () =
    assert { 4 >= 3 || 1 < 3 } (* ok *)

  let test5 () =
    let x = True in
    assert { x = True }
end

module Global

  use int.Int

  val ref x : int

  let test1 () =
    assert { x = 0 }; (* ok *)
    x <- x + 1;
    assert { x = 1 } (* ok *)

  let ref y = 42

  let test2 () =
    assert { y = 42 } (* ok *)
end

module Functions

  use int.Int

  let function f1_aux (x: int): int = x+100

  let ref x = 0

  let test1 () =
    let function f1_aux' (x: int) (_: int) : int = x+200 in
    assert { 101 = f1_aux 1 }; (* ok *)
    assert { 200 = f1_aux' 0 1 }; (* ok *)
    assert { f1_aux 0 = f1_aux' 0 1 } (* failure *)

 let test2 () =
    let function f1_aux (x: int) (_: int) : int = x+200 in
    assert { f1_aux 0 0 = 200 } (* ok *)

  let test3_aux (y: int) : int
    requires { y > 0 }
    ensures { result = 1 }
  = y

  let test3a () =
    test3_aux 0 (* failure in precondition *)

  let test3b () =
    let _ = test3_aux 1 in (* ok *)
    test3_aux 2 (* failure in postcondition *)

  exception E int

  let test4_aux () : unit
    raises { E j -> j = x }
  = x <- 1;
    raise (E 42)

  let test4 () =
    try test4_aux () (* failure in exceptional postcondition *)
    with E _ -> () end

  let test5_aux (d: int)
    ensures { x = old x + 1 }
  = x <- x + d

  let test5 () =
    test5_aux 1; (* ok *)
    test5_aux 2 (* failure in postcondition *)

  let test6_aux (ref x: 'a) (y: 'a)
    requires { x <> y }
    ensures { result = y }
  = x <- y;
    x

  let test6 () =
    let ref r = 1 in (* pres, posts of ref ok *)
    let _ = test6_aux r 42 in (* ok *)
    let _ = test6_aux r 42 in (* failure in precondition *)
    ()
end

module Loops
  use int.Int

  val ref x : int

  let test1 () requires { x = 0 } =
    for i = 1 to 10 do
      invariant { 0 < i <= 10 } (* ok *)
    done

  let test2 () requires { x = 0 } =
    for i = 0 to 5 do
      invariant { x = 0 || x = 1 } (* failure when i = 1, x = 2 *)
      x <- x + 1
    done

  let test3 ()  =
    while x < 10 do
      variant { 10 - x }
      invariant { 5 >= x } (* failure when x = 6 *)
      x <- x + 1
    done;
    assert { x = 100 }
end

module Aliasing
  use int.Int

  type r = { mutable value: int }

  let test1 () = (* aliasing *)
    let x = {value= 0} in
    let y = x in
    y.value <- 100;
    assert { (x.value, y.value) = (100, 100) };
    x.value, y.value

  let test2_aux (b: bool) = (* aliasing *)
    let x = {value= 0} in
    let y = x in
    (if b then
      y.value <- 100
    else
      x.value <- 111);
    assert { y.value >= 100 };
    x.value, y.value

  let test2 () =
    let x, y = test2_aux True in
    assert { (x, y) = (100, 100) };
    let x, y = test2_aux False in
    assert { (x, y) = (111, 111) }
end

module Labels
  use int.Int

  type r = { mutable value: int }

  let test1 () =
    let x = {value= 0} in
    label A in
    x.value <- x.value + 1;
    label B in
    x.value <- x.value + 1;
    assert { x.value = x.value at B + 1 = x.value at A + 2 }
end


(* TODO *)
module Chars
  use int.Int

  type char = < range 0 255 >

  val (<=) (c1 c2: char) : bool
     ensures { result <-> char'int c1 <= char'int c2 }

  val (-) (c1 c2: char) : char
     ensures { char'int result = char'int c1 - char'int c2 }

  let uppercase (c:char) =
     if (97:char) <= c <= (122:char)  then
        c - 32 else c

  let test1 () : char =
    uppercase 97
end

(* TODO *)
module Strings
  use string.OCaml
  let test1 () =
    let s = "hello" in
    concat s " world"
end

module RecordMutGhost
  use int.Int

  type t = {mutable f: int -> int; ghost n: int}

  let test () =
    let x = { f= (fun (x:int) -> x); n= 2 } in
    assert { x.n = 2 }; (* ok *)
    assert { x.f 3 = 3 }; (* ok *)
    x.f <- (let g = x.f in (fun (z: int) -> if z = 3 then 42 else g z));
    assert { x.f 3 = 42 }; (* ok *)
    1 (* + x.n *) + x.f 3
end

module PolyContext

  let poly (x: 'a) : 'a = x

  (* Call polymorphic function from context with statically concrete types *)
  let test1 () =
    let x = 42 in
    poly x

  (* Call polymorphic function from context with statically polymorphic types *)
  let poly' (x: 'a) : 'a =
    poly x (* ← *)

  let test2 () =
    let x = 42 in
    poly' x
end

module PolyRefContracts
  use int.Int
  use ref.Ref

  let test1 () = (* check contracts in ref *)
    let r = ref 0 in
    r := !r + 1

  let test2_aux (ref argref: 'a) (argx argy: 'a)
    requires { argref <> argx }
    ensures { result = argx }
    ensures { result = argy }
  = argref <- argx;
    argref

  let ref myref = 0

  let test2a () =
    test2_aux myref 1 1 (* OK *)

  let test2b () =
    test2_aux myref 0 1 (* PRE fails *)

  let test2c () =
    test2_aux myref 1 2 (* POST fails *)
end

module RecordPoly
  use int.Int
  type t1 'a = { mutable x: 'a }

  let test1 () =
    let r = {x= 1} in
    assert { r.x = 1 }; (* ok *)
    r.x <- 100;
    assert { r.x = 100 } (* ok *)

  type t2 'a = { mutable f: int -> 'a }
  let test2 () =
    let r = { f= fun (_: int) -> True } in
    assert { r.f 0 = True }; (* ok *)
    assert { r.f 1 = True }; (* ok *)
    r.f <- (let f = r.f in (fun (j: int) -> if j = 0 then False else f j));
    assert { r.f 0 = False }; (* ok *)
    assert { r.f 1 = True }; (* ok *)

  type t3 'a = { mutable elts: int -> 'a; length: int }

  let update (r: t3 'a) (i: int) (x: 'a) : unit
    requires { 0 < i < r.length }
    ensures { forall j. 0 < j < r.length -> j <> i -> r.elts j = old r.elts j }
    ensures { r.elts i = x }
  = r.elts <- let f = r.elts in (fun (j: int) -> if j = i then x else f j)

  use bool.Bool

  let test3 () =
    let r = { length= 5; elts= fun (_:int) -> True } in
    assert { r.elts 3 = True }; (* ok *)
    update r 3 False; (* post condition cannot be evaluated *)
    assert { r.elts 3 = False }; (* ok *)
    assert { r.elts 2 = True }; (* ok *)
    assert { r.elts 1 = False } (* failure *)
end

module PolyFunc
  use int.Int

  let mk v = fun (_: int) -> v

  let test1 () =
      mk 0

  type t 'a = {mutable f: int -> 'a}

  let function map_update (f: int -> 'a) (i: int) (x: 'a) =
    fun (j: int) -> if j = i then x else f j

  let ([]<-) (x: t 'a) (i: int) (v: 'a) : unit =
    x.f <- map_update x.f i v

  let test2 () =
    let x = {f= fun _ -> 0} in
    (* x.f <- map_update x.f 0 111; *)
    x[0] <- 111;
    x.f 0, x.f 1
end

module ArrayExec
  use int.Int

  type array 'a = {length: int; mutable elts: int -> 'a}

  let empty () : array 'a = {length= 0; elts= fun _ -> any 'a}

  let make (n: int) (v: 'a) : array 'a
    ensures { result.length = n }
    ensures { forall i. 0 <= i < n -> result.elts i = v }
  = {length= n; elts= fun _ -> v}

  let function map_update (f: int -> 'a) (i: int) (x: 'a) =
    fun (j: int) -> if j = i then x else f j

  let ([]) (a: array 'a) (i: int) : 'a = a.elts i

  function ([]') (a: array 'a) (i: int) : 'a = a.elts i

  let ([]<-) (a: array 'a) (i: int) (v: 'a) : unit
    = a.elts <- map_update a.elts i v

  let test1 () =
    let a = {length= 5; elts= fun (_: int) -> 0} in
    a.elts 0, a.elts 1

  let test2 () =
    let a = {length= 5; elts= fun (_: int) -> 0} in
    a.elts <- (let f = a.elts in (fun (i: int) -> if i = 0 then 11 else f i));
    a.elts 0, a.elts 1

  let test3 () =
    let a = make 10 0 in
    a[0] <- 10;
    a[0], a[1]

  let test4 () =
    let a = make 10 0 in
    assert { length a = 10 };
    let x = a[0] in
    assert { x = 0 }; (* ok *)
    a[1] <- 11;
    let x = a[0] in
    assert { x = 0 }; (* ok *)
    let x = a[1] in
    assert { x = 11 }; (* ok *)
    let x = a[2] in
    assert { x = 11 }; (* failure *)
    ()

  clone export array.Array with
    type array = array,
    val make = make,
    val empty = empty,
    val ([]) = ([]),
    val ([]<-) = ([]<-)
end

(* TODO dispatch array.Array/rac.ArrayExec by module substitution *)
module Arrays
  use array.Array

  meta compute_max_steps 10_000

  let test0 () =
    let a = make 10 0 in
    a[0] <- 10;
    a[0], a[1]

  let test1 () =
    let a = make 10 0 in
    assert { length a = 10 };
    assert { a[0] = 0 }; (* ok *)
    a[1] <- 11;
    assert { a[0] = 0 }; (* ok *)
    assert { a[1] = 11 }; (* ok *)
    assert { a[2] = 11 }; (* failure *)
    ()

  use int.Int

  let test2 () =
    let a = make 1 11 in
    assert { a.length = 42 } (* failure *)

  let test3 () =
    let a = (empty () : array int) in
    assert { a.length = 42 } (* failure *)

  let test4 () =
    let a : array int = empty () in
    assert { a.length > 0 } (* failure, cannot evaluate TODO *)
end

module Ghost
  use int.Int
  type t = {i1: int; ghost i2: int}

  let test1 () : (int, ghost int) =
    let x = {i1= 123; i2= 456} in
    assert { x.i1 = 123 /\ x.i2 = 456 };
    (x.i1, x.i2)

  let ghost f1 (x y : int) : int =
    if x = y then 123 else 456

  let ghost test2 () =
    let ghost x = f1 0 1 in
    x + 1
end

module Predicates
  use int.Int

  predicate p1 (n: int) =
    n = 123

  let test1 () =
    assert { p1 123 };
    let ghost x1 = p1 123 in
    assert { x1 };
    let ghost x2 = not p1 0 in
    assert { x2 };
    let predicate p2 (x: int) = x = 456 in
    assert { p2 456 }

  let ghost test2 () =
    let b1 = pure { true } in
    assert { b1 };
    let x = if b1 then 0 else 1 in
    assert { x = 0 };
    let b2 = p1 123 in
    assert { b2 };
    (b1, x, b2)
end

module Variants
  use int.Int
  let loop_var_ok1 () =
    let ref i = 1 in
    while i >= 0 do
      variant { i }
      i <- i - 1
    done
  let loop_var_ok2 () =
    let ref i = 1 in
    let ref j = 1 in
    while j >= 0 do
      variant { i, j }
      if i > 0 then
        i <- i - 1
      else
        j <- j - 1
    done
  let loop_var_fail1 () =
    let ref i = 2 in
    while i >= 0 do
      variant { i }
      if i > 1 then
        i <- i - 1
    done
  let loop_var_fail2 () =
    let ref i = 1 in
    let ref j = 2 in
    while j >= 0 do
      variant { i, j }
      if i > 0 then
        i <- i - 1
      else if j > 1 then
        j <- j - 1
    done

  use relations.WellFounded
  predicate p (i i_old: int) =
    i_old <= 2 /\ i > i_old
  let loop_custom_variant () =
    let ref i = 1 in
    while i >= 0 do
      variant { 2 - i with p }
      i <- i - 1
    done;
    assert { i = -1 };
    i <- 1;
    while i >= -1 do
      variant { 2 - i with p }
      i <- i - 1
    done
end

module TestUInt64
  use mach.int.UInt64
  let test () = 0 - 1
end

module Premises
  val predicate p (x: int)
  val predicate q (x: int)

  axiom a: forall x. p x -> q x

  let test1 () : unit
    requires { p 42 }
    ensures { q 42 }
  = ()
end

module FunctionVariant
  use int.Int

  let rec test1 (i: int) variant { i } (* ok *)
  = if i > 0 then test1 (i-1) else 0

  let rec test2 (i: int) variant { i }
  = if i > 0 then test2 (i-1) else test2 i (* failure *)

  let rec test3 (i: int) variant { i } (* ok *)
  = if i = 0 then 0 else test3' (i-1) (i-1)
  with test3' (i j: int) variant { i, j }
  = if j = 0 then test3 i else test3' i (j - 1)

  let rec test4 (i: int) variant { i }
  = if i = 0 then 0 else test4' (i-1) (i-1)
  with test4' (i j: int) variant { i, j }
  = test4' i (j - 1) (* failure *)

  let rec test5 (i: int) variant { i }
  = if i = 0 then 0 else test5' i i (* failure *)
  with test5' (i j: int) variant { i, j }
  = if j = 0 then test5 i else test5' i (j - 1)
end

module ArrayList
  use int.Int
  use array.Array
  use list.List
  use array.ToList

  let main () =
    let f = make 4 0 in
    to_list f 0 4
end
why3-1.6.0/examples/tests/rac.out000066400000000000000000002605671440160026300167020ustar00rootroot00000000000000
* Local
** Local.test1 ()
Postcondition of `Tuple0` is ok at "command line expression to execute", line 1, characters 6-8
Assertion is ok at "examples/tests/rac.mlw", line 7, characters 13-19
Assertion is ok at "examples/tests/rac.mlw", line 8, characters 13-37
Assertion failed at "examples/tests/rac.mlw", line 9, characters 13-18
                       - Term: x = 0
                       - Variables: x -> 1
Assertion failed at "examples/tests/rac.mlw", line 9, characters 13-18
- Term: x = 0
- Variables: x -> 1
** Local.test2 ()
Postcondition of `Tuple0` is ok at "command line expression to execute", line 1, characters 6-8
Postcondition of `Tuple0` is ok at "examples/tests/rac.mlw", line 14, characters 16-18
Postcondition of `ref'mk` is ok at "examples/tests/rac.mlw", line 14, characters 16-18
Postcondition of `ref` is ok at "examples/tests/rac.mlw", line 14, characters 16-18
Assertion is ok at "examples/tests/rac.mlw", line 15, characters 13-20
result: () = ()
globals: 
** Local.test3 ()
Postcondition of `Tuple0` is ok at "command line expression to execute", line 1, characters 6-8
Postcondition of `ref'mk` is ok at "examples/tests/rac.mlw", line 18, characters 16-17
Postcondition of `ref` is ok at "examples/tests/rac.mlw", line 18, characters 16-17
Assertion is ok at "examples/tests/rac.mlw", line 19, characters 13-19
Assertion failed at "examples/tests/rac.mlw", line 20, characters 13-19
                       - Term: x.contents > 10
                       - Variables: x -> {contents= 1}
Assertion failed at "examples/tests/rac.mlw", line 20, characters 13-19
- Term: x.contents > 10
- Variables: x -> {contents= 1}
** Local.test4 ()
Postcondition of `Tuple0` is ok at "command line expression to execute", line 1, characters 6-8
Assertion is ok at "examples/tests/rac.mlw", line 23, characters 13-28
result: () = ()
globals: 
** Local.test5 ()
Postcondition of `Tuple0` is ok at "command line expression to execute", line 1, characters 6-8
Postcondition of `True` is ok at "examples/tests/rac.mlw", line 26, characters 12-16
Assertion is ok at "examples/tests/rac.mlw", line 27, characters 13-21
result: () = ()
globals: 

* Global
** Global.test1 ()
Postcondition of `ref'mk` is ok at "examples/tests/rac.mlw", line 34, characters 12-17
Postcondition of `ref` is ok at "examples/tests/rac.mlw", line 34, characters 12-17
Postcondition of `ref'mk` is ok at "examples/tests/rac.mlw", line 41, characters 14-16
Postcondition of `ref` is ok at "examples/tests/rac.mlw", line 41, characters 14-16
Postcondition of `Tuple0` is ok at "command line expression to execute", line 1, characters 6-8
Assertion is ok at "examples/tests/rac.mlw", line 37, characters 13-18
Postcondition of `contents` is ok at "examples/tests/rac.mlw", line 38, characters 9-10
Postcondition of `(+)` is ok at "examples/tests/rac.mlw", line 38, characters 9-14
Assertion is ok at "examples/tests/rac.mlw", line 39, characters 13-18
result: () = ()
globals: x -> {contents= 1}, y -> {contents= 42}
** Global.test2 ()
Postcondition of `ref'mk` is ok at "examples/tests/rac.mlw", line 34, characters 12-17
Postcondition of `ref` is ok at "examples/tests/rac.mlw", line 34, characters 12-17
Postcondition of `ref'mk` is ok at "examples/tests/rac.mlw", line 41, characters 14-16
Postcondition of `ref` is ok at "examples/tests/rac.mlw", line 41, characters 14-16
Postcondition of `Tuple0` is ok at "command line expression to execute", line 1, characters 6-8
Assertion is ok at "examples/tests/rac.mlw", line 44, characters 13-19
result: () = ()
globals: x -> {contents= 0}, y -> {contents= 42}

* Functions
** Functions.test1 ()
Postcondition of `ref'mk` is ok at "examples/tests/rac.mlw", line 53, characters 14-15
Postcondition of `ref` is ok at "examples/tests/rac.mlw", line 53, characters 14-15
Postcondition of `Tuple0` is ok at "command line expression to execute", line 1, characters 6-8
Assertion is ok at "examples/tests/rac.mlw", line 57, characters 13-27
Assertion is ok at "examples/tests/rac.mlw", line 58, characters 13-30
Assertion failed at "examples/tests/rac.mlw", line 59, characters 13-35
                       - Term: f1_aux 0 = ((f1_aux' @ 0) @ 1)
                       - Variables: 
Assertion failed at "examples/tests/rac.mlw", line 59, characters 13-35
- Term: f1_aux 0 = ((f1_aux' @ 0) @ 1)
- Variables: 
** Functions.test2 ()
Postcondition of `ref'mk` is ok at "examples/tests/rac.mlw", line 53, characters 14-15
Postcondition of `ref` is ok at "examples/tests/rac.mlw", line 53, characters 14-15
Postcondition of `Tuple0` is ok at "command line expression to execute", line 1, characters 6-8
Assertion is ok at "examples/tests/rac.mlw", line 63, characters 13-29
result: () = ()
globals: x -> {contents= 0}
** Functions.test3a ()
Postcondition of `ref'mk` is ok at "examples/tests/rac.mlw", line 53, characters 14-15
Postcondition of `ref` is ok at "examples/tests/rac.mlw", line 53, characters 14-15
Postcondition of `Tuple0` is ok at "command line expression to execute", line 1, characters 7-9
Precondition of `test3_aux` failed at "examples/tests/rac.mlw", line 71, characters 4-15
                       - Defined at "examples/tests/rac.mlw", line 66, characters 15-20
                       - Term: y > 0
                       - Variables: y -> 0
Precondition of `test3_aux` failed at "examples/tests/rac.mlw", line 71, characters 4-15
- Defined at "examples/tests/rac.mlw", line 66, characters 15-20
- Term: y > 0
- Variables: y -> 0
** Functions.test3b ()
Postcondition of `ref'mk` is ok at "examples/tests/rac.mlw", line 53, characters 14-15
Postcondition of `ref` is ok at "examples/tests/rac.mlw", line 53, characters 14-15
Postcondition of `Tuple0` is ok at "command line expression to execute", line 1, characters 7-9
Precondition of `test3_aux` is ok at "examples/tests/rac.mlw", line 74, characters 12-23
                       - Defined at "examples/tests/rac.mlw", line 66, characters 15-20
Postcondition of `test3_aux` is ok at "examples/tests/rac.mlw", line 74, characters 12-23
                       - Defined at "examples/tests/rac.mlw", line 67, characters 14-24
Precondition of `test3_aux` is ok at "examples/tests/rac.mlw", line 75, characters 4-15
                       - Defined at "examples/tests/rac.mlw", line 66, characters 15-20
Postcondition of `test3_aux` failed at "examples/tests/rac.mlw", line 75, characters 4-15
                       - Defined at "examples/tests/rac.mlw", line 67, characters 14-24
                       - Term: result = 1
                       - Variables: result -> 2
Postcondition of `test3_aux` failed at "examples/tests/rac.mlw", line 75, characters 4-15
- Defined at "examples/tests/rac.mlw", line 67, characters 14-24
- Term: result = 1
- Variables: result -> 2
** Functions.test4 ()
Postcondition of `ref'mk` is ok at "examples/tests/rac.mlw", line 53, characters 14-15
Postcondition of `ref` is ok at "examples/tests/rac.mlw", line 53, characters 14-15
Postcondition of `Tuple0` is ok at "command line expression to execute", line 1, characters 6-8
Postcondition of `Tuple0` is ok at "examples/tests/rac.mlw", line 85, characters 18-20
Exceptional postcondition of `test4_aux` failed at "examples/tests/rac.mlw", line 85, characters 8-20
                       - Defined at "examples/tests/rac.mlw", line 80, characters 20-25
                       - Term: j = x.contents
                       - Variables: j -> 42, x -> {contents= 1}
Exceptional postcondition of `test4_aux` failed at "examples/tests/rac.mlw", line 85, characters 8-20
- Defined at "examples/tests/rac.mlw", line 80, characters 20-25
- Term: j = x.contents
- Variables: j -> 42, x -> {contents= 1}
** Functions.test5 ()
Postcondition of `ref'mk` is ok at "examples/tests/rac.mlw", line 53, characters 14-15
Postcondition of `ref` is ok at "examples/tests/rac.mlw", line 53, characters 14-15
Postcondition of `Tuple0` is ok at "command line expression to execute", line 1, characters 6-8
Postcondition of `contents` is ok at "examples/tests/rac.mlw", line 90, characters 9-10
Postcondition of `(+)` is ok at "examples/tests/rac.mlw", line 90, characters 9-14
Postcondition of `test5_aux` is ok at "examples/tests/rac.mlw", line 93, characters 4-15
                       - Defined at "examples/tests/rac.mlw", line 89, characters 14-27
Postcondition of `contents` is ok at "examples/tests/rac.mlw", line 90, characters 9-10
Postcondition of `(+)` is ok at "examples/tests/rac.mlw", line 90, characters 9-14
Postcondition of `test5_aux` failed at "examples/tests/rac.mlw", line 94, characters 4-15
                       - Defined at "examples/tests/rac.mlw", line 89, characters 14-27
                       - Term: x.contents = (x1.contents + 1)
                       - Variables: x -> {contents= 3}, x1 -> {contents= 1}
Postcondition of `test5_aux` failed at "examples/tests/rac.mlw", line 94, characters 4-15
- Defined at "examples/tests/rac.mlw", line 89, characters 14-27
- Term: x.contents = (x1.contents + 1)
- Variables: x -> {contents= 3}, x1 -> {contents= 1}
** Functions.test6 ()
Postcondition of `ref'mk` is ok at "examples/tests/rac.mlw", line 53, characters 14-15
Postcondition of `ref` is ok at "examples/tests/rac.mlw", line 53, characters 14-15
Postcondition of `Tuple0` is ok at "command line expression to execute", line 1, characters 6-8
Postcondition of `ref'mk` is ok at "examples/tests/rac.mlw", line 103, characters 16-17
Postcondition of `ref` is ok at "examples/tests/rac.mlw", line 103, characters 16-17
Precondition of `test6_aux` is ok at "examples/tests/rac.mlw", line 104, characters 12-26
                       - Defined at "examples/tests/rac.mlw", line 97, characters 15-21
Postcondition of `contents` is ok at "examples/tests/rac.mlw", line 100, characters 4-5
Postcondition of `test6_aux` is ok at "examples/tests/rac.mlw", line 104, characters 12-26
                       - Defined at "examples/tests/rac.mlw", line 98, characters 14-24
Precondition of `test6_aux` failed at "examples/tests/rac.mlw", line 105, characters 12-26
                       - Defined at "examples/tests/rac.mlw", line 97, characters 15-21
                       - Term: not x.contents = y
                       - Variables: x -> {contents= 42}, y -> 42
Precondition of `test6_aux` failed at "examples/tests/rac.mlw", line 105, characters 12-26
- Defined at "examples/tests/rac.mlw", line 97, characters 15-21
- Term: not x.contents = y
- Variables: x -> {contents= 42}, y -> 42

* Loops
** Loops.test1 ()
Postcondition of `ref'mk` is ok at "examples/tests/rac.mlw", line 112, characters 12-17
Postcondition of `ref` is ok at "examples/tests/rac.mlw", line 112, characters 12-17
Postcondition of `Tuple0` is ok at "command line expression to execute", line 1, characters 6-8
Precondition of `test1` is ok at "command line expression to execute", line 1, characters 0-8
                       - Defined at "examples/tests/rac.mlw", line 114, characters 26-31
Loop invariant init is ok at "examples/tests/rac.mlw", line 116, characters 18-29
Postcondition of `Tuple0` is ok at "examples/tests/rac.mlw", line 116, characters 31-31
Loop invariant preservation is ok at "examples/tests/rac.mlw", line 116, characters 18-29
Postcondition of `Tuple0` is ok at "examples/tests/rac.mlw", line 116, characters 31-31
Loop invariant preservation is ok at "examples/tests/rac.mlw", line 116, characters 18-29
Postcondition of `Tuple0` is ok at "examples/tests/rac.mlw", line 116, characters 31-31
Loop invariant preservation is ok at "examples/tests/rac.mlw", line 116, characters 18-29
Postcondition of `Tuple0` is ok at "examples/tests/rac.mlw", line 116, characters 31-31
Loop invariant preservation is ok at "examples/tests/rac.mlw", line 116, characters 18-29
Postcondition of `Tuple0` is ok at "examples/tests/rac.mlw", line 116, characters 31-31
Loop invariant preservation is ok at "examples/tests/rac.mlw", line 116, characters 18-29
Postcondition of `Tuple0` is ok at "examples/tests/rac.mlw", line 116, characters 31-31
Loop invariant preservation is ok at "examples/tests/rac.mlw", line 116, characters 18-29
Postcondition of `Tuple0` is ok at "examples/tests/rac.mlw", line 116, characters 31-31
Loop invariant preservation is ok at "examples/tests/rac.mlw", line 116, characters 18-29
Postcondition of `Tuple0` is ok at "examples/tests/rac.mlw", line 116, characters 31-31
Loop invariant preservation is ok at "examples/tests/rac.mlw", line 116, characters 18-29
Postcondition of `Tuple0` is ok at "examples/tests/rac.mlw", line 116, characters 31-31
Loop invariant preservation is ok at "examples/tests/rac.mlw", line 116, characters 18-29
Postcondition of `Tuple0` is ok at "examples/tests/rac.mlw", line 116, characters 31-31
Loop invariant preservation is ok at "examples/tests/rac.mlw", line 116, characters 18-29
result: () = ()
globals: x -> {contents= 0}
** Loops.test2 ()
Postcondition of `ref'mk` is ok at "examples/tests/rac.mlw", line 112, characters 12-17
Postcondition of `ref` is ok at "examples/tests/rac.mlw", line 112, characters 12-17
Postcondition of `Tuple0` is ok at "command line expression to execute", line 1, characters 6-8
Precondition of `test2` is ok at "command line expression to execute", line 1, characters 0-8
                       - Defined at "examples/tests/rac.mlw", line 119, characters 26-31
Loop invariant init is ok at "examples/tests/rac.mlw", line 121, characters 18-32
Postcondition of `contents` is ok at "examples/tests/rac.mlw", line 122, characters 11-12
Postcondition of `(+)` is ok at "examples/tests/rac.mlw", line 122, characters 11-16
Loop invariant preservation is ok at "examples/tests/rac.mlw", line 121, characters 18-32
Postcondition of `contents` is ok at "examples/tests/rac.mlw", line 122, characters 11-12
Postcondition of `(+)` is ok at "examples/tests/rac.mlw", line 122, characters 11-16
Loop invariant preservation failed at "examples/tests/rac.mlw", line 121, characters 18-32
                       - Term: x.contents = 0 || x.contents = 1
                       - Variables: x -> {contents= 2}
Loop invariant preservation failed at "examples/tests/rac.mlw", line 121, characters 18-32
- Term: x.contents = 0 || x.contents = 1
- Variables: x -> {contents= 2}
** Loops.test3 ()
Postcondition of `ref'mk` is ok at "examples/tests/rac.mlw", line 112, characters 12-17
Postcondition of `ref` is ok at "examples/tests/rac.mlw", line 112, characters 12-17
Postcondition of `Tuple0` is ok at "command line expression to execute", line 1, characters 6-8
Loop invariant init is ok at "examples/tests/rac.mlw", line 128, characters 18-24
Postcondition of `contents` is ok at "examples/tests/rac.mlw", line 126, characters 10-11
Postcondition of `(<)` is ok at "examples/tests/rac.mlw", line 126, characters 10-16
Postcondition of `contents` is ok at "examples/tests/rac.mlw", line 129, characters 11-12
Postcondition of `(+)` is ok at "examples/tests/rac.mlw", line 129, characters 11-16
Loop invariant preservation is ok at "examples/tests/rac.mlw", line 128, characters 18-24
Loop variant decrease is ok at "examples/tests/rac.mlw", line 127, characters 16-22
Postcondition of `contents` is ok at "examples/tests/rac.mlw", line 126, characters 10-11
Postcondition of `(<)` is ok at "examples/tests/rac.mlw", line 126, characters 10-16
Postcondition of `contents` is ok at "examples/tests/rac.mlw", line 129, characters 11-12
Postcondition of `(+)` is ok at "examples/tests/rac.mlw", line 129, characters 11-16
Loop invariant preservation is ok at "examples/tests/rac.mlw", line 128, characters 18-24
Loop variant decrease is ok at "examples/tests/rac.mlw", line 127, characters 16-22
Postcondition of `contents` is ok at "examples/tests/rac.mlw", line 126, characters 10-11
Postcondition of `(<)` is ok at "examples/tests/rac.mlw", line 126, characters 10-16
Postcondition of `contents` is ok at "examples/tests/rac.mlw", line 129, characters 11-12
Postcondition of `(+)` is ok at "examples/tests/rac.mlw", line 129, characters 11-16
Loop invariant preservation is ok at "examples/tests/rac.mlw", line 128, characters 18-24
Loop variant decrease is ok at "examples/tests/rac.mlw", line 127, characters 16-22
Postcondition of `contents` is ok at "examples/tests/rac.mlw", line 126, characters 10-11
Postcondition of `(<)` is ok at "examples/tests/rac.mlw", line 126, characters 10-16
Postcondition of `contents` is ok at "examples/tests/rac.mlw", line 129, characters 11-12
Postcondition of `(+)` is ok at "examples/tests/rac.mlw", line 129, characters 11-16
Loop invariant preservation is ok at "examples/tests/rac.mlw", line 128, characters 18-24
Loop variant decrease is ok at "examples/tests/rac.mlw", line 127, characters 16-22
Postcondition of `contents` is ok at "examples/tests/rac.mlw", line 126, characters 10-11
Postcondition of `(<)` is ok at "examples/tests/rac.mlw", line 126, characters 10-16
Postcondition of `contents` is ok at "examples/tests/rac.mlw", line 129, characters 11-12
Postcondition of `(+)` is ok at "examples/tests/rac.mlw", line 129, characters 11-16
Loop invariant preservation is ok at "examples/tests/rac.mlw", line 128, characters 18-24
Loop variant decrease is ok at "examples/tests/rac.mlw", line 127, characters 16-22
Postcondition of `contents` is ok at "examples/tests/rac.mlw", line 126, characters 10-11
Postcondition of `(<)` is ok at "examples/tests/rac.mlw", line 126, characters 10-16
Postcondition of `contents` is ok at "examples/tests/rac.mlw", line 129, characters 11-12
Postcondition of `(+)` is ok at "examples/tests/rac.mlw", line 129, characters 11-16
Loop invariant preservation failed at "examples/tests/rac.mlw", line 128, characters 18-24
                       - Term: 5 >= x.contents
                       - Variables: x -> {contents= 6}
Loop invariant preservation failed at "examples/tests/rac.mlw", line 128, characters 18-24
- Term: 5 >= x.contents
- Variables: x -> {contents= 6}

* Aliasing
** Aliasing.test1 ()
Postcondition of `Tuple0` is ok at "command line expression to execute", line 1, characters 6-8
Postcondition of `r'mk` is ok at "examples/tests/rac.mlw", line 140, characters 12-22
Assertion is ok at "examples/tests/rac.mlw", line 143, characters 13-44
Postcondition of `value` is ok at "examples/tests/rac.mlw", line 144, characters 13-20
Postcondition of `value` is ok at "examples/tests/rac.mlw", line 144, characters 4-11
Postcondition of `Tuple2` is ok at "examples/tests/rac.mlw", line 144, characters 4-20
result: (int, int) = (100, 100)
globals: 
** Aliasing.test2 ()
Postcondition of `Tuple0` is ok at "command line expression to execute", line 1, characters 6-8
Postcondition of `True` is ok at "examples/tests/rac.mlw", line 157, characters 25-29
Postcondition of `r'mk` is ok at "examples/tests/rac.mlw", line 147, characters 12-22
Assertion is ok at "examples/tests/rac.mlw", line 153, characters 13-27
Postcondition of `value` is ok at "examples/tests/rac.mlw", line 154, characters 13-20
Postcondition of `value` is ok at "examples/tests/rac.mlw", line 154, characters 4-11
Postcondition of `Tuple2` is ok at "examples/tests/rac.mlw", line 154, characters 4-20
Assertion is ok at "examples/tests/rac.mlw", line 158, characters 13-32
Postcondition of `False` is ok at "examples/tests/rac.mlw", line 159, characters 25-30
Postcondition of `r'mk` is ok at "examples/tests/rac.mlw", line 147, characters 12-22
Assertion is ok at "examples/tests/rac.mlw", line 153, characters 13-27
Postcondition of `value` is ok at "examples/tests/rac.mlw", line 154, characters 13-20
Postcondition of `value` is ok at "examples/tests/rac.mlw", line 154, characters 4-11
Postcondition of `Tuple2` is ok at "examples/tests/rac.mlw", line 154, characters 4-20
Assertion is ok at "examples/tests/rac.mlw", line 160, characters 13-32
result: () = ()
globals: 

* Labels
** Labels.test1 ()
Postcondition of `Tuple0` is ok at "command line expression to execute", line 1, characters 6-8
Postcondition of `r'mk` is ok at "examples/tests/rac.mlw", line 169, characters 12-22
Postcondition of `value` is ok at "examples/tests/rac.mlw", line 171, characters 15-22
Postcondition of `(+)` is ok at "examples/tests/rac.mlw", line 171, characters 15-26
Postcondition of `value` is ok at "examples/tests/rac.mlw", line 173, characters 15-22
Postcondition of `(+)` is ok at "examples/tests/rac.mlw", line 173, characters 15-26
Assertion is ok at "examples/tests/rac.mlw", line 174, characters 13-58
result: () = ()
globals: 

* RecordMutGhost
** RecordMutGhost.test ()
Postcondition of `Tuple0` is ok at "command line expression to execute", line 1, characters 5-7
Postcondition of `t'mk` is ok at "examples/tests/rac.mlw", line 212, characters 12-43
Assertion is ok at "examples/tests/rac.mlw", line 213, characters 13-20
Assertion is ok at "examples/tests/rac.mlw", line 214, characters 13-22
Postcondition of `f` is ok at "examples/tests/rac.mlw", line 215, characters 20-23
Assertion is ok at "examples/tests/rac.mlw", line 216, characters 13-23
Postcondition of `f` is ok at "examples/tests/rac.mlw", line 217, characters 20-23
Postcondition of `(=)` is ok at "examples/tests/rac.mlw", line 215, characters 47-52
                       - Defined at "WHY3DATA/stdlib/int.mlw", line 16, characters 39-55
Postcondition of `(@)` is ok at "examples/tests/rac.mlw", line 217, characters 20-25
Postcondition of `(+)` is ok at "examples/tests/rac.mlw", line 217, characters 4-25
result: int = 43
globals: 

* PolyContext
** PolyContext.test1 ()
Postcondition of `Tuple0` is ok at "command line expression to execute", line 1, characters 6-8
Postcondition of `poly` is ok at "examples/tests/rac.mlw", line 227, characters 4-10
                       - Defined at "examples/tests/rac.mlw", line 222, characters 26-27
Postcondition of `test1` is ok at "command line expression to execute", line 1, characters 0-8
                       - Defined at "examples/tests/rac.mlw", line 226, characters 12-14
result: int = 42
globals: 
** PolyContext.test2 ()
Postcondition of `Tuple0` is ok at "command line expression to execute", line 1, characters 6-8
Postcondition of `poly` is ok at "examples/tests/rac.mlw", line 231, characters 4-10
                       - Defined at "examples/tests/rac.mlw", line 222, characters 26-27
Postcondition of `poly'` is ok at "examples/tests/rac.mlw", line 235, characters 4-11
                       - Defined at "examples/tests/rac.mlw", line 222, characters 26-27
Postcondition of `test2` is ok at "command line expression to execute", line 1, characters 0-8
                       - Defined at "examples/tests/rac.mlw", line 234, characters 12-14
result: int = 42
globals: 

* PolyRefContracts
** PolyRefContracts.test1 ()
Postcondition of `ref'mk` is ok at "examples/tests/rac.mlw", line 253, characters 18-19
Postcondition of `ref` is ok at "examples/tests/rac.mlw", line 253, characters 18-19
Postcondition of `Tuple0` is ok at "command line expression to execute", line 1, characters 6-8
Postcondition of `ref'mk` is ok at "examples/tests/rac.mlw", line 243, characters 12-17
Postcondition of `ref` is ok at "examples/tests/rac.mlw", line 243, characters 12-17
Postcondition of `contents` is ok at "WHY3DATA/stdlib/ref.mlw", line 18, characters 33-43
Postcondition of `(!)` is ok at "examples/tests/rac.mlw", line 244, characters 9-11
Postcondition of `(+)` is ok at "examples/tests/rac.mlw", line 244, characters 9-15
Postcondition of `(:=)` is ok at "examples/tests/rac.mlw", line 244, characters 4-15
                       - Defined at "WHY3DATA/stdlib/ref.mlw", line 20, characters 39-44
result: () = ()
globals: myref -> {contents= 0}
** PolyRefContracts.test2a ()
Postcondition of `ref'mk` is ok at "examples/tests/rac.mlw", line 253, characters 18-19
Postcondition of `ref` is ok at "examples/tests/rac.mlw", line 253, characters 18-19
Postcondition of `Tuple0` is ok at "command line expression to execute", line 1, characters 7-9
Precondition of `test2_aux` is ok at "examples/tests/rac.mlw", line 256, characters 4-23
                       - Defined at "examples/tests/rac.mlw", line 247, characters 15-29
Postcondition of `contents` is ok at "examples/tests/rac.mlw", line 251, characters 4-10
Postcondition of `test2_aux` is ok at "examples/tests/rac.mlw", line 256, characters 4-23
                       - Defined at "examples/tests/rac.mlw", line 248, characters 14-27
Postcondition of `test2_aux` is ok at "examples/tests/rac.mlw", line 256, characters 4-23
                       - Defined at "examples/tests/rac.mlw", line 249, characters 14-27
result: int = 1
globals: myref -> {contents= 1}
** PolyRefContracts.test2b ()
Postcondition of `ref'mk` is ok at "examples/tests/rac.mlw", line 253, characters 18-19
Postcondition of `ref` is ok at "examples/tests/rac.mlw", line 253, characters 18-19
Postcondition of `Tuple0` is ok at "command line expression to execute", line 1, characters 7-9
Precondition of `test2_aux` failed at "examples/tests/rac.mlw", line 259, characters 4-23
                       - Defined at "examples/tests/rac.mlw", line 247, characters 15-29
                       - Term: not argref.contents = argx
                       - Variables: argref -> {contents= 0}, argx -> 0
Precondition of `test2_aux` failed at "examples/tests/rac.mlw", line 259, characters 4-23
- Defined at "examples/tests/rac.mlw", line 247, characters 15-29
- Term: not argref.contents = argx
- Variables: argref -> {contents= 0}, argx -> 0
** PolyRefContracts.test2c ()
Postcondition of `ref'mk` is ok at "examples/tests/rac.mlw", line 253, characters 18-19
Postcondition of `ref` is ok at "examples/tests/rac.mlw", line 253, characters 18-19
Postcondition of `Tuple0` is ok at "command line expression to execute", line 1, characters 7-9
Precondition of `test2_aux` is ok at "examples/tests/rac.mlw", line 262, characters 4-23
                       - Defined at "examples/tests/rac.mlw", line 247, characters 15-29
Postcondition of `contents` is ok at "examples/tests/rac.mlw", line 251, characters 4-10
Postcondition of `test2_aux` is ok at "examples/tests/rac.mlw", line 262, characters 4-23
                       - Defined at "examples/tests/rac.mlw", line 248, characters 14-27
Postcondition of `test2_aux` failed at "examples/tests/rac.mlw", line 262, characters 4-23
                       - Defined at "examples/tests/rac.mlw", line 249, characters 14-27
                       - Term: result = argy
                       - Variables: argy -> 2, result -> 1
Postcondition of `test2_aux` failed at "examples/tests/rac.mlw", line 262, characters 4-23
- Defined at "examples/tests/rac.mlw", line 249, characters 14-27
- Term: result = argy
- Variables: argy -> 2, result -> 1

* RecordPoly
** RecordPoly.test1 ()
Postcondition of `Tuple0` is ok at "command line expression to execute", line 1, characters 6-8
Postcondition of `t1'mk` is ok at "examples/tests/rac.mlw", line 270, characters 12-18
Assertion is ok at "examples/tests/rac.mlw", line 271, characters 13-20
Assertion is ok at "examples/tests/rac.mlw", line 273, characters 13-22
result: () = ()
globals: 
** RecordPoly.test2 ()
Postcondition of `Tuple0` is ok at "command line expression to execute", line 1, characters 6-8
Postcondition of `t2'mk` is ok at "examples/tests/rac.mlw", line 277, characters 12-39
Assertion is ok at "examples/tests/rac.mlw", line 278, characters 13-25
Assertion is ok at "examples/tests/rac.mlw", line 279, characters 13-25
Postcondition of `f` is ok at "examples/tests/rac.mlw", line 280, characters 20-23
Assertion is ok at "examples/tests/rac.mlw", line 281, characters 13-26
Assertion is ok at "examples/tests/rac.mlw", line 282, characters 13-25
result: () = ()
globals: 
** RecordPoly.test3 ()
Postcondition of `Tuple0` is ok at "command line expression to execute", line 1, characters 6-8
Postcondition of `t3'mk` is ok at "examples/tests/rac.mlw", line 295, characters 12-52
Assertion is ok at "examples/tests/rac.mlw", line 296, characters 13-28
Postcondition of `False` is ok at "examples/tests/rac.mlw", line 297, characters 15-20
Precondition of `update` is ok at "examples/tests/rac.mlw", line 297, characters 4-20
                       - Defined at "examples/tests/rac.mlw", line 287, characters 15-31
Postcondition of `elts` is ok at "examples/tests/rac.mlw", line 290, characters 22-28
Postcondition of `update` is ok at "examples/tests/rac.mlw", line 297, characters 4-20
                       - Defined at "examples/tests/rac.mlw", line 288, characters 14-77
Postcondition of `update` is ok at "examples/tests/rac.mlw", line 297, characters 4-20
                       - Defined at "examples/tests/rac.mlw", line 289, characters 14-26
Assertion is ok at "examples/tests/rac.mlw", line 298, characters 13-29
Assertion is ok at "examples/tests/rac.mlw", line 299, characters 13-28
Assertion failed at "examples/tests/rac.mlw", line 300, characters 13-29
                       - Term: (r.elts @ 1) = False
                       - Variables: r -> {elts=
                                          (fun j -> if j = i then x
                                             else f j) with i = 3, x = false, f = (fun _ -> true);
                                          length= 5}
Assertion failed at "examples/tests/rac.mlw", line 300, characters 13-29
- Term: (r.elts @ 1) = False
- Variables: r -> {elts=
                   (fun j -> if j = i then x
                      else f j) with i = 3, x = false, f = (fun _ -> true);
                   length= 5}

* PolyFunc
** PolyFunc.test1 ()
Postcondition of `Tuple0` is ok at "command line expression to execute", line 1, characters 6-8
Postcondition of `mk` is ok at "examples/tests/rac.mlw", line 309, characters 6-10
Postcondition of `test1` is ok at "command line expression to execute", line 1, characters 0-8
result: int -> int = (fun _ -> v) with v = 0
globals: 
** PolyFunc.test2 ()
Postcondition of `Tuple0` is ok at "command line expression to execute", line 1, characters 6-8
Postcondition of `t'mk` is ok at "examples/tests/rac.mlw", line 320, characters 12-27
Postcondition of `f` is ok at "examples/tests/rac.mlw", line 317, characters 22-25
Postcondition of `map_update` is ok at "examples/tests/rac.mlw", line 317, characters 11-29
Postcondition of `f` is ok at "examples/tests/rac.mlw", line 323, characters 11-14
Postcondition of `(=)` is ok at "examples/tests/rac.mlw", line 314, characters 23-28
                       - Defined at "WHY3DATA/stdlib/int.mlw", line 16, characters 39-55
Postcondition of `(@)` is ok at "examples/tests/rac.mlw", line 314, characters 41-44
Postcondition of `(@)` is ok at "examples/tests/rac.mlw", line 323, characters 11-16
Postcondition of `f` is ok at "examples/tests/rac.mlw", line 323, characters 4-7
Postcondition of `(=)` is ok at "examples/tests/rac.mlw", line 314, characters 23-28
                       - Defined at "WHY3DATA/stdlib/int.mlw", line 16, characters 39-55
Postcondition of `(@)` is ok at "examples/tests/rac.mlw", line 323, characters 4-9
Postcondition of `Tuple2` is ok at "examples/tests/rac.mlw", line 323, characters 4-16
result: (int, int) = (111, 0)
globals: 

* ArrayExec
** ArrayExec.test1 ()
Postcondition of `Tuple0` is ok at "command line expression to execute", line 1, characters 6-8
Postcondition of `array'mk` is ok at "examples/tests/rac.mlw", line 349, characters 12-48
Postcondition of `elts` is ok at "examples/tests/rac.mlw", line 350, characters 14-20
Postcondition of `(@)` is ok at "examples/tests/rac.mlw", line 350, characters 14-22
Postcondition of `elts` is ok at "examples/tests/rac.mlw", line 350, characters 4-10
Postcondition of `(@)` is ok at "examples/tests/rac.mlw", line 350, characters 4-12
Postcondition of `Tuple2` is ok at "examples/tests/rac.mlw", line 350, characters 4-22
Postcondition of `test1` is ok at "command line expression to execute", line 1, characters 0-8
                       - Defined at "examples/tests/rac.mlw", line 349, character 4 to line 350, character 22
result: (int, int) = (0, 0)
globals: 
** ArrayExec.test2 ()
Postcondition of `Tuple0` is ok at "command line expression to execute", line 1, characters 6-8
Postcondition of `array'mk` is ok at "examples/tests/rac.mlw", line 353, characters 12-48
Postcondition of `elts` is ok at "examples/tests/rac.mlw", line 354, characters 23-29
Postcondition of `elts` is ok at "examples/tests/rac.mlw", line 355, characters 14-20
Postcondition of `(=)` is ok at "examples/tests/rac.mlw", line 354, characters 53-58
                       - Defined at "WHY3DATA/stdlib/int.mlw", line 16, characters 39-55
Postcondition of `(@)` is ok at "examples/tests/rac.mlw", line 354, characters 72-75
Postcondition of `(@)` is ok at "examples/tests/rac.mlw", line 355, characters 14-22
Postcondition of `elts` is ok at "examples/tests/rac.mlw", line 355, characters 4-10
Postcondition of `(=)` is ok at "examples/tests/rac.mlw", line 354, characters 53-58
                       - Defined at "WHY3DATA/stdlib/int.mlw", line 16, characters 39-55
Postcondition of `(@)` is ok at "examples/tests/rac.mlw", line 355, characters 4-12
Postcondition of `Tuple2` is ok at "examples/tests/rac.mlw", line 355, characters 4-22
result: (int, int) = (11, 0)
globals: 
** ArrayExec.test3 ()
Postcondition of `Tuple0` is ok at "command line expression to execute", line 1, characters 6-8
Postcondition of `array'mk` is ok at "examples/tests/rac.mlw", line 336, characters 4-33
Postcondition of `make` is ok at "examples/tests/rac.mlw", line 358, characters 12-21
                       - Defined at "examples/tests/rac.mlw", line 334, characters 14-31
Postcondition of `make` is ok at "examples/tests/rac.mlw", line 358, characters 12-21
                       - Defined at "examples/tests/rac.mlw", line 335, characters 14-55
Postcondition of `elts` is ok at "examples/tests/rac.mlw", line 346, characters 27-33
Postcondition of `map_update` is ok at "examples/tests/rac.mlw", line 346, characters 16-37
Postcondition of `elts` is ok at "examples/tests/rac.mlw", line 341, characters 41-47
Postcondition of `(=)` is ok at "examples/tests/rac.mlw", line 339, characters 23-28
                       - Defined at "WHY3DATA/stdlib/int.mlw", line 16, characters 39-55
Postcondition of `(@)` is ok at "examples/tests/rac.mlw", line 339, characters 41-44
Postcondition of `(@)` is ok at "examples/tests/rac.mlw", line 341, characters 41-49
Postcondition of `([])` is ok at "examples/tests/rac.mlw", line 360, characters 10-14
                       - Defined at "examples/tests/rac.mlw", line 341, characters 41-49
Postcondition of `elts` is ok at "examples/tests/rac.mlw", line 341, characters 41-47
Postcondition of `(=)` is ok at "examples/tests/rac.mlw", line 339, characters 23-28
                       - Defined at "WHY3DATA/stdlib/int.mlw", line 16, characters 39-55
Postcondition of `(@)` is ok at "examples/tests/rac.mlw", line 341, characters 41-49
Postcondition of `([])` is ok at "examples/tests/rac.mlw", line 360, characters 4-8
                       - Defined at "examples/tests/rac.mlw", line 341, characters 41-49
Postcondition of `Tuple2` is ok at "examples/tests/rac.mlw", line 360, characters 4-14
result: (int, int) = (10, 0)
globals: 
** ArrayExec.test4 ()
Postcondition of `Tuple0` is ok at "command line expression to execute", line 1, characters 6-8
Postcondition of `array'mk` is ok at "examples/tests/rac.mlw", line 336, characters 4-33
Postcondition of `make` is ok at "examples/tests/rac.mlw", line 363, characters 12-21
                       - Defined at "examples/tests/rac.mlw", line 334, characters 14-31
Postcondition of `make` is ok at "examples/tests/rac.mlw", line 363, characters 12-21
                       - Defined at "examples/tests/rac.mlw", line 335, characters 14-55
Assertion is ok at "examples/tests/rac.mlw", line 364, characters 13-26
Postcondition of `elts` is ok at "examples/tests/rac.mlw", line 341, characters 41-47
Postcondition of `(@)` is ok at "examples/tests/rac.mlw", line 341, characters 41-49
Postcondition of `([])` is ok at "examples/tests/rac.mlw", line 365, characters 12-16
                       - Defined at "examples/tests/rac.mlw", line 341, characters 41-49
Assertion is ok at "examples/tests/rac.mlw", line 366, characters 13-18
Postcondition of `elts` is ok at "examples/tests/rac.mlw", line 346, characters 27-33
Postcondition of `map_update` is ok at "examples/tests/rac.mlw", line 346, characters 16-37
Postcondition of `elts` is ok at "examples/tests/rac.mlw", line 341, characters 41-47
Postcondition of `(=)` is ok at "examples/tests/rac.mlw", line 339, characters 23-28
                       - Defined at "WHY3DATA/stdlib/int.mlw", line 16, characters 39-55
Postcondition of `(@)` is ok at "examples/tests/rac.mlw", line 339, characters 41-44
Postcondition of `(@)` is ok at "examples/tests/rac.mlw", line 341, characters 41-49
Postcondition of `([])` is ok at "examples/tests/rac.mlw", line 368, characters 12-16
                       - Defined at "examples/tests/rac.mlw", line 341, characters 41-49
Assertion is ok at "examples/tests/rac.mlw", line 369, characters 13-18
Postcondition of `elts` is ok at "examples/tests/rac.mlw", line 341, characters 41-47
Postcondition of `(=)` is ok at "examples/tests/rac.mlw", line 339, characters 23-28
                       - Defined at "WHY3DATA/stdlib/int.mlw", line 16, characters 39-55
Postcondition of `(@)` is ok at "examples/tests/rac.mlw", line 341, characters 41-49
Postcondition of `([])` is ok at "examples/tests/rac.mlw", line 370, characters 12-16
                       - Defined at "examples/tests/rac.mlw", line 341, characters 41-49
Assertion is ok at "examples/tests/rac.mlw", line 371, characters 13-19
Postcondition of `elts` is ok at "examples/tests/rac.mlw", line 341, characters 41-47
Postcondition of `(=)` is ok at "examples/tests/rac.mlw", line 339, characters 23-28
                       - Defined at "WHY3DATA/stdlib/int.mlw", line 16, characters 39-55
Postcondition of `(@)` is ok at "examples/tests/rac.mlw", line 339, characters 41-44
Postcondition of `(@)` is ok at "examples/tests/rac.mlw", line 341, characters 41-49
Postcondition of `([])` is ok at "examples/tests/rac.mlw", line 372, characters 12-16
                       - Defined at "examples/tests/rac.mlw", line 341, characters 41-49
Assertion failed at "examples/tests/rac.mlw", line 373, characters 13-19
                       - Term: x = 11
                       - Variables: x -> 0
Assertion failed at "examples/tests/rac.mlw", line 373, characters 13-19
- Term: x = 11
- Variables: x -> 0

* Ghost
** Ghost.test1 ()
Postcondition of `Tuple0` is ok at "command line expression to execute", line 1, characters 6-8
Postcondition of `t'mk` is ok at "examples/tests/rac.mlw", line 425, characters 12-30
Assertion is ok at "examples/tests/rac.mlw", line 426, characters 13-37
Postcondition of `i2` is ok at "examples/tests/rac.mlw", line 427, characters 11-15
Postcondition of `i1` is ok at "examples/tests/rac.mlw", line 427, characters 5-9
Postcondition of `Tuple2` is ok at "examples/tests/rac.mlw", line 427, characters 4-16
Postcondition of `test1` is ok at "command line expression to execute", line 1, characters 0-8
                       - Defined at "examples/tests/rac.mlw", line 425, character 4 to line 427, character 16
result: (int, int) = (123, 456)
globals: 
** Ghost.test2 ()
Postcondition of `Tuple0` is ok at "command line expression to execute", line 1, characters 6-8
Postcondition of `(=)` is ok at "examples/tests/rac.mlw", line 430, characters 7-12
                       - Defined at "WHY3DATA/stdlib/int.mlw", line 16, characters 39-55
Postcondition of `f1` is ok at "examples/tests/rac.mlw", line 433, characters 18-24
                       - Defined at "examples/tests/rac.mlw", line 430, characters 4-30
Postcondition of `(+)` is ok at "examples/tests/rac.mlw", line 434, characters 4-9
Postcondition of `test2` is ok at "command line expression to execute", line 1, characters 0-8
                       - Defined at "examples/tests/rac.mlw", line 434, characters 4-9
result: int = 457
globals: 

* Predicates
** Predicates.test1 ()
Postcondition of `Tuple0` is ok at "command line expression to execute", line 1, characters 6-8
Assertion is ok at "examples/tests/rac.mlw", line 444, characters 13-19
Assertion is ok at "examples/tests/rac.mlw", line 446, characters 13-15
Postcondition of `True` is ok
Assertion is ok at "examples/tests/rac.mlw", line 448, characters 13-15
Assertion is ok at "examples/tests/rac.mlw", line 450, characters 13-19
result: () = ()
globals: 
** Predicates.test2 ()
Postcondition of `Tuple0` is ok at "command line expression to execute", line 1, characters 6-8
Assertion is ok at "examples/tests/rac.mlw", line 454, characters 13-15
Assertion is ok at "examples/tests/rac.mlw", line 456, characters 13-18
Assertion is ok at "examples/tests/rac.mlw", line 458, characters 13-15
Postcondition of `Tuple3` is ok at "examples/tests/rac.mlw", line 459, characters 4-15
Postcondition of `test2` is ok at "command line expression to execute", line 1, characters 0-8
                       - Defined at "examples/tests/rac.mlw", line 453, character 4 to line 459, character 15
result: (bool, int, bool) = (True, 0, True)
globals: 

* Arrays
** Arrays.test0 ()
Postcondition of `Tuple0` is ok at "command line expression to execute", line 1, characters 6-8
Precondition of `make` is ok at "examples/tests/rac.mlw", line 391, characters 12-21
                       - Defined at "WHY3DATA/stdlib/array.mlw", line 60, characters 43-49
Postcondition of `make` is ok at "examples/tests/rac.mlw", line 391, characters 12-21
                       - Defined at "WHY3DATA/stdlib/array.mlw", line 61, characters 14-55
Postcondition of `make` is ok at "examples/tests/rac.mlw", line 391, characters 12-21
                       - Defined at "WHY3DATA/stdlib/array.mlw", line 62, characters 14-31
Precondition of `([]<-)` is ok at "examples/tests/rac.mlw", line 392, characters 4-14
                       - Defined at "WHY3DATA/stdlib/array.mlw", line 31, characters 45-62
Postcondition of `([]<-)` cannot be evaluated at "examples/tests/rac.mlw", line 392, characters 4-14
                       - Defined at "WHY3DATA/stdlib/array.mlw", line 32, characters 15-48
Warning: Postcondition of `([]<-)` cannot be evaluated.

Postcondition of `([]<-)` cannot be evaluated at "examples/tests/rac.mlw", line 392, characters 4-14
                       - Defined at "WHY3DATA/stdlib/array.mlw", line 33, characters 15-34
Warning: Postcondition of `([]<-)` cannot be evaluated.

Precondition of `([])` is ok at "examples/tests/rac.mlw", line 393, characters 10-14
                       - Defined at "WHY3DATA/stdlib/array.mlw", line 23, characters 45-62
Postcondition of `([])` is ok at "examples/tests/rac.mlw", line 393, characters 10-14
                       - Defined at "WHY3DATA/stdlib/array.mlw", line 24, characters 15-28
Precondition of `([])` is ok at "examples/tests/rac.mlw", line 393, characters 4-8
                       - Defined at "WHY3DATA/stdlib/array.mlw", line 23, characters 45-62
Postcondition of `([])` is ok at "examples/tests/rac.mlw", line 393, characters 4-8
                       - Defined at "WHY3DATA/stdlib/array.mlw", line 24, characters 15-28
Postcondition of `Tuple2` is ok at "examples/tests/rac.mlw", line 393, characters 4-14
result: (int, int) = (10, 0)
globals: 
** Arrays.test1 ()
Postcondition of `Tuple0` is ok at "command line expression to execute", line 1, characters 6-8
Precondition of `make` is ok at "examples/tests/rac.mlw", line 396, characters 12-21
                       - Defined at "WHY3DATA/stdlib/array.mlw", line 60, characters 43-49
Postcondition of `make` is ok at "examples/tests/rac.mlw", line 396, characters 12-21
                       - Defined at "WHY3DATA/stdlib/array.mlw", line 61, characters 14-55
Postcondition of `make` is ok at "examples/tests/rac.mlw", line 396, characters 12-21
                       - Defined at "WHY3DATA/stdlib/array.mlw", line 62, characters 14-31
Assertion is ok at "examples/tests/rac.mlw", line 397, characters 13-26
Assertion is ok at "examples/tests/rac.mlw", line 398, characters 13-21
Precondition of `([]<-)` is ok at "examples/tests/rac.mlw", line 399, characters 4-14
                       - Defined at "WHY3DATA/stdlib/array.mlw", line 31, characters 45-62
Postcondition of `([]<-)` cannot be evaluated at "examples/tests/rac.mlw", line 399, characters 4-14
                       - Defined at "WHY3DATA/stdlib/array.mlw", line 32, characters 15-48
Warning: Postcondition of `([]<-)` cannot be evaluated.

Postcondition of `([]<-)` cannot be evaluated at "examples/tests/rac.mlw", line 399, characters 4-14
                       - Defined at "WHY3DATA/stdlib/array.mlw", line 33, characters 15-34
Warning: Postcondition of `([]<-)` cannot be evaluated.

Assertion is ok at "examples/tests/rac.mlw", line 400, characters 13-21
Assertion is ok at "examples/tests/rac.mlw", line 401, characters 13-22
Assertion failed at "examples/tests/rac.mlw", line 402, characters 13-22
                       - Term: a[2] = 11
                       - Variables: a -> [0; 11; 0; 0; 0; 0; 0; 0; 0; 0]
Assertion failed at "examples/tests/rac.mlw", line 402, characters 13-22
- Term: a[2] = 11
- Variables: a -> [0; 11; 0; 0; 0; 0; 0; 0; 0; 0]
** Arrays.test2 ()
Postcondition of `Tuple0` is ok at "command line expression to execute", line 1, characters 6-8
Precondition of `make` is ok at "examples/tests/rac.mlw", line 408, characters 12-21
                       - Defined at "WHY3DATA/stdlib/array.mlw", line 60, characters 43-49
Postcondition of `make` is ok at "examples/tests/rac.mlw", line 408, characters 12-21
                       - Defined at "WHY3DATA/stdlib/array.mlw", line 61, characters 14-55
Postcondition of `make` is ok at "examples/tests/rac.mlw", line 408, characters 12-21
                       - Defined at "WHY3DATA/stdlib/array.mlw", line 62, characters 14-31
Assertion failed at "examples/tests/rac.mlw", line 409, characters 13-26
                       - Term: a.length = 42
                       - Variables: a -> [11]
Assertion failed at "examples/tests/rac.mlw", line 409, characters 13-26
- Term: a.length = 42
- Variables: a -> [11]
** Arrays.test3 ()
Postcondition of `Tuple0` is ok at "command line expression to execute", line 1, characters 6-8
Postcondition of `Tuple0` is ok at "examples/tests/rac.mlw", line 412, characters 19-21
Postcondition of `empty` is ok at "examples/tests/rac.mlw", line 412, characters 12-34
                       - Defined at "WHY3DATA/stdlib/array.mlw", line 65, characters 14-31
Assertion failed at "examples/tests/rac.mlw", line 413, characters 13-26
                       - Term: a.length = 42
                       - Variables: a -> []
Assertion failed at "examples/tests/rac.mlw", line 413, characters 13-26
- Term: a.length = 42
- Variables: a -> []

* Variants
** Variants.loop_var_ok1 ()
Postcondition of `Tuple0` is ok at "command line expression to execute", line 1, characters 13-15
Postcondition of `ref'mk` is ok at "examples/tests/rac.mlw", line 465, characters 16-17
Postcondition of `ref` is ok at "examples/tests/rac.mlw", line 465, characters 16-17
Postcondition of `contents` is ok at "examples/tests/rac.mlw", line 466, characters 10-11
Postcondition of `(>=)` is ok at "examples/tests/rac.mlw", line 466, characters 10-16
Postcondition of `contents` is ok at "examples/tests/rac.mlw", line 468, characters 11-12
Postcondition of `(-_)` is ok at "WHY3DATA/stdlib/int.mlw", line 23, characters 39-41
Postcondition of `(+)` is ok at "WHY3DATA/stdlib/int.mlw", line 23, characters 35-41
Postcondition of `(-)` is ok at "examples/tests/rac.mlw", line 468, characters 11-16
Loop variant decrease is ok at "examples/tests/rac.mlw", line 467, characters 16-17
Postcondition of `contents` is ok at "examples/tests/rac.mlw", line 466, characters 10-11
Postcondition of `(>=)` is ok at "examples/tests/rac.mlw", line 466, characters 10-16
Postcondition of `contents` is ok at "examples/tests/rac.mlw", line 468, characters 11-12
Postcondition of `(-_)` is ok at "WHY3DATA/stdlib/int.mlw", line 23, characters 39-41
Postcondition of `(+)` is ok at "WHY3DATA/stdlib/int.mlw", line 23, characters 35-41
Postcondition of `(-)` is ok at "examples/tests/rac.mlw", line 468, characters 11-16
Loop variant decrease is ok at "examples/tests/rac.mlw", line 467, characters 16-17
Postcondition of `contents` is ok at "examples/tests/rac.mlw", line 466, characters 10-11
Postcondition of `(>=)` is ok at "examples/tests/rac.mlw", line 466, characters 10-16
result: () = ()
globals: 
** Variants.loop_var_ok2 ()
Postcondition of `Tuple0` is ok at "command line expression to execute", line 1, characters 13-15
Postcondition of `ref'mk` is ok at "examples/tests/rac.mlw", line 471, characters 16-17
Postcondition of `ref` is ok at "examples/tests/rac.mlw", line 471, characters 16-17
Postcondition of `ref'mk` is ok at "examples/tests/rac.mlw", line 472, characters 16-17
Postcondition of `ref` is ok at "examples/tests/rac.mlw", line 472, characters 16-17
Postcondition of `contents` is ok at "examples/tests/rac.mlw", line 473, characters 10-11
Postcondition of `(>=)` is ok at "examples/tests/rac.mlw", line 473, characters 10-16
Postcondition of `contents` is ok at "examples/tests/rac.mlw", line 475, characters 9-10
Postcondition of `(>)` is ok at "examples/tests/rac.mlw", line 475, characters 9-14
Postcondition of `contents` is ok at "examples/tests/rac.mlw", line 476, characters 13-14
Postcondition of `(-_)` is ok at "WHY3DATA/stdlib/int.mlw", line 23, characters 39-41
Postcondition of `(+)` is ok at "WHY3DATA/stdlib/int.mlw", line 23, characters 35-41
Postcondition of `(-)` is ok at "examples/tests/rac.mlw", line 476, characters 13-18
Loop variant decrease is ok at "examples/tests/rac.mlw", line 474, characters 16-17
Postcondition of `contents` is ok at "examples/tests/rac.mlw", line 473, characters 10-11
Postcondition of `(>=)` is ok at "examples/tests/rac.mlw", line 473, characters 10-16
Postcondition of `contents` is ok at "examples/tests/rac.mlw", line 475, characters 9-10
Postcondition of `(>)` is ok at "examples/tests/rac.mlw", line 475, characters 9-14
Postcondition of `contents` is ok at "examples/tests/rac.mlw", line 478, characters 13-14
Postcondition of `(-_)` is ok at "WHY3DATA/stdlib/int.mlw", line 23, characters 39-41
Postcondition of `(+)` is ok at "WHY3DATA/stdlib/int.mlw", line 23, characters 35-41
Postcondition of `(-)` is ok at "examples/tests/rac.mlw", line 478, characters 13-18
Loop variant decrease is ok at "examples/tests/rac.mlw", line 474, characters 16-17
Postcondition of `contents` is ok at "examples/tests/rac.mlw", line 473, characters 10-11
Postcondition of `(>=)` is ok at "examples/tests/rac.mlw", line 473, characters 10-16
Postcondition of `contents` is ok at "examples/tests/rac.mlw", line 475, characters 9-10
Postcondition of `(>)` is ok at "examples/tests/rac.mlw", line 475, characters 9-14
Postcondition of `contents` is ok at "examples/tests/rac.mlw", line 478, characters 13-14
Postcondition of `(-_)` is ok at "WHY3DATA/stdlib/int.mlw", line 23, characters 39-41
Postcondition of `(+)` is ok at "WHY3DATA/stdlib/int.mlw", line 23, characters 35-41
Postcondition of `(-)` is ok at "examples/tests/rac.mlw", line 478, characters 13-18
Loop variant decrease is ok at "examples/tests/rac.mlw", line 474, characters 16-17
Postcondition of `contents` is ok at "examples/tests/rac.mlw", line 473, characters 10-11
Postcondition of `(>=)` is ok at "examples/tests/rac.mlw", line 473, characters 10-16
result: () = ()
globals: 
** Variants.loop_var_fail1 ()
Postcondition of `Tuple0` is ok at "command line expression to execute", line 1, characters 15-17
Postcondition of `ref'mk` is ok at "examples/tests/rac.mlw", line 481, characters 16-17
Postcondition of `ref` is ok at "examples/tests/rac.mlw", line 481, characters 16-17
Postcondition of `contents` is ok at "examples/tests/rac.mlw", line 482, characters 10-11
Postcondition of `(>=)` is ok at "examples/tests/rac.mlw", line 482, characters 10-16
Postcondition of `contents` is ok at "examples/tests/rac.mlw", line 484, characters 9-10
Postcondition of `(>)` is ok at "examples/tests/rac.mlw", line 484, characters 9-14
Postcondition of `contents` is ok at "examples/tests/rac.mlw", line 485, characters 13-14
Postcondition of `(-_)` is ok at "WHY3DATA/stdlib/int.mlw", line 23, characters 39-41
Postcondition of `(+)` is ok at "WHY3DATA/stdlib/int.mlw", line 23, characters 35-41
Postcondition of `(-)` is ok at "examples/tests/rac.mlw", line 485, characters 13-18
Loop variant decrease is ok at "examples/tests/rac.mlw", line 483, characters 16-17
Postcondition of `contents` is ok at "examples/tests/rac.mlw", line 482, characters 10-11
Postcondition of `(>=)` is ok at "examples/tests/rac.mlw", line 482, characters 10-16
Postcondition of `contents` is ok at "examples/tests/rac.mlw", line 484, characters 9-10
Postcondition of `(>)` is ok at "examples/tests/rac.mlw", line 484, characters 9-14
Postcondition of `Tuple0` is ok at "examples/tests/rac.mlw", line 484, character 6 to line 485, character 18
Loop variant decrease failed at "examples/tests/rac.mlw", line 483, characters 16-17
                       - Term: 0 <= i.contents /\ i1.contents < i.contents \/
                               i.contents = i1.contents /\ false
                       - Variables: i1 -> {contents= 1}, i -> {contents= 1}
Loop variant decrease failed at "examples/tests/rac.mlw", line 483, characters 16-17
- Term: 0 <= i.contents /\ i1.contents < i.contents \/
        i.contents = i1.contents /\ false
- Variables: i1 -> {contents= 1}, i -> {contents= 1}
** Variants.loop_var_fail2 ()
Postcondition of `Tuple0` is ok at "command line expression to execute", line 1, characters 15-17
Postcondition of `ref'mk` is ok at "examples/tests/rac.mlw", line 488, characters 16-17
Postcondition of `ref` is ok at "examples/tests/rac.mlw", line 488, characters 16-17
Postcondition of `ref'mk` is ok at "examples/tests/rac.mlw", line 489, characters 16-17
Postcondition of `ref` is ok at "examples/tests/rac.mlw", line 489, characters 16-17
Postcondition of `contents` is ok at "examples/tests/rac.mlw", line 490, characters 10-11
Postcondition of `(>=)` is ok at "examples/tests/rac.mlw", line 490, characters 10-16
Postcondition of `contents` is ok at "examples/tests/rac.mlw", line 492, characters 9-10
Postcondition of `(>)` is ok at "examples/tests/rac.mlw", line 492, characters 9-14
Postcondition of `contents` is ok at "examples/tests/rac.mlw", line 493, characters 13-14
Postcondition of `(-_)` is ok at "WHY3DATA/stdlib/int.mlw", line 23, characters 39-41
Postcondition of `(+)` is ok at "WHY3DATA/stdlib/int.mlw", line 23, characters 35-41
Postcondition of `(-)` is ok at "examples/tests/rac.mlw", line 493, characters 13-18
Loop variant decrease is ok at "examples/tests/rac.mlw", line 491, characters 16-17
Postcondition of `contents` is ok at "examples/tests/rac.mlw", line 490, characters 10-11
Postcondition of `(>=)` is ok at "examples/tests/rac.mlw", line 490, characters 10-16
Postcondition of `contents` is ok at "examples/tests/rac.mlw", line 492, characters 9-10
Postcondition of `(>)` is ok at "examples/tests/rac.mlw", line 492, characters 9-14
Postcondition of `contents` is ok at "examples/tests/rac.mlw", line 494, characters 14-15
Postcondition of `(>)` is ok at "examples/tests/rac.mlw", line 494, characters 14-19
Postcondition of `contents` is ok at "examples/tests/rac.mlw", line 495, characters 13-14
Postcondition of `(-_)` is ok at "WHY3DATA/stdlib/int.mlw", line 23, characters 39-41
Postcondition of `(+)` is ok at "WHY3DATA/stdlib/int.mlw", line 23, characters 35-41
Postcondition of `(-)` is ok at "examples/tests/rac.mlw", line 495, characters 13-18
Loop variant decrease is ok at "examples/tests/rac.mlw", line 491, characters 16-17
Postcondition of `contents` is ok at "examples/tests/rac.mlw", line 490, characters 10-11
Postcondition of `(>=)` is ok at "examples/tests/rac.mlw", line 490, characters 10-16
Postcondition of `contents` is ok at "examples/tests/rac.mlw", line 492, characters 9-10
Postcondition of `(>)` is ok at "examples/tests/rac.mlw", line 492, characters 9-14
Postcondition of `contents` is ok at "examples/tests/rac.mlw", line 494, characters 14-15
Postcondition of `(>)` is ok at "examples/tests/rac.mlw", line 494, characters 14-19
Postcondition of `Tuple0` is ok at "examples/tests/rac.mlw", line 494, character 11 to line 495, character 18
Loop variant decrease failed at "examples/tests/rac.mlw", line 491, characters 16-17
                       - Term: 0 <= i.contents /\ i1.contents < i.contents \/
                               i.contents = i1.contents /\
                               (0 <= j.contents /\ j1.contents < j.contents \/
                                j.contents = j1.contents /\ false)
                       - Variables: i1 -> {contents= 0},
                         i -> {contents= 0},
                         j1 -> {contents= 1},
                         j -> {contents= 1}
Loop variant decrease failed at "examples/tests/rac.mlw", line 491, characters 16-17
- Term: 0 <= i.contents /\ i1.contents < i.contents \/
        i.contents = i1.contents /\
        (0 <= j.contents /\ j1.contents < j.contents \/
         j.contents = j1.contents /\ false)
- Variables: i1 -> {contents= 0},
  i -> {contents= 0},
  j1 -> {contents= 1},
  j -> {contents= 1}
** Variants.loop_custom_variant ()
Postcondition of `Tuple0` is ok at "command line expression to execute", line 1, characters 20-22
Postcondition of `ref'mk` is ok at "examples/tests/rac.mlw", line 502, characters 16-17
Postcondition of `ref` is ok at "examples/tests/rac.mlw", line 502, characters 16-17
Postcondition of `contents` is ok at "examples/tests/rac.mlw", line 503, characters 10-11
Postcondition of `(>=)` is ok at "examples/tests/rac.mlw", line 503, characters 10-16
Postcondition of `contents` is ok at "examples/tests/rac.mlw", line 505, characters 11-12
Postcondition of `(-_)` is ok at "WHY3DATA/stdlib/int.mlw", line 23, characters 39-41
Postcondition of `(+)` is ok at "WHY3DATA/stdlib/int.mlw", line 23, characters 35-41
Postcondition of `(-)` is ok at "examples/tests/rac.mlw", line 505, characters 11-16
Loop variant decrease is ok at "examples/tests/rac.mlw", line 504, characters 16-21
Postcondition of `contents` is ok at "examples/tests/rac.mlw", line 503, characters 10-11
Postcondition of `(>=)` is ok at "examples/tests/rac.mlw", line 503, characters 10-16
Postcondition of `contents` is ok at "examples/tests/rac.mlw", line 505, characters 11-12
Postcondition of `(-_)` is ok at "WHY3DATA/stdlib/int.mlw", line 23, characters 39-41
Postcondition of `(+)` is ok at "WHY3DATA/stdlib/int.mlw", line 23, characters 35-41
Postcondition of `(-)` is ok at "examples/tests/rac.mlw", line 505, characters 11-16
Loop variant decrease is ok at "examples/tests/rac.mlw", line 504, characters 16-21
Postcondition of `contents` is ok at "examples/tests/rac.mlw", line 503, characters 10-11
Postcondition of `(>=)` is ok at "examples/tests/rac.mlw", line 503, characters 10-16
Assertion is ok at "examples/tests/rac.mlw", line 507, characters 13-19
Postcondition of `contents` is ok at "examples/tests/rac.mlw", line 509, characters 10-11
Postcondition of `(>=)` is ok at "examples/tests/rac.mlw", line 509, characters 10-17
Postcondition of `contents` is ok at "examples/tests/rac.mlw", line 511, characters 11-12
Postcondition of `(-_)` is ok at "WHY3DATA/stdlib/int.mlw", line 23, characters 39-41
Postcondition of `(+)` is ok at "WHY3DATA/stdlib/int.mlw", line 23, characters 35-41
Postcondition of `(-)` is ok at "examples/tests/rac.mlw", line 511, characters 11-16
Loop variant decrease is ok at "examples/tests/rac.mlw", line 510, characters 16-21
Postcondition of `contents` is ok at "examples/tests/rac.mlw", line 509, characters 10-11
Postcondition of `(>=)` is ok at "examples/tests/rac.mlw", line 509, characters 10-17
Postcondition of `contents` is ok at "examples/tests/rac.mlw", line 511, characters 11-12
Postcondition of `(-_)` is ok at "WHY3DATA/stdlib/int.mlw", line 23, characters 39-41
Postcondition of `(+)` is ok at "WHY3DATA/stdlib/int.mlw", line 23, characters 35-41
Postcondition of `(-)` is ok at "examples/tests/rac.mlw", line 511, characters 11-16
Loop variant decrease is ok at "examples/tests/rac.mlw", line 510, characters 16-21
Postcondition of `contents` is ok at "examples/tests/rac.mlw", line 509, characters 10-11
Postcondition of `(>=)` is ok at "examples/tests/rac.mlw", line 509, characters 10-17
Postcondition of `contents` is ok at "examples/tests/rac.mlw", line 511, characters 11-12
Postcondition of `(-_)` is ok at "WHY3DATA/stdlib/int.mlw", line 23, characters 39-41
Postcondition of `(+)` is ok at "WHY3DATA/stdlib/int.mlw", line 23, characters 35-41
Postcondition of `(-)` is ok at "examples/tests/rac.mlw", line 511, characters 11-16
Loop variant decrease failed at "examples/tests/rac.mlw", line 510, characters 16-21
                       - Term: p (2 - i.contents) (2 - i1.contents) \/
                               (2 - i1.contents) = (2 - i.contents) /\ false
                       - Variables: i -> {contents= (-2)},
                         i1 -> {contents= (-1)}
Loop variant decrease failed at "examples/tests/rac.mlw", line 510, characters 16-21
- Term: p (2 - i.contents) (2 - i1.contents) \/
        (2 - i1.contents) = (2 - i.contents) /\ false
- Variables: i -> {contents= (-2)}, i1 -> {contents= (-1)}

* TestUInt64
** TestUInt64.test ()
Postcondition of `max_uint64` is ok
Postcondition of `(+)` is ok at "WHY3DATA/stdlib/mach/int.mlw", line 567, characters 29-43
Postcondition of `Tuple0` is ok at "command line expression to execute", line 1, characters 5-7
Precondition of `(-)` failed at "examples/tests/rac.mlw", line 517, characters 16-21
                       - Defined at "WHY3DATA/stdlib/mach/int.mlw", line 67, characters 40-57
                       - Term: in_bounds (a -' b)
                       - Variables: a -> 0, b -> 1
Precondition of `(-)` failed at "examples/tests/rac.mlw", line 517, characters 16-21
- Defined at "WHY3DATA/stdlib/mach/int.mlw", line 67, characters 40-57
- Term: in_bounds (a - b)
- Variables: a -> 0, b -> 1

* Premises
** Premises.test1 ()
Postcondition of `Tuple0` is ok at "command line expression to execute", line 1, characters 6-8
Precondition of `test1` cannot be evaluated at "command line expression to execute", line 1, characters 0-8
                       - Defined at "examples/tests/rac.mlw", line 527, characters 15-19
Warning: Precondition of `test1` cannot be evaluated.

Postcondition of `Tuple0` is ok at "examples/tests/rac.mlw", line 529, characters 4-6
Postcondition of `test1` is ok at "command line expression to execute", line 1, characters 0-8
                       - Defined at "examples/tests/rac.mlw", line 528, characters 14-18
result: () = ()
globals: 

* FunctionVariant
** FunctionVariant.test1 2
Postcondition of `(>)` is ok at "examples/tests/rac.mlw", line 536, characters 7-12
Postcondition of `(-_)` is ok at "WHY3DATA/stdlib/int.mlw", line 23, characters 39-41
Postcondition of `(+)` is ok at "WHY3DATA/stdlib/int.mlw", line 23, characters 35-41
Postcondition of `(-)` is ok at "examples/tests/rac.mlw", line 536, characters 24-29
Variant decrease is ok at "examples/tests/rac.mlw", line 535, characters 35-36
Postcondition of `(>)` is ok at "examples/tests/rac.mlw", line 536, characters 7-12
Postcondition of `(-_)` is ok at "WHY3DATA/stdlib/int.mlw", line 23, characters 39-41
Postcondition of `(+)` is ok at "WHY3DATA/stdlib/int.mlw", line 23, characters 35-41
Postcondition of `(-)` is ok at "examples/tests/rac.mlw", line 536, characters 24-29
Variant decrease is ok at "examples/tests/rac.mlw", line 535, characters 35-36
Postcondition of `(>)` is ok at "examples/tests/rac.mlw", line 536, characters 7-12
result: int = 0
globals: 
** FunctionVariant.test2 2
Postcondition of `(>)` is ok at "examples/tests/rac.mlw", line 539, characters 7-12
Postcondition of `(-_)` is ok at "WHY3DATA/stdlib/int.mlw", line 23, characters 39-41
Postcondition of `(+)` is ok at "WHY3DATA/stdlib/int.mlw", line 23, characters 35-41
Postcondition of `(-)` is ok at "examples/tests/rac.mlw", line 539, characters 24-29
Variant decrease is ok at "examples/tests/rac.mlw", line 538, characters 35-36
Postcondition of `(>)` is ok at "examples/tests/rac.mlw", line 539, characters 7-12
Postcondition of `(-_)` is ok at "WHY3DATA/stdlib/int.mlw", line 23, characters 39-41
Postcondition of `(+)` is ok at "WHY3DATA/stdlib/int.mlw", line 23, characters 35-41
Postcondition of `(-)` is ok at "examples/tests/rac.mlw", line 539, characters 24-29
Variant decrease is ok at "examples/tests/rac.mlw", line 538, characters 35-36
Postcondition of `(>)` is ok at "examples/tests/rac.mlw", line 539, characters 7-12
Variant decrease failed at "examples/tests/rac.mlw", line 538, characters 35-36
                       - Term: 0 <= i /\ i1 < i \/ i = i1 /\ false
                       - Variables: i1 -> 0, i -> 0
Variant decrease failed at "examples/tests/rac.mlw", line 538, characters 35-36
- Term: 0 <= i /\ i1 < i \/ i = i1 /\ false
- Variables: i1 -> 0, i -> 0
** FunctionVariant.test3 2
Postcondition of `(=)` is ok at "examples/tests/rac.mlw", line 542, characters 7-12
                       - Defined at "WHY3DATA/stdlib/int.mlw", line 16, characters 39-55
Postcondition of `(-_)` is ok at "WHY3DATA/stdlib/int.mlw", line 23, characters 39-41
Postcondition of `(+)` is ok at "WHY3DATA/stdlib/int.mlw", line 23, characters 35-41
Postcondition of `(-)` is ok at "examples/tests/rac.mlw", line 542, characters 38-43
Postcondition of `(-_)` is ok at "WHY3DATA/stdlib/int.mlw", line 23, characters 39-41
Postcondition of `(+)` is ok at "WHY3DATA/stdlib/int.mlw", line 23, characters 35-41
Postcondition of `(-)` is ok at "examples/tests/rac.mlw", line 542, characters 32-37
Variant decrease is ok at "examples/tests/rac.mlw", line 543, characters 35-36
Postcondition of `(=)` is ok at "examples/tests/rac.mlw", line 544, characters 7-12
                       - Defined at "WHY3DATA/stdlib/int.mlw", line 16, characters 39-55
Postcondition of `(-_)` is ok at "WHY3DATA/stdlib/int.mlw", line 23, characters 39-41
Postcondition of `(+)` is ok at "WHY3DATA/stdlib/int.mlw", line 23, characters 35-41
Postcondition of `(-)` is ok at "examples/tests/rac.mlw", line 544, characters 40-47
Variant decrease is ok at "examples/tests/rac.mlw", line 543, characters 35-36
Postcondition of `(=)` is ok at "examples/tests/rac.mlw", line 544, characters 7-12
                       - Defined at "WHY3DATA/stdlib/int.mlw", line 16, characters 39-55
Variant decrease is ok at "examples/tests/rac.mlw", line 541, characters 35-36
Postcondition of `(=)` is ok at "examples/tests/rac.mlw", line 542, characters 7-12
                       - Defined at "WHY3DATA/stdlib/int.mlw", line 16, characters 39-55
Postcondition of `(-_)` is ok at "WHY3DATA/stdlib/int.mlw", line 23, characters 39-41
Postcondition of `(+)` is ok at "WHY3DATA/stdlib/int.mlw", line 23, characters 35-41
Postcondition of `(-)` is ok at "examples/tests/rac.mlw", line 542, characters 38-43
Postcondition of `(-_)` is ok at "WHY3DATA/stdlib/int.mlw", line 23, characters 39-41
Postcondition of `(+)` is ok at "WHY3DATA/stdlib/int.mlw", line 23, characters 35-41
Postcondition of `(-)` is ok at "examples/tests/rac.mlw", line 542, characters 32-37
Variant decrease is ok at "examples/tests/rac.mlw", line 543, characters 35-36
Postcondition of `(=)` is ok at "examples/tests/rac.mlw", line 544, characters 7-12
                       - Defined at "WHY3DATA/stdlib/int.mlw", line 16, characters 39-55
Variant decrease is ok at "examples/tests/rac.mlw", line 541, characters 35-36
Postcondition of `(=)` is ok at "examples/tests/rac.mlw", line 542, characters 7-12
                       - Defined at "WHY3DATA/stdlib/int.mlw", line 16, characters 39-55
result: int = 0
globals: 
** FunctionVariant.test4 2
Postcondition of `(=)` is ok at "examples/tests/rac.mlw", line 547, characters 7-12
                       - Defined at "WHY3DATA/stdlib/int.mlw", line 16, characters 39-55
Postcondition of `(-_)` is ok at "WHY3DATA/stdlib/int.mlw", line 23, characters 39-41
Postcondition of `(+)` is ok at "WHY3DATA/stdlib/int.mlw", line 23, characters 35-41
Postcondition of `(-)` is ok at "examples/tests/rac.mlw", line 547, characters 38-43
Postcondition of `(-_)` is ok at "WHY3DATA/stdlib/int.mlw", line 23, characters 39-41
Postcondition of `(+)` is ok at "WHY3DATA/stdlib/int.mlw", line 23, characters 35-41
Postcondition of `(-)` is ok at "examples/tests/rac.mlw", line 547, characters 32-37
Variant decrease is ok at "examples/tests/rac.mlw", line 548, characters 35-36
Postcondition of `(-_)` is ok at "WHY3DATA/stdlib/int.mlw", line 23, characters 39-41
Postcondition of `(+)` is ok at "WHY3DATA/stdlib/int.mlw", line 23, characters 35-41
Postcondition of `(-)` is ok at "examples/tests/rac.mlw", line 549, characters 13-20
Variant decrease is ok at "examples/tests/rac.mlw", line 548, characters 35-36
Postcondition of `(-_)` is ok at "WHY3DATA/stdlib/int.mlw", line 23, characters 39-41
Postcondition of `(+)` is ok at "WHY3DATA/stdlib/int.mlw", line 23, characters 35-41
Postcondition of `(-)` is ok at "examples/tests/rac.mlw", line 549, characters 13-20
Variant decrease is ok at "examples/tests/rac.mlw", line 548, characters 35-36
Postcondition of `(-_)` is ok at "WHY3DATA/stdlib/int.mlw", line 23, characters 39-41
Postcondition of `(+)` is ok at "WHY3DATA/stdlib/int.mlw", line 23, characters 35-41
Postcondition of `(-)` is ok at "examples/tests/rac.mlw", line 549, characters 13-20
Variant decrease failed at "examples/tests/rac.mlw", line 548, characters 35-36
                       - Term: 0 <= i /\ i1 < i \/
                               i = i1 /\
                               (0 <= j /\ j1 < j \/ j = j1 /\ false)
                       - Variables: i1 -> 1, i -> 1, j1 -> (-2), j -> (-1)
Variant decrease failed at "examples/tests/rac.mlw", line 548, characters 35-36
- Term: 0 <= i /\ i1 < i \/ i = i1 /\ (0 <= j /\ j1 < j \/ j = j1 /\ false)
- Variables: i1 -> 1, i -> 1, j1 -> (-2), j -> (-1)
** FunctionVariant.test5 2
Postcondition of `(=)` is ok at "examples/tests/rac.mlw", line 552, characters 7-12
                       - Defined at "WHY3DATA/stdlib/int.mlw", line 16, characters 39-55
Variant decrease failed at "examples/tests/rac.mlw", line 553, characters 35-36
                       - Term: 0 <= i /\ i1 < i \/ i = i1 /\ false
                       - Variables: i1 -> 2, i -> 2
Variant decrease failed at "examples/tests/rac.mlw", line 553, characters 35-36
- Term: 0 <= i /\ i1 < i \/ i = i1 /\ false
- Variables: i1 -> 2, i -> 2

* ArrayList
** ArrayList.main ()
Postcondition of `Tuple0` is ok at "command line expression to execute", line 1, characters 5-7
Precondition of `make` is ok at "examples/tests/rac.mlw", line 564, characters 12-20
                       - Defined at "WHY3DATA/stdlib/array.mlw", line 60, characters 43-49
Postcondition of `make` is ok at "examples/tests/rac.mlw", line 564, characters 12-20
                       - Defined at "WHY3DATA/stdlib/array.mlw", line 61, characters 14-55
Postcondition of `make` is ok at "examples/tests/rac.mlw", line 564, characters 12-20
                       - Defined at "WHY3DATA/stdlib/array.mlw", line 62, characters 14-31
Precondition of `to_list` is ok at "examples/tests/rac.mlw", line 565, characters 4-17
                       - Defined at "WHY3DATA/stdlib/array.mlw", line 378, characters 15-38
Postcondition of `(<=)` is ok at "WHY3DATA/stdlib/array.mlw", line 380, characters 7-13
Postcondition of `(+)` is ok at "WHY3DATA/stdlib/array.mlw", line 380, characters 49-54
Variant decrease is ok at "WHY3DATA/stdlib/array.mlw", line 379, characters 15-20
Precondition of `to_list1` is ok at "WHY3DATA/stdlib/array.mlw", line 380, characters 38-57
                       - Defined at "WHY3DATA/stdlib/array.mlw", line 378, characters 15-38
Postcondition of `(<=)` is ok at "WHY3DATA/stdlib/array.mlw", line 380, characters 7-13
Postcondition of `(+)` is ok at "WHY3DATA/stdlib/array.mlw", line 380, characters 49-54
Variant decrease is ok at "WHY3DATA/stdlib/array.mlw", line 379, characters 15-20
Precondition of `to_list1` is ok at "WHY3DATA/stdlib/array.mlw", line 380, characters 38-57
                       - Defined at "WHY3DATA/stdlib/array.mlw", line 378, characters 15-38
Postcondition of `(<=)` is ok at "WHY3DATA/stdlib/array.mlw", line 380, characters 7-13
Postcondition of `(+)` is ok at "WHY3DATA/stdlib/array.mlw", line 380, characters 49-54
Variant decrease is ok at "WHY3DATA/stdlib/array.mlw", line 379, characters 15-20
Precondition of `to_list1` is ok at "WHY3DATA/stdlib/array.mlw", line 380, characters 38-57
                       - Defined at "WHY3DATA/stdlib/array.mlw", line 378, characters 15-38
Postcondition of `(<=)` is ok at "WHY3DATA/stdlib/array.mlw", line 380, characters 7-13
Postcondition of `(+)` is ok at "WHY3DATA/stdlib/array.mlw", line 380, characters 49-54
Variant decrease is ok at "WHY3DATA/stdlib/array.mlw", line 379, characters 15-20
Precondition of `to_list1` is ok at "WHY3DATA/stdlib/array.mlw", line 380, characters 38-57
                       - Defined at "WHY3DATA/stdlib/array.mlw", line 378, characters 15-38
Postcondition of `(<=)` is ok at "WHY3DATA/stdlib/array.mlw", line 380, characters 7-13
Postcondition of `Nil` is ok at "WHY3DATA/stdlib/array.mlw", line 380, characters 19-22
Precondition of `([])` is ok at "WHY3DATA/stdlib/array.mlw", line 380, characters 33-37
                       - Defined at "WHY3DATA/stdlib/array.mlw", line 23, characters 45-62
Postcondition of `([])` is ok at "WHY3DATA/stdlib/array.mlw", line 380, characters 33-37
                       - Defined at "WHY3DATA/stdlib/array.mlw", line 24, characters 15-28
Postcondition of `Cons` is ok at "WHY3DATA/stdlib/array.mlw", line 380, characters 28-57
Precondition of `([])` is ok at "WHY3DATA/stdlib/array.mlw", line 380, characters 33-37
                       - Defined at "WHY3DATA/stdlib/array.mlw", line 23, characters 45-62
Postcondition of `([])` is ok at "WHY3DATA/stdlib/array.mlw", line 380, characters 33-37
                       - Defined at "WHY3DATA/stdlib/array.mlw", line 24, characters 15-28
Postcondition of `Cons` is ok at "WHY3DATA/stdlib/array.mlw", line 380, characters 28-57
Precondition of `([])` is ok at "WHY3DATA/stdlib/array.mlw", line 380, characters 33-37
                       - Defined at "WHY3DATA/stdlib/array.mlw", line 23, characters 45-62
Postcondition of `([])` is ok at "WHY3DATA/stdlib/array.mlw", line 380, characters 33-37
                       - Defined at "WHY3DATA/stdlib/array.mlw", line 24, characters 15-28
Postcondition of `Cons` is ok at "WHY3DATA/stdlib/array.mlw", line 380, characters 28-57
Precondition of `([])` is ok at "WHY3DATA/stdlib/array.mlw", line 380, characters 33-37
                       - Defined at "WHY3DATA/stdlib/array.mlw", line 23, characters 45-62
Postcondition of `([])` is ok at "WHY3DATA/stdlib/array.mlw", line 380, characters 33-37
                       - Defined at "WHY3DATA/stdlib/array.mlw", line 24, characters 15-28
Postcondition of `Cons` is ok at "WHY3DATA/stdlib/array.mlw", line 380, characters 28-57
Postcondition of `to_list` is ok at "examples/tests/rac.mlw", line 565, characters 4-17
result: list int = (Cons 0 (Cons 0 (Cons 0 (Cons 0 Nil))))
globals: 
why3-1.6.0/examples/tests/random-test.mlw000066400000000000000000000002421440160026300203400ustar00rootroot00000000000000module Test

  use random.Random

  let test1 () =
    init 42;
    let x = random_int 10 in
    init 42;
    let y = random_int 10 in
    assert { x = y }

end

why3-1.6.0/examples/tests/regexp-test.why000066400000000000000000000004031440160026300203610ustar00rootroot00000000000000theory Test

  clone regexp.Regexp with type char = int

  lemma empty_is_empty: forall w: word. not (mem w Empty)

  constant a: int = 0
  constant b: int = 1
  constant c: int = 2

  goal G: mem (Cons a (Cons b Nil)) (Concat (Char a) (Star (Char b)))

end

why3-1.6.0/examples/tests/replay.mlw000066400000000000000000000001051440160026300173750ustar00rootroot00000000000000use int.Int

lemma l : (forall x. x + x = 2 * x) /\ (forall x. x = 0)why3-1.6.0/examples/tests/replay/000077500000000000000000000000001440160026300166605ustar00rootroot00000000000000why3-1.6.0/examples/tests/replay/why3session.xml000066400000000000000000000012361440160026300217020ustar00rootroot00000000000000






 
 
  
  
  
  
  
  
 
 



why3-1.6.0/examples/tests/stack-test.mlw000066400000000000000000000007241440160026300201720ustar00rootroot00000000000000
module Test

  use int.Int
  use list.List
  use stack.Stack

  let test0 () =
    let s = Stack.create () : Stack.t 'a in
    assert { s.elts = Nil };
    let b = Stack.is_empty s in
    assert { b = True };
    let n = Stack.length s in
    assert { n = 0 }

  let test1 () raises { Empty }
  = let s = Stack.create () in
    Stack.push 1 s;
    let x = Stack.top s in assert { x = 1 };
    Stack.push 2 s;
    let x = Stack.top s in assert { x = 2 };
    ()

end

why3-1.6.0/examples/tests/test_elim.mlw000066400000000000000000000010661440160026300200750ustar00rootroot00000000000000
module UnusedAbs

use int.Int
use int.Abs

let f (x:int) : int
  ensures { result > x }
  = x+1

end

module UnusedBV

use bv.BV32

let f (x:t) : t
  requires { ugt (1000:t) x }
  ensures { ugt result x }
  = add x (1:t)

end

module MatchPair

use int.Int

goal g :
  forall x:int.
  match (x,x+1) with (a,b) -> a < b end


end

module DefMatchPair

use int.Int

predicate f (x:int) =
  match (x,x+1) with (a,b) -> a < b end

goal g :
  forall x:int. f x

end


module Ref

use int.Int
use ref.Ref

let f (x: ref int) : int
  ensures { result > !x }
  = !x+1

end
why3-1.6.0/examples/tests/test_elim/000077500000000000000000000000001440160026300173515ustar00rootroot00000000000000why3-1.6.0/examples/tests/test_elim/why3session.xml000066400000000000000000000061441440160026300223760ustar00rootroot00000000000000







 
 
  
  
  
  
 
 


 
 
  
  
  
  
 
 


 
 
  
  
  
  
 
 


 
 
  
  
  
  
   
   
   
   
  
  
 
 
  
  
  
  
 
 


 
 
  
  
  
  
 
 
  
  
  
  
 
 



why3-1.6.0/examples/tests/test_elim/why3shapes.gz000066400000000000000000000006071440160026300220140ustar00rootroot00000000000000n1sKb;v*."ٱJW-oOf{IW=yǟW^.a[:lݲݮEض hc?2p~S7򒽁	zZ%Stui) Q\Le&F@N ZQJdja4ODSQNFE;XF@b4cb݌S\SFWsoT"D`{K@#%.J0P%5oCenaJʭϖ!iJ_ @ ,D@^	$+VN; 0)


type u = { a : bool; b : int }
predicate f (x : u) = match x with { a = a } -> a = True end /\ x.a = True
lemma L: f { a = True; b = 12 }
why3-1.6.0/examples/tests/test_projections/000077500000000000000000000000001440160026300207625ustar00rootroot00000000000000why3-1.6.0/examples/tests/test_projections/why3session.xml000066400000000000000000000013341440160026300240030ustar00rootroot00000000000000






 
 
 
 
 
 



why3-1.6.0/examples/tests/times2float.mlw000066400000000000000000000002661440160026300203420ustar00rootroot00000000000000

use ieee_float.Float32

let f (x: Float32.t) : Float32.t
   requires { lt (0.0:t) x /\ lt x (1000.0:t) }
   ensures  { not (eq (add RNE x x) result) }
 = mul RNE x (2.0:Float32.t)
why3-1.6.0/examples/tests/times2float/000077500000000000000000000000001440160026300176155ustar00rootroot00000000000000why3-1.6.0/examples/tests/times2float/why3session.xml000066400000000000000000000016021440160026300226340ustar00rootroot00000000000000








 
 
 
 
 



why3-1.6.0/examples/there_and_back_again.mlw000066400000000000000000000051411440160026300210140ustar00rootroot00000000000000
(* Two puzzles from Danvy and Goldberg's ``There and back again''
   http://www.brics.dk/RS/02/12/BRICS-RS-02-12.pdf‎
*)

(* Computing a symbolic convolution:
     Given two lists [x1 , x2 , ..., xn−1 , xn ] and
     [y1 , y2 , ..., yn−1 , yn ], where n is not known in advance,
     write a function that constructs
     [(x1 , yn ), (x2 , yn−1 ), ..., (xn−1 , y2 ), (xn , y1 )]
     in n recursive calls and with no auxiliary list.
*)

module Convolution

  use int.Int
  use list.List
  use list.Length
  use list.Append
  use list.Reverse
  use list.Combine

  let rec convolution_rec (x y: list 'a) : (list ('a, 'a), list 'a)
    variant  { x }
    requires { length x <= length y }
    ensures  { let r, ys = result in exists y0: list 'a.
               y = y0 ++ ys && length y0 = length x &&
               r = combine x (reverse y0) }
  = match x with
    | Nil ->
        Nil, y
    | Cons x0 xs ->
        match convolution_rec xs y with
        | r, Cons y0 ys -> Cons (x0, y0) r, ys
        | _ -> absurd end
    end

  let convolution (x y: list 'a) : list ('a, 'a)
    requires { length x = length y }
    ensures  { result = combine x (reverse y) }
  = let r, _ = convolution_rec x y in r

end

(* Detecting a palindrome:
     Given a list of length n, where n is not known in advance,
     determine whether this list is a palindrome in ceil(n/2) recursive
     calls and with no auxiliary list.
*)

module Palindrome

  use int.Int
  use option.Option
  use list.List
  use list.Length
  use list.Append
  use list.Nth
  use list.NthLength
  use list.NthLengthAppend

  predicate pal (x: list 'a) (n: int) =
    forall i: int. 0 <= i < n -> nth i x = nth (n - 1 - i) x

  exception Exit

  type elt
  val predicate eq (x y: elt)
    ensures { result <-> x = y }

  let rec palindrome_rec (x y: list elt): list elt
    requires { length x >= length y }
    variant { x }
    ensures { exists x0: list elt. length x0 = length y && x = x0 ++ result }
    ensures { pal x (length y) }
    raises  { Exit -> exists i: int. 0 <= i < length y &&
                      nth i x <> nth (length y - 1 - i) x }
  = match x, y with
    | _, Nil ->
        x
    | Cons _  xs, Cons _ Nil ->
        xs
    | Cons x0 xs, Cons _ (Cons _ ys) ->
        match palindrome_rec xs ys with
        | Cons x1 xs ->
            assert { nth (length y - 1) x = Some x1 };
            if eq x0 x1 then xs else raise Exit
        | Nil -> absurd
        end
    | _ -> absurd
    end

  let palindrome (x: list elt) : bool
    ensures { result=True <-> pal x (length x) }
  = match palindrome_rec x x with _ -> True
    | exception Exit -> False end

end
why3-1.6.0/examples/there_and_back_again/000077500000000000000000000000001440160026300202725ustar00rootroot00000000000000why3-1.6.0/examples/there_and_back_again/there_and_back_again_Palindrome_VC_palindrome_rec_1.v000066400000000000000000000047601440160026300325650ustar00rootroot00000000000000(* This file is generated by Why3's Coq driver *)
(* Beware! Only edit allowed sections below    *)
Require Import BuiltIn.
Require BuiltIn.
Require int.Int.
Require list.List.
Require list.Length.
Require list.Mem.
Require list.Nth.
Require option.Option.
Require list.NthLength.
Require list.Append.
Require list.NthLengthAppend.

(* Why3 assumption *)
Definition pal {a:Type} {a_WT:WhyType a} (x:Init.Datatypes.list a)
    (n:Numbers.BinNums.Z) : Prop :=
  forall (i:Numbers.BinNums.Z), (0%Z <= i)%Z /\ (i < n)%Z ->
  ((list.Nth.nth i x) = (list.Nth.nth ((n - 1%Z)%Z - i)%Z x)).

Axiom elt : Type.
Parameter elt_WhyType : WhyType elt.
Existing Instance elt_WhyType.

Parameter eq: elt -> elt -> Prop.

Axiom eq'spec : forall (x:elt) (y:elt), eq x y <-> (x = y).

(* Why3 goal *)
Theorem palindrome_rec'vc :
  forall (x:Init.Datatypes.list elt) (y:Init.Datatypes.list elt),
  ((list.Length.length y) <= (list.Length.length x))%Z ->
  forall (x1:elt) (x2:Init.Datatypes.list elt),
  (y = (Init.Datatypes.cons x1 x2)) ->
  forall (x3:elt) (x4:Init.Datatypes.list elt),
  (x2 = (Init.Datatypes.cons x3 x4)) ->
  forall (x5:elt) (x6:Init.Datatypes.list elt),
  (x = (Init.Datatypes.cons x5 x6)) ->
  (exists i:Numbers.BinNums.Z,
   ((0%Z <= i)%Z /\ (i < (list.Length.length x4))%Z) /\
   ~ ((list.Nth.nth i x6) =
      (list.Nth.nth (((list.Length.length x4) - 1%Z)%Z - i)%Z x6))) ->
  exists i:Numbers.BinNums.Z,
  ((0%Z <= i)%Z /\ (i < (list.Length.length y))%Z) /\
  ~ ((list.Nth.nth i x) =
     (list.Nth.nth (((list.Length.length y) - 1%Z)%Z - i)%Z x)).
Proof.
intros x y h1 x1 x2 h2 x3 x4 h3 x5 x6 h4 (i,(hi1,hi2)).
subst.
exists (i+1)%Z; intuition.
unfold Length.length. fold Length.length.
omega.
unfold Length.length in *. fold Length.length in *.
assert (Nth.nth (i+1) (x5 :: x6) = Nth.nth i x6).
  unfold Nth.nth; fold Nth.nth.
  generalize (Zeq_bool_eq (i+1) 0).
  destruct (Zeq_bool (i+1) 0).
  intuition.
  elimtype False.
  omega.
  intuition.
  replace (i+1-1)%Z with i by omega. auto.
replace (1 + (1 + Length.length x4) - 1 - (i + 1))%Z
         with (1 + Length.length x4 - 1 - i)%Z
  in H1 by omega.
assert (Nth.nth (1 + Length.length x4 - 1 - i) (x5 :: x6) =
        Nth.nth (Length.length x4 - 1 - i) x6).
    unfold Nth.nth; fold Nth.nth.
  generalize (Zeq_bool_eq (1 + Length.length x4 - 1 - i) 0).
    destruct (Zeq_bool (1 + Length.length x4 - 1 - i) 0).
  intuition; elimtype False; omega.
  intuition.
  replace (1 + Length.length x4 - 1 - i - 1)%Z with (Length.length x4 - 1 - i)%Z
  by omega; auto.
congruence.
Qed.
why3-1.6.0/examples/there_and_back_again/why3session.xml000066400000000000000000000102701440160026300233120ustar00rootroot00000000000000








 
 
  
  
  
  
  
  
  
  
  
  
  
  
 
 
 
 
 


 
 
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
 
 
 
 
 



why3-1.6.0/examples/there_and_back_again/why3shapes.gz000066400000000000000000000027011440160026300227320ustar00rootroot00000000000000WMoFW&(3]$CZ"ْwvEꠇDff߼7=ܹth?aުͯMvw7Kױ}g[_ܻn?rۯ);fbߧ#akrq٭~ɲ(\}m:=sCH=۷|BO[$9In}l=ٰ)HÞ
}j25N3G]فf8zS<0 b~Sq' bvX=!t0#0Tp`ăbŀl0T1̆EYO-:$pMͻ}K}mQ5XTv"KHt,xւuC\~ÂV`BAfz}{vi}ܩJ:NcN{q-Ԭ9,0+NPpнϓկ=oR'jrV-谢+8JzPC)4t>އ;!CI%T2HtR-ܟtZ,ۖχ+/ЯǕYx[x>C{7Krj:o|F]p^OHܦ=sr̞ĈǮz3Xѯ{ᭋ7!a毂7m={oW=I׎1@"PPtwAg7S_GPKϯ@$t*=gJK=ٳί?ð4FiTcMUUǧ5YQ)<5Zr,3qN|掩ȬOZ(a\o㞲8g|C=3(-D8j4LK$ːQ-Ϻ?
꙳'.3S3:~%	J-
p;CJ]FYMa,5G@n9heJdMQb2B$2,)
U˗%AO;.NfD5Z%&k$3i^{7A1Ȗ%%`RpJ0FA:zY9x1BE̎
Qx SCU1"ޑ3Xo-ܴD(MJ}T2tƇH10PG)tQ4
'a	$I5D.jf))XaZTT.FQ@ЪlC$a<:gƊaeh{QwQ؀I8ȶ(X)L+Nd=g8"%mDV&O>PYІnO4jHse
YS<9Bl&%&KJa1l v*eБP,Fwhy3-1.6.0/examples/three_idem_ring.mlw000066400000000000000000000110611440160026300200660ustar00rootroot00000000000000(** {1 Three idempotent rings are commutative }

Author: Quentin Garchery (LRI, Université Paris-Sud)
*)



(** {2 Definitions} *)

use int.Int

clone export algebra.Ring with
  axiom .

(** Define multiplication by an integer recursively *)
let rec ghost function mul (x : t) (n : int) : t
  requires { n >= 0 }
  variant { n }
=
  if n = 0 then pure{zero} else let r = mul x (n-1) in pure {x + r}

(** We get lemmas from the why3 library *)
clone int.Exponentiation with type t = t,
  constant one = zero, function ( * ) = (+), function power = mul,
  lemma .


(** {2 General results about rings} *)

(** First results : *)

lemma simpl_left :
  forall x y z. x + y = x + z -> y = z
  by (-x) + (x + y) = (-x) + (x + z)

lemma simpl_right :
  forall x y z. y + x = z + x -> y = z
  by y + x + (-x) = z + x + (-x)

lemma zero_star_l :
  forall x. zero * x = zero

lemma zero_star_r :
  forall x. x * zero = zero

lemma neg_star_r :
  forall x y. x * (-y) = - (x * y)
  by x * y + x * (-y) = x * y + (- (x * y))

lemma neg_star_l :
  forall x y. (-x) * y = - (x * y)
  by x * y + (-x) * y = x * y + (- (x * y))

lemma neg_neg :
  forall x. - (- x) = x

(** Lemmas about nullable elements : *)

predicate null (x : t) (n : int) = mul x n = zero

lemma null_add :
  forall x x' n. 0 <= n -> null x n -> null x' n -> null (x + x') n

let rec lemma mul_star_l (x y : t) (n : int)
  requires { 0 <= n }
  variant { n }
  ensures { mul (x * y) n = (mul x n) * y }
=
  if n <> 0 then mul_star_l x y (n-1)

let rec lemma mul_star_r (x y : t) (n : int)
  requires { 0 <= n }
  variant { n }
  ensures { mul (x * y) n = x * (mul y n) }
=
  if n <> 0 then mul_star_r x y (n-1)

lemma null_star_l :
  forall x y n. 0 <= n -> null x n -> null (x * y) n

lemma null_star_r :
  forall x y n. 0 <= n -> null y n -> null (x * y) n

lemma null_mul_congr :
  forall x k km. k > 0 -> km > 0 -> null x k -> mul x (Int.(+) km k) = mul x km


(** {2 ThreeIdem axiom specific results} *)

(** We now add the following axiom and want to prove the commutative property : *)

axiom ThreeIdem : forall x. x * x * x = x

(** Split the problem in two :
one where the ring has characteritic 2
and another where the ring has characteristic 3 *)

(** First show that the characteristic of the ring divides 6 ... *)
lemma all_null6 :
  forall x. null x 6
  by (x + x) * (x + x) * (x + x) = mul (x * x * x) 8
  so mul x 8 = zero + x + x /\ mul x 8 = mul x 6 + x + x

(** ... use it to show we can split the problem in two ...*)
lemma all_split :
  forall x. (exists y z. x = y + z /\ null y 2 /\ null z 3)
  by let y = mul x 3 in
     let z = mul (-x) 2 in
     x = y + z /\ null y 2 /\ null z 3

(** ... and show that the two problems are independent *)
lemma free_split :
  forall x. null x 2 -> null x 3 -> x = zero

(** Show the commutative property in characteristic 2 : *)

lemma null_2_idem :
  forall x. null x 2 -> x * x = x
  by (x + x * x) * (x + x * x) = zero
  so (x + x * x) * (x + x * x) * (x + x * x) = zero
  so x + x * x = zero

lemma null2_comm :
  forall x y. null x 2 -> null y 2 -> x * y = y * x
  by (x + y) * (x + y) = x * x + y * y + x * y + y * x
  so x + y = x + y + x * y + y * x

(** Show the commutative property in characteristic 3 : *)

lemma swap_equality :
  forall x y. null x 3 -> null y 3 ->
              y * y * x + y * x * y + x * y * y = zero
  by (forall x y. y * y * x + y * x * y + x * y * y +
                  x * x * y + x * y * x + y * x * x = zero
     by ((x + y) * (x + y) * (x + y) = x * x * x + y * y * y + y * y * x +
         y * x * y + x * y * y + x * x * y + x * y * x + y * x * x
     so x + y + zero = x + y + (y * y * x +
        y * x * y + x * y * y + x * x * y + x * y * x + y * x * x)))
  so y * y * x + y * x * y + x * y * y + x * x * y + x * y * x + y * x * x = zero
  so (y * y * x + y * x * y + x * y * y +
      (- (x * x * y)) + (- (x * y * x)) + (- (y * x * x)) = zero
     by (-y) * (-y) * x + (-y) * x * (-y) + x * (-y) * (-y) +
        x * x * (-y) + x * (-y) * x + (-y) * x * x = zero)
  so mul (y * y * x) 2 + mul (y * x * y) 2 + mul (x * y * y) 2 = zero
  so mul (y * y * x) 4 + mul (y * x * y) 4 + mul (x * y * y) 4 = zero

lemma null3_comm :
  forall x y. null x 3 -> null y 3 -> x * y = y * x
  by y * x + y * y * x * y + y * x * y * y = x * y + y * y * x * y + y * x * y * y

(** Finally, combine the previous results to show the commutative property. *)

lemma commutative :
  forall x y. x * y = y * x
  by exists x2 x3 y2 y3. x = x2 + x3 /\ y = y2 + y3 /\ null x2 2 /\ null y2 2 /\
                         null x3 3 /\ null y3 3
  so x2 * y3 = zero /\ y3 * x2 = zero /\ x3 * y2 = zero /\ y2 * x3 = zero

why3-1.6.0/examples/three_idem_ring/000077500000000000000000000000001440160026300173465ustar00rootroot00000000000000why3-1.6.0/examples/three_idem_ring/why3session.xml000066400000000000000000000166121440160026300223740ustar00rootroot00000000000000








 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
  
  
  
  
  
  
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
  
  
  
  
  
  
  
  
  
  
  
  
 
 
 
 
  
  
  
  
  
  
  
  
  
  
  
  
 
 
 
 
 
 
 
 
 
 
 
 
 
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
 
 
 
 
  
  
  
  
  
  
 
 
 
 
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
 
 



why3-1.6.0/examples/three_idem_ring/why3shapes.gz000066400000000000000000000055271440160026300220170ustar00rootroot00000000000000Zn}W1 B0_
o0h14]dX/~.W>~zӏ;7=eLlo|A]g쬆@-ګYϺvvxv"\~&tE·C7Sx&׍z3IӨ!>vuǫY$^=*5z%Wx}>🏿Ev|4ly|8{xC1oX6>щMBWoy[&$&Yv=s}V~J闌2rY9fu'u۔wi.=DtͲDH$FY$co33P#7c7BnMV"Heƺ&YMM&6 N[YѬ⭱o.^\tzVjVWܴ)C3D[_v<:VviՋ|	+"-e4υݙl2n+Y֨]]lqY 9mᴙSt/vņC?1dč%Hnk;-^-EJ2bFb4d`WnFi>9||۸GS#;`nsjb޶oì!mAJj~چqo_6b7֮fvg~b5t7[²m7[\X0KF˖,\
n|Ye>:\m{M
]P;[`d֨+]uOGU;{຃>6etB}IԷ|rj5[B$_yڸv蛑M]ff1&crv'aY^G7R.i3<UoӷSMކbʋ齦+Jrdz!WwAOᖾM@˧1|6fp_s@K!(
'	\?;?h<՜aƉ?N6"
sxXS;CF{{C|5]wICKxt~۪;m՝oYPF
[`Cut-r";'+Nj+c9tH_mmF[wگ}]
呹9ichY.!~͞DNcdi8ズ^?:׽#78BvTg/ ɋ`8htg*l,ae^l}CՖɭ$rkm	-ެAR(v%XJn䁷bjКEcry[?FV9Xce&$MRL'ryU+Ug*c'gVR?E8eCdNYIH.LtoXR͈	D^KJR-d>T	{q9˪tBD48}EB̧96s&>(8}!إ#ZcW?,}\ѺTs{^WèQ{wfiRE{$<3L2Q{Ĝ%eedlBܛ9#wI/LjmaŒ
%8g70k#L/D$1EEع%+ܪ\l>'9mbv,q8sU!j5UבqBlkT!R
JWbZ50mfgff ek,&Bއ6 (S.mem x (vertices g) /\ S.mem y (vertices g))

  (** direct predecessors *)
  function preds graph vertex: S.fset vertex

  axiom preds_def:  forall g:graph. forall v:vertex. forall u:vertex.
   S.mem (u,v) (edges g) <-> S.mem u (preds g v)

  (** direct successors *)
  function succs graph vertex: S.fset vertex
  axiom succs_def:  forall g:graph. forall v:vertex. forall u:vertex.
   S.mem (u,v) (edges g) <-> S.mem v (succs g u)

  type msort = M.map vertex int

  predicate sort (g: graph) (m:msort) =
    forall v:vertex. forall u:vertex.
    S.mem (u,v) (edges g) ->
    (M.get m u) < (M.get m v)

end

module ImpmapNoDom

  use map.Map
  use map.Const

  type key

  type t 'a = abstract { mutable contents: map key 'a }

  val function create (x: 'a): t 'a
    ensures { result.contents = const x }

  val function ([]) (m: t 'a) (k: key): 'a
    ensures { result = m.contents[k] }

  val ghost function ([<-]) (m: t 'a) (k: key) (v: 'a): t 'a
    ensures { result.contents = m.contents[k <- v] }

  val ([]<-) (m: t 'a) (k: key) (v: 'a): unit
    writes { m }
    ensures { m = (old m)[k <- v] }

end

(** static topological sorting by depth-first search *)
module Static

  use ref.Ref
  use Graph
  use set.Fset as Fset

  clone set.SetImp as S with type elt = vertex
  clone set.SetApp as SA with type elt = vertex
  clone ImpmapNoDom with type key = vertex

  val ghost function defined_sort (m: t int): Fset.fset vertex
    ensures { forall v: vertex [Fset.mem v result].
              Fset.mem v result <-> 0 <= m[v] }

  val get_preds (g: graph) (v: vertex): S.set
    ensures { result.S.to_fset = preds g v }

  val get_vertices (g: graph): S.set
    ensures { result.S.to_fset = vertices g }

  predicate partial_sort (g: graph) (m: t int) =
    forall v:vertex. forall u:vertex.
    Fset.mem (u,v) (edges g) -> 0 <= m[v] -> 0 <= m[u] < m[v]

  exception Cycle_found

  predicate inv (g: graph) (m: t int) (next: int) =
    Fset.subset (defined_sort m) (vertices g) &&
    0 <= next &&
    partial_sort g m &&
    forall v:vertex. Fset.mem v (defined_sort m) -> m[v] < next

  let rec dfs (g: graph) (v: vertex) (seen: SA.set) (values: t int) (next: ref int): unit
    requires { inv g values !next }
    requires { Fset.mem v (vertices g) }
    requires { Fset.subset seen.SA.to_fset (vertices g) }
    variant { Fset.cardinal (vertices g) - SA.cardinal seen }
    ensures { Fset.subset (defined_sort (old values)) (defined_sort values) }
    ensures { 0 <= values[v] <= !next}
    ensures { inv g values !next }
    ensures { forall x:vertex. SA.mem x seen -> old values[x] = values[x] }
    raises  { Cycle_found -> true }
  =
    if SA.mem v seen then raise Cycle_found;
    if values[v] < 0 then begin
      let p = get_preds g v in
      let seen = SA.add v seen in
      while not (S.is_empty p) do
        invariant { inv g values !next }
        invariant { Fset.subset (Fset.diff (preds g v) p.S.to_fset) (defined_sort values) }
        invariant { Fset.subset (defined_sort (old values)) (defined_sort values) }
        invariant { Fset.subset p.S.to_fset (preds g v) }
        invariant { forall x:vertex. SA.mem x seen -> values[x] = old values[x] }
        variant { S.cardinal p }
        let u = S.choose_and_remove p in
        dfs g u seen values next
      done;
      values[v] <- !next;
      next := !next + 1
    end

  let topo_order (g:graph): t int
    raises  { Cycle_found -> true }
    ensures { sort g result.contents }
  =
    let next = ref 0 in
    let values = create (-1) in
    let p = get_vertices g in
    while not (S.is_empty p) do
      invariant { inv g values !next }
      invariant { Fset.subset p.S.to_fset (vertices g) }
      invariant { Fset.subset (Fset.diff (vertices g) p.S.to_fset) (defined_sort values) }
      variant { S.cardinal p }
      let u = S.choose_and_remove p in
      dfs g u (SA.empty ()) values next
    done;
    values

end

module Online_graph
  use export Graph

  val function add_edge (g: graph) (u v: vertex): graph
    ensures { forall x.
      preds result x = if x = v then S.add u (preds g v) else preds g x }
    ensures { forall x.
      succs result x = if x = u then S.add v (succs g u) else succs g x }

end

(**
A New Approach to Incremental Topological Ordering
   Michael A. Bender, Jeremy T. Fineman, Seth Gilbert
*)
module Online_Basic

  use ref.Ref
  use Online_graph
  use set.Fset

  clone set.SetImp as S with type elt = vertex
  clone set.SetApp as SA with type elt = vertex
  clone import ImpmapNoDom as M with type key = vertex

  val get_succs (g: graph) (v: vertex): S.set
    ensures { result.S.to_fset = succs g v }

  exception Cycle_found

  type t = {
    mutable graph : graph;
    mutable values: M.t int;
  }

  predicate inv (g:t) = sort g.graph g.values.contents

  let create (g: graph): t
     requires { forall x: vertex. Fset.is_empty (preds g x) }
     ensures  { result.graph = g }
     ensures  { inv result }
  = { graph = g; values = create 0 }

  let rec dfs (g: t) (v: vertex) (seen: SA.set) (min_depth: int): unit
    requires { inv g }
    requires { Fset.mem v (vertices g.graph) }
    requires { Fset.subset seen.SA.to_fset (vertices g.graph) }
    raises  { Cycle_found -> true }
    variant { Fset.cardinal (vertices g.graph) - SA.cardinal seen }
    ensures { min_depth <= g.values[v] }
    ensures { inv g }
    ensures { forall x:vertex. SA.mem x seen -> g.values[x] = old g.values[x] }
    ensures { forall x:vertex. old g.values[x] <= g.values[x] }
  =
    if SA.mem v seen then raise Cycle_found;
    if g.values[v] < min_depth then begin
      let p = get_succs g.graph v in
      let seen = SA.add v seen in
      while not (S.is_empty p) do
        invariant { inv g }
        invariant { forall s:vertex. Fset.mem s (succs g.graph v) -> not (S.mem s p) -> min_depth < g.values[s] }
        invariant { S.subset p.S.to_fset (succs g.graph v) }
        invariant { forall x:vertex. SA.mem x seen -> g.values[x] = old g.values[x] }
        invariant { forall x:vertex. old g.values[x] <= g.values[x] }
        variant { S.cardinal p }
        let u = S.choose_and_remove p in
        dfs g u seen (min_depth + 1)
      done;
      g.values[v] <- min_depth;
    end

  let add_edge (g: t) (x y: vertex): unit
    requires { inv g }
    requires { Fset.mem x (vertices g.graph) }
    requires { Fset.mem y (vertices g.graph) }
    ensures  { inv g }
    ensures  { g.graph = add_edge (old g.graph) x y }
    raises   { Cycle_found -> true }
  =
    let seen = SA.empty () in
    let seen = SA.add x seen in
    dfs g y seen (g.values[x] + 1);
    g.graph <- add_edge g.graph x y

end
why3-1.6.0/examples/topological_sorting/000077500000000000000000000000001440160026300203035ustar00rootroot00000000000000why3-1.6.0/examples/topological_sorting/why3session.xml000066400000000000000000000354601440160026300233330ustar00rootroot00000000000000








 
 
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
   
   
   
  
  
  
  
  
  
  
  
  
  
  
  
  
   
   
    
    
    
    
    
    
    
    
     
     
     
    
    
    
    
    
   
   
  
  
  
  
  
 
 
 
 
  
  
   
   
    
    
    
    
    
    
    
    
    
    
    
    
   
   
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
 
 


 
 
  
  
  
  
  
  
 
 
 
 
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
   
   
   
   
   
   
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
 
 
 
 
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
 
 



why3-1.6.0/examples/topological_sorting/why3shapes.gz000066400000000000000000000133061440160026300227460ustar00rootroot00000000000000]]oܸ}ϯXٗ~9cL=-R$`$HVSUHvq{/>Ļwy.ow~nN@?t@wv~`rp!{w.xÁqX&Bu(QQ@(*!wq`Ϝ~,Ow~wĭ*y?܄xjݼ_|bMt3+087́M։nPx`~8MyoY
CSbS1wq/
g{@jN/D°ano_઻qÛ&e0[-B,z^mź_; @0zڸn+2	3Un@͹,3JG9YRWO3WcOe&]LuuW!zt?)pqmU?lVw/}Ksf~8y*5JMRUUa<^btoj3uhwhОA(~%nww^X\o7x'H(u[)ttBfcnCEPbh1vv>PӬӬ>\E7N=fe ƾ~V2Ⱥ'?\\\~\3fB,_tl9Wׁi@:?Ve9nj	
?BYM5OrzNarc#|ut|cW/x=?/e>w?M2U*q`^<}\yCi7.7ezzY`s9>c
OkE9(#û|儗-@Wȓ>
y
:z"OgQęVoŝ{B_?U,-usKQ,kuZDoәlqE뿲.Ő8n×iùJ>a|8"_wՖ_aݣgBWPz: IzS);
҆N6jl8= AȪ5w{vrC_W翺ɷM.O_`?]e7K22+!I*zͶjz\7LZ^$7'բ'Yfq&M>Z.$=Ly&M4SfL)$]NLZjc6_x;ar쮜rX002H7:m:+=H:v}MGE	1eK3klۓDʳRsk	(_}Kb~I)"%!*L::-R*W[zcSSfpvԲ]^r"q&;ÿBS=[>qZϷwCg'yJw6S~1
21&E'_"l8B8Ko-7&f/nFYK'loLjR#E,.Z@\.ev/jӪ1A
&sn˸I19؝ӫfV-qv4ga[D/D\&|&:AsԜ:Q3Ώٲ,Ӳs6
rqEMGeKˎ̈́:ӴgY髃iiᎊ͔wthtǀMLI-ϖV~oʹ9}f3)֒.rv|97XuznR8^V<yas~G^,m		{'O!|#xueHӧroD}P͏|}r[}>}Uc7[BƓn<˧w{5/dCii63zn,яlPL'	z±(?yyDOYM)T6wv^Wc~blPޔShd:nΗd6-XwML^О9#A ;^8[þ@Q(/([ۤckD .3vYN,:U9N&r|juiܳN}=h-ݾ-?y-5fo_["j
F1nl|ᢂh2;r|Q/<_>BEo^^^/^wVvVvVnO03		`B* ;5:5ojV-tuuG gl`-9Bk>zn[v'Ӗӹ@6˧t5W|9ΧIuY&<.ȊҢOYYYrXYٛIfbuMLOUضqKlA7|bәtMlډ]sw_M-A
,{гk?a=FÕ39vPaeTO+~șO,WYo~c~~~/y7b9B4L[~Kl>iwa{<$F;/7yD,硿r|ҙəڙ̿y,(gk-.deZihM2[/}?EyY'lܡ"9]hTO.7G,^hE7=Xz.ĒX>_y-+-_]77!
{l'5[WsIjC=7gSyG^=MNWVј5ј1BјUXLU3o}j`8Z,[-YeH{nAuHͷC|juI;mo0ZeU?"tUzı&+⌡ V3qu$'Nn/js˧өܷ*o{:<7/[LOLWm\vFv$jtk0kȫD
bD:﷫K/Q17mH?WNn([[a{֬4yv8.Ơu(/GDyoR=B՗〺ŞJ7(Suq<{\DO+
kۑ=σj̟07j.'OPo
s:"<"O;Z~1?o}1}::z5\uy]z]7jO>y&⽶f`nH3%.)S;;c;#oHe	MlB$Z[0V&hE`4):%;$2Q
mjU1eJ!䠣'cDQoBAEFyG(S|R'jtu7B$MŔaZi7"$H
B FaL=$/84Olp!:t?=
!&6IPm5kX
ȱ8uZAFĘh4Qf"0zŬCP~XI9Ϊ6pʔOi
::Bڐu]@Wj:;8e՜zIgMr-B-hQQb0DI4OǠrLkaީ44O
G-ђȋZҁ9,j:P42@Bٝi)gwBD]́CGBBBx܀hFYn.9)xD
*5p<*=C"DTptk\j	RBSEoHӈh{:/tj1@>%t)U,h`Ӂ&#R'|&Fa9Ezp'$PWq!5H7ITim"p;SV|"h@ր#$Jm>060Dw*R"A|I)kZ;AXDS>(faraa׬r*x\EYC(UReZ;Ŕ]">[&
PXEi;C£9)jК	LR{	KZ`e3- repX@A
	tbfi!U܋$4rZB/,YRwN0+et	XY1Mq2$`
>xm?(§H^"'@4GYݲ8 c@,(qfA+hͲGlb#u>.-9<#T`::vK*"Gn)K6nE.ۨ
p	:Bb!2!ࣈC,q'ȶИ#K" ?\uVyI-qoѵrh5^曭MitJR"EKQL%q'vN![`HPVW)^.'@P Cר$ ktg<)G	y8x\#hTX|4CI0!hfq l\9sv P2YGc"] 0

  axiom f_range: forall x. 0 <= x < m -> 0 <= f x < m

  (* given some initial value x0 *)
  val constant x0: int
    ensures { 0 <= result < m }

  (* we can build the infinite sequence defined by x{i+1} = f(xi) *)
  function x (i: int): int = iter f i x0

  let rec lemma x_in_range (n: int)
    requires { 0 <= n } ensures { 0 <= x n < m }
    variant  { n }
  = if n > 0 then x_in_range (n - 1)

  (* First, we prove the existence of mu and lambda, with a ghost program.
     Starting with x0, we repeatedly apply f, storing the elements in
     a sequence, until we find a repetition. *)
  let ghost periodicity () : (mu:int, lambda:int)
    ensures { 0 <= mu < m /\ 1 <= lambda <= m /\ mu + lambda <= m /\
              x (mu + lambda) = x mu }
    ensures { forall i j. 0 <= i < j < mu + lambda -> x i <> x j }
  = let s = ref (singleton x0) in
    let cur = ref x0 in
    for k = 1 to m do
      invariant { 1 <= length !s = k <= m /\ !cur = !s[length !s - 1] }
      invariant { forall i. 0 <= i < length !s -> !s[i] = x i }
      invariant { distinct !s }
      cur := f !cur;
      (* look for a repetition *)
      for mu = 0 to length !s - 1 do
        invariant { forall i. 0 <= i < mu -> !s[i] <> !cur }
        if !cur = !s[mu] then return (mu, length !s - mu)
      done;
      s := snoc !s !cur;
      if k = m then pigeonhole (m+1) m (pure { fun i -> !s[i] })
    done;
    absurd

  (* Then we can state the condition for two elements to be equal. *)
  let lemma equality (mu lambda: int)
    requires { 0 <= mu < m /\ 1 <= lambda <= m /\ mu + lambda <= m /\
               x (mu + lambda) = x mu }
    requires { forall i j. 0 <= i < j < mu + lambda -> x i <> x j }
    ensures  { forall r n. r > n >= 0 ->
               x r = x n <-> n >= mu /\ exists k. k >= 1 /\ r-n = k*lambda }
  = let rec lemma plus_lambda (n: int) variant { n }
      requires { mu <= n }
      ensures  { x (n + lambda) = x n } =
      if n > mu then plus_lambda (n - 1) in
    let rec lemma plus_lambdas (n k: int) variant { k }
      requires { mu <= n } requires { 0 <= k }
      ensures  { x (n + k * lambda) = x n } =
      if k > 0 then begin
        plus_lambdas n (k - 1); plus_lambda (n + (k - 1) * lambda) end in
    let decomp (i: int) : (qi:int, mi:int)
      requires { i >= mu }
      ensures  { i = mu + qi * lambda + mi && qi >= 0 &&
                 0 <= mi < lambda && x i = x (mu + mi) } =
      let qi = div (i - mu) lambda in
      let mi = mod (i - mu) lambda in
      plus_lambdas (mu + mi) qi;
      qi, mi in
    let lemma equ (r n: int)
      requires { r > n >= 0 } requires { x r = x n }
      ensures  { n >= mu /\ exists k. k >= 1 /\ r-n = k*lambda } =
      if n < mu then (if r >= mu then let _ = decomp r in absurd)
      else begin
        let qr,mr = decomp r in let qn, mn = decomp n in
        assert { mr = mn };
        assert { r-n = (qr-qn) * lambda }
      end in
    ()

  (* Finally, we implement the tortoise and hare algorithm that computes
     the values of mu and lambda in time O(mu+lambda) and constant space *)
  let tortoise_and_hare () : (mu:int, lambda:int)
    ensures { 0 <= mu < m /\ 1 <= lambda <= m /\ mu + lambda <= m /\
              x (mu + lambda) = x mu }
    ensures { forall i j. 0 <= i < j < mu + lambda -> x i <> x j }
  = [@vc:do_not_keep_trace] (* traceability info breaks the proofs *)
    let mu, lambda = periodicity () in
    equality mu lambda;
    (* the first loop implements the tortoise and hare,
       and finds the smallest n >= 1 such that x n = x (2n), in O(mu+lambda) *)
    let tortoise = ref (f x0) in
    let hare = ref (f (f x0)) in
    let n = ref 1 in
    while !tortoise <> !hare do
      invariant {
        1 <= !n <= mu+lambda /\ !tortoise = x !n /\ !hare = x (2 * !n) /\
        forall i. 1 <= i < !n -> x i <> x (2*i) }
      variant { mu + lambda - !n }
      tortoise := f !tortoise;
      hare     := f (f !hare);
      incr n;
      if !n > mu + lambda then begin
        let m = lambda - mod mu lambda in
        let i = mu + m in
        assert { 2*i - i = (div mu lambda + 1) * lambda };
        absurd
      end
    done;
    let n = !n in
    assert { n >= mu };
    assert { exists k. k >= 1 /\ n = k * lambda >= 1 };
    assert { forall j. j >= mu -> x j = x (j + n) };
    let xn = !tortoise in
    (* then a second loop finds mu and lambda, in O(mu) *)
    let i   = ref 0  in
    let xi  = ref x0 in (* = x i     *)
    let xni = ref xn in (* = x (n+i) *)
    let lam = ref 0  in (* 0 or lambda *)
    while !xi <> !xni do
      invariant { 0 <= !i <= mu }
      invariant { !xi = x !i /\ !xni = x (n + !i) }
      invariant { forall j. 0 <= j < !i -> x j <> x (n + j) }
      invariant { if !lam = 0 then forall j. 0 < j < !i -> x (n + j) <> x n
                  else !lam = lambda }
      variant   { mu - !i }
      if !lam = 0 && !i > 0 && !xni = xn then lam := !i;
      xi  := f !xi;
      xni := f !xni;
      incr i;
    done;
    let m = !i in
    assert { m = mu };
    let l = if !lam = 0 then n else !lam in
    assert { l = lambda };
    m, l

end
why3-1.6.0/examples/tortoise_and_hare/000077500000000000000000000000001440160026300177135ustar00rootroot00000000000000why3-1.6.0/examples/tortoise_and_hare/why3session.xml000066400000000000000000000575321440160026300227470ustar00rootroot00000000000000














 
 
 
 
 
 
 
 
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
 
 
 
 
  
  
  
  
  
  
  
  
   
   
   
   
   
   
  
  
  
  
  
  
  
  
  
  
  
  
  
   
   
   
   
   
   
  
  
  
  
   
   
   
   
   
   
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
   
   
   
   
   
   
   
   
    
    
    
    
    
    
   
   
  
  
 
 
 
 
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
  
  
  
  
  
  
  
   
   
   
  
  
  
  
   
   
    
    
     
     
     
    
    
    
    
    
   
   
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
   
   
   
   
   
    
    
    
    
    
     
     
      
      
      
      
      
       
       
        
        
        
        
        
         
         
         
         
         
          
          
          
          
          
           
           
            
            
            
            
            
            
           
           
           
           
           
          
          
         
         
        
        
       
       
      
      
     
     
    
    
   
   
  
  
  
  
   
   
    
    
    
    
    
    
   
   
   
   
   
  
  
  
  
   
   
   
   
   
   
  
  
  
  
   
   
   
   
   
   
  
  
  
  
  
  
  
  
  
  
   
   
   
  
  
  
  
   
   
    
    
     
     
      
      
      
      
      
       
       
        
        
        
       
       
       
       
       
      
      
     
     
     
     
     
    
    
    
    
     
     
      
      
      
      
      
      
     
     
    
    
   
   
   
   
   
  
  
  
  
  
  
  
  
 
 



why3-1.6.0/examples/tortoise_and_hare/why3shapes.gz000066400000000000000000000160201440160026300223520ustar00rootroot00000000000000[n9}Wt0}h#\Pˠ^
-K
dnU*ْk[L&F SZSxvy	`7t8~aawYȖf=9XztD7dYq`5.]iRkxޟb\<+ҨS>PePDzgj1w1}Ӥ}s(E
$f@^L\AKis]SmPA+wMikn7tysOȧf7~)6!W}*_q8c
hf|'0jIn÷EUǮ|ٟZ}a;ä6,?Aƀߘ5>9;CB[otP2a{2c/Oy7%9-Vd&-c;=&7~ ]e0I~8,=qrP6~sd@yH|AA#K݈k{2t_nn<e-Rn6\ZD \.##|asU[qˇqutG~&ˍi^0#%(I6$uZEp?Z(/-B:EdHFjSߙds_o=d/RmL%F6"moi-3	=	{1-yhDB\9]9hbp:<n|QpIyv\ʳ+Cqb;,]d=$CC+qsThp65$.)jp8~V^]MKj>|;˫ɹ^C
-DoO6DoE&zGE');݂{q\mrŠ۔BX*YuYLζ`?|0m`7цBr~)|p~KY{3~^Wz,|mPNx~gx|Be?/hŒ
GS]DdsBI\ct6z#ZV",QSZ-4t:O6yK'T\vًcAPj*DkB])րJMІw)m^HA遑豑^=w;=5c3=Eﯺ7hk75xArI<p'fDO[%x}1)z&lӼhQtּ1@=L)Z_mʎ(Cr3(]o%jVGfR&%]b8J,a	$|AKkڶk
(j8lTs{_ji]BۿPc$P@cQDEʎOuS XI/QiCt!.N7ϗeXy)h#v\y-6ߦ=Emev[ MqYlӛ]	\ﯮ[,!%&U3Kt00ޏysG2E?Tod>%O_UūCt[:Ǝ7Ak߉?U
m1~jƉzM0XoTv쯛ɞb}~[IW'M4СHWn&u8ht͈fo1oN-6ٞ~gf17mfoތ3kzy3:]0l?aGx8
z40b:}/y6tOi77
iNe]n/nH#^|5Z	F
E]^Rn;04lϲm:{5-<;פN"'Rd4Ψ=ӖԶU=u
"е'~5Uy{BQg~TC;vgKji/Nivj۫KnXԶ5{lbG͏;lvv
Ϝڔdރo!VrP[h1	-fB軇i(ɍWm<\)7)Ӿ{$U:Z9z(}6g-X[{A(gż9.O|>o=R"$-D~,DnH8S`z1?c!&DD3g6Kݷ4`=Qx"nsiR`}jxJ:8ol:F'35>nx
gA
sdʍYkxCPSC)N
WFD?m=խB
/9(LJ~(E	zcւP'M==tx;WJ(~н{8ɧHTʝPχ֢OO]Z
/8؎Si-MlJ?ӞSq}*Tlx݌!do[^JEKaj}A_w;$RMZe'49wcfTwޠ&N6fr8qm	|ǒ|fMÜYBi"sqm't[l=.C!c!ĸo2a_jpm4,
bNkQn%bLT*s,e!<3%`.ʬZkY.Eam	
L+cƬ=8)*gSRVgDrxlL|!_sk7ѸDuNUJ+o<1\j͘`be<_ƍFm횛cLl3[ V]O<T6d2DrO[lZLRD`z ڛGP$DE;ji##OzqC")5;iT!0Xƿlʍ`Q
\,ieLWWdW)j`^shhS
j-*C6Lx!uZNO?GMʔV*6^[dcMH+~#rUܙp6rUH}݋,	ngUbrc-*~D:EdH*eHRq*2ߑ^L[1bFO@
&Ơ6>	NUTET]q3J&HŚ- \Ց{rLҍLj8d[Da>"9d`{ƛspPM2A $DU;m7~AټĀ)dY4ͺQVJJX7/^Ve_E5˘/+[uMt·?w`1UhU,U|gN,=
\-J_rsȫsߙ+B>h'e#mAVߙk)%:9\dE|Cܨ+i,3,F墈t̬قX+hLRɢBz(&:a#xADQhC_D-N@U6AþCQu6+-B'zhJ
<UL2H;$$/JX/+mG;obbQ]ca)X!_4؂&F1 QQ$pqJYSYq87T"AdeXʡ(f	ǢjkEY$:_'pm;GDJD\POښ`Ep$@QUP4!.2R=jhtJİ|XkO{Aȁb܁A,YbM2Xm	Aщe$NxaAxCyKiDRx)dN2 `欲QZGM)<4	 `Aw}XYڦFBb-lpiR].EXXEεA6rBWXRa'"*ȫL
=^u$\R
 'K6PO\wn|`hx쥱&=)֠{
5hm
޿ ϊ^<N94IG`2N?1(KbZNJ`)>
Ѧ0GgUJt;s_"3(}
ۨNX| w"`?r9 1`nE	w5
pkX;B~A,Hn&j\L_Oh`r.i;}v`%U1zws6n(XרIgl:%fz lOC$R=Ad`vybŏ
aGO,9d%j_>M@IOY>d<1,bX>ٝf'E퉷nO|@YZO<`Lh䧕ʉfu}yu)ȟ"x䛼9㍿~}wb-K\7
iͺ=}?@/<ۯA=x/wT۽
Vw9uq!ۇvy_&x3M'lfYa_nibFX%W*vo	txVj,{u;Bq9_orJ{J?Тo׋^ʎ]_3Na{܎j{_&OeRu{N}wN5D0ݐj?nZkc6Su4[f;
ysm]iW;t߁M펑rwۗӕbhsKVz^>o<9pFMvn>[!ӗf"4Oayoh^h0U"5-gLDaj\Wkj9} _ԏ:u@{,/㦮DpGφ,|ձo
Ώq!&sǡkX'7l	_RNBqDmP75^-kk"ZihK}ȯۉI4l`:1-RwPwhDa3Ba\]Ȇ@~KdϦG9Wt10+ANv'7JN$aIv-~HZ+nlט+׳c`.7_~T	ؿ@>sM$ḣy玦;f{n|y։ZK-ĵמ;>*1/~ݙ]aMۛGUqw̉n;醣/gMo7»^U]x9޾.}z(b,|pTxOHf3-rm0WwFG5]_{ٻ>fB"_vC'AnbC/-Iۦ$tl<_saka6Q`k01_޲;3WaL*Z"Mq	gdS2(ι
VBtΌFh()=MrAąA]:kpRI:B_njBnvpH=2[
SMs>vK3UƼip")TJ(39ת2K2ŨR1B<08DX
&`yrCٸXIv#.0ngŚI(r,')UY_s%rbp^I- {A#*)ϴ,9nJL&dGЌ]76kJږbȒ	8d1(,1ޕ \XH4
Yy|2/v!ِh}"	q)%$2!t.9a+3nLZ9Jz=颍yQfq,*OJ^feAMW@
-rYc
VW"&mT~QcU]2ig)")V.c2+X$GnH%fcKf,3/	=S|!1Ȗu21[rLXOpYbQbF
D;lq4WT*NJ-A!kc>$S!7LPBÅQT>
D݂	VTg(g[v":03X0 1)-"S^cr2AUìp>#F`"L$CTЙT`b-QVE"@^u\ cʌ%f)x U1\4W"BJ.d*"ku8<#+@-'<7 n
    | Plus e1 e2 -> eval_expr e1 + eval_expr e2
    | Minus e1 e2 -> eval_expr e1 - eval_expr e2
    | Mult e1 e2 -> eval_expr e1 * eval_expr e2
    end

end

theory StackMachine

  type asm = Push int | Add | Sub | Mul

  use export int.Int
  use export list.List

  function compute (s:list int) (a:list asm) : list int =
    match a with
    | Nil -> s
    | Cons a r ->
      match a,s with
      | Push n, _                  -> compute (Cons n s) r
      | Add, (Cons n1 (Cons n2 s)) -> compute (Cons (n2+n1) s) r
      | Sub, (Cons n1 (Cons n2 s)) -> compute (Cons (n2-n1) s) r
      | Mul, (Cons n1 (Cons n2 s)) -> compute (Cons (n2*n1) s) r
      | _ -> s
      end
    end

end


module Compiler
  
  use export list.Append
  use Expr
  use StackMachine
  
  function compile (e:expr) : list asm =
    match e with
    | Cte n -> Cons (Push n) Nil
    | Plus e1 e2 -> compile e1 ++ (compile e2 ++ Cons Add Nil)
    | Minus e1 e2 -> compile e1 ++ (compile e2 ++ Cons Sub Nil)
    | Mult e1 e2 -> compile e1 ++ (compile e2 ++ Cons Mul Nil)
    end

  let rec lemma soundness_gen (e:expr) (s:list int) (r:list asm)
    variant { e }
    ensures { compute s (compile e ++ r) = compute (Cons (eval_expr e) s) r }
  = match e with
    | Cte n -> 
      assert { compile e ++ r = Cons (Push n) r }
    | Plus e1 e2 ->
      soundness_gen e1 s (compile e2 ++ Cons Add r);
      soundness_gen e2 (Cons (eval_expr e1) s) (Cons Add r)
    | Minus e1 e2 ->
      soundness_gen e1 s (compile e2 ++ Cons Sub r);
      soundness_gen e2 (Cons (eval_expr e1) s) (Cons Sub r)
    | Mult e1 e2 ->
      soundness_gen e1 s (compile e2 ++ Cons Mul r);
      soundness_gen e2 (Cons (eval_expr e1) s) (Cons Mul r)
    end
  
  let lemma soundness (e:expr)
    ensures { compute Nil (compile e) = (Cons (eval_expr e) Nil) }
  =
    assert { compute Nil (compile e) = compute Nil (compile e ++ Nil) }

end
why3-1.6.0/examples/toy_compiler/000077500000000000000000000000001440160026300167275ustar00rootroot00000000000000why3-1.6.0/examples/toy_compiler/why3session.xml000066400000000000000000000053541440160026300217560ustar00rootroot00000000000000







 
 
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
   
   
   
   
   
   
   
   
   
   
   
   
  
  
 
 
 
 
 



why3-1.6.0/examples/toy_compiler/why3shapes.gz000066400000000000000000000020201440160026300213610ustar00rootroot00000000000000WQ6~ׯ־HDI=dB6@m?/N|=6BRǏ><4y?w۟l»m?nכ칗aa˟;.{aae_VH>l:Jb]ć͝޵Ւ"	"8aۻ&a5*HUQjHzF%QxB5z.ቖma1uT#q$j.I`^ma2	fPq0_l2=('WߣsXҌCNGOŹa.i=<-JE2T»c2
ŦkEyT-a&-x5yT'%,ptS[93.}&ȝS-G'Dڶ<>LS>y^v-q)h"0riK`ց	eJ4v%?C7why3-1.6.0/examples/tree_height.mlw000066400000000000000000000161351440160026300172400ustar00rootroot00000000000000
(** Computing the height of a tree in CPS style
    (author: Jean-Christophe Filliâtre) *)

module HeightCPS

  use int.Int
  use int.MinMax
  use bintree.Tree
  use bintree.Height

  let rec height_cps (t: tree 'a) (k: int -> 'b) : 'b
    variant { t }
    ensures { result = k (height t) }
  = match t with
    | Empty -> k 0
    | Node l _ r ->
        height_cps l (fun hl ->
        height_cps r (fun hr ->
        k (1 + max hl hr)))
    end

  let height (t: tree 'a) : int
    ensures { result = height t }
  = height_cps t (fun h -> h)

end

(** with a while loop, manually obtained by compiling out recursion *)

module Iteration

  use int.Int
  use int.MinMax
  use list.List
  use bintree.Tree
  use bintree.Size
  use bintree.Height
  use ref.Ref

  type cont 'a = Id | Kleft (tree 'a) (cont 'a) | Kright int (cont 'a)

  type what 'a = Argument (tree 'a) | Result int

  let predicate is_id (k: cont 'a) =
    match k with Id -> true | _ -> false end

  let predicate is_result (w: what 'a) =
    match w with Result _ -> true | _ -> false end

  function evalk (k: cont 'a) (r: int) : int =
    match k with
    | Id         -> r
    | Kleft  l k -> evalk k (1 + max (height l) r)
    | Kright x k -> evalk k (1 + max x r)
    end

  function evalw (w: what 'a) : int =
    match w with
    | Argument t -> height t
    | Result   x -> x
    end

  function sizek (k: cont 'a) : int =
    match k with
    | Id         -> 0
    | Kleft  t k -> 3 + 4 * size t + sizek k
    | Kright _ k -> 1 + sizek k
    end

  lemma sizek_nonneg: forall k: cont 'a. sizek k >= 0

  function sizew (w: what 'a) : int =
    match w with
    | Argument t -> 1 + 4 * size t
    | Result   _ -> 0
    end

  lemma helper1: forall t: tree 'a. 4 * size t >= 0
  lemma sizew_nonneg: forall w: what 'a. sizew w >= 0

  let height1 (t: tree 'a) : int
    ensures { result = height t }
  =
    let w = ref (Argument t) in
    let k = ref Id in
    while not (is_id !k && is_result !w) do
      invariant { evalk !k (evalw !w) = height t }
      variant   { sizek !k + sizew !w }
      match !w, !k with
      | Argument Empty,        _ -> w := Result 0
      | Argument (Node l _ r), _ -> w := Argument l; k := Kleft r !k
      | Result _, Id             -> absurd
      | Result v, Kleft r k0     -> w := Argument r; k := Kright v k0
      | Result v, Kright hl k0   -> w := Result (1 + max hl v); k := k0
      end
    done;
    match !w with Result r -> r | _ -> absurd end

end

(** Computing the height of a tree with an explicit stack
    (code: Andrei Paskevich / proof: Jean-Christophe Filliâtre) *)

module HeightStack

  use int.Int
  use int.MinMax
  use list.List
  use bintree.Tree
  use bintree.Size
  use bintree.Height

  type stack 'a = list (int, tree 'a)

  function heights (s: stack 'a) : int =
    match s with
    | Nil            -> 0
    | Cons (h, t) s' -> max (h + height t) (heights s')
    end

  function sizes (s: stack 'a) : int =
    match s with
    | Nil            -> 0
    | Cons (_, t) s' -> size t + sizes s'
    end

  lemma sizes_nonneg: forall s: stack 'a. sizes s >= 0

  let rec height_stack (m: int) (s: stack 'a) : int
    requires { m >= 0 }
    variant  { sizes s, s }
    ensures  { result = max m (heights s) }
  = match s with
    | Nil                     -> m
    | Cons (h, Empty) s'      -> height_stack (max m h) s'
    | Cons (h, Node l _ r) s' -> height_stack m (Cons (h+1,l) (Cons (h+1,r) s'))
   end

  let height1 (t: tree 'a) : int
    ensures { result = height t }
  = height_stack 0 (Cons (0, t) Nil)

end

(** Computing the height of a tree with a small amount of memory:
    Stack size is only proportional to the logarithm of the tree size.
    (author: Martin Clochard) *)

module HeightSmallSpace

  use int.Int
  use int.MinMax
  use int.ComputerDivision
  use option.Option
  use bintree.Tree
  use bintree.Size
  use bintree.Height

  (** Count number of leaves in a tree. *)
  function leaves (t: tree 'a) : int = 1 + size t

  (** `height_limited acc depth lim t`:
       Compute the `height t` if the number of leaves in `t` is at most `lim`,
         fails otherwise. `acc` and `depth` are accumulators.
         For maintaining the limit within the recursion, this routine
         also send back the difference between the number of leaves and
         the limit in case of success.
       Method: find out one child with number of leaves at most `lim/2` using
         recursive calls. If no such child is found, the tree has at
         least `lim+1` leaves, hence fails. Otherwise, accumulate the result
         of the recursive call for that child and make a recursive tail-call
         for the other child, using the computed difference in order to
         update `lim`. Since non-tail-recursive calls halve the limit,
         the space complexity is logarithmic in `lim`.
       Note that as is, this has a degenerate case:
         if the small child is extremely small, we may waste a lot
         of computing time on the large child to notice it is large,
         while in the end processing only the small child until the
         tail-recursive call. Analysis shows that this results in
         super-polynomial time behavior (recursion T(N) = T(N/2)+T(N-1))
       To mitigate this, we perform recursive calls on all `lim/2^k` limits
         in increasing order (see process_small_child subroutine), until
         one succeed or maximal limits both fails. This way,
         the time spent by a single phase of the algorithm is representative
         of the size of the processed set of nodes.
         Time complexity: open
   *)
  let rec height_limited (acc depth lim: int) (t:tree 'a) : option (int,int)
    requires { 0 < lim /\ 0 <= acc }
    returns  { None -> leaves t > lim
      | Some (res,dl) -> res = max acc (depth + height t)
                         /\ lim = leaves t + dl /\ 0 <= dl }
    variant { lim }
  = match t with
    | Empty -> Some (max acc depth,lim-1)
    | Node l _ r ->
      let rec process_small_child (limc: int) : option (int,int,tree 'a)
        requires { 0 <= limc < lim }
        returns  { None -> leaves l > limc /\ leaves r > limc
          | Some (h,sz,rm) -> height t = 1 + max h (height rm)
                              /\ leaves t = leaves rm + sz
                              /\ 0 < sz <= limc }
        variant { limc }
      = if limc = 0 then None else
        match process_small_child (div limc 2) with
        | (Some _) as s -> s
        | None -> match height_limited 0 0 limc l with
        | Some (h,dl) -> Some (h,limc-dl,r)
        | None -> match height_limited 0 0 limc r with
        | Some (h,dl) -> Some (h,limc-dl,l)
        | None -> None
        end end end
      in
      let limc = div lim 2 in
      match process_small_child limc with
      | None -> None
      | Some (h,sz,rm) ->
        height_limited (max acc (depth + h + 1)) (depth+1) (lim-sz) rm
      end
    end

  use ref.Ref

  let height (t: tree 'a) : int
    ensures { result = height t }
  = let lim = ref 1 in
    while true do
      invariant { !lim > 0 }
      variant { leaves t - !lim }
      match height_limited 0 0 !lim t with
      | None -> lim := !lim * 2
      | Some (h,_) -> return h
      end
    done; absurd


endwhy3-1.6.0/examples/tree_height/000077500000000000000000000000001440160026300165115ustar00rootroot00000000000000why3-1.6.0/examples/tree_height/why3session.xml000066400000000000000000000162141440160026300215350ustar00rootroot00000000000000











 
 
 
 
 
 


 
 
  
  
  
 
 
 
 
 
 
 
 
 
 
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
   
   
   
  
  
 
 


 
 
  
  
  
 
 
 
 
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
 
 
 
 
  
  
  
  
  
  
 
 


 
 
 
 
 
 



why3-1.6.0/examples/tree_height/why3shapes.gz000066400000000000000000000061271440160026300211570ustar00rootroot00000000000000Zn}$6 Y[`;@B/,ue=XY$NbG3
F$c5S7}nC\}m/
g
?62>4bp٨Ef\pF}"]KnЗQwtzvczܤ|l|ˉ5N!q-B|8rIO@l(h.(E=#w:&ԇ9 4BTSSO?l5I5/7JnNѪٮݺCkgh2zraCqV,o틩?ryhS""wu83_V[-拈;>L<CHϻ\$|MVW77ptXWeܷǀ܄Wg;H5MvY(2%w
@voDž_}wW(ݦv컞*չ$w<<w~t3})ѿ|fVlr>P<ՄOapKjJ<@
`|8p
"p!dj$Kne;`zSlɛ3٦ӑppy6ȷ5HSg5e6Wy}{>Qw]C7yaoŃ2'6飀׍'h#,k3_O*+R9{ݳkSjvȱ7\ȑdg~&~YcMT+7YP]ky>gkl:Qi
;XvV}6뮧멛{^y=uycGogsA>]ʋ57'ԄnGo
Zo


N9E\y:Nëߚvwv'_X^'VgD~WwmmsA%
E׃ۇa:A][ji#۳KKmĴo=ju:>hfWgѻCNR%bL)AfSse3:IJn#[79s_s5#@Pp(
\pݭDM+:Si,	sEJOe

I6KTWo
}}֝y|(zۻ<Q_iT&:K=c"]ѥQvw!#쮲TNqqV+MCoP lF17
6QlD>%' ;JVX
S5}̆cdƄcB%V3WjLcsJI/oX~J!L͡Z;$xPw,t#LtT1VH|"VLB'beG	9`ܦ7%u
	
	K90b(ta30
P'uɁG/B6
eDFT񸚬kA&L_泳Sm	W9|`77׹ؘnpTau.b.z=ewV|*W:9G2y=5VK+II@(
uRZF¹.kuăK)KTRgg(I_h0aRYĤLNصs	pyt	Qت%O3!CyO!"V(Ed)LZȦbW
%Qi-LݹHU6JdCIm.U@Lec<l"pE+dD/
6XB^dB$Xxd5PzS6Euudg[0+o[P1ǢS*djmŬIb*$L!Zkd@!cR 9H%#F=aĄB;EvPDIVO<5U3
R`ey0JMX^{X{k]:Ή\ 90g8 xj-VjBVSZ(3ir6lgaMҥMbGQOMHo-*t$-`aP0ܖCmw9s@`ʘR0S2'ɛ9Uч$-faBD2`ҭRbE$PQ6g'r`Zs<^“Ec'QTksT,I	1Sq9Fr|T"\ɦ5Ȓ Thv<:G
Y HiJ\uL[6eۨd*9%J|6lcIm,BQF5S
=<№)~ 0 ->
                  let h = height result in power 2 (h-1) <= n < power 2 h) }
  =
    if hi = lo then
      Empty
    else
      let mid = lo + div (hi - lo) 2 in
      let left = tree_of_array_aux a lo mid in
      let right = tree_of_array_aux a (mid+1) hi in
      Node left a[mid] right

  let tree_of_array (a: array 'a) : tree 'a
    ensures { inorder result = to_list a 0 (length a) }
    ensures { size result > 0 -> let h = height result in
                power 2 (h-1) <= size result < power 2 h }
  =
    tree_of_array_aux a 0 (length a)

end
why3-1.6.0/examples/tree_of_array/000077500000000000000000000000001440160026300170435ustar00rootroot00000000000000why3-1.6.0/examples/tree_of_array/why3session.xml000066400000000000000000000130721440160026300220660ustar00rootroot00000000000000








 
 
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
   
   
   
   
   
    
    
    
   
   
   
   
    
    
    
    
    
     
     
      
      
      
     
     
     
     
      
      
      
     
     
    
    
   
   
   
   
    
    
    
    
    
     
     
      
      
      
      
      
       
       
       
       
       
       
      
      
     
     
     
     
      
      
      
     
     
    
    
   
   
  
  
 
 
 
 
 



why3-1.6.0/examples/tree_of_array/why3shapes.gz000066400000000000000000000036661440160026300215160ustar00rootroot00000000000000W[k#~ׯf1tu
3Oy	+Iޓ_{FҌ,9eըcwi|OrW?Os@~Y!~;7x`M
U\mM/8ffV&In*B 8Gu=6wPEo[~GvܱrĴn;|vR}[lǟAdNSk/px?pؔ	>%QG,X*RL/tNcLlfjfli3IۧϻCٻ/7u~xZ=mS>܉\\~wtxAȧ>]4ƒp-MmR_k?λ\ql5Ɣ{Wyt-aG:!?
C%Y>9p*s-f/M^og,g+W-n' KjD~XLXbbW}z"#O$N~{#p_*g

(SjB]	|2fQ>Q!uv6Kk}{zp+~scbώj^h?_
CgKMz:P#6i4:ljk|ݤV47!l@ܲFf^Wϛ_Y?du(uщ	92u:Qn:*׻nQ(}&5`+z@ű.iaZ ZʠӱCr]}"9CANJ~ܑ\˂.X	:NpDǪMJ*zgR_tzpFk(v[CjӡZG;߱O'$ciڢB^E.0j(vqm1N=d]*=<3+JP gm!xtWu>I	ja%i;ٳ>,_(W4t
bn˂uݝeNos'Q:D)â?;14|Q~B@hXAqpwHZY7/۳,F-c)Լ١FǴ>B4]Vb,9VZ6zZHft1eݪljV&
*edm%M:y!$*d 2Q!jJ&D9Gd`$T/N#d.Dc(tA+(5:
3
27ҴRR1Ms칌Aq-B.[.ZNrւm@UrLʉB╥(F.
6eIa+i0iyZZ#dEFNLLbA팢p tňԇy
L##IG=aᆌC\gHK!u.+Y΀\D4qZ`KIVBpEq&9dhS0U_SB,Z G`uN3Q"W(AfԢ5%&@6B\+$*nikN{9hi)HX`56x\\ci?kmc76)-&rRJF\"gi(gт40`{>EuZpM9PfM#hY3E4hhͫ+|)FgIO7Ys?y(h^ބwhy3-1.6.0/examples/tree_of_list.mlw000066400000000000000000000024131440160026300174210ustar00rootroot00000000000000
(** Build a tree of logarithmic height from a list, in linear time,
    while preserving the order of elements

    Author: Jean-Christophe Filliâtre (CNRS)
*)

module TreeOfList

  use int.Int
  use int.ComputerDivision
  use int.Power
  use list.List
  use list.Append
  use list.Length
  use bintree.Tree
  use bintree.Size
  use bintree.Inorder
  use bintree.InorderLength
  use bintree.Height

  type elt

  let rec tree_of_list_aux (n: int) (l: list elt) : (tree elt, list elt)
    requires { 0 <= n <= length l }
    variant  { n }
    ensures  { let t, l' = result in
               inorder t ++ l' = l && size t = n &&
               (n > 0 -> let h = height t in power 2 (h-1) <= n < power 2 h) }
  =
    if n = 0 then
      Empty, l
    else
      let n = n - 1 in
      let n1 = div n 2 in
      let left, l = tree_of_list_aux n1 l in
      match l with
      | Nil -> absurd
      | Cons x l -> let right, l = tree_of_list_aux (n - n1) l in
                    Node left x right, l
      end

  let tree_of_list (l: list elt) : tree elt
    ensures { inorder result = l }
    ensures { size result > 0 -> let h = height result in
                power 2 (h-1) <= size result < power 2 h }
  =
    let t, l = tree_of_list_aux (length l) l in
    assert { l = Nil };
    t

end
why3-1.6.0/examples/tree_of_list/000077500000000000000000000000001440160026300167005ustar00rootroot00000000000000why3-1.6.0/examples/tree_of_list/why3session.xml000066400000000000000000000052501440160026300217220ustar00rootroot00000000000000








 
 
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
   
   
   
   
   
   
   
   
   
   
   
   
  
  
 
 
 
 
 



why3-1.6.0/examples/tree_of_list/why3shapes.gz000066400000000000000000000022421440160026300213400ustar00rootroot00000000000000Uێ7}W[Fb7@d}
P#)1|IR=M!")yx~ӹ*UuO
.!v/{vXC}l/ؿG7=mlL͵!VǾ.K}w7|2v^dx:7Th?}Jb>wx.`	^1p[^VQ_C;$x~$EHqYVbЮ.oÚy9E#"sJTX!J?oweu>Ǫ?gW?U0_|q*[D.sOm(~U9bD#<Ͽn(kxVe0
fFw$ #K>jn %kbq'tZaF"FhcejaxDQaK*#
IJ$A\!UxZo}Q2HCk shuffle (Cons x a) b (Cons x c)
  | Shuffle_cons_right:
      forall x: 'a, a b c: list 'a.
      shuffle a b c -> shuffle a (Cons x b) (Cons x c)

  lemma shuffle_nil_nil_nil: shuffle Nil Nil (Nil: list 'a)

  lemma shuffle_sym:
     forall a b c: list 'a. shuffle a b c -> shuffle b a c

  lemma shuffle_length:
    forall a b c: list 'a. shuffle a b c -> length a + length b = length c

  (* the list l is composed of n blocks, each being 0,1,...,m-1 *)
  predicate suit_ordered (l: list int) =
    forall i j: int. 0 <= i < n -> 0 <= j < m -> nth (i * m + j) l = Some j

  (* the list l is a sequence of n blocks,
     each being a permutation of 0,1,...,m-1 *)
  predicate suit_sorted (l: list int) =
    (forall i v: int. nth i l = Some v -> 0 <= v < m) /\
    (forall i j1 j2: int. 0 <= i < n -> 0 <= j1 < m -> 0 <= j2 < m ->
     nth (i * m + j1) l <> nth (i * m + j2) l)

  (* TODO: prove it! *)
  axiom gilbreath_card_trick:
    forall a: list int. length a = n * m -> suit_ordered a ->
    forall c d: list int. a = c ++ d ->
    forall b: list int. shuffle c (reverse d) b -> suit_sorted b

end

(* a program implementing the card trick using stacks *)
module GilbreathCardTrick

  use GilbreathCardTrickPure
  use stack.Stack

  let shuffle (a b: t int)
    ensures { a.elts = Nil /\ b.elts = Nil /\
      shuffle (reverse (old a.elts)) (reverse (old b.elts)) result.elts }
  = let c = create () in
    let ghost a' = create () in
    let ghost b' = create () in
    while not (is_empty a && is_empty b) do
      invariant { reverse (old a.elts) = reverse a.elts ++ a'.elts }
      invariant { reverse (old b.elts) = reverse b.elts ++ b'.elts }
      invariant { shuffle a'.elts b'.elts c.elts }
      variant   { length a + length b }
      if not (is_empty a) && (is_empty b || any bool) then begin
        ghost (push (safe_top a) a');
        push (safe_pop a) c
      end else begin
        ghost (push (safe_top b) b');
        push (safe_pop b) c
      end
    done;
    c

  let card_trick (a: t int)
    requires { length a = n*m /\ suit_ordered a.elts }
    ensures { length result = n*m && suit_sorted result.elts }
  = (* cut a into c;d and reverse d in d_ *)
    let d_ = create () in
    let cut = any int ensures { 0 <= result <= n*m } in
    for i = 1 to cut do
      invariant { length a = n*m-i+1 /\ length d_ = i-1 /\
                  old a.elts = reverse d_.elts ++ a.elts }
      push (safe_pop a) d_
    done;
    assert { old a.elts = reverse d_.elts ++ a.elts };
    (* then suffle c (that is a) and d_ to get b *)
    shuffle a d_

end
why3-1.6.0/examples/unraveling_a_card_trick/000077500000000000000000000000001440160026300210615ustar00rootroot00000000000000why3-1.6.0/examples/unraveling_a_card_trick/why3session.xml000066400000000000000000000045251440160026300241070ustar00rootroot00000000000000








 
 
 
 
 
  
  
  
  
  
  
  
  
  
  
  
  
 
 
 
 
  
  
  
  
  
  
  
  
  
  
  
  
 
 


 
 
 
 
 
 



why3-1.6.0/examples/unraveling_a_card_trick/why3shapes.gz000066400000000000000000000021471440160026300235250ustar00rootroot00000000000000V[k+7~cЌ%)P9Oe_\j9pJ	7|Mro~Yw{Ʒ?ݗK]ׯ:`
_;X0C7l:,G8وFu
k "_]]`-?~O2~PO}K|LY'}\˥2j!éS'%4oDNvEEJL8
3f
@a$Q AqoSbWdU.bxOeim1e9d#
jtf'`r{w!*%kbArZX?ՠNLñX5UU_
^6xF^pBr>Q2
qD]`L}11E#/vFȹS_L3yVRÆF9uZ=W_))}2_}6y>lΏl-3[G7#yy0ƢyXݲ}wtk.E,Z2#s_m#]`4X3k>	㔧Lռ0ʹ%iMlo)9.tSn&GpbFvMg]?%6>>s>t~"MwK1P[:
=W}vAyMq7GGQ'3ηmP°UmGWujK]w}Dzw6]tmßEJL6Ht#hժiBp)2'h㭰	hz	P$:͝:J=T$#y6 2bpGBh	*{N:BDH&yflLɑ/{b".[rE˴ȱZjn	ȖTP113MLRɉrE*8Z9\;#Q1cPxk?1S-
gtuAXeڨ9,$mFȭes\r/('J :h+:C^kaP3-A>XJ!yGe$VE5š%GPoE
why3-1.6.0/examples/use_api/000077500000000000000000000000001440160026300156475ustar00rootroot00000000000000why3-1.6.0/examples/use_api/clone.ml000066400000000000000000000153071440160026300173070ustar00rootroot00000000000000(********************************************************************)
(*                                                                  *)
(*  The Why3 Verification Platform   /   The Why3 Development Team  *)
(*  Copyright 2010-2023 --  Inria - CNRS - Paris-Saclay University  *)
(*                                                                  *)
(*  This software is distributed under the terms of the GNU Lesser  *)
(*  General Public License version 2.1, with the special exception  *)
(*  on linking described in file LICENSE.                           *)
(*                                                                  *)
(********************************************************************)

(*******************

This file builds some MLW modules using the API
In particular, it tests the clone feature
(Inspired from mlw_tree.ml)

******************)

open Why3

let () = Debug.set_flag Debug.stack_trace
let config = Whyconf.init_config None
let main = Whyconf.get_main config
let env = Env.create_env (Whyconf.loadpath main)
open Ptree

let () = Typing.open_file env [] (* empty pathname *)
let mk_ident s = { id_str = s; id_ats = []; id_loc = Loc.dummy_position }
let () = Typing.open_module (mk_ident "Test")


(* Auxiliary functions (same as mlw_tree.ml) *)
let mk_qid l =
  let rec aux l =
    match l with
      | [] -> assert false
      | [x] -> Qident(mk_ident x)
      | x::r -> Qdot(aux r,mk_ident x)
  in
  aux (List.rev l)

let use_import (f, m) =
  let m = mk_ident m in
  let loc = Loc.dummy_position in
  Typing.add_decl loc (Ptree.Duseimport (loc,true, [Qdot (Qident (mk_ident f), m), None]))

let use_int_Int = use_import ("int","Int")

let mk_expr e = { expr_desc = e; expr_loc = Loc.dummy_position }

let mk_term t = { term_desc = t; term_loc = Loc.dummy_position }

let mk_pat p = { pat_desc = p; pat_loc = Loc.dummy_position }
let pat_var id = mk_pat (Pvar id)

let mk_var id = mk_term (Tident (Qident id))

let param0 = [Loc.dummy_position, None, false, Some (PTtuple [])]
let param1 id ty = [Loc.dummy_position, Some id, false, Some ty]

let mk_const i =
  Constant.(ConstInt Number.{ il_kind = ILitDec; il_int = BigInt.of_int i })

let mk_tconst i = mk_term (Tconst (mk_const i))

let mk_econst i = mk_expr (Econst (mk_const i))

let mk_tapp f l = mk_term (Tidapp(f,l))

let mk_eapp f l = mk_expr (Eidapp(f,l))

let mk_evar x = mk_expr(Eident(Qident x))

let eq_symb = mk_qid [Ident.op_infix "="]
let int_type_id = mk_qid ["int"]
let int_type = PTtyapp(int_type_id,[])

let a = mk_ident "a"

(* type a = < range 22 46 > *)
let type_a : Ptree.decl =
  let c22 = BigInt.of_int 22 in
  let c46 = BigInt.of_int 46 in
  Dtype [{
    td_loc = Loc.dummy_position;
    td_ident = a;
    td_params = [];
    td_vis = Public;
    td_mut = false;
    td_inv = [];
    td_wit = None;
    td_def = TDrange (c22, c46);
  }]

(*
  let f2 (b : 'a) =
     ensures {result = false}
     true
*)
let d2 : Ptree.decl =
  let id_b = mk_ident "_b" in
  let pre = mk_term Ttrue in
  let result = mk_ident "result" in
  let post = mk_tapp eq_symb [mk_var result; mk_term Tfalse] in
  let spec = {
    sp_pre = [pre];
    sp_post = [Loc.dummy_position,[pat_var result,post]];
    sp_xpost = [];
    sp_reads = [];
    sp_writes = [];
    sp_alias = [];
    sp_variant = [];
    sp_checkrw = false;
    sp_diverge = false;
    sp_partial = false;
  }
  in
  let body: expr = mk_expr Etrue in
  let f1 =
    Efun(param1 id_b (PTtyvar a), None,  mk_pat Pwild,
         Ity.MaskVisible, spec, body)
  in
  Dlet(mk_ident "f2",false,Expr.RKnone, mk_expr f1)

(*
  let f3 (b : a) =
     ensures {a'int b  = 42}
     true
*)
let d3 : Ptree.decl =
  let id_b = mk_ident "b" in
  let pre = mk_term Ttrue in
  let a_int = mk_qid ["a'int"] in
  let result = mk_ident "_result" in
  let post = mk_tapp eq_symb [mk_tapp a_int [mk_var id_b];
                              mk_tconst 42] in
  let spec = {
    sp_pre = [pre];
    sp_post = [Loc.dummy_position,[pat_var result,post]];
    sp_xpost = [];
    sp_reads = [];
    sp_writes = [];
    sp_alias = [];
    sp_variant = [];
    sp_checkrw = false;
    sp_diverge = false;
    sp_partial = false;
  }
  in
  let body: expr = mk_evar id_b in
  let f1 =
    Efun(param1 id_b (PTtyapp (Qident a, [])), None,  mk_pat Pwild,
         Ity.MaskVisible, spec, body)
  in
  Dlet(mk_ident "f3",false,Expr.RKnone, mk_expr f1)



(*
  let f1 (b : a) =
    requires {a'int b = 42}
    ensures {a'int result = a'int b}
    (42:a)
*)
let d1 : Ptree.decl =
  let id_b = mk_ident "b" in
  let a_int = mk_qid ["a'int"] in
  let pre = mk_tapp eq_symb [mk_tapp a_int [mk_var id_b];
                             mk_tconst 42] in
  let result = mk_ident "result" in
  let post = mk_tapp eq_symb [mk_tapp a_int [mk_var result];
                              mk_tapp a_int [mk_var id_b]] in
  let spec = {
    sp_pre = [pre];
    sp_post = [Loc.dummy_position,[pat_var result,post]];
    sp_xpost = [];
    sp_reads = [];
    sp_writes = [];
    sp_alias = [];
    sp_variant = [];
    sp_checkrw = false;
    sp_diverge = false;
    sp_partial = false;
  }
  in
  let body: expr = mk_expr (Ecast (mk_econst 42, PTtyapp (Qident a, []))) in
  let f1 =
    Efun(param1 id_b (PTtyapp (Qident a, [])), None,  mk_pat Pwild,
         Ity.MaskVisible, spec, body)
  in
  Dlet(mk_ident "f1",false,Expr.RKnone, mk_expr f1)


(* Add those declarations *)
let () = Typing.add_decl Loc.dummy_position type_a
let () = Typing.add_decl Loc.dummy_position d2
let () = Typing.add_decl Loc.dummy_position d3
let () = Typing.add_decl Loc.dummy_position d1

let () = Typing.close_module Loc.dummy_position

(* New module is clone of this one *)
let () = Typing.open_module (mk_ident "Test1")

(*
module Test1
  clone Test as T
end
*)
let clone_decl : Ptree.decl =
  Dcloneimport (Loc.dummy_position, false, Qident (mk_ident "Test"), Some (mk_ident "T"),[])

let () = Typing.add_decl Loc.dummy_position clone_decl

let () = Typing.close_module Loc.dummy_position

(* End of file *)
let mods : Pmodule.pmodule Wstdlib.Mstr.t = Typing.close_file ()

open Format

let () =
  printf "Theory are:@.";
  Wstdlib.Mstr.iter
    (fun _ m ->
      printf "%a@." Pretty.print_theory m.Pmodule.mod_theory) mods

(* Only use of this is to test clone_export *)
let auto_clone task th =
  Task.clone_export task th Theory.empty_inst

let my_tasks : Task.task list =
  let mods =
    Wstdlib.Mstr.fold
      (fun _ m acc ->
        let th = m.Pmodule.mod_theory in
        (* Automatically clone all theories *)
        let task =
          auto_clone None th
        in
        List.rev_append
          (Task.split_theory m.Pmodule.mod_theory None task) acc)
      mods []
  in
  List.rev mods

let () =
  printf "Tasks are:@.";
  let _ =
    List.fold_left
      (fun i t -> printf "Task %d: %a@." i Pretty.print_task t; i+1)
      1 my_tasks
  in ()
why3-1.6.0/examples/use_api/counterexample.ml000066400000000000000000000164571440160026300212510ustar00rootroot00000000000000(********************************************************************)
(*                                                                  *)
(*  The Why3 Verification Platform   /   The Why3 Development Team  *)
(*  Copyright 2010-2023 --  Inria - CNRS - Paris-Saclay University  *)
(*                                                                  *)
(*  This software is distributed under the terms of the GNU Lesser  *)
(*  General Public License version 2.1, with the special exception  *)
(*  on linking described in file LICENSE.                           *)
(*                                                                  *)
(********************************************************************)

(*******************

This file builds some goals based on logic.ml using the API and calls
CVC4 to query counterexamples for them

Note: the comments of the form BEGIN{id} and END{id} are there for automatic extraction
of the chapter "The Why3 API" of the manual
******************)

(* opening the Why3 library *)
open Why3

(* a ground propositional goal: true or false *)
let fmla_true : Term.term = Term.t_true
let fmla_false : Term.term = Term.t_false

(* printing it *)
open Format

(* a propositional goal: A implies (A and B) *)

(* BEGIN{ce_declarepropvars} *)
let make_attribute (name: string) : Ident.attribute =
  Ident.create_attribute ("model_trace:" ^ name)
let prop_var_A : Term.lsymbol =
  (* [user_position file line left_col right_col] *)
  let loc = Loc.user_position "myfile.my_ext" 28 0 28 1  in
  let attrs = Ident.Sattr.singleton (make_attribute "my_A") in
  Term.create_psymbol (Ident.id_fresh ~attrs ~loc "A") []
(* END{ce_declarepropvars} *)
let prop_var_B : Term.lsymbol =
  let loc = Loc.user_position "myfile.my_ext2" 101 0 101 1  in
  let attrs = Ident.Sattr.singleton (make_attribute "my_B") in
  Term.create_psymbol (Ident.id_fresh ~attrs ~loc "B") []

(* BEGIN{ce_adaptgoals} *)
let atom_A : Term.term = Term.ps_app prop_var_A []
let atom_B : Term.term = Term.ps_app prop_var_B []
(* Voluntarily wrong verification condition *)
let fmla2 : Term.term =
  Term.t_implies atom_A (Term.t_and atom_A atom_B)
(* We add a location and attribute to indicate the start of a goal *)
let fmla2 : Term.term =
  let loc = Loc.user_position "myfile.my_ext" 42 28 42 91  in
  let attrs = Ident.Sattr.singleton Ity.annot_attr in
  (* Note that this remove any existing attribute/locations on fmla2 *)
  Term.t_attr_set ~loc attrs fmla2
(* END{ce_adaptgoals} *)

let () = printf "@[formula 2 is:@ %a@]@." Pretty.print_term fmla2

let task2 = None
let task2 = Task.add_param_decl task2 prop_var_A
let task2 = Task.add_param_decl task2 prop_var_B
(* BEGIN{ce_nobuiltin} *)
let task2 = Task.add_meta task2 Driver.meta_get_counterexmp [Theory.MAstr ""]
(* END{ce_nobuiltin} *)
let goal_id2 = Decl.create_prsymbol (Ident.id_fresh "goal2")
let task2 = Task.add_prop_decl task2 Decl.Pgoal goal_id2 fmla2
let () = printf "@[task 2 created:@\n%a@]@." Pretty.print_task task2


(* To call a prover, we need to access the Why configuration *)

(* reads the default config file *)
let config = Whyconf.init_config None
(* the [main] section of the config file *)
let main : Whyconf.main = Whyconf.get_main config
(* all the provers detected, from the config file *)
let provers : Whyconf.config_prover Whyconf.Mprover.t =
  Whyconf.get_provers config

(* BEGIN{ce_get_cvc4ce} *)
(* One alternative for CVC4 with counterexamples in the config file *)
let cvc4 : Whyconf.config_prover =
  let fp = Whyconf.parse_filter_prover "CVC4,1.7,counterexamples" in
  (* All provers alternative counterexamples that have the name CVC4 and version 1.7 *)
  let provers = Whyconf.filter_provers config fp in
  if Whyconf.Mprover.is_empty provers then begin
    eprintf "Prover CVC4 1.7 not installed or not configured@.";
    exit 1
  end else
    snd (Whyconf.Mprover.max_binding provers)
(* END{ce_get_cvc4ce} *)

(* builds the environment from the [loadpath] *)
let env : Env.env = Env.create_env (Whyconf.loadpath main)

(* loading the CVC4 driver *)
let cvc4_driver : Driver.driver =
  try
    Driver.load_driver_for_prover main env cvc4
  with e ->
    eprintf "Failed to load driver for CVC4,1.7: %a@."
      Exn_printer.exn_printer e;
    exit 1

(* calls CVC4 *)
let result1 : Call_provers.prover_result =
  Call_provers.wait_on_call
    (Driver.prove_task
       ~limit:Call_provers.empty_limit
       ~config:main
       ~command:(Whyconf.get_complete_command cvc4 ~with_steps:false)
    cvc4_driver task2)

(* BEGIN{ce_callprover} *)
(* prints CVC4 answer *)
let () = printf "@[On task 1, CVC4,1.7 answers %a@."
    (Call_provers.print_prover_result ?json:None) result1

let () = printf "Model is %t@."
    (fun fmt ->
       match Check_ce.select_model_last_non_empty
                result1.Call_provers.pr_models with
       | Some m -> Json_base.print_json fmt (Model_parser.json_model m)
       | None -> fprintf fmt "unavailable")
(* END{ce_callprover} *)

(* Construct program:
   module M =
     let f (x: int) = assert { x <> 42 }
   end *)
let mlw_file =
  let loc () = (* The counterexample selections requires unique locations *)
    Mlw_printer.id_loc () in
  let open Ptree in
  let open Ptree_helpers in
  let let_f =
    let equ = Qident (ident ~loc:(loc ()) Ident.op_equ) in
    let t_x = tvar ~loc:(loc ()) (Qident (ident "x")) in
    let t_42 = tconst ~loc:(loc ()) 42 in
    let t = term ~loc:(loc ()) (Tidapp (equ, [t_x; t_42])) in
    let t = term ~loc:(loc ()) (Tnot t) in
    let body = expr ~loc:(loc ()) (Eassert (Expr.Assert, t)) in
    let pty_int = PTtyapp (Qident (ident "int"), []) in
    let arg = loc (), Some (ident ~loc:(loc ()) "x"), false, Some pty_int in
    let efun =
      Efun ([arg], None, pat Ptree.Pwild, Ity.MaskVisible, empty_spec, body) in
    let e = expr ~loc:(loc ()) efun in
    Dlet (ident "f", false, Expr.RKnone, e) in
  Decls [let_f]

let pm =
  let pms = Typing.type_mlw_file env [] "myfile.mlw" mlw_file in
  Wstdlib.Mstr.find "" pms

let task =
  match Task.split_theory pm.Pmodule.mod_theory None None with
  | [task] -> task
  | _ -> failwith "Not exactly one task"

let {Call_provers.pr_models= models} =
  Call_provers.wait_on_call
    (Driver.prove_task ~limit:Call_provers.empty_limit
       ~config:main
       ~command:(Whyconf.get_complete_command cvc4 ~with_steps:false)
       cvc4_driver task)

let () = print_endline "\n== Check CE"

(* BEGIN{check_ce} *)
let () =
  let rac = Pinterp.mk_rac ~ignore_incomplete:false
      (Rac.Why.mk_check_term_lit config env ~why_prover:"alt-ergo" ()) in
  let model, clsf = Opt.get_exn (Failure "No good model found")
      (Check_ce.select_model ~check_ce:true rac env pm models) in
  printf "%a@." (Check_ce.print_model_classification
                   ~check_ce:true ?verb_lvl:None ?json:None) (model, clsf)
(* END{check_ce} *)

let () = print_endline "\n== RAC execute giant steps\n"

(* BEGIN{check_ce_giant_step} *)
let () =
  let rac = Pinterp.mk_rac ~ignore_incomplete:false
    (Rac.Why.mk_check_term_lit config env ~why_prover:"alt-ergo" ()) in
  let rac_results = Check_ce.get_rac_results ~only_giant_step:true
    rac env pm models in
  let strategy = Check_ce.best_non_empty_giant_step_rac_result in
  let _,res = Opt.get_exn (Failure "No good model found")
    (Check_ce.select_model_from_giant_step_rac_results ~strategy rac_results) in
  printf "%a@." (Check_ce.print_rac_result ?verb_lvl:None) res
(* END{check_ce_giant_step} *)
why3-1.6.0/examples/use_api/create_session.ml000066400000000000000000000065231440160026300212150ustar00rootroot00000000000000(********************************************************************)
(*                                                                  *)
(*  The Why3 Verification Platform   /   The Why3 Development Team  *)
(*  Copyright 2010-2023 --  Inria - CNRS - Paris-Saclay University  *)
(*                                                                  *)
(*  This software is distributed under the terms of the GNU Lesser  *)
(*  General Public License version 2.1, with the special exception  *)
(*  on linking described in file LICENSE.                           *)
(*                                                                  *)
(********************************************************************)

(*******************

This file builds a new session from a given file.

To each goal is added as many proof attempts as provers
found in the configuration.


******************)

open Format

(* opening the Why3 library *)
open Why3

(* access to the Why configuration *)

(* reads the default config file *)
let config = Whyconf.init_config None
(* the [main] section of the config file *)
let main : Whyconf.main = Whyconf.get_main config
(* all the provers detected, from the config file *)
let provers : Whyconf.config_prover Whyconf.Mprover.t =
  Whyconf.get_provers config

(* builds the environment from the [loadpath] *)
let env : Env.env = Env.create_env (Whyconf.loadpath main)

(* loading the drivers *)
let provers =
  Whyconf.Mprover.fold
    (fun _ p acc ->
      try
        let d = Driver.load_driver_for_prover main env p in
        (p,d)::acc
      with e ->
        let p = p.Whyconf.prover in
        eprintf "Failed to load driver for %s %s: %a@."
          p.Whyconf.prover_name p.Whyconf.prover_version
          Exn_printer.exn_printer e;
        exit 1)
    provers
    []

(* create an empty session in the current directory *)
let session = Session_itp.empty_session "."

(* creates a controller on top of this session *)
let controller = Controller_itp.create_controller config env session

(* adds a file in the new session *)
let file : Session_itp.file =
  let file_name = "examples/logic/hello_proof.why" in
  try
    Controller_itp.add_file controller file_name;
    let path = Sysutil.relativize_filename (Session_itp.get_dir session) file_name in
    Session_itp.find_file_from_path session path
  with
  | Controller_itp.Errors_list le ->
      eprintf "@[Error while reading file@ '%s':@ %a@.@]" file_name
              (Pp.print_list Pp.space Exn_printer.exn_printer) le;
      exit 1

(* explore the theories in that file *)
let theories = Session_itp.file_theories file
let () = printf "%d theories found in session@." (List.length theories)

(* save the session on disk. *)
let () = Session_itp.save_session session


(* add proof attempts for each goals in the theories *)
let add_proofs_attempts g =
  List.iter
    (fun (p,_driver) ->
      let _pa : Session_itp.proofAttemptID =
        Session_itp.graft_proof_attempt
          ~limit:{Call_provers.empty_limit with
                  Call_provers.limit_time = 5.;
                               limit_mem = 1000 }
          session g p.Whyconf.prover
      in ())
    provers

let () =
  List.iter
    (fun th -> List.iter add_proofs_attempts (Session_itp.theory_goals th))
    theories

(* save the session on disk. note: the prover have not been run yet ! *)
let () = Session_itp.save_session session
why3-1.6.0/examples/use_api/logic.ml000066400000000000000000000251331440160026300173020ustar00rootroot00000000000000(********************************************************************)
(*                                                                  *)
(*  The Why3 Verification Platform   /   The Why3 Development Team  *)
(*  Copyright 2010-2023 --  Inria - CNRS - Paris-Saclay University  *)
(*                                                                  *)
(*  This software is distributed under the terms of the GNU Lesser  *)
(*  General Public License version 2.1, with the special exception  *)
(*  on linking described in file LICENSE.                           *)
(*                                                                  *)
(********************************************************************)

(*******************

This file builds some goals using the API and calls
the alt-ergo prover to check them

Note: the comments of the form BEGIN{id} and END{id} are there for automatic extraction
of the chapter "The Why3 API" of the manual
******************)

(* BEGIN{opening} *)
(* opening the Why3 library *)
open Why3

(* a ground propositional goal: true or false *)
let fmla_true : Term.term = Term.t_true
let fmla_false : Term.term = Term.t_false
let fmla1 : Term.term = Term.t_or fmla_true fmla_false
(* END{opening} *)

(* BEGIN{printformula} *)
(* printing it *)
open Format
let () = printf "@[formula 1 is:@ %a@]@." Pretty.print_term fmla1
(* END{printformula} *)


(* a propositional goal: A and B implies A *)

(* BEGIN{declarepropvars} *)
let prop_var_A : Term.lsymbol =
  Term.create_psymbol (Ident.id_fresh "A") []
let prop_var_B : Term.lsymbol =
  Term.create_psymbol (Ident.id_fresh "B") []
(* END{declarepropvars} *)
(* BEGIN{declarepropatoms} *)
let atom_A : Term.term = Term.ps_app prop_var_A []
let atom_B : Term.term = Term.ps_app prop_var_B []
let fmla2 : Term.term =
  Term.t_implies (Term.t_and atom_A atom_B) atom_A
let () = printf "@[formula 2 is:@ %a@]@." Pretty.print_term fmla2
(* END{declarepropatoms} *)

(* BEGIN{buildtask} *)
(* building the task for formula 1 alone *)
let task1 : Task.task = None (* empty task *)
let goal_id1 : Decl.prsymbol = Decl.create_prsymbol (Ident.id_fresh "goal1")
let task1 : Task.task = Task.add_prop_decl task1 Decl.Pgoal goal_id1 fmla1
(* END{buildtask} *)

(* BEGIN{printtask} *)
(* printing the task *)
let () = printf "@[task 1 is:@\n%a@]@." Pretty.print_task task1
(* END{printtask} *)

(* BEGIN{buildtask2} *)
(* task for formula 2 *)
let task2 = None
let task2 = Task.add_param_decl task2 prop_var_A
let task2 = Task.add_param_decl task2 prop_var_B
let goal_id2 = Decl.create_prsymbol (Ident.id_fresh "goal2")
let task2 = Task.add_prop_decl task2 Decl.Pgoal goal_id2 fmla2
let () = printf "@[task 2 created:@\n%a@]@." Pretty.print_task task2
(* END{buildtask2} *)



(* To call a prover, we need to access the Why configuration *)

(* BEGIN{getconf} *)
(* reads the default config file *)
let config : Whyconf.config = Whyconf.init_config None
(* the [main] section of the config file *)
let main : Whyconf.main = Whyconf.get_main config
(* all the provers detected, from the config file *)
let provers : Whyconf.config_prover Whyconf.Mprover.t =
  Whyconf.get_provers config
(* END{getconf} *)

(* BEGIN{getanyaltergo} *)
(* One prover named Alt-Ergo in the config file *)
let alt_ergo : Whyconf.config_prover =
  let fp = Whyconf.parse_filter_prover "Alt-Ergo" in
  (* all provers that have the name "Alt-Ergo" *)
  let provers = Whyconf.filter_provers config fp in
  if Whyconf.Mprover.is_empty provers then begin
      eprintf "Prover Alt-Ergo not installed or not configured@.";
      exit 1
    end else begin
      printf "Versions of Alt-Ergo found:";
      Whyconf.(Mprover.iter (fun k _ -> printf " %s" k.prover_version) provers);
      printf "@.";
      (* returning an arbitrary one *)
      snd (Whyconf.Mprover.max_binding provers)
    end
(* END{getanyaltergo} *)

(* BEGIN{getaltergo200} *)
(* Specific version 2.3.3 of Alt-Ergo in the config file *)
let _ : Whyconf.config_prover =
  let fp = Whyconf.parse_filter_prover "Alt-Ergo,2.3.3" in
  let provers = Whyconf.filter_provers config fp in
  if Whyconf.Mprover.is_empty provers then begin
      eprintf "Prover Alt-Ergo 2.3.3 not installed or not configured, using version %s instead@."
        Whyconf.(alt_ergo.prover.prover_version) ;
    alt_ergo (* we don't want to fail this time *)
  end else
    snd (Whyconf.Mprover.max_binding provers)
(* END{getaltergo200} *)

(* BEGIN{getdriver} *)
(* builds the environment from the [loadpath] *)
let env : Env.env = Env.create_env (Whyconf.loadpath main)

(* loading the Alt-Ergo driver *)
let alt_ergo_driver : Driver.driver =
  try
    Driver.load_driver_for_prover main env alt_ergo
  with e ->
    eprintf "Failed to load driver for alt-ergo: %a@."
      Exn_printer.exn_printer e;
    exit 1
(* END{getdriver} *)

(* BEGIN{callprover} *)
(* calls Alt-Ergo *)
let result1 : Call_provers.prover_result =
  Call_provers.wait_on_call
    (Driver.prove_task
       ~limit:Call_provers.empty_limit
       ~config:main
       ~command:alt_ergo.Whyconf.command
       alt_ergo_driver
       task1)

(* prints Alt-Ergo answer *)
let () = printf "@[On task 1, Alt-Ergo answers %a@."
    (Call_provers.print_prover_result ?json:None) result1
(* END{callprover} *)

(* BEGIN{calltimelimit} *)
let result2 : Call_provers.prover_result =
  Call_provers.wait_on_call
    (Driver.prove_task
       ~command:alt_ergo.Whyconf.command
       ~config:main
       ~limit:{Call_provers.empty_limit with Call_provers.limit_time = 10.}
       alt_ergo_driver
       task2)

let () = printf "@[On task 2, Alt-Ergo answers %a in %5.2f seconds@."
  Call_provers.print_prover_answer result1.Call_provers.pr_answer
  result1.Call_provers.pr_time
(* END{calltimelimit} *)



(*

An arithmetic goal: 2+2 = 4

*)

(* BEGIN{buildfmla} *)
let two  : Term.term = Term.t_nat_const 2
let four : Term.term = Term.t_nat_const 4
let int_theory : Theory.theory = Env.read_theory env ["int"] "Int"
let plus_symbol : Term.lsymbol =
  Theory.ns_find_ls int_theory.Theory.th_export ["infix +"]
let two_plus_two : Term.term = Term.t_app_infer plus_symbol [two;two]
let fmla3 : Term.term = Term.t_equ two_plus_two four
(* END{buildfmla} *)

(* BEGIN{buildtermalt} *)
let two_plus_two : Term.term = Term.fs_app plus_symbol [two;two] Ty.ty_int
(* END{buildtermalt} *)

(* BEGIN{buildtaskimport} *)
let task3 = None
let task3 = Task.use_export task3 int_theory
let goal_id3 = Decl.create_prsymbol (Ident.id_fresh "goal3")
let task3 = Task.add_prop_decl task3 Decl.Pgoal goal_id3 fmla3
(* END{buildtaskimport} *)

(*
let () = printf "@[task 3 created:@\n%a@]@." Pretty.print_task task3
*)
let () = printf "@[task 3 created@]@."

let result3 =
  Call_provers.wait_on_call
    (Driver.prove_task
       ~limit:Call_provers.empty_limit
       ~config:main
       ~command:alt_ergo.Whyconf.command
       alt_ergo_driver
       task3)

let () = printf "@[On task 3, Alt-Ergo answers %a@."
  (Call_provers.print_prover_result ?json:None) result3

(* quantifiers: let's build "forall x:int. x*x >= 0" *)
(* BEGIN{quantfmla1} *)
let zero : Term.term = Term.t_nat_const 0
let mult_symbol : Term.lsymbol =
  Theory.ns_find_ls int_theory.Theory.th_export ["infix *"]
let ge_symbol : Term.lsymbol =
  Theory.ns_find_ls int_theory.Theory.th_export ["infix >="]
(* END{quantfmla1} *)

(* BEGIN{quantfmla2} *)
let var_x : Term.vsymbol =
  Term.create_vsymbol (Ident.id_fresh "x") Ty.ty_int
(* END{quantfmla2} *)

(* BEGIN{quantfmla3} *)
let x : Term.term = Term.t_var var_x
let x_times_x : Term.term = Term.t_app_infer mult_symbol [x;x]
let fmla4_aux : Term.term = Term.ps_app ge_symbol [x_times_x;zero]
(* END{quantfmla3} *)

(* BEGIN{quantfmla4} *)
let fmla4 : Term.term = Term.t_forall_close [var_x] [] fmla4_aux
(* END{quantfmla4} *)

let task4 = None
let task4 = Task.use_export task4 int_theory
let goal_id4 = Decl.create_prsymbol (Ident.id_fresh "goal4")
let task4 = Task.add_prop_decl task4 Decl.Pgoal goal_id4 fmla4

let result4 =
  Call_provers.wait_on_call
    (Driver.prove_task
       ~limit:Call_provers.empty_limit
       ~config:main
       ~command:alt_ergo.Whyconf.command
       alt_ergo_driver
       task4)

let () = printf "@[On task 4, Alt-Ergo answers %a@."
  (Call_provers.print_prover_result ?json:None) result4

(* build a theory with all these goals *)

(* create a theory *)
let () = printf "@[creating theory 'My_theory'@]@."

(* BEGIN{buildth1} *)
let my_theory : Theory.theory_uc =
  Theory.create_theory (Ident.id_fresh "My_theory")
(* END{buildth1} *)

(* add declarations of goals *)

let () = printf "@[adding goal 1@]@."
(* BEGIN{buildth2} *)
let decl_goal1 : Decl.decl =
  Decl.create_prop_decl Decl.Pgoal goal_id1 fmla1
let my_theory : Theory.theory_uc = Theory.add_decl my_theory decl_goal1
(* END{buildth2} *)

let () = printf "@[adding goal 2@]@."
(* BEGIN{buildth3} *)
let my_theory : Theory.theory_uc =
  Theory.add_param_decl my_theory prop_var_A
let my_theory : Theory.theory_uc =
  Theory.add_param_decl my_theory prop_var_B
let decl_goal2 : Decl.decl =
  Decl.create_prop_decl Decl.Pgoal goal_id2 fmla2
let my_theory : Theory.theory_uc = Theory.add_decl my_theory decl_goal2
(* END{buildth3} *)

(* BEGIN{buildth4} *)
(* helper function: [use th1 th2] insert the equivalent of a
   "use import th2" in theory th1 under construction *)
let use th1 th2 =
  let name = th2.Theory.th_name in
  Theory.close_scope
    (Theory.use_export (Theory.open_scope th1 name.Ident.id_string) th2)
    ~import:true
(* END{buildth4} *)

let () = printf "@[adding goal 3@]@."
(* use import int.Int *)
(* BEGIN{buildth5} *)
let my_theory : Theory.theory_uc = use my_theory int_theory
let decl_goal3 : Decl.decl =
  Decl.create_prop_decl Decl.Pgoal goal_id3 fmla3
let my_theory : Theory.theory_uc = Theory.add_decl my_theory decl_goal3
(* END{buildth5} *)

let () = printf "@[adding goal 4@]@."
(* BEGIN{buildth6} *)
let decl_goal4 : Decl.decl =
  Decl.create_prop_decl Decl.Pgoal goal_id4 fmla4
let my_theory : Theory.theory_uc = Theory.add_decl my_theory decl_goal4
(* END{buildth6} *)

(* closing the theory *)
(* BEGIN{buildth7} *)
let my_theory : Theory.theory = Theory.close_theory my_theory
(* END{buildth7} *)

(* printing the result *)
(* BEGIN{printtheory} *)
let () = printf "@[my new theory is as follows:@\n@\n%a@]@."
                Pretty.print_theory my_theory
(* END{printtheory} *)

(* getting set of task from a theory *)
(* BEGIN{splittheory} *)
let my_tasks : Task.task list =
  List.rev (Task.split_theory my_theory None None)
(* END{splittheory} *)

(* BEGIN{printalltasks} *)
let () =
  printf "Tasks are:@.";
  let _ =
    List.fold_left
      (fun i t -> printf "Task %d: %a@." i Pretty.print_task t; i+1)
      1 my_tasks
  in ()
(* END{printalltasks} *)







(*
Local Variables:
compile-command: "make -C ../.. test-api-logic.byte"
End:
*)
why3-1.6.0/examples/use_api/mlw_expr.ml000066400000000000000000000116071440160026300200430ustar00rootroot00000000000000(********************************************************************)
(*                                                                  *)
(*  The Why3 Verification Platform   /   The Why3 Development Team  *)
(*  Copyright 2010-2023 --  Inria - CNRS - Paris-Saclay University  *)
(*                                                                  *)
(*  This software is distributed under the terms of the GNU Lesser  *)
(*  General Public License version 2.1, with the special exception  *)
(*  on linking described in file LICENSE.                           *)
(*                                                                  *)
(********************************************************************)

(*******************

This file builds some MLW modules, using parse trees instead of direct
API calls

******************)

(* BEGIN{buildenv} *)
open Why3
let config : Whyconf.config = Whyconf.init_config None
let main : Whyconf.main = Whyconf.get_main config
let env : Env.env = Env.create_env (Whyconf.loadpath main)
(* END{buildenv} *)

(*

declaration of
BEGIN{source2}
     let f2 () : int
        requires { true }
        ensures { result >= 0 }
      = let x = ref 42 in !x
END{source2}

*)

(* BEGIN{code2_import} *)
let int_module : Pmodule.pmodule =
  Pmodule.read_module env ["int"] "Int"

let ge_int : Term.lsymbol =
  Theory.ns_find_ls int_module.Pmodule.mod_theory.Theory.th_export
    [Ident.op_infix ">="]

let ref_module : Pmodule.pmodule =
  Pmodule.read_module env ["ref"] "Ref"

let ref_type : Ity.itysymbol =
  Pmodule.ns_find_its ref_module.Pmodule.mod_export ["ref"]

(* the "ref" function *)
let ref_fun : Expr.rsymbol =
  Pmodule.ns_find_rs ref_module.Pmodule.mod_export ["ref"]

(* the "!" function *)
let get_fun : Expr.rsymbol =
  Pmodule.ns_find_rs ref_module.Pmodule.mod_export [Ident.op_prefix "!"]

(* END{code2_import} *)


(* BEGIN{code2} *)
let d2 =
  let id = Ident.id_fresh "f" in
  let post =
    let result =
      Term.create_vsymbol (Ident.id_fresh "result") Ty.ty_int
    in
    let post = Term.ps_app ge_int [Term.t_var result; Term.t_nat_const 0] in
    Ity.create_post result post
  in
  let body =
    (* building expression "ref 42" *)
    let e =
      let c0 = Expr.e_const (Constant.int_const_of_int 42) Ity.ity_int in
      let refzero_type = Ity.ity_app ref_type [Ity.ity_int] [] in
      Expr.e_app ref_fun [c0] [] refzero_type
    in
    (* building the first part of the let x = ref 42 *)
    let id_x = Ident.id_fresh "x" in
    let letdef, var_x = Expr.let_var id_x e in
    (* building expression "!x" *)
    let bang_x = Expr.e_app get_fun [Expr.e_var var_x] [] Ity.ity_int in
    (* the complete body *)
    Expr.e_let letdef bang_x
  in
  let arg_unit =
    let unit = Ident.id_fresh "unit" in
    Ity.create_pvsymbol unit Ity.ity_unit
  in
  let def,_rs = Expr.let_sym id
      (Expr.c_fun [arg_unit] [] [post] Ity.Mxs.empty Ity.Mpv.empty body) in
  Pdecl.create_let_decl def

(* END{code2} *)

(* BEGIN{createmodule} *)
let mod2 =
  let uc : Pmodule.pmodule_uc =
    Pmodule.create_module env (Ident.id_fresh "MyModule")
  in
  let uc = Pmodule.use_export uc int_module in
  let uc = Pmodule.use_export uc ref_module in
  let uc = Pmodule.add_pdecl ~vc:true uc d2 in
  Pmodule.close_module uc
(* END{createmodule} *)

(* Checking the VCs *)

(* BEGIN{checkingvcs} *)
let my_tasks : Task.task list =
  Task.split_theory mod2.Pmodule.mod_theory None None

open Format

let () =
  printf "Tasks are:@.";
  let _ =
    List.fold_left
      (fun i t -> printf "Task %d: %a@." i Pretty.print_task t; i+1)
      1 my_tasks
  in ()

let provers : Whyconf.config_prover Whyconf.Mprover.t =
  Whyconf.get_provers config

let alt_ergo : Whyconf.config_prover =
  let fp = Whyconf.parse_filter_prover "Alt-Ergo" in
  (* all provers that have the name "Alt-Ergo" *)
  let provers = Whyconf.filter_provers config fp in
  if Whyconf.Mprover.is_empty provers then begin
    eprintf "Prover Alt-Ergo not installed or not configured@.";
    exit 1
  end else
    snd (Whyconf.Mprover.max_binding provers)

let alt_ergo_driver : Driver.driver =
  try
    Driver.load_driver_for_prover main env alt_ergo
  with e ->
    eprintf "Failed to load driver for alt-ergo: %a@."
      Exn_printer.exn_printer e;
    exit 1

let () =
  let _ =
    List.fold_left
      (fun i t ->
       let r =
         Call_provers.wait_on_call
           (Driver.prove_task
              ~limit:Call_provers.empty_limit
              ~config:main
              ~command:alt_ergo.Whyconf.command
              alt_ergo_driver
              t)
       in
       printf "@[On task %d, alt-ergo answers %a@."
              i (Call_provers.print_prover_result ?json:None) r;
       i+1
      )
      1 my_tasks
  in ()
(* END{checkingvcs} *)

(*
Local Variables:
compile-command: "ocaml -I ../../lib/why3 unix.cma nums.cma str.cma dynlink.cma -I `ocamlfind query menhirLib` menhirLib.cmo -I `ocamlfind query camlzip` zip.cma ../../lib/why3/why3.cma mlw_tree.ml"
End:
*)
why3-1.6.0/examples/use_api/mlw_tree.ml000066400000000000000000000240501440160026300200200ustar00rootroot00000000000000(********************************************************************)
(*                                                                  *)
(*  The Why3 Verification Platform   /   The Why3 Development Team  *)
(*  Copyright 2010-2023 --  Inria - CNRS - Paris-Saclay University  *)
(*                                                                  *)
(*  This software is distributed under the terms of the GNU Lesser  *)
(*  General Public License version 2.1, with the special exception  *)
(*  on linking described in file LICENSE.                           *)
(*                                                                  *)
(********************************************************************)

(*******************

This file builds some MLW modules, using parse trees instead of direct
API calls

******************)

(* BEGIN{buildenv} *)
open Why3
let config : Whyconf.config = Whyconf.init_config None
let main : Whyconf.main = Whyconf.get_main config
let env : Env.env = Env.create_env (Whyconf.loadpath main)
open Ptree
open Ptree_helpers
(* END{buildenv} *)

(* declaration of
  BEGIN{source1}
module M1
  use int.Int
  goal g : 2 + 2 = 4
end
  END{source1}
 *)

(* BEGIN{code1} *)
let mod_M1 =
  (* use int.Int *)
  let use_int_Int = use ~import:false (["int";"Int"]) in
  (* goal g : 2 + 2 = 4 *)
  let g =
    let two = tconst 2 in
    let four = tconst 4 in
    let add_int = qualid ["Int";Ident.op_infix "+"] in
    let two_plus_two = tapp add_int [two ; two] in
    let eq_int = qualid ["Int";Ident.op_infix "="] in
    let goal_term = tapp eq_int  [four ; two_plus_two] in
    Dprop(Decl.Pgoal, ident "g", goal_term)
  in
  (ident "M1",[use_int_Int ; g])
(* END{code1} *)


(* declaration of
  BEGIN{source2}
module M2
  let f (x:int) : int
    requires { x=6 }
    ensures { result=42 }
   = x*7
end
  END{source2}
 *)

(* BEGIN{code2} *)
let eq_symb = qualid [Ident.op_infix "="]
let int_type_id = qualid ["int"]
let int_type = PTtyapp(int_type_id,[])
let mul_int = qualid ["Int";Ident.op_infix "*"]

let mod_M2 =
  (* use int.Int *)
  let use_int_Int = use ~import:false (["int";"Int"]) in
  (* f *)
  let f =
    let id_x = ident "x" in
    let pre = tapp eq_symb [tvar (Qident id_x); tconst 6] in
    let result = ident "result" in
    let post = tapp eq_symb [tvar (Qident result); tconst 42] in
    let spec = {
      sp_pre = [pre];
      sp_post = [Loc.dummy_position,[pat_var result,post]];
      sp_xpost = [];
      sp_reads = [];
      sp_writes = [];
      sp_alias = [];
      sp_variant = [];
      sp_checkrw = false;
      sp_diverge = false;
      sp_partial = false;
    }
    in
    let body = eapp mul_int [evar (Qident id_x); econst 7] in
    let f =
      Efun(one_binder ~pty:int_type "x", None, pat Pwild,
           Ity.MaskVisible, spec, body)
    in
    Dlet(ident "f",false,Expr.RKnone, expr f)
  in
  (ident "M2",[use_int_Int ; f])
(* END{code2} *)


(* declaration of
  BEGIN{source3}
module M3
  let f() : int
     requires { true }
     ensures { result >= 0 }
   = let x = ref 42 in !x
end
  END{source3}
 *)

(* BEGIN{code3} *)
let ge_int = qualid ["Int";Ident.op_infix ">="]

let mod_M3 =
  (* use int.Int *)
  let use_int_Int = use ~import:false (["int";"Int"]) in
  (* use ref.Ref *)
  let use_ref_Ref = use ~import:false (["ref";"Ref"]) in
  (* f *)
  let f =
    let result = ident "result" in
    let post = term(Tidapp(ge_int,[tvar (Qident result);tconst 0])) in
    let spec = {
      sp_pre = [];
      sp_post = [Loc.dummy_position,[pat_var result,post]];
      sp_xpost = [];
      sp_reads = [];
      sp_writes = [];
      sp_alias = [];
      sp_variant = [];
      sp_checkrw = false;
      sp_diverge = false;
      sp_partial = false;
    }
    in
    let body =
      let e1 = eapply (evar (qualid ["Ref";"ref"])) (econst 42) in
      let id_x = ident "x" in
      let qid = qualid ["Ref";Ident.op_prefix "!"] in
      let e2 = eapply (evar qid) (evar (Qident id_x)) in
      expr(Elet(id_x,false,Expr.RKnone,e1,e2))
    in
    let f = Efun(unit_binder (),None,pat Pwild,Ity.MaskVisible,spec,body)
    in
    Dlet(ident "f",false,Expr.RKnone, expr f)
  in
  (ident "M3",[use_int_Int ; use_ref_Ref ; f])
(* END{code3} *)

(* declaration of
  BEGIN{source4}
module M4
  let f (a:array int) : unit
    requires { a.length >= 1 }
    ensures { a[0] = 42 }
   = a[0] <- 42
end
  END{source4}
 *)

(* BEGIN{code4} *)

let array_int_type = PTtyapp(qualid ["Array";"array"],[int_type])

let length = qualid ["Array";"length"]

let array_get = qualid ["Array"; Ident.op_get ""]

let array_set = qualid ["Array"; Ident.op_set ""]

let mod_M4 =
  (* use int.Int *)
  let use_int_Int = use ~import:false (["int";"Int"]) in
  (* use array.Array *)
  let use_array_Array = use ~import:false (["array";"Array"]) in
  (* use f *)
  let f =
    let id_a = ident "a" in
    let pre =
      tapp ge_int [tapp length [tvar (Qident id_a)]; tconst 1]
    in
    let post =
      tapp eq_symb [tapp array_get [tvar (Qident id_a); tconst 0];
                       tconst 42]
    in
    let spec = {
      sp_pre = [pre];
      sp_post = [Loc.dummy_position,[pat Pwild,post]];
      sp_xpost = [];
      sp_reads = [];
      sp_writes = [];
      sp_alias = [];
      sp_variant = [];
      sp_checkrw = false;
      sp_diverge = false;
      sp_partial = false;
    }
    in
    let body =
      eapp array_set [evar (Qident id_a); econst 0; econst 42]
    in
    let f = Efun(one_binder ~pty:array_int_type "a",
                 None,pat Pwild,Ity.MaskVisible,spec,body)
    in
    Dlet(ident "f", false, Expr.RKnone, expr f)
  in
  (ident "M4",[use_int_Int ; use_array_Array ; f])
(* END{code4} *)

(* The following example is not in the manual
 * it shows how to use Ptree API for scope/import declarations
module M5
  scope S
      function f (x : int) : int = x
  end

  import S
  goal g : f 2 = 2
end
*)

let mod_M45 =
  (* use int.Int *)
  let use_int_Int = use ~import:false (["int";"Int"]) in
  (* scope S *)
  let scope_S =
    (* f *)
    let f =
      let logic = {
        ld_loc = Loc.dummy_position;
        ld_ident = ident "f";
        ld_params = [(Loc.dummy_position,Some (ident "x"),false,int_type)] ;
        ld_type = Some int_type;
        ld_def = Some (tvar (Qident (ident "x"))) ;
      } in
      Dlogic([logic])
    in
    Dscope(Loc.dummy_position,false,ident "S",[f])
  in
  (* import S *)
  let import_S = Dimport (qualid ["S"]) in
  (* goal g : f 2 = 2 *)
  let g =
    let two = tconst 2 in
    let eq_int = qualid ["Int";Ident.op_infix "="] in
    let f_of_two = tapp (qualid ["f"]) [two] in
    let goal_term = tapp eq_int [f_of_two ; two] in
    Dprop(Decl.Pgoal,ident "g",goal_term)
  in
  (ident "M45",[use_int_Int ; scope_S ; import_S ; g])

(* BEGIN{getmodules} *)
let mlw_file = Modules [mod_M1 ; mod_M2 ; mod_M3 ; mod_M4]
(* END{getmodules} *)

open Format

let () = printf "%a@." (Mlw_printer.pp_mlw_file ~attr:true) mlw_file

(* BEGIN{topdownf} *)
let mlw_file =
  let uc = F.create () in
  let uc = F.begin_module uc "M5" in
  let uc = F.use uc ~import:false ["int";"Int"] in
  let uc = F.use uc ~import:false ["array";"Array"] in
  let uc = F.begin_let uc "f" (one_binder ~pty:array_int_type "a") in
  let id_a = Qident (ident "a") in
  let pre = tapp ge_int [tapp length [tvar id_a]; tconst 1] in
  let uc = F.add_pre uc pre in
  let post =
    tapp eq_symb [tapp array_get [tvar id_a; tconst 0];
                  tconst 42]
  in
  let uc = F.add_post uc post in
  let body = eapp array_set [evar id_a; econst 0; econst 42] in
  let uc = F.add_body uc body in
  let uc = F.end_module uc in
  F.get_mlw_file uc
(* END{topdownf} *)

let () = printf "%a@." (Mlw_printer.pp_mlw_file ~attr:true) mlw_file

(* BEGIN{topdowni} *)
let mlw_file =
  I.begin_module "M6";
  I.use ~import:false ["int";"Int"];
  I.use ~import:false ["array";"Array"];
  I.begin_let "f" (one_binder ~pty:array_int_type "a");
  let id_a = Qident (ident "a") in
  let pre = tapp ge_int [tapp length [tvar id_a]; tconst 1] in
  I.add_pre pre;
  let post =
    tapp eq_symb [tapp array_get [tvar id_a; tconst 0];
                  tconst 42]
  in
  I.add_post post;
  let body = eapp array_set [evar id_a; econst 0; econst 42] in
  I.add_body body;
  I.end_module ();
  I.get_mlw_file ()
(* END{topdowni} *)


(* Printing back the mlw file *)

(* BEGIN{mlwprinter} *)
let () = printf "%a@." (Mlw_printer.pp_mlw_file ~attr:true) mlw_file
(* END{mlwprinter} *)

(* BEGIN{typemodules} *)
let mods = Typing.type_mlw_file env [] "myfile.mlw" mlw_file
(* END{typemodules} *)

(* BEGIN{typemoduleserror} *)
let _mods =
  try
    Typing.type_mlw_file env [] "myfile.mlw" mlw_file
  with Loc.Located (loc, e) -> (* A located exception [e] *)
    let msg = asprintf "%a" Exn_printer.exn_printer e in
    printf "%a@."
      (Mlw_printer.with_marker ~msg loc (Mlw_printer.pp_mlw_file ~attr:true))
      mlw_file;
    exit 1
(* END{typemoduleserror} *)

(* Checking the VCs *)

(* BEGIN{checkingvcs} *)
let my_tasks : Task.task list =
  let mods =
    Wstdlib.Mstr.fold
      (fun _ m acc ->
       List.rev_append
         (Task.split_theory m.Pmodule.mod_theory None None) acc)
      mods []
  in List.rev mods



let provers : Whyconf.config_prover Whyconf.Mprover.t =
  Whyconf.get_provers config

let alt_ergo : Whyconf.config_prover =
  let fp = Whyconf.parse_filter_prover "Alt-Ergo" in
  let provers = Whyconf.filter_provers config fp in
  if Whyconf.Mprover.is_empty provers then begin
    eprintf "Prover Alt-Ergo not installed or not configured@.";
    exit 1
  end else
    snd (Whyconf.Mprover.max_binding provers)

let alt_ergo_driver : Driver.driver =
  try
    Driver.load_driver_for_prover main env alt_ergo
  with e ->
    eprintf "Failed to load driver for alt-ergo: %a@."
      Exn_printer.exn_printer e;
    exit 1

let () =
  List.iteri (fun i t ->
      let call =
        Driver.prove_task ~limit:Call_provers.empty_limit
          ~config:main
          ~command:alt_ergo.Whyconf.command alt_ergo_driver t in
      let r = Call_provers.wait_on_call call in
      printf "@[On task %d, alt-ergo answers %a@." (succ i)
        (Call_provers.print_prover_result ?json:None) r)
    my_tasks
(* END{checkingvcs} *)

(*
Local Variables:
compile-command: "make -C ../.. test-api-mlw_tree"
End:
*)
why3-1.6.0/examples/use_api/mlw_tree_infer_invs.ml000066400000000000000000000170251440160026300222460ustar00rootroot00000000000000(********************************************************************)
(*                                                                  *)
(*  The Why3 Verification Platform   /   The Why3 Development Team  *)
(*  Copyright 2010-2023 --  Inria - CNRS - Paris-Saclay University  *)
(*                                                                  *)
(*  This software is distributed under the terms of the GNU Lesser  *)
(*  General Public License version 2.1, with the special exception  *)
(*  on linking described in file LICENSE.                           *)
(*                                                                  *)
(********************************************************************)

(*******************

This file builds some MLW modules, using parse trees instead of direct
API calls

******************)

open Why3
let config = Whyconf.init_config None
let main : Whyconf.main = Whyconf.get_main config
let env : Env.env = Env.create_env (Whyconf.loadpath main)
open Ptree

let mk_ident s = { id_str = s; id_ats = []; id_loc = Loc.dummy_position }

let mk_qualid l =
  let rec aux l =
    match l with
      | [] -> assert false
      | [x] -> Qident(mk_ident x)
      | x::r -> Qdot(aux r,mk_ident x)
  in
  aux (List.rev l)

let use_import l =
  let qid_id_opt = (mk_qualid l, None) in
  Duseimport(Loc.dummy_position,false,[qid_id_opt])

let mk_expr e = { expr_desc = e; expr_loc = Loc.dummy_position }

let mk_term t = { term_desc = t; term_loc = Loc.dummy_position }

let mk_pat p = { pat_desc = p; pat_loc = Loc.dummy_position }

let mk_var id = mk_term (Tident (Qident id))

let param1 id ty = [Loc.dummy_position, Some id, false, Some ty]

let mk_const i =
  Constant.(ConstInt Number.{ il_kind = ILitDec; il_int = BigInt.of_int i })

let mk_tconst i = mk_term (Tconst (mk_const i))

let mk_econst i = mk_expr (Econst (mk_const i))

let mk_tapp f l = mk_term (Tidapp(f,l))

let mk_eapp f l = mk_expr (Eidapp(f,l))

let mk_apply e1 e2 = mk_expr (Eapply(e1,e2))

let mk_evar x = mk_expr(Eident(x))

(*BEGIN{helper2}*)
(* ... *)
let pat_wild = mk_pat Pwild
let pat_var id = mk_pat (Pvar id)

let mk_ewhile e1 i v e2 = mk_expr (Ewhile (e1,i,v,e2))
(*END{helper2}*)

(* declaration of
  BEGIN{source1}
module M1
  use int.Int
  use ref.Refint
  let f [@infer] (x:ref int) : unit
    requires { !x <= 100 }
    ensures  { !x = 100 }
  = while (!x < 100) do
      variant { 100 - !x }
      incr x
    done
end
  END{source1}
 *)

(* BEGIN{code1} *)
let int_type_id  = mk_qualid ["int"]
let int_type     = PTtyapp(int_type_id,[])
let ref_int_type = PTtyapp (mk_qualid ["ref"], [int_type])
let ref_access   = mk_qualid ["Refint"; Ident.op_prefix "!"]
let ref_assign   = mk_qualid ["Refint"; Ident.op_infix ":="]
let ref_int_incr = mk_qualid ["Refint"; "incr"]
let l_int        = mk_qualid ["Int";Ident.op_infix "<"]
let le_int       = mk_qualid ["Int";Ident.op_infix "<="]
let plus_int     = mk_qualid ["Int";Ident.op_infix "+"]
let minus_int    = mk_qualid ["Int";Ident.op_infix "-"]
let eq_symb      = mk_qualid [Ident.op_infix "="]

let mod_M1 =
  (* use int.Int *)
  let use_int_Int    = use_import (["int";"Int"]) in
  let use_ref_Refint = use_import (["ref";"Refint"]) in
  (* f *)
  let f =
    let id_x  = mk_ident "x" in
    let var_x = mk_var id_x in
    let t_x   = mk_tapp ref_access [var_x] in
    let pre   = mk_tapp le_int [t_x; mk_tconst 100] in
    let post  = mk_tapp eq_symb [t_x; mk_tconst 100] in
    let spec  = {
      sp_pre     = [pre];
      sp_post    = [Loc.dummy_position,[pat_var (mk_ident "result"), post]];
      sp_xpost   = [];
      sp_reads   = [];
      sp_writes  = [];
      sp_alias   = [];
      sp_variant = [];
      sp_checkrw = false;
      sp_diverge = false;
      sp_partial = false;
    }
    in
    let var_x      = mk_evar (Qident id_x) in
    (* !x *)
    let e_x        = mk_eapp ref_access [var_x] in
    (* !x < 100 *)
    let while_cond = mk_eapp l_int [e_x; mk_econst 100] in
    (* 100 - !x *)
    let while_vari = mk_tapp minus_int [mk_tconst 100; t_x], None in
    (* incr x *)
    let incr       = mk_apply (mk_evar ref_int_incr) var_x in
    (* while (!x < 100) do variant { 100 - !x } incr x done *)
    let while_loop = mk_ewhile while_cond [] [while_vari] incr in
    let f =
      Efun(param1 id_x ref_int_type, None, mk_pat Pwild,
           Ity.MaskVisible, spec, while_loop)
    in
    let attr = ATstr (Ident.create_attribute "infer") in
    let id = { (mk_ident "f") with id_ats = [attr] } in
    Dlet(id,false,Expr.RKnone, mk_expr f)
  in
  (mk_ident "M1",[use_int_Int; use_ref_Refint; f])
(* END{code1} *)

(*BEGIN{flags}*)
(* let () = Debug.set_flag Infer_cfg.infer_print_ai_result *)
(* let () = Debug.set_flag Infer_cfg.infer_print_cfg *)
(* let () = Debug.set_flag Infer_loop.print_inferred_invs *)
(*END{flags}*)

let mlw_file = Modules [ mod_M1 ]

(* Printing back the mlw file *)

let () = Format.printf "%a@." (Mlw_printer.pp_mlw_file ~attr:true) mlw_file

(*BEGIN{inv_hook}*)
let print_to_std invs =
  let print_inv fmt (_,t) = Pretty.print_term fmt t in
  Format.printf "The following invariants were generated:@\n%a@."
    (Pp.print_list Pp.newline2 print_inv) invs

let print_to_file invs =
  let print_inv fmt (_,t) = Pretty.print_term fmt t in
  let fmt = Format.formatter_of_out_channel (open_out "inferred_invs.out") in
  Format.fprintf fmt "Generated invariants:@\n%a@."
    (Pp.print_list Pp.newline2 print_inv) invs

let inv_terms = ref []

let save_invs invs =
  inv_terms := List.map snd invs

let () =
  Infer_loop.register_hook (fun i ->
      print_to_std i; print_to_file i; save_invs i)
(*END{inv_hook}*)

let mods =
  try
    Typing.type_mlw_file env [] "myfile.mlw" mlw_file
  with Loc.Located (loc, e) -> (* A located exception [e] *)
    let msg = Format.asprintf "%a" Exn_printer.exn_printer e in
    Format.printf "%a@."
      (Mlw_printer.with_marker ~msg loc (Mlw_printer.pp_mlw_file ~attr:true))
      mlw_file;
    exit 1

(* Checking the VCs *)

let my_tasks : Task.task list =
  let mods =
    Wstdlib.Mstr.fold
      (fun _ m acc ->
       List.rev_append
         (Task.split_theory m.Pmodule.mod_theory None None) acc)
      mods []
  in List.rev mods

open Format

let () =
  printf "Tasks are:@.";
  let _ =
    List.fold_left
      (fun i t -> printf "Task %d: %a@." i Pretty.print_task t; i+1)
      1 my_tasks
  in ()

let provers : Whyconf.config_prover Whyconf.Mprover.t =
  Whyconf.get_provers config

let alt_ergo : Whyconf.config_prover =
  let fp = Whyconf.parse_filter_prover "Alt-Ergo" in
  (** all provers that have the name "Alt-Ergo" *)
  let provers = Whyconf.filter_provers config fp in
  if Whyconf.Mprover.is_empty provers then begin
    eprintf "Prover Alt-Ergo not installed or not configured@.";
    exit 1
  end else
    snd (Whyconf.Mprover.max_binding provers)

let alt_ergo_driver : Driver.driver =
  try
    Driver.load_driver_for_prover main env alt_ergo
  with e ->
    eprintf "Failed to load driver for alt-ergo: %a@."
      Exn_printer.exn_printer e;
    exit 1

let () =
  let _ =
    List.fold_left
      (fun i t ->
       let r =
         Call_provers.wait_on_call
           (Driver.prove_task ~limit:Call_provers.empty_limit
                              ~command:alt_ergo.Whyconf.command
                              alt_ergo_driver t)
       in
       printf "@[On task %d, alt-ergo answers %a@."
              i (Call_provers.print_prover_result ?json:None) r;
       i+1
      )
      1 my_tasks
  in ()

(* make sure the why3 lib is installed: do "make install-lib"
   in the why3 root directory *)
(*
Local Variables:
compile-command: "ocamlfind ocamlopt -linkpkg -package why3 mlw_tree_infer_invs.ml"
End:
*)
why3-1.6.0/examples/use_api/oracles/000077500000000000000000000000001440160026300172775ustar00rootroot00000000000000why3-1.6.0/examples/use_api/oracles/test-api-clone.stdout000066400000000000000000000705311440160026300233750ustar00rootroot00000000000000Theory are:
theory Test
  (* use why3.BuiltIn.BuiltIn *)
  
  (* use why3.Bool.Bool *)
  
  (* use why3.Unit.Unit *)
  
  (* use int.Int *)
  
  type a = 
  
  function a'int a : int
  
  constant a'maxInt : int = 46
  
  constant a'minInt : int = 22
  
  (* meta range_type type a, function a'int *)
  
  (* meta model_projection function a'int *)
  
  goal f2'vc : let result'unused = True in false
  
  goal f3'vc : forall b:a. let _result'unused = b in a'int b = 42
  
  goal f1'vc :
    forall b:a. a'int b = 42 -> (let result'unused = (42:a) in 42 = a'int b)
end

theory Test1
  (* use why3.BuiltIn.BuiltIn *)
  
  (* use why3.Bool.Bool *)
  
  (* use why3.Unit.Unit *)
  
  (* use int.Int *)
  
  type a1 = 
  
  function a'int1 a1 : int
  
  constant a'maxInt1 : int = 46
  
  constant a'minInt1 : int = 22
  
  (* meta range_type type a1, function a'int1 *)
  
  (* meta model_projection function a'int1 *)
  
  (* clone Test with type a = a1, constant a'minInt = a'minInt1,
    constant a'maxInt = a'maxInt1, function a'int = a'int1,  *)
end

Tasks are:
Task 1: theory Task
          type int
          
          type real
          
          type string
          
          predicate (=) 'a 'a
          
          (* use why3.BuiltIn.BuiltIn *)
          
          type bool =
            | True
            | False
          
          (* use why3.Bool.Bool *)
          
          type tuple0 =
            | Tuple0
          
          (* use why3.Tuple0.Tuple01 *)
          
          type unit = unit
          
          (* use why3.Unit.Unit *)
          
          constant zero : int = 0
          
          constant one : int = 1
          
          function (-_) int : int
          
          function (+) int int : int
          
          function ( * ) int int : int
          
          predicate (<) int int
          
          function (-) (x:int) (y:int) : int = x + (- y)
          
          predicate (>) (x:int) (y:int) = y < x
          
          predicate (<=) (x:int) (y:int) = x < y \/ x = y
          
          predicate (>=) (x:int) (y:int) = y <= x
          
          axiom Assoc :
            forall x:int, y:int, z:int. ((x + y) + z) = (x + (y + z))
          
          (* clone algebra.Assoc with type t = int, function op = (+),
            prop Assoc1 = Assoc,  *)
          
          axiom Unit_def_l : forall x:int. (zero + x) = x
          
          axiom Unit_def_r : forall x:int. (x + zero) = x
          
          (* clone algebra.Monoid with type t1 = int, constant unit = zero,
            function op1 = (+), prop Unit_def_r1 = Unit_def_r,
            prop Unit_def_l1 = Unit_def_l, prop Assoc2 = Assoc,  *)
          
          axiom Inv_def_l : forall x:int. ((- x) + x) = zero
          
          axiom Inv_def_r : forall x:int. (x + (- x)) = zero
          
          (* clone algebra.Group with type t2 = int, function inv = (-_),
            constant unit1 = zero, function op2 = (+),
            prop Inv_def_r1 = Inv_def_r, prop Inv_def_l1 = Inv_def_l,
            prop Unit_def_r2 = Unit_def_r, prop Unit_def_l2 = Unit_def_l,
            prop Assoc3 = Assoc,  *)
          
          axiom Comm : forall x:int, y:int. (x + y) = (y + x)
          
          (* clone algebra.Comm with type t3 = int, function op3 = (+),
            prop Comm1 = Comm,  *)
          
          (* meta AC function (+) *)
          
          (* clone algebra.CommutativeGroup with type t4 = int,
            function inv1 = (-_), constant unit2 = zero, function op4 = (+),
            prop Comm2 = Comm, prop Inv_def_r2 = Inv_def_r,
            prop Inv_def_l2 = Inv_def_l, prop Unit_def_r3 = Unit_def_r,
            prop Unit_def_l3 = Unit_def_l, prop Assoc4 = Assoc,  *)
          
          axiom Assoc5 :
            forall x:int, y:int, z:int. ((x * y) * z) = (x * (y * z))
          
          (* clone algebra.Assoc with type t = int, function op = ( * ),
            prop Assoc1 = Assoc5,  *)
          
          axiom Mul_distr_l :
            forall x:int, y:int, z:int. (x * (y + z)) = ((x * y) + (x * z))
          
          axiom Mul_distr_r :
            forall x:int, y:int, z:int. ((y + z) * x) = ((y * x) + (z * x))
          
          (* clone algebra.Ring with type t5 = int, function ( *') = ( * ),
            function (-'_) = (-_), function (+') = (+),
            constant zero1 = zero, prop Mul_distr_r1 = Mul_distr_r,
            prop Mul_distr_l1 = Mul_distr_l, prop Assoc6 = Assoc5,
            prop Comm3 = Comm, prop Inv_def_r3 = Inv_def_r,
            prop Inv_def_l3 = Inv_def_l, prop Unit_def_r4 = Unit_def_r,
            prop Unit_def_l4 = Unit_def_l, prop Assoc7 = Assoc,  *)
          
          axiom Comm4 : forall x:int, y:int. (x * y) = (y * x)
          
          (* clone algebra.Comm with type t3 = int, function op3 = ( * ),
            prop Comm1 = Comm4,  *)
          
          (* meta AC function ( * ) *)
          
          (* clone algebra.CommutativeRing with type t6 = int,
            function ( *'') = ( * ), function (-''_) = (-_),
            function (+'') = (+), constant zero2 = zero, prop Comm5 = Comm4,
            prop Mul_distr_r2 = Mul_distr_r, prop Mul_distr_l2 = Mul_distr_l,
            prop Assoc8 = Assoc5, prop Comm6 = Comm,
            prop Inv_def_r4 = Inv_def_r, prop Inv_def_l4 = Inv_def_l,
            prop Unit_def_r5 = Unit_def_r, prop Unit_def_l5 = Unit_def_l,
            prop Assoc9 = Assoc,  *)
          
          axiom Unitary : forall x:int. (one * x) = x
          
          axiom NonTrivialRing : not zero = one
          
          (* clone algebra.UnitaryCommutativeRing with type t7 = int,
            constant one1 = one, function ( *''') = ( * ),
            function (-'''_) = (-_), function (+''') = (+),
            constant zero3 = zero, prop NonTrivialRing1 = NonTrivialRing,
            prop Unitary1 = Unitary, prop Comm7 = Comm4,
            prop Mul_distr_r3 = Mul_distr_r, prop Mul_distr_l3 = Mul_distr_l,
            prop Assoc10 = Assoc5, prop Comm8 = Comm,
            prop Inv_def_r5 = Inv_def_r, prop Inv_def_l5 = Inv_def_l,
            prop Unit_def_r6 = Unit_def_r, prop Unit_def_l6 = Unit_def_l,
            prop Assoc11 = Assoc,  *)
          
          (* clone relations.EndoRelation with type t8 = int,
            predicate rel = (<=),  *)
          
          axiom Refl : forall x:int. x <= x
          
          (* clone relations.Reflexive with type t9 = int,
            predicate rel1 = (<=), prop Refl1 = Refl,  *)
          
          (* clone relations.EndoRelation with type t8 = int,
            predicate rel = (<=),  *)
          
          axiom Trans :
            forall x:int, y:int, z:int. x <= y -> y <= z -> x <= z
          
          (* clone relations.Transitive with type t10 = int,
            predicate rel2 = (<=), prop Trans1 = Trans,  *)
          
          (* clone relations.PreOrder with type t11 = int,
            predicate rel3 = (<=), prop Trans2 = Trans, prop Refl2 = Refl,
             *)
          
          (* clone relations.EndoRelation with type t8 = int,
            predicate rel = (<=),  *)
          
          axiom Antisymm : forall x:int, y:int. x <= y -> y <= x -> x = y
          
          (* clone relations.Antisymmetric with type t12 = int,
            predicate rel4 = (<=), prop Antisymm1 = Antisymm,  *)
          
          (* clone relations.PartialOrder with type t13 = int,
            predicate rel5 = (<=), prop Antisymm2 = Antisymm,
            prop Trans3 = Trans, prop Refl3 = Refl,  *)
          
          (* clone relations.EndoRelation with type t8 = int,
            predicate rel = (<=),  *)
          
          axiom Total : forall x:int, y:int. x <= y \/ y <= x
          
          (* clone relations.Total with type t14 = int,
            predicate rel6 = (<=), prop Total1 = Total,  *)
          
          (* clone relations.TotalOrder with type t15 = int,
            predicate rel7 = (<=), prop Total2 = Total,
            prop Antisymm3 = Antisymm, prop Trans4 = Trans,
            prop Refl4 = Refl,  *)
          
          axiom ZeroLessOne : zero <= one
          
          axiom CompatOrderAdd :
            forall x:int, y:int, z:int. x <= y -> (x + z) <= (y + z)
          
          axiom CompatOrderMult :
            forall x:int, y:int, z:int.
             x <= y -> zero <= z -> (x * z) <= (y * z)
          
          (* meta remove_unused:dependency prop CompatOrderMult,
            function ( * ) *)
          
          (* clone algebra.OrderedUnitaryCommutativeRing with type t16 = int,
            predicate (<=') = (<=), constant one2 = one,
            function ( *'''') = ( * ), function (-''''_) = (-_),
            function (+'''') = (+), constant zero4 = zero,
            prop CompatOrderMult1 = CompatOrderMult,
            prop CompatOrderAdd1 = CompatOrderAdd,
            prop ZeroLessOne1 = ZeroLessOne, prop Total3 = Total,
            prop Antisymm4 = Antisymm, prop Trans5 = Trans,
            prop Refl5 = Refl, prop NonTrivialRing2 = NonTrivialRing,
            prop Unitary2 = Unitary, prop Comm9 = Comm4,
            prop Mul_distr_r4 = Mul_distr_r, prop Mul_distr_l4 = Mul_distr_l,
            prop Assoc12 = Assoc5, prop Comm10 = Comm,
            prop Inv_def_r6 = Inv_def_r, prop Inv_def_l6 = Inv_def_l,
            prop Unit_def_r7 = Unit_def_r, prop Unit_def_l7 = Unit_def_l,
            prop Assoc13 = Assoc,  *)
          
          (* use int.Int *)
          
          type a = 
          
          function a'int a : int
          
          constant a'maxInt : int = 46
          
          constant a'minInt : int = 22
          
          (* meta range_type type a, function a'int *)
          
          (* meta model_projection function a'int *)
          
          (* clone Test with type a1 = a, constant a'minInt1 = a'minInt,
            constant a'maxInt1 = a'maxInt, function a'int1 = a'int,  *)
          
          type a1 = 
          
          function a'int1 a1 : int
          
          constant a'maxInt1 : int = 46
          
          constant a'minInt1 : int = 22
          
          (* meta range_type type a1, function a'int1 *)
          
          (* meta model_projection function a'int1 *)
          
          goal f2'vc : let result'unused = True in false
end

Task 2: theory Task
          type int
          
          type real
          
          type string
          
          predicate (=) 'a 'a
          
          (* use why3.BuiltIn.BuiltIn *)
          
          type bool =
            | True
            | False
          
          (* use why3.Bool.Bool *)
          
          type tuple0 =
            | Tuple0
          
          (* use why3.Tuple0.Tuple01 *)
          
          type unit = unit
          
          (* use why3.Unit.Unit *)
          
          constant zero : int = 0
          
          constant one : int = 1
          
          function (-_) int : int
          
          function (+) int int : int
          
          function ( * ) int int : int
          
          predicate (<) int int
          
          function (-) (x:int) (y:int) : int = x + (- y)
          
          predicate (>) (x:int) (y:int) = y < x
          
          predicate (<=) (x:int) (y:int) = x < y \/ x = y
          
          predicate (>=) (x:int) (y:int) = y <= x
          
          axiom Assoc :
            forall x:int, y:int, z:int. ((x + y) + z) = (x + (y + z))
          
          (* clone algebra.Assoc with type t = int, function op = (+),
            prop Assoc1 = Assoc,  *)
          
          axiom Unit_def_l : forall x:int. (zero + x) = x
          
          axiom Unit_def_r : forall x:int. (x + zero) = x
          
          (* clone algebra.Monoid with type t1 = int, constant unit = zero,
            function op1 = (+), prop Unit_def_r1 = Unit_def_r,
            prop Unit_def_l1 = Unit_def_l, prop Assoc2 = Assoc,  *)
          
          axiom Inv_def_l : forall x:int. ((- x) + x) = zero
          
          axiom Inv_def_r : forall x:int. (x + (- x)) = zero
          
          (* clone algebra.Group with type t2 = int, function inv = (-_),
            constant unit1 = zero, function op2 = (+),
            prop Inv_def_r1 = Inv_def_r, prop Inv_def_l1 = Inv_def_l,
            prop Unit_def_r2 = Unit_def_r, prop Unit_def_l2 = Unit_def_l,
            prop Assoc3 = Assoc,  *)
          
          axiom Comm : forall x:int, y:int. (x + y) = (y + x)
          
          (* clone algebra.Comm with type t3 = int, function op3 = (+),
            prop Comm1 = Comm,  *)
          
          (* meta AC function (+) *)
          
          (* clone algebra.CommutativeGroup with type t4 = int,
            function inv1 = (-_), constant unit2 = zero, function op4 = (+),
            prop Comm2 = Comm, prop Inv_def_r2 = Inv_def_r,
            prop Inv_def_l2 = Inv_def_l, prop Unit_def_r3 = Unit_def_r,
            prop Unit_def_l3 = Unit_def_l, prop Assoc4 = Assoc,  *)
          
          axiom Assoc5 :
            forall x:int, y:int, z:int. ((x * y) * z) = (x * (y * z))
          
          (* clone algebra.Assoc with type t = int, function op = ( * ),
            prop Assoc1 = Assoc5,  *)
          
          axiom Mul_distr_l :
            forall x:int, y:int, z:int. (x * (y + z)) = ((x * y) + (x * z))
          
          axiom Mul_distr_r :
            forall x:int, y:int, z:int. ((y + z) * x) = ((y * x) + (z * x))
          
          (* clone algebra.Ring with type t5 = int, function ( *') = ( * ),
            function (-'_) = (-_), function (+') = (+),
            constant zero1 = zero, prop Mul_distr_r1 = Mul_distr_r,
            prop Mul_distr_l1 = Mul_distr_l, prop Assoc6 = Assoc5,
            prop Comm3 = Comm, prop Inv_def_r3 = Inv_def_r,
            prop Inv_def_l3 = Inv_def_l, prop Unit_def_r4 = Unit_def_r,
            prop Unit_def_l4 = Unit_def_l, prop Assoc7 = Assoc,  *)
          
          axiom Comm4 : forall x:int, y:int. (x * y) = (y * x)
          
          (* clone algebra.Comm with type t3 = int, function op3 = ( * ),
            prop Comm1 = Comm4,  *)
          
          (* meta AC function ( * ) *)
          
          (* clone algebra.CommutativeRing with type t6 = int,
            function ( *'') = ( * ), function (-''_) = (-_),
            function (+'') = (+), constant zero2 = zero, prop Comm5 = Comm4,
            prop Mul_distr_r2 = Mul_distr_r, prop Mul_distr_l2 = Mul_distr_l,
            prop Assoc8 = Assoc5, prop Comm6 = Comm,
            prop Inv_def_r4 = Inv_def_r, prop Inv_def_l4 = Inv_def_l,
            prop Unit_def_r5 = Unit_def_r, prop Unit_def_l5 = Unit_def_l,
            prop Assoc9 = Assoc,  *)
          
          axiom Unitary : forall x:int. (one * x) = x
          
          axiom NonTrivialRing : not zero = one
          
          (* clone algebra.UnitaryCommutativeRing with type t7 = int,
            constant one1 = one, function ( *''') = ( * ),
            function (-'''_) = (-_), function (+''') = (+),
            constant zero3 = zero, prop NonTrivialRing1 = NonTrivialRing,
            prop Unitary1 = Unitary, prop Comm7 = Comm4,
            prop Mul_distr_r3 = Mul_distr_r, prop Mul_distr_l3 = Mul_distr_l,
            prop Assoc10 = Assoc5, prop Comm8 = Comm,
            prop Inv_def_r5 = Inv_def_r, prop Inv_def_l5 = Inv_def_l,
            prop Unit_def_r6 = Unit_def_r, prop Unit_def_l6 = Unit_def_l,
            prop Assoc11 = Assoc,  *)
          
          (* clone relations.EndoRelation with type t8 = int,
            predicate rel = (<=),  *)
          
          axiom Refl : forall x:int. x <= x
          
          (* clone relations.Reflexive with type t9 = int,
            predicate rel1 = (<=), prop Refl1 = Refl,  *)
          
          (* clone relations.EndoRelation with type t8 = int,
            predicate rel = (<=),  *)
          
          axiom Trans :
            forall x:int, y:int, z:int. x <= y -> y <= z -> x <= z
          
          (* clone relations.Transitive with type t10 = int,
            predicate rel2 = (<=), prop Trans1 = Trans,  *)
          
          (* clone relations.PreOrder with type t11 = int,
            predicate rel3 = (<=), prop Trans2 = Trans, prop Refl2 = Refl,
             *)
          
          (* clone relations.EndoRelation with type t8 = int,
            predicate rel = (<=),  *)
          
          axiom Antisymm : forall x:int, y:int. x <= y -> y <= x -> x = y
          
          (* clone relations.Antisymmetric with type t12 = int,
            predicate rel4 = (<=), prop Antisymm1 = Antisymm,  *)
          
          (* clone relations.PartialOrder with type t13 = int,
            predicate rel5 = (<=), prop Antisymm2 = Antisymm,
            prop Trans3 = Trans, prop Refl3 = Refl,  *)
          
          (* clone relations.EndoRelation with type t8 = int,
            predicate rel = (<=),  *)
          
          axiom Total : forall x:int, y:int. x <= y \/ y <= x
          
          (* clone relations.Total with type t14 = int,
            predicate rel6 = (<=), prop Total1 = Total,  *)
          
          (* clone relations.TotalOrder with type t15 = int,
            predicate rel7 = (<=), prop Total2 = Total,
            prop Antisymm3 = Antisymm, prop Trans4 = Trans,
            prop Refl4 = Refl,  *)
          
          axiom ZeroLessOne : zero <= one
          
          axiom CompatOrderAdd :
            forall x:int, y:int, z:int. x <= y -> (x + z) <= (y + z)
          
          axiom CompatOrderMult :
            forall x:int, y:int, z:int.
             x <= y -> zero <= z -> (x * z) <= (y * z)
          
          (* meta remove_unused:dependency prop CompatOrderMult,
            function ( * ) *)
          
          (* clone algebra.OrderedUnitaryCommutativeRing with type t16 = int,
            predicate (<=') = (<=), constant one2 = one,
            function ( *'''') = ( * ), function (-''''_) = (-_),
            function (+'''') = (+), constant zero4 = zero,
            prop CompatOrderMult1 = CompatOrderMult,
            prop CompatOrderAdd1 = CompatOrderAdd,
            prop ZeroLessOne1 = ZeroLessOne, prop Total3 = Total,
            prop Antisymm4 = Antisymm, prop Trans5 = Trans,
            prop Refl5 = Refl, prop NonTrivialRing2 = NonTrivialRing,
            prop Unitary2 = Unitary, prop Comm9 = Comm4,
            prop Mul_distr_r4 = Mul_distr_r, prop Mul_distr_l4 = Mul_distr_l,
            prop Assoc12 = Assoc5, prop Comm10 = Comm,
            prop Inv_def_r6 = Inv_def_r, prop Inv_def_l6 = Inv_def_l,
            prop Unit_def_r7 = Unit_def_r, prop Unit_def_l7 = Unit_def_l,
            prop Assoc13 = Assoc,  *)
          
          (* use int.Int *)
          
          type a = 
          
          function a'int a : int
          
          constant a'maxInt : int = 46
          
          constant a'minInt : int = 22
          
          (* meta range_type type a, function a'int *)
          
          (* meta model_projection function a'int *)
          
          (* clone Test with type a1 = a, constant a'minInt1 = a'minInt,
            constant a'maxInt1 = a'maxInt, function a'int1 = a'int,  *)
          
          type a1 = 
          
          function a'int1 a1 : int
          
          constant a'maxInt1 : int = 46
          
          constant a'minInt1 : int = 22
          
          (* meta range_type type a1, function a'int1 *)
          
          (* meta model_projection function a'int1 *)
          
          goal f3'vc : forall b:a1. let _result'unused = b in a'int1 b = 42
end

Task 3: theory Task
          type int
          
          type real
          
          type string
          
          predicate (=) 'a 'a
          
          (* use why3.BuiltIn.BuiltIn *)
          
          type bool =
            | True
            | False
          
          (* use why3.Bool.Bool *)
          
          type tuple0 =
            | Tuple0
          
          (* use why3.Tuple0.Tuple01 *)
          
          type unit = unit
          
          (* use why3.Unit.Unit *)
          
          constant zero : int = 0
          
          constant one : int = 1
          
          function (-_) int : int
          
          function (+) int int : int
          
          function ( * ) int int : int
          
          predicate (<) int int
          
          function (-) (x:int) (y:int) : int = x + (- y)
          
          predicate (>) (x:int) (y:int) = y < x
          
          predicate (<=) (x:int) (y:int) = x < y \/ x = y
          
          predicate (>=) (x:int) (y:int) = y <= x
          
          axiom Assoc :
            forall x:int, y:int, z:int. ((x + y) + z) = (x + (y + z))
          
          (* clone algebra.Assoc with type t = int, function op = (+),
            prop Assoc1 = Assoc,  *)
          
          axiom Unit_def_l : forall x:int. (zero + x) = x
          
          axiom Unit_def_r : forall x:int. (x + zero) = x
          
          (* clone algebra.Monoid with type t1 = int, constant unit = zero,
            function op1 = (+), prop Unit_def_r1 = Unit_def_r,
            prop Unit_def_l1 = Unit_def_l, prop Assoc2 = Assoc,  *)
          
          axiom Inv_def_l : forall x:int. ((- x) + x) = zero
          
          axiom Inv_def_r : forall x:int. (x + (- x)) = zero
          
          (* clone algebra.Group with type t2 = int, function inv = (-_),
            constant unit1 = zero, function op2 = (+),
            prop Inv_def_r1 = Inv_def_r, prop Inv_def_l1 = Inv_def_l,
            prop Unit_def_r2 = Unit_def_r, prop Unit_def_l2 = Unit_def_l,
            prop Assoc3 = Assoc,  *)
          
          axiom Comm : forall x:int, y:int. (x + y) = (y + x)
          
          (* clone algebra.Comm with type t3 = int, function op3 = (+),
            prop Comm1 = Comm,  *)
          
          (* meta AC function (+) *)
          
          (* clone algebra.CommutativeGroup with type t4 = int,
            function inv1 = (-_), constant unit2 = zero, function op4 = (+),
            prop Comm2 = Comm, prop Inv_def_r2 = Inv_def_r,
            prop Inv_def_l2 = Inv_def_l, prop Unit_def_r3 = Unit_def_r,
            prop Unit_def_l3 = Unit_def_l, prop Assoc4 = Assoc,  *)
          
          axiom Assoc5 :
            forall x:int, y:int, z:int. ((x * y) * z) = (x * (y * z))
          
          (* clone algebra.Assoc with type t = int, function op = ( * ),
            prop Assoc1 = Assoc5,  *)
          
          axiom Mul_distr_l :
            forall x:int, y:int, z:int. (x * (y + z)) = ((x * y) + (x * z))
          
          axiom Mul_distr_r :
            forall x:int, y:int, z:int. ((y + z) * x) = ((y * x) + (z * x))
          
          (* clone algebra.Ring with type t5 = int, function ( *') = ( * ),
            function (-'_) = (-_), function (+') = (+),
            constant zero1 = zero, prop Mul_distr_r1 = Mul_distr_r,
            prop Mul_distr_l1 = Mul_distr_l, prop Assoc6 = Assoc5,
            prop Comm3 = Comm, prop Inv_def_r3 = Inv_def_r,
            prop Inv_def_l3 = Inv_def_l, prop Unit_def_r4 = Unit_def_r,
            prop Unit_def_l4 = Unit_def_l, prop Assoc7 = Assoc,  *)
          
          axiom Comm4 : forall x:int, y:int. (x * y) = (y * x)
          
          (* clone algebra.Comm with type t3 = int, function op3 = ( * ),
            prop Comm1 = Comm4,  *)
          
          (* meta AC function ( * ) *)
          
          (* clone algebra.CommutativeRing with type t6 = int,
            function ( *'') = ( * ), function (-''_) = (-_),
            function (+'') = (+), constant zero2 = zero, prop Comm5 = Comm4,
            prop Mul_distr_r2 = Mul_distr_r, prop Mul_distr_l2 = Mul_distr_l,
            prop Assoc8 = Assoc5, prop Comm6 = Comm,
            prop Inv_def_r4 = Inv_def_r, prop Inv_def_l4 = Inv_def_l,
            prop Unit_def_r5 = Unit_def_r, prop Unit_def_l5 = Unit_def_l,
            prop Assoc9 = Assoc,  *)
          
          axiom Unitary : forall x:int. (one * x) = x
          
          axiom NonTrivialRing : not zero = one
          
          (* clone algebra.UnitaryCommutativeRing with type t7 = int,
            constant one1 = one, function ( *''') = ( * ),
            function (-'''_) = (-_), function (+''') = (+),
            constant zero3 = zero, prop NonTrivialRing1 = NonTrivialRing,
            prop Unitary1 = Unitary, prop Comm7 = Comm4,
            prop Mul_distr_r3 = Mul_distr_r, prop Mul_distr_l3 = Mul_distr_l,
            prop Assoc10 = Assoc5, prop Comm8 = Comm,
            prop Inv_def_r5 = Inv_def_r, prop Inv_def_l5 = Inv_def_l,
            prop Unit_def_r6 = Unit_def_r, prop Unit_def_l6 = Unit_def_l,
            prop Assoc11 = Assoc,  *)
          
          (* clone relations.EndoRelation with type t8 = int,
            predicate rel = (<=),  *)
          
          axiom Refl : forall x:int. x <= x
          
          (* clone relations.Reflexive with type t9 = int,
            predicate rel1 = (<=), prop Refl1 = Refl,  *)
          
          (* clone relations.EndoRelation with type t8 = int,
            predicate rel = (<=),  *)
          
          axiom Trans :
            forall x:int, y:int, z:int. x <= y -> y <= z -> x <= z
          
          (* clone relations.Transitive with type t10 = int,
            predicate rel2 = (<=), prop Trans1 = Trans,  *)
          
          (* clone relations.PreOrder with type t11 = int,
            predicate rel3 = (<=), prop Trans2 = Trans, prop Refl2 = Refl,
             *)
          
          (* clone relations.EndoRelation with type t8 = int,
            predicate rel = (<=),  *)
          
          axiom Antisymm : forall x:int, y:int. x <= y -> y <= x -> x = y
          
          (* clone relations.Antisymmetric with type t12 = int,
            predicate rel4 = (<=), prop Antisymm1 = Antisymm,  *)
          
          (* clone relations.PartialOrder with type t13 = int,
            predicate rel5 = (<=), prop Antisymm2 = Antisymm,
            prop Trans3 = Trans, prop Refl3 = Refl,  *)
          
          (* clone relations.EndoRelation with type t8 = int,
            predicate rel = (<=),  *)
          
          axiom Total : forall x:int, y:int. x <= y \/ y <= x
          
          (* clone relations.Total with type t14 = int,
            predicate rel6 = (<=), prop Total1 = Total,  *)
          
          (* clone relations.TotalOrder with type t15 = int,
            predicate rel7 = (<=), prop Total2 = Total,
            prop Antisymm3 = Antisymm, prop Trans4 = Trans,
            prop Refl4 = Refl,  *)
          
          axiom ZeroLessOne : zero <= one
          
          axiom CompatOrderAdd :
            forall x:int, y:int, z:int. x <= y -> (x + z) <= (y + z)
          
          axiom CompatOrderMult :
            forall x:int, y:int, z:int.
             x <= y -> zero <= z -> (x * z) <= (y * z)
          
          (* meta remove_unused:dependency prop CompatOrderMult,
            function ( * ) *)
          
          (* clone algebra.OrderedUnitaryCommutativeRing with type t16 = int,
            predicate (<=') = (<=), constant one2 = one,
            function ( *'''') = ( * ), function (-''''_) = (-_),
            function (+'''') = (+), constant zero4 = zero,
            prop CompatOrderMult1 = CompatOrderMult,
            prop CompatOrderAdd1 = CompatOrderAdd,
            prop ZeroLessOne1 = ZeroLessOne, prop Total3 = Total,
            prop Antisymm4 = Antisymm, prop Trans5 = Trans,
            prop Refl5 = Refl, prop NonTrivialRing2 = NonTrivialRing,
            prop Unitary2 = Unitary, prop Comm9 = Comm4,
            prop Mul_distr_r4 = Mul_distr_r, prop Mul_distr_l4 = Mul_distr_l,
            prop Assoc12 = Assoc5, prop Comm10 = Comm,
            prop Inv_def_r6 = Inv_def_r, prop Inv_def_l6 = Inv_def_l,
            prop Unit_def_r7 = Unit_def_r, prop Unit_def_l7 = Unit_def_l,
            prop Assoc13 = Assoc,  *)
          
          (* use int.Int *)
          
          type a = 
          
          function a'int a : int
          
          constant a'maxInt : int = 46
          
          constant a'minInt : int = 22
          
          (* meta range_type type a, function a'int *)
          
          (* meta model_projection function a'int *)
          
          (* clone Test with type a1 = a, constant a'minInt1 = a'minInt,
            constant a'maxInt1 = a'maxInt, function a'int1 = a'int,  *)
          
          type a1 = 
          
          function a'int1 a1 : int
          
          constant a'maxInt1 : int = 46
          
          constant a'minInt1 : int = 22
          
          (* meta range_type type a1, function a'int1 *)
          
          (* meta model_projection function a'int1 *)
          
          goal f1'vc :
            forall b:a1.
             a'int1 b = 42 -> (let result'unused = (42:a1) in 42 = a'int1 b)
end

why3-1.6.0/examples/use_api/oracles/test-api-counterexample.stdout000066400000000000000000000105351440160026300253260ustar00rootroot00000000000000formula 2 is: A -> A /\ B
task 2 created:
theory Task
  predicate A
  
  predicate B
  
  (* meta get_counterexmp *)
  
  goal goal2 : A -> A /\ B
end

On task 1, CVC4,1.7 answers Unknown (sat) (0.0xs, xx steps)
Model is [{"filename": "myfile.my_ext",
           "model":
            [{"is_vc_line": false,
              "line": "28",
              "model_elements":
               [{"attrs": ["model_trace:my_A"],
                 "kind": "other",
                 "location":
                  {"end-char": 1,
                   "end-line": 28,
                   "file-name": "myfile.my_ext",
                   "start-char": 0,
                   "start-line": 28},
                 "lsymbol":
                  {"attrs": ["model_trace:my_A"],
                   "loc":
                    {"end-char": 1,
                     "end-line": 28,
                     "file-name": "myfile.my_ext",
                     "start-char": 0,
                     "start-line": 28},
                   "name": "A"},
                 "value":
                  {"value_concrete_term": {"type": "Boolean", "val": true},
                   "value_term": "Ttrue",
                   "value_type": null}}]},
             {"is_vc_line": true,
              "line": "42",
              "model_elements":
               [{"attrs": ["model_trace:my_A"],
                 "kind": "other",
                 "location":
                  {"end-char": 91,
                   "end-line": 42,
                   "file-name": "myfile.my_ext",
                   "start-char": 28,
                   "start-line": 42},
                 "lsymbol":
                  {"attrs": ["model_trace:my_A"],
                   "loc":
                    {"end-char": 91,
                     "end-line": 42,
                     "file-name": "myfile.my_ext",
                     "start-char": 28,
                     "start-line": 42},
                   "name": "A_vc_constant"},
                 "value":
                  {"value_concrete_term": {"type": "Boolean", "val": true},
                   "value_term": "Ttrue",
                   "value_type": null}},
                {"attrs": ["model_trace:my_B"],
                 "kind": "other",
                 "location":
                  {"end-char": 91,
                   "end-line": 42,
                   "file-name": "myfile.my_ext",
                   "start-char": 28,
                   "start-line": 42},
                 "lsymbol":
                  {"attrs": ["model_trace:my_B"],
                   "loc":
                    {"end-char": 91,
                     "end-line": 42,
                     "file-name": "myfile.my_ext",
                     "start-char": 28,
                     "start-line": 42},
                   "name": "B_vc_constant"},
                 "value":
                  {"value_concrete_term": {"type": "Boolean", "val": false},
                   "value_term": "Tfalse",
                   "value_type": null}}]}]},
          {"filename": "myfile.my_ext2",
           "model":
            [{"is_vc_line": false,
              "line": "101",
              "model_elements":
               [{"attrs": ["model_trace:my_B"],
                 "kind": "other",
                 "location":
                  {"end-char": 1,
                   "end-line": 101,
                   "file-name": "myfile.my_ext2",
                   "start-char": 0,
                   "start-line": 101},
                 "lsymbol":
                  {"attrs": ["model_trace:my_B"],
                   "loc":
                    {"end-char": 1,
                     "end-line": 101,
                     "file-name": "myfile.my_ext2",
                     "start-char": 0,
                     "start-line": 101},
                   "name": "B"},
                 "value":
                  {"value_concrete_term": {"type": "Boolean", "val": false},
                   "value_term": "Tfalse",
                   "value_type": null}}]}]}]

== Check CE

The program does not comply to the verification goal, for example during the
  following execution:
File .:
  Line 0:
    Execution of main function `f` with env:
      x = 42
  Line 5:
    Property failure at assertion with:
      x = 42

== RAC execute giant steps

FAILURE (assertion at line 5, characters 0-0)
File .:
  Line 0:
    Execution of main function `f` with env:
      x = 42
  Line 5:
    Property failure at assertion with:
      x = 42
why3-1.6.0/examples/use_api/oracles/test-api-create_session.stdout000066400000000000000000000000341440160026300252720ustar00rootroot000000000000001 theories found in session
why3-1.6.0/examples/use_api/oracles/test-api-logic.stdout000066400000000000000000000440371440160026300233740ustar00rootroot00000000000000formula 1 is: true \/ false
formula 2 is: A /\ B -> A
task 1 is:
theory Task
  goal goal1 : true \/ false
end

task 2 created:
theory Task
  predicate A
  
  predicate B
  
  goal goal2 : A /\ B -> A
end

Versions of Alt-Ergo found: 
On task 1, Alt-Ergo answers Valid (0.0xs, xx steps)
On task 2, Alt-Ergo answers Valid in  0.0x seconds
task 3 created
On task 3, Alt-Ergo answers Valid (0.0xs, xx steps)
On task 4, Alt-Ergo answers Valid (0.0xs, xx steps)
creating theory 'My_theory'
adding goal 1
adding goal 2
adding goal 3
adding goal 4
my new theory is as follows:

theory My_theory
  (* use why3.BuiltIn.BuiltIn *)
  
  goal goal1 : true \/ false
  
  predicate A
  
  predicate B
  
  goal goal2 : A /\ B -> A
  
  (* use int.Int *)
  
  goal goal3 : (2 + 2) = 4
  
  goal goal4 : forall x:int. (x * x) >= 0
end

Tasks are:
Task 1: theory Task
          type int
          
          type real
          
          type string
          
          predicate (=) 'a 'a
          
          (* use why3.BuiltIn.BuiltIn *)
          
          predicate A
          
          predicate B
          
          type bool =
            | True
            | False
          
          (* use why3.Bool.Bool *)
          
          type tuple0 =
            | Tuple0
          
          (* use why3.Tuple0.Tuple01 *)
          
          type unit = unit
          
          (* use why3.Unit.Unit *)
          
          constant zero : int = 0
          
          constant one : int = 1
          
          function (-_) int : int
          
          function (+) int int : int
          
          function ( * ) int int : int
          
          predicate (<) int int
          
          function (-) (x:int) (y:int) : int = x + (- y)
          
          predicate (>) (x:int) (y:int) = y < x
          
          predicate (<=) (x:int) (y:int) = x < y \/ x = y
          
          predicate (>=) (x:int) (y:int) = y <= x
          
          axiom Assoc :
            forall x:int, y:int, z:int. ((x + y) + z) = (x + (y + z))
          
          (* clone algebra.Assoc with type t = int, function op = (+),
            prop Assoc1 = Assoc,  *)
          
          axiom Unit_def_l : forall x:int. (zero + x) = x
          
          axiom Unit_def_r : forall x:int. (x + zero) = x
          
          (* clone algebra.Monoid with type t1 = int, constant unit = zero,
            function op1 = (+), prop Unit_def_r1 = Unit_def_r,
            prop Unit_def_l1 = Unit_def_l, prop Assoc2 = Assoc,  *)
          
          axiom Inv_def_l : forall x:int. ((- x) + x) = zero
          
          axiom Inv_def_r : forall x:int. (x + (- x)) = zero
          
          (* clone algebra.Group with type t2 = int, function inv = (-_),
            constant unit1 = zero, function op2 = (+),
            prop Inv_def_r1 = Inv_def_r, prop Inv_def_l1 = Inv_def_l,
            prop Unit_def_r2 = Unit_def_r, prop Unit_def_l2 = Unit_def_l,
            prop Assoc3 = Assoc,  *)
          
          axiom Comm : forall x:int, y:int. (x + y) = (y + x)
          
          (* clone algebra.Comm with type t3 = int, function op3 = (+),
            prop Comm1 = Comm,  *)
          
          (* meta AC function (+) *)
          
          (* clone algebra.CommutativeGroup with type t4 = int,
            function inv1 = (-_), constant unit2 = zero, function op4 = (+),
            prop Comm2 = Comm, prop Inv_def_r2 = Inv_def_r,
            prop Inv_def_l2 = Inv_def_l, prop Unit_def_r3 = Unit_def_r,
            prop Unit_def_l3 = Unit_def_l, prop Assoc4 = Assoc,  *)
          
          axiom Assoc5 :
            forall x:int, y:int, z:int. ((x * y) * z) = (x * (y * z))
          
          (* clone algebra.Assoc with type t = int, function op = ( * ),
            prop Assoc1 = Assoc5,  *)
          
          axiom Mul_distr_l :
            forall x:int, y:int, z:int. (x * (y + z)) = ((x * y) + (x * z))
          
          axiom Mul_distr_r :
            forall x:int, y:int, z:int. ((y + z) * x) = ((y * x) + (z * x))
          
          (* clone algebra.Ring with type t5 = int, function ( *') = ( * ),
            function (-'_) = (-_), function (+') = (+),
            constant zero1 = zero, prop Mul_distr_r1 = Mul_distr_r,
            prop Mul_distr_l1 = Mul_distr_l, prop Assoc6 = Assoc5,
            prop Comm3 = Comm, prop Inv_def_r3 = Inv_def_r,
            prop Inv_def_l3 = Inv_def_l, prop Unit_def_r4 = Unit_def_r,
            prop Unit_def_l4 = Unit_def_l, prop Assoc7 = Assoc,  *)
          
          axiom Comm4 : forall x:int, y:int. (x * y) = (y * x)
          
          (* clone algebra.Comm with type t3 = int, function op3 = ( * ),
            prop Comm1 = Comm4,  *)
          
          (* meta AC function ( * ) *)
          
          (* clone algebra.CommutativeRing with type t6 = int,
            function ( *'') = ( * ), function (-''_) = (-_),
            function (+'') = (+), constant zero2 = zero, prop Comm5 = Comm4,
            prop Mul_distr_r2 = Mul_distr_r, prop Mul_distr_l2 = Mul_distr_l,
            prop Assoc8 = Assoc5, prop Comm6 = Comm,
            prop Inv_def_r4 = Inv_def_r, prop Inv_def_l4 = Inv_def_l,
            prop Unit_def_r5 = Unit_def_r, prop Unit_def_l5 = Unit_def_l,
            prop Assoc9 = Assoc,  *)
          
          axiom Unitary : forall x:int. (one * x) = x
          
          axiom NonTrivialRing : not zero = one
          
          (* clone algebra.UnitaryCommutativeRing with type t7 = int,
            constant one1 = one, function ( *''') = ( * ),
            function (-'''_) = (-_), function (+''') = (+),
            constant zero3 = zero, prop NonTrivialRing1 = NonTrivialRing,
            prop Unitary1 = Unitary, prop Comm7 = Comm4,
            prop Mul_distr_r3 = Mul_distr_r, prop Mul_distr_l3 = Mul_distr_l,
            prop Assoc10 = Assoc5, prop Comm8 = Comm,
            prop Inv_def_r5 = Inv_def_r, prop Inv_def_l5 = Inv_def_l,
            prop Unit_def_r6 = Unit_def_r, prop Unit_def_l6 = Unit_def_l,
            prop Assoc11 = Assoc,  *)
          
          (* clone relations.EndoRelation with type t8 = int,
            predicate rel = (<=),  *)
          
          axiom Refl : forall x:int. x <= x
          
          (* clone relations.Reflexive with type t9 = int,
            predicate rel1 = (<=), prop Refl1 = Refl,  *)
          
          (* clone relations.EndoRelation with type t8 = int,
            predicate rel = (<=),  *)
          
          axiom Trans :
            forall x:int, y:int, z:int. x <= y -> y <= z -> x <= z
          
          (* clone relations.Transitive with type t10 = int,
            predicate rel2 = (<=), prop Trans1 = Trans,  *)
          
          (* clone relations.PreOrder with type t11 = int,
            predicate rel3 = (<=), prop Trans2 = Trans, prop Refl2 = Refl,
             *)
          
          (* clone relations.EndoRelation with type t8 = int,
            predicate rel = (<=),  *)
          
          axiom Antisymm : forall x:int, y:int. x <= y -> y <= x -> x = y
          
          (* clone relations.Antisymmetric with type t12 = int,
            predicate rel4 = (<=), prop Antisymm1 = Antisymm,  *)
          
          (* clone relations.PartialOrder with type t13 = int,
            predicate rel5 = (<=), prop Antisymm2 = Antisymm,
            prop Trans3 = Trans, prop Refl3 = Refl,  *)
          
          (* clone relations.EndoRelation with type t8 = int,
            predicate rel = (<=),  *)
          
          axiom Total : forall x:int, y:int. x <= y \/ y <= x
          
          (* clone relations.Total with type t14 = int,
            predicate rel6 = (<=), prop Total1 = Total,  *)
          
          (* clone relations.TotalOrder with type t15 = int,
            predicate rel7 = (<=), prop Total2 = Total,
            prop Antisymm3 = Antisymm, prop Trans4 = Trans,
            prop Refl4 = Refl,  *)
          
          axiom ZeroLessOne : zero <= one
          
          axiom CompatOrderAdd :
            forall x:int, y:int, z:int. x <= y -> (x + z) <= (y + z)
          
          axiom CompatOrderMult :
            forall x:int, y:int, z:int.
             x <= y -> zero <= z -> (x * z) <= (y * z)
          
          (* meta remove_unused:dependency prop CompatOrderMult,
            function ( * ) *)
          
          (* clone algebra.OrderedUnitaryCommutativeRing with type t16 = int,
            predicate (<=') = (<=), constant one2 = one,
            function ( *'''') = ( * ), function (-''''_) = (-_),
            function (+'''') = (+), constant zero4 = zero,
            prop CompatOrderMult1 = CompatOrderMult,
            prop CompatOrderAdd1 = CompatOrderAdd,
            prop ZeroLessOne1 = ZeroLessOne, prop Total3 = Total,
            prop Antisymm4 = Antisymm, prop Trans5 = Trans,
            prop Refl5 = Refl, prop NonTrivialRing2 = NonTrivialRing,
            prop Unitary2 = Unitary, prop Comm9 = Comm4,
            prop Mul_distr_r4 = Mul_distr_r, prop Mul_distr_l4 = Mul_distr_l,
            prop Assoc12 = Assoc5, prop Comm10 = Comm,
            prop Inv_def_r6 = Inv_def_r, prop Inv_def_l6 = Inv_def_l,
            prop Unit_def_r7 = Unit_def_r, prop Unit_def_l7 = Unit_def_l,
            prop Assoc13 = Assoc,  *)
          
          (* use int.Int *)
          
          goal goal4 : forall x:int. (x * x) >= 0
end

Task 2: theory Task
          type int
          
          type real
          
          type string
          
          predicate (=) 'a 'a
          
          (* use why3.BuiltIn.BuiltIn *)
          
          predicate A
          
          predicate B
          
          type bool =
            | True
            | False
          
          (* use why3.Bool.Bool *)
          
          type tuple0 =
            | Tuple0
          
          (* use why3.Tuple0.Tuple01 *)
          
          type unit = unit
          
          (* use why3.Unit.Unit *)
          
          constant zero : int = 0
          
          constant one : int = 1
          
          function (-_) int : int
          
          function (+) int int : int
          
          function ( * ) int int : int
          
          predicate (<) int int
          
          function (-) (x:int) (y:int) : int = x + (- y)
          
          predicate (>) (x:int) (y:int) = y < x
          
          predicate (<=) (x:int) (y:int) = x < y \/ x = y
          
          predicate (>=) (x:int) (y:int) = y <= x
          
          axiom Assoc :
            forall x:int, y:int, z:int. ((x + y) + z) = (x + (y + z))
          
          (* clone algebra.Assoc with type t = int, function op = (+),
            prop Assoc1 = Assoc,  *)
          
          axiom Unit_def_l : forall x:int. (zero + x) = x
          
          axiom Unit_def_r : forall x:int. (x + zero) = x
          
          (* clone algebra.Monoid with type t1 = int, constant unit = zero,
            function op1 = (+), prop Unit_def_r1 = Unit_def_r,
            prop Unit_def_l1 = Unit_def_l, prop Assoc2 = Assoc,  *)
          
          axiom Inv_def_l : forall x:int. ((- x) + x) = zero
          
          axiom Inv_def_r : forall x:int. (x + (- x)) = zero
          
          (* clone algebra.Group with type t2 = int, function inv = (-_),
            constant unit1 = zero, function op2 = (+),
            prop Inv_def_r1 = Inv_def_r, prop Inv_def_l1 = Inv_def_l,
            prop Unit_def_r2 = Unit_def_r, prop Unit_def_l2 = Unit_def_l,
            prop Assoc3 = Assoc,  *)
          
          axiom Comm : forall x:int, y:int. (x + y) = (y + x)
          
          (* clone algebra.Comm with type t3 = int, function op3 = (+),
            prop Comm1 = Comm,  *)
          
          (* meta AC function (+) *)
          
          (* clone algebra.CommutativeGroup with type t4 = int,
            function inv1 = (-_), constant unit2 = zero, function op4 = (+),
            prop Comm2 = Comm, prop Inv_def_r2 = Inv_def_r,
            prop Inv_def_l2 = Inv_def_l, prop Unit_def_r3 = Unit_def_r,
            prop Unit_def_l3 = Unit_def_l, prop Assoc4 = Assoc,  *)
          
          axiom Assoc5 :
            forall x:int, y:int, z:int. ((x * y) * z) = (x * (y * z))
          
          (* clone algebra.Assoc with type t = int, function op = ( * ),
            prop Assoc1 = Assoc5,  *)
          
          axiom Mul_distr_l :
            forall x:int, y:int, z:int. (x * (y + z)) = ((x * y) + (x * z))
          
          axiom Mul_distr_r :
            forall x:int, y:int, z:int. ((y + z) * x) = ((y * x) + (z * x))
          
          (* clone algebra.Ring with type t5 = int, function ( *') = ( * ),
            function (-'_) = (-_), function (+') = (+),
            constant zero1 = zero, prop Mul_distr_r1 = Mul_distr_r,
            prop Mul_distr_l1 = Mul_distr_l, prop Assoc6 = Assoc5,
            prop Comm3 = Comm, prop Inv_def_r3 = Inv_def_r,
            prop Inv_def_l3 = Inv_def_l, prop Unit_def_r4 = Unit_def_r,
            prop Unit_def_l4 = Unit_def_l, prop Assoc7 = Assoc,  *)
          
          axiom Comm4 : forall x:int, y:int. (x * y) = (y * x)
          
          (* clone algebra.Comm with type t3 = int, function op3 = ( * ),
            prop Comm1 = Comm4,  *)
          
          (* meta AC function ( * ) *)
          
          (* clone algebra.CommutativeRing with type t6 = int,
            function ( *'') = ( * ), function (-''_) = (-_),
            function (+'') = (+), constant zero2 = zero, prop Comm5 = Comm4,
            prop Mul_distr_r2 = Mul_distr_r, prop Mul_distr_l2 = Mul_distr_l,
            prop Assoc8 = Assoc5, prop Comm6 = Comm,
            prop Inv_def_r4 = Inv_def_r, prop Inv_def_l4 = Inv_def_l,
            prop Unit_def_r5 = Unit_def_r, prop Unit_def_l5 = Unit_def_l,
            prop Assoc9 = Assoc,  *)
          
          axiom Unitary : forall x:int. (one * x) = x
          
          axiom NonTrivialRing : not zero = one
          
          (* clone algebra.UnitaryCommutativeRing with type t7 = int,
            constant one1 = one, function ( *''') = ( * ),
            function (-'''_) = (-_), function (+''') = (+),
            constant zero3 = zero, prop NonTrivialRing1 = NonTrivialRing,
            prop Unitary1 = Unitary, prop Comm7 = Comm4,
            prop Mul_distr_r3 = Mul_distr_r, prop Mul_distr_l3 = Mul_distr_l,
            prop Assoc10 = Assoc5, prop Comm8 = Comm,
            prop Inv_def_r5 = Inv_def_r, prop Inv_def_l5 = Inv_def_l,
            prop Unit_def_r6 = Unit_def_r, prop Unit_def_l6 = Unit_def_l,
            prop Assoc11 = Assoc,  *)
          
          (* clone relations.EndoRelation with type t8 = int,
            predicate rel = (<=),  *)
          
          axiom Refl : forall x:int. x <= x
          
          (* clone relations.Reflexive with type t9 = int,
            predicate rel1 = (<=), prop Refl1 = Refl,  *)
          
          (* clone relations.EndoRelation with type t8 = int,
            predicate rel = (<=),  *)
          
          axiom Trans :
            forall x:int, y:int, z:int. x <= y -> y <= z -> x <= z
          
          (* clone relations.Transitive with type t10 = int,
            predicate rel2 = (<=), prop Trans1 = Trans,  *)
          
          (* clone relations.PreOrder with type t11 = int,
            predicate rel3 = (<=), prop Trans2 = Trans, prop Refl2 = Refl,
             *)
          
          (* clone relations.EndoRelation with type t8 = int,
            predicate rel = (<=),  *)
          
          axiom Antisymm : forall x:int, y:int. x <= y -> y <= x -> x = y
          
          (* clone relations.Antisymmetric with type t12 = int,
            predicate rel4 = (<=), prop Antisymm1 = Antisymm,  *)
          
          (* clone relations.PartialOrder with type t13 = int,
            predicate rel5 = (<=), prop Antisymm2 = Antisymm,
            prop Trans3 = Trans, prop Refl3 = Refl,  *)
          
          (* clone relations.EndoRelation with type t8 = int,
            predicate rel = (<=),  *)
          
          axiom Total : forall x:int, y:int. x <= y \/ y <= x
          
          (* clone relations.Total with type t14 = int,
            predicate rel6 = (<=), prop Total1 = Total,  *)
          
          (* clone relations.TotalOrder with type t15 = int,
            predicate rel7 = (<=), prop Total2 = Total,
            prop Antisymm3 = Antisymm, prop Trans4 = Trans,
            prop Refl4 = Refl,  *)
          
          axiom ZeroLessOne : zero <= one
          
          axiom CompatOrderAdd :
            forall x:int, y:int, z:int. x <= y -> (x + z) <= (y + z)
          
          axiom CompatOrderMult :
            forall x:int, y:int, z:int.
             x <= y -> zero <= z -> (x * z) <= (y * z)
          
          (* meta remove_unused:dependency prop CompatOrderMult,
            function ( * ) *)
          
          (* clone algebra.OrderedUnitaryCommutativeRing with type t16 = int,
            predicate (<=') = (<=), constant one2 = one,
            function ( *'''') = ( * ), function (-''''_) = (-_),
            function (+'''') = (+), constant zero4 = zero,
            prop CompatOrderMult1 = CompatOrderMult,
            prop CompatOrderAdd1 = CompatOrderAdd,
            prop ZeroLessOne1 = ZeroLessOne, prop Total3 = Total,
            prop Antisymm4 = Antisymm, prop Trans5 = Trans,
            prop Refl5 = Refl, prop NonTrivialRing2 = NonTrivialRing,
            prop Unitary2 = Unitary, prop Comm9 = Comm4,
            prop Mul_distr_r4 = Mul_distr_r, prop Mul_distr_l4 = Mul_distr_l,
            prop Assoc12 = Assoc5, prop Comm10 = Comm,
            prop Inv_def_r6 = Inv_def_r, prop Inv_def_l6 = Inv_def_l,
            prop Unit_def_r7 = Unit_def_r, prop Unit_def_l7 = Unit_def_l,
            prop Assoc13 = Assoc,  *)
          
          (* use int.Int *)
          
          goal goal3 : (2 + 2) = 4
end

Task 3: theory Task
          type int
          
          type real
          
          type string
          
          predicate (=) 'a 'a
          
          (* use why3.BuiltIn.BuiltIn *)
          
          predicate A
          
          predicate B
          
          goal goal2 : A /\ B -> A
end

Task 4: theory Task
          type int
          
          type real
          
          type string
          
          predicate (=) 'a 'a
          
          (* use why3.BuiltIn.BuiltIn *)
          
          goal goal1 : true \/ false
end

why3-1.6.0/examples/use_api/oracles/test-api-mlw_expr.stdout000066400000000000000000000211701440160026300241250ustar00rootroot00000000000000Tasks are:
Task 1: theory Task
          type int
          
          type real
          
          type string
          
          predicate (=) 'a 'a
          
          (* use why3.BuiltIn.BuiltIn *)
          
          type bool =
            | True
            | False
          
          (* use why3.Bool.Bool *)
          
          type tuple0 =
            | Tuple0
          
          (* use why3.Tuple0.Tuple01 *)
          
          type unit = unit
          
          (* use why3.Unit.Unit *)
          
          constant zero : int = 0
          
          constant one : int = 1
          
          function (-_) int : int
          
          function (+) int int : int
          
          function ( * ) int int : int
          
          predicate (<) int int
          
          function (-) (x:int) (y:int) : int = x + (- y)
          
          predicate (>) (x:int) (y:int) = y < x
          
          predicate (<=) (x:int) (y:int) = x < y \/ x = y
          
          predicate (>=) (x:int) (y:int) = y <= x
          
          axiom Assoc :
            forall x:int, y:int, z:int. ((x + y) + z) = (x + (y + z))
          
          (* clone algebra.Assoc with type t = int, function op = (+),
            prop Assoc1 = Assoc,  *)
          
          axiom Unit_def_l : forall x:int. (zero + x) = x
          
          axiom Unit_def_r : forall x:int. (x + zero) = x
          
          (* clone algebra.Monoid with type t1 = int, constant unit = zero,
            function op1 = (+), prop Unit_def_r1 = Unit_def_r,
            prop Unit_def_l1 = Unit_def_l, prop Assoc2 = Assoc,  *)
          
          axiom Inv_def_l : forall x:int. ((- x) + x) = zero
          
          axiom Inv_def_r : forall x:int. (x + (- x)) = zero
          
          (* clone algebra.Group with type t2 = int, function inv = (-_),
            constant unit1 = zero, function op2 = (+),
            prop Inv_def_r1 = Inv_def_r, prop Inv_def_l1 = Inv_def_l,
            prop Unit_def_r2 = Unit_def_r, prop Unit_def_l2 = Unit_def_l,
            prop Assoc3 = Assoc,  *)
          
          axiom Comm : forall x:int, y:int. (x + y) = (y + x)
          
          (* clone algebra.Comm with type t3 = int, function op3 = (+),
            prop Comm1 = Comm,  *)
          
          (* meta AC function (+) *)
          
          (* clone algebra.CommutativeGroup with type t4 = int,
            function inv1 = (-_), constant unit2 = zero, function op4 = (+),
            prop Comm2 = Comm, prop Inv_def_r2 = Inv_def_r,
            prop Inv_def_l2 = Inv_def_l, prop Unit_def_r3 = Unit_def_r,
            prop Unit_def_l3 = Unit_def_l, prop Assoc4 = Assoc,  *)
          
          axiom Assoc5 :
            forall x:int, y:int, z:int. ((x * y) * z) = (x * (y * z))
          
          (* clone algebra.Assoc with type t = int, function op = ( * ),
            prop Assoc1 = Assoc5,  *)
          
          axiom Mul_distr_l :
            forall x:int, y:int, z:int. (x * (y + z)) = ((x * y) + (x * z))
          
          axiom Mul_distr_r :
            forall x:int, y:int, z:int. ((y + z) * x) = ((y * x) + (z * x))
          
          (* clone algebra.Ring with type t5 = int, function ( *') = ( * ),
            function (-'_) = (-_), function (+') = (+),
            constant zero1 = zero, prop Mul_distr_r1 = Mul_distr_r,
            prop Mul_distr_l1 = Mul_distr_l, prop Assoc6 = Assoc5,
            prop Comm3 = Comm, prop Inv_def_r3 = Inv_def_r,
            prop Inv_def_l3 = Inv_def_l, prop Unit_def_r4 = Unit_def_r,
            prop Unit_def_l4 = Unit_def_l, prop Assoc7 = Assoc,  *)
          
          axiom Comm4 : forall x:int, y:int. (x * y) = (y * x)
          
          (* clone algebra.Comm with type t3 = int, function op3 = ( * ),
            prop Comm1 = Comm4,  *)
          
          (* meta AC function ( * ) *)
          
          (* clone algebra.CommutativeRing with type t6 = int,
            function ( *'') = ( * ), function (-''_) = (-_),
            function (+'') = (+), constant zero2 = zero, prop Comm5 = Comm4,
            prop Mul_distr_r2 = Mul_distr_r, prop Mul_distr_l2 = Mul_distr_l,
            prop Assoc8 = Assoc5, prop Comm6 = Comm,
            prop Inv_def_r4 = Inv_def_r, prop Inv_def_l4 = Inv_def_l,
            prop Unit_def_r5 = Unit_def_r, prop Unit_def_l5 = Unit_def_l,
            prop Assoc9 = Assoc,  *)
          
          axiom Unitary : forall x:int. (one * x) = x
          
          axiom NonTrivialRing : not zero = one
          
          (* clone algebra.UnitaryCommutativeRing with type t7 = int,
            constant one1 = one, function ( *''') = ( * ),
            function (-'''_) = (-_), function (+''') = (+),
            constant zero3 = zero, prop NonTrivialRing1 = NonTrivialRing,
            prop Unitary1 = Unitary, prop Comm7 = Comm4,
            prop Mul_distr_r3 = Mul_distr_r, prop Mul_distr_l3 = Mul_distr_l,
            prop Assoc10 = Assoc5, prop Comm8 = Comm,
            prop Inv_def_r5 = Inv_def_r, prop Inv_def_l5 = Inv_def_l,
            prop Unit_def_r6 = Unit_def_r, prop Unit_def_l6 = Unit_def_l,
            prop Assoc11 = Assoc,  *)
          
          (* clone relations.EndoRelation with type t8 = int,
            predicate rel = (<=),  *)
          
          axiom Refl : forall x:int. x <= x
          
          (* clone relations.Reflexive with type t9 = int,
            predicate rel1 = (<=), prop Refl1 = Refl,  *)
          
          (* clone relations.EndoRelation with type t8 = int,
            predicate rel = (<=),  *)
          
          axiom Trans :
            forall x:int, y:int, z:int. x <= y -> y <= z -> x <= z
          
          (* clone relations.Transitive with type t10 = int,
            predicate rel2 = (<=), prop Trans1 = Trans,  *)
          
          (* clone relations.PreOrder with type t11 = int,
            predicate rel3 = (<=), prop Trans2 = Trans, prop Refl2 = Refl,
             *)
          
          (* clone relations.EndoRelation with type t8 = int,
            predicate rel = (<=),  *)
          
          axiom Antisymm : forall x:int, y:int. x <= y -> y <= x -> x = y
          
          (* clone relations.Antisymmetric with type t12 = int,
            predicate rel4 = (<=), prop Antisymm1 = Antisymm,  *)
          
          (* clone relations.PartialOrder with type t13 = int,
            predicate rel5 = (<=), prop Antisymm2 = Antisymm,
            prop Trans3 = Trans, prop Refl3 = Refl,  *)
          
          (* clone relations.EndoRelation with type t8 = int,
            predicate rel = (<=),  *)
          
          axiom Total : forall x:int, y:int. x <= y \/ y <= x
          
          (* clone relations.Total with type t14 = int,
            predicate rel6 = (<=), prop Total1 = Total,  *)
          
          (* clone relations.TotalOrder with type t15 = int,
            predicate rel7 = (<=), prop Total2 = Total,
            prop Antisymm3 = Antisymm, prop Trans4 = Trans,
            prop Refl4 = Refl,  *)
          
          axiom ZeroLessOne : zero <= one
          
          axiom CompatOrderAdd :
            forall x:int, y:int, z:int. x <= y -> (x + z) <= (y + z)
          
          axiom CompatOrderMult :
            forall x:int, y:int, z:int.
             x <= y -> zero <= z -> (x * z) <= (y * z)
          
          (* meta remove_unused:dependency prop CompatOrderMult,
            function ( * ) *)
          
          (* clone algebra.OrderedUnitaryCommutativeRing with type t16 = int,
            predicate (<=') = (<=), constant one2 = one,
            function ( *'''') = ( * ), function (-''''_) = (-_),
            function (+'''') = (+), constant zero4 = zero,
            prop CompatOrderMult1 = CompatOrderMult,
            prop CompatOrderAdd1 = CompatOrderAdd,
            prop ZeroLessOne1 = ZeroLessOne, prop Total3 = Total,
            prop Antisymm4 = Antisymm, prop Trans5 = Trans,
            prop Refl5 = Refl, prop NonTrivialRing2 = NonTrivialRing,
            prop Unitary2 = Unitary, prop Comm9 = Comm4,
            prop Mul_distr_r4 = Mul_distr_r, prop Mul_distr_l4 = Mul_distr_l,
            prop Assoc12 = Assoc5, prop Comm10 = Comm,
            prop Inv_def_r6 = Inv_def_r, prop Inv_def_l6 = Inv_def_l,
            prop Unit_def_r7 = Unit_def_r, prop Unit_def_l7 = Unit_def_l,
            prop Assoc13 = Assoc,  *)
          
          (* use int.Int *)
          
          type ref 'a =
            | Ref'mk (contents:'a)
          
          (* use why3.Ref.Ref *)
          
          function (!) (r:ref 'a) : 'a = r.contents
          
          (* use ref.Ref1 *)
          
          goal f'vc :
            let ref'result'unused = Ref'mk 42 in
            let (!)'result'unused = 42 in 42 >= 0
end

On task 1, alt-ergo answers Valid (0.0xs, xx steps)
why3-1.6.0/examples/use_api/oracles/test-api-mlw_tree.stdout000066400000000000000000000016721440160026300241130ustar00rootroot00000000000000module M1
  use int.Int
  
  goal g: Int.( = ) 4 (Int.( + ) 2 2)
end

module M2
  use int.Int
  
  let f (x : int)
    requires { x = 6 }
    ensures { result = 42 }
  = Int.( * ) x 7
end

module M3
  use int.Int
  use ref.Ref
  
  let f (_ : ())
    ensures { Int.( >= ) result 0 }
  = let x = Ref.ref 42 in Ref.( ! ) x
end

module M4
  use int.Int
  use array.Array
  
  let f (a : Array.array int)
    requires { Int.( >= ) (a.Array.length) 1 }
    ensures { (Array.( [] ) a 0) = 42 }
  = Array.( []<- ) a 0 42
end
module M5
  use int.Int
  use array.Array
  
  let f (a : Array.array int)
    requires { Int.( >= ) (a.Array.length) 1 }
    ensures { (Array.( [] ) a 0) = 42 }
  = Array.( []<- ) a 0 42
end
module M6
  use int.Int
  use array.Array
  
  let f (a : Array.array int)
    requires { Int.( >= ) (a.Array.length) 1 }
    ensures { (Array.( [] ) a 0) = 42 }
  = Array.( []<- ) a 0 42
end
On task 1, alt-ergo answers Valid (0.0xs, xx steps)
why3-1.6.0/examples/use_api/oracles/test-api-mlw_tree_infer_invs.stdout000066400000000000000000000223701440160026300263330ustar00rootroot00000000000000module M1
  use int.Int
  use ref.Refint
  
  let f [@infer] (x : ref int)
    requires { Int.( <= ) (Refint.( ! ) x) 100 }
    ensures { (Refint.( ! ) x) = 100 }
  = while Int.( < ) (Refint.( ! ) x) 100 do
      variant { Int.( - ) 100 (Refint.( ! ) x) }
      Refint.incr x
    done
end
The following invariants were generated:
forall w1:int. contents x <= 100
Tasks are:
Task 1: theory Task
          type int
          
          type real
          
          type string
          
          predicate (=) 'a 'a
          
          (* use why3.BuiltIn.BuiltIn *)
          
          type bool =
            | True
            | False
          
          (* use why3.Bool.Bool *)
          
          type tuple0 =
            | Tuple0
          
          (* use why3.Tuple0.Tuple01 *)
          
          type unit = unit
          
          (* use why3.Unit.Unit *)
          
          constant zero : int = 0
          
          constant one : int = 1
          
          function (-_) int : int
          
          function (+) int int : int
          
          function ( * ) int int : int
          
          predicate (<) int int
          
          function (-) (x:int) (y:int) : int = x + (- y)
          
          predicate (>) (x:int) (y:int) = y < x
          
          predicate (<=) (x:int) (y:int) = x < y \/ x = y
          
          predicate (>=) (x:int) (y:int) = y <= x
          
          Assoc : forall x:int, y:int, z:int. ((x + y) + z) = (x + (y + z))
          
          (* clone algebra.Assoc with type t = int, function op = (+),
            prop Assoc1 = Assoc,  *)
          
          Unit_def_l : forall x:int. (zero + x) = x
          
          Unit_def_r : forall x:int. (x + zero) = x
          
          (* clone algebra.Monoid with type t1 = int, constant unit = zero,
            function op1 = (+), prop Unit_def_r1 = Unit_def_r,
            prop Unit_def_l1 = Unit_def_l, prop Assoc2 = Assoc,  *)
          
          Inv_def_l : forall x:int. ((- x) + x) = zero
          
          Inv_def_r : forall x:int. (x + (- x)) = zero
          
          (* clone algebra.Group with type t2 = int, function inv = (-_),
            constant unit1 = zero, function op2 = (+),
            prop Inv_def_r1 = Inv_def_r, prop Inv_def_l1 = Inv_def_l,
            prop Unit_def_r2 = Unit_def_r, prop Unit_def_l2 = Unit_def_l,
            prop Assoc3 = Assoc,  *)
          
          Comm : forall x:int, y:int. (x + y) = (y + x)
          
          (* clone algebra.Comm with type t3 = int, function op3 = (+),
            prop Comm1 = Comm,  *)
          
          (* meta AC function (+) *)
          
          (* clone algebra.CommutativeGroup with type t4 = int,
            function inv1 = (-_), constant unit2 = zero, function op4 = (+),
            prop Comm2 = Comm, prop Inv_def_r2 = Inv_def_r,
            prop Inv_def_l2 = Inv_def_l, prop Unit_def_r3 = Unit_def_r,
            prop Unit_def_l3 = Unit_def_l, prop Assoc4 = Assoc,  *)
          
          Assoc5 : forall x:int, y:int, z:int. ((x * y) * z) = (x * (y * z))
          
          (* clone algebra.Assoc with type t = int, function op = ( * ),
            prop Assoc1 = Assoc5,  *)
          
          Mul_distr_l :
            forall x:int, y:int, z:int. (x * (y + z)) = ((x * y) + (x * z))
          
          Mul_distr_r :
            forall x:int, y:int, z:int. ((y + z) * x) = ((y * x) + (z * x))
          
          (* clone algebra.Ring with type t5 = int, function ( *') = ( * ),
            function (-'_) = (-_), function (+') = (+),
            constant zero1 = zero, prop Mul_distr_r1 = Mul_distr_r,
            prop Mul_distr_l1 = Mul_distr_l, prop Assoc6 = Assoc5,
            prop Comm3 = Comm, prop Inv_def_r3 = Inv_def_r,
            prop Inv_def_l3 = Inv_def_l, prop Unit_def_r4 = Unit_def_r,
            prop Unit_def_l4 = Unit_def_l, prop Assoc7 = Assoc,  *)
          
          Comm4 : forall x:int, y:int. (x * y) = (y * x)
          
          (* clone algebra.Comm with type t3 = int, function op3 = ( * ),
            prop Comm1 = Comm4,  *)
          
          (* meta AC function ( * ) *)
          
          (* clone algebra.CommutativeRing with type t6 = int,
            function ( *'') = ( * ), function (-''_) = (-_),
            function (+'') = (+), constant zero2 = zero, prop Comm5 = Comm4,
            prop Mul_distr_r2 = Mul_distr_r, prop Mul_distr_l2 = Mul_distr_l,
            prop Assoc8 = Assoc5, prop Comm6 = Comm,
            prop Inv_def_r4 = Inv_def_r, prop Inv_def_l4 = Inv_def_l,
            prop Unit_def_r5 = Unit_def_r, prop Unit_def_l5 = Unit_def_l,
            prop Assoc9 = Assoc,  *)
          
          Unitary : forall x:int. (one * x) = x
          
          NonTrivialRing : not zero = one
          
          (* clone algebra.UnitaryCommutativeRing with type t7 = int,
            constant one1 = one, function ( *''') = ( * ),
            function (-'''_) = (-_), function (+''') = (+),
            constant zero3 = zero, prop NonTrivialRing1 = NonTrivialRing,
            prop Unitary1 = Unitary, prop Comm7 = Comm4,
            prop Mul_distr_r3 = Mul_distr_r, prop Mul_distr_l3 = Mul_distr_l,
            prop Assoc10 = Assoc5, prop Comm8 = Comm,
            prop Inv_def_r5 = Inv_def_r, prop Inv_def_l5 = Inv_def_l,
            prop Unit_def_r6 = Unit_def_r, prop Unit_def_l6 = Unit_def_l,
            prop Assoc11 = Assoc,  *)
          
          (* clone relations.EndoRelation with type t8 = int,
            predicate rel = (<=),  *)
          
          Refl : forall x:int. x <= x
          
          (* clone relations.Reflexive with type t9 = int,
            predicate rel1 = (<=), prop Refl1 = Refl,  *)
          
          (* clone relations.EndoRelation with type t8 = int,
            predicate rel = (<=),  *)
          
          Trans : forall x:int, y:int, z:int. x <= y -> y <= z -> x <= z
          
          (* clone relations.Transitive with type t10 = int,
            predicate rel2 = (<=), prop Trans1 = Trans,  *)
          
          (* clone relations.PreOrder with type t11 = int,
            predicate rel3 = (<=), prop Trans2 = Trans, prop Refl2 = Refl,
             *)
          
          (* clone relations.EndoRelation with type t8 = int,
            predicate rel = (<=),  *)
          
          Antisymm : forall x:int, y:int. x <= y -> y <= x -> x = y
          
          (* clone relations.Antisymmetric with type t12 = int,
            predicate rel4 = (<=), prop Antisymm1 = Antisymm,  *)
          
          (* clone relations.PartialOrder with type t13 = int,
            predicate rel5 = (<=), prop Antisymm2 = Antisymm,
            prop Trans3 = Trans, prop Refl3 = Refl,  *)
          
          (* clone relations.EndoRelation with type t8 = int,
            predicate rel = (<=),  *)
          
          Total : forall x:int, y:int. x <= y \/ y <= x
          
          (* clone relations.Total with type t14 = int,
            predicate rel6 = (<=), prop Total1 = Total,  *)
          
          (* clone relations.TotalOrder with type t15 = int,
            predicate rel7 = (<=), prop Total2 = Total,
            prop Antisymm3 = Antisymm, prop Trans4 = Trans,
            prop Refl4 = Refl,  *)
          
          ZeroLessOne : zero <= one
          
          CompatOrderAdd :
            forall x:int, y:int, z:int. x <= y -> (x + z) <= (y + z)
          
          CompatOrderMult :
            forall x:int, y:int, z:int.
             x <= y -> zero <= z -> (x * z) <= (y * z)
          
          (* clone algebra.OrderedUnitaryCommutativeRing with type t16 = int,
            predicate (<=') = (<=), constant one2 = one,
            function ( *'''') = ( * ), function (-''''_) = (-_),
            function (+'''') = (+), constant zero4 = zero,
            prop CompatOrderMult1 = CompatOrderMult,
            prop CompatOrderAdd1 = CompatOrderAdd,
            prop ZeroLessOne1 = ZeroLessOne, prop Total3 = Total,
            prop Antisymm4 = Antisymm, prop Trans5 = Trans,
            prop Refl5 = Refl, prop NonTrivialRing2 = NonTrivialRing,
            prop Unitary2 = Unitary, prop Comm9 = Comm4,
            prop Mul_distr_r4 = Mul_distr_r, prop Mul_distr_l4 = Mul_distr_l,
            prop Assoc12 = Assoc5, prop Comm10 = Comm,
            prop Inv_def_r6 = Inv_def_r, prop Inv_def_l6 = Inv_def_l,
            prop Unit_def_r7 = Unit_def_r, prop Unit_def_l7 = Unit_def_l,
            prop Assoc13 = Assoc,  *)
          
          (* use int.Int *)
          
          type ref 'a =
            | Ref'mk (contents:'a)
          
          (* use why3.Ref.Ref *)
          
          function (!) (r:ref 'a) : 'a = contents r
          
          (* use ref.Ref1 *)
          
          (* use ref.Refint *)
          
          goal f'vc :
            forall x:int.
             let x'unused = Ref'mk x in
             x <= 100 ->
             x <= 100 /\
             (forall x1:int.
               let x2 = Ref'mk x1 in
               x1 <= 100 ->
               (let x'unused'unused = x2 in
                if x1 < 100
                then let r'unused'unused = x2 in
                     forall x3:int.
                      let x'unused1 = Ref'mk x3 in
                      x3 = (x1 + 1) ->
                      (0 <= (100 - x1) /\ (100 - x3) < (100 - x1)) /\
                      x3 <= 100
                else x1 = 100))
end

On task 1, alt-ergo answers Valid (0.0xs, 8 steps)
why3-1.6.0/examples/use_api/oracles/test-api-transform.stdout000066400000000000000000000000001440160026300242700ustar00rootroot00000000000000why3-1.6.0/examples/use_api/transform.ml000066400000000000000000000034251440160026300202200ustar00rootroot00000000000000(********************************************************************)
(*                                                                  *)
(*  The Why3 Verification Platform   /   The Why3 Development Team  *)
(*  Copyright 2010-2023 --  Inria - CNRS - Paris-Saclay University  *)
(*                                                                  *)
(*  This software is distributed under the terms of the GNU Lesser  *)
(*  General Public License version 2.1, with the special exception  *)
(*  on linking described in file LICENSE.                           *)
(*                                                                  *)
(********************************************************************)


open Why3

(* push negations down *)

(* BEGIN{negate} *)
open Term

let rec negate (t:term) : term =
  match t.t_node with
  | Ttrue -> t_false
  | Tfalse -> t_true
  | Tnot t -> t
  | Tbinop(Tand,t1,t2) -> t_or (negate t1) (negate t2)
  | Tbinop(Tor,t1,t2) -> t_and (negate t1) (negate t2)
  | Tquant(Tforall,tq) ->
     let vars,triggers,t' = t_open_quant tq in
     let tq' = t_close_quant vars triggers (negate t') in
     t_exists tq'
  | Tquant(Texists,tq) ->
     let vars,triggers,t' = t_open_quant tq in
     let tq' = t_close_quant vars triggers (negate t') in
     t_forall tq'
  | _ -> t_not t

let rec traverse (t:term) : term =
  match t.t_node with
  | Tnot t -> t_map traverse (negate t)
  | _ -> t_map traverse t
(* END{negate} *)

(* BEGIN{register} *)
let negate_goal pr t = [Decl.create_prop_decl Decl.Pgoal pr (traverse t)]

let negate_trans = Trans.goal negate_goal

let () = Trans.register_transform
           "push_negations_down" negate_trans
           ~desc:"In the current goal,@ push negations down,@ \
                  across logical connectives."
(* END{register} *)
why3-1.6.0/examples/vacid_0_binary_heaps/000077500000000000000000000000001440160026300202535ustar00rootroot00000000000000why3-1.6.0/examples/vacid_0_binary_heaps/abstract_heap.mlw000066400000000000000000000013031440160026300235710ustar00rootroot00000000000000
module AbstractHeap

(**** logic declarations *****)

use int.Int
use bag.Bag
use bag_of_integers.Bag_integers

(* abstract interface for heaps *)

type logic_heap
function model (h:logic_heap): (bag int)

use ref.Ref

val create (sz:int) : ref logic_heap
  requires { 0 <= sz }
  ensures  { model !result = empty_bag }

val insert (this:ref logic_heap) (e:int) : unit writes {this}
  ensures  { model !this = add e (model (old !this)) }

val extractMin (this:ref logic_heap) : int writes {this}
  requires { model !this <> empty_bag }
  ensures  { result = min_bag (model (old !this)) /\
    model (old !this) = add result (model !this) /\
    card (model (old !this)) = (card (model !this)) + 1
  }

end
why3-1.6.0/examples/vacid_0_binary_heaps/bag_of_integers.why000066400000000000000000000011131440160026300241150ustar00rootroot00000000000000theory Bag_integers

(* minimum element of a bag of integers *)

use int.Int
use int.MinMax
use export bag.Bag

function min_bag (bag int) : int

axiom Min_bag_singleton : forall x:int. min_bag (singleton x) = x

axiom Min_bag_union : forall x y:bag int.
      min_bag (union x y) = min (min_bag x) (min_bag y)

lemma Min_bag_union1 : forall x y: bag int, a: int.
     x = (add a y) -> min_bag x = min a (min_bag y)

lemma Min_bag_union2 : forall x : bag int, a: int.
     a <= min_bag x -> a <= min_bag (add a x)

end

(*
Local Variables:
compile-command: "why3ide -I . proofs"
End:
*)
why3-1.6.0/examples/vacid_0_binary_heaps/elements.why000066400000000000000000000033451440160026300226250ustar00rootroot00000000000000theory Elements

use int.Int
use bag.Bag
use export map.Map

type array 'a = map int 'a

(* [elements a i j] is the bag of elements in a[i..j[ *)
function elements (a:array 'a) (i j:int) : bag 'a

axiom Elements_empty : forall a:array 'a, i j:int.
     i >= j -> (elements a i j) = empty_bag

axiom Elements_add : forall a:array 'a, i j :int.
       i < j ->
       (elements a i j) = (add a[j-1] (elements a i (j-1)))

lemma Elements_singleton : forall a:array 'a, i j:int.
     j = i + 1 ->
       (elements a i j) = (singleton a[i])

lemma Elements_union : forall a:array 'a, i j k:int.
     i <= j <= k  ->
      (elements a i k) = (union (elements a i j) (elements a j k))

lemma Elements_add1 : forall a:array 'a, i j :int.
      i < j ->
      (elements a i j) = (add a[i] (elements a (i+1) j))

lemma Elements_remove_last: forall a:array 'a, i j :int.
      i < j-1 ->
      (elements a i (j-1)) = diff (elements a i j) (singleton a[j-1])

lemma Occ_elements: forall a:array 'a, i j n:int.
       i <= j < n ->
         nb_occ a[j] (elements a i n) > 0

let rec lemma elements_set_outside (a:array 'a) (i j:int)
  requires { i <= j }
  variant { j - i }
  ensures { forall k : int. (k < i || k >= j) ->
            forall e:'a. (elements (a[k <- e]) i j) = (elements a i j) }
= if j > i then elements_set_outside a i (j-1)

lemma Elements_set_inside : forall a:array 'a, i j n: int, e:'a, b:bag 'a.
       i <= j < n ->
       (elements a i n) = add a[j] b ->
       (elements (a[j <- e]) i n) = add e b

lemma Elements_set_inside2 : forall a:array 'a, i j n: int, e:'a.
       i <= j < n ->
       elements a[j <- e] i n =
          add e (diff (elements a i n) (singleton (a[j])))

end

(*
Local Variables:
compile-command: "why3ide -I . elements"
End:
*)why3-1.6.0/examples/vacid_0_binary_heaps/heap.why000066400000000000000000000057531440160026300217330ustar00rootroot00000000000000
module Appmap

  use map.Map
  use map.Const

  type key

  type t 'a = abstract { contents: map key 'a }

  val function create (x: 'a): t 'a
    ensures { result.contents = const x }

  val function ([]) (m: t 'a) (k: key): 'a
    ensures { result = m.contents[k] }

  val function ([<-]) (m: t 'a) (k: key) (v: 'a): t 'a
    ensures { result.contents = m.contents[k <- v] }

end

theory Heap

use int.Int
use int.ComputerDivision

function left(i:int) : int = 2*i+1
function right(i:int) : int = 2*i+2
function parent(i:int) : int = div (i-1) 2

lemma Parent_inf: forall i:int. 0 < i -> parent i < i
lemma Left_sup: forall i:int. 0 <= i -> i < left i
lemma Right_sup: forall i:int. 0 <= i -> i < right i
lemma Parent_right:forall i:int. 0 <= i -> parent (right i) = i
lemma Parent_left:forall i:int. 0 <= i ->  parent (left i) = i
lemma Inf_parent: forall i j: int. 0 < j <= right i -> parent j <= i
lemma Child_parent:forall i:int. 0 < i ->
        i = left (parent i) || i = right (parent i)
lemma Parent_pos: forall j: int. 0 < j -> 0 <= parent j

predicate parentChild (i: int) (j: int) =
    0 <= i < j -> (j = left i) || (j = right i)


clone import Appmap as A with type key = int
type map = A.t int
type logic_heap = (map, int)

predicate is_heap_array (a: map) (idx: int) (sz: int) =
    0 <= idx -> forall i j: int.
      idx <= i < j < sz ->
      parentChild i j ->
      a[i] <= a[j]

predicate is_heap (h : logic_heap) =
   let (a, sz) = h in sz >= 0 /\ is_heap_array a 0 sz

lemma Is_heap_when_no_element :
  forall a:map, idx  n: int.  0 <= n <= idx -> is_heap_array a idx n

lemma Is_heap_sub :
  forall a:map, i n :int.
    is_heap_array a i n ->
     forall j: int.  i <= j <= n -> is_heap_array a i j

lemma Is_heap_sub2 :
  forall a:map, n :int.
    is_heap_array a 0 n ->
     forall j: int.  0 <= j <= n -> is_heap_array a j n

lemma Is_heap_when_node_modified :
  forall a:map, n e idx i:int. 0 <= i < n ->
     is_heap_array a idx n ->
     (i > 0 -> a[parent i] <= e ) ->
     (left i < n -> e <= a[left i]) ->
     (right i < n -> e <= a[right i]) ->
     is_heap_array (a[i <- e]) idx n

lemma Is_heap_add_last :
  forall a:map, n e:int. n > 0 ->
    is_heap_array a 0 n /\ (e >= a[parent n]) ->
    is_heap_array (a[n <- e]) 0 (n + 1)

lemma Parent_inf_el:
     forall a: map, n: int.
       is_heap_array a 0 n ->
        forall j:int. 0 < j < n  -> a[parent j] <= a[j]

lemma Left_sup_el:
     forall a: map, n: int.
       is_heap_array a 0 n ->
        forall j: int. 0 <= j < n  -> left j < n ->
          a[j] <= a[left j]

lemma Right_sup_el:
     forall a: map, n: int.
       is_heap_array a 0 n ->
        forall j: int. 0 <= j < n -> right j < n ->
           a[j] <= a[right j]

let rec lemma is_heap_relation (a:map) (n :int) (j:int)
   requires { n > 0 }
   requires { is_heap_array a 0 n }
   requires { 0 <= j < n }
   variant { j }
   ensures  { a[0] <= a[j] }
 = if j > 0 then begin
     is_heap_relation a n (parent j)
   end

end

(*
Local Variables:
compile-command: "why3ide -I . proofs"
End:
*)
why3-1.6.0/examples/vacid_0_binary_heaps/heap_implem.mlw000066400000000000000000000105571440160026300232640ustar00rootroot00000000000000
module Implementation

use int.Int
use int.ComputerDivision
(*use map.Map*)

use heap_model.Model
use bag_of_integers.Bag_integers
use elements.Elements
use heap.Heap

let rec lemma is_heap_min (a:map) (n :int)
  requires { n > 0 }
  requires { is_heap_array a 0 n }
  variant { n }
  ensures { A.([]) a 0 = min_bag (model (a, n)) }
= if n > 1 then is_heap_min a (n-1)

use ref.Ref

(* implementation of heaps *)
let create () : ref logic_heap
  ensures { is_heap !result /\ model !result = empty_bag }
  = let x = (A.create 0, 0) in ref x

exception Break

let insert (this : ref logic_heap) (e : int) : unit
  requires { is_heap !this }
  ensures { is_heap !this /\ model !this = add e (model (old !this)) }
= let (a, n) = !this in
  let arr = ref a in
  let i = ref n in
  try
  while !i > 0 do
    invariant {
      0 <= !i <= n /\
      (!i = n ->
         is_heap_array !arr 0 n  /\
         model (!arr, n) = model (a, n)) /\
      (!i < n ->
         is_heap_array !arr 0 (n + 1) /\
         A.([]) !arr !i > e /\
         model (!arr, n+1) = add (A.([]) !arr !i) (model (a, n)))
    }
    variant { !i }
    let parent = div (!i - 1) 2 in
    let p = A.([]) !arr parent in
    if (e >= p) then raise Break;
    arr := A.([<-]) !arr !i p;
    i := parent
  done
  with Break -> ()
  end;
  arr := A.([<-]) !arr !i e;
  this := (!arr, n + 1);
  assert { 0 < !i < n -> is_heap !this };
  assert { !i < n -> model !this = add e (model (a,n)) }

let extractMin (this : ref logic_heap) : int
requires { model !this <> empty_bag /\ is_heap !this }
ensures { is_heap !this /\
  result = min_bag (model (old !this)) /\
  model (old !this) = add result (model !this) }
= let (a, n) = !this in
  assert {n > 0};
  let min = A.([]) a 0 in
  let n' = n-1 in
  let last = A.([]) a n' in
  assert { n' > 0 -> nb_occ last (diff (model (a,n))
                        (singleton min)) > 0 } ;
  let arr = ref a in
  let i = ref 0 in
  try
    while !i < n' do
      invariant {
        0 <= !i /\
        (n' > 0 -> !i < n') /\
        is_heap_array !arr 0 n' /\
        (!i = 0 -> !arr = a) /\
        (n' > 0 ->
          elements !arr.A.contents 0 n' =
            add (A.([]) !arr !i) (diff (diff (model (a,n))
                 (singleton last))
               (singleton min))) /\
        (!i > 0 -> A.([]) !arr (parent !i) < last) }
      variant {n' - !i}
      let left = 2 * !i + 1 in
      let right = 2 * !i + 2 in
      if (left >= n') then raise Break;
      let smaller = ref left in
      if right < n' then
        if A.([]) !arr left > A.([]) !arr right then smaller := right;
      if last <= A.([]) !arr !smaller then raise Break;
      arr := A.([<-]) !arr !i (A.([]) !arr !smaller);
      i := !smaller
    done;
    assert { n' = 0 }
  with Break -> ()
  end;
  if !i < n' then
    begin
      arr := A.([<-]) !arr !i last;
      assert { !i > 0 -> is_heap_array !arr 0 n' };
      assert { is_heap_array !arr 0 n' };
      assert { n' > 0 -> elements !arr.A.contents 0 n' =
                  (diff (model (a,n)) (singleton min)) }
    end;
  this := (!arr, n');
  min

(*

let extractMin0 (this : ref logic_heap) : int
requires { model !this <> empty_bag }
ensures  { model !this = diff (model (old !this)) (singleton result) }
= let (a, n) = !this in
  assert {n > 0};
  let min = a[0] in
  let n' = n-1 in
  let last = a[n'] in
  assert { n' > 0 -> nb_occ last (diff (model (a,n))
                        (singleton min)) > 0 } ;
  let arr = ref a in
  let i = ref 0 in
  try
    while ( !i < n') do
      invariant {
        0 <= !i /\
        (n' > 0 -> !i < n') /\
        (!i = 0 -> !arr = a) /\
        (n' > 0 ->
          elements !arr 0 n' =
            add !arr[!i] (diff (diff (model (a,n))
                 (singleton last))
               (singleton min))) /\
        (!i > 0 -> !arr[parent !i] < last) }
      variant {n' - !i}
      let left = 2 * !i + 1 in
      let right = 2 * !i + 2 in
      if (left >= n') then raise Break;
      let smaller = ref left in
      if right < n' then
        if !arr[left] > !arr[right]
          then smaller := right;
      if last <= !arr[!smaller] then raise Break;
      arr := !arr[!i <- !arr[!smaller]];
      i := !smaller
    done;
    assert { n' = 0 }
  with Break -> ()
  end;
  if !i < n' then
    begin
      arr := !arr[!i <- last];
      assert { n' > 0 -> elements !arr 0 n' =
                  (diff (model (a,n)) (singleton min)) }
    end;
  this := (!arr, n');
  min
*)

end
why3-1.6.0/examples/vacid_0_binary_heaps/heap_model.why000066400000000000000000000012321440160026300230770ustar00rootroot00000000000000theory Model

use int.Int
(*use map.Map*)

use bag.Bag
use elements.Elements
use heap.Heap

function model (h:logic_heap): (bag int) =
   let (a,n) = h in elements a.A.contents 0 n

lemma Model_empty :
   forall a: map. model (a,0) = empty_bag

lemma Model_singleton : forall a: map. model (a,1) = singleton(A.([]) a 0)

lemma Model_set :
  forall a: map, v: int, i n: int.
    0 <= i < n ->
        add (A.([]) a i) (model (A.([<-]) a i v, n)) =
        add v (model (a, n))

lemma Model_add_last:
 forall a: map, n: int. n >= 0 ->
   model (a, n+1) = add (A.([]) a n) (model (a, n))

end

(*
Local Variables:
compile-command: "why3ide -I . heap_model.why"
End:
*)
why3-1.6.0/examples/vacid_0_binary_heaps/heapsort.mlw000066400000000000000000000022511440160026300226210ustar00rootroot00000000000000
module HeapSort

(**** logic declarations *****)
use int.Int
use elements.Elements
use bag.Bag
use bag_of_integers.Bag_integers

use ref.Ref
use array.Array
use array.IntArraySorted
use abstract_heap.AbstractHeap

let rec lemma min_of_sorted (a: int -> int) (i n: int)
   requires { 0 <= i < n }
   requires { M.sorted_sub a 0 n }
   variant  { n }
   ensures  { min_bag (elements a i n) = a i }
 = if n > 0 && i < n - 1 then min_of_sorted a i (n-1)

(* heap sort *)

let heapSort (a : array int)
  requires { length a >= 0 }
  ensures  { sorted a /\
    elements a.elts 0 (length a) =
      elements (old a.elts) 0 (length a) }
= let len = length a in
  let h = create len in

   for i = 0 to len-1 do
    invariant
      { 0 <= i <= len /\
        card (model !h) = i /\
	model !h = elements a.elts 0 i }
  insert h a[i]
  done;

  for i = 0 to len-1 do
   invariant
     { 0 <= i <= len /\
       card (model !h) = len - i /\
       elements (old a.elts) 0 len =
         union (model !h) (elements a.elts 0 i) /\
       sorted_sub a 0 i /\
       forall j:int. 0 <= j < i -> a[j] <= min_bag (model !h)
     }
   a[i] <- extractMin h;
   assert { a[i] <=  min_bag (model !h) }
  done

end
why3-1.6.0/examples/vacid_0_binary_heaps/proofs/000077500000000000000000000000001440160026300215635ustar00rootroot00000000000000why3-1.6.0/examples/vacid_0_binary_heaps/proofs/elements_Elements_Elements_add1_1.v000066400000000000000000000137621440160026300304000ustar00rootroot00000000000000(* This file is generated by Why3's Coq driver *)
(* Beware! Only edit allowed sections below    *)
Require Import BuiltIn.
Require BuiltIn.
Require HighOrd.
Require int.Int.
Require int.MinMax.
Require map.Map.

Axiom bag : forall (a:Type), Type.
Parameter bag_WhyType : forall (a:Type) {a_WT:WhyType a}, WhyType (bag a).
Existing Instance bag_WhyType.

Parameter nb_occ: forall {a:Type} {a_WT:WhyType a}, a -> (bag a) -> Z.

Axiom occ_non_negative :
  forall {a:Type} {a_WT:WhyType a},
  forall (b:bag a) (x:a), (0%Z <= (nb_occ x b))%Z.

(* Why3 assumption *)
Definition mem {a:Type} {a_WT:WhyType a} (x:a) (b:bag a) : Prop :=
  (0%Z < (nb_occ x b))%Z.

(* Why3 assumption *)
Definition eq_bag {a:Type} {a_WT:WhyType a} (a1:bag a) (b:bag a) : Prop :=
  forall (x:a), ((nb_occ x a1) = (nb_occ x b)).

Axiom bag_extensionality :
  forall {a:Type} {a_WT:WhyType a},
  forall (a1:bag a) (b:bag a), (eq_bag a1 b) -> (a1 = b).

Parameter empty_bag: forall {a:Type} {a_WT:WhyType a}, bag a.

Axiom occ_empty :
  forall {a:Type} {a_WT:WhyType a},
  forall (x:a), ((nb_occ x (empty_bag : bag a)) = 0%Z).

Axiom is_empty :
  forall {a:Type} {a_WT:WhyType a},
  forall (b:bag a), (forall (x:a), ((nb_occ x b) = 0%Z)) ->
  (b = (empty_bag : bag a)).

Parameter singleton: forall {a:Type} {a_WT:WhyType a}, a -> bag a.

Axiom occ_singleton :
  forall {a:Type} {a_WT:WhyType a},
  forall (x:a) (y:a),
  ((x = y) /\ ((nb_occ y (singleton x)) = 1%Z)) \/
  (~ (x = y) /\ ((nb_occ y (singleton x)) = 0%Z)).

Axiom occ_singleton_eq :
  forall {a:Type} {a_WT:WhyType a},
  forall (x:a) (y:a), (x = y) -> ((nb_occ y (singleton x)) = 1%Z).

Axiom occ_singleton_neq :
  forall {a:Type} {a_WT:WhyType a},
  forall (x:a) (y:a), ~ (x = y) -> ((nb_occ y (singleton x)) = 0%Z).

Parameter union:
  forall {a:Type} {a_WT:WhyType a}, (bag a) -> (bag a) -> bag a.

Axiom occ_union :
  forall {a:Type} {a_WT:WhyType a},
  forall (x:a) (a1:bag a) (b:bag a),
  ((nb_occ x (union a1 b)) = ((nb_occ x a1) + (nb_occ x b))%Z).

Axiom Union_comm :
  forall {a:Type} {a_WT:WhyType a},
  forall (a1:bag a) (b:bag a), ((union a1 b) = (union b a1)).

Axiom Union_identity :
  forall {a:Type} {a_WT:WhyType a},
  forall (a1:bag a), ((union a1 (empty_bag : bag a)) = a1).

Axiom Union_assoc :
  forall {a:Type} {a_WT:WhyType a},
  forall (a1:bag a) (b:bag a) (c:bag a),
  ((union a1 (union b c)) = (union (union a1 b) c)).

Axiom bag_simpl_right :
  forall {a:Type} {a_WT:WhyType a},
  forall (a1:bag a) (b:bag a) (c:bag a), ((union a1 b) = (union c b)) ->
  (a1 = c).

Axiom bag_simpl_left :
  forall {a:Type} {a_WT:WhyType a},
  forall (a1:bag a) (b:bag a) (c:bag a), ((union a1 b) = (union a1 c)) ->
  (b = c).

(* Why3 assumption *)
Definition add {a:Type} {a_WT:WhyType a} (x:a) (b:bag a) : bag a :=
  union (singleton x) b.

Axiom occ_add_eq :
  forall {a:Type} {a_WT:WhyType a},
  forall (b:bag a) (x:a) (y:a), (x = y) ->
  ((nb_occ y (add x b)) = ((nb_occ y b) + 1%Z)%Z).

Axiom occ_add_neq :
  forall {a:Type} {a_WT:WhyType a},
  forall (b:bag a) (x:a) (y:a), ~ (x = y) ->
  ((nb_occ y (add x b)) = (nb_occ y b)).

Parameter card: forall {a:Type} {a_WT:WhyType a}, (bag a) -> Z.

Axiom Card_nonneg :
  forall {a:Type} {a_WT:WhyType a}, forall (x:bag a), (0%Z <= (card x))%Z.

Axiom Card_empty :
  forall {a:Type} {a_WT:WhyType a}, ((card (empty_bag : bag a)) = 0%Z).

Axiom Card_zero_empty :
  forall {a:Type} {a_WT:WhyType a},
  forall (x:bag a), ((card x) = 0%Z) -> (x = (empty_bag : bag a)).

Axiom Card_singleton :
  forall {a:Type} {a_WT:WhyType a},
  forall (x:a), ((card (singleton x)) = 1%Z).

Axiom Card_union :
  forall {a:Type} {a_WT:WhyType a},
  forall (x:bag a) (y:bag a), ((card (union x y)) = ((card x) + (card y))%Z).

Axiom Card_add :
  forall {a:Type} {a_WT:WhyType a},
  forall (x:a) (b:bag a), ((card (add x b)) = (1%Z + (card b))%Z).

Parameter diff:
  forall {a:Type} {a_WT:WhyType a}, (bag a) -> (bag a) -> bag a.

Axiom Diff_occ :
  forall {a:Type} {a_WT:WhyType a},
  forall (b1:bag a) (b2:bag a) (x:a),
  ((nb_occ x (diff b1 b2)) =
   (ZArith.BinInt.Z.max 0%Z ((nb_occ x b1) - (nb_occ x b2))%Z)).

Axiom Diff_empty_right :
  forall {a:Type} {a_WT:WhyType a},
  forall (b:bag a), ((diff b (empty_bag : bag a)) = b).

Axiom Diff_empty_left :
  forall {a:Type} {a_WT:WhyType a},
  forall (b:bag a), ((diff (empty_bag : bag a) b) = (empty_bag : bag a)).

Axiom Diff_add :
  forall {a:Type} {a_WT:WhyType a},
  forall (b:bag a) (x:a), ((diff (add x b) (singleton x)) = b).

Axiom Diff_comm :
  forall {a:Type} {a_WT:WhyType a},
  forall (b:bag a) (b1:bag a) (b2:bag a),
  ((diff (diff b b1) b2) = (diff (diff b b2) b1)).

Axiom Add_diff :
  forall {a:Type} {a_WT:WhyType a},
  forall (b:bag a) (x:a), (mem x b) -> ((add x (diff b (singleton x))) = b).

Parameter choose: forall {a:Type} {a_WT:WhyType a}, (bag a) -> a.

Axiom choose_mem :
  forall {a:Type} {a_WT:WhyType a},
  forall (b:bag a), ~ ((empty_bag : bag a) = b) -> mem (choose b) b.

(* Why3 assumption *)
Definition array (a:Type) := Z -> a.

Parameter elements:
  forall {a:Type} {a_WT:WhyType a}, (Z -> a) -> Z -> Z -> bag a.

Axiom Elements_empty :
  forall {a:Type} {a_WT:WhyType a},
  forall (a1:Z -> a) (i:Z) (j:Z), (j <= i)%Z ->
  ((elements a1 i j) = (empty_bag : bag a)).

Axiom Elements_add :
  forall {a:Type} {a_WT:WhyType a},
  forall (a1:Z -> a) (i:Z) (j:Z), (i < j)%Z ->
  ((elements a1 i j) = (add (a1 (j - 1%Z)%Z) (elements a1 i (j - 1%Z)%Z))).

Axiom Elements_singleton :
  forall {a:Type} {a_WT:WhyType a},
  forall (a1:Z -> a) (i:Z) (j:Z), (j = (i + 1%Z)%Z) ->
  ((elements a1 i j) = (singleton (a1 i))).

Axiom Elements_union :
  forall {a:Type} {a_WT:WhyType a},
  forall (a1:Z -> a) (i:Z) (j:Z) (k:Z), ((i <= j)%Z /\ (j <= k)%Z) ->
  ((elements a1 i k) = (union (elements a1 i j) (elements a1 j k))).

(* Why3 goal *)
Theorem Elements_add1 {a:Type} {a_WT:WhyType a} :
  forall (a1:Z -> a) (i:Z) (j:Z), (i < j)%Z ->
  ((elements a1 i j) = (add (a1 i) (elements a1 (i + 1%Z)%Z j))).
Proof.
intros a1 i j h1.
unfold add.
pattern (elements a1 i j);
  rewrite (Elements_union _ _ (i+1)%Z);
  auto with zarith.
rewrite Elements_singleton; auto with zarith.
Qed.

why3-1.6.0/examples/vacid_0_binary_heaps/proofs/elements_Elements_Elements_set_inside_1.v000066400000000000000000000204221440160026300317040ustar00rootroot00000000000000(* This file is generated by Why3's Coq driver *)
(* Beware! Only edit allowed sections below    *)
Require Import BuiltIn.
Require BuiltIn.
Require HighOrd.
Require int.Int.
Require int.MinMax.
Require map.Map.

Axiom bag : forall (a:Type), Type.
Parameter bag_WhyType : forall (a:Type) {a_WT:WhyType a}, WhyType (bag a).
Existing Instance bag_WhyType.

Parameter nb_occ:
  forall {a:Type} {a_WT:WhyType a}, a -> bag a -> Numbers.BinNums.Z.

Axiom occ_non_negative :
  forall {a:Type} {a_WT:WhyType a},
  forall (b:bag a) (x:a), (0%Z <= (nb_occ x b))%Z.

(* Why3 assumption *)
Definition mem {a:Type} {a_WT:WhyType a} (x:a) (b:bag a) : Prop :=
  (0%Z < (nb_occ x b))%Z.

(* Why3 assumption *)
Definition eq_bag {a:Type} {a_WT:WhyType a} (a1:bag a) (b:bag a) : Prop :=
  forall (x:a), ((nb_occ x a1) = (nb_occ x b)).

Axiom bag_extensionality :
  forall {a:Type} {a_WT:WhyType a},
  forall (a1:bag a) (b:bag a), eq_bag a1 b -> (a1 = b).

Parameter empty_bag: forall {a:Type} {a_WT:WhyType a}, bag a.

Axiom occ_empty :
  forall {a:Type} {a_WT:WhyType a},
  forall (x:a), ((nb_occ x (empty_bag : bag a)) = 0%Z).

Axiom is_empty :
  forall {a:Type} {a_WT:WhyType a},
  forall (b:bag a), (forall (x:a), ((nb_occ x b) = 0%Z)) ->
  (b = (empty_bag : bag a)).

Parameter singleton: forall {a:Type} {a_WT:WhyType a}, a -> bag a.

Axiom occ_singleton :
  forall {a:Type} {a_WT:WhyType a},
  forall (x:a) (y:a),
  (x = y) /\ ((nb_occ y (singleton x)) = 1%Z) \/
  ~ (x = y) /\ ((nb_occ y (singleton x)) = 0%Z).

Axiom occ_singleton_eq :
  forall {a:Type} {a_WT:WhyType a},
  forall (x:a) (y:a), (x = y) -> ((nb_occ y (singleton x)) = 1%Z).

Axiom occ_singleton_neq :
  forall {a:Type} {a_WT:WhyType a},
  forall (x:a) (y:a), ~ (x = y) -> ((nb_occ y (singleton x)) = 0%Z).

Parameter union: forall {a:Type} {a_WT:WhyType a}, bag a -> bag a -> bag a.

Axiom occ_union :
  forall {a:Type} {a_WT:WhyType a},
  forall (x:a) (a1:bag a) (b:bag a),
  ((nb_occ x (union a1 b)) = ((nb_occ x a1) + (nb_occ x b))%Z).

Axiom Union_comm :
  forall {a:Type} {a_WT:WhyType a},
  forall (a1:bag a) (b:bag a), ((union a1 b) = (union b a1)).

Axiom Union_identity :
  forall {a:Type} {a_WT:WhyType a},
  forall (a1:bag a), ((union a1 (empty_bag : bag a)) = a1).

Axiom Union_assoc :
  forall {a:Type} {a_WT:WhyType a},
  forall (a1:bag a) (b:bag a) (c:bag a),
  ((union a1 (union b c)) = (union (union a1 b) c)).

Axiom bag_simpl_right :
  forall {a:Type} {a_WT:WhyType a},
  forall (a1:bag a) (b:bag a) (c:bag a), ((union a1 b) = (union c b)) ->
  (a1 = c).

Axiom bag_simpl_left :
  forall {a:Type} {a_WT:WhyType a},
  forall (a1:bag a) (b:bag a) (c:bag a), ((union a1 b) = (union a1 c)) ->
  (b = c).

(* Why3 assumption *)
Definition add {a:Type} {a_WT:WhyType a} (x:a) (b:bag a) : bag a :=
  union (singleton x) b.

Axiom occ_add_eq :
  forall {a:Type} {a_WT:WhyType a},
  forall (b:bag a) (x:a) (y:a), (x = y) ->
  ((nb_occ y (add x b)) = ((nb_occ y b) + 1%Z)%Z).

Axiom occ_add_neq :
  forall {a:Type} {a_WT:WhyType a},
  forall (b:bag a) (x:a) (y:a), ~ (x = y) ->
  ((nb_occ y (add x b)) = (nb_occ y b)).

Parameter card: forall {a:Type} {a_WT:WhyType a}, bag a -> Numbers.BinNums.Z.

Axiom Card_nonneg :
  forall {a:Type} {a_WT:WhyType a}, forall (x:bag a), (0%Z <= (card x))%Z.

Axiom Card_empty :
  forall {a:Type} {a_WT:WhyType a}, ((card (empty_bag : bag a)) = 0%Z).

Axiom Card_zero_empty :
  forall {a:Type} {a_WT:WhyType a},
  forall (x:bag a), ((card x) = 0%Z) -> (x = (empty_bag : bag a)).

Axiom Card_singleton :
  forall {a:Type} {a_WT:WhyType a},
  forall (x:a), ((card (singleton x)) = 1%Z).

Axiom Card_union :
  forall {a:Type} {a_WT:WhyType a},
  forall (x:bag a) (y:bag a), ((card (union x y)) = ((card x) + (card y))%Z).

Axiom Card_add :
  forall {a:Type} {a_WT:WhyType a},
  forall (x:a) (b:bag a), ((card (add x b)) = (1%Z + (card b))%Z).

Parameter diff: forall {a:Type} {a_WT:WhyType a}, bag a -> bag a -> bag a.

Axiom Diff_occ :
  forall {a:Type} {a_WT:WhyType a},
  forall (b1:bag a) (b2:bag a) (x:a),
  ((nb_occ x (diff b1 b2)) =
   (ZArith.BinInt.Z.max 0%Z ((nb_occ x b1) - (nb_occ x b2))%Z)).

Axiom Diff_empty_right :
  forall {a:Type} {a_WT:WhyType a},
  forall (b:bag a), ((diff b (empty_bag : bag a)) = b).

Axiom Diff_empty_left :
  forall {a:Type} {a_WT:WhyType a},
  forall (b:bag a), ((diff (empty_bag : bag a) b) = (empty_bag : bag a)).

Axiom Diff_add :
  forall {a:Type} {a_WT:WhyType a},
  forall (b:bag a) (x:a), ((diff (add x b) (singleton x)) = b).

Axiom Diff_comm :
  forall {a:Type} {a_WT:WhyType a},
  forall (b:bag a) (b1:bag a) (b2:bag a),
  ((diff (diff b b1) b2) = (diff (diff b b2) b1)).

Axiom Add_diff :
  forall {a:Type} {a_WT:WhyType a},
  forall (b:bag a) (x:a), mem x b -> ((add x (diff b (singleton x))) = b).

Parameter choose: forall {a:Type} {a_WT:WhyType a}, bag a -> a.

Axiom choose_mem :
  forall {a:Type} {a_WT:WhyType a},
  forall (b:bag a), ~ ((empty_bag : bag a) = b) -> mem (choose b) b.

(* Why3 assumption *)
Definition array (a:Type) := Numbers.BinNums.Z -> a.

Parameter elements:
  forall {a:Type} {a_WT:WhyType a}, (Numbers.BinNums.Z -> a) ->
  Numbers.BinNums.Z -> Numbers.BinNums.Z -> bag a.

Axiom Elements_empty :
  forall {a:Type} {a_WT:WhyType a},
  forall (a1:Numbers.BinNums.Z -> a) (i:Numbers.BinNums.Z)
    (j:Numbers.BinNums.Z),
  (j <= i)%Z -> ((elements a1 i j) = (empty_bag : bag a)).

Axiom Elements_add :
  forall {a:Type} {a_WT:WhyType a},
  forall (a1:Numbers.BinNums.Z -> a) (i:Numbers.BinNums.Z)
    (j:Numbers.BinNums.Z),
  (i < j)%Z ->
  ((elements a1 i j) = (add (a1 (j - 1%Z)%Z) (elements a1 i (j - 1%Z)%Z))).

Axiom Elements_singleton :
  forall {a:Type} {a_WT:WhyType a},
  forall (a1:Numbers.BinNums.Z -> a) (i:Numbers.BinNums.Z)
    (j:Numbers.BinNums.Z),
  (j = (i + 1%Z)%Z) -> ((elements a1 i j) = (singleton (a1 i))).

Axiom Elements_union :
  forall {a:Type} {a_WT:WhyType a},
  forall (a1:Numbers.BinNums.Z -> a) (i:Numbers.BinNums.Z)
    (j:Numbers.BinNums.Z) (k:Numbers.BinNums.Z),
  (i <= j)%Z /\ (j <= k)%Z ->
  ((elements a1 i k) = (union (elements a1 i j) (elements a1 j k))).

Axiom Elements_add1 :
  forall {a:Type} {a_WT:WhyType a},
  forall (a1:Numbers.BinNums.Z -> a) (i:Numbers.BinNums.Z)
    (j:Numbers.BinNums.Z),
  (i < j)%Z -> ((elements a1 i j) = (add (a1 i) (elements a1 (i + 1%Z)%Z j))).

Axiom Elements_remove_last :
  forall {a:Type} {a_WT:WhyType a},
  forall (a1:Numbers.BinNums.Z -> a) (i:Numbers.BinNums.Z)
    (j:Numbers.BinNums.Z),
  (i < (j - 1%Z)%Z)%Z ->
  ((elements a1 i (j - 1%Z)%Z) =
   (diff (elements a1 i j) (singleton (a1 (j - 1%Z)%Z)))).

Axiom Occ_elements :
  forall {a:Type} {a_WT:WhyType a},
  forall (a1:Numbers.BinNums.Z -> a) (i:Numbers.BinNums.Z)
    (j:Numbers.BinNums.Z) (n:Numbers.BinNums.Z),
  (i <= j)%Z /\ (j < n)%Z -> (0%Z < (nb_occ (a1 j) (elements a1 i n)))%Z.

Axiom elements_set_outside :
  forall {a:Type} {a_WT:WhyType a},
  forall (a1:Numbers.BinNums.Z -> a) (i:Numbers.BinNums.Z)
    (j:Numbers.BinNums.Z),
  (i <= j)%Z -> forall (k:Numbers.BinNums.Z), (k < i)%Z \/ (j <= k)%Z ->
  forall (e:a), ((elements (map.Map.set a1 k e) i j) = (elements a1 i j)).

(* Why3 goal *)
Theorem Elements_set_inside {a:Type} {a_WT:WhyType a} :
  forall (a1:Numbers.BinNums.Z -> a) (i:Numbers.BinNums.Z)
    (j:Numbers.BinNums.Z) (n:Numbers.BinNums.Z) (e:a) (b:bag a),
  (i <= j)%Z /\ (j < n)%Z -> ((elements a1 i n) = (add (a1 j) b)) ->
  ((elements (map.Map.set a1 j e) i n) = (add e b)).
(* Why3 intros a1 i j n e b (h1,h2) h3. *)
Proof.
rename a into X.
intros a i j n e b Hi H.
apply bag_simpl_left with (a1:=(add (a j) empty_bag)).
replace (add e b) with (union b (add e empty_bag)).
2: rewrite Union_comm ; unfold add ; rewrite Union_identity; auto.
rewrite Union_assoc.
unfold add; rewrite Union_identity.
unfold add in H; rewrite <- H; clear H.
rewrite (Elements_union _ _ j); auto with zarith.
rewrite elements_set_outside; auto with zarith.
pattern (elements (Map.set a j e) j n); rewrite Elements_add1; auto with zarith.
rewrite elements_set_outside; auto with zarith.
rewrite (Elements_union _ i j n); auto with zarith.
rewrite (proj1 (Map.set'def _ _ _ _)); auto with zarith.
pattern (elements a j n); rewrite Elements_add1; auto with zarith.
(* AC1 equality *)
rewrite Union_identity.
rewrite Union_assoc.
pattern (union (singleton (a j)) (elements a i j)); rewrite Union_comm.
rewrite <- Union_assoc.
rewrite <- Union_assoc.
apply f_equal.
unfold add.
rewrite <- Union_assoc.
apply f_equal.
apply Union_comm.
Qed.

why3-1.6.0/examples/vacid_0_binary_heaps/proofs/elements_Elements_Elements_union_1.v000066400000000000000000000143551440160026300307160ustar00rootroot00000000000000(* This file is generated by Why3's Coq driver *)
(* Beware! Only edit allowed sections below    *)
Require Import BuiltIn.
Require BuiltIn.
Require HighOrd.
Require int.Int.
Require int.MinMax.
Require map.Map.

Axiom bag : forall (a:Type), Type.
Parameter bag_WhyType : forall (a:Type) {a_WT:WhyType a}, WhyType (bag a).
Existing Instance bag_WhyType.

Parameter nb_occ: forall {a:Type} {a_WT:WhyType a}, a -> (bag a) -> Z.

Axiom occ_non_negative :
  forall {a:Type} {a_WT:WhyType a},
  forall (b:bag a) (x:a), (0%Z <= (nb_occ x b))%Z.

(* Why3 assumption *)
Definition mem {a:Type} {a_WT:WhyType a} (x:a) (b:bag a) : Prop :=
  (0%Z < (nb_occ x b))%Z.

(* Why3 assumption *)
Definition eq_bag {a:Type} {a_WT:WhyType a} (a1:bag a) (b:bag a) : Prop :=
  forall (x:a), ((nb_occ x a1) = (nb_occ x b)).

Axiom bag_extensionality :
  forall {a:Type} {a_WT:WhyType a},
  forall (a1:bag a) (b:bag a), (eq_bag a1 b) -> (a1 = b).

Parameter empty_bag: forall {a:Type} {a_WT:WhyType a}, bag a.

Axiom occ_empty :
  forall {a:Type} {a_WT:WhyType a},
  forall (x:a), ((nb_occ x (empty_bag : bag a)) = 0%Z).

Axiom is_empty :
  forall {a:Type} {a_WT:WhyType a},
  forall (b:bag a), (forall (x:a), ((nb_occ x b) = 0%Z)) ->
  (b = (empty_bag : bag a)).

Parameter singleton: forall {a:Type} {a_WT:WhyType a}, a -> bag a.

Axiom occ_singleton :
  forall {a:Type} {a_WT:WhyType a},
  forall (x:a) (y:a),
  ((x = y) /\ ((nb_occ y (singleton x)) = 1%Z)) \/
  (~ (x = y) /\ ((nb_occ y (singleton x)) = 0%Z)).

Axiom occ_singleton_eq :
  forall {a:Type} {a_WT:WhyType a},
  forall (x:a) (y:a), (x = y) -> ((nb_occ y (singleton x)) = 1%Z).

Axiom occ_singleton_neq :
  forall {a:Type} {a_WT:WhyType a},
  forall (x:a) (y:a), ~ (x = y) -> ((nb_occ y (singleton x)) = 0%Z).

Parameter union:
  forall {a:Type} {a_WT:WhyType a}, (bag a) -> (bag a) -> bag a.

Axiom occ_union :
  forall {a:Type} {a_WT:WhyType a},
  forall (x:a) (a1:bag a) (b:bag a),
  ((nb_occ x (union a1 b)) = ((nb_occ x a1) + (nb_occ x b))%Z).

Axiom Union_comm :
  forall {a:Type} {a_WT:WhyType a},
  forall (a1:bag a) (b:bag a), ((union a1 b) = (union b a1)).

Axiom Union_identity :
  forall {a:Type} {a_WT:WhyType a},
  forall (a1:bag a), ((union a1 (empty_bag : bag a)) = a1).

Axiom Union_assoc :
  forall {a:Type} {a_WT:WhyType a},
  forall (a1:bag a) (b:bag a) (c:bag a),
  ((union a1 (union b c)) = (union (union a1 b) c)).

Axiom bag_simpl_right :
  forall {a:Type} {a_WT:WhyType a},
  forall (a1:bag a) (b:bag a) (c:bag a), ((union a1 b) = (union c b)) ->
  (a1 = c).

Axiom bag_simpl_left :
  forall {a:Type} {a_WT:WhyType a},
  forall (a1:bag a) (b:bag a) (c:bag a), ((union a1 b) = (union a1 c)) ->
  (b = c).

(* Why3 assumption *)
Definition add {a:Type} {a_WT:WhyType a} (x:a) (b:bag a) : bag a :=
  union (singleton x) b.

Axiom occ_add_eq :
  forall {a:Type} {a_WT:WhyType a},
  forall (b:bag a) (x:a) (y:a), (x = y) ->
  ((nb_occ y (add x b)) = ((nb_occ y b) + 1%Z)%Z).

Axiom occ_add_neq :
  forall {a:Type} {a_WT:WhyType a},
  forall (b:bag a) (x:a) (y:a), ~ (x = y) ->
  ((nb_occ y (add x b)) = (nb_occ y b)).

Parameter card: forall {a:Type} {a_WT:WhyType a}, (bag a) -> Z.

Axiom Card_nonneg :
  forall {a:Type} {a_WT:WhyType a}, forall (x:bag a), (0%Z <= (card x))%Z.

Axiom Card_empty :
  forall {a:Type} {a_WT:WhyType a}, ((card (empty_bag : bag a)) = 0%Z).

Axiom Card_zero_empty :
  forall {a:Type} {a_WT:WhyType a},
  forall (x:bag a), ((card x) = 0%Z) -> (x = (empty_bag : bag a)).

Axiom Card_singleton :
  forall {a:Type} {a_WT:WhyType a},
  forall (x:a), ((card (singleton x)) = 1%Z).

Axiom Card_union :
  forall {a:Type} {a_WT:WhyType a},
  forall (x:bag a) (y:bag a), ((card (union x y)) = ((card x) + (card y))%Z).

Axiom Card_add :
  forall {a:Type} {a_WT:WhyType a},
  forall (x:a) (b:bag a), ((card (add x b)) = (1%Z + (card b))%Z).

Parameter diff:
  forall {a:Type} {a_WT:WhyType a}, (bag a) -> (bag a) -> bag a.

Axiom Diff_occ :
  forall {a:Type} {a_WT:WhyType a},
  forall (b1:bag a) (b2:bag a) (x:a),
  ((nb_occ x (diff b1 b2)) =
   (ZArith.BinInt.Z.max 0%Z ((nb_occ x b1) - (nb_occ x b2))%Z)).

Axiom Diff_empty_right :
  forall {a:Type} {a_WT:WhyType a},
  forall (b:bag a), ((diff b (empty_bag : bag a)) = b).

Axiom Diff_empty_left :
  forall {a:Type} {a_WT:WhyType a},
  forall (b:bag a), ((diff (empty_bag : bag a) b) = (empty_bag : bag a)).

Axiom Diff_add :
  forall {a:Type} {a_WT:WhyType a},
  forall (b:bag a) (x:a), ((diff (add x b) (singleton x)) = b).

Axiom Diff_comm :
  forall {a:Type} {a_WT:WhyType a},
  forall (b:bag a) (b1:bag a) (b2:bag a),
  ((diff (diff b b1) b2) = (diff (diff b b2) b1)).

Axiom Add_diff :
  forall {a:Type} {a_WT:WhyType a},
  forall (b:bag a) (x:a), (mem x b) -> ((add x (diff b (singleton x))) = b).

Parameter choose: forall {a:Type} {a_WT:WhyType a}, (bag a) -> a.

Axiom choose_mem :
  forall {a:Type} {a_WT:WhyType a},
  forall (b:bag a), ~ ((empty_bag : bag a) = b) -> mem (choose b) b.

(* Why3 assumption *)
Definition array (a:Type) := Z -> a.

Parameter elements:
  forall {a:Type} {a_WT:WhyType a}, (Z -> a) -> Z -> Z -> bag a.

Axiom Elements_empty :
  forall {a:Type} {a_WT:WhyType a},
  forall (a1:Z -> a) (i:Z) (j:Z), (j <= i)%Z ->
  ((elements a1 i j) = (empty_bag : bag a)).

Axiom Elements_add :
  forall {a:Type} {a_WT:WhyType a},
  forall (a1:Z -> a) (i:Z) (j:Z), (i < j)%Z ->
  ((elements a1 i j) = (add (a1 (j - 1%Z)%Z) (elements a1 i (j - 1%Z)%Z))).

Axiom Elements_singleton :
  forall {a:Type} {a_WT:WhyType a},
  forall (a1:Z -> a) (i:Z) (j:Z), (j = (i + 1%Z)%Z) ->
  ((elements a1 i j) = (singleton (a1 i))).

(* Why3 goal *)
Theorem Elements_union {a:Type} {a_WT:WhyType a} :
  forall (a1:Z -> a) (i:Z) (j:Z) (k:Z), ((i <= j)%Z /\ (j <= k)%Z) ->
  ((elements a1 i k) = (union (elements a1 i j) (elements a1 j k))).
Proof.
intros a1 i j k (h1,h2).
apply Zlt_lower_bound_ind with (z := j)
     (P := fun k => elements a1 i k = union (elements a1 i j) (elements a1 j k)); auto.
intros x H_ind H.
assert (h: (j = x \/ j < x)%Z) by omega.
  destruct h.
  (*  j = x *)
  subst x.
   rewrite (Elements_empty _ j); auto.
   rewrite Union_identity; auto.
   (* j < x *)
   rewrite (Elements_add _ j); auto.
   rewrite (Elements_add _ i); auto with zarith.
   unfold add.
   rewrite H_ind with (y := (x - 1)%Z); auto with zarith.
   apply bag_extensionality.
   intro z.
   repeat rewrite occ_union; auto with zarith.
Qed.

why3-1.6.0/examples/vacid_0_binary_heaps/proofs/elements_Elements_Occ_elements_1.v000066400000000000000000000150101440160026300303170ustar00rootroot00000000000000(* This file is generated by Why3's Coq driver *)
(* Beware! Only edit allowed sections below    *)
Require Import BuiltIn.
Require BuiltIn.
Require HighOrd.
Require int.Int.
Require int.MinMax.
Require map.Map.

Axiom bag : forall (a:Type), Type.
Parameter bag_WhyType : forall (a:Type) {a_WT:WhyType a}, WhyType (bag a).
Existing Instance bag_WhyType.

Parameter nb_occ: forall {a:Type} {a_WT:WhyType a}, a -> (bag a) -> Z.

Axiom occ_non_negative :
  forall {a:Type} {a_WT:WhyType a},
  forall (b:bag a) (x:a), (0%Z <= (nb_occ x b))%Z.

(* Why3 assumption *)
Definition mem {a:Type} {a_WT:WhyType a} (x:a) (b:bag a) : Prop :=
  (0%Z < (nb_occ x b))%Z.

(* Why3 assumption *)
Definition eq_bag {a:Type} {a_WT:WhyType a} (a1:bag a) (b:bag a) : Prop :=
  forall (x:a), ((nb_occ x a1) = (nb_occ x b)).

Axiom bag_extensionality :
  forall {a:Type} {a_WT:WhyType a},
  forall (a1:bag a) (b:bag a), (eq_bag a1 b) -> (a1 = b).

Parameter empty_bag: forall {a:Type} {a_WT:WhyType a}, bag a.

Axiom occ_empty :
  forall {a:Type} {a_WT:WhyType a},
  forall (x:a), ((nb_occ x (empty_bag : bag a)) = 0%Z).

Axiom is_empty :
  forall {a:Type} {a_WT:WhyType a},
  forall (b:bag a), (forall (x:a), ((nb_occ x b) = 0%Z)) ->
  (b = (empty_bag : bag a)).

Parameter singleton: forall {a:Type} {a_WT:WhyType a}, a -> bag a.

Axiom occ_singleton :
  forall {a:Type} {a_WT:WhyType a},
  forall (x:a) (y:a),
  ((x = y) /\ ((nb_occ y (singleton x)) = 1%Z)) \/
  (~ (x = y) /\ ((nb_occ y (singleton x)) = 0%Z)).

Axiom occ_singleton_eq :
  forall {a:Type} {a_WT:WhyType a},
  forall (x:a) (y:a), (x = y) -> ((nb_occ y (singleton x)) = 1%Z).

Axiom occ_singleton_neq :
  forall {a:Type} {a_WT:WhyType a},
  forall (x:a) (y:a), ~ (x = y) -> ((nb_occ y (singleton x)) = 0%Z).

Parameter union:
  forall {a:Type} {a_WT:WhyType a}, (bag a) -> (bag a) -> bag a.

Axiom occ_union :
  forall {a:Type} {a_WT:WhyType a},
  forall (x:a) (a1:bag a) (b:bag a),
  ((nb_occ x (union a1 b)) = ((nb_occ x a1) + (nb_occ x b))%Z).

Axiom Union_comm :
  forall {a:Type} {a_WT:WhyType a},
  forall (a1:bag a) (b:bag a), ((union a1 b) = (union b a1)).

Axiom Union_identity :
  forall {a:Type} {a_WT:WhyType a},
  forall (a1:bag a), ((union a1 (empty_bag : bag a)) = a1).

Axiom Union_assoc :
  forall {a:Type} {a_WT:WhyType a},
  forall (a1:bag a) (b:bag a) (c:bag a),
  ((union a1 (union b c)) = (union (union a1 b) c)).

Axiom bag_simpl_right :
  forall {a:Type} {a_WT:WhyType a},
  forall (a1:bag a) (b:bag a) (c:bag a), ((union a1 b) = (union c b)) ->
  (a1 = c).

Axiom bag_simpl_left :
  forall {a:Type} {a_WT:WhyType a},
  forall (a1:bag a) (b:bag a) (c:bag a), ((union a1 b) = (union a1 c)) ->
  (b = c).

(* Why3 assumption *)
Definition add {a:Type} {a_WT:WhyType a} (x:a) (b:bag a) : bag a :=
  union (singleton x) b.

Axiom occ_add_eq :
  forall {a:Type} {a_WT:WhyType a},
  forall (b:bag a) (x:a) (y:a), (x = y) ->
  ((nb_occ y (add x b)) = ((nb_occ y b) + 1%Z)%Z).

Axiom occ_add_neq :
  forall {a:Type} {a_WT:WhyType a},
  forall (b:bag a) (x:a) (y:a), ~ (x = y) ->
  ((nb_occ y (add x b)) = (nb_occ y b)).

Parameter card: forall {a:Type} {a_WT:WhyType a}, (bag a) -> Z.

Axiom Card_nonneg :
  forall {a:Type} {a_WT:WhyType a}, forall (x:bag a), (0%Z <= (card x))%Z.

Axiom Card_empty :
  forall {a:Type} {a_WT:WhyType a}, ((card (empty_bag : bag a)) = 0%Z).

Axiom Card_zero_empty :
  forall {a:Type} {a_WT:WhyType a},
  forall (x:bag a), ((card x) = 0%Z) -> (x = (empty_bag : bag a)).

Axiom Card_singleton :
  forall {a:Type} {a_WT:WhyType a},
  forall (x:a), ((card (singleton x)) = 1%Z).

Axiom Card_union :
  forall {a:Type} {a_WT:WhyType a},
  forall (x:bag a) (y:bag a), ((card (union x y)) = ((card x) + (card y))%Z).

Axiom Card_add :
  forall {a:Type} {a_WT:WhyType a},
  forall (x:a) (b:bag a), ((card (add x b)) = (1%Z + (card b))%Z).

Parameter diff:
  forall {a:Type} {a_WT:WhyType a}, (bag a) -> (bag a) -> bag a.

Axiom Diff_occ :
  forall {a:Type} {a_WT:WhyType a},
  forall (b1:bag a) (b2:bag a) (x:a),
  ((nb_occ x (diff b1 b2)) =
   (ZArith.BinInt.Z.max 0%Z ((nb_occ x b1) - (nb_occ x b2))%Z)).

Axiom Diff_empty_right :
  forall {a:Type} {a_WT:WhyType a},
  forall (b:bag a), ((diff b (empty_bag : bag a)) = b).

Axiom Diff_empty_left :
  forall {a:Type} {a_WT:WhyType a},
  forall (b:bag a), ((diff (empty_bag : bag a) b) = (empty_bag : bag a)).

Axiom Diff_add :
  forall {a:Type} {a_WT:WhyType a},
  forall (b:bag a) (x:a), ((diff (add x b) (singleton x)) = b).

Axiom Diff_comm :
  forall {a:Type} {a_WT:WhyType a},
  forall (b:bag a) (b1:bag a) (b2:bag a),
  ((diff (diff b b1) b2) = (diff (diff b b2) b1)).

Axiom Add_diff :
  forall {a:Type} {a_WT:WhyType a},
  forall (b:bag a) (x:a), (mem x b) -> ((add x (diff b (singleton x))) = b).

Parameter choose: forall {a:Type} {a_WT:WhyType a}, (bag a) -> a.

Axiom choose_mem :
  forall {a:Type} {a_WT:WhyType a},
  forall (b:bag a), ~ ((empty_bag : bag a) = b) -> mem (choose b) b.

(* Why3 assumption *)
Definition array (a:Type) := Z -> a.

Parameter elements:
  forall {a:Type} {a_WT:WhyType a}, (Z -> a) -> Z -> Z -> bag a.

Axiom Elements_empty :
  forall {a:Type} {a_WT:WhyType a},
  forall (a1:Z -> a) (i:Z) (j:Z), (j <= i)%Z ->
  ((elements a1 i j) = (empty_bag : bag a)).

Axiom Elements_add :
  forall {a:Type} {a_WT:WhyType a},
  forall (a1:Z -> a) (i:Z) (j:Z), (i < j)%Z ->
  ((elements a1 i j) = (add (a1 (j - 1%Z)%Z) (elements a1 i (j - 1%Z)%Z))).

Axiom Elements_singleton :
  forall {a:Type} {a_WT:WhyType a},
  forall (a1:Z -> a) (i:Z) (j:Z), (j = (i + 1%Z)%Z) ->
  ((elements a1 i j) = (singleton (a1 i))).

Axiom Elements_union :
  forall {a:Type} {a_WT:WhyType a},
  forall (a1:Z -> a) (i:Z) (j:Z) (k:Z), ((i <= j)%Z /\ (j <= k)%Z) ->
  ((elements a1 i k) = (union (elements a1 i j) (elements a1 j k))).

Axiom Elements_add1 :
  forall {a:Type} {a_WT:WhyType a},
  forall (a1:Z -> a) (i:Z) (j:Z), (i < j)%Z ->
  ((elements a1 i j) = (add (a1 i) (elements a1 (i + 1%Z)%Z j))).

Axiom Elements_remove_last :
  forall {a:Type} {a_WT:WhyType a},
  forall (a1:Z -> a) (i:Z) (j:Z), (i < (j - 1%Z)%Z)%Z ->
  ((elements a1 i (j - 1%Z)%Z) =
   (diff (elements a1 i j) (singleton (a1 (j - 1%Z)%Z)))).

(* Why3 goal *)
Theorem Occ_elements {a:Type} {a_WT:WhyType a} :
  forall (a1:Z -> a) (i:Z) (j:Z) (n:Z), ((i <= j)%Z /\ (j < n)%Z) ->
  (0%Z < (nb_occ (a1 j) (elements a1 i n)))%Z.
Proof.
intros a1 i j n (h1,h2).
rewrite (Elements_union _ _ j); auto with zarith.
rewrite occ_union.
rewrite (Elements_add1 _ j n); auto with zarith.
rewrite occ_add_eq with (y := a1 j); auto.
generalize (occ_non_negative (elements a1 i j) (a1 j)).
generalize (occ_non_negative (elements a1 (j+1)n) (a1 j)).
omega.
Qed.

why3-1.6.0/examples/vacid_0_binary_heaps/proofs/why3session.xml000066400000000000000000000750361440160026300246160ustar00rootroot00000000000000










 
 
  
  
  
  
  
  
  
  
  
  
  
  
 
 
 
 
  
  
  
  
  
  
  
  
  
  
  
   
   
   
   
   
   
   
   
   
   
   
   
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
  
  
  
  
  
  
  
  
  
  
  
 
 





 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
 
 





 
 
 
 
 
 





 
 
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
 
 





 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
  
  
  
  
  
  
  
  
  
 
 
 
 
 
 
 
 





 
 
  
  
  
  
  
  
  
  
  
  
  
  
 
 
 
 
 
 
 
  
  
  
  
  
  
  
  
  
  
  
  
  
  
   
   
   
   
   
   
  
  
  
  
  
  
  
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
  
  
  
  
  
  
  
  
  
  
   
   
   
   
   
   
  
  
 
 
 
 
  
  
  
  
  
  
  
  
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
  
  
  
  
  
  
  
  
  
  
  
  
  
   
   
   
   
   
   
   
   
   
  
  
  
  
   
   
   
   
   
   
   
   
   
  
  
  
  
  
  
  
  
  
  
  
  
  
   
   
   
   
   
   
   
   
   
  
  
  
  
   
   
   
   
   
   
   
   
   
  
  
  
  
  
  
  
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
  
  
  
  
  
  
  
  
  
  
  
  
  
   
   
   
   
   
   
   
   
   
  
  
  
  
  
  
  
  
  
  
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
   
   
   
   
   
   
   
   
   
  
  
  
  
   
   
   
   
   
   
   
   
   
  
  
 
 








 
 
 
 
 
 
 
 
 
 
 
 



why3-1.6.0/examples/vacid_0_binary_heaps/proofs/why3shapes.gz000066400000000000000000000234511440160026300242300ustar00rootroot00000000000000}]o9~vwcnlaA}E6nXʪ,ْe@U$#N Y/wwKsq~؅Dom^D~U*vՎ޶UM}ڥgˮc7~c3^<ߟ_]+|
/SrU@߾t{^뛗&ݯS{ȿww{F"ߛ$t8[)Jxvv}k/ϴt_,?\Ҹߗ_'UifAW{v/7w}ʿr'|p62"!2t5o랳qF:>f}~_4Ov}7J-jb;z7spgˡ\\}A߾K?1Cr_U<…ҞeTκuUv/_#^A:"N:^:OPf CWO`r|囻AfuX?Ay4\hj7KpjC,F?ޡo@T@U[s{x;[iX(̡jZŐU䓝N?0DduZmo?p/G+RJ#/5Wۦ6E1oBl4wDZB.gntLy@KC'xTBiB6#ax8Bs6B;#N/E6hhWh/w\HH_H[?|44_4n0Ht E"S|E)@D/xbv+1FXr\{֗?ßC:U,6oqZy}X5[~rGbM:cS+>A0t]` ts>\6@!1;qF/XesC`OE{deubaxn5~hohZ8X
:ꃹ)ҭ15yQU-&Ceȫv[9]g*45Wh
Ma<|
-IeGd}U3˶M1\}T-w~r\
h*;R&Epͫ5)IDSOژګ~N̶wôem d_=8ǨPîvmj9~}=sºIV!HJ?O(<p#j[5?!9/6Ԋt4"m40HbiMY:YC->sw5ԡ>#QXK%}/(Pj{:l}5^&Ro X^\?
,;@Rd ,9E4+D'OprdgZ:$_3v-l@̢.VjzOsHYh]բi#0U,icM=u[íۙUKN~CwmnD!#vn6?՟Z~,D@UǼmিTTe/eB78r3Vwzg=ڻ4:4*^7z22; cd=e"cO0)!'M<<u.ݭjoQ{2}tn^'Ď4{w@:@m¾.ɓoNi:ɲT5ZN]o6^ D'
FG˫!ݖrrBWc[.H/y/4M1ŜU+Sa$Kh͇VWaHŴ('Wa`tW@KPuAG%z4[#
"]$/9)?bv)nNs۔z1mӋbCZvuNBu_QR0^.u;j'RDg[SI]yj6oZ\1uIGm*oUmUj9^=EX]v'җiM
W
oY1yN}Wݰ6g?S'kD㧇tB.U%N/C[|ٙ1Cоo;Eq۽<9KI~W[H=WĜ$֟(TgCbSVݗGgYcǎ}#nNVsEo󚫧r<^78km;
jmt@X\Q^}mI6V̝}i;5T	qVvYoj@baG!zO3<0xx~xGm	ZChv;[EOM1fB6~+z.;8OOAꦺ>]'b;<yӜ3#F/AA93?KQgԀӀ	F<s>g65j65dDAЗykUt``*`ۭXnMݨlwCfݘ@"kui}zi}ضE~T^Mfmwi\m㏚e`[_5SׇĀ׀穁_ƍ~ƇpQRkyS[ћ`vZ?>7Z'[_H6[ejiO==`Kcy%6vQ>vmD۽~޲*QǚxMshn2-Si;L~hǓQ{ %H2=?nJdoćQgha:?t:9xupJY1=E]4px}a}gz=V8z!JxJU}Zg9uCUJֵ*㘻p?ʡDEMOv8|tWp?cG_CI34Ϩ{&G~zuY7;8sbޞw(\QPi,8p߁>k7õk~9*Iٓ  e y #5@@G]_?XWN:űV;-Ai'Y4Ӷm-Kԩ|עU݌*{ҽGl7?m+|W={SuKѤenb;zl]}lg-}PA?usكE>Xd3oވޮp1)\ ; 6Hd O"ZD0`$΂`Ob'
13f"@k4ű
v|
7o}xs~Ċ{ A![
{#n:a&umzv V3h̛6TZ-TZͳTꓞ A8	>}*'rYr~hN-׏,`x|͊>ÊRJyRȰ"f->D%3Irjv|n,](j>y6T7{wG\Im\MgP+8_G_e>6}pg_53>MQ#߯3?\8$2HdwH"{ A^%<>|I{i=ƣi@J.U??	>1@Á^9=>׸4{΢s^BaόX황f֟pR_χf?'>zxϿ>~8pgc݇nwg@yRՋY}vy`wRjX/6^9RàAM_N?ϦiWߖ6ô}\&mW>~vpW뒤u
L˫PO2I+~xӲV#'NB@[T{8|ޮí[|1x!_C>I_gvcx /DTR6ߵ?w>R\wD%X3s
>/؀]	Or/t:NWT>4q8pϩ%D	<ǶV>887Ze`p`$#$_"$-޾, ?t{Zv^Vv^vޔ$He>sTv"]~Q٩QNM=Ge+;?
<oCo㍇gz<ڨxv/xtBWv5Ḿ&lkdh|\vY[<1̼-qޓcڽ}kfngϹn؆9WØ"2p={]&O;i6Du7̄\yשjLE߫ug)4	QT*DQt/ݵ(B}Z4aBiL:Gyɯم4i5&LΩCtjJV,/嵸Xk-^O^)4uѓ	9[!uЧ$;q4p3P&D
X\4ɜsq&lҗ\KsqK9Ed0Bq
世r%)4x'ir@	.9`U
Ϟ%h'w%W\BMDa}rܡA"S5"t)[K'Tf"wVT4E
據h,\S
(-J=W)EHECEn`4	wVX]̸0#CjjFxe')<$yREpM6RZ8p@1kه0┍>+Mj'm8-sRn0ZvB#YO8*HL*	`N
'G57GP3FgHr1XS R5.$2%Gch'1Uyyt	D1d*$D,P,
*^NrPHR:d
WL&Y>sa.%@?+f|*Dp"ȵSBC,I6Prfm`[ZͮZp>PS\`FO	_M^Mg%&ڔxtkGNArmBX@S	B'4x@qB3i^TOkaXL&D1WOn	GrvHfrj5i99C@W%O:*VZ3dbdaL"x@F4@O#sP#@PRA+Z{_NH_{~% *o]HUZ֟bh=OapTq2@hް7?Er0@3<~`QpAeM `bgvxɽg k},`}	+׬Qq"P.=E,,2ek'.,/-!*5YDA&бe2)yP	2ٱ8
Z;_DxgRZJ2EKM*&./0C6W1y,&J(p>ˉ(B88Rm8Ť&B>0aD4&IMMĬȘ[[Hc
 7x
*f/{xTH0.:	FDC8F!RZØ.࣌bH&HהXd;1 DGOb]d6h@)xS$k]U1F a%7J	06DgBvF7)M?wp8{/YbPP,]jw蒄F9"TJ	Uy@D(UtDml	gg.tyEP	ўO^t&#`\Z]ƣȋAkV"h(JS²Ўb8)I:Tb,yHK/_
'J!E	_+TMB<srHc'dDj#xz&
g<7
Ʉ"dA]d#임,5DSxz	B0\]vBgxgGZ+'h0"Pe._69r&.6SALs@͂G`w4Aט 	'}+gh4p_4咣|F]Qf[iGBَRLU<$˒G
6mmUhcUJx9{b|D\@BD*^|(lNp&ۺːUV$/$2WF{ԪDLM
uxE(k
2vhE[PMօUT8d$Du
05
j3
O}HU3Ҧe, 2	怵DDf]NsF*2UA~P.<'lBDI#pչ&,AtPɂOLptPT7d7ȃ}DJ V1
Ҩ4R$C4Da iAV$Ȳ9Wڮ7[$\b5xrL☈@RB48mJ!|0Z&if J""ɦ6D%hD\K;Phw[bNj+hb8c[O4'U=HJI$aK.Py
n'?lȊHb‚4d9|Iyz	T".d/tTLB:JR1pB:F=rVpz X2B7JggfE2
z,renC8ŝIa8BsDU
C]YD#*`ɏ!tf*+.
T<T0W6Dx͍B\"X&cccdHJHjT QGEXX$M=J*Dn[i5(TwP\0Ny	GaSe_p,4!H%!?DU씨we!sxF lAh0H"A Mҽf	%!1hf3&Tb4څ<;%@3FAԽe݀%0βhVkd):T%-';cFxJĒ@'Mَc&πف*_p&-;dAH.>#FJAG% IvQ$֣
$I4M-wf:ɝQgh^ޠrC̝h"[M;LIDҦ)
PAa69g&'Ju[6	G+J8jN.l&
*94Ł
멃4=[00(tS;
h@
u!
M^	\sPaYEGC1LÍ=H$ȨMA.S^0d`C7{q2r3j)0$[btHumn3B4ftRѨRAN(4߅@KBu*zܕ@Cb"̀3GQzf7$4]ޡX#@҉5YdidAyB܅勶%$&۬q id
Mrxt;JB0Q#E⠌Zz	^
P4ޣkhnB GA0IȚ`h
vFL{qT012(sȍ̹QV 0 cXd+P%!RvN7Y:zFԁh!NHDt@ .t8"&CiX3ɠ77s,L
Ap7$H^Gk6V9uEʤPW4XtFvaAo)@}G+p%2
jIkT\lϱi>RHdxtj!5r9X(Ơnhlc(Qj$JCQ8[nhebpqG텯^U0	Xb*83ˠx/|G*cȂ*L!ZEBG=h/a`!Wy]l萤1}wCARS\"w1U
	Ld$l	HoX,Z@Tah纒	GY%:7b9%Dn>ԮK4Mp`@zR]7Cu(A$"-$Ԓ
5hOK,*)Χ&2*LdDSeEYДL##He>kl7TCS(hIP*rI$ҠuÄ]B(Y`v:$EI3
'.tឰFqQg0 7qd"вn6GV6y'^Q+#!hFx&y(;1*hQ* *p=|
Z2HMdjoH>U/ܺA,Tf2JJTB`S .rMK>mSUJFb]0QkE>,"DM`B60n?`ߋwhy3-1.6.0/examples/vacid_0_binary_heaps/test_harness.mlw000066400000000000000000000012111440160026300234710ustar00rootroot00000000000000
module TestHarness

(**** logic declarations *****)

use int.Int
use bag.Bag
use bag_of_integers.Bag_integers
use elements.Elements

use ref.Ref
use heapsort.HeapSort
use array.Array

let testHarness () =

  let arr = Array.make 3 0 in
  arr[0] <- 42;
  arr[1] <- 13;
  arr[2] <- 42;

  heapSort arr;

  assert { arr[0] <= arr[1] <= arr[2] };

  assert { (elements arr.elts 0 3) =
        union (singleton 13) (union (singleton 42) (singleton 42)) };

  assert { arr[0] = min_bag (elements arr.elts 0 3) };

  assert { arr[0] = 13 };

  assert { arr[1] = min_bag (elements arr.elts 1 3) };

  assert { arr[1] = 42 };

  assert { arr[2] = 42 }

end
why3-1.6.0/examples/vacid_0_build_maze.mlw000066400000000000000000000115141440160026300204450ustar00rootroot00000000000000
(* Building a perfect maze using the union-find data structure
   (from the VACID-0 Benchmarks http://vacid.codeplex.com/)

   Jean-Christophe Filliâtre (CNRS)
   Andrei Paskevich (Univ Paris Sud) *)

theory UnionFind_pure

  use int.Int

  type uf_pure

  predicate repr uf_pure int int
  function size uf_pure : int
  function num uf_pure : int

  axiom Repr_function_1:
    forall u:uf_pure, x:int.
    0 <= x < size u -> exists y:int. 0 <= y < size u /\ repr u x y

  axiom Repr_function_2:
    forall u:uf_pure, x y z:int.
    0 <= x < size u -> repr u x y -> repr u x z -> y = z

  predicate same (u:uf_pure) (x y:int) =
    forall r:int. repr u x r <-> repr u y r

  predicate same_reprs (u1 u2 : uf_pure) =
     forall x r:int. repr u1 x r <-> repr u2 x r

  axiom OneClass :
    forall u:uf_pure. num u = 1 ->
    forall x y:int. 0 <= x < size u -> 0 <= y < size u -> same u x y

end

module UnionFind_sig

  use int.Int
  use export UnionFind_pure

  type uf = private { ghost mutable state : uf_pure }

  val create (n:int) : uf
    requires { 0 <= n }
    ensures { num result.state = n /\ size result.state = n /\
      forall x:int. 0 <= x < n -> repr result.state x x }

  val find (u:uf) (x:int) : int writes {u}
    requires { 0 <= x < size u.state }
    ensures { repr u.state x result /\
      size u.state = size (old u.state) /\
      num u.state = num (old u.state) /\
      same_reprs u.state (old u.state) }

  val union (u:uf) (a:int) (b:int) : unit writes {u}
    requires { 0 <= a < size u.state /\
               0 <= b < size u.state /\ not same u.state a b }
    ensures { same u.state a b /\
      size u.state = size (old u.state) /\
      num u.state = num (old u.state) - 1 /\
      forall x y:int. 0 <= x < size u.state -> 0 <= y < size u.state ->
        same u.state x y <->
        same (old u.state) x y \/
        same (old u.state) x a /\ same (old u.state) b y \/
        same (old u.state) x b /\ same (old u.state) a y }

  val get_num_classes (u:uf) : int ensures { result = num u.state }

end

theory Graph

  type vertex

  type graph

  inductive path graph vertex vertex =
    | Path_refl : forall g:graph, x:vertex. path g x x
    | Path_sym  : forall g:graph, x y:vertex. path g x y -> path g y x
    | Path_trans:
        forall g:graph, x y z:vertex. path g x y -> path g y z -> path g x z

end

module Graph_sig

  use int.Int
  use ref.Ref

  clone export Graph with type vertex = int

  val graph : ref graph

  val num_edges : ref int

  val add_edge (a:int) (b:int) : unit writes {num_edges,graph}
    requires { not path !graph a b }
    ensures { !num_edges = old !num_edges + 1 /\
      (forall x y:int.
        path !graph x y <->
        path (old !graph) x y \/
        path (old !graph) x a /\ path (old !graph) b y \/
        path (old !graph) x b /\ path (old !graph) a y) }

end

module BuildMaze

  use int.Int
  use ref.Ref

  use UnionFind_sig
  use Graph_sig

  val rand (s:int) : int requires { 0 < s } ensures { 0 <= result < s }

  lemma Ineq1 :
    forall n x y:int. 0 <= n -> 0 <= x < n -> 0 <= y < n -> 0 <= x*n+y < n*n

  let add_edge_and_union (u: uf) (a:int) (b:int)
    requires { 0 <= a < size u.state /\ 0 <= b < size u.state /\
      not same u.state a b /\ not path !graph a b /\
      forall x y:int.
        0 <= x < size u.state -> 0 <= y < size u.state ->
        same u.state x y <-> path !graph x y }
    ensures { !num_edges = old !num_edges + 1 /\
      same u.state a b /\
      size u.state = size (old u.state) /\
      num u.state = num (old u.state) - 1 /\
      (forall x y:int.
         0 <= x < size u.state -> 0 <= y < size u.state ->
         same u.state x y <-> path !graph x y) }
  = add_edge a b;
    union u a b

let build_maze (n:int)
  requires { 1 <= n /\ !num_edges = 0 /\
    forall x y:int. x=y <-> path !graph x y }
  diverges (* termination is only almost sure,
              assuming rand is well distributed.
              See http://toccata.lri.fr/gallery/RandomWalk.en.html *)
  ensures { !num_edges = n*n-1 /\
    forall x y:int. 0 <= x < n*n -> 0 <= y < n*n -> path !graph x y }
  = let u = create (n*n) in
    assert { forall x y:int. 0 <= x < n*n -> 0 <= y < n*n ->
      same u.state x y -> (repr u.state x y && repr u.state x x && x = y) };
    while get_num_classes u > 1 do
      invariant {
        1 <= num u.state /\
        num u.state + !num_edges = size u.state = n*n /\
        forall x y:int. 0 <= x < n*n -> 0 <= y < n*n ->
                        (same u.state x y <-> path !graph x y) }
      let x = rand n in
      let y = rand n in
      let d = rand 2 in
      let w = if d = 0 then x+1 else x in
      let z = if d = 0 then y else y+1 in
      if w < n && z < n then begin
        let a = y * n + x in
        assert { 0 <= a < n*n };
        let b = w * n + z in
        assert { 0 <= b < n*n };
        if find u a <> find u b then
          add_edge_and_union u a b
      end
    done

end
why3-1.6.0/examples/vacid_0_build_maze/000077500000000000000000000000001440160026300177225ustar00rootroot00000000000000why3-1.6.0/examples/vacid_0_build_maze/why3session.xml000066400000000000000000000023331440160026300227430ustar00rootroot00000000000000







 
 
  
  
  
  
  
  
 
 
 
 
 
 
 
 



why3-1.6.0/examples/vacid_0_build_maze/why3shapes.gz000066400000000000000000000013541440160026300223650ustar00rootroot00000000000000UMk0W)i4`Ze5ȶ
ۤi,l$lR(ӛH:gm{.ٷ+nRK,<;,"܅҇Iovz|"Qq;wxTX,Z=t`]Y#4IqsaU*du7ڢRn,p+Z!lB false
    | Node _ l k' v' r -> (k = k' /\ v = v') \/ memt l k v \/ memt r k v
    end

  lemma memt_color :
    forall l r : tree, k k' : key, v v' : value, c c' : color.
    memt (Node c l k v r) k' v' -> memt (Node c' l k v r) k' v'

  (* binary search tree *)

  use int.Int

  predicate lt_tree (x : key) (t : tree) =
    forall k : key. forall v : value. memt t k v -> k < x

  predicate gt_tree (x : key) (t : tree) =
    forall k : key. forall v : value. memt t k v -> x < k

  lemma lt_leaf: forall x: key. lt_tree x Leaf

  lemma gt_leaf: forall x: key. gt_tree x Leaf

  lemma lt_tree_node:
    forall x y: key, v: value, l r: tree, c: color.
    lt_tree x l -> lt_tree x r -> y < x -> lt_tree x (Node c l y v r)

  lemma gt_tree_node:
    forall x y: key, v: value, l r: tree, c: color.
    gt_tree x l -> gt_tree x r -> x < y -> gt_tree x (Node c l y v r)

  lemma lt_node_lt:
    forall x y: key, v: value, l r: tree, c: color.
    lt_tree x (Node c l y v r) -> y < x

  lemma gt_node_gt:
    forall x y: key, v: value, l r: tree, c: color.
    gt_tree x (Node c l y v r) -> x < y

  lemma lt_left:
    forall x y: key, v: value, l r: tree, c : color.
    lt_tree x (Node c l y v r) -> lt_tree x l

  lemma lt_right:
    forall x y: key, v: value,  l r: tree, c: color.
    lt_tree x (Node c l y v r) -> lt_tree x r

  lemma gt_left:
    forall x y: key, v: value, l r: tree, c: color.
    gt_tree x (Node c l y v r) -> gt_tree x l

  lemma gt_right:
    forall x y: key, v: value, l r: tree, c: color.
    gt_tree x (Node c l y v r) -> gt_tree x r

  lemma lt_tree_not_in:
    forall x: key, t: tree. lt_tree x t -> forall v: value. not (memt t x v)

  lemma lt_tree_trans:
    forall x y: key. x < y -> forall t: tree. lt_tree x t -> lt_tree y t

  lemma gt_tree_not_in :
    forall x: key, t: tree. gt_tree x t -> forall v: value. not (memt t x v)

  lemma gt_tree_trans :
    forall x y: key. y < x -> forall t: tree. gt_tree x t -> gt_tree y t

  predicate bst (t : tree) =
    match t with
    | Leaf -> true
    | Node _ l k _ r -> bst l /\ bst r /\ lt_tree k l /\ gt_tree k r
    end

  lemma bst_Leaf : bst Leaf

  lemma bst_left:
    forall k: key, v: value, l r: tree, c: color. bst (Node c l k v r) -> bst l

  lemma bst_right:
    forall k: key, v: value, l r: tree, c: color. bst (Node c l k v r) -> bst r

  lemma bst_color:
    forall c c': color, k: key, v: value, l r: tree.
    bst (Node c l k v r) -> bst (Node c' l k v r)

  lemma rotate_left:
    forall kx ky: key, vx vy: value, a b c: tree, c1 c2 c3 c4: color.
    bst (Node c1 a kx vx (Node c2 b ky vy c)) ->
    bst (Node c3 (Node c4 a kx vx b) ky vy c)

  lemma rotate_right:
    forall kx ky: key, vx vy: value, a b c: tree, c1 c2 c3 c4: color.
    bst (Node c3 (Node c4 a kx vx b) ky vy c) ->
    bst (Node c1 a kx vx (Node c2 b ky vy c))

  (* [rbtree n t]: red black tree invariant
     [t] is a properly balanced red-black tree, i.e. it
      satisfies the following two invariants:
      - a red node has no red son
      - any path from the root to a leaf has exactly [n] black nodes
   *)

  predicate is_not_red (t : tree) =
    match t with
    | Node Red _ _ _ _ -> false
    | Leaf | Node Black _ _ _ _ -> true
    end

  predicate rbtree (n : int) (t : tree) =
    match t with
    | Leaf ->
        n = 0
    | Node Red   l _ _ r ->
        rbtree n l /\ rbtree n r /\ is_not_red l /\ is_not_red r
    | Node Black l _ _ r ->
        rbtree (n-1) l /\ rbtree (n-1) r
    end

  lemma rbtree_Leaf:
    rbtree 0 Leaf

  lemma rbtree_Node1:
    forall k:key, v:value. rbtree 0 (Node Red Leaf k v Leaf)

  lemma rbtree_left:
    forall x: key, v: value, l r: tree, c: color.
    (exists n: int. rbtree n (Node c l x v r)) -> exists n: int. rbtree n l

  lemma rbtree_right:
    forall x: key, v: value, l r: tree, c: color.
    (exists n: int. rbtree n (Node c l x v r)) -> exists n: int. rbtree n r

  (* lookup *)

  exception Not_found

  let rec find (t : tree) (k : key) : value
    requires { bst t }
    variant { t }
    ensures { memt t k result }
    raises { Not_found -> forall v : value. not (memt t k v) }
  = match t with
    | Leaf -> raise Not_found
    | Node _ l k' v r ->
        if k = k' then v
        else if k < k' then find l k
        else (* k > k' *) find r k
    end

  (* insertion *)

  (** `almost_rbtree n t`: `t` may have one red-red conflict at its root;
      it satisfies `rbtree n` everywhere else *)

  predicate almost_rbtree (n : int) (t : tree) =
    match t with
    | Leaf ->
        n = 0
    | Node Red   l _ _ r ->
        rbtree n l /\ rbtree n r
    | Node Black l _ _ r ->
        rbtree (n-1) l /\ rbtree (n-1) r
    end

  lemma rbtree_almost_rbtree:
    forall n: int, t: tree. rbtree n t -> almost_rbtree n t

  lemma rbtree_almost_rbtree_ex:
    forall s: tree.
    (exists n: int. rbtree n s) -> exists n: int. almost_rbtree n s

  lemma almost_rbtree_rbtree_black:
    forall x: key, v: value, l r: tree, n: int.
    almost_rbtree n (Node Black l x v r) -> rbtree n (Node Black l x v r)

  (** `lbalance c x l r` acts as a black node constructor,
      solving a possible red-red conflict on `l`, using the following
      schema:

      B (R (R a x b) y c) z d
      B (R a x (R b y c)) z d -> R (B a x b) y (R c z d)
      B a x b -> B a x b

      The result is not necessarily a black node. *)

  let lbalance (l : tree) (k : key) (v : value) (r : tree)
    requires { lt_tree k l /\ gt_tree k r /\ bst l /\ bst r }
    ensures { bst result /\
      (forall n : int. almost_rbtree n l -> rbtree n r -> rbtree (n+1) result)
      /\
      forall k':key, v':value.
        memt result k' v' <->
        if k' = k then v' = v else (memt l k' v' \/ memt r k' v') }
  = match l with
    | Node Red (Node Red a kx vx b) ky vy c
    | Node Red a kx vx (Node Red b ky vy c) ->
        Node Red (Node Black a kx vx b) ky vy (Node Black c k v r)
    | _ ->
        Node Black l k v r
    end

  (** `rbalance l x r` is similar to `lbalance`, solving a possible red-red
      conflict on `r`. The balancing schema is similar:

      B a x (R (R b y c) z d)
      B a x (R b y (R c z d)) -> R (B a x b) y (R c z d)
      B a x b -> B a x b
   *)

  let rbalance (l : tree) (k : key) (v : value) (r : tree)
    requires { lt_tree k l /\ gt_tree k r /\ bst l /\ bst r }
    ensures { bst result /\
      (forall n : int. almost_rbtree n r -> rbtree n l -> rbtree (n+1) result)
      /\
      forall k':key, v':value.
        memt result k' v' <->
        if k' = k then v' = v else (memt l k' v' \/ memt r k' v') }
  = match r with
    | Node Red (Node Red b ky vy c) kz vz d
    | Node Red b ky vy (Node Red c kz vz d) ->
        Node Red (Node Black l k v b) ky vy (Node Black c kz vz d)
    | _ ->
        Node Black l k v r
    end

  (* `insert x s` inserts `x` in tree `s`, resulting in a possible top red-red
     conflict when `s` is red. *)

  let rec insert (t : tree) (k : key) (v : value) : tree
    requires { bst t /\ exists n: int. rbtree n t }
    variant { t }
    ensures { bst result /\
      (forall n : int. rbtree n t -> almost_rbtree n result /\
         (is_not_red t -> rbtree n result)) /\
      memt result k v /\
      forall k':key, v':value.
      memt result k' v' <-> if k' = k then v' = v else memt t k' v' }
  = match t with
    | Leaf ->
        Node Red Leaf k v Leaf
    | Node Red l k' v' r ->
        if k < k' then Node Red (insert l k v) k' v' r
        else if k' < k then Node Red l k' v' (insert r k v)
        else (* k = k' *) Node Red l k' v r
    | Node Black l k' v' r ->
        if k < k' then lbalance (insert l k v) k' v' r
        else if k' < k then rbalance l k' v' (insert r k v)
        else (* k = k' *) Node Black l k' v r
    end

  (* finally `add x s` calls `insert` and recolors the root as black *)

  let add (t : tree) (k : key) (v : value) : tree
    requires { bst t /\ exists n:int. rbtree n t }
    ensures { bst result /\ (exists n:int. rbtree n result) /\
      memt result k v /\
      forall k':key, v':value.
      memt result k' v' <-> if k' = k then v' = v else memt t k' v' }
  = match insert t k v with
    | Node _ l k' v' r -> Node Black l k' v' r
    | Leaf -> absurd
    end

end

module Vacid0

  (* the VACID-0 interface = mutable map with default value*)

  use ref.Ref
  use RedBlackTree

  type rbt = (value, tree)

  predicate inv (r : rbt) =
    let (_, t) = r in bst t /\ exists n : int. rbtree n t

  let function default (r : rbt) : value =
    let (d, _) = r in d

  predicate mem (r : rbt) (k : key) (v : value) =
    let (d, t) = r in
    memt t k v \/ (v = d /\ forall v':value. not (memt t k v'))

  let create (d : int)
    ensures { inv !result /\
      default !result = d /\
      forall k:key, v:value. mem !result k v <-> v = d }
  = let x = (d, Leaf) in ref x (* BUG: ref (d, Leaf) *)

  let replace (m : ref rbt) k v
    requires { inv !m }
    ensures { inv !m /\
      default !m = default (old !m) /\
      forall k':key, v':value.
      mem !m k' v' <-> if k' = k then v' = v else mem (old !m) k' v' }
  = let (d, t) = !m in
    m := (d, add t k v)

  let lookup (m : ref rbt) k
    requires { inv !m }
    ensures { mem !m k result }
  = let (d, t) = !m in
    try find t k with Not_found -> d end

  (* the easy way: implements `remove` using `replace` *)
  let remove (m : ref rbt) k
    requires { inv !m }
    ensures { inv !m /\
      default !m = default (old !m) /\
      forall k':key, v':value.
      mem !m k' v' <-> if k' = k then v' = default !m else mem (old !m) k' v' }
  = replace m k (default !m)

end
why3-1.6.0/examples/vacid_0_red_black_trees/000077500000000000000000000000001440160026300207175ustar00rootroot00000000000000why3-1.6.0/examples/vacid_0_red_black_trees/vacid_0_red_black_trees_RedBlackTree_VC_add_1.v000066400000000000000000000163271440160026300316030ustar00rootroot00000000000000(* This file is generated by Why3's Coq driver *)
(* Beware! Only edit allowed sections below    *)
Require Import BuiltIn.
Require BuiltIn.
Require int.Int.

(* Why3 assumption *)
Definition key := Numbers.BinNums.Z.

(* Why3 assumption *)
Definition value := Numbers.BinNums.Z.

(* Why3 assumption *)
Inductive color :=
  | Red : color
  | Black : color.
Axiom color_WhyType : WhyType color.
Existing Instance color_WhyType.

(* Why3 assumption *)
Inductive tree :=
  | Leaf : tree
  | Node : color -> tree -> Numbers.BinNums.Z -> Numbers.BinNums.Z -> tree ->
      tree.
Axiom tree_WhyType : WhyType tree.
Existing Instance tree_WhyType.

(* Why3 assumption *)
Fixpoint memt (t:tree) (k:Numbers.BinNums.Z)
  (v:Numbers.BinNums.Z) {struct t}: Prop :=
  match t with
  | Leaf => False
  | Node _ l k' v' r => (k = k') /\ (v = v') \/ memt l k v \/ memt r k v
  end.

Axiom memt_color :
  forall (l:tree) (r:tree) (k:Numbers.BinNums.Z) (k':Numbers.BinNums.Z)
    (v:Numbers.BinNums.Z) (v':Numbers.BinNums.Z) (c:color) (c':color),
  memt (Node c l k v r) k' v' -> memt (Node c' l k v r) k' v'.

(* Why3 assumption *)
Definition lt_tree (x:Numbers.BinNums.Z) (t:tree) : Prop :=
  forall (k:Numbers.BinNums.Z), forall (v:Numbers.BinNums.Z), memt t k v ->
  (k < x)%Z.

(* Why3 assumption *)
Definition gt_tree (x:Numbers.BinNums.Z) (t:tree) : Prop :=
  forall (k:Numbers.BinNums.Z), forall (v:Numbers.BinNums.Z), memt t k v ->
  (x < k)%Z.

Axiom lt_leaf : forall (x:Numbers.BinNums.Z), lt_tree x Leaf.

Axiom gt_leaf : forall (x:Numbers.BinNums.Z), gt_tree x Leaf.

Axiom lt_tree_node :
  forall (x:Numbers.BinNums.Z) (y:Numbers.BinNums.Z) (v:Numbers.BinNums.Z)
    (l:tree) (r:tree) (c:color),
  lt_tree x l -> lt_tree x r -> (y < x)%Z -> lt_tree x (Node c l y v r).

Axiom gt_tree_node :
  forall (x:Numbers.BinNums.Z) (y:Numbers.BinNums.Z) (v:Numbers.BinNums.Z)
    (l:tree) (r:tree) (c:color),
  gt_tree x l -> gt_tree x r -> (x < y)%Z -> gt_tree x (Node c l y v r).

Axiom lt_node_lt :
  forall (x:Numbers.BinNums.Z) (y:Numbers.BinNums.Z) (v:Numbers.BinNums.Z)
    (l:tree) (r:tree) (c:color),
  lt_tree x (Node c l y v r) -> (y < x)%Z.

Axiom gt_node_gt :
  forall (x:Numbers.BinNums.Z) (y:Numbers.BinNums.Z) (v:Numbers.BinNums.Z)
    (l:tree) (r:tree) (c:color),
  gt_tree x (Node c l y v r) -> (x < y)%Z.

Axiom lt_left :
  forall (x:Numbers.BinNums.Z) (y:Numbers.BinNums.Z) (v:Numbers.BinNums.Z)
    (l:tree) (r:tree) (c:color),
  lt_tree x (Node c l y v r) -> lt_tree x l.

Axiom lt_right :
  forall (x:Numbers.BinNums.Z) (y:Numbers.BinNums.Z) (v:Numbers.BinNums.Z)
    (l:tree) (r:tree) (c:color),
  lt_tree x (Node c l y v r) -> lt_tree x r.

Axiom gt_left :
  forall (x:Numbers.BinNums.Z) (y:Numbers.BinNums.Z) (v:Numbers.BinNums.Z)
    (l:tree) (r:tree) (c:color),
  gt_tree x (Node c l y v r) -> gt_tree x l.

Axiom gt_right :
  forall (x:Numbers.BinNums.Z) (y:Numbers.BinNums.Z) (v:Numbers.BinNums.Z)
    (l:tree) (r:tree) (c:color),
  gt_tree x (Node c l y v r) -> gt_tree x r.

Axiom lt_tree_not_in :
  forall (x:Numbers.BinNums.Z) (t:tree), lt_tree x t ->
  forall (v:Numbers.BinNums.Z), ~ memt t x v.

Axiom lt_tree_trans :
  forall (x:Numbers.BinNums.Z) (y:Numbers.BinNums.Z), (x < y)%Z ->
  forall (t:tree), lt_tree x t -> lt_tree y t.

Axiom gt_tree_not_in :
  forall (x:Numbers.BinNums.Z) (t:tree), gt_tree x t ->
  forall (v:Numbers.BinNums.Z), ~ memt t x v.

Axiom gt_tree_trans :
  forall (x:Numbers.BinNums.Z) (y:Numbers.BinNums.Z), (y < x)%Z ->
  forall (t:tree), gt_tree x t -> gt_tree y t.

(* Why3 assumption *)
Fixpoint bst (t:tree) {struct t}: Prop :=
  match t with
  | Leaf => True
  | Node _ l k _ r => bst l /\ bst r /\ lt_tree k l /\ gt_tree k r
  end.

Axiom bst_Leaf : bst Leaf.

Axiom bst_left :
  forall (k:Numbers.BinNums.Z) (v:Numbers.BinNums.Z) (l:tree) (r:tree)
    (c:color),
  bst (Node c l k v r) -> bst l.

Axiom bst_right :
  forall (k:Numbers.BinNums.Z) (v:Numbers.BinNums.Z) (l:tree) (r:tree)
    (c:color),
  bst (Node c l k v r) -> bst r.

Axiom bst_color :
  forall (c:color) (c':color) (k:Numbers.BinNums.Z) (v:Numbers.BinNums.Z)
    (l:tree) (r:tree),
  bst (Node c l k v r) -> bst (Node c' l k v r).

Axiom rotate_left :
  forall (kx:Numbers.BinNums.Z) (ky:Numbers.BinNums.Z) (vx:Numbers.BinNums.Z)
    (vy:Numbers.BinNums.Z) (a:tree) (b:tree) (c:tree) (c1:color) (c2:color)
    (c3:color) (c4:color),
  bst (Node c1 a kx vx (Node c2 b ky vy c)) ->
  bst (Node c3 (Node c4 a kx vx b) ky vy c).

Axiom rotate_right :
  forall (kx:Numbers.BinNums.Z) (ky:Numbers.BinNums.Z) (vx:Numbers.BinNums.Z)
    (vy:Numbers.BinNums.Z) (a:tree) (b:tree) (c:tree) (c1:color) (c2:color)
    (c3:color) (c4:color),
  bst (Node c3 (Node c4 a kx vx b) ky vy c) ->
  bst (Node c1 a kx vx (Node c2 b ky vy c)).

(* Why3 assumption *)
Definition is_not_red (t:tree) : Prop :=
  match t with
  | Node Red _ _ _ _ => False
  | Leaf|(Node Black _ _ _ _) => True
  end.

(* Why3 assumption *)
Fixpoint rbtree (n:Numbers.BinNums.Z) (t:tree) {struct t}: Prop :=
  match t with
  | Leaf => (n = 0%Z)
  | Node Red l _ _ r =>
      rbtree n l /\ rbtree n r /\ is_not_red l /\ is_not_red r
  | Node Black l _ _ r => rbtree (n - 1%Z)%Z l /\ rbtree (n - 1%Z)%Z r
  end.

Axiom rbtree_Leaf : rbtree 0%Z Leaf.

Axiom rbtree_Node1 :
  forall (k:Numbers.BinNums.Z) (v:Numbers.BinNums.Z),
  rbtree 0%Z (Node Red Leaf k v Leaf).

Axiom rbtree_left :
  forall (x:Numbers.BinNums.Z) (v:Numbers.BinNums.Z) (l:tree) (r:tree)
    (c:color),
  (exists n:Numbers.BinNums.Z, rbtree n (Node c l x v r)) ->
  exists n:Numbers.BinNums.Z, rbtree n l.

Axiom rbtree_right :
  forall (x:Numbers.BinNums.Z) (v:Numbers.BinNums.Z) (l:tree) (r:tree)
    (c:color),
  (exists n:Numbers.BinNums.Z, rbtree n (Node c l x v r)) ->
  exists n:Numbers.BinNums.Z, rbtree n r.

(* Why3 assumption *)
Definition almost_rbtree (n:Numbers.BinNums.Z) (t:tree) : Prop :=
  match t with
  | Leaf => (n = 0%Z)
  | Node Red l _ _ r => rbtree n l /\ rbtree n r
  | Node Black l _ _ r => rbtree (n - 1%Z)%Z l /\ rbtree (n - 1%Z)%Z r
  end.

Axiom rbtree_almost_rbtree :
  forall (n:Numbers.BinNums.Z) (t:tree), rbtree n t -> almost_rbtree n t.

Axiom rbtree_almost_rbtree_ex :
  forall (s:tree), (exists n:Numbers.BinNums.Z, rbtree n s) ->
  exists n:Numbers.BinNums.Z, almost_rbtree n s.

Axiom almost_rbtree_rbtree_black :
  forall (x:Numbers.BinNums.Z) (v:Numbers.BinNums.Z) (l:tree) (r:tree)
    (n:Numbers.BinNums.Z),
  almost_rbtree n (Node Black l x v r) -> rbtree n (Node Black l x v r).

(* Why3 goal *)
Theorem add'vc :
  forall (t:tree) (k:Numbers.BinNums.Z) (v:Numbers.BinNums.Z),
  bst t /\ (exists n:Numbers.BinNums.Z, rbtree n t) -> forall (o:tree),
  bst o /\
  (forall (n:Numbers.BinNums.Z), rbtree n t ->
   almost_rbtree n o /\ (is_not_red t -> rbtree n o)) /\
  memt o k v /\
  (forall (k':Numbers.BinNums.Z) (v':Numbers.BinNums.Z),
   memt o k' v' \/ ((k' = k) -> (v' = v)) /\ (~ (k' = k) -> memt t k' v') ->
   memt o k' v' /\ ((k' = k) /\ (v' = v) \/ ~ (k' = k) /\ memt t k' v')) ->
  forall (result:tree),
  match o with
  | Node x x1 x2 x3 x4 => (result = (Node Black x1 x2 x3 x4))
  | Leaf => False
  end -> exists n:Numbers.BinNums.Z, rbtree n result.
Proof.
intros t k v (_,(n,h2)) o (_,(h4,_)).
destruct o. easy.
intros _ ->.
specialize (h4 n h2).
destruct c.
(* c = Red *)
exists (n+1)%Z.
simpl.
replace (n+1-1)%Z with n by ring.
apply h4.
(* c = Black *)
now exists n.
Qed.why3-1.6.0/examples/vacid_0_red_black_trees/why3session.xml000066400000000000000000000321401440160026300237370ustar00rootroot00000000000000













 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
  
  
   
   
    
    
    
    
    
    
    
    
    
    
    
    
    
    
    
    
    
    
    
    
    
    
    
    
    
    
    
    
    
    
    
    
    
    
    
    
    
    
    
    
    
    
    
    
    
   
   
   
   
   
   
   
   
   
   
   
   
   
   
  
  
 
 
 
 
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
  
  
 
 
 
 
  
  
  
  
  
  
  
  
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
  
  
 
 


 
 
 
 
 
 
 
 
 
 
 
 



why3-1.6.0/examples/vacid_0_red_black_trees/why3shapes.gz000066400000000000000000000131051440160026300233570ustar00rootroot00000000000000\[o7~ׯ[vg^x1k`rdȺݭ{H*!y!?rS|5=~{Kup_O1u#DG;j\__>=uwcJq;6QQQQQq^mCX[LU?C/QQ1RQmk{sK-{x<cÀc>S=%wIIY##׷@Jqqq҉FT1HNNN@]N4A궹u'e'aM?Ucwvt\^چa:NJ\i$%;%:˽lXSEi#T]^u+-
wtv_֝Vx0Vt1}vr:"Y;c;2fD14՝cB~ҫBW}2n-}XA[L1S!eooqR*<%^)cxHӏ_%NM(""(­rw~^coWk2]SJP@ՏΔRooue&P	Äʯ5%`eBn2h咉hU7ݝv47uhߕ_enS0KAہ3Le~xws<|~ygoޥ+2Lmh|ޅ-MKR__܍/V*1TzU]z_G*3RFdjT\^6EV=P)Pb*I-D3⍪2uu~?jп2A7A4ػҰd+
ŅJR-n1=x3ףAռWZ<_4̎ݽ}pӂ?{wug枹{Y6O{ٸg[:/O?|sßF܃\iW/N_B	h~kqGv8H}ZK~mt-Jۮ9^Fugywd
Z9B5e; ^$m~w'/oyAΠ"zS|Sgu5Fwyv}9N+ZܡnT6?W?֟#jC1qt=;Z*)ޞl!GRC>h
3ߐbԢu@#bJؔߨm1*Q}t1:֚[h[[	Uʦm>K17ѡ,F1(FiY?wc10f0VN0VzͷW{X.G[VUNR\_ǧ˘crӼvvs$<}zLsE*'j2Xo:j-BWȋMQ×_?mJM!Zb7}u $%ի0Vj޵w6-d7(k[Jl%峤d|ʅzIR5Q\ d}㫤LMAMJԅ"+Aa7J[XNkSTC0wHC|*9tʹ.UO%
Lk{QֆˍdrrХZMǖ"jU;w?ǧsҊ%z=`tx1Fq&,6;D]f0ƫjVQ4-Uazm㱽x!IEqծheL^jƋ6&Ōl/A	/x	Joз9TK0;xag%/
JMm&W/6DZˍdrrŚun\"+"1\{Õ6x
2eUO)CW xW N~&YŒ
HH	._wSi}J3TDoT~Bz:DU#PWWkjB9H5G:jc`G
.
.b%H;/=TF\ltսJ5K60l_eHeT3ƈm1f&cMQr/@m3c~cj/#.W\6bS{RiUs*mTTLگ{bJ1)ma	~R5a>-5-2TұNi;	KOWKEIzd4bGښ6~7+O뮷]`rŴ4WITqɛt&e/U\lAlAdwO5CWkM"WV+4#>tk{mՑʲǗOuPB';u}t>~m߹ǔáʪ!Y*?{JӕֱK~\!.6Yfҽ)Dzx櫐 fv+OsnXtlXǛӃ[Ϩws{X
'xhX닕o{+Ц#.Bn"{Kxxӆ
{Llh
M5YOow,ۆޱ1d֐k9';~]/3/_N+6ZJ'4W %!*'yKc!dsX!FDŽFB3C5LY DF
dQ|+*MdL)c iFZ-]N'&} >\^z,f	Q0FF?4k+HDzRK(,R}k&A[(LBCJW
>,H^C-|F{,u|IRw"YXCE3F,NTā1
V)[40H
u]ƐI4`\VpsYFr:e0RpQ;pȐY
XcN:ּ`<+h4:)SF		au9b;<$VyH"W6I
$E0GF-pR
dU'Sb}TZ3PVR,IN
:2] egʝA'z`S(-bTy09O)Đj!$mǠuF's
•-TU9F9O%Q*
jnP+fQ8l󤙁FpJS!&+D`GEXkQ e\L;o\٩?5
#H$;JyF/$)#TB"A,flofswhy3-1.6.0/examples/vacid_0_sparse_array.mlw000066400000000000000000000104761440160026300210330ustar00rootroot00000000000000module SparseArray

(*
      If the sparse array contains three elements x y z, at index
      a b c respectively, then the three arrays look like this:

              b     a      c
values +-----+-+---+-+----+-+----+
       |     |y|   |x|    |z|    |
       +-----+-+---+-+----+-+----+

index  +-----+-+---+-+----+-+----+
       |     |1|   |0|    |2|    |
       +-----+-+---+-+----+-+----+

        0 1 2  n=3
back   +-+-+-+-------------------+
       |a|b|c|                   |
       +-+-+-+-------------------+

*)

  use int.Int
  use array.Array

  constant maxlen : int = 1000

  type sparse_array 'a = { values : array 'a;
                           index  : array int;
                           back   : array int;
                   mutable card   : int;
                           def    : 'a; }
  invariant {
    0 <= card <= length values <= maxlen /\
    length values = length index = length back /\
    forall i : int.
      0 <= i < card ->
      0 <= back[i] < length values /\ index[back[i]] = i
  } by {
    values = make 0 (any 'a);
    index  = make 0 0;
    back   = make 0 0;
    card   = 0;
    def    = any 'a
  }

  predicate is_elt (a: sparse_array 'a) (i: int) =
    0 <= a.index[i] < a.card /\ a.back[a.index[i]] = i

  function value (a: sparse_array 'a) (i: int) : 'a =
    if is_elt a i then
      a.values[i]
    else
      a.def

  function length (a: sparse_array 'a) : int = Array.length a.values

  (* creation *)

  val malloc (n:int) : array 'a ensures { Array.length result = n }

  let create (sz: int) (d: 'a)
    requires { 0 <= sz <= maxlen }
    ensures { result.card = 0 /\ result.def = d /\ length result = sz }
  = { values = malloc sz;
      index  = malloc sz;
      back   = malloc sz;
      card   = 0;
      def    = d }

  (* access *)

  let test (a: sparse_array 'a) i
    requires { 0 <= i < length a }
    ensures { result=True <-> is_elt a i }
  = 0 <= a.index[i] < a.card && a.back[a.index[i]] = i

  let get (a: sparse_array 'a) i
    requires { 0 <= i < length a }
    ensures { result = value a i }
  = if test a i then
      a.values[i]
    else
      a.def

  (* assignment *)

  use map.MapInjection as MI

  lemma permutation :
    forall a: sparse_array 'a.
    (* sparse_array invariant *)
      Array.(0 <= a.card <= Array.length a.values <= maxlen /\
      length a.values = length a.index = length a.back /\
      forall i : int.
        0 <= i < a.card ->
        0 <= a.back[i] < length a.values /\ a.index[a.back[i]] = i) ->
    (* sparse_array invariant *)
    a.card = a.length ->
    forall i: int. 0 <= i < a.length -> is_elt a i
      by MI.surjective a.back.elts a.card
      so exists j. 0 <= j < a.card /\ a.back[j] = i


  let set (a: sparse_array 'a) i v
    requires { 0 <= i < length a }
    ensures { value a i = v /\
      forall j:int. j <> i -> value a j = value (old a) j }
  = a.values[i] <- v;
    if not (test a i) then begin
      assert { a.card < length a };
      a.index[i] <- a.card;
      a.back[a.card] <- i;
      a.card <- a.card + 1
    end

end

module Harness

  use SparseArray

  type elt
  val constant default : elt

  val constant c1 : elt
  val constant c2 : elt

  let harness () =
    let a = create 10 default in
    let b = create 20 default in
    let get_a_5 = get a 5 in assert { get_a_5 = default };
    let get_b_7 = get b 7 in assert { get_b_7 = default };
    set a 5 c1;
    set b 7 c2;
    let get_a_5 = get a 5 in assert { get_a_5 = c1 };
    let get_b_7 = get b 7 in assert { get_b_7 = c2 };
    let get_a_7 = get a 7 in assert { get_a_7 = default };
    let get_b_5 = get b 5 in assert { get_b_5 = default };
    let get_a_0 = get a 0 in assert { get_a_0 = default };
    let get_b_0 = get b 0 in assert { get_b_0 = default };
    ()

  val predicate (!=) (x y : elt)
    ensures { result <-> x <> y }

  exception BenchFailure

  let bench () raises { BenchFailure -> true } =
    let a = create 10 default in
    let b = create 20 default in
    if get a 5 != default then raise BenchFailure;
    if get b 7 != default then raise BenchFailure;
    set a 5 c1;
    set b 7 c2;
    if get a 5 != c1 then raise BenchFailure;
    if get b 7 != c2 then raise BenchFailure;
    if get a 7 != default then raise BenchFailure;
    if get b 5 != default then raise BenchFailure;
    if get a 0 != default then raise BenchFailure;
    if get b 0 != default then raise BenchFailure

end
why3-1.6.0/examples/vacid_0_sparse_array/000077500000000000000000000000001440160026300203025ustar00rootroot00000000000000why3-1.6.0/examples/vacid_0_sparse_array/why3session.xml000066400000000000000000000067411440160026300233320ustar00rootroot00000000000000








 
 
 
 
 
 
 
 
 
 
 
 
 
 
  
  
  
  
  
  
  
  
  
 
 
 
 
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
 
 


 
 
 
 
 
 



why3-1.6.0/examples/vacid_0_sparse_array/why3shapes.gz000066400000000000000000000052561440160026300227520ustar00rootroot00000000000000]]B}kr]
E 4/ž]n,9Ik+)&ep]p>>me|'}g7i?:%`8|!yƔe
U?q^رfBڎNG,D㱓
̤0$a&2dxdL&Z2>g|?Ri?v:gStyy=?]Y/;(92/RY%)ț*'0ƂƑp]ѯ@W$M+ie8Ey踚!q.+~WAag<53?1 h|62o6 ty@t~#{`3BaO}ݾ$)Ni?\H&}$t1{-:ҿkR<HR[r	m)oǢn%#):6S)8S2MT>*e"zlk\7txtP0chCfE?]7KFIJ#eӬ4+ɳ7j>xegRϒ/ۄ5esIKͥEǢë~71
T_AV j,F5Ө۪\cK	U٨;թ~NEO$I~,YXxVIтՌ60o	k"Kމxs\ǻ"T`oO$U'Nq0.:yRVE^%זl@a<>"9{_b3=fyLAx c"UU@P%qyyJx
珗ks)ZY݆2)H1hW֖;Rcs"4s5)ۚUM5K9lsMٖ-M<R^?Imtm1*E#fkm#&<te@2n.%aXTc=eY<4eSyT8hd$/X\KnOP<kMȋTBD
~PB1?w@okw*&ݯtl<1?剩yzT<1/C|Ep=Xr~XԚ^F'f
!+ܭP33
G
ApTP7H6
GS	idlIS4qRGXusgilpLI@/tYYNy:;k&q]ţv5*mVwURT[VP>R.Qb LB*Ōc&=OP,\+,WZ&Ey㢼H&lpnh&)!
Pڕ`Wg
Ŕ(??eCTYHV/qUNh8z#~X%m28AZuJ!hCj8uR_;n4ˌ_yQ|OvIғj=fGP޾CćF/3&~5Y|,DfE̘GYuTYUNgd.<@@)4D ADу<"9 {{a~;?G/0X-zBqu<$=}M'ƭ{I2Sw#I	т@fz/^Uu,+why3-1.6.0/examples/verifythis_2015_dancing_links.mlw000066400000000000000000000072521440160026300224770ustar00rootroot00000000000000
(**

{1 VerifyThis @ ETAPS 2015 competition, Challenge 3: Dancing Links}

{h

The following is the original description of the verification task,
reproduced verbatim from
the competition web site.


    DANCING LINKS (90 minutes)
==========================

Dancing links is a technique introduced in 1979 by Hitotumatu and
Noshita and later popularized by Knuth. The technique can be used to
efficiently implement a search for all solutions of the exact cover
problem, which in its turn can be used to solve Tiling, Sudoku,
N-Queens, and other problems.

The technique
-------------

Suppose x points to a node of a doubly linked list; let L[x] and R[x]
point to the predecessor and successor of that node. Then the operations

L[R[x]] := L[x];
R[L[x]] := R[x];

remove x from the list. The subsequent operations

L[R[x]] := x;
R[L[x]] := x;

will put x back into the list again.

A graphical illustration of the process is available at
http://formal.iti.kit.edu/~klebanov/DLX.png


Verification task
-----------------

Implement the data structure with these operations, and specify and
verify that they behave in the way described above.

    }

The following is the solution by Jean-Christophe Filliâtre (CNRS)
and Guillaume Melquiond (Inria) who entered the competition as "team Why3".

*)

module DancingLinks

  use int.Int
  use ref.Ref
  use array.Array

  (** we model the data structure with two arrays, nodes being
      represented by array indices *)
  type dll = { prev: array int; next: array int; ghost n: int }
    invariant { length prev = length next = n }
    by { prev = make 0 0; next = make 0 0; n = 0 }

  (** node `i` is a valid node i.e. it has consistent neighbors *)
  predicate valid_in (l: dll) (i: int) =
    0 <= i < l.n /\ 0 <= l.prev[i] < l.n /\ 0 <= l.next[i] < l.n /\
    l.next[l.prev[i]] = i /\
    l.prev[l.next[i]] = i

  (** node `i` is ready to be put back in a list *)
  predicate valid_out (l: dll) (i: int) =
    0 <= i < l.n /\ 0 <= l.prev[i] < l.n /\ 0 <= l.next[i] < l.n /\
    l.next[l.prev[i]] = l.next[i] /\
    l.prev[l.next[i]] = l.prev[i]

  use seq.Seq as S
  function nth (s: S.seq 'a) (i: int) : 'a = S.([]) s i

  (** Representation predicate: Sequence `s` is the list of indices of
      a valid circular list in `l`.
      We choose to model circular lists, since this is the way the
      data structure is used in Knuth's dancing links algorithm. *)
  predicate is_list (l: dll) (s: S.seq int) =
    forall k: int. 0 <= k < S.length s ->
      0 <= nth s k < l.n /\
      l.prev[nth s k] = nth s (if k = 0 then S.length s - 1 else k - 1) /\
      l.next[nth s k] = nth s (if k = S.length s - 1 then 0 else k + 1) /\
      (forall k': int. 0 <= k' < S.length s -> k <> k' -> nth s k <> nth s k')

  (** Note: the code below works fine even when the list has one element
      (necessarily `i` in that case). *)
  let remove (l: dll) (i: int) (ghost s: S.seq int)
    requires { valid_in l i }
    requires { is_list l (S.cons i s) }
    ensures  { valid_out l i }
    ensures  { is_list l s }
  =
    l.prev[l.next[i]] <- l.prev[i];
    l.next[l.prev[i]] <- l.next[i];
    assert { forall k: int. 0 <= k < S.length s ->
       nth (S.cons i s) (k + 1) = nth s k } (* to help SMT with triggers *)

  let put_back (l: dll) (i: int) (ghost s: S.seq int)
    requires { valid_out l i } (* `i` is ready to be reinserted *)
    requires { is_list l s }
    requires { 0 < S.length s } (* `s` must contain at least one element *)
    requires { l.next[i] = nth s 0 <> i } (* do not link `i` to itself *)
    ensures  { valid_in l i }
    ensures  { is_list l (S.cons i s) }
  =
    l.prev[l.next[i]] <- i;
    l.next[l.prev[i]] <- i

end
why3-1.6.0/examples/verifythis_2015_dancing_links/000077500000000000000000000000001440160026300217505ustar00rootroot00000000000000why3-1.6.0/examples/verifythis_2015_dancing_links/why3session.xml000066400000000000000000000047341440160026300250000ustar00rootroot00000000000000






 
 
 
 
 
 
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
 
 
 
 
 



why3-1.6.0/examples/verifythis_2015_dancing_links/why3shapes.gz000066400000000000000000000017551440160026300244200ustar00rootroot00000000000000WM6Wئ
`낤ƨkH}l-)]_Lq{O}}J~XȚ
/+ЉZ5]dN,VbX(cN1#\ݡ6ߦG]C:ˢG:犫
_utn;TO~[NRE'&caTzۥz[a7uͅ3+?j\(jXodn^'98Tg
is^z
$+YA%.i}D3wUF)Яu.w~K:Bs3HpE0.{m39]7&}^f^=U}Gz^VC^U͖>ѳk⧚wG|1;d@ތ9+AYr#w>g$Uw@d<-Km{o{yZ'oC}wJbi+TBu=)rh?L! #d:[[
6#b2y%^Iu)jMN	3*Iq^#KAeMnvjvBfB(,ז+159jDŽ+fhm~$u$9!cbNrbB.A#qE0XөBD2:98Y͸%ᄜyA.y]#[Bi$why3-1.6.0/examples/verifythis_2015_parallel_gcd.mlw000066400000000000000000000172601440160026300223050ustar00rootroot00000000000000
(**

{1 VerifyThis @ ETAPS 2015 competition, Challenge 2: Parallel GCD}

{h

The following is the original description of the verification task,
reproduced verbatim from
the competition web site.


    PARALLEL GCD (60 minutes)
=========================

Algorithm description
---------------------

Various parallel GCD algorithms exist. In this challenge, we consider a
simple Euclid-like algorithm with two parallel threads. One thread
subtracts in one direction, the other thread subtracts in the other
direction, and eventually this procedure converges on GCD.


Implementation
--------------

In pseudocode, the algorithm is described as follows:

(
  WHILE a != b DO
      IF a>b THEN a:=a-b ELSE SKIP FI
  OD
||
  WHILE a != b DO
       IF b>a THEN b:=b-a ELSE SKIP FI
  OD
);
OUTPUT a


Verification tasks
------------------

Specify and verify the following behaviour of this parallel GCD algorithm:

Input:  two positive integers a and b
Output: a positive number that is the greatest common divisor of a and b

Feel free to add synchronisation where appropriate, but try to avoid
blocking of the parallel threads.


Sequentialization
-----------------

If your tool does not support reasoning about parallel threads, you may
verify the following pseudocode algorithm:

WHILE a != b DO
    CHOOSE(
         IF a > b THEN a := a - b ELSE SKIP FI,
         IF b > a THEN b := b - a ELSE SKIP FI
    )
OD;
OUTPUT a


    }

The following is the solution by Jean-Christophe Filliâtre (CNRS)
and Guillaume Melquiond (Inria) who entered the competition as "team Why3".

Since Why3 has no support for threads, we prove the sequential
implementation. We do not prove termination, which would require some
fairness hypothesis (in that case, you can prove that the code
terminates with probability 1).

*)

module ParallelGCD

  use int.Int
  use number.Gcd
  use ref.Ref

  (** the following lemma is easily derived from a more general
      lemma in library [number.Gcd], namely [gcd_euclid].*)
  lemma gcd_sub: forall a b: int. gcd a b = gcd a (b - a)

  let parallel_gcd (a0 b0: int) : int
    requires { 0 < a0 /\ 0 < b0 }
    diverges
    ensures  { result = gcd a0 b0 }
  =
    let a = ref a0 in
    let b = ref b0 in
    while !a <> !b do
      invariant { 0 < !a <= a0 /\ 0 < !b <= b0 }
      invariant { gcd !a !b = gcd a0 b0 }
      if any bool then
        if !a > !b then a := !a - !b else ()
      else
        if !b > !a then b := !b - !a else ()
    done;
    !a

end

(** Threads interleaving.
    Code and invariants by Rustan Leino.
    Termination argument by Martin Clochard and Léon Gondelman.
    Proof by Martin Clochard and Léon Gondelman.
    *)
module Interleaving

  use int.Int
  use number.Gcd
  use ref.Ref

  lemma gcd_sub: forall a b: int. gcd a b = gcd a (b - a)

  (* Representation of a thread: two local variables
    (register copies of the globals) and a program counter:

     ReadA:
       local_a <- a
     ReadB:
       local_b <- b
     Compare:
       if local_a = local_b goto Halt;
       if local_a > local_b a := local_a - local_b;
       goto ReadA;
     Halt:

     For the sake of simplicity, every section is considered atomic.
     (strictly speaking, section Compare is not, but it interacts
      atomically with memory so it would be equivalent)
   *)
  type state = ReadA | ReadB | Compare | Halt

  type thread = {
    mutable local_a: int; (* local copy of a *)
    mutable local_b: int; (* local copy of b *)
    mutable state  : state;
  }

  (* Thread invariant. *)
  predicate inv (th: thread) (d a b: int) =
    0 < a /\ 0 < b /\ gcd a b = d /\
    match th.state with
    | ReadA -> true
    | ReadB -> th.local_a = a (* No other thread can write in a. *)
    | Compare -> th.local_a = a && b <= th.local_b &&
                  (th.local_b <= th.local_a -> th.local_b = b)
                (* Other thread may have overwritten b, but only in a decreasing
                   decreasing fashion, and only once under a. *)
    | Halt -> th.local_a = a = b (* Final state is stable. *)
    end

  (* Does running this thread make any progress toward the result? *)
  predicate progress_thread (th: thread) (a b: int) =
    a > b \/ (a = b /\ th.state <> Halt)

  (* Decreasing ordering on program counter *)
  function state_index (s: state) : int = match s with
    | ReadA -> 7
    | ReadB -> 5
    | Compare -> 3
    | Halt -> 2
    end

  (* Synchronisation status. *)
  predicate sync (th: thread) (b: int) =
    match th.state with Compare -> th.local_b = b | _ -> true end

  (* Convert status into an index. *)
  function sync_index (th: thread) (b: int) : int =
    if sync th b then 0 else 42

  (* Thread progression index: if running this thread should make any
     progression toward the result, then it will have the following shape:
     - A first (optional) loop run for synchronization.
     - A second synchronized run until effective progress *)
  function prog_index (th: thread) (b: int) : int =
    sync_index th b + state_index th.state

  val create_thread () : thread
    ensures { result.state = ReadA }

  (* Fair scheduler modelisation: Each time it switches between threads,
     it also writes down the maximal time remaining before it
     will switch to the other.
     If it does not switch, this timeout decreases. *)
  val ghost scheduled : ref bool
  val ghost timer : ref int

  val schedule () : bool
    writes  { scheduled, timer }
    ensures { !scheduled = old !scheduled -> 0 <= !timer < old !timer }
    ensures { result = !scheduled }

  (* Execution of one thread step. *)
  let step (th: thread) (ghost d: int) (a b: ref int)
    requires { inv th d !a !b }
    writes   { th, a }
    ensures  { inv th d !a !b }
    ensures  { 0 < !a <= old !a }
    ensures  { old !a > !a -> old !a >= !a + !b }
    ensures  { progress_thread th !a !b ->
      prog_index (old th) !b > prog_index th !b \/ !a < old !a }
  =
    match th.state with
    | ReadA ->
        th.local_a <- !a; th.state <- ReadB
    | ReadB ->
        th.local_b <- !b; th.state <- Compare
    | Compare ->
        if th.local_a = th.local_b then
          th.state <- Halt
        else begin
          if th.local_a > th.local_b then a := th.local_a - th.local_b;
          th.state <- ReadA
        end
    | Halt ->
        ()
    end

  let can_progress (s : state)
    ensures { result = True <-> s <> Halt }
  = match s with Halt -> False | _ -> True end

  let parallel_gcd (a0 b0: int) : int
    requires { 0 < a0 /\ 0 < b0 }
    ensures  { result = gcd a0 b0 }
  =
    (* shared variables *)
    let a = ref a0 in
    let b = ref b0 in
    let ghost d = gcd a0 b0 in
    (* two threads *)
    let th1 = create_thread () in
    let th2 = create_thread () in
    while can_progress th1.state || can_progress th2.state do
      invariant { inv th1 d !a !b /\ inv th2 d !b !a }
      variant { (* global progress in the algorithm *)
                !a + !b
                ,
                (* progress in one of the two threads *)
                begin if !a = !b
                then prog_index th2 !a + prog_index th1 !b
                else if !a < !b
                then prog_index th2 !a
                else prog_index th1 !b end
                ,
                (* no progress in both threads, but the scheduler
                   switches to the non-progressing thread *)
                begin if progress_thread th1 !a !b
                then if !scheduled then 1 else 0
                else if progress_thread th2 !b !a
                then if !scheduled then 0 else 1
                else 0 end
                ,
                (* the scheduler is still running the non-progressing thread *)
                !timer }
      if schedule () then step th1 d a b else step th2 d b a
    done;
    !a

end
why3-1.6.0/examples/verifythis_2015_parallel_gcd/000077500000000000000000000000001440160026300215565ustar00rootroot00000000000000why3-1.6.0/examples/verifythis_2015_parallel_gcd/why3session.xml000066400000000000000000000214141440160026300246000ustar00rootroot00000000000000











 
 
 
 
 
 
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
 
 


 
 
 
 
 
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
 
 
 
 
 
 
 
  
  
  
  
  
  
  
  
   
   
   
  
  
  
  
  
  
  
  
  
  
   
   
   
  
  
  
  
  
  
  
  
 
 



why3-1.6.0/examples/verifythis_2015_parallel_gcd/why3shapes.gz000066400000000000000000000057001440160026300242200ustar00rootroot00000000000000[Yo~ط$Q}ZA
}ڋ"Cn랝c/Ivꫫkff|;-.>}g?c9~9ӣڒ#x.Ŀ\tCqor˯W]q>N.gϿby<*ۏmǔt^۹ۋs
_fϛ6}ZpA+VnHzA }oo~	}0|_;Aץ|y|?AQ޷&0PyGW6y-2^}NvXl+Xmz6/ '˓g9d?|	y0`N
]eƌG\^E)ԹR7xtD.9\5.iT']LVܓ;:ͩS_)*}'R]U'_\i9byӺN?3z{Up+2E~j]R@95QǗAׯנR3\IMf"Z\lI\ujdi'W=7;C<*_pB3;UKS0Sa{[{B][IRk'uϹV}X7u\tw
{~@s]iيI-@ߑo%
v޷BlV2!1NLʎjN8f;%fq8=+
Ti≷xZ8N}>Qɶ'r||ږjyw=^\O;OSAjw:}LvGR{HԼdQ:褖INdE7͎SraυÀ$CRBnn?Ktv_f.Q=eWNeu5
/C~T׵6b7\LxUcOk&La^F9^E놰X	Ry{\4J8~i0>և?o+jړ635X*k3ᰶ.^l}ƗC窝oj~^ۚ9`Pbzi%zU-v}3}`^ַb"jt=#櫧:XE\KHs>*R}VиiK_jY6k񂚡ľYD}
t_|>Um
eO1n-MN#[z8[okg;j6|P1rOzn
QlC\gzoޕ!Gݺ6_R}Kj{n\܏k
N~tlXjl{o?Z;HOu?>oz[wmU3%ؐ{p-ϥ?ùNb=;߷ɾaU3}=nu=Gwlx
1Ir/ݞkz˻yJܩnROO
ݎi݀vzO7`6JgDa0%YS)B@LVȔ$#+>BWKb2D:
d,jeݷ8&.`%3,VWg(e}")bUs	xІ738*o-˜
!o4ERoȞQu"(`-: "nc`ڂQNZS8,QRĂƢH8;H6"u 7;ʨL5F(
J!*iYlQmyH&in	W
"
Y*Gq)1nB^#UO ++A
Wmt68U6Owhy3-1.6.0/examples/verifythis_2015_relaxed_prefix.mlw000066400000000000000000000100451440160026300226670ustar00rootroot00000000000000
(**

{1 VerifyThis @ ETAPS 2015 competition, Challenge 1: Relaxed Prefix}

{h

The following is the original description of the verification task,
reproduced verbatim from
the competition web site.


    RELAXED PREFIX (60 minutes)
===========================


Description
-----------

Verify a function isRelaxedPrefix determining if a list _pat_ (for
pattern) is a relaxed prefix of another list _a_.

The relaxed prefix property holds iff _pat_ is a prefix of _a_ after
removing at most one element from _pat_.


Examples
--------

pat = {1,3}   is a relaxed prefix of a = {1,3,2,3} (standard prefix)

pat = {1,2,3} is a relaxed prefix of a = {1,3,2,3} (remove 2 from pat)

pat = {1,2,4} is not a relaxed prefix of a = {1,3,2,3}.


Implementation notes
--------------------

You can implement lists as arrays, e.g., of integers. A reference
implementation is given below. It may or may not contain errors.


public class Relaxed {

    public static boolean isRelaxedPrefix(int[] pat, int[] a) {
        int shift = 0;

        for(int i=0; i<pat.length; i++) {
            if (pat[i]!=a[i-shift])
                if (shift==0) shift=1;
                    else return false;
        }
        return true;
    }


    public static void main(String[] argv) {
        int[] pat = {1,2,3};
        int[] a1 = {1,3,2,3};
        System.out.println(isRelaxedPrefix(pat, a1));
    }

}



Advanced verification task (if you get bored)
---------------------------------------------

Implement and verify a function relaxedContains(pat, a) returning
whether _a_ contains _pat_ in the above relaxed sense, i.e., whether
_pat_ is a relaxed prefix of any suffix of _a_.

    }

The following is the solution by Jean-Christophe Filliâtre (CNRS)
and Guillaume Melquiond (Inria) who entered the competition as "team Why3".

*)

module RelaxedPrefix

  use int.Int
  use ref.Ref
  use array.Array

  type char
  val eq (x y : char) : bool ensures { result = True <-> x = y }

  (** `a1[ofs1..ofs1+len]` and `a2[ofs2..ofs2+len]` are valid sub-arrays
      and they are equal *)
  predicate eq_array (a1: array char) (ofs1: int)
                     (a2: array char) (ofs2: int) (len: int) =
    0 <= len /\ 0 <= ofs1 /\ 0 <= ofs2 /\
    ofs1 + len <= length a1 /\ ofs2 + len <= length a2 /\
    forall i: int. 0 <= i < len -> a1[ofs1 + i] = a2[ofs2 + i]

  (** The target property. *)

  predicate is_relaxed_prefix (pat a: array char) =
    let n = length pat in
       eq_array pat 0 a 0 n
    \/ exists i: int. 0 <= i < n /\
                      eq_array pat 0 a 0 i /\
                      eq_array pat (i+1) a i (n - i - 1)

  (** This exception is used to exit the loop as soon as the target
      property is no more possible. *)

  exception NoPrefix

  (** Note regarding the code: the suggested pseudo-code is buggy, as it
      may access `a` out of bounds. We fix it by strengthening the
      test in the conditional. *)

  let is_relaxed_prefix (pat a: array char) : bool
    ensures { result <-> is_relaxed_prefix pat a }
  =
    let n = length pat in
    let m = length a in
    try
      let shift = ref 0 in
      let ghost ignored = ref 0 in
      for i = 0 to n - 1 do
        invariant { 0 <= !shift <= 1 }
        invariant { !shift = 1 -> 0 <= !ignored < i }
        invariant { m + !shift >= i }
        invariant {
          if !shift = 0 then eq_array pat 0 a 0 i
          else eq_array pat 0 a 0 !ignored /\
               eq_array pat (!ignored + 1) a !ignored (i - !ignored - 1) /\
               not (eq_array pat 0 a 0 i) /\
               (!ignored < m -> pat[!ignored] <> a[!ignored]) }
        if i - !shift >= m || not (eq pat[i] a[i - !shift]) then begin
          if !shift = 1 then begin
            assert { forall j. eq_array pat 0 a 0 j ->
              eq_array pat (j+1) a j (n-j-1) ->
              !ignored > j -> pat[j+1+(i-j-1)] = a[j+(i-j-1)]
            };
            raise NoPrefix
          end;
          ignored := i;
          shift := 1;
        end;
      done;
      True
    with NoPrefix ->
      False
    end

end
why3-1.6.0/examples/verifythis_2015_relaxed_prefix/000077500000000000000000000000001440160026300221465ustar00rootroot00000000000000why3-1.6.0/examples/verifythis_2015_relaxed_prefix/why3session.xml000066400000000000000000000071711440160026300251740ustar00rootroot00000000000000






 
 
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
 
 



why3-1.6.0/examples/verifythis_2015_relaxed_prefix/why3shapes.gz000066400000000000000000000026621440160026300246140ustar00rootroot00000000000000Ko6M`_E(`xO)R͢	!)imI
T!A7{s\o寵Rw-kU9Y>
'ᜎswju~ϖ=jp퇆ƋWzRk%zvfr/ib,nݥkȈkxOW.~s;uN&]ԛ=sFݻFX$<
W
2	[rᆦZkw8
x'2KG
gsKK)iE?8pf2G>AjI4ܸCgE/=6R	YeH]餁&\W6!~~i6b5:Hci&JTWQ@&!,ݗM!(pvԗjZE{6CB+RM-x(*E.B:32S(KMu@m-dTn[{%2R{`L/`dƞtځiz~̇fۮaQ$*W_LџLTQHo.e!F2Rh)Cw6}v=U	If7TDDwʯ){|ЫdT#\lb@|BӲE,Ro*)x
Fz6aI32rf3:HfTތR:g_iًqf#W8=gvӬӶ^uu5l=ۗ`K`>pF^q]^-^y:"c̳"Uqˋb*tPg"f/ a*+]@RczܔE-ݖaKɔvRYRJ-GE{}N>`1{X8b8y!6mz,@xhj~պ>IPU)	oyRdB7+[
5A0v̄5aU1y0r(9rE%HIT1&aS\kdAR,Ō4uiaʮSd+ Ԓ{G#-mՍbK~h]P& h1G,#%M>Vy^8hQÖbc[&72>JK"
X-#-ԜpVu8,(
dR*FJǚ
xRλvȌ5Y
+
tr\	:J;d%62ZP1Ҍ&e5UqS)Hŋ.ΈֹbTWBr:L^kfC*jb)ˆ@Vl#UP
%R[9pk'2* w8kIM
Ch͘IRid>%'W
 Bv X"RDFt&why3-1.6.0/examples/verifythis_2016_matrix_multiplication/000077500000000000000000000000001440160026300235675ustar00rootroot00000000000000why3-1.6.0/examples/verifythis_2016_matrix_multiplication/README000066400000000000000000000053601440160026300244530ustar00rootroot00000000000000
This is a complete solution to Verifythis 2016 challenge 1.

A self-contained solution to task 1 can be found in file naive.mlw
Other files solve task 2 and 3:
- sum_extended.mlw prove a few extra lemmas on top of what
  the standard library already gives
- matrices.mlw contains the theories of matrices, matrix arithmetic,
  and block product. Except for providing the requested program,
  it solves task 2.
- matrices_ring_simp.mlw is a support file for proof by reflection
  of matrix algebraic equations
- strassen.mlw is the implementation of Strassen's Algorithm for task 3.
  It also contains the program associated to task 2 (assoc_proof).

To replay proofs:
- Install Why3 development version from the git source repository
  (at the time this file was written, it would not replay with the
   release version due to known incompleteness bug in compute)
- Install SMT solvers Alt-Ergo 1.01, CVC4 1.4 and Z3 4.4.1
- Run why3 replay -L . FILE to replay the session associated to FILE.


Challenge text:


Challenge 1: Matrix Multiplication

Consider the following pseudocode algorithm, which is naive implementation of matrix multiplication. For simplicity we assume that the matrices are square.

 int[][] matrixMultiply(int[][] A, int[][] B) {
    int n = A.length;

    // initialise C
    int[][] C = new int[n][n];

    for (int i = 0; i < n; i++) {
           for (int k = 0; k < n; k++) {
                   for (int j = 0; j < n; j++) {
                       C[i][j] += A[i][k] * B[k][j];
                   }
           }
    }
    return C;
 }

Tasks.
1. Provide a specification to describe the behaviour of this algorithm, and prove
   that it correctly implements its specification.

2. Show that matrix multiplication is associative, i.e., the order in which
   matrices are multiplied can be disregarded: A(BC) = (AB)C. To show this,
   you should write a program that performs the two different computations,
   and then prove that the result of the two computations is always the same.

3. [Optional, if time permits] In the literature, there exist many proposals
   for more efficient matrix multiplication algorithms. Strassen’s algorithm
   was one of the first. The key idea of the algorithm is to use a recursive
   algorithm that reduces the number of multiplications on submatrices
   (from 8 to 7), see https://en.wikipedia.org/wiki/Strassen_algorithm for an
   explanation. A relatively clean Java implementation (and Python and C++)
   can be found here: https://martin-thoma.com/strassen-algorithm-in-python-java-cpp/.
   Prove that the naive algorithm above has the same behaviour as Strassen’s
   algorithm. Proving it for a restricted case, like a 2x2 matrix should be
   straightforward, the challenge is to prove it for arbitrary matrices with size 2^n.
why3-1.6.0/examples/verifythis_2016_matrix_multiplication/matrices.mlw000066400000000000000000000225411440160026300261230ustar00rootroot00000000000000theory MatrixGen

  use int.Int

  type mat 'a

  function rows (mat 'a) : int

  function cols (mat 'a) : int

  axiom rows_and_cols_nonnegative:
    forall m: mat 'a. 0 <= rows m /\ 0 <= cols m

  function get (mat 'a) int int : 'a

  function set (mat 'a) int int 'a : mat 'a

  axiom set_def1:
    forall m: mat 'a, i j: int, v: 'a. 0 <= i < rows m -> 0 <= j < cols m ->
    rows (set m i j v) = rows m

  axiom set_def2:
    forall m: mat 'a, i j: int, v: 'a. 0 <= i < rows m -> 0 <= j < cols m ->
    cols (set m i j v) = cols m

  axiom set_def3:
    forall m: mat 'a, i j: int, v: 'a. 0 <= i < rows m -> 0 <= j < cols m ->
    get (set m i j v) i j = v

  axiom set_def4:
    forall m: mat 'a, i j: int, v: 'a. 0 <= i < rows m -> 0 <= j < cols m ->
    forall i' j': int. 0 <= i' < rows m /\ 0 <= j' < cols m /\
      (i <> i' \/ j <> j') ->
      get (set m i j v) i' j' = get m i' j'

  predicate (==) (m1 m2: mat 'a) =
    rows m1 = rows m2 && cols m1 = cols m2 &&
    forall i j: int. 0 <= i < rows m1 -> 0 <= j < cols m1 ->
    get m1 i j = get m2 i j

  axiom extensionality:
    forall m1 m2: mat 'a. m1 == m2 -> m1 = m2

  predicate (===) (a b: mat 'a) =
    rows a = rows b /\ cols a = cols b

end


theory Matrix

  use int.Int

  type mat 'a

  function rows (mat 'a) : int

  function cols (mat 'a) : int

  function get (mat 'a) int int : 'a

  function create (r c: int) (f: int -> int -> 'a) : mat 'a

  axiom create_rows:
    forall r c: int, f: int -> int -> 'a.
    0 <= r -> rows (create r c f) = r

  axiom create_cols:
  forall r c: int, f: int -> int -> 'a.
    0 <= c -> cols (create r c f) = c

  axiom create_get:
    forall r c: int, f: int -> int -> 'a, i j: int.
    0 <= i < r -> 0 <= j < c -> get (create r c f) i j = f i j

  function set (m:mat 'a) (x y:int) (z:'a) : mat 'a =
    create m.rows m.cols (fun x1 y1 -> if x1 = x && y1 = y then z else get m x1 y1)

  clone export MatrixGen with type mat 'a = mat 'a,
    function rows = rows,
    function cols = cols,
    function get = get,
    function set = set,
    lemma set_def1,
    lemma set_def2,
    lemma set_def3,
    lemma set_def4,
    axiom rows_and_cols_nonnegative,
    axiom extensionality

  use int.Int

end

module MatrixArithmetic

  use int.Int
  use int.Sum
  use sum_extended.Sum_extended
  use Matrix

  (* Zero matrix *)
  constant zerof : int -> int -> int = fun _ _ -> 0

  function zero (r c: int) : mat int = create r c zerof

  (* Matrix addition *)
  function add2f (a b: mat int) : int -> int -> int =
    fun x y -> get a x y + get b x y

  function add (a b: mat int) : mat int =
    create (rows a) (cols a) (add2f a b)

  (* Matrix additive inverse *)
  function opp2f (a: mat int) : int -> int -> int =
    fun x y -> - get a x y

  function opp (a: mat int) : mat int =
    create (rows a) (cols a) (opp2f a)

  function sub (a b: mat int) : mat int =
    add a (opp b)

  (* Matrix multiplication *)
  function mul_atom (a b: mat int) (i j:int) : int -> int =
    fun k -> get a i k  * get b k j

  function mul_cell (a b: mat int): int -> int -> int =
    fun i j -> sum (mul_atom a b i j) 0 (cols a)

  function mul (a b: mat int) : mat int =
    create (rows a) (cols b) (mul_cell a b)

  lemma zero_neutral:
    forall a. add a (zero a.rows a.cols) =  a
           by add a (zero a.rows a.cols) == a

  lemma add_commutative:
    forall a b. a === b ->
          add a b =  add b a
      by  add a b == add b a

  lemma add_associative:
    forall a b c. a === b === c ->
       add a (add b c) =  add (add a b) c
    by add a (add b c) == add (add a b) c

  lemma add_opposite:
    forall a. add a (opp a) =  zero a.rows a.cols
           by add a (opp a) == zero a.rows a.cols

  lemma opp_involutive:
    forall m. opp (opp m) = m

  lemma opposite_add: forall m1 m2.
    m1 === m2 -> opp (add m1 m2) = add (opp m1) (opp m2)

  function ft1 (a b c: mat int) (i j: int)  : int -> int -> int =
                fun k -> smulf (mul_atom a b i k) (get c k j)

  function ft2 (a b c: mat int) (i j: int) : int -> int -> int =
                fun k -> smulf (mul_atom b c k j) (get a i k)

  let lemma mul_assoc_get (a b c: mat int) (i j: int)
    requires { cols a = rows b }
    requires { cols b = rows c }
    requires { 0 <= i < (rows a) /\ 0 <= j < (cols c) }
    ensures  { get (mul (mul a b) c) i j = get (mul a (mul b c)) i j }
  = let ft1 = ft1 a b c i j in
    let ft2 = ft2 a b c i j in
    fubini ft1 ft2 0 (cols b) 0 (cols a);
    sum_ext (mul_atom (mul a b) c i j) (sumf ft1 0 (cols a)) 0 (cols b);
    assert { get (mul (mul a b) c) i j = sum (sumf ft1 0 (cols a)) 0 (cols b) };
    sum_ext (mul_atom a (mul b c) i j) (sumf ft2 0 (cols b)) 0 (cols a);
    assert { get (mul a (mul b c)) i j = sum (sumf ft2 0 (cols b)) 0 (cols a) }

   lemma mul_assoc:
     forall a b c. cols a = rows b -> cols b = rows c ->
     let ab = mul a b in
     let bc = mul b c in
     let a_bc = mul a bc in
     let ab_c = mul ab c in
        a_bc =  ab_c
     by a_bc == ab_c

  let lemma mul_distr_right_get (a b c: mat int) (i j: int)
    requires { 0 <= i < rows a /\ 0 <= j < cols c }
    requires { cols b = rows c}
    requires { a === b }
    ensures  { get (mul (add a b) c) i j = get (add (mul a c) (mul b c)) i j }
  = let mac = mul_atom a c i j in
    let mbc = mul_atom b c i j in
    assert { get (add (mul a c) (mul b c)) i j =
             get (mul a c) i j + get (mul b c) i j =
             sum (addf mac mbc) 0 (cols b) };
    sum_ext (addf mac mbc) (mul_atom (add a b) c i j) 0 (cols b)

  lemma mul_distr_right:
     forall a b c.  a === b -> cols b = rows c ->
       mul (add a b) c = add (mul a c) (mul b c)
         by mul (add a b) c == add (mul a c) (mul b c)

  let lemma mul_distr_left_get (a b c: mat int) (i j : int)
    requires { 0 <= i < rows a /\ 0 <= j < cols c }
    requires { cols a = rows b }
    requires { b === c }
    ensures  { get (mul a (add b c)) i j = get (add (mul a b) (mul a c)) i j }
  = let mab = mul_atom a b i j in
    let mac = mul_atom a c i j in
    assert { get (add (mul a b) (mul a c)) i j =
             get (mul a b) i j + get (mul a c) i j =
             sum (addf mab mac) 0 (cols a) };
    sum_ext (addf mab mac) (mul_atom a (add b c) i j) 0 (cols a)

  lemma mul_distr_left:
    forall a b c.  b === c -> cols a = rows b ->
          mul a (add b c) =  add (mul a b) (mul a c)
       by mul a (add b c) == add (mul a b) (mul a c)

  lemma mul_zero_right:
    forall a c. 0 <= c -> mul a (zero a.cols c) = zero a.rows c

  lemma mul_zero_left:
    forall a r. 0 <= r -> mul (zero r a.rows) a = zero r a.cols

  lemma mul_opp:
    forall a b. a.cols = b.rows ->
    let oa = opp a in
    let ob = opp b in
    let ab = mul a b in
    let oab = opp ab in
    mul oa b = oab = mul a ob
    by add (mul oa b) (add ab oab) = oab = add (mul a ob) (add ab oab)

end

module BlockMul

  use int.Int
  use int.Sum
  use sum_extended.Sum_extended
  use Matrix
  use MatrixArithmetic

  function ofs2 (a: mat int) (ai aj: int) : int -> int -> int
    = fun i j -> get a (ai + i) (aj + j)

  function block (a: mat int) (r dr c dc: int) : mat int =
    create dr dc (ofs2 a r c)

  predicate c_blocks (a a1 a2: mat int) =
    0 <= a1.cols <= a.cols /\ a1 = block a 0 a.rows 0 a1.cols /\
    a2 = block a 0 a.rows a1.cols (a.cols - a1.cols)

  predicate r_blocks (a a1 a2: mat int) =
    0 <= a1.rows <= a.rows /\ a1 = block a 0 a1.rows 0 a.cols /\
    a2 = block a a1.rows (a.rows - a1.rows) 0 a.cols

  let rec ghost block_mul_ij (a a1 a2 b b1 b2: mat int) (k: int) : unit
    requires { a.cols = b.rows /\ a1.cols = b1.rows}
    requires { 0 <= k <= a.cols }
    requires { c_blocks a a1 a2 /\ r_blocks b b1 b2 }
    ensures  { forall i j. 0 <= i < a.rows -> 0 <= j < b.cols ->
                 0 <= k <= a1.cols ->
                   sum (mul_atom a b i j) 0 k = sum (mul_atom a1 b1 i j) 0 k }
    ensures  { forall i j. 0 <= i < a.rows -> 0 <= j < b.cols ->
                a1.cols <= k <= a.cols ->
                  sum (mul_atom a b i j) 0 k  =
	            sum (mul_atom a1 b1 i j) 0 a1.cols +
		    sum (mul_atom a2 b2 i j) 0 (k - a1.cols) }
    variant { k }
  = if 0 < k then begin
      let k = k - 1 in
      assert { forall i j. 0 <= i < a.rows -> 0 <= j < b.cols ->
     	        mul_atom a b i j k = if k < a1.cols then mul_atom a1 b1 i j k
	        else  mul_atom a2 b2 i j (k - a1.cols) };
      block_mul_ij a a1 a2 b b1 b2 k
    end

  let lemma mul_split (a a1 a2 b b1 b2: mat int) : unit
    requires { a.cols = b.rows /\ a1.cols = b1.rows}
    requires { c_blocks a a1 a2 /\ r_blocks b b1 b2 }
    ensures  {add (mul a1 b1) (mul a2 b2) = mul a b }
  = block_mul_ij a a1 a2 b b1 b2 a.cols;
    assert { add (mul a1 b1) (mul a2 b2) == mul a b }

  let lemma mul_block_cell (a b: mat int) (r dr c dc i j: int) : unit
    requires { a.cols = b.rows }
    requires { 0 <= r /\ r + dr <= a.rows }
    requires { 0 <= c /\ c + dc <= b.cols }
    requires { 0 <= i < dr /\ 0 <= j < dc }
    ensures  { ofs2 (mul a b) r c i j =
               get (mul (block a r dr 0 a.cols) (block b 0 b.rows c dc)) i j }
  = let a' = block a r dr 0 a.cols in
    let b' = block b 0 b.rows c dc in
    sum_ext (mul_atom a b (i + r) (j + c)) (mul_atom a' b' i j) 0 a.cols

  lemma mul_block:
    forall a b: mat int, r dr c dc: int.
    a.cols = b.rows -> 0 <= r <= r + dr <= a.rows ->
    0 <= c <= c + dc <= b.cols ->
    let a' = block a r dr 0 a.cols in
    let b' = block b 0 b.rows c dc in
    let m' = block (mul a b) r dr c dc in
       m' =  mul a' b'
    by m' == mul a' b'

end

why3-1.6.0/examples/verifythis_2016_matrix_multiplication/matrices/000077500000000000000000000000001440160026300253765ustar00rootroot00000000000000why3-1.6.0/examples/verifythis_2016_matrix_multiplication/matrices/why3session.xml000066400000000000000000000240301440160026300304150ustar00rootroot00000000000000







 
 
 
 
 
 
 
 
 
 
 
 


 
 
  
  
  
  
  
  
 
 
 
 
  
  
  
  
  
  
 
 
 
 
  
  
  
  
  
  
 
 
 
 
  
  
  
  
  
  
 
 
 
 
 
 
 
 
 
 
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
 
 
 
 
  
  
  
  
  
  
 
 
 
 
  
  
  
  
  
  
  
  
  
 
 
 
 
  
  
  
  
  
  
 
 
 
 
  
  
  
  
  
  
  
  
  
 
 
 
 
  
  
  
  
  
  
 
 
 
 
 
 
 
 
 
 
  
  
  
  
  
  
  
  
  
  
  
  
 
 


 
 
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
 
 
 
 
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
 
 
 
 
  
  
  
  
  
  
 
 
 
 
  
  
  
  
  
  
 
 



why3-1.6.0/examples/verifythis_2016_matrix_multiplication/matrices/why3shapes.gz000066400000000000000000000076351440160026300300510ustar00rootroot00000000000000\Yo$9r~ׯУx/cL
{F
I*U]IqGԿS}g}x._"^ŇyƧ:AjU|q
fzm7!RğO-;8hlMgrlTz>
R
Ri&ձ4XsPo3ܬ/ϟC\Gm&dӌf7^"ƦĠ I5(8FtJLTg@,Ѡ̠ܠV~Go~X'NXCodKDC.e
vc)WGIٜO{}+A42O#$n6FOʈ/q]8!6Ue /ee<np3C|satՃ4݉i|pF_F
OP,vE_vkmlOK\Cvy~"mvXfki'~zrtйaFw58bip?ħOv(W>sG=f@-C;7]S؆(Vq,S3:^$PWy}dXVs&9vaVbs]Bf,RHY"fGz)g|{EdVZeOGQ]l)^K9&F=X_?>Xepepo#7_,7sK4uKDEYv^^sٮm[d᲋>C}$n'qfҹ뷦ڽVb&6R}9>ל'ugM[Rk^Ɒn}*̞;'{lYu۳}CnZwmvfЩ_
}`Us#*1..]9H$$ىY'40En$Kzʒg!ն}rsV1drx:s:OxVJ7+dY_L{}`7w6_p&7M{mjj[lrYhqhϳogtՍzAτgd:VOEb<:.'sTpEq'sn'0#%[燎rTZ:VTfޥ 3=ysjbihh>Dr>"~zC8Hu/Mu5Rӄ]gVtG&|E6Ra+Dşc"n`ryb7+'˝:eR [`douX>ZǦm|>~Olb=6yQuSvzi#rBg|<]sǜ7YL}{믷wO&ﳺ@P?y*>1/y:Џ%WK
rQyLo7y戡GsK]!<3ih;BJ1YeGw4ŐT>j);8OKIzs9U)^E	x*u̫Ի9v<
	Ѱxz*x{UaGϼj9Ə:/'UU'긥U[\H}Ru'/ċ;@:}9fjOJڰS3AvI|`z}ew 5޶B:^_74=Ẉ_aG*u9Zi}aMڜيzSF}QǻW=<&i|ǭ_-lVb%#$L8]
|sմ{r>У&pm	B{;ɚ9h{$w|3Wbjx8F~T>xUX[EQ;X؜힜^É^ߟED9;=׏^elcSmYWcx66e/ybVG_8GAϲb3̈́
SVa,hs]?ͤ_0ss7}RB(RKUHd^%rJFe`;&BD")MZ@B5RHM
A0$(m'DIOEFi$m)/^ŢAxSh	@RX.$Z,53d+ɥf;).J6ʈ&R˕0.5Ț|$F%焀)CZ:DpUHXP1 hϥXs$bZtl;$1!)-e	4"wV=P*D90L*(l.ƧVH;gE	a]()`deefXNbD䲬
aZl^үAGK1e"``g:*;5%ö2yidNpFLܣG7VmU
4+EycGA.(@K&**T1ޱD/@]w"8J0.M@)UfgTt$0KjmrR
P}1RH;]cZ\s54֐ӥr7cQ+aHl&3#'&Y	w7A;gGzEˉZrI˒+@/@DrŢWVVL["PMG+cG8$ͥh(4r]S3ւȦLyUԂSْ3h>Q
ɓDؠ=aoL
Ŵ='?k)AZk]	VE`pr8K!UHDjcszdIlD6BxA4a!sDX+U 3[VlB̈́ZBƓΏ|g!2/!h(d>rԜ0h=lpHJƞ,)Dr!	"\"iHiPY_AW%Z$}dKH6^AhLN("EPPMS(,h8m9Ÿrq( 
XA7JR$'0CA7Z'HREQVրϠL7HkbHI{5piB2q!c[h¾쉜5ZdI Uz>qV
$Z2y6#FBM.i;⤒Rzi@b|#*KaP!rYʀp'S
:EȈ.Ƅe_ '
-r=CBBS$D|XcpS7לPpΘ6hYL=[}	!C5XRW}ʵJ*7Q[GrQ6
A%
Lp8!d&RAuZsP*
a(;lEԚ&eH_L0YBw,j9Tpjˀ̈D9;++BikMEJ6i6ty\
De2Py3'k~idE l
)du(\XFt9XަlgԹ5\·g	jUC"J8_ 8^9uHPEЄ,Bԋvn":BECI.!s ,AO^2kƃ,,! "IP#C1!P/ 
G4Tt7+V}IBQ^zvkmvt#^3dLL">
]Twhy3-1.6.0/examples/verifythis_2016_matrix_multiplication/matrices_ring_simp.mlw000066400000000000000000000375111440160026300301750ustar00rootroot00000000000000(* Symbolic computation on matrix expressions. *)
module Symb

  use int.Int
  use list.List
  use matrices.Matrix
  use matrices.MatrixArithmetic

  scope LOCAL

    type mono = {
      m_prod : list int;
      m_pos : bool;
    }

    function l_mdl (f:int -> mat int) (l:list int) : mat int =
      match l with
      | Nil -> zero (-1) (-1)
      | Cons x Nil -> f x
      | Cons x q -> mul (f x) (l_mdl f q)
      end
    meta rewrite_def function l_mdl
    predicate l_vld (f:int -> mat int) (r c:int) (l:list int) =
      match l with
      | Nil -> false
      | Cons x Nil -> rows (f x) = r && cols (f x) = c
      | Cons x q -> rows (f x) = r && l_vld f (cols (f x)) c q
      end
    meta rewrite_def predicate l_vld
    let rec lemma l_mdl_ok (f:int -> mat int) (r c:int) (l:list int) : unit
      requires { l_vld f r c l }
      ensures { let rs = l_mdl f l in rows rs = r /\ cols rs = c }
      variant { l }
    = match l with
      | Nil -> absurd
      | Cons _ Nil -> ()
      | Cons x q -> l_mdl_ok f (cols (f x)) c q
      end
    function m_mdl (f:int -> mat int) (m:mono) : mat int =
      let m0 = l_mdl f m.m_prod in
      if m.m_pos then m0 else opp m0
    meta rewrite_def function m_mdl
    let lemma m_mdl_ok (f:int -> mat int) (r c:int) (m:mono) : unit
      requires { l_vld f r c m.m_prod }
      ensures { let rs = m_mdl f m in rows rs = r /\ cols rs = c }
    = l_mdl_ok f r c m.m_prod

    function lm_mdl (f:int -> mat int) (r c:int) (l:list mono) : mat int =
      match l with
      | Nil -> zero r c
      | Cons x q -> add (lm_mdl f r c q) (m_mdl f x)
      end
    function lm_mdl_simp (f:int -> mat int) (r c:int) (l:list mono) : mat int =
      match l with
      | Nil -> zero r c
      | Cons x Nil -> m_mdl f x
      | Cons x q -> add (lm_mdl_simp f r c q) (m_mdl f x)
      end
    meta rewrite_def function lm_mdl_simp
    predicate lm_vld (f:int -> mat int) (r c:int) (l:list mono) =
      match l with
      | Nil -> true
      | Cons x q -> l_vld f r c x.m_prod && lm_vld f r c q
      end
    meta rewrite_def predicate lm_vld
    let rec lemma lm_mdl_ok (f:int -> mat int) (r c:int) (l:list mono) : unit
      requires { lm_vld f r c l /\ r >= 0 /\ c >= 0 }
      ensures { let rs = lm_mdl f r c l in rows rs = r /\ cols rs = c }
      variant { l }
    = match l with
      | Nil -> ()
      | Cons _ q -> lm_mdl_ok f r c q
      end
    let rec ghost lm_mdl_same (f:int -> mat int) (r c:int) (l:list mono) : unit
      requires { lm_vld f r c l }
      ensures { lm_mdl_simp f r c l = lm_mdl f r c l }
      variant { l }
    = match l with
      | Nil -> ()
      | Cons _ Nil -> ()
      | Cons _ q -> lm_mdl_same f r c q
      end

    function l_compare (l1 l2:list int) : int = match l1, l2 with
      | Nil, Nil -> 0
      | Nil, _ -> (-1)
      | _, Nil -> 1
      | Cons x q, Cons y r ->
        if x < y then (-1) else if x > y then 1 else l_compare q r
      end
    meta rewrite_def function l_compare
    let rec ghost l_compare_zero (l1 l2:list int) : unit
      requires { l_compare l1 l2 = 0 }
      ensures { l1 = l2 }
      variant { l1 }
    = match l1, l2 with
      | Nil, Nil -> ()
      | Cons _ q, Cons _ r -> l_compare_zero q r
      | _ -> absurd
      end

    predicate m_lower (m1 m2:mono) =
      let cmp = l_compare m1.m_prod m2.m_prod in
      cmp < 0 || (cmp = 0 && (m1.m_pos -> m2.m_pos))
    meta rewrite_def predicate m_lower

    function m_collapse (l:list mono) (m:mono) : list mono = match l with
    | Nil -> Cons m Nil
    | Cons x q ->
      if not x.m_pos && m.m_pos && l_compare m.m_prod x.m_prod = 0
      then q
      else Cons m l
    end
    meta rewrite_def function m_collapse
    let ghost m_collapse_ok (f:int -> mat int) (r c:int)
                            (l:list mono) (m:mono) : list mono
      requires { lm_vld f r c l /\ l_vld f r c m.m_prod }
      requires { r >= 0 /\ c >= 0 }
      ensures { result = m_collapse l m /\ lm_vld f r c result }
      ensures { lm_mdl f r c result = add (lm_mdl f r c l) (m_mdl f m) }
    = let res = m_collapse l m in
      match l with
      | Nil -> ()
      | Cons x q ->
        if not x.m_pos && m.m_pos && l_compare m.m_prod x.m_prod = 0
        then begin
          l_compare_zero m.m_prod x.m_prod;
          assert { lm_mdl f r c q =
            add (m_mdl f m) (add (lm_mdl f r c q) (m_mdl f x)) }
          end
      end;
      res

    function lm_collapse (acc l:list mono) : list mono = match l with
      | Nil -> acc
      | Cons x q -> lm_collapse (m_collapse acc x) q
      end
    meta rewrite_def function lm_collapse
    let rec ghost lm_collapse_ok (f:int -> mat int) (r c:int)
                                 (acc l:list mono) : list mono
      requires { lm_vld f r c acc /\ lm_vld f r c l }
      requires { r >= 0 /\ c >= 0 }
      ensures { result = lm_collapse acc l /\ lm_vld f r c result }
      ensures { lm_mdl f r c result = add (lm_mdl f r c acc) (lm_mdl f r c l) }
      variant { l }
    = match l with
      | Nil -> acc
      | Cons x q -> lm_collapse_ok f r c (m_collapse_ok f r c acc x) q
      end

    function cat_rev (acc l:list 'a) : list 'a = match l with
      | Nil -> acc
      | Cons x q -> cat_rev (Cons x acc) q
      end
    meta rewrite_def function cat_rev
    let rec ghost cat_rev_ok (f:int -> mat int) (r c:int)
      (acc l:list mono) : list mono
      requires { lm_vld f r c acc /\ lm_vld f r c l }
      requires { r >= 0 /\ c >= 0 }
      ensures { result = cat_rev acc l /\ lm_vld f r c result }
      ensures { lm_mdl f r c result = add (lm_mdl f r c acc) (lm_mdl f r c l) }
      variant { l }
    = match l with
      | Nil -> acc
      | Cons x q -> cat_rev_ok f r c (Cons x acc) q
      end

    function lm_dump (x:mono) (acc l:list mono) : (list mono,list mono) =
      match l with
      | Nil -> (acc, Nil)
      | Cons y q ->
        if m_lower x y then (acc, l) else lm_dump x (m_collapse acc y) q
      end
    meta rewrite_def function lm_dump
    let rec ghost lm_dump_ok (f:int -> mat int) (r c:int)
      (x:mono) (acc l:list mono) : (list mono,list mono)
      requires { r >= 0 /\ c >= 0 }
      requires { lm_vld f r c acc /\ lm_vld f r c l }
      ensures { result = lm_dump x acc l }
      ensures { let (acc2,l2) = result in
        lm_vld f r c acc2 /\ lm_vld f r c l2 /\
        add (lm_mdl f r c acc2) (lm_mdl f r c l2) =
        add (lm_mdl f r c acc) (lm_mdl f r c l) }
      variant { l }
    = match l with
      | Nil -> (acc, Nil)
      | Cons y q ->
        if m_lower x y then (acc, l)
        else lm_dump_ok f r c x (m_collapse_ok f r c acc y) q
      end

    function lm_merge (acc l1 l2:list mono) : list mono = match l1 with
      | Nil -> cat_rev Nil (lm_collapse acc l2)
      | Cons x q ->
        let (acc,l2) = lm_dump x acc l2 in
        lm_merge (m_collapse acc x) q l2
      end
    meta rewrite_def function lm_merge
    let rec ghost lm_merge_ok (f:int -> mat int) (r c:int)
      (acc l1 l2:list mono) : list mono
      requires { r >= 0 /\ c >= 0 /\ lm_vld f r c acc }
      requires { lm_vld f r c l1 /\ lm_vld f r c l2 }
      ensures { result = lm_merge acc l1 l2 /\ lm_vld f r c result }
      ensures { lm_mdl f r c result =
        add (lm_mdl f r c acc) (add (lm_mdl f r c l1) (lm_mdl f r c l2)) }
      variant { l1 }
    = match l1 with
      | Nil -> cat_rev_ok f r c Nil (lm_collapse_ok f r c acc l2)
      | Cons x q -> let (acc,l2) = lm_dump_ok f r c x acc l2 in
        lm_merge_ok f r c (m_collapse_ok f r c acc x) q l2
      end

    function cat (l1 l2:list 'a) : list 'a = match l1 with
      | Nil -> l2
      | Cons x q -> Cons x (cat q l2)
      end
    meta rewrite_def function cat

    let rec ghost cat_ok (f:int -> mat int) (r k c:int)
                         (l1 l2:list int) : list int
      requires { r >= 0 /\ k >= 0 /\ c >= 0 }
      requires { l_vld f r k l1 /\ l_vld f k c l2 }
      ensures { result = cat l1 l2 /\ l_vld f r c result }
      ensures { l_mdl f result = mul (l_mdl f l1) (l_mdl f l2) }
      variant { l1 }
    = match l1, l2 with
      | Nil, _ | _, Nil -> absurd
      | Cons x Nil, _ -> Cons x l2
      | Cons x q, _ -> Cons x (cat_ok f (cols (f x)) k c q l2)
      end

    function m_mul (m1 m2:mono) : mono =
      { m_pos = (m1.m_pos <-> m2.m_pos); m_prod = cat m1.m_prod m2.m_prod }
    meta rewrite_def function m_mul
    let ghost m_mul_ok (f:int -> mat int) (r k c:int) (m1 m2:mono) : mono
      requires { r >= 0 /\ k >= 0 /\ c >= 0 }
      requires { l_vld f r k m1.m_prod /\ l_vld f k c m2.m_prod }
      ensures { result = m_mul m1 m2 /\ l_vld f r c result.m_prod }
      ensures { m_mdl f result = mul (m_mdl f m1) (m_mdl f m2) }
    = { m_pos = (if m1.m_pos then m2.m_pos else not m2.m_pos);
        m_prod = cat_ok f r k c m1.m_prod m2.m_prod }

    function m_distribute (m:mono) (l:list mono) : list mono = match l with
      | Nil -> Nil
      | Cons x q -> Cons (m_mul m x) (m_distribute m q)
      end
    meta rewrite_def function m_distribute
    let rec ghost m_distribute_ok (f:int -> mat int) (r k c:int)
                                  (m:mono) (l:list mono) : list mono
      requires { r >= 0 /\ k >= 0 /\ c >= 0 }
      requires { l_vld f r k m.m_prod /\ lm_vld f k c l }
      ensures { result = m_distribute m l /\ lm_vld f r c result }
      ensures { lm_mdl f r c result = mul (m_mdl f m) (lm_mdl f k c l) }
      variant { l }
    = match l with
      | Nil -> Nil
      | Cons x q -> Cons (m_mul_ok f r k c m x) (m_distribute_ok f r k c m q)
      end

    function lm_distribute (l1 l2:list mono) : list mono = match l1 with
      | Nil -> Nil
      | Cons x q -> lm_merge Nil (m_distribute x l2) (lm_distribute q l2)
      end
    meta rewrite_def function lm_distribute
    let rec ghost lm_distribute_ok (f:int -> mat int) (r k c:int)
                                   (l1 l2:list mono) : list mono
      requires { r >= 0 /\ k >= 0 /\ c >= 0 }
      requires { lm_vld f r k l1 /\ lm_vld f k c l2 }
      ensures { result = lm_distribute l1 l2 /\ lm_vld f r c result }
      ensures { lm_mdl f r c result = mul (lm_mdl f r k l1) (lm_mdl f k c l2) }
      variant { l1 }
    = match l1 with
      | Nil -> Nil
      | Cons x q ->
        lm_merge_ok f r c Nil (m_distribute_ok f r k c x l2)
                              (lm_distribute_ok f r k c q l2)
      end

    function lm_opp (l:list mono) : list mono = match l with
    | Nil -> Nil
    | Cons x q ->
        lm_merge Nil (Cons { x with m_pos = not x.m_pos } Nil)
                     (lm_opp q)
    end
    meta rewrite_def function lm_opp
    let rec ghost lm_opp_ok (f:int -> mat int) (r c:int)
                            (l:list mono) : list mono
      requires { r >= 0 /\ c >= 0 /\ lm_vld f r c l }
      ensures { result = lm_opp l /\ lm_vld f r c result }
      ensures { lm_mdl f r c result = opp (lm_mdl f r c l) }
      variant { l }
    = match l with
      | Nil -> Nil
      | Cons x q -> let m2 = { x with m_pos = not x.m_pos } in
        lm_merge_ok f r c Nil (Cons m2 Nil) (lm_opp_ok f r c q);
      end

    constant empty : int -> mat int = zero 0
  end

  type env = {
    mutable ev_f : int -> mat int;
    mutable ev_c : int;
  }

  type expr = {
    e_body : list LOCAL.mono;
    e_rows : int;
    e_cols : int;
  }

  predicate (-->) (x y:'a) = [@rewrite] x = y
  meta rewrite_def predicate (-->)

  predicate e_vld (env:env) (e:expr) =
    e.e_rows >= 0 /\ e.e_cols >= 0 /\
    LOCAL.lm_vld env.ev_f e.e_rows e.e_cols e.e_body
  meta rewrite_def predicate e_vld
  function e_mdl (env:env) (e:expr) : mat int =
    LOCAL.lm_mdl_simp env.ev_f e.e_rows e.e_cols e.e_body
  meta rewrite_def function e_mdl

  function extends (f:int -> mat int) (c:int) (v:mat int) : int -> mat int =
    fun n -> if n <> c then f n else v
  lemma extends_rw : forall f c v n.
    extends f c v n = if n <> c then f n else v
  meta rewrite lemma extends_rw

  let ghost symb_env () : env
    ensures { result.ev_c --> 0 }
  = { ev_f = LOCAL.empty; ev_c = 0 }

  function symb_mat (m:mat int) (n:int) : expr =
    { e_rows = m.rows; e_cols = m.cols;
      e_body = Cons { LOCAL.m_pos = true; LOCAL.m_prod = Cons n Nil } Nil }
  meta rewrite_def function symb_mat
  let ghost symb_reg (ghost env:env) (m:mat int) : expr
    writes { env }
    ensures { env.ev_c --> old env.ev_c + 1 }
    ensures { env.ev_f --> extends (old env.ev_f) (old env.ev_c) m }
    ensures { result --> symb_mat m (old env.ev_c) }
    ensures { e_vld env result }
  = let id = env.ev_c in
    env.ev_f <- extends env.ev_f id m; env.ev_c <- id + 1;
    symb_mat m id

  function symb_opp (e:expr) : expr =
    { e_rows = e.e_rows; e_cols = e.e_cols; e_body = LOCAL.lm_opp e.e_body }
  meta rewrite_def function symb_opp

  let ghost symb_opp (env:env) (e:expr) : expr
    requires { e_vld env e }
    ensures { e_vld env result }
    ensures { result --> symb_opp e }
    ensures { e_mdl env result = opp (e_mdl env e) }
  = let (r,c) = (e.e_rows,e.e_cols) in
    LOCAL.lm_mdl_same env.ev_f r c e.e_body;
    let res = { e_rows = r; e_cols = c;
      e_body = LOCAL.lm_opp_ok env.ev_f r c e.e_body } in
    LOCAL.lm_mdl_same env.ev_f r c res.e_body;
    res

  function symb_add (e1 e2:expr) : expr =
    { e_rows = e1.e_rows; e_cols = e1.e_cols;
      e_body = LOCAL.lm_merge Nil e1.e_body e2.e_body }
  meta rewrite_def function symb_add

  let ghost symb_add (env:env) (e1 e2:expr) : expr
    requires { e_vld env e1 /\ e_vld env e2 }
    requires { e1.e_rows = e2.e_rows /\ e1.e_cols = e2.e_cols }
    ensures { e_vld env result }
    ensures { result --> symb_add e1 e2 }
    ensures { e_mdl env result = add (e_mdl env e1) (e_mdl env e2) }
  = let (r,c) = (e1.e_rows, e1.e_cols) in
    LOCAL.lm_mdl_same env.ev_f r c e1.e_body;
    LOCAL.lm_mdl_same env.ev_f r c e2.e_body;
    let res = { e_rows = r; e_cols = c;
        e_body = LOCAL.lm_merge_ok env.ev_f r c Nil e1.e_body e2.e_body } in
    LOCAL.lm_mdl_same env.ev_f r c res.e_body;
    res

  function symb_sub (e1 e2:expr) : expr =
    symb_add e1 (symb_opp e2)
  meta rewrite_def function symb_sub

  let ghost symb_sub (env:env) (e1 e2:expr) : expr
    requires { e_vld env e1 /\ e_vld env e2 }
    requires { e1.e_rows = e2.e_rows /\ e1.e_cols = e2.e_cols }
    ensures { e_vld env result }
    ensures { result --> symb_sub e1 e2 }
    ensures { e_mdl env result = sub (e_mdl env e1) (e_mdl env e2) }
  = symb_add env e1 (symb_opp env e2)

  function symb_mul (e1 e2:expr) : expr =
    { e_rows = e1.e_rows; e_cols = e2.e_cols;
      e_body = LOCAL.lm_distribute e1.e_body e2.e_body }
  meta rewrite_def function symb_mul

  let ghost symb_mul (env:env) (e1 e2:expr) : expr
    requires { e_vld env e1 /\ e_vld env e2 }
    requires { e1.e_cols = e2.e_rows }
    ensures { e_vld env result }
    ensures { result --> symb_mul e1 e2 }
    ensures { e_mdl env result = mul (e_mdl env e1) (e_mdl env e2) }
  = let (r,k,c) = (e1.e_rows,e1.e_cols,e2.e_cols) in
    LOCAL.lm_mdl_same env.ev_f r k e1.e_body;
    LOCAL.lm_mdl_same env.ev_f k c e2.e_body;
    let res = { e_rows = r; e_cols = c;
        e_body = LOCAL.lm_distribute_ok env.ev_f r k c e1.e_body e2.e_body } in
    LOCAL.lm_mdl_same env.ev_f r c res.e_body;
    res

  meta compute_max_steps 0x1000000

  let harness (a11 a12 a22 b11 b21 b22:mat int) : unit
    requires { a11 === a12 === a22 === b11 === b21 === b22 }
    requires { a11.rows = a11.cols }
  = let env = symb_env () in
    let e_a11 = symb_reg env a11 in
    let e_a12 = symb_reg env a12 in
    let e_a22 = symb_reg env a22 in
    let e_b11 = symb_reg env b11 in
    let e_b21 = symb_reg env b21 in
    let e_b22 = symb_reg env b22 in
    let x1 = symb_mul env (symb_add env e_a11 e_a22)
                          (symb_add env e_b11 e_b22) in
    let x4 = symb_mul env e_a22 (symb_sub env e_b21 e_b11) in
    let x5 = symb_mul env (symb_add env e_a11 e_a12) e_b22 in
    let x7 = symb_mul env (symb_sub env e_a12 e_a22)
                          (symb_add env e_b21 e_b22) in
    let m11 = symb_add env (symb_sub env (symb_add env x1 x4) x5) x7 in
    let gm11 = symb_add env (symb_mul env e_a11 e_b11)
                            (symb_mul env e_a12 e_b21) in
    assert { e_mdl env m11 = e_mdl env gm11 }

end
why3-1.6.0/examples/verifythis_2016_matrix_multiplication/matrices_ring_simp/000077500000000000000000000000001440160026300274455ustar00rootroot00000000000000why3-1.6.0/examples/verifythis_2016_matrix_multiplication/matrices_ring_simp/why3session.xml000066400000000000000000000325201440160026300324670ustar00rootroot00000000000000







 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
  
  
   
   
    
    
     
     
     
    
    
   
   
  
  
  
  
  
  
  
   
   
    
    
     
     
     
    
    
   
   
  
  
  
  
  
  
  
  
  
  
  
  
  
   
   
    
    
     
     
     
    
    
   
   
  
  
  
  
  
  
  
   
   
    
    
     
     
     
    
    
   
   
  
  
  
  
  
  
  
   
   
    
    
     
     
     
    
    
   
   
  
  
  
  
  
  
  
  
  
  
  
  
  
   
   
    
    
     
     
     
    
    
   
   
  
  
  
  
  
  
  
   
   
    
    
     
     
     
    
    
   
   
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
   
   
    
    
     
     
     
    
    
   
   
  
  
  
  
  
  
  
   
   
    
    
     
     
     
    
    
   
   
  
  
  
  
  
  
  
  
  
  
  
  
  
   
   
    
    
    
    
   
   
  
  
 
 



why3-1.6.0/examples/verifythis_2016_matrix_multiplication/matrices_ring_simp/why3shapes.gz000066400000000000000000000253771440160026300321230ustar00rootroot00000000000000}[8E9;8,0O|5t54|_ARRrR`0cD0H_/ç.N}ռn87p򫻦әOcwO_.>.;]R/pS*3S
QufgK4P|ST{Zys˭_vySVY@rPFMλWWp񓫞J`RCTʃ\vOÙ9/J7'>$ux:T|z.Ka4MWY75B))(0#S׾RCW;o3ef15dO_7}y_髓_npӑG#b'WgUM|3_<`T= sEɭpI;(:&	˵MK3w']ywwrKy'Y2)J>ތ,$0aA|P0)|nRtJ#Ư#K8Y~,$qxxL	RM'uY@pSlMվTMU_ypZu~k4YxD6;JY$B]:?ugz/5~A޺p̛`WhFifG	kl[`A%%ǔ(4Ttuɐ<i`Hf)tpXT+4W44s!'_xE8YYq`ԭ񔓅[Q9qdhd4ç~NhU딀݄3z:Iˣ)ǖ:6S-7#IMMJ^s`SRX'׭JE?!ŏ9+eyK}yB3>@Aohyev27RW&#DLXקSYw&ѹ_h63}y0ll;m%˟xQ5vF)xuJJ}o,Sa(Xg~E\(܆q)6d!}0'Lt5xAGH^г<.A(
=O,CA'pg59pt\*H(Aјك#	y&PS)nrpmi>WsU&"E3ihݭjQd8
ujh:e>o
#YsJ';H0np/"P_w|z~2`z鮂G/hwEX.͹vmH^i}|1y`02ֲ`Ɩ\g&ˑDHƨҰО3*+ DZb@^Ys]w*t((-SUf\',X>r!JK`Ɏ74z@h[1㶋Xdʻ)ob_Wa(χ *j'75xF@Ue>6Y'.TFu%fqlf`-_	}!cWzxϫ2peSɫ̮#%q	
L6UTMtk(B4Ef|h|%ڣvFRBL;OXiu:;4j½ECHoIA:a
LeO^&E(Yq\4-։g6*(	ݲ|I3w

n&n6+TLq6L/VL|܁+B/d@EW`tRV}ƤJԶKNJaZ{vjsr[!>^K%94$k:I
R
R,[']wt+ܱl
QfXԉ6ۺx.
 	aӤ/8xZ7_;zhJMF𚛃nL\MWM /(}%TDq)6WܦҖ05ZXT_R,]zW"N\=*tkT(%V;93Zj_A4GO"F
E)(vD(XWy1UK8Ò*!nbUn)m,c͓{+ eNYRQ#jl+!{WdK}}*{gEJ5	TFb2+\y}pr)֚khGgKZp24j˙ERr/v.M	b	dMF?RH@@릡0R9.p|}](C~E?{|\p$t1wEIݔ7:?y~,A[J/az2
4Sxiߔ|zof)H,;rܕLt3t&I7\(M	b/~iU6&?7i9O5Ulu_qsnN.(dR0Y4TLiF]5<}X_ZK%pݞ>#qm:AOܐAv$OR9)}̒-1-$A$M}Vh&VEܴ]$֨0T-f~δ"_o=)FJ(osY溴&:mHڴ XZyJ/'B6Op%tKSV{F^F듟Kpyx~x/Y)2y!+\;​.~|ͱDr%ʻd)yiV['HղegJWVc0T=jgYgSiPVjjYq/bF	`1-_2/|ږ9[lW&q6eF)62f2V3㹊hx&%FW@ J
o
yyo5"74.xjN\ju5HxE+6xӔb#LL).-ߗ9t3sY21̞Ag完隵^2Yk*BffvvRG;)Ѯ̧WfܞtgiDJ&wRh@GL*T+q6LYRFy;)c
߄L}2pE9e(S%*|.qa3qCDw⛸=r7$n,qCLbd3fmK'ӬB*Rɺ2RS}o1~RRTvclg]?r0%ei)lxeDJj)_7nuÔ?[X8ouڊPb,TGou"IA4]})ߵາ/k+[8}7Ny뒲WN)ovMNsV`S-NxYϋ}7lg	v3`{w}ipE?cߛ!Wws5Y2o+veHOY(os,):j혦Dbo)ȦDu(VKO.*2N9pp_[__m뫰9@1~Dɫq՗׽K|2/SFE]=wr<%c怃Eu߹sr;'?8^BtˊfܟC<"s3.ʌNDqQrv(`oƇMy4\ M/iΚ'%@F͓2E	wL @g\Dϋ\䀋.6%i5OB#z$3/}iVXq`ŋ
l	
0q?>`l.`_j\p=pML&\nKq+4[;,7	w+{MWar*z()Z֗/uTmkZl'䆲l^X*m.l{
WP,؃_'l=폢w폢I,6GE|VQ)7_zDYŁ-ʦ]bj.6{Wg};$Le]#bsRsPY_mm`*T6piRVޅ1Vc`L1'1Lwe*Kp󫝹Όy8^)ad;VVr~;5v׺`j++lѧb?P^%˄k֬?֔!llUW,FKł;eDԩG~+NӭjSkȮe0R.d$_yѥ(10Zڍvڹ۷_lNJ-}lP9iYi.HgN}{F+D]e4֧pMt[DW=ՊkS7mW+bswXDzsE<ѺhRzRFY#,Q#n?욉a,ߵFX*5rߑ$Xuص;.6W{arNԗCw쿆a5~~qPc_$ģ}mݙݵCfZK{{k+%J)(osɬMNVk>$R
$lCG4lV;VƗ֙AUkdԇ:É9]Pšd8ϊИD4=mZ9)ԨniTyǁz0kf/Gilh9`tDDNLGl:Nvt&qǕiSq;})+
t
'Xͣ46ղR=ȧ2w7gOOyYD3Es{ӄ,J"@ YS#aVW!z-`E,Vk
oj񾅂WbTVx%\T<+[W·$|Js$L.%LWfu>抾j>>}ywsp3u|Vה`HQ2OI[Um"ks׉Q;|JQO*OI5l"P7QrfiVS>+)ٮ)G)GO9Vg^{fH
DGس&g]9I٬-5~n̾a9kyMCt*Ozٷl̾EB_e|m#%||=ڦq>{{(ƀ7x^q(s"ZJcQ$b[;>
Ql	hdߚQqvK5l:Ȯuz\Swd-6#5}@xA(R~-#сXe:6ʛKy#[EIӌVuiYjr'ȉۥ&ue:%sKAH4H$(ph՚Ki7Ĵ$(/N/[4H)Ļ0;NtRt;خ9
,oбm[	HD/F脶5wz-L$f>2ʞmMl
@54	8
%t1`
@`}pF,sj{4X6F7ܗ7'N DA\EXPAVӶӠFNyMo`̣j1+UOy?Z`!7<2Ɉ=3Pe/[5Kr/qi@ћAd
e0A^*d7!zl#\HmxQDFNv\0w$Go1@O3'OV#wx&G㸓5x:P׶
/$-FҴ=HV  0ˍ'00`3r(@9,"0
	-ƿziDckJ1B#uj`I]c˜T҅⠤4`X0xY'}5TOo$c/m#Qpq:'[iI
$n:@tCq\U$Dwhy3-1.6.0/examples/verifythis_2016_matrix_multiplication/naive.mlw000066400000000000000000000031031440160026300254070ustar00rootroot00000000000000module MatrixMultiplication

  use int.Int
  use int.Sum
  use map.Map
  use matrix.Matrix

  function mul_atom (a b: matrix int) (i j: int) : int -> int =
    fun k -> a.elts[i][k] * b.elts[k][j]
  predicate matrix_product (m a b: matrix int) =
    forall i j. 0 <= i < m.rows -> 0 <= j < m.columns ->
      m.elts[i][j] = sum (mul_atom a b i j) 0 a.columns

  let mult_naive (a b: matrix int) : matrix int
    requires { a.columns = b.rows }
    ensures { result.rows = a.rows /\ result.columns = b.columns }
    ensures { matrix_product result a b }
  = let rs = make (rows a) (columns b) 0 in
    for i = 0 to a.rows - 1 do
      invariant { forall i0 j0. i <= i0 < rows a /\ 0 <= j0 < columns b ->
        rs.elts[i0][j0] = 0 }
      invariant { forall i0 j0. 0 <= i0 < i /\ 0 <= j0 < columns b ->
        rs.elts[i0][j0] = sum (mul_atom a b i0 j0) 0 a.columns }
      label M in
      for k = 0 to rows b - 1 do
        invariant { forall i0 j0. 0 <= i0 < rows a /\ 0 <= j0 < columns b ->
          i0 <> i -> rs.elts[i0][j0] = (rs at M).elts[i0][j0] }
        invariant { forall j0. 0 <= j0 < columns b ->
          rs.elts[i][j0] = sum (mul_atom a b i j0) 0 k }
        label I in
        for j = 0 to columns b - 1 do
          invariant { forall i0 j0. 0 <= i0 < rows a /\ 0 <= j0 < columns b ->
            (i0 <> i \/ j0 >= j) -> rs.elts[i0][j0] = (rs at I).elts[i0][j0] }
          invariant { forall j0. 0 <= j0 < j ->
             rs.elts[i][j0] = sum (mul_atom a b i j0) 0 (k+1) }
          set rs i j (get rs i j + get a i k * get b k j)
        done;
      done;
    done;
    rs


endwhy3-1.6.0/examples/verifythis_2016_matrix_multiplication/naive/000077500000000000000000000000001440160026300246715ustar00rootroot00000000000000why3-1.6.0/examples/verifythis_2016_matrix_multiplication/naive/why3session.xml000066400000000000000000000101441440160026300277110ustar00rootroot00000000000000






 
 
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
 
 



why3-1.6.0/examples/verifythis_2016_matrix_multiplication/naive/why3shapes.gz000066400000000000000000000057631440160026300273440ustar00rootroot00000000000000[]oݸ}ׯHΐF ^JPN?CRH^vmıhsp8_~9~_ۻ__; &v.7裸͇ξ:>}kwuOvA
\&F?Z.o&FEbm)7'_K[/k[r6Sbj7OO/^ӧG@]Hv*qA00>׶f`PKݿ쫁2oXjb&~d-Y}EfQ!)ыUwaaB	ZA`4@6
ޤ8Hx[oQG'zM *8B>iPOlţO,U;lmW.߅#J {"0^`	<xkU)!6/QWium'g%dcM> +tyICb(
1&NXl3mOO"jKB@25RMXj5P)GMA)lj
AMaSS^jT4SNU}bNjA"mAja6VN ?&m7_b7K+0wvHHHKG
9#H֑HH)H"dC!%H`	_zH!Т!-Hԫ#6(#$ެaeue[AqkBEHA?Gqa%L;FqT߷>gLlK\!ԏU,llbEXHcni-Ilras2[
śbY*'bĮX)8Ru>m(VnX2HMB$3Ț20QB$/8qzہ={dV칟?G̤CEOHfڛ~![2Rf,ퟣQfҞ^2[fyTԑ Rf41*2rZf|q)3^ʰEL:vx3,espBxR;#	G'^i
q3%wdtZm>/pлqr9ރ)jR+ kyN.@J'4Z,ŷ,OnG|1@?}/Y+`W#i'~ɟ?)O(	z݈8 >iߟtm96Cyk7W]
.x>~阯Zub_epcۇM{+w'M6Yv}/v{Mxwbi56/ev`a=N~-zL6lUE9gXs)liu2wj2FzdzWy+YN3]ϴL0l{8}ZsȌ@Yi&ȸPފnQܘ%3yBhiLX0^΁6[4%pN/H#`K-eE8fGNq\bI-{i`hgyV3\$Ar#-YFzQFX?ivF4DegoM7+g`J	Ge)
ҿy-Kd*MD	gKVn{-rZ,O6XtFknht+\F!Ñݴ[&]H4xȉOF%k빞d4*`(D'2տ
XmY$y\&9Fr1+!8|v"hC;JFujGpC8g2Gslfdin&/1

%kyEhB\$
5(3/Jkтfc󼸃ڰZfsj$s^#gGhTgvF=kGgH#0cF3Fu_ܱ^=Ewhy3-1.6.0/examples/verifythis_2016_matrix_multiplication/strassen.mlw000066400000000000000000000402711440160026300261560ustar00rootroot00000000000000module MatrixMultiplication

  use int.Int
  use int.Sum
  use ref.Ref
  use map.Map
  use import matrices.Matrix as F
  use matrices.MatrixArithmetic
  use matrices.BlockMul
  use matrices_ring_simp.Symb
  use matrix.Matrix

  let blit (src tar: matrix 'a) (src_r tar_r dr src_c tar_c dc: int) : unit
    requires { 0 <= src_r <= src_r + dr <= src.rows }
    requires { 0 <= src_c <= src_c + dc <= src.columns }
    requires { 0 <= tar_r <= tar_r + dr <= tar.rows }
    requires { 0 <= tar_c <= tar_c + dc <= tar.columns }
    ensures  { forall i j. tar_r <= i < tar_r + dr -> tar_c <= j < tar_c + dc ->
      tar.elts[i][j] = src.elts[i + (src_r - tar_r)][j + (src_c - tar_c)] }
    ensures  { forall i j. 0 <= i < tar.rows -> 0 <= j < tar.columns ->
           not (tar_r <= i < tar_r + dr /\ tar_c <= j < tar_c + dc) ->
                tar.elts[i][j] = (old tar).elts[i][j] }
  =
   label I in
   for i = tar_r to tar_r + dr - 1 do
     invariant { forall i j. 0 <= i < tar.rows -> 0 <= j < tar.columns ->
                 not (tar_r <= i < tar_r + dr /\ tar_c <= j < tar_c + dc) ->
                 tar.elts[i][j] = (tar at I).elts[i][j] }
     invariant { forall i' j'. tar_r <= i' < i -> tar_c <= j' < tar_c + dc ->
                 tar.elts[i'][j'] =
                 src.elts[i' + (src_r - tar_r)][j' + (src_c - tar_c)] }
     label L in
     for j = tar_c to tar_c + dc - 1 do
       invariant { forall i' j'. 0 <= i' < tar.rows -> 0 <= j' < tar.columns ->
                   (i' <> i \/ not (tar_c <= j' < tar_c + dc)) ->
                   tar.elts[i'][j'] = (tar at L).elts[i'][j']}
       invariant { forall j'. tar_c <= j' < j -> tar.elts[i][j'] =
                   src.elts[i + (src_r - tar_r)][j' + (src_c - tar_c)] }
       set tar i j (get src (i + (src_r - tar_r)) (j + (src_c - tar_c)))
     done;
   done

  let ghost function mdl (m: matrix 'a) : mat {'a} =
    create m.rows m.columns m.elts

  type with_symb = {
    phy : matrix int;
    ghost sym : expr;
  }

  predicate with_symb_vld (env:env) (ws:with_symb) =
    e_mdl env ws.sym = ws.phy.mdl /\ e_vld env ws.sym /\
    ws.sym.e_rows = ws.phy.mdl.F.rows /\
    ws.sym.e_cols = ws.phy.mdl.F.cols
  meta rewrite_def predicate with_symb_vld

  let block (a: matrix int) (r dr c dc: int) : matrix int
    requires { 0 <= r <= r + dr <= a.mdl.F.rows }
    requires { 0 <= c <= c + dc <= a.mdl.F.cols }
    ensures  { result.mdl = block a.mdl r dr c dc }
    ensures  { result.mdl.F.rows = dr /\ result.mdl.F.cols = dc }
  = let res = make dr dc 0 in
    blit a res r 0 dr c 0 dc;
    assert { res.mdl == block a.mdl r dr c dc };
    res

  let block_ws (ghost env:env) (a:matrix int) (r dr c dc: int) : with_symb
    requires { 0 <= r <= r + dr <= a.mdl.F.rows }
    requires { 0 <= c <= c + dc <= a.mdl.F.cols }
    ensures { let rm = result.phy.mdl in
      rm = block a.mdl r dr c dc /\ rm.F.rows = dr /\ rm.F.cols = dc }
    ensures { result.sym --> symb_mat result.phy.mdl (old env.ev_c) }
    ensures { env.ev_f --> extends (old env.ev_f) (old env.ev_c) result.phy.mdl }
    ensures { env.ev_c --> old env.ev_c + 1 }
    ensures { with_symb_vld env result }
  = let m = block a r dr c dc in
    { phy = m;
      sym = ghost symb_reg env m.mdl }

  let add (a b: matrix int) : matrix int
    requires { a.mdl === b.mdl }
    ensures  { result.mdl = add a.mdl b.mdl }
    ensures  { result.mdl === a.mdl }
  = let res = make a.rows a.columns 0 in
    for i = 0 to a.rows - 1 do
      invariant { forall i' j'. 0 <= i' < i -> 0 <= j' < a.columns ->
                   res.elts[i'][j'] = a.elts[i'][j'] + b.elts[i'][j'] }
      label L in
      for j = 0 to a.columns - 1 do
        invariant { forall i' j'. 0 <= i' < i -> 0 <= j' < a.columns ->
                      res.elts[i'][j'] = (res at L).elts[i'][j'] }
        invariant { forall j'.  0 <= j' < j ->
                      res.elts[i][j'] = a.elts[i][j'] + b.elts[i][j'] }
        set res i j (get a i j + get b i j)
      done;
    done;
    assert { res.mdl == add a.mdl b.mdl };
    res

  let add_ws (ghost env:env) (a b:with_symb) : with_symb
    requires { a.phy.mdl === b.phy.mdl }
    requires { with_symb_vld env a /\ with_symb_vld env b }
    ensures { result.phy.mdl = add a.phy.mdl b.phy.mdl }
    ensures { result.sym --> symb_add a.sym b.sym }
    ensures { with_symb_vld env result }
  = { phy = add a.phy b.phy;
      sym = ghost symb_add env a.sym b.sym }

  let sub (a b: matrix int): matrix int
    requires { a.mdl === b.mdl }
    ensures  { result.mdl = sub a.mdl b.mdl }
    ensures  { result.mdl === a.mdl}
   = let res = make a.rows a.columns 0 in
    for i = 0 to a.rows - 1 do
      invariant { forall i' j'. 0 <= i' < i -> 0 <= j' < a.columns ->
                   res.elts[i'][j'] = a.elts[i'][j'] - b.elts[i'][j'] }
      label L in
      for j = 0 to a.columns - 1 do
        invariant { forall i' j'. 0 <= i' < i -> 0 <= j' < a.columns ->
                      res.elts[i'][j'] = (res at L).elts[i'][j'] }
        invariant { forall j'.  0 <= j' < j ->
                      res.elts[i][j'] = a.elts[i][j'] - b.elts[i][j'] }
        set res i j (get a i j - get b i j)
      done;
    done;
    assert { res.mdl == sub a.mdl b.mdl };
    res

  let sub_ws (ghost env:env) (a b:with_symb) : with_symb
    requires { a.phy.mdl === b.phy.mdl }
    requires { with_symb_vld env a /\ with_symb_vld env b }
    ensures { result.phy.mdl = sub a.phy.mdl b.phy.mdl }
    ensures { result.sym --> symb_sub a.sym b.sym }
    ensures { with_symb_vld env result }
  = { phy = sub a.phy b.phy;
      sym = ghost symb_sub env a.sym b.sym }

  let mult_ijk (a b:matrix int) : matrix int
    requires { a.mdl.F.cols = b.mdl.F.rows }
    ensures { result.mdl.F.rows = a.mdl.F.rows }
    ensures { result.mdl.F.cols = b.mdl.F.cols }
    ensures { result.mdl = mul a.mdl b.mdl }
  = let r = rows a in
    let c = columns b in
    let m = rows b in
    let rs = make r c 0 in
    for i = 0 to r - 1 do
      invariant { forall i0 j0. 0 <= i0 < i /\ 0 <= j0 < c ->
        rs.elts[i0][j0] = mul_cell a.mdl b.mdl i0 j0 }
      invariant { forall i0 j0. i <= i0 < r /\ 0 <= j0 < c ->
                    rs.elts[i0][j0] = 0 }
      label M in
      for j = 0 to c - 1 do
        invariant { forall i0 j0.
          0 <= i0 < r /\ 0 <= j0 < c /\ (i0 <> i \/ j0 >= j) ->
            rs.elts[i0][j0] = (rs at M).elts[i0][j0] }
        invariant { forall j0. 0 <= j0 < j ->
                      rs.elts[i][j0] = mul_cell a.mdl b.mdl i j0 }
        label I in
        for k = 0 to m - 1 do
          invariant { forall i0 j0. 0 <= i0 < r /\ 0 <= j0 < c /\
                        (i0 <> i \/ j0 <> j) ->
                           rs.elts[i0][j0] = (rs at I).elts[i0][j0] }
          invariant { rs.elts[i][j] = sum (mul_atom a.mdl b.mdl i j) 0 k }
          set rs i j (get rs i j + get a i k * get b k j)
        done
      done;
    done;
    assert { rs.mdl == mul a.mdl b.mdl };
    rs

 let mult_ikj (a b:matrix int) : matrix int
    requires { a.mdl.F.cols = b.mdl.F.rows }
    ensures { result.mdl.F.rows = a.mdl.F.rows }
    ensures { result.mdl.F.cols = b.mdl.F.cols }
    ensures { result.mdl = mul a.mdl b.mdl }
  = let r = rows a in
    let c = columns b in
    let m = rows b in
    let rs = make r c 0 in
    for i = 0 to r - 1 do
      invariant { forall i0 j0. 0 <= i0 < i /\ 0 <= j0 < c ->
                    rs.elts[i0][j0] = mul_cell a.mdl b.mdl i0 j0 }
      invariant { forall i0 j0. i <= i0 < r /\ 0 <= j0 < c ->
                    rs.elts[i0][j0] = 0 }
      label M in
      for k = 0 to m - 1 do
        invariant { forall i0 j0. 0 <= i0 < r /\ 0 <= j0 < c /\ i0 <> i ->
                      rs.elts[i0][j0] = (rs at M).elts[i0][j0] }
        invariant { forall j0. 0 <= j0 < c ->
                      rs.elts[i][j0] = sum (mul_atom a.mdl b.mdl i j0) 0 k }
        label I in
        for j = 0 to c - 1 do
          invariant { forall i0 j0.
            0 <= i0 < r /\ 0 <= j0 < c /\ (i0 <> i \/ j0 >= j) ->
              rs.elts[i0][j0] = (rs at I).elts[i0][j0] }
          invariant { forall j0. 0 <= j0 < j ->
              rs.elts[i][j0] = sum (mul_atom a.mdl b.mdl i j0) 0 (k+1) }
          set rs i j (get rs i j + get a i k * get b k j)
        done;
      done;
    done;
    assert { rs.mdl == mul a.mdl b.mdl };
    rs

  let assoc_proof (a b c:matrix int) : unit
    requires { a.mdl.F.cols = b.mdl.F.rows /\ b.mdl.F.cols = c.mdl.F.rows }
  = let ab = mult_ikj a b in
    let bc = mult_ikj b c in
    let ab_c = mult_ikj ab c in
    let a_bc = mult_ikj a bc in
    assert { ab_c.mdl = a_bc.mdl };
    assert { ab_c.rows = a_bc.rows && ab_c.columns = a_bc.columns &&
      forall i j. 0 <= i < ab_c.rows /\ 0 <= j < ab_c.columns ->
        ab_c.elts[i][j] = F.get ab_c.mdl i j = a_bc.elts[i][j] }

  let mul_naive (a b: matrix int)
    requires { a.mdl.F.cols = b.mdl.F.rows }
    ensures { result.mdl.F.rows = a.mdl.F.rows }
    ensures { result.mdl.F.cols = b.mdl.F.cols }
    ensures { result.mdl = mul a.mdl b.mdl }
  = mult_ijk a b

  let ghost double_block (a:matrix int) (r1 dr1 c1 dc1 r2 dr2 c2 dc2:int) : unit
    requires { 0 <= r1 <= r1 + dr1 <= a.mdl.F.rows }
    requires { 0 <= c1 <= c1 + dc1 <= a.mdl.F.cols }
    requires { 0 <= r2 <= r2 + dr2 <= dr1 }
    requires { 0 <= c2 <= c2 + dc2 <= dc1 }
    ensures { block (block a.mdl r1 dr1 c1 dc1) r2 dr2 c2 dc2 =
      block a.mdl (r1+r2) dr2 (c1+c2) dc2 }
    (* ensures { F.cols (block a.mdl r1 dr1 c1 dc1) = dc1 } *)
    (* ensures { F.rows (block a.mdl r1 dr1 c1 dc1) = dr1 } *)
  = assert { block (block a.mdl r1 dr1 c1 dc1) r2 dr2 c2 dc2 ==
      block a.mdl (r1+r2) dr2 (c1+c2) dc2 }

  let padding (a: matrix int) (r c: int) : matrix int
    requires { a.mdl.F.rows <= r }
    requires { a.mdl.F.cols <= c }
    ensures  { result.mdl.F.rows = r }
    ensures  { result.mdl.F.cols = c }
    ensures  { a.mdl = block result.mdl 0 a.mdl.F.rows 0 a.mdl.F.cols }
    ensures  { let dr = (r - a.mdl.F.rows) in
               zero dr a.mdl.F.cols =
               block result.mdl a.mdl.F.rows dr 0 a.mdl.F.cols }
    ensures  { let dc = (c - a.mdl.F.cols) in
               zero a.mdl.F.rows dc =
               block result.mdl 0 a.mdl.F.rows a.mdl.F.cols dc }
  = let res = make r c 0 in
    let nr = a.rows in
    let nc = a.columns in
    blit a res 0 0 nr 0 0 nc;
    assert { let dc = c - nc in zero nr dc == block res.mdl 0 nr nc dc };
    assert { let dr = r - nr in zero dr nc == block res.mdl nr dr 0 nc };
    assert {                         a.mdl == block res.mdl 0  nr 0 nc };
    res


  use int.EuclideanDivision
  use number.Parity

  let rec strassen (a b: matrix int) (ghost flag:int) : matrix int
    requires { a.mdl.F.cols = b.mdl.F.rows }
    requires { flag >= 0 }
    requires { flag = 0 ->
      a.mdl.F.rows = 1 \/ a.mdl.F.cols = 1 \/ b.mdl.F.cols = 1 \/
      (even a.mdl.F.rows /\ even a.mdl.F.cols /\ even b.mdl.F.cols) }
    ensures { result.mdl = mul a.mdl b.mdl }
    ensures { result.mdl.F.rows = a.mdl.F.rows }
    ensures { result.mdl.F.cols = b.mdl.F.cols }
    variant { a.mdl.F.rows + a.mdl.F.cols + b.mdl.F.cols + 3 * flag, flag }
  = let cut_off = begin ensures { result >= 1 } 42 end in
    let (rw, md, cl)= (a.rows, a.columns, b.columns) in
    assert { rw = a.mdl.F.rows /\ md = a.mdl.F.cols /\ cl = b.mdl.F.cols };
    if rw <= cut_off || md <= cut_off || cl <= cut_off
    then mul_naive a b else
    let div2 (n: int) : (int,int)
      requires { 0 <= n }
      returns { (q,r) -> n = 2 * q + r /\ 0 <= r <= 1 /\ n + r = 2 * (q+r) }
    = (div n 2,mod n 2) in
    let (qr, rr) = div2 rw in
    let (qm, rm) = div2 md in
    let (qc, rc) = div2 cl in
    if rr <> 0 || rm <> 0 || rc <> 0
    then begin (* Padding *)
      let (rw', md', cl') = (rw + rr, md + rm, cl + rc) in
      let ap = padding a rw' md' in
      let bp = padding b md' cl' in
      let m  = strassen ap bp 0 in
      ghost (double_block ap 0 rw  0 md' 0  rw 0  md;
             double_block ap 0 rw  0 md' 0  rw md rm;
             double_block bp 0 md' 0 cl  0  md 0  cl;
             double_block bp 0 md' 0 cl  md rm 0  cl);
      assert { c_blocks (block ap.mdl 0 rw  0 md') a.mdl (zero rw rm) };
      assert { r_blocks (block bp.mdl 0 md' 0 cl ) b.mdl (zero rm cl) };
      block m 0 rw 0 cl
    end else begin
      (* Regular Strassen multiplication *)
      let ghost gm   = mul_naive a b in
      let ghost gm11 = block gm 0 qr 0 qc in
      let ghost gm12 = block gm 0 qr qc qc in
      let ghost gm21 = block gm qr qr 0 qc in
      let ghost gm22 = block gm qr qr qc qc in
      let (m11, m12, m21, m22) = begin
        ensures { let (m11, m12, m21, m22) = result in
              mdl m11 = mdl gm11 /\ mdl m12 = mdl gm12 /\
              mdl m21 = mdl gm21 /\ mdl m22 = mdl gm22 }
        let ghost e = symb_env () in
        let mul_ws (a b: with_symb) : with_symb
          requires { with_symb_vld e a /\ with_symb_vld e b }
          requires { a.phy.mdl.F.rows = qr /\ a.phy.mdl.F.cols = qm }
          requires { b.phy.mdl.F.rows = qm /\ b.phy.mdl.F.cols = qc }
          ensures { with_symb_vld e result }
          ensures { result.phy.mdl = mul a.phy.mdl b.phy.mdl }
          ensures { result.sym --> symb_mul a.sym b.sym }
        = let ghost flag = if qr = 1 || qm = 1 || qc = 1 then 0 else 1 in
          let r = strassen a.phy b.phy flag in
          { phy = r; sym = ghost symb_mul e a.sym b.sym }
        in
        (* a blocks *)
        let a11 = block_ws e a 0 qr 0 qm in
        let a12 = block_ws e a 0 qr qm qm in
        let a21 = block_ws e a qr qr 0 qm in
        let a22 = block_ws e a qr qr qm qm in
        ghost (double_block a 0 qr 0 md 0 qr 0 qm;
               double_block a 0 qr 0 md 0 qr qm qm;
               double_block a qr qr 0 md 0 qr 0 qm;
               double_block a qr qr 0 md 0 qr qm qm);
        assert { c_blocks (block a.mdl 0 qr 0 md) a11.phy.mdl a12.phy.mdl };
        assert { c_blocks (block a.mdl qr qr 0 md) a21.phy.mdl a22.phy.mdl };
        (* b blocks *)
        let b11 = block_ws e b 0 qm 0 qc in let b12 = block_ws e b 0 qm qc qc in
        let b21 = block_ws e b qm qm 0 qc in let b22 = block_ws e b qm qm qc qc in
        ghost (double_block b 0 md 0 qc 0 qm 0 qc;
               double_block b 0 md 0 qc qm qm 0 qc;
               double_block b 0 md qc qc 0 qm 0 qc;
               double_block b 0 md qc qc qm qm 0 qc);
        assert { r_blocks (block b.mdl 0 md 0 qc) b11.phy.mdl b21.phy.mdl };
        assert { r_blocks (block b.mdl 0 md qc qc) b12.phy.mdl b22.phy.mdl };
        let ghost egm11 = (add_ws e (mul_ws a11 b11) (mul_ws a12 b21)).sym in
        let ghost egm21 = (add_ws e (mul_ws a21 b11) (mul_ws a22 b21)).sym in
        let ghost egm12 = (add_ws e (mul_ws a11 b12) (mul_ws a12 b22)).sym in
        let ghost egm22 = (add_ws e (mul_ws a21 b12) (mul_ws a22 b22)).sym in
        assert { gm11.mdl = e_mdl e egm11 /\ gm21.mdl = e_mdl e egm21 };
        assert { gm12.mdl = e_mdl e egm12 /\ gm22.mdl = e_mdl e egm22 };
        (* x1 ... x7 *)
        let x1  = mul_ws (add_ws e a11 a22) (add_ws e b11 b22) in
        let x2  = mul_ws (add_ws e a21 a22) b11 in
        let x3  = mul_ws a11 (sub_ws e b12 b22) in
        let x4  = mul_ws a22 (sub_ws e b21 b11) in
        let x5  = mul_ws (add_ws e a11 a12) b22 in
        let x6  = mul_ws (sub_ws e a21 a11) (add_ws e b11 b12) in
        let x7  = mul_ws (sub_ws e a12 a22) (add_ws e b21 b22) in
        (* m11 ... m22 *)
        let m11 = add_ws e (sub_ws e (add_ws e x1 x4) x5) x7 in
        let m12 = add_ws e x3 x5 in
        let m21 = add_ws e x2 x4 in
        let m22 = add_ws e (add_ws e (sub_ws e x1 x2) x3) x6 in
        assert { e_mdl e m11.sym = e_mdl e egm11 /\
                 e_mdl e m12.sym = e_mdl e egm12 /\
                 e_mdl e m21.sym = e_mdl e egm21 /\
                 e_mdl e m22.sym = e_mdl e egm22 };
        (m11.phy, m12.phy, m21.phy, m22.phy)
      end in
      let res = make a.rows b.columns 0 in
      blit m11 res 0 0 qr 0 0 qc;
      blit m12 res 0 0 qr 0 qc qc;
      blit m21 res 0 qr qr 0 0 qc;
      blit m22 res 0 qr qr 0 qc qc;
      assert { res.mdl == gm.mdl by
              forall i j. 0 <= i < rw -> 0 <= j < cl ->
              res.elts[i][j] = F.get gm.mdl i j by
              if i < qr then
                if j < qc then res.elts[i][j] = F.get m11.mdl i j
                else res.elts[i][j] = F.get m12.mdl i (j - qc)
              else
                if j < qc then res.elts[i][j] = F.get m21.mdl (i - qr) j
                else res.elts[i][j] = F.get m22.mdl (i - qr) (j - qc) };
      res
    end

endwhy3-1.6.0/examples/verifythis_2016_matrix_multiplication/strassen/000077500000000000000000000000001440160026300254315ustar00rootroot00000000000000why3-1.6.0/examples/verifythis_2016_matrix_multiplication/strassen/why3session.xml000066400000000000000000001762361440160026300304700ustar00rootroot00000000000000














 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
 
 
 
 
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
 
 
 
 
 
 
 
 
 
 
 
 
 
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
 
 
 
 
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
   
   
    
    
     
     
     
    
    
   
   
  
  
  
  
  
  
  
  
  
  
   
   
    
    
     
     
     
    
    
   
   
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
   
   
    
    
     
     
     
    
    
   
   
  
  
  
  
  
  
  
  
  
  
   
   
    
    
     
     
     
    
    
   
   
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
   
   
    
    
     
     
     
    
    
   
   
  
  
  
  
  
  
  
  
  
  
   
   
    
    
     
     
     
    
    
   
   
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
   
   
    
    
     
     
     
    
    
   
   
  
  
  
  
  
  
  
  
  
  
   
   
    
    
     
     
     
    
    
   
   
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
   
   
    
    
     
     
     
    
    
   
   
  
  
  
  
  
  
  
   
   
    
    
     
     
     
    
    
   
   
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
   
   
    
    
     
     
     
    
    
   
   
  
  
  
  
   
   
   
   
   
    
    
     
     
      
      
      
     
     
    
    
   
   
  
  
  
  
  
  
  
  
  
  
  
  
  
   
   
    
    
     
     
     
    
    
   
   
  
  
  
  
   
   
    
    
     
     
      
      
      
     
     
    
    
   
   
   
   
   
  
  
  
  
  
  
  
  
  
  
  
  
  
   
   
    
    
     
     
     
    
    
   
   
  
  
  
  
   
   
    
    
     
     
      
      
      
     
     
    
    
   
   
   
   
   
  
  
  
  
  
  
  
  
  
  
  
  
  
   
   
    
    
     
     
     
    
    
   
   
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
   
   
    
    
     
     
     
    
    
   
   
  
  
  
  
  
  
  
   
   
    
    
     
     
     
    
    
   
   
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
   
   
    
    
     
     
     
    
    
   
   
  
  
  
  
  
  
  
   
   
    
    
     
     
     
    
    
   
   
  
  
  
  
  
  
  
  
  
  
  
  
  
   
   
   
   
   
   
   
   
   
  
  
  
  
  
  
  
  
  
  
  
  
  
   
   
    
    
     
     
     
    
    
   
   
   
   
   
   
   
   
  
  
  
  
  
  
  
   
   
   
   
   
    
    
     
     
     
    
    
   
   
   
   
   
  
  
  
  
  
  
  
   
   
   
   
   
   
   
   
   
  
  
  
  
  
  
  
  
  
  
  
  
  
   
   
    
    
     
     
     
    
    
   
   
   
   
   
   
   
   
  
  
  
  
  
  
  
   
   
   
   
   
   
   
   
   
  
  
  
  
  
  
  
   
   
    
    
    
    
   
   
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
  
  
  
  
  
  
  
  
  
  
  
 
 



why3-1.6.0/examples/verifythis_2016_matrix_multiplication/strassen/why3shapes.gz000066400000000000000000001026241440160026300300760ustar00rootroot00000000000000[6.cԁ؅)B6$rVrmZן )u&flWJ#w_Ow?ݷ4j~뽹j~ye=P(M(}{^t<	wT^_5?{՚g53{4k_IbCvE_4Oyv{^E~Jjd\߄ 0$:m=89	/qIoȒpL*g2\̕˨rVjj'{s2#(j@s%dx<
:jyx<п'4p2=9£P݇p/{	{@@OWcjIpn/G
f	$Q};< wDM$?7fjqrxAzv9`n9s3J,qs:	f&̓~PSߺ{Qs~:^@	fQ7e*j.W&	?:/yֱ;&9TO\3naBЌPz'ə]=~T{{.y3BjGEUtxxl0pLk7UbǫlPߓTL_/ǿ:ߛ	, QeՀTaz;nCaO?aL_rK1³TGuWџ~RМfsv-:Z]Fkr3ZghUϏ?_~~{Edh2Z睉֎WIh=bC}
@kGTL0hG\˓僛nJAzK~\wtv]su#k AX_9OhrdiqV绻?}˧oW2Z8cFne6hG>Ϧ~S	o{_Κ	C
>ࣹ#<f:ca;Y 8vX':w~{ww|u9EaρpsΩ|]C@7#-`-)I1:JçGM֝=eop
	NRn%s-I4lÚel
ֻ/Pj@9zOp܈Sy`^WVXIyJ|NmcnK9P4+`ɐgR	
ԓ t\䲄ٞ\׽`̜fr1f)en)C4GyJgdbQB02%s~gY-|U#
n#yJCJ9wK1OCu	.W"MW"GP礇p!£Brh9Ȅ16'|P2M%(9:.[*08rsxBwP<æޗ?y^}~.S9fv\?}vq]ffƘ69-"ɌUq.媘{~E:uEuĢhf¤i&F='X^zfјp`s"/ĢvϢ]fQ9^A̢,dG\EGa05
v~jf=%".YcR%XI'$8	xq9ab
Ǯ1U`j𧙍[u񩈷'euZBjv%3\Y}(Ttƾ(b8˰yVBk_rC.(TA3JrFZy[)f}\.'Ih=HlGQg7w8h&8CsNfr$I:	o8JX?a\G#'<1^60;v q+$u 9HQ/UeB>;v)Ir$I ec7)긨Ӊ#Hg&9!EI򢐲~ )q>ǀ1Rƃs.)."q@{k9Hz+Į[&)n8Y
yç]psfM/K+%~P/Jr"AaSb5# 8Fc|13?k#ظQ9H4/\M9n
ѿlP>M%(8/A۶uy(*f	_"1,=#J]	{aw{h
lÈ2;ۦлۭv.Z5Z~
WxqӸ_>|j~F<89l<3`izi̒G= w#r:\F|(?{f{rʁR}؛)͓'O2"mJD{}SShJ-6OQ5mJMc1,q'.o~>8nXY6uFz>ߛOntÿ{a6~=wlQ5 7aۛkV3)c*ޫ=
p㎑bi:~?*aC+kqYm<F(F!jIHg^
Sa_̜
^32=7co^n7?[c QbF2:W?gX
:SVF_[7n%Eszхyϰ2f/ҥĢˁТ>]j^t-N{#Jzq;ќFa!ыnn
M4In6
'/ 	EЄC?`0zXPFHU-=S(Ť1OQ
I
#%9beMuY񉨮a`9DH(P ǀ.Qt#y9jH9.,xXҕ׿Y]aOÊ፹4MXB{x(-[L@IuIK&F'6\`7ܡޤ$Ût?QnDu&T^z
כ^0YZzɶpdLO	bZJ n
\(p"&E|S@D'W( Q@⍁9WNl.}3WO[?ׅ_?>]ТEAW/h(Q0`cD?ځ_/h((QPijDD1_.|]w_ZV@E7ۏD( bFN^ 
@=x@|dx Hmῦpv?h4(PQ{sF(0b
Do vM}%dmkYxx*
3'vLWF7td^-Qƛ4@**
Tx+P1GV:gۇ(bd1X4PE3+|AZD+
\Q@ehp

Fq

D*h (40@4bZU3>?b4HB-$lɎ[b@
Tĺa|4h @.M
:4Bh(PCCP}*Ѕʭy7B$Oongw<1c99%N562P:z]Xԛe)b]1
{&z}}]s,̹9=Ad{4?f.\?Nhx5.N
3"UΠ^/]+
.\x3͞L31SCm#+|(Pea{0`q	iGzj(;\XHgߜգQ9?{Qq<#_@1SYOd;qŅRKlSW!2{ˊzxuOӷnۏ}>셅:vϿ|GWM3eŒ	[D%m]-~Tq$;$(HPCĺTغ UbNBHu8q
|/0s{S܈9^?.'>|v]0{a/
<\(Pp]Fd7p^A3ƣ_9?\N=ź2%(SlQ0.\
\\vM$&H0
5M8>qBd^YW߱Y\TL3D7(XQmaY!^Ylzqt/oo=P>|ޏq$_*HgU#c1!+ȫ
RH5\pO7cu,)E;^Qr&/|	[Ë	&V[K:ak=:Yu=bIeAU6(XQ`͸ڌuWX&eLDi#T3ߝF0QQq!T)bTQSE{Qz FAo1:PК(6qIh^l&mrF#ldЈiD܌)_q{(JRL
z
J05*`)`Դ~#@A)^RDˆo
F(F1":9y@Do"ΰ8$NsN`Va؅?a(HQ +A(Q0{`_o(0Q`[370Vĕua܅`] EAOo(Q0`ī(Q @Oac37.]xF)
R|gHY
H( qAx)_&
L|O0k$eg
sm[b=Wyhy0$n
n(&p#:lpEo,&,`:gw@+
V!1錘bxMO;Nt^u	C%sXC5bF=T䊦͝+wHdA\QX#7D)LA+quaZY
}54^5`0fZuYLfWfxx!tݿ4jqԔ{x^.Nœx-_/N✨':ǎ9kz{q ⪦jdI3͵tU_Xo~~49#klĮPP_^s~ĭ\"3cܳ=|붮OWi;Ty{_~ۻȧ_8.wݳߛrw=7ۏnC<44-,Q^6"HQ$(ClD$IUYf&Tc^sGdY
edɳΑdWi;{#Y*r%yN"KHY{,ޜ$SCQ^tE8
<g䧑% #,Tc^sG9Y
a-9g.O钑xs^EĄ)4`u^<,4d2q3iĉG)qƼx犏)ʈc&1SvqsjE)4lu$sxȶ3KB4BZHY=$J,8@-}"̐j!GvA	Poc\
h)5]T1r=?uRZvKh׫	i4g94uzWSɳʹmƼx犏hg#iSvj'OIjm..D6NuRZ-MfaHqs:hKmDz1/޹#m60mbu]P*mg/n(?Ҧ q3WZJhALf/NQK\'і@in&@87f81Ei+>!3o(#N_'$3WZJhALv/NQ׸N8#uՁz&EӵDغ_YXS@
-?ГXI|c)3JʠK|%sq|hBfY˦hbhn0'kqH6S%$~&\e?9Hc8S%NhQX.
8(MږO^ۖ}~E#%<#%kږOVmُsқٺ3n⿲׺פAzѪ
&XʎHR-EZI5*	MRrp%(wIDv0uQ
Rn	~}J[%M)miܩhN,^9Xd4e1E/G#&gręS=WǜYEP$(r$x^ftIU`⣼tu&'IjԐ[Hj!jt`׳GEN
V2|NF)*B"jJK*JO!إ2WE%Wpʇ`5yQє NшS48Eo6ׄv?)-5?+Z 3Anif7sDy7}ㇰoľaF}#?!{9⤀E,VEWIa*6-$w~<
 [ !|A&]tpm,=tڜwx5]}iNj?~x5l1^ͼX`붵ƫti6d,Ow]_j
XgZQetg\>^~Hj`%5QI+j\ExQZaQDkJOFH*- E,-
nXS\#5qNS:ū͖Wk:ĺu,o[tz!%n[SjԘOkOOܶ>p\l8"mb=+.Ud8KY[OvS2W!9O/sjmܴ`qcfXS
JD(iJ{,6=u^r
*=Γ=R,%/D	=2BlAI5z0-0J4q]Q0|<,
Xbc,嫠-PEW
EUb,[TD4MlQEU.ZToO#F͞;ojAEr-gS3lK*jߟBh0[0ӡlk0[lrl[4*g|[MrLtWnLɑh095ɬICwL,7_z5k5uXun|جiX*3b͆,^[8x
/^M%_3Cғ,^/]E!OOV	'ݾfrvNϧ*\#;ӷ~N>/'uϼ}MbL5| h6M]wX9KvL$whirQrD+XĢ'^VO|k.
\xpۇ+>\-
ZjHc٬EG!@,50*
TxcP+|BE	1uFvVP;kyՃ5M|B_1>$OFz<	Z-:!VgNYvB\dž"4
eG,aP6Vqwc9BzV:-yKg1oQdTQ;0\XE_Qܥ+k:1pJt<ɏj;炶1wXv66F>"ʹV
ND]68v6FbӅicL%q,8Um	o[FG={xۙ_nvV$/]FF=Um,x
gIVp)Em#;>4W 5S)y^q
.=Q"1sUJa֦i0fxHD=Ml!R!rccj+hQТ+GGŸ(QFfg5ΊnE'37	[wY{zƇ5k	lINOLz.a>(o%֍1oιrnA[v/,wcGn2F#.xy㫹ooc^6͆F
Ccv77:TcNO	;jenpSCnpBŞ7uj>9Xk$;7)Ίy]"MgƼܲ7q~r5EҚђ|lQ]Eo
X(`qo,
Xx`"b3M $Z,-	Iɵ.P1$(PQAp
LbqZ3Rb~*q.	\X)R`R2o/iuS @F71 7
8pxZ;j3Q}GQ9kk;}G-;j}G׎F_;?ySQrs;j=	Y9.p(
F`c6@0+i0rxuD	UHzg,Vc31Qwը]e1#IG-xQ-R>,\0\I)_=Zj&ξ=	|;ƚBcFJ
u>L(]EsJ!l)Df ,h9&{%<; O"IDȍ6u\/-}OMKSs\/r-Jb^N:ox@r<>ŗմe5-rYM`=K=O~0/u5u5DRtE2)wcj.ef\/tgr(`݌ }s
Tf7iSZ2E
'B]B`B1єG+!F#hdk/5gF*
G(*:Dld^Pb+Fb{FVr V~~jD?JSO;
vxIH즼J즙?MyutT"ӶM*uUm	My즼vS(Mi)P;N\f
*ux04pJldi{D^&g{#:oM/ĨEtνv$CxmW*w'O
<d"Qy.
\vp&d3
fn@щwlÏ#=rf!1fA^sİsfY)wrNqS~xNmzKovᇂΝAi~%]uR{ۓUdNi~Ӝh:S<7^u4Ź=Z{Ph7,=KEŧ%1g+tO,dQLjENWgu#~ӼƘq1Zj{vV6*jFر?c;0.`֢3V4q)sft9,:,]CT0&/ށa.Kg1O4y86_@^{B6m-86\ՋIOs/&)߁Dt=YT%5ڮu^1&qfHdD+ma@MzGz=Ѩy4f4stG&L㺀G/	ᄐ٣=5oԼ5ѼɟؼivW:s77W/e:
2ob,m,ܥ
WB&fu~[(ݢehRWMC
<0dzȲpG_=%z
TB{f5pXX*b=DžrG ?wĩ$Z'+q䍋(wDR,$
,d6?QiQXH"B.XdmbL
5ǙXy`[%WZ]UKbHrB E!t]@2QM\(p^(xz"
xJFV(`Q5EY#:1h-r Z5- @A/=:Gq$~A=O8qZggp	\xHsϣyM9r`Ü3حDȁJ\>0\>zKnHxMti%oa7AX*R7AS+[^g'nKŲbxؖb:5[=8LKUSZ*TyRg^C<⧦
Wg!$J.X	toPg^:vӥ7Ac9:8y6WksӢP~<;81_:8"9j|="#{(3_*
[&@&Oy]Gs^Q^\(oALUa*6y,C;>?5g?uw_힌eX[;	^b95[2RY>Qri/smr$Tvr?'v{D.pT}-1嶦]nEƉ橴*~ɜu=Р9_MkWkB!t'3RLP.(`Q5uCgn.
\xpcʆfUDYBW#c&+ːF3'EY.P !@|xNa=:p/&N맵)=qt5xދh^d͒\N~jw{w7HN~:'tOgoLƫU`"/W:SNZjC侏*햬m~t}0-#-5]OH,;8vt96lm!$gϞ픻\#n9=#
#MU	JOB%9 \GĒHV(~jɐMis
L|}_;t/khiI%BB=iySˢ\
*۽L?˧ivsb4|A]a	N^I$3EeF;ؓ9uL׹Kv/3{{q=`,^nrnY}=1pvv/I>*U8#/s9=nh/sN7nї;=[^
vN[E+EPEDڄ.ݣӢPq*"WDZ""t3AAnL|۽Dfz{}j^/;D_a֑8RQHu•UX.jWQju
(cC:E4(Pp-BS)K[EW=ˏ(pQUE{Y{(]=1N\(P   >ZGgHo8i'Nmq3,8_:{|ke4L{|/r^b{.q|y:t.rO:WBFiԛ-iԛ4dh|0Q8um(NHy%,Q'ZL{r=|^$o#ky/Q|OX|='ӌgYVY9k:Zt]R*"w%*k$*hE|k+/16=&/e'zi20y'O.'&/?và/
^f @Y4Eo.X[p)eQbIYW@/cO1_m
ÇFˑܸ3wϜH!Uxn:ű(Z_űSqY8BS8v|Hn8X|URމyJU=y7購Lܖȼ,zMHT RTS
JG}[}-3tvE8:M,Ԓ'?
~~̄s~4f곍1S
-;M۫1S2BZYՔ2cL356f-LqJ10+T(6fjʘYrzf9,JBRQ~$Hω!"ik,ggPOʥgH|E]ck,-X4ivV"k,fEj
z3rlve6VoLX
 P.q	yƦ
lkBX9NQ*V!+i UٚPDxdX9/b"ܻEE4yٚD^8u.
*lT66I5&¥"ME-}{j)S˕I
1qDAC$D.R @e %db5̬VE7TdBFxL(QnJmījX'ft1ː׻@/7ɭفxlVKU-\H`lx[IwFNO~]K]DղIȍtБ
A:;G6wz?'>mƎuJH<0pӤv˜I@{:#G
~:mzv(.>-u{%1juμsov(u:k
Q4Pz:˹'ޱEi0Fr
1;UǨ4
Dxh67[n`mԬyhLn(6n`mo`%Z$ܜA<0ӶQip4PbvF~2oC#`^*C=4ZC] ZL
rc@; 686V^M)2gA8%gǧ)ٜϕ'(ؐV^K@KOBш, ЊY[Ģ6,N@K.qNS'į
Ta88yQ۵a5
Bye$@u)b)fA@р!	I,<&eXԉ4 ?
~(~fYa-4cZLq*gmhFS
i-gU_L4mfҴؤi4-jǩ&MR8|GIR&MhZT3SϒJ	!"D0OTD0OPnxEځQ?JTTx0慇-\%3nlj7DEfU<)ID+{C
QYzw,*ʏ?\n@?0E?Dx eR,
Xx`V8'Dt"$扔R\) R@ Ys-c8 |MfX!.'ϋ[ S-W6W+|^z[gkP&Sv·Խ·
-,~f*Tr8 2n{o2e݋Oa_X)G,4NgQ:!Vip	:Kgtz)E3'dݖ9A+4c]lj{ücJ-n+f,ق.b@51R/`@=R`cB^["-ǫ9"b
>hF)r] @HCj(`QՃJzYIBYaz$=
ѣ`H!J%X
Y/`Qk*Y5}r-8S?ܼEvE}$_spȎ8>oq>-oP[.LVRo-V|q>u!3(6M?yzz?m\'k/$mx$>{cx/.ŗJnT6+˵x$%os_*yK]*yx$"AxrYnbn*;PI+9+r)F6Y9

V+%E:;F-("FNLq
FzWl@zI;0Xv!*QA
nɝ2Y*h.*0if
td&V1
*="bmdN:yI2V]%2Nk2=AAb(bxyFI8%O(Q"@$"cW-G(Z
!C
YW	h*HP6&?>OeǕ=<_[jVOг&4	z~y-uyDYsOЩg'T0ywy\N[Uل,,Mɨlb0oVCfpGY'8ّ5Rә1#Ԟ{պuvh@&R:RVRөӁkgfk:p]A۽sG-4}!r$JZRԼ*݁:/>wUOqh&n/0jF;\;C5RK3N9}ʽUFbT0NmP{kqTEgxX^8{ୣ1mI==ao[6"GNj2%[wb{Su1렑N1|tSXvoًbxR'|z𤚟x=N)#W}*0NDVC.C
]vͯrKUIff[q7?A!	uZt6>bjT6ߡ
oAUx^+De]5UuUy]U\WUqxr;7uq5vqϾʹ=я=w&||
>_p}qx6`u^=C`@Y1xaOi+_:W/epslo\Pz֡ؔ}v}=D]P]Nǡ"=W52a[$`9UW٫{P\ƅW:+IanA'O[C\-}u4{i;`_؝/(=O'Zu;v^v&el.
\1ȄH)@Q
JH@`X(`"~4.=y~{~M(;q߄=goટI?}#u,b71H
G#h8P*)WrhXΨx9
*}D`E+r;.(XQucE0;fTĴsΟH~rfRhe'_
#aƥGnb3K9̑ %G).›t|!)#qI3w_K̤ڣFhCyKڣf4CK.㒞Z˙X4"`Q#ipIаpɣV3.iLDbX۫V(X񺱂,
X^ Xt(xQ]lr `D;Tm Z޳G5DgQ"Rd)i,,nK-D))GuS$K(SU(3CFd9?fRڴmS8Qcod1a^t:XD]0G2iV+dZ!$ݧ#djh$]o?/oKw3Së `6?
((P֠`~(PP`@kG;#:&
#!lc
<xOzUAJL
[*lZw}A?٠Xbe!ӸLFl~0[:?=f8GGl1[XG	[L[i‘iDt< Y6%j -F&GlQapBDl!POl!Fl~yQ[eglGl!1[h	[-L!k30e'm~yWԑ 5PR
rW^
G6n^48с}wF|`/C6BF((?@C
ov^!jV!]@lW(r{⡷c0lW(+hlW1A *0Z	x(	YL,#@!P[>GLpC}*:UE=AMw`%PrG\1t [F"U;tM7J(&x;[SQ1m[v)فw77VV׺;4xT{<0%j-w7j7\vlk;[8P1[4U֭h4MmcŴp~lXǎw==;x5Uo۪+TŠ~)+hKz'oR|t*Su՜c۲N]BaFkL53iCߘީ`+!
:p1Bb ZCUkc1}͏P0p_i{mr[3.C%ھa>b1	,;VwjuhUm0vv,`T/͡9G[UuSaя4]_U}Չ3"j.}׿7.vJn+،,ֿiALa@@%Tdoa7iX,:ga wM;eHXޱ^goVT`{CVQ(ŭRtНv 1#uJjX&
Dm|1m{L+|8;ȚIK;]W$k+d:qñ>*`#lR/HInhKuBenacV pAh	_]\rAt	Ky8pEe9z0m3wLus5Pw^-r
%źǶU
5-cU6Ug@p‚`
3Y8[4T:+Z0t7Zc^'RV
TNpSkCW7`:Xl-x'%I5]}<6 uv @;VS
 Q	S@:Sb 6®&@`mm
vY^jRoAQnD`u`ghw`JXhkhv(AX >Z4HsӂB:L]۝nP
[ y Z
`@A>qvk+;VTw>0+crlQ:~$$#A40;a(q@_$c*Fae]%;:
0
&E(`Y0* Jâçug&021Ȳ6.[:X8M\
kٝM\˜@8!څ
hMNu@٨MoA;[̝gXvH*}@*рw?h0p8VX3}tun,5XZ4aG;w@;4Tv\1[5P@ 8$-EkĨLك܂TOB
=k@M8Nu@t;圔J`rXK@Ӱ{W
ZVi@2qp]y0i!Z?[AfQSPnȃtm;p @<
:u% 0@0X8üFH]^j-)!yg/`%KTg	,h2-T"8qT@/ٵ3 Gukuu(
L/zXXW&U<?H0R	_UNeo@p^5ZEuGE3q{d};@W-c뤴X1sM'{\S`z,{57HaA;{ ,t
T8Q{Sn`u|2	b1Sy+lɀN<6V:KWeTb
C0 vh- lc`
d Thd	آB9`+pǁDucV`f1#ctxa;'RwGos0ٗU2nx6Ań͕>(m
N(a߅!B?AVc"ꌰ0FA2 Pr
02öuTǠ# p]v7`IGN>S
AŮ.`Azj	Z6H, r  um/lÜB]CI
3hr;$	(!0bPKmN$:Խ*5@
G	j캝(I9ˆ
i@g )	(ˁR
jC 3FC?CwoATC庁#;126h$: (G[H,rG4xsP^@)E$0^Prؤ*`p
AffAz_.x
-Pǡ4]u
{.^2K(gA]jQn[7Ajgr_K
!p	T/g_{=Ps{taVmm
0m9kaWӃ	]CsELuhPNv@#ARDolS 
Iq+
RS';:K@y")`
TG@:i@ J AX:;rUú9wr{H	)sUN3zz0b%1}waZ[ )tgr~-`bp
4hJ4nNıU-yzPAjw*S̽q2P
S98I9#v]D;eweɒ6?N1G 	okp=O?3&SkiU2#\"wP9k‹!0GpHhE(@`tщ苷@J bqb{|b(8!zc뚾oqj*Y
͡E
v8ÛLw$D9w=~3kk".>}>(nN() VNXo@rϚ/1?":WqH/ܻ(R0TqG^1, \gAVTho޵܇l0w02X-t.v? @ĥC#./W'rǭC F=dUƫq^E<ᓓۊw(>3/J%(bDĂ$@Ddc荫~P-p`:֊o㪸s•*hvvvv`3v;qY
v;NaS)v
;(>E`'	섫y	v\E++\]



22>닰c;deeee%%%.W..|$%إ,/c[S'C
[pvdܕ`%9I9mgxf% F?)vΠw9]v6Eì"%*g4.[|SE@5
п`u];8#\|s	7Ve}xרO>p]@brpmA[g]աSa$ghNTAt'xՉFv7;KR^E|+{Ȋ߇!};{;9
fohe?tqW>Mɑ&|qqyPỢj_Wj~kp581qE&ron*3]rr-uƹWkN	z]'")%}[A
V_Uy}anOMt܂\+ϛcU/Ļ}S`I{C~x[B8WT%Hbrak"
Tb8K&ulp~@TlQƔ#}]9!wV+E]H+fvY Td)_1.N1>?Kc;+Gո{{k}iLb)bz=ts1YTòq-:L~uDٱ.'Vx∜FTо X#*CttgI9`r:c}-E>
g(s=sJXn*2`lc;y_U>}'K'HxCy,kY0Kh&ޗR67DT
f8_4@軩ܾ`$O~rIehEӼ.YW\ܴgw&rT<{(Lt):t­e):'Y@&mu$}21j:gj̩Lr,J}I0(FiLǝ>b/u3iW`|%
,X}*tu32
Hs<ә/NqSO3")j:a."YKa-><(<0O(:QH{ŧN1y)LqRwMIׯׯ~_ectKLQn:4Qj!z	V+4c@nQäl$	fH]kB﯅g.M[?
6ued)W%V>ntn۪9aYځ)Np
w.=ͩuNkمCۿ2p5#Zԋ՟혮vjR'f;հ6ۺ9>dm(.Ⱥv~jr,ծ:{GRL
Y/ `D3ng̎h>/Җۻ(;һ}sR92SΪ=|?)I=wViW2ƭh_?n
TnⴲG~+5XM!',=9~ҽӮǙ:[N^i6ēXr|Y{ 
RQB0|n:E?+Xc>q+251߲AΝ5*1oj
}ߏ'L=fhmlչ7M?WiRS/敏A(4kŊ`Sd
quX  
: +2)v'ɛ>Ͷmg,&Z,?SXv:Rko&|TGAe"ϵSZm쾳H,ޱMKV~Wƅ1S$.f|26f,,W|d=/݋ ="m}t沘1ise2>p|H7-e}XF29V޲<,J4槳VXa]bx;^/YXNep'	0>Iouw~*T
>?v[{ɪpSx[*q}wlLL]7;,V?˼_E8:ٵc0ܦ۴}r'ѿc,?7aJNᛅݥ9m!c+%QĉsiS׮A\mE_ڌQ>rVP&9+A;g0MEwc]ReV[)Qׯ.(*2MohOzx;{nXgDK$vA{TSpb-´FҷNO x
Jxo⳸4E
k/ֽXo:B\ƻ14_@e]MoǼno,:Og Dn
?vaPٖs^[biK9=l W 	MjqǶNdb6wthb9u3Kt[]?v	 <\8;9ϊwS,,_!N+
"÷ܫM;Ƶʋ/zXg0>{{{Vl4C-}l{@gMb={kUkg2y4o8˚-N` I)X|ws
2`69t]ny>ൠ',6(.WW/օNl[c!u>dHp>>]O3KݭIpC%;2Áߐp1}ꚕǫ$=@1mJ;m9s2;|PyL"5g[Zlk;~Ri8va.^7\18sm) ;w=L6UT\eqӧnaD	0Ma#ahdn7ơUvh)@5z@
Ms#RQ9Bγ/VO	8[, +J%9f*=0%e1%V.{r[R:de=]hkgnqh9\8_/~7ya(X~+4Uѱs:0N[̀dFAHz)>`"?kzQg&ۓ}pm;'A?hbMxGc236D־\'0W8kN%V7٢務)+[?Huij\,;ʂ`0`iWo0[p櫶(VK9f2d5`b:nע++"Q;P4CV^Zsݾמ”ޜ]UJ{+6hґY
і1Cm{{!;l,{愾?w/^끬'#@)L|8heοiE腇Qrhkع<wb+ht.%הk6#3ǀYC|V{nqu+Uqjwװ>[<ivQن0
]IW٦gS:31A/ ``k-2|OBJ;*WVZVISND8k*@5ikg[N[ħO݅Y~4fwhy3-1.6.0/examples/verifythis_2016_matrix_multiplication/sum_extended.mlw000066400000000000000000000024301440160026300267730ustar00rootroot00000000000000module Sum_extended

  use int.Int
  use int.Sum

  function addf (f g:int -> int) : int -> int = fun x -> f x + g x

  function smulf (f:int -> int) (l:int) : int -> int = fun x -> l * f x

  let rec lemma sum_mult (f:int -> int) (a b l:int) : unit
    ensures { sum (smulf f l) a b = l * sum f a b }
    variant { b - a }
  = if b > a then sum_mult f a (b-1) l


  let rec lemma sum_add (f g:int -> int) (a b:int) : unit
    ensures { sum (addf f g) a b = sum f a b + sum g a b }
    variant { b - a }
  = if b > a then sum_add f g a (b-1)


  function sumf (f:int -> int -> int) (a b:int) : int -> int = fun x -> sum (f x) a b

  let rec lemma fubini (f1 f2: int -> int -> int) (a b c d: int) : unit
    requires { forall x y. a <= x < b /\ c <= y < d -> f1 x y = f2 y x }
    ensures  { sum (sumf f1 c d) a b = sum (sumf f2 a b) c d }
    variant  { b - a }
  = if b <= a
    then assert { forall x. sumf f2 a b x = 0 }
    else begin
      fubini f1 f2 a (b-1) c d;
      assert { let ha = addf (sumf f2 a (b-1)) (f1 (b-1)) in
        sum (sumf f2 a b) c d = sum ha c d
        by forall y. c <= y < d -> sumf f2 a b y = ha y }
    end

   let ghost sum_ext (f g: int -> int) (a b: int) : unit
     requires {forall i. a <= i < b -> f i = g i }
     ensures  { sum f a b  = sum g a b }
   = ()

end
why3-1.6.0/examples/verifythis_2016_matrix_multiplication/sum_extended/000077500000000000000000000000001440160026300262535ustar00rootroot00000000000000why3-1.6.0/examples/verifythis_2016_matrix_multiplication/sum_extended/why3session.xml000066400000000000000000000033651440160026300313020ustar00rootroot00000000000000






 
 
 
 
 
 
 
 
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
 
 
 
 
 



why3-1.6.0/examples/verifythis_2016_matrix_multiplication/sum_extended/why3shapes.gz000066400000000000000000000015341440160026300307160ustar00rootroot00000000000000UM7W̱ݢH}"FcеH"j 
<ޠ?floh9'=~2va?>Lw*]= 0YloHL`_iTg3ֻ`gvqߎ%ux*k
wx8ߜ&LALPm]W{֟~_Ҕ`&e4,;Xqn
T *Il̡:ɻmmxomnh]W`rqXGnTB8`?w2rjUQsKjn=PLC<ñ%JbE̯9r _9/%xPCO{ꜙk5?oTPٵ&V'nJB)sᙚm/+k:*?_{W/+2O(C4\{g|M1N@P:A%:N:fzjg6狇Kmj66xq9̱qav\Ud\V&XM\u0	ݺҦ]Eq~
b/W+O9doوVuЋU" = 3Lu=G#2YMkɁPƸTҀBt7
HZ2HMܺ.Y툨$K!Ν]rZz3h
e
e@IHv=M*ir^\bgM6$ov&ũsCRIH/u9>b)	gV7w{p=؆P*
why3-1.6.0/examples/verifythis_2016_tree_traversal.mlw000066400000000000000000000611431440160026300227160ustar00rootroot00000000000000
(**

{1 VerifyThis @ ETAPS 2016 competition, Challenge 2: Binary Tree Traversal}

{h

The following is the original description of the verification task,
reproduced verbatim from
the competition web site


    
Challenge 2: Binary Tree Traversal

Consider a binary tree:

  class Tree {
    Tree left, right, parent;
    bool mark;
  }

We are given a binary tree with the following properties:
It is well formed, in the sense that following a child pointer (left or right) and then following a parent pointer brings us to the original node. Moreover, the parent pointer of the root is null.
It has at least one node, and each node has 0 or 2 children.
We do not know the initial value of the mark fields.

Our goal is to set all mark fields to true. The algorithm below (Morris 1979) works in time linear in the number of nodes, as usual, but uses only a constant amount of extra space.

  void markTree(Tree root) {
    Tree x, y;
    x = root;
    do {
          x.mark = true;
          if (x.left == null && x.right == null) {
                  y = x.parent;
          } else {
                y = x.left;
                x.left = x.right;
                x.right = x.parent;
                x.parent = y;
          }
          x = y;
    } while (x != null);
  }

Tasks. Prove that:
upon termination of the algorithm, all mark fields are set
the tree shape does not change
the code does not crash, and
the code terminates.

As a bonus, prove that the nodes are visited in depth-first order

    }

The following is a solution by Martin Clochard (Université Paris-Sud)
who entered the competition.

*)

(** Component-as-array memory model with null pointers. *)
module Memory

  use map.Map
  (** `loc` is the type of memory locations (e.g pointers) *)
  type loc
  val predicate eq (x y:loc) ensures { result <-> x = y }
  (** Kinds of pointer fields. *)
  type kind = Parent | Left | Right
  (** Convenience alias for a pointer field table. *)
  type pmem = map kind (map loc loc)
  type memory = abstract {
    mutable accessor : pmem;
    mutable mark : map loc bool;
  }
  (** `memo` represent memory. *)
  val memo : memory
  (** the memory model has a `null` pointer. *)
  constant null : loc
  val null () : loc ensures { result = null }
  val is_null (l:loc) : bool ensures { result <-> l = null }
  (** Memory getter & setters. non-null preconditions to
      check absence of null pointer access. *)
  val get_mark (l:loc) : bool
    requires { l <> null }
    reads { memo }
    ensures { result = memo.mark[l] }
  val set_mark (l:loc) (b:bool) : unit
    requires { l <> null }
    writes { memo.mark }
    ensures { memo.mark = (old memo).mark[l <- b] }
  val get_acc (p:kind) (l:loc) : loc
    requires { l <> null }
    reads { memo }
    ensures { result = memo.accessor[p][l] }
  val set_acc (p:kind) (l d:loc) : unit
    requires { l <> null }
    writes { memo.accessor }
    ensures { memo.accessor =
      (old memo).accessor[p <- (old memo).accessor[p][l <- d]] }
  (** Ghost global accessors. Those are technical tools
      to create ghost witnesses of past states. *)
  val ghost get_all_accs () : pmem
    reads { memo }
    ensures { result = memo.accessor }
  val ghost get_all_marks () : map loc bool
    reads { memo }
    ensures { result = memo.mark }

  (** Non-deterministic initialization. In the original alorithm,
      the variable y starts uninitialized. *)
  type non_det_magic
  type non_det = abstract { mutable non_det_field : non_det_magic }
  val non_det : non_det
  val anyloc () : loc writes { non_det }

end

(** In module `TreeShape` we describe the correlation between
    the memory and the binary tree model. We also gives
    elements of the algorithm specification, and prove
    some frame/separation properties. *)
module TreeShape

  use int.Int
  use set.Set
  use map.Map
  use bintree.Tree
  use bintree.Size
  use Memory

  (** The described structure can be modeled as a tree of locations *)
  type treel = tree loc

  (** `is_tree memo t c p` describe the fact that `c` points to
      a well-formed tree modeled by `t`, whose root parent node is `p`.  *)
  predicate is_tree (memo:pmem) (t:treel) (c p:loc) = match t with
    | Empty -> c = null
    | Node l m r -> c <> null /\ c = m /\ memo[Parent][c] = p /\
      let cl = memo[Left][c] in
      let cr = memo[Right][c] in
      (cl = null <-> cr = null) /\
      is_tree memo l cl c /\ is_tree memo r cr c
    end

  (** `footprint t` is the memory footprint of `t`, e.g the set of
      locations occuring in the tree. *)
  function footprint (t:treel) : set loc = match t with
    | Empty -> empty
    | Node l m r -> add m (union (footprint l) (footprint r))
    end

  (** `ext s memo1 memo2` mean that the pointer fields associated to
      locations in set `s` are identical in memo1 and memo2. *)
  predicate ext (s:set loc) (memo1 memo2:pmem) =
    forall k x. mem x s -> memo1[k][x] = memo2[k][x]
  (** `unchanged memo1 memo2` mean that all pointer fields in
      `memo1` and `memo2` are identical. *)
  predicate unchanged (memo1 memo2:pmem) =
    forall k x. memo1[k][x] = memo2[k][x]
  (** `was_marked t memo1 memo2` mean that `memo2` is the update
      of `memo1` obtained by marking all elements in `t`. *)
  predicate was_marked (t:treel) (memo1 memo2:map loc bool) =
    (forall l. mem l (footprint t) -> memo2[l]) /\
    (forall l. not mem l (footprint t) -> memo2[l] = memo1[l])

  (** General extensionality property. *)
  let rec ghost ext_set (s:set loc) (memo1 memo2:pmem)
                                    (t:treel) (c p:loc) : unit
    requires { ext s memo1 memo2 }
    requires { subset (footprint t) s }
    requires { is_tree memo1 t c p }
    ensures { is_tree memo2 t c p }
    variant { t }
  = let ghost rc = ext_set s memo1 memo2 in
    match t with
    | Empty -> ()
    | Node l _ r -> rc l (memo1[Left][c]) c; rc r (memo1[Right][c]) c
    end

  (** Specialized for our use case. *)
  let ghost ext_cur (memo1:pmem) (t:treel) (c p:loc) : unit
    reads { memo }
    requires { ext (footprint t) memo1 memo.accessor }
    requires { is_tree memo1 t c p }
    ensures { is_tree memo.accessor t c p }
  = ext_set (footprint t) memo1 (get_all_accs ()) t c p

  (** The tree model corresponding to a given pointer is unique. *)
  let rec ghost unicity (memo:pmem) (t1 t2:treel) (c p1 p2:loc) : unit
    requires { is_tree memo t1 c p1 /\ is_tree memo t2 c p2 }
    ensures { t1 = t2 }
    variant { t1 }
  = match t1, t2 with
    | Empty, Empty -> ()
    | Empty, _ | _, Empty -> absurd
    | Node l1 _ r1, Node l2 _ r2 ->
        unicity memo l1 l2 (memo[Left][c]) c c;
        unicity memo r1 r2 (memo[Right][c]) c c
    end

  (** In a non-empty well formed tree, the top pointer
      cannot occur in the child subtree. Otherwise,
      their would be an infinite branch in the tree,
      which is impossible in our inductive tree setting. *)
  let ghost not_below (memo:pmem) (lf rg:treel) (c p:loc) : unit
    requires { is_tree memo (Node lf c rg) c p }
    ensures { not mem c (footprint lf) /\ not mem c (footprint rg) }
  = let t0 = Node lf c rg in
    let rec aux (t:treel) (c2 p2:loc) : unit
      requires { size t < size t0 }
      requires { is_tree memo t c2 p2 }
      ensures { not mem c (footprint t) }
      variant { t }
    = match t with
      | Empty -> ()
      | Node l _ r ->
        if eq c2 c then (unicity memo t t0 c p2 p;absurd);
        aux l (memo[Left][c2]) c2; aux r (memo[Right][c2]) c2
      end in
    aux lf (memo[Left][c]) c; aux rg (memo[Right][c]) c

  (** Algorithm phases.
      `GoLeft` mean that the algorithm will try to explore the left
        subtree
      `GoRight` mean that the algorithm will explore the right subtree
      `GoBack` mean that the algorithm will go back to the parent node
      `Finish` mean that the alogrithm will exit *)
  type phase =
    | GoLeft
    | GoRight
    | GoBack
    | Finish

  function next_phase (ph:phase) : phase =
    match ph with
    | GoLeft -> GoRight
    | GoRight -> GoBack
    | GoBack -> GoLeft
    | Finish -> Finish
    end
  (** `rotated memo1 memo2 ph c` describe how `c` is rotated in
      `memo2` with respect to its initial position in `memo1` for
      current phase `ph`. In final phase, it is not rotated but
      null instead. *)
  predicate rotated (memo1 memo2:pmem) (ph:phase) (c:loc) =
    (forall k x. x <> c -> memo1[k][x] = memo2[k][x]) /\
    (ph <> Finish -> c <> null) /\
    match ph with
    | GoLeft -> unchanged memo1 memo2
    | GoRight -> memo2[Left][c] = memo1[Right][c] /\
        memo2[Right][c] = memo1[Parent][c] /\
        memo2[Parent][c] = memo1[Left][c]
    | GoBack -> memo1[Left][c] = memo2[Right][c] /\
        memo1[Right][c] = memo2[Parent][c] /\
        memo1[Parent][c] = memo2[Left][c]
    | Finish -> c = null
    end

end

(** In this module, we prove the algorithm by modifying
    the code to put it in recursive form. We justify that
    our limited usage of recursion makes the code equivalent
    to the one proposed in the challenge. *)
module Recursive

  use map.Map
  use bintree.Tree
  use ref.Ref
  use Memory
  use TreeShape

  (** Recursion-based proof of the algorithm.
      The principal idea is the following: in its recursive
      fashion, the algorithm is a standard tree traversal
      (which is easy to prove correct).
      Hence we nest the algorithm inside a recursive procedure
      to link it with its recursive version. However,
      the obtained algorithm does not really need the call stack
      to run. Here is how we achieve this:
      - We create a non-recursive sub-routine `bloc` corresponding to
        one turn of the while loop in the challenge's code.
        It uses an exception to simulate exit.
        Also, this sub-routine does not have any non-ghost argument,
        so calling `bloc` really amounts to advancing in the loop execution.
      - We forbids use of any side-effect in the recursive procedure
        except those obtained by calling `bloc`. Hence calling
        the recursive procedure is equivalent to run a certain
        amounts of turns in the loop execution.
        Note that since we will prove that the recursive procedure
        terminates, it might not run a finite amount of turns and diverges
        afterward.
      - After the topmost call to the recursive procedure,
        we add an infinite loop who only calls `bloc` at every turns.
        This call and the loop are enclosed in an exception catching
        construction to detect loop termination.
      Hence it is justifiable that the algorithm with
      the recursive procedure is equivalent (in the sense that
      they have the same side-effects) as an infinite loop of `bloc` calls,
      encapsulated in an exception catching expression. And this
      algorithm is evidently equivalent to the original challenge code.
    *)

  exception Stop

  let markTree (ghost t:treel) (root:loc) : unit
    (* Requires a well-formed non-empty tree *)
    requires { is_tree memo.accessor t root null /\ root <> null }
    writes { memo, non_det }
    (* Tree shape is unchanged *)
    ensures { is_tree memo.accessor t root null }
    ensures { unchanged (old memo).accessor memo.accessor }
    (* All nodes are marked. *)
    ensures { was_marked t (old memo).mark memo.mark }
  = let x = ref (anyloc ()) in (* ==> Tree x, y *)
    let y = ref (anyloc ()) in
    x := root; (* ==> x = root *)
    let entered = ref false in
    (* ^ Used to encode the do { .. } while() loop as a while() {..}.
       Iterations will set the flag. *)
    let ghost z = ref (null ()) in (* Store previously explored node. *)
    (* Loop body. `mem0` is memory state at start of recursive call,
       `ph` is phase. *)
    let bloc (ghost mem0:pmem) (ghost ph:phase) : unit
      (* current node `!x` is rotated correctly with
         respect to the phase. *)
      requires { rotated mem0 memo.accessor ph !x }
      requires { ph = Finish -> !entered }
      writes { memo, x, y, z, entered }
      (* Caracterise `x` and `z` reference updates. *)
      ensures { !z = !(old x) /\ !x = memo.accessor[Parent][!z] }
      (* `Finish` phase never ends normally *)
      ensures { ph <> Finish /\ !entered }
      (* Node is marked, and other nodes do not change. *)
      ensures { memo.mark[!z] }
      ensures { forall l. l <> !z -> memo.mark[l] = (old memo).mark[l] }
      (* Describe phase shift. *)
      ensures {
        if (old memo).accessor[Left][!z] = null
           = (old memo).accessor[Right][!z]
        then memo.accessor = (old memo).accessor
        else rotated mem0 memo.accessor (next_phase ph) !z }
      (* In `Finish` phase, the code throws `Stop` without changing
         anything. *)
      raises { Stop -> ph = Finish /\ memo = old memo }
    = if !entered && is_null !x then raise Stop; (* ==> do { BODY         *)
      entered := true;                           (*  } while (x != null); *)
      (ghost z := !x);
      set_mark !x true; (* ==> x.mark = true; *)
      if is_null (get_acc Left !x) && is_null (get_acc Right !x)
         (* ==> if (x.left = null && x.right == null) { *)
      then y := get_acc Parent !x (* ==> y = x.parent *)
      else begin (* ==> } else { *)
        y := get_acc Left !x; (* ==> y = x.left; *)
        set_acc Left !x (get_acc Right !x); (* ==> x.left = x.right; *)
        set_acc Right !x (get_acc Parent !x); (* ==> x.right = x.parent; *)
        set_acc Parent !x !y; (* ==> x.parent = y; *)
      end; (* ==> } *)
      x := !y (* ==> x = y; *)
    in
    (* 'Recursive proof', corresponding to the
        expected depth-first traversal. *)
    let rec aux (ghost t:treel) : unit
      requires { !x <> null }
      requires { is_tree memo.accessor t !x !z }
      writes { memo, x, y, z, entered }
      ensures { unchanged (old memo).accessor memo.accessor }
      ensures { !x = old !z /\ !z = old !x }
      ensures { was_marked t (old memo).mark memo.mark }
      ensures { !entered }
      raises { Stop -> false }
      variant { t }
    = let ghost mem0 = get_all_accs () in
      let ghost _c = !x in
      let _lf = get_acc Left !x in
      let _rg = get_acc Right !x in
      let lf, rg = ghost match t with
        | Empty -> absurd
        | Node l _ r -> l, r
        end in
      (ghost not_below mem0 lf rg _c !z);
      bloc mem0 GoLeft;
      let b = begin ensures { result <-> _lf = null /\ _rg = null }
        ensures { result -> lf = Empty /\ rg = Empty }
        is_null _lf && is_null _rg end in
      if not b then begin
        (ghost ext_cur mem0 lf _lf _c);
        aux lf;
        bloc mem0 GoRight;
        (ghost ext_cur mem0 rg _rg _c);
        aux rg;
        bloc mem0 GoBack
      end
    in
    let ghost mem0 = get_all_accs () in
    try aux t;
      label I in
      while true do
        invariant { memo = (memo at I) }
        invariant { rotated mem0 memo.accessor Finish !x /\ !entered }
        variant { 0 }
        bloc mem0 Finish
      done
    with Stop -> (ghost ext_cur mem0 t root (null ())); () end

end

(** In this module we provide a proof of the initial algorithm by
    derecursiving the previous one *)
module Iterative

  use int.Int
  use map.Map
  use map.Const
  use bintree.Tree
  use bintree.Size
  use option.Option
  use ref.Ref
  use Memory
  use TreeShape

  (** Snapshot of all relevant memory values in the program *)
  type snap = {
    pointers : pmem;
    cursor : loc;
    parent : loc;
    marks : map loc bool;
  }

  (** Stack frame in the recursive version. Fields are
      assigned as the code pointer increase. *)
  type frame = {
    (* Memory & ghost argument at call site (pc>=0). *)
    memo0 : snap;
    tree : treel;
    (* right & left trees/pointers (pc>=1) *)
    tleft : treel;
    pleft : loc;
    tright : treel;
    pright : loc;
    (* Memory after first bloc call (pc>=2) *)
    memo1 : snap;
    (* Memory after first recursive call (pc >= 4) *)
    memo2 : snap;
    (* Memory after second bloc call (pc >= 5) *)
    memo3 : snap;
    (* Memory after second recursive call (pc >= 6) *)
    memo4 : snap;
  }

  (** Find out current memory state with respect to code pointer. *)
  function frame_memo (f:frame) (pc:int) : snap =
    if pc <= 0 then f.memo0
    else if pc <= 1 then f.memo1
    else if pc <= 2 then f.memo2
    else if pc <= 3 then f.memo3
    else f.memo4

  (** Postcondition relation for `bloc` calls. *)
  predicate bloc_rel (mem0:pmem) (ph:phase) (s1 s2:snap) =
    s2.parent = s1.cursor /\ s2.cursor = s2.pointers[Parent][s2.parent] /\
    s2.marks[s2.parent] /\
    (forall l. l <> s2.parent -> s2.marks[l] = s1.marks[l]) /\
    if s1.pointers[Left][s1.cursor] = null = s1.pointers[Right][s1.cursor]
    then s2.pointers = s1.pointers
    else rotated mem0 s2.pointers (next_phase ph) s2.parent

  (** postcondition relation for recursive (`aux`) calls. *)
  predicate rec_rel (t:treel) (s1 s2:snap) =
    unchanged s1.pointers s2.pointers /\
    s2.cursor = s1.parent /\ s2.parent = s1.cursor /\
    was_marked t s1.marks s2.marks

  (** Call stack *)
  type stack =
    | Bottom
    | Running stack int frame
    | Done

  (** Describe a valid call stack. Mostly precise which relation
      between states holds. Note that in the previous version,
      Why3 did that part for us via the weakest precondition calculus. *)
  predicate is_stack (t:treel) (stop scur:snap)
                     (s:stack) (calls:option treel) =
    match s with
    | Bottom -> stop = scur /\ calls = Some t
    | Running s pc f ->
        0 <= pc <= 4 /\
        (* Correctness of caller stack. *)
        let m0 = f.memo0 in
        is_stack t stop m0 s (Some f.tree) /\
        (* Precondition for recursive call. *)
        m0.cursor <> null /\ is_tree m0.pointers f.tree m0.cursor m0.parent /\
        (* Initially obtained pointers & subtrees. *)
        f.tree = Node f.tleft m0.cursor f.tright /\
        f.pleft = m0.pointers[Left][m0.cursor] /\
        f.pright = m0.pointers[Right][m0.cursor] /\
        (* First bloc run, if completed normally. *)
        (pc >= 1 -> bloc_rel m0.pointers GoLeft m0 f.memo1 /\
                    f.pleft <> null /\ f.pright <> null) /\
        (* First recursive call. *)
        (pc >= 2 -> rec_rel f.tleft f.memo1 f.memo2) /\
        (* Second bloc run. *)
        (pc >= 3 -> bloc_rel m0.pointers GoRight f.memo2 f.memo3) /\
        (* Second recursive call. *)
        (pc >= 4 -> rec_rel f.tright f.memo3 f.memo4) /\
        (* Current memory state. *)
        frame_memo f pc = scur /\
        match calls with
        | None -> pc <> 1 /\ pc <> 3
        | Some u ->
            if pc = 1 then u = f.tleft else pc = 3 /\ u = f.tright
        end
    | Done -> rec_rel t stop scur /\ calls = None
    end

  (** Termination argument. In fully general cases, we would need
     a lexicographic ordering but here an integer size suffice. *)
  constant large_enough : int = 100
  function stack_size (st:stack) : int = match st with
    | Bottom -> 1
    | Done -> 0
    | Running s pc f ->
        stack_size s + (large_enough - pc) + if pc = 0
        then large_enough * (size f.tleft + size f.tright)
        else if pc <= 2
        then large_enough * size f.tright
        else 0
    end

  let rec lemma stack_size_pos (st:stack) : unit
    requires { exists t stop scur calls. is_stack t stop scur st calls }
    ensures { stack_size st >= 0 }
    variant { st }
  = match st with Running s _ _ -> stack_size_pos s | _ -> () end

  (** Create a stack frame for a recursive call *)
  let ghost opening (t ct:treel) (stop scur:snap) (ghost st:ref stack)
    requires { is_stack t stop scur !st (Some ct) }
    requires { is_tree scur.pointers ct scur.cursor scur.parent }
    requires { scur.cursor <> null }
    writes { st }
    ensures { is_stack t stop scur !st None }
    ensures { stack_size !st <= stack_size !(old st) +
                                large_enough * size ct }
  = match ct with
    | Empty -> absurd
    | Node lf _ rg ->
      let f = {
        memo0 = scur; tree = ct; tleft = lf; tright = rg;
        pleft = scur.pointers[Left][scur.cursor];
        pright = scur.pointers[Right][scur.cursor];
        memo1 = scur; memo2 = scur; memo3 = scur; memo4 = scur;
      } in
      st := Running !st 0 f
    end

  (** Remove a stack frame at end of recursive call simulation *)
  let ghost closing (t ct:treel) (stop sprev scur:snap)
                    (ghost st:ref stack) : unit
    requires { is_stack t stop sprev !st (Some ct) }
    requires { rec_rel ct sprev scur }
    writes { st }
    ensures { is_stack t stop scur !st None }
    ensures { stack_size !st < stack_size !(old st) }
  = match !st with
    | Bottom -> st := Done
    | Done -> absurd
    | Running s pc f ->
      let f = if pc = 1 then { f with memo2 = scur }
      else { f with memo4 = scur } in
      st := Running s (pc+1) f
    end

  (** Advance code pointer when a bloc is run. Takes care to
      open/close new frame as needed. *)
  let ghost continuing (t:treel) (stop sprev scur:snap)
                       (ghost st:ref stack)
    requires { is_stack t stop sprev !st None }
    requires { match !st with
      | Bottom | Done -> false
      | Running _ pc f ->
          let ph =
            if pc = 0 then GoLeft else if pc = 2 then GoRight else GoBack in
          bloc_rel f.memo0.pointers ph sprev scur
      end }
    writes { st }
    ensures { is_stack t stop scur !st None }
    ensures { stack_size !st < stack_size !(old st) }
  = match !st with
    | Bottom | Done -> absurd
    | Running s pc f ->
      not_below f.memo0.pointers f.tleft f.tright
                f.memo0.cursor f.memo0.parent;
      if pc = 0 then
        if is_null f.pleft && is_null f.pright
        then begin
          st := s;
          assert { match f.tleft, f.tright with
            Empty, Empty  -> true | _ -> false end };
          closing t f.tree stop f.memo0 scur st
        end else begin
          let f = { f with memo1 = scur } in
          st := Running s (pc+1) f;
          ext_set (footprint f.tleft) f.memo0.pointers scur.pointers
                  f.tleft f.pleft f.memo0.cursor;
          opening t f.tleft stop scur st;
        end
      else if pc = 2 then begin
        let f = { f with memo3 = scur } in
        st := Running s (pc+1) f;
        ext_set (footprint f.tright) f.memo0.pointers scur.pointers
                f.tright f.pright f.memo0.cursor;
        opening t f.tright stop scur st;
      end else if pc = 4 then begin
        st := s;
        assert { unchanged scur.pointers f.memo0.pointers };
        closing t f.tree stop f.memo0 scur st
      end
    end

  (** The main algorithm. *)
  let markTree (ghost t:treel) (root:loc) : unit
    (* Requires a well-formed non-empty tree *)
    requires { is_tree memo.accessor t root null /\ root <> null }
    writes { memo, non_det }
    (* Tree shape is unchanged *)
    ensures { is_tree memo.accessor t root null }
    ensures { unchanged (old memo).accessor memo.accessor }
    (* All nodes are marked. *)
    ensures { was_marked t (old memo).mark memo.mark }
  = let x = ref (anyloc ()) in (* ==> Tree x, y *)
    let y = ref (anyloc ()) in
    let ghost z = ref (null ()) in
    let ghost snapshot () : snap
      ensures { result.pointers = memo.accessor }
      ensures { result.cursor = !x }
      ensures { result.parent = !z }
      ensures { result.marks = memo.mark }
    = { pointers = get_all_accs ();
        cursor = !x; parent = !z;
        marks = get_all_marks () } in
    x := root; (* ==> x = root; *)
    let ghost stop = snapshot () in
    let ghost scur = ref stop in
    let ghost st = ref Bottom in
    ghost opening t t stop stop st;
    let entered = ref false in (* encode do-while loop. *)
    while not (begin ensures { result <-> !x = null }
        !entered && is_null !x end)
    do (* ==> do { BODY } while(x != null); *)
      invariant { !x = null -> !entered }
      invariant { !scur.pointers = memo.accessor }
      invariant { !scur.cursor = !x }
      invariant { !scur.parent = !z }
      invariant { !scur.marks = memo.mark }
      invariant { is_stack t stop !scur !st None }
      variant { stack_size !st }
      entered := true;
      (ghost z := !x);
      set_mark !x true; (* ==> x.mark = true; *)
      if is_null (get_acc Left !x) && is_null (get_acc Right !x)
        (* ==> if (x.left == null && x.right == null) { *)
      then begin
        y := get_acc Parent !x; (* ==> y = x.parent; *)
      end
      else begin (* ==> } else { *)
        y := get_acc Left !x; (* ==> y = x.left; *)
        set_acc Left !x (get_acc Right !x); (* ==> x.left = x.right; *)
        set_acc Right !x (get_acc Parent !x); (* ==> x.right = x.parent; *)
        set_acc Parent !x !y; (* ==> x.parent = y; *)
      end; (* ==> } *)
      x := !y; (* ==> x = y; *)
      let ghost sprev = !scur in
      ghost scur := snapshot ();
      ghost continuing t stop sprev !scur st;
    done; (* ==> end 'do while' *)
    ghost (match !st with Done -> () | _ -> absurd end);
    ghost ext_cur stop.pointers t root (null ())

end
why3-1.6.0/examples/verifythis_2016_tree_traversal/000077500000000000000000000000001440160026300221705ustar00rootroot00000000000000why3-1.6.0/examples/verifythis_2016_tree_traversal/why3session.xml000066400000000000000000000426011440160026300252130ustar00rootroot00000000000000








 
 
 
 
 
 
 
 
 
 
 
 


 
 
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
 
 


 
 
 
 
 
 
 
 
 
 
 
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
 
 
 
 
 



why3-1.6.0/examples/verifythis_2016_tree_traversal/why3shapes.gz000066400000000000000000000175771440160026300246510ustar00rootroot00000000000000]ksܸ_o|5Uo*d+.gT%E$~&M!{,MsH_m?{3sh뇻wb'wj>8aw\%;.Ҧ竟yE͎tἣ-
^!tNn*;nwl>>ΰMx1WwM
Tl
.q-+R[EmVnvQE#CǍ07ljƢd-N_X.=ovΆ3y{u+k|x2:W^'/qg{|Atq5^?_{wdՄ=~
r!ɠ
ر	v?dH0[؉j0r7!GR`cP~;n	+/d˺x>TTFY΃4ҋfyw}]=)owt߮[%up/.hqIs0Jr|9KXbٜ홁R\K1B^^>ܽAB,Līxsc8|M"s:ieanfRZ*Ųfb#hjf{
Dpy@'Nz~ʘ.)8̘cOΓ_JG举yx77$?/SWy;t`TwoPtJҐ'4AQ.]_qv;ޖUnCx=d`VYh\'|^\}n/OnZlF'[C3Eڹ*`KZID.> M	onoێ
9Mc"m>%SUwwp7b2|E:?<z
ϻcYµĊ5ۓ}ڤ@P!PRr2"ey	5ѰXo&lS9*R.Ao3	s{|$Ut\iVt89''ЯD-E$l_$G]9R9r#Wn/>Ii7q.V3)$ȌmhhXS?k>!bX@|&ϦOkL(>pEqEIEi~a_p@3x'^ʋʋUnvpc#+*>?"iZcUfgx8<8/Fsb*;+;O?VaY`@g}bҲrbҲc:rgL8<@|}S5zpU2|0?`̬P*RX1[fX|DՉGtbzg!N<M%xx9i
T*WW-Jى-\R)Xo+f&D>vFi$DP#Ddc6 ֎HSY-~w}CKhijۛyq -!wJΓ$l<LRWN_=ƞW}0S%J%R(jQJ<ˣ?u痿6%ܗ\ǒOX-'LxGix|{ ʑ"g&($쬁`|Dsivu1%4K	L$)i\2זI)&̛4HODFhW婣D6~6z4v-܄їG:"Q	~)Ιs&sWV~aV=]뇳>vwMOiSXcd_?Y=$pRRR[hh+C>ܿ&XG  &EAB]wc3wװyl|)td0['̤ħD33[U
T5xjptF,i#-)+qk
[~08<0.'0#rzvl'`w(e]>&MMGs\v)LU_Z=kSYkuZAZ$IU0TaxPƢ.?e'ocB.)50֚U
>G
l!97=$g]A?2Ff8r.2[*DUw9C-p+9@dOYA]T6u>Bg$F#U1b9b
1rYܧQ3SU
T5xjЬΔ->p%WgR9;?}(3&0gcpasiw@y~0ф8_;N׊ QiáOӵeș f~et`"\-zZr)i&?~+V|6Gl,NV?*	H=9E/|G29%ԾUva[7Ñ	J8ÞKGpp?ИgZ->WUe/?_pdpvdY8
Gea9SdRQbdE~ۻxn!{tʂʂg˂
t/Ӕ~VViJ0DEw+,z63l5!bbi1kq4cr3)7t!=1*~Q妜_p>|1w6GnnNܞN+8*gNж~+,yivΆ3_&׏!t}}c۾:8;WTd'w4my5?<<ܼA
oql˸GzS+F_k|߫?_a ouy34|Q~8Oh6D&"aN$	]xLzO~<EC
1ݧo.{;
%MV")L?/>JI 2_gg2Ypܑ|ޕ7,Լ
?,{
L&#2WW,f
]>%ȫ*7`߃^!dR`6c>i!<=]L(\m|{gISHz
Eݹ4Lq&*.iċD޳yObou-1=>AdK&_7w۷Wڔj^-RZxI=
<Co`It^օezC7ca`ӫ[[6V.L/
6l.
<730;hyz爲
h7eC*Ţ-\PgJˢC>I8EFjџCs=	@F~$.),D24EMn/C'5_vb|D/1j
iYxRMnUV1 0p\󲢴V+H?.ՖVo˪GE?y]\ѺKK4X}u_,<~u__,uS3E?su	+KTV~u)TYٸYM"֧񣢟@U߿(4
@Q\<EO6ͧ6NpbYOȭFH>g#l+f#|bzQMff9Nu-?+a]q.r<}p"- MsyHB
K^墋Tֱ#hzM7M@i5NOӣ=^;ϖYP]NP^NZL*GB7Whkf~
$ύ;eg\s#ު,~_?o ^=$iޓ<;6Ռ[,f9=_ptlD<
j2Ƅ ;O9Ow:$}=Z?~/m'uh{N^횭9[iBj\_zxko@X֧xKLkGnJKOjI3v[~e{.N#WcW҈t`
DqaȨcdD9eM/"zuqM	ȻV
WfR!޶g56`2A3y!ms9#yo>0gB5N
vP^
SƷp)=ul9}T#T.yҽǞoY_&2&*3"ZlQWo"Hg_p.םwKv|;&bEurp#Brǭd>xW͠TkYi]G)L@xX*Z+%d{+Aζg7\R(zd&zÙMlc=Q:Mqm^+ͅq"_5	Cdr0hu:kqk:L]DjQ*&X3Ȩ$Uu
;n]D"x
o<t"ziziL_w-sQp.bpE{nڡt댶bi-zN:bq{c?6pie8)&Zk}5@stGSb2mI5hC?Dl	R18i&qA
)[NT6rzLvpl*/[%ږLFvQ}B
)|
,XXhLDbQӬaPm{˵emVD"DA3uSh@*n ʲvaa^XW,EdXL[Dx Z+&
u0B2
MIκv##@Iɵmڎ-Cm=g]8dr^dɲi.2^ćӝMS\xN%`<"p*-iA8@ՈfHCuRB$C+`a䬍I
^RIj>TqNH	mjLQK%
(AHZX'v"0+\P$!+!3Z{7TRFJHZPלN
TޓA!p!r`s>Y0\]s큸XRۛ@8:vRo([sd})F$ڠkZ@7 a[i]) l h

  val maximum_subarray (a: array int) : (s: int, lo: int, hi: int)
    ensures { 0 <= lo <= hi <= length a /\ s = array_sum a lo hi /\
              forall l h. 0 <= l <= h <= length a -> s >= array_sum a l h }

  (* sum of a submatrix *)

  function col (m: matrix int) (j i: int) : int = m.elts i j

  function matrix_sum (m: matrix int) (rl rh cl ch: int) : int
    = sum (fun j -> sum (col m j) rl rh) cl ch

  let maximum_submatrix (m: matrix int) :
      (s: int, rlo: int, rhi: int, clo: int, chi: int)
    ensures { (* this is a legal submatrix *)
              0 <= rlo <= rhi <= rows m /\
              0 <= clo <= chi <= columns m /\
              (* s is its sum *)
              s = matrix_sum m rlo rhi clo chi /\
              (* and it is maximal *)
              forall rl rh. 0 <= rl <= rh <= rows m ->
              forall cl ch. 0 <= cl <= ch <= columns m ->
              s >= matrix_sum m rl rh cl ch }
  = let a = Array.make m.columns 0 in
    let maxsum = ref 0 in
    let rlo = ref 0 in
    let rhi = ref 0 in
    let clo = ref 0 in
    let chi = ref 0 in
    for rl = 0 to rows m - 1 do
      invariant { 0 <= !rlo <= !rhi <= rows m }
      invariant { 0 <= !clo <= !chi <= columns m }
      invariant { !maxsum = matrix_sum m !rlo !rhi !clo !chi >= 0 }
      invariant { forall rl' rh. 0 <= rl' < rl -> rl' <= rh <= rows m ->
                  forall cl ch. 0 <= cl <= ch <= columns m ->
                  !maxsum >= matrix_sum m rl' rh cl ch }
      fill a 0 (columns m) 0;
      for rh = rl + 1 to rows m do
        invariant { 0 <= !rlo <= !rhi <= rows m }
        invariant { 0 <= !clo <= !chi <= columns m }
        invariant { !maxsum = matrix_sum m !rlo !rhi !clo !chi >= 0 }
        invariant { forall rl' rh'. 0 <= rl' <= rh' <= rows m ->
                    (rl' < rl \/ rl' = rl /\ rh' < rh) ->
                    forall cl ch. 0 <= cl <= ch <= columns m ->
                    !maxsum >= matrix_sum m rl' rh' cl ch }
        invariant { forall j. 0 <= j < columns m ->
                    a[j] = sum (col m j) rl (rh - 1) }
        (* update array a *)
        for c = 0 to columns m -1 do
          invariant { forall j. 0 <= j < c ->
                      a[j] = sum (col m j) rl rh }
          invariant { forall j. c <= j < columns m ->
                      a[j] = sum (col m j) rl (rh - 1) }
          a[c] <- a[c] + get m (rh - 1) c
        done;
        (* then use Kadane algorithme on array a *)
        let sum, lo, hi = maximum_subarray a in
        assert { sum = matrix_sum m rl rh lo hi };
        assert { forall cl ch. 0 <= cl <= ch <= columns m ->
                 sum >= matrix_sum m rl rh cl ch
                 by array_sum a cl ch = matrix_sum m rl rh cl ch };
        (* update the maximum if needed *)
        if sum > !maxsum then begin
          maxsum := sum;
          rlo := rl; rhi := rh;
          clo := lo; chi := hi
        end
      done;
    done;
    !maxsum, !rlo, !rhi, !clo, !chi

end
why3-1.6.0/examples/verifythis_2017_maximum_sum_submatrix/000077500000000000000000000000001440160026300236065ustar00rootroot00000000000000why3-1.6.0/examples/verifythis_2017_maximum_sum_submatrix/why3session.xml000066400000000000000000000220051440160026300266250ustar00rootroot00000000000000








 
 
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
   
   
   
   
   
   
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
  
  
  
  
  
 
 



why3-1.6.0/examples/verifythis_2017_maximum_sum_submatrix/why3shapes.gz000066400000000000000000000123111440160026300262440ustar00rootroot00000000000000[8v+-.c(tFe%QFn=(JKUymAKEs>9<ӽO/ָ_'oZo?jɱqwtq?{|omkKuO!1㿼k^ֽro=-}
wBS(,\u>xFbc!v&-O̗td%?x:*דBqVB|JQ	4ԚcM9	^Or%pT6_(8hMtz
~C'Ecr17+TQɲVVaP/67|a%&]/ݪE	jgѪq"	hbjqUVVV(yS\dja!8Uݪ_U.En6p_FE7L:ugnVhe+tMEgbS_|UAUC}Ub
)fI$F9ƁB
Ɣkb|y'HPj"ƺXL*Ð%16aq
&bDC/'FBk ka kb)~ɀϛ8j^\y/,ECL78x~E^lH0XtŬS}brF0yb)FR΋5/ҔTS3OYLцm^SsŨ֘LGZ7[
.z "nT	 3BOu,j
ALяH
3Ӡf`0F4/	v1XAS==EM(	mCMGZU)GK-]gqNdBO]tcP#]x1rXś7soboXm7X_mO0ȃ]oaaպo}xH|aصrFq/b9K/⋽_6j5c1.{,"|'b'FK=àңދė%UO[RbKj/[|I^M$;m; v@nѴqw>vʟ$;v6lnـ/VhEVƝq,Sqg6YQ亃?cPG0u9Xoѽ}#{V_
iګbZjO57Yh7!,MPm$gb:z
zhጤK,/s>nԼXJ7Ǹ`t>|:|1:<:Yv>|q1S//>H]{9l)Sb@hܑ1NFcwԶ^lXRQx>	m*VlZՋٕ<<}{	QrSuxd66潒aZe9ƭK$<C==w1tY/³KɫnԼ+߄b٪@oZZZZ沭w?*}ɘVK|Θd̗84昝(A9;~-Ɯ1c=gsb%KXr=lH|mpm_mU](fW1h2k>TJpb!Y2
Z_o}C?ޥ<2)*0-IK]ym!Y+GJ|FowH!}Bb[Gyr|h@ʴVzU^m~
b=k^;&s49&ZpΫܥ1;wkCwN_;wmd?Ɛ#yy;q1"c(g
Cxk9W`jlk]	7-lJWʮ@5:cM>gZtWX(竖]	4W>a;ˢ2@3s]99z`^ˊȹKQ% u VW^ȇ08L_(f!t2\)$}aG֘ZXD8uS͛"@Çx>ѡ%Mϰne|N6+Cך,O]R
.ORE$M&˅&c9qL	4a9&i*$.Ιtz
A9TscjyaӄүJSbNo/a`GȎ!B6
E]ƻ"v
bGl`g~<~qY*MA$K(ߑ;j,P֏P'	9?!nS'埐;[:rrDZsX}0/|R?ac5cK_#LK?	u+[ԉ	AA0-Wa7'[ʭa&(@WI9_[XOCrhWNݕhWŷϮ?gC5eW]TRzt}TVZuV}E]R̮C+SK|rه$@)^4LbNgiѾpxzC*Z[cPrֳ1p|Iqʾ[$]f,޿cmf9r(mҼTZ9jEX-bAgL"Ljts,,~Q:> OiL!Gy6hêY
n{
:-:tlů\-:#ybEgP1Y_BâwmRx]w_|.@F2+vV)-v7fnicr캁big,wp7Q"ӣ3pF\/߰fT9qm?@2""f]xx1SG7g	dCQˌLǑ1cVJ@$t\p	MDbǃ
ީΘs6$s	quR%rn
3;9H{DI㜕Ni}׍PA}h#.HSKNx/AƅXP1э MH:bF(=q@sϜ\C,X;jABKE8
rX(iNdʠ)Nu݁hW#Ղ#	A 
joiu'"GGh|ah4
 8k	0~0݁FM{F09C39X3J<ȇQP7L4+<:¡̍: a[j] <= result }
= if length a = 0 then 0
  else
  let m = ref a[0] in
  let i = ref 0 in
  while !i < length a do
    variant   { length a - !i }
    invariant { 0 <= !i <= length a }
    invariant { forall j. 0 <= j < !i -> a[j] <= !m }
    if a[!i] > !m then m := a[!i];
    incr i
  done;
  !m

function aux (a:int -> int) (m i:int) : int = i * (m - Map.get a i)

lemma aux_pos :
  forall a m i. 0 <= i < length a -> a[i] <= m -> aux a.elts m i >= 0

function entropy (a:array int) (m:int) : int = sum (aux a.elts m) 0 (length a)

let rec lemma entropy_pos (a:array int) (m i:int)
  requires { 0 <= i <= length a }
  requires { forall j. 0 <= j < i <= length a -> a[j] <= m }
  ensures { sum (aux a.elts m) 0 i >= 0 }
  variant { i }
=
  if i > 0
  then begin
       entropy_pos a m (i-1);
       assert { aux a.elts m (i-1) >= 0 };
       assert { sum (aux a.elts m) 0 i
                = sum (aux a.elts m) 0 (i-1) + aux a.elts m (i-1) };
       end
  else ()

let lemma decompose_entropy (a:int -> int) (i j m n:int)
  requires { 0 <= i < j < n }
  ensures  { sum (aux a m) 0 n
             = sum (aux a m) 0 i + sum (aux a m) (j+1) n
               + sum (aux a m) (i+1) j + aux a m i + aux a m j }
=  let decomp (i j k: int)
     requires { 0 <= i <= j <= k <= n }
     ensures  { sum (aux a m) i k = sum (aux a m) i j + sum (aux a m) j k }
   = () in
   decomp 0 i n; decomp i (j+1) n; decomp i j (j+1); decomp i (i+1) j

let lemma inst_ext (a1 a2: int -> int) (a b m:int)
  requires { forall i. a <= i < b -> Map.get a1 i = Map.get a2 i }
  ensures { sum (aux a1 m) a b = sum (aux a2 m) a b }
= assert { forall i. a <= i < b -> (aux a1 m) i = (aux a2 m) i }

let my_swap (a:array int) (i j:int) (ghost m:int)
  requires { a[i] > a[j] }
  requires { 0 <= i < j < length a }
  writes   { a }
  ensures  { exchange (old a) a i j }
  ensures  { entropy a m < entropy (old a) m }
= let ghost a1 = a.elts in
  decompose_entropy a1 i j m a.length;
  swap a i j;
  let ghost a2 = a.elts in
  assert { a[i] * i + a[j] * j > a[i] * j + a[j] * i
           by a[j] - a[i] > 0 /\ j - i > 0
           so a[i] * i + a[j] * j - (a[i] * j + a[j] * i)
              = (a[j] - a[i]) * (j-i)
              > 0 };
  decompose_entropy a2 i j m a.length;
  assert { aux a2 m i + aux a2 m j < aux a1 m i + aux a1 m j
           by (old a)[i] = a[j]
           so (old a)[j] = a[i]
           so aux a2 m i + aux a2 m j
              = (m - a[i]) * i + (m - a[j]) * j
              = m * (i+j) - (a[i] * i + a[j] * j)
              < m * (i+j) - (a[i] * j + a[j] * i)
              = (m - a[j]) * i + (m - a[i]) * j
              = aux a1 m i + aux a1 m j
           };
  inst_ext a1 a2 0 i m; inst_ext a1 a2 (i+1) j m; inst_ext a1 a2 (j+1) a.length m

let rec lemma local_order_implies_sort_sub (a:array int) (i j:int)
  requires { forall k. i <= k < j - 1 -> a[k] <= a[k+1] }
  requires { 0 <= i <= j <= length a }
  ensures  { sorted_sub a i j }
  variant  { j - i }
= if i < j - 1
  then begin
    local_order_implies_sort_sub a (i+1) j;
    assert { forall k l. i <= k <= l < j -> a[k] <= a[l]
             by k = l \/  i = k < l \/  i+1 <= k < j };
    end

let odd_even_sort (a: array int)
    requires { length a > 0 }
    ensures  { sorted a }
    ensures  { permut_all (old a) a }
=
  let ghost m = array_max a in
  let ok = ref false in
  while not !ok do
    variant   { entropy a m + (if !ok then 0 else 1) }
    invariant { permut_all (old a) a }
    invariant { !ok -> sorted a }
    ok := true;
    label L in
    let i = ref 1 in
    while !i < length a - 1 do
      variant   { length a - !i }
      invariant { permut_all (old a) a }
      invariant { 0 <= !i <= length a }
      invariant { odd !i }
      invariant { !ok -> entropy a m = entropy (a at L) m }
      invariant { !ok -> forall j. 0 <= j < !i -> odd j
                      -> a[j] <= a[j+1] }
      invariant { not !ok -> entropy a m < entropy (a at L) m }
      if a[!i] > a[!i+1]
      then begin my_swap a !i (!i+1) m; ok := false end;
      i := !i + 2
    done;
    let i = ref 0 in
    while !i < length a - 1 do
      variant   { length a - !i }
      invariant { permut_all (old a) a }
      invariant { 0 <= !i <= length a }
      invariant { even !i }
      invariant { !ok -> entropy a m = entropy (a at L) m }
      invariant { !ok -> forall j. 0 <= j < length a - 1 /\ odd j
                      -> a[j] <= a[j+1] }
      invariant { !ok -> forall j. 0 <= j < !i /\ even j
                      -> a[j] <= a[j+1] }
      invariant { not !ok -> entropy a m < entropy (a at L) m }
      if a[!i] > a[!i+1]
      then begin my_swap a !i (!i+1) m; ok := false end;
      i := !i + 2
    done;
  done;why3-1.6.0/examples/verifythis_2017_odd_even_sort_rearranging/000077500000000000000000000000001440160026300243605ustar00rootroot00000000000000why3-1.6.0/examples/verifythis_2017_odd_even_sort_rearranging/why3session.xml000066400000000000000000000501211440160026300273770ustar00rootroot00000000000000








 
 
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
 
 
 
 
 
 
 
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
 
 
 
 
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
 
 
 
 
  
  
  
  
  
  
 
 
 
 
  
  
  
  
  
  
  
  
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
  
  
  
  
  
  
  
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
 
 
 
 
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
 
 
 
 
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
 
 



why3-1.6.0/examples/verifythis_2017_odd_even_sort_rearranging/why3shapes.gz000066400000000000000000000206211440160026300270210ustar00rootroot00000000000000][o6}f"1aFeQ
Jft7lEuf*"}n?pT?ׅېɭi#݇ܐ+c]݆]ϗBٴwO@=imrjc}GpYz羄?~ߵo1ӧſܗ{GQj
{Qr}w1uas4h↪ƍy/55Do*
cD"5vNyB)bte26. cyv+X݊<{xh#qATRlv9|~wW7%mι~wÆm&
-2:8cc/¯>-ĉ;F4fyzwiS>@FhCZ+!bu^aww^\[-کM=g{Quۯ@_pGaBZp]G9_f5__RS7䚥0Gb3j7Ƙ5U׬ͣUnڤѢ"mKq't+N0^W\sa&bdCU
[ѩ//|񄾸Z4}2B>:>厌?{.\#p1wtNf"6찝'^eQwOāT˧~:ȃd}srk0-d)̎qYXU"913-#MsT&QJ|KS]g4`MkEFLYT#gCBqldTD`z0'Vjj\}{f{YmDU))NHSRW4+R*9Qgʭ1gJ5Jᰳ
sFcL)\HEcrҌ x)LR&rR( @.Zx+ r)LUUI
4va*H]n/OO\K.';WM]:;TڌR8r1
ZAZ
sV<5|R8ljCv)qg]N)\2=21J4'mɱpsll|N|byN-eJScF͂SQVJUv*])-f?WӀ tՎô{y9#r6|s_(
%eֶ4RˇQHC__gS4'kof)(.z{>`NZ>Ae@9JFΩ^HZ'
M|H-XHVېLk)nSM!}8"WCTEVh=`pV-ՊӅ\mmn\֨
ӢQMݗ?;[):륭K;6-@2M%oT)tdELfmTu2}ERw%JTURfj-u]^s|8HK?nctVf6*j<'eD:]|_~!=)v)U͍\eU]/V	uǞTğαm}},%XN(48@jqlgzv}Q0FQvaxf`_:'׍PjZ1'X4j`o.|1K=Z;.xڮ59Otv)
_*he_qt^݄0o]o6RAh*4]G萑#6LZJ2ݖ	s0GeۍܨghuF~߬uL]֩fXƟ5¸Y.^kkk;`%?3^Yl1"@It7ٖB-o],5^	!f 5("e߯5$S<_I-.ԥ:;Ezw='y%imdD[!*WW2MMFf\6B$³]
|!6WGDma~Gn@4!i;$#+D!&p7/w/tRМRyJAtJ)hN)螔<5SJAsJA)m)EClm2d [;ce!.oI\fwuGsqxggFu8R:;'[fys}Ī1Rò1O4}:KMAcO>^^577O@361BLj҇DIA&ߛ/.`=Vdt5K&M,ގX+V*M_&([kI%uEՃ*3EUB=US%*9SQ6*aT	J	nҾQZ9.d w$#;"PddT=2jsaMF2rœW)FS7[~ɗ7b93~ykXܽڧ(x|ZbqR,O{<_/_v/0qqq-pK7=ض7qh͉x9@$|&M318IM*T4xsRqvdGb0WGMc{̛&tz7y~

Y>?]j22#ã
edϳUh}s{B۳UΔl:=[gUS<[t$6hZѴiEl=;9ue*LIpIxzBBEe3V6e6&5@[;,^n0lɚ_퉽yd3>LmLDIA&߉\zelJ,wa/w5~Ut	ޥ=Zzoiy})f=@vfe*}IT]t[*,[S+{޻Cڷ3h|ΎP_VwRSDdroM[v{νC[\wĔbӗKX}H0xTC#d7HZK'Nukǂp嬴6\B{
ﬗ
 
K.
FxÔq]iup\9ØA2u)oąB*F
HgЬȀԅ`B^(0,Yo`T2|4YB-uc'sA	\ipIɍN[.:G$'}F%e7^x^
p´TA04/^N+C)}
6g1@/C S^A S}{(ԚsCo{ցc|/t
&
}'8L$
G
n;^R,	{1v
#qn`D;B6g;lJ=zw
egZX!ƃ:{z
L09vc	;r*,N`gV#ҴbS΃ǁ/&d3rͤ`0\J-ýW\wڋ3'c7=+V0R3i&pI<au2vJnȁ0sQG@p\Jv0[`4j1@"Qn}B4]ځAT#B茈Z֊@(N"b	z
fz0)CRQqI[KsN("<ce>|FTuH'`BZbx{"As<6H{F]Lb\* Cլ׌XK-5>q0ClfCpN=SwPWFp-bC ҥ.10i$_FF
bZj6,#/
D-^qR1p*,
`)D?Lb\/(Ez*Px0hjS6b	bjSs`wDH$>Qv+:x#$wHEN$Z`	 ێTFt}`p:Zl6CL"FpwwL:%[,|J	D>Fdl Iu!)^![ó(?O1>2Y/< zdfp7H2Y$Hb)^2D	9	K"if2U|D2CG0=BLEFNmJ==hm|:Ay!RNz13ZȋELSB}̹D'V)
lxlc
a!TԄzr^@@|ȿl<Ŝ!tzj|`ъ@1a/lIS?J=XbP327q"c̚=VtLsG7Icӡ!MG*):]~W3H:3B8zt3c0QYvVp! ЬZkXz̹b0TWXL4
[k";ZHGQPJdjُ]ze^)'o
\)FPhhФ(3>1(Tq5)h Αe qz;^lxBvhđu,U\Í'&!lB$A>M
rBLp̛3UpK$H)*YB"gL4:^̨yK EDҌzb^9ס::#Daxoi<*Aٮ"wvt*h)bD^;!(pOzD"

2\2ybpVƂ	I
x0}`
2&i8	l
=	^ix@,"c&AJsHx:IO~LWL@%"2H=tdoc1/Ue@f8eIYckHov\`6B{s%xdZ Œz2(ALuH1uP\W
>3`&R3L1v`)R!euD`x@%xe
C{#keaD@)[pI4+45{U+B^R]M~$ w)lSqkb{9 ϶SO,R!/˸kBqG- ="9@5ka]xp=csz=f&1&_Mc8͝w; AWsO{ýƱ:܇g5!+Hs4|8`Vqv@W[ys@Sk:eh!Lz5-BĠ7	1Tq
AsgbIwhy3-1.6.0/examples/verifythis_2017_odd_even_transposition_sort.mlw000066400000000000000000000061661440160026300255270ustar00rootroot00000000000000(**

{1 VerifyThis @ ETAPS 2017 competition
   Challenge 3: Odd-Even Transposition Sort}

See https://formal.iti.kit.edu/ulbrich/verifythis2017/

Author: Jean-Christophe Filliâtre (CNRS)
*)

(* note: this is only a solution for the sequential (single processor) version
   of the challenge *)

module Challenge3

  use int.Int
  use int.ComputerDivision
  use ref.Refint
  use array.Array
  use array.IntArraySorted
  use array.ArraySwap
  use array.ArrayPermut
  use array.Inversions

  (* odd-sorted up to n exclusive *)
  predicate odd_sorted (a: array int) (n: int) =
    forall i. 0 <= i -> 2*i + 2 < n -> a[2*i+1] <= a[2*i+2]

  (* even-sorted up to n exclusive *)
  predicate even_sorted (a: array int) (n: int) =
    forall i. 0 <= i -> 2*i + 1 < n -> a[2*i] <= a[2*i+1]

  let lemma odd_even_sorted (a: array int) (n: int)
    requires { 0 <= n <= length a }
    requires { odd_sorted a n }
    requires { even_sorted a n }
    ensures  { sorted_sub a 0 n }
  = if n > 0 && length a > 0 then
    for i = 1 to n - 1 do
      invariant { sorted_sub a 0 i }
      assert { forall j. 0 <= j < i -> a[j] <= a[i]
                  by a[i-1] <= a[i]
                  by i-1 = 2 * div (i-1) 2 \/
                     i-1 = 2 * div (i-1) 2 + 1 }
    done

  (* note: program variable "sorted" renamed into "is_sorted"
     (clash with library predicate "sorted" on arrays) *)
  let odd_even_transposition_sort (a: array int)
    ensures { sorted a }
    ensures { permut_all (old a) a }
  = let is_sorted = ref false in
    while not !is_sorted do
      invariant { permut_all (old a) a }
      invariant { !is_sorted -> sorted a }
      variant   { (if !is_sorted then 0 else 1), inversions a }
      is_sorted := true;
      let i = ref 1 in
      let ghost half_i = ref 0 in
      label L in
      while !i < length a - 1 do
        invariant { 0 <= !half_i /\ 0 <= !i = 2 * !half_i + 1 }
        invariant { permut_all (old a) a }
        invariant { odd_sorted a !i }
        invariant { if !is_sorted then inversions a = inversions (a at L)
                                  else inversions a < inversions (a at L) }
        variant   { length a - !i }
        if a[!i] > a[!i+1] then begin
          swap a !i (!i+1);
          is_sorted := false;
        end;
        i := !i + 2;
        ghost half_i := !half_i + 1
      done;
      assert { odd_sorted a (length a) };
      i := 0;
      ghost half_i := 0;
      while !i < length a - 1 do
        invariant { 0 <= !half_i /\ 0 <= !i = 2 * !half_i }
        invariant { 0 <= !i }
        invariant { permut_all (old a) a }
        invariant { !is_sorted -> odd_sorted a (length a) }
        invariant { even_sorted a !i }
        invariant { if !is_sorted then inversions a = inversions (a at L)
                                  else inversions a < inversions (a at L) }
        invariant { !is_sorted \/ inversions a < inversions (a at L) }
        variant   { length a - !i }
        if a[!i] > a[!i+1] then begin
          swap a !i (!i+1);
          is_sorted := false;
        end;
        i := !i + 2;
        ghost half_i := !half_i + 1
      done;
      assert { !is_sorted -> even_sorted a (length a) }
    done

end
why3-1.6.0/examples/verifythis_2017_odd_even_transposition_sort/000077500000000000000000000000001440160026300247755ustar00rootroot00000000000000why3-1.6.0/examples/verifythis_2017_odd_even_transposition_sort/why3session.xml000066400000000000000000000265171440160026300300300ustar00rootroot00000000000000







 
 
  
  
  
  
  
   
   
   
   
   
   
   
   
   
  
  
  
  
  
  
  
  
 
 
 
 
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
 
 



why3-1.6.0/examples/verifythis_2017_odd_even_transposition_sort/why3shapes.gz000066400000000000000000000065021440160026300274400ustar00rootroot00000000000000][o6}_1oۢH^z-xmځ38޴4MH'^wΡſϷvw}ϵY"|_ET䗃?
淼ݵ͍w.y^ww~`.|/ClsC꧱Nil5݈ꃿ;lV5(|}!xkvxh0j!|0ρ/7wH
EmXͱ~\u>b@{Na|G~two;68\G7%iToOC~r3ۻx}v_j'\ejGIv!P{,P;ۜ[4}[^2|%G-hB8\,wX%MYV]ThU߽ͯ .M.cg{oz۲Mp	$i:;[UEr*ff,)1yHݚbG&hZ6{|'=qj/_w5ݢ㝻C/(XgH}YUz[NjaqPbȎ\=zp|QL-A47p7孅.DKoͷUʿ
oontj=ი2AW;???;NcQjN׃b7#:^pKyt0բawmkQX;ݠpi`
`T7CߴAb.qIyWQ{_k蘨8m*


s)K&ۼj#i5movwڿ׮u]]/P$OOٓGx]N]N/VNЕb9ztŢωLDh9H7q5м/DV:3;33)\ѹڹDYV?SR}6HՐI4m!9;Vfr'ɶSS\\(ܝoooǯ w
v
>ȝ_330.ʙ\ ۳[TEB|O{WP\5l;[TOd8$EN2Ō5z=>mi¦
͸QftܰǫiSMgՖ{i2yu[k_em@'fG/{-
k_t+يijnYoEuI&cKߍ=^1XG#5tQ]5ukiTڦ)$
ەޕޕ,EjAw/
km#tGba(C{Y>Un7n$IW'	'OX4HgOHn#ߠ#vNѝ9/j0 rnL7GuSSiOOg^Ij*gi4FO3(JJJJȚդmw	^,;‹q'lIt&LLbTUu	^';n#F|6T-۝;EwgEI?aq2y.rN=~_-Jc;Dw!N$}kkkikovO=7=I,}AWzwG;ُ>&=/1ӗ>.=2Zf
VХ{=Pis	>G㆝ۚTtAٶfO^arW+l|Q{_a+lh}npq]oݍ}}
ՊyJ"GVX1
aSӺThz"UP&_ r"P=#ΐu4rDzΑdR6vcڇVt.꒝^:HMg`2`t5!c2䂷,hYdPVD/{s	6s)%)L<@g,dK	,54FpQ5Ў9$NS/^#!KVx+j`KEWY,TSLQ&1Pa Z$>70HmHUa9C\*`L)Rmexd'0d`d+vd*LS8cG5a4)^uZj	Y3֑S
E4FrX PurVZrL=(#ER'UNdSEJ0B`'1TN`]S[*:.Ek``(xj*zX
$&e)&@Fʨ1+ӘpAT(M%BEzBed;Ygݲ`Yxܔ 0	 0K(Y6eQYPv4O5%sa\Wb)ru*%TLJ1=h$eIwq*[nB:i%c0">-5ɇr@|%	X\	Sá;g`\K
(aXB-5BjvTHhL9t^MpHslt#CF"15sn]]D ,  k`K
/@|1UA´#:04"H+|LT`ԈO<%LOT@ɖA!MlJҴ a[k] <= a[l] }
    ensures { permut_all (old a) a }
  = let i = ref 0 in (* i is running index (inc by 2 every iteration)*)
    while !i < length a - 1 do
      invariant { 0 <= !i <= length a }
      invariant { forall k l. 0 <= k <= l < !i -> a[k] <= a[l] }
      invariant { permut_all (old a) a }
      variant   { length a - !i }
      let x = ref a[!i] in (* let x and y hold the next to elements in A *)
      let y = ref a[!i + 1] in
      if !x < !y then (* ensure that x is not smaller than y *)
        begin let tmp = !x in x := !y; y := tmp end (* swap x and y *)
        else begin
          label L in
          assert { exchange (a at L) a[(!i-1)+1 <- !y][(!i-1)+2 <- !x]
                   ((!i-1)+1) ((!i-1)+2) }
        end;
      let j = ref (!i - 1) in
      (* j is the index used to find the insertion point *)
      while !j >= 0 && a[!j] > !x do (* find the insertion point for x *)
        invariant { -1 <= !j < !i }
        invariant { forall k l.
                    0 <= k <= l <= !j                         -> a[k] <= a[l] }
        invariant { forall k l.
                    0 <= k      <= !j -> !j+2 <      l < !i+2 -> a[k] <= a[l] }
        invariant { forall k l.
                                         !j+2 < k <= l < !i+2 -> a[k] <= a[l] }
        invariant { forall   l.
                                         !j+2 <      l < !i+2 -> !x   <  a[l] }
        invariant { permut_all (old a) a[!j+1 <- !y][!j+2 <- !x] }
        variant   { !j }
        label L in
        a[!j + 2] <- a[!j]; (* shift existing content by 2 *)
        assert { exchange (a at L)[!j+2 <- !x] a[!j <- !x] !j (!j + 2) };
        assert { exchange (a at L)[!j+1 <- !y][!j+2 <- !x]
                           a[!j+1 <- !y][!j <- !x] !j (!j + 2) };
        assert { exchange (a at L)[!j+1 <- !y][!j+2 <- a[!j]][!j <- !x]
                          a[!j <- !y][!j+1 <- !x][!j+2 <- a[!j]] !j (!j + 1) };
        j := !j - 1
      done;
      a[!j + 2] <- !x; (* store x at its insertion place *)
      (* A[j+1] is an available space now *)
      while !j >= 0 && a[!j] > !y do (* #ind the insertion point for y *)
        invariant { -1 <= !j < !i }
        invariant { forall k l.
                    0 <= k <= l <= !j                         -> a[k] <= a[l] }
        invariant { forall k l.
                    0 <= k      <= !j -> !j+1 <      l < !i+2 -> a[k] <= a[l] }
        invariant { forall k l.
                                         !j+1 < k <= l < !i+2 -> a[k] <= a[l] }
        invariant { forall   l.
                                         !j+1 <      l < !i+2 -> !y   <= a[l] }
        invariant { permut_all (old a) a[!j+1 <- !y] }
        variant   { !j }
        label L in
        a[!j + 1] <- a[!j]; (* shift existing content by 1 *)
        assert { exchange (a at L)[!j+1 <- !y] a[!j <- !y] !j (!j + 1) };
        j := !j - 1
      done;
      a[!j + 1] <- !y; (* store y at its insertion place *)

      i := !i + 2
   done;
   if !i = length a  - 1 then begin (* if length(A) is odd, an extra  *)
     let y = a[!i] in (* single insertion is needed for *)
     let j = ref (!i - 1) in (* the last element *)
     while !j >= 0 && a[!j] > y do
       invariant { -1 <= !j < !i }
       invariant { forall k l.
                 0 <= k <= l <= !j                             -> a[k] <= a[l] }
       invariant { forall k l.
                 0 <= k      <= !j -> !j+1 <      l < length a -> a[k] <= a[l] }
       invariant { forall k l.
                                      !j+1 < k <= l < length a -> a[k] <= a[l] }
       invariant { forall   l.
                                      !j+1 <      l < length a -> y    <  a[l] }
       invariant { permut_all (old a) a[!j+1 <- y] }
       variant { !j }
       label L in
       a[!j+1] <- a[!j];
       assert { exchange (a at L)[!j+1 <- y] a[!j <- y] !j (!j + 1) };
       j := !j - 1
     done;
     a[!j + 1] <- y
   end

end
why3-1.6.0/examples/verifythis_2017_pair_insertion_sort/000077500000000000000000000000001440160026300232435ustar00rootroot00000000000000why3-1.6.0/examples/verifythis_2017_pair_insertion_sort/why3session.xml000066400000000000000000000503711440160026300262710ustar00rootroot00000000000000









 
 
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
 
 



why3-1.6.0/examples/verifythis_2017_pair_insertion_sort/why3shapes.gz000066400000000000000000000266661440160026300257230ustar00rootroot00000000000000}َ9f	wQ* рP4ׂ]d+sx/7s3Wf{Bn-=.$7?}xc?}c#y_Wwo>|WC}/?v:~Ϗf=G|~_3.=&Sr:^_?
COX0Wx_KWo@ͣ={{zam[Ε7}w=?|Ag?}ߛ~>Ƿ&Ozw͗J?n-!uj-=?z­[?|/_pGeVRêzR{6$!YI*^u^ViIRig
o㽕߻5}k;,6(?2|~E7kofZ!QS<}G
Ml2E[hdKr#VjDuvReL]RKdJiw?MGF.{nr>J@L
EvH!NT1_̿Deҫ'crp.묲ev|cvHk~VqB#y7Z@]f22QMuƅG.obyEFx[sGx.8ܝQH;D.Q&,]F#0v+uLJ-R;Z`	va.Z2RVfYn0Kք{7	'bFog;
jSFـq	Z@^5;I7-ϵG.o|	[m7dQM%cdE9{g@Jɻvl`-S!Ju!A6nTyx\*`oDM:$
D=؟?ϟ|cK#c$8H%vE5X3XRRmJ=rA./\NxgL(ᅾ?Bo܇77oP-}a9칮區m&8(L#}JA?㰼ˁǏ\^9sO3?Bn:x/^	4?%
(6ylMܝdu^ *pZ;$h]9w<ʰw<ёl
2!!6@~ N 	$ܛ@.שLC Ν8B ?ryMUv@aЏ
s$N0
s7p%ryw0g'97s\6s@Jr6EaT'iQ+#/9Jۍ3o3'e޷qf.ֶǙkuχg<3-#uԛgaH.[ߍIg]'g!{#Yo<
n1+z$JQȐ)lSW5oizVer0;rK{y۩qUlRa(e;F0zm
4^SSAKk*T-_(Ј3A萦P"^MyޟP9jRs\֙UEm^ޒ2{0m%0@.y6!ʶA@8ƵlS'S 4Cm.Eʨ[ 
DMio""TAzO]P{%HY.넶H.d9 [ XZCE rxpbX5GW^ht3vٕ@(|?:#Tb!͇'GҹnjY>H5-#&;I\<H:ڛiL!l劦q޽49_`Zʽ
Đ@TU=UTĹ&xn6\Yc+WKuRAzEVՕrbqb+ed咒19\G̕p	/?AfԳ!}Gv1xn^Oll_}oB	̳e1o#ˏXOulD`8;rC*u vm%`u41y?`PR-C<7' (Db@jm!L(}xE7]xcneT=c&	3	aڱ|qԇLzECi&?$*q"yl\K5@|.m"}ڬWB =P*_
.l˖JVP_m
UNCPRcJ

F4syJh2m؛F&Fw	OE
	6J!
DlD&@;
}H*l"~gkˡ
C3Ql>Q,;f'f|0CN:iV?ADyK~5ۼԺwК򅘦H*ȦuyUHHw}/lʃMR*lʵ.d9H)_(MkPxSz:Sh/lzA@C2TS~fAVH	ZD9+θ\M͒nh9&u1E"[BMvz*|r}tyS~jZ`u!'n}kU:X
Ƭ=u%ϳ^<)?5-Ժ7w95x^_8wruטFu!1j&Hh1j+^{u'|#(J;$&hVj	Q4o`F>	z4q
O;KU~GaO7Wh-6E}Zl
)Tخ,J?k|辝I!;rY|gof{,178::'%;{nogK?Imx>YRO~HIFt!'=DwgIPdfW@𹕮$9dVo&:{CQ$}HT$Ѹ9KM[%=eRȓcmFTS~[N`a6Wݚ*!Df6>JW˜]v_wb~`1zH)$wFc(
yg<:KN:
fԧ?&nHzٕlR:B.S\eZwej485ctG.(ȿmBB~+Bq1#=M2B鱉__g5\l3c2g2>7P0]ڸ[nRK4ΆFUTg׭vζ9vWő79`[nr}UOhfD#=7wf4ˤO.*͵lSagQi.[@z\T:ʢ	gJ@'-yyIR+
Y{;&+4
_dluJDw7f{:\	&.4!÷ ҮδZF>ӚiopC_?c&8h[jY@&,3_P럕Lz8`]^<>)R~{I{*tP}#0u;Sl٠~O̵pp6\\Xݛ3ulwo>:urV8 .(/-SΖa\°6t+alpסНk]@ن\l^	p,
3al7t	c667fzCq2w	ې1Xcu*rFSxf
o:-rFYrgִP%8XuĉaۨhX .vQ4%l'+5P$;+AXɑwk-yv֑w-s'PF޹NWVWiw/qr?ƹB18j+|rlnى9XӰX5;fsvIf6C	\+Z1:vlM.P7/(:Jubo8V+ۓJf+}zO&xDc{{2qٲ'SaJ=JL{2ݜZ4.b&{am24`j{lٙ	ݍ1ޔ,~w&R;DtsD!q,^r1˛WB.+C_^ku;$h2}cxN2K^r&/$Z[]
d^o|AxcheT| xKaxwEJЕ7	C3a9	8'v/|~L̀o&^ew7FhsW2`y{dC:	0	M#IP>$B(땹<I>f/<$*q"{l\)\`n$QlD6չ.m&~%99O
j䕩F^ly!e5z
r
x*N(.>6wHhf={G`+a#6#mQ-EBSd34v"\V-l%b>&p	o!>O6CS$o\֮-6ND
D~L@MFC:R@HZ!#9ni=LF.TRBzY6k⼿&&.#BGݽ#{aSk"VaSu!AJB9lZۤ#YB{aӻg.P?js):C.g]ާ"
c<4B҅V.|bgHSsK>qpsC*ueti`=,S\^Wz"IzO	,.1|TjGC;XR(́_q?r[|u]V	v}ruנFu!1kM'iPp=>K5׌{":kԺKڬդÀi#}0,'[~:Gg&BN	MN2GR'
A<J&hѥjY}_']9_YE% HLT^AZB*2-V>xoinZ[^\HU˫{A2z}!ͪ/m|sgz{VsUU^U)|/\
܇O)j+Q7~_9w_oӚud5կY9a.Z2Tk5KԮd5Z_s=&ɒ#֯X2,}S4XcّD痌3עCh.IƾzO=vTigo!ɳ/N"-sIUܛ.:It F#7ۚInN:YcB|`e**rbqre6jiwDV5i~e[Gz_ֹ,Q|U::<?hـ|,[=IR8
l$O!5.5USytH*4`ii_>˻ZΫg_rb#:%JzoA` =ݾ6|NA^].C"a4b{w2c
	5Ъ	7Q	CF[6<_y!lHWO(ij4:
91{cL,n{)	_*X8­\֨?=UWrpw7rnsI(Y\8}ᗏg39?LO;N]{yō^dr\E$,hј>\zoγKf㴗8!f#pBUEdE?[-R2j"iUyL̳1Ɗf*gNNVYX6;&*{WW}FRʖIBRkx=ݏmFFM|.g㨵+=m֪UNWYZk{PLBlfsA<|lCN;-H6Ə_v
AkMҴxUܲ,2,łN˧7?|ۇO._>}9ov:vsUꍐ_'=um?H-f%J(9kw{!'/zfeuC!y 6,֌Ι0ycD!uZ8YO&r6X1ʿ1'C-q(dOxcil8jYl|pw0
sZ
jj
kg?uK전vP!xrDF.ᕖAFKPfB!ѝa-%U
hL{@3RF/IiDS
n$ÌM79[& iV\Ƣɔ2 ]ffhncG~ YP:G
S臱]9E2)92+x,H3sD{3$%hXvt4h~	ԡ)q%e Xt丨·e,,uL]3/&;J^<@G^aD[	#6 ᣄ90+^VU'OV0~&Ap00
<9
$;3AњSo~X@ E2`&\:=Ŷ}6?0"nbF,gvrj0	yFBLm?
{'O*>V,2O0zX_ .x*?.O<-xK9GہԘ@奃y`A"d+'!2Hkx)7,4T?g+!~6ҧnQ;x$7zDR,a`bX{9H:93
ph9EW@n0$:-Z(y$&HT#%bB13	t:*RQ5+D{	um`PPR
aN(`,BO `XChhq̌pRX3ɬWm1Sޒh;nZvу̲0DGt>t=螊X*hF%e6B,a49@JP1wa`B!RM3@Q-!a	
^@F;i* `:!CgP@zg|/(;
pE +ȂA{0`-.PK43!F0V5x:zs6hIF*`=Z%F0?U/ԑZ7(-2@CHTS<cy$F/0gTLؓ=>L\zh=82:@G0	y9X>ZohzXzҍR]79kMA{8P0P*Y,H[:XZN=ECa[P&nG7@4G-.&:Ђ
w=7kZ Nil
    | Cons x xs -> if n = 0 then Nil
                   else Cons x (take (n-1) xs) end

  let function empty (h: int) : buf 'a =
    { h = h; xs = Nil }

  let function add (x: 'a) (b: buf 'a) : buf 'a =
    { b with xs = Cons x b.xs }

  let function get (b: buf 'a) : list 'a =
    take b.h b.xs

  (* the following lemma is useful to verify both Caterpillar and
     RealTime implementations below *)

  use list.Append
  use list.Length

  let rec lemma take_lemma (l1 l2 l3: list 'a) (n: int)
    requires { 0 <= n <= length l1 }
    ensures  { take n (l1 ++ l2) = take n (l1 ++ l3) }
    variant  { l1 }
  = match l1 with Nil -> ()
    | Cons _ ll1 -> if n > 0 then take_lemma ll1 l2 l3 (n-1) end

end

(* task 1 *)
module Caterpillar

  use Spec
  use list.Append
  use list.Length

  type cat 'a = {
    ch: int;
    xs: list 'a;
    xs_len: int;
    ys: list 'a;
    ghost b: buf 'a; (* the model is the default implementation *)
  } invariant {
    b.h = ch /\
    xs_len = length xs < ch /\
    forall len. 0 <= len <= ch -> take len (xs ++ ys) = take len b.xs
  } by {
    ch = 1; xs = Nil; xs_len = 0; ys = Nil; b = empty 1
  }

  (* for the three operations, the postcondition uses the default
  implementation *)

  let cat_empty (h: int) : cat 'a
    requires { 0 < h }
    ensures  { result.b = empty h }
  = { ch = h; xs = Nil; xs_len = 0; ys = Nil;
      b = empty h }

  let cat_add (x: 'a) (c: cat 'a) : cat 'a
    ensures { result.b = add x c.b }
  = if c.xs_len = c.ch - 1 then
      { c with xs = Nil; xs_len = 0; ys = Cons x c.xs;
        b = add x c.b }
    else
      { c with xs = Cons x c.xs; xs_len = 1 + c.xs_len;
        b = add x c.b }

  let cat_get (c: cat 'a) : list 'a
    ensures { result = get c.b }
  = take c.ch (c.xs ++ c.ys)

end

(* task 2 *)

(* important note: Why3 assumes a garbage collector and so it makes
   little sense to implement the real time solution in Why3.

   Yet I stayed close to the C++ code, with a queue to_delete where
   lists are added when discarded and then destroyed progressively
   (at most two conses at a time) in process_queue.

   The C++ code seems to be missing the insertion into to_delete,
   which I added to rt_add; see my comment below.
*)

module RealTime

  use Spec
  use list.Append
  use list.Length

  (* For technical reasons, the global queue cannot contain
     polymorphic values, to we assume values to be of some
     abstract type "elt". Anyway, the C++ code assumes integer
     elements. *)
  type elt

  (* not different from the Caterpillar implementation
     replacing 'a with elt everywhere *)
  type rt = {
    ch: int;
    xs: list elt;
    xs_len: int;
    ys: list elt;
    ghost b: buf elt; (* the model is the default implementation *)
  } invariant {
    b.h = ch /\
    xs_len = length xs < ch /\
    forall len. 0 <= len <= ch -> take len (xs ++ ys) = take len b.xs
  } by {
    ch = 1; xs = Nil; xs_len = 0; ys = Nil; b = empty 1
  }

  (* garbage collection *)
  use queue.Queue as Q
    (* note: when translating Why3 to OCaml, this module is mapped
       to OCaml's Queue module, where push and pop are O(1) *)

  val to_delete: Q.t (list elt)

  let de_allocate (l: list elt)
  = match l with Nil -> () | Cons _ xs -> Q.push xs to_delete end

  let process_queue ()
  = try
      if not (Q.is_empty to_delete) then de_allocate (Q.pop to_delete);
      if not (Q.is_empty to_delete) then de_allocate (Q.pop to_delete)
    with Q.Empty -> absurd end

  (* no difference wrt Caterpillar *)
  let rt_empty (h: int) : rt
    requires { 0 < h }
    ensures  { result.b = empty h }
  = { ch = h; xs = Nil; xs_len = 0; ys = Nil;
      b = empty h }

  (* no difference wrt Caterpillar *)
  let rt_get (c: rt) : list elt
    ensures { result = get c.b }
  = take c.ch (c.xs ++ c.ys)

  (* this is where we introduce explicit garbage collection
     1. process_queue is called first (as in the C++ code)
     2. when ys is discarded, it is added to the queue (which
        seems to be missing in the C++ code) *)
  let rt_add (x: elt) (c: rt) : rt
    ensures { result.b = add x c.b }
  = process_queue ();
    if c.xs_len = c.ch - 1 then begin
      Q.push c.ys to_delete;
      { c with xs = Nil; xs_len = 0; ys = Cons x c.xs;
        b = add x c.b }
    end else
      { c with xs = Cons x c.xs; xs_len = 1 + c.xs_len;
        b = add x c.b }

end
why3-1.6.0/examples/verifythis_2017_tree_buffer/000077500000000000000000000000001440160026300214375ustar00rootroot00000000000000why3-1.6.0/examples/verifythis_2017_tree_buffer/why3session.xml000066400000000000000000000152261440160026300244650ustar00rootroot00000000000000











 
 
  
  
  
  
  
  
  
  
  
  
   
   
   
   
   
   
   
   
   
  
  
 
 


 
 
 
 
 
 
 
 
  
  
   
   
   
   
   
   
   
   
   
   
   
   
  
  
  
  
   
   
   
   
   
   
   
   
   
   
   
    
    
     
     
     
    
    
   
   
  
  
  
  
  
 
 
 
 
 


 
 
 
 
 
 
 
 
 
 
 
 
 
 
  
  
   
   
   
   
   
   
   
   
   
   
   
   
   
  
  
  
  
  
  
  
  
  
  
  
 
 



why3-1.6.0/examples/verifythis_2017_tree_buffer/why3shapes.gz000066400000000000000000000043771440160026300241120ustar00rootroot00000000000000Xˎc+Ll YW	 "t¬5-ٱ>Ou<3c=A$SUŢUxW.<
?x0`OO%y?}[ơ{}>އ(-_^$:O%=p)&hgA=	_swO%f«p
(AF`Ηmm@SO6kƿy[oX{Rߋg64?*)f@n$1=njT?‹{^i|u_YQsI>f
ct[С|C)\
%6{ڟiqWe+t` JSԥo/*PSݏ#5-Xe["Yi}A0	oAqԭ["Mn%ҌDt"G64C.P
_]_'֠Ѵ\"Vz0ASk$Bm\Z2S84LM~8nPAnk#p_fOQ
H4o((u1~uËAA)|dA~㛏3y;c{K$2!i3cmLN$Ф]+YGC'[4

-x=S\mYizvno1[s<]n>fJc;7#5Ղf삫Ot	Ado$~Voq{O[g
)%>|JkX75*ƀTjuMͥM'S:w7;<ϝs7rϽ>͑Zζm9Xmμt|?&/xD$NDbu"/ljlFQO6K)8i߼r=v/	;HOM`%|Pyzmz722x&oS1L#c|mGH)\ZI
]RA1}y8DĨf/.9:w5$HNʪPRuf|
V{}vћj4T
*MuHNH b,'P6%2AIf 3&[J@,
}lU&bRQAI)+KIF쥺rWqJʐk%DŽw$:VV)@#V\rPhH5ɨBMl41	2!WŰg	Y]k5*ɕbH)jrIVkU-qLũVyK&)N8{F&K&k*JUCbeQ㴻MPT"qbUȕ2.(	6)`*;G9&lu56{|Хw]:I"(^I:XQVΔGVa$4Kv+H)&Ag/AG6Mv4)5wJxIhN(BR~%jOHHo]`WUN2אw﨓(HYD*Hye,zn^mU)+l:b0l{vǢbpuJa
|M@2S3(spY'
18y>]S$),︟Ys5o[`U-D;ȔdN!v+y@ZW)F>,UEU0pdV.XXdoH:$XhT.T.
Q&F2VKBqI@}$CW'3)%{:MkU+CYnL%emұ FbEXm{sIX"why3-1.6.0/examples/verifythis_2018_array_based_queuing_lock_1.mlw000066400000000000000000000150771440160026300251440ustar00rootroot00000000000000(**

{1 VerifyThis @ ETAPS 2018 competition
   Challenge 3: Array-Based Queuing Lock}

Author: Martin Clochard (LRI, Université Paris Sud)
*)

use int.Int
use int.ComputerDivision
use import seq.Seq as S
use array.Array
use ref.Ref

val constant k : int ensures { result > 0 }
val constant n : int ensures { result > 0 }

(* Model of bounded arithmetic.
   Note: bincrement only model the incrementation behind fetch_and_add,
   not the atomic operation itself. *)
type bounded_int = private { ghost bmodel : int }
invariant { 0 <= bmodel < k * n } by { bmodel = 0 }
val constant bzero : bounded_int
  ensures { result.bmodel = 0 }
val bincrement (b:bounded_int) : bounded_int
  ensures { let v = b.bmodel + 1 in
    result.bmodel = if v = k * n then 0 else v }
val bmodn (b:bounded_int) : int
  ensures { result = mod b.bmodel n }

(* Minor ghost wrapping of the model to get rid of k from the model,
   while keeping the same operational meaning. *)
type bounded_int2 = {
  value : bounded_int;
  ghost model : int;
} invariant { 0 <= model < n }
invariant { model = mod value.bmodel n }
by { value = bzero; model = 0 }
type ticket = { tvalue : int } invariant { 0 <= tvalue < n }

let zero () : bounded_int2
  ensures { result.model = 0 }
= { value = bzero; model = 0 }
let increment (b:bounded_int2) : bounded_int2
  ensures { let v = b.model + 1 in
    result.model = if v = n then 0 else v }
= let ghost v0 = b.model in
  let ghost v1 = if v0+1 = n then 0 else v0 + 1 in
  let ghost v2 = b.value.bmodel in
  assert { mod (v2+1) n = v1 by exists q.
    v2 = n * q + v0 so q >= 0 so v2 + 1 = n * q + (v0+1)
    so if v0+1 < n then v0+1 = mod (v2+1) n else
      v2+1 = n * (q+1) + 0 so 0 = mod (v2+1) n };
  { value = bincrement b.value; model = v1 }
let modn (b:bounded_int2) : ticket
  ensures { result.tvalue = b.model }
= { tvalue = bmodn b.value }
let tinc (t:ticket) : ticket
  ensures { let v = t.tvalue + 1 in result.tvalue = if v = n then 0 else v }
= { tvalue = mod (t.tvalue + 1) n }

(* Break down the thread state between each operation that affect or
   read the global state *)
type thread_state =
  | AcqFetched ticket (* Corresponds to control point right after the fetch. *)
  | Granted ticket (* Corresponds to observation that pass was true.
    If it was false, there may be intermediate steps, but they do not
    rely on global state --> state equivalent to lock granted. *)
  | RelSet ticket (* Corresponds to the pass = false operation. *)
  | Released ticket (* Corresponds to a released state.
    for technical reasons, we keep the last ticket used here
    (which is defaulted to the thread id at the beginning *)

function ticket (s:thread_state) : int = match s with
  | AcqFetched t | Granted t | RelSet t | Released t -> t.tvalue
  end

predicate released (s:thread_state) = match s with
  | Released _ -> true | _ -> false
  end

(* For verification of task 2: log of request/acquire events
   identified by thread id. *)
type event =
  | Request int
  | Acquire int

type hidden = private mutable {}
val hidden : hidden

(* scheduler. *)
val schedule () : int
  writes { hidden }
  ensures { 0 <= result < n }

(* if a thread is in a granted or released state,
   check whether it begins an acquire or release. Otherwise,
   the state stays the same. *)
val acqrel (id: int) : bool
  writes { hidden }

(* Model execution of concurrent program. *)
let main () : unit
  diverges
= (* Model of the pass buffer. The begin-end block with post-condition
     hide the fact that the array was technically initialized. *)
  let pass = begin ensures { result.length = n } make n false end in
  (* Model of the next variable. *)
  let next = ref (zero ()) in
  (* Thread state. *)
  let state = make n (Released { tvalue = 0 }) in
  (* Additional reciprocal map for the cyclically allocated tickets. *)
  let tmap = make n 0 in
  for i = 0 to n - 1 do
    invariant { forall j. 0 <= j < i -> match state[j] with
      | Released t -> t.tvalue = j
      | _ -> false end }
    invariant { forall j. 0 <= j < i -> tmap[j] = j }
    state[i] <- Released { tvalue = i };
    tmap[i] <- i
  done;
  (* Extra variable for verification: index of the currently held ticket. *)
  let current = ref (modn (zero ())) in
  (* Event log (for second task). *)
  (* let log = ref empty in *)
  (* Initialisation, done before the threads are executed. *)
  for i = 1 to n - 1 do
    invariant { forall j. 1 <= j < i -> not pass[j] }
    pass[i] <- false;
  done;
  pass[0] <- true;
  while true do
    invariant { forall i. 0 <= i < n /\ pass[i] -> i = !current.tvalue }
    invariant { forall i. 0 <= i < n -> match state[i] with
      | Granted t -> t.tvalue = !current.tvalue /\ pass[t.tvalue]
      | RelSet t -> t.tvalue = !current.tvalue /\ not pass[t.tvalue]
      | _ -> true
      end
    }
    invariant { forall i. 0 <= i < n -> 0 <= tmap[i] < n }
    invariant { forall i. 0 <= i < n -> ticket state[tmap[i]] = i }
    invariant { forall i. 0 <= i < n -> tmap[ticket state[i]] = i }
    invariant { !next.model < !current.tvalue ->
      (forall i. 0 <= i < !next.model \/ !current.tvalue <= i < n ->
        not released state[tmap[i]])
      /\ (forall i. !next.model <= i < !current.tvalue ->
        released state[tmap[i]]) }
    invariant { !next.model > !current.tvalue ->
      (forall i. !current.tvalue <= i < !next.model ->
        not released state[tmap[i]])
      /\ (forall i. 0 <= i < !current.tvalue \/ !next.model <= i < n ->
        released state[tmap[i]]) }
    invariant { !next.model = !current.tvalue ->
      forall i j. 0 <= i < j < n ->
        released state[tmap[i]] <-> released state[tmap[j]] }
    (* Invariant corresponding to Task 1, slightly strengthened. *)
    invariant { forall i j. 0 <= i < j < n ->
      match state[i], state[j] with
      | (Granted _ | RelSet _), (Granted _ | RelSet _) -> false
      | _ -> true end
    }
    let id = schedule () in
    match state[id] with
    | AcqFetched ticket ->
      if pass[ticket.tvalue] then state[id] <- Granted ticket
    | Granted ticket -> if acqrel id then begin
        state[id] <- RelSet ticket;
        pass[ticket.tvalue] <- false;
      end
    | RelSet ticket ->
        state[id] <- Released ticket;
        pass[(tinc ticket).tvalue] <- true;
        current := tinc !current;
    | Released told -> if acqrel id then begin
        let ticket = modn !next in
        let id2 = tmap[ticket.tvalue] in
        match state[id2] with
        | Released _ -> state[id2] <- Released told;
          tmap[ticket.tvalue] <- id;
          tmap[told.tvalue] <- id2
        | _ -> absurd
        end;
        state[id] <- AcqFetched ticket;
        next := increment !next
      end
    end
  done

why3-1.6.0/examples/verifythis_2018_array_based_queuing_lock_1/000077500000000000000000000000001440160026300244115ustar00rootroot00000000000000why3-1.6.0/examples/verifythis_2018_array_based_queuing_lock_1/why3session.xml000066400000000000000000000550731440160026300274430ustar00rootroot00000000000000











 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
  
  
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
  
  
  
  
  
  
  
  
  
  
  
 
 
 
 
 
 
 
 
 
 
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
   
   
   
   
   
   
  
  
  
  
  
  
  
   
   
   
   
   
   
   
   
   
   
   
   
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
   
   
   
   
   
   
   
   
   
   
   
   
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
 
 



why3-1.6.0/examples/verifythis_2018_array_based_queuing_lock_1/why3shapes.gz000066400000000000000000000357671440160026300270730ustar00rootroot00000000000000[9SԛFBcd	ZڨW#azJ3jO?ނyt$Us2IFFߦ_9}v}~м뻇珟rl?wt{|Є8N~__۷ݏہ6jDӧww۵]
[߶]?f2w	ܹ#޿Xg~`ۯ؟}0e=yShwm+N<ׯ^x#[zfkڛ-Qy|hŃ{7m;=hB>?>_~Ǵ{-D߭M~x>M3Yڃlw^~kh;ߍB'Ƿ_uC
7UBۏ<̃}xW'$%0>rVy$~O5YںȝҚ/7Q_bxHWdEY^n0[@X\"
c4>cmx^v݃>_+&.xct^E2N7to>[ ^'Fv%z+ʝI}{X_??y}сEhҩ^\:kr4qM?= ˤw~Z]/S4ǺMvQ1ߵúOڏt)\Jo2,T~[.1(1X:~<<;~͆5qp?__˸OmtcΗ.m&N.䂷Hu$/OR|x4I񧞤ܬg--h>A^`$>s頻`mi'#K	Y߉d,ggf<=كofԳGfݶuԻ*qx)|QTH]%U
4bjVa5j7a'֟D:	pezYEuIwv&+כ߭"@saOtІW4]K/N|Lύvxl1wDT
3bR^T
p.N:RXsYQDj.PFjdU"-r
9;Kg,L>ge`2py*eAl%A8	Zd*h0ˉ''VNmEV|pNl>8SV}OR\$6כc
)2u{3Vzcބ"O7MoFz#՛.pN7lSٳQ\P\-.(x }]ބ󫆩T(5XWjfl]6{1NaDSj*8~"
/f־Ia1&27d>cL19eǘc"r'wގa.ܱNuR\Dn.n|fAK]l.AۧEte7*E	u,uQ,Mvx]T.He]ܒDd%:
?^.v"ڲ]z&J2C/: MfLEV806)38ct2Xqa_e.侄pK?Bd«Rpe4{
.L
49C~O(?R
Zylj\A%ttgѼ_HѲj
uEOѲұѐE'Rxمef-@h	Ob2Ea?M"h^Vej'}t"±uoRUhi+BzUΨn(ޜ9#hsf7i>O4)`7gDnΈL,`A&c,JsdjHpœ'Y3nHOI()sF|*sFsFf|fsnI}FyGO3UfpȌWفXSUYU#P^&:ɰo;w;ԥ<%E
npr<:yHv$)+*z6UN{GmStFw]w&dSȰفd6rlF鐡#	_Yd$}/aI}E՜G.d8qGO_Ȑyd(a18%mO;2dpKd
J@FUOim_(K #d6@Ee_
6Y	4nyN`b?	|qBNqB16-_ӜH?E~9s)j8!Ħ;5NH	A
N+8ſ$'@o`(8aSNxNsBa^.ͪ:X8мa],

8\I3 Det,,F"f6ǭIIFDsv+eM++]jWfSa݄DY{{Jق0)<Z LղN?ѤQaV']LY8wg0)EX"X1B
u9tjE$Qrvn$"RԊhuEf]Xet}݂ChW
+]+(U~EbEyMW	+"VD:]iY >UnLEjicX]bX%auCX@OB5G-|h
&Rsoo#e"#!Up35`^Mk`tex"546X^p0NZ┿2KHDhcHՍ>GEޝyN	JGLHO}#*ShO0w~LFJ1uz]7hsjM5T+P|
'U>ФE
q*j(QZ4GEDEE7T8V϶Ϗ>Gh	T4.=BN|!N@3XMTL\nf̾.Տ*t
:r|oɢe
y*Rs i ={W,IJ ~K@IJtzR 9T V'") VAFվG(J.QyrI]NAE=xJ){}DH.ٵǷ=~r4,!j)1ĵ6aIMH`IS`\%:х[oJƭKT.J
_tߒc)
b?&K!lG,
FAJ),4籴dɾk[(9˖Vfb˦5X	J!+{ʟ[wS *…p!2r
Xp)"Hq2	is
.&?`r,E)x}Ww\l}	RAUV\N&"=K4],Nuyߕ0k:[$œ'Z^ۛ30g挲dAJ8}#N*G>a\IkœI=j!q@ۼQՂ,Oyd%d>-nhim-gTqG4Ckt9T
FR)TH>&+O~4PQs'Pq!oy PQ@
FK& v@F+jVVM$4gűXq!Sdp |2$d)_}IgLlbIXYYץќ^c">)}Vl9++XQ#@Ɋ"eEpW>ծo y,6Q&O,_PITt{Lk7>n
$|+=r0,!jZ[ZנDg`g~{o~r(2)(]Λދ|kybϓ6oto>LRa"	,|9[O+3|*a`d)L/G}ʚѹ5,rX,kO_9X[Oj%xsTxsTxCiP>Ӽ)*o^]͛/sRbNAxl^(Sls0"$E<)R8)I[\OW!*1`\>|TKwKϭ#_;0^^_L"*G\Cls8켋Y9no=ɝ~Gz5g'H-*ӜwwXf,뉇 ߕ@j46Rsoo}E,rzP+*Z_YJ9_"^ED dxq;cB/X>5uzJ^ОT{k]J((QQ+sMP*xTt7A9TU77AI}&*(5_L Bܯ7D_k23ޣ=1y+vM:_CB{-Iӯ"Wn(3΃
7gY25oQklXYx:9jհt\f'Ua)wJ*aHu]WI\/S:%
8tڏT=?bB-/8'@w		ܽ΍v	Y>
ʖdB_Ζ7erkJtARt&ٍ-dr:dg.:ᗰ(uI
PK}u~>TMCNbP	Tĩߞهrš'T"X'a``՚[3[|bہ56|i_*vȍh2w:yQu“NU
*=z2=H|)҃0tN'~yE:.{yD`'*$"'M3,+E V9t{QyGơۋʿo9A"m>9.:L*4_?b1T\Rr}k5-WT||HvP=+pqaCZYhyJ\J4PNiců(/le^sMW ~R^

:^ŭ&*VPh*H~Sx~Ưh?#Q&hJ'	zWXwɢª<
-~+_C|BV4'µѡJqgb_9*O'ˊF4٪496@(hR+P$}j5+=/l
Ѥ
irPUl>2r`[ ܈p# WڃPU0+?izPy5p#T`Bu<	9E#""-oVr2.?j?9ze]&Tt'Ϛ9DC"3;*]əWo:"mĊarjUZ)"صݗkK!_wǛk09މoFQFa:&ɩ:InC$w6S0Y2װ+]@p}`Mo_J\64 p
=HKƀnp|q*R#HM#tTfU*q0
*/*pA8v
e\UK)ӼGuEZˤE4A1qq\m~fP!>=.IP?p8^vcb6 ާ}
Pہ]ȝ/L7]PCNEnVF(AS?q,~4*ɼ\b !ಌ(y>+%Yw4eF#sL.$Y[v5jiZ~b
,YJ8\Z}AE#ҩT	k:jVy9-ŋFA$aKDUV:FY6Z.]+UirqYfM{HA#]+FACo
iЈZ&(FD5SLs0D5Fip
Ws *.`TSetU;˩ídN JӨJb_f`I%vGO,t]j`%@BhJ#w9x	WJүIsbu9Qi6!+--V䦮$BQ_pikƠq0`2
pqjn`eKe,Qwq;R`|&6i`˶10.Npu{5y eg/jۗ&ʡԍ./G}:5rbFe2mUb^暧OڛBrūwхLjdB+^l?t1ū`C܄QR{PD;uFZ}.5ukraru
%"Beԡ䆩ST֯ɳ~6qZ*zîY"_Yt֯dYroGMNwap=XqgSW'g8foq*˓L#SRLC|օC7T\4z/qPҜZ_cűO#c$y(tɊ;MIgYfOXqcU86y|:15>kTh"r+.ǧN½Wfm
JIՓ"zlHe;+Bi(9ˊ%Ԩ+n
8U茏s?Vg,FgbtE'K7k;(YA&YRVPJXk(r0L%=x}(tɊaBبӬXƊSk7R`-b>n[=S>Mm';
b>ͭ4vL2($_@P)J9~_S80#7J}MlbBR161s?Y)GB	"fJZGtYiA4Er*+DGg)*ɊTR)jrT*İRW3N%"a#F6؍t.a#{($A
J0gK]#0*#&$z;Z,# L+aN&^OnCF[dƊ_#-H&6U}3Kql'	Fe	T!F0)pq)_¢%KgNg
66-mK4]+l=T\!NN"9qila+lBޢŻ6s %1&`Ԧ*r>6-l{¦Mc6viچ0j9v>N,
Ν9,K\Iˁ=v;G5V*=Aun{n{Mwx4ußo?<~vyxݑE3EDej_P婒2/9-/ɰl}$KNKZƯ\Qr:}/g[#F]rz'XmC%wUXyjY[|C0?շґ+1bbo
_젌d~1ܫe.N[(
<KfYk}@g0XK2`ɽq*TI{$Sqk6d$UW&*vEiRHG:<4Ə+LwEB[
~TTGMW~TՒ8(
{PPc$ʏI%Rd;]Bln
n%n~	WaP{0Y>4XL'AA8mbc}"$zE׽&IaWV 
3FYP";ۛDE|RQs^k~Ee7_%H+2l.!MU7U76ߕ-2Q/-iIQq5T-I p[s8T{e[,C
:8	]uAǭ&tEmB=0x=0*(5@]j~uQQ@P+|=0*>V=LYy]WT-'u4GűPQl2\T8T[eZ,C:HHw_$AyLYu90;ieEIoNmm/*:RTۚ!R9EJ.CT=4'T
VJv|9VNQIER)#Oa5P"rSi:W,
ޓG˖R#< b "IV-qM+$ؔ[]u_e+E%NJklJ~U*9pԩ;VSH!}TQ>K:>=ג
PGWhsq>
<1bOa5PK'G	H*}:ûlzȏ'|5Z;զMkpJ3YZ;Is
4=Y"lC"5jlDR5:xҖtk\T,`g	,SeL%7PUܛh6y$.~݈iR|%1JjٯJNt"=U4i$m5
fjQ|Y@t-U _^a8`?MoQMC%QMN43$Rinlѽb";Y8CvD'U;5kx¸aT1ʂIAzVin88c`%~FOtSØN)w/z^Q
]Z8Hg
/z~f<1lj0YL\Eo4}/WھҦ,t:˼iF3MϺF(tYr/σH9e2*;43%t/E/ЇFtE˹v@*ŁiٲI6V@|;&^8En(Z/aj\E!S?+cMF^͂kV)xLLʆAC(FfMAVNL3U=MרQm#mBtGhrQ$ln;6	,qV1^NU hΒxi8O6L=73k1
Ϙe%#016ivɘ^Amz?yMu%8=-	Ѡ/tP=[9VyVZ{*6
r 3B0כN`|jl Y4{mѿ^x5@5a1'h)P.$UsB51I0볆wգugCpuNXl:a1mX:5L=F`lAihlFQVX
`P8+3Jg+Dfc3*y@
.21gyQ47Puv\Vo%~jppqA`3cILӶX	_Xj)q\Y.3.m`Q`ńVTZն-d%Lq161Bӊbp750`º:';V/]pA9ia	cbU
@!C&0%"4]mkWz01aЄqi$+ieV!-RSDf9nc0703h*K]?-рu`^9.㸜V7

1a$LzZ~vLhY+;Q.bC
NJAW_B״3KI}7̶vǬ꤆(YN+=H@ `ھo%͗
)$ƹqa|,3}XLsVH@/N0`4^HI>A'aPbQմd,oƹ1Н|tLGi!ApfWbЋiBJ0Wî0Oo=`qq=1/P:Ԙ&7Y`kk#˵L7fjf lt s[i] s[j]

predicate consecutive (l: seq tick) =
  forall i. 0 < i < length l -> l[i].v = l[i-1].v + 1
(*
| Consecutive_Nil : consecutive Nil
  | Consecutive_One : forall t. consecutive (Cons t Nil)
  | Consecutive_Two : forall t1 t2 l.
                      t2.v = t1.v + 1 -> consecutive (Cons t2 l)
                                      -> consecutive (Cons t1 (Cons t2 l))
*)

function last (l: seq tick) : option tick =
  if length l = 0 then None else Some l[length l - 1]
(*
= match l with
  | Nil -> None
  | Cons x Nil -> Some x
  | Cons _ l -> last l
  end
*)

let lemma last_push (l: seq tick) (x:tick)
  ensures { last (l ++ (cons x empty)) = Some x }
= ()

let lemma consecutive_last_push (l: seq tick) (x:tick)
  requires { consecutive l }
  requires { match last l with
             | None -> true
             | Some y -> x.v = y.v + 1 end }
  ensures  { consecutive (l ++ (cons x empty)) }
= ()

function hd (l: seq tick) : option tick =
  if length l = 0 then None else Some l[0]

lemma hd_push:
  forall l,x:tick. hd l = None \/ hd (l ++ (cons x empty)) = hd l

let rec lemma consecutive_implies_sorted (l: seq tick) (i j: int)
  requires { consecutive l }
  requires { 0 <= i < j < length l }
  ensures  { lt l[i] l[j] }
  variant  { j - i }
= if i+1 < j then consecutive_implies_sorted l (i+1) j

(*
  we associate a program counter to each thread

  I: idle
  function acquire
    A1: var my_ticket = fetch_and_add (next,1)
    A2: while not pass[my_ticket] do () done;
    A3: return my_ticket

  W: working (with lock)
  function release(my_ticket)
    R1: pass[my_ticket] = false
    R2: pass[my_ticket+1 mod N] = true
*)

type pc = A1 | A2 | A3 | R1 | R2 | I | W

predicate has_ticket (pc:pc) =
  match pc with
    | A1 | I -> false
    | _ -> true
  end

predicate has_lock (pc:pc) =
  match pc with
    | A3 | W | R1 | R2 -> true
    | _ -> false
  end

type nondet_source
type rng = abstract { mutable source : nondet_source }
val random : rng

val scheduler () : int
  ensures { 0 <= result < n }
  writes  { random }

use array.NumOfEq
use queue.Queue
use array.Array

let lemma numof_equiv (a1 a2: array 'a) (v:'a) (l u: int)
  requires { forall i. l <= i < u -> a1[i]=v <-> a2[i]=v }
  ensures  { numof a1 v l u = numof a2 v l u }
= ()

let lemma numof_add (a: array 'a) (v:'a) (l u: int) (i:int)
  requires { l <= i < u }
  requires { a[i] <> v }
  ensures  { numof a[i <- v] v l u = numof a v l u + 1 }
= assert { numof a[i<-v] v l i = numof a v l i };
  assert { numof a[i<-v] v i (i+1) = 1 + numof a v i (i+1) };
  assert { numof a[i<-v] v (i+1) u = numof a v (i+1) u }

lemma mod_diff:
  forall a b c:int. c > 0 -> mod a c = mod b c -> mod (a-b) c = 0
         by a = c * (div a c) + mod a c
         so b = c * (div b c) + mod b c
         so a - b = c * (div a c - div b c) + 0
         so mod (a-b) c = mod 0 c = 0

let main () : unit
  diverges
=
  let pass = Array.make (k*n) false in
  pass[0] <- true;
  let next = ref { v = 0; b = 0 } in
  let pcs = Array.make n I in
  let memo : array (option tick) = Array.make n None in
      (* value of my_ticket if set *)
  let owners : array (option int) = Array.make (k*n) None in
      (* who owns which ticket *)
  let ghost lock_holder : ref int = ref (-1) in
  let ghost waiting_list = Queue.create () in
  let ghost active_tick = ref None in
  while true do
    invariant { [@expl:safety]
                forall th. 0 <= th < n -> th <> !lock_holder ->
                not has_lock (pcs[th]) }
    invariant { -1 <= !lock_holder < n }
    invariant { forall b. 0 <= b < k*n ->
                       match owners[b] with
                          | None -> true
                          | Some th -> 0 <= th < n
                                       /\ match memo[th] with
                                          | None -> false
                                          | Some tick -> tick.b = b end
                       end }
    invariant { forall tick. pass[tick.b] ->
                  match owners[tick.b] with
                    | None -> !lock_holder = -1
                    | Some th ->  !lock_holder = -1 \/ !lock_holder = th end }
    invariant { 0 <= !lock_holder < n ->
                match pcs[!lock_holder] with
                | A3 | W | R1 ->
                  match memo[!lock_holder] with
                    | None -> false
                    | Some tick -> pass[tick.b] end
                | R2 -> forall b. 0 <= b < k * n -> not pass[b]
                | _ -> false end }
    invariant { forall b1 b2. 0 <= b1 < k*n -> 0 <= b2 < k*n ->
                       pass[b1] = true /\ pass[b2] = true ->
                       b1 = b2 }
    invariant { 0 <= !lock_holder < n ->
                  has_lock (pcs[!lock_holder]) /\
                  match memo[!lock_holder] with
                    | None -> false
                    | Some tick -> !active_tick = Some tick end }
    invariant { forall th. 0 <= th < n ->
                       match memo[th] with
                         | Some tick -> owners[tick.b] = Some th
                         | None -> true end }
    invariant { forall th. 0 <= th < n ->
                          (memo[th] <> None <->
                          has_ticket (pcs[th])) }
    invariant { forall tick. mem tick waiting_list ->
                       match owners[tick.b] with
                         | None -> false
                         | Some th -> pcs[th] = A2
                                      /\ memo[th] = Some tick end }
    invariant { forall th. 0 <= th < n ->
                       match memo[th] with
                         | Some tick -> mem tick waiting_list
                                        \/ !active_tick = Some tick
                         | None -> true end }
    invariant { forall th. 0 <= th < n -> not has_lock pcs[th] ->
                       match memo[th] with
                         | None -> pcs[th] <> A2
                         | Some tick -> mem tick waiting_list end }
    invariant { consecutive waiting_list } (* also implies unicity *)
    invariant { S.length waiting_list = numof pcs A2 0 n }
    invariant { forall tick. mem tick waiting_list ->
                       !next.v - S.length waiting_list <= tick.v < !next.v }
    invariant { match last waiting_list with
                      | None -> true
                      | Some t -> t.v = !next.v - 1 end}
    invariant { match hd waiting_list with
                      | None -> true
                      | Some t -> t.v = !next.v - S.length waiting_list end }
    invariant { match !active_tick with
                      | None -> !lock_holder = -1
                      | Some tick ->
                          (match hd waiting_list with
                             | None -> !next.v = tick.v + 1
                             | Some t -> t.v = tick.v + 1 end)
                          /\ tick.v = !next.v - S.length waiting_list - 1
                          /\ 0 <= !lock_holder < n
                          /\ memo[!lock_holder] = Some tick end }
    invariant { 0 <= S.length waiting_list <= n }
   (* invariant { length waiting_list = n \/ owners[!next.b] = None } *)
    invariant { [@expl:liveness]
              !lock_holder = - 1 ->
                 (* someone is in the critical section... *)
                 ((if S.length waiting_list = 0
                   then false
                   else let tick = S.get waiting_list 0 in
                        pass[tick.b] = true)
                 (* ...or someone has a ticket to the critical section... *)
              \/ (exists th. 0 <= th < n /\ memo[th] = None
                                         /\ pass[!next.b] = true)
                                         /\ waiting_list = empty)
                 (* ...or someone can take one *) }
    let th = scheduler () in (*choose a thread*)
    (* make it progress by 1 step *)
    label Step in
    match pcs[th] with
      | I ->
          pcs[th] <- A1
      | A1 ->
          let tick = fetch_and_add next in
          assert { is_none owners[tick.b]
                   by S.length waiting_list <= n < 2*n - 1 <= k*n - 1
                   so ((forall tick'. mem tick' waiting_list
                                    -> (tick'.b <> tick.b)
                                    by 0 < tick.v - tick'.v < k*n
                                    so mod (tick.v - tick'.v) (k*n) <> 0
                                    so mod tick.v (k*n) <> mod tick'.v (k*n)))
                   so forall th'. owners[tick.b] = Some th' -> false
                                 by match memo[th'] with
                                   | None -> false
                                   | Some tick' -> false
                                       by tick'.b = tick.b
                                       so not mem tick' waiting_list
                                       so !active_tick = Some tick'
                                       so 0 < tick.v - tick'.v < k*n
                                       so mod (tick.v - tick'.v) (k*n) <> 0
                                       so mod tick.v (k*n) <> mod tick'.v (k*n)
                                       end };
          assert { forall th. 0 <= th < n -> memo[th] <> Some tick };
          owners[tick.b] <- Some th;
          memo[th] <- Some tick;
          pcs[th] <- A2;
          assert { numof pcs A2 0 n = numof pcs A2 0 n at Step + 1 };
          assert { !lock_holder = !lock_holder at Step <> th };
          assert { forall tick'. mem tick' waiting_list ->
                          tick'.b <> tick.b /\ owners[tick'.b] <> Some th };
          assert { forall tick'. mem tick' waiting_list ->
                          match owners[tick'.b] with
                            | None -> false
                            | Some th' ->
                                pcs[th'] = A2
                                /\ memo[th'] = Some tick'
                              by th <> th'
                              so pcs[th'] = pcs[th'] at Step
                              so memo[th'] = memo[th'] at Step end };
          push tick waiting_list;
          assert { consecutive waiting_list
                   by waiting_list
                      = waiting_list at Step ++ (cons tick empty) };
          assert { match !active_tick with
                      | None -> !lock_holder = -1
                      | Some tick' ->
                          (match hd waiting_list with
                             | None -> false
                             | Some t ->
                               t.v = tick'.v + 1
                               by match hd waiting_list at Step with
                               | None -> t = tick
                                         so
                                         tick.v = !next.v at Step = tick'.v + 1
                               | Some t -> t.v = tick'.v + 1
                                           /\ hd waiting_list = Some t end
                           end)
                   end };
           assert { !lock_holder = -1 ->
                     if S.length waiting_list = 0 then
                       false
                     else
                       let t1 = S.get waiting_list 0 in
                         pass[t1.b]
                         by
                         if S.length (waiting_list at Step) = 0
                         then pass[t1.b]
                                  by (t1 = tick /\
                                  pass[tick.b] by pass[!next.b at Step])
                         else let t = S.get (waiting_list at Step) 0 in pass[t1.b] by t=t1 so pass[t.b]
                  };
           assert { match hd waiting_list with
                    | None -> true
                    | Some t ->
                        if t = tick
                        then t.v = !next.v - S.length waiting_list
                             by waiting_list at Step = empty
                             so S.length waiting_list = 1
                        else t.v = !next.v - S.length waiting_list
                             by hd waiting_list at Step = Some t
                             so t.v = !next.v - S.length waiting_list at Step
                    end };
      | A2 ->
          match memo[th] with
          | None -> absurd
          | Some tick ->
             if pass[tick.b]
             then begin
               active_tick := Some tick;
               assert { !lock_holder = - 1 };
               lock_holder := th;
               pcs[th] <- A3; (* progress only with lock *)
               let ghost tick' = safe_pop waiting_list in
               assert { pass[tick'.b] };
               assert { [@expl:fairness] tick=tick'
                        by tick.b = tick'.b
                        so mem tick waiting_list at Step
                        so mem tick' waiting_list at Step };
               assert { not mem tick waiting_list
                        by waiting_list at Step
                           = cons tick waiting_list
                        so consecutive waiting_list at Step
                        so consecutive waiting_list
                        so if S.length waiting_list = 0
                           then not mem tick waiting_list
                           else let x = S.get waiting_list 0 in
                                let l = waiting_list[1 .. ] in
                                not mem tick waiting_list
                                    by tick.v < x.v
                                    so (forall t. mem t l -> lt x t
                                        by forall i. 0 <= i < S.length l ->
                                           t = S.([]) l i ->
                                           (lt x t
                                           by t = S.([]) waiting_list (i+1))) };
              assert { forall tick1 tick2. mem tick1 waiting_list at Step
                                        -> mem tick2 waiting_list at Step
                                        -> tick1.v < tick2.v
                                        -> tick1.b <> tick2.b
                       by S.length waiting_list at Step <= n < 2*n - 1 <= k*n - 1
                       so 0 < tick2.v - tick1.v < k*n
                       so mod (tick2.v - tick1.v) (k*n) <> 0
                       so mod tick1.v (k*n) <> mod tick2.v (k*n) };
              assert { forall t. mem t waiting_list ->
                          match owners[t.b] with
                            | None -> false
                            | Some n ->
                                (pcs[n] = A2
                                /\ memo[n] = Some t)
                              by t <> tick
                              so t.b <> tick.b
                              so th <> n
                              so pcs[n] = pcs[n] at Step
                              so memo[n] = memo[n] at Step end };
              assert { numof pcs A2 0 n at Step = numof pcs A2 0 n + 1
                       by numof pcs A2 0 n at Step
                          = numof pcs[th <- A2] A2 0 n };
              assert { forall t. mem t waiting_list ->
                       !next.v - S.length waiting_list <= t.v
                       by mem t waiting_list at Step
                       so t <> tick
                       so waiting_list at Step
                          = cons tick waiting_list
                       so !next.v - S.length waiting_list at Step = tick.v
                       so !next.v - S.length waiting_list at Step < t.v };
              assert { if S.length waiting_list = 0
                       then true
                       else let t = S.get waiting_list 0 in
                            let l = waiting_list[1 .. ] in
                         hd waiting_list = Some t
                         /\ t.v = !next.v - S.length waiting_list
                         by waiting_list at Step
                            = cons tick (cons t l)
                         so consecutive waiting_list at Step
                         so t.v = tick.v + 1 };
               end
          end
      | A3 -> pcs[th] <- W
      | W -> pcs[th] <- R1 (* move to release *)
      | R1 ->
          match memo[th] with
            | None -> absurd
            | Some tick ->
                assert { forall b'. 0 <= b' < k*n -> pass[b'] -> b' = tick.b };
                pass[tick.b] <- false;
                pcs[th] <- R2
          end
      | R2 ->
          match memo[th] with
            | None -> absurd
            | Some tick ->
                let nt = mod (tick.b + 1) (k*n) in
                assert { forall b. 0 <= b < k*n -> not pass[b]
                         by !active_tick = Some tick };
                lock_holder := -1;
                pass[nt] <- true;
                assert { forall b. 0 <= b < k*n -> pass[b] -> b = nt };
                memo[th] <- None;
                assert { owners[tick.b] = Some th };
                owners[tick.b] <- None;
                active_tick := None;
                pcs[th] <- I;
                assert { nt = mod (tick.v + 1) (k*n)
                         by let d = div tick.v (k*n) in
                            tick.v = (k*n) * d + tick.b
                         so mod (tick.v + 1) (k*n)
                            = mod ((k*n) * d + (tick.b + 1)) (k*n)
                            = mod (tick.b + 1) (k*n) = nt };
                assert { if S.length waiting_list = 0
                         then pass[!next.b] = true
                                  by !next.v = tick.v + 1
                                  so !next.b = nt
                                  /\
                                  exists th. memo[th] = None
                         else let x = S.get waiting_list 0 in
                              pass[x.b]
                                       by x.v = tick.v + 1
                                       so x.b = nt
                        };
                assert { forall th'. 0 <= th' < n ->
                         th <> th' ->
                         match memo[th'] with
                           | None -> true
                           | Some tick1 -> mem tick1 waiting_list
                             by waiting_list = waiting_list at Step
                             so (mem tick1 waiting_list at Step
                                \/ !active_tick at Step = Some tick1)
                             so tick <> tick1
                             so !active_tick at Step <> Some tick1
                         end };
          end
      end
  done



end
why3-1.6.0/examples/verifythis_2018_array_based_queuing_lock_2/000077500000000000000000000000001440160026300244125ustar00rootroot00000000000000why3-1.6.0/examples/verifythis_2018_array_based_queuing_lock_2/why3session.xml000066400000000000000000001700751440160026300274440ustar00rootroot00000000000000








 
 
 
 
 
  
  
   
   
    
    
     
     
     
    
    
   
   
   
   
   
   
   
   
   
   
   
   
   
   
  
  
  
  
  
  
  
  
  
  
  
  
  
  
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
  
  
  
  
  
  
  
  
  
  
  
  
 
 
 
 
  
  
  
  
  
  
  
  
  
  
  
  
   
   
   
   
  
  
  
  
  
  
  
  
 
 
 
 
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
   
   
   
   
   
   
   
   
   
   
   
   
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
  
  
  
  
   
   
   
   
   
    
    
     
     
     
     
     
     
    
    
   
   
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
   
   
   
   
   
    
    
    
    
    
    
   
   
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
   
   
   
   
   
   
   
   
   
  
  
  
  
   
   
   
   
   
    
    
    
    
    
    
   
   
  
  
  
  
   
   
   
   
   
   
  
  
  
  
  
  
  
  
  
  
   
   
   
   
   
   
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
   
   
   
   
   
   
   
   
   
   
   
   
  
  
  
  
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
  
  
  
  
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
  
  
  
  
  
  
  
   
   
   
   
   
   
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
  
  
  
  
  
  
  
   
   
    
    
    
    
    
    
   
   
   
   
    
    
    
    
    
    
   
   
   
   
   
   
   
   
  
  
  
  
  
  
  
  
  
  
   
   
   
   
   
    
    
     
     
     
     
     
     
     
     
     
     
     
      
      
      
      
      
       
       
       
       
       
       
      
      
     
     
    
    
    
    
    
   
   
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
   
   
   
   
   
   
  
  
  
  
   
   
   
   
   
   
   
   
   
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
 
 



why3-1.6.0/examples/verifythis_2018_array_based_queuing_lock_2/why3shapes.gz000066400000000000000000000471531440160026300270640ustar00rootroot00000000000000Yo$G.^t4p/@4P	s~|F*iT%M3%#IVI=$Sd_f^>\?OW/2,?7/2n?b5owspQ?؛^^}??_K݇[-{X֟^/1jq[1_)1]|_L%e3-]6'?};W9Q`vS%6r\-7mfܛ+AU7?/y$y[.c3}!_hL%~;S;)s˒7}77ܐQ8bsѐ&}G=;}k#䨊-~>ΝGz~rj5I[sdj尞iVuO~}?㟀U[p'c|3.Ͽ~U/VV>o~z_ utzk;ulNX<vwe/ܔr㌿/w%F߼_|9ȫxÓi%K?{^輔:^?{^wwǰ{S_ojײzaA`]}闏lq8}j}o[3='L@KW?nG
7Qvߘc.9-y{%/OYV*,>>:1_j(.[#w'Kj;r'5($Zԙ‡<7'jhh|tMcA^5r_*ؼQyNn:'f:ch 0͝NDQPχS١^hrPCqW}>EUO\vO_BvY(yW4$	iةAO߽=t~}mVƯ>ԏI7>M6|γYc;:su\ǭpɱOӝs5ѯgCw5:S}503=f}3w?O}MNj}daUx/4>3q?xwdA?ӻHH$r$^;E ZP8t#
hu%(9D%[uKp;^7uEIs0;X/)3Ɛ <ùToPN^Or-+&]{z].q}ȾVBAm;=F^w)enO)B+Q,(f)B9R6)݅PG!T鹸AeWfXM=zݵ~xw+7'\ĉa]=VٷKN:27l]ʼ?caa0AĀd#d-:AZ1َqOT=͜{B_{_v2H^`vvF\O3~O۽BpnJXO~Џyu՜-2MvAl30bþ03=2t,u;Y3|Z>c:1Q7P2򀒙nok$mޚ=iƐJ?F_6oE͕~O?ˮݒEe!?O(fE߮H
lY9S6[w"ʥqkʓ;F=yQ6ȯA4%[s<20qv ՇSHưcD]:Pq%hkعG.va){1?|||f?xAbQ/1?Trj{jcWXcicBL泣Yk0ix~]D$dبu׆!-6zeάgNgݷ،;J'-6{L+SbXfo,6ab#q<|1P&ǃ}$Y[#|EF}E?ȢWF3?|3$K_c&YBkƀ7~ɫ=7x4=COծ
*vQ%wuˠm;i|2
,Ǵt98G:WVJWzԋ~\?ͽ3L-I>m@tOus}h7Ӽ9	=v{uw;w[~O}]x֫cm[Vuo{I;,ai웛tSgv	sQ77E`2҈=txd_ڞmy`sާ<\~*z糲/r3v/tsftcFB_?3.Nf>~q$d+87{i~ݦO?XqݓxT>Gk4Ὤ
(|v>n=s$_3w<"#k+י=_zk~ G߹K[~מ{Gt1;::у/;
΍5ɹSS<{ɩ?M>_9s/gƸƚ
xi3X~ޝM =*
G;p`8:
G5g>Y1
n[;לa߬4ccr9.׶gN$,ۃ'?bu)!?pb`FY>}g{{!3tgetffӌCW鞽{8Ks03.1ov͑܎awYhtt䥺Pf3)ޞ0I
x΂8NƇ-	?N@ґ?T⒛-#u(^%J#ٱ;.[Q$%y+PNhвSNqcS/7aOéA'b+N
7?ٟX2nb5:(oIM-˼[1;%wqZQpsXGXՓg'l4j뼇=//}e{ùO_0kPLL1H1ӝ׫C'Hw⍕vU]8_^T=:waac]IR&(pl4}RxR=::fd.1BDaQ4j;J^Ю=JVܤբY`]kwг	ܑ/d\͐xe4VrjEM+rͳ˕Tپ4oج4[d-ĎCfӬN1D=HQyyQi<"@D̂Na6K'p`,l cjS:̓rya`S30@qokk@lfې76$&=q"{~ZE<5rKMnz<^%נ9p?ϵÚHol_ryv=Ǣ>E1{?Ku$H+
ȕ+WhF-8iB:MD{.(9Q#aR-;Qw:,cT]^N}16ypˋ/6ZY
<u!LG2Z!iIܱ$mW$ݷccuD.6_$C'i,(yt0]M+"w;:t~} 7^q&h?yy.pSn^rr|GALKrqLأ$F86zb;ڭrprf\cE:qΏ8VOثNKo	3;,%5g>[‚.%ܑĜ˭ߕ/Эck?9G/QcGڭL{_"Lxc4فpb?*oOST|{^O{ O~"vMw8hKLYmSޣG4ʓh	[\P=x-.uB;Z|ː!)7ZϏP>|u&fx0Tc9OODs01SޯPTa</8]eqpCvC@z$"]ջsO8cGs0qJHx"Q.lYDN$nuJWOf0B:FxjȻ2XqCݛH߃yaƱNKK'xϢmZ;Qi!x
`fGI	M1ȏ%/ƗN2ڝijV
6A*{Z{K=֚Vl#vvcE'wb8DύJo<<&;܆MK3cOdۻRNVnm[8q>y|;7œ{;_FmcCM˫:=s_zPrcNeS&nsdLDf~gW:pܬ/CR9uayݎT<0v=O}Ɠg'UrB5u|Fz`]Ը=yf173SV/al)Eco.79!棬}ޮn~s6{+p
?eD>rn
y>!`4n\o*9Z/Nso.NN'e(:}nuzd93ӗj~JY{gq|:U\luп;Ӕcsc7_'R?-#Wg&0v4oa<<a{ߜa'1wg`"61߱r(teɶv3
s4;V.eW->ՠ]M/?jPvVWY
.͜~utZݨbz<Vt9=sroTy\Qe:\F))[oӕSݮ,VJ8d'trS,y,r%n?yޫ{&gBOslAswB1'<܅}/"b{?PQO^\%ZދJ3?:η|
Yr2qNe_NiIW[ɁeolL̷Cw6?_>x?C܋aB=G&ny7m:=$t}Y9'
ݷSrwd7QN_F{"oNv<ل9]_p{f8찟|gr9oxO4Ó4y
muȟ V%ӵs|yrm6*)b
Z6c?mX`iE#T؟N3ꃏ|sAMw.i`DVf#{4z]cX"atS=^IJ5稄oH}Mm 4-C$գJ?hSZV)6߹}:$꬇>?L\,3n86YUq38v8d^4p|.yoΘs`ϐvF4^g{b)>wArGFJk>
-vGa`>{ҏ&/?>Le<ِlw#;1>pyMK9˿
NcDz;>jĬyf$h&){
NS1V>7s/.54)dV[fx^jUT
!$,7ߜюz
+=Jrm*@E(2M0s&R([NZQK2BPB(9[4ke ?
s.l(xa]-kɝ2BQa$Q	oһҼfP0UQ5^֦cȤrEZ)joHk%#-_+'~RT(A$ŇR]6U^+VѶ =HFE-dD2XMbJUj[	|_P*S,)(늬-ΊZX-o*߽Uv
MB*4ر5Jr.x+f XlAMZ"5Ukrf袖B%|UBLᅤ奭j[
k+`=T@
/:u@U*aJg\@N7J#H)LhМrXRSo$ȠjDRئ\UT岦+uDQVurԥe-Lxpj- zڪn5WـB:awa
_8KNY
[duX,EIX(쭙ө}	Ji5<ӟفY8cb*9Ll$6qZK>T@=eUz9L{o-_8ێPتq.H Q-`dZ֪QŪ
a€1]ce(?4lM	Ef%֦%g16[xT)ƛ9ԐFf0,U-Ƿ$^#VQ1%بF*<,Qo[%:Y-!Fy
\ʠ^/ӝ<WIs%czw7o*OX)+*/+>fάzo6'0{]0'JomA|޵}6'oAW|V{x <
fD>/?6	+:ąqǍX( S"`
JZUie=S>
5n1whYb	DAh%lxa$02ªr"^-E+a4D}5&*R=RL)P}	.FJ҉Vd1\܈Xc4HFoi>@>]0,?(c/?{d*NC{;i9Dr:oq"1X1JsoO1Bm)ek$k.ry\q´J,y
b"WdwWq!$[|+cXv5b^%4^a?%ͨdMC-
cȫ_ܔ|FU)U~Z` rJç7=+UjJj@9"bЯ5zU':ǒ#veLWb"psR_fxSl"O3fBҢ/tcf%Fi8
Ő5Y7ܷ)Tcз)ku [ġلiLs~S6>Wp2f8
Iy:$4Ƨ=W|M48aȁLLRkQjfBdށ~g)S*eٲIxFcpxzv,
{urAbKК#C.eT)(U/NS1X:adE׈}iD(M0KENH0~Dr
"f;&%{AV
[!u4*v lwziȄ,\uU[$y"D6LKLɭ2I
[E
PґA;02楢[J$I:bVoo1$-tKh~EX	NehK[bbD/%
e(v?,,r	#ԜbUr|-F ͂VGR> !]R
6asUC.J>
lo#DP!ӑzZYt/$1:Q9Rpq֋L:+2F>I1I15]kLd, y~@D,5&|s^aRHӝ?рt[D&SR@	҂s
Hb):AˠQ.B?YzraTJtkUTnjkI`*E$t-"©VP9|B¨nFZQr(rkЕTbv	D$%Hv"*[v$JtI4P-FDa)z)8RM3(5]G#{);'*[ƒ8G0:,YjErJ飰h
5F$Y%ͤi#GC$c|0*!c}	N9U$FCQ%BXpvZ:挪%b9˜RӐ(KHU/dey_Ŗ]M@:FZN_8ZUX8Cl>L!fcDI͏hqZ!%.BjYx|Y2#^bVW Hv)d45jR\bq5cSk-`!@4|5\b?,X~Lؿ:dd^JtUCbVc^ W^RFEG	7JTz`RUeY{QoV	2X!(u	Ƶ}@B9{Q>ӈBy09sN(po819xU@~l)%xg!D0|rtĞ^ď{dr#BcW|v'4YDEU2XcjβV1kylʚJTŔ"DZQ9ΡZ\q<,^F۠4Yd[mBƞ°?%NJ:RXg*;`K
zLUϗ);[RK.55٪28B|WD9jB;-.||^sի6I(PCJM$;=y[SRrJi&Y̋	hc+t۝qRKsUJC{6u=?8-
w-1F_vFZ,q(ՄA!]bn"f؂&|rϗLHk9WFi˒Uk,=_l+aRl^,rqq/l扵
0Rh%7/#kJ%DXFFҭ#HqhoA9IFK	BTz-K,7D_\T#%,gu1X+^yB5VA;v-Y\v[C^q1Ȧ79gJc^RLEr5	بp@Vex٭Ot檕69pD͏Eתrez,I?r|UADmſ?eLf.}0R"=R+98mL!J]o8(@VqK"=7 SP. e͕hWLRIvKFR!9<^OS-)B
)G[U$kjʩ#ӳ/Md<,pTDiK3#t9&XMRK1Z*H11"$Vc|4R
BJ:$'3T`||r5TkkShU1ڜTBBIJ-Fc{|EE"NfWzX#[1sD[vŚJ
!/'r-LPڸ*_2M`Ȥk>0  d?8C.W-Ma/PV4_٤ iQdVWcWUn~d,PqAR}=w̭/3EY
W ⽦]1-Cv@g$IG2FaHT\C̭ʰoC3'9 U3ZVA!dEVks/VkO~n=rβ'?lLK18%tߔ3'?w2i1*i,f{/r3<-;gk$)R-Yu|CR)Oqfe-}kBs–
'  EsP
}iGW`L(nrV)c1gS_|V@5
Ě\G'pR0xj흤g<66%",6RȚEe(}'ƸeaG-Fg .3OwoD5`lH`9-4W?y|hE@y+
gľݮN(VJ:*2W?yZSH%uRT]%ˆd'U59L%se!4B<^5FJcALRsB1*,p~;>vZ4Ɛ[BIV*ՁLDj8B;g"'|ѫ|)xs -T49
okLa":oL%?<*sRj
RL
AlN g	ʱBκlHxOtXEE󒊲Z M*G_GKLr3~>PGGH,RVg!}	xJf&'L/y/ڃy)Þ1^3p(6؈#;%b3G&h|T-UlmJa~;I\iXi@Tm*1٘bV?y)0dBP9pբ+I0mX>%l#1YJR^xC25\o;埗F`x
_j+3}Y./'njStAƇQ11%ͯ@I"RB)Aű6ZGb=$TU
(D
"ܠDPnQK-\8elt؊OSx\#xW":(قq.)
,R5 WŠKNx'jU0ʅ]dC#t&Eɺ$?^WBJ+Б%WAe_h9WNXW6h-Dr)׌肎~tR]1׊1xRHlTL6*dƘ%akE?(rR*f2SMe
(3"VcI-VKLh@Fך1@]\<{3TZ(j+P(6Ј"yA4AGQ>ϾMQ96H+H**05Dy"Ό3";sE^%PkSl^!2m0bVW4/::ZZMLss|%QHA&׎ZpN2e\Ydv	Wl/"Ejd,RK73ZG]}3հ_/)|tZ{9yW]} ʘ:JFۜ
"qqp̮^.#Ȓ"ZcK1%H#Q]u1ƃc8aw-fd1#귰8ٓ\TLk]-NQ
b=bY!oȊZXzp>5CJ'=(G#}^x+l+oIEN	{ZM6\HV4Mc'֗9X?.3rB}fIufbhv$LdJTF M]q~&I ].#)OW:.pWSRA5bS'.iDoG]i]BQQXCVW̿hi%_Rc51G/kU`LLDl,$[3VF`!6o9\s8vUԳ9dgwz?*:6why3-1.6.0/examples/verifythis_2018_le_rouge_et_le_noir_1.mlw000066400000000000000000000306421440160026300241160ustar00rootroot00000000000000(**

{1 VerifyThis @ ETAPS 2018 competition
   Challenge 2: Le rouge et le noir}

Author: Raphaël Rieu-Helft (LRI, Université Paris Sud)
*)

module ColoredTiles

use int.Int
use set.Fset
use seq.Seq

type color = Red | Black

type coloring = seq color

predicate tworedneighbors (c: coloring) (i:int)
  = ((c[i-2] = Red /\ c[i-1] = Red /\ 2 <= i)
     \/ (c[i-1] = Red /\ c[i+1] = Red /\ 1 <= i <= length c - 2)
     \/ (c[i+1] = Red /\ c[i+2] = Red /\ i <= length c - 3))

predicate valid (c:coloring) =
  forall i. 0 <= i < length c -> c[i] = Red -> tworedneighbors c i

function black (_n:int) : color = Black
function red (_n:int) : color = Red

function colorings0 : fset coloring = add (create 0 black) Fset.empty
function colorings1 : fset coloring = add (create 1 black) Fset.empty
function colorings2 : fset coloring = add (create 2 black) Fset.empty
function colorings3: fset coloring =
         add (create 3 red) (add (create 3 black) Fset.empty)

lemma valid_contr:
  forall c i. valid c -> 0 <= i < length c -> not (tworedneighbors c i) -> c[i] = Black

lemma colo_0 : forall c: coloring. length c = 0 ->
      (valid c <-> mem c colorings0 by Seq.(==) c (create 0 black))

lemma colo_1 : forall c: coloring. length c = 1 ->
      (valid c <-> mem c colorings1
                   by c[0] = Black
                   so Seq.(==) c (create 1 black))

lemma colo_2 : forall c: coloring. length c = 2 ->
      (valid c <-> mem c colorings2
                   by c[0] = Black = c[1]
                   so Seq.(==) c (create 2 black)
                   so c = create 2 black)

lemma colo_3 : forall c: coloring. length c = 3 ->
      (valid c <-> mem c colorings3
                   by if c[0] = Black
                      then (c[0]=c[1]=c[2]=Black
                            so c == create 3 black
                            so c = create 3 black)
                      else (c[0]=c[1]=c[2]=Red
                            so c == create 3 red
                            so c = create 3 red))

let lemma valid_split_fb (c:coloring) (k: int)
  requires { 3 <= k < length c }
  requires { forall i. 0 <= i < k -> c[i] = Red }
  requires { valid c[k+1 ..] }
  ensures  { valid c }
= let c' = c[k+1 ..] in
  assert { forall i. k+1 <= i < length c -> c[i] = Red ->
             (tworedneighbors c i
              by c'[i - (k+1)] = Red
              so [@case_split] tworedneighbors c' (i - (k+1))) }

let lemma valid_restrict (c: coloring) (k: int)
  requires { valid c }
  requires { 0 <= k < length c }
  requires { c[k] = Black }
  ensures  { valid c[k+1 ..] }
= ()

(*1st black tile starting at i *)
let rec function first_black_tile (c:coloring) : int
  ensures { 0 <= result <= length c }
  ensures { forall j. 0 <= j < result <= length c
            -> c[j] = Red }
  ensures { result < length c -> c[result] = Black }
  ensures { valid c -> result = 0 \/ 3 <= result }
  variant { length c }
= if Seq.length c = 0 then 0
  else match c[0] with
       | Black -> 0
       | Red ->
           assert { valid c -> c[1]=Red /\ c[2] = Red };
           let r = first_black_tile c[1 ..] in
           assert { forall j. 1 <= j < 1+r
                    -> c[j] = Red
                       by c[1 ..][j-1] = Red };
           1+r end

let rec function addleft (nr:int) (c:coloring) : coloring
  variant { nr }
  ensures { nr >= 0 -> Seq.length result = Seq.length c + nr + 1 }
= if nr <= 0 then cons Black c
  else cons Red (addleft (nr-1) c)

(* add nr red tiles and a black tile to the left of each coloring *)
function mapaddleft (s:fset coloring) (nr:int) : fset coloring
=  map (addleft nr) s

lemma addleft_fb:
  forall c nr. 0 <= nr -> first_black_tile (addleft nr c) = nr

lemma mapaddleft_fb:
  forall s c nr. 0 <= nr -> mem c (mapaddleft s nr) -> first_black_tile c = nr

predicate reciprocal (f: 'a -> 'b) (g: 'b -> 'a)
  = forall y. g (f y) = y

let lemma bij_image (u: fset 'a) (f: 'a -> 'b) (g: 'b -> 'a)
  requires { reciprocal f g }
  ensures  { subset u (map g (map f u)) }
= assert { forall x. mem x u -> mem (f x) (map f u)
                     -> mem (g (f x)) (map g (map f u))
                     -> mem x (map g (map f u)) }

let lemma bij_cardinal (u: fset 'a) (f: 'a -> 'b) (g: 'b -> 'a)
  requires { reciprocal f g }
  ensures  { cardinal (map f u) = cardinal u }
= assert { cardinal (map f u) <= cardinal u };
  assert { cardinal (map g (map f u)) <= cardinal (map f u) };
  assert { cardinal u <= cardinal (map g (map f u)) }

function rmleft (nr:int) (c:coloring) : coloring = c[nr+1 ..]

use seq.FreeMonoid

lemma ext: forall c1 c2: coloring. Seq.(==) c1 c2 -> c1 = c2
lemma app_eq: forall c1 c2 c3 c4: coloring. c1 = c2 -> c3 = c4 -> c1 ++ c3 = c2 ++ c4

let rec lemma addleft_result (c:coloring) (nr:int)
  requires { 0 <= nr }
  ensures  { addleft nr c = (Seq.create nr red) ++ (cons Black c) }
  variant  { nr }
= if nr = 0 then assert { addleft nr c = (Seq.create nr red) ++ (cons Black c) }
  else begin
    let cnr = create nr red in
    let cnrm = create (nr - 1) red in
    addleft_result c (nr-1);
    assert { addleft (nr-1) c = cnrm ++ cons Black c };
    assert { cons Red cnrm = cnr
               by Seq.(==) (cons Red cnrm) cnr };
    assert { addleft nr c = cnr ++ cons Black c
             by addleft nr c
                = cons Red (addleft (nr-1) c)
                = cons Red (cnrm ++ cons Black c)
                = (cons Red cnrm) ++ cons Black c
                = cnr ++ cons Black c }
  end

let lemma addleft_bijective (nr:int)
  requires { 0 <= nr }
  ensures  { reciprocal (addleft nr) (rmleft nr) }
= assert { forall c i. 0 <= i < length c -> (rmleft nr (addleft nr c))[i] = c[i] };
  assert { forall c. Seq.(==) (rmleft nr (addleft nr c)) c }

let lemma mapaddleft_card (s: fset coloring) (nr: int)
  requires { 0 <= nr }
  ensures  { cardinal (mapaddleft s nr) = cardinal s }
= addleft_bijective nr;
  bij_cardinal s (addleft nr) (rmleft nr)

let lemma addleft_valid (c:coloring) (nr:int)
  requires { nr = 0 \/ 3 <= nr }
  requires { valid c }
  ensures  { valid (addleft nr c) }
= addleft_result c nr;
  if nr = 0 then assert { valid (addleft 0 c) }
  else valid_split_fb (addleft nr c) nr

let lemma mapaddleft_valid (s: fset coloring) (nr: int)
  requires { forall c. mem c s -> valid c }
  requires { nr = 0 \/ 3 <= nr }
  ensures  { forall c. mem c (mapaddleft s nr) -> valid c }
= assert { forall c. mem c (mapaddleft s nr) ->
                     valid c
                     by mem c (map (addleft nr) s)
                     so (exists y. mem y s /\ c = addleft nr y) }

let lemma mapaddleft_length (s: fset coloring) (nr: int) (l1 l2: int)
  requires { forall c. mem c s -> Seq.length c = l1 }
  requires { 0 <= nr }
  requires { l2 = l1 + nr + 1 }
  ensures  { forall c. mem c (mapaddleft s nr) -> Seq.length c = l2 }
= ()

let rec ghost disjoint_union (s1 s2: fset coloring) : fset coloring
  requires { forall x. mem x s1 -> not mem x s2 }
  ensures  { result = union s1 s2 }
  ensures  { cardinal result = cardinal s1 + cardinal s2 }
  variant  { cardinal s1 }
= if is_empty s1
  then begin
    assert { union s1 s2 = s2
             by (forall x. mem x (union s1 s2)
                -> mem x s1 \/ mem x s2 -> mem x s2)
             so subset (union s1 s2) s2 };
    s2
  end
  else
    let x = pick s1 in
    let s1' = remove x s1 in
    let s2' = add x s2 in
    let u = disjoint_union s1' s2' in
    assert { u = union s1 s2
             by u = union s1' s2'
             so (forall y. (mem y s2' <-> (mem y s2 \/ y = x)))
             so (forall y. ((mem y s1' \/ y = x) <-> mem y s1))
             so (forall y. mem y u <-> mem y s1' \/ mem y s2'
                       <-> mem y s1' \/ mem y s2 \/ y = x
                       <-> mem y s1 \/ mem y s2
                       <-> mem y (union s1 s2))
             so (forall y. mem y u <-> mem y (union s1 s2))
             so Fset.(==) u (union s1 s2)};
    u

use array.Array

let enum () : (count: array int, ghost sets: array (fset coloring))
  ensures { Array.length count = 51 = Array.length sets
            /\ (forall i. 0 <= i <= 50 ->
               (forall c: coloring. Seq.length c = i ->
                          (valid c <-> mem c (sets[i]))))
            /\ (forall i. 0 <= i < 50 ->
                          count[i] = cardinal (sets[i])) }
= let count = Array.make 51 0 in
  let ghost sets : array (fset coloring) = Array.make 51 Fset.empty in
  count[0] <- 1;
  sets[0] <- colorings0;
  assert { forall c. ((Seq.length c = 0 /\ valid c) <-> mem c (sets[0])) };
  count[1] <- 1;
  sets[1] <- colorings1;
  assert { forall i c. (i=0 \/ i=1)
           -> ((Seq.length c = i /\ valid c) <-> mem c (sets[i])) };
  count[2] <- 1;
  sets[2] <- colorings2;
  assert { forall i c. (i=0 \/ i=1 \/ i=2)
           -> ((Seq.length c = i /\ valid c) <-> mem c (sets[i])) };
  count[3] <- 2;
  sets[3] <- colorings3;
  assert { sets[3] = colorings3 };
  assert { forall i c. (i=0 \/ i=1 \/ i=2 \/ i = 3)
           -> ((Seq.length c = i /\ valid c) <-> mem c (sets[i])) };
  assert { cardinal colorings3 = 2 };
  for n = 4 to 50 do
    invariant { forall c i. 0 <= i < n -> Seq.length c = i ->
                         valid c -> mem c (sets[i]) }
    invariant { forall c i. 0 <= i < n -> mem c (sets[i]) ->
                         (Seq.length c = i /\ valid c) }
    invariant { forall i. 0 <= i < n ->
                         count[i] = cardinal (sets[i]) }
    label StartLoop in
    (* colorings with first_black_tile = 0 *)
    count[n] <- count[n-1];
    mapaddleft_valid (sets[n-1]) 0;
    sets[n] <- mapaddleft (sets[n-1]) 0;
    assert { forall i. 0 <= i < n -> sets[i] = sets[i] at StartLoop };
    assert { forall i. 0 <= i < n -> count[i] = count[i] at StartLoop };
    assert { forall c. Seq.length c = n -> valid c -> first_black_tile c < 3 ->
                       mem c sets[n]
                       by first_black_tile c = 0
                       so valid c[1 ..]
                       so mem c[1 ..] (sets[n-1])
                       so addleft 0 c[1 ..] = c
                       so mem c (mapaddleft sets[n-1] 0) };
    for k = 3 to n-1 do
      invariant { forall c i. 0 <= i < n -> Seq.length c = i ->
                           valid c -> mem c (sets[i]) }
      invariant { forall c i. 0 <= i < n -> mem c (sets[i]) ->
                             (Seq.length c = i /\ valid c) }
      invariant { forall i. 0 <= i < n ->
                            count[i] = cardinal (sets[i]) }
      invariant { forall c. (mem c (sets[n]) <->
                            (Seq.length c = n /\ valid c
                            /\ first_black_tile c < k)) }
      invariant { count[n] = cardinal (sets[n]) }
      label InnerLoop in
      (* colorings with first_black_tile = k *)
      count[n] <- count [n] + count [n-k-1];
      mapaddleft_length (sets[n-k-1]) k (n-k-1) n;
      mapaddleft_valid  (sets[n-k-1]) k;
      mapaddleft_card   (sets[n-k-1]) k;
      let ghost ns = mapaddleft sets[n-k-1] k in
      assert { forall c. mem c ns -> first_black_tile c = k };
      assert { forall c. Seq.length c = n -> valid c -> first_black_tile c = k
                         -> mem c ns
                         by valid c[k+1 ..]
                         so mem c[k+1 ..] (sets[n-k-1])
                         so let c' = addleft k c[k+1 ..] in
                            ((forall i. 0 <= i < n -> Seq.get c i = Seq.get c' i)
                             by c[k+1 ..] = c'[k+1 ..])
                         so Seq.(==) c' c
                         so c' = c
                         so mem c (mapaddleft sets[n-k-1] k) };
      sets[n] <- disjoint_union (sets[n]) ns;
      assert { forall i. 0 <= i < n -> sets[i] = sets[i] at InnerLoop };
      assert { forall i. 0 <= i < n -> count[i] = count[i] at InnerLoop };
    done;
    (* coloring with first_black_tile = n *)
    label LastAdd in
    let ghost r = Seq.create n red in
    let ghost sr = Fset.singleton r in
    assert { forall c. mem c sets[n] -> first_black_tile c < n };
    assert { first_black_tile r = n };
    assert { valid r /\ Seq.length r = n };
    count[n] <- count[n]+1;
    sets[n] <- disjoint_union (sets[n]) sr;
    assert { forall c. mem c sets[n] -> valid c /\ Seq.length c = n
                       by [@case_split] mem c (sets[n] at LastAdd) \/ mem c sr };
    assert { forall c. Seq.length c = n -> first_black_tile c = n ->
                       mem c sets[n]
                       by (forall k. 0 <= k < n -> Seq.get c k = Red)
                       so c == r so c = r };
    assert { forall i. 0 <= i < n -> sets[i] = sets[i] at LastAdd };
    assert { forall i. 0 <= i < n -> count[i] = count[i] at LastAdd };
  done;
  count, sets

end
why3-1.6.0/examples/verifythis_2018_le_rouge_et_le_noir_1/000077500000000000000000000000001440160026300233705ustar00rootroot00000000000000why3-1.6.0/examples/verifythis_2018_le_rouge_et_le_noir_1/why3session.xml000066400000000000000000001163021440160026300264130ustar00rootroot00000000000000








 
 
 
 
 
  
  
  
  
  
  
  
  
  
 
 
 
 
  
  
  
  
  
  
  
  
  
  
  
  
 
 
 
 
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
 
 
 
 
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
 
 
 
 
  
  
  
  
  
   
   
   
   
   
   
   
   
   
  
  
  
  
  
 
 
 
 
  
  
   
   
   
  
  
 
 
 
 
  
  
  
  
  
  
  
  
  
  
  
   
   
   
   
   
   
  
  
  
  
  
  
  
  
  
  
  
  
  
  
 
 
 
 
  
  
  
  
  
  
 
 
 
 
  
  
   
   
   
   
   
    
    
    
   
   
  
  
 
 
 
 
 
 
 
  
  
  
  
  
  
 
 
 
 
  
  
  
  
  
  
  
  
  
  
  
  
 
 
 
 
 
 
 
 
 
 
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
   
   
   
   
   
   
  
  
  
  
  
  
  
  
 
 
 
 
  
  
  
  
  
  
  
  
  
 
 
 
 
  
  
  
  
  
  
  
  
  
 
 
 
 
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
 
 
 
 
 
 
 
 
 
 
  
  
  
  
  
  
  
  
  
  
  
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
  
  
  
  
  
  
  
  
 
 
 
 
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
   
   
    
    
     
     
      
      
       
       
        
        
        
        
        
        
       
       
      
      
      
      
      
      
      
       
       
        
        
        
        
        
        
        
       
       
      
      
     
     
    
    
   
   
   
   
   
  
  
  
  
  
  
  
  
  
  
  
  
  
   
   
   
   
   
    
    
     
     
     
     
     
     
     
     
     
     
     
      
      
       
       
        
        
         
         
         
        
        
        
        
        
       
       
       
       
       
      
      
     
     
    
    
   
   
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
   
   
   
   
   
   
   
   
   
   
   
    
    
    
    
    
     
     
     
     
     
      
      
      
      
      
      
     
     
    
    
   
   
   
   
   
   
   
   
   
   
   
   
   
   
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
   
   
    
    
    
   
   
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
   
   
   
   
   
   
   
   
   
  
  
  
  
   
   
   
   
   
   
   
   
   
   
   
   
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
 
 



why3-1.6.0/examples/verifythis_2018_le_rouge_et_le_noir_1/why3shapes.gz000066400000000000000000000364651440160026300260460ustar00rootroot00000000000000}o7w{7Ȃb0&b/EgFDN${vfvsd9l̙|bXUrKy{}s.pnx?_r_/S_oexmj?v~Rb/:LH(6Kx[+󍸑!R7ELo~zs{k%7b(~PQuD^	$dq#[jyFߘөC֩ӻfN%1[δVVAw
V"pLYa')  9g&٫
g~6tӢKA-|MHV|߄]ORoo?Hn/~z;ѷ$߿_{P3^.:}۹B,!=}'<Λ77GY:խM]3|(*4᷑?'Fߺy3	=L7
8O"lox9(3Iy'YǯL:JgExK`St}an+nrImwugHg#/ES=L4%Ztx6h\zSlW(Y
^ܢhLwm@nF0P^ujttp=
tjhѯ;Ӑh
gUijHZ=p		Yƭ)S~Z̜W31.˚mj2ݸqYJ5JtZZW.o!u	ɗk^{a>p}Bz xM]d6\J_\_\u7]!+yF@Ŷ͆bp1q+jUF;fUlc!9CZ7#
+w/nF>>]HF
a$2-\,.	hF=%Lo9TG|׋K	oo5)ވIjFE>ʗt"?FnVM"E˺fc-FJ>@pvZ.hTDk^S3}*1R0]@r&UX&R@I#BOW`TO3f۾Grx9K
<{>w53%s?͖9]dS7Tut\&!lY5Ц-47]}]͹\]͹z[]5_(hfձ>oNݞ4],pֆdSy|v!JתT}1vFk3:$4gį&xGu!㴏}|tydGEMX
GV8PuW;7)xp_Mi}ZO&s=S%aQEXTâG!us;}\Y%R%7 seioZEoLoOCw(Gk^ע
oߖ^xN.5sݿCyS+ʟF/B8?Sc kR\^]U#y4y<-뺳~;a=LT]3@Ail)f|ӧ}Xb^#>A=]̏'OPc 04*6*3XU͚g5弧Syla[!?ݞ~c="J2|m#CSX#ix[1jq
ksqi͔?`Hư3p3"ӷ1[q3	߅wx
Sk2jK
n`Rp'P#^/
yJu'5ʊsc%io
jj׮5MAsW9AdJbےhl:f&qX>]6ᙶ;i7q9T\n;Vi)_>‘!>.t
x(jzXʽ8gL}imxj?ݟxm:ս	1H%it97rNYΆqbh1q-v6c}plĦʚQ׷?-cd7Ob_'zfOu˙}ݐT^ж$s~ha4HEQH?,7Cm!ZSdFGfr;yۀ˾J⻩ Kir}ea|ȼܛ6yuꋧ>ѯq>
x1CtwEjM6]M2ƒO;JմTT:fF~<:>N>Vա(\Ѧ=۞aeˎ2	|(:zѮLx+pIˀ߷B{'}sk酖e}S5]w%_JvDǦ×_7Ӷd~>_m\;n!^Dx93㻥dW}ۛۻ߷Acuj}WB4Tn khGN*?:-J~!{WCO_m/_!TSwۑ`z[k~gkW!Pvu9ڭv+#wk;#OW=}mv|_?.L NL}yd݆eo˻=`;:&88?F_O,v4*6x?
5{;oˠ@OF$ɯ;3\i~z@K-%hyȮsc٤,9n4GKIA%+v'63՞Mb.čk!_FEjF'P3w3ܐyxRPݡ܊דBIJr$&& 7|+jn4sj__jζw?T
j V
۵F,=o`=ߘu}!3|]<ZNf6b֐*漸;Zz贾ͦAA55?rki4.hf}u_ТuAk|ݛyEғ1qSHȤo?/~W[G1\uj_Z.sӂc]+QCrjHDܸf$nZun
.D+E|~-e9+:9Wϗl`BA|8bOp}̮/~|_ěVFz	N݂
ہM"ֆJ/:ltZɷJ
##;R+2hV@׃8sk]ir\vs
cش~8s1}Ooxp^_~ -}(i{AGAHcU㱶|]ߔo+pO5ހ23-f&3+_h4&Nz:T6 ^F7o~AZ6p{wvU/.B-[K'[n}y(N(Ƈήv.ݹԭHɤ7NL
4cPÊq{g\9<̊ON>ZXV>je`kbg
-z%5Z.`udmq }rrfVFuhB4
MWRS,VGعu_ѲʕVH.סˍF*d)&I
g,>|)Ǔbl	+uMvu+Mvs/gQR.ݖ:U֖j15^MDqj}ZB'AjΪcEF/o<>h4$:߇=mLNխU'om~-
wFS/Fsm
ѴenKX@iFj{i0ٺe竩ogȓ{>oi6ǿכx0%#>Q_x3RrW-۬)|N9/1ضiIOk!bYG|{x>Uk>	c%	fP`؞Vz)_71-{Yw?4k9feΠ&6އHIFsyrMJʱsd-!&ݼ)Dݴ7'nfj5^%p	YڮNv4Q0Ϸ_z0Ռb3A5j0?n}&
>Y8ĺ]=393rq
SfO33gDs'866Á
Zt#md)߭xmJ!`ڱ\tʏuُxms|O!bḛHDq>j`dVja([?@hr
rYSf(&Ni'R+V2Ov\
ZǽpNF';2EW88ՕklAq>PSu\ޟ/fL\/\îv>Drt]dK	>8j9PnZغ?(BzDecqE$>N~SW~p݁lj̗ūkYO]\u)˕zX\[>\ʡɸ\I V֛
уpռЭԣ/"Wz-,c{3g:珘peO\mdlx@
D`ǕNHςlAۏz]zxtZM -79 8Z-zLZi&f^fc\fWK=7c^bsqzq&/`|o>AFڟ ߈Fᄙih3UF丧XB\n`'Ofk
-˧>~_,ewRnփyG~HG5zV9$[VRZ=mjDD}n0n_E!@#y[\/{9i5?mw6.Ǡr]|F;4bތ(Fɻ1jFM_icЫݹAi7xΖO\vA,cR(񪧫eR3D|	]qvta&SB7,׃K:W.trZ&Vx,^ɭ3eͪca[m75ų^h}iϺK0f	b;Xz<\7kj{X1,iWܨ#*%byqn~7o޽xS/Z_9m]kIVuJw14ZwO_n¥#7]9fٰ4j)uf@`Q(U&nW}_%/575ԲXKqyTwSY`dusȣ/S~s+~C4D
LG;z!vxaWm<-jޢaҏRDl-[ǡ&郟T6j!OO
aiiy#Hz	.7x͉PZq^žv\3PPR͋6lge2,9.+B
6H[Ru
>Kp^@`%G'dku^*1*R+К$Vr&	NHRN:WFaQz/5s^L>j@YkUh2FϜ(hNjʬT0:
vkלT
lăO\E1S,k	rk6;MHdg
;"VۈWRJ`4ڏu>qVLǟb#F03a`DO0
ayB4T<,S4"P%o=#/FԷe!8-t/n"VzYrUF"߇GɊ9XN!(V֎cQoƥ5
zu#B6)ЀӦHBp QG0H~6TXNĮyƃUrD'e*\97hz3
jP2rde&tJ plbz0v5ݪk\ΝFΑf /h"R!ʮuFG"<8]:*)/"}42I&;&Qy0Q4 K]`hԊ.>LDT0f1dD.Y 8Ў;;bRjA
[$)S^pdR5zҿ3!	T%rZ_<	G{LEW np^ !zq3sVDtڔor
#3"-~0I/WNufLjsҶZd{Ԕ)}܎.f
ݸ6]F:\ּiP-~oEAZ}[{KH'Ab8]J+&{hfZCQ{:1q2xJ	.qGNa>dH'PIreA&Һn's|x_£!Pp٧ugAw{ztÞAvlY",":JxfGg^|a5\$H- )<NN#'z%-!
݂s z?^0ˆg{*e,B
^	)г=#'sQ5ғA.4 L~|2s(DG,#fg̫`B"eXdi92<<ܤzƁ5F=0s䊋RYNNKD(V\U4?chSg."D}
@C4kZELf%$їD
&\??EQ3UC6o{c2Sd&>E<0^Yw9gMVdg׍"ڵ@ҹ4TO"頥Cl1-"̒e*e4Vf~+T8C3Z3UI͉eHna5RZˤW	e*}ԔI:}\ZeJ|Zd%:j5tZ|̓'
;m7pV2"1B_XPbҦer'e~@RC&;w^ɟ2KKegɴ%
.$䡥~tq8Ue/49Ҫe%G*J[um{L:aמ)ysMt𕆥A0kyMQ s	Ki;ֱӖ9(Vh)=MUH%M|pV9`{-)N:h_{LkJ)Y{
٦u3R	oTZH2"CjF4Q	jPA柗bfUbvH$1QX'4 DMۑ4 
*'C)J&R1i);
f_`ai]]yi ZKdڗi@q@历G	wJGY^vYZU3 Ҁb1"T7|R¥|ɘ>uQYPcyz(*K|IUdvIZn;zVi1ɓP	%衍y%8CMI
DZzt³#k>$jDDg$K$?eTK̑qnp7/W@`8=\*8Yb"h%|Blk"ɞ^дӋ%'q@r%vp
megNr.)dtOo=5pis;CG'1cEw)D׊>BaOZ~鏭\X\g2a+SbW	3?"׵A shwF\[)J*Z/^Bu1uHR41j2Ѻ$mq j8?ssFj'}հ)R#IYL:ꉱO`yѥuJ] gU]J^]F8{3?S0%	,EsIx63?3teXW,82"Vm]@AsRM/:DgZq2z!~ޗ|@fNb!X,٧)ηUN.$Xй\0tL)L<1/G+3kU41QR:pDs#_+XujUjRTBd*tb\J,lHkq9}%uՕ5ܮZx'b!̴cə,&-Tzm8fxE)[}Drix
ڸVr	ʑAH#1
If#p&:0Htt9/t,
\ՠCnBY£ϥLRg}IRZq: g
ṣ)BIj,/IjN(aEalJ=̮h1b	m]g,;3UDULUp҃6Fc/['q2Ɇb$]I9}mh.fs>撵,&)(F3xhkK)dA>)G˱n`=3YI$)b^LC2!i23;Oe);!q琧hCjP:;řO=].Qea糔ap6b}-}ӧʴIȠAށ$yﵪH;|OՙWpe*يL/c L1ꬁrTa1,լzbI5Mȁx'3NjEKgQ+cBa*:TL1>"Wŀ3o۳M܁􍚒\Aic~߅'Eajm୚vL*Z_8+}@-yd;pdl.qU9a9[ӗT<:(_EX'k16kZR6K0(;6E#˘X~OTR'Yccgl
&x*Z(+YAg,m>B{dEF גw3ßceV;/}pf5}F}f3?ē)!1}p]z:ijY$9
,zI_V2P&98۳cPK$3QH|V]E;e
 
12!Rr3;๶ Jϕt+{s味iK^3C\`xӚfbTe"xYA`^Kf&xS?9b[LFL1VT$+ϲxVY#\"Sh1%neo[e1F’gRJuʧ*k΅,c\%Y*#*ۦE%
mBfC)^Y5,hT4z9K<V"RȽb}A>8	;Ig|璔eO"*
J&)EGHy[bV?K_M,MZ핕>(]ۻ>Kg&˼/	Ό$+PKUHLTIɟ%%ej1FS`3Ƨ,c܍a8sg޹Ӊ>ԖReycL,$6mJ@>o2&c<} M
Vg|I^3Dr
AGqUaP>PRAsUUyK^Iid͐i0`0g9}§N9HɍUQJix>Wn
3Ċgг\(`Wą@uĘd$U}u7Yp]p0=&/EhXNmxѝ:4C([-tBw;
9ZȧJJ-!`WFR&	$!0tlg49\i•UV}f<L)Y1v	R(DvmC`,1[w!\EFHQd&;1hA$-b5ʎ*03]f`d1([u4FQ65
能0ҖB9zSƓv8Ϡ ,%\պѩ.Y0Z:sY#w:#^ 58:s&+S%hSN,gxF`Jô
-rsų0
nႋqQ)) ^YAœG8s%^ CLzSr(!"#ҞGBy~ v2`ZoT*T?!a8{Gy,%PtHYF!9~D#NVvSҤYJIHT9r!/A
\b$^=2jlrNb'g:kׇkW:lbNi+A~se1Add޸ȼ%1ȏCU{khYXkaiRD(cmBN2g},T2&- 9V߫Yr[rΫ(EV5Z,[WQ kk!hXI ]hARC#̙7Jpe+ڊT}ڔ/@&#h
;mc5Z3o/tutiQR,\~o_why3-1.6.0/examples/verifythis_2018_le_rouge_et_le_noir_2.mlw000066400000000000000000000162451440160026300241220ustar00rootroot00000000000000(**

{1 VerifyThis @ ETAPS 2018 competition
   Challenge 2: Le rouge et le noir}

Author: Martin Clochard (LRI, Université Paris Sud)
*)

use int.Int
use import set.Fset as F

(* The part about bijections, preservation of finiteness and cardinality,
   should be moved somewhere in stdlib. *)
predicate bijection (p:fset 'a) (q:'b -> bool) (f:'a -> 'b) (g:'b -> 'a) =
  (forall x. mem x p -> q (f x) /\ g (f x) = x)
  /\ (forall x. q x -> mem (g x) p /\ f (g x) = x)

let rec ghost bij_preserve (p:fset 'a) (q:'b -> bool)
                           (f:'a -> 'b) (g:'b -> 'a) : fset 'b
  requires { bijection p q f g }
  ensures  { forall x. q x <-> mem x result }
  ensures  { cardinal p = cardinal result }
  variant  { cardinal p }
= if cardinal p = 0 then empty else
  let x = pick p in
  add (f x) (bij_preserve (remove x p) (fun y -> pure { q y /\ y <> f x}) f g)

let rec ghost disjoint_union (p q:fset 'a) : unit
  requires { forall x. not (mem x p /\ mem x q) }
  ensures  { cardinal (union p q) = cardinal p + cardinal q }
  variant  { cardinal p }
= if cardinal p = 0 then assert { union p q == q } else
  let x = pick p in
  assert { union (remove x p) q == remove x (union p q) };
  disjoint_union (remove x p) q

(* Abstraction layer over the integers. Reduce to standard integers
   after ghost code erasure (=ghost wrapping of integers operation for
   proof purposes). *)
type cardinal 'a = {
  card : int;
  ghost cset : fset 'a;
} invariant { card = cardinal cset }
by { card = 0; cset = empty }

let czero () : cardinal 'a
  ensures { result.cset = empty }
  ensures { result.card = 0 }
= { card = 0; cset = empty }
let cone (ghost x:'a) : cardinal 'a
  ensures { result.cset = singleton x }
  ensures { result.card = 1 }
= { card = 1; cset = singleton x }

(* reduce to identity after ghost code erasure. *)
let cmap (ghost q:'b -> bool)
         (ghost f:'a -> 'b)
         (ghost g:'b -> 'a) (i:cardinal 'a) : cardinal 'b
  requires { bijection i.cset q f g }
  ensures { forall x. mem x result.cset <-> q x }
  ensures { result.card = i.card }
= { card = i.card; cset = bij_preserve i.cset q f g }

(* reduce to integer addition after ghost code erasure. *)
let cadd (i1 i2:cardinal 'a) : cardinal 'a
  requires { forall x. not (mem x i1.cset /\ mem x i2.cset) }
  ensures  { result.cset = union i1.cset i2.cset }
  ensures  { result.card = i1.card + i2.card }
= ghost disjoint_union i1.cset i2.cset;
  { card = i1.card + i2.card; cset = union i1.cset i2.cset }

(* Specification of colorings:
   sequence of tiles that can be obtained by catenating unit black tiles
   or large (>=3 units) red tiles, with red tiles being non-consecutive. *)
type color = Red | Black
use import seq.Seq as S
constant black : seq color = singleton Black
function red (n:int) : seq color = create n (fun _ -> Red)
(* color is color of first square. Default to black for empty sequence,
   as a black tile does not give any constraints. *)
inductive valid_coloring_f color (seq color) =
  | ValidEmpty : valid_coloring_f Black empty
  | ValidBlack : forall c s.
    valid_coloring_f c s -> valid_coloring_f Black (black++s)
  | ValidRed : forall n s. n >= 3 /\ valid_coloring_f Black s ->
    valid_coloring_f Red (red n ++ s)

predicate valid_coloring (s:seq color) =
  valid_coloring_f Red s \/ valid_coloring_f Black s

predicate valid_coloring_l (n:int) (s:seq color) =
  valid_coloring s /\ s.length = n

predicate valid_coloring_inter (n:int) (m:int) (s:seq color) =
  valid_coloring_l n s /\ exists i. 0 <= i < m /\ s[i] = Black

predicate valid_coloring_at (n:int) (m:int) (s:seq color) =
  valid_coloring_l n s /\ s[m] = Black /\ forall i. 0 <= i < m -> s[i] = Red

use array.Array


let main () : unit
= let count = Array.make 51 (czero ()) in
  count[0] <- cone S.empty;
  assert { forall s. mem s count[0].cset <-> valid_coloring_l 0 s };
  count[1] <- cone (black ++ S.empty);
  assert { forall s. mem s count[1].cset <-> valid_coloring_l 1 s };
  count[2] <- cone (black ++ (black ++ S.empty));
  assert { forall s. mem s count[2].cset <-> valid_coloring_l 2 s };
  count[3] <- { card = 2;
                cset = F.add (red 3 ++ S.empty)
                             (F.singleton (black ++ (black ++
                                                    (black ++ S.empty)))); };
  assert { forall s. mem s count[3].cset <-> valid_coloring_l 3 s };
  for n = 4 to 50 do
    invariant { forall i s. 0 <= i < n ->
      valid_coloring_l i s <-> mem s count[i].cset }
    label L in
    let ghost q = pure { valid_coloring_inter n 3 } in
    let ghost f = pure { fun (s:seq color) -> black ++ s } in
    let ghost g = pure { fun (s:seq color) -> s[1 ..] } in
    assert { bijection count[n-1].cset q f g
      by (forall s. valid_coloring_l (n-1) s ->
        (valid_coloring_inter n 3 (black ++ s)
         by 0 <= 0 < (black ++ s).S.length /\ S.get (black++s) 0 = Black)
        /\ g (f s) == s)
      /\ (forall s. valid_coloring_inter n 3 s ->
        (valid_coloring_l (n-1) s[1 ..]
         /\ f (g s) == s)
        by (exists c s'. s = black ++ s' /\ valid_coloring_f c s'
          so s' == s[1 ..])
        \/ (false by exists i s'. 3 <= i /\ s = red i ++ s')
      ) };
    count[n] <- cmap q f g count[n-1];
    for k = 3 to n - 1 do
      invariant { forall i. 0 <= i < n -> count[i] = (count[i] at L) }
      invariant { forall s.
        valid_coloring_inter n k s <-> mem s count[n].cset
      }
      let ghost q = pure { valid_coloring_at n k } in
      let ghost f = pure { fun (s:seq color) -> red k ++ (black ++ s) } in
      let ghost g = pure { fun (s:seq color) -> s[k+1 ..] } in
      assert { bijection count[n-k-1].cset q f g
        by (forall s. g (f s) == s
          by forall i. 0 <= i < s.S.length ->
            S.get (g (f s)) i = S.get (f s) (i+k+1) = S.get s i)
        so (forall s. valid_coloring_l (n-k-1) s ->
          valid_coloring_at n k (f s) /\ g (f s) = s
        ) /\ (forall s. valid_coloring_at n k s ->
          valid_coloring_l (n-k-1) (g s) /\ f (g s) = s
          by (false by exists s'. s = black ++ s'
            so 0 <= 0 < k /\ S.get s 0 = Black)
          \/ (exists i s'.
            3 <= i /\ s = red i ++ s' /\ valid_coloring_f Black s'
            so s' <> empty so exists c s''.
              s' = black ++ s'' /\ valid_coloring_f c s''
            so (i = k by not (i < k so S.get s i = Black)
                      /\ not (i > k so S.get s k = Red))
            so s'' = g s by s = f s'')
        ) };
      count[n] <- cadd count[n] (cmap q f g count[n-k-1])
    done;
    count[n] <- cadd count[n] (cone (red n));
    assert { forall s. valid_coloring_l n s ->
      s = red n \/ valid_coloring_inter n n s
      by (exists s'. s = black ++ s'
        so 0 <= 0 < n /\ S.get s 0 = Black so valid_coloring_inter n n s)
      \/ (exists i s'. 3 <= i /\ s = red i ++ s' /\ valid_coloring_f Black s'
        so if i = n then s == red n else
        (s' <> empty by s'.S.length > 0)
        so exists s''. s' = black ++ s'' so 0 <= i < n /\ S.get s i = Black
        so valid_coloring_inter n n s
      )
    };
    assert { valid_coloring_l n (red n) by red n == red n ++ empty }
  done;
  (* Property asked by the problem. *)
  assert { forall s. valid_coloring_l 50 s <-> mem s count[50].cset };
  assert { count[50].card = cardinal count[50].cset }
why3-1.6.0/examples/verifythis_2018_le_rouge_et_le_noir_2/000077500000000000000000000000001440160026300233715ustar00rootroot00000000000000why3-1.6.0/examples/verifythis_2018_le_rouge_et_le_noir_2/why3session.xml000066400000000000000000000403401440160026300264120ustar00rootroot00000000000000










 
 
  
  
  
  
  
  
  
  
  
  
  
  
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
   
   
   
   
   
    
    
    
   
   
  
  
  
  
  
  
  
  
  
  
  
  
  
   
   
    
    
    
   
   
   
   
   
  
  
  
  
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
  
  
  
  
   
   
   
   
   
   
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
 
 



why3-1.6.0/examples/verifythis_2018_le_rouge_et_le_noir_2/why3shapes.gz000066400000000000000000000252651440160026300260430ustar00rootroot00000000000000ێ)r
|Xl1ۍ8nYeKec~~.2CRrR3&HF_o?GKǧTUM}|_;p?]ۆP}~~;?t?Vo\U?U=v7E$>ĺk޷!6_|~<lU(rQƒg\

N	YLWUSKR]Ss]]T_;VݗVVFguv\(ёMc-}ea>fY*|L-ݮSa%ꮄ_,$XfiRB# Z{(Xtk
By/C>?݇߻Қާ՛Uv;NL5CU}o*q%Agxհāѻ}aC3e1ŜJ1bҌj,:%Ǐ4ڲ(bTsڻh֪=#ty;|ELBƨhI=Әj>>9ܰ ]qBѴw)}pPcg/6߂
_Ggs6)?N^7ҙIGBc\JxHcd[j=z1,x ?%)~FyEC-o/iF4)PwIBrL9ng5_n6hz?|6x=n?>;?HI)u6Ԕ&2b	 !AW,T9?ow6~}zyz;${J:8ik@.؁\G.ucC9.Phb9rWџE;a`j͜,rrB-?& F+(u\
	BdXC͉s#MH	jV5{UMRӺiYM(#_t
]!b"h,gTdqlC^KNˆ⣡xɯkrPu2~|׈ܬI?P㍢t9Ds\m
M*jEW &M5Qϔ(M5Nӛ"Rnئ"~zG4Tao~j{!`{T߅/9֐љ}O'UHX(ag.|$a)&5ICoTYR}!$~`ϱ6
$A5acAӵ"Cϋ/tG:ɕ&ƖttVMt(zAѬ}4kbY_sԜTtt^~:T萆64IUOi VДD`@DRJh	rj|=S
'nR-
׆JÐNB׼tŜ.9(]I揊*	20걈9TO_UEpS}Wȕ&U8515T:MT"Xo7ilb}@1SLfx:[9rw37$/K0n?!p@)qW\U
6lxx`\Q!c
w)_܎Vp]M[$܎J!r%
c{ Qsd<-)|J¦$h#
e_C`J"(>fx@%v
 DSuɏ`orG+Xʃ`)p)!$"r!bâe+X
4"	Yno@x%+s(<.v:(EHC$,p<~>ӧOH1cx93=v둕7+I5b?!iS۫q="`k!#D tE<Y	TM?c69]+;Kay/gKSdK`KR #[L!-٢bs-٢2[tdgd[S~2J؋
l)#[M+F`I˲elZJyEЕF
u7
r[`IZjye,QKԜ%KTf,0D_3ZbxlrieBj\W/֔cW(]OOYve}>3O{Y"
{ige s7|ˬop7|=hE̝eM9G/xj|&o@ô!'tvg;6vl
1,hZH7oU_x7DY:EXPa9&n	ѹEĤ'==iXĀ	xRFqaab^LTg]	a@6';E	#aX	_0b F"Ȅ0r0"QaԜ0jF n߱~>-NC恿p?mbl;lb[S[ؼ[,y[a;߂Şڂ-Xl܂e)3}Df_ȃa@}>r_ ob,y`!@d#<@/:&2,(My$IG:zc_
ذ#~6
YbMɋMƆJPW
=`CϱOaCglUƆyylv
{
6cEl,.
?`ϱOaÏpᨧsl
7y;Dɑ^qz*KAgea-%&8p0PJ6'J2F̡qf==t
+̱r\gN1tkCkK+Z^zb^
C7SC..]\ie^~↡]ܩC.z2tqL5&Y̴4\Z\[YDhЈ
h?LסQ,gڵL'vO4.rL7,gr;r˙N4˙nXtLwj9L3-gL7_^^2m2ƨ/mxx.ky7*Aۈ7tNVcN}
1p
1r&("fvj mU,F:arAuq=~.*E`Zdաt$<;x~"c*r|^"Nh9__iSrm!Û??G+0{/F7oFdoe/ρns6lx'!Sd34L "idUiMHsA.(N,]>	֦A<,\M7.@óqA,hV
O$c|Pw&֘c`i3f1ñp"ة}>3tf̠mWl[2^3fsCIC[z13ům
D̸6r>ml9?l
3AVpi
<MB_sA,*p"hyetڰ~RZ}m֥em"W8LfZ<*4A5AV҂N{sevSN@>;+`#FHiv?`cƂW‚;،DF=UG%;oN<ښy8@SU34WL1p|yS\Baҿ<6x
1p^F@j^_|
+LfE|Ѵ+^qkcEBY+hi0YSGpx_WYƕ>#BWɴ060Ƕ13P9k-CŞONpŹ}mP)O=m:*Jt2
>s:#r!SEPŗTY;|S,`EfYq	2K]ϩ5qVCGfۢՎl9/6ơ-.\3Oӑwbuܕ<0|s{)>1^}:oF|r0zu|9$GA8b2yY6|N)B>\*?)JM%QE{ކ>ySq7w,SX=~@]vx
'e?oᤛ1p_,kۇdm~9'=HKX&Lw|8x
4N .1`cƀo7S'WJMy`c^ja0'IĄc?A)LD0M=6|oݔ;U5XZ.Z NƉɉ;;o4'wq
MA4dJ$̧ޝi
ұ3 R,)HjE2#M'Sɇq7I$eh`|棜u8]
26?ʊG@%S07xSKOo?F&4d#(rV?D-цƒ:v+BZ[H묟KQ-uBZӶzei[H봅t0'2LJ!ap."+
!Q"P
?)4E)%IO;d4VƖM~ETL[Bi("Vʨ)ꖙA2V7
QM|1e
)HBXCF4Ȩ- eIO1Gn'ջ36flQ`aѨ˰#|	i׮,*ʹT),UV^^zKUR5QfF,Us	TE&Q
DTTHĂc&TY*(K]{oâ \&P P.'.9qYI\NˣמARR
q69Ș1&wlrDbEAqrDYb69b'B+:b9wYiw7 D>{㔈'G0]'GdrDS&pbM09RANf)eY-Ơ՛J؍B+tUWBu[7U׷]e{ǘm-cn[g7N5I4Եm4Էr/n]z)e{L4FFLco^ݸJZ6	޷IHFѲo6mYǔo
loLijWrh$ns~wLxeGѲ^Q
\Q^6Yv}TLt]z-{nBLÙ[uu%);i*Z1ESz3P|/XQ0qۦZw"ʇFv놱
MTq6}%Q[!&}55FWNRuV轠[uWb}UF&n*̡R~
5n*'8Z4LV-i&ӵUװJ*PT%W;!ZβPcҔTM(w(K1sMߢ-(M)&*U&$Q^{yz\bJNUIن1ޢNknW)M%ie4^ j4\rQAj17|o^v{mkr^f{r{eԡJ+Wl/^D&^j/^R*i`T9({#Уq*a0zԍ3(
j,mMף텬tcf/*-kᘳT2jվ}8գTV*fPwֲlVZI54=Ơk+8bh-jk_u
nK^uIDŽ:y=(0=X׬eC\ځ1s.@/o>HJucGC
pS-|V+A1)M$<4+j.ekzҴbRYnu ZV=̃T,Ŵ:W))޴M{.>kcMSyImxW0kh%UShIiEkjbMz؞.JDI5_)X^7fmh;RLl9@h9o}1M$輸ΐk6q/4tijt1u7lkwd<`uu艠lm!#GߠFI`SېU|ۡKmЯ	-wZvm0OGцh#t7aԕT݇*u=:rf͢#M_CjIUquU,jeF˖Gu(LP^9sХyတ3GZ䕲1Ԛ>kH7G)6B8,om+ʣӫ4Iq>Ixl92s=f›g5n!>imנ-Ŵ1M]_W
1QG2ꐐ{d}zjNճfgAAPG4i4C`\ e0=
|K2(G'^TtVUDZ VAжD	P`N7ڽ	l%7=\*R\\M}hEy]߱@R˅^5h"h P{8ܪ
iJe]1<:&J-?Z79`DUKQ]/U	n&	
)rs=Lc	ĶVpcIA#	nEW-U+^C6:	Il΢ӈ^OiEg*^YH4-rb]pA"p/4Dm׭EW##8Ǡ/	JWޑs <~cG`ƌNf/
j-3p3=J_4JL~C]n3-9LQ]%b
5ꅡ@V41t]*[ŨT,gQV&@N	n
*^kUtަCFθZ71**'pZ]Vx9#GW~)G
Aj9zm$tOp&=btLcXâ~<jэPĒZn;iy%^X\eb)'
7
SZCg0^Bgx!%=⬫S? 21%#Ul-6WJ{X`	cTjr\YKanWDT6?Fwui0ַ7
#ʆ
EEYT=*k`U6A-,MW@cTYd@Y|*Y3倪zvwhy3-1.6.0/examples/verifythis_2018_mind_the_gap_1.mlw000066400000000000000000000046201440160026300225310ustar00rootroot00000000000000(**

{1 VerifyThis @ ETAPS 2018 competition
   Challenge 1: Mind the gap}

Author: Martin Clochard (LRI, Université Paris Sud)
*)

use int.Int
use import seq.Seq as S
use array.Array

type char
val constant any_char : char

(* gap buffer model: content (buffer content) + l (location in buffer). *)
type gap_buffer = {
  mutable a : array char;
  mutable l : int;
  mutable r : int;
  mutable ghost content : seq char;
} invariant { 0 <= l <= r <= a.length }
invariant { a.length = content.S.length + r - l }
invariant { forall i. 0 <= i < l -> S.get content i = a.elts i }
invariant { forall i. l <= i < content.S.length ->
                        S.get content i = a.elts (i+r-l) }
by { a = make 0 any_char; l = 0; r = 0; content = S.empty }

let left (g:gap_buffer) : unit
  ensures  { g.l = old (if g.l = 0 then g.l else g.l - 1) }
  ensures  { g.content = old g.content }
= if g.l <> 0 then begin
    g.l <- g.l - 1;
    g.r <- g.r - 1;
    g.a[g.r]<- g.a[g.l]
  end

let right (g:gap_buffer) : unit
  ensures { g.l = old (if g.l = g.content.S.length then g.l else g.l + 1) }
  ensures { g.content = old g.content }
= if g.r <> g.a.length then begin
    g.a[g.l] <- g.a[g.r];
    g.l <- g.l + 1;
    g.r <- g.r + 1
  end

let delete (g:gap_buffer) : unit
  ensures { if old g.l = 0 then g = old g else
    g.l = old g.l - 1 /\
    g.content = old (g.content[.. g.l - 1] ++ g.content[g.l ..]) }
= if g.l <> 0 then begin
    ghost (g.content <- g.content[.. g.l - 1] ++ g.content[g.l ..]);
    g.l <- g.l - 1;
  end

(* Send back the capacity increment without modifying buffer.
   Implemented by a constant (K) in the problem statement.
   This version is more general and account for the standard doubling pattern
   as well. *)
val growth (_g:gap_buffer) : int ensures { result > 0 }

(* Since it is an internal primitive, it is fine to refer to r as well. *)
let grow (g:gap_buffer) : unit
  ensures { g.l = old g.l /\ g.content = old g.content }
  ensures { g.l < g.r }
= let k = growth g in
  let b = Array.make (g.a.length + k) any_char in
  Array.blit g.a 0 b 0 g.l;
  Array.blit g.a g.r b (g.r + k) (g.a.length - g.r);
  g.r <- g.r + k;
  g.a <- b

let insert (g:gap_buffer) (x:char) : unit
  ensures { g.l = old g.l + 1 }
  ensures { g.content = old (g.content[.. g.l] ++ cons x g.content[g.l ..]) }
= if g.l = g.r then grow g;
  ghost (g.content <- g.content[.. g.l] ++ cons x g.content[g.l ..]);
  g.a[g.l] <- x;
  g.l <- g.l + 1


why3-1.6.0/examples/verifythis_2018_mind_the_gap_1/000077500000000000000000000000001440160026300220065ustar00rootroot00000000000000why3-1.6.0/examples/verifythis_2018_mind_the_gap_1/why3session.xml000066400000000000000000000024531440160026300250320ustar00rootroot00000000000000






 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 



why3-1.6.0/examples/verifythis_2018_mind_the_gap_1/why3shapes.gz000066400000000000000000000034241440160026300244510ustar00rootroot00000000000000X[k#7~c&Jvi(LRc9	x[\t4g7(,F:7Iw~n?:}}9'l1kR*oԤ5?C275%הCa7*7MR|dha7zGFf6:]~{}o_vI-`l!0Т[2J?/}qx,zyzy>3u9׳D竫Yjr1K
mwbqOh<+sKjVWg#8I_9ߜa,Ʒe5㿮'78InX*A $ñ`an۫Y>HI_'\]6[:)en2tLƠY	uC#L$.iC} jv|RHIcp4=8a&@u%h-j=+6~`6?siɢBix1f[!S9{n.ax{fGf  KuIC:
vtt	7 ւi Z0
s^}ეpp&{b˶jqIS
j&^.0`&0:\5

*XRU䤁AW)cf"a/.g芘K+`Q:B7+DmJiK|F4y94mպZ{ qds\_ȯ6lF:	pZ_Sև'&ԴkjQYE-
_izuuI27q8ɰ{YFt@btm mԬ.EQ&^ֿq'<{bˡj$c8'}I8P#)_-)4ImR[]_[ (lc6R]+-Ib<=W8hœ}k^Zٞf2떄1vsY8`]WgZ^V!%qb"bQhDlK
|vWYC_+<}D/#H8\CBI8`@4$P_ZMceE.qַj58Fca:ho|h
anYMzILjw{ean=Ѩ31q\e
zoY[Ut :u(ŻZr9c!='W6Zȹ*2Z[AOl1Jmwhy3-1.6.0/examples/verifythis_2018_mind_the_gap_2.mlw000066400000000000000000000060201440160026300225260ustar00rootroot00000000000000(**

{1 VerifyThis @ ETAPS 2018 competition
   Challenge 1: Mind the gap}

Author: Raphaël Rieu-Helft (LRI, Université Paris Sud)
*)

module GapBuffer

  use int.Int
  use seq.Seq
  use map.Map
  use array.Array

  type char
  val constant dummy_char : char

  type buffer =  {
    mutable data : array char;
    mutable l : int;
    mutable r : int
  } invariant { 0 <= l <= r <= data.length }
  by { data = make 1 dummy_char; l = 0; r = 0 }

  function len_contents (b:buffer) : int
    = b.data.length - b.r + b.l

  function contents (b:buffer) : int -> char
    = fun i -> if 0 <= i < b.l then b.data.elts i
               else if b.l <= i <= len_contents b
                    then b.data.elts (i+b.r-b.l)
                    else dummy_char

  function cursor_pos (b:buffer) : int = b.l

  predicate same_contents (b1 b2:buffer)
  = len_contents b1 = len_contents b2
      /\ forall i. 0 <= i < len_contents b1 ->
                   contents b1 i = contents b2 i

  val b: buffer

  let left ()
    ensures { if old b.l = 0
              then b = old b
              else cursor_pos b = cursor_pos (old b) - 1 }
    ensures { same_contents b (old b) }
  = if b.l <> 0
    then begin
      b.l <- b.l - 1;
      b.r <- b.r - 1;
      b.data[b.r] <- b.data[b.l]
    end

  let right ()
    ensures { if old b.r = old b.data.length
              then b = old b
              else cursor_pos b = cursor_pos (old b) + 1 }
    ensures { same_contents b (old b) }
  = if b.r <> b.data.length
    then begin
      b.data[b.l] <- b.data[b.r];
      b.l <- b.l + 1;
      b.r <- b.r + 1
    end

  let constant k = 42

  let grow ()
    ensures { b.l = old b.l }
    ensures { b.r = old b.r + k }
    ensures { same_contents b (old b) }
  = let ndata = Array.make (b.data.length + k) dummy_char in
    Array.blit b.data 0 ndata 0 b.l;
    Array.blit b.data b.r ndata (b.r + k) (b.data.length - b.r);
    b.r <- b.r + k;
    b.data <- ndata


  predicate contents_inserted (newb oldb: buffer) (x:char) (pos:int)
  = len_contents newb = len_contents oldb + 1
    /\ 0 <= pos <= len_contents oldb
    /\ (forall i. 0 <= i < pos -> contents newb i = contents oldb i)
    /\ contents newb pos = x
    /\ (forall i. pos < i < len_contents newb ->
                  contents newb i = contents oldb (i-1))

  let insert (x:char)
    ensures  { cursor_pos b = old cursor_pos b + 1 }
    ensures  { contents_inserted b (old b) x (old b.l) }
  =
    if b.l = b.r then grow ();
    b.data[b.l] <- x;
    b.l <- b.l + 1


  predicate contents_deleted (newb oldb: buffer) (pos:int)
  = len_contents newb = len_contents oldb - 1
    /\ 0 <= pos < len_contents oldb
    /\ (forall i. 0 <= i < pos -> contents newb i = contents oldb i)
    /\ (forall i. pos <= i < len_contents newb ->
                  contents newb i = contents oldb (i+1))
  let delete ()
    ensures { if cursor_pos (old b) = 0
              then b = old b
              else cursor_pos b = old cursor_pos b - 1
                   /\ contents_deleted b (old b) (old b.l - 1) }
  = if b.l <> 0
    then b.l <- b.l - 1
    else ()


end
why3-1.6.0/examples/verifythis_2018_mind_the_gap_2/000077500000000000000000000000001440160026300220075ustar00rootroot00000000000000why3-1.6.0/examples/verifythis_2018_mind_the_gap_2/why3session.xml000066400000000000000000000147151440160026300250370ustar00rootroot00000000000000







 
 
 
 
 
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
 
 
 
 
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
 
 
 
 
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
 
 
 
 
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
 
 
 
 
  
  
  
  
  
  
  
  
  
 
 



why3-1.6.0/examples/verifythis_2018_mind_the_gap_2/why3shapes.gz000066400000000000000000000055351440160026300244570ustar00rootroot00000000000000XYo~_1
X;-@jJFkͯOkzZ Y:X,V}U~9|q4<>?㨎̝0г{a&S{B)"=ݺ_?󘟇sJn觵\tgt']cׁVʸN8['N4
78Xluvݻ:z1O1y||:ap҄7+0;fjZwL(rt~K:7Ʒc7@䶉eFg}K?>k%D><=0i^}ӹ/'UF)z롇K=iϷd]p*笨|HA_HqHu<&'647"zzP={er
Xiâ׃]rCKer4CDV&y$	,&n@ю]o6KNJe'z>N.}xtwܿi.1J5PwR>W|1F>B>54$m;mc˽E
>ZlXokKëvf7oͫpp퍏Gr[W~"ov"墮$PWJ䩊J͎j
m*zO&M`cKt"tCKL4+&@u{0%mDehrAX՜zL՞H/*,$&CQNPpva'>6jm~<P%&:RjJ;<'zjz7
\v*|@k4oCZk̽Y.
fRvNZ
_!$RE@Un0h.[TѶCrFкKM6+(xJ-YƲ	,ȱP4{a5B&8Eb]<2ANEV>G0x%,gZ V(	[b3S2	BO|ːX:nL9$١& {:&|dJ9,[EӡQKÅLɞ+M%2dzfB)w0ABZbe"YŹD'
NIxr7}l#<Ey2P|g,gP)MG;I~>P4ܛ)QBGoqNK.EfYO;gwR24q٢R։SZ	T$`s6V{)(ڒy'ft@ɗɫ	t$b"@ZAPZvPD
	Y:CAjgb^G<%S>dDMG""iT5g$}SKHy3L$8"F~BwR[Jy+'x#?PIU"A2Mf쨡ӬX/@,#"R4Q	*BȔjYV@Bb!儱'40tvtRߎ
!3!!DZJ)1
nXA؛Z B"Z!jk^*	ELS©*H5԰KʌT'jT@!~JuJvJ_āp~H 1F
(SJ2%:iT8
XGI&Lۦ}E(;8h#//S]VF/4*Q:*(蛣uٖƱBJP2'C'+&i?(ir`ˆG
&P@y[T} why3-1.6.0/examples/verifythis_2018_register_allocation.mlw000066400000000000000000000200301440160026300237150ustar00rootroot00000000000000(** {1 VerifyThis @ ETAPS 2018 competition extra challenge : Register allocation }

Author: Quentin Garchery (LRI, Université Paris-Sud)

*)

(** {2 Import sets and maps } *)

use int.Int
use option.Option

(** Assume there is a type of variables with decidable equality. *)

type var
val eq (x y : var) : bool
    ensures { result <-> x = y }

use set.Fset
clone set.SetApp as Svar with type elt = var, val eq = eq

(** We represent dictionaries as maps:

       • the interference relation G between variables will be of type 

       • the result dictionary A will be of type 
*)

use fmap.Fmap as D
clone fmap.MapApp as Dvar with type key = var, val eq = eq


(** {2 Define functions on relations and dictionaries } *)

(** Define the remove (rem) operation on the interference relation.  *)

val map_remove (v : var) (g : Dvar.t Svar.set) : Dvar.t Svar.set
    ensures MapRemDomain { forall k. D.mem k result <-> D.mem k g }
    ensures MapRemValue { forall k. D.mem k result ->
                          D.find k result == Svar.remove v (D.find k g) }
    ensures MapRemSize { Dvar.size result = Dvar.size g }

let function rem (v : var) (g : Dvar.t Svar.set) : Dvar.t Svar.set
    requires RemReq { D.mem v g }
    ensures RemRemove { not D.mem v result }
    ensures RemDomain { forall k. D.mem k result <-> k <> v /\ D.mem k g }
    ensures RemValue { forall k. D.mem k result -> D.find k result == Svar.remove v (D.find k g) }
    ensures RemSize { Dvar.size result = Dvar.size g - 1 }
=
    let remv = Dvar.remove v g in
    map_remove v remv

(** Define the merge operation on the interference relation. *)

let function replace (v u : var) (s : Svar.set) : Svar.set
    requires ReplaceDiff { v <> u }
    ensures ReplaceTarget { mem u result = (mem u s \/ mem v s) }
    ensures ReplaceRemove { not mem v result }
    ensures ReplaceOther { forall w. w <> u -> w <> v -> mem w result = mem w s }
  =
    if Svar.mem v s
    then Svar.add u (Svar.remove v s)
    else s

val map_replace (v u : var) (g : Dvar.t Svar.set) : Dvar.t Svar.set
    ensures ReplaceDomain { forall k. D.mem k result <-> D.mem k g }
    ensures ReplaceValue { forall k. D.mem k result ->
                                     D.find k result == replace v u (D.find k g) }
    ensures ReplaceSize { Dvar.size result = Dvar.size g }


let function merge (v u : var) (g : Dvar.t Svar.set) : Dvar.t Svar.set
    requires MergeReq1 { v <> u }
    requires MergeReq2 { D.mem v g /\ D.mem u g }
    ensures MergeDomain { forall k. D.mem k result <-> k <> v /\ D.mem k g }
    ensures MergeValue { D.find u result == union (replace v u (D.find u g))
                                                  (replace v u (D.find v g)) }
    ensures MergeValueDiff { forall k. D.mem k result -> k <> u ->
                             D.find k result == replace v u (D.find k g) }
    ensures MergeSize { Dvar.size result = Dvar.size g - 1 }
=
    let g1 = map_replace v u g in
    let gu = if Dvar.mem u g1 then Dvar.find u g1 else Svar.empty () in
    let gv = if Dvar.mem v g1 then Dvar.find v g1 else Svar.empty () in
    let g2 = Dvar.add u (Svar.union gu gv) g1 in
    assert { Dvar.size g2 = Dvar.size g };
    Dvar.remove v g2


(** Define the available operation on the result dictionary. *)

let rec function all_from (s : Svar.set) (a : Dvar.t var) : Svar.set
    variant { cardinal s }
    ensures AllFrom { forall v. mem v result <->
                                exists k. mem k s /\ D.mapsto k v a }
=
   if Svar.is_empty s
   then Svar.empty ()
   else let k = Svar.choose s in
        let sk = Svar.remove k s in
        let allk = all_from sk a in
        if Dvar.mem k a
        then Svar.add (Dvar.find k a) allk
        else allk

let available (s : Svar.set) (a : Dvar.t var) (r : Svar.set) : option var
    ensures Available
            { match result with
              | None -> forall u. mem u r ->
                                  exists v. mem v s /\ D.mapsto v u a
              | Some res -> mem res r /\
                            forall v. mem v s -> D.mem v a ->
                                      res <> D.find v a
              end }
=
    let free_r = Svar.diff r (all_from s a) in
    if Svar.is_empty free_r
    then None
    else Some (Svar.choose free_r)


(** We also define the identity dictionary built from a given set. *)

let rec init (r : Svar.set) : Dvar.t var
    variant { cardinal r }
    ensures InitDomain { forall u. Dvar.mem u result <-> mem u r }
    ensures InitValue  { forall u. Dvar.mem u result -> Dvar.find u result = u }
=
   if Svar.is_empty r
   then Dvar.create ()
   else let u = Svar.choose r in
        let initu = init (Svar.remove u r) in
        Dvar.add u u initu


(** {2 Functions given : pick and coalesce } *)

val pick (g : Dvar.t Svar.set ) (r : Svar.set) : option var
    ensures Pick { match result with
                   | None -> forall v. D.mem v g -> mem v r
                   | Some v -> D.mem v g /\ not mem v r
                   end }

val coalesce (g : Dvar.t Svar.set) (v : var) : option var
    ensures Coalesce { match result with
                       | None -> true
                       | Some u -> u <> v /\ Dvar.mem u g /\ not mem v (Dvar.find u g)
                       end }

(** {2 Define properties of our data structures } *)

predicate no_collision (g : Dvar.t Svar.set) (a : Dvar.t var) =
    forall u v. Dvar.mem u g -> Dvar.mem v g -> Dvar.mem u a -> Dvar.mem v a ->
                mem v (Dvar.find u g) ->
                Dvar.find u a <> Dvar.find v a

predicate irrefl (g : Dvar.t Svar.set) =
     forall u. Dvar.mem u g -> not mem u (Dvar.find u g)

predicate sym (g : Dvar.t Svar.set) =
     forall u v. Dvar.mem u g -> Dvar.mem v g ->
                 mem v (Dvar.find u g) -> mem u (Dvar.find v g)

(** Symmetry is preserved by merge in our use case. *)

lemma sym_merge :
      forall v u g. sym g -> irrefl g -> Dvar.mem u g -> Dvar.mem v g ->
                    v <> u -> not mem v (Dvar.find u g) ->
                    sym (merge v u g)
      by forall x y. let mg = merge v u g in
      	 Dvar.mem x mg -> Dvar.mem y mg ->
         mem x (Dvar.find y mg) -> not (mem y (Dvar.find x mg)) -> false
	 by if x = u then if y = u then false else false
            else if y = u then false else false


(** {2 Iterated Register Coalescing algorithm } *)

(** We assume that the variables in the A dictionary have already been replaced
    by their corresponding register so that we don't need a parameter for A.
    This is the same as assuming that A is injective. We show that this is a
    needed property by giving a counterexample. Assume that variables v₁, v₂ and
    v₃ are such that v₁ and v₂ are mapped to register r₁ in A. Also assume that
    variable v₃ is not yet assigned a register and that v₂ and v₃ interfere.
    Then, by coalescing v₁ and v₃, we see that v₃ is assigned r₁, hence the
    contradiction. *)

let rec irc (g : Dvar.t Svar.set) (r : Svar.set) : Dvar.t var
    requires InclReg { forall v. mem v r -> Dvar.mem v g }
    requires Irrefl { irrefl g }
    requires Sym { sym g }
    variant { Dvar.size g }
    ensures ResDomain { forall u. Dvar.mem u result <-> Dvar.mem u g }
    ensures ResImage { forall u v. Dvar.mapsto u v result -> Dvar.mem v g }
    ensures ResInit { forall k. mem k r -> Dvar.mapsto k k result }
    ensures NoCollision { no_collision g result
    by forall u v. Dvar.mem u g -> Dvar.mem v g -> Dvar.mem u result -> Dvar.mem v result ->
                   mem v (Dvar.find u g) ->
                   Dvar.find u result = Dvar.find v result -> false
           }
=
    let ghost ref gr = 0 in
    match pick g r with
    | None -> init r
    | Some v -> match coalesce g v with
                | None ->
                    let s = Dvar.find v g in
                    let a = irc (rem v g) r in
                    match available s a r with
                    | Some av -> Dvar.add v av a
                    | None -> gr <- 1; Dvar.add v v a end
                | Some u ->
                    let a = irc (merge v u g) r in
                    Dvar.add v (Dvar.find u a) a
                end
    end

why3-1.6.0/examples/verifythis_2018_register_allocation/000077500000000000000000000000001440160026300232015ustar00rootroot00000000000000why3-1.6.0/examples/verifythis_2018_register_allocation/why3session.xml000066400000000000000000000233611440160026300262260ustar00rootroot00000000000000







 
 
 
 
 
 
 
 
  
  
  
  
  
  
  
  
  
  
  
  
 
 
 
 
 
 
 
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
 
 
 
 
 
 
 
 
 
 
  
  
  
  
  
  
  
  
  
  
  
  
 
 
 
 
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
 
 
 
 
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
   
   
    
    
    
    
    
    
   
   
   
   
   
  
  
 
 



why3-1.6.0/examples/verifythis_2018_register_allocation/why3shapes.gz000066400000000000000000000115441440160026300256460ustar00rootroot00000000000000[Yo$7~ׯxp!4Ыd:ZG%dh;Z`D0w0ÿpWwyN\+s)N.~:wp}~;q7=^opKB~?*wl-{ܸr#}هsآ$O׏I`vʼ"E|_'Bɴ<|+:a|{xw#:+g߰on>`2Or-/G0(*ֶ|WY%QUcļPd?50,eF;@vEma/}o^꼖|URSΩ)]+&/+b|w^r
FI]U2SEYƒcɚ4ٲ:r-KܗJӎz\
e蒵9_%<~Mynuen$7	-
a?PFJsI;Km{?"l8Rbq"'ZaE[fD;sOچKn?읍FS{vOsyz}
Rf/j2͜C>u1Y{l2խ<>=a.'ddtX3ApqCoa<0;`y.O>sCl;t]KrWpں\!짦.i]DZ^^o潶,?qҧw4Gٽ2ҪC?+TC{ZB^UmG~udNR1YQ &9]6Me蔽H2Ĺa** W+>_ƚtBT/x
/:}Ӵ'y}[\ЬEBJ۴s֙)̂X61~݈S^fa	Ě>
o`$?<]0j<z!ku0Cw
v{oZG!2;)m֑2Ũf3%
nRQY3+4*5i&T	CMh
BmxD<l@ި~dg5ͥxih\pq8x9݈a7	2M(
3;ze~nU{Jns:QCB@HS]通;愰N,d;_cc2߻,؟ϫ;6|YGKW<1H2nmw:d㙘Г\'31z2煞,LAB"cY*?Y7ѹNRZ*sR&aXrpupRO9 z+Ym:~
u679Wt~CxEC9?*+;+:_eHP =I蕅5솅z//{&S^
g6!A~g7A&:Ш@GiBMRB~&>ȼ1}?|H#H(nfalc
z
`]En1kx1?mbA6n@5=fp?0/-҅3Gl2EC&UIEfQ1CH16x.TbA~pޯ9Jυ4Z[\'YɛGOkVMbB*Lu)gl>>b}`ky@z[L|4	P٨<I1#ۈ6'ƙ|8_? "[Гp" e^Jp*{	IĠ,8މ!O#O€̓xI!TNwhy3-1.6.0/examples/verifythis_2019_cartesian_trees.mlw000066400000000000000000000317551440160026300230600ustar00rootroot00000000000000(** {1 VerifyThis @ ETAPS 2019 competition Challenge 2: Cartesian Trees }

Author: Quentin Garchery (LRI, Université Paris Sud)
*)

use int.Int
use list.ListRich
use array.Array
use exn.Exn


(** {2 PART A : All nearest smaller value} *)

clone list.Sorted as Decr with type t = int, predicate le = (>=)

(** Implement the stack with a list *)

let function destruct l
  requires { not is_nil l }
=
  match l with
  | Cons h t -> h, t end

let function peek l
  requires { not is_nil l }
  ensures { mem result l }
=
  let h, _ = destruct l in
  h

let function tail l
  requires { not is_nil l }
=
  let _, t = destruct l in
  t

lemma destruct_peek_tail :
  forall l : list 'a. not is_nil l -> l = Cons (peek l) (tail l)

(** Compute the sequence of left neighbors *)

let smaller_left (s : array int) : array int
  (* Task 1 : left neighbor has smaller index *)
  ensures { forall y. 0 <= y < s.length -> result[y] < y }
  (* Task 2 : left neighbor has smaller value *)
  ensures { forall y. 0 <= y < s.length -> 0 <= result[y] ->
                      s[result[y]] < s[y] }
  (* Task 3 : no smaller value between an element and its left neighbor *)
  ensures { forall x z. 0 <= x < s.length ->
                        result[x] < z < x -> s[z] >= s[x] }
ensures { result.length = s.length }
=
  let n = s.length in
  let left = make n (-1) in
  let ref my_stack = Nil in
  for x = 0 to s.length - 1 do
      (* To show that the access are correct *)
      invariant { forall z. mem z my_stack -> 0 <= z < x }
      (* Good formation of the stack *)
      invariant { is_nil my_stack -> x = 0 }
      invariant { not is_nil my_stack -> peek my_stack = x-1 }
      invariant { Decr.sorted my_stack }
      (* Task 1 *)
      invariant { forall y. 0 <= y < x -> left[y] < y }
      (* Task 2 *)
      invariant { forall y. 0 <= y < x -> 0 <= left[y] ->
                            s[left[y]] < s[y] }
      (* Show that we only need to look in the stack to find the nearest smaller value *)
      invariant { forall z. 0 <= z < x ->
                  exists y. z <= y < x /\ mem y my_stack /\ s[y] <= s[z] }
      (* Task 3 *)
      invariant { forall y z. 0 <= y < x -> left[y] < z < y ->
                               s[z] >= s[y] }
      label BeforeLoop in
      while not is_nil my_stack && s[peek my_stack] >= s[x] do
            (* Good formation of the stack *)
            invariant { forall z. mem z my_stack -> 0 <= z < x }
            invariant { Decr.sorted my_stack }
            (* Remember that what was removed from the stack was too big *)
            invariant { forall z. mem z (my_stack at BeforeLoop) ->
                                  s[z] >= s[x] \/ mem z my_stack }
            (* Make sure that stack elements at the right of the current top of the stack
               were previously removed *)
            invariant { forall z. not is_nil my_stack ->
                                  mem z my_stack -> z <= peek my_stack }
            (* Task 3 *)
            invariant { forall z. not is_nil my_stack ->
                                  peek my_stack < z < x -> s[z] >= s[x] }
            invariant { forall z. is_nil my_stack -> 0 <= z < x ->
                                  s[z] >= s[x] }
            variant { Length.length my_stack }
            my_stack <- tail my_stack
      done;
      assert { not is_nil my_stack -> s[peek my_stack] < s[x] };
      if is_nil my_stack
      then left[x] <- -1
      else left[x] <- peek my_stack;
      assert { 0 <= left[x] -> s[left[x]] < s[x] };
      my_stack <- Cons x my_stack
  done;
  left

(** Same thing but for closest smaller right value :
 when there is no such value, return an integer greater than the length *)

val smaller_right (s : array int) : array int
  (* Task 1 : right neighbor has greater index *)
  ensures { forall y. 0 <= y < s.length -> result[y] > y }
  (* Task 2 : right neighbor has smaller value *)
  ensures { forall y. 0 <= y < s.length -> result[y] < s.length ->
                      s[result[y]] < s[y] }
  (* Task 3 : no smaller value between an element and its right neighbor *)
  ensures { forall x z. 0 <= x < s.length ->
                        x < z < result[x] -> s[z] >= s[x] }
  ensures { result.length = s.length }


(** {2 PART B : Construction of a Cartesian Tree} *)


use option.Option

type dir = { left : option int;
           right : option int }

type dirs = array dir

predicate parent (t : dirs) (p s : int) =
 t[p].left = Some s \/ t[p].right = Some s

inductive descendant dirs int int =
 | Self : forall t p s. p = s -> descendant t p s
 | Son_left  : forall t p s1 s2. descendant t p s1 -> t[s1].left  = Some s2 ->
               descendant t p s2
 | Son_right : forall t p s1 s2. descendant t p s1 -> t[s1].right = Some s2 ->
               descendant t p s2

predicate is_smallest (a : array int) (i : int) =
 0 <= i < a.length /\
 forall j. 0 <= j < a.length -> a[i] <= a[j]

(** Construct an array storing the eventual sons of a node *)

let construct_dirs (a : array int) : dirs
  requires { forall i j. 0 <= i < j < a.length -> a[i] <> a[j] }
  ensures { result.length = a.length }
  (* Task 2 ++, heap property :
     left and right sons have greater value than the parent
     left son is on the left in the array, right son is on the right
     between indices of parent and son there is no smaller value *)
  ensures { forall j v. 0 <= j < a.length ->
                  (result[j].left = Some v ->
                  a[v] > a[j] /\ 0 <= v < j /\ forall x. v < x < j -> a[x] > a[j]) /\
                  (result[j].right = Some v ->
                  a[v] > a[j] /\ j < v < a.length /\ forall x. j < x < v -> a[x] > a[j]) }
  ensures { forall p s. 0 <= p < a.length -> descendant result p s ->
            0 <= s < a.length /\ a[s] >= a[p] }
  (* Task3, in-order traversal :
     every "left-descendant" is located on the left in the array
     every "right-descendant" is located on the right in the array *)
  ensures { forall p1 p2 s. 0 <= p1 < a.length -> descendant result p2 s ->
            (result[p1].left  = Some p2 -> s < p1) /\
            (result[p1].right = Some p2 -> s > p1) }
  (* Task 1, well-formedness *)
  (* Every non-minimal element has a parent *)
  ensures { forall i k. 0 <= i < a.length -> 0 <= k < a.length -> a[k] < a[i] ->
            exists sm. 0 <= sm < a.length /\ parent result sm i }
  ensures { forall i. 0 <= i < a.length ->
            (is_smallest a i \/
            (exists sm. 0 <= sm < a.length /\ parent result sm i)) }
  (* Every element has at most one parent *)
  ensures { forall p1 p2 s. 0 <= p1 < a.length -> 0 <= p2 < a.length -> 0 <= s < a.length ->
            parent result p1 s -> parent result p2 s -> p1 = p2 }
  (* No cycles *)
  ensures { forall p1 p2 s. 0 <= p1 < a.length -> 0 <= p2 < a.length -> 0 <= s < a.length ->
            parent result p1 p2 -> descendant result p2 s -> p1 <> s }
=
  let n = a.length in
  let s_left = smaller_left a in
  let s_right = smaller_right a in
  let dirs = Array.make n {left = None; right = None} in
  for i = 0 to n-1 do
      (* Task 2 ++ *)
      invariant { forall j v. 0 <= j < a.length ->
                  (dirs[j].left = Some v ->
                  a[v] > a[j] /\ 0 <= v < j /\ forall x. v < x < j -> a[x] >= a[j]) /\
                  (dirs[j].right = Some v ->
                  a[v] > a[j] /\ j < v < a.length /\ forall x. j < x < v -> a[x] >= a[j]) }
      (* Show that once a parent is set-up in , it does not change *)
      invariant { forall j. 0 <= j < i ->
                  if s_left[j] >= 0 && s_right[j] >= n
                  then dirs[s_left[j]].right = Some j
                  else if s_left[j] < 0 && s_right[j] < n
                  then dirs[s_right[j]].left = Some j
                  else if s_left[j] >= 0 && s_right[j] < n
                  then if a[s_left[j]] > a[s_right[j]]
                       then dirs[s_left[j]].right = Some j
                       else dirs[s_right[j]].left = Some j
                  else true
                 }
      invariant { forall j p. 0 <= j < a.length -> 0 <= p < a.length ->
                  (dirs[p].right = Some j -> p = s_left[j] /\
                  (s_right[j] < n -> a[s_left[j]] > a[s_right[j]]) ) /\
                  (dirs[p].left  = Some j -> p = s_right[j] /\
                  (s_left[j] >= 0 -> a[s_left[j]] <= a[s_right[j]])) }
      let li = s_left[i] in
      let ri = s_right[i] in
      if li >= 0
      then if ri < n
           then if a[li] > a[ri]
                then dirs[li] <- { dirs[li] with right = Some i }
                else dirs[ri] <- { dirs[ri] with left  = Some i }
           else dirs[li] <- { dirs[li] with right = Some i }
      else if ri < n
           then dirs[ri] <- { dirs[ri] with left  = Some i }
  done;
  dirs


(** The function  finds the parent of a node and is used to define .
This last lemma function is useful to show that every node is reachable from the root *)

let par (a : array int) (dirs : array dir) (j : int)
  requires { exists sm. 0 <= sm < a.length /\ parent dirs sm j }
  requires { a.length = dirs.length }
  requires { forall j v. 0 <= j < a.length ->
                  (dirs[j].left = Some v ->
                  a[v] > a[j] /\ 0 <= v < j /\ forall x. v < x < j -> a[x] > a[j]) /\
                  (dirs[j].right = Some v ->
                  a[v] > a[j] /\ j < v < a.length /\ forall x. j < x < v -> a[x] > a[j]) }
  ensures { 0 <= result < a.length }
  ensures { parent dirs result j }
=
  assert { not a.length = 0 };
  let ref res = 0 in
  for i = 0 to a.length - 1 do
      invariant { 0 <= res < a.length }
      invariant { parent dirs res j \/ exists sm. i <= sm < a.length /\ parent dirs sm j }
      match dirs[i].left with
      | Some jl -> if jl = j then res <- i
      | None -> ()
      end;
      match dirs[i].right with
      | Some jr -> if jr = j then res <- i
      | None -> ()
      end
  done;
  res


let rec lemma all_descendant_root a dirs root j
  variant { a[j] - a[root] }
  requires { a.length = dirs.length }
  requires { forall j v. 0 <= j < a.length ->
                  (dirs[j].left = Some v ->
                  a[v] > a[j] /\ 0 <= v < j /\ forall x. v < x < j -> a[x] > a[j]) /\
                  (dirs[j].right = Some v ->
                  a[v] > a[j] /\ j < v < a.length /\ forall x. j < x < v -> a[x] > a[j]) }
  requires { forall i j. 0 <= i < j < a.length -> a[i] <> a[j] }
  requires { 0 <= j < a.length /\ 0 <= root < a.length }
  requires { is_smallest a root }
  requires { forall i. 0 <= i < a.length ->
            (is_smallest a i \/
            (exists sm. 0 <= sm < a.length /\ parent dirs sm i)) }
  ensures { descendant dirs root j }
=
  if a[j] <> a[root]
  then all_descendant_root a dirs root (par a dirs j)

(** Finds the root of the direction tree : it's the smallest element in the array *)

let find_smaller a =
  ensures { match result with
            | Some mv -> is_smallest a mv
            | None -> a.length = 0
            end }
  let ref m = None in
  for i = 0 to a.length - 1 do
      invariant { match m with
            | Some mv -> 0 <= mv < a.length /\ forall j. 0 <= j < i -> a[mv] <= a[j]
            | None -> i = 0
            end }
      match m with
      | Some mv -> if a[mv] > a[i] then m <- Some i
      | _ -> m <- Some i
      end
  done;
  m

(** The other way to define descendant. Useful here because it follows the definition of
  *)

lemma other_descendant :
 forall t p1 p2 s. parent t p1 p2 -> descendant t p2 s ->
                   descendant t p1 s

lemma inv_other_descendant :
 forall t p1 s. descendant t p1 s ->
 p1 = s \/
 exists p2. parent t p1 p2 /\ descendant t p2 s

clone list.Sorted as StrictIncr with type t = int, predicate le = (<)

(** In-order traversal, we store the indices we traversed *)

let rec traversal (a : array int) dirs top (ghost s : int) (ghost e)
  variant { e - s }
  requires { dirs.length = a.length }
  requires { 0 <= s <= e <= a.length }
  requires { forall p1 p2 s. 0 <= p1 < a.length -> descendant dirs p2 s ->
             (dirs[p1].left  = Some p2 -> s < p1) /\
             (dirs[p1].right = Some p2 -> s > p1) }
  requires { forall i j. 0 <= i < j < a.length -> a[i] <> a[j] }
  requires { match top with
             | Some top -> forall son. descendant dirs top son <-> s <= son < e
             | None -> s = e end }
  ensures { forall x. mem x result <-> s <= x < e }
  ensures { StrictIncr.sorted result }
=
  match top with
  | None -> Nil
  | Some top ->
         assert { s <= top < e by descendant dirs top top };
         let dir = dirs[top] in
         traversal a dirs dir.left s top ++
         Cons top (
         traversal a dirs dir.right (top+1) e)
  end

(** We traverse the tree  in-order from the root ,
 and we collect the indices. Last 2 arguments of  are ghost.

 We show that the result is the list [0..(a.length-1)], the in-order traversal of
 the tree traverses elements from 0 to (a.length-1)
*)

let in_order a
  requires { forall i j. 0 <= i < j < a.length -> a[i] <> a[j] }
  ensures { forall x. mem x result <-> 0 <= x < a.length }
  ensures { StrictIncr.sorted result }
=
  traversal a (construct_dirs a) (find_smaller a) 0 a.length
why3-1.6.0/examples/verifythis_2019_cartesian_trees/000077500000000000000000000000001440160026300223245ustar00rootroot00000000000000why3-1.6.0/examples/verifythis_2019_cartesian_trees/why3session.xml000066400000000000000000001276111440160026300253540ustar00rootroot00000000000000










 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
 
 
 
 
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
   
   
   
   
   
   
  
  
  
  
  
  
  
   
   
   
   
   
   
  
  
  
  
  
  
  
  
  
  
   
   
   
   
   
   
  
  
  
  
  
  
  
   
   
   
   
   
   
  
  
  
  
  
  
  
  
  
  
   
   
   
   
   
   
  
  
  
  
  
  
  
   
   
   
   
   
   
  
  
  
  
  
  
  
  
  
  
   
   
   
   
   
   
  
  
  
  
  
  
  
   
   
   
   
   
   
  
  
  
  
   
   
   
   
   
   
  
  
  
  
  
  
  
   
   
   
   
   
   
  
  
  
  
  
  
  
  
  
  
   
   
    
    
     
     
     
     
     
     
     
     
     
    
    
   
   
  
  
  
  
   
   
    
    
     
     
     
     
     
      
      
      
      
      
      
     
     
     
     
     
    
    
   
   
  
  
  
  
   
   
   
  
  
  
  
  
  
  
  
  
  
  
  
  
  
 
 
 
 
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
 
 
 
 
  
  
  
  
  
  
  
  
   
   
   
   
   
   
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
 
 
 
 
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
 
 
 
 
  
  
  
  
  
  
  
  
  
 
 
 
 
  
  
  
  
  
   
   
    
    
     
     
      
      
      
     
     
    
    
    
    
    
   
   
  
  
  
  
   
   
    
    
     
     
      
      
      
     
     
    
    
    
    
    
   
   
  
  
 
 
 
 
 
 
 
  
  
   
   
   
   
   
   
   
   
   
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
   
   
    
    
    
   
   
   
   
    
    
    
   
   
   
   
    
    
    
    
    
    
   
   
   
   
    
    
    
    
    
     
     
     
     
     
     
    
    
   
   
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
   
   
    
    
    
   
   
   
   
    
    
    
   
   
   
   
    
    
    
    
    
    
   
   
   
   
    
    
    
    
    
     
     
     
     
     
      
      
      
     
     
    
    
   
   
  
  
  
  
   
   
   
   
   
   
  
  
  
  
   
   
   
   
   
   
  
  
 
 
 
 
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
   
   
   
   
   
   
   
   
   
   
   
   
  
  
  
  
  
  
  
  
 
 



why3-1.6.0/examples/verifythis_2019_cartesian_trees/why3shapes.gz000066400000000000000000000402141440160026300247650ustar00rootroot00000000000000}Yoe7~ު/ 	42<\e\ru|AjqJ~*+O9C?xϹ[|	/·"$<_]gQ&u,yёm=#~ݯ>݆v{*7uɕ`8}{kdDƶzݠw#/η_E`^U>9nw{h~YH?kKI~hLDm_*֤VSmjp@Ig4
߽{V?:_*_VF;|ُ/PR!ٗȦL97|93r9Divm2zDݸݚ=C7uabAFQ}rkˮ>VCw#ܠ+m-ؽ0i:Vc*gƃr=vg~]؁`Z
|~9蔬-}%F }a$q?ξC;{~>^syHN¨.Fuq1/0
:
w}L~tKj+gg??esۏw)Ruk߶%8v8=?wKEWb*j|VbCxx'㮍!c%{f]_ٖ]y3YOyZch?Omh!mrɼ9"3LPR_RS</qH6Z하 -	&@a;o=*M>wRͻ녴c-`ˍ`g	`X;JwCM>Cֺs@)غV^8O
lU%zaHP[sz*}Q]Q޳}r0˺GÍ7t0efVI&JD5b*&
 .wETUc_jY|:jb_M/\OQYLP$~R9u\M&DjM
j7ǶW'vqsޘ)Wk\=I<ۑT
i,T2
7&X4}Oh(4nNвZnh^ZoDVQTqVOsП	??Ty\J4m\ᢦĤ~LM7̕EE1x&Pn5wA׵.@ȥo:N0>WêaыڦCr*[6ӽdpa#aGCiw0G٢Kn?Ͽ\q"5Ze?63XX2vqz4&?-~GٛCwZA3d>TgMda]}#BV:&7rE4P
\@nq>ٻɪP~@\v{WnI0:>l=NwyYǯo?>vW0W{g͠䬸g8+3̳O)^ڿBY-
UYRVM-!69v#KPnh|HZQCY@
yBZoajR<Cp?!:Dٳ=J]T^0eS|կV(v BxwP6U6dMM?W834CsR^:?>h?Mi͎jtiP8~tgz@/0O=I'|ȳ<2T!P({䏫L~jyg4QDUPt0Xzˠpݲ'PϯB96Ak&C"BUVޡf]Vj?~bf	1]LqLV>֕.ށf+{%/h|⛊ԤOթLRu-ZvB?a`q9Bޝy|,nCM^
4uT,ػ[&"h\=)1vt߯|oXF):+6UY'\\ysO|
[s$_'
u56:ljtgq68;Ev^姖=F0֐:`hmzM
;ZJ~iE~3<үQQDc"]g9mh#ϋ%$iEUv#FXX5FmeNz2jk~'Zlk~Ay#Vvz\~|٭Ⱥ=mDUUr,ج6j7n.%l*Hnt`=iV#]Sj_"wBlu䜌hXea u.:/N*s7NGoџ[(2Mun[}Sر外6̘X/PQYR73)l\8G޼65ɏ]Wn-@5=tWq̾J)W`y፤mD
Z8yZGTzƭ&ݺteu7G1B}+oe2$+Z'lj̦+vEE"&K+j6 a_/f޼׭m4v=-o]@=;u|b7uWvRF>7:9İT&=+׷}FTѶ}5ǖk)v\mjݛ*/o:s	ᯎX܎w2n[o*TcؙdU.̶iFqaWpCT|XET|1 Ym]BC5D۠RmwdJC֝oK(S.:=_}i]E>Q{دu^W>En~T}wpldSoi$tdiţ11SB]핲 娮w(8o]Ԇ]H3/gWa:y=s){4(dLչ^45A5(~rOINW2{uj.k-'/zĢI٤XxihF1{Zl6
(amo@!H>Z-cnE_ÑL6]>-8ˣxJsei-r^^ƒa<|^̰S㉜Դ-+ێ3ϟXgZgLX%9%}ն_!C?ן
/ull7PN0_<vkۢ@~-nC|jPpr?MaܤuwrwCyuJF;un	脝YtpYEhx
5_>$}~X>utr}._tmlE?U Iϖ/p^bu,oYd#̇i)X>
Zq"j,OG=(('m(3Lߡ|ׁуG7?A=t8r(n@.1SEӰij+75.lfyViv{օN-.O[0UximLiG?߽S9;d2|yâ--m׾M[LO=a"Н?j,VibmV}tاFTFgytJEq㝨Ҿlonty]czemv+]@ڀrUW.N{s14z	S{BLJnЎvn/
.U_3]aqo+~U*(]sIHҝqrs92r^"nw%VZ[\+>znrz|*~48jQO6b]_/w\/ Y/*KmegseVIoVhjeפnmMO3F*Oکh1h,5_oi}a1o7H}-"4_	ޏU~gȮdQvo_[SMG[o:iU=4#{4 5bz9u't	޷a!箚i	aoՙl>u"3nPz$75aj3sH8$szB-8~,p\:p9-s
k&]&5]ĂOc}"^fls,<1֬;Qu"^92󍷏jX!ߖ&JĈ	L{cS[,࿴2_}滯{(^9pǛICHzEz޹7g9{$Z|xi3j+75^pp3nf30GW7߆3rd]lؿ
yF[t-Щ}mڇ.֠mmZ-M˩_7qXVm2:+uk57ۺ;NFX]]J(L6SFs
~4ds.›\d&ϚC"Tz?yHlCDyAuwmg55!w9#(m8AFθe!Qvؖ}5xs[#`޵8mMg1~cߞⵦ29n[ݯvl?'gfM[VPcuhYzm=o2+Lv,n	5b~40K᧜uW7ze(ԄBA![|	#:XlƉ[
F۹%z+y:e1yK.
㫬&Y׀V|#|;n1\Zږʚ`wq^lfXyLn#rsFtzʏM8t4|
F|QT(,7kivK!X?Sι\j;ezK[m|ToFbiUs֯m31]]|wksK?XIiۢ^e!	s`״$4f\^/?ͪu,6eي3'Sa%%s VO3܎nZzVoAWe:_5OmSaKiEϣҾ+ӗLfiqT-$~kPM&'7Fo+(|6]}=]_Efad]|_^ke׋rXɚqY{c-uldCQl=P+7N޸	7S5'І@5'TnsvxE`
gP\}p|ÃM}?}ٍɛ|г䱸MIEf&n-~UbR+UUkboNt̾ޠIۿuNmwD~Se5TƩ7ï歙ADP*d}iFdzg+|?sUVl6olj.fh|3!m&cbcV6zL؋{ۤ^65QSwJ5NI|X<U92aFx3V}V_mu0dXN,>}8^߯ƶɇ%^b0<{b]'Ƚ bc~6YР.me?/{85MS+ĶV=
Dku]טKx0mj}Z}5|*uq
oT6PuQ~NЂ߇=5f|_άCVmzUӰ	&,#X̦lQl:Oq^DKR;vk·}TK$w;r楝s#Ts
&%⊯|h^=j2
myZ37-hmQN+/0\v1=@M>a4=s֏v4}phXm4G׏nhd™$r*f痕aYM#Ɔ|6qkݢo+nhgG$zZU
C»YZlqQKPÙR-'Okss5@lCїIBn
[Mtv+Y$S4w87lz}Mfz;ta1nאp}>lix}ǖcƤǗ*X2L(54äA"5|@SSSoF.h{Z)]w
>UG[WNѶ|1-=ŬN3]Vۅ6||>xӱ;ԈSVӮs]5s7P{Ěȁuqqe\g;-rd\?<kּWsRfӼKh^ܡ9P溇5=Ma$X\gT?jc-zjǜv6Ѻ1z˄v]~quP}1cdz/ԳiLXbUjN
)x&v7{ԓkj=zδfs,sr,fj!_'o|=zֵrAqbZXRk{qn?t)OggNXl!$B:W,XNȜI{-EùRWJ)J"X\dD>wWʜ;+brR.xK0\\q~ٕD%9eJ+F`\Je0`SE[=<$5rzBAEX)mܠ顖ePYq
T_+y.ĕW]q)#H.ɜ(Y8-\4PPWB>HaD.sq
]	{%c,FY]bFŹHf(ɺ),ɮ,\pLpea0
K^I˟h8
UTGj=x1D.e@+v%tW>tR	7*!>:J])yD'\g@yX2ƥubMM8J+J+宔RJ釹dȘP`:RqB+ )
CZsC}y(|=|Qu,p&J+^%FJ1ᆠYЏ@4(O_UBe(Y;dz
7l(J!8D>#g_LJ~`*Pb^!q80#ʚ+ʊ+˯,2p[&L#&Fxedbz[_7:KgaҴOB%O00oǯ;
'&5D
s	Ns,S4,T?$D|3͟d2
Xƌnw0",L@3O{E)8Z)
9%1QNG(6k*)\ס;9"TE+x,6hЊ6N1k3he%VצgK	7˘#YצuHV1ɅP*Eqa
µlk%!dxUq6>њ69$7yF(E#L~=}Y'ɽN1 `exdNϴM>tTT>VzDLe6;b/!4"sh*`J	C5%AD$`J%	!=GI)=Ԫ>W;`*+R)S|¨Wb)CSI
WX߅Rt'P4pGո]a&
^6p+zKLZJ๷BVft*)D+B072M0!x#76G< T؃+	yeSVŠqEР-hAGxZPHAoDd9n
CiL
`1⏢T	
6\Al]䘍ӱt/6xjija)!C:Т4b1
ːZ"Zg0'`udiu
msmat-uD2EE5)I/mӪ+c# :yJRdr`0e?L#ż)J!~Ő2b4nП}rr
8lFjSYدLKP1$J(PVaAR.^Γr
^Đ
ƖZ$f"*~x[i`<-,>fa:MS%9+SXα@Ж"ڵ!H:-V;M`tWR#άފ䐝gJ 4*& ^+n͂"M1eUrDNAb̂
#ҥUȑa.0&)&^2@
(T2ɘ!U`4LX6eYEw޸ pj|;:C*HstFG>Ia!%Y3ba~4/1
pFEH AdF{1\3U$yc
Hf^Vm
pچ %YS~C!>x?/{L-F|".t~RIz~[])D3x&\|b%		e4ΦR\`FT^8wcdvB|4hJ!oSnfmul6 p4ã+ȆT0:>	2h;0īz@#YćA[RҴ^R1H4v@j+1P._w,	3\RJU3Ϟ홿9G1ٝ;#(oWYF5rcANBt9=LD𓒒	!0x%`R-*f_cD2ijFHuG}Lx<@`_%?5}!?6H.B.bݦMclk-	2Bo, v	ҴWu84\
&#GؙsVG'T`%CU,!Q21(6$
3OLwg'5odF=MFՋzz	' @1u)KDq`+C%iL,Q+BA9\aR]du])NPԠ<9VA"pQbgaFP TN+2/:4XmWO(JJ2	i7&eC_WR	D@hE$UzDR4tKxK rAW=``mbp߅m(K{`,,#vM6_S""41'[%7VmDkXEP*	#MYdBPNqIp kPC'aPY698&B ;L̬2/S\I+2y}/#gQr6`a-J`,.>A;=9a%WiW_mY( 2˽|7gQi+H;c\.EEPJMYYGK)sy_
1b2[rNq"3|b;a
ݙ)32Ĝ68e=_\|	Ӹ&%s]k[$iww!`	f3L-c:X%Ȅ؀%kku5S	t@IwO9rYmf8oKWO*-ssu̩ɰ:cl
T,v.BH'38]LJsCo*kF!?ByS94{16ph-sxc@7A
9wVL#FP.Is)SKC+`a>7|xa0ɪ8ӫ_$"c9액R%9f6"TJ+
vOW .Z٘DXk.lGġ#2i߆Z-!6Pvv>s.1/8K
3yXoK*/GW3M,ћLYz)iIW7qB6Iu6(VތF$ct%UC-ϴ6߭ҧߊFݠh]4!Pz/(	z1ӛ-m!`ؗ5BIBOt^r\n<"J+L
1isq14|NҨT[ĭ&AA<9	Y0->0kHX
-O?PJAZo`EvpCQ( w\Vr;uӪrTU;FUzL3Ҿ\NЃY{"4k5Df	lꍣ6{(˖"i5Iap߲lܶʔ\͉l"eU\a)3;ˍk*hJzhN3!jp$X3X:T
E[t'>.(why3-1.6.0/examples/verifythis_2019_ghc_sort.mlw000066400000000000000000000304411440160026300215040ustar00rootroot00000000000000(** {1 VerifyThis @ ETAPS 2019 competition Challenge 1: Monotonic Segments and GHC sort }

Author: Quentin Garchery (LRI, Université Paris-Sud)
*)


use int.Int
use seq.Seq
use seq.OfList
use seq.FreeMonoid
use array.Array
use map.Occ
use list.ListRich
use bool.Bool
use exn.Exn


(** {2 PART A : Monotonic Segments} *)


clone list.Sorted as StrictIncr with type t = int, predicate le = (<)
clone list.RevSorted with type t = int, predicate le = (<=)

use list.FoldRight

let function eqb (b1 b2 : bool) : bool
  ensures { result <-> b1 = b2 }
=
  andb (implb b1 b2) (implb b2 b1)

(** Use a type invariant that ensures that the sequence represents the list.
  It is useful to get a nice specification when dealing with first and last
  elements of the list (begin-to-end property) *)
type list_seq = {
  list : list int;
  ghost seq : seq int
} invariant {
  seq = of_list (reverse list)
} by {
  list = Nil;
  seq = Seq.empty
}

let constant nil : list_seq
= { list = Nil;
    seq = Seq.empty }

let extend a lseq
  ensures { result.list = Cons a lseq.list }
=
  { list = Cons a lseq.list;
    seq = snoc lseq.seq a }

(** Compute the monotonic cutpoints of a sequence *)

let cutpoints (s : array int)
  requires { Array.length s > 0 }
  (* Begin-to-end property *)
  ensures { get result.seq 0 = 0 }
  ensures { get result.seq (Seq.length result.seq - 1) = Array.length s }
  (* Non-empty property *)
  ensures { length result.list >= 2 }
  (* Within bounds property *)
  ensures { forall z. mem z result.list -> 0 <= z <= Array.length s }
  (* Monotonic property *)
  ensures { forall k. 0 <= k < Seq.length result.seq - 1 ->
                      let ck = get result.seq k in
                      let ck1 = get result.seq (k+1) in
                      (forall z1 z2. ck <= z1 < z2 < ck1 -> s[z1] < s[z2]) \/
                      (forall z1 z2. ck <= z1 < z2 < ck1 -> s[z1] >= s[z2]) }
  (* For the next part, we also need the cutpoints list to be decreasing *)
  ensures { forall i j. 0 <= i < j < Seq.length result.seq ->
            get result.seq i <= get result.seq j }
=
  let n = s.length in
  let ref cut = extend 0 nil in
  let ref x = 0 in
  let ref y = 1 in
  let ref increasing = True in
  while y < n do
        variant { n - y }
        invariant { y = x + 1 }
        invariant { 0 < y <= n+1 }
        invariant { Seq.length cut.seq > 0 }
        invariant { get cut.seq 0 = 0 }
        invariant { get cut.seq (Seq.length cut.seq - 1) = x }
        invariant { forall z. mem z cut.list -> 0 <= z <= n }
        invariant { forall k. 0 <= k < Seq.length cut.seq - 1 ->
                    let ck = get cut.seq k in
                    let ck1 = get cut.seq (k+1) in
                    (forall z1 z2. ck <= z1 < z2 < ck1 -> s[z1] < s[z2]) \/
                    (forall z1 z2. ck <= z1 < z2 < ck1 -> s[z1] >= s[z2])}
        invariant { forall i j. 0 <= i < j < Seq.length cut.seq ->
                    get cut.seq i <= get cut.seq j }
        label StartLoop in
        increasing <- (s[x] < s[y]);
        while y < n && eqb (s[y-1] < s[y]) increasing do
              variant { n - y }
              invariant { y at StartLoop <= y <= n }
              invariant { (forall z1 z2. x <= z1 < z2 < y -> s[z1] < s[z2]) \/
                          (forall z1 z2. x <= z1 < z2 < y -> s[z1] >= s[z2]) }
              y <- y + 1
        done;
        cut <- extend y cut;
        assert { get (cut.seq at StartLoop) (Seq.length cut.seq - 2) = x };
        assert { forall k. 0 <= k < Seq.length cut.seq - 2 ->
                 get cut.seq k at StartLoop = get cut.seq k /\
                 get cut.seq (k+1) at StartLoop = get cut.seq (k+1) };
        x <- y;
        y <- x+1;
  done;
  label AfterLoop in
  if x < n then cut <- extend n cut;
  assert { get cut.seq (Seq.length cut.seq - 1) = n };
  assert { forall k. 0 <= k < Seq.length cut.seq - 2 ->
           get cut.seq k at AfterLoop = get cut.seq k /\
           get cut.seq (k+1) at AfterLoop = get cut.seq (k+1) };
  cut


(** {2 PART B : GHC Sort} *)


lemma reverse_sorted_incr :
  forall l. Decr.sorted l -> Incr.sorted (reverse l)
  by Decr.sorted l /\ Incr.sorted Nil /\ compat l Nil

let rec lemma lt_le_sorted (l : list int)
  variant { l }
  requires { StrictIncr.sorted l}
  ensures { Incr.sorted l }
=
  match l with
  | Cons _ (Cons h2 t) -> lt_le_sorted (Cons h2 t)
  | _ -> ()
  end

(** Get an ordered list from a monotonic list *)
let function order l
  requires { StrictIncr.sorted l \/ Decr.sorted l }
  ensures { Incr.sorted result }
  ensures { permut l result }
=
  match l with
  | Nil -> l
  | Cons _ Nil -> l
  | Cons h1 (Cons h2 _) ->
      if h1 < h2
      then (assert { Incr.sorted l by StrictIncr.sorted l }; l)
      else (assert { Decr.sorted l }; reverse l)
  end

(** Get a monotonic list from two cutpoints in the array *)
let rec list_from (a : array int) s e
  variant { e - s }
  requires { 0 <= s <= Array.length a }
  requires { 0 <= e <= Array.length a }
  requires { (forall z1 z2. s <= z1 < z2 < e -> a[z1] < a[z2]) \/
             (forall z1 z2. s <= z1 < z2 < e -> a[z1] >= a[z2]) }
  ensures { forall x. num_occ x result = occ x a.elts s e }
  ensures { forall x. mem x result -> exists z. s <= z < e /\ a[z] = x }
  ensures { (forall z1 z2. s <= z1 < z2 < e -> a[z1] < a[z2]) -> StrictIncr.sorted result }
  ensures { (forall z1 z2. s <= z1 < z2 < e -> a[z1] >= a[z2]) -> Decr.sorted result }
  ensures { StrictIncr.sorted result \/ Decr.sorted result }
=
  if s >= e then Nil
  else Cons a[s] (list_from a (s+1) e)

let rec lemma occ_slice (a : array 'a) (c1 c2 c3 : int)
  variant { c3 - c2 }
  requires { 0 <= c1 <= c2 <= c3 <= Array.length a }
  ensures { forall x. occ x a.elts c1 c3 = occ x a.elts c1 c2 + occ x a.elts c2 c3 }
= if c3 <> c2 then occ_slice a c1 c2 (c3-1)

(** Get sorted lists from the cutpoints *)
let rec sorted_lists (s: array int) (cutp : list_seq)
  requires { length cutp.list > 0 }
  (* This is where we need cutpoints to be sorted *)
  requires { forall x y. 0 <= x < y < Seq.length cutp.seq -> get cutp.seq x <= get cutp.seq y }
  requires { forall z. mem z cutp.list -> 0 <= z <= Array.length s }
  requires { forall k. 0 <= k < Seq.length cutp.seq - 1 ->
                      let ck = get cutp.seq k in
                      let ck1 = get cutp.seq (k+1) in
                      (forall z1 z2. ck <= z1 < z2 < ck1 -> s[z1] < s[z2]) \/
                      (forall z1 z2. ck <= z1 < z2 < ck1 -> s[z1] >= s[z2]) }
  variant { cutp.list }
  ensures { forall l. mem l result -> Incr.sorted l }
  ensures { forall x. let first = get cutp.seq 0 in
                      let last  = get cutp.seq (Seq.length cutp.seq - 1) in
                      num_occ x (fold_right (++) result Nil) = occ x s.elts first last }
=
  let ls = cutp.list in
  let seq = cutp.seq in
  match ls with
  | Nil | Cons _ Nil -> Nil
  | Cons h1 (Cons h2 t) ->
      assert { let k = Seq.length cutp.seq - 2 in
               h2 = get cutp.seq k /\ h1 = get cutp.seq (k+1) };
      let seqi = list_from s h2 h1 in
      let lseq = { list = Cons h2 t; seq = seq[0..(length seq - 1)] } in
      (* occ_slice s.elts (get seq 0) (get lseq.seq (Seq.length lseq.seq - 1)) *)
      (*               (get seq (Seq.length seq - 1)); *)
      assert { Incr.sorted (order seqi) };
      Cons (order seqi) (sorted_lists s lseq)
  end

(** The merge of mergesort ! *)
let rec merge l1 l2
  variant { length l1 + length l2 }
  requires { Incr.sorted l1 }
  requires { Incr.sorted l2 }
  ensures { Incr.sorted result }
  ensures { permut result (l1 ++ l2) }
=
  match l1, l2 with
  | Nil, l | l, Nil -> l
  | Cons h1 t1, Cons h2 t2 ->
    if h1 < h2
    then (assert { forall x. mem x (t1 ++ l2) -> h1 <= x };
         Cons h1 (merge t1 l2))
    else (assert { forall x. mem x (l1 ++ t2) -> h2 <= x };
         Cons h2 (merge l1 t2))
  end

(** Merge pair by pair for efficiency *)
let rec merge_pair ls
  variant { length ls }
  requires { forall l. mem l ls -> Incr.sorted l }
  ensures { length result <= length ls }
  ensures { length ls > 1 -> 0 < length result < length ls }
  ensures { forall l. mem l result -> Incr.sorted l }
  ensures { permut (fold_right (++) result Nil) (fold_right (++) ls Nil) }
=
  match ls with
  | Nil | Cons _ Nil -> ls
  | Cons l1 (Cons l2 r) -> Cons (merge l1 l2) (merge_pair r)
  end

(** Repeat previous merge *)
let rec mergerec ls
  requires { forall l. mem l ls -> Incr.sorted l }
  variant { length ls }
  ensures { Incr.sorted result }
  ensures { permut result (fold_right (++) ls Nil) }
=
  match ls with
  | Nil -> Nil
  | Cons l Nil -> l
  | Cons _ (Cons _ _) -> mergerec (merge_pair ls)
  end

use seq.Occ as SO
use seq.OfList
(** Show that the result of  has the same length has the initial array *)
(** By induction, when increasing the size of the sub-array by one, we remove the new
 element in the corresponding array (use  to find the index to remove) *)
let rec find (seq : seq int) (v : int) (s e : int)
  variant { e - s }
  requires { 0 <= s < e <= Seq.length seq }
  requires { SO.occ v seq s e >= 1 }
  ensures { s <= result < e /\ get seq result = v }
=
  if get seq s = v then s
  else find seq v (s+1) e

let rec lemma same_occs_same_lengths (a : array int) (seq : seq int) (s : int)
  variant { Array.length a - s }
  requires { 0 <= s <= Array.length a }
  requires { forall x. occ x a.elts s (Array.length a) = SO.occ x seq 0 (Seq.length seq) }
  ensures { Seq.length seq = Array.length a - s }
=
  let na = Array.length a in
  let ns = Seq.length seq in
  if s = na
  then (assert { ns > 0 -> SO.occ (get seq 0) seq 0 ns > 0 }; ())
  else (assert { ns = 0 -> false by SO.occ a[s] seq 0 ns = 0 };
       let i = find seq a[s] 0 ns in
       let rem_as = seq[0..i] ++ seq[i+1..ns] in (* seq where a[s] is removed *)
       assert { forall x. (if x = a[s]
                then SO.occ x seq 0 ns = SO.occ x rem_as 0 (ns-1) + 1
                else SO.occ x seq 0 ns = SO.occ x rem_as 0 (ns-1))
                by seq == Seq.(++) seq[0..i] (Seq.(++) seq[i..i+1] seq[i+1..ns])
                so SO.occ x seq 0 ns = SO.occ x seq[0..i] 0 i +
                                       SO.occ x seq[i..i+1] 0 1 +
                                       SO.occ x seq[i+1..ns] 0 (ns-i-1)
                so SO.occ x rem_as 0 (ns-1) = SO.occ x seq[0..i] 0 i +
                                              SO.occ x seq[i+1..ns] 0 (ns-i-1) };
       same_occs_same_lengths a rem_as (s+1))

let rec lemma num_occ_seq_occ (l : list 'a) (x : 'a)
  variant { l }
  ensures { num_occ x l = SO.occ x (of_list l) 0 (length l) }
=
  match l with
  | Nil -> ()
  | Cons h t -> assert { of_list l = Seq.(++) (singleton h) (of_list t) /\
                         if x = h
                         then SO.occ x (singleton h) 0 1 = 1
                         else SO.occ x (singleton h) 0 1 = 0 };
                num_occ_seq_occ t x
  end

let sort_to_list a =
  requires { Array.length a > 0 }
  ensures { Incr.sorted result }
  ensures { forall x. occ x a.elts 0 (Array.length a) = num_occ x result }
  ensures { length result = Array.length a }
  let res = mergerec (sorted_lists a (cutpoints a)) in
  same_occs_same_lengths a (of_list res) 0;
  res

use array.IntArraySorted
use array.ArrayPermut
use option.Option
use list.NthNoOpt

(** Copy a list in an array, element by element, starting at a given index *)
let rec copy_list (l : list int) (a : array int) (s : int) : unit
  variant { l }
  requires { s >= 0 }
  requires { length l = Array.length a - s }
  ensures { forall x. s <= x < Array.length a -> a[x] = nth (x - s) l }
  ensures { forall x. 0 <= x < s -> a[x] = (old a)[x] }
  ensures { forall x. occ x a.elts s (Array.length a) = num_occ x l }
=
  match l with
  | Nil -> ()
  | Cons h t -> a[s] <- h; copy_list t a (s+1)
  end

let rec lemma mem_nth_in_bounds (l : list 'a) (j : int)
  requires { 0 <= j < length l }
  ensures { mem (nth j l) l }
=
  match l with
  | Nil -> ()
  | Cons _ t -> if j > 0 then mem_nth_in_bounds t (j-1)
  end

(** Useful to deduce sorted on arrays from sorted on lists *)
let rec lemma sorted_list_nth (l : list int) (i j : int)
  variant { l }
  requires { Incr.sorted l }
  requires { 0 <= i <= j < length l }
  ensures { nth i l <= nth j l }
=
  match l with
  | Nil -> ()
  | Cons _ t -> if i > 0 then sorted_list_nth t (i-1) (j-1)
  end

let ghc_sort a
  ensures { sorted a }
  ensures { permut_all a (old a) }
=
  if Array.length a = 0 then ()
  else let l = sort_to_list a in
       assert { length l = Array.length a };
       copy_list l a 0


why3-1.6.0/examples/verifythis_2019_ghc_sort/000077500000000000000000000000001440160026300207615ustar00rootroot00000000000000why3-1.6.0/examples/verifythis_2019_ghc_sort/why3session.xml000066400000000000000000001144611440160026300240100ustar00rootroot00000000000000










 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
   
   
   
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
 
 
 
 
  
  
  
  
  
  
  
  
  
  
  
  
 
 
 
 
 
 
 
 
 
 
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
 
 
 
 
  
  
  
  
  
  
  
  
  
 
 
 
 
  
  
  
  
  
  
   
   
   
   
  
  
  
  
  
   
   
   
   
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
   
   
   
   
   
   
   
   
   
  
  
  
  
   
   
   
   
   
   
   
   
    
    
    
    
    
    
   
   
  
  
 
 
 
 
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
 
 
 
 
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
 
 
 
 
 
 
 
 
 
 
  
  
  
  
  
   
   
   
   
   
   
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
  
  
  
  
  
  
  
  
  
  
  
  
  
  
 
 
 
 
  
  
  
  
  
  
  
  
  
  
  
  
 
 
 
 
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
 
 
 
 
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
 
 
 
 
 
 
 
  
  
  
  
  
  
  
  
  
  
  
  
 
 
 
 
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
 
 



why3-1.6.0/examples/verifythis_2019_ghc_sort/why3shapes.gz000066400000000000000000000366371440160026300234400ustar00rootroot00000000000000}[o9zf~Y#@ꗅ^VKr[n"Hf29e[5]d`07kzo^#//BGq!w/n^yJ?^_\paN]_سk^nՅGpKxCp/O}!!'"U/(5`׿K_b>#_I嫩XhBZtҪ
\BN>s`p^k\+|k8璁Ss5\d{aT%b@^5hF
U8xyrW$ʺ~j4!<\]%yy'Jڵ?܂y^jt3FtHbQw//_[<]ޒjh-%Km{	黽2`HQ-x*DIŒ	TXjtͲ9o:%tڥB@QB<8sX2{拚Ёsg?A65};(
hK;WdhdQ.(omn&Ze7|;t~nХL2}X"נ3OiEkF~KM10'M(:_6j`Ք?`4Lߧ_׿]M7~D˫}N7WL;%OW>~oƦS7?y!=5'[b]pY$5x5UO> u{R鷫nT8el߾〯eg*]k.]%TԵ׬9kS[~/\Y+3r2:U!G.O62!vP+}H0a)`X
BЯ1",Bʚ
<׬6ex(zp_k>gl絡	V<l5R_
:t.!J`v)$e8@Xυwfp&$˛:B>!i#a5h0YyUM+]+76]7Ů~-oQŃB`y}UֆKk־qqzW]k3t\l,b	p{^d9 TYk[sJTDi$ՖdձzZ#>Riڏ[:MgُoRl)R&~eyH6TI{f{"VhT!ٚzɬdVkXnF[ḧVemfZ^%ݲ-u{lA"s`^_n_9؇
WwI;hGsD<=Ȥ6^hv/]܎Weq6myQkIW۸g6
NU*ݶfelVik2t,,_X_8s3sxY8R?+^C4#=I+K}kKinOn.Fjߩ۷
}hZ%vֱ6=uLv싎฼rv:RCr\qwBP3
g/\Qvlrvx^rwIW7KnYWp-&9V}"Xs$_ڀ-vNd#э]}
;t]Յ7rHyvY凩䅏l0	<3|eAVA
Knuz}ee1}^-]}`,hPqZt`m̫ú2|.}"U	Q6
T:=k&85>_Q5lN.I'Y!~ZL:5v yH5dMg v^&7;AvSy!f
p,=$\O~\fɏ3Uqd(Q!N6{m~S7yӻTE7U=CŮTKHyRfp
F:p޵~osbi^Mto
]]lѸvZ%`,ľ~?/~=1=+6)+݇{k,pKJǵtlV7mH\\K&#q:-!7ja"Kӿ-7qcʩ|%̐ӫt3J~Zcx~q4W27k~N|}lMCNEs6nb;;vvZ5c+_\#UpC~{{2Y@Ku=odY-SpŎ[@n6k#x}yc$/rꪛ}j޼($p^I<}5aXpB`Fmt-uYKe<5v{i`*[>Fm(?z	c_uU{{ŖH]
VrU׳OSrZR[)eWrlTK
[C췈k-ꠀ$umx..]pʎV	.̾H2e1r,#z+A",	je=s)yѮ^aN!4ofq9W2؅]`8sxn\@^bs͚T28
m28;2k2X+KoЖ}YDZdc]jpTiIvyz/\Ryz
5-ג4|KLEO!54A"!aw_Q9:R6Q%2UF6Y$J		
؀%y]jܲD^]:[eWlu-l&eG_>R㛛c^Hk''"2;RQn߷e89Z'A\/ufS5){S=%2Cy6N5jwm-3ooGևjED
EK|`ZUֱCx:d1>lͰ<by2Dd
we,d
!;wå}*fz.vVq1cJ2bPI'JUy]6OI40/kmR)xg	T-N4p
+?%.ۦS
'w.rԥt9@9e2h͓W[,ԂF1|ݼ~پِ蛹m&mHWWӗuojgrmM$M,kX_kp<\X2G,cu50_o4>_޼_oDoNΠ)XK?5(䮋Wt=Q[Q-"'vR@\>pP?0뾠U;gv=
%%>[>
qS	W=
,dD/oNYX;L}<ҧdm.Kq8v	ladu`OT긓^˪{bY6ZEGJ6䬧kZ
%dۈsuarN_|]dukf=HNmʝ7zDAWJ$u~
vw&VǶMr(r*%J߽jY,MG4*m0h@q>Ll^rtэ'vJ9S-?F/v4asH)H(~w4[6mȯ8D~~8$g#PY'aIL9’p%$=(JU#1zum}Fغ#,j5Vj=hͣe|LE	,v`i?s
l/`p%߮T8ЃaD
nåma_5uYן=EYlJԻEJ؇	nrӶkaeGYՙî㎬eqrYm5¦kȬ-Y(Cu(`+:\k41268^\xqYa}C$UU&(
6nHH{u|ؽe7c˺=mJ޳ؓBb5gc]_py,UJV&'/2h=4=(!^E*nU_uS~zޔD/g(.>b|+ב٭Fl#}oޥk=p?2@2ZlF@""5Jm~_QYgΓ6xb[gdԈQ9E4lYif;
Mɟ#6jt+6խKv9/[l$xieYiư?e$!x6%{)}u
X6y:ȝ\rӛl;w|
77>~`hZ|k:
yǺ˶wh>褾JNCRjChy+wa',/fܴRscm)@,%MWtb[~m?%뚿ϧk.fʹ^R8?Ѻk=]<@Zs!(^{qg9.T9gd7fI'WXJ]P۳cq|az^H9v1_}X{&.Xҥp
6HLPY*-)ܴN*m
QK/W
zXOg:Z}y|hKߖrۼ]T`ʹnBiG.	ɹki۳sj;di{~}dq42.m+w9FB	NA^Kc3U/:ϵًVJݗUK'k>r|E/S?XtJcS>؃ˏTOk+C]ruךݬ՝	;Ğ5_\ˏD0FCl}7Ϊ%jp0FKTmnR8vwc.krڻ3l([.׫cx\*r*OJg9r崟8VUfxxU,)0ږߝr'Qmh6Q挵jd8\oL8oEوeӮ[~>_r·8A1Jy;Sy@^mk9{rՉteerᔣ9w"=+2+u4]Jz	N&#vUhc]ζ㲻S6aK9
/2U솊m7w
eR}e_TحoO	wgڲry	Y'Ie:]S&FvyeSC(	ϴ PuwP܂uC+қRP~ݯZ$,#s–i3dȬz>AnY`,㶘UŬYuqX/tXmkeW5ZA܁+Jߋ^2wI*[IDjщd=ߝ-Go_rv]N]#p:z}-R\ottc
R%JK٭^)>lWôleZ?ܿt!rirs?tϿdҎ=@uF+[0LNw:
mXQmS 
WD;R9q[yJۃ(t8%T,}~|d9Z,x~1Jnu^B]Xac]juɝ;v=TZ˻s֓:ǷtE{lYu΀|u7NSv=,QŋNL-:~˵6l'i]Ho3lv,	q,|lz7Y:Q&xZ-_ڗ[ϛ#|XA)zJy{tn\9E	,uh#kRsGlZ.8Lr~Oq*<.%~eQ?[sc
w$ntmf/|N躻+ k>vבBni3eB]G++_ݦݜHޝryyռXtZSZA-{y\o\Cu^[[JMՔBmɴhkmƢծQ#EVycԳ^CcÔRN4XLrdNBI4	90.C
1SRJqOé?uv)+hndĨtyÜ	*RSiN>^!g0k3EҟJw'3
aҘ0LTh곪VL+2q,Fxé}fEn1<!N[1ؗVZyjũ&jܩsjQF>8%cce:4"%>NfAR7-HΏwrCH6˄7JB(Eq"?y)`SOV}9qAO@#Y 	Γ1q6X0<~iRIf9|>6^bsƥ'kz"`0H9,&Ǥ	4*UQR9V)ЯyYgR~h/w=\#3HcFQp
I;Ȣ&1P5$P| -WB(c?7kGXx`3uBO1aq
c6r0Й/%1V 0nr2!Lf44zQE7< sIE3x8/%T	;UA%q4S(݂Ccक{+Ww%X%XX*~bu&1JoBYY97cqS99jnJ)DX"6HC!R]|*q:j	Mr)P
SCZ	y18ap(oѕ` NS$޶	h+i(!j1=Y<{l81c3X$QUpZkNdqv!6dT[SXus8Lr)+;wBqU$#8[&0)xo&y&N0TCT>1IA)aԣ!9C~*QяLOg`0Ĭb*_lah^}*G@
D10>˩H*
d5`!
j֕U/J0\ɘ	F04SSx*Er\O=Z5pUxfڠ fS"6Ϩm)!AӼ{D`I!̥{"QT4d=0Lʥi, VIE zG̵~d<}pD!Ռ	C{4'9j+ڊ>b@%
#;݄&A
xk!{0	1sf;f7*A)'d`0>fe$Up-t~sz
d
q]:4M@ĩ
GJJ8YU~`_8sZUԄ8`Ǩ!b
8_iFg&W1TL58J%7BzTJF#af3(]mP(I:Y>N&±'?G8κR| p[>j410#pBPPlB
Mb6VX0DP:Nd?A)'+86iQUxȤ[",Q^alfP	9)ΥI}$A`M(UaƁd~١$ZA<5ُg%>h}%ܥK?+/$!W]U1P+V?8Ia|(F8_IynRJasxоfYtNVE7i6_yӺcC+|9svF>|9g"E>|,YgDR:Ny6NC%rW30P`Y,4|(?	BS&ZIhlݣcJŭϦ^f/;RVYrV"kCmzFMN׀V
P(%CCYlZpGGKk!c
"YﳮC<&CI8{A.>.f_UklFGZYa}&svMvϨ1H,WcH
y>c4vM`NCnYf MϨB?
g&3Zl:Z\RC,`x	yD<5Y>'kSh"\s()`O3y}ΔA;G+'/EUvO1~(}d}`ʤCN#Ш69Y_"M
+SIJ)'5Ή69Y_NCup$y<~j/\0ТNs:yJQԴ}z*@N$>褢"3qm`ByiVdXf\zN*FEJf5_7 #cI77RhLgDN#1Ti·hYGU&ʹzN*?pp*d+,-̳K>ӖI*T>7!8e>nqsBj˪=NbZD+En0L(M~N*eZ~8YLMN0PXpA!]"p( ?oM~N$=tc
|63dsJ&heLRTŗ~N֗;f+|2D1E</!A)+'&!|msh	|p6'P]0)d})4N&AK3L8d}fLsBNs	C<	8
Y+$[7iH1Ӣ%C@&G:$&K@S? a"nt>aOV$??nȧ|S2b29Zth 3#Y~am^gG&J㲘qyeїGMұU썃F
1K'(ٌk$m(I3M)΃Y073hGHaq`A>
4v*:SLڏf'OѶ#V9)Z44I'!ڴUA=Ç=Jͳ쥄[4ŵNap>f0_`DcЙz
s2g
!gP2ɐJI!;aHd@C2$+HA1<)'Ajw(-"8ie;1K.+lhrcGWIg^ʎbv:a0JxL
KQ5rK0@gвxXd	+F72zljǡaZ,q%O'CvS:킠fE:1.ʿ:f8gPaOgD0i_Vo2P6BҊY4{؋O^BUR3aJI8yM+_j3%C9ilM2c.k	"B&/FxP6'_'hjH
Ęň$H!p'L5̳`os?%ٚmYh"
09D'8ڗrHjzL1YfLv6!ֿϭF'1i8cɎBH]]өg,t!:Ksg}anag$thLc
:?6s(iP<-#$sOHF8n$hkET]O=7B=->F#|!bt\ن=&Qf6&VZ(I98ڄ11WDѯZl(0G6'?2AGt@Сq)FNh9!HI^`d٩,b,:?QN"i!Ӥ\9h˯D,i!JvG=aӴ`e.fzf	1Ȧ#m,?L>@D1w^9h%
V`_3X	͝Ҩ@7=C0Z-$ʣTMhR^O0eUYduU;{tJX7EFǨf	F
E#)urt
[F[ʐS+5t_RNѕEzsŀVg ]0vi1iHjD;Sɪ1g2-iqR
d7M5pS&ti:>J3'IM#-&0!R|#BG?ُOV 4lm(恎Y6_
Ħ_%!a0P2vd|(%KgWLM9t$"\)d^*	1Q_5fPX!f0^mĊ0CB<6&
|1ܾY.[/`95sId/1h>Mb^+5Cf2	=I	1OͣrVhKirŒ`]dexZ荇=zIqP
#7a/N^*"|o'p}%7x2%ۻ6#Tg'`&Hr:Qf'K"tUeã*
y
z5.74#TN͑nB9piv6tN9_udS1
95V|Vi~OTT͕ф@uNkl
z(@G5eG/À'09^::yt3lOc8mp`ETf+A.why3-1.6.0/examples/verifythis_2021_dll_to_bst.mlw000066400000000000000000000154311440160026300220140ustar00rootroot00000000000000
(**
{1 VerifyThis @ ETAPS 2021 competition
   Challenge 2: DLL to BST}
   See https://www.pm.inf.ethz.ch/research/verifythis.html

   Authors:
   - Jean-Christophe Filliâtre (CNRS)
   - Andrei Paskevich (Univ. Paris-Saclay)

   Summary:

   - all tasks verified

   - balanced tree: we show 2^(h-1) <= size(t) < 2^h where h is the height
     of the returned tree t, which implies h = O(log(size(t)))

   - There are no pointer-based data structures in Why3, so we devised a
     customed memory model for this problem (see type `loc` and maps
     `prev` and `next` below).

   - The only precondition of `dll_to_bst`, namely

       requires { dll prev next s head 0 (length s) }

     states that, in the initial memory state, head points to a
     well-formed doubly-linked list, whose contents (locations of list
     cells) is represented by (injective) sequence s.

   - The fact that the tree is a BST follows from the postcondition of
     `dll_to_bst`

       ensures  { inorder s t == s }

     that states that the nodes of t, taken in order, are exactly
     the cells of the input list.

*)

use int.Int
use int.ComputerDivision
use fmap.Fmap
use seq.Seq
use bintree.Tree
use bintree.Size

(*** SPECIFICATION STARTS HERE ********************************************)

type loc

val eq (x y: loc) : bool ensures { result <-> x = y }

clone fmap.MapImp as I with type key = loc, val eq = eq

let ([]) = I.find
let ([]<-) (l: loc) (m: I.t 'a) (v: 'a) : unit
  requires { I.mem l m }
  ensures  { m = add l v (old m) }
= I.add l v m

val constant null: loc

val data: I.t int
val prev: I.t loc
val next: I.t loc

predicate valid (prev next: fmap loc loc) (s: seq loc)
= forall i . 0 <= i < length s ->
    s[i] <> null /\ mem s[i] prev /\ mem s[i] next /\
    forall j . i < j < length s -> s[i] <> s[j]

predicate dll (prev next: fmap loc loc) (s: seq loc) (head: loc) (lo hi: int)
= valid prev next s /\
  0 <= lo <= hi <= length s /\
  (head = if lo = length s then null else s[lo]) /\
  (forall i . lo <= i < hi - 1 -> next s[i] = s[i+1]) /\
  (forall i . lo <  i < hi     -> prev s[i] = s[i-1]) /\
  (lo < hi -> next s[hi - 1] = if hi = length s then null else s[hi]) /\
  (lo < hi -> prev s[lo] = if lo = 0 then null else s[lo-1])

predicate tree (prev next: fmap loc loc) (s: seq loc) (root: loc) (t: tree int) (lo hi: int)
= valid prev next s /\
  0 <= lo <= hi <= length s /\
  match t with
  | Empty ->
      root = null /\ lo = hi
  | Node l p r ->
      lo <= p < hi /\ root = s[p] /\
      tree prev next s (prev root) l lo p /\
      tree prev next s (next root) r (p + 1) hi
  end

(*** SPECIFICATION STOPS HERE **********************************************)
(*** beyond this point, the only thing you need to read are the contracts
     for functions `size` and `dll_to_bst` *)

let rec lemma tree_frame (prev next prev' next': fmap loc loc) (s: seq loc) (root: loc) (t: tree int) (lo hi: int)
  requires { tree prev next s root t lo hi }
  requires { valid prev' next' s }
  requires { forall i. lo <= i < hi -> prev' s[i] = prev s[i] /\ next' s[i] = next s[i] }
  ensures  { tree prev' next' s root t lo hi }
  variant  { t }
= match t with
  | Empty -> ()
  | Node l p r ->
      tree_frame prev next prev' next' s (prev.contents root) l lo p;
      tree_frame prev next prev' next' s (next.contents root) r (p + 1) hi
  end

use bintree.Height
use int.Power

let rec dll_to_bst_rec (ghost s: seq loc)
  (head: loc) (ghost ihead: int) (n: int)
: (root: loc, right: loc, ghost t: tree int)
  requires { dll prev next s head ihead (ihead + n) }
  ensures  { right = if ihead + n = length s then null else s[ihead + n] }
  ensures  { tree prev next s root t ihead (ihead + n) }
  ensures  { Fmap.S.(domain prev == old (domain prev)) }
  ensures  { Fmap.S.(domain next == old (domain next)) }
  ensures  { forall i. 0 <= i < ihead -> prev s[i] = old prev s[i] }
  ensures  { forall i. ihead + n <= i < length s -> prev s[i] = old prev s[i] }
  ensures  { forall i. 0 <= i < ihead -> next s[i] = old next s[i] }
  ensures  { forall i. ihead + n <= i < length s -> next s[i] = old next s[i] }
  ensures  { n > 0 -> let h = height t in power 2 (h - 1) <= n < power 2 h }
  variant  { n }
= if n = 0 then return null, head, Empty;
  let nl = div n 2 in
  let left, root, l = dll_to_bst_rec s head ihead nl in
  root[prev] <- left;
  let temp, right, r = dll_to_bst_rec s root[next] (ihead + nl + 1) (n - nl - 1) in
  root[next] <- temp;
  root, right, Node l (ihead + nl) r

let rec lemma tree_size (prev next: fmap loc loc) (s: seq loc) (root: loc) (t: tree int) (lo hi: int)
  requires { tree prev next s root t lo hi }
  ensures  { size t = hi - lo }
  variant  { t }
= match t with
  | Empty -> ()
  | Node l p r ->
      tree_size prev next s (prev.contents root) l lo p;
      tree_size prev next s (next.contents root) r (p + 1) hi
  end

function inorder (s: seq loc) (t: tree int) : seq loc
= match t with
  | Empty      -> empty
  | Node l p r -> inorder s l ++ cons s[p] (inorder s r)
  end

let rec lemma tree_inorder (prev next: fmap loc loc) (s: seq loc) (root: loc) (t: tree int) (lo hi: int)
  requires { tree prev next s root t lo hi }
  ensures  { inorder s t == s[lo..hi] }
  variant  { t }
= match t with
  | Empty -> ()
  | Node l p r ->
      tree_inorder prev next s (prev.contents root) l lo p;
      tree_inorder prev next s (next.contents root) r (p + 1) hi
  end

(* recursive `size` *)

let rec size (ghost s: seq loc) (head: loc) (ghost ihead: int): int
  requires { dll prev next s head ihead (length s) }
  ensures  { result = length s - ihead }
  variant  { length s - ihead }
= if eq head null then 0 else 1 + size s head[next] (ihead + 1)

let dll_to_bst (ghost s: seq loc) (head: loc) : (root: loc, ghost t: tree int)
  requires { dll prev next s head 0 (length s) }
  ensures  { tree prev next s root t 0 (length s) }
  ensures  { size t = length s }
  ensures  { inorder s t == s }
  ensures  { length s > 0 -> let h = height t in
              power 2 (h - 1) <= length s < power 2 h }
= let n = size s head 0 in
  let root, _, t = dll_to_bst_rec s head 0 n in
  root, t

(* iterative `size` *)

let size_alt (ghost s: seq loc) (head: loc) : int
  requires { dll prev next s head 0 (length s) }
  ensures  { result = length s }
= let ref p = head in
  let ref len = 0 in
  while not (eq p null) do
    invariant { dll prev next s p len (length s) }
    variant   { length s - len }
    p <- p[next];
    len <- len + 1
  done;
  len

let dll_to_bst_alt (ghost s: seq loc) (head: loc) : (root: loc, ghost t: tree int)
  requires { dll prev next s head 0 (length s) }
  ensures  { tree prev next s root t 0 (length s) }
  ensures  { size t = length s }
  ensures  { inorder s t == s }
  ensures  { length s > 0 -> let h = height t in
              power 2 (h - 1) <= length s < power 2 h }
= let n = size_alt s head in
  let root, _, t = dll_to_bst_rec s head 0 n in
  root, t
why3-1.6.0/examples/verifythis_2021_dll_to_bst/000077500000000000000000000000001440160026300212675ustar00rootroot00000000000000why3-1.6.0/examples/verifythis_2021_dll_to_bst/why3session.xml000066400000000000000000000435471440160026300243240ustar00rootroot00000000000000












 
 
 
 
 
 
 
 
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
   
   
    
    
    
    
    
    
    
    
    
    
    
    
    
    
    
    
    
    
    
    
    
    
    
    
    
    
    
    
    
    
    
    
    
   
   
  
  
 
 
 
 
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
   
   
    
    
    
    
    
    
    
    
    
    
    
    
    
    
    
    
    
    
    
    
    
    
    
    
    
    
    
   
   
  
  
  
  
  
  
  
  
  
  
   
   
    
    
    
    
    
    
    
    
    
    
    
    
    
    
    
    
    
    
    
    
    
    
    
     
     
     
     
     
     
     
     
     
     
    
    
    
    
     
     
     
     
     
     
     
     
     
     
      
      
      
      
      
      
     
     
    
    
   
   
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
   
   
   
  
  
  
  
   
   
    
    
    
    
    
    
   
   
  
  
 
 
 
 
 
 
 
 
 
 
 
 
 
 
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
 
 
 
 
 
 
 
 
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
 
 



why3-1.6.0/examples/verifythis_2021_dll_to_bst/why3shapes.gz000066400000000000000000000133501440160026300237310ustar00rootroot00000000000000[[o9~[f&@ɠ2`X4xߏRJ*IVއn$"|_.>tK~|Zǥ˟/[v7ko|pbe|hRާI4㏯nh|[Y??/.{O?{y}Ԟk*>=~?h\Lgwvg7uē	"U>e]X~yx7G6e?e1<.7~OgW:51F:߃`й{V32ޯo~3w_r?}}zԘ֟Q7&1m	W}NZ#!蘴%Q/d[$wssyDVkGy6;<2~v."9z7
+q#b,Й%p]DTNUG@O#//6Yߌ@|zHXɕZYI.^|?])mo`6/r@3̐m54Z6گbaPHcj<Ļ)m&nBP+["W;I{m.V$,A0X&4llo0&xUMaUÐ(}c2$s}]v_Wt45~Dב #]%jwme+++y7^Ϩ$Jϩ4ȺѨ	r{b*rWceJ@x󣯃O~}.Q=}
la1n#ɧ/~}703671K_jJκU_7U|
t<Д0m#8?+?Fۼͯ3O_rzľ>θO5Ԧb9ۛyo9NqvqOPGap`CgAwOD)(Uq4o lj40Pgu
hMv*nSzm~bOf*AQ`GHjoyb_Lft];Ӂ'?QxzRߏ4P9j5L?|jw3'ٓ-}urqwk~#uG
wh bz!SqJan;xȿ]Sfį2_E
8M||ƮVvyc	`gCb?1fR5y"kBa<Q1aKS=:f[U17HzUm`@x֌re컮SVѧQϓ`͎#e#jgi<i8vI/^WCv]7YmDmFoSsqnK{^4|:9)#qK67Hyɞo'Br.˃|6m#visDft{GCnPe{tFË?9ʷ"?<ᩞ#MÙ3LzXvϫUXa^Poxh4ёN_e?=8HpЯ
1	T&H^eM^,soD3#PsI2&yFkk¿;17Rl̽XCbj0o)w3v{Oxc@Miz^NG;G˩k:z\~_Ap`D郇[vN_8t}{4dc bTy8[[ہjb!ct{۝\=Λ˱R}"{niW*ݎ6mJն^%^)EN}=ڨC:JWxpDm >!ĄI-ۺwqF֝ `lC\7l+f.WwF8شb)[Up+$质
Psōׇ,*YԿ]%R|%
MMBv.U[
YːG/*/٢H!x5	^ƥ]@郷+Wpf_Az9Fx%@ q*w%jȋ)?ԻL\].u\D-^Ƕ;r6]MdWQg#XzG7X.PIj׎\lrdk]5	sƼ>2xj!mwq#J=?9ιǔдdҝUWckSß19pn&@pӂ$^t`sKSP%UE{2YB/vh1=IHJ`^V
g}AsGyVPΒ^?W.g+@.%DM&v?^b& n4}kkZ<4GɄ]`Sv`NwfvZ4)zVW>[͔nWCt+RPu{ﻛ/ͷޡokI=o)|tnGCNIo=ڨxQQ=5sMg]CF|CZw9.9/Bj՛ۡm:iw>@7:ކm$`г	w=7BÚA_CĤb:-6ڥZ
>o9{5tޛ{Uvzhځ…:PA|ʯaڪȃ
løYnYʃ[9rȩ:1ОKvԳ['=!$k[zZبuMݯ£/7Ma~4N/E%h{b]Q6-|gN3E[P+تmsyjܴuumSW&tWG;XEfxözML]ZOmF??p_G-1%˒lBDa\X&-/مR
S()<.D$EKE,1OlX*$lRfc//f-R2gvB8nZ\]^.#.invŔ%gE*."eVupF O"kM*zI:rŒt%	኉b+"6E+5^r5,Bɐx=4/E!KʌW8#
s3I(ktxRd
7>Q"bV,(&<(b,d9V}dDh3WB-\jVZ%%]qoL2sRF!㰸SuNCˁtLN'C`:Yb^DqF A2,S9JLBFD%|sم!^)	^TK`*H'l&y#
	,SL7HULt8rARX/%5Cf斂0z)No7^UШc%E9P0
=qlxmdlN68k+D9	8=
'Dp"VxEƔ?B	I,0.
V0:T6Q%-,Є*Ru*Ɍ!.Xe26bܵ|ijr)ڌ|3Ba%
B ĔLENDnY"4XMĿr{VHYR!*Q٬յS.\&+aoRe<8&"4f\6Fp$WDsu8VK-Z,5-5R-ǹW<[J )踥IY!|GҤjY3Hs"bZBRN#QL7#^J
5+UFcUЕBX]^JG	@"CCSq*5#{jF,
 tEDB1F5^J3rz:
̢"QB9 ffk
"мgD3ȡN1<AwAgĂЄlG[FP]5I\LK˗AI>2p&	cBi,ȥgMQ1trh2
d\RD}5K{\!hHYd]ԥh]0EՀS"-]:tzɥKGKd!TMFZÁ1+LsVukYqpd.#,УZz|m+CIipK;Of:!8ZtС=gv`Yմv+v$RZсVgT`DDcނuY-rJUϢRQg4k9{39QR2c'5c߂5$T`[3c@J&鵖IM.h29&$d@	7ٰoZKL
Ѡ]N $ShI,:-X{W`st!<:S@PjXIr#tg,dI.}'\W+uhǝ,Eأ~PNXBBD3^o&zcTH[l%GzTI=t#zJlyLmB0psQMtwm0nW\oA+mhBǛ$"uԾЃlzrxb}ޤL'*"
E	U2%# b)w)ۄ#seFKMPkVĎ
,W^C"":FSKL
5Pc
X8edXB)^xՖ.[![尿R4uB k;Svd 5[
#Puz іYYT@Fӓam
-JFB	|~{%k+%Bq֩;1YR5 I41^>A_(G#g5io4v?g)r!Qh,g؉JgD-wL !Ȥv:dL䲊&Q	^_y(ژ9%d7-N$SD\%[2+裠_D}1&aQ{-%X-V51L)
#Wu1"bJYvvY}ˆ5:K]Rv/xtaiC$R(%:*Lf
Q=Y}qdf]Hy~T(RJ5B-	KcYTj}cz&ŽPDw$WNBvfj<I4eNeQ!JEsm&!/گbd=L$n衱ƍא̊w,1)첊P*sfh(=pTPCNJJ&f
LhmB2E
1473SC;iIE:գ9[K-ЫN`~UP
UAҜ$gAx*Qm]why3-1.6.0/examples/verifythis_2021_lexicographic_permutations_1.mlw000066400000000000000000000305021440160026300255360ustar00rootroot00000000000000
(**
{1 VerifyThis @ ETAPS 2021 competition
   Challenge 1: Lexicographic Permutations}
   See https://www.pm.inf.ethz.ch/research/verifythis.html

   Authors:
   - Jean-Christophe Filliâtre (CNRS)
   - Andrei Paskevich (Univ. Paris-Saclay)

   Summary:

   - all tasks verified

   - only one change in the code, due to the absence of do/while loop in Why3

   - main idea for proving termination: show that the set of all permutations
     is finite, by building a finite over-approximation of that set
     (see function `all_permutations` below)

*)

use int.Int
use import array.Array as A
use import seq.Seq as S
use int.NumOf as N

(*** SPECIFICATION STARTS HERE ********************************************)

type elt = int

type permutation = seq elt

(* lexicographic order on permutations *)
predicate lt (p q: permutation) =
  length p = length q > 0 /\
  exists i. 0 <= i < length p /\
    (forall j. 0 <= j < i -> p[j] = q[j]) /\
    p[i] < q[i]

(* lt is a total order *)

let lemma lt_trans (p q r: permutation)
  requires { lt p q } requires { lt q r } ensures { lt p r }
= ()

let lemma lt_asym (p q: permutation)
  requires { lt p q } requires { lt q p } ensures { false }
= ()

let lemma lt_total (p q: permutation) : bool
  requires { length p = length q }
  ensures  { if result then lt p q else p = q \/ lt q p }
= let n = length p in
  for i = 0 to n-1 do
    invariant { forall j. 0 <= j < i -> p[j] = q[j] }
    if p[i] < q[i] then return true;
    if p[i] > q[i] then return false;
  done;
  return false

(* number of occurrences in a (sub-)sequence *)

function iseq (x: 'a) (s: seq 'a) : int->bool =
  fun i -> s[i] = x

function occ (x: 'a) (s: seq 'a) (l u: int) : int =
  N.numof (iseq x s) l u

function occ_all (x: 'a) (s: seq 'a) : int =
  occ x s 0 (length s)

predicate is_permutation_of (p a: seq elt) =
  length p = length a /\
  forall x. occ_all x p = occ_all x a

(*** SPECIFICATION STOPS HERE **********************************************)
(*** beyond this point, the only thing you need to read are the contracts
     for functions `next` and `permut` *)

predicate descending (s: seq elt) (lo hi: int)
= 0 <= lo <= hi <= length s /\
  forall i j. lo <= i <= j < hi -> s[i] >= s[j]

predicate ascending (s: seq elt) (lo hi: int)
= 0 <= lo <= hi <= length s /\
  forall i j. lo <= i <= j < hi -> s[i] <= s[j]

let function to_seq (a: array elt) : (s: seq elt)
  ensures { length s = A.length a }
  ensures { forall i. 0 <= i < length s -> s[i] = A.(a[i]) }
= let ref s = empty in
  for k = 0 to A.length a - 1 do
    invariant { length s = k }
    invariant { forall i. 0 <= i < k -> s[i] = A.(a[i]) }
    s <- snoc s A.(a[k])
  done;
  return s

lemma is_permutation_of_refl:
  forall p. is_permutation_of p p
lemma is_permutation_of_sym :
  forall p q. is_permutation_of p q -> is_permutation_of q p
lemma is_permutation_of_tran:
  forall p q r. is_permutation_of p q -> is_permutation_of q r ->
                is_permutation_of p r

let lemma occ_id (s1 s2: seq elt) (l u: int)
  requires { 0 <= l <= u <= length s1 = length s2 }
  requires { forall i. l <= i < u -> s1[i] = s2[i] }
  ensures  { forall x. occ x s1 l u = occ x s2 l u }
= ()

let lemma occ_split (s: seq elt) (l mid u: int)
  requires { 0 <= l <= mid <= u <= length s }
  ensures  { forall x. occ x s l u = occ x s l mid + occ x s mid u }
= ()

let lemma occ_at (s: seq elt) (l i u: int)
  requires { 0 <= l <= i < u <= length s }
  ensures  { forall x. occ x s l u =
               occ x s l i + (if x = s[i] then 1 else 0) + occ x s (i+1) u }
= occ_split s l i u;
  occ_split s i (i+1) u

let lemma occ_none (v: elt) (s: seq elt) (l u: int)
  requires { 0 <= l <= u <= length s }
  requires { forall k. l <= k < u -> s[k] <> v }
  ensures  { occ v s l u = 0 }
= ()

let lemma descending_is_last (s p: seq elt)
  requires { descending s 0 (length s) }
  requires { is_permutation_of p s }
  ensures  { not (lt s p) }
= let n = length s in
  for i = 0 to n-1 do
    invariant { forall j. 0 <= j < i -> s[j] = p[j] }
    if s[i] > p[i] then return;
    if s[i] < p[i] then (
      let y = p[i] in
      occ_at s 0 i n;
      occ_at p 0 i n;
      assert { occ y s (i+1) n > 0 };
      assert { exists k. i < k < n /\ s[k] = y };
      return
    );
  done

let lemma ascending_is_first (s p: seq elt)
  requires { ascending s 0 (length s) }
  requires { is_permutation_of p s }
  ensures  { not (lt p s) }
= let n = length s in
  for i = 0 to n-1 do
    invariant { forall j. 0 <= j < i -> s[j] = p[j] }
    if s[i] < p[i] then return;
    if s[i] > p[i] then (
      let y = p[i] in
      occ_at s 0 i n;
      occ_at p 0 i n;
      assert { occ y s (i+1) n > 0 };
      assert { exists k. i < k < n /\ s[k] = y };
      return
    );
  done

let swap (a: array elt) (i j: int)
  requires  { 0 <= i < A.length a }
  requires  { 0 <= j < A.length a }
  ensures   { A.(a[i] = old a[j]) }
  ensures   { A.(a[j] = old a[i]) }
  ensures   { forall k. 0 <= k < A.length a ->
                k <> i -> k <> j -> A.(a[k] = old a[k]) }
  ensures   { is_permutation_of (to_seq a) (to_seq (old a)) }
= A.(
  let temp = a[i] in
  a[i] <- a[j];
  a[j] <- temp
  );
  let ghost s1 = pure { to_seq (old a) } in
  let ghost s2 = pure { to_seq      a  } in
  let ghost n = A.length a in
  if i <= j then
    if i = j then ()
    else (occ_id s1 s2 0 i;
          occ_at s1 0 i n; occ_at s2 0 i n;
          occ_at s1 (i+1) j n; occ_at s2 (i+1) j n;
          occ_id s1 s2 (i+1) j;
          occ_id s1 s2 (j+1) n)
  else (occ_id s1 s2 0 j;
          occ_at s1 0 j n; occ_at s2 0 j n;
          occ_at s1 (j+1) i n; occ_at s2 (j+1) i n;
          occ_id s1 s2 (j+1) i;
          occ_id s1 s2 (i+1) n);
  ()

let next (ghost a0: seq elt) (a: array elt) : bool
  (* TASK 1 enforced by Why3 *)
  (* TASK 2 ensured by absence of `diverges` clause *)
  requires { A.length a = length a0 }
  requires { is_permutation_of (to_seq a) a0 }
  (* TASK 3 *)
  ensures  { is_permutation_of (to_seq a) a0 }
  (* TASK 4 *)
  ensures  { not result -> forall i. 0 <= i < A.length a -> A.(a[i] = old a[i]) }
  ensures  { not result -> forall p. is_permutation_of p a0 ->
                            not (lt (to_seq a) p) }
  (* TASK 5 *)
  ensures  { result -> lt (to_seq (old a)) (to_seq a) }
  ensures  { result -> forall p. is_permutation_of p a0 ->
                         not (lt (to_seq (old a)) p /\ lt p (to_seq a)) }
= label Init in
  let n = A.length a in
  let ref i = n - 1 in
  while i > 0 && A.(a[i-1] >= a[i]) do
    invariant { -1 <= i < n } variant { i }
    invariant { i = -1 /\ n = 0 \/ i >= 0 /\ descending (to_seq a) i n }
    i <- i - 1
  done;
  if i <= 0 then return false;
  let ghost i0 = i - 1 in
  let ghost x = A.(a[i0]) in
  let ref j = n - 1 in
  while A.(a[j] <= a[i-1]) do
    invariant { i <= j < n } variant { j }
    invariant { forall k. j < k < n -> A.(a[k]) <= x }
    j <- j - 1
  done;
  let ghost z = A.(a[j]) in
  swap a (i-1) j;
  assert { is_permutation_of (to_seq a) a0 };
  assert { lt (to_seq (old a)) (to_seq a) };
  j <- n - 1;
  label L in
  while i < j do
    invariant { i0 < i && i0 < j < n } variant { j - i }
    invariant { is_permutation_of (to_seq a) a0 }
    invariant { forall k. 0 <= k < i0 -> A.(a[k] = a[k] at Init) }
    invariant { A.(a[i0] = z) }
    invariant { i - i0 = n - j }
    invariant { forall k. i <= k <= j -> A.(a[k] = a[k] at L) }
    invariant { forall k. 0 < k < i-i0 -> A.(a[i0+k] = a[n-k] at L)
                                        /\ A.(a[n-k] = a[i0+k] at L) }
    swap a i j;
    i <- i + 1;
    j <- j - 1
  done;
  assert { forall k. i0 < k < n -> A.(a[k] = a[n - (k - i0)] at L) };
  assert { ascending (to_seq a) (i0+1) n };
  let lemma is_next (p: permutation)
    requires { is_permutation_of p a0 }
    requires { lt (to_seq (a at Init)) p }
    requires { lt p (to_seq a) }
    ensures  { false }
  = assert { forall k. 0 <= k < i0 -> p[k] = A.(a[k] at Init) };
    assert { x <= p[i0] <= z };
    let a1 = pure { to_seq (a at Init) } in
    let v = p[i0] in
    if v = x then (
      for l = i0+1 to n - 1 do
        invariant { forall k. i0+1 <= k < l -> p[k] = a1[k] }
        if p[l] <> a1[l] then (
          assert { a1[l] < p[l] };
          occ_id a1 p 0 l; occ_split a1 0 l n; occ_split p 0 l n;
          occ_at a1 0 l n; occ_at p 0 l n;
          assert { occ p[l] a1 l n = occ p[l] p l n > 0 };
          return;
        )
      done
    ) else if v = z then (
      let a2 = to_seq a in
      for l = i0+1 to n - 1 do
        invariant { forall k. i0+1 <= k < l -> p[k] = a2[k] }
        if p[l] <> a2[l] then (
          assert { is_permutation_of p a2 };
          assert { a2[l] > p[l] };
          occ_id a2 p 0 l; occ_split a2 0 l n; occ_split p 0 l n;
          occ_at a2 0 l n; occ_at p 0 l n;
          (* if l <= j0 then (occ_split a2 l j0 n; occ_split p 0 j0 n); *)
          assert { occ p[l] a2 l n = occ p[l] p l n };
          assert { occ p[l] p l n > 0 };
          assert { occ p[l] a2 (l+1) n > 0 };
          occ_none p[l] a2 (l+1) n;
          return;
        )
      done
    )
    else (
      occ_split p  0 i0 n;
      occ_split a1 0 i0 n;
      occ_id p a1 0 i0;
      assert { occ v p i0 n = occ v a1 i0 n > 0 };
      occ_none v a1 i0 n;
    )
  in
  return true

val sort (a: array elt) : unit
  writes  { a }
  ensures { forall i j. 0 <= i <= j < A.length a -> A.(a[i] <= a[j]) }
  ensures { is_permutation_of (to_seq a) (to_seq (old a)) }
(* NOTE we could provide an implementation here,
        but this was not part of the tasks *)

use import set.Fset as FS

(* this is actually an over-approximation of the sets of all permutations
   of s, namely the set of all sequences of length |s| made with elements
   of s *)
let ghost function
  all_permutations (s: permutation) : (all: fset permutation)
  ensures { forall p. is_permutation_of p s -> mem p all }
= let n = length s in
  let rec enum (k: int) : fset permutation
    requires { 0 <= k <= n }
    ensures  { forall p.
                 length p = k /\ (forall i. 0 <= i < k -> occ_all p[i] s > 0)
                 -> mem p result }
    variant  { k }
  =
    if k = 0 then return FS.singleton empty;
    let now = enum (k - 1) in
    let ref acc = FS.empty in
    for j = 0 to n - 1 do
      invariant { forall p.
                 length p = k /\ (forall i. 0 <= i < k -> occ_all p[i] s > 0)
                 /\ occ p[0] s 0 j > 0
                 -> mem p acc }
      acc <- FS.union acc (FS.map (cons s[j]) now)
    done;
    return acc
  in
  let all = enum n in
  let lemma final (p: permutation) : unit
    requires { is_permutation_of p s } ensures { mem p all }
  = assert { forall i. 0 <= i < n -> occ_all p[i] s > 0
      by occ_all p[i] p = occ p[i] p 0 i + 1 + occ p[i] p (i+1) n > 0 };
    ()
  in
  return all

let permut (a: array elt) : seq permutation
  (* TASK 6 enforced by Why3 *)
  (* TASK 7 ensured by absence of `diverges` clause *)
  (* TASKS 8,9,10 *)
  ensures { (* result only contains permutation of a *)
            forall i. 0 <= i < length result ->
              is_permutation_of result[i] (to_seq (old a)) }
  ensures { (* result is sorted in strict ascending order *)
            forall i j. 0 <= i < j < length result -> lt result[i] result[j] }
  ensures { (* result contains any permutation of a *)
            forall p. is_permutation_of p (to_seq (old a)) ->
              exists i. 0 <= i < length result /\ result[i] = p }
= let ghost a0 = to_seq a in
  let ghost all = all_permutations a0 in
  let ref result = empty in
  sort a;
  (* CHANGE: no do/while loop => unroll once *)
  result <- snoc result (to_seq a);
  let ghost ref last = to_seq a in
  let ghost ref sresult = FS.singleton (to_seq a) in
  while next a0 a do
    invariant { length result > 0 }
    invariant { is_permutation_of (to_seq a) a0 }
    invariant { forall i. 0 <= i < length result ->
                  is_permutation_of result[i] a0 }
    invariant { last = result[length result - 1] = to_seq a }
    invariant { is_permutation_of last a0 }
    invariant { forall i j. 0 <= i < j < length result ->
                  lt result[i] result[j] }
    invariant { forall p. is_permutation_of p a0 -> lt p last ->
                  exists i. 0 <= i < length result - 1 /\ result[i] = p }
    invariant { forall p. mem p sresult <->
                  exists i. 0 <= i < length result /\ result[i] = p }
    invariant { subset sresult all }
    variant   { cardinal all - cardinal sresult }
    result <- snoc result (to_seq a);
    last <- to_seq a;
    sresult <- FS.add (to_seq a) sresult
  done;
  return result

why3-1.6.0/examples/verifythis_2021_lexicographic_permutations_1/000077500000000000000000000000001440160026300250155ustar00rootroot00000000000000why3-1.6.0/examples/verifythis_2021_lexicographic_permutations_1/why3session.xml000066400000000000000000001135701440160026300300440ustar00rootroot00000000000000









 
 
 
 
 
 
 
 
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
 
 
 
 
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
 
 
 
 
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
   
   
    
    
    
    
    
    
   
   
   
   
   
  
  
 
 
 
 
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
   
   
   
   
   
   
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
   
   
   
   
   
    
    
    
   
   
  
  
  
  
   
   
    
    
    
    
    
    
    
    
    
    
    
    
   
   
  
  
  
  
  
  
  
  
  
  
  
  
  
   
   
   
   
   
   
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
 
 
 
 
  
  
   
   
    
    
    
    
    
    
   
   
  
  
  
  
  
  
  
  
  
  
  
  
  
   
   
    
    
     
     
     
     
     
      
      
      
      
      
      
     
     
    
    
    
    
    
   
   
  
  
  
  
  
  
  
  
  
  
  
  
  
   
   
   
   
   
   
   
   
   
  
  
  
  
  
  
  
  
 
 
 
 
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
   
   
   
   
   
   
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
   
   
    
    
     
     
     
     
     
     
     
     
     
    
    
   
   
   
   
    
    
     
     
     
     
     
     
    
    
    
    
    
   
   
  
  
 
 



why3-1.6.0/examples/verifythis_2021_lexicographic_permutations_1/why3shapes.gz000066400000000000000000000325461440160026300274670ustar00rootroot00000000000000}[o9޺{
^~Y#,JeŢURtϯ/ȼe[vYrO&#$;]?so{nؕ_~%N=?{uN_އS.ՕlmZ
mq1oM4^UMb:&ppAw'?M}a߰Pz+FW"iw0 n;\??ۼy^j~ &Zx܀-޽/٥{˂VZtCi]+
;pnEo}C5sPK"׽e˳ͦWF5j'qT+!s!~.%n9j?+BLp
p
wFW(#
Eo|kAIhW2tS7svqc3?hFqftH+~Do9j
ԑ]	Npo	9+n]@D"1a~dT2j*817lT)RKa.R[K(is%yJ6.S3+L!-^ۻԫ]_Y&#rlM0R-OLP&k{7^I٠6rN)@{&}%$i,_.s@ۭ女%DK3?
t%Y3T|s^q4;{~Dz 1w)]]qC=toYul
QQ4nۜfM@&?ICHi]bD-
M'7'D~z6ځP,wC!B*QnT&&1Xf0T
K\TԁK^@'j,tqgj5pNUH(:=Wj.>Xy%0.._	oQ%[j_Hތ]Qd3ӳq|jmD\rO4$ͥSLd"GF|\᮴g-\@(R]Obo7oD g_\yk6Sg|cp{Fxz{|θ	=b)R,T\ܳYJi<C*EŤEJHXCRSZ'	n9l}:@mrt!}M.*qB\wv@b?2b3բ8)-rξX Ijsj0\W@	+?d~ح7k$'o绵N&vIC*p?$zpl
=[A o"o"&o"~Ɏ8e??bR
TWPz8Ҷmf5fl}:ufh*k78k%~>[Xd&Kr3?a
?%X
gS0;C4':XE:8ͽX

t-s9 |Ik4˛pxr[gn|Ik>*ȉB\|96uTkfee/
}#[0!ٷcIx>$~ڞNoB&{*/5axXܯ`Ţ],sy@,hSׯ(L,{>]lj]71t)9Umw
ñ~YxܡdvS0?=I6"dF&;CgPtޤYPjAxQz=!WU냜>^p0#_uzUz)Z3Ou=QhJ&p_OzJwi
\Ӕ`
\lA޲
EQkhͶl`k;Ǭ(.^Z^[Qb̂畺TJ6Kwh3&ݵ0?/7pGO:ӥr((j ./܉mc8	H#p6%;Ǩ1@SX޶t,k(f1c0K0A+/eG/5kP#o"7hzD4QAkӬ57LE4[H?^N1[8%αhrHcpm}K&
baJC[lA)E(4h(4]D-f|&wjZ*qF78͞xiy"cCDx'Uć-ndm8I5.7J
Rq{Ξȵ_qsX\qS]\cBG\cGc\cˆ͖kŮ0;&a1W[	]fCK٬LD+2ezh& 9\Àx&tm6~jӫz^w69|Wb*@^j,4q?ޫ~v_ZSbV.Z}I{奄&=ma`˔f!(t5-@N%vmhոr|IW|:EAҽov;ݞ%7S̎Kɴ
v6<-Z5]uv'ǢYA]j^{P	ɱh-u=53Wx[s}b~Ȭ^qbv?0hw-ͫ%F׼/"ek3٬`lZIiH^O_ZTFn`=MBxׇ*q=tY4i<9DRqqwe.}	e{os6cm֝i=Q!%sXn{qXc(()"_Hg2m9&xؿA!
7I{fA#ժ+Xr{1Ͷuϻ!;mb'ݏ%$jK|=g[zxIq,$]HXmg`wß:[>gx=^Z}]r{bc>/zX-rzm$6
Ibža#ssqf\`:6~|˕=kGdϮmhO猹C@]s;o5)IDA
x,/lJ/?$,%&]M"9yI6-xdyWt$UZĶ3'کX.3YTp-:ȖbۉAj,P̋zB}Ʈ&>rb7݈VH~-Fl'rqre@,҉	׳NسI\NI'd 1\"+MaH+hɄ&JO&;R,*^#IB4pie`ED]*TIb+G23glгz3l~a\IvPF:iTf璦9;7LQMM錑t?]KOW.6͔lu ꓲ7m\47>%oɏv`D:	oG+A$YdKQܴkX	YMnVZ 
`7]f7m7jjmD.VZy(0?f{;CнHߵӲxK۾ntjZn%~K=yޛn*.Y.=t|sh71|rkP0]=g<}7o{ژT6uҫ_hҮv-$8_FA?Tw;#k/g" ڸʸDcuo&|Bҭn;%WiǚHJZ5BWƼ24LD.a]RN|$mj.*Y-(q7}3
7gCt_vq7A-?a6/ŭT`E5?ۏC[}*>w{,B"N~׬YZp406y?&2f/VGP2>E;W*]~ {o>|8Jo;.qh(fDS=65u`bJ(x؞sSk{]^vtJWJ>Sp3*zybyg۬ʩY?x9otч+>-pѲmZr]Ni/WGHw򬽧٬$/jX'Mؔl6^ڃ6t9yE5-66m@ykM[^$}$tّPoiN!.{q;фt|uNU@r.ȁ*rh3ŦAkuS3=7#=X^YC6dx(oUԅMK8~CM3_{uz6S2_v?nNh蕛YQH{G8*ٶx/%'~ٞPJ_Onz
l{*Vb-E6IZz͵kK%oATZa]Ŧ6M%fmL_%hڔ%MVCqLL	E'QinWzQv	X1Czoض|
*[9#$r67
:gV ʳBDn%"DD8ٶ<
89lj#mrq=Mv&]QmyŨ0j97}rn6Z<3{q=;4cZ]O~ΘD$WYRw2^iZHpvkk.&]Oٯ(F,F8q޶,dpAYvRpAX}HZy!qBҺ"f*k8}$[.U:W?0hނ;_/gbcNGr|؁	u(NDigF+Ћ]uiur[_6es,-S{d<aǡ㣆O>88=0m6:yѳ-d=l㶕|[*8՟՟^-Ґ`>勶|[A؏b=#ݑH+>a"ayD9}y%UF!ۼ]MLO-pf[u
kGiߍەۡ>[4B9]i4YzL3ѶrV{[izglS5=Ҋ
x4y_wrӓI"iPz_4N2O0m^)e6ۭWDρծ8EFODtt
9zdND&9cՌ^lm%h7e)灈伯yMZ.@N|^4^y5}?+Z]PJL Մj5Tlzҳf#|8k\gmSŌ~99n~*ē(:%.s	jU^]1WVxa*ysJY$LDs* ^`K֊)WxDsa5dW%iR%"QkP֝p~ٹ?wܴ&{`/k*D	ܜs}9\LM-FyA	Wj^_PEj*9V1+t!{rU'JLHՉD V b
\ryƌ$ZdI[0ʵ,L9dz/u62Ӆ(AzQuĤ'pvZtdLЀX
KZQ[Kq.e}`fbU(,8YomSaL&ol֚cxkwJ0㼂^ӌ+)iHsitY0ɝ'eJ
Y9hgٝ(v.t	͐^Akͅ5,V'J+~}P-'O6Q
wXƃAEJ+yD.gsvRjVZUDB*'Ɯ@1GdnaJ#ua2PgFmͦi)?r~".r-paESV$i皟k6) ,|PMu"iY+%J)
?n}չ
&SJX		ʕ/#-34j?~pqD2'"+CJf=V
;Qh'4ϤSᙬ6s ޙ(kI"
^&6bϝ&)fg4I͓)\#Ӻ$Re:_mYQ("Vn
DzCR~qYRꔵ1%ɣN@JĚsA@{32%U]Rg@[Vn#jJaQ5B
>:e<
81ߪ"09&;:\ZiIGhI-xKxHrJ^/G󰔂`,xk)B(P^A5a	y+X0C*d	1p*s'~\9_j,'7O6J9aފZx`I¥0TF51>&s҄f#3kl50xD)S2:eBW+dh*%DVHse9QP(xn5y>,e2bXK
hdj`GEv\4*D#
,˄$S>bWyʥPv5N;uGÇY1rx#/=?;wy
ɊMMdB%,:}չOTdv)CPJ7ܛ'èOH[l7EQȤ.Xc)`+sYB.ĝJyXcV?Ę}@হx7J01B<1S:)v<8	B Tr"kؑ?3(R"xT6$q2.N'ʳ/MtȔAk3uq`bRO:$0Wp8sGЄg_+hҠ(%c@1dXhdǖ X[}&sU	"(,d$]R~/a5)!EA䮞cB.˜<"B.4dX'D()3x&BU뾎&hI1_^ƘUcTƢ)+zu4_F3oO%`HwxzcGʠ+¸ԥMw8}b`:EvH\vfě]QZŕQń4LHĬ·.
hP_
7SvA&$5>Ovtu|5R!.R}dA4SM)3OM U:w >qjιcsOQV3B@X^!8߆܅K(Za)b*|AlN\1!ƣtҩM<)fYx V18f3fER*⺄k>f9< L<#N0QOG_{X5t(Ͱ:Z#"N^gN=*店P{
ePxTp5N&95:Cڏ)8㒬< S!1BI<Z>D(
Ѥ}EYQ<:PQ'	Zdzxn,C_
jgQ@d%ԨЊѱyn!).l{E#KQ~0
@45#>
W)`
.TIOʵCc>QaAH	Ibd)28dGdY`*`JZmvхj
%m>C@g-rRu3F
DE=7(;,1V	W
/'DJNfb^*Ŏ̬!`KiG*-aBYӐ7D('1e'|6H⽂_hN˛3Ld1GD"ڧ⒃VVO]bxdIApK&!&3( #d'(<7cTDX1jutF'cĐ$xNkrLuv	2|0h~>*d}%x`LXd4	 F/ٖhJ!
GӖ;_>낃!9Rh5T4eiIp$!`e^(qÑ"N%:@攌bZh%
­>GjpR@["oyOB!B22
)dJqxYH'
/#sdq4x@
WbUBD`쫒upWhkK&?{Kr9`_4KWR2"9N}9y#E Aj\"%'|ŸG*H	O6p’+|TKL2ᗬwE;O!OD&%ɴ0	
Atɀ%҈Db;1DD&!+^1Zi'js.
λ"45*&D 
qe67I c»"g+4ً?Z`N΂YB6`hRJgRPfmE}!@:h)-!@8ڶ=MC֛-0t|5x{	+s<#
d:0ZM̶_O[t$X(Aiabu,RzqM6I]p-h|9DZIXU
H:Cno*̹p]ˊxD&iebYv./==&e
љk!M29TXrK晰_Ne4(yJ`>#HaXiYDzQkMi$Bo80lH)hi,%y+va",\0\:$Lg`IUqpP$$↫X[K6rd2%j獤允X	E!p֪8mI6)5%WY[=-T_d{bj͙!ӱtדZ%+P>
b^/dey|+!wHf9ðTIUdko(,ү1ǹ:1*r76k@7{	[S]{4
(FZ-s_
0<g<@L*zi?HmfL@mK-]BC_E'em'4M˴H[8=sW܃4OK:
#)7f5GL	X̙bvz/+2+%%j$ AdKXQ28zYdzA	û.	5:FXN'hw JNWmm$7RtC+g
n]i8@gKbmOp:FEY:ή1VNYiT`\I.rbLMŹ		Y.bh']I.՜:D.7t΁0d=ӤgͩֆXP9\tr
Np&S-Ϟ[aYE	r*$nK
3M
ȋػ+|+'٤O٤Žrr:;pa-Wh:݊YP؜9s
g{9\*YW%COsY*]N:AV0Mc/HǞ[!K*V2"ϻ$P*yp$ 
~;s=}O U)4&V͇S>3ABLEX:hYrZ0ijN's0j:!d2GkT~d:h3.+t:Zքh8i9cDގtVOLs+kfA1myq
hO$+f9VJ	4,+$$ϖjTZY
ɮm d,tܟ6A삄bDBOr5>YJ,‡@bubrJ%׈Rѭ1J:)٥R<\pcў	;
8:
'	
Zt G\N}<z/S&dLIY!pLC[z8*Xt@HkzD QB%7^zQ
e)	%tr<3^pլc7
8ja,d1.!{HL'M_(1 $+vwY}"^X+Q$X0?8GRϣ2AyeC_U3?E:[Y;v^~2*4Ÿ/F鉌J6jwg%
"])#9|*LĘQ#(n}bHVDqAgDD(2Pt:2>&=n,D/NGȔ!
AJ?4})mM[\\$:S@dK_+mC/E3ϗ*C"!R['u!wi-scS7g^32la,eI)ڼ\x`jprc"gtev!jg郻.#eNl!NA cnh\p)2Wh1xzUGXc5ZhZsxפӮgr
k|u@p:@!6IA%RC_;=F=rN5daκ@GYܝ}N6UD%"tFJ:@hR ?U2*y5Qpp]" U`+TK4?^f	x
܊)!iA2~tZ1$
bR1C13d"-nMAGYDy5dR٤U$]>};@}\fDRI}JF_tHEY
"@SHGL\a)fɇg$h.ǚx0ΐT "ACh` RS=)A3Ne 1rVM&h2% iXYM[Q|XbeLz^"y+"^rOFdT0P(H"gmE0Gp1bmd6@	"<%}tMbHf!ItB.,)A"a Moc:FeΤM~O"RW!	Q(KKEƍw&!R ^(D܌T/m_lD0(*DK~[\M4iJF~ⱒ's}(j0W)HȌҲXJemϯr4'#9CO]B+})ldYsNMN6CWS+lbT⹳Yn_y	{}ap*ƦϝdrBs[Yb,9۬}5dϝM07dŋR0ՇTܒJM
岃U5}p0klD3}Ϛ}7o[A	8%$X_>sUQ%C/{AzBgDyxչY>%?	ŒAҧlmY7 CcPUDG2F`aPCwhy3-1.6.0/examples/verifythis_2021_lexicographic_permutations_2.mlw000066400000000000000000000356071440160026300255520ustar00rootroot00000000000000
(**
{1 VerifyThis @ ETAPS 2021 competition
   Challenge 1: Lexicographic Permutations}
   See https://www.pm.inf.ethz.ch/research/verifythis.html

   Authors:
   - Quentin Garchery (Université Paris-Saclay)
   - Xavier Denis (Université Paris-Saclay)
*)


module ArrayListConversions
   use int.Int
   use array.Array
   use export array.ArrayEq
   use list.List as L
   use list.Nth
   use list.Length as L
   use option.Option


let rec function to_list_from (i : int) (a : array int) : L.list int
    variant { length a - i }
    requires { 0 <= i <= length a }
    ensures { L.length result = length a - i }
    ensures { forall k. 0 <= k < length a - i -> nth k result = Some a[k+i] }
    =
    if i = length a then L.Nil else L.Cons a[i] (to_list_from (i+1) a)

let function to_list a = to_list_from 0 a

let lemma to_list_array_eq (a1 a2 : array int) : unit
    requires { array_eq a1 a2 }
    ensures { to_list a1 = to_list a2 }
    =
    let rec lemma to_list_array_eq_from (a1 a2 : array int) (i : int) : unit
        variant { length a1 - i }
        requires { 0 <= i <= length a1}
        requires { array_eq a1 a2 }
        ensures { to_list_from i a1 = to_list_from i a2 }
        =
        if i < length a1 then to_list_array_eq_from a1 a2 (i+1) in
    to_list_array_eq_from a1 a2 0

let function of_list (l : L.list int) : array int
    ensures { length result = L.length l }
    ensures { forall k. 0 <= k < L.length l -> nth k l = Some result[k] }
    =
    let a = make (L.length l) 0 in
    let rec update_from l' i
        variant { l' }
        writes { a }
        requires { 0 <= i }
        requires { L.length l' = L.length l - i }
        requires { forall k. 0 <= k < L.length l' -> nth (k+i) l = nth k l' }
        ensures { forall k. i <= k < L.length l -> nth k l = Some a[k] }
        ensures { forall k. 0 <= k < i -> a[k] = old a[k] }
        =
        match l' with
        | L.Nil -> ()
        | L.Cons v t ->
          a[i] <- v;
          assert { forall k. 0 < k < L.length t ->
                   nth (k+i+1) l = nth k t
                   by nth ((k+1)+i) l = nth (k+1) l' };
          update_from t (i+1)
        end in
    update_from l 0;
    a

let rec lemma eq_nth (l1 l2 : L.list 'a)
    requires { L.length l1 = L.length l2 }
    requires { forall k. 0 <= k < L.length l1 -> nth k l1 = nth k l2 }
    ensures { l1 = l2 }
    =
    match l1, l2 with
    | L.Cons a1 t1, L.Cons a2 t2 ->
      assert { a1 = a2 && L.length t1 = L.length t2 };
      assert { forall k. 0 <= k < L.length t1 ->
               nth k t1 = nth k t2
               by nth (k+1) l1 = nth (k+1) l2 };
      eq_nth t1 t2
    | L.Nil, L.Nil -> ()
    | _ -> assert {false}; ()
    end


lemma of_to_list : forall a. array_eq (of_list (to_list a)) a

lemma to_of_list : forall l. to_list (of_list l) = l

meta remove_prop axiom eq_nth

end

module BoxedIntArrays
use int.Int
use int.Abs
use int.MinMax
use int.Power
use array.Array
use array.ArrayPermut

predicate boxed (u : int) (a : array int) =
   forall i. 0 <= i < length a -> 2 * abs a[i] < u

lemma boxed_permut : forall a a' u.
      boxed u a ->
      permut_all a a' ->
      boxed u a'

let function greater a
    ensures { result >= 0 }
    ensures { forall i. 0 <= i < length a -> 2 * abs a[i] < result }
    =
    let rec function great a l
        variant { length a - l }
        requires { 0 <= l <= length a }
        ensures { result >= 0 }
        ensures { forall i. l <= i < length a -> 2 * abs a[i] < result }
        =
        if l = length a then 0
        else let r = great a (l+1) in
             max r (2 * abs a[l] + 1) in
    great a 0

lemma boxed_greater : forall a.
      boxed (greater a) a

let function maxi base (a : array int)
    requires { boxed base a }
    =
    power base (length a)

end

module Permut

use int.Int
use array.Array
use array.ArrayPermut
use array.ArrayExchange
use array.ArrayEq

use array.IntArraySorted
clone array.Sorted as Decr with type elt = int, predicate le = (>=)

predicate le (a1 a2 : array int) =
   length a1 = length a2 &&
   exists i. 0 <= i <= length a1 &&
   (forall j. 0 <= j < i -> a1[j] = a2[j])
   && (i < length a1 -> a1[i] < a2[i])

predicate lt (a1 a2 : array int) =
   le a1 a2 && not array_eq a1 a2

let rec function find_eq (a1 a2 : array int) (i : int) : int
    variant { length a1 - i }
    requires { length a1 = length a2 }
    requires { 0 <= i <= length a1 }
    requires { array_eq_sub a1 a2 0 i }
    ensures { 0 <= result <= length a1 }
    ensures { array_eq_sub a1 a2 0 result }
    ensures { result < length a1 -> a1[result] <> a2[result] }
    =
    if i = length a1 || a1[i] <> a2[i] then i
    else find_eq a1 a2 (i+1)

lemma lt_trans : forall a1 a2 a3 : array int.
      lt a1 a2 -> lt a2 a3 -> lt a1 a3
      by let i = find_eq a1 a2 0 in
         let j = find_eq a2 a3 0 in
         i < length a1 && j < length a1
         so i <= j -> array_eq_sub a1 a3 0 i && a1[i] < a3[i]
         so j < i -> array_eq_sub a1 a3 0 j && a1[j] < a3[j]

let function find_le a1 a2
    ensures { result <-> le a1 a2 }
    =
    length a1 = length a2 &&
    let i = find_eq a1 a2 0 in
    i = length a1 || a1[i] < a2[i]

lemma eq_le_compat : forall a1 a2 b1 b2 : array int.
      array_eq a1 b1 -> array_eq a2 b2 ->
      le a1 a2 -> le b1 b2
      by let i = find_eq a1 a2 0 in
         array_eq_sub b1 b2 0 i &&
         i < length a1 ->
         b1[i] <= b2[i]

lemma eq_lt_compat : forall a1 a2 b1 b2 : array int.
      array_eq a1 b1 -> array_eq a2 b2 ->
      lt a1 a2 -> lt b1 b2

lemma le_or_lt : forall a1 a2 : array int.
      length a1 = length a2 ->
      le a1 a2 \/ lt a2 a1
      by not le a1 a2 ->
         let i = find_eq a1 a2 0 in
         i < length a1 && a1[i] > a2[i]
         && array_eq_sub a1 a2 0 i

lemma lt_not_le : forall a1 a2 : array int.
      lt a1 a2 -> not le a2 a1
      by let i = find_eq a1 a2 0 in
         i < length a1 && a1[i] < a2[i]
         && array_eq_sub a1 a2 0 i

let lemma eq_sub_permut (a1 a2 : array int) (u : int)
    requires { permut_all a1 a2 }
    requires { array_eq_sub a1 a2 0 u }
    ensures { permut_sub a1 a2 u (length a1) }
    =
    let rec lemma eq_sub_permut_ind (a1 a2 : array int) (i1 i2 i3 : int)
        variant { i2 - i1 }
        requires { i1 <= i2 <= i3 }
        requires { permut_sub a1 a2 i1 i3 }
        requires { array_eq_sub a1 a2 i1 i2 }
        ensures { permut_sub a1 a2 i2 i3 }
        =
        if i1 < i2 then
        eq_sub_permut_ind a1 a2 (i1+1) i2 i3 in
    eq_sub_permut_ind a1 a2 0 u (length a1)


lemma le_permut_sorted : forall a1 a2 i.
      length a1 = length a2 ->
      permut_sub a1 a2 i (length a1) ->
      sorted_sub a1 i (length a1) ->
      le a1 a2
      by let i' = find_eq a1 a2 0 in
         i' >= i
         so i' < length a1 -> permut_sub a1 a2 i' (length a1)
         so a1[i'] <= a2[i']

lemma le_permut_decr_sorted : forall a1 a2 i.
      length a1 = length a2 ->
      permut_sub a1 a2 i (length a1) ->
      Decr.sorted_sub a1 i (length a1) ->
      le a2 a1
      by let i' = find_eq a1 a2 0 in
         i' >= i
         so i' < length a1 -> permut_sub a1 a2 i' (length a1)
         so a1[i'] >= a2[i']

let next (a : array int)
    writes { a }
    ensures { permut_all a (old a) }
    ensures { not result -> a = old a &&
              forall a'. permut_all a a' -> le a a' -> array_eq a a'
              by Decr.sorted a }
    ensures { result ->
              lt (old a) a &&
              forall a'. permut_all (old a) a' ->
              lt (old a) a' -> le a a' }
    =
    let ref i = length a - 1 in
    while (i > 0 && a[i-1] >= a[i]) do
          variant { i }
          invariant { i <= length a - 1}
          invariant { Decr.sorted_sub a i (length a) }
          i <- i-1
    done;
    if i <= 0 then false else
    begin
    let ref j = length a - 1 in
    while (a[j] <= a[i-1]) do
          variant { j }
          invariant { i <= j <= length a - 1 }
          invariant { forall k. j < k < length a -> a[k] <= a[i-1] }
          j <- j-1
    done;

    assert { a[j] > a[i-1] };
    assert { forall k. i <= k < length a -> a[k] > a[i-1] -> a[k] >= a[j] };
    let ghost i0 = i in

    let ref temp = a[i-1] in
    a[i-1] <- a[j];
    a[j] <- temp;
    assert { exchange a (old a) (i-1) j };
    j <- length a - 1;

    label L in
    while (i a[k1] <= a[k2] }
          invariant { forall k1 k2. i <= k1 < k2 < j+1 -> a[k1] >= a[k2] }
          invariant { forall k1 k2. j+1 <= k1 < k2 < length a -> a[k1] <= a[k2] }
          invariant { forall k1 k2. i0 <= k1 < i -> i <= k2 <= j ->
                      a[k1] <= a[k2] }
          invariant { forall k1 k2. i <= k1 <=j -> j < k2 < length a ->
                      a[k1] <= a[k2] }
          invariant { forall k1 k2. i0 <= k1 < i -> j < k2 < length a ->
                      a[k1] <= a[k2] }
          label StartLoop in
          temp <- a[i];
          a[i] <- a[j];
          a[j] <- temp;
          assert { exchange a (a at StartLoop) i j };
          i <- i+1;
          j <- j-1
    done;
    assert { sorted_sub a i0 (length a) };
    assert { forall a'. permut_all (old a) a' ->
              lt (old a) a' -> le a a'
              by let i = find_eq (old a) a' 0 in
                 if i = length a
                 then array_eq (old a) a' so le a a'
                 else if i < i0-1
                 then a'[i] > (old a)[i] so le a a'
                 else if i > i0-1
                 then a'[i0-1] = (old a)[i0-1] < a[i0-1] so false
                 else i = i0-1
                 so if a'[i0-1] <> a[i0-1]
                    then (old a)[i0-1] < a'[i0-1]
                         so permut_sub (old a) a' (i0 -1) (length a)
                         so a[i0-1] <= a'[i0-1]
                         so le a a'
                    else array_eq_sub a a' 0 (i0-1)
                         so array_eq_sub a a' 0 i0
                         so permut_sub a a' i0 (length a)
                         so le a a' };
    true
    end

use queue.Queue as Queue
use list.List as L
use int.Abs
use int.Power

use BoxedIntArrays

val sort (a : array int) : unit
    writes { a }
    ensures { permut_all a (old a) }
    ensures { sorted a }

let rec function as_num base a i
    variant { length a - i }
    requires { boxed base a }
    requires { 0 <= i <= length a }
    ensures { 2 * abs result < power base (length a - i) }
    =
    if i = length a then 0
    else begin
    let rest = as_num base a (i+1) in
    assert { 2 * abs (a[i] * power base (length a - 1 - i) + rest) <=
             2 * abs a[i] * power base (length a - 1 - i) + 2 * abs rest <
             (2 * abs a[i] + 1) * power base (length a - 1 - i) <=
             base * power base (length a - 1 - i) <=
             power base (length a - i)
             by (forall x y : int. x >= 0 -> y >= 0 -> x * y >= 0)
             so forall x y z : int. x <= y -> z >= 0 -> x * z <= y * z
                by (y - x) * z >= 0 };
    a[i] * power base (length a - 1 - i) + rest end

let function as_number base a
    requires { boxed base a }
    ensures { abs result <= maxi base a }
    =
    as_num base a 0

let rec lemma as_number_ind (a a' : array int) (base i j : int)
    variant { j - i }
    requires { 0 <= i <= j < length a }
    requires { boxed base a }
    requires { boxed base a' }
    requires { array_eq_sub a a' 0 j }
    requires { a[j] < a'[j] }
    ensures { as_num base a i < as_num base a' i }
    =
    if i < j then (assert { a[i] = a'[i] }; as_number_ind a a' base (i+1) j) else
    assert { as_num base a i = a[i] * power base (length a - 1 - i) +
                               as_num base a (i+1) /\
             as_num base a' i = a'[i] * power base (length a - 1 - i) +
                                as_num base a' (i+1) /\
             2 * (as_num base a (i+1) - as_num base a' (i+1)) <=
             2 * abs (as_num base a (i+1)) + 2 * abs (as_num base a' (i+1)) <
             2 * power base (length a - 1 - i) <=
             2 * (a'[i] - a[i]) * power base (length a - 1 - i) }

let lemma as_number_strict a a' base
    requires { length a = length a'}
    requires { boxed base a }
    requires { boxed base a' }
    requires { lt a a' }
    ensures { as_number base a < as_number base a' }
    =
    let n = length a in
    for i = 0 to n - 1 do
        invariant { array_eq_sub a a' 0 i }
        if a[i] <> a'[i] then (as_number_ind a a' base 0 i; return)
    done

use seq.Seq
use seq.Mem
use ArrayListConversions

lemma seq_snoc_mem : forall s : seq 'a, x y.
      mem x (snoc s y) <-> mem x s \/ x = y

let permut (a : Array.array int) : Queue.t (L.list int)
    ensures { forall i1 i2. 0 <= i1 < i2 < length result ->
              lt (of_list result[i1]) (of_list result[i2]) }
    ensures { forall a'. permut_all a a' -> mem (to_list a') result }
    =
    let ghost base = greater a in
    let res = Queue.create () in
    if length a = 0 then
    begin Queue.push L.Nil res;
          assert { forall a'. permut_all a a' -> mem (to_list a') res };
          res end
    else begin
    sort a;
    let ref cont = true in
    let ghost ref cont_int = 1 in
    assert { forall a'. permut_all a' a -> lt a' a -> false
             by permut_sub a a' 0 (Array.length a) };
    while cont do
          invariant { permut_all a (old a) }
          invariant { boxed base a }
          invariant { cont_int = 1 <-> cont }
          invariant { cont -> forall a'. permut_all a' a -> lt a' a ->
                      mem (to_list a') res }
          invariant { not cont -> forall a'. permut_all a' a -> le a' a ->
                      mem (to_list a') res}
          invariant { cont -> forall a'. mem (to_list a') res -> lt a' a }
          invariant { not cont -> forall a'. permut_all a a' -> le a a' ->
                      array_eq a a' }
          invariant { forall i1 i2. 0 <= i1 < i2 < length res ->
                      lt (of_list res[i1]) (of_list res[i2]) }
          variant { cont_int, maxi base a - as_number base a }
          label SL in
          Queue.push (to_list a) res;
          cont <- next a;
          if cont then begin
          assert { forall a'. permut_all a' a -> lt a' a ->
                   mem (to_list a') res
                   by not le a a'
                   so le a' (a at SL) };
          assert { forall a'. mem (to_list a') res -> lt a' a
                   by le a a' -> lt (a at SL) a'
                      so not mem (to_list a') (res at SL)
                      so to_list a' = to_list (a at SL)
                      so lt a' a };
          () end
          else cont_int <- 0;
          assert { boxed base a };
          assert { forall i1 i2. 0 <= i1 < i2 < length res ->
                      lt (of_list res[i1]) (of_list res[i2])
                      by i2 = length res - 1 ->
                         array_eq (of_list res[i2]) (a at SL)
                         && lt (of_list res[i1]) (a at SL)};

    done;
    res
    end

end
why3-1.6.0/examples/verifythis_2021_lexicographic_permutations_2/000077500000000000000000000000001440160026300250165ustar00rootroot00000000000000why3-1.6.0/examples/verifythis_2021_lexicographic_permutations_2/why3session.xml000066400000000000000000001030311440160026300300340ustar00rootroot00000000000000










 
 
 
 
 
 
 
 
 
 
 
  
  
  
  
  
  
  
  
  
  
  
  
  
  
   
   
   
   
   
   
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
 
 
 
 
  
  
  
  
  
   
   
   
   
   
   
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
 
 
 
 
 
 
 
 


 
 
 
 
 
 
 
 
 
 
 
 


 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
  
  
  
  
  
  
  
  
  
  
  
  
 
 
 
 
  
  
  
  
  
  
  
  
  
  
  
  
 
 
 
 
 
 
 
  
  
  
  
  
  
  
  
  
  
  
  
 
 
 
 
  
  
  
  
  
  
  
  
  
  
  
  
 
 
 
 
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
  
  
  
  
  
  
  
  
  
  
  
 
 
 
 
  
  
  
  
  
  
  
  
  
  
  
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
  
  
  
  
  
  
  
  
 
 
 
 
 
 
 
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
 
 
 
 
 
 
 
 
 
 
  
  
  
  
  
  
  
  
  
  
  
   
   
   
   
   
   
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
   
   
   
   
   
   
   
   
   
  
  
  
  
  
  
  
  
  
  
   
   
   
   
   
   
   
   
   
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
   
   
   
   
   
   
   
   
   
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
 
 



why3-1.6.0/examples/verifythis_2021_lexicographic_permutations_2/why3shapes.gz000066400000000000000000000315301440160026300274600ustar00rootroot00000000000000}[o7~A/1B0s_^g8Vb+[$뺷Kl'rOE.$_W9unogixu_{0\oĮw
/˫{~`ủbV*7wQ7.=ycGώ:z
ҍ^tJKK\A^^=pqF'p	~lA!}s3mk]R5\}۪')fP{CM/ߔ^VF?7Bk˳/oX_|vJ6:"x}{qptnȽ
o9Yp1}*7;o5҈˻7T܍{oۨ0?} 3!ό~J|bxz,yS^5
!bu6.U;߃skܿ[^%5q};7h~2F|Fzze&yNȦߵ4(ڄzf֨:&-'V.ŦK͑ZK\4oȍB6!uhxeX"9;NNn؄tTEZsIm73-MմѠRb;KN3$#Pl1Z0xjUն+4DeW DBgd.%U+r,ԢA' K՘*pVWـm",p3k^
^ZZޙM2xb
6fWF:֍
xI^pRŊIߊ&$#,st:=#ak'o6*k!i6#Jx\=Z+,C7դ2)/;^7leAcPЄ/gی7=Bm8r(
ިINn#l0]		w}5,Nק}k57grd37//N@ynnmսVv48RZ>%:-5+{GMC@y~"lz\	޻VL݃;ս~P@+\A;E'@u}7JnTIHt]8yӮOJLz%)ęmDNm>M_yߡI؍jnΐ#F?srE||?^N_F!י20Ts5e
tp
7mhnwd]@luMz~Q}H;/N)w9C/mʘh{`msqS(^^5ۋUo脨xqM'I|1Ufɂ5_'Z\V{x﷫^Ԛѽw{[PHgfХ[bZc^i `LF"_5h
ە2쬗5} v6үެ%ǭd-~39#T@50J6 }ԔO7!)}mZo6E<<ՂljJd|]*fUE#|>1M^7w}'[fUߒEv^$Ϟ.7ҷMtU[΍
@)=/o?ᒮ4e;id^&zA[btM'jNb.bG7Fo6-Qぶ'[=r{_|.\|aV+q҆0ݗJW"M9
*4՘oiM_'%^HUhmV=xrC=XZWanUྺUʴV{`n|Aixs#
[*;m5Ug3ө&MmrujBuڠ.|s\C?hacҏвz43c	Op<^^l;ЇANΑྻ;\vU㺲L74iB=vcM5SQ/2?NhL"Akg[>PBf$s`!ObMҔ<"Šhmi%ɣ+yS
x;S6遚>_qڈ
-u+ƪSz=MA+M${`$kYS?sH,̬̲ytr}Djh\l=0HX7Hmn4md?U'
_YmE_kn}2m/z1/VIዱXLz	T;P
&'=Y|HۓOxl8c.͓w+n!=ҡ#ߔ}0=iւlf>uϊ"B	DW,=}wozƲ"-mhgY#IwMɿQP+uz9z~e  .';l/-\9'fI] ~c t᱘y,x,:Takf^syd6mbc"}gpτ ?"NcQޗwn*o}99>\bX;FFkY~ՓbNo,?-F˾HZh[pG%v%_-!yC+CX2=K>}{ATa
1tfQ4fCk`^twFN=ά1B94>N_ҲTO^m|#޴ݔOۀ	ZYWoxͭ
ig
mevn\}[G: UhY@cXCo.u/v46ռXM`uۗm}U҂<'SE
=QNQqҝΡbnzN
1ug/{5O~	1edt|J"{!|bΏ=b.EΌdB	Fz`56`;S!	ќKVSfVfehk/+u%ęMJ1idtExIzO";/2R)o5Ίw"乴W]V1`RMRzSx>K:褬=ʏ쓱&ʲeD-xџ~%W]q{W\]qyNe@qLrṲT[SI6lkpPWCX.k#^C(OJυJ{!PL2DEQY9ɳ10 #DUy%ŕW]	r.`Qr)R' &蔰<x
"CI|Fk.`fVK)BL{! 'BQQ+~ؕx)CU%&0^sÃ=WJܲVѰbQXPeͼASksNš gыʽ\q%R=񁐭&bX*	LECA$Y
Wʼ/9G[UN@S*T؁,\&}0|Iϐ̢yΒQآvO|֎|0XmG 1I
ng6Q5+".S
*;&X"昵PZ+Q6Be/
gE]xDSfv0l:ʉ+=I㢂2>CMdB2$w
ᰮI0+#2liq7Yb$͓YfxV\YNtǬ`hKǴ ZKC]ۀ+OUv^xģd`Т!7dXw2	\ў}U؟LoՕX./+:kpՃ'J$6Q2l~/E裇kW֜hQUPv،m
R&l\S[e13=\lȵبSUJGfÔ-Mώ:N:%_P"W8~ݹWN]94An8d0Zx4#xkb*լM`DFA	Z3p,ݕ"'(3"5pB8-u`12r&-Pԭ H(3ۢ SRky 8΍܇u"A4rp4XEgD$Ī2i
m(.<\a>CCb!GgzBT!9UXV"܁8"Iu! WJ8NC*uKR@DѲ%h\KgQ,}2=
* |9@rddGEB`§r4}Ԍ48PG⥇dHiZ#DZ+br)r*e8#	r\p"+^sd6;gJ
U9峊zD$CV%Uìj 9g;Hj9ُl62.kt#V2jF##$K
M*^Y,[Qc]NFE@LXQpz'tĽv9WRf{Yޑk5H|@Lj"W"ϥ!8̏!=MB9tzC3BFi!Gmt<#>Bw|1VihR&gTc
٘8	 H!"uhܧ0 C>FAVFA*B G#D&Pl	T尪M=W2~vFߐIy#+?_ja=s@Q*% Yſ4
?:HC"/H!=,Ɍ5zqXä"bU`dBPk>+i)z]U@<+Z#]Q
P[8XthxDT1x6BcC"B&2N*xh?Y4ݞ7ҩN#C(L.c-iE0	N{BLJN*&-ā)mi?VjCWŜB/R*$m۔tqmDC	Ff9Ѷ\Th! |T9&iIP)&$0ȷ_1LE0,PUdHiWΆjU6R0BlP@S9Yْ\-VUpR-RqhB{$&pЄEiz&I{Z$Vk@"qJD:l:EO	y u9"%{=Z$qC~7WH:xňA:2itv\${TeIX"oqE>vT)xuqV&iK)ۇػ6S3Z%ٹfAXZLvgKI`,0bAg+/YC{r#"蔭2B['7sԕl'^t4AD5CR	G`tmtAh!" 5:fƤ23Qj5OֶE~FH^:V&x(E4}.Z? R\P)
oLSh,:{P"NU )QbF	tEg:ASV]f!vRuj;Ia?+<xI((PQc;EFB.?'NWL"DŽ+"QNgn;{ύӑA_L_FpigTe>Fl1a%*hiyPR\VyqҖ֘1@E0ݑYLY_	]?GPXx-d~+oNc>CrJrL|Pd[	Ag6C\N"+
.XkQtʨv솤qRWYyTͪM5c8j!Tta)#oc,QӦTĨ@/)dODj/9D7NɷH&A+BJG~.r>ϕG!OZ?Ʊ7sEϋg\!00{HӐ=%`{$OŧLJ87KyytEHhA$2/OʮZ
{R£C!l
#H}Ȉdp)	B@ّtRe!EV8CtԿF|1̱d#[UWDt0$<_)t_i1RԹOʁZd#hp,v4AK2Zp#h/'yOt:"@bblL.s:55љV)@u⏋B	V	I+_#T*L*T>
:qMk0K5X:7&;_
HVOG6Fi4&h+ sɎv7"i
:-=pVx[:I~ik:]p*@qZl`tiB2ɶ^$D8V%$'yqK#.ex~%BVKPE?Z9R7I$Zk`3Jcy=YbM2m-GөcDǂu&YqHF|dI;Q	
/Ur΅P:c(lӑU7"(*tͣ.X#TEĻQ
B~fcc0(|/
L-KHwf5Zf
SPYtRf)ͣ"ҧQ6L7,E7g3xDډ7Dǐ>VcK&J"ļ25T	_!V:biQ;W}-әx!#$5 'a = fun i -> m.M.elts i j

  function moccf (x:'a) (e:int -> int -> 'a) (c:int) : int -> int =
    fun (i:int) -> occ x (e i) 0 c
  function mocc (x:'a) (e:int -> int -> 'a) (r c:int) : int =
    sum (moccf x e c) 0 r

  let rec ghost transpose_count (x:'a) (e1 e2:int -> int -> 'a) (r c:int) : unit
    requires { 0 <= r && 0 <= c }
    requires { forall i j:int. 0 <= i < r /\ 0 <= j < c ->
      e1 i j = e2 j i }
    ensures { mocc x e1 r c = mocc x e2 c r }
    variant { r }
  = if r = 0 then begin
      assert { mocc x e2 c r = 0
        by forall j:int. 0 <= j && j < c ->
          moccf x e2 r j = 0
      }
    end else begin
      let rm = r - 1 in
      let f = pure{moccf x e2 r} in
      let g = pure{moccf x e2 rm} in
      let rec ghost scan (j:int) : unit
        requires { 0 <= j <= c }
        ensures  { sum f 0 j = sum g 0 j + occ x (e1 rm) 0 j }
        variant { j }
      = if j <> 0 then scan (j-1)
      in
      scan c;
      transpose_count x e1 e2 rm c
    end

  val sort(a: array int) : unit
    writes { a }
    ensures { forall i j:int. 0 <= i <= j < a.length ->
      a[i] <= a[j] }
    ensures { permut a.elts (old a).elts 0 a.length }

  let ghost permut_swap (a b:int -> 'a)(x y l u:int)
    requires { l <= x < u && l <= y < u }
    requires { forall i:int. l <= i <= u && i <> x && i <> y ->
      a i = b i }
    requires { a x = b y && a y = b x }
    ensures { permut a b l u }
  = let c = MP.(a[x <- a y][y <- a x]) in
    assert { MP.(a == a[x <- a x][y <- a y]) };
    assert { permut a c l u };
    assert { forall i: int. l <= i < u -> b i = c i };
    assert { permut b c l u }

  function compose (g:'b -> 'c) (f:'a -> 'b) : 'a -> 'c =
    fun x -> g (f x)

  let rec ghost numoff_occ (a:int -> 'a) (l u:int) (p q:'a -> bool) (x:'a)
    requires { l <= u }
    requires { p x }
    requires { forall y:'a. q y <-> p y /\ y <> x }
    ensures { numof (compose p a) l u = numof (compose q a) l u + occ x a l u }
    variant { u - l }
  = if l <> u then numoff_occ a (l+1) u p q x

  let rec ghost permut_numoff (a b:int -> 'a) (l u:int) (p:'a -> bool)
    requires { l <= u }
    requires { permut a b l u }
    ensures { numof (compose p a) l u = numof (compose p b) l u }
    variant { numof (compose p b) l u, numof (compose p a) l u}
  = if pure {numof (compose p a) l u } = 0 then begin
      if pure {numof (compose p b) l u} <> 0 then permut_numoff b a l u p
    end else begin
      let rec find (i:int) : int
        requires { i <= u }
        requires { numof (compose p a) i u > 0 }
        ensures { i <= result <= u }
        ensures { compose p a result }
        ensures { occ (a result) a i u > 0 }
        variant { u - i }
      = if compose p a i then i else find (i+1)
      in
      let j = find l in
      let v = a j in
      let q = MP.(p[v <- false]) in
      numoff_occ a l u p q v;
      numoff_occ b l u p q v;
      permut_numoff a b l u q
    end

  let sort_row(m : M.matrix int) (i: int) (ascending: bool) : unit
    requires { 0 <= i < m.M.rows }
    writes { m }
    ensures { forall j k:int.
      0 <= j /\ j < m.M.rows /\ 0 <= k < m.M.columns /\ j <> i ->
      m.M.elts j k = (old m).M.elts j k }
    ensures { forall j k: int. 0 <= j <= k < m.M.columns ->
      let a = m.M.elts i j in let b = m.M.elts i k in
      if ascending then a <= b else b <= a }
    ensures { permut (m.M.elts i) ((old m).M.elts i) 0 m.M.columns }
  =
    let a = make m.M.columns 0 in
    for j = 0 to m.M.columns - 1 do
      invariant { forall k:int. 0 <= k < j ->
        a.elts k = m.M.elts i k }
      a[j]<- M.get m i j
    done;
    assert { permut a.elts (m.M.elts i) 0 a.length };
    sort a;
    label L in
    if not(ascending) then begin
      let ref u = 0 in
      let ref v = a.length - 1 in
      while u < v do
        invariant { 0 <= u <= v + 1 <= a.length }
        invariant { u + v = a.length - 1 }
        invariant { forall j:int. u <= j <= v ->
          a.elts j = (a.elts at L) j
        }
        invariant { forall j:int. 0 <= j < u \/ v < j < a.length ->
          a.elts j = (a.elts at L) (a.length - 1 - j)
        }
        invariant { permut (a.elts at L) a.elts 0 a.length }
        variant { v - u }
        let e = a.elts in
        let tmp = a[v] in
        a[v] <- a[u];
        a[u] <- tmp;
        permut_swap a.elts e u v 0 a.length;
        u <- u + 1;
        v <- v - 1
      done
    end;
    for j = 0 to m.M.columns - 1 do
      invariant { forall k:int. 0 <= k < j ->
        a.elts k = m.M.elts i k }
      invariant { forall k l:int.
        0 <= k < m.M.rows /\ 0 <= l < m.M.columns /\ k <> i ->
        m.M.elts k l = (m at L).M.elts k l }
      M.set m i j a[j]
    done;
    assert { permut a.elts (m.M.elts i) 0 a.length }

 let sort_column(m : M.matrix int) (j: int) : unit
    requires { 0 <= j < m.M.columns }
    writes { m }
    ensures { forall i k:int.
      0 <= i /\ i < m.M.rows /\ 0 <= k < m.M.columns /\ k <> j ->
      m.M.elts i k = (old m).M.elts i k }
    ensures { forall i k: int. 0 <= i <= k < m.M.rows ->
      m.M.elts i j <= m.M.elts k j }
    ensures { permut (column m j) (column (old m) j) 0 m.M.rows }
  = let a = make m.M.rows 0 in
    for i = 0 to m.M.rows - 1 do
      invariant { forall k:int. 0 <= k < i ->
        a.elts k = m.M.elts k j }
      a[i]<- M.get m i j
    done;
    assert { permut a.elts (column m j) 0 a.length };
    sort a;
    label L in
    for i = 0 to m.M.rows - 1 do
      invariant { forall k:int. 0 <= k < i ->
        a.elts k = m.M.elts k j }
      invariant { forall k l:int.
        0 <= k < m.M.rows /\ 0 <= l < m.M.columns /\ l <> j ->
        m.M.elts k l = (m at L).M.elts k l }
      M.set m i j a[i]
    done;
    assert { permut a.elts (column m j) 0 a.length }

  (* Isolate the loops sorting all rows/columns in isolated functions
     for modular verification (also makes easier to verify alternative
     implementation with transpose) *)
  let sort_all_rows(m : M.matrix int) : unit
    writes { m }
    ensures { forall i:int. 0 <= i < m.M.rows ->
      permut (m.M.elts i) ((old m).M.elts i) 0 m.M.columns }
    ensures { forall i j k:int. 0 <= i < m.M.rows /\
      0 <= j <= k < m.M.columns ->
      let a = m.M.elts i j in let b = m.M.elts i k in
      if mod i 2 = 0 then a <= b else b <= a }
  = label L in
    for tid = 0 to m.M.rows - 1 do
      invariant { forall i:int. 0 <= i < m.M.rows ->
        permut (m.M.elts i) ((m at L).M.elts i) 0 m.M.columns }
      invariant { forall i j k:int. 0 <= i < tid /\
        0 <= j <= k < m.M.columns ->
        let a = m.M.elts i j in let b = m.M.elts i k in
        if mod i 2 = 0 then a <= b else b <= a }
      label L2 in
      let ascending = mod tid 2 = 0 in
      sort_row m tid ascending;
      assert { forall i:int. 0 <= i < m.M.rows ->
        permut (m.M.elts i) ((m at L2).M.elts i) 0 m.M.columns }
    done

  val transpose (m: M.matrix int) : unit
    requires { m.M.rows = m.M.columns }
    writes { m }
    ensures { forall i j:int. 0 <= i < m.M.rows /\
      0 <= j < m.M.columns -> (old m).M.elts i j = m.M.elts j i }

  let sort_all_columns (m : M.matrix int) : unit
    writes { m }
    ensures { forall j:int. 0 <= j < m.M.columns ->
      permut (column m j) (column (old m) j) 0 m.M.rows }
    ensures { forall i j k:int. 0 <= i <= k < m.M.rows /\
      0 <= j < m.M.columns ->
      m.M.elts i j <= m.M.elts k j }
  = label L in
    if any bool ensures { result \/ m.M.rows = m.M.columns } then begin
      for tid = 0 to m.M.columns - 1 do
        invariant { forall j:int. 0 <= j < m.M.columns ->
          permut (column m j) (column (old m) j) 0 m.M.rows }
        invariant { forall i j k:int. 0 <= i <= k < m.M.rows /\
          0 <= j < tid -> m.M.elts i j <= m.M.elts k j }
        label L2 in
        sort_column m tid;
        assert { forall j:int. 0 <= j < m.M.columns ->
          permut (column m j) (column (m at L2) j) 0 m.M.rows }
      done
    end else begin
      let n = m.M.rows in
      transpose m;
      assert { forall j:int. 0 <= j < n ->
        permut (column (old m) j) (m.M.elts j) 0 n
        by forall i:int. 0 <= i < n ->
        column (old m) j i = m.M.elts j i
      };
      for tid = 0 to m.M.columns - 1 do
        invariant { forall j:int. 0 <= j < n ->
          permut (m.M.elts j) (column (old m) j) 0 n }
        invariant { forall i j k:int. 0 <= i <= k < n /\
          0 <= j < tid -> m.M.elts j i <= m.M.elts j k }
        label L2 in
        sort_row m tid true;
        assert { forall j:int. 0 <= j < n ->
          permut (m.M.elts j) ((m.M.elts at L2) j) 0 n }
      done;
      let et2 = pure{m.M.elts} in
      transpose m;
      assert {
        forall j:int. 0 <= j < n ->
          permut (column m j) (et2 j) 0 n
          by forall i:int. 0 <= i < n ->
          column m j i = et2 j i
      }
    end

  predicate below_column (e:int -> int -> int) (col v row:int) =
    e row col <= v
  predicate above_column (e:int -> int -> int) (col v row:int) =
    e row col > v

  let shear_sort(m: M.matrix int) : unit
    ensures {
      forall i j1 j2 k:int.
        0 <= i < k < m.M.rows &&
        0 <= j1 < m.M.columns && 0 <= j2 < m.M.columns ->
        m.M.elts i j1 <= m.M.elts k j2
    }
    ensures {
      forall i j k:int.
        0 <= i < m.M.rows && 0 <= j <= k < m.M.columns ->
        if mod i 2 = 0 then m.M.elts i j <= m.M.elts i k else
        m.M.elts i k <= m.M.elts i j
    }
    ensures {
      forall x:int.
        mocc x (old m.M.elts) m.M.rows m.M.columns
        = mocc x m.M.elts m.M.rows m.M.columns
    }
    writes { m }
  = label L0 in
    let n = m.M.rows in
    let ghost c = m.M.columns in
    (* FIX: n need to be non-zero for the log to be computable ! *)
    if n <> 0 then
    (* Compute log_2(n). *)
    let ref l = 0 in
    let ref p = n - 1 in
    while p <> 0 do
      invariant { l >= 0 && p >= 0 }
      invariant { l <> 0 -> power 2 (l-1) <= n }
      invariant { p * power 2 l < n <= power 2 l * (p+1) }
      variant { p }
      l <- l + 1;
      let ghost q = p in
      p <- div p 2;
      assert { 2 * p <= q <= 2 * p + 1 };
      assert { p * power 2 l
               = (2 * p) * power 2 (l-1)
               <= q * power 2 (l-1) < n };
      assert { (p+1) * power 2 l
               = (2 * p + 2) * power 2 (l-1)
               >= (q + 1) * power 2 (l-1) >= n }
    done;
    (* Check against defining property of ceil(log2(n)) *)
    assert { power 2 l >= n };
    assert { l <> 0 -> power 2 (l-1) <= n };
    (* Maximum width of the gap between zero rows and one rows
       under 0-1 abstractions. *)
    let ghost ref k = n in
    let ghost ref zeros = pure { fun (_:int) -> 0 } in
    let ghost ref ones = pure { fun (_:int) -> n } in
    let ghost column_sorted () : unit
      requires { forall v:int. 0 <= zeros v <= ones v <= n }
      requires { forall v:int. ones v <= zeros v + 1 }
      requires { forall v i j:int.
        0 <= i < zeros v /\ 0 <= j < c ->
        m.M.elts i j <= v }
      requires { forall v i j:int.
        ones v <= i < n /\ 0 <= j < c ->
        m.M.elts i j > v }
      ensures { forall i j1 j2 k:int.
        0 <= i < k < n && 0 <= j1 < c && 0 <= j2 < c ->
        m.M.elts i j1 <= m.M.elts k j2 }
    =
      let rec lemma aux (i j1 j2 k:int)
        requires { 0 <= i < k < n && 0 <= j1 < c && 0 <= j2 < c }
        ensures { m.M.elts i j1 <= m.M.elts k j2 }
      = let v = m.M.elts k j2 in
        if m.M.elts i j1 > v then begin
          assert { ones v >= i &&
            zeros v <= k + 1 &&
            false }
        end
      in ()
    in
    (* Repeat l+1 times. *)
    for ind = 0 to l do
      invariant { forall v:int. 0 <= zeros v <= ones v <= n }
      invariant { forall v:int. ones v <= zeros v + k }
      invariant { forall v i j:int.
        0 <= i < zeros v /\ 0 <= j < c ->
        m.M.elts i j <= v (* p(v)(m.M.elts i j) = 0 *) }
      invariant { forall v i j:int.
        ones v <= i < n /\ 0 <= j < c ->
        m.M.elts i j > v (* p(v)(m.M.elts i j) = 1 *) }
      invariant { k > 0 }
      invariant { (k-1) * power 2 ind < n <= k * power 2 ind }
      invariant { ind > l ->
        forall i j k:int.
        0 <= i < n /\ 0 <= j <= k < c ->
        let a = m.M.elts i j in
        let b = m.M.elts i k in
        if mod i 2 = 0 then a <= b else b <= a }
      invariant { forall x:int.
        mocc x (m.M.elts at L0) n c
        = mocc x m.M.elts n c }
      let e0 = m.M.elts in
      sort_all_rows m;
      let e = m.M.elts in
      assert { forall v i j:int. 0 <= i < zeros v /\ 0 <= j < c ->
        e i j <= v
        by occ (e i j) (e i) 0 c > 0
        so occ (e i j) (e0 i) 0 c > 0
        so exists k. 0 <= k /\ k < c /\ e0 i k = e i j
        so e0 i k <= v
      };
      assert { forall v i j:int.
        ones v <= i < n /\ 0 <= j < c ->
        e i j > v
        by occ (e i j) (e i) 0 c > 0
        so occ (e i j) (e0 i) 0 c > 0
        so exists k. 0 <= k /\ k < c /\ e0 i k = e i j
        so e0 i k > v
      };
      assert { forall x:int.
        mocc x e0 n c = mocc x e n c
        by forall i:int. 0 <= i < n ->
          moccf x e0 c i = moccf x e c i
      };
      let zs = zeros in
      let os = ones in
      let kd = div (k+1) 2 in
      let ghost function nzo (v:int) : (int,int)
        ensures { match result with nz, no ->
          0 <= nz <= no <= n &&
          no <= nz + kd &&
          forall j:int. 0 <= j < c ->
            numof (below_column e j v) 0 n >= nz /\
            numof (above_column e j v) 0 n >= n - no
          end
        }
      =
        let z = zs v in
        let rec lemma fillz (i:int) (j:int)
          requires { 0 <= i <= z /\ 0 <= j < c }
          ensures { numof (below_column e j v) 0 i >= i }
          variant { i }
        = if i <> 0 then begin
            assert { below_column e j v (i-1) };
            assert { numof (below_column e j v) (i-1) i = 1 };
            fillz (i-1) j
          end
        in
        let o = os v in
        let rec lemma fillo (i:int) (j:int)
          requires { o <= i <= n /\ 0 <= j < c }
          ensures { numof (above_column e j v) i n >= n - i }
          variant { n - i }
        = if i <> n then begin
            assert { above_column e j v i };
            assert { numof (above_column e j v) i (i+1) = 1 };
            fillo (i+1) j
          end
        in
        let ref nz = z in
        let ref no = o in
        let ref index = z in
        while index + 1 < o do
          invariant { z <= index /\ index <= o }
          invariant { nz >= z /\ no <= o }
          invariant { index - z = 2 * (nz - z + o - no) }
          invariant { forall j:int. 0 <= j < c ->
            numof (below_column e j v) 0 index >= nz /\
            numof (above_column e j v) 0 index
            + numof (above_column e j v) o n >= n - no }
          variant { o - index }
          let rec select (r1 r2:int -> int) (b:bool) : bool
            requires { forall j k:int. 0 <= j <= k < c ->
              if b then r1 j <= r1 k else r1 k <= r1 j }
            requires { forall j k:int. 0 <= j <= k < c ->
              if b then r2 k <= r2 j else r2 j <= r2 k }
            ensures { result -> forall i:int. 0 <= i < c ->
              r1 i <= v || r2 i <= v }
            ensures { not(result) -> forall i:int. 0 <= i < c ->
              r1 i > v || r2 i > v }
            variant { if b then 0 else 1 }
          =
            if not(b) then select r2 r1 true else
            let ref i = 0 in
            while i <> c && r1 i <= v && r2 i > v do
              invariant { 0 <= i <= c }
              invariant { forall j:int. 0 <= j < i ->
                r1 j <= v && r2 j > v }
              variant { c - i }
              i <- i + 1
            done;
            i = c || r2 i <= v
          in
          if select (e index) (e (index + 1)) (mod index 2 = 0) then begin
            nz <- nz + 1;
            assert { forall j:int. 0 <= j < c ->
              numof (below_column e j v) index (index+2) > 0 }
          end else begin
            no <- no - 1;
            assert { forall j:int. 0 <= j < c ->
              numof (above_column e j v) index (index+2) > 0 }
          end;
          index <- index + 2
        done;
        nz, no
      in
      let ghost function newz (v:int) : int
        ensures { result = match nzo v with (x,_) -> x end }
      = match nzo v with (x,_) -> x end
      in
      let ghost function newo (v:int) : int
        ensures { result = match nzo v with (_,y) -> y end }
      = match nzo v with (_,y) -> y end
      in
      let lemma newzo (v:int)
        ensures { let nz = newz v in let no = newo v in
          0 <= nz <= no <= n &&
          no <= nz + kd &&
          forall j:int. 0 <= j < c ->
            numof (below_column e j v) 0 n >= nz /\
            numof (above_column e j v) 0 n >= n - no
        }
      = let (x,y) = nzo v in assert { newz v = x /\ newo v = y }
      in
      let cl1 = pure {column m} in
      assert { forall v j:int. 0 <= j < c ->
        MP.(below_column e j v == compose ((>=) v) (cl1 j))
        /\ MP.(above_column e j v == compose ((<) v) (cl1 j)) };
      if ind = l then column_sorted ();
      zeros <- pure{newz};
      ones <- pure{newo};
      sort_all_columns m;
      label L in
      let cl2 = pure {column m} in
      let rec lemma column_permutation (x:int) : unit
        ensures { mocc x (m.M.elts at L) n c = mocc x e n c }
      = transpose_count x e cl1 n c;
        transpose_count x (pure{m.M.elts at L}) cl2 n c;
        assert { mocc x cl1 c n = mocc x cl2 c n
          by forall j:int. 0 <= j < c ->
            moccf x cl1 n j = moccf x cl2 n j }
      in
      if ind = l then begin
        let lemma column_preserved (j:int)
          requires { 0 <= j < c }
          ensures { forall i:int. 0 <= i < n ->
            m.M.elts i j = e i j }
        = let rec ghost no_occ (m:int -> int) (i:int) (x:int) : unit
            requires { 0 <= i <= n }
            requires { forall u v:int. i <= u <= v < n ->
              m u <= m v }
            requires { forall u:int. i <= u < n -> m u > x }
            ensures { occ x m i n = 0 }
            variant { n - i }
          = if i <> n then no_occ m (i+1) x
          in
          let rec ghost scan (i:int) : unit
            requires { 0 <= i <= n }
            requires { permut (cl1 j) (cl2 j) i n }
            ensures { forall k:int. i <= k < n ->
              cl1 j k = cl2 j k }
            variant { n - i }
          = if i <> n then
            let u = cl1 j i in let v = cl2 j i in
            if u < v then no_occ (cl2 j) i u else
            if v < u then no_occ (cl1 j) i v else
            scan (i+1)
          in
          scan 0
        in
        ()
      end;
      let e = m.M.elts in
      assert { forall v j:int. 0 <= j < c ->
        MP.(below_column e j v == compose ((>=) v) (cl2 j))
        /\ MP.(above_column e j v == compose ((<) v) (cl2 j)) };
      let rec ghost auxT (v i j:int) : unit
        requires { 0 <= i < n }
        requires { numof (below_column e j v) (i+1) n > 0 /\ 0 <= j < c }
        requires { cl2 j i > v }
        ensures { false }
        variant { n - i }
      =
        auxT v (i+1) j
      in
      let lemma auxT1 (v i j:int) : unit
        requires { 0 <= i < zeros v }
        requires { 0 <= j < c }
        ensures { cl2 j i <= v }
      = if cl2 j i > v then begin
          permut_numoff (cl1 j) (cl2 j) 0 n ((>=) v);
          assert {
            let a = numof (below_column e j v) 0 i in
            let b = numof (below_column e j v) i n in
            numof (below_column e j v) 0 n = a + b
            && a <= i
            && b > 0
          };
          auxT v i j
        end
      in
      let rec ghost auxB (v i j:int) : unit
        requires { 0 <= i < n }
        requires { numof (above_column e j v) 0 i > 0 /\ 0 <= j < c }
        requires { cl2 j i <= v }
        ensures { false }
        variant { i }
      =
        auxB v (i-1) j
      in
      let lemma auxB1 (v i j:int) : unit
        requires { ones v <= i < n }
        requires { 0 <= j < c }
        ensures { cl2 j i > v }
      = if cl2 j i <= v then begin
          permut_numoff (cl1 j) (cl2 j) 0 n ((<) v);
          assert {
            let a = numof (above_column e j v) 0 (i+1) in
            let b = numof (above_column e j v) (i+1) n in
            numof (above_column e j v) 0 n = a + b
            && b <= n - i
            && a > 0
          };
          auxB v i j
        end
      in
      assert { 2 * kd <= k+1 <= 2 * kd + 1 };
      assert { (kd-1) * power 2 (ind+1)
               = (2 * kd - 2) * power 2 ind
               <= (k-1) * power 2 ind < n };
      assert { kd * power 2 (ind+1)
               = 2 * kd * power 2 ind
               >= k * power 2 ind >= n };
      k <- kd
    done;
    column_sorted ()



end

(* Duplicated from Why3's gallery. *)
module Quicksort

  use int.Int
  use ref.Ref
  use array.Array
  use array.IntArraySorted
  use array.ArraySwap
  use array.ArrayPermut
  use array.ArrayEq

  predicate qs_partition (a1 a2: array int) (l m r: int) (v: int) =
    permut_sub a1 a2 l r /\
    (forall j: int. l <= j < m -> a2[j] < v) /\
    (forall j: int. m < j < r -> v <= a2[j]) /\
    a2[m] = v

  (* partitioning à la Bentley, that is

     l            i          m          r
    +-+----------+----------+----------+
    |v|   < v    |    ?     |   >= v   |
    +-+----------+----------+----------+     *)

  let rec quick_rec (a: array int) (l: int) (r: int) : unit
    requires { 0 <= l <= r <= length a }
    ensures  { sorted_sub a l r }
    ensures  { permut_sub (old a) a l r }
    variant  { r - l }
  = if l + 1 < r then begin
      let v = a[l] in
      let m = ref l in
      label L in
      for i = l + 1 to r - 1 do
        invariant { a[l] = v /\ l <= !m < i }
        invariant { forall j:int. l < j <= !m -> a[j] < v }
        invariant { forall j:int. !m < j <  i -> a[j] >= v }
        invariant { permut_sub (a at L) a l r }
        label K in
        if a[i] < v then begin
          m := !m + 1;
          swap a i !m;
          assert { permut_sub (a at K) a l r }
        end
      done;
      label M in
      swap a l !m;
      assert { qs_partition (a at M) a l !m r v };
      label N in
      quick_rec a l !m;
      assert { qs_partition (a at N) a l !m r v };
      label O in
      quick_rec a (!m + 1) r;
      assert { qs_partition (a at O) a l !m r v };
      assert { qs_partition (a at N) a l !m r v };
    end

  let quicksort (a: array int) =
    ensures { sorted a }
    ensures { permut_all (old a) a }
    quick_rec a 0 (length a)

end

(* Instantiate leftover sort routine. *)
module ShearSortComplete
  use Quicksort

  clone ShearSort with val sort = quicksort

end

why3-1.6.0/examples/verifythis_2021_shearsort/000077500000000000000000000000001440160026300211545ustar00rootroot00000000000000why3-1.6.0/examples/verifythis_2021_shearsort/why3session.xml000066400000000000000000001675431440160026300242140ustar00rootroot00000000000000











 
 
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
 
 
 
 
 
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
 
 
 
 
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
 
 
 
 
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
 
 
 
 
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
 
 
 
 
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
 
 
 
 
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
 
 
 
 
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
 
 
 
 
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
   
   
   
   
   
   
   
   
   
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
  
  
  
  
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
  
  
  
  
   
   
   
   
   
   
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
   
   
   
   
   
   
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
   
   
   
   
   
   
   
   
   
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
   
   
   
   
   
   
   
   
   
  
  
  
  
   
   
   
   
   
   
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
   
   
   
   
   
   
   
   
   
  
  
  
  
   
   
   
   
   
   
   
   
   
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
   
   
   
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
 
 


 
 
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
 
 
 
 
 


 
 
 



why3-1.6.0/examples/verifythis_2021_shearsort/why3shapes.gz000066400000000000000000001061721440160026300236230ustar00rootroot00000000000000ێ[9.|
X<e$J@fC
R9ct]mfߌ)x1i;sʹ+%ri-.2`˛}Ϳw>o/6o7}nӚZl՗_|_ZOkOoZ߬6oͯw](Zfk
l}_Mb҅5bn͏Ӗ?tM2Po˦[f~G
ގ5S_
,J/-~˛nyr^Oè|㷵Ŗn~/.|Aj,XBj^]uw_?!+s^[Yj+|ŶVmJ[\bEKh}{oAwgNۭ~'ƊjbEiX9!wwBژd5ϭZ]7oPޝ䥽ͺ)MTH
oZ/9W+(0L/!cFn{+v(Y7ݼ0c&oͯ)S^~[zŋ9/`&ӽVnPSTS(cPCcek^˛՚Ż84|<|˧͇~&c_<@WeThmo%:|X(

^ƯɨMQu!~8TWo|B^~_mIn"UuUz]UڪN9V^U?K&sX|]k56PROú7ݤJ_Cqxoūg{)]=m^T=!~=+f7%02&w?7{~nϫ{f- qb8G7B;UJ8y:d|h;!	]~>x_OO:qM3l5NÔ@`;heNwj0g3@
$0FhG6׸ȆO7޸k&i]N">lK*Ϛ͙Db`^"w=&	8Ǟ
k]a}1~G[b;IgzLJq)6/$}n.#[e;~Ae2
MY^NRZDŐ]OˏFuvuYP/dkd/S#ׯau	sW>b:R
'Oz̘~}1Y>fLs`=h|kY]yr
03hD$Q9u'S&T"7ͣ~`2'|>B&GAf*H2JA&3o#B7Yl޽]K/m}B?IӧyA\ݯ_>{xC!Q|oc$-qmᣭڀ1>חQo7chd͉/Ǐy!bͯBŪo"XSiy5]*>5mysq(mͯ[o^vt,ݣ{L*	z'ۊ{YhH=ل\ߑxݗ"`Et)rs(rd
1Riyߛ,8}g"MȦ{jQDez87`ζ,,%/7v?}!_Ï-w.SNƢ
U2*nl#UCh}E2MΖЯ.hn渋Wb_mq{@q_͏[l5+/G :IшKSE;ksDbX"^Ho_@T"Uս~}/X5q(n~)fŸ4ʍ3ĭƸ߈{qQds׸%,H>HR	*3]q^1,u6< 7i(=|%cT5.#MscM %4A@)4>
@!tL<㉌t-@Gh#|%舧h#:x"Y#σ=t8#|C0F iad)l0F(M-n:E:0dVH'0*y%d":!H% R@5R %C̣Z! Y
q>+AkJkƮ)Ȯ)]SM5̔D.+}aJ.I7M}MbƦz"ldpK1D.*HrE1),5.U S%0/`N/!{W++[WRWWRWZWWVΗ^}
WBW꫞HUQUEUUPX=D@.a@2}ҡL	;;!@=wXKö(wUZICl6J;U#^"b&fiDȍ4n#}jUz\	~]cr/.͞@3/D:RT[J[JjRTpK)R-[J!-|%z
jR
mqKGB,(e\"3O	BAcAz~ =%,qe힃72AeuрQ$:gnY&[gYcS/y1,YLYLqOT[cmkV)Pޱll(闰8ֱMtXb6qlWUichyUN:S`Ϳzk'j̷#Kyz~
_6 ڱd
.ק	xvussqe.+1e
x,%TҠ幔kަƷ~F`If^]dlͮQzT[p`P9aRt>ΐO
yo8jƸ=~z5I
g'⌘J:"OXL=!v,Au,%k.RĶ"H$y-"/a{S! x>0p2zDV`؆RcMOEzy\KaOv^n?`7MPm/l!bӗFޠfM+KAjAQplUm]?3 piy<.\"K4g-OD8DNGqնC0*3L&_^]tByw
f@.	O
n:FO~?r6~QMMN/vqG9ھu!㦚v1*`X.@cڴqɮM6Nx~̀5ꆱ2d080Oq.f8#xbBr+νݼp%X^
Lj"
aeKe*qzk*Ej1ѝ1ܛܔt	7jBw
<[-A7TXcQ

gAЈPVMg^y!!Sr5L3Y0h`GpWpJ9|MY
b/*b.5XO-}cxYI??1 "_||x$o2u!b8GfA_q۠/}YjS}6苣-7A_x%苟ؕGv=rdW3vB"B}Bخ+	n"0TE˱rcT=RPp$
	p6	pb
JdF0}Gͻ >hM-:׷s)D+^dmAX
V('BS~Qď.#rRNdrʹN:=e1r;`Ѵ4ە^
粱"V604S
,ovhm)i	@AhIt_
9h	/h[Ҹ/Ee>1/әYYuT)fmhlamE$~-U6]&;/\zF1OtR(i	ݎcXOo>;?[O^ тq񽇿+1.ĸऀsN	Š;+#[SCaUa9ϒv)%*6Ŵ~kDqj7ϣTfڅWev츠j]Os)UzkՂ*7NjiȒWq3Jku4	];_UKgm{͢miGed{R"GU-ܾdAD׏
-@Ą?mBkAVDl\qV3f,X:KJx=};\o?Kr9MǬ\WDE?Cj/:eek*Jla-p٧Z֍mpHx,M уw&qzO~TϵdڒUj}#iɁߡYPR썫QVejG`P
Em*PbGegd}TU2r&>../,/	C&>}w\Yh(/)鲜@Po<>ȃQnv e-v]=Z\=&>349,ra1BGqD`EQgux!yOvwT \M!kcpPtˁho$~nߋ&ʀf~<
1$0%Լ>]IIy0D'
GB^"kBXxdM!dv<T}&c=l:Q_CO-/]m!h>ފ]-CڮP-Zڑv]WݳtuH|)bMZ!	RPbMlu4vdG+	=e4qM1",AuH.fIQH+%x&yˣr.+zVaћeVv-m+k~=ٝ!.K?U
zLDhh-j7e6{`fgKPZ߈-4PO4}dh@7FD\DzélsHzvD@Or%Y$l6b5
9uj|5yXb%J=Tw-V֐uh}A#ESV)awgeeIx5ѥė.yDhu腰}=*=r/|xr CdD:BsrMcQ-9ryʶC[5TWGAGwJhz0/ҹapvF1i.G	iֲ
YW{?'%OYJ.'	B{4a3\QE|}Q٣/utOuDXR}lO.nb{ublĻCmIPy&𤪁,"Ƭ>+a%gx'rUrԢwe0$P!g@V8ˠǁ~hz&zI$OׂF'@/)I3pXU@9`aҶ=+)eK\T~prн\SQPY>fIQ{-QaawQIZEQMQ;iVd@P"R갫gJ$ZcV@-H+RQVw1<u3U^뤶5d}Gym"Y(,^Srɨ؜Z}4ISf#hb(jg0Qྮ@l}hfUoǥ$[>@L/hA_?,\<^`ynnc/#ydgdV	Dlt5vO$9۽yI[@Dj SBDU"PO+H횤$]LEYҐ$7^
F]'xɢƐT9tȓc1ɑ&?l##P49sʙL}&&*u6,VMK%ɥ{?K-jSW$i{6oˌHr\Ilu=b"5H~Ik}+džd;.ʙkIkʈ֔RN8+ m$J"t8D+nSjZBIECd1ۼNr"#xl][Niɳ|\
bitHs`7U9ȝv?w|o[hZlFquorQSjW#r?N,>?ġYg!K812,~uS]%zoP߽cOJMWsanwkշJϭZBDE	￰dpN1N_T",LD`(Gq2#fpně
cd<6o]+dۨ,OW~k|u*7
81{C#ĦDS;A.!Ƈ=!B
pg!qߐ(=ȩG &^K0tSZI(U@)NR_˴X$g>C/cX|mp}B5\'V<&IlTixLao3ΘJ/uH>pJ'k5GA"'O >i|PxM"=")
Y[*
;gfz=W2JCY`+>*Hd'(k8FJAEIGõQzr7}gH`br(l:ѬU"ELN4HW"pm#ٰlXADV]T{5,O#pjY_b1%m|Z)0c%c&ᐏ4מ!<ۮPpdU{i!}<G3X,Ud{6bD9Mz`UPH բ0ĊVkhP#|Fad3~*Q7vԭulēj_^?n;ËoGIn1,^"t~C6zbEB-E{A0,pB ֭+_+綐}+gε	is%m{:_(IV tut8ؿn+—n=2ת.[qA3]\T{/G}Qp6
Met)S6b6DnX#!+rKvy1Ƅc碟Xa2U܀
XiCVh=v.g.^w^w境;Ѽr1Yyc
.;S)ux~^A.7r㹃nH-Zt=sjXs[03G9s5##z
g#
\#/s
ҀPHCe7ޠ}ppp=i6Z4RQM
"J@EF[Vb4IW
I,FH'
KdQ42Ns.sIE
4xC"
J+_4$0DG&gsfYp3L
3)|P 	'y()b&fRx>R_D0L/.T#&"Xʏ\|EJm+؎%]_ `@INX%|kn{|}+ѲZV7/B˪R	22=lk—Eh3XLΫ5|wZ
*K-XR3
ݫ΀"f)⛧op0pH;0F*Ր0D`Hf@E6-a@hz0jҴap0xKj!z#°9*J(hN.HJW'#
}E(ӸeCF"G*ZȄ¨vkJ+DqϷ9a愙2PG@G
ߎo&fR") ;f"`&Mcy|F,fEp
<\qft0l2pjpIv5upu!\-7\nõ
QVjp=\Pq\/47ӻ ѦuÕI']&TCd1
Ѻz6(@
&Vp5_"ظ9&_j"fxq)30Sˣrp$-
'r59HC·J['ay7Ial谯bQck=g#|k
/Pj6=DJ겖^ozyJv'Ll>·(w0#M;6ir;2e|f6S*6\6Z~?p:Iԏt>\m@8'JC*1{ȘpFpFށ|wk;vQYFQ#eFDLI}QX;z")ikCn;0/te-;Zu*…;Uc6f"CP1-	a:xA0m0p*qwZ_6jSl"m&٨bxǦҊww`>>`+a''{knZҋŌ3J/gǝL0˫(L)9&L6׏6o-oqB2Մ42|mgCdI@	ťGzm/5t`1؛QۜaeΛc@Or{UeFH32B+X`p#S5F-j]S~	YŠüi!
p@W	3B"cMi{#mm
jFH!yA&EҔ? 24B."bEXͤ0L

c/p=gbfh5w&CX>ȦB.ߴTt.L-49NA>(2Q!8c~.x^~Sd\ŘXS,LE.H[ Vka-[0VvȊ"_;ġI .q w8i
A\;!?n7S0=X%-N_	4hO߇ؒ"/U:0InRsU}
E!9^T+\*rhnITp%C9px02њA9Ae 59F@T|pD.T
bLjPQs&s2G[>'gK`=kJ8 '	
X[,d1\[KfÐIar]g
k:Ӱ=>b(E"WeJ*Hn'#-2}
17y=!4ɉBͨɉV֗E0VO 1D|4213!IrFHեe@#qР$
s)e~>*E*W|J#&եHn@ϧ2W4h
=FL_\ҚgD4;Z3jreшAgGtUEzDV"WD.#:NI${Apѻɶu!z~~L&_/DN^$t)ҹFw@
|zfb6wK)*}*Og)\qb,k &Z3jr^WXW}c:yzl-tZPb1ß xEf:uȊ:L~KD'L)2$ŀR<ѱklIç`h
1MPGY7TԴ9QV<59RGSeQGe:6<Т"^DswmN9F?>/EKk[hZɵۉDr-[~
kFwu"(_L},+Ϝe^ZКEYWf4eEYW|h
tӸ[u[uEuo՝[%d/x[M"zYb0`Pnb,uڳ-|:A?#/;(pW۰![?d*nCPn(|(,
qT_clDbcVjCnvsYRrUER6t1RY7)WUwK~*#gAkJ	w#}1DhGoqqb@l,3gϨ٨'jF^ RXB
#DCި%H@Մõan,!{MˆJrU
WqHcI$1¸4zFK?[SlG( @W]2T^ȵ\q
p
t2/gkCZp5c>0"c$zp%ұ\uR@CdzH$
2=c\>YVks(#稶z2I)X]'$P&ڻbNJ>0ᱦ9j9sM?tMHdQBU'?d&R8$aP&§⏋q3e6sdzX36m%hCN
{8s>2~fr}eLcn-㚦vԽ+XB|umL6'Y/	G^=_gu]Gn(.Vl"2wTuVL\kKUV{Bq2#^\%	(.ՄPr9&
Ў"	H("	XĊbC<PUs&yp7|٤ރ[.Z惕j	Xf	%h:@gٝ@Ϫgr薌m/xEGBV?|OX	1Ao:=}CJt%Ăvdy]l]-<U/)X;vDE!.m|=<̶紵?;03)AEl痀fϨQrQO[b
L3-̴Jh!d	7S~L3Eb)hK%hg BivJPْ7As98.L5<'Ԃf~'kmz/kV~ݖ1\!:Wcv>yn0f_@'<+
Ū
uY=V8fϘ1`Wu&fRHao6#f9rwOArp93,Rd{UeM.˯M./\{303X ׋ok(1aZT^KH':_~Tpj̪@RJMiPGTVk]Qfp…*t
7Ҡ"nS/@j1ZCP5:v8[Z]Ӛ=e"dkVƯ/0s9gH[mg\m*Hr7!Ζm1u--	GhpC<.-Xj]ٸ}iF
:c7>.h~}/䞐=|p9ě5	Qg;`g	8r%OuG	 b܃"KkD=BD{@К=@xP@*@5T:bԓD0Ui7̍_񨆓J=]*ބ)^'8ωJiRB;BTM!jD!eJ!@'Y[B#⠧4WB)FEіB=>Rb
,ZDX,	J.q2;geU"kc̴yW}EG{@i(0y)-%Gٵc8†	vĎX>U2@>}	}i/UKXn`Zk0X3\c7ࢡb@
yÖmL2 0H@fr] 3
OV	
$f\3DۀwoH(-#D ߅UUn/CD
kQaPz?QJT@eMn(Mu3xyn+.Zw9P"Y]g8jM&15:#{[mhH`疕8+2)P}VkqE|TN@ZZ*)e@4tCq@\C n6DPyeIOșCB+)j?gmM}YZ[n*IEt	rB
$2h>DlE`Kd@7z V`^8y\fc3Cb8|ef
x
B:ESx
ټ8Լ||×[_	4Dx.XH{8` 6M& Ѽ1	f9}==qBbDgSQA:qL1qL8f8'ٴ[nB0{Vbs)\0!kx3p{[]jw,ND_{YD7L͠A?EEI
a92}>5\b
GXր5+M+JG{J Z}?:jրKC]q]<2(UH)r$rZ&bN0s)k6K&8]dKrhgzmЯJ+i9TTr.G2ъU	O&wdMUv]#J\c&DB]1#aa91
yUM}!e,q)C}FU
CD$m"6~83Hdj(S3t4S*(0W`^A0 t*]~fhc!ۄL,"AM؁{Ӑ=؀=Gm.N-/$9 9"yzA
z}~E<(5؀(59L칧sJT:g:%/Š,!84a`wm[5't*8,
>k>(añ}Sc5nUzz{YGr@Fv";Z!ca1xxn
UI)~vI䜿xl[^d
cSȬ@uod
pHFD'fuWff)D>1|ќg%2!Uw!eu-JMu)C%B'5=? gc?ĥ;چ G+,ε
ᘝf5@9Y+~i!.,#+d7D3h
hUY%hQcgfiLVޚ8?]#4;))5eNHK'xq?37Ŀя8Bu9bvv)5ٱ{9!mxjx#passW%.Ԑ?V_g[.w럙`TS&=}2Ҕ	I`S&ZDžC72n1.MpfMʄQ.f-p9oBLu;H$ꁘꑘΙ=sfo(oewr*vMyݗ&'&=ѝB.fpsy'زU8VA#pj,zN,i	(
2U^%/]zNk5t؂n>^!$~,ҁ*׉Fg^aOMU/r^H({܀sW2e0#Ӑh,E,Ew{x̘1?c%b> /*ztsrIrME17vP!LCwfԀwof)-@)#
0OtЍtSqy"6^ƋBWLkuZqp&Xj)l#ƢJfbua0k?kG94tNa7
c/h"jT|zv5\p|zZj<'tĐnc\`#)Sp
\P69s*Nqn2흄.G<4)W$*IXWn'A/|vz>2-qpaIL'q@3%̔0S˧	:.JͶQ1<}NV7.􌜐O<(Jy(פ&LtNF4zcZt[}9qxKE]{z;ya2g@cŖ?߄2@ /(C;&~ϢܷWY)`]a`悙f.x%\"9W3D0#DL˙f	@x[͌03
${*kZϿ
A\qn.H7DftC΀$h
݊m@sޞia/kY2ŀMG>	ĀHTx#Ul2±0NE6
Ge	_F|*ç>"X?gΜ0s	-',⚠b_dI˾txvnD̥SҰ6XDWR9z⁃K02ZF/16BSQ7FH
—^&"Aro)j.
85RCs{©.(@ARRO3P)8 :؎qdpifH'<-K
ޘCqFn
̂x~n
hurSpJn
l 7,t1FII=|lLh"sa{{4܂.)(TjKءSĠL5TG}o6KQrIrQC qWD@Tu\QyO;c*1-vO}N\z \$pKju.v=&ZCQgF-)⹂6EƏpDTDWeߡvPj*TB5Z[
Y}"j=u:QMIn7"[ޣ;u'<2]G*R#0csB9*O2L{!{K!&ěwwd`!/^o~XuM(OSY͜1s/3Pu3_ 3g$[e噺r^M$3wG2hu:s3W(Xݳ3gB 3gD1,Ob攙SgNY9ExTJ84&̙F4r	*Q	Hc:=R(8" f?
ł4h6Cs4r(2gk	zaRtDM[ɺSc ֑r!F~(Ϫ$D-p!T4j"T*Ap5Dv@j(~3Pjbjj`PKTIPM5qIk2!9{MRMLAj'A=t@
G(-&A JSҟnԍR]t~j});k(`g_'<ϲ^p%d
1
؊Bl*(raB\`!TJwS@Vux("y()dRaB'g
1l(0СFsCM!&`	L,G;!hٿ,*O fj(lm7he0gr Cij'uBLB_.9\B!aj&f"x}DA5oDlC+}!3o̼=0ڤ6qErz},I˩?`.1	PU(x.X;9,*3jHWSi@zfApPka r$1-#bT0yFl Iai"ZLŪf]4\
5
RPMH&'J:2)(-Wky01K8s>Zd
!snT\aRifsƙwiR,yСfBXmԐ+bb"2
+4!PU\Aƴblc'!Jtv\W,͂7y zHE!c,1yc1'/B1Ɛ'k!
cL!c,c9ˁ`bZRl-!cC&}1YVwkCƐRNu!wڷ:pҤR:p>'c?)l%a.4ea
ki!K(J}'ԖzKRȰ>!0xkwOOk}`,,ݖ4_()Suf,1ELTQ7d_\ҵ%1#(Z2qaD78ӯ:m>c5sxY+~w^Dq`Il/̟XP~ow>T(4`RS 1Hu[B j}MX4M=Q6L0g.	j%$QCW̬0
m31pqF=\ly8cd,!K%C$	W1

˃,Թ2X&T_-rd0i`2}*e2Y&+jOLGx2"BBUESU8)'S+UXUTU&Vl~\tۀ{?	F2SC
0y
u]?\"3K(.pɾU>EcQ2rU@Z.3`
%pIo#= JX90Mؾ((Cj
ҫ,X`PhUh_,j`
*B*+F)b%VUXeSi%fEͥg
\beY#wrEU%jǞCW(-<.lnFiBh-A?]}WL{<oO5pZ=g@5:.IuO%S'`(Z'
z	I1)A+ih~bzL.Gq.̖U./x"E:Zz#Qf[I	RgE^bd׎~\
չv]9J/chpf\G[l/? ѻ
ܸGَ*ۘ5yߐ+pg8M?=ᆲ{SW꾖=X`43o-s:LCSA}k)(
4L`QNYܠf6be*A,
Ҽǂ?`C5l.e!`qu[UEE#V09\a:!BaLQ
4Rn0X8m~}/]PnhĢLZ~f9# ymBn[rWa2R2˓OkHX_x;Z(0
޽%o +`Im6~!k?>qoξ.ճdd7ŷx;)Û_VE
pL.r5. .=׽69-"`WHއR%u|h.cw8"0c"S˝7Lc`"aS7#CߟD-XxZ@$U:i !rU*)g@yKgv	)ZDp
{XQK""&1;v4[]V2)kD>FAS-)?j5~TA뿽yͿx?>6ƃB[!3t5
U	PTa?P2xJjY%lK6yTU&oV{jVg<wA{wh_h}L,a+Ĥ7Ia Fˇ7iVݸ)1bw[{0zF[2w|7ٍwNUҏoa¼垢{ڥ29?vxTNz=7zR(=zO=9g<9y7/T;/Lm7Adm6;%0=~%;#ar8J~` q4Mz'+|c߰I{
1Z?LA{yo;{ g9e4Wʷeǝ՞]9)y|e m2?+x=mPt=fYFKv;3.ﵵ;TlI}f?kjGe`~=\	ϓy|aR}wϽ>hkGɇ0@žOO{tfrH4[bแt
H
ȌRv&zl),Հ
37
%m4zrQG-V0$o:n,Z%Uf]ݐxݩi+L[p*pir	9L߰p|

L,)%`o6pF%WƒS5
#]%5;_5[=es	+\}X,:"X/jv20/Qx1gN
lSy2$+G^*g.K1Br;֨\~~q74LloXp`Hdj#&䡀Lb*Q%/DVĚfweϹ0Bcͱ+<̙Az,hn1z$
&Dr
>Vnv#.=P&5\W(F,&`T+RAz tr/
DfbiqZa?$xJjAT6&֘LF7xؖж6S-o@Cw5WtHP[iӍ"/%,N,r1x@mg*&Pڸwcj孀#gp.#T<sx"ht<aXǶkG{\xV`2UӑAa}928=M)^+aR!1EJfFa	8DqyCGӳ#:hJe0PR-W~~
Â;Uhp%&84BB$%?=&NmzTR|ak.@N._UHNߐ/<`sp%IjI0+k|K[D!-Q 2aLL7ħo_Ӂ%	Ş?^lDo\q6)yj*=EaN)3ie䝂*/vɿ=SX$*'O~$ogSd©20og|ޮ)9%Y2Fԛ`1/RQHJEU:XyhH٥?4@a˵*@$49
S;ֲ֑GI
kf}7V6Cmj|9nŗ&O;\J]{/ƇX/NVrpaf"@%X<_n3RWQ̻>w;0'`WD)fG( M{JD@m|AgfXE6#tj^ws``XJi>üLuM#QUepҤ1])+?&BY0
pɤ$gSUb
;57"}1
iABʪeX~Gk3X"_~9z0hB(YA`^A;>X~Y}ۃT/$Cm[j@ӄ.06[ᖕH2d_yJDH7zrmqoްaL7ˎ!tuL&hziFH
:VmEf3':XISz8M2>+,;ROJ#mLlH,nu[FၩU_H-h4ä&!g
"J(lwh~~#2Fg-Vo,f]I%BR8∘4`c
#o0[LRb53tW7EVтuCݍ"1ǣW`+}msX
K(QD*OI7ꨓIiȧ|9чw[	4 l\h{],iTRQH<؀Rޢ` 6D@uҶ}JiQ~\_ca|р@ffЪNRDgd|?:I#|^<)rY:{*E94
S8tIU8|	c>9߉u\*HP17JT)C$⚞TZ	47eژ%4.BLy/Oc '~Q#`!o7>	YYWF9O՟"\>Bn|R}3L>X:Sr}(,|lfFY,Rz82|*S:@2j>\.&ܡ:Cc)xsT""H!WQG&~w%4Я r	aJ!ʦCRi>ѝԾ}/EHr7[u쎔/_t<.\&k:aF-,*I`drahj?m̧;7̴'HDq"o ɚ{x6n}4ߍi	=$zPf:>՗K.\r770rjMJs|`-׏ib%[?&O@t79I8l*kIs֩E59y]]oϷ"6c Y,SG:)-$3`Tv4@EkD:@؁Yыגpn3L;q4]C9=„tDiA51xS5XPtnm}].2>'7r"K@ޗHWi>"Xl՞&N%Ũf;+g.F`
dd.=
R]\%";\hxCxVo`Hҍ0η+hGFWn$-
Pާ57tak!k|\=|{U,(*-:2
@x.`BI;lϨ)}/Q(s)pG *
^Y4Ξڕ}%n(""ov!z%S(Ҵ.*5f77XVXd1@ߧX&/0[d6H4n7,8	FH:o`w{?<JnBEDǺb*zWzSWw6-V)Max{N,H@	3u0EWt΂Pf(\ 6VM!x]1$ʯ;Yr\iAa`:pV"zb%-Lbp9KjIt'~F]_c&`IsVIʿ%1bx= ]Q׉Z"gNO{w\'SV#?B1l`ѯR%in7$A&Dp*y//Q&}S:R1s|W{{Kf+kNU'}>ye.UbQ־qLuˡV5;K5v=_֨cH$\F@0ko?%e8Jt=~S&Pe;Ů
7M̍Qt/%r9%ȃ+:#BI?g"AdhV:J٧4|GPtQ18c1$͌͌s͌%/zbB`9/T)c|_lEӖ(L,滚M@I˸- 
6ߝtOA\AAWl7P,tNdSzP'adly;ⅺTiUgeu#퀼F?4ܯI  r}j;jvÃHD0\|IۅYԻB1
Z$ڶ\NYeJo^:$co98vQzfzQN7~A
u	}iz)oUwǭ5hSAc߸t2Wq?"6/آ7`K[luRO#I"cYT	L^ڔ!N~@Fdp@4@tw4un]R!I"ɳ

Κ>^$bE{$;y 3
D&!Abdarm	/-{sb];SԇwY5w:sQHҗPCH"
ޟ0U,'1J/fBԞ6~?oVtq1!{۾KǷ:t
ѽt/+FhwyK`;>.9UtENׄ8s3ow.DDD8lJ occ x (m i) 0 m.columns) 0 m.rows

predicate lt (i j k l: int)
= i < k \/
  i = k /\ if mod i 2 = 0 then j < l else l < j

predicate snake_order (m: matrix int)
= let rw = m.rows in
  let cl = m.columns in
  forall i j k l.
  0 <= i < rw -> 0 <= j < cl ->
  0 <= k < rw -> 0 <= l < cl ->
  lt i j k l -> m i j <= m k l

function inversions (m: matrix int) : int
= sum (fun i ->
    sum (fun j ->
      sum (fun k ->
           numof (fun l -> lt i j k l /\ m i j > m k l) 0 m.columns)
        0 m.rows)
      0 m.columns)
    0 m.rows

(*** SPECIFICATION STOPS HERE **********************************************)
(*** beyond this point, the only thing you need to read are the contracts
     for functions `sort_row`, `sort_column`, `shearsort` below *)

let lemma inv_nonneg (m: matrix int)
  ensures { 0 <= inversions m }
= let zero = pure { fun (_:int) -> 0 } in
  assert { forall i j k.
    zero k <= numof (fun l -> lt i j k l /\ m i j > m k l) 0 m.columns };
  assert { forall i j.
    zero j <= sum (fun k ->
           numof (fun l -> lt i j k l /\ m i j > m k l) 0 m.columns)
        0 m.rows };
  assert { forall i.
    zero i <= sum (fun j -> sum (fun k ->
           numof (fun l -> lt i j k l /\ m i j > m k l) 0 m.columns)
        0 m.rows)
      0 m.columns };
  assert { 0 = sum zero 0 m.rows <= inversions m };
  ()

predicate sorted_row (m: matrix int) (row: int) (ascending: bool) =
  0 <= row < m.rows /\
  if ascending then
               forall j l. 0 <= j <= l < m.columns -> m row j <= m row l
             else
               forall j l. 0 <= j <= l < m.columns -> m row j >= m row l

val sort_row (m: matrix int) (row: int) (ascending: bool) : unit
  requires { 0 <= row < m.rows }
  writes   { m }
  ensures  { (* frame *)
             forall i j. 0 <= i < m.rows ->  0 <= j < m.columns ->
               i <> row -> m i j = old m i j }
  ensures  { forall x. mocc x m = mocc x (old m) }
  ensures  { sorted_row m row ascending }
  ensures  { inversions m <= old inversions m }

predicate sorted_column (m: matrix int) (column: int) =
  0 <= column < m.columns /\
  forall i k. 0 <= i <= k < m.rows -> m i column <= m k column

val sort_column (m: matrix int) (column: int) : (nochange: bool)
  requires { 0 <= column < m.columns }
  writes   { m }
  ensures  { (* frame *)
             forall i j. 0 <= i < m.rows -> 0 <= j < m.columns ->
               j <> column -> m i j = old m i j }
  ensures  { forall x. mocc x m = mocc x (old m) }
  ensures  { nochange -> forall i. 0 <= i < m.rows ->
               m i column = old m i column }
  ensures  { sorted_column m column }
  ensures  { inversions m <= old inversions m }
  ensures  { not nochange -> inversions m < old inversions m }

let shearsort (n: int) (m: matrix int) : unit
  requires { m.rows = m.columns = n }
  writes   { m }
  (* TASK 3 *)
  ensures  { snake_order m }
  (* TASK 2 *)
  ensures  { forall x. mocc x m = mocc x (old m) }
= label Init in
  while true do (* <-- CHANGE instead of ceil(log(n))+1 steps *)
    invariant  { forall x. mocc x m = mocc x (old m) }
    variant    { inversions m }
    label L1 in
    for i = 0 to n - 1 do
      invariant  { forall k. 0 <= k < i -> sorted_row m k (mod k 2 = 0) }
      invariant  { forall x. mocc x m = mocc x (old m) }
      invariant  { inversions m <= (inversions m at L1) }
      sort_row m i (mod i 2 = 0)
    done;
    label L2 in
    let ref nochange = true in
    for j = 0 to n - 1 do
      invariant  { nochange ->
                   forall i j. 0 <= i < m.rows -> 0 <= j < m.columns ->
                     m i j = (m i j at L2) }
      invariant  { forall l. 0 <= l < j -> sorted_column m l }
      invariant  { forall x. mocc x m = mocc x (old m) }
      invariant  { inversions m <= (inversions m at L2) }
      invariant  { not nochange -> inversions m < (inversions m at L2) }
      let nch = sort_column m j in
      if not nch then nochange <- false
    done;
    if nochange then break
  done;
  let lemma ordered (i j k l: int)
    requires { 0 <= i < n } requires { 0 <= j < n }
    requires { 0 <= k < n } requires { 0 <= l < n }
    requires { lt i j k l } ensures  { m i j <= m k l }
  = if i = k then return;
    assert { sorted_column m j };
    assert { sorted_column m l };
    if j <= l then (
      if mod i 2 = 0 then
        assert { m i j <= m i l <= m k l }
      else (
        assert { mod (i+1) 2 = 0 };
        assert { sorted_row m (i+1) true };
        assert { m i j <= m (i+1) j <= m (i+1) l <= m k l }
      )
    )
  in
  ()

(* Notes

The verification tasks for shearsort are:

1. Verify that shearsort terminates, and is memory safe.
   PARTIAL: memory safety DONE (enforced by Why3)
            termination using hypotheses over number of inversions

2. Verify that shearsort permutes the input matrix.
   DONE

3. Verify that shearsort sorts the matrix in a snake-like manner.
   DONE

4. Verify that (parallel) shearsort satisfies the same specification
   as sequenti al shearsort, in which all parallel for-loops are replaced
   by sequential ones.

5. Verify that shearsort and alternative-shearsort satisfy the same
   specification.

6. Extra: give implementations to sort-row, sort-column and transpose,
   and verify these as well.

*)
why3-1.6.0/examples/verifythis_2021_shearsort_modified/000077500000000000000000000000001440160026300230145ustar00rootroot00000000000000why3-1.6.0/examples/verifythis_2021_shearsort_modified/why3session.xml000066400000000000000000000360321440160026300260400ustar00rootroot00000000000000







 
 
  
  
  
  
  
  
  
  
  
  
  
   
   
   
   
   
    
    
     
     
      
      
       
       
       
      
      
     
     
    
    
   
   
  
  
  
  
  
 
 
 
 
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
   
   
   
   
   
   
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
   
   
   
   
   
    
    
     
     
     
     
     
     
     
     
      
      
       
       
       
      
      
      
      
      
      
      
      
      
      
      
     
     
    
    
   
   
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
   
   
   
   
   
    
    
     
     
     
     
     
     
     
     
      
      
       
       
        
        
        
       
       
       
       
       
       
       
       
       
       
       
      
      
      
      
      
      
      
      
      
      
      
     
     
    
    
   
   
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
   
   
   
   
   
   
  
  
  
  
  
  
  
  
  
  
   
   
   
   
   
   
   
   
   
  
  
  
  
  
  
  
  
  
  
  
  
  
   
   
   
   
   
   
  
  
  
  
  
  
  
  
  
  
  
 
 



why3-1.6.0/examples/verifythis_2021_shearsort_modified/why3shapes.gz000066400000000000000000000110321440160026300254510ustar00rootroot00000000000000Zn$}W[y'p`)WX44I>G<{$Y7׾Uw=?_o?+3?|?+=~8d2bmo*ĠpuNlW'Dⓡ8x]7A@;
)\2?5&H SL6Sw foڭ~<@Ӹ|64+)W:3/Nȝ8=e^7c0+F~s\~y?}}x0<4l6-_q@W%.of/*	6蘰doӌOoP..cw؁qr+|okyZc;Tاxwƀ?[p`Aہ1AdA{ǚNfY|G@Θ(_F{=>"![[4[m~$`qRm6uz:a@M6aZOGw~6mDkxI3WN{xqsw
WWWȨc4.Fho#EjD*ǜ~܇+<&1a_-<k!6#.#zuD+hŘB|4|b^V9zjgpΟjFSW?&Q?fqGb5ۑl8BAMe%ã>Dʰ!Up]pM
v\XC̭^v^碟&#&v?wqQ6W~_M*9@w0|1#_Lfxf=n1I,U=
]'z\o	s8Hn&ᡗPf=wU>F=_|Ei=
C—髜oo/lܩzR@Tr</r"-Y^p)~\qҞ6TK~mLgh5'-
6m-ts.y?LO;ΧN~G&Y[.,PiL|~Je×&3Ξ` \rS͸2M3G7T?f_O̬ǯS4ւMcVN''RgN:ӈ=!چ
لnndX`BP{E0;:D
T"ϿVM}}88XOWs
HWyڕ?liXanf0HoӦObX58-N[dJ\r~x* m%Q̧I(F~XF|*3/'=O}4ƟnU=
%h+_*%9EW+49r~k]ԙͅKW
.~~i[ջw#&%j;?\1<~Čco8íO/%N2x*Z[z_f/sƌ#Z;vbK(H&hw~9?4thW#TZ|ڴuWqa,T=[s_\()QMԞ3x+vu.BQ,9ZE8oKuː%7%x%31O{oHt"#5WB"*qVX:2]#Vk[XI
 JT"XHmmʙ,YeI쒦X>Xk^]g
ٶy!duFL%/MZ≊෎6Pa&)EX
1Bv:i.ȗuvxdlG'aD+R6y Řs6&%+`H#Qwd;2'J1fV1lBqq֥ˎjq,	T`JgAS6q,P7Ҥ."1U[l uAX]mMIBDJ2Nj$NgKD9Ev(inx=;vQgU8(A
ɠ
$$uu?"rX[J6|ăZĐ<>iU::h~NNNjbct4UbHZ-瑇`%)oW%E@I0/)+HhgC2MvUdL.KϢ
F`)g8wZOC% }j)@6|P5%z*qEʚ
Bb!S$AL/]s%B7d|!4*ذNNc'bIH&Jkk&1>AJΜkbyg+d"s(D%x:ސTɔ_'6MaYP#P Lktg# 6eoʚU)5$XY䰬333cOg*B`p\rBQљΩU89d#,g;k:;:wڃt^J
*G7hAAc/䋨ҔqZ Lgb*xH']t1zeJ&^B)dcEPjnQ	rGlPNr_:z5QQ,ByRȜ2b&:ټPW޸tů$㽩|]TfkBܠJ	\Jw3jPiP%PJ£֓EbGJ<.
x@[,>e 10QiUQ뼼?)2D].Y!ǣo	V1KfBV2@xveD|m7Ȃ%VkIdM_F&m=:YQ2%2qW%"ΡJ*Il2I/wHX:+*|	>\QArȬ^"%TQ#[niϢ	u,Ʌŧl^!+
Zr)i}AnBKN@B)	%ENFFSȪ
}	^}E6'((1e3>?š %{J։14$
qTeFPZ#?@f"(^smʞ$	2)^?s\rT:!dn"s7U}Sb&gпee
boa5]Xrkhxx}EABlp4"sbUB/ý<#J
',NW;tjěBB	MF]kDiٛBL(\`9E(Co{ЅRV"%EyEM-(sGQ\b+kR6	B.K!_iߪj`I\F!!
5Ҽ}wx%i-ԏvTk57iīv>CEF(v{M߷j/o1(qz"T
ܷk"rXv6`Y
xoQ[eYFd!e3Bjb$.X`~O(\X#	\?oocOwhy3-1.6.0/examples/verifythis_PrefixSumRec.mlw000066400000000000000000000164611440160026300216030ustar00rootroot00000000000000(**

 {1 The VerifyThis competition at FM2012: Problem 2}

  see {h this web page}

*)

module PrefixSumRec

   use int.Int
   use int.ComputerDivision
   use int.Power

   use map.Map
   use array.Array
   use array.ArraySum

(** {2 Preliminary lemmas on division by 2 and power of 2} *)

  (** Needed for the proof of phase1_frame and phase1_frame2 *)
  lemma Div_mod_2:
    forall x:int. x >= 0 -> x >= 2 * div x 2 >= x-1

  (** The step must be a power of 2 *)
  predicate is_power_of_2 (x:int) = exists k:int. (k >= 0 /\ x = power 2 k)

  (* needed *)
  lemma is_power_of_2_1:
    forall x:int. is_power_of_2 x -> x > 1 -> 2 * div x 2 = x

(**

{2 Modeling the "upsweep" phase }

*)

  (** Shortcuts *)
  function go_left (left right:int) : int =
    let space = right - left in left - div space 2

  function go_right (left right:int) : int =
    let space = right - left in right - div space 2

(**
   Description in a purely logic way the effect of the first phase
     "upsweep" of the algorithm.  The second phase "downsweep" then
     traverses the array in the same way than the first phase. Hence,
     the inductive nature of this definition is not an issue. *)

  inductive phase1 (left:int) (right:int) (a0: array int) (a: array int) =
    | Leaf : forall left right:int, a0 a : array int.
       right = left + 1 ->
       a[left] = a0[left] ->
       phase1 left right a0 a
    | Node : forall left right:int, a0 a : array int.
       right > left + 1 ->
       phase1 (go_left left right) left a0 a ->
       phase1 (go_right left right) right a0 a ->
       a[left] = sum a0 (left-(right-left)+1) (left+1) ->
       phase1 left right a0 a

  (** Frame properties of the "phase1" inductive *)

  (** frame lemma for "phase1" on fourth argument.
     needed to prove both upsweep, downsweep and compute_sums
   *)
  let rec lemma phase1_frame (left right:int) (a0 a a' : array int) : unit
    requires { forall i:int. left-(right-left) < i < right ->
               a[i] = a'[i]}
    requires { phase1 left right a0 a }
    variant { right-left }
    ensures { phase1 left right a0 a' } =
    if right > left + 1 then begin
       phase1_frame (go_left left right) left a0 a a';
       phase1_frame (go_right left right) right a0 a a'
    end

  (** frame lemma for "phase1" on third argument.
     needed to prove upsweep and compute_sums
   *)
  let rec lemma phase1_frame2 (left right:int) (a0 a0' a : array int) : unit
    requires { forall i:int. left-(right-left) < i < right ->
               a0[i] = a0'[i]}
    requires { phase1 left right a0 a }
    variant { right-left }
    ensures { phase1 left right a0' a } =
    if right > left + 1 then begin
       phase1_frame2 (go_left left right) left a0 a0' a;
       phase1_frame2 (go_right left right) right a0 a0' a
    end


(** {2 The upsweep phase}

  First function: modify partially the table and compute some
      intermediate partial sums

*)

  let rec upsweep (left right: int) (a: array int)
    requires { 0 <= left < right < a.length }
    requires { -1 <= left - (right - left) }
    requires { is_power_of_2 (right - left) }
    variant { right - left }
    ensures { phase1 left right (old a) a }
    ensures { let space = right - left in
      a[right] = sum (old a) (left-space+1) (right+1) /\
      (forall i: int. i <= left-space -> a[i] = (old a)[i]) /\
      (forall i: int. i > right -> a[i] = (old a)[i]) }
  = let space = right - left in
    if right > left+1 then begin
      upsweep (left - div space 2) left a;
      upsweep (right - div space 2) right a;
      assert { phase1 (left - div space 2) left (old a) a };
      assert { phase1 (right - div space 2) right (old a) a };
      assert { a[left] = sum (old a) (left-(right-left)+1) (left+1) };
      assert { a[right] = sum (old a) (left+1) (right+1) }
    end;
    a[right] <- a[left] + a[right];
    assert {
      right > left+1 -> phase1 (left - div space 2) left (old a) a };
    assert {
      right > left+1 -> phase1 (right - div space 2) right (old a) a }

(** {2 The downsweep phase} *)

  (** The property we ultimately want to prove *)
  predicate partial_sum (left:int) (right:int) (a0 a : array int) =
    forall i : int. (left-(right-left)) < i <= right -> a[i] = sum a0 0 i

  (** Second function: complete the partial using the remaining intial
      value and the partial sum already computed *)
  let rec downsweep (left right: int) (ghost a0 : array int) (a : array int)
    requires { 0 <= left < right < a.length }
    requires { -1 <= left - (right - left) }
    requires { is_power_of_2 (right - left) }
    requires { a[right] = sum a0 0 (left-(right-left) + 1) }
    requires { phase1 left right a0 a }
    variant  { right - left }
    ensures { partial_sum left right a0 a }
    ensures { forall i: int. i <= left-(right-left) -> a[i] = (old a)[i] }
    ensures { forall i: int. i > right -> a[i] = (old a)[i] }
  = let tmp = a[right] in
    assert { a[right] = sum a0 0 (left-(right-left) + 1) };
    assert { a[left] = sum a0 (left-(right-left)+1) (left+1) };
    a[right] <- a[right] + a[left];
    a[left] <- tmp;
    assert { a[right] = sum a0 0 (left + 1) };
    if right > left+1 then
    let space = right - left in
    assert { phase1 (go_left left right) left a0 (old a) };
    assert { phase1 (go_right left right) right a0 (old a) };
    assert { phase1 (go_right left right) right a0 a };
    downsweep (left - div space 2) left a0 a;
    assert { phase1 (go_right left right) right a0 a };
    downsweep (right - div space 2) right a0 a;
    assert { partial_sum (left - div space 2) left a0 a };
    assert { partial_sum (right - div space 2) right a0 a }

(** {2 The main procedure} *)

  let compute_sums a
    requires { a.length >= 2 }
    requires { is_power_of_2 a.length }
    ensures { forall i : int. 0 <= i < a.length -> a[i] = sum (old a) 0 i }
  = let a0 = ghost (copy a) in
    let l = a.length in
    let left = div l 2 - 1 in
    let right = l - 1 in
    upsweep left right a;
    (* needed for the precondition of downsweep *)
    assert { phase1 left right a0 a };
    a[right] <- 0;
    downsweep left right a0 a;
    (* needed to prove the post-condition *)
    assert { forall i : int.
      left-(right-left) < i <= right -> a[i] = sum a0 0 i }


(** {2 A simple test} *)


  let test_harness () =
    let a = make 8 0 in
    (* needed for the precondition of compute_sums *)
    assert { power 2 3 = a.length };
    a[0] <- 3; a[1] <- 1; a[2] <- 7; a[3] <- 0;
    a[4] <- 4; a[5] <- 1; a[6] <- 6; a[7] <- 3;
    compute_sums a;
    assert { a[0] = 0 };
    assert { a[1] = 3 };
    assert { a[2] = 4 };
    assert { a[3] = 11 };
    assert { a[4] = 11 };
    assert { a[5] = 15 };
    assert { a[6] = 16 };
    assert { a[7] = 22 }


  exception BenchFailure

  let bench () raises { BenchFailure -> true } =
    let a = make 8 0 in
    (* needed for the precondition of compute_sums *)
    assert { power 2 3 = a.length };
    a[0] <- 3; a[1] <- 1; a[2] <- 7; a[3] <- 0;
    a[4] <- 4; a[5] <- 1; a[6] <- 6; a[7] <- 3;
    compute_sums a;
    if a[0] <> 0 then raise BenchFailure;
    if a[1] <> 3 then raise BenchFailure;
    if a[2] <> 4 then raise BenchFailure;
    if a[3] <> 11 then raise BenchFailure;
    if a[4] <> 11 then raise BenchFailure;
    if a[5] <> 15 then raise BenchFailure;
    if a[6] <> 16 then raise BenchFailure;
    if a[7] <> 22 then raise BenchFailure;
    a

end
why3-1.6.0/examples/verifythis_PrefixSumRec/000077500000000000000000000000001440160026300210525ustar00rootroot00000000000000why3-1.6.0/examples/verifythis_PrefixSumRec/why3session.xml000066400000000000000000001062731440160026300241030ustar00rootroot00000000000000














 
 
 
 
 
 
 
 
 
 
 
 
 
 
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
 
 
 
 
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
 
 
 
 
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
 
 
 
 
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
 
 
 
 
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
 
 
 
 
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
 
 
 
 
 



why3-1.6.0/examples/verifythis_PrefixSumRec/why3shapes.gz000066400000000000000000000155431440160026300235220ustar00rootroot00000000000000}nI3]hePU@bA~U-TIꞾ_⑙R"%[<##/0W__W?^eW叏wzWz<+^?o}r_
?cfC^C4W߆x{G,ʾ%͟e?]	Zop\+.•/q]JDDtM/#/hwT'e~R|p{wΧtUHWtM4>,d4ghCj.++t+vteXDDRRW}1}hM7rbg.Yxfx:הܺE*n]yڢc_^O/U	Ug	"Ps#
q0Yn}֯)Ћ:+A]x>{d̙&qP1Y.o$e 
u?!HAԀP8*%XQr{y0в5)O{5g&d~&-)۹Tu}6.b
eblf|;;mE'v9,M5Q0"m\	v·AOK[6mXWY;Z|RMܖ%%6פRκ&KMUM*^[nMRޯx)w]Efhz?qX0_°s	[AڞڸEy{JTikS5dnm5,tv[秥VŤfot+զeVoFՏ=TK(2+6=gup cgl)V-\\
\}M4`7`E\Oxxx~^\77_ßvC)`KUbX?>XU!)ChM!V4T*v?bA{= -?f>cВ+DZ%[l
ZſhۙUfiMlf`@~>5˹B&nmk/bм%B5 ճ6v3z!!mUf#kMfЛa~;185mibpV}3r00dXX1dX@40|vHHzw7nݍ绑w#n.yߞTDTJvxv(dh_j
z!ON\|3 iWW\{SʼT:c
}9)f?eWdwv&ٚ٩-Iv8\m?~Z<߰[X?l;-)T+j]^AM_#~mµZ;C1C7Q_2
z5.X;cy)4tg]a#{cl#`tEwVX^}E6zPJ?K:,Q6I[S|U竨}}髈m??GɧtC}nJJD/vY!;z[ܹ?y>Aנ)I!sz§6rN6`uP`P_v3ujogiܨRfGۚcy!(N]TE
99-!
^@6%z<&ߚڗq5ʬD/jG+=	xi>˻txh著jҭ{O9|r!Nž}{偟X=2>3O.$K+
Μ]jϯITgwe[N}[+}뼷;Ms[m8z,wo7K>=0op^-/MiՒ,=d4!ל^(Իl}HW7Ϊ:W7jzayގb-EODOU×o_oO}_|wrOJ~}{`^Q^f!߫oX[m
zP}-piYhŌ#`w桽SbNbo/3D}/	l;oD+xTx/k5"QYF.(Y:W6'jPU]mVɛcodxlb{#۟R~U^k[
zM9ۇWzZo?њFo?ɞd[VSɯ]M_M0S=!p_+x;9ˊ/M>}6|o_Sr
77_馄/n_!j։=vJU\Ci&1%-
p6v&6}+\KGĵ_3_ t	YBVz^oBvlMjHڧhuw׵z,6!kSOͬTM/W]bV%6*guQΓwԫS;m>tfM|`\̟']EL*M]ymյC9(]\]<$.)tNE'dk:zF֟cbcf%-M&{r\jz $DnɉɖK/:~>N:5}9ݓ['kw^gt&Ҝd;Y,,XXv'&['±q7
Ǽ7 = @Z4tt@@wt!}~@=/~X410óz```	3333333OÌ[)S|uxOxG	o3:dǚɶ	"~	̎N<\"~	_'m5~2AX9S]M M M wH^'hJTd<]etu%z
mpކq'Z},cu;ȭW?u{\޸4KS}իKŔI٢9ro+lT6{Se%[tTH2eHN瘸
OMeq&`(Bi}93B(0SL{i3]7(kgL\NJ;Ʉ֎Z,Itˀ>KҮ-
]DQlLiw%%4d-=ٖ>Y,Wr'cuHY=BM)s#]q0	Ga.xÛ23D`yN:	F&kaZ^F7>L/.Ii&#@Yq6yʐ{FG.6$y9J*:r
(DҙǢ,bQ",eUKgd3xW.'ύ=flݠ3zJSb&L!)CASgtN;5sJ1.cV,[C:ic4{(A('뒙zUIhsfNIbUdo=e]&;-~Њ]xv1ĩXT;Dxa]IudQdۨ/)L=PeCD@QSLX1d]e'KrGlx
旼`?sLlDnh4LW:2%}Ҍ&e)0L2.hc(7g_vYdm	:8&»;X%d}aУV#\q»i~I'twKaPJEb!D²`ufũ:7YS@]Y	ԉ!DW"M)4@6̕.䄌FP
{@kcbc-+u@o92&5|3(ez3Dx@P"[c| ܀pP܅̹&9
Ъ
u@o6dp9yal
XIW=\`6bM1$M+Wu2IDx_41Ms'Ėeg%dAjui
57}#Ia<<`=-T+wE%
Cr. "9/ɔ\ ̤wZ-<6k
UbJ"- {8
EqJ{.iqA/C\x{^ZCn	7imqڀX37P;<.GV+ʉ0K7L`tpO
@`9iR>LQ=p	)fL(8A23n7pȰJ9Y 
%]u.ЌqdX5H@*ZMOQ!9ףA,5;bĺABB6!jPRzz{h4؃|WH3rH7""Q3$<p*LAHbPSW9iOcn+[d-dl5-}֨PI'lܫle>ၫhF'"DtGS]ob8(ex[!Zrw>`ƠC	%Z)$j3d<v:љ('wv]C8
uQRB/c86 N *wY-	UQAQIcBU<0B#X!D6Wqͣ| pRz1#*RPQQ	vP
U CdEHSJ{!@Y\!$>Tlno7QG [8j;#
jgà6(Bw0}"dŋ	!"͆3QO!!S	4xwa)$`Rg&
U'eG^Sf	

%@~2A(vaV"-OJ)-IFʃr&l&WPH'D+Pum*#CEIB
"o3SS&C'w+qrE3Fу(Q9{7< U,YT
JU-
:2gb*b
kT!)NpL#&u'7dk4($J<4u;p䔡60["Tmcj;)P#MRS0RSۈ"\(<	G"MCmDoctmDoqnUA*y[6bW 
i00i=<(Qe[@
yn6+Sb6bwPS2d$oS25Dy 缏J&j8fF'H"	án"6(\Hb[\ܨ
86DuVPI	zxc,why3-1.6.0/examples/verifythis_fm2012_LRS.mlw000066400000000000000000000360001440160026300206450ustar00rootroot00000000000000(**

{1 VerifyThis@fm2012 competition, Challenge 1: Longest Repeated Substring}

{h
The following is the original description of the verification task,
reproduced verbatim. A reference
implementation in Java (based on code by Robert Sedgewick and
Kevin Wayne) was also given. The Why3 implementation below follows the
Java implementation as faithfully as possible.


    Longest Common Prefix (LCP) - 45 minutes

VERIFICATION TASK
-----------------

Longest Common Prefix (LCP) is an algorithm used for text querying. In
the following, we model text as an integer array. You may use other
representations (e.g., Java Strings), if your system supports them.

LCP can be implemented with the pseudocode given below. Formalize and
verify the following informal specification for LCP.

Input:  an integer array a, and two indices x and y into this array
Output: length of the longest common prefix of the subarrays of a
        starting at x and y respectively.

Pseudocode:

    int lcp(int[] a, int x, int y) {
        int l = 0;
        while (x+l<a.length && y+l<a.length && a[x+l]==a[y+l]) {
            l++;
        }
        return l;
    }


ADVANCED
========

BACKGROUND
----------

Together with a suffix array, LCP can be used to solve interesting text
problems, such as finding the longest repeated substring (LRS) in a text.

A suffix array (for a given text) is an array of all suffixes of the
text. For the text [7,8,8,6], the suffix array is
[[7,8,8,6],
   [8,8,6],
     [8,6],
       [6]]

Typically, the suffixes are not stored explicitly as above but
represented as pointers into the original text. The suffixes in a suffix
array  are sorted in lexicographical order. This way, occurrences of
repeated substrings in the original text are neighbors in the suffix
array.

For the above, example (assuming pointers are 0-based integers), the
sorted suffix array is:

[3,0,2,1]

VERIFICATION TASK
-----------------

The attached Java code contains an implementation of a suffix array
(SuffixArray.java), consisting essentially of a lexicographical
comparison on arrays, a sorting routine, and LCP.

The client code (LRS.java) uses these to solve the LRS problem. Verify
that it does so correctly.

    }

*)



(** {2 First module: longest common prefix}

    it corresponds to the basic part of the challenge

*)

module LCP

use export int.Int
use array.Array

(** `is_common_prefix a x y l` is true when the prefixes of length `l`
    at respective positions `x` and `y` in array `a` are identical. In
    other words, the array parts `a[x..x+l-1]` and `a[y..y+l-1]` are equal
    *)
predicate is_common_prefix (a:array int) (x y l:int) =
  0 <= l /\ x+l <= a.length /\ y+l <= a.length /\
  (forall i:int. 0 <= i < l -> a[x+i] = a[y+i])

(** This lemma helps for the proof of `lcp` (but is not mandatory) and
    is needed later (for `le_trans`) *)
lemma not_common_prefix_if_last_char_are_different:
  forall a:array int, x y:int, l:int.
    0 <= l /\ x+l < a.length /\ y+l < a.length /\ a[x+l] <> a[y+l] ->
      not is_common_prefix a x y (l+1)

(** `is_longest_common_prefix a x y l` is true when `l` is the maximal
    length such that prefixes at positions `x` and `y` in array `a`
    are identical. *)
predicate is_longest_common_prefix (a:array int) (x y l:int) =
  is_common_prefix a x y l /\
  forall m:int. l < m -> not (is_common_prefix a x y m)

(** This lemma helps to proving `lcp` (but again is not mandatory),
    and is needed for proving `lcp_sym` and `le_trans` lemmas, and
    the post-condition of `compare` function in the "absurd" case *)

lemma longest_common_prefix_succ:
  forall a:array int, x y l:int.
    is_common_prefix a x y l /\ not (is_common_prefix a x y (l+1)) ->
    is_longest_common_prefix a x y l

use export ref.Refint

(** the first function, that computes the longest common prefix *)
let lcp (a:array int) (x y:int) : int
  requires { 0 <= x <= a.length }
  requires { 0 <= y <= a.length }
  ensures { is_longest_common_prefix a x y result }
  = let n = a.length in
    let l = ref 0 in
    while x + !l < n && y + !l < n && a[x + !l] = a[y + !l] do
      invariant { is_common_prefix a x y !l }
      variant { n - !l }
      incr l
    done;
    !l

end

module LCP_test

(** test harness for lcp *)

use array.Array
use LCP

(*
let test () =
  let arr = Array.make 4 0 in
  arr[0]<-1; arr[1]<-2; arr[2]<-2; arr[3]<-5;
  let x = lcp arr 1 2 in
  assert { is_common_prefix arr 1 2 1};
  assert { not is_common_prefix arr 1 2 2};
  check { x = 1 };
  (* int[] brr = {1,2,3,5}; *)
  let brr = Array.make 4 0 in
  brr[0]<-1; brr[1]<-2; brr[2]<-3; brr[3]<-5;
  let x = lcp brr 1 2 in
  assert { is_common_prefix brr 1 2 0};
  assert { not is_common_prefix brr 1 2 1};
  check { x = 0 };
  (* int[] crr = {1,2,3,5}; *)
  let crr = Array.make 4 0 in
  crr[0]<-1; crr[1]<-2; crr[2]<-3; crr[3]<-5;
  let x = lcp crr 2 3 in
  assert { is_common_prefix crr 2 3 0};
  assert { not is_common_prefix crr 2 3 1};
  check { x = 0 };
  (* int[] drr = {1,2,3,3}; *)
  let drr = Array.make 4 0 in
  drr[0]<-1; drr[1]<-2; drr[2]<-3; drr[3]<-3;
  let x = lcp drr 2 3 in
  assert { is_common_prefix drr 2 3 1};
  assert { not is_common_prefix drr 2 3 2};
  check {x = 1}
*)

  exception BenchFailure

  let bench () raises { BenchFailure -> true } =
    let arr = Array.make 4 0 in
    arr[0]<-1; arr[1]<-2; arr[2]<-2; arr[3]<-5;
    let x = lcp arr 1 2 in
    if x <> 1 then raise BenchFailure;
    x

end


(** {2 Second module: sorting suffixes } *)
module SuffixSort

  use int.Int
  use ref.Refint
  use array.Array
  use LCP

  (** order by prefix *)
  predicate lt (a : array int) (x y:int) =
     let n = a.length in
     0 <= x <= n /\ 0 <= y <= n /\
     exists l:int. LCP.is_common_prefix a x y l /\
     (y+l < n /\ (x+l = n \/ a[x+l] < a[y+l]))



(** comparison function, that decides the order of prefixes *)
let compare (a:array int) (x y:int) : int
  requires { 0 <= x <= a.length }
  requires { 0 <= y <= a.length }
  ensures { result = 0 -> x = y }
  ensures { result < 0 -> lt a x y }
  ensures { result > 0 -> lt a y x }
  =
  if x = y then 0 else
  let n = a.length in
  let l = LCP.lcp a x y in
  if x + l = n then -1 else
  if y + l = n then 1 else
  if a[x + l] < a[y + l] then -1 else
  if a[x + l] > a[y + l] then 1 else
  absurd

  use map.MapInjection as Inj
  (** `range a` is true when for each `i`, `a[i]` is between `0` and
      `a.length-1` *)
  predicate range (a:array int) = Inj.range a.elts a.length

  (** for the `permut` predicate (permutation of elements) *)
  use array.ArrayPermut

  predicate le (a : array int) (x y:int) = x = y \/ lt a x y

  (* needed for le_trans (for cases x = y /\ le y z and le x y /\ y = z) *)
  lemma lcp_same_index :
    forall a:array int, x:int.
      0 <= x <= a.length -> LCP.is_longest_common_prefix a x x (a.length - x)

  lemma le_trans : forall a:array int, x y z:int.
    le a x y /\ le a y z -> le a x z

  (** spec of sorted in increasing prefix order *)
  use map.Map as Map

  predicate sorted_sub (a:array int) (data:Map.map int int) (l u:int) =
    forall i1 i2 : int. l <= i1 <= i2 < u ->
      le a (Map.get data i1) (Map.get data i2)

  predicate sorted (a : array int) (data:array int) =
    sorted_sub a data.elts 0 data.length

let sort (a:array int) (data : array int)
  requires { data.length = a.length }
  requires { range data }
  ensures { sorted a data }
  ensures { permut_all (old data) data }
  =
   for i = 0 to data.length - 1 do
     invariant { permut_all (old data) data   }
     invariant { sorted_sub a data.elts 0 i  }
     invariant { range data }
     let j = ref i in
     while !j > 0 && compare a data[!j-1] data[!j] > 0 do
       invariant { 0 <= !j <= i }
       invariant { range data }
       invariant { permut_all (old data) data   }
       invariant { sorted_sub a data.elts 0 !j }
       invariant { sorted_sub a data.elts !j (i+1) }
       invariant { forall k1 k2:int. 0 <= k1 < !j /\ !j+1 <= k2 <= i ->
                     le a data[k1] data[k2] }
       variant { !j }
       label L in
       let b = !j - 1 in
       let t = data[!j] in
       data[!j] <- data[b];
       data[b] <- t;
       assert { exchange (data at L) data (!j-1) !j };
       decr j
     done;
     (* needed to prove the invariant `sorted_sub a data.elts 0 i` *)
     assert { !j > 0 -> le a data[!j-1] data[!j] }
   done


end


module SuffixSort_test

  use int.Int
  use array.Array
  use LCP
  use SuffixSort

  exception BenchFailure

  let bench () raises { BenchFailure -> true } =
    let arr = Array.make 4 0 in
    (* [7,8,8,6] *)
    arr[0]<-7; arr[1]<-8; arr[2]<-8; arr[3]<-6;
    let suf = Array.make 4 0 in
    for i = 0 to 3 do 
      invariant { forall j:int. 0 <= j < i -> suf[j] = j }
      suf[i] <- i 
    done;
    SuffixSort.sort arr suf;
    (* should be [3,0,2,1] *)
    if suf[0] <> 3 then raise BenchFailure;
    if suf[1] <> 0 then raise BenchFailure;
    if suf[2] <> 2 then raise BenchFailure;
    if suf[3] <> 1 then raise BenchFailure;
    suf

end




(** {2 Third module: Suffix Array Data Structure } *)


module SuffixArray

use int.Int
use array.Array
use LCP
use SuffixSort
use map.Map as Map
use map.MapInjection as Inj

predicate permutation (m:Map.map int int) (u : int) =
  Inj.range m u /\ Inj.injective m u

type suffixArray = {
    values : array int;
    suffixes : array int;
}
invariant { values.length = suffixes.length /\
  permutation suffixes.elts suffixes.length /\
  SuffixSort.sorted values suffixes }
by { values = make 0 0; suffixes = make 0 0 }

let select (s:suffixArray) (i:int) : int
  requires { 0 <= i < s.values.length }
  ensures { result = s.suffixes[i] }
  = s.suffixes[i]

use array.ArrayPermut

(** needed to establish invariant in function `create` *)
lemma permut_permutation : forall a1 a2:array int.
  permut_all a1 a2 /\ permutation a1.elts a1.length ->
    permutation a2.elts a2.length

(** constructor of suffixArray structure *)
let create (a:array int) : suffixArray
  ensures { result.values = a }
= let n = a.length in
  let suf = Array.make n 0 in
  for i = 0 to n-1 do
    invariant { forall j:int. 0 <= j < i -> suf[j] = j }
    suf[i] <- i done;
  SuffixSort.sort a suf;
  { values = a; suffixes = suf }

let lcp (s:suffixArray) (i:int) : int
  requires { 0 < i < s.values.length }
  ensures { LCP.is_longest_common_prefix s.values
              s.suffixes[i-1] s.suffixes[i] result }
= LCP.lcp s.values s.suffixes[i] s.suffixes[i-1]

end




module SuffixArray_test

use int.Int
use array.Array
use SuffixArray

(*
let test () =
  let arr = Array.make 4 0 in
  arr[0]<-1; arr[1]<-2; arr[2]<-2; arr[3]<-5;
  let sa = create arr in
  assert { sa.suffixes[0] = 0 };
  assert { sa.suffixes[1] = 1 };
  assert { sa.suffixes[2] = 2 };
  assert { sa.suffixes[3] = 3 };
  let x = lcp sa 1 in
  check {x = 0};
  (* int[] brr = {1,2,3,5}; *)
  let brr = Array.make 4 0 in
  brr[0]<-1; brr[1]<-2; brr[2]<-3; brr[3]<-5;
  let sa = create brr in
  let x = lcp sa 1 in
  check {x = 0 (* TODO *)};
  (* int[] crr = {1,2,3,5}; *)
  let crr = Array.make 4 0 in
  crr[0]<-1; crr[1]<-2; crr[2]<-3; crr[3]<-5;
  let sa = create crr in
  let x = lcp sa 2 in
  check {x = 0 (* TODO *)};
  (* int[] drr = {1,2,3,3}; *)
  let drr = Array.make 4 0 in
  drr[0]<-1; drr[1]<-2; drr[2]<-3; drr[3]<-3;
  let sa = create drr in
  let x = lcp sa 2 in
  check {x = 0 (* TODO *)}
*)

  exception BenchFailure

  let bench () raises { BenchFailure -> true } =
    let arr = Array.make 4 0 in
    (* [7,8,8,6] *)
    arr[0]<-7; arr[1]<-8; arr[2]<-8; arr[3]<-6;
    let sa = create arr in
    if sa.suffixes[0] <> 3 then raise BenchFailure;
    if sa.suffixes[1] <> 0 then raise BenchFailure;
    if sa.suffixes[2] <> 2 then raise BenchFailure;
    if sa.suffixes[3] <> 1 then raise BenchFailure;
    sa

end


(** {2 Fourth module: Longest Repeated Substring} *)

module LRS

  use int.Int
  use ref.Ref
  use array.Array
  use map.MapInjection as Inj
  use LCP
  use SuffixSort
  use SuffixArray


(** additional properties relating `le` and `longest_common_prefix` *)

(* needed for `lrs` function, last before last assert *)
lemma lcp_sym :
  forall a:array int, x y l:int.
     0 <= x <= a.length /\ 0 <= y <= a.length ->
       LCP.is_longest_common_prefix a x y l ->
       LCP.is_longest_common_prefix a y x l


(** allows CVC to prove the next lemma *)
lemma le_le_common_prefix:
    forall a:array int, x y z l:int.
     SuffixSort.le a x y /\ SuffixSort.le a y z ->
     LCP.is_common_prefix a x z l -> LCP.is_common_prefix a y z l

(** proved by Alt-Ergo and CVC. But only by Alt-Ergo if previous lemma is removed *)
  lemma le_le_longest_common_prefix:
    forall a:array int, x y z l m :int.
     SuffixSort.le a x y /\ SuffixSort.le a y z ->
     LCP.is_longest_common_prefix a x z l /\
     LCP.is_longest_common_prefix a y z m
       -> l <= m


  val solStart : ref int
  val solLength : ref int
  val ghost solStart2 : ref int

  let lrs (a:array int) : unit
    requires { a.length > 0 }
    ensures { 0 <= !solLength <= a.length }
    ensures { 0 <= !solStart <= a.length }
    ensures { 0 <= !solStart2 <= a.length /\ !solStart <> !solStart2 /\
              LCP.is_longest_common_prefix a !solStart !solStart2 !solLength }
    ensures { forall x y l:int.
                0 <= x < y < a.length /\
                LCP.is_longest_common_prefix a x y l ->
                !solLength >= l }
  =
    let sa = SuffixArray.create a in
    solStart := 0;
    solLength := 0;
    solStart2 := a.length;
    for i=1 to a.length - 1 do
      invariant { 0 <= !solLength <= a.length }
      invariant { 0 <= !solStart <= a.length }
      invariant {
           0 <= !solStart2 <= a.length /\ !solStart <> !solStart2 /\
           LCP.is_longest_common_prefix a !solStart !solStart2 !solLength }
      invariant { forall j k l:int.
                  0 <= j < k < i /\
                  LCP.is_longest_common_prefix a
                    sa.SuffixArray.suffixes[j] sa.SuffixArray.suffixes[k] l ->
                  !solLength >= l }
      let l = SuffixArray.lcp sa i in
      if l > !solLength then begin
         solStart := SuffixArray.select sa i;
         solStart2 := SuffixArray.select sa (i-1);
         solLength := l
      end
    done;
    (** the following assert needs `lcp_sym` lemma *)
    assert { forall j k l:int.
                0 <= j < a.length /\ 0 <= k < a.length /\ j <> k /\
                 LCP.is_longest_common_prefix a
                 sa.SuffixArray.suffixes[j] sa.SuffixArray.suffixes[k] l ->
              !solLength >= l};
    (* we state explicitly that sa.suffixes is surjective *)
    assert { forall x y:int.
                0 <= x < y < a.length ->
                exists j k : int.
                  0 <= j < a.length /\ 0 <= k < a.length /\ j <> k /\
                  x = sa.SuffixArray.suffixes[j] /\
                  y = sa.SuffixArray.suffixes[k] };
    ()

end


module LRS_test

  use int.Int
  use array.Array
  use ref.Ref
  use LRS

  exception BenchFailure

  let bench () raises { BenchFailure -> true } =
    let arr = Array.make 4 0 in
    (* [7,8,8,6] *)
    arr[0]<-7; arr[1]<-8; arr[2]<-8; arr[3]<-6;
    lrs arr;
    if !solStart <> 1 then raise BenchFailure;
    if !solLength <> 1 then raise BenchFailure;
    !solStart, !solLength

end
why3-1.6.0/examples/verifythis_fm2012_LRS/000077500000000000000000000000001440160026300201255ustar00rootroot00000000000000why3-1.6.0/examples/verifythis_fm2012_LRS/why3session.xml000066400000000000000000000442321440160026300231520ustar00rootroot00000000000000









 
 
 
 
 
 
 
 
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
 
 


 
 
 


 
 
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
 
 
 
 
 
 
 
 
 
 
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
 
 


 
 
 


 
 
 
 
 
 
 
 
 
 
 
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
 
 
 
 
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
 
 


 
 
 


 
 
 
 
 
 
 
 
 
 
 
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
   
   
    
    
    
    
    
     
     
      
      
       
       
       
      
      
     
     
    
    
   
   
  
  
  
  
  
  
  
  
  
  
  
  
  
   
   
    
    
    
   
   
  
  
  
  
  
 
 


 
 
 



why3-1.6.0/examples/verifythis_fm2012_LRS/why3shapes.gz000066400000000000000000000201751440160026300225720ustar00rootroot00000000000000][o~ׯ_‚yكy
lvː__6#: ̰dUfN~Mӿ|o7~y[{{Y^^E._uy_Ö,_x?bR{GKg{ޟ/}Kۄ|Kv6\[{%/cջUzwoW'^%oȃ-浗	tJ26c.ڈ=4C=	%s-At{8mn>k4Z.5D4Aw~{e꧴25f9"yE~Ͽ߃@j
8LLxip/~%/KXnK-UAX:/nGG7VOY&F?f^S064r(/S;$\7WOq?^?
wY
NF` kBXy$Q_Q	ǓQ4$ޮhBmw17B5,5 :RiV	xN8E+oZAx	23o6f}3-ۘx1q-eAU[[\WA_:F֡NĽKF|hs)dirS	|F& $qm
+U	K"çDD@@g@}}!.Oo5Afѷ\~_npKu?POrbXȇ[M@~]p}hn(2/4_OLd7J
06Qz7/"ˬ#b3SRoi.>OJ!׏EB9sgk',6* wT8FZS->n0r`Sakagl`
¯!0Gʦ%{OPx s2IPHPF)LZ0XpY]srܸ\>#
#ʩq-GMZr9-'kq9nV7(x𰳮E9)^:~>=}ѼE/`wȼSmlh879mQzA;D3~‚3:b>#6{íyVI,q:ۇ6_-Qv64qÛ~HIT&F/%L&_X~/$FL5C#.To;θMPN$~dddrؙdM2_Fj;H6Jg+$t7`7\ֽ_B
Q}  Ά3n 
UDQA&,E3?מ`d׺tMQ9$㳍ŹIv[ReЀ˾}PfV+Km87uu
,(Ke[5vY\1r5Z+_̽āt<ܴle8Sԫlh87u'@
N9Ns[[{&-x)װjZ7ڔkS|fmj6~ӻM6{mb%TrSM%*IֽMe7To֥E2
^M:"d$ٯgyt__$]rae>ջh]o>Gvc[vcۍlݶsg䰡?B*TVVۧho;θʹlx~`V}zB
=W}/ToVsxI&_
&ub?S|+Ŀl/AnB9fpzӝQIߟ6{f;+gf^8~e9c73vriv/_ؽݧn?DUdu쀐Su|krҷ

gP#퇇Bt:d5lXm|)6'X}wWp[=ISlzl

;ڱM^my*gӎtӏ'krC{s&f&x:865=Udtb{U\ZZk5cJk״zZ=z^iŚV@Zy2NM*:TYfU*YeτN\;Eg=UQ\gKWlzPt>rOةh>td@y
sXSa&0(cZx].d͹I/'zq' >I4Uz[hF9rB|sl/bdsI'ݾNS1K$`WHdҗ1ERU0tdz\A2gC(=vx!Q¾%\O	7Qj&=\,YEգ&lo!\Sf{
|n>|)!I!RB?%L0$k0\∖,0F¿ͼssVfD(L
H(רOU$[vP	"IdQ)<,q:
9'򛪬n6_?.狊#ȩyՇcJáYu<^39ǎ^eЩCC,HgX
U
H.^Ͳ#>4M-:~X2Қ]:4GZAi=MvOQRZ_3(nP6eY
eyj/rE6ѩFK#Q+kyY
CXHrԚeջ(wpb¿;jnt7]߬1oVO|4j1f5?L9|YM%|Wެءi{đCw}o4_.jWt_IzP-is>_rT+b_k58*c!7^*Q[񣆌b&Վ!:`yj~tRʢ_ڢ߿>`|ծM<4My	[Ϸ>p	;{Rܣ%7?}):`u<ľ7KVS*GW\сiW6%&_|X$A$  i	$3Q{=9KQ3z۠mڋMԾgZTh{[H0ƹw1BdڧXCVWXOdoo"#Y&jMjǛFy^7k[mٶ.mm}E\GWmcW0㓛oR=Jc8Z>*I׺пr`ӟM~,y"\L%"ԻK>^44	t8hjaԯ%y+l2L2vHmUcrMnLL>SB\觗Caݦ1_IcERo43KBX_l=i%[AS3̰p2εt~aWq%MnGw7}nnOIOt#b	ꯇ!4h_ϑ秔mNn8"iϗGLj°ѝQ` HaV'G|4nj/wn$?3(zOTi鑅>\\ibjFeQ˘attk7z5YE5v0sm}kLoTF7$'f.l]WmZiwU:U36cj{j{(LpCu_/(,&GʣHiX>kc^s
Im	}3H\VZ[BmѰOF;+L_{wn?J1˅>n8erqzG-3:5ѕ[PCh@gx<[ʣZo^7ܤzjӟ&q,;h˄],^y=[wr`aCUDc{v6!l|$fLڴ{Pl6'4;t?>.G3r}
(P֑Gey󙚨<&y?-F5u$#Z]Ar2VtvdΗ82G@s7;2D%|c6MlPFEcL=tk|jJeP5.6Y\|k3&63Y&ڤTϧ^HàtΛI+]N])Ss0k+sA+W1ř6ziL+&B;Ulg	IFxl=&
eU6Xs,&5T)T˶d:g[+q4u:R_HŠ&%{EHZz宴mIzu*t'mS:嘤u`z4Mb1T-NY[Zec(u"jѹBuBD}bt
h'M|S]@,T#hI][F"N:Z[dZ]X#)}RldrI3`	3B5<9	uR:-t1b1	ݩ=md6xZAH\PD*v]0.Cb\jc-$I+smKi`dPX'^yP#h`d
9w_hu`LubԀ&@PME08[#,dDM໵z\Ӫ$"Z0sف'-2=lPٶGeSTOYa]:B`AVKnAh!u]Ⱥ]{/h#V7D㭇,p!AYH`Ős>t^
4%Al!Rw"Euִjj81ft)$1`FbLk	v`VJ&CA@MVTR]:x5BZٙƈvMX$G8ݵX;-	FE}20:^qVI,&+%Lpx!,
J
<HY`HE-J9bUFjZh7R/*9(.qsdcK{]dG,yMAX{*mV֟ZuaG=?B	xXa2v+ov4Bt>5%&/m~v@2\dZfa
v-ݐM@"0iM\:46D0D
ia!`A4\]brZQ)ZXUϫjVDPqMrņ:T@˜c!2'Air#A]i `#'xɷ,ttJ_xn'T˱	D2GE(pmIQ8hb@PUED
Ē%L.0+03`<9$0a.&{07jTΰFG*@)Z]1hF"rwE6m0(J8uި 
?GHek
9KEa$`#VVSJ,B/s
n,7f]S_!G
Kx+	!]"FH?/Va׈}[q`@Ly3u%EH߂n"¦"YgSLjӂ	0U87ultWOGi@fthis web page}

   Author: Jean-Christophe Filliâtre *)

(*
Iterative deletion in a binary search tree - 90 minutes


VERIFICATION TASK
-----------------

Given: a pointer t to the root of a non-empty binary search tree (not
necessarily balanced). Verify that the following procedure removes the
node with the minimal key from the tree. After removal, the data
structure should again be a binary search tree.


(Tree, int) search_tree_delete_min (Tree t) {
   Tree tt, pp, p;
   int m;
   p = t->left;
   if (p == NULL) {
       m = t->data; tt = t->right; dispose (t); t = tt;
   } else {
       pp = t; tt = p->left;
       while (tt != NULL) {
           pp = p; p = tt; tt = p->left;
       }
       m = p->data; tt = p->right; dispose(p); pp->left= tt;
   }
   return (t,m);
}

Note: When implementing in a garbage-collected language, the call to
dispose() is superfluous.
*)

(* Why3 has no pointer data structures, so we model the heap *)
module Memory

  use export map.Map
  use export ref.Ref

  type loc
  val constant null: loc
  val predicate eq_loc (x y:loc)
    ensures { result <-> x = y }

  type node = { left: loc; right: loc; data: int; }
  type memory = map loc node

  (* the global variable mem contains the current state of the memory *)
  val mem: ref memory

  (* accessor functions to ensure safety i.e. no null loc dereference *)
  let get_left (p: loc) : loc =
    requires { p <> null }
    ensures  { result = !mem[p].left }
    !mem[p].left
  let get_right (p: loc) : loc =
    requires { p <> null }
    ensures  { result = !mem[p].right }
    !mem[p].right
  let get_data (p: loc) : int =
    requires { p <> null }
    ensures  { result = !mem[p].data }
    !mem[p].data

  val set_left (p: loc) (v:loc) : unit
    requires { p <> null }
    writes { mem }
    ensures  { !mem[p] = { (old !mem)[p] with left = v } }
    ensures  { forall q. q <> p -> !mem[q] = (old !mem)[q] }
(* FIXME: This expression makes a ghost modification in the non-ghost variable mem

  = mem := set !mem p { !mem[p] with left = v }
*)

end

module Treedel

  use Memory
  use bintree.Tree
  use bintree.Inorder
  use list.List
  use list.Mem
  use list.Append
  use list.Distinct

  function root (t: tree loc) : loc =
    match t with
    | Empty -> null
    | Node _ p _ -> p
    end

  (* there is a binary tree t in memory m *)
  predicate istree (m: memory) (t: tree loc) =
    match t with
    | Empty -> true
    | Node l p r -> p <> null
      /\ istree m l /\ istree m r
      /\ root l = m[p].left /\ root r = m[p].right
    end

  let rec lemma extensionality (m m': memory) (t: tree loc) : unit
    requires { istree m t }
    requires { forall p. Mem.mem p (inorder t) ->
      m[p].left = m'[p].left /\ m[p].right = m'[p].right }
    ensures  { istree m' t }
    variant { t }
  = let rc = extensionality m m' in
    match t with Empty -> () | Node l _ r -> rc l; rc r end

  (* degenerated zipper for a left descent (= list of pairs) *)
  type zipper 'a =
    | Top
    | Left (zipper 'a) 'a (tree 'a)

  let rec function zip (t: tree 'a) (z: zipper 'a) : tree 'a
  = match z with
    | Top -> t
    | Left z x r -> zip (Node t x r) z
    end

  function inorderz (z: zipper 'a) : list 'a =
    match z with
    | Top -> Nil
    | Left z x r -> Cons x (inorder r) ++ inorderz z
    end

  lemma inorder_zip:
     forall z [@induction]: zipper 'a, t: tree 'a.
       inorder (zip t z) = inorder t ++ inorderz z

  let ghost tree_left (t: tree loc) : tree loc
    requires { t <> Empty }
    ensures  { match t with Empty -> false | Node l _ _ -> result = l end }
  = match t with Empty -> absurd | Node l _ _ -> l end

  let ghost tree_right (t: tree loc) : tree loc
    requires { t <> Empty }
    ensures  { match t with Empty -> false | Node _ _ r -> result = r end }
  = match t with Empty -> absurd | Node _ _ r -> r end

  lemma distinct_break_append :
    forall l1 [@induction] l2:list 'a.
    distinct (l1 ++ l2) ->
    distinct l1 /\ distinct l2 /\ forall x. Mem.mem x l1 -> not Mem.mem x l2

  let rec ghost in_zip_tree (m: memory) (t: tree loc) (z: zipper loc) : unit
    requires { istree m (zip t z) }
    ensures  { istree m t }
    variant  { z }
  = match z with Top -> () | Left z p r -> in_zip_tree m (Node t p r) z end

  let rec ghost subst_zip_tree (m m': memory)
                               (t1 t2: tree loc) (z: zipper loc) : unit
    requires { istree m (zip t1 z) /\ istree m' t2 }
    requires { root t1 = root t2 }
    requires { distinct (inorder (zip t1 z)) }
    requires { forall x. m[x] <> m'[x] -> Mem.mem x (inorder t1) }
    ensures  { istree m' (zip t2 z) /\ root (zip t1 z) = root (zip t2 z) }
    variant  { z }
  = match z with
    | Top -> ()
    | Left z p r ->
      let t3 = Node t1 p r in
      in_zip_tree m t3 z;
      assert { forall q. Mem.mem q (inorder r) \/ q = p ->
        m[q] = m'[q] by Mem.mem q (Cons p (inorder r)) /\ distinct (inorder t3)
      };
      extensionality m m' r;
      subst_zip_tree m m' t3 (Node t2 p r) z
    end

  let lemma main_lemma (m: memory) (pp p: loc)
                       (ppr pr: tree loc) (z: zipper loc) : unit
    requires { let it = zip (Node (Node Empty p pr) pp ppr) z in
      istree m it /\ distinct (inorder it) }
    ensures { let m' = m[pp <- { m[pp] with left = m[p].right }] in
      let t1 = Node (Node Empty p pr) pp ppr in
      let t2 = Node pr pp ppr in
      istree m' (zip t2 z) /\ root (zip t1 z) = root (zip t2 z)
    }
  = let m' = m[pp <- { m[pp] with left = m[p].right }] in
    let t1 = Node (Node Empty p pr) pp ppr in
    in_zip_tree m t1 z;
    assert { let l = inorder pr ++ Cons pp (inorder ppr) in
      distinct l by distinct (inorder t1) so inorder t1 = Cons p l };
    extensionality m m' pr;
    extensionality m m' ppr;
    subst_zip_tree m m' t1 (Node pr pp ppr) z

  (* specification is as follows: if t is a tree and its list of locs
     is x::l then, at the end of execution, its list is l and m = x.data *)
  let search_tree_delete_min
    (t: loc) (ghost it: tree loc) (ghost ot: ref (tree loc))
    : (loc, int)
    requires { t <> null }
    requires { istree !mem it /\ t = root it }
    requires { distinct (inorder it) }
    ensures  { forall p. !mem[p].data = old !mem[p].data }
    ensures  { let (t', m) = result in istree !mem !ot /\ root !ot = t' /\
               match inorder it with
               | Nil -> false
               | Cons p l -> m = !mem[p].data /\ inorder !ot = l end }
    =
    label I in
    let p = ref (get_left t) in
    if eq_loc !p null then begin
      let m = get_data t in
      let tt = get_right t in
      ghost match it with Empty -> absurd
        | Node l _ r -> assert { l = Empty }; ot := r end;
      (tt, m)
    end else begin
      let pp = ref t in
      let tt = ref (get_left !p) in
      let ghost zipper = ref Top in
      let ghost ppr = ref (tree_right it) in
      let ghost subtree = ref (tree_left it) in
      while not (eq_loc !tt null) do
        invariant { !pp <> null /\ !mem[!pp].left = !p }
        invariant { !p <> null /\ !mem[!p].left = !tt }
        invariant { let pt = Node !subtree !pp !ppr in
                    istree !mem pt /\ zip pt !zipper = it }
        invariant { forall p. !mem[p].data = (!mem[p].data at I) }
        variant { !subtree }
        assert { istree !mem !subtree /\ root !subtree = !p };
        ghost zipper := Left !zipper !pp !ppr;
        ghost ppr := tree_right !subtree;
        ghost subtree := tree_left !subtree;
        pp := !p;
        p := !tt;
        tt := get_left !p
      done;
      assert { istree !mem !subtree /\ root !subtree = !p };
      assert { !pp <> !p };
      let m = get_data !p in
      tt := get_right !p;
      set_left !pp !tt;
      let ghost pl = tree_left !subtree in assert { pl = Empty };
      let ghost z = Left !zipper !pp !ppr in
      ghost ot := zip (tree_right !subtree) z;
      (t, m)
    end

end
why3-1.6.0/examples/verifythis_fm2012_treedel/000077500000000000000000000000001440160026300211115ustar00rootroot00000000000000why3-1.6.0/examples/verifythis_fm2012_treedel/why3session.xml000066400000000000000000000354151440160026300241410ustar00rootroot00000000000000








 
 
 
 
 
 
 
 
 


 
 
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
 
 
 
 
  
  
  
 
 
 
 
 
 
 
 
 
 
  
  
  
 
 
 
 
  
  
  
  
  
  
  
  
  
 
 
 
 
  
  
  
  
  
   
   
   
   
   
   
   
   
   
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
 
 
 
 
  
  
  
  
  
   
   
   
   
   
   
   
   
   
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
 
 
 
 
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
  
  
 
 



why3-1.6.0/examples/verifythis_fm2012_treedel/why3shapes.gz000066400000000000000000000125741440160026300235620ustar00rootroot00000000000000]nH+MBHaF榠m"]8,U=]_?'dR6YEsνW5/HwW7Pיǚo.6rθܚ\oku9b~}}~R/fg|{gz\*u]צZ]{=٭Jg/_z?Cx_k4b-qbEfv8r_CXPMEL.t6^;Wc\m:W]οޥp{lctOmzӼ׏}7M~o|8~Ocxo십><ܜf,0_
Il)}QԲ]ny\=S2vMI7SS#e=e(m5Ǧ{t'{wuLM	T6N{l;\Mkϫk\s׭vZܶW[eihSxŸ@,QT\gowտ@;^88)]NoK}M{mF^Pdcvg/^땾H7!Galx&]F	g_)=jfܪ7`Ral3xUKӮfs0unϦ|nڎ_
nU5j즍rk;6_1wSdu'^~ZZ3[PRɰt+{t$ܶng|MMRċ'Iӣ_3͆]s䟜'.mOo^VLbWޡ~aJU4Q[45	燛5k10PͺCO.'ū.IN+8lWc9tv;ͬ2:)ye#p(ՠMuK@mnlE7h=neoHc;@YS"Z'=z^aTmvY:ox g1hZ5pMl2]Ԥ$-ze),_&Voʲ|6”3_	l69̖)x_qbo̾z:ʂ+kjϲIK7ti|l{/zc>ӭT	eEn8;ךwrƖ.پ#QCZ|)%
u=SA"NG,wuq8٧IdZ1	>moc	k;aNX	;aʳ}S-/[yj궫2UY:}⦷Srha$=۩y|jcM[@t[}OӬ@n5+7]M#ͯȤ+֜\^sw}/wɕz߬6nT{X!ݭWM+'?\;\d~Ƿ7o:_onLЛqaK_l5!VfSS}MJ)ǩ>uʶ?AV'jaM9D6&:s<︮uzB"`k6b|n,tC?1ZK^coIOOTls5{4<?_Ȓbzr5<
!>>jR>,$\,'ZӫWo
ؚ}X0Sp/R=pܿlq$%ZS;*UxHѕeáQ@Uf3n(S{$P5]qɪ)V{}ت,.nChDѮQhЮ*b+]ɫBZ/yb.O9Q3/朩0х@a Y/PfPXvm5gK'PeD)iQbXl^&3+F-\o}38_hFSghsG12S9Xm&]0b.fIqA%@ӚUH7y 3`OO5I%)zNRC
6eHEuyJ1 /['efdQ)K43{29!)3?${-Q=@ƐN&;򎆼!&
EOCNh(P*
q43
v,IƠ#mR^k0}<%t7oCGveqyBjhlXndy@@F2[Mu>lg&|K1S{.iW/@S(gOíeu?2a:	{c7ʼ
ZzvZ;^"-ÙMoX1V#ƊAHg32RGFv)qv7eaॊ*h`%'
6P&fL8mt/G1̈́g9T9A,`L6T"ʌ,8ll&s$KqsGRfr&Ǚ+
XX`@81(cհar|WǛFL$"Ҧȹ	&`>cpDHx#:kDaR5LݪDD5TP	]B^0bBk>b ',P5nURHn@Ky-Kd(U02h
`/VԼMi/Y\7$##EY\Id5YpPP5= length rear = lenr }
    by { front = Nil; lenf = 0; rear = Nil; lenr = 0 }

  function sequence (q: queue 'a) : list 'a =
    q.front ++ reverse q.rear

  let constant empty : queue 'a =
    { front = Nil; lenf = 0; rear = Nil; lenr = 0 }
    ensures { sequence result = Nil }

  let head (q: queue 'a) : 'a
    requires { sequence q <> Nil }
    ensures  { hd (sequence q) = Some result }
  = let Cons x _ = q.front in x

  let create (f: list 'a) (lf: int) (r: list 'a) (lr: int) : queue 'a
    requires { lf = length f /\ lr = length r }
    ensures  { sequence result = f ++ reverse r }
  = if lf >= lr then
      { front = f; lenf = lf; rear = r; lenr = lr }
    else
      let f = f ++ reverse r in
      { front = f; lenf = lf + lr; rear = Nil; lenr = 0 }

  let tail (q: queue 'a) : queue 'a
    requires { sequence q <> Nil }
    ensures  { tl (sequence q) = Some (sequence result) }
  = let Cons _ r = q.front in
    create r (q.lenf - 1) q.rear q.lenr

  let enqueue (x: 'a) (q: queue 'a) : queue 'a
    ensures { sequence result = sequence q ++ Cons x Nil }
  = create q.front q.lenf (Cons x q.rear) (q.lenr + 1)

end
why3-1.6.0/examples/vstte10_aqueue/000077500000000000000000000000001440160026300170755ustar00rootroot00000000000000why3-1.6.0/examples/vstte10_aqueue/why3session.xml000066400000000000000000000026121440160026300221160ustar00rootroot00000000000000







 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 



why3-1.6.0/examples/vstte10_aqueue/why3shapes.gz000066400000000000000000000012421440160026300215340ustar00rootroot00000000000000TM0WїB
!0{i}bM`7:.I^KP"h4ޛq>U#kˏɟLG:-rkpr=.֎.c0^S:\Y9)stN5:EX)w!|T!/HL]-t
ս
ov*- Kw=7&hчv':yD耴@vE;R{ǝliq]Nfl'
d^@wSaM;e[j:i33Jz
OfKE@KD=!ϱ}hSYA`iAG8V=̊XΤ9&CM&C77Q!H1;(cLqA/	ӜcE򖧩ajW.\<]$OfahKA̴xШGMː:02"Lw{J@ˠPZ
#y
[q(z˭1]o`kV[[Du`lDW܂Pk_k%7= }(J<5{
     b[a[j]] = j }
      b[a[i]] <- i
    done

  (* variant where array b is returned /\ with additional post *)

  let inverting2 (a: array int) (n: int) : array int
    requires { n = length a /\ injective a n /\ range a n }
    ensures  { length result = n /\ injective result n /\
               forall i. 0 <= i < n -> result[a[i]] = i }
  = let b = make n 0 in
    for i = 0 to n - 1 do
      invariant { forall j. 0 <= j < i -> b[a[j]] = j }
      b[a[i]] <- i
    done;
    b

end

module Test

  use array.Array
  use InvertingAnInjection

  let test () =
    let a = make 10 0 in
    a[0] <- 9;
    a[1] <- 3;
    a[2] <- 8;
    a[3] <- 2;
    a[4] <- 7;
    a[5] <- 4;
    a[6] <- 0;
    a[7] <- 1;
    a[8] <- 5;
    a[9] <- 6;
    assert {
      a[0] = 9 &&
      a[1] = 3 &&
      a[2] = 8 &&
      a[3] = 2 &&
      a[4] = 7 &&
      a[5] = 4 &&
      a[6] = 0 &&
      a[7] = 1 &&
      a[8] = 5 &&
      a[9] = 6
    };
    let b = inverting2 a 10 in
    assert {
      b[0] = 6 &&
      b[1] = 7 &&
      b[2] = 3 &&
      b[3] = 1 &&
      b[4] = 5 &&
      b[5] = 8 &&
      b[6] = 9 &&
      b[7] = 4 &&
      b[8] = 2 &&
      b[9] = 0
    }

end
why3-1.6.0/examples/vstte10_inverting/000077500000000000000000000000001440160026300176155ustar00rootroot00000000000000why3-1.6.0/examples/vstte10_inverting/vstte10_inverting_InvertingAnInjection_VC_inverting2_1.v000066400000000000000000000054151440160026300325320ustar00rootroot00000000000000(* This file is generated by Why3's Coq driver *)
(* Beware! Only edit allowed sections below    *)
Require Import BuiltIn.
Require BuiltIn.
Require HighOrd.
Require int.Int.
Require map.Map.
Require map.Occ.
Require map.MapInjection.

Axiom array : forall (a:Type), Type.
Parameter array_WhyType :
  forall (a:Type) {a_WT:WhyType a}, WhyType (array a).
Existing Instance array_WhyType.

Parameter elts:
  forall {a:Type} {a_WT:WhyType a}, array a -> Numbers.BinNums.Z -> a.

Parameter length:
  forall {a:Type} {a_WT:WhyType a}, array a -> Numbers.BinNums.Z.

Axiom array'invariant :
  forall {a:Type} {a_WT:WhyType a},
  forall (self:array a), (0%Z <= (length self))%Z.

(* Why3 assumption *)
Definition mixfix_lbrb {a:Type} {a_WT:WhyType a} (a1:array a)
    (i:Numbers.BinNums.Z) : a :=
  elts a1 i.

Parameter mixfix_lblsmnrb:
  forall {a:Type} {a_WT:WhyType a}, array a -> Numbers.BinNums.Z -> a ->
  array a.

Axiom mixfix_lblsmnrb'spec :
  forall {a:Type} {a_WT:WhyType a},
  forall (a1:array a) (i:Numbers.BinNums.Z) (v:a),
  ((length (mixfix_lblsmnrb a1 i v)) = (length a1)) /\
  ((elts (mixfix_lblsmnrb a1 i v)) = (map.Map.set (elts a1) i v)).

Parameter make:
  forall {a:Type} {a_WT:WhyType a}, Numbers.BinNums.Z -> a -> array a.

Axiom make'spec :
  forall {a:Type} {a_WT:WhyType a},
  forall (n:Numbers.BinNums.Z) (v:a), (0%Z <= n)%Z ->
  (forall (i:Numbers.BinNums.Z), (0%Z <= i)%Z /\ (i < n)%Z ->
   ((mixfix_lbrb (make n v) i) = v)) /\
  ((length (make n v)) = n).

(* Why3 assumption *)
Definition injective (a:array Numbers.BinNums.Z) (n:Numbers.BinNums.Z) : Prop :=
  map.MapInjection.injective (elts a) n.

(* Why3 assumption *)
Definition surjective (a:array Numbers.BinNums.Z) (n:Numbers.BinNums.Z) :
    Prop :=
  map.MapInjection.surjective (elts a) n.

(* Why3 assumption *)
Definition range (a:array Numbers.BinNums.Z) (n:Numbers.BinNums.Z) : Prop :=
  map.MapInjection.range (elts a) n.

(* Why3 goal *)
Theorem inverting2'vc :
  forall (a:array Numbers.BinNums.Z) (n:Numbers.BinNums.Z),
  (n = (length a)) /\ injective a n /\ range a n ->
  let b := make n 0%Z in
  (forall (i:Numbers.BinNums.Z), (0%Z <= i)%Z /\ (i < n)%Z ->
   ((mixfix_lbrb b i) = 0%Z)) /\
  ((length b) = n) ->
  let o := (n - 1%Z)%Z in
  (0%Z <= (o + 1%Z)%Z)%Z -> forall (b1:array Numbers.BinNums.Z),
  ((length b1) = (length b)) ->
  (forall (j:Numbers.BinNums.Z), (0%Z <= j)%Z /\ (j < (o + 1%Z)%Z)%Z ->
   ((mixfix_lbrb b1 (mixfix_lbrb a j)) = j)) ->
  injective b1 n.
Proof.
intros a n (h1,(h2,h3)) b (h4,h5) o h6 b1 h7 h8.
assert (MapInjection.surjective (elts a) n).
now apply MapInjection.injective_surjective.
intros i j H0 H1.
destruct (H i H0) as (i1, (Hi1, <-)).
destruct (H j H1) as (j1, (Hj1, <-)).
unfold o, mixfix_lbrb in h8.
rewrite h8 by omega.
rewrite h8 by omega.
intros H2.
contradict H2.
now rewrite H2.
Qed.
vstte10_inverting_WP_InvertingAnInjection_WP_parameter_inverting_1.v000066400000000000000000000052721440160026300350560ustar00rootroot00000000000000why3-1.6.0/examples/vstte10_inverting(* This file is generated by Why3's Coq driver *)
(* Beware! Only edit allowed sections below    *)
Require Import BuiltIn.
Require BuiltIn.
Require HighOrd.
Require int.Int.
Require map.Map.
Require map.Occ.
Require map.MapInjection.

Axiom array : forall (a:Type), Type.
Parameter array_WhyType :
  forall (a:Type) {a_WT:WhyType a}, WhyType (array a).
Existing Instance array_WhyType.

Parameter elts:
  forall {a:Type} {a_WT:WhyType a}, array a -> Numbers.BinNums.Z -> a.

Parameter length:
  forall {a:Type} {a_WT:WhyType a}, array a -> Numbers.BinNums.Z.

Axiom array'invariant :
  forall {a:Type} {a_WT:WhyType a},
  forall (self:array a), (0%Z <= (length self))%Z.

(* Why3 assumption *)
Definition mixfix_lbrb {a:Type} {a_WT:WhyType a} (a1:array a)
    (i:Numbers.BinNums.Z) : a :=
  elts a1 i.

Parameter mixfix_lblsmnrb:
  forall {a:Type} {a_WT:WhyType a}, array a -> Numbers.BinNums.Z -> a ->
  array a.

Axiom mixfix_lblsmnrb'spec :
  forall {a:Type} {a_WT:WhyType a},
  forall (a1:array a) (i:Numbers.BinNums.Z) (v:a),
  ((length (mixfix_lblsmnrb a1 i v)) = (length a1)) /\
  ((elts (mixfix_lblsmnrb a1 i v)) = (map.Map.set (elts a1) i v)).

Parameter make:
  forall {a:Type} {a_WT:WhyType a}, Numbers.BinNums.Z -> a -> array a.

Axiom make'spec :
  forall {a:Type} {a_WT:WhyType a},
  forall (n:Numbers.BinNums.Z) (v:a), (0%Z <= n)%Z ->
  (forall (i:Numbers.BinNums.Z), (0%Z <= i)%Z /\ (i < n)%Z ->
   ((mixfix_lbrb (make n v) i) = v)) /\
  ((length (make n v)) = n).

(* Why3 assumption *)
Definition injective (a:array Numbers.BinNums.Z) (n:Numbers.BinNums.Z) : Prop :=
  map.MapInjection.injective (elts a) n.

(* Why3 assumption *)
Definition surjective (a:array Numbers.BinNums.Z) (n:Numbers.BinNums.Z) :
    Prop :=
  map.MapInjection.surjective (elts a) n.

(* Why3 assumption *)
Definition range (a:array Numbers.BinNums.Z) (n:Numbers.BinNums.Z) : Prop :=
  map.MapInjection.range (elts a) n.

(* Why3 goal *)
Theorem inverting'vc :
  forall (a:array Numbers.BinNums.Z) (b:array Numbers.BinNums.Z)
    (n:Numbers.BinNums.Z),
  ((n = (length a)) /\ ((length a) = (length b))) /\
  injective a n /\ range a n ->
  let o := (n - 1%Z)%Z in
  (0%Z <= (o + 1%Z)%Z)%Z -> forall (b1:array Numbers.BinNums.Z),
  ((length b1) = (length b)) ->
  (forall (j:Numbers.BinNums.Z), (0%Z <= j)%Z /\ (j < (o + 1%Z)%Z)%Z ->
   ((mixfix_lbrb b1 (mixfix_lbrb a j)) = j)) ->
  injective b1 n.
Proof.
intros a b n ((h1,h2),(h3,h4)) o h5 b1 h6 h7.
assert (MapInjection.surjective (elts a) n).
now apply MapInjection.injective_surjective.
intros i j h8 h9.
destruct (H i h8) as (i1,(Hi1,<-)).
destruct (H j h9) as (j1,(Hj1,<-)).
unfold o, mixfix_lbrb in h7.
rewrite h7 by omega.
rewrite h7 by omega.
intro h10.
contradict h10.
now rewrite h10.
Qed.
why3-1.6.0/examples/vstte10_inverting/why3session.xml000066400000000000000000000150271440160026300226420ustar00rootroot00000000000000










 
 
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
 
 
 
 
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
   
   
   
   
   
   
   
   
   
   
   
   
  
  
  
  
  
 
 


 
 
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
 
 



why3-1.6.0/examples/vstte10_inverting/why3shapes.gz000066400000000000000000000042641440160026300222630ustar00rootroot00000000000000Zn9}ǝY,*s Io}a˱#$!SN]~Iy^?Թ;7(G~e`.Ѝ:py?cvR8?޹OiȖݧnvnѾj2o4YQhzT3}_2-׽cnӿ	x?b^,8*l-Mg]p|W'w.}:˝c:Md(_T~S.^H!;QtUl*PSxKPp~xżp!GCMM{8į`=SDi4Ot2lwI>zSNW
O:իN
XS,HbWEp?vX[Η+5C*pQ̀2
-X5lJw7
:3Yegל;aW#FT_Y媲aM~:L&JВ%F]̀VoVA,%X`it'(|Z_&VƊSDCwfңY`G=,,-Ɉ+J-ijGB'D%PSzkOT/XӢ-M|2aTpYY7k:Ve`[3f/:B$7[Bj
{@`O#lhfݟ6wKcֵw#خ́fo"+hĄ`o`駩
|E ~%j¯~5_??7u̊@o!f.AK׬7blgEA`q<``]i /]+rR
}7 ^yW{^K@/0g?ؤ?Z{`I:IA4lL.wzxq!+|XHeࡾ|X<1czuAb	O)6rpcS@z'lHm]T/MsKS"t0A6l(m]),&?e;2nmm,'J6a*,YKe8+g2.Ù29(YH~a	7mT_q[?fyɱ}Q㱼.xNYKFyDx[@|H.(` 30@RXjVr	$eȗHC/CX˙K@(7Eoq6i-oQע^Q/7%~f`(-W<W|2\pWÕWex/8rK2VFCNH b6,Xgӎ+E[M)
5XZ ^yˑ)x)vLdptRj5#IYik+9.ϴ%^=j=ԔШtP[7K{(,%UKd&.zg
$
XF!t2`Pvhf˄cQpi	M-@y-&UI.A,EIf a[i] >= 0 }
    ensures  { sum <= n * max }
  = let ref sum = 0 in
    let ref max = 0 in
    for i = 0 to n - 1 do
      invariant { sum <= i * max }
      if max < a[i] then max <- a[i];
      sum <- sum + a[i]
    done;
    sum, max

end

module MaxAndSum2

  use int.Int
  use ref.Ref
  use array.Array
  use array.ArraySum

  predicate is_max (a: array int) (l h: int) (m: int) =
    (forall k. l <= k < h -> a[k] <= m) &&
    ((h <= l && m = 0) ||
     (l <  h && exists k. l <= k < h && m = a[k]))

  let max_sum (a: array int) (n: int) : (s: int, m: int)
    requires { n = length a /\ forall i. 0 <= i < n -> a[i] >= 0 }
    ensures  { s = sum a 0 n /\ is_max a 0 n m /\ s <= n * m }
  = let ref s = 0 in
    let ref m = 0 in
    for i = 0 to n - 1 do
      invariant { s = sum a 0 i }
      invariant { is_max a 0 i m }
      invariant { s <= i * m }
      if m < a[i] then m <- a[i];
      s <- s + a[i]
    done;
    s, m

end

module TestCase

  use int.Int
  use MaxAndSum2
  use array.Array
  use array.ArraySum

  exception BenchFailure

  let test () =
    let n = 10 in
    let a = make n 0 in
    a[0] <- 9;
    a[1] <- 5;
    a[2] <- 0;
    a[3] <- 2;
    a[4] <- 7;
    a[5] <- 3;
    a[6] <- 2;
    a[7] <- 1;
    a[8] <- 10;
    a[9] <- 6;
    let s, m = max_sum a n in
    assert { s = 45 };
    assert { m = 10 };
    s, m

  let test_case () raises { BenchFailure -> true } =
    let s, m = test () in
    (* bench of --exec *)
    if s <> 45  then raise BenchFailure;
    if m <> 10  then raise BenchFailure;
    s,m

end
why3-1.6.0/examples/vstte10_max_sum/000077500000000000000000000000001440160026300172615ustar00rootroot00000000000000why3-1.6.0/examples/vstte10_max_sum/Makefile000066400000000000000000000021201440160026300207140ustar00rootroot00000000000000
BENCH ?= no

ifeq ($(BENCH),yes)
  WHY3=../../bin/why3.opt
  WHY3SHARE=../../share
else
  ifeq ($(BINDIR),)
    WHY3=why3
  else
    WHY3=$(BINDIR)/why3
  endif
  WHY3SHARE=$(shell $(WHY3) --print-datadir)
endif

include $(WHY3SHARE)/Makefile.config

ifeq ($(BENCH),yes)
  INCLUDE += -I ../../lib/why3
endif

MAIN=main
OBJ=vstte10_max_sum

ML  = $(addsuffix .ml, $(OBJ))
CMO = $(addsuffix .cmo, $(OBJ))
CMX = $(addsuffix .cmx, $(OBJ))

OCAMLOPT=ocamlopt -noassert -inline 1000

all: $(MAIN).$(OCAMLBEST)

extract: $(ML)

doc:
	$(WHY3) doc ../vstte10_max_sum.mlw
	$(WHY3) session html .

$(MAIN).byte: $(CMO)  $(MAIN).cmo
	ocamlc $(INCLUDE) $(BIGINTLIB).cma -o $@ $^

$(MAIN).opt: $(CMX)  $(MAIN).cmx
	$(OCAMLOPT) $(INCLUDE) $(BIGINTLIB).cmxa -o $@ $^

$(MAIN).cmx: $(CMX)

$(ML): ../vstte10_max_sum.mlw
	$(WHY3) extract -D ocaml64 -o $@ $^

%.cmx: %.ml
	$(OCAMLOPT) $(INCLUDE) -annot -c $<

%.cmo: %.ml
	ocamlc $(INCLUDE) -annot -c $<

%.cmi: %.mli
	ocamlc $(INCLUDE) -annot -c $<

clean::
	rm -f $(ML) *.cm[xio] *.o *.annot $(MAIN).opt $(MAIN).byte
	rm -f why3__*.ml* vstte10_max_sum__*.ml* int__*.ml*
why3-1.6.0/examples/vstte10_max_sum/main.ml000066400000000000000000000002001440160026300205270ustar00rootroot00000000000000
open Format

let () =
  let (s,m) = Vstte10_max_sum.test () in
  printf "sum=%s, max=%s@."
    (Z.to_string s) (Z.to_string m)
why3-1.6.0/examples/vstte10_max_sum/why3session.xml000066400000000000000000000150551440160026300223070ustar00rootroot00000000000000









 
 
 


 
 
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
   
   
    
    
    
    
    
    
   
   
   
   
   
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
 
 


 
 
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
 
 
 
 
 



why3-1.6.0/examples/vstte10_max_sum/why3shapes.gz000066400000000000000000000041761440160026300217310ustar00rootroot00000000000000Zn[}?_	d<
jˆ~}ynt$ƠL=D>gss}#Eo6_}>m>޼|Ȯ/o2,'u-Ttnց`#mUy
_xno+(a
&m*P
+*a9``7r+7M:{'u}W/,euڛeja'bW)Rcts^_?#bR!&B,?6aspx;w8z?T$㄃yE?FD~s8~|q5ӭxz>Կ0V.ӡrTOHfpL7MxLH_[ZO[ϖtOD=ִ6z''x̩z0s&MMk[g/Ҧw^hᖿ{lr$ؼ0[ٜ(P'hk1E=f6FbWN8-Qk}yhp#h'ƀw:|=W_%C/ywM7z31xw~5810L^38'._Sy\dO.!wjK\rvą5\.xDM^M«K\
PT(+=o퇌Jrr˥\^,ϋd?rj{YNm۳~ٞ[>3^nx=}l}mdOT=(6jl(W$8
l^&/Oh\0vC;6p'l6X\pR^'#%	%BKe(RNr9ImNNPSIJJ@™VB,,I%2Q(NK9|$-%T,ĆԎĎhGl禩`ZJ@Yrr#Ce6O/&]akE9\K).JB`i\h%봳.hzFhu*Enrx\4CIb.Uh\Dfi9ɃZ!%S1c]v
y-,8zBj2VN`YUXp-'@uJ kJ$Hd{+why3-1.6.0/examples/vstte10_queens.mlw000066400000000000000000000144121440160026300176330ustar00rootroot00000000000000(*
   VSTTE'10 competition http://www.macs.hw.ac.uk/vstte10/Competition.html
   Problem 4: N-queens

   Author: Jean-Christophe Filliatre (CNRS)
   Tool:   Why3 (see http://why3.lri.fr/)
*)

module NQueens

  use int.Int
  use array.Array

  predicate eq_board (b1 b2: array int) (pos: int) =
    forall q. 0 <= q < pos -> b1[q] = b2[q]

  lemma eq_board_set:
    forall b: array int, pos q i: int.
    pos <= q -> eq_board b b[q <- i] pos

  lemma eq_board_sym:
    forall b1 b2: array int, pos: int.
    eq_board b1 b2 pos -> eq_board b2 b1 pos

  lemma eq_board_trans:
    forall b1 b2 b3: array int, pos: int.
    eq_board b1 b2 pos -> eq_board b2 b3 pos -> eq_board b1 b3 pos

  lemma eq_board_extension:
    forall b1 b2: array int, pos: int.
    eq_board b1 b2 pos -> b1[pos] = b2[pos] -> eq_board b1 b2 (pos+1)

  predicate consistent_row (board: array int) (pos: int) (q: int) =
    board[q] <> board[pos] /\
    board[q] - board[pos] <> pos - q /\
    board[pos] - board[q] <> pos - q

  lemma consistent_row_eq:
    forall b1 b2: array int, pos: int.
    eq_board b1 b2 (pos+1) -> forall q: int. 0 <= q < pos ->
      consistent_row b1 pos q -> consistent_row b2 pos q

  predicate is_consistent (board: array int) (pos: int) =
    forall q. 0 <= q < pos -> consistent_row board pos q

  exception Inconsistent int

  let check_is_consistent (board: array int) (pos: int) : bool
    requires { 0 <= pos < length board }
    ensures { result <-> is_consistent board pos }
  = try
      for q = 0 to pos - 1 do
        invariant { forall j. 0 <= j < q -> consistent_row board pos j }
        let bq   = board[q]   in
        let bpos = board[pos] in
        if bq        = bpos    then raise (Inconsistent q);
        if bq - bpos = pos - q then raise (Inconsistent q);
        if bpos - bq = pos - q then raise (Inconsistent q)
      done;
      True
    with Inconsistent q ->
      assert { not (consistent_row board pos q) };
      False
    end

  predicate is_board (board: array int) (pos: int) =
    forall q. 0 <= q < pos -> 0 <= board[q] < length board

  predicate solution (board: array int) (pos: int) =
    is_board board pos /\
    forall q. 0 <= q < pos -> is_consistent board q

  lemma solution_eq_board:
    forall b1 b2: array int, pos: int. length b1 = length b2 ->
    eq_board b1 b2 pos -> solution b1 pos -> solution b2 pos

  exception Solution

  let rec bt_queens (board: array int) (n: int) (pos: int) : unit
    variant  { n - pos }
    requires { length board = n /\ 0 <= pos <= n /\ solution board pos }
    ensures  { eq_board board (old board) pos }
    ensures  { forall b:array int. length b = n -> is_board b n ->
                 eq_board board b pos -> not (solution b n) }
    raises   { Solution -> solution board n }
  = if pos = n then raise Solution;
    for i = 0 to n - 1 do
      invariant { eq_board board (old board) pos }
      invariant { forall b:array int. length b = n -> is_board b n ->
            eq_board board b pos -> 0 <= b[pos] < i -> not (solution b n) }
      board[pos] <- i;
      if check_is_consistent board pos then bt_queens board n (pos + 1)
    done

  let queens (board: array int) (n: int) : unit
    requires { length board = n }
    ensures  { forall b:array int. length b = n -> is_board b n ->
               not (solution b n) }
    raises   { Solution -> solution board n }
  = bt_queens board n 0


  exception BenchFailure

  let test8 () raises { BenchFailure -> true } =
    let a = Array.make 8 0 in
    try
      queens a 8;
      raise BenchFailure
    with Solution -> a
    end

  (** variant: counting solutions (not part of the competition)

      TODO: prove soundness i.e. we indeed count the number of solutions *)

  use ref.Refint

  let rec count_bt_queens (board: array int) (n: int) (pos: int) : (_r: int)
    variant  { n - pos }
    requires { length board = n /\ 0 <= pos <= n /\ solution board pos }
    ensures  { eq_board board (old board) pos }
  = if pos = n then
      1
    else begin
      let s = ref 0 in
      for i = 0 to n - 1 do
        invariant { eq_board board (old board) pos }
        board[pos] <- i;
        if check_is_consistent board pos then
          s += count_bt_queens board n (pos+1)
      done;
      !s
    end

  let count_queens (board: array int) (n: int) : (_r: int)
    requires { length board = n }
    ensures  { true }
  = count_bt_queens board n 0

  let test_count_8 () =
    let a = Array.make 8 0 in
    count_queens a 8

end

(** counting solutions with 63-bit machine integers *)

module NQueens63

  use int.Int
  use ref.Refint
  use seq.Seq
  use mach.array.Array63
  use mach.int.Int63

  predicate is_board (board: array int63) (pos: int) =
    forall q. 0 <= q < pos -> 0 <= board[q] < (length board)

  exception MInconsistent

  let check_is_consistent (board: array int63) (pos: int63) : bool
    requires { 0 <= pos < (length board) }
    requires { is_board board (pos + 1) }
  = try
      let q = ref 0 in
      while !q < pos do
        invariant { 0 <= !q <= pos }
        invariant { is_board board (pos + 1) }
        variant   { pos - !q }
        let bq   = board[!q]   in
        let bpos = board[pos] in
        if bq        = bpos     then raise MInconsistent;
        if bq - bpos = pos - !q then raise MInconsistent;
        if bpos - bq = pos - !q then raise MInconsistent;
        q := !q + 1
      done;
      True
    with MInconsistent ->
      False
    end

  use mach.peano.Peano as P

  let rec count_bt_queens
    (solutions: ref P.t) (board: array int63) (n: int63) (pos: int63) : unit
    requires { (length board) = n }
    requires { 0 <= pos <= n }
    requires { is_board board (pos) }
    variant  { n - pos }
    ensures  { is_board board (pos) }
  =
    if pos = n then
      solutions := P.succ !solutions
    else
      let i = ref 0 in
      while !i < n do
        invariant { 0 <= !i <= n }
        invariant { is_board board (pos) }
        variant   { n - !i }
        board[pos] <- !i;
        if check_is_consistent board pos then
          count_bt_queens solutions board n (pos + 1);
        i := !i + 1
      done

  let count_queens (n: int63) : (_p: P.t)
    requires { n >= 0 }
    ensures  { true }
  =
    let solutions = ref P.zero in
    let board = Array63.make n 0 in
    count_bt_queens solutions board n 0;
    !solutions

  let test_count_8 () =
    let n = 8 in
    count_queens n

end

why3-1.6.0/examples/vstte10_queens/000077500000000000000000000000001440160026300171105ustar00rootroot00000000000000why3-1.6.0/examples/vstte10_queens/why3session.xml000066400000000000000000000131621440160026300221330ustar00rootroot00000000000000








 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 


 
 
 
 
 
 
 
 
 
 
 
 



why3-1.6.0/examples/vstte10_queens/why3shapes.gz000066400000000000000000000054541440160026300215600ustar00rootroot00000000000000Z[~ׯ[x
ۀP@!Ož\n#9%9M;Ht9@k;Ù!___~e[8_ǿlN66a
o޾yІmW?b&)h~L@5$!JrJ
xkJPן/5<^Χ5T4T6T`|
	^oQJD80OPt|?Ο޾%t`I|00H0nmITnovk_;ٷ

c/\`lnX&ybďdQCs,U#g{M䆱??Hs'!&Y1q'ѠSՔ1W8q춾IƏ`t5P#=L>fUuw:POW	3,^>(v62]Ya`3NjiOGdph2&Ŗ}p\1^E3V2aHbqa}|͞Wl"pyc:!0vEg&}9'c
'4c>CCSd7c:HұóX/do
#%|c{)t/E:0#ֆKk=>̱s,)[fUY`Uk‡s:ƛd
%Xt_B<,}!u(4*bFQQTi1cm?D2[|wO³Ix>IL
r_jrgwִ bep0
Uuhҙe䜞aڏ<~L{+~ԛ=TtQ_7Z()YtЌN؂Fyퟡ^SW|.fT4Kz
pSc^#=30d}I-+)OZ&%u.N:Iīex ^%Gn"~"TC1F,bt\X&,.
 TX@E4YgX8/Ý`>ou"DT.C*aS,\@*;RjL!bϭOdgP°`mdۀa8=9nLia\L"ࣽ!CFS+(s(jT볬b| X]Q+*&ok#A@N92@r=$Iכk3ٽu1%%7{-Nמ^\We=xr3V"DţM6'[V0
Eۃ=_Iӂ
<~oa
<&/(75|M^@/{k+_,_S_җw|Xj1,,2v4=um2s)KUx(cCMWEFd ׇ:EoIu*7=$ dj,{|J1_\CS2G0VԽB~\Z	V>Cݬa^xDNǡ!nJl7eiFDZDoJY+v\B? 
y|3_V~܀,$
h}_KCOaER~ 7eG!zk\'cYEQa17&r2b*~WR6Nej	ȈfapX?R#}%{f'
-Meh	if9y2nN?_J
ITWƭ0o	{,ܡ#4G [lG谁H'Pi;B!T%[g@ُ<(j2%U*
%;ShHN Zb;Aהh0 Ĵ&^JƃJBeQ#oЪDXdHVS1à ;PfflJHt1ThS*`0-cbF1.8\>fM$A3Ӣ)2m0̶"JĴNRSѭ%RR*OYqB9%;ˍ~BJ'[@I<D 6I%i|BP{V|.fͱ˼XXT8NXUĎ)RCV
u`5t~Վs	Q	+ lZ-]s%ǰT!㬷:8uw,Mvr
~HupZ
ż;<#omb	850bk
E+Ip{Ȑa}NcƄ3EQ/xܖp	j"e7a-'"[UlȌ.j{2why3-1.6.0/examples/vstte10_search_list.mlw000066400000000000000000000034411440160026300206330ustar00rootroot00000000000000(*
   VSTTE'10 competition http://www.macs.hw.ac.uk/vstte10/Competition.html
   Problem 3: searching a linked list

   Author: Jean-Christophe Filliatre (CNRS)
   Tool:   Why3 (see http://why3.lri.fr/)
*)

module SearchingALinkedList

  use int.Int
  use option.Option
  use list.List
  use list.Length
  use list.Nth

  predicate zero_at (l: list int) (i: int) =
    nth i l = Some 0 /\ forall j. 0 <= j < i -> nth j l <> Some 0

  predicate no_zero (l: list int) =
    forall j. 0 <= j < length l -> nth j l <> Some 0

  let rec search (i: int) (l: list int) : int
    variant { l }
    ensures { (i <= result < i + length l /\ zero_at l (result - i)) \/
              (result = i + length l /\ no_zero l) }
  = match l with
    | Nil      -> i
    | Cons x r -> if x = 0 then i else search (i+1) r
    end

  let search_list (l: list int) : int
    ensures { (0 <= result < length l /\ zero_at l result) \/
              (result = length l /\ no_zero l) }
  = search 0 l


  (* imperative version, with a loop *)

  use ref.Ref
  use list.HdTl

  let head (l: list 'a) : 'a
    requires { l <> Nil } ensures { hd l = Some result }
  = match l with Nil -> absurd | Cons h _ -> h end

  let tail (l: list 'a) : list 'a
    requires { l <> Nil } ensures { tl l = Some result }
  = match l with Nil -> absurd | Cons _ t -> t end

  let search_loop (l: list int) : int
    ensures { (0 <= result < length l /\ zero_at l result) \/
              (result = length l /\ no_zero l) }
  = let i = ref 0 in
    let s = ref l in
    while not (is_nil !s) && head !s <> 0 do
      invariant {
        0 <= !i /\ !i + length !s = length l /\
        (forall j. 0 <= j -> nth j !s = nth (!i + j) l) /\
         forall j. 0 <= j < !i -> nth j l <> Some 0 }
      variant { !s }
      i := !i + 1;
      s := tail !s
    done;
    !i

end
why3-1.6.0/examples/vstte10_search_list/000077500000000000000000000000001440160026300201105ustar00rootroot00000000000000vstte10_search_list_WP_SearchingALinkedList_WP_parameter_search_loop_1.v000066400000000000000000000054741440160026300360410ustar00rootroot00000000000000why3-1.6.0/examples/vstte10_search_list(* This file is generated by Why3's Coq driver *)
(* Beware! Only edit allowed sections below    *)
Require Import BuiltIn.
Require BuiltIn.
Require int.Int.
Require list.List.
Require list.Length.
Require list.Nth.
Require option.Option.
Require list.HdTl.

(* Why3 assumption *)
Definition zero_at (l:Init.Datatypes.list Numbers.BinNums.Z)
    (i:Numbers.BinNums.Z) : Prop :=
  ((list.Nth.nth i l) = (Init.Datatypes.Some 0%Z)) /\
  (forall (j:Numbers.BinNums.Z), (0%Z <= j)%Z /\ (j < i)%Z ->
   ~ ((list.Nth.nth j l) = (Init.Datatypes.Some 0%Z))).

(* Why3 assumption *)
Definition no_zero (l:Init.Datatypes.list Numbers.BinNums.Z) : Prop :=
  forall (j:Numbers.BinNums.Z),
  (0%Z <= j)%Z /\ (j < (list.Length.length l))%Z ->
  ~ ((list.Nth.nth j l) = (Init.Datatypes.Some 0%Z)).

(* Why3 assumption *)
Inductive ref (a:Type) :=
  | ref'mk : a -> ref a.
Axiom ref_WhyType : forall (a:Type) {a_WT:WhyType a}, WhyType (ref a).
Existing Instance ref_WhyType.
Arguments ref'mk {a}.

(* Why3 assumption *)
Definition contents {a:Type} {a_WT:WhyType a} (v:ref a) : a :=
  match v with
  | ref'mk x => x
  end.

Parameter if_term: Numbers.BinNums.Z -> Init.Datatypes.bool.

Axiom if_term'def :
  forall (o:Numbers.BinNums.Z),
  ((o = 0%Z) -> ((if_term o) = Init.Datatypes.true)) /\
  (~ (o = 0%Z) -> ((if_term o) = Init.Datatypes.false)).

Require Import Lia.

(* Why3 goal *)
Theorem search_loop'vc :
  forall (l:Init.Datatypes.list Numbers.BinNums.Z),
  forall (s:Init.Datatypes.list Numbers.BinNums.Z) (i:Numbers.BinNums.Z),
  (0%Z <= i)%Z /\
  ((i + (list.Length.length s))%Z = (list.Length.length l)) /\
  (forall (j:Numbers.BinNums.Z), (0%Z <= j)%Z ->
   ((list.Nth.nth j s) = (list.Nth.nth (i + j)%Z l))) /\
  (forall (j:Numbers.BinNums.Z), (0%Z <= j)%Z /\ (j < i)%Z ->
   ~ ((list.Nth.nth j l) = (Init.Datatypes.Some 0%Z))) ->
  list.List.is_nil s <-> (s = Init.Datatypes.nil) ->
  forall (o:Init.Datatypes.bool),
  ~ list.List.is_nil s /\
  (exists o1:Numbers.BinNums.Z,
   ((list.HdTl.hd s) = (Init.Datatypes.Some o1)) /\
   ((o1 = 0%Z) /\ (o = Init.Datatypes.false) \/
    ~ (o1 = 0%Z) /\ (o = Init.Datatypes.true))) \/
  list.List.is_nil s /\ (o = Init.Datatypes.false) ->
  ~ (o = Init.Datatypes.true) ->
  ((0%Z <= i)%Z /\ (i < (list.Length.length l))%Z) /\ zero_at l i \/
  (i = (list.Length.length l)) /\ no_zero l.
(* Why3 intros l s i (h1,(h2,(h3,h4))) h5 o h6 h7. *)
Proof.
intros l s i (h1,(h2,(h3,h4))) _ o h6 h7.
destruct s.
destruct h6.
now elim (proj1 H).
rewrite Zplus_0_r in h2.
right.
apply (conj h2).
intros j h6.
apply h4.
now rewrite h2.
left.
split.
apply (conj h1).
rewrite <- h2.
change (Length.length (cons z s))%Z with (1 + Length.length s)%Z.
generalize (Length.Length_nonnegative s).
lia.
simpl in h6.
split.
intuition.
generalize (h3 0%Z (Z.le_refl 0)).
ring_simplify (i+0)%Z.
intros <-.
simpl.
now destruct H1 ; intuition ; subst.
easy.
Qed.
vstte10_search_list_WP_SearchingALinkedList_WP_parameter_search_loop_3.v000066400000000000000000000052301440160026300360310ustar00rootroot00000000000000why3-1.6.0/examples/vstte10_search_list(* This file is generated by Why3's Coq driver *)
(* Beware! Only edit allowed sections below    *)
Require Import BuiltIn.
Require BuiltIn.
Require int.Int.
Require list.List.
Require list.Length.
Require list.Nth.
Require option.Option.
Require list.HdTl.

(* Why3 assumption *)
Definition zero_at (l:Init.Datatypes.list Numbers.BinNums.Z)
    (i:Numbers.BinNums.Z) : Prop :=
  ((list.Nth.nth i l) = (Init.Datatypes.Some 0%Z)) /\
  (forall (j:Numbers.BinNums.Z), (0%Z <= j)%Z /\ (j < i)%Z ->
   ~ ((list.Nth.nth j l) = (Init.Datatypes.Some 0%Z))).

(* Why3 assumption *)
Definition no_zero (l:Init.Datatypes.list Numbers.BinNums.Z) : Prop :=
  forall (j:Numbers.BinNums.Z),
  (0%Z <= j)%Z /\ (j < (list.Length.length l))%Z ->
  ~ ((list.Nth.nth j l) = (Init.Datatypes.Some 0%Z)).

(* Why3 assumption *)
Inductive ref (a:Type) :=
  | ref'mk : a -> ref a.
Axiom ref_WhyType : forall (a:Type) {a_WT:WhyType a}, WhyType (ref a).
Existing Instance ref_WhyType.
Arguments ref'mk {a}.

(* Why3 assumption *)
Definition contents {a:Type} {a_WT:WhyType a} (v:ref a) : a :=
  match v with
  | ref'mk x => x
  end.

(* Why3 goal *)
Theorem search_loop'vc :
  forall (l:Init.Datatypes.list Numbers.BinNums.Z),
  forall (s:Init.Datatypes.list Numbers.BinNums.Z) (i:Numbers.BinNums.Z),
  (0%Z <= i)%Z /\
  ((i + (list.Length.length s))%Z = (list.Length.length l)) /\
  (forall (j:Numbers.BinNums.Z), (0%Z <= j)%Z ->
   ((list.Nth.nth j s) = (list.Nth.nth (i + j)%Z l))) /\
  (forall (j:Numbers.BinNums.Z), (0%Z <= j)%Z /\ (j < i)%Z ->
   ~ ((list.Nth.nth j l) = (Init.Datatypes.Some 0%Z))) ->
  list.List.is_nil s <-> (s = Init.Datatypes.nil) ->
  forall (o:Init.Datatypes.bool),
  ~ list.List.is_nil s /\
  (exists o1:Numbers.BinNums.Z,
   ((list.HdTl.hd s) = (Init.Datatypes.Some o1)) /\
   ((o1 = 0%Z) /\ (o = Init.Datatypes.false) \/
    ~ (o1 = 0%Z) /\ (o = Init.Datatypes.true))) \/
  list.List.is_nil s /\ (o = Init.Datatypes.false) ->
  (o = Init.Datatypes.true) -> forall (i1:Numbers.BinNums.Z),
  (i1 = (i + 1%Z)%Z) -> forall (o1:Init.Datatypes.list Numbers.BinNums.Z),
  ((list.HdTl.tl s) = (Init.Datatypes.Some o1)) ->
  forall (s1:Init.Datatypes.list Numbers.BinNums.Z), (s1 = o1) ->
  forall (j:Numbers.BinNums.Z), (0%Z <= j)%Z ->
  ((list.Nth.nth j s1) = (list.Nth.nth (i1 + j)%Z l)).
(* Why3 intros l s i (h1,(h2,(h3,h4))) h5 o h6 h7 i1 h8 o1 h9 s1 h10 j h11. *)
Proof.
intros l s i (h1,(h2,(h3,h4))) h5 o h6 h7 i1 h8 o1 h9 s1 h10 j h11.
subst.
destruct s.
easy.
injection h9. clear h9.
intros.
subst.
assert (hj: (0 <= j+1)%Z) by omega.
replace (i + 1 + j)%Z with (i + (j + 1))%Z by ring.
rewrite <- (h3 _ hj).
destruct (Nth.nth'def (j+1)%Z (cons z o1)) as [_ ->].
now ring_simplify (j+1-1)%Z.
omega.
Qed.

vstte10_search_list_WP_SearchingALinkedList_WP_parameter_search_loop_4.v000066400000000000000000000057741440160026300360470ustar00rootroot00000000000000why3-1.6.0/examples/vstte10_search_list(* This file is generated by Why3's Coq driver *)
(* Beware! Only edit allowed sections below    *)
Require Import BuiltIn.
Require BuiltIn.
Require int.Int.
Require list.List.
Require list.Length.
Require list.Nth.
Require option.Option.
Require list.HdTl.

(* Why3 assumption *)
Definition zero_at (l:Init.Datatypes.list Numbers.BinNums.Z)
    (i:Numbers.BinNums.Z) : Prop :=
  ((list.Nth.nth i l) = (Init.Datatypes.Some 0%Z)) /\
  (forall (j:Numbers.BinNums.Z), (0%Z <= j)%Z /\ (j < i)%Z ->
   ~ ((list.Nth.nth j l) = (Init.Datatypes.Some 0%Z))).

(* Why3 assumption *)
Definition no_zero (l:Init.Datatypes.list Numbers.BinNums.Z) : Prop :=
  forall (j:Numbers.BinNums.Z),
  (0%Z <= j)%Z /\ (j < (list.Length.length l))%Z ->
  ~ ((list.Nth.nth j l) = (Init.Datatypes.Some 0%Z)).

(* Why3 assumption *)
Inductive ref (a:Type) :=
  | ref'mk : a -> ref a.
Axiom ref_WhyType : forall (a:Type) {a_WT:WhyType a}, WhyType (ref a).
Existing Instance ref_WhyType.
Arguments ref'mk {a}.

(* Why3 assumption *)
Definition contents {a:Type} {a_WT:WhyType a} (v:ref a) : a :=
  match v with
  | ref'mk x => x
  end.

Parameter if_term: Numbers.BinNums.Z -> Init.Datatypes.bool.

Axiom if_term'def :
  forall (o:Numbers.BinNums.Z),
  ((o = 0%Z) -> ((if_term o) = Init.Datatypes.true)) /\
  (~ (o = 0%Z) -> ((if_term o) = Init.Datatypes.false)).

Require Import Lia.

(* Why3 goal *)
Theorem search_loop'vc :
  forall (l:Init.Datatypes.list Numbers.BinNums.Z),
  forall (s:Init.Datatypes.list Numbers.BinNums.Z) (i:Numbers.BinNums.Z),
  (0%Z <= i)%Z /\
  ((i + (list.Length.length s))%Z = (list.Length.length l)) /\
  (forall (j:Numbers.BinNums.Z), (0%Z <= j)%Z ->
   ((list.Nth.nth j s) = (list.Nth.nth (i + j)%Z l))) /\
  (forall (j:Numbers.BinNums.Z), (0%Z <= j)%Z /\ (j < i)%Z ->
   ~ ((list.Nth.nth j l) = (Init.Datatypes.Some 0%Z))) ->
  list.List.is_nil s <-> (s = Init.Datatypes.nil) ->
  forall (o:Init.Datatypes.bool),
  ~ list.List.is_nil s /\
  (exists o1:Numbers.BinNums.Z,
   ((list.HdTl.hd s) = (Init.Datatypes.Some o1)) /\
   ((o1 = 0%Z) /\ (o = Init.Datatypes.false) \/
    ~ (o1 = 0%Z) /\ (o = Init.Datatypes.true))) \/
  list.List.is_nil s /\ (o = Init.Datatypes.false) ->
  (o = Init.Datatypes.true) -> forall (i1:Numbers.BinNums.Z),
  (i1 = (i + 1%Z)%Z) -> forall (o1:Init.Datatypes.list Numbers.BinNums.Z),
  ((list.HdTl.tl s) = (Init.Datatypes.Some o1)) ->
  forall (s1:Init.Datatypes.list Numbers.BinNums.Z), (s1 = o1) ->
  forall (j:Numbers.BinNums.Z), (0%Z <= j)%Z /\ (j < i1)%Z ->
  ~ ((list.Nth.nth j l) = (Init.Datatypes.Some 0%Z)).
(* Why3 intros l s i (h1,(h2,(h3,h4))) h5 o h6 h7 i1 h8 o1 h9 s1 h10 j
        (h11,h12). *)
Proof.
intros l s i (h1,(h2,(h3,h4))) h5 o h6 h7 i1 h8 o1 h9 s1 h10 j (h11,h12).
subst.
destruct s.
easy.
injection h9. clear h9.
intros ->.
assert (h: (j < i \/ j= i)%Z) by lia; destruct h as [h| ->].
now apply h4.
destruct h6 as [[_ [x [H5 [[_ H6]|[H6 _]]]]]|[H _]] ; try easy.
specialize (h3 0%Z (Z.le_refl 0)).
rewrite Zplus_0_r in h3.
rewrite <- h3.
simpl.
simpl in H5.
rewrite H5.
contradict H6.
now injection H6.
Qed.
why3-1.6.0/examples/vstte10_search_list/why3session.xml000066400000000000000000000105261440160026300231340ustar00rootroot00000000000000









 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
  
  
  
  
  
 
 



why3-1.6.0/examples/vstte10_search_list/why3shapes.gz000066400000000000000000000024541440160026300225550ustar00rootroot00000000000000ݏ4W
8#ZQxu寰h˝_IۅC:ixx\WM]:Zկp{:X
sw7
6l徻5GSnם\MŨXDQ,b5*."YjQw'ix`w[)i`=˸m/uo`~Oݏڶ>d皪nǚ&VVa#ތ@w
l/5lP3U/uNݸHO-ڤ!k;B9B[rEuݞLےu2&QBۡ_/.B1_R
Һon;Jݹ_`#u5NnelQ"H㴽TU#C>Ye`6.[B^F*sN%pO=pL`邞tI\
fE0;f
U}66 {r}WC!Ґ}O$KX`!sXaG>4[`/K^%3,yK>3,e
,S`9,[`ǘ6b
Nzܭ?e&0`&^2Ӆ.̜)̋38(`giJ,gg"’	հ{ٷS*0?ń0̎f?ʏwIJ"3]:ז o9UFr)W%/eV]kz/0m9FPFNr>:UY؟7}u2]L?fU@X\#$N{a(K\
AI
O
6^d{u'ي@/x:.W%yr%i콇|4VJoS`O1s-6$#ꔌy=FUXLhkhVE%IĆh"<6HbA.'k1UK@s1!b
V("#8IiVŰmR:/uGL
mkiQ>\AlWm0L!EfBXm)Zpa4Ѫ#JkC<YY|#rY2@R&GLڥ0--Vcb
Bs[P|֊6ʈM6	5hIr@AD0PP!YGH̱Ƣ;why3-1.6.0/examples/vstte12_bfs.mlw000066400000000000000000000105741440160026300171140ustar00rootroot00000000000000
(* The 2nd Verified Software Competition (VSTTE 2012)
   https://sites.google.com/site/vstte2012/compet

   Problem 5:
   Shortest path in a graph using breadth-first search *)

theory Graph

  use int.Int
  use export set.Fset

  type vertex

  val predicate eq (x y: vertex)
    ensures { result <-> x = y }

  function succ vertex : fset vertex

  (* there is a path of length n from v1 to v2 *)
  inductive path (v1 v2: vertex) (n: int) =
    | path_empty:
        forall v: vertex. path v v 0
    | path_succ:
        forall v1 v2 v3: vertex, n: int.
        path v1 v2 n -> mem v3 (succ v2) -> path v1 v3 (n+1)

  (* path length is non-negative *)
  lemma path_nonneg:
    forall v1 v2: vertex, n: int. path v1 v2 n -> n >= 0

  (* a non-empty path has a last but one node *)
  lemma path_inversion:
    forall v1 v3: vertex, n: int. n >= 0 ->
    path v1 v3 (n+1) ->
    exists v2: vertex. path v1 v2 n /\ mem v3 (succ v2)

  (* a path starting in a set S that is closed under succ ends up in S *)
  lemma path_closure:
    forall s: fset vertex.
    (forall x: vertex. mem x s ->
       forall y: vertex. mem y (succ x) -> mem y s) ->
    forall v1 v2: vertex, n: int. path v1 v2 n ->
    mem v1 s -> mem v2 s

  predicate shortest_path (v1 v2: vertex) (n: int) =
    path v1 v2 n /\
    forall m: int. m < n -> not (path v1 v2 m)

end

module BFS

  use int.Int
  use Graph
  clone set.SetImp as B with type elt = vertex, val eq = eq
  use ref.Refint

  exception Found int

  (* global invariant *)
  predicate inv (s t: vertex) (visited current next: fset vertex) (d: int) =
    (* current *)
    subset current visited /\
    (forall x: vertex. mem x current -> shortest_path s x d) /\
    (* next *)
    subset next visited /\
    (forall x: vertex. mem x next -> shortest_path s x (d + 1)) /\
    (* visited *)
    (forall x: vertex, m: int. path s x m -> m <= d -> mem x visited) /\
    (forall x: vertex. mem x visited ->
       exists m: int. path s x m /\ m <= d+1) /\
    (* nodes at distance d+1 are either in next or not yet visited *)
    (forall x: vertex. shortest_path s x (d + 1) ->
       mem x next \/ not (mem x visited)) /\
    (* target t *)
    (mem t visited -> mem t current \/ mem t next)

  (* visited\current\next is closed under succ *)
  predicate closure (visited current next: fset vertex) (x: vertex) =
    mem x visited -> not (mem x current) -> not (mem x next) ->
    forall y: vertex. mem y (succ x) -> mem y visited

  function (!!) (s: B.set) : fset vertex = B.to_fset s

  val pick_succ (v: vertex) : B.set
    ensures { !!result = succ v }

  (* function fill_next fills set next with the unvisited successors of v *)
  let fill_next (s t v: vertex) (visited current next: B.set) (d:ref int)
    requires { inv s t !!visited !!current !!next !d /\
      shortest_path s v !d /\
      (forall x: vertex. x<> v -> closure !!visited !!current !!next x) }
    ensures { inv s t !!visited !!current !!next !d /\
      subset (succ v) !!visited  /\
      (forall x: vertex. closure !!visited !!current !!next x) }
  = let acc = pick_succ v in
    while not (B.is_empty acc) do
      invariant {
        inv s t !!visited !!current !!next !d /\
        subset !!acc (succ v) /\
        subset (diff (succ v) !!acc) !!visited /\
        (forall x: vertex. x <> v -> closure !!visited !!current !!next x)
      }
      variant { cardinal !!acc }
      let w = B.choose_and_remove acc in
      if not (B.mem w visited) then begin
        B.add w visited;
        B.add w next
      end
    done

  let bfs (s: vertex) (t: vertex)
    ensures { forall d: int. not (path s t d) }
    raises { Found r -> shortest_path s t r }
    diverges (* the set of reachable nodes may be infinite *)
  = let visited = B.empty () in
    let current = ref (B.empty ()) in
    let next    = ref (B.empty ()) in
    B.add s visited;
    B.add s !current;
    let d = ref 0 in
    while not (B.is_empty !current) do
      invariant {
        inv s t !!visited !! !current !! !next !d /\
        (is_empty !! !current -> is_empty !! !next) /\
        (forall x: vertex. closure !!visited !! !current !! !next x) /\
        0 <= !d
      }
      let v = B.choose_and_remove !current in
      if eq v t then raise (Found !d);
      fill_next s t v visited !current !next d;
      if B.is_empty !current then begin
        (current.contents, next.contents) <- (!next, B.empty ());
        incr d
      end
    done;
    assert { not (mem t !!visited) }

end
why3-1.6.0/examples/vstte12_bfs/000077500000000000000000000000001440160026300163645ustar00rootroot00000000000000why3-1.6.0/examples/vstte12_bfs/vstte12_bfs_BFS_VC_bfs_1.v000066400000000000000000000123571440160026300230610ustar00rootroot00000000000000(* This file is generated by Why3's Coq driver *)
(* Beware! Only edit allowed sections below    *)
Require Import BuiltIn.
Require BuiltIn.
Require HighOrd.
Require int.Int.
Require set.Fset.
Require set.SetImp.

Axiom vertex : Type.
Parameter vertex_WhyType : WhyType vertex.
Existing Instance vertex_WhyType.

Parameter eq: vertex -> vertex -> Prop.

Axiom eq'spec : forall (x:vertex) (y:vertex), eq x y <-> (x = y).

Parameter succ: vertex -> set.Fset.fset vertex.

(* Why3 assumption *)
Inductive path: vertex -> vertex -> Numbers.BinNums.Z -> Prop :=
  | path_empty : forall (v:vertex), path v v 0%Z
  | path_succ :
      forall (v1:vertex) (v2:vertex) (v3:vertex) (n:Numbers.BinNums.Z),
      path v1 v2 n -> set.Fset.mem v3 (succ v2) -> path v1 v3 (n + 1%Z)%Z.

Axiom path_nonneg :
  forall (v1:vertex) (v2:vertex) (n:Numbers.BinNums.Z), path v1 v2 n ->
  (0%Z <= n)%Z.

Axiom path_inversion :
  forall (v1:vertex) (v3:vertex) (n:Numbers.BinNums.Z), (0%Z <= n)%Z ->
  path v1 v3 (n + 1%Z)%Z ->
  exists v2:vertex, path v1 v2 n /\ set.Fset.mem v3 (succ v2).

Axiom path_closure :
  forall (s:set.Fset.fset vertex),
  (forall (x:vertex), set.Fset.mem x s ->
   (forall (y:vertex), set.Fset.mem y (succ x) -> set.Fset.mem y s)) ->
  forall (v1:vertex) (v2:vertex) (n:Numbers.BinNums.Z), path v1 v2 n ->
  set.Fset.mem v1 s -> set.Fset.mem v2 s.

(* Why3 assumption *)
Definition shortest_path (v1:vertex) (v2:vertex) (n:Numbers.BinNums.Z) : Prop :=
  path v1 v2 n /\ (forall (m:Numbers.BinNums.Z), (m < n)%Z -> ~ path v1 v2 m).

Axiom set : Type.
Parameter set_WhyType : WhyType set.
Existing Instance set_WhyType.

Parameter to_fset: set -> set.Fset.fset vertex.

Parameter choose: set -> vertex.

Axiom choose'spec :
  forall (s:set), ~ set.Fset.is_empty (to_fset s) ->
  set.Fset.mem (choose s) (to_fset s).

(* Why3 assumption *)
Inductive ref (a:Type) :=
  | ref'mk : a -> ref a.
Axiom ref_WhyType : forall (a:Type) {a_WT:WhyType a}, WhyType (ref a).
Existing Instance ref_WhyType.
Arguments ref'mk {a}.

(* Why3 assumption *)
Definition contents {a:Type} {a_WT:WhyType a} (v:ref a) : a :=
  match v with
  | ref'mk x => x
  end.

(* Why3 assumption *)
Definition inv (s:vertex) (t:vertex) (visited:set.Fset.fset vertex)
    (current:set.Fset.fset vertex) (next:set.Fset.fset vertex)
    (d:Numbers.BinNums.Z) : Prop :=
  set.Fset.subset current visited /\
  (forall (x:vertex), set.Fset.mem x current -> shortest_path s x d) /\
  set.Fset.subset next visited /\
  (forall (x:vertex), set.Fset.mem x next -> shortest_path s x (d + 1%Z)%Z) /\
  (forall (x:vertex) (m:Numbers.BinNums.Z), path s x m -> (m <= d)%Z ->
   set.Fset.mem x visited) /\
  (forall (x:vertex), set.Fset.mem x visited ->
   (exists m:Numbers.BinNums.Z, path s x m /\ (m <= (d + 1%Z)%Z)%Z)) /\
  (forall (x:vertex), shortest_path s x (d + 1%Z)%Z ->
   set.Fset.mem x next \/ ~ set.Fset.mem x visited) /\
  (set.Fset.mem t visited -> set.Fset.mem t current \/ set.Fset.mem t next).

(* Why3 assumption *)
Definition closure (visited:set.Fset.fset vertex)
    (current:set.Fset.fset vertex) (next:set.Fset.fset vertex) (x:vertex) :
    Prop :=
  set.Fset.mem x visited -> ~ set.Fset.mem x current ->
  ~ set.Fset.mem x next -> forall (y:vertex), set.Fset.mem y (succ x) ->
  set.Fset.mem y visited.

(* Why3 goal *)
Theorem bfs'vc :
  forall (s:vertex) (t:vertex), forall (visited:set),
  ((to_fset visited) = (set.Fset.empty : set.Fset.fset vertex)) /\
  ((set.Fset.cardinal (to_fset visited)) = 0%Z) -> forall (o:set),
  ((to_fset o) = (set.Fset.empty : set.Fset.fset vertex)) /\
  ((set.Fset.cardinal (to_fset o)) = 0%Z) -> forall (o1:set),
  ((to_fset o1) = (set.Fset.empty : set.Fset.fset vertex)) /\
  ((set.Fset.cardinal (to_fset o1)) = 0%Z) -> forall (visited1:set),
  ((to_fset visited1) = (set.Fset.add s (to_fset visited))) /\
  (set.Fset.mem s (to_fset visited) /\
   ((set.Fset.cardinal (to_fset visited1)) =
    (set.Fset.cardinal (to_fset visited))) \/
   ~ set.Fset.mem s (to_fset visited) /\
   ((set.Fset.cardinal (to_fset visited1)) =
    ((set.Fset.cardinal (to_fset visited)) + 1%Z)%Z)) ->
  forall (current:set),
  ((to_fset current) = (set.Fset.add s (to_fset o))) /\
  (set.Fset.mem s (to_fset o) /\
   ((set.Fset.cardinal (to_fset current)) = (set.Fset.cardinal (to_fset o))) \/
   ~ set.Fset.mem s (to_fset o) /\
   ((set.Fset.cardinal (to_fset current)) =
    ((set.Fset.cardinal (to_fset o)) + 1%Z)%Z)) ->
  forall (d:Numbers.BinNums.Z) (next:set) (current1:set) (visited2:set),
  inv s t (to_fset visited2) (to_fset current1) (to_fset next) d /\
  (set.Fset.is_empty (to_fset current1) -> set.Fset.is_empty (to_fset next)) /\
  (forall (x:vertex),
   closure (to_fset visited2) (to_fset current1) (to_fset next) x) /\
  (0%Z <= d)%Z -> set.Fset.is_empty (to_fset current1) ->
  ~ set.Fset.mem t (to_fset visited2) -> forall (d1:Numbers.BinNums.Z),
  ~ path s t d1.
Proof.
intros s t1 visited h1 o h2 o1 h3 visited1 h4 current h5 d next current1
visited2 (h6,(h7,(h8,h9))) h10 h11 d1 H.
assert (Fset.mem t1 (to_fset visited2)).
apply path_closure with s d1; auto.
unfold closure in h8.
intros x hx.
apply h8.
intuition.
rewrite (Fset.empty_is_empty _ h10). apply Fset.is_empty_empty.
rewrite (Fset.empty_is_empty _ (h7 h10)). apply Fset.is_empty_empty.
red in h6; decompose [and] h6.
apply H4 with 0%Z.
apply path_empty.
assumption.
exact (h11 H0).
Qed.why3-1.6.0/examples/vstte12_bfs/why3session.xml000066400000000000000000000241631440160026300214120ustar00rootroot00000000000000










 
 
  
  
  
  
  
  
 
 
 
 
  
  
  
  
  
  
 
 
 
 
  
  
  
  
  
  
 
 


 
 
 
 
 
  
  
  
  
  
  
  
  
  
  
  
   
   
    
    
     
     
     
     
     
     
     
     
     
     
     
     
     
     
     
     
     
     
     
     
     
     
     
     
     
     
     
     
     
     
     
     
     
    
    
   
   
  
  
  
  
  
  
  
  
  
  
  
 
 
 
 
  
  
  
  
  
  
  
  
  
  
  
   
   
   
   
   
   
   
   
    
    
     
     
     
    
    
   
   
  
  
  
  
   
   
    
    
     
     
      
      
      
      
      
      
      
      
      
      
      
      
      
      
       
       
       
      
      
      
      
      
      
      
      
      
      
      
     
     
    
    
   
   
   
   
   
   
   
    
    
     
     
     
    
    
   
   
   
   
   
  
  
  
  
  
  
  
  
  
  
  
 
 



why3-1.6.0/examples/vstte12_bfs/why3shapes.gz000066400000000000000000000110401440160026300210200ustar00rootroot00000000000000\Yo9~ׯP?cˠ^
&0dG*ٲ=k` d/wxws.½8?ՅNjdvvCth><ªК>aܯ޽ EsA]C4܎PwmAyi#&@i}NIןeJ;.x@31
;tlt<;P=3J0r?|Q=-44b5WE8
'c~nIن/^ցfF0Gw}.T0Y~?bJbЕLW"؆X-Սroط'8e.EAnߤp kwswA?2QyҮd\lAMJPxxtww=5[,˜srL:~{oɆbouWooo?\ݸyLFqu95ba1P>KuP'fҮ|.V%o}U;M燻o߇.ܼwoNzo/fvVWUGb5ڍB|(ijB4m|xc)OqAYpAիg&1<W{i]V}y!_ww}i}?cK)7N*}胳HnuޗaO5h-*Бzq@2cZS*qݚVeYg9W]'^ۊHk?ug5L=ԭ.Y׶#Z{4$fp$n޾};ll^:g<|;\+L~u!ґQc3>Gd7repײJJn{?2c߹LQvM[Ŗ\qz=Uf4/!%m#AV6ݯ]u_m@[AAKK3r#Nv\ulMޱ;dF҅+
x>,n$\tOK40e'UaU2f`6d}&tYg03%+pWo,
V^+asvɟ='8T]j5,CrEJ2,eTM#
%p^8ib.	v_d2&r K2M6y턲L<=W!=ucHOuj~ҫCcH=F!^]oUB]|fv퉐]`{DbjĔ|-24Čj+]EgO3[5ˑuÙCđ[n͋LwǠHswDE1hZ1hkaTʶG6к2WcG9*k`!umrޓמ$BiOc)em6﵈h9z
}
T_xR~Q=kmr=/7!ﭧ[ϧdDfS-;7+t.NAR
nBdOdWeb!ƛbځ(LBTK+D~JGJ\nrQIMmc4+Ƹ9Iyjv\Ra!!U`n:K}*ozMϣf@dgC/QHWG!uB?Zݛsqv3]蛴1N#5Kš~g,qEuVf+Q'rvk|P}}P}
\!ʊWỞ
8:(}+ܮxF|BlѬoּ[XM_C>DZldV?h_%{v
JR2u/?/ŦJ*QK4UL UZU
|,2'f_5@9vXOuR"Q;nqyd,A0v,~e倌eAr,Vs!c^q_!]=HyeDNEik0YFJ5!0[bI*C4X8%>F(R-Y)MV&ᨑ6He& c[I!i
<!e^2]kyQk&jR*Boe!ԊiM`EmDMnµj9UQ lMw!Y*W\X!tdĭm
cZS/D4PКTSw+Lև+eԀsRH%QEjZ֖zA/)T:%[-gqcրF("ÕD;F"1$0ʆLIP^Xi20E!KZx*ɼnOS*"ʶ&Sh%QL%hhbI)6fZOBpB%g4b½R$HJ4\6\47BNff&&FF2gBM˸P`@jIXD,S8
Op(l
FYnCwؐWp661)&gj[(
I9p~Ό3rH'dElS߶Y/ya.7y]hqc*QEȧpH' x = y }
  = match x, y with
    | S, S -> True
    | K, K -> True
    | App x1 x2, App y1 y2 -> eq x1 y1 && eq x2 y2
    | _, _ -> False
    end

  (* specification of the CBV reduction *)

  predicate is_value (t: term) = match t with
    | K | S -> true
    | App K v | App S v -> is_value v
    | App (App S v1) v2 -> is_value v1 /\ is_value v2
    | _ -> false
  end

  (* contexts *)

  type context = Hole | Left context term | Right term context

  predicate is_context (c: context) = match c with
    | Hole -> true
    | Left c _ -> is_context c
    | Right v c -> is_value v && is_context c
  end

  function subst (c: context) (t: term) : term = match c with
    | Hole -> t
    | Left c1 t2 -> App (subst c1 t) t2
    | Right v1 c2 -> App v1 (subst c2 t)
  end

  (* one step reduction
     (the notion of context is inlined in the following definition) *)

  inductive (-->) (t1 t2: term) =
    | red_K:
       forall c: context. is_context c ->
       forall v1 v2: term. is_value v1 -> is_value v2 ->
       subst c (App (App K v1) v2) --> subst c v1
    | red_S:
       forall c: context. is_context c ->
       forall v1 v2 v3: term. is_value v1 -> is_value v2 -> is_value v3 ->
       subst c (App (App (App S v1) v2) v3) -->
       subst c (App (App v1 v3) (App v2 v3))

  clone relations.ReflTransClosure
    with type t = term, predicate rel = (-->)
  predicate (-->*) (t1 t2: term) = relTR t1 t2

  type zipper = ZHole | ZLeft context term | ZRight term context

  let rec function subst_c (c ct:context) : context
    ensures { is_context c /\ is_context ct -> is_context result }
  = match c with
    | Hole -> ct
    | Left c1 t2 -> Left (subst_c c1 ct) t2
    | Right v1 c2 -> Right v1 (subst_c c2 ct)
    end

  lemma subst_c_commute : forall c [@induction] ct t.
    subst c (subst ct t) = subst (subst_c c ct) t

  (* task 1: implement CBV reduction *)

  let rec reduction (ghost c:context) (t: term) : term
    diverges (* there are non-normalizable terms... *)
    requires { is_context c }
    ensures { subst c t -->* subst c result }
    ensures { is_value result }
  = match t with
    | S -> S
    | K -> K
    | App t1 t2 ->
      let v1 = reduction (subst_c c (Left Hole t2)) t1 in
      let v2 = reduction (subst_c c (Right v1 Hole)) t2 in
      match v1 with
      | K | S | App S _ -> App v1 v2
      | App K v3 -> v3
      | App (App S v3) v4 -> reduction c (App (App v3 v2) (App v4 v2))
      | _ -> absurd
      end
    end

  exception BenchFailure

  let constant i = App (App S K) K

  let test_SKK ()
    diverges (* would be hard to prove terminating *)
    raises { BenchFailure -> true }
  = let t1 = reduction Hole (App i i) in
    if not (eq t1 i) then raise BenchFailure;
    let t2 = reduction Hole (App (App (App (App K K) K) K) K) in
    if not (eq t2 K) then raise BenchFailure;
    t1, t2

  (* an irreducible term is a value *)
  predicate irreducible (t: term) = forall t': term. not (t-->t')

  exception Fail
  let rec ghost reduce_step (c:context) (t:term) : term
    requires { is_context c }
    ensures  { subst c t --> subst c result }
    raises   { Fail -> is_value t }
    variant  { t }
  = match t with
    | App t1 t2 ->
      try App (reduce_step (subst_c c (Left Hole t2)) t1) t2 with Fail ->
      try App t1 (reduce_step (subst_c c (Right t1 Hole)) t2) with Fail ->
      match t1 with
      | App K v -> v
      | App (App S v1) v2 -> App (App v1 t2) (App v2 t2)
      | _ -> raise Fail
      end end end
    | _ -> raise Fail
    end

  let rec lemma value_in_context (c:context) (t:term) : unit
    requires { is_value (subst c t) }
    ensures  { is_value t }
    variant  { c }
  = match c with
    | Hole -> ()
    | Left cl _ -> value_in_context cl t
    | Right _ cr -> value_in_context cr t
    end

  let lemma irreducible_is_value (t:term) : unit
    ensures { irreducible t <-> is_value t }
  = try let _ = reduce_step Hole t in () with Fail -> () end

  (* task 2 *)

  use int.Int

  inductive only_K (t: term) =
    | only_K_K:
        only_K K
    | only_K_App:
        forall t1 t2: term. only_K t1 -> only_K t2 -> only_K (App t1 t2)

  let rec reduction2 (ghost c:context) (t: term) : term
    requires { only_K t /\ is_context c }
    ensures { only_K result /\ is_value result }
    ensures { subst c t -->* subst c result }
    variant { t }
  = match t with
    | K -> K
    | App t1 t2 ->
      let v1 = reduction2 (subst_c c (Left Hole t2)) t1 in
      let v2 = reduction2 (subst_c c (Right v1 Hole)) t2 in
      match v1 with
      | K -> App v1 v2
      | App K v3 -> v3
      | _ -> absurd
      end
    | _ -> absurd
    end

  (* task 3 *)

  let rec function ks (n: int) : term
    requires { n >= 0 }
    ensures  { only_K result }
    variant { n }
  = if n = 0 then K else App (ks (n-1)) K

  use number.Parity

  let rec reduction3 (ghost c:context) (ghost n:int) (t: term) : term
    requires { n >= 0 /\ t = ks n /\ is_context c }
    variant { n }
    ensures { subst c t -->* subst c result }
    ensures { is_value result }
    ensures { even n -> result = K }
    ensures { odd n -> result = App K K }
  = match t with
    | K -> K
    | App t1 t2 ->
      let v1 = reduction3 (subst_c c (Left Hole t2)) (n-1) t1 in
      let v2 = reduction3 (subst_c c (Right v1 Hole)) 0 t2 in
      match v1 with
      | K -> App v1 v2
      | App K v3 -> v3
      | _ -> absurd
      end
    | _ -> absurd
    end

  let lemma ks_even_odd (n:int) : unit
    requires { n >= 0 }
    ensures  { ks (2*n) -->* K }
    ensures  { ks (2*n+1) -->* App K K }
  = let _ = reduction3 Hole (2*n) (ks (2*n)) in
    let _ = reduction3 Hole (2*n+1) (ks (2*n+1)) in
    ()

end
why3-1.6.0/examples/vstte12_combinators/000077500000000000000000000000001440160026300201325ustar00rootroot00000000000000why3-1.6.0/examples/vstte12_combinators/Makefile000066400000000000000000000027171440160026300216010ustar00rootroot00000000000000
BENCH ?= no

ifeq ($(BENCH),yes)
  WHY3=../../bin/why3.opt
  WHY3SHARE=../../share
else
  ifeq ($(BINDIR),)
    WHY3=why3
  else
    WHY3=$(BINDIR)/why3
  endif
  WHY3SHARE=$(shell $(WHY3) --print-datadir)
endif

include $(WHY3SHARE)/Makefile.config

ifeq ($(BENCH),yes)
  INCLUDE += -I ../../lib/why3
endif

MAIN=main
GEN=vstte12_combinators
OBJ=$(GEN) parse

GENML = $(addsuffix .ml, $(GEN))
ML = $(addsuffix .ml, $(OBJ))
CMO = $(addsuffix .cmo, $(OBJ))
CMX = $(addsuffix .cmx, $(OBJ))

OCAMLOPT=ocamlopt -noassert -inline 1000

all: $(MAIN).$(OCAMLBEST)

extract: $(GENML)

doc:
	$(WHY3) doc ../vstte12_combinators.mlw
	$(WHY3) session html .

$(MAIN).opt: $(CMX)  $(MAIN).cmx
	$(OCAMLOPT) $(INCLUDE) $(BIGINTLIB).cmxa -o $@ $^

$(MAIN).cmx: $(CMX)

$(GENML): ../vstte12_combinators.mlw
	$(WHY3) extract -D ocaml64 -o $@ $<

%.cmx: %.ml
	$(OCAMLOPT) $(INCLUDE) -annot -c $<

clean::
	rm -f $(GENML) *.cm[xio] *.o *.annot $(MAIN).opt $(MAIN).byte
	rm -f vstte12_combinators__*.ml*

# javascript


JSMAIN=jsmain

JSOCAMLC=ocamlfind ocamlc -package js_of_ocaml -package js_of_ocaml-ppx -package js_of_ocaml-lwt

$(JSMAIN).js: $(JSMAIN).byte
	js_of_ocaml --pretty --noinline +nat.js $(JSMAIN).byte


$(JSMAIN).byte: $(CMO) jsmain.ml
#	$(JSOCAMLC) $(INCLUDE) -o $@ -linkpkg $^
	$(JSOCAMLC) $(INCLUDE) $(BIGINTLIB).cma -o $@ -linkpkg $^


%.cmo: %.ml
	$(JSOCAMLC) $(INCLUDE) -annot -c $<

%.cmi: %.mli
	$(JSOCAMLC) $(INCLUDE) -annot -c $<


clean::
	rm -f *.cm[io] $(NAME).byte $(NAME).js
why3-1.6.0/examples/vstte12_combinators/index.html000066400000000000000000000010231440160026300221230ustar00rootroot00000000000000


  
    Interpreter for combinator terms
  
  
    
    Interpreter for combinator terms
    
    
    Enter a combinator term in the text area below
    
    
    
  

why3-1.6.0/examples/vstte12_combinators/jsmain.ml000066400000000000000000000037671440160026300217620ustar00rootroot00000000000000


(*let () = Firebug.console##info (Js.string "debut de jsmain.ml")*)

(* computation part  *)

let compute_result text =
  try
    let t = Parse.parse_term text in
    let u = Vstte12_combinators.reduction t in
    Format.fprintf Format.str_formatter
      "the normal form is %a" Parse.pr u;
    Format.flush_str_formatter ()
  with Parse.SyntaxError -> "syntax error"






(* HTML rendering *)

module Html = Js_of_ocaml.Dom_html
module Js = Js_of_ocaml.Js
module Dom = Js_of_ocaml.Dom

let node x = (x : #Dom.node Js.t :> Dom.node Js.t)

let (<|) e l = List.iter (fun c -> Dom.appendChild e c) l; node e

let html_of_string (d : Html.document Js.t) (s:string) =
  d##createElement (Js.string "p") <|
      [node (d##createTextNode (Js.string s))]

let replace_child p n =
  Js.Opt.iter (p##.firstChild) (fun c -> Dom.removeChild p c);
  Dom.appendChild p n

let onload (_event : #Html.event Js.t) : bool Js.t =
  let d = Html.document in
  let body =
    Js.Opt.get (d##getElementById(Js.string "test"))
      (fun () -> assert false) in
  let textbox = Html.createTextarea d in
  textbox##.rows := 20; textbox##.cols := 100;
  let preview = Html.createDiv d in
  preview##.style##.border := Js.string "1px black";
  preview##.style##.padding := Js.string "5px";
  Dom.appendChild body textbox;
  Dom.appendChild body (Html.createBr d);
  Dom.appendChild body preview;
  let rec dyn_preview old_text n =
    let text = Js.to_string (textbox##.value) in
    let n =
      if text <> old_text then
        begin
          begin try
                  let rendered =
                    html_of_string d (compute_result text)
                  in
                  replace_child preview rendered
            with _ -> ()
          end;
          20
        end
      else
        max 0 (n - 1)
    in
    Lwt.bind
      (Js_of_ocaml_lwt.Lwt_js.sleep (if n = 0 then 0.5 else 0.1))
      (fun () -> dyn_preview text n)
  in
  let (_ : 'a Lwt.t) = dyn_preview "" 0 in Js._false

let (_ : unit) = Html.window##.onload := Html.handler onload
why3-1.6.0/examples/vstte12_combinators/main.ml000066400000000000000000000011161440160026300214070ustar00rootroot00000000000000
open Format

let usage () =
  eprintf "Reduction of combinator terms@.";
  eprintf "Usage: %s @." Sys.argv.(0);
  exit 2

let input =
  if Array.length Sys.argv <> 2 then usage ();
  Sys.argv.(1)

let input_term =
  if input = "go" then
    let i = Vstte12_combinators.i in
    Vstte12_combinators.App(i,i)
  else
    try Parse.parse_term input
    with _ ->
      begin
        eprintf "syntax error@.";
        usage ()
      end

let () =
  let a = Vstte12_combinators.reduction input_term in
  printf "The normal form of %a is %a@."
    Parse.pr input_term Parse.pr a
why3-1.6.0/examples/vstte12_combinators/parse.ml000066400000000000000000000015331440160026300216000ustar00rootroot00000000000000
open Format
open Vstte12_combinators

let rec pr fmt t =
  match t with
  | S -> fprintf fmt "S"
  | K -> fprintf fmt "K"
  | App(t1,t2) -> fprintf fmt "(%a %a)" pr t1 pr t2

exception SyntaxError

let rec parse_term s i =
  match String.get s i with
    | 'S' -> S, i+1
    | 'K' -> K, i+1
    | 'I' -> Vstte12_combinators.i, i+1
    | '(' ->
      let t1,i1 = parse_term s (i+1) in
      begin
        match String.get s i1 with
        | ' ' ->
          let t2,i2 = parse_term s (i1+1) in
          begin
            match String.get s i2 with
              | ')' -> App(t1,t2),i2+1
              | _ -> raise SyntaxError
          end
        | _ -> raise SyntaxError
      end
    | _ -> raise SyntaxError

let parse_term s =
  try
    let t,i = parse_term s 0 in
    if i <> String.length s then raise SyntaxError;
    t
  with _ -> raise SyntaxError
why3-1.6.0/examples/vstte12_combinators/why3session.xml000066400000000000000000000047061440160026300231610ustar00rootroot00000000000000







 
 
 
 
 
 
 
 
  
  
  
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 



why3-1.6.0/examples/vstte12_combinators/why3shapes.gz000066400000000000000000000041611440160026300225740ustar00rootroot00000000000000Xmo9_᏷]H.
[`S@k4ix:4ׇgxN?fUD%n}$7ԽV"gq8*qX'n*S)+<,V}zRhܪσ
?7b$TR옐xH{s.{Uݭo/yrEߛUx?^Av#3	|zs._|w9[]&IY[`;>'Y?SXIMt)K_%pUiyTq5Lڍ+ jt^M0Qkج(3kvXD\psv&n)v
uNÑ/N۳fCyGxޑ&+2;^e>?bͲmp)"Aפ8'W!uCjHEӝh*T4Ȑo
KLvE۪%[n]cfQCt\5XRb_ȋ,ZgwOR(0&͂yxFTj (Q;(ycoe3JQHmr	AgZLs^E(<#29;"P<_.5v11o 9#f~%ZҚ-k2KLj6&7/9)ƯF]Qʊ,4"CxOB
Ǔ1](yLJ@sh(<07F$~]ގeě
_N#|9)G"UgOs߶q|~t_<;"-GX´@M n+*6d e\F|1L#2%)MZ"I$'вʹ1|UµaRج|	tEE1xJSB2x<98";J/r4_؇AjMѐDz6854$fʄQAfɥR+|D.&F]K0S/J\Q5/tːA6\c>;Œ8wP"
c4,^EFLd'Wj1+ÿ,.)hކmu)X~
lVS4wmm܊pT;s-^hvm[-#Zz+CQmDkU+U9]@Xj{yA;I뵔[)&ɶwJnMMpj-ĭյl\Rc_5{ʤF(Mz+޷J7?DӑA~-VGhm
)kZ o皦n܂-)4M5lAbIN5^ Zk[PCMOAajW\y
m8Jg,֡7rGy5UXNQnQ@why3-1.6.0/examples/vstte12_ring_buffer.mlw000066400000000000000000000166231440160026300206330ustar00rootroot00000000000000
(* The 2nd Verified Software Competition (VSTTE 2012)
   https://sites.google.com/site/vstte2012/compet

   Problem 3:
   Queue data structure implemented using a ring buffer

   Alternative solution using a model stored in a ghost field *)

module RingBuffer

  use int.Int
  use option.Option
  use list.List
  use import list.NthLengthAppend as L
  use import array.Array as A

  type buffer 'a = {
    mutable first: int;
    mutable len  : int;
            data : array 'a;
    ghost mutable sequence: list 'a;
  }
  invariant {
    let size = A.length data in
    0 <= first <  size /\
    0 <= len   <= size /\
    len = L.length sequence /\
    forall i: int. 0 <= i < len ->
      (first + i < size ->
         nth i sequence = Some data[first + i]) /\
      (0 <= first + i - size ->
         nth i sequence = Some data[first + i - size])
  }
  by { first = 0; len = 0; data = make 1 (any 'a); sequence = Nil }

  (* total capacity of the buffer *)
  function size (b: buffer 'a) : int = A.length b.data

  (* length = number of elements *)
  function length (b: buffer 'a) : int = b.len

  (* code *)

  let create (n: int) (dummy: 'a) : buffer 'a
    requires { n > 0 }
    ensures  { size result = n }
    ensures  { result.sequence = Nil }
  = { first = 0; len = 0; data = make n dummy; sequence = Nil }

  let length (b: buffer 'a) : int
    ensures { result = length b }
  = b.len

  let clear (b: buffer 'a) : unit
    writes  { b.len, b.sequence }
    ensures { length b = 0 }
    ensures { b.sequence = Nil }
  = ghost (b.sequence <- Nil);
    b.len <- 0

  let push (b: buffer 'a) (x: 'a) : unit
    requires { length b < size b }
    writes   { b.data.elts, b.len, b.sequence }
    ensures  { length b = (old (length b)) + 1 }
    ensures  { b.sequence = (old b.sequence) ++ Cons x Nil }
  = ghost (b.sequence <- b.sequence ++ Cons x Nil);
    let i = b.first + b.len in
    let n = A.length b.data in
    b.data[if i >= n then i - n else i] <- x;
    b.len <- b.len + 1

  let head (b: buffer 'a) : 'a
    requires { length b > 0 }
    ensures  { match b.sequence with Nil -> false | Cons x _ -> result = x end }
  = b.data[b.first]

  let pop (b: buffer 'a) : 'a
    requires { length b > 0 }
    writes   { b.first, b.len, b.sequence }
    ensures  { length b = (old (length b)) - 1 }
    ensures  { match old b.sequence with
               | Nil -> false
               | Cons x l -> result = x /\ b.sequence = l end }
  = ghost match b.sequence with Nil -> absurd | Cons _ s -> b.sequence <- s end;
    let r = b.data[b.first] in
    b.len <- b.len - 1;
    let n = A.length b.data in
    b.first <- b.first + 1;
    if b.first = n then b.first <- 0;
    r
end

module Harness

  use RingBuffer
  use list.List

  let harness () =
    let b = create 10 0 in
    push b 1;
    push b 2;
    push b 3;
    let x = pop b in assert { x = 1 };
    let x = pop b in assert { x = 2 };
    let x = pop b in assert { x = 3 };
    ()

  let harness2 () =
    let b = create 3 0 in
    push b 1;
    assert { sequence b = Cons 1 Nil };
    push b 2;
    assert { sequence b = Cons 1 (Cons 2 Nil) };
    push b 3;
    assert { sequence b = Cons 1 (Cons 2 (Cons 3 Nil)) };
    let x = pop b in assert { x = 1 };
    assert { sequence b = Cons 2 (Cons 3 Nil) };
    push b 4;
    assert { sequence b = Cons 2 (Cons 3 (Cons 4 Nil)) };
    let x = pop b in assert { x = 2 };
    assert { sequence b = Cons 3 (Cons 4 Nil) };
    let x = pop b in assert { x = 3 };
    assert { sequence b = Cons 4 Nil };
    let x = pop b in assert { x = 4 };
    ()

  use int.Int

  let test (x: int) (y: int) (z: int) =
    let b = create 2 0 in
    push b x;
    push b y;
    assert { sequence b = Cons x (Cons y Nil) };
    let h = pop b in assert { h = x };
    assert { sequence b = Cons y Nil };
    push b z;
    assert { sequence b = Cons y (Cons z Nil) };
    let h = pop b in assert { h = y };
    let h = pop b in assert { h = z }

end

(** With sequences instead of lists *)

module RingBufferSeq

  use int.Int
  use import seq.Seq as S
  use import array.Array as A

  type buffer 'a = {
    mutable first: int;
    mutable len  : int;
            data : array 'a;
    ghost mutable sequence: S.seq 'a;
  }
  invariant {
    let size = A.length data in
    0 <= first <  size /\
    0 <= len   <= size /\
    len = S.length sequence /\
    forall i: int. 0 <= i < len ->
      (first + i < size ->
         S.get sequence i = data[first + i]) /\
      (0 <= first + i - size ->
         S.get sequence i = data[first + i - size])
  }
  by { first = 0; len = 0; data = make 1 (any 'a); sequence = S.empty }

  (* total capacity of the buffer *)
  function size (b: buffer 'a) : int = A.length b.data

  (* length = number of elements *)
  function length (b: buffer 'a) : int = b.len

  (* code *)

  let create (n: int) (dummy: 'a) : buffer 'a
    requires { n > 0 }
    ensures  { size result = n }
    ensures  { result.sequence = S.empty }
  = { first = 0; len = 0; data = make n dummy; sequence = S.empty }

  let length (b: buffer 'a) : int
    ensures { result = length b }
  = b.len

  let clear (b: buffer 'a) : unit
    writes  { b.len, b.sequence }
    ensures { length b = 0 }
    ensures { b.sequence = S.empty }
  = ghost (b.sequence <- S.empty);
    b.len <- 0

  let push (b: buffer 'a) (x: 'a) : unit
    requires { length b < size b }
    writes   { b.data.elts, b.len, b.sequence }
    ensures  { length b = (old (length b)) + 1 }
    ensures  { b.sequence = S.snoc (old b.sequence) x }
  = ghost (b.sequence <- S.snoc b.sequence x);
    let i = b.first + b.len in
    let n = A.length b.data in
    b.data[if i >= n then i - n else i] <- x;
    b.len <- b.len + 1

  let head (b: buffer 'a) : 'a
    requires { length b > 0 }
    ensures  { result = S.get b.sequence 0 }
  = b.data[b.first]

  let pop (b: buffer 'a) : 'a
    requires { length b > 0 }
    writes   { b.first, b.len, b.sequence }
    ensures  { length b = (old (length b)) - 1 }
    ensures  { result = S.get (old b.sequence) 0 }
    ensures  { b.sequence = (old b.sequence)[1..] }
  = ghost (b.sequence <- b.sequence[1..]);
    let r = b.data[b.first] in
    b.len <- b.len - 1;
    let n = A.length b.data in
    b.first <- b.first + 1;
    if b.first = n then b.first <- 0;
    r
end

module HarnessSeq

  use seq.Seq
  use RingBufferSeq

  let harness () =
    let b = create 10 0 in
    push b 1;
    push b 2;
    push b 3;
    let x = pop b in assert { x = 1 };
    let x = pop b in assert { x = 2 };
    let x = pop b in assert { x = 3 };
    ()

  let harness2 () =
    let b = create 3 0 in
    push b 1;
    assert { sequence b == cons 1 empty };
    push b 2;
    assert { sequence b == cons 1 (cons 2 empty) };
    push b 3;
    assert { sequence b == cons 1 (cons 2 (cons 3 empty)) };
    let x = pop b in assert { x = 1 };
    assert { sequence b == cons 2 (cons 3 empty) };
    push b 4;
    assert { sequence b == cons 2 (cons 3 (cons 4 empty)) };
    let x = pop b in assert { x = 2 };
    assert { sequence b == cons 3 (cons 4 empty) };
    let x = pop b in assert { x = 3 };
    assert { sequence b == cons 4 empty };
    let x = pop b in assert { x = 4 };
    ()

  use int.Int

  let test (x: int) (y: int) (z: int) =
    let b = create 2 0 in
    push b x;
    push b y;
    assert { sequence b == cons x (cons y empty) };
    let h = pop b in assert { h = x };
    assert { sequence b == cons y empty };
    push b z;
    assert { sequence b == cons y (cons z empty) };
    let h = pop b in assert { h = y };
    let h = pop b in assert { h = z }

end
why3-1.6.0/examples/vstte12_ring_buffer/000077500000000000000000000000001440160026300201025ustar00rootroot00000000000000why3-1.6.0/examples/vstte12_ring_buffer/why3session.xml000066400000000000000000000166101440160026300231260ustar00rootroot00000000000000










 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
  
  
  
  
  
  
 
 
 
 
  
  
  
  
  
  
  
  
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
  
  
  
  
  
  
  
  
  
  
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
  
  
  
  
  
  
  
  
 
 


 
 
 
 
 
 
 
 
 


 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 


 
 
 
 
 
 
 
 
 



why3-1.6.0/examples/vstte12_ring_buffer/why3shapes.gz000066400000000000000000000105131440160026300225420ustar00rootroot00000000000000[[o~ׯǜ=50X@B^;
p$INΞ_*^gƻY[`]$UR{9~Oǧs?voq6Ik!cky|BBfIK^c}6ԭ/6B9m8R$0A9(=kݏIb'~<.$ħ}ʃ)>ǡǧA`rF^Tr'DQ Ԛ&"h귡ɸ]zZy^c8ē‰Ҡ6D3?ο'KغAB/wkX4?zRsEA[liz"s-дvPveRU;.PÇ~/M9>竦HzA
ipM4W駩z,Gt^;ۘG"mFB)C-&HuݖOjvyX qHEnZb
	$GBA[kN0]U-juY*qc(%7zZt	$e:+#+|nC	ғٔ)YW}U#dˏ>(wrHTP,tqa1%U*v9@1*63IEFU=}+=,Ӑ]qT)?*Z?ALTTtP'u. [B>
!]rǼT$$_3(3(N!o+Ql?	8@%48mC)Cq]||ƇO3	X|"f߬]UWt+[yLP<^`8E>>^]5}€5'!6`b97͡(CTUp()KB1Dm]UZ)
!IjdG8`Jå3s>
[ANEy +.5ˇ~x+Fh	#ۋ.&-R}QWxDhZMúpsM\\*y5˲5Xf(^o57-=Հ{%ޯkѷ
9χ}@maO2C_/j]j$G˷Ǘo/XmM@+xZjż,)bɭ]_veu1dy(ӈ}_/;4ih:ZɯX6+
0;0R6s36
4[a/lXKbKZ(5ZraxoUhZ_zruСk:plPAwС:zeVjZ-y>j׆IPK\A!k^~IPWeTuԢt΋IR&AE`q߇vE;2pTY
?䞠nP⢾(wt\ſK[͓ko,qGvPrjqsWhmžѼ%KU)z|	o#zuѡ[Gl%wEʦޱQOL
~0rmprLsOQ{Kʽ (q{0Q
N/^\qѬ_"n	b箔,@@{pd\5%ZȖ-A|s ;lEok[3ENEQQ\%Q$^rWI͇, %.;1)\6"T'y$[$XD1ogpi`k=ťvlp]å4|Za&]PXݫ83Uv/sXg\s`ϬXib]7ӧ8%y;tKa"ST8#WK	%u$>`zCyY(ef
-^`&~[arL)Gt7`
_ ުCwKmucE6raC Qp,G3dَ,ѹԂmSK{`q[zǺ_Y\ǠqYq/`t1g2Erm$䍻6/9-b!!r9sh8*mFkoSkI7G{39ppemKzzyTh9@	`K7T+h.(>}	RɞlW0Ga휭D[Ku(֍Pllk
6f	6]PNWq1ƋQF~xV6j	oC?YhQ-7}Z4<=zo_&Ew:+EL
gs#3™}[/l~~GdYm>XxWkxԲ)?jMaml~R%~XIjlep	y6c˻4NApͳIalU#R*:Im#seӳ1
g(mu2TF'2.ɌǙ5N:cS=?#q߂CowFI٤IYl?'n}䕓t_4bWI[lOOR=N5q,RS,◬QnW#d-_'oK2.Jbs7Y\]Y3%F9&/sVM"W>فiQ,8FcLuWڃ'01QCNLJdM
Y-рE2
& 6Ico3Γ0%1A4AQz]UH1Z+͈HH`8R8뉨1vRH8F?B:8Ɂziԣh<9YԚ&ҪNIBqGsPg\QhEᑤaFk%J}r8',"v0O-G( Cons d Nil
    | Node l r -> depths (d+1) l ++ depths (d+1) r
    end

  (* lemmas on depths *)

  lemma depths_head:
    forall t: tree, d: int.
    match depths d t with Cons x _ -> x >= d | Nil -> false end

  let rec lemma depths_unique (t1 t2: tree) (d: int) (s1 s2: list int)
    requires { depths d t1 ++ s1 = depths d t2 ++ s2 }
    variant { t1 }
    ensures { t1 = t2 && s1 = s2 }
  = let d' = d+1 in
    match t1,t2 with
    | Leaf,Leaf -> ()
    | Node t11 t12, Node t21 t22 ->
      depths_unique t11 t21 d' (depths d' t12 ++ s1) (depths d' t22 ++ s2);
      depths_unique t12 t22 d' s1 s2
    | Leaf, (Node t _) | (Node t _), Leaf ->
      match depths d' t with
      | Nil -> absurd
      | Cons x _ -> assert { x >= d' }
      end
    end

  lemma depths_prefix:
    forall t: tree, d1 d2: int, s1 s2: list int.
    depths d1 t ++ s1 = depths d2 t ++ s2 -> d1 = d2

  lemma depths_prefix_simple:
    forall t: tree, d1 d2: int.
    depths d1 t = depths d2 t -> d1 = d2

  let rec lemma depths_subtree (t1 t2: tree) (d1 d2:int) (s1:list int)
    requires { depths d1 t1 ++ s1 = depths d2 t2 }
    variant { t1 }
    ensures { d1 >= d2 }
  = assert { depths d2 t2 = depths d2 t2 ++ Nil };
    match t1 with
    | Leaf -> ()
    | Node t3 t4 ->
        depths_subtree t3 t2 (d1+1) d2 (depths (d1+1) t4 ++ s1)
    end

  lemma depths_unique2:
    forall t1 t2: tree, d1 d2: int.
    depths d1 t1 = depths d2 t2 -> d1 = d2 && t1 = t2

end

module TreeReconstruction

  use export Tree
  use list.Length
  use list.HdTlNoOpt

  exception Failure
    (* used to signal the algorithm's failure i.e. there is no tree *)

  let rec build_rec (d: int) (s: list int) : (t: tree, s': list int)
    variant { length s, hd s - d }
    ensures { s = depths d t ++ s' }
    raises  { Failure -> forall t: tree, s' : list int. depths d t ++ s' <> s }
  = match s with
    | Nil ->
        raise Failure
    | Cons h t ->
        if h < d then raise Failure;
        if h = d then
          Leaf, t
        else
          let l, s = build_rec (d+1) s in
          let r, s = build_rec (d+1) s in
          Node l r, s
    end

  let build (s: list int) : tree
    ensures { depths 0 result = s }
    raises  { Failure -> forall t: tree. depths 0 t <> s }
  = let t, s = build_rec 0 s in
    match s with
    | Nil -> t
    | _ -> raise Failure
    end

end

module Harness

  use TreeReconstruction

  let harness ()
    ensures { result = Node Leaf (Node (Node Leaf Leaf) Leaf) }
    raises  { Failure -> false }
  = build (Cons 1 (Cons 3 (Cons 3 (Cons 2 Nil))))

  let harness2 () : (_:tree)
    ensures { false } raises { Failure -> true }
  = build (Cons 1 (Cons 3 (Cons 2 (Cons 2 Nil))))

end

(*
  A variant implementation proposed by Jayadev Misra

  Given the input list [x1; x2; ...; xn], we first turn it into the
  list of pairs [(x1, Leaf); (x2, Leaf); ...; (xn, Leaf)].  Then,
  repeatedly, we scan this list from left to right, looking for two
  consecutive pairs (v1, t1) and (v2, t2) with v1 = v2.  Then we
  replace them with the pair (v1-1, Node t1 t2) and we start again.
  We stop when there is only one pair left (v,t). Then we must have v=0.

  The implementation below achieves linear complexity using a zipper
  data structure to traverse the list of pairs. The left list contains
  the elements already traversed (thus on the left), in reverse order,
  and the right list contains the elements yet to be traversed.

*)

(* Proving termination is quite easy and we do it first (though we could,
   obviously, do it together with proving correctness) *)

module ZipperBasedTermination

  use Tree
  use list.Length
  use list.Reverse

  exception Failure

  let rec tc (left: list (int, tree)) (right: list (int, tree)) : tree
    variant { length left + length right, length right }
    raises  { Failure }
  = match left, right with
    | _, Nil ->
        raise Failure
    | Nil, Cons (v, t) Nil ->
        if v = 0 then t else raise Failure
    | Nil, Cons (v, t) right' ->
        tc (Cons (v, t) Nil) right'
    | Cons (v1, t1) left', Cons (v2, t2) right' ->
        if v1 = v2 then tc left' (Cons (v1 - 1, Node t1 t2) right')
        else tc (Cons (v2, t2) left) right'
    end

end

(* Now soundness and completeness *)

module ZipperBased

  use Tree
  use list.Length
  use list.Reverse

  (* the following function generalizes function [depths] to a forest, that
     is a list of pairs (depth, tree) *)

  function forest_depths (f: list (int, tree)) : list int = match f with
  | Nil -> Nil
  | Cons (d, t) r -> depths d t ++ forest_depths r
  end

  (* an obvious lemma on [forest_depths] *)

  lemma forest_depths_append:
    forall f1 f2: list (int, tree).
    forest_depths (f1 ++ f2) = forest_depths f1 ++ forest_depths f2

  (* to prove completeness, one needs an invariant over the list [left].
     The main ingredient is predicate [greedy] below, which states that
     [d] is distinct from all depths along the left branch of [d1, t1]. *)

  predicate greedy (d: int) (d1: int) (t1: tree) =
    d <> d1 /\ match t1 with Leaf -> true | Node l1 _ -> greedy d (d1+1) l1 end

  (* then we extend it to a list of pairs [(dn,tn); ...; (d2,t2); (d1,t1)]
     as follows: [greedy d2 d1 t1], [greedy d3 d2 t2], etc.
     this is inductive predicate [g] *)

  inductive g (l: list (int, tree)) =
    | Gnil: g Nil
    | Gone: forall d: int, t: tree. g (Cons (d, t) Nil)
    | Gtwo: forall d1 d2: int, t1 t2: tree, l: list (int, tree).
        greedy d1 d2 t2 -> g (Cons (d1, t1) l) ->
        g (Cons (d2, t2) (Cons (d1, t1) l))

  (* an easy lemma on [g] *)

  lemma g_append:
    forall l1 [@induction] l2: list (int, tree). g (l1 ++ l2) -> g l1

  (* key lemma for completeness: whenever we fail because [right] is empty,
     we have to prove that there is no solution

     Note: the proof first generalizes the statement as follows:
       forest_depths ((d1,t1) :: l) <> depths d t + s
     whenever d < d1 (see the corresponding Coq file) *)

  lemma depths_length: forall t d. length (depths d t) >= 1
  lemma forest_depths_length: forall l. length (forest_depths l) >= 0
  lemma g_tail: forall l1 l2: list (int, tree). g (l1 ++ l2) -> g l2

  lemma key_lemma : forall t l d d1 t1 s. d < d1 ->
    1 <= length l -> g (reverse (Cons (d1, t1) l)) ->
    not (forest_depths (Cons (d1, t1) l) = (depths d t) ++ s)

  lemma right_nil:
    forall l: list (int, tree). length l >= 2 -> g l ->
    forall t: tree, d: int.
    forest_depths (reverse l) <> depths d t

  (* key lemma for soundness: preservation of the invariant when we move
     a tree from [right] to [left] *)

  lemma main_lemma:
    forall l: list (int, tree), d1 d2: int, t1 t2: tree. d1 <> d2 ->
    g (Cons (d1, t1) l) ->
    match t2 with Node l2 _ -> greedy d1 (d2+1) l2 | Leaf -> true end ->
    g (Cons (d2, t2) (Cons (d1, t1) l))

  (* finally, we need a predicate to state that a forest [l] contains only
     leaves *)

  predicate only_leaf (l: list (int, tree)) = match l with
    | Nil -> true
    | Cons (_, t) r -> t = Leaf /\ only_leaf r
  end

  exception Failure

  let rec tc (left: list (int, tree)) (right: list (int, tree)) : tree
    requires { (* list [left] satisfies the invariant *)
      g left /\
      (* when [left] has one element, it can't be a solution *)
      match left with Cons (d1, _) Nil -> d1 <> 0 \/ right <> Nil
                    | _                -> true                    end /\
      (* apart (possibly) from its head, all elements in [right] are leaves;
         moreover the left branch of [right]'s head already satisfies
         invariant [g] when consed to [left] *)
      match right with
        | Cons (d2, t2) right' -> only_leaf right' /\
            match t2 with Node l2 _ -> g (Cons (d2+1, l2) left)
                        | Leaf      -> true end
        | Nil -> true end }
    variant { length left + 2 * length right }
    ensures { depths 0 result = forest_depths (reverse left ++ right) }
    raises { Failure ->
      forall t: tree. depths 0 t <> forest_depths (reverse left ++ right) }
  = match left, right with
    | _, Nil ->
        raise Failure
    | Nil, Cons (v, t) Nil ->
        if v = 0 then t else raise Failure
    | Nil, Cons (v, t) right' ->
        tc (Cons (v, t) Nil) right'
    | Cons (v1, t1) left', Cons (v2, t2) right' ->
        if v1 = v2 then tc left' (Cons (v1 - 1, Node t1 t2) right')
        else tc (Cons (v2, t2) left) right'
    end

  (* Getting function [build] from [tc] is easy: from the list
     [x1; x2; ...; xn] we simply build the list of pairs
     [(x1, Leaf); (x2, Leaf); ...; (xn, Leaf)].
     Function [map_leaf] below does this. *)

  let rec function map_leaf (l: list int) : list (int, tree) =
    match l with
    | Nil -> Nil
    | Cons d r -> Cons (d, Leaf) (map_leaf r)
    end

  (* two lemmas on [map_leaf] *)

  lemma map_leaf_depths:
    forall l: list int. forest_depths (map_leaf l) = l

  lemma map_leaf_only_leaf:
    forall l: list int. only_leaf (map_leaf l)

  let build (s: list int)
    ensures { depths 0 result = s }
    raises  { Failure -> forall t: tree. depths 0 t <> s }
  = tc Nil (map_leaf s)

end
why3-1.6.0/examples/vstte12_tree_reconstruction/000077500000000000000000000000001440160026300217125ustar00rootroot00000000000000why3-1.6.0/examples/vstte12_tree_reconstruction/vstte12_tree_reconstruction_Harness_VC_harness2_1.v000066400000000000000000000071571440160026300337030ustar00rootroot00000000000000(* This file is generated by Why3's Coq driver *)
(* Beware! Only edit allowed sections below    *)
Require Import BuiltIn.
Require BuiltIn.
Require int.Int.
Require list.List.
Require list.Length.
Require list.Mem.
Require list.HdTlNoOpt.
Require list.Append.

(* Why3 assumption *)
Inductive tree :=
  | Leaf : tree
  | Node : tree -> tree -> tree.
Axiom tree_WhyType : WhyType tree.
Existing Instance tree_WhyType.

(* Why3 assumption *)
Fixpoint depths (d:Numbers.BinNums.Z)
  (t:tree) {struct t}: Init.Datatypes.list Numbers.BinNums.Z :=
  match t with
  | Leaf => Init.Datatypes.cons d Init.Datatypes.nil
  | Node l r =>
      Init.Datatypes.app (depths (d + 1%Z)%Z l) (depths (d + 1%Z)%Z r)
  end.

Axiom depths_head :
  forall (t:tree) (d:Numbers.BinNums.Z),
  match depths d t with
  | Init.Datatypes.cons x _ => (d <= x)%Z
  | Init.Datatypes.nil => False
  end.

Axiom depths_unique :
  forall (t1:tree) (t2:tree) (d:Numbers.BinNums.Z)
    (s1:Init.Datatypes.list Numbers.BinNums.Z)
    (s2:Init.Datatypes.list Numbers.BinNums.Z),
  ((Init.Datatypes.app (depths d t1) s1) =
   (Init.Datatypes.app (depths d t2) s2)) ->
  (t1 = t2) /\ (s1 = s2).

Axiom depths_prefix :
  forall (t:tree) (d1:Numbers.BinNums.Z) (d2:Numbers.BinNums.Z)
    (s1:Init.Datatypes.list Numbers.BinNums.Z)
    (s2:Init.Datatypes.list Numbers.BinNums.Z),
  ((Init.Datatypes.app (depths d1 t) s1) =
   (Init.Datatypes.app (depths d2 t) s2)) ->
  (d1 = d2).

Axiom depths_prefix_simple :
  forall (t:tree) (d1:Numbers.BinNums.Z) (d2:Numbers.BinNums.Z),
  ((depths d1 t) = (depths d2 t)) -> (d1 = d2).

Axiom depths_subtree :
  forall (t1:tree) (t2:tree) (d1:Numbers.BinNums.Z) (d2:Numbers.BinNums.Z)
    (s1:Init.Datatypes.list Numbers.BinNums.Z),
  ((Init.Datatypes.app (depths d1 t1) s1) = (depths d2 t2)) -> (d2 <= d1)%Z.

Axiom depths_unique2 :
  forall (t1:tree) (t2:tree) (d1:Numbers.BinNums.Z) (d2:Numbers.BinNums.Z),
  ((depths d1 t1) = (depths d2 t2)) -> (d1 = d2) /\ (t1 = t2).

Lemma depths_length: 
  forall t d, (Length.length (depths d t) >= 1)%Z.
Proof.
  induction t; simpl; intuition.
  rewrite Append.Append_length.
  generalize (IHt1 (d+1))%Z.
  generalize (IHt2 (d+1))%Z.
  omega.
Qed.

(* Why3 goal *)
Theorem harness2'vc :
  forall (us:tree),
  ~ ((depths 0%Z us) =
     (Init.Datatypes.cons 1%Z
      (Init.Datatypes.cons 3%Z
       (Init.Datatypes.cons 2%Z (Init.Datatypes.cons 2%Z Init.Datatypes.nil))))).
Proof.
intro result.
intuition.
destruct result; simpl in H.
discriminate H.
destruct result1; simpl in H.
injection H. intro H1.
destruct result2; simpl in H1.
discriminate H1.
destruct result2_1; simpl in H1.
discriminate H1.
destruct result2_1_1; simpl in H1.
injection H1. intro H2.
destruct result2_1_2; simpl in H2.
discriminate H2.
clear H H1.
generalize (depths_length result2_1_2_1 4).
generalize (depths_length result2_1_2_2 4).
generalize (depths_length result2_2 2).
generalize (f_equal Length.length H2).
simpl.
do 2 (rewrite Append.Append_length).
omega.
(* 4 trees, 3 ints *)
clear H.
generalize (depths_length result2_1_1_1 4).
generalize (depths_length result2_1_1_2 4).
generalize (depths_length result2_1_2 3).
generalize (depths_length result2_2 2).
generalize (f_equal Length.length H1).
simpl.
do 3 (rewrite Append.Append_length).
omega.

destruct result1_1; simpl in H.
discriminate H.
destruct result1_1_1; simpl in H.
discriminate H.
(* 5 trees, 4 ints *)
generalize (depths_length result1_1_1_1 4).
generalize (depths_length result1_1_1_2 4).
generalize (depths_length result1_1_2 3).
generalize (depths_length result1_2 2).
generalize (depths_length result2 1).
generalize (f_equal Length.length H).
simpl.
do 4 (rewrite Append.Append_length).
omega.

Qed.
why3-1.6.0/examples/vstte12_tree_reconstruction/vstte12_tree_reconstruction_Harness_VC_harness_1.v000066400000000000000000000050601440160026300336100ustar00rootroot00000000000000(* This file is generated by Why3's Coq driver *)
(* Beware! Only edit allowed sections below    *)
Require Import BuiltIn.
Require BuiltIn.
Require int.Int.
Require list.List.
Require list.Length.
Require list.Mem.
Require list.HdTlNoOpt.
Require list.Append.

(* Why3 assumption *)
Inductive tree :=
  | Leaf : tree
  | Node : tree -> tree -> tree.
Axiom tree_WhyType : WhyType tree.
Existing Instance tree_WhyType.

(* Why3 assumption *)
Fixpoint depths (d:Numbers.BinNums.Z)
  (t:tree) {struct t}: Init.Datatypes.list Numbers.BinNums.Z :=
  match t with
  | Leaf => Init.Datatypes.cons d Init.Datatypes.nil
  | Node l r =>
      Init.Datatypes.app (depths (d + 1%Z)%Z l) (depths (d + 1%Z)%Z r)
  end.

Axiom depths_head :
  forall (t:tree) (d:Numbers.BinNums.Z),
  match depths d t with
  | Init.Datatypes.cons x _ => (d <= x)%Z
  | Init.Datatypes.nil => False
  end.

Axiom depths_unique :
  forall (t1:tree) (t2:tree) (d:Numbers.BinNums.Z)
    (s1:Init.Datatypes.list Numbers.BinNums.Z)
    (s2:Init.Datatypes.list Numbers.BinNums.Z),
  ((Init.Datatypes.app (depths d t1) s1) =
   (Init.Datatypes.app (depths d t2) s2)) ->
  (t1 = t2) /\ (s1 = s2).

Axiom depths_prefix :
  forall (t:tree) (d1:Numbers.BinNums.Z) (d2:Numbers.BinNums.Z)
    (s1:Init.Datatypes.list Numbers.BinNums.Z)
    (s2:Init.Datatypes.list Numbers.BinNums.Z),
  ((Init.Datatypes.app (depths d1 t) s1) =
   (Init.Datatypes.app (depths d2 t) s2)) ->
  (d1 = d2).

Axiom depths_prefix_simple :
  forall (t:tree) (d1:Numbers.BinNums.Z) (d2:Numbers.BinNums.Z),
  ((depths d1 t) = (depths d2 t)) -> (d1 = d2).

Axiom depths_subtree :
  forall (t1:tree) (t2:tree) (d1:Numbers.BinNums.Z) (d2:Numbers.BinNums.Z)
    (s1:Init.Datatypes.list Numbers.BinNums.Z),
  ((Init.Datatypes.app (depths d1 t1) s1) = (depths d2 t2)) -> (d2 <= d1)%Z.

Axiom depths_unique2 :
  forall (t1:tree) (t2:tree) (d1:Numbers.BinNums.Z) (d2:Numbers.BinNums.Z),
  ((depths d1 t1) = (depths d2 t2)) -> (d1 = d2) /\ (t1 = t2).

(* Why3 goal *)
Theorem harness'vc :
  forall (result:tree),
  ((depths 0%Z result) =
   (Init.Datatypes.cons 1%Z
    (Init.Datatypes.cons 3%Z
     (Init.Datatypes.cons 3%Z (Init.Datatypes.cons 2%Z Init.Datatypes.nil))))) ->
  (result = (Node Leaf (Node (Node Leaf Leaf) Leaf))).
Proof.
intuition.

rewrite <- (Append.Append_l_nil (depths 0 result)) in H.
rewrite <- (Append.Append_l_nil (cons 1%Z (cons 3%Z (cons 3%Z (cons 2%Z nil))))) in H.
assert (cons 1%Z (cons 3%Z (cons 3%Z (cons 2%Z nil))) = depths 0 (Node Leaf (Node (Node Leaf Leaf) Leaf))) by reflexivity.
rewrite H0 in H.
generalize (depths_unique _ _ _ _ _ H); intuition.

Qed.why3-1.6.0/examples/vstte12_tree_reconstruction/vstte12_tree_reconstruction_Harness_VC_harness_2.v000066400000000000000000000044021440160026300336100ustar00rootroot00000000000000(* This file is generated by Why3's Coq driver *)
(* Beware! Only edit allowed sections below    *)
Require Import BuiltIn.
Require BuiltIn.
Require int.Int.
Require list.List.
Require list.Length.
Require list.Mem.
Require list.HdTlNoOpt.
Require list.Append.

(* Why3 assumption *)
Inductive tree :=
  | Leaf : tree
  | Node : tree -> tree -> tree.
Axiom tree_WhyType : WhyType tree.
Existing Instance tree_WhyType.

(* Why3 assumption *)
Fixpoint depths (d:Numbers.BinNums.Z)
  (t:tree) {struct t}: Init.Datatypes.list Numbers.BinNums.Z :=
  match t with
  | Leaf => Init.Datatypes.cons d Init.Datatypes.nil
  | Node l r =>
      Init.Datatypes.app (depths (d + 1%Z)%Z l) (depths (d + 1%Z)%Z r)
  end.

Axiom depths_head :
  forall (t:tree) (d:Numbers.BinNums.Z),
  match depths d t with
  | Init.Datatypes.cons x _ => (d <= x)%Z
  | Init.Datatypes.nil => False
  end.

Axiom depths_unique :
  forall (t1:tree) (t2:tree) (d:Numbers.BinNums.Z)
    (s1:Init.Datatypes.list Numbers.BinNums.Z)
    (s2:Init.Datatypes.list Numbers.BinNums.Z),
  ((Init.Datatypes.app (depths d t1) s1) =
   (Init.Datatypes.app (depths d t2) s2)) ->
  (t1 = t2) /\ (s1 = s2).

Axiom depths_prefix :
  forall (t:tree) (d1:Numbers.BinNums.Z) (d2:Numbers.BinNums.Z)
    (s1:Init.Datatypes.list Numbers.BinNums.Z)
    (s2:Init.Datatypes.list Numbers.BinNums.Z),
  ((Init.Datatypes.app (depths d1 t) s1) =
   (Init.Datatypes.app (depths d2 t) s2)) ->
  (d1 = d2).

Axiom depths_prefix_simple :
  forall (t:tree) (d1:Numbers.BinNums.Z) (d2:Numbers.BinNums.Z),
  ((depths d1 t) = (depths d2 t)) -> (d1 = d2).

Axiom depths_subtree :
  forall (t1:tree) (t2:tree) (d1:Numbers.BinNums.Z) (d2:Numbers.BinNums.Z)
    (s1:Init.Datatypes.list Numbers.BinNums.Z),
  ((Init.Datatypes.app (depths d1 t1) s1) = (depths d2 t2)) -> (d2 <= d1)%Z.

Axiom depths_unique2 :
  forall (t1:tree) (t2:tree) (d1:Numbers.BinNums.Z) (d2:Numbers.BinNums.Z),
  ((depths d1 t1) = (depths d2 t2)) -> (d1 = d2) /\ (t1 = t2).

(* Why3 goal *)
Theorem harness'vc :
  ~ (forall (t:tree),
     ~ ((depths 0%Z t) =
        (Init.Datatypes.cons 1%Z
         (Init.Datatypes.cons 3%Z
          (Init.Datatypes.cons 3%Z
           (Init.Datatypes.cons 2%Z Init.Datatypes.nil)))))).
Proof.
intuition.
apply (H (Node Leaf (Node (Node Leaf Leaf) Leaf))).
reflexivity.

Qed.
vstte12_tree_reconstruction_TreeReconstruction_VC_build_rec_1.v000066400000000000000000000056131440160026300362600ustar00rootroot00000000000000why3-1.6.0/examples/vstte12_tree_reconstruction(* This file is generated by Why3's Coq driver *)
(* Beware! Only edit allowed sections below    *)
Require Import BuiltIn.
Require BuiltIn.
Require int.Int.
Require list.List.
Require list.Length.
Require list.Mem.
Require list.HdTlNoOpt.
Require list.Append.

(* Why3 assumption *)
Inductive tree :=
  | Leaf : tree
  | Node : tree -> tree -> tree.
Axiom tree_WhyType : WhyType tree.
Existing Instance tree_WhyType.

(* Why3 assumption *)
Fixpoint depths (d:Numbers.BinNums.Z)
  (t:tree) {struct t}: Init.Datatypes.list Numbers.BinNums.Z :=
  match t with
  | Leaf => Init.Datatypes.cons d Init.Datatypes.nil
  | Node l r =>
      Init.Datatypes.app (depths (d + 1%Z)%Z l) (depths (d + 1%Z)%Z r)
  end.

Axiom depths_head :
  forall (t:tree) (d:Numbers.BinNums.Z),
  match depths d t with
  | Init.Datatypes.cons x _ => (d <= x)%Z
  | Init.Datatypes.nil => False
  end.

Axiom depths_unique :
  forall (t1:tree) (t2:tree) (d:Numbers.BinNums.Z)
    (s1:Init.Datatypes.list Numbers.BinNums.Z)
    (s2:Init.Datatypes.list Numbers.BinNums.Z),
  ((Init.Datatypes.app (depths d t1) s1) =
   (Init.Datatypes.app (depths d t2) s2)) ->
  (t1 = t2) /\ (s1 = s2).

Axiom depths_prefix :
  forall (t:tree) (d1:Numbers.BinNums.Z) (d2:Numbers.BinNums.Z)
    (s1:Init.Datatypes.list Numbers.BinNums.Z)
    (s2:Init.Datatypes.list Numbers.BinNums.Z),
  ((Init.Datatypes.app (depths d1 t) s1) =
   (Init.Datatypes.app (depths d2 t) s2)) ->
  (d1 = d2).

Axiom depths_prefix_simple :
  forall (t:tree) (d1:Numbers.BinNums.Z) (d2:Numbers.BinNums.Z),
  ((depths d1 t) = (depths d2 t)) -> (d1 = d2).

Axiom depths_subtree :
  forall (t1:tree) (t2:tree) (d1:Numbers.BinNums.Z) (d2:Numbers.BinNums.Z)
    (s1:Init.Datatypes.list Numbers.BinNums.Z),
  ((Init.Datatypes.app (depths d1 t1) s1) = (depths d2 t2)) -> (d2 <= d1)%Z.

Axiom depths_unique2 :
  forall (t1:tree) (t2:tree) (d1:Numbers.BinNums.Z) (d2:Numbers.BinNums.Z),
  ((depths d1 t1) = (depths d2 t2)) -> (d1 = d2) /\ (t1 = t2).

(* Why3 goal *)
Theorem build_rec'vc :
  forall (d:Numbers.BinNums.Z) (s:Init.Datatypes.list Numbers.BinNums.Z),
  forall (x:Numbers.BinNums.Z) (x1:Init.Datatypes.list Numbers.BinNums.Z),
  (s = (Init.Datatypes.cons x x1)) -> ~ (x < d)%Z -> ~ (x = d) ->
  forall (l:tree) (s1:Init.Datatypes.list Numbers.BinNums.Z),
  (s = (Init.Datatypes.app (depths (d + 1%Z)%Z l) s1)) ->
  (forall (t:tree) (s':Init.Datatypes.list Numbers.BinNums.Z),
   ~ ((Init.Datatypes.app (depths (d + 1%Z)%Z t) s') = s1)) ->
  forall (t:tree) (s':Init.Datatypes.list Numbers.BinNums.Z),
  ~ ((Init.Datatypes.app (depths d t) s') = s).
Proof.
(*intros d s x x1 h1 h2 h3 o o1 h4 h5 t s'.*)
intros d s x x1 h1 h2 h3 result result1 h4 h5 t s'.
subst.
intuition.
destruct t as [_|t1 t2].
(* t = Leaf *)
simpl in H.
injection H.
omega.
(* t = Node t1 t2 *)
simpl in H.
rewrite <- Append.Append_assoc in H.
rewrite h4 in H.
generalize (depths_unique _ _ _ _ _ H).
intuition.
subst t1.
apply (h5 t2 s'); intuition.
Qed.vstte12_tree_reconstruction_TreeReconstruction_VC_build_rec_2.v000066400000000000000000000051731440160026300362620ustar00rootroot00000000000000why3-1.6.0/examples/vstte12_tree_reconstruction(* This file is generated by Why3's Coq driver *)
(* Beware! Only edit allowed sections below    *)
Require Import BuiltIn.
Require BuiltIn.
Require int.Int.
Require list.List.
Require list.Length.
Require list.Mem.
Require list.HdTlNoOpt.
Require list.Append.

(* Why3 assumption *)
Inductive tree :=
  | Leaf : tree
  | Node : tree -> tree -> tree.
Axiom tree_WhyType : WhyType tree.
Existing Instance tree_WhyType.

(* Why3 assumption *)
Fixpoint depths (d:Numbers.BinNums.Z)
  (t:tree) {struct t}: Init.Datatypes.list Numbers.BinNums.Z :=
  match t with
  | Leaf => Init.Datatypes.cons d Init.Datatypes.nil
  | Node l r =>
      Init.Datatypes.app (depths (d + 1%Z)%Z l) (depths (d + 1%Z)%Z r)
  end.

Axiom depths_head :
  forall (t:tree) (d:Numbers.BinNums.Z),
  match depths d t with
  | Init.Datatypes.cons x _ => (d <= x)%Z
  | Init.Datatypes.nil => False
  end.

Axiom depths_unique :
  forall (t1:tree) (t2:tree) (d:Numbers.BinNums.Z)
    (s1:Init.Datatypes.list Numbers.BinNums.Z)
    (s2:Init.Datatypes.list Numbers.BinNums.Z),
  ((Init.Datatypes.app (depths d t1) s1) =
   (Init.Datatypes.app (depths d t2) s2)) ->
  (t1 = t2) /\ (s1 = s2).

Axiom depths_prefix :
  forall (t:tree) (d1:Numbers.BinNums.Z) (d2:Numbers.BinNums.Z)
    (s1:Init.Datatypes.list Numbers.BinNums.Z)
    (s2:Init.Datatypes.list Numbers.BinNums.Z),
  ((Init.Datatypes.app (depths d1 t) s1) =
   (Init.Datatypes.app (depths d2 t) s2)) ->
  (d1 = d2).

Axiom depths_prefix_simple :
  forall (t:tree) (d1:Numbers.BinNums.Z) (d2:Numbers.BinNums.Z),
  ((depths d1 t) = (depths d2 t)) -> (d1 = d2).

Axiom depths_subtree :
  forall (t1:tree) (t2:tree) (d1:Numbers.BinNums.Z) (d2:Numbers.BinNums.Z)
    (s1:Init.Datatypes.list Numbers.BinNums.Z),
  ((Init.Datatypes.app (depths d1 t1) s1) = (depths d2 t2)) -> (d2 <= d1)%Z.

Axiom depths_unique2 :
  forall (t1:tree) (t2:tree) (d1:Numbers.BinNums.Z) (d2:Numbers.BinNums.Z),
  ((depths d1 t1) = (depths d2 t2)) -> (d1 = d2) /\ (t1 = t2).

(* Why3 goal *)
Theorem build_rec'vc :
  forall (d:Numbers.BinNums.Z) (s:Init.Datatypes.list Numbers.BinNums.Z),
  forall (x:Numbers.BinNums.Z) (x1:Init.Datatypes.list Numbers.BinNums.Z),
  (s = (Init.Datatypes.cons x x1)) -> ~ (x < d)%Z -> ~ (x = d) ->
  (forall (t:tree) (s':Init.Datatypes.list Numbers.BinNums.Z),
   ~ ((Init.Datatypes.app (depths (d + 1%Z)%Z t) s') = s)) ->
  forall (t:tree) (s':Init.Datatypes.list Numbers.BinNums.Z),
  ~ ((Init.Datatypes.app (depths d t) s') = s).
Proof.
intros d s x x1 h1 h2 h3 h4 t s'.
subst.
intuition.
destruct t as [_|t1 t2].
(* t = Leaf *)
simpl in H.
injection H.
omega.
(* t = Node t1 t2 *)
simpl in H.
rewrite <- Append.Append_assoc in H.
apply (h4 _ _ H).

Qed.
vstte12_tree_reconstruction_WP_ZipperBased_forest_depths_append_1.v000066400000000000000000000042421440160026300371120ustar00rootroot00000000000000why3-1.6.0/examples/vstte12_tree_reconstruction(* This file is generated by Why3's Coq driver *)
(* Beware! Only edit allowed sections below    *)
Require Import BuiltIn.
Require BuiltIn.
Require int.Int.
Require list.List.
Require list.Length.
Require list.Mem.
Require list.Append.
Require list.Reverse.

(* Why3 assumption *)
Inductive tree :=
  | Leaf : tree
  | Node : tree -> tree -> tree.
Axiom tree_WhyType : WhyType tree.
Existing Instance tree_WhyType.

(* Why3 assumption *)
Fixpoint depths (d:Z) (t:tree) {struct t}: (list Z) :=
  match t with
  | Leaf => (Init.Datatypes.cons d Init.Datatypes.nil)
  | Node l r =>
      (Init.Datatypes.app (depths (d + 1%Z)%Z l) (depths (d + 1%Z)%Z r))
  end.

Axiom depths_head :
  forall (t:tree) (d:Z),
  match depths d t with
  | (Init.Datatypes.cons x _) => (d <= x)%Z
  | Init.Datatypes.nil => False
  end.

Axiom depths_unique :
  forall (t1:tree) (t2:tree) (d:Z) (s1:(list Z)) (s2:(list Z)),
  ((Init.Datatypes.app (depths d t1) s1) =
   (Init.Datatypes.app (depths d t2) s2)) ->
  (t1 = t2) /\ (s1 = s2).

Axiom depths_prefix :
  forall (t:tree) (d1:Z) (d2:Z) (s1:(list Z)) (s2:(list Z)),
  ((Init.Datatypes.app (depths d1 t) s1) =
   (Init.Datatypes.app (depths d2 t) s2)) ->
  (d1 = d2).

Axiom depths_prefix_simple :
  forall (t:tree) (d1:Z) (d2:Z), ((depths d1 t) = (depths d2 t)) -> (d1 = d2).

Axiom depths_subtree :
  forall (t1:tree) (t2:tree) (d1:Z) (d2:Z) (s1:(list Z)),
  ((Init.Datatypes.app (depths d1 t1) s1) = (depths d2 t2)) -> (d2 <= d1)%Z.

Axiom depths_unique2 :
  forall (t1:tree) (t2:tree) (d1:Z) (d2:Z),
  ((depths d1 t1) = (depths d2 t2)) -> (d1 = d2) /\ (t1 = t2).

(* Why3 assumption *)
Fixpoint forest_depths (f:(list (Z* tree)%type)) {struct f}: (list Z) :=
  match f with
  | Init.Datatypes.nil => Init.Datatypes.nil
  | (Init.Datatypes.cons (d, t) r) =>
      (Init.Datatypes.app (depths d t) (forest_depths r))
  end.

(* Why3 goal *)
Theorem forest_depths_append :
  forall (f1:(list (Z* tree)%type)) (f2:(list (Z* tree)%type)),
  ((forest_depths (Init.Datatypes.app f1 f2)) =
   (Init.Datatypes.app (forest_depths f1) (forest_depths f2))).
(* Why3 intros f1 f2. *)
induction f1; simpl; auto.
destruct a.
intro f2.
rewrite IHf1.
rewrite Append.Append_assoc; auto.
Qed.

vstte12_tree_reconstruction_WP_ZipperBased_right_nil_1.v000066400000000000000000000114421440160026300346710ustar00rootroot00000000000000why3-1.6.0/examples/vstte12_tree_reconstruction(* This file is generated by Why3's Coq driver *)
(* Beware! Only edit allowed sections below    *)
Require Import BuiltIn.
Require BuiltIn.
Require int.Int.
Require list.List.
Require list.Length.
Require list.Mem.
Require list.Append.
Require list.Reverse.

(* Why3 assumption *)
Inductive tree :=
  | Leaf : tree
  | Node : tree -> tree -> tree.
Axiom tree_WhyType : WhyType tree.
Existing Instance tree_WhyType.

(* Why3 assumption *)
Fixpoint depths (d:Z) (t:tree) {struct t}: (list Z) :=
  match t with
  | Leaf => (Init.Datatypes.cons d Init.Datatypes.nil)
  | Node l r =>
      (Init.Datatypes.app (depths (d + 1%Z)%Z l) (depths (d + 1%Z)%Z r))
  end.

Axiom depths_head :
  forall (t:tree) (d:Z),
  match depths d t with
  | (Init.Datatypes.cons x _) => (d <= x)%Z
  | Init.Datatypes.nil => False
  end.

Axiom depths_unique :
  forall (t1:tree) (t2:tree) (d:Z) (s1:(list Z)) (s2:(list Z)),
  ((Init.Datatypes.app (depths d t1) s1) =
   (Init.Datatypes.app (depths d t2) s2)) ->
  (t1 = t2) /\ (s1 = s2).

Axiom depths_prefix :
  forall (t:tree) (d1:Z) (d2:Z) (s1:(list Z)) (s2:(list Z)),
  ((Init.Datatypes.app (depths d1 t) s1) =
   (Init.Datatypes.app (depths d2 t) s2)) ->
  (d1 = d2).

Axiom depths_prefix_simple :
  forall (t:tree) (d1:Z) (d2:Z), ((depths d1 t) = (depths d2 t)) -> (d1 = d2).

Axiom depths_subtree :
  forall (t1:tree) (t2:tree) (d1:Z) (d2:Z) (s1:(list Z)),
  ((Init.Datatypes.app (depths d1 t1) s1) = (depths d2 t2)) -> (d2 <= d1)%Z.

Axiom depths_unique2 :
  forall (t1:tree) (t2:tree) (d1:Z) (d2:Z),
  ((depths d1 t1) = (depths d2 t2)) -> (d1 = d2) /\ (t1 = t2).

(* Why3 assumption *)
Fixpoint forest_depths (f:(list (Z* tree)%type)) {struct f}: (list Z) :=
  match f with
  | Init.Datatypes.nil => Init.Datatypes.nil
  | (Init.Datatypes.cons (d, t) r) =>
      (Init.Datatypes.app (depths d t) (forest_depths r))
  end.

Axiom forest_depths_append :
  forall (f1:(list (Z* tree)%type)) (f2:(list (Z* tree)%type)),
  ((forest_depths (Init.Datatypes.app f1 f2)) =
   (Init.Datatypes.app (forest_depths f1) (forest_depths f2))).

(* Why3 assumption *)
Fixpoint greedy (d:Z) (d1:Z) (t1:tree) {struct t1}: Prop :=
  ~ (d = d1) /\
  match t1 with
  | Leaf => True
  | Node l1 _ => greedy d (d1 + 1%Z)%Z l1
  end.

(* Why3 assumption *)
Inductive g: (list (Z* tree)%type) -> Prop :=
  | Gnil : g Init.Datatypes.nil
  | Gone :
      forall (d:Z) (t:tree),
      g (Init.Datatypes.cons (d, t) Init.Datatypes.nil)
  | Gtwo :
      forall (d1:Z) (d2:Z) (t1:tree) (t2:tree) (l:(list (Z* tree)%type)),
      (greedy d1 d2 t2) -> (g (Init.Datatypes.cons (d1, t1) l)) ->
      g (Init.Datatypes.cons (d2, t2) (Init.Datatypes.cons (d1, t1) l)).

Axiom g_append :
  forall (l1:(list (Z* tree)%type)) (l2:(list (Z* tree)%type)),
  (g (Init.Datatypes.app l1 l2)) -> g l1.

Axiom depths_length :
  forall (t:tree) (d:Z), (1%Z <= (list.Length.length (depths d t)))%Z.

Axiom forest_depths_length :
  forall (l:(list (Z* tree)%type)),
  (0%Z <= (list.Length.length (forest_depths l)))%Z.

Axiom g_tail :
  forall (l1:(list (Z* tree)%type)) (l2:(list (Z* tree)%type)),
  (g (Init.Datatypes.app l1 l2)) -> g l2.

Axiom key_lemma :
  forall (t:tree) (l:(list (Z* tree)%type)) (d:Z) (d1:Z) (t1:tree)
    (s:(list Z)),
  (d < d1)%Z -> (1%Z <= (list.Length.length l))%Z ->
  (g (Lists.List.rev (Init.Datatypes.cons (d1, t1) l))) ->
  ~ ((forest_depths (Init.Datatypes.cons (d1, t1) l)) =
     (Init.Datatypes.app (depths d t) s)).

(* Why3 goal *)
Theorem right_nil :
  forall (l:(list (Z* tree)%type)), (2%Z <= (list.Length.length l))%Z ->
  (g l) -> forall (t:tree) (d:Z),
  ~ ((forest_depths (Lists.List.rev l)) = (depths d t)).
(* Why3 intros l h1 h2 t d. *)
intros l H hg.
replace l with (List.rev (List.rev l)) in H, hg. 2:apply Reverse.reverse_reverse.
generalize H; clear H. generalize hg; clear hg.
generalize (List.rev l). clear l.

destruct l.
(* l = Nil => contradiction *)
intros.
simpl in H. omega.
(* l = Cons *)
intros. destruct p as (d1, t1).
intros eq.
assert (d < d1)%Z.
  simpl in eq.
  assert (d <= d1)%Z. apply (depths_subtree _ _ _ _ _ eq).
  assert (d <> d1)%Z. intro.
  subst.
  assert (depths d1 t = app (depths d1 t) nil). auto with *.
  assert (t = t1). rewrite H1 in eq. generalize (depths_unique _ _ _ _ _ eq).
   intuition.
  subst.
  assert (forest_depths l = nil). rewrite H1 in eq at 2.
    generalize (depths_unique _ _ _ _ _ eq). intuition.
  simpl in H.
  destruct l. simpl in H. omega.
  assert (cons p l = nil).
  destruct (cons p l); auto.
  simpl in H2. destruct p0. 
    generalize (depths_head t z). destruct (depths z t). intuition.
    simpl in H2. discriminate H2.
  discriminate H3.
  omega.
generalize eq; clear eq.
replace (depths d t) with (app (depths d t) nil).
   2:rewrite Append.Append_l_nil; trivial.
apply key_lemma; auto.
simpl in H. 
rewrite Append.Append_length in H.
rewrite Reverse.Reverse_length in H. simpl in H.
omega.
Qed.
vstte12_tree_reconstruction_ZipperBased_key_lemma_2.v000066400000000000000000000154321440160026300342530ustar00rootroot00000000000000why3-1.6.0/examples/vstte12_tree_reconstruction(* This file is generated by Why3's Coq driver *)
(* Beware! Only edit allowed sections below    *)
Require Import BuiltIn.
Require BuiltIn.
Require int.Int.
Require list.List.
Require list.Length.
Require list.Mem.
Require list.Append.
Require list.Reverse.

(* Why3 assumption *)
Inductive tree :=
  | Leaf : tree
  | Node : tree -> tree -> tree.
Axiom tree_WhyType : WhyType tree.
Existing Instance tree_WhyType.

(* Why3 assumption *)
Fixpoint depths (d:Z) (t:tree) {struct t}: (list Z) :=
  match t with
  | Leaf => (Init.Datatypes.cons d Init.Datatypes.nil)
  | Node l r =>
      (Init.Datatypes.app (depths (d + 1%Z)%Z l) (depths (d + 1%Z)%Z r))
  end.

Axiom depths_head :
  forall (t:tree) (d:Z),
  match depths d t with
  | (Init.Datatypes.cons x _) => (d <= x)%Z
  | Init.Datatypes.nil => False
  end.

Axiom depths_unique :
  forall (t1:tree) (t2:tree) (d:Z) (s1:(list Z)) (s2:(list Z)),
  ((Init.Datatypes.app (depths d t1) s1) =
   (Init.Datatypes.app (depths d t2) s2)) ->
  (t1 = t2) /\ (s1 = s2).

Axiom depths_prefix :
  forall (t:tree) (d1:Z) (d2:Z) (s1:(list Z)) (s2:(list Z)),
  ((Init.Datatypes.app (depths d1 t) s1) =
   (Init.Datatypes.app (depths d2 t) s2)) ->
  (d1 = d2).

Axiom depths_prefix_simple :
  forall (t:tree) (d1:Z) (d2:Z), ((depths d1 t) = (depths d2 t)) -> (d1 = d2).

Axiom depths_subtree :
  forall (t1:tree) (t2:tree) (d1:Z) (d2:Z) (s1:(list Z)),
  ((Init.Datatypes.app (depths d1 t1) s1) = (depths d2 t2)) -> (d2 <= d1)%Z.

Axiom depths_unique2 :
  forall (t1:tree) (t2:tree) (d1:Z) (d2:Z),
  ((depths d1 t1) = (depths d2 t2)) -> (d1 = d2) /\ (t1 = t2).

(* Why3 assumption *)
Fixpoint forest_depths (f:(list (Z* tree)%type)) {struct f}: (list Z) :=
  match f with
  | Init.Datatypes.nil => Init.Datatypes.nil
  | (Init.Datatypes.cons (d, t) r) =>
      (Init.Datatypes.app (depths d t) (forest_depths r))
  end.

Axiom forest_depths_append :
  forall (f1:(list (Z* tree)%type)) (f2:(list (Z* tree)%type)),
  ((forest_depths (Init.Datatypes.app f1 f2)) =
   (Init.Datatypes.app (forest_depths f1) (forest_depths f2))).

(* Why3 assumption *)
Fixpoint greedy (d:Z) (d1:Z) (t1:tree) {struct t1}: Prop :=
  ~ (d = d1) /\
  match t1 with
  | Leaf => True
  | Node l1 _ => greedy d (d1 + 1%Z)%Z l1
  end.

(* Why3 assumption *)
Inductive g: (list (Z* tree)%type) -> Prop :=
  | Gnil : g Init.Datatypes.nil
  | Gone :
      forall (d:Z) (t:tree),
      g (Init.Datatypes.cons (d, t) Init.Datatypes.nil)
  | Gtwo :
      forall (d1:Z) (d2:Z) (t1:tree) (t2:tree) (l:(list (Z* tree)%type)),
      (greedy d1 d2 t2) -> (g (Init.Datatypes.cons (d1, t1) l)) ->
      g (Init.Datatypes.cons (d2, t2) (Init.Datatypes.cons (d1, t1) l)).

Axiom g_append :
  forall (l1:(list (Z* tree)%type)) (l2:(list (Z* tree)%type)),
  (g (Init.Datatypes.app l1 l2)) -> g l1.

Axiom depths_length :
  forall (t:tree) (d:Z), (1%Z <= (list.Length.length (depths d t)))%Z.

Axiom forest_depths_length :
  forall (l:(list (Z* tree)%type)),
  (0%Z <= (list.Length.length (forest_depths l)))%Z.

Axiom g_tail :
  forall (l1:(list (Z* tree)%type)) (l2:(list (Z* tree)%type)),
  (g (Init.Datatypes.app l1 l2)) -> g l2.

(* Why3 goal *)
Theorem key_lemma :
  forall (t:tree) (l:(list (Z* tree)%type)) (d:Z) (d1:Z) (t1:tree)
    (s:(list Z)),
  (d < d1)%Z -> (1%Z <= (list.Length.length l))%Z ->
  (g (Lists.List.rev (Init.Datatypes.cons (d1, t1) l))) ->
  ~ ((forest_depths (Init.Datatypes.cons (d1, t1) l)) =
     (Init.Datatypes.app (depths d t) s)).
(* Why3 intros t l d d1 t1 s h1 h2 h3. *)
Proof.
induction t; simpl.
(* t = Leaf *)
intros.
generalize (depths_head t1 d1).
destruct (depths d1 t1); intuition.
simpl in H3. injection H3.
intros; omega.
(* t = Node _ _ *)
rename t1 into left, IHt1 into IHleft,
       t2 into right, IHt2 into IHright.
destruct l.
(* l = Nil *)
simpl; intros; omega.
(* l = Cons _ *)
destruct p as (d2, t2).
intros d d1 t1 s hdd1 hlen hg.
assert (hg2: g (app (List.rev l) (cons (d2, t2) nil))).
  simpl in hg. apply g_append with ((d1,t1)::nil)%list. assumption.
assert (hg12: g (app (cons (d2, t2) nil) (cons (d1, t1) nil))).
  simpl in hg. rewrite <- Append.Append_assoc in hg.
  apply g_tail with (List.rev l); assumption.
inversion hg12. subst. clear H5.
assert (ineq: (d1 <> d2)).
  destruct t2; simpl in H1; omega.
intros eq.
assert (case: (d2 < d1 \/ d1 < d2)%Z) by omega. destruct case as [case|case].
(* d2 < d1 *)
assert (L0: (forall t2 d1 d2, greedy d1 d2 t2 -> d2 < d1 ->
   match depths d2 t2 with cons x _ => x < d1 | Nil  => False end)%Z).
  induction t0.
  simpl; intros; omega.
  simpl.
  clear IHt0_2.
  intros d0 d3 (diseq, gr) lt.
  assert (d0 <> d3+1)%Z. 
    destruct t0_1; simpl in gr; omega.
  assert (d3+1 < d0)%Z.
    omega.
  generalize (IHt0_1 d0 (d3+1)%Z gr H0).
  destruct (depths (d3 + 1) t0_1).
  intuition.
  simpl; auto.
assert (L1: forall t d1 t1 l s d, (d < d1)%Z ->
  app (depths d1 t1) l = app (depths d t) s -> 
  match l with cons x _ => (x >= d1)%Z | Nil => True end).
  clear L0 case eq ineq H1 hg12 hg2 hg hlen hdd1.
  clear s t1 d1 d l t2 d2 IHright IHleft right left.
  induction t; simpl.
  intros.
  generalize (depths_head t1 d1).
  destruct (depths d1 t1).
  intuition.
  destruct l; auto.
  simpl in H0. injection H0; intros; omega.
  intros.
  assert (case2: (d+1 = d1 \/ d+1 < d1)%Z) by omega. destruct case2.
  rewrite H1 in *.
  assert (l = app (depths d1 t2) s).
    rewrite <- Append.Append_assoc in H0.
    generalize (depths_unique _ _ _ _ _ H0); intros; intuition.
  generalize (depths_head t2 d1).
  subst l. destruct (depths d1 t2).
  intuition. simpl. omega. 
  clear IHt2.
  apply (IHt1 d1 t0 l (app (depths (d+1) t2) s) (d+1))%Z; auto.
  rewrite Append.Append_assoc; assumption.

generalize eq.
pose (l0 := (app (depths d2 t2) (forest_depths l))).
generalize (depths_head t2 d2).
generalize (L0 t2 d1 d2 H1 case); clear L0.
generalize (L1 (Node left right) d1 t1 l0 s d hdd1 eq).
subst l0.
destruct (depths d2 t2).
intuition.
simpl.
intros; omega.

(* d1 < d2 *)
assert (case2: (d+1 = d1 \/ d+1 < d1)%Z) by omega. destruct case2.
(* d+1 = d1 *)
rewrite H in *.
assert (t1 = left).
  rewrite <- Append.Append_assoc in eq.
  generalize (depths_unique _ _ _ _ _ eq); intuition.
subst t1.
assert (forest_depths (cons (d2, t2) l) = app (depths d1 right) s).
  rewrite <- Append.Append_assoc in eq.
  generalize (depths_unique _ _ _ _ _ eq); intuition.
clear eq.
destruct l.
(* l = Nil => contradiction *)
simpl in H0.
assert (d1 >= d2)%Z.
  rewrite Append.Append_l_nil in H0. symmetry in H0.
  generalize (depths_subtree _ _ _ _ _ H0); omega.
omega.
(* l = Cons _ _ *)
clear IHleft.
apply (IHright (cons p l) d1 d2 t2 s); auto.
replace (Length.length (p::l)) with (1+Length.length l)%Z.
  generalize (Length.Length_nonnegative l).
  omega.
  trivial.
(* d+1 < d1 *)
clear IHright.
apply (IHleft (cons (d2, t2) l) (d+1) d1 t1 (app (depths (d+1) right) s))%Z; auto.
simpl. simpl in eq. rewrite <- Append.Append_assoc in eq. assumption.
Qed.
why3-1.6.0/examples/vstte12_tree_reconstruction/why3session.xml000066400000000000000000000253531440160026300247420ustar00rootroot00000000000000










 
 
  
  
  
 
 
 
 
 
 
 
  
  
  
 
 
 
 
 
 
 
 
 
 
 


 
 
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
 
 
 
 
 


 
 
  
  
  
  
  
  
 
 
 
 
 


 
 
 


 
 
 
 
 
  
  
  
 
 
 
 
  
  
  
 
 
 
 
  
  
  
 
 
 
 
  
  
  
 
 
 
 
 
 
 
 
 
 
 
 
 
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
 
 
 
 
  
  
  
 
 
 
 
  
  
  
 
 
 
 
 



why3-1.6.0/examples/vstte12_tree_reconstruction/why3shapes.gz000066400000000000000000000076771440160026300243730ustar00rootroot00000000000000[[o#7~ׯ9Y Y.c0Eؼ̱=;bn],q6;IxfŪ绋syWyx]\]֩NƫO5\>?}xd'&d0i&:'HхC3BS.]aO?k.NӫAa";?.zhF[l#7/u41 [:V77M%h6/uhj[&}gl;dyO.Y+1n^]#mVD|؈n)t.5ti.kh73UhݛCxg\1 =-Ep12#DFr4|
0MGl#BM0$	)цT[#0xRS*݆&}!B~gX&	~20h!;@Y1VsxEM%fYlHo8 -mUCz{LP;mϠ#9`ٴ]>~JxrS>L 6ۙP
d'_|>}w x"n2?/e.ˁF3		%]mhu{^s! q[Ǜ	d7_.~|{CeD(;s||'\޼QR߅pm,*jɺgWImrYWia|ۚM'֖K@SI_rg~;qj@//VVwCZ{TH
;yԚ\1lO_Ysf~<.zf':
(sRG_lv38X}<s㋎];S1YJȇ	9榕LtNT'/࣐mG5ɿ8T~2RPQP۩Z^k2W{%zSBT
~boq?KxߩU|ߎhm˦CgaڳrMQ>BkQɅCyo/W/@8>i[Δmї>mj'c@׏ίѕr3&eWa^Qm v
⩄+̽=KCCG)={h-l9b<ۦX~n]:(mg(p3d_hhnDg+
=:5420xp_yշ+弧B*ڍ
|`'.9Yp/fQ_O~wߞLk%b/n7$G~WO_[LpB}.
X{+Fc5e83lގ

gaO1&ɓ޼=1+2~6%¤SHv7ӝ%{
9njT|6cSC4]`{+&*:{_-{njMAnأBfY]^=
2E=/x?~.Hgώ}:>O%7b}wq/K'=oY0~Q0;'oKnYo4kh"bZQт{پ-(ѝ,Vhf
NQWl-)w??A
/0ŋXo8upe~&r;i,UڳUU	{<ڭh񲣝<[oB陉r0c8eI^nt|
0ڝe6}݌
lS)wS(	ꮤ\qtoqcܙP@\WpO
>y]281;s;1ko/a?ѮQNf\Yko~`rt	6$mwX)@
bt3u3IsW<PxMGm! \j~UnGDXzwc^'݆~2sV7UxX޷]~N?Dzk}U_gGxerbJ{ݺ>'au%oVfSM.-=vs%6'Bx(cwR<~6)"bDHT*X#&
%p!BlHXYF4HL(Ƀ[	O(.d'cﴹY	\	쌔	ܵDQ._}"Y3&Bxu%lvJ՜OD?}ֽ֚ha^ڨɈXa;|BI™R]ˉxQ'_L/{D2>i\0^(ٛ4>f[uzrZBX/OCP&DX4Q[LvƁ0:ZLpՈ,`vc)H}/e{~]xm3L'"8I**^|\M\*)&	XT/*~`Y%#Op_!R	tk]_*΁>jmo5EUZOd)(&h/\^h+F^90R%p@Խ, P}dAy"O]	ܐJFLWكATM 4jKY/kvX$#2ΣDԬ̩cD"h;G=]˱72GF:SC@WnDDPYR$rO ǗX"w7|@<(3q舃("8-F"J^C8tB)@Kf])"n+oXlGc˄aЊ$Pvs|wIN HʠHQQy*/n.7.
>b-oPųmwǗGYsVB
GJ((խ㴑TZglE0ŷk4$R`M=!w9BAHp
8
e-М)їX@(8
(l}6(zH**sSc_l=Nz(&G]"[:{ܗ6DHSdޤl?κ@Fzc	"XYg	^Wi2qvs7u*:~u	y95ǹA=q8Y~\&x4}
fqBM nDӊvLTh%MAk?)To-CFtj-;κFXjO
)~"	Q[w玳N"H49E4@6ۭ"ē ~B.NgB1sp9tHl 1űC(g۾{Y le a[i1] a[i2]

  let two_way_sort (a: array bool)
    ensures { sorted a }
    ensures { permut_all (old a) a }
  = let i = ref 0 in
    let j = ref (length a - 1) in
    while !i < !j do
      invariant { 0 <= !i /\ !j < length a }
      invariant { forall k: int. 0 <= k < !i -> a[k] = False }
      invariant { forall k: int. !j < k < length a -> a[k] = True }
      invariant { permut_all (old a) a }
      variant   { !j - !i }
      if not a[!i] then incr i
      else if a[!j] then decr j
      else begin swap a !i !j; incr i; decr j end
    done

end
why3-1.6.0/examples/vstte12_two_way_sort/000077500000000000000000000000001440160026300203525ustar00rootroot00000000000000why3-1.6.0/examples/vstte12_two_way_sort/why3session.xml000066400000000000000000000011201440160026300233640ustar00rootroot00000000000000






 
 
 



why3-1.6.0/examples/vstte12_two_way_sort/why3shapes.gz000066400000000000000000000006531440160026300230160ustar00rootroot00000000000000}SMo0+m4)i=T*&GCFtZP?;yzߪvTUكSE˪Qk
3Α:%PM500d2 9@+-q;.+(	>R
zKTE4?:Z,>;f	&;ScScU8O path m i j k
  | Path_cons:
      forall m: matrix bool, i x j k: int.
      0 <= x < k -> path m i x k -> path m x j k -> path m i j k

  lemma weakening:
    forall m i j k1 k2. 0 <= k1 <= k2 ->
    path m i j k1 -> path m i j k2

  lemma decomposition:
    forall m k. 0 <= k -> forall i j. path m i j (k+1) ->
      (path m i j k \/ (path m i k k /\ path m k j k))

  let transitive_closure (m: matrix bool) : matrix bool
    requires { m.rows = m.columns }
    ensures  { let n = m.rows in
               forall x y: int. 0 <= x < n -> 0 <= y < n ->
               result.elts x y <-> path m x y n }
  =
    let t = copy m in
    let n = m.rows in
    for k = 0 to n - 1 do
      invariant { forall x y. 0 <= x < n -> 0 <= y < n ->
                  t.elts x y <-> path m x y k }
      for i = 0 to n - 1 do
        invariant { forall x y. 0 <= x < n -> 0 <= y < n ->
                    t.elts x y <->
                    if x < i
                    then path m x y (k+1)
                    else path m x y k }
        for j = 0 to n - 1 do
          invariant { forall x y. 0 <= x < n -> 0 <= y < n ->
                      t.elts x y <->
                      if x < i \/ (x = i /\ y < j)
                      then path m x y (k+1)
                      else path m x y k }
          set t i j (get t i j || get t i k && get t k j)
        done
      done
    done;
    t

end
why3-1.6.0/examples/warshall_algorithm/000077500000000000000000000000001440160026300201055ustar00rootroot00000000000000why3-1.6.0/examples/warshall_algorithm/warshall_algorithm_WarshallAlgorithm_decomposition_1.v000066400000000000000000000040541440160026300330420ustar00rootroot00000000000000(* This file is generated by Why3's Coq driver *)
(* Beware! Only edit allowed sections below    *)
Require Import BuiltIn.
Require BuiltIn.
Require HighOrd.
Require int.Int.
Require map.Map.

(* Why3 assumption *)
Definition unit := unit.

Axiom matrix : forall (a:Type), Type.
Parameter matrix_WhyType : forall (a:Type) {a_WT:WhyType a},
  WhyType (matrix a).
Existing Instance matrix_WhyType.

Parameter elts: forall {a:Type} {a_WT:WhyType a}, (matrix a) -> (Z -> (Z ->
  a)).

Parameter rows: forall {a:Type} {a_WT:WhyType a}, (matrix a) -> Z.

Parameter columns: forall {a:Type} {a_WT:WhyType a}, (matrix a) -> Z.

Axiom matrix'invariant : forall {a:Type} {a_WT:WhyType a},
  forall (self:(matrix a)), (0%Z <= (rows self))%Z /\
  (0%Z <= (columns self))%Z.

(* Why3 assumption *)
Definition valid_index {a:Type} {a_WT:WhyType a} (a1:(matrix a)) (r:Z)
  (c:Z): Prop := ((0%Z <= r)%Z /\ (r < (rows a1))%Z) /\ ((0%Z <= c)%Z /\
  (c < (columns a1))%Z).

(* Why3 assumption *)
Inductive path: (matrix bool) -> Z -> Z -> Z -> Prop :=
  | Path_empty : forall (m:(matrix bool)) (i:Z) (j:Z) (k:Z), ((((elts m) i)
      j) = true) -> (path m i j k)
  | Path_cons : forall (m:(matrix bool)) (i:Z) (x:Z) (j:Z) (k:Z),
      ((0%Z <= x)%Z /\ (x < k)%Z) -> ((path m i x k) -> ((path m x j k) ->
      (path m i j k))).

Axiom weakening : forall (m:(matrix bool)) (i:Z) (j:Z) (k1:Z) (k2:Z),
  ((0%Z <= k1)%Z /\ (k1 <= k2)%Z) -> ((path m i j k1) -> (path m i j k2)).

Hint Constructors path.

(* Why3 goal *)
Theorem decomposition : forall (m:(matrix bool)) (k:Z), (0%Z <= k)%Z ->
  forall (i:Z) (j:Z), (path m i j (k + 1%Z)%Z) -> ((path m i j k) \/ ((path m
  i k k) /\ (path m k j k))).
(* Why3 intros m k h1 i j h2. *)
intros m k hk i j h.
remember (k+1)%Z as t in h.
induction h.
left; apply Path_empty; auto.
subst k0; intuition.
assert (case: (x=k \/ x < k)%Z) by omega. destruct case.
subst; eauto.
left; eauto.
assert (case: (x=k \/ x < k)%Z) by omega. destruct case.
subst x.
right; eauto.
right; eauto.
assert (case: (x=k \/ x < k)%Z) by omega. destruct case.
subst; eauto.
right; eauto.
Qed.

why3-1.6.0/examples/warshall_algorithm/why3session.xml000066400000000000000000000104411440160026300231250ustar00rootroot00000000000000









 
 
  
  
  
  
  
  
 
 
 
 
 
 
 
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
   
   
   
   
   
   
   
   
   
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
 
 



why3-1.6.0/examples/warshall_algorithm/why3shapes.gz000066400000000000000000000044741440160026300225560ustar00rootroot00000000000000ZYo~_1.;5"ȀjlF)b5ֱ,xd_]^J?]J+(	RƊ:e+'l%+%A2
^QgX/&Ax1M8=!H!KFIDBr1F3D ج!㫷TSDb 0"$(V 2`Nx;1'Wq OFxOS(\O!Sh=y^B=&cP`2(D,-E#3dJ#r#ɏxgn(OIbTy&DCy_M'cƦ30lJ[ctd;,A؄	L4+l2Mz&j>io	xIzRލ{OTK;)[[W&`	׃E
ޡH~OJLmH@&ۈo#6mqf ti	漇9ru^z9ݧy[CC"Dj#'|x\_K~-)֒Gвcckkɬ3t;xd\[K|TDYJ=ג*9YKL\YKʼ󵤜%盷wi92:ߌO|pX&..eP
Aa4\g^ty̓˃ճay<J}̤\`v#ƚlɬ-˓.~ёT-bIgd~y@&ox{po"
oI-7;m7D#W9uƽk3k3
tOw['H2W"Ur6y 

N@Nċz~`y]Eh-B3Eh^]er	+^n@SKY1S(nWtZ\= 0 && w0 >= 0 && b0 + w0 >= 1 }
    ensures  { result <-> odd b0 }
  =
    let ref b = b0 in
    let ref w = w0 in
    while b + w >= 2 do
      invariant { b >= 0 && w >= 0 && b + w >= 1 }
      invariant { odd b <-> odd b0 }
      variant   { b + w }
      let x, y = any (x: int, y: int) ensures {
        0 <= x && 0 <= y && x + y = 2 && x <= b && y <= w } in
      if x = 0 || y = 0 then begin (* same color -> insert a white *)
        b <- b - x;
        w <- w - y + 1
      end else begin (* different color -> insert a black *)
        b <- b - x + 1;
        w <- w - y
      end
    done;
    b > 0

end
why3-1.6.0/examples/white_and_black_balls/000077500000000000000000000000001440160026300204755ustar00rootroot00000000000000why3-1.6.0/examples/white_and_black_balls/why3session.xml000066400000000000000000000011341440160026300235140ustar00rootroot00000000000000






 
 
 



why3-1.6.0/examples/white_and_black_balls/why3shapes.gz000066400000000000000000000006051440160026300231360ustar00rootroot00000000000000}RMO0W!JVMBJ=NNYjvcwcpig}_ic]T}QiWF;W6u9?SjiP5ڠ`tgFs}QwQωZA("`EzjLB0&@ozczcuc5ޕjjH1vDaaV1̏.>0)NKmŮO$>7@)fwĹ-=iG
|qs&0"MZN~D΂rl"Wx˲jy}׶=nvEQ8y"h[$Zm+
/gwhy3-1.6.0/examples/word_common_factor.mlw000066400000000000000000000022011440160026300206170ustar00rootroot00000000000000
(** {2 Common factor of two words}

    If `a ++ b = b ++ a` then `a` and `b` are powers of a common word.

    Authors: Jean-Christophe Filliâtre (CNRS)
             Andrei Paskevich (Univ Paris-Sud)

*)

use int.Int
use seq.Seq
use seq.FreeMonoid

type char
type word = seq char

let rec function power (w: word) (n: int) : word
  requires { n >= 0 }
  variant  { n }
  = if n = 0 then empty else w ++ power w (n - 1)

let rec lemma power_add (w: word) (n1 n2: int)
  requires { n1 >= 0 && n2 >= 0 }
  variant  { n1 }
  ensures  { power w (n1 + n2) == power w n1 ++ power w n2 }
  = if n1 > 0 then power_add w (n1 - 1) n2

let rec common_factor (a b: word) : (w: word, ka: int, kb: int)
  requires { a ++ b == b ++ a }
  ensures  { ka >= 0 /\ a == power w ka }
  ensures  { kb >= 0 /\ b == power w kb }
  variant  { length a, length b }
  = if length a = 0 then b, 0, 1
    else if length b = 0 then a, 1, 0
    else if length a <= length b then begin
      let c = b[length a ..] ensures { b == a ++ result } in
      let w, ka, kc = common_factor a c in
      w, ka, ka + kc
    end else
      let w, ka, kb = common_factor b a in
      w, kb, ka
why3-1.6.0/examples/word_common_factor/000077500000000000000000000000001440160026300201035ustar00rootroot00000000000000why3-1.6.0/examples/word_common_factor/why3session.xml000066400000000000000000000066551440160026300231370ustar00rootroot00000000000000








 
 
 
 
 
 
 
 
  
  
  
  
  
  
  
  
  
  
  
   
   
   
  
  
  
  
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
   
  
  
  
  
  
  
  
  
  
  
  
 
 



why3-1.6.0/examples/word_common_factor/why3shapes.gz000066400000000000000000000026261440160026300225510ustar00rootroot00000000000000WYoF~ׯ[
>
+Q$}	RFc%~oΏKͻ+6(v4nx
6CI|SǧXTEim _aS
%?]eP4|y骖jrC^ҿix?ӻC@o"TB/Klpp9d~87軇p8#Er^W2cw:L?m~m7_n{6GV8/l$yhx2BS$|]Q۲K+"\2^+)xs8#ᛃo~74]YK9SO?{egmR}HihxdbTҍ3uUӱl6"r(WY_7̌Mb=|:?::-GGC1xNscq$/蕓^DA;>q/+$T$kJ_H)tHOJz<L~"ios(EGQ?nD)CIa"_ ^XHI)r$&$jfńǒ>}NcA)'Ec2M_7ńM}kI'<3uӯ5o
P]kQLuw
ɦ1$ĕÿk<'FayWpB4B6_Q$*&j_LEvWY,B4ќnw>ә(c#y#؀dEQ𒶰Iv3IuLIkb?$w:II((o,)ZsK|Kd]KϤj&B=WfVi@u^8 jK+*BRXCkʹ%a+*^
QLixM%⬒ja0BcElYRZQRTR4fU^	,ʁQP+R^Q8%h
'FpN>lX<O%h|hV‬
DRĂ Uom@yHܸR	vt[Ũf6 ʹ_r5'0d뭈^JE4	1d^rR1ܔb:t^)p2?]@e{pwhy3-1.6.0/examples/wrap_lines.mlw000066400000000000000000000134241440160026300171120ustar00rootroot00000000000000
(** This micro challenge was proposed by Mattias Ulbrich (KIT)
    during his KeY tutorial at VerifyThis 2021. *)

module WrapLines

  use int.Int
  use array.Array

  type char

  val constant space: char
  val constant newline: char

  val (=) (x y: char) : bool ensures { result <-> x = y }

  (* Returns the index in s that has value c and
     is at least from, if it exists, and -1 otherwise. *)
  let index_of (s: array char) (c: char) (from: int) : int
    requires { 0 <= from <= length s }
    ensures  { result = -1 /\
                (forall i. from <= i < length s -> s[i] <> c)
            \/ from <= result < length s /\ s[result] = c /\
                (forall i. from <= i < result -> s[i] <> c) }
  = let ref k = from in
    while k < length s do
      invariant { from <= k <= length s }
      invariant { forall i. from <= i < k -> s[i] <> c }
      variant   { length s - k }
      if s[k] = c then return k;
      k <- k + 1
    done;
    return -1

  (* Every line (but the last) has at least line_length characters: *)
  predicate at_least_line_length (s: array char) (line_length: int)
  = forall i j. -1 <= i < j < length s ->
    (i = -1 \/ i <= 0 /\ s[i] = newline) -> s[j] = newline -> j - i >= line_length

  let wrap_lines (s: array char) (line_length: int) : unit
    (* initially, no newline at all *)
    requires { forall i. 0 <= i < length s -> s[i] <> newline }
    (* the only changes in s are turning ' ' into '\n' *)
    ensures  { forall i. 0 <= i < length s -> s[i] <> old s[i] ->
                old s[i] = space /\ s[i] = newline }
    ensures  { at_least_line_length s line_length }
  = let ref last_nl = -1 in
    let ref last_sp = index_of s space 0 in
    while last_sp <> -1 do
      invariant { -1 <= last_nl < length s }
      invariant { last_sp = -1
              \/ last_nl < last_sp < length s /\ s[last_sp] = space }
      invariant { forall i. last_nl < i < length s -> s[i] = old s[i] }
      invariant { forall i. 0 <= i < length s -> s[i] <> old s[i] ->
                    old s[i] = space /\ s[i] = newline }
      invariant { forall i. last_nl < i < last_sp -> s[i] <> newline }
      invariant { at_least_line_length s line_length }
      variant   { if last_sp = -1 then 0 else length s - last_sp }
      if last_sp - last_nl > line_length then (
        s[last_sp] <- newline;
        last_nl <- last_sp
      );
      last_sp <- index_of s space (last_sp + 1)
    done

  (*
    Implement a wrap_lines method such that
    * The original file may already contain '\n'
    * Every line has at most L characters or does not have a space
    * If there is an introduced newline character there is no space or
        newline that could have given a longer line.
  *)

  let wrap_lines_plus (s: array char) (line_length : int) : unit
    requires { line_length >= 0 }
    (* we only convert spaces into newlines *)
    ensures  { forall i. 0 <= i < length s -> s[i] <> old s[i] ->
                old s[i] = space /\ s[i] = newline }
    (* no line segment longer than line_length characters has a space *)
    ensures  { forall i. 0 <= i < length s - line_length ->
                (forall j. i <= j <= i + line_length -> s[j] <> newline) ->
                (forall j. i <= j <= i + line_length -> s[j] <> space) }
    (* no line is broken by an introduced newline if there is
       a further breakpoint (newline, space or EOF) within
       (line_length + 1) characters in the original file *)
    ensures  { forall i. -1 <= i < length s -> (0 <= i -> s[i] = newline) ->
                forall j. i < j <= length s -> j <= i + line_length + 1 ->
                  (j < length s -> old s[j] = space \/ old s[j] = newline) ->
                    forall k. i < k < j -> s[k] = old s[k] }
  = let ref last_nl = -1 in (* last seen newline or -1 *)
    let ref last_sp = -1 in (* last seen space, newline or -1 *)
    (* scan the file and at each breakpoint, decide whether we
       should have broken the line at the last space character *)
    for ind = 0 to length s - 1 do
      invariant { -1 <= last_nl <= last_sp < ind }
      invariant { 0 <= last_nl -> s[last_nl] = newline }
      invariant { last_nl < last_sp -> s[last_sp] = space }
      invariant { forall i. last_nl < i < ind -> s[i] <> newline }
      invariant { forall i. last_sp < i < ind -> s[i] <> space }
      invariant { forall i. 0 <= i < ind -> s[i] <> old s[i] ->
                    old s[i] = space /\ s[i] = newline }
      invariant { forall i. ind <= i < length s -> s[i] = old s[i] }
      invariant { forall i. 0 <= i < last_sp - line_length ->
                    (forall j. i <= j <= i + line_length -> s[j] <> newline) ->
                    (forall j. i <= j <= i + line_length -> s[j] <> space) }
      invariant { forall i. -1 <= i < length s -> (0 <= i -> s[i] = newline) ->
                  forall j. i < j <= length s -> j <= i + line_length + 1 ->
                    (j < length s -> old s[j] = space \/ old s[j] = newline) ->
                      forall k. i < k < j -> s[k] = old s[k] }
      if s[ind] = newline then begin
        if last_nl < last_sp && last_nl + line_length + 1 < ind then
        begin
          s[last_sp] <- newline;
        end;
        last_nl <- ind;
        last_sp <- ind;
      end else
      if s[ind] = space then begin
        if last_nl < last_sp && last_nl + line_length + 1 < ind then
        begin
          s[last_sp] <- newline;
          last_nl <- last_sp;
        end;
        last_sp <- ind;
      end
    done;
    if last_nl < last_sp && last_nl + line_length + 1 < length s then
      s[last_sp] <- newline

end

module WrapLinesOCaml

  use int.Int
  use string.Char
  use string.OCaml
  use array.Array

  let constant space: char = chr 32
  let constant newline: char = chr 10

  clone export WrapLines with
    type char = char, val space = space,
    val newline = newline, val (=) = eq_char

end
why3-1.6.0/examples/wrap_lines/000077500000000000000000000000001440160026300163655ustar00rootroot00000000000000why3-1.6.0/examples/wrap_lines/why3session.xml000066400000000000000000000456171440160026300214220ustar00rootroot00000000000000








 
 
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
 
 
 
 
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
 
 
 
 
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
   
   
   
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
 
 


 
 
  
  
  
 
 
 
 
  
  
  
 
 
 
 
  
  
  
 
 



why3-1.6.0/examples/wrap_lines/why3shapes.gz000066400000000000000000000142121440160026300210250ustar00rootroot00000000000000Zn\9}W20Ҁzknmz9̴$JL`D0	^?ۻumk?ԏotҎ↙_kzXۏj\ϟh=J o^tO22yW仏=`_JB~׸`5rK>kշ4
9D.g/WLwGKS#{v:ʍh&IA#04d.ֿnxMdFGϵmhUƧqGӗ|4{u̴`22~ox??}EDe1lgCiśI;;jgħKZ8ܼq;4ߍ[t˷7X\}׻d_n?!lːxY\!qйsbN2wS}[gfA{e4si4?(t˖ɘ4KWyG5]M}w;<=S֘/Nz-uc>Y׬wt^_? %_[N1G)fonφQ#{\"+#E+7_3q`iFRͤ;e0U}#q/);WrCR)͞~f
񄑝Tn
fSagtq?-[^[_#w]C;£^o4I3R#uJz#r4@tb|B
}K]C5M۵kht}aLv5>ܙۨA«{K^\CSJͮj/{uδopx֖QKnTз[mKfĻAlpyax෉/M2cٸnAu筀K9vZ;uK9Y]T^wsNg&>w/
I>ա8֫Ns&uUoub
xv4kGM~d@}GwspCMʣ
o1+?O\ӽgn]L~ua]?F)Aiԃl۫3ν>9!߯x$>v-`vp[2=ӣ߻>ku:~Ν=.)\J?˩:'%`‘H8##ORiD@/#$\<{&(d54+i]3@I.3NvMpiS6TWk.:{4>|stc[T~jUZg֯&{T./.8Ni_q[rR7W+
b?ɻ|t諶rYfOK[(xtՉ7\|=%\/!=7|{zhv8U<ojjlh؜3*Fk6Wu&;d:^U_;B?qRx\ht*sĿm;q&C"GΆ{K͞_u;^R߄]~t%ӥ;zLڟ虵;-;.~ҭұ4{w3ݼ\)~O+seSy-?[eyOp?{ho\Zfxs.-]LG}ۗfR70MM u͆/4Y)&&LL+6ƴ~/?֗F><-&Ie1i.7=[o&קOvn|›3<\o#U|fiVxkJ0f!qw_?}xehLf|{W,s%~5Kz.D?>8?C?WWMDFYJuQFc|vV7R!k2W! C5ID4UMpd4õ:AĕR.fk VsF$A䡥Z
"~rR	
/SAl
S+E
M7iu5$*/HcO$Kb?;jWt]BFifk6%ٔMɤ`%1DBY7vwcF:|#:?hw*/a-N{њT[Β`qcŖ7;
A.C-hS'sTb%]2(Gd^.p{,oFM.x[8#g]Jx!%BJbt`oBAZkGR^Ah,ʼn
,m&]=o-	d5NuYWdӜ&ءth2xkq4)قVT]Q͕\}.>!x>"X(p @"[C(nEGF."k%k-cT@}\
v	Yj,H}و:0T\CHY*K(yU:C}i
V
`JC0
< `[ficA&SJ\4CZX`7fS[n;[R-Y!QJK
hJ#,ԴPq]_'ȇ܌\29	
(ikQ̐GIUSŐb5a@_I5Md^ 8VXn\!?VVyTlSPWL/30
L整ҊES
bz(Y:ɋp(ȱn(RtL!& HR"[JuvnNY"HFe5CIg&FHuI
rS,ˌFΏY8l@ayQ2w
vZW$@x "ŚCGO3bF2e`W`XQC%MBmFXף`.211ȅwKT	P?n ??yjPv "=v#FlgJ-9LXFkUZzO*4%ZԨ8"C
/!/GK)!w<TA*ZnڢNiP5tD 0t1ԄNh&P$.-^V*BKgC^5E-2v1#%2+e6CA'
:TV1!%(~Ũ93HQ5ZlW&"7lT(tC$_v̏յ$r2dXE!ܪ![9;ۘ9Gɏ?ՠ_El,C>dBG/#SZRh@%tV[I}~}qI8#(fYeOR2An4y[
Y=c\$a?{O_Gh:t*7BHUɰsœ؝|1MƖ[93xC}%!vȆf{52RA9_BJ(1;
_j42AK8%t!J Y>"|:A-+-JYhKZ(	A-³%)heTM~ud-ZPcZ$BD(g3`xZfRnJ<PIᗔ9!燑*+2j^DkZUCu0#=vdtSFI9*#G#Y92AywI{T]V< !G/G
WEBQ&d=dB[_]G΃V`SO&8Ѝ&I)2g@kU栓q&Y-зl^>dcp9ƚK.
M&'ek/zN=_̾T>%)~_\ouP~-KЋTp2"-X/6i;:J
)=j5L
zn)ѷ&%ȡ٧
V#WsUBРnRt/:RaBz4"؄zo@hW_@+np]j{!M4-A7Y)]v;΂ߤR_B9"Kh6M@}eq)),W77&KZEM0mHPƞ()HI2BIa_i~u{3#oXk4ȄNTi]BE#tAN7 |ˆRϗ7@ժ2RtU+/>G,R.:sl.$7J:;%UC|HŽߕXG&W=uO+Y;E?.e<[mBI9yҔ:޻0sfz&TRQZPmaI&Bg"yebIMv* _c5XX_.%qUu񑯲M`69!i)A7+d|ףTP],(= 읒u|)5h^XlzNJZW
5_why3-1.6.0/examples/zeros.mlw000066400000000000000000000052671440160026300161170ustar00rootroot00000000000000
(** Setting all the elements of an array to zero *)

module SetZeros

  use int.Int
  use array.Array

  let set_zeros (a : array int) =
    ensures { forall j: int. 0 <= j < a.length -> a[j] = 0 }
    for i = 0 to a.length - 1 do
      invariant { forall j: int. 0 <= j < i -> a[j] = 0 }
      a[i] <- 0
    done

  let harness () =
    let a0 = make 42 1 in
    set_zeros a0;
    assert { length a0 = 42 };
    assert { a0[12] = 0 }

end

(** Checking that an array contains only zeros *)

module AllZeros

  use int.Int
  use array.Array
  use ref.Refint

  predicate all_zeros (a: array int) (hi: int) =
    forall i: int. 0 <= i < hi -> a[i] = 0

  (** with a for loop (a bit naive, since it always scans the whole array) *)

  let all_zeros1 (a: array int) : bool
    ensures { result <-> all_zeros a a.length }
  =
    let res = ref True in
    for i = 0 to length a - 1 do
      invariant { !res <-> all_zeros a i }
      if a[i] <> 0 then res := False
    done;
    !res

  (** with a while loop, stopping as early as possible *)

  let all_zeros2 (a: array int) : bool
    ensures { result <-> all_zeros a a.length }
  =
    let res = ref True in
    let i = ref 0 in
    while !res && !i < length a do
      invariant { 0 <= !i <= a.length }
      invariant { !res <-> all_zeros a !i }
      variant   { a.length - !i }
      res := (a[!i] = 0);
      incr i
    done;
    !res

  (** no need for a Boolean variable, actually *)

  let all_zeros3 (a: array int) : bool
    ensures { result <-> all_zeros a a.length }
  =
    let i = ref 0 in
    while !i < length a && a[!i] = 0 do
      invariant { 0 <= !i <= a.length }
      invariant { all_zeros a !i }
      variant   { a.length - !i }
      incr i
    done;
    !i = length a

  (** with a recursive function *)

  let all_zeros4 (a: array int) : bool
    ensures { result <-> all_zeros a a.length }
  =
    let rec check_from (i: int) : bool
      requires { 0 <= i <= a.length }
      requires { all_zeros a i }
      variant  { a.length - i }
      ensures  { result <-> all_zeros a a.length }
    = i = length a || a[i] = 0 && check_from (i+1)
    in
    check_from 0

  (** divide-and-conqueer *)

  predicate zero_interval (a: array int) (lo hi: int) =
    forall i: int. lo <= i < hi -> a[i] = 0

  use int.ComputerDivision

  let all_zeros5 (a: array int) : bool
    ensures { result <-> all_zeros a a.length }
  =
    let rec check_between (lo hi: int) : bool
      requires { 0 <= lo <= hi <= a.length }
      variant  { hi - lo }
      ensures  { result <-> zero_interval a lo hi }
    =
      hi <= lo ||
      let mid = lo + div (hi - lo) 2 in
      a[mid] = 0 && check_between lo mid && check_between (mid+1) hi
    in
    check_between 0 (Array.length a)

end
why3-1.6.0/examples/zeros/000077500000000000000000000000001440160026300153645ustar00rootroot00000000000000why3-1.6.0/examples/zeros/why3session.xml000066400000000000000000000030131440160026300204010ustar00rootroot00000000000000






 
 
 
 
 
 


 
 
 
 
 
 
 
 
 
 
 
 
 
 
 



why3-1.6.0/examples/zeros/why3shapes.gz000066400000000000000000000022011440160026300200170ustar00rootroot00000000000000VMo6WvSf`ž
]EnIk9wԷMvXÙ7o)!<ٿ%\~mF`?6ҞSSG`?pv|z_$3kyPh=:POY.qqn@QISq=,)QS6|pfHGDC"&p	Ruk0z
5c)_KdRBT!”n-@"ZbQaAؓ=?²SBcOAwYMYS^q;fQ;LPⰲ;_LvlR}Ls)TogI]Z/-%$'	yjACFiH$i"{g/hƠ,;%\+[	?lJ>fr.LD=z
hLBnd'}*CvPGF}LKI\(
кG5b8,3q' Bڪgq؍
5z*HΚ6%[o6Ŭ.7۶@L֠FDLfSY5[!F5p:4kM}fw;$z2ѼmFl4˺x(9oZ%?Mc=4B6$
:ug8;&?Iz#k~K֨QC?tGϩsݚzD/?u1?(0#y1:S{8q@O/L@4ʑEyc,󅲥Ҷxтq%:}"xKł(Vy;K,{Ƞ)ޅ-~dR/Zol۲r/2F`
}W(	Lz2߹N:nwJny"
  interface export "#include "
  syntax type int32  "int32_t"
  syntax literal int32 "%c"

  syntax val (+)     "%1 + %2"   prec 4 4 3
  syntax val (-)     "%1 - %2"   prec 4 4 3
  syntax val (-_)    "-%1"       prec 2 1
  syntax val ( * )   "%1 * %2"   prec 3 3 2
  syntax val (/)     "%1 / %2"   prec 3 3 2
  syntax val (%)     "%1 % %2"   prec 3 3 2
  syntax val (=)     "%1 == %2"  prec 7 7 6
  syntax val (<=)    "%1 <= %2"  prec 6 6 5
  syntax val (<)     "%1 < %2"   prec 6 6 5
  syntax val (>=)    "%1 >= %2"  prec 6 6 5
  syntax val (>)     "%1 > %2"   prec 6 6 5

  remove module

end

module mach.int.Int32BV
  prelude export "#include "
  interface export "#include "
  syntax val to_bv "%1" prec 0
  syntax val of_bv "%1" prec 0
end

module mach.int.Int32GMP

  syntax val bxor    "%1 ^ %2"   prec 9 9 8

end

module mach.int.UInt32Gen

  prelude export "#include "
  interface export "#include "
  syntax type uint32 "uint32_t"

  syntax val max_uint32 "0xffffffff" prec 0
  syntax val length "32"             prec 0

  remove module

end

module mach.int.UInt32BV
  syntax val to_bv "%1" prec 0
  syntax val of_bv "%1" prec 0
end

module mach.int.UInt32

  prelude export "#include "
  interface export "#include "
  syntax literal uint32 "%cU"

  syntax val (+)     "%1 + %2"   prec 4 4 3
  syntax val (-)     "%1 - %2"   prec 4 4 3
  syntax val (-_)    "-%1"       prec 2 1
  syntax val ( * )   "%1 * %2"   prec 3 3 2
  syntax val (/)     "%1 / %2"   prec 3 3 2
  syntax val (%)     "%1 % %2"   prec 3 3 2
  syntax val (=)     "%1 == %2"  prec 7 7 6
  syntax val (<=)    "%1 <= %2"  prec 6 6 5
  syntax val (<)     "%1 < %2"   prec 6 6 5
  syntax val (>=)    "%1 >= %2"  prec 6 6 5
  syntax val (>)     "%1 > %2"   prec 6 6 5

  remove module

end

module mach.int.UInt32GMP

  interface "\
    \nstruct __add32_with_carry_result {\
    \n  uint32_t __field_0;\
    \n  uint32_t __field_1;\
    \n};\
    \n\
    \nstruct __add32_with_carry_result\
    \nadd32_with_carry(uint32_t x, uint32_t y, uint32_t c);\
    \n\
    \nstruct __sub32_with_borrow_result {\
    \n  uint32_t __field_0;\
    \n  uint32_t __field_1;\
    \n};\
    \n\
    \nstruct __sub32_with_borrow_result\
    \nsub32_with_borrow(uint32_t x, uint32_t y, uint32_t b);\
    \n\
    \nstruct __mul32_double_result {\
    \n  uint32_t __field_0;\
    \n  uint32_t __field_1;\
    \n};\
    \n\
    \nstruct __mul32_double_result\
    \nmul32_double(uint32_t x, uint32_t y);\
    \n\
    \nstruct __add32_3_result {\
    \n  uint32_t __field_0;\
    \n  uint32_t __field_1;\
    \n};\
    \n\
    \nstruct __add32_3_result\
    \nadd32_3(uint32_t x, uint32_t y, uint32_t z);\
    \n\
    \nstruct __lsld32_result {\
    \n  uint32_t __field_0;\
    \n  uint32_t __field_1;\
    \n};\
    \n\
    \nstruct __lsld32_result\
    \nlsld32(uint32_t x, uint32_t cnt);\
  "

  syntax literal uint32 "%cU"

  syntax val (+)     "%1 + %2"   prec 4 4 3
  syntax val (-)     "%1 - %2"   prec 4 4 3
  syntax val (-_)    "-%1"       prec 2 1
  syntax val ( * )   "%1 * %2"   prec 3 3 2
  syntax val (/)     "%1 / %2"   prec 3 3 2
  syntax val (%)     "%1 % %2"   prec 3 3 2
  syntax val (=)     "%1 == %2"  prec 7 7 6
  syntax val (<=)    "%1 <= %2"  prec 6 6 5
  syntax val (<)     "%1 < %2"   prec 6 6 5
  syntax val (>=)    "%1 >= %2"  prec 6 6 5
  syntax val (>)     "%1 > %2"   prec 6 6 5

  syntax val add_with_carry "add32_with_carry"
  syntax val sub_with_borrow "sub32_with_borrow"
  syntax val mul_double "mul32_double"
  syntax val add3 "add32_3"
  syntax val lsld "lsld32"

  syntax val add_mod "%1 + %2" prec 4 4 3
  syntax val sub_mod "%1 - %2" prec 4 4 3
  syntax val minus_mod "-%1"   prec 2 1
  syntax val mul_mod "%1 * %2" prec 3 3 2

  syntax val div2by1
         "(uint32_t)((((uint64_t)%1) | (((uint64_t)%2) << 32))/(uint64_t)(%3))"
         prec 2

  syntax val lsl "%1 << %2" prec 5 5 2
  syntax val lsr "%1 >> %2" prec 5 5 2

  syntax val is_msb_set "%1 & 0x80000000U" prec 8 8

  syntax val count_leading_zeros "__builtin_clz(%1)" prec 1 15
  syntax val count_trailing_zeros "__builtin_ctz(%1)" prec 1 15

  syntax val of_int32 "(uint32_t)%1" prec 2 2
  syntax val to_int32 "(int32_t)%1" prec 2 2

end

blacklist "__builtin_clz" "__builtin_ctz" "add32_with_carry" "sub32_with_borrow"
blacklist "mul32_double" "add32_3" "lsld32"

module mach.int.Int64

  syntax type int64  "int64_t"
  syntax literal int64 "INT64_C(%c)"

  syntax val (+)     "%1 + %2"   prec 4 4 3
  syntax val (-)     "%1 - %2"   prec 4 4 3
  syntax val (-_)    "-%1"       prec 2 1
  syntax val ( * )   "%1 * %2"   prec 3 3 2
  syntax val (/)     "%1 / %2"   prec 3 3 2
  syntax val (%)     "%1 % %2"   prec 3 3 2
  syntax val (=)     "%1 == %2"  prec 7 7 6
  syntax val (<=)    "%1 <= %2"  prec 6 6 5
  syntax val (<)     "%1 < %2"   prec 6 6 5
  syntax val (>=)    "%1 >= %2"  prec 6 6 5
  syntax val (>)     "%1 > %2"   prec 6 6 5

  remove module

end

module mach.int.UInt64Gen

  prelude export "#include "
  interface export "#include "
  syntax type uint64 "uint64_t"

  syntax val max_uint64 "0xffffffffffffffff" prec 0
  syntax val length "64" prec 0

  remove module

end

module mach.int.UInt64

  syntax literal uint64 "UINT64_C(%c)"

  syntax val (+)     "%1 + %2"   prec 4 4 3
  syntax val (-)     "%1 - %2"   prec 4 4 3
  syntax val (-_)    "-%1"       prec 2 1
  syntax val ( * )   "%1 * %2"   prec 3 3 2
  syntax val (/)     "%1 / %2"   prec 3 3 2
  syntax val (%)     "%1 % %2"   prec 3 3 2
  syntax val (=)     "%1 == %2"  prec 7 7 6
  syntax val (<=)    "%1 <= %2"  prec 6 6 5
  syntax val (<)     "%1 < %2"   prec 6 6 5
  syntax val (>=)    "%1 >= %2"  prec 6 6 5
  syntax val (>)     "%1 > %2"   prec 6 6 5

  remove module

end

module mach.int.UInt64GMP

  interface "\
    \nstruct __add64_with_carry_result {\
    \n  uint64_t __field_0;\
    \n  uint64_t __field_1;\
    \n};\
    \n\
    \nstatic inline struct __add64_with_carry_result\
    \nadd64_with_carry(uint64_t x, uint64_t y, uint64_t c)\
    \n{\
    \n  struct __add64_with_carry_result result;\
    \n  uint64_t r = x + y + c;\
    \n  result.__field_0 = r;\
    \n  if (r == x) result.__field_1 = c;\
    \n  else result.__field_1 = (r < x);\
    \n  return result;\
    \n}\
    \n\
    \nstruct __sub64_with_borrow_result {\
    \n  uint64_t __field_0;\
    \n  uint64_t __field_1;\
    \n};\
    \n\
    \nstatic inline struct __sub64_with_borrow_result\
    \nsub64_with_borrow(uint64_t x, uint64_t y, uint64_t b)\
    \n{\
    \n  struct __sub64_with_borrow_result result;\
    \n  uint64_t r = x - y - b;\
    \n  result.__field_0 = r;\
    \n  if (r > x) result.__field_1 = 1;\
    \n  else if (r == x) result.__field_1 = b;\
    \n  else result.__field_1 = 0;\
    \n  return result;\
    \n}\
    \n\
    \nstruct __add64_3_result {\
    \n  uint64_t __field_0;\
    \n  uint64_t __field_1;\
    \n};\
    \n\
    \nstatic inline struct __add64_3_result\
    \nadd64_3(uint64_t x, uint64_t y, uint64_t z)\
    \n{\
    \n  struct __add64_3_result result;\
    \n  uint64_t r, c1, c2;\
    \n  r = x + y;\
    \n  c1 = r < y;\
    \n  r += z;\
    \n  c2 = r < z;\
    \n  result.__field_1 = c1 + c2;\
    \n  result.__field_0 = r;\
    \n  return result;\
    \n}\
    \n\
    \nstruct __lsld64_result {\
    \n  uint64_t __field_0;\
    \n  uint64_t __field_1;\
    \n};\
    \n\
    \nstatic inline struct __lsld64_result\
    \nlsld64(uint64_t x, uint64_t cnt)\
    \n{\
    \n  struct __lsld64_result result;\
    \n  result.__field_1 = x >> (64 - cnt);\
    \n  result.__field_0 = x << cnt;\
    \n  return result;\
    \n}\
  "

  syntax literal uint64 "UINT64_C(%c)"

  syntax val uint64_max "0xffffffffffffffffUL" prec 0

  syntax val (+)     "%1 + %2"   prec 4 4 3
  syntax val (-)     "%1 - %2"   prec 4 4 3
  syntax val (-_)    "-%1"       prec 2 1
  syntax val ( * )   "%1 * %2"   prec 3 3 2
  syntax val (/)     "%1 / %2"   prec 3 3 2
  syntax val (%)     "%1 % %2"   prec 3 3 2
  syntax val (=)     "%1 == %2"  prec 7 7 6
  syntax val (<=)    "%1 <= %2"  prec 6 6 5
  syntax val (<)     "%1 < %2"   prec 6 6 5
  syntax val (>=)    "%1 >= %2"  prec 6 6 5
  syntax val (>)     "%1 > %2"   prec 6 6 5

  syntax val add_with_carry "add64_with_carry"
  syntax val sub_with_borrow "sub64_with_borrow"
  syntax val add3 "add64_3"
  syntax val lsld "lsld64"

  syntax val add_mod "%1 + %2" prec 4 4 3
  syntax val sub_mod "%1 - %2" prec 4 4 3
  syntax val minus_mod "-%1"   prec 2 1
  syntax val mul_mod "%1 * %2" prec 3 3 2

  syntax val lsl "%1 << %2" prec 5 5 2
  syntax val lsr "%1 >> %2" prec 5 5 2
  syntax val lsl_mod "%1 << %2" prec 5 5 2
  syntax val lsr_mod "%1 >> %2" prec 5 5 2

  syntax val is_msb_set "%1 & 0x8000000000000000UL" prec 8 7

  syntax val count_leading_zeros "__builtin_clzll(%1)" prec 1 15
  syntax val count_trailing_zeros "__builtin_ctzll(%1)" prec 1 15

  syntax val to_int32 "(int32_t)%1" prec 2 2
  syntax val of_int32 "(uint64_t)%1" prec 2 2
  syntax val to_uint32 "(uint32_t)%1" prec 2 2
  syntax val of_uint32 "(uint64_t)%1" prec 2 2
  syntax val to_int64 "(int64_t)%1" prec 2 2
  syntax val of_int64 "(uint64_t)%1" prec 2 2

  syntax val of_int "%1" prec 0

end

blacklist "__builtin_clzll" "_builtin_ctzll" "add64_with_carry"
blacklist "sub64_with_borrow" "mul64_double" "add64_3" "lsld64"

module bv.BV32
  syntax type t      "uint32_t"
  syntax literal t   "%cu"
  syntax val  zeros  "0u" prec 0
  syntax val  one    "1u" prec 0
  syntax val  ones   "0xFFFFFFFFu" prec 0
  syntax val  eq     "%1 == %2" prec 7 7 6
  syntax val  bw_and "%1 & %2" prec 8 7 7
  syntax val  bw_or  "%1 | %2" prec 10 10 9
  syntax val  bw_xor "%1 ^ %2" prec 9 9 8
  syntax val  bw_not "~%1" prec 2 2 1
  (* no extraction of lsr, asr, lsl, to_uint, of_int, to_int (use type `int`) *)
  syntax val  add    "%1 + %2" prec 4 4 3
  syntax val  sub    "%1 - %2" prec 4 4 3
  syntax val  neg    "-%1" prec 2 1
  syntax val  mul    "%1 * %2" prec 3 3 2
  syntax val  udiv   "%1 / %2" prec 3 3 2
  syntax val  urem   "%1 % %2" prec 3 3 2
  syntax val  lsr_bv  "%1 >> %2" prec 5 5 2
  syntax val  asr_bv  "%1 >> %2" prec 5 5 2
  syntax val  lsl_bv  "%1 << %2" prec 5 5 2
end

module mach.array.Array32

  syntax val ([]) "%1[%2]" prec 1 1 15
  syntax val ([]<-) "%1[%2] = %3" prec 1 1 15 14

end

module bool.Bool

  (* FIXME: use bitwise operators instead ? *)
  (* requiring higher-than-needed precedence for arguments
     avoids Wparentheses *)
  syntax val orb  "%1 || %2" prec 12 5 5
  syntax val andb "%1 && %2" prec 11 5 5
  syntax val xorb "%1 ^ %2" prec 9 5 5
  syntax val notb "!%1" prec 2 2 1

end

module mach.c.C

  interface "#include "
  interface "#include "
  interface "#include "
  interface "#include "
  interface
  "#define IGNORE2(x,y) do { (void)(x); (void)(y); } while (0)"
  interface
  "#define IGNORE3(x,y,z) do { (void)(x); (void)(y); (void)(z); } while (0)"

  syntax type ptr "%1 *"
  syntax type bool "int"

  syntax val malloc "malloc(%1 * sizeof(%v0))" prec 1 3
  syntax val free   "free(%1)" prec 1 15
  syntax val realloc "realloc(%1, %2 * sizeof(%v0))" prec 1 15 3

  syntax val salloc "alloca(%1 * sizeof(%v0))" prec 1 3
  syntax val sfree  "(void)%1" prec 2 2

  (* syntax val is_null "(%1) == NULL" *)
  syntax val is_not_null "%1" prec 0
  syntax val null "NULL" prec 0

  syntax val incr "%1 + %2" prec 4 4 3

  syntax val get "*%1"        prec 2 2
  syntax val get_ofs "%1[%2]" prec 1 1 15

  syntax val set "*%1 = %2"  prec 14 2 14
  syntax val set_ofs "%1[%2] = %3" prec 14 14 15 14

  syntax val incr_split "%1 + %2" prec 4 4 3
  syntax val decr_split "%1 - %2" prec 4 4 3
  syntax val join "IGNORE2"
  syntax val join_r "IGNORE2"

  syntax val c_assert "assert (%1)" prec 1 15

  syntax val print_space "printf(\" \")" prec 1
  syntax val print_newline "printf(\"\\n\")" prec 1
  syntax val print_uint32 "printf(\"%#010x\",%1)" prec 1 15

end

blacklist "printf" "alloca"

module mach.c.UChar

  syntax literal uchar "%c"
  syntax type uchar "unsigned char"
  syntax val of_uint64 "(unsigned char)%1" prec 2 2
  syntax val to_uint64 "(uint64_t)%1" prec 2 2
  syntax val of_int32  "(unsigned char)%1" prec 2 2
  syntax val to_int32  "(int32_t)%1" prec 2 2
  syntax val (=)  "%1 == %2"  prec 7 7 6
  syntax val (<=) "%1 <= %2"  prec 6 6 5
  syntax val (<)  "%1 < %2"   prec 6 6 5
  syntax val (>=) "%1 >= %2"  prec 6 6 5
  syntax val (>)  "%1 > %2"   prec 6 6 5

  syntax val of_char "(unsigned char)%1" prec 2 2
  syntax val to_char "(char)%1" prec 2 2

  syntax val open_from_charptr "(unsigned char *)%1" prec 2 2
  syntax val close_from_charptr "IGNORE2"

  remove module

end

module mach.c.SChar

  syntax literal schar "%c"
  syntax type schar "signed char"
  syntax val (<=) "%1 <= %2"  prec 6 6 5
  syntax val (<)  "%1 < %2"   prec 6 6 5
  syntax val (>=) "%1 >= %2"  prec 6 6 5
  syntax val (>)  "%1 > %2"   prec 6 6 5

end

module string.Char

  syntax type char "char"

end

module mach.c.String

  prelude export "#include "
  interface export "#include "
  syntax type string "char *"

  syntax val get "%1[%2]" prec 1 1 15
  syntax val zero_char "'\\0'" prec 0
  syntax val zero_num "'0'" prec 0
  syntax val nine_num "'9'" prec 0
  syntax val small_a "'a'" prec 0
  syntax val small_z "'z'" prec 0
  syntax val big_a "'A'" prec 0
  syntax val big_z "'Z'" prec 0
  syntax val minus_char "'-'" prec 0
  syntax val code "%1" prec 0
  syntax val length "strlen"
  syntax val strlen "strlen"
  syntax val (=) "%1 == %2"  prec 7 7 6

end

module mach.fxp.Fxp

  syntax val fxp_add "%1 + %2" prec 4 4 3
  syntax val fxp_sub "%1 - %2" prec 4 4 3
  syntax val fxp_mul "%1 * %2" prec 3 3 2
  syntax val fxp_lsl "%1 << %2" prec 5 5 2
  syntax val fxp_lsr "%1 >> %2" prec 5 5 2
  syntax val fxp_asr "(uint64_t)((int64_t)%1 >> %2)" prec 2 1 2
  syntax val fxp_asr' "(uint64_t)((int64_t)%1 >> %2)" prec 2 1 2

end

(* exclude some stdlib modules from extraction *)

module array.Array
  remove module
end

module bool.Bool
  remove module
end

module map.Map
  remove module
end

module map.Const
  remove module
end

module number.Divisibility
  remove module
end

module int.Int
  remove module
end

module int.Abs
  remove module
end

module int.ComputerDivision
  remove module
end

module int.EuclideanDivision
  remove module
end

module int.MinMax
  remove module
end

module int.Power
  remove module
end

module real.Real
  remove module
end

module real.ExpLog
  remove module
end

module real.RealInfix
  remove module
end

module real.Square
  remove module
end

module mach.int.Unsigned
  remove module
end
why3-1.6.0/extraction_drivers/cakeml.drv000066400000000000000000000052751440160026300203040ustar00rootroot00000000000000
(** CakeML driver *)

printer "cakeml"

module BuiltIn
  syntax type int "int"
end

module HighOrd
  syntax type (->) "%1 -> %2"
  syntax val  ( @ )  "%1 %2"
end

module option.Option
  syntax type     option "%1 option"
  syntax val None   "NONE"
  syntax val Some   "SOME %1"
end

module Bool
  syntax type     bool  "bool"
  syntax val True  "true"
  syntax val False "false"
end

module bool.Ite
  syntax val ite "(if %1 then %2 else %3)"
end

module bool.Bool
  syntax val andb  "%1 andalso %2"
  syntax val orb   "%1 orelse %2"
  syntax val xorb  "%1 <> %2"
  syntax val notb  "not %1"
  syntax val implb "not %1 orelse %2"
end

module list.List
  syntax type     list "%1 list"
  syntax val Nil  "[]"
  syntax val Cons "%1 :: %2"
  syntax val is_nil "%1 = []"
end

module list.Length
  syntax val length "List.length %1"
end

module Ref
  syntax type     ref      "%1 ref"
  syntax val contents "!%1"
  syntax val      ref      "ref %1"
end

module ref.Ref
  syntax val      (!_)     "!%1"
  syntax val      (:=)     "%1 := %2"
end

module ref.Refint
  syntax val incr "%1 := !%1 + 1"
  syntax val decr "%1 := !%1 - 1"
  syntax val (+=) "%1 := !%1 + %2"
  syntax val (-=) "%1 := !%1 - %2"
  syntax val ( *= ) "%1 := !%1 * %2"
end

module int.Int
  syntax val zero "0"
  syntax val one  "1"

  syntax val (<)   "%1 < %2"
  syntax val (<=)  "%1 <= %2"
  syntax val (>)   "%1 > %2"
  syntax val (>=)  "%1 >= %2"
  syntax val       (=)   "%1 = %2"

  syntax val  (+)   "%1 + %2"
  syntax val  (-)   "%1 - %2"
  syntax val  ( * ) "%1 * %2"
  syntax val  (-_)  "~%1"
end

module int.EuclideanDivision
  syntax val div "%1 div %2"
  syntax val mod "%1 mod %2"
end

(* not implemented in CakeML *)
(* module int.ComputerDivision *)
(*   syntax val div "quot (%1, %2)" *)
(*   syntax val mod "%1 rem %2" *)
(* end *)

module array.Array
  syntax type array "%1 array"

  (* syntax exception OutOfBounds "Why3__Array.OutOfBounds" *) (* FIXME *)

  syntax val ([])          "Array.sub %1 %2"
  syntax val ([]<-)        "Array.update %1 %2 %3"
  syntax val length        "Array.length %1"
  syntax val defensive_get "Array.sub %1 %2"
  syntax val defensive_set "Array.update %1 %2 %3"
  syntax val make          "Array.array %1 %2"
  syntax val empty         "Array.arrayEmpty %1"
  (* syntax val append        "Array.append %1 %2" *)
  (* syntax val sub           "Array.sub %1 (Z.to_int %2) (Z.to_int %3)" *)
  (* syntax val copy          "Array.copy %1" *)
  (* syntax val fill          "Array.fill %1 (Z.to_int %2) (Z.to_int %3) %4" *)
  (* syntax val blit          "Array.blit %1 (Z.to_int %2) %3 (Z.to_int %4) (Z.to_int %5)" *)
end

(* module mach.int.Int *)
(*   syntax val ( / ) "Z.div %1 %2" *)
(*   syntax val ( % ) "Z.rem %1 %2" *)
(* end *)
why3-1.6.0/extraction_drivers/ocaml-unsafe-int.drv000066400000000000000000000156621440160026300222130ustar00rootroot00000000000000
(** OCaml driver with Why3 type int being mapped to OCaml type int.

    This is of course unsafe, yet useful to run your code when you
    have an independent argument for the absence of arithmetic
    overflows. *)

printer "ocaml-unsafe-int"

theory BuiltIn
  syntax type int "int"
  syntax predicate  (=)   "(%1 = %2)"
end

(* import "ocaml-no-arith.drv" *)

(* int *)

theory int.Int
  syntax constant zero "0"
  syntax constant one  "1"

  syntax predicate (<)  "(%1 < %2)"
  syntax predicate (<=) "(%1 <= %2)"
  syntax predicate (>)  "(%1 > %2)"
  syntax predicate (>=) "(%1 >= %2)"

  syntax function (+)   "(%1 + %2)"
  syntax function (-)   "(%1 - %2)"
  syntax function ( * ) "(%1 * %2)"
  syntax function (-_)  "(- %1)"
end

theory int.ComputerDivision
  syntax function div "(%1 / %2)"
  syntax function mod "(%1 mod %2)"
end

(* FIXME: avoid Stdlib using a black list of reserved OCaml names *)

theory int.Abs
  syntax function abs "Stdlib.abs"
end

theory int.MinMax
  syntax function min "Stdlib.min"
  syntax function max "Stdlib.max"
end

(* TODO
   - int.EuclideanDivision
   - number.Gcd
*)

theory int.Power
  prelude "let rec power x n = if n = 0 then 1 else x * power x (n-1)"
  syntax function power "power"
end

theory int.Fact
  prelude "let rec fact n = if n <= 1 then 1 else n * fact (n-1)"
  syntax function fact "fact"
end

theory int.Fibonacci
  prelude "let rec fib n = if n <= 1 then n else fib (n-2) + fib (n-1)"
  syntax function fib "(fib %1)"
end

(* WhyML *)

module Ref
  syntax type     ref      "%1 ref"
  syntax function contents "!%1"
  syntax val      ref      "ref"
end

module ref.Ref
  syntax val      (!_)     "!%1"
  syntax val      (:=)     "%1 := %2"
end

module stack.Stack
  syntax type      t        "(%1 Stack.t)"
  syntax val       create   "Stack.create"
  syntax val       push     "Stack.push"
  syntax exception Empty    "Stack.Empty"
  syntax val       pop      "Stack.pop"
  syntax val       top      "Stack.top"
  syntax val       safe_pop "Stack.pop"
  syntax val       safe_top "Stack.top"
  syntax val       clear    "Stack.clear"
  syntax val       copy     "Stack.copy"
  syntax val       is_empty "Stack.is_empty"
  syntax val       length   "Stack.length"
end

module queue.Queue
  syntax type      t         "(%1 Queue.t)"
  syntax val       create    "Queue.create"
  syntax val       push      "Queue.push"
  syntax exception Empty     "Queue.Empty"
  syntax val       pop       "Queue.pop"
  syntax val       peek      "Queue.peek"
  syntax val       safe_pop  "Queue.pop"
  syntax val       safe_peek "Queue.peek"
  syntax val       clear     "Queue.clear"
  syntax val       copy      "Queue.copy"
  syntax val       is_empty  "Queue.is_empty"
  syntax val       length    "Queue.length"
  syntax val       transfer  "Queue.transfer"
end

module array.Array
  syntax type array "(%1 array)"

  syntax function ([]) "(%1.(%2))"

  syntax exception OutOfBounds "(Invalid_argument \"index out of bounds\")"

  syntax val ([])          "Array.unsafe_get"
  syntax val ([]<-)        "Array.unsafe_set"
  syntax val length        "Array.length"
  syntax val defensive_get "Array.get"
  syntax val defensive_set "Array.set"
  syntax val make          "Array.make"
  syntax val empty         "(%1; [||])"
  syntax val append        "Array.append"
  syntax val sub           "Array.sub"
  syntax val copy          "Array.copy"
  syntax val fill          "Array.fill"
  syntax val blit          "Array.blit"
end

module matrix.Matrix
  syntax type matrix "(%1 array array)"

  syntax exception OutOfBounds "(Invalid_argument \"index out of bounds\")"

  syntax function rows     "Array.length"
  syntax function columns  "(Array.length %1.(0))"
  syntax val rows          "Array.length"
  syntax val columns       "(fun m -> Array.length m.(0))"
  syntax val get           "(fun m i j -> m.(i).(j))"
  syntax val set           "(fun m i j v -> m.(i).(j) <- v)"
  syntax val defensive_get "(fun m i j -> m.(i).(j))"
  syntax val defensive_set "(fun m i j v -> m.(i).(j) <- v)"
  syntax val make          "Array.make_matrix"
  syntax val copy          "(Array.map Array.copy)"
end

module mach.int.Int31
  syntax val of_int   "%1"

  syntax function to_int "(%1)"

  syntax type     int31     "int"
  syntax val      ( + )     "( + )"
  syntax val      ( - )     "( - )"
  syntax val      (-_)      "( ~- )"
  syntax val      ( * )     "( * )"
  syntax val      ( / )     "( / )"
  syntax val      ( % )     "(mod)"
  syntax val      (=)       "(=)"
  syntax val      (<=)      "(<=)"
  syntax val      (<)       "(<)"
  syntax val      (>=)      "(>=)"
  syntax val      (>)       "(>)"
end
module mach.int.Int63
  syntax val      of_int   "%1"

  syntax function to_int "(%1)"

  syntax type     int63     "int"
  syntax val      ( + )     "( + )"
  syntax val      ( - )     "( - )"
  syntax val      (-_)      "( ~- )"
  syntax val      ( * )     "( * )"
  syntax val      ( / )     "( / )"
  syntax val      ( % )     "(mod)"
  syntax val      (=)       "(=)"
  syntax val      (<=)      "(<=)"
  syntax val      (<)       "(<)"
  syntax val      (>=)      "(>=)"
  syntax val      (>)       "(>)"
end
module mach.int.Refint63
  syntax val incr "Stdlib.incr"
  syntax val decr "Stdlib.decr"
  syntax val (+=) "(fun r v -> Stdlib.(:=) r (Stdlib.(!) r + v))"
  syntax val (-=) "(fun r v -> Stdlib.(:=) r (Stdlib.(!) r - v))"
  syntax val ( *= ) "(fun r v -> Stdlib.(:=) r (Stdlib.(!) r * v))"
end
module mach.int.MinMax63
  syntax val min "Stdlib.min"
  syntax val max "Stdlib.max"
end

(* TODO
   other mach.int.XXX modules *)

module mach.array.Array31
  syntax type array  "(%1 array)"

  syntax val  make   "Array.make"
  syntax val  ([])   "Array.get"
  syntax val  ([]<-) "Array.set"
  syntax val  length "Array.length"
  syntax val  append "Array.append"
  syntax val  sub    "Array.sub"
  syntax val  copy   "Array.copy"
  syntax val  fill   "Array.fill"
  syntax val  blit   "Array.blit"
  syntax val  self_blit "Array.blit"
end
module mach.array.Array63
  syntax type array   "(%1 array)"

  syntax val  make   "Array.make"
  syntax val  ([])   "Array.get"
  syntax val  ([]<-) "Array.set"
  syntax val  length "Array.length"
  syntax val  append "Array.append"
  syntax val  sub    "Array.sub"
  syntax val  copy   "Array.copy"
  syntax val  fill   "Array.fill"
  syntax val  blit   "Array.blit"
  syntax val  self_blit "Array.blit"
end
module mach.matrix.Matrix63
  syntax type matrix "(%1 array array)"

  syntax exception OutOfBounds "(Invalid_argument \"index out of bounds\")"

  syntax function rows     "Array.length"
  syntax function columns  "(Array.length %1.(0))"
  syntax val rows          "Array.length"
  syntax val columns       "(fun m -> Array.length m.(0))"
  syntax val get           "(fun m i j -> m.(i).(j))"
  syntax val set           "(fun m i j v -> m.(i).(j) <- v)"
  syntax val defensive_get "(fun m i j -> m.(i).(j))"
  syntax val defensive_set "(fun m i j v -> m.(i).(j) <- v)"
  syntax val make          "Array.make_matrix"
  syntax val copy          "(Array.map Array.copy)"
end
why3-1.6.0/extraction_drivers/ocaml64.drv000066400000000000000000000424331440160026300203120ustar00rootroot00000000000000
(** OCaml driver for 64-bit architecture *)

printer "ocaml"

module BuiltIn
  syntax type int "Z.t"
  syntax type string "string"
end

module HighOrd
  syntax type (->) "%1 -> %2"
  syntax val  ( @ )  "%1 %2" prec 4 4 3
end

module option.Option
  syntax type      option  "%1 option"
  syntax val  None    "None"
  syntax val  Some    "Some %1" prec 4 3
end

module Bool
  syntax type     bool  "bool"
  syntax val True  "true"
  syntax val False "false"
end

module bool.Ite
  syntax val ite "if %1 then %2 else %3" prec 16 15 15 15
end

module bool.Bool
  syntax val andb  "%1 && %2"      prec 12 11 12
  syntax val orb   "%1 || %2"      prec 13 12 13
  syntax val xorb  "%1 <> %2"      prec 11 11 10
  syntax val notb  "not %1"        prec 4 3
  syntax val implb "not %1 || %2"  prec 13 3 13
end

module list.List
  syntax type     list "%1 list"
  syntax val Nil  "[]"
  syntax val Cons "%1 :: %2"        prec 9 8 9
end

module list.Length
  syntax val length "Z.of_int (List.length %1)" prec 4 3
end

module list.Append
  syntax val (++) "List.append"
end

module list.Reverse
  syntax val reverse "List.rev"
end

module list.RevAppend
  syntax val rev_append "List.rev_append"
end

module list.Combine
  syntax val combine "List.combine"
end

module Ref
  syntax type     ref      "%1 ref"
  syntax val contents "Stdlib.contents" prec 1 0
  syntax val      ref      "ref"
end

module ref.Ref
  syntax val      (!_)     "!%1"      prec 1 0
  syntax val      (:=)     "%1 := %2" prec 15 14 15
end

module ref.Refint
  syntax val incr "(fun r -> r := Z.succ !r) %1" prec 4 3
  syntax val decr "(fun r -> r := Z.pred !r) %1" prec 4 3
  syntax val (+=) "(fun r v -> r := Z.add !r v) %1 %2" prec 4 3 3
  syntax val (-=) "(fun r v -> r := Z.sub !r v) %1 %2" prec 4 3 3
  syntax val ( *= ) "(fun r v -> r := Z.mul !r v) %1 %2" prec 4 3 3
end

module null.Null

  syntax type t           "%1"
  syntax val  create_null "(fun () -> Obj.magic (ref 0))"
  syntax val  eq_null     "(==)"
  syntax val  create      "(fun x -> x)"
  syntax val  get         "(fun x -> x)"

end

module int.Int
  syntax val zero "Z.zero"
  syntax val one  "Z.one"

  syntax val (<)   "Z.lt"
  syntax val (<=)  "Z.leq"
  syntax val (>)   "Z.gt"
  syntax val (>=)  "Z.geq"
  syntax val (=)   "Z.equal"

  syntax val  (+)   "Z.add"
  syntax val  (-)   "Z.sub"
  syntax val  ( * ) "Z.mul"
  syntax val  (-_)  "Z.neg"
end

module int.Abs
  syntax val abs "Z.abs"
end

module int.MinMax
  syntax val min "Z.min"
  syntax val max "Z.max"
end

module int.EuclideanDivision
  syntax val div "Z.ediv"
  syntax val mod "Z.erem"
end

module int.ComputerDivision
  syntax val div "Z.div"
  syntax val mod "Z.rem"
end

module stack.Stack
  syntax type      t        "%1 Stack.t"
  syntax val       create   "Stack.create"
  syntax val       push     "Stack.push"
  syntax exception Empty    "Stack.Empty"
  syntax val       pop      "Stack.pop"
  syntax val       top      "Stack.top"
  syntax val       safe_pop "Stack.pop"
  syntax val       safe_top "Stack.top"
  syntax val       clear    "Stack.clear"
  syntax val       copy     "Stack.copy"
  syntax val       is_empty "Stack.is_empty"
  syntax val       length   "Z.of_int (Stack.length %1)" prec 4 3
end

module queue.Queue
  syntax type      t         "%1 Queue.t"
  syntax val       create    "Queue.create"
  syntax val       push      "Queue.push"
  syntax exception Empty     "Queue.Empty"
  syntax val       pop       "Queue.pop"
  syntax val       peek      "Queue.peek"
  syntax val       safe_pop  "Queue.pop"
  syntax val       safe_peek "Queue.peek"
  syntax val       clear     "Queue.clear"
  syntax val       copy      "Queue.copy"
  syntax val       is_empty  "Queue.is_empty"
  syntax val       length    "Z.of_int (Queue.length %1)" prec 4 3
  syntax val       transfer  "Queue.transfer"
end

module set.SetAppInt
  prelude export "module SetAppInt = Set.Make(Z)\n"
  prelude export
  "let interval l r =\
   \n  let rec aux acc l r =\
   \n    if Z.leq r l then acc\
   \n    else aux (SetAppInt.add l acc) (Z.add l Z.one) r\
   \n  in aux SetAppInt.empty l r\n"

  syntax type set      "SetAppInt.t"
  syntax val  (==)     "SetAppInt.equal %1 %2" prec 4 3 3
  syntax val  subset   "SetAppInt.subset %1 %2" prec 4 3 3
  syntax val  empty    "%1; SetAppInt.empty" prec 17 16
  syntax val  is_empty "SetAppInt.is_empty %1" prec 4 3
  syntax val  add      "SetAppInt.add %1 %2" prec 4 3 3
  syntax val  mem      "SetAppInt.mem %1 %2" prec 4 3 3
  syntax val  remove   "SetAppInt.remove %1 %2" prec 4 3 3
  syntax val  union    "SetAppInt.union %1 %2" prec 4 3 3
  syntax val  inter    "SetAppInt.inter %1 %2" prec 4 3 3
  syntax val  diff     "SetAppInt.diff %1 %2" prec 4 3 3
  syntax val  choose   "SetAppInt.choose %1" prec 4 3
  syntax val  disjoint "SetAppInt.disjoint %1 %2" prec 4 3 3
  syntax val  cardinal "Z.of_int (SetAppInt.cardinal %1)" prec 4 3
  syntax val  min_elt  "SetAppInt.min_elt %1" prec 4 3
  syntax val  max_elt  "SetAppInt.max_elt %1" prec 4 3
  syntax val  interval "interval %1 %2" prec 4 3 3
end

module set.SetImpInt
  syntax type set      "(Z.t, unit) Hashtbl.t"
  syntax val  empty    "(fun () -> Hashtbl.create 8) %1" prec 4 3
  syntax val  is_empty "Hashtbl.length %1 = 0" prec 11 3
  syntax val  add      "Hashtbl.replace %2 %1 ()" prec 4 3 3
  syntax val  mem      "Hashtbl.mem %2 %1" prec 4 3 3
  syntax val  remove   "Hashtbl.remove %2 %1" prec 4 3 3
  syntax val  cardinal "Z.of_int (Hashtbl.length %1)" prec 4 3
  syntax val  clear    "Hashtbl.clear"
  (* TODO: disjoint, choose_and_remove, choose, singleton, subset, == *)
end

module fmap.MapAppInt
  prelude "module MapAppInt = Map.Make(Z)"
  syntax type t        "%1 MapAppInt.t"
  syntax val  create   "%1; MapAppInt.empty" prec 17 16
  syntax val  is_empty "MapAppInt.is_empty"
  syntax val  add      "MapAppInt.add"
  syntax val  find     "MapAppInt.find"
  syntax val  find_exn "MapAppInt.find"
  syntax val  mem      "MapAppInt.mem"
  syntax val  remove   "MapAppInt.remove"
  syntax val  size     "Z.of_int (MapAppInt.cardinal %1)" prec 4 3
end

module fmap.MapImpInt
  (* prelude "let create () = Hashtbl.create 8" *)
  syntax type t        "(Z.t, %1) Hashtbl.t"
  syntax val  create   "(fun () -> Hashtbl.create 8) %1" prec 4 3
  syntax val  is_empty "Hashtbl.length %1 = 0" prec 11 3
  syntax val  add      "Hashtbl.replace %3 %1 %2" prec 4 3 3 3
  syntax val  find     "Hashtbl.find %2 %1" prec 4 3 3
  syntax val  find_exn "Hashtbl.find %2 %1" prec 4 3 3
  syntax val  mem      "Hashtbl.mem %2 %1" prec 4 3 3
  syntax val  remove   "Hashtbl.remove %2 %1" prec 4 3 3
  syntax val  size     "Z.of_int (Hashtbl.length %1)" prec 4 3
  syntax val  clear    "Hashtbl.clear"
end

module array.Array
  syntax type array "%1 array"

  (* syntax exception OutOfBounds "Why3__Array.OutOfBounds" *) (* FIXME *)

  syntax val ([])          "%1.(Z.to_int %2)" prec 2 1 3
  syntax val ([]<-)        "%1.(Z.to_int %2) <- %3" prec 15 2 1 15
  syntax val length        "Z.of_int (Array.length %1)" prec 4 3
  syntax val defensive_get "%1.(Z.to_int %2)" prec 2 1 3
  syntax val defensive_set "%1.(Z.to_int %2) <- %3" prec 15 2 1 15
  syntax val empty         "(%1; [||])"
  syntax val make          "Array.make (Z.to_int %1) %2" prec 4 3 3
  syntax val append        "Array.append"
  syntax val sub           "Array.sub %1 (Z.to_int %2) (Z.to_int %3)" prec 4 3 3 3
  syntax val copy          "Array.copy"
  syntax val fill          "Array.fill %1 (Z.to_int %2) (Z.to_int %3) %4" prec 4 3 3 3
  syntax val blit          "Array.blit %1 (Z.to_int %2) %3 (Z.to_int %4) (Z.to_int %5)" prec 4
end

module array.Init
  syntax val init "Array.init (Z.to_int %1) (fun i -> %2 (Z.of_int i))" prec 4 3 14
end

module matrix.Matrix
  syntax type matrix "%1 array array"

  (* syntax exception OutOfBounds "Why3__Matrix.OutOfBounds" *) (* FIXME *)

  syntax val get           "%1.(Z.to_int %2).(Z.to_int %3)" prec 2 1 3 3
  syntax val set           "%1.(Z.to_int %2).(Z.to_int %3) <- %4" prec 15 1 3 3 14
  syntax val rows          "Z.of_int (Array.length %1)" prec 4 3
  syntax val columns       "Z.of_int (Array.length %1.(0))" prec 4 1
  syntax val defensive_get "%1.(Z.to_int %2).(Z.to_int %3)" prec 2 1 3 3
  syntax val defensive_set "%1.(Z.to_int %2).(Z.to_int %3) <- %4" prec 15 1 3 3 14
  syntax val make          "Array.make_matrix (Z.to_int %1) (Z.to_int %2) %3" prec 4 3 3 3
  syntax val copy          "Array.map Array.copy %1" prec 4 3
end

module mach.int.Int
  syntax val ( / ) "Z.div"
  syntax val ( % ) "Z.rem"
end

module mach.int.Int32
  syntax type     int32     "int"

  syntax literal   int32    "%1"

  syntax val of_int "Z.to_int"
  syntax val to_int "Z.of_int"

  syntax val min_int32 "Z.of_int 0x7fff_ffff"
  syntax val max_int32 "Z.of_int (-0x8000_0000)"
  syntax val      ( + )     "%1 + %2"   prec 8 8 7
  syntax val      ( - )     "%1 - %2"   prec 8 8 7
  syntax val      (-_)      "- %1"      prec 5 4
  syntax val      ( * )     "%1 * %2"   prec 7 7 6
  syntax val      ( / )     "%1 / %2"   prec 7 7 6
  syntax val      ( % )     "%1 mod %2" prec 7 7 6
  syntax val      (=)       "%1 = %2"   prec 11 11 10
  syntax val      (<=)      "%1 <= %2"  prec 11 11 10
  syntax val      (<)       "%1 < %2"   prec 11 11 10
  syntax val      (>=)      "%1 >= %2"  prec 11 11 10
  syntax val      (>)       "%1 > %2"   prec 11 11 10
end

module mach.int.Int63
  syntax type     int63     "int"

  syntax literal   int63    "%1"

  syntax val of_int "Z.to_int"
  syntax val to_int "Z.of_int"

  syntax val min_int63 "Z.of_int min_int" prec 4
  syntax val max_int63 "Z.of_int max_int" prec 4
  syntax val min_int   "min_int"
  syntax val max_int   "max_int"
  syntax val zero      "0"
  syntax val one       "1"
  syntax val      ( + )     "%1 + %2"   prec 8 8 7
  syntax val      ( - )     "%1 - %2"   prec 8 8 7
  syntax val      (-_)      "- %1"      prec 5 4
  syntax val      ( * )     "%1 * %2"   prec 7 7 6
  syntax val      ( / )     "%1 / %2"   prec 7 7 6
  syntax val      ( % )     "%1 mod %2" prec 7 7 6
  syntax val      (=)       "%1 = %2"   prec 11 11 10
  syntax val      (<=)      "%1 <= %2"  prec 11 11 10
  syntax val      (<)       "%1 < %2"   prec 11 11 10
  syntax val      (>=)      "%1 >= %2"  prec 11 11 10
  syntax val      (>)       "%1 > %2"   prec 11 11 10

(*  syntax val      to_bv     "(fun x -> x)"
  syntax val      of_bv     "(fun x -> x)"*)
end

module mach.int.Random63
  syntax val s             "REMOVE"
  syntax val init          "Random.init"
  syntax val self_init     "Random.self_init"
  syntax val random_bool   "Random.bool"
  syntax val random_int63  "Random.int"
end

module mach.int.State63
  remove module
end

module mach.peano.Peano
  syntax type t      "int"
  syntax val  to_int "Z.of_int"
  syntax val  zero   "0"
  syntax val  one    "1"
  syntax val  succ   "%1 + 1"   prec 8 8 7
  syntax val  pred   "%1 - 1"   prec 8 8 7
  syntax val  lt     "%1 < %2"  prec 11 11 10
  syntax val  le     "%1 <= %2" prec 11 11 10
  syntax val  gt     "%1 > %2"  prec 11 11 10
  syntax val  ge     "%1 >= %2" prec 11 11 10
  syntax val  eq     "%1 = %2"  prec 11 11 10
  syntax val  ne     "%1 <> %2" prec 11 11 10
  syntax val  neg    "- %1"     prec 5 4
  syntax val  abs    "abs"
  syntax val  add    "%1 + %2 (*%3 %4*)"  prec 8 8 7
  syntax val  sub    "%1 - %2 (*%3 %4*)"  prec 8 8 7
  syntax val  mul    "%1 * %2 (*%3 %4*)"  prec 7 7 6
  syntax val  of_int "Z.to_int %1 (*%2 %3*)"
end

module mach.peano.ComputerDivision
  syntax val  div    "%1 / %2"  prec 7 7 6
  syntax val  mod    "%1 mod %2" prec 7 7 6
end

module mach.peano.MinMax
  syntax val  max    "max"
  syntax val  min    "min"
end

module mach.peano.Int63
  syntax val  defensive_to_int63    "%1"
  syntax val  to_int63    "%1"
  syntax val  of_int63    "%1"
end

module mach.onetime.OneTime
  syntax type t      "int"
  syntax val  to_int "Z.of_int"
  syntax val  zero   "0 (*%1*)"
  syntax val  one    "1 (*%1*)"
    (* note: it is safe to ignore the argument of `zero` and `one`, of
       type unit, thanks to the A-normal form of WhyML code. *)
  syntax val  succ   "%1 + 1"   prec 8 8 7
  syntax val  pred   "%1 - 1"   prec 8 8 7
  syntax val  lt     "%1 < %2"  prec 11 11 10
  syntax val  le     "%1 <= %2" prec 11 11 10
  syntax val  gt     "%1 > %2"  prec 11 11 10
  syntax val  ge     "%1 >= %2" prec 11 11 10
  syntax val  eq     "%1 = %2"  prec 11 11 10
  syntax val  ne     "%1 <> %2" prec 11 11 10

  syntax val to_peano "%1"
  syntax val transfer "%1"
  syntax val neg      "-%1"     prec 5 4
  syntax val abs      "abs %1"
  syntax val add      "%1 + %2" prec 8 8 7
  syntax val sub      "%1 - %2" prec 8 8 7
  syntax val split    "(%1-%2, %2)" prec 0 13 13
end

module string.Char
  syntax type char "char"
end

module string.OCaml
  syntax val (=)    "%1 = %2" prec 11 11 10
  syntax val eq_char "%1 = %2" prec 11 11 10
  syntax val length "String.length %1" prec 4 3
  syntax val get    "String.get %1 %2" prec 4 3 3
  syntax val ([])   "String.get %1 %2" prec 4 3 3
  syntax val sub    "String.sub %1 %2 %3" prec 4 3 3 3
  syntax val concat "%1 ^ %2" prec 4 3 4
  syntax val code   "Char.code %1" prec 4 3 3
  syntax val chr    "Char.chr %1" prec 4 3 3
  syntax val make   "String.make %1 %2" prec 4 3 3
end

module string.StringBuffer
  syntax type buffer    "Buffer.t"
  syntax val create     "Buffer.create %1" prec 4 3
  syntax val length     "Buffer.length %1" prec 4 3
  syntax val contents   "Buffer.contents %1" prec 4 3
  syntax val clear      "Buffer.clear %1" prec 4 3
  syntax val reset      "Buffer.reset %1" prec 4 3
  syntax val sub        "Buffer.sub %1 %2 %3" prec 4 3 3 3
  syntax val add_char   "Buffer.add_char %1 %2" prec 4 3 3
  syntax val add_string "Buffer.add_string %1 %2" prec 4 3 3
  syntax val truncate   "Buffer.truncate %1 %2" prec 4 3 3
end

module io.StdIO
  syntax val print_string "Stdlib.print_string"
  syntax val print_char "Stdlib.print_char"
  syntax val print_int "Stdlib.print_string (Z.to_string %1)" prec 4 3
  syntax val print_newline "Stdlib.print_newline"
end

module random.Random
  syntax val random_int    "Z.of_int (Random.int (Z.to_int %1))" prec 4 3
end

module mach.int.Refint63
  syntax val incr "incr"
  syntax val decr "decr"
  syntax val (+=) "(fun r v -> r := !r + v) %1 %2" prec 4 3 3
  syntax val (-=) "(fun r v -> r := !r - v) %1 %2" prec 4 3 3
  syntax val ( *= ) "(fun r v -> r := !r * v) %1 %2" prec 4 3 3
end
module mach.int.MinMax63
  syntax val min "Stdlib.min"
  syntax val max "Stdlib.max"
end

module mach.array.Array32
  syntax type      array         "(%1 array)"

  syntax exception OutOfBounds   "Invalid_argument \"index out of bounds\""
  syntax val       make          "Array.make"
  syntax val       ([])          "%1.(%2)" prec 2 1 18
  syntax val       ([]<-)        "%1.(%2) <- %3" prec 15 1 18 15
  syntax val       defensive_get "%1.(%2)" prec 2 1 18
  syntax val       defensive_set "%1.(%2) <- %3" prec 15 1 18 15
  syntax val       length        "Array.length"
  syntax val       append        "Array.append"
  syntax val       sub           "Array.sub"
  syntax val       copy          "Array.copy"
  syntax val       fill          "Array.fill"
  syntax val       blit          "Array.blit"
  syntax val       self_blit     "Array.blit %1 %2 %1 %3 %4" prec 4 3 3 3 3 3
end

module mach.array.Array63
  syntax type      array         "(%1 array)"

  syntax exception OutOfBounds   "Invalid_argument \"index out of bounds\""
  syntax val       make          "Array.make"
  syntax val       ([])          "%1.(%2)" prec 2 1 18
  syntax val       ([]<-)        "%1.(%2) <- %3" prec 15 1 18 15
  syntax val       defensive_get "%1.(%2)" prec 2 1 18
  syntax val       defensive_set "%1.(%2) <- %3" prec 15 1 18 15
  syntax val       length        "Array.length %1" prec 4 3
  syntax val       append        "Array.append"
  syntax val       sub           "Array.sub"
  syntax val       copy          "Array.copy"
  syntax val       fill          "Array.fill"
  syntax val       blit          "Array.blit"
  syntax val       self_blit     "Array.blit %1 %2 %1 %3 %4" prec 4 3 3 3 3 3
  syntax val       init          "Array.init"
end

module mach.array.ArrayInt63
  syntax type array63 "(int array)"
  syntax val  make   "Array.make"
  syntax val  init   "Array.init"
  syntax val  ([])   "%1.(%2)" prec 2 1 18
  syntax val  ([]<-) "%1.(%2) <- %3" prec 15 1 18 15
  syntax val  length "Array.length %1" prec 4 3
  syntax val  copy   "Array.copy"
  syntax val  sub    "Array.sub"
end

module mach.matrix.Matrix63
  syntax type matrix "(%1 array array)"

  (* syntax exception OutOfBounds "(Invalid_argument \"index out of bounds\")" *)

  syntax val rows     "Array.length"
  syntax val columns  "Array.length %1.(0)" prec 4 1
  syntax val rows          "Array.length"
  syntax val columns       "Array.length %1.(0)" prec 4 1
  syntax val get           "%1.(%2).(%3)" prec 2 1 18 18
  syntax val set           "%1.(%2).(%3) <- %4" prec 15 1 18 18 15
  syntax val defensive_get "%1.(%2).(%3)" prec 2 1 18 18
  syntax val defensive_set "%1.(%2).(%3) <- %4" prec 15 1 18 18 15
  syntax val make          "Array.make_matrix"
  syntax val copy          "Array.map Array.copy %1" prec 4 3
end

module ocaml.Sys
  syntax val max_array_length "Sys.max_array_length"
end

module ocaml.Exceptions
  syntax exception Exit             "Stdlib.Exit"
  syntax exception Not_found        "Not_found"
  syntax exception Invalid_argument "Invalid_argument"
end

module ocaml.Pervasives
  syntax exception AssertFailure    "REMOVE"
  syntax val       ocaml_assert     "assert"
  syntax val       succ             "succ"
  syntax val       pred             "pred"
end
why3-1.6.0/install-sh000077500000000000000000000354631440160026300144230ustar00rootroot00000000000000#!/bin/sh
# install - install a program, script, or datafile

scriptversion=2014-09-12.12; # UTC

# This originates from X11R5 (mit/util/scripts/install.sh), which was
# later released in X11R6 (xc/config/util/install.sh) with the
# following copyright and license.
#
# Copyright (C) 1994 X Consortium
#
# Permission is hereby granted, free of charge, to any person obtaining a copy
# of this software and associated documentation files (the "Software"), to
# deal in the Software without restriction, including without limitation the
# rights to use, copy, modify, merge, publish, distribute, sublicense, and/or
# sell copies of the Software, and to permit persons to whom the Software is
# furnished to do so, subject to the following conditions:
#
# The above copyright notice and this permission notice shall be included in
# all copies or substantial portions of the Software.
#
# THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
# IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
# FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT.  IN NO EVENT SHALL THE
# X CONSORTIUM BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER LIABILITY, WHETHER IN
# AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, OUT OF OR IN CONNEC-
# TION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE SOFTWARE.
#
# Except as contained in this notice, the name of the X Consortium shall not
# be used in advertising or otherwise to promote the sale, use or other deal-
# ings in this Software without prior written authorization from the X Consor-
# tium.
#
#
# FSF changes to this file are in the public domain.
#
# Calling this script install-sh is preferred over install.sh, to prevent
# 'make' implicit rules from creating a file called install from it
# when there is no Makefile.
#
# This script is compatible with the BSD install script, but was written
# from scratch.

tab='	'
nl='
'
IFS=" $tab$nl"

# Set DOITPROG to "echo" to test this script.

doit=${DOITPROG-}
doit_exec=${doit:-exec}

# Put in absolute file names if you don't have them in your path;
# or use environment vars.

chgrpprog=${CHGRPPROG-chgrp}
chmodprog=${CHMODPROG-chmod}
chownprog=${CHOWNPROG-chown}
cmpprog=${CMPPROG-cmp}
cpprog=${CPPROG-cp}
mkdirprog=${MKDIRPROG-mkdir}
mvprog=${MVPROG-mv}
rmprog=${RMPROG-rm}
stripprog=${STRIPPROG-strip}

posix_mkdir=

# Desired mode of installed file.
mode=0755

chgrpcmd=
chmodcmd=$chmodprog
chowncmd=
mvcmd=$mvprog
rmcmd="$rmprog -f"
stripcmd=

src=
dst=
dir_arg=
dst_arg=

copy_on_change=false
is_target_a_directory=possibly

usage="\
Usage: $0 [OPTION]... [-T] SRCFILE DSTFILE
   or: $0 [OPTION]... SRCFILES... DIRECTORY
   or: $0 [OPTION]... -t DIRECTORY SRCFILES...
   or: $0 [OPTION]... -d DIRECTORIES...

In the 1st form, copy SRCFILE to DSTFILE.
In the 2nd and 3rd, copy all SRCFILES to DIRECTORY.
In the 4th, create DIRECTORIES.

Options:
     --help     display this help and exit.
     --version  display version info and exit.

  -c            (ignored)
  -C            install only if different (preserve the last data modification time)
  -d            create directories instead of installing files.
  -g GROUP      $chgrpprog installed files to GROUP.
  -m MODE       $chmodprog installed files to MODE.
  -o USER       $chownprog installed files to USER.
  -s            $stripprog installed files.
  -t DIRECTORY  install into DIRECTORY.
  -T            report an error if DSTFILE is a directory.

Environment variables override the default commands:
  CHGRPPROG CHMODPROG CHOWNPROG CMPPROG CPPROG MKDIRPROG MVPROG
  RMPROG STRIPPROG
"

while test $# -ne 0; do
  case $1 in
    -c) ;;

    -C) copy_on_change=true;;

    -d) dir_arg=true;;

    -g) chgrpcmd="$chgrpprog $2"
        shift;;

    --help) echo "$usage"; exit $?;;

    -m) mode=$2
        case $mode in
          *' '* | *"$tab"* | *"$nl"* | *'*'* | *'?'* | *'['*)
            echo "$0: invalid mode: $mode" >&2
            exit 1;;
        esac
        shift;;

    -o) chowncmd="$chownprog $2"
        shift;;

    -s) stripcmd=$stripprog;;

    -t)
        is_target_a_directory=always
        dst_arg=$2
        # Protect names problematic for 'test' and other utilities.
        case $dst_arg in
          -* | [=\(\)!]) dst_arg=./$dst_arg;;
        esac
        shift;;

    -T) is_target_a_directory=never;;

    --version) echo "$0 $scriptversion"; exit $?;;

    --) shift
        break;;

    -*) echo "$0: invalid option: $1" >&2
        exit 1;;

    *)  break;;
  esac
  shift
done

# We allow the use of options -d and -T together, by making -d
# take the precedence; this is for compatibility with GNU install.

if test -n "$dir_arg"; then
  if test -n "$dst_arg"; then
    echo "$0: target directory not allowed when installing a directory." >&2
    exit 1
  fi
fi

if test $# -ne 0 && test -z "$dir_arg$dst_arg"; then
  # When -d is used, all remaining arguments are directories to create.
  # When -t is used, the destination is already specified.
  # Otherwise, the last argument is the destination.  Remove it from $@.
  for arg
  do
    if test -n "$dst_arg"; then
      # $@ is not empty: it contains at least $arg.
      set fnord "$@" "$dst_arg"
      shift # fnord
    fi
    shift # arg
    dst_arg=$arg
    # Protect names problematic for 'test' and other utilities.
    case $dst_arg in
      -* | [=\(\)!]) dst_arg=./$dst_arg;;
    esac
  done
fi

if test $# -eq 0; then
  if test -z "$dir_arg"; then
    echo "$0: no input file specified." >&2
    exit 1
  fi
  # It's OK to call 'install-sh -d' without argument.
  # This can happen when creating conditional directories.
  exit 0
fi

if test -z "$dir_arg"; then
  if test $# -gt 1 || test "$is_target_a_directory" = always; then
    if test ! -d "$dst_arg"; then
      echo "$0: $dst_arg: Is not a directory." >&2
      exit 1
    fi
  fi
fi

if test -z "$dir_arg"; then
  do_exit='(exit $ret); exit $ret'
  trap "ret=129; $do_exit" 1
  trap "ret=130; $do_exit" 2
  trap "ret=141; $do_exit" 13
  trap "ret=143; $do_exit" 15

  # Set umask so as not to create temps with too-generous modes.
  # However, 'strip' requires both read and write access to temps.
  case $mode in
    # Optimize common cases.
    *644) cp_umask=133;;
    *755) cp_umask=22;;

    *[0-7])
      if test -z "$stripcmd"; then
        u_plus_rw=
      else
        u_plus_rw='% 200'
      fi
      cp_umask=`expr '(' 777 - $mode % 1000 ')' $u_plus_rw`;;
    *)
      if test -z "$stripcmd"; then
        u_plus_rw=
      else
        u_plus_rw=,u+rw
      fi
      cp_umask=$mode$u_plus_rw;;
  esac
fi

for src
do
  # Protect names problematic for 'test' and other utilities.
  case $src in
    -* | [=\(\)!]) src=./$src;;
  esac

  if test -n "$dir_arg"; then
    dst=$src
    dstdir=$dst
    test -d "$dstdir"
    dstdir_status=$?
  else

    # Waiting for this to be detected by the "$cpprog $src $dsttmp" command
    # might cause directories to be created, which would be especially bad
    # if $src (and thus $dsttmp) contains '*'.
    if test ! -f "$src" && test ! -d "$src"; then
      echo "$0: $src does not exist." >&2
      exit 1
    fi

    if test -z "$dst_arg"; then
      echo "$0: no destination specified." >&2
      exit 1
    fi
    dst=$dst_arg

    # If destination is a directory, append the input filename; won't work
    # if double slashes aren't ignored.
    if test -d "$dst"; then
      if test "$is_target_a_directory" = never; then
        echo "$0: $dst_arg: Is a directory" >&2
        exit 1
      fi
      dstdir=$dst
      dst=$dstdir/`basename "$src"`
      dstdir_status=0
    else
      dstdir=`dirname "$dst"`
      test -d "$dstdir"
      dstdir_status=$?
    fi
  fi

  obsolete_mkdir_used=false

  if test $dstdir_status != 0; then
    case $posix_mkdir in
      '')
        # Create intermediate dirs using mode 755 as modified by the umask.
        # This is like FreeBSD 'install' as of 1997-10-28.
        umask=`umask`
        case $stripcmd.$umask in
          # Optimize common cases.
          *[2367][2367]) mkdir_umask=$umask;;
          .*0[02][02] | .[02][02] | .[02]) mkdir_umask=22;;

          *[0-7])
            mkdir_umask=`expr $umask + 22 \
              - $umask % 100 % 40 + $umask % 20 \
              - $umask % 10 % 4 + $umask % 2
            `;;
          *) mkdir_umask=$umask,go-w;;
        esac

        # With -d, create the new directory with the user-specified mode.
        # Otherwise, rely on $mkdir_umask.
        if test -n "$dir_arg"; then
          mkdir_mode=-m$mode
        else
          mkdir_mode=
        fi

        posix_mkdir=false
        case $umask in
          *[123567][0-7][0-7])
            # POSIX mkdir -p sets u+wx bits regardless of umask, which
            # is incompatible with FreeBSD 'install' when (umask & 300) != 0.
            ;;
          *)
            # $RANDOM is not portable (e.g. dash);  use it when possible to
            # lower collision chance
            tmpdir=${TMPDIR-/tmp}/ins$RANDOM-$$
            trap 'ret=$?; rmdir "$tmpdir/a/b" "$tmpdir/a" "$tmpdir" 2>/dev/null; exit $ret' 0

            # As "mkdir -p" follows symlinks and we work in /tmp possibly;  so
            # create the $tmpdir first (and fail if unsuccessful) to make sure
            # that nobody tries to guess the $tmpdir name.
            if (umask $mkdir_umask &&
                $mkdirprog $mkdir_mode "$tmpdir" &&
                exec $mkdirprog $mkdir_mode -p -- "$tmpdir/a/b") >/dev/null 2>&1
            then
              if test -z "$dir_arg" || {
                   # Check for POSIX incompatibilities with -m.
                   # HP-UX 11.23 and IRIX 6.5 mkdir -m -p sets group- or
                   # other-writable bit of parent directory when it shouldn't.
                   # FreeBSD 6.1 mkdir -m -p sets mode of existing directory.
                   test_tmpdir="$tmpdir/a"
                   ls_ld_tmpdir=`ls -ld "$test_tmpdir"`
                   case $ls_ld_tmpdir in
                     d????-?r-*) different_mode=700;;
                     d????-?--*) different_mode=755;;
                     *) false;;
                   esac &&
                   $mkdirprog -m$different_mode -p -- "$test_tmpdir" && {
                     ls_ld_tmpdir_1=`ls -ld "$test_tmpdir"`
                     test "$ls_ld_tmpdir" = "$ls_ld_tmpdir_1"
                   }
                 }
              then posix_mkdir=:
              fi
              rmdir "$tmpdir/a/b" "$tmpdir/a" "$tmpdir"
            else
              # Remove any dirs left behind by ancient mkdir implementations.
              rmdir ./$mkdir_mode ./-p ./-- "$tmpdir" 2>/dev/null
            fi
            trap '' 0;;
        esac;;
    esac

    if
      $posix_mkdir && (
        umask $mkdir_umask &&
        $doit_exec $mkdirprog $mkdir_mode -p -- "$dstdir"
      )
    then :
    else

      # The umask is ridiculous, or mkdir does not conform to POSIX,
      # or it failed possibly due to a race condition.  Create the
      # directory the slow way, step by step, checking for races as we go.

      case $dstdir in
        /*) prefix='/';;
        [-=\(\)!]*) prefix='./';;
        *)  prefix='';;
      esac

      oIFS=$IFS
      IFS=/
      set -f
      set fnord $dstdir
      shift
      set +f
      IFS=$oIFS

      prefixes=

      for d
      do
        test X"$d" = X && continue

        prefix=$prefix$d
        if test -d "$prefix"; then
          prefixes=
        else
          if $posix_mkdir; then
            (umask=$mkdir_umask &&
             $doit_exec $mkdirprog $mkdir_mode -p -- "$dstdir") && break
            # Don't fail if two instances are running concurrently.
            test -d "$prefix" || exit 1
          else
            case $prefix in
              *\'*) qprefix=`echo "$prefix" | sed "s/'/'\\\\\\\\''/g"`;;
              *) qprefix=$prefix;;
            esac
            prefixes="$prefixes '$qprefix'"
          fi
        fi
        prefix=$prefix/
      done

      if test -n "$prefixes"; then
        # Don't fail if two instances are running concurrently.
        (umask $mkdir_umask &&
         eval "\$doit_exec \$mkdirprog $prefixes") ||
          test -d "$dstdir" || exit 1
        obsolete_mkdir_used=true
      fi
    fi
  fi

  if test -n "$dir_arg"; then
    { test -z "$chowncmd" || $doit $chowncmd "$dst"; } &&
    { test -z "$chgrpcmd" || $doit $chgrpcmd "$dst"; } &&
    { test "$obsolete_mkdir_used$chowncmd$chgrpcmd" = false ||
      test -z "$chmodcmd" || $doit $chmodcmd $mode "$dst"; } || exit 1
  else

    # Make a couple of temp file names in the proper directory.
    dsttmp=$dstdir/_inst.$$_
    rmtmp=$dstdir/_rm.$$_

    # Trap to clean up those temp files at exit.
    trap 'ret=$?; rm -f "$dsttmp" "$rmtmp" && exit $ret' 0

    # Copy the file name to the temp name.
    (umask $cp_umask && $doit_exec $cpprog "$src" "$dsttmp") &&

    # and set any options; do chmod last to preserve setuid bits.
    #
    # If any of these fail, we abort the whole thing.  If we want to
    # ignore errors from any of these, just make sure not to ignore
    # errors from the above "$doit $cpprog $src $dsttmp" command.
    #
    { test -z "$chowncmd" || $doit $chowncmd "$dsttmp"; } &&
    { test -z "$chgrpcmd" || $doit $chgrpcmd "$dsttmp"; } &&
    { test -z "$stripcmd" || $doit $stripcmd "$dsttmp"; } &&
    { test -z "$chmodcmd" || $doit $chmodcmd $mode "$dsttmp"; } &&

    # If -C, don't bother to copy if it wouldn't change the file.
    if $copy_on_change &&
       old=`LC_ALL=C ls -dlL "$dst"     2>/dev/null` &&
       new=`LC_ALL=C ls -dlL "$dsttmp"  2>/dev/null` &&
       set -f &&
       set X $old && old=:$2:$4:$5:$6 &&
       set X $new && new=:$2:$4:$5:$6 &&
       set +f &&
       test "$old" = "$new" &&
       $cmpprog "$dst" "$dsttmp" >/dev/null 2>&1
    then
      rm -f "$dsttmp"
    else
      # Rename the file to the real destination.
      $doit $mvcmd -f "$dsttmp" "$dst" 2>/dev/null ||

      # The rename failed, perhaps because mv can't rename something else
      # to itself, or perhaps because mv is so ancient that it does not
      # support -f.
      {
        # Now remove or move aside any old file at destination location.
        # We try this two ways since rm can't unlink itself on some
        # systems and the destination file might be busy for other
        # reasons.  In this case, the final cleanup might fail but the new
        # file should still install successfully.
        {
          test ! -f "$dst" ||
          $doit $rmcmd -f "$dst" 2>/dev/null ||
          { $doit $mvcmd -f "$dst" "$rmtmp" 2>/dev/null &&
            { $doit $rmcmd -f "$rmtmp" 2>/dev/null; :; }
          } ||
          { echo "$0: cannot unlink or rename $dst" >&2
            (exit 1); exit 1
          }
        } &&

        # Now rename the file to the real destination.
        $doit $mvcmd "$dsttmp" "$dst"
      }
    fi || exit 1

    trap '' 0
  fi
done

# Local variables:
# eval: (add-hook 'write-file-hooks 'time-stamp)
# time-stamp-start: "scriptversion="
# time-stamp-format: "%:y-%02m-%02d.%02H"
# time-stamp-time-zone: "UTC"
# time-stamp-end: "; # UTC"
# End:
why3-1.6.0/lib/000077500000000000000000000000001440160026300131525ustar00rootroot00000000000000why3-1.6.0/lib/coq/000077500000000000000000000000001440160026300137345ustar00rootroot00000000000000why3-1.6.0/lib/coq/BuiltIn.v000066400000000000000000000037721440160026300155020ustar00rootroot00000000000000(********************************************************************)
(*                                                                  *)
(*  The Why3 Verification Platform   /   The Why3 Development Team  *)
(*  Copyright 2010-2023 --  Inria - CNRS - Paris-Saclay University  *)
(*                                                                  *)
(*  This software is distributed under the terms of the GNU Lesser  *)
(*  General Public License version 2.1, with the special exception  *)
(*  on linking described in file LICENSE.                           *)
(*                                                                  *)
(********************************************************************)

Require Export ZArith.
Require Export Rbase.

Require Import ClassicalEpsilon.

Class WhyType T := {
  why_inhabitant : T ;
  why_decidable_eq : forall x y : T, { x = y } + { x <> y }
}.

Notation int := Z.
Notation IZR := IZR (only parsing).

Global Instance int_WhyType : WhyType int.
Proof.
split.
exact Z0.
exact Z.eq_dec.
Qed.

Notation real := R.

Global Instance real_WhyType : WhyType real.
Proof.
split.
exact R0.
intros x y.
destruct (total_order_T x y) as [[H|H]|H] ;
  try (left ; exact H) ; right.
now apply Rlt_not_eq.
now apply Rgt_not_eq.
Qed.

Global Instance tuple_WhyType : forall T {T' : WhyType T} U {U' : WhyType U}, WhyType (T * U).
Proof.
intros T WT U WU.
split.
split ; apply why_inhabitant.
intros (x1,x2) (y1,y2).
destruct (why_decidable_eq x1 y1) as [H1|H1].
destruct (why_decidable_eq x2 y2) as [H2|H2].
left.
now apply f_equal2.
right.
now injection.
right.
now injection.
Qed.

Global Instance unit_WhyType : WhyType unit.
Proof.
split.
exact tt.
intros [] [].
now left.
Qed.

Global Instance bool_WhyType : WhyType bool.
Proof.
split.
exact false.
exact Bool.bool_dec.
Qed.

Global Instance func_WhyType : forall (a:Type) {a_WT:WhyType a} (b:Type) {b_WT:WhyType b}, WhyType (a -> b).
Proof.
intros.
repeat split.
exact (fun _ => why_inhabitant).
intros x y.
apply excluded_middle_informative.
Qed.
why3-1.6.0/lib/coq/HighOrd.v000066400000000000000000000017301440160026300154500ustar00rootroot00000000000000(********************************************************************)
(*                                                                  *)
(*  The Why3 Verification Platform   /   The Why3 Development Team  *)
(*  Copyright 2010-2023 --  Inria - CNRS - Paris-Saclay University  *)
(*                                                                  *)
(*  This software is distributed under the terms of the GNU Lesser  *)
(*  General Public License version 2.1, with the special exception  *)
(*  on linking described in file LICENSE.                           *)
(*                                                                  *)
(********************************************************************)

Require Import BuiltIn.

Definition func : forall (a:Type) (b:Type), Type.
Proof.
intros a b.
exact (a -> b).
Defined.

Definition infix_at: forall {a:Type} {b:Type}, (a -> b) -> a -> b.
Proof.
intros a b f x.
exact (f x).
Defined.

Definition pred (a: Type) := a -> bool.
why3-1.6.0/lib/coq/WellFounded.v000066400000000000000000000016441440160026300163400ustar00rootroot00000000000000(********************************************************************)
(*                                                                  *)
(*  The Why3 Verification Platform   /   The Why3 Development Team  *)
(*  Copyright 2010-2023 --  Inria - CNRS - Paris-Saclay University  *)
(*                                                                  *)
(*  This software is distributed under the terms of the GNU Lesser  *)
(*  General Public License version 2.1, with the special exception  *)
(*  on linking described in file LICENSE.                           *)
(*                                                                  *)
(********************************************************************)

Require Import BuiltIn.

Definition acc {a:Type} (r:a -> a -> bool) : a -> Prop :=
  Acc (fun y x => r y x = true).

Definition well_founded {a:Type} (r:a -> a -> bool) : Prop :=
  well_founded (fun y x => r y x = true).
why3-1.6.0/lib/coq/_CoqProject000066400000000000000000000000121440160026300160600ustar00rootroot00000000000000-R . Why3
why3-1.6.0/lib/coq/bool/000077500000000000000000000000001440160026300146675ustar00rootroot00000000000000why3-1.6.0/lib/coq/bool/Bool.v000066400000000000000000000042321440160026300157520ustar00rootroot00000000000000(********************************************************************)
(*                                                                  *)
(*  The Why3 Verification Platform   /   The Why3 Development Team  *)
(*  Copyright 2010-2023 --  Inria - CNRS - Paris-Saclay University  *)
(*                                                                  *)
(*  This software is distributed under the terms of the GNU Lesser  *)
(*  General Public License version 2.1, with the special exception  *)
(*  on linking described in file LICENSE.                           *)
(*                                                                  *)
(********************************************************************)

(* This file is generated by Why3's Coq-realize driver *)
(* Beware! Only edit allowed sections below    *)
Require Import BuiltIn.
Require BuiltIn.

(* Why3 goal *)
Lemma andb'def :
  forall (x:Init.Datatypes.bool) (y:Init.Datatypes.bool),
  ((Init.Datatypes.andb x y) =
   match x with
   | Init.Datatypes.true => y
   | Init.Datatypes.false => Init.Datatypes.false
   end).
Proof.
intros x y.
apply refl_equal.
Qed.

(* Why3 goal *)
Lemma orb'def :
  forall (x:Init.Datatypes.bool) (y:Init.Datatypes.bool),
  ((Init.Datatypes.orb x y) =
   match x with
   | Init.Datatypes.false => y
   | Init.Datatypes.true => Init.Datatypes.true
   end).
Proof.
intros x y.
apply refl_equal.
Qed.

(* Why3 goal *)
Lemma notb'def :
  forall (x:Init.Datatypes.bool),
  ((Init.Datatypes.negb x) =
   match x with
   | Init.Datatypes.false => Init.Datatypes.true
   | Init.Datatypes.true => Init.Datatypes.false
   end).
Proof.
intros x.
apply refl_equal.
Qed.

(* Why3 goal *)
Lemma xorb'def :
  forall (x:Init.Datatypes.bool) (y:Init.Datatypes.bool),
  ((Init.Datatypes.xorb x y) =
   match x with
   | Init.Datatypes.false => y
   | Init.Datatypes.true => Init.Datatypes.negb y
   end).
Proof.
intros x y.
destruct x; destruct y; auto.
Qed.

(* Why3 goal *)
Lemma implb'def :
  forall (x:Init.Datatypes.bool) (y:Init.Datatypes.bool),
  ((Init.Datatypes.implb x y) =
   match x with
   | Init.Datatypes.false => Init.Datatypes.true
   | Init.Datatypes.true => y
   end).
Proof.
now intros [|] [|].
Qed.

why3-1.6.0/lib/coq/bv/000077500000000000000000000000001440160026300143435ustar00rootroot00000000000000why3-1.6.0/lib/coq/bv/BV_Gen.v000066400000000000000000002042651440160026300156430ustar00rootroot00000000000000(********************************************************************)
(*                                                                  *)
(*  The Why3 Verification Platform   /   The Why3 Development Team  *)
(*  Copyright 2010-2023 --  Inria - CNRS - Paris-Saclay University  *)
(*                                                                  *)
(*  This software is distributed under the terms of the GNU Lesser  *)
(*  General Public License version 2.1, with the special exception  *)
(*  on linking described in file LICENSE.                           *)
(*                                                                  *)
(********************************************************************)

(* This file is generated by Why3's Coq-realize driver *)
(* Beware! Only edit allowed sections below    *)
Require Import BuiltIn.
Require BuiltIn.
Require HighOrd.
Require WellFounded.
Require bool.Bool.
Require int.Int.
Require int.Abs.
Require int.EuclideanDivision.
Require bv.Pow2int.

Require Import Lia.

Local Parameter last_bit : nat.
(* Important notice: do not remove 'Local' above, otherwise 'why3 realize' will
   assume it comes from Why3 and will remove it. We use 'Parameter' instead of
  'Variable' to avoid a Coq warning *)

Definition size_nat: nat := S last_bit.

(* Why3 goal *)
Definition size : Numbers.BinNums.Z.
  exact (Z.of_nat size_nat).
Defined.

Lemma size_int_S : size = Z.succ (Z.of_nat last_bit).
  unfold size, size_nat.
  rewrite Nat2Z.inj_succ; trivial.
Qed.

(* Why3 goal *)
Lemma size_pos : (0%Z < size)%Z.
  rewrite size_int_S; lia.
Qed.

Require Import Bool.Bvector.

(* Why3 goal *)
Definition t : Type.
  exact (Bvector size_nat).
Defined.

Fixpoint nth_aux {l} (v : Vector.t bool l) (m : Z) : bool :=
  match v with
    | Vector.nil _ => false
    | Vector.cons _ b _ tl => if Z.eq_dec m 0 then b else nth_aux tl (Z.pred m)
  end.

(* nth helper lemmas *)

Lemma nth_cons {l} (v : Vector.t bool l) (m : Z) b : (m <> -1)%Z ->
  nth_aux (Vector.cons bool b l v) (Z.succ m) = nth_aux v m.
  intro; simpl.
  case Z.eq_dec; intro.
  assert False by lia; easy.
  rewrite <- Zpred_succ; easy.
Qed.

Lemma nth_cons_pred {l} (v : Vector.t bool l) (m : Z) b : (m <> 0)%Z ->
  nth_aux (Vector.cons bool b l v) m = nth_aux v (Z.pred m).
  intro.
  rewrite Zsucc_pred with (n := m), <- Zpred_succ; apply nth_cons; lia.
Qed.

Lemma nth_high : forall {l} (v : Vector.t bool l) m, (m >= (Z.of_nat l))%Z -> nth_aux v m = false.
  induction v.
  easy.
  rewrite Nat2Z.inj_succ.
  intros; rewrite nth_cons_pred by lia.
  apply IHv; lia.
Qed.

Lemma nth_low : forall {l} (v : Vector.t bool l) m, (m < 0)%Z -> nth_aux v m = false.
  induction v.
  easy.
  intros; rewrite nth_cons_pred by lia.
  apply IHv; lia.
Qed.

Lemma nth_zeros_is_hd : forall {l} (b : Vector.t bool (S l)), nth_aux b 0 = Vector.hd b.
  apply Vector.rectS; easy.
Qed.

Lemma nth_predl_is_last : forall {l} (b : Vector.t bool (S l)), nth_aux b (Z.of_nat l) = Vector.last b.
  apply Vector.rectS.
  easy.
  intros.
  rewrite Nat2Z.inj_succ, nth_cons by lia.
  easy.
Qed.

Lemma nth_const {l} (m : Z) b: (0 <= m < Z.of_nat l)%Z -> nth_aux (Vector.const b l) m = b.
  revert b m.
  induction l.
  simpl.
  intros; assert False by lia; easy.
  rewrite Nat2Z.inj_succ; intros; simpl.
  case (Z.eq_dec m 0); intro.
  easy.
  apply IHl; lia.
Qed.

Lemma nth_aux_map : forall {l} (f : bool -> bool) (v : Vector.t bool l) m,
                       (0 <= m < Z.of_nat l)%Z ->
                       f (nth_aux v m) = nth_aux (Vector.map f v) m.
  induction v.
  simpl; intros; assert False by lia; easy.
  rewrite Nat2Z.inj_succ; intros; simpl.
  case (Z.eq_dec m 0); intro.
  easy.
  apply IHv; lia.
Qed.

Lemma nth_aux_map2 : forall {l} (f : bool -> bool -> bool) (v1 v2 : Vector.t bool l) m,
                       (0 <= m < Z.of_nat l)%Z ->
                       f (nth_aux v1 m) (nth_aux v2 m) = nth_aux (Vector.map2 f v1 v2) m.
  intros l f v1 v2; pattern l, v1, v2.
  apply Vector.rect2.
  simpl; intros; assert False by lia; easy.
  intros.
  rewrite Nat2Z.inj_succ in H0; simpl.
  case (Z.eq_dec m 0); intro.
  easy.
  apply H; lia.
Qed.

Lemma nth_aux_tl : forall {l} (v : Vector.t bool (S l)) m, (m <> -1)%Z -> nth_aux (Vector.tl v) m = nth_aux v (Z.succ m).
  intros l v; pattern l, v.
  apply Vector.rectS.
  simpl.
  intros; case Z.eq_dec.
  intro; assert False by lia; easy.
  trivial.
  intros.
  simpl (Vector.tl (a :: v0)).
  symmetry; apply nth_cons; lia.
Qed.

Lemma nth_aux_shiftout_last : forall {l} (v : Vector.t bool (S l)), nth_aux (Vector.shiftout v) (Z.of_nat l) = false.
  intros l v; pattern l, v.
  apply Vector.rectS; intros.
  easy.
  rewrite Nat2Z.inj_succ.
  assert (Vector.shiftout (a :: v0) = a :: (Vector.shiftout v0)) by easy.
  rewrite H0, nth_cons by lia.
  apply H.
Qed.

Lemma nth_aux_shiftout_not_last : forall {l} (v : Vector.t bool (S l)) m, (m <> Z.of_nat l)%Z -> nth_aux (Vector.shiftout v) m = nth_aux v m.
  intros l v; pattern l, v.
  apply Vector.rectS; intros.
  simpl; case Z.eq_dec; easy.
  simpl; case Z.eq_dec; trivial.
  intro; apply H.
  rewrite Nat2Z.inj_succ in H0; lia.
Qed.

Lemma nth_aux_shiftin_false : forall {l} (v : Vector.t bool l) m, nth_aux (Vector.shiftin false v) m = nth_aux v m.
  induction v; intro; simpl; case (Z.eq_dec m 0); trivial.
Qed.

Lemma nth_aux_shiftin_low : forall {l} (v : Vector.t bool l) m b, 0 < l -> (0 <= m < Z.of_nat l)%Z -> nth_aux (Vector.shiftin b v) m = nth_aux v m.
  induction v; intros.
  easy.
  simpl; case Z.eq_dec.
  easy.
  rewrite Nat2Z.inj_succ in H0.
  intro; apply IHv; lia.
Qed.

Lemma nth_aux_shiftin_high : forall {l} (v : Vector.t bool l) b, nth_aux (Vector.shiftin b v) (Z.of_nat l) = b.
  induction v.
  easy.
  unfold Vector.shiftin.
  fold (@Vector.shiftin bool).
  rewrite Nat2Z.inj_succ.
  intro; rewrite nth_cons by lia.
  apply IHv.
Qed.

(* end of nth helpers *)

(* Why3 goal *)
Definition nth : t -> Numbers.BinNums.Z -> Init.Datatypes.bool.
  exact nth_aux.
Defined.

Lemma nth_aux_out_of_bound : forall {l} (v : Vector.t bool l) (n : Z), ((n < 0%Z)%Z \/
  (Z.of_nat l <= n)%Z) -> ((nth_aux v n) = false).
induction v.
simpl; auto.
simpl.
intros.
case Z.eq_dec.
intros; elimtype False; destruct H.
lia.
subst n0.
auto with zarith.
intro; rewrite IHv;auto.
destruct H.
left; auto with zarith.
right.
rewrite Zpos_P_of_succ_nat in H.
lia.
Qed.

(* Why3 goal *)
Lemma nth_out_of_bound :
  forall (x:t) (n:Numbers.BinNums.Z), (n < 0%Z)%Z \/ (size <= n)%Z ->
  ((nth x n) = Init.Datatypes.false).
intros.
unfold nth.
rewrite nth_aux_out_of_bound; auto with zarith.
Qed.

Definition zeros_aux {l} : Vector.t bool l.
  exact (Vector.const false l).
Defined.

Global Instance t_WhyType : WhyType t.
Proof.
split.
exact zeros_aux.
intros x y.
eapply (VectorEq.eq_dec _ eqb).
apply eqb_true_iff.
Qed.

(* Why3 goal *)
Definition zeros : t.
  exact zeros_aux.
Defined.

Lemma Nth_zeros_aux : forall {l} (n:Z), ((@nth_aux l zeros_aux n) = false).
  induction l.
  easy.
  simpl.
  intro n; case (Z.eq_dec n 0); easy.
Qed.

(* Why3 goal *)
Lemma Nth_zeros :
  forall (n:Numbers.BinNums.Z), ((nth zeros n) = Init.Datatypes.false).
intros n; apply Nth_zeros_aux.
Qed.

Definition one_aux l : Vector.t bool (S l).
  exact (Vector.cons bool true l (Vector.const false l)).
Defined.

(* Why3 goal *)
Definition one : t.
  exact (one_aux last_bit).
Defined.

Definition ones_aux l : Vector.t bool l.
  exact (Vector.const true l).
Defined.

(* Why3 goal *)
Definition ones : t.
  exact (ones_aux size_nat).
Defined.

(* Why3 goal *)
Lemma Nth_ones :
  forall (n:Numbers.BinNums.Z), (0%Z <= n)%Z /\ (n < size)%Z ->
  ((nth ones n) = Init.Datatypes.true).
  intros; apply nth_const; easy.
Qed.

(* Why3 goal *)
Definition bw_and : t -> t -> t.
  exact (Vector.map2 (fun x y => x && y)).
Defined.

(* Why3 goal *)
Lemma Nth_bw_and :
  forall (v1:t) (v2:t) (n:Numbers.BinNums.Z), (0%Z <= n)%Z /\ (n < size)%Z ->
  ((nth (bw_and v1 v2) n) = (Init.Datatypes.andb (nth v1 n) (nth v2 n))).
  symmetry.
  apply nth_aux_map2 with (f := fun x y => x && y); easy.
Qed.

(* Why3 goal *)
Definition bw_or : t -> t -> t.
  exact (Vector.map2 (fun x y => x || y)).
Defined.

(* Why3 goal *)
Lemma Nth_bw_or :
  forall (v1:t) (v2:t) (n:Numbers.BinNums.Z), (0%Z <= n)%Z /\ (n < size)%Z ->
  ((nth (bw_or v1 v2) n) = (Init.Datatypes.orb (nth v1 n) (nth v2 n))).
  symmetry.
  apply nth_aux_map2; easy.
Qed.

(* Why3 goal *)
Definition bw_xor : t -> t -> t.
  exact (Vector.map2 (fun x y => xorb x y)).
Defined.

(* Why3 goal *)
Lemma Nth_bw_xor :
  forall (v1:t) (v2:t) (n:Numbers.BinNums.Z), (0%Z <= n)%Z /\ (n < size)%Z ->
  ((nth (bw_xor v1 v2) n) = (Init.Datatypes.xorb (nth v1 n) (nth v2 n))).
  symmetry.
  apply nth_aux_map2; easy.
Qed.

(* Why3 goal *)
Definition bw_not : t -> t.
  exact (Vector.map (fun x => negb x)).
Defined.

(* Why3 goal *)
Lemma Nth_bw_not :
  forall (v:t) (n:Numbers.BinNums.Z), (0%Z <= n)%Z /\ (n < size)%Z ->
  ((nth (bw_not v) n) = (Init.Datatypes.negb (nth v n))).
  symmetry.
  apply nth_aux_map; easy.
Qed.

(* Why3 goal *)
Definition lsr : t -> Numbers.BinNums.Z -> t.
  exact (fun v m => BshiftRl_iter last_bit v (Z.to_nat m)).
Defined.

Lemma bshiftRl_iter_nth : forall b s m,
                                (0 <= Z.of_nat s)%Z ->
                                (0 <= m)%Z ->
   nth_aux (BshiftRl_iter last_bit b s) m = nth_aux b (m + Z.of_nat s).
  induction s.
  simpl.
  intros; rewrite <- Zplus_0_r_reverse; easy.
  rewrite Nat2Z.inj_succ; intros.
  simpl BshiftRl_iter.
  unfold BshiftRl, Bhigh.
  rewrite nth_aux_tl by lia.
  rewrite nth_aux_shiftin_false.
  rewrite <- Zplus_succ_r_reverse, <- Z.add_succ_l.
  apply IHs; lia.
Qed.

(* Why3 goal *)
Lemma Lsr_nth_low :
  forall (b:t) (n:Numbers.BinNums.Z) (s:Numbers.BinNums.Z), (0%Z <= s)%Z ->
  (0%Z <= n)%Z -> ((n + s)%Z < size)%Z ->
  ((nth (lsr b s) n) = (nth b (n + s)%Z)).
intros b n s h1 h2 h3.
rewrite <-Z2Nat.id with (n := s) at 2; auto.
apply bshiftRl_iter_nth; lia.
Qed.

(* Why3 goal *)
Lemma Lsr_nth_high :
  forall (b:t) (n:Numbers.BinNums.Z) (s:Numbers.BinNums.Z), (0%Z <= s)%Z ->
  (0%Z <= n)%Z -> (size <= (n + s)%Z)%Z ->
  ((nth (lsr b s) n) = Init.Datatypes.false).
  intros b n s h1 h2 h3.
  unfold nth,lsr.
  cut (nth_aux b (n + Z.of_nat (Z.to_nat s)) = false).
  intro.
  rewrite <-H.
  apply bshiftRl_iter_nth; lia.
  rewrite Z2Nat.id by lia.
  apply nth_out_of_bound; lia.
Qed.

(* Why3 goal *)
Lemma lsr_zeros : forall (x:t), ((lsr x 0%Z) = x).
auto.
Qed.

(* Why3 goal *)
Definition asr : t -> Numbers.BinNums.Z -> t.
  exact (fun v m => BshiftRa_iter last_bit v (Z.to_nat m)).
Defined.

Definition eq_aux {l} (v1 v2 : Vector.t bool l): Prop := forall (n:Z), ((0%Z <= n)%Z /\
  (n < (Z.of_nat l))%Z) -> ((nth_aux v1 n) = (nth_aux v2 n)).

Lemma eq_aux_cons : forall {l} v1 v2 b b',  b = b' /\ @eq_aux l v1 v2 <-> eq_aux (b :: v1) (b' :: v2).
  intros; unfold eq_aux.
  rewrite Nat2Z.inj_succ.
  split; intros.
  simpl; case Z.eq_dec; intro.
  easy.
  apply H; lia.
  split.
  apply (H 0%Z); lia.
  intros.
  rewrite <- (nth_cons v1 n b) by lia.
  rewrite <- (nth_cons v2 n b') by lia.
  apply H; lia.
Qed.

Lemma Extensionality_aux : forall {l} (x y : Vector.t bool l), eq_aux x y -> x = y.
  intros l x y; pattern l, x, y.
  apply Vector.rect2.
  easy.
  intros.
  apply (eq_aux_cons v1 v2 a b) in H0; destruct H0.
  apply H in H1.
  rewrite H0, H1; trivial.
Qed.

(* Vector helper lemmas *)

Lemma singleton_is_singl : forall b : Vector.t bool 1, b = [ Vector.hd b ].
  intro; apply Extensionality_aux; unfold eq_aux; intros.
  change (Z.of_nat 1) with 1%Z in H; assert (n = 0%Z) as e by lia; rewrite e; simpl.
  apply nth_zeros_is_hd.
Qed.

Lemma shiftrepeat_is_shiftin : forall {l} (v : Vector.t bool (S l)), Vector.shiftrepeat v = Vector.shiftin (Vector.last v) v.
  apply Vector.rectS.
  easy.
  intros; simpl.
  rewrite H; trivial.
Qed.

Lemma last_tail_shiftreapeat : forall {l} (v : Vector.t bool (S l)), Vector.last (Vector.tl (Vector.shiftrepeat v)) = Vector.last v.
  apply Vector.caseS; intros.
  induction n.
  apply Vector.case0 with (v := t0); easy.
  simpl.
  apply Vector.shiftrepeat_last.
Qed.

(* end of Vector helpers *)

Lemma BshiftRa_iter_nth_low : forall (b:t) (s:nat) (n:Z),
  (0%Z <= n < (size - (Z.of_nat s)))%Z ->
  (nth_aux (BshiftRa_iter last_bit b s) n) = (nth_aux b (n + Z.of_nat s)%Z).
  induction s.
  simpl.
  intros; rewrite <- Zplus_0_r_reverse; easy.
  rewrite Nat2Z.inj_succ; intros.
  simpl BshiftRa_iter.
  unfold BshiftRa, Bhigh.
  rewrite nth_aux_tl by lia.
  rewrite shiftrepeat_is_shiftin.
  rewrite nth_aux_shiftin_low.
  rewrite <- Zplus_succ_r_reverse, <- Z.add_succ_l.
  apply IHs; lia.
  lia.
  fold size_nat; fold size; lia.
Qed.

(* Why3 goal *)
Lemma Asr_nth_low :
  forall (b:t) (n:Numbers.BinNums.Z) (s:Numbers.BinNums.Z), (0%Z <= s)%Z ->
  (0%Z <= n)%Z /\ (n < size)%Z -> ((n + s)%Z < size)%Z ->
  ((nth (asr b s) n) = (nth b (n + s)%Z)).
  unfold nth, lsr.
  intros.
  assert ((n + s)%Z = (n + Z.of_nat (Z.to_nat s))%Z).
  rewrite Z2Nat.id with (n := s); lia.
  rewrite H2.
  apply BshiftRa_iter_nth_low; lia.
Qed.

Lemma bshiftra_iter_last : forall {l} (v : Bvector (S l)) s, Vector.last (BshiftRa_iter l v s) = Vector.last v.
  induction s.
  easy.
  simpl; unfold BshiftRa, Bhigh.
  rewrite last_tail_shiftreapeat.
  apply IHs.
Qed.

Lemma BhiftRa_iter_nth_high : forall (b:t) (s:nat) (n:Z),
  (0%Z <= n < size)%Z ->
  (size <= n + Z.of_nat s)%Z -> ((nth_aux (BshiftRa_iter last_bit b s) n) = nth_aux b
  (size - 1%Z))%Z.
  induction s.
  simpl BshiftRa_iter.
  simpl (Z.of_nat 0).
  intros.
  assert (n = size - 1)%Z by lia; rewrite H1; trivial.
  rewrite Nat2Z.inj_succ; intros.
  simpl BshiftRa_iter.
  unfold BshiftRa, Bhigh.
  rewrite nth_aux_tl by lia.
  rewrite shiftrepeat_is_shiftin.
  case (Z.eq_dec (Z.succ n) size).
  intro; unfold size in e.
  rewrite e, nth_aux_shiftin_high.
  rewrite bshiftra_iter_last.
  rewrite size_int_S, Z.sub_1_r, <- Zpred_succ.
  symmetry; apply nth_predl_is_last.
  intro; rewrite nth_aux_shiftin_low.
  apply IHs; lia.
  lia.
  fold size_nat; fold size; lia.
Qed.

(* Why3 goal *)
Lemma Asr_nth_high :
  forall (b:t) (n:Numbers.BinNums.Z) (s:Numbers.BinNums.Z), (0%Z <= s)%Z ->
  (0%Z <= n)%Z /\ (n < size)%Z -> (size <= (n + s)%Z)%Z ->
  ((nth (asr b s) n) = (nth b (size - 1%Z)%Z)).
  unfold nth, asr.
  intros.
  apply BhiftRa_iter_nth_high.
  lia.
  rewrite Z2Nat.id; lia.
Qed.

(* Why3 goal *)
Lemma asr_zeros : forall (x:t), ((asr x 0%Z) = x).
auto.
Qed.

(* Why3 goal *)
Definition lsl : t -> Numbers.BinNums.Z -> t.
  exact (fun v m => BshiftL_iter last_bit v (Z.to_nat m)).
Defined.

Lemma bshiftL_iter_nth_high : forall {l} v s m, (0 <= Z.of_nat s)%Z -> (Z.of_nat s <= m)%Z -> (m < Z.succ (Z.of_nat l))%Z -> nth_aux (BshiftL_iter l v s) m = nth_aux v (m - Z.of_nat s).
  induction s; intros.
  simpl.
  rewrite <-Zminus_0_l_reverse; reflexivity.
  simpl.
  case Z.eq_dec; intro.
  symmetry; apply nth_low.
  rewrite e; simpl; apply Pos2Z.neg_is_neg.
  rewrite Nat2Z.inj_succ in H, H0.
  case (Z.eq_dec (Z.pred m) (Z.of_nat l));intro.
  assert False by lia; easy.
  rewrite nth_aux_shiftout_not_last by lia.
  rewrite Zpos_P_of_succ_nat, Z.sub_succ_r, <- Z.sub_pred_l.
  apply IHs; lia.
Qed.

(* Why3 goal *)
Lemma Lsl_nth_high :
  forall (b:t) (n:Numbers.BinNums.Z) (s:Numbers.BinNums.Z),
  (0%Z <= s)%Z /\ (s <= n)%Z /\ (n < size)%Z ->
  ((nth (lsl b s) n) = (nth b (n - s)%Z)).
  intros.
  unfold lsl, nth.
  rewrite <-Z2Nat.id with (n := s) at 2 by lia.
  destruct H.
  destruct H0.
  apply (bshiftL_iter_nth_high b (Z.to_nat s) n).
  auto with zarith.
  rewrite Z2Nat.id; lia.
  rewrite size_int_S in H1.
  lia.
Qed.

Lemma Lsl_nth_low_aux : forall {l} x b (n : int),
                          (0 <= n < Z.of_nat x)%Z -> nth_aux (BshiftL_iter l b x) n = false.
  induction x.
  simpl; intros; assert False by lia; easy.
  rewrite Nat2Z.inj_succ; intros.
  simpl.
  case Z.eq_dec;intro.
  trivial.
  case (Z.eq_dec (Z.pred n) (Z.of_nat l));intro.
  apply nth_high; lia.
  rewrite nth_aux_shiftout_not_last by auto.
  apply IHx; lia.
Qed.

(* Why3 goal *)
Lemma Lsl_nth_low :
  forall (b:t) (n:Numbers.BinNums.Z) (s:Numbers.BinNums.Z),
  (0%Z <= n)%Z /\ (n < s)%Z -> ((nth (lsl b s) n) = Init.Datatypes.false).
  intros.
  apply Lsl_nth_low_aux.
  rewrite Z2Nat.id; lia.
Qed.

(* Why3 goal *)
Lemma lsl_zeros : forall (x:t), ((lsl x 0%Z) = x).
auto.
Qed.

Lemma max_int_nat : forall l, (0 <= Pow2int.pow2 (Z.of_nat l) - 1)%Z.
  intro.
  rewrite Z.sub_1_r.
  apply Zlt_0_le_0_pred.
  apply Pow2int.pow2pos.
  lia.
Qed.

Fixpoint bvec_to_nat n (v : Bvector n) {struct v} : nat :=
  match v with
    | Vector.nil _ => O
    | Vector.cons _ false n v => 2 * bvec_to_nat n v
    | Vector.cons _ true n v => 1 + 2 * bvec_to_nat n v
  end.

Lemma bvec_to_nat_zeros : forall {l}, bvec_to_nat l (Vector.const false l) = 0.
  induction l; [easy|simpl; lia].
Qed.

Definition twos_complement n (v : Bvector n) : Z.
destruct n.
exact 0%Z.
exact (match Bsign _ v with
        | false => Z.of_nat (bvec_to_nat _ v)
        | true  => (Z.of_nat (bvec_to_nat _ v) - Pow2int.pow2 (Z.of_nat (S n)))%Z
       end).
Defined.

Require Arith.Div2.

Fixpoint nat_to_bvec (length val : nat) {struct length} : Bvector length :=
  match length as x return Bvector x with
    | O => Bnil
    | S length =>
      Bcons (Z.odd (Z.of_nat val)) length (nat_to_bvec length (Div2.div2 val))
  end.

Lemma Nat_to_bvec_zeros : forall {n}, Vector.const false n = nat_to_bvec n 0.
  induction n.
  easy.
  simpl.
  unfold Bcons.
  rewrite IHn; trivial.
Qed.

Lemma bvec_to_nat_extensionality : forall {m} (v v' : Bvector m),
 (bvec_to_nat m v) = (bvec_to_nat m v') -> v = v'.
  unfold Bvector.
  intros m v v'.
  pattern m,v,v'.
  apply Vector.rect2.
  trivial.
  case a, b; intros.
  rewrite H; auto; inversion H0; lia.
  inversion H0; assert False; lia.
  inversion H0; assert False; lia.
  rewrite H; auto; inversion H0; lia.
Qed.

(* pow2 helper lemmas *)

Lemma id_lt_pow2: forall n, (Z.of_nat (S n) < Pow2int.pow2 (Z.of_nat (S n)))%Z.
  intro.
  induction n.
  easy.
  rewrite Nat2Z.inj_succ.
  apply Z.le_lt_trans with (m := (2 * Z.of_nat (S n))%Z).
  rewrite Nat2Z.inj_succ; lia.
  apply Z.lt_le_trans with (m := (2 * Pow2int.pow2 (Z.of_nat (S n)))%Z).
  lia.
  rewrite two_p_S by lia.
  unfold Pow2int.pow2; lia.
Qed.

Lemma pow2_lt_mono_nat : forall i j : nat, (i < j) -> (Pow2int.pow2 (Z.of_nat i) < Pow2int.pow2 (Z.of_nat j))%Z.
  intros.
  unfold Pow2int.pow2; rewrite two_p_equiv, two_p_equiv.
  apply Z.pow_lt_mono_r; lia.
Qed.

Lemma pow2_le_mono_nat : forall i j : nat, (i <= j) -> (Pow2int.pow2 (Z.of_nat i) <= Pow2int.pow2 (Z.of_nat j))%Z.
  intros.
  unfold Pow2int.pow2; rewrite two_p_equiv, two_p_equiv.
  apply Z.pow_le_mono_r; lia.
Qed.

Lemma pow2_le_mono_pos : forall i j : positive, (Pos.le i j) -> (Pow2int.pow2 (Zpos i) <= Pow2int.pow2 (Zpos j))%Z.
  intros.
  rewrite <- positive_nat_Z, <- positive_nat_Z.
  apply pow2_le_mono_nat.
  apply Pos2Nat.inj_le; trivial.
Qed.

Lemma pow2_pos : forall i : positive, (2 <= Pow2int.pow2 (Z.pos i))%Z.
  intros.
  rewrite <- Pow2int.Power_1.
  apply pow2_le_mono_pos.
  apply Pos.le_1_l.
Qed.

(* end of pow2 helpers *)

(* arithmetic helper lemmas *)

Lemma lem_time2 : forall a b, a < b -> 1 + 2 * a < 2 * b.
  intros; lia.
Qed.

Lemma le_le_le: forall x y z t, (t <= z)%Z -> (x <= y <= t)%Z -> (x <= y <= z)%Z.
  split; [easy|apply Int.Trans with (y := t0); easy].
Qed.

Lemma le_lt_le: forall x y z t, (t <= z)%Z -> (x <= y < t)%Z -> (x <= y <= z)%Z.
  split; [easy|apply Int.Trans with (y := t0); [apply Z.lt_le_incl, H0|easy]].
Qed.

Lemma factor_sub : forall n m p, (n * m - n * p = n * (m - p))%Z.
  intros.
  rewrite Int.infix_mn'def, Int.infix_mn'def, Zopp_mult_distr_r.
  apply Zred_factor4.
Qed.

Lemma lt_sym: forall x y, (x < y)%Z <-> (y > x)%Z.
  intro; split; lia.
Qed.

(* end of arithmetic helpers *)

Lemma bvec_to_nat_range : forall {n} v, bvec_to_nat n v < Z.to_nat (Pow2int.pow2 (Z.of_nat n)).
  induction v.
  simpl bvec_to_nat; auto.
  apply Nat.le_lt_trans with (m := 1 + (bvec_to_nat n v * 2)).
  simpl; case h; lia.
  rewrite Nat2Z.inj_succ, <- Z.add_1_r, Pow2int.Power_s by lia.
  rewrite Z2Nat.inj_mul.
  assert (Z.to_nat 2 = 2) by easy; rewrite H.
  rewrite mult_comm.
  apply lem_time2.
  easy.
  easy.
  apply Zlt_le_weak, Pow2int.pow2pos; lia.
Qed.

Lemma twos_complement_neg : forall {n} v, Bsign n v = true -> (twos_complement (S n) v < 0)%Z.
  intros.
  unfold twos_complement.
  rewrite H.
  apply Z.lt_sub_0.
  apply Z.lt_le_trans with (m := Pow2int.pow2 (Z.of_nat (S n))).
  rewrite Z2Nat.inj_lt.
  rewrite Nat2Z.id.
  apply bvec_to_nat_range.
  lia.
  apply Zlt_le_weak, Pow2int.pow2pos; lia.
  lia.
Qed.

Lemma twos_complement_pos : forall {n} v, Bsign n v = false -> (twos_complement (S n) v >= 0)%Z.
  intros.
  unfold twos_complement; rewrite H; lia.
Qed.



Lemma twos_complement_extensionality : forall {m} (v v' : Bvector m),
  (twos_complement m v = twos_complement m v' -> v = v').

  destruct m.
  (* v = v' = nil *)
  - simpl. intros. apply Vector.case0; eauto.
    symmetry. apply Vector.case0; eauto.
  (* Non empty vector *)
  - intros.
    assert (Bsign m v = Bsign m v').
    { unfold twos_complement in H. destruct Bsign.
      destruct Bsign. reflexivity.
      assert (Z.of_nat (bvec_to_nat (S m) v') >= 0 /\
              Z.of_nat (bvec_to_nat (S m) v') < 0)%Z.
      {
        split.
        + lia.
        + rewrite <- H. generalize (bvec_to_nat_range v). intros.
          eapply Z.lt_sub_0. rewrite <- Z2Nat.id.
          apply inj_lt. assumption.
          eapply Z.le_trans. apply (max_int_nat (S m)).
          lia.
      }
      lia.
      destruct Bsign.
      (* TODO improve this (copy/paste) *)
      assert (Z.of_nat (bvec_to_nat (S m) v) >= 0 /\
              Z.of_nat (bvec_to_nat (S m) v) < 0)%Z.
      {
        split.
        + lia.
        + rewrite H. generalize (bvec_to_nat_range v'). intros.
          eapply Z.lt_sub_0. rewrite <- Z2Nat.id.
          apply inj_lt. assumption.
          eapply Z.le_trans. apply (max_int_nat (S m)).
          lia.
      }
      lia.
      reflexivity.
    }
    unfold twos_complement in H. rewrite <- H0 in H.
    destruct Bsign.
    apply bvec_to_nat_extensionality. apply Z.sub_cancel_r in H.
    apply Nat2Z.inj in H. assumption.

    apply bvec_to_nat_extensionality.
    apply Nat2Z.inj in H. assumption.
Qed.

(* even / odd helper lemmas *)

Lemma odd_is_odd : forall n : nat, Even.odd n <-> Z.odd (Z.of_nat n) = true.
  intro.
  rewrite Zodd_bool_iff, Zodd_ex_iff, Even.odd_equiv.
  unfold Nat.Odd.
  split; intro; destruct H.
  exists (Z.of_nat x); lia.
  rewrite <-Z2Nat.id with (n := x) in H by lia.
  exists (Z.to_nat x); lia.
Qed.

Lemma even_not_odd : forall n : nat, Even.even n <-> not (Even.odd n).
  intro; split; intro.
  intro; apply Even.not_even_and_odd with (n := n); easy.
  case (Even.even_or_odd n); easy.
Qed.

Lemma even_is_even : forall n : nat, Even.even n <-> Z.even (Z.of_nat n) = true.
  intro.
  rewrite even_not_odd, odd_is_odd, Zeven.Zeven_odd_bool, negb_true_iff, not_true_iff_false; easy.
Qed.

Lemma case_odd : forall (i : nat), (Z.odd (Z.of_nat i) = true) + (Z.odd (Z.of_nat i) = false).
  induction i.
  right; simpl; easy.
  rewrite Nat2Z.inj_succ.
  destruct IHi.
  right; rewrite Z.odd_succ, <- Z.negb_odd; rewrite e; trivial.
  left; rewrite Z.odd_succ, <- Z.negb_odd; rewrite e; trivial.
Qed.

Lemma odd_even_le : forall n m, Z.even n = true -> Z.odd m = true -> (n <= m)%Z -> (n < m)%Z.
  intros.
  case (Z_le_lt_eq_dec n m); trivial.
  intro; assert False.
  rewrite e, <- Z.negb_odd, negb_true_iff, H0 in H; easy.
  easy.
Qed.

Lemma pow2_is_even : forall n, (n > 0)%Z -> Z.even (Pow2int.pow2 n) = true.
  intros.
  unfold Pow2int.pow2.
  rewrite two_p_equiv, Z.even_pow by lia; easy.
Qed.

Lemma max_int_is_odd : forall n, (n > 0)%Z -> Z.odd (Pow2int.pow2 n - 1) = true.
  intros.
  rewrite Z.sub_1_r, Z.odd_pred.
  apply pow2_is_even; trivial.
Qed.

(* end of even / odd helpers *)

Lemma bvec_to_nat_nat_to_bvec : forall {n} i, (Z.of_nat i <= Pow2int.pow2 (Z.of_nat n) - 1)%Z ->
  bvec_to_nat n (nat_to_bvec n i) = i.
  induction n.
  simpl; intro; lia.
  destruct i; intros.
  simpl.
  rewrite <- Nat_to_bvec_zeros, bvec_to_nat_zeros; trivial.
  unfold nat_to_bvec, Bcons, bvec_to_nat.
  case (case_odd (S i)); intro.
  assert (Even.even i).
  rewrite even_not_odd, odd_is_odd.
  rewrite Nat2Z.inj_succ, Z.odd_succ, <- Z.negb_odd, negb_true_iff in e.
  rewrite e; easy.
  rewrite e.
  apply Nat.succ_inj_wd.
  change (2 * bvec_to_nat n (nat_to_bvec n (Div2.div2 (S i))) = i).
  rewrite IHn.
  rewrite <- Div2.even_div2, <- Nat.double_twice, <- Div2.even_double by easy; trivial.
  rewrite Z.mul_le_mono_pos_l with (p := 2%Z) by easy.
  rewrite Z.add_le_mono_l with (p := 1%Z) by easy.
  apply Z.le_trans with (m := Z.of_nat (S i)).
  rewrite <- Div2.even_div2, <- Nat2Z.inj_mul with (n:= 2), <- Nat.double_twice, <- Div2.even_double, Nat2Z.inj_succ by trivial; lia.
  apply Z.le_trans with (m := (Pow2int.pow2 (Z.of_nat (S n)) - 1)%Z); trivial.
  rewrite Nat2Z.inj_succ, <- Z.add_1_r, Pow2int.Power_s; lia.
  rewrite e.
  change (2 * bvec_to_nat n (nat_to_bvec n (Div2.div2 (S i))) = S i).
  rewrite IHn.
  rewrite  <- Nat.double_twice, <- Div2.even_double; trivial.
  rewrite even_not_odd, odd_is_odd, e; auto.
  rewrite Z.mul_le_mono_pos_l with (p := 2%Z) by easy.
  apply Z.le_trans with (m := Z.of_nat (S i)).
  rewrite <- Nat2Z.inj_mul with (n := 2), <- Nat.double_twice, <- Div2.even_double.
  lia.
  rewrite even_not_odd, odd_is_odd, not_true_iff_false; trivial.
  apply odd_even_le, Z.lt_le_pred in H.
  apply Z.le_trans with (m := (Pow2int.pow2 (Z.of_nat (S n)) - 2)%Z).
  lia.
  rewrite Nat2Z.inj_succ, <- Z.add_1_r, Pow2int.Power_s; lia.
  rewrite Zeven.Zeven_odd_bool, e; easy.
  unfold Pow2int.pow2.
  rewrite Z.sub_1_r, Z.odd_pred, Nat2Z.inj_succ.
  rewrite pow2_is_even by lia; easy.
Qed.

Lemma Nat_to_bvec_ones : forall {n}, Vector.const true n = nat_to_bvec n (Z.to_nat (Pow2int.pow2 (Z.of_nat n) - 1)).
  induction n.
  easy.
  unfold nat_to_bvec.
  rewrite Z2Nat.id by (apply max_int_nat).
  rewrite max_int_is_odd by easy.
  fold nat_to_bvec.
  assert ((Div2.div2 (Z.to_nat (Pow2int.pow2 (Z.of_nat (S n)) - 1))) = (Z.to_nat (Pow2int.pow2 (Z.of_nat n) - 1))).
  apply eq_add_S.
  rewrite Div2.odd_div2.
  rewrite <- Z2Nat.inj_succ by (apply max_int_nat).
  rewrite Z.sub_1_r, <- Zsucc_pred, Nat2Z.inj_succ, <- Z.add_1_r.
  rewrite Pow2int.Power_s by lia.
  rewrite Z2Nat.inj_mul, Div2.div2_double.
  rewrite <- Z2Nat.inj_succ by (apply max_int_nat).
  rewrite Z.sub_1_r, <- Zsucc_pred; trivial.
  easy.
  apply Z.lt_le_incl, Pow2int.pow2pos; lia.
  rewrite odd_is_odd.
  rewrite Z2Nat.id by (apply max_int_nat).
  apply max_int_is_odd; easy.
  rewrite H, <- IHn; auto.
Qed.

Import EuclideanDivision.

(* mod helper lemmas *)

Lemma mod1_nat : forall x y, 0 < y -> 0 <= mod1 x y.
  intros.
  unfold mod1, div.
  case Z_le_dec; intro.
  apply Zle_minus_le_0, Z_mult_div_ge; lia.
  destruct n; apply Z.mod_pos_bound; trivial.
Qed.

Lemma mod1_nat_high_bound_lt: forall u v, 0 < v -> mod1 u v < v.
  intros.
  rewrite <- Z.abs_eq by lia.
  apply Mod_bound; lia.
Qed.

Lemma mod1_nat_high_bound_le: forall u v, 0 <= v ->
                                       mod1 u (v + 1) <= v.
  intros.
  rewrite Zpred_succ, <- Z.lt_le_pred.
  apply mod1_nat_high_bound_lt; lia.
Qed.

Lemma mod1_out : forall x y, 0 <= x < y -> mod1 x y = x.
  intros; unfold mod1.
  rewrite Div_inf; lia.
Qed.

Lemma mod_mod_mult: forall a b c, b > 0 -> c > 0 -> ((a mod (c * b)) mod b) = a mod b.
  intros.
  rewrite Z.mul_comm.
  rewrite Z.rem_mul_r by lia.
  rewrite <-Zplus_mod_idemp_r.
  rewrite Z.mul_comm, Z_mod_mult, Zplus_0_r.
  apply Zmod_mod.
Qed.

(* end of mod helpers *)

Fixpoint rotate_right_aux {l} (b : Vector.t bool (S l)) (p : nat) : Vector.t bool (S l) :=
match p with
  | O => b
  | S q => let prev := rotate_right_aux b q in
            (Vector.shiftin (Vector.hd prev) (Vector.tl prev))
end.

Fixpoint rotate_left_aux {l} (b : Vector.t bool (S l)) (p : nat) : Vector.t bool (S l) :=
match p with
  | O => b
  | S q => let prev := rotate_left_aux b q in
            ((Vector.last prev) :: (Vector.shiftout prev))
end.

Lemma mod1_is_mod : forall x y, y > 0 -> mod1 x y = Zmod x y.
  intros; unfold mod1, div.
  case Z_le_dec; intro.
  rewrite Z.mod_eq by lia; trivial.
  destruct n; apply Z_mod_lt; lia.
Qed.

Lemma mod1_succ_low : forall x y, y > 0 -> mod1 x y < (Z.pred y) -> mod1 (Z.succ x) y = Z.succ (mod1 x y).
  intros x y H.
  rewrite mod1_is_mod, mod1_is_mod by trivial.
  rewrite Z.mod_eq, Z.mod_eq by lia.
  intro; cut (Z.succ x / y = x / y).
  intro e; rewrite e; lia.
  rewrite Z.div_unique_pos with (a := Z.succ x) (b := y) (r := (x mod y) + 1) (q := x / y).
  trivial.
  rewrite <- Z.mod_eq in H0 by lia.
  split; [apply Z.le_le_succ_r, Z_mod_lt; trivial|lia].
  rewrite <- Zplus_assoc_reverse, <- Z_div_mod_eq by lia; lia.
Qed.

Lemma mod1_succ_high : forall x y, y > 0 -> mod1 x y = (Z.pred y) -> mod1 (Z.succ x) y = 0.
  intros x y H.
  rewrite mod1_is_mod, mod1_is_mod by lia; intro.
  rewrite <- Z.add_1_r, Zplus_mod, H0.
  case (Z.eq_dec y 1); intro e.
  rewrite e; easy.
  rewrite Zmod_1_l by lia.
  rewrite Z.add_1_r, <- Zsucc_pred.
  apply Z_mod_same_full.
Qed.

Lemma mod1_add : forall x y, y > 0 -> mod1 (x + y) y = mod1 x y.
  intros.
  rewrite mod1_is_mod, mod1_is_mod by lia.
  rewrite <- Z.mul_1_l with (n := x + y), <- Zred_factor4, Z.mul_1_l.
  apply Z.mod_add; lia.
Qed.

Lemma Nth_rotate_aux_left :
  forall {l} (v : Vector.t bool (S l)) (n : nat) (i : nat),
    (Z.of_nat i < Z.succ (Z.of_nat l))%Z ->
    ((nth_aux (rotate_left_aux v n) (Z.of_nat i))
     = (nth_aux v (mod1 (Z.of_nat i - Z.of_nat n)%Z (Z.succ (Z.of_nat l))))).
  induction n; intros.
  simpl.
  rewrite <- Zminus_0_l_reverse, mod1_out; auto with zarith.
  case (Z.eq_dec (Z.of_nat i) 0); intros.
  rewrite e.
  rewrite <-mod1_add by auto with zarith.
  rewrite Z.sub_0_l, Int.Comm, Z.add_opp_r.
  rewrite Nat2Z.inj_succ, Z.sub_succ_r, <-Z.sub_pred_l, <-Zpred_succ.
  rewrite <-IHn by lia.
  simpl.
  symmetry; apply nth_predl_is_last.

  rewrite Nat2Z.inj_succ, Z.sub_succ_r, <-Z.sub_pred_l.
  rewrite <-Nat2Z.inj_pred by auto with zarith.
  rewrite <-IHn by (rewrite Nat2Z.inj_pred; lia).
  rewrite Nat2Z.inj_pred by auto with zarith.
  simpl.
  destruct Z.eq_dec; try easy.
  apply nth_aux_shiftout_not_last; auto with zarith.
Qed.

Lemma Nth_rotate_aux_right : forall {l} (v : Vector.t bool (S l)) (n:nat) (i:nat),
  (Z.of_nat i < (Z.succ (Z.of_nat l))) ->
  (nth_aux (rotate_right_aux v n) (Z.of_nat i)) = (nth_aux v (mod1 ((Z.of_nat i) + (Z.of_nat n)) (Z.succ (Z.of_nat l)))).
  induction n.
  simpl; intros; rewrite <- Zplus_0_r_reverse, mod1_out; [trivial|lia].
  intros; rewrite Nat2Z.inj_succ, <-Z.add_succ_comm, <-Nat2Z.inj_succ.
  case (Z.eq_dec (Z.of_nat i) (Z.of_nat l)); intro e.
  rewrite Nat2Z.inj_succ, e.
  simpl (rotate_right_aux v (S n)).
  rewrite nth_aux_shiftin_high.
  rewrite Z.add_comm, mod1_add by lia.
  rewrite <-nth_zeros_is_hd.
  apply (IHn 0%nat); simpl; lia.
  rewrite <-IHn by (rewrite Nat2Z.inj_succ; lia).
  simpl (rotate_right_aux v (S n)).
  rewrite nth_aux_shiftin_low by lia.
  rewrite Nat2Z.inj_succ.
  apply nth_aux_tl; lia.
Qed.

Lemma bvec_to_nat_tl: forall {l} v, Z.of_nat (bvec_to_nat l (Vector.tl v)) = Z.of_nat (bvec_to_nat (S l) v) / 2.
  apply Vector.rectS; intros.
  simpl.
  symmetry; case a.
  apply Zdiv_1_l; lia.
  apply Zdiv_0_l.
  simpl (Vector.tl (a :: v)).
  case a.
  change (Z.of_nat (bvec_to_nat (S n) v) =
   Z.of_nat (S (2 * bvec_to_nat (S n) v)) / 2).
  rewrite Nat2Z.inj_succ, Nat2Z.inj_mul, Z.mul_comm, <-Z.add_1_l.
  rewrite Z.div_add, Zdiv_1_l by lia; lia.
  change (Z.of_nat (bvec_to_nat (S n) v) =
   Z.of_nat (2 * bvec_to_nat (S n) v) / 2).
  rewrite Nat2Z.inj_mul, Z.mul_comm, Z_div_mult_full; lia.
Qed.

Lemma bvec_to_nat_shiftin: forall {l} v, bvec_to_nat (S l) (Vector.shiftin false v) = bvec_to_nat l v.
  induction v.
  easy.
  case h; simpl; rewrite IHv; easy.
Qed.

Lemma bvec_to_nat_shiftout_mod1 : forall {l} v, Z.of_nat (bvec_to_nat l (Vector.shiftout v)) = (Z.of_nat (bvec_to_nat (S l) v)) mod (Pow2int.pow2 (Z.of_nat l)).
  intros.
  revert l v.
  apply Vector.rectS; intros.
  simpl.
  symmetry; apply Zmod_1_r.
  case a.
  change (Z.of_nat (S (2 * bvec_to_nat n (Vector.shiftout v))) = (Z.of_nat (S (2 * bvec_to_nat (S n) v))) mod (Pow2int.pow2 (Z.of_nat (S n)))).
  rewrite Nat2Z.inj_succ with (n := n), <-Z.add_1_r with (n := Z.of_nat n), Pow2int.Power_s by lia.
  rewrite Nat2Z.inj_succ, Nat2Z.inj_succ, <-Z.add_1_l, <-Z.add_1_l, Nat2Z.inj_mul, Nat2Z.inj_mul.
  rewrite Z.rem_mul_r.
  rewrite Zmod_odd.
  assert (Z.odd (1 + Z.of_nat 2 * Z.of_nat (bvec_to_nat (S n) v)) = true) by (rewrite Z.odd_add_mul_2; easy).
  rewrite H0.
  rewrite Int.Comm1 with (y := Z.of_nat (bvec_to_nat (S n) v)), Z_div_plus_full, Zdiv_1_l by easy.
  rewrite H; easy.
  lia.
  apply Pow2int.pow2pos; lia.
  change (Z.of_nat (2 * bvec_to_nat n (Vector.shiftout v)) = (Z.of_nat (2 * bvec_to_nat (S n) v)) mod (Pow2int.pow2 (Z.of_nat (S n)))).
  rewrite Nat2Z.inj_succ with (n := n), <-Z.add_1_r with (n := Z.of_nat n), Pow2int.Power_s by lia.
  rewrite Nat2Z.inj_mul, Nat2Z.inj_mul.
  rewrite Zmult_mod_distr_l.
  rewrite H; trivial.
Qed.

(* Why3 goal *)
Definition rotate_right : t -> Numbers.BinNums.Z -> t.
  exact (fun b p => rotate_right_aux b (Z.to_nat p)).
Defined.

(* Why3 goal *)
Lemma Nth_rotate_right :
  forall (v:t) (n:Numbers.BinNums.Z) (i:Numbers.BinNums.Z),
  (0%Z <= i)%Z /\ (i < size)%Z -> (0%Z <= n)%Z ->
  ((nth (rotate_right v n) i) =
   (nth v (int.EuclideanDivision.mod1 (i + n)%Z size))).
  intros v n i h1 h2.
  revert h2; revert n.
  apply Z_of_nat_prop.
  destruct h1.
  revert H0.
  pattern i.
  apply Z_of_nat_prop; auto.
  unfold nth, rotate_right, size, size_nat.
  intro n.
  rewrite Nat2Z.inj_succ.
  intros. rewrite Nat2Z.id.
  apply Nth_rotate_aux_right; auto.
Qed.

(* Why3 goal *)
Definition rotate_left : t -> Numbers.BinNums.Z -> t.
  exact (fun b p => rotate_left_aux b (Z.to_nat p)).
Defined.

(* Why3 goal *)
Lemma Nth_rotate_left :
  forall (v:t) (n:Numbers.BinNums.Z) (i:Numbers.BinNums.Z),
  (0%Z <= i)%Z /\ (i < size)%Z -> (0%Z <= n)%Z ->
  ((nth (rotate_left v n) i) =
   (nth v (int.EuclideanDivision.mod1 (i - n)%Z size))).
  intros v n i h1 h2.
  revert h2; revert n.
  apply Z_of_nat_prop.
  destruct h1.
  revert H0.
  pattern i.
  apply Z_of_nat_prop; auto.
  unfold nth, rotate_left, size, size_nat.
  intro n.
  rewrite Nat2Z.inj_succ.
  intros. rewrite Nat2Z.id.
  apply Nth_rotate_aux_left; auto.
Qed.

(* Why3 goal *)
Definition two_power_size : Numbers.BinNums.Z.
  exact (Pow2int.pow2 size)%Z.
Defined.

(* Why3 goal *)
Definition max_int : Numbers.BinNums.Z.
  exact (Pow2int.pow2 size - 1)%Z.
Defined.

(* Why3 goal *)
Lemma two_power_size_val : (two_power_size = (bv.Pow2int.pow2 size)).
  trivial.
Qed.

(* Why3 goal *)
Lemma max_int_val : (max_int = (two_power_size - 1%Z)%Z).
  trivial.
Qed.

(* Why3 goal *)
Definition is_signed_positive : t -> Prop.
  exact (fun v => if Bsign _ v then False else True).
Defined.

(* Why3 goal *)
Definition to_uint : t -> Numbers.BinNums.Z.
  exact (fun x => Z.of_nat (bvec_to_nat size_nat x)).
Defined.

Lemma max_int_S : (two_power_size = max_int + 1)%Z.
  rewrite max_int_val; auto with zarith.
Qed.

(* Why3 goal *)
Definition of_int : Numbers.BinNums.Z -> t.
  exact (fun x => nat_to_bvec size_nat (Z.to_nat x)).
Defined.

(* Why3 goal *)
Definition to_int : t -> Numbers.BinNums.Z.
  exact (twos_complement size_nat).
Defined.

(* Why3 goal *)
Lemma to_int'def :
  forall (x:t),
  (is_signed_positive x -> ((to_int x) = (to_uint x))) /\
  (~ is_signed_positive x ->
   ((to_int x) = (-(two_power_size - (to_uint x))%Z)%Z)).
Proof.
  intros. split.
  - unfold to_int, to_uint,is_signed_positive, twos_complement, size_nat.
    intros.
    assert (Bsign last_bit x = false).
    {
      destruct Bsign; try (now destruct H); auto.
    }
    rewrite H0. reflexivity.

  - unfold two_power_size, to_int, to_uint,is_signed_positive,
           twos_complement, size, size_nat.
    intros.
    assert (Bsign last_bit x = true).
    {
      destruct Bsign; try (now destruct H); auto.
    }
    rewrite H0. ring.
Qed.

(* Why3 goal *)
Lemma to_uint_extensionality :
  forall (v:t) (v':t), ((to_uint v) = (to_uint v')) -> (v = v').
  unfold to_uint.
  intros v v'.
  rewrite Nat2Z.inj_iff.
  apply bvec_to_nat_extensionality.
Qed.

(* Why3 goal *)
Lemma to_int_extensionality :
  forall (v:t) (v':t), ((to_int v) = (to_int v')) -> (v = v').
  apply twos_complement_extensionality.
Qed.

(* Why3 assumption *)
Definition uint_in_range (i:Numbers.BinNums.Z) : Prop :=
  (0%Z <= i)%Z /\ (i <= max_int)%Z.

(* Why3 goal *)
Lemma to_uint_bounds :
  forall (v:t), (0%Z <= (to_uint v))%Z /\ ((to_uint v) < two_power_size)%Z.
  intros v.
  unfold to_uint, uint_in_range.
  split.
  lia.
  assert (two_power_size = Z.of_nat (Z.to_nat two_power_size)).
  rewrite Z2Nat.id.
  easy.
  unfold two_power_size, size.
  transitivity (Pow2int.pow2 (Z.of_nat size_nat) - 1);[apply max_int_nat|lia].
  rewrite H.
  apply inj_lt.
  apply bvec_to_nat_range.
Qed.

Lemma uint_in_range_power : forall (v:Z), uint_in_range v <-> (0 <= v < two_power_size).
  unfold uint_in_range, max_int, two_power_size.
  split; intros; auto with zarith.
Qed.

(* to_uint helper lemmas *)

Lemma to_uint_lsr_aux : forall (v:t) (n:nat), ((to_uint (lsr v
  (Z.of_nat n))) = (div (to_uint v) (Pow2int.pow2 (Z.of_nat n)))).
  unfold div.
  intros; case Z_le_dec; [|intro e; destruct e; apply Z_mod_lt, lt_sym, Pow2int.pow2pos; lia].
  revert v n.
  induction n; intro.
  simpl.
  assert (lsr v 0 = v) as H by easy; rewrite H; symmetry; apply Zdiv_1_r.
  unfold lsr.
  rewrite Nat2Z.id.
  simpl BshiftRl_iter.
  unfold BshiftRl, Bhigh, to_uint, div.
  rewrite bvec_to_nat_tl.
  rewrite bvec_to_nat_shiftin.
  rewrite Nat2Z.inj_succ, <-Z.add_1_r, Pow2int.Power_s by lia.
  rewrite Z.mul_comm, <-Zdiv_Zdiv.
  rewrite <- Nat2Z.id with (n := n).
  change (to_uint (lsr v (Z.of_nat n)) / 2 =
          to_uint v / Pow2int.pow2 (Z.of_nat (Z.to_nat (Z.of_nat n))) / 2).
  rewrite Nat2Z.id.
  rewrite IHn.
  lia.
  apply Z_mod_lt, lt_sym, Pow2int.pow2pos; lia.
  apply Z.lt_le_incl, Pow2int.pow2pos; lia.
  lia.
Qed.

Lemma size_in_range: uint_in_range size.
  unfold uint_in_range, max_int, size, size.
  split; [lia|apply Z.lt_le_pred, id_lt_pow2].
Qed.

Lemma mod1_in_range : forall x, uint_in_range (mod1 x two_power_size).
  split;[|apply Zlt_succ_le;rewrite <-Z.add_1_r, <-max_int_S];
  apply Mod_bound; easy.
Qed.

Lemma mod1_in_range2 : forall x, 0 <= mod1 x two_power_size < two_power_size.
  intro; apply Mod_bound; easy.
Qed.

Lemma to_uint_nat : forall v, (0 <= to_uint v)%Z.
  apply to_uint_bounds.
Qed.

Lemma to_uint_lsl_aux : forall (v:t) (n:nat), ((to_uint (lsl v
  (Z.of_nat n))) = (mod1 ((to_uint v) * (Pow2int.pow2 (Z.of_nat n)))%Z
  two_power_size)).
Proof.
  intros v n.
  rewrite mod1_is_mod by easy.
  induction n.
  simpl.
  apply Zmod_unique with (q := 0).
  apply to_uint_bounds.
  assert (lsl v 0 = v) as H by easy; rewrite H; lia.
  unfold lsl.
  rewrite Nat2Z.id.
  unfold BshiftL, Bcons, to_uint.
  simpl BshiftL_iter.
  rewrite <- Nat2Z.id with (n := n).
  change (Z.of_nat (2 * bvec_to_nat last_bit (Vector.shiftout (lsl v (Z.of_nat n)))) = (Z.of_nat (bvec_to_nat size_nat v) * Pow2int.pow2 (Z.of_nat (S (Z.to_nat (Z.of_nat n)))))  mod two_power_size)%Z.
  rewrite Nat2Z.id.
  rewrite Nat2Z.inj_mul.
  rewrite bvec_to_nat_shiftout_mod1.
  change (2 * ((to_uint (lsl v (Z.of_nat n))) mod (Pow2int.pow2 (Z.of_nat last_bit))) = (to_uint v * Pow2int.pow2 (Z.of_nat (S n))) mod two_power_size).
  unfold two_power_size.
  rewrite size_int_S, Nat2Z.inj_succ, <-Z.add_1_r, Pow2int.Power_s by lia.
  rewrite Zmult_assoc, Int.Comm1 with (y := 2), <-Z.add_1_r, Pow2int.Power_s by lia.
  rewrite Zmult_assoc_reverse, Zmult_mod_distr_l.
  rewrite Z.mul_cancel_l by lia.
  rewrite IHn.
  unfold two_power_size.
  rewrite size_int_S, <-Z.add_1_r, Pow2int.Power_s by lia.
  apply mod_mod_mult.
  apply lt_sym, Pow2int.pow2pos; lia.
  lia.
Qed.
(* end of to_uint helpers *)

(* Why3 goal *)
Lemma to_uint_of_int :
  forall (i:Numbers.BinNums.Z), (0%Z <= i)%Z /\ (i < two_power_size)%Z ->
  ((to_uint (of_int i)) = i).
  intros i h1; destruct h1.
  unfold to_uint, of_int.
  rewrite bvec_to_nat_nat_to_bvec.
  apply Z2Nat.id; easy.
  rewrite Z2Nat.id; [fold size; fold two_power_size; lia|easy].
Qed.

(* Why3 goal *)
Definition size_bv : t.
  exact (of_int size).
Defined.

(* Why3 goal *)
Lemma to_uint_size_bv : ((to_uint size_bv) = size).
  apply to_uint_of_int.
  rewrite max_int_S.
  destruct size_in_range; auto with zarith.
Qed.

Lemma Of_int_zeros: zeros = of_int 0.
apply Nat_to_bvec_zeros.
Qed.

(* Why3 goal *)
Lemma to_uint_zeros : ((to_uint zeros) = 0%Z).
  rewrite Of_int_zeros.
  apply to_uint_of_int; easy.
Qed.

Lemma to_uint_one_aux : forall {l}, bvec_to_nat (S l) (one_aux l) = 1%nat.
  intro l.
  simpl.
  rewrite bvec_to_nat_zeros.
  auto with zarith.
Qed.

Lemma Of_int_one_aux : forall {l}, one_aux l = nat_to_bvec (S l) 1%nat.
  intro l.
  apply bvec_to_nat_extensionality.
  rewrite bvec_to_nat_nat_to_bvec.
  apply to_uint_one_aux.
  pose proof (id_lt_pow2 l).
  zify.
  auto with zarith.
Qed.

(* Why3 goal *)
Lemma to_uint_one : ((to_uint one) = 1%Z).
  unfold to_uint, one.
  simpl.
  rewrite bvec_to_nat_zeros.
  auto with zarith.
Qed.

Lemma Of_int_one : one = of_int 1.
  apply Of_int_one_aux.
Qed.

Lemma Of_int_ones: ones = of_int max_int.
  apply Nat_to_bvec_ones.
Qed.

(* Why3 goal *)
Lemma to_uint_ones : ((to_uint ones) = max_int).
  rewrite Of_int_ones.
  apply to_uint_of_int.
  rewrite max_int_S.
  destruct size_in_range; auto with zarith.
Qed.

(* Why3 assumption *)
Definition ult (x:t) (y:t) : Prop := ((to_uint x) < (to_uint y))%Z.

(* Why3 goal *)
Definition ult_closure : t -> t -> Init.Datatypes.bool.
Proof.
intros x y.
case (Z_lt_dec (to_uint x) (to_uint y)); intro H.
exact true.
exact false.
Defined.

(* Why3 goal *)
Lemma ult_closure_def :
  forall (y:t) (y1:t),
  ((ult_closure y y1) = Init.Datatypes.true) <-> ult y y1.
Proof.
intros y y1.
unfold ult_closure, ult.
case (Z_lt_dec (to_uint y) (to_uint y1)); intro H.
split; auto.
split; auto.
discriminate.
Qed.

(* Why3 goal *)
Lemma ult_wf : WellFounded.well_founded ult_closure.
Proof.
intros x.
remember (to_uint x) as x'.
assert (H := Z.lt_wf 0 x').
revert x Heqx'.
induction H as [x' _].
intros x ->.
constructor.
intros y HR.
apply (H (to_uint y)).
2: easy.
split.
apply to_uint_bounds.
now apply -> ult_closure_def.
Qed.

(* Why3 assumption *)
Definition ule (x:t) (y:t) : Prop := ((to_uint x) <= (to_uint y))%Z.

(* Why3 assumption *)
Definition ugt (x:t) (y:t) : Prop := ((to_uint y) < (to_uint x))%Z.

(* Why3 goal *)
Definition ugt_closure : t -> t -> Init.Datatypes.bool.
Proof.
intros x y.
case (Z_lt_dec (to_uint y) (to_uint x)); intro H.
exact true.
exact false.
Defined.

(* Why3 goal *)
Lemma ugt_closure_def :
  forall (y:t) (y1:t),
  ((ugt_closure y y1) = Init.Datatypes.true) <-> ugt y y1.
Proof.
intros y y1.
unfold ugt_closure,ugt.
case (Z_lt_dec (to_uint y1) (to_uint y)); intro H.
split; auto.
split; auto; discriminate.
Qed.

(* Why3 goal *)
Lemma ugt_wf : WellFounded.well_founded ugt_closure.
Proof.
intros x.
remember (to_uint x) as x'.
assert (H := Z.gt_wf two_power_size x').
revert x Heqx'.
induction H as [x' _].
intros x ->.
constructor.
intros y HR.
apply (H (to_uint y)).
2: easy.
split.
now apply -> ugt_closure_def.
apply Zlt_le_weak, to_uint_bounds.
Qed.

(* Why3 assumption *)
Definition uge (x:t) (y:t) : Prop := ((to_uint y) <= (to_uint x))%Z.

(* Why3 assumption *)
Definition slt (v1:t) (v2:t) : Prop := ((to_int v1) < (to_int v2))%Z.

(* Why3 goal *)
Definition slt_closure : t -> t -> Init.Datatypes.bool.
Proof.
intros x y.
case (Z_lt_dec (to_int x) (to_int y)); intro H.
exact true.
exact false.
Defined.

(* Why3 goal *)
Lemma slt_closure_def :
  forall (y:t) (y1:t),
  ((slt_closure y y1) = Init.Datatypes.true) <-> slt y y1.
Proof.
intros y y1.
unfold slt_closure,slt.
case (Z_lt_dec (to_int y) (to_int y1)); intro H.
split; auto.
split; auto; discriminate.
Qed.

(* Why3 goal *)
Lemma slt_wf : WellFounded.well_founded slt_closure.
Proof.
intros x.
remember (to_int x) as x'.
assert (H := Z.lt_wf (-two_power_size) x').
revert x Heqx'.
induction H as [x' _].
intros x ->.
constructor.
intros y HR.
apply (H (to_int y)).
2: easy.
split.
2: now apply -> slt_closure_def.
clear.
generalize (to_int'def y).
unfold is_signed_positive.
destruct Bsign ; generalize (to_uint_bounds y) ; lia.
Qed.

(* Why3 assumption *)
Definition sle (v1:t) (v2:t) : Prop := ((to_int v1) <= (to_int v2))%Z.

(* Why3 assumption *)
Definition sgt (v1:t) (v2:t) : Prop := ((to_int v2) < (to_int v1))%Z.

(* Why3 goal *)
Definition sgt_closure : t -> t -> Init.Datatypes.bool.
Proof.
intros x y.
case (Z_lt_dec (to_int y) (to_int x)); intro H.
exact true.
exact false.
Defined.

(* Why3 goal *)
Lemma sgt_closure_def :
  forall (y:t) (y1:t),
  ((sgt_closure y y1) = Init.Datatypes.true) <-> sgt y y1.
Proof.
intros y y1.
unfold sgt_closure,sgt.
case (Z_lt_dec (to_int y1) (to_int y)); intro H.
split; auto.
split; auto; discriminate.
Qed.

(* Why3 goal *)
Lemma sgt_wf : WellFounded.well_founded sgt_closure.
Proof.
intros x.
remember (to_int x) as x'.
assert (H := Z.gt_wf two_power_size x').
revert x Heqx'.
induction H as [x' _].
intros x ->.
constructor.
intros y HR.
apply (H (to_int y)).
2: easy.
split.
now apply -> sgt_closure_def.
clear.
generalize (to_int'def y).
unfold is_signed_positive.
destruct Bsign ; generalize (to_uint_bounds y) ; lia.
Qed.

(* Why3 assumption *)
Definition sge (v1:t) (v2:t) : Prop := ((to_int v2) <= (to_int v1))%Z.

Lemma zeros_sign_aux: forall A n (h: A), Vector.last (Vector.const h (S n)) = h.
  induction n; eauto.
Qed.

Lemma zeros_sign_false: Bsign last_bit zeros = false.
  apply zeros_sign_aux.
Qed.

(* Why3 goal *)
Lemma positive_is_ge_zeros :
  forall (x:t), is_signed_positive x <-> sge x zeros.
Proof.
  intros.
  unfold is_signed_positive, sge, to_int, twos_complement, size_nat.
  rewrite zeros_sign_false. destruct Bsign.
  intuition.
  unfold zeros, zeros_aux, size_nat in *. rewrite bvec_to_nat_zeros in H.
  generalize (bvec_to_nat_range x). intros.
  simpl (Z.of_nat 0) in H.
  assert (Pow2int.pow2 (Z.of_nat (S last_bit)) <= Z.of_nat (bvec_to_nat (S last_bit) x)).
  lia. unfold size_nat in *.
  apply Z2Nat.inj_le in H1.
  rewrite Nat2Z.id in H1; lia.
  eapply Z.le_trans. apply (max_int_nat (S last_bit)). lia.
  lia.

  intuition.
  unfold zeros, zeros_aux.
  rewrite bvec_to_nat_zeros. simpl. lia.
Qed.

(* Why3 goal *)
Definition add : t -> t -> t.
  exact (fun v v' => of_int (mod1 (to_uint v + to_uint v') two_power_size)).
Defined.

(* Why3 goal *)
Lemma to_uint_add :
  forall (v1:t) (v2:t),
  ((to_uint (add v1 v2)) =
   (int.EuclideanDivision.mod1 ((to_uint v1) + (to_uint v2))%Z
    two_power_size)).
  intros v1 v2.
  apply to_uint_of_int.
  apply mod1_in_range2.
Qed.

(* Why3 goal *)
Lemma to_uint_add_bounded :
  forall (v1:t) (v2:t),
  (((to_uint v1) + (to_uint v2))%Z < two_power_size)%Z ->
  ((to_uint (add v1 v2)) = ((to_uint v1) + (to_uint v2))%Z).
  intros v1 v2 h1.
  rewrite <-(mod1_out (to_uint v1 + to_uint v2) two_power_size).
  apply to_uint_add.
  split; [apply OMEGA2; apply to_uint_nat|auto].
Qed.

(* Why3 goal *)
Definition sub : t -> t -> t.
  exact (fun v v' => of_int (mod1 (to_uint v - to_uint v') two_power_size)).
Defined.

(* Why3 goal *)
Lemma to_uint_sub :
  forall (v1:t) (v2:t),
  ((to_uint (sub v1 v2)) =
   (int.EuclideanDivision.mod1 ((to_uint v1) - (to_uint v2))%Z
    two_power_size)).
  intros v1 v2.
  apply to_uint_of_int, mod1_in_range2.
Qed.

(* Why3 goal *)
Lemma to_uint_sub_bounded :
  forall (v1:t) (v2:t),
  (0%Z <= ((to_uint v1) - (to_uint v2))%Z)%Z /\
  (((to_uint v1) - (to_uint v2))%Z < two_power_size)%Z ->
  ((to_uint (sub v1 v2)) = ((to_uint v1) - (to_uint v2))%Z).
  intros v1 v2 (h1,h2).
  rewrite <-(mod1_out (to_uint v1 - to_uint v2) two_power_size) by auto.
  apply to_uint_sub.
Qed.

(* Why3 goal *)
Definition neg : t -> t.
  exact (fun v => of_int (mod1 (- to_uint v) two_power_size)).
Defined.

(* Why3 goal *)
Lemma to_uint_neg :
  forall (v:t),
  ((to_uint (neg v)) =
   (int.EuclideanDivision.mod1 (-(to_uint v))%Z two_power_size)).
  intros v.
  apply to_uint_of_int, mod1_in_range2.
Qed.

(* Why3 goal *)
Definition mul : t -> t -> t.
  exact (fun v v' => of_int (mod1 (to_uint v * to_uint v') two_power_size)).
Defined.

(* Why3 goal *)
Lemma to_uint_mul :
  forall (v1:t) (v2:t),
  ((to_uint (mul v1 v2)) =
   (int.EuclideanDivision.mod1 ((to_uint v1) * (to_uint v2))%Z
    two_power_size)).
  intros v1 v2.
  apply to_uint_of_int, mod1_in_range2.
Qed.

(* Why3 goal *)
Lemma to_uint_mul_bounded :
  forall (v1:t) (v2:t),
  (((to_uint v1) * (to_uint v2))%Z < two_power_size)%Z ->
  ((to_uint (mul v1 v2)) = ((to_uint v1) * (to_uint v2))%Z).
  intros v1 v2 h1.
  rewrite <-(mod1_out (to_uint v1 * to_uint v2) two_power_size).
  apply to_uint_mul.
  split.
  apply Z.mul_nonneg_nonneg; apply to_uint_nat.
  easy.
Qed.

(* Why3 goal *)
Definition udiv : t -> t -> t.
  exact (fun v v' => of_int (div (to_uint v) (to_uint v'))).
Defined.

(* Why3 goal *)
Lemma to_uint_udiv :
  forall (v1:t) (v2:t),
  ((to_uint (udiv v1 v2)) =
   (int.EuclideanDivision.div (to_uint v1) (to_uint v2))).
Proof.
  intros v1 v2.
  apply to_uint_of_int.
  case (Z.eq_dec (to_uint v2) 0); intro.
  unfold div.
  case Z_le_dec.
  intros _.
  rewrite e, Zdiv_0_r.
  split; [easy|apply Pow2int.pow2pos;easy].
  rewrite e, Zmod_0_r.
  intros H.
  elim H.
  try easy; apply to_uint_nat.
  split.
  apply Div_bound; split;[|apply Z.le_neq;split;[|auto]];apply to_uint_nat.
  apply (Z.le_lt_trans _ (to_uint v1)).
  apply Div_bound; split;[|apply Z.le_neq;split;[|auto]];apply to_uint_nat.
  apply to_uint_bounds.
Qed.

(* Why3 goal *)
Definition urem : t -> t -> t.
  exact (fun v v' => of_int (mod1 (to_uint v) (to_uint v'))).
Defined.

(* Why3 goal *)
Lemma to_uint_urem :
  forall (v1:t) (v2:t),
  ((to_uint (urem v1 v2)) =
   (int.EuclideanDivision.mod1 (to_uint v1) (to_uint v2))).
  intros v1 v2.
  apply to_uint_of_int.
  case (Z.eq_dec (to_uint v2) 0); intro.
  rewrite e.
  unfold uint_in_range, mod1; simpl.
  rewrite <- Zminus_0_l_reverse; apply to_uint_bounds.
  split.
  apply Mod_bound; trivial.
  apply (Z.lt_trans _ (Z.abs (to_uint v2))).
  apply Mod_bound; trivial.
  rewrite Z.abs_eq; apply to_uint_bounds.
Qed.

(* abstract sdiv and srem while we have no realization yet *)
Definition sdiv_abstract : t -> t -> t.
  admit.
Admitted.

Definition srem_abstract : t -> t -> t.
  admit.
Admitted.



(* Why3 goal *)
Definition sdiv : t -> t -> t.
Proof.
  exact sdiv_abstract.
Defined.

(* Why3 goal *)
Definition srem : t -> t -> t.
Proof.
  exact srem_abstract.
Defined.

(* Why3 goal *)
Definition lsr_bv : t -> t -> t.
  exact (fun v w => lsr v (to_uint w)).
Defined.

(* Why3 goal *)
Lemma lsr_bv_is_lsr :
  forall (x:t) (n:t), ((lsr_bv x n) = (lsr x (to_uint n))).
  easy.
Qed.

(* Why3 goal *)
Lemma to_uint_lsr :
  forall (v:t) (n:t),
  ((to_uint (lsr_bv v n)) =
   (int.EuclideanDivision.div (to_uint v) (bv.Pow2int.pow2 (to_uint n)))).
  intros v n.
  apply to_uint_lsr_aux.
Qed.

(* Why3 goal *)
Definition asr_bv : t -> t -> t.
  exact (fun v w => asr v (to_uint w)).
Defined.

(* Why3 goal *)
Lemma asr_bv_is_asr :
  forall (x:t) (n:t), ((asr_bv x n) = (asr x (to_uint n))).
  easy.
Qed.

(* Why3 goal *)
Definition lsl_bv : t -> t -> t.
  exact (fun v w => lsl v (to_uint w)).
Defined.

(* Why3 goal *)
Lemma lsl_bv_is_lsl :
  forall (x:t) (n:t), ((lsl_bv x n) = (lsl x (to_uint n))).
  easy.
Qed.

(* Why3 goal *)
Lemma to_uint_lsl :
  forall (v:t) (n:t),
  ((to_uint (lsl_bv v n)) =
   (int.EuclideanDivision.mod1
    ((to_uint v) * (bv.Pow2int.pow2 (to_uint n)))%Z two_power_size)).
  intros v n.
  apply to_uint_lsl_aux.
Qed.

(* Why3 goal *)
Definition rotate_right_bv : t -> t -> t.
  exact (fun b p => rotate_right b (to_uint p)).
Defined.

(* Why3 goal *)
Definition rotate_left_bv : t -> t -> t.
  exact (fun b p => rotate_left b (to_uint p)).
Defined.

(* Why3 goal *)
Lemma rotate_left_bv_is_rotate_left :
  forall (v:t) (n:t), ((rotate_left_bv v n) = (rotate_left v (to_uint n))).
trivial.
Qed.

(* Why3 goal *)
Lemma rotate_right_bv_is_rotate_right :
  forall (v:t) (n:t), ((rotate_right_bv v n) = (rotate_right v (to_uint n))).
trivial.
Qed.

(* Why3 goal *)
Definition nth_bv : t -> t -> Init.Datatypes.bool.
  exact (fun v w => nth v (to_uint w)).
Defined.

Lemma and_zeros : forall {l} (x:Vector.t bool l),
                   Vector.map2 (fun a b => a && b) x zeros_aux = zeros_aux.
  induction x; auto.
  simpl.
  rewrite andb_false_r.
  fold (@zeros_aux n).
  rewrite IHx; reflexivity.
Qed.

Lemma nth_bv_def_aux : forall {l} (x:Vector.t bool (S l)) (i:Z),
                         nth_aux x 0 = true <-> (Vector.map2 (fun a b => a && b) x (one_aux l)) <> zeros_aux.
  intros.
  rewrite Of_int_one_aux.
  destruct x.
  simpl.
  split; [easy|auto].
  rewrite nth_zeros_is_hd; unfold Vector.hd.
  simpl.
  rewrite <-Nat_to_bvec_zeros, and_zeros.
  rewrite andb_true_r.
  split; intro.
  rewrite H; easy.
  revert H; case h; auto.
Qed.

(* Why3 goal *)
Lemma nth_bv_def :
  forall (x:t) (i:t),
  ((nth_bv x i) = Init.Datatypes.true) <->
  ~ ((bw_and (lsr_bv x i) one) = zeros).
  intros; unfold nth_bv.
  case (Z_lt_ge_dec (to_uint i) size); intro.
  rewrite <-(Zplus_0_l (to_uint i)).
  rewrite <-Lsr_nth_low; auto with zarith.
  fold (lsr_bv x i).
  set (lsr_bv x i).
  apply (nth_bv_def_aux t0 0).
  apply to_uint_bounds.
  unfold nth.
  rewrite (nth_high x (to_uint i)); auto.
  assert (tmmp: forall x i, to_uint i >= size -> lsr_bv x i = zeros_aux).
    intros.
    apply Extensionality_aux; unfold eq_aux; intros.
    unfold lsr_bv, zeros_aux.
    rewrite nth_const by auto.
    apply Lsr_nth_high.
    unfold size in H; auto with zarith.
    easy.
    auto with zarith.
  rewrite tmmp by auto.
  split; intro.
  assert False by easy; auto.
  destruct H.
  apply Extensionality_aux; unfold eq_aux; intros.
  rewrite Nth_bw_and by auto.
  unfold nth, zeros, zeros_aux.
  rewrite nth_const by auto.
  easy.
Qed.

(* Why3 goal *)
Lemma Nth_bv_is_nth :
  forall (x:t) (i:t), ((nth x (to_uint i)) = (nth_bv x i)).
  trivial.
Qed.

(* Why3 goal *)
Lemma Nth_bv_is_nth2 :
  forall (x:t) (i:Numbers.BinNums.Z),
  (0%Z <= i)%Z /\ (i < two_power_size)%Z ->
  ((nth_bv x (of_int i)) = (nth x i)).
  intros x i h1.
  rewrite <-Nth_bv_is_nth.
  rewrite to_uint_of_int by auto.
  reflexivity.
Qed.

(* Why3 goal *)
Definition eq_sub_bv : t -> t -> t -> t -> Prop.
  exact (fun a b i n =>
           let mask := (lsl_bv (sub (lsl_bv (of_int 1%Z) n) (of_int 1%Z)) i)
           in ((bw_and b mask) = (bw_and a mask))).
Defined.

(* Why3 goal *)
Lemma eq_sub_bv_def :
  forall (a:t) (b:t) (i:t) (n:t),
  let mask := lsl_bv (sub (lsl_bv one n) one) i in
  eq_sub_bv a b i n <-> ((bw_and b mask) = (bw_and a mask)).
  rewrite Of_int_one.
  easy.
Qed.

(* Why3 assumption *)
Definition eq_sub (a:t) (b:t) (i:Numbers.BinNums.Z) (n:Numbers.BinNums.Z) :
    Prop :=
  forall (j:Numbers.BinNums.Z), (i <= j)%Z /\ (j < (i + n)%Z)%Z ->
  ((nth a j) = (nth b j)).

Lemma in_range_1 : uint_in_range 1.
  split; auto with zarith.
  change (Z.succ 0 <= max_int)%Z; apply Zlt_le_succ.
  unfold max_int, size, size.
  apply Zlt_succ_pred.
  apply Z.le_lt_trans with (m := Z.of_nat (S last_bit)).
  rewrite Nat2Z.inj_succ; auto with zarith.
  apply id_lt_pow2.
Qed.

Lemma in_range_1' : 0 <= 1 < two_power_size.
  split; auto with zarith.
  rewrite max_int_S, Z.add_1_r.
  apply Zle_lt_succ, in_range_1.
Qed.

Lemma max_int_neq_1 : max_int + 1 <> 0.
  intro; symmetry in H; revert H.
  apply Z.lt_neq, Zle_lt_succ, max_int_nat.
Qed.

(* mask (S n) = lsl (mask n) 1 + 1 *)
Lemma mask_succ :
  forall n,
    sub (lsl (of_int 1) (Z.of_nat (S n))) (of_int 1%Z)
    = add (lsl (sub (lsl (of_int 1%Z) (Z.of_nat n)) (of_int 1%Z)) (Z.of_nat 1)) (of_int 1%Z).
  intro; apply to_uint_extensionality.
  rewrite to_uint_add.
  rewrite to_uint_lsl_aux.
  assert (Pow2int.pow2 (Z.of_nat 1) = 2) as tmp by auto with zarith; rewrite tmp.
  symmetry; rewrite to_uint_sub; symmetry.
  rewrite to_uint_of_int by (apply in_range_1').
  rewrite mod1_is_mod,mod1_is_mod,mod1_is_mod by easy.
  rewrite Z.mul_mod_idemp_l by easy.
  rewrite Z.mul_sub_distr_r.
  rewrite <- Zminus_mod_idemp_l.
  rewrite to_uint_lsl_aux.
  rewrite mod1_is_mod by easy.
  rewrite Z.mul_mod_idemp_l by easy.
  rewrite Zmult_assoc_reverse, (Int.Comm1 (Pow2int.pow2 (Z.of_nat n)) 2).
  rewrite <-Pow2int.Power_s by lia.
  rewrite <-mod1_is_mod with (x := to_uint (of_int 1) * Pow2int.pow2 (Z.of_nat n + 1)) by easy.
  rewrite Z.add_1_r with (n := Z.of_nat n).
  rewrite <- Nat2Z.inj_succ.
  rewrite <-to_uint_lsl_aux.
  rewrite Zplus_mod_idemp_l.
  rewrite <-Z.sub_sub_distr.
  assert (1 * 2 - 1 = to_uint (of_int 1)).
  simpl; symmetry; apply to_uint_of_int; apply in_range_1'.
  rewrite H.
  rewrite <-mod1_is_mod by easy.
  apply to_uint_sub.
Qed.

Definition add_aux {l} (v w : Vector.t bool l) : Vector.t bool l :=
     nat_to_bvec l (Z.to_nat (mod1
        (Z.of_nat (bvec_to_nat l v) + Z.of_nat (bvec_to_nat l w))
        (Pow2int.pow2 (Z.of_nat l)))).

Lemma mask_succ_tmp :
  forall n,
    add (lsl (sub (lsl (of_int 1%Z) (Z.of_nat n)) (of_int 1%Z)) (Z.of_nat 1)) (of_int 1%Z)
    = bw_or (lsl (sub (lsl (of_int 1%Z) (Z.of_nat n)) (of_int 1%Z)) (Z.of_nat 1)) (of_int 1%Z).
  intro.

  assert (add_and_or :
    forall v, nth v 0 = false ->
              add v (of_int 1) = bw_or v (of_int 1)).
  assert (add_is_add_aux : forall v w, add v w = add_aux v w) by auto.
  assert (add_and_or_aux :
      forall {l} v, @nth_aux l v 0 = false ->
                    add_aux v (nat_to_bvec l 1)
                    = Vector.map2 (fun x y => x || y) v (nat_to_bvec l 1)).
      destruct v; auto.
      intro.
      assert (h = false) as hf by auto; rewrite hf.
      simpl.
      unfold add_aux.
      change (
          nat_to_bvec (S n0)
                      (Z.to_nat
                         (mod1
                            (Z.of_nat (2 * (bvec_to_nat n0 v)) +
                             Z.of_nat (1 + 2 * (bvec_to_nat n0 (nat_to_bvec n0 0))))
                            (Pow2int.pow2 (Z.of_nat (S n0))))) =
          true :: Vector.map2 (fun x y : bool => x || y) v (nat_to_bvec n0 0)).
      rewrite <-Nat_to_bvec_zeros, bvec_to_nat_zeros.
      change (Z.of_nat (1 + 2 * 0)) with 1.
      set (mod1 (Z.of_nat (2 * bvec_to_nat n0 v) + 1)
           (Pow2int.pow2 (Z.of_nat (S n0)))).
      simpl nat_to_bvec.
      rewrite Z2Nat.id by (apply mod1_nat, Z.lt_le_pred, max_int_nat).
      assert (H0: Z.odd z = true).
        subst z.
        rewrite Zodd_mod, mod1_is_mod by auto with zarith.
        rewrite Nat2Z.inj_succ, <- Z.add_1_r, Pow2int.Power_s by auto with zarith.
        rewrite Int.Comm1, (mod_mod_mult _ 2 _)by auto with zarith.
        rewrite <-Zodd_mod, Int.Comm, Nat2Z.inj_mul, Z.odd_add_mul_2; trivial.
      rewrite H0.
      cut (nat_to_bvec n0 (Div2.div2 (Z.to_nat z))
           = Vector.map2 (fun x y : bool => x || y) v (Vector.const false n0)).
      intro t; rewrite t; trivial.
      case (Z_lt_le_dec (Z.of_nat (2 * bvec_to_nat n0 v) + 1) (Pow2int.pow2 (Z.of_nat (S n0)))); intro.
      subst z.
      revert H0.
      rewrite mod1_out by auto with zarith.
      rewrite Z.add_1_r.
      intro.
      rewrite <-Nat2Z.inj_succ, Nat2Z.id.
      rewrite Z.odd_succ, <-even_is_even in H0.
      rewrite <-(Div2.even_div2 _ H0), Div2.div2_double.
      assert (nat_to_bvec_bvec_to_nat:
        forall {l} v, nat_to_bvec l (bvec_to_nat l v) = v).
        intros; apply bvec_to_nat_extensionality.
        apply bvec_to_nat_nat_to_bvec.
        apply Z.lt_le_pred.
        rewrite <-Z2Nat.id by (transitivity (Pow2int.pow2 (Z.of_nat l0) - 1);
             [apply max_int_nat|auto with zarith]).
        apply inj_lt, bvec_to_nat_range.
      rewrite nat_to_bvec_bvec_to_nat.
      assert (tmp2:
        forall {l} v,
          Vector.map2 (fun x y : bool => x || y) v (Vector.const false l) = v).
        induction v0; auto.
        simpl.
        rewrite orb_false_r.
        rewrite IHv0; trivial.
      symmetry; apply tmp2.
      absurd (Z.of_nat (bvec_to_nat n0 v) < Pow2int.pow2 (Z.of_nat n0)).
      apply Zle_not_lt.
      rewrite Nat2Z.inj_succ in l.
      rewrite <- Z.add_1_r, Pow2int.Power_s in l by auto with zarith.
      apply Zle_lt_succ in l.
      rewrite <-Z.add_1_r, Zplus_assoc_reverse, Nat2Z.inj_mul in l.
      simpl (1 + 1) in l.
      rewrite Zred_factor3 in l.
      rewrite <-(Z.mul_lt_mono_pos_l 2) in l by lia.
      rewrite Z.add_1_l in l.
      apply Zlt_succ_le in l; trivial.
      rewrite Z2Nat.inj_lt, Nat2Z.id.
      apply (bvec_to_nat_range v).
      auto with zarith.
      transitivity (Pow2int.pow2 (Z.of_nat n0) - 1).
      apply max_int_nat.
      auto with zarith.
    intros.
    rewrite add_is_add_aux.
    apply add_and_or_aux.
    trivial.
  simpl.
  apply add_and_or.
  intros; apply Lsl_nth_low; auto with zarith.
Qed.

Lemma mask_succ_2 :
  forall n,
    sub (lsl (of_int 1) (Z.of_nat (S n))) (of_int 1%Z)
  = bw_or (lsl (sub (lsl (of_int 1%Z) (Z.of_nat n)) (of_int 1%Z)) (Z.of_nat 1)) (of_int 1%Z).
  intro; rewrite mask_succ.
  apply mask_succ_tmp.
Qed.

Lemma nth_bit_pred_high :
  forall n i,
    to_uint i < size ->
    to_uint i < Z.of_nat n ->
    nth_bv (sub (lsl (of_int 1%Z) (Z.of_nat n)) (of_int 1%Z)) i = true.
Proof.
  induction n;intros.
  assert (Z.of_nat 0 <= to_uint i) by apply to_uint_bounds.
  lia.
  rewrite <-Nth_bv_is_nth.
  rewrite mask_succ_2; simpl.
  unfold bw_or, nth.
  rewrite <-nth_aux_map2.
  2: split; auto with zarith; apply to_uint_bounds.

  apply orb_true_iff.
  case (Z_lt_le_dec (to_uint i) 1); intro.
  right.
  assert (to_uint i = 0).
    assert (H' := to_uint_bounds i).
    lia.
  rewrite H1; apply nth_zeros_is_hd.

  left.
  rewrite Lsl_nth_high; auto with zarith.

  assert (to_uint i - 1 = to_uint (sub i (of_int 1))).
  rewrite to_uint_sub by auto with zarith.
  rewrite to_uint_of_int by (apply in_range_1').
  rewrite mod1_out; trivial.
  split; auto with zarith.
  apply (Z.lt_trans _ (to_uint i)).
  lia.
  apply to_uint_bounds.

  rewrite H1, Nth_bv_is_nth.
  apply IHn; rewrite <-H1; rewrite Nat2Z.inj_succ in H0; lia.
Qed.

  Lemma one_nth: forall {l},
    nat_to_bvec (S l) 1
    = Vector.cons bool true l (Vector.const false _).
    intro.
    change (Bcons (Z.odd (Z.of_nat 1)) l (nat_to_bvec l (Div2.div2 1)) = true :: Vector.const false l).
    assert (Z.odd (Z.of_nat 1) = true) by auto with zarith.
    rewrite H.
    assert (Div2.div2 1 = 0%nat) by auto with zarith.
    rewrite H0.
    assert (nat_to_bvec l 0 = Vector.const false l).
    induction l.
    auto.
    change (Bcons (Z.odd (Z.of_nat 0)) l (nat_to_bvec l (Div2.div2 0)) = false :: Vector.const false l).
    rewrite <-IHl; auto.
    rewrite H1; trivial.
  Qed.

Lemma nth_bit_pred_low :
  forall n i,
    to_uint i >= Z.of_nat n ->
    nth_bv (sub (lsl (of_int 1%Z) (Z.of_nat n)) (of_int 1%Z)) i = false.
  induction n;intros.
  assert (lsl (of_int 1) (Z.of_nat 0) = of_int 1) as h by auto with zarith; rewrite h.
  assert (sub (of_int 1) (of_int 1) = of_int 0).
  apply to_uint_extensionality.
  rewrite to_uint_sub, to_uint_of_int, to_uint_of_int.
  apply mod1_out.
  split; [lia|apply Pow2int.pow2pos, Z.lt_le_incl, size_pos].
  split; [lia|apply Pow2int.pow2pos, Z.lt_le_incl, size_pos].
  apply in_range_1'.
  rewrite H0, <-Of_int_zeros.
  apply Nth_zeros.

  rewrite Nat2Z.inj_succ in H.
  rewrite <-Nth_bv_is_nth, mask_succ_2; simpl.

  unfold bw_or, nth.
  case (Z_lt_ge_dec (to_uint i) size); intro.
  rewrite <-nth_aux_map2 by (split; auto with zarith).

  apply orb_false_iff.
  split.
  rewrite Lsl_nth_high; auto with zarith.
  assert (to_uint i - 1 = to_uint (sub i (of_int 1))).
  rewrite to_uint_sub by auto with zarith.
  rewrite to_uint_of_int by (apply in_range_1').
  rewrite mod1_out; trivial.
  split; auto with zarith.
  apply (Z.lt_trans _ (to_uint i)).
  lia.
  apply to_uint_bounds.
  rewrite H0,Nth_bv_is_nth.
  apply IHn.
  rewrite <-H0; lia.
  assert (to_uint i > 0) by lia.
  unfold of_int, size, size_nat.
  rewrite one_nth.
  rewrite nth_cons_pred by auto with zarith.
  apply Nth_zeros_aux.
  apply nth_aux_out_of_bound.
  fold size; lia.
Qed.

Lemma mask_correctness :
  forall (i:t) (n:t),
    let mask := lsl_bv (sub (lsl_bv (of_int 1%Z) n) (of_int 1%Z)) i in
    forall (j:Z),
      (j < size -> (to_uint i) <= j -> j < (to_uint i + to_uint n)%Z -> nth mask j = true)
   /\ (j < to_uint i \/ j >= to_uint i + to_uint n -> nth mask j = false).
Proof.
  split;intros.
  rewrite lsl_bv_is_lsl.
  assert (a := to_uint_bounds i).
  assert (u := size_in_range).
  rewrite uint_in_range_power in u.
  rewrite Lsl_nth_high; auto with zarith.
  assert (j - to_uint i = to_uint (sub (of_int j) i)).
  rewrite to_uint_sub by lia.
  rewrite to_uint_of_int by (split; auto with zarith).
  rewrite mod1_out by auto with zarith; trivial.
  rewrite H2.
  rewrite Nth_bv_is_nth by lia.
  apply nth_bit_pred_high; auto with zarith.
  rewrite <-H2.
  fold (to_uint n); auto with zarith.
  destruct H.
  case (Z_lt_le_dec j 0); intro.
  apply nth_low; easy.
  rewrite lsl_bv_is_lsl.
  apply Lsl_nth_low; auto with zarith.

  rewrite lsl_bv_is_lsl.
  assert (u := to_uint_bounds i).
  assert (v := to_uint_bounds n).
  pose size_in_range as w; rewrite uint_in_range_power in w.
  assert (0 <= j) by auto with zarith.

  case (Z_lt_ge_dec j size); intro.
  case (Z_lt_ge_dec j (to_uint i)); intro.

  apply Lsl_nth_low; auto.

  rewrite Lsl_nth_high; auto with zarith.
  rewrite lsl_bv_is_lsl.
  assert (j - to_uint i = to_uint (sub (of_int j) i)).
  rewrite to_uint_sub.
  rewrite to_uint_of_int by (unfold uint_in_range; auto with zarith).
  rewrite mod1_out; auto with zarith.
  rewrite H1.
  rewrite Nth_bv_is_nth.
  apply nth_bit_pred_low.
  fold (to_uint n).
  rewrite <-H1; auto with zarith.

  apply nth_high; auto.
Qed.

(* Why3 goal *)
Lemma eq_sub_equiv :
  forall (a:t) (b:t) (i:t) (n:t),
  eq_sub a b (to_uint i) (to_uint n) <-> eq_sub_bv a b i n.
Proof.
  intros a b i n.
  unfold eq_sub, eq_sub_bv.
  transitivity (eq_aux (bw_and b (lsl_bv (sub (lsl_bv (of_int 1) n) (of_int 1)) i))
                       (bw_and a (lsl_bv (sub (lsl_bv (of_int 1) n) (of_int 1)) i))); unfold eq_aux.
  split; intros.

  fold nth; rewrite Nth_bw_and, Nth_bw_and by auto.
  case (Z_lt_ge_dec n0 (to_uint i + to_uint n)); intro.
  case (Z_le_gt_dec (to_uint i) n0); intro.

  rewrite H; auto.

  rewrite (match (mask_correctness i n n0) with conj a b => b (or_introl (Z.gt_lt _ _ g)) end).
  rewrite andb_false_r, andb_false_r; reflexivity.

  rewrite (match (mask_correctness i n n0) with conj a b => b (or_intror g) end).
  rewrite andb_false_r, andb_false_r; reflexivity.

  case (Z_lt_ge_dec j size); intro.

  assert (u := to_uint_bounds i); unfold uint_in_range in u.
  assert (0 <= j < Z.of_nat size_nat) by auto with zarith.
  pose (H j H1).
  fold nth in e; rewrite Nth_bw_and, Nth_bw_and in e by auto.
  destruct H0.
  rewrite (match (mask_correctness i n j) with conj a b => a l H0 H2 end) in e.
  rewrite andb_true_r, andb_true_r in e.
  auto.

  unfold nth, nth; rewrite nth_high, nth_high by auto with zarith; reflexivity.

  split.
  apply Extensionality_aux.
  intro e; rewrite e; reflexivity.
Qed.

(* Why3 goal *)
Lemma Extensionality : forall (x:t) (y:t), eq_sub x y 0%Z size -> (x = y).
  intros x y.
  apply Extensionality_aux.
Qed.

why3-1.6.0/lib/coq/bv/Pow2int.v000066400000000000000000000147361440160026300161070ustar00rootroot00000000000000(********************************************************************)
(*                                                                  *)
(*  The Why3 Verification Platform   /   The Why3 Development Team  *)
(*  Copyright 2010-2023 --  Inria - CNRS - Paris-Saclay University  *)
(*                                                                  *)
(*  This software is distributed under the terms of the GNU Lesser  *)
(*  General Public License version 2.1, with the special exception  *)
(*  on linking described in file LICENSE.                           *)
(*                                                                  *)
(********************************************************************)

(* This file is generated by Why3's Coq-realize driver *)
(* Beware! Only edit allowed sections below    *)
Require Import BuiltIn.
Require BuiltIn.
Require int.Int.

(* Why3 goal *)
Definition pow2 : Numbers.BinNums.Z -> Numbers.BinNums.Z.
  exact (two_p).
Defined.

(* Why3 goal *)
Lemma Power_0 : ((pow2 0%Z) = 1%Z).
  easy.
Qed.

(* Why3 goal *)
Lemma Power_s :
  forall (n:Numbers.BinNums.Z), (0%Z <= n)%Z ->
  ((pow2 (n + 1%Z)%Z) = (2%Z * (pow2 n))%Z).
  apply two_p_S.
Qed.

(* Why3 goal *)
Lemma Power_1 : ((pow2 1%Z) = 2%Z).
  easy.
Qed.

(* Why3 goal *)
Lemma Power_sum :
  forall (n:Numbers.BinNums.Z) (m:Numbers.BinNums.Z),
  (0%Z <= n)%Z /\ (0%Z <= m)%Z ->
  ((pow2 (n + m)%Z) = ((pow2 n) * (pow2 m))%Z).
  unfold pow2.
  intros n m [H1 H2].
  apply two_p_is_exp; easy.
Qed.

(* Why3 goal *)
Lemma pow2pos :
  forall (i:Numbers.BinNums.Z), (0%Z <= i)%Z -> (0%Z < (pow2 i))%Z.
  intros i h1.
  Require Import Zorder.
  apply Z.gt_lt.
  auto using two_p_gt_ZERO.
Qed.

(* Why3 goal *)
Lemma pow2_0 : ((pow2 0%Z) = 1%Z).
  easy.
Qed.

(* Why3 goal *)
Lemma pow2_1 : ((pow2 1%Z) = 2%Z).
  easy.
Qed.

(* Why3 goal *)
Lemma pow2_2 : ((pow2 2%Z) = 4%Z).
  easy.
Qed.

(* Why3 goal *)
Lemma pow2_3 : ((pow2 3%Z) = 8%Z).
  easy.
Qed.

(* Why3 goal *)
Lemma pow2_4 : ((pow2 4%Z) = 16%Z).
  easy.
Qed.

(* Why3 goal *)
Lemma pow2_5 : ((pow2 5%Z) = 32%Z).
  easy.
Qed.

(* Why3 goal *)
Lemma pow2_6 : ((pow2 6%Z) = 64%Z).
  easy.
Qed.

(* Why3 goal *)
Lemma pow2_7 : ((pow2 7%Z) = 128%Z).
  easy.
Qed.

(* Why3 goal *)
Lemma pow2_8 : ((pow2 8%Z) = 256%Z).
  easy.
Qed.

(* Why3 goal *)
Lemma pow2_9 : ((pow2 9%Z) = 512%Z).
  easy.
Qed.

(* Why3 goal *)
Lemma pow2_10 : ((pow2 10%Z) = 1024%Z).
  easy.
Qed.

(* Why3 goal *)
Lemma pow2_11 : ((pow2 11%Z) = 2048%Z).
  easy.
Qed.

(* Why3 goal *)
Lemma pow2_12 : ((pow2 12%Z) = 4096%Z).
  easy.
Qed.

(* Why3 goal *)
Lemma pow2_13 : ((pow2 13%Z) = 8192%Z).
  easy.
Qed.

(* Why3 goal *)
Lemma pow2_14 : ((pow2 14%Z) = 16384%Z).
  easy.
Qed.

(* Why3 goal *)
Lemma pow2_15 : ((pow2 15%Z) = 32768%Z).
  easy.
Qed.

(* Why3 goal *)
Lemma pow2_16 : ((pow2 16%Z) = 65536%Z).
  easy.
Qed.

(* Why3 goal *)
Lemma pow2_17 : ((pow2 17%Z) = 131072%Z).
  easy.
Qed.

(* Why3 goal *)
Lemma pow2_18 : ((pow2 18%Z) = 262144%Z).
  easy.
Qed.

(* Why3 goal *)
Lemma pow2_19 : ((pow2 19%Z) = 524288%Z).
  easy.
Qed.

(* Why3 goal *)
Lemma pow2_20 : ((pow2 20%Z) = 1048576%Z).
  easy.
Qed.

(* Why3 goal *)
Lemma pow2_21 : ((pow2 21%Z) = 2097152%Z).
  easy.
Qed.

(* Why3 goal *)
Lemma pow2_22 : ((pow2 22%Z) = 4194304%Z).
  easy.
Qed.

(* Why3 goal *)
Lemma pow2_23 : ((pow2 23%Z) = 8388608%Z).
  easy.
Qed.

(* Why3 goal *)
Lemma pow2_24 : ((pow2 24%Z) = 16777216%Z).
  easy.
Qed.

(* Why3 goal *)
Lemma pow2_25 : ((pow2 25%Z) = 33554432%Z).
  easy.
Qed.

(* Why3 goal *)
Lemma pow2_26 : ((pow2 26%Z) = 67108864%Z).
  easy.
Qed.

(* Why3 goal *)
Lemma pow2_27 : ((pow2 27%Z) = 134217728%Z).
  easy.
Qed.

(* Why3 goal *)
Lemma pow2_28 : ((pow2 28%Z) = 268435456%Z).
  easy.
Qed.

(* Why3 goal *)
Lemma pow2_29 : ((pow2 29%Z) = 536870912%Z).
  easy.
Qed.

(* Why3 goal *)
Lemma pow2_30 : ((pow2 30%Z) = 1073741824%Z).
  easy.
Qed.

(* Why3 goal *)
Lemma pow2_31 : ((pow2 31%Z) = 2147483648%Z).
  easy.
Qed.

(* Why3 goal *)
Lemma pow2_32 : ((pow2 32%Z) = 4294967296%Z).
  easy.
Qed.

(* Why3 goal *)
Lemma pow2_33 : ((pow2 33%Z) = 8589934592%Z).
  easy.
Qed.

(* Why3 goal *)
Lemma pow2_34 : ((pow2 34%Z) = 17179869184%Z).
  easy.
Qed.

(* Why3 goal *)
Lemma pow2_35 : ((pow2 35%Z) = 34359738368%Z).
  easy.
Qed.

(* Why3 goal *)
Lemma pow2_36 : ((pow2 36%Z) = 68719476736%Z).
  easy.
Qed.

(* Why3 goal *)
Lemma pow2_37 : ((pow2 37%Z) = 137438953472%Z).
  easy.
Qed.

(* Why3 goal *)
Lemma pow2_38 : ((pow2 38%Z) = 274877906944%Z).
  easy.
Qed.

(* Why3 goal *)
Lemma pow2_39 : ((pow2 39%Z) = 549755813888%Z).
  easy.
Qed.

(* Why3 goal *)
Lemma pow2_40 : ((pow2 40%Z) = 1099511627776%Z).
  easy.
Qed.

(* Why3 goal *)
Lemma pow2_41 : ((pow2 41%Z) = 2199023255552%Z).
  easy.
Qed.

(* Why3 goal *)
Lemma pow2_42 : ((pow2 42%Z) = 4398046511104%Z).
  easy.
Qed.

(* Why3 goal *)
Lemma pow2_43 : ((pow2 43%Z) = 8796093022208%Z).
  easy.
Qed.

(* Why3 goal *)
Lemma pow2_44 : ((pow2 44%Z) = 17592186044416%Z).
  easy.
Qed.

(* Why3 goal *)
Lemma pow2_45 : ((pow2 45%Z) = 35184372088832%Z).
  easy.
Qed.

(* Why3 goal *)
Lemma pow2_46 : ((pow2 46%Z) = 70368744177664%Z).
  easy.
Qed.

(* Why3 goal *)
Lemma pow2_47 : ((pow2 47%Z) = 140737488355328%Z).
  easy.
Qed.

(* Why3 goal *)
Lemma pow2_48 : ((pow2 48%Z) = 281474976710656%Z).
  easy.
Qed.

(* Why3 goal *)
Lemma pow2_49 : ((pow2 49%Z) = 562949953421312%Z).
  easy.
Qed.

(* Why3 goal *)
Lemma pow2_50 : ((pow2 50%Z) = 1125899906842624%Z).
  easy.
Qed.

(* Why3 goal *)
Lemma pow2_51 : ((pow2 51%Z) = 2251799813685248%Z).
  easy.
Qed.

(* Why3 goal *)
Lemma pow2_52 : ((pow2 52%Z) = 4503599627370496%Z).
  easy.
Qed.

(* Why3 goal *)
Lemma pow2_53 : ((pow2 53%Z) = 9007199254740992%Z).
  easy.
Qed.

(* Why3 goal *)
Lemma pow2_54 : ((pow2 54%Z) = 18014398509481984%Z).
  easy.
Qed.

(* Why3 goal *)
Lemma pow2_55 : ((pow2 55%Z) = 36028797018963968%Z).
  easy.
Qed.

(* Why3 goal *)
Lemma pow2_56 : ((pow2 56%Z) = 72057594037927936%Z).
  easy.
Qed.

(* Why3 goal *)
Lemma pow2_57 : ((pow2 57%Z) = 144115188075855872%Z).
  easy.

Qed.

(* Why3 goal *)
Lemma pow2_58 : ((pow2 58%Z) = 288230376151711744%Z).
  easy.
Qed.

(* Why3 goal *)
Lemma pow2_59 : ((pow2 59%Z) = 576460752303423488%Z).
  easy.
Qed.

(* Why3 goal *)
Lemma pow2_60 : ((pow2 60%Z) = 1152921504606846976%Z).
  easy.
Qed.

(* Why3 goal *)
Lemma pow2_61 : ((pow2 61%Z) = 2305843009213693952%Z).
  easy.
Qed.

(* Why3 goal *)
Lemma pow2_62 : ((pow2 62%Z) = 4611686018427387904%Z).
  easy.
Qed.

(* Why3 goal *)
Lemma pow2_63 : ((pow2 63%Z) = 9223372036854775808%Z).
  easy.
Qed.

(* Why3 goal *)
Lemma pow2_64 : ((pow2 64%Z) = 18446744073709551616%Z).
  easy.
Qed.

why3-1.6.0/lib/coq/floating_point/000077500000000000000000000000001440160026300167505ustar00rootroot00000000000000why3-1.6.0/lib/coq/floating_point/Double.v000066400000000000000000000204231440160026300203520ustar00rootroot00000000000000(********************************************************************)
(*                                                                  *)
(*  The Why3 Verification Platform   /   The Why3 Development Team  *)
(*  Copyright 2010-2023 --  Inria - CNRS - Paris-Saclay University  *)
(*                                                                  *)
(*  This software is distributed under the terms of the GNU Lesser  *)
(*  General Public License version 2.1, with the special exception  *)
(*  on linking described in file LICENSE.                           *)
(*                                                                  *)
(********************************************************************)

(* This file is generated by Why3's Coq-realize driver *)
(* Beware! Only edit allowed sections below    *)
Require Import BuiltIn.
Require Reals.Rbasic_fun.
Require BuiltIn.
Require int.Int.
Require real.Real.
Require real.Abs.
Require real.FromInt.
Require floating_point.Rounding.
Require floating_point.DoubleFormat.

Require Import floating_point.GenFloat.

(* Why3 goal *)
Definition round :
  floating_point.Rounding.mode -> Reals.Rdefinitions.R ->
  Reals.Rdefinitions.R.
Proof.
exact (round 53 1024).
Defined.

(* Why3 goal *)
Definition value :
  floating_point.DoubleFormat.double -> Reals.Rdefinitions.R.
Proof.
exact (value 53 1024).
Defined.

(* Why3 goal *)
Definition exact :
  floating_point.DoubleFormat.double -> Reals.Rdefinitions.R.
Proof.
exact (exact 53 1024).
Defined.

(* Why3 goal *)
Definition model :
  floating_point.DoubleFormat.double -> Reals.Rdefinitions.R.
Proof.
exact (model 53 1024).
Defined.

(* Why3 assumption *)
Definition round_error (x:floating_point.DoubleFormat.double) :
    Reals.Rdefinitions.R :=
  Reals.Rbasic_fun.Rabs ((value x) - (exact x))%R.

(* Why3 assumption *)
Definition total_error (x:floating_point.DoubleFormat.double) :
    Reals.Rdefinitions.R :=
  Reals.Rbasic_fun.Rabs ((value x) - (model x))%R.

(* Why3 assumption *)
Definition no_overflow (m:floating_point.Rounding.mode)
    (x:Reals.Rdefinitions.R) : Prop :=
  ((Reals.Rbasic_fun.Rabs (round m x)) <=
   179769313486231570814527423731704356798070567525844996598917476803157260780028538760589558632766878171540458953514382464234321326889464182768467546703537516986049910576551282076245490090389328944075868508455133942304583236903222948165808559332123348274797826204144723168738177180919299881250404026184124858368%R)%R.

Lemma max_double_eq: (179769313486231570814527423731704356798070567525844996598917476803157260780028538760589558632766878171540458953514382464234321326889464182768467546703537516986049910576551282076245490090389328944075868508455133942304583236903222948165808559332123348274797826204144723168738177180919299881250404026184124858368 = max 53 1024)%R.
Proof.
unfold max, Defs.F2R.
simpl Raux.bpow.
now rewrite <- mult_IZR.
Qed.

(* Why3 goal *)
Lemma Bounded_real_no_overflow :
  forall (m:floating_point.Rounding.mode) (x:Reals.Rdefinitions.R),
  ((Reals.Rbasic_fun.Rabs x) <=
   179769313486231570814527423731704356798070567525844996598917476803157260780028538760589558632766878171540458953514382464234321326889464182768467546703537516986049910576551282076245490090389328944075868508455133942304583236903222948165808559332123348274797826204144723168738177180919299881250404026184124858368%R)%R ->
  no_overflow m x.
Proof.
unfold no_overflow.
rewrite max_double_eq.
exact (Bounded_real_no_overflow 53 1024 (refl_equal true) (refl_equal true)).
Qed.

(* Why3 goal *)
Lemma Round_monotonic :
  forall (m:floating_point.Rounding.mode) (x:Reals.Rdefinitions.R)
    (y:Reals.Rdefinitions.R),
  (x <= y)%R -> ((round m x) <= (round m y))%R.
Proof.
now apply Round_monotonic.
Qed.

(* Why3 goal *)
Lemma Round_idempotent :
  forall (m1:floating_point.Rounding.mode) (m2:floating_point.Rounding.mode)
    (x:Reals.Rdefinitions.R),
  ((round m1 (round m2 x)) = (round m2 x)).
Proof.
now apply Round_idempotent.
Qed.

(* Why3 goal *)
Lemma Round_value :
  forall (m:floating_point.Rounding.mode)
    (x:floating_point.DoubleFormat.double),
  ((round m (value x)) = (value x)).
Proof.
now apply Round_value.
Qed.

(* Why3 goal *)
Lemma Bounded_value :
  forall (x:floating_point.DoubleFormat.double),
  ((Reals.Rbasic_fun.Rabs (value x)) <=
   179769313486231570814527423731704356798070567525844996598917476803157260780028538760589558632766878171540458953514382464234321326889464182768467546703537516986049910576551282076245490090389328944075868508455133942304583236903222948165808559332123348274797826204144723168738177180919299881250404026184124858368%R)%R.
Proof.
rewrite max_double_eq.
now apply Bounded_value.
Qed.

(* Why3 goal *)
Lemma Exact_rounding_for_integers :
  forall (m:floating_point.Rounding.mode) (i:Numbers.BinNums.Z),
  ((-9007199254740992%Z)%Z <= i)%Z /\ (i <= 9007199254740992%Z)%Z ->
  ((round m (BuiltIn.IZR i)) = (BuiltIn.IZR i)).
Proof.
intros m i Hi.
now apply Exact_rounding_for_integers.
Qed.

(* Why3 goal *)
Lemma Round_down_le :
  forall (x:Reals.Rdefinitions.R),
  ((round floating_point.Rounding.Down x) <= x)%R.
Proof.
now apply Round_down_le.
Qed.

(* Why3 goal *)
Lemma Round_up_ge :
  forall (x:Reals.Rdefinitions.R),
  (x <= (round floating_point.Rounding.Up x))%R.
Proof.
now apply Round_up_ge.
Qed.

(* Why3 goal *)
Lemma Round_down_neg :
  forall (x:Reals.Rdefinitions.R),
  ((round floating_point.Rounding.Down (-x)%R) =
   (-(round floating_point.Rounding.Up x))%R).
Proof.
now apply Round_down_neg.
Qed.

(* Why3 goal *)
Lemma Round_up_neg :
  forall (x:Reals.Rdefinitions.R),
  ((round floating_point.Rounding.Up (-x)%R) =
   (-(round floating_point.Rounding.Down x))%R).
Proof.
now apply Round_up_neg.
Qed.

(* Why3 goal *)
Definition round_logic :
  floating_point.Rounding.mode -> Reals.Rdefinitions.R ->
  floating_point.DoubleFormat.double.
Proof.
exact (round_logic 53 1024 (refl_equal true) (refl_equal true)).
Defined.

(* Why3 goal *)
Lemma Round_logic_def :
  forall (m:floating_point.Rounding.mode) (x:Reals.Rdefinitions.R),
  no_overflow m x -> ((value (round_logic m x)) = (round m x)).
Proof.
unfold no_overflow.
rewrite max_double_eq.
exact (Round_logic_def 53 1024 (refl_equal true) (refl_equal true)).
Qed.

(* Why3 assumption *)
Definition of_real_post (m:floating_point.Rounding.mode)
    (x:Reals.Rdefinitions.R) (res:floating_point.DoubleFormat.double) : Prop :=
  ((value res) = (round m x)) /\ ((exact res) = x) /\ ((model res) = x).

(* Why3 assumption *)
Definition add_post (m:floating_point.Rounding.mode)
    (x:floating_point.DoubleFormat.double)
    (y:floating_point.DoubleFormat.double)
    (res:floating_point.DoubleFormat.double) : Prop :=
  ((value res) = (round m ((value x) + (value y))%R)) /\
  ((exact res) = ((exact x) + (exact y))%R) /\
  ((model res) = ((model x) + (model y))%R).

(* Why3 assumption *)
Definition sub_post (m:floating_point.Rounding.mode)
    (x:floating_point.DoubleFormat.double)
    (y:floating_point.DoubleFormat.double)
    (res:floating_point.DoubleFormat.double) : Prop :=
  ((value res) = (round m ((value x) - (value y))%R)) /\
  ((exact res) = ((exact x) - (exact y))%R) /\
  ((model res) = ((model x) - (model y))%R).

(* Why3 assumption *)
Definition mul_post (m:floating_point.Rounding.mode)
    (x:floating_point.DoubleFormat.double)
    (y:floating_point.DoubleFormat.double)
    (res:floating_point.DoubleFormat.double) : Prop :=
  ((value res) = (round m ((value x) * (value y))%R)) /\
  ((exact res) = ((exact x) * (exact y))%R) /\
  ((model res) = ((model x) * (model y))%R).

(* Why3 assumption *)
Definition div_post (m:floating_point.Rounding.mode)
    (x:floating_point.DoubleFormat.double)
    (y:floating_point.DoubleFormat.double)
    (res:floating_point.DoubleFormat.double) : Prop :=
  ((value res) = (round m ((value x) / (value y))%R)) /\
  ((exact res) = ((exact x) / (exact y))%R) /\
  ((model res) = ((model x) / (model y))%R).

(* Why3 assumption *)
Definition neg_post (x:floating_point.DoubleFormat.double)
    (res:floating_point.DoubleFormat.double) : Prop :=
  ((value res) = (-(value x))%R) /\
  ((exact res) = (-(exact x))%R) /\ ((model res) = (-(model x))%R).

(* Why3 assumption *)
Definition lt (x:floating_point.DoubleFormat.double)
    (y:floating_point.DoubleFormat.double) : Prop :=
  ((value x) < (value y))%R.

(* Why3 assumption *)
Definition gt (x:floating_point.DoubleFormat.double)
    (y:floating_point.DoubleFormat.double) : Prop :=
  ((value y) < (value x))%R.

why3-1.6.0/lib/coq/floating_point/DoubleFormat.v000066400000000000000000000020331440160026300215200ustar00rootroot00000000000000(********************************************************************)
(*                                                                  *)
(*  The Why3 Verification Platform   /   The Why3 Development Team  *)
(*  Copyright 2010-2023 --  Inria - CNRS - Paris-Saclay University  *)
(*                                                                  *)
(*  This software is distributed under the terms of the GNU Lesser  *)
(*  General Public License version 2.1, with the special exception  *)
(*  on linking described in file LICENSE.                           *)
(*                                                                  *)
(********************************************************************)

(* This file is generated by Why3's Coq-realize driver *)
(* Beware! Only edit allowed sections below    *)
Require Import BuiltIn.
Require BuiltIn.

Require Import floating_point.GenFloat.

(* Why3 goal *)
Definition double : Type.
exact (t 53 1024).
Defined.

Global Instance double_WhyType : WhyType double.
Proof.
apply t_WhyType.
Qed.
why3-1.6.0/lib/coq/floating_point/GenFloat.v000066400000000000000000000237621440160026300206500ustar00rootroot00000000000000(********************************************************************)
(*                                                                  *)
(*  The Why3 Verification Platform   /   The Why3 Development Team  *)
(*  Copyright 2010-2023 --  Inria - CNRS - Paris-Saclay University  *)
(*                                                                  *)
(*  This software is distributed under the terms of the GNU Lesser  *)
(*  General Public License version 2.1, with the special exception  *)
(*  on linking described in file LICENSE.                           *)
(*                                                                  *)
(********************************************************************)

(* This file is generated by Why3's Coq driver *)
(* Beware! Only edit allowed sections below    *)
Require Import BuiltIn.
Require Import ZArith.
Require Import Rbase.
Require Import Rbasic_fun.
Require int.Int.
Require real.Real.
Require real.Abs.
Require real.FromInt.
Require floating_point.Rounding.

Require Import Lia.
Require Import Flocq.Core.Core.
Require Import Flocq.IEEE754.BinarySingleNaN.
Require Import int.Abs.

Section GenFloat.
Global Coercion B2R_coercion prec emax := @B2R prec emax.

Variable prec emax : Z.
Hypothesis Hprec : Zlt_bool 0 prec = true.
Hypothesis Hemax : Zlt_bool prec emax = true.
Let emin := (3 - emax - prec)%Z.
Notation fexp := (FLT_exp emin prec).

Lemma Hprec': (0 < prec)%Z. revert Hprec. now case Zlt_bool_spec. Qed.
Lemma Hemax': (prec < emax)%Z. revert Hemax. now case Zlt_bool_spec. Qed.

Instance Hprec'' : Prec_gt_0 prec := Hprec'.

Record t : Set := mk_fp {
  binary : binary_float prec emax;
  value := (binary : R);
  exact : R;
  model : R
}.

Lemma t_inv :
  forall x xe xm y ye ym,
  (x = y -> xe = ye -> xm = ym -> False) ->
  (mk_fp x xe xm <> mk_fp y ye ym).
Proof.
intros x xe xm y ye ym H H'.
apply H.
exact (f_equal binary H').
exact (f_equal exact H').
exact (f_equal model H').
Qed.

Lemma t_WhyType : WhyType t.
Proof with
match goal with
| _ => try ( right ; apply t_inv ; easy )
end.
split.
split.
apply B754_zero.
exact false.
exact R0.
exact R0.
intros x y.
destruct x as (x,xv,xe,xm).
destruct y as (y,yv,ye,ym).
destruct (Req_EM_T xe ye) as [He|He]...
destruct (Req_EM_T xm ym) as [Hm|Hm]...
rewrite He, Hm.
destruct x as [xs|xs| |xs xm' xe' xH] ;
  destruct y as [ys|ys| |ys ym' ye' yH]...
clear.
destruct (Bool.bool_dec xs ys) as [->|Hs].
now left.
right.
apply t_inv.
intros H _ _.
now injection H.
clear.
destruct (Bool.bool_dec xs ys) as [->|Hs].
now left.
right.
apply t_inv.
intros H _ _.
now injection H.
now left.
destruct (Req_EM_T xv yv) as [Hv|Hv].
left.
apply f_equal3 ; try easy.
now apply B2R_inj.
right.
apply t_inv.
intros H _ _.
apply Hv.
now apply f_equal.
Qed.

Record t_strict: Set := mk_fp_strict {
  datum :> t;
  finite : is_finite (binary datum) = true
}.

Import Rounding.
Definition rnd_of_mode (m:mode) :=
  match m with
  |  NearestTiesToEven => mode_NE
  |  ToZero            => mode_ZR
  |  Up                => mode_UP
  |  Down              => mode_DN
  |  NearestTiesToAway => mode_NA
  end.

Definition r_to_fp rnd x : binary_float prec emax :=
  let r := round radix2 fexp (round_mode rnd) x in
  let m := Ztrunc (scaled_mantissa radix2 fexp r) in
  let e := cexp radix2 fexp r in
  binary_normalize prec emax Hprec' Hemax' rnd m e false.

Theorem r_to_fp_correct :
  forall rnd x,
  let r := round radix2 fexp (round_mode rnd) x in
  (Rabs r < bpow radix2 emax)%R ->
  is_finite (r_to_fp rnd x) = true /\
  r_to_fp rnd x = r :>R.
Proof with auto with typeclass_instances.
intros rnd x r Bx.
unfold r_to_fp. fold r.
generalize (binary_normalize_correct prec emax Hprec' Hemax' rnd (Ztrunc (scaled_mantissa radix2 fexp r)) (cexp radix2 fexp r) false).
unfold r.
elim generic_format_round...
fold emin r.
rewrite round_generic...
rewrite Rlt_bool_true with (1 := Bx).
now split.
apply generic_format_round...
Qed.

Theorem r_to_fp_format :
  forall rnd x,
  FLT_format radix2 emin prec x ->
  (Rabs x < bpow radix2 emax)%R ->
  r_to_fp rnd x = x :>R.
Proof with auto with typeclass_instances.
intros rnd x Fx Bx.
assert (Gx: generic_format radix2 fexp x).
apply generic_format_FLT.
apply Fx.
pattern x at 2 ; rewrite <- round_generic with (rnd := round_mode rnd) (2 := Gx)...
refine (proj2 (r_to_fp_correct _ _ _)).
rewrite round_generic...
Qed.

Definition r_to_fp_aux (m:mode) (r r1 r2:R) :=
  mk_fp (r_to_fp (rnd_of_mode m) r) r1 r2.

(* Why3 goal *)
Definition round: floating_point.Rounding.mode -> R -> R.
exact (fun m => round radix2 fexp (round_mode (rnd_of_mode m))).
Defined.

(* Why3 assumption *)
Definition round_error(x:t): R := (Rabs ((value x) - (exact x))%R).

(* Why3 assumption *)
Definition total_error(x:t): R := (Rabs ((value x) - (model x))%R).

(* Why3 goal *)
Definition max: R.
exact (F2R (Float radix2 (Zpower 2 prec - 1) (emax - prec))).
Defined.

(* Why3 assumption *)
Definition no_overflow(m:floating_point.Rounding.mode) (x:R): Prop :=
  ((Rabs (round m x)) <= max)%R.

(* Why3 goal *)
Lemma Bounded_real_no_overflow : forall (m:floating_point.Rounding.mode)
  (x:R), ((Rabs x) <= max)%R -> (no_overflow m x).
Proof with auto with typeclass_instances.
intros m x Hx.
apply Rabs_le.
assert (generic_format radix2 fexp max).
apply generic_format_F2R.
intros H.
unfold cexp.
rewrite mag_F2R with (1 := H).
rewrite (mag_unique _ _ prec).
ring_simplify (prec + (emax - prec))%Z.
unfold FLT_exp.
rewrite Z.max_l.
apply Z.le_refl.
unfold emin.
generalize Hprec' Hemax' ; clear ; lia.
rewrite <- abs_IZR, Z.abs_eq, <- 2!IZR_Zpower.
split.
apply IZR_le.
apply Zlt_succ_le.
change (2 ^ prec - 1)%Z with (Z.pred (2^prec))%Z.
rewrite <- Zsucc_pred.
apply lt_IZR.
change 2%Z with (radix_val radix2).
rewrite 2!IZR_Zpower.
apply bpow_lt.
apply Zlt_pred.
apply Zlt_le_weak.
exact Hprec'.
generalize Hprec' ; clear ; lia.
apply IZR_lt.
apply Zlt_pred.
apply Zlt_le_weak.
exact Hprec'.
generalize Hprec' ; clear ; lia.
apply Zlt_succ_le.
change (2 ^ prec - 1)%Z with (Z.pred (2^prec))%Z.
rewrite <- Zsucc_pred.
change 2%Z with (radix_val radix2).
apply Zpower_gt_0.
apply Zlt_le_weak.
exact Hprec'.
generalize (Rabs_le_inv _ _ Hx).
split.
apply round_ge_generic...
now apply generic_format_opp.
apply H0.
apply round_le_generic...
apply H0.
Qed.

(* Why3 goal *)
Lemma Round_monotonic : forall (m:floating_point.Rounding.mode) (x:R) (y:R),
  (x <= y)%R -> ((round m x) <= (round m y))%R.
Proof with auto with typeclass_instances.
intros m x y Hxy.
apply round_le with (3 := Hxy)...
Qed.

(* Why3 goal *)
Lemma Round_idempotent : forall (m1:floating_point.Rounding.mode)
  (m2:floating_point.Rounding.mode) (x:R), ((round m1 (round m2
  x)) = (round m2 x)).
Proof with auto with typeclass_instances.
intros m1 m2 x.
apply round_generic...
apply generic_format_round...
Qed.

(* Why3 goal *)
Lemma Round_value : forall (m:floating_point.Rounding.mode) (x:t), ((round m
  (value x)) = (value x)).
Proof with auto with typeclass_instances.
intros m x.
apply round_generic...
apply generic_format_B2R.
Qed.

(* Why3 goal *)
Lemma Bounded_value : forall (x:t), ((Rabs (value x)) <= max)%R.
Proof with auto with typeclass_instances.
intros x.
replace max with (pred radix2 fexp (bpow radix2 emax)).
apply pred_ge_gt...
apply generic_format_abs.
apply generic_format_B2R.
apply generic_format_bpow.
unfold FLT_exp, emin.
zify ; generalize Hprec' Hemax' ; lia.
apply abs_B2R_lt_emax.
rewrite pred_eq_pos.
unfold pred_pos.
rewrite mag_bpow.
ring_simplify (emax+1-1)%Z.
rewrite Req_bool_true by easy.
unfold FLT_exp, emin.
rewrite Z.max_l.
unfold max, F2R; simpl.
pattern emax at 1; replace emax with (prec+(emax-prec))%Z by ring.
rewrite bpow_plus.
change 2%Z with (radix_val radix2).
rewrite minus_IZR, IZR_Zpower.
simpl; ring.
apply Zlt_le_weak.
exact Hprec'.
generalize Hprec' Hemax' ; lia.
apply bpow_ge_0.
Qed.

(* Why3 goal *)
Definition max_representable_integer: Z.
exact (Zpower 2 prec).
Defined.

(* Why3 goal *)
Lemma Exact_rounding_for_integers : forall (m:floating_point.Rounding.mode)
  (i:Z), (((-max_representable_integer)%Z <= i)%Z /\
  (i <= max_representable_integer)%Z) -> ((round m (IZR i)) = (IZR i)).
Proof with auto with typeclass_instances.
intros m z Hz.
apply round_generic...
assert (Z.abs z <= max_representable_integer)%Z.
apply Abs_le with (1:=Hz).
destruct (Zle_lt_or_eq _ _ H) as [Bz|Bz] ; clear H Hz.
apply generic_format_FLT.
exists (Float radix2 z 0).
unfold F2R ; simpl.
now rewrite Rmult_1_r.
easy.
simpl; unfold emin; generalize Hprec' Hemax'; lia.
unfold max_representable_integer in Bz.
change 2%Z with (radix_val radix2) in Bz.
apply generic_format_abs_inv.
rewrite <- abs_IZR, Bz, IZR_Zpower.
apply generic_format_bpow.
unfold FLT_exp, emin.
clear Bz; generalize Hprec' Hemax'; zify.
lia.
apply Zlt_le_weak.
apply Hprec'.
Qed.

(* Why3 goal *)
Lemma Round_down_le : forall (x:R), ((round floating_point.Rounding.Down
  x) <= x)%R.
Proof with auto with typeclass_instances.
intros x.
apply round_DN_pt...
Qed.

(* Why3 goal *)
Lemma Round_up_ge : forall (x:R), (x <= (round floating_point.Rounding.Up
  x))%R.
Proof with auto with typeclass_instances.
intros x.
apply round_UP_pt...
Qed.

(* Why3 goal *)
Lemma Round_down_neg : forall (x:R), ((round floating_point.Rounding.Down
  (-x)%R) = (-(round floating_point.Rounding.Up x))%R).
Proof.
intros x.
apply round_opp.
Qed.

(* Why3 goal *)
Lemma Round_up_neg : forall (x:R), ((round floating_point.Rounding.Up
  (-x)%R) = (-(round floating_point.Rounding.Down x))%R).
Proof.
intros x.
pattern x at 2 ; rewrite <- Ropp_involutive.
rewrite Round_down_neg.
now rewrite Ropp_involutive.
Qed.

(* Why3 goal *)
Definition round_logic: floating_point.Rounding.mode -> R -> t.
exact (fun m r => r_to_fp_aux m r r r).
Defined.

(* Why3 goal *)
Lemma Round_logic_def : forall (m:floating_point.Rounding.mode) (x:R),
  (no_overflow m x) -> ((value (round_logic m x)) = (round m x)).
Proof.
intros m x h1.
unfold value, round_logic.
simpl.
apply r_to_fp_correct.
apply Rle_lt_trans with (1 := h1).
replace emax with (prec + (emax - prec))%Z by ring.
rewrite bpow_plus.
apply Rmult_lt_compat_r.
apply bpow_gt_0.
simpl.
rewrite <- IZR_Zpower.
apply IZR_lt.
apply Zlt_pred.
apply Zlt_le_weak.
exact Hprec'.
Qed.

End GenFloat.
why3-1.6.0/lib/coq/floating_point/Rounding.v000066400000000000000000000020641440160026300207260ustar00rootroot00000000000000(********************************************************************)
(*                                                                  *)
(*  The Why3 Verification Platform   /   The Why3 Development Team  *)
(*  Copyright 2010-2023 --  Inria - CNRS - Paris-Saclay University  *)
(*                                                                  *)
(*  This software is distributed under the terms of the GNU Lesser  *)
(*  General Public License version 2.1, with the special exception  *)
(*  on linking described in file LICENSE.                           *)
(*                                                                  *)
(********************************************************************)

(* This file is generated by Why3's Coq-realize driver *)
(* Beware! Only edit allowed sections below    *)
Require Import BuiltIn.
Require BuiltIn.

(* Why3 assumption *)
Inductive mode :=
  | NearestTiesToEven : mode
  | ToZero : mode
  | Up : mode
  | Down : mode
  | NearestTiesToAway : mode.
Axiom mode_WhyType : WhyType mode.
Existing Instance mode_WhyType.

why3-1.6.0/lib/coq/floating_point/Single.v000066400000000000000000000163021440160026300203620ustar00rootroot00000000000000(********************************************************************)
(*                                                                  *)
(*  The Why3 Verification Platform   /   The Why3 Development Team  *)
(*  Copyright 2010-2023 --  Inria - CNRS - Paris-Saclay University  *)
(*                                                                  *)
(*  This software is distributed under the terms of the GNU Lesser  *)
(*  General Public License version 2.1, with the special exception  *)
(*  on linking described in file LICENSE.                           *)
(*                                                                  *)
(********************************************************************)

(* This file is generated by Why3's Coq-realize driver *)
(* Beware! Only edit allowed sections below    *)
Require Import BuiltIn.
Require Reals.Rbasic_fun.
Require BuiltIn.
Require int.Int.
Require real.Real.
Require real.Abs.
Require real.FromInt.
Require floating_point.Rounding.
Require floating_point.SingleFormat.

Require Import floating_point.GenFloat.

(* Why3 goal *)
Definition round :
  floating_point.Rounding.mode -> Reals.Rdefinitions.R ->
  Reals.Rdefinitions.R.
Proof.
exact (round 24 128).
Defined.

(* Why3 goal *)
Definition value :
  floating_point.SingleFormat.single -> Reals.Rdefinitions.R.
Proof.
exact (value 24 128).
Defined.

(* Why3 goal *)
Definition exact :
  floating_point.SingleFormat.single -> Reals.Rdefinitions.R.
Proof.
exact (exact 24 128).
Defined.

(* Why3 goal *)
Definition model :
  floating_point.SingleFormat.single -> Reals.Rdefinitions.R.
Proof.
exact (model 24 128).
Defined.

(* Why3 assumption *)
Definition round_error (x:floating_point.SingleFormat.single) :
    Reals.Rdefinitions.R :=
  Reals.Rbasic_fun.Rabs ((value x) - (exact x))%R.

(* Why3 assumption *)
Definition total_error (x:floating_point.SingleFormat.single) :
    Reals.Rdefinitions.R :=
  Reals.Rbasic_fun.Rabs ((value x) - (model x))%R.

(* Why3 assumption *)
Definition no_overflow (m:floating_point.Rounding.mode)
    (x:Reals.Rdefinitions.R) : Prop :=
  ((Reals.Rbasic_fun.Rabs (round m x)) <=
   340282346638528859811704183484516925440%R)%R.

Lemma max_single_eq: (340282346638528859811704183484516925440 = max 24 128)%R.
Proof.
unfold max, Defs.F2R.
simpl Raux.bpow.
now rewrite <- mult_IZR.
Qed.

(* Why3 goal *)
Lemma Bounded_real_no_overflow :
  forall (m:floating_point.Rounding.mode) (x:Reals.Rdefinitions.R),
  ((Reals.Rbasic_fun.Rabs x) <= 340282346638528859811704183484516925440%R)%R ->
  no_overflow m x.
Proof.
unfold no_overflow.
rewrite max_single_eq.
exact (Bounded_real_no_overflow 24 128 (refl_equal true) (refl_equal true)).
Qed.

(* Why3 goal *)
Lemma Round_monotonic :
  forall (m:floating_point.Rounding.mode) (x:Reals.Rdefinitions.R)
    (y:Reals.Rdefinitions.R),
  (x <= y)%R -> ((round m x) <= (round m y))%R.
Proof.
apply Round_monotonic.
easy.
Qed.

(* Why3 goal *)
Lemma Round_idempotent :
  forall (m1:floating_point.Rounding.mode) (m2:floating_point.Rounding.mode)
    (x:Reals.Rdefinitions.R),
  ((round m1 (round m2 x)) = (round m2 x)).
Proof.
now apply Round_idempotent.
Qed.

(* Why3 goal *)
Lemma Round_value :
  forall (m:floating_point.Rounding.mode)
    (x:floating_point.SingleFormat.single),
  ((round m (value x)) = (value x)).
Proof.
now apply Round_value.
Qed.

(* Why3 goal *)
Lemma Bounded_value :
  forall (x:floating_point.SingleFormat.single),
  ((Reals.Rbasic_fun.Rabs (value x)) <=
   340282346638528859811704183484516925440%R)%R.
Proof.
rewrite max_single_eq.
now apply Bounded_value.
Qed.

(* Why3 goal *)
Lemma Exact_rounding_for_integers :
  forall (m:floating_point.Rounding.mode) (i:Numbers.BinNums.Z),
  ((-16777216%Z)%Z <= i)%Z /\ (i <= 16777216%Z)%Z ->
  ((round m (BuiltIn.IZR i)) = (BuiltIn.IZR i)).
Proof.
intros m i Hi.
now apply Exact_rounding_for_integers.
Qed.

(* Why3 goal *)
Lemma Round_down_le :
  forall (x:Reals.Rdefinitions.R),
  ((round floating_point.Rounding.Down x) <= x)%R.
Proof.
now apply Round_down_le.
Qed.

(* Why3 goal *)
Lemma Round_up_ge :
  forall (x:Reals.Rdefinitions.R),
  (x <= (round floating_point.Rounding.Up x))%R.
Proof.
now apply Round_up_ge.
Qed.

(* Why3 goal *)
Lemma Round_down_neg :
  forall (x:Reals.Rdefinitions.R),
  ((round floating_point.Rounding.Down (-x)%R) =
   (-(round floating_point.Rounding.Up x))%R).
Proof.
now apply Round_down_neg.
Qed.

(* Why3 goal *)
Lemma Round_up_neg :
  forall (x:Reals.Rdefinitions.R),
  ((round floating_point.Rounding.Up (-x)%R) =
   (-(round floating_point.Rounding.Down x))%R).
Proof.
now apply Round_up_neg.
Qed.

(* Why3 goal *)
Definition round_logic :
  floating_point.Rounding.mode -> Reals.Rdefinitions.R ->
  floating_point.SingleFormat.single.
Proof.
exact (round_logic 24 128 (refl_equal true) (refl_equal true)).
Defined.

(* Why3 goal *)
Lemma Round_logic_def :
  forall (m:floating_point.Rounding.mode) (x:Reals.Rdefinitions.R),
  no_overflow m x -> ((value (round_logic m x)) = (round m x)).
Proof.
unfold no_overflow.
rewrite max_single_eq.
exact (Round_logic_def 24 128 (refl_equal true) (refl_equal true)).
Qed.

(* Why3 assumption *)
Definition of_real_post (m:floating_point.Rounding.mode)
    (x:Reals.Rdefinitions.R) (res:floating_point.SingleFormat.single) : Prop :=
  ((value res) = (round m x)) /\ ((exact res) = x) /\ ((model res) = x).

(* Why3 assumption *)
Definition add_post (m:floating_point.Rounding.mode)
    (x:floating_point.SingleFormat.single)
    (y:floating_point.SingleFormat.single)
    (res:floating_point.SingleFormat.single) : Prop :=
  ((value res) = (round m ((value x) + (value y))%R)) /\
  ((exact res) = ((exact x) + (exact y))%R) /\
  ((model res) = ((model x) + (model y))%R).

(* Why3 assumption *)
Definition sub_post (m:floating_point.Rounding.mode)
    (x:floating_point.SingleFormat.single)
    (y:floating_point.SingleFormat.single)
    (res:floating_point.SingleFormat.single) : Prop :=
  ((value res) = (round m ((value x) - (value y))%R)) /\
  ((exact res) = ((exact x) - (exact y))%R) /\
  ((model res) = ((model x) - (model y))%R).

(* Why3 assumption *)
Definition mul_post (m:floating_point.Rounding.mode)
    (x:floating_point.SingleFormat.single)
    (y:floating_point.SingleFormat.single)
    (res:floating_point.SingleFormat.single) : Prop :=
  ((value res) = (round m ((value x) * (value y))%R)) /\
  ((exact res) = ((exact x) * (exact y))%R) /\
  ((model res) = ((model x) * (model y))%R).

(* Why3 assumption *)
Definition div_post (m:floating_point.Rounding.mode)
    (x:floating_point.SingleFormat.single)
    (y:floating_point.SingleFormat.single)
    (res:floating_point.SingleFormat.single) : Prop :=
  ((value res) = (round m ((value x) / (value y))%R)) /\
  ((exact res) = ((exact x) / (exact y))%R) /\
  ((model res) = ((model x) / (model y))%R).

(* Why3 assumption *)
Definition neg_post (x:floating_point.SingleFormat.single)
    (res:floating_point.SingleFormat.single) : Prop :=
  ((value res) = (-(value x))%R) /\
  ((exact res) = (-(exact x))%R) /\ ((model res) = (-(model x))%R).

(* Why3 assumption *)
Definition lt (x:floating_point.SingleFormat.single)
    (y:floating_point.SingleFormat.single) : Prop :=
  ((value x) < (value y))%R.

(* Why3 assumption *)
Definition gt (x:floating_point.SingleFormat.single)
    (y:floating_point.SingleFormat.single) : Prop :=
  ((value y) < (value x))%R.

why3-1.6.0/lib/coq/floating_point/SingleFormat.v000066400000000000000000000020321440160026300215260ustar00rootroot00000000000000(********************************************************************)
(*                                                                  *)
(*  The Why3 Verification Platform   /   The Why3 Development Team  *)
(*  Copyright 2010-2023 --  Inria - CNRS - Paris-Saclay University  *)
(*                                                                  *)
(*  This software is distributed under the terms of the GNU Lesser  *)
(*  General Public License version 2.1, with the special exception  *)
(*  on linking described in file LICENSE.                           *)
(*                                                                  *)
(********************************************************************)

(* This file is generated by Why3's Coq-realize driver *)
(* Beware! Only edit allowed sections below    *)
Require Import BuiltIn.
Require BuiltIn.

Require Import floating_point.GenFloat.

(* Why3 goal *)
Definition single : Type.
exact (t 24 128).
Defined.

Global Instance single_WhyType : WhyType single.
Proof.
apply t_WhyType.
Qed.
why3-1.6.0/lib/coq/for_drivers/000077500000000000000000000000001440160026300162605ustar00rootroot00000000000000why3-1.6.0/lib/coq/for_drivers/ComputerOfEuclideanDivision.v000066400000000000000000000071271440160026300240600ustar00rootroot00000000000000(********************************************************************)
(*                                                                  *)
(*  The Why3 Verification Platform   /   The Why3 Development Team  *)
(*  Copyright 2010-2023 --  Inria - CNRS - Paris-Saclay University  *)
(*                                                                  *)
(*  This software is distributed under the terms of the GNU Lesser  *)
(*  General Public License version 2.1, with the special exception  *)
(*  on linking described in file LICENSE.                           *)
(*                                                                  *)
(********************************************************************)

(* This file is generated by Why3's Coq-realize driver *)
(* Beware! Only edit allowed sections below    *)
Require Import BuiltIn.
Require BuiltIn.
Require int.Int.
Require int.Abs.
Require int.EuclideanDivision.
Require int.ComputerDivision.

Require Import Lia.

Lemma on_pos_euclidean_is_div:
  forall n d, (int.EuclideanDivision.div n (Zpos d)) = Z.div n (Zpos d).
Proof.
intros n d.
unfold EuclideanDivision.div.
assert (0 < Z.pos d)%Z by reflexivity.
destruct (Z.mod_pos_bound n (Zpos d) H).
case (Z_le_dec 0 (n mod (Zpos d))); intros H2.
* reflexivity.
* destruct (H2 H0).
Qed.

(* Why3 goal *)
Lemma cdiv_cases :
  forall (n:Numbers.BinNums.Z) (d:Numbers.BinNums.Z),
  ((0%Z <= n)%Z -> (0%Z < d)%Z ->
   ((ZArith.BinInt.Z.quot n d) = (int.EuclideanDivision.div n d))) /\
  ((n <= 0%Z)%Z -> (0%Z < d)%Z ->
   ((ZArith.BinInt.Z.quot n d) = (-(int.EuclideanDivision.div (-n)%Z d))%Z)) /\
  ((0%Z <= n)%Z -> (d < 0%Z)%Z ->
   ((ZArith.BinInt.Z.quot n d) = (-(int.EuclideanDivision.div n (-d)%Z))%Z)) /\
  ((n <= 0%Z)%Z -> (d < 0%Z)%Z ->
   ((ZArith.BinInt.Z.quot n d) = (int.EuclideanDivision.div (-n)%Z (-d)%Z))).
Proof.
  intros n d.
  destruct d as [|d|d]; destruct n as [|n|n]; intuition (try discriminate; try contradiction).
    + assert (NZ_d:((Zpos d) <> 0)%Z) by discriminate.
      rewrite (Z.quot_div (Z.pos n) (Z.pos d) NZ_d).
      rewrite on_pos_euclidean_is_div.
      rewrite Z.mul_1_l.
      reflexivity.
    + assert (NZ_d:((Zpos d) <> 0)%Z) by discriminate.
      rewrite (Z.quot_div (Z.neg n) (Z.pos d) NZ_d).
      rewrite on_pos_euclidean_is_div.
      reflexivity.
    + assert (NZ_d:((Z.neg d) <> 0)%Z) by discriminate.
      rewrite (Z.quot_div (Z.pos n) (Z.neg d) NZ_d).
      simpl.
      rewrite on_pos_euclidean_is_div.
      reflexivity.
    + assert (NZ_d:((Z.neg d) <> 0)%Z) by discriminate.
      rewrite (Z.quot_div (Z.neg n) (Z.neg d) NZ_d).
      simpl.
      rewrite on_pos_euclidean_is_div.
      destruct (Z.pos n / Z.pos d)%Z;reflexivity.
Qed.

(* Why3 goal *)
Lemma cmod_cases :
  forall (n:Numbers.BinNums.Z) (d:Numbers.BinNums.Z),
  ((0%Z <= n)%Z -> (0%Z < d)%Z ->
   ((ZArith.BinInt.Z.rem n d) = (int.EuclideanDivision.mod1 n d))) /\
  ((n <= 0%Z)%Z -> (0%Z < d)%Z ->
   ((ZArith.BinInt.Z.rem n d) = (-(int.EuclideanDivision.mod1 (-n)%Z d))%Z)) /\
  ((0%Z <= n)%Z -> (d < 0%Z)%Z ->
   ((ZArith.BinInt.Z.rem n d) = (int.EuclideanDivision.mod1 n (-d)%Z))) /\
  ((n <= 0%Z)%Z -> (d < 0%Z)%Z ->
   ((ZArith.BinInt.Z.rem n d) =
    (-(int.EuclideanDivision.mod1 (-n)%Z (-d)%Z))%Z)).
Proof.
  intros n d.
  unfold int.EuclideanDivision.mod1.
  assert (Z.rem n d = n - (d * (Z.quot n d)))%Z.
  assert (H:= Z.quot_rem' n d).
  lia.
  rewrite H.
  assert (H2:=cdiv_cases n d).
  intuition idtac.
  + rewrite H1.
    reflexivity.
  + rewrite H4.
    rewrite Z.mul_opp_r.
    ring.
  + rewrite H1.
    rewrite Z.mul_opp_r.
    rewrite Z.mul_opp_l.
    reflexivity.
  + rewrite H4.
    rewrite Z.mul_opp_l.
    ring.
Qed.

why3-1.6.0/lib/coq/ieee_float/000077500000000000000000000000001440160026300160305ustar00rootroot00000000000000why3-1.6.0/lib/coq/ieee_float/Float32.v000066400000000000000000001122141440160026300174320ustar00rootroot00000000000000(********************************************************************)
(*                                                                  *)
(*  The Why3 Verification Platform   /   The Why3 Development Team  *)
(*  Copyright 2010-2023 --  Inria - CNRS - Paris-Saclay University  *)
(*                                                                  *)
(*  This software is distributed under the terms of the GNU Lesser  *)
(*  General Public License version 2.1, with the special exception  *)
(*  on linking described in file LICENSE.                           *)
(*                                                                  *)
(********************************************************************)

(* This file is generated by Why3's Coq-realize driver *)
(* Beware! Only edit allowed sections below    *)
Require Import BuiltIn.
Require Reals.Rbasic_fun.
Require Reals.R_sqrt.
Require BuiltIn.
Require int.Int.
Require real.Real.
Require real.RealInfix.
Require real.Abs.
Require real.FromInt.
Require real.Truncate.
Require real.Square.
Require bv.Pow2int.
Require ieee_float.RoundingMode.
Require ieee_float.GenericFloat.

Require Import Lia.
Import Flocq.Core.Core.
Import Flocq.IEEE754.BinarySingleNaN.
Import ieee_float.RoundingMode.
Import ieee_float.GenericFloat.

(* Why3 goal *)
Definition t : Type.
Proof.
  exact (t 8 24).
Defined.

(* Why3 goal *)
Definition t'real : t -> Reals.Rdefinitions.R.
Proof.
  apply B2R.
Defined.

(* Why3 goal *)
Definition t'isFinite : t -> Prop.
Proof.
  apply is_finite.
Defined.

(* Why3 goal *)
Lemma t'axiom :
  forall (x:t), t'isFinite x ->
  ((-340282346638528859811704183484516925440%R)%R <= (t'real x))%R /\
  ((t'real x) <= 340282346638528859811704183484516925440%R)%R.
Proof.
intros x _.
apply Rabs_le_inv.
change 340282346638528859811704183484516925440%Z with (16777215 * 20282409603651670423947251286016)%Z.
rewrite mult_IZR.
change (Rbasic_fun.Rabs (B2R x) <= F2R (Float radix2 (Zpower radix2 24 - 1) (127 - 23)))%R.
destruct x as [s|s| |s m e H] ;
  try (simpl ; rewrite Rbasic_fun.Rabs_R0 ; now apply F2R_ge_0).
simpl.
rewrite <- F2R_Zabs.
rewrite abs_cond_Zopp.
apply andb_prop in H.
destruct H as [H1 H2].
apply Zeq_bool_eq in H1.
apply Zle_bool_imp_le in H2.
rewrite Digits.Zpos_digits2_pos in H1.
apply Rmult_le_compat.
now apply (IZR_le 0).
apply bpow_ge_0.
apply IZR_le.
apply (Z.lt_le_pred (Z.abs (Zpos m)) (Zpower radix2 24)).
apply Digits.Zpower_gt_Zdigits.
revert H1.
generalize (Digits.Zdigits radix2 (Z.pos m)).
unfold SpecFloat.fexp, FLT_exp, sb.
intros ; lia.
now apply bpow_le.
Qed.

(* Why3 goal *)
Lemma eb_gt_1 : (1%Z < 8%Z)%Z.
Proof.
now simpl.
Qed.

(* Why3 goal *)
Lemma sb_gt_1 : (1%Z < 24%Z)%Z.
Proof.
now simpl.
Qed.

(* Why3 goal *)
Definition zeroF : t.
Proof.
  apply zeroF.
Defined.

(* Why3 goal *)
Definition add : ieee_float.RoundingMode.mode -> t -> t -> t.
Proof.
  now apply add.
Defined.

(* Why3 goal *)
Definition sub : ieee_float.RoundingMode.mode -> t -> t -> t.
Proof.
  now apply sub.
Defined.

(* Why3 goal *)
Definition mul : ieee_float.RoundingMode.mode -> t -> t -> t.
Proof.
  now apply mul.
Defined.

(* Why3 goal *)
Definition div : ieee_float.RoundingMode.mode -> t -> t -> t.
Proof.
  now apply div.
Defined.

(* Why3 goal *)
Definition abs : t -> t.
Proof.
  now apply abs.
Defined.

(* Why3 goal *)
Definition neg : t -> t.
Proof.
  now apply neg.
Defined.

(* Why3 goal *)
Definition fma : ieee_float.RoundingMode.mode -> t -> t -> t -> t.
Proof.
  now apply fma.
Defined.

(* Why3 goal *)
Definition sqrt : ieee_float.RoundingMode.mode -> t -> t.
Proof.
  now apply GenericFloat.sqrt.
Defined.

(* Why3 goal *)
Definition roundToIntegral : ieee_float.RoundingMode.mode -> t -> t.
Proof.
  now apply roundToIntegral.
Defined.

(* Why3 goal *)
Definition min : t -> t -> t.
Proof.
  now apply min.
Defined.

(* Why3 goal *)
Definition max : t -> t -> t.
Proof.
  now apply max.
Defined.

(* Why3 goal *)
Definition le : t -> t -> Prop.
Proof.
  apply le.
Defined.

(* Why3 goal *)
Definition lt : t -> t -> Prop.
Proof.
  apply lt.
Defined.

(* Why3 goal *)
Definition eq : t -> t -> Prop.
Proof.
  apply eq.
Defined.

(* Why3 goal *)
Definition is_normal : t -> Prop.
Proof.
  apply is_normal.
Defined.

(* Why3 goal *)
Definition is_subnormal : t -> Prop.
Proof.
  apply is_subnormal.
Defined.

(* Why3 goal *)
Definition is_zero : t -> Prop.
Proof.
  apply is_zero.
Defined.

(* Why3 goal *)
Definition is_infinite : t -> Prop.
Proof.
  apply is_infinite.
Defined.

(* Why3 goal *)
Definition is_nan : t -> Prop.
Proof.
  apply is_nan.
Defined.

(* Why3 goal *)
Definition is_positive : t -> Prop.
Proof.
  apply is_positive.
Defined.

(* Why3 goal *)
Definition is_negative : t -> Prop.
Proof.
  apply is_negative.
Defined.

(* Why3 assumption *)
Definition is_plus_infinity (x:t) : Prop := is_infinite x /\ is_positive x.

(* Why3 assumption *)
Definition is_minus_infinity (x:t) : Prop := is_infinite x /\ is_negative x.

(* Why3 assumption *)
Definition is_plus_zero (x:t) : Prop := is_zero x /\ is_positive x.

(* Why3 assumption *)
Definition is_minus_zero (x:t) : Prop := is_zero x /\ is_negative x.

(* Why3 assumption *)
Definition is_not_nan (x:t) : Prop := t'isFinite x \/ is_infinite x.

(* Why3 goal *)
Lemma is_not_nan1 : forall (x:t), is_not_nan x <-> ~ is_nan x.
Proof.
  apply is_not_nan1.
Qed.

(* Why3 goal *)
Lemma is_not_finite :
  forall (x:t), ~ t'isFinite x <-> is_infinite x \/ is_nan x.
Proof.
  apply is_not_finite.
Qed.

(* Why3 goal *)
Lemma zeroF_is_positive : is_positive zeroF.
Proof.
  apply zeroF_is_positive.
Qed.

(* Why3 goal *)
Lemma zeroF_is_zero : is_zero zeroF.
Proof.
  apply zeroF_is_zero.
Qed.

(* Why3 goal *)
Lemma zero_to_real :
  forall (x:t), is_zero x <-> t'isFinite x /\ ((t'real x) = 0%R).
Proof.
  apply zero_to_real.
Qed.

(* Why3 goal *)
Definition of_int : ieee_float.RoundingMode.mode -> Numbers.BinNums.Z -> t.
Proof.
  now apply z_to_fp.
Defined.

(* Why3 goal *)
Definition to_int : ieee_float.RoundingMode.mode -> t -> Numbers.BinNums.Z.
Proof.
  now apply fp_to_z.
Defined.

(* Why3 goal *)
Lemma zero_of_int :
  forall (m:ieee_float.RoundingMode.mode), (zeroF = (of_int m 0%Z)).
Proof.
  apply zero_of_int.
Qed.

(* Why3 goal *)
Definition round :
  ieee_float.RoundingMode.mode -> Reals.Rdefinitions.R ->
  Reals.Rdefinitions.R.
Proof.
  apply (round 8 24).
Defined.

(* Why3 goal *)
Definition max_real : Reals.Rdefinitions.R.
Proof.
  apply 340282346638528859811704183484516925440%R.
Defined.

(* Why3 goal *)
Definition max_int : Numbers.BinNums.Z.
Proof.
  apply 340282346638528859811704183484516925440%Z.
Defined.

(* Why3 goal *)
Lemma max_int_spec :
  (max_int =
   ((bv.Pow2int.pow2 (bv.Pow2int.pow2 (8%Z - 1%Z)%Z)) -
    (bv.Pow2int.pow2 ((bv.Pow2int.pow2 (8%Z - 1%Z)%Z) - 24%Z)%Z))%Z).
Proof.
now simpl.
Qed.

(* Why3 goal *)
Lemma max_real_int : (max_real = (BuiltIn.IZR max_int)).
Proof.
now apply IZR_eq.
Qed.

Lemma max_real_cst :
  GenericFloat.max_real 8 24 = max_real%R.
Proof.
    rewrite <- max_real_is_F2R.
  change (F2R (Float radix2 _ _)) with (IZR 16777215 * IZR (Zpower 2 104))%R.
  now rewrite <- mult_IZR.
Qed.

(* Why3 assumption *)
Definition in_range (x:Reals.Rdefinitions.R) : Prop :=
  ((-max_real)%R <= x)%R /\ (x <= max_real)%R.

(* Why3 assumption *)
Definition in_int_range (i:Numbers.BinNums.Z) : Prop :=
  ((-max_int)%Z <= i)%Z /\ (i <= max_int)%Z.

(* Why3 goal *)
Lemma is_finite : forall (x:t), t'isFinite x -> in_range (t'real x).
Proof.
  unfold t'isFinite, in_range.
  intros x Hx.
  rewrite <- max_real_cst.
  now apply is_finite1.
Qed.

(* Why3 assumption *)
Definition no_overflow (m:ieee_float.RoundingMode.mode)
    (x:Reals.Rdefinitions.R) : Prop :=
  in_range (round m x).

(* Why3 goal *)
Lemma Bounded_real_no_overflow :
  forall (m:ieee_float.RoundingMode.mode) (x:Reals.Rdefinitions.R),
  in_range x -> no_overflow m x.
Proof.
  unfold no_overflow, in_range.
  rewrite <- max_real_cst.
  now apply (Bounded_real_no_overflow 8 24).
Qed.

(* Why3 goal *)
Lemma Round_monotonic :
  forall (m:ieee_float.RoundingMode.mode) (x:Reals.Rdefinitions.R)
    (y:Reals.Rdefinitions.R),
  (x <= y)%R -> ((round m x) <= (round m y))%R.
Proof.
  apply Round_monotonic.
Qed.

(* Why3 goal *)
Lemma Round_idempotent :
  forall (m1:ieee_float.RoundingMode.mode) (m2:ieee_float.RoundingMode.mode)
    (x:Reals.Rdefinitions.R),
  ((round m1 (round m2 x)) = (round m2 x)).
Proof.
  apply Round_idempotent.
Qed.

(* Why3 goal *)
Lemma Round_to_real :
  forall (m:ieee_float.RoundingMode.mode) (x:t), t'isFinite x ->
  ((round m (t'real x)) = (t'real x)).
Proof.
  apply Round_to_real.
Qed.

(* Why3 goal *)
Lemma Round_down_le :
  forall (x:Reals.Rdefinitions.R),
  ((round ieee_float.RoundingMode.RTN x) <= x)%R.
Proof.
  apply Round_down_le.
Qed.

(* Why3 goal *)
Lemma Round_up_ge :
  forall (x:Reals.Rdefinitions.R),
  (x <= (round ieee_float.RoundingMode.RTP x))%R.
Proof.
  apply Round_up_ge.
Qed.

(* Why3 goal *)
Lemma Round_down_neg :
  forall (x:Reals.Rdefinitions.R),
  ((round ieee_float.RoundingMode.RTN (-x)%R) =
   (-(round ieee_float.RoundingMode.RTP x))%R).
Proof.
  apply Round_down_neg.
Qed.

(* Why3 goal *)
Lemma Round_up_neg :
  forall (x:Reals.Rdefinitions.R),
  ((round ieee_float.RoundingMode.RTP (-x)%R) =
   (-(round ieee_float.RoundingMode.RTN x))%R).
Proof.
  apply Round_up_neg.
Qed.

(* Why3 goal *)
Lemma pow2sb1 : (16777216%Z = (bv.Pow2int.pow2 24%Z)).
Proof.
now simpl.
Qed.

(* Why3 assumption *)
Definition in_safe_int_range (i:Numbers.BinNums.Z) : Prop :=
  ((-16777216%Z)%Z <= i)%Z /\ (i <= 16777216%Z)%Z.

(* Why3 goal *)
Lemma Exact_rounding_for_integers :
  forall (m:ieee_float.RoundingMode.mode) (i:Numbers.BinNums.Z),
  in_safe_int_range i -> ((round m (BuiltIn.IZR i)) = (BuiltIn.IZR i)).
Proof.
  intros m i h1.
  now apply Exact_rounding_for_integers.
Qed.

(* Why3 assumption *)
Definition same_sign (x:t) (y:t) : Prop :=
  is_positive x /\ is_positive y \/ is_negative x /\ is_negative y.

(* Why3 assumption *)
Definition diff_sign (x:t) (y:t) : Prop :=
  is_positive x /\ is_negative y \/ is_negative x /\ is_positive y.

(* Why3 goal *)
Lemma feq_eq :
  forall (x:t) (y:t), t'isFinite x -> t'isFinite y -> ~ is_zero x ->
  eq x y -> (x = y).
Proof.
  apply feq_eq.
Qed.

(* Why3 goal *)
Lemma eq_feq :
  forall (x:t) (y:t), t'isFinite x -> t'isFinite y -> (x = y) -> eq x y.
Proof.
  apply eq_feq.
Qed.

(* Why3 goal *)
Lemma eq_refl : forall (x:t), t'isFinite x -> eq x x.
Proof.
  apply eq_refl.
Qed.

(* Why3 goal *)
Lemma eq_sym : forall (x:t) (y:t), eq x y -> eq y x.
Proof.
  apply eq_sym.
Qed.

(* Why3 goal *)
Lemma eq_trans : forall (x:t) (y:t) (z:t), eq x y -> eq y z -> eq x z.
Proof.
  apply eq_trans.
Qed.

(* Why3 goal *)
Lemma eq_zero : eq zeroF (neg zeroF).
Proof.
  apply eq_zero.
Qed.

(* Why3 goal *)
Lemma eq_to_real_finite :
  forall (x:t) (y:t), t'isFinite x /\ t'isFinite y ->
  eq x y <-> ((t'real x) = (t'real y)).
Proof.
  apply eq_to_real_finite.
Qed.

(* Why3 goal *)
Lemma eq_special :
  forall (x:t) (y:t), eq x y ->
  is_not_nan x /\
  is_not_nan y /\
  (t'isFinite x /\ t'isFinite y \/
   is_infinite x /\ is_infinite y /\ same_sign x y).
Proof.
  apply eq_special.
Qed.

(* Why3 goal *)
Lemma lt_finite :
  forall (x:t) (y:t), t'isFinite x /\ t'isFinite y ->
  lt x y <-> ((t'real x) < (t'real y))%R.
Proof.
  apply lt_finite.
Qed.

(* Why3 goal *)
Lemma le_finite :
  forall (x:t) (y:t), t'isFinite x /\ t'isFinite y ->
  le x y <-> ((t'real x) <= (t'real y))%R.
Proof.
  apply le_finite.
Qed.

(* Why3 goal *)
Lemma le_lt_trans : forall (x:t) (y:t) (z:t), le x y /\ lt y z -> lt x z.
Proof.
  apply le_lt_trans.
Qed.

(* Why3 goal *)
Lemma lt_le_trans : forall (x:t) (y:t) (z:t), lt x y /\ le y z -> lt x z.
Proof.
  apply lt_le_trans.
Qed.

(* Why3 goal *)
Lemma le_ge_asym : forall (x:t) (y:t), le x y /\ le y x -> eq x y.
Proof.
  apply le_ge_asym.
Qed.

(* Why3 goal *)
Lemma not_lt_ge :
  forall (x:t) (y:t), ~ lt x y /\ is_not_nan x /\ is_not_nan y -> le y x.
Proof.
  apply not_lt_ge.
Qed.

(* Why3 goal *)
Lemma not_gt_le :
  forall (x:t) (y:t), ~ lt y x /\ is_not_nan x /\ is_not_nan y -> le x y.
Proof.
 apply not_gt_le.
Qed.

(* Why3 goal *)
Lemma le_special :
  forall (x:t) (y:t), le x y ->
  t'isFinite x /\ t'isFinite y \/
  is_minus_infinity x /\ is_not_nan y \/ is_not_nan x /\ is_plus_infinity y.
Proof.
  apply le_special.
Qed.

(* Why3 goal *)
Lemma lt_special :
  forall (x:t) (y:t), lt x y ->
  t'isFinite x /\ t'isFinite y \/
  is_minus_infinity x /\ is_not_nan y /\ ~ is_minus_infinity y \/
  is_not_nan x /\ ~ is_plus_infinity x /\ is_plus_infinity y.
Proof.
  apply lt_special.
Qed.

(* Why3 goal *)
Lemma lt_lt_finite :
  forall (x:t) (y:t) (z:t), lt x y -> lt y z -> t'isFinite y.
Proof.
  apply lt_lt_finite.
Qed.

(* Why3 goal *)
Lemma positive_to_real :
  forall (x:t), t'isFinite x -> is_positive x -> (0%R <= (t'real x))%R.
Proof.
  apply positive_to_real.
Qed.

(* Why3 goal *)
Lemma to_real_positive :
  forall (x:t), t'isFinite x -> (0%R < (t'real x))%R -> is_positive x.
Proof.
  apply to_real_positive.
Qed.

(* Why3 goal *)
Lemma negative_to_real :
  forall (x:t), t'isFinite x -> is_negative x -> ((t'real x) <= 0%R)%R.
Proof.
  apply negative_to_real.
Qed.

(* Why3 goal *)
Lemma to_real_negative :
  forall (x:t), t'isFinite x -> ((t'real x) < 0%R)%R -> is_negative x.
Proof.
  apply to_real_negative.
Qed.

(* Why3 goal *)
Lemma negative_xor_positive :
  forall (x:t), ~ (is_positive x /\ is_negative x).
Proof.
  apply negative_xor_positive.
Qed.

(* Why3 goal *)
Lemma negative_or_positive :
  forall (x:t), is_not_nan x -> is_positive x \/ is_negative x.
Proof.
  apply negative_or_positive.
Qed.

(* Why3 goal *)
Lemma diff_sign_trans :
  forall (x:t) (y:t) (z:t), diff_sign x y /\ diff_sign y z -> same_sign x z.
Proof.
  apply diff_sign_trans.
Qed.

(* Why3 goal *)
Lemma diff_sign_product :
  forall (x:t) (y:t),
  t'isFinite x /\ t'isFinite y /\ (((t'real x) * (t'real y))%R < 0%R)%R ->
  diff_sign x y.
Proof.
  apply diff_sign_product.
Qed.

(* Why3 goal *)
Lemma same_sign_product :
  forall (x:t) (y:t), t'isFinite x /\ t'isFinite y /\ same_sign x y ->
  (0%R <= ((t'real x) * (t'real y))%R)%R.
Proof.
  apply same_sign_product.
Qed.

(* Why3 assumption *)
Definition product_sign (z:t) (x:t) (y:t) : Prop :=
  (same_sign x y -> is_positive z) /\ (diff_sign x y -> is_negative z).

(* Why3 assumption *)
Definition overflow_value (m:ieee_float.RoundingMode.mode) (x:t) : Prop :=
  match m with
  | ieee_float.RoundingMode.RTN =>
      (is_positive x -> t'isFinite x /\ ((t'real x) = max_real)) /\
      (~ is_positive x -> is_infinite x)
  | ieee_float.RoundingMode.RTP =>
      (is_positive x -> is_infinite x) /\
      (~ is_positive x -> t'isFinite x /\ ((t'real x) = (-max_real)%R))
  | ieee_float.RoundingMode.RTZ =>
      (is_positive x -> t'isFinite x /\ ((t'real x) = max_real)) /\
      (~ is_positive x -> t'isFinite x /\ ((t'real x) = (-max_real)%R))
  | ieee_float.RoundingMode.RNA|ieee_float.RoundingMode.RNE => is_infinite x
  end.

(* Why3 assumption *)
Definition sign_zero_result (m:ieee_float.RoundingMode.mode) (x:t) : Prop :=
  is_zero x ->
  match m with
  | ieee_float.RoundingMode.RTN => is_negative x
  | _ => is_positive x
  end.

(* Why3 goal *)
Lemma add_finite :
  forall (m:ieee_float.RoundingMode.mode) (x:t) (y:t), t'isFinite x ->
  t'isFinite y -> no_overflow m ((t'real x) + (t'real y))%R ->
  t'isFinite (add m x y) /\
  ((t'real (add m x y)) = (round m ((t'real x) + (t'real y))%R)).
Proof.
  intros m x y h1 h2 h3.
  apply add_finite ; try easy.
  unfold no_overflow, in_range in h3.
  now rewrite <- max_real_cst in h3.
Qed.

(* Why3 goal *)
Lemma add_finite_rev :
  forall (m:ieee_float.RoundingMode.mode) (x:t) (y:t),
  t'isFinite (add m x y) -> t'isFinite x /\ t'isFinite y.
Proof.
  apply add_finite_rev.
Qed.

(* Why3 goal *)
Lemma add_finite_rev_n :
  forall (m:ieee_float.RoundingMode.mode) (x:t) (y:t),
  ieee_float.RoundingMode.to_nearest m -> t'isFinite (add m x y) ->
  no_overflow m ((t'real x) + (t'real y))%R /\
  ((t'real (add m x y)) = (round m ((t'real x) + (t'real y))%R)).
Proof.
  intros m x y h1 h2.
  unfold no_overflow, in_range.
  rewrite <- max_real_cst.
  now apply add_finite_rev_n.
Qed.

(* Why3 goal *)
Lemma sub_finite :
  forall (m:ieee_float.RoundingMode.mode) (x:t) (y:t), t'isFinite x ->
  t'isFinite y -> no_overflow m ((t'real x) - (t'real y))%R ->
  t'isFinite (sub m x y) /\
  ((t'real (sub m x y)) = (round m ((t'real x) - (t'real y))%R)).
Proof.
  intros m x y h1 h2 h3.
  apply sub_finite ; try easy.
  unfold no_overflow, in_range in h3.
  now rewrite <- max_real_cst in h3.
Qed.

(* Why3 goal *)
Lemma sub_finite_rev :
  forall (m:ieee_float.RoundingMode.mode) (x:t) (y:t),
  t'isFinite (sub m x y) -> t'isFinite x /\ t'isFinite y.
Proof.
  apply sub_finite_rev.
Qed.

(* Why3 goal *)
Lemma sub_finite_rev_n :
  forall (m:ieee_float.RoundingMode.mode) (x:t) (y:t),
  ieee_float.RoundingMode.to_nearest m -> t'isFinite (sub m x y) ->
  no_overflow m ((t'real x) - (t'real y))%R /\
  ((t'real (sub m x y)) = (round m ((t'real x) - (t'real y))%R)).
Proof.
  intros m x y h1 h2.
  unfold no_overflow, in_range.
  rewrite <- max_real_cst.
  now apply sub_finite_rev_n.
Qed.

(* Why3 goal *)
Lemma mul_finite :
  forall (m:ieee_float.RoundingMode.mode) (x:t) (y:t), t'isFinite x ->
  t'isFinite y -> no_overflow m ((t'real x) * (t'real y))%R ->
  t'isFinite (mul m x y) /\
  ((t'real (mul m x y)) = (round m ((t'real x) * (t'real y))%R)).
Proof.
  intros m x y h1 h2 h3.
  apply mul_finite ; try easy.
  unfold no_overflow, in_range in h3.
  now rewrite <- max_real_cst in h3.
Qed.

(* Why3 goal *)
Lemma mul_finite_rev :
  forall (m:ieee_float.RoundingMode.mode) (x:t) (y:t),
  t'isFinite (mul m x y) -> t'isFinite x /\ t'isFinite y.
Proof.
  apply mul_finite_rev.
Qed.

(* Why3 goal *)
Lemma mul_finite_rev_n :
  forall (m:ieee_float.RoundingMode.mode) (x:t) (y:t),
  ieee_float.RoundingMode.to_nearest m -> t'isFinite (mul m x y) ->
  no_overflow m ((t'real x) * (t'real y))%R /\
  ((t'real (mul m x y)) = (round m ((t'real x) * (t'real y))%R)).
Proof.
  intros m x y h1 h2.
  unfold no_overflow, in_range.
  rewrite <- max_real_cst.
  now apply mul_finite_rev_n.
Qed.

(* Why3 goal *)
Lemma div_finite :
  forall (m:ieee_float.RoundingMode.mode) (x:t) (y:t), t'isFinite x ->
  t'isFinite y -> ~ is_zero y -> no_overflow m ((t'real x) / (t'real y))%R ->
  t'isFinite (div m x y) /\
  ((t'real (div m x y)) = (round m ((t'real x) / (t'real y))%R)).
Proof.
  intros m x y h1 h2 h3 h4.
  apply div_finite ; try easy.
  unfold no_overflow, in_range in h4.
  now rewrite <- max_real_cst in h4.
Qed.

(* Why3 goal *)
Lemma div_finite_rev :
  forall (m:ieee_float.RoundingMode.mode) (x:t) (y:t),
  t'isFinite (div m x y) ->
  t'isFinite x /\ t'isFinite y /\ ~ is_zero y \/
  t'isFinite x /\ is_infinite y /\ ((t'real (div m x y)) = 0%R).
Proof.
  apply div_finite_rev.
Qed.

(* Why3 goal *)
Lemma div_finite_rev_n :
  forall (m:ieee_float.RoundingMode.mode) (x:t) (y:t),
  ieee_float.RoundingMode.to_nearest m -> t'isFinite (div m x y) ->
  t'isFinite y ->
  no_overflow m ((t'real x) / (t'real y))%R /\
  ((t'real (div m x y)) = (round m ((t'real x) / (t'real y))%R)).
Proof.
  intros m x y h1 h2 h3.
  unfold no_overflow, in_range.
  rewrite <- max_real_cst.
  now apply div_finite_rev_n.
Qed.

(* Why3 goal *)
Lemma neg_finite :
  forall (x:t), t'isFinite x ->
  t'isFinite (neg x) /\ ((t'real (neg x)) = (-(t'real x))%R).
Proof.
  apply neg_finite.
Qed.

(* Why3 goal *)
Lemma neg_finite_rev :
  forall (x:t), t'isFinite (neg x) ->
  t'isFinite x /\ ((t'real (neg x)) = (-(t'real x))%R).
Proof.
  apply neg_finite_rev.
Qed.

(* Why3 goal *)
Lemma abs_finite :
  forall (x:t), t'isFinite x ->
  t'isFinite (abs x) /\
  ((t'real (abs x)) = (Reals.Rbasic_fun.Rabs (t'real x))) /\
  is_positive (abs x).
Proof.
  apply abs_finite.
Qed.

(* Why3 goal *)
Lemma abs_finite_rev :
  forall (x:t), t'isFinite (abs x) ->
  t'isFinite x /\ ((t'real (abs x)) = (Reals.Rbasic_fun.Rabs (t'real x))).
Proof.
  apply abs_finite_rev.
Qed.

(* Why3 goal *)
Lemma abs_universal : forall (x:t), ~ is_negative (abs x).
Proof.
  apply abs_universal.
Qed.

(* Why3 goal *)
Lemma fma_finite :
  forall (m:ieee_float.RoundingMode.mode) (x:t) (y:t) (z:t), t'isFinite x ->
  t'isFinite y -> t'isFinite z ->
  no_overflow m (((t'real x) * (t'real y))%R + (t'real z))%R ->
  t'isFinite (fma m x y z) /\
  ((t'real (fma m x y z)) =
   (round m (((t'real x) * (t'real y))%R + (t'real z))%R)).
Proof.
  intros m x y z h1 h2 h3 h4.
  apply fma_finite ; try easy.
  unfold no_overflow, in_range in h4.
  now rewrite <- max_real_cst in h4.
Qed.

(* Why3 goal *)
Lemma fma_finite_rev :
  forall (m:ieee_float.RoundingMode.mode) (x:t) (y:t) (z:t),
  t'isFinite (fma m x y z) -> t'isFinite x /\ t'isFinite y /\ t'isFinite z.
Proof.
  now apply fma_finite_rev.
Qed.

(* Why3 goal *)
Lemma fma_finite_rev_n :
  forall (m:ieee_float.RoundingMode.mode) (x:t) (y:t) (z:t),
  ieee_float.RoundingMode.to_nearest m -> t'isFinite (fma m x y z) ->
  no_overflow m (((t'real x) * (t'real y))%R + (t'real z))%R /\
  ((t'real (fma m x y z)) =
   (round m (((t'real x) * (t'real y))%R + (t'real z))%R)).
Proof.
  intros m x y z h1 h2.
  unfold no_overflow, in_range.
  rewrite <- max_real_cst.
  now apply fma_finite_rev_n.
Qed.

(* Why3 goal *)
Lemma sqrt_finite :
  forall (m:ieee_float.RoundingMode.mode) (x:t), t'isFinite x ->
  (0%R <= (t'real x))%R ->
  t'isFinite (sqrt m x) /\
  ((t'real (sqrt m x)) = (round m (Reals.R_sqrt.sqrt (t'real x)))).
Proof.
  apply sqrt_finite.
Qed.

(* Why3 goal *)
Lemma sqrt_finite_rev :
  forall (m:ieee_float.RoundingMode.mode) (x:t), t'isFinite (sqrt m x) ->
  t'isFinite x /\
  (0%R <= (t'real x))%R /\
  ((t'real (sqrt m x)) = (round m (Reals.R_sqrt.sqrt (t'real x)))).
Proof.
  apply sqrt_finite_rev.
Qed.

(* Why3 assumption *)
Definition same_sign_real (x:t) (r:Reals.Rdefinitions.R) : Prop :=
  is_positive x /\ (0%R < r)%R \/ is_negative x /\ (r < 0%R)%R.

(* Why3 goal *)
Lemma add_special :
  forall (m:ieee_float.RoundingMode.mode) (x:t) (y:t),
  let r := add m x y in
  (is_nan x \/ is_nan y -> is_nan r) /\
  (t'isFinite x /\ is_infinite y -> is_infinite r /\ same_sign r y) /\
  (is_infinite x /\ t'isFinite y -> is_infinite r /\ same_sign r x) /\
  (is_infinite x /\ is_infinite y /\ same_sign x y ->
   is_infinite r /\ same_sign r x) /\
  (is_infinite x /\ is_infinite y /\ diff_sign x y -> is_nan r) /\
  (t'isFinite x /\
   t'isFinite y /\ ~ no_overflow m ((t'real x) + (t'real y))%R ->
   same_sign_real r ((t'real x) + (t'real y))%R /\ overflow_value m r) /\
  (t'isFinite x /\ t'isFinite y ->
   (same_sign x y -> same_sign r x) /\
   (~ same_sign x y -> sign_zero_result m r)).
Proof.
  intros m x y r.
  unfold no_overflow, in_range, overflow_value.
  rewrite <- max_real_cst.
  now apply add_special.
Qed.

(* Why3 goal *)
Lemma sub_special :
  forall (m:ieee_float.RoundingMode.mode) (x:t) (y:t),
  let r := sub m x y in
  (is_nan x \/ is_nan y -> is_nan r) /\
  (t'isFinite x /\ is_infinite y -> is_infinite r /\ diff_sign r y) /\
  (is_infinite x /\ t'isFinite y -> is_infinite r /\ same_sign r x) /\
  (is_infinite x /\ is_infinite y /\ same_sign x y -> is_nan r) /\
  (is_infinite x /\ is_infinite y /\ diff_sign x y ->
   is_infinite r /\ same_sign r x) /\
  (t'isFinite x /\
   t'isFinite y /\ ~ no_overflow m ((t'real x) - (t'real y))%R ->
   same_sign_real r ((t'real x) - (t'real y))%R /\ overflow_value m r) /\
  (t'isFinite x /\ t'isFinite y ->
   (diff_sign x y -> same_sign r x) /\
   (~ diff_sign x y -> sign_zero_result m r)).
Proof.
  intros m x y r.
  unfold no_overflow, in_range, overflow_value.
  rewrite <- max_real_cst.
  now apply sub_special.
Qed.

(* Why3 goal *)
Lemma mul_special :
  forall (m:ieee_float.RoundingMode.mode) (x:t) (y:t),
  let r := mul m x y in
  (is_nan x \/ is_nan y -> is_nan r) /\
  (is_zero x /\ is_infinite y -> is_nan r) /\
  (t'isFinite x /\ is_infinite y /\ ~ is_zero x -> is_infinite r) /\
  (is_infinite x /\ is_zero y -> is_nan r) /\
  (is_infinite x /\ t'isFinite y /\ ~ is_zero y -> is_infinite r) /\
  (is_infinite x /\ is_infinite y -> is_infinite r) /\
  (t'isFinite x /\
   t'isFinite y /\ ~ no_overflow m ((t'real x) * (t'real y))%R ->
   overflow_value m r) /\
  (~ is_nan r -> product_sign r x y).
Proof.
  intros m x y r.
  unfold no_overflow, in_range, overflow_value.
  rewrite <- max_real_cst.
  now apply mul_special.
Qed.

(* Why3 goal *)
Lemma div_special :
  forall (m:ieee_float.RoundingMode.mode) (x:t) (y:t),
  let r := div m x y in
  (is_nan x \/ is_nan y -> is_nan r) /\
  (t'isFinite x /\ is_infinite y -> is_zero r) /\
  (is_infinite x /\ t'isFinite y -> is_infinite r) /\
  (is_infinite x /\ is_infinite y -> is_nan r) /\
  (t'isFinite x /\
   t'isFinite y /\ ~ is_zero y /\ ~ no_overflow m ((t'real x) / (t'real y))%R ->
   overflow_value m r) /\
  (t'isFinite x /\ is_zero y /\ ~ is_zero x -> is_infinite r) /\
  (is_zero x /\ is_zero y -> is_nan r) /\ (~ is_nan r -> product_sign r x y).
Proof.
  intros m x y r.
  unfold no_overflow, in_range, overflow_value.
  rewrite <- max_real_cst.
  now apply div_special.
Qed.

(* Why3 goal *)
Lemma neg_special :
  forall (x:t),
  (is_nan x -> is_nan (neg x)) /\
  (is_infinite x -> is_infinite (neg x)) /\
  (~ is_nan x -> diff_sign x (neg x)).
Proof.
  apply neg_special.
Qed.

(* Why3 goal *)
Lemma abs_special :
  forall (x:t),
  (is_nan x -> is_nan (abs x)) /\
  (is_infinite x -> is_infinite (abs x)) /\
  (~ is_nan x -> is_positive (abs x)).
Proof.
  apply abs_special.
Qed.

(* Why3 goal *)
Lemma fma_special :
  forall (m:ieee_float.RoundingMode.mode) (x:t) (y:t) (z:t),
  let r := fma m x y z in
  (is_nan x \/ is_nan y \/ is_nan z -> is_nan r) /\
  (is_zero x /\ is_infinite y -> is_nan r) /\
  (is_infinite x /\ is_zero y -> is_nan r) /\
  (t'isFinite x /\ ~ is_zero x /\ is_infinite y /\ t'isFinite z ->
   is_infinite r /\ product_sign r x y) /\
  (t'isFinite x /\ ~ is_zero x /\ is_infinite y /\ is_infinite z ->
   (product_sign z x y -> is_infinite r /\ same_sign r z) /\
   (~ product_sign z x y -> is_nan r)) /\
  (is_infinite x /\ t'isFinite y /\ ~ is_zero y /\ t'isFinite z ->
   is_infinite r /\ product_sign r x y) /\
  (is_infinite x /\ t'isFinite y /\ ~ is_zero y /\ is_infinite z ->
   (product_sign z x y -> is_infinite r /\ same_sign r z) /\
   (~ product_sign z x y -> is_nan r)) /\
  (is_infinite x /\ is_infinite y /\ t'isFinite z ->
   is_infinite r /\ product_sign r x y) /\
  (t'isFinite x /\ t'isFinite y /\ is_infinite z ->
   is_infinite r /\ same_sign r z) /\
  (is_infinite x /\ is_infinite y /\ is_infinite z ->
   (product_sign z x y -> is_infinite r /\ same_sign r z) /\
   (~ product_sign z x y -> is_nan r)) /\
  (t'isFinite x /\
   t'isFinite y /\
   t'isFinite z /\
   ~ no_overflow m (((t'real x) * (t'real y))%R + (t'real z))%R ->
   same_sign_real r (((t'real x) * (t'real y))%R + (t'real z))%R /\
   overflow_value m r) /\
  (t'isFinite x /\ t'isFinite y /\ t'isFinite z ->
   (product_sign z x y -> same_sign r z) /\
   (~ product_sign z x y ->
    ((((t'real x) * (t'real y))%R + (t'real z))%R = 0%R) ->
    ((m = ieee_float.RoundingMode.RTN) -> is_negative r) /\
    (~ (m = ieee_float.RoundingMode.RTN) -> is_positive r))).
Proof.
  intros m x y z r.
  unfold no_overflow, in_range, overflow_value.
  rewrite <- max_real_cst.
  now apply fma_special.
Qed.

(* Why3 goal *)
Lemma sqrt_special :
  forall (m:ieee_float.RoundingMode.mode) (x:t),
  let r := sqrt m x in
  (is_nan x -> is_nan r) /\
  (is_plus_infinity x -> is_plus_infinity r) /\
  (is_minus_infinity x -> is_nan r) /\
  (t'isFinite x /\ ((t'real x) < 0%R)%R -> is_nan r) /\
  (is_zero x -> same_sign r x) /\
  (t'isFinite x /\ (0%R < (t'real x))%R -> is_positive r).
Proof.
  apply sqrt_special.
Qed.

(* Why3 goal *)
Lemma of_int_add_exact :
  forall (m:ieee_float.RoundingMode.mode) (n:ieee_float.RoundingMode.mode)
    (i:Numbers.BinNums.Z) (j:Numbers.BinNums.Z),
  in_safe_int_range i -> in_safe_int_range j ->
  in_safe_int_range (i + j)%Z ->
  eq (of_int m (i + j)%Z) (add n (of_int m i) (of_int m j)).
Proof.
  intros m n i j h1 h2 h3.
  now apply of_int_add_exact.
Qed.

(* Why3 goal *)
Lemma of_int_sub_exact :
  forall (m:ieee_float.RoundingMode.mode) (n:ieee_float.RoundingMode.mode)
    (i:Numbers.BinNums.Z) (j:Numbers.BinNums.Z),
  in_safe_int_range i -> in_safe_int_range j ->
  in_safe_int_range (i - j)%Z ->
  eq (of_int m (i - j)%Z) (sub n (of_int m i) (of_int m j)).
Proof.
  intros m n i j h1 h2 h3.
  now apply of_int_sub_exact.
Qed.

(* Why3 goal *)
Lemma of_int_mul_exact :
  forall (m:ieee_float.RoundingMode.mode) (n:ieee_float.RoundingMode.mode)
    (i:Numbers.BinNums.Z) (j:Numbers.BinNums.Z),
  in_safe_int_range i -> in_safe_int_range j ->
  in_safe_int_range (i * j)%Z ->
  eq (of_int m (i * j)%Z) (mul n (of_int m i) (of_int m j)).
Proof.
  intros m n i j h1 h2 h3.
  now apply of_int_mul_exact.
Qed.

(* Why3 goal *)
Lemma Min_r : forall (x:t) (y:t), le y x -> eq (min x y) y.
Proof.
  apply Min_r.
Qed.

(* Why3 goal *)
Lemma Min_l : forall (x:t) (y:t), le x y -> eq (min x y) x.
Proof.
  apply Min_l.
Qed.

(* Why3 goal *)
Lemma Max_r : forall (x:t) (y:t), le y x -> eq (max x y) x.
Proof.
  apply Max_r.
Qed.

(* Why3 goal *)
Lemma Max_l : forall (x:t) (y:t), le x y -> eq (max x y) y.
Proof.
  apply Max_l.
Qed.

(* Why3 goal *)
Definition is_int : t -> Prop.
Proof.
  apply is_int.
Defined.

(* Why3 goal *)
Lemma zeroF_is_int : is_int zeroF.
Proof.
  apply zeroF_is_int.
Qed.

(* Why3 goal *)
Lemma of_int_is_int :
  forall (m:ieee_float.RoundingMode.mode) (x:Numbers.BinNums.Z),
  in_int_range x -> is_int (of_int m x).
Proof.
  intros m x h1.
  now apply of_int_is_int.
Qed.

(* Why3 goal *)
Lemma big_float_is_int :
  forall (m:ieee_float.RoundingMode.mode) (i:t), t'isFinite i ->
  le i (neg (of_int m 16777216%Z)) \/ le (of_int m 16777216%Z) i -> is_int i.
Proof.
  now apply big_float_is_int.
Qed.

(* Why3 goal *)
Lemma roundToIntegral_is_int :
  forall (m:ieee_float.RoundingMode.mode) (x:t), t'isFinite x ->
  is_int (roundToIntegral m x).
Proof.
  now apply roundToIntegral_is_int.
Qed.

(* Why3 goal *)
Lemma eq_is_int : forall (x:t) (y:t), eq x y -> is_int x -> is_int y.
Proof.
  apply eq_is_int.
Qed.

(* Why3 goal *)
Lemma add_int :
  forall (x:t) (y:t) (m:ieee_float.RoundingMode.mode), is_int x ->
  is_int y -> t'isFinite (add m x y) -> is_int (add m x y).
Proof.
  now apply add_int.
Qed.

(* Why3 goal *)
Lemma sub_int :
  forall (x:t) (y:t) (m:ieee_float.RoundingMode.mode), is_int x ->
  is_int y -> t'isFinite (sub m x y) -> is_int (sub m x y).
Proof.
  now apply sub_int.
Qed.

(* Why3 goal *)
Lemma mul_int :
  forall (x:t) (y:t) (m:ieee_float.RoundingMode.mode), is_int x ->
  is_int y -> t'isFinite (mul m x y) -> is_int (mul m x y).
Proof.
  now apply mul_int.
Qed.

(* Why3 goal *)
Lemma fma_int :
  forall (x:t) (y:t) (z:t) (m:ieee_float.RoundingMode.mode), is_int x ->
  is_int y -> is_int z -> t'isFinite (fma m x y z) -> is_int (fma m x y z).
Proof.
  now apply fma_int.
Qed.

(* Why3 goal *)
Lemma neg_int : forall (x:t), is_int x -> is_int (neg x).
Proof.
  apply neg_int.
Qed.

(* Why3 goal *)
Lemma abs_int : forall (x:t), is_int x -> is_int (abs x).
Proof.
  apply abs_int.
Qed.

(* Why3 goal *)
Lemma is_int_of_int :
  forall (x:t) (m:ieee_float.RoundingMode.mode)
    (m':ieee_float.RoundingMode.mode),
  is_int x -> eq x (of_int m' (to_int m x)).
Proof.
  now apply is_int_of_int.
Qed.

(* Why3 goal *)
Lemma is_int_to_int :
  forall (m:ieee_float.RoundingMode.mode) (x:t), is_int x ->
  in_int_range (to_int m x).
Proof.
  now apply is_int_to_int.
Qed.

(* Why3 goal *)
Lemma is_int_is_finite : forall (x:t), is_int x -> t'isFinite x.
Proof.
  apply is_int_is_finite.
Qed.

(* Why3 goal *)
Lemma int_to_real :
  forall (m:ieee_float.RoundingMode.mode) (x:t), is_int x ->
  ((t'real x) = (BuiltIn.IZR (to_int m x))).
Proof.
  apply int_to_real.
Qed.

(* Why3 goal *)
Lemma truncate_int :
  forall (m:ieee_float.RoundingMode.mode) (i:t), is_int i ->
  eq (roundToIntegral m i) i.
Proof.
  now apply truncate_int.
Qed.

(* Why3 goal *)
Lemma truncate_neg :
  forall (x:t), t'isFinite x -> is_negative x ->
  ((roundToIntegral ieee_float.RoundingMode.RTZ x) =
   (roundToIntegral ieee_float.RoundingMode.RTP x)).
Proof.
  apply truncate_neg.
Qed.

(* Why3 goal *)
Lemma truncate_pos :
  forall (x:t), t'isFinite x -> is_positive x ->
  ((roundToIntegral ieee_float.RoundingMode.RTZ x) =
   (roundToIntegral ieee_float.RoundingMode.RTN x)).
Proof.
  apply truncate_pos.
Qed.

(* Why3 goal *)
Lemma ceil_le :
  forall (x:t), t'isFinite x ->
  le x (roundToIntegral ieee_float.RoundingMode.RTP x).
Proof.
  now apply ceil_le.
Qed.

(* Why3 goal *)
Lemma ceil_lest :
  forall (x:t) (y:t), le x y /\ is_int y ->
  le (roundToIntegral ieee_float.RoundingMode.RTP x) y.
Proof.
  now apply ceil_lest.
Qed.

(* Why3 goal *)
Lemma ceil_to_real :
  forall (x:t), t'isFinite x ->
  ((t'real (roundToIntegral ieee_float.RoundingMode.RTP x)) =
   (BuiltIn.IZR (real.Truncate.ceil (t'real x)))).
Proof.
  now apply ceil_to_real.
Qed.

(* Why3 goal *)
Lemma ceil_to_int :
  forall (m:ieee_float.RoundingMode.mode) (x:t), t'isFinite x ->
  ((to_int m (roundToIntegral ieee_float.RoundingMode.RTP x)) =
   (real.Truncate.ceil (t'real x))).
Proof.
  now apply ceil_to_int.
Qed.

(* Why3 goal *)
Lemma floor_le :
  forall (x:t), t'isFinite x ->
  le (roundToIntegral ieee_float.RoundingMode.RTN x) x.
Proof.
  now apply floor_le.
Qed.

(* Why3 goal *)
Lemma floor_lest :
  forall (x:t) (y:t), le y x /\ is_int y ->
  le y (roundToIntegral ieee_float.RoundingMode.RTN x).
Proof.
  now apply floor_lest.
Qed.

(* Why3 goal *)
Lemma floor_to_real :
  forall (x:t), t'isFinite x ->
  ((t'real (roundToIntegral ieee_float.RoundingMode.RTN x)) =
   (BuiltIn.IZR (real.Truncate.floor (t'real x)))).
Proof.
  now apply floor_to_real.
Qed.

(* Why3 goal *)
Lemma floor_to_int :
  forall (m:ieee_float.RoundingMode.mode) (x:t), t'isFinite x ->
  ((to_int m (roundToIntegral ieee_float.RoundingMode.RTN x)) =
   (real.Truncate.floor (t'real x))).
Proof.
  now apply floor_to_int.
Qed.

(* Why3 goal *)
Lemma RNA_down :
  forall (x:t),
  lt
  (sub ieee_float.RoundingMode.RNE x
   (roundToIntegral ieee_float.RoundingMode.RTN x))
  (sub ieee_float.RoundingMode.RNE
   (roundToIntegral ieee_float.RoundingMode.RTP x) x) ->
  ((roundToIntegral ieee_float.RoundingMode.RNA x) =
   (roundToIntegral ieee_float.RoundingMode.RTN x)).
Proof.
  now apply RNA_down.
Qed.

(* Why3 goal *)
Lemma RNA_up :
  forall (x:t),
  lt
  (sub ieee_float.RoundingMode.RNE
   (roundToIntegral ieee_float.RoundingMode.RTP x) x)
  (sub ieee_float.RoundingMode.RNE x
   (roundToIntegral ieee_float.RoundingMode.RTN x)) ->
  ((roundToIntegral ieee_float.RoundingMode.RNA x) =
   (roundToIntegral ieee_float.RoundingMode.RTP x)).
Proof.
  now apply RNA_up.
Qed.

(* Why3 goal *)
Lemma RNA_down_tie :
  forall (x:t),
  eq
  (sub ieee_float.RoundingMode.RNE x
   (roundToIntegral ieee_float.RoundingMode.RTN x))
  (sub ieee_float.RoundingMode.RNE
   (roundToIntegral ieee_float.RoundingMode.RTP x) x) ->
  is_negative x ->
  ((roundToIntegral ieee_float.RoundingMode.RNA x) =
   (roundToIntegral ieee_float.RoundingMode.RTN x)).
Proof.
  now apply RNA_down_tie.
Qed.

(* Why3 goal *)
Lemma RNA_up_tie :
  forall (x:t),
  eq
  (sub ieee_float.RoundingMode.RNE
   (roundToIntegral ieee_float.RoundingMode.RTP x) x)
  (sub ieee_float.RoundingMode.RNE x
   (roundToIntegral ieee_float.RoundingMode.RTN x)) ->
  is_positive x ->
  ((roundToIntegral ieee_float.RoundingMode.RNA x) =
   (roundToIntegral ieee_float.RoundingMode.RTP x)).
Proof.
  now apply RNA_up_tie.
Qed.

(* Why3 goal *)
Lemma to_int_roundToIntegral :
  forall (m:ieee_float.RoundingMode.mode) (x:t),
  ((to_int m x) = (to_int m (roundToIntegral m x))).
Proof.
  now apply to_int_roundToIntegral.
Qed.

(* Why3 goal *)
Lemma to_int_monotonic :
  forall (m:ieee_float.RoundingMode.mode) (x:t) (y:t), t'isFinite x ->
  t'isFinite y -> le x y -> ((to_int m x) <= (to_int m y))%Z.
Proof.
  apply to_int_monotonic.
Qed.

(* Why3 goal *)
Lemma to_int_of_int :
  forall (m:ieee_float.RoundingMode.mode) (i:Numbers.BinNums.Z),
  in_safe_int_range i -> ((to_int m (of_int m i)) = i).
Proof.
  intros m i h1.
  now apply to_int_of_int.
Qed.

(* Why3 goal *)
Lemma eq_to_int :
  forall (m:ieee_float.RoundingMode.mode) (x:t) (y:t), t'isFinite x ->
  eq x y -> ((to_int m x) = (to_int m y)).
Proof.
  apply eq_to_int.
Qed.

(* Why3 goal *)
Lemma neg_to_int :
  forall (m:ieee_float.RoundingMode.mode) (x:t), is_int x ->
  ((to_int m (neg x)) = (-(to_int m x))%Z).
Proof.
  apply neg_to_int.
Qed.

(* Why3 goal *)
Lemma roundToIntegral_is_finite :
  forall (m:ieee_float.RoundingMode.mode) (x:t), t'isFinite x ->
  t'isFinite (roundToIntegral m x).
Proof.
  now apply roundToIntegral_is_finite.
Qed.

(* Why3 goal *)
Lemma max_int_def : (max_int = 340282346638528859811704183484516925440%Z).
Proof.
  trivial.

Qed.

(* Why3 goal *)
Lemma max_real_def : (max_real = 340282346638528859811704183484516925440%R).
Proof.
  trivial.

Qed.

(* Why3 goal *)
Lemma round_bound_ne :
  forall (x:Reals.Rdefinitions.R),
  no_overflow ieee_float.RoundingMode.RNE x ->
  (((x - ((1 / 16777216)%R * (Reals.Rbasic_fun.Rabs x))%R)%R -
    (1 / 1427247692705959881058285969449495136382746624)%R)%R
   <= (round ieee_float.RoundingMode.RNE x))%R /\
  ((round ieee_float.RoundingMode.RNE x) <=
   ((x + ((1 / 16777216)%R * (Reals.Rbasic_fun.Rabs x))%R)%R +
    (1 / 1427247692705959881058285969449495136382746624)%R)%R)%R.
intros x h1.
Admitted.

(* Why3 goal *)
Lemma round_bound :
  forall (m:ieee_float.RoundingMode.mode) (x:Reals.Rdefinitions.R),
  no_overflow m x ->
  (((x - ((1 / 8388608)%R * (Reals.Rbasic_fun.Rabs x))%R)%R -
    (1 / 713623846352979940529142984724747568191373312)%R)%R
   <= (round m x))%R /\
  ((round m x) <=
   ((x + ((1 / 8388608)%R * (Reals.Rbasic_fun.Rabs x))%R)%R +
    (1 / 713623846352979940529142984724747568191373312)%R)%R)%R.
intros m x h1.
Admitted.

why3-1.6.0/lib/coq/ieee_float/Float64.v000066400000000000000000001207011440160026300174370ustar00rootroot00000000000000(********************************************************************)
(*                                                                  *)
(*  The Why3 Verification Platform   /   The Why3 Development Team  *)
(*  Copyright 2010-2023 --  Inria - CNRS - Paris-Saclay University  *)
(*                                                                  *)
(*  This software is distributed under the terms of the GNU Lesser  *)
(*  General Public License version 2.1, with the special exception  *)
(*  on linking described in file LICENSE.                           *)
(*                                                                  *)
(********************************************************************)

(* This file is generated by Why3's Coq-realize driver *)
(* Beware! Only edit allowed sections below    *)
Require Import BuiltIn.
Require Reals.Rbasic_fun.
Require Reals.R_sqrt.
Require BuiltIn.
Require int.Int.
Require real.Real.
Require real.RealInfix.
Require real.Abs.
Require real.FromInt.
Require real.Truncate.
Require real.Square.
Require bv.Pow2int.
Require ieee_float.RoundingMode.
Require ieee_float.GenericFloat.

Require Import Lia.
Import Flocq.Core.Core.
Import Flocq.IEEE754.BinarySingleNaN.
Import ieee_float.RoundingMode.
Import ieee_float.GenericFloat.

(* Why3 goal *)
Definition t : Type.
Proof.
  exact (t 11 53).
Defined.

(* Why3 goal *)
Definition t'real : t -> Reals.Rdefinitions.R.
Proof.
  apply B2R.
Defined.

(* Why3 goal *)
Definition t'isFinite : t -> Prop.
Proof.
  apply is_finite.
Defined.

(* Why3 goal *)
Lemma t'axiom :
  forall (x:t), t'isFinite x ->
  ((-179769313486231570814527423731704356798070567525844996598917476803157260780028538760589558632766878171540458953514382464234321326889464182768467546703537516986049910576551282076245490090389328944075868508455133942304583236903222948165808559332123348274797826204144723168738177180919299881250404026184124858368%R)%R
   <= (t'real x))%R /\
  ((t'real x) <=
   179769313486231570814527423731704356798070567525844996598917476803157260780028538760589558632766878171540458953514382464234321326889464182768467546703537516986049910576551282076245490090389328944075868508455133942304583236903222948165808559332123348274797826204144723168738177180919299881250404026184124858368%R)%R.
Proof.
intros x _.
apply Rabs_le_inv.
change 179769313486231570814527423731704356798070567525844996598917476803157260780028538760589558632766878171540458953514382464234321326889464182768467546703537516986049910576551282076245490090389328944075868508455133942304583236903222948165808559332123348274797826204144723168738177180919299881250404026184124858368%Z
  with (9007199254740991 * 19958403095347198116563727130368385660674512604354575415025472424372118918689640657849579654926357010893424468441924952439724379883935936607391717982848314203200056729510856765175377214443629871826533567445439239933308104551208703888888552684480441575071209068757560416423584952303440099278848)%Z.
rewrite mult_IZR.
change (Rbasic_fun.Rabs (B2R x) <= F2R (Float radix2 (Zpower radix2 53 - 1) (1023 - 52)))%R.
destruct x as [s|s| |s m e H] ;
  try (simpl ; rewrite Rbasic_fun.Rabs_R0 ; now apply F2R_ge_0).
simpl.
rewrite <- F2R_Zabs.
rewrite abs_cond_Zopp.
apply andb_prop in H.
destruct H as [H1 H2].
apply Zeq_bool_eq in H1.
apply Zle_bool_imp_le in H2.
rewrite Digits.Zpos_digits2_pos in H1.
apply Rmult_le_compat.
now apply (IZR_le 0).
apply bpow_ge_0.
apply IZR_le.
apply (Z.lt_le_pred (Z.abs (Zpos m)) (Zpower radix2 53)).
apply Digits.Zpower_gt_Zdigits.
revert H1.
generalize (Digits.Zdigits radix2 (Z.pos m)).
unfold SpecFloat.fexp, FLT_exp, sb.
intros ; lia.
now apply bpow_le.
Qed.

(* Why3 goal *)
Lemma eb_gt_1 : (1%Z < 11%Z)%Z.
Proof.
now simpl.
Qed.

(* Why3 goal *)
Lemma sb_gt_1 : (1%Z < 53%Z)%Z.
Proof.
now simpl.
Qed.

(* Why3 goal *)
Definition zeroF : t.
Proof.
  apply zeroF.
Defined.

(* Why3 goal *)
Definition add : ieee_float.RoundingMode.mode -> t -> t -> t.
Proof.
  now apply add.
Defined.

(* Why3 goal *)
Definition sub : ieee_float.RoundingMode.mode -> t -> t -> t.
Proof.
  now apply sub.
Defined.

(* Why3 goal *)
Definition mul : ieee_float.RoundingMode.mode -> t -> t -> t.
Proof.
  now apply mul.
Defined.

(* Why3 goal *)
Definition div : ieee_float.RoundingMode.mode -> t -> t -> t.
Proof.
  now apply div.
Defined.

(* Why3 goal *)
Definition abs : t -> t.
Proof.
  now apply abs.
Defined.

(* Why3 goal *)
Definition neg : t -> t.
Proof.
  now apply neg.
Defined.

(* Why3 goal *)
Definition fma : ieee_float.RoundingMode.mode -> t -> t -> t -> t.
Proof.
  now apply fma.
Defined.

(* Why3 goal *)
Definition sqrt : ieee_float.RoundingMode.mode -> t -> t.
Proof.
  now apply GenericFloat.sqrt.
Defined.

(* Why3 goal *)
Definition roundToIntegral : ieee_float.RoundingMode.mode -> t -> t.
Proof.
  now apply roundToIntegral.
Defined.

(* Why3 goal *)
Definition min : t -> t -> t.
Proof.
  now apply min.
Defined.

(* Why3 goal *)
Definition max : t -> t -> t.
Proof.
  now apply max.
Defined.

(* Why3 goal *)
Definition le : t -> t -> Prop.
Proof.
  apply le.
Defined.

(* Why3 goal *)
Definition lt : t -> t -> Prop.
Proof.
  apply lt.
Defined.

(* Why3 goal *)
Definition eq : t -> t -> Prop.
Proof.
  apply eq.
Defined.

(* Why3 goal *)
Definition is_normal : t -> Prop.
Proof.
  apply is_normal.
Defined.

(* Why3 goal *)
Definition is_subnormal : t -> Prop.
Proof.
  apply is_subnormal.
Defined.

(* Why3 goal *)
Definition is_zero : t -> Prop.
Proof.
  apply is_zero.
Defined.

(* Why3 goal *)
Definition is_infinite : t -> Prop.
Proof.
  apply is_infinite.
Defined.

(* Why3 goal *)
Definition is_nan : t -> Prop.
Proof.
  apply is_nan.
Defined.

(* Why3 goal *)
Definition is_positive : t -> Prop.
Proof.
  apply is_positive.
Defined.

(* Why3 goal *)
Definition is_negative : t -> Prop.
Proof.
  apply is_negative.
Defined.

(* Why3 assumption *)
Definition is_plus_infinity (x:t) : Prop := is_infinite x /\ is_positive x.

(* Why3 assumption *)
Definition is_minus_infinity (x:t) : Prop := is_infinite x /\ is_negative x.

(* Why3 assumption *)
Definition is_plus_zero (x:t) : Prop := is_zero x /\ is_positive x.

(* Why3 assumption *)
Definition is_minus_zero (x:t) : Prop := is_zero x /\ is_negative x.

(* Why3 assumption *)
Definition is_not_nan (x:t) : Prop := t'isFinite x \/ is_infinite x.

(* Why3 goal *)
Lemma is_not_nan1 : forall (x:t), is_not_nan x <-> ~ is_nan x.
Proof.
  apply is_not_nan1.
Qed.

(* Why3 goal *)
Lemma is_not_finite :
  forall (x:t), ~ t'isFinite x <-> is_infinite x \/ is_nan x.
Proof.
  apply is_not_finite.
Qed.

(* Why3 goal *)
Lemma zeroF_is_positive : is_positive zeroF.
Proof.
  apply zeroF_is_positive.
Qed.

(* Why3 goal *)
Lemma zeroF_is_zero : is_zero zeroF.
Proof.
  apply zeroF_is_zero.
Qed.

(* Why3 goal *)
Lemma zero_to_real :
  forall (x:t), is_zero x <-> t'isFinite x /\ ((t'real x) = 0%R).
Proof.
  apply zero_to_real.
Qed.

(* Why3 goal *)
Definition of_int : ieee_float.RoundingMode.mode -> Numbers.BinNums.Z -> t.
Proof.
  now apply z_to_fp.
Defined.

(* Why3 goal *)
Definition to_int : ieee_float.RoundingMode.mode -> t -> Numbers.BinNums.Z.
Proof.
  now apply fp_to_z.
Defined.

(* Why3 goal *)
Lemma zero_of_int :
  forall (m:ieee_float.RoundingMode.mode), (zeroF = (of_int m 0%Z)).
Proof.
  apply zero_of_int.
Qed.

(* Why3 goal *)
Definition round :
  ieee_float.RoundingMode.mode -> Reals.Rdefinitions.R ->
  Reals.Rdefinitions.R.
Proof.
  apply (round 11 53).
Defined.

(* Why3 goal *)
Definition max_real : Reals.Rdefinitions.R.
Proof.
  apply 179769313486231570814527423731704356798070567525844996598917476803157260780028538760589558632766878171540458953514382464234321326889464182768467546703537516986049910576551282076245490090389328944075868508455133942304583236903222948165808559332123348274797826204144723168738177180919299881250404026184124858368%R.
Defined.

(* Why3 goal *)
Definition max_int : Numbers.BinNums.Z.
Proof.
  apply 179769313486231570814527423731704356798070567525844996598917476803157260780028538760589558632766878171540458953514382464234321326889464182768467546703537516986049910576551282076245490090389328944075868508455133942304583236903222948165808559332123348274797826204144723168738177180919299881250404026184124858368%Z.
Defined.

(* Why3 goal *)
Lemma max_int_spec :
  (max_int =
   ((bv.Pow2int.pow2 (bv.Pow2int.pow2 (11%Z - 1%Z)%Z)) -
    (bv.Pow2int.pow2 ((bv.Pow2int.pow2 (11%Z - 1%Z)%Z) - 53%Z)%Z))%Z).
Proof.
now simpl.
Qed.

(* Why3 goal *)
Lemma max_real_int : (max_real = (BuiltIn.IZR max_int)).
Proof.
now apply IZR_eq.
Qed.

Lemma max_real_cst :
  GenericFloat.max_real 11 53 = max_real%R.
Proof.
  rewrite <- max_real_is_F2R.
  change (F2R (Float radix2 _ _)) with (IZR 9007199254740991 * IZR (Zpower 2 971))%R.
  now rewrite <- mult_IZR.
Qed.

(* Why3 assumption *)
Definition in_range (x:Reals.Rdefinitions.R) : Prop :=
  ((-max_real)%R <= x)%R /\ (x <= max_real)%R.

(* Why3 assumption *)
Definition in_int_range (i:Numbers.BinNums.Z) : Prop :=
  ((-max_int)%Z <= i)%Z /\ (i <= max_int)%Z.

(* Why3 goal *)
Lemma is_finite : forall (x:t), t'isFinite x -> in_range (t'real x).
Proof.
  unfold t'isFinite, in_range.
  intros x Hx.
  rewrite <- max_real_cst.
  now apply is_finite1.
Qed.

(* Why3 assumption *)
Definition no_overflow (m:ieee_float.RoundingMode.mode)
    (x:Reals.Rdefinitions.R) : Prop :=
  in_range (round m x).

(* Why3 goal *)
Lemma Bounded_real_no_overflow :
  forall (m:ieee_float.RoundingMode.mode) (x:Reals.Rdefinitions.R),
  in_range x -> no_overflow m x.
Proof.
  unfold no_overflow, in_range.
  rewrite <- max_real_cst.
  now apply (Bounded_real_no_overflow 11 53).
Qed.

(* Why3 goal *)
Lemma Round_monotonic :
  forall (m:ieee_float.RoundingMode.mode) (x:Reals.Rdefinitions.R)
    (y:Reals.Rdefinitions.R),
  (x <= y)%R -> ((round m x) <= (round m y))%R.
Proof.
  apply Round_monotonic.
Qed.

(* Why3 goal *)
Lemma Round_idempotent :
  forall (m1:ieee_float.RoundingMode.mode) (m2:ieee_float.RoundingMode.mode)
    (x:Reals.Rdefinitions.R),
  ((round m1 (round m2 x)) = (round m2 x)).
Proof.
  apply Round_idempotent.
Qed.

(* Why3 goal *)
Lemma Round_to_real :
  forall (m:ieee_float.RoundingMode.mode) (x:t), t'isFinite x ->
  ((round m (t'real x)) = (t'real x)).
Proof.
  apply Round_to_real.
Qed.

(* Why3 goal *)
Lemma Round_down_le :
  forall (x:Reals.Rdefinitions.R),
  ((round ieee_float.RoundingMode.RTN x) <= x)%R.
Proof.
  apply Round_down_le.
Qed.

(* Why3 goal *)
Lemma Round_up_ge :
  forall (x:Reals.Rdefinitions.R),
  (x <= (round ieee_float.RoundingMode.RTP x))%R.
Proof.
  apply Round_up_ge.
Qed.

(* Why3 goal *)
Lemma Round_down_neg :
  forall (x:Reals.Rdefinitions.R),
  ((round ieee_float.RoundingMode.RTN (-x)%R) =
   (-(round ieee_float.RoundingMode.RTP x))%R).
Proof.
  apply Round_down_neg.
Qed.

(* Why3 goal *)
Lemma Round_up_neg :
  forall (x:Reals.Rdefinitions.R),
  ((round ieee_float.RoundingMode.RTP (-x)%R) =
   (-(round ieee_float.RoundingMode.RTN x))%R).
Proof.
  apply Round_up_neg.
Qed.

(* Why3 goal *)
Lemma pow2sb1 : (9007199254740992%Z = (bv.Pow2int.pow2 53%Z)).
Proof.
now simpl.
Qed.

(* Why3 assumption *)
Definition in_safe_int_range (i:Numbers.BinNums.Z) : Prop :=
  ((-9007199254740992%Z)%Z <= i)%Z /\ (i <= 9007199254740992%Z)%Z.

(* Why3 goal *)
Lemma Exact_rounding_for_integers :
  forall (m:ieee_float.RoundingMode.mode) (i:Numbers.BinNums.Z),
  in_safe_int_range i -> ((round m (BuiltIn.IZR i)) = (BuiltIn.IZR i)).
Proof.
  intros m i h1.
  now apply Exact_rounding_for_integers.
Qed.

(* Why3 assumption *)
Definition same_sign (x:t) (y:t) : Prop :=
  is_positive x /\ is_positive y \/ is_negative x /\ is_negative y.

(* Why3 assumption *)
Definition diff_sign (x:t) (y:t) : Prop :=
  is_positive x /\ is_negative y \/ is_negative x /\ is_positive y.

(* Why3 goal *)
Lemma feq_eq :
  forall (x:t) (y:t), t'isFinite x -> t'isFinite y -> ~ is_zero x ->
  eq x y -> (x = y).
Proof.
  apply feq_eq.
Qed.

(* Why3 goal *)
Lemma eq_feq :
  forall (x:t) (y:t), t'isFinite x -> t'isFinite y -> (x = y) -> eq x y.
Proof.
  apply eq_feq.
Qed.

(* Why3 goal *)
Lemma eq_refl : forall (x:t), t'isFinite x -> eq x x.
Proof.
  apply eq_refl.
Qed.

(* Why3 goal *)
Lemma eq_sym : forall (x:t) (y:t), eq x y -> eq y x.
Proof.
  apply eq_sym.
Qed.

(* Why3 goal *)
Lemma eq_trans : forall (x:t) (y:t) (z:t), eq x y -> eq y z -> eq x z.
Proof.
  apply eq_trans.
Qed.

(* Why3 goal *)
Lemma eq_zero : eq zeroF (neg zeroF).
Proof.
  apply eq_zero.
Qed.

(* Why3 goal *)
Lemma eq_to_real_finite :
  forall (x:t) (y:t), t'isFinite x /\ t'isFinite y ->
  eq x y <-> ((t'real x) = (t'real y)).
Proof.
  apply eq_to_real_finite.
Qed.

(* Why3 goal *)
Lemma eq_special :
  forall (x:t) (y:t), eq x y ->
  is_not_nan x /\
  is_not_nan y /\
  (t'isFinite x /\ t'isFinite y \/
   is_infinite x /\ is_infinite y /\ same_sign x y).
Proof.
  apply eq_special.
Qed.

(* Why3 goal *)
Lemma lt_finite :
  forall (x:t) (y:t), t'isFinite x /\ t'isFinite y ->
  lt x y <-> ((t'real x) < (t'real y))%R.
Proof.
  apply lt_finite.
Qed.

(* Why3 goal *)
Lemma le_finite :
  forall (x:t) (y:t), t'isFinite x /\ t'isFinite y ->
  le x y <-> ((t'real x) <= (t'real y))%R.
Proof.
  apply le_finite.
Qed.

(* Why3 goal *)
Lemma le_lt_trans : forall (x:t) (y:t) (z:t), le x y /\ lt y z -> lt x z.
Proof.
  apply le_lt_trans.
Qed.

(* Why3 goal *)
Lemma lt_le_trans : forall (x:t) (y:t) (z:t), lt x y /\ le y z -> lt x z.
Proof.
  apply lt_le_trans.
Qed.

(* Why3 goal *)
Lemma le_ge_asym : forall (x:t) (y:t), le x y /\ le y x -> eq x y.
Proof.
  apply le_ge_asym.
Qed.

(* Why3 goal *)
Lemma not_lt_ge :
  forall (x:t) (y:t), ~ lt x y /\ is_not_nan x /\ is_not_nan y -> le y x.
Proof.
  apply not_lt_ge.
Qed.

(* Why3 goal *)
Lemma not_gt_le :
  forall (x:t) (y:t), ~ lt y x /\ is_not_nan x /\ is_not_nan y -> le x y.
Proof.
 apply not_gt_le.
Qed.

(* Why3 goal *)
Lemma le_special :
  forall (x:t) (y:t), le x y ->
  t'isFinite x /\ t'isFinite y \/
  is_minus_infinity x /\ is_not_nan y \/ is_not_nan x /\ is_plus_infinity y.
Proof.
  apply le_special.
Qed.

(* Why3 goal *)
Lemma lt_special :
  forall (x:t) (y:t), lt x y ->
  t'isFinite x /\ t'isFinite y \/
  is_minus_infinity x /\ is_not_nan y /\ ~ is_minus_infinity y \/
  is_not_nan x /\ ~ is_plus_infinity x /\ is_plus_infinity y.
Proof.
  apply lt_special.
Qed.

(* Why3 goal *)
Lemma lt_lt_finite :
  forall (x:t) (y:t) (z:t), lt x y -> lt y z -> t'isFinite y.
Proof.
  apply lt_lt_finite.
Qed.

(* Why3 goal *)
Lemma positive_to_real :
  forall (x:t), t'isFinite x -> is_positive x -> (0%R <= (t'real x))%R.
Proof.
  apply positive_to_real.
Qed.

(* Why3 goal *)
Lemma to_real_positive :
  forall (x:t), t'isFinite x -> (0%R < (t'real x))%R -> is_positive x.
Proof.
  apply to_real_positive.
Qed.

(* Why3 goal *)
Lemma negative_to_real :
  forall (x:t), t'isFinite x -> is_negative x -> ((t'real x) <= 0%R)%R.
Proof.
  apply negative_to_real.
Qed.

(* Why3 goal *)
Lemma to_real_negative :
  forall (x:t), t'isFinite x -> ((t'real x) < 0%R)%R -> is_negative x.
Proof.
  apply to_real_negative.
Qed.

(* Why3 goal *)
Lemma negative_xor_positive :
  forall (x:t), ~ (is_positive x /\ is_negative x).
Proof.
  apply negative_xor_positive.
Qed.

(* Why3 goal *)
Lemma negative_or_positive :
  forall (x:t), is_not_nan x -> is_positive x \/ is_negative x.
Proof.
  apply negative_or_positive.
Qed.

(* Why3 goal *)
Lemma diff_sign_trans :
  forall (x:t) (y:t) (z:t), diff_sign x y /\ diff_sign y z -> same_sign x z.
Proof.
  apply diff_sign_trans.
Qed.

(* Why3 goal *)
Lemma diff_sign_product :
  forall (x:t) (y:t),
  t'isFinite x /\ t'isFinite y /\ (((t'real x) * (t'real y))%R < 0%R)%R ->
  diff_sign x y.
Proof.
  apply diff_sign_product.
Qed.

(* Why3 goal *)
Lemma same_sign_product :
  forall (x:t) (y:t), t'isFinite x /\ t'isFinite y /\ same_sign x y ->
  (0%R <= ((t'real x) * (t'real y))%R)%R.
Proof.
  apply same_sign_product.
Qed.

(* Why3 assumption *)
Definition product_sign (z:t) (x:t) (y:t) : Prop :=
  (same_sign x y -> is_positive z) /\ (diff_sign x y -> is_negative z).

(* Why3 assumption *)
Definition overflow_value (m:ieee_float.RoundingMode.mode) (x:t) : Prop :=
  match m with
  | ieee_float.RoundingMode.RTN =>
      (is_positive x -> t'isFinite x /\ ((t'real x) = max_real)) /\
      (~ is_positive x -> is_infinite x)
  | ieee_float.RoundingMode.RTP =>
      (is_positive x -> is_infinite x) /\
      (~ is_positive x -> t'isFinite x /\ ((t'real x) = (-max_real)%R))
  | ieee_float.RoundingMode.RTZ =>
      (is_positive x -> t'isFinite x /\ ((t'real x) = max_real)) /\
      (~ is_positive x -> t'isFinite x /\ ((t'real x) = (-max_real)%R))
  | ieee_float.RoundingMode.RNA|ieee_float.RoundingMode.RNE => is_infinite x
  end.

(* Why3 assumption *)
Definition sign_zero_result (m:ieee_float.RoundingMode.mode) (x:t) : Prop :=
  is_zero x ->
  match m with
  | ieee_float.RoundingMode.RTN => is_negative x
  | _ => is_positive x
  end.

(* Why3 goal *)
Lemma add_finite :
  forall (m:ieee_float.RoundingMode.mode) (x:t) (y:t), t'isFinite x ->
  t'isFinite y -> no_overflow m ((t'real x) + (t'real y))%R ->
  t'isFinite (add m x y) /\
  ((t'real (add m x y)) = (round m ((t'real x) + (t'real y))%R)).
Proof.
  intros m x y h1 h2 h3.
  apply add_finite ; try easy.
  unfold no_overflow, in_range in h3.
  now rewrite <- max_real_cst in h3.
Qed.

(* Why3 goal *)
Lemma add_finite_rev :
  forall (m:ieee_float.RoundingMode.mode) (x:t) (y:t),
  t'isFinite (add m x y) -> t'isFinite x /\ t'isFinite y.
Proof.
  apply add_finite_rev.
Qed.

(* Why3 goal *)
Lemma add_finite_rev_n :
  forall (m:ieee_float.RoundingMode.mode) (x:t) (y:t),
  ieee_float.RoundingMode.to_nearest m -> t'isFinite (add m x y) ->
  no_overflow m ((t'real x) + (t'real y))%R /\
  ((t'real (add m x y)) = (round m ((t'real x) + (t'real y))%R)).
Proof.
  intros m x y h1 h2.
  unfold no_overflow, in_range.
  rewrite <- max_real_cst.
  now apply add_finite_rev_n.
Qed.

(* Why3 goal *)
Lemma sub_finite :
  forall (m:ieee_float.RoundingMode.mode) (x:t) (y:t), t'isFinite x ->
  t'isFinite y -> no_overflow m ((t'real x) - (t'real y))%R ->
  t'isFinite (sub m x y) /\
  ((t'real (sub m x y)) = (round m ((t'real x) - (t'real y))%R)).
Proof.
  intros m x y h1 h2 h3.
  apply sub_finite ; try easy.
  unfold no_overflow, in_range in h3.
  now rewrite <- max_real_cst in h3.
Qed.

(* Why3 goal *)
Lemma sub_finite_rev :
  forall (m:ieee_float.RoundingMode.mode) (x:t) (y:t),
  t'isFinite (sub m x y) -> t'isFinite x /\ t'isFinite y.
Proof.
  apply sub_finite_rev.
Qed.

(* Why3 goal *)
Lemma sub_finite_rev_n :
  forall (m:ieee_float.RoundingMode.mode) (x:t) (y:t),
  ieee_float.RoundingMode.to_nearest m -> t'isFinite (sub m x y) ->
  no_overflow m ((t'real x) - (t'real y))%R /\
  ((t'real (sub m x y)) = (round m ((t'real x) - (t'real y))%R)).
Proof.
  intros m x y h1 h2.
  unfold no_overflow, in_range.
  rewrite <- max_real_cst.
  now apply sub_finite_rev_n.
Qed.

(* Why3 goal *)
Lemma mul_finite :
  forall (m:ieee_float.RoundingMode.mode) (x:t) (y:t), t'isFinite x ->
  t'isFinite y -> no_overflow m ((t'real x) * (t'real y))%R ->
  t'isFinite (mul m x y) /\
  ((t'real (mul m x y)) = (round m ((t'real x) * (t'real y))%R)).
Proof.
  intros m x y h1 h2 h3.
  apply mul_finite ; try easy.
  unfold no_overflow, in_range in h3.
  now rewrite <- max_real_cst in h3.
Qed.

(* Why3 goal *)
Lemma mul_finite_rev :
  forall (m:ieee_float.RoundingMode.mode) (x:t) (y:t),
  t'isFinite (mul m x y) -> t'isFinite x /\ t'isFinite y.
Proof.
  apply mul_finite_rev.
Qed.

(* Why3 goal *)
Lemma mul_finite_rev_n :
  forall (m:ieee_float.RoundingMode.mode) (x:t) (y:t),
  ieee_float.RoundingMode.to_nearest m -> t'isFinite (mul m x y) ->
  no_overflow m ((t'real x) * (t'real y))%R /\
  ((t'real (mul m x y)) = (round m ((t'real x) * (t'real y))%R)).
Proof.
  intros m x y h1 h2.
  unfold no_overflow, in_range.
  rewrite <- max_real_cst.
  now apply mul_finite_rev_n.
Qed.

(* Why3 goal *)
Lemma div_finite :
  forall (m:ieee_float.RoundingMode.mode) (x:t) (y:t), t'isFinite x ->
  t'isFinite y -> ~ is_zero y -> no_overflow m ((t'real x) / (t'real y))%R ->
  t'isFinite (div m x y) /\
  ((t'real (div m x y)) = (round m ((t'real x) / (t'real y))%R)).
Proof.
  intros m x y h1 h2 h3 h4.
  apply div_finite ; try easy.
  unfold no_overflow, in_range in h4.
  now rewrite <- max_real_cst in h4.
Qed.

(* Why3 goal *)
Lemma div_finite_rev :
  forall (m:ieee_float.RoundingMode.mode) (x:t) (y:t),
  t'isFinite (div m x y) ->
  t'isFinite x /\ t'isFinite y /\ ~ is_zero y \/
  t'isFinite x /\ is_infinite y /\ ((t'real (div m x y)) = 0%R).
Proof.
  apply div_finite_rev.
Qed.

(* Why3 goal *)
Lemma div_finite_rev_n :
  forall (m:ieee_float.RoundingMode.mode) (x:t) (y:t),
  ieee_float.RoundingMode.to_nearest m -> t'isFinite (div m x y) ->
  t'isFinite y ->
  no_overflow m ((t'real x) / (t'real y))%R /\
  ((t'real (div m x y)) = (round m ((t'real x) / (t'real y))%R)).
Proof.
  intros m x y h1 h2 h3.
  unfold no_overflow, in_range.
  rewrite <- max_real_cst.
  now apply div_finite_rev_n.
Qed.

(* Why3 goal *)
Lemma neg_finite :
  forall (x:t), t'isFinite x ->
  t'isFinite (neg x) /\ ((t'real (neg x)) = (-(t'real x))%R).
Proof.
  apply neg_finite.
Qed.

(* Why3 goal *)
Lemma neg_finite_rev :
  forall (x:t), t'isFinite (neg x) ->
  t'isFinite x /\ ((t'real (neg x)) = (-(t'real x))%R).
Proof.
  apply neg_finite_rev.
Qed.

(* Why3 goal *)
Lemma abs_finite :
  forall (x:t), t'isFinite x ->
  t'isFinite (abs x) /\
  ((t'real (abs x)) = (Reals.Rbasic_fun.Rabs (t'real x))) /\
  is_positive (abs x).
Proof.
  apply abs_finite.
Qed.

(* Why3 goal *)
Lemma abs_finite_rev :
  forall (x:t), t'isFinite (abs x) ->
  t'isFinite x /\ ((t'real (abs x)) = (Reals.Rbasic_fun.Rabs (t'real x))).
Proof.
  apply abs_finite_rev.
Qed.

(* Why3 goal *)
Lemma abs_universal : forall (x:t), ~ is_negative (abs x).
Proof.
  apply abs_universal.
Qed.

(* Why3 goal *)
Lemma fma_finite :
  forall (m:ieee_float.RoundingMode.mode) (x:t) (y:t) (z:t), t'isFinite x ->
  t'isFinite y -> t'isFinite z ->
  no_overflow m (((t'real x) * (t'real y))%R + (t'real z))%R ->
  t'isFinite (fma m x y z) /\
  ((t'real (fma m x y z)) =
   (round m (((t'real x) * (t'real y))%R + (t'real z))%R)).
Proof.
  intros m x y z h1 h2 h3 h4.
  apply fma_finite ; try easy.
  unfold no_overflow, in_range in h4.
  now rewrite <- max_real_cst in h4.
Qed.

(* Why3 goal *)
Lemma fma_finite_rev :
  forall (m:ieee_float.RoundingMode.mode) (x:t) (y:t) (z:t),
  t'isFinite (fma m x y z) -> t'isFinite x /\ t'isFinite y /\ t'isFinite z.
Proof.
  now apply fma_finite_rev.
Qed.

(* Why3 goal *)
Lemma fma_finite_rev_n :
  forall (m:ieee_float.RoundingMode.mode) (x:t) (y:t) (z:t),
  ieee_float.RoundingMode.to_nearest m -> t'isFinite (fma m x y z) ->
  no_overflow m (((t'real x) * (t'real y))%R + (t'real z))%R /\
  ((t'real (fma m x y z)) =
   (round m (((t'real x) * (t'real y))%R + (t'real z))%R)).
Proof.
  intros m x y z h1 h2.
  unfold no_overflow, in_range.
  rewrite <- max_real_cst.
  now apply fma_finite_rev_n.
Qed.

(* Why3 goal *)
Lemma sqrt_finite :
  forall (m:ieee_float.RoundingMode.mode) (x:t), t'isFinite x ->
  (0%R <= (t'real x))%R ->
  t'isFinite (sqrt m x) /\
  ((t'real (sqrt m x)) = (round m (Reals.R_sqrt.sqrt (t'real x)))).
Proof.
  apply sqrt_finite.
Qed.

(* Why3 goal *)
Lemma sqrt_finite_rev :
  forall (m:ieee_float.RoundingMode.mode) (x:t), t'isFinite (sqrt m x) ->
  t'isFinite x /\
  (0%R <= (t'real x))%R /\
  ((t'real (sqrt m x)) = (round m (Reals.R_sqrt.sqrt (t'real x)))).
Proof.
  apply sqrt_finite_rev.
Qed.

(* Why3 assumption *)
Definition same_sign_real (x:t) (r:Reals.Rdefinitions.R) : Prop :=
  is_positive x /\ (0%R < r)%R \/ is_negative x /\ (r < 0%R)%R.

(* Why3 goal *)
Lemma add_special :
  forall (m:ieee_float.RoundingMode.mode) (x:t) (y:t),
  let r := add m x y in
  (is_nan x \/ is_nan y -> is_nan r) /\
  (t'isFinite x /\ is_infinite y -> is_infinite r /\ same_sign r y) /\
  (is_infinite x /\ t'isFinite y -> is_infinite r /\ same_sign r x) /\
  (is_infinite x /\ is_infinite y /\ same_sign x y ->
   is_infinite r /\ same_sign r x) /\
  (is_infinite x /\ is_infinite y /\ diff_sign x y -> is_nan r) /\
  (t'isFinite x /\
   t'isFinite y /\ ~ no_overflow m ((t'real x) + (t'real y))%R ->
   same_sign_real r ((t'real x) + (t'real y))%R /\ overflow_value m r) /\
  (t'isFinite x /\ t'isFinite y ->
   (same_sign x y -> same_sign r x) /\
   (~ same_sign x y -> sign_zero_result m r)).
Proof.
  intros m x y r.
  unfold no_overflow, in_range, overflow_value.
  rewrite <- max_real_cst.
  now apply add_special.
Qed.

(* Why3 goal *)
Lemma sub_special :
  forall (m:ieee_float.RoundingMode.mode) (x:t) (y:t),
  let r := sub m x y in
  (is_nan x \/ is_nan y -> is_nan r) /\
  (t'isFinite x /\ is_infinite y -> is_infinite r /\ diff_sign r y) /\
  (is_infinite x /\ t'isFinite y -> is_infinite r /\ same_sign r x) /\
  (is_infinite x /\ is_infinite y /\ same_sign x y -> is_nan r) /\
  (is_infinite x /\ is_infinite y /\ diff_sign x y ->
   is_infinite r /\ same_sign r x) /\
  (t'isFinite x /\
   t'isFinite y /\ ~ no_overflow m ((t'real x) - (t'real y))%R ->
   same_sign_real r ((t'real x) - (t'real y))%R /\ overflow_value m r) /\
  (t'isFinite x /\ t'isFinite y ->
   (diff_sign x y -> same_sign r x) /\
   (~ diff_sign x y -> sign_zero_result m r)).
Proof.
  intros m x y r.
  unfold no_overflow, in_range, overflow_value.
  rewrite <- max_real_cst.
  now apply sub_special.
Qed.

(* Why3 goal *)
Lemma mul_special :
  forall (m:ieee_float.RoundingMode.mode) (x:t) (y:t),
  let r := mul m x y in
  (is_nan x \/ is_nan y -> is_nan r) /\
  (is_zero x /\ is_infinite y -> is_nan r) /\
  (t'isFinite x /\ is_infinite y /\ ~ is_zero x -> is_infinite r) /\
  (is_infinite x /\ is_zero y -> is_nan r) /\
  (is_infinite x /\ t'isFinite y /\ ~ is_zero y -> is_infinite r) /\
  (is_infinite x /\ is_infinite y -> is_infinite r) /\
  (t'isFinite x /\
   t'isFinite y /\ ~ no_overflow m ((t'real x) * (t'real y))%R ->
   overflow_value m r) /\
  (~ is_nan r -> product_sign r x y).
Proof.
  intros m x y r.
  unfold no_overflow, in_range, overflow_value.
  rewrite <- max_real_cst.
  now apply mul_special.
Qed.

(* Why3 goal *)
Lemma div_special :
  forall (m:ieee_float.RoundingMode.mode) (x:t) (y:t),
  let r := div m x y in
  (is_nan x \/ is_nan y -> is_nan r) /\
  (t'isFinite x /\ is_infinite y -> is_zero r) /\
  (is_infinite x /\ t'isFinite y -> is_infinite r) /\
  (is_infinite x /\ is_infinite y -> is_nan r) /\
  (t'isFinite x /\
   t'isFinite y /\ ~ is_zero y /\ ~ no_overflow m ((t'real x) / (t'real y))%R ->
   overflow_value m r) /\
  (t'isFinite x /\ is_zero y /\ ~ is_zero x -> is_infinite r) /\
  (is_zero x /\ is_zero y -> is_nan r) /\ (~ is_nan r -> product_sign r x y).
Proof.
  intros m x y r.
  unfold no_overflow, in_range, overflow_value.
  rewrite <- max_real_cst.
  now apply div_special.
Qed.

(* Why3 goal *)
Lemma neg_special :
  forall (x:t),
  (is_nan x -> is_nan (neg x)) /\
  (is_infinite x -> is_infinite (neg x)) /\
  (~ is_nan x -> diff_sign x (neg x)).
Proof.
  apply neg_special.
Qed.

(* Why3 goal *)
Lemma abs_special :
  forall (x:t),
  (is_nan x -> is_nan (abs x)) /\
  (is_infinite x -> is_infinite (abs x)) /\
  (~ is_nan x -> is_positive (abs x)).
Proof.
  apply abs_special.
Qed.

(* Why3 goal *)
Lemma fma_special :
  forall (m:ieee_float.RoundingMode.mode) (x:t) (y:t) (z:t),
  let r := fma m x y z in
  (is_nan x \/ is_nan y \/ is_nan z -> is_nan r) /\
  (is_zero x /\ is_infinite y -> is_nan r) /\
  (is_infinite x /\ is_zero y -> is_nan r) /\
  (t'isFinite x /\ ~ is_zero x /\ is_infinite y /\ t'isFinite z ->
   is_infinite r /\ product_sign r x y) /\
  (t'isFinite x /\ ~ is_zero x /\ is_infinite y /\ is_infinite z ->
   (product_sign z x y -> is_infinite r /\ same_sign r z) /\
   (~ product_sign z x y -> is_nan r)) /\
  (is_infinite x /\ t'isFinite y /\ ~ is_zero y /\ t'isFinite z ->
   is_infinite r /\ product_sign r x y) /\
  (is_infinite x /\ t'isFinite y /\ ~ is_zero y /\ is_infinite z ->
   (product_sign z x y -> is_infinite r /\ same_sign r z) /\
   (~ product_sign z x y -> is_nan r)) /\
  (is_infinite x /\ is_infinite y /\ t'isFinite z ->
   is_infinite r /\ product_sign r x y) /\
  (t'isFinite x /\ t'isFinite y /\ is_infinite z ->
   is_infinite r /\ same_sign r z) /\
  (is_infinite x /\ is_infinite y /\ is_infinite z ->
   (product_sign z x y -> is_infinite r /\ same_sign r z) /\
   (~ product_sign z x y -> is_nan r)) /\
  (t'isFinite x /\
   t'isFinite y /\
   t'isFinite z /\
   ~ no_overflow m (((t'real x) * (t'real y))%R + (t'real z))%R ->
   same_sign_real r (((t'real x) * (t'real y))%R + (t'real z))%R /\
   overflow_value m r) /\
  (t'isFinite x /\ t'isFinite y /\ t'isFinite z ->
   (product_sign z x y -> same_sign r z) /\
   (~ product_sign z x y ->
    ((((t'real x) * (t'real y))%R + (t'real z))%R = 0%R) ->
    ((m = ieee_float.RoundingMode.RTN) -> is_negative r) /\
    (~ (m = ieee_float.RoundingMode.RTN) -> is_positive r))).
Proof.
  intros m x y z r.
  unfold no_overflow, in_range, overflow_value.
  rewrite <- max_real_cst.
  now apply fma_special.
Qed.

(* Why3 goal *)
Lemma sqrt_special :
  forall (m:ieee_float.RoundingMode.mode) (x:t),
  let r := sqrt m x in
  (is_nan x -> is_nan r) /\
  (is_plus_infinity x -> is_plus_infinity r) /\
  (is_minus_infinity x -> is_nan r) /\
  (t'isFinite x /\ ((t'real x) < 0%R)%R -> is_nan r) /\
  (is_zero x -> same_sign r x) /\
  (t'isFinite x /\ (0%R < (t'real x))%R -> is_positive r).
Proof.
  apply sqrt_special.
Qed.

(* Why3 goal *)
Lemma of_int_add_exact :
  forall (m:ieee_float.RoundingMode.mode) (n:ieee_float.RoundingMode.mode)
    (i:Numbers.BinNums.Z) (j:Numbers.BinNums.Z),
  in_safe_int_range i -> in_safe_int_range j ->
  in_safe_int_range (i + j)%Z ->
  eq (of_int m (i + j)%Z) (add n (of_int m i) (of_int m j)).
Proof.
  intros m n i j h1 h2 h3.
  now apply of_int_add_exact.
Qed.

(* Why3 goal *)
Lemma of_int_sub_exact :
  forall (m:ieee_float.RoundingMode.mode) (n:ieee_float.RoundingMode.mode)
    (i:Numbers.BinNums.Z) (j:Numbers.BinNums.Z),
  in_safe_int_range i -> in_safe_int_range j ->
  in_safe_int_range (i - j)%Z ->
  eq (of_int m (i - j)%Z) (sub n (of_int m i) (of_int m j)).
Proof.
  intros m n i j h1 h2 h3.
  now apply of_int_sub_exact.
Qed.

(* Why3 goal *)
Lemma of_int_mul_exact :
  forall (m:ieee_float.RoundingMode.mode) (n:ieee_float.RoundingMode.mode)
    (i:Numbers.BinNums.Z) (j:Numbers.BinNums.Z),
  in_safe_int_range i -> in_safe_int_range j ->
  in_safe_int_range (i * j)%Z ->
  eq (of_int m (i * j)%Z) (mul n (of_int m i) (of_int m j)).
Proof.
  intros m n i j h1 h2 h3.
  now apply of_int_mul_exact.
Qed.

(* Why3 goal *)
Lemma Min_r : forall (x:t) (y:t), le y x -> eq (min x y) y.
Proof.
  apply Min_r.
Qed.

(* Why3 goal *)
Lemma Min_l : forall (x:t) (y:t), le x y -> eq (min x y) x.
Proof.
  apply Min_l.
Qed.

(* Why3 goal *)
Lemma Max_r : forall (x:t) (y:t), le y x -> eq (max x y) x.
Proof.
  apply Max_r.
Qed.

(* Why3 goal *)
Lemma Max_l : forall (x:t) (y:t), le x y -> eq (max x y) y.
Proof.
  apply Max_l.
Qed.

(* Why3 goal *)
Definition is_int : t -> Prop.
Proof.
  apply is_int.
Defined.

(* Why3 goal *)
Lemma zeroF_is_int : is_int zeroF.
Proof.
  apply zeroF_is_int.
Qed.

(* Why3 goal *)
Lemma of_int_is_int :
  forall (m:ieee_float.RoundingMode.mode) (x:Numbers.BinNums.Z),
  in_int_range x -> is_int (of_int m x).
Proof.
  intros m x h1.
  now apply of_int_is_int.
Qed.

(* Why3 goal *)
Lemma big_float_is_int :
  forall (m:ieee_float.RoundingMode.mode) (i:t), t'isFinite i ->
  le i (neg (of_int m 9007199254740992%Z)) \/
  le (of_int m 9007199254740992%Z) i -> is_int i.
Proof.
  now apply big_float_is_int.
Qed.

(* Why3 goal *)
Lemma roundToIntegral_is_int :
  forall (m:ieee_float.RoundingMode.mode) (x:t), t'isFinite x ->
  is_int (roundToIntegral m x).
Proof.
  now apply roundToIntegral_is_int.
Qed.

(* Why3 goal *)
Lemma eq_is_int : forall (x:t) (y:t), eq x y -> is_int x -> is_int y.
Proof.
  apply eq_is_int.
Qed.

(* Why3 goal *)
Lemma add_int :
  forall (x:t) (y:t) (m:ieee_float.RoundingMode.mode), is_int x ->
  is_int y -> t'isFinite (add m x y) -> is_int (add m x y).
Proof.
  now apply add_int.
Qed.

(* Why3 goal *)
Lemma sub_int :
  forall (x:t) (y:t) (m:ieee_float.RoundingMode.mode), is_int x ->
  is_int y -> t'isFinite (sub m x y) -> is_int (sub m x y).
Proof.
  now apply sub_int.
Qed.

(* Why3 goal *)
Lemma mul_int :
  forall (x:t) (y:t) (m:ieee_float.RoundingMode.mode), is_int x ->
  is_int y -> t'isFinite (mul m x y) -> is_int (mul m x y).
Proof.
  now apply mul_int.
Qed.

(* Why3 goal *)
Lemma fma_int :
  forall (x:t) (y:t) (z:t) (m:ieee_float.RoundingMode.mode), is_int x ->
  is_int y -> is_int z -> t'isFinite (fma m x y z) -> is_int (fma m x y z).
Proof.
  now apply fma_int.
Qed.

(* Why3 goal *)
Lemma neg_int : forall (x:t), is_int x -> is_int (neg x).
Proof.
  apply neg_int.
Qed.

(* Why3 goal *)
Lemma abs_int : forall (x:t), is_int x -> is_int (abs x).
Proof.
  apply abs_int.
Qed.

(* Why3 goal *)
Lemma is_int_of_int :
  forall (x:t) (m:ieee_float.RoundingMode.mode)
    (m':ieee_float.RoundingMode.mode),
  is_int x -> eq x (of_int m' (to_int m x)).
Proof.
  now apply is_int_of_int.
Qed.

(* Why3 goal *)
Lemma is_int_to_int :
  forall (m:ieee_float.RoundingMode.mode) (x:t), is_int x ->
  in_int_range (to_int m x).
Proof.
  now apply is_int_to_int.
Qed.

(* Why3 goal *)
Lemma is_int_is_finite : forall (x:t), is_int x -> t'isFinite x.
Proof.
  apply is_int_is_finite.
Qed.

(* Why3 goal *)
Lemma int_to_real :
  forall (m:ieee_float.RoundingMode.mode) (x:t), is_int x ->
  ((t'real x) = (BuiltIn.IZR (to_int m x))).
Proof.
  apply int_to_real.
Qed.

(* Why3 goal *)
Lemma truncate_int :
  forall (m:ieee_float.RoundingMode.mode) (i:t), is_int i ->
  eq (roundToIntegral m i) i.
Proof.
  now apply truncate_int.
Qed.

(* Why3 goal *)
Lemma truncate_neg :
  forall (x:t), t'isFinite x -> is_negative x ->
  ((roundToIntegral ieee_float.RoundingMode.RTZ x) =
   (roundToIntegral ieee_float.RoundingMode.RTP x)).
Proof.
  apply truncate_neg.
Qed.

(* Why3 goal *)
Lemma truncate_pos :
  forall (x:t), t'isFinite x -> is_positive x ->
  ((roundToIntegral ieee_float.RoundingMode.RTZ x) =
   (roundToIntegral ieee_float.RoundingMode.RTN x)).
Proof.
  apply truncate_pos.
Qed.

(* Why3 goal *)
Lemma ceil_le :
  forall (x:t), t'isFinite x ->
  le x (roundToIntegral ieee_float.RoundingMode.RTP x).
Proof.
  now apply ceil_le.
Qed.

(* Why3 goal *)
Lemma ceil_lest :
  forall (x:t) (y:t), le x y /\ is_int y ->
  le (roundToIntegral ieee_float.RoundingMode.RTP x) y.
Proof.
  now apply ceil_lest.
Qed.

(* Why3 goal *)
Lemma ceil_to_real :
  forall (x:t), t'isFinite x ->
  ((t'real (roundToIntegral ieee_float.RoundingMode.RTP x)) =
   (BuiltIn.IZR (real.Truncate.ceil (t'real x)))).
Proof.
  now apply ceil_to_real.
Qed.

(* Why3 goal *)
Lemma ceil_to_int :
  forall (m:ieee_float.RoundingMode.mode) (x:t), t'isFinite x ->
  ((to_int m (roundToIntegral ieee_float.RoundingMode.RTP x)) =
   (real.Truncate.ceil (t'real x))).
Proof.
  now apply ceil_to_int.
Qed.

(* Why3 goal *)
Lemma floor_le :
  forall (x:t), t'isFinite x ->
  le (roundToIntegral ieee_float.RoundingMode.RTN x) x.
Proof.
  now apply floor_le.
Qed.

(* Why3 goal *)
Lemma floor_lest :
  forall (x:t) (y:t), le y x /\ is_int y ->
  le y (roundToIntegral ieee_float.RoundingMode.RTN x).
Proof.
  now apply floor_lest.
Qed.

(* Why3 goal *)
Lemma floor_to_real :
  forall (x:t), t'isFinite x ->
  ((t'real (roundToIntegral ieee_float.RoundingMode.RTN x)) =
   (BuiltIn.IZR (real.Truncate.floor (t'real x)))).
Proof.
  now apply floor_to_real.
Qed.

(* Why3 goal *)
Lemma floor_to_int :
  forall (m:ieee_float.RoundingMode.mode) (x:t), t'isFinite x ->
  ((to_int m (roundToIntegral ieee_float.RoundingMode.RTN x)) =
   (real.Truncate.floor (t'real x))).
Proof.
  now apply floor_to_int.
Qed.

(* Why3 goal *)
Lemma RNA_down :
  forall (x:t),
  lt
  (sub ieee_float.RoundingMode.RNE x
   (roundToIntegral ieee_float.RoundingMode.RTN x))
  (sub ieee_float.RoundingMode.RNE
   (roundToIntegral ieee_float.RoundingMode.RTP x) x) ->
  ((roundToIntegral ieee_float.RoundingMode.RNA x) =
   (roundToIntegral ieee_float.RoundingMode.RTN x)).
Proof.
  now apply RNA_down.
Qed.

(* Why3 goal *)
Lemma RNA_up :
  forall (x:t),
  lt
  (sub ieee_float.RoundingMode.RNE
   (roundToIntegral ieee_float.RoundingMode.RTP x) x)
  (sub ieee_float.RoundingMode.RNE x
   (roundToIntegral ieee_float.RoundingMode.RTN x)) ->
  ((roundToIntegral ieee_float.RoundingMode.RNA x) =
   (roundToIntegral ieee_float.RoundingMode.RTP x)).
Proof.
  now apply RNA_up.
Qed.

(* Why3 goal *)
Lemma RNA_down_tie :
  forall (x:t),
  eq
  (sub ieee_float.RoundingMode.RNE x
   (roundToIntegral ieee_float.RoundingMode.RTN x))
  (sub ieee_float.RoundingMode.RNE
   (roundToIntegral ieee_float.RoundingMode.RTP x) x) ->
  is_negative x ->
  ((roundToIntegral ieee_float.RoundingMode.RNA x) =
   (roundToIntegral ieee_float.RoundingMode.RTN x)).
Proof.
  now apply RNA_down_tie.
Qed.

(* Why3 goal *)
Lemma RNA_up_tie :
  forall (x:t),
  eq
  (sub ieee_float.RoundingMode.RNE
   (roundToIntegral ieee_float.RoundingMode.RTP x) x)
  (sub ieee_float.RoundingMode.RNE x
   (roundToIntegral ieee_float.RoundingMode.RTN x)) ->
  is_positive x ->
  ((roundToIntegral ieee_float.RoundingMode.RNA x) =
   (roundToIntegral ieee_float.RoundingMode.RTP x)).
Proof.
  now apply RNA_up_tie.
Qed.

(* Why3 goal *)
Lemma to_int_roundToIntegral :
  forall (m:ieee_float.RoundingMode.mode) (x:t),
  ((to_int m x) = (to_int m (roundToIntegral m x))).
Proof.
  now apply to_int_roundToIntegral.
Qed.

(* Why3 goal *)
Lemma to_int_monotonic :
  forall (m:ieee_float.RoundingMode.mode) (x:t) (y:t), t'isFinite x ->
  t'isFinite y -> le x y -> ((to_int m x) <= (to_int m y))%Z.
Proof.
  apply to_int_monotonic.
Qed.

(* Why3 goal *)
Lemma to_int_of_int :
  forall (m:ieee_float.RoundingMode.mode) (i:Numbers.BinNums.Z),
  in_safe_int_range i -> ((to_int m (of_int m i)) = i).
Proof.
  intros m i h1.
  now apply to_int_of_int.
Qed.

(* Why3 goal *)
Lemma eq_to_int :
  forall (m:ieee_float.RoundingMode.mode) (x:t) (y:t), t'isFinite x ->
  eq x y -> ((to_int m x) = (to_int m y)).
Proof.
  apply eq_to_int.
Qed.

(* Why3 goal *)
Lemma neg_to_int :
  forall (m:ieee_float.RoundingMode.mode) (x:t), is_int x ->
  ((to_int m (neg x)) = (-(to_int m x))%Z).
Proof.
  apply neg_to_int.
Qed.

(* Why3 goal *)
Lemma roundToIntegral_is_finite :
  forall (m:ieee_float.RoundingMode.mode) (x:t), t'isFinite x ->
  t'isFinite (roundToIntegral m x).
Proof.
  now apply roundToIntegral_is_finite.
Qed.

(* Why3 goal *)
Lemma max_int_def :
  (max_int =
   179769313486231570814527423731704356798070567525844996598917476803157260780028538760589558632766878171540458953514382464234321326889464182768467546703537516986049910576551282076245490090389328944075868508455133942304583236903222948165808559332123348274797826204144723168738177180919299881250404026184124858368%Z).
Proof.
  trivial.

Qed.

(* Why3 goal *)
Lemma max_real_def :
  (max_real =
   179769313486231570814527423731704356798070567525844996598917476803157260780028538760589558632766878171540458953514382464234321326889464182768467546703537516986049910576551282076245490090389328944075868508455133942304583236903222948165808559332123348274797826204144723168738177180919299881250404026184124858368%R).
Proof.
  trivial.

Qed.

(* Why3 goal *)
Lemma round_bound_ne :
  forall (x:Reals.Rdefinitions.R),
  no_overflow ieee_float.RoundingMode.RNE x ->
  (((x - ((1 / 9007199254740992)%R * (Reals.Rbasic_fun.Rabs x))%R)%R -
    (1 / 404804506614621236704990693437834614099113299528284236713802716054860679135990693783920767402874248990374155728633623822779617474771586953734026799881477019843034848553132722728933815484186432682479535356945490137124014966849385397236206711298319112681620113024717539104666829230461005064372655017292012526615415482186989568)%R)%R
   <= (round ieee_float.RoundingMode.RNE x))%R /\
  ((round ieee_float.RoundingMode.RNE x) <=
   ((x + ((1 / 9007199254740992)%R * (Reals.Rbasic_fun.Rabs x))%R)%R +
    (1 / 404804506614621236704990693437834614099113299528284236713802716054860679135990693783920767402874248990374155728633623822779617474771586953734026799881477019843034848553132722728933815484186432682479535356945490137124014966849385397236206711298319112681620113024717539104666829230461005064372655017292012526615415482186989568)%R)%R)%R.
intros x h1.
Admitted.

(* Why3 goal *)
Lemma round_bound :
  forall (m:ieee_float.RoundingMode.mode) (x:Reals.Rdefinitions.R),
  no_overflow m x ->
  (((x - ((1 / 4503599627370496)%R * (Reals.Rbasic_fun.Rabs x))%R)%R -
    (1 / 202402253307310618352495346718917307049556649764142118356901358027430339567995346891960383701437124495187077864316811911389808737385793476867013399940738509921517424276566361364466907742093216341239767678472745068562007483424692698618103355649159556340810056512358769552333414615230502532186327508646006263307707741093494784)%R)%R
   <= (round m x))%R /\
  ((round m x) <=
   ((x + ((1 / 4503599627370496)%R * (Reals.Rbasic_fun.Rabs x))%R)%R +
    (1 / 202402253307310618352495346718917307049556649764142118356901358027430339567995346891960383701437124495187077864316811911389808737385793476867013399940738509921517424276566361364466907742093216341239767678472745068562007483424692698618103355649159556340810056512358769552333414615230502532186327508646006263307707741093494784)%R)%R)%R.
intros m x h1.
Admitted.

why3-1.6.0/lib/coq/ieee_float/GenericFloat.v000066400000000000000000004570331440160026300205750ustar00rootroot00000000000000(********************************************************************)
(*                                                                  *)
(*  The Why3 Verification Platform   /   The Why3 Development Team  *)
(*  Copyright 2010-2023 --  Inria - CNRS - Paris-Saclay University  *)
(*                                                                  *)
(*  This software is distributed under the terms of the GNU Lesser  *)
(*  General Public License version 2.1, with the special exception  *)
(*  on linking described in file LICENSE.                           *)
(*                                                                  *)
(********************************************************************)

(* This file is generated by Why3's Coq-realize driver *)
(* Beware! Only edit allowed sections below    *)
Require Import BuiltIn.
Require Reals.Rbasic_fun.
Require Reals.R_sqrt.
Require BuiltIn.
Require int.Int.
Require real.Real.
Require real.RealInfix.
Require real.Abs.
Require real.FromInt.
Require real.Truncate.
Require real.Square.
Require bv.Pow2int.
Require ieee_float.RoundingMode.

Require Import Psatz.
Require Import ZArith Reals.
Require Import Flocq.Core.Core.
Require Import Flocq.IEEE754.BinarySingleNaN.
Require Import Flocq.Calc.Bracket.
Require Import Flocq.Calc.Round.
Require Import Flocq.Prop.Plus_error.
Require Flocq.Prop.Sterbenz.
Import real.Truncate.
Import ieee_float.RoundingMode.

Arguments B754_zero {prec} {emax}.
Arguments B754_infinity {prec} {emax}.
Arguments B754_nan {prec} {emax}.
Arguments B754_finite {prec} {emax}.

Local Open Scope R_scope.

Definition mode_to_IEEE : mode -> BinarySingleNaN.mode.
  exact (fun m =>
           match m with
           | RNE => mode_NE
           | RNA => mode_NA
           | RTP => mode_UP
           | RTN => mode_DN
           | RTZ => mode_ZR
           end).
Defined.

Coercion mode_to_IEEE : mode >-> BinarySingleNaN.mode.

Section GenericFloat.

Variable eb_pos sb_pos : positive.

(* Why3 goal *)
Definition eb : Numbers.BinNums.Z.
Proof.
  exact (Z.pos eb_pos).
Defined.

(* Why3 goal *)
Definition sb : Numbers.BinNums.Z.
Proof.
  exact (Z.pos sb_pos).
Defined.

Hypothesis Heb : Zlt_bool 1 eb = true.
Hypothesis Hsbb : Zlt_bool 1 sb = true.

(* Why3 goal *)
Lemma eb_gt_1 : (1%Z < eb)%Z.
Proof.
  rewrite Zlt_is_lt_bool.
  apply Heb.
Qed.

(* Why3 goal *)
Lemma sb_gt_1 : (1%Z < sb)%Z.
Proof.
  rewrite Zlt_is_lt_bool.
  apply Hsbb.
Qed.

(* power of infinities *)
Definition emax : Z.
Proof.
  exact (radix2 ^ (eb - 1))%Z.
Defined.

(* Why3 goal *)
Definition t : Type.
Proof.
  exact (binary_float sb emax).
Defined.

(* Why3 goal *)
Definition zeroF : t.
Proof.
  exact (B754_zero false).
Defined.

Definition emin := (3 - emax - sb)%Z.
Notation fexp := (FLT_exp emin sb).

Lemma Hsb : Zlt_bool 0 sb = true.
Proof.
  auto with zarith.
Qed.

Lemma Hsb': (0 < sb)%Z.
Proof.
  unfold sb; auto with zarith.
Qed.

Hypothesis Hemax : Zlt_bool sb emax = true.

Lemma Hemax': (sb < emax)%Z.
Proof.
  rewrite Zlt_is_lt_bool.
  apply Hemax.
Qed.

Instance Hsb'' : Prec_gt_0 sb := Hsb'.

Lemma fexp_Valid : Valid_exp fexp.
Proof.
  apply (fexp_correct _ _ Hsb'').
Qed.

Definition r_to_fp rnd x : binary_float sb emax :=
  let r := round radix2 fexp (round_mode rnd) x in
  let m := Ztrunc (scaled_mantissa radix2 fexp r) in
  let e := cexp radix2 fexp r in
  binary_normalize sb emax Hsb' Hemax' rnd m e false.

Theorem r_to_fp_correct :
  forall rnd x,
  let r := round radix2 fexp (round_mode rnd) x in
  (Rabs r < bpow radix2 emax)%R ->
  is_finite (r_to_fp rnd x) = true /\
  B2R (r_to_fp rnd x) = r.
Proof with auto with typeclass_instances.
intros rnd x r Bx.
unfold r_to_fp. fold r.
generalize (binary_normalize_correct sb emax Hsb' Hemax' rnd (Ztrunc (scaled_mantissa radix2 fexp r)) (cexp radix2 fexp r) false).
unfold r.
elim generic_format_round...
fold emin r.
rewrite round_generic...
rewrite Rlt_bool_true with (1 := Bx).
now split.
apply generic_format_round...
Qed.

Theorem r_to_fp_format :
  forall rnd x,
  FLT_format radix2 emin sb x ->
  (Rabs x < bpow radix2 emax)%R ->
  B2R (r_to_fp rnd x) = x.
Proof with auto with typeclass_instances.
intros rnd x Fx Bx.
assert (Gx: generic_format radix2 fexp x).
apply generic_format_FLT.
apply Fx.
pattern x at 2 ; rewrite <- round_generic with (rnd := round_mode rnd) (2 := Gx)...
refine (proj2 (r_to_fp_correct _ _ _)).
rewrite round_generic...
Qed.

Lemma max_eb_bounded : SpecFloat.bounded sb emax (2 ^ sb_pos - 1) (emax - sb) = true.
Proof.
  assert (0 <= sb - 1)%Z.
  apply Zlt_0_le_0_pred, Hsb'.
  unfold SpecFloat.bounded; apply Bool.andb_true_iff; split.
  unfold SpecFloat.canonical_mantissa, SpecFloat.fexp, FLT_exp, SpecFloat.emin.
  apply Zeq_bool_true.
  rewrite Digits.Zpos_digits2_pos.
  rewrite (Digits.Zdigits_unique radix2 _ sb).
  assert (sb + (emax - sb) - sb = emax - sb)%Z by ring; rewrite H0.
  apply Zmax_left.
  assert (1 < emax)%Z.
  apply Z.le_lt_trans with (m := sb).
  change (Z.succ 0 <= sb)%Z; apply Zgt_le_succ; easy.
  apply Hemax'.
  auto with zarith.
  rewrite Z.abs_eq by auto with zarith.
  change ((2 ^ (sb - 1) <= Z.pos (2 ^ sb_pos - 1) < 2 ^ sb)%Z).
  assert (Z.pos (2 ^ sb_pos - 1) = 2 ^ sb -1)%Z.
  rewrite Pos2Z.inj_sub, Pos2Z.inj_pow.
  fold sb; reflexivity.
  apply Pos.pow_gt_1; easy.
  rewrite H0.
  split; auto with zarith.
  assert (sb = Z.succ (sb - 1)) by auto with zarith.
  rewrite H1 at 2.
  rewrite Z.pow_succ_r by trivial.
  assert (1 <= 2 ^ (sb - 1))%Z.
  apply Z.lt_pred_le, (Zpower_gt_0 radix2 (sb - 1)); trivial.
  lia.
  apply Zle_bool_true; auto with zarith.
Qed.

Definition max_value: t.
Proof.
  exact (B754_finite false (2 ^ sb_pos - 1) (emax - sb) max_eb_bounded).
Defined.

(* Why3 goal *)
Definition add : ieee_float.RoundingMode.mode -> t -> t -> t.
Proof.
  exact (@Bplus sb emax Hsb' Hemax').
Defined.

(* Why3 goal *)
Definition sub : ieee_float.RoundingMode.mode -> t -> t -> t.
Proof.
  exact (@Bminus sb emax Hsb' Hemax').
Defined.

(* Why3 goal *)
Definition mul : ieee_float.RoundingMode.mode -> t -> t -> t.
Proof.
  exact (@Bmult sb emax Hsb' Hemax').
Defined.

(* Why3 goal *)
Definition div : ieee_float.RoundingMode.mode -> t -> t -> t.
Proof.
  exact (@Bdiv sb emax Hsb' Hemax').
Defined.

(* Why3 goal *)
Definition abs : t -> t.
Proof.
  exact (@Babs sb emax).
Defined.

(* Why3 goal *)
Definition neg : t -> t.
Proof.
  exact (@Bopp sb emax).
Defined.

(* Why3 goal *)
Definition fma : ieee_float.RoundingMode.mode -> t -> t -> t -> t.
Proof.
  exact (@Bfma sb emax Hsb' Hemax').
Defined.

(* Why3 goal *)
Definition sqrt : ieee_float.RoundingMode.mode -> t -> t.
Proof.
  exact (@Bsqrt sb emax Hsb' Hemax').
Defined.

Definition z_to_fp m x := binary_normalize sb emax Hsb' Hemax' (mode_to_IEEE m) x 0 false.

Definition fp_to_z: mode -> t -> Z.
Proof.
  exact (fun m x => match m with
         | RNA => ZnearestA
         | RNE => ZnearestE
         | RTP => Zceil
         | RTN => Zfloor
         | RTZ => Ztrunc
         end (B2R x)).
Defined.

(* Why3 goal *)
Definition roundToIntegral : ieee_float.RoundingMode.mode -> t -> t.
Proof.
  exact (fun m x =>
           match x with
             | B754_zero b => x
             | B754_infinity b => x
             | B754_nan => x
             | B754_finite b ma e _ =>
               let x_int := fp_to_z m x in
               match Z.eq_dec x_int 0%Z with
               | left _ => B754_zero b
               | right _ => z_to_fp RTZ x_int
               end
           end).
Defined.

(* Why3 goal *)
Definition min : t -> t -> t.
Proof.
  exact (fun x y => match Bcompare x y with
           | Some Lt => x
           | Some Gt | Some Eq => y
           | None => B754_nan
         end).
Defined.

(* Why3 goal *)
Definition max : t -> t -> t.
Proof.
  exact (fun x y => match Bcompare x y with
           | Some Lt => y
           | Some Gt | Some Eq => x
           | None => B754_nan
         end).
Defined.

(* Why3 goal *)
Definition le : t -> t -> Prop.
Proof.
  exact (fun a b => match Bcompare a b with Some Lt | Some Eq => True | _ => False end).
Defined.

Hint Unfold le.

(* Why3 goal *)
Definition lt : t -> t -> Prop.
Proof.
  exact (fun a b => Bcompare a b = Some Lt).
Defined.

Hint Unfold lt.

Lemma gt_bcompare : forall {x y}, lt y x <-> Bcompare x y = Some Gt.
Proof.
  intros x y.
  rewrite Bcompare_swap.
  unfold lt.
  destruct Bcompare.
  destruct c; simpl; split; intro h; inversion h; auto.
  split; intro h; inversion h; auto.
Qed.

(*
Lemma ge_bcompare : forall {x y}, le y x <-> Bcompare _ _ x y = Some Gt \/ Bcompare _ _ x y = Some Eq.
Proof.
  intros x y.
  unfold le.
  rewrite <-gt_bcompare.
  assert (Bcompare _ _ y x = Some Eq <-> Bcompare _ _ x y = Some Eq).
  rewrite Bcompare_swap.
  destruct Bcompare; try (split; now auto).
  destruct c; simpl; split; intro h; inversion h; auto.
  rewrite H; reflexivity.
Qed.
*)

(* Why3 goal *)
Definition eq : t -> t -> Prop.
Proof.
  exact (fun a b => Bcompare a b = Some Eq).
Defined.

Hint Unfold eq.

Lemma le_correct: forall x y, le x y <-> lt x y \/ eq x y.
Proof.
  intros x y; unfold lt, le, eq.
  destruct Bcompare as [[ | | ] | ] ; split ; try easy.
  now right.
  now left.
  now intros [|].
  now intros [|].
Qed.

Lemma lt_le: forall {x y}, lt x y -> le x y.
Proof.
  intros x y.
  rewrite le_correct; auto.
Qed.

Lemma eq_zero_iff: forall {x}, eq zeroF x <-> x = zeroF \/ x = neg zeroF.
Proof.
  intro; unfold eq; destruct x; simpl; try destruct s; simpl.
  split; auto.
  split; auto.
  split; [easy| intro h; destruct h; easy].
  split; [easy| intro h; destruct h; easy].
  split; [easy| intro h; destruct h; easy].
  split; [easy| intro h; destruct h; easy].
  split; [easy| intro h; destruct h; easy].
Qed.

(* Why3 goal *)
Definition is_normal : t -> Prop.
Proof.
  exact (fun x => match x with
                    | B754_zero _ => True
                    | B754_finite _ _ e _ => (emin < e)%Z
                    | _ => False
        end).
Defined.

(* Why3 goal *)
Definition is_subnormal : t -> Prop.
Proof.
  exact (fun x => match x with
                    | B754_finite _ _ e _ => (emin = e)%Z
                    | _ => False
        end).
Defined.

(* Why3 goal *)
Definition is_zero : t -> Prop.
Proof.
  exact (fun x => eq zeroF x).
Defined.

Lemma zero_is_zero: forall {b}, is_zero (B754_zero b).
Proof.
  easy.
Qed.

Lemma is_zero_B754_zero :
  forall x, is_zero x <-> exists b, x = B754_zero b.
Proof.
  intro.
  unfold is_zero; rewrite eq_zero_iff.
  unfold zeroF.
  simpl neg.
  split; intro h; destruct h; auto; try easy.
  exists false; assumption.
  exists true; assumption.
  destruct x0;[right|left];auto.
Qed.

Lemma zero_or_not : forall x, ~ is_zero x \/ is_zero x.
Proof.
  destruct x.
  - now right.
  - left. now destruct s.
  - now left.
  - left. now destruct s.
Qed.

(* Why3 goal *)
Definition is_infinite : t -> Prop.
Proof.
  exact (fun x => match x with
                  | B754_infinity _ => True
                  | _ => False
                  end).
Defined.

Coercion is_true : bool >-> Sortclass.

Lemma eq_infinite_dist: forall {x y}, eq x y -> is_infinite x -> is_infinite y.
Proof.
  intros; destruct x, y; try easy; destruct s; easy.
Qed.

(* Why3 goal *)
Definition is_nan : t -> Prop.
Proof.
  exact is_nan.
Defined.

Lemma is_infinite_not_nan: forall {x}, is_infinite x -> ~ is_nan x.
Proof.
  intro x; destruct x; easy.
Qed.

Lemma le_infinity: forall {x}, ~ is_nan x -> le x (B754_infinity false).
Proof.
  intros.
  unfold le.
  destruct x; try easy.
  + now destruct s.
  + now elim H.
Qed.

Lemma is_nan_dec: forall x, {is_nan x} + {~ is_nan x}.
Proof.
  intro; destruct x; compute; intuition.
Qed.

Lemma eq_not_nan_refl: forall {x : t}, ~ is_nan x -> eq x x.
Proof.
  intros; destruct x; auto.
  destruct s; auto.
  destruct H; easy.
  unfold eq.
  rewrite Bcompare_correct by easy.
  now rewrite Rcompare_Eq.
Qed.

Lemma eq_not_nan: forall {x y}, eq x y -> ~ is_nan x /\ ~ is_nan y.
Proof.
  intros; destruct x; destruct y; easy.
Qed.

Lemma lt_not_nan: forall {x y}, lt x y -> ~ is_nan x /\ ~ is_nan y.
Proof.
  intros; destruct x, y; easy.
Qed.

Lemma le_or_lt_or_nan: forall x y, le x y \/ lt y x \/ is_nan x \/ is_nan y.
Proof.
  unfold is_nan, le, lt.
  intros x y.
  rewrite Bcompare_swap.
  case_eq (Bcompare y x).
  intros [| |] ; try now left.
  now (right ; left).
  destruct x, y; auto; easy.
Qed.

(* Why3 goal *)
Definition is_positive : t -> Prop.
Proof.
  exact (fun x => match x with
                    | B754_zero false => True
                    | B754_finite false _ e _ => True
                    | B754_infinity false => True
                    | _ => False
        end).
Defined.

Hint Unfold is_positive.

Lemma is_positive_Bsign: forall x, ~ is_nan x -> (is_positive x <-> Bsign x = false).
Proof.
  split.
  destruct x; try destruct s; try easy.
  destruct x; try destruct s; try easy.
  contradict H; easy.
Qed.

Lemma is_positive_correct: forall x, is_positive x <-> lt zeroF x \/ x = B754_zero false.
Proof.
  split.
  intro h; destruct x; try destruct s; auto; easy.
  intro h; destruct h; destruct x; try destruct s; easy.
Qed.

(* Why3 goal *)
Definition is_negative : t -> Prop.
Proof.
  exact (fun x => match x with
                    | B754_zero true => True
                    | B754_finite true _ e _ => True
                    | B754_infinity true => True
                    | _ => False
        end).
Defined.

Hint Unfold is_negative.

Lemma is_negative_Bsign: forall x, ~ is_nan x -> (is_negative x <-> Bsign x = true).
Proof.
  split.
  destruct x; try destruct s; easy.
  destruct x; try destruct s; easy.
Qed.

Lemma is_negative_correct: forall x, is_negative x <-> lt x zeroF \/ x = B754_zero true.
Proof.
  split.
  intro h; destruct x; try destruct s; auto; easy.
  intro h; destruct h; destruct x; try destruct s; easy.
Qed.

(* Why3 goal *)
Definition is_finite : t -> Prop.
Proof.
  exact is_finite.
Defined.

Lemma not_nan: forall x, ~ (is_nan x) -> {is_finite x} + {is_infinite x}.
Proof.
  unfold is_nan, is_finite.
  intro x; try destruct x; simpl; intro; auto.
Qed.

Lemma is_finite_not_nan: forall {x}, is_finite x -> ~ is_nan x.
Proof.
  intro x; destruct x; easy.
Qed.

Lemma Finite_Infinite_Nan_dec: forall x:t, {is_finite x} + {is_infinite x} + {is_nan x}.
Proof.
  intro x; destruct x; simpl.
  left; left; easy.
  left; right; easy.
  right; easy.
  left; left; easy.
Qed.

Lemma eq_finite_dist: forall {x y}, eq x y -> is_finite x -> is_finite y.
Proof.
  intros; destruct x, y; try easy; destruct s0; easy.
Qed.

Lemma bounded_floats :
  forall x:t, (is_finite x) ->
              Bcompare (abs x) max_value = Some Lt
           \/ Bcompare (abs x) max_value = Some Eq.
Proof.
  destruct x; try easy; auto; (* simpl; *) intros.
  destruct (andb_prop _ _ e0) as (H1,H2).
  generalize (Zeq_bool_eq _ _ H1); clear H1; intro H1.
  generalize (Zle_bool_imp_le _ _ H2); clear H2; intro H2.
  destruct (Z_le_lt_eq_dec _ _ H2); clear H2.
  unfold Bcompare.
  simpl; rewrite (Zcompare_Lt _ _ l); auto.
  unfold Bcompare.
  simpl; rewrite (Zcompare_Eq _ _ e1).
  unfold SpecFloat.fexp, FLT_exp, SpecFloat.emin in H1.
  rewrite Digits.Zpos_digits2_pos in H1.
  assert (3 - emax - sb <= Digits.Zdigits radix2 (Z.pos m) + e - sb)%Z.
  rewrite e1.
  pose sb_gt_1. pose Hemax'.
  assert (Z.pos m <> 0)%Z. pose (Pos2Z.is_pos m); auto with zarith.
  pose (Digits.Zdigits_gt_0 radix2 (Z.pos m) H0).
  auto with zarith.
  rewrite <-Z.max_l_iff in H0.
  rewrite H0 in H1; clear H0.
  assert (Digits.Zdigits radix2 (Z.pos m) = sb) by auto with zarith; clear H1.
  pose (Digits.Zdigits_correct radix2 (Z.pos m)).
  rewrite H0 in a.
  replace (Z.abs (Z.pos m)) with (Z.pos m) in a by auto with zarith.
  destruct a. clear H1.
  assert (Z.pos m = radix2 ^ sb - 1 \/ Z.pos m < radix2 ^ sb - 1)%Z by lia.
  destruct H1.
  right.
  replace (radix2 ^ sb)%Z with (Z.pos 2 ^ Z.pos sb_pos)%Z in H1 by auto.
  rewrite <-Pos2Z.inj_pow, <-Pos2Z.inj_sub, <-Zpos_eq_iff in H1.
  rewrite H1.
  rewrite Pcompare_refl; reflexivity.
  apply Pos.pow_gt_1; easy.
  left.
  rewrite nat_of_P_lt_Lt_compare_complement_morphism. reflexivity.
  apply Pos2Nat.inj_lt.
  replace (radix2 ^ sb)%Z with (Z.pos 2 ^ Z.pos sb_pos)%Z in H1 by auto.
  rewrite <-Pos2Z.inj_pow, <-Pos2Z.inj_sub in H1.
  auto with zarith.
  apply Pos.pow_gt_1; easy.
Qed.

Lemma bounded_floats_le: forall x, is_finite x -> le (abs x) max_value.
Proof.
  intros x Fx.
  unfold le.
  now destruct (bounded_floats x Fx) as [-> | ->].
Qed.

Lemma is_finite_B: forall (x:t),
    is_finite x ->
    exists b, x = B754_zero b \/ exists b m e p, x = B754_finite b m e p.
Proof.
  intro x.
  destruct x; try easy; intros.
  exists s; auto.
  exists s; right.
  exists s, m, e, e0; trivial.
Qed.

(* Why3 assumption *)
Definition is_plus_infinity (x:t) : Prop := is_infinite x /\ is_positive x.

(* Why3 assumption *)
Definition is_minus_infinity (x:t) : Prop := is_infinite x /\ is_negative x.

(* Why3 assumption *)
Definition is_plus_zero (x:t) : Prop := is_zero x /\ is_positive x.

(* Why3 assumption *)
Definition is_minus_zero (x:t) : Prop := is_zero x /\ is_negative x.

(* Why3 assumption *)
Definition is_not_nan (x:t) : Prop := is_finite x \/ is_infinite x.

(* Why3 goal *)
Lemma is_not_nan1 : forall (x:t), is_not_nan x <-> ~ is_nan x.
Proof.
  unfold is_not_nan; split; intro H.
  destruct H; [apply is_finite_not_nan|apply is_infinite_not_nan];trivial.
  destruct (not_nan _ H); auto.
Qed.

(* Why3 goal *)
Lemma is_not_finite :
  forall (x:t), ~ is_finite x <-> is_infinite x \/ is_nan x.
Proof.
intros x.
destruct x; split; intro h; try easy.
contradict h; easy.
destruct h as [h|h]; contradict h; easy.
left; easy.
right; easy.
contradict h; easy.
destruct h as [h|h]; contradict h; easy.
Qed.

(* Why3 goal *)
Definition to_real : t -> Reals.Rdefinitions.R.
Proof.
  exact B2R.
Defined.

Lemma Some_ext: forall {T} (a b:T), Some a = Some b <-> a = b.
Proof.
  intros; split; intro H;[inversion H|rewrite H]; reflexivity.
Qed.

Lemma to_real_eq: forall {x:t} {y:t}, is_finite x -> is_finite y ->
                                      (eq x y <-> to_real x = to_real y).
Proof.
  intros x y h1 h2.
  unfold eq.
  rewrite (Bcompare_correct _ _ x y h1 h2), Some_ext.
  split; intro H; [apply (Rcompare_Eq_inv _ _ H)|
                   apply (Rcompare_Eq _ _ H)].
Qed.

Lemma to_real_eq_alt: forall {x y}, eq x y -> to_real x = to_real y.
Proof.
  destruct x, y; try destruct s; try destruct s0; unfold eq, Bcompare; simpl; try easy.
  - destruct (Z_dec e e1) as [[s|s]|s].
    + rewrite Zcompare_Lt by auto; intro; easy.
    + apply Z.gt_lt in s.
      rewrite Zcompare_Gt by auto; intro; easy.
    + rewrite Zcompare_Eq by auto; intro.
      inversion H.
      rewrite <-ZC4 in H1.
      apply Pcompare_Eq_eq in H1.
      destruct m; simpl; subst; auto.
  - destruct (Z_dec e e1) as [[s|s]|s].
    + rewrite Zcompare_Lt by auto; intro; easy.
    + apply Z.gt_lt in s.
      rewrite Zcompare_Gt by auto; intro; easy.
    + rewrite Zcompare_Eq by auto; intro.
      inversion H.
      apply Pcompare_Eq_eq in H1.
      destruct m; simpl; subst; auto.
Qed.

Lemma le_to_real: forall (x:t) (y:t), is_finite x -> is_finite y ->
  (le x y <-> (to_real x <= to_real y)%R).
Proof.
intros x y h1 h2.
unfold le.
rewrite (Bcompare_correct _ _ x y h1 h2).
split; intro H.
- apply Rnot_lt_le.
  intros H'.
  now rewrite Rcompare_Gt in H.
- case Rcompare_spec; try easy.
  now apply Rle_not_lt.
Qed.

(* Why3 goal *)
Lemma zeroF_is_positive : is_positive zeroF.
Proof.
easy.
Qed.

(* Why3 goal *)
Lemma zeroF_is_zero : is_zero zeroF.
Proof.
  apply eq_refl; easy.
Qed.

Lemma zeroF_to_real : ((to_real zeroF) = 0%R).
Proof.
easy.
Qed.

Lemma B754_zero_to_real: forall {b}, to_real (B754_zero b) = 0%R.
Proof.
  intro b.
  rewrite <-(to_real_eq_alt zero_is_zero).
  apply zeroF_to_real.
Qed.

(* Why3 goal *)
Lemma zero_to_real :
  forall (x:t), is_zero x <-> is_finite x /\ ((to_real x) = 0%R).
Proof.
  unfold is_zero.
  assert (is_finite zeroF) by easy.
  intros x; split; intro H0.
  assert (is_finite x) by apply (eq_finite_dist H0 H).
  split; auto.
  symmetry.
  rewrite <-(to_real_eq H H1); auto.
  destruct H0.
  rewrite to_real_eq; auto.
Qed.

(* Why3 goal *)
Notation of_int := z_to_fp.

(* Why3 goal *)
Notation to_int := fp_to_z.

Lemma to_int_zeroF: forall m, to_int m zeroF = 0%Z.
Proof.
  intro m.
  destruct (valid_rnd_round_mode m) as (_,b).
  pose proof (b 0%Z) as H; simpl in H.
  destruct m; simpl; auto.
Qed.

(* add to theory ? *)
Lemma to_int_eq: forall {m x y}, eq x y -> to_int m x = to_int m y.
Proof.
  destruct x, y; try destruct s; try destruct s0; unfold eq, Bcompare; simpl; try easy.
  - destruct (Z_dec e e1) as [[s|s]|s].
    + rewrite Zcompare_Lt by auto; intro; easy.
    + apply Z.gt_lt in s.
      rewrite Zcompare_Gt by auto; intro; easy.
    + rewrite Zcompare_Eq by auto; intro.
      inversion H.
      rewrite <-ZC4 in H1.
      apply Pcompare_Eq_eq in H1.
      destruct m; simpl; subst; auto.
  - destruct (Z_dec e e1) as [[s|s]|s].
    + rewrite Zcompare_Lt by auto; intro; easy.
    + apply Z.gt_lt in s.
      rewrite Zcompare_Gt by auto; intro; easy.
    + rewrite Zcompare_Eq by auto; intro.
      inversion H.
      apply Pcompare_Eq_eq in H1.
      destruct m; simpl; subst; auto.
Qed.

Lemma to_int_B754_zero: forall {b m}, to_int m (B754_zero b) = 0%Z.
Proof.
  intros b m.
  rewrite <-(to_int_eq zero_is_zero).
  apply to_int_zeroF.
Qed.

(* add to theory ? *)
Lemma to_int_le: forall {x y m}, is_finite x -> is_finite y -> le x y -> (to_int m x <= to_int m y)%Z.
Proof.
  intros.
  destruct m;

  [destruct (valid_rnd_round_mode mode_NE)|
   destruct (valid_rnd_NA)|
   destruct (valid_rnd_UP)|
   destruct (valid_rnd_DN)|
   destruct (valid_rnd_ZR)];
  apply Zrnd_le;
  apply le_to_real; auto.
Qed.

(* Why3 goal *)
Lemma zero_of_int :
  forall (m:ieee_float.RoundingMode.mode), (zeroF = (of_int m 0%Z)).
Proof.
auto.
Qed.

(* Why3 goal *)
Definition round :
  ieee_float.RoundingMode.mode -> Reals.Rdefinitions.R ->
  Reals.Rdefinitions.R.
Proof.
  exact (fun m => round radix2 fexp (round_mode m)).
Defined.

(* Why3 goal *)
Definition max_real : Reals.Rdefinitions.R.
Proof.
  exact ((1 - bpow radix2 (- sb)) * bpow radix2 emax)%R.
Defined.

Lemma max_real_is_F2R: @F2R radix2 {| Fnum := Z.pos (2 ^ sb_pos - 1); Fexp := emax - sb |} = max_real.
Proof.
  unfold F2R.
  unfold Fnum, Fexp.
  rewrite Pos2Z.inj_sub, Pos2Z.inj_pow, minus_IZR.
  fold sb.
  change 2%Z with (radix_val radix2).
  rewrite IZR_Zpower by easy.
  rewrite Int.infix_mn'def, bpow_plus.
  rewrite Rmult_comm, Rmult_assoc, Rmult_comm, Rmult_minus_distr_l.
  rewrite <-bpow_plus.
  replace (- sb + sb)%Z with 0%Z by auto with zarith.
  rewrite Rmult_1_r.
  reflexivity.
  apply Pos.pow_gt_1; easy.
Qed.

Lemma min_real_is_F2R: @F2R radix2 {| Fnum := Z.neg (2 ^ sb_pos - 1); Fexp := emax - sb |} = Ropp max_real.
Proof.
  rewrite <-max_real_is_F2R.
  rewrite <- Operations.F2R_opp.
  unfold Operations.Fopp.
  reflexivity.
Qed.

Lemma max_value_to_real: to_real max_value = max_real.
Proof.
  unfold B2R; simpl.
  apply max_real_is_F2R.
Qed.

Lemma max_real_alt : (max_real = bpow radix2 emax - bpow radix2 (emax - sb))%R.
Proof.
  unfold max_real.
  rewrite Rmult_minus_distr_r, Rmult_1_l.
  rewrite <-bpow_plus.
  replace (- sb + emax)%Z with (emax - sb)%Z by auto with zarith.
  reflexivity.
Qed.

Lemma max_real_lt_bpow_radix2_emax : (max_real < bpow radix2 emax)%R.
Proof.
  rewrite max_real_alt.
  generalize (bpow_gt_0 radix2 (emax - sb)).
  lra.
Qed.

Lemma max_real_ge_6 : (6 <= max_real)%R.
Proof.
  rewrite max_real_alt.
  assert (2 <= sb)%Z by (pose proof sb_gt_1; auto with zarith).
  assert (sb + 1 <= emax)%Z by (pose proof Hemax'; auto with zarith).
  assert (8 <= bpow radix2 emax)%R.
    apply (bpow_le radix2 3).
    lia.
  unfold Zminus.
  rewrite bpow_plus.
  assert (bpow radix2 emax * bpow radix2 (-sb) <= bpow radix2 emax * / 4)%R.
    apply Rmult_le_compat_l.
    apply bpow_ge_0.
    apply (bpow_le radix2 _ (-2)).
    now apply Z.opp_le_mono.
  lra.
Qed.

Lemma max_real_generic_format: generic_format radix2 fexp max_real.
Proof.
  rewrite <-max_value_to_real.
  apply generic_format_B2R.
Qed.

(* Why3 goal *)
Definition max_int : Numbers.BinNums.Z.
Proof.
  exact (2 ^ emax - 2 ^ (emax - sb))%Z.
Defined.

(* Why3 goal *)
Lemma max_int_spec :
  (max_int =
   ((bv.Pow2int.pow2 (bv.Pow2int.pow2 (eb - 1%Z)%Z)) -
    (bv.Pow2int.pow2 ((bv.Pow2int.pow2 (eb - 1%Z)%Z) - sb)%Z))%Z).
Proof.
  rewrite two_p_equiv, two_p_equiv, two_p_equiv.
  now unfold max_int, emax.
Qed.

(* Why3 goal *)
Lemma max_real_int : (max_real = (BuiltIn.IZR max_int)).
Proof.
  unfold max_int.
  rewrite minus_IZR.
  change 2%Z with (radix_val radix2).
  rewrite IZR_Zpower, IZR_Zpower by (pose Hsb'; pose Hemax'; auto with zarith).
  apply max_real_alt.
Qed.

(* Why3 assumption *)
Definition in_range (x:Reals.Rdefinitions.R) : Prop :=
  ((-max_real)%R <= x)%R /\ (x <= max_real)%R.

(* Why3 assumption *)
Definition in_int_range (i:Numbers.BinNums.Z) : Prop :=
  ((-max_int)%Z <= i)%Z /\ (i <= max_int)%Z.

Lemma in_range_bpow_radix2_emax: forall x, in_range x -> (Rabs x < bpow radix2 emax)%R.
Proof.
  unfold in_range; intros.
  apply Rle_lt_trans with (r2:= max_real).
  apply Abs.Abs_le; apply H.
  apply max_real_lt_bpow_radix2_emax.
Qed.

Lemma is_finite_abs : forall x:t, is_finite x -> is_finite (abs x).
Proof.
  destruct x; try easy.
Qed.

(* Why3 goal *)
Lemma is_finite1 : forall (x:t), is_finite x -> in_range (to_real x).
Proof.
  intros x h1.
  apply Rabs_le_inv.
  rewrite <-max_value_to_real.
  apply Rcompare_not_Lt_inv.
  pose (is_finite_abs x h1).
  pose (bounded_floats x h1).
  rewrite Bcompare_correct in o; try easy.
  unfold abs in o.
  rewrite B2R_Babs in o.
  unfold to_real.
  intro H0.
  destruct o as [H|H]; inversion H as (H1);
  rewrite Rcompare_sym in H1; apply CompOpp_iff in H1;
  simpl in H0; rewrite H0 in H1;
  inversion H1.
Qed.

Lemma Rabs_round_max_real_emax:
  forall {m} {x}, Rabs (round m x) <= max_real <-> Rabs (round m x) < bpow radix2 emax.
Proof.
  intros m x; split; intro h.
  - apply Rle_lt_trans with (r2 := max_real).
    apply h.
    apply max_real_lt_bpow_radix2_emax.
  - destruct (r_to_fp_correct m x h).
    unfold round.
    rewrite <-H0, Abs.Abs_le.
    apply (is_finite1 _ H).
Qed.

(* Why3 assumption *)
Definition no_overflow (m:ieee_float.RoundingMode.mode)
    (x:Reals.Rdefinitions.R) : Prop :=
  in_range (round m x).

Lemma no_overflow_Rabs_round_max_real: forall {m} {x}, no_overflow m x <-> Rabs (round m x) <= max_real.
Proof.
  intro x.
  split; intro h; apply Abs.Abs_le; easy.
Qed.

Lemma no_overflow_Rabs_round_emax: forall {m} {x}, no_overflow m x <-> Rabs (round m x) < bpow radix2 emax.
Proof.
  intros m x.
  apply (iff_trans no_overflow_Rabs_round_max_real Rabs_round_max_real_emax).
Qed.

Lemma IZR_alt: forall {x}, @F2R radix2 {| Fnum := x; Fexp := 0 |} = IZR x.
Proof.
  intros; unfold F2R, Fnum, Fexp, FLT_exp.
  assert (bpow radix2 0 = 1) as bpow_0 by easy.
  rewrite bpow_0, Rmult_1_r.
  reflexivity.
Qed.

Lemma of_int_correct :
  forall {m} {x},
    no_overflow m (IZR x) ->
      to_real (of_int m x) = round m (IZR x) /\ is_finite (of_int m x) /\
      Bsign (of_int m x) =
      match (x ?= 0)%Z with
      | Eq => false
      | Lt => true
      | Gt => false
      end.
Proof.
  intros m x h1.
  generalize (binary_normalize_correct sb emax Hsb' Hemax' m x 0 false).
  simpl.
  rewrite Rlt_bool_true.
  - intro; destruct H; destruct H0.
    rewrite IZR_alt in H1.
    split.
    rewrite IZR_alt in H; auto.
    split; auto.
    rewrite <- Rcompare_IZR.
    exact H1.

  - apply no_overflow_Rabs_round_emax.
    rewrite IZR_alt; apply h1.
Qed.

(* Why3 goal *)
Lemma Bounded_real_no_overflow :
  forall (m:ieee_float.RoundingMode.mode) (x:Reals.Rdefinitions.R),
  in_range x -> no_overflow m x.
Proof.
intros m x h1.
rewrite no_overflow_Rabs_round_max_real.
apply abs_round_le_generic.
apply fexp_Valid.
apply valid_rnd_round_mode.
apply max_real_generic_format.
rewrite Abs.Abs_le; easy.
Qed.

(* Why3 goal *)
Lemma Round_monotonic :
  forall (m:ieee_float.RoundingMode.mode) (x:Reals.Rdefinitions.R)
    (y:Reals.Rdefinitions.R),
  (x <= y)%R -> ((round m x) <= (round m y))%R.
Proof.
  intros m x y h1.
  apply round_le.
  apply fexp_Valid.
  apply valid_rnd_round_mode.
  apply h1.
Qed.

Lemma round_lt : forall {x y} {m:mode}, round m x < round m y -> x < y.
Proof.
  intros x y m h.
  case (Rlt_dec x y); auto.
  intro.
  apply Rnot_lt_le in n.
  apply (Round_monotonic m) in n.
  apply RIneq.Rle_not_lt in n.
  contradict h; assumption.
Qed.

(* Why3 goal *)
Lemma Round_idempotent :
  forall (m1:ieee_float.RoundingMode.mode) (m2:ieee_float.RoundingMode.mode)
    (x:Reals.Rdefinitions.R),
  ((round m1 (round m2 x)) = (round m2 x)).
Proof with auto with typeclass_instances.
intros m1 m2 x.
apply round_generic...
apply generic_format_round...
Qed.

(* Why3 goal *)
Lemma Round_to_real :
  forall (m:ieee_float.RoundingMode.mode) (x:t), is_finite x ->
  ((round m (to_real x)) = (to_real x)).
Proof with auto with typeclass_instances.
intros m x h.
apply round_generic...
apply generic_format_B2R.
Qed.

(* Why3 goal *)
Lemma Round_down_le :
  forall (x:Reals.Rdefinitions.R),
  ((round ieee_float.RoundingMode.RTN x) <= x)%R.
Proof with auto with typeclass_instances.
intros x.
apply round_DN_pt...
Qed.

(* Why3 goal *)
Lemma Round_up_ge :
  forall (x:Reals.Rdefinitions.R),
  (x <= (round ieee_float.RoundingMode.RTP x))%R.
Proof with auto with typeclass_instances.
intros x.
apply round_UP_pt...
Qed.

(* Why3 goal *)
Lemma Round_down_neg :
  forall (x:Reals.Rdefinitions.R),
  ((round ieee_float.RoundingMode.RTN (-x)%R) =
   (-(round ieee_float.RoundingMode.RTP x))%R).
Proof.
intros x.
apply round_opp.
Qed.

(* Why3 goal *)
Lemma Round_up_neg :
  forall (x:Reals.Rdefinitions.R),
  ((round ieee_float.RoundingMode.RTP (-x)%R) =
   (-(round ieee_float.RoundingMode.RTN x))%R).
Proof.
intros x.
pattern x at 2 ; rewrite <- Ropp_involutive.
rewrite Round_down_neg.
now rewrite Ropp_involutive.
Qed.

(* Why3 goal *)
Definition pow2sb : Numbers.BinNums.Z.
Proof.
  exact (Zpower 2 sb).
Defined.

(* Why3 goal *)
Lemma pow2sb1 : (pow2sb = (bv.Pow2int.pow2 sb)).
Proof.
  now rewrite two_p_equiv.
Qed.

(* Why3 assumption *)
Definition in_safe_int_range (i:Numbers.BinNums.Z) : Prop :=
  ((-pow2sb)%Z <= i)%Z /\ (i <= pow2sb)%Z.

Lemma max_rep_int_bounded: SpecFloat.bounded sb emax (shift_pos (sb_pos - 1) 1) 1 = true.
Proof.
  unfold SpecFloat.bounded.
  apply Bool.andb_true_iff; split.
  unfold SpecFloat.canonical_mantissa.
  apply Zeq_bool_true.
  rewrite Digits.Zpos_digits2_pos, shift_pos_correct.
  rewrite Zmult_1_r, Z.pow_pos_fold.
  rewrite Digits.Zdigits_Zpower by easy.
  rewrite Pos2Z.inj_sub by exact sb_gt_1.
  fold sb.
  unfold SpecFloat.fexp, FLT_exp, SpecFloat.emin.
  replace (sb - 1 + 1 + 1 - sb)%Z with 1%Z by ring.
  apply Z.max_l.
  pose sb_gt_1; pose Hemax'; lia.
  apply Zle_bool_true.
  pose Hemax'; pose Hsbb; lia.
Qed.

Definition Bmax_rep_int: t.
Proof.
  exact (B754_finite false _ _ max_rep_int_bounded).
Defined.

Lemma IZR_pow2sb: IZR pow2sb = bpow radix2 sb.
Proof.
  easy.
Qed.

Lemma Bmax_rep_int_to_real: to_real Bmax_rep_int = IZR pow2sb.
Proof.
  rewrite IZR_pow2sb.
  unfold B2R; simpl.
  rewrite shift_pos_correct.
  rewrite Z.pow_pos_fold.
  unfold F2R.
  unfold Fnum, Fexp.
  rewrite Zmult_1_r.
  change 2%Z with (radix_val radix2).
  rewrite IZR_Zpower by easy.
  rewrite <-bpow_plus.
  rewrite Pos2Z.inj_sub by exact sb_gt_1.
  replace (Z.pos sb_pos - 1 + 1)%Z with (Z.pos sb_pos).
  reflexivity.
  ring.
Qed.

Lemma pow2sb_lt_max_int: (pow2sb <= max_int)%Z.
Proof.
  apply le_IZR.
  rewrite <-max_real_int, <-Bmax_rep_int_to_real.
  now apply is_finite1.
Qed.

Lemma rep_int_in_range:
  forall i, (- pow2sb <= i <= pow2sb)%Z ->
            in_range (IZR i).
Proof.
  intros.
  rewrite <-Z.abs_le in H.
  pose (IZR_le _ _ H).
  rewrite <-Rabs_Zabs in r.
  unfold in_range.
  apply Rabs_le_inv.
  apply Rle_trans with (r2 := IZR pow2sb); auto.

  rewrite <-Bmax_rep_int_to_real, <-max_value_to_real.
  apply le_to_real; try easy.

  assert (is_finite Bmax_rep_int) by easy.
  pose (bounded_floats _ H0).
  rewrite le_correct.
  easy.
Qed.

(* Why3 goal *)
Lemma Exact_rounding_for_integers :
  forall (m:ieee_float.RoundingMode.mode) (i:Numbers.BinNums.Z),
  in_safe_int_range i -> ((round m (BuiltIn.IZR i)) = (BuiltIn.IZR i)).
Proof with auto with typeclass_instances.
intros m z Hz.
apply round_generic...
assert (Z.abs z <= pow2sb)%Z.
apply Z.abs_le with (1:=Hz).
destruct (Zle_lt_or_eq _ _ H) as [Bz|Bz] ; clear H Hz.
apply generic_format_FLT.
exists (Float radix2 z 0).
unfold F2R ; simpl.
now rewrite Rmult_1_r.
easy.
simpl; unfold emin; generalize Hsb' Hemax'; lia.
unfold pow2sb in Bz.
change 2%Z with (radix_val radix2) in Bz.
apply generic_format_abs_inv.
rewrite <- abs_IZR, Bz, IZR_Zpower.
apply generic_format_bpow.
unfold FLT_exp, emin.
clear Bz; generalize Hsb' Hemax'.
lia.
apply Zlt_le_weak.
apply Hsb'.
Qed.

Lemma in_safe_int_range_no_overflow : forall m {i}, in_safe_int_range i -> no_overflow m (IZR i).
Proof.
  intros m i h.
  apply Bounded_real_no_overflow.
  unfold in_safe_int_range in h.
  unfold in_range.
  rewrite max_real_int, <- FromInt.Neg.
  pose proof pow2sb_lt_max_int.
  split; apply IZR_le; auto with zarith.
Qed.

(* Why3 assumption *)
Definition same_sign (x:t) (y:t) : Prop :=
  is_positive x /\ is_positive y \/ is_negative x /\ is_negative y.

Hint Unfold same_sign.

Lemma same_sign_refl: forall {x}, ~ is_nan x -> same_sign x x.
Proof.
  unfold is_nan, same_sign.
  intros x h.
  destruct x; try easy; try (destruct s; now auto).
  now contradict h.
Qed.

(* Why3 assumption *)
Definition diff_sign (x:t) (y:t) : Prop :=
  is_positive x /\ is_negative y \/ is_negative x /\ is_positive y.

Hint Unfold same_sign.

(* Why3 goal *)
Lemma feq_eq :
  forall (x:t) (y:t), is_finite x -> is_finite y -> ~ is_zero x -> eq x y ->
  (x = y).
Proof.
intros x y h1 h2 h3 h4.
destruct x, y; try easy.

destruct s, s0; try easy.
destruct s, s0; try easy.

revert h3 h4.
case (Bool.bool_dec s s0); intro h; [rewrite h;clear h|destruct s, s0; try easy; destruct h;reflexivity].
intros h3 h4. clear h1.

destruct (Z_dec e e1) as [He|He].

- unfold eq, Bcompare in h4; simpl in h4.
  destruct He.
  rewrite (Zcompare_Lt _ _ l) in h4.
  destruct s, s0; try easy.
  rewrite (Zcompare_Gt _ _ (Z.gt_lt _ _ g)) in h4.
  destruct s, s0; try easy.

- destruct He.
  case (Pos.eq_dec m m0); intro.
  + destruct e1.
    assert (forall x y: bool, x = y \/ x <> y) by
        (intros; case (Bool.bool_dec x y); auto).
    destruct (Eqdep_dec.eq_proofs_unicity H e0 e2).
    reflexivity.

  + unfold eq, Bcompare in h4; simpl in h4.
    destruct s0.
    * rewrite Z.compare_refl, Some_ext, Pos.compare_cont_antisym in h4.
      rewrite (Pos.compare_eq _ _ h4) in n.
      destruct n; reflexivity.

    * rewrite Z.compare_refl, Some_ext in h4.
      rewrite (Pos.compare_eq _ _ h4) in n.
      destruct n; reflexivity.
Qed.

Lemma to_real_refl: forall {x:t} {y:t}, is_finite x -> is_finite y ->
                                        to_real x = to_real y -> same_sign x y ->
                                        x = y.
Proof.
  intros x y h1 h2 h3 h4.
  destruct x, y; try easy.
  + destruct s, s0, h4; easy.
  + symmetry in h3.
    apply eq_0_F2R in h3.
    destruct s0; contradict h3; easy.
  + apply eq_0_F2R in h3.
    destruct s; contradict h3; easy.
  + apply feq_eq; auto.
    rewrite eq_zero_iff; intro.
    destruct H; easy.
    apply to_real_eq; auto.
Qed.

(* Why3 goal *)
Lemma eq_feq :
  forall (x:t) (y:t), is_finite x -> is_finite y -> (x = y) -> eq x y.
Proof.
intros x y h1 h2 h3.
rewrite h3.
apply (eq_not_nan_refl (is_finite_not_nan h2)).
Qed.

(* Why3 goal *)
Lemma eq_refl : forall (x:t), is_finite x -> eq x x.
Proof.
intros x h1.
apply (eq_not_nan_refl (is_finite_not_nan h1)).
Qed.

(* Why3 goal *)
Lemma eq_sym : forall (x:t) (y:t), eq x y -> eq y x.
Proof.
intros x y.
unfold eq; intro h; rewrite Bcompare_swap, h; easy.
Qed.

(* Why3 goal *)
Lemma eq_trans : forall (x:t) (y:t) (z:t), eq x y -> eq y z -> eq x z.
Proof.
  intros x y z h1 h2.
  destruct x, y, z; auto; try destruct s; try destruct s0; try destruct s1; auto; try easy;
  apply to_real_eq in h1; try (split;easy);
  apply to_real_eq in h2; try (split;easy);
  apply to_real_eq; try (split;easy);
  apply (eq_trans h1 h2).
Qed.

(* Why3 goal *)
Lemma eq_zero : eq zeroF (neg zeroF).
Proof.
easy.
Qed.

(* Why3 goal *)
Lemma eq_to_real_finite :
  forall (x:t) (y:t), is_finite x /\ is_finite y ->
  eq x y <-> ((to_real x) = (to_real y)).
Proof.
intros x y (h1,h2).
apply (to_real_eq h1 h2).
Qed.

(* Why3 goal *)
Lemma eq_special :
  forall (x:t) (y:t), eq x y ->
  is_not_nan x /\
  is_not_nan y /\
  (is_finite x /\ is_finite y \/
   is_infinite x /\ is_infinite y /\ same_sign x y).
Proof.
  intros x y h1.
  rewrite is_not_nan1, is_not_nan1.
  destruct (eq_not_nan h1) as (h2,h3).
  split; [auto|split;auto].
  destruct (not_nan _ h2); [left|right].
  - split; [apply i|apply (eq_finite_dist h1 i)].
  - split; [apply i|split;[apply (eq_infinite_dist h1 i)|]].
    destruct x, y; try destruct s; try destruct s0; auto; easy.
Qed.

(* Why3 goal *)
Lemma lt_finite :
  forall (x:t) (y:t), is_finite x /\ is_finite y ->
  lt x y <-> ((to_real x) < (to_real y))%R.
Proof.
intros x y (h1,h2).
unfold lt.
rewrite (Bcompare_correct _ _ x y h1 h2), Some_ext.
split; intro H; [apply (Rcompare_Lt_inv _ _ H)|
                 apply (Rcompare_Lt _ _ H)].
Qed.

(* Why3 goal *)
Lemma le_finite :
  forall (x:t) (y:t), is_finite x /\ is_finite y ->
  le x y <-> ((to_real x) <= (to_real y))%R.
Proof.
intros x y (h1,h2).
now apply le_to_real.
Qed.

Lemma lt_eq_trans : forall {x y z:t}, lt x y -> eq y z -> lt x z.
Proof.
  intros x y z h1 h2.
  destruct x, y, z; try easy; try (destruct s, s0, s1; easy).
  set (x:=B754_finite s m e e0);
    set (y:=B754_finite s0 m0 e1 e2);
    set (z:=B754_finite s1 m1 e3 e4); fold x y z in h1, h2.
  pose proof (Bcompare_correct sb emax x y).
  pose proof (Bcompare_correct sb emax y z).
  pose proof (Bcompare_correct sb emax x z).
  unfold lt in h1.
  rewrite H in h1 by easy; clear H.
  unfold eq in h2.
  rewrite H0 in h2 by easy; clear H0.
  unfold lt.
  rewrite H1 by easy; clear H1.
  apply f_equal, Rcompare_Lt.
  apply Rlt_le_trans with (B2R (B754_finite s0 m0 e1 e2)).
  + apply Rcompare_Lt_inv.
    now injection h1.
  + apply Rcompare_not_Gt_inv.
    inversion h1; inversion h2.
    destruct Rcompare; try easy.
    destruct Rcompare; try easy;
    simpl; rewrite H1; discriminate.
Qed.

Lemma eq_lt_trans : forall {x y z:t}, eq x y -> lt y z -> lt x z.
Proof.
  intros x y z h1 h2.
  destruct x, y, z; try easy; try (destruct s, s0, s1; easy).
  set (x:=B754_finite s m e e0);
    set (y:=B754_finite s0 m0 e1 e2);
    set (z:=B754_finite s1 m1 e3 e4); fold x y z in h1, h2.
  pose proof (Bcompare_correct sb emax x y).
  pose proof (Bcompare_correct sb emax y z).
  pose proof (Bcompare_correct sb emax x z).
  unfold eq in h1.
  unfold lt in h2.
  rewrite H in h1 by easy; clear H.
  rewrite H0 in h2 by easy; clear H0.
  unfold lt.
  rewrite H1 by easy; clear H1.
  apply f_equal, Rcompare_Lt.
  apply Rle_lt_trans with (B2R (B754_finite s0 m0 e1 e2)).
  + apply Rcompare_not_Gt_inv.
    inversion h1; inversion h2.
    destruct Rcompare; try easy;
    simpl; rewrite H0; discriminate.
  + apply Rcompare_Lt_inv.
    now injection h2.
Qed.

Lemma lt_lt_trans : forall {x y z:t}, lt x y -> lt y z -> lt x z.
Proof.
  intros x y z h1 h2.
  destruct x, y, z; try easy; try (destruct s, s0, s1; easy).
  set (x:=B754_finite s m e e0);
    set (y:=B754_finite s0 m0 e1 e2);
    set (z:=B754_finite s1 m1 e3 e4); fold x y z in h1, h2.
  pose proof (Bcompare_correct sb emax x y).
  pose proof (Bcompare_correct sb emax y z).
  pose proof (Bcompare_correct sb emax x z).
  unfold lt in h1, h2.
  rewrite H in h1 by easy; clear H.
  rewrite H0 in h2 by easy; clear H0.
  unfold lt.
  rewrite H1 by easy; clear H1.
  apply f_equal, Rcompare_Lt.
  apply Rlt_trans with (B2R (B754_finite s0 m0 e1 e2)).
  + apply Rcompare_Lt_inv.
    now injection h1.
  + apply Rcompare_Lt_inv.
    now injection h2.
Qed.

(* Why3 goal *)
Lemma le_lt_trans : forall (x:t) (y:t) (z:t), le x y /\ lt y z -> lt x z.
Proof.
  intros x y z (h,h1).
  apply le_correct in h.
  destruct h as [h|h].
  apply (lt_lt_trans h h1).
  apply (eq_lt_trans h h1).
Qed.

(* Why3 goal *)
Lemma lt_le_trans : forall (x:t) (y:t) (z:t), lt x y /\ le y z -> lt x z.
Proof.
  intros x y z (h1,h2).
  apply le_correct in h2.
  destruct h2 as [h2|h2].
  apply (lt_lt_trans h1 h2).
  apply (lt_eq_trans h1 h2).
Qed.

(* Why3 goal *)
Lemma le_ge_asym : forall (x:t) (y:t), le x y /\ le y x -> eq x y.
Proof.
intros x y.
unfold le, eq.
destruct x, y; intros (h,h1); auto; try easy; try (destruct s,s0,h,h1; easy).
set (x:=B754_finite s m e e0);
  set (y:=B754_finite s0 m0 e1 e2);
  fold x y in h, h1.
pose proof (Bcompare_correct sb emax x y).
pose proof (Bcompare_correct sb emax y x).
rewrite H in h by easy.
rewrite H0 in h1 by easy.
rewrite H by easy.
f_equal.
apply Rcompare_Eq.
apply Rle_antisym.
+ apply Rcompare_not_Gt_inv.
  now destruct Rcompare.
+ apply Rcompare_not_Gt_inv.
  now destruct (Rcompare (B2R y) (B2R x)).
Qed.

Lemma Some_ext_op: forall {T} (a b:T), Some a <> Some b <-> a <> b.
Proof.
  intros; split; intro H.
  intro h.
  apply (H (f_equal _ h)).
  intro h; injection h; auto.
Qed.

(* Why3 goal *)
Lemma not_lt_ge :
  forall (x:t) (y:t), ~ lt x y /\ is_not_nan x /\ is_not_nan y -> le y x.
Proof.
  intros x y.
  rewrite is_not_nan1; rewrite is_not_nan1.
  unfold is_nan.
  destruct x, y; intros (h,(h1,h2)); try (try destruct s; try destruct s0; try easy; elim h1; auto; easy).
  revert h.
  unfold le, lt.
  rewrite Bcompare_swap.
  rewrite Bcompare_correct by easy.
  now destruct Rcompare as [| |].
Qed.

(* Why3 goal *)
Lemma not_gt_le :
  forall (x:t) (y:t), ~ lt y x /\ is_not_nan x /\ is_not_nan y -> le x y.
Proof.
  intros x y.
  rewrite is_not_nan1; rewrite is_not_nan1.
  unfold is_nan.
  destruct x, y; intros (h,(h1,h2)); auto; try (try destruct s; try destruct s0; try easy; elim h1; auto; easy).
  revert h.
  unfold le, lt.
  rewrite Bcompare_swap.
  rewrite Bcompare_correct by easy.
  now destruct Rcompare as [| |].
Qed.

(* Why3 goal *)
Lemma le_special :
  forall (x:t) (y:t), le x y ->
  is_finite x /\ is_finite y \/
  is_minus_infinity x /\ is_not_nan y \/ is_not_nan x /\ is_plus_infinity y.
Proof.
  intros x y h.
  rewrite is_not_nan1; rewrite is_not_nan1.
  unfold le in h.
  unfold is_nan, is_finite.
  destruct x, y; auto; try easy; try (destruct s, s0; auto; destruct h; auto; easy).
  - right; right. destruct s0, h; split; easy.
  - right; left. destruct s, h; split; easy.
  - right. destruct s, s0, h; try easy.
    + left; split; easy.
    + left; split; easy.
    + right; split; easy.
  - right; left. destruct s, h; split; easy.
  - right; right. destruct s, s0, h; split; easy.
Qed.

(* Why3 goal *)
Lemma lt_special :
  forall (x:t) (y:t), lt x y ->
  is_finite x /\ is_finite y \/
  is_minus_infinity x /\ is_not_nan y /\ ~ is_minus_infinity y \/
  is_not_nan x /\ ~ is_plus_infinity x /\ is_plus_infinity y.
Proof.
  intros x y h.
  rewrite is_not_nan1; rewrite is_not_nan1.
  unfold lt in h.
  unfold is_nan, is_finite.
  unfold is_plus_infinity, is_minus_infinity.
  destruct x, y; auto; try easy; try (destruct s, s0; easy).

  - right; right. destruct s0; split; try split; easy.
  - right; left. destruct s; split; try split; easy.
  - right; right. destruct s, s0; split; try split; easy.
  - right; left. destruct s; split; try split; easy.
  - right; right. destruct s, s0; split; try split; easy.
Qed.

(* Why3 goal *)
Lemma lt_lt_finite :
  forall (x:t) (y:t) (z:t), lt x y -> lt y z -> is_finite y.
Proof.
intros x y z h1 h2.
destruct x, y, z; try easy; destruct s, s0, s1; easy.
Qed.

(* Why3 goal *)
Lemma positive_to_real :
  forall (x:t), is_finite x -> is_positive x -> (0%R <= (to_real x))%R.
Proof.
  intros x h1 h2.
  assert (is_finite zeroF) as zero_is_finite by easy.
  rewrite <-zeroF_to_real; apply (le_to_real _ _ zero_is_finite h1).
  apply le_correct.
  generalize (is_positive_correct x); intro H. destruct H, H; auto.
  rewrite H; auto.
Qed.

Lemma non_zero_positive_to_real : forall {x:t},
    is_finite x -> ~ is_zero x -> is_positive x ->
     0 < to_real x.
Proof.
  intros x h1 h2 h3.
  rewrite <-zeroF_to_real; apply lt_finite.
  split; easy.
  destruct x; try easy.
  contradict h2; easy.
  simpl in h3.
  destruct s; simpl; easy.
Qed.

Lemma is_positive_to_int: forall {x} {m:mode}, is_finite x -> is_positive x -> (0 <= to_int m x)%Z.
Proof.
  intros x m h h1.
  rewrite <-(to_int_zeroF m).
  destruct (valid_rnd_round_mode m) as (h2,_).
  destruct m; simpl in h2; apply h2; now apply positive_to_real.
Qed.

(* Why3 goal *)
Lemma to_real_positive :
  forall (x:t), is_finite x -> (0%R < (to_real x))%R -> is_positive x.
Proof.
  intros x h1 h2.
  assert (is_finite zeroF) as zero_is_finite by easy.
  rewrite <-zeroF_to_real, <-(lt_finite _ _ (conj zero_is_finite h1)) in h2.
  generalize (is_positive_correct x); intro H; destruct H; auto.
Qed.

(* Why3 goal *)
Lemma negative_to_real :
  forall (x:t), is_finite x -> is_negative x -> ((to_real x) <= 0%R)%R.
Proof.
  intros x h1 h2.
  assert (is_finite zeroF) as zero_is_finite by easy.
  rewrite <-zeroF_to_real; apply (le_to_real _ _ h1 zero_is_finite).
  apply le_correct.
  generalize (is_negative_correct x); intro H; destruct H, H; auto.
  rewrite H; auto.
Qed.

Lemma non_zero_negative_to_real : forall {x:t},
    is_finite x -> ~ is_zero x -> is_negative x ->
     to_real x < 0.
Proof.
  intros x h1 h2 h3.
  rewrite <-zeroF_to_real; apply lt_finite.
  split; easy.
  destruct x; try easy.
  contradict h2; easy.
  simpl in h3.
  destruct s; simpl; easy.
Qed.

Lemma is_negative_to_int: forall {x} {m:mode}, is_finite x -> is_negative x -> (to_int m x <= 0)%Z.
Proof.
  intros x m h h1.
  rewrite <-(to_int_zeroF m).
  destruct (valid_rnd_round_mode m) as (h2,_).
  destruct m; simpl in h2; apply h2; now apply negative_to_real.
Qed.

(* Why3 goal *)
Lemma to_real_negative :
  forall (x:t), is_finite x -> ((to_real x) < 0%R)%R -> is_negative x.
Proof.
  intros x h1 h2.
  assert (is_finite zeroF) as zero_is_finite by easy.
  rewrite <-zeroF_to_real, <-(lt_finite _ _ (conj h1 zero_is_finite)) in h2.
  generalize (is_negative_correct x); intro H; destruct H; auto.
Qed.

(* Why3 goal *)
Lemma negative_xor_positive :
  forall (x:t), ~ (is_positive x /\ is_negative x).
Proof.
intros x.
destruct x; try destruct s; easy.
Qed.

(* Why3 goal *)
Lemma negative_or_positive :
  forall (x:t), is_not_nan x -> is_positive x \/ is_negative x.
Proof.
intros x h1.
destruct x; try destruct s; simpl; auto; now elim h1.
Qed.

(* Why3 goal *)
Lemma diff_sign_trans :
  forall (x:t) (y:t) (z:t), diff_sign x y /\ diff_sign y z -> same_sign x z.
Proof.
  unfold diff_sign, same_sign.
  intros x y z (h1,h2).
  pose proof (negative_xor_positive y) as H.
  destruct h1 as [(h,h1)|(h,h1)], h2 as [(h2,h3)|(h2,h3)].
  - contradict H; split; easy.
  - left; split; easy.
  - right; split; easy.
  - contradict H; split; easy.
Qed.

(* Why3 goal *)
Lemma diff_sign_product :
  forall (x:t) (y:t),
  is_finite x /\ is_finite y /\ (((to_real x) * (to_real y))%R < 0%R)%R ->
  diff_sign x y.
Proof.
intros x y (h1,(h2,h3)).
unfold diff_sign.
case (Rcase_abs (to_real y)); intro; [left|right].
- split; [apply to_real_positive; try easy|apply to_real_negative; easy].
  apply Rmult_lt_reg_r with (r := (-to_real y)); lra.
- destruct r.
  + split; [apply to_real_negative; try easy|apply to_real_positive; easy].
    apply Rmult_lt_reg_r with (r := (to_real y)); lra.
  + rewrite H in h3; lra.
Qed.

(* Why3 goal *)
Lemma same_sign_product :
  forall (x:t) (y:t), is_finite x /\ is_finite y /\ same_sign x y ->
  (0%R <= ((to_real x) * (to_real y))%R)%R.
Proof.
intros x y (h1,(h2,h3)).
unfold same_sign in h3.
destruct h3 as [(h3,h4)|(h3,h4)].
- apply (positive_to_real _ h1) in h3.
  apply (positive_to_real _ h2) in h4.
  apply Rmult_le_pos; auto.
- apply (negative_to_real _ h1) in h3.
  apply (negative_to_real _ h2) in h4.
  rewrite <-Rmult_opp_opp.
  apply Rmult_le_pos; lra.
Qed.

(* Why3 assumption *)
Definition product_sign (z:t) (x:t) (y:t) : Prop :=
  (same_sign x y -> is_positive z) /\ (diff_sign x y -> is_negative z).

(* Why3 assumption *)
Definition overflow_value (m:ieee_float.RoundingMode.mode) (x:t) : Prop :=
  match m with
  | ieee_float.RoundingMode.RTN =>
      (is_positive x -> is_finite x /\ ((to_real x) = max_real)) /\
      (~ is_positive x -> is_infinite x)
  | ieee_float.RoundingMode.RTP =>
      (is_positive x -> is_infinite x) /\
      (~ is_positive x -> is_finite x /\ ((to_real x) = (-max_real)%R))
  | ieee_float.RoundingMode.RTZ =>
      (is_positive x -> is_finite x /\ ((to_real x) = max_real)) /\
      (~ is_positive x -> is_finite x /\ ((to_real x) = (-max_real)%R))
  | ieee_float.RoundingMode.RNA|ieee_float.RoundingMode.RNE => is_infinite x
  end.

(* Why3 assumption *)
Definition sign_zero_result (m:ieee_float.RoundingMode.mode) (x:t) : Prop :=
  is_zero x ->
  match m with
  | ieee_float.RoundingMode.RTN => is_negative x
  | _ => is_positive x
  end.

(* Why3 goal *)
Lemma add_finite :
  forall (m:ieee_float.RoundingMode.mode) (x:t) (y:t), is_finite x ->
  is_finite y -> no_overflow m ((to_real x) + (to_real y))%R ->
  is_finite (add m x y) /\
  ((to_real (add m x y)) = (round m ((to_real x) + (to_real y))%R)).
Proof.
intros m x y h1 h2 h3.
generalize (Bplus_correct sb emax Hsb'' Hemax' m x y h1 h2); rewrite Rlt_bool_true.
intro; split; easy.
apply (in_range_bpow_radix2_emax _ h3).
Qed.

(* Why3 goal *)
Lemma add_finite_rev :
  forall (m:ieee_float.RoundingMode.mode) (x:t) (y:t),
  is_finite (add m x y) -> is_finite x /\ is_finite y.
Proof.
intros m x y h1.
destruct x, y; try easy; destruct s, s0; try easy;
  simpl in h1; unfold is_finite in h1; now rewrite is_finite_build_nan in h1.
Qed.

(* Why3 goal *)
Lemma add_finite_rev_n :
  forall (m:ieee_float.RoundingMode.mode) (x:t) (y:t),
  ieee_float.RoundingMode.to_nearest m -> is_finite (add m x y) ->
  no_overflow m ((to_real x) + (to_real y))%R /\
  ((to_real (add m x y)) = (round m ((to_real x) + (to_real y))%R)).
Proof.
intros m x y h1 h2.
destruct (add_finite_rev m x y h2).
assert (no_overflow m (to_real x + to_real y)).
2: split; [easy|apply add_finite; easy].
pose proof max_real_ge_6.
destruct x, y; try easy; try (rewrite B754_zero_to_real).
apply Bounded_real_no_overflow; rewrite (@B754_zero_to_real s0); split; lra.
apply Bounded_real_no_overflow; rewrite Rplus_0_l; apply is_finite1; auto.
apply Bounded_real_no_overflow; rewrite Rplus_0_r; apply is_finite1; auto.
set (x := B754_finite s m0 e e0).
set (y := B754_finite s0 m1 e1 e2).
fold x y in h2, H, H0.
destruct (Rlt_le_dec (Rabs (round m (to_real x + to_real y))) (bpow radix2 emax)).
rewrite no_overflow_Rabs_round_emax; assumption.
pose proof (Bplus_correct sb emax Hsb'' Hemax' m x y H H0).
change (Bplus m) with (add m) in H2.
rewrite Rlt_bool_false in H2; auto.
destruct m, h1; try easy.
destruct (add RNE x y); easy.
destruct (add RNA x y); easy.
Qed.

(* Why3 goal *)
Lemma sub_finite :
  forall (m:ieee_float.RoundingMode.mode) (x:t) (y:t), is_finite x ->
  is_finite y -> no_overflow m ((to_real x) - (to_real y))%R ->
  is_finite (sub m x y) /\
  ((to_real (sub m x y)) = (round m ((to_real x) - (to_real y))%R)).
Proof.
intros m x y h1 h2 h3.
generalize (Bminus_correct sb emax Hsb'' Hemax' m x y h1 h2); rewrite Rlt_bool_true.
intro; split; easy.
apply (in_range_bpow_radix2_emax _ h3).
Qed.

(* Why3 goal *)
Lemma sub_finite_rev :
  forall (m:ieee_float.RoundingMode.mode) (x:t) (y:t),
  is_finite (sub m x y) -> is_finite x /\ is_finite y.
Proof.
  intros m x y h1.
  destruct x, y; try easy; destruct s, s0; try easy;
    simpl in h1; unfold is_finite in h1; now rewrite is_finite_build_nan in h1.
Qed.

(* Why3 goal *)
Lemma sub_finite_rev_n :
  forall (m:ieee_float.RoundingMode.mode) (x:t) (y:t),
  ieee_float.RoundingMode.to_nearest m -> is_finite (sub m x y) ->
  no_overflow m ((to_real x) - (to_real y))%R /\
  ((to_real (sub m x y)) = (round m ((to_real x) - (to_real y))%R)).
Proof.
intros m x y h1 h2.
destruct (sub_finite_rev m x y h2).
assert (no_overflow m (to_real x - to_real y)).
2: split; [easy|apply sub_finite; easy].
pose proof max_real_ge_6.
destruct x, y; try easy; try (rewrite B754_zero_to_real).
apply Bounded_real_no_overflow; rewrite (@B754_zero_to_real s0); split; lra.
apply Bounded_real_no_overflow.
unfold to_real.
rewrite Rminus_0_l, <- B2R_Bopp.
apply is_finite1, is_finite_Bopp.
apply Bounded_real_no_overflow; rewrite Rminus_0_r; apply is_finite1; auto.
set (x := B754_finite s m0 e e0).
set (y := B754_finite s0 m1 e1 e2).
fold x y in h2, H, H0.
destruct (Rlt_le_dec (Rabs (round m (to_real x - to_real y))) (bpow radix2 emax)).
rewrite no_overflow_Rabs_round_emax; assumption.
pose proof (Bminus_correct sb emax Hsb'' Hemax' m x y H H0).
change (Bminus m) with (sub m) in H2.
rewrite Rlt_bool_false in H2; auto.
destruct m, h1; try easy.
destruct (sub RNE x y); easy.
destruct (sub RNA x y); easy.
Qed.

(* Why3 goal *)
Lemma mul_finite :
  forall (m:ieee_float.RoundingMode.mode) (x:t) (y:t), is_finite x ->
  is_finite y -> no_overflow m ((to_real x) * (to_real y))%R ->
  is_finite (mul m x y) /\
  ((to_real (mul m x y)) = (round m ((to_real x) * (to_real y))%R)).
Proof.
intros m x y h1 h2 h3.
generalize (Bmult_correct sb emax Hsb'' Hemax' m x y); rewrite Rlt_bool_true, h1, h2.
intro; split; easy.
apply (in_range_bpow_radix2_emax _ h3).
Qed.

(* Why3 goal *)
Lemma mul_finite_rev :
  forall (m:ieee_float.RoundingMode.mode) (x:t) (y:t),
  is_finite (mul m x y) -> is_finite x /\ is_finite y.
Proof.
  intros m x y h1.
  destruct x, y; try easy; destruct s, s0; try easy;
    simpl in h1; unfold is_finite in h1; now rewrite is_finite_build_nan in h1.
Qed.

(* Why3 goal *)
Lemma mul_finite_rev_n :
  forall (m:ieee_float.RoundingMode.mode) (x:t) (y:t),
  ieee_float.RoundingMode.to_nearest m -> is_finite (mul m x y) ->
  no_overflow m ((to_real x) * (to_real y))%R /\
  ((to_real (mul m x y)) = (round m ((to_real x) * (to_real y))%R)).
Proof.
intros m x y h1 h2.
destruct (mul_finite_rev m x y h2).
assert (no_overflow m (to_real x * to_real y)).
2: split; [easy|apply mul_finite; easy].
pose proof max_real_ge_6.
destruct x, y; try easy; try (rewrite B754_zero_to_real).
apply Bounded_real_no_overflow; rewrite (@B754_zero_to_real s0); split; lra.
unfold no_overflow; rewrite Rmult_0_l, <-zeroF_to_real, Round_to_real, zeroF_to_real; auto; split; lra.
unfold no_overflow; rewrite Rmult_0_r, <-zeroF_to_real, Round_to_real, zeroF_to_real; auto; split; lra.
set (x := B754_finite s m0 e e0).
set (y := B754_finite s0 m1 e1 e2).
fold x y in h2, H, H0.
destruct (Rlt_le_dec (Rabs (round m (to_real x * to_real y))) (bpow radix2 emax)).
rewrite no_overflow_Rabs_round_emax; assumption.
pose proof (Bmult_correct sb emax Hsb'' Hemax' m x y).
change (Bmult m) with (mul m) in H2.
rewrite Rlt_bool_false in H2; auto.
destruct m, h1; try easy.
destruct (mul RNE x y); easy.
destruct (mul RNA x y); easy.
Qed.

(* Why3 goal *)
Lemma div_finite :
  forall (m:ieee_float.RoundingMode.mode) (x:t) (y:t), is_finite x ->
  is_finite y -> ~ is_zero y ->
  no_overflow m ((to_real x) / (to_real y))%R ->
  is_finite (div m x y) /\
  ((to_real (div m x y)) = (round m ((to_real x) / (to_real y))%R)).
Proof.
  intros m x y h1 h2 h3 h4.
  assert (is_finite zeroF) as zero_is_finite by easy.
  rewrite (to_real_eq zero_is_finite h2) in h3.
  apply not_eq_sym in h3.
  generalize (Bdiv_correct sb emax Hsb'' Hemax' m x y h3); rewrite Rlt_bool_true, h1.
  intro; split; easy.
  apply (in_range_bpow_radix2_emax _ h4).
Qed.

(* Why3 goal *)
Lemma div_finite_rev :
  forall (m:ieee_float.RoundingMode.mode) (x:t) (y:t),
  is_finite (div m x y) ->
  is_finite x /\ is_finite y /\ ~ is_zero y \/
  is_finite x /\ is_infinite y /\ ((to_real (div m x y)) = 0%R).
Proof.
  intros m x y h1.
  destruct x, y; try easy;
    simpl in h1; unfold is_finite in h1; try now rewrite is_finite_build_nan in h1.
  right; destruct s, s0; easy.
  left; destruct s, s0; split; try split; easy.
  right; destruct s, s0; split; try split; easy.
  left; destruct s, s0; split; try split; easy.
Qed.

(* Why3 goal *)
Lemma div_finite_rev_n :
  forall (m:ieee_float.RoundingMode.mode) (x:t) (y:t),
  ieee_float.RoundingMode.to_nearest m -> is_finite (div m x y) ->
  is_finite y ->
  no_overflow m ((to_real x) / (to_real y))%R /\
  ((to_real (div m x y)) = (round m ((to_real x) / (to_real y))%R)).
Proof.
  intros m x y h1 h2 h3.
  destruct (div_finite_rev m x y h2) as [(h4,(h5,h6))|(h4,(h5,h6))].
  + assert (no_overflow m (to_real x / to_real y)).
    2: split; [easy|apply div_finite; easy].
    pose proof max_real_ge_6.
    destruct x, y; try easy; try (rewrite B754_zero_to_real).
    rewrite Real.infix_sl'def, Rmult_0_l.
    apply Bounded_real_no_overflow; split; lra.
    set (x := B754_finite s m0 e e0).
    set (y := B754_finite s0 m1 e1 e2).
    fold x y in h2, h3,h4,h5,h6.
    destruct (Rlt_le_dec (Rabs (round m (to_real x / to_real y))) (bpow radix2 emax)).
    rewrite no_overflow_Rabs_round_emax; assumption.
    assert (to_real y <> 0) by (rewrite zero_to_real in h6; auto).
    pose proof (Bdiv_correct sb emax Hsb'' Hemax' m x y H0).
    change (Bdiv m) with (div m) in H1.
    rewrite Rlt_bool_false in H1; auto.
    destruct m, h1; try easy.
    destruct (div RNE x y); easy.
    destruct (div RNA x y); easy.
  + destruct y; easy.
Qed.

(* Why3 goal *)
Lemma neg_finite :
  forall (x:t), is_finite x ->
  is_finite (neg x) /\ ((to_real (neg x)) = (-(to_real x))%R).
Proof.
intros x h1.
split.
unfold neg, is_finite.
rewrite is_finite_Bopp; apply h1.
apply B2R_Bopp.
Qed.

(* Why3 goal *)
Lemma neg_finite_rev :
  forall (x:t), is_finite (neg x) ->
  is_finite x /\ ((to_real (neg x)) = (-(to_real x))%R).
Proof.
  intros x h1.
  assert (is_finite x) by now destruct x.
  split; [easy| apply neg_finite; auto].
Qed.

(* Why3 goal *)
Lemma abs_finite :
  forall (x:t), is_finite x ->
  is_finite (abs x) /\
  ((to_real (abs x)) = (Reals.Rbasic_fun.Rabs (to_real x))) /\
  is_positive (abs x).
Proof.
  intros x h1.
  pose proof (is_finite_abs x h1).
  split;[assumption|split].
  apply B2R_Babs.
  pose proof (is_finite_not_nan h1).
  pose proof (Bsign_Babs sb emax x).
  apply is_positive_Bsign.
  apply (is_finite_not_nan H).
  apply H1.
Qed.

(* add to theory ? *)
Lemma abs_le: forall {x y}, le (neg y) x /\ le x y -> le (abs x) y.
Proof.
  intros x y.
  destruct (Finite_Infinite_Nan_dec y) as [[hy|hy]|hy].
  + destruct (Finite_Infinite_Nan_dec x) as [[hx|hx]|hx].

    * pose proof (is_finite_abs _ hx).
      destruct (neg_finite _ hy).
      rewrite (le_to_real (abs x) y) by auto.
      rewrite (le_to_real (neg y) x) by auto.
      rewrite le_to_real by auto.
      rewrite H1 by auto.
      destruct (abs_finite _ hx) as (_,(u,_)).
      rewrite u.
      apply Rabs_le.

    * intros (a,b).
      destruct (le_special _ _ b) as [H|[H|H]].
      - destruct x; easy.
      - pose proof (le_special _ _ a).
        unfold is_minus_infinity, is_plus_infinity in H0.
        destruct H0, H0, x, y; auto; try easy; destruct s, s0; auto.
      - destruct y; unfold is_plus_infinity in H; easy.

    * intros (a,b).
      destruct (le_special _ _ b) as [H|[H|H]];
        unfold is_minus_infinity in H;
        destruct x; easy.

  + intros (a,b).

    destruct (Finite_Infinite_Nan_dec x) as [[hx|hx]|hx].
    * destruct (le_special _ _ b) as [H|[H|H]].
      - destruct y; easy.
      - unfold is_minus_infinity in H; destruct x; easy.
      - destruct y, H as (H,(_,H')); try destruct s; try easy.
        assert (~ is_nan x) by (rewrite <-is_not_nan1; assumption).
        apply le_infinity.
        destruct x; easy.
    * destruct x, y; try easy.
      destruct s; try easy.
      now destruct s0.
    * now destruct x.

  + intros (_,a).
    destruct y; try easy.
    now destruct x.
Qed.

(* Why3 goal *)
Lemma abs_finite_rev :
  forall (x:t), is_finite (abs x) ->
  is_finite x /\ ((to_real (abs x)) = (Reals.Rbasic_fun.Rabs (to_real x))).
Proof.
intros x h1.
assert (is_finite x) by now destruct x.
split; [easy| apply abs_finite; auto].
Qed.

(* Why3 goal *)
Lemma abs_universal : forall (x:t), ~ is_negative (abs x).
Proof.
intros x.
now destruct x.
Qed.

(* Why3 goal *)
Lemma fma_finite :
  forall (m:ieee_float.RoundingMode.mode) (x:t) (y:t) (z:t), is_finite x ->
  is_finite y -> is_finite z ->
  no_overflow m (((to_real x) * (to_real y))%R + (to_real z))%R ->
  is_finite (fma m x y z) /\
  ((to_real (fma m x y z)) =
   (round m (((to_real x) * (to_real y))%R + (to_real z))%R)).
Proof.
intros m x y z h1 h2 h3 h4.
Admitted.

(* Why3 goal *)
Lemma fma_finite_rev :
  forall (m:ieee_float.RoundingMode.mode) (x:t) (y:t) (z:t),
  is_finite (fma m x y z) -> is_finite x /\ is_finite y /\ is_finite z.
Proof.
intros m x y z h1.
Admitted.

(* Why3 goal *)
Lemma fma_finite_rev_n :
  forall (m:ieee_float.RoundingMode.mode) (x:t) (y:t) (z:t),
  ieee_float.RoundingMode.to_nearest m -> is_finite (fma m x y z) ->
  no_overflow m (((to_real x) * (to_real y))%R + (to_real z))%R /\
  ((to_real (fma m x y z)) =
   (round m (((to_real x) * (to_real y))%R + (to_real z))%R)).
Proof.
intros m x y z h1 h2.
Admitted.

(* Why3 goal *)
Lemma sqrt_finite :
  forall (m:ieee_float.RoundingMode.mode) (x:t), is_finite x ->
  (0%R <= (to_real x))%R ->
  is_finite (sqrt m x) /\
  ((to_real (sqrt m x)) = (round m (Reals.R_sqrt.sqrt (to_real x)))).
Proof.
  intros m x h1 h2.
  destruct (Bsqrt_correct sb emax Hsb' Hemax' m x) as (g,(g1,g2)).
  split; auto.
  destruct x; try destruct s; try easy.
  contradict h2.
  apply Rlt_not_le, non_zero_negative_to_real; easy.
Qed.

(* Why3 goal *)
Lemma sqrt_finite_rev :
  forall (m:ieee_float.RoundingMode.mode) (x:t), is_finite (sqrt m x) ->
  is_finite x /\
  (0%R <= (to_real x))%R /\
  ((to_real (sqrt m x)) = (round m (Reals.R_sqrt.sqrt (to_real x)))).
Proof.
  intros m x h1.
  assert (is_finite x).
    destruct x; try destruct s ; try easy;
    simpl in h1; unfold is_finite in h1;
    now rewrite is_finite_build_nan in h1.
  split; [easy|].
  assert (0 <= to_real x).
  { destruct x ; try destruct s; try easy.
    apply Rle_refl.
    apply Rle_refl.
    now apply F2R_ge_0. }
  split; [easy| apply sqrt_finite; auto].
Qed.

(* Why3 assumption *)
Definition same_sign_real (x:t) (r:Reals.Rdefinitions.R) : Prop :=
  is_positive x /\ (0%R < r)%R \/ is_negative x /\ (r < 0%R)%R.

Lemma sign_FF_overflow : forall m b,
    sign_SF (binary_overflow sb emax m b) = b.
Proof.
  intros m b.
  unfold binary_overflow.
  destruct (overflow_to_inf m b); auto.
Qed.

Lemma sign_FF_B2FF : forall x:t, sign_SF (B2SF x) = Bsign x.
Proof.
  now destruct x.
Qed.

(* Why3 goal *)
Lemma add_special :
  forall (m:ieee_float.RoundingMode.mode) (x:t) (y:t),
  let r := add m x y in
  (is_nan x \/ is_nan y -> is_nan r) /\
  (is_finite x /\ is_infinite y -> is_infinite r /\ same_sign r y) /\
  (is_infinite x /\ is_finite y -> is_infinite r /\ same_sign r x) /\
  (is_infinite x /\ is_infinite y /\ same_sign x y ->
   is_infinite r /\ same_sign r x) /\
  (is_infinite x /\ is_infinite y /\ diff_sign x y -> is_nan r) /\
  (is_finite x /\
   is_finite y /\ ~ no_overflow m ((to_real x) + (to_real y))%R ->
   same_sign_real r ((to_real x) + (to_real y))%R /\ overflow_value m r) /\
  (is_finite x /\ is_finite y ->
   (same_sign x y -> same_sign r x) /\
   (~ same_sign x y -> sign_zero_result m r)).
Proof.
intros m x y r.
  unfold same_sign, diff_sign, same_sign, same_sign_real.
  split;[intro h|split;[intros (h,h1)|split;[intros (h,h1)|split;[intros (h,(h1,h2))|split;[intros (h,(h1,h2))|split;[intros (h,(h1,h2))|split;[intro h|intro h]]]]]]].
  - destruct x, y; try easy; destruct s, s0, h; easy.
  - destruct x, y; try easy; destruct s0; auto; easy.
  - destruct x, y; try easy; destruct s; auto; easy.
  - destruct x, y; try easy; destruct s, s0; destruct h2 as [(h2,h3)|(h2,h3)]; auto; easy.
  - destruct x, y; try easy; destruct s, s0; destruct h2 as [(h2,h3)|(h2,h3)]; auto; easy.
  - rewrite no_overflow_Rabs_round_max_real, Rabs_round_max_real_emax in h2.
    apply Rnot_lt_le in h2.
    pose proof (Bplus_correct sb emax Hsb' Hemax' m x y h h1).
    rewrite Rlt_bool_false in H by auto.
    destruct H.
    split.

    + destruct x, y; try easy.
      * destruct s, s0, m; simpl in H; easy.
      * rewrite B754_zero_to_real at 1 2.
        rewrite Rplus_0_l.
        rewrite <-(@B754_zero_to_real false) at 1 2.
        destruct s0;[right;split;[easy|]|left;split;[easy|]]; apply lt_finite; easy.
      * rewrite B754_zero_to_real at 1 2.
        rewrite Rplus_0_r.
        rewrite <-(@B754_zero_to_real false) at 1 2.
        destruct s;[right;split;[easy|]|left;split;[easy|]]; apply lt_finite; easy.
      * change (Bplus m (B754_finite s m0 e e0) (B754_finite s0 m1 e1 e2)) with r in H.
        pose proof (sign_FF_overflow m (Bsign (B754_finite s m0 e e0))).
        rewrite <-H in H1.
        rewrite sign_FF_B2FF in H1.
        simpl Bsign at 2 in H1.
        assert (~is_nan r).
        { simpl binary_overflow in H.
          unfold binary_overflow in H.
          destruct overflow_to_inf in H;
            destruct r; try easy;
              destruct n; easy. }

        simpl in H0. {
        destruct s;rewrite <-H0;[right|left]; split.

        - rewrite <-is_negative_Bsign in H1; auto.
        - assert (to_real (B754_finite true m0 e e0) < 0) by
              (apply non_zero_negative_to_real; easy).
          assert (to_real (B754_finite true m1 e1 e2) < 0) by
              (apply non_zero_negative_to_real; easy).
          lra.
        - rewrite <-is_positive_Bsign in H1; auto.
        - assert (0 < to_real (B754_finite false m0 e e0)) by
              (apply non_zero_positive_to_real; easy).
          assert (0 < to_real (B754_finite false m1 e1 e2)) by
              (apply non_zero_positive_to_real; easy).
          lra. }

    + change (Bplus m x y) with r in H.
      assert (H':=H).
      apply (f_equal sign_SF) in H'.
      rewrite sign_FF_B2FF, sign_FF_overflow in H'.
      destruct m; simpl;
        unfold binary_overflow in H;
        simpl in H.
      * destruct r; try easy; destruct n; easy.
      * destruct r; try easy; destruct n; easy.
      * assert (Bsign x = true \/ Bsign x = false) by
            (destruct x ; try destruct s; simpl; auto). {
        destruct H1; rewrite H1 in H', H0, H; simpl in H.
        - split.
          assert (~is_nan r) by
              (destruct r; try easy; destruct n; easy).
          rewrite is_positive_Bsign, H'; easy.
          intro; split.
          destruct r; try easy; destruct n; easy.
          replace (Z.pow_pos 2 sb_pos - 1)%Z with (Z.pos (2 ^ sb_pos - 1)) in H.
          + unfold to_real. rewrite <-min_real_is_F2R, <- SF2R_B2SF, H; auto.
          + rewrite Pos2Z.inj_sub, Pos2Z.inj_pow_pos; auto.
          now apply Pos.pow_gt_1.
        - split.
          destruct r; easy.
          intro.
          assert (~is_nan r) by
              (destruct r; try easy; destruct n; easy).
          rewrite is_positive_Bsign in H2; auto; easy. }
      * assert (Bsign x = true \/ Bsign x = false) by
            (destruct x ; try destruct s; simpl; auto). {
        destruct H1; rewrite H1 in H', H0, H; simpl in H.
        - split.
          intro.
          assert (~is_nan r) by
              (destruct r; try easy; destruct n; easy).
          rewrite is_positive_Bsign in H2; auto. rewrite H' in H2; easy.
          destruct r; try easy; destruct n; easy.
        - split.
          intro; split.
          destruct r; easy.
          replace (Z.pow_pos 2 sb_pos - 1)%Z with (Z.pos (2 ^ sb_pos - 1)) in H.
          + unfold to_real. rewrite <-max_real_is_F2R, <- SF2R_B2SF, H; auto.
          + rewrite Pos2Z.inj_sub, Pos2Z.inj_pow_pos; auto.
            now apply Pos.pow_gt_1.
          + assert (~is_nan r) by
                (destruct r; try easy; destruct n; easy).
            rewrite is_positive_Bsign; easy. }
      * assert (Bsign x = true \/ Bsign x = false) by
            (destruct x ; try destruct s; simpl; auto).
        assert (~is_nan r) by
            (destruct H1, r; try easy; destruct n; easy).
        rewrite is_positive_Bsign; auto. {
        destruct H1; rewrite H1 in H', H0, H; simpl in H.
        - split.
          rewrite H'; easy.
          intro; split.
          destruct r; try easy; destruct n; easy.
          replace (Z.pow_pos 2 sb_pos - 1)%Z with (Z.pos (2 ^ sb_pos - 1)) in H.
          + unfold to_real. rewrite <-min_real_is_F2R, <- SF2R_B2SF, H; auto.
          + rewrite Pos2Z.inj_sub, Pos2Z.inj_pow_pos; auto.
            now apply Pos.pow_gt_1.
        - split.
          + intro; split.
            destruct r; try easy; destruct n; easy.
            replace (Z.pow_pos 2 sb_pos - 1)%Z with (Z.pos (2 ^ sb_pos - 1)) in H.
            * unfold to_real. rewrite <-max_real_is_F2R, <- SF2R_B2SF, H; auto.
            *  rewrite Pos2Z.inj_sub, Pos2Z.inj_pow_pos; auto.
               now apply Pos.pow_gt_1.
           + easy. }
  - destruct H.
    pose proof (Bplus_correct sb emax Hsb' Hemax' m x y H H0).
    destruct (Rlt_le_dec (Rabs (round m (to_real x + to_real y))) (bpow radix2 emax)).
    + rewrite Rlt_bool_true in H1; auto.
      destruct H1 as (h1,(h2,h3)).
      change (Bplus m x y) with r in h1, h2, h3.
      assert (~is_nan r) by (destruct r; easy).
      destruct h as [(h,h')|(h,h')];[left|right];split;auto.
      * rewrite is_positive_Bsign; auto.
        destruct y; try destruct s; destruct x; try destruct s; try easy.
        rewrite Rcompare_Gt in h3; auto.
        assert (0 < B2R (B754_finite false m0 e e0)) by
            (apply non_zero_positive_to_real; easy).
        assert (0 < B2R (B754_finite false m1 e1 e2)) by
            (apply non_zero_positive_to_real; easy).
        lra.
      * rewrite is_negative_Bsign; auto.
        destruct y; try destruct s; destruct x; try destruct s; try easy.
        rewrite Rcompare_Lt in h3; auto.
        assert (B2R (B754_finite true  m0 e e0) < 0) by
            (apply non_zero_negative_to_real; easy).
        assert (B2R (B754_finite true m1 e1 e2) < 0) by
            (apply non_zero_negative_to_real; easy).
        lra.
    + rewrite Rlt_bool_false in H1; auto.
      destruct H1 as (h1,h2).
      change (Bplus m x y) with r in h1.
      destruct (is_nan_dec r).
      destruct x; try destruct s; destruct y; try destruct s; try easy; destruct m;
        unfold binary_overflow in h1; simpl in h1;
          destruct r; try easy; destruct n; easy.

      rewrite is_positive_Bsign; auto.
      rewrite is_negative_Bsign; auto.
      apply (f_equal sign_SF) in h1.
      rewrite sign_FF_B2FF, sign_FF_overflow in h1.
      assert (~is_nan x) by (destruct x; easy).
      rewrite is_positive_Bsign in h; auto.
      rewrite is_negative_Bsign in h; auto.
      destruct h as [(h,h')|(h,h')];rewrite h in h1, h2;[left|right];split;auto.
      rewrite is_positive_Bsign; auto.
      rewrite is_negative_Bsign; auto.
  - intuition.
    unfold sign_zero_result; intro.
    unfold is_zero in H2.
    rewrite eq_zero_iff in H2.
    pose proof (Bplus_correct sb emax Hsb' Hemax' m x y H0 H1).
    destruct (Rlt_dec (Rabs (round m (to_real x + to_real y))) (bpow radix2 emax)) as [r0|r0];
      [rewrite Rlt_bool_true in H4; auto; clear r0|
       rewrite Rlt_bool_false in H4].
    + destruct H4 as (h1,(h2,h)).

      assert (to_real x + to_real y = 0).
      { cut (not (to_real x + to_real y <> 0)).
        lra.
        intros H9.
        apply (round_plus_neq_0 radix2 fexp (round_mode m)) in H9.
        apply H9.
        destruct H2 as [H2|H2]; apply (f_equal to_real) in H2.
        rewrite zeroF_to_real in H2.
        rewrite <-H2; auto.
        assert (is_finite zeroF) as zero_is_finite by easy.
        destruct (neg_finite zeroF zero_is_finite).
        rewrite H5, zeroF_to_real, Ropp_0 in H2.
        rewrite <-H2; auto.
        apply generic_format_B2R.
        apply generic_format_B2R. }

      rewrite Rcompare_Eq in h; auto.
      replace (add m x y) with r in h by auto.

      assert (~is_nan r) by (destruct H2, r; easy).

      destruct x ; try destruct s; destruct y ; try destruct s;
        try (simpl in H; contradict H; now auto);
        try (destruct m; simpl in r; easy);
        simpl in h;
        destruct m; try (rewrite is_positive_Bsign; auto);
          rewrite is_negative_Bsign; auto.

    + destruct H4.
      unfold binary_overflow in H4.
      change (Bplus m x y) with r in H4.
      destruct H2 as [H2|H2]; rewrite H2 in H4; simpl in H4;
        destruct overflow_to_inf in H4; easy.

    + apply Rnot_lt_le; assumption.
Qed.

Lemma no_overflow_or_not: forall m x, no_overflow m x \/ ~ no_overflow m x.
Proof.
  intros m x.
  rewrite no_overflow_Rabs_round_emax.
  destruct (Rlt_dec (Rabs (round m x)) (bpow radix2 emax));[left|right]; assumption.
Qed.

Lemma add_finite_rev_n' : forall (m:mode) (x:t) (y:t),
    is_finite (add m x y) ->
    (no_overflow m ((to_real x) + (to_real y))%R
     /\ to_real (add m x y) = round m ((to_real x) + (to_real y))%R)
    \/ to_real (add m x y) = max_real \/ to_real (add m x y) =-  max_real .
Proof.
intros m x y h1.
destruct (add_finite_rev m x y h1).

destruct (no_overflow_or_not m (to_real x + to_real y));[left|right].

split; [auto|apply add_finite; easy].
destruct (add_special m x y) as (_,(_,(_,(_,(_,(h,_)))))).
assert (is_finite x /\ is_finite y /\ ~ no_overflow m (to_real x + to_real y)) by auto.
apply h in H2; clear h.
destruct H2.
destruct (add m x y); try destruct s; destruct m; simpl in *; try easy;
  try (destruct H3; destruct H4; now auto);
  destruct H3, H3; auto.
Qed.

(* Why3 goal *)
Lemma sub_special :
  forall (m:ieee_float.RoundingMode.mode) (x:t) (y:t),
  let r := sub m x y in
  (is_nan x \/ is_nan y -> is_nan r) /\
  (is_finite x /\ is_infinite y -> is_infinite r /\ diff_sign r y) /\
  (is_infinite x /\ is_finite y -> is_infinite r /\ same_sign r x) /\
  (is_infinite x /\ is_infinite y /\ same_sign x y -> is_nan r) /\
  (is_infinite x /\ is_infinite y /\ diff_sign x y ->
   is_infinite r /\ same_sign r x) /\
  (is_finite x /\
   is_finite y /\ ~ no_overflow m ((to_real x) - (to_real y))%R ->
   same_sign_real r ((to_real x) - (to_real y))%R /\ overflow_value m r) /\
  (is_finite x /\ is_finite y ->
   (diff_sign x y -> same_sign r x) /\
   (~ diff_sign x y -> sign_zero_result m r)).
Proof.
  intros m x y r.
  unfold same_sign, diff_sign, same_sign, same_sign_real.
  split;[intro h|split;[intros (h,h1)|split;[intros (h,h1)|split;[intros (h,(h1,h2))|split;[intros (h,(h1,h2))|split;[intros (h,(h1,h2))|split;[intro h|intro h]]]]]]].
  - destruct x, y; try easy; destruct s, s0; destruct h; easy.
  - destruct x, y; try easy; destruct s, s0; auto; easy.
  - destruct x, y; try easy; destruct s, s0; auto; easy.
  - destruct x, y; try easy; destruct s, s0; destruct h2 as [(h2,h3)|(h2,h3)]; auto; easy.
  - destruct x, y; try easy; destruct s, s0; destruct h2 as [(h2,h3)|(h2,h3)]; auto; easy.
  - rewrite no_overflow_Rabs_round_max_real, Rabs_round_max_real_emax in h2.
    apply Rnot_lt_le in h2.
    pose proof (Bminus_correct sb emax Hsb' Hemax' m x y h h1).
    rewrite Rlt_bool_false in H by auto.
    destruct H.
    split.

    + destruct x, y; try easy.
      * destruct s, s0, m; simpl in H; easy.
      * rewrite B754_zero_to_real at 1 2.
        rewrite Rminus_0_l.
        rewrite <-(@B754_zero_to_real false) at 1 2.
        destruct (neg_finite (B754_finite s0 m0 e e0)) as (_,h3); auto.
        rewrite <-h3.
        destruct s0;[left;split;[easy|]|right;split;[easy|]]; apply lt_finite; easy.
      * rewrite B754_zero_to_real at 1 2.
        rewrite Rminus_0_r.
        rewrite <-(@B754_zero_to_real false) at 1 2.
        destruct s;[right;split;[easy|]|left;split;[easy|]]; apply lt_finite; easy.
      * change (Bminus m (B754_finite s m0 e e0) (B754_finite s0 m1 e1 e2)) with r in H.
        pose proof (sign_FF_overflow m (Bsign (B754_finite s m0 e e0))).
        rewrite <-H in H1.
        rewrite sign_FF_B2FF in H1.
        simpl Bsign at 2 in H1.
        assert (~is_nan r).
        { simpl binary_overflow in H.
          unfold binary_overflow in H.
          destruct overflow_to_inf in H;
            destruct r; try easy;
              destruct n; easy. }

        simpl in H0.
        apply Bool.negb_sym in H0. {

        destruct s; simpl in H0;rewrite H0 in *;[right|left];split.

        - rewrite <-is_negative_Bsign in H1; auto.
        - assert (to_real (B754_finite true m0 e e0) < 0) by
              (apply non_zero_negative_to_real; easy).
          assert (0 < to_real (B754_finite false m1 e1 e2)) by
              (apply non_zero_positive_to_real; easy).
          lra.
        - rewrite <-is_positive_Bsign in H1; auto.
        - assert (0 < to_real (B754_finite false m0 e e0)) by
              (apply non_zero_positive_to_real; easy).
          assert (to_real (B754_finite true m1 e1 e2) < 0) by
              (apply non_zero_negative_to_real; easy).
          lra. }

    + change (Bminus m x y) with r in H.
      assert (H':=H).
      apply (f_equal sign_SF) in H'.
      rewrite sign_FF_B2FF, sign_FF_overflow in H'.
      destruct m; simpl;
        unfold binary_overflow in H;
        simpl in H.
      * destruct r; try easy; destruct n; easy.
      * destruct r; try easy; destruct n; easy.
      * assert (Bsign x = true \/ Bsign x = false) by
            (destruct x ; try destruct s; simpl; auto). {
        destruct H1; rewrite H1 in H', H0, H; simpl in H.
        - split.
          assert (~is_nan r) by
              (destruct r; try easy; destruct n; easy).
          rewrite is_positive_Bsign, H'; easy.
          intro; split.
          destruct r; try easy; destruct n; easy.
          replace (Z.pow_pos 2 sb_pos - 1)%Z with (Z.pos (2 ^ sb_pos - 1)) in H.
          + unfold to_real. rewrite <-min_real_is_F2R, <- SF2R_B2SF, H; auto.
          + rewrite Pos2Z.inj_sub, Pos2Z.inj_pow_pos; auto.
            now apply Pos.pow_gt_1.
        - split.
          destruct r; easy.
          intro.
          assert (~is_nan r) by
              (destruct r; try easy; destruct n; easy).
          rewrite is_positive_Bsign in H2; auto; easy. }
      * assert (Bsign x = true \/ Bsign x = false) by
            (destruct x ; try destruct s; simpl; auto). {
        destruct H1; rewrite H1 in H', H0, H; simpl in H.
        - split.
          intro.
          assert (~is_nan r) by
              (destruct r; try easy; destruct n; easy).
          rewrite is_positive_Bsign in H2; auto. rewrite H' in H2; easy.
          destruct r; try easy; destruct n; easy.
        - split.
          intro; split.
          destruct r; easy.
          replace (Z.pow_pos 2 sb_pos - 1)%Z with (Z.pos (2 ^ sb_pos - 1)) in H.
          + unfold to_real. rewrite <-max_real_is_F2R, <- SF2R_B2SF, H; auto.
          + rewrite Pos2Z.inj_sub, Pos2Z.inj_pow_pos; auto.
              now apply Pos.pow_gt_1.
          + assert (~is_nan r) by
                (destruct r; try easy; destruct n; easy).
            rewrite is_positive_Bsign; easy. }
      * assert (Bsign x = true \/ Bsign x = false) by
            (destruct x ; try destruct s; simpl; auto).
        assert (~is_nan r) by
            (destruct H1, r; try easy; destruct n; easy).
        rewrite is_positive_Bsign; auto. {
        destruct H1; rewrite H1 in H', H0, H; simpl in H.
        - split.
          rewrite H'; easy.
          intro; split.
          destruct r; try easy; destruct n; easy.
          replace (Z.pow_pos 2 sb_pos - 1)%Z with (Z.pos (2 ^ sb_pos - 1)) in H.
          + unfold to_real. rewrite <-min_real_is_F2R, <- SF2R_B2SF, H; auto.
          + rewrite Pos2Z.inj_sub, Pos2Z.inj_pow_pos; auto.
            now apply Pos.pow_gt_1.
        - split.
          + intro; split.
            destruct r; try easy; destruct n; easy.
            replace (Z.pow_pos 2 sb_pos - 1)%Z with (Z.pos (2 ^ sb_pos - 1)) in H.
            * unfold to_real. rewrite <-max_real_is_F2R, <- SF2R_B2SF, H; auto.
            *  rewrite Pos2Z.inj_sub, Pos2Z.inj_pow_pos; auto.
               now apply Pos.pow_gt_1.
          + easy. }
  - destruct H.
    pose proof (Bminus_correct sb emax Hsb' Hemax' m x y H H0).
    destruct (Rlt_le_dec (Rabs (round m (to_real x - to_real y))) (bpow radix2 emax)).
    + rewrite Rlt_bool_true in H1; auto.
      destruct H1 as (h1,(h2,h3)).
      change (Bminus m x y) with r in h1, h2, h3.
      assert (~is_nan r) by (destruct r; easy).
      destruct h as [(h,h')|(h,h')];[left|right];split;auto.
      * rewrite is_positive_Bsign; auto.
        destruct y; try destruct s; destruct x; try destruct s; try easy.
        rewrite Rcompare_Gt in h3; auto.
        assert (B2R (B754_finite true m0 e e0) < 0) by
            (apply non_zero_negative_to_real; easy).
        assert (0 < B2R (B754_finite false m1 e1 e2)) by
            (apply non_zero_positive_to_real; easy).
        lra.
      * rewrite is_negative_Bsign; auto.
        destruct y; try destruct s; destruct x; try destruct s; try easy.
        rewrite Rcompare_Lt in h3; auto.
        assert (0 < B2R (B754_finite false m0 e e0)) by
            (apply non_zero_positive_to_real; easy).
        assert (B2R (B754_finite true m1 e1 e2) < 0) by
            (apply non_zero_negative_to_real; easy).
        lra.
    + rewrite Rlt_bool_false in H1; auto.
      destruct H1 as (h1,h2).
      change (Bminus m x y) with r in h1.
      destruct (is_nan_dec r).
      destruct x; try destruct s; destruct y; try destruct s; try easy; destruct m;
        unfold binary_overflow in h1; simpl in h1;
          destruct r; try easy; destruct n; easy.

      rewrite is_positive_Bsign; auto.
      rewrite is_negative_Bsign; auto.
      apply (f_equal sign_SF) in h1.
      rewrite sign_FF_B2FF, sign_FF_overflow in h1.
      assert (~is_nan x) by (destruct x; easy).
      assert (~is_nan y) by (destruct y; easy).
      rewrite is_positive_Bsign in h,h; auto.
      rewrite is_negative_Bsign in h,h; auto.
      destruct h as [(h,h')|(h,h')];rewrite h in h1, h2;[left|right];split;auto.
      rewrite is_positive_Bsign; auto.
      rewrite is_negative_Bsign; auto.
  - intuition.
    unfold sign_zero_result; intro.
    unfold is_zero in H2.
    rewrite eq_zero_iff in H2.
    pose proof (Bminus_correct sb emax Hsb' Hemax' m x y H0 H1).
    destruct (Rlt_dec (Rabs (round m (to_real x - to_real y))) (bpow radix2 emax)) as [r0|r0];
      [rewrite Rlt_bool_true in H4; auto; clear r0|
       rewrite Rlt_bool_false in H4].
    + destruct H4 as (h1,(h2,h)).

      assert (to_real x - to_real y = 0).
      { cut (not (to_real x - to_real y <> 0)).
        lra.
        intros H9.
        apply (round_plus_neq_0 radix2 fexp (round_mode m)) in H9.
        apply H9.
        destruct H2 as [H2|H2]; apply (f_equal to_real) in H2.
        rewrite zeroF_to_real in H2.
        rewrite <-H2; auto.
        assert (is_finite zeroF) as zero_is_finite by easy.
        destruct (neg_finite zeroF zero_is_finite).
        rewrite H5, zeroF_to_real, Ropp_0 in H2.
        rewrite <-H2; auto.
        apply generic_format_B2R.
        destruct (neg_finite y) as (_,h3); auto; rewrite <-h3.
        apply generic_format_B2R. }

      rewrite Rcompare_Eq in h; auto.
      change (Bminus m x y) with r in h.

      assert (~is_nan r) by (destruct H2, r; easy).

      destruct x ; try destruct s; destruct y ; try destruct s;
        try (simpl in H; contradict H; now auto);
        try (destruct m; simpl in r; easy);
        simpl in h;
        destruct m; try (rewrite is_positive_Bsign; auto);
          rewrite is_negative_Bsign; auto.

    + destruct H4.
      unfold binary_overflow in H4.
      change (Bminus m x y) with r in H4.
      destruct H2 as [H2|H2]; rewrite H2 in H4; simpl in H4;
        destruct overflow_to_inf in H4; easy.

    + apply Rnot_lt_le; assumption.
Qed.

Lemma sub_finite_rev_n' : forall (m:mode) (x:t) (y:t),
    is_finite (sub m x y) ->
    (no_overflow m ((to_real x) - (to_real y))%R
     /\ to_real (sub m x y) = round m ((to_real x) - (to_real y))%R)
    \/ to_real (sub m x y) = max_real \/ to_real (sub m x y) =-  max_real .
Proof.
intros m x y h1.
destruct (sub_finite_rev m x y h1).
destruct (no_overflow_or_not m (to_real x - to_real y));[left|right].
split; [auto|apply sub_finite; easy].
destruct (sub_special m x y) as (_,(_,(_,(_,(_,(h,_)))))).
assert (is_finite x /\ is_finite y /\ ~ no_overflow m (to_real x - to_real y)) by auto.
apply h in H2; clear h.
destruct H2.
destruct (sub m x y); try destruct s; destruct m; simpl in *; try easy;
  try (destruct H3; destruct H4; now auto);
  destruct H3, H3; auto.
Qed.

(* Why3 goal *)
Lemma mul_special :
  forall (m:ieee_float.RoundingMode.mode) (x:t) (y:t),
  let r := mul m x y in
  (is_nan x \/ is_nan y -> is_nan r) /\
  (is_zero x /\ is_infinite y -> is_nan r) /\
  (is_finite x /\ is_infinite y /\ ~ is_zero x -> is_infinite r) /\
  (is_infinite x /\ is_zero y -> is_nan r) /\
  (is_infinite x /\ is_finite y /\ ~ is_zero y -> is_infinite r) /\
  (is_infinite x /\ is_infinite y -> is_infinite r) /\
  (is_finite x /\
   is_finite y /\ ~ no_overflow m ((to_real x) * (to_real y))%R ->
   overflow_value m r) /\
  (~ is_nan r -> product_sign r x y).
Proof.
  intros m x y r.
  unfold product_sign, same_sign, diff_sign.
  intuition.
  - destruct x; easy.
  - destruct x, y; easy.
  - destruct x, y; try destruct s; easy.
  - destruct x, y; try destruct s; try easy; contradict H2; easy.
  - destruct x, y; try destruct s0; easy.
  - destruct x, y; try destruct s0; try easy; contradict H2; easy.
  - destruct x, y; easy.
  - rewrite no_overflow_Rabs_round_max_real, Rabs_round_max_real_emax in H2.
    apply Rnot_lt_le in H2.
    pose proof (Bmult_correct sb emax Hsb' Hemax' m x y).
    rewrite Rlt_bool_false in H1 by auto.
    change (Bmult m x y) with r in H1.
    assert (H1':=H1).
    apply (f_equal sign_SF) in H1'.
    rewrite sign_FF_B2FF, sign_FF_overflow in H1'.
    destruct m; simpl;
      unfold binary_overflow in H1;
      simpl in H1.
    * destruct r; try easy; destruct n; easy.
    * destruct r; try easy; destruct n; easy.
    * assert (Bsign x = true \/ Bsign x = false) by
          (destruct x ; try destruct s; simpl; auto).
      assert (Bsign y = true \/ Bsign y = false) by
          (destruct y; try destruct s; simpl; auto). {
        destruct H3, H4; rewrite H3, H4 in H1', H1; simpl in H1, H1'.
        - split.
          destruct r; easy.
          assert (~is_nan r) by
              (destruct r; try easy; destruct n; easy).
          rewrite is_positive_Bsign, H1'; intro h; contradict h; easy.
        - split.
          assert (~is_nan r) by
              (destruct r; try easy; destruct n; easy).
          rewrite is_positive_Bsign, H1'; intro h; contradict h; easy.
          intro; split.
          destruct r; try easy; destruct n; easy.
          replace (Z.pow_pos 2 sb_pos - 1)%Z with (Z.pos (2 ^ sb_pos - 1)) in H1.
          + unfold to_real. rewrite <-min_real_is_F2R, <- SF2R_B2SF, H1; auto.
          + rewrite Pos2Z.inj_sub, Pos2Z.inj_pow_pos; auto.
            now apply Pos.pow_gt_1.
        - split.
          assert (~is_nan r) by
              (destruct r; try easy; destruct n; easy).
          rewrite is_positive_Bsign, H1'; intro h; contradict h; easy.
          intro; split.
          destruct r; try easy; destruct n; easy.
          replace (Z.pow_pos 2 sb_pos - 1)%Z with (Z.pos (2 ^ sb_pos - 1)) in H1.
          + unfold to_real. rewrite <-min_real_is_F2R, <- SF2R_B2SF, H1; auto.
          + rewrite Pos2Z.inj_sub, Pos2Z.inj_pow_pos; auto.
            now apply Pos.pow_gt_1.
        - split.
          destruct r; easy.
          assert (~is_nan r) by
              (destruct r; try easy; destruct n; easy).
          rewrite is_positive_Bsign, H1'; intro h; contradict h; easy. }
    * assert (Bsign x = true \/ Bsign x = false) by
          (destruct x ; try destruct s; simpl; auto).
      assert (Bsign y = true \/ Bsign y = false) by
          (destruct y; try destruct s; simpl; auto). {
      destruct H3, H4; rewrite H3, H4 in H1', H1; simpl in H1, H1'.
      - split.
        { intro; split.
          destruct r; try easy; destruct n; easy.
          replace (Z.pow_pos 2 sb_pos - 1)%Z with (Z.pos (2 ^ sb_pos - 1)) in H1.
          + unfold to_real. rewrite <-max_real_is_F2R, <- SF2R_B2SF, H1; auto.
          + rewrite Pos2Z.inj_sub, Pos2Z.inj_pow_pos; auto.
            now apply Pos.pow_gt_1. }
        assert (~is_nan r) by
            (destruct r; try easy; destruct n; easy).
        rewrite is_positive_Bsign, H1'; intro h; contradict h; easy.
      - split.
        assert (~is_nan r) by
            (destruct r; try easy; destruct n; easy).
        rewrite is_positive_Bsign, H1'; intro h; contradict h; easy.
        destruct r; try easy; destruct n; easy.
      - split.
        assert (~is_nan r) by
            (destruct r; try easy; destruct n; easy).
        rewrite is_positive_Bsign, H1'; intro h; contradict h; easy.
        destruct r; try easy; destruct n; easy.
      - split.
        { intro; split.
          destruct r; try easy; destruct n; easy.
          replace (Z.pow_pos 2 sb_pos - 1)%Z with (Z.pos (2 ^ sb_pos - 1)) in H1.
          + unfold to_real. rewrite <-max_real_is_F2R, <- SF2R_B2SF, H1; auto.
          + rewrite Pos2Z.inj_sub, Pos2Z.inj_pow_pos; auto.
            now apply Pos.pow_gt_1. }
        assert (~is_nan r) by
            (destruct r; try easy; destruct n; easy).
        rewrite is_positive_Bsign, H1'; intro h; contradict h; easy. }
    * assert (Bsign x = true \/ Bsign x = false) by
          (destruct x ; try destruct s; simpl; auto).
      assert (Bsign y = true \/ Bsign y = false) by
          (destruct y; try destruct s; simpl; auto).
      replace (Z.pow_pos 2 sb_pos - 1)%Z with (Z.pos (2 ^ sb_pos - 1)) in H1.
      { unfold to_real. rewrite <-min_real_is_F2R,<-max_real_is_F2R, <- SF2R_B2SF, H1; auto.
        destruct H3, H4; rewrite H3, H4 in *; simpl in *.
        - split.
          intro; split; [destruct r; easy|auto].
          assert (~is_nan r) by
              (destruct r; try easy; destruct n; easy).
          rewrite is_positive_Bsign, H1'; intro h; contradict h; easy.
        - split.
          assert (~is_nan r) by
              (destruct r; try easy; destruct n; easy).
          rewrite is_positive_Bsign, H1'; intro h; contradict h; easy.
          intro; split; [destruct r; try easy; destruct n; easy|auto].
        - split.
          assert (~is_nan r) by
              (destruct r; try easy; destruct n; easy).
          rewrite is_positive_Bsign, H1'; intro h; contradict h; easy.
          intro; split; [destruct r; try easy; destruct n; easy|auto].
        - split.
          intro; split; [destruct r; easy|auto].
          assert (~is_nan r) by
              (destruct r; try easy; destruct n; easy).
          rewrite is_positive_Bsign, H1'; intro h; contradict h; easy. }
      rewrite Pos2Z.inj_sub, Pos2Z.inj_pow_pos; auto.
      now apply Pos.pow_gt_1.
  - pose proof (Bmult_correct sb emax Hsb' Hemax' m x y).
    destruct (Rlt_le_dec (Rabs (round m (to_real x * to_real y))) (bpow radix2 emax));
    [rewrite Rlt_bool_true in H1; auto| rewrite Rlt_bool_false in H1; auto].
    + destruct H1 as (h1, (h2, h3)).
      rewrite is_positive_Bsign; auto.
      unfold r, mul, Hsb''.
      rewrite h3.
      destruct x; try destruct s; destruct y; try destruct s; easy.
      now apply Bool.not_true_is_false.
    + apply (f_equal sign_SF) in H1.
      rewrite sign_FF_B2FF, sign_FF_overflow in H1.
      rewrite is_positive_Bsign; auto.
      destruct x; try destruct s; destruct y; try destruct s; easy.
  - pose proof (Bmult_correct sb emax Hsb' Hemax' m x y).
    destruct (Rlt_le_dec (Rabs (round m (to_real x * to_real y))) (bpow radix2 emax));
    [rewrite Rlt_bool_true in H1; auto| rewrite Rlt_bool_false in H1; auto].
    + destruct H1 as (h1, (h2, h3)).
      rewrite is_positive_Bsign; auto.
      unfold r, mul, Hsb''.
      rewrite h3.
      destruct x; try destruct s; destruct y; try destruct s; easy.
      now apply Bool.not_true_is_false.
    + apply (f_equal sign_SF) in H1.
      rewrite sign_FF_B2FF, sign_FF_overflow in H1.
      rewrite is_positive_Bsign; auto.
      destruct x; try destruct s; destruct y; try destruct s; easy.
  - pose proof (Bmult_correct sb emax Hsb' Hemax' m x y).
    destruct (Rlt_le_dec (Rabs (round m (to_real x * to_real y))) (bpow radix2 emax));
    [rewrite Rlt_bool_true in H1; auto| rewrite Rlt_bool_false in H1; auto].
    + destruct H1 as (h1, (h2, h3)).
      rewrite is_negative_Bsign; auto.
      unfold r, mul, Hsb''.
      rewrite h3.
      destruct x; try destruct s; destruct y; try destruct s; auto.
      now apply Bool.not_true_is_false.
    + apply (f_equal sign_SF) in H1.
      rewrite sign_FF_B2FF, sign_FF_overflow in H1.
      rewrite is_negative_Bsign; auto.
      destruct x; try destruct s; destruct y; try destruct s; auto.
  - pose proof (Bmult_correct sb emax Hsb' Hemax' m x y).
    destruct (Rlt_le_dec (Rabs (round m (to_real x * to_real y))) (bpow radix2 emax));
    [rewrite Rlt_bool_true in H1; auto| rewrite Rlt_bool_false in H1; auto].
    + destruct H1 as (h1, (h2, h3)).
      rewrite is_negative_Bsign; auto.
      unfold r, mul, Hsb''.
      rewrite h3.
      destruct x; try destruct s; destruct y; try destruct s; auto.
      now apply Bool.not_true_is_false.
    + apply (f_equal sign_SF) in H1.
      rewrite sign_FF_B2FF, sign_FF_overflow in H1.
      rewrite is_negative_Bsign; auto.
      destruct x; try destruct s; destruct y; try destruct s; auto.
Qed.

Lemma mul_finite_rev_n' : forall (m:mode) (x:t) (y:t),
    is_finite (mul m x y) ->
    (no_overflow m ((to_real x) * (to_real y))%R
     /\ to_real (mul m x y) = round m ((to_real x) * (to_real y))%R)
    \/ to_real (mul m x y) = max_real \/ to_real (mul m x y) =-  max_real .
Proof.
intros m x y h1.
destruct (mul_finite_rev m x y h1).
destruct (no_overflow_or_not m (to_real x * to_real y));[left|right].
split; [auto|apply mul_finite; easy].
destruct (mul_special m x y) as (_,(_,(_,(_,(_,(_,(h,_))))))).
assert (is_finite x /\ is_finite y /\ ~ no_overflow m (to_real x * to_real y)) by auto.
apply h in H2; clear h.
destruct (mul m x y); try destruct s; destruct m; simpl in *; try easy;
  try (destruct H2; destruct H3; now auto);
  destruct H2, H2; auto.
Qed.

(* Why3 goal *)
Lemma div_special :
  forall (m:ieee_float.RoundingMode.mode) (x:t) (y:t),
  let r := div m x y in
  (is_nan x \/ is_nan y -> is_nan r) /\
  (is_finite x /\ is_infinite y -> is_zero r) /\
  (is_infinite x /\ is_finite y -> is_infinite r) /\
  (is_infinite x /\ is_infinite y -> is_nan r) /\
  (is_finite x /\
   is_finite y /\
   ~ is_zero y /\ ~ no_overflow m ((to_real x) / (to_real y))%R ->
   overflow_value m r) /\
  (is_finite x /\ is_zero y /\ ~ is_zero x -> is_infinite r) /\
  (is_zero x /\ is_zero y -> is_nan r) /\ (~ is_nan r -> product_sign r x y).
Proof.
  intros m x y r.
  unfold product_sign, same_sign, diff_sign.
  intuition.
  - destruct x; easy.
  - destruct x, y; easy.
  - destruct x, y; try destruct s; easy.
  - destruct x, y; try destruct s; try easy; contradict H2; easy.
  - destruct x, y; try destruct s0; easy.
  - assert (to_real y <> 0) by (rewrite zero_to_real in H1; auto).
    pose proof (Bdiv_correct sb emax Hsb' Hemax' m x y H2).
    rewrite Rlt_bool_false in H4.
    + unfold binary_overflow in H4.
      change (Bdiv m x y) with r in H4; auto.
      destruct m; simpl in *.
      * now destruct r.
      * now destruct r.
      * destruct (xorb (Bsign x) (Bsign y)); simpl in H4. {
          split; intro.
          - destruct r; try destruct s; easy.
          - split; [destruct r; try easy; destruct b, n in H4; easy|].
            apply (f_equal (SF2R radix2)) in H4.
            rewrite SF2R_B2SF in H4.
            simpl in H4.
            replace (Z.pow_pos 2 sb_pos - 1)%Z with (Z.pos (2 ^ sb_pos - 1)) in H4 by
                (rewrite Pos2Z.inj_sub, Pos2Z.inj_pow_pos; auto;
                 now apply Pos.pow_gt_1).
            rewrite <-min_real_is_F2R; assumption. }
        split; intro; [destruct r; easy|].
        destruct r; try easy.
        destruct s; try easy.
        simpl in H5; contradict H5; auto.
      * destruct (xorb (Bsign x) (Bsign y)); simpl in H4. {
        split; intro.
        - destruct r; try destruct s; easy.
        - now destruct r. }
        { split; intro.
          + split;[destruct r; easy|].
            apply (f_equal (SF2R radix2)) in H4.
            rewrite SF2R_B2SF in H4.
            simpl in H4.
            replace (Z.pow_pos 2 sb_pos - 1)%Z with (Z.pos (2 ^ sb_pos - 1)) in H4 by
                (rewrite Pos2Z.inj_sub, Pos2Z.inj_pow_pos; auto;
                 now apply Pos.pow_gt_1).
            rewrite <-max_real_is_F2R; assumption.
          + destruct r; try easy; try (destruct n; easy).
            destruct s; try easy.
            simpl in H5; contradict H5; auto. }
      * { destruct (xorb (Bsign x) (Bsign y)); simpl in H4;
        split; intro.
          - destruct r; try destruct s; easy.
          - split;[destruct r; try destruct s; try easy; destruct n; easy|].
            apply (f_equal (SF2R radix2)) in H4.
            rewrite SF2R_B2SF in H4.
            simpl in H4.
            replace (Z.pow_pos 2 sb_pos - 1)%Z with (Z.pos (2 ^ sb_pos - 1)) in H4 by
                (rewrite Pos2Z.inj_sub, Pos2Z.inj_pow_pos; auto;
                 now apply Pos.pow_gt_1).
            rewrite <-min_real_is_F2R; assumption.
          - split; [destruct r; try easy| ].
            apply (f_equal (SF2R radix2)) in H4.
            rewrite SF2R_B2SF in H4.
            simpl in H4.
            replace (Z.pow_pos 2 sb_pos - 1)%Z with (Z.pos (2 ^ sb_pos - 1)) in H4 by
                (rewrite Pos2Z.inj_sub, Pos2Z.inj_pow_pos; auto;
                 now apply Pos.pow_gt_1).
            rewrite <-max_real_is_F2R; assumption.
          - contradict H5.
            destruct r; try destruct s; easy. }
    + clear H4.
      rewrite no_overflow_Rabs_round_emax in H3.
      apply Rge_le, Rnot_lt_ge; assumption.
  - destruct x, y; try easy.
    rewrite is_zero_B754_zero in H2; destruct H2; exists s; reflexivity.
    rewrite is_zero_B754_zero in H2; destruct H2; exists s; reflexivity.
    rewrite is_zero_B754_zero in H; destruct H; inversion H.
    rewrite is_zero_B754_zero in H; destruct H; inversion H.
  - rewrite is_zero_B754_zero in H0; destruct H0.
    rewrite is_zero_B754_zero in H1; destruct H1.
    destruct x, y; easy.
  - destruct x ; try destruct s; destruct y ; try destruct s; try easy.
    now elim H.
    now elim H.
    set (x:=B754_finite false m0 e e0);
      set (y:=B754_finite false m1 e1 e2); fold x y in r, H0, H2.
    assert (to_real y <> 0).
    { assert (0 < to_real y) by
          (apply non_zero_positive_to_real; easy).
      apply not_eq_sym, Rlt_not_eq; lra. }
    pose proof (Bdiv_correct sb emax Hsb' Hemax' m x y H1).
    destruct (Rlt_le_dec (Rabs (round m (to_real x / to_real y))) (bpow radix2 emax));
      [rewrite Rlt_bool_true in H3|rewrite Rlt_bool_false in H3];auto.
    + destruct H3 as (_,(_,h)).
      rewrite is_positive_Bsign; auto.
      unfold r, div, Hsb''.
      rewrite h.
      easy.
      now apply Bool.not_true_is_false.
    + apply (f_equal sign_SF) in H3.
      rewrite sign_FF_B2FF, sign_FF_overflow in H3.
      rewrite is_positive_Bsign; auto.
  - destruct x ; try destruct s; destruct y ; try destruct s; try easy.
    now elim H.
    now elim H.
    set (x:=B754_finite true m0 e e0);
      set (y:=B754_finite true m1 e1 e2); fold x y in r, H0, H2.
    assert (to_real y <> 0).
    { assert (to_real y < 0) by
          (apply non_zero_negative_to_real; easy).
      apply Rlt_not_eq; lra. }
    pose proof (Bdiv_correct sb emax Hsb' Hemax' m x y H1).
    destruct (Rlt_le_dec (Rabs (round m (to_real x / to_real y))) (bpow radix2 emax));
      [rewrite Rlt_bool_true in H3|rewrite Rlt_bool_false in H3];auto.
    + destruct H3 as (_,(_,h)).
      rewrite is_positive_Bsign; auto.
      unfold r, div, Hsb''.
      rewrite h.
      easy.
      now apply Bool.not_true_is_false.
    + apply (f_equal sign_SF) in H3.
      rewrite sign_FF_B2FF, sign_FF_overflow in H3.
      rewrite is_positive_Bsign; auto.
  - destruct x ; try destruct s; destruct y ; try destruct s; try easy.
    now elim H.
    now elim H.
    set (x:=B754_finite false m0 e e0);
      set (y:=B754_finite true m1 e1 e2); fold x y in r, H0, H2.
    assert (to_real y <> 0).
    { assert (to_real y < 0) by
          (apply non_zero_negative_to_real; easy).
      apply Rlt_not_eq; lra. }
    pose proof (Bdiv_correct sb emax Hsb' Hemax' m x y H1).
    destruct (Rlt_le_dec (Rabs (round m (to_real x / to_real y))) (bpow radix2 emax));
      [rewrite Rlt_bool_true in H3|rewrite Rlt_bool_false in H3];auto.
    + destruct H3 as (_,(_,h)).
      rewrite is_negative_Bsign; auto.
      unfold r, div, Hsb''.
      rewrite h.
      easy.
      now apply Bool.not_true_is_false.
    + apply (f_equal sign_SF) in H3.
      rewrite sign_FF_B2FF, sign_FF_overflow in H3.
      rewrite is_negative_Bsign; auto.
  - destruct x; try destruct s; destruct y; try destruct s; try easy.
    now elim H.
    now elim H.
    set (x:=B754_finite true m0 e e0);
      set (y:=B754_finite false m1 e1 e2); fold x y in r, H0, H2.
    assert (to_real y <> 0).
    { assert (0 < to_real y) by
          (apply non_zero_positive_to_real; easy).
      apply not_eq_sym, Rlt_not_eq; lra. }
    pose proof (Bdiv_correct sb emax Hsb' Hemax' m x y H1).
    destruct (Rlt_le_dec (Rabs (round m (to_real x / to_real y))) (bpow radix2 emax));
      [rewrite Rlt_bool_true in H3|rewrite Rlt_bool_false in H3];auto.
    + destruct H3 as (_,(_,h)).
      rewrite is_negative_Bsign; auto.
      unfold r, div, Hsb''.
      rewrite h.
      easy.
      now apply Bool.not_true_is_false.
    + apply (f_equal sign_SF) in H3.
      rewrite sign_FF_B2FF, sign_FF_overflow in H3.
      rewrite is_negative_Bsign; auto.
Qed.

(* Why3 goal *)
Lemma neg_special :
  forall (x:t),
  (is_nan x -> is_nan (neg x)) /\
  (is_infinite x -> is_infinite (neg x)) /\
  (~ is_nan x -> diff_sign x (neg x)).
Proof.
  intros x.
  split; [|split]; intro.
  - destruct x; easy.
  - destruct x; easy.
  - unfold diff_sign.
    destruct x.
    destruct s;[right|left]; easy.
    destruct s;[right|left]; easy.
    contradict H; easy.
    destruct s;[right|left]; easy.
Qed.

(* Why3 goal *)
Lemma abs_special :
  forall (x:t),
  (is_nan x -> is_nan (abs x)) /\
  (is_infinite x -> is_infinite (abs x)) /\
  (~ is_nan x -> is_positive (abs x)).
Proof.
  intros x.
  split;[|split];intro.
  - destruct x; easy.
  - destruct x; easy.
  - destruct x; try easy.
    contradict H; easy.
Qed.

(* add to theory ? *)
Lemma abs_le_inv: forall {x y}, le (abs x) y -> le (neg y) x /\ le x y.
Proof.
  intros x y.
  destruct (Finite_Infinite_Nan_dec y) as [[hy|hy]|hy].
  + destruct (Finite_Infinite_Nan_dec x) as [[hx|hx]|hx].

    * pose proof (is_finite_abs _ hx).
      destruct (neg_finite _ hy).
      rewrite (le_to_real (abs x) y) by auto.
      rewrite (le_to_real (neg y) x) by auto.
      rewrite le_to_real by auto.
      rewrite H1 by auto.
      destruct (abs_finite _ hx) as (_,(u,_)).
      rewrite u.
      apply Rabs_le_inv.

    * intros a.
      pose proof (abs_special x) as (_,(b,_)); pose proof (b hx); clear b.
      destruct (le_special _ _ a) as [H1|[H1|H1]].
      - destruct x; easy.
      - unfold is_minus_infinity in H1.
        destruct H1, H1, x, y; try easy; destruct b0, b1; easy.
      - destruct y; unfold is_plus_infinity in H1; easy.

    * intros a.
      pose proof (abs_special x) as (b,_); pose proof (b hx); clear b.
      destruct (le_special _ _ a) as [H1|[H1|H1]];
        unfold is_minus_infinity, is_not_nan in H1;
        destruct (abs x), H1; easy.

  + intros a.

    destruct (Finite_Infinite_Nan_dec x) as [[hx|hx]|hx].
    * pose proof (is_finite_abs _ hx).
      destruct (le_special _ _ a) as [H1|[H1|H1]].
      - destruct y; easy.
      - unfold is_minus_infinity in H1; destruct x; easy.
      - destruct y, H1; try easy.
        unfold is_plus_infinity in H1; destruct s; try easy.
        destruct x ; try destruct s; split; easy.
    * unfold Bcompare.
      destruct x, y; try easy; destruct s, s0; simpl; split; auto; easy.
    * now destruct x.
  + intros a.
    destruct y; unfold le, Bcompare in a; try easy.
    destruct x; try destruct s0; split; easy.
Qed.

(* Why3 goal *)
Lemma fma_special :
  forall (m:ieee_float.RoundingMode.mode) (x:t) (y:t) (z:t),
  let r := fma m x y z in
  (is_nan x \/ is_nan y \/ is_nan z -> is_nan r) /\
  (is_zero x /\ is_infinite y -> is_nan r) /\
  (is_infinite x /\ is_zero y -> is_nan r) /\
  (is_finite x /\ ~ is_zero x /\ is_infinite y /\ is_finite z ->
   is_infinite r /\ product_sign r x y) /\
  (is_finite x /\ ~ is_zero x /\ is_infinite y /\ is_infinite z ->
   (product_sign z x y -> is_infinite r /\ same_sign r z) /\
   (~ product_sign z x y -> is_nan r)) /\
  (is_infinite x /\ is_finite y /\ ~ is_zero y /\ is_finite z ->
   is_infinite r /\ product_sign r x y) /\
  (is_infinite x /\ is_finite y /\ ~ is_zero y /\ is_infinite z ->
   (product_sign z x y -> is_infinite r /\ same_sign r z) /\
   (~ product_sign z x y -> is_nan r)) /\
  (is_infinite x /\ is_infinite y /\ is_finite z ->
   is_infinite r /\ product_sign r x y) /\
  (is_finite x /\ is_finite y /\ is_infinite z ->
   is_infinite r /\ same_sign r z) /\
  (is_infinite x /\ is_infinite y /\ is_infinite z ->
   (product_sign z x y -> is_infinite r /\ same_sign r z) /\
   (~ product_sign z x y -> is_nan r)) /\
  (is_finite x /\
   is_finite y /\
   is_finite z /\
   ~ no_overflow m (((to_real x) * (to_real y))%R + (to_real z))%R ->
   same_sign_real r (((to_real x) * (to_real y))%R + (to_real z))%R /\
   overflow_value m r) /\
  (is_finite x /\ is_finite y /\ is_finite z ->
   (product_sign z x y -> same_sign r z) /\
   (~ product_sign z x y ->
    ((((to_real x) * (to_real y))%R + (to_real z))%R = 0%R) ->
    ((m = ieee_float.RoundingMode.RTN) -> is_negative r) /\
    (~ (m = ieee_float.RoundingMode.RTN) -> is_positive r))).
Proof.
intros m x y z r.
Admitted.

Lemma fma_finite_rev_n' : forall (m:mode) (x:t) (y:t) (z:t),
    is_finite (fma m x y z) ->
    (no_overflow m (to_real x * to_real y + to_real z)%R
     /\ to_real (fma m x y z) = round m (to_real x * to_real y + to_real z)%R)
    \/ to_real (fma m x y z) = max_real \/ to_real (fma m x y z) =-  max_real .
Proof.
intros m x y z h1.
destruct (fma_finite_rev m x y z h1) as (H,(H0,H1)).

destruct (no_overflow_or_not m (to_real x * to_real y + to_real z));[left|right].

split; [auto|apply fma_finite; easy].
destruct (fma_special m x y z) as (_,(_,(_,(_,(_,(_,(_,(_,(_,(_,(h,_))))))))))).
assert (is_finite x /\ is_finite y /\ is_finite z /\ ~ no_overflow m (to_real x * to_real y + to_real z)) by auto.
apply h in H3; clear h.
destruct (fma m x y z); try destruct s; destruct m; simpl in *; try easy;
  try (destruct H3; destruct H4; destruct H4; now auto);
  destruct H3; destruct H4; destruct H5; auto.
Qed.

(* Why3 goal *)
Lemma sqrt_special :
  forall (m:ieee_float.RoundingMode.mode) (x:t),
  let r := sqrt m x in
  (is_nan x -> is_nan r) /\
  (is_plus_infinity x -> is_plus_infinity r) /\
  (is_minus_infinity x -> is_nan r) /\
  (is_finite x /\ ((to_real x) < 0%R)%R -> is_nan r) /\
  (is_zero x -> same_sign r x) /\
  (is_finite x /\ (0%R < (to_real x))%R -> is_positive r).
Proof.
  intros m x r.
  unfold sqrt in r.
  intuition.
  - destruct x; easy.
  - unfold is_plus_infinity in *.
    destruct x ; try destruct s; easy.
  - unfold is_minus_infinity in H.
    destruct x ; try destruct s; easy.
  - destruct x ; try destruct s; try easy.
    rewrite B754_zero_to_real in H1; lra.
    rewrite B754_zero_to_real in H1; lra.
    apply (to_real_negative _ H0) in H1.
    rewrite is_negative_Bsign in H1 by easy.
    easy.
  - unfold same_sign.
    rewrite is_zero_B754_zero in H; destruct H.
    destruct x; try easy.
    destruct s;[right|left];split;auto.
    simpl in r; unfold r; auto.
    simpl in r; unfold r; auto.
  - destruct (Bsqrt_correct sb emax Hsb' Hemax' m x) as (_,(h1,h2));
      fold r in h1, h2.
    destruct x; try easy.
    rewrite B754_zero_to_real in H1 at 1; lra.
    apply (to_real_positive _ H0) in H1.
    rewrite is_positive_Bsign in H1 by easy.
    simpl in H1.
    destruct s; try easy.
    assert (not (is_nan r)) by (destruct r; easy).
    rewrite (is_positive_Bsign _ H).
    apply h2.
    now apply Bool.not_true_is_false.
Qed.

Lemma in_int_range_no_overflow : forall m {i}, in_int_range i -> no_overflow m (IZR i).
Proof.
  intros m i h.
  apply Bounded_real_no_overflow.
  unfold in_int_range in h.
  unfold in_range.
  rewrite max_real_int, <- FromInt.Neg.
  pose proof pow2sb_lt_max_int.
  split; apply IZR_le; auto with zarith.
Qed.

(* Why3 goal *)
Lemma of_int_add_exact :
  forall (m:ieee_float.RoundingMode.mode) (n:ieee_float.RoundingMode.mode)
    (i:Numbers.BinNums.Z) (j:Numbers.BinNums.Z),
  in_safe_int_range i -> in_safe_int_range j ->
  in_safe_int_range (i + j)%Z ->
  eq (of_int m (i + j)%Z) (add n (of_int m i) (of_int m j)).
Proof.
  intros m n i j h1 h2 h3.
  assert (h1':= in_safe_int_range_no_overflow m h1).
  assert (h2':= in_safe_int_range_no_overflow m h2).
  assert (h3':= in_safe_int_range_no_overflow n h3).
  assert (h3'':= in_safe_int_range_no_overflow m h3).
  assert (is_finite (of_int m i)) by (apply of_int_correct; assumption).
  assert (is_finite (of_int m j)) by (apply of_int_correct; assumption).
  assert (is_finite (of_int n (i+j)%Z)) by (apply of_int_correct; assumption).
  assert (is_finite (of_int m (i+j)%Z)) by (apply of_int_correct; assumption).
  destruct (of_int_correct h1') as (f,_).
  destruct (of_int_correct h2') as (g,_).
  destruct (add_finite n (of_int m i) (of_int m j)); auto.
  simpl; rewrite f, g, Exact_rounding_for_integers, Exact_rounding_for_integers; auto.
  rewrite <-plus_IZR; assumption.
  destruct (of_int_correct h3'') as (h,_).
  rewrite to_real_eq, H4, f, g, h; auto.
  repeat rewrite Exact_rounding_for_integers; auto.
  rewrite <-plus_IZR, Exact_rounding_for_integers; auto; reflexivity.
Qed.

(* Why3 goal *)
Lemma of_int_sub_exact :
  forall (m:ieee_float.RoundingMode.mode) (n:ieee_float.RoundingMode.mode)
    (i:Numbers.BinNums.Z) (j:Numbers.BinNums.Z),
  in_safe_int_range i -> in_safe_int_range j ->
  in_safe_int_range (i - j)%Z ->
  eq (of_int m (i - j)%Z) (sub n (of_int m i) (of_int m j)).
Proof.
  intros m n i j h1 h2 h3.
  assert (h1':= in_safe_int_range_no_overflow m h1).
  assert (h2':= in_safe_int_range_no_overflow m h2).
  assert (h3':= in_safe_int_range_no_overflow n h3).
  assert (h3'':= in_safe_int_range_no_overflow m h3).
  assert (is_finite (of_int m i)) by (apply of_int_correct; assumption).
  assert (is_finite (of_int m j)) by (apply of_int_correct; assumption).
  assert (is_finite (of_int n (i-j)%Z)) by (apply of_int_correct; assumption).
  assert (is_finite (of_int m (i-j)%Z)) by (apply of_int_correct; assumption).
  destruct (of_int_correct h1') as (f,_).
  destruct (of_int_correct h2') as (g,_).
  destruct (sub_finite n (of_int m i) (of_int m j)); auto.
  simpl; rewrite f, g, Exact_rounding_for_integers, Exact_rounding_for_integers; auto.
  rewrite <-minus_IZR; assumption.
  destruct (of_int_correct h3'') as (h,_).
  rewrite to_real_eq, H4, f, g, h; auto.
  repeat rewrite Exact_rounding_for_integers; auto.
  rewrite <-minus_IZR, Exact_rounding_for_integers; auto; reflexivity.
Qed.

(* Why3 goal *)
Lemma of_int_mul_exact :
  forall (m:ieee_float.RoundingMode.mode) (n:ieee_float.RoundingMode.mode)
    (i:Numbers.BinNums.Z) (j:Numbers.BinNums.Z),
  in_safe_int_range i -> in_safe_int_range j ->
  in_safe_int_range (i * j)%Z ->
  eq (of_int m (i * j)%Z) (mul n (of_int m i) (of_int m j)).
Proof.
  intros m n i j h1 h2 h3.
  assert (h1':= in_safe_int_range_no_overflow m h1).
  assert (h2':= in_safe_int_range_no_overflow m h2).
  assert (h3':= in_safe_int_range_no_overflow n h3).
  assert (h3'':= in_safe_int_range_no_overflow m h3).
  assert (is_finite (of_int m i)) by (apply of_int_correct; assumption).
  assert (is_finite (of_int m j)) by (apply of_int_correct; assumption).
  assert (is_finite (of_int n (i*j)%Z)) by (apply of_int_correct; assumption).
  assert (is_finite (of_int m (i*j)%Z)) by (apply of_int_correct; assumption).
  destruct (of_int_correct h1') as (f,_).
  destruct (of_int_correct h2') as (g,_).
  destruct (mul_finite n (of_int m i) (of_int m j)); auto.
  simpl; rewrite f, g,
         Exact_rounding_for_integers, Exact_rounding_for_integers; auto.
  rewrite <-mult_IZR; assumption.
  destruct (of_int_correct h3'') as (h,_).
  rewrite to_real_eq, H4, f, g, h; auto.
  repeat rewrite Exact_rounding_for_integers; auto.
  rewrite <-mult_IZR, Exact_rounding_for_integers; auto; reflexivity.
Qed.

(* Why3 goal *)
Lemma Min_r : forall (x:t) (y:t), le y x -> eq (min x y) y.
Proof.
intros x y h1.
unfold min.
apply le_correct in h1.
destruct h1;
pose (Bcompare_swap _ _ y x);
rewrite H in e;
unfold min; rewrite e; simpl.
apply (eq_not_nan_refl (proj1 (lt_not_nan H))).
apply (eq_not_nan_refl (proj1 (eq_not_nan H))).
Qed.

(* Why3 goal *)
Lemma Min_l : forall (x:t) (y:t), le x y -> eq (min x y) x.
Proof.
intros x y h1.
apply le_correct in h1.
destruct h1; unfold min; rewrite H; simpl.
apply (eq_not_nan_refl (proj1 (lt_not_nan H))).
pose (Bcompare_swap _ _ x y); rewrite H in e; apply e.
Qed.

(* Why3 goal *)
Lemma Max_r : forall (x:t) (y:t), le y x -> eq (max x y) x.
Proof.
intros x y h1.
apply le_correct in h1.
destruct h1;
pose (Bcompare_swap _ _ y x);
rewrite H in e;
unfold max; rewrite e; simpl.
apply (eq_not_nan_refl (proj2 (lt_not_nan H))).
apply (eq_not_nan_refl (proj2 (eq_not_nan H))).
Qed.

(* Why3 goal *)
Lemma Max_l : forall (x:t) (y:t), le x y -> eq (max x y) y.
Proof.
intros x y h1.
apply le_correct in h1.
destruct h1; unfold max; rewrite H; simpl.
apply (eq_not_nan_refl (proj2 (lt_not_nan H))).
apply H.
Qed.

Definition is_intR: R -> Prop.
Proof.
 exact (fun x => x = IZR (Zfloor x)).
Defined.

Lemma is_intR_equiv: forall {x}, (exists i:int, x = IZR i) -> is_intR x.
Proof.
  unfold is_intR.
  intros x h; destruct h.
  rewrite H, Zfloor_IZR; reflexivity.
Qed.

Lemma is_intR_IZR: forall i, is_intR (IZR i).
Proof.
  intro i; apply is_intR_equiv; exists i; reflexivity.
Qed.

Lemma is_intR_FIX_format: forall {x}, is_intR x <-> FIX_format radix2 0%Z x.
Proof.
  intro x; split; intro.
  exists ({| Fnum := Zfloor x; Fexp := 0 |}); simpl; auto.
  unfold F2R, Fnum, Fexp; simpl.
  rewrite Rmult_1_r; assumption.
  destruct H.
  unfold F2R in H.
  rewrite H0 in H; simpl in H.
  rewrite Rmult_1_r in H.
  apply is_intR_equiv.
  exists (Fnum f); assumption.
Qed.

Lemma is_intR_round: forall {x m}, is_intR x -> is_intR (round m x).
Proof.
  intros x m h.
  rewrite is_intR_FIX_format.
  apply FIX_format_generic.
  apply generic_round_generic.
  apply FIX_exp_valid.
  apply fexp_Valid.
  apply valid_rnd_round_mode.
  apply generic_format_FIX.
  rewrite <-is_intR_FIX_format; assumption.
Qed.

(* Why3 goal *)
Definition is_int : t -> Prop.
Proof.
 exact (fun x => is_finite x /\ is_intR (to_real x)).
Defined.

Hint Unfold is_int.

Lemma is_int_or_not: forall (x:t), is_int x \/ ~ is_int x.
Proof.
  intro x.
  destruct x.
  - left.
    split.
    easy.
    rewrite B754_zero_to_real.
    unfold is_intR.
    rewrite Zfloor_IZR; auto.
  - right; intro h; destruct h; easy.
  - right; intro h; destruct h; easy.
  - set (x := (B754_finite s m e e0)).
    unfold is_int, is_intR.
    destruct (Req_dec (to_real x) (IZR (floor (to_real x)))).
    left.
    rewrite H, Zfloor_IZR; easy.
    right.
    intro h; destruct h; auto.
Qed.

Lemma Bmax_rep_int_is_int: is_int Bmax_rep_int.
Proof.
  split. easy.
  rewrite Bmax_rep_int_to_real.
  apply is_intR_IZR.
Qed.

Lemma B754_zero_is_int : forall {b}, (is_int (B754_zero b)).
Proof.
  split. easy.
  rewrite B754_zero_to_real.
  unfold is_intR.
  now rewrite Zfloor_IZR.
Qed.

Lemma max_value_is_int : is_int max_value.
Proof.
  split. easy.
  unfold is_intR.
  rewrite max_value_to_real, max_real_int.
  rewrite Floor_int.
  reflexivity.
Qed.

(* TODO: add to theory *)
Lemma neg_is_int : forall {x}, is_int x -> is_int (neg x).
Proof.
  intros x (h,g).
  destruct (neg_finite _ h).
  split; auto.
  rewrite H0.
  rewrite g.
  unfold is_intR.
  rewrite <- opp_IZR at 2.
  rewrite Zfloor_IZR.
  symmetry; apply opp_IZR.
Qed.

(* Why3 goal *)
Lemma zeroF_is_int : is_int zeroF.
Proof.
  apply B754_zero_is_int.
Qed.

(* Why3 goal *)
Lemma of_int_is_int :
  forall (m:ieee_float.RoundingMode.mode) (x:Numbers.BinNums.Z),
  in_int_range x -> is_int (of_int m x).
Proof.
  intros m x (h1,h2).
  assert (no_overflow m (IZR x)) as h3.
  apply Bounded_real_no_overflow.
  unfold in_range.
  rewrite max_real_int.
  rewrite <-opp_IZR.
  split; apply IZR_le; assumption.
  destruct (of_int_correct h3) as (h4,(h5,_)).
  split; auto.
  rewrite h4.
  apply is_intR_round.
  apply is_intR_IZR.
Qed.

Lemma int_to_real_ : forall {m:mode} {x:t}, (is_int x) ->
  ((to_real x) = (BuiltIn.IZR (to_int m x))).
Proof.
intros m x h1.
destruct h1.
assert (is_intR (to_real x)) by assumption.
unfold is_intR in H0.
unfold to_int.
fold (to_real x).
case m;
  [auto|
   destruct valid_rnd_NA|
   destruct valid_rnd_UP|
   destruct valid_rnd_DN|
   destruct valid_rnd_ZR]; rewrite H0;
rewrite Zrnd_IZR; try easy.
apply valid_rnd_N.
Qed.

(* TODO: add to theory? *)
Lemma neg_int_to_int : forall {x} {m:mode}, is_int x -> to_int m (neg x) = (- (to_int m x))%Z.
Proof.
  intros x m h.
  apply eq_IZR.
  rewrite FromInt.Neg, <-(int_to_real_ h), <-(int_to_real_ (neg_is_int h)).
  destruct h.
  apply neg_finite; auto.
Qed.

Lemma Bmax_rep_int_to_int: forall {m}, to_int m Bmax_rep_int = pow2sb.
Proof.
  intro m.
  apply eq_IZR.
  rewrite <-int_to_real_.
  apply Bmax_rep_int_to_real.
  apply Bmax_rep_int_is_int.
Qed.

Lemma pow2sb_finite : forall (m:mode), is_finite (of_int m pow2sb).
Proof.
  intro.
  apply of_int_correct.
  apply Bounded_real_no_overflow.
  apply rep_int_in_range.
  split; auto with zarith.
  unfold pow2sb.
  assert (0 <= 2 ^ sb)%Z by (apply Z.pow_nonneg; auto with zarith).
  auto with zarith.
Qed.

Lemma Bmax_rep_int_of_int: forall {m:mode}, Bmax_rep_int = of_int m pow2sb.
Proof.
  intro m.
  pose proof pow2sb_finite.
  apply feq_eq; try easy.
  rewrite to_real_eq; try easy.

  assert (- pow2sb <= pow2sb <= pow2sb)%Z.
  split; auto with zarith.
  assert (0 < pow2sb)%Z.
  apply (Z.pow_pos_nonneg 2 sb).
  easy.
  apply Z.lt_le_incl, Hsb'.
  auto with zarith.

  destruct (@of_int_correct m pow2sb) as (f,_); auto.
  apply Bounded_real_no_overflow.
  apply rep_int_in_range; auto.

  rewrite f, Bmax_rep_int_to_real.
  symmetry.
  apply Exact_rounding_for_integers; auto.
Qed.

(* Why3 goal *)
Lemma big_float_is_int :
  forall (m:ieee_float.RoundingMode.mode) (i:t), is_finite i ->
  le i (neg (of_int m pow2sb)) \/ le (of_int m pow2sb) i -> is_int i.
Proof.
  intros m i h1 h2.
  destruct i; try easy.
  apply B754_zero_is_int.
  split; auto.
  rewrite <-Bmax_rep_int_of_int in h2.
  unfold to_real, B2R, F2R,Fnum,Fexp.

  assert (1 <= e)%Z.
  { unfold le, Bcompare in h2; simpl SpecFloat.SFcompare in h2.
    destruct s.
    destruct h2 as [h2|h2]. 2: easy.
    destruct (Z_lt_le_dec e 1%Z); auto.
    rewrite Zcompare_Lt in h2; auto.
    easy.
    destruct h2 as [h2|h2]. easy.
    destruct e; try easy.
    pose proof (Pos2Z.is_pos p).
    auto with zarith. }

  rewrite <- IZR_Zpower by auto with zarith.
  rewrite <- mult_IZR.
  apply is_intR_IZR.
Qed.

Lemma max_value_to_int : forall m, to_int m max_value = max_int.
Proof.
  intro m.
  apply eq_IZR.
  rewrite <-max_real_int, <-int_to_real_, max_value_to_real.
  reflexivity.
  unfold is_int.

  apply max_value_is_int.
Qed.

Lemma neg_to_int_max_value : forall {m}, (- to_int m max_value)%Z = to_int m (neg max_value).
Proof.
  intro m.
  destruct (valid_rnd_round_mode m).
  pose proof max_value_is_int as H.
  pose proof (neg_is_int H).
  apply eq_IZR.
  rewrite Ropp_Ropp_IZR.
  rewrite <-int_to_real_, <-int_to_real_  by auto.
  now destruct (neg_finite max_value) as (_,h).
Qed.

Lemma is_finite_range_to_int : forall {x} m, (is_finite x) -> (in_range (IZR (to_int m x))).
Proof.
  intros x m h1.
  apply Rabs_le_inv.
  rewrite Abs.Abs_le, max_real_int, <-opp_IZR, <-(max_value_to_int m), neg_to_int_max_value.

  pose proof (bounded_floats_le _ h1).
  pose proof (abs_le_inv H) as (H1,H2).
  now split; apply IZR_le; apply to_int_le.
Qed.

Lemma is_finite_to_int: forall {x} (m1 m2:mode), is_finite x -> no_overflow m1 (IZR (to_int m2 x)).
Proof.
  intros x m1 m2 h;
  apply (Bounded_real_no_overflow m1 _ (is_finite_range_to_int m2 h)).
Qed.

Lemma is_finite_to_int2: forall {x} m, is_finite x -> (- max_int <= to_int m x <= max_int)%Z.
Proof.
  intros x m h.
  rewrite <-(@max_value_to_int m).
  rewrite (@neg_to_int_max_value m).
  pose proof (bounded_floats_le _ h).
  apply abs_le_inv in H.
  destruct H.
  now split; apply to_int_le.
Qed.

Lemma roundToIntegral_finite: forall m {x}, is_finite x -> is_finite (roundToIntegral m x).
Proof.
  intros m x h; destruct x; auto.
  unfold roundToIntegral.
  destruct Z.eq_dec; auto.
  apply of_int_correct.
  apply (is_finite_to_int RTZ m h).
Qed.

(* Why3 goal *)
Lemma roundToIntegral_is_int :
  forall (m:ieee_float.RoundingMode.mode) (x:t), is_finite x ->
  is_int (roundToIntegral m x).
Proof.
  intros m x h1.
  destruct x; try easy.
  + apply zeroF_is_int.
  + simpl.
    destruct Z.eq_dec.
    split;[apply h1|].
    simpl; unfold is_intR.
    now rewrite Zfloor_IZR.
    change (is_int (of_int RTZ (to_int m (B754_finite s m0 e e0)))).
    apply of_int_is_int.
    apply is_finite_to_int2.
    assumption.
Qed.

(* Why3 goal *)
Lemma eq_is_int : forall (x:t) (y:t), eq x y -> is_int x -> is_int y.
Proof.
  intros x y h1 (h2,h3).
  unfold is_int.
  split; [apply (eq_finite_dist h1); auto|].
  unfold is_intR in *.
  apply to_real_eq_alt in h1.
  rewrite h1 in *; assumption.
Qed.

(* Why3 goal *)
Lemma add_int :
  forall (x:t) (y:t) (m:ieee_float.RoundingMode.mode), is_int x ->
  is_int y -> is_finite (add m x y) -> is_int (add m x y).
Proof.
intros x y m (h1,h1') (h2,h2') h3.
destruct (add_finite_rev_n' m x y h3).
+ destruct H.
  unfold is_int.
  split; auto.
  rewrite H0.
  apply is_intR_round.
  apply is_intR_equiv.
  exists (floor (to_real x) + floor (to_real y))%Z.
  unfold is_intR in h1', h2'; rewrite h1', h2' at 1.
  symmetry; apply plus_IZR.
+ split; auto.
  rewrite max_real_int in H.
  destruct H; apply is_intR_equiv.
  exists max_int; assumption.
  exists (- max_int)%Z.
  now rewrite opp_IZR.
Qed.

(* Why3 goal *)
Lemma sub_int :
  forall (x:t) (y:t) (m:ieee_float.RoundingMode.mode), is_int x ->
  is_int y -> is_finite (sub m x y) -> is_int (sub m x y).
Proof.
intros x y m (h1,h1') (h2,h2') h3.
destruct (sub_finite_rev_n' m x y h3).
+ destruct H.
  unfold is_int.
  split; auto.
  rewrite H0.
  apply is_intR_round.
  apply is_intR_equiv.
  exists (floor (to_real x) - floor (to_real y))%Z.
  unfold is_intR in h1', h2'; rewrite h1', h2' at 1.
  symmetry; apply minus_IZR.
+ split; auto.
  rewrite max_real_int in H.
  destruct H; apply is_intR_equiv.
  exists max_int; assumption.
  exists (- max_int)%Z.
  now rewrite opp_IZR.
Qed.

(* Why3 goal *)
Lemma mul_int :
  forall (x:t) (y:t) (m:ieee_float.RoundingMode.mode), is_int x ->
  is_int y -> is_finite (mul m x y) -> is_int (mul m x y).
Proof.
intros x y m (h1,h1') (h2,h2') h3.
destruct (mul_finite_rev_n' m x y h3).
+ destruct H.
  unfold is_int.
  split; auto.
  rewrite H0.
  apply is_intR_round.
  apply is_intR_equiv.
  exists (floor (to_real x) * floor (to_real y))%Z.
  unfold is_intR in h1', h2'; rewrite h1', h2' at 1.
  symmetry; apply mult_IZR.
+ split; auto.
  rewrite max_real_int in H.
  destruct H; apply is_intR_equiv.
  exists max_int; assumption.
  exists (- max_int)%Z.
  now rewrite opp_IZR.
Qed.

(* Why3 goal *)
Lemma fma_int :
  forall (x:t) (y:t) (z:t) (m:ieee_float.RoundingMode.mode), is_int x ->
  is_int y -> is_int z -> is_finite (fma m x y z) -> is_int (fma m x y z).
Proof.
intros x y z m (h1,h1') (h2,h2') (h3,h3') h4.
destruct (fma_finite_rev_n' m x y z h4).
+ destruct H.
  unfold is_int.
  split; auto.
  rewrite H0.
  apply is_intR_round.
  apply is_intR_equiv.
  exists (floor (to_real x) * floor (to_real y) + floor (to_real z))%Z.
  unfold is_intR in h1', h2', h3'; rewrite h1', h2', h3' at 1.
  rewrite plus_IZR, mult_IZR; reflexivity.
+ split; auto.
  rewrite max_real_int in H.
  destruct H; apply is_intR_equiv.
  exists max_int; assumption.
  exists (- max_int)%Z.
  rewrite opp_IZR; assumption.
Qed.

(* Why3 goal *)
Lemma neg_int : forall (x:t), is_int x -> is_int (neg x).
Proof.
intros x (h1,h2).
destruct (neg_finite x h1).
split; try easy.
unfold is_intR in *.
rewrite H0.
rewrite h2 at 2.
rewrite <- opp_IZR, Zfloor_IZR, opp_IZR.
apply f_equal, h2.
Qed.

(* Why3 goal *)
Lemma abs_int : forall (x:t), is_int x -> is_int (abs x).
Proof.
intros x (h1,h2).
destruct (abs_finite x h1) as (h3,(h4,h5)).
split; try easy.
unfold is_intR in *.
rewrite h4.
rewrite h2 at 2.
rewrite <- abs_IZR, Zfloor_IZR, abs_IZR.
apply f_equal, h2.
Qed.

(* Why3 goal *)
Lemma is_int_of_int :
  forall (x:t) (m:ieee_float.RoundingMode.mode)
    (m':ieee_float.RoundingMode.mode),
  is_int x -> eq x (of_int m' (to_int m x)).
Proof.
  intros x m m' h1.
  assert (h1':=h1).
  destruct h1 as (h1,h2).
  assert (no_overflow m' (IZR (to_int m x))) by
      (apply is_finite_to_int; auto).
  destruct (of_int_correct H) as (h3,(h4,h5)); auto.
  rewrite to_real_eq; auto.
  rewrite h3, <-int_to_real_; auto.
  symmetry; apply Round_to_real; auto.
Qed.

(* Why3 goal *)
Lemma is_int_to_int :
  forall (m:ieee_float.RoundingMode.mode) (x:t), is_int x ->
  in_int_range (to_int m x).
Proof.
intros m x h1.
pose proof (@int_to_real_ m x h1).
unfold in_int_range.
destruct h1.
apply is_finite1 in H0.
unfold in_range in H0.
destruct H0.
split; apply le_IZR; try rewrite FromInt.Neg; rewrite <-max_real_int, <-H; auto.
Qed.

(* Why3 goal *)
Lemma is_int_is_finite : forall (x:t), is_int x -> is_finite x.
Proof.
intros x (h,_); assumption.
Qed.

(* Why3 goal *)
Lemma int_to_real :
  forall (m:ieee_float.RoundingMode.mode) (x:t), is_int x ->
  ((to_real x) = (BuiltIn.IZR (to_int m x))).
Proof.
intros m x.
apply int_to_real_.
Qed.

Lemma of_int_to_real : forall (m:mode) (x:Z), (no_overflow m
  (BuiltIn.IZR x)) -> ((to_real (of_int m x)) = (round m
  (BuiltIn.IZR x))).
Proof.
  intros m x h1.
  apply (of_int_correct h1).
Qed.

(* TODO: add to theory ? *)
Lemma to_real_roundToIntegral: forall {x} m, is_finite x -> to_real (roundToIntegral m x) = IZR (to_int m x).
Proof.
  intros x m h.
  unfold roundToIntegral.
  destruct Z.eq_dec.

  destruct x; try easy.
  rewrite B754_zero_to_real, e; auto.
  rewrite B754_zero_to_real, e; auto.

  destruct x; try easy.
  contradict n.
  apply to_int_B754_zero.

  set (x:= B754_finite s m0 e e0); fold x in h, h.
  change (to_real (of_int RTZ (to_int m x)) = IZR (to_int m x)).

  assert (is_finite Bmax_rep_int) by auto.
  destruct (neg_finite _ H) as (H0,_).

  assert (((le (neg Bmax_rep_int) x) /\ (le x Bmax_rep_int))
       \/ ((le x (neg Bmax_rep_int)) \/ (le Bmax_rep_int x))) as h1.
  destruct (le_or_lt_or_nan x Bmax_rep_int) as [h1|[h1|[h1|h1]]].
  + destruct (le_or_lt_or_nan (neg Bmax_rep_int) x) as [h2|[h2|[h2|h2]]].
    - left; split; easy.
    - right; left; apply lt_le; auto.
    - destruct (neg Bmax_rep_int); easy.
    - destruct x; easy.
  + right; right; apply lt_le; auto.
  + destruct x; easy.
  + destruct Bmax_rep_int; easy.

  + destruct h1.
    - destruct H1.
      apply (@to_int_le _ _ m H0 h) in H1.
      apply (@to_int_le _ _ m h H) in H2.
      rewrite (neg_int_to_int Bmax_rep_int_is_int) in H1.
      rewrite Bmax_rep_int_to_int in H1, H2.
      rewrite of_int_to_real.
      rewrite Exact_rounding_for_integers; auto.
      unfold in_safe_int_range; auto.
      apply Bounded_real_no_overflow.
      apply rep_int_in_range; auto.
    - rewrite (@Bmax_rep_int_of_int m) in H1.
      pose proof (big_float_is_int m _ h H1).
      rewrite of_int_to_real.
      rewrite <-int_to_real; auto.
      rewrite Round_to_real; auto.
      apply Bounded_real_no_overflow.
      apply is_finite_range_to_int; auto.
Qed.

(* Why3 goal *)
Lemma truncate_int :
  forall (m:ieee_float.RoundingMode.mode) (i:t), is_int i ->
  eq (roundToIntegral m i) i.
Proof.
  intros m i (h1,h2).
  pose proof (roundToIntegral_finite m h1).
  rewrite eq_to_real_finite; auto.
  rewrite to_real_roundToIntegral; auto.
  symmetry.
  apply int_to_real; auto.
Qed.

(* Why3 goal *)
Lemma truncate_neg :
  forall (x:t), is_finite x -> is_negative x ->
  ((roundToIntegral ieee_float.RoundingMode.RTZ x) =
   (roundToIntegral ieee_float.RoundingMode.RTP x)).
Proof.
  intros x h1 h2.
  destruct x; try easy.
  simpl roundToIntegral.
  pose proof (negative_to_real _ h1 h2).
  pose proof (Ztrunc_ceil _ H).
  simpl in H0.
  rewrite H0.
  reflexivity.
Qed.

(* Why3 goal *)
Lemma truncate_pos :
  forall (x:t), is_finite x -> is_positive x ->
  ((roundToIntegral ieee_float.RoundingMode.RTZ x) =
   (roundToIntegral ieee_float.RoundingMode.RTN x)).
Proof.
  intros x h1 h2.
  destruct x; try easy.
  simpl roundToIntegral.
  pose proof (positive_to_real _ h1 h2).
  pose proof (Ztrunc_floor _ H).
  simpl in H0.
  rewrite H0.
  reflexivity.
Qed.

(* Why3 goal *)
Lemma ceil_le :
  forall (x:t), is_finite x ->
  le x (roundToIntegral ieee_float.RoundingMode.RTP x).
Proof.
intros x h1.
pose proof (roundToIntegral_finite RTP h1).
rewrite le_to_real; auto.
rewrite to_real_roundToIntegral; auto.
simpl.
apply Zceil_ub.
Qed.

(* Why3 goal *)
Lemma ceil_lest :
  forall (x:t) (y:t), le x y /\ is_int y ->
  le (roundToIntegral ieee_float.RoundingMode.RTP x) y.
Proof.
intros x y (h1,h2).
destruct (le_special _ _ h1) as [h|[h|h]]; try easy.
- destruct h.
  pose proof (roundToIntegral_finite RTP H).
  rewrite le_to_real; auto.
  rewrite to_real_roundToIntegral; auto.
  simpl.
  rewrite (int_to_real RTP _ h2).
  apply IZR_le, Zceil_glb.
  rewrite <- (int_to_real RTP _ h2).
  apply le_to_real; auto.
- destruct h as (h,_).
  unfold is_minus_infinity in h.
  destruct x; easy.
- unfold is_plus_infinity in h.
  destruct h, h2, y; try easy.
Qed.

(* Why3 goal *)
Lemma ceil_to_real :
  forall (x:t), is_finite x ->
  ((to_real (roundToIntegral ieee_float.RoundingMode.RTP x)) =
   (BuiltIn.IZR (real.Truncate.ceil (to_real x)))).
Proof.
  intros x h.
  rewrite to_real_roundToIntegral; auto.
Qed.

(* Why3 goal *)
Lemma ceil_to_int :
  forall (m:ieee_float.RoundingMode.mode) (x:t), is_finite x ->
  ((to_int m (roundToIntegral ieee_float.RoundingMode.RTP x)) =
   (real.Truncate.ceil (to_real x))).
Proof.
  intros m x h.
  unfold to_int.
  rewrite to_real_roundToIntegral; auto.
  destruct (valid_rnd_round_mode m) as (_,h').
  destruct m; apply (h' (to_int RTP x)).
Qed.

(* Why3 goal *)
Lemma floor_le :
  forall (x:t), is_finite x ->
  le (roundToIntegral ieee_float.RoundingMode.RTN x) x.
Proof.
  intros x h1.
  pose proof (roundToIntegral_finite RTN h1).
  rewrite le_to_real; auto.
  rewrite to_real_roundToIntegral; auto.
  simpl.
  apply Zfloor_lb.
Qed.

(* Why3 goal *)
Lemma floor_lest :
  forall (x:t) (y:t), le y x /\ is_int y ->
  le y (roundToIntegral ieee_float.RoundingMode.RTN x).
Proof.
  intros x y (h1,h2).
  destruct (le_special _ _ h1) as [h|[h|h]]; try easy.
  - destruct h.
    pose proof (roundToIntegral_finite RTN H0).
    rewrite le_to_real; auto.
    rewrite to_real_roundToIntegral; auto.
    simpl.
    rewrite (int_to_real RTN _ h2).
    apply IZR_le, Zfloor_lub.
    rewrite <- (int_to_real RTN _ h2).
    apply le_to_real; auto.
  - destruct h2 as (h2,_).
    unfold is_minus_infinity in h.
    destruct y; easy.
  - unfold is_plus_infinity in h.
    destruct h; destruct H; destruct H0, h2, x; try easy.
Qed.

(* Why3 goal *)
Lemma floor_to_real :
  forall (x:t), is_finite x ->
  ((to_real (roundToIntegral ieee_float.RoundingMode.RTN x)) =
   (BuiltIn.IZR (real.Truncate.floor (to_real x)))).
Proof.
  intros x h.
  rewrite to_real_roundToIntegral; auto.
Qed.

(* Why3 goal *)
Lemma floor_to_int :
  forall (m:ieee_float.RoundingMode.mode) (x:t), is_finite x ->
  ((to_int m (roundToIntegral ieee_float.RoundingMode.RTN x)) =
   (real.Truncate.floor (to_real x))).
Proof.
  intros m x h.
  unfold to_int.
  rewrite to_real_roundToIntegral; auto.
  destruct (valid_rnd_round_mode m) as (_,h').
  destruct m; apply (h' (to_int RTN x)).
Qed.

Lemma same_sign_roundToIntegral:
  forall {x} (m:mode), ~ is_nan x -> same_sign (roundToIntegral m x) x.
Proof.
  intros x m h.
  unfold same_sign.
  destruct x; try (now elim h); try (destruct s; simpl; now auto); clear h.
  set (x:=B754_finite s m0 e e0).
  assert (no_overflow RTZ (IZR (to_int m x))) by
      now apply is_finite_to_int.
  destruct (of_int_correct H) as (_,(_,h1)); clear H.
  assert (is_finite x) as h2 by easy.
  pose proof (roundToIntegral_finite m h2).
  destruct s; simpl;[right|left];split;auto.
  + apply is_negative_Bsign; auto.
    change (~ is_nan (roundToIntegral m x)); destruct (roundToIntegral m x); easy.
    assert (to_int m x <= 0)%Z.
    apply is_negative_to_int; easy.
    destruct (Z_le_lt_eq_dec _ _ H0).
    - rewrite Zcompare_Lt in h1 by auto.
      destruct Z.eq_dec; auto.
    - destruct Z.eq_dec; auto.
  + apply is_positive_Bsign; auto.
    change (~ is_nan (roundToIntegral m x)); destruct (roundToIntegral m x); easy.
    assert (0 <= to_int m x)%Z.
    apply is_positive_to_int; easy.
    destruct (Z_le_lt_eq_dec _ _ H0).
    - rewrite Zcompare_Gt in h1 by auto.
      destruct Z.eq_dec; auto.
    - symmetry in e1.
      destruct Z.eq_dec; easy.
Qed.

Lemma same_sign_roundToIntegral2:
  forall {x} {m m':mode}, ~ is_nan x -> same_sign (roundToIntegral m x) (roundToIntegral m' x).
Proof.
  intros x m m' h.
  pose proof (same_sign_roundToIntegral m h).
  pose proof (same_sign_roundToIntegral m' h).
  unfold same_sign in *.
  pose proof (negative_xor_positive x).
  destruct H as [(H,H')|(H,H')], H0 as [(H0,H0')|(H0,H0')]; auto.
  contradict H1; auto.
  contradict H1; auto.
Qed.

Lemma no_overflow_to_real_min_RTN:
  forall x, is_finite x -> no_overflow RNE (to_real x - to_real (roundToIntegral RTN x)).
Proof.
  intros x h.
  rewrite to_real_roundToIntegral; auto.
  unfold to_int.
  apply Bounded_real_no_overflow.
  pose proof (Zfloor_ub (to_real x)).
  pose proof (Zfloor_lb (to_real x)).
  unfold in_range.
  pose proof max_real_ge_6.
  fold (to_real x).
  split; lra.
Qed.

Lemma ceil_lb: forall x, ((IZR (ceil x) - 1) < x).
Proof.
  intro.
  case (Req_dec (IZR (Zfloor x)) x); intro.
  rewrite <-H, Zceil_IZR, H; simpl; lra.
  rewrite (Zceil_floor_neq _ H).
  rewrite plus_IZR; simpl.
  pose proof (Zfloor_lb x).
  destruct (Rle_lt_or_eq_dec _ _ H0); try easy.
  lra.
Qed.

Lemma no_overflow_to_real_RTP_min:
  forall x, is_finite x -> no_overflow RNE (to_real (roundToIntegral RTP x) - to_real x).
Proof.
  intros x h.
  rewrite to_real_roundToIntegral; auto.
  unfold to_int.
  apply Bounded_real_no_overflow.
  pose proof (Zceil_ub (to_real x)).
  pose proof (ceil_lb (to_real x)).
  unfold in_range.
  pose proof max_real_ge_6.
  fold (to_real x).
  split; lra.
Qed.

(* Why3 goal *)
Lemma RNA_down :
  forall (x:t),
  lt
  (sub ieee_float.RoundingMode.RNE x
   (roundToIntegral ieee_float.RoundingMode.RTN x))
  (sub ieee_float.RoundingMode.RNE
   (roundToIntegral ieee_float.RoundingMode.RTP x) x) ->
  ((roundToIntegral ieee_float.RoundingMode.RNA x) =
   (roundToIntegral ieee_float.RoundingMode.RTN x)).
Proof.
  intros x h.
  destruct x; try easy.
  set (x:=(B754_finite s m e e0)); fold x in h.
  assert (forall m', is_finite (roundToIntegral m' x)) as h1.
  intro m'.
  apply roundToIntegral_finite; try easy.
  apply to_real_refl; try easy.
  2: apply same_sign_roundToIntegral2; easy.

  rewrite to_real_roundToIntegral, to_real_roundToIntegral; try easy.
  f_equal.
  unfold to_int.
  apply Znearest_imp.
  rewrite Rabs_pos_eq.
  2: pose proof (Zfloor_lb (to_real x)); fold (to_real x); lra.

  assert (is_finite x) as x_fin by easy.
  pose proof (no_overflow_to_real_min_RTN _ x_fin) as h2.
  pose proof (no_overflow_to_real_RTP_min _ x_fin) as h3.

  assert (is_finite (roundToIntegral RTN x)) as rtn_fin by auto.
  assert (is_finite (roundToIntegral RTP x)) as rtp_fin by auto.
  destruct (sub_finite _ _ _ x_fin rtn_fin h2) as (h4,h4').
  destruct (sub_finite _ _ _ rtp_fin x_fin h3) as (h5,h5').
  clear x_fin h2 h3 rtn_fin rtp_fin.

  rewrite lt_finite in h; auto.
  rewrite h4' in h; auto.
  rewrite h5' in h; auto.

  fold (to_real x).
  case (Req_dec (IZR (Zfloor (to_real x))) (to_real x)); intro.
  lra.

  apply round_lt in h.
  rewrite to_real_roundToIntegral, to_real_roundToIntegral in h; try easy.
  unfold to_int in h.
  rewrite Zceil_floor_neq, plus_IZR in h; auto.
  fold (to_real x) in h.
  lra.
Qed.

(* Why3 goal *)
Lemma RNA_up :
  forall (x:t),
  lt
  (sub ieee_float.RoundingMode.RNE
   (roundToIntegral ieee_float.RoundingMode.RTP x) x)
  (sub ieee_float.RoundingMode.RNE x
   (roundToIntegral ieee_float.RoundingMode.RTN x)) ->
  ((roundToIntegral ieee_float.RoundingMode.RNA x) =
   (roundToIntegral ieee_float.RoundingMode.RTP x)).
Proof.
  intros x h.
  destruct x; try easy.
  set (x:=(B754_finite s m e e0)); fold x in h.
  assert (forall m', is_finite (roundToIntegral m' x)) as h1.
  intro m'.
  apply roundToIntegral_finite; try easy.
  apply to_real_refl; try easy.
  2: apply same_sign_roundToIntegral2; easy.

  rewrite to_real_roundToIntegral, to_real_roundToIntegral; try easy.
  f_equal.
  unfold to_int.
  apply Znearest_imp.
  rewrite Rabs_left1.
  2: pose proof (Zceil_ub (to_real x)); fold (to_real x); lra.
  rewrite Ropp_minus_distr.

  assert (is_finite x) as x_fin by easy.
  pose proof (no_overflow_to_real_min_RTN _ x_fin) as h2.
  pose proof (no_overflow_to_real_RTP_min _ x_fin) as h3.

  assert (is_finite (roundToIntegral RTN x)) as rtn_fin by auto.
  assert (is_finite (roundToIntegral RTP x)) as rtp_fin by auto.
  destruct (sub_finite _ _ _ x_fin rtn_fin h2) as (h4,h4').
  destruct (sub_finite _ _ _ rtp_fin x_fin h3) as (h5,h5').
  clear x_fin h2 h3 rtn_fin rtp_fin.

  rewrite lt_finite in h; auto.
  rewrite h4' in h; auto.
  rewrite h5' in h; auto.

  fold (to_real x).
  case (Req_dec (IZR (Zceil (to_real x))) (to_real x)); intro.
  lra.

  apply round_lt in h.
  rewrite to_real_roundToIntegral, to_real_roundToIntegral in h; try easy.
  unfold to_int in h.
  assert (IZR (floor (to_real x)) <> to_real x).
  intro.
  rewrite <-H0 in H.
  rewrite Zceil_IZR in H.
  auto.

  rewrite Zceil_floor_neq, plus_IZR in h; auto.
  rewrite Zceil_floor_neq, plus_IZR; auto.
  fold (to_real x) in h; lra.
Qed.

Lemma sterbenz_round: forall x y m,
    to_real y / 2 <= to_real x <= 2 * to_real y ->
    round m (to_real x - to_real y) = to_real x - to_real y.
Proof.
  intros x y m h.
  assert (generic_format radix2 fexp (to_real x - to_real y)).
  { apply Sterbenz.sterbenz.
    apply fexp_Valid.
    apply fexp_monotone.
    apply generic_format_B2R.
    apply generic_format_B2R.
    exact h. }
  apply round_generic; auto.
  apply valid_rnd_round_mode.
Qed.

Lemma sterbenz_round_opp: forall x y m,
    to_real y / 2 <= to_real x <= 2 * to_real y ->
    round m (to_real y - to_real x) = to_real y - to_real x.
Proof.
  intros x y m h.
  assert (generic_format radix2 fexp (to_real y - to_real x)).
  { replace (to_real y - to_real x) with (- (to_real x - to_real y)) by ring.
    apply generic_format_opp.
    apply Sterbenz.sterbenz.
    apply fexp_Valid.
    apply fexp_monotone.
    apply generic_format_B2R.
    apply generic_format_B2R.
    exact h. }
  apply round_generic; auto.
  apply valid_rnd_round_mode.
Qed.

Lemma sterbenz_round_2: forall x y m, is_finite y -> is_finite x ->
    2 * to_real y <= to_real x <= to_real y / 2 ->
    round m (to_real x - to_real y) = to_real x - to_real y.
Proof.
  intros x y m h h' h2.
  replace (to_real x - to_real y) with (-to_real y - (- to_real x)) by field.
  destruct (neg_finite _ h) as (_,h1); rewrite <-h1;
  destruct (neg_finite _ h') as (_,h1'); rewrite <-h1'.
  apply sterbenz_round_opp.
  rewrite h1, h1'.
  destruct h2.
  assert (forall x, -x = -1*x) as h2 by (intro; ring).
  split.
  - rewrite h2, (h2 (to_real x)).
    rewrite Real.assoc_mul_div by (apply Rgt_not_eq; lra).
    apply Rmult_le_compat_neg_l; lra.
  - rewrite h2, (h2 (to_real y)).
    replace (2 * (-1 * to_real y)) with (-1 * (2 * to_real y)) by field.
    apply Rmult_le_compat_neg_l; lra.
Qed.

Lemma RTN_not_far: forall x,
    is_finite x -> 1 <= to_real x ->
    to_real (roundToIntegral RTN x) / 2 <= to_real x <= 2 * to_real (roundToIntegral RTN x).
Proof.
  intros x h h1.
  rewrite floor_to_real; auto.
  pose proof (Zfloor_lb (to_real x));
  pose proof (Zfloor_ub (to_real x)).
  split. lra.
  apply Rlt_le.
  apply Rlt_le_trans with (r2 := IZR (floor (to_real x)) + 1); auto.
  assert (1 <= IZR (floor (to_real x))).
  { pose proof (Rle_lt_trans _ _ _ h1 H0).
    rewrite <- plus_IZR in H1.
    apply lt_IZR in H1.
    apply IZR_le.
    auto with zarith. }
  lra.
Qed.

Lemma RTN_not_far_opp: forall x,
    is_finite x -> to_real x <= -/2 ->
    2 * to_real (roundToIntegral RTN x) <= to_real x <= to_real (roundToIntegral RTN x) / 2.
Proof.
  intros x h h1.
  rewrite floor_to_real; auto.
  pose proof (Zfloor_lb (to_real x));
  pose proof (Zfloor_ub (to_real x)).
  split. lra.
  destruct (Rle_lt_dec (to_real x) (-1)). lra.
  assert (IZR (floor (to_real x)) = -1).
  { assert (IZR (floor(to_real x)) < 0) by lra.
    assert (-2 < IZR (floor (to_real x))) by lra.
    apply lt_IZR in H1; apply lt_IZR in H2.
    now replace (floor (to_real x)) with (-1)%Z by lia. }
  lra.
Qed.

Lemma RTP_not_far: forall x,
    is_finite x -> /2 <= to_real x ->
    to_real x / 2 <= to_real (roundToIntegral RTP x) <= 2 * to_real x.
Proof.
  intros x h h1.
  rewrite ceil_to_real; auto.
  pose proof (ceil_lb (to_real x));
  pose proof (Zceil_ub (to_real x)).
  split. lra.
  destruct (Rle_lt_dec 1 (to_real x) ); try lra.
  assert (IZR (ceil (to_real x)) = 1).
  { assert (0 < IZR (ceil( to_real x))) by lra.
    assert (IZR (ceil(to_real x)) < 2) by lra.
    apply lt_IZR in H1; apply lt_IZR in H2.
    now replace (ceil (to_real x)) with 1%Z by lia. }
  lra.
Qed.

Lemma RTP_not_far_opp: forall x,
    is_finite x -> to_real x <= -1 ->
    2 * to_real x <= to_real (roundToIntegral RTP x) <= to_real x / 2.
Proof.
  intros x h h1.
  rewrite ceil_to_real; auto.
  pose proof (ceil_lb (to_real x));
  pose proof (Zceil_ub (to_real x)).
  split. lra.
  apply Rmult_le_reg_r with (r:=2); try lra.
  replace (to_real x / 2 * 2) with (to_real x) by field.
  apply Rlt_le.
  apply Rle_lt_trans with (r2 := IZR (ceil (to_real x)) - 1); auto.
  assert (IZR (ceil (to_real x)) <= -1).
  { pose proof (Rlt_le_trans _ _ _ H h1).
    rewrite <- (minus_IZR _ 1) in H1.
    apply (lt_IZR _ (-1)) in H1.
    apply (IZR_le _ (-1)).
    auto with zarith. }
  lra.
Qed.

Lemma round_plus_weak: forall x y m,
    Rabs (to_real x + to_real y) <= Rmin (Rabs (to_real x)) (Rabs (to_real y)) ->
    round m (to_real x + to_real y) = to_real x + to_real y.
Proof.
  intros x y m h.
  assert (generic_format radix2 fexp (to_real x + to_real y)).
  { apply Sterbenz.generic_format_plus_weak.
    apply fexp_Valid.
    apply fexp_monotone.
    apply generic_format_B2R.
    apply generic_format_B2R.
    exact h. }
  apply round_generic; auto.
  apply valid_rnd_round_mode.
Qed.

Lemma half_bounded: SpecFloat.bounded sb emax (shift_pos (sb_pos - 1) 1) (- sb) = true.
Proof.
  unfold SpecFloat.bounded.
  apply Bool.andb_true_iff; split.
  unfold SpecFloat.canonical_mantissa.
  apply Zeq_bool_true.
  rewrite Digits.Zpos_digits2_pos, shift_pos_correct.
  rewrite Zmult_1_r, Z.pow_pos_fold.
  rewrite Digits.Zdigits_Zpower by easy.
  rewrite Pos2Z.inj_sub by exact sb_gt_1.
  fold sb.
  unfold SpecFloat.fexp, FLT_exp, SpecFloat.emin.
  replace (sb - 1 + 1 + - sb)%Z with 0%Z by ring.
  apply Z.max_l.
  pose sb_gt_1; pose Hemax'; lia.
  apply Zle_bool_true.
  pose Hemax'; pose sb_gt_1; lia.
Qed.

Definition half: t.
Proof.
  exact (B754_finite false _ _ half_bounded).
Defined.

Lemma half_to_real : ((to_real half) = (05 / 10)%R).
Proof.
  unfold B2R, half; simpl.
  rewrite shift_pos_correct.
  rewrite Z.pow_pos_fold.
  unfold F2R.
  unfold Fnum, Fexp.
  rewrite Zmult_1_r.
  change 2%Z with (radix_val radix2).
  rewrite IZR_Zpower by easy.
  rewrite <-bpow_plus.
  rewrite Pos2Z.inj_sub by exact sb_gt_1.
  rewrite <-Pos2Z.opp_pos.
  replace (Z.pos sb_pos - 1 + - Z.pos sb_pos)%Z with (- 1)%Z by ring.
  unfold bpow.
  change (Z.pow_pos radix2 1)%Z with 2%Z.
  field.
Qed.

Lemma eq_diff_floor_ceil: forall {x}, eq (sub RNE x (roundToIntegral RTN x)) (sub RNE (roundToIntegral RTP x) x) -> to_real x - IZR (floor (to_real x)) = IZR (ceil (to_real x)) - to_real x.
Proof.
  intros x h.
  destruct x; try easy.
  - rewrite B754_zero_to_real.
    rewrite Zfloor_IZR, Zceil_IZR; auto.
  - simpl.
    rewrite Zfloor_IZR, Zceil_IZR; auto.
  - set (x:=(B754_finite s m e e0)); fold x in h.
    assert (forall m', is_finite (roundToIntegral m' x)) as h1 by
          (intro m'; apply roundToIntegral_finite; easy).

    assert (is_finite x) as x_fin by easy.
    pose proof (no_overflow_to_real_min_RTN _ x_fin) as h2.
    pose proof (no_overflow_to_real_RTP_min _ x_fin) as h3.

    assert (is_finite (roundToIntegral RTN x)) as rtn_fin by auto.
    assert (is_finite (roundToIntegral RTP x)) as rtp_fin by auto.
    destruct (sub_finite _ _ _ x_fin rtn_fin h2) as (h4,h4').
    destruct (sub_finite _ _ _ rtp_fin x_fin h3) as (h5,h5').
    clear h2 h3 rtn_fin rtp_fin.

    assert (h':=h).
    rewrite to_real_eq in h; auto.
    rewrite h4' in h; auto.
    rewrite h5' in h; auto.
    clear h4' h5'.

    destruct (Rle_lt_dec 1 (to_real x));[|destruct (Rle_lt_dec (to_real x) (-1))].

    + destruct (RTN_not_far x); auto.
      destruct (RTP_not_far x); auto; try lra.
      rewrite sterbenz_round, sterbenz_round in h by auto.
      rewrite to_real_roundToIntegral, to_real_roundToIntegral in h; auto.

    + destruct (RTN_not_far_opp x); auto; try lra.
      destruct (RTP_not_far_opp x); auto.
      rewrite sterbenz_round_2, sterbenz_round_2 in h by auto.
      rewrite to_real_roundToIntegral, to_real_roundToIntegral in h; auto.

    + destruct (Rle_lt_dec (to_real x) 0).
      destruct r1.
      * assert (floor (to_real x) = (-1)%Z).
            (apply Zfloor_imp; simpl IZR; split; lra).
        assert (ceil (to_real x) = 0%Z) by
            (apply Zceil_imp; simpl IZR; split; lra).

        revert h.
        rewrite (to_real_roundToIntegral RTP) by easy.
        unfold to_int.
        fold (to_real x).
        rewrite H1.
        rewrite Rminus_0_l.
        rewrite <-(proj2 (neg_finite _ x_fin)).
        rewrite (Round_to_real RNE) by easy.
        rewrite (proj2 (neg_finite _ x_fin)).

        { destruct (Rle_lt_dec (to_real x) (-/2)).
        - assert (
               round RNE (to_real x - to_real (roundToIntegral RTN x)) =
               to_real x - to_real (roundToIntegral RTN x)) as aux1.
           { rewrite Real.infix_mn'def, <-(proj2 (neg_finite _ (h1 RTN))).
             apply round_plus_weak.
             rewrite (proj2 (neg_finite _ (h1 RTN))).
             rewrite to_real_roundToIntegral; auto.
             unfold to_int.
             fold (to_real x).
             rewrite H0.
             rewrite <- opp_IZR; simpl IZR.
             rewrite Rabs_pos_eq, Rabs_left, Rabs_pos_eq, Rmin_left ; lra. }
           rewrite aux1.
           now rewrite to_real_roundToIntegral.

        - clear r r0.
           rewrite to_real_roundToIntegral by easy.
           unfold to_int.
           fold (to_real x).
           rewrite H0.
           replace (to_real x - -1) with (to_real x+1) by ring.
           pose proof (Rplus_lt_compat_r 1 _ _ r1).
           apply Rlt_le in H2.
           replace (-/2+1) with (5/10) in H2 by field.
           rewrite <-half_to_real in H2.
           apply (Round_monotonic RNE) in H2.
           rewrite Round_to_real in H2 by easy.
           rewrite half_to_real in H2.
           intros.
           lra. }
      * assert (floor (to_real x) = 0%Z) by
            (apply Zfloor_imp; simpl IZR; split; lra).
        assert (ceil (to_real x) = 0%Z) by
            (apply Zceil_imp; simpl IZR; split; lra).
        rewrite H0, H1, H; auto.

      * assert (floor (to_real x) = 0%Z) by
            (apply Zfloor_imp; simpl IZR; split; lra).
        assert (ceil (to_real x) = 1%Z) by
            (apply Zceil_imp; simpl IZR; split; lra).

        revert h.
        rewrite (to_real_roundToIntegral RTN) by easy.
        unfold to_int.
        fold (to_real x).
        rewrite H.
        replace (to_real x - 0) with (to_real x) by (simpl IZR ; ring).
        rewrite (Round_to_real RNE) by easy.

        { destruct (Rle_lt_dec (/2) (to_real x)).
        - assert (
               round RNE (to_real (roundToIntegral RTP x) - to_real x) =
               to_real (roundToIntegral RTP x) - to_real x) as aux1.
           { rewrite Real.infix_mn'def, <-(proj2 (neg_finite _ x_fin)).
             apply round_plus_weak.
             rewrite (proj2 (neg_finite _ x_fin)).
             rewrite to_real_roundToIntegral by easy.
             unfold to_int.
             fold (to_real x).
             rewrite H0.
             rewrite Rabs_pos_eq, Rabs_pos_eq, Rabs_left, Rmin_right; lra. }
           rewrite aux1.
           now rewrite to_real_roundToIntegral.

        - clear r r0.
           rewrite to_real_roundToIntegral by easy.
           unfold to_int.
           fold (to_real x).
           rewrite H0.
           pose proof (Ropp_lt_contravar _ _ r2).
           pose proof (Rplus_lt_compat_l 1 _ _ H1).
           apply Rlt_le in H2.
           replace (1+-/2) with (5/10) in H2 by field.
           rewrite <-half_to_real in H2.
           rewrite <-Real.infix_mn'def in H2.
           apply (Round_monotonic RNE) in H2.
           rewrite Round_to_real in H2 by easy.
           rewrite half_to_real in H2.
           intros.
           lra. }
Qed.

(* Why3 goal *)
Lemma RNA_down_tie :
  forall (x:t),
  eq
  (sub ieee_float.RoundingMode.RNE x
   (roundToIntegral ieee_float.RoundingMode.RTN x))
  (sub ieee_float.RoundingMode.RNE
   (roundToIntegral ieee_float.RoundingMode.RTP x) x) ->
  is_negative x ->
  ((roundToIntegral ieee_float.RoundingMode.RNA x) =
   (roundToIntegral ieee_float.RoundingMode.RTN x)).
Proof.
  intros x h h'.
  destruct x; try easy.
  set (x:=(B754_finite s m e e0)); fold x in h, h'.
  assert (forall m', is_finite (roundToIntegral m' x)) as h1 by
        (intro m'; apply roundToIntegral_finite; easy).
  apply to_real_refl; auto.
  2: apply same_sign_roundToIntegral2; easy.
  apply eq_diff_floor_ceil in h.

  rewrite to_real_roundToIntegral, to_real_roundToIntegral; try easy.
  f_equal.
  unfold to_int.
  fold (to_real x).

  destruct (is_int_or_not x).
  rewrite (int_to_real RTZ _ H).
  destruct (valid_rnd_round_mode RNA) as (_,H').
  simpl in H'.
  rewrite H', Zfloor_IZR; reflexivity.

  unfold Znearest.
  rewrite Rcompare_Eq.
  rewrite Zle_bool_false; auto.
  apply lt_IZR.
  apply Rle_lt_trans with (r2:=to_real x).
  apply Zfloor_lb.
  rewrite <-zeroF_to_real.
  apply lt_finite; try easy.
  rewrite is_negative_correct in h'.
  destruct h'; easy.

  rewrite Zceil_floor_neq in h.
  rewrite plus_IZR in h.
  lra.

  unfold is_int in H.
  apply Decidable.not_and in H.
  destruct H.
  now elim H.
  now apply not_eq_sym.
  now left.
Qed.

(* Why3 goal *)
Lemma RNA_up_tie :
  forall (x:t),
  eq
  (sub ieee_float.RoundingMode.RNE
   (roundToIntegral ieee_float.RoundingMode.RTP x) x)
  (sub ieee_float.RoundingMode.RNE x
   (roundToIntegral ieee_float.RoundingMode.RTN x)) ->
  is_positive x ->
  ((roundToIntegral ieee_float.RoundingMode.RNA x) =
   (roundToIntegral ieee_float.RoundingMode.RTP x)).
Proof.
  intros x h h'.
  destruct x; try easy.
  set (x:=(B754_finite s m e e0)); fold x in h, h'.
  assert (forall m', is_finite (roundToIntegral m' x)) as h1 by
        (intro m'; apply roundToIntegral_finite; easy).
  apply to_real_refl; auto.
  2: apply same_sign_roundToIntegral2; easy.
  apply eq_sym, eq_diff_floor_ceil in h.

  rewrite to_real_roundToIntegral, to_real_roundToIntegral; try easy.
  f_equal.
  unfold to_int.
  fold (to_real x).

  destruct (is_int_or_not x).
  rewrite (int_to_real RTZ _ H).
  destruct (valid_rnd_round_mode RNA) as (_,H').
  simpl in H'.
  rewrite H', Zceil_IZR; reflexivity.

  unfold Znearest.
  rewrite Rcompare_Eq.
  rewrite Zle_bool_true; auto.
  apply non_zero_positive_to_real in h'; try easy.
  apply Zfloor_lub.
  lra.
  unfold is_zero.
  unfold eq. simpl.
  now destruct s.

  rewrite Zceil_floor_neq in h.
  rewrite plus_IZR in h.
  lra.

  unfold is_int in H.
  apply Decidable.not_and in H.
  destruct H.
  now elim H.
  now apply not_eq_sym.
  now left.
Qed.

(* Why3 goal *)
Lemma to_int_roundToIntegral :
  forall (m:ieee_float.RoundingMode.mode) (x:t),
  ((to_int m x) = (to_int m (roundToIntegral m x))).
Proof.
  intros m x.
  destruct x; try easy.
  unfold to_int at 2.
  rewrite to_real_roundToIntegral by easy.
  destruct (valid_rnd_round_mode m) as (_,h).
  pose proof (h (to_int m (B754_finite s m0 e e0))).
  now destruct m.
Qed.

(* Why3 goal *)
Lemma to_int_monotonic :
  forall (m:ieee_float.RoundingMode.mode) (x:t) (y:t), is_finite x ->
  is_finite y -> le x y -> ((to_int m x) <= (to_int m y))%Z.
Proof.
intros m x y h1 h2 h3.
now apply to_int_le.
Qed.

(* Why3 goal *)
Lemma to_int_of_int :
  forall (m:ieee_float.RoundingMode.mode) (i:Numbers.BinNums.Z),
  in_safe_int_range i -> ((to_int m (of_int m i)) = i).
Proof.
intros m i (h1,h2).
apply eq_IZR.
rewrite <-int_to_real.
rewrite of_int_to_real.
apply Exact_rounding_for_integers; auto.
unfold in_safe_int_range; auto.
apply Bounded_real_no_overflow, rep_int_in_range; auto.
apply of_int_is_int.
pose proof pow2sb_lt_max_int.
unfold in_int_range; auto with zarith.
Qed.

(* Why3 goal *)
Lemma eq_to_int :
  forall (m:ieee_float.RoundingMode.mode) (x:t) (y:t), is_finite x ->
  eq x y -> ((to_int m x) = (to_int m y)).
Proof.
intros m x y h1 h2.
apply to_int_eq, h2.
Qed.

(* Why3 goal *)
Lemma neg_to_int :
  forall (m:ieee_float.RoundingMode.mode) (x:t), is_int x ->
  ((to_int m (neg x)) = (-(to_int m x))%Z).
Proof.
intros m x h1.
apply neg_int_to_int; auto.
Qed.

(* Why3 goal *)
Lemma roundToIntegral_is_finite :
  forall (m:ieee_float.RoundingMode.mode) (x:t), is_finite x ->
  is_finite (roundToIntegral m x).
Proof.
intros m x h1.
apply roundToIntegral_finite, h1.
Qed.

End GenericFloat.
why3-1.6.0/lib/coq/ieee_float/RoundingMode.v000066400000000000000000000021551440160026300206140ustar00rootroot00000000000000(********************************************************************)
(*                                                                  *)
(*  The Why3 Verification Platform   /   The Why3 Development Team  *)
(*  Copyright 2010-2023 --  Inria - CNRS - Paris-Saclay University  *)
(*                                                                  *)
(*  This software is distributed under the terms of the GNU Lesser  *)
(*  General Public License version 2.1, with the special exception  *)
(*  on linking described in file LICENSE.                           *)
(*                                                                  *)
(********************************************************************)

(* This file is generated by Why3's Coq-realize driver *)
(* Beware! Only edit allowed sections below    *)
Require Import BuiltIn.
Require BuiltIn.

(* Why3 assumption *)
Inductive mode :=
  | RNE : mode
  | RNA : mode
  | RTP : mode
  | RTN : mode
  | RTZ : mode.
Axiom mode_WhyType : WhyType mode.
Existing Instance mode_WhyType.

(* Why3 assumption *)
Definition to_nearest (m:mode) : Prop := (m = RNE) \/ (m = RNA).

why3-1.6.0/lib/coq/int/000077500000000000000000000000001440160026300145265ustar00rootroot00000000000000why3-1.6.0/lib/coq/int/Abs.v000066400000000000000000000031331440160026300154220ustar00rootroot00000000000000(********************************************************************)
(*                                                                  *)
(*  The Why3 Verification Platform   /   The Why3 Development Team  *)
(*  Copyright 2010-2023 --  Inria - CNRS - Paris-Saclay University  *)
(*                                                                  *)
(*  This software is distributed under the terms of the GNU Lesser  *)
(*  General Public License version 2.1, with the special exception  *)
(*  on linking described in file LICENSE.                           *)
(*                                                                  *)
(********************************************************************)

(* This file is generated by Why3's Coq-realize driver *)
(* Beware! Only edit allowed sections below    *)
Require Import BuiltIn.
Require BuiltIn.
Require int.Int.

Require Import Lia.

(* Why3 comment *)
(* abs is replaced with (ZArith.BinInt.Z.abs x) by the coq driver *)

(* Why3 goal *)
Lemma abs'def :
  forall (x:Numbers.BinNums.Z),
  ((0%Z <= x)%Z -> ((ZArith.BinInt.Z.abs x) = x)) /\
  (~ (0%Z <= x)%Z -> ((ZArith.BinInt.Z.abs x) = (-x)%Z)).
Proof.
intros x.
split ; intros H.
now apply Z.abs_eq.
apply Zabs_non_eq.
apply Znot_gt_le.
contradict H.
apply Zlt_le_weak.
now apply Z.gt_lt.
Qed.

(* Why3 goal *)
Lemma Abs_le :
  forall (x:Numbers.BinNums.Z) (y:Numbers.BinNums.Z),
  ((ZArith.BinInt.Z.abs x) <= y)%Z <-> ((-y)%Z <= x)%Z /\ (x <= y)%Z.
Proof.
intros x y.
lia.
Qed.

(* Why3 goal *)
Lemma Abs_pos :
  forall (x:Numbers.BinNums.Z), (0%Z <= (ZArith.BinInt.Z.abs x))%Z.
Proof.
exact Zabs_pos.
Qed.

why3-1.6.0/lib/coq/int/ComputerDivision.v000066400000000000000000000121411440160026300202170ustar00rootroot00000000000000(********************************************************************)
(*                                                                  *)
(*  The Why3 Verification Platform   /   The Why3 Development Team  *)
(*  Copyright 2010-2023 --  Inria - CNRS - Paris-Saclay University  *)
(*                                                                  *)
(*  This software is distributed under the terms of the GNU Lesser  *)
(*  General Public License version 2.1, with the special exception  *)
(*  on linking described in file LICENSE.                           *)
(*                                                                  *)
(********************************************************************)

(* This file is generated by Why3's Coq-realize driver *)
(* Beware! Only edit allowed sections below    *)
Require Import BuiltIn.
Require BuiltIn.
Require int.Int.
Require int.Abs.

Require Import Zquot Lia.

(* Why3 comment *)
(* div is replaced with (ZArith.BinInt.Z.quot x x1) by the coq driver *)

(* Why3 comment *)
(* mod1 is replaced with (ZArith.BinInt.Z.rem x x1) by the coq driver *)

(* Why3 goal *)
Lemma Div_mod :
  forall (x:Numbers.BinNums.Z) (y:Numbers.BinNums.Z), ~ (y = 0%Z) ->
  (x = ((y * (ZArith.BinInt.Z.quot x y))%Z + (ZArith.BinInt.Z.rem x y))%Z).
Proof.
intros x y _.
apply Z.quot_rem'.
Qed.

(* Why3 goal *)
Lemma Div_bound :
  forall (x:Numbers.BinNums.Z) (y:Numbers.BinNums.Z),
  (0%Z <= x)%Z /\ (0%Z < y)%Z ->
  (0%Z <= (ZArith.BinInt.Z.quot x y))%Z /\
  ((ZArith.BinInt.Z.quot x y) <= x)%Z.
Proof.
intros x y (Hx,Hy).
split.
now apply Z.quot_pos.
destruct (Z.eq_dec y 1) as [H|H].
rewrite H, Z.quot_1_r.
apply Z.le_refl.
destruct (Zle_lt_or_eq 0 x Hx) as [H'|H'].
apply Zlt_le_weak.
apply Z.quot_lt with (1 := H').
lia.
now rewrite <- H', Zquot_0_l.
Qed.

(* Why3 goal *)
Lemma Mod_bound :
  forall (x:Numbers.BinNums.Z) (y:Numbers.BinNums.Z), ~ (y = 0%Z) ->
  ((-(ZArith.BinInt.Z.abs y))%Z < (ZArith.BinInt.Z.rem x y))%Z /\
  ((ZArith.BinInt.Z.rem x y) < (ZArith.BinInt.Z.abs y))%Z.
Proof.
intros x y Zy.
destruct (Zle_or_lt 0 x) as [Hx|Hx].
refine ((fun H => conj (Z.lt_le_trans _ 0 _ _ (proj1 H)) (proj2 H)) _).
clear -Zy ; lia.
now apply Zrem_lt_pos.
refine ((fun H => conj (proj1 H) (Z.le_lt_trans _ 0 _ (proj2 H) _)) _).
clear -Zy ; lia.
apply Zrem_lt_neg with (2 := Zy).
now apply Zlt_le_weak.
Qed.

(* Why3 goal *)
Lemma Div_sign_pos :
  forall (x:Numbers.BinNums.Z) (y:Numbers.BinNums.Z),
  (0%Z <= x)%Z /\ (0%Z < y)%Z -> (0%Z <= (ZArith.BinInt.Z.quot x y))%Z.
Proof.
intros x y (Hx, Hy).
now apply Z.quot_pos.
Qed.

(* Why3 goal *)
Lemma Div_sign_neg :
  forall (x:Numbers.BinNums.Z) (y:Numbers.BinNums.Z),
  (x <= 0%Z)%Z /\ (0%Z < y)%Z -> ((ZArith.BinInt.Z.quot x y) <= 0%Z)%Z.
Proof.
intros x y (Hx, Hy).
generalize (Z.quot_pos (-x) y).
rewrite Zquot_opp_l.
lia.
Qed.

(* Why3 goal *)
Lemma Mod_sign_pos :
  forall (x:Numbers.BinNums.Z) (y:Numbers.BinNums.Z),
  (0%Z <= x)%Z /\ ~ (y = 0%Z) -> (0%Z <= (ZArith.BinInt.Z.rem x y))%Z.
Proof.
intros x y (Hx, Zy).
now apply Zrem_lt_pos.
Qed.

(* Why3 goal *)
Lemma Mod_sign_neg :
  forall (x:Numbers.BinNums.Z) (y:Numbers.BinNums.Z),
  (x <= 0%Z)%Z /\ ~ (y = 0%Z) -> ((ZArith.BinInt.Z.rem x y) <= 0%Z)%Z.
Proof.
intros x y (Hx, Zy).
now apply Zrem_lt_neg.
Qed.

(* Why3 goal *)
Lemma Rounds_toward_zero :
  forall (x:Numbers.BinNums.Z) (y:Numbers.BinNums.Z), ~ (y = 0%Z) ->
  ((ZArith.BinInt.Z.abs ((ZArith.BinInt.Z.quot x y) * y)%Z) <=
   (ZArith.BinInt.Z.abs x))%Z.
Proof.
intros x y Zy.
rewrite Zmult_comm.
generalize (Z.mul_quot_le x y).
generalize (Z.mul_quot_ge x y).
lia.
Qed.

(* Why3 goal *)
Lemma Div_1 :
  forall (x:Numbers.BinNums.Z), ((ZArith.BinInt.Z.quot x 1%Z) = x).
Proof.
exact Z.quot_1_r.
Qed.

(* Why3 goal *)
Lemma Mod_1 :
  forall (x:Numbers.BinNums.Z), ((ZArith.BinInt.Z.rem x 1%Z) = 0%Z).
Proof.
exact Z.rem_1_r.
Qed.

(* Why3 goal *)
Lemma Div_inf :
  forall (x:Numbers.BinNums.Z) (y:Numbers.BinNums.Z),
  (0%Z <= x)%Z /\ (x < y)%Z -> ((ZArith.BinInt.Z.quot x y) = 0%Z).
Proof.
exact Z.quot_small.
Qed.

(* Why3 goal *)
Lemma Mod_inf :
  forall (x:Numbers.BinNums.Z) (y:Numbers.BinNums.Z),
  (0%Z <= x)%Z /\ (x < y)%Z -> ((ZArith.BinInt.Z.rem x y) = x).
Proof.
exact Z.rem_small.
Qed.

(* Why3 goal *)
Lemma Div_mult :
  forall (x:Numbers.BinNums.Z) (y:Numbers.BinNums.Z) (z:Numbers.BinNums.Z),
  (0%Z < x)%Z /\ (0%Z <= y)%Z /\ (0%Z <= z)%Z ->
  ((ZArith.BinInt.Z.quot ((x * y)%Z + z)%Z x) =
   (y + (ZArith.BinInt.Z.quot z x))%Z).
Proof.
intros x y z (Hx&Hy&Hz).
rewrite (Zplus_comm y).
rewrite <- Z_quot_plus.
now rewrite Zplus_comm, Zmult_comm.
apply Zmult_le_0_compat with (2 := Hz).
apply Zplus_le_0_compat with (1 := Hz).
apply Zmult_le_0_compat with (1 := Hy).
now apply Zlt_le_weak.
intros H.
now rewrite H in Hx.
Qed.

(* Why3 goal *)
Lemma Mod_mult :
  forall (x:Numbers.BinNums.Z) (y:Numbers.BinNums.Z) (z:Numbers.BinNums.Z),
  (0%Z < x)%Z /\ (0%Z <= y)%Z /\ (0%Z <= z)%Z ->
  ((ZArith.BinInt.Z.rem ((x * y)%Z + z)%Z x) = (ZArith.BinInt.Z.rem z x)).
Proof.
intros x y z (Hx&Hy&Hz).
rewrite Zplus_comm, Zmult_comm.
apply Z_rem_plus.
apply Zmult_le_0_compat with (2 := Hz).
apply Zplus_le_0_compat with (1 := Hz).
apply Zmult_le_0_compat with (1 := Hy).
now apply Zlt_le_weak.
Qed.

why3-1.6.0/lib/coq/int/Div2.v000066400000000000000000000022721440160026300155240ustar00rootroot00000000000000(********************************************************************)
(*                                                                  *)
(*  The Why3 Verification Platform   /   The Why3 Development Team  *)
(*  Copyright 2010-2023 --  Inria - CNRS - Paris-Saclay University  *)
(*                                                                  *)
(*  This software is distributed under the terms of the GNU Lesser  *)
(*  General Public License version 2.1, with the special exception  *)
(*  on linking described in file LICENSE.                           *)
(*                                                                  *)
(********************************************************************)

(* This file is generated by Why3's Coq-realize driver *)
(* Beware! Only edit allowed sections below    *)
Require Import BuiltIn.
Require BuiltIn.
Require int.Int.

Require Import Lia.
Require Import int.EuclideanDivision.

(* Why3 goal *)
Lemma div2 :
  forall (x:Numbers.BinNums.Z),
  exists y:Numbers.BinNums.Z,
  (x = (2%Z * y)%Z) \/ (x = ((2%Z * y)%Z + 1%Z)%Z).
Proof.
intros x.
exists (div x 2).
refine (_ (Mod_bound x 2 _) (Div_mod x 2 _)) ; try easy.
intros H1 H2.
simpl in H1.
lia.
Qed.

why3-1.6.0/lib/coq/int/EuclideanDivision.v000066400000000000000000000150611440160026300203160ustar00rootroot00000000000000(********************************************************************)
(*                                                                  *)
(*  The Why3 Verification Platform   /   The Why3 Development Team  *)
(*  Copyright 2010-2023 --  Inria - CNRS - Paris-Saclay University  *)
(*                                                                  *)
(*  This software is distributed under the terms of the GNU Lesser  *)
(*  General Public License version 2.1, with the special exception  *)
(*  on linking described in file LICENSE.                           *)
(*                                                                  *)
(********************************************************************)

(* This file is generated by Why3's Coq-realize driver *)
(* Beware! Only edit allowed sections below    *)
Require Import BuiltIn.
Require BuiltIn.
Require int.Int.
Require int.Abs.

Require Import Lia.

(* Why3 goal *)
Definition div : Numbers.BinNums.Z -> Numbers.BinNums.Z -> Numbers.BinNums.Z.
Proof.
intros x y.
case (Z_le_dec 0 (Zmod x y)) ; intros H.
exact (Z.div x y).
exact (Z.div x y + 1)%Z.
Defined.

(* Why3 goal *)
Definition mod1 :
  Numbers.BinNums.Z -> Numbers.BinNums.Z -> Numbers.BinNums.Z.
Proof.
intros x y.
exact (x - y * div x y)%Z.
Defined.

(* Why3 goal *)
Lemma Div_mod :
  forall (x:Numbers.BinNums.Z) (y:Numbers.BinNums.Z), ~ (y = 0%Z) ->
  (x = ((y * (div x y))%Z + (mod1 x y))%Z).
Proof.
intros x y Zy.
unfold mod1, div.
case Z_le_dec ; intros H ; ring.
Qed.

(* Why3 goal *)
Lemma Mod_bound :
  forall (x:Numbers.BinNums.Z) (y:Numbers.BinNums.Z), ~ (y = 0%Z) ->
  (0%Z <= (mod1 x y))%Z /\ ((mod1 x y) < (ZArith.BinInt.Z.abs y))%Z.
Proof.
intros x y Zy.
assert (H := Zabs_spec y).
assert (H1 := Z_mod_neg x y).
assert (H2 := Z_mod_lt x y).
unfold mod1, div.
case Z_le_dec ; intros H0.
rewrite Zmult_comm, <- Zmod_eq_full with (1 := Zy).
lia.
replace (x - y * (x / y + 1))%Z with (x - x / y * y - y)%Z by ring.
rewrite <- Zmod_eq_full with (1 := Zy).
lia.
Qed.

(* Why3 goal *)
Lemma Div_unique :
  forall (x:Numbers.BinNums.Z) (y:Numbers.BinNums.Z) (q:Numbers.BinNums.Z),
  (0%Z < y)%Z -> ((q * y)%Z <= x)%Z /\ (x < ((q * y)%Z + y)%Z)%Z ->
  ((div x y) = q).
Proof.
intros x y q h1 (h2,h3).
assert (h:(~(y=0))%Z) by lia.
generalize (Mod_bound x y h); intro h0.
rewrite Z.abs_eq in h0; auto with zarith.
generalize (Div_mod x y h); clear h; intro h.
assert (cases:(div x y = q \/ (div x y <= q - 1 \/ div x y >= q+1))%Z) by lia.
destruct cases as [h4 | [h5 | h6]]; auto.
assert (y * div x y <= y * (q - 1))%Z.
 apply  Zmult_le_compat_l; auto with zarith.
replace (y*(q-1))%Z with (q*y - y)%Z in H by ring.
elimtype False.
lia.
assert (y * div x y >= y * (q + 1))%Z.
 apply  Zmult_ge_compat_l; auto with zarith.
replace (y*(q+1))%Z with (q*y + y)%Z in H by ring.
elimtype False.
lia.
Qed.

(* Why3 goal *)
Lemma Div_bound :
  forall (x:Numbers.BinNums.Z) (y:Numbers.BinNums.Z),
  (0%Z <= x)%Z /\ (0%Z < y)%Z -> (0%Z <= (div x y))%Z /\ ((div x y) <= x)%Z.
Proof.
intros x y (Hx,Hy).
unfold div.
case Z_le_dec ; intros H.
split.
apply Z_div_pos with (2 := Hx).
now apply Z.lt_gt.
destruct (Z.eq_dec y 1) as [H'|H'].
rewrite H', Zdiv_1_r.
apply Z.le_refl.
rewrite <- (Zdiv_1_r x) at 2.
apply Zdiv_le_compat_l with (1 := Hx).
lia.
elim H.
apply Z_mod_lt.
now apply Z.lt_gt.
Qed.

(* Why3 goal *)
Lemma Mod_1 : forall (x:Numbers.BinNums.Z), ((mod1 x 1%Z) = 0%Z).
Proof.
intros x.
unfold mod1, div.
rewrite Zmod_1_r, Zdiv_1_r, Zmult_1_l.
apply Zminus_diag.
Qed.

(* Why3 goal *)
Lemma Div_1 : forall (x:Numbers.BinNums.Z), ((div x 1%Z) = x).
Proof.
intros x.
unfold div.
now rewrite Zmod_1_r, Zdiv_1_r.
Qed.

(* Why3 goal *)
Lemma Div_inf :
  forall (x:Numbers.BinNums.Z) (y:Numbers.BinNums.Z),
  (0%Z <= x)%Z /\ (x < y)%Z -> ((div x y) = 0%Z).
Proof.
intros x y Hxy.
unfold div.
case Z_le_dec ; intros H.
now apply Zdiv_small.
elim H.
now rewrite Zmod_small.
Qed.

(* Why3 goal *)
Lemma Div_inf_neg :
  forall (x:Numbers.BinNums.Z) (y:Numbers.BinNums.Z),
  (0%Z < x)%Z /\ (x <= y)%Z -> ((div (-x)%Z y) = (-1%Z)%Z).
Proof.
intros x y Hxy.
assert (h: (x < y \/ x = y)%Z) by lia.
destruct h.
(* case 0 < x < y *)
assert (h1: (x mod y = x)%Z).
  rewrite Zmod_small; auto with zarith.
assert (h2: ((-x) mod y = y - x)%Z).
  rewrite Z_mod_nz_opp_full.
  rewrite h1; auto.
rewrite h1; auto with zarith.
unfold div.
case Z_le_dec; auto with zarith.
intros h3.
rewrite Z_div_nz_opp_full; auto with zarith.
rewrite Zdiv_small; auto with zarith.

(* case x = y *)
subst.
assert (h1: (y mod y = 0)%Z).
  rewrite Z_mod_same_full; auto with zarith.
assert (h2: ((-y) mod y = 0)%Z).
  rewrite Z_mod_zero_opp_full; auto with zarith.
unfold div.
case Z_le_dec; rewrite h2; auto with zarith.
intro.
rewrite Z_div_zero_opp_full; auto with zarith.
rewrite Z_div_same_full; auto with zarith.
Qed.

(* Why3 goal *)
Lemma Mod_0 :
  forall (y:Numbers.BinNums.Z), ~ (y = 0%Z) -> ((mod1 0%Z y) = 0%Z).
Proof.
intros y Hy.
unfold mod1, div.
rewrite Zmod_0_l.
simpl.
now rewrite Zdiv_0_l, Zmult_0_r.
Qed.

(* Why3 goal *)
Lemma Div_1_left :
  forall (y:Numbers.BinNums.Z), (1%Z < y)%Z -> ((div 1%Z y) = 0%Z).
Proof.
intros y Hy.
rewrite Div_inf; auto with zarith.
Qed.

(* Why3 goal *)
Lemma Div_minus1_left :
  forall (y:Numbers.BinNums.Z), (1%Z < y)%Z -> ((div (-1%Z)%Z y) = (-1%Z)%Z).
Proof.
intros y Hy.
unfold div.
assert (h1: (1 mod y = 1)%Z).
apply Zmod_1_l; auto.
assert (h2: ((-(1)) mod y = y-1)%Z).
  rewrite Z_mod_nz_opp_full; auto with zarith.
case Z_le_dec; auto with zarith.
intro.
rewrite Z_div_nz_opp_full; auto with zarith.
rewrite Zdiv_small; auto with zarith.
Qed.

(* Why3 goal *)
Lemma Mod_1_left :
  forall (y:Numbers.BinNums.Z), (1%Z < y)%Z -> ((mod1 1%Z y) = 1%Z).
Proof.
intros y Hy.
unfold mod1.
rewrite Div_1_left; auto with zarith.
Qed.

(* Why3 goal *)
Lemma Mod_minus1_left :
  forall (y:Numbers.BinNums.Z), (1%Z < y)%Z ->
  ((mod1 (-1%Z)%Z y) = (y - 1%Z)%Z).
Proof.
intros y Hy.
unfold mod1.
rewrite Div_minus1_left; auto with zarith.
Qed.

Open Scope Z_scope.

(* Why3 goal *)
Lemma Div_mult :
  forall (x:Numbers.BinNums.Z) (y:Numbers.BinNums.Z) (z:Numbers.BinNums.Z),
  (0%Z < x)%Z -> ((div ((x * y)%Z + z)%Z x) = (y + (div z x))%Z).
Proof.
intros x y z h.
unfold div.
destruct (Z_le_dec 0 (z mod x)).
destruct (Z_le_dec 0 ((x*y+z) mod x)).
rewrite Zmult_comm.
rewrite Z_div_plus_full_l; auto with zarith.
generalize (Z_mod_lt (x * y + z) x); auto with zarith.
generalize (Z_mod_lt z x); auto with zarith.
Qed.

(* Why3 goal *)
Lemma Mod_mult :
  forall (x:Numbers.BinNums.Z) (y:Numbers.BinNums.Z) (z:Numbers.BinNums.Z),
  (0%Z < x)%Z -> ((mod1 ((x * y)%Z + z)%Z x) = (mod1 z x)).
Proof.
intros x y z h.
unfold mod1.
rewrite Div_mult.
ring.
auto with zarith.
Qed.

why3-1.6.0/lib/coq/int/Exponentiation.v000066400000000000000000000075571440160026300177370ustar00rootroot00000000000000(********************************************************************)
(*                                                                  *)
(*  The Why3 Verification Platform   /   The Why3 Development Team  *)
(*  Copyright 2010-2023 --  Inria - CNRS - Paris-Saclay University  *)
(*                                                                  *)
(*  This software is distributed under the terms of the GNU Lesser  *)
(*  General Public License version 2.1, with the special exception  *)
(*  on linking described in file LICENSE.                           *)
(*                                                                  *)
(********************************************************************)

(* This file is generated by Why3's Coq-realize driver *)
(* Beware! Only edit allowed sections below    *)
Require Import BuiltIn.
Require BuiltIn.
Require int.Int.

Section Exponentiation.

(* Why3 goal *)
Variable t : Type.
Hypothesis t_WhyType : WhyType t.
Existing Instance t_WhyType.

(* Why3 goal *)
Variable one: t.

(* Why3 goal *)
Variable infix_as: t -> t -> t.

(* Why3 goal *)
Hypothesis Assoc :
  forall (x:t) (y:t) (z:t),
  ((infix_as (infix_as x y) z) = (infix_as x (infix_as y z))).

(* Why3 goal *)
Hypothesis Unit_def_l : forall (x:t), ((infix_as one x) = x).

(* Why3 goal *)
Hypothesis Unit_def_r : forall (x:t), ((infix_as x one) = x).

(* Why3 goal *)
Definition power : t -> Numbers.BinNums.Z -> t.
intros x n.
exact (iter_nat (Z.abs_nat n) t (fun acc => infix_as x acc) one).
Defined.

(* Why3 goal *)
Lemma Power_0 : forall (x:t), ((power x 0%Z) = one).
Proof.
easy.
Qed.

(* Why3 goal *)
Lemma Power_s :
  forall (x:t) (n:Numbers.BinNums.Z), (0%Z <= n)%Z ->
  ((power x (n + 1%Z)%Z) = (infix_as x (power x n))).
Proof.
intros x n h1.
unfold power.
fold (Z.succ n).
now rewrite Zabs_nat_Zsucc.
Qed.

(* Why3 goal *)
Lemma Power_s_alt :
  forall (x:t) (n:Numbers.BinNums.Z), (0%Z < n)%Z ->
  ((power x n) = (infix_as x (power x (n - 1%Z)%Z))).
Proof.
intros x n h1.
rewrite <- Power_s; auto with zarith.
apply f_equal.
ring.
Qed.

(* Why3 goal *)
Lemma Power_1 : forall (x:t), ((power x 1%Z) = x).
Proof.
exact Unit_def_r.
Qed.

(* Why3 goal *)
Lemma Power_sum :
  forall (x:t) (n:Numbers.BinNums.Z) (m:Numbers.BinNums.Z), (0%Z <= n)%Z ->
  (0%Z <= m)%Z -> ((power x (n + m)%Z) = (infix_as (power x n) (power x m))).
Proof.
intros x n m Hn Hm.
revert n Hn.
apply natlike_ind.
apply sym_eq, Unit_def_l.
intros n Hn IHn.
replace (Z.succ n + m)%Z with ((n + m) + 1)%Z by ring.
rewrite Power_s by auto with zarith.
rewrite IHn.
now rewrite <- Assoc, <- Power_s.
Qed.

(* Why3 goal *)
Lemma Power_mult :
  forall (x:t) (n:Numbers.BinNums.Z) (m:Numbers.BinNums.Z), (0%Z <= n)%Z ->
  (0%Z <= m)%Z -> ((power x (n * m)%Z) = (power (power x n) m)).
Proof.
intros x n m Hn Hm.
revert m Hm.
apply natlike_ind.
now rewrite Zmult_0_r, 2!Power_0.
intros m Hm IHm.
replace (n * Z.succ m)%Z with (n + n * m)%Z by ring.
rewrite Power_sum by auto with zarith.
rewrite IHm.
now rewrite <- Power_s.
Qed.

(* Why3 goal *)
Lemma Power_comm1 :
  forall (x:t) (y:t), ((infix_as x y) = (infix_as y x)) ->
  forall (n:Numbers.BinNums.Z), (0%Z <= n)%Z ->
  ((infix_as (power x n) y) = (infix_as y (power x n))).
Proof.
intros x y comm.
apply natlike_ind.
now rewrite Power_0, Unit_def_r, Unit_def_l.
intros n Hn IHn.
unfold Z.succ.
rewrite (Power_s _ _ Hn).
rewrite Assoc.
rewrite IHn.
rewrite <- Assoc.
rewrite <- Assoc.
now rewrite comm.
Qed.

(* Why3 goal *)
Lemma Power_comm2 :
  forall (x:t) (y:t), ((infix_as x y) = (infix_as y x)) ->
  forall (n:Numbers.BinNums.Z), (0%Z <= n)%Z ->
  ((power (infix_as x y) n) = (infix_as (power x n) (power y n))).
Proof.
intros x y comm.
apply natlike_ind.
rewrite 3!Power_0.
now rewrite Unit_def_r.
intros n Hn IHn.
unfold Z.succ.
rewrite 3!(Power_s _ _ Hn).
rewrite IHn.
rewrite <- Assoc.
rewrite (Assoc x).
rewrite <- (Power_comm1 _ _ comm _ Hn).
now rewrite <- 2!Assoc.
Qed.

End Exponentiation.
why3-1.6.0/lib/coq/int/Int.v000066400000000000000000000106001440160026300154440ustar00rootroot00000000000000(********************************************************************)
(*                                                                  *)
(*  The Why3 Verification Platform   /   The Why3 Development Team  *)
(*  Copyright 2010-2023 --  Inria - CNRS - Paris-Saclay University  *)
(*                                                                  *)
(*  This software is distributed under the terms of the GNU Lesser  *)
(*  General Public License version 2.1, with the special exception  *)
(*  on linking described in file LICENSE.                           *)
(*                                                                  *)
(********************************************************************)

(* This file is generated by Why3's Coq-realize driver *)
(* Beware! Only edit allowed sections below    *)
Require Import BuiltIn.
Require BuiltIn.

(* Why3 comment *)
(* prefix_mn is replaced with (-x)%Z by the coq driver *)

(* Why3 comment *)
(* infix_pl is replaced with (x + x1)%Z by the coq driver *)

(* Why3 comment *)
(* infix_as is replaced with (x * x1)%Z by the coq driver *)

(* Why3 comment *)
(* infix_ls is replaced with (x < x1)%Z by the coq driver *)

(* Why3 goal *)
Lemma infix_mn'def :
  forall (x:Numbers.BinNums.Z) (y:Numbers.BinNums.Z),
  ((x - y)%Z = (x + (-y)%Z)%Z).
Proof.
intros x y.
reflexivity.
Qed.

(* Why3 goal *)
Lemma infix_lseq'def :
  forall (x:Numbers.BinNums.Z) (y:Numbers.BinNums.Z),
  (x <= y)%Z <-> (x < y)%Z \/ (x = y).
Proof.
exact Zle_lt_or_eq_iff.
Qed.

(* Why3 goal *)
Lemma Assoc :
  forall (x:Numbers.BinNums.Z) (y:Numbers.BinNums.Z) (z:Numbers.BinNums.Z),
  (((x + y)%Z + z)%Z = (x + (y + z)%Z)%Z).
Proof.
intros x y z.
apply sym_eq.
apply Zplus_assoc.
Qed.

(* Why3 goal *)
Lemma Unit_def_l : forall (x:Numbers.BinNums.Z), ((0%Z + x)%Z = x).
Proof.
exact Zplus_0_l.
Qed.

(* Why3 goal *)
Lemma Unit_def_r : forall (x:Numbers.BinNums.Z), ((x + 0%Z)%Z = x).
Proof.
exact Zplus_0_r.
Qed.

(* Why3 goal *)
Lemma Inv_def_l : forall (x:Numbers.BinNums.Z), (((-x)%Z + x)%Z = 0%Z).
Proof.
exact Zplus_opp_l.
Qed.

(* Why3 goal *)
Lemma Inv_def_r : forall (x:Numbers.BinNums.Z), ((x + (-x)%Z)%Z = 0%Z).
Proof.
exact Zplus_opp_r.
Qed.

(* Why3 goal *)
Lemma Comm :
  forall (x:Numbers.BinNums.Z) (y:Numbers.BinNums.Z), ((x + y)%Z = (y + x)%Z).
Proof.
exact Zplus_comm.
Qed.

(* Why3 goal *)
Lemma Assoc1 :
  forall (x:Numbers.BinNums.Z) (y:Numbers.BinNums.Z) (z:Numbers.BinNums.Z),
  (((x * y)%Z * z)%Z = (x * (y * z)%Z)%Z).
Proof.
intros x y z.
apply sym_eq.
apply Zmult_assoc.
Qed.

(* Why3 goal *)
Lemma Mul_distr_l :
  forall (x:Numbers.BinNums.Z) (y:Numbers.BinNums.Z) (z:Numbers.BinNums.Z),
  ((x * (y + z)%Z)%Z = ((x * y)%Z + (x * z)%Z)%Z).
Proof.
intros x y z.
apply Zmult_plus_distr_r.
Qed.

(* Why3 goal *)
Lemma Mul_distr_r :
  forall (x:Numbers.BinNums.Z) (y:Numbers.BinNums.Z) (z:Numbers.BinNums.Z),
  (((y + z)%Z * x)%Z = ((y * x)%Z + (z * x)%Z)%Z).
Proof.
intros x y z.
apply Zmult_plus_distr_l.
Qed.

(* Why3 goal *)
Lemma Comm1 :
  forall (x:Numbers.BinNums.Z) (y:Numbers.BinNums.Z), ((x * y)%Z = (y * x)%Z).
Proof.
exact Zmult_comm.
Qed.

(* Why3 goal *)
Lemma Unitary : forall (x:Numbers.BinNums.Z), ((1%Z * x)%Z = x).
Proof.
exact Zmult_1_l.
Qed.

(* Why3 goal *)
Lemma NonTrivialRing : ~ (0%Z = 1%Z).
Proof.
discriminate.
Qed.

(* Why3 goal *)
Lemma Refl : forall (x:Numbers.BinNums.Z), (x <= x)%Z.
Proof.
intros x.
apply Z.le_refl.
Qed.

(* Why3 goal *)
Lemma Trans :
  forall (x:Numbers.BinNums.Z) (y:Numbers.BinNums.Z) (z:Numbers.BinNums.Z),
  (x <= y)%Z -> (y <= z)%Z -> (x <= z)%Z.
Proof.
exact Z.le_trans.
Qed.

(* Why3 goal *)
Lemma Antisymm :
  forall (x:Numbers.BinNums.Z) (y:Numbers.BinNums.Z), (x <= y)%Z ->
  (y <= x)%Z -> (x = y).
Proof.
exact Zle_antisym.
Qed.

(* Why3 goal *)
Lemma Total :
  forall (x:Numbers.BinNums.Z) (y:Numbers.BinNums.Z),
  (x <= y)%Z \/ (y <= x)%Z.
Proof.
intros x y.
destruct (Zle_or_lt x y) as [H|H].
left.
assumption.
right.
now apply Zlt_le_weak.
Qed.

(* Why3 goal *)
Lemma ZeroLessOne : (0%Z <= 1%Z)%Z.
Proof.
apply Zle_lt_or_eq_iff.
now left.
Qed.

(* Why3 goal *)
Lemma CompatOrderAdd :
  forall (x:Numbers.BinNums.Z) (y:Numbers.BinNums.Z) (z:Numbers.BinNums.Z),
  (x <= y)%Z -> ((x + z)%Z <= (y + z)%Z)%Z.
Proof.
exact Zplus_le_compat_r.
Qed.

(* Why3 goal *)
Lemma CompatOrderMult :
  forall (x:Numbers.BinNums.Z) (y:Numbers.BinNums.Z) (z:Numbers.BinNums.Z),
  (x <= y)%Z -> (0%Z <= z)%Z -> ((x * z)%Z <= (y * z)%Z)%Z.
Proof.
exact Zmult_le_compat_r.
Qed.

why3-1.6.0/lib/coq/int/MinMax.v000066400000000000000000000054471440160026300161200ustar00rootroot00000000000000(********************************************************************)
(*                                                                  *)
(*  The Why3 Verification Platform   /   The Why3 Development Team  *)
(*  Copyright 2010-2023 --  Inria - CNRS - Paris-Saclay University  *)
(*                                                                  *)
(*  This software is distributed under the terms of the GNU Lesser  *)
(*  General Public License version 2.1, with the special exception  *)
(*  on linking described in file LICENSE.                           *)
(*                                                                  *)
(********************************************************************)

(* This file is generated by Why3's Coq-realize driver *)
(* Beware! Only edit allowed sections below    *)
Require Import BuiltIn.
Require BuiltIn.
Require int.Int.

Require Import Lia.

(* Why3 comment *)
(* min is replaced with (ZArith.BinInt.Z.min x x1) by the coq driver *)

(* Why3 goal *)
Lemma min'def :
  forall (x:Numbers.BinNums.Z) (y:Numbers.BinNums.Z),
  ((x <= y)%Z -> ((ZArith.BinInt.Z.min x y) = x)) /\
  (~ (x <= y)%Z -> ((ZArith.BinInt.Z.min x y) = y)).
Proof.
intros x y.
split ; intros H.
now apply Z.min_l.
apply Z.min_r.
lia.
Qed.

(* Why3 comment *)
(* max is replaced with (ZArith.BinInt.Z.max x x1) by the coq driver *)

(* Why3 goal *)
Lemma max'def :
  forall (x:Numbers.BinNums.Z) (y:Numbers.BinNums.Z),
  ((x <= y)%Z -> ((ZArith.BinInt.Z.max x y) = y)) /\
  (~ (x <= y)%Z -> ((ZArith.BinInt.Z.max x y) = x)).
Proof.
intros x y.
split ; intros H.
now apply Z.max_r.
apply Z.max_l.
lia.
Qed.

(* Why3 goal *)
Lemma Min_r :
  forall (x:Numbers.BinNums.Z) (y:Numbers.BinNums.Z), (y <= x)%Z ->
  ((ZArith.BinInt.Z.min x y) = y).
Proof.
exact Z.min_r.
Qed.

(* Why3 goal *)
Lemma Max_l :
  forall (x:Numbers.BinNums.Z) (y:Numbers.BinNums.Z), (y <= x)%Z ->
  ((ZArith.BinInt.Z.max x y) = x).
Proof.
exact Z.max_l.
Qed.

(* Why3 goal *)
Lemma Min_comm :
  forall (x:Numbers.BinNums.Z) (y:Numbers.BinNums.Z),
  ((ZArith.BinInt.Z.min x y) = (ZArith.BinInt.Z.min y x)).
Proof.
exact Z.min_comm.
Qed.

(* Why3 goal *)
Lemma Max_comm :
  forall (x:Numbers.BinNums.Z) (y:Numbers.BinNums.Z),
  ((ZArith.BinInt.Z.max x y) = (ZArith.BinInt.Z.max y x)).
Proof.
exact Z.max_comm.
Qed.

(* Why3 goal *)
Lemma Min_assoc :
  forall (x:Numbers.BinNums.Z) (y:Numbers.BinNums.Z) (z:Numbers.BinNums.Z),
  ((ZArith.BinInt.Z.min (ZArith.BinInt.Z.min x y) z) =
   (ZArith.BinInt.Z.min x (ZArith.BinInt.Z.min y z))).
Proof.
intros x y z.
apply eq_sym, Z.min_assoc.
Qed.

(* Why3 goal *)
Lemma Max_assoc :
  forall (x:Numbers.BinNums.Z) (y:Numbers.BinNums.Z) (z:Numbers.BinNums.Z),
  ((ZArith.BinInt.Z.max (ZArith.BinInt.Z.max x y) z) =
   (ZArith.BinInt.Z.max x (ZArith.BinInt.Z.max y z))).
Proof.
intros x y z.
apply eq_sym, Z.max_assoc.
Qed.

why3-1.6.0/lib/coq/int/NumOf.v000066400000000000000000000255441440160026300157530ustar00rootroot00000000000000(********************************************************************)
(*                                                                  *)
(*  The Why3 Verification Platform   /   The Why3 Development Team  *)
(*  Copyright 2010-2023 --  Inria - CNRS - Paris-Saclay University  *)
(*                                                                  *)
(*  This software is distributed under the terms of the GNU Lesser  *)
(*  General Public License version 2.1, with the special exception  *)
(*  on linking described in file LICENSE.                           *)
(*                                                                  *)
(********************************************************************)

(* This file is generated by Why3's Coq-realize driver *)
(* Beware! Only edit allowed sections below    *)
Require Import BuiltIn.
Require BuiltIn.
Require HighOrd.
Require int.Int.

Require Import Lia.

Fixpoint numof_aux (f : Z -> bool) (a : Z) (n : nat) : Z :=
  match n with
    | S n => (numof_aux f a n + (if f (a + (Z.of_nat n)) then 1%Z else 0%Z))%Z
    | 0 => 0%Z
  end.

(* Why3 goal *)
Definition numof :
  (Numbers.BinNums.Z -> Init.Datatypes.bool) -> Numbers.BinNums.Z ->
  Numbers.BinNums.Z -> Numbers.BinNums.Z.
Proof.
  exact (fun f a b => numof_aux f a (Z.to_nat (b - a))).
Defined.

(* Why3 goal *)
Lemma numof'def :
  forall (p:Numbers.BinNums.Z -> Init.Datatypes.bool) (a:Numbers.BinNums.Z)
    (b:Numbers.BinNums.Z),
  ((b <= a)%Z -> ((numof p a b) = 0%Z)) /\
  (~ (b <= a)%Z ->
   (((p (b - 1%Z)%Z) = Init.Datatypes.true) ->
    ((numof p a b) = (1%Z + (numof p a (b - 1%Z)%Z))%Z)) /\
   (~ ((p (b - 1%Z)%Z) = Init.Datatypes.true) ->
    ((numof p a b) = (numof p a (b - 1%Z)%Z)))).
Proof.
intros p a b.
unfold numof.
split ; intros h1.
- assert (Z.to_nat (b - a) = 0).
  revert h1.
  rewrite <-Z.le_sub_0.
  now destruct (b - a)%Z.
  now rewrite H.
- rewrite S_pred with (m := 0) (n := Z.to_nat (b - a)).
  2: apply (Z2Nat.inj_lt 0); lia.
  rewrite <- Z2Nat.inj_pred.
  simpl numof_aux.
  rewrite Z2Nat.id by lia.
  replace (a + Z.pred (b - a))%Z with (b - 1)%Z by (unfold Z.pred ; ring).
  replace (Z.pred (b - a)) with (b - 1 - a)%Z by (unfold Z.pred ; ring).
  split ; intros h2.
  rewrite h2.
  apply Zplus_comm.
  apply Bool.not_true_is_false in h2.
  rewrite h2.
  apply Zplus_0_r.
Qed.

Lemma Numof_empty :
  forall p a b, (b <= a)%Z -> numof p a b = 0%Z.
Proof.
  intros p a b h1.
  now apply numof'def.
Qed.

(* Why3 goal *)
Lemma Numof_bounds :
  forall (p:Numbers.BinNums.Z -> Init.Datatypes.bool) (a:Numbers.BinNums.Z)
    (b:Numbers.BinNums.Z),
  (a < b)%Z -> (0%Z <= (numof p a b))%Z /\ ((numof p a b) <= (b - a)%Z)%Z.
Proof.
  intros p a b h1.
  unfold numof.
  set (x := Z.to_nat (b - a)).
  rewrite <-Z2Nat.id with (n := (b - a)%Z) by lia.
  change (0 <= numof_aux p a x <= Z.of_nat x)%Z.
  induction x.
  split ; apply Z.le_refl.
  rewrite Nat2Z.inj_succ; simpl numof_aux.
  case (p (a + Z.of_nat x)%Z); lia.
Qed.

(* Why3 goal *)
Lemma Numof_append :
  forall (p:Numbers.BinNums.Z -> Init.Datatypes.bool) (a:Numbers.BinNums.Z)
    (b:Numbers.BinNums.Z) (c:Numbers.BinNums.Z),
  (a <= b)%Z /\ (b <= c)%Z ->
  ((numof p a c) = ((numof p a b) + (numof p b c))%Z).
Proof.
  intros p a b c (h1,h2).
  pattern c.
  apply Zlt_lower_bound_ind with (z := b); auto.
  intros.
  case (Z.eq_dec b x).
  intro e; rewrite e.
  rewrite Numof_empty with (a := x) (b := x); lia.
  intro H6.
  refine (_ (proj2 (numof'def p a x) _)).
  intros [H1 H2].
  refine (_ (proj2 (numof'def p b x) _)).
  intros [H3 H4].
  destruct (Bool.bool_dec (p (x - 1)%Z) true) as [H5|H5].
  rewrite H1, H3, H ; auto with zarith.
  rewrite H2, H4, H ; auto with zarith.
  clear -H0 H6 ; lia.
  clear -h1 H0 H6 ; lia.
Qed.

Lemma numof_succ: forall p a, numof p a (a + 1) = (if p a then 1%Z else 0%Z).
Proof.
  intros.
  unfold numof.
  replace (a + 1 - a)%Z with 1%Z by ring.
  simpl.
  rewrite <-Zplus_0_r_reverse.
  trivial.
Qed.

Lemma numof_pred: forall p a, numof p (a - 1) a = (if p (a - 1)%Z then 1%Z else 0%Z).
Proof.
  intros.
  replace (numof p (a - 1) a)%Z with (numof p (a - 1) ((a - 1) + 1))%Z.
  apply numof_succ.
  apply f_equal.
  ring.
Qed.

(* Why3 goal *)
Lemma Numof_left_no_add :
  forall (p:Numbers.BinNums.Z -> Init.Datatypes.bool) (a:Numbers.BinNums.Z)
    (b:Numbers.BinNums.Z),
  (a < b)%Z -> ~ ((p a) = Init.Datatypes.true) ->
  ((numof p a b) = (numof p (a + 1%Z)%Z b)).
Proof.
  intros p a b h1 h2.
  rewrite Numof_append with (b := (a+1)%Z) by lia.
  rewrite (numof_succ p a).
  apply Bool.not_true_is_false in h2.
  rewrite h2; trivial.
Qed.

(* Why3 goal *)
Lemma Numof_left_add :
  forall (p:Numbers.BinNums.Z -> Init.Datatypes.bool) (a:Numbers.BinNums.Z)
    (b:Numbers.BinNums.Z),
  (a < b)%Z -> ((p a) = Init.Datatypes.true) ->
  ((numof p a b) = (1%Z + (numof p (a + 1%Z)%Z b))%Z).
Proof.
  intros p a b h1 h2.
  rewrite Numof_append with (b := (a+1)%Z) by lia.
  rewrite (numof_succ p a).
  rewrite h2; trivial.
Qed.

(* Why3 goal *)
Lemma Empty :
  forall (p:Numbers.BinNums.Z -> Init.Datatypes.bool) (a:Numbers.BinNums.Z)
    (b:Numbers.BinNums.Z),
  (forall (n:Numbers.BinNums.Z), (a <= n)%Z /\ (n < b)%Z ->
   ~ ((p n) = Init.Datatypes.true)) ->
  ((numof p a b) = 0%Z).
Proof.
  intros p a b.
  case (Z_lt_le_dec a b); intro; [|intro; apply Numof_empty]; auto.
  pattern b.
  apply Zlt_lower_bound_ind with (z := a); auto with zarith; intros.
  case (Z.eq_dec a x); intro e.
  rewrite e; apply Numof_empty; lia.
  rewrite Numof_append with (b := (x - 1)%Z) by lia.
  assert (numof p (x - 1) x = 0)%Z.
  rewrite numof_pred.
  assert (a <= (x - 1)%Z < x)%Z as H2 by lia.
  generalize (H1 (x - 1)%Z H2).
  intro H3; apply Bool.not_true_is_false in H3; rewrite H3; trivial.
  rewrite H2.
  rewrite H; auto with zarith.
Qed.

(* Why3 goal *)
Lemma Full :
  forall (p:Numbers.BinNums.Z -> Init.Datatypes.bool) (a:Numbers.BinNums.Z)
    (b:Numbers.BinNums.Z),
  (a <= b)%Z ->
  (forall (n:Numbers.BinNums.Z), (a <= n)%Z /\ (n < b)%Z ->
   ((p n) = Init.Datatypes.true)) ->
  ((numof p a b) = (b - a)%Z).
Proof.
  intros p a b h1.
  pattern b.
  apply Zlt_lower_bound_ind with (z := a); auto with zarith; intros.
  case (Z.eq_dec a x); intro e.
  rewrite e; rewrite Zminus_diag; apply Numof_empty; lia.
  rewrite Numof_append with (b := (x - 1)%Z) by lia.
  assert (numof p (x - 1) x = 1)%Z.
  rewrite numof_pred.
  assert (a <= (x - 1)%Z < x)%Z as H2 by lia.
  generalize (H1 (x - 1)%Z H2).
  intro; rewrite H3; trivial.
  rewrite H2.
  rewrite H; auto with zarith.
Qed.

Lemma numof_nat: forall p a b, (0 <= numof p a b)%Z.
Proof.
  intros.
  case (Z_lt_le_dec a b); intro; [|rewrite Numof_empty; auto with zarith].
  pattern b.
  apply Zlt_lower_bound_ind with (z := a) (x := b); auto with zarith; intros.
  case (Z.eq_dec a x); intro e.
  rewrite e; rewrite Numof_empty; lia.
  rewrite Numof_append with (b := (x - 1)%Z) by lia.
  apply Z.add_nonneg_nonneg.
  apply H; lia.
  rewrite numof_pred.
  case (p (x - 1)%Z); easy.
Qed.

Lemma numof_pos: forall p a b k, (a <= k < b)%Z -> p k = true -> (0 < numof p a b)%Z.
Proof.
  intros p a b k h.
  generalize h; pattern b.
  apply Zlt_lower_bound_ind with (z := (a + 1)%Z) (x := b); auto with zarith; intros.
  rewrite Z.add_1_r in H0; apply Zle_succ_gt in H0.
  rewrite Numof_append with (b := (x - 1)%Z) by lia.
  case (Z.eq_dec k (x-1)); intro e.
  rewrite e in H1.
  apply Z.add_nonneg_pos.
  apply numof_nat.
  rewrite numof_pred, H1; easy.
  apply Z.add_pos_nonneg.
  apply H; auto with zarith.
  apply numof_nat.
Qed.

(* Why3 goal *)
Lemma numof_increasing :
  forall (p:Numbers.BinNums.Z -> Init.Datatypes.bool) (i:Numbers.BinNums.Z)
    (j:Numbers.BinNums.Z) (k:Numbers.BinNums.Z),
  (i <= j)%Z /\ (j <= k)%Z -> ((numof p i j) <= (numof p i k))%Z.
Proof.
intros p i j k (h1,h2).
rewrite (Numof_append p i j k) by lia.
rewrite <-Z.le_sub_le_add_l, Zminus_diag.
apply numof_nat.
Qed.

(* Why3 goal *)
Lemma numof_strictly_increasing :
  forall (p:Numbers.BinNums.Z -> Init.Datatypes.bool) (i:Numbers.BinNums.Z)
    (j:Numbers.BinNums.Z) (k:Numbers.BinNums.Z) (l:Numbers.BinNums.Z),
  (i <= j)%Z /\ (j <= k)%Z /\ (k < l)%Z -> ((p k) = Init.Datatypes.true) ->
  ((numof p i j) < (numof p i l))%Z.
Proof.
intros p i j k l (h1,(h2,h3)) h4.
rewrite (Numof_append p i j l) by lia.
rewrite <-Z.lt_sub_lt_add_l, Zminus_diag.
apply numof_pos with (k := k); auto with zarith.
Qed.

(* Why3 goal *)
Lemma numof_change_any :
  forall (p1:Numbers.BinNums.Z -> Init.Datatypes.bool)
    (p2:Numbers.BinNums.Z -> Init.Datatypes.bool) (a:Numbers.BinNums.Z)
    (b:Numbers.BinNums.Z),
  (forall (j:Numbers.BinNums.Z), (a <= j)%Z /\ (j < b)%Z ->
   ((p1 j) = Init.Datatypes.true) -> ((p2 j) = Init.Datatypes.true)) ->
  ((numof p1 a b) <= (numof p2 a b))%Z.
Proof.
  intros p1 p2 a b.
  case (Z_lt_le_dec a b); intro; [|rewrite Numof_empty, Numof_empty; lia].
  pattern b.
  apply Zlt_lower_bound_ind with (z := a); auto with zarith; intros.
  case (Z.eq_dec a x); intro eq.
  rewrite eq; rewrite Numof_empty, Numof_empty; lia.
  rewrite Numof_append with (b := (x-1)%Z) by lia.
  rewrite Numof_append with (p := p2) (b := (x-1)%Z) by lia.
  apply Z.add_le_mono.
  apply H; auto with zarith.
  rewrite numof_pred, numof_pred.
  case (Bool.bool_dec (p1 (x - 1)%Z) true); intro e.
  rewrite e, H1; auto with zarith.
  apply Bool.not_true_is_false in e; rewrite e.
  case (p2 (x -1 )%Z); easy.
Qed.

(* Why3 goal *)
Lemma numof_change_some :
  forall (p1:Numbers.BinNums.Z -> Init.Datatypes.bool)
    (p2:Numbers.BinNums.Z -> Init.Datatypes.bool) (a:Numbers.BinNums.Z)
    (b:Numbers.BinNums.Z) (i:Numbers.BinNums.Z),
  (a <= i)%Z /\ (i < b)%Z ->
  (forall (j:Numbers.BinNums.Z), (a <= j)%Z /\ (j < b)%Z ->
   ((p1 j) = Init.Datatypes.true) -> ((p2 j) = Init.Datatypes.true)) ->
  ~ ((p1 i) = Init.Datatypes.true) -> ((p2 i) = Init.Datatypes.true) ->
  ((numof p1 a b) < (numof p2 a b))%Z.
Proof.
  intros p1 p2 a b i (h1,h2) h3 h4 h5.
  generalize (Z_le_lt_eq_dec _ _ (numof_change_any p1 p2 a b h3)).
  intro H; destruct H; trivial.
  cut False; auto with zarith.
  rewrite Numof_append with (b := i) in e by lia.
  rewrite Numof_append with (p := p2) (b := i) in e by lia.
  rewrite (Numof_left_add _ _ _ h2 h5), (Numof_left_no_add _ _ _ h2 h4) in e.
  assert (forall j : int, (a <= j < i)%Z -> p1 j = true -> p2 j = true) by auto with zarith.
  generalize (numof_change_any p1 p2 _ _ H).
  assert (forall j : int, ((i + 1) <= j < b)%Z -> p1 j = true -> p2 j = true) by auto with zarith.
  generalize (numof_change_any p1 p2 _ _ H0).
  lia.
Qed.

Lemma le_ge_eq: forall a b, (a <= b)%Z /\ (b <= a)%Z -> (a = b)%Z.
Proof.
  auto with zarith.
Qed.

(* Why3 goal *)
Lemma numof_change_equiv :
  forall (p1:Numbers.BinNums.Z -> Init.Datatypes.bool)
    (p2:Numbers.BinNums.Z -> Init.Datatypes.bool) (a:Numbers.BinNums.Z)
    (b:Numbers.BinNums.Z),
  (forall (j:Numbers.BinNums.Z), (a <= j)%Z /\ (j < b)%Z ->
   ((p1 j) = Init.Datatypes.true) <-> ((p2 j) = Init.Datatypes.true)) ->
  ((numof p2 a b) = (numof p1 a b)).
Proof.
intros p1 p2 a b h1.
apply le_ge_eq.
split; apply numof_change_any; intros; now apply h1.
Qed.

why3-1.6.0/lib/coq/int/Power.v000066400000000000000000000073761440160026300160260ustar00rootroot00000000000000(********************************************************************)
(*                                                                  *)
(*  The Why3 Verification Platform   /   The Why3 Development Team  *)
(*  Copyright 2010-2023 --  Inria - CNRS - Paris-Saclay University  *)
(*                                                                  *)
(*  This software is distributed under the terms of the GNU Lesser  *)
(*  General Public License version 2.1, with the special exception  *)
(*  on linking described in file LICENSE.                           *)
(*                                                                  *)
(********************************************************************)

(* This file is generated by Why3's Coq-realize driver *)
(* Beware! Only edit allowed sections below    *)
Require Import BuiltIn.
Require BuiltIn.
Require int.Int.

Require Import Lia.
Require Import Exponentiation.

(* Why3 goal *)
Notation power := Zpower.

Lemma power_is_exponentiation :
  forall x n, (0 <= n)%Z -> power x n = Exponentiation.power _ 1%Z Zmult x n.
Proof.
intros x [|n|n] H.
easy.
2: now elim H.
unfold Exponentiation.power, power, Zpower_pos.
now rewrite iter_nat_of_P.
Qed.

(* Why3 goal *)
Lemma Power_0 : forall (x:Numbers.BinNums.Z), ((power x 0%Z) = 1%Z).
Proof.
intros x.
apply refl_equal.
Qed.

(* Why3 goal *)
Lemma Power_s :
  forall (x:Numbers.BinNums.Z) (n:Numbers.BinNums.Z), (0%Z <= n)%Z ->
  ((power x (n + 1%Z)%Z) = (x * (power x n))%Z).
Proof.
intros x n h1.
rewrite Zpower_exp.
change (power x 1) with (x * 1)%Z.
ring.
now apply Z.le_ge.
easy.
Qed.

(* Why3 goal *)
Lemma Power_s_alt :
  forall (x:Numbers.BinNums.Z) (n:Numbers.BinNums.Z), (0%Z < n)%Z ->
  ((power x n) = (x * (power x (n - 1%Z)%Z))%Z).
Proof.
intros x n h1.
rewrite <- Power_s by lia.
apply f_equal.
ring.
Qed.

(* Why3 goal *)
Lemma Power_1 : forall (x:Numbers.BinNums.Z), ((power x 1%Z) = x).
Proof.
exact Zmult_1_r.
Qed.

(* Why3 goal *)
Lemma Power_sum :
  forall (x:Numbers.BinNums.Z) (n:Numbers.BinNums.Z) (m:Numbers.BinNums.Z),
  (0%Z <= n)%Z -> (0%Z <= m)%Z ->
  ((power x (n + m)%Z) = ((power x n) * (power x m))%Z).
Proof.
intros x n m Hn Hm.
now apply Zpower_exp; apply Z.le_ge.
Qed.

(* Why3 goal *)
Lemma Power_mult :
  forall (x:Numbers.BinNums.Z) (n:Numbers.BinNums.Z) (m:Numbers.BinNums.Z),
  (0%Z <= n)%Z -> (0%Z <= m)%Z ->
  ((power x (n * m)%Z) = (power (power x n) m)).
Proof.
intros x n m Hn Hm.
rewrite 3!power_is_exponentiation ; auto with zarith.
apply Power_mult ; auto with zarith.
Qed.

(* Why3 goal *)
Lemma Power_comm1 :
  forall (x:Numbers.BinNums.Z) (y:Numbers.BinNums.Z),
  ((x * y)%Z = (y * x)%Z) -> forall (n:Numbers.BinNums.Z), (0%Z <= n)%Z ->
  (((power x n) * y)%Z = (y * (power x n))%Z).
Proof.
intros x y h1 n h2.
apply Zmult_comm.
Qed.

(* Why3 goal *)
Lemma Power_comm2 :
  forall (x:Numbers.BinNums.Z) (y:Numbers.BinNums.Z),
  ((x * y)%Z = (y * x)%Z) -> forall (n:Numbers.BinNums.Z), (0%Z <= n)%Z ->
  ((power (x * y)%Z n) = ((power x n) * (power y n))%Z).
Proof.
intros x y h1 n h2.
rewrite 3!power_is_exponentiation ; auto with zarith.
apply Power_comm2 ; auto with zarith.
Qed.

(* Why3 goal *)
Lemma Power_non_neg :
  forall (x:Numbers.BinNums.Z) (y:Numbers.BinNums.Z),
  (0%Z <= x)%Z /\ (0%Z <= y)%Z -> (0%Z <= (power x y))%Z.
Proof.
intros x y (h1,h2).
now apply Z.pow_nonneg.
Qed.

(* Why3 goal *)
Lemma Power_pos :
  forall (x:Numbers.BinNums.Z) (y:Numbers.BinNums.Z),
  (0%Z < x)%Z /\ (0%Z <= y)%Z -> (0%Z < (power x y))%Z.
Proof.
intros x y (h1,h2).
eapply Z.pow_pos_nonneg; eauto.
Qed.

Open Scope Z_scope.

(* Why3 goal *)
Lemma Power_monotonic :
  forall (x:Numbers.BinNums.Z) (n:Numbers.BinNums.Z) (m:Numbers.BinNums.Z),
  (0%Z < x)%Z /\ (0%Z <= n)%Z /\ (n <= m)%Z -> ((power x n) <= (power x m))%Z.
Proof.
intros.
apply Z.pow_le_mono_r; auto with zarith.
Qed.

why3-1.6.0/lib/coq/list/000077500000000000000000000000001440160026300147075ustar00rootroot00000000000000why3-1.6.0/lib/coq/list/Append.v000066400000000000000000000056471440160026300163210ustar00rootroot00000000000000(********************************************************************)
(*                                                                  *)
(*  The Why3 Verification Platform   /   The Why3 Development Team  *)
(*  Copyright 2010-2023 --  Inria - CNRS - Paris-Saclay University  *)
(*                                                                  *)
(*  This software is distributed under the terms of the GNU Lesser  *)
(*  General Public License version 2.1, with the special exception  *)
(*  on linking described in file LICENSE.                           *)
(*                                                                  *)
(********************************************************************)

(* This file is generated by Why3's Coq-realize driver *)
(* Beware! Only edit allowed sections below    *)
Require Import BuiltIn.
Require BuiltIn.
Require int.Int.
Require list.List.
Require list.Length.
Require list.Mem.

(* Why3 goal *)
Lemma infix_plpl'def {a:Type} {a_WT:WhyType a} :
  forall (l1:Init.Datatypes.list a) (l2:Init.Datatypes.list a),
  ((Init.Datatypes.app l1 l2) =
   match l1 with
   | Init.Datatypes.nil => l2
   | Init.Datatypes.cons x1 r1 =>
       Init.Datatypes.cons x1 (Init.Datatypes.app r1 l2)
   end).
Proof.
now intros [|h1 q1] l2.
Qed.

Require Import Lists.List.

(* Why3 goal *)
Lemma Append_assoc {a:Type} {a_WT:WhyType a} :
  forall (l1:Init.Datatypes.list a) (l2:Init.Datatypes.list a)
    (l3:Init.Datatypes.list a),
  ((Init.Datatypes.app l1 (Init.Datatypes.app l2 l3)) =
   (Init.Datatypes.app (Init.Datatypes.app l1 l2) l3)).
Proof.
intros l1 l2 l3.
apply app_assoc.
Qed.

(* Why3 goal *)
Lemma Append_l_nil {a:Type} {a_WT:WhyType a} :
  forall (l:Init.Datatypes.list a),
  ((Init.Datatypes.app l Init.Datatypes.nil) = l).
Proof.
intros l.
apply app_nil_r.
Qed.

(* Why3 goal *)
Lemma Append_length {a:Type} {a_WT:WhyType a} :
  forall (l1:Init.Datatypes.list a) (l2:Init.Datatypes.list a),
  ((list.Length.length (Init.Datatypes.app l1 l2)) =
   ((list.Length.length l1) + (list.Length.length l2))%Z).
Proof.
intros l1 l2.
rewrite 3!Length.length_std.
now rewrite app_length, inj_plus.
Qed.

(* Why3 goal *)
Lemma mem_append {a:Type} {a_WT:WhyType a} :
  forall (x:a) (l1:Init.Datatypes.list a) (l2:Init.Datatypes.list a),
  list.Mem.mem x (Init.Datatypes.app l1 l2) <->
  list.Mem.mem x l1 \/ list.Mem.mem x l2.
Proof.
intros x l1 l2.
split.
intros H.
apply Mem.mem_std in H.
apply in_app_or in H.
destruct H as [H|H].
left.
now apply Mem.mem_std.
right.
now apply Mem.mem_std.
intros H.
apply Mem.mem_std.
apply in_or_app.
destruct H as [H|H].
left.
now apply Mem.mem_std.
right.
now apply Mem.mem_std.
Qed.

(* Why3 goal *)
Lemma mem_decomp {a:Type} {a_WT:WhyType a} :
  forall (x:a) (l:Init.Datatypes.list a), list.Mem.mem x l ->
  exists l1:Init.Datatypes.list a, exists l2:Init.Datatypes.list a,
  (l = (Init.Datatypes.app l1 (Init.Datatypes.cons x l2))).
Proof.
intros x l h1.
apply in_split.
now apply Mem.mem_std.
Qed.

why3-1.6.0/lib/coq/list/Combine.v000066400000000000000000000026061440160026300164560ustar00rootroot00000000000000(********************************************************************)
(*                                                                  *)
(*  The Why3 Verification Platform   /   The Why3 Development Team  *)
(*  Copyright 2010-2023 --  Inria - CNRS - Paris-Saclay University  *)
(*                                                                  *)
(*  This software is distributed under the terms of the GNU Lesser  *)
(*  General Public License version 2.1, with the special exception  *)
(*  on linking described in file LICENSE.                           *)
(*                                                                  *)
(********************************************************************)

(* This file is generated by Why3's Coq-realize driver *)
(* Beware! Only edit allowed sections below    *)
Require Import BuiltIn.
Require BuiltIn.
Require list.List.

(* Why3 comment *)
(* combine is replaced with (Lists.List.combine x x1) by the coq driver *)

(* Why3 goal *)
Lemma combine'def {a:Type} {a_WT:WhyType a} {b:Type} {b_WT:WhyType b} :
  forall (x:Init.Datatypes.list a) (y:Init.Datatypes.list b),
  match (x, y) with
  | (Init.Datatypes.cons x0 x1, Init.Datatypes.cons y0 y1) =>
      ((Lists.List.combine x y) =
       (Init.Datatypes.cons (x0, y0) (Lists.List.combine x1 y1)))
  | _ => ((Lists.List.combine x y) = Init.Datatypes.nil)
  end.
Proof.
now intros [|xh xt] [|yh yt].
Qed.

why3-1.6.0/lib/coq/list/Distinct.v000066400000000000000000000037131440160026300166630ustar00rootroot00000000000000(********************************************************************)
(*                                                                  *)
(*  The Why3 Verification Platform   /   The Why3 Development Team  *)
(*  Copyright 2010-2023 --  Inria - CNRS - Paris-Saclay University  *)
(*                                                                  *)
(*  This software is distributed under the terms of the GNU Lesser  *)
(*  General Public License version 2.1, with the special exception  *)
(*  on linking described in file LICENSE.                           *)
(*                                                                  *)
(********************************************************************)

(* This file is generated by Why3's Coq-realize driver *)
(* Beware! Only edit allowed sections below    *)
Require Import BuiltIn.
Require BuiltIn.
Require int.Int.
Require list.List.
Require list.Length.
Require list.Mem.
Require list.Append.

(* Why3 assumption *)
Inductive distinct {a:Type} {a_WT:WhyType a}: Init.Datatypes.list a ->
  Prop :=
  | distinct_zero : distinct Init.Datatypes.nil
  | distinct_one :
      forall (x:a), distinct (Init.Datatypes.cons x Init.Datatypes.nil)
  | distinct_many :
      forall (x:a) (l:Init.Datatypes.list a), ~ list.Mem.mem x l ->
      distinct l -> distinct (Init.Datatypes.cons x l).

(* Why3 goal *)
Lemma distinct_append {a:Type} {a_WT:WhyType a} :
  forall (l1:Init.Datatypes.list a) (l2:Init.Datatypes.list a),
  distinct l1 -> distinct l2 ->
  (forall (x:a), list.Mem.mem x l1 -> ~ list.Mem.mem x l2) ->
  distinct (Init.Datatypes.app l1 l2).
Proof.
intros l1 l2 h1 h2 h3.
induction l1 as [|l1h l1t IHl1].
exact h2.
simpl.
inversion h1 ; subst.
- apply distinct_many with (2 := h2).
  apply h3.
  now left.
- apply distinct_many.
  contradict H1.
  apply Append.mem_append in H1.
  destruct H1 as [H1|H1].
  exact H1.
  elim h3 with (2 := H1).
  now left.
  apply IHl1 with (1 := H2).
  intros x Hx.
  apply h3.
  now right.
Qed.

why3-1.6.0/lib/coq/list/HdTl.v000066400000000000000000000026031440160026300157320ustar00rootroot00000000000000(********************************************************************)
(*                                                                  *)
(*  The Why3 Verification Platform   /   The Why3 Development Team  *)
(*  Copyright 2010-2023 --  Inria - CNRS - Paris-Saclay University  *)
(*                                                                  *)
(*  This software is distributed under the terms of the GNU Lesser  *)
(*  General Public License version 2.1, with the special exception  *)
(*  on linking described in file LICENSE.                           *)
(*                                                                  *)
(********************************************************************)

(* This file is generated by Why3's Coq-realize driver *)
(* Beware! Only edit allowed sections below    *)
Require Import BuiltIn.
Require BuiltIn.
Require list.List.
Require option.Option.

(* Why3 assumption *)
Definition hd {a:Type} {a_WT:WhyType a} (l:Init.Datatypes.list a) :
    Init.Datatypes.option a :=
  match l with
  | Init.Datatypes.nil => Init.Datatypes.None
  | Init.Datatypes.cons h _ => Init.Datatypes.Some h
  end.

(* Why3 assumption *)
Definition tl {a:Type} {a_WT:WhyType a} (l:Init.Datatypes.list a) :
    Init.Datatypes.option (Init.Datatypes.list a) :=
  match l with
  | Init.Datatypes.nil => Init.Datatypes.None
  | Init.Datatypes.cons _ t => Init.Datatypes.Some t
  end.

why3-1.6.0/lib/coq/list/HdTlNoOpt.v000066400000000000000000000027511440160026300167160ustar00rootroot00000000000000(********************************************************************)
(*                                                                  *)
(*  The Why3 Verification Platform   /   The Why3 Development Team  *)
(*  Copyright 2010-2023 --  Inria - CNRS - Paris-Saclay University  *)
(*                                                                  *)
(*  This software is distributed under the terms of the GNU Lesser  *)
(*  General Public License version 2.1, with the special exception  *)
(*  on linking described in file LICENSE.                           *)
(*                                                                  *)
(********************************************************************)

(* This file is generated by Why3's Coq-realize driver *)
(* Beware! Only edit allowed sections below    *)
Require Import BuiltIn.
Require BuiltIn.
Require list.List.

(* Why3 goal *)
Definition hd {a:Type} {a_WT:WhyType a} : Init.Datatypes.list a -> a.
intros [|h _].
exact why_inhabitant.
exact h.
Defined.

(* Why3 goal *)
Lemma hd_cons {a:Type} {a_WT:WhyType a} :
  forall (x:a) (r:Init.Datatypes.list a),
  ((hd (Init.Datatypes.cons x r)) = x).
Proof.
now intros x r.
Qed.

(* Why3 goal *)
Definition tl {a:Type} {a_WT:WhyType a} :
  Init.Datatypes.list a -> Init.Datatypes.list a.
intros [|_ t].
exact nil.
exact t.
Defined.

(* Why3 goal *)
Lemma tl_cons {a:Type} {a_WT:WhyType a} :
  forall (x:a) (r:Init.Datatypes.list a),
  ((tl (Init.Datatypes.cons x r)) = r).
Proof.
now intros x r.
Qed.

why3-1.6.0/lib/coq/list/Length.v000066400000000000000000000035101440160026300163160ustar00rootroot00000000000000(********************************************************************)
(*                                                                  *)
(*  The Why3 Verification Platform   /   The Why3 Development Team  *)
(*  Copyright 2010-2023 --  Inria - CNRS - Paris-Saclay University  *)
(*                                                                  *)
(*  This software is distributed under the terms of the GNU Lesser  *)
(*  General Public License version 2.1, with the special exception  *)
(*  on linking described in file LICENSE.                           *)
(*                                                                  *)
(********************************************************************)

(* This file is generated by Why3's Coq-realize driver *)
(* Beware! Only edit allowed sections below    *)
Require Import BuiltIn.
Require BuiltIn.
Require int.Int.
Require list.List.

Require Import Lia.

(* Why3 assumption *)
Fixpoint length {a:Type} {a_WT:WhyType a}
  (l:Init.Datatypes.list a) {struct l}: Numbers.BinNums.Z :=
  match l with
  | Init.Datatypes.nil => 0%Z
  | Init.Datatypes.cons _ r => (1%Z + (length r))%Z
  end.

Lemma length_std :
  forall {a:Type} {a_WT:WhyType a} (l:list a),
  length l = Z_of_nat (List.length l).
Proof.
intros a a_WT l.
induction l.
easy.
change (1 + length l = Z_of_nat (S (List.length l)))%Z.
now rewrite inj_S, Zplus_comm, IHl.
Qed.

(* Why3 goal *)
Lemma Length_nonnegative {a:Type} {a_WT:WhyType a} :
  forall (l:Init.Datatypes.list a), (0%Z <= (length l))%Z.
Proof.
intros l.
rewrite length_std.
apply Zle_0_nat.
Qed.

(* Why3 goal *)
Lemma Length_nil {a:Type} {a_WT:WhyType a} :
  forall (l:Init.Datatypes.list a),
  ((length l) = 0%Z) <-> (l = Init.Datatypes.nil).
Proof.
intros [|h t] ; split ; try easy.
unfold length. fold length.
intros H.
exfalso.
generalize (Length_nonnegative t).
lia.
Qed.

why3-1.6.0/lib/coq/list/List.v000066400000000000000000000030671440160026300160170ustar00rootroot00000000000000(********************************************************************)
(*                                                                  *)
(*  The Why3 Verification Platform   /   The Why3 Development Team  *)
(*  Copyright 2010-2023 --  Inria - CNRS - Paris-Saclay University  *)
(*                                                                  *)
(*  This software is distributed under the terms of the GNU Lesser  *)
(*  General Public License version 2.1, with the special exception  *)
(*  on linking described in file LICENSE.                           *)
(*                                                                  *)
(********************************************************************)

(* This file is generated by Why3's Coq-realize driver *)
(* Beware! Only edit allowed sections below    *)
Require Import BuiltIn.
Require BuiltIn.

(* Why3 assumption *)
Definition is_nil {a:Type} {a_WT:WhyType a} (l:Init.Datatypes.list a) : Prop :=
  match l with
  | Init.Datatypes.nil => True
  | Init.Datatypes.cons _ _ => False
  end.

(* Why3 goal *)
Lemma is_nil'spec {a:Type} {a_WT:WhyType a} :
  forall (l:Init.Datatypes.list a), is_nil l <-> (l = Init.Datatypes.nil).
Proof.
intros l.
split.
now destruct l.
now intros ->.
Qed.

Global Instance list_WhyType : forall T {T_WT : WhyType T}, WhyType (list T).
Proof.
split.
apply nil.
induction x as [|xh x] ; intros [|yh y] ; try (now right).
now left.
destruct (IHx y) as [->|E].
destruct (why_decidable_eq xh yh) as [->|Eh].
now left.
right.
contradict Eh.
now injection Eh.
right.
contradict E.
now injection E.
Qed.
why3-1.6.0/lib/coq/list/Mem.v000066400000000000000000000025051440160026300156160ustar00rootroot00000000000000(********************************************************************)
(*                                                                  *)
(*  The Why3 Verification Platform   /   The Why3 Development Team  *)
(*  Copyright 2010-2023 --  Inria - CNRS - Paris-Saclay University  *)
(*                                                                  *)
(*  This software is distributed under the terms of the GNU Lesser  *)
(*  General Public License version 2.1, with the special exception  *)
(*  on linking described in file LICENSE.                           *)
(*                                                                  *)
(********************************************************************)

(* This file is generated by Why3's Coq-realize driver *)
(* Beware! Only edit allowed sections below    *)
Require Import BuiltIn.
Require BuiltIn.
Require list.List.

(* Why3 assumption *)
Fixpoint mem {a:Type} {a_WT:WhyType a} (x:a)
  (l:Init.Datatypes.list a) {struct l}: Prop :=
  match l with
  | Init.Datatypes.nil => False
  | Init.Datatypes.cons y r => (x = y) \/ mem x r
  end.

Lemma mem_std :
  forall {a:Type} {a_WT:WhyType a} (x:a) (l:list a),
  mem x l <-> List.In x l.
Proof.
intros a a_WT x l.
induction l as [|h q].
easy.
simpl.
split ; intros [H|H].
now left.
right.
now apply IHq.
now left.
right.
now apply IHq.
Qed.
why3-1.6.0/lib/coq/list/Nth.v000066400000000000000000000032071440160026300156310ustar00rootroot00000000000000(********************************************************************)
(*                                                                  *)
(*  The Why3 Verification Platform   /   The Why3 Development Team  *)
(*  Copyright 2010-2023 --  Inria - CNRS - Paris-Saclay University  *)
(*                                                                  *)
(*  This software is distributed under the terms of the GNU Lesser  *)
(*  General Public License version 2.1, with the special exception  *)
(*  on linking described in file LICENSE.                           *)
(*                                                                  *)
(********************************************************************)

(* This file is generated by Why3's Coq-realize driver *)
(* Beware! Only edit allowed sections below    *)
Require Import BuiltIn.
Require BuiltIn.
Require int.Int.
Require list.List.
Require option.Option.

(* Why3 goal *)
Definition nth {a:Type} {a_WT:WhyType a} :
  Numbers.BinNums.Z -> Init.Datatypes.list a -> Init.Datatypes.option a.
exact (fix nth n l := match l with nil => None | cons h t => if Zeq_bool n Z0 then Some h else nth (n - 1)%Z t end).
Defined.

(* Why3 goal *)
Lemma nth'def {a:Type} {a_WT:WhyType a} :
  forall (n:Numbers.BinNums.Z) (l:Init.Datatypes.list a),
  match l with
  | Init.Datatypes.nil => ((nth n l) = Init.Datatypes.None)
  | Init.Datatypes.cons x r =>
      ((n = 0%Z) -> ((nth n l) = (Init.Datatypes.Some x))) /\
      (~ (n = 0%Z) -> ((nth n l) = (nth (n - 1%Z)%Z r)))
  end.
Proof.
intros n l.
revert n.
induction l.
easy.
intros n.
split.
intros ->.
easy.
simpl.
generalize (Zeq_bool_if n 0).
now case Zeq_bool.
Qed.

why3-1.6.0/lib/coq/list/NthHdTl.v000066400000000000000000000031731440160026300164070ustar00rootroot00000000000000(********************************************************************)
(*                                                                  *)
(*  The Why3 Verification Platform   /   The Why3 Development Team  *)
(*  Copyright 2010-2023 --  Inria - CNRS - Paris-Saclay University  *)
(*                                                                  *)
(*  This software is distributed under the terms of the GNU Lesser  *)
(*  General Public License version 2.1, with the special exception  *)
(*  on linking described in file LICENSE.                           *)
(*                                                                  *)
(********************************************************************)

(* This file is generated by Why3's Coq-realize driver *)
(* Beware! Only edit allowed sections below    *)
Require Import BuiltIn.
Require BuiltIn.
Require int.Int.
Require list.List.
Require list.Nth.
Require option.Option.
Require list.HdTl.

Require Import Lia.

(* Why3 goal *)
Lemma Nth_tl {a:Type} {a_WT:WhyType a} :
  forall (l1:Init.Datatypes.list a) (l2:Init.Datatypes.list a),
  ((list.HdTl.tl l1) = (Init.Datatypes.Some l2)) ->
  forall (i:Numbers.BinNums.Z), ~ (i = (-1%Z)%Z) ->
  ((list.Nth.nth i l2) = (list.Nth.nth (i + 1%Z)%Z l1)).
Proof.
intros [|x1 l1] l2 h1 i h2.
easy.
simpl.
generalize (Zeq_bool_if (i + 1) 0).
case Zeq_bool.
intro H.
exfalso.
lia.
intros _.
simpl in h1.
inversion h1.
apply (f_equal (fun i => Nth.nth i l2)).
exact (Zpred_succ i).
Qed.

(* Why3 goal *)
Lemma Nth0_head {a:Type} {a_WT:WhyType a} :
  forall (l:Init.Datatypes.list a), ((list.Nth.nth 0%Z l) = (list.HdTl.hd l)).
Proof.
now intros [|h t].
Qed.

why3-1.6.0/lib/coq/list/NthLength.v000066400000000000000000000043641440160026300170000ustar00rootroot00000000000000(********************************************************************)
(*                                                                  *)
(*  The Why3 Verification Platform   /   The Why3 Development Team  *)
(*  Copyright 2010-2023 --  Inria - CNRS - Paris-Saclay University  *)
(*                                                                  *)
(*  This software is distributed under the terms of the GNU Lesser  *)
(*  General Public License version 2.1, with the special exception  *)
(*  on linking described in file LICENSE.                           *)
(*                                                                  *)
(********************************************************************)

(* This file is generated by Why3's Coq-realize driver *)
(* Beware! Only edit allowed sections below    *)
Require Import BuiltIn.
Require BuiltIn.
Require int.Int.
Require list.List.
Require list.Length.
Require list.Nth.
Require option.Option.

Require Import Lia.

(* Why3 goal *)
Lemma nth_none_1 {a:Type} {a_WT:WhyType a} :
  forall (l:Init.Datatypes.list a) (i:Numbers.BinNums.Z), (i < 0%Z)%Z ->
  ((list.Nth.nth i l) = Init.Datatypes.None).
Proof.
intros l.
induction l as [|h q].
easy.
intros i H.
simpl.
generalize (Zeq_bool_if i 0).
case Zeq_bool.
intros H'.
now rewrite H' in H.
intros _.
apply IHq.
lia.
Qed.

(* Why3 goal *)
Lemma nth_none_2 {a:Type} {a_WT:WhyType a} :
  forall (l:Init.Datatypes.list a) (i:Numbers.BinNums.Z),
  ((list.Length.length l) <= i)%Z ->
  ((list.Nth.nth i l) = Init.Datatypes.None).
Proof.
intros l.
induction l as [|h q].
easy.
intros i H.
unfold Length.length in H.
fold Length.length in H.
simpl.
generalize (Zeq_bool_if i 0).
case Zeq_bool.
intros H'.
rewrite H' in H.
exfalso.
generalize (Length.Length_nonnegative q).
lia.
intros _.
apply IHq.
lia.
Qed.

(* Why3 goal *)
Lemma nth_none_3 {a:Type} {a_WT:WhyType a} :
  forall (l:Init.Datatypes.list a) (i:Numbers.BinNums.Z),
  ((list.Nth.nth i l) = Init.Datatypes.None) ->
  (i < 0%Z)%Z \/ ((list.Length.length l) <= i)%Z.
Proof.
intros l.
induction l as [|h q].
intros i _.
simpl.
lia.
intros i.
simpl (Nth.nth i (h :: q)).
change (Length.length (h :: q)) with (1 + Length.length q)%Z.
generalize (Zeq_bool_if i 0).
case Zeq_bool.
easy.
intros Hi H.
specialize (IHq _ H).
lia.
Qed.

why3-1.6.0/lib/coq/list/NthLengthAppend.v000066400000000000000000000043161440160026300201250ustar00rootroot00000000000000(********************************************************************)
(*                                                                  *)
(*  The Why3 Verification Platform   /   The Why3 Development Team  *)
(*  Copyright 2010-2023 --  Inria - CNRS - Paris-Saclay University  *)
(*                                                                  *)
(*  This software is distributed under the terms of the GNU Lesser  *)
(*  General Public License version 2.1, with the special exception  *)
(*  on linking described in file LICENSE.                           *)
(*                                                                  *)
(********************************************************************)

(* This file is generated by Why3's Coq-realize driver *)
(* Beware! Only edit allowed sections below    *)
Require Import BuiltIn.
Require BuiltIn.
Require int.Int.
Require list.List.
Require list.Length.
Require list.Mem.
Require list.Nth.
Require option.Option.
Require list.NthLength.
Require list.Append.

Require Import Lia.

(* Why3 goal *)
Lemma nth_append_1 {a:Type} {a_WT:WhyType a} :
  forall (l1:Init.Datatypes.list a) (l2:Init.Datatypes.list a)
    (i:Numbers.BinNums.Z),
  (i < (list.Length.length l1))%Z ->
  ((list.Nth.nth i (Init.Datatypes.app l1 l2)) = (list.Nth.nth i l1)).
Proof.
intros l1.
induction l1 as [|x l1].
intros l2 i.
apply NthLength.nth_none_1.
intros l2 i Hi.
simpl.
generalize (Zeq_bool_if i 0).
case Zeq_bool.
easy.
intros _.
apply IHl1.
assert (i < 1 + Length.length l1)%Z by exact Hi.
lia.
Qed.

(* Why3 goal *)
Lemma nth_append_2 {a:Type} {a_WT:WhyType a} :
  forall (l1:Init.Datatypes.list a) (l2:Init.Datatypes.list a)
    (i:Numbers.BinNums.Z),
  ((list.Length.length l1) <= i)%Z ->
  ((list.Nth.nth i (Init.Datatypes.app l1 l2)) =
   (list.Nth.nth (i - (list.Length.length l1))%Z l2)).
Proof.
intros l1.
induction l1 as [|x l1].
intros l2 i _.
simpl.
now rewrite Zminus_0_r.
intros l2 i.
change (Length.length (x :: l1)) with (1 + Length.length l1)%Z.
intros Hi.
replace (i - (1 + Length.length l1))%Z with ((i - 1) - Length.length l1)%Z by ring.
simpl.
generalize (Zeq_bool_if i 0).
case Zeq_bool.
intros Hi'.
exfalso.
generalize (Length.Length_nonnegative l1).
lia.
intros _.
apply IHl1.
lia.
Qed.

why3-1.6.0/lib/coq/list/NthNoOpt.v000066400000000000000000000031311440160026300166050ustar00rootroot00000000000000(********************************************************************)
(*                                                                  *)
(*  The Why3 Verification Platform   /   The Why3 Development Team  *)
(*  Copyright 2010-2023 --  Inria - CNRS - Paris-Saclay University  *)
(*                                                                  *)
(*  This software is distributed under the terms of the GNU Lesser  *)
(*  General Public License version 2.1, with the special exception  *)
(*  on linking described in file LICENSE.                           *)
(*                                                                  *)
(********************************************************************)

(* This file is generated by Why3's Coq-realize driver *)
(* Beware! Only edit allowed sections below    *)
Require Import BuiltIn.
Require BuiltIn.
Require int.Int.
Require list.List.

(* Why3 goal *)
Definition nth {a:Type} {a_WT:WhyType a} :
  Numbers.BinNums.Z -> Init.Datatypes.list a -> a.
exact (fix nth n l := match l with nil => why_inhabitant | cons h t => if Zeq_bool n Z0 then h else nth (n - 1)%Z t end).
Defined.

(* Why3 goal *)
Lemma nth_cons_0 {a:Type} {a_WT:WhyType a} :
  forall (x:a) (r:Init.Datatypes.list a),
  ((nth 0%Z (Init.Datatypes.cons x r)) = x).
Proof.
now intros x r.
Qed.

(* Why3 goal *)
Lemma nth_cons_n {a:Type} {a_WT:WhyType a} :
  forall (x:a) (r:Init.Datatypes.list a) (n:Numbers.BinNums.Z),
  (0%Z < n)%Z -> ((nth n (Init.Datatypes.cons x r)) = (nth (n - 1%Z)%Z r)).
Proof.
intros x r n h1.
simpl.
generalize (Zeq_bool_if n 0).
case Zeq_bool ; try easy.
now intros ->.
Qed.

why3-1.6.0/lib/coq/list/NumOcc.v000066400000000000000000000061641440160026300162710ustar00rootroot00000000000000(********************************************************************)
(*                                                                  *)
(*  The Why3 Verification Platform   /   The Why3 Development Team  *)
(*  Copyright 2010-2023 --  Inria - CNRS - Paris-Saclay University  *)
(*                                                                  *)
(*  This software is distributed under the terms of the GNU Lesser  *)
(*  General Public License version 2.1, with the special exception  *)
(*  on linking described in file LICENSE.                           *)
(*                                                                  *)
(********************************************************************)

(* This file is generated by Why3's Coq-realize driver *)
(* Beware! Only edit allowed sections below    *)
Require Import BuiltIn.
Require BuiltIn.
Require int.Int.
Require list.List.
Require list.Length.
Require list.Mem.
Require list.Append.
Require list.Reverse.

Require Import Lia.

(* Why3 goal *)
Definition num_occ {a:Type} {a_WT:WhyType a} :
  a -> Init.Datatypes.list a -> Numbers.BinNums.Z.
intros x.
exact (fix num_occ (l : list a) : int :=
  match l with
  | nil => 0
  | cons y r => (if why_decidable_eq x y then 1 else 0) + num_occ r
  end)%Z.
Defined.

(* Why3 goal *)
Lemma num_occ'def {a:Type} {a_WT:WhyType a} :
  forall (x:a) (l:Init.Datatypes.list a),
  match l with
  | Init.Datatypes.nil => ((num_occ x l) = 0%Z)
  | Init.Datatypes.cons y r =>
      ((x = y) -> ((num_occ x l) = (1%Z + (num_occ x r))%Z)) /\
      (~ (x = y) -> ((num_occ x l) = (0%Z + (num_occ x r))%Z))
  end.
Proof.
intros x [|y r].
easy.
split ; intros H.
change ((if why_decidable_eq x y then 1 else 0) + num_occ x r = 1 + num_occ x r)%Z.
now case why_decidable_eq.
change ((if why_decidable_eq x y then 1 else 0) + num_occ x r = 0 + num_occ x r)%Z.
now case why_decidable_eq.
Qed.

(* Why3 goal *)
Lemma Num_Occ_NonNeg {a:Type} {a_WT:WhyType a} :
  forall (x:a) (l:Init.Datatypes.list a), (0%Z <= (num_occ x l))%Z.
Proof.
intros x l.
induction l as [|lh lt IHl].
easy.
simpl.
case why_decidable_eq ; intros H.
lia.
easy.
Qed.

(* Why3 goal *)
Lemma Mem_Num_Occ {a:Type} {a_WT:WhyType a} :
  forall (x:a) (l:Init.Datatypes.list a),
  list.Mem.mem x l <-> (0%Z < (num_occ x l))%Z.
Proof.
intros x l.
induction l as [|lh lt IHl].
now split.
simpl.
case why_decidable_eq ; intros H ; split.
intros _.
clear.
generalize (Num_Occ_NonNeg x lt).
lia.
now left.
intros [H'|H'] ; try easy.
now apply IHl.
right.
now apply IHl.
Qed.

(* Why3 goal *)
Lemma Append_Num_Occ {a:Type} {a_WT:WhyType a} :
  forall (x:a) (l1:Init.Datatypes.list a) (l2:Init.Datatypes.list a),
  ((num_occ x (Init.Datatypes.app l1 l2)) =
   ((num_occ x l1) + (num_occ x l2))%Z).
Proof.
intros x l1 l2.
induction l1 as [|l1h l1t IHl1].
easy.
simpl.
rewrite IHl1.
rewrite Zplus_assoc.
now case why_decidable_eq.
Qed.

(* Why3 goal *)
Lemma reverse_num_occ {a:Type} {a_WT:WhyType a} :
  forall (x:a) (l:Init.Datatypes.list a),
  ((num_occ x l) = (num_occ x (Lists.List.rev l))).
intros x l.
induction l; simpl.
auto.
rewrite Append_Num_Occ.
rewrite <- IHl.
ring_simplify.
simpl (num_occ x (a0 :: nil))%list.
ring.
Qed.

why3-1.6.0/lib/coq/list/Permut.v000066400000000000000000000122461440160026300163570ustar00rootroot00000000000000(********************************************************************)
(*                                                                  *)
(*  The Why3 Verification Platform   /   The Why3 Development Team  *)
(*  Copyright 2010-2023 --  Inria - CNRS - Paris-Saclay University  *)
(*                                                                  *)
(*  This software is distributed under the terms of the GNU Lesser  *)
(*  General Public License version 2.1, with the special exception  *)
(*  on linking described in file LICENSE.                           *)
(*                                                                  *)
(********************************************************************)

(* This file is generated by Why3's Coq-realize driver *)
(* Beware! Only edit allowed sections below    *)
Require Import BuiltIn.
Require BuiltIn.
Require int.Int.
Require list.List.
Require list.Length.
Require list.Mem.
Require list.Append.
Require list.Reverse.
Require list.NumOcc.

Require Import Lia.

(* Why3 assumption *)
Definition permut {a:Type} {a_WT:WhyType a} (l1:Init.Datatypes.list a)
    (l2:Init.Datatypes.list a) : Prop :=
  forall (x:a), ((list.NumOcc.num_occ x l1) = (list.NumOcc.num_occ x l2)).

(* Why3 goal *)
Lemma Permut_refl {a:Type} {a_WT:WhyType a} :
  forall (l:Init.Datatypes.list a), permut l l.
Proof.
now intros l.
Qed.

(* Why3 goal *)
Lemma Permut_sym {a:Type} {a_WT:WhyType a} :
  forall (l1:Init.Datatypes.list a) (l2:Init.Datatypes.list a),
  permut l1 l2 -> permut l2 l1.
Proof.
now intros l1 l2 h1.
Qed.

(* Why3 goal *)
Lemma Permut_trans {a:Type} {a_WT:WhyType a} :
  forall (l1:Init.Datatypes.list a) (l2:Init.Datatypes.list a)
    (l3:Init.Datatypes.list a),
  permut l1 l2 -> permut l2 l3 -> permut l1 l3.
Proof.
intros l1 l2 l3 h1 h2 x.
now rewrite h1.
Qed.

(* Why3 goal *)
Lemma Permut_cons {a:Type} {a_WT:WhyType a} :
  forall (x:a) (l1:Init.Datatypes.list a) (l2:Init.Datatypes.list a),
  permut l1 l2 ->
  permut (Init.Datatypes.cons x l1) (Init.Datatypes.cons x l2).
Proof.
intros x l1 l2 h1 y.
simpl.
now rewrite h1.
Qed.

(* Why3 goal *)
Lemma Permut_swap {a:Type} {a_WT:WhyType a} :
  forall (x:a) (y:a) (l:Init.Datatypes.list a),
  permut (Init.Datatypes.cons x (Init.Datatypes.cons y l))
  (Init.Datatypes.cons y (Init.Datatypes.cons x l)).
Proof.
intros x y l z.
simpl.
ring.
Qed.

(* Why3 goal *)
Lemma Permut_cons_append {a:Type} {a_WT:WhyType a} :
  forall (x:a) (l1:Init.Datatypes.list a) (l2:Init.Datatypes.list a),
  permut (Init.Datatypes.app (Init.Datatypes.cons x l1) l2)
  (Init.Datatypes.app l1 (Init.Datatypes.cons x l2)).
Proof.
intros x l1 l2 y.
induction l1 as [|l1h l1t IHl1].
easy.
simpl in IHl1 |- *.
rewrite <- IHl1.
ring.
Qed.

(* Why3 goal *)
Lemma Permut_assoc {a:Type} {a_WT:WhyType a} :
  forall (l1:Init.Datatypes.list a) (l2:Init.Datatypes.list a)
    (l3:Init.Datatypes.list a),
  permut (Init.Datatypes.app (Init.Datatypes.app l1 l2) l3)
  (Init.Datatypes.app l1 (Init.Datatypes.app l2 l3)).
Proof.
intros l1 l2 l3 y.
now rewrite List.app_assoc.
Qed.

(* Why3 goal *)
Lemma Permut_append {a:Type} {a_WT:WhyType a} :
  forall (l1:Init.Datatypes.list a) (l2:Init.Datatypes.list a)
    (k1:Init.Datatypes.list a) (k2:Init.Datatypes.list a),
  permut l1 k1 -> permut l2 k2 ->
  permut (Init.Datatypes.app l1 l2) (Init.Datatypes.app k1 k2).
Proof.
intros l1 l2 k1 k2 h1 h2 y.
rewrite 2!NumOcc.Append_Num_Occ.
now apply f_equal2.
Qed.

(* Why3 goal *)
Lemma Permut_append_swap {a:Type} {a_WT:WhyType a} :
  forall (l1:Init.Datatypes.list a) (l2:Init.Datatypes.list a),
  permut (Init.Datatypes.app l1 l2) (Init.Datatypes.app l2 l1).
Proof.
intros l1 l2 y.
rewrite 2!NumOcc.Append_Num_Occ.
apply Zplus_comm.
Qed.

(* Why3 goal *)
Lemma Permut_mem {a:Type} {a_WT:WhyType a} :
  forall (x:a) (l1:Init.Datatypes.list a) (l2:Init.Datatypes.list a),
  permut l1 l2 -> list.Mem.mem x l1 -> list.Mem.mem x l2.
Proof.
intros x l1 l2 h1 h2.
apply NumOcc.Mem_Num_Occ.
rewrite <- h1.
now apply NumOcc.Mem_Num_Occ.
Qed.

(* Why3 goal *)
Lemma Permut_length {a:Type} {a_WT:WhyType a} :
  forall (l1:Init.Datatypes.list a) (l2:Init.Datatypes.list a),
  permut l1 l2 -> ((list.Length.length l1) = (list.Length.length l2)).
Proof.
intros l1 l2 h1.
revert l2 h1.
induction l1 as [|l1h l1t IHl1].
- destruct l2 as [|l2h l2t].
  easy.
  intros H.
  specialize (H l2h).
  contradict H.
  simpl.
  case why_decidable_eq ; intros H.
  generalize (NumOcc.Num_Occ_NonNeg l2h l2t).
  lia.
  now elim H.
- intros l2 H.
  assert (H': Mem.mem l1h l2).
    apply NumOcc.Mem_Num_Occ.
    specialize (H l1h).
    simpl in H.
    destruct (why_decidable_eq l1h l1h) as [_|H'].
    2: now elim H'.
    generalize (NumOcc.Num_Occ_NonNeg l1h l1t).
    lia.
  destruct (Append.mem_decomp _ _ H') as [l2a [l2b Hl2]].
  rewrite Hl2.
  rewrite Append.Append_length.
  change (1 + Length.length l1t = Length.length l2a + (1 + Length.length l2b))%Z.
  rewrite (IHl1 (l2a ++ l2b)%list).
  rewrite Append.Append_length.
  ring.
  rewrite Hl2 in H.
  assert (H1 := Permut_cons_append l1h l2a l2b).
  apply Permut_sym in H1.
  generalize (Permut_trans _ _ _ H H1).
  change ((l1h :: l2a) ++ l2b)%list with (l1h :: (l2a ++ l2b))%list.
  generalize (l2a ++ l2b)%list.
  clear.
  intros l H y.
  specialize (H y).
  simpl in H.
  lia.
Qed.

why3-1.6.0/lib/coq/list/RevAppend.v000066400000000000000000000054621440160026300167710ustar00rootroot00000000000000(********************************************************************)
(*                                                                  *)
(*  The Why3 Verification Platform   /   The Why3 Development Team  *)
(*  Copyright 2010-2023 --  Inria - CNRS - Paris-Saclay University  *)
(*                                                                  *)
(*  This software is distributed under the terms of the GNU Lesser  *)
(*  General Public License version 2.1, with the special exception  *)
(*  on linking described in file LICENSE.                           *)
(*                                                                  *)
(********************************************************************)

(* This file is generated by Why3's Coq-realize driver *)
(* Beware! Only edit allowed sections below    *)
Require Import BuiltIn.
Require BuiltIn.
Require int.Int.
Require list.List.
Require list.Length.
Require list.Mem.
Require list.Append.
Require list.Reverse.

(* Why3 goal *)
Lemma rev_append'def {a:Type} {a_WT:WhyType a} :
  forall (s:Init.Datatypes.list a) (t:Init.Datatypes.list a),
  ((Lists.List.rev_append s t) =
   match s with
   | Init.Datatypes.cons x r =>
       Lists.List.rev_append r (Init.Datatypes.cons x t)
   | Init.Datatypes.nil => t
   end).
Proof.
intros s t.
destruct s; simpl; auto.
Qed.

(* Why3 goal *)
Lemma rev_append_append_l {a:Type} {a_WT:WhyType a} :
  forall (r:Init.Datatypes.list a) (s:Init.Datatypes.list a)
    (t:Init.Datatypes.list a),
  ((Lists.List.rev_append (Init.Datatypes.app r s) t) =
   (Lists.List.rev_append s (Lists.List.rev_append r t))).
Proof.
intros r s.
induction r as [|rh rt IHr].
easy.
now simpl.
Qed.

(* Why3 goal *)
Lemma rev_append_length {a:Type} {a_WT:WhyType a} :
  forall (s:Init.Datatypes.list a) (t:Init.Datatypes.list a),
  ((list.Length.length (Lists.List.rev_append s t)) =
   ((list.Length.length s) + (list.Length.length t))%Z).
Proof.
intros s.
induction s as [|sh st IHs].
easy.
intros t.
simpl List.rev_append.
rewrite IHs.
change (Length.length (sh :: t)) with (1 + Length.length t)%Z.
change (Length.length (sh :: st)) with (1 + Length.length st)%Z.
ring.
Qed.

(* Why3 goal *)
Lemma rev_append_def {a:Type} {a_WT:WhyType a} :
  forall (r:Init.Datatypes.list a) (s:Init.Datatypes.list a),
  ((Lists.List.rev_append r s) = (Init.Datatypes.app (Lists.List.rev r) s)).
Proof.
induction r; simpl.
now auto.
intro s; rewrite IHr.
rewrite <- Append.Append_assoc.
simpl. reflexivity.
Qed.

(* Why3 goal *)
Lemma rev_append_append_r {a:Type} {a_WT:WhyType a} :
  forall (r:Init.Datatypes.list a) (s:Init.Datatypes.list a)
    (t:Init.Datatypes.list a),
  ((Lists.List.rev_append r (Init.Datatypes.app s t)) =
   (Lists.List.rev_append (Lists.List.rev_append s r) t)).
Proof.
intros r s t.
revert r.
induction s as [|sh st IHs].
easy.
intros r.
simpl.
now rewrite <- IHs.
Qed.

why3-1.6.0/lib/coq/list/Reverse.v000066400000000000000000000060511440160026300165130ustar00rootroot00000000000000(********************************************************************)
(*                                                                  *)
(*  The Why3 Verification Platform   /   The Why3 Development Team  *)
(*  Copyright 2010-2023 --  Inria - CNRS - Paris-Saclay University  *)
(*                                                                  *)
(*  This software is distributed under the terms of the GNU Lesser  *)
(*  General Public License version 2.1, with the special exception  *)
(*  on linking described in file LICENSE.                           *)
(*                                                                  *)
(********************************************************************)

(* This file is generated by Why3's Coq-realize driver *)
(* Beware! Only edit allowed sections below    *)
Require Import BuiltIn.
Require BuiltIn.
Require int.Int.
Require list.List.
Require list.Length.
Require list.Mem.
Require list.Append.

(* Why3 goal *)
Lemma reverse'def {a:Type} {a_WT:WhyType a} :
  forall (l:Init.Datatypes.list a),
  ((Lists.List.rev l) =
   match l with
   | Init.Datatypes.nil => Init.Datatypes.nil
   | Init.Datatypes.cons x r =>
       Init.Datatypes.app (Lists.List.rev r)
       (Init.Datatypes.cons x Init.Datatypes.nil)
   end).
Proof.
now intros [|x l].
Qed.

(* Why3 goal *)
Lemma reverse_append {a:Type} {a_WT:WhyType a} :
  forall (l1:Init.Datatypes.list a) (l2:Init.Datatypes.list a) (x:a),
  ((Init.Datatypes.app (Lists.List.rev (Init.Datatypes.cons x l1)) l2) =
   (Init.Datatypes.app (Lists.List.rev l1) (Init.Datatypes.cons x l2))).
Proof.
intros l1 l2 x.
simpl.
now rewrite <- List.app_assoc.
Qed.

(* Why3 goal *)
Lemma reverse_cons {a:Type} {a_WT:WhyType a} :
  forall (l:Init.Datatypes.list a) (x:a),
  ((Lists.List.rev (Init.Datatypes.cons x l)) =
   (Init.Datatypes.app (Lists.List.rev l)
    (Init.Datatypes.cons x Init.Datatypes.nil))).
intros l x.
simpl.
auto.
Qed.

(* Why3 goal *)
Lemma cons_reverse {a:Type} {a_WT:WhyType a} :
  forall (l:Init.Datatypes.list a) (x:a),
  ((Init.Datatypes.cons x (Lists.List.rev l)) =
   (Lists.List.rev
    (Init.Datatypes.app l (Init.Datatypes.cons x Init.Datatypes.nil)))).
intros l x.
now rewrite List.rev_unit.
Qed.

(* Why3 goal *)
Lemma reverse_reverse {a:Type} {a_WT:WhyType a} :
  forall (l:Init.Datatypes.list a), ((Lists.List.rev (Lists.List.rev l)) = l).
Proof.
intros l.
apply List.rev_involutive.
Qed.

(* Why3 goal *)
Lemma reverse_mem {a:Type} {a_WT:WhyType a} :
  forall (l:Init.Datatypes.list a) (x:a),
  list.Mem.mem x l <-> list.Mem.mem x (Lists.List.rev l).
intros l x.
induction l; simpl; intuition.
rewrite Append.mem_append.
right; simpl; now intuition.
rewrite Append.mem_append.
now auto.
assert (Mem.mem x (List.rev l) \/ Mem.mem x (a0 :: nil))%list.
rewrite <- Append.mem_append; assumption.
intuition; simpl in *.
intuition.
Qed.

(* Why3 goal *)
Lemma Reverse_length {a:Type} {a_WT:WhyType a} :
  forall (l:Init.Datatypes.list a),
  ((list.Length.length (Lists.List.rev l)) = (list.Length.length l)).
Proof.
intros l.
rewrite 2!Length.length_std.
now rewrite List.rev_length.
Qed.

why3-1.6.0/lib/coq/map/000077500000000000000000000000001440160026300145115ustar00rootroot00000000000000why3-1.6.0/lib/coq/map/Const.v000066400000000000000000000020051440160026300157630ustar00rootroot00000000000000(********************************************************************)
(*                                                                  *)
(*  The Why3 Verification Platform   /   The Why3 Development Team  *)
(*  Copyright 2010-2023 --  Inria - CNRS - Paris-Saclay University  *)
(*                                                                  *)
(*  This software is distributed under the terms of the GNU Lesser  *)
(*  General Public License version 2.1, with the special exception  *)
(*  on linking described in file LICENSE.                           *)
(*                                                                  *)
(********************************************************************)

(* This file is generated by Why3's Coq-realize driver *)
(* Beware! Only edit allowed sections below    *)
Require Import BuiltIn.
Require BuiltIn.
Require HighOrd.
Require map.Map.

(* Why3 assumption *)
Definition const {a:Type} {a_WT:WhyType a} {b:Type} {b_WT:WhyType b} 
    (v:b) : a -> b :=
  fun (us:a) => v.

why3-1.6.0/lib/coq/map/Map.v000066400000000000000000000034471440160026300154250ustar00rootroot00000000000000(********************************************************************)
(*                                                                  *)
(*  The Why3 Verification Platform   /   The Why3 Development Team  *)
(*  Copyright 2010-2023 --  Inria - CNRS - Paris-Saclay University  *)
(*                                                                  *)
(*  This software is distributed under the terms of the GNU Lesser  *)
(*  General Public License version 2.1, with the special exception  *)
(*  on linking described in file LICENSE.                           *)
(*                                                                  *)
(********************************************************************)

(* This file is generated by Why3's Coq-realize driver *)
(* Beware! Only edit allowed sections below    *)
Require Import BuiltIn.
Require BuiltIn.
Require HighOrd.

Require Import ClassicalEpsilon.

(* Why3 assumption *)
Definition map (a:Type) (b:Type) := a -> b.

Global Instance map_WhyType : forall (a:Type) {a_WT:WhyType a} (b:Type) {b_WT:WhyType b}, WhyType (map a b).
Proof.
intros.
repeat split.
exact (fun _ => why_inhabitant).
intros x y.
apply excluded_middle_informative.
Qed.

(* Why3 goal *)
Definition set {a:Type} {a_WT:WhyType a} {b:Type} {b_WT:WhyType b} :
  (a -> b) -> a -> b -> a -> b.
Proof.
intros m x y.
intros x'.
destruct (why_decidable_eq x x') as [H|H].
exact y.
exact (m x').
Defined.

(* Why3 goal *)
Lemma set'def {a:Type} {a_WT:WhyType a} {b:Type} {b_WT:WhyType b} :
  forall (f:a -> b) (x:a) (v:b) (y:a),
  ((y = x) -> ((set f x v y) = v)) /\ (~ (y = x) -> ((set f x v y) = (f y))).
Proof.
intros f x v y.
unfold set.
case why_decidable_eq.
intros <-.
split ; try easy ; intros H ; now elim H. (* TODO: replace by easy after 8.4 *)
intros H.
split ; intros H'.
now elim H.
easy.
Qed.

why3-1.6.0/lib/coq/map/MapInjection.v000066400000000000000000000224561440160026300172710ustar00rootroot00000000000000(********************************************************************)
(*                                                                  *)
(*  The Why3 Verification Platform   /   The Why3 Development Team  *)
(*  Copyright 2010-2023 --  Inria - CNRS - Paris-Saclay University  *)
(*                                                                  *)
(*  This software is distributed under the terms of the GNU Lesser  *)
(*  General Public License version 2.1, with the special exception  *)
(*  on linking described in file LICENSE.                           *)
(*                                                                  *)
(********************************************************************)

(* This file is generated by Why3's Coq-realize driver *)
(* Beware! Only edit allowed sections below    *)
Require Import BuiltIn.
Require BuiltIn.
Require HighOrd.
Require int.Int.
Require map.Map.
Require map.Occ.

(* preliminaries *)

Definition into (n:nat) (f:nat -> nat) :=
  forall i:nat, i < n -> f i < n.

Definition injection (n:nat) (f:nat -> nat) :=
  forall i j:nat, i < n -> j < n ->
     f i = f j -> i = j.

Definition surjection (n:nat) (f:nat -> nat) :=
  forall i:nat, i < n ->
    exists j:nat, j < n /\ f j = i.

Require Import Lia Peano_dec.

Theorem injective_implies_surjective:
  forall n:nat,
  forall f:nat -> nat,
  into n f ->
  injection n f ->
  surjection n f.
Proof.
induction n.
(* case n = 0 *)
unfold surjection; intros.
elimtype False; lia.
(* case n > 0 *)
intros f Hinto Hinj.
pose (k := f n).
assert (Hbound_k: k < S n) by (apply Hinto; lia).
(* transposition n <-> k *)
pose (trans i :=
  if eq_nat_dec i n then k else
    if eq_nat_dec i k then n else i).
pose (g i := trans (f i)).

(* first step: g maps [0;n[ to [0;n[ *)

assert (Ginto: into n g).
  unfold into, g, trans; intros.
  destruct (eq_nat_dec (f i) n).
  (* f i = n *)
  assert (h : k < n \/ k = n) by lia.
  destruct h; auto.
  elimtype False.
  clear g trans; subst.
  assert (f i = i) by (apply Hinj; auto with * ).
  lia.
  (* f i <> n *)
  destruct (eq_nat_dec (f i) k).
  (* f i = k *)
  elimtype False.
  assert (i = n) by (apply Hinj; auto with * ).
  lia.
  (* f i <> k *)
  assert (f i < S n) by (apply Hinto; lia).
  lia.

(* second step: trans is injective *)

assert (trans_inj: injection (S n) trans).
  unfold injection, trans; intros.
  destruct (eq_nat_dec i n).
  (* i = n *)
  destruct (eq_nat_dec j n); auto with *.
  (* i = n and j <> n *)
  destruct (eq_nat_dec j k); lia.
  (* i <> n *)
  destruct (eq_nat_dec i k); auto with *.
  destruct (eq_nat_dec j n); auto with *.
  destruct (eq_nat_dec j k); lia.
  (* i <> n and i <> k *)
  destruct (eq_nat_dec j n); auto with *.
  destruct (eq_nat_dec j k); lia.

(* third step: g is injective on [0;n[  *)
assert (Ginj: injection n g).
  red; intros.
  apply Hinj; auto with *.

(* fourth step: g is surjective (by induction hypothesis) *)

assert (Gsurj: surjection n g).
  apply IHn with (f:=g); auto.

(* fifth step: f = trans o g *)

assert (f_is_trans_o_g: forall i, f i = trans (g i)).
  intro i; unfold g, trans.
  destruct (eq_nat_dec (f i) n).
  destruct (eq_nat_dec k n); auto with *.
  destruct (eq_nat_dec k k); auto with *.
  destruct (eq_nat_dec (f i) k).
  destruct (eq_nat_dec n n); auto with *.
  destruct (eq_nat_dec (f i) n); auto with *.
  destruct (eq_nat_dec (f i) k); auto with *.

(* conclusion *)
red; intros.
assert (h: i = k \/ i <> k) by lia.
destruct h.
(* case i = k: the preimage is n *)
exists n; auto.
(* case i <> k *)
assert (h: i = n \/ i <> n) by lia.
destruct h.
(* case i = n: the preimage is the preimage of k by g *)
elim Gsurj with (i:=k).
intros x (h1,h2).
exists x.
split; auto.
rewrite f_is_trans_o_g.
rewrite h2.
unfold trans.
destruct (eq_nat_dec k n); auto with *.
destruct (eq_nat_dec k k); auto with *.
lia.
(* case i <> n and i <> k:
   the preimage is the preimage of i by g
 *)
elim Gsurj with (i:=i).
intros x (h1,h2).
exists x.
split; auto.
rewrite f_is_trans_o_g.
rewrite h2.
unfold trans.
destruct (eq_nat_dec i n); auto with *.
destruct (eq_nat_dec i k); auto with *.
lia.
Qed.



(* lifting the theorem to Z *)

Require Import ZArith.
Open Scope Z_scope.

Theorem lifting:
  forall n:Z,
  forall f:Z -> Z,
    (forall x:Z, 0 <= x < n -> 0 <= f x < n) ->
    exists g:nat -> nat,
      forall i:nat, Z_of_nat i < n -> Z_of_nat (g i) = f (Z_of_nat i).
Proof.
intros n f Hpos.
exists (fun n => Z.abs_nat (f (Z_of_nat n))).
intros i Hi_inf_n.
rewrite inj_Zabs_nat.
rewrite Z.abs_eq; auto.
generalize (Hpos (Z_of_nat i)); auto with *.
Qed.

Theorem Zinjective_implies_surjective:
  forall n:Z,
  forall f:Z -> Z,
  (forall i:Z, 0 <= i < n -> 0 <= f i < n) ->
  (forall i j:Z, 0 <= i < n -> 0 <= j < n -> f i = f j -> i = j) ->
  forall i:Z, 0 <= i < n -> exists k:Z, 0 <= k < n /\ f k = i.
Proof.
intros n f Hinto.
elim (lifting n f Hinto).
intros g Heq_g_f Hinj i Hi_inf_n.
assert (n_pos: 0 <= n) by lia.
elim (Z_of_nat_complete_inf n n_pos).
intros m Heq_n_m.

(* g is into *)

assert (Hinto_g: into m g).
  red; intros i0 Hinter.
  assert (0 <= f (Z_of_nat i0) < n) by (apply Hinto; lia).
  apply inj_lt_rev; auto with *.
  rewrite Heq_g_f; auto with *.

(* g is injective *)

assert (Hinj_g: injection m g).
  red; intros i0 j0 Hinter_i Hinter_j Heq_gi_gj.
  apply inj_eq_rev.
  apply Hinj; auto with *.
  repeat rewrite <- Heq_g_f; auto with *.

(* conclusion *)
generalize (injective_implies_surjective m g Hinto_g Hinj_g).
intro Hsurj_g.
assert (i_pos: 0 <= i) by lia.
elim (Z_of_nat_complete_inf i i_pos).
intros j Heq_j_i.
elim (Hsurj_g j); auto with *.
intros x (inter_x, eq_x).
exists (Z_of_nat x).
split; auto with *.
rewrite <- Heq_g_f; lia.
Qed.




(* Why3 assumption *)
Definition injective (a:Numbers.BinNums.Z -> Numbers.BinNums.Z)
    (n:Numbers.BinNums.Z) : Prop :=
  forall (i:Numbers.BinNums.Z) (j:Numbers.BinNums.Z),
  (0%Z <= i)%Z /\ (i < n)%Z -> (0%Z <= j)%Z /\ (j < n)%Z -> ~ (i = j) ->
  ~ ((a i) = (a j)).

(* Why3 assumption *)
Definition surjective (a:Numbers.BinNums.Z -> Numbers.BinNums.Z)
    (n:Numbers.BinNums.Z) : Prop :=
  forall (i:Numbers.BinNums.Z), (0%Z <= i)%Z /\ (i < n)%Z ->
  exists j:Numbers.BinNums.Z, ((0%Z <= j)%Z /\ (j < n)%Z) /\ ((a j) = i).

(* Why3 assumption *)
Definition range (a:Numbers.BinNums.Z -> Numbers.BinNums.Z)
    (n:Numbers.BinNums.Z) : Prop :=
  forall (i:Numbers.BinNums.Z), (0%Z <= i)%Z /\ (i < n)%Z ->
  (0%Z <= (a i))%Z /\ ((a i) < n)%Z.

(* Why3 goal *)
Lemma injective_surjective :
  forall (a:Numbers.BinNums.Z -> Numbers.BinNums.Z) (n:Numbers.BinNums.Z),
  injective a n -> range a n -> surjective a n.
Proof.
unfold injective, range, surjective.
intros a n h1 h2.
intros.
apply Zinjective_implies_surjective; auto.
intros.
assert (h: (i0 = j \/ i0 <> j)%Z) by lia.
destruct h; auto.
red in h1.
elimtype False; apply h1 with i0 j; clear h1; auto.
Qed.

Import Occ.

(* Why3 goal *)
Lemma injection_occ :
  forall (m:Numbers.BinNums.Z -> Numbers.BinNums.Z) (n:Numbers.BinNums.Z),
  injective m n <->
  (forall (v:Numbers.BinNums.Z), ((map.Occ.occ v m 0%Z n) <= 1%Z)%Z).
Proof.
intros m n; split.
(* -> *)
intros inj v.
assert (case: (occ v m 0 n <= 1 \/ occ v m 0 n >= 2)%Z) by lia. destruct case.
trivial.
destruct (occ_exists v m 0 n) as (i,(hi1,hi2)). lia.
assert (0 <= occ v m 0 i)%Z.
  generalize (occ_bounds v m 0 i). lia.
assert (case: (occ v m 0 i = 0 \/ occ v m 0 i > 0)%Z) by lia. destruct case.
assert (0 < occ v m (i+1) n)%Z.
assert (occ v m 0 n = occ v m 0 i + occ v m i n)%Z.
  apply occ_append; lia.
  assert (occ v m i n = occ v m i (i+1) + occ v m (i+1) n)%Z.
  apply occ_append; lia.
  assert (occ v m i (i+1) = 1)%Z.
  rewrite occ_right_add.
  replace (i+1-1)%Z with i by lia.
  rewrite occ_empty; lia.
  lia.
  replace (i+1-1)%Z with i by lia. auto.
  lia.
destruct (occ_exists v m (i+1) n) as (j,(hj1,hj2)). lia.
elim (inj i j); lia.
destruct (occ_exists v m 0 i) as (j,(hj1,hj2)). lia.
elim (inj i j); lia.

(* <- *)
intros Hocc i j hi hj neq eq.
pose (v := m i).
assert (occ v m 0 n >= 2)%Z.
assert (occ v m 0 n = occ v m 0 i + occ v m i n)%Z.
  apply occ_append; lia.
  assert (occ v m i n = occ v m i (i+1) + occ v m (i+1) n)%Z.
  apply occ_append; lia.
  assert (occ v m i (i+1) = 1)%Z.
  rewrite occ_right_add.
  replace (i+1-1)%Z with i by lia.
  rewrite occ_empty; lia.
  lia.
  replace (i+1-1)%Z with i by lia. auto.
assert (case: (j < i \/ i+1 <= j)%Z) by lia. destruct case.
assert (occ v m 0 i >= 1)%Z.
  assert (occ v m 0 i = occ v m 0 j + occ v m j i)%Z.
  apply occ_append; lia.
  assert (occ v m j i = occ v m j (j+1) + occ v m (j+1) i)%Z.
  apply occ_append; lia.
  assert (occ v m j (j+1) = 1)%Z.
  rewrite occ_right_add.
  replace (j+1-1)%Z with j by lia.
  rewrite occ_empty; lia.
  lia.
  replace (j+1-1)%Z with j by lia. auto.
  generalize (occ_bounds v m (i+1) n).
  generalize (occ_bounds v m 0 j).
  generalize (occ_bounds v m (j+1) i).
  lia.
  generalize (occ_bounds v m (i+1) n).
lia.
assert (occ v m (i+1) n >= 1)%Z.
  assert (occ v m (i+1) n = occ v m (i+1) j + occ v m j n)%Z.
  apply occ_append; lia.
  assert (occ v m j n = occ v m j (j+1) + occ v m (j+1) n)%Z.
  apply occ_append; lia.
  assert (occ v m j (j+1) = 1)%Z.
  rewrite occ_right_add.
  replace (j+1-1)%Z with j by lia.
  rewrite occ_empty; lia.
  lia.
  replace (j+1-1)%Z with j by lia. auto.
  generalize (occ_bounds v m (j+1) n).
  generalize (occ_bounds v m 0 i).
  generalize (occ_bounds v m (i+1) j).
  lia.
  generalize (occ_bounds v m 0 i).
  lia.
generalize (Hocc v); lia.
Qed.

why3-1.6.0/lib/coq/map/MapPermut.v000066400000000000000000000041211440160026300166100ustar00rootroot00000000000000(********************************************************************)
(*                                                                  *)
(*  The Why3 Verification Platform   /   The Why3 Development Team  *)
(*  Copyright 2010-2023 --  Inria - CNRS - Paris-Saclay University  *)
(*                                                                  *)
(*  This software is distributed under the terms of the GNU Lesser  *)
(*  General Public License version 2.1, with the special exception  *)
(*  on linking described in file LICENSE.                           *)
(*                                                                  *)
(********************************************************************)

(* This file is generated by Why3's Coq-realize driver *)
(* Beware! Only edit allowed sections below    *)
Require Import BuiltIn.
Require BuiltIn.
Require HighOrd.
Require int.Int.
Require map.Map.
Require map.Occ.

(* Why3 assumption *)
Definition permut {a:Type} {a_WT:WhyType a} (m1:Numbers.BinNums.Z -> a)
    (m2:Numbers.BinNums.Z -> a) (l:Numbers.BinNums.Z) (u:Numbers.BinNums.Z) :
    Prop :=
  forall (v:a), ((map.Occ.occ v m1 l u) = (map.Occ.occ v m2 l u)).

(* Why3 goal *)
Lemma permut_trans {a:Type} {a_WT:WhyType a} :
  forall (a1:Numbers.BinNums.Z -> a) (a2:Numbers.BinNums.Z -> a)
    (a3:Numbers.BinNums.Z -> a),
  forall (l:Numbers.BinNums.Z) (u:Numbers.BinNums.Z), permut a1 a2 l u ->
  permut a2 a3 l u -> permut a1 a3 l u.
Proof.
intros a1 a2 a3 l u h1 h2.
unfold permut in *.
intros. transitivity (Occ.occ v a2 l u); auto.
Qed.

(* Why3 goal *)
Lemma permut_exists {a:Type} {a_WT:WhyType a} :
  forall (a1:Numbers.BinNums.Z -> a) (a2:Numbers.BinNums.Z -> a)
    (l:Numbers.BinNums.Z) (u:Numbers.BinNums.Z) (i:Numbers.BinNums.Z),
  permut a1 a2 l u -> (l <= i)%Z /\ (i < u)%Z ->
  exists j:Numbers.BinNums.Z, ((l <= j)%Z /\ (j < u)%Z) /\ ((a1 j) = (a2 i)).
Proof.
intros a1 a2 l u i h1 Hi.
pose (v := a2 i).
assert (0 < map.Occ.occ v a2 l u)%Z.
  apply map.Occ.occ_pos. assumption.
rewrite <- h1 in H.
generalize (map.Occ.occ_exists v a1 l u H).
intros (j, (hj1,hj2)).
exists j; intuition.
Qed.

why3-1.6.0/lib/coq/map/Occ.v000066400000000000000000000302231440160026300154040ustar00rootroot00000000000000(********************************************************************)
(*                                                                  *)
(*  The Why3 Verification Platform   /   The Why3 Development Team  *)
(*  Copyright 2010-2023 --  Inria - CNRS - Paris-Saclay University  *)
(*                                                                  *)
(*  This software is distributed under the terms of the GNU Lesser  *)
(*  General Public License version 2.1, with the special exception  *)
(*  on linking described in file LICENSE.                           *)
(*                                                                  *)
(********************************************************************)

(* This file is generated by Why3's Coq-realize driver *)
(* Beware! Only edit allowed sections below    *)
Require Import BuiltIn.
Require BuiltIn.
Require HighOrd.
Require int.Int.
Require map.Map.

Require Import Lia.

(* Why3 goal *)
Definition occ {a:Type} {a_WT:WhyType a} :
  a -> (Numbers.BinNums.Z -> a) -> Numbers.BinNums.Z -> Numbers.BinNums.Z ->
  Numbers.BinNums.Z.
Proof.
intros v m l u.
induction (Z.to_nat (u-l)) as [|delta occ_].
exact Z0.
exact ((if why_decidable_eq (m (l + Z_of_nat delta)%Z) v then 1 else 0) + occ_)%Z.
Defined.

Lemma occ_equation :
  forall {a:Type} {a_WT:WhyType a} v m l u,
  (l < u)%Z ->
  occ v m l u =
  ((if why_decidable_eq (m (u - 1)%Z) v then 1 else 0) + occ v m l (u - 1))%Z.
Proof.
intros a a_WT v m l u Hlu.
assert (0 < u - l)%Z as h1' by lia.
unfold occ.
replace (u - 1 - l)%Z with (u - l - 1)%Z by ring.
replace (u - 1)%Z with (l + (u - l - 1))%Z by ring.
rewrite <- (Z2Nat.id (u - l - 1)) by lia.
rewrite (Z2Nat.inj_sub _ 1) by easy.
destruct (u - l)%Z ; try easy.
simpl.
assert (exists n, Pos.to_nat p = S n) as [n ->].
  exists (Z.to_nat (Z.pred (Zpos p))).
  rewrite Z2Nat.inj_pred.
  apply (S_pred _ O).
  apply Pos2Nat.is_pos.
simpl.
now rewrite <- minus_n_O, Nat2Z.id.
Qed.

Require Import Zwf.

Lemma occ_equation' :
  forall {a:Type} {a_WT:WhyType a} v m l u,
  (l < u)%Z ->
  occ v m l u =
  ((if why_decidable_eq (m l) v then 1 else 0) + occ v m (l + 1) u)%Z.
Proof.
intros a a_WT v m l u Hlu.
induction u using (well_founded_induction (Zwf_well_founded l)).
destruct (Z_lt_le_dec (l + 1) u) as [Hlu'|Hlu'].
rewrite Zplus_comm.
rewrite occ_equation with (1 := Hlu).
rewrite occ_equation with (1 := Hlu').
rewrite <- Zplus_assoc.
apply f_equal.
rewrite Zplus_comm.
apply H.
clear -Hlu' ; unfold Zwf ; lia.
clear -Hlu' ; lia.
replace u with (l + 1)%Z.
unfold occ.
rewrite Z.add_simpl_l.
rewrite <- Zminus_diag_reverse.
simpl.
now rewrite (Zplus_0_r l).
clear -Hlu Hlu' ; lia.
Qed.

(* Why3 goal *)
Lemma occ_empty {a:Type} {a_WT:WhyType a} :
  forall (v:a) (m:Numbers.BinNums.Z -> a) (l:Numbers.BinNums.Z)
    (u:Numbers.BinNums.Z),
  (u <= l)%Z -> ((occ v m l u) = 0%Z).
Proof.
intros v m l u h1.
assert (u - l <= 0)%Z as h1' by lia.
unfold occ.
destruct (u - l)%Z ; try reflexivity.
now elim h1'.
Qed.

(* Why3 goal *)
Lemma occ_right_no_add {a:Type} {a_WT:WhyType a} :
  forall (v:a) (m:Numbers.BinNums.Z -> a) (l:Numbers.BinNums.Z)
    (u:Numbers.BinNums.Z),
  (l < u)%Z -> ~ ((m (u - 1%Z)%Z) = v) ->
  ((occ v m l u) = (occ v m l (u - 1%Z)%Z)).
Proof.
intros v m l u h1 h2.
rewrite occ_equation with (1 := h1).
now destruct why_decidable_eq as [H|H].
Qed.

(* Why3 goal *)
Lemma occ_right_add {a:Type} {a_WT:WhyType a} :
  forall (v:a) (m:Numbers.BinNums.Z -> a) (l:Numbers.BinNums.Z)
    (u:Numbers.BinNums.Z),
  (l < u)%Z -> ((m (u - 1%Z)%Z) = v) ->
  ((occ v m l u) = (1%Z + (occ v m l (u - 1%Z)%Z))%Z).
Proof.
intros v m l u h1 h2.
rewrite occ_equation with (1 := h1).
now destruct why_decidable_eq as [H|H].
Qed.

(* Why3 goal *)
Lemma occ_left_no_add {a:Type} {a_WT:WhyType a} :
  forall (v:a) (m:Numbers.BinNums.Z -> a) (l:Numbers.BinNums.Z)
    (u:Numbers.BinNums.Z),
  (l < u)%Z -> ~ ((m l) = v) -> ((occ v m l u) = (occ v m (l + 1%Z)%Z u)).
Proof.
intros v m l u h1 h2.
rewrite occ_equation' with (1 := h1).
now destruct why_decidable_eq as [H|H].
Qed.

(* Why3 goal *)
Lemma occ_left_add {a:Type} {a_WT:WhyType a} :
  forall (v:a) (m:Numbers.BinNums.Z -> a) (l:Numbers.BinNums.Z)
    (u:Numbers.BinNums.Z),
  (l < u)%Z -> ((m l) = v) ->
  ((occ v m l u) = (1%Z + (occ v m (l + 1%Z)%Z u))%Z).
Proof.
intros v m l u h1 h2.
rewrite occ_equation' with (1 := h1).
now destruct why_decidable_eq as [H|H].
Qed.

(* Why3 goal *)
Lemma occ_bounds {a:Type} {a_WT:WhyType a} :
  forall (v:a) (m:Numbers.BinNums.Z -> a) (l:Numbers.BinNums.Z)
    (u:Numbers.BinNums.Z),
  (l <= u)%Z -> (0%Z <= (occ v m l u))%Z /\ ((occ v m l u) <= (u - l)%Z)%Z.
Proof.
intros v m l u h1.
cut (0 <= u - l)%Z. 2: lia.
replace (occ v m l u) with (occ v m l (l + (u - l)))%Z.
pattern (u - l)%Z; apply Z_lt_induction. 2: lia.
intros.
assert (h: (x = 0 \/ x <> 0)%Z) by lia. destruct h.
now rewrite occ_empty; lia.
destruct (why_decidable_eq (m (l + (x-1))%Z) v).
rewrite occ_right_add.
generalize (H (x-1)%Z); clear H; intros.
assert (0 <= occ v m l (l + (x - 1)) <= x-1)%Z.
apply H; lia.
replace (l + x - 1)%Z with (l+(x-1))%Z by ring.
lia.
lia.
replace (l + x - 1)%Z with (l+(x-1))%Z by ring.
trivial.
rewrite occ_right_no_add.
assert (0 <= occ v m l (l + (x - 1)) <= x-1)%Z.
apply H; lia.
replace (l + x - 1)%Z with (l+(x-1))%Z by ring.
lia.
lia.
replace (l + x - 1)%Z with (l+(x-1))%Z by ring.
trivial.
replace (l + (u-l))%Z with u by ring. trivial.
Qed.

(* Why3 goal *)
Lemma occ_append {a:Type} {a_WT:WhyType a} :
  forall (v:a) (m:Numbers.BinNums.Z -> a) (l:Numbers.BinNums.Z)
    (mid:Numbers.BinNums.Z) (u:Numbers.BinNums.Z),
  (l <= mid)%Z /\ (mid <= u)%Z ->
  ((occ v m l u) = ((occ v m l mid) + (occ v m mid u))%Z).
Proof.
intros v m l mid u (h1,h2).
cut (0 <= u - mid)%Z. 2: lia.
replace (occ v m l u) with (occ v m l (mid + (u - mid)))%Z.
replace (occ v m mid u) with (occ v m mid (mid + (u - mid)))%Z.
pattern (u - mid)%Z; apply Z_lt_induction. 2: lia.
intros.
assert (h: (x = 0 \/ x <> 0)%Z) by lia. destruct h.
rewrite (occ_empty _ _ mid (mid+x)%Z).
subst x. ring_simplify ((mid+0)%Z). ring.
lia.
destruct (why_decidable_eq (m (mid + (x-1))%Z) v).
rewrite (occ_right_add _ _ l (mid+x))%Z.
rewrite (occ_right_add _ _ mid (mid+x))%Z.
generalize (H (x-1)%Z); clear H; intros.
assert ((occ v m l (mid+(x-1)) = (occ v m l mid) + occ v m mid (mid + (x - 1)))%Z).
apply H; lia.
replace (mid + x - 1)%Z with (mid+(x-1))%Z by ring.
lia. lia.
trivial.
replace (mid + x - 1)%Z with (mid+(x-1))%Z by ring. trivial.
lia.
replace (mid + x - 1)%Z with (mid+(x-1))%Z by ring. trivial.

rewrite (occ_right_no_add _ _ l (mid+x))%Z.
rewrite (occ_right_no_add _ _ mid (mid+x))%Z.
generalize (H (x-1)%Z); clear H; intros.
assert ((occ v m l (mid+(x-1)) = (occ v m l mid) + occ v m mid (mid + (x - 1)))%Z).
apply H; lia.
replace (mid + x - 1)%Z with (mid+(x-1))%Z by ring.
lia. lia.
trivial.
replace (mid + x - 1)%Z with (mid+(x-1))%Z by ring. trivial.
lia.
replace (mid + x - 1)%Z with (mid+(x-1))%Z by ring. trivial.

replace (mid + (u-mid))%Z with u by ring. trivial.
replace (mid + (u-mid))%Z with u by ring. trivial.
Qed.

(* Why3 goal *)
Lemma occ_neq {a:Type} {a_WT:WhyType a} :
  forall (v:a) (m:Numbers.BinNums.Z -> a) (l:Numbers.BinNums.Z)
    (u:Numbers.BinNums.Z),
  (forall (i:Numbers.BinNums.Z), (l <= i)%Z /\ (i < u)%Z -> ~ ((m i) = v)) ->
  ((occ v m l u) = 0%Z).
Proof.
intros v m l u.
assert (h: (u < l \/ 0 <= u - l)%Z) by lia. destruct h.
rewrite occ_empty. trivial. lia.
replace u with (l + (u - l))%Z. 2:ring.
generalize H.
pattern (u - l)%Z; apply Z_lt_induction. 2: lia.
clear H; intros.
assert (h: (x = 0 \/ x <> 0)%Z) by lia. destruct h.
now rewrite occ_empty; lia.
destruct (why_decidable_eq (m (l + (x-1))%Z) v).
assert (m (l + (x - 1)) <> v)%Z.
  apply H1; lia.
intuition.
rewrite occ_right_no_add.
replace (l+x-1)%Z with (l+(x-1))%Z by ring.
apply H; intuition.
apply (H1 i). lia. assumption.
lia.
replace (l + x - 1)%Z with (l+(x-1))%Z by ring.
trivial.
Qed.

(* Why3 goal *)
Lemma occ_exists {a:Type} {a_WT:WhyType a} :
  forall (v:a) (m:Numbers.BinNums.Z -> a) (l:Numbers.BinNums.Z)
    (u:Numbers.BinNums.Z),
  (0%Z < (occ v m l u))%Z ->
  exists i:Numbers.BinNums.Z, ((l <= i)%Z /\ (i < u)%Z) /\ ((m i) = v).
Proof.
intros v m l u h1.
assert (h: (u < l \/ 0 <= u - l)%Z) by lia. destruct h.
rewrite occ_empty in h1. elimtype False; lia. lia.
generalize h1.
replace u with (l + (u - l))%Z. 2:ring.
generalize H.
pattern (u - l)%Z; apply Z_lt_induction. 2: lia.
clear H; intros.
assert (h: (x = 0 \/ x <> 0)%Z) by lia. destruct h.
rewrite occ_empty in h0. elimtype False; lia. lia.
destruct (why_decidable_eq (m (l + (x-1))%Z) v).
exists (l+(x-1))%Z. split. lia. now trivial.
destruct (H (x-1))%Z as (i,(hi1,hi2)). lia. lia.
rewrite occ_right_no_add in h0.
replace (l + (x - 1))%Z with (l+x-1)%Z by ring. trivial.
lia.
replace (l + x - 1)%Z with (l+(x-1))%Z by ring. trivial.
exists i. split. lia. assumption.
Qed.

(* Why3 goal *)
Lemma occ_pos {a:Type} {a_WT:WhyType a} :
  forall (m:Numbers.BinNums.Z -> a) (l:Numbers.BinNums.Z)
    (u:Numbers.BinNums.Z) (i:Numbers.BinNums.Z),
  (l <= i)%Z /\ (i < u)%Z -> (0%Z < (occ (m i) m l u))%Z.
Proof.
intros m l u i (h1,h2).
pose (v := m i). fold v.
assert (occ v m l u = occ v m l i + occ v m i u)%Z.
  apply occ_append. lia.
assert (occ v m i u = occ v m i (i+1) + occ v m (i+1) u)%Z.
  apply occ_append. lia.
assert (occ v m i (i + 1) = 1)%Z.
rewrite occ_right_add.
  ring_simplify (i+1-1)%Z. rewrite occ_empty. ring. lia. lia.
ring_simplify (i+1-1)%Z. auto.
assert (0 <= occ v m l i <= i -l)%Z. apply occ_bounds. lia.
assert (0 <= occ v m i (i+1) <= (i+1)-i)%Z. apply occ_bounds. lia.
assert (0 <= occ v m (i+1) u <= u - (i+1))%Z. apply occ_bounds. lia.
lia.
Qed.

(* Why3 goal *)
Lemma occ_eq {a:Type} {a_WT:WhyType a} :
  forall (v:a) (m1:Numbers.BinNums.Z -> a) (m2:Numbers.BinNums.Z -> a)
    (l:Numbers.BinNums.Z) (u:Numbers.BinNums.Z),
  (forall (i:Numbers.BinNums.Z), (l <= i)%Z /\ (i < u)%Z ->
   ((m1 i) = (m2 i))) ->
  ((occ v m1 l u) = (occ v m2 l u)).
Proof.
intros v m1 m2 l u h1.
assert (h: (u < l \/ 0 <= u - l)%Z) by lia. destruct h.
rewrite occ_empty.
rewrite occ_empty. trivial.
lia. lia.
generalize h1.
replace u with (l + (u - l))%Z. 2:ring.
generalize H.
pattern (u - l)%Z; apply Z_lt_induction. 2: lia.
clear H; intros.
assert (h: (x = 0 \/ x <> 0)%Z) by lia. destruct h.
rewrite occ_empty. rewrite occ_empty. trivial. lia. lia.
destruct (why_decidable_eq (m1 (l + (x-1))%Z) v).
rewrite occ_right_add.
rewrite (occ_right_add v m2).
apply f_equal.
replace (l + x - 1)%Z with (l+(x-1))%Z by ring.
apply H. lia. lia. intros. apply h0. lia. lia.
replace (l + x - 1)%Z with (l+(x-1))%Z by ring.
rewrite <- h0. trivial. lia. lia.
replace (l + x - 1)%Z with (l+(x-1))%Z by ring. assumption.

rewrite occ_right_no_add.
rewrite (occ_right_no_add v m2).
replace (l + x - 1)%Z with (l+(x-1))%Z by ring.
apply H. lia. lia. intros. apply h0. lia. lia.
replace (l + x - 1)%Z with (l+(x-1))%Z by ring.
rewrite <- h0. trivial. lia. lia.
replace (l + x - 1)%Z with (l+(x-1))%Z by ring. assumption.
Qed.

Lemma occ_single {a:Type} {a_WT:WhyType a} :
  forall (m:Z -> a) (i:Z) (x:a),
  occ x m i (i + 1) = if why_decidable_eq (m i) x then 1%Z else 0%Z.
Proof.
intros m i x.
rewrite occ_equation'.
unfold occ, nat_rect.
rewrite Z.sub_diag.
apply Zplus_0_r.
apply Z.lt_succ_diag_r.
Qed.

Lemma occ_set {a:Type} {a_WT:WhyType a} :
  forall (m:Z -> a) (l:Z) (u:Z) (i:Z) (x:a) (y:a),
  (l <= i < u)%Z ->
  occ y (map.Map.set m i x) l u = (occ y m l u +
  (if why_decidable_eq x y then 1 else 0) -
  if why_decidable_eq (m i) y then 1 else 0)%Z.
Proof.
intros m l u i x y H.
rewrite 2!(occ_append _ _ l i u) by lia.
rewrite 2!(occ_append _ _ i (i + 1) u) by lia.
rewrite 2!occ_single.
rewrite (proj1 (Map.set'def _ _ _ _) eq_refl).
rewrite 2!(occ_eq _ (Map.set m i x) m).
ring.
intros j H1.
apply Map.set'def.
lia.
intros j H1.
apply Map.set'def.
lia.
Qed.

(* Why3 goal *)
Lemma occ_exchange {a:Type} {a_WT:WhyType a} :
  forall (m:Numbers.BinNums.Z -> a) (l:Numbers.BinNums.Z)
    (u:Numbers.BinNums.Z) (i:Numbers.BinNums.Z) (j:Numbers.BinNums.Z) 
    (x:a) (y:a) (z:a),
  (l <= i)%Z /\ (i < u)%Z -> (l <= j)%Z /\ (j < u)%Z -> ~ (i = j) ->
  ((occ z (map.Map.set (map.Map.set m i x) j y) l u) =
   (occ z (map.Map.set (map.Map.set m i y) j x) l u)).
Proof.
intros m l u i j x y z h1 h2 h3.
rewrite 4!occ_set by assumption.
apply not_eq_sym in h3.
rewrite 2!(proj2 (Map.set'def _ _ _ _) h3).
ring.
Qed.

why3-1.6.0/lib/coq/number/000077500000000000000000000000001440160026300152245ustar00rootroot00000000000000why3-1.6.0/lib/coq/number/Coprime.v000066400000000000000000000062511440160026300170150ustar00rootroot00000000000000(********************************************************************)
(*                                                                  *)
(*  The Why3 Verification Platform   /   The Why3 Development Team  *)
(*  Copyright 2010-2023 --  Inria - CNRS - Paris-Saclay University  *)
(*                                                                  *)
(*  This software is distributed under the terms of the GNU Lesser  *)
(*  General Public License version 2.1, with the special exception  *)
(*  on linking described in file LICENSE.                           *)
(*                                                                  *)
(********************************************************************)

(* This file is generated by Why3's Coq-realize driver *)
(* Beware! Only edit allowed sections below    *)
Require Import BuiltIn.
Require BuiltIn.
Require int.Int.
Require int.Abs.
Require int.EuclideanDivision.
Require int.ComputerDivision.
Require number.Parity.
Require number.Divisibility.
Require number.Gcd.
Require number.Prime.

(* Why3 assumption *)
Definition coprime (a:Numbers.BinNums.Z) (b:Numbers.BinNums.Z) : Prop :=
  ((number.Gcd.gcd a b) = 1%Z).

Lemma coprime_is_Zrel_prime :
  forall a b, coprime a b <-> Znumtheory.rel_prime a b.
intros.
unfold coprime.
unfold Znumtheory.rel_prime.
split; intro h.
rewrite <- h; apply Znumtheory.Zgcd_is_gcd.
apply Znumtheory.Zis_gcd_gcd; auto with zarith.
Qed.

(* Why3 goal *)
Lemma prime_coprime :
  forall (p:Numbers.BinNums.Z),
  number.Prime.prime p <->
  (2%Z <= p)%Z /\
  (forall (n:Numbers.BinNums.Z), (1%Z <= n)%Z /\ (n < p)%Z -> coprime n p).
intros p.
(*
Znumtheory.prime_intro:
  forall p : int,
  (1 < p)%Z ->
  (forall n : int, (1 <= n < p)%Z -> Znumtheory.rel_prime n p) ->
  Znumtheory.prime p
*)
rewrite Prime.prime_is_Zprime.
split.
intro h; inversion h; clear h.
split; auto with zarith.
intros n h.
rewrite coprime_is_Zrel_prime.
apply H0; auto.
intros (h1,h2).
constructor; auto with zarith.
intros n h.
rewrite <- coprime_is_Zrel_prime.
apply h2; auto.
Qed.

(* Why3 goal *)
Lemma Gauss :
  forall (a:Numbers.BinNums.Z) (b:Numbers.BinNums.Z) (c:Numbers.BinNums.Z),
  number.Divisibility.divides a (b * c)%Z /\ coprime a b ->
  number.Divisibility.divides a c.
intros a b c (h1,h2).
apply Znumtheory.Gauss with b; auto.
rewrite <- coprime_is_Zrel_prime; auto.
Qed.

(* Why3 goal *)
Lemma Euclid :
  forall (p:Numbers.BinNums.Z) (a:Numbers.BinNums.Z) (b:Numbers.BinNums.Z),
  number.Prime.prime p /\ number.Divisibility.divides p (a * b)%Z ->
  number.Divisibility.divides p a \/ number.Divisibility.divides p b.
intros p a b (h1,h2).
apply Znumtheory.prime_mult; auto.
now rewrite <- Prime.prime_is_Zprime.
Qed.

(* Why3 goal *)
Lemma gcd_coprime :
  forall (a:Numbers.BinNums.Z) (b:Numbers.BinNums.Z) (c:Numbers.BinNums.Z),
  coprime a b -> ((number.Gcd.gcd a (b * c)%Z) = (number.Gcd.gcd a c)).
intros a b c h1.
apply Z.gcd_unique.
- apply Z.gcd_nonneg.
- apply Gcd.gcd_def1.
- apply Divisibility.divides_multl.
  apply Gcd.gcd_def2.
- intros q h2 h3.
  apply Gcd.gcd_def3.
  trivial.
  apply Gauss with b; split; auto.
  rewrite coprime_is_Zrel_prime.
  rewrite coprime_is_Zrel_prime in h1.
  now apply Znumtheory.rel_prime_div with (2:=h2).
Qed.

why3-1.6.0/lib/coq/number/Divisibility.v000066400000000000000000000143531440160026300200650ustar00rootroot00000000000000(********************************************************************)
(*                                                                  *)
(*  The Why3 Verification Platform   /   The Why3 Development Team  *)
(*  Copyright 2010-2023 --  Inria - CNRS - Paris-Saclay University  *)
(*                                                                  *)
(*  This software is distributed under the terms of the GNU Lesser  *)
(*  General Public License version 2.1, with the special exception  *)
(*  on linking described in file LICENSE.                           *)
(*                                                                  *)
(********************************************************************)

(* This file is generated by Why3's Coq-realize driver *)
(* Beware! Only edit allowed sections below    *)
Require Import BuiltIn.
Require BuiltIn.
Require int.Int.
Require int.Abs.
Require int.EuclideanDivision.
Require int.ComputerDivision.
Require number.Parity.

(* Hack so that Why3 does not override the notation below.

(* Why3 assumption *)
Definition divides (d:Numbers.BinNums.Z) (n:Numbers.BinNums.Z) : Prop :=
  ((d = 0%Z) -> (n = 0%Z)) /\
  (~ (d = 0%Z) -> ((ZArith.BinInt.Z.rem n d) = 0%Z)).

(* Why3 goal *)
Lemma divides'spec :
  forall (d:Numbers.BinNums.Z) (n:Numbers.BinNums.Z),
  divides d n <-> (exists q:Numbers.BinNums.Z, (n = (q * d)%Z)).
Proof.
intros d n.

Qed.

*)

Require Import Znumtheory.
Notation divides := Z.divide (only parsing).

(* Why3 goal *)
Lemma divides_refl : forall (n:Numbers.BinNums.Z), divides n n.
Proof.
exact Z.divide_refl.
Qed.

(* Why3 goal *)
Lemma divides_1_n : forall (n:Numbers.BinNums.Z), divides 1%Z n.
Proof.
exact Zone_divide.
Qed.

(* Why3 goal *)
Lemma divides_0 : forall (n:Numbers.BinNums.Z), divides n 0%Z.
Proof.
exact Zdivide_0.
Qed.

(* Why3 goal *)
Lemma divides_left :
  forall (a:Numbers.BinNums.Z) (b:Numbers.BinNums.Z) (c:Numbers.BinNums.Z),
  divides a b -> divides (c * a)%Z (c * b)%Z.
Proof.
exact Zmult_divide_compat_l.
Qed.

(* Why3 goal *)
Lemma divides_right :
  forall (a:Numbers.BinNums.Z) (b:Numbers.BinNums.Z) (c:Numbers.BinNums.Z),
  divides a b -> divides (a * c)%Z (b * c)%Z.
Proof.
exact Zmult_divide_compat_r.
Qed.

(* Why3 goal *)
Lemma divides_oppr :
  forall (a:Numbers.BinNums.Z) (b:Numbers.BinNums.Z), divides a b ->
  divides a (-b)%Z.
Proof.
exact Zdivide_opp_r.
Qed.

(* Why3 goal *)
Lemma divides_oppl :
  forall (a:Numbers.BinNums.Z) (b:Numbers.BinNums.Z), divides a b ->
  divides (-a)%Z b.
Proof.
exact Zdivide_opp_l.
Qed.

(* Why3 goal *)
Lemma divides_oppr_rev :
  forall (a:Numbers.BinNums.Z) (b:Numbers.BinNums.Z), divides (-a)%Z b ->
  divides a b.
Proof.
exact Zdivide_opp_l_rev.
Qed.

(* Why3 goal *)
Lemma divides_oppl_rev :
  forall (a:Numbers.BinNums.Z) (b:Numbers.BinNums.Z), divides a (-b)%Z ->
  divides a b.
Proof.
exact Zdivide_opp_r_rev.
Qed.

(* Why3 goal *)
Lemma divides_plusr :
  forall (a:Numbers.BinNums.Z) (b:Numbers.BinNums.Z) (c:Numbers.BinNums.Z),
  divides a b -> divides a c -> divides a (b + c)%Z.
Proof.
exact Zdivide_plus_r.
Qed.

(* Why3 goal *)
Lemma divides_minusr :
  forall (a:Numbers.BinNums.Z) (b:Numbers.BinNums.Z) (c:Numbers.BinNums.Z),
  divides a b -> divides a c -> divides a (b - c)%Z.
Proof.
exact Zdivide_minus_l.
Qed.

(* Why3 goal *)
Lemma divides_multl :
  forall (a:Numbers.BinNums.Z) (b:Numbers.BinNums.Z) (c:Numbers.BinNums.Z),
  divides a b -> divides a (c * b)%Z.
Proof.
intros a b c.
apply Zdivide_mult_r.
Qed.

(* Why3 goal *)
Lemma divides_multr :
  forall (a:Numbers.BinNums.Z) (b:Numbers.BinNums.Z) (c:Numbers.BinNums.Z),
  divides a b -> divides a (b * c)%Z.
Proof.
exact Zdivide_mult_l.
Qed.

(* Why3 goal *)
Lemma divides_factorl :
  forall (a:Numbers.BinNums.Z) (b:Numbers.BinNums.Z), divides a (b * a)%Z.
Proof.
exact Zdivide_factor_l.
Qed.

(* Why3 goal *)
Lemma divides_factorr :
  forall (a:Numbers.BinNums.Z) (b:Numbers.BinNums.Z), divides a (a * b)%Z.
Proof.
exact Zdivide_factor_r.
Qed.

(* Why3 goal *)
Lemma divides_n_1 :
  forall (n:Numbers.BinNums.Z), divides n 1%Z -> (n = 1%Z) \/ (n = (-1%Z)%Z).
Proof.
exact Zdivide_1.
Qed.

(* Why3 goal *)
Lemma divides_antisym :
  forall (a:Numbers.BinNums.Z) (b:Numbers.BinNums.Z), divides a b ->
  divides b a -> (a = b) \/ (a = (-b)%Z).
Proof.
exact Z.divide_antisym.
Qed.

(* Why3 goal *)
Lemma divides_trans :
  forall (a:Numbers.BinNums.Z) (b:Numbers.BinNums.Z) (c:Numbers.BinNums.Z),
  divides a b -> divides b c -> divides a c.
Proof.
exact Z.divide_trans.
Qed.

(* Why3 goal *)
Lemma divides_bounds :
  forall (a:Numbers.BinNums.Z) (b:Numbers.BinNums.Z), divides a b ->
  ~ (b = 0%Z) -> ((ZArith.BinInt.Z.abs a) <= (ZArith.BinInt.Z.abs b))%Z.
Proof.
exact Zdivide_bounds.
Qed.

Import EuclideanDivision.

(* Why3 goal *)
Lemma mod_divides_euclidean :
  forall (a:Numbers.BinNums.Z) (b:Numbers.BinNums.Z), ~ (b = 0%Z) ->
  ((int.EuclideanDivision.mod1 a b) = 0%Z) -> divides b a.
Proof.
intros a b Zb H.
exists (div a b).
rewrite (Div_mod a b Zb) at 1.
rewrite H.
ring.
Qed.

(* Why3 goal *)
Lemma divides_mod_euclidean :
  forall (a:Numbers.BinNums.Z) (b:Numbers.BinNums.Z), ~ (b = 0%Z) ->
  divides b a -> ((int.EuclideanDivision.mod1 a b) = 0%Z).
Proof.
intros a b Zb H.
assert (Zmod a b = Z0).
now apply Zdivide_mod.
unfold mod1, div.
rewrite H0.
case Z_le_dec ; intros H1.
rewrite (Z_div_exact_full_2 a b Zb H0) at 1.
apply Zminus_diag.
now elim H1.
Qed.

(* Why3 goal *)
Lemma mod_divides_computer :
  forall (a:Numbers.BinNums.Z) (b:Numbers.BinNums.Z), ~ (b = 0%Z) ->
  ((ZArith.BinInt.Z.rem a b) = 0%Z) -> divides b a.
Proof.
intros a b Zb H.
exists (Z.quot a b).
rewrite Zmult_comm.
now apply Zquot.Z_quot_exact_full.
Qed.

(* Why3 goal *)
Lemma divides_mod_computer :
  forall (a:Numbers.BinNums.Z) (b:Numbers.BinNums.Z), ~ (b = 0%Z) ->
  divides b a -> ((ZArith.BinInt.Z.rem a b) = 0%Z).
Proof.
intros a b Zb (q,H).
rewrite H.
apply Zquot.Z_rem_mult.
Qed.

(* Why3 goal *)
Lemma even_divides :
  forall (a:Numbers.BinNums.Z), number.Parity.even a <-> divides 2%Z a.
Proof.
split ;
  intros (q,H) ; exists q ; now rewrite Zmult_comm.
Qed.

(* Why3 goal *)
Lemma odd_divides :
  forall (a:Numbers.BinNums.Z), number.Parity.odd a <-> ~ divides 2%Z a.
Proof.
split.
intros H.
contradict H.
apply Parity.even_not_odd.
now apply <- even_divides.
intros H.
destruct (Parity.even_or_odd a).
elim H.
now apply -> even_divides.
exact H0.
Qed.

why3-1.6.0/lib/coq/number/Gcd.v000066400000000000000000000105661440160026300161200ustar00rootroot00000000000000(********************************************************************)
(*                                                                  *)
(*  The Why3 Verification Platform   /   The Why3 Development Team  *)
(*  Copyright 2010-2023 --  Inria - CNRS - Paris-Saclay University  *)
(*                                                                  *)
(*  This software is distributed under the terms of the GNU Lesser  *)
(*  General Public License version 2.1, with the special exception  *)
(*  on linking described in file LICENSE.                           *)
(*                                                                  *)
(********************************************************************)

(* This file is generated by Why3's Coq-realize driver *)
(* Beware! Only edit allowed sections below    *)
Require Import BuiltIn.
Require BuiltIn.
Require int.Int.
Require int.Abs.
Require int.EuclideanDivision.
Require int.ComputerDivision.
Require number.Parity.
Require number.Divisibility.

Import Znumtheory.

(* Why3 goal *)
Notation gcd := Z.gcd (only parsing).

(* Why3 goal *)
Lemma gcd_nonneg :
  forall (a:Numbers.BinNums.Z) (b:Numbers.BinNums.Z), (0%Z <= (gcd a b))%Z.
Proof.
exact Zgcd_is_pos.
Qed.

(* Why3 goal *)
Lemma gcd_def1 :
  forall (a:Numbers.BinNums.Z) (b:Numbers.BinNums.Z),
  number.Divisibility.divides (gcd a b) a.
Proof.
intros a b.
apply Zgcd_is_gcd.
Qed.

(* Why3 goal *)
Lemma gcd_def2 :
  forall (a:Numbers.BinNums.Z) (b:Numbers.BinNums.Z),
  number.Divisibility.divides (gcd a b) b.
Proof.
intros a b.
apply Zgcd_is_gcd.
Qed.

(* Why3 goal *)
Lemma gcd_def3 :
  forall (a:Numbers.BinNums.Z) (b:Numbers.BinNums.Z) (x:Numbers.BinNums.Z),
  number.Divisibility.divides x a -> number.Divisibility.divides x b ->
  number.Divisibility.divides x (gcd a b).
Proof.
intros a b x.
apply Zgcd_is_gcd.
Qed.

(* Why3 goal *)
Lemma gcd_unique :
  forall (a:Numbers.BinNums.Z) (b:Numbers.BinNums.Z) (d:Numbers.BinNums.Z),
  (0%Z <= d)%Z -> number.Divisibility.divides d a ->
  number.Divisibility.divides d b ->
  (forall (x:Numbers.BinNums.Z), number.Divisibility.divides x a ->
   number.Divisibility.divides x b -> number.Divisibility.divides x d) ->
  (d = (gcd a b)).
Proof.
intros.
apply sym_eq.
apply Zis_gcd_gcd.
exact H.
now constructor.
Qed.

(* Why3 goal *)
Lemma Assoc :
  forall (x:Numbers.BinNums.Z) (y:Numbers.BinNums.Z) (z:Numbers.BinNums.Z),
  ((gcd (gcd x y) z) = (gcd x (gcd y z))).
Proof.
exact Zgcd_ass.
Qed.

(* Why3 goal *)
Lemma Comm :
  forall (x:Numbers.BinNums.Z) (y:Numbers.BinNums.Z), ((gcd x y) = (gcd y x)).
Proof.
exact Z.gcd_comm.
Qed.

(* Why3 goal *)
Lemma gcd_0_pos :
  forall (a:Numbers.BinNums.Z), (0%Z <= a)%Z -> ((gcd a 0%Z) = a).
Proof.
intros a H.
rewrite <- (Z.abs_eq a H) at 2.
apply Zgcd_0.
Qed.

(* Why3 goal *)
Lemma gcd_0_neg :
  forall (a:Numbers.BinNums.Z), (a < 0%Z)%Z -> ((gcd a 0%Z) = (-a)%Z).
Proof.
intros a H.
rewrite <- Zabs_non_eq.
apply Zgcd_0.
now apply Zlt_le_weak.
Qed.

(* Why3 goal *)
Lemma gcd_opp :
  forall (a:Numbers.BinNums.Z) (b:Numbers.BinNums.Z),
  ((gcd a b) = (gcd (-a)%Z b)).
Proof.
intros a b.
apply Zis_gcd_gcd.
apply Zgcd_is_pos.
apply Zis_gcd_minus.
apply Zis_gcd_sym.
apply Zgcd_is_gcd.
Qed.

(* Why3 goal *)
Lemma gcd_euclid :
  forall (a:Numbers.BinNums.Z) (b:Numbers.BinNums.Z) (q:Numbers.BinNums.Z),
  ((gcd a b) = (gcd a (b - (q * a)%Z)%Z)).
Proof.
intros a b c.
apply Zis_gcd_gcd.
apply Zgcd_is_pos.
apply Zis_gcd_sym.
apply Zis_gcd_for_euclid with c.
apply Zgcd_is_gcd.
Qed.

(* Why3 goal *)
Lemma Gcd_computer_mod :
  forall (a:Numbers.BinNums.Z) (b:Numbers.BinNums.Z), ~ (b = 0%Z) ->
  ((gcd b (ZArith.BinInt.Z.rem a b)) = (gcd a b)).
Proof.
intros a b _.
rewrite (Z.gcd_comm a b).
rewrite (gcd_euclid b a (Z.quot a b)).
apply f_equal.
rewrite (Z.quot_rem' a b) at 2.
ring.
Qed.

(* Why3 goal *)
Lemma Gcd_euclidean_mod :
  forall (a:Numbers.BinNums.Z) (b:Numbers.BinNums.Z), ~ (b = 0%Z) ->
  ((gcd b (int.EuclideanDivision.mod1 a b)) = (gcd a b)).
Proof.
intros a b Zb.
rewrite (Z.gcd_comm a b).
rewrite (gcd_euclid b a (EuclideanDivision.div a b)).
apply f_equal.
rewrite (EuclideanDivision.Div_mod a b Zb) at 2.
ring.
Qed.

(* Why3 goal *)
Lemma gcd_mult :
  forall (a:Numbers.BinNums.Z) (b:Numbers.BinNums.Z) (c:Numbers.BinNums.Z),
  (0%Z <= c)%Z -> ((gcd (c * a)%Z (c * b)%Z) = (c * (gcd a b))%Z).
Proof.
intros a b c H.
apply Zis_gcd_gcd.
apply Zmult_le_0_compat with (1 := H).
apply Zgcd_is_pos.
apply Zis_gcd_mult.
apply Zgcd_is_gcd.
Qed.

why3-1.6.0/lib/coq/number/Parity.v000066400000000000000000000063111440160026300166640ustar00rootroot00000000000000(********************************************************************)
(*                                                                  *)
(*  The Why3 Verification Platform   /   The Why3 Development Team  *)
(*  Copyright 2010-2023 --  Inria - CNRS - Paris-Saclay University  *)
(*                                                                  *)
(*  This software is distributed under the terms of the GNU Lesser  *)
(*  General Public License version 2.1, with the special exception  *)
(*  on linking described in file LICENSE.                           *)
(*                                                                  *)
(********************************************************************)

(* This file is generated by Why3's Coq-realize driver *)
(* Beware! Only edit allowed sections below    *)
Require Import BuiltIn.
Require BuiltIn.
Require int.Int.
Require int.Abs.
Require int.ComputerDivision.

(* Why3 assumption *)
Definition even (n:Numbers.BinNums.Z) : Prop :=
  exists k:Numbers.BinNums.Z, (n = (2%Z * k)%Z).

(* Why3 assumption *)
Definition odd (n:Numbers.BinNums.Z) : Prop :=
  exists k:Numbers.BinNums.Z, (n = ((2%Z * k)%Z + 1%Z)%Z).

Lemma even_is_Zeven :
  forall n, even n <-> Zeven n.
Proof.
intros n.
refine (conj _ (Zeven_ex n)).
intros (k,H).
rewrite H.
apply Zeven_2p.
Qed.

Lemma odd_is_Zodd :
  forall n, odd n <-> Zodd n.
Proof.
intros n.
refine (conj _ (Zodd_ex n)).
intros (k,H).
rewrite H.
apply Zodd_2p_plus_1.
Qed.

(* Why3 goal *)
Lemma even_or_odd : forall (n:Numbers.BinNums.Z), even n \/ odd n.
Proof.
intros n.
destruct (Zeven_odd_dec n).
left.
now apply <- even_is_Zeven.
right.
now apply <- odd_is_Zodd.
Qed.

(* Why3 goal *)
Lemma even_not_odd : forall (n:Numbers.BinNums.Z), even n -> ~ odd n.
Proof.
intros n H1 H2.
apply (Zeven_not_Zodd n).
now apply -> even_is_Zeven.
now apply -> odd_is_Zodd.
Qed.

(* Why3 goal *)
Lemma odd_not_even : forall (n:Numbers.BinNums.Z), odd n -> ~ even n.
Proof.
intros n H1.
contradict H1.
now apply even_not_odd.
Qed.

(* Why3 goal *)
Lemma even_odd : forall (n:Numbers.BinNums.Z), even n -> odd (n + 1%Z)%Z.
Proof.
intros n H.
apply <- odd_is_Zodd.
apply Zeven_plus_Zodd.
now apply -> even_is_Zeven.
easy.
Qed.

(* Why3 goal *)
Lemma odd_even : forall (n:Numbers.BinNums.Z), odd n -> even (n + 1%Z)%Z.
Proof.
intros n H.
apply <- even_is_Zeven.
apply Zodd_plus_Zodd.
now apply -> odd_is_Zodd.
easy.
Qed.

(* Why3 goal *)
Lemma even_even : forall (n:Numbers.BinNums.Z), even n -> even (n + 2%Z)%Z.
Proof.
intros n H.
apply <- even_is_Zeven.
apply Zeven_plus_Zeven.
now apply -> even_is_Zeven.
easy.
Qed.

(* Why3 goal *)
Lemma odd_odd : forall (n:Numbers.BinNums.Z), odd n -> odd (n + 2%Z)%Z.
Proof.
intros n H.
apply <- odd_is_Zodd.
apply Zodd_plus_Zeven.
now apply -> odd_is_Zodd.
easy.
Qed.

(* Why3 goal *)
Lemma even_2k : forall (k:Numbers.BinNums.Z), even (2%Z * k)%Z.
Proof.
intros k.
now exists k.
Qed.

(* Why3 goal *)
Lemma odd_2k1 : forall (k:Numbers.BinNums.Z), odd ((2%Z * k)%Z + 1%Z)%Z.
Proof.
intros k.
now exists k.
Qed.

(* Why3 goal *)
Lemma even_mod2 :
  forall (n:Numbers.BinNums.Z),
  even n <-> ((ZArith.BinInt.Z.rem n 2%Z) = 0%Z).
Proof.
intros n.
rewrite even_is_Zeven.
rewrite <- Zeven_bool_iff.
rewrite Zquot.Zeven_rem.
now rewrite Z.eqb_eq.
Qed.

why3-1.6.0/lib/coq/number/Prime.v000066400000000000000000000111671440160026300164750ustar00rootroot00000000000000(********************************************************************)
(*                                                                  *)
(*  The Why3 Verification Platform   /   The Why3 Development Team  *)
(*  Copyright 2010-2023 --  Inria - CNRS - Paris-Saclay University  *)
(*                                                                  *)
(*  This software is distributed under the terms of the GNU Lesser  *)
(*  General Public License version 2.1, with the special exception  *)
(*  on linking described in file LICENSE.                           *)
(*                                                                  *)
(********************************************************************)

(* This file is generated by Why3's Coq-realize driver *)
(* Beware! Only edit allowed sections below    *)
Require Import BuiltIn.
Require BuiltIn.
Require int.Int.
Require int.Abs.
Require int.EuclideanDivision.
Require int.ComputerDivision.
Require number.Parity.
Require number.Divisibility.

Require Import Lia Znumtheory.

(* Why3 assumption *)
Definition prime (p:Numbers.BinNums.Z) : Prop :=
  (2%Z <= p)%Z /\
  (forall (n:Numbers.BinNums.Z), (1%Z < n)%Z /\ (n < p)%Z ->
   ~ number.Divisibility.divides n p).

Lemma prime_is_Zprime :
  forall p, prime p <-> Znumtheory.prime p.
Proof.
intros p.
apply iff_trans with (2 := prime_alt p).
unfold prime, prime'.
intuition.
Qed.

(* Why3 goal *)
Lemma not_prime_1 : ~ prime 1%Z.
Proof.
intros (H1,_).
now elim H1.
Qed.

(* Why3 goal *)
Lemma prime_2 : prime 2%Z.
Proof.
apply <- prime_is_Zprime.
apply prime_2.
Qed.

(* Why3 goal *)
Lemma prime_3 : prime 3%Z.
Proof.
apply <- prime_is_Zprime.
apply prime_3.
Qed.

(* Why3 goal *)
Lemma prime_divisors :
  forall (p:Numbers.BinNums.Z), prime p -> forall (d:Numbers.BinNums.Z),
  number.Divisibility.divides d p ->
  (d = 1%Z) \/ (d = (-1%Z)%Z) \/ (d = p) \/ (d = (-p)%Z).
Proof.
intros p Hp d Hd.
apply -> prime_is_Zprime in Hp.
destruct (prime_divisors p Hp d Hd) ; intuition.
Qed.

(* Why3 goal *)
Lemma small_divisors :
  forall (p:Numbers.BinNums.Z), (2%Z <= p)%Z ->
  (forall (d:Numbers.BinNums.Z), (2%Z <= d)%Z -> prime d ->
   (1%Z < (d * d)%Z)%Z /\ ((d * d)%Z <= p)%Z ->
   ~ number.Divisibility.divides d p) ->
  prime p.
Proof.
intros p Hp H.
apply <- prime_is_Zprime.
destruct (prime_dec p) as [Pp|Pp].
exact Pp.
elimtype False.
(* *)
assert (exists d, (2 <= d)%Z /\ (d * d <= p)%Z /\ prime d /\ Z.divide d p).
clear H.
assert (Hp' : (0 <= p)%Z) by lia.
revert p Hp' Hp Pp.
apply (Zlt_0_ind (fun p => 2 <= p -> ~ Znumtheory.prime p -> (exists d : Z, 2 <= d /\ d * d <= p /\ prime d /\ (d | p)))%Z).
intros p IH _ Hp Pp.
destruct (not_prime_divide p) as (x,(Hx1,Hx2)).
clear -Hp ; lia.
exact Pp.
destruct (Zle_or_lt (x * x) p) as [Hx|Hx].
destruct (prime_dec x) as [Px|Px].
exists x.
split.
clear -Hx1 ; lia.
split.
exact Hx.
split.
now apply <- prime_is_Zprime.
exact Hx2.
destruct (IH x) as (y&Hy1&Hy2&Hy3&Hy4).
clear -Hx1 ; lia.
clear -Hx1 ; lia.
exact Px.
exists y.
refine (conj Hy1 (conj _ (conj Hy3 _))).
apply Z.le_trans with (1 := Hy2).
apply Z.le_trans with (2 := Hx).
rewrite <- (Zmult_1_r x) at 1.
apply Zmult_le_compat_l.
now apply Zlt_le_weak.
clear -Hx1 ; lia.
now apply Z.divide_trans with x.
case Hx2.
intros q Hq1.
assert (Hq2 : (2 <= q)%Z).
apply (Zlt_le_succ 1).
apply Zmult_lt_reg_r with x.
clear -Hx1 ; lia.
now rewrite Zmult_1_l, <- Hq1.
destruct (prime_dec q) as [Pq|Pq].
exists q.
split.
exact Hq2.
split.
rewrite Hq1.
apply Zmult_le_compat_l.
apply Zlt_le_weak.
apply Zmult_lt_reg_r with x.
clear -Hx1 ; lia.
now rewrite <- Hq1.
clear -Hq2 ; lia.
split.
now apply <- prime_is_Zprime.
exists x.
now rewrite Zmult_comm.
destruct (IH q) as (y&Hy1&Hy2&Hy3&Hy4).
split.
clear -Hq2 ; lia.
rewrite <- (Zmult_1_r q), Hq1.
apply Zmult_lt_compat_l.
clear -Hq2 ; lia.
clear -Hx1 ; lia.
exact Hq2.
exact Pq.
exists y.
refine (conj Hy1 (conj _ (conj Hy3 _))).
apply Z.le_trans with (1 := Hy2).
rewrite <- (Zmult_1_r q), Hq1.
apply Zmult_le_compat_l.
clear -Hx1 ; lia.
clear -Hq2 ; lia.
apply Z.divide_trans with (1 := Hy4).
exists x.
now rewrite Zmult_comm.
destruct H0 as (y&Hy1&Hy2&Hy3&Hy4).
apply (H y) ; try easy.
split.
apply Z.lt_le_trans with (2 * 2)%Z.
easy.
now apply Zmult_le_compat.
exact Hy2.
Qed.

(* Why3 goal *)
Lemma even_prime :
  forall (p:Numbers.BinNums.Z), prime p -> number.Parity.even p -> (p = 2%Z).
Proof.
intros p Pp (q,Hq).
generalize (proj2 Pp q).
assert (Z.divide q p).
now exists 2%Z.
intros.
refine (_ (fun H1 => H0 H1 H) (proj1 Pp)).
lia.
Qed.

(* Why3 goal *)
Lemma odd_prime :
  forall (p:Numbers.BinNums.Z), prime p -> (3%Z <= p)%Z ->
  number.Parity.odd p.
Proof.
intros p Pp Hp.
apply <- Divisibility.odd_divides.
apply proj2 in Pp.
apply Pp.
lia.
Qed.

why3-1.6.0/lib/coq/option/000077500000000000000000000000001440160026300152445ustar00rootroot00000000000000why3-1.6.0/lib/coq/option/Option.v000066400000000000000000000027771440160026300167200ustar00rootroot00000000000000(********************************************************************)
(*                                                                  *)
(*  The Why3 Verification Platform   /   The Why3 Development Team  *)
(*  Copyright 2010-2023 --  Inria - CNRS - Paris-Saclay University  *)
(*                                                                  *)
(*  This software is distributed under the terms of the GNU Lesser  *)
(*  General Public License version 2.1, with the special exception  *)
(*  on linking described in file LICENSE.                           *)
(*                                                                  *)
(********************************************************************)

(* This file is generated by Why3's Coq-realize driver *)
(* Beware! Only edit allowed sections below    *)
Require Import BuiltIn.
Require BuiltIn.

(* Why3 assumption *)
Definition is_none {a:Type} {a_WT:WhyType a} (o:Init.Datatypes.option a) :
    Prop :=
  match o with
  | Init.Datatypes.None => True
  | Init.Datatypes.Some _ => False
  end.

(* Why3 goal *)
Lemma is_none'spec {a:Type} {a_WT:WhyType a} :
  forall (o:Init.Datatypes.option a), is_none o <-> (o = Init.Datatypes.None).
Proof.
intros o.
split.
now destruct o.
now intros ->.
Qed.

Global Instance option_WhyType : forall T {T_WT : WhyType T}, WhyType (option T).
Proof.
split.
apply @None.
intros [x|] [y|] ; try (now right) ; try (now left).
destruct (why_decidable_eq x y) as [E|E].
left.
now apply f_equal.
right.
contradict E.
now injection E.
Qed.
why3-1.6.0/lib/coq/real/000077500000000000000000000000001440160026300146575ustar00rootroot00000000000000why3-1.6.0/lib/coq/real/Abs.v000066400000000000000000000055751440160026300155670ustar00rootroot00000000000000(********************************************************************)
(*                                                                  *)
(*  The Why3 Verification Platform   /   The Why3 Development Team  *)
(*  Copyright 2010-2023 --  Inria - CNRS - Paris-Saclay University  *)
(*                                                                  *)
(*  This software is distributed under the terms of the GNU Lesser  *)
(*  General Public License version 2.1, with the special exception  *)
(*  on linking described in file LICENSE.                           *)
(*                                                                  *)
(********************************************************************)

(* This file is generated by Why3's Coq-realize driver *)
(* Beware! Only edit allowed sections below    *)
Require Import BuiltIn.
Require Reals.Rbasic_fun.
Require BuiltIn.
Require real.Real.

Import Rbasic_fun.

(* Why3 comment *)
(* abs is replaced with (Reals.Rbasic_fun.Rabs x) by the coq driver *)

(* Why3 goal *)
Lemma abs'def :
  forall (x:Reals.Rdefinitions.R),
  ((0%R <= x)%R -> ((Reals.Rbasic_fun.Rabs x) = x)) /\
  (~ (0%R <= x)%R -> ((Reals.Rbasic_fun.Rabs x) = (-x)%R)).
Proof.
intros x.
split ; intros H.
apply Rabs_right.
now apply Rle_ge.
apply Rabs_left.
now apply Rnot_le_lt.
Qed.

(* Why3 goal *)
Lemma Abs_le :
  forall (x:Reals.Rdefinitions.R) (y:Reals.Rdefinitions.R),
  ((Reals.Rbasic_fun.Rabs x) <= y)%R <-> ((-y)%R <= x)%R /\ (x <= y)%R.
intros x y.
unfold Rabs.
case Rcase_abs ; intros H ; (split ; [intros H0;split | intros (H0,H1)]).
rewrite <- (Ropp_involutive x).
now apply Ropp_le_contravar.
apply Rlt_le.
apply Rlt_le_trans with (1 := H).
apply Rle_trans with (2 := H0).
rewrite <- Ropp_0.
apply Ropp_le_contravar.
now apply Rlt_le.
rewrite <- (Ropp_involutive y).
now apply Ropp_le_contravar.
apply Rge_le in H.
apply Rle_trans with (2 := H).
apply Rle_trans with (Ropp x).
now apply Ropp_le_contravar.
rewrite <- Ropp_0.
now apply Ropp_le_contravar.
exact H0.
exact H1.
Qed.

(* Why3 goal *)
Lemma Abs_pos :
  forall (x:Reals.Rdefinitions.R), (0%R <= (Reals.Rbasic_fun.Rabs x))%R.
exact Rabs_pos.
Qed.

(* Why3 goal *)
Lemma Abs_sum :
  forall (x:Reals.Rdefinitions.R) (y:Reals.Rdefinitions.R),
  ((Reals.Rbasic_fun.Rabs (x + y)%R) <=
   ((Reals.Rbasic_fun.Rabs x) + (Reals.Rbasic_fun.Rabs y))%R)%R.
exact Rabs_triang.
Qed.

(* Why3 goal *)
Lemma Abs_prod :
  forall (x:Reals.Rdefinitions.R) (y:Reals.Rdefinitions.R),
  ((Reals.Rbasic_fun.Rabs (x * y)%R) =
   ((Reals.Rbasic_fun.Rabs x) * (Reals.Rbasic_fun.Rabs y))%R).
exact Rabs_mult.
Qed.

(* Why3 goal *)
Lemma triangular_inequality :
  forall (x:Reals.Rdefinitions.R) (y:Reals.Rdefinitions.R)
    (z:Reals.Rdefinitions.R),
  ((Reals.Rbasic_fun.Rabs (x - z)%R) <=
   ((Reals.Rbasic_fun.Rabs (x - y)%R) + (Reals.Rbasic_fun.Rabs (y - z)%R))%R)%R.
intros x y z.
replace (x - z)%R with ((x - y) + (y - z))%R by ring.
apply Rabs_triang.
Qed.

why3-1.6.0/lib/coq/real/ExpLog.v000066400000000000000000000045101440160026300162440ustar00rootroot00000000000000(********************************************************************)
(*                                                                  *)
(*  The Why3 Verification Platform   /   The Why3 Development Team  *)
(*  Copyright 2010-2023 --  Inria - CNRS - Paris-Saclay University  *)
(*                                                                  *)
(*  This software is distributed under the terms of the GNU Lesser  *)
(*  General Public License version 2.1, with the special exception  *)
(*  on linking described in file LICENSE.                           *)
(*                                                                  *)
(********************************************************************)

(* This file is generated by Why3's Coq-realize driver *)
(* Beware! Only edit allowed sections below    *)
Require Import BuiltIn.
Require Reals.Rtrigo_def.
Require Reals.Rpower.
Require BuiltIn.
Require real.Real.

Import Rtrigo_def.
Import Rpower.

(* Why3 comment *)
(* exp is replaced with (Reals.Rtrigo_def.exp x) by the coq driver *)

(* Why3 goal *)
Lemma Exp_zero : ((Reals.Rtrigo_def.exp 0%R) = 1%R).
exact exp_0.
Qed.

Require Import Exp_prop.

(* Why3 goal *)
Lemma Exp_sum :
  forall (x:Reals.Rdefinitions.R) (y:Reals.Rdefinitions.R),
  ((Reals.Rtrigo_def.exp (x + y)%R) =
   ((Reals.Rtrigo_def.exp x) * (Reals.Rtrigo_def.exp y))%R).
exact exp_plus.
Qed.

(* Why3 comment *)
(* log is replaced with (Reals.Rpower.ln x) by the coq driver *)

(* Why3 goal *)
Lemma Log_one : ((Reals.Rpower.ln 1%R) = 0%R).
exact ln_1.
Qed.

(* Why3 goal *)
Lemma Log_mul :
  forall (x:Reals.Rdefinitions.R) (y:Reals.Rdefinitions.R),
  (0%R < x)%R /\ (0%R < y)%R ->
  ((Reals.Rpower.ln (x * y)%R) =
   ((Reals.Rpower.ln x) + (Reals.Rpower.ln y))%R).
intros x y (Hx,Hy).
now apply ln_mult.
Qed.

(* Why3 goal *)
Lemma Log_exp :
  forall (x:Reals.Rdefinitions.R),
  ((Reals.Rpower.ln (Reals.Rtrigo_def.exp x)) = x).
exact ln_exp.
Qed.

(* Why3 goal *)
Lemma Exp_log :
  forall (x:Reals.Rdefinitions.R), (0%R < x)%R ->
  ((Reals.Rtrigo_def.exp (Reals.Rpower.ln x)) = x).
exact exp_ln.
Qed.

(* Why3 assumption *)
Definition log2 (x:Reals.Rdefinitions.R) : Reals.Rdefinitions.R :=
  ((Reals.Rpower.ln x) / (Reals.Rpower.ln 2%R))%R.

(* Why3 assumption *)
Definition log10 (x:Reals.Rdefinitions.R) : Reals.Rdefinitions.R :=
  ((Reals.Rpower.ln x) / (Reals.Rpower.ln 10%R))%R.

why3-1.6.0/lib/coq/real/FromInt.v000066400000000000000000000041441440160026300164270ustar00rootroot00000000000000(********************************************************************)
(*                                                                  *)
(*  The Why3 Verification Platform   /   The Why3 Development Team  *)
(*  Copyright 2010-2023 --  Inria - CNRS - Paris-Saclay University  *)
(*                                                                  *)
(*  This software is distributed under the terms of the GNU Lesser  *)
(*  General Public License version 2.1, with the special exception  *)
(*  on linking described in file LICENSE.                           *)
(*                                                                  *)
(********************************************************************)

(* This file is generated by Why3's Coq-realize driver *)
(* Beware! Only edit allowed sections below    *)
Require Import BuiltIn.
Require BuiltIn.
Require int.Int.
Require real.Real.

(* Why3 comment *)
(* from_int is replaced with (BuiltIn.IZR x) by the coq driver *)

(* Why3 goal *)
Lemma Zero : ((BuiltIn.IZR 0%Z) = 0%R).
Proof.
split.
Qed.

(* Why3 goal *)
Lemma One : ((BuiltIn.IZR 1%Z) = 1%R).
Proof.
split.
Qed.

(* Why3 goal *)
Lemma Add :
  forall (x:Numbers.BinNums.Z) (y:Numbers.BinNums.Z),
  ((BuiltIn.IZR (x + y)%Z) = ((BuiltIn.IZR x) + (BuiltIn.IZR y))%R).
Proof.
exact plus_IZR.
Qed.

(* Why3 goal *)
Lemma Sub :
  forall (x:Numbers.BinNums.Z) (y:Numbers.BinNums.Z),
  ((BuiltIn.IZR (x - y)%Z) = ((BuiltIn.IZR x) - (BuiltIn.IZR y))%R).
Proof.
exact minus_IZR.
Qed.

(* Why3 goal *)
Lemma Mul :
  forall (x:Numbers.BinNums.Z) (y:Numbers.BinNums.Z),
  ((BuiltIn.IZR (x * y)%Z) = ((BuiltIn.IZR x) * (BuiltIn.IZR y))%R).
Proof.
exact mult_IZR.
Qed.

(* Why3 goal *)
Lemma Neg :
  forall (x:Numbers.BinNums.Z), ((BuiltIn.IZR (-x)%Z) = (-(BuiltIn.IZR x))%R).
Proof.
exact opp_IZR.
Qed.

(* Why3 goal *)
Lemma Injective :
  forall (x:Numbers.BinNums.Z) (y:Numbers.BinNums.Z),
  ((BuiltIn.IZR x) = (BuiltIn.IZR y)) -> (x = y).
Proof.
exact eq_IZR.
Qed.

(* Why3 goal *)
Lemma Monotonic :
  forall (x:Numbers.BinNums.Z) (y:Numbers.BinNums.Z), (x <= y)%Z ->
  ((BuiltIn.IZR x) <= (BuiltIn.IZR y))%R.
Proof.
exact (IZR_le).
Qed.

why3-1.6.0/lib/coq/real/MinMax.v000066400000000000000000000074311440160026300162440ustar00rootroot00000000000000(********************************************************************)
(*                                                                  *)
(*  The Why3 Verification Platform   /   The Why3 Development Team  *)
(*  Copyright 2010-2023 --  Inria - CNRS - Paris-Saclay University  *)
(*                                                                  *)
(*  This software is distributed under the terms of the GNU Lesser  *)
(*  General Public License version 2.1, with the special exception  *)
(*  on linking described in file LICENSE.                           *)
(*                                                                  *)
(********************************************************************)

(* This file is generated by Why3's Coq-realize driver *)
(* Beware! Only edit allowed sections below    *)
Require Import BuiltIn.
Require BuiltIn.
Require real.Real.

Require Import Rbasic_fun.

(* Why3 comment *)
(* min is replaced with (Reals.Rbasic_fun.Rmin x x1) by the coq driver *)

(* Why3 goal *)
Lemma min'def :
  forall (x:Reals.Rdefinitions.R) (y:Reals.Rdefinitions.R),
  ((x <= y)%R -> ((Reals.Rbasic_fun.Rmin x y) = x)) /\
  (~ (x <= y)%R -> ((Reals.Rbasic_fun.Rmin x y) = y)).
Proof.
intros x y.
split ; intros H.
now apply Rmin_left.
apply Rmin_right.
now apply Rlt_le, Rnot_le_lt.
Qed.

(* Why3 comment *)
(* max is replaced with (Reals.Rbasic_fun.Rmax x x1) by the coq driver *)

(* Why3 goal *)
Lemma max'def :
  forall (x:Reals.Rdefinitions.R) (y:Reals.Rdefinitions.R),
  ((x <= y)%R -> ((Reals.Rbasic_fun.Rmax x y) = y)) /\
  (~ (x <= y)%R -> ((Reals.Rbasic_fun.Rmax x y) = x)).
Proof.
intros x y.
split ; intros H.
now apply Rmax_right.
apply Rmax_left.
now apply Rlt_le, Rnot_le_lt.
Qed.

(* Why3 goal *)
Lemma Min_r :
  forall (x:Reals.Rdefinitions.R) (y:Reals.Rdefinitions.R), (y <= x)%R ->
  ((Reals.Rbasic_fun.Rmin x y) = y).
exact Rmin_right.
Qed.

(* Why3 goal *)
Lemma Max_l :
  forall (x:Reals.Rdefinitions.R) (y:Reals.Rdefinitions.R), (y <= x)%R ->
  ((Reals.Rbasic_fun.Rmax x y) = x).
exact Rmax_left.
Qed.

(* Why3 goal *)
Lemma Min_comm :
  forall (x:Reals.Rdefinitions.R) (y:Reals.Rdefinitions.R),
  ((Reals.Rbasic_fun.Rmin x y) = (Reals.Rbasic_fun.Rmin y x)).
exact Rmin_comm.
Qed.

(* Why3 goal *)
Lemma Max_comm :
  forall (x:Reals.Rdefinitions.R) (y:Reals.Rdefinitions.R),
  ((Reals.Rbasic_fun.Rmax x y) = (Reals.Rbasic_fun.Rmax y x)).
exact Rmax_comm.
Qed.

(* Why3 goal *)
Lemma Min_assoc :
  forall (x:Reals.Rdefinitions.R) (y:Reals.Rdefinitions.R)
    (z:Reals.Rdefinitions.R),
  ((Reals.Rbasic_fun.Rmin (Reals.Rbasic_fun.Rmin x y) z) =
   (Reals.Rbasic_fun.Rmin x (Reals.Rbasic_fun.Rmin y z))).
Proof.
intros x y z.
destruct (Rle_or_lt x y) as [Hxy|Hxy].
rewrite Rmin_left with (1 := Hxy).
destruct (Rle_or_lt x z) as [Hxz|Hxz].
rewrite Rmin_left with (1 := Hxz).
apply eq_sym, Rmin_left.
now apply Rmin_case.
rewrite (Rmin_right y z).
reflexivity.
apply Rlt_le.
now apply Rlt_le_trans with x.
rewrite (Rmin_right x y) by now apply Rlt_le.
apply eq_sym, Rmin_right.
apply Rlt_le.
apply Rle_lt_trans with (2 := Hxy).
apply Rmin_l.
Qed.

(* Why3 goal *)
Lemma Max_assoc :
  forall (x:Reals.Rdefinitions.R) (y:Reals.Rdefinitions.R)
    (z:Reals.Rdefinitions.R),
  ((Reals.Rbasic_fun.Rmax (Reals.Rbasic_fun.Rmax x y) z) =
   (Reals.Rbasic_fun.Rmax x (Reals.Rbasic_fun.Rmax y z))).
Proof.
intros x y z.
destruct (Rle_or_lt x y) as [Hxy|Hxy].
rewrite Rmax_right with (1 := Hxy).
apply eq_sym, Rmax_right.
apply Rle_trans with (1 := Hxy).
apply Rmax_l.
rewrite (Rmax_left x y) by now apply Rlt_le.
destruct (Rle_or_lt x z) as [Hxz|Hxz].
rewrite Rmax_right with (1 := Hxz).
rewrite Rmax_right.
apply eq_sym, Rmax_right.
apply Rlt_le.
now apply Rlt_le_trans with x.
apply Rle_trans with (1 := Hxz).
apply Rmax_r.
rewrite Rmax_left.
apply eq_sym, Rmax_left.
apply Rmax_case ; now apply Rlt_le.
now apply Rlt_le.
Qed.

why3-1.6.0/lib/coq/real/PowerInt.v000066400000000000000000000103131440160026300166130ustar00rootroot00000000000000(********************************************************************)
(*                                                                  *)
(*  The Why3 Verification Platform   /   The Why3 Development Team  *)
(*  Copyright 2010-2023 --  Inria - CNRS - Paris-Saclay University  *)
(*                                                                  *)
(*  This software is distributed under the terms of the GNU Lesser  *)
(*  General Public License version 2.1, with the special exception  *)
(*  on linking described in file LICENSE.                           *)
(*                                                                  *)
(********************************************************************)

(* This file is generated by Why3's Coq-realize driver *)
(* Beware! Only edit allowed sections below    *)
Require Import BuiltIn.
Require Reals.Rfunctions.
Require BuiltIn.
Require int.Int.
Require real.Real.
Require real.RealInfix.

Require Import Lia.
Require Import Exponentiation.
Import Rfunctions.

(* Why3 comment *)
(* power is replaced with (Reals.Rfunctions.powerRZ x x1) by the coq driver *)

Lemma power_is_exponentiation :
  forall x n, (0 <= n)%Z -> powerRZ x n = Exponentiation.power _ R1 Rmult x n.
Proof.
intros x [|n|n] H.
easy.
2: now elim H.
unfold Exponentiation.power, powerRZ.
simpl.
induction (nat_of_P n).
easy.
simpl.
now rewrite IHn0.
Qed.

(* Why3 goal *)
Lemma Power_0 :
  forall (x:Reals.Rdefinitions.R), ((Reals.Rfunctions.powerRZ x 0%Z) = 1%R).
Proof.
intros x.
easy.
Qed.

(* Why3 goal *)
Lemma Power_s :
  forall (x:Reals.Rdefinitions.R) (n:Numbers.BinNums.Z), (0%Z <= n)%Z ->
  ((Reals.Rfunctions.powerRZ x (n + 1%Z)%Z) =
   (x * (Reals.Rfunctions.powerRZ x n))%R).
Proof.
intros x n h1.
rewrite 2!power_is_exponentiation by auto with zarith.
now apply Power_s.
Qed.

(* Why3 goal *)
Lemma Power_s_alt :
  forall (x:Reals.Rdefinitions.R) (n:Numbers.BinNums.Z), (0%Z < n)%Z ->
  ((Reals.Rfunctions.powerRZ x n) =
   (x * (Reals.Rfunctions.powerRZ x (n - 1%Z)%Z))%R).
Proof.
intros x n h1.
rewrite <- Power_s.
apply f_equal.
ring.
lia.
Qed.

(* Why3 goal *)
Lemma Power_1 :
  forall (x:Reals.Rdefinitions.R), ((Reals.Rfunctions.powerRZ x 1%Z) = x).
Proof.
exact Rmult_1_r.
Qed.

(* Why3 goal *)
Lemma Power_sum :
  forall (x:Reals.Rdefinitions.R) (n:Numbers.BinNums.Z) (m:Numbers.BinNums.Z),
  (0%Z <= n)%Z -> (0%Z <= m)%Z ->
  ((Reals.Rfunctions.powerRZ x (n + m)%Z) =
   ((Reals.Rfunctions.powerRZ x n) * (Reals.Rfunctions.powerRZ x m))%R).
Proof.
intros x n m h1 h2.
rewrite 3!power_is_exponentiation by auto with zarith.
apply Power_sum ; auto with real.
Qed.

(* Why3 goal *)
Lemma Power_mult :
  forall (x:Reals.Rdefinitions.R) (n:Numbers.BinNums.Z) (m:Numbers.BinNums.Z),
  (0%Z <= n)%Z -> (0%Z <= m)%Z ->
  ((Reals.Rfunctions.powerRZ x (n * m)%Z) =
   (Reals.Rfunctions.powerRZ (Reals.Rfunctions.powerRZ x n) m)).
Proof.
intros x n m h1 h2.
rewrite 3!power_is_exponentiation by auto with zarith.
apply Power_mult ; auto with real.
Qed.

(* Why3 goal *)
Lemma Power_comm1 :
  forall (x:Reals.Rdefinitions.R) (y:Reals.Rdefinitions.R),
  ((x * y)%R = (y * x)%R) -> forall (n:Numbers.BinNums.Z), (0%Z <= n)%Z ->
  (((Reals.Rfunctions.powerRZ x n) * y)%R =
   (y * (Reals.Rfunctions.powerRZ x n))%R).
Proof.
intros x y h1 n h2.
apply Rmult_comm.
Qed.

(* Why3 goal *)
Lemma Power_comm2 :
  forall (x:Reals.Rdefinitions.R) (y:Reals.Rdefinitions.R),
  ((x * y)%R = (y * x)%R) -> forall (n:Numbers.BinNums.Z), (0%Z <= n)%Z ->
  ((Reals.Rfunctions.powerRZ (x * y)%R n) =
   ((Reals.Rfunctions.powerRZ x n) * (Reals.Rfunctions.powerRZ y n))%R).
Proof.
intros x y h1 n h2.
rewrite 3!power_is_exponentiation by auto with zarith.
apply Power_comm2 ; auto with real.
Qed.

(* Why3 goal *)
Lemma Pow_ge_one :
  forall (x:Reals.Rdefinitions.R) (n:Numbers.BinNums.Z),
  (0%Z <= n)%Z /\ (1%R <= x)%R -> (1%R <= (Reals.Rfunctions.powerRZ x n))%R.
Proof.
intros x n (h1,h2).
generalize h1.
pattern n; apply Z_lt_induction; auto.
clear n h1; intros n Hind h1.
assert (h: (n = 0 \/ 0 < n)%Z) by lia.
destruct h.
subst n; rewrite Power_0; auto with *.
replace n with ((n-1)+1)%Z by ring.
rewrite Power_s; auto with zarith.
assert (h : (1 <= powerRZ x (n-1))%R).
apply Hind; lia.
replace 1%R with (1*1)%R by auto with real.
apply Rmult_le_compat; auto with real.
Qed.

why3-1.6.0/lib/coq/real/PowerReal.v000066400000000000000000000067021440160026300167530ustar00rootroot00000000000000(********************************************************************)
(*                                                                  *)
(*  The Why3 Verification Platform   /   The Why3 Development Team  *)
(*  Copyright 2010-2023 --  Inria - CNRS - Paris-Saclay University  *)
(*                                                                  *)
(*  This software is distributed under the terms of the GNU Lesser  *)
(*  General Public License version 2.1, with the special exception  *)
(*  on linking described in file LICENSE.                           *)
(*                                                                  *)
(********************************************************************)

(* This file is generated by Why3's Coq-realize driver *)
(* Beware! Only edit allowed sections below    *)
Require Import BuiltIn.
Require Reals.Rtrigo_def.
Require Reals.Rpower.
Require Reals.R_sqrt.
Require BuiltIn.
Require int.Int.
Require int.Power.
Require real.Real.
Require real.FromInt.
Require real.Square.
Require real.ExpLog.

Import Rpower.

(* Why3 comment *)
(* pow is replaced with (Reals.Rpower.Rpower x x1) by the coq driver *)

(* Why3 goal *)
Lemma Pow_def :
  forall (x:Reals.Rdefinitions.R) (y:Reals.Rdefinitions.R), (0%R < x)%R ->
  ((Reals.Rpower.Rpower x y) =
   (Reals.Rtrigo_def.exp (y * (Reals.Rpower.ln x))%R)).
Proof.
easy.
Qed.

(* Why3 goal *)
Lemma Pow_pos :
  forall (x:Reals.Rdefinitions.R) (y:Reals.Rdefinitions.R), (0%R < x)%R ->
  (0%R < (Reals.Rpower.Rpower x y))%R.
Proof.
intros x y h1.
apply Exp_prop.exp_pos.
Qed.

(* Why3 goal *)
Lemma Pow_plus :
  forall (x:Reals.Rdefinitions.R) (y:Reals.Rdefinitions.R)
    (z:Reals.Rdefinitions.R),
  (0%R < z)%R ->
  ((Reals.Rpower.Rpower z (x + y)%R) =
   ((Reals.Rpower.Rpower z x) * (Reals.Rpower.Rpower z y))%R).
Proof.
intros x y z h1.
now apply Rpower_plus.
Qed.

(* Why3 goal *)
Lemma Pow_mult :
  forall (x:Reals.Rdefinitions.R) (y:Reals.Rdefinitions.R)
    (z:Reals.Rdefinitions.R),
  (0%R < x)%R ->
  ((Reals.Rpower.Rpower (Reals.Rpower.Rpower x y) z) =
   (Reals.Rpower.Rpower x (y * z)%R)).
Proof.
intros x y z h1.
now apply Rpower_mult.
Qed.

(* Why3 goal *)
Lemma Pow_x_zero :
  forall (x:Reals.Rdefinitions.R), (0%R < x)%R ->
  ((Reals.Rpower.Rpower x 0%R) = 1%R).
Proof.
intros x h1.
now apply Rpower_O.
Qed.

(* Why3 goal *)
Lemma Pow_x_one :
  forall (x:Reals.Rdefinitions.R), (0%R < x)%R ->
  ((Reals.Rpower.Rpower x 1%R) = x).
Proof.
intros x h1.
now apply Rpower_1.
Qed.

(* Why3 goal *)
Lemma Pow_one_y :
  forall (y:Reals.Rdefinitions.R), ((Reals.Rpower.Rpower 1%R y) = 1%R).
Proof.
intros y.
unfold Rpower.
rewrite ln_1.
rewrite Rmult_0_r.
now apply  Rtrigo_def.exp_0.
Qed.

(* Why3 goal *)
Lemma Pow_x_two :
  forall (x:Reals.Rdefinitions.R), (0%R < x)%R ->
  ((Reals.Rpower.Rpower x 2%R) = (Reals.RIneq.Rsqr x)).
Proof.
intros x h1.
rewrite (Rpower_pow 2) by easy.
simpl.
now rewrite Rmult_1_r.
Qed.

(* Why3 goal *)
Lemma Pow_half :
  forall (x:Reals.Rdefinitions.R), (0%R < x)%R ->
  ((Reals.Rpower.Rpower x (1 / 2)%R) = (Reals.R_sqrt.sqrt x)).
Proof.
intros x h1.
unfold Rdiv. rewrite Rmult_1_l.
now apply Rpower_sqrt.
Qed.

(* Why3 goal *)
Lemma pow_from_int :
  forall (x:Numbers.BinNums.Z) (y:Numbers.BinNums.Z), (0%Z < x)%Z ->
  (0%Z <= y)%Z ->
  ((Reals.Rpower.Rpower (BuiltIn.IZR x) (BuiltIn.IZR y)) =
   (BuiltIn.IZR (int.Power.power x y))).
Proof.
intros x y h1 h2.
rewrite <- Z2Nat.id with (1 := h2).
rewrite <- pow_IZR.
rewrite <- INR_IZR_INZ.
apply Rpower_pow.
now apply (IZR_lt 0).
Qed.

why3-1.6.0/lib/coq/real/Real.v000066400000000000000000000143731440160026300157410ustar00rootroot00000000000000(********************************************************************)
(*                                                                  *)
(*  The Why3 Verification Platform   /   The Why3 Development Team  *)
(*  Copyright 2010-2023 --  Inria - CNRS - Paris-Saclay University  *)
(*                                                                  *)
(*  This software is distributed under the terms of the GNU Lesser  *)
(*  General Public License version 2.1, with the special exception  *)
(*  on linking described in file LICENSE.                           *)
(*                                                                  *)
(********************************************************************)

(* This file is generated by Why3's Coq-realize driver *)
(* Beware! Only edit allowed sections below    *)
Require Import BuiltIn.
Require BuiltIn.

(* Why3 comment *)
(* prefix_mn is replaced with (-x)%R by the coq driver *)

(* Why3 comment *)
(* infix_pl is replaced with (x + x1)%R by the coq driver *)

(* Why3 comment *)
(* infix_as is replaced with (x * x1)%R by the coq driver *)

(* Why3 comment *)
(* infix_ls is replaced with (x < x1)%R by the coq driver *)

(* Why3 goal *)
Lemma infix_lseq'def :
  forall (x:Reals.Rdefinitions.R) (y:Reals.Rdefinitions.R),
  (x <= y)%R <-> (x < y)%R \/ (x = y).
Proof.
intros x y.
reflexivity.
Qed.

(* Why3 goal *)
Lemma Assoc :
  forall (x:Reals.Rdefinitions.R) (y:Reals.Rdefinitions.R)
    (z:Reals.Rdefinitions.R),
  (((x + y)%R + z)%R = (x + (y + z)%R)%R).
Proof.
exact Rplus_assoc.
Qed.

(* Why3 goal *)
Lemma Unit_def_l : forall (x:Reals.Rdefinitions.R), ((0%R + x)%R = x).
Proof.
exact Rplus_0_l.
Qed.

(* Why3 goal *)
Lemma Unit_def_r : forall (x:Reals.Rdefinitions.R), ((x + 0%R)%R = x).
Proof.
exact Rplus_0_r.
Qed.

(* Why3 goal *)
Lemma Inv_def_l : forall (x:Reals.Rdefinitions.R), (((-x)%R + x)%R = 0%R).
Proof.
exact Rplus_opp_l.
Qed.

(* Why3 goal *)
Lemma Inv_def_r : forall (x:Reals.Rdefinitions.R), ((x + (-x)%R)%R = 0%R).
Proof.
exact Rplus_opp_r.
Qed.

(* Why3 goal *)
Lemma Comm :
  forall (x:Reals.Rdefinitions.R) (y:Reals.Rdefinitions.R),
  ((x + y)%R = (y + x)%R).
Proof.
exact Rplus_comm.
Qed.

(* Why3 goal *)
Lemma Assoc1 :
  forall (x:Reals.Rdefinitions.R) (y:Reals.Rdefinitions.R)
    (z:Reals.Rdefinitions.R),
  (((x * y)%R * z)%R = (x * (y * z)%R)%R).
Proof.
exact Rmult_assoc.
Qed.

(* Why3 goal *)
Lemma Mul_distr_l :
  forall (x:Reals.Rdefinitions.R) (y:Reals.Rdefinitions.R)
    (z:Reals.Rdefinitions.R),
  ((x * (y + z)%R)%R = ((x * y)%R + (x * z)%R)%R).
Proof.
intros x y z.
apply Rmult_plus_distr_l.
Qed.

(* Why3 goal *)
Lemma Mul_distr_r :
  forall (x:Reals.Rdefinitions.R) (y:Reals.Rdefinitions.R)
    (z:Reals.Rdefinitions.R),
  (((y + z)%R * x)%R = ((y * x)%R + (z * x)%R)%R).
Proof.
intros x y z.
apply Rmult_plus_distr_r.
Qed.

(* Why3 goal *)
Lemma Comm1 :
  forall (x:Reals.Rdefinitions.R) (y:Reals.Rdefinitions.R),
  ((x * y)%R = (y * x)%R).
Proof.
exact Rmult_comm.
Qed.

(* Why3 goal *)
Lemma Unitary : forall (x:Reals.Rdefinitions.R), ((1%R * x)%R = x).
Proof.
exact Rmult_1_l.
Qed.

(* Why3 goal *)
Lemma NonTrivialRing : ~ (0%R = 1%R).
Proof.
apply not_eq_sym.
exact R1_neq_R0.
Qed.

(* Why3 comment *)
(* inv is replaced with (/ x)%R by the coq driver *)

(* Why3 goal *)
Lemma Inverse :
  forall (x:Reals.Rdefinitions.R), ~ (x = 0%R) -> ((x * (/ x)%R)%R = 1%R).
Proof.
exact Rinv_r.
Qed.

(* Why3 goal *)
Lemma infix_mn'def :
  forall (x:Reals.Rdefinitions.R) (y:Reals.Rdefinitions.R),
  ((x - y)%R = (x + (-y)%R)%R).
Proof.
intros x y.
reflexivity.
Qed.

(* Why3 goal *)
Lemma infix_sl'def :
  forall (x:Reals.Rdefinitions.R) (y:Reals.Rdefinitions.R),
  ((x / y)%R = (x * (/ y)%R)%R).
Proof.
intros x y.
reflexivity.
Qed.

(* Why3 goal *)
Lemma add_div :
  forall (x:Reals.Rdefinitions.R) (y:Reals.Rdefinitions.R)
    (z:Reals.Rdefinitions.R),
  ~ (z = 0%R) -> (((x + y)%R / z)%R = ((x / z)%R + (y / z)%R)%R).
Proof.
intros.
field.
assumption.
Qed.

(* Why3 goal *)
Lemma sub_div :
  forall (x:Reals.Rdefinitions.R) (y:Reals.Rdefinitions.R)
    (z:Reals.Rdefinitions.R),
  ~ (z = 0%R) -> (((x - y)%R / z)%R = ((x / z)%R - (y / z)%R)%R).
Proof.
intros.
field.
assumption.
Qed.

(* Why3 goal *)
Lemma neg_div :
  forall (x:Reals.Rdefinitions.R) (y:Reals.Rdefinitions.R), ~ (y = 0%R) ->
  (((-x)%R / y)%R = (-(x / y)%R)%R).
Proof.
intros.
field.
assumption.
Qed.

(* Why3 goal *)
Lemma assoc_mul_div :
  forall (x:Reals.Rdefinitions.R) (y:Reals.Rdefinitions.R)
    (z:Reals.Rdefinitions.R),
  ~ (z = 0%R) -> (((x * y)%R / z)%R = (x * (y / z)%R)%R).
Proof.
intros x y z _.
apply Rmult_assoc.
Qed.

(* Why3 goal *)
Lemma assoc_div_mul :
  forall (x:Reals.Rdefinitions.R) (y:Reals.Rdefinitions.R)
    (z:Reals.Rdefinitions.R),
  ~ (y = 0%R) /\ ~ (z = 0%R) -> (((x / y)%R / z)%R = (x / (y * z)%R)%R).
Proof.
intros x y z (Zy, Zz).
unfold Rdiv.
rewrite Rmult_assoc.
now rewrite Rinv_mult_distr.
Qed.

(* Why3 goal *)
Lemma assoc_div_div :
  forall (x:Reals.Rdefinitions.R) (y:Reals.Rdefinitions.R)
    (z:Reals.Rdefinitions.R),
  ~ (y = 0%R) /\ ~ (z = 0%R) -> ((x / (y / z)%R)%R = ((x * z)%R / y)%R).
Proof.
intros x y z (Zy, Zz).
field.
now split.
Qed.

(* Why3 goal *)
Lemma Refl : forall (x:Reals.Rdefinitions.R), (x <= x)%R.
Proof.
exact Rle_refl.
Qed.

(* Why3 goal *)
Lemma Trans :
  forall (x:Reals.Rdefinitions.R) (y:Reals.Rdefinitions.R)
    (z:Reals.Rdefinitions.R),
  (x <= y)%R -> (y <= z)%R -> (x <= z)%R.
Proof.
exact Rle_trans.
Qed.

(* Why3 goal *)
Lemma Antisymm :
  forall (x:Reals.Rdefinitions.R) (y:Reals.Rdefinitions.R), (x <= y)%R ->
  (y <= x)%R -> (x = y).
Proof.
exact Rle_antisym.
Qed.

(* Why3 goal *)
Lemma Total :
  forall (x:Reals.Rdefinitions.R) (y:Reals.Rdefinitions.R),
  (x <= y)%R \/ (y <= x)%R.
Proof.
intros x y.
destruct (Rle_or_lt x y) as [H|H].
now left.
right.
now apply Rlt_le.
Qed.

(* Why3 goal *)
Lemma ZeroLessOne : (0%R <= 1%R)%R.
Proof.
exact Rle_0_1.
Qed.

(* Why3 goal *)
Lemma CompatOrderAdd :
  forall (x:Reals.Rdefinitions.R) (y:Reals.Rdefinitions.R)
    (z:Reals.Rdefinitions.R),
  (x <= y)%R -> ((x + z)%R <= (y + z)%R)%R.
Proof.
intros x y z.
exact (Rplus_le_compat_r z x y).
Qed.

(* Why3 goal *)
Lemma CompatOrderMult :
  forall (x:Reals.Rdefinitions.R) (y:Reals.Rdefinitions.R)
    (z:Reals.Rdefinitions.R),
  (x <= y)%R -> (0%R <= z)%R -> ((x * z)%R <= (y * z)%R)%R.
Proof.
intros x y z H Zz.
now apply Rmult_le_compat_r.
Qed.

why3-1.6.0/lib/coq/real/RealInfix.v000066400000000000000000000015601440160026300167310ustar00rootroot00000000000000(********************************************************************)
(*                                                                  *)
(*  The Why3 Verification Platform   /   The Why3 Development Team  *)
(*  Copyright 2010-2023 --  Inria - CNRS - Paris-Saclay University  *)
(*                                                                  *)
(*  This software is distributed under the terms of the GNU Lesser  *)
(*  General Public License version 2.1, with the special exception  *)
(*  on linking described in file LICENSE.                           *)
(*                                                                  *)
(********************************************************************)

(* This file is generated by Why3's Coq-realize driver *)
(* Beware! Only edit allowed sections below    *)
Require Import BuiltIn.
Require BuiltIn.
Require real.Real.

why3-1.6.0/lib/coq/real/Square.v000066400000000000000000000041341440160026300163100ustar00rootroot00000000000000(********************************************************************)
(*                                                                  *)
(*  The Why3 Verification Platform   /   The Why3 Development Team  *)
(*  Copyright 2010-2023 --  Inria - CNRS - Paris-Saclay University  *)
(*                                                                  *)
(*  This software is distributed under the terms of the GNU Lesser  *)
(*  General Public License version 2.1, with the special exception  *)
(*  on linking described in file LICENSE.                           *)
(*                                                                  *)
(********************************************************************)

(* This file is generated by Why3's Coq-realize driver *)
(* Beware! Only edit allowed sections below    *)
Require Import BuiltIn.
Require Reals.R_sqrt.
Require BuiltIn.
Require real.Real.

(* Why3 goal *)
Lemma sqr'def :
  forall (x:Reals.Rdefinitions.R), ((Reals.RIneq.Rsqr x) = (x * x)%R).
Proof.
intros x.
reflexivity.
Qed.

Import R_sqrt.

(* Why3 comment *)
(* sqrt is replaced with (Reals.R_sqrt.sqrt x) by the coq driver *)

(* Why3 goal *)
Lemma Sqrt_positive :
  forall (x:Reals.Rdefinitions.R), (0%R <= x)%R ->
  (0%R <= (Reals.R_sqrt.sqrt x))%R.
intros x _.
apply sqrt_pos.
Qed.

(* Why3 goal *)
Lemma Sqrt_square :
  forall (x:Reals.Rdefinitions.R), (0%R <= x)%R ->
  ((Reals.RIneq.Rsqr (Reals.R_sqrt.sqrt x)) = x).
exact sqrt_sqrt.
Qed.

(* Why3 goal *)
Lemma Square_sqrt :
  forall (x:Reals.Rdefinitions.R), (0%R <= x)%R ->
  ((Reals.R_sqrt.sqrt (x * x)%R) = x).
exact sqrt_square.
Qed.

(* Why3 goal *)
Lemma Sqrt_mul :
  forall (x:Reals.Rdefinitions.R) (y:Reals.Rdefinitions.R),
  (0%R <= x)%R /\ (0%R <= y)%R ->
  ((Reals.R_sqrt.sqrt (x * y)%R) =
   ((Reals.R_sqrt.sqrt x) * (Reals.R_sqrt.sqrt y))%R).
intros x y (hx & hy); now apply sqrt_mult.
Qed.

(* Why3 goal *)
Lemma Sqrt_le :
  forall (x:Reals.Rdefinitions.R) (y:Reals.Rdefinitions.R),
  (0%R <= x)%R /\ (x <= y)%R ->
  ((Reals.R_sqrt.sqrt x) <= (Reals.R_sqrt.sqrt y))%R.
intros x y (h1 & h2); apply sqrt_le_1; auto.
apply Rle_trans with x; auto.
Qed.

why3-1.6.0/lib/coq/real/Trigonometry.v000066400000000000000000000124251440160026300175540ustar00rootroot00000000000000(********************************************************************)
(*                                                                  *)
(*  The Why3 Verification Platform   /   The Why3 Development Team  *)
(*  Copyright 2010-2023 --  Inria - CNRS - Paris-Saclay University  *)
(*                                                                  *)
(*  This software is distributed under the terms of the GNU Lesser  *)
(*  General Public License version 2.1, with the special exception  *)
(*  on linking described in file LICENSE.                           *)
(*                                                                  *)
(********************************************************************)

(* This file is generated by Why3's Coq-realize driver *)
(* Beware! Only edit allowed sections below    *)
Require Import BuiltIn.
Require Reals.R_sqrt.
Require Reals.Rbasic_fun.
Require Reals.Rtrigo_def.
Require Reals.Rtrigo1.
Require Reals.Ratan.
Require BuiltIn.
Require real.Real.
Require real.Abs.
Require real.Square.

Require Import Reals.

(* Why3 comment *)
(* cos is replaced with (Reals.Rtrigo_def.cos x) by the coq driver *)

(* Why3 comment *)
(* sin is replaced with (Reals.Rtrigo_def.sin x) by the coq driver *)

(* Why3 goal *)
Lemma Pythagorean_identity :
  forall (x:Reals.Rdefinitions.R),
  (((Reals.RIneq.Rsqr (Reals.Rtrigo_def.cos x)) +
    (Reals.RIneq.Rsqr (Reals.Rtrigo_def.sin x)))%R
   = 1%R).
Proof.
intros x.
rewrite Rplus_comm.
apply sin2_cos2.
Qed.

(* Why3 goal *)
Lemma Cos_le_one :
  forall (x:Reals.Rdefinitions.R),
  ((Reals.Rbasic_fun.Rabs (Reals.Rtrigo_def.cos x)) <= 1%R)%R.
Proof.
intros x.
apply Abs.Abs_le.
apply COS_bound.
Qed.

(* Why3 goal *)
Lemma Sin_le_one :
  forall (x:Reals.Rdefinitions.R),
  ((Reals.Rbasic_fun.Rabs (Reals.Rtrigo_def.sin x)) <= 1%R)%R.
Proof.
intros x.
apply Abs.Abs_le.
apply SIN_bound.
Qed.

(* Why3 goal *)
Lemma Cos_0 : ((Reals.Rtrigo_def.cos 0%R) = 1%R).
Proof.
apply cos_0.
Qed.

(* Why3 goal *)
Lemma Sin_0 : ((Reals.Rtrigo_def.sin 0%R) = 0%R).
Proof.
apply sin_0.
Qed.

(* Why3 comment *)
(* pi is replaced with Reals.Rtrigo1.PI by the coq driver *)

(* Why3 goal *)
Lemma Pi_double_precision_bounds :
  ((884279719003555 / 281474976710656)%R < Reals.Rtrigo1.PI)%R /\
  (Reals.Rtrigo1.PI < (7074237752028441 / 2251799813685248)%R)%R.
Proof.
replace PI with (4 * (PI / 4))%R by field.
rewrite <- atan_1.
admit. (* to avoid a dependency on CoqInterval *)
(*
Require Import Interval_tactic.
split ; interval with (i_prec 55). 
*)
Admitted.

(* Why3 goal *)
Lemma Cos_pi : ((Reals.Rtrigo_def.cos Reals.Rtrigo1.PI) = (-1%R)%R).
Proof.
apply cos_PI.
Qed.

(* Why3 goal *)
Lemma Sin_pi : ((Reals.Rtrigo_def.sin Reals.Rtrigo1.PI) = 0%R).
Proof.
apply sin_PI.
Qed.

(* Why3 goal *)
Lemma Cos_pi2 :
  ((Reals.Rtrigo_def.cos ((1 / 2)%R * Reals.Rtrigo1.PI)%R) = 0%R).
Proof.
replace (1 / 2 * PI)%R with (PI / 2)%R by field.
apply cos_PI2.
Qed.

(* Why3 goal *)
Lemma Sin_pi2 :
  ((Reals.Rtrigo_def.sin ((1 / 2)%R * Reals.Rtrigo1.PI)%R) = 1%R).
Proof.
replace (1 / 2 * PI)%R with (PI / 2)%R by field.
apply sin_PI2.
Qed.

(* Why3 goal *)
Lemma Cos_plus_pi :
  forall (x:Reals.Rdefinitions.R),
  ((Reals.Rtrigo_def.cos (x + Reals.Rtrigo1.PI)%R) =
   (-(Reals.Rtrigo_def.cos x))%R).
Proof.
intros x.
apply neg_cos.
Qed.

(* Why3 goal *)
Lemma Sin_plus_pi :
  forall (x:Reals.Rdefinitions.R),
  ((Reals.Rtrigo_def.sin (x + Reals.Rtrigo1.PI)%R) =
   (-(Reals.Rtrigo_def.sin x))%R).
Proof.
intros x.
apply neg_sin.
Qed.

(* Why3 goal *)
Lemma Cos_plus_pi2 :
  forall (x:Reals.Rdefinitions.R),
  ((Reals.Rtrigo_def.cos (x + ((1 / 2)%R * Reals.Rtrigo1.PI)%R)%R) =
   (-(Reals.Rtrigo_def.sin x))%R).
Proof.
intros x.
rewrite cos_sin.
replace (PI / 2 + (x + 1 / 2 * PI))%R with (x + PI)%R by field.
apply neg_sin.
Qed.

(* Why3 goal *)
Lemma Sin_plus_pi2 :
  forall (x:Reals.Rdefinitions.R),
  ((Reals.Rtrigo_def.sin (x + ((1 / 2)%R * Reals.Rtrigo1.PI)%R)%R) =
   (Reals.Rtrigo_def.cos x)).
Proof.
intros x.
rewrite cos_sin.
apply f_equal.
field.
Qed.

(* Why3 goal *)
Lemma Cos_neg :
  forall (x:Reals.Rdefinitions.R),
  ((Reals.Rtrigo_def.cos (-x)%R) = (Reals.Rtrigo_def.cos x)).
Proof.
intros x.
apply cos_neg.
Qed.

(* Why3 goal *)
Lemma Sin_neg :
  forall (x:Reals.Rdefinitions.R),
  ((Reals.Rtrigo_def.sin (-x)%R) = (-(Reals.Rtrigo_def.sin x))%R).
Proof.
intros x.
apply sin_neg.
Qed.

(* Why3 goal *)
Lemma Cos_sum :
  forall (x:Reals.Rdefinitions.R) (y:Reals.Rdefinitions.R),
  ((Reals.Rtrigo_def.cos (x + y)%R) =
   (((Reals.Rtrigo_def.cos x) * (Reals.Rtrigo_def.cos y))%R -
    ((Reals.Rtrigo_def.sin x) * (Reals.Rtrigo_def.sin y))%R)%R).
Proof.
intros x y.
apply cos_plus.
Qed.

(* Why3 goal *)
Lemma Sin_sum :
  forall (x:Reals.Rdefinitions.R) (y:Reals.Rdefinitions.R),
  ((Reals.Rtrigo_def.sin (x + y)%R) =
   (((Reals.Rtrigo_def.sin x) * (Reals.Rtrigo_def.cos y))%R +
    ((Reals.Rtrigo_def.cos x) * (Reals.Rtrigo_def.sin y))%R)%R).
Proof.
intros x y.
apply sin_plus.
Qed.

(* Why3 goal *)
Lemma tan'def :
  forall (x:Reals.Rdefinitions.R),
  ((Reals.Rtrigo1.tan x) =
   ((Reals.Rtrigo_def.sin x) / (Reals.Rtrigo_def.cos x))%R).
Proof.
intros x.
apply eq_refl.
Qed.

(* Why3 comment *)
(* atan is replaced with (Reals.Ratan.atan x) by the coq driver *)

(* Why3 goal *)
Lemma Tan_atan :
  forall (x:Reals.Rdefinitions.R),
  ((Reals.Rtrigo1.tan (Reals.Ratan.atan x)) = x).
Proof.
intros x.
apply atan_right_inv.
Qed.

why3-1.6.0/lib/coq/real/Truncate.v000066400000000000000000000116341440160026300166400ustar00rootroot00000000000000(********************************************************************)
(*                                                                  *)
(*  The Why3 Verification Platform   /   The Why3 Development Team  *)
(*  Copyright 2010-2023 --  Inria - CNRS - Paris-Saclay University  *)
(*                                                                  *)
(*  This software is distributed under the terms of the GNU Lesser  *)
(*  General Public License version 2.1, with the special exception  *)
(*  on linking described in file LICENSE.                           *)
(*                                                                  *)
(********************************************************************)

(* This file is generated by Why3's Coq-realize driver *)
(* Beware! Only edit allowed sections below    *)
Require Import BuiltIn.
Require BuiltIn.
Require int.Int.
Require real.Real.
Require real.FromInt.

Require Import Flocq.Core.Core.
Require Import Lra.

(* Why3 goal *)
Notation truncate := Ztrunc.

(* Why3 goal *)
Lemma Truncate_int :
  forall (i:Numbers.BinNums.Z), ((truncate (BuiltIn.IZR i)) = i).
Proof.
  exact Ztrunc_IZR.
Qed.

(* Why3 goal *)
Lemma Truncate_down_pos :
  forall (x:Reals.Rdefinitions.R), (0%R <= x)%R ->
  ((BuiltIn.IZR (truncate x)) <= x)%R /\
  (x < (BuiltIn.IZR ((truncate x) + 1%Z)%Z))%R.
Proof.
  intros x h.
  rewrite (Ztrunc_floor x h).
  split.
  apply Zfloor_lb.
  rewrite plus_IZR; simpl.
  apply Zfloor_ub.
Qed.

(* Why3 goal *)
Lemma Truncate_up_neg :
  forall (x:Reals.Rdefinitions.R), (x <= 0%R)%R ->
  ((BuiltIn.IZR ((truncate x) - 1%Z)%Z) < x)%R /\
  (x <= (BuiltIn.IZR (truncate x)))%R.
Proof.
  intros x h.
  rewrite (Ztrunc_ceil x h).
  split;[|apply Zceil_ub].
  case (Req_dec (IZR (Zfloor x)) x); intro.
  rewrite <-H, Zceil_IZR, H, minus_IZR; simpl.
  lra.
  rewrite (Zceil_floor_neq _ H).
  rewrite minus_IZR, plus_IZR; simpl.
  pose proof (Zfloor_lb x).
  destruct (Rle_lt_or_eq_dec _ _ H0); try easy.
  lra.
Qed.

(* Why3 goal *)
Lemma Real_of_truncate :
  forall (x:Reals.Rdefinitions.R),
  ((x - 1%R)%R <= (BuiltIn.IZR (truncate x)))%R /\
  ((BuiltIn.IZR (truncate x)) <= (x + 1%R)%R)%R.
Proof.
  intro x.
  destruct (Rle_lt_dec x 0).
  + rewrite Ztrunc_ceil; auto.
    destruct (Req_dec (IZR (Zfloor x)) x).
    rewrite <-H at 2 3; rewrite Zceil_IZR, H; split; lra.
    rewrite Zceil_floor_neq; auto.
    pose proof (Zfloor_lb x);
      pose proof (Zfloor_ub x).
    rewrite plus_IZR; split; lra.
  + rewrite Ztrunc_floor by lra.
    pose proof (Zfloor_lb x);
      pose proof (Zfloor_ub x).
    split; lra.
Qed.

(* Why3 goal *)
Lemma Truncate_monotonic :
  forall (x:Reals.Rdefinitions.R) (y:Reals.Rdefinitions.R), (x <= y)%R ->
  ((truncate x) <= (truncate y))%Z.
Proof.
  apply Ztrunc_le.
Qed.

(* Why3 goal *)
Lemma Truncate_monotonic_int1 :
  forall (x:Reals.Rdefinitions.R) (i:Numbers.BinNums.Z),
  (x <= (BuiltIn.IZR i))%R -> ((truncate x) <= i)%Z.
Proof.
  intros x i h.
  destruct (Rle_lt_dec x 0).
  + rewrite Ztrunc_ceil; auto.
    apply Zceil_glb; assumption.
  + rewrite Ztrunc_floor by lra.
    apply le_IZR.
    apply Rle_trans with (r2:=x);[apply Zfloor_lb|assumption].
Qed.

(* Why3 goal *)
Lemma Truncate_monotonic_int2 :
  forall (x:Reals.Rdefinitions.R) (i:Numbers.BinNums.Z),
  ((BuiltIn.IZR i) <= x)%R -> (i <= (truncate x))%Z.
Proof.
  intros x i h.
  destruct (Rle_lt_dec x 0).
  + rewrite Ztrunc_ceil; auto.
    apply le_IZR.
    apply Rle_trans with (r2:=x);[assumption|apply Zceil_ub].
  + rewrite Ztrunc_floor by lra.
    apply Zfloor_lub; assumption.
Qed.

(* Why3 goal *)
Notation floor := Zfloor.

(* Why3 goal *)
Notation ceil := Zceil.

(* Why3 goal *)
Lemma Floor_int :
  forall (i:Numbers.BinNums.Z), ((floor (BuiltIn.IZR i)) = i).
Proof.
  exact Zfloor_IZR.
Qed.

(* Why3 goal *)
Lemma Ceil_int : forall (i:Numbers.BinNums.Z), ((ceil (BuiltIn.IZR i)) = i).
Proof.
  exact Zceil_IZR.
Qed.

(* Why3 goal *)
Lemma Floor_down :
  forall (x:Reals.Rdefinitions.R),
  ((BuiltIn.IZR (floor x)) <= x)%R /\
  (x < (BuiltIn.IZR ((floor x) + 1%Z)%Z))%R.
Proof.
  intro x.
  split.
  apply Zfloor_lb.
  rewrite plus_IZR.
  apply Zfloor_ub.
Qed.

Lemma ceil_lb: forall x, ((IZR (ceil x) - 1) < x)%R.
Proof.
  intro.
  case (Req_dec (IZR (Zfloor x)) x); intro.
  rewrite <-H, Zceil_IZR, H; simpl; lra.
  rewrite (Zceil_floor_neq _ H).
  rewrite plus_IZR; simpl.
  pose proof (Zfloor_lb x).
  destruct (Rle_lt_or_eq_dec _ _ H0); try easy.
  lra.
Qed.

(* Why3 goal *)
Lemma Ceil_up :
  forall (x:Reals.Rdefinitions.R),
  ((BuiltIn.IZR ((ceil x) - 1%Z)%Z) < x)%R /\ (x <= (BuiltIn.IZR (ceil x)))%R.
Proof.
intro x.
split; [|apply Zceil_ub].
rewrite minus_IZR.
apply ceil_lb.
Qed.

(* Why3 goal *)
Lemma Floor_monotonic :
  forall (x:Reals.Rdefinitions.R) (y:Reals.Rdefinitions.R), (x <= y)%R ->
  ((floor x) <= (floor y))%Z.
Proof.
  apply Zfloor_le.
Qed.

(* Why3 goal *)
Lemma Ceil_monotonic :
  forall (x:Reals.Rdefinitions.R) (y:Reals.Rdefinitions.R), (x <= y)%R ->
  ((ceil x) <= (ceil y))%Z.
Proof.
  apply Zceil_le.
Qed.

why3-1.6.0/lib/coq/set/000077500000000000000000000000001440160026300145275ustar00rootroot00000000000000why3-1.6.0/lib/coq/set/Cardinal.v000066400000000000000000000763711440160026300164510ustar00rootroot00000000000000(********************************************************************)
(*                                                                  *)
(*  The Why3 Verification Platform   /   The Why3 Development Team  *)
(*  Copyright 2010-2023 --  Inria - CNRS - Paris-Saclay University  *)
(*                                                                  *)
(*  This software is distributed under the terms of the GNU Lesser  *)
(*  General Public License version 2.1, with the special exception  *)
(*  on linking described in file LICENSE.                           *)
(*                                                                  *)
(********************************************************************)

(* This file is generated by Why3's Coq-realize driver *)
(* Beware! Only edit allowed sections below    *)
Require Import BuiltIn.
Require BuiltIn.
Require HighOrd.
Require int.Int.
Require set.Set.
Require map.Map.
Require map.Const.

Require Import Lia.

(* Why3 goal *)
Definition is_finite {a:Type} {a_WT:WhyType a} :
  (a -> Init.Datatypes.bool) -> Prop.
Proof.
intros f.
(* Weak Finite Sets seems difficult to use here because they are defined as a
   functor which takes the type as argument. For the type a here, we would need
   to define the module during proof (or inside section) which is not possible.
   When it becomes possible, it would be much better to use Weak Finite Sets.
*)
(* We take a list to represent sets because it is simple and convenient. 
   This is naive though and could easily be improved. The list is supposed to have
   no duplication (for cardinal). *)
exact (exists l: List.list a, List.NoDup l /\ forall e, List.In e l <-> f e = true). 
Defined.

(* Why3 goal *)
Lemma is_finite_empty {a:Type} {a_WT:WhyType a} :
  forall (s:a -> Init.Datatypes.bool), set.Set.is_empty s -> is_finite s.
Proof.
intros s h1.
exists List.nil.
split. constructor.
split; intros Hemp.
+ destruct Hemp.
+ destruct (h1 e Hemp).
Qed.

(* Why3 goal *)
Lemma is_finite_subset {a:Type} {a_WT:WhyType a} :
  forall (s1:a -> Init.Datatypes.bool) (s2:a -> Init.Datatypes.bool),
  is_finite s2 -> set.Set.subset s1 s2 -> is_finite s1.
Proof.
intros s1 s2 h1 h2.
destruct h1 as [l2 [Hdup h1]].
revert s1 s2 h1 h2.
(* The idea is to build the new list by induction. Two cases exists: the new element of s2 
   is in s1 too or not *)
induction l2; intros.
+ exists nil. 
  split; [|split].
  - constructor. 
  - eauto. 
  - intros. eapply h2 in H. eapply h1. assumption.
+ destruct (List.in_dec why_decidable_eq a0 l2).
  - eapply IHl2; eauto. { inversion Hdup; eauto. }
    split; intros.
    * destruct (why_decidable_eq a0 e). 
      ++ eapply h1. left. auto.
      ++ eapply h1; eauto. right. eauto.
    * destruct (h1 e). destruct H1; eauto. subst. assumption.
  - assert (Hdup2: List.NoDup l2). { inversion Hdup; eauto. } 
    destruct (Bool.bool_dec (s1 a0) true).
    * destruct (IHl2 Hdup2 (fun x => if why_decidable_eq x a0 then false else s1 x) 
                           (fun x => if why_decidable_eq x a0 then false else s2 x)).
      ++ intros. split; intros. destruct why_decidable_eq; eauto. subst. intuition.
         eapply h1. right. assumption.
         destruct why_decidable_eq; eauto. inversion H. eapply h1 in H. destruct H. destruct n0; auto. assumption.
      ++ intros x H1. unfold set.Set.mem in *. destruct why_decidable_eq. auto. eapply h2. apply H1.
      ++ exists (List.cons a0 x). split; [| split]; intros.
         -- destruct H. constructor; [| eauto]. intro Habs. eapply H0 in Habs.
            destruct why_decidable_eq. inversion Habs. auto.
         -- destruct H0; try subst; eauto. eapply H in H0. destruct why_decidable_eq; eauto.
            inversion H0.
         -- destruct H as [Hdup3 H]. specialize (H e0). destruct why_decidable_eq. left. auto. right. eapply H. assumption. 
    * destruct (IHl2 Hdup2 s1 (fun x => if why_decidable_eq x a0 then false else s2 x)).
      ++ split; intros. destruct why_decidable_eq. subst. intuition. eapply h1. right. assumption.
         destruct why_decidable_eq. inversion H. eapply h1 in H. destruct H; try subst; intuition.
      ++ intros e H. unfold set.Set.mem in *. destruct why_decidable_eq. subst.
         intuition.
         eapply h2. eapply H.
      ++ exists x. auto.
Qed.

(* Why3 goal *)
Lemma is_finite_add {a:Type} {a_WT:WhyType a} :
  forall (x:a) (s:a -> Init.Datatypes.bool), is_finite s ->
  is_finite (map.Map.set s x Init.Datatypes.true).
Proof.
intros x s h1.
destruct h1 as [l1 [Hdup h1]].
destruct (List.in_dec why_decidable_eq x l1).
- exists l1. split; eauto. intros. unfold Map.set. destruct why_decidable_eq. 
  subst. intuition. apply h1.
- exists (List.cons x l1). 
  split; [| split]; intros.
  + constructor; eauto.
  + destruct H. eapply Map.set'def; eauto.
    eapply h1 in H. unfold Map.set. destruct why_decidable_eq; eauto.
  + unfold Map.set in *. destruct why_decidable_eq. left. auto.
    right. eapply h1; eauto.
Qed.

(* Why3 goal *)
Lemma is_finite_add_rev {a:Type} {a_WT:WhyType a} :
  forall (x:a) (s:a -> Init.Datatypes.bool),
  is_finite (map.Map.set s x Init.Datatypes.true) -> is_finite s.
Proof.
intros x s h1.
eapply is_finite_subset; eauto.
intros e H. unfold Map.set, set.Set.mem in *. destruct why_decidable_eq; eauto. 
Qed.

(* Why3 goal *)
Lemma is_finite_singleton {a:Type} {a_WT:WhyType a} :
  forall (x:a),
  is_finite
  (map.Map.set
   (map.Const.const Init.Datatypes.false : a -> Init.Datatypes.bool) x
   Init.Datatypes.true).
Proof.
intros x.
exists (List.cons x List.nil).
unfold Map.set. 
split; [|split]; intros.
+ constructor. intro Habs. inversion Habs. constructor.
+ destruct why_decidable_eq; intuition.
  destruct H as [Hsubst | []]. subst. destruct n; reflexivity.
+ destruct why_decidable_eq; intuition.
  left. assumption.
  inversion H.
Qed.

(* Why3 goal *)
Lemma is_finite_remove {a:Type} {a_WT:WhyType a} :
  forall (x:a) (s:a -> Init.Datatypes.bool), is_finite s ->
  is_finite (map.Map.set s x Init.Datatypes.false).
Proof.
intros x s h1.
eapply is_finite_subset; eauto. 
eapply set.Set.subset_remove.
Qed.

(* Why3 goal *)
Lemma is_finite_remove_rev {a:Type} {a_WT:WhyType a} :
  forall (x:a) (s:a -> Init.Datatypes.bool),
  is_finite (map.Map.set s x Init.Datatypes.false) -> is_finite s.
Proof.
intros x s h1.
destruct h1 as [l1 [Hdup h1]].
destruct (Bool.bool_dec (s x) true) as [Heq | Heq].
+ exists (List.cons x l1).
  split.
  - constructor; auto. intro Habs. eapply h1 in Habs. unfold Map.set in Habs. 
    destruct why_decidable_eq; intuition.
  - unfold Map.set in h1. intros. specialize (h1 e). destruct why_decidable_eq; [| intuition]. subst.
    split; intuition. destruct H1; eauto.
+ exists l1.
  split; [auto|]. intros. specialize (h1 e). replace (Map.set s x false e) with (s e) in h1.
  eauto.
  unfold Map.set. destruct why_decidable_eq. subst. destruct (s e); intuition.
  reflexivity.
Qed.

(* Unnecessary lemma *)
Lemma NoDup_exists: forall {A} (eq_dec: forall x y: A, {x = y} + {x <> y}) P (Pdec: forall e, {P e} + {~ P e}) (l: List.list A), 
  exists l1, List.NoDup l1 /\ forall e, List.In e l1 <-> (List.In e l /\ P e).
Proof.
induction l.
- exists List.nil. split. constructor. intros. intuition. inversion H.
- destruct IHl. destruct H.
  destruct (List.in_dec eq_dec a l). 
  + exists x. split; eauto. intros. rewrite H0.
    split; intuition. inversion H2; eauto. subst. assumption.
  + destruct (Pdec a). 
    ++ exists (List.cons a x). split. constructor; eauto.
       rewrite H0. intro Habs. destruct Habs; eauto.
       intros. simpl. rewrite H0. intuition. subst. assumption.
    ++ exists x. split; eauto. intros. rewrite H0. intuition. simpl in H2. destruct H2; try subst; intuition. 
Qed.

(* Why3 goal *)
Lemma is_finite_union {a:Type} {a_WT:WhyType a} :
  forall (s1:a -> Init.Datatypes.bool) (s2:a -> Init.Datatypes.bool),
  is_finite s1 -> is_finite s2 -> is_finite (set.Set.union s1 s2).
Proof.
intros s1 s2 h1 h2.
destruct h1 as [l1 [Hdup1 h1]].
destruct h2 as [l2 [Hdup2 h2]].

assert (exists l, List.NoDup l /\ 
  forall x, List.In x l <-> List.In x (List.app l1 l2) /\ True).
{ eapply NoDup_exists. eapply why_decidable_eq. eauto. }
destruct H as [l [Hdup H]].
exists l.
split; eauto.
intros. generalize (List.in_app_iff l1 l2 e); intros.
rewrite H. clear H. unfold set.Set.union. rewrite Bool.orb_true_iff.
rewrite H0.
transitivity (List.In e l1 \/ s2 e = true). rewrite or_iff_compat_l; eauto. intuition.
rewrite or_iff_compat_r; eauto. reflexivity.
Qed.

(* Why3 goal *)
Lemma is_finite_union_rev {a:Type} {a_WT:WhyType a} :
  forall (s1:a -> Init.Datatypes.bool) (s2:a -> Init.Datatypes.bool),
  is_finite (set.Set.union s1 s2) -> is_finite s1 /\ is_finite s2.
Proof.
intros s1 s2 h1.
split; eapply is_finite_subset; eauto.
+ apply set.Set.subset_union_1.
+ apply set.Set.subset_union_2.
Qed.

(* Why3 goal *)
Lemma is_finite_inter_left {a:Type} {a_WT:WhyType a} :
  forall (s1:a -> Init.Datatypes.bool) (s2:a -> Init.Datatypes.bool),
  is_finite s1 -> is_finite (set.Set.inter s1 s2).
Proof.
intros s1 s2 h1.
eapply is_finite_subset; eauto.
eapply set.Set.subset_inter_1.
Qed.

(* Why3 goal *)
Lemma is_finite_inter_right {a:Type} {a_WT:WhyType a} :
  forall (s1:a -> Init.Datatypes.bool) (s2:a -> Init.Datatypes.bool),
  is_finite s2 -> is_finite (set.Set.inter s1 s2).
Proof.
intros s1 s2 h1.
eapply is_finite_subset; eauto.
eapply set.Set.subset_inter_2.
Qed.

(* Why3 goal *)
Lemma is_finite_diff {a:Type} {a_WT:WhyType a} :
  forall (s1:a -> Init.Datatypes.bool) (s2:a -> Init.Datatypes.bool),
  is_finite s1 -> is_finite (set.Set.diff s1 s2).
Proof.
intros s1 s2 h1.
eapply is_finite_subset; eauto.
eapply set.Set.subset_diff.
Qed.

(* Why3 goal *)
Lemma is_finite_map {a:Type} {a_WT:WhyType a} {b:Type} {b_WT:WhyType b} :
  forall (f:a -> b) (s:a -> Init.Datatypes.bool), is_finite s ->
  is_finite (set.Set.map f s).
Proof.
intros f s h1.
destruct h1 as [l1 [Hdup1 h1]].
assert (exists l, List.NoDup l /\ 
          forall e, List.In e l <-> List.In e (List.map f l1) /\ True).
{ eapply NoDup_exists. eapply why_decidable_eq. eauto. }
destruct H as [l [Hdupl H]].
exists l. 
split.
- assumption.
- intros. rewrite (set.Set.map'def f s e).
  rewrite H. 
  rewrite (List.in_map_iff f l1 e).
  split; intros. destruct H0. destruct H0.
  rewrite h1 in H0. exists x. intuition.
  destruct H0. 
  split.
  exists x. rewrite h1. intuition.
  constructor. 
Qed.

Lemma NoDup_app: forall {A} l l'
  (Hnotin: forall e: A, List.In e l -> ~ List.In e l'),
  List.NoDup l -> List.NoDup l' -> List.NoDup (List.app l l').
Proof.
induction l; intros.
+ simpl. assumption.
+ simpl. apply List.NoDup_cons.
  - rewrite List.in_app_iff. intuition.
    rewrite List.NoDup_cons_iff in H. intuition.
    apply (Hnotin a). apply List.in_eq. assumption.
  - apply IHl. intros e He. apply (Hnotin e). apply List.in_cons. assumption.
    rewrite List.NoDup_cons_iff in H. intuition.
    assumption.
Qed.

Lemma nodup_prod {T1 T2} (l1 : list T1) (l2 : list T2):
  List.NoDup l1 -> List.NoDup l2 ->
  List.NoDup (List.list_prod l1 l2).
Proof.
  induction l1.
  intros _ _. apply List.NoDup_nil.
  intros h1 h2. simpl.
  apply NoDup_app.
  intros e He. destruct e as [x1 x2].
  rewrite List.in_prod_iff.
  rewrite List.in_map_iff in He.
  destruct He as [x [Ha _]].
  assert (a = x1).
  change a with (fst (a, x)). change x1 with (fst (x1, x2)).
  rewrite Ha. reflexivity.
  rewrite <- H.
  rewrite List.NoDup_cons_iff in h1.
  intuition.
  apply List.NoDup_map_inv with T2 (fun (p : T1 * T2) => let (a, y) := p in y).
  rewrite List.map_map. rewrite List.map_id. assumption.
  apply IHl1. rewrite List.NoDup_cons_iff in h1. intuition.
  assumption.
Qed.

(* Why3 goal *)
Lemma is_finite_product {a:Type} {a_WT:WhyType a} {b:Type} {b_WT:WhyType b} :
  forall (s1:a -> Init.Datatypes.bool) (s2:b -> Init.Datatypes.bool),
  is_finite s1 -> is_finite s2 -> is_finite (set.Set.product s1 s2).
Proof.
  intros s1 s2 h1 h2.
  destruct h1 as [l1 [ndl1 h1]].
  destruct h2 as [l2 [ndl2 h2]].
  exists (List.list_prod l1 l2).
  split. apply nodup_prod. assumption. assumption.
  intro e.
  destruct e as [x y].
  fold (set.Set.mem (x, y) (set.Set.product s1 s2)).
  rewrite set.Set.product_def.
  rewrite List.in_prod_iff, h1, h2.
  intuition.
Qed.

(* Why3 goal *)
Definition cardinal {a:Type} {a_WT:WhyType a} :
  (a -> Init.Datatypes.bool) -> Numbers.BinNums.Z.
Proof.
intros f.
(* There are no algorithms that decide at some point that the set is infinite *)
destruct (ClassicalEpsilon.excluded_middle_informative (is_finite f)).
+ (* Case when the set is finite. Take the length of a list with No duplication *)
  unfold is_finite in i. 
  assert (Hdef: {l : list a | is_finite f -> List.NoDup l /\ 
                    (forall e : a, List.In e l <-> f e = true)}).
  eapply (ClassicalEpsilon.classical_indefinite_description). 
  constructor. apply List.nil.
  destruct Hdef as (l, Hdef).
  apply (Z.of_nat (List.length l)).
+ (* Case when set is infinite: default value = 0 *)
  apply Z.zero.
Defined.

Lemma cardinal_list {a} {a_WT:WhyType a} (l : list a) s :
  List.NoDup l -> (forall e, List.In e l <-> s e = true) ->
  (cardinal s = Z_of_nat (length l))%Z.
Proof.
  intros H1 H2.
  unfold cardinal.
  assert (is_finite s).
  exists l. intuition.
  destruct ClassicalEpsilon.excluded_middle_informative; [| intuition].
  destruct ClassicalEpsilon.classical_indefinite_description.
  specialize (a0 i). clear H i. destruct a0 as [G1 G2].
  assert (length x <= length l).
  apply List.NoDup_incl_length. assumption.
  intros e H. rewrite H2. rewrite G2 in H. assumption.
  assert (length l <= length x).
  apply List.NoDup_incl_length. assumption.
  intros e h. rewrite G2. rewrite H2 in h. assumption.
  lia.
Qed.

(* Why3 goal *)
Lemma cardinal_nonneg {a:Type} {a_WT:WhyType a} :
  forall (s:a -> Init.Datatypes.bool), (0%Z <= (cardinal s))%Z.
Proof.
intros s.
unfold cardinal. destruct ClassicalEpsilon.excluded_middle_informative.
destruct ClassicalEpsilon.classical_indefinite_description.
lia.
reflexivity.
Qed.

(* Why3 goal *)
Lemma cardinal_empty {a:Type} {a_WT:WhyType a} :
  forall (s:a -> Init.Datatypes.bool), is_finite s ->
  set.Set.is_empty s <-> ((cardinal s) = 0%Z).
Proof.
intros s h1.
unfold cardinal. assert (Hsav := h1). destruct h1. 
destruct ClassicalEpsilon.excluded_middle_informative as [Hfin | Hnfin].
- destruct ClassicalEpsilon.classical_indefinite_description as (l, Hex).
  specialize (Hex Hfin).
  split; intros. 
  * unfold set.Set.is_empty, set.Set.mem in H0. 
    destruct l.
    + reflexivity.
    + destruct (H0 a0). eapply Hex. left. reflexivity.
  * unfold set.Set.is_empty, set.Set.mem. intros e Habs. eapply Hex in Habs.
    destruct l. destruct Habs. inversion H0.
- intuition. 
Qed.

(* Why3 goal *)
Lemma cardinal_add {a:Type} {a_WT:WhyType a} :
  forall (x:a), forall (s:a -> Init.Datatypes.bool), is_finite s ->
  (set.Set.mem x s ->
   ((cardinal (map.Map.set s x Init.Datatypes.true)) = (cardinal s))) /\
  (~ set.Set.mem x s ->
   ((cardinal (map.Map.set s x Init.Datatypes.true)) =
    ((cardinal s) + 1%Z)%Z)).
Proof.
intros x s h1.
split; intros.
- rewrite <- (set.Set.extensionality s (Map.set s x true)). reflexivity. intro.
  unfold set.Set.mem, Map.set in *. destruct why_decidable_eq; try subst; intuition.
- assert (is_finite (Map.set s x true)). { apply is_finite_add. assumption. }
  unfold cardinal.
  destruct ClassicalEpsilon.excluded_middle_informative; [| intuition].
  destruct ClassicalEpsilon.classical_indefinite_description.
  destruct ClassicalEpsilon.excluded_middle_informative; [| intuition].
  destruct ClassicalEpsilon.classical_indefinite_description.
  specialize (a0 H0). specialize (a1 h1).
  assert (Hnat: length x0 = S (length x1)). 
  { (* Here we base the proof on the fact that the first list where one cons x is the 
       same length as the second one because they have the same elements and NoDup. *)
    assert (List.NoDup (List.cons x x1)). 
    { constructor. intro Habs. apply H. eapply a1 in Habs. assumption. apply a1. }
    assert (forall e, List.In e (x :: x1) <-> List.In e x0). 
    {
      intros. simpl. destruct a0 as (Hdupx0, Heq0). rewrite Heq0. destruct a1 as (Hdupx1, Heq1).
      rewrite Heq1. unfold Map.set. destruct why_decidable_eq; intuition. 
    }
    assert (length x0 <= length (List.cons x x1) /\ (length (List.cons x x1) <= length x0)).  
    {
      split.
      + eapply List.NoDup_incl_length; eauto. apply a0. intros e Hincl. eapply H2. assumption.
      + eapply List.NoDup_incl_length; eauto. intros e Hincl. eapply H2. assumption.
    }
    intuition.
  }
  rewrite Hnat. rewrite Nat2Z.inj_succ. ring. 
Qed.

(* Why3 goal *)
Lemma cardinal_remove {a:Type} {a_WT:WhyType a} :
  forall (x:a), forall (s:a -> Init.Datatypes.bool), is_finite s ->
  (set.Set.mem x s ->
   ((cardinal (map.Map.set s x Init.Datatypes.false)) =
    ((cardinal s) - 1%Z)%Z)) /\
  (~ set.Set.mem x s ->
   ((cardinal (map.Map.set s x Init.Datatypes.false)) = (cardinal s))).
Proof.
intros x s h1.
split.
- intros.
  pose (s' := Map.set s x false).
  fold s'. 
  assert (Map.set s' x true = s). 
  { 
    apply set.Set.extensionality. intro e.
    unfold s', set.Set.mem. unfold Map.set. destruct why_decidable_eq. subst. intuition.
    intuition.
  }
  rewrite <- H0.
  assert (~ set.Set.mem x s'). 
  { unfold s'. unfold Map.set, set.Set.mem.
    destruct why_decidable_eq; intuition. 
  }
  eapply cardinal_add in H1. rewrite H1. ring.
  unfold s'. eapply is_finite_remove. assumption.
- intros.
  assert (Map.set s x false = s).
  {
    apply set.Set.extensionality. intro. unfold Map.set, set.Set.mem.
    destruct why_decidable_eq; intuition. subst. eauto.
  }
  rewrite H0. reflexivity.
Qed.

(* Why3 goal *)
Lemma cardinal_subset {a:Type} {a_WT:WhyType a} :
  forall (s1:a -> Init.Datatypes.bool) (s2:a -> Init.Datatypes.bool),
  is_finite s2 -> set.Set.subset s1 s2 -> ((cardinal s1) <= (cardinal s2))%Z.
Proof.
intros s1 s2 h1 h2.
assert (is_finite s1).
{
  eapply is_finite_subset; eauto.
}
(* Remove ClassicalEpsilon noise *)
unfold cardinal.
destruct ClassicalEpsilon.excluded_middle_informative; [| intuition].
destruct ClassicalEpsilon.classical_indefinite_description.
destruct ClassicalEpsilon.excluded_middle_informative; [| intuition].
destruct ClassicalEpsilon.classical_indefinite_description.
specialize (a0 H). specialize (a1 h1).
destruct a0 as [Hdupx Heqx]. destruct a1 as [Hdupx0 Heqx0].
(* Same goal without ClassicalEpsilon indirection *)
assert (List.length x <= List.length x0).
{
  eapply List.NoDup_incl_length; eauto.
  intros e H1.
  eapply Heqx0. eapply Heqx in H1. unfold set.Set.subset, set.Set.mem in h2. eapply h2 in H1. assumption.
}
lia.
Qed.

(* Why3 goal *)
Lemma subset_eq {a:Type} {a_WT:WhyType a} :
  forall (s1:a -> Init.Datatypes.bool) (s2:a -> Init.Datatypes.bool),
  is_finite s2 -> set.Set.subset s1 s2 -> ((cardinal s1) = (cardinal s2)) ->
  (s1 = s2).
Proof.
intros s1 s2 h1 h2 h3.
assert (is_finite s1). 
{
  eapply is_finite_subset; eauto.
}
unfold cardinal in h3.
(* Remove classical epsilon noise *)
destruct ClassicalEpsilon.excluded_middle_informative; [| intuition].
destruct ClassicalEpsilon.classical_indefinite_description.
destruct ClassicalEpsilon.excluded_middle_informative; [| intuition].
destruct ClassicalEpsilon.classical_indefinite_description.
specialize (a0 H). specialize (a1 h1).
rename x into l1.
rename x0 into l2.
destruct a0 as [Hdup1 Heq1].
destruct a1 as [Hdup2 Heq2].
assert (List.incl l1 l2).
{
  intros e H1. eapply Heq2. eapply h2. eapply Heq1. assumption.
}
eapply set.Set.extensionality. intro.
unfold set.Set.mem.
unfold set.Set.subset in h2.
rewrite <- Heq2, <- Heq1.
assert (List.length l1 = List.length l2).
{
  lia.
}
split. eauto.
eapply List.NoDup_length_incl; eauto. lia.
Qed.

(* Why3 goal *)
Lemma cardinal1 {a:Type} {a_WT:WhyType a} :
  forall (s:a -> Init.Datatypes.bool), ((cardinal s) = 1%Z) -> forall (x:a),
  set.Set.mem x s -> (x = (set.Set.pick s)).
Proof.
intros s h1 x h2.
unfold cardinal in *.
destruct ClassicalEpsilon.excluded_middle_informative.
* destruct ClassicalEpsilon.classical_indefinite_description.
  specialize (a0 i). 
  assert (H: ~ set.Set.is_empty s). { unfold set.Set.is_empty. intro. eapply H. eassumption. } 
  specialize (set.Set.pick_def s H). intros. unfold set.Set.mem in *.
  destruct x0. 
  + inversion h1.
  + destruct x0.
    - simpl in a0. eapply a0 in h2. eapply a0 in H0. intuition. subst. reflexivity.
    - simpl in h1; contradict h1; lia.
* inversion h1.
Qed.

Lemma length_prop: forall {A} (eq_dec: forall x y: A, {x = y} + {x <> y}) lu li (lui: List.list A), 
  List.NoDup lu -> List.NoDup li -> List.NoDup lui ->
  List.incl li lu -> (forall e, List.In e lui <-> List.In e lu /\ not (List.In e li)) ->
  List.length lui = List.length lu - List.length li.
Proof.
induction lu; intros.
+ assert (lui = List.nil). destruct lui; eauto. specialize (H3 a); eauto. intuition. destruct H4.
  left. reflexivity. destruct H4.
  subst. reflexivity.
+ destruct (List.in_dec eq_dec a li).
  * destruct (List.in_split a li i) as [li' [li'' Hlieq]].
    assert (List.length lui = List.length lu - List.length (List.app li' li'')).
    { 
      eapply IHlu; eauto.
      - inversion H; eauto.
      - rewrite Hlieq in H0. eapply List.NoDup_remove_1; eauto.
      - intro. intros. specialize (H2 a0). rewrite Hlieq in H2.
        simpl in H2. rewrite List.in_app_iff in H2. simpl in H2.
        destruct (eq_dec a a0). 
        * subst. eapply List.NoDup_remove_2 in H0; intuition.
        * destruct H2.
          ++ eapply List.in_app_iff in H4. intuition. 
          ++ destruct n; eauto.
          ++ assumption.
     - intros. rewrite H3. simpl. rewrite List.in_app_iff.
       rewrite Hlieq. rewrite List.in_app_iff. simpl. intuition.
       subst. inversion H. intuition.
   }
   rewrite Hlieq. rewrite List.app_length. simpl length.
   rewrite H4. rewrite List.app_length. lia.
  * assert (List.In a lui). { eapply H3. split. left. reflexivity. assumption. }
    destruct (List.in_split a lui H4) as [lui' [lui'' Hlui]].
    assert (length (List.app lui' lui'') = length lu - length li).
    {
      eapply IHlu; eauto.
      - inversion H. assumption.
      - rewrite Hlui in H1.  eapply List.NoDup_remove_1; eauto.
      - intros e Hincl. specialize (H2 e Hincl). simpl in H2. intuition. subst.
        intuition.
      - intros. destruct (eq_dec a e).
        -- split; intros. assert False. rewrite Hlui in H1. eapply List.NoDup_remove_2 in H1. destruct H1. 
           subst. assumption. destruct H6.
           inversion H. subst. destruct H8. apply H5.
        -- rewrite Hlui in H3. specialize (H3 e).
           rewrite List.in_app_iff in H3. simpl in H3.
           rewrite List.in_app_iff. clear - H3 n0. intuition.
    }
    rewrite Hlui. rewrite List.app_length. simpl length. rewrite List.app_length in H5.
    assert (List.length li <= List.length lu).
    {
      eapply List.NoDup_incl_length; eauto.
      intros e Hincl. specialize (H2 e Hincl). simpl in H2. intuition. subst.
      intuition.
    }
  lia.
Qed.

(* Why3 goal *)
Lemma cardinal_union {a:Type} {a_WT:WhyType a} :
  forall (s1:a -> Init.Datatypes.bool) (s2:a -> Init.Datatypes.bool),
  is_finite s1 -> is_finite s2 ->
  ((cardinal (set.Set.union s1 s2)) =
   (((cardinal s1) + (cardinal s2))%Z - (cardinal (set.Set.inter s1 s2)))%Z).
Proof.
intros s1 s2 h1 h2.
assert (is_finite (set.Set.union s1 s2)). { apply is_finite_union; eauto. }
assert (is_finite (set.Set.inter s1 s2)). { apply is_finite_inter_left; eauto. }
unfold cardinal.
(* Remove classical epsilon noise *)
destruct ClassicalEpsilon.excluded_middle_informative; [| intuition].
destruct ClassicalEpsilon.classical_indefinite_description.
destruct ClassicalEpsilon.excluded_middle_informative; [| intuition].
destruct ClassicalEpsilon.classical_indefinite_description.
destruct ClassicalEpsilon.excluded_middle_informative; [| intuition].
destruct ClassicalEpsilon.classical_indefinite_description.
destruct ClassicalEpsilon.excluded_middle_informative; [| intuition].
destruct ClassicalEpsilon.classical_indefinite_description.
specialize (a0 H). specialize (a1 h1). specialize (a2 h2). specialize (a3 H0).
destruct a0 as [Hdup_un Heq_un].
destruct a1 as [Hdups2 Heqs2].
destruct a2 as [Hdups1 Heqs1].
destruct a3 as [Hdup_int Heq_int].
rename x into lun. rename x0 into l1. rename x1 into l2. rename x2 into lint.
(* In terms of list, we create the list that has elements of union - intersection. 
   And we create the union of (l1 - intersection) and (l2 - intersection).
   We obtain a list equality. We can deduce the length equation from that. *)
assert (exists lun_lint, List.NoDup lun_lint /\
  forall e, List.In e lun_lint <-> (List.In e lun /\ not (List.In e lint))).
{
  eapply NoDup_exists. eapply why_decidable_eq. intros. 
  destruct (List.in_dec why_decidable_eq e lint); eauto.
}
destruct H1 as [lun_lint [Hduplun_lint Heqlun_lint]].
assert (List.length lun_lint = List.length lun - List.length lint).
{
eapply length_prop; eauto. apply why_decidable_eq.
intro. intros. eapply Heq_un. eapply set.Set.union'def. eapply Heq_int in H1.
eapply set.Set.inter'def in H1. intuition.
}

assert (exists l1_lint, List.NoDup l1_lint /\
  forall e, List.In e l1_lint <-> (List.In e l1 /\ not (List.In e lint))).
{
  eapply NoDup_exists. eapply why_decidable_eq. intros. 
  destruct (List.in_dec why_decidable_eq e lint); eauto.
}
destruct H2 as [l1_lint [Hdupl1_lint Heql1_lint]].
assert (List.length l1_lint = List.length l1 - List.length lint).
{
  eapply length_prop; eauto. apply why_decidable_eq.
  intro. intros. eapply Heqs2. eapply Heq_int in H2.
  eapply set.Set.inter'def in H2. intuition.
}
assert (exists l2_lint, List.NoDup l2_lint /\
  forall e, List.In e l2_lint <-> (List.In e l2 /\ not (List.In e lint))).
{
  eapply NoDup_exists. eapply why_decidable_eq. intros. 
  destruct (List.in_dec why_decidable_eq e lint); eauto.
}
destruct H3 as [l2_lint [Hdupl2_lint Heql2_lint]].
assert (List.length l2_lint = List.length l2 - List.length lint).
{
  eapply length_prop; eauto. apply why_decidable_eq.
  intro. intros. eapply Heqs1. eapply Heq_int in H3.
  eapply set.Set.inter'def in H3. intuition.
}
assert (List.NoDup (List.app l1_lint l2_lint) /\
  forall e, List.In e lun_lint <-> List.In e (List.app l1_lint l2_lint)).
{
  split. 
  - eapply NoDup_app; eauto. 
    + intros. rewrite Heql2_lint. eapply Heql1_lint in H4.
      rewrite Heqs2 in H4. rewrite Heq_int in H4. rewrite Heq_int.
      rewrite Heqs1. rewrite set.Set.inter'def in H4. rewrite set.Set.inter'def.
      unfold set.Set.mem in *. intuition.
  - intros. rewrite List.in_app_iff. rewrite Heqlun_lint.
  rewrite Heql1_lint. rewrite Heql2_lint. rewrite Heq_un, Heqs2, Heqs1, Heq_int.
  rewrite set.Set.union'def. rewrite set.Set.inter'def. unfold set.Set.mem.
  clear - s1. intuition.
}
assert (List.length (List.app l1_lint l2_lint) = List.length lun_lint).
{
  assert (List.length (List.app l1_lint l2_lint) <= List.length lun_lint).
  eapply List.NoDup_incl_length; intuition. intro. apply H6.
  assert (List.length (List.app l1_lint l2_lint) >= List.length lun_lint).
  eapply List.NoDup_incl_length; intuition. intro. apply H7.
  lia.
}

assert (length l1 >= length lint).
{
  eapply List.NoDup_incl_length; intuition. intros e Hincl. eapply Heq_int in Hincl.
  eapply Heqs2. eapply set.Set.inter'def in Hincl. intuition.
}
assert (length l2 >= length lint).
{
  eapply List.NoDup_incl_length; intuition. intros e Hincl. eapply Heq_int in Hincl.
  eapply Heqs1. eapply set.Set.inter'def in Hincl. intuition.
}
assert (length lun >= length lint).
{
  eapply List.NoDup_incl_length; intuition. intros e Hincl. eapply Heq_int in Hincl.
  eapply Heq_un. eapply set.Set.inter'def in Hincl. eapply set.Set.union'def. intuition.
}
rewrite List.app_length in H5. lia.
Qed.

(* Why3 goal *)
Lemma cardinal_inter_disjoint {a:Type} {a_WT:WhyType a} :
  forall (s1:a -> Init.Datatypes.bool) (s2:a -> Init.Datatypes.bool),
  set.Set.disjoint s1 s2 -> ((cardinal (set.Set.inter s1 s2)) = 0%Z).
Proof.
intros s1 s2 h1.
eapply set.Set.disjoint_inter_empty in h1.
unfold set.Set.is_empty, set.Set.mem in h1.
unfold cardinal.
destruct ClassicalEpsilon.excluded_middle_informative; [| intuition].
destruct ClassicalEpsilon.classical_indefinite_description.
specialize (a0 i). destruct a0.
destruct x. reflexivity.
destruct (h1 a0). eapply H0. left. reflexivity.
Qed.

(* Why3 goal *)
Lemma cardinal_diff {a:Type} {a_WT:WhyType a} :
  forall (s1:a -> Init.Datatypes.bool) (s2:a -> Init.Datatypes.bool),
  is_finite s1 ->
  ((cardinal (set.Set.diff s1 s2)) =
   ((cardinal s1) - (cardinal (set.Set.inter s1 s2)))%Z).
Proof.
intros s1 s2 h1.
assert (is_finite (set.Set.inter s1 s2)). { apply is_finite_inter_left; eauto. }
assert (is_finite (set.Set.diff s1 s2)). { apply is_finite_diff; eauto. }
unfold cardinal.
(* Remove classical epsilon noise *)
destruct ClassicalEpsilon.excluded_middle_informative; [| intuition].
destruct ClassicalEpsilon.classical_indefinite_description.
destruct ClassicalEpsilon.excluded_middle_informative; [| intuition].
destruct ClassicalEpsilon.classical_indefinite_description.
destruct ClassicalEpsilon.excluded_middle_informative; [| intuition].
destruct ClassicalEpsilon.classical_indefinite_description.
specialize (a0 i). specialize (a1 i0). specialize (a2 i1).
destruct a0, a1, a2.
assert (List.length x = List.length x0 - List.length x1).
{
  eapply length_prop; eauto.
  - apply why_decidable_eq.
  - intros e Hin. eapply H6 in Hin. eapply H4. eapply set.Set.inter'def in Hin.
    apply Hin.
  - intros. rewrite H6. rewrite H4. rewrite H2. rewrite set.Set.diff'def.
    rewrite set.Set.inter'def. intuition.
}
assert (List.length x0 >= List.length x1).
eapply List.NoDup_incl_length; intuition.
{
  intros e Hincl. eapply H4. eapply H6 in Hincl. rewrite set.Set.inter'def in Hincl.
  intuition.
}
lia.
Qed.

(* Why3 goal *)
Lemma cardinal_map {a:Type} {a_WT:WhyType a} {b:Type} {b_WT:WhyType b} :
  forall (f:a -> b) (s:a -> Init.Datatypes.bool), is_finite s ->
  ((cardinal (set.Set.map f s)) <= (cardinal s))%Z.
Proof.
intros f s h1.
assert (is_finite (set.Set.map f s)). { eapply is_finite_map. assumption. }
unfold cardinal.
(* Remove classical epsilon noise *)
destruct ClassicalEpsilon.excluded_middle_informative; [| intuition].
destruct ClassicalEpsilon.classical_indefinite_description.
destruct ClassicalEpsilon.excluded_middle_informative; [| intuition].
destruct ClassicalEpsilon.classical_indefinite_description.
specialize (a0 i). specialize (a1 i0).
destruct a0, a1.
assert (List.length x <= List.length x0).
{
  eapply le_trans with (List.length (List.map f x0)).
  - assert (List.incl x (List.map f x0)).
    { intro. intros. eapply H1 in H4. rewrite set.Set.map'def in H4.
      destruct H4. destruct H4. subst.
      eapply List.in_map. eapply H3; eauto.
    }
    eapply List.NoDup_incl_length; eauto.
  - rewrite List.map_length; eauto.
}
lia.
Qed.

(* Why3 goal *)
Lemma cardinal_product {a:Type} {a_WT:WhyType a} {b:Type} {b_WT:WhyType b} :
  forall (s1:a -> Init.Datatypes.bool) (s2:b -> Init.Datatypes.bool),
  is_finite s1 -> is_finite s2 ->
  ((cardinal (set.Set.product s1 s2)) = ((cardinal s1) * (cardinal s2))%Z).
Proof.
  intros s1 s2 h1 h2.
  destruct h1 as [l1 [ndl1 h1]].
  destruct h2 as [l2 [ndl2 h2]].
  remember (List.list_prod l1 l2) as l.
  assert (List.NoDup l).
  rewrite Heql. apply nodup_prod; assumption.
  assert (forall e, List.In e l <-> set.Set.product s1 s2 e = true).
  intro e. fold (set.Set.mem e (set.Set.product s1 s2)).
  destruct e as [x1 x2]. rewrite set.Set.product_def.
  rewrite Heql. rewrite List.in_prod_iff, h1, h2.
  intuition.
  rewrite cardinal_list with l (set.Set.product s1 s2); [|assumption|assumption].
  rewrite cardinal_list with l1 s1; [|assumption|assumption].
  rewrite cardinal_list with l2 s2; [|assumption|assumption].
  rewrite Heql. rewrite List.prod_length.
  rewrite Nat2Z.inj_mul. reflexivity.
Qed.

why3-1.6.0/lib/coq/set/Fset.v000066400000000000000000000370171440160026300156270ustar00rootroot00000000000000(********************************************************************)
(*                                                                  *)
(*  The Why3 Verification Platform   /   The Why3 Development Team  *)
(*  Copyright 2010-2023 --  Inria - CNRS - Paris-Saclay University  *)
(*                                                                  *)
(*  This software is distributed under the terms of the GNU Lesser  *)
(*  General Public License version 2.1, with the special exception  *)
(*  on linking described in file LICENSE.                           *)
(*                                                                  *)
(********************************************************************)

(* This file is generated by Why3's Coq-realize driver *)
(* Beware! Only edit allowed sections below    *)
Require Import BuiltIn.
Require BuiltIn.
Require HighOrd.
Require int.Int.

Require Import ClassicalEpsilon Lia.
Require Logic.ProofIrrelevance.
Require set.Set set.Cardinal.

(* Why3 goal *)
Definition fset : forall (a:Type), Type.
Proof.
intros.
(* "apply (sig Cardinal.is_finite)." is not possible: a is not Why3Type *) 
apply (sig (fun (f: a -> bool) => exists l: List.list a, List.NoDup l /\ forall e, List.In e l <-> f e = true)).
Defined.

Global Instance set_WhyType : forall (a:Type) {a_WT:WhyType a}, WhyType (fset a).
Proof.
intros.
split.
exists (fun _ => false).
exists nil. split; [ apply List.NoDup_nil | intuition; discriminate H ].
intros x y.
apply excluded_middle_informative.
Qed.

(* Why3 goal *)
Definition mem {a:Type} {a_WT:WhyType a} : a -> fset a -> Prop.
Proof.
intros. destruct X0 as (f, P).
apply (set.Set.mem X f).
Defined.

(* Why3 assumption *)
Definition infix_eqeq {a:Type} {a_WT:WhyType a} (s1:fset a) (s2:fset a) :
    Prop :=
  forall (x:a), mem x s1 <-> mem x s2.

(* Why3 goal *)
Lemma extensionality {a:Type} {a_WT:WhyType a} :
  forall (s1:fset a) (s2:fset a), infix_eqeq s1 s2 -> (s1 = s2).
Proof.
intros s1 s2 h1.
unfold infix_eqeq in h1. unfold mem in h1.
destruct s1, s2.
assert (x = x0).
eapply set.Set.extensionality. intro. eauto.
subst.
assert (e = e0).
(* TODO maybe provable on such property ? *)
apply Logic.ProofIrrelevance.proof_irrelevance.
subst. reflexivity.
Qed.

(* Why3 assumption *)
Definition subset {a:Type} {a_WT:WhyType a} (s1:fset a) (s2:fset a) : Prop :=
  forall (x:a), mem x s1 -> mem x s2.

(* Why3 goal *)
Lemma subset_refl {a:Type} {a_WT:WhyType a} : forall (s:fset a), subset s s.
Proof.
intros s.
destruct s. eapply set.Set.subset_refl.
Qed.

(* Why3 goal *)
Lemma subset_trans {a:Type} {a_WT:WhyType a} :
  forall (s1:fset a) (s2:fset a) (s3:fset a), subset s1 s2 -> subset s2 s3 ->
  subset s1 s3.
Proof.
intros s1 s2 s3 h1 h2.
destruct s1, s2, s3.
eapply set.Set.subset_trans; eauto.
Qed.

(* Why3 assumption *)
Definition is_empty {a:Type} {a_WT:WhyType a} (s:fset a) : Prop :=
  forall (x:a), ~ mem x s.

(* Why3 goal *)
Definition empty {a:Type} {a_WT:WhyType a} : fset a.
Proof.
exists (fun x => false). 
apply Cardinal.is_finite_empty. unfold set.Set.is_empty.
unfold set.Set.mem. intuition.
Defined.

(* Why3 goal *)
Lemma is_empty_empty {a:Type} {a_WT:WhyType a} : is_empty (empty : fset a).
Proof.
unfold empty, is_empty, mem, set.Set.mem. intuition.
Qed.

(* Why3 goal *)
Lemma empty_is_empty {a:Type} {a_WT:WhyType a} :
  forall (s:fset a), is_empty s -> (s = (empty : fset a)).
Proof.
intros s h1.
eapply extensionality. intro. unfold empty, is_empty, mem, set.Set.mem in *.
destruct s. intuition. destruct (h1 _ H). 
Qed.

(* Why3 goal *)
Definition add {a:Type} {a_WT:WhyType a} : a -> fset a -> fset a.
Proof.
intros e f.
destruct f as (f, H).
exists (map.Map.set f e true).
apply Cardinal.is_finite_add. assumption.
Defined.

(* Why3 goal *)
Lemma add_def {a:Type} {a_WT:WhyType a} :
  forall (x:a) (s:fset a) (y:a), mem y (add x s) <-> mem y s \/ (y = x).
Proof.
intros x s y.
unfold mem. unfold add. destruct s.
unfold Map.set, set.Set.mem. destruct why_decidable_eq; intuition.
Qed.

(* Why3 goal *)
Lemma mem_singleton {a:Type} {a_WT:WhyType a} :
  forall (x:a) (y:a), mem y (add x (empty : fset a)) -> (y = x).
Proof.
intros x y h1.
unfold empty, mem, add, Map.set, set.Set.mem in *.
destruct why_decidable_eq; inversion h1; eauto.
Qed.

(* Why3 goal *)
Definition remove {a:Type} {a_WT:WhyType a} : a -> fset a -> fset a.
Proof.
intros e f.
destruct f as (f, H).
exists (Map.set f e false). eapply Cardinal.is_finite_remove.
assumption.
Defined.

(* Why3 goal *)
Lemma remove_def {a:Type} {a_WT:WhyType a} :
  forall (x:a) (s:fset a) (y:a), mem y (remove x s) <-> mem y s /\ ~ (y = x).
Proof.
intros x s y.
unfold mem, remove, set.Set.mem, Map.set. destruct s.
destruct why_decidable_eq; intuition.
Qed.

(* Why3 goal *)
Lemma add_remove {a:Type} {a_WT:WhyType a} :
  forall (x:a) (s:fset a), mem x s -> ((add x (remove x s)) = s).
Proof.
intros x s h1.
apply extensionality.
intro.
unfold mem, add, remove, mem in *.
destruct s.
rewrite set.Set.add_remove; eauto.
reflexivity.
Qed.

(* Why3 goal *)
Lemma remove_add {a:Type} {a_WT:WhyType a} :
  forall (x:a) (s:fset a), ((remove x (add x s)) = (remove x s)).
Proof.
intros x s.
apply extensionality.
intro.
unfold mem, add, remove in *.
destruct s.
rewrite set.Set.remove_add; eauto.
reflexivity.
Qed.

(* Why3 goal *)
Lemma subset_remove {a:Type} {a_WT:WhyType a} :
  forall (x:a) (s:fset a), subset (remove x s) s.
Proof.
intros x s.
unfold mem, remove in *.
destruct s.
apply set.Set.subset_remove; eauto.
Qed.

(* Why3 goal *)
Definition union {a:Type} {a_WT:WhyType a} : fset a -> fset a -> fset a.
Proof.
intros f1 f2.
destruct f1 as (f1, H1).
destruct f2 as (f2, H2).
exists (set.Set.union f1 f2). eapply Cardinal.is_finite_union; eauto.
Defined.

(* Why3 goal *)
Lemma union_def {a:Type} {a_WT:WhyType a} :
  forall (s1:fset a) (s2:fset a) (x:a),
  mem x (union s1 s2) <-> mem x s1 \/ mem x s2.
Proof.
intros s1 s2 x.
unfold mem, union.
destruct s1, s2.
eapply set.Set.union'def.
Qed.

(* Why3 goal *)
Lemma subset_union_1 {a:Type} {a_WT:WhyType a} :
  forall (s1:fset a) (s2:fset a), subset s1 (union s1 s2).
Proof.
intros s1 s2.
unfold mem, union.
destruct s1, s2.
eapply set.Set.subset_union_1.
Qed.

(* Why3 goal *)
Lemma subset_union_2 {a:Type} {a_WT:WhyType a} :
  forall (s1:fset a) (s2:fset a), subset s2 (union s1 s2).
Proof.
intros s1 s2.
unfold mem, union.
destruct s1, s2.
eapply set.Set.subset_union_2.
Qed.

(* Why3 goal *)
Definition inter {a:Type} {a_WT:WhyType a} : fset a -> fset a -> fset a.
Proof.
intros f1 f2.
destruct f1 as (f1, H1).
destruct f2 as (f2, H2).
exists (set.Set.inter f1 f2). eapply Cardinal.is_finite_inter_left; eauto.
Defined.

(* Why3 goal *)
Lemma inter_def {a:Type} {a_WT:WhyType a} :
  forall (s1:fset a) (s2:fset a) (x:a),
  mem x (inter s1 s2) <-> mem x s1 /\ mem x s2.
Proof.
intros s1 s2 x.
unfold mem, inter.
destruct s1, s2.
eapply set.Set.inter'def.
Qed.

(* Why3 goal *)
Lemma subset_inter_1 {a:Type} {a_WT:WhyType a} :
  forall (s1:fset a) (s2:fset a), subset (inter s1 s2) s1.
Proof.
intros s1 s2.
unfold mem, inter.
destruct s1, s2.
eapply set.Set.subset_inter_1.
Qed.

(* Why3 goal *)
Lemma subset_inter_2 {a:Type} {a_WT:WhyType a} :
  forall (s1:fset a) (s2:fset a), subset (inter s1 s2) s2.
Proof.
intros s1 s2.
unfold mem, inter.
destruct s1, s2.
eapply set.Set.subset_inter_2.
Qed.

(* Why3 goal *)
Definition diff {a:Type} {a_WT:WhyType a} : fset a -> fset a -> fset a.
Proof.
intros f1 f2.
destruct f1 as (f1, H1).
destruct f2 as (f2, H2).
exists (set.Set.diff f1 f2). eapply Cardinal.is_finite_diff; eauto.
Defined.

(* Why3 goal *)
Lemma diff_def {a:Type} {a_WT:WhyType a} :
  forall (s1:fset a) (s2:fset a) (x:a),
  mem x (diff s1 s2) <-> mem x s1 /\ ~ mem x s2.
Proof.
intros s1 s2 x.
unfold mem, diff.
destruct s1, s2.
eapply set.Set.diff'def.
Qed.

(* Why3 goal *)
Lemma subset_diff {a:Type} {a_WT:WhyType a} :
  forall (s1:fset a) (s2:fset a), subset (diff s1 s2) s1.
Proof.
intros s1 s2.
unfold mem, diff.
destruct s1, s2.
eapply set.Set.subset_diff.
Qed.

(* Why3 goal *)
Definition pick {a:Type} {a_WT:WhyType a} : fset a -> a.
Proof.
intros f.
destruct f as (f, H).
apply (set.Set.pick f).
Defined.

(* Why3 goal *)
Lemma pick_def {a:Type} {a_WT:WhyType a} :
  forall (s:fset a), ~ is_empty s -> mem (pick s) s.
Proof.
intros s h1.
unfold mem, pick.
destruct s.
eapply set.Set.pick_def.
intuition.
Qed.

(* Why3 assumption *)
Definition disjoint {a:Type} {a_WT:WhyType a} (s1:fset a) (s2:fset a) : Prop :=
  forall (x:a), ~ mem x s1 \/ ~ mem x s2.

(* Why3 goal *)
Lemma disjoint_inter_empty {a:Type} {a_WT:WhyType a} :
  forall (s1:fset a) (s2:fset a), disjoint s1 s2 <-> is_empty (inter s1 s2).
Proof.
intros s1 s2.
unfold disjoint, mem, is_empty, inter.
destruct s1, s2.
simpl. eapply set.Set.disjoint_inter_empty.
Qed.

(* Why3 goal *)
Lemma disjoint_diff_eq {a:Type} {a_WT:WhyType a} :
  forall (s1:fset a) (s2:fset a), disjoint s1 s2 <-> ((diff s1 s2) = s1).
Proof.
intros s1 s2.
split; intros.
- apply extensionality. intro.
  unfold diff, disjoint, mem, is_empty, inter in *.
  destruct s1, s2.
  eapply set.Set.disjoint_diff_eq in H. rewrite H. reflexivity.
- assert (forall e, mem e (diff s1 s2) <-> mem e s1).
  rewrite H. intuition.
  clear H.
  unfold diff, disjoint, mem, is_empty, inter in *.
  destruct s1, s2.
  intros. apply set.Set.disjoint_diff_eq.
  apply set.Set.extensionality. intro. eapply H0.
Qed.

(* Why3 goal *)
Lemma disjoint_diff_s2 {a:Type} {a_WT:WhyType a} :
  forall (s1:fset a) (s2:fset a), disjoint (diff s1 s2) s2.
Proof.
intros s1 s2.
unfold disjoint, mem, is_empty, inter.
destruct s1, s2.
eapply set.Set.disjoint_diff_s2.
Qed.

Lemma filter_NoDup: forall {A} (l: list A) f, List.NoDup l -> List.NoDup (List.filter f l).
Proof.
induction l; intros.
- constructor.
- simpl. destruct (f a); eauto. econstructor; eauto.
  rewrite List.filter_In. intro. inversion H. intuition.
  eapply IHl; eauto. inversion H; eauto.
  eapply IHl. inversion H; eauto.
Qed.

(* Why3 goal *)
Definition filter {a:Type} {a_WT:WhyType a} :
  fset a -> (a -> Init.Datatypes.bool) -> fset a.
Proof.
intros s filter.
destruct s as (f, H).
exists (fun x => filter x && f x)%bool.
destruct H as (l, Hl).
exists (List.filter filter l).
split.
apply filter_NoDup; eauto. apply Hl.
intros.
rewrite List.filter_In. rewrite Bool.andb_true_iff. destruct Hl. rewrite H0. intuition.
Defined.

(* Why3 goal *)
Lemma filter_def {a:Type} {a_WT:WhyType a} :
  forall (s:fset a) (p:a -> Init.Datatypes.bool) (x:a),
  mem x (filter s p) <-> mem x s /\ ((p x) = Init.Datatypes.true).
Proof.
intros s p x.
unfold mem, filter.
destruct s. unfold set.Set.mem.
rewrite Bool.andb_true_iff. intuition.
Qed.

(* Why3 goal *)
Lemma subset_filter {a:Type} {a_WT:WhyType a} :
  forall (s:fset a) (p:a -> Init.Datatypes.bool), subset (filter s p) s.
Proof.
intros s p.
unfold subset, filter, mem, set.Set.mem.
destruct s.
intros.
rewrite Bool.andb_true_iff in H. intuition.
Qed.

(* Why3 goal *)
Definition map {a:Type} {a_WT:WhyType a} {b:Type} {b_WT:WhyType b} :
  (a -> b) -> fset a -> fset b.
Proof.
intros map fs.
destruct fs as (fs, H).
exists (set.Set.map map fs).
eapply Cardinal.is_finite_map.
assumption.
Defined.

(* Why3 goal *)
Lemma map_def {a:Type} {a_WT:WhyType a} {b:Type} {b_WT:WhyType b} :
  forall (f:a -> b) (u:fset a) (y:b),
  mem y (map f u) <-> (exists x:a, mem x u /\ (y = (f x))).
Proof.
intros f u y.
unfold map, mem.
destruct u.
eapply set.Set.map'def.
Qed.

(* Why3 goal *)
Lemma mem_map {a:Type} {a_WT:WhyType a} {b:Type} {b_WT:WhyType b} :
  forall (f:a -> b) (u:fset a), forall (x:a), mem x u -> mem (f x) (map f u).
Proof.
intros f u x h1.
unfold map, mem.
destruct u.
eapply set.Set.mem_map.
assumption.
Qed.

(* Why3 goal *)
Definition cardinal {a:Type} {a_WT:WhyType a} : fset a -> Numbers.BinNums.Z.
Proof.
intros fs.
destruct fs as (fs, H).
eapply (Cardinal.cardinal fs).
Defined.

(* Why3 goal *)
Lemma cardinal_nonneg {a:Type} {a_WT:WhyType a} :
  forall (s:fset a), (0%Z <= (cardinal s))%Z.
Proof.
intros s.
unfold cardinal. destruct s.
eapply Cardinal.cardinal_nonneg.
Qed.

(* Why3 goal *)
Lemma cardinal_empty {a:Type} {a_WT:WhyType a} :
  forall (s:fset a), is_empty s <-> ((cardinal s) = 0%Z).
Proof.
intros s.
unfold cardinal. destruct s.
eapply Cardinal.cardinal_empty.
assumption.
Qed.

(* Why3 goal *)
Lemma cardinal_add {a:Type} {a_WT:WhyType a} :
  forall (x:a), forall (s:fset a),
  (mem x s -> ((cardinal (add x s)) = (cardinal s))) /\
  (~ mem x s -> ((cardinal (add x s)) = ((cardinal s) + 1%Z)%Z)).
Proof.
intros x s.
unfold cardinal. destruct s.
eapply Cardinal.cardinal_add.
assumption.
Qed.

(* Why3 goal *)
Lemma cardinal_remove {a:Type} {a_WT:WhyType a} :
  forall (x:a), forall (s:fset a),
  (mem x s -> ((cardinal (remove x s)) = ((cardinal s) - 1%Z)%Z)) /\
  (~ mem x s -> ((cardinal (remove x s)) = (cardinal s))).
Proof.
intros x s.
unfold cardinal. destruct s.
eapply Cardinal.cardinal_remove.
assumption.
Qed.

(* Why3 goal *)
Lemma cardinal_subset {a:Type} {a_WT:WhyType a} :
  forall (s1:fset a) (s2:fset a), subset s1 s2 ->
  ((cardinal s1) <= (cardinal s2))%Z.
Proof.
intros s1 s2 h1.
unfold cardinal. destruct s1, s2.
eapply Cardinal.cardinal_subset; assumption.
Qed.

(* Why3 goal *)
Lemma subset_eq {a:Type} {a_WT:WhyType a} :
  forall (s1:fset a) (s2:fset a), subset s1 s2 ->
  ((cardinal s1) = (cardinal s2)) -> (s1 = s2).
Proof.
intros s1 s2 h1 h2.
apply extensionality. intro.
unfold cardinal, subset, mem in *.
destruct s1, s2.
eapply Cardinal.subset_eq in h2; eauto.
rewrite h2. reflexivity.
Qed.

(* Why3 goal *)
Lemma cardinal1 {a:Type} {a_WT:WhyType a} :
  forall (s:fset a), ((cardinal s) = 1%Z) -> forall (x:a), mem x s ->
  (x = (pick s)).
Proof.
intros s h1 x h2.
unfold mem, pick in *.
destruct s.
eapply Cardinal.cardinal1; eauto.
Qed.

(* Why3 goal *)
Lemma cardinal_union {a:Type} {a_WT:WhyType a} :
  forall (s1:fset a) (s2:fset a),
  ((cardinal (union s1 s2)) =
   (((cardinal s1) + (cardinal s2))%Z - (cardinal (inter s1 s2)))%Z).
Proof.
intros s1 s2.
unfold cardinal, union, inter in *.
destruct s1, s2.
eapply Cardinal.cardinal_union; eauto.
Qed.

(* Why3 goal *)
Lemma cardinal_inter_disjoint {a:Type} {a_WT:WhyType a} :
  forall (s1:fset a) (s2:fset a), disjoint s1 s2 ->
  ((cardinal (inter s1 s2)) = 0%Z).
Proof.
intros s1 s2 h1.
unfold cardinal, inter, disjoint, mem in *.
destruct s1, s2.
eapply Cardinal.cardinal_inter_disjoint; eauto.
Qed.

(* Why3 goal *)
Lemma cardinal_diff {a:Type} {a_WT:WhyType a} :
  forall (s1:fset a) (s2:fset a),
  ((cardinal (diff s1 s2)) = ((cardinal s1) - (cardinal (inter s1 s2)))%Z).
Proof.
intros s1 s2.
unfold cardinal, inter, disjoint, mem in *.
destruct s1, s2.
eapply Cardinal.cardinal_diff; eauto.
Qed.

(* Why3 goal *)
Lemma cardinal_filter {a:Type} {a_WT:WhyType a} :
  forall (s:fset a) (p:a -> Init.Datatypes.bool),
  ((cardinal (filter s p)) <= (cardinal s))%Z.
Proof.
intros s p.
unfold cardinal, filter in *.
destruct s.
unfold Cardinal.cardinal.

destruct ClassicalEpsilon.excluded_middle_informative; [| intuition].
- destruct ClassicalEpsilon.classical_indefinite_description.
  destruct ClassicalEpsilon.excluded_middle_informative; [| intuition].
  destruct ClassicalEpsilon.classical_indefinite_description.
  specialize (a1 i0). specialize (a0 i).
  destruct a0, a1.
  assert (length x0 <= length x1).
  {
   eapply List.NoDup_incl_length; eauto.
   intro. intros. rewrite H2. rewrite H0 in H3. rewrite Bool.andb_true_iff in H3.
   apply H3.
  }
  lia.
- destruct ClassicalEpsilon.classical_indefinite_description.
  destruct ClassicalEpsilon.excluded_middle_informative; [| intuition].
  unfold Z.zero. lia.
Qed.

(* Why3 goal *)
Lemma cardinal_map {a:Type} {a_WT:WhyType a} {b:Type} {b_WT:WhyType b} :
  forall (f:a -> b) (s:fset a), ((cardinal (map f s)) <= (cardinal s))%Z.
Proof.
intros f s.
unfold cardinal, inter, disjoint, mem in *.
destruct s.
eapply Cardinal.cardinal_map; eauto.
Qed.

why3-1.6.0/lib/coq/set/FsetInduction.v000066400000000000000000000025631440160026300175020ustar00rootroot00000000000000(********************************************************************)
(*                                                                  *)
(*  The Why3 Verification Platform   /   The Why3 Development Team  *)
(*  Copyright 2010-2023 --  Inria - CNRS - Paris-Saclay University  *)
(*                                                                  *)
(*  This software is distributed under the terms of the GNU Lesser  *)
(*  General Public License version 2.1, with the special exception  *)
(*  on linking described in file LICENSE.                           *)
(*                                                                  *)
(********************************************************************)

(* This file is generated by Why3's Coq-realize driver *)
(* Beware! Only edit allowed sections below    *)
Require Import BuiltIn.
Require BuiltIn.
Require HighOrd.
Require int.Int.
Require set.Fset.

(* Why3 goal *)
Definition t : Type.
Proof.
(* Example bool *)
apply bool.
Defined.

(* Why3 goal *)
Definition p : set.Fset.fset t -> Prop.
Proof.
intros f.
apply True.
Defined.

(* Why3 goal *)
Lemma Induction :
  (forall (s:set.Fset.fset t), set.Fset.is_empty s -> p s) ->
  (forall (s:set.Fset.fset t), p s -> (forall (t1:t), p (set.Fset.add t1 s))) ->
  forall (s:set.Fset.fset t), p s.
Proof.
intros h1 h2 s.
(* TODO make something interesting *)
unfold p. constructor.
Qed.

why3-1.6.0/lib/coq/set/FsetInt.v000066400000000000000000000201231440160026300162700ustar00rootroot00000000000000(********************************************************************)
(*                                                                  *)
(*  The Why3 Verification Platform   /   The Why3 Development Team  *)
(*  Copyright 2010-2023 --  Inria - CNRS - Paris-Saclay University  *)
(*                                                                  *)
(*  This software is distributed under the terms of the GNU Lesser  *)
(*  General Public License version 2.1, with the special exception  *)
(*  on linking described in file LICENSE.                           *)
(*                                                                  *)
(********************************************************************)

(* This file is generated by Why3's Coq-realize driver *)
(* Beware! Only edit allowed sections below    *)
Require Import BuiltIn.
Require BuiltIn.
Require HighOrd.
Require int.Int.
Require set.Fset.

Require Import Lia.

(* Why3 goal *)
Definition min_elt : set.Fset.fset Numbers.BinNums.Z -> Numbers.BinNums.Z.
Proof.
intros.
destruct X as (fs, H).
(* We use the list to define the algorithm *)
eapply ClassicalEpsilon.constructive_indefinite_description in H.
destruct H as (l, Hl).
destruct l.
- apply Z.zero. (* If the list is empty the result is unspecified *)
- apply (List.fold_left (fun acc x => if Z_le_dec acc x then acc else x) l z).
Defined.

(* Why3 goal *)
Lemma min_elt_def :
  forall (s:set.Fset.fset Numbers.BinNums.Z), ~ set.Fset.is_empty s ->
  set.Fset.mem (min_elt s) s /\
  (forall (x:Numbers.BinNums.Z), set.Fset.mem x s -> ((min_elt s) <= x)%Z).
Proof.
intros s h1.
unfold min_elt, Fset.is_empty, Fset.mem, set.Set.mem in *. 
destruct s. simpl.
destruct ClassicalEpsilon.constructive_indefinite_description as [l [Hdupl Heql]].
destruct l.
{ destruct h1. intros. intro. apply Heql in H. destruct H. }
assert (forall l z,
  forall x, List.In x l -> List.fold_left (fun x1 acc : int => if Z_le_dec x1 acc then x1 else acc) l z <= x)%Z.
{
induction l0; intros.
{ destruct H. }
assert (forall l z, List.fold_left (fun x1 acc : int => if Z_le_dec x1 acc then x1 else acc) l z <= z)%Z.
{
  induction l1; intros; simpl; eauto. lia.
  simpl. destruct Z_le_dec. eauto. eapply Z.le_trans with a0; eauto. lia.
}
simpl. destruct Z_le_dec.
destruct (Z_le_dec z0 x0).
eapply Z.le_trans with z0. eapply H0. assumption.
simpl in H. destruct H.  subst. lia.
eapply IHl0; eauto.

destruct (Z_le_dec a x0).
eapply Z.le_trans with a. eapply H0. assumption.
simpl in H. destruct H. subst. lia.
eapply IHl0; eauto.
}

assert (forall l z, List.In (List.fold_left (fun x acc => if Z_le_dec x acc then x else acc) l z) l \/
  List.fold_left (fun x acc => if Z_le_dec x acc then x else acc) l z = z).
{
  induction l0; intros.
  + simpl. right. reflexivity.
  + simpl. destruct Z_le_dec.
    - specialize (IHl0 z0). intuition.
    - specialize (IHl0 a). intuition.
}

split.
rewrite <- Heql. simpl. specialize (H0 l z). intuition.

intros. eapply Heql in H1. eapply (H (List.cons z l) z) in H1; eauto. simpl in H1.
destruct Z_le_dec. assumption.
lia.
Qed.

(* Why3 goal *)
Definition max_elt : set.Fset.fset Numbers.BinNums.Z -> Numbers.BinNums.Z.
Proof.
intros.
apply (- min_elt (Fset.map (fun x => - x) X))%Z.
Defined.

(* Why3 goal *)
Lemma max_elt_def :
  forall (s:set.Fset.fset Numbers.BinNums.Z), ~ set.Fset.is_empty s ->
  set.Fset.mem (max_elt s) s /\
  (forall (x:Numbers.BinNums.Z), set.Fset.mem x s -> (x <= (max_elt s))%Z).
Proof.
intros s h1.
unfold max_elt.
assert (~ Fset.is_empty (Fset.map (fun x : int => (- x)%Z) s))%Z.
{ unfold Fset.is_empty in *.
intro. destruct h1. intros. intro. specialize (H (-x)%Z).
apply H. eapply Fset.mem_map. assumption.
}
specialize (min_elt_def (Fset.map (fun x => -x)%Z s) H).
intros. destruct H0.
split.
clear H1 H h1.
rewrite Fset.map_def in H0. destruct H0.
destruct H. rewrite H0. replace ( - - x)%Z with x. assumption.
ring.

intros. clear H0. clear h1 H.
assert (min_elt (Fset.map (fun x => - x) s) <= -x)%Z.
{
  eapply H1; eauto. apply Fset.mem_map. assumption.
}
lia.
Qed.

Fixpoint seqZ l len : list Numbers.BinNums.Z :=
  match len with
  | S n => List.cons l (seqZ (l + 1)%Z n)
  | O => List.nil
  end.

Lemma seqZ_le: forall len x l, List.In x (seqZ l len) -> (l <= x)%Z.
Proof.
induction len; simpl; intuition.
eapply IHlen in H0; intuition.
Qed.

Lemma seqZ_le2: forall len x l, List.In x (seqZ l len) -> (x < l + Z.of_nat len)%Z.
Proof.
induction len; simpl; intuition idtac.
- subst. lia.
- eapply IHlen in H0. lia.
Qed.

Lemma seqZ_rev: forall len x l, (l <= x < l + Z.of_nat len)%Z -> List.In x (seqZ l len).
Proof.
induction len; intros; simpl in *.
+ lia.
+ destruct (Z.eq_dec l x); eauto.
  right. eapply IHlen; eauto. lia.
Qed.

Lemma seqZ_In_iff: forall l len x, List.In x (seqZ l len) <-> (l <= x <  l + Z.of_nat len)%Z.
Proof.
split.
intros. eauto using seqZ_le, seqZ_le2.
eapply seqZ_rev.
Qed.

Lemma seqZ_NoDup: forall len l, List.NoDup (seqZ l len).
Proof.
induction len; intros.
+ constructor.
+ simpl. constructor; eauto.
  intro Habs. eapply seqZ_le in Habs. lia.
Qed.

Lemma seqZ_length: forall len l, List.length (seqZ l len) = len.
Proof.
induction len; eauto.
intros. simpl. rewrite IHlen. reflexivity.
Qed.

Lemma interval_proof :
  forall l r : int, exists s : list int,
  List.NoDup s /\
  forall e : int, List.In e s <->
   (if Z_le_dec l e then if Z_lt_dec e r then true else false else false) = true.
Proof.
intros l r.
destruct (Z_le_dec l r).
+ exists (seqZ l (Z.to_nat (r - l))%Z).
  split. 
  - eapply seqZ_NoDup.
  - intros.
    rewrite seqZ_In_iff.
    rewrite Z2Nat.id; [|lia].
    destruct Z_le_dec.
    * destruct Z_lt_dec. split; intros; [reflexivity|].
      intuition.
      intuition ; try inversion H.
    * intuition ; try inversion H.
+ exists List.nil. 
  split.
  - constructor.
  - intros.
    destruct Z_le_dec; try destruct Z_lt_dec; intuition.
    lia.
    inversion H.
    inversion H.
Qed.

(* Why3 goal *)
Definition interval :
  Numbers.BinNums.Z -> Numbers.BinNums.Z -> set.Fset.fset Numbers.BinNums.Z.
Proof.
intros l r.
exists (fun x =>
  if Z_le_dec l x then
    if Z_lt_dec x r then true else false
  else false).
apply interval_proof.
Defined.

(* Why3 goal *)
Lemma interval_def :
  forall (l:Numbers.BinNums.Z) (r:Numbers.BinNums.Z) (x:Numbers.BinNums.Z),
  set.Fset.mem x (interval l r) <-> (l <= x)%Z /\ (x < r)%Z.
Proof.
intros l r x.
unfold interval, Fset.mem, set.Set.mem.
destruct Z_le_dec; try destruct Z_lt_dec; intuition; try inversion H.
Qed.

Lemma interval_is_finite: forall l r, 
  Cardinal.is_finite (fun x : int => 
    if Z_le_dec l x then if Z_lt_dec x r then true 
    else false else false).
Proof.
intros. 
unfold Cardinal.is_finite.
destruct (Z_le_dec l r).
+ exists (seqZ l (Z.to_nat (r - l)%Z)).
  split. apply seqZ_NoDup.
  intros. rewrite seqZ_In_iff.
  rewrite Z2Nat.id; [|lia].
  destruct Z_le_dec; try destruct Z_lt_dec; intuition; try inversion H.
+ exists nil. split. constructor.
  simpl. intros. destruct Z_le_dec; try destruct Z_lt_dec; intuition.
Qed.


(* Why3 goal *)
Lemma cardinal_interval :
  forall (l:Numbers.BinNums.Z) (r:Numbers.BinNums.Z),
  ((l <= r)%Z -> ((set.Fset.cardinal (interval l r)) = (r - l)%Z)) /\
  (~ (l <= r)%Z -> ((set.Fset.cardinal (interval l r)) = 0%Z)).
Proof.
intros l r.
unfold interval, Fset.mem, set.Set.mem, Fset.cardinal, Cardinal.cardinal.
assert (H := interval_is_finite l r).
destruct ClassicalEpsilon.excluded_middle_informative; [| intuition]. 
destruct ClassicalEpsilon.classical_indefinite_description.
specialize (a i).
split.
+ intros.
  destruct a. 
  assert (length (seqZ l (Z.to_nat (r - l)%Z)) = length x).
  {
    eapply Nat.le_antisymm.
    + eapply List.NoDup_incl_length. eapply seqZ_NoDup. intro. rewrite H2.
      rewrite seqZ_In_iff. destruct Z_le_dec; try destruct Z_lt_dec; intuition idtac.
      rewrite Z2Nat.id in H5; lia.
    + eapply List.NoDup_incl_length. assumption. intro. rewrite H2.
      rewrite seqZ_In_iff. destruct Z_le_dec; try destruct Z_lt_dec; intuition (try discriminate).
      rewrite Z2Nat.id; lia.
  }
  rewrite <- H3. rewrite seqZ_length. rewrite Z2Nat.id; lia.
+ intros. destruct a. 
  destruct x. reflexivity.
  specialize (H2 z). contradict H2. destruct Z_le_dec. 
  destruct Z_lt_dec. lia. intuition. intuition.
Qed.

why3-1.6.0/lib/coq/set/FsetSum.v000066400000000000000000000271541440160026300163150ustar00rootroot00000000000000(********************************************************************)
(*                                                                  *)
(*  The Why3 Verification Platform   /   The Why3 Development Team  *)
(*  Copyright 2010-2023 --  Inria - CNRS - Paris-Saclay University  *)
(*                                                                  *)
(*  This software is distributed under the terms of the GNU Lesser  *)
(*  General Public License version 2.1, with the special exception  *)
(*  on linking described in file LICENSE.                           *)
(*                                                                  *)
(********************************************************************)

(* This file is generated by Why3's Coq-realize driver *)
(* Beware! Only edit allowed sections below    *)
Require Import BuiltIn.
Require BuiltIn.
Require HighOrd.
Require int.Int.
Require set.Fset.

Require Import Lia.

(* Why3 goal *)
Definition sum {a:Type} {a_WT:WhyType a} :
  set.Fset.fset a -> (a -> Numbers.BinNums.Z) -> Numbers.BinNums.Z.
Proof.
intros fs conv.
destruct fs as (f, H).
(* We use the list to define the algorithm *)
eapply ClassicalEpsilon.constructive_indefinite_description in H.
destruct H as (l, H).
apply (List.fold_left (fun acc x => conv x + acc)%Z l 0%Z).
Defined.

(* Why3 goal *)
Lemma sum_def_empty {a:Type} {a_WT:WhyType a} :
  forall (s:set.Fset.fset a) (f:a -> Numbers.BinNums.Z),
  set.Fset.is_empty s -> ((sum s f) = 0%Z).
Proof.
intros s f h1.
unfold sum, Fset.is_empty, Fset.mem, set.Set.mem in *. destruct s.
destruct ClassicalEpsilon.constructive_indefinite_description.
destruct x0. 
+ reflexivity.
+ destruct a0. destruct (h1 a1).
  apply H0. left. reflexivity.
Qed.

Lemma fold_left_symm: forall {A} {B} l i s (conv: B -> A) 
  (Hsymm: forall a (b: A), s a b = s b a)
  (Hassoc: forall a b c, s (s a b) c = s a (s b c)) v,
  s (List.fold_left (fun acc x => s (conv x) acc) l i) v = 
  List.fold_left (fun acc x => s (conv x) acc) l (s i v).
Proof.
induction l; intros.
+ simpl. reflexivity.
+ simpl. rewrite IHl; eauto.
  rewrite Hassoc. reflexivity.
Qed.

Lemma fold_left_iff_symm: forall {A} {B} l l1 i (s: A -> A -> A) (conv: B -> A)
  (Hsymm: forall a b, s a b = s b a)
  (Hassoc: forall a b c, s (s a b) c = s a (s b c))
  (Heq: forall e, List.In e l <-> List.In e l1)
  (Hdup: List.NoDup l) (Hdup': List.NoDup l1),
  List.fold_left (fun acc x => s (conv x) acc) l i = 
  List.fold_left (fun acc x => s (conv x) acc) l1 i.
Proof.
induction l; intros.
+ destruct l1. reflexivity. specialize (Heq b). destruct Heq. destruct H0. 
  left. reflexivity.
+ simpl.
  destruct (List.in_split a l1) as [l1' [l1'' Hsplit]].
  - eapply Heq. left. reflexivity.
  - rewrite (IHl (List.app l1' l1'')); eauto.
    * rewrite Hsplit. rewrite List.fold_left_app.
      rewrite List.fold_left_app. simpl. rewrite (Hsymm (conv a) (List.fold_left _ _ _)). 
      rewrite fold_left_symm; eauto. rewrite Hsymm. reflexivity.
    * intros. rewrite List.in_app_iff. rewrite Hsplit in Heq.
      specialize (Heq e). rewrite List.in_app_iff in Heq. simpl in Heq.
      split; intros.
      ++ intuition. subst. inversion Hdup; intuition. subst. inversion Hdup; intuition.
      ++ destruct H. destruct Heq. assert (a = e \/ List.In e l). apply H1. auto. destruct H2; eauto. 
         subst. eapply List.NoDup_remove_2 in Hdup'. rewrite List.in_app_iff in Hdup'. destruct Hdup'; eauto.
         destruct Heq. assert (a = e \/ List.In e l). apply H1. auto. destruct H2; eauto. 
         subst. eapply List.NoDup_remove_2 in Hdup'. rewrite List.in_app_iff in Hdup'. destruct Hdup'; eauto.
    * inversion Hdup; auto.
    * rewrite Hsplit in Hdup'. eapply List.NoDup_remove_1; eauto.
Qed. 

(* Why3 goal *)
Lemma sum_add {a:Type} {a_WT:WhyType a} :
  forall (s:set.Fset.fset a) (f:a -> Numbers.BinNums.Z) (x:a),
  (set.Fset.mem x s -> ((sum (set.Fset.add x s) f) = (sum s f))) /\
  (~ set.Fset.mem x s ->
   ((sum (set.Fset.add x s) f) = ((sum s f) + (f x))%Z)).
Proof.
intros s f x.
unfold sum, Fset.mem, set.Set.mem, Fset.add.
destruct s as (sf, H).
destruct ClassicalEpsilon.constructive_indefinite_description.
destruct ClassicalEpsilon.constructive_indefinite_description.
destruct a0 as (Hx0dup, Hx0eq). destruct a1 as (Hx1dup, Hx1eq).
split. intros.
+ eapply fold_left_iff_symm; eauto.
  * intuition.
  * intuition.
  * intros. rewrite Hx0eq. rewrite Hx1eq. unfold Map.set. 
    destruct why_decidable_eq; try subst; intuition.
+ intros.
  assert (List.In x x0). { eapply Hx0eq. unfold Map.set. destruct why_decidable_eq; eauto. }
  destruct (List.in_split x x0 H1) as [x0' [x0'' Hx0]].
  rewrite Hx0. rewrite List.fold_left_app. simpl. 
  rewrite (Zplus_comm (f x)). symmetry. 
  erewrite <- (fold_left_iff_symm (List.app x0' x0'')); eauto.
  * rewrite List.fold_left_app. rewrite fold_left_symm.
    ++ auto.
    ++ intuition.
    ++ intuition.
  * intuition.
  * intuition.
  * intros. rewrite List.in_app_iff. rewrite Hx0 in Hx0eq.
    specialize (Hx0eq e). rewrite List.in_app_iff in Hx0eq. simpl in Hx0eq.
    unfold Map.set in *. split; intros.
    ++ destruct H2.
       ** apply Hx1eq. destruct why_decidable_eq.
          -- subst. eapply List.NoDup_remove_2 in Hx0dup. intuition.
          -- intuition.
       ** eapply Hx1eq. destruct why_decidable_eq.
          -- subst. eapply List.NoDup_remove_2 in Hx0dup. intuition.
          -- intuition.
    ++ eapply Hx1eq in H2.
       destruct why_decidable_eq.
       -- subst. destruct H0. assumption.
       -- intuition.
  * rewrite Hx0 in Hx0dup. eapply List.NoDup_remove_1 in Hx0dup; eauto.
Qed.

(* Why3 goal *)
Lemma sum_remove {a:Type} {a_WT:WhyType a} :
  forall (s:set.Fset.fset a) (f:a -> Numbers.BinNums.Z) (x:a),
  (set.Fset.mem x s ->
   ((sum (set.Fset.remove x s) f) = ((sum s f) - (f x))%Z)) /\
  (~ set.Fset.mem x s -> ((sum (set.Fset.remove x s) f) = (sum s f))).
Proof.
intros s f x.
split; intros.
+ assert (s = Fset.add x (Fset.remove x s)).
  {
    apply Fset.extensionality. intro. rewrite Fset.add_remove; eauto. reflexivity.
  }
  rewrite H0 at 2. destruct (sum_add (Fset.remove x s) f x).
  rewrite H2. ring.
  rewrite Fset.remove_def. intuition.
+ assert (s = Fset.remove x s). 
  {
    apply Fset.extensionality. intro. 
    rewrite Fset.remove_def. intuition. subst. destruct H; assumption.
  }
  rewrite <- H0. reflexivity.
Qed.

Lemma sum_diff {a:Type} {a_WT:WhyType a} :
  forall (s1:set.Fset.fset a) (s2:set.Fset.fset a),
  forall (f:a -> Numbers.BinNums.Z),
  Fset.subset s1 s2 -> 
    (sum s2 f - sum s1 f = sum (set.Fset.diff s2 s1) f)%Z.
Proof.
intros.
assert (sum s2 f = sum (Fset.diff s2 s1) f + sum s1 f)%Z.
{
  unfold sum, Fset.diff, Fset.union, Fset.subset, Fset.disjoint, 
    Fset.inter, Fset.mem, set.Set.mem, Fset.add in *.
destruct s1 as (sf1, H1).
destruct s2 as (sf2, H2).
destruct ClassicalEpsilon.constructive_indefinite_description.
destruct ClassicalEpsilon.constructive_indefinite_description.
destruct ClassicalEpsilon.constructive_indefinite_description.
destruct a1 as (Hdidup, Hdieq).
destruct a0 as (Hx0dup, Hx0eq).
destruct a2 as (Hx1dup, Hx1eq).
  rewrite fold_left_symm; try now intuition.
  rewrite Z.add_0_l. rewrite <- List.fold_left_app.
  eapply fold_left_iff_symm; eauto.
  + intuition.
  + intuition.
  + intros. rewrite List.in_app_iff. rewrite Hx1eq. rewrite Hx0eq.
    rewrite Hdieq. rewrite set.Set.diff'def. unfold set.Set.mem.
    split; intros.
    - destruct (Bool.bool_dec (sf1 e) true); intuition.
    - intuition.
  + eapply Cardinal.NoDup_app; eauto.
    - intros. rewrite Hx1eq in H0. rewrite Hdieq. rewrite set.Set.diff'def.
      intuition.
}
lia.
Qed.

Lemma sum_union_disj {a:Type} {a_WT:WhyType a} :
  forall (s1:set.Fset.fset a) (s2:set.Fset.fset a),
  forall (f:a -> Numbers.BinNums.Z)
    (Hdisj: set.Fset.disjoint s1 s2),
  (sum (set.Fset.union s1 s2) f) = ((sum s1 f) + (sum s2 f))%Z.
Proof.
intros s1 s2 f Hdisj.
unfold sum, Fset.union, Fset.disjoint, Fset.inter, Fset.mem, set.Set.mem, Fset.add in *.
destruct s1 as (sf1, H1).
destruct s2 as (sf2, H2).
destruct ClassicalEpsilon.constructive_indefinite_description.
destruct ClassicalEpsilon.constructive_indefinite_description.
destruct ClassicalEpsilon.constructive_indefinite_description.
destruct a0 as (Hundup, Huneq).
destruct a1 as (Hx0dup, Hx0eq).
destruct a2 as (Hx1dup, Hx1eq).
  rewrite fold_left_symm; try now intuition.
  rewrite Z.add_0_l. rewrite <- List.fold_left_app.
  eapply fold_left_iff_symm; eauto.
  + intuition.
  + intuition.
  + intros. rewrite List.in_app_iff. rewrite Hx1eq. rewrite Hx0eq. rewrite Huneq.
    rewrite set.Set.union'def. clear - e. intuition.
  + eapply Cardinal.NoDup_app; eauto.
    * intros. intro. apply Hx0eq in H0. apply Hx1eq in H.
      specialize (Hdisj e). intuition.
Qed.

(* Why3 goal *)
Lemma sum_union {a:Type} {a_WT:WhyType a} :
  forall (s1:set.Fset.fset a) (s2:set.Fset.fset a),
  forall (f:a -> Numbers.BinNums.Z),
  ((sum (set.Fset.union s1 s2) f) =
   (((sum s1 f) + (sum s2 f))%Z - (sum (set.Fset.inter s1 s2) f))%Z).
Proof.
intros s1 s2 f.
assert (sum (Fset.union s1 s2) f - sum (Fset.inter s1 s2) f = 
  (sum s1 f - sum (Fset.inter s1 s2) f) + (sum s2 f - sum (Fset.inter s1 s2) f))%Z.
{
  rewrite sum_diff; [rewrite sum_diff; [rewrite sum_diff |] |].
  + assert (Fset.diff (Fset.union s1 s2) (Fset.inter s1 s2) = 
          Fset.union (Fset.diff s1 (Fset.inter s1 s2)) (Fset.diff s2 (Fset.inter s1 s2))).
    {
      eapply Fset.extensionality. intro e.
      rewrite Fset.union_def. rewrite Fset.diff_def. rewrite Fset.diff_def. rewrite Fset.diff_def.
      rewrite Fset.union_def. rewrite Fset.inter_def. intuition.
    }
    rewrite H.
    pose (s1' := Fset.diff s1 (Fset.inter s1 s2)). fold s1'.
    pose (s2' := Fset.diff s2 (Fset.inter s1 s2)). fold s2'.
    eapply sum_union_disj.
    unfold s1', s2'. intro. rewrite Fset.diff_def. rewrite Fset.diff_def.
    rewrite Fset.inter_def. tauto.
  + eapply Fset.subset_inter_2.
  + eapply Fset.subset_inter_1.
  + eapply Fset.subset_trans with s1. eapply Fset.subset_inter_1.
    eapply Fset.subset_union_1.
}
lia.
Qed.

(* Why3 goal *)
Lemma sum_eq {a:Type} {a_WT:WhyType a} :
  forall (s:set.Fset.fset a),
  forall (f:a -> Numbers.BinNums.Z) (g:a -> Numbers.BinNums.Z),
  (forall (x:a), set.Fset.mem x s -> ((f x) = (g x))) ->
  ((sum s f) = (sum s g)).
Proof.
intros s f g h1.
unfold sum, Fset.mem, set.Set.mem in *.
destruct s as (sf, H).
destruct ClassicalEpsilon.constructive_indefinite_description.
clear H.
assert (forall e, List.In e x -> f e = g e).
{
  intros. rewrite h1. reflexivity. apply a0. assumption.
}
assert (forall l (f: int -> a -> int) g a 
  (Heq: forall e acc, List.In e l -> f acc e = g acc e),
  List.fold_left f l a = List.fold_left g l a).
{
  induction l; simpl; intros; eauto.
  rewrite Heq; eauto.
}
erewrite H0; eauto. 
intros. simpl. rewrite H; eauto.
Qed.

(* Why3 goal *)
Lemma cardinal_is_sum {a:Type} {a_WT:WhyType a} :
  forall (s:set.Fset.fset a),
  ((set.Fset.cardinal s) = (sum s (fun (us:a) => 1%Z))).
Proof.
intros s.
unfold sum, Fset.mem, set.Set.mem, Fset.cardinal in *.
destruct s as (sf, H).
destruct ClassicalEpsilon.constructive_indefinite_description.
unfold Cardinal.cardinal.
destruct ClassicalEpsilon.excluded_middle_informative; [|intuition].
destruct ClassicalEpsilon.classical_indefinite_description.
specialize (a1 H).
assert (Z.of_nat (length x0) = Z.of_nat (length x)).
{
  erewrite (Cardinal.length_prop why_decidable_eq x nil x0); eauto.
  + simpl. rewrite Nat.sub_0_r. reflexivity.
  + apply a0.
  + constructor.
  + apply a1.
  + intros e Habs. inversion Habs.
  + intros. simpl. destruct a1, a0. rewrite H1, H3. intuition.
}
rewrite H0.
clear -x.
induction x; eauto.
assert (Z.of_nat (length (a0 :: x)) = Z.of_nat (length x) + 1)%Z.
simpl. rewrite Zpos_P_of_succ_nat. ring.
rewrite H.
rewrite IHx. rewrite @fold_left_symm; eauto.
intuition.
intuition.
Qed.

why3-1.6.0/lib/coq/set/Set.v000066400000000000000000000305541440160026300154600ustar00rootroot00000000000000(********************************************************************)
(*                                                                  *)
(*  The Why3 Verification Platform   /   The Why3 Development Team  *)
(*  Copyright 2010-2023 --  Inria - CNRS - Paris-Saclay University  *)
(*                                                                  *)
(*  This software is distributed under the terms of the GNU Lesser  *)
(*  General Public License version 2.1, with the special exception  *)
(*  on linking described in file LICENSE.                           *)
(*                                                                  *)
(********************************************************************)

(* This file is generated by Why3's Coq-realize driver *)
(* Beware! Only edit allowed sections below    *)
Require Import BuiltIn.
Require BuiltIn.
Require HighOrd.
Require map.Map.
Require map.Const.

Require Import ClassicalEpsilon.

Lemma predicate_extensionality:
  forall A (P Q : A -> bool),
    (forall x, P x = Q x) -> P = Q.
Admitted.

(* Why3 assumption *)
Definition set (a:Type) := a -> Init.Datatypes.bool.

Global Instance set_WhyType : forall (a:Type) {a_WT:WhyType a}, WhyType (set a).
Proof.
intros.
split.
exact (fun _ => false).
intros x y.
apply excluded_middle_informative.
Qed.

(* Why3 assumption *)
Definition mem {a:Type} {a_WT:WhyType a} (x:a) (s:a -> Init.Datatypes.bool) :
    Prop :=
  ((s x) = Init.Datatypes.true).

Hint Unfold mem.

(* Why3 assumption *)
Definition infix_eqeq {a:Type} {a_WT:WhyType a} (s1:a -> Init.Datatypes.bool)
    (s2:a -> Init.Datatypes.bool) : Prop :=
  forall (x:a), mem x s1 <-> mem x s2.

Notation "x == y" := (infix_eqeq x y) (at level 70, no associativity).

(* Why3 goal *)
Lemma extensionality {a:Type} {a_WT:WhyType a} :
  forall (s1:a -> Init.Datatypes.bool) (s2:a -> Init.Datatypes.bool),
  infix_eqeq s1 s2 -> (s1 = s2).
Proof.
intros s1 s2 h1.
apply predicate_extensionality.
intros x.
generalize (h1 x).
unfold mem.
intros [h2 h3].
destruct (s1 x).
now rewrite h2.
destruct (s2 x).
now apply h3.
easy.
Qed.

(* Why3 assumption *)
Definition subset {a:Type} {a_WT:WhyType a} (s1:a -> Init.Datatypes.bool)
    (s2:a -> Init.Datatypes.bool) : Prop :=
  forall (x:a), mem x s1 -> mem x s2.

(* Why3 goal *)
Lemma subset_refl {a:Type} {a_WT:WhyType a} :
  forall (s:a -> Init.Datatypes.bool), subset s s.
Proof.
now intros s x.
Qed.

(* Why3 goal *)
Lemma subset_trans {a:Type} {a_WT:WhyType a} :
  forall (s1:a -> Init.Datatypes.bool) (s2:a -> Init.Datatypes.bool)
    (s3:a -> Init.Datatypes.bool),
  subset s1 s2 -> subset s2 s3 -> subset s1 s3.
Proof.
intros s1 s2 s3 h1 h2 x H.
now apply h2, h1.
Qed.

(* Why3 assumption *)
Definition is_empty {a:Type} {a_WT:WhyType a} (s:a -> Init.Datatypes.bool) :
    Prop :=
  forall (x:a), ~ mem x s.

(* Why3 goal *)
Lemma is_empty_empty {a:Type} {a_WT:WhyType a} :
  is_empty (map.Const.const Init.Datatypes.false : a -> Init.Datatypes.bool).
Proof.
now intros x.
Qed.

(* Why3 goal *)
Lemma empty_is_empty {a:Type} {a_WT:WhyType a} :
  forall (s:a -> Init.Datatypes.bool), is_empty s ->
  (s = (map.Const.const Init.Datatypes.false : a -> Init.Datatypes.bool)).
Proof.
intros s h1.
apply predicate_extensionality.
unfold is_empty in h1; unfold Const.const.
unfold mem in h1.
intros x. generalize (h1 x).
destruct (s x); intuition.
Qed.

(* Why3 goal *)
Lemma mem_singleton {a:Type} {a_WT:WhyType a} :
  forall (x:a) (y:a),
  mem y
  (map.Map.set
   (map.Const.const Init.Datatypes.false : a -> Init.Datatypes.bool) x
   Init.Datatypes.true) ->
  (y = x).
Proof.
intros x y h1.
unfold mem, Map.set, Const.const in h1.
destruct (why_decidable_eq x y) as [->|H] ; intuition.
discriminate h1.
Qed.

(* Why3 goal *)
Lemma add_remove {a:Type} {a_WT:WhyType a} :
  forall (x:a) (s:a -> Init.Datatypes.bool), mem x s ->
  ((map.Map.set (map.Map.set s x Init.Datatypes.false) x Init.Datatypes.true)
   = s).
Proof.
intros x s h1.
apply extensionality; intro y.
unfold mem, Map.set. unfold mem in h1.
destruct (why_decidable_eq x y) as [->|H] ; intuition.
Qed.

(* Why3 goal *)
Lemma remove_add {a:Type} {a_WT:WhyType a} :
  forall (x:a) (s:a -> Init.Datatypes.bool),
  ((map.Map.set (map.Map.set s x Init.Datatypes.true) x Init.Datatypes.false)
   = (map.Map.set s x Init.Datatypes.false)).
Proof.
intros x s.
apply extensionality; intro y.
unfold mem, Map.set.
destruct (why_decidable_eq x y) as [->|H] ; intuition.
Qed.

(* Why3 goal *)
Lemma subset_remove {a:Type} {a_WT:WhyType a} :
  forall (x:a) (s:a -> Init.Datatypes.bool),
  subset (map.Map.set s x Init.Datatypes.false) s.
Proof.
intros x s y.
unfold mem, Map.set.
destruct (why_decidable_eq x y) as [->|H] ; intuition.
Qed.

(* Why3 goal *)
Definition union {a:Type} {a_WT:WhyType a} :
  (a -> Init.Datatypes.bool) -> (a -> Init.Datatypes.bool) ->
  a -> Init.Datatypes.bool.
Proof.
intros s1 s2.
exact (fun x => orb (s1 x) (s2 x)).
Defined.

(* Why3 goal *)
Lemma union'def {a:Type} {a_WT:WhyType a} :
  forall (s1:a -> Init.Datatypes.bool) (s2:a -> Init.Datatypes.bool) (x:a),
  ((union s1 s2 x) = Init.Datatypes.true) <-> mem x s1 \/ mem x s2.
Proof.
intros s1 s2 x.
apply Bool.orb_true_iff.
Qed.

(* Why3 goal *)
Lemma subset_union_1 {a:Type} {a_WT:WhyType a} :
  forall (s1:a -> Init.Datatypes.bool) (s2:a -> Init.Datatypes.bool),
  subset s1 (union s1 s2).
Proof.
intros s1 s2.
unfold subset, union.
unfold mem.
intros x hx.
apply Bool.orb_true_iff. intuition.
Qed.

(* Why3 goal *)
Lemma subset_union_2 {a:Type} {a_WT:WhyType a} :
  forall (s1:a -> Init.Datatypes.bool) (s2:a -> Init.Datatypes.bool),
  subset s2 (union s1 s2).
Proof.
intros s1 s2.
unfold subset, union.
unfold mem.
intros x hx.
apply Bool.orb_true_iff. intuition.
Qed.

(* Why3 goal *)
Definition inter {a:Type} {a_WT:WhyType a} :
  (a -> Init.Datatypes.bool) -> (a -> Init.Datatypes.bool) ->
  a -> Init.Datatypes.bool.
Proof.
intros s1 s2.
exact (fun x => andb (s1 x) (s2 x)).
Defined.

(* Why3 goal *)
Lemma inter'def {a:Type} {a_WT:WhyType a} :
  forall (s1:a -> Init.Datatypes.bool) (s2:a -> Init.Datatypes.bool) (x:a),
  ((inter s1 s2 x) = Init.Datatypes.true) <-> mem x s1 /\ mem x s2.
Proof.
intros s1 s2 x.
apply Bool.andb_true_iff.
Qed.

(* Why3 goal *)
Lemma subset_inter_1 {a:Type} {a_WT:WhyType a} :
  forall (s1:a -> Init.Datatypes.bool) (s2:a -> Init.Datatypes.bool),
  subset (inter s1 s2) s1.
Proof.
intros s1 s2.
unfold subset, inter.
unfold mem.
intros x hx.
apply Bool.andb_true_iff in hx. intuition.
Qed.

(* Why3 goal *)
Lemma subset_inter_2 {a:Type} {a_WT:WhyType a} :
  forall (s1:a -> Init.Datatypes.bool) (s2:a -> Init.Datatypes.bool),
  subset (inter s1 s2) s2.
Proof.
intros s1 s2.
unfold subset, inter.
unfold mem.
intros x hx.
apply Bool.andb_true_iff in hx. intuition.
Qed.

(* Why3 goal *)
Definition diff {a:Type} {a_WT:WhyType a} :
  (a -> Init.Datatypes.bool) -> (a -> Init.Datatypes.bool) ->
  a -> Init.Datatypes.bool.
Proof.
intros s1 s2.
exact (fun x => andb (s1 x) (negb (s2 x))).
Defined.

(* Why3 goal *)
Lemma diff'def {a:Type} {a_WT:WhyType a} :
  forall (s1:a -> Init.Datatypes.bool) (s2:a -> Init.Datatypes.bool) (x:a),
  ((diff s1 s2 x) = Init.Datatypes.true) <-> mem x s1 /\ ~ mem x s2.
Proof.
intros s1 s2 x.
unfold mem, diff.
rewrite Bool.not_true_iff_false.
rewrite <- Bool.negb_true_iff.
apply Bool.andb_true_iff.
Qed.

(* Why3 goal *)
Lemma subset_diff {a:Type} {a_WT:WhyType a} :
  forall (s1:a -> Init.Datatypes.bool) (s2:a -> Init.Datatypes.bool),
  subset (diff s1 s2) s1.
Proof.
intros s1 s2 x.
unfold mem.
rewrite diff'def. intuition.
Qed.

(* Why3 goal *)
Definition complement {a:Type} {a_WT:WhyType a} :
  (a -> Init.Datatypes.bool) -> a -> Init.Datatypes.bool.
Proof.
intros s.
exact (fun x => negb (s x)).
Defined.

(* Why3 goal *)
Lemma complement'def {a:Type} {a_WT:WhyType a} :
  forall (s:a -> Init.Datatypes.bool) (x:a),
  ((complement s x) = Init.Datatypes.true) <-> ~ mem x s.
Proof.
intros s x.
unfold mem, complement.
rewrite Bool.not_true_iff_false.
apply Bool.negb_true_iff.
Qed.

(* Why3 goal *)
Definition pick {a:Type} {a_WT:WhyType a} : (a -> Init.Datatypes.bool) -> a.
Proof.
intros s.
assert (i: inhabited a) by (apply inhabits, why_inhabitant).
exact (epsilon i (fun x => mem x s)).
Defined.

(* Why3 goal *)
Lemma pick_def {a:Type} {a_WT:WhyType a} :
  forall (s:a -> Init.Datatypes.bool), ~ is_empty s -> mem (pick s) s.
Proof.
intros s h1.
unfold pick.
apply epsilon_spec.
now apply not_all_not_ex.
Qed.

(* Why3 assumption *)
Definition disjoint {a:Type} {a_WT:WhyType a} (s1:a -> Init.Datatypes.bool)
    (s2:a -> Init.Datatypes.bool) : Prop :=
  forall (x:a), ~ mem x s1 \/ ~ mem x s2.

(* Why3 goal *)
Lemma disjoint_inter_empty {a:Type} {a_WT:WhyType a} :
  forall (s1:a -> Init.Datatypes.bool) (s2:a -> Init.Datatypes.bool),
  disjoint s1 s2 <-> is_empty (inter s1 s2).
Proof.
intros s1 s2.
unfold disjoint, is_empty, inter.
unfold mem.
intuition.
destruct (H x); intuition.
apply H1.
rewrite Bool.andb_true_iff in H0. intuition.
apply H1.
rewrite Bool.andb_true_iff in H0. intuition.
generalize (H x).
rewrite Bool.andb_true_iff.
destruct (s1 x); destruct (s2 x); intuition.
Qed.

(* Why3 goal *)
Lemma disjoint_diff_eq {a:Type} {a_WT:WhyType a} :
  forall (s1:a -> Init.Datatypes.bool) (s2:a -> Init.Datatypes.bool),
  disjoint s1 s2 <-> ((diff s1 s2) = s1).
Proof.
intros s1 s2.
unfold disjoint, diff.
unfold mem.
intuition.
apply (extensionality _ s1). unfold infix_eqeq.
unfold mem.
intuition.
destruct (H x); intuition.
rewrite Bool.andb_true_iff in H0. intuition.
rewrite Bool.andb_true_iff in H0. intuition.
rewrite Bool.andb_true_iff.
intuition.
destruct (H x); intuition.
rewrite <- H.
rewrite Bool.andb_true_iff.
destruct (s2 x); intuition.
Qed.

(* Why3 goal *)
Lemma disjoint_diff_s2 {a:Type} {a_WT:WhyType a} :
  forall (s1:a -> Init.Datatypes.bool) (s2:a -> Init.Datatypes.bool),
  disjoint (diff s1 s2) s2.
Proof.
intros s1 s2.
unfold disjoint, diff.
unfold mem.
intros x.
rewrite Bool.andb_true_iff.
destruct (s2 x); intuition.
Qed.

(* Why3 goal *)
Definition product {a:Type} {a_WT:WhyType a} {b:Type} {b_WT:WhyType b} :
  (a -> Init.Datatypes.bool) -> (b -> Init.Datatypes.bool) ->
  (a* b)%type -> Init.Datatypes.bool.
Proof.
  intros sx sy xy.
  destruct xy as [x y].
  exact (andb (sx x) (sy y)).
Defined.

(* Why3 goal *)
Lemma product_def {a:Type} {a_WT:WhyType a} {b:Type} {b_WT:WhyType b} :
  forall (s1:a -> Init.Datatypes.bool) (s2:b -> Init.Datatypes.bool) 
    (x:a) (y:b),
  mem (x, y) (product s1 s2) <-> mem x s1 /\ mem y s2.
Proof.
intros s1 s2 x y.
apply Bool.andb_true_iff.
Qed.

(* Why3 goal *)
Definition filter {a:Type} {a_WT:WhyType a} :
  (a -> Init.Datatypes.bool) -> (a -> Init.Datatypes.bool) ->
  a -> Init.Datatypes.bool.
Proof.
  intros s1 s2 e.
  exact (andb (s1 e) (s2 e)).
Defined.

(* Why3 goal *)
Lemma filter_def {a:Type} {a_WT:WhyType a} :
  forall (s:a -> Init.Datatypes.bool) (p:a -> Init.Datatypes.bool) (x:a),
  mem x (filter s p) <-> mem x s /\ ((p x) = Init.Datatypes.true).
Proof.
intros s p x.
apply Bool.andb_true_iff.
Qed.

(* Why3 goal *)
Lemma subset_filter {a:Type} {a_WT:WhyType a} :
  forall (s:a -> Init.Datatypes.bool) (p:a -> Init.Datatypes.bool),
  subset (filter s p) s.
Proof.
intros s p x H.
destruct (andb_prop _ _ H) as [H1 _].
exact H1.
Qed.

(* Why3 goal *)
Definition map {a:Type} {a_WT:WhyType a} {b:Type} {b_WT:WhyType b} :
  (a -> b) -> (a -> Init.Datatypes.bool) -> b -> Init.Datatypes.bool.
Proof.
intros f s y.
set (P := fun (x:a) => mem x s /\ y = f x).
assert (inhabited a).
destruct a_WT.
exact (inhabits why_inhabitant).
set (x := epsilon H P).
destruct b_WT.
destruct (why_decidable_eq y (f x)).
exact (s x).
exact false.
Defined.

(* Why3 goal *)
Lemma map'def {a:Type} {a_WT:WhyType a} {b:Type} {b_WT:WhyType b} :
  forall (f:a -> b) (u:a -> Init.Datatypes.bool) (y:b),
  ((map f u y) = Init.Datatypes.true) <->
  (exists x:a, mem x u /\ (y = (f x))).
Proof.
intros f u y.
unfold map, mem.
destruct b_WT.
destruct a_WT.
set (P := fun (x:a) => u x = true /\ y = f x).
set (inh := (inhabits why_inhabitant0)).
generalize (epsilon_spec inh P).
set (x := epsilon inh P).
destruct (classic (exists x, P x)).
destruct (why_decidable_eq y (f x)).
intuition.
unfold P in H1. intuition.
intuition.
unfold P in H1. intuition.
destruct (why_decidable_eq y (f x)).
intuition.
exists x; unfold P; intuition.
intuition.
discriminate H1.
Qed.

(* Why3 goal *)
Lemma mem_map {a:Type} {a_WT:WhyType a} {b:Type} {b_WT:WhyType b} :
  forall (f:a -> b) (u:a -> Init.Datatypes.bool), forall (x:a), mem x u ->
  mem (f x) (map f u).
Proof.
intros f u x h1.
generalize (map'def f u (f x)).
intuition.
apply H1.
exists x; intuition.
Qed.

why3-1.6.0/lib/coq/set/SetApp.v000066400000000000000000000031631440160026300161150ustar00rootroot00000000000000(********************************************************************)
(*                                                                  *)
(*  The Why3 Verification Platform   /   The Why3 Development Team  *)
(*  Copyright 2010-2023 --  Inria - CNRS - Paris-Saclay University  *)
(*                                                                  *)
(*  This software is distributed under the terms of the GNU Lesser  *)
(*  General Public License version 2.1, with the special exception  *)
(*  on linking described in file LICENSE.                           *)
(*                                                                  *)
(********************************************************************)

(* This file is generated by Why3's Coq-realize driver *)
(* Beware! Only edit allowed sections below    *)
Require Import BuiltIn.
Require BuiltIn.
Require HighOrd.
Require int.Int.
Require set.Fset.

(* Why3 goal *)
Definition elt : Type.
Proof.
(* TODO find something more interesting *)
exact Z.
Defined.

(* Why3 goal *)
Definition set : Type.
Proof.
exact (set.Fset.fset elt).
Defined.

(* Why3 goal *)
Definition to_fset : set -> set.Fset.fset elt.
Proof.
exact (fun x => x).
Defined.

(* Why3 goal *)
Definition mk : set.Fset.fset elt -> set.
Proof.
exact (fun x => x).
Defined.

(* Why3 goal *)
Lemma mk'spec : forall (s:set.Fset.fset elt), ((to_fset (mk s)) = s).
Proof.
trivial.
Qed.

(* Why3 goal *)
Definition choose : set -> elt.
Proof.
exact Fset.pick.
Defined.

(* Why3 goal *)
Lemma choose'spec :
  forall (s:set), ~ set.Fset.is_empty (to_fset s) ->
  set.Fset.mem (choose s) (to_fset s).
Proof.
apply Fset.pick_def.
Qed.

why3-1.6.0/lib/coq/set/SetAppInt.v000066400000000000000000000031441440160026300165670ustar00rootroot00000000000000(********************************************************************)
(*                                                                  *)
(*  The Why3 Verification Platform   /   The Why3 Development Team  *)
(*  Copyright 2010-2023 --  Inria - CNRS - Paris-Saclay University  *)
(*                                                                  *)
(*  This software is distributed under the terms of the GNU Lesser  *)
(*  General Public License version 2.1, with the special exception  *)
(*  on linking described in file LICENSE.                           *)
(*                                                                  *)
(********************************************************************)

(* This file is generated by Why3's Coq-realize driver *)
(* Beware! Only edit allowed sections below    *)
Require Import BuiltIn.
Require BuiltIn.
Require HighOrd.
Require int.Int.
Require set.Fset.
Require set.FsetInt.
Require set.SetApp.

(* Why3 goal *)
Definition set : Type.
Proof.
exact (Fset.fset Z).
Defined.

(* Why3 goal *)
Definition to_fset : set -> set.Fset.fset Numbers.BinNums.Z.
Proof.
exact (fun x => x).
Defined.

(* Why3 goal *)
Definition mk : set.Fset.fset Numbers.BinNums.Z -> set.
Proof.
exact (fun x => x).
Defined.

(* Why3 goal *)
Lemma mk'spec :
  forall (s:set.Fset.fset Numbers.BinNums.Z), ((to_fset (mk s)) = s).
Proof.
trivial.
Qed.

(* Why3 goal *)
Definition choose : set -> Numbers.BinNums.Z.
Proof.
exact Fset.pick.
Defined.

(* Why3 goal *)
Lemma choose'spec :
  forall (s:set), ~ set.Fset.is_empty (to_fset s) ->
  set.Fset.mem (choose s) (to_fset s).
Proof.
apply Fset.pick_def.
Qed.

why3-1.6.0/lib/coq/set/SetImp.v000066400000000000000000000032501440160026300161170ustar00rootroot00000000000000(********************************************************************)
(*                                                                  *)
(*  The Why3 Verification Platform   /   The Why3 Development Team  *)
(*  Copyright 2010-2023 --  Inria - CNRS - Paris-Saclay University  *)
(*                                                                  *)
(*  This software is distributed under the terms of the GNU Lesser  *)
(*  General Public License version 2.1, with the special exception  *)
(*  on linking described in file LICENSE.                           *)
(*                                                                  *)
(********************************************************************)

(* This file is generated by Why3's Coq-realize driver *)
(* Beware! Only edit allowed sections below    *)
Require Import BuiltIn.
Require BuiltIn.
Require HighOrd.
Require int.Int.
Require set.Fset.

(* Why3 goal *)
Definition elt : Type.
Proof.
(* TODO find something more interesting. *)
apply bool.
Defined.

(* Why3 goal *)
Definition set : Type.
Proof.
(* TODO find something more interesting. *)
apply bool.
Defined.

(* Why3 goal *)
Definition to_fset : set -> set.Fset.fset elt.
Proof.
(* TODO find something more interesting. *)
intros. exists (fun _ => false).
exists nil. intuition.
constructor. inversion H.
Defined.

(* Why3 goal *)
Definition choose : set -> elt.
Proof.
(* TODO find something more interesting. *)
intros. apply true.
Defined.

(* Why3 goal *)
Lemma choose'spec :
  forall (s:set), ~ set.Fset.is_empty (to_fset s) ->
  set.Fset.mem (choose s) (to_fset s).
Proof.
intros s h1.
destruct h1. unfold to_fset, Fset.is_empty, Fset.mem, set.Set.mem.
intuition.
Qed.

why3-1.6.0/lib/coq/set/SetImpInt.v000066400000000000000000000031771440160026300166020ustar00rootroot00000000000000(********************************************************************)
(*                                                                  *)
(*  The Why3 Verification Platform   /   The Why3 Development Team  *)
(*  Copyright 2010-2023 --  Inria - CNRS - Paris-Saclay University  *)
(*                                                                  *)
(*  This software is distributed under the terms of the GNU Lesser  *)
(*  General Public License version 2.1, with the special exception  *)
(*  on linking described in file LICENSE.                           *)
(*                                                                  *)
(********************************************************************)

(* This file is generated by Why3's Coq-realize driver *)
(* Beware! Only edit allowed sections below    *)
Require Import BuiltIn.
Require BuiltIn.
Require HighOrd.
Require int.Int.
Require set.Fset.
Require set.FsetInt.
Require set.SetImp.

(* Why3 goal *)
Definition set : Type.
Proof.
(* TODO find something more interesting. *)
apply bool.
Defined.

(* Why3 goal *)
Definition to_fset : set -> set.Fset.fset Numbers.BinNums.Z.
Proof.
(* TODO find something more interesting. *)
intros. exists (fun _ => false).
exists nil. intuition.
constructor. inversion H.
Defined.

(* Why3 goal *)
Definition choose : set -> Numbers.BinNums.Z.
Proof.
(* TODO find something more interesting. *)
intros. apply Z.zero.
Defined.

(* Why3 goal *)
Lemma choose'spec :
  forall (s:set), ~ set.Fset.is_empty (to_fset s) ->
  set.Fset.mem (choose s) (to_fset s).
Proof.
intros s h1.
destruct h1. unfold to_fset, Fset.is_empty, Fset.mem, set.Set.mem.
intuition.
Qed.

why3-1.6.0/lib/coq/version.in000066400000000000000000000000151440160026300157450ustar00rootroot00000000000000@COQVERSION@
why3-1.6.0/lib/isabelle/000077500000000000000000000000001440160026300147325ustar00rootroot00000000000000why3-1.6.0/lib/isabelle/ROOT.2019000066400000000000000000000002551440160026300160340ustar00rootroot00000000000000chapter Why3

session Why3 = "HOL-Word" +
  options [document = false]
  sessions
    "HOL-Library"
    "HOL-Decision_Procs"
    "HOL-Computational_Algebra"
  theories Why3
why3-1.6.0/lib/isabelle/ROOT.2021-1000066400000000000000000000002461440160026300161630ustar00rootroot00000000000000chapter Why3

session Why3 = HOL +
  options [document = false]
  sessions
    "HOL-Library"
    "HOL-Decision_Procs"
    "HOL-Computational_Algebra"
  theories Why3
why3-1.6.0/lib/isabelle/Tools/000077500000000000000000000000001440160026300160325ustar00rootroot00000000000000why3-1.6.0/lib/isabelle/Tools/use_server000077500000000000000000000026231440160026300201450ustar00rootroot00000000000000#!/usr/bin/env bash
#
# DESCRIPTION: Use Isabelle server when executing command


## diagnostics

PRG="$(basename "$0")"

function usage()
{
  echo
  echo "Usage: isabelle $PRG [OPTIONS] COMMAND"
  echo
  echo "  Options are:"
  echo "    -d           include session directory"
  echo "    -i           include session"
  echo "    -s           name of session (default Why3)"
  echo
  echo "Use Isabelle server when executing COMMAND."
  exit 1
}

function fail()
{
  echo "$1" >&2
  exit 2
}


## main

SESSION_DIRS=()
INCLUDE_SESSIONS=()
SESSION=Why3

while getopts "d:i:s:" OPT
do
  case "$OPT" in
    s)
      SESSION="$OPTARG"
      ;;
    d)
      SESSION_DIRS+=("-d" "$OPTARG")
      ;;
    i)
      INCLUDE_SESSIONS+=("-i" "$OPTARG")
      ;;
    \?)
      usage
      ;;
  esac
done

shift $(($OPTIND - 1))

SERVER=$("$ISABELLE_TOOL" server -s)

if [ $? -ne 0 ]
then
  exit 2
fi

TMP1=${SERVER##[^=]*= }
ISABELLE_ADDRESS=${TMP1%%:[^:]*}
TMP2=${TMP1##[^:]*:}
ISABELLE_PORT=${TMP2%% [^ ]*}
TMP3=${TMP2##[^ ]* (password \"}
ISABELLE_PASSWORD=${TMP3%%\"[^\"]*}

export ISABELLE_ADDRESS
export ISABELLE_PORT
export ISABELLE_PASSWORD

ISABELLE_SESSION_ID=$(isabelle_client "${SESSION_DIRS[@]}" "${INCLUDE_SESSIONS[@]}" -s "${SESSION}")

if [ $? -ne 0 ]
then
  fail "$ISABELLE_SESSION_ID"
fi

export ISABELLE_SESSION_ID

"$@"

RET1=$?

isabelle_client -x

RET2=$?

if [ $RET1 -ne 0 ]
then
  exit $RET1
else
  exit $RET2
fi
why3-1.6.0/lib/isabelle/Tools/why3000077500000000000000000000035421440160026300166560ustar00rootroot00000000000000#!/usr/bin/env bash
#
# DESCRIPTION: process files generated by Why3


## diagnostics

PRG="$(basename "$0")"

function usage()
{
  echo
  echo "Usage: isabelle $PRG [OPTIONS] WHY3_FILE"
  echo
  echo "  Options are:"
  echo "    -b           batch mode"
  echo "    -i           interactive mode"
  echo
  echo "Process files generated by Why3."
  exit 1
}

function fail()
{
  echo "$1" >&2
  exit 2
}


## utilities

function make_theory()
{
  BNAME=`basename "$1"`

  if [ ! -e "$1.thy" ]; then
    echo -e "theory $BNAME\nimports Why3.Why3\nbegin\n\nwhy3_open \"$BNAME.xml\"\n" > "$1.thy"
    sed \
      -e 's/]*>/why3_vc \1\n\n/g' \
      -e 's/<[^l][^>]*>//g' \
      "$1.xml" >> "$1.thy"
    echo -e "why3_end\n\nend" >> "$1.thy"
  fi
}


## process command line

while getopts "bi" OPT
do
  case "$OPT" in
    b)
      BATCH=true
      ;;
    i)
      INTERACTIVE=true
      ;;
    \?)
      usage
      ;;
  esac
done


## main

shift $(($OPTIND - 1))

[ "$#" != 1 ] && usage

NAME=`dirname "$1"`/`basename "$1" .xml`

if [ "$ISABELLE_WHY3_SESSION" ]; then
  SESSION="$ISABELLE_WHY3_SESSION"
else
  SESSION=Why3
fi

if [ "$ISABELLE_WHY3_SESSION_DIR" ]; then
  SESSION_DIR=("-d" "$ISABELLE_WHY3_SESSION_DIR")
else
  SESSION_DIR=()
fi

if [ "$BATCH" = true ]; then
  if [ "$ISABELLE_ADDRESS" ]; then
    isabelle_client -t "$NAME"
  else
    "$ISABELLE_TOOL" process "${SESSION_DIR[@]}" -l "$SESSION" -T "$NAME"
  fi
elif [ "$INTERACTIVE" = true ]; then
  make_theory "$NAME"
  if [ -f "$JEDIT_SETTINGS/$WHY3_JEDIT_SERVER" ]; then
    "$ISABELLE_TOOL" java -jar "$(platform_path "$JEDIT_HOME/dist/jedit.jar")" \
      "-settings=$(platform_path "$JEDIT_SETTINGS")" "-server=$WHY3_JEDIT_SERVER" \
      -reuseview -wait "$(platform_path "${NAME}.thy")"
  else
    "$ISABELLE_TOOL" jedit "${SESSION_DIR[@]}" -l "$SESSION" "${NAME}.thy"
  fi
else
  usage
fi
why3-1.6.0/lib/isabelle/Tools/why3_jedit000077500000000000000000000015171440160026300200350ustar00rootroot00000000000000#!/usr/bin/env bash
#
# DESCRIPTION: Isabelle/jEdit with Why3 session and server port


## diagnostics

PRG="$(basename "$0")"

function usage()
{
  echo
  echo "Usage: isabelle $PRG [ARGS...]"
  echo
  echo "Start Isabelle/jEdit with Why3 session and server port, for quick invocation"
  echo "via why3ide."
  exit 1
}

function fail()
{
  echo "$1" >&2
  exit 2
}


## main

SESSION=Why3
SESSION_DIR=()

while getopts "l:d:" OPT
do
  case "$OPT" in
    l)
      SESSION="$OPTARG"
      ;;
    d)
      SESSION_DIR=("-d" "$OPTARG")
      ;;
    \?)
      usage
      ;;
  esac
done

shift $(($OPTIND - 1))

SERVER_FILE="$JEDIT_SETTINGS/$WHY3_JEDIT_SERVER"

if [ -f "$SERVER_FILE" ]; then
  fail "Server already running: \"$SERVER_FILE\""
else
  exec "$ISABELLE_TOOL" jedit "-j-server=$WHY3_JEDIT_SERVER" "${SESSION_DIR[@]}" -l "$SESSION" "$@"
fi
why3-1.6.0/lib/isabelle/Why3.thy000066400000000000000000000002001440160026300163020ustar00rootroot00000000000000theory Why3
imports
  Why3_Map
  Why3_Set
  Why3_List
  Why3_Int
  Why3_Bool
  Why3_Number
(* Why3_BV *)
  Why3_Real
begin

end
why3-1.6.0/lib/isabelle/Why3_BV.thy.2019000066400000000000000000000736421440160026300173070ustar00rootroot00000000000000theory Why3_BV
imports
  Why3_Int
  "HOL-Word.Word"
begin

abbreviation (input) pow2 :: "int \ int"
where "pow2 i \ 2 ^ nat i"

why3_open "bv/Pow2int.xml"
  constants
    pow2=pow2

why3_vc Power_0 by simp

why3_vc Power_s using assms by (simp add: Power_s)

why3_vc Power_1 by simp

why3_vc Power_sum using assms by (simp add: Power_sum)

why3_vc pow2pos using assms by simp

why3_vc pow2_0 by simp
why3_vc pow2_1 by simp
why3_vc pow2_2 by simp
why3_vc pow2_3 by simp
why3_vc pow2_4 by simp
why3_vc pow2_5 by simp
why3_vc pow2_6 by simp
why3_vc pow2_7 by simp
why3_vc pow2_8 by simp
why3_vc pow2_9 by simp
why3_vc pow2_10 by simp
why3_vc pow2_11 by simp
why3_vc pow2_12 by simp
why3_vc pow2_13 by simp
why3_vc pow2_14 by simp
why3_vc pow2_15 by simp
why3_vc pow2_16 by simp
why3_vc pow2_17 by simp
why3_vc pow2_18 by simp
why3_vc pow2_19 by simp
why3_vc pow2_20 by simp
why3_vc pow2_21 by simp
why3_vc pow2_22 by simp
why3_vc pow2_23 by simp
why3_vc pow2_24 by simp
why3_vc pow2_25 by simp
why3_vc pow2_26 by simp
why3_vc pow2_27 by simp
why3_vc pow2_28 by simp
why3_vc pow2_29 by simp
why3_vc pow2_30 by simp
why3_vc pow2_31 by simp
why3_vc pow2_32 by simp
why3_vc pow2_33 by simp
why3_vc pow2_34 by simp
why3_vc pow2_35 by simp
why3_vc pow2_36 by simp
why3_vc pow2_37 by simp
why3_vc pow2_38 by simp
why3_vc pow2_39 by simp
why3_vc pow2_40 by simp
why3_vc pow2_41 by simp
why3_vc pow2_42 by simp
why3_vc pow2_43 by simp
why3_vc pow2_44 by simp
why3_vc pow2_45 by simp
why3_vc pow2_46 by simp
why3_vc pow2_47 by simp
why3_vc pow2_48 by simp
why3_vc pow2_49 by simp
why3_vc pow2_50 by simp
why3_vc pow2_51 by simp
why3_vc pow2_52 by simp
why3_vc pow2_53 by simp
why3_vc pow2_54 by simp
why3_vc pow2_55 by simp
why3_vc pow2_56 by simp
why3_vc pow2_57 by simp
why3_vc pow2_58 by simp
why3_vc pow2_59 by simp
why3_vc pow2_60 by simp
why3_vc pow2_61 by simp
why3_vc pow2_62 by simp
why3_vc pow2_63 by simp
why3_vc pow2_64 by simp

why3_end


lemma rotate1_nth:
  assumes "0 < length xs"
  shows "rotate1 xs ! (i mod length xs) = xs ! (Suc i mod length xs)"
proof (cases xs)
  case Nil
  with `0 < length xs` show ?thesis by simp
next
  case (Cons y ys)
  with mod_less_divisor [of "Suc (length ys)" i]
  show ?thesis
    by (auto simp add: nth_append mod_Suc simp del: mod_less_divisor)
qed

lemma rotl_nth:
  "word_rotl j w !! ((i + j) mod len_of TYPE('a)) = (w::'a::len word) !! (i mod len_of TYPE('a))"
proof (induct j arbitrary: w i)
  case 0
  show ?case by simp
next
  case (Suc n)
  from Suc [of "of_bl (rotate1 (to_bl w))" "Suc i"]
    rotate1_nth [of "to_bl w" "len_of TYPE('a) - Suc (Suc i mod len_of TYPE('a))"]
  show ?case
    by (simp add: word_rotl_def rotate1_rotate_swap word_bl.Abs_inverse
      rev_nth test_bit_bl word_size Suc_diff_Suc)
      (simp add: mod_Suc)
qed

lemma rotater1_rotater_swap: "rotater1 (rotater n xs) = rotater n (rotater1 xs)"
  by (simp add: rotater_def funpow_swap1)

lemma length_rotater1 [simp]: "length (rotater1 xs) = length xs"
  by (simp add: rotater1_def split: list.split)

lemma rotater1_nth:
  assumes "0 < length xs"
  shows "rotater1 xs ! (Suc i mod length xs) = xs ! (i mod length xs)"
proof (cases xs rule: rev_cases)
  case Nil
  with `0 < length xs` show ?thesis by simp
next
  case (snoc ys y)
  with mod_less_divisor [of "Suc (length ys)" i]
  show ?thesis
    by (auto simp add: rotate1_rl' nth_append mod_Suc simp del: mod_less_divisor)
qed

lemma rotr_nth:
  "word_rotr j w !! (i mod len_of TYPE('a)) = (w::'a::len word) !! ((i + j) mod len_of TYPE('a))"
proof (induct j arbitrary: w)
  case 0
  show ?case by simp
next
  case (Suc n)
  from Suc [of "of_bl (rotater1 (to_bl w))"]
    rotater1_nth [of "to_bl w" "len_of TYPE('a) - Suc (Suc (i + n) mod len_of TYPE('a))", symmetric]
  show ?case
    by (simp add: word_rotr_def rotater1_rotater_swap word_bl.Abs_inverse
      rev_nth test_bit_bl word_size Suc_diff_Suc)
      (simp add: mod_Suc)
qed

lemma uint_pow: "uint ((b::'a::len word) ^ n) = uint b ^ n mod 2 ^ len_of TYPE('a)"
  by (induct n) (simp_all add: mod_pos_pos_trivial uint_word_ariths mod_mult_right_eq)


lemma eq_sub_equiv_aux:
  "(\j. uint i \ j \ j < uint i + uint n \
      (0 \ j \ a !! nat j) = (0 \ j \ b !! nat j)) =
   (b AND (mask (unat n) << unat i) = a AND (mask (unat n) << unat i))"
  apply (simp add: word_eq_iff word_ops_nth_size word_size nth_shiftl)
  apply (rule iffI)
  apply (rule allI)
  apply (drule_tac x="int na" in spec)
  apply (auto simp add: uint_nat)[1]
  apply (rule allI)
  apply (drule_tac x="nat j" in spec)
  apply (auto simp add: uint_nat test_bit_bin)
  done


lemma int_minus_mod: "((i::int) - j) mod n = (i + (n - j mod n)) mod n"
proof -
  have "(i + (n - j mod n)) mod n = (i mod n + (n - j mod n) mod n) mod n"
    by (simp only: mod_add_eq)
  also have "(n - j mod n) mod n = (n mod n - j mod n) mod n"
    by simp
  finally show ?thesis by (simp add: pull_mods [symmetric])
qed

lemma nat_minus_mod:
  assumes "0 < (n::nat)"
  shows "((n - i mod n) + i) mod n = 0"
proof -
  have "((n - i mod n) + i) mod n = (i + (n - i mod n)) mod n"
    by (simp add: add_ac)
  also have "\ = (i mod n + (n - i mod n)) mod n"
    by (simp add: pull_mods [symmetric])
  also from assms have "\ = (n mod n + (i mod n - i mod n)) mod n"
    by (simp add: add_ac)
  finally show ?thesis by simp
qed

lemma nat_minus_mod':
  assumes "0 < (n::nat)"
  shows "(i + (n - j mod n) + j) mod n = i mod n"
proof -
  have "(i + (n - j mod n) + j) mod n = (i + ((n - j mod n) + j)) mod n"
    by (simp add: add_ac)
  also have "\ = (i mod n + ((n - j mod n) + j) mod n) mod n"
    by (simp add: pull_mods [symmetric])
  also note nat_minus_mod [OF assms]
  finally show ?thesis by simp
qed


definition bv_nth :: "'a::len0 word \ int \ bool"
where "bv_nth bv i \ 0 \ i \ bv !! nat i"

abbreviation (input) nth_bv :: "'a::len0 word \ 'a word \ bool"
where "nth_bv bv bv' \ bv !! unat bv'"

abbreviation (input) lsr :: "'a::len0 word \ int \ 'a word"
where "lsr v i \ v >> nat i"

abbreviation (input) lsr_bv :: "'a::len0 word \ 'a word \ 'a word"
where "lsr_bv v n \ v >> unat n"

abbreviation (input) asr :: "'a::len word \ int \ 'a word"
where "asr v i \ v >>> nat i"

abbreviation (input) asr_bv :: "'a::len word \ 'a word \ 'a word"
where "asr_bv v n \ v >>> unat n"

abbreviation (input) lsl :: "'a::len0 word \ int \ 'a word"
where "lsl v i \ v << nat i"

abbreviation (input) lsl_bv :: "'a::len0 word \ 'a word \ 'a word"
where "lsl_bv v n \ v << unat n"

abbreviation (input) rotate_left :: "'a::len0 word \ int \ 'a word"
where "rotate_left v n \ word_rotl (nat n) v"

abbreviation (input) rotate_right :: "'a::len0 word \ int \ 'a word"
where "rotate_right v n \ word_rotr (nat n) v"

abbreviation (input) rotate_left_bv :: "'a::len0 word \ 'a word \ 'a word"
where "rotate_left_bv v n \ word_rotl (unat n) v"

abbreviation (input) rotate_right_bv :: "'a::len0 word \ 'a word \ 'a word"
where "rotate_right_bv v n \ word_rotr (unat n) v"

definition eq_sub_bv :: "'a::len word \ 'a word \ 'a word \ 'a word \ bool" where
  eq_sub_bv_defn: "eq_sub_bv a b i n =
    (b AND (mask (unat n) << unat i) = a AND (mask (unat n) << unat i))"

definition size_bv :: "'a::len word" where
  "size_bv = of_nat LENGTH('a)"

definition is_signed_positive :: "'a::len word \ bool" where
  "is_signed_positive w = (0 \ sint w)"

lemma to_int_eq:
  "sint (x::'a::len word) =
   (if is_signed_positive x then uint x else - (2 ^ LENGTH('a) - uint x))"
proof (cases "0 \ sint x")
  case True
  note sint_lt [of x]
  also have "(2::int) ^ (LENGTH('a) - 1) < 2 ^ LENGTH('a)"
    by (rule power_strict_increasing) simp_all
  finally have "sint x < 2 ^ LENGTH('a)" .
  with True show ?thesis
    by (simp add: is_signed_positive_def uint_sint bintrunc_mod2p mod_pos_pos_trivial)
next
  case False
  from sint_ge [of x]
  have "- sint x \ 2 ^ (LENGTH('a) - 1)" by simp
  also have "(2::int) ^ (LENGTH('a) - 1) < 2 ^ LENGTH('a)"
    by (rule power_strict_increasing) simp_all
  finally have "- sint x < 2 ^ LENGTH('a)" .
  then have "- (2 ^ LENGTH('a)) < sint x" by simp
  moreover from False have "0 < - sint x" by simp
  ultimately have "- sint x = - sint x mod 2 ^ LENGTH('a)"
    by (simp add: mod_pos_pos_trivial)
  also have "sint x mod 2 ^ LENGTH('a) \ 0"
  proof
    assume "sint x mod 2 ^ LENGTH('a) = 0"
    then obtain y where y: "sint x = y * 2 ^ LENGTH('a)" by auto
    with False have "\ 0 \ y" by auto
    then have "y \ - 1" by simp
    then have "y * 2 ^ LENGTH('a) \ - 1 * 2 ^ LENGTH('a)"
      by (rule mult_right_mono) simp
    with y have "sint x \ - (2 ^ LENGTH('a))" by simp
    with \- (2 ^ LENGTH('a)) < sint x\ show False by simp
  qed
  then have "- sint x mod 2 ^ LENGTH('a) = 2 ^ LENGTH('a) - sint x mod 2 ^ LENGTH('a)"
    by (simp add: zmod_zminus1_eq_if)
  finally show ?thesis using False
    by (simp add: is_signed_positive_def uint_sint bintrunc_mod2p)
qed

type_synonym word8 = "8 word"

why3_open "bv/BV8.xml"
  constants
    zeros=zero_class.zero
    ones=max_word
    bw_and=bitAND
    bw_or=bitOR
    bw_xor=bitXOR
    bw_not=bitNOT
    add=plus
    sub=minus
    neg=uminus
    mul=times
    udiv=divide
    urem=modulo
    lsr=lsr
    asr=asr
    lsl=lsl
    lsr_bv=lsr_bv
    asr_bv=asr_bv
    lsl_bv=lsl_bv
    rotate_left=rotate_left
    rotate_right=rotate_right
    rotate_left_bv=rotate_left_bv
    rotate_right_bv=rotate_right_bv
    nth=bv_nth
    nth_bv=nth_bv
    tqtint=uint
    of_int=of_int
    eq_sub_bv=eq_sub_bv
    size_bv=size_bv
    one=one_class.one
    is_signed_positive=is_signed_positive
  types
    t=word8

why3_vc nth_out_of_bound
  using assms
  by (auto simp add: bv_nth_def test_bit_bin)

why3_vc Nth_zeros by (simp add: bv_nth_def)

why3_vc Nth_ones
  using assms
  by (simp add: bv_nth_def)

why3_vc Nth_bw_and
  using assms
  by (simp add: bv_nth_def word_ops_nth_size word_size)

why3_vc Nth_bw_or
  using assms
  by (simp add: bv_nth_def word_ops_nth_size word_size)

why3_vc Nth_bw_xor
  using assms
  by (simp add: bv_nth_def word_ops_nth_size word_size)

why3_vc Nth_bw_not
  using assms
  by (simp add: bv_nth_def word_ops_nth_size word_size)

why3_vc Lsr_nth_low
  using assms
  by (simp add: bv_nth_def nth_shiftr nat_add_distrib)

why3_vc Lsr_nth_high
  using assms
  by (simp add: bv_nth_def nth_shiftr)
    (simp add: test_bit_bin nat_add_distrib [symmetric] nat_less_iff)

why3_vc lsr_zeros by simp

why3_vc Asr_nth_low
  using assms
  by (simp add: bv_nth_def nth_sshiftr word_size)
    (simp add: nat_add_distrib [symmetric] le_nat_iff)

why3_vc Asr_nth_high
  using assms
  by (simp add: bv_nth_def nth_sshiftr word_size)
    (simp add: nat_add_distrib [symmetric] le_nat_iff nat_less_iff)

why3_vc asr_zeros by (simp add: sshiftr_def)

why3_vc Lsl_nth_high
  using assms
  by (simp add: bv_nth_def nth_shiftl nat_diff_distrib nat_less_iff nat_le_eq_zle)

why3_vc Lsl_nth_low
  using assms
  by (simp add: bv_nth_def nth_shiftl nat_le_eq_zle)

why3_vc lsl_zeros by simp

why3_vc to_uint_extensionality using assms by simp

why3_vc to_intqtdef by (simp add: to_int_eq)

why3_vc to_int_extensionality using assms by simp

why3_vc positive_is_ge_zeros
  by (simp add: is_signed_positive_def sge_def)

why3_vc to_uint_bounds
  using uint_lt [of v]
  by simp_all

why3_vc to_uint_of_int
  using assms
  by (simp add: uint_in_range_def word_of_int uint_word_of_int mod_pos_pos_trivial)

why3_vc nth_bv_def
  by (simp add: word_eq_iff word_ops_nth_size word_size nth_shiftr)

why3_vc Nth_bv_is_nth
  by (simp add: bv_nth_def unat_def)

why3_vc Nth_bv_is_nth2
  using assms
  by (simp add: bv_nth_def unat_def to_uint_of_int uint_in_range_def)

why3_vc to_uint_size_bv by (simp add: size_bv_def)

why3_vc to_uint_zeros by simp

why3_vc to_uint_one by simp

why3_vc to_uint_ones by (simp add: max_word_eq)

why3_vc to_uint_add
  by (simp add: uint_word_arith_bintrs bintrunc_mod2p emod_def)

why3_vc to_uint_add_bounded
  using assms
  by (simp add: uint_word_arith_bintrs bintrunc_mod2p mod_pos_pos_trivial)

why3_vc to_uint_sub
  by (simp add: uint_word_arith_bintrs bintrunc_mod2p emod_def)

why3_vc to_uint_sub_bounded
  using assms
  by (simp add: uint_word_arith_bintrs bintrunc_mod2p mod_pos_pos_trivial)

why3_vc to_uint_neg
  by (simp add: uint_word_arith_bintrs bintrunc_mod2p emod_def)

why3_vc to_uint_mul
  by (simp add: uint_word_arith_bintrs bintrunc_mod2p emod_def)

why3_vc to_uint_mul_bounded
  using assms
  by (simp add: uint_word_arith_bintrs bintrunc_mod2p mod_pos_pos_trivial)

why3_vc to_uint_udiv
  by (cases "uint v2 = 0")
    (simp_all add: uint_div ediv_def order.strict_iff_order)

why3_vc to_uint_urem
  by (simp add: uint_mod emod_def)

why3_vc Nth_rotate_left
  using assms rotl_nth [of "nat n" v "nat i + (size v - nat n mod size v)"]
  by (simp add: emod_def bv_nth_def word_size nat_minus_mod' int_minus_mod
    nat_mod_distrib nat_add_distrib nat_diff_distrib del: add_diff_assoc)

why3_vc Nth_rotate_right
  using assms rotr_nth [of "nat n" v "nat i"]
  by (simp add: emod_def bv_nth_def nat_mod_distrib nat_add_distrib)

why3_vc rotate_left_bv_is_rotate_left by (simp add: unat_def)

why3_vc rotate_right_bv_is_rotate_right by (simp add: unat_def)

why3_vc lsr_bv_is_lsr by (simp add: unat_def)

why3_vc to_uint_lsr
  by (simp add: ediv_def shiftr_div_2n unat_def)

why3_vc asr_bv_is_asr by (simp add: unat_def)

why3_vc lsl_bv_is_lsl by (simp add: unat_def)

why3_vc to_uint_lsl
  by (simp add: emod_def shiftl_t2n unat_def
    uint_word_ariths mult_ac uint_pow pull_mods [symmetric])

why3_vc Extensionality
  using assms
  by (simp add: eq_sub_def bv_nth_def word_eq_iff all_nat)

why3_vc eq_sub_equiv
  by (simp add: eq_sub_equiv_aux eq_sub_def eq_sub_bv_defn bv_nth_def)

why3_vc eq_sub_bv_def
  by (simp add: eq_sub_bv_defn mask_def)

why3_end


type_synonym word16 = "16 word"

why3_open "bv/BV16.xml"
  constants
    zeros=zero_class.zero
    ones=max_word
    bw_and=bitAND
    bw_or=bitOR
    bw_xor=bitXOR
    bw_not=bitNOT
    add=plus
    sub=minus
    neg=uminus
    mul=times
    udiv=divide
    urem=modulo
    lsr=lsr
    asr=asr
    lsl=lsl
    lsr_bv=lsr_bv
    asr_bv=asr_bv
    lsl_bv=lsl_bv
    rotate_left=rotate_left
    rotate_right=rotate_right
    rotate_left_bv=rotate_left_bv
    rotate_right_bv=rotate_right_bv
    nth=bv_nth
    nth_bv=nth_bv
    tqtint=uint
    of_int=of_int
    eq_sub_bv=eq_sub_bv
    size_bv=size_bv
    one=one_class.one
    is_signed_positive=is_signed_positive
  types
    t=word16

why3_vc nth_out_of_bound
  using assms
  by (auto simp add: bv_nth_def test_bit_bin)

why3_vc Nth_zeros by (simp add: bv_nth_def)

why3_vc Nth_ones
  using assms
  by (simp add: bv_nth_def)

why3_vc Nth_bw_and
  using assms
  by (simp add: bv_nth_def word_ops_nth_size word_size)

why3_vc Nth_bw_or
  using assms
  by (simp add: bv_nth_def word_ops_nth_size word_size)

why3_vc Nth_bw_xor
  using assms
  by (simp add: bv_nth_def word_ops_nth_size word_size)

why3_vc Nth_bw_not
  using assms
  by (simp add: bv_nth_def word_ops_nth_size word_size)

why3_vc Lsr_nth_low
  using assms
  by (simp add: bv_nth_def nth_shiftr nat_add_distrib)

why3_vc Lsr_nth_high
  using assms
  by (simp add: bv_nth_def nth_shiftr)
    (simp add: test_bit_bin nat_add_distrib [symmetric] nat_less_iff)

why3_vc lsr_zeros by simp

why3_vc Asr_nth_low
  using assms
  by (simp add: bv_nth_def nth_sshiftr word_size)
    (simp add: nat_add_distrib [symmetric] le_nat_iff)

why3_vc Asr_nth_high
  using assms
  by (simp add: bv_nth_def nth_sshiftr word_size)
    (simp add: nat_add_distrib [symmetric] le_nat_iff nat_less_iff)

why3_vc asr_zeros by (simp add: sshiftr_def)

why3_vc Lsl_nth_high
  using assms
  by (simp add: bv_nth_def nth_shiftl nat_diff_distrib nat_less_iff nat_le_eq_zle)

why3_vc Lsl_nth_low
  using assms
  by (simp add: bv_nth_def nth_shiftl nat_le_eq_zle)

why3_vc lsl_zeros by simp

why3_vc to_uint_extensionality using assms by simp

why3_vc to_intqtdef by (simp add: to_int_eq)

why3_vc to_int_extensionality using assms by simp

why3_vc positive_is_ge_zeros
  by (simp add: is_signed_positive_def sge_def)

why3_vc to_uint_bounds
  using uint_lt [of v]
  by simp_all

why3_vc to_uint_of_int
  using assms
  by (simp add: uint_in_range_def word_of_int uint_word_of_int mod_pos_pos_trivial)

why3_vc nth_bv_def
  by (simp add: word_eq_iff word_ops_nth_size word_size nth_shiftr)

why3_vc Nth_bv_is_nth
  by (simp add: bv_nth_def unat_def)

why3_vc Nth_bv_is_nth2
  using assms
  by (simp add: bv_nth_def unat_def to_uint_of_int uint_in_range_def)

why3_vc to_uint_size_bv by (simp add: size_bv_def)

why3_vc to_uint_zeros by simp

why3_vc to_uint_one by simp

why3_vc to_uint_ones by (simp add: max_word_eq)

why3_vc to_uint_add
  by (simp add: uint_word_arith_bintrs bintrunc_mod2p emod_def)

why3_vc to_uint_add_bounded
  using assms
  by (simp add: uint_word_arith_bintrs bintrunc_mod2p mod_pos_pos_trivial)

why3_vc to_uint_sub
  by (simp add: uint_word_arith_bintrs bintrunc_mod2p emod_def)

why3_vc to_uint_sub_bounded
  using assms
  by (simp add: uint_word_arith_bintrs bintrunc_mod2p mod_pos_pos_trivial)

why3_vc to_uint_neg
  by (simp add: uint_word_arith_bintrs bintrunc_mod2p emod_def)

why3_vc to_uint_mul
  by (simp add: uint_word_arith_bintrs bintrunc_mod2p emod_def)

why3_vc to_uint_mul_bounded
  using assms
  by (simp add: uint_word_arith_bintrs bintrunc_mod2p mod_pos_pos_trivial)

why3_vc to_uint_udiv
  by (cases "uint v2 = 0")
    (simp_all add: uint_div ediv_def order.strict_iff_order)

why3_vc to_uint_urem
  by (simp add: uint_mod emod_def)

why3_vc Nth_rotate_left
  using assms rotl_nth [of "nat n" v "nat i + (size v - nat n mod size v)"]
  by (simp add: emod_def bv_nth_def word_size nat_minus_mod' int_minus_mod
    nat_mod_distrib nat_add_distrib nat_diff_distrib del: add_diff_assoc)

why3_vc Nth_rotate_right
  using assms rotr_nth [of "nat n" v "nat i"]
  by (simp add: emod_def bv_nth_def nat_mod_distrib nat_add_distrib)

why3_vc rotate_left_bv_is_rotate_left by (simp add: unat_def)

why3_vc rotate_right_bv_is_rotate_right by (simp add: unat_def)

why3_vc lsr_bv_is_lsr by (simp add: unat_def)

why3_vc to_uint_lsr
  by (simp add: ediv_def shiftr_div_2n unat_def)

why3_vc asr_bv_is_asr by (simp add: unat_def)

why3_vc lsl_bv_is_lsl by (simp add: unat_def)

why3_vc to_uint_lsl
  by (simp add: emod_def shiftl_t2n unat_def
    uint_word_ariths mult_ac uint_pow pull_mods [symmetric])

why3_vc Extensionality
  using assms
  by (simp add: eq_sub_def bv_nth_def word_eq_iff all_nat)

why3_vc eq_sub_equiv
  by (simp add: eq_sub_equiv_aux eq_sub_def eq_sub_bv_defn bv_nth_def)

why3_vc eq_sub_bv_def
  by (simp add: eq_sub_bv_defn mask_def)

why3_end


type_synonym word32 = "32 word"

why3_open "bv/BV32.xml"
  constants
    zeros=zero_class.zero
    ones=max_word
    bw_and=bitAND
    bw_or=bitOR
    bw_xor=bitXOR
    bw_not=bitNOT
    add=plus
    sub=minus
    neg=uminus
    mul=times
    udiv=divide
    urem=modulo
    lsr=lsr
    asr=asr
    lsl=lsl
    lsr_bv=lsr_bv
    asr_bv=asr_bv
    lsl_bv=lsl_bv
    rotate_left=rotate_left
    rotate_right=rotate_right
    rotate_left_bv=rotate_left_bv
    rotate_right_bv=rotate_right_bv
    nth=bv_nth
    nth_bv=nth_bv
    tqtint=uint
    of_int=of_int
    eq_sub_bv=eq_sub_bv
    size_bv=size_bv
    one=one_class.one
    is_signed_positive=is_signed_positive
  types
    t=word32

why3_vc nth_out_of_bound
  using assms
  by (auto simp add: bv_nth_def test_bit_bin)

why3_vc Nth_zeros by (simp add: bv_nth_def)

why3_vc Nth_ones
  using assms
  by (simp add: bv_nth_def)

why3_vc Nth_bw_and
  using assms
  by (simp add: bv_nth_def word_ops_nth_size word_size)

why3_vc Nth_bw_or
  using assms
  by (simp add: bv_nth_def word_ops_nth_size word_size)

why3_vc Nth_bw_xor
  using assms
  by (simp add: bv_nth_def word_ops_nth_size word_size)

why3_vc Nth_bw_not
  using assms
  by (simp add: bv_nth_def word_ops_nth_size word_size)

why3_vc Lsr_nth_low
  using assms
  by (simp add: bv_nth_def nth_shiftr nat_add_distrib)

why3_vc Lsr_nth_high
  using assms
  by (simp add: bv_nth_def nth_shiftr)
    (simp add: test_bit_bin nat_add_distrib [symmetric] nat_less_iff)

why3_vc lsr_zeros by simp

why3_vc Asr_nth_low
  using assms
  by (simp add: bv_nth_def nth_sshiftr word_size)
    (simp add: nat_add_distrib [symmetric] le_nat_iff)

why3_vc Asr_nth_high
  using assms
  by (simp add: bv_nth_def nth_sshiftr word_size)
    (simp add: nat_add_distrib [symmetric] le_nat_iff nat_less_iff)

why3_vc asr_zeros by (simp add: sshiftr_def)

why3_vc Lsl_nth_high
  using assms
  by (simp add: bv_nth_def nth_shiftl nat_diff_distrib nat_less_iff nat_le_eq_zle)

why3_vc Lsl_nth_low
  using assms
  by (simp add: bv_nth_def nth_shiftl nat_le_eq_zle)

why3_vc lsl_zeros by simp

why3_vc to_uint_extensionality using assms by simp

why3_vc to_intqtdef by (simp add: to_int_eq)

why3_vc to_int_extensionality using assms by simp

why3_vc positive_is_ge_zeros
  by (simp add: is_signed_positive_def sge_def)

why3_vc to_uint_bounds
  using uint_lt [of v]
  by simp_all

why3_vc to_uint_of_int
  using assms
  by (simp add: uint_in_range_def word_of_int uint_word_of_int mod_pos_pos_trivial)

why3_vc nth_bv_def
  by (simp add: word_eq_iff word_ops_nth_size word_size nth_shiftr)

why3_vc Nth_bv_is_nth
  by (simp add: bv_nth_def unat_def)

why3_vc Nth_bv_is_nth2
  using assms
  by (simp add: bv_nth_def unat_def to_uint_of_int uint_in_range_def)

why3_vc to_uint_size_bv by (simp add: size_bv_def)

why3_vc to_uint_zeros by simp

why3_vc to_uint_one by simp

why3_vc to_uint_ones by (simp add: max_word_eq)

why3_vc to_uint_add
  by (simp add: uint_word_arith_bintrs bintrunc_mod2p emod_def)

why3_vc to_uint_add_bounded
  using assms
  by (simp add: uint_word_arith_bintrs bintrunc_mod2p mod_pos_pos_trivial)

why3_vc to_uint_sub
  by (simp add: uint_word_arith_bintrs bintrunc_mod2p emod_def)

why3_vc to_uint_sub_bounded
  using assms
  by (simp add: uint_word_arith_bintrs bintrunc_mod2p mod_pos_pos_trivial)

why3_vc to_uint_neg
  by (simp add: uint_word_arith_bintrs bintrunc_mod2p emod_def)

why3_vc to_uint_mul
  by (simp add: uint_word_arith_bintrs bintrunc_mod2p emod_def)

why3_vc to_uint_mul_bounded
  using assms
  by (simp add: uint_word_arith_bintrs bintrunc_mod2p mod_pos_pos_trivial)

why3_vc to_uint_udiv
  by (cases "uint v2 = 0")
    (simp_all add: uint_div ediv_def order.strict_iff_order)

why3_vc to_uint_urem
  by (simp add: uint_mod emod_def)

why3_vc Nth_rotate_left
  using assms rotl_nth [of "nat n" v "nat i + (size v - nat n mod size v)"]
  by (simp add: emod_def bv_nth_def word_size nat_minus_mod' int_minus_mod
    nat_mod_distrib nat_add_distrib nat_diff_distrib del: add_diff_assoc)

why3_vc Nth_rotate_right
  using assms rotr_nth [of "nat n" v "nat i"]
  by (simp add: emod_def bv_nth_def nat_mod_distrib nat_add_distrib)

why3_vc rotate_left_bv_is_rotate_left by (simp add: unat_def)

why3_vc rotate_right_bv_is_rotate_right by (simp add: unat_def)

why3_vc lsr_bv_is_lsr by (simp add: unat_def)

why3_vc to_uint_lsr
  by (simp add: ediv_def shiftr_div_2n unat_def)

why3_vc asr_bv_is_asr by (simp add: unat_def)

why3_vc lsl_bv_is_lsl by (simp add: unat_def)

why3_vc to_uint_lsl
  by (simp add: emod_def shiftl_t2n unat_def
    uint_word_ariths mult_ac uint_pow pull_mods [symmetric])

why3_vc Extensionality
  using assms
  by (simp add: eq_sub_def bv_nth_def word_eq_iff all_nat)

why3_vc eq_sub_equiv
  by (simp add: eq_sub_equiv_aux eq_sub_def eq_sub_bv_defn bv_nth_def)

why3_vc eq_sub_bv_def
  by (simp add: eq_sub_bv_defn mask_def)

why3_end


type_synonym word64 = "64 word"

why3_open "bv/BV64.xml"
  constants
    zeros=zero_class.zero
    ones=max_word
    bw_and=bitAND
    bw_or=bitOR
    bw_xor=bitXOR
    bw_not=bitNOT
    add=plus
    sub=minus
    neg=uminus
    mul=times
    udiv=divide
    urem=modulo
    lsr=lsr
    asr=asr
    lsl=lsl
    lsr_bv=lsr_bv
    asr_bv=asr_bv
    lsl_bv=lsl_bv
    rotate_left=rotate_left
    rotate_right=rotate_right
    rotate_left_bv=rotate_left_bv
    rotate_right_bv=rotate_right_bv
    nth=bv_nth
    nth_bv=nth_bv
    tqtint=uint
    of_int=of_int
    eq_sub_bv=eq_sub_bv
    size_bv=size_bv
    one=one_class.one
    is_signed_positive=is_signed_positive
  types
    t=word64

why3_vc nth_out_of_bound
  using assms
  by (auto simp add: bv_nth_def test_bit_bin)

why3_vc Nth_zeros by (simp add: bv_nth_def)

why3_vc Nth_ones
  using assms
  by (simp add: bv_nth_def)

why3_vc Nth_bw_and
  using assms
  by (simp add: bv_nth_def word_ops_nth_size word_size)

why3_vc Nth_bw_or
  using assms
  by (simp add: bv_nth_def word_ops_nth_size word_size)

why3_vc Nth_bw_xor
  using assms
  by (simp add: bv_nth_def word_ops_nth_size word_size)

why3_vc Nth_bw_not
  using assms
  by (simp add: bv_nth_def word_ops_nth_size word_size)

why3_vc Lsr_nth_low
  using assms
  by (simp add: bv_nth_def nth_shiftr nat_add_distrib)

why3_vc Lsr_nth_high
  using assms
  by (simp add: bv_nth_def nth_shiftr)
    (simp add: test_bit_bin nat_add_distrib [symmetric] nat_less_iff)

why3_vc lsr_zeros by simp

why3_vc Asr_nth_low
  using assms
  by (simp add: bv_nth_def nth_sshiftr word_size)
    (simp add: nat_add_distrib [symmetric] le_nat_iff)

why3_vc Asr_nth_high
  using assms
  by (simp add: bv_nth_def nth_sshiftr word_size)
    (simp add: nat_add_distrib [symmetric] le_nat_iff nat_less_iff)

why3_vc asr_zeros by (simp add: sshiftr_def)

why3_vc Lsl_nth_high
  using assms
  by (simp add: bv_nth_def nth_shiftl nat_diff_distrib nat_less_iff nat_le_eq_zle)

why3_vc Lsl_nth_low
  using assms
  by (simp add: bv_nth_def nth_shiftl nat_le_eq_zle)

why3_vc lsl_zeros by simp

why3_vc to_uint_extensionality using assms by simp

why3_vc to_intqtdef by (simp add: to_int_eq)

why3_vc to_int_extensionality using assms by simp

why3_vc positive_is_ge_zeros
  by (simp add: is_signed_positive_def sge_def)

why3_vc to_uint_bounds
  using uint_lt [of v]
  by simp_all

why3_vc to_uint_of_int
  using assms
  by (simp add: uint_in_range_def word_of_int uint_word_of_int mod_pos_pos_trivial)

why3_vc nth_bv_def
  by (simp add: word_eq_iff word_ops_nth_size word_size nth_shiftr)

why3_vc Nth_bv_is_nth
  by (simp add: bv_nth_def unat_def)

why3_vc Nth_bv_is_nth2
  using assms
  by (simp add: bv_nth_def unat_def to_uint_of_int uint_in_range_def)

why3_vc to_uint_size_bv by (simp add: size_bv_def)

why3_vc to_uint_zeros by simp

why3_vc to_uint_one by simp

why3_vc to_uint_ones by (simp add: max_word_eq)

why3_vc to_uint_add
  by (simp add: uint_word_arith_bintrs bintrunc_mod2p emod_def)

why3_vc to_uint_add_bounded
  using assms
  by (simp add: uint_word_arith_bintrs bintrunc_mod2p mod_pos_pos_trivial)

why3_vc to_uint_sub
  by (simp add: uint_word_arith_bintrs bintrunc_mod2p emod_def)

why3_vc to_uint_sub_bounded
  using assms
  by (simp add: uint_word_arith_bintrs bintrunc_mod2p mod_pos_pos_trivial)

why3_vc to_uint_neg
  by (simp add: uint_word_arith_bintrs bintrunc_mod2p emod_def)

why3_vc to_uint_mul
  by (simp add: uint_word_arith_bintrs bintrunc_mod2p emod_def)

why3_vc to_uint_mul_bounded
  using assms
  by (simp add: uint_word_arith_bintrs bintrunc_mod2p mod_pos_pos_trivial)

why3_vc to_uint_udiv
  by (cases "uint v2 = 0")
    (simp_all add: uint_div ediv_def order.strict_iff_order)

why3_vc to_uint_urem
  by (simp add: uint_mod emod_def)

why3_vc Nth_rotate_left
  using assms rotl_nth [of "nat n" v "nat i + (size v - nat n mod size v)"]
  by (simp add: emod_def bv_nth_def word_size nat_minus_mod' int_minus_mod
    nat_mod_distrib nat_add_distrib nat_diff_distrib del: add_diff_assoc)

why3_vc Nth_rotate_right
  using assms rotr_nth [of "nat n" v "nat i"]
  by (simp add: emod_def bv_nth_def nat_mod_distrib nat_add_distrib)

why3_vc rotate_left_bv_is_rotate_left by (simp add: unat_def)

why3_vc rotate_right_bv_is_rotate_right by (simp add: unat_def)

why3_vc lsr_bv_is_lsr by (simp add: unat_def)

why3_vc to_uint_lsr
  by (simp add: ediv_def shiftr_div_2n unat_def)

why3_vc asr_bv_is_asr by (simp add: unat_def)

why3_vc lsl_bv_is_lsl by (simp add: unat_def)

why3_vc to_uint_lsl
  by (simp add: emod_def shiftl_t2n unat_def
    uint_word_ariths mult_ac uint_pow pull_mods [symmetric])

why3_vc Extensionality
  using assms
  by (simp add: eq_sub_def bv_nth_def word_eq_iff all_nat)

why3_vc eq_sub_equiv
  by (simp add: eq_sub_equiv_aux eq_sub_def eq_sub_bv_defn bv_nth_def)

why3_vc eq_sub_bv_def
  by (simp add: eq_sub_bv_defn mask_def)

why3_end


why3_open "bv/BVConverter_32_64.xml"
  constants
    toBig = ucast
    toSmall = ucast

why3_vc toSmall_to_uint
  using assms
  by (simp add: BV64.ule_def ucast_def uint_word_of_int mod_pos_pos_trivial)

why3_vc toBig_to_uint
  by (simp add: uint_up_ucast is_up)

why3_end


why3_open "bv/BVConverter_16_64.xml"
  constants
    toBig = ucast
    toSmall = ucast

why3_vc toSmall_to_uint
  using assms
  by (simp add: BV64.ule_def ucast_def uint_word_of_int mod_pos_pos_trivial)

why3_vc toBig_to_uint
  by (simp add: uint_up_ucast is_up)

why3_end


why3_open "bv/BVConverter_8_64.xml"
  constants
    toBig = ucast
    toSmall = ucast

why3_vc toSmall_to_uint
  using assms
  by (simp add: BV64.ule_def ucast_def uint_word_of_int mod_pos_pos_trivial)

why3_vc toBig_to_uint
  by (simp add: uint_up_ucast is_up)

why3_end


why3_open "bv/BVConverter_16_32.xml"
  constants
    toBig = ucast
    toSmall = ucast

why3_vc toSmall_to_uint
  using assms
  by (simp add: BV32.ule_def ucast_def uint_word_of_int mod_pos_pos_trivial)

why3_vc toBig_to_uint
  by (simp add: uint_up_ucast is_up)

why3_end


why3_open "bv/BVConverter_8_32.xml"
  constants
    toBig = ucast
    toSmall = ucast

why3_vc toSmall_to_uint
  using assms
  by (simp add: BV32.ule_def ucast_def uint_word_of_int mod_pos_pos_trivial)

why3_vc toBig_to_uint
  by (simp add: uint_up_ucast is_up)

why3_end


why3_open "bv/BVConverter_8_16.xml"
  constants
    toBig = ucast
    toSmall = ucast

why3_vc toSmall_to_uint
  using assms
  by (simp add: BV16.ule_def ucast_def uint_word_of_int mod_pos_pos_trivial)

why3_vc toBig_to_uint
  by (simp add: uint_up_ucast is_up)

why3_end

endwhy3-1.6.0/lib/isabelle/Why3_BV.thy.2021-1000066400000000000000000000725711440160026300174360ustar00rootroot00000000000000theory Why3_BV
imports
  Why3_Int
  "HOL-Library.Word"
begin

abbreviation (input) pow2 :: "int \ int"
where "pow2 i \ 2 ^ nat i"

why3_open "bv/Pow2int.xml"
  constants
    pow2=pow2

why3_vc Power_0 by simp

why3_vc Power_s using assms by (simp add: Power_s)

why3_vc Power_1 by simp

why3_vc Power_sum using assms by (simp add: Power_sum)

why3_vc pow2pos using assms by simp

why3_vc pow2_0 by simp
why3_vc pow2_1 by simp
why3_vc pow2_2 by simp
why3_vc pow2_3 by simp
why3_vc pow2_4 by simp
why3_vc pow2_5 by simp
why3_vc pow2_6 by simp
why3_vc pow2_7 by simp
why3_vc pow2_8 by simp
why3_vc pow2_9 by simp
why3_vc pow2_10 by simp
why3_vc pow2_11 by simp
why3_vc pow2_12 by simp
why3_vc pow2_13 by simp
why3_vc pow2_14 by simp
why3_vc pow2_15 by simp
why3_vc pow2_16 by simp
why3_vc pow2_17 by simp
why3_vc pow2_18 by simp
why3_vc pow2_19 by simp
why3_vc pow2_20 by simp
why3_vc pow2_21 by simp
why3_vc pow2_22 by simp
why3_vc pow2_23 by simp
why3_vc pow2_24 by simp
why3_vc pow2_25 by simp
why3_vc pow2_26 by simp
why3_vc pow2_27 by simp
why3_vc pow2_28 by simp
why3_vc pow2_29 by simp
why3_vc pow2_30 by simp
why3_vc pow2_31 by simp
why3_vc pow2_32 by simp
why3_vc pow2_33 by simp
why3_vc pow2_34 by simp
why3_vc pow2_35 by simp
why3_vc pow2_36 by simp
why3_vc pow2_37 by simp
why3_vc pow2_38 by simp
why3_vc pow2_39 by simp
why3_vc pow2_40 by simp
why3_vc pow2_41 by simp
why3_vc pow2_42 by simp
why3_vc pow2_43 by simp
why3_vc pow2_44 by simp
why3_vc pow2_45 by simp
why3_vc pow2_46 by simp
why3_vc pow2_47 by simp
why3_vc pow2_48 by simp
why3_vc pow2_49 by simp
why3_vc pow2_50 by simp
why3_vc pow2_51 by simp
why3_vc pow2_52 by simp
why3_vc pow2_53 by simp
why3_vc pow2_54 by simp
why3_vc pow2_55 by simp
why3_vc pow2_56 by simp
why3_vc pow2_57 by simp
why3_vc pow2_58 by simp
why3_vc pow2_59 by simp
why3_vc pow2_60 by simp
why3_vc pow2_61 by simp
why3_vc pow2_62 by simp
why3_vc pow2_63 by simp
why3_vc pow2_64 by simp

why3_end


lemma rotate1_nth:
  assumes "0 < length xs"
  shows "rotate1 xs ! (i mod length xs) = xs ! (Suc i mod length xs)"
proof (cases xs)
  case Nil
  with `0 < length xs` show ?thesis by simp
next
  case (Cons y ys)
  with mod_less_divisor [of "Suc (length ys)" i]
  show ?thesis
    by (auto simp add: nth_append mod_Suc simp del: mod_less_divisor)
qed

lemma word_rotl_0: "word_rotl 0 w = w"
  by transfer simp

lemma word_rotr_0: "word_rotr 0 w = w"
  by transfer simp

lemma rotl_nth:
  "bit (word_rotl j w) (((i + j) mod len_of TYPE('a))) = bit (w::'a::len word) (i mod len_of TYPE('a))"
proof -
  have "bit (word_rotl j w) (((i + j) mod len_of TYPE('a))) =
    bit (word_roti (- int j) w) (((i + j) mod len_of TYPE('a)))"
    by (simp add: word_rotl_0 word_rotr_0)
  then show ?thesis
    apply (simp only: bit_word_roti_iff)
    apply (simp add: zmod_int mod_diff_left_eq)
    apply (simp add: zmod_int [symmetric])
    done
qed

lemma rotr_nth:
  "bit (word_rotr j w) (i mod len_of TYPE('a)) = bit (w::'a::len word) ((i + j) mod len_of TYPE('a))"
  by (simp add: bit_word_rotr_iff mod_add_left_eq)

lemma uint_pow: "uint ((b::'a::len word) ^ n) = uint b ^ n mod 2 ^ len_of TYPE('a)"
  by (induct n) (simp_all add: uint_word_ariths mod_mult_right_eq)

context
  includes bit_operations_syntax
begin

lemma eq_sub_equiv_aux:
  "(\j. uint i \ j \ j < uint i + uint n \
      (0 \ j \ bit a (nat j)) = (0 \ j \ bit b (nat j))) =
   ((b::('a::len) word) AND (push_bit (unat i) (mask (unat n))) = a AND (push_bit (unat i) (mask (unat n))))"
  apply (simp add: bit_eq_iff bit_and_iff bit_push_bit_iff)
  apply (rule iffI)
  apply (rule allI)
  apply (drule_tac x="int na" in spec)
  apply (auto simp add: uint_nat bit_mask_iff simp del: of_nat_unat)[1]
  apply (rule allI)
  apply (drule_tac x="nat j" in spec)
  apply (auto simp add: uint_nat bit_mask_iff simp del: of_nat_unat dest: bit_imp_le_length)
  done

end

lemma int_minus_mod: "((i::int) - j) mod n = (i + (n - j mod n)) mod n"
proof -
  have "(i + (n - j mod n)) mod n = (i mod n + (n - j mod n) mod n) mod n"
    by (simp only: mod_add_eq)
  also have "(n - j mod n) mod n = (n mod n - j mod n) mod n"
    by simp
  finally show ?thesis by (simp add: mod_minus_eq mod_add_eq)
qed

lemma nat_minus_mod:
  assumes "0 < (n::nat)"
  shows "((n - i mod n) + i) mod n = 0"
proof -
  have "((n - i mod n) + i) mod n = (i + (n - i mod n)) mod n"
    by (simp add: add_ac)
  also have "\ = (i mod n + (n - i mod n)) mod n"
    by (simp add: mod_add_left_eq)
  also from assms have "\ = (n mod n + (i mod n - i mod n)) mod n"
    by (simp add: add_ac)
  finally show ?thesis by simp
qed

lemma nat_minus_mod':
  assumes "0 < (n::nat)"
  shows "(i + (n - j mod n) + j) mod n = i mod n"
proof -
  have "(i + (n - j mod n) + j) mod n = (i + ((n - j mod n) + j)) mod n"
    by (simp add: add_ac)
  also have "\ = (i mod n + ((n - j mod n) + j) mod n) mod n"
    by (simp add: mod_add_left_eq mod_add_right_eq)
  also note nat_minus_mod [OF assms]
  finally show ?thesis by simp
qed


definition bv_nth :: "'a::len word \ int \ bool"
where "bv_nth bv i \ 0 \ i \ bit bv (nat i)"

abbreviation (input) nth_bv :: "'a::len word \ 'a word \ bool"
where "nth_bv bv bv' \ bit bv (unat bv')"

abbreviation (input) lsr :: "'a::len word \ int \ 'a word"
where "lsr v i \ drop_bit (nat i) v"

abbreviation (input) lsr_bv :: "'a::len word \ 'a word \ 'a word"
where "lsr_bv v n \ drop_bit (unat n) v"

abbreviation (input) asr :: "'a::len word \ int \ 'a word"
where "asr v i \ signed_drop_bit (nat i) v"

abbreviation (input) asr_bv :: "'a::len word \ 'a word \ 'a word"
where "asr_bv v n \ signed_drop_bit (unat n) v"

abbreviation (input) lsl :: "'a::len word \ int \ 'a word"
where "lsl v i \ push_bit (nat i) v"

abbreviation (input) lsl_bv :: "'a::len word \ 'a word \ 'a word"
where "lsl_bv v n \ push_bit (unat n) v"

abbreviation (input) rotate_left :: "'a::len word \ int \ 'a word"
where "rotate_left v n \ word_rotl (nat n) v"

abbreviation (input) rotate_right :: "'a::len word \ int \ 'a word"
where "rotate_right v n \ word_rotr (nat n) v"

abbreviation (input) rotate_left_bv :: "'a::len word \ 'a word \ 'a word"
where "rotate_left_bv v n \ word_rotl (unat n) v"

abbreviation (input) rotate_right_bv :: "'a::len word \ 'a word \ 'a word"
where "rotate_right_bv v n \ word_rotr (unat n) v"

context
  includes bit_operations_syntax
begin

definition eq_sub_bv :: "'a::len word \ 'a word \ 'a word \ 'a word \ bool" where
  eq_sub_bv_defn: "eq_sub_bv a b i n =
    (b AND (push_bit (unat i) (mask (unat n))) = a AND (push_bit (unat i) (mask (unat n))))"

end

definition size_bv :: "'a::len word" where
  "size_bv = of_nat LENGTH('a)"

definition is_signed_positive :: "'a::len word \ bool" where
  "is_signed_positive w = (0 \ sint w)"

lemma to_int_eq:
  "sint (x::'a::len word) =
   (if is_signed_positive x then uint x else - (2 ^ LENGTH('a) - uint x))"
proof (cases "0 \ sint x")
  case True
  note sint_lt [of x]
  also have "(2::int) ^ (LENGTH('a) - 1) < 2 ^ LENGTH('a)"
    by (rule power_strict_increasing) simp_all
  finally have "sint x < 2 ^ LENGTH('a)" .
  with True show ?thesis
    by (simp add: is_signed_positive_def uint_sint take_bit_eq_mod)
next
  case False
  from sint_ge [of x]
  have "- sint x \ 2 ^ (LENGTH('a) - 1)" by simp
  also have "(2::int) ^ (LENGTH('a) - 1) < 2 ^ LENGTH('a)"
    by (rule power_strict_increasing) simp_all
  finally have "- sint x < 2 ^ LENGTH('a)" .
  then have "- (2 ^ LENGTH('a)) < sint x" by simp
  moreover from False have "0 < - sint x" by simp
  ultimately have "- sint x = - sint x mod 2 ^ LENGTH('a)"
    by simp
  also have "sint x mod 2 ^ LENGTH('a) \ 0"
  proof
    assume "sint x mod 2 ^ LENGTH('a) = 0"
    then obtain y where y: "sint x = y * 2 ^ LENGTH('a)" by auto
    with False have "\ 0 \ y" by auto
    then have "y \ - 1" by simp
    then have "y * 2 ^ LENGTH('a) \ - 1 * 2 ^ LENGTH('a)"
      by (rule mult_right_mono) simp
    with y have "sint x \ - (2 ^ LENGTH('a))" by simp
    with \- (2 ^ LENGTH('a)) < sint x\ show False by simp
  qed
  then have "- sint x mod 2 ^ LENGTH('a) = 2 ^ LENGTH('a) - sint x mod 2 ^ LENGTH('a)"
    by (simp add: zmod_zminus1_eq_if)
  finally show ?thesis using False
    by (simp add: is_signed_positive_def uint_sint take_bit_eq_mod)
qed

lemma shiftr_div_2n: "uint (drop_bit n v) = uint v div 2 ^ n"
  apply (auto simp add: uint_div_distrib uint_pow exp_mod_exp drop_bit_eq_div)
  apply (rule div_pos_pos_trivial)
  apply simp
  apply (rule less_le_trans)
  apply (rule uint_bounded)
  apply simp
  apply (rule div_pos_pos_trivial)
  apply simp
  apply (rule less_le_trans)
  apply (rule uint_bounded)
  apply (rule power_increasing)
  apply simp_all
  done

lemma shiftl_aux: "uint (push_bit n (v::'a word)) = (uint v * 2 ^ n) mod 2 ^ LENGTH('a::len)"
  by (auto simp add: uint_word_ariths uint_pow mod_mult_right_eq push_bit_eq_mult)
    (simp add:
       mod_mult_eq [of "uint v", symmetric]
       power_mod [of 2 2 n, symmetric]
       power_mult_distrib [symmetric])

type_synonym word8 = "8 word"

abbreviation (input) max_word :: "'a::len word"
where "max_word \ - 1"

why3_open "bv/BV8.xml"
  constants
    zeros=zero_class.zero
    ones=max_word
    bw_and="and"
    bw_or=or
    bw_xor=xor
    bw_not=not
    add=plus
    sub=minus
    neg=uminus
    mul=times
    udiv=divide
    urem=modulo
    lsr=lsr
    asr=asr
    lsl=lsl
    lsr_bv=lsr_bv
    asr_bv=asr_bv
    lsl_bv=lsl_bv
    rotate_left=rotate_left
    rotate_right=rotate_right
    rotate_left_bv=rotate_left_bv
    rotate_right_bv=rotate_right_bv
    nth=bv_nth
    nth_bv=nth_bv
    tqtint=uint
    of_int=of_int
    eq_sub_bv=eq_sub_bv
    size_bv=size_bv
    one=one_class.one
    is_signed_positive=is_signed_positive
  types
    t=word8

why3_vc nth_out_of_bound
  using assms
  by (auto simp add: bv_nth_def dest: bit_imp_le_length)

why3_vc Nth_zeros by (simp add: bv_nth_def)

why3_vc Nth_ones
  using assms
  by (simp add: bv_nth_def)

why3_vc Nth_bw_and
  using assms
  by (simp add: bv_nth_def bit_and_iff)

why3_vc Nth_bw_or
  using assms
  by (simp add: bv_nth_def bit_or_iff)

why3_vc Nth_bw_xor
  using assms
  by (simp add: bv_nth_def bit_xor_iff)

why3_vc Nth_bw_not
  using assms
  by (simp add: bv_nth_def bit_not_iff nat_less_iff)

why3_vc Lsr_nth_low
  using assms
  by (simp add: bv_nth_def bit_drop_bit_eq nat_add_distrib add_ac)

why3_vc Lsr_nth_high
  using assms
  by (simp add: bv_nth_def bit_drop_bit_eq)
    (simp add: bit_word.rep_eq nat_add_distrib [symmetric] nat_less_iff)

why3_vc lsr_zeros by simp

why3_vc Asr_nth_low
  using assms
  by (simp add: bv_nth_def bit_signed_drop_bit_iff)
    (auto simp add: nat_add_distrib [symmetric] add_ac)

why3_vc Asr_nth_high
  using assms
  by (simp add: bv_nth_def bit_signed_drop_bit_iff)
    (auto simp add: nat_add_distrib [symmetric])

why3_vc asr_zeros by (simp add: bit_signed_drop_bit_iff)

why3_vc Lsl_nth_high
  using assms
  by (simp add: bv_nth_def bit_push_bit_iff nat_diff_distrib nat_less_iff nat_le_eq_zle)

why3_vc Lsl_nth_low
  using assms
  by (simp add: bv_nth_def bit_push_bit_iff nat_le_eq_zle)

why3_vc lsl_zeros by simp

why3_vc to_uint_extensionality using assms by (simp add: word_uint_eq_iff)

why3_vc to_intqtdef by (simp add: to_int_eq)

why3_vc to_int_extensionality using assms by (simp add: signed_word_eqI)

why3_vc positive_is_ge_zeros
  by (simp add: is_signed_positive_def sge_def)

why3_vc to_uint_bounds
  using uint_ge_0 [of v] uint_bounded [of v]
  by simp_all

why3_vc to_uint_of_int
  using assms
  by (simp add: uint_in_range_def uint_word_of_int)

why3_vc nth_bv_def
  by (simp add: bit_eq_iff bit_and_iff)
    (simp add: bit_1_iff bit_drop_bit_eq del: bit_0)

why3_vc Nth_bv_is_nth
  by (simp add: bv_nth_def)

why3_vc Nth_bv_is_nth2
  using assms
  by (simp add: bv_nth_def unat_eq_nat_uint to_uint_of_int uint_in_range_def)

why3_vc to_uint_size_bv by (simp add: size_bv_def)

why3_vc to_uint_zeros by simp

why3_vc to_uint_one by simp

why3_vc to_uint_ones by (simp add: uint_word_ariths)

why3_vc to_uint_add
  by (simp add: uint_word_arith_bintrs take_bit_eq_mod emod_def)

why3_vc to_uint_add_bounded
  using assms
  by (simp add: uint_word_arith_bintrs take_bit_eq_mod)

why3_vc to_uint_sub
  by (simp add: uint_word_arith_bintrs take_bit_eq_mod emod_def)

why3_vc to_uint_sub_bounded
  using assms
  by (simp add: uint_word_arith_bintrs take_bit_eq_mod)

why3_vc to_uint_neg
  by (simp add: uint_word_arith_bintrs take_bit_eq_mod emod_def)

why3_vc to_uint_mul
  by (simp add: uint_word_arith_bintrs take_bit_eq_mod emod_def)

why3_vc to_uint_mul_bounded
  using assms
  by (simp add: uint_word_arith_bintrs take_bit_eq_mod)

why3_vc to_uint_udiv
  by (cases "uint v2 = 0")
    (auto simp add: uint_div ediv_def)

why3_vc to_uint_urem
  by (simp add: uint_mod emod_def)

why3_vc Nth_rotate_left
  using assms rotl_nth [of "nat n" v "nat i + (size v - nat n mod size v)"]
  by (simp add: emod_def bv_nth_def word_size nat_minus_mod' int_minus_mod
    nat_mod_distrib nat_add_distrib nat_diff_distrib del: add_diff_assoc)

why3_vc Nth_rotate_right
  using assms rotr_nth [of "nat n" v "nat i"]
  by (simp add: emod_def bv_nth_def nat_mod_distrib nat_add_distrib)

why3_vc rotate_left_bv_is_rotate_left by simp

why3_vc rotate_right_bv_is_rotate_right by simp

why3_vc lsr_bv_is_lsr by simp

why3_vc to_uint_lsr
  by (simp add: ediv_def shiftr_div_2n)

why3_vc asr_bv_is_asr by simp

why3_vc lsl_bv_is_lsl by simp

why3_vc to_uint_lsl
  by (simp add: emod_def shiftl_aux)

why3_vc Extensionality
  using assms
  by (simp add: eq_sub_def bv_nth_def bit_eq_iff all_nat)

why3_vc eq_sub_equiv
  by (simp add: eq_sub_equiv_aux eq_sub_def eq_sub_bv_defn bv_nth_def)

why3_vc eq_sub_bv_def
  by (simp add: eq_sub_bv_defn mask_eq_exp_minus_1)

why3_end


type_synonym word16 = "16 word"

why3_open "bv/BV16.xml"
  constants
    zeros=zero_class.zero
    ones=max_word
    bw_and="and"
    bw_or=or
    bw_xor=xor
    bw_not=not
    add=plus
    sub=minus
    neg=uminus
    mul=times
    udiv=divide
    urem=modulo
    lsr=lsr
    asr=asr
    lsl=lsl
    lsr_bv=lsr_bv
    asr_bv=asr_bv
    lsl_bv=lsl_bv
    rotate_left=rotate_left
    rotate_right=rotate_right
    rotate_left_bv=rotate_left_bv
    rotate_right_bv=rotate_right_bv
    nth=bv_nth
    nth_bv=nth_bv
    tqtint=uint
    of_int=of_int
    eq_sub_bv=eq_sub_bv
    size_bv=size_bv
    one=one_class.one
    is_signed_positive=is_signed_positive
  types
    t=word16

why3_vc nth_out_of_bound
  using assms
  by (auto simp add: bv_nth_def dest: bit_imp_le_length)

why3_vc Nth_zeros by (simp add: bv_nth_def)

why3_vc Nth_ones
  using assms
  by (simp add: bv_nth_def)

why3_vc Nth_bw_and
  using assms
  by (simp add: bv_nth_def bit_and_iff)

why3_vc Nth_bw_or
  using assms
  by (simp add: bv_nth_def bit_or_iff)

why3_vc Nth_bw_xor
  using assms
  by (simp add: bv_nth_def bit_xor_iff)

why3_vc Nth_bw_not
  using assms
  by (simp add: bv_nth_def bit_not_iff nat_less_iff)

why3_vc Lsr_nth_low
  using assms
  by (simp add: bv_nth_def bit_drop_bit_eq nat_add_distrib add_ac)

why3_vc Lsr_nth_high
  using assms
  by (simp add: bv_nth_def bit_drop_bit_eq)
    (simp add: bit_word.rep_eq nat_add_distrib [symmetric] nat_less_iff)

why3_vc lsr_zeros by simp

why3_vc Asr_nth_low
  using assms
  by (simp add: bv_nth_def bit_signed_drop_bit_iff)
    (auto simp add: nat_add_distrib [symmetric] add_ac)

why3_vc Asr_nth_high
  using assms
  by (simp add: bv_nth_def bit_signed_drop_bit_iff)
    (auto simp add: nat_add_distrib [symmetric])

why3_vc asr_zeros by (simp add: bit_signed_drop_bit_iff)

why3_vc Lsl_nth_high
  using assms
  by (simp add: bv_nth_def bit_push_bit_iff nat_diff_distrib nat_less_iff nat_le_eq_zle)

why3_vc Lsl_nth_low
  using assms
  by (simp add: bv_nth_def bit_push_bit_iff nat_le_eq_zle)

why3_vc lsl_zeros by simp

why3_vc to_uint_extensionality using assms by (simp add: word_uint_eq_iff)

why3_vc to_intqtdef by (simp add: to_int_eq)

why3_vc to_int_extensionality using assms by (simp add: signed_word_eqI)

why3_vc positive_is_ge_zeros
  by (simp add: is_signed_positive_def sge_def)

why3_vc to_uint_bounds
  using uint_ge_0 [of v] uint_bounded [of v]
  by simp_all

why3_vc to_uint_of_int
  using assms
  by (simp add: uint_in_range_def uint_word_of_int)

why3_vc nth_bv_def
  by (simp add: bit_eq_iff bit_and_iff)
    (simp add: bit_1_iff bit_drop_bit_eq del: bit_0)

why3_vc Nth_bv_is_nth
  by (simp add: bv_nth_def)

why3_vc Nth_bv_is_nth2
  using assms
  by (simp add: bv_nth_def unat_eq_nat_uint to_uint_of_int uint_in_range_def)

why3_vc to_uint_size_bv by (simp add: size_bv_def)

why3_vc to_uint_zeros by simp

why3_vc to_uint_one by simp

why3_vc to_uint_ones by (simp add: uint_word_ariths)

why3_vc to_uint_add
  by (simp add: uint_word_arith_bintrs take_bit_eq_mod emod_def)

why3_vc to_uint_add_bounded
  using assms
  by (simp add: uint_word_arith_bintrs take_bit_eq_mod)

why3_vc to_uint_sub
  by (simp add: uint_word_arith_bintrs take_bit_eq_mod emod_def)

why3_vc to_uint_sub_bounded
  using assms
  by (simp add: uint_word_arith_bintrs take_bit_eq_mod)

why3_vc to_uint_neg
  by (simp add: uint_word_arith_bintrs take_bit_eq_mod emod_def)

why3_vc to_uint_mul
  by (simp add: uint_word_arith_bintrs take_bit_eq_mod emod_def)

why3_vc to_uint_mul_bounded
  using assms
  by (simp add: uint_word_arith_bintrs take_bit_eq_mod)

why3_vc to_uint_udiv
  by (cases "uint v2 = 0")
    (auto simp add: uint_div ediv_def)

why3_vc to_uint_urem
  by (simp add: uint_mod emod_def)

why3_vc Nth_rotate_left
  using assms rotl_nth [of "nat n" v "nat i + (size v - nat n mod size v)"]
  by (simp add: emod_def bv_nth_def word_size nat_minus_mod' int_minus_mod
    nat_mod_distrib nat_add_distrib nat_diff_distrib del: add_diff_assoc)

why3_vc Nth_rotate_right
  using assms rotr_nth [of "nat n" v "nat i"]
  by (simp add: emod_def bv_nth_def nat_mod_distrib nat_add_distrib)

why3_vc rotate_left_bv_is_rotate_left by simp

why3_vc rotate_right_bv_is_rotate_right by simp

why3_vc lsr_bv_is_lsr by simp

why3_vc to_uint_lsr
  by (simp add: ediv_def shiftr_div_2n)

why3_vc asr_bv_is_asr by simp

why3_vc lsl_bv_is_lsl by simp

why3_vc to_uint_lsl
  by (simp add: emod_def shiftl_aux)

why3_vc Extensionality
  using assms
  by (simp add: eq_sub_def bv_nth_def bit_eq_iff all_nat)

why3_vc eq_sub_equiv
  by (simp add: eq_sub_equiv_aux eq_sub_def eq_sub_bv_defn bv_nth_def)

why3_vc eq_sub_bv_def
  by (simp add: eq_sub_bv_defn mask_eq_exp_minus_1)

why3_end


type_synonym word32 = "32 word"

why3_open "bv/BV32.xml"
  constants
    zeros=zero_class.zero
    ones=max_word
    bw_and="and"
    bw_or=or
    bw_xor=xor
    bw_not=not
    add=plus
    sub=minus
    neg=uminus
    mul=times
    udiv=divide
    urem=modulo
    lsr=lsr
    asr=asr
    lsl=lsl
    lsr_bv=lsr_bv
    asr_bv=asr_bv
    lsl_bv=lsl_bv
    rotate_left=rotate_left
    rotate_right=rotate_right
    rotate_left_bv=rotate_left_bv
    rotate_right_bv=rotate_right_bv
    nth=bv_nth
    nth_bv=nth_bv
    tqtint=uint
    of_int=of_int
    eq_sub_bv=eq_sub_bv
    size_bv=size_bv
    one=one_class.one
    is_signed_positive=is_signed_positive
  types
    t=word32

why3_vc nth_out_of_bound
  using assms
  by (auto simp add: bv_nth_def dest: bit_imp_le_length)

why3_vc Nth_zeros by (simp add: bv_nth_def)

why3_vc Nth_ones
  using assms
  by (simp add: bv_nth_def)

why3_vc Nth_bw_and
  using assms
  by (simp add: bv_nth_def bit_and_iff)

why3_vc Nth_bw_or
  using assms
  by (simp add: bv_nth_def bit_or_iff)

why3_vc Nth_bw_xor
  using assms
  by (simp add: bv_nth_def bit_xor_iff)

why3_vc Nth_bw_not
  using assms
  by (simp add: bv_nth_def bit_not_iff nat_less_iff)

why3_vc Lsr_nth_low
  using assms
  by (simp add: bv_nth_def bit_drop_bit_eq nat_add_distrib add_ac)

why3_vc Lsr_nth_high
  using assms
  by (simp add: bv_nth_def bit_drop_bit_eq)
    (simp add: bit_word.rep_eq nat_add_distrib [symmetric] nat_less_iff)

why3_vc lsr_zeros by simp

why3_vc Asr_nth_low
  using assms
  by (simp add: bv_nth_def bit_signed_drop_bit_iff)
    (auto simp add: nat_add_distrib [symmetric] add_ac)

why3_vc Asr_nth_high
  using assms
  by (simp add: bv_nth_def bit_signed_drop_bit_iff)
    (auto simp add: nat_add_distrib [symmetric])

why3_vc asr_zeros by (simp add: bit_signed_drop_bit_iff)

why3_vc Lsl_nth_high
  using assms
  by (simp add: bv_nth_def bit_push_bit_iff nat_diff_distrib nat_less_iff nat_le_eq_zle)

why3_vc Lsl_nth_low
  using assms
  by (simp add: bv_nth_def bit_push_bit_iff nat_le_eq_zle)

why3_vc lsl_zeros by simp

why3_vc to_uint_extensionality using assms by (simp add: word_uint_eq_iff)

why3_vc to_intqtdef by (simp add: to_int_eq)

why3_vc to_int_extensionality using assms by (simp add: signed_word_eqI)

why3_vc positive_is_ge_zeros
  by (simp add: is_signed_positive_def sge_def)

why3_vc to_uint_bounds
  using uint_ge_0 [of v] uint_bounded [of v]
  by simp_all

why3_vc to_uint_of_int
  using assms
  by (simp add: uint_in_range_def uint_word_of_int)

why3_vc nth_bv_def
  by (simp add: bit_eq_iff bit_and_iff)
    (simp add: bit_1_iff bit_drop_bit_eq del: bit_0)

why3_vc Nth_bv_is_nth
  by (simp add: bv_nth_def)

why3_vc Nth_bv_is_nth2
  using assms
  by (simp add: bv_nth_def unat_eq_nat_uint to_uint_of_int uint_in_range_def)

why3_vc to_uint_size_bv by (simp add: size_bv_def)

why3_vc to_uint_zeros by simp

why3_vc to_uint_one by simp

why3_vc to_uint_ones by (simp add: uint_word_ariths)

why3_vc to_uint_add
  by (simp add: uint_word_arith_bintrs take_bit_eq_mod emod_def)

why3_vc to_uint_add_bounded
  using assms
  by (simp add: uint_word_arith_bintrs take_bit_eq_mod)

why3_vc to_uint_sub
  by (simp add: uint_word_arith_bintrs take_bit_eq_mod emod_def)

why3_vc to_uint_sub_bounded
  using assms
  by (simp add: uint_word_arith_bintrs take_bit_eq_mod)

why3_vc to_uint_neg
  by (simp add: uint_word_arith_bintrs take_bit_eq_mod emod_def)

why3_vc to_uint_mul
  by (simp add: uint_word_arith_bintrs take_bit_eq_mod emod_def)

why3_vc to_uint_mul_bounded
  using assms
  by (simp add: uint_word_arith_bintrs take_bit_eq_mod)

why3_vc to_uint_udiv
  by (cases "uint v2 = 0")
    (auto simp add: uint_div ediv_def)

why3_vc to_uint_urem
  by (simp add: uint_mod emod_def)

why3_vc Nth_rotate_left
  using assms rotl_nth [of "nat n" v "nat i + (size v - nat n mod size v)"]
  by (simp add: emod_def bv_nth_def word_size nat_minus_mod' int_minus_mod
    nat_mod_distrib nat_add_distrib nat_diff_distrib del: add_diff_assoc)

why3_vc Nth_rotate_right
  using assms rotr_nth [of "nat n" v "nat i"]
  by (simp add: emod_def bv_nth_def nat_mod_distrib nat_add_distrib)

why3_vc rotate_left_bv_is_rotate_left by simp

why3_vc rotate_right_bv_is_rotate_right by simp

why3_vc lsr_bv_is_lsr by simp

why3_vc to_uint_lsr
  by (simp add: ediv_def shiftr_div_2n)

why3_vc asr_bv_is_asr by simp

why3_vc lsl_bv_is_lsl by simp

why3_vc to_uint_lsl
  by (simp add: emod_def shiftl_aux)

why3_vc Extensionality
  using assms
  by (simp add: eq_sub_def bv_nth_def bit_eq_iff all_nat)

why3_vc eq_sub_equiv
  by (simp add: eq_sub_equiv_aux eq_sub_def eq_sub_bv_defn bv_nth_def)

why3_vc eq_sub_bv_def
  by (simp add: eq_sub_bv_defn mask_eq_exp_minus_1)

why3_end


type_synonym word64 = "64 word"

why3_open "bv/BV64.xml"
  constants
    zeros=zero_class.zero
    ones=max_word
    bw_and="and"
    bw_or=or
    bw_xor=xor
    bw_not=not
    add=plus
    sub=minus
    neg=uminus
    mul=times
    udiv=divide
    urem=modulo
    lsr=lsr
    asr=asr
    lsl=lsl
    lsr_bv=lsr_bv
    asr_bv=asr_bv
    lsl_bv=lsl_bv
    rotate_left=rotate_left
    rotate_right=rotate_right
    rotate_left_bv=rotate_left_bv
    rotate_right_bv=rotate_right_bv
    nth=bv_nth
    nth_bv=nth_bv
    tqtint=uint
    of_int=of_int
    eq_sub_bv=eq_sub_bv
    size_bv=size_bv
    one=one_class.one
    is_signed_positive=is_signed_positive
  types
    t=word64

why3_vc nth_out_of_bound
  using assms
  by (auto simp add: bv_nth_def dest: bit_imp_le_length)

why3_vc Nth_zeros by (simp add: bv_nth_def)

why3_vc Nth_ones
  using assms
  by (simp add: bv_nth_def)

why3_vc Nth_bw_and
  using assms
  by (simp add: bv_nth_def bit_and_iff)

why3_vc Nth_bw_or
  using assms
  by (simp add: bv_nth_def bit_or_iff)

why3_vc Nth_bw_xor
  using assms
  by (simp add: bv_nth_def bit_xor_iff)

why3_vc Nth_bw_not
  using assms
  by (simp add: bv_nth_def bit_not_iff nat_less_iff)

why3_vc Lsr_nth_low
  using assms
  by (simp add: bv_nth_def bit_drop_bit_eq nat_add_distrib add_ac)

why3_vc Lsr_nth_high
  using assms
  by (simp add: bv_nth_def bit_drop_bit_eq)
    (simp add: bit_word.rep_eq nat_add_distrib [symmetric] nat_less_iff)

why3_vc lsr_zeros by simp

why3_vc Asr_nth_low
  using assms
  by (simp add: bv_nth_def bit_signed_drop_bit_iff)
    (auto simp add: nat_add_distrib [symmetric] add_ac)

why3_vc Asr_nth_high
  using assms
  by (simp add: bv_nth_def bit_signed_drop_bit_iff)
    (auto simp add: nat_add_distrib [symmetric])

why3_vc asr_zeros by (simp add: bit_signed_drop_bit_iff)

why3_vc Lsl_nth_high
  using assms
  by (simp add: bv_nth_def bit_push_bit_iff nat_diff_distrib nat_less_iff nat_le_eq_zle)

why3_vc Lsl_nth_low
  using assms
  by (simp add: bv_nth_def bit_push_bit_iff nat_le_eq_zle)

why3_vc lsl_zeros by simp

why3_vc to_uint_extensionality using assms by (simp add: word_uint_eq_iff)

why3_vc to_intqtdef by (simp add: to_int_eq)

why3_vc to_int_extensionality using assms by (simp add: signed_word_eqI)

why3_vc positive_is_ge_zeros
  by (simp add: is_signed_positive_def sge_def)

why3_vc to_uint_bounds
  using uint_ge_0 [of v] uint_bounded [of v]
  by simp_all

why3_vc to_uint_of_int
  using assms
  by (simp add: uint_in_range_def uint_word_of_int)

why3_vc nth_bv_def
  by (simp add: bit_eq_iff bit_and_iff)
    (simp add: bit_1_iff bit_drop_bit_eq del: bit_0)

why3_vc Nth_bv_is_nth
  by (simp add: bv_nth_def)

why3_vc Nth_bv_is_nth2
  using assms
  by (simp add: bv_nth_def unat_eq_nat_uint to_uint_of_int uint_in_range_def)

why3_vc to_uint_size_bv by (simp add: size_bv_def)

why3_vc to_uint_zeros by simp

why3_vc to_uint_one by simp

why3_vc to_uint_ones by (simp add: uint_word_ariths)

why3_vc to_uint_add
  by (simp add: uint_word_arith_bintrs take_bit_eq_mod emod_def)

why3_vc to_uint_add_bounded
  using assms
  by (simp add: uint_word_arith_bintrs take_bit_eq_mod)

why3_vc to_uint_sub
  by (simp add: uint_word_arith_bintrs take_bit_eq_mod emod_def)

why3_vc to_uint_sub_bounded
  using assms
  by (simp add: uint_word_arith_bintrs take_bit_eq_mod)

why3_vc to_uint_neg
  by (simp add: uint_word_arith_bintrs take_bit_eq_mod emod_def)

why3_vc to_uint_mul
  by (simp add: uint_word_arith_bintrs take_bit_eq_mod emod_def)

why3_vc to_uint_mul_bounded
  using assms
  by (simp add: uint_word_arith_bintrs take_bit_eq_mod)

why3_vc to_uint_udiv
  by (cases "uint v2 = 0")
    (auto simp add: uint_div ediv_def)

why3_vc to_uint_urem
  by (simp add: uint_mod emod_def)

why3_vc Nth_rotate_left
  using assms rotl_nth [of "nat n" v "nat i + (size v - nat n mod size v)"]
  by (simp add: emod_def bv_nth_def word_size nat_minus_mod' int_minus_mod
    nat_mod_distrib nat_add_distrib nat_diff_distrib del: add_diff_assoc)

why3_vc Nth_rotate_right
  using assms rotr_nth [of "nat n" v "nat i"]
  by (simp add: emod_def bv_nth_def nat_mod_distrib nat_add_distrib)

why3_vc rotate_left_bv_is_rotate_left by simp

why3_vc rotate_right_bv_is_rotate_right by simp

why3_vc lsr_bv_is_lsr by simp

why3_vc to_uint_lsr
  by (simp add: ediv_def shiftr_div_2n)

why3_vc asr_bv_is_asr by simp

why3_vc lsl_bv_is_lsl by simp

why3_vc to_uint_lsl
  by (simp add: emod_def shiftl_aux)

why3_vc Extensionality
  using assms
  by (simp add: eq_sub_def bv_nth_def bit_eq_iff all_nat)

why3_vc eq_sub_equiv
  by (simp add: eq_sub_equiv_aux eq_sub_def eq_sub_bv_defn bv_nth_def)

why3_vc eq_sub_bv_def
  by (simp add: eq_sub_bv_defn mask_eq_exp_minus_1)

why3_end


why3_open "bv/BVConverter_32_64.xml"
  constants
    toBig = ucast
    toSmall = ucast

why3_vc toSmall_to_uint
  using assms
  by (simp add: BV64.ule_def ucast_eq uint_word_of_int del: of_int_uint)

why3_vc toBig_to_uint
  by (simp add: uint_up_ucast is_up)

why3_end


why3_open "bv/BVConverter_16_64.xml"
  constants
    toBig = ucast
    toSmall = ucast

why3_vc toSmall_to_uint
  using assms
  by (simp add: BV64.ule_def ucast_eq uint_word_of_int del: of_int_uint)

why3_vc toBig_to_uint
  by (simp add: uint_up_ucast is_up)

why3_end


why3_open "bv/BVConverter_8_64.xml"
  constants
    toBig = ucast
    toSmall = ucast

why3_vc toSmall_to_uint
  using assms
  by (simp add: BV64.ule_def ucast_eq uint_word_of_int del: of_int_uint)

why3_vc toBig_to_uint
  by (simp add: uint_up_ucast is_up)

why3_end


why3_open "bv/BVConverter_16_32.xml"
  constants
    toBig = ucast
    toSmall = ucast

why3_vc toSmall_to_uint
  using assms
  by (simp add: BV32.ule_def ucast_eq uint_word_of_int del: of_int_uint)

why3_vc toBig_to_uint
  by (simp add: uint_up_ucast is_up)

why3_end


why3_open "bv/BVConverter_8_32.xml"
  constants
    toBig = ucast
    toSmall = ucast

why3_vc toSmall_to_uint
  using assms
  by (simp add: BV32.ule_def ucast_eq uint_word_of_int del: of_int_uint)

why3_vc toBig_to_uint
  by (simp add: uint_up_ucast is_up)

why3_end


why3_open "bv/BVConverter_8_16.xml"
  constants
    toBig = ucast
    toSmall = ucast

why3_vc toSmall_to_uint
  using assms
  by (simp add: BV16.ule_def ucast_eq uint_word_of_int del: of_int_uint)

why3_vc toBig_to_uint
  by (simp add: uint_up_ucast is_up)

why3_end

endwhy3-1.6.0/lib/isabelle/Why3_Bool.thy000066400000000000000000000005621440160026300172700ustar00rootroot00000000000000theory Why3_Bool
imports Why3_Setup
begin

section \ Basic theory of Booleans \

why3_open "bool/Bool.xml"

why3_vc andbqtdef by (simp split: bool.split)

why3_vc orbqtdef by (simp split: bool.split)

why3_vc xorbqtdef by (simp split: bool.split)

why3_vc notbqtdef by (simp split: bool.split)

why3_vc implbqtdef by (simp split: bool.split)

why3_end

end
why3-1.6.0/lib/isabelle/Why3_Int.thy000066400000000000000000000207231440160026300171300ustar00rootroot00000000000000theory Why3_Int
imports Why3_Setup
begin

section \ Integers and the basic operators \

why3_open "int/Int.xml"

why3_vc Comm by simp

why3_vc Comm1 by simp

why3_vc Assoc by simp

why3_vc Assoc1 by simp

why3_vc Unitary by simp

why3_vc Inv_def_l by simp

why3_vc Inv_def_r by simp

why3_vc Unit_def_l by simp

why3_vc Unit_def_r by simp

why3_vc Mul_distr_l by (simp add: ring_distribs)

why3_vc Mul_distr_r by (simp add: ring_distribs)

why3_vc infix_mnqtdef by simp

why3_vc NonTrivialRing by simp

why3_vc infix_lseqqtdef by auto

why3_vc Refl by simp

why3_vc Trans using assms by simp

why3_vc Total by auto

why3_vc Antisymm using assms by simp

why3_vc ZeroLessOne by simp

why3_vc CompatOrderAdd using assms by simp

why3_vc CompatOrderMult using assms by (rule mult_right_mono)

why3_end


section \ Absolute Value \

why3_open "int/Abs.xml"

why3_vc absqtdef by simp

why3_vc Abs_le by auto

why3_vc Abs_pos by simp

why3_end


section \ Minimum and Maximum \

why3_open "int/MinMax.xml"

why3_vc Max_l using assms by simp

why3_vc Max_comm by simp

why3_vc Max_assoc by simp

why3_vc Min_r using assms by simp

why3_vc Min_comm by simp

why3_vc Min_assoc by simp

why3_vc maxqtdef by auto

why3_vc minqtdef by auto

why3_end


section \ Euclidean Division \

definition ediv :: "int \ int \ int" (infixl "ediv" 70) where
  "a ediv b = sgn b * (a div \b\)"

definition emod :: "int \ int \ int" (infixl "emod" 70) where
  "a emod b = a mod \b\"

why3_open "int/EuclideanDivision.xml"
  constants
    div = ediv
    mod = emod

why3_vc Div_1 by (simp add: ediv_def)

why3_vc Div_1_left using assms by (simp add: ediv_def div_pos_pos_trivial)

why3_vc Div_inf using assms by (simp add: ediv_def div_pos_pos_trivial)

why3_vc Div_inf_neg
  using assms
  by (cases "x = y") (simp_all add: ediv_def
    zdiv_zminus1_eq_if div_pos_pos_trivial mod_pos_pos_trivial)

why3_vc Div_mod
  by (simp add: ediv_def emod_def mult.assoc [symmetric] abs_sgn)

why3_vc Div_mult using assms by (simp add: ediv_def add.commute)

why3_vc Div_bound
proof -
  from assms show ?C1
    by (simp add: ediv_def pos_imp_zdiv_nonneg_iff)

  show ?C2
  proof (cases "x = 0")
    case False
    show ?thesis
    proof (cases "y = 1")
      case False
      with assms `x \ 0` have "x div y < x"
        by (simp add: int_div_less_self)
      with assms show ?thesis by (simp add: ediv_def)
    qed (simp add: ediv_def)
  qed (simp add: ediv_def)
qed

why3_vc Div_minus1_left
  using assms
  by (simp only: zdiv_zminus1_eq_if ediv_def)
    (simp add: div_pos_pos_trivial mod_pos_pos_trivial)

why3_vc Mod_0 by (simp add: emod_def)

why3_vc Mod_1 by (simp add: emod_def)

why3_vc Mod_1_left using assms by (simp add: emod_def mod_pos_pos_trivial)

why3_vc Mod_minus1_left
  using assms
  by (simp only: emod_def zmod_zminus1_eq_if) (simp add: mod_pos_pos_trivial)

why3_vc Mod_mult using assms by (simp add: emod_def add.commute)

why3_vc Mod_bound using assms by (simp_all add: emod_def)

why3_vc Div_unique using assms
 proof -
  have h0: "y \ 0" using assms by auto
  have h1: "x = y * (x ediv y) + (x emod y)" using h0 Div_mod by blast
  have h2: "0 \ x emod y \ x emod y < y" using assms H1 h0 Mod_bound zabs_def
    by (metis abs_sgn monoid_mult_class.mult.right_neutral sgn_pos)
  have h3: "x - y < y * (x ediv y)" using h1 h2 by linarith
  have h4: "y * (x ediv y) \ x" using h1 h2 by linarith
  show ?thesis
  proof (cases "x ediv y > q")
   assume a:"q < x ediv y"
   have h5: "x ediv y \ q + 1" using a by linarith
   have h6: "y * (x ediv y) >= y * (q + 1)" by (metis H1 h5 le_less mult_left_mono)
   have h7: "y * (x ediv y) >= q * y + y" by (metis Comm1 Mul_distr_l h6 monoid_mult_class.mult.right_neutral)
   thus "x ediv y = q" using H3 h1 h2 h7 by linarith
   next
   assume a:"\ q < x ediv y"
   show "x ediv y = q"
   proof (cases "x ediv y < q")
    assume b:"x ediv y < q"
    have h5: "x ediv y \ q - 1" using b by linarith
    have h6: "y * (x ediv y) <= y * (q - 1)" by (metis H1 h5 le_less mult_left_mono)
    have h7: "y * (x ediv y) <= q * y - y" by (metis Comm1 h6 int_distrib(4) monoid_mult_class.mult.right_neutral)
    thus "x ediv y = q" using H2 h3 h7 by linarith
    next
    assume b:"\ x ediv y < q"
    show ?thesis using a b by linarith
   qed
  qed
qed

why3_end

section \ Computer Division \

definition cdiv :: "int \ int \ int" (infixl "cdiv" 70) where
  "a cdiv b = sgn a * sgn b * (\a\ div \b\)"

definition cmod :: "int \ int \ int" (infixl "cmod" 70) where
  "a cmod b = sgn a * (\a\ mod \b\)"

why3_open "int/ComputerDivision.xml"
  constants
    div = cdiv
    mod = cmod

why3_vc Div_1 by (simp add: cdiv_def mult_sgn_abs)

why3_vc Div_inf using assms by (simp add: cdiv_def div_pos_pos_trivial)

why3_vc Div_sign_neg
  using assms
  by (cases "x = 0") (simp_all add: cdiv_def
    zdiv_zminus1_eq_if div_nonpos_pos_le0 pos_imp_zdiv_neg_iff)

why3_vc Div_sign_pos
  using assms
  by (cases "x = 0")
    (simp_all add: cdiv_def pos_imp_zdiv_nonneg_iff)

why3_vc Div_mod
proof -
  have "y * (sgn x * sgn y * (\x\ div \y\)) + sgn x * (\x\ mod \y\) =
    sgn x * (y * sgn y * (\x\ div \y\) + \x\ mod \y\)"
    by (simp add: ring_distribs)
  then show ?thesis
    by (cases "x = 0") (simp_all add: cdiv_def cmod_def abs_sgn
      sgn_mult [symmetric] order.strict_iff_order)
qed

why3_vc Div_mult
proof (cases "y = 0")
  case False
  with assms show ?thesis
    by (cases "z = 0")
      (simp_all add: cdiv_def add.commute add_pos_pos)
qed simp

why3_vc Div_bound
proof -
  from assms show ?C1
    by (simp add: cdiv_def pos_imp_zdiv_nonneg_iff sgn_if)

  show ?C2
  proof (cases "x = 0")
    case False
    show ?thesis
    proof (cases "y = 1")
      case False
      with assms `x \ 0` have "x div y < x"
        by (simp add: int_div_less_self)
      with assms show ?thesis by (simp add: cdiv_def sgn_if)
    qed (simp add: cdiv_def sgn_if)
  qed (simp add: cdiv_def)
qed

why3_vc Mod_1 by (simp add: cmod_def)

why3_vc Mod_inf using assms by (simp add: cmod_def mod_pos_pos_trivial sgn_if)

why3_vc Mod_mult
proof (cases "y = 0")
  case False
  with assms show ?thesis
    by (cases "z = 0") (simp_all add: cmod_def add.commute add_pos_pos)
qed simp

why3_vc Mod_bound
proof -
  from assms show ?C1
    by (auto simp add: cmod_def sgn_if intro: less_le_trans [of _ 0])

  from assms show ?C2
    by (auto simp add: cmod_def sgn_if intro: le_less_trans [of _ 0])
qed

why3_vc Mod_sign_neg using assms by (simp add: cmod_def sgn_if)

why3_vc Mod_sign_pos using assms by (simp add: cmod_def sgn_if)

why3_vc Rounds_toward_zero
proof (cases "x = 0")
  case False
  then have "\sgn x\ = 1" by (simp add: sgn_if)
  have "sgn x * sgn y * (\x\ div \y\) * y =
    sgn x * (y * sgn y * (\x\ div \y\))" (is "?l = ?r")
    by simp
  then have "\?l\ = \?r\" by (simp (no_asm_simp))
  also note abs_sgn [symmetric]
  also note abs_mult
  also have "\y\ * (\x\ div \y\) \ \y\ * (\x\ div \y\) + \x\ mod \y\"
    by (rule add_increasing2) (simp_all add: assms)
  with assms have "\\y\ * (\x\ div \y\)\ \ \\y\ * (\x\ div \y\) + \x\ mod \y\\"
    by (simp add: pos_imp_zdiv_nonneg_iff)
  finally show ?thesis using `\sgn x\ = 1`
    by (simp add: cdiv_def)
qed (simp add: cdiv_def)

why3_end


section \ Division by 2 \

why3_open "int/Div2.xml"

why3_vc div2
  by (rule exI [of _ "x div 2"]) auto

why3_end


section \ Power of an integer to an integer \

why3_open "int/Power.xml"

why3_vc Power_0 by simp

why3_vc Power_1 by simp

why3_vc Power_s using assms by (simp add: nat_add_distrib)

why3_vc Power_s_alt using assms by (simp add: nat_diff_distrib power_Suc [symmetric])

why3_vc Power_sum using assms by (simp add: nat_add_distrib power_add)

why3_vc Power_mult using assms by (simp add: nat_mult_distrib power_mult)

why3_vc Power_comm1 by (simp add: power_mult_distrib)

why3_vc Power_comm2 by (simp add: power_mult_distrib)

why3_vc Power_non_neg using assms by simp

why3_vc Power_pos using assms by simp

why3_vc Power_monotonic using assms by (simp add: power_increasing)

why3_end

end
why3-1.6.0/lib/isabelle/Why3_List.thy000066400000000000000000000136151440160026300173130ustar00rootroot00000000000000theory Why3_List
imports Why3_Setup
begin

section \ Length of a list \

why3_open "list/Length.xml"

why3_vc lengthqtdef by (cases l) simp_all

why3_vc Length_nil by simp

why3_vc Length_nonnegative by simp

why3_end


section \ Membership in a list \

why3_open "list/Mem.xml"

why3_vc memqtdef by (simp split: list.split)

why3_end


section \ Nth element of a list \

why3_open "list/Nth.xml"

lemma nth_eq: "0 \ i \ nat i < length xs \ nth i xs = Some (xs ! nat i)"
  by (induct xs arbitrary: i) (auto simp add: nat_diff_distrib)

why3_vc is_noneqtspec
  by (simp add: is_none_def split: option.split)

why3_end


why3_open "list/NthNoOpt.xml"

why3_vc nth_cons_0 by simp

why3_vc nth_cons_n
  using assms
  by (simp add: nat_diff_distrib)

why3_end


why3_open "list/NthLength.xml"

why3_vc nth_none_1
  using assms
  by (induct l arbitrary: i) simp_all

why3_vc nth_none_2
  using assms
  by (induct l arbitrary: i) simp_all

why3_vc nth_none_3
  using assms
proof (induct l arbitrary: i)
  case Nil
  then show ?case by simp arith
next
  case (Cons x xs)
  show ?case
  proof (cases "i < 0")
    case False
    with Cons have "0 < i" by (simp split: if_split_asm)
    with Cons have "Nth.nth (i - 1) xs = None" by simp
    then have "i - 1 < 0 \ int (length xs) \ i - 1"
      by (rule Cons)
    with `0 < i` show ?thesis by auto
  qed simp
qed

why3_vc is_noneqtspec
  by (simp add: is_none_def split: option.split)

why3_end


section \ Head and tail \

why3_open "list/HdTl.xml"

why3_vc is_noneqtspec
  by (simp add: is_none_def split: option.split)

why3_end


why3_open "list/HdTlNoOpt.xml"

why3_vc hd_cons by simp

why3_vc tl_cons by simp

why3_end


section \ Relation between head, tail, and nth \

why3_open "list/NthHdTl.xml"

why3_vc Nth_tl
  using assms
  by (simp add: tl_def split: list.split_asm)

why3_vc Nth0_head
  by (simp add: hd_def split: list.split)

why3_vc is_noneqtspec
  by (simp add: is_none_def split: option.split)

why3_end


section \ Appending two lists \

why3_open "list/Append.xml"

why3_vc infix_plplqtdef by (simp split: list.split)

why3_vc Append_assoc by simp

why3_vc Append_l_nil by simp

why3_vc Append_length by simp

why3_vc mem_append by simp

why3_vc mem_decomp
  using assms
  by (simp add: in_set_conv_decomp)

why3_end


why3_open "list/NthLengthAppend.xml"

why3_vc nth_append_1
proof (cases "0 \ i")
  case True
  with assms have "nat i < length l1" by simp
  with True show ?thesis
    by (simp add: nth_eq nth_append)
next
  case False
  then show ?thesis by (simp add: nth_none_1)
qed

why3_vc nth_append_2
proof (cases "nat i < length (l1 @ l2)")
  case True
  with assms show ?thesis
    by (auto simp add: nth_eq nth_append nat_diff_distrib)
next
  case False
  with assms show ?thesis by (simp add: nth_none_2)
qed

why3_vc is_noneqtspec
  by (simp add: is_none_def split: option.split)

why3_end


section \ Reversing a list \

why3_open "list/Reverse.xml"

why3_vc reverseqtdef by (simp split: list.split)

why3_vc Reverse_length by simp

why3_vc reverse_append by simp

why3_vc reverse_reverse by simp

why3_vc reverse_mem by simp

why3_vc reverse_cons by simp

why3_vc cons_reverse by simp

why3_end


section \ Reverse append \

why3_open "list/RevAppend.xml"

why3_vc rev_append_append_l
  by (induct r arbitrary: t) simp_all

why3_vc rev_append_append_r
proof (induct s arbitrary: r)
  case (Cons x xs)
  show ?case by (simp add: Cons [symmetric])
qed simp

why3_vc rev_append_length
  by (induct s arbitrary: t) simp_all

why3_vc rev_append_def
  by (induct r arbitrary: s) simp_all

why3_end


section \ Zip \

why3_open "list/Combine.xml"

why3_end


section \ List with pairwise distinct elements \

why3_open "list/Distinct.xml"

why3_vc distinct_zero by simp

why3_vc distinct_one by simp

why3_vc distinct_many using assms by simp

why3_vc distinct_append using assms by auto

why3_end


section \ Number of occurrences in a list \

why3_open "list/NumOcc.xml"

why3_vc Num_Occ_NonNeg
  by (induct l) simp_all

why3_vc Mem_Num_Occ
proof (induct l)
  case (Cons y ys)
  from Num_Occ_NonNeg [of y ys]
  have "0 < 1 + num_occ y ys" by simp
  with Cons show ?case by simp
qed simp

why3_vc Append_Num_Occ
  by (induct l1) simp_all

why3_vc reverse_num_occ
  by (induct l) (simp_all add: Append_Num_Occ)

why3_end


section \ Permutation of lists \

why3_open "list/Permut.xml"

why3_vc Permut_refl by (simp add: permut_def)

why3_vc Permut_sym using assms by (simp add: permut_def)

why3_vc Permut_trans using assms by (simp add: permut_def)

why3_vc Permut_cons using assms by (simp add: permut_def)

why3_vc Permut_swap by (simp add: permut_def)

why3_vc Permut_cons_append by (simp add: permut_def Append_Num_Occ)

why3_vc Permut_assoc by (simp add: permut_def)

why3_vc Permut_append using assms by (simp add: permut_def Append_Num_Occ)

why3_vc Permut_append_swap by (simp add: permut_def Append_Num_Occ)

why3_vc Permut_mem using assms by (simp add: permut_def Mem_Num_Occ)

why3_vc Permut_length
  using assms
proof (induct l1 arbitrary: l2)
  case Nil
  then show ?case
  proof (cases l2)
    case (Cons x xs)
    with Nil Num_Occ_NonNeg [of x xs]
    show ?thesis by (auto simp add: permut_def dest: spec [of _ x])
  qed simp
next
  case (Cons x xs)
  from `permut (x # xs) l2` have "x \ set l2"
    by (rule Permut_mem) simp
  then obtain ys zs where "l2 = ys @ x # zs"
    by (auto simp add: in_set_conv_decomp)
  with Cons have "permut (x # xs) (ys @ x # zs)" by simp
  moreover have "permut (ys @ x # zs) ((x # zs) @ ys)"
    by (rule Permut_append_swap)
  ultimately have "permut (x # xs) ((x # zs) @ ys)"
    by (rule Permut_trans)
  then have "permut xs (zs @ ys)" by (simp add: permut_def)
  then have "int (length xs) = int (length (zs @ ys))" by (rule Cons)
  with `l2 = ys @ x # zs` show ?case by simp
qed

why3_end

end
why3-1.6.0/lib/isabelle/Why3_Map.thy.2019000066400000000000000000000125001440160026300174770ustar00rootroot00000000000000theory Why3_Map
imports Why3_Setup
begin

section \ Generic Maps \

why3_open "map/Map.xml"

why3_vc setqtdef by auto

why3_end


section \ Constant Maps \

definition abs_const :: "'a \ ('b \ 'a)" where
  "abs_const v y = v"

why3_open "map/Const.xml"
  constants
    const=abs_const

why3_vc constqtdef
  by (simp add: abs_const_def)

why3_end

section \ Number of occurrences \

definition occ :: "'a \ (int \ 'a) \ int \ int \ int" where
  "occ v m l u = int (card (m -` {v} \ {l.. {u - 1}" by auto
  with assms show ?thesis by (simp add: occ_def)
qed

why3_vc occ_right_add
proof -
  from assms have "{l.. {u - 1}" by auto
  with assms show ?thesis by (simp add: occ_def)
qed

why3_vc occ_bounds
proof -
  have "card ({l.. m -` {v}) \ card {l.. m -` {v})"
    by (blast intro: card_Diff_subset_Int)
  ultimately have "card {l.. m -` {v})"
    by simp
  with assms show ?C2
    by (simp add: occ_def Int_commute)
qed (simp add: occ_def)

why3_vc occ_append
proof -
  from assms have "{l.. {mid.. {l.. (m -` {v} \ {mid.. ({l.. {mid.. {l.. {l.. {i} else m -` {z} - {i})"
  by auto

why3_vc occ_exchange
  using assms
  by (simp add: occ_def vimage_update insert_Diff_if card_insert)
    (auto simp add: Diff_Int_distrib2 card_Diff_subset_Int)

why3_vc occ_left_add
proof -
  from assms have "{l.. {l + 1.. {l + 1.. Injectivity and surjectivity for maps (indexed by integers) \

why3_open "map/MapInjection.xml"

why3_vc injective_surjective
proof -
  have "finite {0.. {0.. a ` {0..i j. 0 \ i \ i < n \ 0 \ j \ j < n \ i \ j \ m i \ m j"
  show "\v. int (card (m -` {v} \ {0.. 1"
  proof
    fix v
    let ?S = "m -` {v} \ {0.. 1"
    proof (rule ccontr)
      assume "\ int (card ?S) \ 1"
      with card_le_Suc_iff [of 1 ?S]
      obtain x S where "?S = insert x S"
        "x \ S" "1 \ card S" "finite S"
        by auto
      with card_le_Suc_iff [of 0 S]
      obtain x' S' where "S = insert x' S'" by auto
      with `?S = insert x S` `x \ S`
      have "m x = v" "m x' = v" "x \ x'" "0 \ x" "x < n" "0 \ x'" "x' < n"
        by auto
      with H show False by auto
    qed
  qed
next
  assume H: "\v. int (card (m -` {v} \ {0.. 1"
  show "\i j. 0 \ i \ i < n \ 0 \ j \ j < n \ i \ j \ m i \ m j"
  proof (intro strip notI)
    fix i j
    let ?S = "m -` {m i} \ {0.. i \ i < n" "0 \ j \ j < n" "i \ j" "m i = m j"
    have "finite ?S" by simp
    moreover from `0 \ i \ i < n` have "i \ ?S" by simp
    ultimately have S: "card ?S = Suc (card (?S - {i}))"
      by (rule card.remove)
    have "finite (?S - {i})" by simp
    moreover from `0 \ j \ j < n` `i \ j` `m i = m j`
    have "j \ ?S - {i}" by simp
    ultimately have "card (?S - {i}) = Suc (card (?S - {i} - {j}))"
      by (rule card.remove)
    with S have "\ int (card ?S) \ 1" by simp
    with H show False by simp
  qed
qed

why3_end

end
why3-1.6.0/lib/isabelle/Why3_Map.thy.2021-1000066400000000000000000000125071440160026300176350ustar00rootroot00000000000000theory Why3_Map
imports Why3_Setup
begin

section \ Generic Maps \

why3_open "map/Map.xml"

why3_vc setqtdef by auto

why3_end


section \ Constant Maps \

definition abs_const :: "'a \ ('b \ 'a)" where
  "abs_const v y = v"

why3_open "map/Const.xml"
  constants
    const=abs_const

why3_vc constqtdef
  by (simp add: abs_const_def)

why3_end

section \ Number of occurrences \

definition occ :: "'a \ (int \ 'a) \ int \ int \ int" where
  "occ v m l u = int (card (m -` {v} \ {l.. {u - 1}" by auto
  with assms show ?thesis by (simp add: occ_def)
qed

why3_vc occ_right_add
proof -
  from assms have "{l.. {u - 1}" by auto
  with assms show ?thesis by (simp add: occ_def)
qed

why3_vc occ_bounds
proof -
  have "card ({l.. m -` {v}) \ card {l.. m -` {v})"
    by (blast intro: card_Diff_subset_Int)
  ultimately have "card {l.. m -` {v})"
    by simp
  with assms show ?C2
    by (simp add: occ_def Int_commute)
qed (simp add: occ_def)

why3_vc occ_append
proof -
  from assms have "{l.. {mid.. {l.. (m -` {v} \ {mid.. ({l.. {mid.. {l.. {l.. {i} else m -` {z} - {i})"
  by auto

why3_vc occ_exchange
  using assms
  by (simp add: occ_def vimage_update insert_Diff_if card.insert_remove)
    (auto simp add: Diff_Int_distrib2 card_Diff_subset_Int)

why3_vc occ_left_add
proof -
  from assms have "{l.. {l + 1.. {l + 1.. Injectivity and surjectivity for maps (indexed by integers) \

why3_open "map/MapInjection.xml"

why3_vc injective_surjective
proof -
  have "finite {0.. {0.. a ` {0..i j. 0 \ i \ i < n \ 0 \ j \ j < n \ i \ j \ m i \ m j"
  show "\v. int (card (m -` {v} \ {0.. 1"
  proof
    fix v
    let ?S = "m -` {v} \ {0.. 1"
    proof (rule ccontr)
      assume "\ int (card ?S) \ 1"
      with card_le_Suc_iff [of 1 ?S]
      obtain x S where "?S = insert x S"
        "x \ S" "1 \ card S" "finite S"
        by auto
      with card_le_Suc_iff [of 0 S]
      obtain x' S' where "S = insert x' S'" by auto
      with `?S = insert x S` `x \ S`
      have "m x = v" "m x' = v" "x \ x'" "0 \ x" "x < n" "0 \ x'" "x' < n"
        by auto
      with H show False by auto
    qed
  qed
next
  assume H: "\v. int (card (m -` {v} \ {0.. 1"
  show "\i j. 0 \ i \ i < n \ 0 \ j \ j < n \ i \ j \ m i \ m j"
  proof (intro strip notI)
    fix i j
    let ?S = "m -` {m i} \ {0.. i \ i < n" "0 \ j \ j < n" "i \ j" "m i = m j"
    have "finite ?S" by simp
    moreover from `0 \ i \ i < n` have "i \ ?S" by simp
    ultimately have S: "card ?S = Suc (card (?S - {i}))"
      by (rule card.remove)
    have "finite (?S - {i})" by simp
    moreover from `0 \ j \ j < n` `i \ j` `m i = m j`
    have "j \ ?S - {i}" by simp
    ultimately have "card (?S - {i}) = Suc (card (?S - {i} - {j}))"
      by (rule card.remove)
    with S have "\ int (card ?S) \ 1" by simp
    with H show False by simp
  qed
qed

why3_end

end
why3-1.6.0/lib/isabelle/Why3_Number.thy000066400000000000000000000206531440160026300176300ustar00rootroot00000000000000theory Why3_Number
imports
  Why3_Int
  "HOL-Computational_Algebra.Primes"
begin

section \ Parity properties \

why3_open "number/Parity.xml"

why3_vc evenqtdef by arith

why3_vc oddqtdef by arith

why3_vc even_or_odd by auto

why3_vc even_not_odd using assms by simp

why3_vc odd_not_even using assms by simp

why3_vc even_odd using assms by simp

why3_vc odd_even using assms by simp

why3_vc even_even using assms by simp

why3_vc odd_odd using assms by simp

why3_vc even_2k by simp

why3_vc odd_2k1 by simp

why3_vc even_mod2
  by (auto simp add: evenqtdef cmod_def sgn_if minus_equation_iff [of n])

why3_end


section \ Divisibility \

why3_open "number/Divisibility.xml"

why3_vc dividesqtdef
  by (auto simp add: cmod_def sgn_if minus_equation_iff [of n])

why3_vc divides_refl by simp

why3_vc divides_1_n by simp

why3_vc divides_0 by simp

why3_vc divides_left using assms by simp

why3_vc divides_right using assms by simp

why3_vc divides_oppr using assms by simp

why3_vc divides_oppl using assms by simp

why3_vc divides_oppr_rev using assms by simp

why3_vc divides_oppl_rev using assms by simp

why3_vc divides_plusr using assms by simp

why3_vc divides_minusr using assms by simp

why3_vc divides_multl using assms by simp

why3_vc divides_multr using assms by simp

why3_vc divides_factorl by simp

why3_vc divides_factorr by simp

why3_vc divides_n_1 using assms by auto

why3_vc divides_antisym
  using assms
  by (auto dest: zdvd_antisym_abs)

why3_vc divides_trans using assms by (rule dvd_trans)

why3_vc divides_bounds using assms by (simp add: dvd_imp_le_int)

why3_vc mod_divides_euclidean
  using assms
  by (auto simp add: emod_def split: if_split_asm)

why3_vc divides_mod_euclidean
  using assms
  by (simp add: emod_def dvd_eq_mod_eq_0 zabs_def zmod_zminus2_eq_if)

why3_vc mod_divides_computer
  using assms
  by (auto simp add: cmod_def zabs_def sgn_0_0 zmod_zminus1_eq_if
    not_sym [OF less_imp_neq [OF pos_mod_bound]]
    split: if_split_asm)

why3_vc divides_mod_computer
  using assms
  by (simp add: cmod_def dvd_eq_mod_eq_0 zabs_def
    zmod_zminus1_eq_if zmod_zminus2_eq_if)

why3_vc even_divides ..

why3_vc odd_divides ..

why3_vc dividesqtspec
  by (simp add: dvd_def mult.commute)

why3_end


section \ Greatest Common Divisor \

why3_open "number/Gcd.xml"

why3_vc gcd_nonneg by simp

why3_vc gcd_def1 by simp

why3_vc gcd_def2 by simp

why3_vc gcd_def3 using assms by (rule gcd_greatest)

why3_vc gcd_unique using assms
  by (simp add: gcd_unique_int [symmetric])

why3_vc Comm by (rule gcd.commute)

why3_vc Assoc by (rule gcd.assoc)

why3_vc gcd_0_pos using assms by simp

why3_vc gcd_0_neg using assms by simp

why3_vc gcd_opp by simp

why3_vc gcd_euclid
  using gcd_add_mult [of a "- q" b]
  by (simp add: algebra_simps)

why3_vc Gcd_computer_mod
  using assms gcd_add_mult [of b "- 1" "a mod b"]
  by (simp add: cmod_def zabs_def gcd_red_int [symmetric] sgn_if algebra_simps del: gcd_mod_right)
    (simp add: zmod_zminus2_eq_if gcd_red_int [of a b] del: gcd_mod_right)

why3_vc Gcd_euclidean_mod
  using assms gcd_add_mult [of b "- 1" "a mod b"]
  by (simp add: emod_def zabs_def gcd_red_int [symmetric] algebra_simps del: gcd_mod_right)
    (simp add: zmod_zminus2_eq_if gcd_red_int [of a b] del: gcd_mod_right)

why3_vc gcd_mult using assms
  by (simp add: gcd_mult_distrib_int [symmetric])

why3_end


section \ Prime numbers \

why3_open "number/Prime.xml"

why3_vc primeqtdef
  by (auto simp add: prime_int_iff')

why3_vc not_prime_1 by simp

why3_vc prime_2 by simp

why3_vc prime_3 by simp

why3_vc prime_divisors
  using assms
  by (auto simp add: prime_int_altdef dest: spec [of _ "\d\"])

lemma small_divisors_aux:
  "1 < (n::nat) \ n < p \ n dvd p \ \d. prime d \ d * d \ p \ d dvd p"
proof (induct n rule: less_induct)
  case (less n)
  then obtain m where "p = n * m" by (auto simp add: dvd_def)
  show ?case
  proof (cases "prime n")
    case True
    show ?thesis
    proof (cases "n \ m")
      case True
      with `p = n * m` `prime n`
      show ?thesis by auto
    next
      case False
      then have "m < n" by simp
      moreover from `n < p` `p = n * m` have "1 < m" by simp
      moreover from `1 < n` `n < p` `p = n * m` have "m < p" by simp
      moreover from `p = n * m` have "m dvd p" by simp
      ultimately show ?thesis by (rule less)
    qed
  next
    case False
    with `1 < n` obtain k where "k dvd n" "k \ 1" "k \ n"
      by (auto simp add: prime_nat_iff)
    with `1 < n` have "k \ n" by (simp add: dvd_imp_le)
    with `k \ n` have "k < n" by simp
    moreover from `k dvd n` `1 < n` have "k \ 0" by (rule_tac notI) simp
    with `k \ 1` have "1 < k" by simp
    moreover from `k < n` `n < p` have "k < p" by simp
    moreover from `k dvd n` `n dvd p` have "k dvd p" by (rule dvd_trans)
    ultimately show ?thesis by (rule less)
  qed
qed

why3_vc small_divisors
  unfolding primeqtdef
proof
  show "2 \ p" by fact

  show "\n. 1 < n \ n < p \ \ n dvd p"
  proof (intro strip)
    fix n
    assume "1 < n \ n < p"
    show "\ n dvd p"
    proof
      assume "n dvd p"
      with `1 < n \ n < p`
      have "1 < nat n" "nat n < nat p" "nat n dvd nat p"
        by (simp_all add: nat_dvd_iff)
      then have "\d. prime d \ d * d \ nat p \ d dvd (nat p)"
        by (rule small_divisors_aux)
      with `2 \ p` obtain d
        where d: "prime (int d)" "int d * int d \ p" "int d dvd p"
        by (auto simp add: int_dvd_int_iff [symmetric] le_nat_iff)
      from `prime (int d)` have "2 \ int d" by (simp add: prime_ge_2_int)
      then have "2 \ int d" by simp
      with `2 \ int d` have "2 * 2 \ int d * int d"
        by (rule mult_mono) simp_all
      with d assms `2 \ int d` show False by auto
    qed
  qed
qed

why3_vc even_prime
proof -
  from `prime p` have "0 \ p" by (simp add: primeqtdef)
  from `prime p` have "2 \ p" by (simp add: prime_ge_2_int)
  with `prime p` `even p` `0 \ p` show ?thesis
    by (auto simp add: order_le_less prime_odd_int)
qed

why3_vc odd_prime
proof -
  from `prime p` have "2 \ p" by (simp add: prime_ge_2_int)
  with `prime p` `3 \ p` show ?thesis
    by (auto simp add: order_le_less prime_odd_int)
qed

why3_end


section \ Coprime numbers \

why3_open "number/Coprime.xml"

why3_vc coprimeqtdef by (rule coprime_iff_gcd_eq_1)

why3_vc prime_coprime
proof -
  have "(\n. 1 < n \ n < p \ \ n dvd p) =
    (\n. 1 \ n \ n < p \ coprime n p)"
  proof
    assume H: "\n. 1 < n \ n < p \ \ n dvd p"
    show "\n. 1 \ n \ n < p \ coprime n p"
    proof (intro strip)
      fix n
      assume H': "1 \ n \ n < p"
      {
        fix d
        assume "0 \ d" "d dvd n" "d dvd p"
        with H' have "d \ 0" by auto
        have "d = 1"
        proof (rule ccontr)
          assume "d \ 1"
          with `0 \ d` `d \ 0` have "1 < d" by simp
          moreover from `d dvd p` H' have "d \ p" by (auto dest: zdvd_imp_le)
          moreover from `d dvd n` H' have "d \ p" by (auto dest: zdvd_imp_le)
          ultimately show False using `d dvd p` H by auto
        qed
      }
      then show "coprime n p"
        by (auto simp add: coprime_iff_gcd_eq_1)
    qed
  next
    assume H: "\n. 1 \ n \ n < p \ coprime n p"
    show "\n. 1 < n \ n < p \ \ n dvd p"
    proof (intro strip notI)
      fix n
      assume H': "1 < n \ n < p" "n dvd p"
      then have "1 \ n \ n < p" by simp
      with H have "coprime n p" by simp
      with H' show False by (simp add: coprime_iff_gcd_eq_1)
    qed
  qed
  then show ?thesis by (simp add: primeqtdef)
qed

why3_vc Gauss
proof -
  from assms
  have "coprime a b" "a dvd c * b" by (simp_all add: mult.commute)
  then show ?thesis by (simp add: coprime_dvd_mult_left_iff)
qed

why3_vc Euclid
  using assms
  by (simp add: prime_dvd_multD)

why3_vc gcd_coprime
proof -
  have "gcd a (b * c) = gcd (b * c) a" by (simp add: gcd.commute)
  also from assms have "coprime a b" by (simp add: gcd.commute coprime_iff_gcd_eq_1)
  then have "gcd (b * c) a = gcd c a" by (simp add: gcd_mult_left_left_cancel)
  finally show ?thesis by (simp add: gcd.commute)
qed

why3_end

end
why3-1.6.0/lib/isabelle/Why3_Real.thy000066400000000000000000000151331440160026300172600ustar00rootroot00000000000000theory Why3_Real
imports
  Why3_Setup
  Complex_Main
  "HOL-Decision_Procs.Approximation"
begin

section \ Real numbers and the basic unary and binary operators \

why3_open "real/Real.xml"

why3_vc infix_lseqqtdef by auto

why3_vc Assoc by auto

why3_vc Unit_def_l by auto

why3_vc Unit_def_r by auto

why3_vc Inv_def_l by auto

why3_vc Inv_def_r by auto

why3_vc Comm by simp

why3_vc Assoc1 by simp

why3_vc Mul_distr_l by (simp add: algebra_simps)

why3_vc Mul_distr_r by (simp add: Rings.comm_semiring_class.distrib)

why3_vc infix_mnqtdef by auto

why3_vc Comm1 by auto

why3_vc Unitary by auto

why3_vc NonTrivialRing by auto

why3_vc Inverse by (simp add: assms)

why3_vc add_div by (simp add: Fields.division_ring_class.add_divide_distrib)

why3_vc sub_div by (simp add: Fields.division_ring_class.diff_divide_distrib)

why3_vc neg_div by auto

why3_vc assoc_mul_div by auto

why3_vc assoc_div_mul by auto

why3_vc assoc_div_div by auto

why3_vc Refl by auto

why3_vc Trans
  using assms
  by auto

why3_vc Antisymm
  using assms
  by auto

why3_vc Total by auto

why3_vc ZeroLessOne by auto

why3_vc CompatOrderAdd
  using assms
  by auto

why3_vc CompatOrderMult
  using assms
  by (simp add: Rings.ordered_semiring_class.mult_right_mono)

why3_vc infix_slqtdef by (simp add: Real.divide_real_def)

why3_end

section \ Alternative Infix Operators \

why3_open "real/RealInfix.xml"

why3_end

section \ Absolute Value \

why3_open "real/Abs.xml"

why3_vc Abs_le by auto

why3_vc Abs_pos by auto

why3_vc Abs_sum by auto

why3_vc absqtdef by (simp add: Real.abs_real_def)

why3_vc Abs_prod by (simp add: abs_mult)

why3_vc triangular_inequality by (simp add: Real.abs_real_def)

why3_end

section \ Minimum and Maximum \

why3_open "real/MinMax.xml"

why3_vc Max_l
  using assms
  by auto

why3_vc Min_r
  using assms
  by auto

why3_vc maxqtdef by auto

why3_vc minqtdef by auto

why3_vc Max_comm by auto

why3_vc Min_comm by auto

why3_vc Max_assoc by auto

why3_vc Min_assoc by auto

why3_end

section \ Injection of integers into reals \

why3_open "real/FromInt.xml"
  constants
    from_int = of_int

why3_vc Add by auto

why3_vc Mul by auto

why3_vc Neg by auto

why3_vc One by auto

why3_vc Sub by auto

why3_vc Zero by auto

why3_vc Monotonic using assms by auto

why3_vc Injective using assms by auto

why3_end

section \ Various truncation functions \

(* truncate: rounds towards zero *)

definition truncate :: "real \ int" where
  "truncate x = (if x \ 0 then floor x else ceiling x)"

why3_open "real/Truncate.xml"
  constants
  truncate = truncate
  floor = floor
  ceil = ceiling

subsection \ Roundings up and down \

why3_vc Ceil_up
  by (simp_all add: ceiling_correct)

why3_vc Ceil_int by auto

why3_vc Floor_int by auto

why3_vc Floor_down
  by (simp_all add: floor_correct [simplified])

why3_vc Ceil_monotonic
  using assms
  by (simp add:ceiling_mono)

why3_vc Floor_monotonic
  using assms
  by (simp add:floor_mono)

subsection \ Rounding towards zero \

why3_vc Real_of_truncate
  using floor_correct [of x] ceiling_correct [of x]
  by (simp_all add: truncate_def del: of_int_floor_le le_of_int_ceiling)

why3_vc Truncate_int by (simp add: truncate_def)

why3_vc Truncate_up_neg
  using assms ceiling_correct [of x]
  by (simp_all add: truncate_def)

why3_vc Truncate_down_pos
  using assms floor_correct [of x]
  by (simp_all add: truncate_def)

why3_vc Truncate_monotonic
  using assms
  unfolding truncate_def
  by (simp add: floor_mono ceiling_mono order_trans [of "\x\" 0 "\y\"])

why3_vc Truncate_monotonic_int1
  using assms
  by (simp add: truncate_def floor_le_iff ceiling_le_iff)

why3_vc Truncate_monotonic_int2
  using assms
  by (simp add: truncate_def le_floor_iff le_ceiling_iff)

why3_end

section \ Square and Square Root \

why3_open "real/Square.xml"
  constants
    sqrt = sqrt

why3_vc Sqrt_le
  using assms
  by auto

why3_vc Sqrt_mul by (simp add: NthRoot.real_sqrt_mult)

why3_vc Sqrt_square
  using assms
  by (simp add: sqr_def)

why3_vc Square_sqrt
  using assms
  by auto

why3_vc Sqrt_positive
  using assms
  by auto

why3_end

section \ Exponential and Logarithm \

why3_open "real/ExpLog.xml"
  constants
    exp = exp
    log = ln

why3_vc Exp_log
  using assms
  by auto

why3_vc Exp_sum by (simp add: Transcendental.exp_add)

why3_vc Log_exp by auto

why3_vc Log_mul
  using assms
  by (simp add: Transcendental.ln_mult)

why3_vc Log_one by auto

why3_vc Exp_zero by auto

why3_end

section \ Power of a real to an integer \

(* TODO: clones int.Exponentiation which is not yet realized *)

why3_open "real/PowerInt.xml"

why3_vc Power_0 by auto

why3_vc Power_1 by auto

why3_vc Power_s
  using assms
  by (simp add: nat_add_distrib)

why3_vc Power_sum
  using assms
  by (simp add: nat_add_distrib power_add)

why3_vc Pow_ge_one using assms by auto

why3_vc Power_mult
  using assms
  by (simp add: nat_mult_distrib power_mult)

why3_vc Power_comm1 by simp

why3_vc Power_comm2 by (simp add: semiring_normalization_rules(30))

why3_vc Power_s_alt
proof -
  have "nat n = Suc (nat (n - 1))" using assms by auto
  then show ?thesis by simp
qed

why3_end

section \ Power of a real to a real exponent \

(* TODO: no power to a real exponent in Isabelle? *)

section \ Trigonometric Functions \

abbreviation (input)
  "why3_divide \ divide"

why3_open "real/Trigonometry.xml"
  constants
    cos = cos
    sin = sin
    pi = pi
    atan = arctan

why3_vc Cos_0 by auto

why3_vc Sin_0 by auto

why3_vc Cos_pi by auto

why3_vc Sin_pi by auto

why3_vc Cos_neg by auto

why3_vc Cos_pi2 by auto

why3_vc Cos_sum by (simp add: Transcendental.cos_add)

why3_vc Sin_neg by auto

why3_vc Sin_pi2 by auto

why3_vc Sin_sum by (simp add: Transcendental.sin_add)

why3_vc tanqtdef by (simp add: Transcendental.tan_def)

why3_vc Tan_atan by (simp add: Transcendental.tan_arctan)

why3_vc Cos_le_one by auto

why3_vc Sin_le_one by auto

why3_vc Cos_plus_pi by auto

why3_vc Pi_double_precision_bounds
proof -
  have "884279719003555 / 281474976710656 < pi"
    by (approximation 57)
  then show ?C1 by simp
  have "pi < 7074237752028441 / 2251799813685248"
    by (approximation 55)
  then show ?C2 by simp
qed

why3_vc Sin_plus_pi by auto

why3_vc Cos_plus_pi2 by (simp add: Transcendental.minus_sin_cos_eq)

why3_vc Sin_plus_pi2 by (simp add: sin_add)

why3_vc Pythagorean_identity
  by (simp add: sqr_def)

why3_end

section \ Hyperbolic Functions \

(* TODO: missing acosh *)

section \ Polar Coordinates \

(* TODO: missing atan2 *)

end
why3-1.6.0/lib/isabelle/Why3_Set.thy000066400000000000000000000156351440160026300171370ustar00rootroot00000000000000theory Why3_Set
imports
  Why3_Setup
  Why3_Map
  "HOL-Library.FSet"
begin

section \ Potentially infinite sets \

definition complement :: "('a \ bool) \ 'a \ bool" where
  "complement S v = Not (S v)"

definition mapi :: "('a \ 'b) \ ('a \ bool) \ ('b \ bool)" where
  "mapi f s x = Set.member x (image f (Collect s))"

definition filteri :: " ('a \ bool) \ ('a \ bool) \ 'a \ bool" where
  "filteri f s x = conj (s x) (f x)"

definition product :: "('a \ bool) \ ('b \ bool) \ ('a \ 'b \ bool)" where
  "product s1 s2 p = conj (s1 (fst p)) (s2 (snd p))"

why3_open "set/Set.xml"
  constants
    empty = bot
    add = insert
    remove = Set.remove
    union = sup
    inter = inf
    diff = minus
    complement = complement
    pick = Eps
    all = top
    map = mapi
    filter = filteri
    product = product

why3_vc diffqtdef by (simp add: mem_def)

why3_vc interqtdef by (simp add: mem_def)

why3_vc is_empty_empty by (simp add: constqtdef mem_def set.Set.is_empty_def)

why3_vc unionqtdef by (simp add: mem_def)

why3_vc add_remove
  using assms
  by (simp add: fun_upd_idem_iff mem_def)

why3_vc remove_add by auto

why3_vc pick_def
  using assms
  by (auto simp add: mem_def is_empty_def intro: someI_ex)

why3_vc subset_diff
  by (simp add: mem_def diffqtdef subset_def)

why3_vc subset_refl
  by (simp add: subset_def)

why3_vc subset_trans
  using assms
  by (simp add: subset_def)

why3_vc subset_remove
  by (simp add: mem_def remove_def subset_def)

why3_vc complementqtdef
  by (simp add: mem_def complement_def)

why3_vc extensionality
  using assms
  by (auto simp add: infix_eqeq_def mem_def)

why3_vc mapqtdef by (simp add: mem_def mapi_def image_iff)

why3_vc mem_map
  using assms
  by (meson facts.mapqtdef mem_def)

why3_vc mem_singleton
  by (metis assms constqtdef fun_upd_other mem_def) 

why3_vc empty_is_empty
  using assms
  by (meson extensionality infix_eqeq_def is_empty_empty set.Set.is_empty_def)

why3_vc subset_inter_1
  by (simp add: set.Set.subset_def mem_def)

why3_vc subset_inter_2
  by (simp add: set.Set.subset_def mem_def)

why3_vc subset_union_1
  by (simp add: set.Set.subset_def mem_def)

why3_vc subset_union_2
  by (simp add: set.Set.subset_def mem_def)

why3_vc disjoint_diff_eq
  by (smt diffqtdef disjoint_def extensionality infix_eqeq_def mem_def)

why3_vc disjoint_diff_s2
  by (simp add: disjoint_def mem_def)

why3_vc disjoint_inter_empty
  by (simp add: disjoint_def mem_def set.Set.is_empty_def)

why3_vc filter_def
  by (metis filteri_def mem_def)

why3_vc subset_filter
  by (simp add: filter_def subset_def)

why3_vc product_def
  by (simp add: product_def mem_def)

why3_end


section \ Finite sets \

definition fremove :: "'a \ 'a fset \ 'a fset" where
  "fremove x A = A - {|x|}"

definition fchoose :: "'a fset \ 'a" where
  "fchoose S = (\x. x |\| S)"

definition is_empty :: "'a fset \ bool" where
  "is_empty S = (S = fempty)"

definition filter :: "'a fset \ ('a \ bool) \ 'a fset" where
  "filter S p = ffilter p S"

why3_open "set/Fset.xml"
  constants
    mem = fmember
    empty = bot
    add = finsert
    remove = fremove
    union = sup
    inter = inf
    diff = minus
    choose = fchoose
    all = top
    pick = fchoose
    filter = filter
    map = fimage
  types
    fset = fset

why3_vc add_def by auto

why3_vc add_remove
  using assms
  by (auto simp add: fremove_def)

why3_vc remove_add by (simp add: fremove_def)

why3_vc map_def by auto

why3_vc mem_map by (simp add: assms)

why3_vc inter_def by simp

why3_vc union_def by simp

why3_vc remove_def by (auto simp add: fremove_def)

why3_vc diff_def by auto

why3_vc pick_def
  using assms
  by (auto simp add: fchoose_def is_empty_def intro: someI_ex)

why3_vc subset_diff by (simp add: Fset.subset_def)

why3_vc subset_refl by (simp add: Fset.subset_def)

why3_vc subset_trans 
  using assms
  by (simp add: Fset.subset_def)

why3_vc subset_remove by (auto simp add: Fset.subset_def fremove_def)

why3_vc subset_eq
  using assms fcard_seteq
  by (metis Fset.subset_def eq_imp_le fsubsetI of_nat_eq_iff)

why3_vc extensionality
  using assms
  by (simp add:  Fset.infix_eqeq_def fset_eqI)

why3_vc cardinal1
proof (cases s rule: fset_strong_cases)
  case 1
  with assms
  show ?thesis by (simp add: fcard_fempty)
next
  case (2 s' x)
  show ?thesis
  proof (cases s' rule: fset_strong_cases)
    case 1
    with `s = finsert x s'` assms
    show ?thesis by (simp add: fchoose_def)
  next
    case (2 s'' y)
    with `s = finsert x s'` assms
    show ?thesis by (auto simp add: fcard_finsert_if fchoose_def
      split: if_split_asm)
  qed
qed

why3_vc cardinal_add by (auto simp add: fcard_finsert_if finsert_absorb)

why3_vc cardinal_empty by (simp add: is_empty_def)

why3_vc cardinal_nonneg by simp

lemma cardinal_remove_in: 
  "x |\| s \ int (fcard (fremove x s)) = int (fcard s) - 1"
  by (smt cardinal_add(2) fminus_finsert_absorb fremove_def set_finsert)

lemma cardinal_remove_out:
  "x |\| s \ int (fcard (fremove x s)) = int (fcard s)"
  by (simp add: fremove_def)

why3_vc cardinal_remove by (auto simp add: cardinal_remove_out cardinal_remove_in)

why3_vc cardinal_subset
  using assms
  by (simp add: Fset.subset_def fcard_mono fsubsetI)

why3_vc filter_def by (simp add: Why3_Set.filter_def)

why3_vc cardinal_map
  apply (simp add: fcard_def card_def)
  by (metis card_def card_image_le finite_fset)

why3_vc cardinal_diff
  by (metis fcard_funion_fsubset fcard_mono fminus_finter2 inf.idem inf_commute inf_sup_ord(1) of_nat_diff)
(*  by (smt fcard_funion_fsubset fcard_mono finter_lower1 fminus_finter2 inf.idem inf_commute int_ops(6) of_nat_mono)*)

why3_vc mem_singleton
  using assms by auto

why3_vc subset_filter
  by (simp add: Fset.subset_def Why3_Set.filter_def)

why3_vc cardinal_union
  by (smt fcard_funion_finter of_nat_add)

why3_vc empty_is_empty
  by (meson Fset.is_empty_def assms bot.extremum_uniqueI fsubsetI)

why3_vc is_empty_empty
  by (simp add: cardinal_empty)

why3_vc subset_inter_1
  by (simp add: Fset.subset_def)

why3_vc subset_inter_2
  by (simp add: Fset.subset_def)

why3_vc subset_union_1
  by (simp add: Fset.subset_def)

why3_vc subset_union_2
  by (simp add: Fset.subset_def)

why3_vc cardinal_filter
  using cardinal_subset subset_filter by blast

why3_vc disjoint_diff_eq
  by (smt Fset.disjoint_def Fset.facts.diff_def fsubsetI fsubset_antisym)

why3_vc  disjoint_diff_s2
  by (simp add: Fset.facts.disjoint_diff_eq)

why3_vc disjoint_inter_empty
  by (metis Fset.facts.disjoint_diff_eq Fset.facts.empty_is_empty Fset.facts.is_empty_empty fminus_disjoint fminus_triv) 

why3_vc cardinal_inter_disjoint
  by (meson Fset.facts.disjoint_inter_empty assms cardinal_empty)

why3_end

end
why3-1.6.0/lib/isabelle/Why3_Setup.thy000066400000000000000000000003701440160026300174720ustar00rootroot00000000000000theory Why3_Setup
imports Main
keywords
  "why3_open" :: thy_load and
  "why3_end" "why3_consts" "why3_types" "why3_thms" "why3_defs" :: thy_decl and
  "why3_vc" :: thy_goal and "why3_status" :: diag
begin

ML_file "why3.ML"

setup Why3.setup

end
why3-1.6.0/lib/isabelle/etc/000077500000000000000000000000001440160026300155055ustar00rootroot00000000000000why3-1.6.0/lib/isabelle/etc/settings000066400000000000000000000002461440160026300172720ustar00rootroot00000000000000# -*- shell-script -*- :mode=shellscript:

WHY3_ISABELLE_HOME="$COMPONENT"
WHY3_JEDIT_SERVER="server-Why3"
ISABELLE_TOOLS="$ISABELLE_TOOLS:$WHY3_ISABELLE_HOME/Tools"
why3-1.6.0/lib/isabelle/realizations000066400000000000000000000053751440160026300173730ustar00rootroot00000000000000d6f515877e060baa1e5c3b961ebc1fef8481077d  int/Abs.xml
4798314a713999989fbfe357e32c863af664b171  int/ComputerDivision.xml
0bf9f4b49f0fd082d03011649520773c6c779365  int/Div2.xml
bf46afb573d8c617c16343bde51d43ef8a0455ab  int/EuclideanDivision.xml
7164924205b1ec7085ec3177436b1127eadb0479  int/Int.xml
8947d7b8d73ca2cd6333024c23b2fa0f5453c562  int/MinMax.xml
9e550b757adffdb78db010e8aa14b85a065b3c60  int/Power.xml
f882849e4118c2f3b657599a39c91708884bba22  bool/Bool.xml
eb7eab45667a1fb9e101975e05f7e9e46c871b15  real/Real.xml
f80da4609433de4d5ccb6ebbbe0fa954c5ed5187  real/RealInfix.xml
95e10201024c51a32ce015927413cbbdcdb46136  real/Abs.xml
2b9040160f6aab64348cf3008365574f02026bb3  real/MinMax.xml
3cc6bd97503e596fae70c51ef1d5401a62114b94  real/FromInt.xml
62beb9d22a9b5a94aaa55b8865e49320f5c776ff  real/Truncate.xml
9ec1794c5e35cee3bc4d71a42be74fc89fb342fb  real/Square.xml
6dc1b60c6ee9c4740643b7b5242808fadb22eae0  real/ExpLog.xml
d9ee378db053cfaaf753de9f664bbb83004b621b  real/Trigonometry.xml
da4b981eb0a086bafef4994a856470521dc76f3a  real/PowerInt.xml
0ed4c61a5065a61910f70b1c2071ac01310fbc37  number/Divisibility.xml
7543f13d887b95912e75f4286bb897ce6fa1c2a1  number/Gcd.xml
dda3028c2500c663d193e634efd37ce62a19447b  number/Parity.xml
4b2c2b7a76c5e07740a349b9a2e220c09a6d4e93  number/Prime.xml
6220fcca885e371361612aa1ae79f744a9725c5b  number/Coprime.xml
45a12fb57ec7dfa939a76438abac525a4a80908f  set/Set.xml
b69dbb0d084bf4eeea3a5538e7a4f054e05e6ef0  set/Fset.xml
1ba510a17cfe80684c2b65ce7b7a0625a56ab1c2  map/Map.xml
b4dbdfd0529dd93c0f5d7f5980be19a79d4e570b  map/Const.xml
b774668e3edc7290afd2af25f3d3acc97b176376  map/Occ.xml
5fc59b90cccec35328bb6f68194e58e366aacab0  map/MapPermut.xml
c97709c7c873bfbaebb707d5b0fe73bf0227f53b  map/MapInjection.xml
d0676b0436915fdc08c5e1a41e8f5fca0d083431  list/List.xml
9d4c7d17d52390704aa03d9e822fba5fdf9b7330  list/Length.xml
d1c8d961045dd5cde490a2e13b9642d4543d9315  list/Mem.xml
ced4512415ca6a09755640fdf8eaee06bedad7e3  list/Nth.xml
1162498dc351c96b45d9b4baf947b508de218694  list/NthNoOpt.xml
5f9f51c5f11258527726aa0c5bd1170a34d4af35  list/NthLength.xml
0820068f8334137249ff44e042d7bbc4bab86ebc  list/HdTl.xml
1baa2e8880329031a27366b9a0f93a0a74c3c1ae  list/NthHdTl.xml
83cd5aed99a330436046243a6fef5b61dbceb5f0  list/Append.xml
660baeb1612da02aa854d8b1bb6b6020890652b7  list/NthLengthAppend.xml
599981a776db69963cad84843234748ff9af5620  list/Reverse.xml
d22ece3391e0afbcc5d968c2ca1adb42e0893c79  list/HdTlNoOpt.xml
9f17f45865d620f6e83cff99bc8bde424767dd74  list/RevAppend.xml
9b4b44b399d0a3dd984bd28052e973ccf40ccb43  list/Combine.xml
015c4c7c0a410f0d9437031e6d231604fbca7ffb  list/Distinct.xml
5645487a4e3ec5c5caed7b281f458f1c9cdeea26  list/NumOcc.xml
70188a9eb4e534636169ac4a26fcf3d532ab0d96  list/Permut.xml
0b0dc7516afdb64d691c14d202a63cd997eba4b5  bv/Pow2int.xml
why3-1.6.0/lib/isabelle/why3.ML.2019000066400000000000000000001270721440160026300164610ustar00rootroot00000000000000signature WHY3 =
sig
  val add_why3_const: string * string -> theory -> theory
  val add_why3_type: string * string -> theory -> theory
  val add_why3_thm: string * thm list -> theory -> theory
  val add_why3_def: string * thm list -> theory -> theory
  val setup: theory -> theory
end

structure Why3: WHY3 =
struct

(**** XML utilities ****)

fun get_opt_att s atts = AList.lookup (op =) atts s;

fun get_att s atts = (case get_opt_att s atts of
    SOME x => x
  | NONE => error ("Missing attribute " ^ s));

fun get_att_default x s atts = (case get_opt_att s atts of
    SOME y => y
  | NONE => x);

fun get_name atts = get_att "name" atts;

fun get_name'' atts =
  case (get_opt_att "path" atts, get_opt_att "altname" atts) of
    (SOME s, SOME s') => SOME (s, s')
  | _ => NONE;

fun get_name' atts = (get_name atts, get_name'' atts);

fun get_opt_name atts =
  case get_opt_att "name" atts of
    NONE => NONE
  | SOME name => SOME (name, get_name'' atts);

fun variant fs (XML.Elem ((s, atts), ts)) =
      (case AList.lookup (op =) fs s of
         SOME f => (f atts ts handle General.Match =>
           error ("Failed to parse element " ^ s))
       | NONE => error ("Bad element: " ^ s))
  | variant _ _ = error "Element expected";

fun elem s f (XML.Elem ((s', atts), ts)) =
      if s = s' then f atts ts
      else error ("Element " ^ s ^ " expected")
  | elem _ _ _ = error "Element expected";

fun optional _ x [] = x
  | optional f _ [x] = f x;

fun option _ [] = NONE
  | option f [x] = SOME (f x);

fun get_bool s atts = (case get_att_default "false" s atts of
    "false" => false
  | "true" => true
  | _ => error "Bad value for boolean attribute");

fun strip_whspc (XML.Elem (p, ts)) =
      SOME (XML.Elem (p, map_filter strip_whspc ts))
  | strip_whspc (txt as XML.Text s) =
      if forall Symbol.is_blank (raw_explode s)
      then NONE else SOME txt;

fun parse_xml s =
  (case strip_whspc (XML.parse s) of
     SOME x => x
   | NONE => error "Bad input");


(**** terms and types ****)

(* replace occurrences of dummy_pattern by distinct variables *)
fun replace_dummies (Const (@{const_name Pure.dummy_pattern}, T)) used =
      let val (x, used') = Name.variant "x" used
      in (Free (x, T), used') end
  | replace_dummies (t $ u) used =
      let
        val (t', used') = replace_dummies t used;
        val (u', used'') = replace_dummies u used';
      in (t' $ u', used'') end
  | replace_dummies t used = (t, used);

fun make_case t ps =
  Syntax.const @{const_name case_guard} $ @{term True} $ t $
  fold_rev (fn (l, r) => fn u =>
      let val (l', _) = replace_dummies l
        (Name.context |>
         Term.declare_term_frees l |>
         Term.declare_term_frees r)
      in
        Syntax.const @{const_name case_cons} $
        fold (fn p => fn b =>
            Syntax.const @{const_name case_abs} $
            Term.absfree p b)
          (Term.add_frees l' [])
          (Syntax.const @{const_name case_elem} $ l' $ r) $ u
      end)
    ps (Syntax.const @{const_name case_nil});

val get_tvar = prefix "'" o get_name;

fun typ f = variant
  [("type", fn atts => fn Ts => Type (f atts, map (typ f) Ts)),
   ("tvar", fn atts => fn [] => TFree (get_tvar atts, dummyS)),
   ("fun", fn _ => fn Ts as _ :: _ => op ---> (split_last (map (typ f) Ts))),
   ("pred", fn _ => fn Ts => map (typ f) Ts ---> @{typ bool}),
   ("prodt", K
      (fn [] => HOLogic.unitT
        | Ts => foldr1 HOLogic.mk_prodT (map (typ f) Ts)))];

fun term f g = variant
  [("const", fn atts => fn Ts =>
      Const (f atts, optional (typ g) dummyT Ts)),
   ("var", fn atts => fn Ts =>
      Free (get_name atts, optional (typ g) dummyT Ts)),
   ("abs", fn atts => fn [T, t] =>
      Term.absfree (get_name atts, typ g T) (term f g t)),
   ("app", fn _ => fn t :: ts => list_comb (term f g t, map (term f g) ts)),
   ("num", fn atts => fn Ts => HOLogic.mk_number
      (optional (typ g) dummyT Ts)
      (case Int.fromString (get_att "val" atts) of SOME i => i)),
   ("case", fn _ => fn t :: ps => make_case (term f g t)
      (map (elem "pat" (K (fn [l, r] => (term f g l, term f g r)))) ps)),
   ("prod", K
      (fn [] => HOLogic.unit
        | ts => foldr1 (fn (t, u) => Syntax.const @{const_name Pair} $ t $ u)
            (map (term f g) ts)))];


(**** declarations ****)

type name' = (string * string) option
type name = string * name'

datatype decl =
    Lemma of name * term list * term list
  | Axiom of name * term list
  | Typedecl of name * string list * typ option
  | Param of name * typ
  | Definition of name' * term
  | Datatype of (name * string list * (name * (name option * typ) list) list) list
  | Inductive of bool * (name * typ * (name * term) list) list
  | Function of (name' * term list) list

fun err_unfinished () = error "An unfinished Why3 environment is still open.";
fun err_no_env () = error "No Why3 environment is currently open.";

type tables =
  {consts: string Symtab.table,
   types: string Symtab.table,
   thms: thm list Symtab.table,
   defs: thm list Symtab.table}

val empty_tables =
  {consts = Symtab.empty,
   types = Symtab.empty,
   thms = Symtab.empty,
   defs = Symtab.empty};

fun map_consts f {consts, types, thms, defs} =
  {consts = f consts, types = types, thms = thms, defs = defs};

fun map_types f {consts, types, thms, defs} =
  {consts = consts, types = f types, thms = thms, defs = defs};

fun map_thms f {consts, types, thms, defs} =
  {consts = consts, types = types, thms = f thms, defs = defs};

fun map_defs f {consts, types, thms, defs} =
  {consts = consts, types = types, thms = thms, defs = f defs};

fun merge_tables
  ({consts = consts1, types = types1, thms = thms1, defs = defs1},
   {consts = consts2, types = types2, thms = thms2, defs = defs2}) =
  {consts = Symtab.merge (op =) (consts1, consts2),
   types = Symtab.merge (op =) (types1, types2),
   thms = Symtab.merge (eq_list Thm.eq_thm_strict) (thms1, thms2),
   defs = Symtab.merge (eq_list Thm.eq_thm_strict) (defs1, defs2)};

structure Why3_Data = Theory_Data
(
  type T =
    {theories: tables Symtab.table,
     env:
       {thyname: string,
        decls: (decl * Timing.timing) list,
        vcs: (thm list option * term list * term list) Symtab.table} option}
  val empty : T = {theories = Symtab.empty, env = NONE}
  val extend = I
  fun merge ({theories = theories1, env = NONE},
        {theories = theories2, env = NONE}) =
        {theories = Symtab.join (K merge_tables) (theories1, theories2),
         env = NONE}
    | merge _ = err_unfinished ()
)

fun lookup_vc thy name =
  (case Why3_Data.get thy of
     {env = SOME {vcs, ...}, ...} => Symtab.lookup vcs name
   | _ => NONE);

val is_closed = is_none o #env o Why3_Data.get;

fun mk_vc name_concl prems concls =
  (Element.Assumes (map_index (fn (i, t) =>
     ((Binding.name ("H" ^ string_of_int (i + 1)), []), [(t, [])])) prems),
   Element.Shows (map_index (fn (i, t) =>
     (if name_concl then (Binding.name ("C" ^ string_of_int (i + 1)), [])
      else Binding.empty_atts,
      [(t, [HOLogic.mk_Trueprop
          (Var (("C", i + 1), HOLogic.boolT))])])) concls));

fun get_vc thy vc_name =
  (case lookup_vc thy vc_name of
    SOME (proved, prems, concls) =>
      if is_some proved then
        error ("The verification condition " ^
          quote vc_name ^ " has already been proved.")
      else mk_vc false prems concls
  | NONE => error ("There is no verification condition " ^
      quote vc_name ^ "."));

fun pp_vcs msg vcs = Pretty.big_list msg (map (Pretty.str o fst) vcs);

fun pp_open_vcs [] = Pretty.str "All verification conditions have been proved."
  | pp_open_vcs vcs = pp_vcs
      "The following verification conditions remain to be proved:" vcs;

fun partition_vcs vcs = Symtab.fold_rev
  (fn (name, (SOME thms, ps, cs)) =>
        apfst (cons (name, (thms, ps, cs)))
    | (name, (NONE, ps, cs)) =>
        apsnd (cons (name, (ps, cs))))
  vcs ([], []);

fun insert_break prt = Pretty.blk (0, [Pretty.fbrk, prt]);

fun print_open_vcs f vcs =
  (Pretty.writeln (f (pp_open_vcs (snd (partition_vcs vcs)))); vcs);

fun mark_proved name thms = Why3_Data.map (fn
    {theories,
     env = SOME {thyname, decls, vcs}} =>
      {theories = theories,
       env = SOME {thyname = thyname, decls = decls,
         vcs = print_open_vcs insert_break (Symtab.map_entry name
           (fn (_, ps, cs) => (SOME thms, ps, cs)) vcs)}}
  | x => x);

fun add_name kind sel th (p as (x, _)) tab =
  Symtab.map_default (th, empty_tables) (sel (Symtab.update_new p)) tab
  handle Symtab.DUP _ =>
    error ("The " ^ kind ^ " " ^ x ^ " is already defined.");

fun add_item add opt_thyname p = Why3_Data.map
  (fn {theories, env} =>
     {theories = add
        (case (env, opt_thyname) of
           (SOME {thyname, ...}, NONE) => thyname
         | (NONE, SOME thyname) => thyname
         | (NONE, NONE) => err_no_env ()
         | (SOME _, SOME _) => err_unfinished ())
        p theories,
      env = env});

fun add_item_intern add intrn s thy = add_item add NONE (s, intrn thy s) thy;

val add_const = add_item_intern (add_name "constant" map_consts) Sign.intern_const;
val add_type = add_item_intern (add_name "type" map_types) Sign.intern_type;

val add_const_raw = add_item (add_name "constant" map_consts);
val add_type_raw = add_item (add_name "type" map_types);
val add_thm_raw = add_item (add_name "theorem" map_thms);
val add_def_raw = add_item (add_name "definition" map_defs);

fun add_qualified add prep (s, x) thy =
  (Long_Name.is_qualified s orelse
   error ("Qualified name expected, but " ^ s ^ " was found");
   add (SOME (Long_Name.qualifier s))
     (Long_Name.base_name s, prep (Proof_Context.init_global thy) x) thy);

val add_why3_const = add_qualified add_const_raw (fn ctxt => fn cname =>
  fst (dest_Const (Proof_Context.read_const {proper = true, strict = false} ctxt cname)));

val add_why3_type = add_qualified add_type_raw (fn ctxt => fn tyname =>
  fst (dest_Type (Proof_Context.read_type_name {proper = true, strict = false} ctxt tyname)));

val add_why3_thm = add_qualified add_thm_raw (K I);
val add_why3_thm_cmd = add_qualified add_thm_raw Attrib.eval_thms;

val add_why3_def = add_qualified add_def_raw (K I);
val add_why3_def_cmd = add_qualified add_def_raw Attrib.eval_thms;

fun lookup_name kind sel tab s s' = (case Symtab.lookup tab s of
    NONE => error ("The theory " ^ s ^ " was not found")
  | SOME tab' => (case Symtab.lookup (sel tab') s' of
        NONE => error ("The " ^ kind ^ " " ^ s' ^
          " was not found in theory " ^ s)
      | SOME name => name));

fun lookup_const tab = lookup_name "constant" #consts tab;
fun lookup_type tab = lookup_name "type" #types tab;

fun lookup_name' sel thy (SOME (s, s')) =
      (case Symtab.lookup (#theories (Why3_Data.get thy)) s of
         NONE => NONE
       | SOME tab' => (case Symtab.lookup (sel tab') s' of
             NONE => NONE
           | SOME name => SOME name))
  | lookup_name' _ _ NONE = NONE;

fun lookup_const' thy = lookup_name' #consts thy;
fun lookup_type' thy = lookup_name' #types thy;
fun lookup_thm thy = lookup_name' #thms thy;
fun lookup_def thy = lookup_name' #defs thy;

fun prep_name lookup ctxt atts =
  (case Why3_Data.get (Proof_Context.theory_of ctxt) of
     {theories, env = SOME {thyname, ...}} =>
       let val name = get_name atts
       in case (get_bool "local" atts, get_opt_att "path" atts) of
           (false, NONE) => name
         | (true, _) => lookup theories thyname name
         | (_, SOME thyname') => lookup theories thyname' name
       end
   | _ => err_no_env ());

fun read_type ctxt x = Syntax.check_typ ctxt
  (typ (prep_name lookup_type ctxt) x);

fun read_term ctxt x = Syntax.check_term ctxt
  (term (prep_name lookup_const ctxt) (prep_name lookup_type ctxt) x);

fun read_prop ctxt x = HOLogic.mk_Trueprop (read_term ctxt x);

fun prep_datatypes ctxt dts =
  let val ctxt' = fold (fn ((s, _), args, _) =>
    Typedecl.basic_typedecl {final = true} (Binding.name s, length args, NoSyn) #>
    snd #> Local_Theory.background_theory (add_type s)) dts ctxt
  in map (fn (b, args, constrs) =>
    (b, args, map (apsnd (map (apsnd (read_type ctxt')))) constrs)) dts
  end;

fun read_statement ctxt f atts [prems, concls] = f
  (get_name' atts,
   elem "prems" (K (map (read_prop ctxt))) prems,
   elem "concls" (K (map (read_prop ctxt))) concls);

val read_ty_params = elem "params" (K (map (elem "param" (K o get_tvar))));

val gen_head_of_eqn =
  HOLogic.dest_Trueprop #> HOLogic.dest_eq #> fst #> head_of;

val head_of_eqn = gen_head_of_eqn #> dest_Free;
val head_of_eqn' = gen_head_of_eqn #> dest_Const;

(* split up term containing case combinators into several terms *)
fun expand_cases ctxt t =
  let
    fun rename fmap = Term.map_aterms
      (fn Free (s, T) => Free (the_default s (AList.lookup (op =) fmap s), T)
        | t => t);

    fun rename_case used (l, r) =
      let val (fmap, _) = fold_map
        (fn s => apfst (pair s) o Name.variant s)
        (Term.add_free_names l []) used
      in (rename fmap l, rename fmap r) end;

    fun strip_case used t =
      if null (loose_bnos t)
      then (case Case_Translation.strip_case ctxt false t of
          SOME (u as Free _, ps) => SOME (u, map (rename_case used) ps)
        | _ => NONE)
      else NONE;

    fun mk_ctxt f = Option.map (fn (x, ps) => (x, map (apsnd f) ps));

    fun strip_case' used t = (case strip_case used t of
        NONE => (case t of
            t1 $ t2 => (case strip_case' used t1 of
                NONE => mk_ctxt (fn u => t1 $ u) (strip_case' used t2)
              | p => mk_ctxt (fn u => u $ t2) p)
          | Abs (s, T, r) => mk_ctxt (fn u => Abs (s, T, u))
              (strip_case' used r)
          | _ => NONE)
      | p => p);

    fun expand t =
      (case strip_case' (Term.declare_term_frees t Name.context) t of
         NONE => [t]
       | SOME (x, ps) => maps (fn (l, r) =>
           expand (Term.subst_atomic [(x, l)] r)) ps)
  in expand t end;

fun read_decl ctxt = variant
  [("lemma", read_statement ctxt Lemma),
   ("axiom", read_statement ctxt (fn (name, prems, concls) =>
      Axiom (name, map (fn concl =>
        Logic.list_implies (prems, concl)) concls))),
   ("typedecl", fn atts => fn params :: rhs => Typedecl
      (get_name' atts,
       read_ty_params params,
       option (read_type ctxt) rhs)),
   ("param", fn atts => fn [ty] => Param
      (get_name' atts, read_type ctxt ty)),
   ("definition", fn atts => fn [t] =>
      Definition (get_name'' atts, read_prop ctxt t)),
   ("datatypes", fn _ => fn xs => Datatype (prep_datatypes ctxt
      (map (elem "datatype" (fn atts => fn [params, constrs] =>
         (get_name' atts,
          read_ty_params params,
          elem "constrs"
            (K (map (elem "constr" (fn atts => fn ys =>
               (get_name' atts,
                map (elem "carg" (fn atts => fn [z] =>
                  (get_opt_name atts, z))) ys))))) constrs))) xs))),
   ("inductive", fn atts => fn xs => Inductive
      (get_bool "coind" atts,
       map (elem "pred" (fn atts => fn ty :: rls =>
         (get_name' atts,
          read_type ctxt ty,
          map (elem "rule" (fn atts => fn [prems, concl] =>
            (get_name' atts,
             Logic.list_implies
               (elem "prems" (K (map (read_prop ctxt))) prems,
                read_prop ctxt concl)))) rls))) xs)),
   ("function", fn _ => fn xs => Function
      (map (elem "eqn" (fn atts => fn [t] =>
         (get_name'' atts, expand_cases ctxt (read_prop ctxt t)))) xs))];


(**** pretty printing ****)

fun string_of_status NONE = "(* unproved *)"
  | string_of_status (SOME _) = "(* proved *)";

fun pretty_typ s [] = Pretty.str s
  | pretty_typ s [v] = Pretty.block
      [Pretty.str v, Pretty.brk 1, Pretty.str s]
  | pretty_typ s vs = Pretty.block
      [Pretty.list "(" ")" (map Pretty.str vs), Pretty.brk 1, Pretty.str s];

fun blocks prfx1 prfx2 xs f = fst (fold_map (fn x => fn prfx =>
    (Pretty.block (Pretty.str prfx :: Pretty.brk 1 :: f x),
     prfx2))
  xs prfx1);

fun pretty_decl (p, f) ctxt (Lemma ((s, _), prems, concls)) =
      let
        val SOME (opt, _, _) = lookup_vc (Proof_Context.theory_of ctxt) s;
        val ctxt' = fold Variable.auto_fixes (prems @ concls) ctxt;
        val (context, stmt) = mk_vc true prems concls
      in
        if p opt then
          SOME (Pretty.big_list ("lemma " ^ s ^ ": " ^ f opt)
            (Element.pretty_ctxt ctxt' context @
             Element.pretty_stmt ctxt' stmt))
        else NONE
      end
  | pretty_decl _ ctxt (Axiom ((s, _), ts)) =
      let val ctxt' = fold Variable.auto_fixes ts ctxt
      in SOME (Pretty.block
        ([Pretty.str "axiomatization where", Pretty.brk 1,
          Pretty.str s, Pretty.str ":", Pretty.brk 1] @
         separate (Pretty.brk 1)
           (map (Pretty.quote o Syntax.pretty_term ctxt') ts)))
      end
  | pretty_decl _ ctxt (Typedecl ((s, _), args, opt_rhs)) = SOME (Pretty.block
      (case opt_rhs of
         NONE => [Pretty.str "typedecl", Pretty.brk 1,
           pretty_typ s args]
       | SOME T => [Pretty.str "type_synonym", Pretty.brk 1,
           pretty_typ s args, Pretty.str " =", Pretty.brk 1,
           Pretty.quote (Syntax.pretty_typ ctxt T)]))
  | pretty_decl _ ctxt (Param ((s, _), T)) = SOME (Pretty.block
      [Pretty.str "axiomatization", Pretty.brk 1,
       Pretty.str s, Pretty.str " ::", Pretty.brk 1,
       Pretty.quote (Syntax.pretty_typ ctxt T)])
  | pretty_decl _ ctxt (Definition (_, eqn)) =
      let
        val ctxt' = Variable.auto_fixes eqn ctxt;
        val (s, T) = head_of_eqn eqn
      in SOME (Pretty.block [Pretty.str "definition ", Pretty.str s,
        Pretty.str " ::", Pretty.brk 1,
        Pretty.quote (Syntax.pretty_typ ctxt' T),
        Pretty.str " where", Pretty.fbrk,
        Pretty.quote (Syntax.pretty_term ctxt' eqn)])
      end
  | pretty_decl _ ctxt (Datatype dts) = SOME (Pretty.chunks
      (blocks "datatype" "and" dts (fn ((s, _), args, constrs) =>
         [pretty_typ s args,
          Pretty.str " =", Pretty.brk 1] @
          Pretty.separate " |"
            (map (fn ((s', _), cargs) => Pretty.block
                 (separate (Pretty.brk 1) (Pretty.str s' :: (map
                    (fn (NONE, T) => Pretty.quote (Syntax.pretty_typ ctxt T)
                      | (SOME (sel, _), T) => Pretty.enclose "(" ")"
                          [Pretty.str sel, Pretty.str " :", Pretty.brk 1,
                           Pretty.quote (Syntax.pretty_typ ctxt T)]) cargs))))
               constrs))))
  | pretty_decl _ ctxt (Inductive (coind, preds)) =
      let val ctxt' = fold (fold (Variable.auto_fixes o snd) o #3) preds ctxt
      in
        SOME (Pretty.chunks
          (blocks ((coind ? prefix "co") "inductive") "and" preds
             (fn ((s, _), T, _) =>
                [Pretty.str s, Pretty.str " ::", Pretty.brk 1,
                 Pretty.quote (Syntax.pretty_typ ctxt' T)]) @
           Pretty.str "where" ::
           blocks " " "|" (maps #3 preds) (fn ((s, _), t) =>
             [Pretty.str s, Pretty.str ":",
              Pretty.brk 1, Pretty.quote (Syntax.pretty_term ctxt' t)])))
      end
  | pretty_decl _ ctxt (Function eqnss) =
      let val ctxt' = fold (fold Variable.auto_fixes o snd) eqnss ctxt
      in
        SOME (Pretty.chunks
          (blocks "fun" "and" eqnss (fn (_, t :: _) =>
             let val (s, T) = head_of_eqn t
             in
               [Pretty.str s, Pretty.str " ::", Pretty.brk 1,
                Pretty.quote (Syntax.pretty_typ ctxt' T)]
             end) @
           Pretty.str "where" ::
           blocks " " "|" (maps snd eqnss)
             (single o Pretty.quote o Syntax.pretty_term ctxt')))
      end;

fun path_of_decl (Lemma ((_, SOME (s, _)), _, _)) = s
  | path_of_decl (Axiom ((_, SOME (s, _)), _)) = s
  | path_of_decl (Typedecl ((_, SOME (s, _)), _, _)) = s
  | path_of_decl (Param ((_, SOME (s, _)), _)) = s
  | path_of_decl (Definition (SOME (s, _), _)) = s
  | path_of_decl (Datatype (((_, SOME (s, _)), _, _) :: _)) = s
  | path_of_decl (Inductive (_, ((_, SOME (s, _)), _, _) :: _)) = s
  | path_of_decl (Function ((SOME (s, _), _) :: _)) = s
  | path_of_decl _ = "local";

val why3_timing = Attrib.setup_config_bool @{binding "why3_timing"} (K false);

fun pretty_decl_timing sel ctxt (d, (tm, tm')) =
  case pretty_decl sel ctxt d of
    NONE => NONE
  | SOME pr => SOME
      (if Config.get ctxt why3_timing then
         Pretty.chunks2
           [pr, Pretty.enclose "(" ")"
              [Pretty.str (Timing.message tm),
               Pretty.str ",", Pretty.brk 1, Pretty.str "total: ",
               Pretty.str (Timing.message tm')]]
       else pr);

fun sum_timing
  {elapsed = elapsed1, cpu = cpu1, gc = gc1}
  {elapsed = elapsed2, cpu = cpu2, gc = gc2} =
  {elapsed = elapsed1 + elapsed2, cpu = cpu1 + cpu2, gc = gc1 + gc2};

val zero_timing = {elapsed = Time.zeroTime, cpu = Time.zeroTime, gc = Time.zeroTime};

fun pretty_decls thy sel decls =
  let
    val ctxt = Proof_Context.init_global thy;
    val decls' = AList.coalesce (op =)
      (fst (fold_map (fn (d, tm) => fn tm' =>
         let val tm'' = sum_timing tm tm'
         in ((path_of_decl d, (d, (tm, tm''))), tm'') end)
         decls zero_timing))
  in
    Pretty.chunks2 (maps (fn (s, ds) =>
      Pretty.str ("(**** " ^ s ^ " ****)") ::
      map_filter (pretty_decl_timing sel ctxt) ds) decls')
  end;

fun add_type_names (Type (s, Ts)) = insert (op =) (Long_Name.base_name s) #> fold add_type_names Ts
  | add_type_names _ = I;

val add_term_names = fold_term_types
  (fn (Const (s, _)) =>
        apfst (insert (op =) (Long_Name.base_name s)) oo apsnd o add_type_names
    | _ => apsnd o add_type_names);

fun add_decl_names (Lemma (_, prems, concls)) =
      fold add_term_names prems #> fold add_term_names concls
  | add_decl_names (Axiom (_, ts)) = fold add_term_names ts
  | add_decl_names (Typedecl ((s, _), _, opT)) =
      apsnd (insert (op =) s #> (case opT of SOME T => add_type_names T | _ => I))
  | add_decl_names (Param ((s, _), T)) =
      apfst (insert (op =) s) #> apsnd (add_type_names T)
  | add_decl_names (Definition (_, eqn)) =
      apfst (insert (op =) (fst (head_of_eqn eqn))) #> add_term_names eqn
  | add_decl_names (Datatype dts) = fold (fn ((tyname, _), _, constrs) =>
      apsnd (insert (op =) tyname) #> fold (fn ((cname, _), cargs) =>
        apfst (insert (op =) cname) #> fold
          (fn (NONE, T) => apsnd (add_type_names T)
            | (SOME (sel, _), T) => apfst (insert (op =) sel) #> apsnd (add_type_names T))
          cargs) constrs) dts
  | add_decl_names (Inductive (_, preds)) = fold (fn ((s, _), _, intrs) =>
      apfst (insert (op =) s) #> fold (add_term_names o snd) intrs) preds
  | add_decl_names (Function eqnss) = fold (fn (_, eqns) =>
      apfst (insert (op =) (fst (head_of_eqn (hd eqns)))) #>
      fold add_term_names eqns) eqnss;

fun mk_decl_filter (p, s) = filter (fn (decl, _) => p s (add_decl_names decl ([], [])));

fun has_cname s (cnames, _) = exists (String.isSubstring s) cnames;
fun has_tyname s (_, tynames) = exists (String.isSubstring s) tynames;
fun has_name s names = has_cname s names orelse has_tyname s names;

fun show_status thy (flt, sel) =
  (case Why3_Data.get thy of
     {env = SOME {decls, ...}, ...} => Pretty.writeln (pretty_decls thy sel (flt decls))
   | _ => ());


(**** processing declarations ****)

fun rename_const ps = map_aterms
  (fn t as Const (p as (_, T)) => (case AList.lookup (op =) ps p of
          SOME s => Free (s, T)
        | NONE => t)
    | t => t);

fun string_of_id (SOME (s, s')) = s ^ "." ^ s';

fun lookup_list sel lookup xs =
  let val ps = map (fn x => (x, lookup (sel x))) xs
  in
    if forall (is_none o snd) ps then NONE
    else SOME (map
      (fn (x, SOME y) => (x, y)
        | (x, NONE) =>
            error ("No association given for " ^ string_of_id (sel x)))
      ps)
  end;

fun fact_binding s = Binding.qualify false "facts" (Binding.name s);

fun err_decl thy s decl =
  error (Pretty.string_of (Pretty.blk (0,
    [Pretty.str s, Pretty.fbrk, Pretty.fbrk,
     the (pretty_decl (K true, K "") (Proof_Context.init_global thy) decl)])));

fun make_record_aux rname cname
      ({fields as (fname, _) :: _, extension = (ext_name, _),
        args, select_convs, ...} : Record.info) thy =
      let
        val fields' = map fst fields @ [Long_Name.map_base_name (K "more") fname];
        val [a, b] = Name.variant_list (map fst args) ["'a", "'b"];
        val aT = TFree (a, @{sort type});
        val bT = TFree (b, @{sort type});
        val argsT = map TFree args;
        val rT = Type (ext_name, argsT @ [aT]);
        val rT' = Type (ext_name, argsT @ [HOLogic.unitT]);
        val fld_names = map (Long_Name.base_name o fst) fields;
        val Us = map snd fields;
        val Ts = Us @ [aT];
        val fT = Ts ---> bT;
        val fN = singleton (Name.variant_list fld_names) "f";
        val f = Free (fN, fT);
        val x = Free ("x", rT);
        val xs' = map Free (fld_names ~~ Us);
        val xs = xs' @ [Free ("more", aT)];

        val ((_, (_, case_def)), lthy1) = thy |> Named_Target.theory_init |>
          Specification.definition NONE [] []
            (Binding.empty_atts,
             HOLogic.mk_Trueprop (HOLogic.mk_eq
               (Free (rname ^ "_case", fT --> rT --> bT) $ f $ x,
                list_comb (f, map2 (fn s => fn T => Const (s, rT --> T) $ x) fields' Ts))));

        val case_eq = Goal.prove_sorry lthy1 (fN :: "more" :: fld_names) []
          (HOLogic.mk_Trueprop (HOLogic.mk_eq
             (Free (rname ^ "_case", fT --> rT --> bT) $ f $
                list_comb (Const (ext_name, Ts ---> rT), xs),
              list_comb (f, xs))))
          (fn {context, ...} =>
             simp_tac (put_simpset HOL_basic_ss context addsimps (case_def :: select_convs)) 1);

        val case_name = Sign.intern_const (Proof_Context.theory_of lthy1) (rname ^ "_case")
      in
        lthy1 |>
        Local_Theory.note
          ((Binding.name (rname ^ "_case_eq"),
           [Attrib.internal (K Simplifier.simp_add)]), [case_eq]) |> snd |>
        Specification.abbreviation Syntax.mode_input NONE []
          (Logic.mk_equals
             (list_comb (Free (cname, Us ---> rT'), xs'),
              list_comb (Const (ext_name, Us ---> HOLogic.unitT --> rT'),
                xs' @ [HOLogic.unit]))) false |>
        Local_Theory.exit_global |>
        Context.theory_map (Case_Translation.register
          (Const (case_name, fT --> rT --> bT)) [Const (ext_name, Ts ---> rT)])
      end
  | make_record_aux _ _ _ _ = error "make_record_aux: internal error";

fun make_record rname args cname flds thy =
  let val thy' = Record.add_record {overloaded = false}
    (args, Binding.name rname) NONE
    (map (fn (fname, T) => (Binding.name fname, T, NoSyn)) flds) thy;
  in
    make_record_aux rname cname
      (Record.the_info thy' (Sign.full_name thy' (Binding.name rname))) thy'
  end;

fun add_axioms s [t] =
      Specification.axiom ((fact_binding s, []), t) #> snd
  | add_axioms s ts =
      fold_map Specification.axiom
        (map_index (fn (i, t) =>
           ((fact_binding (s ^ "_" ^ string_of_int (i + 1)), []), t)) ts) #> snd

fun dest_record thy [((s, _), args, [((cname, _), cargs)])] =
      let val tyname = Sign.full_name thy (Binding.name s)
      in
        if forall (fn (sel, T) => is_some sel andalso not (exists_subtype
          (fn Type (tyname', _) => tyname = tyname' | _ => false) T)) cargs
        then SOME (s, args, cname, map (apfst (fst o the)) cargs)
        else NONE
      end
  | dest_record _ _ = NONE;

fun get_dt_spec thy err s =
  case Ctr_Sugar.ctr_sugar_of_global thy s of
    SOME {T, ctrs, selss, ...} =>
      let
        val ctrs' = map (apsnd binder_types o dest_Const) ctrs;
        val selss' = (case selss of
            [] => map (map (K NONE) o snd) ctrs'
          | _ => map (map (SOME o fst o dest_Const)) selss)
      in
        (snd (dest_Type T),
         map2 (fn (cname, cargs) => fn sels => (cname, sels ~~ cargs)) ctrs' selss',
         NONE)
      end
  | NONE => (case Record.get_info thy s of
      SOME (info as {args, fields, ...}) =>
        (map TFree args, [("", map (apfst SOME) fields)], SOME info)
    | NONE => err ());

val why3_records = Attrib.setup_config_bool @{binding "why3_records"} (K true);

fun add_inductive_global flags cnames_syn pnames pre_intros monos thy =
  thy |>
  Named_Target.theory_init |>
  Inductive.add_inductive flags cnames_syn pnames pre_intros monos |> snd |>
  Local_Theory.exit |>
  Proof_Context.theory_of;

fun mk_decl _ (decl as Axiom ((s, id), ts)) thy =
      (case lookup_thm thy id of
         NONE =>
           (add_axioms s ts thy, true)
       | SOME thms =>
           if length thms = length ts andalso
             forall (Pattern.matches thy o apfst Thm.prop_of) (thms ~~ ts)
           then (thy, false)
           else err_decl thy ("Failed to match axiom " ^ string_of_id id) decl)
  | mk_decl realize (Typedecl ((s, id), args, opt_rhs)) thy =
      (case opt_rhs of
         NONE =>
           if realize then (thy, false) else
           (case lookup_type' thy id of
              NONE =>
                (thy |> Named_Target.theory_map (Typedecl.typedecl {final = true}
                   (Binding.name s, map (rpair dummyS) args, NoSyn) #> snd) |>
                 add_type s,
                 true)
            | SOME s' => (add_type_raw NONE (s, s') thy, false))
       | SOME T =>
           (thy |> Named_Target.theory_map (Typedecl.abbrev
              (Binding.name s, args, NoSyn) T #> snd) |>
            add_type s,
            true))
  | mk_decl realize (Param ((s, id), T)) thy =
      if realize then (thy, false) else
      (case lookup_const' thy id of
         NONE =>
           (thy |> Specification.axiomatization
              [(Binding.name s, SOME T, NoSyn)] [] [] [] |> snd |>
            add_const s,
            true)
       | SOME s' => (add_const_raw NONE (s, s') thy, false))
  | mk_decl _ (decl as Definition (id, eqn)) thy =
      let val (s, _) = head_of_eqn eqn
      in
        case lookup_def thy id of
          NONE =>
            (thy |> Named_Target.theory_map (Specification.definition
               NONE [] [] (Binding.empty_atts, eqn) #> snd) |>
             add_const s,
             true)
        | SOME [th] =>
            let val p as (s', _) = head_of_eqn' (Thm.prop_of th)
              handle TERM _ => err_decl thy
                ("Bad equation for " ^ string_of_id id) decl
            in
              if Pattern.matches thy (rename_const [(p, s)] (Thm.prop_of th), eqn)
              then (add_const_raw NONE (s, s') thy, false)
              else err_decl thy
                ("Failed to match definition " ^ string_of_id id) decl
            end
        | _ => err_decl thy ("Single theorem expected for " ^ string_of_id id) decl
      end
  | mk_decl _ (decl as Datatype dts) thy =
      (case lookup_list (snd o #1) (lookup_type' thy) dts of
         NONE =>
           (case (Config.get_global thy why3_records, dest_record thy dts) of
              (true, SOME (s, args, s', cargs)) =>
                (thy |> make_record s (map (rpair @{sort type}) args) s' cargs |>
                 add_type s |>
                 add_const s' |>
                 fold (add_const o fst) cargs,
                 true)
            | _ =>
                (thy |> Named_Target.theory_map
                   (BNF_FP_Def_Sugar.co_datatypes BNF_Util.Least_FP BNF_LFP.construct_lfp
                      (Ctr_Sugar.default_ctr_options,
                       map (fn ((s, _), args, constrs) =>
                         (((((map (fn arg => (SOME Binding.empty, (TFree (arg, @{sort type}),
                              @{sort type}))) args, Binding.name s), NoSyn),
                            map (fn ((s', _), cargs) =>
                              (((Binding.empty, Binding.name s'),
                                map (fn (NONE, T) => (Binding.empty, T)
                                      | (SOME (sel, _), T) => (Binding.name sel, T)) cargs),
                               NoSyn)) constrs),
                           (Binding.empty, Binding.empty, Binding.empty)),
                          [])) dts)) |>
                 fold (fn ((s, _), _, constrs) => add_type s #>
                   fold (add_const o fst o fst) constrs #>
                   fold add_const (map_filter (Option.map fst o fst) (snd (hd constrs)))) dts,
                 true))
       | SOME dts' =>
           let val tcmap = map (fn (((s, _), _, _), s') =>
             (Sign.full_name thy (Binding.name s), s')) dts'
           in
             (fold (fn (((tyname, id), args, constrs), tyname') =>
                let
                  val (args', constrs', opt_info) = get_dt_spec thy
                    (fn () => err_decl thy (string_of_id id ^
                       "must be mapped to a datatype or record type") decl) tyname';
                  fun err () = err_decl thy
                    ("Failed to match type " ^ string_of_id id) decl;
                  val _ =
                    length args = length args' andalso
                    length constrs = length constrs' orelse err ();
                  val tvmap = args ~~ args';

                  fun rename (Type (tc, Ts)) = Type
                        (the_default tc (AList.lookup (op =) tcmap tc),
                         map rename Ts)
                    | rename (T as TFree (a, _)) =
                        (the_default T (AList.lookup (op =) tvmap a))
                    | rename T = T
                in
                  add_type_raw NONE (tyname, tyname') #>
                  rpair [] #>
                  fold2 (fn ((cname, _), cargs) => fn (cname', cargs') =>
                    if map (rename o snd) cargs = map snd cargs'
                    then
                      apfst (case opt_info of
                          NONE => add_const_raw NONE (cname, cname')
                        | SOME info =>
                            make_record_aux tyname cname info #>
                            add_const cname) #>
                      fold2
                        (fn (NONE, _) => K I
                          | (SOME (sel, _), _) =>
                               (fn (NONE, _) => err_decl thy
                                     ("Missing selector " ^ sel ^
                                      " for type " ^ string_of_id id) decl
                                 | (SOME sel', _) => (fn p as (thy', sel_map) =>
                                     (case AList.lookup (op =) sel_map sel of
                                        NONE =>
                                          (add_const_raw NONE (sel, sel') thy',
                                           (sel, sel') :: sel_map)
                                      | SOME sel'' =>
                                          if sel' = sel'' then p
                                          else err_decl thy
                                            ("Inconsistent selector " ^ sel ^
                                             " for type " ^ string_of_id id) decl))))
                        cargs cargs'
                    else err ()) constrs constrs' #>
                  fst
                end) dts' thy,
              false)
           end)
  | mk_decl _ (decl as Inductive (coind, preds)) thy =
      (case lookup_list (snd o #1) (lookup_def thy) preds of
         NONE =>
           (thy |> add_inductive_global
              {quiet_mode = true, verbose = false,
               alt_name = Binding.empty, coind = coind,
               no_elim = false, no_ind = false, skip_mono = false}
              (map (fn ((s, _), T, _) => ((Binding.name s, T), NoSyn)) preds) []
              (maps (map (apfst (rpair [] o Binding.name o fst)) o #3) preds) [] |>
            fold (add_const o fst o #1) preds,
            true)
       | SOME preds' =>
           let val cmap = map (fn (((s, id), _, _), th :: _) =>
             (th |> Thm.concl_of |> HOLogic.dest_Trueprop |> head_of |>
              dest_Const handle TERM _ =>
                err_decl thy ("Bad introduction rule for " ^ string_of_id id) decl,
              s)) preds'
           in
             app (fn (((_, id), _, intrs), intrs') =>
               if length intrs = length intrs' andalso
                 ListPair.all (fn ((_, t), th) =>
                     Pattern.matches thy (rename_const cmap (Thm.prop_of th), t))
                   (intrs, intrs')
               then ()
               else err_decl thy
                 ("Failed to match predicate " ^ string_of_id id) decl) preds';
             (fold (add_const_raw NONE o swap o apfst fst) cmap thy, false)
           end)
  | mk_decl _ (decl as Function eqnss) thy =
      let val eqnss' = map (head_of_eqn o hd o snd) eqnss
      in
        case lookup_list fst (lookup_def thy) eqnss of
          NONE =>
            (thy |> Named_Target.theory_map (Function_Fun.add_fun
               (map (fn (s, T) => (Binding.name s, SOME T, NoSyn)) eqnss')
               (map (fn t => ((Binding.empty_atts, t), [], [])) (maps snd eqnss))
               Function_Fun.fun_config) |>
             fold (add_const o fst) eqnss',
             true)
        | SOME eqnss'' =>
            let val cmap = map2 (fn ((id, _), th :: _) => fn (s, _) =>
              (th |> Thm.prop_of |> head_of_eqn' handle TERM _ =>
                 err_decl thy ("Bad equation for " ^ string_of_id id) decl,
               s)) eqnss'' eqnss'
            in
              app (fn ((id, eqns), eqns') =>
                if length eqns = length eqns' andalso
                  ListPair.all (fn (t, th) =>
                      Pattern.matches thy (rename_const cmap (Thm.prop_of th), t))
                    (eqns, eqns')
                then ()
                else err_decl thy
                  ("Failed to match function " ^ string_of_id id) decl) eqnss'';
              (fold (add_const_raw NONE o swap o apfst fst) cmap thy, false)
            end
      end
  | mk_decl _ _ thy = (thy, true);

fun init_decls thyname consts types = Why3_Data.map
  (fn {theories, env = NONE} =>
        {theories = Symtab.update_new
           (thyname,
            {consts = Symtab.make consts,
             types = Symtab.make types,
             thms = Symtab.empty,
             defs = Symtab.empty})
           theories handle Symtab.DUP _ =>
             error ("Theory " ^ thyname ^ " has already been loaded."),
         env = SOME
           {thyname = thyname,
            decls = [],
            vcs = Symtab.empty}}
    | _ => err_unfinished ());

fun put_decls decls = Why3_Data.map
  (fn {theories, env = SOME {thyname, ...}} =>
        {theories = theories,
         env = SOME
           {thyname = thyname,
            decls = decls,
            vcs = print_open_vcs I (fold
              (fn (Lemma ((s, _), ps, cs), _) => Symtab.update_new (s, (NONE, ps, cs))
                | _ => I) decls Symtab.empty
              handle Symtab.DUP k => error ("Verification condition " ^ k ^
                " has already been declared."))}}
    | _ => err_no_env ());

fun close incomplete thy =
  thy |>
  Why3_Data.map (fn
      {theories, env = SOME {thyname, vcs, ...}} =>
        let
          val (proved, unproved) = partition_vcs vcs;
          val _ = Thm.consolidate (maps (#1 o snd) proved)
        in
          (if null unproved
           then writeln ("Finished Why3 theory " ^ thyname)
           else (if incomplete then warning else error)
             (Pretty.string_of (pp_open_vcs unproved));
           {theories = theories, env = NONE})
        end
    | _ => err_no_env ()) |>
  Sign.parent_path;

val why3_warn_axioms = Attrib.setup_config_bool @{binding "why3_warn_axioms"} (K true);

fun unrealized_axioms thy decls =
  if Config.get_global thy why3_warn_axioms then
    (case filter (fn (Axiom _, _) => true | _ => false) decls of
       [] => ()
     | decls' => warning (Pretty.string_of (Pretty.chunks2
         [Pretty.str "Unrealized axioms", pretty_decls thy (K true, K "") decls'])))
  else ();

fun process_decls consts types x path = elem "theory" (fn atts =>
  (fn imports :: xs => elem "realized" (fn _ => fn rs => fn thy =>
        let
          val thyname = get_name atts;
          val realize = get_bool "realize" atts;
          val _ =
            realize orelse
            Path.is_basic path andalso
            let val (path', ext) = Path.split_ext path
            in
              Path.implode path' = Context.theory_name thy andalso
              ext = "xml"
            end orelse
            error "Name of Why3 file does not match name of theory";
          val (ds, thy') = thy |>
            Sign.add_path thyname |>
            init_decls thyname consts types |>
            pair [] |>
            fold (fn x => fn (ds, thy) =>
              let
                val d = read_decl (Named_Target.theory_init thy) x;
                val (tm, (thy', b)) = Timing.timing (mk_decl realize d) thy
              in ((b ? cons (d, tm)) ds, thy') end) xs |>
            apfst rev;
          val _ = unrealized_axioms thy' ds
        in put_decls ds thy' end) imports
    | _ => error "Bad theory specification")) x


(**** commands ****)

fun why3_open ((files, consts), types) thy =
  let val ([{src_path, lines, ...}: Token.file], thy') = files thy;
  in process_decls
    (map (apsnd (Sign.intern_const thy)) consts)
    (map (apsnd (Sign.intern_type thy)) types)
    (parse_xml (cat_lines lines)) src_path thy'
  end;

fun prove_vc vc_name lthy =
  let
    val thy = Proof_Context.theory_of lthy;
    val (ctxt, stmt) = get_vc thy vc_name
  in
    Specification.theorem true Thm.theoremK NONE
      (fn thmss => (Local_Theory.background_theory
         (mark_proved vc_name (flat thmss))))
      (fact_binding vc_name, []) [] [ctxt] stmt false lthy
  end;

val _ =
  Outer_Syntax.command @{command_keyword "why3_open"}
    "open a new Why3 environment and load a Why3-generated .xml file"
    (Resources.provide_parse_files "why3_open" --
     Scan.optional (Parse.reserved "constants" |-- Parse.!!! (Scan.repeat1
       (Parse.name --| Args.$$$ "=" -- Parse.!!! Parse.name))) [] --
     Scan.optional (Parse.reserved "types" |-- (Scan.repeat1
       (Parse.name --| Args.$$$ "=" -- Parse.!!! Parse.name))) [] >>
     (Toplevel.theory o why3_open));

val _ =
  Outer_Syntax.command @{command_keyword "why3_vc"}
    "enter into proof mode for a specific verification condition"
    (Parse.name >> (fn name =>
      (Toplevel.local_theory_to_proof NONE NONE (prove_vc name))));

val _ =
  Outer_Syntax.command @{command_keyword "why3_status"}
    "show the name and state of all loaded verification conditions"
    (Scan.optional
       ((   Args.$$$ "cname" >> K has_cname
         || Args.$$$ "tyname" >> K has_tyname
         || Args.$$$ "name" >> K has_name) --|
        Args.colon -- Args.name >> mk_decl_filter) I --
     Scan.optional
       (Args.parens
          (   Args.$$$ "proved" >> K (is_some, K "")
           || Args.$$$ "unproved" >> K (is_none, K "")))
       (K true, string_of_status) >> (fn args =>
        Toplevel.keep (fn state => show_status (Toplevel.theory_of state) args)))

val _ =
  Outer_Syntax.command @{command_keyword "why3_end"}
    "close the current Why3 environment"
    (Scan.optional (@{keyword "("} |-- Parse.!!!
         (Parse.reserved "incomplete" --| @{keyword ")"}) >> K true) false >>
       (Toplevel.theory o close));

val _ =
  Outer_Syntax.command @{command_keyword "why3_consts"}
    "associate Why3 constants with constants"
    (Scan.repeat1 (Parse.name --| Args.$$$ "=" -- Parse.name) >>
       (Toplevel.theory o fold add_why3_const));

val _ =
  Outer_Syntax.command @{command_keyword "why3_types"}
    "associate Why3 types with types"
    (Scan.repeat1 (Parse.name --| Args.$$$ "=" -- Parse.name) >>
       (Toplevel.theory o fold add_why3_type));

val _ =
  Outer_Syntax.command @{command_keyword "why3_thms"}
    "associate Why3 axioms with theorems"
    (Parse.and_list1 (Parse.name --| Args.$$$ "=" -- Parse.thms1) >>
       (Toplevel.theory o fold add_why3_thm_cmd));

val _ =
  Outer_Syntax.command @{command_keyword "why3_defs"}
    "associate Why3 definitions with definitions"
    (Parse.and_list1 (Parse.name --| Args.$$$ "=" -- Parse.thms1) >>
       (Toplevel.theory o fold add_why3_def_cmd));

val setup = Theory.at_end (fn thy =>
  let
    val _ = is_closed thy
      orelse error ("Found the end of the theory, " ^
        "but the last Why3 environment is still open.")
  in NONE end);

end;
why3-1.6.0/lib/isabelle/why3.ML.2021-1000066400000000000000000001270631440160026300166100ustar00rootroot00000000000000signature WHY3 =
sig
  val add_why3_const: string * string -> theory -> theory
  val add_why3_type: string * string -> theory -> theory
  val add_why3_thm: string * thm list -> theory -> theory
  val add_why3_def: string * thm list -> theory -> theory
  val setup: theory -> theory
end

structure Why3: WHY3 =
struct

(**** XML utilities ****)

fun get_opt_att s atts = AList.lookup (op =) atts s;

fun get_att s atts = (case get_opt_att s atts of
    SOME x => x
  | NONE => error ("Missing attribute " ^ s));

fun get_att_default x s atts = (case get_opt_att s atts of
    SOME y => y
  | NONE => x);

fun get_name atts = get_att "name" atts;

fun get_name'' atts =
  case (get_opt_att "path" atts, get_opt_att "altname" atts) of
    (SOME s, SOME s') => SOME (s, s')
  | _ => NONE;

fun get_name' atts = (get_name atts, get_name'' atts);

fun get_opt_name atts =
  case get_opt_att "name" atts of
    NONE => NONE
  | SOME name => SOME (name, get_name'' atts);

fun variant fs (XML.Elem ((s, atts), ts)) =
      (case AList.lookup (op =) fs s of
         SOME f => (f atts ts handle General.Match =>
           error ("Failed to parse element " ^ s))
       | NONE => error ("Bad element: " ^ s))
  | variant _ _ = error "Element expected";

fun elem s f (XML.Elem ((s', atts), ts)) =
      if s = s' then f atts ts
      else error ("Element " ^ s ^ " expected")
  | elem _ _ _ = error "Element expected";

fun optional _ x [] = x
  | optional f _ [x] = f x;

fun option _ [] = NONE
  | option f [x] = SOME (f x);

fun get_bool s atts = (case get_att_default "false" s atts of
    "false" => false
  | "true" => true
  | _ => error "Bad value for boolean attribute");

fun strip_whspc (XML.Elem (p, ts)) =
      SOME (XML.Elem (p, map_filter strip_whspc ts))
  | strip_whspc (txt as XML.Text s) =
      if forall Symbol.is_blank (raw_explode s)
      then NONE else SOME txt;

fun parse_xml s =
  (case strip_whspc (XML.parse s) of
     SOME x => x
   | NONE => error "Bad input");


(**** terms and types ****)

(* replace occurrences of dummy_pattern by distinct variables *)
fun replace_dummies (Const (@{const_name Pure.dummy_pattern}, T)) used =
      let val (x, used') = Name.variant "x" used
      in (Free (x, T), used') end
  | replace_dummies (t $ u) used =
      let
        val (t', used') = replace_dummies t used;
        val (u', used'') = replace_dummies u used';
      in (t' $ u', used'') end
  | replace_dummies t used = (t, used);

fun make_case t ps =
  Syntax.const @{const_name case_guard} $ @{term True} $ t $
  fold_rev (fn (l, r) => fn u =>
      let val (l', _) = replace_dummies l
        (Name.context |>
         Term.declare_term_frees l |>
         Term.declare_term_frees r)
      in
        Syntax.const @{const_name case_cons} $
        fold (fn p => fn b =>
            Syntax.const @{const_name case_abs} $
            Term.absfree p b)
          (Term.add_frees l' [])
          (Syntax.const @{const_name case_elem} $ l' $ r) $ u
      end)
    ps (Syntax.const @{const_name case_nil});

val get_tvar = prefix "'" o get_name;

fun typ f = variant
  [("type", fn atts => fn Ts => Type (f atts, map (typ f) Ts)),
   ("tvar", fn atts => fn [] => TFree (get_tvar atts, dummyS)),
   ("fun", fn _ => fn Ts as _ :: _ => op ---> (split_last (map (typ f) Ts))),
   ("pred", fn _ => fn Ts => map (typ f) Ts ---> @{typ bool}),
   ("prodt", K
      (fn [] => HOLogic.unitT
        | Ts => foldr1 HOLogic.mk_prodT (map (typ f) Ts)))];

fun term f g = variant
  [("const", fn atts => fn Ts =>
      Const (f atts, optional (typ g) dummyT Ts)),
   ("var", fn atts => fn Ts =>
      Free (get_name atts, optional (typ g) dummyT Ts)),
   ("abs", fn atts => fn [T, t] =>
      Term.absfree (get_name atts, typ g T) (term f g t)),
   ("app", fn _ => fn t :: ts => list_comb (term f g t, map (term f g) ts)),
   ("num", fn atts => fn Ts => HOLogic.mk_number
      (optional (typ g) dummyT Ts)
      (case Int.fromString (get_att "val" atts) of SOME i => i)),
   ("case", fn _ => fn t :: ps => make_case (term f g t)
      (map (elem "pat" (K (fn [l, r] => (term f g l, term f g r)))) ps)),
   ("prod", K
      (fn [] => HOLogic.unit
        | ts => foldr1 (fn (t, u) => Syntax.const @{const_name Pair} $ t $ u)
            (map (term f g) ts)))];


(**** declarations ****)

type name' = (string * string) option
type name = string * name'

datatype decl =
    Lemma of name * term list * term list
  | Axiom of name * term list
  | Typedecl of name * string list * typ option
  | Param of name * typ
  | Definition of name' * term
  | Datatype of (name * string list * (name * (name option * typ) list) list) list
  | Inductive of bool * (name * typ * (name * term) list) list
  | Function of (name' * term list) list

fun err_unfinished () = error "An unfinished Why3 environment is still open.";
fun err_no_env () = error "No Why3 environment is currently open.";

type tables =
  {consts: string Symtab.table,
   types: string Symtab.table,
   thms: thm list Symtab.table,
   defs: thm list Symtab.table}

val empty_tables =
  {consts = Symtab.empty,
   types = Symtab.empty,
   thms = Symtab.empty,
   defs = Symtab.empty};

fun map_consts f {consts, types, thms, defs} =
  {consts = f consts, types = types, thms = thms, defs = defs};

fun map_types f {consts, types, thms, defs} =
  {consts = consts, types = f types, thms = thms, defs = defs};

fun map_thms f {consts, types, thms, defs} =
  {consts = consts, types = types, thms = f thms, defs = defs};

fun map_defs f {consts, types, thms, defs} =
  {consts = consts, types = types, thms = thms, defs = f defs};

fun merge_tables
  ({consts = consts1, types = types1, thms = thms1, defs = defs1},
   {consts = consts2, types = types2, thms = thms2, defs = defs2}) =
  {consts = Symtab.merge (op =) (consts1, consts2),
   types = Symtab.merge (op =) (types1, types2),
   thms = Symtab.merge (eq_list Thm.eq_thm_strict) (thms1, thms2),
   defs = Symtab.merge (eq_list Thm.eq_thm_strict) (defs1, defs2)};

structure Why3_Data = Theory_Data
(
  type T =
    {theories: tables Symtab.table,
     env:
       {thyname: string,
        decls: (decl * Timing.timing) list,
        vcs: (thm list option * term list * term list) Symtab.table} option}
  val empty : T = {theories = Symtab.empty, env = NONE}
  val extend = I
  fun merge ({theories = theories1, env = NONE},
        {theories = theories2, env = NONE}) =
        {theories = Symtab.join (K merge_tables) (theories1, theories2),
         env = NONE}
    | merge _ = err_unfinished ()
)

fun lookup_vc thy name =
  (case Why3_Data.get thy of
     {env = SOME {vcs, ...}, ...} => Symtab.lookup vcs name
   | _ => NONE);

val is_closed = is_none o #env o Why3_Data.get;

fun mk_vc name_concl prems concls =
  (Element.Assumes (map_index (fn (i, t) =>
     ((Binding.name ("H" ^ string_of_int (i + 1)), []), [(t, [])])) prems),
   Element.Shows (map_index (fn (i, t) =>
     (if name_concl then (Binding.name ("C" ^ string_of_int (i + 1)), [])
      else Binding.empty_atts,
      [(t, [HOLogic.mk_Trueprop
          (Var (("C", i + 1), HOLogic.boolT))])])) concls));

fun get_vc thy vc_name =
  (case lookup_vc thy vc_name of
    SOME (proved, prems, concls) =>
      if is_some proved then
        error ("The verification condition " ^
          quote vc_name ^ " has already been proved.")
      else mk_vc false prems concls
  | NONE => error ("There is no verification condition " ^
      quote vc_name ^ "."));

fun pp_vcs msg vcs = Pretty.big_list msg (map (Pretty.str o fst) vcs);

fun pp_open_vcs [] = Pretty.str "All verification conditions have been proved."
  | pp_open_vcs vcs = pp_vcs
      "The following verification conditions remain to be proved:" vcs;

fun partition_vcs vcs = Symtab.fold_rev
  (fn (name, (SOME thms, ps, cs)) =>
        apfst (cons (name, (thms, ps, cs)))
    | (name, (NONE, ps, cs)) =>
        apsnd (cons (name, (ps, cs))))
  vcs ([], []);

fun insert_break prt = Pretty.blk (0, [Pretty.fbrk, prt]);

fun print_open_vcs f vcs =
  (Pretty.writeln (f (pp_open_vcs (snd (partition_vcs vcs)))); vcs);

fun mark_proved name thms = Why3_Data.map (fn
    {theories,
     env = SOME {thyname, decls, vcs}} =>
      {theories = theories,
       env = SOME {thyname = thyname, decls = decls,
         vcs = print_open_vcs insert_break (Symtab.map_entry name
           (fn (_, ps, cs) => (SOME thms, ps, cs)) vcs)}}
  | x => x);

fun add_name kind sel th (p as (x, _)) tab =
  Symtab.map_default (th, empty_tables) (sel (Symtab.update_new p)) tab
  handle Symtab.DUP _ =>
    error ("The " ^ kind ^ " " ^ x ^ " is already defined.");

fun add_item add opt_thyname p = Why3_Data.map
  (fn {theories, env} =>
     {theories = add
        (case (env, opt_thyname) of
           (SOME {thyname, ...}, NONE) => thyname
         | (NONE, SOME thyname) => thyname
         | (NONE, NONE) => err_no_env ()
         | (SOME _, SOME _) => err_unfinished ())
        p theories,
      env = env});

fun add_item_intern add intrn s thy = add_item add NONE (s, intrn thy s) thy;

val add_const = add_item_intern (add_name "constant" map_consts) Sign.intern_const;
val add_type = add_item_intern (add_name "type" map_types) Sign.intern_type;

val add_const_raw = add_item (add_name "constant" map_consts);
val add_type_raw = add_item (add_name "type" map_types);
val add_thm_raw = add_item (add_name "theorem" map_thms);
val add_def_raw = add_item (add_name "definition" map_defs);

fun add_qualified add prep (s, x) thy =
  (Long_Name.is_qualified s orelse
   error ("Qualified name expected, but " ^ s ^ " was found");
   add (SOME (Long_Name.qualifier s))
     (Long_Name.base_name s, prep (Proof_Context.init_global thy) x) thy);

val add_why3_const = add_qualified add_const_raw (fn ctxt => fn cname =>
  fst (dest_Const (Proof_Context.read_const {proper = true, strict = false} ctxt cname)));

val add_why3_type = add_qualified add_type_raw (fn ctxt => fn tyname =>
  fst (dest_Type (Proof_Context.read_type_name {proper = true, strict = false} ctxt tyname)));

val add_why3_thm = add_qualified add_thm_raw (K I);
val add_why3_thm_cmd = add_qualified add_thm_raw Attrib.eval_thms;

val add_why3_def = add_qualified add_def_raw (K I);
val add_why3_def_cmd = add_qualified add_def_raw Attrib.eval_thms;

fun lookup_name kind sel tab s s' = (case Symtab.lookup tab s of
    NONE => error ("The theory " ^ s ^ " was not found")
  | SOME tab' => (case Symtab.lookup (sel tab') s' of
        NONE => error ("The " ^ kind ^ " " ^ s' ^
          " was not found in theory " ^ s)
      | SOME name => name));

fun lookup_const tab = lookup_name "constant" #consts tab;
fun lookup_type tab = lookup_name "type" #types tab;

fun lookup_name' sel thy (SOME (s, s')) =
      (case Symtab.lookup (#theories (Why3_Data.get thy)) s of
         NONE => NONE
       | SOME tab' => (case Symtab.lookup (sel tab') s' of
             NONE => NONE
           | SOME name => SOME name))
  | lookup_name' _ _ NONE = NONE;

fun lookup_const' thy = lookup_name' #consts thy;
fun lookup_type' thy = lookup_name' #types thy;
fun lookup_thm thy = lookup_name' #thms thy;
fun lookup_def thy = lookup_name' #defs thy;

fun prep_name lookup ctxt atts =
  (case Why3_Data.get (Proof_Context.theory_of ctxt) of
     {theories, env = SOME {thyname, ...}} =>
       let val name = get_name atts
       in case (get_bool "local" atts, get_opt_att "path" atts) of
           (false, NONE) => name
         | (true, _) => lookup theories thyname name
         | (_, SOME thyname') => lookup theories thyname' name
       end
   | _ => err_no_env ());

fun read_type ctxt x = Syntax.check_typ ctxt
  (typ (prep_name lookup_type ctxt) x);

fun read_term ctxt x = Syntax.check_term ctxt
  (term (prep_name lookup_const ctxt) (prep_name lookup_type ctxt) x);

fun read_prop ctxt x = HOLogic.mk_Trueprop (read_term ctxt x);

fun prep_datatypes ctxt dts =
  let val ctxt' = fold (fn ((s, _), args, _) =>
    Typedecl.basic_typedecl {final = true} (Binding.name s, length args, NoSyn) #>
    snd #> Local_Theory.background_theory (add_type s)) dts ctxt
  in map (fn (b, args, constrs) =>
    (b, args, map (apsnd (map (apsnd (read_type ctxt')))) constrs)) dts
  end;

fun read_statement ctxt f atts [prems, concls] = f
  (get_name' atts,
   elem "prems" (K (map (read_prop ctxt))) prems,
   elem "concls" (K (map (read_prop ctxt))) concls);

val read_ty_params = elem "params" (K (map (elem "param" (K o get_tvar))));

val gen_head_of_eqn =
  HOLogic.dest_Trueprop #> HOLogic.dest_eq #> fst #> head_of;

val head_of_eqn = gen_head_of_eqn #> dest_Free;
val head_of_eqn' = gen_head_of_eqn #> dest_Const;

(* split up term containing case combinators into several terms *)
fun expand_cases ctxt t =
  let
    fun rename fmap = Term.map_aterms
      (fn Free (s, T) => Free (the_default s (AList.lookup (op =) fmap s), T)
        | t => t);

    fun rename_case used (l, r) =
      let val (fmap, _) = fold_map
        (fn s => apfst (pair s) o Name.variant s)
        (Term.add_free_names l []) used
      in (rename fmap l, rename fmap r) end;

    fun strip_case used t =
      if null (loose_bnos t)
      then (case Case_Translation.strip_case ctxt false t of
          SOME (u as Free _, ps) => SOME (u, map (rename_case used) ps)
        | _ => NONE)
      else NONE;

    fun mk_ctxt f = Option.map (fn (x, ps) => (x, map (apsnd f) ps));

    fun strip_case' used t = (case strip_case used t of
        NONE => (case t of
            t1 $ t2 => (case strip_case' used t1 of
                NONE => mk_ctxt (fn u => t1 $ u) (strip_case' used t2)
              | p => mk_ctxt (fn u => u $ t2) p)
          | Abs (s, T, r) => mk_ctxt (fn u => Abs (s, T, u))
              (strip_case' used r)
          | _ => NONE)
      | p => p);

    fun expand t =
      (case strip_case' (Term.declare_term_frees t Name.context) t of
         NONE => [t]
       | SOME (x, ps) => maps (fn (l, r) =>
           expand (Term.subst_atomic [(x, l)] r)) ps)
  in expand t end;

fun read_decl ctxt = variant
  [("lemma", read_statement ctxt Lemma),
   ("axiom", read_statement ctxt (fn (name, prems, concls) =>
      Axiom (name, map (fn concl =>
        Logic.list_implies (prems, concl)) concls))),
   ("typedecl", fn atts => fn params :: rhs => Typedecl
      (get_name' atts,
       read_ty_params params,
       option (read_type ctxt) rhs)),
   ("param", fn atts => fn [ty] => Param
      (get_name' atts, read_type ctxt ty)),
   ("definition", fn atts => fn [t] =>
      Definition (get_name'' atts, read_prop ctxt t)),
   ("datatypes", fn _ => fn xs => Datatype (prep_datatypes ctxt
      (map (elem "datatype" (fn atts => fn [params, constrs] =>
         (get_name' atts,
          read_ty_params params,
          elem "constrs"
            (K (map (elem "constr" (fn atts => fn ys =>
               (get_name' atts,
                map (elem "carg" (fn atts => fn [z] =>
                  (get_opt_name atts, z))) ys))))) constrs))) xs))),
   ("inductive", fn atts => fn xs => Inductive
      (get_bool "coind" atts,
       map (elem "pred" (fn atts => fn ty :: rls =>
         (get_name' atts,
          read_type ctxt ty,
          map (elem "rule" (fn atts => fn [prems, concl] =>
            (get_name' atts,
             Logic.list_implies
               (elem "prems" (K (map (read_prop ctxt))) prems,
                read_prop ctxt concl)))) rls))) xs)),
   ("function", fn _ => fn xs => Function
      (map (elem "eqn" (fn atts => fn [t] =>
         (get_name'' atts, expand_cases ctxt (read_prop ctxt t)))) xs))];


(**** pretty printing ****)

fun string_of_status NONE = "(* unproved *)"
  | string_of_status (SOME _) = "(* proved *)";

fun pretty_typ s [] = Pretty.str s
  | pretty_typ s [v] = Pretty.block
      [Pretty.str v, Pretty.brk 1, Pretty.str s]
  | pretty_typ s vs = Pretty.block
      [Pretty.list "(" ")" (map Pretty.str vs), Pretty.brk 1, Pretty.str s];

fun blocks prfx1 prfx2 xs f = fst (fold_map (fn x => fn prfx =>
    (Pretty.block (Pretty.str prfx :: Pretty.brk 1 :: f x),
     prfx2))
  xs prfx1);

fun pretty_decl (p, f) ctxt (Lemma ((s, _), prems, concls)) =
      let
        val SOME (opt, _, _) = lookup_vc (Proof_Context.theory_of ctxt) s;
        val ctxt' = fold Proof_Context.augment (prems @ concls) ctxt;
        val (context, stmt) = mk_vc true prems concls
      in
        if p opt then
          SOME (Pretty.big_list ("lemma " ^ s ^ ": " ^ f opt)
            (Element.pretty_ctxt ctxt' context @
             Element.pretty_stmt ctxt' stmt))
        else NONE
      end
  | pretty_decl _ ctxt (Axiom ((s, _), ts)) =
      let val ctxt' = fold Proof_Context.augment ts ctxt
      in SOME (Pretty.block
        ([Pretty.str "axiomatization where", Pretty.brk 1,
          Pretty.str s, Pretty.str ":", Pretty.brk 1] @
         separate (Pretty.brk 1)
           (map (Pretty.quote o Syntax.pretty_term ctxt') ts)))
      end
  | pretty_decl _ ctxt (Typedecl ((s, _), args, opt_rhs)) = SOME (Pretty.block
      (case opt_rhs of
         NONE => [Pretty.str "typedecl", Pretty.brk 1,
           pretty_typ s args]
       | SOME T => [Pretty.str "type_synonym", Pretty.brk 1,
           pretty_typ s args, Pretty.str " =", Pretty.brk 1,
           Pretty.quote (Syntax.pretty_typ ctxt T)]))
  | pretty_decl _ ctxt (Param ((s, _), T)) = SOME (Pretty.block
      [Pretty.str "axiomatization", Pretty.brk 1,
       Pretty.str s, Pretty.str " ::", Pretty.brk 1,
       Pretty.quote (Syntax.pretty_typ ctxt T)])
  | pretty_decl _ ctxt (Definition (_, eqn)) =
      let
        val ctxt' = Proof_Context.augment eqn ctxt;
        val (s, T) = head_of_eqn eqn
      in SOME (Pretty.block [Pretty.str "definition ", Pretty.str s,
        Pretty.str " ::", Pretty.brk 1,
        Pretty.quote (Syntax.pretty_typ ctxt' T),
        Pretty.str " where", Pretty.fbrk,
        Pretty.quote (Syntax.pretty_term ctxt' eqn)])
      end
  | pretty_decl _ ctxt (Datatype dts) = SOME (Pretty.chunks
      (blocks "datatype" "and" dts (fn ((s, _), args, constrs) =>
         [pretty_typ s args,
          Pretty.str " =", Pretty.brk 1] @
          Pretty.separate " |"
            (map (fn ((s', _), cargs) => Pretty.block
                 (separate (Pretty.brk 1) (Pretty.str s' :: (map
                    (fn (NONE, T) => Pretty.quote (Syntax.pretty_typ ctxt T)
                      | (SOME (sel, _), T) => Pretty.enclose "(" ")"
                          [Pretty.str sel, Pretty.str " :", Pretty.brk 1,
                           Pretty.quote (Syntax.pretty_typ ctxt T)]) cargs))))
               constrs))))
  | pretty_decl _ ctxt (Inductive (coind, preds)) =
      let val ctxt' = fold (fold (Proof_Context.augment o snd) o #3) preds ctxt
      in
        SOME (Pretty.chunks
          (blocks ((coind ? prefix "co") "inductive") "and" preds
             (fn ((s, _), T, _) =>
                [Pretty.str s, Pretty.str " ::", Pretty.brk 1,
                 Pretty.quote (Syntax.pretty_typ ctxt' T)]) @
           Pretty.str "where" ::
           blocks " " "|" (maps #3 preds) (fn ((s, _), t) =>
             [Pretty.str s, Pretty.str ":",
              Pretty.brk 1, Pretty.quote (Syntax.pretty_term ctxt' t)])))
      end
  | pretty_decl _ ctxt (Function eqnss) =
      let val ctxt' = fold (fold Proof_Context.augment o snd) eqnss ctxt
      in
        SOME (Pretty.chunks
          (blocks "fun" "and" eqnss (fn (_, t :: _) =>
             let val (s, T) = head_of_eqn t
             in
               [Pretty.str s, Pretty.str " ::", Pretty.brk 1,
                Pretty.quote (Syntax.pretty_typ ctxt' T)]
             end) @
           Pretty.str "where" ::
           blocks " " "|" (maps snd eqnss)
             (single o Pretty.quote o Syntax.pretty_term ctxt')))
      end;

fun path_of_decl (Lemma ((_, SOME (s, _)), _, _)) = s
  | path_of_decl (Axiom ((_, SOME (s, _)), _)) = s
  | path_of_decl (Typedecl ((_, SOME (s, _)), _, _)) = s
  | path_of_decl (Param ((_, SOME (s, _)), _)) = s
  | path_of_decl (Definition (SOME (s, _), _)) = s
  | path_of_decl (Datatype (((_, SOME (s, _)), _, _) :: _)) = s
  | path_of_decl (Inductive (_, ((_, SOME (s, _)), _, _) :: _)) = s
  | path_of_decl (Function ((SOME (s, _), _) :: _)) = s
  | path_of_decl _ = "local";

val why3_timing = Attrib.setup_config_bool @{binding "why3_timing"} (K false);

fun pretty_decl_timing sel ctxt (d, (tm, tm')) =
  case pretty_decl sel ctxt d of
    NONE => NONE
  | SOME pr => SOME
      (if Config.get ctxt why3_timing then
         Pretty.chunks2
           [pr, Pretty.enclose "(" ")"
              [Pretty.str (Timing.message tm),
               Pretty.str ",", Pretty.brk 1, Pretty.str "total: ",
               Pretty.str (Timing.message tm')]]
       else pr);

fun sum_timing
  {elapsed = elapsed1, cpu = cpu1, gc = gc1}
  {elapsed = elapsed2, cpu = cpu2, gc = gc2} =
  {elapsed = elapsed1 + elapsed2, cpu = cpu1 + cpu2, gc = gc1 + gc2};

val zero_timing = {elapsed = Time.zeroTime, cpu = Time.zeroTime, gc = Time.zeroTime};

fun pretty_decls thy sel decls =
  let
    val ctxt = Proof_Context.init_global thy;
    val decls' = AList.coalesce (op =)
      (fst (fold_map (fn (d, tm) => fn tm' =>
         let val tm'' = sum_timing tm tm'
         in ((path_of_decl d, (d, (tm, tm''))), tm'') end)
         decls zero_timing))
  in
    Pretty.chunks2 (maps (fn (s, ds) =>
      Pretty.str ("(**** " ^ s ^ " ****)") ::
      map_filter (pretty_decl_timing sel ctxt) ds) decls')
  end;

fun add_type_names (Type (s, Ts)) = insert (op =) (Long_Name.base_name s) #> fold add_type_names Ts
  | add_type_names _ = I;

val add_term_names = fold_term_types
  (fn (Const (s, _)) =>
        apfst (insert (op =) (Long_Name.base_name s)) oo apsnd o add_type_names
    | _ => apsnd o add_type_names);

fun add_decl_names (Lemma (_, prems, concls)) =
      fold add_term_names prems #> fold add_term_names concls
  | add_decl_names (Axiom (_, ts)) = fold add_term_names ts
  | add_decl_names (Typedecl ((s, _), _, opT)) =
      apsnd (insert (op =) s #> (case opT of SOME T => add_type_names T | _ => I))
  | add_decl_names (Param ((s, _), T)) =
      apfst (insert (op =) s) #> apsnd (add_type_names T)
  | add_decl_names (Definition (_, eqn)) =
      apfst (insert (op =) (fst (head_of_eqn eqn))) #> add_term_names eqn
  | add_decl_names (Datatype dts) = fold (fn ((tyname, _), _, constrs) =>
      apsnd (insert (op =) tyname) #> fold (fn ((cname, _), cargs) =>
        apfst (insert (op =) cname) #> fold
          (fn (NONE, T) => apsnd (add_type_names T)
            | (SOME (sel, _), T) => apfst (insert (op =) sel) #> apsnd (add_type_names T))
          cargs) constrs) dts
  | add_decl_names (Inductive (_, preds)) = fold (fn ((s, _), _, intrs) =>
      apfst (insert (op =) s) #> fold (add_term_names o snd) intrs) preds
  | add_decl_names (Function eqnss) = fold (fn (_, eqns) =>
      apfst (insert (op =) (fst (head_of_eqn (hd eqns)))) #>
      fold add_term_names eqns) eqnss;

fun mk_decl_filter (p, s) = filter (fn (decl, _) => p s (add_decl_names decl ([], [])));

fun has_cname s (cnames, _) = exists (String.isSubstring s) cnames;
fun has_tyname s (_, tynames) = exists (String.isSubstring s) tynames;
fun has_name s names = has_cname s names orelse has_tyname s names;

fun show_status thy (flt, sel) =
  (case Why3_Data.get thy of
     {env = SOME {decls, ...}, ...} => Pretty.writeln (pretty_decls thy sel (flt decls))
   | _ => ());


(**** processing declarations ****)

fun rename_const ps = map_aterms
  (fn t as Const (p as (_, T)) => (case AList.lookup (op =) ps p of
          SOME s => Free (s, T)
        | NONE => t)
    | t => t);

fun string_of_id (SOME (s, s')) = s ^ "." ^ s';

fun lookup_list sel lookup xs =
  let val ps = map (fn x => (x, lookup (sel x))) xs
  in
    if forall (is_none o snd) ps then NONE
    else SOME (map
      (fn (x, SOME y) => (x, y)
        | (x, NONE) =>
            error ("No association given for " ^ string_of_id (sel x)))
      ps)
  end;

fun fact_binding s = Binding.qualify false "facts" (Binding.name s);

fun err_decl thy s decl =
  error (Pretty.string_of (Pretty.blk (0,
    [Pretty.str s, Pretty.fbrk, Pretty.fbrk,
     the (pretty_decl (K true, K "") (Proof_Context.init_global thy) decl)])));

fun make_record_aux rname cname
      ({fields as (fname, _) :: _, extension = (ext_name, _),
        args, select_convs, ...} : Record.info) thy =
      let
        val fields' = map fst fields @ [Long_Name.map_base_name (K "more") fname];
        val [a, b] = Name.variant_list (map fst args) ["'a", "'b"];
        val aT = TFree (a, @{sort type});
        val bT = TFree (b, @{sort type});
        val argsT = map TFree args;
        val rT = Type (ext_name, argsT @ [aT]);
        val rT' = Type (ext_name, argsT @ [HOLogic.unitT]);
        val fld_names = map (Long_Name.base_name o fst) fields;
        val Us = map snd fields;
        val Ts = Us @ [aT];
        val fT = Ts ---> bT;
        val fN = singleton (Name.variant_list fld_names) "f";
        val f = Free (fN, fT);
        val x = Free ("x", rT);
        val xs' = map Free (fld_names ~~ Us);
        val xs = xs' @ [Free ("more", aT)];

        val ((_, (_, case_def)), lthy1) = thy |> Named_Target.theory_init |>
          Specification.definition NONE [] []
            (Binding.empty_atts,
             HOLogic.mk_Trueprop (HOLogic.mk_eq
               (Free (rname ^ "_case", fT --> rT --> bT) $ f $ x,
                list_comb (f, map2 (fn s => fn T => Const (s, rT --> T) $ x) fields' Ts))));

        val case_eq = Goal.prove_sorry lthy1 (fN :: "more" :: fld_names) []
          (HOLogic.mk_Trueprop (HOLogic.mk_eq
             (Free (rname ^ "_case", fT --> rT --> bT) $ f $
                list_comb (Const (ext_name, Ts ---> rT), xs),
              list_comb (f, xs))))
          (fn {context, ...} =>
             simp_tac (put_simpset HOL_basic_ss context addsimps (case_def :: select_convs)) 1);

        val case_name = Sign.intern_const (Proof_Context.theory_of lthy1) (rname ^ "_case")
      in
        lthy1 |>
        Local_Theory.note
          ((Binding.name (rname ^ "_case_eq"),
           [Attrib.internal (K Simplifier.simp_add)]), [case_eq]) |> snd |>
        Specification.abbreviation Syntax.mode_input NONE []
          (Logic.mk_equals
             (list_comb (Free (cname, Us ---> rT'), xs'),
              list_comb (Const (ext_name, Us ---> HOLogic.unitT --> rT'),
                xs' @ [HOLogic.unit]))) false |>
        Local_Theory.exit_global |>
        Context.theory_map (Case_Translation.register
          (Const (case_name, fT --> rT --> bT)) [Const (ext_name, Ts ---> rT)])
      end
  | make_record_aux _ _ _ _ = error "make_record_aux: internal error";

fun make_record rname args cname flds thy =
  let val thy' = Record.add_record {overloaded = false}
    (args, Binding.name rname) NONE
    (map (fn (fname, T) => (Binding.name fname, T, NoSyn)) flds) thy;
  in
    make_record_aux rname cname
      (Record.the_info thy' (Sign.full_name thy' (Binding.name rname))) thy'
  end;

fun add_axioms s [t] =
      Specification.axiom ((fact_binding s, []), t) #> snd
  | add_axioms s ts =
      fold_map Specification.axiom
        (map_index (fn (i, t) =>
           ((fact_binding (s ^ "_" ^ string_of_int (i + 1)), []), t)) ts) #> snd

fun dest_record thy [((s, _), args, [((cname, _), cargs)])] =
      let val tyname = Sign.full_name thy (Binding.name s)
      in
        if forall (fn (sel, T) => is_some sel andalso not (exists_subtype
          (fn Type (tyname', _) => tyname = tyname' | _ => false) T)) cargs
        then SOME (s, args, cname, map (apfst (fst o the)) cargs)
        else NONE
      end
  | dest_record _ _ = NONE;

fun get_dt_spec thy err s =
  case Ctr_Sugar.ctr_sugar_of_global thy s of
    SOME {T, ctrs, selss, ...} =>
      let
        val ctrs' = map (apsnd binder_types o dest_Const) ctrs;
        val selss' = (case selss of
            [] => map (map (K NONE) o snd) ctrs'
          | _ => map (map (SOME o fst o dest_Const)) selss)
      in
        (snd (dest_Type T),
         map2 (fn (cname, cargs) => fn sels => (cname, sels ~~ cargs)) ctrs' selss',
         NONE)
      end
  | NONE => (case Record.get_info thy s of
      SOME (info as {args, fields, ...}) =>
        (map TFree args, [("", map (apfst SOME) fields)], SOME info)
    | NONE => err ());

val why3_records = Attrib.setup_config_bool @{binding "why3_records"} (K true);

fun add_inductive_global flags cnames_syn pnames pre_intros monos thy =
  thy |>
  Named_Target.theory_init |>
  Inductive.add_inductive flags cnames_syn pnames pre_intros monos |> snd |>
  Local_Theory.exit |>
  Proof_Context.theory_of;

fun mk_decl _ (decl as Axiom ((s, id), ts)) thy =
      (case lookup_thm thy id of
         NONE =>
           (add_axioms s ts thy, true)
       | SOME thms =>
           if length thms = length ts andalso
             forall (Pattern.matches thy o apfst Thm.prop_of) (thms ~~ ts)
           then (thy, false)
           else err_decl thy ("Failed to match axiom " ^ string_of_id id) decl)
  | mk_decl realize (Typedecl ((s, id), args, opt_rhs)) thy =
      (case opt_rhs of
         NONE =>
           if realize then (thy, false) else
           (case lookup_type' thy id of
              NONE =>
                (thy |> Named_Target.theory_map (Typedecl.typedecl {final = true}
                   (Binding.name s, map (rpair dummyS) args, NoSyn) #> snd) |>
                 add_type s,
                 true)
            | SOME s' => (add_type_raw NONE (s, s') thy, false))
       | SOME T =>
           (thy |> Named_Target.theory_map (Typedecl.abbrev
              (Binding.name s, args, NoSyn) T #> snd) |>
            add_type s,
            true))
  | mk_decl realize (Param ((s, id), T)) thy =
      if realize then (thy, false) else
      (case lookup_const' thy id of
         NONE =>
           (thy |> Specification.axiomatization
              [(Binding.name s, SOME T, NoSyn)] [] [] [] |> snd |>
            add_const s,
            true)
       | SOME s' => (add_const_raw NONE (s, s') thy, false))
  | mk_decl _ (decl as Definition (id, eqn)) thy =
      let val (s, _) = head_of_eqn eqn
      in
        case lookup_def thy id of
          NONE =>
            (thy |> Named_Target.theory_map (Specification.definition
               NONE [] [] (Binding.empty_atts, eqn) #> snd) |>
             add_const s,
             true)
        | SOME [th] =>
            let val p as (s', _) = head_of_eqn' (Thm.prop_of th)
              handle TERM _ => err_decl thy
                ("Bad equation for " ^ string_of_id id) decl
            in
              if Pattern.matches thy (rename_const [(p, s)] (Thm.prop_of th), eqn)
              then (add_const_raw NONE (s, s') thy, false)
              else err_decl thy
                ("Failed to match definition " ^ string_of_id id) decl
            end
        | _ => err_decl thy ("Single theorem expected for " ^ string_of_id id) decl
      end
  | mk_decl _ (decl as Datatype dts) thy =
      (case lookup_list (snd o #1) (lookup_type' thy) dts of
         NONE =>
           (case (Config.get_global thy why3_records, dest_record thy dts) of
              (true, SOME (s, args, s', cargs)) =>
                (thy |> make_record s (map (rpair @{sort type}) args) s' cargs |>
                 add_type s |>
                 add_const s' |>
                 fold (add_const o fst) cargs,
                 true)
            | _ =>
                (thy |> Named_Target.theory_map
                   (BNF_FP_Def_Sugar.co_datatypes BNF_Util.Least_FP BNF_LFP.construct_lfp
                      (Ctr_Sugar.default_ctr_options,
                       map (fn ((s, _), args, constrs) =>
                         (((((map (fn arg => (SOME Binding.empty, (TFree (arg, @{sort type}),
                              @{sort type}))) args, Binding.name s), NoSyn),
                            map (fn ((s', _), cargs) =>
                              (((Binding.empty, Binding.name s'),
                                map (fn (NONE, T) => (Binding.empty, T)
                                      | (SOME (sel, _), T) => (Binding.name sel, T)) cargs),
                               NoSyn)) constrs),
                           (Binding.empty, Binding.empty, Binding.empty)),
                          [])) dts)) |>
                 fold (fn ((s, _), _, constrs) => add_type s #>
                   fold (add_const o fst o fst) constrs #>
                   fold add_const (map_filter (Option.map fst o fst) (snd (hd constrs)))) dts,
                 true))
       | SOME dts' =>
           let val tcmap = map (fn (((s, _), _, _), s') =>
             (Sign.full_name thy (Binding.name s), s')) dts'
           in
             (fold (fn (((tyname, id), args, constrs), tyname') =>
                let
                  val (args', constrs', opt_info) = get_dt_spec thy
                    (fn () => err_decl thy (string_of_id id ^
                       "must be mapped to a datatype or record type") decl) tyname';
                  fun err () = err_decl thy
                    ("Failed to match type " ^ string_of_id id) decl;
                  val _ =
                    length args = length args' andalso
                    length constrs = length constrs' orelse err ();
                  val tvmap = args ~~ args';

                  fun rename (Type (tc, Ts)) = Type
                        (the_default tc (AList.lookup (op =) tcmap tc),
                         map rename Ts)
                    | rename (T as TFree (a, _)) =
                        (the_default T (AList.lookup (op =) tvmap a))
                    | rename T = T
                in
                  add_type_raw NONE (tyname, tyname') #>
                  rpair [] #>
                  fold2 (fn ((cname, _), cargs) => fn (cname', cargs') =>
                    if map (rename o snd) cargs = map snd cargs'
                    then
                      apfst (case opt_info of
                          NONE => add_const_raw NONE (cname, cname')
                        | SOME info =>
                            make_record_aux tyname cname info #>
                            add_const cname) #>
                      fold2
                        (fn (NONE, _) => K I
                          | (SOME (sel, _), _) =>
                               (fn (NONE, _) => err_decl thy
                                     ("Missing selector " ^ sel ^
                                      " for type " ^ string_of_id id) decl
                                 | (SOME sel', _) => (fn p as (thy', sel_map) =>
                                     (case AList.lookup (op =) sel_map sel of
                                        NONE =>
                                          (add_const_raw NONE (sel, sel') thy',
                                           (sel, sel') :: sel_map)
                                      | SOME sel'' =>
                                          if sel' = sel'' then p
                                          else err_decl thy
                                            ("Inconsistent selector " ^ sel ^
                                             " for type " ^ string_of_id id) decl))))
                        cargs cargs'
                    else err ()) constrs constrs' #>
                  fst
                end) dts' thy,
              false)
           end)
  | mk_decl _ (decl as Inductive (coind, preds)) thy =
      (case lookup_list (snd o #1) (lookup_def thy) preds of
         NONE =>
           (thy |> add_inductive_global
              {quiet_mode = true, verbose = false,
               alt_name = Binding.empty, coind = coind,
               no_elim = false, no_ind = false, skip_mono = false}
              (map (fn ((s, _), T, _) => ((Binding.name s, T), NoSyn)) preds) []
              (maps (map (apfst (rpair [] o Binding.name o fst)) o #3) preds) [] |>
            fold (add_const o fst o #1) preds,
            true)
       | SOME preds' =>
           let val cmap = map (fn (((s, id), _, _), th :: _) =>
             (th |> Thm.concl_of |> HOLogic.dest_Trueprop |> head_of |>
              dest_Const handle TERM _ =>
                err_decl thy ("Bad introduction rule for " ^ string_of_id id) decl,
              s)) preds'
           in
             app (fn (((_, id), _, intrs), intrs') =>
               if length intrs = length intrs' andalso
                 ListPair.all (fn ((_, t), th) =>
                     Pattern.matches thy (rename_const cmap (Thm.prop_of th), t))
                   (intrs, intrs')
               then ()
               else err_decl thy
                 ("Failed to match predicate " ^ string_of_id id) decl) preds';
             (fold (add_const_raw NONE o swap o apfst fst) cmap thy, false)
           end)
  | mk_decl _ (decl as Function eqnss) thy =
      let val eqnss' = map (head_of_eqn o hd o snd) eqnss
      in
        case lookup_list fst (lookup_def thy) eqnss of
          NONE =>
            (thy |> Named_Target.theory_map (Function_Fun.add_fun
               (map (fn (s, T) => (Binding.name s, SOME T, NoSyn)) eqnss')
               (map (fn t => ((Binding.empty_atts, t), [], [])) (maps snd eqnss))
               Function_Fun.fun_config) |>
             fold (add_const o fst) eqnss',
             true)
        | SOME eqnss'' =>
            let val cmap = map2 (fn ((id, _), th :: _) => fn (s, _) =>
              (th |> Thm.prop_of |> head_of_eqn' handle TERM _ =>
                 err_decl thy ("Bad equation for " ^ string_of_id id) decl,
               s)) eqnss'' eqnss'
            in
              app (fn ((id, eqns), eqns') =>
                if length eqns = length eqns' andalso
                  ListPair.all (fn (t, th) =>
                      Pattern.matches thy (rename_const cmap (Thm.prop_of th), t))
                    (eqns, eqns')
                then ()
                else err_decl thy
                  ("Failed to match function " ^ string_of_id id) decl) eqnss'';
              (fold (add_const_raw NONE o swap o apfst fst) cmap thy, false)
            end
      end
  | mk_decl _ _ thy = (thy, true);

fun init_decls thyname consts types = Why3_Data.map
  (fn {theories, env = NONE} =>
        {theories = Symtab.update_new
           (thyname,
            {consts = Symtab.make consts,
             types = Symtab.make types,
             thms = Symtab.empty,
             defs = Symtab.empty})
           theories handle Symtab.DUP _ =>
             error ("Theory " ^ thyname ^ " has already been loaded."),
         env = SOME
           {thyname = thyname,
            decls = [],
            vcs = Symtab.empty}}
    | _ => err_unfinished ());

fun put_decls decls = Why3_Data.map
  (fn {theories, env = SOME {thyname, ...}} =>
        {theories = theories,
         env = SOME
           {thyname = thyname,
            decls = decls,
            vcs = print_open_vcs I (fold
              (fn (Lemma ((s, _), ps, cs), _) => Symtab.update_new (s, (NONE, ps, cs))
                | _ => I) decls Symtab.empty
              handle Symtab.DUP k => error ("Verification condition " ^ k ^
                " has already been declared."))}}
    | _ => err_no_env ());

fun close incomplete thy =
  thy |>
  Why3_Data.map (fn
      {theories, env = SOME {thyname, vcs, ...}} =>
        let
          val (proved, unproved) = partition_vcs vcs;
          val _ = Thm.consolidate (maps (#1 o snd) proved)
        in
          (if null unproved
           then writeln ("Finished Why3 theory " ^ thyname)
           else (if incomplete then warning else error)
             (Pretty.string_of (pp_open_vcs unproved));
           {theories = theories, env = NONE})
        end
    | _ => err_no_env ()) |>
  Sign.parent_path;

val why3_warn_axioms = Attrib.setup_config_bool @{binding "why3_warn_axioms"} (K true);

fun unrealized_axioms thy decls =
  if Config.get_global thy why3_warn_axioms then
    (case filter (fn (Axiom _, _) => true | _ => false) decls of
       [] => ()
     | decls' => warning (Pretty.string_of (Pretty.chunks2
         [Pretty.str "Unrealized axioms", pretty_decls thy (K true, K "") decls'])))
  else ();

fun process_decls consts types x path = elem "theory" (fn atts =>
  (fn imports :: xs => elem "realized" (fn _ => fn rs => fn thy =>
        let
          val thyname = get_name atts;
          val realize = get_bool "realize" atts;
          val _ =
            realize orelse
            Path.is_basic path andalso
            let val (path', ext) = Path.split_ext path
            in
              Path.implode path' = Context.theory_name thy andalso
              ext = "xml"
            end orelse
            error "Name of Why3 file does not match name of theory";
          val (ds, thy') = thy |>
            Sign.add_path thyname |>
            init_decls thyname consts types |>
            pair [] |>
            fold (fn x => fn (ds, thy) =>
              let
                val d = read_decl (Named_Target.theory_init thy) x;
                val (tm, (thy', b)) = Timing.timing (mk_decl realize d) thy
              in ((b ? cons (d, tm)) ds, thy') end) xs |>
            apfst rev;
          val _ = unrealized_axioms thy' ds
        in put_decls ds thy' end) imports
    | _ => error "Bad theory specification")) x


(**** commands ****)

fun why3_open ((file, consts), types) thy =
  let val ({src_path, lines, ...}: Token.file, thy') = file thy;
  in process_decls
    (map (apsnd (Sign.intern_const thy)) consts)
    (map (apsnd (Sign.intern_type thy)) types)
    (parse_xml (cat_lines lines)) src_path thy'
  end;

fun prove_vc vc_name lthy =
  let
    val thy = Proof_Context.theory_of lthy;
    val (ctxt, stmt) = get_vc thy vc_name
  in
    Specification.theorem true Thm.theoremK NONE
      (fn thmss => (Local_Theory.background_theory
         (mark_proved vc_name (flat thmss))))
      (fact_binding vc_name, []) [] [ctxt] stmt false lthy
  end;

val _ =
  Outer_Syntax.command @{command_keyword "why3_open"}
    "open a new Why3 environment and load a Why3-generated .xml file"
    (Resources.provide_parse_file --
     Scan.optional (Parse.reserved "constants" |-- Parse.!!! (Scan.repeat1
       (Parse.name --| Args.$$$ "=" -- Parse.!!! Parse.name))) [] --
     Scan.optional (Parse.reserved "types" |-- (Scan.repeat1
       (Parse.name --| Args.$$$ "=" -- Parse.!!! Parse.name))) [] >>
     (Toplevel.theory o why3_open));

val _ =
  Outer_Syntax.command @{command_keyword "why3_vc"}
    "enter into proof mode for a specific verification condition"
    (Parse.name >> (fn name =>
      (Toplevel.local_theory_to_proof NONE NONE (prove_vc name))));

val _ =
  Outer_Syntax.command @{command_keyword "why3_status"}
    "show the name and state of all loaded verification conditions"
    (Scan.optional
       ((   Args.$$$ "cname" >> K has_cname
         || Args.$$$ "tyname" >> K has_tyname
         || Args.$$$ "name" >> K has_name) --|
        Args.colon -- Args.name >> mk_decl_filter) I --
     Scan.optional
       (Args.parens
          (   Args.$$$ "proved" >> K (is_some, K "")
           || Args.$$$ "unproved" >> K (is_none, K "")))
       (K true, string_of_status) >> (fn args =>
        Toplevel.keep (fn state => show_status (Toplevel.theory_of state) args)))

val _ =
  Outer_Syntax.command @{command_keyword "why3_end"}
    "close the current Why3 environment"
    (Scan.optional (@{keyword "("} |-- Parse.!!!
         (Parse.reserved "incomplete" --| @{keyword ")"}) >> K true) false >>
       (Toplevel.theory o close));

val _ =
  Outer_Syntax.command @{command_keyword "why3_consts"}
    "associate Why3 constants with constants"
    (Scan.repeat1 (Parse.name --| Args.$$$ "=" -- Parse.name) >>
       (Toplevel.theory o fold add_why3_const));

val _ =
  Outer_Syntax.command @{command_keyword "why3_types"}
    "associate Why3 types with types"
    (Scan.repeat1 (Parse.name --| Args.$$$ "=" -- Parse.name) >>
       (Toplevel.theory o fold add_why3_type));

val _ =
  Outer_Syntax.command @{command_keyword "why3_thms"}
    "associate Why3 axioms with theorems"
    (Parse.and_list1 (Parse.name --| Args.$$$ "=" -- Parse.thms1) >>
       (Toplevel.theory o fold add_why3_thm_cmd));

val _ =
  Outer_Syntax.command @{command_keyword "why3_defs"}
    "associate Why3 definitions with definitions"
    (Parse.and_list1 (Parse.name --| Args.$$$ "=" -- Parse.thms1) >>
       (Toplevel.theory o fold add_why3_def_cmd));

val setup = Theory.at_end (fn thy =>
  let
    val _ = is_closed thy
      orelse error ("Found the end of the theory, " ^
        "but the last Why3 environment is still open.")
  in NONE end);

end;
why3-1.6.0/lib/pvs/000077500000000000000000000000001440160026300137625ustar00rootroot00000000000000why3-1.6.0/lib/pvs/floating_point/000077500000000000000000000000001440160026300167765ustar00rootroot00000000000000why3-1.6.0/lib/pvs/floating_point/Double.pvs000066400000000000000000000075061440160026300207520ustar00rootroot00000000000000Double: THEORY
 BEGIN
  IMPORTING int@Int
  IMPORTING real@Real
  IMPORTING real@Abs
  IMPORTING real@FromInt
  IMPORTING Rounding
  IMPORTING DoubleFormat
  % do not edit above this line
  
  % Why3 round
  round(x:Rounding.mode, x1:real): real
  
  % Why3 round_logic
  round_logic(x:Rounding.mode, x1:real): DoubleFormat.double
  
  % Why3 value
  value(x:DoubleFormat.double): real
  
  % Why3 exact
  exact(x:DoubleFormat.double): real
  
  % Why3 model
  model(x:DoubleFormat.double): real
  
  % Why3 round_error
  round_error(x:DoubleFormat.double): real = abs((value(x) - exact(x)))
  
  % Why3 total_error
  total_error(x:DoubleFormat.double): real = abs((value(x) - model(x)))
  
  % Why3 no_overflow
  no_overflow(m:Rounding.mode, x:real): bool = (abs(round(m,
    x)) <= DoubleFormat.max_double)
  
  % Why3 bounded_real_no_overflow
  bounded_real_no_overflow: LEMMA FORALL (m:Rounding.mode, x:real):
    (abs(x) <= DoubleFormat.max_double) => no_overflow(m, x)
  
  % Why3 round_monotonic
  round_monotonic: LEMMA FORALL (m:Rounding.mode, x:real, y:real):
    (x <= y) => (round(m, x) <= round(m, y))
  
  % Why3 round_idempotent
  round_idempotent: LEMMA FORALL (m1:Rounding.mode, m2:Rounding.mode,
    x:real): (round(m1, round(m2, x)) = round(m2, x))
  
  % Why3 round_value
  round_value: LEMMA FORALL (m:Rounding.mode, x:DoubleFormat.double):
    (round(m, value(x)) = value(x))
  
  % Why3 bounded_value
  bounded_value: LEMMA FORALL (x:DoubleFormat.double):
    (abs(value(x)) <= DoubleFormat.max_double)
  
  % Why3 exact_rounding_for_integers
  exact_rounding_for_integers: LEMMA FORALL (m:Rounding.mode, i:int):
    (((-DoubleFormat.max_int) <= i) AND (i <= DoubleFormat.max_int)) =>
    (round(m, (i :: real)) = (i :: real))
  
  % Why3 round_down_le
  round_down_le: LEMMA FORALL (x:real): (round(Rounding.down, x) <= x)
  
  % Why3 round_up_ge
  round_up_ge: LEMMA FORALL (x:real): (round(Rounding.up, x) >= x)
  
  % Why3 round_down_neg
  round_down_neg: LEMMA FORALL (x:real): (round(Rounding.down,
    (-x)) = (-round(Rounding.up, x)))
  
  % Why3 round_up_neg
  round_up_neg: LEMMA FORALL (x:real): (round(Rounding.up,
    (-x)) = (-round(Rounding.down, x)))
  
  % Why3 of_real_post
  of_real_post(m:Rounding.mode, x:real, res:DoubleFormat.double): bool =
    (value(res) = round(m, x)) AND ((exact(res) = x) AND (model(res) = x))
  
  % Why3 add_post
  add_post(m:Rounding.mode, x:DoubleFormat.double, y:DoubleFormat.double,
    res:DoubleFormat.double): bool = (value(res) = round(m,
    (value(x) + value(y)))) AND ((exact(res) = (exact(x) + exact(y))) AND
    (model(res) = (model(x) + model(y))))
  
  % Why3 sub_post
  sub_post(m:Rounding.mode, x:DoubleFormat.double, y:DoubleFormat.double,
    res:DoubleFormat.double): bool = (value(res) = round(m,
    (value(x) - value(y)))) AND ((exact(res) = (exact(x) - exact(y))) AND
    (model(res) = (model(x) - model(y))))
  
  % Why3 mul_post
  mul_post(m:Rounding.mode, x:DoubleFormat.double, y:DoubleFormat.double,
    res:DoubleFormat.double): bool = (value(res) = round(m,
    (value(x) * value(y)))) AND ((exact(res) = (exact(x) * exact(y))) AND
    (model(res) = (model(x) * model(y))))
  
  % Why3 div_post
  div_post(m:Rounding.mode, x:DoubleFormat.double, y:DoubleFormat.double,
    res:DoubleFormat.double): bool = (value(res) = round(m,
    real@Real.infix_sl(value(x), value(y)))) AND
    ((exact(res) = real@Real.infix_sl(exact(x), exact(y))) AND
    (model(res) = real@Real.infix_sl(model(x), model(y))))
  
  % Why3 neg_post
  neg_post(x:DoubleFormat.double, res:DoubleFormat.double): bool =
    (value(res) = (-value(x))) AND ((exact(res) = (-exact(x))) AND
    (model(res) = (-model(x))))
  
  % Why3 lt
  lt(x:DoubleFormat.double, y:DoubleFormat.double): bool =
    (value(x) <  value(y))
  
  % Why3 gt
  gt(x:DoubleFormat.double, y:DoubleFormat.double): bool =
    (value(x) >  value(y))
  
  
 END Double
 why3-1.6.0/lib/pvs/floating_point/DoubleFormat.pvs000066400000000000000000000010311440160026300221060ustar00rootroot00000000000000DoubleFormat: THEORY
 BEGIN
  % do not edit above this line
  
  % Why3 double
  double: TYPE+
  
  % Why3 max_double
  max_double: real =
    (9007199254740991 * 19958403095347198116563727130368385660674512604354575415025472424372118918689640657849579654926357010893424468441924952439724379883935936607391717982848314203200056729510856765175377214443629871826533567445439239933308104551208703888888552684480441575071209068757560416423584952303440099278848)
  
  % Why3 max_int
  max_int: int = 9007199254740992
  
  
 END DoubleFormat
 why3-1.6.0/lib/pvs/floating_point/Rounding.pvs000066400000000000000000000004101440160026300213100ustar00rootroot00000000000000Rounding: THEORY
 BEGIN
  % do not edit above this line
  
  % Why3 mode
  mode: DATATYPE
   BEGIN
    nearesttiestoeven: nearesttiestoeven?
    tozero: tozero?
    up: up?
    down: down?
    nearesttiestoaway: nearesttiestoaway?
   END mode
  
  
 END Rounding
 why3-1.6.0/lib/pvs/floating_point/Single.pvs000066400000000000000000000075061440160026300207610ustar00rootroot00000000000000Single: THEORY
 BEGIN
  IMPORTING int@Int
  IMPORTING real@Real
  IMPORTING real@Abs
  IMPORTING real@FromInt
  IMPORTING Rounding
  IMPORTING SingleFormat
  % do not edit above this line
  
  % Why3 round
  round(x:Rounding.mode, x1:real): real
  
  % Why3 round_logic
  round_logic(x:Rounding.mode, x1:real): SingleFormat.single
  
  % Why3 value
  value(x:SingleFormat.single): real
  
  % Why3 exact
  exact(x:SingleFormat.single): real
  
  % Why3 model
  model(x:SingleFormat.single): real
  
  % Why3 round_error
  round_error(x:SingleFormat.single): real = abs((value(x) - exact(x)))
  
  % Why3 total_error
  total_error(x:SingleFormat.single): real = abs((value(x) - model(x)))
  
  % Why3 no_overflow
  no_overflow(m:Rounding.mode, x:real): bool = (abs(round(m,
    x)) <= SingleFormat.max_single)
  
  % Why3 bounded_real_no_overflow
  bounded_real_no_overflow: LEMMA FORALL (m:Rounding.mode, x:real):
    (abs(x) <= SingleFormat.max_single) => no_overflow(m, x)
  
  % Why3 round_monotonic
  round_monotonic: LEMMA FORALL (m:Rounding.mode, x:real, y:real):
    (x <= y) => (round(m, x) <= round(m, y))
  
  % Why3 round_idempotent
  round_idempotent: LEMMA FORALL (m1:Rounding.mode, m2:Rounding.mode,
    x:real): (round(m1, round(m2, x)) = round(m2, x))
  
  % Why3 round_value
  round_value: LEMMA FORALL (m:Rounding.mode, x:SingleFormat.single):
    (round(m, value(x)) = value(x))
  
  % Why3 bounded_value
  bounded_value: LEMMA FORALL (x:SingleFormat.single):
    (abs(value(x)) <= SingleFormat.max_single)
  
  % Why3 exact_rounding_for_integers
  exact_rounding_for_integers: LEMMA FORALL (m:Rounding.mode, i:int):
    (((-SingleFormat.max_int) <= i) AND (i <= SingleFormat.max_int)) =>
    (round(m, (i :: real)) = (i :: real))
  
  % Why3 round_down_le
  round_down_le: LEMMA FORALL (x:real): (round(Rounding.down, x) <= x)
  
  % Why3 round_up_ge
  round_up_ge: LEMMA FORALL (x:real): (round(Rounding.up, x) >= x)
  
  % Why3 round_down_neg
  round_down_neg: LEMMA FORALL (x:real): (round(Rounding.down,
    (-x)) = (-round(Rounding.up, x)))
  
  % Why3 round_up_neg
  round_up_neg: LEMMA FORALL (x:real): (round(Rounding.up,
    (-x)) = (-round(Rounding.down, x)))
  
  % Why3 of_real_post
  of_real_post(m:Rounding.mode, x:real, res:SingleFormat.single): bool =
    (value(res) = round(m, x)) AND ((exact(res) = x) AND (model(res) = x))
  
  % Why3 add_post
  add_post(m:Rounding.mode, x:SingleFormat.single, y:SingleFormat.single,
    res:SingleFormat.single): bool = (value(res) = round(m,
    (value(x) + value(y)))) AND ((exact(res) = (exact(x) + exact(y))) AND
    (model(res) = (model(x) + model(y))))
  
  % Why3 sub_post
  sub_post(m:Rounding.mode, x:SingleFormat.single, y:SingleFormat.single,
    res:SingleFormat.single): bool = (value(res) = round(m,
    (value(x) - value(y)))) AND ((exact(res) = (exact(x) - exact(y))) AND
    (model(res) = (model(x) - model(y))))
  
  % Why3 mul_post
  mul_post(m:Rounding.mode, x:SingleFormat.single, y:SingleFormat.single,
    res:SingleFormat.single): bool = (value(res) = round(m,
    (value(x) * value(y)))) AND ((exact(res) = (exact(x) * exact(y))) AND
    (model(res) = (model(x) * model(y))))
  
  % Why3 div_post
  div_post(m:Rounding.mode, x:SingleFormat.single, y:SingleFormat.single,
    res:SingleFormat.single): bool = (value(res) = round(m,
    real@Real.infix_sl(value(x), value(y)))) AND
    ((exact(res) = real@Real.infix_sl(exact(x), exact(y))) AND
    (model(res) = real@Real.infix_sl(model(x), model(y))))
  
  % Why3 neg_post
  neg_post(x:SingleFormat.single, res:SingleFormat.single): bool =
    (value(res) = (-value(x))) AND ((exact(res) = (-exact(x))) AND
    (model(res) = (-model(x))))
  
  % Why3 lt
  lt(x:SingleFormat.single, y:SingleFormat.single): bool =
    (value(x) <  value(y))
  
  % Why3 gt
  gt(x:SingleFormat.single, y:SingleFormat.single): bool =
    (value(x) >  value(y))
  
  
 END Single
 why3-1.6.0/lib/pvs/floating_point/SingleFormat.pvs000066400000000000000000000004001440160026300221140ustar00rootroot00000000000000SingleFormat: THEORY
 BEGIN
  % do not edit above this line
  
  % Why3 single
  single: TYPE+
  
  % Why3 max_single
  max_single: real = (33554430 * 10141204801825835211973625643008)
  
  % Why3 max_int
  max_int: int = 16777216
  
  
 END SingleFormat
 why3-1.6.0/lib/pvs/int/000077500000000000000000000000001440160026300145545ustar00rootroot00000000000000why3-1.6.0/lib/pvs/int/Abs.prf000066400000000000000000000021301440160026300157660ustar00rootroot00000000000000(Abs
 (abs_le 0
  (abs_le-1 nil 3551211503 ("" (grind) nil nil)
   ((boolean nonempty-type-decl nil booleans nil)
    (bool nonempty-type-eq-decl nil booleans nil)
    (NOT const-decl "[bool -> bool]" booleans nil)
    (number nonempty-type-decl nil numbers nil)
    (number_field_pred const-decl "[number -> boolean]" number_fields
     nil)
    (number_field nonempty-type-from-decl nil number_fields nil)
    (real_pred const-decl "[number_field -> boolean]" reals nil)
    (real nonempty-type-from-decl nil reals nil)
    (rational_pred const-decl "[real -> boolean]" rationals nil)
    (rational nonempty-type-from-decl nil rationals nil)
    (integer_pred const-decl "[rational -> boolean]" integers nil)
    (int nonempty-type-eq-decl nil integers nil)
    (real_lt_is_strict_total_order name-judgement
     "(strict_total_order?[real])" real_props nil)
    (minus_int_is_int application-judgement "int" integers nil)
    (real_le_is_total_order name-judgement "(total_order?[real])"
     real_props nil)
    (abs const-decl "{n: nonneg_real | n >= m AND n >= -m}" real_defs
         nil))
   shostak)))

why3-1.6.0/lib/pvs/int/Abs.pvs000066400000000000000000000004131440160026300160110ustar00rootroot00000000000000Abs: THEORY
 BEGIN
  IMPORTING Int
  % do not edit above this line
  
  % Why3 abs_le
  abs_le: LEMMA FORALL (x:int, y:int): (abs(x) <= y) <=> (((-y) <= x) AND
    (x <= y))
  
  % Obsolete chunk abs_pos
  % abs_pos: LEMMA FORALL (x:int): (abs1(x) >= 0)
  
 END Abs
 why3-1.6.0/lib/pvs/int/ComputerDivision.prf000066400000000000000000000054711440160026300205770ustar00rootroot00000000000000(ComputerDivision
 (div_mod 0
  (div_mod-1 nil 3551625251 ("" (grind) nil nil)
   ((boolean nonempty-type-decl nil booleans nil)
    (bool nonempty-type-eq-decl nil booleans nil)
    (NOT const-decl "[bool -> bool]" booleans nil)
    (number nonempty-type-decl nil numbers nil)
    (number_field_pred const-decl "[number -> boolean]" number_fields
     nil)
    (number_field nonempty-type-from-decl nil number_fields nil)
    (real_pred const-decl "[number_field -> boolean]" reals nil)
    (real nonempty-type-from-decl nil reals nil)
    (rational_pred const-decl "[real -> boolean]" rationals nil)
    (rational nonempty-type-from-decl nil rationals nil)
    (integer_pred const-decl "[rational -> boolean]" integers nil)
    (int nonempty-type-eq-decl nil integers nil)
    (real_lt_is_strict_total_order name-judgement
     "(strict_total_order?[real])" real_props nil)
    (/= const-decl "boolean" notequal nil)
    (sgn const-decl "int" real_defs nil)
    (abs const-decl "{n: nonneg_real | n >= m AND n >= -m}" real_defs
         nil)
    (div const-decl "integer" div "ints/")
    (rem const-decl "{k | abs(k) < abs(j)}" rem "ints/")
    (int_abs_is_nonneg application-judgement "{j: nonneg_int | j >= i}"
     real_defs nil)
    (minus_int_is_int application-judgement "int" integers nil)
    (minus_odd_is_odd application-judgement "odd_int" integers nil)
    (mult_divides1 application-judgement "(divides(n))" divides nil)
    (mult_divides2 application-judgement "(divides(m))" divides nil))
   shostak))
 (div_bound 0
  (div_bound-1 nil 3551625260
   ("" (grind) (("1" (postpone) nil nil) ("2" (postpone) nil nil)) nil)
   nil shostak))
 (mod_bound 0
  (mod_bound-1 nil 3551625904 ("" (default-strategy)) nil shostak))
 (div_sign_pos 0
  (div_sign_pos-1 nil 3551625906 ("" (default-strategy)) nil shostak))
 (div_sign_neg 0
  (div_sign_neg-1 nil 3551625906 ("" (default-strategy)) nil shostak))
 (mod_sign_pos 0
  (mod_sign_pos-1 nil 3551625906 ("" (default-strategy)) nil shostak))
 (mod_sign_neg 0
  (mod_sign_neg-1 nil 3551625907 ("" (default-strategy)) nil shostak))
 (rounds_toward_zero 0
  (rounds_toward_zero-1 nil 3551625313
   ("" (grind)
    (("1" (postpone) nil nil) ("2" (postpone) nil nil)
     ("3" (postpone) nil nil) ("4" (postpone) nil nil)
     ("5" (postpone) nil nil) ("6" (postpone) nil nil)
     ("7" (postpone) nil nil) ("8" (postpone) nil nil))
    nil)
   nil shostak))
 (div_1 0 (div_1-1 nil 3551625908 ("" (default-strategy)) nil shostak))
 (mod_1 0 (mod_1-1 nil 3551625908 ("" (default-strategy)) nil shostak))
 (div_inf 0
  (div_inf-1 nil 3551625909 ("" (default-strategy)) nil shostak))
 (mod_inf 0
  (mod_inf-1 nil 3551625909 ("" (default-strategy)) nil shostak))
 (div_mult 0
  (div_mult-1 nil 3551625910 ("" (default-strategy)) nil shostak))
 (mod_mult 0
  (mod_mult-1 nil 3551625910 ("" (default-strategy)) nil shostak)))

why3-1.6.0/lib/pvs/int/ComputerDivision.pvs000066400000000000000000000037561440160026300206240ustar00rootroot00000000000000ComputerDivision: THEORY
 BEGIN
  IMPORTING Int
  IMPORTING Abs
  % do not edit above this line
  
  IMPORTING ints@div, ints@rem
  
  div_total(x: int): int
  
  % Why3 div
  div(x:int,
    x1:int): MACRO int =  IF x1 /= 0 THEN div(x, x1) ELSE div_total(x) ENDIF
  
  % Why3 mod1
  mod1(x:int, x1:int): int
  
  mod_total(x: int): int
  
  % Why3 div_mod
  div_mod: LEMMA FORALL (x:int, y:int): (NOT (y = 0)) => (x = ((y * div(x,
    y)) + mod1(x, y)))
  
  % Why3 div_bound
  div_bound: LEMMA FORALL (x:int, y:int): ((x >= 0) AND (y >  0)) =>
    ((0 <= div(x, y)) AND (div(x, y) <= x))
  
  % Why3 mod_bound
  mod_bound: LEMMA FORALL (x:int, y:int): (NOT (y = 0)) =>
    (((-abs(y)) <  mod1(x, y)) AND (mod1(x, y) <  abs(y)))
  
  % Why3 div_sign_pos
  div_sign_pos: LEMMA FORALL (x:int, y:int): ((x >= 0) AND (y >  0)) =>
    (div(x, y) >= 0)
  
  % Why3 div_sign_neg
  div_sign_neg: LEMMA FORALL (x:int, y:int): ((x <= 0) AND (y >  0)) =>
    (div(x, y) <= 0)
  
  % Why3 mod_sign_pos
  mod_sign_pos: LEMMA FORALL (x:int, y:int): ((x >= 0) AND NOT (y = 0)) =>
    (mod1(x, y) >= 0)
  
  % Why3 mod_sign_neg
  mod_sign_neg: LEMMA FORALL (x:int, y:int): ((x <= 0) AND NOT (y = 0)) =>
    (mod1(x, y) <= 0)
  
  % Why3 rounds_toward_zero
  rounds_toward_zero: LEMMA FORALL (x:int, y:int): (NOT (y = 0)) =>
    (abs((div(x, y) * y)) <= abs(x))
  
  % Why3 div_1
  div_1: LEMMA FORALL (x:int): (div(x, 1) = x)
  
  % Why3 mod_1
  mod_1: LEMMA FORALL (x:int): (mod1(x, 1) = 0)
  
  % Why3 div_inf
  div_inf: LEMMA FORALL (x:int, y:int): ((0 <= x) AND (x <  y)) => (div(x,
    y) = 0)
  
  % Why3 mod_inf
  mod_inf: LEMMA FORALL (x:int, y:int): ((0 <= x) AND (x <  y)) => (mod1(x,
    y) = x)
  
  % Why3 div_mult
  div_mult: LEMMA FORALL (x:int, y:int, z:int): ((x >  0) AND ((y >= 0) AND
    (z >= 0))) => (div(((x * y) + z), x) = (y + div(z, x)))
  
  % Why3 mod_mult
  mod_mult: LEMMA FORALL (x:int, y:int, z:int): ((x >  0) AND ((y >= 0) AND
    (z >= 0))) => (mod1(((x * y) + z), x) = mod1(z, x))
  
  
 END ComputerDivision
 why3-1.6.0/lib/pvs/int/EuclideanDivision.prf000066400000000000000000000042661440160026300206730ustar00rootroot00000000000000(EuclideanDivision
 (div_mod 0
  (div_mod-1 nil 3551625869 ("" (default-strategy))
   ((mod const-decl "{k | abs(k) < abs(j)}" tmod "ints/")
    (tdiv const-decl "integer" tdiv "ints/"))
   shostak))
 (div_bound 0
  (div_bound-1 nil 3551625870 ("" (default-strategy)) nil shostak))
 (mod_bound 0
  (mod_bound-1 nil 3551625870
   ("" (default-strategy)
    (("1" (postpone) nil nil) ("2" (postpone) nil nil)
     ("3" (postpone) nil nil))
    nil)
   nil shostak))
 (mod_1 0
  (mod_1-1 nil 3551625870 ("" (default-strategy))
   ((mod const-decl "{k | abs(k) < abs(j)}" tmod "ints/")
    (tdiv const-decl "integer" tdiv "ints/"))
   shostak))
 (div_1 0
  (div_1-1 nil 3551625870 ("" (default-strategy))
   ((tdiv const-decl "integer" tdiv "ints/")
    (rat_div_nzrat_is_rat application-judgement "rat" rationals nil)
    (int nonempty-type-eq-decl nil integers nil)
    (integer_pred const-decl "[rational -> boolean]" integers nil)
    (rational nonempty-type-from-decl nil rationals nil)
    (rational_pred const-decl "[real -> boolean]" rationals nil)
    (real nonempty-type-from-decl nil reals nil)
    (real_pred const-decl "[number_field -> boolean]" reals nil)
    (number_field nonempty-type-from-decl nil number_fields nil)
    (number_field_pred const-decl "[number -> boolean]" number_fields
     nil)
    (number nonempty-type-decl nil numbers nil)
    (NOT const-decl "[bool -> bool]" booleans nil)
    (bool nonempty-type-eq-decl nil booleans nil)
    (boolean nonempty-type-decl nil booleans nil))
   shostak))
 (div_inf 0
  (div_inf-1 nil 3551625870 ("" (default-strategy)) nil shostak))
 (div_inf_neg 0
  (div_inf_neg-1 nil 3551625870 ("" (default-strategy)) nil shostak))
 (mod_0 0
  (mod_0-1 nil 3551625871 ("" (default-strategy))
   ((mod const-decl "{k | abs(k) < abs(j)}" tmod "ints/")
    (tdiv const-decl "integer" tdiv "ints/"))
   shostak))
 (div_1_left 0
  (div_1_left-1 nil 3551625871 ("" (default-strategy)) nil shostak))
 (div_minus1_left 0
  (div_minus1_left-1 nil 3551625871 ("" (default-strategy)) nil
   shostak))
 (mod_1_left 0
  (mod_1_left-1 nil 3551625871 ("" (default-strategy)) nil shostak))
 (mod_minus1_left 0
  (mod_minus1_left-1 nil 3551625871 ("" (default-strategy)) nil
   shostak)))

why3-1.6.0/lib/pvs/int/EuclideanDivision.pvs000066400000000000000000000034541440160026300207120ustar00rootroot00000000000000EuclideanDivision: THEORY
 BEGIN
  IMPORTING Int
  IMPORTING Abs
  % do not edit above this line
  
  IMPORTING ints@tdiv, ints@tmod
  
  div_total(x: int): int
  
  % Why3 div
  div(x:int,
    x1:int): MACRO int =  IF x1 /= 0 THEN tdiv(x, x1) ELSE div_total(x) ENDIF
  
  % Why3 mod1
  mod1(x:int, x1:int): int
  
  mod_total(x: int): int
  
  % Why3 div_mod
  div_mod: LEMMA FORALL (x:int, y:int): (NOT (y = 0)) => (x = ((y * div(x,
    y)) + mod1(x, y)))
  
  % Why3 div_bound
  div_bound: LEMMA FORALL (x:int, y:int): ((x >= 0) AND (y >  0)) =>
    ((0 <= div(x, y)) AND (div(x, y) <= x))
  
  % Why3 mod_bound
  mod_bound: LEMMA FORALL (x:int, y:int): (NOT (y = 0)) => ((0 <= mod1(x,
    y)) AND (mod1(x, y) <  abs(y)))
  
  % Why3 mod_1
  mod_1: LEMMA FORALL (x:int): (mod1(x, 1) = 0)
  
  % Why3 div_1
  div_1: LEMMA FORALL (x:int): (div(x, 1) = x)
  
  % Why3 div_inf
  div_inf: LEMMA FORALL (x:int, y:int): ((0 <= x) AND (x <  y)) => (div(x,
    y) = 0)
  
  % Why3 div_inf_neg
  div_inf_neg: LEMMA FORALL (x:int, y:int): ((0 <  x) AND (x <= y)) =>
    (div((-x), y) = (-1))
  
  % Why3 mod_0
  mod_0: LEMMA FORALL (y:int): (NOT (y = 0)) => (mod1(0, y) = 0)
  
  % Why3 div_1_left
  div_1_left: LEMMA FORALL (y:int): (y >  1) => (div(1, y) = 0)
  
  % Why3 div_minus1_left
  div_minus1_left: LEMMA FORALL (y:int): (y >  1) => (div((-1), y) = (-1))
  
  % Why3 mod_1_left
  mod_1_left: LEMMA FORALL (y:int): (y >  1) => (mod1(1, y) = 1)
  
  % Why3 mod_minus1_left
  mod_minus1_left: LEMMA FORALL (y:int): (y >  1) => (mod1((-1),
    y) = (y - 1))
  
  % Why3 div_mult
  div_mult: LEMMA FORALL (x:int, y:int, z:int): (x >  0) =>
    (div(((x * y) + z), x) = (y + div(z, x)))
  
  % Why3 mod_mult
  mod_mult: LEMMA FORALL (x:int, y:int, z:int): (x >  0) =>
    (mod1(((x * y) + z), x) = mod1(z, x))
  
  
 END EuclideanDivision
 why3-1.6.0/lib/pvs/int/Int.prf000066400000000000000000000154461440160026300160310ustar00rootroot00000000000000(Int
 (unit_def 0
  (unit_def-1 nil 3551114638 ("" (grind) nil nil)
   ((zero const-decl "int" Int nil)) shostak))
 (assoc 0
        (assoc-1 nil 3551114663 ("" (grind) nil nil)
         ((int_plus_int_is_int application-judgement "int" integers
           nil))
         shostak))
 (inv_def 0
  (inv_def-1 nil 3551114670 ("" (grind) nil nil)
   ((zero const-decl "int" Int nil)
    (minus_int_is_int application-judgement "int" integers nil))
   shostak))
 (comm 0 (comm-1 nil 3551114676 ("" (grind) nil nil) nil shostak))
 (assoc1 0
  (assoc1-1 nil 3551114692 ("" (grind) nil nil)
   ((mult_divides1 application-judgement "(divides(n))" divides nil)
    (mult_divides2 application-judgement "(divides(m))" divides nil))
   shostak))
 (mul_distr 0
  (mul_distr-1 nil 3551114708 ("" (grind) nil nil)
   ((mult_divides1 application-judgement "(divides(n))" divides nil)
    (mult_divides2 application-judgement "(divides(m))" divides nil))
   shostak))
 (comm1 0 (comm1-1 nil 3551114723 ("" (grind) nil nil) nil shostak))
 (unitary 0
  (unitary-1 nil 3551114731 ("" (grind) nil nil)
   ((one const-decl "int" Int nil)) shostak))
 (nontrivialring 0
  (nontrivialring-1 nil 3551114740 ("" (grind) nil nil)
   ((zero const-decl "int" Int nil) (one const-decl "int" Int nil))
   shostak))
 (refl 0
  (refl-1 nil 3551114750 ("" (grind) nil nil)
   ((infix_lseq const-decl "bool" Int nil)) shostak))
 (trans 0
  (trans-1 nil 3551114763 ("" (grind) nil nil)
   ((boolean nonempty-type-decl nil booleans nil)
    (bool nonempty-type-eq-decl nil booleans nil)
    (NOT const-decl "[bool -> bool]" booleans nil)
    (number nonempty-type-decl nil numbers nil)
    (number_field_pred const-decl "[number -> boolean]" number_fields
     nil)
    (number_field nonempty-type-from-decl nil number_fields nil)
    (real_pred const-decl "[number_field -> boolean]" reals nil)
    (real nonempty-type-from-decl nil reals nil)
    (rational_pred const-decl "[real -> boolean]" rationals nil)
    (rational nonempty-type-from-decl nil rationals nil)
    (integer_pred const-decl "[rational -> boolean]" integers nil)
    (int nonempty-type-eq-decl nil integers nil)
    (real_lt_is_strict_total_order name-judgement
     "(strict_total_order?[real])" real_props nil)
    (infix_lseq const-decl "bool" Int nil))
   shostak))
 (antisymm 0
  (antisymm-1 nil 3551114771 ("" (grind) nil nil)
   ((boolean nonempty-type-decl nil booleans nil)
    (bool nonempty-type-eq-decl nil booleans nil)
    (NOT const-decl "[bool -> bool]" booleans nil)
    (number nonempty-type-decl nil numbers nil)
    (number_field_pred const-decl "[number -> boolean]" number_fields
     nil)
    (number_field nonempty-type-from-decl nil number_fields nil)
    (real_pred const-decl "[number_field -> boolean]" reals nil)
    (real nonempty-type-from-decl nil reals nil)
    (rational_pred const-decl "[real -> boolean]" rationals nil)
    (rational nonempty-type-from-decl nil rationals nil)
    (integer_pred const-decl "[rational -> boolean]" integers nil)
    (int nonempty-type-eq-decl nil integers nil)
    (real_lt_is_strict_total_order name-judgement
     "(strict_total_order?[real])" real_props nil)
    (infix_lseq const-decl "bool" Int nil))
   shostak))
 (total 0
  (total-1 nil 3551114779 ("" (grind) nil nil)
   ((boolean nonempty-type-decl nil booleans nil)
    (bool nonempty-type-eq-decl nil booleans nil)
    (NOT const-decl "[bool -> bool]" booleans nil)
    (number nonempty-type-decl nil numbers nil)
    (number_field_pred const-decl "[number -> boolean]" number_fields
     nil)
    (number_field nonempty-type-from-decl nil number_fields nil)
    (real_pred const-decl "[number_field -> boolean]" reals nil)
    (real nonempty-type-from-decl nil reals nil)
    (rational_pred const-decl "[real -> boolean]" rationals nil)
    (rational nonempty-type-from-decl nil rationals nil)
    (integer_pred const-decl "[rational -> boolean]" integers nil)
    (int nonempty-type-eq-decl nil integers nil)
    (real_lt_is_strict_total_order name-judgement
     "(strict_total_order?[real])" real_props nil)
    (infix_lseq const-decl "bool" Int nil))
   shostak))
 (zerolessone 0
  (zerolessone-1 nil 3551114789 ("" (grind) nil nil)
   ((zero const-decl "int" Int nil) (one const-decl "int" Int nil)
    (infix_lseq const-decl "bool" Int nil)
    (real_lt_is_strict_total_order name-judgement
     "(strict_total_order?[real])" real_props nil))
   shostak))
 (compatorderadd 0
  (compatorderadd-1 nil 3551114796 ("" (grind) nil nil)
   ((boolean nonempty-type-decl nil booleans nil)
    (bool nonempty-type-eq-decl nil booleans nil)
    (NOT const-decl "[bool -> bool]" booleans nil)
    (number nonempty-type-decl nil numbers nil)
    (number_field_pred const-decl "[number -> boolean]" number_fields
     nil)
    (number_field nonempty-type-from-decl nil number_fields nil)
    (real_pred const-decl "[number_field -> boolean]" reals nil)
    (real nonempty-type-from-decl nil reals nil)
    (rational_pred const-decl "[real -> boolean]" rationals nil)
    (rational nonempty-type-from-decl nil rationals nil)
    (integer_pred const-decl "[rational -> boolean]" integers nil)
    (int nonempty-type-eq-decl nil integers nil)
    (real_lt_is_strict_total_order name-judgement
     "(strict_total_order?[real])" real_props nil)
    (int_plus_int_is_int application-judgement "int" integers nil)
    (infix_lseq const-decl "bool" Int nil))
   shostak))
 (compatordermult 0
  (compatordermult-1 nil 3551114806
   ("" (grind)
    (("" (auto-rewrite-theory "real_props") (("" (assert) nil nil))
      nil))
    nil)
   ((real_le_is_total_order name-judgement "(total_order?[real])"
     real_props nil)
    (real_ge_is_total_order name-judgement "(total_order?[real])"
     real_props nil)
    (real_gt_is_strict_total_order name-judgement
     "(strict_total_order?[real])" real_props nil)
    (both_sides_times_pos_lt1 formula-decl nil real_props nil)
    (mult_divides2 application-judgement "(divides(m))" divides nil)
    (mult_divides1 application-judgement "(divides(n))" divides nil)
    (real_lt_is_strict_total_order name-judgement
     "(strict_total_order?[real])" real_props nil)
    (boolean nonempty-type-decl nil booleans nil)
    (bool nonempty-type-eq-decl nil booleans nil)
    (NOT const-decl "[bool -> bool]" booleans nil)
    (number nonempty-type-decl nil numbers nil)
    (number_field_pred const-decl "[number -> boolean]" number_fields
     nil)
    (number_field nonempty-type-from-decl nil number_fields nil)
    (real_pred const-decl "[number_field -> boolean]" reals nil)
    (real nonempty-type-from-decl nil reals nil)
    (rational_pred const-decl "[real -> boolean]" rationals nil)
    (rational nonempty-type-from-decl nil rationals nil)
    (integer_pred const-decl "[rational -> boolean]" integers nil)
    (int nonempty-type-eq-decl nil integers nil)
    (zero const-decl "int" Int nil)
    (infix_lseq const-decl "bool" Int nil))
   shostak)))

why3-1.6.0/lib/pvs/int/Int.pvs000066400000000000000000000036401440160026300160430ustar00rootroot00000000000000Int: THEORY
 BEGIN
  % do not edit above this line
  
  % Obsolete chunk unit_def
  % unit_def: LEMMA FORALL (x:int): (infix_pl(x, zero) = x)
  
  % Obsolete chunk assoc
  % assoc: LEMMA FORALL (x:int, y:int, z:int): (infix_pl(infix_pl(x, y),
  %   z) = infix_pl(x, infix_pl(y, z)))
  
  % Obsolete chunk inv_def
  % inv_def: LEMMA FORALL (x:int): (infix_pl(x, prefix_mn(x)) = zero)
  
  % Obsolete chunk comm
  % comm: LEMMA FORALL (x:int, y:int): (infix_pl(x, y) = infix_pl(y, x))
  
  % Obsolete chunk assoc1
  % assoc1: LEMMA FORALL (x:int, y:int, z:int): (infix_as(infix_as(x, y),
  %   z) = infix_as(x, infix_as(y, z)))
  
  % Obsolete chunk mul_distr
  % mul_distr: LEMMA FORALL (x:int, y:int, z:int): (infix_as(x, infix_pl(y,
  %   z)) = infix_pl(infix_as(x, y), infix_as(x, z)))
  
  % Obsolete chunk comm1
  % comm1: LEMMA FORALL (x:int, y:int): (infix_as(x, y) = infix_as(y, x))
  
  % Obsolete chunk unitary
  % unitary: LEMMA FORALL (x:int): (infix_as(one, x) = x)
  
  % Obsolete chunk nontrivialring
  % nontrivialring: LEMMA NOT (zero = one)
  
  % Obsolete chunk refl
  % refl: LEMMA FORALL (x:int): infix_lseq(x, x)
  
  % Obsolete chunk trans
  % trans: LEMMA FORALL (x:int, y:int, z:int): infix_lseq(x, y) =>
  %   (infix_lseq(y, z) => infix_lseq(x, z))
  
  % Obsolete chunk antisymm
  % antisymm: LEMMA FORALL (x:int, y:int): infix_lseq(x, y) => (infix_lseq(y,
  %   x) => (x = y))
  
  % Obsolete chunk total
  % total: LEMMA FORALL (x:int, y:int): infix_lseq(x, y) OR infix_lseq(y, x)
  
  % Obsolete chunk zerolessone
  % zerolessone: LEMMA infix_lseq(zero, one)
  
  % Obsolete chunk compatorderadd
  % compatorderadd: LEMMA FORALL (x:int, y:int, z:int): infix_lseq(x, y) =>
  %   infix_lseq(infix_pl(x, z), infix_pl(y, z))
  
  % Obsolete chunk compatordermult
  % compatordermult: LEMMA FORALL (x:int, y:int, z:int): infix_lseq(x, y) =>
  %   (infix_lseq(zero, z) => infix_lseq(infix_as(x, z), infix_as(y, z)))
  
 END Int
 why3-1.6.0/lib/pvs/int/MinMax.prf000066400000000000000000000233121440160026300164570ustar00rootroot00000000000000(MinMax
 (max_is_ge 0
  (max_is_ge-1 nil 3551211318 ("" (grind) nil nil)
   ((boolean nonempty-type-decl nil booleans nil)
    (bool nonempty-type-eq-decl nil booleans nil)
    (NOT const-decl "[bool -> bool]" booleans nil)
    (number nonempty-type-decl nil numbers nil)
    (number_field_pred const-decl "[number -> boolean]" number_fields
     nil)
    (number_field nonempty-type-from-decl nil number_fields nil)
    (real_pred const-decl "[number_field -> boolean]" reals nil)
    (real nonempty-type-from-decl nil reals nil)
    (rational_pred const-decl "[real -> boolean]" rationals nil)
    (rational nonempty-type-from-decl nil rationals nil)
    (integer_pred const-decl "[rational -> boolean]" integers nil)
    (int nonempty-type-eq-decl nil integers nil)
    (real_lt_is_strict_total_order name-judgement
     "(strict_total_order?[real])" real_props nil)
    (max const-decl "{p: real | p >= m AND p >= n}" real_defs nil))
   shostak))
 (max_is_some 0
  (max_is_some-1 nil 3551211339 ("" (grind) nil nil)
   ((boolean nonempty-type-decl nil booleans nil)
    (bool nonempty-type-eq-decl nil booleans nil)
    (NOT const-decl "[bool -> bool]" booleans nil)
    (number nonempty-type-decl nil numbers nil)
    (number_field_pred const-decl "[number -> boolean]" number_fields
     nil)
    (number_field nonempty-type-from-decl nil number_fields nil)
    (real_pred const-decl "[number_field -> boolean]" reals nil)
    (real nonempty-type-from-decl nil reals nil)
    (rational_pred const-decl "[real -> boolean]" rationals nil)
    (rational nonempty-type-from-decl nil rationals nil)
    (integer_pred const-decl "[rational -> boolean]" integers nil)
    (int nonempty-type-eq-decl nil integers nil)
    (real_lt_is_strict_total_order name-judgement
     "(strict_total_order?[real])" real_props nil)
    (max const-decl "{p: real | p >= m AND p >= n}" real_defs nil))
   shostak))
 (min_is_le 0
  (min_is_le-1 nil 3551211351 ("" (grind) nil nil)
   ((boolean nonempty-type-decl nil booleans nil)
    (bool nonempty-type-eq-decl nil booleans nil)
    (NOT const-decl "[bool -> bool]" booleans nil)
    (number nonempty-type-decl nil numbers nil)
    (number_field_pred const-decl "[number -> boolean]" number_fields
     nil)
    (number_field nonempty-type-from-decl nil number_fields nil)
    (real_pred const-decl "[number_field -> boolean]" reals nil)
    (real nonempty-type-from-decl nil reals nil)
    (rational_pred const-decl "[real -> boolean]" rationals nil)
    (rational nonempty-type-from-decl nil rationals nil)
    (integer_pred const-decl "[rational -> boolean]" integers nil)
    (int nonempty-type-eq-decl nil integers nil)
    (real_gt_is_strict_total_order name-judgement
     "(strict_total_order?[real])" real_props nil)
    (min const-decl "{p: real | p <= m AND p <= n}" real_defs nil))
   shostak))
 (min_is_some 0
  (min_is_some-1 nil 3551211366 ("" (grind) nil nil)
   ((boolean nonempty-type-decl nil booleans nil)
    (bool nonempty-type-eq-decl nil booleans nil)
    (NOT const-decl "[bool -> bool]" booleans nil)
    (number nonempty-type-decl nil numbers nil)
    (number_field_pred const-decl "[number -> boolean]" number_fields
     nil)
    (number_field nonempty-type-from-decl nil number_fields nil)
    (real_pred const-decl "[number_field -> boolean]" reals nil)
    (real nonempty-type-from-decl nil reals nil)
    (rational_pred const-decl "[real -> boolean]" rationals nil)
    (rational nonempty-type-from-decl nil rationals nil)
    (integer_pred const-decl "[rational -> boolean]" integers nil)
    (int nonempty-type-eq-decl nil integers nil)
    (real_gt_is_strict_total_order name-judgement
     "(strict_total_order?[real])" real_props nil)
    (min const-decl "{p: real | p <= m AND p <= n}" real_defs nil))
   shostak))
 (max_x 0
  (max_x-1 nil 3551211390 ("" (grind) nil nil)
   ((boolean nonempty-type-decl nil booleans nil)
    (bool nonempty-type-eq-decl nil booleans nil)
    (NOT const-decl "[bool -> bool]" booleans nil)
    (number nonempty-type-decl nil numbers nil)
    (number_field_pred const-decl "[number -> boolean]" number_fields
     nil)
    (number_field nonempty-type-from-decl nil number_fields nil)
    (real_pred const-decl "[number_field -> boolean]" reals nil)
    (real nonempty-type-from-decl nil reals nil)
    (rational_pred const-decl "[real -> boolean]" rationals nil)
    (rational nonempty-type-from-decl nil rationals nil)
    (integer_pred const-decl "[rational -> boolean]" integers nil)
    (int nonempty-type-eq-decl nil integers nil)
    (real_ge_is_total_order name-judgement "(total_order?[real])"
     real_props nil)
    (real_lt_is_strict_total_order name-judgement
     "(strict_total_order?[real])" real_props nil)
    (max const-decl "{p: real | p >= m AND p >= n}" real_defs nil))
   shostak))
 (max_y 0
  (max_y-1 nil 3551211393 ("" (grind) nil nil)
   ((boolean nonempty-type-decl nil booleans nil)
    (bool nonempty-type-eq-decl nil booleans nil)
    (NOT const-decl "[bool -> bool]" booleans nil)
    (number nonempty-type-decl nil numbers nil)
    (number_field_pred const-decl "[number -> boolean]" number_fields
     nil)
    (number_field nonempty-type-from-decl nil number_fields nil)
    (real_pred const-decl "[number_field -> boolean]" reals nil)
    (real nonempty-type-from-decl nil reals nil)
    (rational_pred const-decl "[real -> boolean]" rationals nil)
    (rational nonempty-type-from-decl nil rationals nil)
    (integer_pred const-decl "[rational -> boolean]" integers nil)
    (int nonempty-type-eq-decl nil integers nil)
    (real_ge_is_total_order name-judgement "(total_order?[real])"
     real_props nil)
    (real_lt_is_strict_total_order name-judgement
     "(strict_total_order?[real])" real_props nil)
    (max const-decl "{p: real | p >= m AND p >= n}" real_defs nil))
   shostak))
 (min_x 0
  (min_x-1 nil 3551211397 ("" (grind) nil nil)
   ((boolean nonempty-type-decl nil booleans nil)
    (bool nonempty-type-eq-decl nil booleans nil)
    (NOT const-decl "[bool -> bool]" booleans nil)
    (number nonempty-type-decl nil numbers nil)
    (number_field_pred const-decl "[number -> boolean]" number_fields
     nil)
    (number_field nonempty-type-from-decl nil number_fields nil)
    (real_pred const-decl "[number_field -> boolean]" reals nil)
    (real nonempty-type-from-decl nil reals nil)
    (rational_pred const-decl "[real -> boolean]" rationals nil)
    (rational nonempty-type-from-decl nil rationals nil)
    (integer_pred const-decl "[rational -> boolean]" integers nil)
    (int nonempty-type-eq-decl nil integers nil)
    (real_ge_is_total_order name-judgement "(total_order?[real])"
     real_props nil)
    (real_gt_is_strict_total_order name-judgement
     "(strict_total_order?[real])" real_props nil)
    (min const-decl "{p: real | p <= m AND p <= n}" real_defs nil))
   shostak))
 (min_y 0
  (min_y-1 nil 3551211425 ("" (grind) nil nil)
   ((boolean nonempty-type-decl nil booleans nil)
    (bool nonempty-type-eq-decl nil booleans nil)
    (NOT const-decl "[bool -> bool]" booleans nil)
    (number nonempty-type-decl nil numbers nil)
    (number_field_pred const-decl "[number -> boolean]" number_fields
     nil)
    (number_field nonempty-type-from-decl nil number_fields nil)
    (real_pred const-decl "[number_field -> boolean]" reals nil)
    (real nonempty-type-from-decl nil reals nil)
    (rational_pred const-decl "[real -> boolean]" rationals nil)
    (rational nonempty-type-from-decl nil rationals nil)
    (integer_pred const-decl "[rational -> boolean]" integers nil)
    (int nonempty-type-eq-decl nil integers nil)
    (real_ge_is_total_order name-judgement "(total_order?[real])"
     real_props nil)
    (real_gt_is_strict_total_order name-judgement
     "(strict_total_order?[real])" real_props nil)
    (min const-decl "{p: real | p <= m AND p <= n}" real_defs nil))
   shostak))
 (max_sym 0
  (max_sym-1 nil 3551211430 ("" (grind) nil nil)
   ((boolean nonempty-type-decl nil booleans nil)
    (bool nonempty-type-eq-decl nil booleans nil)
    (NOT const-decl "[bool -> bool]" booleans nil)
    (number nonempty-type-decl nil numbers nil)
    (number_field_pred const-decl "[number -> boolean]" number_fields
     nil)
    (number_field nonempty-type-from-decl nil number_fields nil)
    (real_pred const-decl "[number_field -> boolean]" reals nil)
    (real nonempty-type-from-decl nil reals nil)
    (rational_pred const-decl "[real -> boolean]" rationals nil)
    (rational nonempty-type-from-decl nil rationals nil)
    (integer_pred const-decl "[rational -> boolean]" integers nil)
    (int nonempty-type-eq-decl nil integers nil)
    (real_ge_is_total_order name-judgement "(total_order?[real])"
     real_props nil)
    (real_lt_is_strict_total_order name-judgement
     "(strict_total_order?[real])" real_props nil)
    (max const-decl "{p: real | p >= m AND p >= n}" real_defs nil))
   shostak))
 (min_sym 0
  (min_sym-1 nil 3551211433 ("" (grind) nil nil)
   ((boolean nonempty-type-decl nil booleans nil)
    (bool nonempty-type-eq-decl nil booleans nil)
    (NOT const-decl "[bool -> bool]" booleans nil)
    (number nonempty-type-decl nil numbers nil)
    (number_field_pred const-decl "[number -> boolean]" number_fields
     nil)
    (number_field nonempty-type-from-decl nil number_fields nil)
    (real_pred const-decl "[number_field -> boolean]" reals nil)
    (real nonempty-type-from-decl nil reals nil)
    (rational_pred const-decl "[real -> boolean]" rationals nil)
    (rational nonempty-type-from-decl nil rationals nil)
    (integer_pred const-decl "[rational -> boolean]" integers nil)
    (int nonempty-type-eq-decl nil integers nil)
    (real_ge_is_total_order name-judgement "(total_order?[real])"
     real_props nil)
    (real_gt_is_strict_total_order name-judgement
     "(strict_total_order?[real])" real_props nil)
    (min const-decl "{p: real | p <= m AND p <= n}" real_defs nil))
   shostak)))

why3-1.6.0/lib/pvs/int/MinMax.pvs000066400000000000000000000020231440160026300164740ustar00rootroot00000000000000MinMax: THEORY
 BEGIN
  IMPORTING Int
  % do not edit above this line
  
  % Why3 max_is_ge
  max_is_ge: LEMMA FORALL (x:int, y:int): (max(x, y) >= x) AND
    (max(x, y) >= y)
  
  % Why3 max_is_some
  max_is_some: LEMMA FORALL (x:int, y:int): (max(x, y) = x) OR
    (max(x, y) = y)
  
  % Why3 min_is_le
  min_is_le: LEMMA FORALL (x:int, y:int): (x >= min(x, y)) AND
    (y >= min(x, y))
  
  % Why3 min_is_some
  min_is_some: LEMMA FORALL (x:int, y:int): (min(x, y) = x) OR
    (min(x, y) = y)
  
  % Why3 max_x
  max_x: LEMMA FORALL (x:int, y:int): (x >= y) => (max(x, y) = x)
  
  % Why3 max_y
  max_y: LEMMA FORALL (x:int, y:int): (y >= x) => (max(x, y) = y)
  
  % Why3 min_x
  min_x: LEMMA FORALL (x:int, y:int): (y >= x) => (min(x, y) = x)
  
  % Why3 min_y
  min_y: LEMMA FORALL (x:int, y:int): (x >= y) => (min(x, y) = y)
  
  % Why3 max_sym
  max_sym: LEMMA FORALL (x:int, y:int): (x >= y) => (max(x, y) = max(y, x))
  
  % Why3 min_sym
  min_sym: LEMMA FORALL (x:int, y:int): (x >= y) => (min(x, y) = min(y, x))
  
  
 END MinMax
 why3-1.6.0/lib/pvs/real/000077500000000000000000000000001440160026300147055ustar00rootroot00000000000000why3-1.6.0/lib/pvs/real/Abs.prf000066400000000000000000000037641440160026300161350ustar00rootroot00000000000000(Abs
 (abs_sum 0
  (abs_sum-1 nil 3551212620 ("" (default-strategy))
   ((abs const-decl "{n: nonneg_real | n >= m AND n >= -m}" real_defs
         nil)
    (minus_real_is_real application-judgement "real" reals nil)
    (real_lt_is_strict_total_order name-judgement
     "(strict_total_order?[real])" real_props nil)
    (real_plus_real_is_real application-judgement "real" reals nil)
    (real nonempty-type-from-decl nil reals nil)
    (real_pred const-decl "[number_field -> boolean]" reals nil)
    (number_field nonempty-type-from-decl nil number_fields nil)
    (number_field_pred const-decl "[number -> boolean]" number_fields
     nil)
    (number nonempty-type-decl nil numbers nil)
    (NOT const-decl "[bool -> bool]" booleans nil)
    (bool nonempty-type-eq-decl nil booleans nil)
    (boolean nonempty-type-decl nil booleans nil))
   shostak))
 (abs_prod 0
  (abs_prod-1 nil 3551212620
   ("" (default-strategy)
    (("1" (grind)
      (("1" (auto-rewrite-theory "real_props") (("1" (grind) nil nil))
        nil))
      nil)
     ("2" (postpone) nil nil) ("3" (postpone) nil nil)
     ("4" (postpone) nil nil))
    nil)
   nil shostak))
 (triangular_inequality 0
  (triangular_inequality-1 nil 3551212620 ("" (default-strategy))
   ((abs const-decl "{n: nonneg_real | n >= m AND n >= -m}" real_defs
         nil)
    (minus_real_is_real application-judgement "real" reals nil)
    (real_lt_is_strict_total_order name-judgement
     "(strict_total_order?[real])" real_props nil)
    (real_minus_real_is_real application-judgement "real" reals nil)
    (real nonempty-type-from-decl nil reals nil)
    (real_pred const-decl "[number_field -> boolean]" reals nil)
    (number_field nonempty-type-from-decl nil number_fields nil)
    (number_field_pred const-decl "[number -> boolean]" number_fields
     nil)
    (number nonempty-type-decl nil numbers nil)
    (NOT const-decl "[bool -> bool]" booleans nil)
    (bool nonempty-type-eq-decl nil booleans nil)
    (boolean nonempty-type-decl nil booleans nil))
   shostak)))

why3-1.6.0/lib/pvs/real/Abs.pvs000066400000000000000000000011711440160026300161440ustar00rootroot00000000000000Abs: THEORY
 BEGIN
  IMPORTING Real
  % do not edit above this line
  
  % Why3 abs_sum
  abs_sum: LEMMA FORALL (x:real, y:real): (abs((x + y)) <= (abs(x) + abs(y)))
  
  % Why3 abs_prod
  abs_prod: LEMMA FORALL (x:real, y:real): (abs((x * y)) = (abs(x) * abs(y)))
  
  % Why3 triangular_inequality
  triangular_inequality: LEMMA FORALL (x:real, y:real, z:real):
    (abs((x - z)) <= (abs((x - y)) + abs((y - z))))
  
  % Obsolete chunk abs_le
  % abs_le: LEMMA FORALL (x:real, y:real): (abs1(x) <= y) <=> (((-y) <= x) AND
  %   (x <= y))
  
  % Obsolete chunk abs_pos
  % abs_pos: LEMMA FORALL (x:real): (abs1(x) >= 0)
  
 END Abs
 why3-1.6.0/lib/pvs/real/ExpLog.prf000066400000000000000000000102051440160026300166120ustar00rootroot00000000000000(ExpLog
 (exp_zero 0
  (exp_zero-1 nil 3552165298 ("" (default-strategy))
   ((exp_0 formula-decl nil ln_exp "lnexp/")) shostak))
 (exp_sum 0
  (exp_sum-1 nil 3552165298 ("" (grind) (("" (postpone) nil nil)) nil)
   nil shostak))
 (log_TCC1 0
  (log_TCC1-1 nil 3552164963 ("" (grind) nil nil)
   ((boolean nonempty-type-decl nil booleans nil)
    (bool nonempty-type-eq-decl nil booleans nil)
    (NOT const-decl "[bool -> bool]" booleans nil)
    (number nonempty-type-decl nil numbers nil)
    (number_field_pred const-decl "[number -> boolean]" number_fields
     nil)
    (number_field nonempty-type-from-decl nil number_fields nil)
    (real_pred const-decl "[number_field -> boolean]" reals nil)
    (real nonempty-type-from-decl nil reals nil)
    (real_ge_is_total_order name-judgement "(total_order?[real])"
     real_props nil)
    (real_gt_is_strict_total_order name-judgement
     "(strict_total_order?[real])" real_props nil))
   nil))
 (log_one 0
  (log_one-1 nil 3552165298 ("" (default-strategy))
   ((real_gt_is_strict_total_order name-judgement
     "(strict_total_order?[real])" real_props nil)
    (ln_1 formula-decl nil ln_exp "lnexp/"))
   shostak))
 (log_mul_TCC1 0
  (log_mul_TCC1-1 nil 3552164963 ("" (grind) nil nil)
   ((boolean nonempty-type-decl nil booleans nil)
    (bool nonempty-type-eq-decl nil booleans nil)
    (NOT const-decl "[bool -> bool]" booleans nil)
    (number nonempty-type-decl nil numbers nil)
    (number_field_pred const-decl "[number -> boolean]" number_fields
     nil)
    (number_field nonempty-type-from-decl nil number_fields nil)
    (real_pred const-decl "[number_field -> boolean]" reals nil)
    (real nonempty-type-from-decl nil reals nil)
    (real_ge_is_total_order name-judgement "(total_order?[real])"
     real_props nil)
    (real_times_real_is_real application-judgement "real" reals nil)
    (real_gt_is_strict_total_order name-judgement
     "(strict_total_order?[real])" real_props nil))
   nil))
 (log_mul_TCC2 0
  (log_mul_TCC2-1 nil 3552164963 ("" (subtype-tcc) nil nil)
   ((boolean nonempty-type-decl nil booleans nil)
    (bool nonempty-type-eq-decl nil booleans nil)
    (NOT const-decl "[bool -> bool]" booleans nil)
    (number nonempty-type-decl nil numbers nil)
    (number_field_pred const-decl "[number -> boolean]" number_fields
     nil)
    (number_field nonempty-type-from-decl nil number_fields nil)
    (real_pred const-decl "[number_field -> boolean]" reals nil)
    (real nonempty-type-from-decl nil reals nil)
    (real_ge_is_total_order name-judgement "(total_order?[real])"
     real_props nil)
    (real_gt_is_strict_total_order name-judgement
     "(strict_total_order?[real])" real_props nil))
   nil))
 (log_mul 0
  (log_mul-1 nil 3552165298 ("" (default-strategy)) nil shostak))
 (log_exp_TCC1 0
  (log_exp_TCC1-1 nil 3552164963 ("" (subtype-tcc) nil nil)
   ((boolean nonempty-type-decl nil booleans nil)
    (bool nonempty-type-eq-decl nil booleans nil)
    (NOT const-decl "[bool -> bool]" booleans nil)
    (number nonempty-type-decl nil numbers nil)
    (number_field_pred const-decl "[number -> boolean]" number_fields
     nil)
    (number_field nonempty-type-from-decl nil number_fields nil)
    (real_pred const-decl "[number_field -> boolean]" reals nil)
    (real nonempty-type-from-decl nil reals nil)
    (real_ge_is_total_order name-judgement "(total_order?[real])"
     real_props nil)
    (real_gt_is_strict_total_order name-judgement
     "(strict_total_order?[real])" real_props nil))
   nil))
 (log_exp 0
  (log_exp-1 nil 3552165298 ("" (default-strategy))
   ((real_gt_is_strict_total_order name-judgement
     "(strict_total_order?[real])" real_props nil)
    (real nonempty-type-from-decl nil reals nil)
    (real_pred const-decl "[number_field -> boolean]" reals nil)
    (number_field nonempty-type-from-decl nil number_fields nil)
    (number_field_pred const-decl "[number -> boolean]" number_fields
     nil)
    (number nonempty-type-decl nil numbers nil)
    (NOT const-decl "[bool -> bool]" booleans nil)
    (bool nonempty-type-eq-decl nil booleans nil)
    (boolean nonempty-type-decl nil booleans nil))
   shostak))
 (exp_log 0
  (exp_log-1 nil 3552165298 ("" (default-strategy)) nil shostak)))

why3-1.6.0/lib/pvs/real/ExpLog.pvs000066400000000000000000000016611440160026300166410ustar00rootroot00000000000000ExpLog: THEORY
 BEGIN
  IMPORTING Real
  % do not edit above this line
  
  IMPORTING lnexp@ln_exp
  
  % Why3 exp
  exp(x:real): MACRO real = exp(x)
  
  % Why3 exp_zero
  exp_zero: LEMMA (exp(0) = 1)
  
  % Why3 exp_sum
  exp_sum: LEMMA FORALL (x:real, y:real): (exp((x + y)) = (exp(x) * exp(y)))
  
  % Why3 e
  e: real = exp(1)
  
  log_total(x: real): real

  % Why3 log
  log(x:real): MACRO real = IF x > 0 THEN ln(x) ELSE log_total(x) ENDIF
  
  % Why3 log_one
  log_one: LEMMA (log(1) = 0)
  
  % Why3 log_mul
  log_mul: LEMMA FORALL (x:real, y:real): ((x >  0) AND (y >  0)) =>
    (log((x * y)) = (log(x) + log(y)))
  
  % Why3 log_exp
  log_exp: LEMMA FORALL (x:real): (log(exp(x)) = x)
  
  % Why3 exp_log
  exp_log: LEMMA FORALL (x:real): (x >  0) => (exp(log(x)) = x)
  
  % Why3 log2
  log2(x:real): real = Real.infix_sl(log(x), log(2))
  
  % Why3 log10
  log10(x:real): real = Real.infix_sl(log(x), log(10))
  
  
 END ExpLog
 
why3-1.6.0/lib/pvs/real/FromInt.prf000066400000000000000000000006471440160026300170030ustar00rootroot00000000000000(FromInt
 (zero 0 (zero-1 nil 3551213833 ("" (default-strategy)) nil shostak))
 (one 0 (one-1 nil 3551213833 ("" (default-strategy)) nil shostak))
 (sub 0
  (sub-1 nil 3551213833 ("" (default-strategy))
   ((minus_odd_is_odd application-judgement "odd_int" integers nil))
   shostak))
 (mul 0 (mul-1 nil 3551213834 ("" (default-strategy)) nil shostak))
 (neg 0 (neg-1 nil 3551213834 ("" (default-strategy)) nil shostak)))

why3-1.6.0/lib/pvs/real/FromInt.pvs000066400000000000000000000012521440160026300170150ustar00rootroot00000000000000FromInt: THEORY
 BEGIN
  IMPORTING int@Int
  IMPORTING Real
  % do not edit above this line
  
  % Obsolete chunk zero
  % zero: LEMMA (from_int(0) = 0)
  
  % Obsolete chunk one
  % one: LEMMA (from_int(1) = 1)
  
  % Obsolete chunk add1
  % add1: LEMMA FORALL (x:int, y:int):
  %   (from_int((x + y)) = (from_int(x) + from_int(y)))
  
  % Obsolete chunk sub
  % sub: LEMMA FORALL (x:int, y:int):
  %   (from_int((x - y)) = (from_int(x) - from_int(y)))
  
  % Obsolete chunk mul
  % mul: LEMMA FORALL (x:int, y:int):
  %   (from_int((x * y)) = (from_int(x) * from_int(y)))
  
  % Obsolete chunk neg
  % neg: LEMMA FORALL (x:int): (from_int((-x)) = (-from_int(x)))
  
 END FromInt
 why3-1.6.0/lib/pvs/real/MinMax.prf000066400000000000000000000054421440160026300166140ustar00rootroot00000000000000(MinMax
 (max_is_ge 0
  (max_is_ge-1 nil 3551212581 ("" (default-strategy))
   ((max const-decl "{p: real | p >= m AND p >= n}" real_defs nil)
    (real_lt_is_strict_total_order name-judgement
     "(strict_total_order?[real])" real_props nil)
    (real nonempty-type-from-decl nil reals nil)
    (real_pred const-decl "[number_field -> boolean]" reals nil)
    (number_field nonempty-type-from-decl nil number_fields nil)
    (number_field_pred const-decl "[number -> boolean]" number_fields
     nil)
    (number nonempty-type-decl nil numbers nil)
    (NOT const-decl "[bool -> bool]" booleans nil)
    (bool nonempty-type-eq-decl nil booleans nil)
    (boolean nonempty-type-decl nil booleans nil))
   shostak))
 (max_is_some 0
  (max_is_some-1 nil 3551212581 ("" (default-strategy))
   ((max const-decl "{p: real | p >= m AND p >= n}" real_defs nil)
    (real_lt_is_strict_total_order name-judgement
     "(strict_total_order?[real])" real_props nil)
    (real nonempty-type-from-decl nil reals nil)
    (real_pred const-decl "[number_field -> boolean]" reals nil)
    (number_field nonempty-type-from-decl nil number_fields nil)
    (number_field_pred const-decl "[number -> boolean]" number_fields
     nil)
    (number nonempty-type-decl nil numbers nil)
    (NOT const-decl "[bool -> bool]" booleans nil)
    (bool nonempty-type-eq-decl nil booleans nil)
    (boolean nonempty-type-decl nil booleans nil))
   shostak))
 (min_is_le 0
  (min_is_le-1 nil 3551212581 ("" (default-strategy))
   ((min const-decl "{p: real | p <= m AND p <= n}" real_defs nil)
    (real_gt_is_strict_total_order name-judgement
     "(strict_total_order?[real])" real_props nil)
    (real nonempty-type-from-decl nil reals nil)
    (real_pred const-decl "[number_field -> boolean]" reals nil)
    (number_field nonempty-type-from-decl nil number_fields nil)
    (number_field_pred const-decl "[number -> boolean]" number_fields
     nil)
    (number nonempty-type-decl nil numbers nil)
    (NOT const-decl "[bool -> bool]" booleans nil)
    (bool nonempty-type-eq-decl nil booleans nil)
    (boolean nonempty-type-decl nil booleans nil))
   shostak))
 (min_is_some 0
  (min_is_some-1 nil 3551212581 ("" (default-strategy))
   ((min const-decl "{p: real | p <= m AND p <= n}" real_defs nil)
    (real_gt_is_strict_total_order name-judgement
     "(strict_total_order?[real])" real_props nil)
    (real nonempty-type-from-decl nil reals nil)
    (real_pred const-decl "[number_field -> boolean]" reals nil)
    (number_field nonempty-type-from-decl nil number_fields nil)
    (number_field_pred const-decl "[number -> boolean]" number_fields
     nil)
    (number nonempty-type-decl nil numbers nil)
    (NOT const-decl "[bool -> bool]" booleans nil)
    (bool nonempty-type-eq-decl nil booleans nil)
    (boolean nonempty-type-decl nil booleans nil))
   shostak)))

why3-1.6.0/lib/pvs/real/MinMax.pvs000066400000000000000000000011111440160026300166220ustar00rootroot00000000000000MinMax: THEORY
 BEGIN
  IMPORTING Real
  % do not edit above this line
  
  % Obsolete chunk max_is_ge
  % max_is_ge: LEMMA FORALL (x:real, y:real): (max1(x, y) >= x) AND (max1(x,
  %   y) >= y)
  
  % Obsolete chunk max_is_some
  % max_is_some: LEMMA FORALL (x:real, y:real): (max1(x, y) = x) OR (max1(x,
  %   y) = y)
  
  % Obsolete chunk min_is_le
  % min_is_le: LEMMA FORALL (x:real, y:real): (min1(x, y) <= x) AND (min1(x,
  %   y) <= y)
  
  % Obsolete chunk min_is_some
  % min_is_some: LEMMA FORALL (x:real, y:real): (min1(x, y) = x) OR (min1(x,
  %   y) = y)
  
 END MinMax
 why3-1.6.0/lib/pvs/real/PowerInt.prf000066400000000000000000000326101440160026300171670ustar00rootroot00000000000000(PowerInt
 (power_TCC1 0
  (power_TCC1-1 nil 3552165738 ("" (subtype-tcc) nil nil)
   ((boolean nonempty-type-decl nil booleans nil)
    (bool nonempty-type-eq-decl nil booleans nil)
    (NOT const-decl "[bool -> bool]" booleans nil)
    (number nonempty-type-decl nil numbers nil)
    (number_field_pred const-decl "[number -> boolean]" number_fields
     nil)
    (number_field nonempty-type-from-decl nil number_fields nil)
    (real_pred const-decl "[number_field -> boolean]" reals nil)
    (real nonempty-type-from-decl nil reals nil)
    (rational_pred const-decl "[real -> boolean]" rationals nil)
    (rational nonempty-type-from-decl nil rationals nil)
    (integer_pred const-decl "[rational -> boolean]" integers nil)
    (int nonempty-type-eq-decl nil integers nil)
    (real_lt_is_strict_total_order name-judgement
     "(strict_total_order?[real])" real_props nil)
    (real_ge_is_total_order name-judgement "(total_order?[real])"
     real_props nil)
    (/= const-decl "boolean" notequal nil))
   nil))
 (power_0_TCC1 0
  (power_0_TCC1-1 nil 3552165738 ("" (subtype-tcc) nil nil)
   ((/= const-decl "boolean" notequal nil)) nil))
 (power_0 0
  (power_0-1 nil 3552165759 ("" (grind))
   ((expt def-decl "real" exponentiation nil)
    (^ const-decl "real" exponentiation nil))
   shostak))
 (power_s_TCC1 0
  (power_s_TCC1-1 nil 3552165738 ("" (subtype-tcc) nil nil)
   ((boolean nonempty-type-decl nil booleans nil)
    (bool nonempty-type-eq-decl nil booleans nil)
    (NOT const-decl "[bool -> bool]" booleans nil)
    (number nonempty-type-decl nil numbers nil)
    (number_field_pred const-decl "[number -> boolean]" number_fields
     nil)
    (number_field nonempty-type-from-decl nil number_fields nil)
    (real_pred const-decl "[number_field -> boolean]" reals nil)
    (real nonempty-type-from-decl nil reals nil)
    (rational_pred const-decl "[real -> boolean]" rationals nil)
    (rational nonempty-type-from-decl nil rationals nil)
    (integer_pred const-decl "[rational -> boolean]" integers nil)
    (int nonempty-type-eq-decl nil integers nil)
    (int_minus_int_is_int application-judgement "int" integers nil)
    (real_lt_is_strict_total_order name-judgement
     "(strict_total_order?[real])" real_props nil)
    (int_plus_int_is_int application-judgement "int" integers nil)
    (real_ge_is_total_order name-judgement "(total_order?[real])"
     real_props nil)
    (/= const-decl "boolean" notequal nil))
   nil))
 (power_s 0
  (power_s-1 nil 3552165759 ("" (grind))
   ((boolean nonempty-type-decl nil booleans nil)
    (bool nonempty-type-eq-decl nil booleans nil)
    (NOT const-decl "[bool -> bool]" booleans nil)
    (number nonempty-type-decl nil numbers nil)
    (number_field_pred const-decl "[number -> boolean]" number_fields
     nil)
    (number_field nonempty-type-from-decl nil number_fields nil)
    (real_pred const-decl "[number_field -> boolean]" reals nil)
    (real nonempty-type-from-decl nil reals nil)
    (rational_pred const-decl "[real -> boolean]" rationals nil)
    (rational nonempty-type-from-decl nil rationals nil)
    (integer_pred const-decl "[rational -> boolean]" integers nil)
    (int nonempty-type-eq-decl nil integers nil)
    (int_minus_int_is_int application-judgement "int" integers nil)
    (real_times_real_is_real application-judgement "real" reals nil)
    (real_lt_is_strict_total_order name-judgement
     "(strict_total_order?[real])" real_props nil)
    (real_ge_is_total_order name-judgement "(total_order?[real])"
     real_props nil)
    (expt def-decl "real" exponentiation nil)
    (^ const-decl "real" exponentiation nil)
    (int_plus_int_is_int application-judgement "int" integers nil)
    (minus_int_is_int application-judgement "int" integers nil))
   shostak))
 (power_s_alt_TCC1 0
  (power_s_alt_TCC1-1 nil 3575890745 ("" (subtype-tcc) nil nil)
   ((boolean nonempty-type-decl nil booleans nil)
    (bool nonempty-type-eq-decl nil booleans nil)
    (NOT const-decl "[bool -> bool]" booleans nil)
    (number nonempty-type-decl nil numbers nil)
    (number_field_pred const-decl "[number -> boolean]" number_fields
     nil)
    (number_field nonempty-type-from-decl nil number_fields nil)
    (real_pred const-decl "[number_field -> boolean]" reals nil)
    (real nonempty-type-from-decl nil reals nil)
    (rational_pred const-decl "[real -> boolean]" rationals nil)
    (rational nonempty-type-from-decl nil rationals nil)
    (integer_pred const-decl "[rational -> boolean]" integers nil)
    (int nonempty-type-eq-decl nil integers nil)
    (real_lt_is_strict_total_order name-judgement
     "(strict_total_order?[real])" real_props nil)
    (int_minus_int_is_int application-judgement "int" integers nil)
    (real_gt_is_strict_total_order name-judgement
     "(strict_total_order?[real])" real_props nil)
    (real_ge_is_total_order name-judgement "(total_order?[real])"
     real_props nil)
    (/= const-decl "boolean" notequal nil))
   nil))
 (power_1_TCC1 0
  (power_1_TCC1-1 nil 3552165738 ("" (subtype-tcc) nil nil)
   ((/= const-decl "boolean" notequal nil)) nil))
 (power_1 0
  (power_1-1 nil 3552165759 ("" (grind))
   ((expt def-decl "real" exponentiation nil)
    (^ const-decl "real" exponentiation nil))
   shostak))
 (power_sum_TCC1 0
  (power_sum_TCC1-1 nil 3552165738 ("" (subtype-tcc) nil nil)
   ((boolean nonempty-type-decl nil booleans nil)
    (bool nonempty-type-eq-decl nil booleans nil)
    (NOT const-decl "[bool -> bool]" booleans nil)
    (number nonempty-type-decl nil numbers nil)
    (number_field_pred const-decl "[number -> boolean]" number_fields
     nil)
    (number_field nonempty-type-from-decl nil number_fields nil)
    (real_pred const-decl "[number_field -> boolean]" reals nil)
    (real nonempty-type-from-decl nil reals nil)
    (rational_pred const-decl "[real -> boolean]" rationals nil)
    (rational nonempty-type-from-decl nil rationals nil)
    (integer_pred const-decl "[rational -> boolean]" integers nil)
    (int nonempty-type-eq-decl nil integers nil)
    (real_lt_is_strict_total_order name-judgement
     "(strict_total_order?[real])" real_props nil)
    (int_plus_int_is_int application-judgement "int" integers nil)
    (real_le_is_total_order name-judgement "(total_order?[real])"
     real_props nil)
    (real_ge_is_total_order name-judgement "(total_order?[real])"
     real_props nil)
    (/= const-decl "boolean" notequal nil))
   nil))
 (power_sum_TCC2 0
  (power_sum_TCC2-1 nil 3552165738 ("" (subtype-tcc) nil nil)
   ((boolean nonempty-type-decl nil booleans nil)
    (bool nonempty-type-eq-decl nil booleans nil)
    (NOT const-decl "[bool -> bool]" booleans nil)
    (number nonempty-type-decl nil numbers nil)
    (number_field_pred const-decl "[number -> boolean]" number_fields
     nil)
    (number_field nonempty-type-from-decl nil number_fields nil)
    (real_pred const-decl "[number_field -> boolean]" reals nil)
    (real nonempty-type-from-decl nil reals nil)
    (rational_pred const-decl "[real -> boolean]" rationals nil)
    (rational nonempty-type-from-decl nil rationals nil)
    (integer_pred const-decl "[rational -> boolean]" integers nil)
    (int nonempty-type-eq-decl nil integers nil)
    (real_lt_is_strict_total_order name-judgement
     "(strict_total_order?[real])" real_props nil)
    (real_le_is_total_order name-judgement "(total_order?[real])"
     real_props nil)
    (real_ge_is_total_order name-judgement "(total_order?[real])"
     real_props nil)
    (/= const-decl "boolean" notequal nil))
   nil))
 (power_sum 0 (power_sum-1 nil 3552165759 ("" (grind)) nil shostak))
 (power_mult_TCC1 0
  (power_mult_TCC1-1 nil 3552165738 ("" (subtype-tcc) nil nil)
   ((boolean nonempty-type-decl nil booleans nil)
    (bool nonempty-type-eq-decl nil booleans nil)
    (NOT const-decl "[bool -> bool]" booleans nil)
    (number nonempty-type-decl nil numbers nil)
    (number_field_pred const-decl "[number -> boolean]" number_fields
     nil)
    (number_field nonempty-type-from-decl nil number_fields nil)
    (real_pred const-decl "[number_field -> boolean]" reals nil)
    (real nonempty-type-from-decl nil reals nil)
    (rational_pred const-decl "[real -> boolean]" rationals nil)
    (rational nonempty-type-from-decl nil rationals nil)
    (integer_pred const-decl "[rational -> boolean]" integers nil)
    (int nonempty-type-eq-decl nil integers nil)
    (real_lt_is_strict_total_order name-judgement
     "(strict_total_order?[real])" real_props nil)
    (mult_divides1 application-judgement "(divides(n))" divides nil)
    (mult_divides2 application-judgement "(divides(m))" divides nil)
    (real_le_is_total_order name-judgement "(total_order?[real])"
     real_props nil)
    (real_ge_is_total_order name-judgement "(total_order?[real])"
     real_props nil)
    (/= const-decl "boolean" notequal nil))
   nil))
 (power_mult_TCC2 0
  (power_mult_TCC2-1 nil 3552165738 ("" (subtype-tcc) nil nil)
   ((boolean nonempty-type-decl nil booleans nil)
    (bool nonempty-type-eq-decl nil booleans nil)
    (NOT const-decl "[bool -> bool]" booleans nil)
    (number nonempty-type-decl nil numbers nil)
    (number_field_pred const-decl "[number -> boolean]" number_fields
     nil)
    (number_field nonempty-type-from-decl nil number_fields nil)
    (real_pred const-decl "[number_field -> boolean]" reals nil)
    (real nonempty-type-from-decl nil reals nil)
    (rational_pred const-decl "[real -> boolean]" rationals nil)
    (rational nonempty-type-from-decl nil rationals nil)
    (integer_pred const-decl "[rational -> boolean]" integers nil)
    (int nonempty-type-eq-decl nil integers nil)
    (real_le_is_total_order name-judgement "(total_order?[real])"
     real_props nil)
    (real_ge_is_total_order name-judgement "(total_order?[real])"
     real_props nil)
    (/= const-decl "boolean" notequal nil))
   nil))
 (power_mult 0
  (power_mult-1 nil 3552165759
   ("" (auto-rewrite-theory "real_props")
    (("" (grind)
      (("" (auto-rewrite-theory "exponentiation")
        (("" (use "expt_times_aux")
          (("" (replace -1)
            (("" (expand "expt") (("" (grind) nil nil)) nil)) nil))
          nil))
        nil))
      nil))
    nil)
   ((neg_times_lt formula-decl nil real_props nil)
    (pos_times_ge formula-decl nil real_props nil)
    (/= const-decl "boolean" notequal nil)
    (zero_times3 formula-decl nil real_props nil)
    (^ const-decl "real" exponentiation nil)
    (expt def-decl "real" exponentiation nil)
    (mult_divides1 application-judgement "(divides(n))" divides nil)
    (mult_divides2 application-judgement "(divides(m))" divides nil)
    (minus_int_is_int application-judgement "int" integers nil)
    (int nonempty-type-eq-decl nil integers nil)
    (integer_pred const-decl "[rational -> boolean]" integers nil)
    (rational nonempty-type-from-decl nil rationals nil)
    (rational_pred const-decl "[real -> boolean]" rationals nil)
    (real nonempty-type-from-decl nil reals nil)
    (real_pred const-decl "[number_field -> boolean]" reals nil)
    (number_field nonempty-type-from-decl nil number_fields nil)
    (number_field_pred const-decl "[number -> boolean]" number_fields
     nil)
    (number nonempty-type-decl nil numbers nil)
    (NOT const-decl "[bool -> bool]" booleans nil)
    (bool nonempty-type-eq-decl nil booleans nil)
    (boolean nonempty-type-decl nil booleans nil)
    (real_le_is_total_order name-judgement "(total_order?[real])"
     real_props nil)
    (real_lt_is_strict_total_order name-judgement
     "(strict_total_order?[real])" real_props nil)
    (real_ge_is_total_order name-judgement "(total_order?[real])"
     real_props nil)
    (expt_times_aux formula-decl nil exponentiation nil)
    (x!1 skolem-const-decl "real" PowerInt nil)
    (= const-decl "[T, T -> boolean]" equalities nil)
    (>= const-decl "bool" reals nil)
    (nat nonempty-type-eq-decl nil naturalnumbers nil)
    (nzreal nonempty-type-eq-decl nil reals nil)
    (zero_le_zero formula-decl nil real_props nil)
    (expt_1n_aux formula-decl nil exponentiation nil)
    (expt_minus_aux formula-decl nil exponentiation nil)
    (int_minus_int_is_int application-judgement "int" integers nil)
    (posnat_expt application-judgement "posnat" exponentiation nil)
    (nat_expt application-judgement "nat" exponentiation nil)
    (zero_times1 formula-decl nil real_props nil)
    (nnint_times_nnint_is_nnint application-judgement "nonneg_int"
     integers nil)
    (even_times_int_is_even application-judgement "even_int" integers
     nil))
   shostak))
 (power_mult2_TCC1 0
  (power_mult2_TCC1-1 nil 3575890745 ("" (subtype-tcc) nil nil)
   ((boolean nonempty-type-decl nil booleans nil)
    (bool nonempty-type-eq-decl nil booleans nil)
    (NOT const-decl "[bool -> bool]" booleans nil)
    (number nonempty-type-decl nil numbers nil)
    (number_field_pred const-decl "[number -> boolean]" number_fields
     nil)
    (number_field nonempty-type-from-decl nil number_fields nil)
    (real_pred const-decl "[number_field -> boolean]" reals nil)
    (real nonempty-type-from-decl nil reals nil)
    (rational_pred const-decl "[real -> boolean]" rationals nil)
    (rational nonempty-type-from-decl nil rationals nil)
    (integer_pred const-decl "[rational -> boolean]" integers nil)
    (int nonempty-type-eq-decl nil integers nil)
    (real_lt_is_strict_total_order name-judgement
     "(strict_total_order?[real])" real_props nil)
    (real_le_is_total_order name-judgement "(total_order?[real])"
     real_props nil)
    (real_times_real_is_real application-judgement "real" reals nil)
    (real_ge_is_total_order name-judgement "(total_order?[real])"
     real_props nil)
    (/= const-decl "boolean" notequal nil))
   nil)))

why3-1.6.0/lib/pvs/real/PowerInt.pvs000066400000000000000000000024741440160026300172150ustar00rootroot00000000000000PowerInt: THEORY
 BEGIN
  IMPORTING int@Int
  IMPORTING Real
  % do not edit above this line
  
  % Why3 infix_sldt
  infix_sldt(x:real, y:real): real = Real.infix_sl(x, y)
  
  % Why3 inv
  inv(x:real): real = Real.inv(x)
  
  power_total(x: int) : real
  
  % Why3 power
  power(x:real,
    x1:int): MACRO real =  IF x = 0 AND x1 < 0 THEN power_total(x1) ELSE x^x1 ENDIF
  
  % Why3 power_0
  power_0: LEMMA FORALL (x:real): (power(x, 0) = 1)
  
  % Why3 power_s
  power_s: LEMMA FORALL (x:real, n:int): (n >= 0) => (power(x,
    (n + 1)) = (x * power(x, n)))
  
  % Why3 power_s_alt
  power_s_alt: LEMMA FORALL (x:real, n:int): (n >  0) => (power(x,
    n) = (x * power(x, (n - 1))))
  
  % Why3 power_1
  power_1: LEMMA FORALL (x:real): (power(x, 1) = x)
  
  % Why3 power_sum
  power_sum: LEMMA FORALL (x:real, n:int, m:int): (0 <= n) => ((0 <= m) =>
    (power(x, (n + m)) = (power(x, n) * power(x, m))))
  
  % Why3 power_mult
  power_mult: LEMMA FORALL (x:real, n:int, m:int): (0 <= n) => ((0 <= m) =>
    (power(x, (n * m)) = power(power(x, n), m)))
  
  % Why3 power_mult2
  power_mult2: LEMMA FORALL (x:real, y:real, n:int): (0 <= n) =>
    (power((x * y), n) = (power(x, n) * power(y, n)))
  
  % Why3 pow_ge_one
  pow_ge_one: LEMMA FORALL (x:real, n:int): ((0 <= n) AND (1 <= x)) =>
    (1 <= power(x, n))
  
  
 END PowerInt
 why3-1.6.0/lib/pvs/real/Real.prf000066400000000000000000000022251440160026300163020ustar00rootroot00000000000000(Real
 (add_div 0
  (add_div-1 nil 3551212368 ("" (default-strategy))
   ((infix_sl const-decl "real" Real nil)
    (/= const-decl "boolean" notequal nil))
   shostak))
 (sub_div 0
  (sub_div-1 nil 3551212368 ("" (default-strategy))
   ((infix_sl const-decl "real" Real nil)
    (/= const-decl "boolean" notequal nil))
   shostak))
 (neg_div 0
  (neg_div-1 nil 3551212369 ("" (default-strategy))
   ((infix_sl const-decl "real" Real nil)
    (/= const-decl "boolean" notequal nil)
    (nzreal_div_nzreal_is_nzreal application-judgement "nzreal"
     real_types nil)
    (minus_real_is_real application-judgement "real" reals nil)
    (real_times_real_is_real application-judgement "real" reals nil)
    (real nonempty-type-from-decl nil reals nil)
    (real_pred const-decl "[number_field -> boolean]" reals nil)
    (number_field nonempty-type-from-decl nil number_fields nil)
    (number_field_pred const-decl "[number -> boolean]" number_fields
     nil)
    (number nonempty-type-decl nil numbers nil)
    (NOT const-decl "[bool -> bool]" booleans nil)
    (bool nonempty-type-eq-decl nil booleans nil)
    (boolean nonempty-type-decl nil booleans nil))
   shostak)))

why3-1.6.0/lib/pvs/real/Real.pvs000066400000000000000000000063331440160026300163270ustar00rootroot00000000000000Real: THEORY
 BEGIN
  % do not edit above this line
  
  % Why3 inv
  inv(x:real): MACRO real = IF x /= 0 THEN 1/x ELSE 0 ENDIF  % make it total using 0
  
  % Why3 infix_sl
  infix_sl(x:real, y:real): real = (x * inv(y))
  
  % Why3 add_div
  add_div: LEMMA FORALL (x:real, y:real, z:real): (NOT (z = 0)) =>
    (infix_sl((x + y), z) = (infix_sl(x, z) + infix_sl(y, z)))
  
  % Why3 sub_div
  sub_div: LEMMA FORALL (x:real, y:real, z:real): (NOT (z = 0)) =>
    (infix_sl((x - y), z) = (infix_sl(x, z) - infix_sl(y, z)))
  
  % Why3 neg_div
  neg_div: LEMMA FORALL (x:real, y:real): (NOT (y = 0)) => (infix_sl((-x),
    y) = (-infix_sl(x, y)))
  
  % Obsolete chunk unit_def
  % unit_def: LEMMA FORALL (x:real): (infix_pl(x, zero) = x)
  
  % Obsolete chunk assoc
  % assoc: LEMMA FORALL (x:real, y:real, z:real): (infix_pl(infix_pl(x, y),
  %   z) = infix_pl(x, infix_pl(y, z)))
  
  % Obsolete chunk inv_def
  % inv_def: LEMMA FORALL (x:real): (infix_pl(x, prefix_mn(x)) = zero)
  
  % Obsolete chunk comm
  % comm: LEMMA FORALL (x:real, y:real): (infix_pl(x, y) = infix_pl(y, x))
  
  % Obsolete chunk assoc1
  % assoc1: LEMMA FORALL (x:real, y:real, z:real): (infix_as(infix_as(x, y),
  %   z) = infix_as(x, infix_as(y, z)))
  
  % Obsolete chunk mul_distr
  % mul_distr: LEMMA FORALL (x:real, y:real, z:real): (infix_as(x, infix_pl(y,
  %   z)) = infix_pl(infix_as(x, y), infix_as(x, z)))
  
  % Obsolete chunk comm1
  % comm1: LEMMA FORALL (x:real, y:real): (infix_as(x, y) = infix_as(y, x))
  
  % Obsolete chunk unitary
  % unitary: LEMMA FORALL (x:real): (infix_as(one, x) = x)
  
  % Obsolete chunk nontrivialring
  % nontrivialring: LEMMA NOT (zero = one)
  
  % Obsolete chunk inverse
  % inverse: LEMMA FORALL (x:real): (NOT (x = zero)) => (infix_as(x,
  %   inv(x)) = one)
  
  % Obsolete chunk assoc_mul_div
  % assoc_mul_div: LEMMA FORALL (x:real, y:real, z:real): (NOT (z = zero)) =>
  %   (infix_sl(infix_as(x, y), z) = infix_as(x, infix_sl(y, z)))
  
  % Obsolete chunk assoc_div_mul
  % assoc_div_mul: LEMMA FORALL (x:real, y:real, z:real): ((NOT (y = zero)) AND
  %   NOT (z = zero)) => (infix_sl(infix_sl(x, y), z) = infix_sl(x, infix_as(y,
  %   z)))
  
  % Obsolete chunk assoc_div_div
  % assoc_div_div: LEMMA FORALL (x:real, y:real, z:real): ((NOT (y = zero)) AND
  %   NOT (z = zero)) => (infix_sl(x, infix_sl(y, z)) = infix_sl(infix_as(x,
  %   z), y))
  
  % Obsolete chunk refl
  % refl: LEMMA FORALL (x:real): infix_lseq(x, x)
  
  % Obsolete chunk trans
  % trans: LEMMA FORALL (x:real, y:real, z:real): infix_lseq(x, y) =>
  %   (infix_lseq(y, z) => infix_lseq(x, z))
  
  % Obsolete chunk antisymm
  % antisymm: LEMMA FORALL (x:real, y:real): infix_lseq(x, y) => (infix_lseq(y,
  %   x) => (x = y))
  
  % Obsolete chunk total
  % total: LEMMA FORALL (x:real, y:real): infix_lseq(x, y) OR infix_lseq(y, x)
  
  % Obsolete chunk zerolessone
  % zerolessone: LEMMA infix_lseq(zero, one)
  
  % Obsolete chunk compatorderadd
  % compatorderadd: LEMMA FORALL (x:real, y:real, z:real): infix_lseq(x, y) =>
  %   infix_lseq(infix_pl(x, z), infix_pl(y, z))
  
  % Obsolete chunk compatordermult
  % compatordermult: LEMMA FORALL (x:real, y:real, z:real): infix_lseq(x, y) =>
  %   (infix_lseq(zero, z) => infix_lseq(infix_as(x, z), infix_as(y, z)))
  
 END Real
 why3-1.6.0/lib/pvs/real/Square.prf000066400000000000000000000044461440160026300166660ustar00rootroot00000000000000(Square
 (sqrt_positive 0
  (sqrt_positive-1 nil 3552163066 ("" (default-strategy))
   ((real_ge_is_total_order name-judgement "(total_order?[real])"
     real_props nil)
    (real nonempty-type-from-decl nil reals nil)
    (real_pred const-decl "[number_field -> boolean]" reals nil)
    (number_field nonempty-type-from-decl nil number_fields nil)
    (number_field_pred const-decl "[number -> boolean]" number_fields
     nil)
    (number nonempty-type-decl nil numbers nil)
    (NOT const-decl "[bool -> bool]" booleans nil)
    (bool nonempty-type-eq-decl nil booleans nil)
    (boolean nonempty-type-decl nil booleans nil))
   shostak))
 (sqrt_square 0
  (sqrt_square-1 nil 3552163066 ("" (default-strategy))
   ((sqr const-decl "real" Square nil)
    (real_ge_is_total_order name-judgement "(total_order?[real])"
     real_props nil)
    (nnreal_times_nnreal_is_nnreal application-judgement "nnreal"
     real_types nil)
    (real nonempty-type-from-decl nil reals nil)
    (real_pred const-decl "[number_field -> boolean]" reals nil)
    (number_field nonempty-type-from-decl nil number_fields nil)
    (number_field_pred const-decl "[number -> boolean]" number_fields
     nil)
    (number nonempty-type-decl nil numbers nil)
    (NOT const-decl "[bool -> bool]" booleans nil)
    (bool nonempty-type-eq-decl nil booleans nil)
    (boolean nonempty-type-decl nil booleans nil))
   shostak))
 (square_sqrt 0
  (square_sqrt-1 nil 3552163066 ("" (default-strategy))
   ((real_ge_is_total_order name-judgement "(total_order?[real])"
     real_props nil)
    (real_times_real_is_real application-judgement "real" reals nil)
    (sqrt_square formula-decl nil sqrt "reals/")
    (real nonempty-type-from-decl nil reals nil)
    (real_pred const-decl "[number_field -> boolean]" reals nil)
    (number_field nonempty-type-from-decl nil number_fields nil)
    (number_field_pred const-decl "[number -> boolean]" number_fields
     nil)
    (number nonempty-type-decl nil numbers nil)
    (NOT const-decl "[bool -> bool]" booleans nil)
    (bool nonempty-type-eq-decl nil booleans nil)
    (boolean nonempty-type-decl nil booleans nil))
   shostak))
 (sqrt_mul 0
  (sqrt_mul-1 nil 3552163067
   ("" (default-strategy) (("" (postpone) nil nil)) nil) nil shostak))
 (sqrt_le 0
  (sqrt_le-1 nil 3552163067 ("" (default-strategy)) nil shostak)))

why3-1.6.0/lib/pvs/real/Square.pvs000066400000000000000000000014551440160026300167040ustar00rootroot00000000000000Square: THEORY
 BEGIN
  IMPORTING Real
  % do not edit above this line
  
  IMPORTING reals@sqrt
  
  % Why3 sqr
  sqr(x:real): real = (x * x)
  
  sqrt_total(x:real): real
  
  % Why3 sqrt
  sqrt(x:real): MACRO real = IF x >= 0 THEN sqrt(x) ELSE sqrt_total(x) ENDIF
  
  % Why3 sqrt_positive
  sqrt_positive: LEMMA FORALL (x:real): (x >= 0) => (sqrt(x) >= 0)
  
  % Why3 sqrt_square
  sqrt_square: LEMMA FORALL (x:real): (x >= 0) => (sqr(sqrt(x)) = x)
  
  % Why3 square_sqrt
  square_sqrt: LEMMA FORALL (x:real): (x >= 0) => (sqrt((x * x)) = x)
  
  % Why3 sqrt_mul
  sqrt_mul: LEMMA FORALL (x:real, y:real): ((x >= 0) AND (y >= 0)) =>
    (sqrt((x * y)) = (sqrt(x) * sqrt(y)))
  
  % Why3 sqrt_le
  sqrt_le: LEMMA FORALL (x:real, y:real): ((0 <= x) AND (x <= y)) =>
    (sqrt(x) <= sqrt(y))
  
  
 END Square
 why3-1.6.0/lib/pvs/real/Trigonometry.prf000066400000000000000000000061751440160026300201310ustar00rootroot00000000000000(Trigonometry
 (pythagorean_identity 0
  (pythagorean_identity-1 nil 3552164504 ("" (default-strategy)) nil
   shostak))
 (cos_le_one 0
  (cos_le_one-1 nil 3552164504 ("" (default-strategy))
   ((abs const-decl "{n: nonneg_real | n >= m AND n >= -m}" real_defs
         nil)
    (real_le_is_total_order name-judgement "(total_order?[real])"
     real_props nil)
    (minus_real_is_real application-judgement "real" reals nil)
    (real_lt_is_strict_total_order name-judgement
     "(strict_total_order?[real])" real_props nil)
    (cos_range application-judgement "trig_range" trig_basic "trig/")
    (real nonempty-type-from-decl nil reals nil)
    (real_pred const-decl "[number_field -> boolean]" reals nil)
    (number_field nonempty-type-from-decl nil number_fields nil)
    (number_field_pred const-decl "[number -> boolean]" number_fields
     nil)
    (number nonempty-type-decl nil numbers nil)
    (NOT const-decl "[bool -> bool]" booleans nil)
    (boolean nonempty-type-decl nil booleans nil))
   shostak))
 (sin_le_one 0
  (sin_le_one-1 nil 3552164505 ("" (default-strategy))
   ((abs const-decl "{n: nonneg_real | n >= m AND n >= -m}" real_defs
         nil)
    (real_le_is_total_order name-judgement "(total_order?[real])"
     real_props nil)
    (minus_real_is_real application-judgement "real" reals nil)
    (real_lt_is_strict_total_order name-judgement
     "(strict_total_order?[real])" real_props nil)
    (sin_range application-judgement "trig_range" trig_basic "trig/")
    (real nonempty-type-from-decl nil reals nil)
    (real_pred const-decl "[number_field -> boolean]" reals nil)
    (number_field nonempty-type-from-decl nil number_fields nil)
    (number_field_pred const-decl "[number -> boolean]" number_fields
     nil)
    (number nonempty-type-decl nil numbers nil)
    (NOT const-decl "[bool -> bool]" booleans nil)
    (boolean nonempty-type-decl nil booleans nil))
   shostak))
 (cos_0 0 (cos_0-1 nil 3552164505 ("" (default-strategy)) nil shostak))
 (sin_0 0 (sin_0-1 nil 3552164505 ("" (default-strategy)) nil shostak))
 (pi_interval 0
  (pi_interval-1 nil 3552164505 ("" (default-strategy)) nil shostak))
 (cos_pi 0
  (cos_pi-1 nil 3552164505 ("" (default-strategy)) nil shostak))
 (sin_pi 0
  (sin_pi-1 nil 3552164505 ("" (default-strategy)) nil shostak))
 (cos_pi2 0
  (cos_pi2-1 nil 3552164505 ("" (default-strategy)) nil shostak))
 (sin_pi2 0
  (sin_pi2-1 nil 3552164505 ("" (default-strategy)) nil shostak))
 (cos_plus_pi 0
  (cos_plus_pi-1 nil 3552164505 ("" (default-strategy)) nil shostak))
 (sin_plus_pi 0
  (sin_plus_pi-1 nil 3552164505 ("" (default-strategy)) nil shostak))
 (cos_plus_pi2 0
  (cos_plus_pi2-1 nil 3552164505 ("" (default-strategy)) nil shostak))
 (sin_plus_pi2 0
  (sin_plus_pi2-1 nil 3552164506 ("" (default-strategy)) nil shostak))
 (cos_neg 0
  (cos_neg-1 nil 3552164506 ("" (default-strategy)) nil shostak))
 (sin_neg 0
  (sin_neg-1 nil 3552164506 ("" (default-strategy)) nil shostak))
 (cos_sum 0
  (cos_sum-1 nil 3552164506 ("" (default-strategy)) nil shostak))
 (sin_sum 0
  (sin_sum-1 nil 3552164506 ("" (default-strategy)) nil shostak))
 (tan_atan 0
  (tan_atan-1 nil 3552164506 ("" (default-strategy)) nil shostak)))

why3-1.6.0/lib/pvs/real/Trigonometry.pvs000066400000000000000000000053751440160026300201530ustar00rootroot00000000000000Trigonometry: THEORY
 BEGIN
  IMPORTING Real
  IMPORTING Abs
  IMPORTING Square
  % do not edit above this line
  
  IMPORTING trig@trig_basic
  
  % Why3 cos
  cos(x:real): MACRO real = cos(x)
  
  % Why3 sin
  sin(x:real): MACRO real = sin(x)
  
  % Why3 pythagorean_identity
  pythagorean_identity: LEMMA FORALL (x:real):
    ((Square.sqr(cos(x)) + Square.sqr(sin(x))) = 1)
  
  % Why3 cos_le_one
  cos_le_one: LEMMA FORALL (x:real): (abs(cos(x)) <= 1)
  
  % Why3 sin_le_one
  sin_le_one: LEMMA FORALL (x:real): (abs(sin(x)) <= 1)
  
  % Why3 cos_0
  cos_0: LEMMA (cos(0) = 1)
  
  % Why3 sin_0
  sin_0: LEMMA (sin(0) = 0)
  
  % Why3 pi
  pi: MACRO real = pi
  
  % Why3 pi_interval
  pi_interval: LEMMA ((314159265358979323846264338327950288419716939937510582097494459230781640628620899862803482534211706798214808651328230664709384460955058223172535940812848111745028410270193852110555964462294895493038196 / 100000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000) <  pi) AND
    (pi <  (314159265358979323846264338327950288419716939937510582097494459230781640628620899862803482534211706798214808651328230664709384460955058223172535940812848111745028410270193852110555964462294895493038197 / 100000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000))
  
  % Why3 cos_pi
  cos_pi: LEMMA (cos(pi) = (-1))
  
  % Why3 sin_pi
  sin_pi: LEMMA (sin(pi) = 0)
  
  % Why3 cos_pi2
  cos_pi2: LEMMA (cos(((05 / 10) * pi)) = 0)
  
  % Why3 sin_pi2
  sin_pi2: LEMMA (sin(((05 / 10) * pi)) = 1)
  
  % Why3 cos_plus_pi
  cos_plus_pi: LEMMA FORALL (x:real): (cos((x + pi)) = (-cos(x)))
  
  % Why3 sin_plus_pi
  sin_plus_pi: LEMMA FORALL (x:real): (sin((x + pi)) = (-sin(x)))
  
  % Why3 cos_plus_pi2
  cos_plus_pi2: LEMMA FORALL (x:real):
    (cos((x + ((05 / 10) * pi))) = (-sin(x)))
  
  % Why3 sin_plus_pi2
  sin_plus_pi2: LEMMA FORALL (x:real): (sin((x + ((05 / 10) * pi))) = cos(x))
  
  % Why3 cos_neg
  cos_neg: LEMMA FORALL (x:real): (cos((-x)) = cos(x))
  
  % Why3 sin_neg
  sin_neg: LEMMA FORALL (x:real): (sin((-x)) = (-sin(x)))
  
  % Why3 cos_sum
  cos_sum: LEMMA FORALL (x:real, y:real):
    (cos((x + y)) = ((cos(x) * cos(y)) - (sin(x) * sin(y))))
  
  % Why3 sin_sum
  sin_sum: LEMMA FORALL (x:real, y:real):
    (sin((x + y)) = ((sin(x) * cos(y)) + (cos(x) * sin(y))))
  
  % Why3 tan
  tan(x:real): real = Real.infix_sl(sin(x), cos(x))
  
  IMPORTING trig@atan
  
  % Why3 atan
  atan(x:real): real = atan(x)
  
  % Why3 tan_atan
  tan_atan: LEMMA FORALL (x:real): (tan(atan(x)) = x)
  
  
 END Trigonometry
 why3-1.6.0/lib/pvs/version.in000066400000000000000000000000151440160026300157730ustar00rootroot00000000000000@PVSVERSION@
why3-1.6.0/lib/why3-call-pvs000077500000000000000000000002301440160026300155040ustar00rootroot00000000000000#!/bin/sh

if test -z "$PVS_LIBRARY_PATH"; then
    export PVS_LIBRARY_PATH=$1
else
    export PVS_LIBRARY_PATH=$1:$PVS_LIBRARY_PATH
fi
shift
exec "$@"
why3-1.6.0/lib/why3/000077500000000000000000000000001440160026300140445ustar00rootroot00000000000000why3-1.6.0/lib/why3/META.in000066400000000000000000000003401440160026300151170ustar00rootroot00000000000000description = "Why3 library"
version = "@VERSION@"
archive(byte) = "why3.cma"
archive(native) = "why3.cmxa"
plugin(native) = "why3.cmxs"
requires = "menhirLib @RELIB@ unix num dynlink @ZIPLIB@ @MLMPFR@ @INFERPKG@ @SEXPLIB@"
why3-1.6.0/lib/why3/why3.ml000066400000000000000000000000721440160026300152670ustar00rootroot00000000000000(* This file is a stub for ocamldep. Do not delete it. *)
why3-1.6.0/plugins/000077500000000000000000000000001440160026300140655ustar00rootroot00000000000000why3-1.6.0/plugins/cfg/000077500000000000000000000000001440160026300146245ustar00rootroot00000000000000why3-1.6.0/plugins/cfg/cfg_ast.mli000066400000000000000000000040701440160026300167360ustar00rootroot00000000000000(********************************************************************)
(*                                                                  *)
(*  The Why3 Verification Platform   /   The Why3 Development Team  *)
(*  Copyright 2010-2023 --  Inria - CNRS - Paris-Saclay University  *)
(*                                                                  *)
(*  This software is distributed under the terms of the GNU Lesser  *)
(*  General Public License version 2.1, with the special exception  *)
(*  on linking described in file LICENSE.                           *)
(*                                                                  *)
(********************************************************************)

open Why3

type ident = Ptree.ident

type label = Ptree.ident

type cfg_instr = {
    cfg_instr_desc : cfg_instr_desc;
    cfg_instr_loc  : Loc.position;
  }

and cfg_term = {
    cfg_term_desc : cfg_term_desc;
    cfg_term_loc : Loc.position;
  }

and cfg_instr_desc =
  | CFGinvariant of (ident * Ptree.term) list
  (** named invariants *)
  | CFGexpr of Ptree.expr
  (** any other regular WhyML expressions *)

and cfg_term_desc =
  | CFGgoto of label
  (** goto a label "goto L" *)
  | CFGswitch of Ptree.expr * switch_branch list
  (** pattern-matching *)
  | CFGreturn of Ptree.expr
  (** return from a cfg *)
  | CFGabsurd
  (** unreachable *)

and switch_branch = Ptree.pattern * cfg_term
(** pattern -> regular WhyML expression ; goto ident *)

and block = (cfg_instr list * cfg_term)

type cfg_fundef =
  { cf_name: ident;
    cf_args: Ptree.binder list;
    cf_retty: Ptree.pty;
    cf_mask: Ity.mask;
    cf_pat: Ptree.pattern;
    cf_spec: Ptree.spec;
    cf_attrs: Ptree.attr list;
    cf_locals: (bool * ident * Ptree.pty * Ptree.expr option) list;
    cf_block0: block;
    cf_blocks: (label * block) list;
  }

type cfg_decl =
  | Dmlw_decl of Ptree.decl
  | Dletcfg of cfg_fundef
  | Dreccfg of cfg_fundef list
  | Dscope of Loc.position * bool * ident * cfg_decl list

type cfg_file = (ident * cfg_decl list) list
  (** a list of modules containing lists of declarations *)
why3-1.6.0/plugins/cfg/cfg_lexer.mli000066400000000000000000000014041440160026300172640ustar00rootroot00000000000000(********************************************************************)
(*                                                                  *)
(*  The Why3 Verification Platform   /   The Why3 Development Team  *)
(*  Copyright 2010-2023 --  Inria - CNRS - Paris-Saclay University  *)
(*                                                                  *)
(*  This software is distributed under the terms of the GNU Lesser  *)
(*  General Public License version 2.1, with the special exception  *)
(*  on linking described in file LICENSE.                           *)
(*                                                                  *)
(********************************************************************)

val parse_channel : string -> in_channel -> Cfg_ast.cfg_file
why3-1.6.0/plugins/cfg/cfg_lexer.mll000066400000000000000000000202101440160026300172630ustar00rootroot00000000000000(********************************************************************)
(*                                                                  *)
(*  The Why3 Verification Platform   /   The Why3 Development Team  *)
(*  Copyright 2010-2023 --  Inria - CNRS - Paris-Saclay University  *)
(*                                                                  *)
(*  This software is distributed under the terms of the GNU Lesser  *)
(*  General Public License version 2.1, with the special exception  *)
(*  on linking described in file LICENSE.                           *)
(*                                                                  *)
(********************************************************************)

(* This is a copy of [src/parser/lexer.mll], with the following minor changes:

* [open Parser_tokens] -> [open Cfg_parser]

* addition of keywords:

  [
    "cfg", CFG;
    "goto", GOTO;
  ]

*)

{
  open Why3
  open Cfg_parser

  let keywords = Hashtbl.create 97
  let () =
    List.iter
      (fun (x,y) -> Hashtbl.add keywords x y)
      [
        "cfg", CFG;
        "goto", GOTO;
        "var", VAR;
        "switch", SWITCH;
        "absurd", ABSURD;
        "return", RETURN;
        "abstract", ABSTRACT;
        "alias", ALIAS;
        "any", ANY;
        "as", AS;
        "assert", ASSERT;
        "assume", ASSUME;
        "at", AT;
        "axiom", AXIOM;
        "begin", BEGIN;
        "break", BREAK;
        "by", BY;
        "check", CHECK;
        "clone", CLONE;
        "coinductive", COINDUCTIVE;
        "constant", CONSTANT;
        "continue", CONTINUE;
        "diverges", DIVERGES;
        "do", DO;
        "done", DONE;
        "downto", DOWNTO;
        "else", ELSE;
        "end", END;
        "ensures", ENSURES;
        "epsilon", EPSILON;
        "exception", EXCEPTION;
        "exists", EXISTS;
        "export", EXPORT;
        "false", FALSE;
        "float", FLOAT; (* contextual *)
        "for", FOR;
        "forall", FORALL;
        "fun", FUN;
        "function", FUNCTION;
        "ghost", GHOST;
        "goal", GOAL;
        "if", IF;
        "import", IMPORT;
        "in", IN;
        "inductive", INDUCTIVE;
        "invariant", INVARIANT;
        "label", LABEL;
        "lemma", LEMMA;
        "let", LET;
        "match", MATCH;
        "meta", META;
        "module", MODULE;
        "mutable", MUTABLE;
        "not", NOT;
        "old", OLD;
        "partial", PARTIAL;
        "predicate", PREDICATE;
        "private", PRIVATE;
        "pure", PURE;
        "raise", RAISE;
        "raises", RAISES;
        "range", RANGE; (* contextual *)
        "reads", READS;
        "rec", REC;
        "ref", REF; (* contextual *)
        "requires", REQUIRES;
        "returns", RETURNS;
        "scope", SCOPE;
        "so", SO;
        "then", THEN;
        "theory", THEORY;
        "to", TO;
        "true", TRUE;
        "try", TRY;
        "type", TYPE;
        "use", USE;
        "val", VAL;
        "variant", VARIANT;
        "while", WHILE;
        "with", WITH;
        "writes", WRITES;
      ]
}

let space = [' ' '\t' '\r']
let quote = '\''

let bin     = ['0' '1']
let oct     = ['0'-'7']
let dec     = ['0'-'9']
let hex     = ['0'-'9' 'a'-'f' 'A'-'F']

let bin_sep = ['0' '1' '_']
let oct_sep = ['0'-'7' '_']
let dec_sep = ['0'-'9' '_']
let hex_sep = ['0'-'9' 'a'-'f' 'A'-'F' '_']

let lalpha = ['a'-'z']
let ualpha = ['A'-'Z']
let alpha  = ['a'-'z' 'A'-'Z']

let suffix = (alpha | quote* dec_sep)* quote*
let lident = ['a'-'z' '_'] suffix
let uident = ['A'-'Z'] suffix

let core_suffix = quote alpha suffix
let core_lident = lident core_suffix+
let core_uident = uident core_suffix+

let op_char_1 = ['=' '<' '>' '~']
let op_char_2 = ['+' '-']
let op_char_3 = ['*' '/' '\\' '%']
let op_char_4 = ['!' '$' '&' '?' '@' '^' '.' ':' '|' '#']
let op_char_34 = op_char_3 | op_char_4
let op_char_234 = op_char_2 | op_char_34
let op_char_1234 = op_char_1 | op_char_234

let op_char_pref = ['!' '?']

rule token = parse
  | "[##" space* ("\"" ([^ '\010' '\013' '"' ]* as file) "\"")?
    space* (dec+ as line) space* (dec+ as char) space* "]"
      { Lexlib.update_loc lexbuf file (int_of_string line) (int_of_string char);
        token lexbuf }
  | "[#" space* "\"" ([^ '\010' '\013' '"' ]* as file) "\"" space*
    (dec+ as bline) space* (dec+ as bchar) space*
    (dec+ as eline) space* (dec+ as echar) space* "]"
      { POSITION (Loc.user_position file
                    (int_of_string bline) (int_of_string bchar)
                    (int_of_string eline) (int_of_string echar)) }
  | "[@" space* ([^ ' ' '\n' ']']+ (' '+ [^ ' ' '\n' ']']+)* as lbl) space* ']'
      { ATTRIBUTE lbl }
  | '\n'
      { Lexing.new_line lexbuf; token lexbuf }
  | space+
      { token lexbuf }
  | '_'
      { UNDERSCORE }
  | lident as id
      { try Hashtbl.find keywords id with Not_found -> LIDENT id }
  | core_lident as id
      { CORE_LIDENT id }
  | uident as id
      { UIDENT id }
  | core_uident as id
      { CORE_UIDENT id }
  | dec dec_sep* as s
      { INTEGER Number.(int_literal ILitDec ~neg:false (Lexlib.remove_underscores s)) }
  | '0' ['x' 'X'] (hex hex_sep* as s)
      { INTEGER Number.(int_literal ILitHex ~neg:false (Lexlib.remove_underscores s)) }
  | '0' ['o' 'O'] (oct oct_sep* as s)
      { INTEGER Number.(int_literal ILitOct ~neg:false (Lexlib.remove_underscores s)) }
  | '0' ['b' 'B'] (bin bin_sep* as s)
      { INTEGER Number.(int_literal ILitBin ~neg:false (Lexlib.remove_underscores s)) }
  | (dec+ as i) ".."
      { Lexlib.backjump lexbuf 2; INTEGER Number.(int_literal ILitDec ~neg:false i) }
  | '0' ['x' 'X'] (hex+ as i) ".."
      { Lexlib.backjump lexbuf 2; INTEGER Number.(int_literal ILitHex ~neg:false i) }
  | (dec+ as i)     ("" as f)    ['e' 'E'] (['-' '+']? dec+ as e)
  | (dec+ as i) '.' (dec* as f) (['e' 'E'] (['-' '+']? dec+ as e))?
  | (dec* as i) '.' (dec+ as f) (['e' 'E'] (['-' '+']? dec+ as e))?
      { REAL (Number.real_literal ~radix:10 ~neg:false ~int:i ~frac:f ~exp:(Opt.map Lexlib.remove_leading_plus e)) }
  | '0' ['x' 'X'] (hex+ as i) ("" as f) ['p' 'P'] (['-' '+']? dec+ as e)
  | '0' ['x' 'X'] (hex+ as i) '.' (hex* as f)
        (['p' 'P'] (['-' '+']? dec+ as e))?
  | '0' ['x' 'X'] (hex* as i) '.' (hex+ as f)
        (['p' 'P'] (['-' '+']? dec+ as e))?
      { REAL (Number.real_literal ~radix:16 ~neg:false ~int:i ~frac:f ~exp:(Opt.map Lexlib.remove_leading_plus e)) }
  | "(*)"
      { Lexlib.backjump lexbuf 2; LEFTPAR }
  | "(*"
      { Lexlib.comment lexbuf; token lexbuf }
  | "'" (lalpha suffix as id)
      { QUOTE_LIDENT id }
  | ","
      { COMMA }
  | "("
      { LEFTPAR }
  | ")"
      { RIGHTPAR }
  | "{"
      { LEFTBRC }
  | "}"
      { RIGHTBRC }
  | ":"
      { COLON }
  | ";"
      { SEMICOLON }
  | "->"
      { ARROW }
  | "->'"
      { Lexlib.backjump lexbuf 1; ARROW }
  | "<-"
      { LARROW }
  | "<->"
      { LRARROW }
  | "&&"
      { AMPAMP }
  | "||"
      { BARBAR }
  | "/\\"
      { AND }
  | "\\/"
      { OR }
  | "."
      { DOT }
  | ".."
      { DOTDOT }
  | "&"
      { AMP }
  | "|"
      { BAR }
  | "<"
      { LT }
  | ">"
      { GT }
  | "<>"
      { LTGT }
  | "="
      { EQUAL }
  | "-"
      { MINUS }
  | "["
      { LEFTSQ }
  | "]"
      { RIGHTSQ }
  | "]" (quote+ as s)
      { RIGHTSQ_QUOTE s }
  | ")" ('\'' alpha suffix core_suffix* as s)
      { RIGHTPAR_QUOTE s }
  | ")" ('_' alpha suffix core_suffix* as s)
      { RIGHTPAR_USCORE s }
  | "[|"
      { LEFTSQBAR }
  | "|]"
      { BARRIGHTSQ }
  | op_char_pref op_char_4* quote* as s
      { OPPREF s }
  | op_char_1234* op_char_1 op_char_1234* quote* as s
      { OP1 s }
  | op_char_234* op_char_2 op_char_234* quote* as s
      { OP2 s }
  | op_char_34* op_char_3 op_char_34* quote* as s
      { OP3 s }
  | op_char_4+ as s
      { OP4 s }
  | "\""
      { STRING (Lexlib.string lexbuf) }
  | eof
      { EOF }
  | _ as c
      { Lexlib.illegal_character c lexbuf }

{

  let () = Exn_printer.register (fun fmt exn -> match exn with
  | Cfg_parser.Error -> Format.pp_print_string fmt "syntax error"
  | _ -> raise exn)

  let parse_channel file c =
    let lb = Lexing.from_channel c in
    Loc.set_file file lb;
    try
      Cfg_parser.cfgfile token lb
    with
      Cfg_parser.Error as e -> raise (Loc.Located (Loc.extract (lb.Lexing.lex_start_p,lb.Lexing.lex_curr_p),e))

}
why3-1.6.0/plugins/cfg/cfg_main.ml000066400000000000000000000116421440160026300167250ustar00rootroot00000000000000(********************************************************************)
(*                                                                  *)
(*  The Why3 Verification Platform   /   The Why3 Development Team  *)
(*  Copyright 2010-2023 --  Inria - CNRS - Paris-Saclay University  *)
(*                                                                  *)
(*  This software is distributed under the terms of the GNU Lesser  *)
(*  General Public License version 2.1, with the special exception  *)
(*  on linking described in file LICENSE.                           *)
(*                                                                  *)
(********************************************************************)

open Cfg_paths
open Cfg_ast
open Why3
open Pmodule
open Ptree

let has_stackify = ref false
let stackify = ref (fun _ -> failwith "stackify not compiled. Install `ocamlgraph` to enable.")

let set_stackify f =
  stackify := f;
  has_stackify := true

let stackify_attr = Ident.create_attribute "cfg:stackify"
let subregion_attr = Ident.create_attribute "cfg:subregion_analysis"

let has_attr id attr =
  List.exists (function ATstr a -> Ident.attr_equal a attr | _ -> false) id.id_ats

let translate_cfg_fundef (cf : cfg_fundef) =
  if has_attr cf.cf_name stackify_attr
  then !stackify cf else Cfg_paths.translate_cfg_fundef cf

let translate_letcfg d =
  let loc = Loc.dummy_position in
  let (id, ghost, rk, args, retty, pat, mask, spec, body) = translate_cfg_fundef d in
  let r =
    Dlet (id, ghost, rk, Ptree_helpers.expr ~loc (Efun (args, retty, pat, mask, spec, body)))
  in
  Debug.dprintf Cfg_paths.debug "%a@." (Mlw_printer.pp_decl ~attr:true) r;
  r

let translate_reccfg ds =
  let translated_fundefs = List.map translate_cfg_fundef ds in
  Drec translated_fundefs

let rec translate_decl d acc =
  match d with
  | Dmlw_decl d -> d :: acc
  | Dletcfg d -> translate_letcfg d :: acc
  | Dreccfg l -> translate_reccfg l :: acc
  | Cfg_ast.Dscope (l, b, i, ds) ->
      Ptree.Dscope (l, b, i, List.fold_right translate_decl ds []) :: acc

let translate (m, dl) = (m, List.fold_right translate_decl dl [])

module Typing = struct
  open Theory
  open Pmodule
  open Typing
  open Unsafe
  open Wstdlib
  open Ident

  let update_any kind e =
    match e.expr_desc with
    | Ptree.Eany (pl, _, pty, pat, msk, sp) ->
        { e with expr_desc = Ptree.Eany (pl, kind, pty, pat, msk, sp) }
    | _ -> e

  let add_decl muc env file d =
    let vc = muc.muc_theory.uc_path = [] && Debug.test_noflag debug_type_only in
    match d with
    | Ptree.Dlet (id, gh, kind, e) ->
        let e = update_any kind e in
        let ld = (create_user_prog_id id, gh, kind, dexpr muc Dexpr.denv_empty e) in
        let ld = Dexpr.let_defn ~keep_loc:true ld in
        let ld =
          if has_attr id subregion_attr then Subregion_analysis.transform_letdefn muc ld else ld
        in
        add_pdecl ~vc muc (Pdecl.create_let_decl ld)
    | Ptree.Drec fdl ->
        let fst = List.hd fdl in
        let (id, _, _ ,_ , _, _, _ , _ , _) = fst in
        let _, rd = drec_defn muc Dexpr.denv_empty fdl in
        let rd = Dexpr.rec_defn ~keep_loc:true rd in
        let rd =
          if has_attr id subregion_attr then Subregion_analysis.transform_letdefn muc rd else rd
        in
        add_pdecl ~vc muc (Pdecl.create_let_decl rd)
    | _ -> add_decl muc env file d

  let type_module file env loc path (id, dl) =
    let muc = create_module env ~path (create_user_id id) in
    (* Technically, `add_pdecl` will do this, but if we don't do it upfront it breaks
         the sub-region analysis (name tbd) as we won't have imported ref. Since mlcfg always
       uses refs, we just import it straight up *)
    let muc = use_export muc ref_module in
    let add_decl_env_file muc d = add_decl muc env file d in
    let muc = List.fold_left add_decl_env_file muc dl in
    let m = Loc.try1 ~loc Pmodule.close_module muc in
    let file = Mstr.add m.mod_theory.th_name.id_string m file in
    file

  let type_mlw_file env path filename mlw_file =
    if Debug.test_flag Glob.flag then Glob.clear filename;
    let file = Mstr.empty in
    let loc = Loc.user_position filename 0 0 0 0 in
    let file =
      match mlw_file with
      | Ptree.Decls decls ->
          type_module file env loc path ({ id_str = ""; id_ats = []; id_loc = loc }, decls)
      | Ptree.Modules m_or_t ->
          let type_module_env_loc_path file (id, dl) = type_module file env loc path (id, dl) in
          List.fold_left type_module_env_loc_path file m_or_t
    in
    file
end

let read_channel env _path file c =
  let f : Cfg_ast.cfg_file = Cfg_lexer.parse_channel file c in
  let ptree = Modules (List.map translate f) in
  Debug.dprintf debug "%a@." (Mlw_printer.pp_mlw_file ~attr:true) ptree;
  let mm = Typing.type_mlw_file env [] (file ^ ".mlw") ptree in
  mm

let () =
  Env.register_format mlw_language "mlcfg" [ "mlcfg"; "stdout" ] read_channel
    ~desc:"whyml extended with functions implemented by control-flow-graphs"
why3-1.6.0/plugins/cfg/cfg_main.mli000066400000000000000000000014311440160026300170710ustar00rootroot00000000000000(********************************************************************)
(*                                                                  *)
(*  The Why3 Verification Platform   /   The Why3 Development Team  *)
(*  Copyright 2010-2023 --  Inria - CNRS - Paris-Saclay University  *)
(*                                                                  *)
(*  This software is distributed under the terms of the GNU Lesser  *)
(*  General Public License version 2.1, with the special exception  *)
(*  on linking described in file LICENSE.                           *)
(*                                                                  *)
(********************************************************************)

open Cfg_ast
open Why3

val set_stackify :
  (cfg_fundef -> Ptree.fundef) -> unit
why3-1.6.0/plugins/cfg/cfg_parser.mly000066400000000000000000000061411440160026300174640ustar00rootroot00000000000000(********************************************************************)
(*                                                                  *)
(*  The Why3 Verification Platform   /   The Why3 Development Team  *)
(*  Copyright 2010-2023 --  Inria - CNRS - Paris-Saclay University  *)
(*                                                                  *)
(*  This software is distributed under the terms of the GNU Lesser  *)
(*  General Public License version 2.1, with the special exception  *)
(*  on linking described in file LICENSE.                           *)
(*                                                                  *)
(********************************************************************)

%{

  open Why3
  open Cfg_ast

  let floc s e = Loc.extract (s,e)

  let mk_cfginstr d s e = { cfg_instr_desc = d; cfg_instr_loc = floc s e }
  let mk_cfgterm d s e = { cfg_term_desc = d; cfg_term_loc = floc s e }

%}

(* extra tokens *)
%token CFG GOTO VAR SWITCH

%start cfgfile
%type  cfgfile
%type  sequence
%type  cases

%%

cfgfile:
  | ml=cfgmodule* EOF { ml }
;

cfgmodule:
  | id=module_head_parsing_only dl=cfgdecl* END
    { (id,dl) }

cfgdecl:
  | scope_head_parsing_only cfgdecl* END
      { let loc,import,qid = $1 in (Cfg_ast.Dscope(loc,import,qid,$2))}
  | IMPORT uqualid { (Dmlw_decl (Dimport $2)) }
  | d = pure_decl | d = prog_decl | d = meta_decl { Dmlw_decl d }
  | use_clone_parsing_only { Dmlw_decl $1 }
  | LET CFG f=recdefn { Dletcfg f }
  | LET REC CFG dl=with_list1(recdefn) { Dreccfg dl }
;

recdefn:
  | cf_name=attrs(lident_rich) cf_args=binders COLON ret=return_named sp=spec EQUAL
      cf_attrs=attr* cf_locals=vardecls cf_block0=block cf_blocks=labelblock*
    { let cf_pat, cf_retty, cf_mask = ret in
      let cf_spec = apply_return cf_pat sp in
      { cf_name; cf_args; cf_retty; cf_pat; cf_mask; cf_spec; cf_attrs;
        cf_locals; cf_block0; cf_blocks } }
;

vardecls:
  | /* epsilon */ { [] }
  | vardecl vardecls { $1 @ $2 }
;

vardecl:
  | g=ghost_opt VAR vl=attrs(lident_nq)* COLON t=ty init=init_opt SEMICOLON
    { List.map (fun id -> (g,id,t, init)) vl }
;

init_opt:
| /* epsilon */ { None }
| EQUAL contract_expr { Some($2) }

ghost_opt:
  | /* epsilon */ { false }
  | GHOST         { true }

labelblock:
  | id = attrs(uident) b=block  { (id,b) }
;

block:
  | LEFTBRC sequence RIGHTBRC { $2 }
;

sequence:
  | terminator { ([], $1) }
  | x=instr SEMICOLON xl = sequence { (x :: fst xl, snd xl) }
;

instr:
  | contract_expr
    { mk_cfginstr (CFGexpr $1) $startpos $endpos }
  | INVARIANT ident LEFTBRC term RIGHTBRC
    { mk_cfginstr (CFGinvariant [$2,$4]) $startpos $endpos }
;

terminator :
  | GOTO uident
    { mk_cfgterm (CFGgoto $2) $startpos $endpos }
  | SWITCH LEFTPAR contract_expr RIGHTPAR cases END
    { mk_cfgterm (CFGswitch ($3,$5)) $startpos $endpos }
  | RETURN contract_expr
    { mk_cfgterm (CFGreturn $2) $startpos $endpos }
  | ABSURD
    { mk_cfgterm CFGabsurd $startpos $endpos }
;

cases:
  | BAR match_case(terminator)
    { [$2] }
  | BAR match_case(terminator) cases
    { $2 :: $3 }
;
why3-1.6.0/plugins/cfg/cfg_paths.ml000066400000000000000000000166361440160026300171300ustar00rootroot00000000000000(********************************************************************)
(*                                                                  *)
(*  The Why3 Verification Platform   /   The Why3 Development Team  *)
(*  Copyright 2010-2023 --  Inria - CNRS - Paris-Saclay University  *)
(*                                                                  *)
(*  This software is distributed under the terms of the GNU Lesser  *)
(*  General Public License version 2.1, with the special exception  *)
(*  on linking described in file LICENSE.                           *)
(*                                                                  *)
(********************************************************************)

open Why3
open Cfg_ast
open Ptree

let debug = Debug.register_flag "cfg" ~desc:"CFG plugin debug flag"
let unit_type = PTtuple []
let mk_id ~loc name = { id_str = name; id_ats = []; id_loc = loc }
let mk_expr ~loc d = { expr_desc = d; expr_loc = loc }
let mk_unit ~loc = mk_expr ~loc (Etuple [])
let mk_check ~loc t = mk_expr ~loc (Eassert (Expr.Check, t))
let mk_assume ~loc t = mk_expr ~loc (Eassert (Expr.Assume, t))
let mk_seq ~loc e1 e2 = mk_expr ~loc (Esequence (e1, e2))
let mk_pat ~loc d = { pat_desc = d; pat_loc = loc }
let pat_wild ~loc = mk_pat ~loc Pwild

let empty_spec =
  {
    sp_pre = [];
    sp_post = [];
    sp_xpost = [];
    sp_reads = [];
    sp_writes = [];
    sp_alias = [];
    sp_variant = [];
    sp_checkrw = false;
    sp_diverge = false;
    sp_partial = false;
  }

let pp_id fmt id = Format.pp_print_string fmt id.id_str

let rec pp_qid fmt qid =
  match qid with
  | Qident id -> pp_id fmt id
  | Qdot (q, id) -> Format.fprintf fmt "%a.%a" pp_qid q pp_id id

let rec pp_pty fmt t =
  match t with
  | PTtyapp (qid, l) -> Format.fprintf fmt "@[%a %a@]" pp_qid qid (Pp.print_list Pp.semi pp_pty) l
  | _ -> Format.pp_print_string fmt ""

let divergent_attr = ATstr (Ident.create_attribute "vc:divergent")

exception CFGError of string

let () =
  Exn_printer.register (fun fmt exn ->
      match exn with
      | CFGError msg -> Format.fprintf fmt "CFG translation error: %s" msg
      | _ -> raise exn)

let translate_cfg preconds block (blocks : (label * block) list) =
  let blocks =
    List.fold_left (fun acc (l, b) -> Wstdlib.Mstr.add l.id_str b acc) Wstdlib.Mstr.empty blocks
  in
  let thestartlabel = "start" in
  let visited_entry_points = ref [ thestartlabel ] in
  let funs = ref [] in

  let rec translate_term startlabel visited_terms (t : cfg_term) : Ptree.expr =
    let loc = t.cfg_term_loc in
    if List.memq t visited_terms then begin
      let msg = "cycle without invariant" in
      let msg =
        if startlabel = thestartlabel then msg else msg ^ " starting from `" ^ startlabel ^ "`"
      in
      raise (Loc.Located (loc, CFGError msg))
    end;
    match t.cfg_term_desc with
    | CFGgoto l -> translate_goto startlabel (t :: visited_terms) l
    | CFGreturn e -> e
    | CFGabsurd -> mk_expr ~loc:t.cfg_term_loc Eabsurd
    | CFGswitch (e, cases) ->
        let branches =
          List.map
            (fun (pat, l) ->
              let e = translate_term startlabel (t :: visited_terms) l in
              (pat, e))
            cases
        in
        mk_expr ~loc (Ematch (e, branches, []))
  and translate_goto startlabel visited_terms (l : label) : Ptree.expr =
    let bl =
      try Wstdlib.Mstr.find l.id_str blocks
      with Not_found ->
        raise (Loc.Located (l.id_loc, CFGError ("label " ^ l.id_str ^ " not found for goto")))
    in
    traverse_block startlabel visited_terms bl
  and traverse_block startlabel visited_terms (blk : block) : Ptree.expr =
    let instrs, term = blk in
    begin
      match instrs with
      | [] -> translate_term startlabel visited_terms term
      | i :: rem ->
          let loc = i.cfg_instr_loc in
          let traverse_block = traverse_block startlabel visited_terms in
          begin
            match (i.cfg_instr_desc, rem) with
            | CFGinvariant l1, { cfg_instr_desc = CFGinvariant l2 } :: rem ->
                traverse_block ({ i with cfg_instr_desc = CFGinvariant (l1 @ l2) } :: rem, term)
            | CFGinvariant l, _ ->
                let id = match l with [] -> assert false | (id, _) :: _ -> id in
                let l =
                  List.map
                    (fun (id, t) ->
                      let attr = ATstr (Ident.create_attribute ("hyp_name:" ^ id.id_str)) in
                      (* TODO : add also an "expl:" *)
                      { t with term_desc = Tattr (attr, t) })
                    l
                in
                if not (List.mem id.id_str !visited_entry_points) then begin
                  visited_entry_points := id.id_str :: !visited_entry_points;
                  traverse_from_entry_point id.id_str l (rem, term)
                end;
                let k =
                  mk_expr ~loc
                    (Eidapp (Qident (mk_id ~loc ("_from_" ^ id.id_str)), [ mk_unit ~loc ]))
                in
                List.fold_right
                  (fun t acc ->
                    let e = mk_check ~loc:t.term_loc t in
                    mk_seq ~loc e acc)
                  l k
            | CFGexpr e1, _ ->
                let e2 = traverse_block (rem, term) in
                mk_seq ~loc e1 e2
          end
    end
  and traverse_from_entry_point startlabel preconds (block : block) =
    let e = traverse_block startlabel [] (block : block) in
    funs := (startlabel, preconds, e) :: !funs
  in

  traverse_from_entry_point thestartlabel preconds (block : block);
  !funs

let e_ref = mk_expr ~loc:Loc.dummy_position Eref

let declare_local (ghost, id, ty, init) body =
  let loc = id.id_loc in
  Debug.dprintf debug "declaring local variable %a of type %a@." pp_id id pp_pty ty;
  let e : expr =
    match init with
    | Some e -> e
    | None ->
        mk_expr ~loc (Eany ([], Expr.RKnone, Some ty, pat_wild ~loc, Ity.MaskVisible, empty_spec))
  in
  let e = mk_expr ~loc (Eapply (e_ref, e)) in
  let id = { id with id_ats = ATstr Pmodule.ref_attr :: id.id_ats } in
  mk_expr ~loc:id.id_loc (Elet (id, ghost, Expr.RKnone, e, body))

let build_path_function retty pat mask postconds (startlabel, preconds, body) : Ptree.fundef =
  let body =
    List.fold_left
      (fun acc t ->
        let loc = t.term_loc in
        let e = mk_assume ~loc t in
        mk_seq ~loc e acc)
      body preconds
  in
  let loc = Loc.dummy_position in
  let spec = { empty_spec with sp_post = postconds } in
  let id = mk_id ~loc ("_from_" ^ startlabel) in
  let arg = (loc, None, false, Some unit_type) in
  (id, false, Expr.RKnone, [ arg ], Some retty, pat, mask, spec, body)


let translate_cfg_fundef cf =
  Debug.dprintf debug "translating cfg function `%s`@." cf.cf_name.id_str;
  Debug.dprintf debug "return type is `%a`@." pp_pty cf.cf_retty;
  let funs = translate_cfg cf.cf_spec.sp_pre cf.cf_block0 cf.cf_blocks in
  let loc = Loc.dummy_position in
  let body =
    mk_expr ~loc (Eidapp(Qident (mk_id ~loc "_from_start"),[mk_unit ~loc]))
  in
  let defs =
    List.map (build_path_function cf.cf_retty cf.cf_pat cf.cf_mask cf.cf_spec.sp_post) funs
  in
  let body = mk_expr ~loc (Erec(defs,body)) in
  let body = List.fold_right declare_local cf.cf_locals body in
  (* ignore termination *)
  let body = mk_expr ~loc (Eattr(divergent_attr,body)) in
  let body = List.fold_right (fun a e -> mk_expr ~loc (Eattr(a, e))) cf.cf_attrs body in
  (cf.cf_name, false, Expr.RKnone, cf.cf_args, Some cf.cf_retty, cf.cf_pat,
   cf.cf_mask, cf.cf_spec, body)
why3-1.6.0/plugins/cfg/cfg_paths.mli000066400000000000000000000014571440160026300172740ustar00rootroot00000000000000(********************************************************************)
(*                                                                  *)
(*  The Why3 Verification Platform   /   The Why3 Development Team  *)
(*  Copyright 2010-2023 --  Inria - CNRS - Paris-Saclay University  *)
(*                                                                  *)
(*  This software is distributed under the terms of the GNU Lesser  *)
(*  General Public License version 2.1, with the special exception  *)
(*  on linking described in file LICENSE.                           *)
(*                                                                  *)
(********************************************************************)

open Why3
open Ptree

val debug : Debug.flag

val translate_cfg_fundef :
  Cfg_ast.cfg_fundef -> fundef
why3-1.6.0/plugins/cfg/cfg_stackify.ml000066400000000000000000000163621440160026300176220ustar00rootroot00000000000000(********************************************************************)
(*                                                                  *)
(*  The Why3 Verification Platform   /   The Why3 Development Team  *)
(*  Copyright 2010-2023 --  Inria - CNRS - Paris-Saclay University  *)
(*                                                                  *)
(*  This software is distributed under the terms of the GNU Lesser  *)
(*  General Public License version 2.1, with the special exception  *)
(*  on linking described in file LICENSE.                           *)
(*                                                                  *)
(********************************************************************)

open Why3
open Stackify
open Cfg_ast
open Ptree

let debug = Debug.register_flag "cfg" ~desc:"CFG plugin debug flag"
let unit_type = PTtuple []
                  [@@warning "-32"]

let mk_id ~loc name =
  { id_str = name; id_ats = []; id_loc = loc }

let mk_expr ~loc d =
  { expr_desc = d; expr_loc = loc }

let mk_unit ~loc =
  mk_expr ~loc (Etuple [])

let mk_check ~loc t =
  mk_expr ~loc (Eassert(Expr.Check,t))
              [@@warning "-32"]

let mk_assume ~loc t =
  mk_expr ~loc (Eassert(Expr.Assume,t))
              [@@warning "-32"]

let mk_seq ~loc e1 e2 = mk_expr ~loc (Esequence(e1,e2))

let mk_pat ~loc d =
  { pat_desc = d; pat_loc = loc }

let pat_wild ~loc = mk_pat ~loc Pwild

let empty_spec =
  {
    sp_pre = [];
    sp_post = [];
    sp_xpost = [];
    sp_reads = [];
    sp_writes = [];
    sp_alias = [];
    sp_variant = [];
    sp_checkrw = false;
    sp_diverge = false;
    sp_partial = false;
  }

let pp_id fmt id = Format.pp_print_string fmt id.id_str

let rec pp_qid fmt qid =
  match qid with
  | Qident id -> pp_id fmt id
  | Qdot (q, id) -> Format.fprintf fmt "%a.%a" pp_qid q pp_id id

let rec pp_pty fmt t =
  match t with
  | PTtyapp (qid, l) -> Format.fprintf fmt "@[%a %a@]" pp_qid qid (Pp.print_list Pp.semi pp_pty) l
  | _ -> Format.pp_print_string fmt ""

let divergent_attr = ATstr Vc.nt_attr

exception CFGError of string
              [@@warning "-38"]

let () =
  Exn_printer.register (fun fmt exn ->
      match exn with
      | CFGError msg -> Format.fprintf fmt "CFG translation error: %s" msg
      | _ -> raise exn)

let mk_loop_continue entry : Ptree.expr = mk_expr ~loc:entry.id_loc (Eraise (Qident entry, None))

let mk_loop_expr entry invariants (e : Ptree.expr) : Ptree.expr =
  let continue = mk_expr ~loc:Loc.dummy_position (Eoptexn (entry, Ity.MaskVisible, e)) in
  let invariants =
    List.map
      (fun (id, t) ->
        let attr = ATstr (Ident.create_attribute ("hyp_name:" ^ id.id_str)) in
        { term_loc = t.term_loc; term_desc = Tattr (attr, t) })
      invariants
  in
  let infinite_loop =
    mk_expr ~loc:entry.id_loc
      (Ewhile (mk_expr ~loc:Loc.dummy_position Etrue, invariants, [], continue))
  in
  (* adding a "absurd" after the infinite loop to avoid generation of
     meaningless VCs *)
  let absurd = mk_expr ~loc:Loc.dummy_position Eabsurd in
  mk_expr ~loc:entry.id_loc (Esequence (infinite_loop, absurd))

let mk_scope_break entry ?(loc = entry.id_loc) () = mk_expr ~loc (Eraise (Qident entry, None))

let mk_scope_expr entry inner outer =
  mk_seq ~loc:Loc.dummy_position
    (mk_expr ~loc:entry.id_loc (Eoptexn (entry, Ity.MaskVisible, inner)))
    outer

let translate_instr (i : Cfg_ast.cfg_instr) : Ptree.expr =
  match i.cfg_instr_desc with
  | CFGinvariant _inv -> mk_unit ~loc:Loc.dummy_position (* temporary *)
  | CFGexpr e -> e

let rec translate_term subst (t : Cfg_ast.cfg_term) : Ptree.expr =
  match t.cfg_term_desc with
  | CFGgoto l -> begin
      match List.find_opt (fun (l', _) -> l'.id_str = l.id_str) subst with
      | Some (_, e) -> e
      | _ -> mk_scope_break l ~loc:t.cfg_term_loc ()
    end
  | CFGreturn e ->
      mk_expr ~loc:t.cfg_term_loc (Eraise (Qident (mk_id ~loc:Loc.dummy_position "Return"), Some e))
  | CFGswitch (e, brs) ->
      (* TODO: why arent we using fall and can we remove it? *)
      let mk_switch _fall branches =
        let branches = List.map (fun (pat, term) -> (pat, translate_term subst term)) branches in
        mk_expr ~loc:t.cfg_term_loc (Ematch (e, branches, []))
      in
      let rec duplicates p xs =
        match xs with
        | x :: xs -> if List.exists (p x) xs then x :: duplicates p xs else duplicates p xs
        | [] -> []
      in
      let dup_targets = duplicates (fun a b -> a.id_str = b.id_str) (targets t) in
      let here, subst =
        List.partition (fun (a, _) -> List.exists (fun b -> b.id_str = a.id_str) dup_targets) subst
      in

      List.fold_left (fun acc (l, e) -> mk_scope_expr l acc e) (mk_switch subst brs) here
  | CFGabsurd -> mk_expr ~loc:t.cfg_term_loc Eabsurd

let translate_block subst (instrs, term) : Ptree.expr =
  List.fold_right
    (fun i t -> mk_seq ~loc:Loc.dummy_position (translate_instr i) t)
    instrs (translate_term subst term)

let rec translate_exp subst (es : Stackify.exp_tree) : Ptree.expr =
  match es with
  | Scope (lbl, usage, bound, inner) ->
      (* invariant: a scope must be followed by at least one block *)
      let entry = lbl in
      let outer = translate_exp subst bound in
      (* print_exp_structure' inner; *)
      let scope =
        match usage with
        | One -> translate_exp ((entry, outer) :: subst) inner
        | Multi -> mk_scope_expr entry (translate_exp subst inner) outer
      in
      scope
  | Loop (invs, body) ->
      let label = fst (entry body) in
      let loop_continue = mk_loop_continue label in
      let loop_body = mk_loop_expr label invs (translate_exp [ (label, loop_continue) ] body) in
      List.fold_left (fun acc (l, e) -> mk_scope_expr l acc e) loop_body subst
  | Block (_, blk) -> translate_block subst blk

let translate_cfg block (blocks : (label * block) list) =
  let startlabel = mk_id ~loc:Loc.dummy_position "start" in
  let s = stackify ((startlabel, block) :: blocks) startlabel in
  let e = translate_exp [] s in
  e

let e_ref = mk_expr ~loc:Loc.dummy_position Eref

let declare_local (ghost, id, ty, init) body =
  let loc = id.id_loc in
  Debug.dprintf debug "declaring local variable %a of type %a@." pp_id id pp_pty ty;
  let e : expr =
    match init with
    | Some e -> e
    | None ->
        mk_expr ~loc (Eany ([], Expr.RKnone, Some ty, pat_wild ~loc, Ity.MaskVisible, empty_spec))
  in
  let e = mk_expr ~loc (Eapply (e_ref, e)) in
  let id = { id with id_ats = ATstr Pmodule.ref_attr :: id.id_ats } in
  mk_expr ~loc:id.id_loc (Elet (id, ghost, Expr.RKnone, e, body))

let translate_cfg_fundef cf =
  Debug.dprintf debug "translating cfg function `%s`@." cf.cf_name.id_str;
  Debug.dprintf debug "return type is `%a`@." pp_pty cf.cf_retty;
  let body = translate_cfg cf.cf_block0 cf.cf_blocks in
  let loc = Loc.dummy_position in
  let body =
    List.fold_right declare_local cf.cf_locals body
  in
  let body = mk_seq ~loc body (mk_expr ~loc Eabsurd) in
  let body = mk_expr ~loc (Eoptexn(mk_id ~loc "Return", cf.cf_mask, body)) in
  (* ignore termination *)
  let body = mk_expr ~loc (Eattr(divergent_attr,body)) in
  let body = List.fold_right (fun a e -> mk_expr ~loc (Eattr(a, e))) cf.cf_attrs body in
  (cf.cf_name, false, Expr.RKnone, cf.cf_args, Some cf.cf_retty, cf.cf_pat, cf.cf_mask, cf.cf_spec, body)

open Cfg_main

let () = set_stackify translate_cfg_fundef
why3-1.6.0/plugins/cfg/cfg_stackify.mli000066400000000000000000000013071440160026300177640ustar00rootroot00000000000000(********************************************************************)
(*                                                                  *)
(*  The Why3 Verification Platform   /   The Why3 Development Team  *)
(*  Copyright 2010-2023 --  Inria - CNRS - Paris-Saclay University  *)
(*                                                                  *)
(*  This software is distributed under the terms of the GNU Lesser  *)
(*  General Public License version 2.1, with the special exception  *)
(*  on linking described in file LICENSE.                           *)
(*                                                                  *)
(********************************************************************)

why3-1.6.0/plugins/cfg/examples/000077500000000000000000000000001440160026300164425ustar00rootroot00000000000000why3-1.6.0/plugins/cfg/examples/if.mlcfg000066400000000000000000000005411440160026300200520ustar00rootroot00000000000000module IfCfg

use int.Int

let cfg if_stmt (b : bool) : int 
ensures { b = true -> result = 6 } 
ensures { b = false -> result = 11 }
=
var r : int; 
{ r <- 0; goto S }
S { switch (b) 
	| True -> goto L1
	| False -> goto R1
	end
}
Return { r <- r + 1; return r }

R1 { r <- 10; goto R2 }
L1 { r <- 5; goto L2}
R2 { goto Return }

L2 { goto Return }
end
why3-1.6.0/plugins/cfg/examples/if/000077500000000000000000000000001440160026300170405ustar00rootroot00000000000000why3-1.6.0/plugins/cfg/examples/if/why3session.xml000066400000000000000000000010561440160026300220620ustar00rootroot00000000000000






 
 
 



why3-1.6.0/plugins/cfg/examples/if/why3shapes.gz000066400000000000000000000002001440160026300214700ustar00rootroot00000000000000];1661VVA͉̌zN.k6ou7Ddw^;7vBT1i=G/k54i`F\BoI
?why3-1.6.0/plugins/cfg/examples/max_array.mlcfg000066400000000000000000000021661440160026300214440ustar00rootroot00000000000000
module MaxArray

  use int.Int

  use array.Array

  let cfg compute_max (a:array int) : (max: int, ghost ind:int)
    requires { length a > 0 }
    ensures  { 0 <= ind < length a }
    ensures  { forall i. 0 <= i < length a -> a[ind] >= a[i] }
  =
  (* simulation of the C code: (from ACSL Manual, section 2.4.2 Loop invariants)

   i = 0;
   goto L;
   do {
      if (t[i] > m) { L: m = t[i]; }
      /*@ invariant
        @  0 <= i < n && m == \max(0,i,\lambda integer k; t[k]);
        @*/
      i++;
      }
    while (i < n);
    return m;

  *)
  var i m: int;
  ghost var ind: int;
  {
    i <- 0;
    goto L
  }
  L {
    m <- a[i];
    ind <- i;
    goto L1
  }
  L1 {
    invariant i_bounds   { 0 <= i < length a };
    invariant ind_bounds { 0 <= ind < length a };
    invariant m_and_ind  { m = a[ind] };
    invariant m_is_max   { forall j. 0 <= j <= i -> m >= a[j] };
                           (* (yes, j <= i, not j < i !) *)
    i <- i + 1;
    switch (i < length a)
    | True  -> goto L2
    | False -> return (m, ind)
    end
  }
  L2 {
    switch (a[i] > m)
    | True  -> goto L
    | False -> goto L1
    end
  }
end
why3-1.6.0/plugins/cfg/examples/max_array/000077500000000000000000000000001440160026300204255ustar00rootroot00000000000000why3-1.6.0/plugins/cfg/examples/max_array/why3session.xml000066400000000000000000000107361440160026300234540ustar00rootroot00000000000000







 
 
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
 
 



why3-1.6.0/plugins/cfg/examples/nested_loops.mlcfg000066400000000000000000000016311440160026300221530ustar00rootroot00000000000000module NestedLoops
use int.Int
(*

	The CFG has this form

		  S
		  |
		  v
	+-->1-----> 5
	|   |
	|   v
	4<--2-->3
		  ^		|
		  |		|
		  +---+

	It corresponds to a program  along the lines of

	while C {
		while D {
			// some code
		}
	}

	The stackification algorithm should lead to an order along the lines
	of S, 1, 2, 3, 4, 5
	
*)


let cfg nested_loops (b : bool) : () = 
{goto L1 }
L1 {
	switch (b) 
	| True -> goto L2
	| False -> goto L5
	end
}
L2 {
	invariant inner { true };
	switch (not b)
	| True -> goto L3
	| False -> goto L4
	end
}
L3 {
	goto L2
}
L4 {
	goto L1
}
L5 {
	return ()
}

let cfg chain () : () =
var x : int;
{ x <- 0; goto L1 }
L1 { x <- 5; goto L2 }
L2 { x <- 10; return () }


let cfg simple_loop () : int =
var x : int;
{ x <- 0; goto L0 }
L0 { x<- 3; switch (x < 10)
			| True -> goto R
			| False -> goto L1
			end
}
L1 { x <- 10; goto L0 }
S { return x }
R { x <- x + 1; goto S }

end
why3-1.6.0/plugins/cfg/examples/simple_loop.mlcfg000066400000000000000000000003611440160026300217760ustar00rootroot00000000000000module SimpleLoop
use int.Int
let cfg simple_loop () : int =
var x : int;
{ x <- 0; goto L0 }
L0 { x<- 3; switch (x < 10)
			| True -> goto R
			| False -> goto L1
			end
}
L1 { x <- 10; goto L0 }
S { return x }
R { x <- x + 1; goto S }
end
why3-1.6.0/plugins/cfg/stackify.ml000066400000000000000000000126621440160026300170020ustar00rootroot00000000000000(********************************************************************)
(*                                                                  *)
(*  The Why3 Verification Platform   /   The Why3 Development Team  *)
(*  Copyright 2010-2023 --  Inria - CNRS - Paris-Saclay University  *)
(*                                                                  *)
(*  This software is distributed under the terms of the GNU Lesser  *)
(*  General Public License version 2.1, with the special exception  *)
(*  on linking described in file LICENSE.                           *)
(*                                                                  *)
(********************************************************************)

open Why3
open Cfg_ast
open Ptree

(* Todo use labeled graph *)
module G = Graph.Imperative.Digraph.Concrete (struct
  type t = label

  let equal a b = a.id_str = b.id_str

  let compare a b = String.compare a.id_str b.id_str

  let hash a = Hashtbl.hash a.id_str
end)

module Dom = Graph.Dominator.Make (G)
module Topo = Graph.WeakTopological.Make (G)

let rec targets (t : cfg_term) : label list =
  match t.cfg_term_desc with
  | CFGgoto l -> [ l ]
  | CFGswitch (_, brs) -> List.fold_left (fun acc (_, a) -> targets a @ acc) [] brs
  | CFGreturn _ -> []
  | CFGabsurd -> []

type labeled_block = label * block

type usage = Multi | One

type exp_tree =
  | Scope of label * usage * exp_tree * exp_tree
  | Loop of (ident * Ptree.term) list * exp_tree
  | Block of labeled_block

let rec _print_exp_structure' exp =
  match exp with
  | Scope (lbl, _, tgt, exp) ->
      Format.printf "Scope( %s = " lbl.id_str;
      _print_exp_structure' tgt;
      Format.printf " in ";
      _print_exp_structure' exp;
      Format.printf ")"
  | Loop (_, exp) ->
      Format.printf "Loop[  ";
      _print_exp_structure' exp;
      Format.printf "]"
  | Block (l, _) -> Format.printf "Block(%s)" l.id_str

let graph_from_blocks (bl : (label * block) list) : G.t =
  let g = G.create () in
  List.iter
    (fun (source, (_, t)) ->
      let target_label = targets t in
      G.add_vertex g source;
      List.iter (fun target -> G.add_edge g source target) target_label)
    bl;
  g

exception NotReducible of (string * string)

exception NotConnected of G.V.t list

let () =
  Exn_printer.register (fun fmt exn ->
      match exn with
      | NotReducible (n1, n2) ->
          Format.fprintf fmt
            "CFG is not a reducible graph. The nodes %s %s belong to a cycle with multiple entries"
            n1 n2
      | NotConnected s ->
          Format.fprintf fmt
            "CFG is not a connected graph. The following nodes are not reachable from the start \
             block: ";
          List.iter (fun el -> Format.printf "%s" el.id_str) s
      | _ -> raise exn)

module Sint = Extset.Make (struct
  type t = label

  let compare a b = String.compare a.id_str b.id_str
end)

let _graph_is_reducible (g : G.t) (dom : G.V.t -> G.V.t -> bool) (entry : label) =
  let visited = ref Sint.empty in
  let to_visit = Stack.create () in
  Stack.push entry to_visit;

  while not (Stack.is_empty to_visit) do
    let node = Stack.pop to_visit in
    visited := Sint.add node !visited;

    G.iter_succ
      (fun succ ->
        if not (Sint.mem succ !visited) then Stack.push succ to_visit
        else if (* back-edge *)
                not (dom succ node) then raise (NotReducible (succ.id_str, node.id_str)))
      g node
  done;
  (* graph is connected *)
  let unreached =
    G.fold_vertex (fun v u -> if not (Sint.mem v !visited) then Sint.add v u else u) g Sint.empty
  in
  if not (Sint.is_empty unreached) then raise (NotConnected (Sint.elements unreached));
  ()

let rec entry e =
  match e with Block b -> b | Loop (_, h) -> entry h | Scope (_, _, _, h) -> entry h
(* unused | _ -> assert false *)

let mk_scope label usage tgt body = Scope (label, usage, tgt, body)

let rec treeify_from_components pred dom (prev : exp_tree option) blocks
    (wto : label Graph.WeakTopological.t) : exp_tree =
  Option.get
    (Graph.WeakTopological.fold_left
       (fun prev c ->
         let e = treeify_component pred dom blocks c in
         let lbl = fst (entry e) in
         let forward_preds = List.filter (fun pred -> not (dom lbl pred)) (pred lbl) in
         let usage = if List.length forward_preds > 1 then Multi else One in
         match prev with Some prev -> Some (mk_scope lbl usage e prev) | None -> Some e)
       prev wto)

and treeify_component pred dom blocks (wto : label Graph.WeakTopological.element) : exp_tree =
  let open Graph.WeakTopological in
  match wto with
  | Vertex b -> Block (List.find (fun (l, _) -> l.id_str = b.id_str) blocks)
  | Component (v, b) ->
      let rec split_invariants = function
        | { cfg_instr_desc = CFGinvariant is } :: xs ->
            let invs, stmts = split_invariants xs in
            (is @ invs, stmts)
        | [] -> ([], [])
        | a -> ([], a)
      in
      let l, (s, t) = List.find (fun (l, _) -> l.id_str = v.id_str) blocks in
      let invariants, stmts = split_invariants s in

      Loop (invariants, treeify_from_components pred dom (Some (Block (l, (stmts, t)))) blocks b)

and treeify pred dom cs = treeify_from_components pred dom None cs

let stackify (bl : labeled_block list) (entry : label) : exp_tree =
  let g = graph_from_blocks bl in
  let idom = Dom.compute_idom g entry in
  let dom = Dom.idom_to_dom idom in

  (* graph_is_reducible g dom entry; *)
  let comps = Topo.recursive_scc g entry in
  let t = treeify (G.pred g) dom bl comps in
  t
why3-1.6.0/plugins/cfg/stackify.mli000066400000000000000000000020671440160026300171510ustar00rootroot00000000000000(********************************************************************)
(*                                                                  *)
(*  The Why3 Verification Platform   /   The Why3 Development Team  *)
(*  Copyright 2010-2023 --  Inria - CNRS - Paris-Saclay University  *)
(*                                                                  *)
(*  This software is distributed under the terms of the GNU Lesser  *)
(*  General Public License version 2.1, with the special exception  *)
(*  on linking described in file LICENSE.                           *)
(*                                                                  *)
(********************************************************************)

open Why3
open Cfg_ast

type labeled_block = label * block

type usage = Multi | One

type exp_tree =
  | Scope of label * usage * exp_tree * exp_tree
  | Loop  of (Ptree.ident * Ptree.term) list * exp_tree
  | Block of labeled_block


val entry : exp_tree -> labeled_block

val targets : cfg_term -> label list

val stackify : labeled_block list -> label -> exp_tree
why3-1.6.0/plugins/cfg/subregion_analysis.ml000066400000000000000000000405201440160026300210570ustar00rootroot00000000000000(********************************************************************)
(*                                                                  *)
(*  The Why3 Verification Platform   /   The Why3 Development Team  *)
(*  Copyright 2010-2023 --  Inria - CNRS - Paris-Saclay University  *)
(*                                                                  *)
(*  This software is distributed under the terms of the GNU Lesser  *)
(*  General Public License version 2.1, with the special exception  *)
(*  on linking described in file LICENSE.                           *)
(*                                                                  *)
(********************************************************************)

open Why3
open Pmodule
open Pdecl
open Ity
open Expr
open Term
open Ident

type domain_elt =
  | Union of ity * domain_elt list
  | Variable of pvsymbol
  | Proj of ity * rsymbol * domain_elt
  | Bot

let rec ity_of d : ity =
  match d with
  | Variable p -> p.pv_ity
  | Proj (_, v, p) -> (
      let inner_ty = ity_of p in
      match inner_ty.ity_node with
      | Ityvar _ -> assert false
      | Ityapp (s, tl, rl) | Ityreg { reg_its = s; reg_args = tl; reg_regs = rl } ->
          let isb = its_match_regs s tl rl in
          ity_full_inst isb v.rs_cty.cty_result)
  | Bot -> assert false
  | Union (cty, _) -> cty

let fields ity =
  match ity.ity_node with
  | Ityapp (s, _, _) -> s.its_mfields @ s.its_ofields
  | Ityreg r -> r.reg_its.its_mfields @ r.reg_its.its_ofields
  | Ityvar _ -> assert false

(* Smart constructors *)

let mk_proj ty elt f =
  match elt with
  | Union (_, flds) ->
      let fld_nms = fields (ity_of elt) in
      let rec go nms vals =
        match (nms, vals) with
        | nm :: nms, v :: vals -> if pv_equal nm (fd_of_rs f) then v else go nms vals
        | _, _ -> failwith "mk_proj: field not part of type"
      in
      go fld_nms flds
  | Bot -> Bot
  | _ -> Proj (ty, f, elt)

let unfold known v =
  let ity = ity_of v in
  let sym =
    match ity.ity_node with Ityapp (sym, _, _) -> sym | Ityreg r -> r.reg_its | _ -> assert false
  in

  let def =
    try find_its_defn known sym
    with _ ->
      Format.eprintf "Could not find %a\n " print_its sym;
      assert false
  in
  if List.length def.itd_constructors <> 1 then Bot
  else Union (ity_purify ity, List.map (fun f -> mk_proj ity v f) def.itd_fields)

let rec merge known l r =
  (* Format.printf "merging %a  %a\n" print_elt l print_elt r; *)
  match (l, r) with
  | Union (ty1, l1), Union (ty2, l2) ->
      if ity_equal ty1 ty2 then Union (ty1, List.map2 (merge known) l1 l2)
      else (
        Format.eprintf "cannot merge %a with %a\n" print_ity ty1 print_ity ty2;
        assert false)
  | Variable v1, Variable v2 -> if pv_equal v1 v2 then Variable v1 else Bot
  | Proj (c, f1, p1), Proj (_, f2, p2) -> if f1 = f2 then mk_proj c (merge known p1 p2) f1 else Bot
  | Variable _, _ -> Bot
  | _, Variable _ -> Bot
  | _, Bot -> Bot
  | Bot, _ -> Bot
  | Proj _, Union _ -> merge known (unfold known l) r
  | Union _, Proj _ -> merge known l (unfold known r)

let rec update known l fld fld_ty v =
  (* Format.printf "update %a . %a  = %a \n" print_elt l print_pv fld print_elt v; *)
  match l with
  | Union (ty, flds) ->
      let rec worker flds regs =
        match (flds, regs) with
        | f :: fs, r :: rs -> if f = fld then v :: rs else r :: worker fs rs
        | _, _ -> assert false
      in
      Union (ty, worker (fields ty) flds)
  | Bot -> Bot
  | Variable _ -> update known (unfold known l) fld fld_ty v
  | _ -> assert false

let rec is_projection elt =
  match elt with Variable _ -> true | Proj (_, _, p) -> is_projection p | _ -> false

(* requires the term to be a projection *)
let rec to_term elt : term =
  match elt with
  | Variable v -> t_var v.pv_vs
  | Proj (_, fld, p) -> t_app_infer (ls_of_rs fld) [ to_term p ]
  | _ -> assert false

let rec generate_equality known f v (k : term -> term) : term list =
  match (f, v) with
  | Variable f, v when is_projection v -> [ ps_app ps_equ [ k (t_var f.pv_vs); k (to_term v) ] ]
  | f, Variable v when is_projection f -> [ ps_app ps_equ [ k (to_term f); k (t_var v.pv_vs) ] ]
  | Union (_, vls), Union (_, vls') ->
      let rec go vls vls' acc =
        match (vls, vls') with
        | v :: vls, v' :: vls' -> go vls vls' (generate_equality known v v' k @ acc)
        | [], [] -> acc
        | _, _ -> failwith "unreachable"
      in
      go vls vls' []
  | Proj (_, fld, p), Proj (_, fld', p') ->
      if rs_equal fld fld' then
        generate_equality known p p' (fun s -> k (t_app_infer (ls_of_rs fld) [ s ]))
      else []
  | Bot, Bot -> []
  (* others *)
  | _, Bot -> []
  | Bot, _ -> []
  | Union _, _ -> generate_equality known f (unfold known v) k
  | _, Union _ -> generate_equality known (unfold known f) v k
  (* | Variable _, _ -> generate_equality known (unfold known f) v k
     | Proj _, _ -> generate_equality known (unfold known f) v k
     | _, Variable _ -> generate_equality known f (unfold known v) k
     | _, Proj _ -> generate_equality known f (unfold known v) k
  *)
  | _, _ -> assert false (* unreachable *)

(* The domain maps symbols to their symbolic value *)
type domain = domain_elt Mpv.t

module FreshNames = struct
  open Ity

  type t = rsymbol Mrs.t * pvsymbol Mpv.t

  let empty = (Mrs.empty, Mpv.empty)
  let pv (_, m) k def = match Mpv.find_opt k m with Some v -> v | None -> def
  let pv2 (_, m) k def = match Mpv.find_opt k m with Some v -> v | None -> def
  let add_pv (m1, m2) k v = (m1, Mpv.add k v m2)
  let rs (m, _) k def = match Mrs.find_opt k m with Some v -> v | None -> def
  let merge_rs (m1, m2) (m1' : rsymbol Mrs.t) = (Mrs.set_union m1' m1, m2)
  let add_rs (m1, m2) k v = (Mrs.add k v m1, m2)
end

let find m k def = match Mpv.find_opt k m with Some v -> v | None -> def

let merge_domains known d1 d2 =
  Mpv.merge
    (fun _ a b ->
      match (a, b) with Some a, Some b -> Some (merge known a b) | None, b -> b | a, None -> a)
    d1 d2

let rec analyze muc (st : FreshNames.t) (regions : domain) (e : expr) : domain_elt * expr * domain =
  let attrs = e.e_attrs in
  let d, e, r = inner muc st regions e in
  (d, e_attr_push attrs e, r)

and analyze_assign muc st regions (v, f, t) : domain * (_ * _ * _) =
  let t_val = find regions t (Variable (FreshNames.pv2 st t t)) in
  let v_val = find regions v (Variable (FreshNames.pv2 st v v)) in

  let cty' = cty_apply f.rs_cty [ FreshNames.pv2 st v v ] [] t.pv_ity in
  let e = (e_var (FreshNames.pv2 st v v), f, e_var (FreshNames.pv2 st t t)) in
  let v_val' = update muc.muc_known v_val (fd_of_rs f) cty' t_val in
  let regions = Mpv.add v v_val' regions in
  (regions, e)

and inner muc st regions e =
  match e.e_node with
  | Evar v -> (Bot, e_var (FreshNames.pv st v v), regions)
  | Econst _ -> (Bot, e, regions)
  | Elet (def, e) ->
      let st, def', regions = analyze_letdefn muc st regions def in
      let dom, e, regions = analyze muc st regions e in
      let regions = match def with LDvar (p, _) -> Mpv.remove p regions | _ -> regions in
      (dom, e_let def' e, regions)
  | Eexec (ce, _) ->
      let dom, e = analyze_cexp muc st regions ce in
      (dom, e_exec e, regions)
  | Eassign es ->
      let regions, es =
        Lists.map_fold_left (fun regions asgn -> analyze_assign muc st regions asgn) regions es
      in

      (Bot, e_assign es, regions)
  | Eif (s, i, e) ->
      let _, s, regions = analyze muc st regions s in

      let d, i, regions' = analyze muc st regions i in
      let d', e, regions'' = analyze muc st regions e in

      let d = merge muc.muc_known d d' in
      let regions = merge_domains muc.muc_known regions' regions'' in

      (d, e_if s i e, regions)
  | Ematch (scrut, brs, exn_brs) ->
      let _, scrut, regions = analyze muc st regions scrut in
      (* push the value of the scrutinee into branches *)
      let dom_reg, brs =
        if brs = [] then (None, [])
        else
          let dom_reg, brs =
            List.split
              (List.map
                 (fun br ->
                   let dom, br, reg = analyze_br muc st regions br in
                   ((dom, reg), br))
                 brs)
          in

          let dom, regions =
            List.fold_left
              (fun (dom_acc, reg_acc) (dom, reg) ->
                let dom' = merge muc.muc_known dom_acc dom in
                let reg' = merge_domains muc.muc_known reg_acc reg in
                (dom', reg'))
              (Bot, Mpv.empty) dom_reg
          in

          (Some (dom, regions), brs)
      in

      let e_dom_reg, exn_brs =
        if not (Mxs.is_empty exn_brs) then
          let (dom, reg), e_brs =
            Mxs.mapi_fold
              (fun _ ebr (dom_acc, reg_acc) ->
                let dom, ebr, regions = analyze_e_br muc st regions ebr in
                let dom' = merge muc.muc_known dom_acc dom in
                let reg' = merge_domains muc.muc_known regions reg_acc in
                ((dom', reg'), ebr))
              exn_brs (Bot, Mpv.empty)
          in
          (Some (dom, reg), e_brs)
        else (None, exn_brs)
      in

      let dom, regions =
        match (dom_reg, e_dom_reg) with
        | Some (dom1, reg1), Some (dom2, reg2) ->
            (merge muc.muc_known dom1 dom2, merge_domains muc.muc_known reg1 reg2)
        | None, Some (dom, reg) -> (dom, reg)
        | Some (dom, reg), None -> (dom, reg)
        | None, None -> assert false
      in

      (dom, e_match scrut brs exn_brs, regions)
  | Ewhile (cond, inv, var, body) ->
      let inv =
        List.map
          (fun i ->
            t_v_map (fun v -> t_var (FreshNames.pv st (restore_pv v) (restore_pv v)).pv_vs) i)
          inv
      in
      let _, cond, regions = analyze muc st regions cond in
      let _, body, body_regions = analyze muc st Mpv.empty body in

      (* Bind all the mutated variables *)
      let old_vals =
        List.map
          (fun k ->
            let k = FreshNames.pv st k k in
            let_var (Ident.id_clone k.pv_vs.vs_name) ~ghost:true (e_pure (t_var k.pv_vs)))
          (Mpv.keys body_regions)
      in
      let lets, vars = List.split old_vals in

      let eqs =
        List.fold_right
          (fun (k, v) acc -> generate_equality muc.muc_known (Variable k) v (fun k -> k) @ acc)
          (List.combine vars (Mpv.values body_regions))
          []
      in
      let regions = merge_domains muc.muc_known regions body_regions in

      let body =
        List.fold_left
          (fun body eq ->
            let ld, _ = let_var (Ident.id_fresh "_") (e_assert Assume eq) in
            e_let ld body)
          body eqs
      in
      let loop = e_while cond inv var body in
      let loop =
        List.fold_left
          (fun loop eq ->
            let ld, _ = let_var (Ident.id_fresh "_") loop in
            e_let ld (e_assert Assume eq))
          loop eqs
      in
      let loop = List.fold_left (fun loop ld -> e_let ld loop) loop lets in

      (Bot, loop, regions)
  | Efor (ix, (l, dir, u), iix, invs, body) ->
      let invs =
        List.map
          (fun i ->
            t_v_map (fun v -> t_var (FreshNames.pv st (restore_pv v) (restore_pv v)).pv_vs) i)
          invs
      in
      let _, body, body_regions = analyze muc st Mpv.empty body in

      (* Bind all the mutated variables *)
      let old_vals =
        List.map
          (fun k ->
            let k = FreshNames.pv st k k in
            let_var (Ident.id_clone k.pv_vs.vs_name) ~ghost:true (e_pure (t_var k.pv_vs)))
          (Mpv.keys body_regions)
      in
      let lets, vars = List.split old_vals in

      let eqs =
        List.fold_right
          (fun (k, v) acc -> generate_equality muc.muc_known (Variable k) v (fun k -> k) @ acc)
          (List.combine vars (Mpv.values body_regions))
          []
      in
      let regions = merge_domains muc.muc_known regions body_regions in

      let body =
        List.fold_left
          (fun body eq ->
            let ld, _ = let_var (Ident.id_fresh "_") (e_assert Assume eq) in
            e_let ld body)
          body eqs
      in

      let loop =
        e_for ix (e_var (FreshNames.pv st l l)) dir (e_var (FreshNames.pv st u u)) iix invs body
      in

      let loop =
        List.fold_left
          (fun loop eq ->
            let ld, _ = let_var (Ident.id_fresh "_") loop in
            e_let ld (e_assert Assume eq))
          loop eqs
      in
      let loop = List.fold_left (fun loop ld -> e_let ld loop) loop lets in

      (Bot, loop, regions)
  | Eraise (x, inner) ->
      let _, e', regions = analyze muc st regions inner in
      (Bot, e_raise x e' e.e_ity, regions)
  | Eexn (x, expr) ->
      (* generate equations here as well *)
      let dom, expr, regions = analyze muc st Mpv.empty expr in
      let exn = e_exn x expr in
      (dom, exn, regions)
  | Eassert (k, t) ->
      let t = t_v_map (fun v -> t_var (FreshNames.pv st (restore_pv v) (restore_pv v)).pv_vs) t in
      (Bot, e_assert k t, regions)
  | Eghost e ->
      let dom, expr, regions = analyze muc st regions e in
      (dom, e_ghostify true expr, regions)
  | Epure t ->
      let t = t_v_map (fun v -> t_var (FreshNames.pv st (restore_pv v) (restore_pv v)).pv_vs) t in
      (Bot, e_pure t, regions)
  | Eabsurd -> (Bot, e, regions)

and analyze_letdefn muc st (regions : domain) (l : let_defn) : FreshNames.t * let_defn * domain =
  match l with
  | LDvar (nm, exp) ->
      let dom, exp, regions = analyze muc st regions exp in
      let letdef, nm' = let_var (Ident.id_clone nm.pv_vs.vs_name) ~ghost:nm.pv_ghost exp in

      (FreshNames.add_pv st nm nm', letdef, Mpv.add nm dom regions)
  | LDsym (r, ce) -> begin
      match ce.c_node with
      | Cfun e ->
          let _, e, _ = analyze muc FreshNames.empty Mpv.empty e in
          let cty = ce.c_cty in
          let f = c_fun cty.cty_args cty.cty_pre cty.cty_post cty.cty_xpost cty.cty_oldies e in
          let def, sym =
            let_sym
              (Ident.id_clone ~attrs:r.rs_name.id_attrs r.rs_name)
              ~ghost:(cty_ghost cty) ~kind:(rs_kind r) f
          in

          (FreshNames.add_rs st r sym, def, regions)
      | _ -> (st, l, regions)
    end
  | LDrec rdl ->
      let defs =
        List.map
          (fun def ->
            let f =
              begin
                match def.rec_fun.c_node with
                | Cfun e ->
                    let _, e, _ = analyze muc st Mpv.empty e in
                    let cty = def.rec_fun.c_cty in
                    c_fun cty.cty_args cty.cty_pre cty.cty_post cty.cty_xpost cty.cty_oldies e
                | _ -> def.rec_fun
              end
            in
            (def.rec_rsym, f, def.rec_varl, rs_kind def.rec_sym))
          rdl
      in
      let def, rdl' = let_rec defs in

      let subst =
        List.fold_left2 (fun sm d d' -> Mrs.add d.rec_sym d'.rec_sym sm) Mrs.empty rdl rdl'
      in

      (FreshNames.merge_rs st subst, def, regions)

and analyze_cexp muc st regions (c : cexp) : domain_elt * cexp =
  match c.c_node with
  | Capp (r, args) ->
      let region =
        match r.rs_field with
        | Some _ -> (
            match args with
            | [ a ] ->
                let var = find regions a (Variable (FreshNames.pv st a a)) in
                mk_proj c.c_cty.cty_result var r
            | _ -> failwith "projection applied to more than one arg")
        | None ->
            (* check if r is a record constructor *)
            if Strings.has_suffix "'mk" r.rs_name.id_string then
              Union
                ( c.c_cty.cty_result,
                  List.map (fun x -> find regions x (Variable (FreshNames.pv st x x))) args )
            else Bot
      in
      let vl = List.map (fun v -> FreshNames.pv st v v) args in
      let al = List.map (fun v -> v.pv_ity) c.c_cty.cty_args in
      let r = FreshNames.rs st r r in
      (region, c_app r vl al c.c_cty.cty_result)
  | Cpur (l, args) ->
      let vl = List.map (fun v -> FreshNames.pv st v v) args in
      let al = List.map (fun v -> v.pv_ity) c.c_cty.cty_args in
      (Bot, c_pur l vl al c.c_cty.cty_result)
  | Cfun expr ->
      let _, e, _ = analyze muc st regions expr in
      let cty = c.c_cty in
      (Bot, c_fun cty.cty_args cty.cty_pre cty.cty_post cty.cty_xpost cty.cty_oldies e)
  | Cany -> (Bot, c)

and analyze_br muc st regions (b : reg_branch) =
  let pat, e = b in
  let dom, e, reg = analyze muc st regions e in
  (dom, (pat, e), reg)

and analyze_e_br muc st regions (b : exn_branch) =
  let pat, e = b in
  let dom, e, reg = analyze muc st regions e in
  (dom, (pat, e), reg)

let transform_letdefn muc l =
  let _, def, _ = analyze_letdefn muc FreshNames.empty Mpv.empty l in
  def
why3-1.6.0/plugins/cfg/subregion_analysis.mli000066400000000000000000000014361440160026300212330ustar00rootroot00000000000000(********************************************************************)
(*                                                                  *)
(*  The Why3 Verification Platform   /   The Why3 Development Team  *)
(*  Copyright 2010-2023 --  Inria - CNRS - Paris-Saclay University  *)
(*                                                                  *)
(*  This software is distributed under the terms of the GNU Lesser  *)
(*  General Public License version 2.1, with the special exception  *)
(*  on linking described in file LICENSE.                           *)
(*                                                                  *)
(********************************************************************)

open Why3

val transform_letdefn: Pmodule.pmodule_uc -> Expr.let_defn -> Expr.let_defn
why3-1.6.0/plugins/microc/000077500000000000000000000000001440160026300153415ustar00rootroot00000000000000why3-1.6.0/plugins/microc/README000066400000000000000000000013231440160026300162200ustar00rootroot00000000000000A plugin to verify programs written in a (microscopic) fragment of C.
Designed for teaching purposes.

See tests/microc/*.c for examples.

Differences/limitations wrt C:
- types are limited to integers and arrays of integers
- integers of type 'int' only, and assumed to be of arbitrary precision
- arrays can be stack allocated or passed as arguments, but cannot be returned
- scanf is limited to scanf("%d", &x)
- a call to printf is ignored (but arguments are evaluated first)
- rand() returns a nonnegative integer, but with no upper limit (no RAND_MAX);
  not an issue when used in expressions such as a+rand()%(b-a+1)
- assignments expressions do not have a value (so one cannot write x=y=0)

Todo:
- lemma function?
why3-1.6.0/plugins/microc/mc_ast.mli000066400000000000000000000041151440160026300173130ustar00rootroot00000000000000(********************************************************************)
(*                                                                  *)
(*  The Why3 Verification Platform   /   The Why3 Development Team  *)
(*  Copyright 2010-2023 --  Inria - CNRS - Paris-Saclay University  *)
(*                                                                  *)
(*  This software is distributed under the terms of the GNU Lesser  *)
(*  General Public License version 2.1, with the special exception  *)
(*  on linking described in file LICENSE.                           *)
(*                                                                  *)
(********************************************************************)

open Why3

type ident = Ptree.ident

type unop =
  | Uneg (* -e *)
  | Unot (* !e *)

type binop =
  | Badd | Bsub | Bmul | Bdiv | Bmod    (* + - * / % *)
  | Beq | Bneq | Blt | Ble | Bgt | Bge  (* == != < <= > >= *)
  | Band | Bor                          (* && || *)

type ty =
  | Tvoid
  | Tint
  | Tarray

type loop_annotation =
  Ptree.invariant * Ptree.variant

type expr = {
  expr_desc: expr_desc;
  expr_loc : Loc.position;
}

and expr_desc =
  | Eunit
  | Eint of string
  | Estring of string
  | Eaddr of ident
  | Eident of ident
  | Ebinop of binop * expr * expr
  | Eunop of unop * expr
  | Ecall of ident * expr list
  | Eget of expr * expr  (* e1[e2] *)

and stmt = {
  stmt_desc: stmt_desc;
  stmt_loc : Loc.position;
}

and stmt_desc =
  | Sskip
  | Sif of expr * stmt * stmt
  | Sreturn of expr
  | Svar of ty * ident * expr
  | Sassign of ident * expr
  | Swhile of expr * loop_annotation * stmt
  (* | Sfor of stmt * expr * stmt * loop_annotation * block *)
  | Seval of expr
  | Sset of expr * expr * expr (* e1[e2] = e3 *)
  | Sassert of Expr.assertion_kind * Ptree.term
  | Sbreak
  | Slabel of ident
  | Sblock of stmt list

type param =
  ty * ident

type decl =
  | Dinclude of ident
  | Dfun     of ty * ident * param list * Ptree.spec * stmt
  | Dlogic   of ty option * ident * param list * Ptree.term option
  | Dprop    of Decl.prop_kind * ident * Ptree.term

type file = decl list
why3-1.6.0/plugins/microc/mc_lexer.mli000066400000000000000000000016431440160026300176460ustar00rootroot00000000000000(********************************************************************)
(*                                                                  *)
(*  The Why3 Verification Platform   /   The Why3 Development Team  *)
(*  Copyright 2010-2023 --  Inria - CNRS - Paris-Saclay University  *)
(*                                                                  *)
(*  This software is distributed under the terms of the GNU Lesser  *)
(*  General Public License version 2.1, with the special exception  *)
(*  on linking described in file LICENSE.                           *)
(*                                                                  *)
(********************************************************************)

val parse : string -> in_channel -> Mc_ast.file
val parse_term : Lexing.lexbuf -> Why3.Ptree.term
val parse_term_list : Lexing.lexbuf -> Why3.Ptree.term list
val parse_list_ident : Lexing.lexbuf -> Why3.Ptree.ident list
why3-1.6.0/plugins/microc/mc_lexer.mll000066400000000000000000000121551440160026300176510ustar00rootroot00000000000000(********************************************************************)
(*                                                                  *)
(*  The Why3 Verification Platform   /   The Why3 Development Team  *)
(*  Copyright 2010-2023 --  Inria - CNRS - Paris-Saclay University  *)
(*                                                                  *)
(*  This software is distributed under the terms of the GNU Lesser  *)
(*  General Public License version 2.1, with the special exception  *)
(*  on linking described in file LICENSE.                           *)
(*                                                                  *)
(********************************************************************)

{
  open Lexing
  open Mc_ast
  open Mc_parser

  exception Lexing_error of string

  let () = Why3.Exn_printer.register (fun fmt exn -> match exn with
  | Lexing_error s -> Format.fprintf fmt "syntax error: %s" s
  | _ -> raise exn)

  type state = Code | OneLineSpec | MultiLineSpec
  let state = ref Code

  let id_or_kwd =
    let h1 = Hashtbl.create 32 in
    List.iter (fun (s, tok) -> Hashtbl.add h1 s tok)
      ["if", IF; "else", ELSE;
       "return", RETURN; "while", WHILE;
       "for", FOR; "break", BREAK;
       "void", VOID; "int", INT; "scanf", SCANF;
      ];
    let h2 = Hashtbl.create 32 in
    List.iter (fun (s, tok) -> Hashtbl.add h2 s tok)
      ["true", TRUE; "false", FALSE;
       "forall", FORALL; "exists", EXISTS; "then", THEN; "let", LET; "in", LET;
       "at", AT; "old", OLD;
       "invariant", INVARIANT; "variant", VARIANT;
       "assert", ASSERT; "assume", ASSUME; "check", CHECK;
       "lemma", LEMMA; "axiom", AXIOM; "goal", GOAL;
       "requires", REQUIRES; "ensures", ENSURES;
       "label", LABEL; "function", FUNCTION; "predicate", PREDICATE;
      ];
    fun s ->
      try Hashtbl.find h1 s with Not_found ->
      if !state = Code then IDENT s else
      try Hashtbl.find h2 s with Not_found -> IDENT s

  let string_buffer = Buffer.create 1024

}

let letter = ['a'-'z' 'A'-'Z']
let digit = ['0'-'9']
let ident = letter (letter | digit | '_')*
let integer = ['0'-'9']+
let space = ' ' | '\t'
let comment = "//" [^'@''\n'] [^'\n']*

rule next_token = parse
  | '\n'    { new_line lexbuf;
              if !state = OneLineSpec then state := Code;
              next_token lexbuf }
  | space+  { next_token lexbuf }
  | "//\n"  { new_line lexbuf; next_token lexbuf }
  | comment { next_token lexbuf }
  | '#' space* "include" space* '<' ([^ '>' '\n']* as file) '>' space* '\n'
            { new_line lexbuf; INCLUDE file }
  | "/*"    { comment lexbuf }
  | "*/"    { if !state <> MultiLineSpec
              then raise (Lexing_error "no comment to be closed");
              state := Code;
              next_token lexbuf }
  | "//@"   { state := OneLineSpec; next_token lexbuf }
  | "/*@"   { state := MultiLineSpec; next_token lexbuf }
  | "@"     { if !state <> MultiLineSpec
              then raise (Lexing_error "illegal character '@'");
              next_token lexbuf }
  | ident as id
            { id_or_kwd id }
  | '+'     { PLUS }
  | '-'     { MINUS }
  | '*'     { TIMES }
  | "/"     { DIV }
  | '%'     { MOD }
  | '='     { EQUAL }
  | "+="    { PLUSEQUAL }
  | "-="    { MINUSEQUAL }
  | "*="    { TIMESEQUAL }
  | "/="    { DIVEQUAL }
  | "=="    { CMP Beq }
  | "!="    { CMP Bneq }
  | "<"     { CMP Blt }
  | "<="    { CMP Ble }
  | ">"     { CMP Bgt }
  | ">="    { CMP Bge }
  | '('     { LEFTPAR }
  | ')'     { RIGHTPAR }
  | '['     { LEFTSQ }
  | ']'     { RIGHTSQ }
  | '{'     { LBRC }
  | '}'     { RBRC }
  | ','     { COMMA }
  | ':'     { COLON }
  | ';'     { SEMICOLON }
  | "&&"    { AND }
  | "||"    { OR }
  | "!"     { NOT }
  | "++"    { PLUSPLUS }
  | "--"    { MINUSMINUS }
  | '&'     { AMPERSAND }
  (* logic symbols *)
  | "->"    { ARROW }
  | "<-"    { LARROW }
  | "<->"   { LRARROW }
  | "."     { DOT }
  | integer as s
            { INTEGER s }
  | '"'     { STRING (string lexbuf) }
  | eof     { EOF }
  | _ as c  { raise (Lexing_error ("illegal character: " ^ String.make 1 c)) }

(* skip a comment, then resume next_token *)
and comment = parse
  | "*/" { next_token lexbuf }
  | '\n' { new_line lexbuf; comment lexbuf }
  | _    { comment lexbuf }
  | eof  { raise (Lexing_error "unterminated comment") }

and string = parse
  | '"'
      { let s = Buffer.contents string_buffer in
	Buffer.reset string_buffer;
	s }
  | "\\n"
      { Buffer.add_char string_buffer '\n';
	string lexbuf }
  | "\\\""
      { Buffer.add_char string_buffer '"';
	string lexbuf }
  | _ as c
      { Buffer.add_char string_buffer c;
	string lexbuf }
  | eof
      { raise (Lexing_error "unterminated string") }

{

  let parse file c =
    let lb = Lexing.from_channel c in
    Why3.Loc.set_file file lb;
    Why3.Loc.with_location (Mc_parser.file next_token) lb

  (* Entries for transformations: similar to lexer.mll *)
  let build_parsing_function entry lb = Why3.Loc.with_location (entry next_token) lb

  let parse_term = build_parsing_function Mc_parser.term_eof

  let parse_term_list = build_parsing_function Mc_parser.term_comma_list_eof

  let parse_list_ident = build_parsing_function Mc_parser.ident_comma_list_eof

}
why3-1.6.0/plugins/microc/mc_main.ml000066400000000000000000000307111440160026300173000ustar00rootroot00000000000000(********************************************************************)
(*                                                                  *)
(*  The Why3 Verification Platform   /   The Why3 Development Team  *)
(*  Copyright 2010-2023 --  Inria - CNRS - Paris-Saclay University  *)
(*                                                                  *)
(*  This software is distributed under the terms of the GNU Lesser  *)
(*  General Public License version 2.1, with the special exception  *)
(*  on linking described in file LICENSE.                           *)
(*                                                                  *)
(********************************************************************)

open Why3
open Pmodule
open Mc_ast
open Ptree
open Wstdlib

let debug = Debug.register_flag "micro-C"
  ~desc:"micro-C plugin debug flag"

let mk_id ~loc name =
  { id_str = name; id_ats = []; id_loc = loc }

let infix  ~loc s = Qident (mk_id ~loc (Ident.op_infix s))
let prefix ~loc s = Qident (mk_id ~loc (Ident.op_prefix s))
let get_op ~loc   = Qident (mk_id ~loc (Ident.op_get ""))
let set_op ~loc   = Qident (mk_id ~loc (Ident.op_set ""))

let mk_expr ~loc d =
  { expr_desc = d; expr_loc = loc }
let mk_pat ~loc d =
  { pat_desc = d; pat_loc = loc }
let mk_unit ~loc =
  mk_expr ~loc (Etuple [])
let mk_var ~loc id =
  mk_expr ~loc (Eident (Qident id))
let mk_ref ~loc e =
  mk_expr ~loc (Eidapp (Qident (mk_id ~loc "ref"), [e]))
let array_set ~loc a i v =
  mk_expr ~loc (Eidapp (set_op ~loc, [a; i; v]))
let constant ~loc i =
  mk_expr ~loc (Econst (Constant.int_const_of_int i))
let constant_s ~loc s =
  let int_lit = Number.(int_literal ILitDec ~neg:false s) in
  mk_expr ~loc (Econst (Constant.ConstInt int_lit))
let break ~loc =
  Qident (mk_id ~loc "Break")
let break_handler ~loc =
  [break ~loc, None, mk_unit ~loc]
let return ~loc =
  Qident (mk_id ~loc "Return")
let return_handler ~loc =
  let x = mk_id ~loc "x" in
  [return ~loc, Some (mk_pat ~loc (Pvar x)), mk_var ~loc x]
let array_id ~loc id = Qdot (Qident (mk_id ~loc "Array"), id)

let set_ref id =
  { id with id_ats = ATstr Pmodule.ref_attr :: id.id_ats }

type env = {
  vars: ident Mstr.t;
}

let empty_env =
  { vars = Mstr.empty }

let add_var env (_, id) =
  { vars = Mstr.add id.id_str id env.vars }

let rec has_stmt p s =
  p s || begin match s.stmt_desc with
    | Sskip | Sbreak  | Sreturn _ | Svar _ | Sassign _ | Slabel _
    | Seval _ | Sset _ | Sassert _ -> false
    | Sif (_, s1, s2) -> has_stmt p s1 || has_stmt p s2
    | Swhile (_, _, s) -> has_stmt p s
    | Sblock sl -> has_stmtl p sl end
and has_stmtl p bl = List.exists (has_stmt p) bl

let has_break = has_stmt (fun s -> s.stmt_desc = Sbreak)
let has_return = has_stmt (function { stmt_desc = Sreturn _ } -> true | _ -> false)

let rec expr_has_call id e = match e.Mc_ast.expr_desc with
  | Eunit | Eint _ | Estring _ | Eaddr _ | Mc_ast.Eident _ -> false
  | Eget (e1, e2) | Ebinop (_, e1, e2) ->
    expr_has_call id e1 || expr_has_call id e2
  | Eunop (_, e1) -> expr_has_call id e1
  | Ecall (f, el) -> id.id_str = f.id_str || List.exists (expr_has_call id) el

let rec stmt_has_call id s = match s.stmt_desc with
  | Sskip | Sbreak | Slabel _ | Sassert _ -> false
  | Sreturn e | Svar (_, _, e) | Sassign (_, e) | Seval e -> expr_has_call id e
  | Sset (e1, e2, e3) ->
    expr_has_call id e1 || expr_has_call id e2 || expr_has_call id e3
  | Sif (e, s1, s2) -> expr_has_call id e || stmt_has_call id s1 || stmt_has_call id s2
  | Swhile (e, _, s) -> expr_has_call id e || stmt_has_call id s
  | Sblock bl -> block_has_call id bl
and block_has_call id = has_stmtl (stmt_has_call id)

let rec expr env ({Mc_ast.expr_loc = loc; Mc_ast.expr_desc = d } as e) =
  match d with
  | Mc_ast.Eunit ->
    mk_unit ~loc
  | Mc_ast.Eint s ->
    constant_s ~loc s
  | Mc_ast.Estring _s ->
    mk_unit ~loc (*FIXME*)
  | Mc_ast.Eaddr id | Mc_ast.Eident id
    when not (Mstr.mem id.id_str env.vars) ->
     Loc.errorm ~loc "unbound variable %s" id.id_str
  | Mc_ast.Eaddr id ->
     mk_expr ~loc (Eident (Qident id))
  | Mc_ast.Eident id ->
    if not (Mstr.mem id.id_str env.vars) then
      Loc.errorm ~loc "unbound variable %s" id.id_str;
    mk_expr ~loc (Eident (Qident id))
  | Mc_ast.Ebinop (Mc_ast.Badd | Mc_ast.Bsub | Mc_ast.Bmul |
                   Mc_ast.Bdiv | Mc_ast.Bmod as op, e1, e2) ->
    let e1 = expr env e1 in
    let e2 = expr env e2 in
    mk_expr ~loc (match op with
      | Mc_ast.Badd -> Eidapp (infix ~loc "+", [e1; e2])
      | Mc_ast.Bsub -> Eidapp (infix ~loc "-", [e1; e2])
      | Mc_ast.Bmul -> Eidapp (infix ~loc "*", [e1; e2])
      | Mc_ast.Bdiv -> Eidapp (infix ~loc "/", [e1; e2])
      | Mc_ast.Bmod -> Eidapp (infix ~loc "%", [e1; e2])
      | _ -> assert false)
  | Mc_ast.Ebinop _ | Mc_ast.Eunop (Mc_ast.Unot, _) ->
     mk_expr ~loc (Eif (bool env e, constant ~loc 1, constant ~loc 0))
  | Mc_ast.Eunop (Mc_ast.Uneg, e) ->
    mk_expr ~loc (Eidapp (prefix ~loc "-", [expr env e]))
  | Mc_ast.Ecall ({id_str = "printf"}, el) ->
     let el = match el with
       | {Mc_ast.expr_desc=Estring _} :: el -> el
       | _ :: _ -> Loc.errorm ~loc "first argument of printf must be a string"
       | [] -> Loc.errorm ~loc "two few arguments to function printf" in
    let eval res e =
      mk_expr ~loc
        (Elet (mk_id ~loc "_", false, Expr.RKnone, expr env e, res)) in
    List.fold_left eval (mk_unit ~loc) el
  | Mc_ast.Ecall (id, el) ->
     let el = if el = [] then [mk_unit ~loc] else List.map (expr env) el in
     mk_expr ~loc (Eidapp (Qident id, el))
  | Mc_ast.Eget (e1, e2) ->
    mk_expr ~loc (Eidapp (get_op ~loc, [expr env e1; expr env e2]))

and bool env ({Mc_ast.expr_loc = loc; Mc_ast.expr_desc = d } as e) =
  match d with
  | Mc_ast.Ebinop (Mc_ast.Band | Mc_ast.Bor as op, e1, e2) ->
    let e1 = bool env e1 in
    let e2 = bool env e2 in
    mk_expr ~loc (match op with
      | Mc_ast.Band -> Eand (e1, e2)
      | Mc_ast.Bor  -> Eor  (e1, e2)
      | _ -> assert false)
  | Mc_ast.Ebinop (Mc_ast.Beq | Mc_ast.Bneq | Mc_ast.Blt |
                   Mc_ast.Ble | Mc_ast.Bgt | Mc_ast.Bge as op, e1, e2) ->
    let e1 = expr env e1 in
    let e2 = expr env e2 in
    mk_expr ~loc (match op with
      | Mc_ast.Beq  -> Eidapp (infix ~loc "=", [e1; e2])
      | Mc_ast.Bneq ->
         Enot (mk_expr ~loc (Eidapp (infix ~loc "=", [e1; e2])))
      | Mc_ast.Blt  -> Eidapp (infix ~loc "<", [e1; e2])
      | Mc_ast.Ble  -> Eidapp (infix ~loc "<=", [e1; e2])
      | Mc_ast.Bgt  -> Eidapp (infix ~loc ">", [e1; e2])
      | Mc_ast.Bge  -> Eidapp (infix ~loc ">=", [e1; e2])
      | _ -> assert false)
  | Mc_ast.Eunop (Mc_ast.Unot, e) ->
    mk_expr ~loc (Enot (bool env e))
  | _ ->
     let e = Eidapp (infix ~loc "=", [expr env e; constant ~loc 0]) in
     mk_expr ~loc (Enot (mk_expr ~loc e))

let no_params ~loc = [loc, None, false, Some (PTtuple [])]

let rec stmt env {Mc_ast.stmt_loc = loc; Mc_ast.stmt_desc = d } =
  match d with
  | Mc_ast.Sskip ->
    mk_unit ~loc
  | Mc_ast.Seval e ->
     let dummy = mk_id ~loc "_" in
     mk_expr ~loc (Elet (dummy, false, Expr.RKnone, expr env e, mk_unit ~loc))
  | Mc_ast.Sif (e, s1, s2) ->
    mk_expr ~loc (Eif (bool env e, stmt env s1, stmt env s2))
  | Mc_ast.Sreturn e ->
    mk_expr ~loc (Eraise (return ~loc, Some (expr env e)))
  | Mc_ast.Svar _ ->
     assert false
  | Mc_ast.Sassign (id, _)
    when not (Mstr.mem id.id_str env.vars) ->
     Loc.errorm ~loc "unbound variable %s" id.id_str
  | Mc_ast.Sassign (id, e) ->
    let e = expr env e in
    let x = let loc = id.id_loc in mk_expr ~loc (Eident (Qident id)) in
    mk_expr ~loc (Einfix (x, mk_id ~loc (Ident.op_infix ":="), e))
  | Mc_ast.Sset (e1, e2, e3) ->
    array_set ~loc (expr env e1) (expr env e2) (expr env e3)
  | Mc_ast.Sassert (k, t) ->
    mk_expr ~loc (Eassert (k, t))
  | Mc_ast.Swhile (e, (inv, var), s) ->
    let loop = mk_expr ~loc
      (Ewhile (bool env e, inv, var, stmt env s)) in
    if has_break s then mk_expr ~loc (Ematch (loop, [], break_handler ~loc))
    else loop
  | Mc_ast.Sbreak ->
    mk_expr ~loc (Eraise (break ~loc, None))
  | Mc_ast.Slabel _ ->
    mk_unit ~loc (* ignore lonely marks *)
  | Mc_ast.Sblock bl ->
     block env ~loc bl

and block env ~loc = function
  | [] ->
    mk_unit ~loc
  | { stmt_loc = loc; stmt_desc = Slabel id } :: sl ->
    mk_expr ~loc (Elabel (id, block env ~loc sl))
  | { Mc_ast.stmt_loc = loc; stmt_desc = Mc_ast.Svar (ty, id, e) } :: sl ->
    let e = expr env e in (* check e *before* adding id to environment *)
    let env = add_var env (ty, id) in
    let ee = mk_ref ~loc e in
    mk_expr ~loc (Elet (set_ref id, false, Expr.RKnone, ee, block env ~loc sl))
  | ({ Mc_ast.stmt_loc = loc } as s) :: sl ->
    let s = stmt env s in
    if sl = [] then s else mk_expr ~loc (Esequence (s, block env ~loc sl))

let type_unit loc = PTtyapp (Qident (mk_id ~loc "unit"), [])
let type_int loc = PTtyapp (Qident (mk_id ~loc "int"), [])
let type_array loc ty = PTtyapp (array_id ~loc (mk_id ~loc "array"), [ty])

let type_ loc = function
  | Tvoid -> type_unit loc
  | Tint -> type_int loc
  | Tarray -> type_array loc (type_int loc)

let logic_param (ty, id) =
  id.id_loc, Some id, false, type_ id.id_loc ty

let decl = function
  | Mc_ast.Dinclude _ ->
     ()
  | Mc_ast.Dfun (ty, id, idl, sp, bl) ->
    (* f(x1,...,xn): body ==>
      let f x1 ... xn =
        let x1 = ref x1 in ... let xn = ref xn in
        try body with Return x -> x *)
    let loc = id.id_loc in
    let rty = type_ loc ty in
    let env' = List.fold_left add_var empty_env idl in
    let body = stmt env' bl in
    let body =
      if not (has_return bl) then begin
        if ty <> Tvoid then Loc.errorm ~loc "missing return";
        body end else
      mk_expr ~loc (Ematch (body, [], return_handler ~loc)) in
    let local bl = function
      | Tint, id ->
        let loc = id.id_loc in
        let ref = mk_ref ~loc (mk_var ~loc id) in
        mk_expr ~loc (Elet (set_ref id, false, Expr.RKnone, ref, bl))
      | Tarray, _ -> bl
      | Tvoid, _ -> assert false in
    let body = List.fold_left local body idl in
    let param (ty, id) =
      id.id_loc, Some id, false, Some (type_ id.id_loc ty) in
    let params = if idl = [] then no_params ~loc else List.map param idl in
    let p = mk_pat ~loc Pwild in
    let d = if stmt_has_call id bl then
      Drec ([id, false, Expr.RKnone, params, Some rty,
             p, Ity.MaskVisible, sp, body])
    else
      let e = Efun (params, Some rty, p, Ity.MaskVisible, sp, body) in
      Dlet (id, false, Expr.RKnone, mk_expr ~loc e) in
    Typing.add_decl loc d
  | Mc_ast.Dlogic (ty, id, idl, def) ->
    let d = { ld_loc = id.id_loc;
              ld_ident = id;
              ld_params = List.map logic_param idl;
              ld_type = Opt.map (type_ id.id_loc) ty;
              ld_def = def } in
    Typing.add_decl id.id_loc (Dlogic [d])
  | Mc_ast.Dprop (pk, id, t) ->
     Typing.add_decl id.id_loc (Dprop (pk, id, t))

let translate dl =
  List.iter decl dl

let read_channel env path file c =
  let f : Mc_ast.file = Mc_lexer.parse file c in
  Debug.dprintf debug "%s parsed successfully.@." file;
  let file = Filename.basename file in
  let file = Filename.chop_extension file in
  let name = Strings.capitalize file in
  Debug.dprintf debug "building module %s.@." name;
  Typing.open_file env path;
  let loc = Loc.user_position file 0 0 0 0 in
  Typing.open_module (mk_id ~loc name);
  let use_import (f, m) =
    let m = mk_id ~loc m in
    let qid = Qdot (Qident (mk_id ~loc f), m) in
    let decl = Ptree.Duseimport(loc,false,[(qid,None)]) in
    Typing.add_decl loc decl in
  List.iter use_import
    ["int", "Int"; "ref", "Refint"; "microc", "MicroC"];
  translate f;
  Typing.close_module loc;
  let mm = Typing.close_file () in
  if path = [] && Debug.test_flag debug then begin
    let add_m _ m modm = Ident.Mid.add m.mod_theory.Theory.th_name m modm in
    let print_m _ m = Pmodule.print_module Format.err_formatter m in
    Ident.Mid.iter print_m (Mstr.fold add_m mm Ident.Mid.empty)
  end;
  mm

let () =
  Env.register_format mlw_language "micro-C" ["c"] read_channel
    ~desc:"micro-C format"

(* Add an extension of task printing *)
let () = Itp_server.add_registered_lang "micro-C"
    (fun _ -> Mc_printer.microc_ext_printer)

(* Add transformation arguments parsing *)
let () = Args_wrapper.set_argument_parsing_functions "micro-C"
    ~parse_term:(fun _ lb -> Mc_lexer.parse_term lb)
    ~parse_term_list:(fun _ lb -> Mc_lexer.parse_term_list lb)
    ~parse_list_ident:(fun lb -> Mc_lexer.parse_list_ident lb)
    (* TODO for qualids, add a similar funciton *)
    ~parse_qualid:(fun lb -> Lexer.parse_qualid lb)
    ~parse_list_qualid:(fun lb -> Lexer.parse_list_qualid lb)
why3-1.6.0/plugins/microc/mc_main.mli000066400000000000000000000013071440160026300174500ustar00rootroot00000000000000(********************************************************************)
(*                                                                  *)
(*  The Why3 Verification Platform   /   The Why3 Development Team  *)
(*  Copyright 2010-2023 --  Inria - CNRS - Paris-Saclay University  *)
(*                                                                  *)
(*  This software is distributed under the terms of the GNU Lesser  *)
(*  General Public License version 2.1, with the special exception  *)
(*  on linking described in file LICENSE.                           *)
(*                                                                  *)
(********************************************************************)

why3-1.6.0/plugins/microc/mc_parser.mly000066400000000000000000000331041440160026300200400ustar00rootroot00000000000000(********************************************************************)
(*                                                                  *)
(*  The Why3 Verification Platform   /   The Why3 Development Team  *)
(*  Copyright 2010-2023 --  Inria - CNRS - Paris-Saclay University  *)
(*                                                                  *)
(*  This software is distributed under the terms of the GNU Lesser  *)
(*  General Public License version 2.1, with the special exception  *)
(*  on linking described in file LICENSE.                           *)
(*                                                                  *)
(********************************************************************)

%{
  open Why3
  open Ptree
  open Mc_ast

  exception Unsupported of string

  let () = Exn_printer.register (fun fmt exn -> match exn with
    | Error -> Format.pp_print_string fmt "syntax error"
    | Unsupported s -> Format.fprintf fmt "unsupported feature: %s" s
    | _ -> raise exn)

  let floc s e = Loc.extract (s,e)
  let mk_id id s e = { id_str = id; id_ats = []; id_loc = floc s e }
  let mk_pat  d s e = { pat_desc  = d; pat_loc  = floc s e }
  let mk_term d s e = { term_desc = d; term_loc = floc s e }
  let mk_expr loc d = { expr_desc = d; expr_loc = loc }
  let mk_stmt loc d = { stmt_desc = d; stmt_loc = loc }
  let postop op loc = { id_str = "__post" ^ op; id_ats = []; id_loc = loc }
  let preop op loc = { id_str = "__pre" ^ op; id_ats = []; id_loc = loc }
  let arrpostop op loc = { id_str = "__arrpost" ^ op; id_ats=[]; id_loc = loc }
  let arrpreop op loc = { id_str = "__arrpre" ^ op; id_ats=[]; id_loc = loc }
  let assignop loc op =
    { id_str = Ident.op_infix op; id_ats = []; id_loc = loc }
  let arr_assignop loc op =
    let s = match op with
      | "+=" -> "__array_add"
      | "-=" -> "__array_sub"
      | "*=" -> "__array_mul"
      | "/=" -> "__array_div"
      | s -> raise (Unsupported ("no such operator " ^ s)) in
    { id_str = s; id_ats = []; id_loc = loc }

  let variant_union v1 v2 = match v1, v2 with
    | _, [] -> v1
    | [], _ -> v2
    | _, ({term_loc = loc},_)::_ -> Loc.errorm ~loc
        "multiple `variant' clauses are not allowed"

  let get_op s e = Qident (mk_id (Ident.op_get "") s e)
  let upd_op s e = Qident (mk_id (Ident.op_update "") s e)

  let empty_spec = {
    sp_pre     = [];    sp_post    = [];  sp_xpost  = [];
    sp_reads   = [];    sp_writes  = [];  sp_alias  = [];
    sp_variant = [];
    sp_checkrw = false; sp_diverge = false; sp_partial = false;
  }

  let spec_union s1 s2 = {
    sp_pre     = s1.sp_pre @ s2.sp_pre;
    sp_post    = s1.sp_post @ s2.sp_post;
    sp_xpost   = s1.sp_xpost @ s2.sp_xpost;
    sp_reads   = s1.sp_reads @ s2.sp_reads;
    sp_writes  = s1.sp_writes @ s2.sp_writes;
    sp_alias   = s1.sp_alias @ s2.sp_alias;
    sp_variant = variant_union s1.sp_variant s2.sp_variant;
    sp_checkrw = s1.sp_checkrw || s2.sp_checkrw;
    sp_diverge = s1.sp_diverge || s2.sp_diverge;
    sp_partial = s1.sp_partial || s2.sp_partial;
  }

  let type_int s e = PTtyapp (Qident (mk_id "int" s e), [])
  let type_array s e =
    let array = Qdot (Qident (mk_id "Array" s e), mk_id "array" s e) in
    PTtyapp (array, [type_int s e])

%}

%token  INCLUDE
%token  INTEGER
%token  STRING
%token  CMP
%token  IDENT
%token IF ELSE RETURN WHILE FOR AND OR NOT
%token BREAK
%token EOF
%token LEFTPAR RIGHTPAR LEFTSQ RIGHTSQ COMMA EQUAL SEMICOLON LBRC RBRC
%token PLUS MINUS TIMES DIV MOD
%token VOID INT
%token PLUSPLUS MINUSMINUS PLUSEQUAL MINUSEQUAL TIMESEQUAL DIVEQUAL
%token AMPERSAND SCANF
(* annotations *)
%token LEMMA AXIOM GOAL COLON
%token INVARIANT VARIANT ASSUME ASSERT CHECK REQUIRES ENSURES LABEL
%token FUNCTION PREDICATE TRUE FALSE
%token ARROW LARROW LRARROW FORALL EXISTS DOT THEN LET IN OLD AT

(* precedences *)

%nonassoc IN
%nonassoc no_else
%nonassoc DOT ELSE
%right ARROW LRARROW
%right OR
%right AND
%nonassoc NOT
%right CMP
%left PLUS MINUS
%left TIMES DIV MOD
%nonassoc unary_minus prec_prefix_op

%start file
(* Transformations entries *)
%start  term_eof
%start  term_comma_list_eof
%start  ident_comma_list_eof

%type  file
%type  stmt

%%

file:
| dl=decl* EOF
    { dl }
;

decl:
| include_ { $1 }
| def      { $1 }
| func     { $1 }
| prop     { $1 }

include_:
| f=INCLUDE
  { Dinclude (mk_id f $startpos $endpos) }

func:
| FUNCTION INT id=ident LEFTPAR l=separated_list(COMMA, param) RIGHTPAR
  SEMICOLON
  { Dlogic (Some Tint, id, l, None) }
| FUNCTION INT id=ident LEFTPAR l=separated_list(COMMA, param) RIGHTPAR
  EQUAL t=term SEMICOLON
  { Dlogic (Some Tint, id, l, Some t) }
| PREDICATE id=ident LEFTPAR l=separated_list(COMMA, param) RIGHTPAR
  SEMICOLON
 { Dlogic (None, id, l, None) }
| PREDICATE id=ident LEFTPAR l=separated_list(COMMA, param) RIGHTPAR
  EQUAL t=term SEMICOLON
 { Dlogic (None, id, l, Some t) }

prop:
| LEMMA id=ident COLON t=term SEMICOLON
  { Dprop (Decl.Plemma, id, t) }
| AXIOM id=ident COLON t=term SEMICOLON
  { Dprop (Decl.Paxiom, id, t) }
| GOAL id=ident COLON t=term SEMICOLON
  { Dprop (Decl.Pgoal, id, t) }

def:
| ty=return_type f=ident LEFTPAR x=separated_list(COMMA, param) RIGHTPAR
  sbl=block_with_spec
    { let s, bl = sbl in Dfun (ty, f, x, s, bl) }
;

block_with_spec:
| s=non_empty_spec  bl=block
   { s, bl }
| LBRC s=spec l=list(stmt) RBRC
   { s, mk_stmt (floc $startpos $endpos) (Sblock l) }
;

return_type:
| VOID { Tvoid }
| INT  { Tint }
;

param:
| INT id=ident
   { Tint, id }
| INT id=ident LEFTSQ RIGHTSQ
   { Tarray, id }
;

spec:
| (* epsilon *)  { empty_spec }
| non_empty_spec { $1 }
;

non_empty_spec:
| single_spec                { $1 }
| single_spec non_empty_spec { spec_union $1 $2 }
;

single_spec:
| REQUIRES t=term SEMICOLON
    { { empty_spec with sp_pre = [t] } }
| ENSURES e=ensures SEMICOLON
    { { empty_spec with sp_post = [floc $startpos(e) $endpos(e), e] } }
| variant
    { { empty_spec with sp_variant = $1 } }

ensures:
| term
    { let id = mk_id "result" $startpos $endpos in
      [mk_pat (Pvar id) $startpos $endpos, $1] }

expr:
| d = expr_desc
   { mk_expr (floc $startpos $endpos) d }
;

expr_desc:
| c = INTEGER
    { Eint c }
| s = STRING
    { Estring s }
| id = ident
    { Eident id }
| id=ident op=incdec
    { let loc = floc $startpos $endpos in
      Ecall (postop op loc, [mk_expr loc (Eaddr id)]) }
| op=incdec id=ident
    { let loc = floc $startpos $endpos in
      Ecall (preop op loc, [mk_expr loc (Eaddr id)]) }
| id=ident LEFTSQ e2 = expr RIGHTSQ
    { Eget (mk_expr (floc $startpos(id) $endpos(id)) (Eident id), e2) }
| id=ident LEFTSQ e2 = expr RIGHTSQ op=incdec
    { let loc = floc $startpos $endpos in
      let e1 = mk_expr (floc $startpos(id) $endpos(id)) (Eident id) in
      Ecall (arrpostop op loc, [e1; e2]) }
| op=incdec id=ident LEFTSQ e2 = expr RIGHTSQ
    { let loc = floc $startpos $endpos in
      let e1 = mk_expr (floc $startpos(id) $endpos(id)) (Eident id) in
      Ecall (arrpreop op loc, [e1; e2]) }
| MINUS e1 = expr %prec unary_minus
    { Eunop (Uneg, e1) }
| NOT e1 = expr
    { Eunop (Unot, e1) }
| e1 = expr o = binop e2 = expr
    { Ebinop (o, e1, e2) }
| f = ident LEFTPAR e = separated_list(COMMA, expr) RIGHTPAR
    { Ecall (f, e) }
| SCANF LEFTPAR s=STRING COMMA AMPERSAND id=ident RIGHTPAR
    { if s <> "%d" then raise (Unsupported "scanf is limited to \"%d\"");
      let id = mk_expr (floc $startpos $endpos) (Eaddr id) in
      Ecall (mk_id "scanf" $startpos $endpos, [id]) }
| LEFTPAR e = expr RIGHTPAR
   { e.expr_desc }
;

incdec:
| PLUSPLUS   { "inc" }
| MINUSMINUS { "dec" }
;

%inline binop:
| PLUS  { Badd }
| MINUS { Bsub }
| TIMES { Bmul }
| DIV   { Bdiv }
| MOD   { Bmod }
| c=CMP { c    }
| AND   { Band }
| OR    { Bor  }
;

located(X):
| X { mk_stmt (floc $startpos $endpos) $1 }
;

stmt:
| simple_stmt { $1 }
| block       { $1 }
;

block:
| located(block_desc) { $1 }
;

block_desc:
| LBRC l = list(stmt) RBRC { Sblock l }
;

loop_body:
| a=loop_annotation  s=simple_stmt
  { a, s }
| LBRC a=loop_annotation l=list(stmt) RBRC
  { a, mk_stmt (floc $startpos $endpos) (Sblock l) }
| a=non_empty_loop_annotation LBRC l=list(stmt) RBRC
  { a, mk_stmt (floc $startpos $endpos) (Sblock l) }

loop_annotation:
| (* epsilon *)
    { [], [] }
| non_empty_loop_annotation
   { $1 }
;

non_empty_loop_annotation:
| invariant loop_annotation
    { let (i, v) = $2 in ($1::i, v) }
| variant loop_annotation
    { let (i, v) = $2 in (i, variant_union $1 v) }

invariant:
| INVARIANT i=term SEMICOLON { i }

variant:
| VARIANT l=comma_list1(term) SEMICOLON { List.map (fun t -> t, None) l }

simple_stmt: located(simple_stmt_desc) { $1 };

simple_stmt_desc:
| SEMICOLON
    { Sskip }
| RETURN e = expr SEMICOLON
    { Sreturn e }
| INT id=ident SEMICOLON
    { let any_int = mk_id "any_int" $startpos $endpos in
      let loc = floc $startpos $endpos in
      let e = mk_expr loc (Ecall (any_int, [mk_expr loc Eunit])) in
      Svar (Tint, id, e) }
| INT id=ident LEFTSQ e=expr RIGHTSQ SEMICOLON
    { let alloc_array = mk_id "alloc_array" $startpos $endpos in
      let loc = floc $startpos $endpos in
      let e = mk_expr loc (Ecall (alloc_array, [e])) in
      Svar (Tarray, id, e) }
| k=assertion_kind t = term SEMICOLON
    { Sassert (k, t) }
| BREAK SEMICOLON
    { Sbreak }
| LABEL id=ident SEMICOLON
    { Slabel id }
| IF LEFTPAR c = expr RIGHTPAR s1 = stmt %prec no_else
    { Sif (c, s1, mk_stmt (floc $startpos $endpos) Sskip) }
| IF LEFTPAR c = expr RIGHTPAR s1 = stmt ELSE s2=stmt
    { Sif (c, s1, s2) }
| WHILE LEFTPAR e=expr RIGHTPAR b=loop_body
    { let iv, l = b in Swhile (e, iv, l) }
| FOR LEFTPAR e1=expr_stmt SEMICOLON e=expr SEMICOLON e2=expr_stmt
  RIGHTPAR b=loop_body
   { let loc = floc $startpos $endpos in
     let iv, l = b in
     Sblock [e1;
             mk_stmt loc (Swhile (e, iv, mk_stmt loc (Sblock [l; e2])))]
   }
| s=expr_stmt_desc SEMICOLON
   { s }
;

expr_stmt: located(expr_stmt_desc) { $1 };

expr_stmt_desc:
| INT id=ident EQUAL e = expr
    { Svar (Tint, id, e) }
| id = ident EQUAL e = expr
    { Sassign (id, e) }
| id = ident op=assignop e = expr
    { let loc = floc $startpos $endpos in
      let id = mk_expr loc (Eaddr id) in
      Seval (mk_expr loc (Ecall (assignop loc op, [id; e]))) }
| id=ident LEFTSQ e2 = expr RIGHTSQ EQUAL e3 = expr
    { let e1 = mk_expr (floc $startpos(id) $endpos(id)) (Eident id) in
      Sset (e1, e2, e3) }
| id=ident LEFTSQ e2 = expr RIGHTSQ op=assignop e3 = expr
    { let loc = floc $startpos $endpos in
      let e1 = mk_expr (floc $startpos(id) $endpos(id)) (Eident id) in
      Seval (mk_expr loc (Ecall (arr_assignop loc op, [e1; e2; e3]))) }
| e = expr
    { Seval e }
;

assignop:
| PLUSEQUAL  { "+=" }
| MINUSEQUAL { "-=" }
| TIMESEQUAL { "*=" }
| DIVEQUAL   { "/=" }
;

assertion_kind:
| ASSERT  { Expr.Assert }
| ASSUME  { Expr.Assume }
| CHECK   { Expr.Check }

ident:
  id = IDENT { mk_id id $startpos $endpos }
;

/* logic */

mk_term(X): d = X { mk_term d $startpos $endpos }

term: t = mk_term(term_) { t }

term_:
| term_arg_
    { match $1 with (* break the infix relation chain *)
      | Tinfix (l,o,r) -> Tinnfix (l,o,r)
      | Tbinop (l,o,r) -> Tbinnop (l,o,r)
      | d -> d }
| NOT term
    { Tnot $2 }
| OLD LEFTPAR t=term RIGHTPAR
    { Tat (t, mk_id Dexpr.old_label $startpos($1) $endpos($1)) }
| AT LEFTPAR t=term COMMA l=ident RIGHTPAR
    { Tat (t, l) }
| o = prefix_op ; t = term %prec prec_prefix_op
    { Tidapp (Qident o, [t]) }
| l = term ; o = bin_op ; r = term
    { Tbinop (l, o, r) }
| l = term ; o = infix_op_1 ; r = term
    { Tinfix (l, o, r) }
| l = term ; o = infix_op_234 ; r = term
    { Tidapp (Qident o, [l; r]) }
| IF term THEN term ELSE term
    { Tif ($2, $4, $6) }
| LET id=ident EQUAL t1=term IN t2=term
    { Tlet (id, t1, t2) }
| q=quant l=comma_list1(binder) DOT t=term
    { let var (id, ty) = id.id_loc, Some id, false, Some ty in
      Tquant (q, List.map var l, [], t) }
| id=ident LEFTPAR l=separated_list(COMMA, term) RIGHTPAR
    { Tidapp (Qident id, l) }

quant:
| FORALL  { Dterm.DTforall }
| EXISTS  { Dterm.DTexists }

binder:
| id=ident                { id, type_int   $startpos $endpos }
| id=ident LEFTSQ RIGHTSQ { id, type_array $startpos $endpos }

term_arg: mk_term(term_arg_) { $1 }

term_arg_:
| ident       { Tident (Qident $1) }
| INTEGER     { Tconst (Constant.ConstInt Number.(int_literal ILitDec ~neg:false $1)) }
| TRUE        { Ttrue }
| FALSE       { Tfalse }
| term_sub_                 { $1 }

term_sub_:
| LEFTPAR term RIGHTPAR                             { $2.term_desc }
| term_arg LEFTSQ term RIGHTSQ
    { Tidapp (get_op $startpos($2) $endpos($2), [$1;$3]) }
| term_arg LEFTSQ term LARROW term RIGHTSQ
    { Tidapp (upd_op $startpos($2) $endpos($2), [$1;$3;$5]) }

%inline bin_op:
| ARROW   { Dterm.DTimplies }
| LRARROW { Dterm.DTiff }
| OR      { Dterm.DTor }
| AND     { Dterm.DTand }

%inline infix_op_1:
| c=CMP  { let op = match c with
          | Beq  -> "="
          | Bneq -> "<>"
          | Blt  -> "<"
          | Ble  -> "<="
          | Bgt  -> ">"
          | Bge  -> ">="
          | Badd|Bsub|Bmul|Bdiv|Bmod|Band|Bor -> assert false in
           mk_id (Ident.op_infix op) $startpos $endpos }

%inline prefix_op:
| MINUS { mk_id (Ident.op_prefix "-")  $startpos $endpos }

%inline infix_op_234:
| DIV    { mk_id "div" $startpos $endpos }
| MOD    { mk_id "mod" $startpos $endpos }
| PLUS   { mk_id (Ident.op_infix "+") $startpos $endpos }
| MINUS  { mk_id (Ident.op_infix "-") $startpos $endpos }
| TIMES  { mk_id (Ident.op_infix "*") $startpos $endpos }

comma_list1(X):
| separated_nonempty_list(COMMA, X) { $1 }

(* parsing of a single term *)
term_eof:
| term EOF { $1 }

ident_comma_list_eof:
| comma_list1(ident) EOF { $1 }

term_comma_list_eof:
| comma_list1(term) EOF { $1 }
why3-1.6.0/plugins/microc/mc_printer.ml000066400000000000000000000042431440160026300200400ustar00rootroot00000000000000(********************************************************************)
(*                                                                  *)
(*  The Why3 Verification Platform   /   The Why3 Development Team  *)
(*  Copyright 2010-2023 --  Inria - CNRS - Paris-Saclay University  *)
(*                                                                  *)
(*  This software is distributed under the terms of the GNU Lesser  *)
(*  General Public License version 2.1, with the special exception  *)
(*  on linking described in file LICENSE.                           *)
(*                                                                  *)
(********************************************************************)

open Why3
open Pretty
open Format
open Term

(* microc print_binop *)
let print_binop fmt = function
  | Tand           -> pp_print_string fmt "&&"
  | Tor            -> pp_print_string fmt "||"
  | Timplies       -> pp_print_string fmt "->"
  | Tiff           -> pp_print_string fmt "<->"

let rec microc_ext_printer print_any fmt a =
  match a with
  | Pp_term (t, pri) ->
      begin match t.t_node with
        | Tapp (ls, [t1; t2]) when ls_equal ls ps_equ ->
            (* == *)
            fprintf fmt (protect_on (pri > 0) "@[%a == %a@]")
              (microc_ext_printer print_any) (Pp_term (t1, 0))
              (microc_ext_printer print_any) (Pp_term (t2, 0))
        | Tnot {t_node = Tapp (ls, [t1; t2]) } when ls_equal ls ps_equ ->
            (* != *)
            fprintf fmt (protect_on (pri > 0) "@[%a != %a@]")
              (microc_ext_printer print_any) (Pp_term (t1, 0))
              (microc_ext_printer print_any) (Pp_term (t2, 0))
        | Tnot t1 ->
            (* ! *)
            fprintf fmt (protect_on (pri > 0) "@[! %a@]")
              (microc_ext_printer print_any) (Pp_term (t1, 1))
        | Tbinop (b, f1, f2) ->
            (* &&, || *)
            let p = prio_binop b in
            fprintf fmt (protect_on (pri > p) "@[%a %a@ %a@]")
              (microc_ext_printer print_any) (Pp_term (f1, (p + 1)))
              print_binop b
              (microc_ext_printer print_any) (Pp_term (f2, p))
        | _ -> print_any fmt a
      end
  | _ -> print_any fmt a
why3-1.6.0/plugins/microc/mc_printer.mli000066400000000000000000000016201440160026300202050ustar00rootroot00000000000000(********************************************************************)
(*                                                                  *)
(*  The Why3 Verification Platform   /   The Why3 Development Team  *)
(*  Copyright 2010-2023 --  Inria - CNRS - Paris-Saclay University  *)
(*                                                                  *)
(*  This software is distributed under the terms of the GNU Lesser  *)
(*  General Public License version 2.1, with the special exception  *)
(*  on linking described in file LICENSE.                           *)
(*                                                                  *)
(********************************************************************)

open Why3

(* This function is used as an extension of printing of task for microc *)
val microc_ext_printer: (Format.formatter -> Pretty.any_pp -> unit) ->
  Format.formatter -> Pretty.any_pp -> unit
why3-1.6.0/plugins/microc/test.c000066400000000000000000000011321440160026300164610ustar00rootroot00000000000000
#include 
#include 

//@ function int x();
//@ assume x() < 2;

int foo(int a[]) {
  //@ requires length(a) >= 1; ensures  a[0] == old(a[0]);
  a[0] /= 1;
}

int main()
{
  int x = 42;
  //@ label L;
  //@ assert x == 42;
  x = x+1;
  //@ assert at(x, L) == 42;
  while (x > 0) {
    //@ invariant x >= 0;
    //@ variant x;
    x--;
  }
  //@ assert x == 0;
  int a[10];
  a[0] = 41;
  //@ label ICI;
  foo(a);
  //@ assert a[0] == 42;
  //@ assert at(a[0], ICI) == 41;
}



/* Local Variables: */
/* compile-command: "make -C ../.. && why3 prove -P alt-ergo test.c" */
/* End: */
why3-1.6.0/plugins/parser/000077500000000000000000000000001440160026300153615ustar00rootroot00000000000000why3-1.6.0/plugins/parser/dimacs.mli000066400000000000000000000013071440160026300173250ustar00rootroot00000000000000(********************************************************************)
(*                                                                  *)
(*  The Why3 Verification Platform   /   The Why3 Development Team  *)
(*  Copyright 2010-2023 --  Inria - CNRS - Paris-Saclay University  *)
(*                                                                  *)
(*  This software is distributed under the terms of the GNU Lesser  *)
(*  General Public License version 2.1, with the special exception  *)
(*  on linking described in file LICENSE.                           *)
(*                                                                  *)
(********************************************************************)

why3-1.6.0/plugins/parser/dimacs.mll000066400000000000000000000113031440160026300173250ustar00rootroot00000000000000(**************************************************************************)
(*                                                                        *)
(*  This file is part of Frama-C.                                         *)
(*                                                                        *)
(*  Copyright (C) 2013                                                    *)
(*    CEA (Commissariat à l'énergie atomique et aux énergies              *)
(*         alternatives)                                                  *)
(*                                                                        *)
(*  you can redistribute it and/or modify it under the terms of the GNU   *)
(*  Lesser General Public License as published by the Free Software       *)
(*  Foundation, version 2.1.                                              *)
(*                                                                        *)
(*  It is distributed in the hope that it will be useful,                 *)
(*  but WITHOUT ANY WARRANTY; without even the implied warranty of        *)
(*  MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the         *)
(*  GNU Lesser General Public License for more details.                   *)
(*                                                                        *)
(*  See the GNU Lesser General Public License version 2.1                 *)
(*  for more details (enclosed in the file licenses/LGPLv2.1).            *)
(*                                                                        *)
(**************************************************************************)


{
open Why3
open Wstdlib

let get_indice i =
  if i > 0 then (i-1)*2
  else if i < 0 then (-i-1)*2+1
  else assert false

let init_vars th_uc nb_var =
  let a = Array.make (nb_var*2) Term.t_true in
  let th = ref th_uc in
  for i = nb_var downto -nb_var do
    if i <> 0 then
      if i > 0 then
        let id = Ident.id_fresh (Printf.sprintf "x%i" i) in
        let ls = Term.create_psymbol id [] in
        th := Theory.add_param_decl !th ls;
        a.(get_indice i) <- (Term.ps_app ls [])
      else if i < 0 then
        a.(get_indice i) <- Term.t_not a.(get_indice (-i))
  done;
  !th,a


let get_lit vars i =
  let i = int_of_string i in
  vars.(get_indice i)

exception SyntaxError of string

let syntax_error s = raise (SyntaxError s)

let () = Exn_printer.register (fun fmt e -> match e with
  | SyntaxError s -> Format.pp_print_string fmt s
  | _ -> raise e)

}

let newline = '\n'
let space = [' ' '\t' '\r']+
let digit = ['0'-'9']
let sign = '-' | '+'
let integer = sign? digit+

rule find_header = parse
| newline  { Lexing.new_line lexbuf; find_header lexbuf }
| space    { find_header lexbuf }
| 'p'
    space+ "cnf"
    space+ (digit+ as nb_var)
    space+ (digit+ as nb_cls) { int_of_string nb_var,
                                int_of_string nb_cls }
| 'c' [^'\n']* '\n'  { Lexing.new_line lexbuf; find_header lexbuf }
| _
      { syntax_error "Can't find header" }

and clause vars acc = parse
| newline  { Lexing.new_line lexbuf; clause vars acc lexbuf }
| space { clause vars acc lexbuf }
| '0'  { List.rev acc }
| integer as i { clause vars ((get_lit vars i)::acc) lexbuf }
| _ { syntax_error "Bad clause" }

and file th_uc vars n = parse
| newline  { Lexing.new_line lexbuf; file th_uc vars n lexbuf }
| space { file th_uc vars n lexbuf }
| '0'  { file th_uc vars n lexbuf }
| integer as i { let l = clause vars [get_lit vars i] lexbuf in
                 let t = List.fold_left (fun acc t ->
                   Term.t_or acc t
                 ) Term.t_false l in
                 let pr = Decl.create_prsymbol
                   (Ident.id_fresh ("Cl"^(string_of_int n))) in
                 let th_uc = Theory.add_prop_decl th_uc Decl.Paxiom pr t in
                 file th_uc vars (n+1) lexbuf
               }
| 'c' [^'\n']* ('\n' | eof)  { Lexing.new_line lexbuf;
                               file th_uc vars n lexbuf }
| eof { th_uc }
| _ { syntax_error "Bad clauses" }

{

let parse th_uc filename cin =
  let lb = Lexing.from_channel cin in
  Loc.set_file filename lb;
  Loc.with_location (fun lexbuf ->
    let nb_vars, _ = find_header lexbuf in
    let th_uc, vars = init_vars th_uc nb_vars in
    file th_uc vars 0 lexbuf) lb

let parse _env _path filename cin =
  let th_uc = Theory.create_theory (Ident.id_fresh "Cnf") in
  let th_uc = parse th_uc filename cin in
  let pr = Decl.create_prsymbol (Ident.id_fresh "false") in
  let th_uc = Theory.add_prop_decl th_uc Decl.Pgoal pr Term.t_false in
  Mstr.singleton "Cnf" (Theory.close_theory th_uc)

let () = Env.register_format Env.base_language "dimacs" ["cnf"] parse
  ~desc:"@[Parser for dimacs format.@]"
}

(*
Local Variables:
compile-command: "unset LANG; make -C ../.."
End:
*)
why3-1.6.0/plugins/parser/genequlin.ml000066400000000000000000000111041440160026300176770ustar00rootroot00000000000000(********************************************************************)
(*                                                                  *)
(*  The Why3 Verification Platform   /   The Why3 Development Team  *)
(*  Copyright 2010-2023 --  Inria - CNRS - Paris-Saclay University  *)
(*                                                                  *)
(*  This software is distributed under the terms of the GNU Lesser  *)
(*  General Public License version 2.1, with the special exception  *)
(*  on linking described in file LICENSE.                           *)
(*                                                                  *)
(********************************************************************)

(*
*)


open Why3

(**************)
(*

  This plugin generate randomly linear arithmetic problems from a
  source file.Here an exemple :
========
2
5 5 5
15 5 5
5 15 5
5 5 15
========

  The first line give the seed to use. Each other lines corresond to one goal :
    - the first number give the number of variables
    - the second the number of equation
    - the third the absolute maximun of the constants used

  For compiling it :
   make example_plugins.opt
   cp examples/plugins/genequlin.cmxs plugins
   bin/why3config --detect-plugins

  For testing it :
   bin/why3ide examples/plugins/test.equlin

*)

open Theory
open Term
open Wstdlib

open Ident

(** read one line *)
let scanf s =
  let invar = String.index_from s 0 ' ' in
  let im = String.index_from s (invar+1) ' ' in
  int_of_string (String.sub s 0 invar),
  int_of_string (String.sub s (invar+1) (im-(invar+1))),
  int_of_string (String.sub s (im+1) ((String.length s) - (im+1)))


(** the main function *)
let read_channel env path filename cin =
  (* Find the int theory and the needed operation *)
  let th_int = Env.read_theory env ["int"] "Int" in
  let leq = ns_find_ls th_int.th_export [op_infix "<"] in
  let plus_symbol = ns_find_ls th_int.th_export [op_infix "+"] in
  let neg_symbol = ns_find_ls th_int.th_export [op_prefix "-"] in
  let mult_symbol = ns_find_ls th_int.th_export [op_infix "*"] in

  let zero = t_nat_const 0 in
  let t_int_const n =
    if n >= 0 then t_nat_const n else
      t_app_infer neg_symbol [t_nat_const (-n)]
  in

  (* create a contraint : polynome <= constant *)
  let create_lit lvar k lits _ =
    let left = List.fold_left (fun acc e ->
      let const = (Random.int k) - (k/2) in
      let monome = t_app mult_symbol [e;t_int_const const]
        (Some Ty.ty_int) in
      t_app plus_symbol [acc;monome] (Some Ty.ty_int)) zero lvar in
    let rconst = (Random.int k) - (k/2) in
    t_and_simp lits (t_app leq [left;t_int_const rconst] None) in

  (* create a set of constraints *)
  let create_fmla nvar m k =
    let lvar = Util.mapi (fun _ -> create_vsymbol (id_fresh "x") Ty.ty_int)
      1 nvar in
    let lt = List.map t_var lvar in
    let lits = Util.foldi (create_lit lt k) t_true 1 m in
    t_forall_close lvar [] (t_implies_simp lits t_false) in

  (* read the first line *)
  let line = ref 0 in
  begin try
    let seed = input_line cin in
    Random.init (int_of_string seed)
  with _ ->
    Printf.eprintf "error file %s line 1\n" filename;
    exit 1
  end;
  (* Create the theory *)
  let th_uc_loc = Loc.user_position filename 1 0 1 1 in
  let th_uc = create_theory ~path (id_user "EqLin" th_uc_loc) in
  let th_uc = Theory.use_export th_uc th_int in
  (* Read one line and add it to the theory *)
  let fold th_uc s =
    let nvar,m,k =
      try
        incr line;
        (* Dont use scanf because I don't know how to link it in plugin
            (without segfault) *)
        (* Scanf.sscanf s "%i %i %i" (fun nvar m k -> nvar,m,k) *)
        scanf s
    with _ -> Printf.eprintf "Error file %s line %i" filename !line;exit 1 in
    let loc = Loc.user_position filename (!line+1) 0 (!line+1) (String.length s) in
    let goal_id = Decl.create_prsymbol
      (Ident.id_user (Printf.sprintf "goal%i" !line) loc) in
    let fmla = create_fmla nvar m k in
    let th_uc = Theory.add_prop_decl th_uc Decl.Pgoal goal_id fmla in
    th_uc in
  (* Read all the file *)
  let th_uc = Sysutil.fold_channel fold th_uc cin in
  (* Return the map with the theory *)
  Mstr.singleton "EquLin" (close_theory th_uc)

let () = Env.register_format Env.base_language "equlin" ["equlin"] read_channel
  ~desc:"@[Generate@ random@ linear@ arithmetic@ problems.@ \
    The@ first@ line@ gives@ the@ seed.@ Each@ other@ line@ \
    describes@ a@ goal@ and@ contains@ three@ numbers:@]@\n  \
    @[- @[the@ number@ of@ variables@]@\n\
      - @[the@ number@ of@ equations@]@\n\
      - @[the@ maximum@ absolute@ value@ of@ coefficients.@]@]"
why3-1.6.0/plugins/parser/genequlin.mli000066400000000000000000000013071440160026300200540ustar00rootroot00000000000000(********************************************************************)
(*                                                                  *)
(*  The Why3 Verification Platform   /   The Why3 Development Team  *)
(*  Copyright 2010-2023 --  Inria - CNRS - Paris-Saclay University  *)
(*                                                                  *)
(*  This software is distributed under the terms of the GNU Lesser  *)
(*  General Public License version 2.1, with the special exception  *)
(*  on linking described in file LICENSE.                           *)
(*                                                                  *)
(********************************************************************)

why3-1.6.0/plugins/printer/000077500000000000000000000000001440160026300155505ustar00rootroot00000000000000why3-1.6.0/plugins/printer/.keepme000066400000000000000000000000001440160026300170050ustar00rootroot00000000000000why3-1.6.0/plugins/python/000077500000000000000000000000001440160026300154065ustar00rootroot00000000000000why3-1.6.0/plugins/python/README000066400000000000000000000007241440160026300162710ustar00rootroot00000000000000A plugin to verify programs written in a (microscopic) fragment of Python.
Designed for teaching purposes.

See tests/python/*.py for examples.

Limitations wrt Python:
- types are limited to integers and lists of integers
- a list is not resizable (i.e. it is a mere array)
- a function must return an integer or nothing

Todo:
- function/predicate with a definition (currently not supported);
  note: we would need to provide the type (int/array) of the arguments


why3-1.6.0/plugins/python/py_ast.mli000066400000000000000000000046761440160026300174250ustar00rootroot00000000000000(********************************************************************)
(*                                                                  *)
(*  The Why3 Verification Platform   /   The Why3 Development Team  *)
(*  Copyright 2010-2023 --  Inria - CNRS - Paris-Saclay University  *)
(*                                                                  *)
(*  This software is distributed under the terms of the GNU Lesser  *)
(*  General Public License version 2.1, with the special exception  *)
(*  on linking described in file LICENSE.                           *)
(*                                                                  *)
(********************************************************************)

open Why3

type ident = Ptree.ident

type unop =
  | Uneg (* -e *)
  | Unot (* not e *)

type binop =
  | Badd | Bsub | Bmul | Bdiv | Bmod    (* + - * / % *)
  | Beq | Bneq | Blt | Ble | Bgt | Bge  (* == != < <= > >= *)
  | Band | Bor                          (* && || *)

type typ = Ptree.pty

type is_function = bool

type expr = {
  expr_desc: expr_desc;
  expr_loc : Loc.position;
}

and expr_desc =
  | Enone
  | Ebool of bool
  | Eint of string
  | Estring of string
  | Eident of ident
  | Ebinop of binop * expr * expr
  | Econd of expr * expr * expr (* e1 if e2 else e3 *)
  | Eunop of unop * expr
  | Ecall of ident * expr list
  | Edot of expr * ident * expr list
  | Elist of expr list   (* [e1, e2, ..., en] *)
  | Etuple of expr list   (* e1, e2, ..., en *)
  | Emake of expr * expr (* [e1] * e2 *)
  | Eget of expr * expr  (* e1[e2] *)

and stmt = {
  stmt_desc: stmt_desc;
  stmt_loc : Loc.position;
}

and stmt_desc =
  | Sblock of block
  | Sif of expr * block * block
  | Sreturn of expr
  | Spass of typ option * Ptree.spec
  | Sassign of expr * expr
  | Swhile of expr * Ptree.invariant * Ptree.variant * block
  | Sfor of ident * expr * Ptree.invariant * block
  | Seval of expr
  | Sset of expr * expr * expr (* e1[e2] = e3 *)
  | Sassert of Expr.assertion_kind * Ptree.term
  | Scall_lemma of ident * Ptree.term list
  | Sbreak
  | Scontinue
  | Slabel of ident

and block = decl list

and decl =
  | Dimport of ident * ident list
  | Ddef of ident * (ident * typ option) list * typ option * Ptree.spec
             * block * is_function
  | Dconst of ident * expr
  | Dstmt of stmt
  | Dlogic of ident * (ident * typ) list * typ option * Ptree.term option
              * Ptree.term option
  | Dprop of Decl.prop_kind * ident * Ptree.term

type file = block
why3-1.6.0/plugins/python/py_lexer.mli000066400000000000000000000016431440160026300177440ustar00rootroot00000000000000(********************************************************************)
(*                                                                  *)
(*  The Why3 Verification Platform   /   The Why3 Development Team  *)
(*  Copyright 2010-2023 --  Inria - CNRS - Paris-Saclay University  *)
(*                                                                  *)
(*  This software is distributed under the terms of the GNU Lesser  *)
(*  General Public License version 2.1, with the special exception  *)
(*  on linking described in file LICENSE.                           *)
(*                                                                  *)
(********************************************************************)

val parse : string -> in_channel -> Py_ast.file
val parse_term : Lexing.lexbuf -> Why3.Ptree.term
val parse_term_list : Lexing.lexbuf -> Why3.Ptree.term list
val parse_list_ident : Lexing.lexbuf -> Why3.Ptree.ident list
why3-1.6.0/plugins/python/py_lexer.mll000066400000000000000000000130601440160026300177430ustar00rootroot00000000000000(********************************************************************)
(*                                                                  *)
(*  The Why3 Verification Platform   /   The Why3 Development Team  *)
(*  Copyright 2010-2023 --  Inria - CNRS - Paris-Saclay University  *)
(*                                                                  *)
(*  This software is distributed under the terms of the GNU Lesser  *)
(*  General Public License version 2.1, with the special exception  *)
(*  on linking described in file LICENSE.                           *)
(*                                                                  *)
(********************************************************************)

{
  open Lexing
  open Py_ast
  open Py_parser

  exception Lexing_error of string

  let () = Why3.Exn_printer.register (fun fmt exn -> match exn with
  | Lexing_error s -> Format.fprintf fmt "syntax error: %s" s
  | _ -> raise exn)

  let id_or_kwd =
    let h = Hashtbl.create 32 in
    List.iter (fun (s, tok) -> Hashtbl.add h s tok)
      ["def", DEF; "if", IF; "else", ELSE; "elif", ELIF;
       "return", RETURN; "while", WHILE; "pass", PASS;
       "for", FOR; "in", IN;
       "and", AND; "or", OR; "not", NOT;
       "True", TRUE; "False", FALSE; "None", NONE;
       "from", FROM; "import", IMPORT; "break", BREAK; "continue", CONTINUE;
       (* annotations *)
       "forall", FORALL; "exists", EXISTS; "then", THEN; "let", LET;
       "old", OLD; "at", AT; "variant", VARIANT; "call", CALL;
       "by", BY; "so", SO;
      ];
   fun s -> try Hashtbl.find h s with Not_found -> IDENT s

  let annotation =
    let h = Hashtbl.create 32 in
    List.iter (fun (s, tok) -> Hashtbl.add h s tok)
      ["invariant", INVARIANT; "variant", VARIANT;
       "assert", ASSERT; "assume", ASSUME; "check", CHECK;
       "requires", REQUIRES; "ensures", ENSURES;
       "axiom", AXIOM; "lemma", LEMMA; "call", CALL; "constant", CONSTANT;
       "label", LABEL; "function", FUNCTION; "predicate", PREDICATE;
      ];
    fun s -> try Hashtbl.find h s with Not_found ->
      raise (Lexing_error ("no such annotation '" ^ s ^ "'"))

  let string_buffer = Buffer.create 1024

  let stack = ref [0]  (* indentation stack *)

  let rec unindent n = match !stack with
    | m :: _ when m = n -> []
    | m :: st when m > n -> stack := st; END :: unindent n
    | _ -> raise (Lexing_error "bad indentation")

  let update_stack n =
    match !stack with
    | m :: _ when m < n ->
      stack := n :: !stack;
      [NEWLINE; BEGIN]
    | _ ->
      NEWLINE :: unindent n

}

let letter = ['a'-'z' 'A'-'Z']
let digit = ['0'-'9']
let ident = (letter | '_')+ (letter | digit | '_')*
let integer = ['0'-'9']+
let space = ' ' | '\t'
let comment = "#" [^'@''\n'] [^'\n']*

rule next_tokens = parse
  | '\n' | "#\n"
            { new_line lexbuf; update_stack (indentation lexbuf) }
  | space+ | comment
            { next_tokens lexbuf }
  | "\\" space* '\n' space* "#@"?
            { next_tokens lexbuf }
  | "#@" space* (ident as id)
            { [annotation id] }
  | "#@"    { raise (Lexing_error "expecting an annotation") }
  | ident as id
            { [id_or_kwd id] }
  | (ident ("'" ident)+) as id
            { [QIDENT id] }
  | "'" (ident as id)
            { [TVAR id] }
  | '+'     { [PLUS] }
  | "+="    { [PLUSEQUAL] }
  | "-="    { [MINUSEQUAL] }
  | "*="    { [TIMESEQUAL] }
  | "//="   { [DIVEQUAL] }
  | "%="    { [MODEQUAL] }
  | '-'     { [MINUS] }
  | '*'     { [TIMES] }
  | "//"    { [DIV] }
  | '%'     { [MOD] }
  | '='     { [EQUAL] }
  | "=="    { [CMP Beq] }
  | "!="    { [CMP Bneq] }
  | "<"     { [CMP Blt] }
  | "<="    { [CMP Ble] }
  | ">"     { [CMP Bgt] }
  | ">="    { [CMP Bge] }
  | '('     { [LEFTPAR] }
  | ')'     { [RIGHTPAR] }
  | '['     { [LEFTSQ] }
  | ']'     { [RIGHTSQ] }
  | '{'     { [LEFTBR] }
  | '}'     { [RIGHTBR] }
  | ','     { [COMMA] }
  | ':'     { [COLON] }
  (* logic symbols *)
  | "->"    { [ARROW] }
  | "<-"    { [LARROW] }
  | "<->"   { [LRARROW] }
  | "."     { [DOT] }
  | integer as s
            { [INTEGER s] }
  | '"'     { [STRING (string lexbuf)] }
  | eof     { NEWLINE :: unindent 0 @ [EOF] }
  | _ as c  { raise (Lexing_error ("illegal character: " ^ String.make 1 c)) }

(* count the indentation, i.e. the number of space characters from bol *)
and indentation = parse
  | (space+ | comment | '#')* '\n'
      (* skip empty lines *)
      { new_line lexbuf; indentation lexbuf }
  | space* as s
      { String.length s }

and string = parse
  | '"'
      { let s = Buffer.contents string_buffer in
	Buffer.reset string_buffer;
	s }
  | "\\n"
      { Buffer.add_char string_buffer '\n';
	string lexbuf }
  | "\\\""
      { Buffer.add_char string_buffer '"';
	string lexbuf }
  | _ as c
      { Buffer.add_char string_buffer c;
	string lexbuf }
  | eof
      { raise (Lexing_error "unterminated string") }

{

  let next_token =
    let tokens = Queue.create () in
    fun lb ->
      if Queue.is_empty tokens then begin
	let l = next_tokens lb in
	List.iter (fun t -> Queue.add t tokens) l
      end;
      Queue.pop tokens

  let parse file c =
    let lb = Lexing.from_channel c in
    Why3.Loc.set_file file lb;
    stack := [0];  (* reinitialise indentation stack *)
    Why3.Loc.with_location (Py_parser.file next_token) lb

  (* Entries for transformations: similar to lexer.mll *)
  let build_parsing_function entry lb = Why3.Loc.with_location (entry next_token) lb

  let parse_term = build_parsing_function Py_parser.term_eof

  let parse_term_list = build_parsing_function Py_parser.term_comma_list_eof

  let parse_list_ident = build_parsing_function Py_parser.ident_comma_list_eof


}
why3-1.6.0/plugins/python/py_main.ml000066400000000000000000000605451440160026300174060ustar00rootroot00000000000000(********************************************************************)
(*                                                                  *)
(*  The Why3 Verification Platform   /   The Why3 Development Team  *)
(*  Copyright 2010-2023 --  Inria - CNRS - Paris-Saclay University  *)
(*                                                                  *)
(*  This software is distributed under the terms of the GNU Lesser  *)
(*  General Public License version 2.1, with the special exception  *)
(*  on linking described in file LICENSE.                           *)
(*                                                                  *)
(********************************************************************)

open Why3
open Pmodule
open Py_ast
open Ptree
open Wstdlib

let debug = Debug.register_flag "python"
  ~desc:"mini-python plugin debug flag"

(* NO! this will be executed at plugin load, thus
disabling the warning for ALL WHY3 USERS even if they don't
use the python front-end
let () = Debug.set_flag Dterm.debug_ignore_unused_var
*)

let mk_id ~loc name =
  { id_str = name; id_ats = []; id_loc = loc }

let mk_prime id =
  { id with id_str = id.id_str ^ "'" }
let mk_prime_n =
  let n = ref 0 in
  fun id -> incr n; { id with id_str = id.id_str ^ "'" ^ string_of_int !n }

let id_infix ~loc s = mk_id ~loc (Ident.op_infix s)
let infix  ~loc s = Qident (id_infix ~loc s)
let prefix ~loc s = Qident (mk_id ~loc (Ident.op_prefix s))
let get_op ~loc   = Qident (mk_id ~loc (Ident.op_get ""))
let set_op ~loc   = Qident (mk_id ~loc (Ident.op_set ""))

let mk_expr ~loc d =
  { expr_desc = d; expr_loc = loc }
let mk_pat ~loc d =
  { pat_desc = d; pat_loc = loc }
let mk_unit ~loc =
  mk_expr ~loc (Etuple [])
let mk_var ~loc id =
  mk_expr ~loc (Eident (Qident id))
let mk_pure t =
  mk_expr ~loc:t.term_loc (Epure t)

let mk_ref ~loc e =
  mk_expr ~loc (Eapply (mk_expr ~loc Eref, e))
let mk_lref ~loc id =
  mk_expr ~loc (Easref (Qident id))

let array_set ~loc a i v =
  mk_expr ~loc (Eidapp (set_op ~loc, [a; i; v]))
let constant ~loc i =
  mk_expr ~loc (Econst (Constant.int_const_of_int i))
let constant_s ~loc s =
  let int_lit = Number.(int_literal ILitDec ~neg:false s) in
  mk_expr ~loc (Econst (Constant.ConstInt int_lit))
let len ~loc =
  Qident (mk_id ~loc "len")

let break_id    = "'Break"
let continue_id = "'Continue"
let return_id   = "'Return"

let array_make ~loc n v =
  mk_expr ~loc (Eidapp (Qdot (Qident (mk_id ~loc "Python"), mk_id ~loc "make"),
                        [n; v]))
let array_empty ~loc =
  mk_expr ~loc (Eidapp (Qdot (Qident (mk_id ~loc "Python"), mk_id ~loc "empty"), [mk_unit ~loc]))
let set_ref id =
  { id with id_ats = ATstr Pmodule.ref_attr :: id.id_ats }

let empty_spec = {
  sp_pre     = [];
  sp_post    = [];
  sp_xpost   = [];
  sp_reads   = [];
  sp_writes  = [];
  sp_alias   = [];
  sp_variant = [];
  sp_checkrw = false;
  sp_diverge = false;
  sp_partial = false;
}

type env = {
  vars: ident Mstr.t;
}

let empty_env =
  { vars = Mstr.empty }

let is_const (e: Py_ast.expr list) =
  match List.nth e 2 with
  | {Py_ast.expr_desc=Eint "1";_}  -> 1
  | {Py_ast.expr_desc=Eunop (Uneg, {Py_ast.expr_desc=Eint "1";_});_} -> -1
  | _ -> 0

let add_var env id =
  { vars = Mstr.add id.id_str id env.vars }
let add_param env (id, _) =
  add_var env id

let for_vars ~loc x =
  let x = x.id_str in
  mk_id ~loc (x ^ "'index"), mk_id ~loc (x ^ "'list")

let rec has_stmt p = function
  | Dstmt s -> p s || begin match s.stmt_desc with
      | Sbreak | Scontinue  | Sreturn _ | Sassign _ | Slabel _ | Spass _
      | Seval _ | Sset _ | Sblock _ | Sassert _ | Swhile _ | Scall_lemma _
      -> false
    | Sif (_, bl1, bl2) -> has_stmtl p bl1 || has_stmtl p bl2
    | Sfor (_, _, _, bl) -> has_stmtl p bl end
  | _ -> false
and has_stmtl p bl = List.exists (has_stmt p) bl

let rec expr_has_call id e = match e.Py_ast.expr_desc with
  | Enone | Ebool _ | Eint _ | Estring _ | Py_ast.Eident _ -> false
  | Emake (e1, e2) | Eget (e1, e2) | Ebinop (_, e1, e2) ->
    expr_has_call id e1 || expr_has_call id e2
  | Econd(c,e1,e2) -> expr_has_call id c || expr_has_call id e1 || expr_has_call id e2
  | Eunop (_, e1) -> expr_has_call id e1
  | Edot (e, f, el) -> id.id_str = f.id_str || List.exists (expr_has_call id) (e::el)
  | Ecall (f, el) -> id.id_str = f.id_str || List.exists (expr_has_call id) el
  | Elist el -> List.exists (expr_has_call id) el
  | Py_ast.Etuple el -> List.exists (expr_has_call id) el

let rec stmt_has_call id s = match s.stmt_desc with
  | Sbreak | Scontinue | Slabel _ | Sassert _ | Spass _ -> false
  | Sreturn e | Sassign (_, e) | Seval e -> expr_has_call id e
  | Sblock s -> block_has_call id s
  | Scall_lemma (f, _) -> id.id_str = f.id_str
  | Sset (e1, e2, e3) ->
    expr_has_call id e1 || expr_has_call id e2 || expr_has_call id e3
  | Sif (e, s1, s2) -> expr_has_call id e || block_has_call id s1 || block_has_call id s2
  | Sfor (_, e, _, s) | Swhile (e, _, _, s) -> expr_has_call id e || block_has_call id s
and block_has_call id = has_stmtl (stmt_has_call id)

let rec is_list (e: Py_ast.expr) =
  match e.Py_ast.expr_desc with
  | Py_ast.Ecall (f, _) when f.id_str = "slice" -> true
  | Py_ast.Ebinop (Py_ast.Badd, e, _) -> is_list e
  | Py_ast.Edot (_, m, _) -> m.id_str = "copy"
  | Py_ast.Elist _ | Py_ast.Emake _ -> true
  | _ -> false

let rec expr env {Py_ast.expr_loc = loc; Py_ast.expr_desc = d } = match d with
  | Py_ast.Enone ->
    mk_unit ~loc
  | Py_ast.Ebool b ->
    mk_expr ~loc (if b then Etrue else Efalse)
  | Py_ast.Eint s ->
    constant_s ~loc s
  | Py_ast.Estring _s ->
    mk_unit ~loc (*FIXME*)
  | Py_ast.Eident id ->
    if not (Mstr.mem id.id_str env.vars) then
      Loc.errorm ~loc "unbound variable %s" id.id_str;
     mk_expr ~loc (Eident (Qident id))
  | Py_ast.Econd (c, e1, e2) ->
    let c = expr env c and e1 = expr env e1 and e2 = expr env e2 in
    mk_expr ~loc (Eif(c,e1,e2))
  | Py_ast.Ebinop (op, e1, e2) ->
    let isl = is_list e1 in
    let e1 = expr env e1 in
    let e2 = expr env e2 in
    mk_expr ~loc (match op with
      | Py_ast.Band -> Eand (e1, e2)
      | Py_ast.Bor  -> Eor  (e1, e2)
      | Py_ast.Badd when isl ->
         let id = mk_id ~loc "add_list" in
         Eidapp (Qident id, [e1; e2])
      | Py_ast.Badd -> Eidapp (infix ~loc "+",  [e1; e2])
      | Py_ast.Bsub -> Eidapp (infix ~loc "-",  [e1; e2])
      | Py_ast.Bmul -> Eidapp (infix ~loc "*",  [e1; e2])
      | Py_ast.Bdiv -> Eidapp (infix ~loc "//", [e1; e2])
      | Py_ast.Bmod -> Eidapp (infix ~loc "%",  [e1; e2])
      | Py_ast.Beq  -> Einnfix (e1, id_infix ~loc "=",  e2)
      | Py_ast.Bneq -> Einnfix (e1, id_infix ~loc "<>", e2)
      | Py_ast.Blt  -> Einnfix (e1, id_infix ~loc "<",  e2)
      | Py_ast.Ble  -> Einnfix (e1, id_infix ~loc "<=", e2)
      | Py_ast.Bgt  -> Einnfix (e1, id_infix ~loc ">",  e2)
      | Py_ast.Bge  -> Einnfix (e1, id_infix ~loc ">=", e2)
    )
  | Py_ast.Eunop (Py_ast.Uneg, e) ->
    mk_expr ~loc (Eidapp (prefix ~loc "-", [expr env e]))
  | Py_ast.Eunop (Py_ast.Unot, e) ->
    mk_expr ~loc (Enot (expr env e))

  | Py_ast.Edot (e, f, el) ->
    let el = List.map (expr env) (e::el) in
    let id = Qdot (Qident (mk_id ~loc "Python"), f) in
    mk_expr ~loc (Eidapp (id, el))

  | Py_ast.Ecall ({id_str="slice"} as id, [e1;e2;e3]) ->

    let zero = expr env ({Py_ast.expr_loc = loc; Py_ast.expr_desc = Eint "0"}) in
    let e1' = mk_id ~loc "e1'" in
    let e1_var = mk_var ~loc e1' in

    let len = mk_expr ~loc (Eidapp (Qident (mk_id ~loc "len"), [e1_var])) in

    let e2, e3 = match e2, e3 with
      | {Py_ast.expr_desc=Py_ast.Enone}, {Py_ast.expr_desc=Py_ast.Enone} -> zero, len
      | _                              , {Py_ast.expr_desc=Py_ast.Enone} -> expr env e2, len
      | {Py_ast.expr_desc=Py_ast.Enone}, _                               -> zero, expr env e3
      | _                              , _                               -> expr env e2, expr env e3
    in

    let id = Qdot (Qident (mk_id ~loc "Python"), id) in

    mk_expr ~loc (Elet (e1', false, Expr.RKnone, expr env e1,
      mk_expr ~loc (Eidapp (id, [e1_var;e2;e3]))
    ))

  | Py_ast.Ecall ({id_str="range"} as id, els) when List.length els < 4 ->
    let zero = {Py_ast.expr_loc = loc; Py_ast.expr_desc = Eint "0"} in
    let from_to_step, id = match els with
                        | [e]        -> [zero; e], id
                        | [e1;e2]    -> [e1; e2], id
                        | [e1;e2;e3] -> [e1; e2; e3], mk_id ~loc "range3"
                        | _          -> assert false
    in
    let el = List.map (expr env) from_to_step in
    mk_expr ~loc (Eidapp (Qident id, el))

  | Py_ast.Ecall ({id_str="print"}, el) ->
    let eval res e =
      mk_expr ~loc (Elet (mk_id ~loc "_", false, Expr.RKnone, expr env e, res)) in
    List.fold_left eval (mk_unit ~loc) el
  | Py_ast.Ecall (id, el) ->
    let el = if el = [] then [mk_unit ~loc] else List.map (expr env) el in
    mk_expr ~loc (Eidapp (Qident id, el))
  | Py_ast.Emake (e1, e2) -> (* [e1]*e2 *)
    array_make ~loc (expr env e2) (expr env e1)
  | Py_ast.Elist [] ->
    array_empty ~loc
  | Py_ast.Elist (e :: el) ->
    let n = 1 + List.length el in
    let n = constant ~loc n in
    let e = expr env e in
    let id = mk_id ~loc "new array" in
    mk_expr ~loc (Elet (id, false, Expr.RKnone, array_make ~loc n e,
    let i = ref 0 in
    let init seq e =
      incr i; let i = constant ~loc !i in
      let assign = array_set ~loc (mk_var ~loc id) i (expr env e) in
      mk_expr ~loc (Esequence (assign, seq)) in
    List.fold_left init (mk_var ~loc id) el))
  | Py_ast.Eget (e1, e2) ->
    mk_expr ~loc (Eidapp (get_op ~loc, [expr env e1; expr env e2]))
  | Py_ast.Etuple el -> mk_expr ~loc (Etuple (List.map (expr env) el))

let no_params ~loc = [loc, None, false, Some (PTtuple [])]

let mk_for_params exps loc env =

  let mk_op1 op ub = mk_expr ~loc (Eidapp (infix ~loc op, [expr env ub; constant ~loc 1])) in
  let mk_minus1 ub = mk_op1 "-" ub in
  let mk_plus1 ub = mk_op1 "+" ub in

  match exps with
  | [e1] ->
      let zero = {Py_ast.expr_loc = loc; Py_ast.expr_desc = Eint "0"} in
      expr env zero, mk_minus1 e1, Expr.To
  | [e1;e2] ->
      expr env e1, mk_minus1 e2, Expr.To
  | [e1;e2;_] ->
      begin match is_const exps with
      |  1 -> expr env e1, mk_minus1 e2, Expr.To
      | -1 -> expr env e1, mk_plus1 e2, Expr.DownTo
      | _  -> assert false
      end
  | _ -> assert false

let rec new_vars env (e: Py_ast.expr) =
  match e.Py_ast.expr_desc with
  | Py_ast.Eident id ->
      if Mstr.mem id.id_str env.vars then [] else [id]
  | Py_ast.Etuple el ->
      List.sort_uniq compare (List.concat (List.map (new_vars env) el))
  | _ -> []

(*
  (r1,..)..(rn,..) := e1,...em
  ==> match e1,...em with (r'1,..)..(r'n,..) ->
      r1 := r'1; .. let ri := r'i in ...
 *)

let rec build_pat1 (e1: Py_ast.expr) =
  let loc = e1.Py_ast.expr_loc in
  match e1.Py_ast.expr_desc with
  | Py_ast.Etuple el1 ->
      mk_pat ~loc (Ptuple (List.map build_pat1 el1))
  | Py_ast.Eident id ->
      mk_pat ~loc:id.id_loc (Pvar (mk_prime id))
  | _ ->
      let id = mk_id ~loc "_" in
      mk_pat ~loc (Pvar (mk_prime_n id))

let rec build_pat2 (e1: Py_ast.expr) (e2: expr) =
  let loc = e1.Py_ast.expr_loc in
  match e1.Py_ast.expr_desc, e2.expr_desc with
  | Py_ast.Etuple el1, Etuple el2 ->
      if List.length el1 = List.length el2 then
        mk_pat ~loc (Ptuple (List.map2 build_pat2 el1 el2))
      else
        Loc.errorm ~loc "illegal assignment"
  | Py_ast.Etuple el1, _ ->
      mk_pat ~loc (Ptuple (List.map build_pat1 el1))
  | Py_ast.Eident id, _ ->
      mk_pat ~loc:id.id_loc (Pvar (mk_prime id))
  | _ ->
      let id = mk_id ~loc "_" in
      mk_pat ~loc:id.id_loc (Pvar (mk_prime_n id))

let rec flatten_updates (e: Py_ast.expr) (p: pattern) =
  match e.Py_ast.expr_desc, p.pat_desc with
  | Py_ast.Etuple le, Ptuple lp -> List.concat (List.map2 flatten_updates le lp)
  | _, Pvar _ -> [e, p]
  | _ -> failwith "flatten_updates"

let rec gen_updates env lp cnt =
  match lp with
  | [] -> cnt
  | ({ Py_ast.expr_desc = Py_ast.Eident id },
     { pat_desc = Pvar id'; pat_loc = loc }) :: lp'
        when Mstr.mem id.id_str env.vars ->
      let a = mk_expr ~loc (Eassign [mk_lref ~loc id, None, mk_var ~loc id']) in
      mk_expr ~loc (Esequence (a, gen_updates env lp' cnt))
  | ({ Py_ast.expr_desc = Py_ast.Eident id},
     { pat_desc = Pvar id'; pat_loc = loc }) :: lp' ->
      mk_expr ~loc
        (Elet (set_ref id, false, Expr.RKnone, mk_ref ~loc (mk_var ~loc id'),
               gen_updates env lp' cnt))
  | ({ Py_ast.expr_desc = Eget (e1,e2) },
     { pat_desc = Pvar id'; pat_loc = loc }) :: lp' ->
      let a =
        array_set ~loc:e1.Py_ast.expr_loc (expr env e1) (expr env e2) (mk_var ~loc id') in
      mk_expr ~loc (Esequence (a, gen_updates env lp' cnt))
  | (e,_) :: _ ->
      Loc.errorm ~loc:e.Py_ast.expr_loc "invalid lhs in assignment"

let rec stmt env {Py_ast.stmt_loc = loc; Py_ast.stmt_desc = d } =
  match d with
  | Py_ast.Sblock s ->
    block env ~loc s
  | Py_ast.Seval e ->
    let id = mk_id ~loc "_'" in
    mk_expr ~loc (Elet (id, false, Expr.RKnone, expr env e, mk_unit ~loc))
  | Py_ast.Scall_lemma (f, lt) ->
    let id = mk_id ~loc "_'" in
    let call = Eidapp (Qident f, List.map mk_pure lt) in
    mk_expr ~loc
      (Elet (id, false, Expr.RKnone, mk_expr ~loc call, mk_unit ~loc))
  | Py_ast.Sif (e, s1, s2) ->
    mk_expr ~loc (Eif (expr env e, block env ~loc s1, block env ~loc s2))
  | Py_ast.Sreturn e ->
    mk_expr ~loc (Eraise (Qident (mk_id ~loc return_id), Some (expr env e)))
  | Py_ast.Sassign (lhs, e) ->
     (*
       r1,...rn = e1,...en ==>
       match e1,... en with r1',... rn' -> r1:=r1'; ... rn := rn'
      *)
     let e = expr env e in
     let p = build_pat2 lhs e in
     let lp = flatten_updates lhs p in
     let u = gen_updates env lp (mk_unit ~loc) in
     mk_expr ~loc (Ematch (e, [p, u], []))

  | Py_ast.Sset (e1, e2, e3) ->
    array_set ~loc (expr env e1) (expr env e2) (expr env e3)
  | Py_ast.Sassert (k, t) ->
    mk_expr ~loc (Eassert (k, t))
  | Py_ast.Swhile (e, inv, var, s) ->
    let id_b = mk_id ~loc break_id in
    let id_c = mk_id ~loc continue_id in
    let body = block env ~loc s in
    let body = mk_expr ~loc (Eoptexn (id_c, Ity.MaskVisible, body)) in
    let loop = mk_expr ~loc (Ewhile (expr env e, inv, var, body)) in
    mk_expr ~loc (Eoptexn (id_b, Ity.MaskVisible, loop))
  | Py_ast.Sbreak ->
    mk_expr ~loc (Eraise (Qident (mk_id ~loc break_id), None))
  | Py_ast.Scontinue ->
    mk_expr ~loc (Eraise (Qident (mk_id ~loc continue_id), None))
  | Py_ast.Slabel _ ->
    mk_unit ~loc (* ignore lonely marks *)
  | Py_ast.Spass (ty, sp) ->
     mk_expr ~loc
       (Eany ([], Expr.RKnone, ty, mk_pat ~loc Pwild, Ity.MaskVisible, sp))
    (* make a special case for
         for id in range(e1, [e2, e3]) *)
  | Py_ast.Sfor (id, {Py_ast.expr_desc=Ecall ({id_str="range"}, exps)},
                 inv, body)
    when (List.length exps = 3 && (let c = is_const exps in c = -1 || c = 1)) ->
    let lb, ub, direction = mk_for_params exps loc env in
    let body = block ~loc (add_var env id) body in
    let body =
      mk_expr ~loc (Eoptexn (mk_id ~loc continue_id, Ity.MaskVisible, body)) in
    let body = mk_expr ~loc (Elet (set_ref id, false, Expr.RKnone,
                                   mk_ref ~loc (mk_var ~loc id), body)) in
    let loop = mk_expr ~loc (Efor (id, lb, direction, ub, inv, body)) in
    mk_expr ~loc (Eoptexn (mk_id ~loc break_id, Ity.MaskVisible, loop))

  | Py_ast.Sfor (id, {Py_ast.expr_desc=Ecall ({id_str="range"}, exps)},
                 inv, body)
    when (List.length exps < 3) ->
    let lb, ub, direction = mk_for_params exps loc env in
    let body = block ~loc (add_var env id) body in
    let body =
      mk_expr ~loc (Eoptexn (mk_id ~loc continue_id, Ity.MaskVisible, body)) in
    let body = mk_expr ~loc (Elet (set_ref id, false, Expr.RKnone,
                                   mk_ref ~loc (mk_var ~loc id), body)) in
    let loop = mk_expr ~loc (Efor (id, lb, direction, ub, inv, body)) in
    mk_expr ~loc (Eoptexn (mk_id ~loc break_id, Ity.MaskVisible, loop))
  (* otherwise, translate
       for id in e:
         #@ invariant inv
         body
    to
       let l = e in
       for i'index = 0 to len(l)-1 do
         invariant { I }
         let id = ref l[i'index] in
         body
       done
    *)
  | Py_ast.Sfor (id, e, inv, body) ->
    let e = expr env e in
    let i, l = for_vars ~loc id in
    let lb = constant ~loc 0 in
    let lenl = mk_expr ~loc (Eidapp (len ~loc, [mk_var ~loc l])) in
    let ub = mk_expr ~loc (Eidapp (infix ~loc "-", [lenl; constant ~loc 1])) in
    let li = mk_expr ~loc (Eidapp (get_op ~loc, [mk_var ~loc l; mk_var ~loc i])) in
    let body = block ~loc (add_var env id) body in
    let body = mk_expr ~loc (Eoptexn (mk_id ~loc continue_id, Ity.MaskVisible, body)) in
    let body = mk_expr ~loc (Elet (set_ref id, false, Expr.RKnone,
                                   mk_ref ~loc li, body)) in
    let loop = mk_expr ~loc (Efor (i, lb, Expr.To, ub, inv, body)) in
    let loop = mk_expr ~loc (Elet (l, false, Expr.RKnone, e, loop)) in
    mk_expr ~loc (Eoptexn (mk_id ~loc break_id, Ity.MaskVisible, loop))

and block env ~loc = function
  | [] ->
    mk_unit ~loc
  | Dstmt { stmt_loc = loc; stmt_desc = Slabel id } :: sl ->
    mk_expr ~loc (Elabel (id, block env ~loc sl))
  | Dstmt { Py_ast.stmt_loc=loc; stmt_desc = Py_ast.Sassign (lhs, e) } :: sl ->
     let ids = new_vars env lhs in
     let env' =  List.fold_left add_var env ids in
     let e = expr env e in
     let p = build_pat2 lhs e in
     let lp = flatten_updates lhs p in
     let u = gen_updates env lp (block env' ~loc sl) in
     mk_expr ~loc (Ematch (e, [p, u], []))
  | Dstmt ({ Py_ast.stmt_loc = loc } as s) :: sl ->
    let s = stmt env s in
    if sl = [] then s else mk_expr ~loc (Esequence (s, block env ~loc sl))
  | Ddef (id, idl, ty, sp, bl, fct) :: sl ->
    (* f(x1,...,xn): body ==>
      let f x1 ... xn =
        let x1 = ref x1 in ... let xn = ref xn in
        try body with Return x -> x *)
    let param (id, ty) = id.id_loc, Some id, false, ty in
    let params = if idl = [] then no_params ~loc else List.map param idl in
    let p = mk_pat ~loc Pwild in
    let is_rec = block_has_call id bl in
    let s = block env ~loc sl in
    (match bl with
       | [Py_ast.Dstmt {stmt_desc=Py_ast.Sreturn e}] when fct ->
           let env' = List.fold_left add_param empty_env idl in
           let e = expr env' e in
           let d =
             if is_rec then
               Drec ([id,false,Expr.RKfunc,params,ty,p,Ity.MaskVisible,sp,e])
             else
               let e = Efun (params, ty, p, Ity.MaskVisible, sp, e) in
               Dlet (id, false, Expr.RKfunc, mk_expr ~loc e) in
           Typing.add_decl id.id_loc d;
           s
       | _ ->
           let env' = List.fold_left add_param env idl in
           let body = block env' ~loc:id.id_loc bl in
           let body =
             let loc = id.id_loc in
             let id = mk_id ~loc return_id in
             { body with expr_desc = Eoptexn (id, Ity.MaskVisible, body) } in
           let local bl (id, _) =
             let loc = id.id_loc in
             let ref = mk_ref ~loc (mk_var ~loc id) in
             mk_expr ~loc (Elet (set_ref id, false, Expr.RKnone, ref, bl)) in
           let body = List.fold_left local body idl in
           let kind = if fct then Expr.RKlocal else Expr.RKnone in
           let e =
             if is_rec then
               Erec ([id, false, kind, params, ty, p, Ity.MaskVisible, sp, body], s)
             else
               let e = Efun (params, ty, p, Ity.MaskVisible, sp, body) in
               Elet (id, false, kind, mk_expr ~loc e, s)
           in
           mk_expr ~loc e)
  | (Py_ast.Dimport _ | Py_ast.Dlogic _) :: sl ->
    block env ~loc sl
  | Py_ast.Dconst (id, e) :: sl ->
    let e = expr env e in
    let d = Dlet (id, false, Expr.RKfunc, e) in
    Typing.add_decl id.id_loc d;
    let e = Elet (id, false, Expr.RKnone, e,
                  block ~loc (add_var env id) sl) in
    mk_expr ~loc e
  | Py_ast.Dprop (pk, id, t) :: sl ->
    Typing.add_decl id.id_loc (Dprop (pk, id, t));
    block env ~loc sl

let logic_param (id, ty) =
  id.id_loc, Some id, false, ty

let logic = function
  | Py_ast.Dlogic (id, idl, ty, None, def) ->
    let d = { ld_loc = id.id_loc;
              ld_ident = id;
              ld_params = List.map logic_param idl;
              ld_type = ty;
              ld_def = def } in
    Typing.add_decl id.id_loc (Dlogic [d])
  | Py_ast.Dlogic (id, idl, Some ty, Some var, Some def) ->
     let loc = id.id_loc in
     let p = mk_pat ~loc (Pvar id) in
     let s = { Ptree_helpers.empty_spec with sp_variant = [var,None] } in
     let e = mk_expr ~loc (Epure def) in
     let pl = List.map (fun (id,ty) -> loc,Some id,false,Some ty) idl in
     let dr =
       Drec ([id, true, Expr.RKfunc, pl, Some ty, p, Ity.MaskVisible, s, e]) in
     Typing.add_decl id.id_loc dr
  | Py_ast.Dlogic (id, idl, None, _, def) ->
    let d = { ld_loc = id.id_loc;
              ld_ident = id;
              ld_params = List.map logic_param idl;
              ld_type = None;
              ld_def = def } in
    Typing.add_decl id.id_loc (Dlogic [d])
  | _ -> ()

let translate ~loc dl =
  List.iter logic dl;
  let bl = block empty_env ~loc dl in
  let p = mk_pat ~loc Pwild in
  let fd = Efun (no_params ~loc, None, p, Ity.MaskVisible, empty_spec, bl) in
  let main = Dlet (mk_id ~loc "main", false, Expr.RKnone, mk_expr ~loc fd) in
  Typing.add_decl loc main

let read_channel env path file c =
  let f : Py_ast.file = Py_lexer.parse file c in
  Debug.dprintf debug "%s parsed successfully.@." file;
  let loc = Loc.user_position file 0 0 0 0 in
  let file = Filename.basename file in
  let file = Filename.chop_extension file in
  let name = Strings.capitalize file in
  Debug.dprintf debug "building module %s.@." name;
  Typing.open_file env path;
  Typing.open_module (mk_id ~loc name);
  let use_import (f, m) =
    let m = mk_id ~loc m in
    let qid = Qdot (Qident (mk_id ~loc f), m) in
    let decl = Ptree.Duseimport(loc,false,[(qid,None)]) in
    Typing.add_decl loc decl in
  List.iter use_import
    ["int", "Int"; "ref", "Refint"; "python", "Python"];
  translate ~loc f;
  Typing.close_module loc;
  let mm = Typing.close_file () in
  if path = [] && Debug.test_flag debug then begin
    let add_m _ m modm = Ident.Mid.add m.mod_theory.Theory.th_name m modm in
    let print_m _ m = Pmodule.print_module Format.err_formatter m in
    Ident.Mid.iter print_m (Mstr.fold add_m mm Ident.Mid.empty)
  end;
  mm

let () =
  Env.register_format mlw_language "python" ["py"] read_channel
    ~desc:"mini-Python format"

(* Python pretty-printer, to print tasks with a little bit
   of Python syntax *)

open Term
open Format
open Pretty

(* python print_binop *)
let print_binop ~asym fmt = function
  | Tand when asym -> pp_print_string fmt "&&"
  | Tor when asym  -> pp_print_string fmt "||"
  | Tand           -> pp_print_string fmt "and"
  | Tor            -> pp_print_string fmt "or"
  | Timplies       -> pp_print_string fmt "->"
  | Tiff           -> pp_print_string fmt "<->"

(* Register the transformations functions *)
let rec python_ext_printer print_any fmt a =
  match a with
  | Pp_term (t, pri) ->
      begin match t.t_node with
        | Tapp (ls, [t1; t2]) when ls_equal ls ps_equ ->
            (* == *)
            fprintf fmt (protect_on (pri > 0) "@[%a == %a@]")
              (python_ext_printer print_any) (Pp_term (t1, 0))
              (python_ext_printer print_any) (Pp_term (t2, 0))
        | Tnot {t_node = Tapp (ls, [t1; t2]) } when ls_equal ls ps_equ ->
            (* != *)
            fprintf fmt (protect_on (pri > 0) "@[%a != %a@]")
              (python_ext_printer print_any) (Pp_term (t1, 0))
              (python_ext_printer print_any) (Pp_term (t2, 0))
        | Tbinop (b, f1, f2) ->
            (* and, or *)
            let asym = Ident.Sattr.mem asym_split f1.t_attrs in
            let p = prio_binop b in
            fprintf fmt (protect_on (pri > p) "@[%a %a@ %a@]")
              (python_ext_printer print_any) (Pp_term (f1, (p + 1)))
              (print_binop ~asym) b
              (python_ext_printer print_any) (Pp_term (f2, p))
        | _ -> print_any fmt a
      end
  | _ -> print_any fmt a

let () = Itp_server.add_registered_lang "python" (fun _ -> python_ext_printer)

let () = Args_wrapper.set_argument_parsing_functions "python"
    ~parse_term:(fun _ lb -> Py_lexer.parse_term lb)
    ~parse_term_list:(fun _ lb -> Py_lexer.parse_term_list lb)
    ~parse_list_ident:(fun lb -> Py_lexer.parse_list_ident lb)
    (* TODO for qualids, add a similar funciton *)
    ~parse_qualid:(fun lb -> Lexer.parse_qualid lb)
    ~parse_list_qualid:(fun lb -> Lexer.parse_list_qualid lb)
why3-1.6.0/plugins/python/py_main.mli000066400000000000000000000013071440160026300175460ustar00rootroot00000000000000(********************************************************************)
(*                                                                  *)
(*  The Why3 Verification Platform   /   The Why3 Development Team  *)
(*  Copyright 2010-2023 --  Inria - CNRS - Paris-Saclay University  *)
(*                                                                  *)
(*  This software is distributed under the terms of the GNU Lesser  *)
(*  General Public License version 2.1, with the special exception  *)
(*  on linking described in file LICENSE.                           *)
(*                                                                  *)
(********************************************************************)

why3-1.6.0/plugins/python/py_parser.mly000066400000000000000000000360621440160026300201440ustar00rootroot00000000000000(********************************************************************)
(*                                                                  *)
(*  The Why3 Verification Platform   /   The Why3 Development Team  *)
(*  Copyright 2010-2023 --  Inria - CNRS - Paris-Saclay University  *)
(*                                                                  *)
(*  This software is distributed under the terms of the GNU Lesser  *)
(*  General Public License version 2.1, with the special exception  *)
(*  on linking described in file LICENSE.                           *)
(*                                                                  *)
(********************************************************************)

%{
  open Why3
  open Ptree
  open Py_ast

  let () = Exn_printer.register (fun fmt exn -> match exn with
    | Error -> Format.pp_print_string fmt "syntax error"
    | _ -> raise exn)

  let floc s e = Loc.extract (s,e)
  let mk_id id s e = { id_str = id; id_ats = []; id_loc = floc s e }
  let mk_pat  d s e = { pat_desc  = d; pat_loc  = floc s e }
  let mk_term d s e = { term_desc = d; term_loc = floc s e }
  let mk_expr loc d = { expr_desc = d; expr_loc = loc }
  let mk_stmt loc d = Dstmt { stmt_desc = d; stmt_loc = loc }
  let mk_var id = mk_expr id.id_loc (Eident id)

  let variant_union v1 v2 = match v1, v2 with
    | _, [] -> v1
    | [], _ -> v2
    | _, ({term_loc = loc},_)::_ -> Loc.errorm ~loc
        "multiple `variant' clauses are not allowed"

  let get_op s e = Qident (mk_id (Ident.op_get "") s e)
  let upd_op s e = Qident (mk_id (Ident.op_update "") s e)

  let empty_spec = {
    sp_pre     = [];    sp_post    = [];  sp_xpost  = [];
    sp_reads   = [];    sp_writes  = [];  sp_alias  = [];
    sp_variant = [];
    sp_checkrw = false; sp_diverge = false; sp_partial = false;
  }

  let spec_union s1 s2 = {
    sp_pre     = s1.sp_pre @ s2.sp_pre;
    sp_post    = s1.sp_post @ s2.sp_post;
    sp_xpost   = s1.sp_xpost @ s2.sp_xpost;
    sp_reads   = s1.sp_reads @ s2.sp_reads;
    sp_writes  = s1.sp_writes @ s2.sp_writes;
    sp_alias   = s1.sp_alias @ s2.sp_alias;
    sp_variant = variant_union s1.sp_variant s2.sp_variant;
    sp_checkrw = s1.sp_checkrw || s2.sp_checkrw;
    sp_diverge = s1.sp_diverge || s2.sp_diverge;
    sp_partial = s1.sp_partial || s2.sp_partial;
  }

  let fresh_type_var =
    let r = ref 0 in
    fun loc -> incr r;
      PTtyvar { id_str = "a" ^ string_of_int !r; id_loc = loc; id_ats = [] }

  let logic_type loc = function
  | None    -> fresh_type_var loc
  | Some ty -> ty

  let logic_param loc (id, ty) = id, logic_type loc ty

%}

%token  INTEGER
%token  STRING
%token  CMP
%token  IDENT QIDENT TVAR
%token DEF IF ELSE ELIF RETURN WHILE FOR IN AND OR NOT NONE TRUE FALSE PASS
%token FROM IMPORT BREAK CONTINUE
%token EOF
%token LEFTPAR RIGHTPAR LEFTSQ RIGHTSQ COMMA EQUAL COLON BEGIN END NEWLINE
       PLUSEQUAL MINUSEQUAL TIMESEQUAL DIVEQUAL MODEQUAL
       LEFTBR RIGHTBR
%token PLUS MINUS TIMES DIV MOD
(* annotations *)
%token INVARIANT VARIANT ASSUME ASSERT CHECK REQUIRES ENSURES LABEL
%token FUNCTION PREDICATE AXIOM LEMMA CONSTANT CALL
%token ARROW LARROW LRARROW FORALL EXISTS DOT THEN LET OLD AT BY SO

(* precedences *)

%nonassoc IN
%nonassoc DOT ELSE
%right ARROW LRARROW BY SO
%nonassoc IF
%right OR
%right AND
%nonassoc NOT
%right CMP
%left PLUS MINUS
%left TIMES DIV MOD
%nonassoc unary_minus prec_prefix_op
%nonassoc LEFTSQ

%start file
(* Transformations entries *)
%start  term_eof
%start  term_comma_list_eof
%start  ident_comma_list_eof

%type  file
%type  stmt

%%

file:
| NEWLINE* EOF
    { [] }
| NEWLINE? dl=nonempty_list(decl) NEWLINE? EOF
    { dl }
;

decl:
| import { $1 }
| def    { $1 }
| stmt   { $1 }
| func   { $1 }
| prop   { $1 }
| const  { $1 }

import:
| FROM m=ident IMPORT l=separated_list(COMMA, ident) NEWLINE
  { Dimport (m, l) }

const:
| CONSTANT NEWLINE id = ident EQUAL e = expr NEWLINE
  { Dconst (id,e) }

prop:
| LEMMA id=ident COLON t=term NEWLINE
  { Dprop (Decl.Plemma, id, t) }
| AXIOM id=ident COLON t=term NEWLINE
  { Dprop (Decl.Paxiom, id, t) }

func:
| FUNCTION id=ident LEFTPAR l=separated_list(COMMA, param) RIGHTPAR
  ty=option(function_type) var = option(fp_variant) def=option(logic_body)
  NEWLINE
  { let loc = floc $startpos $endpos in
    Dlogic (id, List.map (logic_param loc) l, Some (logic_type loc ty),
            var, def) }
| PREDICATE id=ident LEFTPAR l=separated_list(COMMA, param) RIGHTPAR
  var=option(fp_variant) def=option(logic_body) NEWLINE
  { let loc = floc $startpos $endpos in
    Dlogic (id, List.map (logic_param loc) l, None, var, def) }

fp_variant:
| LEFTBR VARIANT v=term RIGHTBR { v }

logic_body:
| EQUAL t=term
  { t }

param:
| id=ident ty=option(param_type)
  { id, ty }

param_type:
| COLON ty=typ
  { ty }

function_type:
| ARROW ty=typ
  { ty }

/* Note: "list" is a legal type annotation in Python; we make it a
 * polymorphic type "list 'a" in WhyML  */
typ:
| id=type_var
  { PTtyvar id }
| id=ident
  { if id.id_str = "list"
    then PTtyapp (Qident id, [fresh_type_var (floc $startpos $endpos)])
    else PTtyapp (Qident id, []) }
| id=ident LEFTSQ tyl=separated_nonempty_list(COMMA, typ) RIGHTSQ
    {
      if id.id_str = "Tuple" then PTtuple tyl else PTtyapp (Qident id, tyl)
    }

def:
| fct = as_funct
  DEF f = ident LEFTPAR x = separated_list(COMMA, param) RIGHTPAR
  ty=option(function_type) COLON NEWLINE BEGIN s=spec l=body END
    {
      if f.id_str = "range" then
        let loc = floc $startpos $endpos in
        Loc.errorm ~loc "micro Python does not allow shadowing 'range'"
      else if fct && ty = None then
        let loc = floc $startpos $endpos in
        Loc.errorm ~loc "a logical function should not return a unit type"
      else Ddef (f, x, ty, s, l ty s, fct)
    }
;

as_funct:
| FUNCTION NEWLINE { true  }
| (* epsilon *)    { false }
;

body:
| nonempty_list(stmt)
  { fun _ _ -> $1 }
| PASS NEWLINE
  { fun ty s -> [mk_stmt (floc $startpos $endpos) (Spass (ty, s))] }

spec:
| (* epsilon *)     { empty_spec }
| single_spec spec  { spec_union $1 $2 }

single_spec:
| REQUIRES t=term NEWLINE
    { { empty_spec with sp_pre = [t] } }
| ENSURES e=ensures NEWLINE
    { { empty_spec with sp_post = [floc $startpos(e) $endpos(e), e] } }
| variant
    { { empty_spec with sp_variant = $1 } }

ensures:
| term
    { let id = mk_id "result" $startpos $endpos in
      [mk_pat (Pvar id) $startpos $endpos, $1] }
;

expr_dot:
| d = expr_dot_
   { mk_expr (floc $startpos $endpos) d }
;

expr_dot_:
| id = ident
    { Eident id }
| LEFTPAR e = expr RIGHTPAR
    { e.expr_desc }
;

expr:
| d = expr_desc
   { mk_expr (floc $startpos $endpos) d }
;

/*
expr_desc:
  e = expr_nt { e.expr_desc }
| e1 = expr_nt COMMA el = separated_list(COMMA, expr_nt)
    { Etuple (e1::el) }
;
*/
expr_desc:
  e = expr_nt_desc { e }
| e = expr_nt COMMA el = separated_list(COMMA, expr_nt) { Etuple (e::el) }
;

expr_nt:
| d = expr_nt_desc
   { mk_expr (floc $startpos $endpos) d }
;

expr_nt_desc:
| NONE
    { Enone }
| TRUE
    { Ebool true }
| FALSE
    { Ebool false }
| c = INTEGER
    { Eint c }
| s = STRING
    { Estring s }
| e1 = expr_nt LEFTSQ e2 = expr_nt RIGHTSQ
    { Eget (e1, e2) }
| e1 = expr_nt LEFTSQ e2=option(expr_nt) COLON e3=option(expr_nt) RIGHTSQ
    {
      let f = mk_id "slice" $startpos $endpos in
      let none = mk_expr (floc $startpos $endpos) Enone in
      let e2, e3 = match e2, e3 with
        | None, None -> none, none
        | Some e, None -> e, none
        | None, Some e -> none, e
        | Some e, Some e' -> e, e'
      in
      Ecall(f,[e1;e2;e3])
    }
| MINUS e1 = expr_nt %prec unary_minus
    { Eunop (Uneg, e1) }
| NOT e1 = expr_nt
    { Eunop (Unot, e1) }
| e1 = expr_nt o = binop e2 = expr_nt
    { Ebinop (o, e1, e2) }
| e1 = expr_nt TIMES e2 = expr_nt
    { match e1.expr_desc with
      | Elist [e1] -> Emake (e1, e2)
      | _ -> Ebinop (Bmul, e1, e2) }
| e=expr_dot DOT f=ident LEFTPAR el=separated_list(COMMA, expr_nt) RIGHTPAR
    {
      match f.id_str with
      | "pop" | "append" | "reverse" | "clear" | "copy" | "sort" ->
        Edot (e, f, el)
      | m -> let loc = floc $startpos $endpos in
             Loc.errorm ~loc "The method '%s' is not implemented" m
    }
| f = ident LEFTPAR e = separated_list(COMMA, expr_nt) RIGHTPAR
    { Ecall (f, e) }
| LEFTSQ l = separated_list(COMMA, expr_nt) RIGHTSQ
    { Elist l }
| e1=expr_nt IF c=expr_nt ELSE e2=expr_nt
    { Econd(c,e1,e2) }
| e=expr_dot_
    { e }
;

%inline binop:
| PLUS  { Badd }
| MINUS { Bsub }
| DIV   { Bdiv }
| MOD   { Bmod }
| c=CMP { c    }
| AND   { Band }
| OR    { Bor  }
;

located(X):
| X { mk_stmt (floc $startpos $endpos) $1 }
;

suite:
| s = simple_stmt NEWLINE
    { [s] }
| NEWLINE BEGIN l = nonempty_list(stmt) END
    { l }
;

stmt:
| located(stmt_desc)      { $1 }
| s = simple_stmt NEWLINE { s }

stmt_desc:
| IF c = expr_nt COLON s1 = suite s2=else_branch
    { Sif (c, s1, s2) }
| WHILE e = expr_nt COLON b=loop_body
    { let i, v, l = b in Swhile (e, i, v, l) }
| FOR x = ident IN e = expr COLON b=loop_body
    { let i, _, l = b in Sfor (x, e, i, l) }
;

else_branch:
| /* epsilon */
    { [] }
| ELSE COLON s2=suite
    { s2 }
| ELIF c=expr_nt COLON s1=suite s2=else_branch
    { [mk_stmt (floc $startpos $endpos) (Sif (c, s1, s2))] }


loop_body:
| s = simple_stmt NEWLINE
  { [], [], [s] }
| NEWLINE BEGIN a=loop_annotation l=nonempty_list(stmt) END
  { fst a, snd a, l }

loop_annotation:
| (* epsilon *)
    { [], [] }
| invariant loop_annotation
    { let (i, v) = $2 in ($1::i, v) }
| variant loop_annotation
    { let (i, v) = $2 in (i, variant_union $1 v) }

invariant:
| INVARIANT i=term NEWLINE { i }

variant:
| VARIANT l=comma_list1(term) NEWLINE { List.map (fun t -> t, None) l }

simple_stmt: located(simple_stmt_desc) { $1 };

simple_stmt_desc:
| RETURN e = expr
    { Sreturn e }
| lhs = expr EQUAL rhs = expr { Sassign (lhs, rhs) }
| id=ident o=binop_equal e=expr_nt
    { let loc = floc $startpos $endpos in
      Sassign (mk_var id,
               mk_expr loc (Ebinop (o, mk_expr loc (Eident id), e))) }
| e0 = expr_nt LEFTSQ e1 = expr_nt RIGHTSQ o=binop_equal e2 = expr
    {
      let loc = floc $startpos $endpos in
      let mk_expr_floc = mk_expr loc in
      let id = mk_id "'i" $startpos $endpos in
      let expr_id = mk_expr_floc (Eident id) in
      let a = mk_id "'a" $startpos $endpos in
      let expr_a = mk_expr_floc (Eident a) in
      let operation =
        mk_expr_floc (Ebinop (o, mk_expr_floc (Eget(expr_a, expr_id)), e2)) in
      let s1 =
        Dstmt ({ stmt_desc = Sassign (mk_var a, e0); stmt_loc = loc }) in
      let s2 =
        Dstmt ({ stmt_desc = Sassign (mk_var id, e1); stmt_loc = loc }) in
      let s3 =
        Dstmt ({ stmt_desc = Sset (expr_a, expr_id, operation);
                 stmt_loc = loc }) in
      Sblock [s1; s2; s3]
    }
| k=assertion_kind t = term
    { Sassert (k, t) }
| e = expr
    { Seval e }
| CALL f = ident LEFTPAR e = separated_list(COMMA, term) RIGHTPAR
    { Scall_lemma (f, e) }
| BREAK
    { Sbreak }
| CONTINUE
    { Scontinue }
| LABEL id=ident
    { Slabel id }
;

%inline binop_equal:
| PLUSEQUAL  { Badd }
| MINUSEQUAL { Bsub }
| DIVEQUAL   { Bdiv }
| TIMESEQUAL { Bmul }
| MODEQUAL   { Bmod }
;

assertion_kind:
| ASSERT  { Expr.Assert }
| ASSUME  { Expr.Assume }
| CHECK   { Expr.Check }

ident:
| id = IDENT { mk_id id $startpos $endpos }
;
quote_ident:
| id = QIDENT { mk_id id $startpos $endpos }
;
type_var:
| id = TVAR { mk_id id $startpos $endpos }
;

/* logic */

mk_term(X): d = X { mk_term d $startpos $endpos }

term_tuple: t = mk_term(term_tuple_) { t }

term_tuple_:
| t = term ; COMMA; lt=separated_list(COMMA, term)
    { Ttuple (t::lt) }
| t = term_ { t }

term: t = mk_term(term_) { t }

term_:
| term_arg_
    { match $1 with (* break the infix relation chain *)
      | Tinfix (l,o,r) -> Tinnfix (l,o,r)
      | Tbinop (l,o,r) -> Tbinnop (l,o,r)
      | d -> d }
| NOT term
    { Tnot $2 }
| OLD LEFTPAR t=term RIGHTPAR
    { Tat (t, mk_id Dexpr.old_label $startpos($1) $endpos($1)) }
| AT LEFTPAR t=term COMMA l=ident RIGHTPAR
    { Tat (t, l) }
| o = prefix_op ; t = term %prec prec_prefix_op
    { Tidapp (Qident o, [t]) }
| l = term ; o = bin_op ; r = term
    { Tbinop (l, o, r) }
| l = term ; o = infix_op_1 ; r = term
    { Tinfix (l, o, r) }
| l = term ; o = infix_op_234 ; r = term
    { Tidapp (Qident o, [l; r]) }
| IF term THEN term ELSE term
    { Tif ($2, $4, $6) }
| LET id=ident EQUAL t1=term IN t2=term
    { Tlet (id, t1, t2) }
| q=quant l=comma_list1(param) DOT t=term
    { let var (id, ty) = id.id_loc, Some id, false, ty in
      Tquant (q, List.map var l, [], t) }
| id=ident LEFTPAR l=separated_list(COMMA, term) RIGHTPAR
    { Tidapp (Qident id, l) }

quant:
| FORALL  { Dterm.DTforall }
| EXISTS  { Dterm.DTexists }

term_arg: mk_term(term_arg_) { $1 }

term_arg_:
| quote_ident { Tident (Qident $1) }
| ident       { Tident (Qident $1) }
| INTEGER     { Tconst (Constant.ConstInt Number.(int_literal ILitDec ~neg:false $1)) }
| NONE        { Ttuple [] }
| TRUE        { Ttrue }
| FALSE       { Tfalse }
| term_sub_                 { $1 }

term_sub_:
| LEFTPAR term_tuple RIGHTPAR                             { $2.term_desc }
| term_arg LEFTSQ term RIGHTSQ
    { Tidapp (get_op $startpos($2) $endpos($2), [$1;$3]) }
| term_arg LEFTSQ term LARROW term RIGHTSQ
    { Tidapp (upd_op $startpos($2) $endpos($2), [$1;$3;$5]) }
| e1 = term_arg LEFTSQ e2=option(term) COLON e3=option(term) RIGHTSQ
    {
      let slice = mk_id "slice" $startpos $endpos in
      let len = mk_id "len" $startpos $endpos in
      let z = Tconst (Constant.int_const_of_int 0) in
      let l = Tidapp(Qident len, [e1]) in
      let z = mk_term z $startpos $endpos in
      let l = mk_term l $startpos $endpos in
      let e2, e3 = match e2, e3 with
        | None, None -> z, l
        | Some e, None -> e, l
        | None, Some e -> z, e
        | Some e, Some e' -> e, e'
      in
      Tidapp(Qident slice,[e1;e2;e3])
    }

%inline bin_op:
| ARROW   { Dterm.DTimplies }
| LRARROW { Dterm.DTiff }
| OR      { Dterm.DTor }
| AND     { Dterm.DTand }
| BY      { Dterm.DTby }
| SO      { Dterm.DTso }

%inline infix_op_1:
| c=CMP  { let op = match c with
          | Beq  -> "="
          | Bneq -> "<>"
          | Blt  -> "<"
          | Ble  -> "<="
          | Bgt  -> ">"
          | Bge  -> ">="
          | Badd|Bsub|Bmul|Bdiv|Bmod|Band|Bor -> assert false in
           mk_id (Ident.op_infix op) $startpos $endpos }

%inline prefix_op:
| MINUS { mk_id (Ident.op_prefix "-")  $startpos $endpos }

%inline infix_op_234:
| DIV    { mk_id (Ident.op_infix "//") $startpos $endpos }
| MOD    { mk_id (Ident.op_infix "%") $startpos $endpos }
| PLUS   { mk_id (Ident.op_infix "+") $startpos $endpos }
| MINUS  { mk_id (Ident.op_infix "-") $startpos $endpos }
| TIMES  { mk_id (Ident.op_infix "*") $startpos $endpos }

comma_list1(X):
| separated_nonempty_list(COMMA, X) { $1 }

(* Parsing of a list of qualified identifiers for the ITP *)

(* parsing of a single term *)

term_eof:
| term NEWLINE EOF { $1 }

ident_comma_list_eof:
| comma_list1(ident) NEWLINE EOF { $1 }

term_comma_list_eof:
| comma_list1(term) NEWLINE EOF { $1 }
(* we use single_term to avoid conflict with tuples, that
   do not need parentheses *)
why3-1.6.0/plugins/tptp/000077500000000000000000000000001440160026300150545ustar00rootroot00000000000000why3-1.6.0/plugins/tptp/tptp_ast.mli000066400000000000000000000051241440160026300174170ustar00rootroot00000000000000(********************************************************************)
(*                                                                  *)
(*  The Why3 Verification Platform   /   The Why3 Development Team  *)
(*  Copyright 2010-2023 --  Inria - CNRS - Paris-Saclay University  *)
(*                                                                  *)
(*  This software is distributed under the terms of the GNU Lesser  *)
(*  General Public License version 2.1, with the special exception  *)
(*  on linking described in file LICENSE.                           *)
(*                                                                  *)
(********************************************************************)

type loc = Why3.Loc.position

type atomic_word = string
type variable = string
type distinct = string

type defined_type =
  | DTtype   | DTprop   | DTuniv   | DTint
  | DTrat    | DTreal   | DTdummy (* placeholder *)

type defined_func =
  | DFumin   | DFsum    | DFdiff   | DFprod
  | DFquot   | DFquot_e | DFquot_t | DFquot_f
  | DFrem_e  | DFrem_t  | DFrem_f
  | DFfloor  | DFceil   | DFtrunc  | DFround
  | DFtoint  | DFtorat  | DFtoreal

type defined_pred =
  | DPtrue   | DPfalse  | DPdistinct
  | DPless   | DPlesseq | DPgreater | DPgreatereq
  | DPisint  | DPisrat

type defined_word =
  | DT of defined_type
  | DF of defined_func
  | DP of defined_pred

(** Formula *)

type binop =
  | BOequ | BOnequ | BOimp  | BOpmi
  | BOand | BOor   | BOnand | BOnor

type quant = Qforall | Qexists

type num_integer = string
type num_rational = string * string
type num_real = string * string option * string option

type number =
  | Nint  of num_integer
  | Nrat  of num_rational
  | Nreal of num_real

type expr = { e_node : expr_node ; e_loc : loc }

and expr_node =
  | Elet of expr * expr
  | Eite of expr * expr * expr
  | Eqnt of quant * tyvar list * expr
  | Ebin of binop * expr * expr
  | Enot of expr
  | Eequ of expr * expr
  | Eapp of atomic_word * expr list
  | Edef of defined_word * expr list
  | Evar of variable
  | Edob of distinct
  | Enum of number

and tyvar = variable * expr

type top_type = tyvar list * (expr list * expr)

type top_formula =
  | LogicFormula of expr
  | TypedAtom of atomic_word * top_type
  | Sequent of expr list * expr list

(** Top level *)

type kind = TFF | FOF | CNF

type name = string
type file = string

type role =
  | Axiom | Hypothesis | Definition  | Assumption | Corollary
  | Lemma | Theorem    | Conjecture  | Negated_conjecture | Type

type input =
  | Formula of kind * name * role * top_formula * loc
  | Include of file * name list * loc

type tptp_file = input list

why3-1.6.0/plugins/tptp/tptp_lexer.mli000066400000000000000000000025561440160026300177550ustar00rootroot00000000000000(********************************************************************)
(*                                                                  *)
(*  The Why3 Verification Platform   /   The Why3 Development Team  *)
(*  Copyright 2010-2023 --  Inria - CNRS - Paris-Saclay University  *)
(*                                                                  *)
(*  This software is distributed under the terms of the GNU Lesser  *)
(*  General Public License version 2.1, with the special exception  *)
(*  on linking described in file LICENSE.                           *)
(*                                                                  *)
(********************************************************************)

exception FileNotFound of string

val load: string -> Tptp_ast.tptp_file
(** [load filename] loads and parses the file named [filename]. It
    also expands other included files in that file. As specified by
    the TPTP standard
    (http://www.cs.miami.edu/~tptp/TPTP/TR/TPTPTR.shtml), files
    included with relative path names are searched first under the
    directory of the main file, and if not found there then searched
    under the directory specified in the $TPTP environment variable.

    If the file, or one of its included file, is not found in the
    file system, then exception [FileNotFound s] is raised, where
    [s] is the name of the file not found.  *)
why3-1.6.0/plugins/tptp/tptp_lexer.mll000066400000000000000000000166321440160026300177600ustar00rootroot00000000000000(********************************************************************)
(*                                                                  *)
(*  The Why3 Verification Platform   /   The Why3 Development Team  *)
(*  Copyright 2010-2023 --  Inria - CNRS - Paris-Saclay University  *)
(*                                                                  *)
(*  This software is distributed under the terms of the GNU Lesser  *)
(*  General Public License version 2.1, with the special exception  *)
(*  on linking described in file LICENSE.                           *)
(*                                                                  *)
(********************************************************************)

{
  open Format
  open Lexing
  open Tptp_ast
  open Tptp_parser

  open Why3

  (* lexical errors *)

  exception IllegalLexeme of string
  exception UnterminatedComment
  exception UnknownDDW of string
  exception UnknownDW of string

  let () = Exn_printer.register (fun fmt e -> match e with
    | IllegalLexeme s -> fprintf fmt "illegal lexeme %s" s
    | UnterminatedComment -> pp_print_string fmt "unterminated comment"
    | UnknownDDW s -> fprintf fmt "unknown system_word %s" s
    | UnknownDW s -> fprintf fmt "unknown defined_word %s" s
    | _ -> raise e)

  let defwords = Hashtbl.create 97
  let () = List.iter (fun (x,y) -> Hashtbl.add defwords x y) [
    "ceiling", DWORD (DF DFceil);
    "difference", DWORD (DF DFdiff);
    "distinct", DWORD (DP DPdistinct);
    "false", DWORD (DP DPfalse);
    "floor", DWORD (DF DFfloor);
    "greater", DWORD (DP DPgreater);
    "greatereq", DWORD (DP DPgreatereq);
    "i", DWORD (DT DTuniv);
    "int", DWORD (DT DTint);
    "is_int", DWORD (DP DPisint);
    "is_rat", DWORD (DP DPisrat);
    "ite_f", ITE_F;
    "ite_t", ITE_T;
    "iType", DWORD (DT DTuniv);
    "let_tt", LET_TT;
    "let_ft", LET_FT;
    "let_tf", LET_TF;
    "let_ff", LET_FF;
    "less", DWORD (DP DPless);
    "lesseq", DWORD (DP DPlesseq);
    "o", DWORD (DT DTprop);
    "oType", DWORD (DT DTprop);
    "product", DWORD (DF DFprod);
    "quotient", DWORD (DF DFquot);
    "quotient_e", DWORD (DF DFquot_e);
    "quotient_t", DWORD (DF DFquot_t);
    "quotient_f", DWORD (DF DFquot_f);
    "rat", DWORD (DT DTrat);
    "real", DWORD (DT DTreal);
    "remainder_e", DWORD (DF DFrem_e);
    "remainder_t", DWORD (DF DFrem_t);
    "remainder_f", DWORD (DF DFrem_f);
    "round", DWORD (DF DFround);
    "sum", DWORD (DF DFsum);
    "to_int", DWORD (DF DFtoint);
    "to_rat", DWORD (DF DFtorat);
    "to_real", DWORD (DF DFtoreal);
    "true", DWORD (DP DPtrue);
    "truncate", DWORD (DF DFtrunc);
    "tType", DWORD (DT DTtype);
    "uminus", DWORD (DF DFumin);
  ]

  let keywords = Hashtbl.create 97
  let () = List.iter (fun (x,y) -> Hashtbl.add keywords x y) [
    "assumption", ASSUMPTION;
    "axiom", AXIOM;
    "cnf", CNFK;
    "conjecture", CONJECTURE;
    "corollary", COROLLARY;
    "definition", DEFINITION;
    "fof", FOFK;
    "hypothesis", HYPOTHESIS;
    "include", INCLUDE;
    "lemma", LEMMA;
    "negated_conjecture", NEGATED_CONJECTURE;
    "tff", TFFK;
    "theorem", THEOREM;
    "type", TYPE;
  ]

  let comment_start_loc = ref Loc.dummy_position

  let loc lb = Loc.extract (lexeme_start_p lb, lexeme_end_p lb)
}

let newline = '\n'
let space = [' ' '\t' '\r']

let lalpha = ['a'-'z']
let ualpha = ['A'-'Z']
let digit  = ['0'-'9']
let nzero  = ['1'-'9']

let alnum = lalpha | ualpha | digit | '_'
let lword = lalpha alnum*
let uword = ualpha alnum*

let positive = nzero digit*
let natural  = '0' | positive

let sq_char = [' '-'&' '('-'[' ']'-'~'] | '\\' ['\\' '\'']
let do_char = [' '-'!' '#'-'[' ']'-'~'] | '\\' ['\\' '"']

rule token = parse
  | newline
      { new_line lexbuf; token lexbuf }
  | space+
      { token lexbuf }
  | lword as id
      { try Hashtbl.find keywords id with Not_found -> LWORD id }
  | uword as id
      { UWORD id }
  | '\'' (lword as id) '\''
      { LWORD id }
  | '\'' sq_char+ '\'' as sq
      { SINGLE_QUOTED sq }
  | '"' (do_char* as dob) '"'
      { DISTINCT_OBJECT dob }
  | "$_"
      { DWORD (DT DTdummy) }
  | '$' (lword as id)
      { try Hashtbl.find defwords id with Not_found -> raise (UnknownDW id) }
  | "$$" (lword as id)
      { raise (UnknownDDW id) }
  | '+'? (natural as s)
      { INTPOSNUM s }
  | '-'  (natural as s)
      { INTNEGNUM s }
  | '+'? (natural as n) '/' (positive as d)
      { RATPOSNUM (n,d) }
  | '-'  (natural as n) '/' (positive as d)
      { RATNEGNUM (n,d) }
  | '+'? (natural as i) ('.' (digit+ as f))? (['e' 'E'] ('+'? (natural as e)))?
  | '+'? (natural as i) ('.' (digit+ as f))? (['e' 'E'] ('-'   natural as e))?
      { REALPOSNUM (i,f,e) }
  | '-'  (natural as i) ('.' (digit+ as f))? (['e' 'E'] ('+'? (natural as e)))?
  | '-'  (natural as i) ('.' (digit+ as f))? (['e' 'E'] ('-'   natural as e))?
      { REALNEGNUM (i,f,e) }
  | "/*/"
      { raise (IllegalLexeme "/*/") }
  | "/*"
      { comment_start_loc := loc lexbuf; comment_block lexbuf; token lexbuf }
  | "%"
      { comment_start_loc := loc lexbuf; comment_line  lexbuf; token lexbuf }
  | "."
      { DOT }
  | ","
      { COMMA }
  | ":"
      { COLON }
  | "("
      { LEFTPAR }
  | ")"
      { RIGHTPAR }
  | "["
      { LEFTSQ }
  | "]"
      { RIGHTSQ }
  | "-->"
      { LONGARROW }
  | "<="
      { LARROW }
  | "=>"
      { RARROW }
  | "<=>"
      { LRARROW }
  | "<~>"
      { NLRARROW }
  | "~&"
      { NAMP }
  | "~|"
      { NBAR }
  | "~"
      { TILDE }
  | "&"
      { AMP }
  | "|"
      { BAR }
  | "="
      { EQUAL }
  | "!="
      { NEQUAL }
  | "*"
      { STAR }
  | ">"
      { GT }
  | "!>"
      { PI }
  | "!"
      { BANG }
  | "?"
      { QUES }
  | eof
      { EOF }
  | _ as c
      { Lexlib.illegal_character c lexbuf }

and comment_block = parse
  | "*/"
      { () }
  | newline
      { new_line lexbuf; comment_block lexbuf }
  | eof
      { raise (Loc.Located (!comment_start_loc, UnterminatedComment)) }
  | _
      { comment_block lexbuf }

and comment_line = parse
  | newline
      { new_line lexbuf; () }
  | eof
      { () }
  | _
      { comment_line lexbuf }

{

let parse file c =
  let lb = Lexing.from_channel c in
  Loc.set_file file lb;
  Loc.with_location (tptp_file token) lb

exception FileNotFound of string

let load file =
  let dir = Filename.dirname file in
  let tptplib =
    try Some (Sys.getenv "TPTP")
    with Not_found -> None
  in
  let rec aux file =
    let ch,file =
      try (open_in file, file)
      with Sys_error _ ->
        if not (Filename.is_relative file) then raise (FileNotFound file) else
        try let f = Filename.concat dir file in (open_in f,f)
        with Sys_error _ ->
          match tptplib with
          | None ->
            raise (FileNotFound (file ^ " (warning: $TPTP was not set)"))
          | Some d ->
            try let f = Filename.concat d file in (open_in f,f)
            with Sys_error _ -> raise (FileNotFound file)
    in
    let ast = parse file ch in
    close_in ch;
    let ast =
      List.fold_left
        (fun acc d ->
          match d with
          | Formula _ -> d::acc
          | Include(file,_,_) ->
            let ast = aux file in
            List.rev_append ast acc)
        [] ast
    in List.rev ast
  in aux file

  let read_channel env path file c =
    let ast = parse file c in
    Tptp_typing.typecheck env path ast

  let () = Env.register_format Env.base_language "tptp" ["p";"ax"] read_channel
    ~desc:"TPTP format (CNF FOF FOFX TFF)"

}

(*
Local Variables:
compile-command: "unset LANG; make -C ../.. test"
End:
*)
why3-1.6.0/plugins/tptp/tptp_parser.mly000066400000000000000000000173051440160026300201500ustar00rootroot00000000000000(********************************************************************)
(*                                                                  *)
(*  The Why3 Verification Platform   /   The Why3 Development Team  *)
(*  Copyright 2010-2023 --  Inria - CNRS - Paris-Saclay University  *)
(*                                                                  *)
(*  This software is distributed under the terms of the GNU Lesser  *)
(*  General Public License version 2.1, with the special exception  *)
(*  on linking described in file LICENSE.                           *)
(*                                                                  *)
(********************************************************************)

%{
open Tptp_ast

let mk_expr n s e = { e_node = n; e_loc = Why3.Loc.extract (s,e) }

let remove_quotes s = String.sub s 1 (String.length s - 2)

exception UnsupportedRole of string

let () = Why3.Exn_printer.register (fun fmt exn -> match exn with
  | UnsupportedRole s -> Format.fprintf fmt "unsupported role %s" s
  | Error -> Format.pp_print_string fmt "syntax error"
  | _ -> raise exn)
%}

(* tokens *)

%token  LWORD UWORD
%token  DWORD
%token  SINGLE_QUOTED DISTINCT_OBJECT
%token  INTPOSNUM
%token  INTNEGNUM
%token  RATPOSNUM
%token  RATNEGNUM
%token  REALPOSNUM
%token  REALNEGNUM

(* keywords *)

%token ASSUMPTION AXIOM CNFK CONJECTURE COROLLARY DEFINITION FOFK
%token HYPOTHESIS INCLUDE LEMMA NEGATED_CONJECTURE TFFK
%token THEOREM TYPE

(* symbols *)

%token DOT COMMA COLON LEFTPAR RIGHTPAR LEFTSQ RIGHTSQ
%token LONGARROW LARROW RARROW LRARROW NLRARROW NAMP NBAR
%token TILDE EQUAL NEQUAL STAR GT PI BANG QUES BAR AMP
%token LET_TT LET_FT LET_TF LET_FF ITE_T ITE_F

%token EOF

(* entry points *)

%start  tptp_file
%%

tptp_file:
| input* EOF { $1 }

input:
| kind LEFTPAR name COMMA role COMMA top_formula annotation RIGHTPAR DOT
  { Formula ($1, $3, $5, $7, Why3.Loc.extract ($startpos, $endpos)) }
| INCLUDE LEFTPAR SINGLE_QUOTED formula_selection RIGHTPAR DOT
  { Include (remove_quotes $3, $4, Why3.Loc.extract ($startpos, $endpos)) }

kind:
| TFFK { TFF }
| FOFK { FOF }
| CNFK { CNF }

role:
| AXIOM               { Axiom }
| HYPOTHESIS          { Hypothesis }
| DEFINITION          { Definition }
| ASSUMPTION          { Assumption }
| LEMMA               { Lemma }
| THEOREM             { Theorem }
| CONJECTURE          { Conjecture }
| COROLLARY           { Corollary }
| NEGATED_CONJECTURE  { Negated_conjecture }
| TYPE                { Type }
| LWORD               { raise (UnsupportedRole $1) }

top_formula:
| formula     { LogicFormula $1 }
| typed_atom  { $1 }
| sequent     { $1 }

(* formula and term *)

expr(X):
| X { mk_expr $1 $startpos $endpos }

formula:
| expr(nonassoc_formula)  { $1 }
| expr(or_formula)        { $1 }
| expr(and_formula)       { $1 }
| unitary_formula         { $1 }

nonassoc_formula:
| unitary_formula nassoc unitary_formula  { Ebin ($2,$1,$3) }

or_formula:
| unitary_formula BAR unitary_formula     { Ebin (BOor,$1,$3) }
| expr(or_formula) BAR unitary_formula    { Ebin (BOor,$1,$3) }

and_formula:
| unitary_formula AMP unitary_formula     { Ebin (BOand,$1,$3) }
| expr(and_formula) AMP unitary_formula   { Ebin (BOand,$1,$3) }

unitary_formula:
| expr(unitary_formula_)    { $1 }
| LEFTPAR formula RIGHTPAR  { $2 }

unitary_formula_:
| ITE_F LEFTPAR formula COMMA formula COMMA formula RIGHTPAR
  { Eite ($3,$5,$7) }
| LET_FF LEFTPAR expr(formula_def) COMMA formula RIGHTPAR
  { Elet ($3,$5) }
| LET_TF LEFTPAR expr(term_def) COMMA formula RIGHTPAR
  { Elet ($3,$5) }
| quant LEFTSQ varlist RIGHTSQ COLON unitary_formula
  { Eqnt ($1,$3,$6) }
| TILDE unitary_formula
  { Enot $2 }
| term NEQUAL term
  { Enot (mk_expr (Eequ ($1,$3)) $startpos $endpos) }
| term EQUAL term
  { Eequ ($1,$3) }
| plain_term
  { $1 }

term:
| expr(term_) { $1 }

term_:
| ITE_T LEFTPAR formula COMMA term COMMA term RIGHTPAR
  { Eite ($3,$5,$7) }
| LET_FT LEFTPAR expr(formula_def) COMMA term RIGHTPAR
  { Elet ($3,$5) }
| LET_TT LEFTPAR expr(term_def) COMMA term RIGHTPAR
  { Elet ($3,$5) }
| DISTINCT_OBJECT
  { Edob $1 }
| pos_number
  { Enum $1 }
| neg_number
  { Edef (DF DFumin, [mk_expr (Enum $1) $startpos $endpos]) }
| plain_term
  { $1 }

plain_term:
| DWORD paren_list(term)        { Edef ($1,$2) }
| atomic_word paren_list(term)  { Eapp ($1,$2) }
| var_term                      { $1 }

var_term:
| UWORD { Evar $1 }

formula_def:
| BANG LEFTSQ varlist RIGHTSQ COLON expr(formula_def) { Eqnt (Qforall,$3,$6) }
| formula_def_inner                                   { $1 }

term_def:
| BANG LEFTSQ varlist RIGHTSQ COLON expr(term_def)    { Eqnt (Qforall,$3,$6) }
| term_def_inner                                      { $1 }

formula_def_inner:
| expr(def_lhs) LRARROW formula       { Ebin (BOequ,$1,$3) }
| LEFTPAR formula_def_inner RIGHTPAR  { $2 }

term_def_inner:
| expr(def_lhs) EQUAL term        { Eequ ($1,$3) }
| LEFTPAR term_def_inner RIGHTPAR { $2 }

def_lhs:
| atomic_word paren_list(expr(var_term)) { Eapp ($1,$2) }

varlist:
| comma_list(typed_var) { $1 }

typed_var:
| UWORD
  { $1, mk_expr (Edef (DT DTuniv, [])) $startpos $endpos }
| UWORD COLON atomic_type
  { $1, $3 }

(* typed_atom *)

typed_atom:
| untyped_atom COLON top_type  { TypedAtom ($1,$3) }
| LEFTPAR typed_atom RIGHTPAR  { $2 }

untyped_atom:
| atomic_word { $1 }

top_type:
| atomic_type               { [],([],$1) }
| mapping_type              { [],$1 }
| quantified_type           { $1 }
| LEFTPAR top_type RIGHTPAR { $2 }

quantified_type:
| PI LEFTSQ varlist RIGHTSQ COLON monotype  { $3,$6 }

monotype:
| atomic_type                    { [],$1 }
| LEFTPAR mapping_type RIGHTPAR  { $2 }

mapping_type:
| unitary_type GT atomic_type    { $1,$3 }

unitary_type:
| atomic_type                  { [$1] }
| LEFTPAR xprod_type RIGHTPAR  { $2 }

xprod_type:
| atomic_type STAR atomic_type  { [$1;$3] }
| xprod_type STAR atomic_type   { $1 @ [$3] }

(* atomic type *)

atomic_type:
| expr(atomic_type_)  { $1 }

atomic_type_:
| DWORD                               { Edef ($1,[]) }
| atomic_word paren_list(atomic_type) { Eapp ($1,$2) }
| var_term                            { $1 }

(* sequent *)

sequent:
| tuple LONGARROW tuple     { Sequent ($1,$3) }
| LEFTPAR sequent RIGHTPAR  { $2 }

tuple:
| LEFTSQ fl = separated_list(COMMA,formula) RIGHTSQ  { fl }

(* misc *)

quant:
| BANG      { Qforall }
| QUES      { Qexists }

nassoc:
| LARROW    { BOpmi }
| RARROW    { BOimp }
| LRARROW   { BOequ }
| NLRARROW  { BOnequ }
| NAMP      { BOnand }
| NBAR      { BOnor }

pos_number:
| INTPOSNUM  { Nint $1 }
| RATPOSNUM  { Nrat $1 }
| REALPOSNUM { Nreal $1 }

neg_number:
| INTNEGNUM  { Nint $1 }
| RATNEGNUM  { Nrat $1 }
| REALNEGNUM { Nreal $1 }

atomic_word:
| LWORD          { $1 }
| SINGLE_QUOTED  { $1 }
| reserved_word  { $1 }

reserved_word:
| ASSUMPTION          { "assumption" }
| AXIOM               { "axiom" }
| CNFK                { "cnf" }
| CONJECTURE          { "conjecture" }
| DEFINITION          { "definition" }
| FOFK                { "fof" }
| HYPOTHESIS          { "hypothesis" }
| INCLUDE             { "include" }
| LEMMA               { "lemma" }
| NEGATED_CONJECTURE  { "negated_conjecture" }
| TFFK                { "tff" }
| THEOREM             { "theorem" }
| TYPE                { "type" }

(* TODO: add support for annotations *)
annotation:
| (* epsilon *) { () }

formula_selection:
| (* epsilon *)                         { [] }
| COMMA LEFTSQ comma_list(name) RIGHTSQ { $3 }

name:
| atomic_word { $1 }
| INTPOSNUM   { $1 }
| INTNEGNUM   { "-" ^ $1 }

paren_list(X):
| (* epsilon *)                   { [] }
| LEFTPAR comma_list(X) RIGHTPAR  { $2 }

comma_list(X):
| separated_nonempty_list(COMMA,X)  { $1 }
why3-1.6.0/plugins/tptp/tptp_printer.ml000066400000000000000000000433311440160026300201440ustar00rootroot00000000000000(********************************************************************)
(*                                                                  *)
(*  The Why3 Verification Platform   /   The Why3 Development Team  *)
(*  Copyright 2010-2023 --  Inria - CNRS - Paris-Saclay University  *)
(*                                                                  *)
(*  This software is distributed under the terms of the GNU Lesser  *)
(*  General Public License version 2.1, with the special exception  *)
(*  on linking described in file LICENSE.                           *)
(*                                                                  *)
(********************************************************************)

open Format

open Why3
open Pp
open Ident
open Ty
open Term
open Decl
open Printer

let bls = ["true";"false"]

let ident_printer =
  let san = sanitizer char_to_alpha char_to_alnumus in
  create_ident_printer bls ~sanitizer:san

let pr_printer =
  let san = sanitizer char_to_lalpha char_to_alnumus in
  create_ident_printer bls ~sanitizer:san

let print_symbol fmt id =
  let san = Strings.uncapitalize in
  pp_print_string fmt (id_unique ~sanitizer:san ident_printer id)

let print_tvar fmt {tv_name = id} =
  let san = Strings.capitalize in
  pp_print_string fmt (id_unique ~sanitizer:san ident_printer id)

let print_var fmt {vs_name = id} =
  let san = Strings.capitalize in
  pp_print_string fmt (id_unique ~sanitizer:san ident_printer id)

let print_pr fmt pr =
  pp_print_string fmt (id_unique pr_printer pr.pr_name)

let forget_var v = forget_id ident_printer v.vs_name
let forget_tvar v = forget_id ident_printer v.tv_name

type tptp_format = FOF | TFF0 | TFF1

type tptp_number = TPTP | MetiTarski

type info = {
  info_syn : syntax_map;
  info_fmt : tptp_format;
  info_num : tptp_number;
  info_srt : ty Mty.t ref;
  info_urg : string list ref;
  info_rules : Decl.Spr.t;
}

let complex_type = Wty.memoize 3 (fun ty ->
  let s = Pp.string_of_wnl Pretty.print_ty ty in
  create_tysymbol (id_fresh s) [] NoDef)

let rec print_type info fmt ty = match ty.ty_node with
  | Tyvar _ when info.info_fmt = TFF0 ->
      unsupported "TFF0 does not support polymorphic types"
  | Tyvar tv -> print_tvar fmt tv
  | Tyapp (ts, tl) ->
      begin match query_syntax info.info_syn ts.ts_name, tl with
      | Some s, _ -> syntax_arguments s (print_type info) fmt tl
      | None, [] -> print_symbol fmt ts.ts_name
      | None, _ when info.info_fmt = TFF0 ->
          begin match Mty.find_opt ty !(info.info_srt) with
          | Some ty -> print_type info fmt ty
          | None ->
              let ts = complex_type ty in let cty = ty_app ts [] in
              let us = Pp.sprintf "@[tff(%s, type,@ %a:@ $tType).@]@\n@\n"
                (id_unique pr_printer ts.ts_name) print_symbol ts.ts_name in
              info.info_srt := Mty.add ty cty !(info.info_srt);
              info.info_urg := us :: !(info.info_urg);
              print_type info fmt cty
          end
      | None, tl ->
          fprintf fmt "@[%a(%a)@]" print_symbol ts.ts_name
            (print_list comma (print_type info)) tl
      end

let print_type info fmt ty = try print_type info fmt ty
  with Unsupported s -> raise (UnsupportedType (ty,s))

let number_format = {
    Number.long_int_support = `Default;
    Number.negative_int_support = `Default;
    Number.dec_int_support = `Default;
    Number.hex_int_support = `Unsupported;
    Number.oct_int_support = `Unsupported;
    Number.bin_int_support = `Unsupported;
    Number.negative_real_support = `Default;
    Number.dec_real_support = `Default;
    Number.hex_real_support = `Unsupported;
    Number.frac_real_support =
      `Custom
        ((fun fmt i -> fprintf fmt "$to_real(%s)" i),
         (fun fmt i n -> fprintf fmt "$quotient($to_real(%s),$to_real(%s))" i n));
}

let number_format_metitarski = {
    number_format with
    Number.frac_real_support =
      `Custom
        ((fun fmt i -> pp_print_string fmt i),
         (fun fmt i n -> fprintf fmt "(%s / %s)" i n));
  }

let print_const info fmt c =
  let supported = match info.info_num with
    | TPTP -> number_format
    | MetiTarski -> number_format_metitarski in
  Constant.(print supported unsupported_escape) fmt c

let rec print_app info fmt ls tl oty =
  match query_syntax info.info_syn ls.ls_name with
  | Some s -> syntax_arguments s (print_term info) fmt tl
  | None ->
      let sbs = ls_app_inst ls tl oty in
      if Mtv.is_empty sbs && tl = [] then
        print_symbol fmt ls.ls_name
      else begin
        let cm = if Mtv.is_empty sbs || tl = [] then "" else ", " in
        fprintf fmt "%a(%a%s%a)"
          print_symbol ls.ls_name
          (print_iter2 Mtv.iter comma nothing nothing (print_type info)) sbs
          cm
          (print_list comma (print_term info)) tl
      end

and print_term info fmt t = match t.t_node with
  | Tvar v ->
      print_var fmt v
  | Tapp (ls, tl) ->
      print_app info fmt ls tl t.t_ty
  | Tconst c ->
      print_const info fmt c
  | Tlet (t1,tb) ->
      let v,t2 = t_open_bound tb in
      fprintf fmt "$let_tt(%a@ =@ %a,@ %a)"
        print_symbol v.vs_name (print_term info) t1 (print_term info) t2;
      forget_var v
  | Tif (f1,t1,t2) ->
      fprintf fmt "$ite_t(%a,@ %a,@ %a)"
        (print_fmla info) f1 (print_term info) t1 (print_term info) t2
  | Tcase _ -> unsupportedTerm t
      "TPTP does not support pattern matching, use eliminate_algebraic"
  | Teps _ -> unsupportedTerm t
      "TPTP does not support epsilon-terms"
  | Tquant _ | Tbinop _ | Tnot _ | Ttrue | Tfalse -> raise (TermExpected t)

and print_fmla info fmt f = match f.t_node with
  | Tapp (ls, tl) ->
      print_app info fmt ls tl f.t_ty
  | Tbinop (op, f1, f2) ->
      let s = match op with
        | Tand -> "&" | Tor -> "|" | Timplies -> "=>" | Tiff -> "<=>" in
      fprintf fmt "(%a@ %s %a)" (print_fmla info) f1 s (print_fmla info) f2
  | Tnot f ->
      fprintf fmt "~@ %a" (print_fmla info) f
  | Ttrue ->
      pp_print_string fmt "$true"
  | Tfalse ->
      pp_print_string fmt "$false"
  | Tquant (q, fq) ->
      let q = match q with Tforall -> "!" | Texists -> "?" in
      let vl, _tl, f = t_open_quant fq in
      let print_vsty fmt vs =
        if info.info_fmt = FOF then print_var fmt vs
        else fprintf fmt "%a:@,%a" print_var vs (print_type info) vs.vs_ty in
      fprintf fmt "%s[%a]:@ %a" q
        (print_list comma print_vsty) vl (print_fmla info) f;
      List.iter forget_var vl
  | Tlet (t1,tb) ->
      let v,t2 = t_open_bound tb in
      fprintf fmt "$let_tf(%a@ =@ %a,@ %a)"
        print_symbol v.vs_name (print_term info) t1 (print_fmla info) t2;
      forget_var v
  | Tif (f1,t1,t2) ->
      fprintf fmt "$ite_f(%a,@ %a,@ %a)"
        (print_fmla info) f1 (print_fmla info) t1 (print_fmla info) t2
  | Tcase _ -> unsupportedTerm f
      "TPTP does not support pattern matching, use eliminate_algebraic"
  | Tvar _ | Tconst _ | Teps _ -> raise (FmlaExpected f)

let print_tvarg fmt tv = fprintf fmt "%a : $tType" print_tvar tv
let print_tvargs fmt tvs = print_iter1 Stv.iter comma print_tvarg fmt tvs

let star fmt _ = fprintf fmt " *@ "

let print_fmla info fmt f =
  let tvs = t_ty_freevars Stv.empty f in
  if Stv.is_empty tvs then print_fmla info fmt f else
  fprintf fmt "![%a]:@ %a" print_tvargs tvs (print_fmla info) f;
  Stv.iter forget_tvar tvs

let print_decl info fmt d = match d.d_node with
  | Dtype _ when info.info_fmt = FOF -> ()
  | Dtype { ts_def = Alias _ } -> ()
  | Dtype { ts_args = _::_ } when info.info_fmt = TFF0 -> ()
  | Dtype ts when query_syntax info.info_syn ts.ts_name <> None -> ()
  | Dtype ts ->
      let print_arg fmt _ = pp_print_string fmt "$tType" in
      let print_sig fmt ts = match ts.ts_args with
        | [] -> pp_print_string fmt "$tType"
        | [_] -> fprintf fmt "$tType >@ $tType"
        | tl -> fprintf fmt "(%a) >@ $tType" (print_list star print_arg) tl
      in
      fprintf fmt "@[tff(%s, type,@ %a:@ %a).@]@\n@\n"
        (id_unique pr_printer ts.ts_name)
        print_symbol ts.ts_name print_sig ts
  | Dparam _ when info.info_fmt = FOF -> ()
  | Dparam ls when query_syntax info.info_syn ls.ls_name <> None -> ()
  | Dparam ls ->
      let print_type = print_type info in
      let print_val fmt = function
        | Some ty -> print_type fmt ty
        | None -> fprintf fmt "$o" in
      let print_sig fmt ls = match ls.ls_args with
        | [] -> print_val fmt ls.ls_value
        | [ty] -> fprintf fmt "%a >@ %a"
            print_type ty print_val ls.ls_value
        | tl -> fprintf fmt "(%a) >@ %a"
            (print_list star print_type) tl print_val ls.ls_value in
      let print_sig fmt ls =
        let tvs = List.fold_left ty_freevars Stv.empty ls.ls_args in
        let tvs = oty_freevars tvs ls.ls_value in
        if Stv.is_empty tvs then
          print_sig fmt ls
        else if ls.ls_args = [] then
          fprintf fmt "!>[%a]:@ %a" print_tvargs tvs print_sig ls
        else
          fprintf fmt "!>[%a]:@ (%a)" print_tvargs tvs print_sig ls;
        Stv.iter forget_tvar tvs
      in
      fprintf fmt "@[tff(%s, type,@ %a:@ %a).@]@\n@\n"
        (id_unique pr_printer ls.ls_name)
        print_symbol ls.ls_name print_sig ls
  | Ddata _ -> unsupportedDecl d
      "TPTP does not support algebraic datatypes, use eliminate_algebraic"
  | Dlogic _ -> unsupportedDecl d
      "Definitions are not supported, use eliminate_definition"
  | Dind _ -> unsupportedDecl d
      "TPTP does not support inductive predicates, use eliminate_inductive"
  | Dprop (Paxiom, pr, _) when Mid.mem pr.pr_name info.info_syn -> ()
  | Dprop (Paxiom, pr, f) ->
(*
    Format.eprintf "Dprop for %s: rewrite rules:" pr.pr_name.id_string;
    Spr.iter (fun pr -> Format.eprintf " %s" pr.pr_name.id_string) info.info_rules;
    Format.eprintf "@.";
*)
    let annotation = if Spr.mem pr info.info_rules then ",rewrite" else "" in
    let head = if info.info_fmt = FOF then "fof" else "tff" in
    fprintf fmt "@[%s(%a, axiom,@ %a%s).@]@\n@\n"
      head print_pr pr (print_fmla info) f annotation
  | Dprop (Pgoal, pr, f) ->
      let head = if info.info_fmt = FOF then "fof" else "tff" in
      fprintf fmt "@[%s(%a, conjecture,@ %a).@]@\n"
        head print_pr pr (print_fmla info) f
  | Dprop (Plemma, _, _) -> assert false

let print_decls fm nm =
(*
  Format.eprintf "rewrite rules:";
  Spr.iter (fun pr -> Format.eprintf " %s" pr.pr_name.id_string) rew_rules;
  Format.eprintf "@.";
*)
  let print_decl (sm,fm,rr,ct) fmt d =
    let info = { info_syn = sm;
                 info_fmt = fm;
                 info_num = nm;
                 info_srt = ref ct;
                 info_urg = ref [];
                 info_rules = rr } in
    try print_decl info fmt d;
        (sm,fm,rr,!(info.info_srt)), !(info.info_urg)
    with Unsupported s -> raise (UnsupportedDecl (d,s)) in
  let print_decl = Printer.sprint_decl print_decl in
  let print_decl task acc = print_decl task.Task.task_decl acc in
  Discriminate.on_syntax_map (fun sm ->
  Trans.on_tagged_pr Compute.meta_rewrite (fun rr ->
    Trans.fold print_decl ((sm,fm,rr,Mty.empty),[])))

let print_task fm nm =
  let print_decls = print_decls fm nm in
  fun args ?old:_ fmt task ->
    (* In trans-based p-printing [forget_all] is a no-no *)
    (* forget_all ident_printer; *)
    print_prelude fmt args.prelude;
    print_th_prelude task fmt args.th_prelude;
    let rec print = function
      | x :: r -> print r; Pp.string fmt x
      | [] -> () in
    print (snd (Trans.apply print_decls task));
    pp_print_flush fmt ()

let () =
  register_printer "tptp-tff0" (print_task TFF0 TPTP) ~desc:"TPTP TFF0 format";
  register_printer "tptp-tff1" (print_task TFF1 TPTP) ~desc:"TPTP TFF1 format";
  register_printer "tptp-fof"  (print_task FOF  TPTP) ~desc:"TPTP FOF format"

let () =
  register_printer "metitarski" (print_task FOF MetiTarski)
    ~desc:"MetiTarski TPTP format"

(** DFG input format for SPASS >= 3.8
    (with the help of Daniel Wand)

    TODO:
    - type arguments for polymorphic functions and predicates
    - data types
  *)

let is_type info d = match d.d_node with
  | Dtype ts -> query_syntax info.info_syn ts.ts_name = None
  | Ddata _ -> unsupportedDecl d "no data types"
  | _ -> false
let is_function info d = match d.d_node with
  | Dparam ls ->
      ls.ls_value <> None && query_syntax info.info_syn ls.ls_name = None
  | _ -> false
let is_predicate info d = match d.d_node with
  | Dparam ls ->
      ls.ls_value = None &&  query_syntax info.info_syn ls.ls_name = None
  | _ -> false

let ls_arity fmt d = match d.d_node with
  | Dparam ls ->
      let ntv = Stv.cardinal (ls_ty_freevars ls) in
      let na = List.length ls.ls_args in
      if ntv = 0 then fprintf fmt "(%a, %d)" print_symbol ls.ls_name na
      else fprintf fmt "(%a, %d+%d)" print_symbol ls.ls_name ntv na
  | _ -> assert false
let type_arity fmt d = match d.d_node with
  | Dtype ts ->
      let ntv = List.length ts.ts_args in
      if ntv = 0 then print_symbol fmt ts.ts_name
      else fprintf fmt "(%a, %d)" print_symbol ts.ts_name ntv
  | _ -> assert false

let ls_type kind info fmt d = match d.d_node with
  | Dparam ls ->
      fprintf fmt "%s(@[%a" kind print_symbol ls.ls_name;
      let tvs = ls_ty_freevars ls in
      if not (Stv.is_empty tvs) then
        fprintf fmt ", [%a]" (print_list comma print_tvar) (Stv.elements tvs);
      begin match ls.ls_value, ls.ls_args with
        | None, [] -> ()
        | None, _ ->
            fprintf fmt ", %a" (print_list comma (print_type info)) ls.ls_args
        | Some ty, [] -> fprintf fmt ", %a" (print_type info) ty
        | Some ty, _ ->
            fprintf fmt ", (%a) %a" (print_list comma (print_type info))
              ls.ls_args (print_type info) ty
      end;
      fprintf fmt "@]).@\n";
      Stv.iter forget_tvar tvs
  | _ -> assert false

let rec print_app info fmt ls tl oty =
  match query_syntax info.info_syn ls.ls_name with
  | Some s -> syntax_arguments s (print_term info) fmt tl
  | None ->
      print_symbol fmt ls.ls_name;
      let sbs = ls_app_inst ls tl oty in
      if not (Mtv.is_empty sbs) then
        fprintf fmt "<%a>"
          (print_iter2 Mtv.iter comma nothing nothing (print_type info)) sbs;
      if tl <> [] then
        fprintf fmt "(%a)"
          (print_list comma (print_term info)) tl

and print_term info fmt t = match t.t_node with
  | Tvar v ->
      print_var fmt v
  | Tapp (ls, tl) ->
      print_app info fmt ls tl t.t_ty
  | Tconst c ->
      Constant.(print number_format unsupported_escape) fmt c
  | Tlet _ -> unsupportedTerm t
      "DFG does not support let, use eliminate_let"
  | Tif _ -> unsupportedTerm t
      "DFG does not support if, use eliminate_if"
  | Tcase _ -> unsupportedTerm t
      "TPTP does not support pattern matching, use eliminate_algebraic"
  | Teps _ -> unsupportedTerm t
      "TPTP does not support epsilon-terms"
  | Tquant _ | Tbinop _ | Tnot _ | Ttrue | Tfalse -> raise (TermExpected t)

let rec print_fmla info fmt f = match f.t_node with
  | Tapp (ls, tl) ->
      print_app info fmt ls tl f.t_ty
  | Tbinop (op, f1, f2) ->
      let s = match op with
        | Tand -> "and" | Tor -> "or"
        | Timplies -> "implies" | Tiff -> "equiv" in
      fprintf fmt "%s(%a,@ %a)" s (print_fmla info) f1 (print_fmla info) f2
  | Tnot f ->
      fprintf fmt "not(%a)" (print_fmla info) f
  | Ttrue ->
      pp_print_string fmt "true"
  | Tfalse ->
      pp_print_string fmt "false"
  | Tquant (q, fq) ->
      let q = match q with Tforall -> "forall" | Texists -> "exists" in
      let vl, _tl, f = t_open_quant fq in
      let print_vsty fmt vs =
        fprintf fmt "%a:@,%a" print_var vs (print_type info) vs.vs_ty in
      fprintf fmt "%s([%a],@ %a)" q
        (print_list comma print_vsty) vl (print_fmla info) f;
      List.iter forget_var vl
  | Tlet _ -> unsupportedTerm f
      "DFG does not support let, use eliminate_let"
  | Tif _ -> unsupportedTerm f
      "DFG does not support if, use eliminate_if"
  | Tcase _ -> unsupportedTerm f
      "DFG does not support pattern matching, use eliminate_algebraic"
  | Tvar _ | Tconst _ | Teps _ -> raise (FmlaExpected f)

let print_axiom info fmt d = match d.d_node with
  | Dprop (Paxiom, pr, _) when Mid.mem pr.pr_name info.info_syn -> ()
  | Dprop (Paxiom, pr, f) ->
      fprintf fmt "@[formula(%a, %a).@]@\n"
        (print_fmla info) f print_pr pr
  | _ -> ()

let print_dfg args ?old:_ fmt task =
  forget_all ident_printer;
  forget_all pr_printer;
  fprintf fmt "@[begin_problem(why3).@\n@\n";
  print_prelude fmt args.prelude;
  print_th_prelude task fmt args.th_prelude;
  fprintf fmt "list_of_descriptions.@\n";
  fprintf fmt
    "name({**}). author({**}). status(unknown). description({**}).@\n";
  fprintf fmt "end_of_list.@\n@\n";
  let info = {
    info_syn = get_syntax_map task;
    info_fmt = FOF;
    info_num = TPTP;
    info_urg = ref [];
    info_srt = ref Mty.empty ;
    info_rules = Spr.empty;
  } in
  let dl = Task.task_decls task in
  let tl = List.filter (is_type info) dl in
  let fl = List.filter (is_function info) dl in
  let pl = List.filter (is_predicate info) dl in
  (* arities *)
  fprintf fmt "list_of_symbols.@\n";
  fprintf fmt "functions [@[%a@]].@\n" (print_list comma ls_arity) fl;
  fprintf fmt "predicates [@[%a@]].@\n" (print_list comma ls_arity) pl;
  fprintf fmt "sorts [@[%a@]].@\n" (print_list comma type_arity) tl;
  fprintf fmt "end_of_list.@\n@\n";
  (* types *)
  fprintf fmt "list_of_declarations.@\n";
  List.iter (ls_type "function" info fmt) fl;
  List.iter (ls_type "predicate" info fmt) pl;
  fprintf fmt "end_of_list.@\n@\n";

  fprintf fmt "list_of_formulae(axioms).@\n";
  List.iter (print_axiom info fmt) dl;
  fprintf fmt "end_of_list.@\n@\n";
  fprintf fmt "list_of_formulae(conjectures).@\n";

  let f = Task.task_goal_fmla task in
  fprintf fmt "@[formula(%a, %a)@].@\n" (print_fmla info) f
    print_pr (Task.task_goal task);
  fprintf fmt "end_of_list.@\n@\n";
  fprintf fmt "end_problem.@\n"

let () =
  register_printer "dfg" print_dfg ~desc:"First-order monomorphic DFG format"
why3-1.6.0/plugins/tptp/tptp_printer.mli000066400000000000000000000013071440160026300203120ustar00rootroot00000000000000(********************************************************************)
(*                                                                  *)
(*  The Why3 Verification Platform   /   The Why3 Development Team  *)
(*  Copyright 2010-2023 --  Inria - CNRS - Paris-Saclay University  *)
(*                                                                  *)
(*  This software is distributed under the terms of the GNU Lesser  *)
(*  General Public License version 2.1, with the special exception  *)
(*  on linking described in file LICENSE.                           *)
(*                                                                  *)
(********************************************************************)

why3-1.6.0/plugins/tptp/tptp_typing.ml000066400000000000000000000621311440160026300177720ustar00rootroot00000000000000(********************************************************************)
(*                                                                  *)
(*  The Why3 Verification Platform   /   The Why3 Development Team  *)
(*  Copyright 2010-2023 --  Inria - CNRS - Paris-Saclay University  *)
(*                                                                  *)
(*  This software is distributed under the terms of the GNU Lesser  *)
(*  General Public License version 2.1, with the special exception  *)
(*  on linking described in file LICENSE.                           *)
(*                                                                  *)
(********************************************************************)

open Format
open Tptp_ast

open Why3
open Wstdlib
open Ident
open Ty
open Term
open Decl
open Theory

let error = Loc.error
let errorm = Loc.errorm

exception DuplicateVar of string
exception TypeExpected
exception TermExpected
exception FmlaExpected
exception InvalidDummy
exception MalformedLet
exception DependentTy
exception NonNumeric
exception BadArity

let () = Exn_printer.register (fun fmt e -> match e with
  | DuplicateVar s -> fprintf fmt "variable %s is used twice" s
  | TypeExpected -> pp_print_string fmt "type expression expected"
  | TermExpected -> pp_print_string fmt "term expression expected"
  | FmlaExpected -> pp_print_string fmt "formula expression expected"
  | InvalidDummy -> pp_print_string fmt "unexpected type placeholder"
  | MalformedLet -> pp_print_string fmt "malformed let-expression"
  | DependentTy  -> pp_print_string fmt "dependent type"
  | NonNumeric   -> pp_print_string fmt "non-numeric argument"
  | BadArity     -> pp_print_string fmt "bad arity"
  | _ -> raise e)

type symbol =
  | STSko of ty
  | STVar of tvsymbol
  | SVar  of vsymbol
  | SType of tysymbol
  | SFunc of tvsymbol list * tvsymbol list * Stv.t * lsymbol
  | SPred of tvsymbol list * tvsymbol list * Stv.t * lsymbol
  | SletF of tvsymbol list * Stv.t * vsymbol list * term
  | SletP of tvsymbol list * Stv.t * vsymbol list * term
  | Sdobj of lsymbol
  | Suse  of theory

(* dead code
type env = symbol Mstr.t

type implicit = symbol Hstr.t
*)

(** Defined symbols : arithmetic etc... *)

type denv = {
  de_env   : Env.env;

  th_univ  : theory;
  ts_univ  : tysymbol;
  ty_univ  : ty;

  th_ghost : theory;
  ts_ghost : tysymbol;
  fs_ghost : lsymbol;

  th_int   : theory;
  th_real  : theory;
  th_rat   : theory;
  ts_rat   : tysymbol;
}

let make_denv env =
  let get_theory s = Env.read_theory env ["tptp"] s in
  let th_univ = get_theory "Univ" in
  let th_ghost = get_theory "Ghost" in
  let th_rat = get_theory "Rat" in
  let ts_univ = ns_find_ts th_univ.th_export ["iType"] in
  { de_env   = env;

    th_univ  = th_univ;
    ts_univ  = ts_univ;
    ty_univ  = ty_app ts_univ [];

    th_ghost = th_ghost;
    ts_ghost = ns_find_ts th_ghost.th_export ["gh"];
    fs_ghost = ns_find_ls th_ghost.th_export ["gh"];

    th_int   = get_theory "Int";
    th_real  = get_theory "Real";
    th_rat   = th_rat;
    ts_rat   = ns_find_ts th_rat.th_export ["rat"];
  }

let add_theory env impl th =
  let s = "$th$" ^ th.th_name.id_string in
  if not (Mstr.mem s env) then Hstr.replace impl s (Suse th)

let defined_ty ~loc denv env impl dw tyl =
  let ts = match dw with
    | DT DTuniv -> denv.ts_univ
    | DT DTint -> ts_int
    | DT DTreal -> ts_real
    | DT DTrat -> add_theory env impl denv.th_rat; denv.ts_rat
    | DT DTdummy -> error ~loc InvalidDummy
    | DT (DTtype|DTprop) | DF _ | DP _ -> error ~loc TypeExpected
  in
  Loc.try2 ~loc ty_app ts tyl

let defined_arith ~loc denv env impl dw tl =
  let ts = match tl with
    | { t_ty = Some {ty_node = Tyapp (ts,[]) }}::_ -> ts
    | _::_ -> error ~loc NonNumeric
    | [] -> error ~loc BadArity in
  let get_theory s = Env.read_theory denv.de_env ["tptp"] s in
  let get_int_theory = function
    | DF DFquot -> errorm ~loc "$quotient/2 is not defined on $int"
    | DF (DFquot_e|DFrem_e) -> get_theory "IntDivE"
    | DF (DFquot_t|DFrem_t) -> get_theory "IntDivT"
    | DF (DFquot_f|DFrem_f) -> get_theory "IntDivF"
    | DF (DFfloor|DFceil|DFtrunc|DFround|DFtoint)
    | DP (DPisint|DPisrat) -> get_theory "IntTrunc"
    | DF DFtorat -> get_theory "IntToRat"
    | DF DFtoreal -> get_theory "IntToReal"
    | _ -> denv.th_int in
  let get_rat_theory = function
    | DF (DFquot_e|DFrem_e) -> get_theory "RatDivE"
    | DF (DFquot_t|DFrem_t) -> get_theory "RatDivT"
    | DF (DFquot_f|DFrem_f) -> get_theory "RatDivF"
    | DF (DFfloor|DFceil|DFtrunc|DFround|DFtoint) -> get_theory "RatTrunc"
    | DF DFtoreal -> get_theory "RatToReal"
    | _ -> denv.th_rat in
  let get_real_theory = function
    | DF (DFquot_e|DFrem_e) -> get_theory "RealDivE"
    | DF (DFquot_t|DFrem_t) -> get_theory "RealDivT"
    | DF (DFquot_f|DFrem_f) -> get_theory "RealDivF"
    | DF (DFfloor|DFceil|DFtrunc|DFround|DFtoint)
    | DP (DPisint|DPisrat) -> get_theory "RealTrunc"
    | DF DFtorat -> get_theory "RealToRat"
    | _ -> denv.th_real in
  let th =
    if ts_equal ts ts_int then get_int_theory dw else
    if ts_equal ts denv.ts_rat then get_rat_theory dw else
    if ts_equal ts ts_real then get_real_theory dw else
    error ~loc NonNumeric
  in
  add_theory env impl th;
  let ls = match dw with
    | DF DFumin -> ns_find_ls th.th_export [op_prefix "-"]
    | DF DFsum -> ns_find_ls th.th_export [op_infix "+"]
    | DF DFdiff -> ns_find_ls th.th_export [op_infix "-"]
    | DF DFprod -> ns_find_ls th.th_export [op_infix "*"]
    | DF DFquot -> ns_find_ls th.th_export [op_infix "/"]
    | DF DFquot_e -> ns_find_ls th.th_export ["div"]
    | DF DFquot_t -> ns_find_ls th.th_export ["div_t"]
    | DF DFquot_f -> ns_find_ls th.th_export ["div_f"]
    | DF DFrem_e -> ns_find_ls th.th_export ["mod"]
    | DF DFrem_t -> ns_find_ls th.th_export ["mod_t"]
    | DF DFrem_f -> ns_find_ls th.th_export ["mod_f"]
    | DF DFfloor -> ns_find_ls th.th_export ["floor"]
    | DF DFceil -> ns_find_ls th.th_export ["ceiling"]
    | DF DFtrunc -> ns_find_ls th.th_export ["truncate"]
    | DF DFround -> ns_find_ls th.th_export ["round"]
    | DF DFtoint -> ns_find_ls th.th_export ["to_int"]
    | DF DFtorat -> ns_find_ls th.th_export ["to_rat"]
    | DF DFtoreal -> ns_find_ls th.th_export ["to_real"]
    | DP DPless -> ns_find_ls th.th_export [op_infix "<"]
    | DP DPlesseq -> ns_find_ls th.th_export [op_infix "<="]
    | DP DPgreater -> ns_find_ls th.th_export [op_infix ">"]
    | DP DPgreatereq -> ns_find_ls th.th_export [op_infix ">="]
    | DP DPisint -> ns_find_ls th.th_export ["is_int"]
    | DP DPisrat -> ns_find_ls th.th_export ["is_rat"]
    | DP (DPtrue|DPfalse|DPdistinct) | DT _ -> assert false
  in
  Loc.try2 ~loc t_app_infer ls tl

let defined_expr ~loc is_fmla denv env impl dw tl = match dw, tl with
  | (DT DTdummy), _ -> error ~loc InvalidDummy
  | (DF _|DT _), _ when is_fmla -> error ~loc FmlaExpected
  | (DP _|DT _), _ when not is_fmla -> error ~loc TermExpected
  | (DP DPtrue|DP DPfalse), _::_ -> error ~loc BadArity
  | DP DPtrue, [] -> t_true
  | DP DPfalse, [] -> t_false
  | DP DPdistinct, _ ->
      let rec dist acc = function
        | t::tl ->
            let add acc s = t_and_simp acc (t_neq t s) in
            dist (List.fold_left add acc tl) tl
        | _ -> acc
      in
      Loc.try2 ~loc dist t_true tl
  | _ -> defined_arith ~loc denv env impl dw tl

(** TPTP environment *)

let find_tv ~loc env impl s =
  let tv = try Mstr.find s env with Not_found ->
    try Hstr.find impl s with Not_found ->
      let tv = STVar (create_tvsymbol (id_user s loc)) in
      Hstr.add impl s tv;
      tv in
  match tv with
    | STVar tv -> ty_var tv
    | STSko ty -> ty
    | _ -> error ~loc TypeExpected

let find_vs ~loc denv env impl s =
  let vs = try Mstr.find s env with Not_found ->
    try Hstr.find impl s with Not_found ->
      let vs = SVar (create_vsymbol (id_user s loc) denv.ty_univ) in
      Hstr.add impl s vs;
      vs in
  match vs with
    | SVar vs -> t_var vs
    | _ -> error ~loc TermExpected

let find_ts ~loc env impl s args =
  let ts = try Mstr.find s env with Not_found ->
    try Hstr.find impl s with Not_found ->
      let args = List.map (fun _ -> create_tvsymbol (id_fresh "a")) args in
      let ss = if s = "int" || s = "real" then "_" ^ s else s in
      let ts = SType (create_tysymbol (id_user ss loc) args NoDef) in
      Hstr.add impl s ts;
      ts in
  match ts with
    | SType ts -> ts
    | _ -> error ~loc TypeExpected

let find_fs ~loc denv env impl s args =
  try Mstr.find s env with Not_found ->
    try Hstr.find impl s with Not_found ->
      let args = List.map (fun _ -> denv.ty_univ) args in
      let fs = create_fsymbol (id_user s loc) args denv.ty_univ in
      let fs = SFunc ([],[],Stv.empty,fs) in
      Hstr.add impl s fs;
      fs

let find_ps ~loc denv env impl s args =
  try Mstr.find s env with Not_found ->
    try Hstr.find impl s with Not_found ->
      let args = List.map (fun _ -> denv.ty_univ) args in
      let ps = create_psymbol (id_user s loc) args in
      let ps = SPred ([],[],Stv.empty,ps) in
      Hstr.add impl s ps;
      ps

let find_dobj ~loc denv env impl s =
  let ds = "$do$" ^ s in
  let fs = try Mstr.find ds env with Not_found ->
    try Hstr.find impl ds with Not_found ->
      let id = id_user ("do_" ^ s) loc in
      let fs = Sdobj (create_fsymbol id [] denv.ty_univ) in
      Hstr.add impl ds fs;
      fs in
  match fs with
    | Sdobj fs -> fs_app fs [] denv.ty_univ
    | _ -> assert false (* impossible *)

let ty_check loc s ty1 t =
  Loc.try3 ~loc ty_match s ty1 (Opt.get t.t_ty)

let rec ty denv env impl { e_loc = loc; e_node = n } = match n with
  | Eapp (aw,al) ->
      let ts = find_ts ~loc env impl aw al in
      let tyl = List.map (ty denv env impl) al in
      Loc.try2 ~loc ty_app ts tyl
  | Edef (dw,al) ->
      let tyl = List.map (ty denv env impl) al in
      defined_ty ~loc denv env impl dw tyl
  | Evar v ->
      find_tv ~loc env impl v
  | Elet _ | Eite _ | Eqnt _ | Ebin _
  | Enot _ | Eequ _ | Edob _ | Enum _ -> error ~loc TypeExpected

let t_int_const s =
  let int_lit = Number.(int_literal ILitDec ~neg:false s) in
  t_const (Constant.ConstInt int_lit) ty_int

(* unused
let t_real_const r = t_const (Number.ConstReal r)
*)

let rec term denv env impl { e_loc = loc; e_node = n } = match n with
  | Eapp (aw,al) ->
      begin match find_fs ~loc denv env impl aw al with
        | SFunc (tvl,gl,mvs,fs) -> ls_args denv env impl loc fs tvl gl mvs al
        | SletF (tvl,mvs,vl,e) -> let_args denv env impl loc e tvl mvs vl al
        | SVar v -> t_var v
        | _ -> error ~loc TermExpected
      end
  | Edef (dw,al) ->
      let tl = List.map (term denv env impl) al in
      defined_expr ~loc false denv env impl dw tl
  | Evar v ->
      find_vs ~loc denv env impl v
  | Edob s ->
      find_dobj ~loc denv env impl s
  | Enum (Nint s) -> t_int_const s
  | Enum (Nreal (i,f,e)) ->
      let real_lit = Number.(real_literal ~radix:10 ~neg:false ~int:i
                               ~frac:(Opt.get_def "0" f) ~exp:e) in
      t_const (Constant.ConstReal real_lit) ty_real
  | Enum (Nrat (n,d)) ->
      let n = t_int_const n and d = t_int_const d in
      let frac = ns_find_ls denv.th_rat.th_export ["frac"] in
      add_theory env impl denv.th_rat;
      t_app_infer frac [n;d]
  | Elet (def,e) ->
      let env,s = let_defn denv env impl def in
      begin match Mstr.find s env with
        | SletF ([],_,[],t) ->
            let id = id_user s def.e_loc in
            let vs = create_vsymbol id (Opt.get t.t_ty) in
            let env = Mstr.add s (SVar vs) env in
            let t1 = term denv env impl e in
            t_let_close vs t t1
        | _ ->
            term denv env impl e
      end
  | Eite (e1,e2,e3) ->
      (* we can't fix the polarity of the condition here,
         hence type quantifiers are forbidden in terms *)
      let cn,_ = fmla denv env impl None [] e1 in
      let th = term denv env impl e2 in
      let el = term denv env impl e3 in
      t_if cn th el
  | Eqnt _ | Ebin _ | Enot _ | Eequ _ -> error ~loc TermExpected

and fmla denv env impl pol tvl { e_loc = loc; e_node = n } = match n with
  | Eapp (aw,al) ->
      begin match find_ps ~loc denv env impl aw al with
        | SPred (tvl,gl,mvs,ps) -> ls_args denv env impl loc ps tvl gl mvs al
        | SletP (tvl,mvs,vl,e) -> let_args denv env impl loc e tvl mvs vl al
        | _ -> error ~loc FmlaExpected
      end, false
  | Edef (dw,al) ->
      let tl = List.map (term denv env impl) al in
      defined_expr ~loc true denv env impl dw tl, false
  | Elet (def,e) ->
      let env,s = let_defn denv env impl def in
      begin match Mstr.find s env with
        | SletF ([],_,[],t) ->
            let id = id_user s def.e_loc in
            let vs = create_vsymbol id (Opt.get t.t_ty) in
            let env = Mstr.add s (SVar vs) env in
            let f,b = fmla denv env impl pol tvl e in
            t_let_close vs t f, b
        | _ ->
            fmla denv env impl pol tvl e
      end
  | Eqnt (quant,vl,e1) ->
      let vlist (env,pol,tvl,vl,b) (s,e) =
        let loc = e.e_loc in
        if e.e_node = Edef (DT DTtype, []) then
          match pol,quant with
            | None, _ ->
                errorm ~loc "Invalid type quantifier"
            | Some true, Qexists  (* goals *)
            | Some false, Qforall (* premises *) ->
                let tv = create_tvsymbol (id_user s loc) in
                Mstr.add s (STVar tv) env, pol, tv::tvl, vl, true
            | Some true, Qforall  (* goals *)
            | Some false, Qexists (* premises *) ->
                let _,ln,cn,_,_ = Loc.get loc in
                let sk = Format.sprintf "_%s_%d_%d" s ln cn in
                let ts = create_tysymbol (id_user sk loc) tvl NoDef in
                let tv = ty_app ts (List.map ty_var tvl) in
                Hstr.add impl sk (SType ts);
                Mstr.add s (STSko tv) env, pol, tvl, vl, true
        else
          let ty = ty denv env impl e in
          let vs = create_vsymbol (id_user s loc) ty in
          Mstr.add s (SVar vs) env, None, [], vs::vl, b
      in
      let env,pol,tvl,vl,b = List.fold_left vlist (env,pol,tvl,[],false) vl in
      let f1,b1 = fmla denv env impl pol tvl e1 in
      let quant = match quant with
        | Qforall -> Tforall
        | Qexists -> Texists in
      t_quant_close quant (List.rev vl) [] f1, b || b1
  | Eite (e1,e2,e3) ->
      (* here we can treat type quantifiers in 'if' conditions,
         since [if C then T else E == (C => T) /\ (C \/ E)], but
         as for now we won't do it to stay consistent with terms *)
      let cn,_  = fmla denv env impl None [] e1 in
      let th,b1 = fmla denv env impl pol tvl e2 in
      let el,b2 = fmla denv env impl pol tvl e3 in
      t_if cn th el, b1 || b2
  | Ebin (BOequ,e1,e2) ->
      let f1,b1 = fmla denv env impl pol tvl e1 in
      let f2,b2 = fmla denv env impl pol tvl e2 in
      if b1 || b2 then
        let g1,_ = fmla denv env impl (Opt.map not pol) tvl e1 in
        let g2,_ = fmla denv env impl (Opt.map not pol) tvl e2 in
        t_and (t_implies g1 f2) (t_implies g2 f1), true
      else
        t_iff f1 f2, false
  | Ebin (BOnequ,e1,e2) ->
      let f1,b1 = fmla denv env impl pol tvl e1 in
      let f2,b2 = fmla denv env impl pol tvl e2 in
      if b1 || b2 then
        let g1,_ = fmla denv env impl (Opt.map not pol) tvl e1 in
        let g2,_ = fmla denv env impl (Opt.map not pol) tvl e2 in
        t_not (t_and (t_implies f1 g2) (t_implies f2 g1)), true
      else
        t_not (t_iff f1 f2), false
  | Ebin (BOimp,e1,e2) ->
      let f1,b1 = fmla denv env impl (Opt.map not pol) tvl e1 in
      let f2,b2 = fmla denv env impl pol tvl e2 in
      t_implies f1 f2, b1 || b2
  | Ebin (BOpmi,e1,e2) ->
      let f1,b1 = fmla denv env impl pol tvl e1 in
      let f2,b2 = fmla denv env impl (Opt.map not pol) tvl e2 in
      t_implies f2 f1, b1 || b2
  | Ebin (BOand,e1,e2) ->
      let f1,b1 = fmla denv env impl pol tvl e1 in
      let f2,b2 = fmla denv env impl pol tvl e2 in
      t_and f1 f2, b1 || b2
  | Ebin (BOor,e1,e2) ->
      let f1,b1 = fmla denv env impl pol tvl e1 in
      let f2,b2 = fmla denv env impl pol tvl e2 in
      t_or f1 f2, b1 || b2
  | Ebin (BOnand,e1,e2) ->
      let f1,b1 = fmla denv env impl (Opt.map not pol) tvl e1 in
      let f2,b2 = fmla denv env impl (Opt.map not pol) tvl e2 in
      t_not (t_and f1 f2), b1 || b2
  | Ebin (BOnor,e1,e2) ->
      let f1,b1 = fmla denv env impl (Opt.map not pol) tvl e1 in
      let f2,b2 = fmla denv env impl (Opt.map not pol) tvl e2 in
      t_not (t_or f1 f2), b1 || b2
  | Enot e1 ->
      let f1,b1 = fmla denv env impl (Opt.map not pol) tvl e1 in
      t_not f1, b1
  | Eequ (e1,e2) ->
      let t1 = term denv env impl e1 in
      let t2 = term denv env impl e2 in
      t_equ t1 t2, false
  | Evar _ | Edob _ | Enum _ -> error ~loc FmlaExpected

and let_defn denv env impl { e_node = n ; e_loc = loc } =
  let rec newenv env tvl vl = function
    | [] -> env, List.rev tvl, List.rev vl
    | (s,{ e_node = Edef (DT DTtype, []); e_loc = loc })::al ->
        if vl <> [] then errorm ~loc "Invalid type quantifier";
        let tv = create_tvsymbol (id_user s loc) in
        let env = Mstr.add s (STVar tv) env in
        newenv env (tv::tvl) vl al
    | (s,e)::al ->
        let ty = ty denv env impl e in
        let vs = create_vsymbol (id_user s e.e_loc) ty in
        let env = Mstr.add s (SVar vs) env in
        newenv env tvl (vs::vl) al
  in
  let rec check ss vl al = match vl,al with
    | [],[] -> ()
    | (v,_)::vl, { e_node = Evar u }::al when u = v ->
        let ss = Sstr.change (fun b ->
          not (b && error ~loc (DuplicateVar v))) v ss in
        check ss vl al
    | _,_ -> error ~loc MalformedLet in
  let dig vl d isf e = match d.e_node with
    | Eapp (s,al) ->
        check Sstr.empty vl al;
        let enw,tvl,vl = newenv env [] [] vl in
        let fvs s v = ty_freevars s v.vs_ty in
        let tvs = List.fold_left fvs Stv.empty vl in
        let add s v = if Stv.mem v tvs then s else Stv.add v s in
        let mvs = List.fold_left add Stv.empty tvl in
        if isf then
          let f,_ = fmla denv enw impl None [] e in
          Mstr.add s (SletP (tvl,mvs,vl,f)) env, s
        else
          let t = term denv enw impl e in
          Mstr.add s (SletF (tvl,mvs,vl,t)) env, s
    | _ -> assert false (* impossible *) in
  let rec down vl = function
    | Eqnt (Qforall,ul,d) -> down (vl @ ul) d.e_node
    | Ebin (BOequ,e1,e2) -> dig vl e1 true e2
    | Eequ (e1,e2) -> dig vl e1 false e2
    | _ -> assert false (* impossible *) in
  down [] n

and ls_args denv env impl loc fs tvl gl mvs al =
  let rec args tvm tvl al = match tvl,al with
    | (tv::tvl),({e_node = Edef (DT DTdummy,[]); e_loc = loc}::al) ->
        if Stv.mem tv mvs then error ~loc InvalidDummy;
        args tvm tvl al
    | (tv::tvl),(a::al) ->
        let ty = ty denv env impl a in
        let tvm = Mtv.add tv ty tvm in
        args tvm tvl al
    | [],al ->
        let ghost v =
          fs_app denv.fs_ghost [] (ty_app denv.ts_ghost [Mtv.find v tvm]) in
        let tl = List.map ghost gl @ List.map (term denv env impl) al in
        let tvm = List.fold_left2 (ty_check loc) tvm fs.ls_args tl in
        let ty = Opt.map (ty_inst tvm) fs.ls_value in
        t_app fs tl ty
    | _ -> error ~loc BadArity
  in
  args Mtv.empty tvl al

and let_args denv env impl loc e tvl mvs vl al =
  let rec args tvm vm tvl vl al = match tvl,vl,al with
    | (tv::tvl),_,({e_node = Edef (DT DTdummy,[]); e_loc = loc}::al) ->
        if Stv.mem tv mvs then error ~loc InvalidDummy;
        args tvm vm tvl vl al
    | (tv::tvl),_,(a::al) ->
        let ty = ty denv env impl a in
        let tvm = Mtv.add tv ty tvm in
        args tvm vm tvl vl al
    | _,(v::vl),(a::al) ->
        let t = term denv env impl a in
        let tvm = ty_check loc tvm v.vs_ty t in
        let vm = Mvs.add v t vm in
        args tvm vm tvl vl al
    | [],[],[] ->
        t_ty_subst tvm vm e
    | _ -> error ~loc BadArity
  in
  args Mtv.empty Mvs.empty tvl vl al

let typedecl denv env impl loc s (tvl,(el,e)) =
  if e.e_node = Edef (DT DTtype, []) then
    (* type constructor *)
    if tvl <> [] then error ~loc DependentTy else
    let ntv { e_node = n ; e_loc = loc } = match n with
      | Edef (DT DTtype, []) -> create_tvsymbol (id_fresh "a")
      | _ -> error ~loc DependentTy
    in
    let ss = if s = "int" || s = "real" then "_" ^ s else s in
    let ts = create_tysymbol (id_user ss loc) (List.map ntv el) NoDef in
    Hstr.add impl s (SType ts)
  else
    (* function/predicate symbol *)
    let ntv (s, { e_node = n ; e_loc = loc }) = match n with
      | Edef (DT DTtype, []) -> create_tvsymbol (id_fresh s)
      | _ -> error ~loc DependentTy
    in
    let tvl = List.map ntv tvl in
    let add e v =
      let s = v.tv_name.id_string in
      Mstr.add_new (DuplicateVar s) s (STVar v) e
    in
    let env = List.fold_left add env tvl in
    let tyl = List.map (ty denv env impl) el in
    let tvs = List.fold_left ty_freevars Stv.empty tyl in
    let add s v = if Stv.mem v tvs then s else Stv.add v s in
    let mvs = List.fold_left add Stv.empty tvl in
    let ghost v = ty_app denv.ts_ghost [ty_var v] in
    if e.e_node = Edef (DT DTprop, []) then
      let gvl = List.filter (fun v -> not (Stv.mem v tvs)) tvl in
      let tyl = List.map ghost gvl @ tyl in
      let ls = create_psymbol (id_user s loc) tyl in
      if gvl <> [] then add_theory env impl denv.th_ghost;
      Hstr.add impl s (SPred (tvl,gvl,mvs,ls))
    else
      let tyv = ty denv env impl e in
      let tvs = ty_freevars tvs tyv in
      let gvl = List.filter (fun v -> not (Stv.mem v tvs)) tvl in
      let tyl = List.map ghost gvl @ tyl in
      let ls = create_fsymbol (id_user s loc) tyl tyv in
      if gvl <> [] then add_theory env impl denv.th_ghost;
      Hstr.add impl s (SFunc (tvl,gvl,mvs,ls))

let flush_impl ~strict env uc impl =
  let update_th _ e uc = match e with
    | Suse th ->
        let uc = open_scope uc th.th_name.id_string in
        let uc = use_export uc th in
        close_scope uc ~import:false
    | _ -> uc
  in
  let update s e (env,uc) = match e with
    | SType ts ->
        Mstr.add s e env, add_ty_decl uc ts
    | SFunc (_,_,_,ls) | SPred (_,_,_,ls) ->
        Mstr.add s e env, add_param_decl uc ls
    | STVar tv when strict ->
        errorm ?loc:tv.tv_name.id_loc "Unbound type variable %s" s
    | SVar vs when strict ->
        errorm ?loc:vs.vs_name.id_loc "Unbound variable %s" s
    | STVar _ | SVar _ -> env,uc
    | Sdobj ls ->
        let uc = add_param_decl uc ls in
        let t = t_app ls [] ls.ls_value in
        let add _ s f = match s with
          | Sdobj fs -> t_and_simp f (t_neq (t_app fs [] fs.ls_value) t)
          | _ -> f in
        let f = Mstr.fold add env t_true in
        let uc = if t_equal f t_true then uc else
          let id = ls.ls_name.id_string ^ "'def" in
          let pr = create_prsymbol (id_fresh id) in
          add_prop_decl uc Paxiom pr f in
        Mstr.add s e env, uc
    | Suse _ ->
        Mstr.add s e env, uc
    (* none of these is possible in implicit *)
    | SletF _ | SletP _ | STSko _ -> assert false
  in
  let uc = Hstr.fold update_th impl uc in
  let res = Hstr.fold update impl (env,uc) in
  Hstr.clear impl;
  res

let typecheck lib path ast =
  (* initial environment *)
  let env  = Mstr.empty in
  let denv = make_denv lib in
  let impl = Hstr.create 17 in
  add_theory env impl denv.th_univ;
  (* parsing function *)
  let conj = ref [] in
  let input (env,uc) = function
    (* type declarations *)
    | Formula (_,_,Type,TypedAtom (s,e),loc) ->
        typedecl denv env impl loc s e;
        flush_impl ~strict:true env uc impl
    | Formula (_,_,Type,_,loc)
    | Formula (_,_,_,TypedAtom _,loc) ->
        errorm ~loc "Invalid type declaration"
    (* logical formulas *)
    | Formula (_,_,_,Sequent _,loc) -> (* TODO *)
        errorm ~loc "Sequents are not supported"
    | Formula (k,s,r,LogicFormula e,loc) ->
        let strict = k <> CNF in
        let goal = r = Conjecture in
        let f,_ = fmla denv env impl (Some goal) [] e in
        let f = if strict then f else
          let q = if goal then Texists else Tforall in
          let vl = Mvs.keys (t_vars f) in
          t_quant_close q vl [] f in
        let env,uc = flush_impl ~strict env uc impl in
        let pr = create_prsymbol (id_user s loc) in
        if goal then conj := (pr, f) :: !conj;
        env, if goal then uc else add_prop_decl uc Paxiom pr f
    (* includes *)
    | Include (_,_,loc) ->
        errorm ~loc "Inclusion is not supported"
  in
  (* FIXME: localize the identifier *)
  let uc = create_theory ~path (id_fresh "T") in
  let _,uc = List.fold_left input (env,uc) ast in
  (* In presence of conjectures, TPTP requires us to prove
     their conjunction, but no conjectures means |- false.
     This is awkward, and most provers treat conjectures
     disjunctively, as in a sequent. We follow TPTP here. *)
  let pr_false = create_prsymbol (id_fresh "contradiction") in
  let uc = match !conj with
    | g :: gl ->
        let combine (_, f) (pr, g) = pr, t_and g f in
        let pr, goal = List.fold_left combine g gl in
        if Stv.is_empty (t_ty_freevars Stv.empty goal) then
          add_prop_decl uc Pgoal pr goal
        else (* Why3 does not support polymorphic goals *)
          let uc = add_prop_decl uc Paxiom pr (t_not goal) in
          add_prop_decl uc Pgoal pr_false t_false
    | [] -> add_prop_decl uc Pgoal pr_false t_false
  in
  Mstr.singleton "T" (close_theory uc)
why3-1.6.0/plugins/tptp/tptp_typing.mli000066400000000000000000000014741440160026300201460ustar00rootroot00000000000000(********************************************************************)
(*                                                                  *)
(*  The Why3 Verification Platform   /   The Why3 Development Team  *)
(*  Copyright 2010-2023 --  Inria - CNRS - Paris-Saclay University  *)
(*                                                                  *)
(*  This software is distributed under the terms of the GNU Lesser  *)
(*  General Public License version 2.1, with the special exception  *)
(*  on linking described in file LICENSE.                           *)
(*                                                                  *)
(********************************************************************)

val typecheck : Why3.Env.env -> Why3.Env.pathname ->
  Tptp_ast.tptp_file -> Why3.Theory.theory Why3.Wstdlib.Mstr.t

why3-1.6.0/plugins/transform/000077500000000000000000000000001440160026300161005ustar00rootroot00000000000000why3-1.6.0/plugins/transform/hypothesis_selection.ml000066400000000000000000000556661440160026300227200ustar00rootroot00000000000000(********************************************************************)
(*                                                                  *)
(*  The Why3 Verification Platform   /   The Why3 Development Team  *)
(*  Copyright 2010-2023 --  Inria - CNRS - Paris-Saclay University  *)
(*                                                                  *)
(*  This software is distributed under the terms of the GNU Lesser  *)
(*  General Public License version 2.1, with the special exception  *)
(*  on linking described in file LICENSE.                           *)
(*                                                                  *)
(********************************************************************)

(*s Transformation which removes most hypothesis, only keeping the one
a graph-based heuristic finds close enough to the goal *)

open Why3
open Ident
open Term
open Decl
open Task

(* lots of modules and functors applications to be used later *)

module Int_Dft = struct
  type t = int
  let compare = Stdlib.compare
  let default = max_int
end

module GP = Graph.Persistent.Digraph.ConcreteLabeled(
  struct
    type t = lsymbol
    let compare = ls_compare
    let hash = ls_hash
    let equal = ls_equal
  end)(Int_Dft)

(** a way to compare/hash expressions *)
module ExprNode = struct
    type t = Term.term
    let compare = t_compare
    let hash = t_hash
    let equal = t_equal
end
module GC = Graph.Persistent.Graph.Concrete(ExprNode)
module Sls = Set.Make(GP.V)
module Sexpr = Set.Make(ExprNode)

(** prints the given expression, transforming spaces into _ *)
let string_of_expr_node node =
  let white_space = Re.Str.regexp "[ ()]" in
  let translate x = Re.Str.global_replace white_space "_" x in
  let repr = Format.asprintf "@[%a@]" Pretty.print_term node in
  translate repr

(* for debugging (graph printing) purposes *)
module Dot_ = Graph.Graphviz.Dot(struct
                          include GC
                          let graph_attributes _ = []
                          let default_vertex_attributes _ = []
                          let vertex_attributes _ = []
                          let vertex_name x = string_of_expr_node (GC.V.label x)
                          let get_subgraph _ = None
                          let default_edge_attributes _ = []
                          let edge_attributes _ = []
                        end)



(** some useful things *)
module Util = struct
  let print_clause fmt = Format.fprintf fmt "@[[%a]@]"
    (Pp.print_list Pp.comma Pretty.print_term)
  let print_clauses fmt = Format.fprintf fmt "[%a]@."
    (Pp.print_list Pp.comma print_clause)

  (** [combinator] applied to all combinaisons of elements
      of [left] and [right] *)
  let map_complete combinator left right =
    let explorer left_elt =
      List.map (fun right_elt -> combinator left_elt right_elt) right in
    List.flatten (List.map explorer left)

(** all combinaisons of elements of [left] and [right],
    folded with [combinator] starting with [acc] *)
  let fold_complete combinator acc left right =
    let explorer acc left_elt =
      List.fold_left
        (fun acc right_elt -> combinator acc left_elt right_elt)
        acc right in
    List.fold_left explorer acc left

  (** given two lists of sets of expr, returns the list made from their union.
      It is like zipping the lists with Sexpr.union. *)
  let rec merge_list l1 l2 = match l1,l2 with
    | x::xs,y::ys -> (Sexpr.union x y) :: merge_list xs ys
    | _,[] -> l1
    | [],_ -> l2
end


(** module used to reduce formulae to Normal Form *)
module NF = struct (* add memoization, one day ? *)
  (* TODO ! *)
  (** all quantifiers in prenex form, currently just identity *)
  let prenex_fmla fmla =
    Format.eprintf "prenex_fmla: @[%a@]@." Pretty.print_term fmla;
    fmla

  (** creates a fresh non-quantified formula, representing a quantified formula *)
  let create_fmla (vars:Term.vsymbol list) : Term.term =
    let pred = create_psymbol (id_fresh "temoin")
      (List.map (fun var -> var.vs_ty) vars) in
    ps_app pred (List.map t_var vars)


  (** transforms a formulae into its Normal Form as a list of clauses.
      The first argument is a hastable from formulae to formulae.
      A clause is a list of formulae, so this function returns a list
      of list of formulae. *)
  let rec transform fmlaTable fmla =
    Format.eprintf "transform: @[%a@]@." Pretty.print_term fmla;
    match fmla.t_node with
    | Tquant (_,f_bound) ->
        let var,_,f =  t_open_quant f_bound in
        traverse fmlaTable fmla var f
    | Tbinop (_,_,_) ->
        let clauses = split fmla in
        Format.eprintf "split: @[%a@]@." Util.print_clause clauses;
        begin match clauses with
          | [f] -> begin match f.t_node with
              | Tbinop (Tor,f1,f2) ->
                  let left = transform fmlaTable f1 in
                  let right = transform fmlaTable f2 in
                  Util.map_complete List.append left right
              | _ -> [[f]]
            end
          | _ -> List.concat (List.map (transform fmlaTable) clauses)
        end
    | Tnot f -> handle_not fmlaTable fmla f
    | Tapp (_,_) -> [[fmla]]
    | Ttrue | Tfalse -> [[fmla]]
    | Tif (_,_,_) -> failwith "if formulae not handled"
    | Tlet (_,_) -> failwith "let formulae not handled"
    | Tcase (_,_) -> failwith "case formulae not handled"
    | Tvar _ | Tconst _ | Teps _ -> raise (FmlaExpected fmla)

  (** travers prefix quantifiers until it reaches a non-quantified formula,
      collecting bounded vars encountered *)
  and traverse fmlaTable old_fmla vars fmla = match fmla.t_node with
    | Tquant (_,f_bound) ->
        let var,_,f = t_open_quant f_bound in
        traverse fmlaTable old_fmla (var@vars) f
    | _ ->
        if Hterm.mem fmlaTable fmla then
          [[Hterm.find fmlaTable fmla]]
        else
          let new_fmla = create_fmla vars in
          Hterm.add fmlaTable old_fmla new_fmla;
          Hterm.add fmlaTable new_fmla new_fmla;
          [[new_fmla]]

  (** skips prenex quantifiers *)
  and skipPrenex fmlaTable fmla = match fmla.t_node with
    | Tquant (_,f_bound) ->
        let _,_,f = t_open_quant f_bound in
        skipPrenex fmlaTable f
    | _ -> transform fmlaTable fmla

(** logical binary operators splitting *)
  and split f = match f.t_node with
    | Tbinop (Timplies,{t_node = Tbinop (Tor, h1, h2)},f2) ->
        (split (t_binary Timplies h1 f2)) @ (split (t_binary Timplies h2 f2))
    | Tbinop (Timplies,f1,f2) ->
        let clauses = split f2 in
        if List.length clauses >= 2 then
          List.concat
            (List.map (fun f -> split (t_binary Timplies f1 f)) clauses)
        else split (t_or (t_not f1) f2)
    | Tbinop (Tand,f1,f2) -> [f1; f2]
    | _ -> [f]

  (** negation operator handling (with de morgan rules) *)
  and handle_not fmlaTable old_f f = match f.t_node with
    | Tquant (Tforall,f_bound) ->
        let vars,triggers,f1 = t_open_quant f_bound in
        transform fmlaTable (t_exists_close vars triggers (t_not f1))
    | Tnot f1 -> transform fmlaTable f1
    | Tbinop (Tand,f1,f2) ->
        transform fmlaTable (t_or (t_not f1) (t_not f2))
    | Tbinop (Tor,f1,f2) ->
        transform fmlaTable (t_and (t_not f1) (t_not f2))
    | Tbinop (Timplies,f1,f2) ->
        transform fmlaTable (t_and f1 (t_not f2))
    | Tbinop (Tiff,f1,f2) ->
        transform fmlaTable (t_or (t_and f1 (t_not f2)) (t_and (t_not f1) f2))
    | _ -> [[old_f]] (* default case *)

  (** the function to use to effectively transform into a normal form *)
  let make_clauses fmlaTable prop =
    let prenex_fmla = prenex_fmla prop in
    let clauses = skipPrenex fmlaTable prenex_fmla in
    Format.eprintf "==>@ @[%a@]@.@." Util.print_clauses clauses;
    clauses
end


(** module used to compute the graph of relations between constants *)
module GraphConstant = struct

  (** memoizing for formulae and terms, and then expressions *)
  let findF fTbl fmla = try
    Hterm.find fTbl fmla
  with Not_found ->
    let new_v = GC.V.create fmla in
    Hterm.add fTbl fmla new_v;
    (* Format.eprintf "generating new vertex: %a@."
      Pretty.print_term fmla; *)
    new_v

  let findT tTbl term = try
    Hterm.find tTbl term
  with Not_found ->
    let new_v = GC.V.create term in
    Hterm.add tTbl term new_v;
    (* Format.eprintf "generating new vertex: %a@."
      Pretty.print_term fmla; *)
    new_v

  (** analyse dynamic dependencies in one atomic formula, from the bottom *)
  let rec analyse_fmla_base fTbl tTbl gc fmla =
    let gc,_ = analyse_fmla fTbl tTbl (gc,[]) fmla in gc

  (** recursive function used by the previous function *)
  and analyse_fmla fTbl tTbl (gc,vertices) fmla = match fmla.t_node with
    | Tapp (_,terms) ->
        let gc,sub_vertices =
          List.fold_left (analyse_term fTbl tTbl) (gc,[]) terms in
        (* make a clique with [sub_vertices] elements *)
        let gc = Util.fold_complete GC.add_edge gc sub_vertices sub_vertices in
        let pred_vertex = findF fTbl fmla in
        (* add edges between [pred_vertex] and [sub_vertices] *)
        let gc = List.fold_left
          (fun gc term_vertex -> GC.add_edge gc pred_vertex term_vertex)
          gc sub_vertices in
        (gc, pred_vertex :: vertices)
    | _ -> TermTF.t_fold (analyse_term fTbl tTbl) (analyse_fmla fTbl tTbl)
        (gc,vertices) fmla

  (** explore terms. mutually recursive with the previous function *)
  and analyse_term fTbl tTbl (gc,vertices) term = match term.t_node with
    | Tvar _ | Tconst _ ->
        let vertex = findT tTbl term in
        (gc,vertex::vertices)
    | Tapp (_,terms) ->
        let gc,sub_vertices =
          List.fold_left (analyse_term fTbl tTbl) (gc,[]) terms in
        (* make a clique with [sub_vertices] elements *)
        let gc = Util.fold_complete GC.add_edge gc sub_vertices sub_vertices in
        let func_vertex = findT tTbl term in
        (* add edges between [func_vertex] and [sub_vertices] *)
        let gc = List.fold_left
          (fun gc term_vertex -> GC.add_edge gc func_vertex term_vertex)
          gc sub_vertices in
        (gc, func_vertex :: vertices)
    | _ -> TermTF.t_fold (analyse_term fTbl tTbl) (analyse_fmla fTbl tTbl)
        (gc,vertices) term

(** analyse a single clause by folding analyse_fmla_base over it *)
  let analyse_clause fTbl tTbl gc clause =
    List.fold_left (analyse_fmla_base fTbl tTbl) gc clause

  (** analyses a list of clauses :
      - fold over clauses with analyse_clause *)
  let analyse_clauses fTbl tTbl gc clauses =
    List.fold_left (analyse_clause fTbl tTbl) gc clauses

end

(** module used to compute the directed graph of predicates *)
module GraphPredicate = struct
  exception Exit of lsymbol

  (** test for negative formulae *)
  let is_negative = function
    | { t_node = Tnot _ } -> true
    | _ -> false

  (** assuming the formula looks like p(t1,t2...),
      returns the symbol p *)
  let extract_symbol fmla =
    let rec search = function
      | { t_node = Tapp(p,_) } -> raise (Exit p)
      | f -> TermTF.t_map (fun t->t) search f in
    try ignore (search fmla);
      Format.eprintf "invalid formula: ";
      Pretty.print_term Format.err_formatter fmla; assert false
    with Exit p -> p

  let find symbTbl x = try
    Hls.find symbTbl x
  with Not_found ->
    let new_v = GP.V.create x in
    Hls.add symbTbl x new_v;
    (* Format.eprintf "generating new vertex: %a@." Pretty.print_ls x; *)
    new_v

  (** analyse a single clause, and creates an edge between every positive
      litteral and every negative litteral of [clause] in [gp] graph. *)
  let analyse_clause symbTbl gp clause =
    let get_symbol x = find symbTbl (extract_symbol x) in
    let negative,positive = List.partition is_negative clause in
    let negative = List.map get_symbol negative in
    let positive = List.map get_symbol positive in
    let n = List.length clause in
    let add left gp right =
      try
        let old = GP.find_edge gp left right in
        if GP.E.label old <= n
        then gp (* old edge is fine *)
        else
          let new_gp = GP.remove_edge_e gp old in
          assert (not (GP.mem_edge new_gp left right));
          GP.add_edge_e gp (GP.E.create left n right)
      with Not_found ->
        let e = GP.E.create left n right in
        GP.add_edge_e gp e in
    List.fold_left (* add an edge from every negative to any positive *)
      (fun gp left ->
       List.fold_left (add left) gp positive) gp negative

  let analyse_clauses symbTbl gp clauses =
    List.fold_left (analyse_clause symbTbl) gp clauses

  (** add a symbol to the graph as a new vertex *)
  let add_symbol symbTbl gp lsymbol =
    GP.add_vertex gp (find symbTbl lsymbol)

end

(** module that makes the final selection *)
module Select = struct

  (** gets all predicates symbols of the formula *)
  let get_predicates fmla =
    let id acc _ = acc in
    let rec explore acc fmla = match fmla.t_node with
      | Tapp (pred,_) -> pred::acc
      | _ -> TermTF.t_fold id explore acc fmla
    in explore [] fmla

  (** gets all predicate symbols from a clause *)
  let get_clause_predicates acc clause =
    let rec fmla_get_pred ?(pos=true) acc fmla = match fmla.t_node with
      | Tnot f -> fmla_get_pred ~pos:false acc f
      | Tapp (pred,_) -> (pred, (if pos then `Positive else `Negative))::acc
      | _ -> failwith "bad formula in get_predicates !"
    in List.fold_left (fmla_get_pred ?pos:None) acc clause

  (** get all sub-formulae *)
  let get_sub_fmlas fTbl tTbl fmla =
    let rec gather_sub_fmla fTbl tTbl acc fmla = match fmla.t_node with
      | Tapp (_,terms) ->
          let acc = List.fold_left (gather_sub_term fTbl tTbl) acc terms in
          GraphConstant.findF fTbl fmla :: acc
      | _ -> TermTF.t_fold (gather_sub_term fTbl tTbl)
          (gather_sub_fmla fTbl tTbl) acc fmla
    and gather_sub_term fTbl tTbl acc term = match term.t_node with
      | Tapp (_,terms) ->
          let acc = List.fold_left (gather_sub_term fTbl tTbl) acc terms in
          GraphConstant.findT tTbl term :: acc
      | Tconst _ | Tvar _ -> GraphConstant.findT tTbl term :: acc
      | _ -> TermTF.t_fold (gather_sub_term fTbl tTbl)
          (gather_sub_fmla fTbl tTbl) acc term in
    gather_sub_fmla fTbl tTbl [] fmla

  (** get the predecessors of [positive] in the graph [gp], at distance <= [i]*)
  let rec get_predecessors i gp acc positive =
    if i < 0 then acc
    else
      let acc = Sls.add positive acc in
      List.fold_left (follow_edge gp i)
        acc (GP.pred_e gp positive)
  and follow_edge ?(forward=false) gp i acc edge =
    let f = if forward then get_successors else get_predecessors in
    f (i - GP.E.label edge) gp acc
      ((if forward then GP.E.dst else GP.E.src) edge)
  and get_successors j gp acc negative =
    if j < 0 then acc
    else
      let acc = Sls.add negative acc in
      List.fold_left (follow_edge ~forward:true gp j)
        acc (GP.succ_e gp negative)

  exception FixPoint
  exception Exit of Sexpr.t list

  (** builds the list of reachable nodes in a non-directed graph (of constants)*)
  let build_relevant_variables gc goal_clause =
    let rec add_literal acc f = match f.t_node with
      | Tnot f -> add_literal acc f
      | Tapp _ -> Sexpr.add f acc
      | _ -> failwith "bad literal in the goal clause" in
    let l0 = List.fold_left add_literal Sexpr.empty goal_clause in

    (* explore one more step *)
    let rec one_step cur =
      let step = Sexpr.fold explore cur [cur;cur] in
      Format.eprintf "one step made !@.";
      step

    (* explores the neighbours of [vertex] *)
    and explore vertex l = match l with [_next_cur;cur] ->

      (* [changed] indicates whether a vertex has been added;
         [v] is a vertex *)
      let find_odd v ((acc,_changed) as old) =
        if Sexpr.mem v acc then old else
          let count = GC.fold_pred
            (fun v2 count -> if Sexpr.mem v2 acc then count+1 else count)
            gc v 0 in (* how many predecessors in acc ? *)
          if count >= 2 then (Sexpr.add v acc,true) else old in
      let find_even prev_step v ((acc,_changed) as old) =
        if Sexpr.mem v prev_step || Sexpr.mem v acc then old else
          if GC.fold_pred (fun v2 bool -> bool || (Sexpr.mem v2 acc))
            gc v false (* connected to a vertex in acc ? *)
          then (Sexpr.add v acc, true) else old in
      let next_cur_odd,has_changed = (* compute 2^n+1 elts *)
        GC.fold_succ find_odd gc vertex (cur,false) in
      let next_cur_even,has_changed = (* compute 2^n+2 elts *)
        GC.fold_succ (find_even next_cur_odd)
          gc vertex (cur,has_changed) in
      if has_changed then [next_cur_even;next_cur_odd]
      else raise FixPoint

      | _ -> assert false (*only not to have warnings on non-exhaustive match*)

    (* iterates [one_step] until an exception is raised *)
    and control cur acc =
      let next_acc = try
        let next_step = one_step cur in
        next_step @ acc (* next step contains *2* steps *)
      with FixPoint ->
        Format.eprintf "[control]: fixpoint reached";
        raise (Exit acc) in
      control (List.hd next_acc) next_acc in
    try
      ignore (control l0 [l0]);
      [l0] (* never returns. this is an odd step (step 1) *)
    with Exit answer ->
      List.rev answer

  (* TODO : be more clear... *)
  (** determines if a proposition is pertinent w.r.t the given goal formula,
      from data stored in the graph [gp] given.
      [i] is the parameter of predicate graph ([gp]) based filtering.
      [j] is the parameter for dynamic constants ([gc]) dependency filtering *)
  let is_pertinent_predicate symTbl goal_clauses ?(i=4) gp fmla =
    let is_negative = function
      | (_,`Negative) -> true
      | (_,`Positive) -> false in
    let find_secure symbTbl x =
      try Hls.find symbTbl x
      with Not_found ->
        Format.eprintf "failure finding %a !@." Pretty.print_ls x;
        raise Not_found in
    let goal_predicates =
      List.fold_left get_clause_predicates [] goal_clauses in
    let predicates = get_predicates fmla in
    let negative,positive = List.partition is_negative goal_predicates in
    let negative,positive = List.map fst negative, List.map fst positive in
    let negative = List.map (find_secure symTbl) negative in (* to be optimized ? *)
    let positive = List.map (find_secure symTbl) positive in
    let predicates = List.map (find_secure symTbl) predicates in
    (* list of negative predecessors of any positive predicate of the goal,
       at distance <= i *)
    let predecessors = List.fold_left (get_predecessors i gp) Sls.empty positive in
    let successors = List.fold_left (get_successors i gp) Sls.empty negative in
    (* a predicates is accepted iff all its predicates are close enough in
       successors or predecessors lists *)
    List.for_all
      (fun x -> if Sls.mem x predecessors || Sls.mem x successors
       then true else begin Format.eprintf "%a not close enough (dist %d)@."
           Pretty.print_ls (GP.V.label x) i; false end)
      predicates

  (** tests whether a formula is pertinent according to the dynamic
      dependency criterion (using the undirected graph gc). *)
  let is_pertinent_dynamic fTbl tTbl goal_clauses ?(j=4) gc =
    let relevant_variables = (* ideally, there should be only one goal clause *)
      List.fold_left Util.merge_list []
        (List.map (build_relevant_variables gc) goal_clauses) in
    function fmla ->
      let rec is_close_enough x l count = match (l,count) with
        | _,n when n < 0 -> false
        | y::_,_ when Sexpr.mem x y -> true
        | _::ys,count -> is_close_enough x ys (count-1)
        | _,_ ->
            false (* case where the fmla is not reachable from goal vars *) in
      let is_acceptable fmla = is_close_enough fmla relevant_variables j in
      let sub_fmlas = get_sub_fmlas fTbl tTbl fmla in
      let sub_fmlas = List.map GC.V.label sub_fmlas in
      List.for_all is_acceptable sub_fmlas

  (** preprocesses the goal formula and the graph, and returns a function
      that will accept or not axioms according to their relevance.
      This is the function directly used to filter axioms. *)
  let filter fTbl tTbl symTbl goal_clauses (gc,gp) decl =
    match decl.d_node with
      | Dtype _ | Ddata _ | Dparam _ | Dlogic _ | Dind _ -> [decl]
      | Dprop (Paxiom,_,fmla) -> (* filter only axioms *)
          Format.eprintf "filter: @[%a@]@." Pretty.print_term fmla;
          let goal_exprs = goal_clauses in
          let return_value =
            if is_pertinent_predicate symTbl goal_clauses gp fmla &&
              is_pertinent_dynamic fTbl tTbl goal_exprs gc fmla
            then [decl] else [] in
          if return_value = [] then Format.eprintf "NO@.@."
          else Format.eprintf "YES@.@.";
          return_value
      | Dprop(_,_,_) -> [decl]
end

(** persistent incremental tables *)
let fmlaTable = Hterm.create 17
let fTbl = Hterm.create 17
let tTbl = Hterm.create 17
let symbTbl = Hls.create 17

(** collects data on predicates and constants in task *)
let collect_info =
  let analyse_prop is_goal gc gp prop =
    let clauses = NF.make_clauses fmlaTable prop in
    (if is_goal then Some clauses else None),
    GraphConstant.analyse_clauses fTbl tTbl gc clauses,
    GraphPredicate.analyse_clauses symbTbl gp clauses
  in
  let update task_head (last_clauses,gc,gp) =
    assert (last_clauses = None);
    match task_head.task_decl.Theory.td_node with
    | Theory.Decl {d_node = Dprop (Pgoal,_,prop_decl)} ->
        analyse_prop true gc gp prop_decl
    | Theory.Decl {d_node = Dprop (_,_,prop_decl)} ->
        analyse_prop false gc gp prop_decl
    | Theory.Decl {d_node = Dparam ls} ->
        None, gc, GraphPredicate.add_symbol symbTbl gp ls
    | Theory.Decl {d_node = Dlogic dl} ->
        let add_symbol gp (ls,_) =
          GraphPredicate.add_symbol symbTbl gp ls in
        let gp = List.fold_left add_symbol gp dl in
        let add_ld (_,gc,gp) (_,ld) =
          analyse_prop false gc gp (Decl.ls_defn_axiom ld) in
        List.fold_left add_ld (None,gc,gp) dl
    | Theory.Decl {d_node = Dind (_,il)} ->
        let add_symbol gp (ls,_) =
          GraphPredicate.add_symbol symbTbl gp ls in
        let gp = List.fold_left add_symbol gp il in
        let add_id (_,gc,gp) (_,prop) =
          analyse_prop false gc gp prop in
        let add_id (_,gc,gp) (_,il) =
          List.fold_left add_id (None,gc,gp) il in
        List.fold_left add_id (None,gc,gp) il
    | _ -> None,gc,gp
  in
  Trans.fold update (None, GC.empty, GP.empty)

(** the transformation, made from applying collect_info and
then mapping Select.filter *)
let transformation task =
  (* first, collect data in 2 graphes *)
  let (last_clauses,gc,gp) = Trans.apply collect_info task in
  Format.eprintf "graph: @\n@\n%a@\n@." Dot_.fprint_graph gc;
  (* get the goal *)
  let goal_clauses = match last_clauses with
    | None -> failwith "no goal !"
    | Some clauses -> clauses in
  (* filter one declaration at once *)
  Trans.apply
    (Trans.decl
       (Select.filter fTbl tTbl symbTbl goal_clauses (gc,gp)) None) task

(** the transformation to be registered *)
let hypothesis_selection = Trans.store transformation

let () = Trans.register_transform "hypothesis_selection" hypothesis_selection
  ~desc:"Hypothesis@ selection."

(*
Local Variables:
  compile-command: "unset LANG; make"
End:
vim:foldmethod=indent:foldnestmax=1
*)
why3-1.6.0/plugins/transform/hypothesis_selection.mli000066400000000000000000000013071440160026300230500ustar00rootroot00000000000000(********************************************************************)
(*                                                                  *)
(*  The Why3 Verification Platform   /   The Why3 Development Team  *)
(*  Copyright 2010-2023 --  Inria - CNRS - Paris-Saclay University  *)
(*                                                                  *)
(*  This software is distributed under the terms of the GNU Lesser  *)
(*  General Public License version 2.1, with the special exception  *)
(*  on linking described in file LICENSE.                           *)
(*                                                                  *)
(********************************************************************)

why3-1.6.0/share/000077500000000000000000000000001440160026300135065ustar00rootroot00000000000000why3-1.6.0/share/bash/000077500000000000000000000000001440160026300144235ustar00rootroot00000000000000why3-1.6.0/share/bash/why3000066400000000000000000000102171440160026300152410ustar00rootroot00000000000000# bash completion for Why3

# To use this script you should have bash-completion package installed
# Put it in /etc/bash_completion.d or just source it from your .bashrc

_why3()
{
    local cur prev words cword split

    if declare -F _init_completion > /dev/null ; then
        _init_completion -s || return
    else
        _get_comp_words_by_ref -n = cur prev words cword
    fi

    case "$prev" in
        -T|--theory)
            # this only completes the first '-T' option
            # also, we cannot complete library theories
            ${split:-false} || cword=$((cword-1))
            words=("${words[@]:0:$cword}" --print-namespace)
            theories=$(${words[@]} 2>/dev/null | sed -n -e 's/^\([^ ][^-]*\).*/\1/p')
            COMPREPLY=( $( compgen -W "$theories" -- "$cur" ) )
            return 0
            ;;
        -G|--goal)
            ${split:-false} || cword=$((cword-1))
            words=("${words[@]:0:$cword}" --print-namespace)
            goals=$(${words[@]} 2>/dev/null | sed -n -e 's/.*-goal //p')
            COMPREPLY=( $( compgen -W "$goals" -- "$cur" ) )
            return 0
            ;;
        -C|--config|--extra-config)
            _filedir
            return 0
            ;;
        -L|--library|-I)
            _filedir -d
            return 0
            ;;
        -P|--prover)
            provers=$($1 config list-provers | sed -n -e 's/^\([^ ]\+\).*/\1/p' | uniq)
            COMPREPLY=( $( compgen -W "$provers" -- "$cur" ) )
            return 0
            ;;
        -F|--format)
            formats=$($1 show formats | sed -n -e 's/^\([^ ]\+\).*/\1/p')
            COMPREPLY=( $( compgen -W "$formats" -- "$cur" ) )
            return 0
            ;;
        -t|--timelimit|-m|--memlimit)
            return 0
            ;;
        -a|--apply-transform)
            transforms=$($1 show transformations | grep -e '^  [^ ]')
            COMPREPLY=( $( compgen -W "$transforms" -- "$cur" ) )
            return 0
            ;;
        -M|--meta)
            metas=$($1 show metas |
                grep -e '^[^ ]\+\( (flag)\)\?\( \[string\]\)\?$' |
                sed -e 's/ (flag)//;s/ \[string\]/=/')
            COMPREPLY=( $( compgen -W "$metas" -- "$cur") )
            return 0
            ;;
        -D|--driver)
            _filedir
            return 0
            ;;
        -o|--output)
            _filedir -d
            return 0
            ;;
        --install-plugin)
            _filedir
            return 0
            ;;
        add-prover)
            ids=$($1 config list-supported-provers)
            COMPREPLY=( $( compgen -W "$ids" -- "$cur") )
            return 0
            ;;
        --smoke-detector)
            COMPREPLY=( $( compgen -W 'none top deep' -- "$cur" ) )
            return 0
            ;;
        --debug)
            flags=$($1 --list-debug-flags | sed -n -e 's/^\([^ ]\+\).*/\1/p')
            COMPREPLY=( $( compgen -W "$flags" -- "$cur" ) )
            return 0
            ;;
        --filter-prover)
            provers=$($1 config list-provers | sed -n -e 's/^\([^ ]\+\).*/\1/p' | uniq)
            COMPREPLY=( $( compgen -W "$provers" -- "$cur" ) )
            return 0
            ;;
        --filter-obsolete|--filter-archived|--filter-verified-goal|--filter-verified)
            COMPREPLY=( $( compgen -W 'yes no all' -- "$cur" ) )
            return 0
            ;;
        --style)
            COMPREPLY=( $( compgen -W 'simpletree table' -- "$cur" ) )
            return 0
            ;;
        config|session|show)
            cmds=$($1 $prev --help | sed -n -e 's/^  \([^ ]\+\).*/\1/p')
            COMPREPLY=( $( compgen -W "$cmds --help -h" -- "$cur" ) )
            return 0
            ;;
    esac

    case "$cur" in
        -*) words[cword]="--help"
            opts=$(_parse_help "${words[@]}")
            COMPREPLY=( $( compgen -W "$opts" -- "$cur" ) )
            [[ $COMPREPLY == *= ]] && compopt -o nospace
            return 0
            ;;
    esac

    if [ $cword -eq 1 ] ; then
        cmds=$($1 --help 2>&1 | sed -n -e 's/^  \([a-z]\+\).*/\1/p')
        COMPREPLY=( $( compgen -W "$cmds" -- "$cur" ) )
        return 0
    fi

    _filedir

} && complete -F _why3 why3 why3.opt why3.byte
why3-1.6.0/share/ce-models.json000066400000000000000000000755021440160026300162620ustar00rootroot00000000000000{
    "$schema": "https://json-schema.org/draft/2020-12/schema",
    "title": "Model_parser.json_model",
    "type": "array",
    "items": {
        "type": "object",
        "properties": {
            "filename": {
                "type": "string"
            },
            "model": {
                "$comment": "list of counterexample model values, sorted by file and line number",
                "type": "array",
                "items": {
                    "type": "object",
                    "properties": {
                        "is_vc_line": {
                            "$comment": "true if the current line corresponds to the source code element from which the VC originates",
                            "type": "boolean"
                        },
                        "line": {
                            "type": "string"
                        },
                        "model_elements": {
                            "$comment": "see src/core/model_parser.mli for a description of the model_element type",
                            "type": "array",
                            "items": {
                                "type": "object",
                                "properties": {
                                    "attrs": {
                                        "type": "array",
                                        "items": {
                                            "type": "string"
                                        }
                                    },
                                    "kind": {
                                        "type": "string"
                                    },
                                    "location": {
                                        "$ref": "#/$defs/location"
                                    },
                                    "lsymbol": {
                                        "type": "object",
                                        "properties": {
                                            "name": {
                                                "type": "string"
                                            },
                                            "attrs": {
                                                "type": "array",
                                                "items": {
                                                    "type": "string"
                                                }
                                            },
                                            "loc": {
                                                "$ref": "#/$defs/location"
                                            }
                                        }
                                    },
                                    "value": {
                                        "type": "object",
                                        "properties": {
                                            "value_concrete_term": {
                                                "$ref": "#/$defs/concrete_term"
                                            },
                                            "value_term": {
                                                "$ref": "#/$defs/term"
                                            },
                                            "value_type": {
                                                "$ref": "#/$defs/type"
                                            }
                                        }
                                    }
                                }
                            }
                        }
                    }
                }
            }
        }
    },
    "$defs": {
        "location": {
            "oneOf": [
                {
                    "type": "string",
                    "pattern": "^NO_LOC$"
                },
                {
                    "type": "object",
                    "properties": {
                        "file-name": {
                            "type": "string"
                        },
                        "start-line": {
                            "type": "number"
                        },
                        "start-char": {
                            "type": "number"
                        },
                        "end-line": {
                            "type": "number"
                        },
                        "end-char": {
                            "type": "number"
                        }
                    }
                }
            ]
        },
        "type": {
            "oneOf": [
                {
                    "type": "null"
                },
                {
                    "type": "object",
                    "properties": {
                        "Tyvar": {
                            "type": "string"
                        }
                    },
                    "required": ["Tyvar"]
                },
                {
                    "type": "object",
                    "properties": {
                        "Tyapp": {
                            "type": "object",
                            "properties": {
                                "ty_symbol": {
                                    "type": "string"
                                },
                                "ty_args": {
                                    "type": "array",
                                    "items": {
                                        "$ref": "#"
                                    }
                                }
                            },
                            "required": ["ty_symbol","ty_args"]
                        }
                    },
                    "required": ["Tyapp"]
                }
            ]
        },
        "vsymbol": {
            "type": "object",
            "properties": {
                "vs_name": {
                    "type": "string"
                },
                "vs_type": {
                    "$ref": "#/$defs/type"
                }
            },
            "required": ["vs_name","vs_type"]
        },
        "term": {
            "oneOf": [
                {
                    "type": "object",
                    "properties": {
                        "Tvar": {
                            "$ref": "#/$defs/vsymbol"
                        }
                    },
                    "required": ["Tvar"]
                },
                {
                    "type": "object",
                    "properties": {
                        "Tconst": {
                            "type": "object",
                            "properties": {
                                "const_type": {
                                    "type": "string"
                                },
                                "const_value": {
                                    "type": "string"
                                }
                            },
                            "required": ["const_type","const_value"]
                        }
                    },
                    "required": ["Tconst"]
                },
                {
                    "type": "object",
                    "properties": {
                        "Tapp": {
                            "type": "object",
                            "properties": {
                                "app_ls": {
                                    "type": "string"
                                },
                                "app_args": {
                                    "type": "array",
                                    "items": {
                                        "$ref": "#"
                                    }
                                }
                            },
                            "required": ["app_ls","app_args"]
                        }
                    },
                    "required": ["Tapp"]
                },
                {
                    "type": "object",
                    "properties": {
                        "Tif": {
                            "type": "object",
                            "properties": {
                                "if": {
                                    "$ref": "#"
                                },
                                "then": {
                                    "$ref": "#"
                                },
                                "else": {
                                    "$ref": "#"
                                }
                            },
                            "required": ["if","then","else"]
                        }
                    },
                    "required": ["Tif"]
                },
                {
                    "type": "object",
                    "properties": {
                        "Teps": {
                            "type": "object",
                            "properties": {
                                "eps_vs": {
                                    "$ref": "#/$defs/vsymbol"
                                },
                                "eps_t": {
                                    "$ref": "#"
                                }
                            },
                            "required": ["eps_vs","eps_t"]
                        }
                    },
                    "required": ["Teps"]
                },
                {
                    "type": "object",
                    "properties": {
                        "Tfun": {
                            "type": "object",
                            "properties": {
                                "fun_args": {
                                    "type": "array",
                                    "items": {
                                        "$ref": "#/$defs/vsymbol"
                                    }
                                },
                                "fun_body": {
                                    "$ref": "#"
                                }
                            },
                            "required": ["fun_args","fun_body"]
                        }
                    },
                    "required": ["Tfun"]
                },
                {
                    "type": "object",
                    "properties": {
                        "Tquant": {
                            "type": "object",
                            "properties": {
                                "quant": {
                                    "type": "string"
                                },
                                "quant_vs": {
                                    "type": "array",
                                    "items": {
                                        "$ref": "#/$defs/vsymbol"
                                    }
                                },
                                "quant_t": {
                                    "$ref": "#"
                                }
                            },
                            "required": ["quant","quant_vs","quant_t"]
                        }
                    },
                    "required": ["Tquant"]
                },
                {
                    "type": "object",
                    "properties": {
                        "Tbinop": {
                            "type": "object",
                            "properties": {
                                "binop": {
                                    "type": "string"
                                },
                                "binop_t1": {
                                    "$ref": "#"
                                },
                                "binop_t2": {
                                    "$ref": "#"
                                }
                            },
                            "required": ["binop","binop_t1","binop_t2"]
                        }
                    },
                    "required": ["Tbinop"]
                },
                {
                    "type": "object",
                    "properties": {
                        "Tnot": {
                            "$ref": "#"
                        }
                    },
                    "required": ["Tnot"]
                },
                {
                    "type": "string",
                    "pattern": "^Ttrue$"
                },
                {
                    "type": "string",
                    "pattern": "^Tfalse$"
                },
                {
                    "type": "object",
                    "properties": {
                        "Tlet": {
                            "type": "string"
                        }
                    },
                    "required": ["Tlet"]
                },
                {
                    "type": "object",
                    "properties": {
                        "Tcase": {
                            "type": "string"
                        }
                    },
                    "required": ["Tcase"]
                }
            ]
        },
        "concrete_bv": {
            "type": "object",
            "properties": {
                "bv_value_as_decimal": {
                    "type": "string"
                },
                "bv_length": {
                    "type": "number"
                },
                "bv_verbatim": {
                    "type": "string"
                }
            },
            "required": ["bv_value_as_decimal","bv_length","bv_verbatim"]
        },
        "concrete_real": {
            "type": "object",
            "properties": {
                "real_value": {
                    "type": "string"
                },
                "real_verbatim": {
                    "type": "string"
                }
            },
            "required": ["real_value","real_verbatim"]
        },
        "concrete_term": {
            "oneOf": [
                {
                    "type": "object",
                    "properties": {
                        "type": {
                            "type": "string",
                            "pattern": "^Var$"
                        },
                        "val": {
                            "type": "string"
                        }
                    },
                    "required": ["type","val"]
                },
                {
                    "type": "object",
                    "properties": {
                        "type": {
                            "type": "string",
                            "pattern": "^Boolean$"
                        },
                        "val": {
                            "type": "boolean"
                        }
                    },
                    "required": ["type","val"]
                },
                {
                    "type": "object",
                    "properties": {
                        "type": {
                            "type": "string",
                            "pattern": "^String$"
                        },
                        "val": {
                            "type": "string"
                        }
                    },
                    "required": ["type","val"]
                },
                {
                    "type": "object",
                    "properties": {
                        "type": {
                            "type": "string",
                            "pattern": "^Integer$"
                        },
                        "val": {
                            "type": "object",
                            "properties": {
                                "int_value": {
                                    "type": "string"
                                },
                                "int_verbatim": {
                                    "type": "string"
                                }
                            },
                            "required": ["int_value","int_verbatim"]
                        }
                    },
                    "required": ["type","val"]
                },
                {
                    "type": "object",
                    "properties": {
                        "type": {
                            "type": "string",
                            "pattern": "^Real$"
                        },
                        "val": {
                            "$ref": "#/$defs/concrete_real"
                        }
                    },
                    "required": ["type","val"]
                },
                {
                    "type": "object",
                    "properties": {
                        "type": {
                            "type": "string",
                            "pattern": "^BitVector$"
                        },
                        "val": {
                            "$ref": "#/$defs/concrete_bv"
                        }
                    },
                    "required": ["type","val"]
                },
                {
                    "type": "object",
                    "properties": {
                        "type": {
                            "type": "string",
                            "pattern": "^Fraction$"
                        },
                        "val": {
                            "type": "object",
                            "properties": {
                                "frac_num": {
                                    "$ref": "#/$defs/concrete_real"
                                },
                                "frac_den": {
                                    "$ref": "#/$defs/concrete_real"
                                },
                                "frac_verbatim": {
                                    "type": "string"
                                }
                            },
                            "required": ["frac_num","frac_den","frac_verbatim"]
                        }
                    },
                    "required": ["type","val"]
                },
                {
                    "type": "object",
                    "properties": {
                        "type": {
                            "type": "string",
                            "pattern": "^Float$"
                        },
                        "val": {
                            "oneOf": [
                                {
                                    "type": "object",
                                    "properties": {
                                        "float_type": {
                                            "type": "string",
                                            "pattern": "^Infinity"
                                        }
                                    },
                                    "required": ["float_type"]
                                },
                                {
                                    "type": "object",
                                    "properties": {
                                        "float_type": {
                                            "type": "string",
                                            "pattern": "^Plus_zero"
                                        }
                                    },
                                    "required": ["float_type"]
                                },
                                {
                                    "type": "object",
                                    "properties": {
                                        "float_type": {
                                            "type": "string",
                                            "pattern": "^Minus_zero"
                                        }
                                    },
                                    "required": ["float_type"]
                                },
                                {
                                    "type": "object",
                                    "properties": {
                                        "float_type": {
                                            "type": "string",
                                            "pattern": "^NaN"
                                        }
                                    },
                                    "required": ["float_type"]
                                },
                                {
                                    "type": "object",
                                    "properties": {
                                        "float_type": {
                                            "type": "string",
                                            "pattern": "^Float_value"
                                        },
                                        "float_sign": {
                                            "$ref": "#/$defs/concrete_bv"
                                        },
                                        "float_exp": {
                                            "$ref": "#/$defs/concrete_bv"
                                        },
                                        "float_mant": {
                                            "$ref": "#/$defs/concrete_bv"
                                        },
                                        "float_hex": {
                                            "type": "string"
                                        }
                                    },
                                    "required": ["float_type","float_sign","float_exp","float_mant","float_hex"]
                                }
                            ]
                        }
                    },
                    "required": ["type","val"]
                },
                {
                    "type": "object",
                    "properties": {
                        "type": {
                            "type": "string",
                            "pattern": "^Apply$"
                        },
                        "val": {
                            "type": "object",
                            "properties": {
                                "app_ls": {
                                    "type": "string"
                                },
                                "app_args": {
                                    "type": "array",
                                    "items": {
                                        "$ref": "#"
                                    }
                                }
                            },
                            "required": ["app_ls","app_args"]
                        }
                    },
                    "required": ["type","val"]
                },
                {
                    "type": "object",
                    "properties": {
                        "type": {
                            "type": "string",
                            "pattern": "^If$"
                        },
                        "val": {
                            "type": "object",
                            "properties": {
                                "if": {
                                    "$ref": "#"
                                },
                                "then": {
                                    "$ref": "#"
                                },
                                "else": {
                                    "$ref": "#"
                                }
                            },
                            "required": ["if","then","else"]
                        }
                    },
                    "required": ["type","val"]
                },
                {
                    "type": "object",
                    "properties": {
                        "type": {
                            "type": "string",
                            "pattern": "^Epsilon$"
                        },
                        "val": {
                            "type": "object",
                            "properties": {
                                "eps_var": {
                                    "type": "string"
                                },
                                "eps_t": {
                                    "$ref": "#"
                                }
                            },
                            "required": ["eps_var","eps_t"]
                        }
                    },
                    "required": ["type","val"]
                },
                {
                    "type": "object",
                    "properties": {
                        "type": {
                            "type": "string",
                            "pattern": "^Function$"
                        },
                        "val": {
                            "type": "object",
                            "properties": {
                                "fun_args": {
                                    "type": "array",
                                    "items": {
                                        "type": "string"
                                    }
                                },
                                "fun_body": {
                                    "$ref": "#"
                                }
                            },
                            "required": ["fun_args","fun_body"]
                        }
                    },
                    "required": ["type","val"]
                },
                {
                    "type": "object",
                    "properties": {
                        "type": {
                            "type": "string",
                            "pattern": "^Quant$"
                        },
                        "val": {
                            "type": "object",
                            "properties": {
                                "quant": {
                                    "type": "string"
                                },
                                "quant_vars": {
                                    "type": "array",
                                    "items": {
                                        "type": "string"
                                    }
                                },
                                "quant_t": {
                                    "$ref": "#"
                                }
                            },
                            "required": ["quant","quant_vars","quant_t"]
                        }
                    },
                    "required": ["type","val"]
                },
                {
                    "type": "object",
                    "properties": {
                        "type": {
                            "type": "string",
                            "pattern": "^Binop$"
                        },
                        "val": {
                            "type": "object",
                            "properties": {
                                "binop": {
                                    "type": "string"
                                },
                                "binop_t1": {
                                    "$ref": "#"
                                },
                                "binop_t2": {
                                    "$ref": "#"
                                }
                            },
                            "required": ["binop","binop_t1","binop_t2"]
                        }
                    },
                    "required": ["type","val"]
                },
                {
                    "type": "object",
                    "properties": {
                        "type": {
                            "type": "string",
                            "pattern": "^Not$"
                        },
                        "val": {
                            "$ref": "#"
                        }
                    },
                    "required": ["type","val"]
                },
                {
                    "type": "object",
                    "properties": {
                        "type": {
                            "type": "string",
                            "pattern": "^FunctionLiteral$"
                        },
                        "val": {
                            "type": "object",
                            "properties": {
                                "funliteral_elts": {
                                    "type": "array",
                                    "items": {
                                        "type": "object",
                                        "properties": {
                                            "indice": {
                                                "$ref": "#"
                                            },
                                            "value": {
                                                "$ref": "#"
                                            }
                                        },
                                        "required": ["indice","value"]
                                    }
                                },
                                "funliteral_others": {
                                    "$ref": "#"
                                }
                            },
                            "required": ["array_elts","array_others"]
                        }
                    },
                    "required": ["type","val"]
                },
                {
                    "type": "object",
                    "properties": {
                        "type": {
                            "type": "string",
                            "pattern": "^Record$"
                        },
                        "val": {
                            "type": "array",
                            "items": {
                                "type": "object",
                                "properties": {
                                    "field": {
                                        "type": "string"
                                    },
                                    "value":{
                                        "$ref": "#"
                                    }
                                },
                                "required": ["field","value"]
                            }
                        }
                    },
                    "required": ["type","val"]
                },
                {
                    "type": "object",
                    "properties": {
                        "type": {
                            "type": "string",
                            "pattern": "^Proj$"
                        },
                        "val": {
                            "type": "object",
                            "properties": {
                                "proj_name": {
                                    "type": "string"
                                },
                                "proj_value":{
                                    "$ref": "#"
                                }
                            },
                            "required": ["proj_name","proj_value"]
                        }
                    },
                    "required": ["type","val"]
                }
            ]
        }
    }
}why3-1.6.0/share/emacs/000077500000000000000000000000001440160026300145765ustar00rootroot00000000000000why3-1.6.0/share/emacs/why3.el000066400000000000000000000150071440160026300160150ustar00rootroot00000000000000;; why3.el - GNU Emacs mode for Why3

(defvar why3-mode-map
  (let ((map (make-sparse-keymap)))
    ;; (define-key map "\C-c\C-c" 'why3-generate-obligations) **)
    ;; (define-key map "\C-c\C-a" 'why3-find-alternate-file) **)
    ;; (define-key map "\C-c\C-v" 'why3-viewer) **)
    (define-key map [(control return)] 'font-lock-fontify-buffer)
    map))

(setq auto-mode-alist
      (append
       '(("\\.\\(why\\|mlw\\)\\'" . why3-mode))
       auto-mode-alist))

;; font-lock

(defun why3-regexp-opt (l)
  (regexp-opt l 'words))

;; keep synchronized with src/parser/lexer.mll
(defconst why3-font-lock-keywords-1
  (list
   `(,(why3-regexp-opt
       '("absurd" "alias" "assert" "assume"
         "check" "diverges" "ensures" "invariant"
         "raises" "reads" "requires" "returns"
         "variant" "writes")) . font-lock-type-face)
   `(,(why3-regexp-opt
       '("abstract" "any" "as" "at" "axiom"
         "begin" "break" "by"
         "clone" "coinductive" "constant" "continue"
         "do" "done" "downto"
         "else" "end" "epsilon" "exception" "exists" "export"
         "false" "float" "for" "forall" "fun" "function"
         "ghost" "goal" "if" "import" "in" "inductive"
         "label" "lemma" "let"
         "match" "meta" "module" "mutable" "not"
         "old" "partial" "predicate" "private" "pure"
         "raise" "range" "rec" "ref" "return"
         "scope" "so" "then" "theory" "to" "true" "try" "type"
         "use" "val" "while" "with")) . font-lock-keyword-face)
   )
  "Minimal highlighting for Why3 mode")

(defvar why3-font-lock-keywords why3-font-lock-keywords-1
  "Default highlighting for Why3 mode")

(defvar why3-indent 2
  "How many spaces to indent in why3 mode.")
(make-variable-buffer-local 'why3-indent)

;; syntax

(defvar why3-mode-syntax-table
  (let ((st (make-syntax-table)))
    ; identifiers
    (modify-syntax-entry ?' "w" st)
    (modify-syntax-entry ?_ "w" st)
    ; strings
    (modify-syntax-entry ?\" "\"" st)
    ; comments
    (modify-syntax-entry ?\( "()1n" st)
    (modify-syntax-entry ?\) ")(4n" st)
    (modify-syntax-entry ?* ". 23" st)
    st)
  "Syntax table for why3-mode")

;indentation

;http://www.emacswiki.org/emacs/ModeTutorial
(defun why3-indent-line ()
  "Indent current line as why3 logic"
  (interactive)
  (save-excursion
    (beginning-of-line)
    ;(debug)
    (if (bobp)  ; Check for rule 1
        (indent-line-to 0)
      (let ((not-indented t) cur-indent)
        (if (looking-at "^[ \t]*end") ; Check for rule 2
            (progn
              (save-excursion
                (forward-line -1)
                (setq cur-indent (- (current-indentation) why3-indent)))
              (if (< cur-indent 0)
                  (setq cur-indent 0)))
          (progn
            (if (looking-at "^[ \t]*\\(logic\\|type\\|prop\\)") ; check for clone
                (progn
                  (save-excursion
                    (forward-line -1)
                    (if (looking-at "^[ \t]*\\(logic\\|type\\|prop\\).*,[ \t]*$")
                        (progn
                          (setq cur-indent (current-indentation))
                          (setq not-indented nil))
                      (if (looking-at "^[ \t]*clone.*with ")
                          (progn
                            (setq cur-indent (+ (current-indentation) why3-indent))
                            (setq not-indented nil)
                            ))))))
        ;For the definition its very badly done...
          (if (looking-at "^[ \t]*$")
	      ;; (save-excursion
	      ;; 	(forward-line -1)
	      ;; 	(setq cur-indent (current-indentation))
	      ;; 	(setq not-indented nil))
              (progn
                (setq cur-indent 0)
                (setq not-indented nil))
	    (if (not
		 (looking-at "^[ \t]*(\*.*"))
            (if (not
                 (looking-at "^[ \t]*\\(logic\\|type\\|axiom\\|goal\\|lemma\\|inductive\\|use\\|theory\\|clone\\)"))
                (save-excursion
                  (condition-case nil
                      (save-excursion
                        (backward-up-list)
                        (setq cur-indent (+ (current-column) 1))
                        (setq not-indented nil))
                    (error
                     (forward-line -1)
                     (if (looking-at
                          "^[ \t]*\\(logic\\|type\\|axiom\\|goal\\|lemma\\|inductive\\)")
                         (setq cur-indent (+ (current-indentation) why3-indent))
                       (setq cur-indent (current-indentation)))
                     (setq not-indented nil)))))))
          ;For inside theory or namespace
          (save-excursion
            (while not-indented
              (forward-line -1)
              (if (looking-at "^[ \t]*end") ; Check for rule 3
                  (progn
                    (setq cur-indent (current-indentation))
                    (setq not-indented nil))
                                        ; Check for rule 4
                (if (looking-at "^[ \t]*\\(theory\\|namespace\\)")
                    (progn
                      (setq cur-indent (+ (current-indentation) why3-indent))
                      (setq not-indented nil))
                  (if (bobp) ; Check for rule 5
                      (setq not-indented nil)))))))
        (if cur-indent
            (indent-line-to cur-indent)
          (indent-line-to 0)))))))

; compile will propose "why3 ide file" if no Makefile is present

(add-hook 'why3-mode-hook
          (lambda ()
            (unless (file-exists-p "Makefile")
              (set (make-local-variable 'compile-command)
                   (let ((file (file-name-nondirectory buffer-file-name)))
                     (format "why3 ide %s" file))))))

(defconst why3--syntax-propertize
  (syntax-propertize-rules
    ; attributes: [@foo]
    ("\\(\\[\\)@[^]]*\\(]\\)" (1 "!]") (2 "!["))
    ; star: (*)
    ("\\((\\)\\*\\()\\)" (1 "()") (2 ")("))
  ))

(defvar compilation-first-column)
(defvar compilation-error-screen-columns)

;; setting the mode
(define-derived-mode why3-mode
  prog-mode "Why3"
  "Major mode for editing WhyML programs.

\\{why3-mode-map}"
  ; hilight
  (setq-local font-lock-defaults '(why3-font-lock-keywords))
  (setq-local font-lock-multiline t)
  ; indentation
  ;(setq-local indent-line-function 'why3-indent-line)
  ; error locations
  (setq-local compilation-first-column 0)
  (setq-local compilation-error-screen-columns nil)
  ; OCaml style comments for comment-region, comment-dwim, etc.
  (setq-local comment-start "(*")
  (setq-local comment-end   "*)")
  (setq-local syntax-propertize-function why3--syntax-propertize))

(provide 'why3)
why3-1.6.0/share/images/000077500000000000000000000000001440160026300147535ustar00rootroot00000000000000why3-1.6.0/share/images/fatcow.rc000066400000000000000000000014651440160026300165720ustar00rootroot00000000000000[iconset fatcow]
name = "FatCow"
license = "readme-fatcow.txt"
default = "delete"
undone = "bullet_white"
scheduled = "control_pause_blue"
running = "control_play_blue"
valid = "accept"
unknown = "help"
invalid = "exclamation"
timeout = "time_delete"
outofmemory = "database_delete"
steplimitexceeded = "brick_delete"
failure = "bomb"
valid_obs = "bullet_green"
unknown_obs = "bullet_blue"
invalid_obs = "bullet_red"
timeout_obs = "time_delete"
outofmemory_obs = "database_delete"
steplimitexceeded_obs = "brick_delete"
failure_obs = "bullet_black"
yes = "accept"
no = "delete"
file = "package"
theory = "folder"
goal = "script"
prover = "magic_wand_2"
transf = "multitool"
#TODO change metas
metas = "ddr_memory"
editor = "pencil"
replay = "update"
cancel = "cancel"
reload = "delete"
remove = "delete"
cleaning = "bin"
why3-1.6.0/share/images/fatcow/000077500000000000000000000000001440160026300162365ustar00rootroot00000000000000why3-1.6.0/share/images/fatcow/accept.png000066400000000000000000000035071440160026300202100ustar00rootroot00000000000000PNG


IHDR  szztEXtSoftwareAdobe ImageReadyqe<IDATxڜWYl\2g';N$nBR(1XPQPҠPH"A"TUQ&X6 PҐiˌ=^flwYq&^r^ϽoG:PIxƒ?^
5Kxۿbq=z?v(c_:\:XftT$hrcfQ0M'#8iN(9xᏏ=Xơ!BҰ,i0"gFp&31LI}O[~K#n1EL9-
vTSNs8B}Fj!`{>ÂySqsHi&d93I*1lZC!;&f1+hZIbç2`tRi[X2x]^8$aLBJQ67?`9'a|& (r|6G,a7zsNbwE>ïGW@[*(єRh܆H|T69z|04>Yh} nz6͏$Pvmۋ*3O~ThmCYF8!غ3X	
̈́#4wmD#7֩Ĕ;'Eo=-e>Y/yyǃ8Ljns͛p:""6oZ2'vn>vteA6*O#NO36p[F4.[iݭ"r7Y}I-oVA16T	Q)C+" og˽CgqKOUgJEA!AnE΀HgнGAw8jD^˹zMkz~-ݶ|_{J$֡]gA[4~v=#[Ek咜[SZfg[遣{.#Џ!G|r6+g)Ⱥ4Zي&D*ZkYptF6Ȉt0%8\j]~=8xD(_~b9SBl
˄Ř4zr&:r)`'|(Zrndl&	>^XK8P'\ee[Kȃ[κ8{01	G,Qc{kT fbLV'z]hBڂ-bwIQ^vQZ`O>s8xlٰG7h!-!eE0׶*ev96)mȔ	\vҧ"#6t)I6\t-[%o=rvQY.zeO`fsƳMpWd
	Vai"5h(uTVai	!
Rl[3xHfjIxIĻv὜E'y:?>OeNьEB]ڽ].4r#Mz#1|1p=aQt.o|G,7I5IYAG]X	h6ɖڝNKymTJ-,^y_U
sB39IENDB`why3-1.6.0/share/images/fatcow/bin.png000066400000000000000000000035641440160026300175240ustar00rootroot00000000000000PNG


IHDR  szztEXtSoftwareAdobe ImageReadyqe<IDATxڬW]lTkڻ[XPl.Dۄ8$EiW*QE>DKU*G/Uۗ%C{Mzm]߽3LǍ4:{37s̅i'oq4#GSZ(zl(Gmt8͛Q_ͳOOy	O7ڒ÷nllRw?(A9DB`^E6&6Zo}	~<=-OG45L$u]:xo`VӀā_t_3+0.;l¢id~C(鋨vᅗ_շoB)ECu=o܈$qC'y*2;b}2?V@?	/ߏv,.޾ǘz=[Zw`{#x/7~g>.|qF
0#L%y?55!$Dy`dWЎ?:t)f:>`PC۶eܵbO6w#6wֶW]{*(ΩK8O]W+!xӗEa'1E'''e/xL1gMxBt~#G^p?Q-8vS,]2g%kkkPGхR3P(Á|>ttvum6ͺXR;/R)*VDC2F	ǹQAg<cyl#[**+e04	f)$	K:0'%d,nYhgUBIyagn	.:xBe@^\Vشc#wdP	բ!@5E*3L		~pNmn:(0;E#Flĕ=O$(|4
ABhԖE6x3S+I1!"cYq%]hkE,Zw+++
uQihhfs0u	jP?d|_	 D>F’l\u╦)N@ll.Cwc2d=_ŅńnHo?="i&Jq2y[֘[
+so%
hg7suC%Y
Bvʫ;[RpJ`fo4,\t6m,kuS(^yjD#O]?skXSvm/5Y	j===|{Hdm} ΖiN
LJsjt:E{>EAO3樖l`?S*;cZ/wC|MeH[*JoCXp<@ZU)fFPVdQY@>N\YJ78t3IENDB`why3-1.6.0/share/images/fatcow/bomb.png000066400000000000000000000040371440160026300176670ustar00rootroot00000000000000PNG


IHDR  szztEXtSoftwareAdobe ImageReadyqe<IDATxڼWil\>ofx(mR M(N@T!DUG+U!,R6DbQ~UH!	[Xǁ$؃'>={}MIȏott-~=;ĥ=ix[WKO_l
DŽe3eнƷ&ggDۖko&ա%w	s
ƦjHIݾԃ?7CLOQL@=N]!7xᖚxo!'r=+cx^T]*7ࢗ*>i17UVuwP]ShhѱQK40޾	PN>׺5qf*n삨CEjoG0`7FFFX? W_ҎO@.$;~}Ҟ	냆rmUuhfs'$sP4\JOCŲ
 !LR!͂81%iO??"Y	0ABr)뾥g[WAY'hZw*ؾm3|q0zŶ,lmN	??H%HB䭅搣zrٰ2A,!
w^WnWCC}=$@"	A
n.{'Id6v׋my[} pz_`jtf`b_`T-H9{qiX
D"#Xht]0
W؄ۚxM+\2pOnjJwkKXzua-Y8;)a
jP]]	_~9^8,D&Y>o`H}ƞ057lki=(|p	s\_ڮgkq"EH$1of㻐@cCN{L,"ʲ|W<g{ ף)PeqHa:A'X.4$}uCG3zB^dC8adEF
lPÇ`~~dYA22D
!=bh	4
6I9 I
wEHL4Ib *P]p1\,4(o]f"s,Ϲ|)aEJD!P@2b$AfԎQZXKzIG\aE*|H./(K=+	p|	0#azՒF/iR7\+<Ty!6VQ%,\X4Ѐ+ƍ1s/`20{A]a-Ø*Ed#^gՍ:˗^_?KoKxޅtrNK0LnQj 7zj0${	rDcG-)At3'i|bFCW,BZGFNRU5E@AwD!@mK6"+&@?tPV{A  1-,wBvf@]NC݃{`&ڷlQ$L 	3g(EXI|soz(I
m϶l;ִV.
CqbFA<.v)ziou\3%r%!4!ءgaUqT[Ḃјܔ'J~2uS78n<4p2aU.xR(vLbԈ4GQQq4X`ͥL?U)PK)2\cGW̃%yH 6Bk!5A)Q#C^
'I'j'V.ѺBQ.CUubq@Jw;QU:^Q
Z$ |0Nbȝ3f:,,81@2M$9cְ3#(
r~=Du:5*%ܱH,̦\&W8PZjhY|	/G3?ZSK8tɝODJoۙnL,0
e*0AՐ!ӎՙ;(,@8}eK5fo0R+3J*R]0TM:pL&W撀S/`et{)RTX^D,oضWr.BSLЖpQYT=\0|ߠa,|bB$Fo'),GQw'^m	l6(9M0یQYyKލ[WPr4*_xc<}mo>yG0X5nd
{DJ#ck|.(h'%[~S0)Cg`/gN:ߦݽ:zze4 4,P:1]@oo30HMtG
    -\0?|oVѫ{YZ\X"n%QK&$'TWD;v;և';q4P~TDhI7T7OHD1p`1:MY.EKQ@QŽ/,[l)y~JjHF
qd)udu,3NEŐ<^0XcskQR0sOOmqĈ&),+vq>:~9PC(J%;s$|Hߔ{;@<Ά;?;ɘVG[Åv?}w{*[.(]\dtfMqwח"MʗH&6q`pۙ?"uU曭]wwg,*)d6Y2&}iS3nw|69#&a{k*<U@r.u-?ںަgT7E8e=]VqKig!U0׏
Nُ?z	9t3YꂭQCr2yEZ_v^&b?$8+`IENDB`why3-1.6.0/share/images/fatcow/bullet_black.png000066400000000000000000000014021440160026300213640ustar00rootroot00000000000000PNG


IHDR  szztEXtSoftwareAdobe ImageReadyqe<IDATxVoQeRi	-bP詢!lb/&_zAmRo(1MjxDBPPY
H),ÊY˾do|`dY:8hnax5q_;zVVWVm݄hvv q2[.FP(x_7~h0*	e)T+fA9X,'X VHԋSl([چP(._⟁[-bV9b("DcA|ǦO`=:,**v.N[莣	QRLn93XĔJht1BOZRܺh$hBD4hE/=VWSCdμ	j4j_>ИIENDB`why3-1.6.0/share/images/fatcow/bullet_blue.png000066400000000000000000000014301440160026300212400ustar00rootroot00000000000000PNG


IHDR  szztEXtSoftwareAdobe ImageReadyqe<IDATxVOHQ?u5
:X"!:t
ZnS:DHԥCtP$aɰKQbB&3e]w˼Ǿy24a+[<GT[zqTLs aK..o@cfEEb[XcH?*`!-=ױ]UA7tXK~%@1"eGc1`.>^b(ٹǃGFKms쑸hNkGRŖލ~)yOк</uNI&GC<F2r=q`w}ˡ~~M{yxe*Qm(H /G^}ɰYw_MrH;	;_(uAIENDB`why3-1.6.0/share/images/fatcow/bullet_green.png000066400000000000000000000013441440160026300214150ustar00rootroot00000000000000PNG


IHDR  szztEXtSoftwareAdobe ImageReadyqe<IDATxVKSa~sΎLEPABƢxAMX7v^T@tc?Q`BEH[4Sgs[[眩ωA};i9$y\PB͝hGpaLy3hBBE	+'\%@>Ս>֋'ǁFxmD:h/?Bb1u:Z)I
\\>skO?BzNl9Gpygık8^7tI k/_߉DiFCVn!S1TQe090"nuxJAb2eIk1cs0ھ4T~ә7ek=c"J3=
2Q\
j3Xi}s9k
i2AhUbp9넀Cd((+א9sa.pbDUIԆ6jkh-3Ocx6|JieDZ1~®8JmU&Jv}KLNYr3"p	Y(I%pXrp*AܿjǛP$	]?6Td$IENDB`why3-1.6.0/share/images/fatcow/bullet_red.png000066400000000000000000000014131440160026300210640ustar00rootroot00000000000000PNG


IHDR  szztEXtSoftwareAdobe ImageReadyqe<IDATxVkQG5M#X"UKz(ijA(WA*E,ORD"4Z%41Whvlk)J@#yd73o6L\.@F`U<>-&$!o1茅֊0~9
b5XIX&@=r^p\Ɔ	<|ܣ712[)@<[P}|hߒ4vx8?m
`ӧ;:y6OqEx>RǹR|QS*|lf@Sfp6#qt|c@bPYp8ĵq>H5\*%AP+oFyLj0N)v.0N\lv(ViZnr1&iz$@zKC\s Tl*{/LRIQjBqK>kz0]ь%!#3h=|ȷju3Éy|D9
n;l!Mt:
KˬΌFњ@VDjlkb|dfr5>~Fj,-
@k4"XeeU	sa6ռ^^{Őkqn'l/`oneIENDB`why3-1.6.0/share/images/fatcow/bullet_white.png000066400000000000000000000012661440160026300214400ustar00rootroot00000000000000PNG


IHDR  szztEXtSoftwareAdobe ImageReadyqe<XIDATxV?`IK4rZ]	c<8KA.B
p?9sT/}/@&^*}_rQ&R@)`X3䆮c￱,~3mU:a:)rR(I!xyl6wS/4MKudz1GDЫT۶U9gF[UVg+ZHŠ9GFm]Gzp@`	hN6Z.B2~6pߙ	՜r4UYid[TD?'\Ο_E˱E) Mdr&BK]f_iԁ!!ns!]Tk/$@>b
0o#B:6jniq:6WN>~$E/|0^S!b"Мl#q)&-=^szJO`0x+O+ jb$1Krgݗҁ۫4%=r_x	KUWkIENDB`why3-1.6.0/share/images/fatcow/cancel.png000066400000000000000000000032611440160026300201730ustar00rootroot00000000000000PNG


IHDR  szztEXtSoftwareAdobe ImageReadyqe<SIDATxڔWklU>>iKZI*a|'Mc"'5!j5JH0P^	DYM`R`۲3ٝ}ingvy|{F@˿ﶎ0̔?[s/SeN|5Z.n4?:#`y0440u
t|8轡L@W72W
-Ӻt|n3PCNZW$0N&6Pe
m0:7l:l0L]r/\>~"Q)-ϬIõ
/`V?DWuCA\=_D)ϭ9O=7,r֐,ȱmZ)XC*!/rU:>{.hUï䁌cBAh :%Nԝ;
t{fWiLztė: ӊSˬ<<ϗaRrO.Rr0|a|2L5%ʑ ޥ}<kJc/yT85zw9J$b ؘNﻳk|0ͷDKaXa0&op$
ΣqMA9!]A(@4]%i$&◮ 1B	0rZݵ3=\)|<ޕ^آ!PE1@,0v5(֠cI$ӕןܡe@̄-ҋtHl-	6a
Cw'\4pR1Ⱦ=^fɒ2	m{@&]NUHP=5 !Y!]M9Ho}SJpnCNJidHtt#gܵDJw,/UIaY>ge"RQf]'%Lb.c"#eҕӓ
-KQïA5ɐ,.(JVV@6'1~7m1[@m磙m@p4}@b6	;*6|Vֹ~-` zȭ_?UAD7=`Zu3@Aݸdbz&@kj)&v\7MKpE&Q
wxK&Z*5.(?0zi$ꔣB@ΞgyXXi?PxX(
u>T)Fqg b	Ƚ
YvN"w~3mM"ǿcg\1rEa7I-v~
h2a]$lFN*ݪ]x)8rD0$uJN1ry#NCbΝYsx:A(idMڝѓgWP&ܖ\ nM5&ñ,lHC9##`:7=6ndAt55ZjSrNuC'`|my%hw{לnk:a^3'"(&$'GԭƔ?HJ9gU4+TG]$*kF3a_?P`~zq@50E"]0V?,,`IENDB`why3-1.6.0/share/images/fatcow/control_pause_blue.png000066400000000000000000000036521440160026300226360ustar00rootroot00000000000000PNG


IHDR  szztEXtSoftwareAdobe ImageReadyqe<LIDATxڜW{LSg?~-H0ET4#1>٦q3Ƹe-F=٦&1=Lf2TdL'NS*UiQ@w|Z|͹{wxu;DJq@_@효{;{.Z.Ew;`AL$k "DOUɀkw9YM0 YuxJVw;VO$0!z2ABJu#R_B țS	Ok'!sG=ߍ#O
յѿGFs;N]{tf1_xO_jVQ29ș8n:y%7d
YO
cݧaܱ@"ޛǠr
4-fJL7zu!dm!;LXvɲկgC+n#/Prh C7#w7y,WaifBmj9EKf6\C+x2E
6V+_dD_1./ݹtlE.v\7Z3#SU&,MYI7Vt0`5P	=C:H&݋O9`zڿd(ND<1gGEC2,}6;51VJ2;y1w!U3]hMW=i	ހ
+Eƭa%n)=5 
DAn6A"^|н6Fx$mz7"UCXchmWęxo^"9vq0It8k,PIX2f:*JF3xqrEpݾ;WU{$YIE*mxs2Ix!Э8>{Pڛn
'x DHnԀŹpG_Ʃ/ޞByb7ASP'6SkV|TcݫYt)G8sx&
NHO4x'cor=}/A-/6
IN*rފ=g0HI`P}?-^|yNiJ$;҈'۴is͎G~Iߔϖ.B1M4cw+KzR-mi'
VZ'`R5F.[d2VSW@O]5|1V Pj"H@<]i]١h7غ3[_pfV3} 
@5cT>H2%# ?Ӊ6LB_
7Ùv]5 tz5C@ك^nQ`hsiz?wN]/j͗ HR_7Rd}9M1ER8zgρIENDB`why3-1.6.0/share/images/fatcow/control_play_blue.png000066400000000000000000000036631440160026300224700ustar00rootroot00000000000000PNG


IHDR  szztEXtSoftwareAdobe ImageReadyqe<UIDATxڜW{L}s@"LQˬ*vvٺ.Kivkc-ɲ6lgKLu1bKVf
z(t}߷.xp=0gt'tQzT0~GDE]{-eYʒH܆(6Ed+nu?o!I)d%+!g\嬛	% FDR[Qy]x9GMO( b8yY'aUٽb~Y~oaoD8I,x~L'AN주uqc)h_n
0@C	&nH4 5˭|FUŔ]'31qre27D&E˟}C)ܲ$w
ٌqv^;7ӥDNb*Y0d|\<n8"̢
,(c^u'}d@׭YJYbF
\{CX7涫RPW3|)G>|*wP|uϮBЇ$nAVnXvijȗؐj;GNv@uN-9ա
]L_Js2NγfI6[HT5u7n'GE(A=η>r/ q>˜䫘e̚֍I:&3)7OĜ4zێ5Ω4A=x!fz
k,)P@tӜ
xZ>||h򕌯zd=Y/..j6=7'ݜHf]8ЊwvmCN"r`mq7#+ynRh\ԮӨ~yδvYAR"DjƲ)Lk>k&յɞL2
5wG[yәv&_S~rnXZ'͙<Ty~3VɗR/N֋񑡮@Vھj']>A%x[eݾ0	#rѾwojuO~%+64B:!IQ'o0d'٨8~N=E<Me#jbpIENDB`why3-1.6.0/share/images/fatcow/database_delete.png000066400000000000000000000034631440160026300220400ustar00rootroot00000000000000PNG


IHDR  szztEXtSoftwareAdobe ImageReadyqe<IDATxڬWYlTe{lSHT6Dj>hAc.1
>d&$nq	J
"H*-t:L;xN7sz{￝s&^Ⅽo_y7iBeYV2i޿y/npKoOab145ŠiZyD#J#N#_4玧Q7}F;/^PiE݅g{gSR	:\6{DjdUS;ۗ-*F]pڰ:]]Y~*a1xY.ln`6ܼF=6G~J280Gʹz`~bpI2kkAqt&X˨뀦C5FPs+c8:_G$IF5CF5	QTqd|ഋ]LJH$3T2%Y<4BQ@7tʱJŐwmΤqtZLhͥ<UhF8~BcQ)tRd2p2YbU\7F=tE"S8+VƱ??yMlL%B#[
4b 
DBaBCPxG
%*%Ĕt&Q"VZl>a:hEp5Da$	l}i	&2.)E̖lS|9f}~I)KlŦpMCpqd|'-TH
1!ˣ,K)HA󸩮Âc,)
	4TUO

CC_E
KNr
VQ:U[(C3WqͦVƂBtcl~h;ރwns+	7?\qyv,-]Gjͦ0p}kki}9̴Y
oDlӭЂAW+"sve߰n+!tTxO)Py~оiTAנڻlUkc՗j~=r?;Qٹ7:7n@NȊTq9nSR|.}q]<
1A@A?T߱C/_	|`ϡE4B;8O,A"qw>-蝨`y,UjB՞ IENDB`why3-1.6.0/share/images/fatcow/ddr_memory.png000066400000000000000000000015651440160026300211140ustar00rootroot00000000000000PNG


IHDR  szztEXtSoftwareAdobe ImageReadyqe<IDATxWMhAf6JZ	=xQDz
M zh&x*Xm
AK$PtZ&mb҃`^^fas4r(hh
h
h
hFue;QfL7^hR~x_̽UUqpTvn0cY&16˕r=m8#Tq]pkr]>;m@
~!|(I#xt?KR@z6WsżcfZ*d|:L+TMStΕT5ljxt3U'89Dr5/=	p}ՉH{Ղo?V5n2g!sJbd$0`k0tAU8,N+CCtv8դOщ\x1gNWOmBFk9e\x.I@.K>~RL .t]EmE.k*	EoEg8	 wڋUX
ɷnAC{ cG{M C	<|kSR1ڏX>4_@}8znLaH) Brr"IT0;:{MYZ_z\'LxRdl9s;2|G:!ѷu
bO?>yZDHJƙ~%5akM}d;vWMu"rSd2cdRb?!6%ˠ?MM_4@eIENDB`why3-1.6.0/share/images/fatcow/delete.png000066400000000000000000000035361440160026300202150ustar00rootroot00000000000000PNG


IHDR  szztEXtSoftwareAdobe ImageReadyqe<IDATxڬW[lgz/^Y8NHlQcJR(K!} !QU*!E*X%HI[)!ik'N|O^_\8矱c>Z{g9w.`׫}"4x>}?OQ>r6Qk+|׏tmUG@5qIsX,O]Euީ\';vP:JD~s2GK'PVeb>KC?!w+v:oNO?FyhՉq8{4k]聱w?b	5A-7QL<=;|h탧=~
` C˨$.<vį׏'f);?y5{{Oa^
 r!?CY4سyxw"qszsc\nUb:}[`}!HD͉P؅%ZE@/b~)K?9lr'oür"oҾ݋t	0DX[;:`yGbs=L0zeۗU\p$!lC%.F&tsM>҂oj~7MjxZx'lDJ7?#B:[clvh8WmlB_%"D!(uXmFDR;HYf4DwWRf)}|ۦo:'V%3AN؅b{yg띠+4=LNqZ(
4iwɗGr/s8HvfCշjFB=$E#;ߗ={Q]-WQ@R:_ zH&$ѵIzbRUH$3Cv_NWF^!v݌
0WҎIENDB`why3-1.6.0/share/images/fatcow/exclamation.png000066400000000000000000000037311440160026300212540ustar00rootroot00000000000000PNG


IHDR  szztEXtSoftwareAdobe ImageReadyqe<{IDATxڜW]lWk{7kg؉cC(NR&E
@KR"*x/< #⣃ga@ש[yboٰ4I@1q+Y,~:BW&~D^>:M *LDn.Rb2=LJK+A9B[HFz@t:=N'(a/D9 .5Q.=?q׋\!׮, 06]d@R5ChdBK!$1)&ӫ*gY7p9$`	@#{z3UKsUܖ!+-g PSmKTetpRؓy3hJB8Ybuʣ:tDS)lvr}aי$UMbN%Sb-?BL_E6u"u{X0obrQݵd[y^9bƈ6-@mqe4U%ip5l
",(J5Q
#k XX<ÿҝ(7?B
~
Z˾wx̪hz{yE)+%cqP蚰꺁9z[a=<
(>ɏn-tn5@:$_iRsH3/z%4d
uDIЈ0
Wo9Ǻ@F2֊9J18^B'zʩ6Hm3nB݃kא˷o$3ˬ[XZˋ3HF(`%jWvVQɪz6+#og:Y]|v*CβAH\lŦduZ|m
<׎o"EH+So2.*u4`@#"xru0~Z,B[Fdo+҂(hHzNi4B\nڒ#9cCcA[JH]X;mfS/	izwԻaNXE)	
oyhjhp}}T	w
R*..g#k|`4d=(e{1=a\$W?f+aBBDs'lEW2\L(Dh޺Ep:BS3ROL>1+4zӊ۹LJ\S&UŽdQ|\Mxal!W{}OqBe*k*j6uϳ֩u".$}-+3u@LIENDB`why3-1.6.0/share/images/fatcow/folder.png000066400000000000000000000020761440160026300202240ustar00rootroot00000000000000PNG


IHDR  szztEXtSoftwareAdobe ImageReadyqe<IDATxWoG}3S!/ $$*b*T!UwDUVS䀐ʩVDTp,p*m4vC8Nnul'Zy$z5{~3J)X4osրO9kBJ0^:VXLt}mm`sf{GGCybe4KCw_̞YXP2U3@+l8ӌmbϬ"0ɥ0W1G~_h&.5_-vύ%B%0(/1Um~լmTh^eM%lо%/
 
.
L)݅ԴI{r-qĞ	2c[ں_YZFbKKh%BS5e]UuuzGhMS>ѽChFg䋕k|5ZI2 ׇ{8ת{ވW8eZ6qmHՏ5~6zn&5?#`{`eOQO{8.f
|ˇf
;= 
	{wP9XgM .I!Vؓ~l슍Ȅ*u׈ql&q_,qvl b85eMcs[?3%ĺcGC:=z3W0tzkMc'6reH6q)x?fXZ(d'>>8s#Ae&(º8>='f5\m/oq+{3.
ϟYȾң,nqO0/NcI}7uX˓^{Y3{H'fq p)IO6sӈ&­d霟
NP]ewqiK=FLqN{}@hΣ/@׿6o`s[h	IENDB`why3-1.6.0/share/images/fatcow/help.png000066400000000000000000000043371440160026300177030ustar00rootroot00000000000000PNG


IHDR  szztEXtSoftwareAdobe ImageReadyqe<IDATxڜWkpT>6!l@SGiJV?NXgl?iEeM[#3t-
I ,	
lv7w{
!9s%ߺ%;Ig$d\ё&?U^J7꿫ֵve+4{ 0ryē:&04:0zۋ'U(OY^xXvvyZ!HD$ə8z%֗z~h>-YPSX8q)D0aG=O
UX^mUD/>Ǩ?46|-hXn=5hY(yHE6ga
r@'/⋳xo_Qƽ#yOX[Th"@(4KT:cqgzV>@)aȲk'.1Tofg{7mX
|`CU#*2 K%,2d7>h
>Ԍd:ɸ3NCY&W۵ʖ7֨bQ}O9Y
uQ-BOYcfu$դ)d*v?ur`C:{4s.0n$4>4THJx9Vd|ːӢa|!\n66PAn+R%oq.lGwYYwo^c
a\*VԌ0:GSGE\Sa͇D"C^$6G K+c?O$0M)I}j{ęB_ںWę)ARR!,nLC.i\u*q!>y#HsNUf!Jw
ӧva۲`x.|mi`>0L?>vS$!ei#.xΗOsW6ۛ*t&IN7һZHs$zeɶM4ջ55:-bT0\8f4/jlhWТܺ'Wj
U.idFD=z+]m$;xQSu:<	WG	FI<_@Ą`aJVgAsmfrYYVޕ0vsP^ίP edk=n6	7D1m*9Xqb(t8[EmyR'[sK1+ٿs0QHqpvv8jh|ܾeX&kfv
_?a޾AuuI3'}۟_rvt7mW9fl||@kz<\%\J9*CVٰ
/t`%$˚&E&XKTxYYoYMP[I5E iYl#Eb.mL#hlPA:FK
6 ~st:/97ww>ei
EQQ۾ڵ	^rMMvQW[GHOL9IĢk™^tm,L[~E0Pz5ys&dp;-ތ`E	n߆mm`X|jyYO1~u:p߃:Ex٧0;
]'Nhg7|ǯ5FX]]XRRi}D	JK gː
li`6 '`6SNP
h<2ҥKKK\prٲe
RO)`iHkVfP,PBrvx\rP__%7!^vt'"R/B(S.YI8f|Fs. +l0&$$lve?0fmh~VkjXd "144=Ux=>d,UHD4	3!"о O贏˿`=h
KMRTA&Wt	dgp©l]~ģj㘛z˯Z X~k1ԫA!|)yjtObtwL Jt]
w^&,~:xjn
Ue(X(H.!2,Lk%»|--쿊ě`̌Zw$3Me*VZW}Ql
.K}-n⃂/(-uU[ZӚvƚl'd2s=g2dfgw&sws	RJVxQ#A0PbB9k|ґ#Ϗ1fMKI&.Gv.
<}\qtْ=/~z2Ztj+U`0xA
3Ųetgmͥ-V_AcAm74dC!ો^>u] b0cPro"ff6*iOZZ&Lfj}DM5ijK[k j'FƠ,w{2{!(c;Oz>gvɋ^ֱ`\/%8&Njڔ_GSS5,w/߯[
Ł@JN{ChcT	hjD/S'5Vf,Xִ(9Q_]XN({ۏ~1L?AfOE预5t\J2yb9b^|q,W6,S)F7nU0{ܮ	v>UuSD2N&'l+ٸwV;<F
UBA)AEk*$Ͳꁶ#(ۖª.I<.w˗&F̆E%&)ИbC-h0ύOHFJVq
iO3Ef4}4Gfz?ܾ୭P'%#(1ف҃pB;}ɐ$R8܍%
=ޥI'	ׇDI|"K%HN2@g]f69yyڏ ݋o

39s"QFEkU%5cuUVW7Zӟ=8o^ᬫpS!NZr^Ff3F൳P{!_GSoj'Oπu	.'MJ=ckikq{X=MM uP{#*&O"vV%6 pt/ev9iHTOf̝zQYY['1ѓ%%%]ݘr]I*. #NܸRKyh롽1dU C$,
{
tii8s,֯_FM-r<<(.^3n(.\ekʰXa;~*~Ly]8ixtc0Ŷ)B]{gff,н
trSxZdTW 11Z[4
bHM0@x!SsrqVBOnZ	.Gvmb
h5Z*B>n͸qHR4#p

K/~̟7HB{K+Ji3x%cώW1Hɳ %́h#gg8F(&&Nܨ`~~:c۶f[;fNK ;3QY"a[tdf!$0LeZ`LJ
	D_{ر[KJpAt0wt[8}Li̘HA#fq SS(!FU8[[[Zy$eJe(}?v@{M-2ᣡ^,|0_'b(51y>e)!
	S'M:
|6rΡ0$dI7ΝW"#7:z)K(X  +w_PYȌ(tc=H3Кh1jjH\hʨ2Om؀bkܜT@$i)-,U(HB'[]ߩz)8K٪PۨdϏfRLv)C‰`	.q+mvv+*N%'{:3hE2i͛7mԊEEIj6e.,V%m.Vj}kw 6<8~4vr~A(xH٩*h}}}XHa[ALa`յ;,ftx *;14<#T-Kzx-')A!˙^jEuM5|TG_a~qhhHуk^OER1`%\<'|0\;f\%%VD]**G?<4HqŊN@`/_Y$6VG}'N4i
(GhMke,]NN'hX1y7&چ~叏Ӓ	DINHHNLL*᠔U#%!*…u}ONrn'Qu!Rv	M7zgˤ9*ZOԢy1X=33stZobT,@r|н=~mFrJ݌Yi(00~T((J3qC3A$/&MFFF
]NGp⥔FU5[^qEB>44I/lfdVP.6zJG~sq22UWW[I*gN*#gɔ8.>:)D$]$=^p\~s^GvDklDt\};|{j2)
@K%
Io|/!'0>=wBpe{Y	Ow}G#Ni}O?l6wDw=s'>ֽ7婭$(eb#Og^"M'S)-qE:s!xvi>@
ҟME,ope\xm}Ѐ˕BM=Gx@4HS}
!1p \g-E=AP(ڭ=;|#'b*`"G?  x7XD8|~o`cI޺O'm\KSlbɑc3I"  p "XA$l\Y%%]K=w^vJ $F	AA3Ȇp7VܽЊCm/Y@N'((GR'1TI4^о1RԷ=YV/m+ӌB (B@czvuH>t4{VK*e(֭6umOnu?!Ye݂aq$$bD44xX00bl_'876PLS;Jչh-b2Nt&aq/#BMBwg%x:M0ED8nG.Mhi4bJ*
 ,CtzbO0qswpVQrw#25A<SqWGĄxbS΄l	D_:|/92>_xOJLZT:k[0XT9GS=սQʳ?1@=tNi?YeIRf,p^ʌ~Z}b	|0_?
68nkUTA}-fಛIe{R[HaL@KTXEqò<1kҖ,6}@(ne5啲ᄖIRahZFވ
qB^<<>A((pNh[T{rJMj\p-d3`䤪fF	}j\ȱ6U`/sгl
0!AպaUYg@E]%5MԈwÄ$FcBc!V?-OR$˽h`_Nš
k3-Ť@z;6rZ
O947TΌFqng)b4g#`S)xdnArT~ϝ.GyiZ}<jѫ|wAEPW	X	-kU[pԜ텦hM)er\?>\8n_241rtGhӃD06(@*
:|Ht4F=L1TZxak~ENJd1:IH[0aECt|#
n,vlhTw֡|	}RORl.r
ڷ?[Fl>k?iam䁭;Pfs@nXl1b13{7ľR_k::a/5B8eW[D~罍KR&tr+;OwsJˁt
i:`:讬RL&)DU\GsyFnRMv:bZ9ZEQyMUm+m^o!nwiMjIc'N"ðʅouvYtv
NwMVk9u6fB4|'_z*,{Q8R{=Qi~dlʚP;]Nf	uheҹ{}=47H:H|a6R({U
}O'6a4G`X*);!@d%Nra۰$ץDjbX݃إ؇.tW[-m6$˚a.31/SS<r-֢^Ѭ[onx)n
\`S6ڋ`x!
^@:h|'~Ih5;P&ÝM5en9~RЧZ?hYgvĠpZV:3Xhi
=f7!8~w=F%EKjRh)3qEGHE2W޿HC-KlpTVępaKͷu:]~Z]F.`a^5צC;Hj@M0ZR
@CZCZδrRl1y|H9p7j.



  
  
  
    
      
        image/svg+xml
        
        
      
    
  
  
    
    
    
      
      
      
      
    
    
      
      
      
        
        
      
    
  

why3-1.6.0/share/images/src/logo.svg000066400000000000000000000121151440160026300172230ustar00rootroot00000000000000



  
    
  
  
    
      
    
    
      
    
    
      
    
  
  
    
      
        image/svg+xml
        
        
      
    
  
  
    
    
    
      
      
      
      
    
  

why3-1.6.0/share/images/src/transformation.svg000066400000000000000000002252331440160026300213400ustar00rootroot00000000000000



  
  
    
    
    
    
    
      
      
      
    
    
    
    
    
    
    
    
    
    
    
      
      
      
      
        
      
      
      
      
        
        
      
    
    
    
    
  
  
    
      
        image/svg+xml
        
        
      
    
  
  
  
  
  
  
    
      
      
      
    
    
          
  
  
      
  
  
    
  
  
  
  
    
    
  

why3-1.6.0/share/images/src/why3-approved.png000066400000000000000000000402201440160026300207560ustar00rootroot00000000000000PNG


IHDR\bKGDe	pHYs+tIME';54B IDATxtS~+2` !$m&G=stTMΆ6a|9u쀍oԂCf78tgw5$sf44%)	Id~Yt^IduelKWW|>|i[-044L3A34LL34LL344L+68Fڛ*'C|мl|A	%=~o*ˤ3!FY'@`9K0afmù'8*TIFLвs6$PTM%Txx00[NUqfbN
MSI쑞`3s<\`LAM7G36&
d`Cv-GD)GJ[kBg` p7]$vɜݩ-S{6N9rL`^Np'eBBs,Y:yb4a8P@{W|	Zh,~D,tr3
!d?2|;|4" H>hfB_ЙiH9,		<&2b^%X4~qY)Sy1ƄWN)uA&p71h	y
)N2E-
SS;Nn2b08 Y
AcY$YrxBN~HxOE7>Uʛ4+V^=xd!aH$`E1eUB8&BreG^I@XNfkHHg3Зw=:Uµsu`}!{6_lj
Qܘ8G`-sC8bˁe}.6R
:?jbɬM&%{^,3#Ѭ6` ǰsk R7PKU[n܊zTMz4ںMxS	=\Tfu~gngyrHkB(I2q?Ҡ=KŦ˒>T{)Y~vcY88RI@RFf?ٞfӣ-TGU	fGI(`Vc~ym,B8qMɧָ>z?{ww?uVLs/
fIuG‡ӒS)e2̆P/d
Npv?ޫY7;d6s4n܊E'Qby29RByU4ނi=*Mb\U6,NbװgUQԑOl?0G騭;!9?{p'
b(=Vv[G5!JVanQc⅞1zHc~ŵN'eCOsAxcejA\JJJצGU>FbOumtՐJh=(Qy/*4Azw@)e"W;;/ޢѴ 0AxEӸpq%ںd})!DyN4CE^ kt]y[QF6ĤYPjaTbĒiBi*)H9dv:m''sP9;D@i
-|
;=sQZ%8e(9,%2Ẹc-G!{u~O	ZEUĐ>Q
K!i)K0-*> 8mXxe| %7?2^3R/l9$wT-
xY>&-@먊R8Uwan	瑩i4Jk]	U{Gm="owk'ys
0˴dw@ZWP7lԸ5U#mt!ӄV]cXPYqhoxQ^v^wLbyT-cC
k\E-$5p;ݍNaw㻊ʖ}xnn(M!t#Te6cOLvt +?A?ǡp.?M/LSW`$TbV4dl?i20z7ho05Fze&r
%:yKT<
|FlԘI2Iik&cUd!+\Z,WRcH9|WmZo^BM=wv~ ʋ%5"{	{a}w"QE)?xvz@"l#
`L.U}KaG*-^T?)xkpw@$R$rS
ӱ
u(ׁZMb3fXD\Voen-À= ԑ2tߺq+l-8N)GVGZ"~|^G6MI-OBPc\،&&^(cmZw,51.{p=)^Z^xwˆ:تfϳ6^1lM\l@WNzEޱWVO%Ѵ\ZHT6i_(bHFu"dj@&#>zv"n)s/
"pf_[q^pkbLl=ʵ

Q+eȢ砘[jrWlW'AάlKQ^m9Z6ԙcV69ҘVLt@QF9C
j{wVM=qeR?͈קĨ9΍	4f
/T9Z4aqQĦ6^;o?YY{rB	ަ$	ǐ6=x38[{ ρ34Nd-[G;c=ل̰-JZ:b	WAKѤUӞiZ+U|̼Zeǁʞ׮;i5AlL1Q˞t+RCk{4L( Wt #C#G6c2Q]SOm@N?W(q$oI*u)V$Jg?Y	uD2E2YhZ1)DYB7V=m8Hz
[GƷ"YL,"	)fTh؈Gc#9vHlӭjcZP]*zU(5.n"n+AuMNA2H@La`۶:X,u!O+o[[ضDz5{L`P=M}doS<87#gUykhd6X|@i2,Y\>֧
pAY\Qys걻|{gJ)aM*r3'w+ңy.])fxc;=czp9kXs΢:~9K2
ᄈsJ׃JLNJ3sr$QlmxJatW^/7փV,1oX.7GϪ睊o΢JlU)U?+r#sf0bR|Hxfd;=뱻]P#pf{Zٚ56l%@`[J~?w=2<=(sIC|])}|9]:hҚKų:kkup\%gVbwϾzY/H+
%?_yUU˵wC*Nq1Po#՜.dgߣqP	 MU`p2i6^./ۊUYLd\cY, H}z( gVnE{é"_з+E\lqz茠[Nx5!cˆ:yq\|mݏ$wný&lK0XW(_{ٍNhiإܱ1l^/찼I=||VvKŞ2q9жq?JuY3I?{	/h
R+pطa׳FF((pHs7|(k yxahФC/)hj8Dhj {g)Zy<Кq[kz=<1qӥÿؼd^s/;Pn0O%XlY[ʾ<#_NJm~f/ۊ]w09 P
	Zܛ!hlf;=QjC[9;?x@P6,̷5/rr'Au?rSym%ZFq˶W˖GSz=M0@R<HNe`|YfqZ-irHhiD_s*HcQ
D5h7Vx3(7nB}9-(!s3	8`^f7r٢إ}Em
ZY46
۵q9N%nyu0`_)lϽ4K-b
#-E27UP@7YJ++`
6W9/MMQΦj|@U![2hCް8R4Y5y> H.Vg+ٌ8g{w"M"%XB8:廤+FoZlu9{,W,g#5plw=laH*
jv4)Ӥl*FWh~,x}%/a#AH,Zٚrޞ (W0bL#jX
q?R=$}Qy5.*,Q[6ŴFZQ-9+׊Z{Olؑ?].tp4Ur+Jҧ0zHbRKN79>TW?w9nX"W{ơo?HN=oFł9iEYekAU>ujw	>LhZ7nE8|:=\?Yր-
K\%۰sNw?[|HT0*@܀W4m[[
]S-Ū0W؆yzXD"OVa!KO|ҫ3e6Vh0i	].;](?e #’UL%Dwc_nC܄O9_S"q+Gd>ͥ	fݵr-}J@"Q*2?v't\_W;›lCIX^c͘!YLB"Ü#X2u..0iPXȟbAIֻ	lca]OI3)ލ%_nF9[sr_fesS;EJcIx-0f;CG~s/
rvR>E^+ (rNzLMu?\W Tװd;>Œ#>aw?>?<ѫQ5<|~@#pA"5l҇KP!r){DEH=.tа/ۏQʮg;qݫ} q!)<C@p(Y$ݦ:hB]p<e#|FIrJ0i(0lٶg#
cxX!~p6W@ qЊ&?CY{oI &a n&ه`Dra$G@qPTa?(iB܁FV]04hV`֔.ãۊ9d0޵I2[a #T?xW@# 25z4	>NToz\oVE[QTI:0GxE+V҉)Ob-2r(qgZքRDp ʈPR0'^AGdF(PRҫ{L	@Q3+uYڈ9*,@vmRa.JZ,	$ݸjXd~2k4ǭC@zaj!d-<ڙ}+\wnleyޔ?['0>(~	
ZjQf݌k,?oQELpnA <-U/\gp
Yj3Xr/[lqRsvG>XC(`P!b3nQ90BeLH1p/*h}ㄎV/c?&`<)[[~^cE0I
W#2WtE*sKu2V~SS/Rgɵ#xAH{#cǯNdo߁W_śo2~j1X(oDk
qAPHF\^ ?^^@I8g;P~
:%MF0IpWbx8>(5kmsWU;U݈(jӝcGCya>٫x%\*Aoa|?KqUJgUiVV@Q}4x֟Л0Iqoc*/GB!cG+SGN%!
?-]aXA:>9z
M\Qm{}-sLtcFf60LrobQT!2qIʝ(s\/CbSbv2hΞ1r,Cc/.2#D8_qdnE(4Jb(HVq1l3`N_Q!8U~~! 	nAӜC!0K-U|o$Ъs:Y|x &HI #!&lYG}ꨑ<%b3A˶g;{gH0a5Fm?/~+H=\MЊdz
IHOq?eU0IkBfVmH+FJ_c@!;{MLЊz}bs$ǖ??\_Sw0~feo6߂OG>ŕW
y>e~H&h3HlPHs?5,dWFP.CD0A+O
.R#/ܜ1Mwb	F0FOqEbZK
gXz"4iƣp!7a+j6͍v'ME'>hLBv&V>yy&D1IopW椃p>j1C	!1^6U!b&[}ÆDya D8cǸ9hqdd`Qgn@f[ce"ԏ峯T@ {<;GӃo[[
>b4Y_$gЉ4{va0ꑭY@MI&q`E~qrM4B
ttHK,OS|o4Тᣱl>craW(a_O|?k4=tKPuLYZ~ڠ) 
<ˇp-
+ts')nOP»cXq -د$>iq,.H?=OC<kV}ApٓUUYo`)v攮gSluB<(Y"dOShn!ӾcEëWb!n	6n[[[A9Lm1P' ̣a B4a\a#zK틷DhkXŗ$sm[YhU>?](s|s||F x~h{WUYuMhAIdv@喥}@7)źeQc,.'Fr?hQӳ {p%Mr){mkanQCOXҕy~FdK^@cmyڞhr&Ws8-Wb)~2kr-I]jIV(a	^]]@[h~OoNJk!aF3l#/ix}čصq!vm-ne?umS^YhA
5z ںõ4T'W-I{g3My>ј^m~p\aEN֮*Q"|gR'A;M>\M=fy_yȌƙ&NW<|9ڸ.Kָp+g%d6ToʻEooRKa#QzZAcm:G/U21G@	hݸP=kX~Yٶ ()	 lphVx9bv1xC.~~5m[[
{flӾcu^BMtBj`wbwhݸU\LȡFB=XC3HfacF
7J	7$9]QO^Ys
mmuyY4̜[v<ںEꪤR볨\OOT
rDZ[M2Axt7(5ͰZk
Vx/=7^	7lqc]Zyٮ;bV듊‚2^Ix7-86oƶ/%3x@EpQȭc=wx>:ƙ46XP)PtQÊ,[ ~*/g{31.s]ɧEۦbdj̝g.7:G6'NN͔cD1=Y6CG:bsz5fQ̛S_/|/Ƭ۶ոcI~]Zq98 ;d2Blo8.>sr}:Fw(Jq
Z4\TUWSlםa^_;O*ʬx{{͞5X`w	#/o/aqRofEM%{}E԰¿%<9o{ӳsgwS!~=	*i#˼ތPű
hG
^m{ͱ$`>\@.޴m3҆L
8>$Z흊0*K:Mb,,
 HE`u5ه^ly^.Y:
ۦжq?"ںK{AR뿹mm5s+~
5iru(HcPrͲ
4r5&oQ{5@\8}ucIWAH~0uAXA;o?3ގb,-ho8%#zָ㱿I=Pʛeף7YմIueᢃ-HrD{Ëy%øl;k\x7ua~VάqmkQ6g.ҭe&i껟5TQGU iRi̍7:h;4P^),d=-1qs-7,Lho8;tƄ-%0QxR^LB!+
!TL7vNgD9O7FwN>V&۴zn_|BYZ̵ׁApi."Sݶ5݉Gj:j2Bzϖ
ubN&qalUוHS doS<ܹZB6.In^_2{-,:izh񌏙ݶ֒rkqձ]>23ӳgJں`O
p"ChiI^Vd`*mBsZ;=Ǽ`B=u#{A7y1!
P`l[3׸(ׂJ"`l,
n2)!+ aCPμSycC8YGF)d16
iopr^T;_(?
Np\|1T吶q@$|Cg[|1?z?C/|pqe'c,|$7g
h1,EȞ&a[)
yDZU06k
#hEcIR޳tMBFe^`OuFÝt,o⃴zXuFUmB(TK֍[wRCwX䳽^Y\C|PsɏD8K]0SPAp!˫G2~|•S!PHoYꪛ«lÜVؽE[xrqBS0L9\R|Hh1CnP? |	'Dga5.NanqPM]ępNJQvKy}g٤b21>.m;h"XS<}I9eCUhzƆpfͬHiox1-Xmj|i;	s.=zYXbݢ	g>NLv:e'kToU(_D
Owգ/1*ޜ-
“驈<ߋp4BX5udfBƗƏٽM`pZUl[c6ԛ'O^Tl~|rP*Afb6PnAIK}&Zkݸ%'5Ln/Fd|*cMkg3Dž+3L+
16dhP"PgyVƭPPm
>G^4&<5oڰ1<t8FqqLh4ҎG
̸kjVV+ROpZMXn/Yiʚ1ᢎ׊*CBeM*Blk\Tz<G8roW%z-۰1O] *	$AyHnE d"Do:j	+M%_Ko9{cg%٤aRS}h*84{A| +*ЦJZR%IɌB
uB~wܞWnl\^	U>m0}MamO=b"8Qy^"-wy4aEMln6^|eιzgfc:
8pB0#zVcQɴaˍiJfM|Bou@Sbd1HJ{۸[\Q7&ͨ'Z~6\L*C&NmB'ywL) {3)Md=bzG"CoGAL7LT|~L)R%SV-Ņz1|gO8Sl[S
󃪙D+<;&v:XTq2˧0	m[Y@!+z:ONڐƭzfퟋVF0rg)a0
F=Ofc8kA}P}`Bf	 18#yNo+ә^~[1%p7UCc	\&hqt.SWϚ~U)iA
emQ\6Ǧ@L`}w7DЧXmVoL:Jo;l4	>Sp)B	p	< ԝ0dS-雠'p^nG;@_"gB+#Ѓ騉Ihmp2Zqap|ɀ%֐O3g"!ʹxH	Ûx@=gwJ[T4Hf	,U
_NӽX=fMlJѼ=sJ36i$\V,nb2-=R7D'E
Pp	N)t$i )\jUv	4Ԧ*pHRE6!
2,1!B3"H`.߯C@4J+{u3#ݼ4l@g*/c6M)?p:2N'3X}3QTM3As.D$	 (}(@"曂Vr4!+ʹB1h׀202sqL(`z,)r49L3A3ʹ5jL3A344L34LL34L3A344L34
ar|IDAT?K-IENDB`why3-1.6.0/share/images/src/why3-approved.xcf000066400000000000000000001321341440160026300207600ustar00rootroot00000000000000gimp xcf fileB%B%gimp-image-grid(style solid)
(fgcolor (color-rgba 0.000000 0.000000 0.000000 1.000000))
(bgcolor (color-rgba 1.000000 1.000000 1.000000 1.000000))
(xspacing 10.000000)
(yspacing 10.000000)
(spacing-unit inches)
(xoffset 0.000000)
(yoffset 0.000000)
(offset-unit inches)
+Screenshot_20180327_141133.png	

Vr=!K/0AReZgxdZ@;::::42343-,+*('
&%$
#"!!   !""##;99:931232-,+*('{%n$~#|#R"
!|n{ enss{n|{w{{	n{en
R|{neR|e  !""##h;ehh9`hh:h:h:`hh`h4fhhh`1`hh`h3ehhehf3fh``hh`2`hfhe-eheh`,h`h+fhfhh*hfh`(`hh`hh'`hhehec`%`heeh`Tghhe$hfh`chhf#`hhhchh#`hefh@hh"`heh
fhh!`hefhcgT`hhgh hehMfhhgTghhg[hfh[ghh`ehhThhchh`]hhcfhh`ghh`ghhgheh`	Tghh`chheh`h`MghhcThh`h``he
@fhheghhhheehhghhfhchhehh`ghh`h`hhTghhhhMghhfhhf@fhc`hhMhe`h`hh`h`hh h`h` hh!hehh"hh"hh#hh`#@;09 9@9@`9@3P@ 1 20@0P3p2p@0	,00+` `+pP *p
(``'@00	h%00:$  P# `w#0p	"0	!0p
w:h 0`
+:IP`Ih:``whXp@
hh@0
:h0
+:0

@0	
p`w0`h :@ +PPw@	+0@@@` @0 @   @!@	!#$#%

!	#+
(,/6779;	~##$	!	"*
',/.{~|ss~&w~ss~~snn~|RssesnesnssRR{|{Re||n|eR{RR	|s|	s{{
R{nseses	wRw{
sRn{|Rn{~|RRs{~nn{{enR~nnsRR|wRR~e{R~nne{e{e~Reseew{wRwnnw~~|n4R6Rw2sn2{R3s{5w<<=e;Res{~~{se%ew~~s
s~wen~{nnw~se~{ee{{{RId-[
Rw|eJ}{Qxn"{~RR}}O~qs~RM|}O}p eRR}}O~p wnU}}O~pRRZ|}O~r nw\}}O~r#h`#`hhfh`hfhhehhh%h`fhhfh``hh`h
!h	hf``h	hhh`hhfh`"`hhhfhh`*hh`hhf	'h`hhe,h/h`.`cc[hh`[cc&h`]ghhgc[[cc[hhThhTehhgghhechhghhc@[[M[hhTMhh[T[[@ehhf@ghh`ghhechhg`hh@ghhgMchhgghhcTcMhhghhe@hh`@hh@	c[cgg	ghhe[`ghhgehhf`hhe
h@fhh`chhgT[hhM[hhMfhh[	]hh@ghhf]hhgghh`ghhchhg
[fhehh@hTfhhf`hhc@Thh`fhhcchhg@ghhg@[`ghhfchhfThhTehhech``hhMThh@hcThhTghhf[@@ghhcghh]fhhfghhg@hhgffg@ehhgfhhcchhgcMhh`@chhgTThhM`hhgM`Mchhg@Meghhg[ghhcMhhMghhe]eghh`hgfc]@]hhTghheghhT]ccTghhc4@ghhg5@ehh]2[chhgT2e`hhe@3g[g`5h]<he<hg<hgM;f@M[`ceffec`[M%M]cfgffcc[
[cfhfc]MTcgge`TT]eggc[Mcge`MM`egc`ff`@Rgql$
@]cgcMRhhpnb"`gc@Rhhinlib[gc@Uiinliid Mef@Rjhhinlihi` ]gTUhhinlihhia@ce@Sghhinlihhiic Tg]Uhhinlihhihc# @@#@p@ P`@ 0@`@`@$@pp@@@  	@@@ p@@@@а ``p@"@  @p@*@@ А`	  P				 0	'@@	+@+hwI@I&XIII	::wII+I:+I:II
hw
h+ww:w+h	wIw	Ihh
h:I+I+I	XXh
I:hw:hwIh::hh+:::IwXҕ+h::+h+h++I++XhXX::Xw:45X2I:2h3Ih5X<<<+;+IhhI+%+XôI
IÕX+:h::XI+h++hhhE";
Xwҕ+9Qh:QI҆!:R+":RX:$:T%:U:X':U<;=1.013&	$"
!
 "#$
%'(
)	*+,-./01123347788889<=<;:<0-/02%	#!e w~	R~~
Rnnenns{wRsss
RR 
R"	)*+,-./01122345n4{3e~|R1~{R/R|w/Re.n|-	~R,
ws+h77[S;74ZMD7!EJA<<=>=R~+*wR)nR)n){={=|~={=n%RR$p n$o {|#pn"pR"q |~!nR nn len"enep s	p R
p{|r re
r(
w|
}k
yhezl3|{zn e
zk	ykRyk~szk{~zksyjRzk{jyjzjsyhsyhs{hsk s<s<s<e<==<e<s<{~<~s<R<<e<{=e<<n<n<@fc+ce*]f@)Tf@)Tf)`e=`e=c>c`=fT%@f@$a Te$ib `c#hi`fT"hiid@f"hihb c"haf@ hihbTc hih`eMhb"MehbfMhihd [ehi` f@
hia`c
hic fhihceMhgiid(
]chgiid
fhgikdfMhgjkg3c`
hgjlh Me	hgike"ghgikef@hgikec[hikh`chikh[ehlj@fhikhghikjghikjfhijjf[hikhf[ikhf[khf[h f[<f[<f[<fM<g=h=g<Mf<[e<`c<c[<f@<g<Me<`=eM<g<Tc<cT<f*)X(:(:(h(h'w&h=:%$T:$Shw#R:"R"Qw!O Q: P+Q+Q+RIR	Thw
UU+W
Xw
J


B+WwhV+
V	VV
IVhVIWVWWWIXIXIXIV I<I<I<+<==<+<I<h<I<<<+<h=+<<:<:<








																												













				
																						
				
hf`hhhh`hhhhfhhehhhfhhhh`hhhhehhheff
fhhh
hh
hefhfhehhhhhfhhfhhhhh`
hehf
hffh
fheh
hh
hh
hh
hfhh	fhfh	hh
hh	hh	hhehh	hhfhh	hh	hh	hfhhh	hh	hh	hh	hh	hh	hh	hh	hh	hh	fhhhhh	hh	hh	hhfhh	hhehh	`hh	hh
fhfh	hfhh	hh
h`he	hh
P `` @P 0  P``	` 0 
0pp
p 
  0p`p0  P
``P 
0P
pp
P0
 
 		@@	p	pP	@@	 		 0	@@	@P			`P@@@@@@@@@@@@@@@@@@@@p`				@P	@@ 0		@@	pP	p		@@	0	 
	,	,	,
,
+
+
++***)))
(
(''&&%%$$##""!    !"#$%&'
(	)+,-./065	#n	$	${
$R
$~s
$R
%~{%R%w~&e
&n&|'n'R's(''&&%%$$##""!  Rn | R!
e!w|"Re#%&'
(	)+,-./064	hh#Tc	hh$g	hh$`
hh$@f
hhe$c[
fhff$@f
eh`h%c`hh%@fheff%]cfhhh&fM
`hh&Tfhfe&chfhh'fT`hh'@fhh'[fh`h(hh`'hh'hh&hehh&hh%hfh%hh$hfh$hh#hh#ehh"hh"hh!hfh h`hh fhheh`h`hfhfhhheh``h`ehhhhhfhe`hh`h``h`ehehhhchh@fhhhfTghhhehchh `hhh@ehh!h`h
Mfhhf!h`hf]ghc"eh`h@M#ehhfh%hh`&hh`'heehe
(`hf`hf	)`hfh+hh,h`ehh-fhe`hh.ehffhe/`hhh0fhefhf5ehf`hh5`hhehh`	@@#:	`@	"	 "h
"
 0$I
p`Pp	"
0#h#0pP
#XP $+
$: p0
$w`p %:% `@%IP&	%` % $0@`$ # P`#@" P`"@	! @!0  @   @P	@P0@P
P@00@`	`P
0 00`@``@p:0`w  `	! `+! pXw"0
+#0 p	%  `
&  @	' 000(PP)p+` 
,0@-P0	-0Pp0. 0p0PP50p 4 0=<:+ a{~f6 a|~f5 c|~f4d|~f3 c|~f2c|~f1a|~f0e|~f/c|~f.d|	~f-f{
~f,h|
~f+g{~fRm|
~fg~
~f|Cn~f{9m~f
s9m
~f
Rn:n	~fRs:n~f{5m~f{6m~f~0n~f~R1n~f{e#o~fR|#n~fRp~fw|o~fso~feen~fsnnzdn{"aQ!es sw{eR{wRs~~snns~s
nRs~
~sRRRsss6|{3Rs2nR1ww|e)R|nn&||e#ssR!eenn~{snnw~n~{eeRwR
swss	R~|ns~s
|~w~sRsw{~wsw~ss~s|{Rew~sR~ssn~~|RnR|~R{w~RnnR{~en~s{
{s	wRwe{wR
e{R{ne{we~~nss{ss~{{nw{~
ns-~{n+ hkhgkf6 kkhhkf5 mkhhkf4-nlhhkf3 mlhhkf2-mlhhkf1-kkhhkf00kkhhkf/0mjhhkf.0kjh	hkf-0lkh
hkf,0kkih
hkf+



  
    text/x-why3
    *.mlw;*.why
    (*
    *)
  

  
    

    
  
     Description   Name   Arguments   Result  
    
  
    
     Concatenate
        concat        string string        string
  
    
     Length
       length       string               int
  
    
     Get string of length 1
       s_at         string int            string
  
    
     Get substring
       substring   string int int        string
  
    
     Index of substring
       indexof     string string int     int
  
    
     Replace first occurrence
       replace     string string string  string
  
    
     Replace all occurrences
       replaceall  string string string  string
  
    
     String to int
       to_int       string                int
  
    
     Int to string
       from_int     int                   string
  
    
     Comparison less than
       lt           string string 
  
    
     Comparison less or equal than
       le           string string 
  
    
     Check if it a prefix
       prefixof    string string 
  
    
     Check if it is a suffix
       suffixof    string string 
  
    
     Check if contains
       contains    string string 
  
    
     Check if it is a digit
       is_digit     string 
  
    



    }
   *)


  constant empty : string = ""
  (** the empty string. *)

  function concat string string : string
  (** `concat s1 s2` is the concatenation of `s1` and `s2`.  *)

  axiom concat_assoc: forall s1 s2 s3.
    concat (concat s1 s2) s3 = concat s1 (concat s2 s3)

  axiom concat_empty: forall s.
    concat s empty = concat empty s = s

  function length string : int
  (** `length s` is the length of the string `s`. *)

  (* axiom length_nonneg: forall s. length s >= 0 *)

  axiom length_empty: length "" = 0

  axiom length_concat: forall s1 s2.
    length (concat s1 s2) = length s1 + length s2

  predicate lt string string
  (** `lt s1 s2` returns `True` iff `s1` is lexicographically smaller
  than `s2`. *)

  axiom lt_empty: forall s.
    s <> empty -> lt empty s

  axiom lt_not_com: forall s1 s2.
    lt s1 s2 -> not (lt s2 s1)

  axiom lt_ref: forall s1. not (lt s1 s1)

  axiom lt_trans: forall s1 s2 s3.
    lt s1 s2 && lt s2 s3 -> lt s1 s3

  predicate le string string
  (** `le s1 s2` returns `True` iff `s1` is lexicographically smaller
  or equal than `s2`. *)

  axiom le_empty: forall s.
    le empty s

  axiom le_ref: forall s1.
    le s1 s1

  axiom lt_le: forall s1 s2.
    lt s1 s2 -> le s1 s2

  axiom lt_le_eq: forall s1 s2.
    le s1 s2 -> lt s1 s2 || s1 = s2

  axiom le_trans: forall s1 s2 s3.
    le s1 s2 && le s2 s3 -> le s1 s3

  function s_at string int : string
  (** `s_at s i` is:

       (1) `empty`, if either `i < 0` or `i >= length s`;

       (2) the string of length `1` containing the character of
           position `i` in string `s`, if `0 <= i < length s`. *)

  axiom at_out_of_range: forall s i.
    i < 0 || i >= length s -> s_at s i = empty

  axiom at_empty: forall i.
    s_at empty i = empty

  axiom at_length: forall s i.
    let j = s_at s i in
    if 0 <= i < length s then length j = 1 else length j = 0

  axiom concat_at: forall s1 s2.
    let s = concat s1 s2 in
    forall i. (0 <= i < length s1 -> s_at s i = s_at s1 i) &&
              (length s1 <= i < length s -> s_at s i = s_at s2 (i - length s1))

  function substring string int int : string
  (** `substring s i x` is:

      (1) the `empty` string if `i < 0`, `i >= length s`, or `x <= 0`;

      (2) the substring of `s` starting at `i` and of length
          `min x (length s - i)`. *)

  axiom substring_out_of_range: forall s i x.
    i < 0 || i >= length s -> substring s i x = empty

  axiom substring_of_length_zero_or_less: forall s i x.
    x <= 0 -> substring s i x = ""

  axiom substring_of_empty: forall i x.
    substring "" i x = ""

  axiom substring_smaller: forall s i x.
    length (substring s i x) <= length s

  axiom substring_smaller_x: forall s i x.
    x >= 0 -> length (substring s i x) <= x

  axiom substring_length: forall s i x.
    x >= 0 && 0 <= i < length s ->
      if i + x > length s then
        length (substring s i x) = length s - i
      else length (substring s i x) = x

  axiom substring_at: forall s i.
    s_at s i = substring s i 1

  axiom substring_substring:
    forall s ofs len ofs' len'.
    0 <= ofs <= length s -> 0 <= len -> ofs + len <= length s ->
    0 <= ofs' <= len -> 0 <= len' -> ofs' + len' <= len ->
    substring (substring s ofs len) ofs' len' = substring s (ofs + ofs') len'

  axiom concat_substring:
    forall s ofs len len'.
    0 <= ofs <= length s -> 0 <= len -> ofs + len <= length s ->
    0 <= len' -> 0 <= ofs + len + len' <= length s ->
    concat (substring s ofs len) (substring s (ofs+len) len') =
    substring s ofs (len + len')

  predicate prefixof string string
  (** `prefixof s1 s2` is `True` iff `s1` is a prefix of `s2`. *)

  axiom prefixof_substring: forall s1 s2.
    prefixof s1 s2 <-> s1 = substring s2 0 (length s1)

  axiom prefixof_concat: forall s1 s2.
    prefixof s1 (concat s1 s2)

  axiom prefixof_empty: forall s2.
    prefixof "" s2

  axiom prefixof_empty2: forall s1.
    s1 <> empty -> not (prefixof s1 "")

  predicate suffixof string string
  (** `suffixof s1 s2` is `True` iff `s1` is a suffix of `s2`. *)

  axiom suffixof_substring: forall s1 s2.
    suffixof s1 s2 <-> s1 = substring s2 (length s2 - length s1) (length s1)

  axiom suffixof_concat: forall s1 s2.
    suffixof s2 (concat s1 s2)

  axiom suffixof_empty: forall s2.
    suffixof "" s2

  axiom suffixof_empty2: forall s1.
    s1 <> empty -> not (suffixof s1 "")

  predicate contains string string
  (** `contains s1 s2` is `True` iff `s1` contains `s2`. *)

  axiom contains_prefixof: forall s1 s2.
    prefixof s1 s2 -> contains s2 s1

  axiom contains_suffixof: forall s1 s2.
    suffixof s1 s2 -> contains s2 s1

  axiom contains_empty: forall s2.
    contains "" s2 <-> s2 = empty

  axiom contains_empty2: forall s1.
    contains s1 ""

  axiom contains_substring: forall s1 s2 i.
    substring s1 i (length s2) = s2 -> contains s1 s2

  (*** The following should hold, but are not proved by SMT provers *)
  (*** axiom substring_contains: forall s1 s2.
    contains s1 s2 -> exists i. substring s1 i (length s2) = s2 *)

  axiom contains_concat: forall s1 s2.
    contains (concat s1 s2) s1 && contains (concat s1 s2) s2

  axiom contains_at: forall s1 s2 i.
    s_at s1 i = s2 -> contains s1 s2

  (*** The following should hold, but are not proved by SMT provers *)
  (*** axiom at_contains: forall s1 s2.
    contains s1 s2 && length s2 = 1 -> exists i. s_at s1 i = s2 *)

  function indexof string string int : int
  (** `indexof s1 s2 i` is:

      (1) the first occurence of `s2` in `s1` after `i`, if `0 <= i <=
          length s1` (note: the result is `i`, if `s2 = empty` and `0
          <= i <= length s1`);

      (2) `-1`, if `i < 0`, `i > length s1`, or `0 <= i <= length s1`
          and `s2` does not occur in `s1` after `i`.  *)

  axiom indexof_empty: forall s i.
    0 <= i <= length s -> indexof s "" i = i

  axiom indexof_empty1: forall s i.
    let j = indexof "" s i in
    j = -1 || (s = "" && i = j = 0)

  axiom indexof_contains: forall s1 s2.
    let j = indexof s1 s2 0 in
    contains s1 s2 ->
      0 <= j <= length s1 && substring s1 j (length s2) = s2

  axiom contains_indexof: forall s1 s2 i.
    indexof s1 s2 i >= 0 -> contains s1 s2

  axiom not_contains_indexof: forall s1 s2 i.
    not (contains s1 s2)  -> indexof s1 s2 i = -1

  axiom substring_indexof: forall s1 s2 i.
    let j = indexof s1 s2 i in
    j >= 0 -> substring s1 j (length s2) = s2

  axiom indexof_out_of_range: forall i s1 s2.
    not (0 <= i <= length s1) -> indexof s1 s2 i = -1

  axiom indexof_in_range: forall s1 s2 i.
    let j = indexof s1 s2 i in
    0 <= i <= length s1 -> j = -1 || i <= j <= length s1

  axiom indexof_contains_substring: forall s1 s2 i.
    0 <= i <= length s1 && contains (substring s1 i (length s1 - i)) s2 ->
      i <= indexof s1 s2 i <= length s1

  function replace string string string : string
  (** `replace s1 s2 s3` is:

      (1) `concat s3 s1`, if `s2 = empty`;

      (2) the string obtained by replacing the first occurrence of `s2`
          (if any) by `s3` in `s1`. *)

  axiom replace_empty: forall s1 s3.
    replace s1 "" s3 = concat s3 s1

  axiom replace_not_contains: forall s1 s2 s3.
    not (contains s1 s2) -> replace s1 s2 s3 = s1

  axiom replace_empty2: forall s2 s3.
    let s4 = replace empty s2 s3 in
    if s2 = empty then s4 = s3 else s4 = empty

  axiom replace_substring_indexof: forall s1 s2 s3.
    let j = indexof s1 s2 0 in
    replace s1 s2 s3 =
      if j < 0 then s1 else
        concat (concat (substring s1 0 j) s3)
               (substring s1 (j + length s2) (length s1 - j - length s2))

  (*** Not in SMT-LIB standard, but in CVC4 *)
  function replaceall string string string : string
  (** `replaceall s1 s2 s3` is:

      (1) `s1`, if `s2 = empty`;

      (2) the string obtained by replacing all occurences of `s2` by
          `s3` in `s1`. *)

  axiom replaceall_empty1: forall s1 s3.
    replaceall s1 "" s3 = s1

  axiom not_contains_replaceall: forall s1 s2 s3.
    not (contains s1 s2) -> replaceall s1 s2 s3 = s1

  function to_int string : int
  (** `to_int s` is:

      (1) an `int` consisting on the digits of `s`, if `s` contains
          exclusively ascii characters in the range 0x30 ... 0x39;

      (2) `-1`, if `s` contains a character that is not in the range
          0x30 ... 0x39. *)

  axiom to_int_gt_minus_1: forall s. to_int s >= -1

  axiom to_int_empty: to_int "" = -1

  (*** The following lemmas should hold, but CVC4 is not able to prove them *)
  (*** axiom to_int_only_digits: forall s.
        s <> empty &&
          (forall i. 0 <= i < length s -> le "0" (s_at s i) && le (s_at s i) "9")
            -> to_int s >= 0 *)

  (*** axiom to_int_lt_0: forall s i.
         0 <= i < length s && lt (s_at s i) "0"
             -> to_int s = -1 *)

  (*** In SMT-Lib now *)
  predicate is_digit (s:string) = 0 <= to_int s <= 9 && length s = 1
  (** `is_digit s` returns `True` iff `s` is of length `1` and
      corresponds to a decimal digit, that is, to a code point in the
      range 0x30 ... 0x39 *)

  function from_int int : string
  (** `from_int i` is:

      (1) the corresponding string in the decimal notation if `i >= 0`;

      (2) `empty`, if `i < 0`. *)

  axiom from_int_negative: forall i.
    i < 0 <-> from_int i = empty

  axiom from_int_to_int: forall i.
    if i >= 0 then to_int (from_int i) = i else to_int (from_int i) = -1

end

(** {2 Characters} *)

module Char

  use String
  use int.Int

  (** to be mapped into the OCaml char type. *)
  type char = abstract {
    contents: string;
  } invariant {
    length contents = 1
  }

  axiom char_eq: forall c1 c2.
    c1.contents = c2.contents -> c1 = c2

  function code char : int

  axiom code: forall c. 0 <= code c < 256

  function chr (n: int) : char

  axiom code_chr: forall n. 0 <= n < 256 -> code (chr n) = n

  axiom chr_code: forall c. chr (code c) = c

  function get (s: string) (i: int) : char

  axiom get: forall s i.
    0 <= i < length s -> (get s i).contents = s_at s i

  axiom substring_get:
    forall s ofs len i.
    0 <= ofs <= length s -> 0 <= len -> ofs + len <= length s -> 0 <= i < len ->
    get (substring s ofs len) i = get s (ofs + i)

  lemma concat_first: forall s1 s2.
    let s3 = concat s1 s2 in
    forall i. 0 <= i < length s1 ->
      get s3 i = get s1 i

  lemma concat_second: forall s1 s2.
    let s3 = concat s1 s2 in
    forall i. length s1 <= i < length s1 + length s2 ->
      get s3 i = get s2 (i - length s1)

  function ([]) (s: string) (i: int) : char = get s i

  predicate eq_string (s1 s2: string) = length s1 = length s2 &&
    (forall i. 0 <= i < length s1 -> get s1 i = get s2 i)

  axiom extensionality [@W:non_conservative_extension:N]:
    forall s1 s2. eq_string s1 s2 -> s1 = s2

  function make (size: int) (v: char) : string

  axiom make_length: forall size v. size >= 0 ->
    length (make size v) = size

  axiom make_contents: forall size v. size >= 0 ->
    (forall i. 0 <= i < size -> get (make size v) i = v)

end

(** {3 Programming API}

  The following program functions are mapped to OCaml's functions.
  See also module `io.StdIO`. *)

module OCaml

  use int.Int
  use mach.int.Int63
  use String
  use Char

  (* In OCaml max_string_length is 144_115_188_075_855_863 *)

  val eq_char (c1 c2: char) : bool
    ensures { result <-> c1 = c2 }

  val get (s: string) (i: int63) : char
    requires { 0 <= i < length s }
    ensures  { result = get s i }

  let ([]) (s: string) (i: int63) : char
    requires { 0 <= i < length s }
    ensures  { result = get s i }
  = get s i

  val code (c: char) : int63
    ensures { result = code c }

  val chr (n: int63) : char
    requires { 0 <= n < 256 }
    ensures  { result = chr n }

  val (=) (x y: string) : bool
    ensures { result <-> x = y }

  val partial length (s: string) : int63
    ensures { result = length s >= 0 }

  val sub (s: string) (start: int63) (len: int63) : string
    requires { 0 <= start <= length s }
    requires { 0 <= len <= length s - start }
    ensures  { result = substring s start len }

  val concat (s1 s2: string) : string
    ensures  { result = concat s1 s2 }

  val make (size: int63) (v: char) : string
    requires { 0 <= size }
    ensures  { result = make size v }

end

(** The following module is extracted to OCaml's Buffer *)

module StringBuffer

  use int.Int
  use mach.int.Int63
  use String
  use Char
  use OCaml

  type buffer = abstract {
    mutable str: string;
  }
  meta coercion function str

  val create (_: int63) : buffer
    ensures { result.str = "" }

  val length (b: buffer) : int63
    ensures { result = length b.str }

  val contents (b: buffer) : string
    ensures { result = b.str }

  val clear (b: buffer) : unit
    writes  { b }
    ensures { b.str = "" }

  val reset (b: buffer) : unit
    writes  { b }
    ensures { b.str = "" }

  val sub (b: buffer) (ofs len: int63) : string
    requires { 0 <= ofs /\ 0 <= len /\ ofs + len <= length b.str }
    ensures  { result = substring b.str ofs len }

  val add_char (b: buffer) (c: char) : unit
    writes   { b }
    ensures  { b.str = concat (old b.str) c.Char.contents }

  val add_string (b: buffer) (s: string) : unit
    writes   { b }
    ensures  { b.str = concat (old b.str) s }

  val truncate (b: buffer) (n: int63) : unit
    requires { 0 <= n <= length b.str }
    writes   { b }
    ensures  { b.str = substring (old b.str) 0 n }

end

(** {2 String realization}

This module is intended for string realization. It clones the `String`
module replacing axioms by goals.

*)

module StringRealization

  clone export String
    with goal .
  (** trick to remove axioms from the `String` theory. See file
     `examples/stdlib/stringCheck.mlw` *)

end

(** {2 Regular expressions} *)

module RegExpr

  use String as S

  type re
  (** type for regular expressions *)

  function to_re string : re
  (** string to regular expression injection *)

  predicate in_re string re
  (** regular expression membership *)

  function concat re re : re
  (** regular expressions concatenation, left associativity *)

  function union re re : re
  (** regular expressions union, left associativity *)

  function inter re re : re
  (** regular expressions intersection, left associativity *)

  function star re : re
  (** Kleene closure *)

  function plus re : re
  (** Kleene cross *)
  (*** forall re. plus re = concat re (star re) *)

  constant none : re
  (** the empty set of strings *)

  constant allchar : re
  (** the set of all strings of length 1 *)

  constant all : re = star allchar
  (** the set of all strings *)

  function opt re : re
  (** regular expression option *)
  (*** forall re. opt re = union re (to_re "") *)

  function range string string : re
  (** `range s1 s2` is the set of singleton strings such that all
  element `s` of `range s1 s2` satisfies the condition `Str.<= s1 s`
  and `Str.<= s s2`. *)

  function power int re : re
  (** `power n r` is the `n`th power of `r`; `n` must be an
      integer literal. *)
  (*** power 0 e = to_re ""
     power n e = concat e (power (n-1) e) *)

  function loop int int re : re
  (** `loop n1 n2 r = if n1 > ne then none else
                    if n1 = n2 then power n1 r else
                    union (power n1 e) (loop (n1+1) n2 e)` *)
  (*** `n1` and `n2` must be literals. *)

end
why3-1.6.0/stdlib/tptp.mlw000066400000000000000000000075551440160026300154110ustar00rootroot00000000000000module Univ
  type iType
end

module Ghost
  type gh 'a

  constant gh : gh 'a
end

module Int
  use export int.Int
end

module IntTrunc
  function floor (x : int) : int = x
  function ceiling (x : int) : int = x
  function truncate (x : int) : int = x
  function round (x : int) : int = x

  function to_int (x : int) : int = x

  predicate is_int int = true
  predicate is_rat int = true
end

module IntDivE
  use export int.EuclideanDivision
end

module IntDivT
  (* TODO: divide and truncate *)
  function div_t (x y : int) : int
  function mod_t (x y : int) : int
end

module IntDivF
  (* TODO: divide and floor *)
  function div_f (x y : int) : int
  function mod_f (x y : int) : int
end

module Rat
  use int.Int as Int

  type rat

  predicate (< ) (x y : rat)
  predicate (> ) (x y : rat) = y < x
  predicate (<=) (x y : rat) = x < y \/ x = y
  predicate (>=) (x y : rat) = y <= x

  clone export algebra.OrderedField
    with type t = rat, predicate (<=) = (<=)

  function frac (n d : int) : rat

  function numerator rat : int
  function denominator rat : int

  axiom inversion : forall r : rat. r = frac (numerator r) (denominator r)
  axiom dpositive : forall r : rat. Int.(>) (denominator r) 0

  axiom frac_zero : forall d : int. d <> 0 -> frac 0 d = zero
  axiom frac_unit : forall d : int. d <> 0 -> frac d d = one

  axiom nume_zero : numerator zero = 0
  axiom deno_zero : denominator zero = 1

  axiom nume_unit : numerator one = 1
  axiom deno_unit : denominator one = 1

  axiom proportion : forall n1 n2 d1 d2 : int. d1 <> 0 -> d2 <> 0 ->
    (frac n1 d1 = frac n2 d2 <-> Int.(*) n1 d2 = Int.(*) n2 d1)

  function to_rat (x : rat) : rat = x

  predicate is_int (r : rat) = denominator r = 1
  predicate is_rat rat = true
end

module RatTrunc
  use Rat

  (* TODO: axiomatize *)
  function floor (x : rat) : rat
  function ceiling (x : rat) : rat
  function truncate (x : rat) : rat
  function round (x : rat) : rat

  function to_int (x : rat) : int = numerator (floor x)
end

module RatDivE
  use Rat

  (* TODO: euclidean division *)
  function div (x y : rat) : rat
  function mod (x y : rat) : rat
end

module RatDivT
  use Rat

  (* TODO: divide and truncate *)
  function div_t (x y : rat) : rat
  function mod_t (x y : rat) : rat
end

module RatDivF
  use Rat

  (* TODO: divide and floor *)
  function div_f (x y : rat) : rat
  function mod_f (x y : rat) : rat
end

module Real
  use export real.Real
  function to_real (x : real) : real = x
end

module RealTrunc
  use Real
  use real.FromInt as FromInt
  use real.Truncate as Truncate

  function floor (x : real) : real = FromInt.from_int (Truncate.floor x)
  function ceiling (x : real) : real = FromInt.from_int (Truncate.ceil x)
  function truncate (x : real) : real = FromInt.from_int (Truncate.truncate x)

  (* TODO : axiomatize *)
  function round (x : real) : real

  function to_int (x : real) : int = Truncate.floor x

  predicate is_int (r : real) = r = FromInt.from_int (Truncate.truncate r)
  predicate is_rat (r : real) =
    exists n d : int. d <> 0 /\ r * FromInt.from_int d = FromInt.from_int n
end

module RealDivE
  (* TODO: euclidean division *)
  function div (x y : real) : real
  function mod (x y : real) : real
end

module RealDivT
  (* TODO: divide and truncate *)
  function div_t (x y : real) : real
  function mod_t (x y : real) : real
end

module RealDivF
  (* TODO: divide and floor *)
  function div_f (x y : real) : real
  function mod_f (x y : real) : real
end

module IntToRat
  use Rat

  function to_rat (x : int) : rat = frac x 1
end

module IntToReal
  use real.FromInt as FromInt

  function to_real (x : int) : real = FromInt.from_int x
end

module RealToRat
  use Rat

  (* TODO: axiomatize *)
  function to_rat (x : real) : rat
end

module RatToReal
  use Rat
  use real.Real
  use real.FromInt as FromInt

  function to_real (x : rat) : real =
    FromInt.from_int (numerator x) / FromInt.from_int (denominator x)
end
why3-1.6.0/stdlib/tree.mlw000066400000000000000000000022351440160026300153470ustar00rootroot00000000000000
(** {1 Polymorphic n-ary trees} *)

(** {2 Basic theory with polymorphic lists of children} *)

module Tree

  use list.List

  type forest 'a = list (tree 'a)
  with tree 'a   = Node 'a (forest 'a)

end

(** {2 Tree size} *)

module Size

  use Tree
  use list.List
  use int.Int

  let rec function size_forest (f: forest 'a) : int
    ensures { result >= 0 }
  = match f with
    | Nil      -> 0
    | Cons t f -> size_tree t + size_forest f
    end
  with function size_tree (t: tree 'a) : int
    ensures { result > 0 }
  = match t with
    | Node _ f -> 1 + size_forest f
    end

end

(** {2 Forests} *)

module Forest

  use int.Int

  type forest 'a =
    | E
    | N 'a (forest 'a) (forest 'a)

end

(** {2 Forest size} *)

module SizeForest

  use Forest
  use int.Int

  let rec function size_forest (f: forest 'a) : int
    ensures { result >= 0 }
  = match f with
    | E -> 0
    | N _ f1 f2 -> 1 + size_forest f1 + size_forest f2
    end

end

(** {2 Membership in a forest} *)

module MemForest

  use Forest

  predicate mem_forest (n: 'a) (f: forest 'a) = match f with
    | E -> false
    | N i f1 f2 -> i = n || mem_forest n f1 || mem_forest n f2
    end

endwhy3-1.6.0/stdlib/witness.mlw000066400000000000000000000034241440160026300161050ustar00rootroot00000000000000
(** {1 Witnesses of existential proofs} *)

(** {2 Non-constructive existence of a witness} *)

module Witness

  val ghost function witness (p: 'a -> bool) : 'a
    requires { exists x. p x }
    ensures  { p result }

end

(** {2 Constructive existence of a witness}

    Given a predicate `p` over integers and the existence of
    a nonnegative integer `n` such that `p n`, one can build
    a witness using a linear search starting from 0.

    The difficulty here is to prove termination. We use a custom
    variant predicate and we prove the accessibility of all
    integers for which there exists a witnes above.

    This proof is adapted from Coq's standard library
    (file ConstructiveEpsilon.v contributed by Yevgeniy Makarov
    and Jean-François Monin).
*)

module Nat

  use int.Int
  use relations.WellFounded

  (** since a custom variant relation has to be a toplevel predicate symbol,
      we store the predicate `p` inside the variant expression *)
  predicate r (x y: ((int->bool),int)) =
    let p, x = x in
    let q, y = y in
    p = q && x = y+1 > 0 && not (p y)

  let function witness (p: int -> bool) : int
    requires { exists n. n >= 0 /\ p n }
    ensures  { result >= 0 /\ p result }
  = let lemma l1 (x: int)
      requires { x >= 0 /\ p x } ensures { acc r (p,x) }
      = let lemma l11 (y: (int->bool,int))
          requires { r y (p,x) } ensures { acc r y } = () in
      () in
    let rec lemma l2 (x n: int) variant { n }
      requires { x >= 0 /\ n >= 0 /\ p (x + n) }
      ensures  { acc r (p,x) }
      = if n > 0 then l2 (x+1) (n-1) in
    let rec search (n: int) : int
      requires { n >= 0 /\ exists x. x >= n && p x }
      variant  { (p,n) with r }
      ensures  { result >= 0 /\ p result }
      = if p n then n else search (n+1) in
    search 0

end
why3-1.6.0/configure0000755000000000000000000065167114401600263014331 0ustar00rootroot00000000000000#! /bin/sh
# Guess values for system-dependent variables and create Makefiles.
# Generated by GNU Autoconf 2.71 for Why3 1.6.0.
#
#
# Copyright (C) 1992-1996, 1998-2017, 2020-2021 Free Software Foundation,
# Inc.
#
#
# This configure script is free software; the Free Software Foundation
# gives unlimited permission to copy, distribute and modify it.
## -------------------- ##
## M4sh Initialization. ##
## -------------------- ##

# Be more Bourne compatible
DUALCASE=1; export DUALCASE # for MKS sh
as_nop=:
if test ${ZSH_VERSION+y} && (emulate sh) >/dev/null 2>&1
then :
  emulate sh
  NULLCMD=:
  # Pre-4.2 versions of Zsh do word splitting on ${1+"$@"}, which
  # is contrary to our usage.  Disable this feature.
  alias -g '${1+"$@"}'='"$@"'
  setopt NO_GLOB_SUBST
else $as_nop
  case `(set -o) 2>/dev/null` in #(
  *posix*) :
    set -o posix ;; #(
  *) :
     ;;
esac
fi



# Reset variables that may have inherited troublesome values from
# the environment.

# IFS needs to be set, to space, tab, and newline, in precisely that order.
# (If _AS_PATH_WALK were called with IFS unset, it would have the
# side effect of setting IFS to empty, thus disabling word splitting.)
# Quoting is to prevent editors from complaining about space-tab.
as_nl='
'
export as_nl
IFS=" ""	$as_nl"

PS1='$ '
PS2='> '
PS4='+ '

# Ensure predictable behavior from utilities with locale-dependent output.
LC_ALL=C
export LC_ALL
LANGUAGE=C
export LANGUAGE

# We cannot yet rely on "unset" to work, but we need these variables
# to be unset--not just set to an empty or harmless value--now, to
# avoid bugs in old shells (e.g. pre-3.0 UWIN ksh).  This construct
# also avoids known problems related to "unset" and subshell syntax
# in other old shells (e.g. bash 2.01 and pdksh 5.2.14).
for as_var in BASH_ENV ENV MAIL MAILPATH CDPATH
do eval test \${$as_var+y} \
  && ( (unset $as_var) || exit 1) >/dev/null 2>&1 && unset $as_var || :
done

# Ensure that fds 0, 1, and 2 are open.
if (exec 3>&0) 2>/dev/null; then :; else exec 0&1) 2>/dev/null; then :; else exec 1>/dev/null; fi
if (exec 3>&2)            ; then :; else exec 2>/dev/null; fi

# The user is always right.
if ${PATH_SEPARATOR+false} :; then
  PATH_SEPARATOR=:
  (PATH='/bin;/bin'; FPATH=$PATH; sh -c :) >/dev/null 2>&1 && {
    (PATH='/bin:/bin'; FPATH=$PATH; sh -c :) >/dev/null 2>&1 ||
      PATH_SEPARATOR=';'
  }
fi


# Find who we are.  Look in the path if we contain no directory separator.
as_myself=
case $0 in #((
  *[\\/]* ) as_myself=$0 ;;
  *) as_save_IFS=$IFS; IFS=$PATH_SEPARATOR
for as_dir in $PATH
do
  IFS=$as_save_IFS
  case $as_dir in #(((
    '') as_dir=./ ;;
    */) ;;
    *) as_dir=$as_dir/ ;;
  esac
    test -r "$as_dir$0" && as_myself=$as_dir$0 && break
  done
IFS=$as_save_IFS

     ;;
esac
# We did not find ourselves, most probably we were run as `sh COMMAND'
# in which case we are not to be found in the path.
if test "x$as_myself" = x; then
  as_myself=$0
fi
if test ! -f "$as_myself"; then
  printf "%s\n" "$as_myself: error: cannot find myself; rerun with an absolute file name" >&2
  exit 1
fi


# Use a proper internal environment variable to ensure we don't fall
  # into an infinite loop, continuously re-executing ourselves.
  if test x"${_as_can_reexec}" != xno && test "x$CONFIG_SHELL" != x; then
    _as_can_reexec=no; export _as_can_reexec;
    # We cannot yet assume a decent shell, so we have to provide a
# neutralization value for shells without unset; and this also
# works around shells that cannot unset nonexistent variables.
# Preserve -v and -x to the replacement shell.
BASH_ENV=/dev/null
ENV=/dev/null
(unset BASH_ENV) >/dev/null 2>&1 && unset BASH_ENV ENV
case $- in # ((((
  *v*x* | *x*v* ) as_opts=-vx ;;
  *v* ) as_opts=-v ;;
  *x* ) as_opts=-x ;;
  * ) as_opts= ;;
esac
exec $CONFIG_SHELL $as_opts "$as_myself" ${1+"$@"}
# Admittedly, this is quite paranoid, since all the known shells bail
# out after a failed `exec'.
printf "%s\n" "$0: could not re-execute with $CONFIG_SHELL" >&2
exit 255
  fi
  # We don't want this to propagate to other subprocesses.
          { _as_can_reexec=; unset _as_can_reexec;}
if test "x$CONFIG_SHELL" = x; then
  as_bourne_compatible="as_nop=:
if test \${ZSH_VERSION+y} && (emulate sh) >/dev/null 2>&1
then :
  emulate sh
  NULLCMD=:
  # Pre-4.2 versions of Zsh do word splitting on \${1+\"\$@\"}, which
  # is contrary to our usage.  Disable this feature.
  alias -g '\${1+\"\$@\"}'='\"\$@\"'
  setopt NO_GLOB_SUBST
else \$as_nop
  case \`(set -o) 2>/dev/null\` in #(
  *posix*) :
    set -o posix ;; #(
  *) :
     ;;
esac
fi
"
  as_required="as_fn_return () { (exit \$1); }
as_fn_success () { as_fn_return 0; }
as_fn_failure () { as_fn_return 1; }
as_fn_ret_success () { return 0; }
as_fn_ret_failure () { return 1; }

exitcode=0
as_fn_success || { exitcode=1; echo as_fn_success failed.; }
as_fn_failure && { exitcode=1; echo as_fn_failure succeeded.; }
as_fn_ret_success || { exitcode=1; echo as_fn_ret_success failed.; }
as_fn_ret_failure && { exitcode=1; echo as_fn_ret_failure succeeded.; }
if ( set x; as_fn_ret_success y && test x = \"\$1\" )
then :

else \$as_nop
  exitcode=1; echo positional parameters were not saved.
fi
test x\$exitcode = x0 || exit 1
blah=\$(echo \$(echo blah))
test x\"\$blah\" = xblah || exit 1
test -x / || exit 1"
  as_suggested="  as_lineno_1=";as_suggested=$as_suggested$LINENO;as_suggested=$as_suggested" as_lineno_1a=\$LINENO
  as_lineno_2=";as_suggested=$as_suggested$LINENO;as_suggested=$as_suggested" as_lineno_2a=\$LINENO
  eval 'test \"x\$as_lineno_1'\$as_run'\" != \"x\$as_lineno_2'\$as_run'\" &&
  test \"x\`expr \$as_lineno_1'\$as_run' + 1\`\" = \"x\$as_lineno_2'\$as_run'\"' || exit 1"
  if (eval "$as_required") 2>/dev/null
then :
  as_have_required=yes
else $as_nop
  as_have_required=no
fi
  if test x$as_have_required = xyes && (eval "$as_suggested") 2>/dev/null
then :

else $as_nop
  as_save_IFS=$IFS; IFS=$PATH_SEPARATOR
as_found=false
for as_dir in /bin$PATH_SEPARATOR/usr/bin$PATH_SEPARATOR$PATH
do
  IFS=$as_save_IFS
  case $as_dir in #(((
    '') as_dir=./ ;;
    */) ;;
    *) as_dir=$as_dir/ ;;
  esac
  as_found=:
  case $as_dir in #(
	 /*)
	   for as_base in sh bash ksh sh5; do
	     # Try only shells that exist, to save several forks.
	     as_shell=$as_dir$as_base
	     if { test -f "$as_shell" || test -f "$as_shell.exe"; } &&
		    as_run=a "$as_shell" -c "$as_bourne_compatible""$as_required" 2>/dev/null
then :
  CONFIG_SHELL=$as_shell as_have_required=yes
		   if as_run=a "$as_shell" -c "$as_bourne_compatible""$as_suggested" 2>/dev/null
then :
  break 2
fi
fi
	   done;;
       esac
  as_found=false
done
IFS=$as_save_IFS
if $as_found
then :

else $as_nop
  if { test -f "$SHELL" || test -f "$SHELL.exe"; } &&
	      as_run=a "$SHELL" -c "$as_bourne_compatible""$as_required" 2>/dev/null
then :
  CONFIG_SHELL=$SHELL as_have_required=yes
fi
fi


      if test "x$CONFIG_SHELL" != x
then :
  export CONFIG_SHELL
             # We cannot yet assume a decent shell, so we have to provide a
# neutralization value for shells without unset; and this also
# works around shells that cannot unset nonexistent variables.
# Preserve -v and -x to the replacement shell.
BASH_ENV=/dev/null
ENV=/dev/null
(unset BASH_ENV) >/dev/null 2>&1 && unset BASH_ENV ENV
case $- in # ((((
  *v*x* | *x*v* ) as_opts=-vx ;;
  *v* ) as_opts=-v ;;
  *x* ) as_opts=-x ;;
  * ) as_opts= ;;
esac
exec $CONFIG_SHELL $as_opts "$as_myself" ${1+"$@"}
# Admittedly, this is quite paranoid, since all the known shells bail
# out after a failed `exec'.
printf "%s\n" "$0: could not re-execute with $CONFIG_SHELL" >&2
exit 255
fi

    if test x$as_have_required = xno
then :
  printf "%s\n" "$0: This script requires a shell more modern than all"
  printf "%s\n" "$0: the shells that I found on your system."
  if test ${ZSH_VERSION+y} ; then
    printf "%s\n" "$0: In particular, zsh $ZSH_VERSION has bugs and should"
    printf "%s\n" "$0: be upgraded to zsh 4.3.4 or later."
  else
    printf "%s\n" "$0: Please tell bug-autoconf@gnu.org about your system,
$0: including any error possibly output before this
$0: message. Then install a modern shell, or manually run
$0: the script under such a shell if you do have one."
  fi
  exit 1
fi
fi
fi
SHELL=${CONFIG_SHELL-/bin/sh}
export SHELL
# Unset more variables known to interfere with behavior of common tools.
CLICOLOR_FORCE= GREP_OPTIONS=
unset CLICOLOR_FORCE GREP_OPTIONS

## --------------------- ##
## M4sh Shell Functions. ##
## --------------------- ##
# as_fn_unset VAR
# ---------------
# Portably unset VAR.
as_fn_unset ()
{
  { eval $1=; unset $1;}
}
as_unset=as_fn_unset


# as_fn_set_status STATUS
# -----------------------
# Set $? to STATUS, without forking.
as_fn_set_status ()
{
  return $1
} # as_fn_set_status

# as_fn_exit STATUS
# -----------------
# Exit the shell with STATUS, even in a "trap 0" or "set -e" context.
as_fn_exit ()
{
  set +e
  as_fn_set_status $1
  exit $1
} # as_fn_exit
# as_fn_nop
# ---------
# Do nothing but, unlike ":", preserve the value of $?.
as_fn_nop ()
{
  return $?
}
as_nop=as_fn_nop

# as_fn_mkdir_p
# -------------
# Create "$as_dir" as a directory, including parents if necessary.
as_fn_mkdir_p ()
{

  case $as_dir in #(
  -*) as_dir=./$as_dir;;
  esac
  test -d "$as_dir" || eval $as_mkdir_p || {
    as_dirs=
    while :; do
      case $as_dir in #(
      *\'*) as_qdir=`printf "%s\n" "$as_dir" | sed "s/'/'\\\\\\\\''/g"`;; #'(
      *) as_qdir=$as_dir;;
      esac
      as_dirs="'$as_qdir' $as_dirs"
      as_dir=`$as_dirname -- "$as_dir" ||
$as_expr X"$as_dir" : 'X\(.*[^/]\)//*[^/][^/]*/*$' \| \
	 X"$as_dir" : 'X\(//\)[^/]' \| \
	 X"$as_dir" : 'X\(//\)$' \| \
	 X"$as_dir" : 'X\(/\)' \| . 2>/dev/null ||
printf "%s\n" X"$as_dir" |
    sed '/^X\(.*[^/]\)\/\/*[^/][^/]*\/*$/{
	    s//\1/
	    q
	  }
	  /^X\(\/\/\)[^/].*/{
	    s//\1/
	    q
	  }
	  /^X\(\/\/\)$/{
	    s//\1/
	    q
	  }
	  /^X\(\/\).*/{
	    s//\1/
	    q
	  }
	  s/.*/./; q'`
      test -d "$as_dir" && break
    done
    test -z "$as_dirs" || eval "mkdir $as_dirs"
  } || test -d "$as_dir" || as_fn_error $? "cannot create directory $as_dir"


} # as_fn_mkdir_p

# as_fn_executable_p FILE
# -----------------------
# Test if FILE is an executable regular file.
as_fn_executable_p ()
{
  test -f "$1" && test -x "$1"
} # as_fn_executable_p
# as_fn_append VAR VALUE
# ----------------------
# Append the text in VALUE to the end of the definition contained in VAR. Take
# advantage of any shell optimizations that allow amortized linear growth over
# repeated appends, instead of the typical quadratic growth present in naive
# implementations.
if (eval "as_var=1; as_var+=2; test x\$as_var = x12") 2>/dev/null
then :
  eval 'as_fn_append ()
  {
    eval $1+=\$2
  }'
else $as_nop
  as_fn_append ()
  {
    eval $1=\$$1\$2
  }
fi # as_fn_append

# as_fn_arith ARG...
# ------------------
# Perform arithmetic evaluation on the ARGs, and store the result in the
# global $as_val. Take advantage of shells that can avoid forks. The arguments
# must be portable across $(()) and expr.
if (eval "test \$(( 1 + 1 )) = 2") 2>/dev/null
then :
  eval 'as_fn_arith ()
  {
    as_val=$(( $* ))
  }'
else $as_nop
  as_fn_arith ()
  {
    as_val=`expr "$@" || test $? -eq 1`
  }
fi # as_fn_arith

# as_fn_nop
# ---------
# Do nothing but, unlike ":", preserve the value of $?.
as_fn_nop ()
{
  return $?
}
as_nop=as_fn_nop

# as_fn_error STATUS ERROR [LINENO LOG_FD]
# ----------------------------------------
# Output "`basename $0`: error: ERROR" to stderr. If LINENO and LOG_FD are
# provided, also output the error to LOG_FD, referencing LINENO. Then exit the
# script with STATUS, using 1 if that was 0.
as_fn_error ()
{
  as_status=$1; test $as_status -eq 0 && as_status=1
  if test "$4"; then
    as_lineno=${as_lineno-"$3"} as_lineno_stack=as_lineno_stack=$as_lineno_stack
    printf "%s\n" "$as_me:${as_lineno-$LINENO}: error: $2" >&$4
  fi
  printf "%s\n" "$as_me: error: $2" >&2
  as_fn_exit $as_status
} # as_fn_error

if expr a : '\(a\)' >/dev/null 2>&1 &&
   test "X`expr 00001 : '.*\(...\)'`" = X001; then
  as_expr=expr
else
  as_expr=false
fi

if (basename -- /) >/dev/null 2>&1 && test "X`basename -- / 2>&1`" = "X/"; then
  as_basename=basename
else
  as_basename=false
fi

if (as_dir=`dirname -- /` && test "X$as_dir" = X/) >/dev/null 2>&1; then
  as_dirname=dirname
else
  as_dirname=false
fi

as_me=`$as_basename -- "$0" ||
$as_expr X/"$0" : '.*/\([^/][^/]*\)/*$' \| \
	 X"$0" : 'X\(//\)$' \| \
	 X"$0" : 'X\(/\)' \| . 2>/dev/null ||
printf "%s\n" X/"$0" |
    sed '/^.*\/\([^/][^/]*\)\/*$/{
	    s//\1/
	    q
	  }
	  /^X\/\(\/\/\)$/{
	    s//\1/
	    q
	  }
	  /^X\/\(\/\).*/{
	    s//\1/
	    q
	  }
	  s/.*/./; q'`

# Avoid depending upon Character Ranges.
as_cr_letters='abcdefghijklmnopqrstuvwxyz'
as_cr_LETTERS='ABCDEFGHIJKLMNOPQRSTUVWXYZ'
as_cr_Letters=$as_cr_letters$as_cr_LETTERS
as_cr_digits='0123456789'
as_cr_alnum=$as_cr_Letters$as_cr_digits


  as_lineno_1=$LINENO as_lineno_1a=$LINENO
  as_lineno_2=$LINENO as_lineno_2a=$LINENO
  eval 'test "x$as_lineno_1'$as_run'" != "x$as_lineno_2'$as_run'" &&
  test "x`expr $as_lineno_1'$as_run' + 1`" = "x$as_lineno_2'$as_run'"' || {
  # Blame Lee E. McMahon (1931-1989) for sed's syntax.  :-)
  sed -n '
    p
    /[$]LINENO/=
  ' <$as_myself |
    sed '
      s/[$]LINENO.*/&-/
      t lineno
      b
      :lineno
      N
      :loop
      s/[$]LINENO\([^'$as_cr_alnum'_].*\n\)\(.*\)/\2\1\2/
      t loop
      s/-\n.*//
    ' >$as_me.lineno &&
  chmod +x "$as_me.lineno" ||
    { printf "%s\n" "$as_me: error: cannot create $as_me.lineno; rerun with a POSIX shell" >&2; as_fn_exit 1; }

  # If we had to re-execute with $CONFIG_SHELL, we're ensured to have
  # already done that, so ensure we don't try to do so again and fall
  # in an infinite loop.  This has already happened in practice.
  _as_can_reexec=no; export _as_can_reexec
  # Don't try to exec as it changes $[0], causing all sort of problems
  # (the dirname of $[0] is not the place where we might find the
  # original and so on.  Autoconf is especially sensitive to this).
  . "./$as_me.lineno"
  # Exit status is that of the last command.
  exit
}


# Determine whether it's possible to make 'echo' print without a newline.
# These variables are no longer used directly by Autoconf, but are AC_SUBSTed
# for compatibility with existing Makefiles.
ECHO_C= ECHO_N= ECHO_T=
case `echo -n x` in #(((((
-n*)
  case `echo 'xy\c'` in
  *c*) ECHO_T='	';;	# ECHO_T is single tab character.
  xy)  ECHO_C='\c';;
  *)   echo `echo ksh88 bug on AIX 6.1` > /dev/null
       ECHO_T='	';;
  esac;;
*)
  ECHO_N='-n';;
esac

# For backward compatibility with old third-party macros, we provide
# the shell variables $as_echo and $as_echo_n.  New code should use
# AS_ECHO(["message"]) and AS_ECHO_N(["message"]), respectively.
as_echo='printf %s\n'
as_echo_n='printf %s'


rm -f conf$$ conf$$.exe conf$$.file
if test -d conf$$.dir; then
  rm -f conf$$.dir/conf$$.file
else
  rm -f conf$$.dir
  mkdir conf$$.dir 2>/dev/null
fi
if (echo >conf$$.file) 2>/dev/null; then
  if ln -s conf$$.file conf$$ 2>/dev/null; then
    as_ln_s='ln -s'
    # ... but there are two gotchas:
    # 1) On MSYS, both `ln -s file dir' and `ln file dir' fail.
    # 2) DJGPP < 2.04 has no symlinks; `ln -s' creates a wrapper executable.
    # In both cases, we have to default to `cp -pR'.
    ln -s conf$$.file conf$$.dir 2>/dev/null && test ! -f conf$$.exe ||
      as_ln_s='cp -pR'
  elif ln conf$$.file conf$$ 2>/dev/null; then
    as_ln_s=ln
  else
    as_ln_s='cp -pR'
  fi
else
  as_ln_s='cp -pR'
fi
rm -f conf$$ conf$$.exe conf$$.dir/conf$$.file conf$$.file
rmdir conf$$.dir 2>/dev/null

if mkdir -p . 2>/dev/null; then
  as_mkdir_p='mkdir -p "$as_dir"'
else
  test -d ./-p && rmdir ./-p
  as_mkdir_p=false
fi

as_test_x='test -x'
as_executable_p=as_fn_executable_p

# Sed expression to map a string onto a valid CPP name.
as_tr_cpp="eval sed 'y%*$as_cr_letters%P$as_cr_LETTERS%;s%[^_$as_cr_alnum]%_%g'"

# Sed expression to map a string onto a valid variable name.
as_tr_sh="eval sed 'y%*+%pp%;s%[^_$as_cr_alnum]%_%g'"

as_awk_strverscmp='
  # Use only awk features that work with 7th edition Unix awk (1978).
  # My, what an old awk you have, Mr. Solaris!
  END {
    while (length(v1) && length(v2)) {
      # Set d1 to be the next thing to compare from v1, and likewise for d2.
      # Normally this is a single character, but if v1 and v2 contain digits,
      # compare them as integers and fractions as strverscmp does.
      if (v1 ~ /^[0-9]/ && v2 ~ /^[0-9]/) {
	# Split v1 and v2 into their leading digit string components d1 and d2,
	# and advance v1 and v2 past the leading digit strings.
	for (len1 = 1; substr(v1, len1 + 1) ~ /^[0-9]/; len1++) continue
	for (len2 = 1; substr(v2, len2 + 1) ~ /^[0-9]/; len2++) continue
	d1 = substr(v1, 1, len1); v1 = substr(v1, len1 + 1)
	d2 = substr(v2, 1, len2); v2 = substr(v2, len2 + 1)
	if (d1 ~ /^0/) {
	  if (d2 ~ /^0/) {
	    # Compare two fractions.
	    while (d1 ~ /^0/ && d2 ~ /^0/) {
	      d1 = substr(d1, 2); len1--
	      d2 = substr(d2, 2); len2--
	    }
	    if (len1 != len2 && ! (len1 && len2 && substr(d1, 1, 1) == substr(d2, 1, 1))) {
	      # The two components differ in length, and the common prefix
	      # contains only leading zeros.  Consider the longer to be less.
	      d1 = -len1
	      d2 = -len2
	    } else {
	      # Otherwise, compare as strings.
	      d1 = "x" d1
	      d2 = "x" d2
	    }
	  } else {
	    # A fraction is less than an integer.
	    exit 1
	  }
	} else {
	  if (d2 ~ /^0/) {
	    # An integer is greater than a fraction.
	    exit 2
	  } else {
	    # Compare two integers.
	    d1 += 0
	    d2 += 0
	  }
	}
      } else {
	# The normal case, without worrying about digits.
	d1 = substr(v1, 1, 1); v1 = substr(v1, 2)
	d2 = substr(v2, 1, 1); v2 = substr(v2, 2)
      }
      if (d1 < d2) exit 1
      if (d1 > d2) exit 2
    }
    # Beware Solaris /usr/xgp4/bin/awk (at least through Solaris 10),
    # which mishandles some comparisons of empty strings to integers.
    if (length(v2)) exit 1
    if (length(v1)) exit 2
  }
'

test -n "$DJDIR" || exec 7<&0 &1

# Name of the host.
# hostname on some systems (SVR3.2, old GNU/Linux) returns a bogus exit status,
# so uname gets run too.
ac_hostname=`(hostname || uname -n) 2>/dev/null | sed 1q`

#
# Initializations.
#
ac_default_prefix=/usr/local
ac_clean_files=
ac_config_libobj_dir=.
LIBOBJS=
cross_compiling=no
subdirs=
MFLAGS=
MAKEFLAGS=

# Identity of this package.
PACKAGE_NAME='Why3'
PACKAGE_TARNAME='why3'
PACKAGE_VERSION='1.6.0'
PACKAGE_STRING='Why3 1.6.0'
PACKAGE_BUGREPORT=''
PACKAGE_URL=''

ac_subst_vars='LTLIBOBJS
LIBOBJS
enable_relocation
WHY3INCLUDE
WHY3LIB
enable_why3_lib
LOCALDIR
enable_local
FRAMAC_INCLUDE
FRAMAC_LIBDIR
FRAMAC_SHARE
FRAMAC_VERSION
enable_frama_c
enable_emacs_compilation
enable_pdf_doc
enable_doc
enable_stackify
enable_hypothesis_selection
ISABELLEVERSION
enable_isabelle_libs
PVSVERSION
enable_pvs_libs
COQVERSION
COQLIB
coq_compat_version
enable_coq_fp_libs
enable_coq_libs
RELIB
REINCLUDE
enable_re
MENHIRINCLUDE
ZIPLIB
ZIPINCLUDE
enable_zip
INFERPKG
INFERLIB
INFERINCLUDE
enable_bddinfer
enable_infer
BIGINTPKG
BIGINTLIB
BIGINTINCLUDE
enable_zarith
old_mpfr
enable_mpfr
MLMPFR
NUMINCLUDE
SEXPLIBPPX
SEXPLIB
enable_pp_sexp
enable_ppx
META_OCAMLGRAPH
JSOFOCAMLPKG
enable_js_of_ocaml
enable_web_ide
GTKVERSION
LABLGTKPKG
enable_ide
STATMEMPROFPKG
enable_statmemprof
enable_ocamlfind
OCAMLGRAPHLIB
OCAMLINSTALLLIB
OCAMLLIB
OCAMLVERSION
OCAMLBEST
STRIP
EXE
enable_verbose_make
VERSION
FRAMAC
ISABELLE
PVS
COQDEP
COQC
menhirlib_cmo
EMACS
LATEX
SPHINX
OCAMLFIND
MENHIR
OCAMLDOCOPT
OCAMLDOC
OCAMLYACC
OCAMLLEXDOTOPT
OCAMLLEX
OCAMLDEPDOTOPT
OCAMLDEP
OCAMLOPTDOTOPT
OCAMLCDOTOPT
OCAMLOPT
OCAMLC
INSTALL_DATA
INSTALL_SCRIPT
INSTALL_PROGRAM
MKDIR_P
OBJEXT
EXEEXT
ac_ct_CC
CPPFLAGS
LDFLAGS
CFLAGS
CC
EDITOR
target_alias
host_alias
build_alias
LIBS
ECHO_T
ECHO_N
ECHO_C
DEFS
mandir
localedir
libdir
psdir
pdfdir
dvidir
htmldir
infodir
docdir
oldincludedir
includedir
runstatedir
localstatedir
sharedstatedir
sysconfdir
datadir
datarootdir
libexecdir
sbindir
bindir
program_transform_name
prefix
exec_prefix
PACKAGE_URL
PACKAGE_BUGREPORT
PACKAGE_STRING
PACKAGE_VERSION
PACKAGE_TARNAME
PACKAGE_NAME
PATH_SEPARATOR
SHELL'
ac_subst_files=''
ac_user_opts='
enable_option_checking
enable_verbose_make
enable_local
enable_relocation
enable_native_code
enable_why3_lib
enable_zarith
enable_ocamlfind
enable_zip
enable_infer
enable_bddinfer
enable_js_of_ocaml
enable_re
enable_pp_sexp
enable_ide
enable_web_ide
enable_coq_libs
enable_pvs_libs
enable_isabelle_libs
enable_mpfr
enable_hypothesis_selection
enable_stackify
enable_doc
enable_html_pdf
enable_frama_c
enable_statmemprof
enable_emacs_compilation
'
      ac_precious_vars='build_alias
host_alias
target_alias
EDITOR
CC
CFLAGS
LDFLAGS
LIBS
CPPFLAGS'


# Initialize some variables set by options.
ac_init_help=
ac_init_version=false
ac_unrecognized_opts=
ac_unrecognized_sep=
# The variables have the same names as the options, with
# dashes changed to underlines.
cache_file=/dev/null
exec_prefix=NONE
no_create=
no_recursion=
prefix=NONE
program_prefix=NONE
program_suffix=NONE
program_transform_name=s,x,x,
silent=
site=
srcdir=
verbose=
x_includes=NONE
x_libraries=NONE

# Installation directory options.
# These are left unexpanded so users can "make install exec_prefix=/foo"
# and all the variables that are supposed to be based on exec_prefix
# by default will actually change.
# Use braces instead of parens because sh, perl, etc. also accept them.
# (The list follows the same order as the GNU Coding Standards.)
bindir='${exec_prefix}/bin'
sbindir='${exec_prefix}/sbin'
libexecdir='${exec_prefix}/libexec'
datarootdir='${prefix}/share'
datadir='${datarootdir}'
sysconfdir='${prefix}/etc'
sharedstatedir='${prefix}/com'
localstatedir='${prefix}/var'
runstatedir='${localstatedir}/run'
includedir='${prefix}/include'
oldincludedir='/usr/include'
docdir='${datarootdir}/doc/${PACKAGE_TARNAME}'
infodir='${datarootdir}/info'
htmldir='${docdir}'
dvidir='${docdir}'
pdfdir='${docdir}'
psdir='${docdir}'
libdir='${exec_prefix}/lib'
localedir='${datarootdir}/locale'
mandir='${datarootdir}/man'

ac_prev=
ac_dashdash=
for ac_option
do
  # If the previous option needs an argument, assign it.
  if test -n "$ac_prev"; then
    eval $ac_prev=\$ac_option
    ac_prev=
    continue
  fi

  case $ac_option in
  *=?*) ac_optarg=`expr "X$ac_option" : '[^=]*=\(.*\)'` ;;
  *=)   ac_optarg= ;;
  *)    ac_optarg=yes ;;
  esac

  case $ac_dashdash$ac_option in
  --)
    ac_dashdash=yes ;;

  -bindir | --bindir | --bindi | --bind | --bin | --bi)
    ac_prev=bindir ;;
  -bindir=* | --bindir=* | --bindi=* | --bind=* | --bin=* | --bi=*)
    bindir=$ac_optarg ;;

  -build | --build | --buil | --bui | --bu)
    ac_prev=build_alias ;;
  -build=* | --build=* | --buil=* | --bui=* | --bu=*)
    build_alias=$ac_optarg ;;

  -cache-file | --cache-file | --cache-fil | --cache-fi \
  | --cache-f | --cache- | --cache | --cach | --cac | --ca | --c)
    ac_prev=cache_file ;;
  -cache-file=* | --cache-file=* | --cache-fil=* | --cache-fi=* \
  | --cache-f=* | --cache-=* | --cache=* | --cach=* | --cac=* | --ca=* | --c=*)
    cache_file=$ac_optarg ;;

  --config-cache | -C)
    cache_file=config.cache ;;

  -datadir | --datadir | --datadi | --datad)
    ac_prev=datadir ;;
  -datadir=* | --datadir=* | --datadi=* | --datad=*)
    datadir=$ac_optarg ;;

  -datarootdir | --datarootdir | --datarootdi | --datarootd | --dataroot \
  | --dataroo | --dataro | --datar)
    ac_prev=datarootdir ;;
  -datarootdir=* | --datarootdir=* | --datarootdi=* | --datarootd=* \
  | --dataroot=* | --dataroo=* | --dataro=* | --datar=*)
    datarootdir=$ac_optarg ;;

  -disable-* | --disable-*)
    ac_useropt=`expr "x$ac_option" : 'x-*disable-\(.*\)'`
    # Reject names that are not valid shell variable names.
    expr "x$ac_useropt" : ".*[^-+._$as_cr_alnum]" >/dev/null &&
      as_fn_error $? "invalid feature name: \`$ac_useropt'"
    ac_useropt_orig=$ac_useropt
    ac_useropt=`printf "%s\n" "$ac_useropt" | sed 's/[-+.]/_/g'`
    case $ac_user_opts in
      *"
"enable_$ac_useropt"
"*) ;;
      *) ac_unrecognized_opts="$ac_unrecognized_opts$ac_unrecognized_sep--disable-$ac_useropt_orig"
	 ac_unrecognized_sep=', ';;
    esac
    eval enable_$ac_useropt=no ;;

  -docdir | --docdir | --docdi | --doc | --do)
    ac_prev=docdir ;;
  -docdir=* | --docdir=* | --docdi=* | --doc=* | --do=*)
    docdir=$ac_optarg ;;

  -dvidir | --dvidir | --dvidi | --dvid | --dvi | --dv)
    ac_prev=dvidir ;;
  -dvidir=* | --dvidir=* | --dvidi=* | --dvid=* | --dvi=* | --dv=*)
    dvidir=$ac_optarg ;;

  -enable-* | --enable-*)
    ac_useropt=`expr "x$ac_option" : 'x-*enable-\([^=]*\)'`
    # Reject names that are not valid shell variable names.
    expr "x$ac_useropt" : ".*[^-+._$as_cr_alnum]" >/dev/null &&
      as_fn_error $? "invalid feature name: \`$ac_useropt'"
    ac_useropt_orig=$ac_useropt
    ac_useropt=`printf "%s\n" "$ac_useropt" | sed 's/[-+.]/_/g'`
    case $ac_user_opts in
      *"
"enable_$ac_useropt"
"*) ;;
      *) ac_unrecognized_opts="$ac_unrecognized_opts$ac_unrecognized_sep--enable-$ac_useropt_orig"
	 ac_unrecognized_sep=', ';;
    esac
    eval enable_$ac_useropt=\$ac_optarg ;;

  -exec-prefix | --exec_prefix | --exec-prefix | --exec-prefi \
  | --exec-pref | --exec-pre | --exec-pr | --exec-p | --exec- \
  | --exec | --exe | --ex)
    ac_prev=exec_prefix ;;
  -exec-prefix=* | --exec_prefix=* | --exec-prefix=* | --exec-prefi=* \
  | --exec-pref=* | --exec-pre=* | --exec-pr=* | --exec-p=* | --exec-=* \
  | --exec=* | --exe=* | --ex=*)
    exec_prefix=$ac_optarg ;;

  -gas | --gas | --ga | --g)
    # Obsolete; use --with-gas.
    with_gas=yes ;;

  -help | --help | --hel | --he | -h)
    ac_init_help=long ;;
  -help=r* | --help=r* | --hel=r* | --he=r* | -hr*)
    ac_init_help=recursive ;;
  -help=s* | --help=s* | --hel=s* | --he=s* | -hs*)
    ac_init_help=short ;;

  -host | --host | --hos | --ho)
    ac_prev=host_alias ;;
  -host=* | --host=* | --hos=* | --ho=*)
    host_alias=$ac_optarg ;;

  -htmldir | --htmldir | --htmldi | --htmld | --html | --htm | --ht)
    ac_prev=htmldir ;;
  -htmldir=* | --htmldir=* | --htmldi=* | --htmld=* | --html=* | --htm=* \
  | --ht=*)
    htmldir=$ac_optarg ;;

  -includedir | --includedir | --includedi | --included | --include \
  | --includ | --inclu | --incl | --inc)
    ac_prev=includedir ;;
  -includedir=* | --includedir=* | --includedi=* | --included=* | --include=* \
  | --includ=* | --inclu=* | --incl=* | --inc=*)
    includedir=$ac_optarg ;;

  -infodir | --infodir | --infodi | --infod | --info | --inf)
    ac_prev=infodir ;;
  -infodir=* | --infodir=* | --infodi=* | --infod=* | --info=* | --inf=*)
    infodir=$ac_optarg ;;

  -libdir | --libdir | --libdi | --libd)
    ac_prev=libdir ;;
  -libdir=* | --libdir=* | --libdi=* | --libd=*)
    libdir=$ac_optarg ;;

  -libexecdir | --libexecdir | --libexecdi | --libexecd | --libexec \
  | --libexe | --libex | --libe)
    ac_prev=libexecdir ;;
  -libexecdir=* | --libexecdir=* | --libexecdi=* | --libexecd=* | --libexec=* \
  | --libexe=* | --libex=* | --libe=*)
    libexecdir=$ac_optarg ;;

  -localedir | --localedir | --localedi | --localed | --locale)
    ac_prev=localedir ;;
  -localedir=* | --localedir=* | --localedi=* | --localed=* | --locale=*)
    localedir=$ac_optarg ;;

  -localstatedir | --localstatedir | --localstatedi | --localstated \
  | --localstate | --localstat | --localsta | --localst | --locals)
    ac_prev=localstatedir ;;
  -localstatedir=* | --localstatedir=* | --localstatedi=* | --localstated=* \
  | --localstate=* | --localstat=* | --localsta=* | --localst=* | --locals=*)
    localstatedir=$ac_optarg ;;

  -mandir | --mandir | --mandi | --mand | --man | --ma | --m)
    ac_prev=mandir ;;
  -mandir=* | --mandir=* | --mandi=* | --mand=* | --man=* | --ma=* | --m=*)
    mandir=$ac_optarg ;;

  -nfp | --nfp | --nf)
    # Obsolete; use --without-fp.
    with_fp=no ;;

  -no-create | --no-create | --no-creat | --no-crea | --no-cre \
  | --no-cr | --no-c | -n)
    no_create=yes ;;

  -no-recursion | --no-recursion | --no-recursio | --no-recursi \
  | --no-recurs | --no-recur | --no-recu | --no-rec | --no-re | --no-r)
    no_recursion=yes ;;

  -oldincludedir | --oldincludedir | --oldincludedi | --oldincluded \
  | --oldinclude | --oldinclud | --oldinclu | --oldincl | --oldinc \
  | --oldin | --oldi | --old | --ol | --o)
    ac_prev=oldincludedir ;;
  -oldincludedir=* | --oldincludedir=* | --oldincludedi=* | --oldincluded=* \
  | --oldinclude=* | --oldinclud=* | --oldinclu=* | --oldincl=* | --oldinc=* \
  | --oldin=* | --oldi=* | --old=* | --ol=* | --o=*)
    oldincludedir=$ac_optarg ;;

  -prefix | --prefix | --prefi | --pref | --pre | --pr | --p)
    ac_prev=prefix ;;
  -prefix=* | --prefix=* | --prefi=* | --pref=* | --pre=* | --pr=* | --p=*)
    prefix=$ac_optarg ;;

  -program-prefix | --program-prefix | --program-prefi | --program-pref \
  | --program-pre | --program-pr | --program-p)
    ac_prev=program_prefix ;;
  -program-prefix=* | --program-prefix=* | --program-prefi=* \
  | --program-pref=* | --program-pre=* | --program-pr=* | --program-p=*)
    program_prefix=$ac_optarg ;;

  -program-suffix | --program-suffix | --program-suffi | --program-suff \
  | --program-suf | --program-su | --program-s)
    ac_prev=program_suffix ;;
  -program-suffix=* | --program-suffix=* | --program-suffi=* \
  | --program-suff=* | --program-suf=* | --program-su=* | --program-s=*)
    program_suffix=$ac_optarg ;;

  -program-transform-name | --program-transform-name \
  | --program-transform-nam | --program-transform-na \
  | --program-transform-n | --program-transform- \
  | --program-transform | --program-transfor \
  | --program-transfo | --program-transf \
  | --program-trans | --program-tran \
  | --progr-tra | --program-tr | --program-t)
    ac_prev=program_transform_name ;;
  -program-transform-name=* | --program-transform-name=* \
  | --program-transform-nam=* | --program-transform-na=* \
  | --program-transform-n=* | --program-transform-=* \
  | --program-transform=* | --program-transfor=* \
  | --program-transfo=* | --program-transf=* \
  | --program-trans=* | --program-tran=* \
  | --progr-tra=* | --program-tr=* | --program-t=*)
    program_transform_name=$ac_optarg ;;

  -pdfdir | --pdfdir | --pdfdi | --pdfd | --pdf | --pd)
    ac_prev=pdfdir ;;
  -pdfdir=* | --pdfdir=* | --pdfdi=* | --pdfd=* | --pdf=* | --pd=*)
    pdfdir=$ac_optarg ;;

  -psdir | --psdir | --psdi | --psd | --ps)
    ac_prev=psdir ;;
  -psdir=* | --psdir=* | --psdi=* | --psd=* | --ps=*)
    psdir=$ac_optarg ;;

  -q | -quiet | --quiet | --quie | --qui | --qu | --q \
  | -silent | --silent | --silen | --sile | --sil)
    silent=yes ;;

  -runstatedir | --runstatedir | --runstatedi | --runstated \
  | --runstate | --runstat | --runsta | --runst | --runs \
  | --run | --ru | --r)
    ac_prev=runstatedir ;;
  -runstatedir=* | --runstatedir=* | --runstatedi=* | --runstated=* \
  | --runstate=* | --runstat=* | --runsta=* | --runst=* | --runs=* \
  | --run=* | --ru=* | --r=*)
    runstatedir=$ac_optarg ;;

  -sbindir | --sbindir | --sbindi | --sbind | --sbin | --sbi | --sb)
    ac_prev=sbindir ;;
  -sbindir=* | --sbindir=* | --sbindi=* | --sbind=* | --sbin=* \
  | --sbi=* | --sb=*)
    sbindir=$ac_optarg ;;

  -sharedstatedir | --sharedstatedir | --sharedstatedi \
  | --sharedstated | --sharedstate | --sharedstat | --sharedsta \
  | --sharedst | --shareds | --shared | --share | --shar \
  | --sha | --sh)
    ac_prev=sharedstatedir ;;
  -sharedstatedir=* | --sharedstatedir=* | --sharedstatedi=* \
  | --sharedstated=* | --sharedstate=* | --sharedstat=* | --sharedsta=* \
  | --sharedst=* | --shareds=* | --shared=* | --share=* | --shar=* \
  | --sha=* | --sh=*)
    sharedstatedir=$ac_optarg ;;

  -site | --site | --sit)
    ac_prev=site ;;
  -site=* | --site=* | --sit=*)
    site=$ac_optarg ;;

  -srcdir | --srcdir | --srcdi | --srcd | --src | --sr)
    ac_prev=srcdir ;;
  -srcdir=* | --srcdir=* | --srcdi=* | --srcd=* | --src=* | --sr=*)
    srcdir=$ac_optarg ;;

  -sysconfdir | --sysconfdir | --sysconfdi | --sysconfd | --sysconf \
  | --syscon | --sysco | --sysc | --sys | --sy)
    ac_prev=sysconfdir ;;
  -sysconfdir=* | --sysconfdir=* | --sysconfdi=* | --sysconfd=* | --sysconf=* \
  | --syscon=* | --sysco=* | --sysc=* | --sys=* | --sy=*)
    sysconfdir=$ac_optarg ;;

  -target | --target | --targe | --targ | --tar | --ta | --t)
    ac_prev=target_alias ;;
  -target=* | --target=* | --targe=* | --targ=* | --tar=* | --ta=* | --t=*)
    target_alias=$ac_optarg ;;

  -v | -verbose | --verbose | --verbos | --verbo | --verb)
    verbose=yes ;;

  -version | --version | --versio | --versi | --vers | -V)
    ac_init_version=: ;;

  -with-* | --with-*)
    ac_useropt=`expr "x$ac_option" : 'x-*with-\([^=]*\)'`
    # Reject names that are not valid shell variable names.
    expr "x$ac_useropt" : ".*[^-+._$as_cr_alnum]" >/dev/null &&
      as_fn_error $? "invalid package name: \`$ac_useropt'"
    ac_useropt_orig=$ac_useropt
    ac_useropt=`printf "%s\n" "$ac_useropt" | sed 's/[-+.]/_/g'`
    case $ac_user_opts in
      *"
"with_$ac_useropt"
"*) ;;
      *) ac_unrecognized_opts="$ac_unrecognized_opts$ac_unrecognized_sep--with-$ac_useropt_orig"
	 ac_unrecognized_sep=', ';;
    esac
    eval with_$ac_useropt=\$ac_optarg ;;

  -without-* | --without-*)
    ac_useropt=`expr "x$ac_option" : 'x-*without-\(.*\)'`
    # Reject names that are not valid shell variable names.
    expr "x$ac_useropt" : ".*[^-+._$as_cr_alnum]" >/dev/null &&
      as_fn_error $? "invalid package name: \`$ac_useropt'"
    ac_useropt_orig=$ac_useropt
    ac_useropt=`printf "%s\n" "$ac_useropt" | sed 's/[-+.]/_/g'`
    case $ac_user_opts in
      *"
"with_$ac_useropt"
"*) ;;
      *) ac_unrecognized_opts="$ac_unrecognized_opts$ac_unrecognized_sep--without-$ac_useropt_orig"
	 ac_unrecognized_sep=', ';;
    esac
    eval with_$ac_useropt=no ;;

  --x)
    # Obsolete; use --with-x.
    with_x=yes ;;

  -x-includes | --x-includes | --x-include | --x-includ | --x-inclu \
  | --x-incl | --x-inc | --x-in | --x-i)
    ac_prev=x_includes ;;
  -x-includes=* | --x-includes=* | --x-include=* | --x-includ=* | --x-inclu=* \
  | --x-incl=* | --x-inc=* | --x-in=* | --x-i=*)
    x_includes=$ac_optarg ;;

  -x-libraries | --x-libraries | --x-librarie | --x-librari \
  | --x-librar | --x-libra | --x-libr | --x-lib | --x-li | --x-l)
    ac_prev=x_libraries ;;
  -x-libraries=* | --x-libraries=* | --x-librarie=* | --x-librari=* \
  | --x-librar=* | --x-libra=* | --x-libr=* | --x-lib=* | --x-li=* | --x-l=*)
    x_libraries=$ac_optarg ;;

  -*) as_fn_error $? "unrecognized option: \`$ac_option'
Try \`$0 --help' for more information"
    ;;

  *=*)
    ac_envvar=`expr "x$ac_option" : 'x\([^=]*\)='`
    # Reject names that are not valid shell variable names.
    case $ac_envvar in #(
      '' | [0-9]* | *[!_$as_cr_alnum]* )
      as_fn_error $? "invalid variable name: \`$ac_envvar'" ;;
    esac
    eval $ac_envvar=\$ac_optarg
    export $ac_envvar ;;

  *)
    # FIXME: should be removed in autoconf 3.0.
    printf "%s\n" "$as_me: WARNING: you should use --build, --host, --target" >&2
    expr "x$ac_option" : ".*[^-._$as_cr_alnum]" >/dev/null &&
      printf "%s\n" "$as_me: WARNING: invalid host type: $ac_option" >&2
    : "${build_alias=$ac_option} ${host_alias=$ac_option} ${target_alias=$ac_option}"
    ;;

  esac
done

if test -n "$ac_prev"; then
  ac_option=--`echo $ac_prev | sed 's/_/-/g'`
  as_fn_error $? "missing argument to $ac_option"
fi

if test -n "$ac_unrecognized_opts"; then
  case $enable_option_checking in
    no) ;;
    fatal) as_fn_error $? "unrecognized options: $ac_unrecognized_opts" ;;
    *)     printf "%s\n" "$as_me: WARNING: unrecognized options: $ac_unrecognized_opts" >&2 ;;
  esac
fi

# Check all directory arguments for consistency.
for ac_var in	exec_prefix prefix bindir sbindir libexecdir datarootdir \
		datadir sysconfdir sharedstatedir localstatedir includedir \
		oldincludedir docdir infodir htmldir dvidir pdfdir psdir \
		libdir localedir mandir runstatedir
do
  eval ac_val=\$$ac_var
  # Remove trailing slashes.
  case $ac_val in
    */ )
      ac_val=`expr "X$ac_val" : 'X\(.*[^/]\)' \| "X$ac_val" : 'X\(.*\)'`
      eval $ac_var=\$ac_val;;
  esac
  # Be sure to have absolute directory names.
  case $ac_val in
    [\\/$]* | ?:[\\/]* )  continue;;
    NONE | '' ) case $ac_var in *prefix ) continue;; esac;;
  esac
  as_fn_error $? "expected an absolute directory name for --$ac_var: $ac_val"
done

# There might be people who depend on the old broken behavior: `$host'
# used to hold the argument of --host etc.
# FIXME: To remove some day.
build=$build_alias
host=$host_alias
target=$target_alias

# FIXME: To remove some day.
if test "x$host_alias" != x; then
  if test "x$build_alias" = x; then
    cross_compiling=maybe
  elif test "x$build_alias" != "x$host_alias"; then
    cross_compiling=yes
  fi
fi

ac_tool_prefix=
test -n "$host_alias" && ac_tool_prefix=$host_alias-

test "$silent" = yes && exec 6>/dev/null


ac_pwd=`pwd` && test -n "$ac_pwd" &&
ac_ls_di=`ls -di .` &&
ac_pwd_ls_di=`cd "$ac_pwd" && ls -di .` ||
  as_fn_error $? "working directory cannot be determined"
test "X$ac_ls_di" = "X$ac_pwd_ls_di" ||
  as_fn_error $? "pwd does not report name of working directory"


# Find the source files, if location was not specified.
if test -z "$srcdir"; then
  ac_srcdir_defaulted=yes
  # Try the directory containing this script, then the parent directory.
  ac_confdir=`$as_dirname -- "$as_myself" ||
$as_expr X"$as_myself" : 'X\(.*[^/]\)//*[^/][^/]*/*$' \| \
	 X"$as_myself" : 'X\(//\)[^/]' \| \
	 X"$as_myself" : 'X\(//\)$' \| \
	 X"$as_myself" : 'X\(/\)' \| . 2>/dev/null ||
printf "%s\n" X"$as_myself" |
    sed '/^X\(.*[^/]\)\/\/*[^/][^/]*\/*$/{
	    s//\1/
	    q
	  }
	  /^X\(\/\/\)[^/].*/{
	    s//\1/
	    q
	  }
	  /^X\(\/\/\)$/{
	    s//\1/
	    q
	  }
	  /^X\(\/\).*/{
	    s//\1/
	    q
	  }
	  s/.*/./; q'`
  srcdir=$ac_confdir
  if test ! -r "$srcdir/$ac_unique_file"; then
    srcdir=..
  fi
else
  ac_srcdir_defaulted=no
fi
if test ! -r "$srcdir/$ac_unique_file"; then
  test "$ac_srcdir_defaulted" = yes && srcdir="$ac_confdir or .."
  as_fn_error $? "cannot find sources ($ac_unique_file) in $srcdir"
fi
ac_msg="sources are in $srcdir, but \`cd $srcdir' does not work"
ac_abs_confdir=`(
	cd "$srcdir" && test -r "./$ac_unique_file" || as_fn_error $? "$ac_msg"
	pwd)`
# When building in place, set srcdir=.
if test "$ac_abs_confdir" = "$ac_pwd"; then
  srcdir=.
fi
# Remove unnecessary trailing slashes from srcdir.
# Double slashes in file names in object file debugging info
# mess up M-x gdb in Emacs.
case $srcdir in
*/) srcdir=`expr "X$srcdir" : 'X\(.*[^/]\)' \| "X$srcdir" : 'X\(.*\)'`;;
esac
for ac_var in $ac_precious_vars; do
  eval ac_env_${ac_var}_set=\${${ac_var}+set}
  eval ac_env_${ac_var}_value=\$${ac_var}
  eval ac_cv_env_${ac_var}_set=\${${ac_var}+set}
  eval ac_cv_env_${ac_var}_value=\$${ac_var}
done

#
# Report the --help message.
#
if test "$ac_init_help" = "long"; then
  # Omit some internal or obsolete options to make the list less imposing.
  # This message is too long to be a string in the A/UX 3.1 sh.
  cat <<_ACEOF
\`configure' configures Why3 1.6.0 to adapt to many kinds of systems.

Usage: $0 [OPTION]... [VAR=VALUE]...

To assign environment variables (e.g., CC, CFLAGS...), specify them as
VAR=VALUE.  See below for descriptions of some of the useful variables.

Defaults for the options are specified in brackets.

Configuration:
  -h, --help              display this help and exit
      --help=short        display options specific to this package
      --help=recursive    display the short help of all the included packages
  -V, --version           display version information and exit
  -q, --quiet, --silent   do not print \`checking ...' messages
      --cache-file=FILE   cache test results in FILE [disabled]
  -C, --config-cache      alias for \`--cache-file=config.cache'
  -n, --no-create         do not create output files
      --srcdir=DIR        find the sources in DIR [configure dir or \`..']

Installation directories:
  --prefix=PREFIX         install architecture-independent files in PREFIX
                          [$ac_default_prefix]
  --exec-prefix=EPREFIX   install architecture-dependent files in EPREFIX
                          [PREFIX]

By default, \`make install' will install all the files in
\`$ac_default_prefix/bin', \`$ac_default_prefix/lib' etc.  You can specify
an installation prefix other than \`$ac_default_prefix' using \`--prefix',
for instance \`--prefix=\$HOME'.

For better control, use the options below.

Fine tuning of the installation directories:
  --bindir=DIR            user executables [EPREFIX/bin]
  --sbindir=DIR           system admin executables [EPREFIX/sbin]
  --libexecdir=DIR        program executables [EPREFIX/libexec]
  --sysconfdir=DIR        read-only single-machine data [PREFIX/etc]
  --sharedstatedir=DIR    modifiable architecture-independent data [PREFIX/com]
  --localstatedir=DIR     modifiable single-machine data [PREFIX/var]
  --runstatedir=DIR       modifiable per-process data [LOCALSTATEDIR/run]
  --libdir=DIR            object code libraries [EPREFIX/lib]
  --includedir=DIR        C header files [PREFIX/include]
  --oldincludedir=DIR     C header files for non-gcc [/usr/include]
  --datarootdir=DIR       read-only arch.-independent data root [PREFIX/share]
  --datadir=DIR           read-only architecture-independent data [DATAROOTDIR]
  --infodir=DIR           info documentation [DATAROOTDIR/info]
  --localedir=DIR         locale-dependent data [DATAROOTDIR/locale]
  --mandir=DIR            man documentation [DATAROOTDIR/man]
  --docdir=DIR            documentation root [DATAROOTDIR/doc/why3]
  --htmldir=DIR           html documentation [DOCDIR]
  --dvidir=DIR            dvi documentation [DOCDIR]
  --pdfdir=DIR            pdf documentation [DOCDIR]
  --psdir=DIR             ps documentation [DOCDIR]
_ACEOF

  cat <<\_ACEOF
_ACEOF
fi

if test -n "$ac_init_help"; then
  case $ac_init_help in
     short | recursive ) echo "Configuration of Why3 1.6.0:";;
   esac
  cat <<\_ACEOF

Optional Features:
  --disable-option-checking  ignore unrecognized --enable/--with options
  --disable-FEATURE       do not include FEATURE (same as --enable-FEATURE=no)
  --enable-FEATURE[=ARG]  include FEATURE [ARG=yes]
  --enable-verbose-make   verbose makefile recipes
  --enable-local          use Why3 in the build directory (no installation)
  --enable-relocation     allow for later relocation of Why3 installation
  --disable-native-code   use only the byte-code compiler
  --disable-why3-lib      use an already installed Why3
  --disable-zarith        use Nums instead of Zarith for computations
  --disable-ocamlfind     do not use Ocamlfind
  --disable-zip           do not use LZ compression to store session files
  --enable-infer          use apron and fixpoint to infer loop invariants
  --enable-bddinfer       use apron and BDDs to infer loop invariants
  --disable-js-of-ocaml   do not use js-of-ocaml
  --disable-re            use Str instead of Re for regular expressions
  --disable-pp-sexp       disable S-expression output for why3pp
  --disable-ide           do not build Why3 IDE
  --disable-web-ide       do not build Why3 Web IDE
  --disable-coq-libs      do not build Coq realizations
  --disable-pvs-libs      do not build PVS realizations
  --disable-isabelle-libs do not build Isabelle realizations
  --disable-mpfr          disable support for MPFR
  --disable-hypothesis-selection
                          do not support hypothesis selection
  --disable-stackify      disable structure reconstruction algorithm for MLCFG
  --disable-doc           do not build documentation
  --disable-pdf-doc       do not build PDF documentation
  --enable-frama-c        enable Frama-C plugin
  --enable-statmemprof    enable statistical memory profiling
  --disable-emacs-compilation
                          do not compile why3.elc

Some influential environment variables:
  EDITOR      default editor
  CC          C compiler command
  CFLAGS      C compiler flags
  LDFLAGS     linker flags, e.g. -L if you have libraries in a
              nonstandard directory 
  LIBS        libraries to pass to the linker, e.g. -l
  CPPFLAGS    (Objective) C/C++ preprocessor flags, e.g. -I if
              you have headers in a nonstandard directory 

Use these variables to override the choices made by `configure' or to help
it to find libraries and programs with nonstandard names/locations.

Report bugs to the package provider.
_ACEOF
ac_status=$?
fi

if test "$ac_init_help" = "recursive"; then
  # If there are subdirs, report their specific --help.
  for ac_dir in : $ac_subdirs_all; do test "x$ac_dir" = x: && continue
    test -d "$ac_dir" ||
      { cd "$srcdir" && ac_pwd=`pwd` && srcdir=. && test -d "$ac_dir"; } ||
      continue
    ac_builddir=.

case "$ac_dir" in
.) ac_dir_suffix= ac_top_builddir_sub=. ac_top_build_prefix= ;;
*)
  ac_dir_suffix=/`printf "%s\n" "$ac_dir" | sed 's|^\.[\\/]||'`
  # A ".." for each directory in $ac_dir_suffix.
  ac_top_builddir_sub=`printf "%s\n" "$ac_dir_suffix" | sed 's|/[^\\/]*|/..|g;s|/||'`
  case $ac_top_builddir_sub in
  "") ac_top_builddir_sub=. ac_top_build_prefix= ;;
  *)  ac_top_build_prefix=$ac_top_builddir_sub/ ;;
  esac ;;
esac
ac_abs_top_builddir=$ac_pwd
ac_abs_builddir=$ac_pwd$ac_dir_suffix
# for backward compatibility:
ac_top_builddir=$ac_top_build_prefix

case $srcdir in
  .)  # We are building in place.
    ac_srcdir=.
    ac_top_srcdir=$ac_top_builddir_sub
    ac_abs_top_srcdir=$ac_pwd ;;
  [\\/]* | ?:[\\/]* )  # Absolute name.
    ac_srcdir=$srcdir$ac_dir_suffix;
    ac_top_srcdir=$srcdir
    ac_abs_top_srcdir=$srcdir ;;
  *) # Relative name.
    ac_srcdir=$ac_top_build_prefix$srcdir$ac_dir_suffix
    ac_top_srcdir=$ac_top_build_prefix$srcdir
    ac_abs_top_srcdir=$ac_pwd/$srcdir ;;
esac
ac_abs_srcdir=$ac_abs_top_srcdir$ac_dir_suffix

    cd "$ac_dir" || { ac_status=$?; continue; }
    # Check for configure.gnu first; this name is used for a wrapper for
    # Metaconfig's "Configure" on case-insensitive file systems.
    if test -f "$ac_srcdir/configure.gnu"; then
      echo &&
      $SHELL "$ac_srcdir/configure.gnu" --help=recursive
    elif test -f "$ac_srcdir/configure"; then
      echo &&
      $SHELL "$ac_srcdir/configure" --help=recursive
    else
      printf "%s\n" "$as_me: WARNING: no configuration information is in $ac_dir" >&2
    fi || ac_status=$?
    cd "$ac_pwd" || { ac_status=$?; break; }
  done
fi

test -n "$ac_init_help" && exit $ac_status
if $ac_init_version; then
  cat <<\_ACEOF
Why3 configure 1.6.0
generated by GNU Autoconf 2.71

Copyright (C) 2021 Free Software Foundation, Inc.
This configure script is free software; the Free Software Foundation
gives unlimited permission to copy, distribute and modify it.
_ACEOF
  exit
fi

## ------------------------ ##
## Autoconf initialization. ##
## ------------------------ ##

# ac_fn_c_try_compile LINENO
# --------------------------
# Try to compile conftest.$ac_ext, and return whether this succeeded.
ac_fn_c_try_compile ()
{
  as_lineno=${as_lineno-"$1"} as_lineno_stack=as_lineno_stack=$as_lineno_stack
  rm -f conftest.$ac_objext conftest.beam
  if { { ac_try="$ac_compile"
case "(($ac_try" in
  *\"* | *\`* | *\\*) ac_try_echo=\$ac_try;;
  *) ac_try_echo=$ac_try;;
esac
eval ac_try_echo="\"\$as_me:${as_lineno-$LINENO}: $ac_try_echo\""
printf "%s\n" "$ac_try_echo"; } >&5
  (eval "$ac_compile") 2>conftest.err
  ac_status=$?
  if test -s conftest.err; then
    grep -v '^ *+' conftest.err >conftest.er1
    cat conftest.er1 >&5
    mv -f conftest.er1 conftest.err
  fi
  printf "%s\n" "$as_me:${as_lineno-$LINENO}: \$? = $ac_status" >&5
  test $ac_status = 0; } && {
	 test -z "$ac_c_werror_flag" ||
	 test ! -s conftest.err
       } && test -s conftest.$ac_objext
then :
  ac_retval=0
else $as_nop
  printf "%s\n" "$as_me: failed program was:" >&5
sed 's/^/| /' conftest.$ac_ext >&5

	ac_retval=1
fi
  eval $as_lineno_stack; ${as_lineno_stack:+:} unset as_lineno
  as_fn_set_status $ac_retval

} # ac_fn_c_try_compile
ac_configure_args_raw=
for ac_arg
do
  case $ac_arg in
  *\'*)
    ac_arg=`printf "%s\n" "$ac_arg" | sed "s/'/'\\\\\\\\''/g"` ;;
  esac
  as_fn_append ac_configure_args_raw " '$ac_arg'"
done

case $ac_configure_args_raw in
  *$as_nl*)
    ac_safe_unquote= ;;
  *)
    ac_unsafe_z='|&;<>()$`\\"*?[ ''	' # This string ends in space, tab.
    ac_unsafe_a="$ac_unsafe_z#~"
    ac_safe_unquote="s/ '\\([^$ac_unsafe_a][^$ac_unsafe_z]*\\)'/ \\1/g"
    ac_configure_args_raw=`      printf "%s\n" "$ac_configure_args_raw" | sed "$ac_safe_unquote"`;;
esac

cat >config.log <<_ACEOF
This file contains any messages produced by compilers while
running configure, to aid debugging if configure makes a mistake.

It was created by Why3 $as_me 1.6.0, which was
generated by GNU Autoconf 2.71.  Invocation command line was

  $ $0$ac_configure_args_raw

_ACEOF
exec 5>>config.log
{
cat <<_ASUNAME
## --------- ##
## Platform. ##
## --------- ##

hostname = `(hostname || uname -n) 2>/dev/null | sed 1q`
uname -m = `(uname -m) 2>/dev/null || echo unknown`
uname -r = `(uname -r) 2>/dev/null || echo unknown`
uname -s = `(uname -s) 2>/dev/null || echo unknown`
uname -v = `(uname -v) 2>/dev/null || echo unknown`

/usr/bin/uname -p = `(/usr/bin/uname -p) 2>/dev/null || echo unknown`
/bin/uname -X     = `(/bin/uname -X) 2>/dev/null     || echo unknown`

/bin/arch              = `(/bin/arch) 2>/dev/null              || echo unknown`
/usr/bin/arch -k       = `(/usr/bin/arch -k) 2>/dev/null       || echo unknown`
/usr/convex/getsysinfo = `(/usr/convex/getsysinfo) 2>/dev/null || echo unknown`
/usr/bin/hostinfo      = `(/usr/bin/hostinfo) 2>/dev/null      || echo unknown`
/bin/machine           = `(/bin/machine) 2>/dev/null           || echo unknown`
/usr/bin/oslevel       = `(/usr/bin/oslevel) 2>/dev/null       || echo unknown`
/bin/universe          = `(/bin/universe) 2>/dev/null          || echo unknown`

_ASUNAME

as_save_IFS=$IFS; IFS=$PATH_SEPARATOR
for as_dir in $PATH
do
  IFS=$as_save_IFS
  case $as_dir in #(((
    '') as_dir=./ ;;
    */) ;;
    *) as_dir=$as_dir/ ;;
  esac
    printf "%s\n" "PATH: $as_dir"
  done
IFS=$as_save_IFS

} >&5

cat >&5 <<_ACEOF


## ----------- ##
## Core tests. ##
## ----------- ##

_ACEOF


# Keep a trace of the command line.
# Strip out --no-create and --no-recursion so they do not pile up.
# Strip out --silent because we don't want to record it for future runs.
# Also quote any args containing shell meta-characters.
# Make two passes to allow for proper duplicate-argument suppression.
ac_configure_args=
ac_configure_args0=
ac_configure_args1=
ac_must_keep_next=false
for ac_pass in 1 2
do
  for ac_arg
  do
    case $ac_arg in
    -no-create | --no-c* | -n | -no-recursion | --no-r*) continue ;;
    -q | -quiet | --quiet | --quie | --qui | --qu | --q \
    | -silent | --silent | --silen | --sile | --sil)
      continue ;;
    *\'*)
      ac_arg=`printf "%s\n" "$ac_arg" | sed "s/'/'\\\\\\\\''/g"` ;;
    esac
    case $ac_pass in
    1) as_fn_append ac_configure_args0 " '$ac_arg'" ;;
    2)
      as_fn_append ac_configure_args1 " '$ac_arg'"
      if test $ac_must_keep_next = true; then
	ac_must_keep_next=false # Got value, back to normal.
      else
	case $ac_arg in
	  *=* | --config-cache | -C | -disable-* | --disable-* \
	  | -enable-* | --enable-* | -gas | --g* | -nfp | --nf* \
	  | -q | -quiet | --q* | -silent | --sil* | -v | -verb* \
	  | -with-* | --with-* | -without-* | --without-* | --x)
	    case "$ac_configure_args0 " in
	      "$ac_configure_args1"*" '$ac_arg' "* ) continue ;;
	    esac
	    ;;
	  -* ) ac_must_keep_next=true ;;
	esac
      fi
      as_fn_append ac_configure_args " '$ac_arg'"
      ;;
    esac
  done
done
{ ac_configure_args0=; unset ac_configure_args0;}
{ ac_configure_args1=; unset ac_configure_args1;}

# When interrupted or exit'd, cleanup temporary files, and complete
# config.log.  We remove comments because anyway the quotes in there
# would cause problems or look ugly.
# WARNING: Use '\'' to represent an apostrophe within the trap.
# WARNING: Do not start the trap code with a newline, due to a FreeBSD 4.0 bug.
trap 'exit_status=$?
  # Sanitize IFS.
  IFS=" ""	$as_nl"
  # Save into config.log some information that might help in debugging.
  {
    echo

    printf "%s\n" "## ---------------- ##
## Cache variables. ##
## ---------------- ##"
    echo
    # The following way of writing the cache mishandles newlines in values,
(
  for ac_var in `(set) 2>&1 | sed -n '\''s/^\([a-zA-Z_][a-zA-Z0-9_]*\)=.*/\1/p'\''`; do
    eval ac_val=\$$ac_var
    case $ac_val in #(
    *${as_nl}*)
      case $ac_var in #(
      *_cv_*) { printf "%s\n" "$as_me:${as_lineno-$LINENO}: WARNING: cache variable $ac_var contains a newline" >&5
printf "%s\n" "$as_me: WARNING: cache variable $ac_var contains a newline" >&2;} ;;
      esac
      case $ac_var in #(
      _ | IFS | as_nl) ;; #(
      BASH_ARGV | BASH_SOURCE) eval $ac_var= ;; #(
      *) { eval $ac_var=; unset $ac_var;} ;;
      esac ;;
    esac
  done
  (set) 2>&1 |
    case $as_nl`(ac_space='\'' '\''; set) 2>&1` in #(
    *${as_nl}ac_space=\ *)
      sed -n \
	"s/'\''/'\''\\\\'\'''\''/g;
	  s/^\\([_$as_cr_alnum]*_cv_[_$as_cr_alnum]*\\)=\\(.*\\)/\\1='\''\\2'\''/p"
      ;; #(
    *)
      sed -n "/^[_$as_cr_alnum]*_cv_[_$as_cr_alnum]*=/p"
      ;;
    esac |
    sort
)
    echo

    printf "%s\n" "## ----------------- ##
## Output variables. ##
## ----------------- ##"
    echo
    for ac_var in $ac_subst_vars
    do
      eval ac_val=\$$ac_var
      case $ac_val in
      *\'\''*) ac_val=`printf "%s\n" "$ac_val" | sed "s/'\''/'\''\\\\\\\\'\'''\''/g"`;;
      esac
      printf "%s\n" "$ac_var='\''$ac_val'\''"
    done | sort
    echo

    if test -n "$ac_subst_files"; then
      printf "%s\n" "## ------------------- ##
## File substitutions. ##
## ------------------- ##"
      echo
      for ac_var in $ac_subst_files
      do
	eval ac_val=\$$ac_var
	case $ac_val in
	*\'\''*) ac_val=`printf "%s\n" "$ac_val" | sed "s/'\''/'\''\\\\\\\\'\'''\''/g"`;;
	esac
	printf "%s\n" "$ac_var='\''$ac_val'\''"
      done | sort
      echo
    fi

    if test -s confdefs.h; then
      printf "%s\n" "## ----------- ##
## confdefs.h. ##
## ----------- ##"
      echo
      cat confdefs.h
      echo
    fi
    test "$ac_signal" != 0 &&
      printf "%s\n" "$as_me: caught signal $ac_signal"
    printf "%s\n" "$as_me: exit $exit_status"
  } >&5
  rm -f core *.core core.conftest.* &&
    rm -f -r conftest* confdefs* conf$$* $ac_clean_files &&
    exit $exit_status
' 0
for ac_signal in 1 2 13 15; do
  trap 'ac_signal='$ac_signal'; as_fn_exit 1' $ac_signal
done
ac_signal=0

# confdefs.h avoids OS command line length limits that DEFS can exceed.
rm -f -r conftest* confdefs.h

printf "%s\n" "/* confdefs.h */" > confdefs.h

# Predefined preprocessor variables.

printf "%s\n" "#define PACKAGE_NAME \"$PACKAGE_NAME\"" >>confdefs.h

printf "%s\n" "#define PACKAGE_TARNAME \"$PACKAGE_TARNAME\"" >>confdefs.h

printf "%s\n" "#define PACKAGE_VERSION \"$PACKAGE_VERSION\"" >>confdefs.h

printf "%s\n" "#define PACKAGE_STRING \"$PACKAGE_STRING\"" >>confdefs.h

printf "%s\n" "#define PACKAGE_BUGREPORT \"$PACKAGE_BUGREPORT\"" >>confdefs.h

printf "%s\n" "#define PACKAGE_URL \"$PACKAGE_URL\"" >>confdefs.h


# Let the site file select an alternate cache file if it wants to.
# Prefer an explicitly selected file to automatically selected ones.
if test -n "$CONFIG_SITE"; then
  ac_site_files="$CONFIG_SITE"
elif test "x$prefix" != xNONE; then
  ac_site_files="$prefix/share/config.site $prefix/etc/config.site"
else
  ac_site_files="$ac_default_prefix/share/config.site $ac_default_prefix/etc/config.site"
fi

for ac_site_file in $ac_site_files
do
  case $ac_site_file in #(
  */*) :
     ;; #(
  *) :
    ac_site_file=./$ac_site_file ;;
esac
  if test -f "$ac_site_file" && test -r "$ac_site_file"; then
    { printf "%s\n" "$as_me:${as_lineno-$LINENO}: loading site script $ac_site_file" >&5
printf "%s\n" "$as_me: loading site script $ac_site_file" >&6;}
    sed 's/^/| /' "$ac_site_file" >&5
    . "$ac_site_file" \
      || { { printf "%s\n" "$as_me:${as_lineno-$LINENO}: error: in \`$ac_pwd':" >&5
printf "%s\n" "$as_me: error: in \`$ac_pwd':" >&2;}
as_fn_error $? "failed to load site script $ac_site_file
See \`config.log' for more details" "$LINENO" 5; }
  fi
done

if test -r "$cache_file"; then
  # Some versions of bash will fail to source /dev/null (special files
  # actually), so we avoid doing that.  DJGPP emulates it as a regular file.
  if test /dev/null != "$cache_file" && test -f "$cache_file"; then
    { printf "%s\n" "$as_me:${as_lineno-$LINENO}: loading cache $cache_file" >&5
printf "%s\n" "$as_me: loading cache $cache_file" >&6;}
    case $cache_file in
      [\\/]* | ?:[\\/]* ) . "$cache_file";;
      *)                      . "./$cache_file";;
    esac
  fi
else
  { printf "%s\n" "$as_me:${as_lineno-$LINENO}: creating cache $cache_file" >&5
printf "%s\n" "$as_me: creating cache $cache_file" >&6;}
  >$cache_file
fi

# Test code for whether the C compiler supports C89 (global declarations)
ac_c_conftest_c89_globals='
/* Does the compiler advertise C89 conformance?
   Do not test the value of __STDC__, because some compilers set it to 0
   while being otherwise adequately conformant. */
#if !defined __STDC__
# error "Compiler does not advertise C89 conformance"
#endif

#include 
#include 
struct stat;
/* Most of the following tests are stolen from RCS 5.7 src/conf.sh.  */
struct buf { int x; };
struct buf * (*rcsopen) (struct buf *, struct stat *, int);
static char *e (p, i)
     char **p;
     int i;
{
  return p[i];
}
static char *f (char * (*g) (char **, int), char **p, ...)
{
  char *s;
  va_list v;
  va_start (v,p);
  s = g (p, va_arg (v,int));
  va_end (v);
  return s;
}

/* OSF 4.0 Compaq cc is some sort of almost-ANSI by default.  It has
   function prototypes and stuff, but not \xHH hex character constants.
   These do not provoke an error unfortunately, instead are silently treated
   as an "x".  The following induces an error, until -std is added to get
   proper ANSI mode.  Curiously \x00 != x always comes out true, for an
   array size at least.  It is necessary to write \x00 == 0 to get something
   that is true only with -std.  */
int osf4_cc_array ['\''\x00'\'' == 0 ? 1 : -1];

/* IBM C 6 for AIX is almost-ANSI by default, but it replaces macro parameters
   inside strings and character constants.  */
#define FOO(x) '\''x'\''
int xlc6_cc_array[FOO(a) == '\''x'\'' ? 1 : -1];

int test (int i, double x);
struct s1 {int (*f) (int a);};
struct s2 {int (*f) (double a);};
int pairnames (int, char **, int *(*)(struct buf *, struct stat *, int),
               int, int);'

# Test code for whether the C compiler supports C89 (body of main).
ac_c_conftest_c89_main='
ok |= (argc == 0 || f (e, argv, 0) != argv[0] || f (e, argv, 1) != argv[1]);
'

# Test code for whether the C compiler supports C99 (global declarations)
ac_c_conftest_c99_globals='
// Does the compiler advertise C99 conformance?
#if !defined __STDC_VERSION__ || __STDC_VERSION__ < 199901L
# error "Compiler does not advertise C99 conformance"
#endif

#include 
extern int puts (const char *);
extern int printf (const char *, ...);
extern int dprintf (int, const char *, ...);
extern void *malloc (size_t);

// Check varargs macros.  These examples are taken from C99 6.10.3.5.
// dprintf is used instead of fprintf to avoid needing to declare
// FILE and stderr.
#define debug(...) dprintf (2, __VA_ARGS__)
#define showlist(...) puts (#__VA_ARGS__)
#define report(test,...) ((test) ? puts (#test) : printf (__VA_ARGS__))
static void
test_varargs_macros (void)
{
  int x = 1234;
  int y = 5678;
  debug ("Flag");
  debug ("X = %d\n", x);
  showlist (The first, second, and third items.);
  report (x>y, "x is %d but y is %d", x, y);
}

// Check long long types.
#define BIG64 18446744073709551615ull
#define BIG32 4294967295ul
#define BIG_OK (BIG64 / BIG32 == 4294967297ull && BIG64 % BIG32 == 0)
#if !BIG_OK
  #error "your preprocessor is broken"
#endif
#if BIG_OK
#else
  #error "your preprocessor is broken"
#endif
static long long int bignum = -9223372036854775807LL;
static unsigned long long int ubignum = BIG64;

struct incomplete_array
{
  int datasize;
  double data[];
};

struct named_init {
  int number;
  const wchar_t *name;
  double average;
};

typedef const char *ccp;

static inline int
test_restrict (ccp restrict text)
{
  // See if C++-style comments work.
  // Iterate through items via the restricted pointer.
  // Also check for declarations in for loops.
  for (unsigned int i = 0; *(text+i) != '\''\0'\''; ++i)
    continue;
  return 0;
}

// Check varargs and va_copy.
static bool
test_varargs (const char *format, ...)
{
  va_list args;
  va_start (args, format);
  va_list args_copy;
  va_copy (args_copy, args);

  const char *str = "";
  int number = 0;
  float fnumber = 0;

  while (*format)
    {
      switch (*format++)
	{
	case '\''s'\'': // string
	  str = va_arg (args_copy, const char *);
	  break;
	case '\''d'\'': // int
	  number = va_arg (args_copy, int);
	  break;
	case '\''f'\'': // float
	  fnumber = va_arg (args_copy, double);
	  break;
	default:
	  break;
	}
    }
  va_end (args_copy);
  va_end (args);

  return *str && number && fnumber;
}
'

# Test code for whether the C compiler supports C99 (body of main).
ac_c_conftest_c99_main='
  // Check bool.
  _Bool success = false;
  success |= (argc != 0);

  // Check restrict.
  if (test_restrict ("String literal") == 0)
    success = true;
  char *restrict newvar = "Another string";

  // Check varargs.
  success &= test_varargs ("s, d'\'' f .", "string", 65, 34.234);
  test_varargs_macros ();

  // Check flexible array members.
  struct incomplete_array *ia =
    malloc (sizeof (struct incomplete_array) + (sizeof (double) * 10));
  ia->datasize = 10;
  for (int i = 0; i < ia->datasize; ++i)
    ia->data[i] = i * 1.234;

  // Check named initializers.
  struct named_init ni = {
    .number = 34,
    .name = L"Test wide string",
    .average = 543.34343,
  };

  ni.number = 58;

  int dynamic_array[ni.number];
  dynamic_array[0] = argv[0][0];
  dynamic_array[ni.number - 1] = 543;

  // work around unused variable warnings
  ok |= (!success || bignum == 0LL || ubignum == 0uLL || newvar[0] == '\''x'\''
	 || dynamic_array[ni.number - 1] != 543);
'

# Test code for whether the C compiler supports C11 (global declarations)
ac_c_conftest_c11_globals='
// Does the compiler advertise C11 conformance?
#if !defined __STDC_VERSION__ || __STDC_VERSION__ < 201112L
# error "Compiler does not advertise C11 conformance"
#endif

// Check _Alignas.
char _Alignas (double) aligned_as_double;
char _Alignas (0) no_special_alignment;
extern char aligned_as_int;
char _Alignas (0) _Alignas (int) aligned_as_int;

// Check _Alignof.
enum
{
  int_alignment = _Alignof (int),
  int_array_alignment = _Alignof (int[100]),
  char_alignment = _Alignof (char)
};
_Static_assert (0 < -_Alignof (int), "_Alignof is signed");

// Check _Noreturn.
int _Noreturn does_not_return (void) { for (;;) continue; }

// Check _Static_assert.
struct test_static_assert
{
  int x;
  _Static_assert (sizeof (int) <= sizeof (long int),
                  "_Static_assert does not work in struct");
  long int y;
};

// Check UTF-8 literals.
#define u8 syntax error!
char const utf8_literal[] = u8"happens to be ASCII" "another string";

// Check duplicate typedefs.
typedef long *long_ptr;
typedef long int *long_ptr;
typedef long_ptr long_ptr;

// Anonymous structures and unions -- taken from C11 6.7.2.1 Example 1.
struct anonymous
{
  union {
    struct { int i; int j; };
    struct { int k; long int l; } w;
  };
  int m;
} v1;
'

# Test code for whether the C compiler supports C11 (body of main).
ac_c_conftest_c11_main='
  _Static_assert ((offsetof (struct anonymous, i)
		   == offsetof (struct anonymous, w.k)),
		  "Anonymous union alignment botch");
  v1.i = 2;
  v1.w.k = 5;
  ok |= v1.i != 5;
'

# Test code for whether the C compiler supports C11 (complete).
ac_c_conftest_c11_program="${ac_c_conftest_c89_globals}
${ac_c_conftest_c99_globals}
${ac_c_conftest_c11_globals}

int
main (int argc, char **argv)
{
  int ok = 0;
  ${ac_c_conftest_c89_main}
  ${ac_c_conftest_c99_main}
  ${ac_c_conftest_c11_main}
  return ok;
}
"

# Test code for whether the C compiler supports C99 (complete).
ac_c_conftest_c99_program="${ac_c_conftest_c89_globals}
${ac_c_conftest_c99_globals}

int
main (int argc, char **argv)
{
  int ok = 0;
  ${ac_c_conftest_c89_main}
  ${ac_c_conftest_c99_main}
  return ok;
}
"

# Test code for whether the C compiler supports C89 (complete).
ac_c_conftest_c89_program="${ac_c_conftest_c89_globals}

int
main (int argc, char **argv)
{
  int ok = 0;
  ${ac_c_conftest_c89_main}
  return ok;
}
"


# Auxiliary files required by this configure script.
ac_aux_files="install-sh"

# Locations in which to look for auxiliary files.
ac_aux_dir_candidates="${srcdir}${PATH_SEPARATOR}${srcdir}/..${PATH_SEPARATOR}${srcdir}/../.."

# Search for a directory containing all of the required auxiliary files,
# $ac_aux_files, from the $PATH-style list $ac_aux_dir_candidates.
# If we don't find one directory that contains all the files we need,
# we report the set of missing files from the *first* directory in
# $ac_aux_dir_candidates and give up.
ac_missing_aux_files=""
ac_first_candidate=:
printf "%s\n" "$as_me:${as_lineno-$LINENO}: looking for aux files: $ac_aux_files" >&5
as_save_IFS=$IFS; IFS=$PATH_SEPARATOR
as_found=false
for as_dir in $ac_aux_dir_candidates
do
  IFS=$as_save_IFS
  case $as_dir in #(((
    '') as_dir=./ ;;
    */) ;;
    *) as_dir=$as_dir/ ;;
  esac
  as_found=:

  printf "%s\n" "$as_me:${as_lineno-$LINENO}:  trying $as_dir" >&5
  ac_aux_dir_found=yes
  ac_install_sh=
  for ac_aux in $ac_aux_files
  do
    # As a special case, if "install-sh" is required, that requirement
    # can be satisfied by any of "install-sh", "install.sh", or "shtool",
    # and $ac_install_sh is set appropriately for whichever one is found.
    if test x"$ac_aux" = x"install-sh"
    then
      if test -f "${as_dir}install-sh"; then
        printf "%s\n" "$as_me:${as_lineno-$LINENO}:   ${as_dir}install-sh found" >&5
        ac_install_sh="${as_dir}install-sh -c"
      elif test -f "${as_dir}install.sh"; then
        printf "%s\n" "$as_me:${as_lineno-$LINENO}:   ${as_dir}install.sh found" >&5
        ac_install_sh="${as_dir}install.sh -c"
      elif test -f "${as_dir}shtool"; then
        printf "%s\n" "$as_me:${as_lineno-$LINENO}:   ${as_dir}shtool found" >&5
        ac_install_sh="${as_dir}shtool install -c"
      else
        ac_aux_dir_found=no
        if $ac_first_candidate; then
          ac_missing_aux_files="${ac_missing_aux_files} install-sh"
        else
          break
        fi
      fi
    else
      if test -f "${as_dir}${ac_aux}"; then
        printf "%s\n" "$as_me:${as_lineno-$LINENO}:   ${as_dir}${ac_aux} found" >&5
      else
        ac_aux_dir_found=no
        if $ac_first_candidate; then
          ac_missing_aux_files="${ac_missing_aux_files} ${ac_aux}"
        else
          break
        fi
      fi
    fi
  done
  if test "$ac_aux_dir_found" = yes; then
    ac_aux_dir="$as_dir"
    break
  fi
  ac_first_candidate=false

  as_found=false
done
IFS=$as_save_IFS
if $as_found
then :

else $as_nop
  as_fn_error $? "cannot find required auxiliary files:$ac_missing_aux_files" "$LINENO" 5
fi


# These three variables are undocumented and unsupported,
# and are intended to be withdrawn in a future Autoconf release.
# They can cause serious problems if a builder's source tree is in a directory
# whose full name contains unusual characters.
if test -f "${ac_aux_dir}config.guess"; then
  ac_config_guess="$SHELL ${ac_aux_dir}config.guess"
fi
if test -f "${ac_aux_dir}config.sub"; then
  ac_config_sub="$SHELL ${ac_aux_dir}config.sub"
fi
if test -f "$ac_aux_dir/configure"; then
  ac_configure="$SHELL ${ac_aux_dir}configure"
fi

# Check that the precious variables saved in the cache have kept the same
# value.
ac_cache_corrupted=false
for ac_var in $ac_precious_vars; do
  eval ac_old_set=\$ac_cv_env_${ac_var}_set
  eval ac_new_set=\$ac_env_${ac_var}_set
  eval ac_old_val=\$ac_cv_env_${ac_var}_value
  eval ac_new_val=\$ac_env_${ac_var}_value
  case $ac_old_set,$ac_new_set in
    set,)
      { printf "%s\n" "$as_me:${as_lineno-$LINENO}: error: \`$ac_var' was set to \`$ac_old_val' in the previous run" >&5
printf "%s\n" "$as_me: error: \`$ac_var' was set to \`$ac_old_val' in the previous run" >&2;}
      ac_cache_corrupted=: ;;
    ,set)
      { printf "%s\n" "$as_me:${as_lineno-$LINENO}: error: \`$ac_var' was not set in the previous run" >&5
printf "%s\n" "$as_me: error: \`$ac_var' was not set in the previous run" >&2;}
      ac_cache_corrupted=: ;;
    ,);;
    *)
      if test "x$ac_old_val" != "x$ac_new_val"; then
	# differences in whitespace do not lead to failure.
	ac_old_val_w=`echo x $ac_old_val`
	ac_new_val_w=`echo x $ac_new_val`
	if test "$ac_old_val_w" != "$ac_new_val_w"; then
	  { printf "%s\n" "$as_me:${as_lineno-$LINENO}: error: \`$ac_var' has changed since the previous run:" >&5
printf "%s\n" "$as_me: error: \`$ac_var' has changed since the previous run:" >&2;}
	  ac_cache_corrupted=:
	else
	  { printf "%s\n" "$as_me:${as_lineno-$LINENO}: warning: ignoring whitespace changes in \`$ac_var' since the previous run:" >&5
printf "%s\n" "$as_me: warning: ignoring whitespace changes in \`$ac_var' since the previous run:" >&2;}
	  eval $ac_var=\$ac_old_val
	fi
	{ printf "%s\n" "$as_me:${as_lineno-$LINENO}:   former value:  \`$ac_old_val'" >&5
printf "%s\n" "$as_me:   former value:  \`$ac_old_val'" >&2;}
	{ printf "%s\n" "$as_me:${as_lineno-$LINENO}:   current value: \`$ac_new_val'" >&5
printf "%s\n" "$as_me:   current value: \`$ac_new_val'" >&2;}
      fi;;
  esac
  # Pass precious variables to config.status.
  if test "$ac_new_set" = set; then
    case $ac_new_val in
    *\'*) ac_arg=$ac_var=`printf "%s\n" "$ac_new_val" | sed "s/'/'\\\\\\\\''/g"` ;;
    *) ac_arg=$ac_var=$ac_new_val ;;
    esac
    case " $ac_configure_args " in
      *" '$ac_arg' "*) ;; # Avoid dups.  Use of quotes ensures accuracy.
      *) as_fn_append ac_configure_args " '$ac_arg'" ;;
    esac
  fi
done
if $ac_cache_corrupted; then
  { printf "%s\n" "$as_me:${as_lineno-$LINENO}: error: in \`$ac_pwd':" >&5
printf "%s\n" "$as_me: error: in \`$ac_pwd':" >&2;}
  { printf "%s\n" "$as_me:${as_lineno-$LINENO}: error: changes in the environment can compromise the build" >&5
printf "%s\n" "$as_me: error: changes in the environment can compromise the build" >&2;}
  as_fn_error $? "run \`${MAKE-make} distclean' and/or \`rm $cache_file'
	    and start over" "$LINENO" 5
fi
## -------------------- ##
## Main body of script. ##
## -------------------- ##

ac_ext=c
ac_cpp='$CPP $CPPFLAGS'
ac_compile='$CC -c $CFLAGS $CPPFLAGS conftest.$ac_ext >&5'
ac_link='$CC -o conftest$ac_exeext $CFLAGS $CPPFLAGS $LDFLAGS conftest.$ac_ext $LIBS >&5'
ac_compiler_gnu=$ac_cv_c_compiler_gnu



# verbosemake

# Check whether --enable-verbose-make was given.
if test ${enable_verbose_make+y}
then :
  enableval=$enable_verbose_make;
else $as_nop
  enable_verbose_make=no
fi


# LOCAL_CONF

# Check whether --enable-local was given.
if test ${enable_local+y}
then :
  enableval=$enable_local;
else $as_nop
  enable_local=no
fi


# RELOCATABLE INSTALLATION

# Check whether --enable-relocation was given.
if test ${enable_relocation+y}
then :
  enableval=$enable_relocation;
else $as_nop
  enable_relocation=no
fi


# NATIVE

# Check whether --enable-native-code was given.
if test ${enable_native_code+y}
then :
  enableval=$enable_native_code;
else $as_nop
  enable_native_code=yes
fi


# WHY3LIB

# Check whether --enable-why3-lib was given.
if test ${enable_why3_lib+y}
then :
  enableval=$enable_why3_lib;
else $as_nop
  enable_why3_lib=yes
fi


# Zarith

# Check whether --enable-zarith was given.
if test ${enable_zarith+y}
then :
  enableval=$enable_zarith;
else $as_nop
  enable_zarith=check
fi


# ocamlfind

# Check whether --enable-ocamlfind was given.
if test ${enable_ocamlfind+y}
then :
  enableval=$enable_ocamlfind;
else $as_nop
  enable_ocamlfind=check
fi


# camlzip

# Check whether --enable-zip was given.
if test ${enable_zip+y}
then :
  enableval=$enable_zip;
else $as_nop
  enable_zip=check
fi


# infer

# Check whether --enable-infer was given.
if test ${enable_infer+y}
then :
  enableval=$enable_infer;
else $as_nop
  enable_infer=no
fi


# bddinfer

# Check whether --enable-bddinfer was given.
if test ${enable_bddinfer+y}
then :
  enableval=$enable_bddinfer;
else $as_nop
  enable_bddinfer=no
fi


# js_of_ocaml

# Check whether --enable-js_of_ocaml was given.
if test ${enable_js_of_ocaml+y}
then :
  enableval=$enable_js_of_ocaml;
else $as_nop
  enable_js_of_ocaml=check
fi


# re

# Check whether --enable-re was given.
if test ${enable_re+y}
then :
  enableval=$enable_re;
else $as_nop
  enable_re=check
fi


# pp_sexp

# Check whether --enable-pp-sexp was given.
if test ${enable_pp_sexp+y}
then :
  enableval=$enable_pp_sexp;
else $as_nop
  enable_pp_sexp=yes
fi


# IDE

# Check whether --enable-ide was given.
if test ${enable_ide+y}
then :
  enableval=$enable_ide;
else $as_nop
  enable_ide=check
fi


# Check whether --enable-web_ide was given.
if test ${enable_web_ide+y}
then :
  enableval=$enable_web_ide;
else $as_nop
  enable_web_ide=check
fi


# Coq libraries

# Check whether --enable-coq-libs was given.
if test ${enable_coq_libs+y}
then :
  enableval=$enable_coq_libs;
else $as_nop
  enable_coq_libs=yes
fi


# PVS libraries

# Check whether --enable-pvs-libs was given.
if test ${enable_pvs_libs+y}
then :
  enableval=$enable_pvs_libs;
else $as_nop
  enable_pvs_libs=yes
fi


# Isabelle libraries

# Check whether --enable-isabelle-libs was given.
if test ${enable_isabelle_libs+y}
then :
  enableval=$enable_isabelle_libs;
else $as_nop
  enable_isabelle_libs=yes
fi


# MLMPFR

# Check whether --enable-mpfr was given.
if test ${enable_mpfr+y}
then :
  enableval=$enable_mpfr;
else $as_nop
  enable_mpfr=check
fi


# hypothesis selection

# Check whether --enable-hypothesis-selection was given.
if test ${enable_hypothesis_selection+y}
then :
  enableval=$enable_hypothesis_selection;
else $as_nop
  enable_hypothesis_selection=check
fi


# stackify

# Check whether --enable-stackify was given.
if test ${enable_stackify+y}
then :
  enableval=$enable_stackify;
else $as_nop
  enable_stackify=check
fi


# documentation

# Check whether --enable-doc was given.
if test ${enable_doc+y}
then :
  enableval=$enable_doc;
else $as_nop
  enable_doc=yes
fi


# Check whether --enable-html-pdf was given.
if test ${enable_html_pdf+y}
then :
  enableval=$enable_html_pdf;
else $as_nop
  enable_pdf_doc=yes
fi


# Experimental Jessie3 Frama-C plugin, disabled by default

# Check whether --enable-frama-c was given.
if test ${enable_frama_c+y}
then :
  enableval=$enable_frama_c;
else $as_nop
  enable_frama_c=no
     reason_frama_c=" (disabled by default)"
fi


# profiling with statememprof

# Check whether --enable-statmemprof was given.
if test ${enable_statmemprof+y}
then :
  enableval=$enable_statmemprof;
else $as_nop
  enable_statmemprof=no
     reason_statmemprof=" (disabled by default)"
fi


# Emacs compilation

# Check whether --enable-emacs-compilation was given.
if test ${enable_emacs_compilation+y}
then :
  enableval=$enable_emacs_compilation;
else $as_nop
  enable_emacs_compilation=yes
fi


# default editor



# either relocation or local, not both
if test "$enable_relocation" = yes -a "$enable_local" = yes ; then
   as_fn_error $? "cannot use --enable-relocation and --enable-local at the same time." "$LINENO" 5
fi

# Check for arch/OS

{ printf "%s\n" "$as_me:${as_lineno-$LINENO}: checking executable suffix" >&5
printf %s "checking executable suffix... " >&6; }
if uname -s | grep -q CYGWIN ; then
  EXE=.exe
  STRIP='echo "no strip "'
  { printf "%s\n" "$as_me:${as_lineno-$LINENO}: result: .exe " >&5
printf "%s\n" ".exe " >&6; }
elif uname -s | grep -q MINGW ; then
  EXE=.exe
  STRIP=strip
  { printf "%s\n" "$as_me:${as_lineno-$LINENO}: result: .exe " >&5
printf "%s\n" ".exe " >&6; }
else
  EXE=
  STRIP=strip
  { printf "%s\n" "$as_me:${as_lineno-$LINENO}: result: " >&5
printf "%s\n" "" >&6; }
fi










ac_ext=c
ac_cpp='$CPP $CPPFLAGS'
ac_compile='$CC -c $CFLAGS $CPPFLAGS conftest.$ac_ext >&5'
ac_link='$CC -o conftest$ac_exeext $CFLAGS $CPPFLAGS $LDFLAGS conftest.$ac_ext $LIBS >&5'
ac_compiler_gnu=$ac_cv_c_compiler_gnu
if test -n "$ac_tool_prefix"; then
  # Extract the first word of "${ac_tool_prefix}gcc", so it can be a program name with args.
set dummy ${ac_tool_prefix}gcc; ac_word=$2
{ printf "%s\n" "$as_me:${as_lineno-$LINENO}: checking for $ac_word" >&5
printf %s "checking for $ac_word... " >&6; }
if test ${ac_cv_prog_CC+y}
then :
  printf %s "(cached) " >&6
else $as_nop
  if test -n "$CC"; then
  ac_cv_prog_CC="$CC" # Let the user override the test.
else
as_save_IFS=$IFS; IFS=$PATH_SEPARATOR
for as_dir in $PATH
do
  IFS=$as_save_IFS
  case $as_dir in #(((
    '') as_dir=./ ;;
    */) ;;
    *) as_dir=$as_dir/ ;;
  esac
    for ac_exec_ext in '' $ac_executable_extensions; do
  if as_fn_executable_p "$as_dir$ac_word$ac_exec_ext"; then
    ac_cv_prog_CC="${ac_tool_prefix}gcc"
    printf "%s\n" "$as_me:${as_lineno-$LINENO}: found $as_dir$ac_word$ac_exec_ext" >&5
    break 2
  fi
done
  done
IFS=$as_save_IFS

fi
fi
CC=$ac_cv_prog_CC
if test -n "$CC"; then
  { printf "%s\n" "$as_me:${as_lineno-$LINENO}: result: $CC" >&5
printf "%s\n" "$CC" >&6; }
else
  { printf "%s\n" "$as_me:${as_lineno-$LINENO}: result: no" >&5
printf "%s\n" "no" >&6; }
fi


fi
if test -z "$ac_cv_prog_CC"; then
  ac_ct_CC=$CC
  # Extract the first word of "gcc", so it can be a program name with args.
set dummy gcc; ac_word=$2
{ printf "%s\n" "$as_me:${as_lineno-$LINENO}: checking for $ac_word" >&5
printf %s "checking for $ac_word... " >&6; }
if test ${ac_cv_prog_ac_ct_CC+y}
then :
  printf %s "(cached) " >&6
else $as_nop
  if test -n "$ac_ct_CC"; then
  ac_cv_prog_ac_ct_CC="$ac_ct_CC" # Let the user override the test.
else
as_save_IFS=$IFS; IFS=$PATH_SEPARATOR
for as_dir in $PATH
do
  IFS=$as_save_IFS
  case $as_dir in #(((
    '') as_dir=./ ;;
    */) ;;
    *) as_dir=$as_dir/ ;;
  esac
    for ac_exec_ext in '' $ac_executable_extensions; do
  if as_fn_executable_p "$as_dir$ac_word$ac_exec_ext"; then
    ac_cv_prog_ac_ct_CC="gcc"
    printf "%s\n" "$as_me:${as_lineno-$LINENO}: found $as_dir$ac_word$ac_exec_ext" >&5
    break 2
  fi
done
  done
IFS=$as_save_IFS

fi
fi
ac_ct_CC=$ac_cv_prog_ac_ct_CC
if test -n "$ac_ct_CC"; then
  { printf "%s\n" "$as_me:${as_lineno-$LINENO}: result: $ac_ct_CC" >&5
printf "%s\n" "$ac_ct_CC" >&6; }
else
  { printf "%s\n" "$as_me:${as_lineno-$LINENO}: result: no" >&5
printf "%s\n" "no" >&6; }
fi

  if test "x$ac_ct_CC" = x; then
    CC=""
  else
    case $cross_compiling:$ac_tool_warned in
yes:)
{ printf "%s\n" "$as_me:${as_lineno-$LINENO}: WARNING: using cross tools not prefixed with host triplet" >&5
printf "%s\n" "$as_me: WARNING: using cross tools not prefixed with host triplet" >&2;}
ac_tool_warned=yes ;;
esac
    CC=$ac_ct_CC
  fi
else
  CC="$ac_cv_prog_CC"
fi

if test -z "$CC"; then
          if test -n "$ac_tool_prefix"; then
    # Extract the first word of "${ac_tool_prefix}cc", so it can be a program name with args.
set dummy ${ac_tool_prefix}cc; ac_word=$2
{ printf "%s\n" "$as_me:${as_lineno-$LINENO}: checking for $ac_word" >&5
printf %s "checking for $ac_word... " >&6; }
if test ${ac_cv_prog_CC+y}
then :
  printf %s "(cached) " >&6
else $as_nop
  if test -n "$CC"; then
  ac_cv_prog_CC="$CC" # Let the user override the test.
else
as_save_IFS=$IFS; IFS=$PATH_SEPARATOR
for as_dir in $PATH
do
  IFS=$as_save_IFS
  case $as_dir in #(((
    '') as_dir=./ ;;
    */) ;;
    *) as_dir=$as_dir/ ;;
  esac
    for ac_exec_ext in '' $ac_executable_extensions; do
  if as_fn_executable_p "$as_dir$ac_word$ac_exec_ext"; then
    ac_cv_prog_CC="${ac_tool_prefix}cc"
    printf "%s\n" "$as_me:${as_lineno-$LINENO}: found $as_dir$ac_word$ac_exec_ext" >&5
    break 2
  fi
done
  done
IFS=$as_save_IFS

fi
fi
CC=$ac_cv_prog_CC
if test -n "$CC"; then
  { printf "%s\n" "$as_me:${as_lineno-$LINENO}: result: $CC" >&5
printf "%s\n" "$CC" >&6; }
else
  { printf "%s\n" "$as_me:${as_lineno-$LINENO}: result: no" >&5
printf "%s\n" "no" >&6; }
fi


  fi
fi
if test -z "$CC"; then
  # Extract the first word of "cc", so it can be a program name with args.
set dummy cc; ac_word=$2
{ printf "%s\n" "$as_me:${as_lineno-$LINENO}: checking for $ac_word" >&5
printf %s "checking for $ac_word... " >&6; }
if test ${ac_cv_prog_CC+y}
then :
  printf %s "(cached) " >&6
else $as_nop
  if test -n "$CC"; then
  ac_cv_prog_CC="$CC" # Let the user override the test.
else
  ac_prog_rejected=no
as_save_IFS=$IFS; IFS=$PATH_SEPARATOR
for as_dir in $PATH
do
  IFS=$as_save_IFS
  case $as_dir in #(((
    '') as_dir=./ ;;
    */) ;;
    *) as_dir=$as_dir/ ;;
  esac
    for ac_exec_ext in '' $ac_executable_extensions; do
  if as_fn_executable_p "$as_dir$ac_word$ac_exec_ext"; then
    if test "$as_dir$ac_word$ac_exec_ext" = "/usr/ucb/cc"; then
       ac_prog_rejected=yes
       continue
     fi
    ac_cv_prog_CC="cc"
    printf "%s\n" "$as_me:${as_lineno-$LINENO}: found $as_dir$ac_word$ac_exec_ext" >&5
    break 2
  fi
done
  done
IFS=$as_save_IFS

if test $ac_prog_rejected = yes; then
  # We found a bogon in the path, so make sure we never use it.
  set dummy $ac_cv_prog_CC
  shift
  if test $# != 0; then
    # We chose a different compiler from the bogus one.
    # However, it has the same basename, so the bogon will be chosen
    # first if we set CC to just the basename; use the full file name.
    shift
    ac_cv_prog_CC="$as_dir$ac_word${1+' '}$@"
  fi
fi
fi
fi
CC=$ac_cv_prog_CC
if test -n "$CC"; then
  { printf "%s\n" "$as_me:${as_lineno-$LINENO}: result: $CC" >&5
printf "%s\n" "$CC" >&6; }
else
  { printf "%s\n" "$as_me:${as_lineno-$LINENO}: result: no" >&5
printf "%s\n" "no" >&6; }
fi


fi
if test -z "$CC"; then
  if test -n "$ac_tool_prefix"; then
  for ac_prog in cl.exe
  do
    # Extract the first word of "$ac_tool_prefix$ac_prog", so it can be a program name with args.
set dummy $ac_tool_prefix$ac_prog; ac_word=$2
{ printf "%s\n" "$as_me:${as_lineno-$LINENO}: checking for $ac_word" >&5
printf %s "checking for $ac_word... " >&6; }
if test ${ac_cv_prog_CC+y}
then :
  printf %s "(cached) " >&6
else $as_nop
  if test -n "$CC"; then
  ac_cv_prog_CC="$CC" # Let the user override the test.
else
as_save_IFS=$IFS; IFS=$PATH_SEPARATOR
for as_dir in $PATH
do
  IFS=$as_save_IFS
  case $as_dir in #(((
    '') as_dir=./ ;;
    */) ;;
    *) as_dir=$as_dir/ ;;
  esac
    for ac_exec_ext in '' $ac_executable_extensions; do
  if as_fn_executable_p "$as_dir$ac_word$ac_exec_ext"; then
    ac_cv_prog_CC="$ac_tool_prefix$ac_prog"
    printf "%s\n" "$as_me:${as_lineno-$LINENO}: found $as_dir$ac_word$ac_exec_ext" >&5
    break 2
  fi
done
  done
IFS=$as_save_IFS

fi
fi
CC=$ac_cv_prog_CC
if test -n "$CC"; then
  { printf "%s\n" "$as_me:${as_lineno-$LINENO}: result: $CC" >&5
printf "%s\n" "$CC" >&6; }
else
  { printf "%s\n" "$as_me:${as_lineno-$LINENO}: result: no" >&5
printf "%s\n" "no" >&6; }
fi


    test -n "$CC" && break
  done
fi
if test -z "$CC"; then
  ac_ct_CC=$CC
  for ac_prog in cl.exe
do
  # Extract the first word of "$ac_prog", so it can be a program name with args.
set dummy $ac_prog; ac_word=$2
{ printf "%s\n" "$as_me:${as_lineno-$LINENO}: checking for $ac_word" >&5
printf %s "checking for $ac_word... " >&6; }
if test ${ac_cv_prog_ac_ct_CC+y}
then :
  printf %s "(cached) " >&6
else $as_nop
  if test -n "$ac_ct_CC"; then
  ac_cv_prog_ac_ct_CC="$ac_ct_CC" # Let the user override the test.
else
as_save_IFS=$IFS; IFS=$PATH_SEPARATOR
for as_dir in $PATH
do
  IFS=$as_save_IFS
  case $as_dir in #(((
    '') as_dir=./ ;;
    */) ;;
    *) as_dir=$as_dir/ ;;
  esac
    for ac_exec_ext in '' $ac_executable_extensions; do
  if as_fn_executable_p "$as_dir$ac_word$ac_exec_ext"; then
    ac_cv_prog_ac_ct_CC="$ac_prog"
    printf "%s\n" "$as_me:${as_lineno-$LINENO}: found $as_dir$ac_word$ac_exec_ext" >&5
    break 2
  fi
done
  done
IFS=$as_save_IFS

fi
fi
ac_ct_CC=$ac_cv_prog_ac_ct_CC
if test -n "$ac_ct_CC"; then
  { printf "%s\n" "$as_me:${as_lineno-$LINENO}: result: $ac_ct_CC" >&5
printf "%s\n" "$ac_ct_CC" >&6; }
else
  { printf "%s\n" "$as_me:${as_lineno-$LINENO}: result: no" >&5
printf "%s\n" "no" >&6; }
fi


  test -n "$ac_ct_CC" && break
done

  if test "x$ac_ct_CC" = x; then
    CC=""
  else
    case $cross_compiling:$ac_tool_warned in
yes:)
{ printf "%s\n" "$as_me:${as_lineno-$LINENO}: WARNING: using cross tools not prefixed with host triplet" >&5
printf "%s\n" "$as_me: WARNING: using cross tools not prefixed with host triplet" >&2;}
ac_tool_warned=yes ;;
esac
    CC=$ac_ct_CC
  fi
fi

fi
if test -z "$CC"; then
  if test -n "$ac_tool_prefix"; then
  # Extract the first word of "${ac_tool_prefix}clang", so it can be a program name with args.
set dummy ${ac_tool_prefix}clang; ac_word=$2
{ printf "%s\n" "$as_me:${as_lineno-$LINENO}: checking for $ac_word" >&5
printf %s "checking for $ac_word... " >&6; }
if test ${ac_cv_prog_CC+y}
then :
  printf %s "(cached) " >&6
else $as_nop
  if test -n "$CC"; then
  ac_cv_prog_CC="$CC" # Let the user override the test.
else
as_save_IFS=$IFS; IFS=$PATH_SEPARATOR
for as_dir in $PATH
do
  IFS=$as_save_IFS
  case $as_dir in #(((
    '') as_dir=./ ;;
    */) ;;
    *) as_dir=$as_dir/ ;;
  esac
    for ac_exec_ext in '' $ac_executable_extensions; do
  if as_fn_executable_p "$as_dir$ac_word$ac_exec_ext"; then
    ac_cv_prog_CC="${ac_tool_prefix}clang"
    printf "%s\n" "$as_me:${as_lineno-$LINENO}: found $as_dir$ac_word$ac_exec_ext" >&5
    break 2
  fi
done
  done
IFS=$as_save_IFS

fi
fi
CC=$ac_cv_prog_CC
if test -n "$CC"; then
  { printf "%s\n" "$as_me:${as_lineno-$LINENO}: result: $CC" >&5
printf "%s\n" "$CC" >&6; }
else
  { printf "%s\n" "$as_me:${as_lineno-$LINENO}: result: no" >&5
printf "%s\n" "no" >&6; }
fi


fi
if test -z "$ac_cv_prog_CC"; then
  ac_ct_CC=$CC
  # Extract the first word of "clang", so it can be a program name with args.
set dummy clang; ac_word=$2
{ printf "%s\n" "$as_me:${as_lineno-$LINENO}: checking for $ac_word" >&5
printf %s "checking for $ac_word... " >&6; }
if test ${ac_cv_prog_ac_ct_CC+y}
then :
  printf %s "(cached) " >&6
else $as_nop
  if test -n "$ac_ct_CC"; then
  ac_cv_prog_ac_ct_CC="$ac_ct_CC" # Let the user override the test.
else
as_save_IFS=$IFS; IFS=$PATH_SEPARATOR
for as_dir in $PATH
do
  IFS=$as_save_IFS
  case $as_dir in #(((
    '') as_dir=./ ;;
    */) ;;
    *) as_dir=$as_dir/ ;;
  esac
    for ac_exec_ext in '' $ac_executable_extensions; do
  if as_fn_executable_p "$as_dir$ac_word$ac_exec_ext"; then
    ac_cv_prog_ac_ct_CC="clang"
    printf "%s\n" "$as_me:${as_lineno-$LINENO}: found $as_dir$ac_word$ac_exec_ext" >&5
    break 2
  fi
done
  done
IFS=$as_save_IFS

fi
fi
ac_ct_CC=$ac_cv_prog_ac_ct_CC
if test -n "$ac_ct_CC"; then
  { printf "%s\n" "$as_me:${as_lineno-$LINENO}: result: $ac_ct_CC" >&5
printf "%s\n" "$ac_ct_CC" >&6; }
else
  { printf "%s\n" "$as_me:${as_lineno-$LINENO}: result: no" >&5
printf "%s\n" "no" >&6; }
fi

  if test "x$ac_ct_CC" = x; then
    CC=""
  else
    case $cross_compiling:$ac_tool_warned in
yes:)
{ printf "%s\n" "$as_me:${as_lineno-$LINENO}: WARNING: using cross tools not prefixed with host triplet" >&5
printf "%s\n" "$as_me: WARNING: using cross tools not prefixed with host triplet" >&2;}
ac_tool_warned=yes ;;
esac
    CC=$ac_ct_CC
  fi
else
  CC="$ac_cv_prog_CC"
fi

fi


test -z "$CC" && { { printf "%s\n" "$as_me:${as_lineno-$LINENO}: error: in \`$ac_pwd':" >&5
printf "%s\n" "$as_me: error: in \`$ac_pwd':" >&2;}
as_fn_error $? "no acceptable C compiler found in \$PATH
See \`config.log' for more details" "$LINENO" 5; }

# Provide some information about the compiler.
printf "%s\n" "$as_me:${as_lineno-$LINENO}: checking for C compiler version" >&5
set X $ac_compile
ac_compiler=$2
for ac_option in --version -v -V -qversion -version; do
  { { ac_try="$ac_compiler $ac_option >&5"
case "(($ac_try" in
  *\"* | *\`* | *\\*) ac_try_echo=\$ac_try;;
  *) ac_try_echo=$ac_try;;
esac
eval ac_try_echo="\"\$as_me:${as_lineno-$LINENO}: $ac_try_echo\""
printf "%s\n" "$ac_try_echo"; } >&5
  (eval "$ac_compiler $ac_option >&5") 2>conftest.err
  ac_status=$?
  if test -s conftest.err; then
    sed '10a\
... rest of stderr output deleted ...
         10q' conftest.err >conftest.er1
    cat conftest.er1 >&5
  fi
  rm -f conftest.er1 conftest.err
  printf "%s\n" "$as_me:${as_lineno-$LINENO}: \$? = $ac_status" >&5
  test $ac_status = 0; }
done

cat confdefs.h - <<_ACEOF >conftest.$ac_ext
/* end confdefs.h.  */

int
main (void)
{

  ;
  return 0;
}
_ACEOF
ac_clean_files_save=$ac_clean_files
ac_clean_files="$ac_clean_files a.out a.out.dSYM a.exe b.out"
# Try to create an executable without -o first, disregard a.out.
# It will help us diagnose broken compilers, and finding out an intuition
# of exeext.
{ printf "%s\n" "$as_me:${as_lineno-$LINENO}: checking whether the C compiler works" >&5
printf %s "checking whether the C compiler works... " >&6; }
ac_link_default=`printf "%s\n" "$ac_link" | sed 's/ -o *conftest[^ ]*//'`

# The possible output files:
ac_files="a.out conftest.exe conftest a.exe a_out.exe b.out conftest.*"

ac_rmfiles=
for ac_file in $ac_files
do
  case $ac_file in
    *.$ac_ext | *.xcoff | *.tds | *.d | *.pdb | *.xSYM | *.bb | *.bbg | *.map | *.inf | *.dSYM | *.o | *.obj ) ;;
    * ) ac_rmfiles="$ac_rmfiles $ac_file";;
  esac
done
rm -f $ac_rmfiles

if { { ac_try="$ac_link_default"
case "(($ac_try" in
  *\"* | *\`* | *\\*) ac_try_echo=\$ac_try;;
  *) ac_try_echo=$ac_try;;
esac
eval ac_try_echo="\"\$as_me:${as_lineno-$LINENO}: $ac_try_echo\""
printf "%s\n" "$ac_try_echo"; } >&5
  (eval "$ac_link_default") 2>&5
  ac_status=$?
  printf "%s\n" "$as_me:${as_lineno-$LINENO}: \$? = $ac_status" >&5
  test $ac_status = 0; }
then :
  # Autoconf-2.13 could set the ac_cv_exeext variable to `no'.
# So ignore a value of `no', otherwise this would lead to `EXEEXT = no'
# in a Makefile.  We should not override ac_cv_exeext if it was cached,
# so that the user can short-circuit this test for compilers unknown to
# Autoconf.
for ac_file in $ac_files ''
do
  test -f "$ac_file" || continue
  case $ac_file in
    *.$ac_ext | *.xcoff | *.tds | *.d | *.pdb | *.xSYM | *.bb | *.bbg | *.map | *.inf | *.dSYM | *.o | *.obj )
	;;
    [ab].out )
	# We found the default executable, but exeext='' is most
	# certainly right.
	break;;
    *.* )
	if test ${ac_cv_exeext+y} && test "$ac_cv_exeext" != no;
	then :; else
	   ac_cv_exeext=`expr "$ac_file" : '[^.]*\(\..*\)'`
	fi
	# We set ac_cv_exeext here because the later test for it is not
	# safe: cross compilers may not add the suffix if given an `-o'
	# argument, so we may need to know it at that point already.
	# Even if this section looks crufty: it has the advantage of
	# actually working.
	break;;
    * )
	break;;
  esac
done
test "$ac_cv_exeext" = no && ac_cv_exeext=

else $as_nop
  ac_file=''
fi
if test -z "$ac_file"
then :
  { printf "%s\n" "$as_me:${as_lineno-$LINENO}: result: no" >&5
printf "%s\n" "no" >&6; }
printf "%s\n" "$as_me: failed program was:" >&5
sed 's/^/| /' conftest.$ac_ext >&5

{ { printf "%s\n" "$as_me:${as_lineno-$LINENO}: error: in \`$ac_pwd':" >&5
printf "%s\n" "$as_me: error: in \`$ac_pwd':" >&2;}
as_fn_error 77 "C compiler cannot create executables
See \`config.log' for more details" "$LINENO" 5; }
else $as_nop
  { printf "%s\n" "$as_me:${as_lineno-$LINENO}: result: yes" >&5
printf "%s\n" "yes" >&6; }
fi
{ printf "%s\n" "$as_me:${as_lineno-$LINENO}: checking for C compiler default output file name" >&5
printf %s "checking for C compiler default output file name... " >&6; }
{ printf "%s\n" "$as_me:${as_lineno-$LINENO}: result: $ac_file" >&5
printf "%s\n" "$ac_file" >&6; }
ac_exeext=$ac_cv_exeext

rm -f -r a.out a.out.dSYM a.exe conftest$ac_cv_exeext b.out
ac_clean_files=$ac_clean_files_save
{ printf "%s\n" "$as_me:${as_lineno-$LINENO}: checking for suffix of executables" >&5
printf %s "checking for suffix of executables... " >&6; }
if { { ac_try="$ac_link"
case "(($ac_try" in
  *\"* | *\`* | *\\*) ac_try_echo=\$ac_try;;
  *) ac_try_echo=$ac_try;;
esac
eval ac_try_echo="\"\$as_me:${as_lineno-$LINENO}: $ac_try_echo\""
printf "%s\n" "$ac_try_echo"; } >&5
  (eval "$ac_link") 2>&5
  ac_status=$?
  printf "%s\n" "$as_me:${as_lineno-$LINENO}: \$? = $ac_status" >&5
  test $ac_status = 0; }
then :
  # If both `conftest.exe' and `conftest' are `present' (well, observable)
# catch `conftest.exe'.  For instance with Cygwin, `ls conftest' will
# work properly (i.e., refer to `conftest.exe'), while it won't with
# `rm'.
for ac_file in conftest.exe conftest conftest.*; do
  test -f "$ac_file" || continue
  case $ac_file in
    *.$ac_ext | *.xcoff | *.tds | *.d | *.pdb | *.xSYM | *.bb | *.bbg | *.map | *.inf | *.dSYM | *.o | *.obj ) ;;
    *.* ) ac_cv_exeext=`expr "$ac_file" : '[^.]*\(\..*\)'`
	  break;;
    * ) break;;
  esac
done
else $as_nop
  { { printf "%s\n" "$as_me:${as_lineno-$LINENO}: error: in \`$ac_pwd':" >&5
printf "%s\n" "$as_me: error: in \`$ac_pwd':" >&2;}
as_fn_error $? "cannot compute suffix of executables: cannot compile and link
See \`config.log' for more details" "$LINENO" 5; }
fi
rm -f conftest conftest$ac_cv_exeext
{ printf "%s\n" "$as_me:${as_lineno-$LINENO}: result: $ac_cv_exeext" >&5
printf "%s\n" "$ac_cv_exeext" >&6; }

rm -f conftest.$ac_ext
EXEEXT=$ac_cv_exeext
ac_exeext=$EXEEXT
cat confdefs.h - <<_ACEOF >conftest.$ac_ext
/* end confdefs.h.  */
#include 
int
main (void)
{
FILE *f = fopen ("conftest.out", "w");
 return ferror (f) || fclose (f) != 0;

  ;
  return 0;
}
_ACEOF
ac_clean_files="$ac_clean_files conftest.out"
# Check that the compiler produces executables we can run.  If not, either
# the compiler is broken, or we cross compile.
{ printf "%s\n" "$as_me:${as_lineno-$LINENO}: checking whether we are cross compiling" >&5
printf %s "checking whether we are cross compiling... " >&6; }
if test "$cross_compiling" != yes; then
  { { ac_try="$ac_link"
case "(($ac_try" in
  *\"* | *\`* | *\\*) ac_try_echo=\$ac_try;;
  *) ac_try_echo=$ac_try;;
esac
eval ac_try_echo="\"\$as_me:${as_lineno-$LINENO}: $ac_try_echo\""
printf "%s\n" "$ac_try_echo"; } >&5
  (eval "$ac_link") 2>&5
  ac_status=$?
  printf "%s\n" "$as_me:${as_lineno-$LINENO}: \$? = $ac_status" >&5
  test $ac_status = 0; }
  if { ac_try='./conftest$ac_cv_exeext'
  { { case "(($ac_try" in
  *\"* | *\`* | *\\*) ac_try_echo=\$ac_try;;
  *) ac_try_echo=$ac_try;;
esac
eval ac_try_echo="\"\$as_me:${as_lineno-$LINENO}: $ac_try_echo\""
printf "%s\n" "$ac_try_echo"; } >&5
  (eval "$ac_try") 2>&5
  ac_status=$?
  printf "%s\n" "$as_me:${as_lineno-$LINENO}: \$? = $ac_status" >&5
  test $ac_status = 0; }; }; then
    cross_compiling=no
  else
    if test "$cross_compiling" = maybe; then
	cross_compiling=yes
    else
	{ { printf "%s\n" "$as_me:${as_lineno-$LINENO}: error: in \`$ac_pwd':" >&5
printf "%s\n" "$as_me: error: in \`$ac_pwd':" >&2;}
as_fn_error 77 "cannot run C compiled programs.
If you meant to cross compile, use \`--host'.
See \`config.log' for more details" "$LINENO" 5; }
    fi
  fi
fi
{ printf "%s\n" "$as_me:${as_lineno-$LINENO}: result: $cross_compiling" >&5
printf "%s\n" "$cross_compiling" >&6; }

rm -f conftest.$ac_ext conftest$ac_cv_exeext conftest.out
ac_clean_files=$ac_clean_files_save
{ printf "%s\n" "$as_me:${as_lineno-$LINENO}: checking for suffix of object files" >&5
printf %s "checking for suffix of object files... " >&6; }
if test ${ac_cv_objext+y}
then :
  printf %s "(cached) " >&6
else $as_nop
  cat confdefs.h - <<_ACEOF >conftest.$ac_ext
/* end confdefs.h.  */

int
main (void)
{

  ;
  return 0;
}
_ACEOF
rm -f conftest.o conftest.obj
if { { ac_try="$ac_compile"
case "(($ac_try" in
  *\"* | *\`* | *\\*) ac_try_echo=\$ac_try;;
  *) ac_try_echo=$ac_try;;
esac
eval ac_try_echo="\"\$as_me:${as_lineno-$LINENO}: $ac_try_echo\""
printf "%s\n" "$ac_try_echo"; } >&5
  (eval "$ac_compile") 2>&5
  ac_status=$?
  printf "%s\n" "$as_me:${as_lineno-$LINENO}: \$? = $ac_status" >&5
  test $ac_status = 0; }
then :
  for ac_file in conftest.o conftest.obj conftest.*; do
  test -f "$ac_file" || continue;
  case $ac_file in
    *.$ac_ext | *.xcoff | *.tds | *.d | *.pdb | *.xSYM | *.bb | *.bbg | *.map | *.inf | *.dSYM ) ;;
    *) ac_cv_objext=`expr "$ac_file" : '.*\.\(.*\)'`
       break;;
  esac
done
else $as_nop
  printf "%s\n" "$as_me: failed program was:" >&5
sed 's/^/| /' conftest.$ac_ext >&5

{ { printf "%s\n" "$as_me:${as_lineno-$LINENO}: error: in \`$ac_pwd':" >&5
printf "%s\n" "$as_me: error: in \`$ac_pwd':" >&2;}
as_fn_error $? "cannot compute suffix of object files: cannot compile
See \`config.log' for more details" "$LINENO" 5; }
fi
rm -f conftest.$ac_cv_objext conftest.$ac_ext
fi
{ printf "%s\n" "$as_me:${as_lineno-$LINENO}: result: $ac_cv_objext" >&5
printf "%s\n" "$ac_cv_objext" >&6; }
OBJEXT=$ac_cv_objext
ac_objext=$OBJEXT
{ printf "%s\n" "$as_me:${as_lineno-$LINENO}: checking whether the compiler supports GNU C" >&5
printf %s "checking whether the compiler supports GNU C... " >&6; }
if test ${ac_cv_c_compiler_gnu+y}
then :
  printf %s "(cached) " >&6
else $as_nop
  cat confdefs.h - <<_ACEOF >conftest.$ac_ext
/* end confdefs.h.  */

int
main (void)
{
#ifndef __GNUC__
       choke me
#endif

  ;
  return 0;
}
_ACEOF
if ac_fn_c_try_compile "$LINENO"
then :
  ac_compiler_gnu=yes
else $as_nop
  ac_compiler_gnu=no
fi
rm -f core conftest.err conftest.$ac_objext conftest.beam conftest.$ac_ext
ac_cv_c_compiler_gnu=$ac_compiler_gnu

fi
{ printf "%s\n" "$as_me:${as_lineno-$LINENO}: result: $ac_cv_c_compiler_gnu" >&5
printf "%s\n" "$ac_cv_c_compiler_gnu" >&6; }
ac_compiler_gnu=$ac_cv_c_compiler_gnu

if test $ac_compiler_gnu = yes; then
  GCC=yes
else
  GCC=
fi
ac_test_CFLAGS=${CFLAGS+y}
ac_save_CFLAGS=$CFLAGS
{ printf "%s\n" "$as_me:${as_lineno-$LINENO}: checking whether $CC accepts -g" >&5
printf %s "checking whether $CC accepts -g... " >&6; }
if test ${ac_cv_prog_cc_g+y}
then :
  printf %s "(cached) " >&6
else $as_nop
  ac_save_c_werror_flag=$ac_c_werror_flag
   ac_c_werror_flag=yes
   ac_cv_prog_cc_g=no
   CFLAGS="-g"
   cat confdefs.h - <<_ACEOF >conftest.$ac_ext
/* end confdefs.h.  */

int
main (void)
{

  ;
  return 0;
}
_ACEOF
if ac_fn_c_try_compile "$LINENO"
then :
  ac_cv_prog_cc_g=yes
else $as_nop
  CFLAGS=""
      cat confdefs.h - <<_ACEOF >conftest.$ac_ext
/* end confdefs.h.  */

int
main (void)
{

  ;
  return 0;
}
_ACEOF
if ac_fn_c_try_compile "$LINENO"
then :

else $as_nop
  ac_c_werror_flag=$ac_save_c_werror_flag
	 CFLAGS="-g"
	 cat confdefs.h - <<_ACEOF >conftest.$ac_ext
/* end confdefs.h.  */

int
main (void)
{

  ;
  return 0;
}
_ACEOF
if ac_fn_c_try_compile "$LINENO"
then :
  ac_cv_prog_cc_g=yes
fi
rm -f core conftest.err conftest.$ac_objext conftest.beam conftest.$ac_ext
fi
rm -f core conftest.err conftest.$ac_objext conftest.beam conftest.$ac_ext
fi
rm -f core conftest.err conftest.$ac_objext conftest.beam conftest.$ac_ext
   ac_c_werror_flag=$ac_save_c_werror_flag
fi
{ printf "%s\n" "$as_me:${as_lineno-$LINENO}: result: $ac_cv_prog_cc_g" >&5
printf "%s\n" "$ac_cv_prog_cc_g" >&6; }
if test $ac_test_CFLAGS; then
  CFLAGS=$ac_save_CFLAGS
elif test $ac_cv_prog_cc_g = yes; then
  if test "$GCC" = yes; then
    CFLAGS="-g -O2"
  else
    CFLAGS="-g"
  fi
else
  if test "$GCC" = yes; then
    CFLAGS="-O2"
  else
    CFLAGS=
  fi
fi
ac_prog_cc_stdc=no
if test x$ac_prog_cc_stdc = xno
then :
  { printf "%s\n" "$as_me:${as_lineno-$LINENO}: checking for $CC option to enable C11 features" >&5
printf %s "checking for $CC option to enable C11 features... " >&6; }
if test ${ac_cv_prog_cc_c11+y}
then :
  printf %s "(cached) " >&6
else $as_nop
  ac_cv_prog_cc_c11=no
ac_save_CC=$CC
cat confdefs.h - <<_ACEOF >conftest.$ac_ext
/* end confdefs.h.  */
$ac_c_conftest_c11_program
_ACEOF
for ac_arg in '' -std=gnu11
do
  CC="$ac_save_CC $ac_arg"
  if ac_fn_c_try_compile "$LINENO"
then :
  ac_cv_prog_cc_c11=$ac_arg
fi
rm -f core conftest.err conftest.$ac_objext conftest.beam
  test "x$ac_cv_prog_cc_c11" != "xno" && break
done
rm -f conftest.$ac_ext
CC=$ac_save_CC
fi

if test "x$ac_cv_prog_cc_c11" = xno
then :
  { printf "%s\n" "$as_me:${as_lineno-$LINENO}: result: unsupported" >&5
printf "%s\n" "unsupported" >&6; }
else $as_nop
  if test "x$ac_cv_prog_cc_c11" = x
then :
  { printf "%s\n" "$as_me:${as_lineno-$LINENO}: result: none needed" >&5
printf "%s\n" "none needed" >&6; }
else $as_nop
  { printf "%s\n" "$as_me:${as_lineno-$LINENO}: result: $ac_cv_prog_cc_c11" >&5
printf "%s\n" "$ac_cv_prog_cc_c11" >&6; }
     CC="$CC $ac_cv_prog_cc_c11"
fi
  ac_cv_prog_cc_stdc=$ac_cv_prog_cc_c11
  ac_prog_cc_stdc=c11
fi
fi
if test x$ac_prog_cc_stdc = xno
then :
  { printf "%s\n" "$as_me:${as_lineno-$LINENO}: checking for $CC option to enable C99 features" >&5
printf %s "checking for $CC option to enable C99 features... " >&6; }
if test ${ac_cv_prog_cc_c99+y}
then :
  printf %s "(cached) " >&6
else $as_nop
  ac_cv_prog_cc_c99=no
ac_save_CC=$CC
cat confdefs.h - <<_ACEOF >conftest.$ac_ext
/* end confdefs.h.  */
$ac_c_conftest_c99_program
_ACEOF
for ac_arg in '' -std=gnu99 -std=c99 -c99 -qlanglvl=extc1x -qlanglvl=extc99 -AC99 -D_STDC_C99=
do
  CC="$ac_save_CC $ac_arg"
  if ac_fn_c_try_compile "$LINENO"
then :
  ac_cv_prog_cc_c99=$ac_arg
fi
rm -f core conftest.err conftest.$ac_objext conftest.beam
  test "x$ac_cv_prog_cc_c99" != "xno" && break
done
rm -f conftest.$ac_ext
CC=$ac_save_CC
fi

if test "x$ac_cv_prog_cc_c99" = xno
then :
  { printf "%s\n" "$as_me:${as_lineno-$LINENO}: result: unsupported" >&5
printf "%s\n" "unsupported" >&6; }
else $as_nop
  if test "x$ac_cv_prog_cc_c99" = x
then :
  { printf "%s\n" "$as_me:${as_lineno-$LINENO}: result: none needed" >&5
printf "%s\n" "none needed" >&6; }
else $as_nop
  { printf "%s\n" "$as_me:${as_lineno-$LINENO}: result: $ac_cv_prog_cc_c99" >&5
printf "%s\n" "$ac_cv_prog_cc_c99" >&6; }
     CC="$CC $ac_cv_prog_cc_c99"
fi
  ac_cv_prog_cc_stdc=$ac_cv_prog_cc_c99
  ac_prog_cc_stdc=c99
fi
fi
if test x$ac_prog_cc_stdc = xno
then :
  { printf "%s\n" "$as_me:${as_lineno-$LINENO}: checking for $CC option to enable C89 features" >&5
printf %s "checking for $CC option to enable C89 features... " >&6; }
if test ${ac_cv_prog_cc_c89+y}
then :
  printf %s "(cached) " >&6
else $as_nop
  ac_cv_prog_cc_c89=no
ac_save_CC=$CC
cat confdefs.h - <<_ACEOF >conftest.$ac_ext
/* end confdefs.h.  */
$ac_c_conftest_c89_program
_ACEOF
for ac_arg in '' -qlanglvl=extc89 -qlanglvl=ansi -std -Ae "-Aa -D_HPUX_SOURCE" "-Xc -D__EXTENSIONS__"
do
  CC="$ac_save_CC $ac_arg"
  if ac_fn_c_try_compile "$LINENO"
then :
  ac_cv_prog_cc_c89=$ac_arg
fi
rm -f core conftest.err conftest.$ac_objext conftest.beam
  test "x$ac_cv_prog_cc_c89" != "xno" && break
done
rm -f conftest.$ac_ext
CC=$ac_save_CC
fi

if test "x$ac_cv_prog_cc_c89" = xno
then :
  { printf "%s\n" "$as_me:${as_lineno-$LINENO}: result: unsupported" >&5
printf "%s\n" "unsupported" >&6; }
else $as_nop
  if test "x$ac_cv_prog_cc_c89" = x
then :
  { printf "%s\n" "$as_me:${as_lineno-$LINENO}: result: none needed" >&5
printf "%s\n" "none needed" >&6; }
else $as_nop
  { printf "%s\n" "$as_me:${as_lineno-$LINENO}: result: $ac_cv_prog_cc_c89" >&5
printf "%s\n" "$ac_cv_prog_cc_c89" >&6; }
     CC="$CC $ac_cv_prog_cc_c89"
fi
  ac_cv_prog_cc_stdc=$ac_cv_prog_cc_c89
  ac_prog_cc_stdc=c89
fi
fi

ac_ext=c
ac_cpp='$CPP $CPPFLAGS'
ac_compile='$CC -c $CFLAGS $CPPFLAGS conftest.$ac_ext >&5'
ac_link='$CC -o conftest$ac_exeext $CFLAGS $CPPFLAGS $LDFLAGS conftest.$ac_ext $LIBS >&5'
ac_compiler_gnu=$ac_cv_c_compiler_gnu



  { printf "%s\n" "$as_me:${as_lineno-$LINENO}: checking for a race-free mkdir -p" >&5
printf %s "checking for a race-free mkdir -p... " >&6; }
if test -z "$MKDIR_P"; then
  if test ${ac_cv_path_mkdir+y}
then :
  printf %s "(cached) " >&6
else $as_nop
  as_save_IFS=$IFS; IFS=$PATH_SEPARATOR
for as_dir in $PATH$PATH_SEPARATOR/opt/sfw/bin
do
  IFS=$as_save_IFS
  case $as_dir in #(((
    '') as_dir=./ ;;
    */) ;;
    *) as_dir=$as_dir/ ;;
  esac
    for ac_prog in mkdir gmkdir; do
	 for ac_exec_ext in '' $ac_executable_extensions; do
	   as_fn_executable_p "$as_dir$ac_prog$ac_exec_ext" || continue
	   case `"$as_dir$ac_prog$ac_exec_ext" --version 2>&1` in #(
	     'mkdir ('*'coreutils) '* | \
	     'BusyBox '* | \
	     'mkdir (fileutils) '4.1*)
	       ac_cv_path_mkdir=$as_dir$ac_prog$ac_exec_ext
	       break 3;;
	   esac
	 done
       done
  done
IFS=$as_save_IFS

fi

  test -d ./--version && rmdir ./--version
  if test ${ac_cv_path_mkdir+y}; then
    MKDIR_P="$ac_cv_path_mkdir -p"
  else
    # As a last resort, use the slow shell script.  Don't cache a
    # value for MKDIR_P within a source directory, because that will
    # break other packages using the cache if that directory is
    # removed, or if the value is a relative name.
    MKDIR_P="$ac_install_sh -d"
  fi
fi
{ printf "%s\n" "$as_me:${as_lineno-$LINENO}: result: $MKDIR_P" >&5
printf "%s\n" "$MKDIR_P" >&6; }


  # Find a good install program.  We prefer a C program (faster),
# so one script is as good as another.  But avoid the broken or
# incompatible versions:
# SysV /etc/install, /usr/sbin/install
# SunOS /usr/etc/install
# IRIX /sbin/install
# AIX /bin/install
# AmigaOS /C/install, which installs bootblocks on floppy discs
# AIX 4 /usr/bin/installbsd, which doesn't work without a -g flag
# AFS /usr/afsws/bin/install, which mishandles nonexistent args
# SVR4 /usr/ucb/install, which tries to use the nonexistent group "staff"
# OS/2's system install, which has a completely different semantic
# ./install, which can be erroneously created by make from ./install.sh.
# Reject install programs that cannot install multiple files.
{ printf "%s\n" "$as_me:${as_lineno-$LINENO}: checking for a BSD-compatible install" >&5
printf %s "checking for a BSD-compatible install... " >&6; }
if test -z "$INSTALL"; then
if test ${ac_cv_path_install+y}
then :
  printf %s "(cached) " >&6
else $as_nop
  as_save_IFS=$IFS; IFS=$PATH_SEPARATOR
for as_dir in $PATH
do
  IFS=$as_save_IFS
  case $as_dir in #(((
    '') as_dir=./ ;;
    */) ;;
    *) as_dir=$as_dir/ ;;
  esac
    # Account for fact that we put trailing slashes in our PATH walk.
case $as_dir in #((
  ./ | /[cC]/* | \
  /etc/* | /usr/sbin/* | /usr/etc/* | /sbin/* | /usr/afsws/bin/* | \
  ?:[\\/]os2[\\/]install[\\/]* | ?:[\\/]OS2[\\/]INSTALL[\\/]* | \
  /usr/ucb/* ) ;;
  *)
    # OSF1 and SCO ODT 3.0 have their own names for install.
    # Don't use installbsd from OSF since it installs stuff as root
    # by default.
    for ac_prog in ginstall scoinst install; do
      for ac_exec_ext in '' $ac_executable_extensions; do
	if as_fn_executable_p "$as_dir$ac_prog$ac_exec_ext"; then
	  if test $ac_prog = install &&
	    grep dspmsg "$as_dir$ac_prog$ac_exec_ext" >/dev/null 2>&1; then
	    # AIX install.  It has an incompatible calling convention.
	    :
	  elif test $ac_prog = install &&
	    grep pwplus "$as_dir$ac_prog$ac_exec_ext" >/dev/null 2>&1; then
	    # program-specific install script used by HP pwplus--don't use.
	    :
	  else
	    rm -rf conftest.one conftest.two conftest.dir
	    echo one > conftest.one
	    echo two > conftest.two
	    mkdir conftest.dir
	    if "$as_dir$ac_prog$ac_exec_ext" -c conftest.one conftest.two "`pwd`/conftest.dir/" &&
	      test -s conftest.one && test -s conftest.two &&
	      test -s conftest.dir/conftest.one &&
	      test -s conftest.dir/conftest.two
	    then
	      ac_cv_path_install="$as_dir$ac_prog$ac_exec_ext -c"
	      break 3
	    fi
	  fi
	fi
      done
    done
    ;;
esac

  done
IFS=$as_save_IFS

rm -rf conftest.one conftest.two conftest.dir

fi
  if test ${ac_cv_path_install+y}; then
    INSTALL=$ac_cv_path_install
  else
    # As a last resort, use the slow shell script.  Don't cache a
    # value for INSTALL within a source directory, because that will
    # break other packages using the cache if that directory is
    # removed, or if the value is a relative name.
    INSTALL=$ac_install_sh
  fi
fi
{ printf "%s\n" "$as_me:${as_lineno-$LINENO}: result: $INSTALL" >&5
printf "%s\n" "$INSTALL" >&6; }

# Use test -z because SunOS4 sh mishandles braces in ${var-val}.
# It thinks the first close brace ends the variable substitution.
test -z "$INSTALL_PROGRAM" && INSTALL_PROGRAM='${INSTALL}'

test -z "$INSTALL_SCRIPT" && INSTALL_SCRIPT='${INSTALL}'

test -z "$INSTALL_DATA" && INSTALL_DATA='${INSTALL} -m 644'




# Check for Ocaml compilers

# we first look for ocamlc in the path; if not present, we fail
# Extract the first word of "ocamlc", so it can be a program name with args.
set dummy ocamlc; ac_word=$2
{ printf "%s\n" "$as_me:${as_lineno-$LINENO}: checking for $ac_word" >&5
printf %s "checking for $ac_word... " >&6; }
if test ${ac_cv_prog_OCAMLC+y}
then :
  printf %s "(cached) " >&6
else $as_nop
  if test -n "$OCAMLC"; then
  ac_cv_prog_OCAMLC="$OCAMLC" # Let the user override the test.
else
as_save_IFS=$IFS; IFS=$PATH_SEPARATOR
for as_dir in $PATH
do
  IFS=$as_save_IFS
  case $as_dir in #(((
    '') as_dir=./ ;;
    */) ;;
    *) as_dir=$as_dir/ ;;
  esac
    for ac_exec_ext in '' $ac_executable_extensions; do
  if as_fn_executable_p "$as_dir$ac_word$ac_exec_ext"; then
    ac_cv_prog_OCAMLC="ocamlc"
    printf "%s\n" "$as_me:${as_lineno-$LINENO}: found $as_dir$ac_word$ac_exec_ext" >&5
    break 2
  fi
done
  done
IFS=$as_save_IFS

  test -z "$ac_cv_prog_OCAMLC" && ac_cv_prog_OCAMLC="no"
fi
fi
OCAMLC=$ac_cv_prog_OCAMLC
if test -n "$OCAMLC"; then
  { printf "%s\n" "$as_me:${as_lineno-$LINENO}: result: $OCAMLC" >&5
printf "%s\n" "$OCAMLC" >&6; }
else
  { printf "%s\n" "$as_me:${as_lineno-$LINENO}: result: no" >&5
printf "%s\n" "no" >&6; }
fi


if test "$OCAMLC" = no ; then
   as_fn_error $? "cannot find ocamlc." "$LINENO" 5
fi

# we extract Ocaml version number
OCAMLVERSION=`$OCAMLC -v | sed -n -e 's|.*version *\(.*\)$|\1|p'`
{ printf "%s\n" "$as_me:${as_lineno-$LINENO}: ocaml version is $OCAMLVERSION" >&5
printf "%s\n" "$as_me: ocaml version is $OCAMLVERSION" >&6;}

as_arg_v1=$OCAMLVERSION
as_arg_v2=4.08.0
awk "$as_awk_strverscmp" v1="$as_arg_v1" v2="$as_arg_v2" /dev/null
case $? in #(
  1) :
    as_fn_error $? "You need Objective Caml 4.08.0 or higher." "$LINENO" 5 ;; #(
  0) :
     ;; #(
  2) :
     ;; #(
  *) :
     ;;
esac

# Ocaml library path
# old way: OCAMLLIB=`$OCAMLC -v | tail -1 | cut -f 4 -d ' ' | tr -d '\\r'`
OCAMLLIB=`$OCAMLC -where | tr -d '\\r'`
{ printf "%s\n" "$as_me:${as_lineno-$LINENO}: ocaml library path is $OCAMLLIB" >&5
printf "%s\n" "$as_me: ocaml library path is $OCAMLLIB" >&6;}

# then we look for ocamlopt; if not present, we issue a warning
# if the version is not the same, we also discard it
# we set OCAMLBEST to "opt" or "byte", whether ocamlopt is available or not
# Extract the first word of "ocamlopt", so it can be a program name with args.
set dummy ocamlopt; ac_word=$2
{ printf "%s\n" "$as_me:${as_lineno-$LINENO}: checking for $ac_word" >&5
printf %s "checking for $ac_word... " >&6; }
if test ${ac_cv_prog_OCAMLOPT+y}
then :
  printf %s "(cached) " >&6
else $as_nop
  if test -n "$OCAMLOPT"; then
  ac_cv_prog_OCAMLOPT="$OCAMLOPT" # Let the user override the test.
else
as_save_IFS=$IFS; IFS=$PATH_SEPARATOR
for as_dir in $PATH
do
  IFS=$as_save_IFS
  case $as_dir in #(((
    '') as_dir=./ ;;
    */) ;;
    *) as_dir=$as_dir/ ;;
  esac
    for ac_exec_ext in '' $ac_executable_extensions; do
  if as_fn_executable_p "$as_dir$ac_word$ac_exec_ext"; then
    ac_cv_prog_OCAMLOPT="ocamlopt"
    printf "%s\n" "$as_me:${as_lineno-$LINENO}: found $as_dir$ac_word$ac_exec_ext" >&5
    break 2
  fi
done
  done
IFS=$as_save_IFS

  test -z "$ac_cv_prog_OCAMLOPT" && ac_cv_prog_OCAMLOPT="no"
fi
fi
OCAMLOPT=$ac_cv_prog_OCAMLOPT
if test -n "$OCAMLOPT"; then
  { printf "%s\n" "$as_me:${as_lineno-$LINENO}: result: $OCAMLOPT" >&5
printf "%s\n" "$OCAMLOPT" >&6; }
else
  { printf "%s\n" "$as_me:${as_lineno-$LINENO}: result: no" >&5
printf "%s\n" "no" >&6; }
fi


OCAMLBEST=byte
if test "$OCAMLOPT" = no ; then
   { printf "%s\n" "$as_me:${as_lineno-$LINENO}: WARNING: cannot find ocamlopt; bytecode compilation only." >&5
printf "%s\n" "$as_me: WARNING: cannot find ocamlopt; bytecode compilation only." >&2;}
else
        { printf "%s\n" "$as_me:${as_lineno-$LINENO}: checking ocamlopt version" >&5
printf %s "checking ocamlopt version... " >&6; }
	TMPVERSION=`$OCAMLOPT -v | sed -n -e 's|.*version *\(.*\)$|\1|p'`
	if test "$TMPVERSION" != "$OCAMLVERSION" ; then
	    { printf "%s\n" "$as_me:${as_lineno-$LINENO}: result: differs from ocamlc; ocamlopt discarded." >&5
printf "%s\n" "differs from ocamlc; ocamlopt discarded." >&6; }
	    OCAMLOPT=no
	else
	    { printf "%s\n" "$as_me:${as_lineno-$LINENO}: result: ok" >&5
printf "%s\n" "ok" >&6; }
	    OCAMLBEST=opt
	fi
fi

# checking for native-code
if test "$enable_native_code" != yes || test "$OCAMLBEST" = byte ; then
    enable_native_code=no
    OCAMLBEST=byte
    OCAMLOPT=no
fi

# checking for ocamlc.opt
# Extract the first word of "ocamlc.opt", so it can be a program name with args.
set dummy ocamlc.opt; ac_word=$2
{ printf "%s\n" "$as_me:${as_lineno-$LINENO}: checking for $ac_word" >&5
printf %s "checking for $ac_word... " >&6; }
if test ${ac_cv_prog_OCAMLCDOTOPT+y}
then :
  printf %s "(cached) " >&6
else $as_nop
  if test -n "$OCAMLCDOTOPT"; then
  ac_cv_prog_OCAMLCDOTOPT="$OCAMLCDOTOPT" # Let the user override the test.
else
as_save_IFS=$IFS; IFS=$PATH_SEPARATOR
for as_dir in $PATH
do
  IFS=$as_save_IFS
  case $as_dir in #(((
    '') as_dir=./ ;;
    */) ;;
    *) as_dir=$as_dir/ ;;
  esac
    for ac_exec_ext in '' $ac_executable_extensions; do
  if as_fn_executable_p "$as_dir$ac_word$ac_exec_ext"; then
    ac_cv_prog_OCAMLCDOTOPT="ocamlc.opt"
    printf "%s\n" "$as_me:${as_lineno-$LINENO}: found $as_dir$ac_word$ac_exec_ext" >&5
    break 2
  fi
done
  done
IFS=$as_save_IFS

  test -z "$ac_cv_prog_OCAMLCDOTOPT" && ac_cv_prog_OCAMLCDOTOPT="no"
fi
fi
OCAMLCDOTOPT=$ac_cv_prog_OCAMLCDOTOPT
if test -n "$OCAMLCDOTOPT"; then
  { printf "%s\n" "$as_me:${as_lineno-$LINENO}: result: $OCAMLCDOTOPT" >&5
printf "%s\n" "$OCAMLCDOTOPT" >&6; }
else
  { printf "%s\n" "$as_me:${as_lineno-$LINENO}: result: no" >&5
printf "%s\n" "no" >&6; }
fi


if test "$OCAMLCDOTOPT" != no ; then
   { printf "%s\n" "$as_me:${as_lineno-$LINENO}: checking ocamlc.opt version" >&5
printf %s "checking ocamlc.opt version... " >&6; }
	TMPVERSION=`$OCAMLCDOTOPT -v | sed -n -e 's|.*version *\(.*\)$|\1|p'`
	if test "$TMPVERSION" != "$OCAMLVERSION" ; then
	    { printf "%s\n" "$as_me:${as_lineno-$LINENO}: result: differs from ocamlc; ocamlc.opt discarded." >&5
printf "%s\n" "differs from ocamlc; ocamlc.opt discarded." >&6; }
	else
	    { printf "%s\n" "$as_me:${as_lineno-$LINENO}: result: ok" >&5
printf "%s\n" "ok" >&6; }
	    OCAMLC=$OCAMLCDOTOPT
	fi
fi

# checking for ocamlopt.opt
if test "$OCAMLOPT" != no ; then
    # Extract the first word of "ocamlopt.opt", so it can be a program name with args.
set dummy ocamlopt.opt; ac_word=$2
{ printf "%s\n" "$as_me:${as_lineno-$LINENO}: checking for $ac_word" >&5
printf %s "checking for $ac_word... " >&6; }
if test ${ac_cv_prog_OCAMLOPTDOTOPT+y}
then :
  printf %s "(cached) " >&6
else $as_nop
  if test -n "$OCAMLOPTDOTOPT"; then
  ac_cv_prog_OCAMLOPTDOTOPT="$OCAMLOPTDOTOPT" # Let the user override the test.
else
as_save_IFS=$IFS; IFS=$PATH_SEPARATOR
for as_dir in $PATH
do
  IFS=$as_save_IFS
  case $as_dir in #(((
    '') as_dir=./ ;;
    */) ;;
    *) as_dir=$as_dir/ ;;
  esac
    for ac_exec_ext in '' $ac_executable_extensions; do
  if as_fn_executable_p "$as_dir$ac_word$ac_exec_ext"; then
    ac_cv_prog_OCAMLOPTDOTOPT="ocamlopt.opt"
    printf "%s\n" "$as_me:${as_lineno-$LINENO}: found $as_dir$ac_word$ac_exec_ext" >&5
    break 2
  fi
done
  done
IFS=$as_save_IFS

  test -z "$ac_cv_prog_OCAMLOPTDOTOPT" && ac_cv_prog_OCAMLOPTDOTOPT="no"
fi
fi
OCAMLOPTDOTOPT=$ac_cv_prog_OCAMLOPTDOTOPT
if test -n "$OCAMLOPTDOTOPT"; then
  { printf "%s\n" "$as_me:${as_lineno-$LINENO}: result: $OCAMLOPTDOTOPT" >&5
printf "%s\n" "$OCAMLOPTDOTOPT" >&6; }
else
  { printf "%s\n" "$as_me:${as_lineno-$LINENO}: result: no" >&5
printf "%s\n" "no" >&6; }
fi


    if test "$OCAMLOPTDOTOPT" != no ; then
	{ printf "%s\n" "$as_me:${as_lineno-$LINENO}: checking ocamlc.opt version" >&5
printf %s "checking ocamlc.opt version... " >&6; }
	TMPVER=`$OCAMLOPTDOTOPT -v | sed -n -e 's|.*version *\(.*\)$|\1|p'`
	if test "$TMPVER" != "$OCAMLVERSION" ; then
	    { printf "%s\n" "$as_me:${as_lineno-$LINENO}: result: differs from ocamlc; ocamlopt.opt discarded." >&5
printf "%s\n" "differs from ocamlc; ocamlopt.opt discarded." >&6; }
	else
	    { printf "%s\n" "$as_me:${as_lineno-$LINENO}: result: ok" >&5
printf "%s\n" "ok" >&6; }
	    OCAMLOPT=$OCAMLOPTDOTOPT
	fi
    fi
fi

# ocamldep, ocamllex and ocamlyacc should also be present in the path
# Extract the first word of "ocamldep", so it can be a program name with args.
set dummy ocamldep; ac_word=$2
{ printf "%s\n" "$as_me:${as_lineno-$LINENO}: checking for $ac_word" >&5
printf %s "checking for $ac_word... " >&6; }
if test ${ac_cv_prog_OCAMLDEP+y}
then :
  printf %s "(cached) " >&6
else $as_nop
  if test -n "$OCAMLDEP"; then
  ac_cv_prog_OCAMLDEP="$OCAMLDEP" # Let the user override the test.
else
as_save_IFS=$IFS; IFS=$PATH_SEPARATOR
for as_dir in $PATH
do
  IFS=$as_save_IFS
  case $as_dir in #(((
    '') as_dir=./ ;;
    */) ;;
    *) as_dir=$as_dir/ ;;
  esac
    for ac_exec_ext in '' $ac_executable_extensions; do
  if as_fn_executable_p "$as_dir$ac_word$ac_exec_ext"; then
    ac_cv_prog_OCAMLDEP="ocamldep"
    printf "%s\n" "$as_me:${as_lineno-$LINENO}: found $as_dir$ac_word$ac_exec_ext" >&5
    break 2
  fi
done
  done
IFS=$as_save_IFS

  test -z "$ac_cv_prog_OCAMLDEP" && ac_cv_prog_OCAMLDEP="no"
fi
fi
OCAMLDEP=$ac_cv_prog_OCAMLDEP
if test -n "$OCAMLDEP"; then
  { printf "%s\n" "$as_me:${as_lineno-$LINENO}: result: $OCAMLDEP" >&5
printf "%s\n" "$OCAMLDEP" >&6; }
else
  { printf "%s\n" "$as_me:${as_lineno-$LINENO}: result: no" >&5
printf "%s\n" "no" >&6; }
fi


if test "$OCAMLDEP" = no ; then
   as_fn_error $? "cannot find ocamldep." "$LINENO" 5
else
   # Extract the first word of "ocamldep.opt", so it can be a program name with args.
set dummy ocamldep.opt; ac_word=$2
{ printf "%s\n" "$as_me:${as_lineno-$LINENO}: checking for $ac_word" >&5
printf %s "checking for $ac_word... " >&6; }
if test ${ac_cv_prog_OCAMLDEPDOTOPT+y}
then :
  printf %s "(cached) " >&6
else $as_nop
  if test -n "$OCAMLDEPDOTOPT"; then
  ac_cv_prog_OCAMLDEPDOTOPT="$OCAMLDEPDOTOPT" # Let the user override the test.
else
as_save_IFS=$IFS; IFS=$PATH_SEPARATOR
for as_dir in $PATH
do
  IFS=$as_save_IFS
  case $as_dir in #(((
    '') as_dir=./ ;;
    */) ;;
    *) as_dir=$as_dir/ ;;
  esac
    for ac_exec_ext in '' $ac_executable_extensions; do
  if as_fn_executable_p "$as_dir$ac_word$ac_exec_ext"; then
    ac_cv_prog_OCAMLDEPDOTOPT="ocamldep.opt"
    printf "%s\n" "$as_me:${as_lineno-$LINENO}: found $as_dir$ac_word$ac_exec_ext" >&5
    break 2
  fi
done
  done
IFS=$as_save_IFS

  test -z "$ac_cv_prog_OCAMLDEPDOTOPT" && ac_cv_prog_OCAMLDEPDOTOPT="no"
fi
fi
OCAMLDEPDOTOPT=$ac_cv_prog_OCAMLDEPDOTOPT
if test -n "$OCAMLDEPDOTOPT"; then
  { printf "%s\n" "$as_me:${as_lineno-$LINENO}: result: $OCAMLDEPDOTOPT" >&5
printf "%s\n" "$OCAMLDEPDOTOPT" >&6; }
else
  { printf "%s\n" "$as_me:${as_lineno-$LINENO}: result: no" >&5
printf "%s\n" "no" >&6; }
fi


   if test "$OCAMLDEPDOTOPT" != no ; then
      OCAMLDEP=$OCAMLDEPDOTOPT
   fi
fi

# Extract the first word of "ocamllex", so it can be a program name with args.
set dummy ocamllex; ac_word=$2
{ printf "%s\n" "$as_me:${as_lineno-$LINENO}: checking for $ac_word" >&5
printf %s "checking for $ac_word... " >&6; }
if test ${ac_cv_prog_OCAMLLEX+y}
then :
  printf %s "(cached) " >&6
else $as_nop
  if test -n "$OCAMLLEX"; then
  ac_cv_prog_OCAMLLEX="$OCAMLLEX" # Let the user override the test.
else
as_save_IFS=$IFS; IFS=$PATH_SEPARATOR
for as_dir in $PATH
do
  IFS=$as_save_IFS
  case $as_dir in #(((
    '') as_dir=./ ;;
    */) ;;
    *) as_dir=$as_dir/ ;;
  esac
    for ac_exec_ext in '' $ac_executable_extensions; do
  if as_fn_executable_p "$as_dir$ac_word$ac_exec_ext"; then
    ac_cv_prog_OCAMLLEX="ocamllex"
    printf "%s\n" "$as_me:${as_lineno-$LINENO}: found $as_dir$ac_word$ac_exec_ext" >&5
    break 2
  fi
done
  done
IFS=$as_save_IFS

  test -z "$ac_cv_prog_OCAMLLEX" && ac_cv_prog_OCAMLLEX="no"
fi
fi
OCAMLLEX=$ac_cv_prog_OCAMLLEX
if test -n "$OCAMLLEX"; then
  { printf "%s\n" "$as_me:${as_lineno-$LINENO}: result: $OCAMLLEX" >&5
printf "%s\n" "$OCAMLLEX" >&6; }
else
  { printf "%s\n" "$as_me:${as_lineno-$LINENO}: result: no" >&5
printf "%s\n" "no" >&6; }
fi


if test "$OCAMLLEX" = no ; then
   as_fn_error $? "cannot find ocamllex." "$LINENO" 5
else
    # Extract the first word of "ocamllex.opt", so it can be a program name with args.
set dummy ocamllex.opt; ac_word=$2
{ printf "%s\n" "$as_me:${as_lineno-$LINENO}: checking for $ac_word" >&5
printf %s "checking for $ac_word... " >&6; }
if test ${ac_cv_prog_OCAMLLEXDOTOPT+y}
then :
  printf %s "(cached) " >&6
else $as_nop
  if test -n "$OCAMLLEXDOTOPT"; then
  ac_cv_prog_OCAMLLEXDOTOPT="$OCAMLLEXDOTOPT" # Let the user override the test.
else
as_save_IFS=$IFS; IFS=$PATH_SEPARATOR
for as_dir in $PATH
do
  IFS=$as_save_IFS
  case $as_dir in #(((
    '') as_dir=./ ;;
    */) ;;
    *) as_dir=$as_dir/ ;;
  esac
    for ac_exec_ext in '' $ac_executable_extensions; do
  if as_fn_executable_p "$as_dir$ac_word$ac_exec_ext"; then
    ac_cv_prog_OCAMLLEXDOTOPT="ocamllex.opt"
    printf "%s\n" "$as_me:${as_lineno-$LINENO}: found $as_dir$ac_word$ac_exec_ext" >&5
    break 2
  fi
done
  done
IFS=$as_save_IFS

  test -z "$ac_cv_prog_OCAMLLEXDOTOPT" && ac_cv_prog_OCAMLLEXDOTOPT="no"
fi
fi
OCAMLLEXDOTOPT=$ac_cv_prog_OCAMLLEXDOTOPT
if test -n "$OCAMLLEXDOTOPT"; then
  { printf "%s\n" "$as_me:${as_lineno-$LINENO}: result: $OCAMLLEXDOTOPT" >&5
printf "%s\n" "$OCAMLLEXDOTOPT" >&6; }
else
  { printf "%s\n" "$as_me:${as_lineno-$LINENO}: result: no" >&5
printf "%s\n" "no" >&6; }
fi


    if test "$OCAMLLEXDOTOPT" != no ; then
	OCAMLLEX=$OCAMLLEXDOTOPT
    fi
fi

# Extract the first word of "ocamlyacc", so it can be a program name with args.
set dummy ocamlyacc; ac_word=$2
{ printf "%s\n" "$as_me:${as_lineno-$LINENO}: checking for $ac_word" >&5
printf %s "checking for $ac_word... " >&6; }
if test ${ac_cv_prog_OCAMLYACC+y}
then :
  printf %s "(cached) " >&6
else $as_nop
  if test -n "$OCAMLYACC"; then
  ac_cv_prog_OCAMLYACC="$OCAMLYACC" # Let the user override the test.
else
as_save_IFS=$IFS; IFS=$PATH_SEPARATOR
for as_dir in $PATH
do
  IFS=$as_save_IFS
  case $as_dir in #(((
    '') as_dir=./ ;;
    */) ;;
    *) as_dir=$as_dir/ ;;
  esac
    for ac_exec_ext in '' $ac_executable_extensions; do
  if as_fn_executable_p "$as_dir$ac_word$ac_exec_ext"; then
    ac_cv_prog_OCAMLYACC="ocamlyacc"
    printf "%s\n" "$as_me:${as_lineno-$LINENO}: found $as_dir$ac_word$ac_exec_ext" >&5
    break 2
  fi
done
  done
IFS=$as_save_IFS

  test -z "$ac_cv_prog_OCAMLYACC" && ac_cv_prog_OCAMLYACC="no"
fi
fi
OCAMLYACC=$ac_cv_prog_OCAMLYACC
if test -n "$OCAMLYACC"; then
  { printf "%s\n" "$as_me:${as_lineno-$LINENO}: result: $OCAMLYACC" >&5
printf "%s\n" "$OCAMLYACC" >&6; }
else
  { printf "%s\n" "$as_me:${as_lineno-$LINENO}: result: no" >&5
printf "%s\n" "no" >&6; }
fi


if test "$OCAMLYACC" = no ; then
   as_fn_error $? "cannot find ocamlyacc." "$LINENO" 5
fi

# Extract the first word of "ocamldoc", so it can be a program name with args.
set dummy ocamldoc; ac_word=$2
{ printf "%s\n" "$as_me:${as_lineno-$LINENO}: checking for $ac_word" >&5
printf %s "checking for $ac_word... " >&6; }
if test ${ac_cv_prog_OCAMLDOC+y}
then :
  printf %s "(cached) " >&6
else $as_nop
  if test -n "$OCAMLDOC"; then
  ac_cv_prog_OCAMLDOC="$OCAMLDOC" # Let the user override the test.
else
as_save_IFS=$IFS; IFS=$PATH_SEPARATOR
for as_dir in $PATH
do
  IFS=$as_save_IFS
  case $as_dir in #(((
    '') as_dir=./ ;;
    */) ;;
    *) as_dir=$as_dir/ ;;
  esac
    for ac_exec_ext in '' $ac_executable_extensions; do
  if as_fn_executable_p "$as_dir$ac_word$ac_exec_ext"; then
    ac_cv_prog_OCAMLDOC="ocamldoc"
    printf "%s\n" "$as_me:${as_lineno-$LINENO}: found $as_dir$ac_word$ac_exec_ext" >&5
    break 2
  fi
done
  done
IFS=$as_save_IFS

  test -z "$ac_cv_prog_OCAMLDOC" && ac_cv_prog_OCAMLDOC="true"
fi
fi
OCAMLDOC=$ac_cv_prog_OCAMLDOC
if test -n "$OCAMLDOC"; then
  { printf "%s\n" "$as_me:${as_lineno-$LINENO}: result: $OCAMLDOC" >&5
printf "%s\n" "$OCAMLDOC" >&6; }
else
  { printf "%s\n" "$as_me:${as_lineno-$LINENO}: result: no" >&5
printf "%s\n" "no" >&6; }
fi


if test "$OCAMLDOC" != true ; then
    # Extract the first word of "ocamldoc.opt", so it can be a program name with args.
set dummy ocamldoc.opt; ac_word=$2
{ printf "%s\n" "$as_me:${as_lineno-$LINENO}: checking for $ac_word" >&5
printf %s "checking for $ac_word... " >&6; }
if test ${ac_cv_prog_OCAMLDOCOPT+y}
then :
  printf %s "(cached) " >&6
else $as_nop
  if test -n "$OCAMLDOCOPT"; then
  ac_cv_prog_OCAMLDOCOPT="$OCAMLDOCOPT" # Let the user override the test.
else
as_save_IFS=$IFS; IFS=$PATH_SEPARATOR
for as_dir in $PATH
do
  IFS=$as_save_IFS
  case $as_dir in #(((
    '') as_dir=./ ;;
    */) ;;
    *) as_dir=$as_dir/ ;;
  esac
    for ac_exec_ext in '' $ac_executable_extensions; do
  if as_fn_executable_p "$as_dir$ac_word$ac_exec_ext"; then
    ac_cv_prog_OCAMLDOCOPT="ocamldoc.opt"
    printf "%s\n" "$as_me:${as_lineno-$LINENO}: found $as_dir$ac_word$ac_exec_ext" >&5
    break 2
  fi
done
  done
IFS=$as_save_IFS

  test -z "$ac_cv_prog_OCAMLDOCOPT" && ac_cv_prog_OCAMLDOCOPT="no"
fi
fi
OCAMLDOCOPT=$ac_cv_prog_OCAMLDOCOPT
if test -n "$OCAMLDOCOPT"; then
  { printf "%s\n" "$as_me:${as_lineno-$LINENO}: result: $OCAMLDOCOPT" >&5
printf "%s\n" "$OCAMLDOCOPT" >&6; }
else
  { printf "%s\n" "$as_me:${as_lineno-$LINENO}: result: no" >&5
printf "%s\n" "no" >&6; }
fi


    if test "$OCAMLDOCOPT" != no ; then
	OCAMLDOC=$OCAMLDOCOPT
    fi
fi

# Extract the first word of "menhir", so it can be a program name with args.
set dummy menhir; ac_word=$2
{ printf "%s\n" "$as_me:${as_lineno-$LINENO}: checking for $ac_word" >&5
printf %s "checking for $ac_word... " >&6; }
if test ${ac_cv_prog_MENHIR+y}
then :
  printf %s "(cached) " >&6
else $as_nop
  if test -n "$MENHIR"; then
  ac_cv_prog_MENHIR="$MENHIR" # Let the user override the test.
else
as_save_IFS=$IFS; IFS=$PATH_SEPARATOR
for as_dir in $PATH
do
  IFS=$as_save_IFS
  case $as_dir in #(((
    '') as_dir=./ ;;
    */) ;;
    *) as_dir=$as_dir/ ;;
  esac
    for ac_exec_ext in '' $ac_executable_extensions; do
  if as_fn_executable_p "$as_dir$ac_word$ac_exec_ext"; then
    ac_cv_prog_MENHIR="menhir"
    printf "%s\n" "$as_me:${as_lineno-$LINENO}: found $as_dir$ac_word$ac_exec_ext" >&5
    break 2
  fi
done
  done
IFS=$as_save_IFS

  test -z "$ac_cv_prog_MENHIR" && ac_cv_prog_MENHIR="no"
fi
fi
MENHIR=$ac_cv_prog_MENHIR
if test -n "$MENHIR"; then
  { printf "%s\n" "$as_me:${as_lineno-$LINENO}: result: $MENHIR" >&5
printf "%s\n" "$MENHIR" >&6; }
else
  { printf "%s\n" "$as_me:${as_lineno-$LINENO}: result: no" >&5
printf "%s\n" "no" >&6; }
fi


if test "$MENHIR" = no ; then
   as_fn_error $? "cannot find menhir." "$LINENO" 5
fi

MENHIRVERSION=`$MENHIR --version | sed -n -e 's,.*version *\(.*\)$,\1,p'`
as_arg_v1=$MENHIRVERSION
as_arg_v2=20170418
awk "$as_awk_strverscmp" v1="$as_arg_v1" v2="$as_arg_v2" /dev/null
case $? in #(
  1) :
    as_fn_error $? "You need Menhir 20170418 or higher." "$LINENO" 5 ;; #(
  0) :
     ;; #(
  2) :
     ;; #(
  *) :
     ;;
esac

found_ocamlfind=no
if test "$enable_ocamlfind" != no; then
   # Extract the first word of "ocamlfind", so it can be a program name with args.
set dummy ocamlfind; ac_word=$2
{ printf "%s\n" "$as_me:${as_lineno-$LINENO}: checking for $ac_word" >&5
printf %s "checking for $ac_word... " >&6; }
if test ${ac_cv_prog_OCAMLFIND+y}
then :
  printf %s "(cached) " >&6
else $as_nop
  if test -n "$OCAMLFIND"; then
  ac_cv_prog_OCAMLFIND="$OCAMLFIND" # Let the user override the test.
else
as_save_IFS=$IFS; IFS=$PATH_SEPARATOR
for as_dir in $PATH
do
  IFS=$as_save_IFS
  case $as_dir in #(((
    '') as_dir=./ ;;
    */) ;;
    *) as_dir=$as_dir/ ;;
  esac
    for ac_exec_ext in '' $ac_executable_extensions; do
  if as_fn_executable_p "$as_dir$ac_word$ac_exec_ext"; then
    ac_cv_prog_OCAMLFIND="ocamlfind"
    printf "%s\n" "$as_me:${as_lineno-$LINENO}: found $as_dir$ac_word$ac_exec_ext" >&5
    break 2
  fi
done
  done
IFS=$as_save_IFS

  test -z "$ac_cv_prog_OCAMLFIND" && ac_cv_prog_OCAMLFIND="no"
fi
fi
OCAMLFIND=$ac_cv_prog_OCAMLFIND
if test -n "$OCAMLFIND"; then
  { printf "%s\n" "$as_me:${as_lineno-$LINENO}: result: $OCAMLFIND" >&5
printf "%s\n" "$OCAMLFIND" >&6; }
else
  { printf "%s\n" "$as_me:${as_lineno-$LINENO}: result: no" >&5
printf "%s\n" "no" >&6; }
fi


   if test "$OCAMLFIND" = no; then
      reason_ocamlfind=" (not found)"
   else
      OCAMLFINDLIB=$(ocamlfind printconf stdlib)
      if test "$OCAMLFINDLIB" != "$OCAMLLIB"; then
         found_ocamlfind=no
         reason_ocamlfind=" (incompatible with OCaml)"
         echo "but your ocamlfind is not compatible with your ocamlc:"
         echo "ocamlfind: $OCAMLFINDLIB, ocamlc: $OCAMLLIB"
      else
         found_ocamlfind=yes
      fi
   fi
fi

if test "$found_ocamlfind" = no; then
   if test "$enable_ocamlfind" = yes; then
      as_fn_error $? "cannot use ocamlfind." "$LINENO" 5
   fi
   enable_ocamlfind=no
fi

if test "$enable_ocamlfind" != no; then
   #if ocamlfind is used it gives the install path for ocaml library
   OCAMLINSTALLLIB=$($OCAMLFIND printconf destdir)
   enable_ocamlfind=yes
else
   OCAMLINSTALLLIB=$OCAMLLIB
   OCAMLFIND=no
fi

if test "$enable_why3_lib" = yes ; then
   WHY3LIB=
else
   if test "$enable_ocamlfind" = no; then
      as_fn_error $? "cannot use --disable-why3-lib without ocamlfind." "$LINENO" 5
   fi
   WHY3LIB=why3
   { printf "%s\n" "$as_me:${as_lineno-$LINENO}: checking for Why3 using ocamlfind" >&5
printf %s "checking for Why3 using ocamlfind... " >&6; }
   DIR=$($OCAMLFIND query why3 2> /dev/null)
   if test -n "$DIR"; then
      { printf "%s\n" "$as_me:${as_lineno-$LINENO}: result: yes" >&5
printf "%s\n" "yes" >&6; }
      WHY3INCLUDE="-I $DIR"
   else
      { printf "%s\n" "$as_me:${as_lineno-$LINENO}: result: no" >&5
printf "%s\n" "no" >&6; }
      as_fn_error $? "cannot use --disable-why3-lib without an installed Why3." "$LINENO" 5
   fi
fi

if test "$enable_local" = no; then
   LOCALDIR=''
else
   LOCALDIR="${PWD}"
fi

# ppx
if test "$enable_ocamlfind" = yes; then
  { printf "%s\n" "$as_me:${as_lineno-$LINENO}: checking for compiler-libs using ocamlfind" >&5
printf %s "checking for compiler-libs using ocamlfind... " >&6; }
  COMPILERLIBS=$($OCAMLFIND query compiler-libs 2> /dev/null)
  if test -n "$COMPILERLIBS"; then
    { printf "%s\n" "$as_me:${as_lineno-$LINENO}: result: yes" >&5
printf "%s\n" "yes" >&6; }
    enable_ppx=yes
  else
    { printf "%s\n" "$as_me:${as_lineno-$LINENO}: result: no" >&5
printf "%s\n" "no" >&6; }
    enable_ppx=no
    reason_ppx=" (compiler-libs not found)"
  fi
else
  enable_ppx=no
fi

# checking for sphinx
if test "$enable_doc" = yes; then
   # Extract the first word of "sphinx-build", so it can be a program name with args.
set dummy sphinx-build; ac_word=$2
{ printf "%s\n" "$as_me:${as_lineno-$LINENO}: checking for $ac_word" >&5
printf %s "checking for $ac_word... " >&6; }
if test ${ac_cv_prog_SPHINX+y}
then :
  printf %s "(cached) " >&6
else $as_nop
  if test -n "$SPHINX"; then
  ac_cv_prog_SPHINX="$SPHINX" # Let the user override the test.
else
as_save_IFS=$IFS; IFS=$PATH_SEPARATOR
for as_dir in $PATH
do
  IFS=$as_save_IFS
  case $as_dir in #(((
    '') as_dir=./ ;;
    */) ;;
    *) as_dir=$as_dir/ ;;
  esac
    for ac_exec_ext in '' $ac_executable_extensions; do
  if as_fn_executable_p "$as_dir$ac_word$ac_exec_ext"; then
    ac_cv_prog_SPHINX="sphinx-build"
    printf "%s\n" "$as_me:${as_lineno-$LINENO}: found $as_dir$ac_word$ac_exec_ext" >&5
    break 2
  fi
done
  done
IFS=$as_save_IFS

  test -z "$ac_cv_prog_SPHINX" && ac_cv_prog_SPHINX="no"
fi
fi
SPHINX=$ac_cv_prog_SPHINX
if test -n "$SPHINX"; then
  { printf "%s\n" "$as_me:${as_lineno-$LINENO}: result: $SPHINX" >&5
printf "%s\n" "$SPHINX" >&6; }
else
  { printf "%s\n" "$as_me:${as_lineno-$LINENO}: result: no" >&5
printf "%s\n" "no" >&6; }
fi


   if test "$SPHINX" = no; then
      enable_doc=no
      enable_pdf_doc=no
      reason_doc=" (sphinx-build not found)"
      { printf "%s\n" "$as_me:${as_lineno-$LINENO}: WARNING: cannot find sphinx-build, documentation disabled." >&5
printf "%s\n" "$as_me: WARNING: cannot find sphinx-build, documentation disabled." >&2;}
   fi
else
   enable_pdf_doc=no
fi

# checking for rubber or latexmk or pdflatex
if test "$enable_pdf_doc" = yes; then
   for ac_prog in latexmk rubber pdflatex
do
  # Extract the first word of "$ac_prog", so it can be a program name with args.
set dummy $ac_prog; ac_word=$2
{ printf "%s\n" "$as_me:${as_lineno-$LINENO}: checking for $ac_word" >&5
printf %s "checking for $ac_word... " >&6; }
if test ${ac_cv_prog_LATEX+y}
then :
  printf %s "(cached) " >&6
else $as_nop
  if test -n "$LATEX"; then
  ac_cv_prog_LATEX="$LATEX" # Let the user override the test.
else
as_save_IFS=$IFS; IFS=$PATH_SEPARATOR
for as_dir in $PATH
do
  IFS=$as_save_IFS
  case $as_dir in #(((
    '') as_dir=./ ;;
    */) ;;
    *) as_dir=$as_dir/ ;;
  esac
    for ac_exec_ext in '' $ac_executable_extensions; do
  if as_fn_executable_p "$as_dir$ac_word$ac_exec_ext"; then
    ac_cv_prog_LATEX="$ac_prog"
    printf "%s\n" "$as_me:${as_lineno-$LINENO}: found $as_dir$ac_word$ac_exec_ext" >&5
    break 2
  fi
done
  done
IFS=$as_save_IFS

fi
fi
LATEX=$ac_cv_prog_LATEX
if test -n "$LATEX"; then
  { printf "%s\n" "$as_me:${as_lineno-$LINENO}: result: $LATEX" >&5
printf "%s\n" "$LATEX" >&6; }
else
  { printf "%s\n" "$as_me:${as_lineno-$LINENO}: result: no" >&5
printf "%s\n" "no" >&6; }
fi


  test -n "$LATEX" && break
done
test -n "$LATEX" || LATEX="no"

   if test "$LATEX" = no; then
      enable_pdf_doc=no
      reason_pdf_doc=" ((rubber|latexmk|pdflatex) not found)"
      { printf "%s\n" "$as_me:${as_lineno-$LINENO}: WARNING: cannot find any latex compiler, PDF documentation disabled." >&5
printf "%s\n" "$as_me: WARNING: cannot find any latex compiler, PDF documentation disabled." >&2;}
   fi
fi

# checking for emacs
if test "$enable_emacs_compilation" = yes ; then
   # Extract the first word of "emacs", so it can be a program name with args.
set dummy emacs; ac_word=$2
{ printf "%s\n" "$as_me:${as_lineno-$LINENO}: checking for $ac_word" >&5
printf %s "checking for $ac_word... " >&6; }
if test ${ac_cv_prog_EMACS+y}
then :
  printf %s "(cached) " >&6
else $as_nop
  if test -n "$EMACS"; then
  ac_cv_prog_EMACS="$EMACS" # Let the user override the test.
else
as_save_IFS=$IFS; IFS=$PATH_SEPARATOR
for as_dir in $PATH
do
  IFS=$as_save_IFS
  case $as_dir in #(((
    '') as_dir=./ ;;
    */) ;;
    *) as_dir=$as_dir/ ;;
  esac
    for ac_exec_ext in '' $ac_executable_extensions; do
  if as_fn_executable_p "$as_dir$ac_word$ac_exec_ext"; then
    ac_cv_prog_EMACS="emacs"
    printf "%s\n" "$as_me:${as_lineno-$LINENO}: found $as_dir$ac_word$ac_exec_ext" >&5
    break 2
  fi
done
  done
IFS=$as_save_IFS

  test -z "$ac_cv_prog_EMACS" && ac_cv_prog_EMACS="no"
fi
fi
EMACS=$ac_cv_prog_EMACS
if test -n "$EMACS"; then
  { printf "%s\n" "$as_me:${as_lineno-$LINENO}: result: $EMACS" >&5
printf "%s\n" "$EMACS" >&6; }
else
  { printf "%s\n" "$as_me:${as_lineno-$LINENO}: result: no" >&5
printf "%s\n" "no" >&6; }
fi


   if test "$EMACS" = no ; then
      enable_emacs_compilation=no
      { printf "%s\n" "$as_me:${as_lineno-$LINENO}: WARNING: cannot find emacs, compilation of why3.elc disabled." >&5
printf "%s\n" "$as_me: WARNING: cannot find emacs, compilation of why3.elc disabled." >&2;}
   fi
fi

# checking for Num
# (ocamlfind cannot be trusted here, since the default installation path is $OCAMLLIB)
found_num=no
if test "$enable_ocamlfind" = yes; then
   { printf "%s\n" "$as_me:${as_lineno-$LINENO}: checking for num using ocamlfind" >&5
printf %s "checking for num using ocamlfind... " >&6; }
   DIR=$($OCAMLFIND query num 2> /dev/null)
   if test -z "$DIR"; then
      { printf "%s\n" "$as_me:${as_lineno-$LINENO}: result: no" >&5
printf "%s\n" "no" >&6; }
      as_fn_error $? "cannot find library Num using ocamlfind." "$LINENO" 5
   fi
   { printf "%s\n" "$as_me:${as_lineno-$LINENO}: result: yes" >&5
printf "%s\n" "yes" >&6; }
   NUMPKG=num
   NUMINCLUDE="-I $DIR"
   found_num=yes
   as_ac_File=`printf "%s\n" "ac_cv_file_$DIR/nums.cma" | $as_tr_sh`
{ printf "%s\n" "$as_me:${as_lineno-$LINENO}: checking for $DIR/nums.cma" >&5
printf %s "checking for $DIR/nums.cma... " >&6; }
if eval test \${$as_ac_File+y}
then :
  printf %s "(cached) " >&6
else $as_nop
  test "$cross_compiling" = yes &&
  as_fn_error $? "cannot check for file existence when cross compiling" "$LINENO" 5
if test -r "$DIR/nums.cma"; then
  eval "$as_ac_File=yes"
else
  eval "$as_ac_File=no"
fi
fi
eval ac_res=\$$as_ac_File
	       { printf "%s\n" "$as_me:${as_lineno-$LINENO}: result: $ac_res" >&5
printf "%s\n" "$ac_res" >&6; }
if eval test \"x\$"$as_ac_File"\" = x"yes"
then :

else $as_nop
  found_num=no
fi

   as_ac_File=`printf "%s\n" "ac_cv_file_$DIR/num.cmi" | $as_tr_sh`
{ printf "%s\n" "$as_me:${as_lineno-$LINENO}: checking for $DIR/num.cmi" >&5
printf %s "checking for $DIR/num.cmi... " >&6; }
if eval test \${$as_ac_File+y}
then :
  printf %s "(cached) " >&6
else $as_nop
  test "$cross_compiling" = yes &&
  as_fn_error $? "cannot check for file existence when cross compiling" "$LINENO" 5
if test -r "$DIR/num.cmi"; then
  eval "$as_ac_File=yes"
else
  eval "$as_ac_File=no"
fi
fi
eval ac_res=\$$as_ac_File
	       { printf "%s\n" "$as_me:${as_lineno-$LINENO}: result: $ac_res" >&5
printf "%s\n" "$ac_res" >&6; }
if eval test \"x\$"$as_ac_File"\" = x"yes"
then :

else $as_nop
  found_num=no
fi

fi
if test "$found_num" = no; then
   DIR="$OCAMLLIB"
   NUMINCLUDE=
   found_num=yes
   as_ac_File=`printf "%s\n" "ac_cv_file_$DIR/nums.cma" | $as_tr_sh`
{ printf "%s\n" "$as_me:${as_lineno-$LINENO}: checking for $DIR/nums.cma" >&5
printf %s "checking for $DIR/nums.cma... " >&6; }
if eval test \${$as_ac_File+y}
then :
  printf %s "(cached) " >&6
else $as_nop
  test "$cross_compiling" = yes &&
  as_fn_error $? "cannot check for file existence when cross compiling" "$LINENO" 5
if test -r "$DIR/nums.cma"; then
  eval "$as_ac_File=yes"
else
  eval "$as_ac_File=no"
fi
fi
eval ac_res=\$$as_ac_File
	       { printf "%s\n" "$as_me:${as_lineno-$LINENO}: result: $ac_res" >&5
printf "%s\n" "$ac_res" >&6; }
if eval test \"x\$"$as_ac_File"\" = x"yes"
then :

else $as_nop
  found_num=no
fi

   as_ac_File=`printf "%s\n" "ac_cv_file_$DIR/num.cmi" | $as_tr_sh`
{ printf "%s\n" "$as_me:${as_lineno-$LINENO}: checking for $DIR/num.cmi" >&5
printf %s "checking for $DIR/num.cmi... " >&6; }
if eval test \${$as_ac_File+y}
then :
  printf %s "(cached) " >&6
else $as_nop
  test "$cross_compiling" = yes &&
  as_fn_error $? "cannot check for file existence when cross compiling" "$LINENO" 5
if test -r "$DIR/num.cmi"; then
  eval "$as_ac_File=yes"
else
  eval "$as_ac_File=no"
fi
fi
eval ac_res=\$$as_ac_File
	       { printf "%s\n" "$as_me:${as_lineno-$LINENO}: result: $ac_res" >&5
printf "%s\n" "$ac_res" >&6; }
if eval test \"x\$"$as_ac_File"\" = x"yes"
then :

else $as_nop
  found_num=no
fi

fi
if test "$found_num" = no; then
   as_fn_error $? "cannot find library Num." "$LINENO" 5
fi

# checking for Zarith
if test "$enable_zarith" = no; then
   reason_zarith=" (disabled by user)"
else
   DIR=
   found_zarith=yes
   if test "$enable_ocamlfind" = yes; then
      { printf "%s\n" "$as_me:${as_lineno-$LINENO}: checking for zarith using ocamlfind" >&5
printf %s "checking for zarith using ocamlfind... " >&6; }
      DIR=$($OCAMLFIND query zarith 2> /dev/null)
      if test -n "$DIR"; then
         { printf "%s\n" "$as_me:${as_lineno-$LINENO}: result: yes" >&5
printf "%s\n" "yes" >&6; }
         BIGINTINCLUDE="-I $DIR"
      else
         { printf "%s\n" "$as_me:${as_lineno-$LINENO}: result: no" >&5
printf "%s\n" "no" >&6; }
         found_zarith=no
      fi
   else
      BIGINTINCLUDE="-I +zarith"
      DIR="$OCAMLLIB/zarith"
      as_ac_File=`printf "%s\n" "ac_cv_file_$DIR/zarith.cma" | $as_tr_sh`
{ printf "%s\n" "$as_me:${as_lineno-$LINENO}: checking for $DIR/zarith.cma" >&5
printf %s "checking for $DIR/zarith.cma... " >&6; }
if eval test \${$as_ac_File+y}
then :
  printf %s "(cached) " >&6
else $as_nop
  test "$cross_compiling" = yes &&
  as_fn_error $? "cannot check for file existence when cross compiling" "$LINENO" 5
if test -r "$DIR/zarith.cma"; then
  eval "$as_ac_File=yes"
else
  eval "$as_ac_File=no"
fi
fi
eval ac_res=\$$as_ac_File
	       { printf "%s\n" "$as_me:${as_lineno-$LINENO}: result: $ac_res" >&5
printf "%s\n" "$ac_res" >&6; }
if eval test \"x\$"$as_ac_File"\" = x"yes"
then :

else $as_nop
  found_zarith=no
fi

   fi
   if test -n "$DIR"; then
      as_ac_File=`printf "%s\n" "ac_cv_file_$DIR/z.cmi" | $as_tr_sh`
{ printf "%s\n" "$as_me:${as_lineno-$LINENO}: checking for $DIR/z.cmi" >&5
printf %s "checking for $DIR/z.cmi... " >&6; }
if eval test \${$as_ac_File+y}
then :
  printf %s "(cached) " >&6
else $as_nop
  test "$cross_compiling" = yes &&
  as_fn_error $? "cannot check for file existence when cross compiling" "$LINENO" 5
if test -r "$DIR/z.cmi"; then
  eval "$as_ac_File=yes"
else
  eval "$as_ac_File=no"
fi
fi
eval ac_res=\$$as_ac_File
	       { printf "%s\n" "$as_me:${as_lineno-$LINENO}: result: $ac_res" >&5
printf "%s\n" "$ac_res" >&6; }
if eval test \"x\$"$as_ac_File"\" = x"yes"
then :

else $as_nop
  found_zarith=no
fi

   fi
   if test "$found_zarith" = no; then
      if test "$enable_zarith" = yes; then
         as_fn_error $? "cannot find library zarith." "$LINENO" 5
      fi
      { printf "%s\n" "$as_me:${as_lineno-$LINENO}: WARNING: cannot find library zarith, using Nums instead." >&5
printf "%s\n" "$as_me: WARNING: cannot find library zarith, using Nums instead." >&2;}
      enable_zarith=no
      reason_zarith=" (zarith not found)"
   fi
fi

if test "$enable_zarith" != no; then
   BIGINTLIB=zarith
   BIGINTPKG=zarith
   enable_zarith=yes
else
   BIGINTLIB=nums
   BIGINTPKG=num
   BIGINTINCLUDE="$NUMINCLUDE"
fi

# checking for apron for bddinfer
if test "$enable_bddinfer" = yes; then
   if test "$enable_ocamlfind" = yes; then
      # gmp is a dependency of apron
      INFERINCLUDE=$($OCAMLFIND query -separator ' ' -i-format apron 2> /dev/null)
   fi
   if test -n "$INFERINCLUDE"; then
      echo "ocamlfind found apron in $INFERINCLUDE"
      INFERLIB="apron"
      INFERPKG="zarith apron apron.polkaMPQ"
   else
      enable_bddinfer=no
      reason_bddinfer=" (apron not found)"
      { printf "%s\n" "$as_me:${as_lineno-$LINENO}: WARNING: Lib apron not found, bddinfer will not be built." >&5
printf "%s\n" "$as_me: WARNING: Lib apron not found, bddinfer will not be built." >&2;}
   fi
else
  reason_bddinfer=" (disabled by default)"
fi

# checking for apron and fixpoint
if test "$enable_infer" = yes; then
   if test "$enable_ocamlfind" = yes; then
      # gmp is a dependency of apron
      INFERINCLUDE=$($OCAMLFIND query apron camllib 2> /dev/null)
   fi
   if test -n "$INFERINCLUDE"; then
      echo "ocamlfind found apron, camllib in $INFERINCLUDE"
      INFERINCLUDE=$($OCAMLFIND query fixpoint 2> /dev/null)
      if test -n "$INFERINCLUDE"; then
         echo "ocamlfind found fixpoint in $INFERINCLUDE"
         INFERINCLUDE="$($OCAMLFIND query -separator ' ' -i-format apron fixpoint camllib gmp 2> /dev/null)"
         INFERLIB="apron fixpoint"
         INFERPKG="apron fixpoint apron.boxMPQ apron.octMPQ apron.polkaMPQ"
      else
         enable_infer=no
         { printf "%s\n" "$as_me:${as_lineno-$LINENO}: WARNING: Lib fixpoint not found, infer will not be built." >&5
printf "%s\n" "$as_me: WARNING: Lib fixpoint not found, infer will not be built." >&2;}
         reason_infer=" (fixpoint not found)"
      fi
   else
      enable_infer=no
      reason_infer=" (apron or camllib not found)"
      { printf "%s\n" "$as_me:${as_lineno-$LINENO}: WARNING: Lib apron or camllib not found, infer will not be built." >&5
printf "%s\n" "$as_me: WARNING: Lib apron or camllib not found, infer will not be built." >&2;}
   fi
else
  reason_infer=" (disabled by default)"
fi

# checking for camlzip
if test "$enable_zip" = no; then
   reason_zip=" (disabled by user)"
else
   DIR=
   found_zip=yes
   if test "$enable_ocamlfind" = yes; then
      { printf "%s\n" "$as_me:${as_lineno-$LINENO}: checking for camlzip using ocamlfind" >&5
printf %s "checking for camlzip using ocamlfind... " >&6; }
      DIR=$($OCAMLFIND query zip 2> /dev/null)
      if test -n "$DIR"; then
         { printf "%s\n" "$as_me:${as_lineno-$LINENO}: result: yes" >&5
printf "%s\n" "yes" >&6; }
         ZIPINCLUDE="-I $DIR"
      else
         { printf "%s\n" "$as_me:${as_lineno-$LINENO}: result: no" >&5
printf "%s\n" "no" >&6; }
         found_zip=no
      fi
   else
      ZIPINCLUDE="-I +zip"
      DIR="$OCAMLLIB/zip"
      as_ac_File=`printf "%s\n" "ac_cv_file_$DIR/zip.cma" | $as_tr_sh`
{ printf "%s\n" "$as_me:${as_lineno-$LINENO}: checking for $DIR/zip.cma" >&5
printf %s "checking for $DIR/zip.cma... " >&6; }
if eval test \${$as_ac_File+y}
then :
  printf %s "(cached) " >&6
else $as_nop
  test "$cross_compiling" = yes &&
  as_fn_error $? "cannot check for file existence when cross compiling" "$LINENO" 5
if test -r "$DIR/zip.cma"; then
  eval "$as_ac_File=yes"
else
  eval "$as_ac_File=no"
fi
fi
eval ac_res=\$$as_ac_File
	       { printf "%s\n" "$as_me:${as_lineno-$LINENO}: result: $ac_res" >&5
printf "%s\n" "$ac_res" >&6; }
if eval test \"x\$"$as_ac_File"\" = x"yes"
then :

else $as_nop
  found_zip=no
fi

   fi
   if test -n "$DIR"; then
      as_ac_File=`printf "%s\n" "ac_cv_file_$DIR/zip.cmi" | $as_tr_sh`
{ printf "%s\n" "$as_me:${as_lineno-$LINENO}: checking for $DIR/zip.cmi" >&5
printf %s "checking for $DIR/zip.cmi... " >&6; }
if eval test \${$as_ac_File+y}
then :
  printf %s "(cached) " >&6
else $as_nop
  test "$cross_compiling" = yes &&
  as_fn_error $? "cannot check for file existence when cross compiling" "$LINENO" 5
if test -r "$DIR/zip.cmi"; then
  eval "$as_ac_File=yes"
else
  eval "$as_ac_File=no"
fi
fi
eval ac_res=\$$as_ac_File
	       { printf "%s\n" "$as_me:${as_lineno-$LINENO}: result: $ac_res" >&5
printf "%s\n" "$ac_res" >&6; }
if eval test \"x\$"$as_ac_File"\" = x"yes"
then :

else $as_nop
  found_zip=no
fi

   fi
   if test "$found_zip" = no; then
      if test "$enable_zip" = yes; then
         as_fn_error $? "cannot find library camlzip." "$LINENO" 5
      fi
      { printf "%s\n" "$as_me:${as_lineno-$LINENO}: WARNING: cannot find library camlzip; sessions files will not be compressed." >&5
printf "%s\n" "$as_me: WARNING: cannot find library camlzip; sessions files will not be compressed." >&2;}
      enable_zip=no
      reason_zip=" (camlzip not found)"
   fi
fi

if test "$enable_zip" != no; then
   ZIPLIB=zip
   enable_zip=yes
else
   ZIPLIB=
   ZIPINCLUDE=
fi

# checking for menhirlib
found_menhirlib=yes
DIR=
if test "$enable_ocamlfind" = yes; then
   { printf "%s\n" "$as_me:${as_lineno-$LINENO}: checking for menhirLib using ocamlfind" >&5
printf %s "checking for menhirLib using ocamlfind... " >&6; }
   DIR=$($OCAMLFIND query menhirLib 2> /dev/null)
   if test -n "$DIR"; then
      { printf "%s\n" "$as_me:${as_lineno-$LINENO}: result: yes" >&5
printf "%s\n" "yes" >&6; }
      MENHIRINCLUDE="-I $DIR"
   else
      { printf "%s\n" "$as_me:${as_lineno-$LINENO}: result: no" >&5
printf "%s\n" "no" >&6; }
      found_menhirlib=no
   fi
else
   MENHIRINCLUDE="-I +menhirLib"
   DIR="$OCAMLLIB/menhirLib"
   menhirlib_cmo=
   as_ac_File=`printf "%s\n" "ac_cv_file_$DIR/menhirLib.cmo" | $as_tr_sh`
{ printf "%s\n" "$as_me:${as_lineno-$LINENO}: checking for $DIR/menhirLib.cmo" >&5
printf %s "checking for $DIR/menhirLib.cmo... " >&6; }
if eval test \${$as_ac_File+y}
then :
  printf %s "(cached) " >&6
else $as_nop
  test "$cross_compiling" = yes &&
  as_fn_error $? "cannot check for file existence when cross compiling" "$LINENO" 5
if test -r "$DIR/menhirLib.cmo"; then
  eval "$as_ac_File=yes"
else
  eval "$as_ac_File=no"
fi
fi
eval ac_res=\$$as_ac_File
	       { printf "%s\n" "$as_me:${as_lineno-$LINENO}: result: $ac_res" >&5
printf "%s\n" "$ac_res" >&6; }
if eval test \"x\$"$as_ac_File"\" = x"yes"
then :
  menhirlib_cmo=yes
fi

   as_ac_File=`printf "%s\n" "ac_cv_file_$DIR/menhirLib.cma" | $as_tr_sh`
{ printf "%s\n" "$as_me:${as_lineno-$LINENO}: checking for $DIR/menhirLib.cma" >&5
printf %s "checking for $DIR/menhirLib.cma... " >&6; }
if eval test \${$as_ac_File+y}
then :
  printf %s "(cached) " >&6
else $as_nop
  test "$cross_compiling" = yes &&
  as_fn_error $? "cannot check for file existence when cross compiling" "$LINENO" 5
if test -r "$DIR/menhirLib.cma"; then
  eval "$as_ac_File=yes"
else
  eval "$as_ac_File=no"
fi
fi
eval ac_res=\$$as_ac_File
	       { printf "%s\n" "$as_me:${as_lineno-$LINENO}: result: $ac_res" >&5
printf "%s\n" "$ac_res" >&6; }
if eval test \"x\$"$as_ac_File"\" = x"yes"
then :
  menhirlib_cmo=no
fi

   if test -z "$menhirlib_cmo"; then found_menhirlib=no; fi
fi
if test -n "$DIR"; then
   as_ac_File=`printf "%s\n" "ac_cv_file_$DIR/menhirLib.cmi" | $as_tr_sh`
{ printf "%s\n" "$as_me:${as_lineno-$LINENO}: checking for $DIR/menhirLib.cmi" >&5
printf %s "checking for $DIR/menhirLib.cmi... " >&6; }
if eval test \${$as_ac_File+y}
then :
  printf %s "(cached) " >&6
else $as_nop
  test "$cross_compiling" = yes &&
  as_fn_error $? "cannot check for file existence when cross compiling" "$LINENO" 5
if test -r "$DIR/menhirLib.cmi"; then
  eval "$as_ac_File=yes"
else
  eval "$as_ac_File=no"
fi
fi
eval ac_res=\$$as_ac_File
	       { printf "%s\n" "$as_me:${as_lineno-$LINENO}: result: $ac_res" >&5
printf "%s\n" "$ac_res" >&6; }
if eval test \"x\$"$as_ac_File"\" = x"yes"
then :

else $as_nop
  found_menhirlib=no
fi

fi
if test "$found_menhirlib" = no; then
   as_fn_error $? "cannot find library menhirLib." "$LINENO" 5
fi


# checking for re
if test "$enable_re" = no; then
   reason_re=" (disabled by user)"
else
   found_re=yes
   DIR=
   if test "$enable_ocamlfind" = yes; then
      { printf "%s\n" "$as_me:${as_lineno-$LINENO}: checking for re using ocamlfind" >&5
printf %s "checking for re using ocamlfind... " >&6; }
      DIR=$($OCAMLFIND query re 2> /dev/null)
      if test -n "$DIR"; then
         { printf "%s\n" "$as_me:${as_lineno-$LINENO}: result: yes" >&5
printf "%s\n" "yes" >&6; }
         REINCLUDE="-I $DIR"
      else
         { printf "%s\n" "$as_me:${as_lineno-$LINENO}: result: no" >&5
printf "%s\n" "no" >&6; }
         found_re=no
      fi
   else
      REINCLUDE="-I +re"
      DIR="$OCAMLLIB/re"
      as_ac_File=`printf "%s\n" "ac_cv_file_$DIR/re.cmx" | $as_tr_sh`
{ printf "%s\n" "$as_me:${as_lineno-$LINENO}: checking for $DIR/re.cmx" >&5
printf %s "checking for $DIR/re.cmx... " >&6; }
if eval test \${$as_ac_File+y}
then :
  printf %s "(cached) " >&6
else $as_nop
  test "$cross_compiling" = yes &&
  as_fn_error $? "cannot check for file existence when cross compiling" "$LINENO" 5
if test -r "$DIR/re.cmx"; then
  eval "$as_ac_File=yes"
else
  eval "$as_ac_File=no"
fi
fi
eval ac_res=\$$as_ac_File
	       { printf "%s\n" "$as_me:${as_lineno-$LINENO}: result: $ac_res" >&5
printf "%s\n" "$ac_res" >&6; }
if eval test \"x\$"$as_ac_File"\" = x"yes"
then :

else $as_nop
  found_re=no
fi

   fi
   if test -n "$DIR"; then
      as_ac_File=`printf "%s\n" "ac_cv_file_$DIR/re.cmi" | $as_tr_sh`
{ printf "%s\n" "$as_me:${as_lineno-$LINENO}: checking for $DIR/re.cmi" >&5
printf %s "checking for $DIR/re.cmi... " >&6; }
if eval test \${$as_ac_File+y}
then :
  printf %s "(cached) " >&6
else $as_nop
  test "$cross_compiling" = yes &&
  as_fn_error $? "cannot check for file existence when cross compiling" "$LINENO" 5
if test -r "$DIR/re.cmi"; then
  eval "$as_ac_File=yes"
else
  eval "$as_ac_File=no"
fi
fi
eval ac_res=\$$as_ac_File
	       { printf "%s\n" "$as_me:${as_lineno-$LINENO}: result: $ac_res" >&5
printf "%s\n" "$ac_res" >&6; }
if eval test \"x\$"$as_ac_File"\" = x"yes"
then :

else $as_nop
  found_re=no
fi

   fi
   if test "$found_re" = no; then
      if test "$enable_re" = yes; then
         as_fn_error $? "cannot find library re." "$LINENO" 5
      fi
      { printf "%s\n" "$as_me:${as_lineno-$LINENO}: WARNING: cannot find library re, using Str instead." >&5
printf "%s\n" "$as_me: WARNING: cannot find library re, using Str instead." >&2;}
      enable_re=no
      reason_re=" (re not found)"
   fi
fi

if test "$enable_re" != no; then
   RELIB=re
   enable_re=yes
else
   REINCLUDE=
   RELIB=str
fi

# checking for lablgtk3
if test "$enable_ide" = no ; then
   reason_ide=" (disabled by user)"
fi
if test "$enable_ide" != no -a "$enable_ocamlfind" = no; then
   if test "$enable_ide" = yes; then
      as_fn_error $? "cannot build IDE without ocamlfind." "$LINENO" 5
   fi
   enable_ide=no
   reason_ide=" (ocamlfind not available)"
fi

found_lablgtk=no
if test "$enable_ide" != no; then
   { printf "%s\n" "$as_me:${as_lineno-$LINENO}: checking for lablgtk3 using ocamlfind" >&5
printf %s "checking for lablgtk3 using ocamlfind... " >&6; }
   DIR=$($OCAMLFIND query lablgtk3 2> /dev/null)
   if test -n "$DIR"; then
      { printf "%s\n" "$as_me:${as_lineno-$LINENO}: result: yes" >&5
printf "%s\n" "yes" >&6; }
      found_lablgtk=yes
      as_ac_File=`printf "%s\n" "ac_cv_file_$DIR/gtkButton.cmi" | $as_tr_sh`
{ printf "%s\n" "$as_me:${as_lineno-$LINENO}: checking for $DIR/gtkButton.cmi" >&5
printf %s "checking for $DIR/gtkButton.cmi... " >&6; }
if eval test \${$as_ac_File+y}
then :
  printf %s "(cached) " >&6
else $as_nop
  test "$cross_compiling" = yes &&
  as_fn_error $? "cannot check for file existence when cross compiling" "$LINENO" 5
if test -r "$DIR/gtkButton.cmi"; then
  eval "$as_ac_File=yes"
else
  eval "$as_ac_File=no"
fi
fi
eval ac_res=\$$as_ac_File
	       { printf "%s\n" "$as_me:${as_lineno-$LINENO}: result: $ac_res" >&5
printf "%s\n" "$ac_res" >&6; }
if eval test \"x\$"$as_ac_File"\" = x"yes"
then :

else $as_nop
  found_lablgtk=no
fi

   else
      { printf "%s\n" "$as_me:${as_lineno-$LINENO}: result: no" >&5
printf "%s\n" "no" >&6; }
      found_lablgtk=no
   fi
   if test "$found_lablgtk" = yes; then
      GTKVERSION=3
      PKGS_SOURCEVIEW="lablgtk3-sourceview3 lablgtk3.sourceview3 lablgtksourceview3"
   fi
fi

# checking for lablgtksourceview
found_lablgtksourceview=no
if test "$found_lablgtk" = yes; then
   for p in $PKGS_SOURCEVIEW; do
      { printf "%s\n" "$as_me:${as_lineno-$LINENO}: checking for $p using ocamlfind" >&5
printf %s "checking for $p using ocamlfind... " >&6; }
      DIR=$($OCAMLFIND query $p 2> /dev/null)
      if test -n "$DIR"; then
         { printf "%s\n" "$as_me:${as_lineno-$LINENO}: result: yes" >&5
printf "%s\n" "yes" >&6; }
         as_ac_File=`printf "%s\n" "ac_cv_file_$DIR/gSourceView$GTKVERSION.cmi" | $as_tr_sh`
{ printf "%s\n" "$as_me:${as_lineno-$LINENO}: checking for $DIR/gSourceView$GTKVERSION.cmi" >&5
printf %s "checking for $DIR/gSourceView$GTKVERSION.cmi... " >&6; }
if eval test \${$as_ac_File+y}
then :
  printf %s "(cached) " >&6
else $as_nop
  test "$cross_compiling" = yes &&
  as_fn_error $? "cannot check for file existence when cross compiling" "$LINENO" 5
if test -r "$DIR/gSourceView$GTKVERSION.cmi"; then
  eval "$as_ac_File=yes"
else
  eval "$as_ac_File=no"
fi
fi
eval ac_res=\$$as_ac_File
	       { printf "%s\n" "$as_me:${as_lineno-$LINENO}: result: $ac_res" >&5
printf "%s\n" "$ac_res" >&6; }
if eval test \"x\$"$as_ac_File"\" = x"yes"
then :

else $as_nop
  p=
fi

         if test -n "$p"; then
            PKG_SOURCEVIEW=$p
            break
         fi
      else
         { printf "%s\n" "$as_me:${as_lineno-$LINENO}: result: no" >&5
printf "%s\n" "no" >&6; }
      fi
   done
   if test -n "$PKG_SOURCEVIEW"; then
      found_lablgtksourceview=yes
   fi
fi

if test "$enable_ide" != no -a "$found_lablgtk" = no; then
   if test "$enable_ide" = yes; then
      as_fn_error $? "cannot build IDE without lablgtk3." "$LINENO" 5
   fi
   { printf "%s\n" "$as_me:${as_lineno-$LINENO}: WARNING: cannot find library lablgtk3, IDE disabled." >&5
printf "%s\n" "$as_me: WARNING: cannot find library lablgtk3, IDE disabled." >&2;}
   enable_ide=no
   reason_ide=" (lablgtk3 not found)"
fi

if test "$enable_ide" != no -a "$found_lablgtksourceview" = no; then
   if test "$enable_ide" = yes; then
      as_fn_error $? "cannot build IDE without lablgtksourceview." "$LINENO" 5
   fi
   { printf "%s\n" "$as_me:${as_lineno-$LINENO}: WARNING: cannot find library lablgtksourceview, IDE disabled." >&5
printf "%s\n" "$as_me: WARNING: cannot find library lablgtksourceview, IDE disabled." >&2;}
   enable_ide=no
   reason_ide=" (lablgtksourceview not found)"
fi

if test "$enable_ide" != no; then
   enable_ide=yes
   LABLGTKPKG="lablgtk$GTKVERSION $PKG_SOURCEVIEW"
fi

if test "$enable_hypothesis_selection" != no -o "$enable_stackify" != no; then
   found_ocamlgraph=yes
   DIR=
   if test "$enable_ocamlfind" = yes; then
      { printf "%s\n" "$as_me:${as_lineno-$LINENO}: checking for ocamlgraph using ocamlfind" >&5
printf %s "checking for ocamlgraph using ocamlfind... " >&6; }
      DIR=$($OCAMLFIND query ocamlgraph 2> /dev/null)
      if test -n "$DIR"; then
         { printf "%s\n" "$as_me:${as_lineno-$LINENO}: result: yes" >&5
printf "%s\n" "yes" >&6; }
         OCAMLGRAPHLIB="$DIR"
      else
         { printf "%s\n" "$as_me:${as_lineno-$LINENO}: result: no" >&5
printf "%s\n" "no" >&6; }
         found_ocamlgraph=no
      fi
   else
      OCAMLGRAPHLIB="+ocamlgraph"
      DIR="$OCAMLLIB/ocamlgraph"
      as_ac_File=`printf "%s\n" "ac_cv_file_$DIR/graph.cma" | $as_tr_sh`
{ printf "%s\n" "$as_me:${as_lineno-$LINENO}: checking for $DIR/graph.cma" >&5
printf %s "checking for $DIR/graph.cma... " >&6; }
if eval test \${$as_ac_File+y}
then :
  printf %s "(cached) " >&6
else $as_nop
  test "$cross_compiling" = yes &&
  as_fn_error $? "cannot check for file existence when cross compiling" "$LINENO" 5
if test -r "$DIR/graph.cma"; then
  eval "$as_ac_File=yes"
else
  eval "$as_ac_File=no"
fi
fi
eval ac_res=\$$as_ac_File
	       { printf "%s\n" "$as_me:${as_lineno-$LINENO}: result: $ac_res" >&5
printf "%s\n" "$ac_res" >&6; }
if eval test \"x\$"$as_ac_File"\" = x"yes"
then :

else $as_nop
  found_ocamlgraph=no
fi

   fi
   if test -n "$DIR"; then
      as_ac_File=`printf "%s\n" "ac_cv_file_$DIR/graph.cmi" | $as_tr_sh`
{ printf "%s\n" "$as_me:${as_lineno-$LINENO}: checking for $DIR/graph.cmi" >&5
printf %s "checking for $DIR/graph.cmi... " >&6; }
if eval test \${$as_ac_File+y}
then :
  printf %s "(cached) " >&6
else $as_nop
  test "$cross_compiling" = yes &&
  as_fn_error $? "cannot check for file existence when cross compiling" "$LINENO" 5
if test -r "$DIR/graph.cmi"; then
  eval "$as_ac_File=yes"
else
  eval "$as_ac_File=no"
fi
fi
eval ac_res=\$$as_ac_File
	       { printf "%s\n" "$as_me:${as_lineno-$LINENO}: result: $ac_res" >&5
printf "%s\n" "$ac_res" >&6; }
if eval test \"x\$"$as_ac_File"\" = x"yes"
then :

else $as_nop
  found_ocamlgraph=no
fi

   fi
fi

if test "$enable_hypothesis_selection" = no; then
   reason_hypothesis_selection=" (disabled by user)"
elif test "$found_ocamlgraph" = no; then
   if test "$enable_hypothesis_selection" = yes; then
      as_fn_error $? "cannot enable hypothesis selection without ocamlgraph." "$LINENO" 5
   fi
   enable_hypothesis_selection=no
   reason_hypothesis_selection=" (ocamlgraph not found)"
   { printf "%s\n" "$as_me:${as_lineno-$LINENO}: WARNING: cannot find library ocamlgraph, hypothesis selection disabled." >&5
printf "%s\n" "$as_me: WARNING: cannot find library ocamlgraph, hypothesis selection disabled." >&2;}
fi

if test "$enable_hypothesis_selection" != no; then
   META_OCAMLGRAPH="ocamlgraph"
   enable_hypothesis_selection=yes
else
   META_OCAMLGRAPH=
   OCAMLGRAPHLIB=
fi

if test "$enable_stackify" = no; then
   reason_stackify=" (disabled by user)"
elif test "$found_ocamlgraph" = no; then
   if test "$enable_stackify" = yes; then
      as_fn_error $? "cannot enable stackify without ocamlgraph." "$LINENO" 5
   fi
   enable_stackify=no
   reason_stackify=" (ocamlgraph not found)"
   { printf "%s\n" "$as_me:${as_lineno-$LINENO}: WARNING: cannot find library ocamlgraph, stackify disabled." >&5
printf "%s\n" "$as_me: WARNING: cannot find library ocamlgraph, stackify disabled." >&2;}
fi

if test "$enable_stackify" != no; then
   META_OCAMLGRAPH="ocamlgraph"
   enable_stackify=yes
else
   META_OCAMLGRAPH=
   OCAMLGRAPHLIB=
fi

# MLMPFR
found_mlmpfr=no
if test "$enable_mpfr" = no; then
   reason_mpfr=" (disabled by user)"
elif test "$enable_ocamlfind" != yes; then
   reason_mpfr=" (ocamlfind not available)"
elif test "$enable_js_of_ocaml" = yes -o "$enable_web_ide" = yes; then
   if test "$enable_mpfr" = yes; then
      as_fn_error $? "cannot enable support for both MPFR and Javascript." "$LINENO" 5
   fi
   reason_mpfr=" (incompatible with js_of_ocaml) "
else
   found_mlmpfr=yes
   { printf "%s\n" "$as_me:${as_lineno-$LINENO}: checking for mlmpfr" >&5
printf %s "checking for mlmpfr... " >&6; }
   DIR=$($OCAMLFIND query mlmpfr 2> /dev/null)
   if test -n "$DIR"; then
      { printf "%s\n" "$as_me:${as_lineno-$LINENO}: result: yes" >&5
printf "%s\n" "yes" >&6; }
      old_mpfr=no
      echo "ocamlfind found mlmpfr in $DIR"
      # Test that MPFR version is higher than 4.0.0 (because of
      # Faithful constructor incompatibility).
      MPFRVERSION=$($OCAMLFIND query -format "%v" mlmpfr 2> /dev/null)
      as_arg_v1=$MPFRVERSION
as_arg_v2=4.0.0
awk "$as_awk_strverscmp" v1="$as_arg_v1" v2="$as_arg_v2" /dev/null
case $? in #(
  1) :

         found_mlmpfr=no
         reason_mpfr=" (mlmpfr >= 4.0.0 not found)" ;; #(
  0) :
     ;; #(
  2) :
     ;; #(
  *) :
     ;;
esac
      as_ac_File=`printf "%s\n" "ac_cv_file_$DIR/mpfr.cmi" | $as_tr_sh`
{ printf "%s\n" "$as_me:${as_lineno-$LINENO}: checking for $DIR/mpfr.cmi" >&5
printf %s "checking for $DIR/mpfr.cmi... " >&6; }
if eval test \${$as_ac_File+y}
then :
  printf %s "(cached) " >&6
else $as_nop
  test "$cross_compiling" = yes &&
  as_fn_error $? "cannot check for file existence when cross compiling" "$LINENO" 5
if test -r "$DIR/mpfr.cmi"; then
  eval "$as_ac_File=yes"
else
  eval "$as_ac_File=no"
fi
fi
eval ac_res=\$$as_ac_File
	       { printf "%s\n" "$as_me:${as_lineno-$LINENO}: result: $ac_res" >&5
printf "%s\n" "$ac_res" >&6; }
if eval test \"x\$"$as_ac_File"\" = x"yes"
then :
  old_mpfr=yes
fi

      as_ac_File=`printf "%s\n" "ac_cv_file_$DIR/mlmpfr.cma" | $as_tr_sh`
{ printf "%s\n" "$as_me:${as_lineno-$LINENO}: checking for $DIR/mlmpfr.cma" >&5
printf %s "checking for $DIR/mlmpfr.cma... " >&6; }
if eval test \${$as_ac_File+y}
then :
  printf %s "(cached) " >&6
else $as_nop
  test "$cross_compiling" = yes &&
  as_fn_error $? "cannot check for file existence when cross compiling" "$LINENO" 5
if test -r "$DIR/mlmpfr.cma"; then
  eval "$as_ac_File=yes"
else
  eval "$as_ac_File=no"
fi
fi
eval ac_res=\$$as_ac_File
	       { printf "%s\n" "$as_me:${as_lineno-$LINENO}: result: $ac_res" >&5
printf "%s\n" "$ac_res" >&6; }
if eval test \"x\$"$as_ac_File"\" = x"yes"
then :

else $as_nop

         found_mlmpfr=no
         reason_mpfr=" (mlmpfr not found)"
fi

   else
      { printf "%s\n" "$as_me:${as_lineno-$LINENO}: result: no" >&5
printf "%s\n" "no" >&6; }
      reason_mpfr=" (mlmpfr not found)"
      found_mlmpfr=no
   fi
fi

if test "$enable_mpfr" != no -a "$found_mlmpfr" = no; then
   if test "$enable_mpfr" = yes; then
      as_fn_error $? "cannot enable MPFR support without mlmpfr." "$LINENO" 5
   fi
   enable_mpfr=no
fi

if test "$enable_mpfr" != no; then
   enable_mpfr=yes
   MLMPFR=mlmpfr
fi

# checking for js_of_ocaml
found_js_of_ocaml=no
if test "$enable_js_of_ocaml" = no; then
   reason_js_of_ocaml=" (disabled by user)"
elif test "$enable_mpfr" = yes; then
   reason_js_of_ocaml=" (incompatible with MPFR support)"
elif test "$enable_ocamlfind" != yes; then
   reason_js_of_ocaml=" (ocamlfind not available)"
else
   found_js_of_ocaml=yes
   for p in js_of_ocaml js_of_ocaml-ppx; do
      { printf "%s\n" "$as_me:${as_lineno-$LINENO}: checking for $p" >&5
printf %s "checking for $p... " >&6; }
      DIR=$($OCAMLFIND query $p 2> /dev/null)
      if test -z "$DIR"; then
         { printf "%s\n" "$as_me:${as_lineno-$LINENO}: result: no" >&5
printf "%s\n" "no" >&6; }
         found_js_of_ocaml=no
         reason_js_of_ocaml=" ($p not found)"
         break
      else
         { printf "%s\n" "$as_me:${as_lineno-$LINENO}: result: yes" >&5
printf "%s\n" "yes" >&6; }
      fi
   done
fi

if test "$enable_js_of_ocaml" != no -a "$found_js_of_ocaml" = no; then
   if test "$enable_js_of_ocaml" = yes; then
      as_fn_error $? "cannot enable Javascript support without ocamlfind." "$LINENO" 5
   fi
   enable_js_of_ocaml=no
fi

if test "$enable_js_of_ocaml" != no; then
   enable_js_of_ocaml=yes
   JSOFOCAMLPKG="js_of_ocaml js_of_ocaml-ppx"
fi

# Web IDE
if test "$enable_web_ide" = no; then
   reason_web_ide=" (disabled by user)"
elif test "$enable_js_of_ocaml" != yes; then
   if test "$enable_web_ide" = yes; then
      as_fn_error $? "cannot enable web IDE without Javascript support." "$LINENO" 5
   fi
   enable_web_ide=no
   reason_web_ide=" (Javascript support not available)"
else
   enable_web_ide=yes
fi

# checking for statmemprof
if test "$enable_statmemprof" = yes; then
   if test "$enable_ocamlfind" != yes; then
      enable_statmemprof=no
      reason_statmemprof=" (ocamlfind not available)"
   else
      DIR=$($OCAMLFIND query statmemprof-emacs 2> /dev/null)
      if test -z "$DIR"; then
         enable_statmemprof=no
         reason_statmemprof=" (statmemprof-emacs not found)"
      fi
      STATMEMPROFPKG=statmemprof-emacs
   fi
fi

# ppx_sexp_conv (only with ocamlfind)
SEXPLIBPPX=
SEXPLIB=
if test "$enable_pp_sexp" = no; then
    reason_pp_sexp=" (disabled by user)"
else
    if test "$enable_ocamlfind" != yes; then
        enable_pp_sexp=no
        reason_pp_sexp=" (ocamlfind not available)"
    elif test "$enable_ppx" != yes; then
        enable_pp_sexp=no
        reason_pp_sexp=" (requires ppx)"
    else
        for p in ppx_sexp_conv sexplib ppx_deriving; do
            { printf "%s\n" "$as_me:${as_lineno-$LINENO}: checking for $p using ocamlfind" >&5
printf %s "checking for $p using ocamlfind... " >&6; }
            DIR=$($OCAMLFIND query $p 2> /dev/null)
            if test -z "$DIR"; then
               { printf "%s\n" "$as_me:${as_lineno-$LINENO}: result: no" >&5
printf "%s\n" "no" >&6; }
               enable_pp_sexp=no
               reason_pp_sexp=" ($p not found)"
               break
            else
               { printf "%s\n" "$as_me:${as_lineno-$LINENO}: result: yes" >&5
printf "%s\n" "yes" >&6; }
            fi
        done
    fi
    if test "$enable_pp_sexp" = yes; then
        SEXPLIBPPX="ppx_sexp_conv"
        SEXPLIB="sexplib sexplib.num"
    fi
fi

# Coq

enable_coq_support=yes
enable_coq_fp_libs=yes

coq_compat_version=

if test "$enable_coq_libs" = no; then
   enable_coq_support=no
   reason_coq_support=" (disabled by user)"
fi

if test "$enable_coq_support" = yes; then
   # Extract the first word of "coqc", so it can be a program name with args.
set dummy coqc; ac_word=$2
{ printf "%s\n" "$as_me:${as_lineno-$LINENO}: checking for $ac_word" >&5
printf %s "checking for $ac_word... " >&6; }
if test ${ac_cv_prog_COQC+y}
then :
  printf %s "(cached) " >&6
else $as_nop
  if test -n "$COQC"; then
  ac_cv_prog_COQC="$COQC" # Let the user override the test.
else
as_save_IFS=$IFS; IFS=$PATH_SEPARATOR
for as_dir in $PATH
do
  IFS=$as_save_IFS
  case $as_dir in #(((
    '') as_dir=./ ;;
    */) ;;
    *) as_dir=$as_dir/ ;;
  esac
    for ac_exec_ext in '' $ac_executable_extensions; do
  if as_fn_executable_p "$as_dir$ac_word$ac_exec_ext"; then
    ac_cv_prog_COQC="coqc"
    printf "%s\n" "$as_me:${as_lineno-$LINENO}: found $as_dir$ac_word$ac_exec_ext" >&5
    break 2
  fi
done
  done
IFS=$as_save_IFS

  test -z "$ac_cv_prog_COQC" && ac_cv_prog_COQC="no"
fi
fi
COQC=$ac_cv_prog_COQC
if test -n "$COQC"; then
  { printf "%s\n" "$as_me:${as_lineno-$LINENO}: result: $COQC" >&5
printf "%s\n" "$COQC" >&6; }
else
  { printf "%s\n" "$as_me:${as_lineno-$LINENO}: result: no" >&5
printf "%s\n" "no" >&6; }
fi


   if test "$COQC" = no ; then
      enable_coq_support=no
      reason_coq_support=" (coqc not found)"
   fi
fi

if test "$enable_coq_support" = yes; then
   COQLIB=`$COQC -where | sed -e 's|\\\|/|g' -e 's| |\\ |g'`
   { printf "%s\n" "$as_me:${as_lineno-$LINENO}: checking Coq version" >&5
printf %s "checking Coq version... " >&6; }
   COQVERSION=`$COQC -v | sed -n -e 's|.*version  *\([^ ]*\).*|\1|p'`
   { printf "%s\n" "$as_me:${as_lineno-$LINENO}: result: $COQVERSION" >&5
printf "%s\n" "$COQVERSION" >&6; }

   case $COQVERSION in
      8.7*)
         coq_compat_version="COQ87"
         enable_coq_fp_libs=no
         ;;
      8.8*)
         coq_compat_version="COQ88"
         enable_coq_fp_libs=no
         ;;
      8.9*)
         coq_compat_version="COQ89"
         enable_coq_fp_libs=no
         ;;
      8.10*)
         coq_compat_version="COQ810"
         enable_coq_fp_libs=no
         ;;
      8.11*)
         coq_compat_version="COQ811"
         ;;
      8.12*)
         coq_compat_version="COQ812"
         ;;
      8.13*)
         coq_compat_version="COQ813"
         ;;
      8.14*)
         coq_compat_version="COQ814"
         ;;
      8.15*)
         coq_compat_version="COQ815"
         ;;
      8.16*)
         coq_compat_version="COQ816"
         ;;
      *)
         enable_coq_support=no
         { printf "%s\n" "$as_me:${as_lineno-$LINENO}: WARNING: You need Coq 8.7 or later; Coq discarded." >&5
printf "%s\n" "$as_me: WARNING: You need Coq 8.7 or later; Coq discarded." >&2;}
         reason_coq_support=" (need version >= 8.7)"
         ;;
   esac
   if test "$enable_coq_fp_libs" = no; then
      reason_coq_fp_libs= " (Coq < 8.11)"
   fi
fi

if test "$enable_coq_support" = yes; then
   # Extract the first word of "coqdep", so it can be a program name with args.
set dummy coqdep; ac_word=$2
{ printf "%s\n" "$as_me:${as_lineno-$LINENO}: checking for $ac_word" >&5
printf %s "checking for $ac_word... " >&6; }
if test ${ac_cv_prog_COQDEP+y}
then :
  printf %s "(cached) " >&6
else $as_nop
  if test -n "$COQDEP"; then
  ac_cv_prog_COQDEP="$COQDEP" # Let the user override the test.
else
as_save_IFS=$IFS; IFS=$PATH_SEPARATOR
for as_dir in $PATH
do
  IFS=$as_save_IFS
  case $as_dir in #(((
    '') as_dir=./ ;;
    */) ;;
    *) as_dir=$as_dir/ ;;
  esac
    for ac_exec_ext in '' $ac_executable_extensions; do
  if as_fn_executable_p "$as_dir$ac_word$ac_exec_ext"; then
    ac_cv_prog_COQDEP="coqdep"
    printf "%s\n" "$as_me:${as_lineno-$LINENO}: found $as_dir$ac_word$ac_exec_ext" >&5
    break 2
  fi
done
  done
IFS=$as_save_IFS

  test -z "$ac_cv_prog_COQDEP" && ac_cv_prog_COQDEP="no"
fi
fi
COQDEP=$ac_cv_prog_COQDEP
if test -n "$COQDEP"; then
  { printf "%s\n" "$as_me:${as_lineno-$LINENO}: result: $COQDEP" >&5
printf "%s\n" "$COQDEP" >&6; }
else
  { printf "%s\n" "$as_me:${as_lineno-$LINENO}: result: no" >&5
printf "%s\n" "no" >&6; }
fi


   if test "$COQDEP" = no; then
      enable_coq_support=no
      reason_coq_support=" (coqdep not found)"
   fi
fi

if test "$enable_coq_support" = no; then
   enable_coq_libs=no
   enable_coq_fp_libs=no
   COQVERSION=
fi

if test "$enable_coq_fp_libs" = yes; then
   { printf "%s\n" "$as_me:${as_lineno-$LINENO}: checking for Flocq" >&5
printf %s "checking for Flocq... " >&6; }
   if  echo "Require Import Flocq.Version BinNat." \
            "Goal (30400 <= Flocq_version)%N. easy. Qed." > conftest.v
       "$COQC" conftest.v > conftest.err
then :
   { printf "%s\n" "$as_me:${as_lineno-$LINENO}: result: yes" >&5
printf "%s\n" "yes" >&6; }
else $as_nop
   { printf "%s\n" "$as_me:${as_lineno-$LINENO}: result: no" >&5
printf "%s\n" "no" >&6; }
       enable_coq_fp_libs=no
       reason_coq_fp_libs=" (Flocq >= 3.4 not found)"
fi
   rm -f conftest.v conftest.vo conftest.err
fi

# PVS

if test "$enable_pvs_libs" = no; then
    enable_pvs_support=no
    reason_pvs_support=" (disabled by user)"
else
    # Extract the first word of "pvs", so it can be a program name with args.
set dummy pvs; ac_word=$2
{ printf "%s\n" "$as_me:${as_lineno-$LINENO}: checking for $ac_word" >&5
printf %s "checking for $ac_word... " >&6; }
if test ${ac_cv_prog_PVS+y}
then :
  printf %s "(cached) " >&6
else $as_nop
  if test -n "$PVS"; then
  ac_cv_prog_PVS="$PVS" # Let the user override the test.
else
as_save_IFS=$IFS; IFS=$PATH_SEPARATOR
for as_dir in $PATH
do
  IFS=$as_save_IFS
  case $as_dir in #(((
    '') as_dir=./ ;;
    */) ;;
    *) as_dir=$as_dir/ ;;
  esac
    for ac_exec_ext in '' $ac_executable_extensions; do
  if as_fn_executable_p "$as_dir$ac_word$ac_exec_ext"; then
    ac_cv_prog_PVS="pvs"
    printf "%s\n" "$as_me:${as_lineno-$LINENO}: found $as_dir$ac_word$ac_exec_ext" >&5
    break 2
  fi
done
  done
IFS=$as_save_IFS

  test -z "$ac_cv_prog_PVS" && ac_cv_prog_PVS="no"
fi
fi
PVS=$ac_cv_prog_PVS
if test -n "$PVS"; then
  { printf "%s\n" "$as_me:${as_lineno-$LINENO}: result: $PVS" >&5
printf "%s\n" "$PVS" >&6; }
else
  { printf "%s\n" "$as_me:${as_lineno-$LINENO}: result: no" >&5
printf "%s\n" "no" >&6; }
fi


    if test "$PVS" = no ; then
        enable_pvs_support=no
        reason_pvs_support=" (pvs not found)"
    else
        PVSLIB=`$PVS -where`
        { printf "%s\n" "$as_me:${as_lineno-$LINENO}: checking PVS version" >&5
printf %s "checking PVS version... " >&6; }
        PVSVERSION=`$PVS -version | sed -n -e 's|.*Version *\([^ ]*\)$|\1|p'`
        { printf "%s\n" "$as_me:${as_lineno-$LINENO}: result: $PVSVERSION" >&5
printf "%s\n" "$PVSVERSION" >&6; }
        case $PVSVERSION in
          6.*|7.*)
	        enable_pvs_support=yes
                ;;
          *)
                enable_pvs_support=no
	        { printf "%s\n" "$as_me:${as_lineno-$LINENO}: WARNING: You need PVS 6.0 or higher; PVS discarded." >&5
printf "%s\n" "$as_me: WARNING: You need PVS 6.0 or higher; PVS discarded." >&2;}
                reason_pvs_support=" (need version 6.0 or higher)"
                ;;
        esac
    fi
fi

if test "$enable_pvs_support" = no; then
   enable_pvs_libs=no
   PVSVERSION=
fi

# Isabelle

# Default version used for generation of realization in the case Isabelle is not
# detected or Why3 is compiled with disable-isabelle.
ISABELLEVERSION=2021-1

if test "$enable_isabelle_libs" = no; then
    enable_isabelle_support=no
    reason_isabelle_support=" (disabled by user)"
else
    # Extract the first word of "isabelle", so it can be a program name with args.
set dummy isabelle; ac_word=$2
{ printf "%s\n" "$as_me:${as_lineno-$LINENO}: checking for $ac_word" >&5
printf %s "checking for $ac_word... " >&6; }
if test ${ac_cv_prog_ISABELLE+y}
then :
  printf %s "(cached) " >&6
else $as_nop
  if test -n "$ISABELLE"; then
  ac_cv_prog_ISABELLE="$ISABELLE" # Let the user override the test.
else
as_save_IFS=$IFS; IFS=$PATH_SEPARATOR
for as_dir in $PATH
do
  IFS=$as_save_IFS
  case $as_dir in #(((
    '') as_dir=./ ;;
    */) ;;
    *) as_dir=$as_dir/ ;;
  esac
    for ac_exec_ext in '' $ac_executable_extensions; do
  if as_fn_executable_p "$as_dir$ac_word$ac_exec_ext"; then
    ac_cv_prog_ISABELLE="isabelle"
    printf "%s\n" "$as_me:${as_lineno-$LINENO}: found $as_dir$ac_word$ac_exec_ext" >&5
    break 2
  fi
done
  done
IFS=$as_save_IFS

  test -z "$ac_cv_prog_ISABELLE" && ac_cv_prog_ISABELLE="no"
fi
fi
ISABELLE=$ac_cv_prog_ISABELLE
if test -n "$ISABELLE"; then
  { printf "%s\n" "$as_me:${as_lineno-$LINENO}: result: $ISABELLE" >&5
printf "%s\n" "$ISABELLE" >&6; }
else
  { printf "%s\n" "$as_me:${as_lineno-$LINENO}: result: no" >&5
printf "%s\n" "no" >&6; }
fi


    if test "$ISABELLE" = no ; then
       enable_isabelle_support=no
       reason_isabelle_support=" (isabelle not found)"
    else
        { printf "%s\n" "$as_me:${as_lineno-$LINENO}: checking Isabelle version" >&5
printf %s "checking Isabelle version... " >&6; }
        ISABELLEDETECTEDVERSION=`$ISABELLE version | sed -n -e 's|Isabelle\([^:]*\).*$|\1|p'`
        { printf "%s\n" "$as_me:${as_lineno-$LINENO}: result: $ISABELLEDETECTEDVERSION" >&5
printf "%s\n" "$ISABELLEDETECTEDVERSION" >&6; }
        case $ISABELLEDETECTEDVERSION in
          2019*)
	        enable_isabelle_support=yes
                ISABELLEVERSION=2019
                ;;
          2021-1*)
	        enable_isabelle_support=yes
                ISABELLEVERSION=2021-1
                ;;
          2022*)
                enable_isabelle_support=yes
                ISABELLEVERSION=2021-1
                ;;
          *)
                enable_isabelle_support=no
	        { printf "%s\n" "$as_me:${as_lineno-$LINENO}: WARNING: You need Isabelle 2019 or later; Isabelle discarded." >&5
printf "%s\n" "$as_me: WARNING: You need Isabelle 2019 or later; Isabelle discarded." >&2;}
                reason_isabelle_support=" (need version >= 2019)"
                ;;
        esac
    fi
fi

if test "$enable_isabelle_support" = no; then
   enable_isabelle_libs=no
fi

if test "$enable_pvs_libs" = yes; then
   { printf "%s\n" "$as_me:${as_lineno-$LINENO}: checking for NASA PVS library" >&5
printf %s "checking for NASA PVS library... " >&6; }
   enable_pvs_libs=no
   reason_pvs_libs=" (no NASA PVS library in PVS_LIBRARY_PATH)"
   for dir in  `echo $PVS_LIBRARY_PATH | tr ':' ' '`; do
       if test -f $dir/nasalib-version; then
          enable_pvs_libs=yes
          reason_pvs_libs=""
       fi
   done
   { printf "%s\n" "$as_me:${as_lineno-$LINENO}: result: $enable_pvs_libs" >&5
printf "%s\n" "$enable_pvs_libs" >&6; }
fi

#check frama-c
FRAMAC_SUPPORTED=Sulfur
if test "$enable_frama_c" = yes ; then
   # Extract the first word of "frama-c", so it can be a program name with args.
set dummy frama-c; ac_word=$2
{ printf "%s\n" "$as_me:${as_lineno-$LINENO}: checking for $ac_word" >&5
printf %s "checking for $ac_word... " >&6; }
if test ${ac_cv_prog_FRAMAC+y}
then :
  printf %s "(cached) " >&6
else $as_nop
  if test -n "$FRAMAC"; then
  ac_cv_prog_FRAMAC="$FRAMAC" # Let the user override the test.
else
as_save_IFS=$IFS; IFS=$PATH_SEPARATOR
for as_dir in $PATH
do
  IFS=$as_save_IFS
  case $as_dir in #(((
    '') as_dir=./ ;;
    */) ;;
    *) as_dir=$as_dir/ ;;
  esac
    for ac_exec_ext in '' $ac_executable_extensions; do
  if as_fn_executable_p "$as_dir$ac_word$ac_exec_ext"; then
    ac_cv_prog_FRAMAC="frama-c"
    printf "%s\n" "$as_me:${as_lineno-$LINENO}: found $as_dir$ac_word$ac_exec_ext" >&5
    break 2
  fi
done
  done
IFS=$as_save_IFS

  test -z "$ac_cv_prog_FRAMAC" && ac_cv_prog_FRAMAC="no"
fi
fi
FRAMAC=$ac_cv_prog_FRAMAC
if test -n "$FRAMAC"; then
  { printf "%s\n" "$as_me:${as_lineno-$LINENO}: result: $FRAMAC" >&5
printf "%s\n" "$FRAMAC" >&6; }
else
  { printf "%s\n" "$as_me:${as_lineno-$LINENO}: result: no" >&5
printf "%s\n" "no" >&6; }
fi


   if test "$FRAMAC" = no ; then
        enable_frama_c="no"
        reason_frama_c=" (frama-c not found)"
   else
      { printf "%s\n" "$as_me:${as_lineno-$LINENO}: checking Frama-C version" >&5
printf %s "checking Frama-C version... " >&6; }
      FRAMAC_VERSION=`$FRAMAC -version | sed -n -e 's|\(Version: \)\?\(.*\)$|\2|p'`
      { printf "%s\n" "$as_me:${as_lineno-$LINENO}: result: $FRAMAC_VERSION" >&5
printf "%s\n" "$FRAMAC_VERSION" >&6; }
      case $FRAMAC_VERSION in
         $FRAMAC_SUPPORTED-*) ;;
         *) { printf "%s\n" "$as_me:${as_lineno-$LINENO}: WARNING: Version $FRAMAC_SUPPORTED required." >&5
printf "%s\n" "$as_me: WARNING: Version $FRAMAC_SUPPORTED required." >&2;}
            enable_frama_c=no
            reason_frama_c=" (version $FRAMAC_SUPPORTED required)"
            ;;
      esac
   fi
fi

if test "$enable_frama_c" = yes; then
   FRAMAC_SHARE=`$FRAMAC -print-path`
   FRAMAC_LIBDIR=`$FRAMAC -print-libpath`
   FRAMAC_INCLUDE="-I $FRAMAC_LIBDIR"
fi

VERSION=$PACKAGE_VERSION

# default editor

if test -z "$EDITOR"; then
   case `uname -s` in
   Darwin)
      EDITOR=open
      ;;
   MINGW*)
      EDITOR="cmd.exe -c start"
      ;;
   *)
      EDITOR=xdg-open
      ;;
   esac
fi

# substitutions to perform

















































































































# Finally create the Makefile from Makefile.in
ac_config_files="$ac_config_files Makefile"

ac_config_files="$ac_config_files src/config.sh"

ac_config_files="$ac_config_files lib/why3/META"

ac_config_files="$ac_config_files .merlin"

ac_config_files="$ac_config_files src/jessie/Makefile"

ac_config_files="$ac_config_files src/jessie/.merlin"

ac_config_files="$ac_config_files lib/coq/version lib/pvs/version"

ac_config_commands="$ac_config_commands chmod"


cat >confcache <<\_ACEOF
# This file is a shell script that caches the results of configure
# tests run on this system so they can be shared between configure
# scripts and configure runs, see configure's option --config-cache.
# It is not useful on other systems.  If it contains results you don't
# want to keep, you may remove or edit it.
#
# config.status only pays attention to the cache file if you give it
# the --recheck option to rerun configure.
#
# `ac_cv_env_foo' variables (set or unset) will be overridden when
# loading this file, other *unset* `ac_cv_foo' will be assigned the
# following values.

_ACEOF

# The following way of writing the cache mishandles newlines in values,
# but we know of no workaround that is simple, portable, and efficient.
# So, we kill variables containing newlines.
# Ultrix sh set writes to stderr and can't be redirected directly,
# and sets the high bit in the cache file unless we assign to the vars.
(
  for ac_var in `(set) 2>&1 | sed -n 's/^\([a-zA-Z_][a-zA-Z0-9_]*\)=.*/\1/p'`; do
    eval ac_val=\$$ac_var
    case $ac_val in #(
    *${as_nl}*)
      case $ac_var in #(
      *_cv_*) { printf "%s\n" "$as_me:${as_lineno-$LINENO}: WARNING: cache variable $ac_var contains a newline" >&5
printf "%s\n" "$as_me: WARNING: cache variable $ac_var contains a newline" >&2;} ;;
      esac
      case $ac_var in #(
      _ | IFS | as_nl) ;; #(
      BASH_ARGV | BASH_SOURCE) eval $ac_var= ;; #(
      *) { eval $ac_var=; unset $ac_var;} ;;
      esac ;;
    esac
  done

  (set) 2>&1 |
    case $as_nl`(ac_space=' '; set) 2>&1` in #(
    *${as_nl}ac_space=\ *)
      # `set' does not quote correctly, so add quotes: double-quote
      # substitution turns \\\\ into \\, and sed turns \\ into \.
      sed -n \
	"s/'/'\\\\''/g;
	  s/^\\([_$as_cr_alnum]*_cv_[_$as_cr_alnum]*\\)=\\(.*\\)/\\1='\\2'/p"
      ;; #(
    *)
      # `set' quotes correctly as required by POSIX, so do not add quotes.
      sed -n "/^[_$as_cr_alnum]*_cv_[_$as_cr_alnum]*=/p"
      ;;
    esac |
    sort
) |
  sed '
     /^ac_cv_env_/b end
     t clear
     :clear
     s/^\([^=]*\)=\(.*[{}].*\)$/test ${\1+y} || &/
     t end
     s/^\([^=]*\)=\(.*\)$/\1=${\1=\2}/
     :end' >>confcache
if diff "$cache_file" confcache >/dev/null 2>&1; then :; else
  if test -w "$cache_file"; then
    if test "x$cache_file" != "x/dev/null"; then
      { printf "%s\n" "$as_me:${as_lineno-$LINENO}: updating cache $cache_file" >&5
printf "%s\n" "$as_me: updating cache $cache_file" >&6;}
      if test ! -f "$cache_file" || test -h "$cache_file"; then
	cat confcache >"$cache_file"
      else
        case $cache_file in #(
        */* | ?:*)
	  mv -f confcache "$cache_file"$$ &&
	  mv -f "$cache_file"$$ "$cache_file" ;; #(
        *)
	  mv -f confcache "$cache_file" ;;
	esac
      fi
    fi
  else
    { printf "%s\n" "$as_me:${as_lineno-$LINENO}: not updating unwritable cache $cache_file" >&5
printf "%s\n" "$as_me: not updating unwritable cache $cache_file" >&6;}
  fi
fi
rm -f confcache

test "x$prefix" = xNONE && prefix=$ac_default_prefix
# Let make expand exec_prefix.
test "x$exec_prefix" = xNONE && exec_prefix='${prefix}'

# Transform confdefs.h into DEFS.
# Protect against shell expansion while executing Makefile rules.
# Protect against Makefile macro expansion.
#
# If the first sed substitution is executed (which looks for macros that
# take arguments), then branch to the quote section.  Otherwise,
# look for a macro that doesn't take arguments.
ac_script='
:mline
/\\$/{
 N
 s,\\\n,,
 b mline
}
t clear
:clear
s/^[	 ]*#[	 ]*define[	 ][	 ]*\([^	 (][^	 (]*([^)]*)\)[	 ]*\(.*\)/-D\1=\2/g
t quote
s/^[	 ]*#[	 ]*define[	 ][	 ]*\([^	 ][^	 ]*\)[	 ]*\(.*\)/-D\1=\2/g
t quote
b any
:quote
s/[	 `~#$^&*(){}\\|;'\''"<>?]/\\&/g
s/\[/\\&/g
s/\]/\\&/g
s/\$/$$/g
H
:any
${
	g
	s/^\n//
	s/\n/ /g
	p
}
'
DEFS=`sed -n "$ac_script" confdefs.h`


ac_libobjs=
ac_ltlibobjs=
U=
for ac_i in : $LIBOBJS; do test "x$ac_i" = x: && continue
  # 1. Remove the extension, and $U if already installed.
  ac_script='s/\$U\././;s/\.o$//;s/\.obj$//'
  ac_i=`printf "%s\n" "$ac_i" | sed "$ac_script"`
  # 2. Prepend LIBOBJDIR.  When used with automake>=1.10 LIBOBJDIR
  #    will be set to the directory where LIBOBJS objects are built.
  as_fn_append ac_libobjs " \${LIBOBJDIR}$ac_i\$U.$ac_objext"
  as_fn_append ac_ltlibobjs " \${LIBOBJDIR}$ac_i"'$U.lo'
done
LIBOBJS=$ac_libobjs

LTLIBOBJS=$ac_ltlibobjs



: "${CONFIG_STATUS=./config.status}"
ac_write_fail=0
ac_clean_files_save=$ac_clean_files
ac_clean_files="$ac_clean_files $CONFIG_STATUS"
{ printf "%s\n" "$as_me:${as_lineno-$LINENO}: creating $CONFIG_STATUS" >&5
printf "%s\n" "$as_me: creating $CONFIG_STATUS" >&6;}
as_write_fail=0
cat >$CONFIG_STATUS <<_ASEOF || as_write_fail=1
#! $SHELL
# Generated by $as_me.
# Run this file to recreate the current configuration.
# Compiler output produced by configure, useful for debugging
# configure, is in config.log if it exists.

debug=false
ac_cs_recheck=false
ac_cs_silent=false

SHELL=\${CONFIG_SHELL-$SHELL}
export SHELL
_ASEOF
cat >>$CONFIG_STATUS <<\_ASEOF || as_write_fail=1
## -------------------- ##
## M4sh Initialization. ##
## -------------------- ##

# Be more Bourne compatible
DUALCASE=1; export DUALCASE # for MKS sh
as_nop=:
if test ${ZSH_VERSION+y} && (emulate sh) >/dev/null 2>&1
then :
  emulate sh
  NULLCMD=:
  # Pre-4.2 versions of Zsh do word splitting on ${1+"$@"}, which
  # is contrary to our usage.  Disable this feature.
  alias -g '${1+"$@"}'='"$@"'
  setopt NO_GLOB_SUBST
else $as_nop
  case `(set -o) 2>/dev/null` in #(
  *posix*) :
    set -o posix ;; #(
  *) :
     ;;
esac
fi



# Reset variables that may have inherited troublesome values from
# the environment.

# IFS needs to be set, to space, tab, and newline, in precisely that order.
# (If _AS_PATH_WALK were called with IFS unset, it would have the
# side effect of setting IFS to empty, thus disabling word splitting.)
# Quoting is to prevent editors from complaining about space-tab.
as_nl='
'
export as_nl
IFS=" ""	$as_nl"

PS1='$ '
PS2='> '
PS4='+ '

# Ensure predictable behavior from utilities with locale-dependent output.
LC_ALL=C
export LC_ALL
LANGUAGE=C
export LANGUAGE

# We cannot yet rely on "unset" to work, but we need these variables
# to be unset--not just set to an empty or harmless value--now, to
# avoid bugs in old shells (e.g. pre-3.0 UWIN ksh).  This construct
# also avoids known problems related to "unset" and subshell syntax
# in other old shells (e.g. bash 2.01 and pdksh 5.2.14).
for as_var in BASH_ENV ENV MAIL MAILPATH CDPATH
do eval test \${$as_var+y} \
  && ( (unset $as_var) || exit 1) >/dev/null 2>&1 && unset $as_var || :
done

# Ensure that fds 0, 1, and 2 are open.
if (exec 3>&0) 2>/dev/null; then :; else exec 0&1) 2>/dev/null; then :; else exec 1>/dev/null; fi
if (exec 3>&2)            ; then :; else exec 2>/dev/null; fi

# The user is always right.
if ${PATH_SEPARATOR+false} :; then
  PATH_SEPARATOR=:
  (PATH='/bin;/bin'; FPATH=$PATH; sh -c :) >/dev/null 2>&1 && {
    (PATH='/bin:/bin'; FPATH=$PATH; sh -c :) >/dev/null 2>&1 ||
      PATH_SEPARATOR=';'
  }
fi


# Find who we are.  Look in the path if we contain no directory separator.
as_myself=
case $0 in #((
  *[\\/]* ) as_myself=$0 ;;
  *) as_save_IFS=$IFS; IFS=$PATH_SEPARATOR
for as_dir in $PATH
do
  IFS=$as_save_IFS
  case $as_dir in #(((
    '') as_dir=./ ;;
    */) ;;
    *) as_dir=$as_dir/ ;;
  esac
    test -r "$as_dir$0" && as_myself=$as_dir$0 && break
  done
IFS=$as_save_IFS

     ;;
esac
# We did not find ourselves, most probably we were run as `sh COMMAND'
# in which case we are not to be found in the path.
if test "x$as_myself" = x; then
  as_myself=$0
fi
if test ! -f "$as_myself"; then
  printf "%s\n" "$as_myself: error: cannot find myself; rerun with an absolute file name" >&2
  exit 1
fi



# as_fn_error STATUS ERROR [LINENO LOG_FD]
# ----------------------------------------
# Output "`basename $0`: error: ERROR" to stderr. If LINENO and LOG_FD are
# provided, also output the error to LOG_FD, referencing LINENO. Then exit the
# script with STATUS, using 1 if that was 0.
as_fn_error ()
{
  as_status=$1; test $as_status -eq 0 && as_status=1
  if test "$4"; then
    as_lineno=${as_lineno-"$3"} as_lineno_stack=as_lineno_stack=$as_lineno_stack
    printf "%s\n" "$as_me:${as_lineno-$LINENO}: error: $2" >&$4
  fi
  printf "%s\n" "$as_me: error: $2" >&2
  as_fn_exit $as_status
} # as_fn_error



# as_fn_set_status STATUS
# -----------------------
# Set $? to STATUS, without forking.
as_fn_set_status ()
{
  return $1
} # as_fn_set_status

# as_fn_exit STATUS
# -----------------
# Exit the shell with STATUS, even in a "trap 0" or "set -e" context.
as_fn_exit ()
{
  set +e
  as_fn_set_status $1
  exit $1
} # as_fn_exit

# as_fn_unset VAR
# ---------------
# Portably unset VAR.
as_fn_unset ()
{
  { eval $1=; unset $1;}
}
as_unset=as_fn_unset

# as_fn_append VAR VALUE
# ----------------------
# Append the text in VALUE to the end of the definition contained in VAR. Take
# advantage of any shell optimizations that allow amortized linear growth over
# repeated appends, instead of the typical quadratic growth present in naive
# implementations.
if (eval "as_var=1; as_var+=2; test x\$as_var = x12") 2>/dev/null
then :
  eval 'as_fn_append ()
  {
    eval $1+=\$2
  }'
else $as_nop
  as_fn_append ()
  {
    eval $1=\$$1\$2
  }
fi # as_fn_append

# as_fn_arith ARG...
# ------------------
# Perform arithmetic evaluation on the ARGs, and store the result in the
# global $as_val. Take advantage of shells that can avoid forks. The arguments
# must be portable across $(()) and expr.
if (eval "test \$(( 1 + 1 )) = 2") 2>/dev/null
then :
  eval 'as_fn_arith ()
  {
    as_val=$(( $* ))
  }'
else $as_nop
  as_fn_arith ()
  {
    as_val=`expr "$@" || test $? -eq 1`
  }
fi # as_fn_arith


if expr a : '\(a\)' >/dev/null 2>&1 &&
   test "X`expr 00001 : '.*\(...\)'`" = X001; then
  as_expr=expr
else
  as_expr=false
fi

if (basename -- /) >/dev/null 2>&1 && test "X`basename -- / 2>&1`" = "X/"; then
  as_basename=basename
else
  as_basename=false
fi

if (as_dir=`dirname -- /` && test "X$as_dir" = X/) >/dev/null 2>&1; then
  as_dirname=dirname
else
  as_dirname=false
fi

as_me=`$as_basename -- "$0" ||
$as_expr X/"$0" : '.*/\([^/][^/]*\)/*$' \| \
	 X"$0" : 'X\(//\)$' \| \
	 X"$0" : 'X\(/\)' \| . 2>/dev/null ||
printf "%s\n" X/"$0" |
    sed '/^.*\/\([^/][^/]*\)\/*$/{
	    s//\1/
	    q
	  }
	  /^X\/\(\/\/\)$/{
	    s//\1/
	    q
	  }
	  /^X\/\(\/\).*/{
	    s//\1/
	    q
	  }
	  s/.*/./; q'`

# Avoid depending upon Character Ranges.
as_cr_letters='abcdefghijklmnopqrstuvwxyz'
as_cr_LETTERS='ABCDEFGHIJKLMNOPQRSTUVWXYZ'
as_cr_Letters=$as_cr_letters$as_cr_LETTERS
as_cr_digits='0123456789'
as_cr_alnum=$as_cr_Letters$as_cr_digits


# Determine whether it's possible to make 'echo' print without a newline.
# These variables are no longer used directly by Autoconf, but are AC_SUBSTed
# for compatibility with existing Makefiles.
ECHO_C= ECHO_N= ECHO_T=
case `echo -n x` in #(((((
-n*)
  case `echo 'xy\c'` in
  *c*) ECHO_T='	';;	# ECHO_T is single tab character.
  xy)  ECHO_C='\c';;
  *)   echo `echo ksh88 bug on AIX 6.1` > /dev/null
       ECHO_T='	';;
  esac;;
*)
  ECHO_N='-n';;
esac

# For backward compatibility with old third-party macros, we provide
# the shell variables $as_echo and $as_echo_n.  New code should use
# AS_ECHO(["message"]) and AS_ECHO_N(["message"]), respectively.
as_echo='printf %s\n'
as_echo_n='printf %s'

rm -f conf$$ conf$$.exe conf$$.file
if test -d conf$$.dir; then
  rm -f conf$$.dir/conf$$.file
else
  rm -f conf$$.dir
  mkdir conf$$.dir 2>/dev/null
fi
if (echo >conf$$.file) 2>/dev/null; then
  if ln -s conf$$.file conf$$ 2>/dev/null; then
    as_ln_s='ln -s'
    # ... but there are two gotchas:
    # 1) On MSYS, both `ln -s file dir' and `ln file dir' fail.
    # 2) DJGPP < 2.04 has no symlinks; `ln -s' creates a wrapper executable.
    # In both cases, we have to default to `cp -pR'.
    ln -s conf$$.file conf$$.dir 2>/dev/null && test ! -f conf$$.exe ||
      as_ln_s='cp -pR'
  elif ln conf$$.file conf$$ 2>/dev/null; then
    as_ln_s=ln
  else
    as_ln_s='cp -pR'
  fi
else
  as_ln_s='cp -pR'
fi
rm -f conf$$ conf$$.exe conf$$.dir/conf$$.file conf$$.file
rmdir conf$$.dir 2>/dev/null


# as_fn_mkdir_p
# -------------
# Create "$as_dir" as a directory, including parents if necessary.
as_fn_mkdir_p ()
{

  case $as_dir in #(
  -*) as_dir=./$as_dir;;
  esac
  test -d "$as_dir" || eval $as_mkdir_p || {
    as_dirs=
    while :; do
      case $as_dir in #(
      *\'*) as_qdir=`printf "%s\n" "$as_dir" | sed "s/'/'\\\\\\\\''/g"`;; #'(
      *) as_qdir=$as_dir;;
      esac
      as_dirs="'$as_qdir' $as_dirs"
      as_dir=`$as_dirname -- "$as_dir" ||
$as_expr X"$as_dir" : 'X\(.*[^/]\)//*[^/][^/]*/*$' \| \
	 X"$as_dir" : 'X\(//\)[^/]' \| \
	 X"$as_dir" : 'X\(//\)$' \| \
	 X"$as_dir" : 'X\(/\)' \| . 2>/dev/null ||
printf "%s\n" X"$as_dir" |
    sed '/^X\(.*[^/]\)\/\/*[^/][^/]*\/*$/{
	    s//\1/
	    q
	  }
	  /^X\(\/\/\)[^/].*/{
	    s//\1/
	    q
	  }
	  /^X\(\/\/\)$/{
	    s//\1/
	    q
	  }
	  /^X\(\/\).*/{
	    s//\1/
	    q
	  }
	  s/.*/./; q'`
      test -d "$as_dir" && break
    done
    test -z "$as_dirs" || eval "mkdir $as_dirs"
  } || test -d "$as_dir" || as_fn_error $? "cannot create directory $as_dir"


} # as_fn_mkdir_p
if mkdir -p . 2>/dev/null; then
  as_mkdir_p='mkdir -p "$as_dir"'
else
  test -d ./-p && rmdir ./-p
  as_mkdir_p=false
fi


# as_fn_executable_p FILE
# -----------------------
# Test if FILE is an executable regular file.
as_fn_executable_p ()
{
  test -f "$1" && test -x "$1"
} # as_fn_executable_p
as_test_x='test -x'
as_executable_p=as_fn_executable_p

# Sed expression to map a string onto a valid CPP name.
as_tr_cpp="eval sed 'y%*$as_cr_letters%P$as_cr_LETTERS%;s%[^_$as_cr_alnum]%_%g'"

# Sed expression to map a string onto a valid variable name.
as_tr_sh="eval sed 'y%*+%pp%;s%[^_$as_cr_alnum]%_%g'"


exec 6>&1
## ----------------------------------- ##
## Main body of $CONFIG_STATUS script. ##
## ----------------------------------- ##
_ASEOF
test $as_write_fail = 0 && chmod +x $CONFIG_STATUS || ac_write_fail=1

cat >>$CONFIG_STATUS <<\_ACEOF || ac_write_fail=1
# Save the log message, to keep $0 and so on meaningful, and to
# report actual input values of CONFIG_FILES etc. instead of their
# values after options handling.
ac_log="
This file was extended by Why3 $as_me 1.6.0, which was
generated by GNU Autoconf 2.71.  Invocation command line was

  CONFIG_FILES    = $CONFIG_FILES
  CONFIG_HEADERS  = $CONFIG_HEADERS
  CONFIG_LINKS    = $CONFIG_LINKS
  CONFIG_COMMANDS = $CONFIG_COMMANDS
  $ $0 $@

on `(hostname || uname -n) 2>/dev/null | sed 1q`
"

_ACEOF

case $ac_config_files in *"
"*) set x $ac_config_files; shift; ac_config_files=$*;;
esac



cat >>$CONFIG_STATUS <<_ACEOF || ac_write_fail=1
# Files that config.status was made for.
config_files="$ac_config_files"
config_commands="$ac_config_commands"

_ACEOF

cat >>$CONFIG_STATUS <<\_ACEOF || ac_write_fail=1
ac_cs_usage="\
\`$as_me' instantiates files and other configuration actions
from templates according to the current configuration.  Unless the files
and actions are specified as TAGs, all are instantiated by default.

Usage: $0 [OPTION]... [TAG]...

  -h, --help       print this help, then exit
  -V, --version    print version number and configuration settings, then exit
      --config     print configuration, then exit
  -q, --quiet, --silent
                   do not print progress messages
  -d, --debug      don't remove temporary files
      --recheck    update $as_me by reconfiguring in the same conditions
      --file=FILE[:TEMPLATE]
                   instantiate the configuration file FILE

Configuration files:
$config_files

Configuration commands:
$config_commands

Report bugs to the package provider."

_ACEOF
ac_cs_config=`printf "%s\n" "$ac_configure_args" | sed "$ac_safe_unquote"`
ac_cs_config_escaped=`printf "%s\n" "$ac_cs_config" | sed "s/^ //; s/'/'\\\\\\\\''/g"`
cat >>$CONFIG_STATUS <<_ACEOF || ac_write_fail=1
ac_cs_config='$ac_cs_config_escaped'
ac_cs_version="\\
Why3 config.status 1.6.0
configured by $0, generated by GNU Autoconf 2.71,
  with options \\"\$ac_cs_config\\"

Copyright (C) 2021 Free Software Foundation, Inc.
This config.status script is free software; the Free Software Foundation
gives unlimited permission to copy, distribute and modify it."

ac_pwd='$ac_pwd'
srcdir='$srcdir'
INSTALL='$INSTALL'
MKDIR_P='$MKDIR_P'
test -n "\$AWK" || AWK=awk
_ACEOF

cat >>$CONFIG_STATUS <<\_ACEOF || ac_write_fail=1
# The default lists apply if the user does not specify any file.
ac_need_defaults=:
while test $# != 0
do
  case $1 in
  --*=?*)
    ac_option=`expr "X$1" : 'X\([^=]*\)='`
    ac_optarg=`expr "X$1" : 'X[^=]*=\(.*\)'`
    ac_shift=:
    ;;
  --*=)
    ac_option=`expr "X$1" : 'X\([^=]*\)='`
    ac_optarg=
    ac_shift=:
    ;;
  *)
    ac_option=$1
    ac_optarg=$2
    ac_shift=shift
    ;;
  esac

  case $ac_option in
  # Handling of the options.
  -recheck | --recheck | --rechec | --reche | --rech | --rec | --re | --r)
    ac_cs_recheck=: ;;
  --version | --versio | --versi | --vers | --ver | --ve | --v | -V )
    printf "%s\n" "$ac_cs_version"; exit ;;
  --config | --confi | --conf | --con | --co | --c )
    printf "%s\n" "$ac_cs_config"; exit ;;
  --debug | --debu | --deb | --de | --d | -d )
    debug=: ;;
  --file | --fil | --fi | --f )
    $ac_shift
    case $ac_optarg in
    *\'*) ac_optarg=`printf "%s\n" "$ac_optarg" | sed "s/'/'\\\\\\\\''/g"` ;;
    '') as_fn_error $? "missing file argument" ;;
    esac
    as_fn_append CONFIG_FILES " '$ac_optarg'"
    ac_need_defaults=false;;
  --he | --h |  --help | --hel | -h )
    printf "%s\n" "$ac_cs_usage"; exit ;;
  -q | -quiet | --quiet | --quie | --qui | --qu | --q \
  | -silent | --silent | --silen | --sile | --sil | --si | --s)
    ac_cs_silent=: ;;

  # This is an error.
  -*) as_fn_error $? "unrecognized option: \`$1'
Try \`$0 --help' for more information." ;;

  *) as_fn_append ac_config_targets " $1"
     ac_need_defaults=false ;;

  esac
  shift
done

ac_configure_extra_args=

if $ac_cs_silent; then
  exec 6>/dev/null
  ac_configure_extra_args="$ac_configure_extra_args --silent"
fi

_ACEOF
cat >>$CONFIG_STATUS <<_ACEOF || ac_write_fail=1
if \$ac_cs_recheck; then
  set X $SHELL '$0' $ac_configure_args \$ac_configure_extra_args --no-create --no-recursion
  shift
  \printf "%s\n" "running CONFIG_SHELL=$SHELL \$*" >&6
  CONFIG_SHELL='$SHELL'
  export CONFIG_SHELL
  exec "\$@"
fi

_ACEOF
cat >>$CONFIG_STATUS <<\_ACEOF || ac_write_fail=1
exec 5>>config.log
{
  echo
  sed 'h;s/./-/g;s/^.../## /;s/...$/ ##/;p;x;p;x' <<_ASBOX
## Running $as_me. ##
_ASBOX
  printf "%s\n" "$ac_log"
} >&5

_ACEOF
cat >>$CONFIG_STATUS <<_ACEOF || ac_write_fail=1
_ACEOF

cat >>$CONFIG_STATUS <<\_ACEOF || ac_write_fail=1

# Handling of arguments.
for ac_config_target in $ac_config_targets
do
  case $ac_config_target in
    "Makefile") CONFIG_FILES="$CONFIG_FILES Makefile" ;;
    "src/config.sh") CONFIG_FILES="$CONFIG_FILES src/config.sh" ;;
    "lib/why3/META") CONFIG_FILES="$CONFIG_FILES lib/why3/META" ;;
    ".merlin") CONFIG_FILES="$CONFIG_FILES .merlin" ;;
    "src/jessie/Makefile") CONFIG_FILES="$CONFIG_FILES src/jessie/Makefile" ;;
    "src/jessie/.merlin") CONFIG_FILES="$CONFIG_FILES src/jessie/.merlin" ;;
    "lib/coq/version") CONFIG_FILES="$CONFIG_FILES lib/coq/version" ;;
    "lib/pvs/version") CONFIG_FILES="$CONFIG_FILES lib/pvs/version" ;;
    "chmod") CONFIG_COMMANDS="$CONFIG_COMMANDS chmod" ;;

  *) as_fn_error $? "invalid argument: \`$ac_config_target'" "$LINENO" 5;;
  esac
done


# If the user did not use the arguments to specify the items to instantiate,
# then the envvar interface is used.  Set only those that are not.
# We use the long form for the default assignment because of an extremely
# bizarre bug on SunOS 4.1.3.
if $ac_need_defaults; then
  test ${CONFIG_FILES+y} || CONFIG_FILES=$config_files
  test ${CONFIG_COMMANDS+y} || CONFIG_COMMANDS=$config_commands
fi

# Have a temporary directory for convenience.  Make it in the build tree
# simply because there is no reason against having it here, and in addition,
# creating and moving files from /tmp can sometimes cause problems.
# Hook for its removal unless debugging.
# Note that there is a small window in which the directory will not be cleaned:
# after its creation but before its name has been assigned to `$tmp'.
$debug ||
{
  tmp= ac_tmp=
  trap 'exit_status=$?
  : "${ac_tmp:=$tmp}"
  { test ! -d "$ac_tmp" || rm -fr "$ac_tmp"; } && exit $exit_status
' 0
  trap 'as_fn_exit 1' 1 2 13 15
}
# Create a (secure) tmp directory for tmp files.

{
  tmp=`(umask 077 && mktemp -d "./confXXXXXX") 2>/dev/null` &&
  test -d "$tmp"
}  ||
{
  tmp=./conf$$-$RANDOM
  (umask 077 && mkdir "$tmp")
} || as_fn_error $? "cannot create a temporary directory in ." "$LINENO" 5
ac_tmp=$tmp

# Set up the scripts for CONFIG_FILES section.
# No need to generate them if there are no CONFIG_FILES.
# This happens for instance with `./config.status config.h'.
if test -n "$CONFIG_FILES"; then


ac_cr=`echo X | tr X '\015'`
# On cygwin, bash can eat \r inside `` if the user requested igncr.
# But we know of no other shell where ac_cr would be empty at this
# point, so we can use a bashism as a fallback.
if test "x$ac_cr" = x; then
  eval ac_cr=\$\'\\r\'
fi
ac_cs_awk_cr=`$AWK 'BEGIN { print "a\rb" }' /dev/null`
if test "$ac_cs_awk_cr" = "a${ac_cr}b"; then
  ac_cs_awk_cr='\\r'
else
  ac_cs_awk_cr=$ac_cr
fi

echo 'BEGIN {' >"$ac_tmp/subs1.awk" &&
_ACEOF


{
  echo "cat >conf$$subs.awk <<_ACEOF" &&
  echo "$ac_subst_vars" | sed 's/.*/&!$&$ac_delim/' &&
  echo "_ACEOF"
} >conf$$subs.sh ||
  as_fn_error $? "could not make $CONFIG_STATUS" "$LINENO" 5
ac_delim_num=`echo "$ac_subst_vars" | grep -c '^'`
ac_delim='%!_!# '
for ac_last_try in false false false false false :; do
  . ./conf$$subs.sh ||
    as_fn_error $? "could not make $CONFIG_STATUS" "$LINENO" 5

  ac_delim_n=`sed -n "s/.*$ac_delim\$/X/p" conf$$subs.awk | grep -c X`
  if test $ac_delim_n = $ac_delim_num; then
    break
  elif $ac_last_try; then
    as_fn_error $? "could not make $CONFIG_STATUS" "$LINENO" 5
  else
    ac_delim="$ac_delim!$ac_delim _$ac_delim!! "
  fi
done
rm -f conf$$subs.sh

cat >>$CONFIG_STATUS <<_ACEOF || ac_write_fail=1
cat >>"\$ac_tmp/subs1.awk" <<\\_ACAWK &&
_ACEOF
sed -n '
h
s/^/S["/; s/!.*/"]=/
p
g
s/^[^!]*!//
:repl
t repl
s/'"$ac_delim"'$//
t delim
:nl
h
s/\(.\{148\}\)..*/\1/
t more1
s/["\\]/\\&/g; s/^/"/; s/$/\\n"\\/
p
n
b repl
:more1
s/["\\]/\\&/g; s/^/"/; s/$/"\\/
p
g
s/.\{148\}//
t nl
:delim
h
s/\(.\{148\}\)..*/\1/
t more2
s/["\\]/\\&/g; s/^/"/; s/$/"/
p
b
:more2
s/["\\]/\\&/g; s/^/"/; s/$/"\\/
p
g
s/.\{148\}//
t delim
' >$CONFIG_STATUS || ac_write_fail=1
rm -f conf$$subs.awk
cat >>$CONFIG_STATUS <<_ACEOF || ac_write_fail=1
_ACAWK
cat >>"\$ac_tmp/subs1.awk" <<_ACAWK &&
  for (key in S) S_is_set[key] = 1
  FS = ""

}
{
  line = $ 0
  nfields = split(line, field, "@")
  substed = 0
  len = length(field[1])
  for (i = 2; i < nfields; i++) {
    key = field[i]
    keylen = length(key)
    if (S_is_set[key]) {
      value = S[key]
      line = substr(line, 1, len) "" value "" substr(line, len + keylen + 3)
      len += length(value) + length(field[++i])
      substed = 1
    } else
      len += 1 + keylen
  }

  print line
}

_ACAWK
_ACEOF
cat >>$CONFIG_STATUS <<\_ACEOF || ac_write_fail=1
if sed "s/$ac_cr//" < /dev/null > /dev/null 2>&1; then
  sed "s/$ac_cr\$//; s/$ac_cr/$ac_cs_awk_cr/g"
else
  cat
fi < "$ac_tmp/subs1.awk" > "$ac_tmp/subs.awk" \
  || as_fn_error $? "could not setup config files machinery" "$LINENO" 5
_ACEOF

# VPATH may cause trouble with some makes, so we remove sole $(srcdir),
# ${srcdir} and @srcdir@ entries from VPATH if srcdir is ".", strip leading and
# trailing colons and then remove the whole line if VPATH becomes empty
# (actually we leave an empty line to preserve line numbers).
if test "x$srcdir" = x.; then
  ac_vpsub='/^[	 ]*VPATH[	 ]*=[	 ]*/{
h
s///
s/^/:/
s/[	 ]*$/:/
s/:\$(srcdir):/:/g
s/:\${srcdir}:/:/g
s/:@srcdir@:/:/g
s/^:*//
s/:*$//
x
s/\(=[	 ]*\).*/\1/
G
s/\n//
s/^[^=]*=[	 ]*$//
}'
fi

cat >>$CONFIG_STATUS <<\_ACEOF || ac_write_fail=1
fi # test -n "$CONFIG_FILES"


eval set X "  :F $CONFIG_FILES      :C $CONFIG_COMMANDS"
shift
for ac_tag
do
  case $ac_tag in
  :[FHLC]) ac_mode=$ac_tag; continue;;
  esac
  case $ac_mode$ac_tag in
  :[FHL]*:*);;
  :L* | :C*:*) as_fn_error $? "invalid tag \`$ac_tag'" "$LINENO" 5;;
  :[FH]-) ac_tag=-:-;;
  :[FH]*) ac_tag=$ac_tag:$ac_tag.in;;
  esac
  ac_save_IFS=$IFS
  IFS=:
  set x $ac_tag
  IFS=$ac_save_IFS
  shift
  ac_file=$1
  shift

  case $ac_mode in
  :L) ac_source=$1;;
  :[FH])
    ac_file_inputs=
    for ac_f
    do
      case $ac_f in
      -) ac_f="$ac_tmp/stdin";;
      *) # Look for the file first in the build tree, then in the source tree
	 # (if the path is not absolute).  The absolute path cannot be DOS-style,
	 # because $ac_f cannot contain `:'.
	 test -f "$ac_f" ||
	   case $ac_f in
	   [\\/$]*) false;;
	   *) test -f "$srcdir/$ac_f" && ac_f="$srcdir/$ac_f";;
	   esac ||
	   as_fn_error 1 "cannot find input file: \`$ac_f'" "$LINENO" 5;;
      esac
      case $ac_f in *\'*) ac_f=`printf "%s\n" "$ac_f" | sed "s/'/'\\\\\\\\''/g"`;; esac
      as_fn_append ac_file_inputs " '$ac_f'"
    done

    # Let's still pretend it is `configure' which instantiates (i.e., don't
    # use $as_me), people would be surprised to read:
    #    /* config.h.  Generated by config.status.  */
    configure_input='Generated from '`
	  printf "%s\n" "$*" | sed 's|^[^:]*/||;s|:[^:]*/|, |g'
	`' by configure.'
    if test x"$ac_file" != x-; then
      configure_input="$ac_file.  $configure_input"
      { printf "%s\n" "$as_me:${as_lineno-$LINENO}: creating $ac_file" >&5
printf "%s\n" "$as_me: creating $ac_file" >&6;}
    fi
    # Neutralize special characters interpreted by sed in replacement strings.
    case $configure_input in #(
    *\&* | *\|* | *\\* )
       ac_sed_conf_input=`printf "%s\n" "$configure_input" |
       sed 's/[\\\\&|]/\\\\&/g'`;; #(
    *) ac_sed_conf_input=$configure_input;;
    esac

    case $ac_tag in
    *:-:* | *:-) cat >"$ac_tmp/stdin" \
      || as_fn_error $? "could not create $ac_file" "$LINENO" 5 ;;
    esac
    ;;
  esac

  ac_dir=`$as_dirname -- "$ac_file" ||
$as_expr X"$ac_file" : 'X\(.*[^/]\)//*[^/][^/]*/*$' \| \
	 X"$ac_file" : 'X\(//\)[^/]' \| \
	 X"$ac_file" : 'X\(//\)$' \| \
	 X"$ac_file" : 'X\(/\)' \| . 2>/dev/null ||
printf "%s\n" X"$ac_file" |
    sed '/^X\(.*[^/]\)\/\/*[^/][^/]*\/*$/{
	    s//\1/
	    q
	  }
	  /^X\(\/\/\)[^/].*/{
	    s//\1/
	    q
	  }
	  /^X\(\/\/\)$/{
	    s//\1/
	    q
	  }
	  /^X\(\/\).*/{
	    s//\1/
	    q
	  }
	  s/.*/./; q'`
  as_dir="$ac_dir"; as_fn_mkdir_p
  ac_builddir=.

case "$ac_dir" in
.) ac_dir_suffix= ac_top_builddir_sub=. ac_top_build_prefix= ;;
*)
  ac_dir_suffix=/`printf "%s\n" "$ac_dir" | sed 's|^\.[\\/]||'`
  # A ".." for each directory in $ac_dir_suffix.
  ac_top_builddir_sub=`printf "%s\n" "$ac_dir_suffix" | sed 's|/[^\\/]*|/..|g;s|/||'`
  case $ac_top_builddir_sub in
  "") ac_top_builddir_sub=. ac_top_build_prefix= ;;
  *)  ac_top_build_prefix=$ac_top_builddir_sub/ ;;
  esac ;;
esac
ac_abs_top_builddir=$ac_pwd
ac_abs_builddir=$ac_pwd$ac_dir_suffix
# for backward compatibility:
ac_top_builddir=$ac_top_build_prefix

case $srcdir in
  .)  # We are building in place.
    ac_srcdir=.
    ac_top_srcdir=$ac_top_builddir_sub
    ac_abs_top_srcdir=$ac_pwd ;;
  [\\/]* | ?:[\\/]* )  # Absolute name.
    ac_srcdir=$srcdir$ac_dir_suffix;
    ac_top_srcdir=$srcdir
    ac_abs_top_srcdir=$srcdir ;;
  *) # Relative name.
    ac_srcdir=$ac_top_build_prefix$srcdir$ac_dir_suffix
    ac_top_srcdir=$ac_top_build_prefix$srcdir
    ac_abs_top_srcdir=$ac_pwd/$srcdir ;;
esac
ac_abs_srcdir=$ac_abs_top_srcdir$ac_dir_suffix


  case $ac_mode in
  :F)
  #
  # CONFIG_FILE
  #

  case $INSTALL in
  [\\/$]* | ?:[\\/]* ) ac_INSTALL=$INSTALL ;;
  *) ac_INSTALL=$ac_top_build_prefix$INSTALL ;;
  esac
  ac_MKDIR_P=$MKDIR_P
  case $MKDIR_P in
  [\\/$]* | ?:[\\/]* ) ;;
  */*) ac_MKDIR_P=$ac_top_build_prefix$MKDIR_P ;;
  esac
_ACEOF

cat >>$CONFIG_STATUS <<\_ACEOF || ac_write_fail=1
# If the template does not know about datarootdir, expand it.
# FIXME: This hack should be removed a few years after 2.60.
ac_datarootdir_hack=; ac_datarootdir_seen=
ac_sed_dataroot='
/datarootdir/ {
  p
  q
}
/@datadir@/p
/@docdir@/p
/@infodir@/p
/@localedir@/p
/@mandir@/p'
case `eval "sed -n \"\$ac_sed_dataroot\" $ac_file_inputs"` in
*datarootdir*) ac_datarootdir_seen=yes;;
*@datadir@*|*@docdir@*|*@infodir@*|*@localedir@*|*@mandir@*)
  { printf "%s\n" "$as_me:${as_lineno-$LINENO}: WARNING: $ac_file_inputs seems to ignore the --datarootdir setting" >&5
printf "%s\n" "$as_me: WARNING: $ac_file_inputs seems to ignore the --datarootdir setting" >&2;}
_ACEOF
cat >>$CONFIG_STATUS <<_ACEOF || ac_write_fail=1
  ac_datarootdir_hack='
  s&@datadir@&$datadir&g
  s&@docdir@&$docdir&g
  s&@infodir@&$infodir&g
  s&@localedir@&$localedir&g
  s&@mandir@&$mandir&g
  s&\\\${datarootdir}&$datarootdir&g' ;;
esac
_ACEOF

# Neutralize VPATH when `$srcdir' = `.'.
# Shell code in configure.ac might set extrasub.
# FIXME: do we really want to maintain this feature?
cat >>$CONFIG_STATUS <<_ACEOF || ac_write_fail=1
ac_sed_extra="$ac_vpsub
$extrasub
_ACEOF
cat >>$CONFIG_STATUS <<\_ACEOF || ac_write_fail=1
:t
/@[a-zA-Z_][a-zA-Z_0-9]*@/!b
s|@configure_input@|$ac_sed_conf_input|;t t
s&@top_builddir@&$ac_top_builddir_sub&;t t
s&@top_build_prefix@&$ac_top_build_prefix&;t t
s&@srcdir@&$ac_srcdir&;t t
s&@abs_srcdir@&$ac_abs_srcdir&;t t
s&@top_srcdir@&$ac_top_srcdir&;t t
s&@abs_top_srcdir@&$ac_abs_top_srcdir&;t t
s&@builddir@&$ac_builddir&;t t
s&@abs_builddir@&$ac_abs_builddir&;t t
s&@abs_top_builddir@&$ac_abs_top_builddir&;t t
s&@INSTALL@&$ac_INSTALL&;t t
s&@MKDIR_P@&$ac_MKDIR_P&;t t
$ac_datarootdir_hack
"
eval sed \"\$ac_sed_extra\" "$ac_file_inputs" | $AWK -f "$ac_tmp/subs.awk" \
  >$ac_tmp/out || as_fn_error $? "could not create $ac_file" "$LINENO" 5

test -z "$ac_datarootdir_hack$ac_datarootdir_seen" &&
  { ac_out=`sed -n '/\${datarootdir}/p' "$ac_tmp/out"`; test -n "$ac_out"; } &&
  { ac_out=`sed -n '/^[	 ]*datarootdir[	 ]*:*=/p' \
      "$ac_tmp/out"`; test -z "$ac_out"; } &&
  { printf "%s\n" "$as_me:${as_lineno-$LINENO}: WARNING: $ac_file contains a reference to the variable \`datarootdir'
which seems to be undefined.  Please make sure it is defined" >&5
printf "%s\n" "$as_me: WARNING: $ac_file contains a reference to the variable \`datarootdir'
which seems to be undefined.  Please make sure it is defined" >&2;}

  rm -f "$ac_tmp/stdin"
  case $ac_file in
  -) cat "$ac_tmp/out" && rm -f "$ac_tmp/out";;
  *) rm -f "$ac_file" && mv "$ac_tmp/out" "$ac_file";;
  esac \
  || as_fn_error $? "could not create $ac_file" "$LINENO" 5
 ;;


  :C)  { printf "%s\n" "$as_me:${as_lineno-$LINENO}: executing $ac_file commands" >&5
printf "%s\n" "$as_me: executing $ac_file commands" >&6;}
 ;;
  esac


  case $ac_file$ac_mode in
    "chmod":C) chmod a-w Makefile src/jessie/Makefile;
chmod a-w src/config.sh;
chmod a-w lib/why3/META;
chmod a-w .merlin;
chmod a-w src/jessie/Makefile;
chmod a-w src/jessie/.merlin;
chmod a-w lib/coq/version lib/pvs/version;
chmod u+x src/config.sh ;;

  esac
done # for ac_tag


as_fn_exit 0
_ACEOF
ac_clean_files=$ac_clean_files_save

test $ac_write_fail = 0 ||
  as_fn_error $? "write failure creating $CONFIG_STATUS" "$LINENO" 5


# configure is writing to config.log, and then calls config.status.
# config.status does its own redirection, appending to config.log.
# Unfortunately, on DOS this fails, as config.log is still kept open
# by configure, so config.status won't be able to write to it; its
# output is simply discarded.  So we exec the FD to /dev/null,
# effectively closing config.log, so it can be properly (re)opened and
# appended to by config.status.  When coming back to configure, we
# need to make the FD available again.
if test "$no_create" != yes; then
  ac_cs_success=:
  ac_config_status_args=
  test "$silent" = yes &&
    ac_config_status_args="$ac_config_status_args --quiet"
  exec 5>/dev/null
  $SHELL $CONFIG_STATUS $ac_config_status_args || ac_cs_success=false
  exec 5>>config.log
  # Use ||, not &&, to avoid exiting from the if with $? = 1, which
  # would make configure fail if this is the last instruction.
  $ac_cs_success || as_fn_exit 1
fi
if test -n "$ac_unrecognized_opts" && test "$enable_option_checking" != no; then
  { printf "%s\n" "$as_me:${as_lineno-$LINENO}: WARNING: unrecognized options: $ac_unrecognized_opts" >&5
printf "%s\n" "$as_me: WARNING: unrecognized options: $ac_unrecognized_opts" >&2;}
fi



# Summary

echo
echo "                 Summary"
echo "-----------------------------------------"
echo "Verbose make                : $enable_verbose_make"
echo "OCaml compiler              : yes"
echo "    Version                 : $OCAMLVERSION"
echo "    Library path            : $OCAMLLIB"
echo "    Ocamlfind               : $enable_ocamlfind$reason_ocamlfind"
echo "    Native compilation      : $enable_native_code"
echo "    Memory profiling        : $enable_statmemprof$reason_statmemprof"
echo "    PPX                     : $enable_ppx$reason_ppx"
echo "    S-expr for why3pp       : $enable_pp_sexp$reason_pp_sexp"
echo "    Javascript support      : $enable_js_of_ocaml$reason_js_of_ocaml"
echo "    MPFR support            : $enable_mpfr$reason_mpfr"
echo "    Re support              : $enable_re$reason_re"
echo "Components"
echo "    Why3 library            : $enable_why3_lib"
echo "    GTK IDE                 : $enable_ide$reason_ide"
echo "    Web IDE                 : $enable_web_ide$reason_web_ide"
echo "    GMP arithmetic          : $enable_zarith$reason_zarith"
echo "    Compressed sessions     : $enable_zip$reason_zip"
echo "    Hypothesis selection    : $enable_hypothesis_selection$reason_hypothesis_selection"
echo "    Stackify                : $enable_stackify$reason_stackify"
echo "    Invariant inference(exp): $enable_infer$reason_infer"
echo "    Inference with BDDs(exp): $enable_bddinfer$reason_bddinfer"
echo "    Frama-C support         : $enable_frama_c$reason_frama_c"
if test "$enable_frama_c" = yes ; then
   echo "        Version             : $FRAMAC_VERSION"
   echo "        Share path          : $FRAMAC_SHARE"
   echo "        Library path        : $FRAMAC_LIBDIR"
fi
echo "Documentation               : $enable_doc$reason_doc"
if test "$enable_doc" = yes ; then
   echo "    HTML                    : yes"
   echo "    PDF                     : $enable_pdf_doc$reason_pdf_doc"
fi
echo "Support for interactive proof assistants"
echo "    Coq                     : $enable_coq_support$reason_coq_support"
if test "$enable_coq_support" = yes ; then
   echo "        Version             : $COQVERSION"
   echo "        Library path        : $COQLIB"
   echo "        Realization support : $enable_coq_libs$reason_coq_libs"
   if test "$enable_coq_libs" = yes ; then
      echo "            FP arithmetic   : $enable_coq_fp_libs$reason_coq_fp_libs"
   fi
fi
echo "    PVS                     : $enable_pvs_support$reason_pvs_support"
if test "$enable_pvs_support" = yes ; then
   echo "        Version             : $PVSVERSION"
   echo "        Library path        : $PVSLIB"
   echo "        Realization support : $enable_pvs_libs$reason_pvs_libs"
fi
echo "    Isabelle                : $enable_isabelle_support$reason_isabelle_support"
if test "$enable_isabelle_support" = yes ; then
   echo "        Version             : $ISABELLEVERSION ($ISABELLEDETECTEDVERSION)"
   echo "        Realization support : $enable_isabelle_libs$reason_isabelle_libs"
fi
if test "$enable_local" = yes ; then
   echo "Installable                 : no"
   echo "    OCaml library path      : $OCAMLINSTALLLIB/why3"
else
   echo "Installable                 : yes"
   echo "    Binary path             : $bindir"
   echo "    Library path            : $libdir/why3"
   echo "    Data path               : $datarootdir/why3"
   echo "    OCaml library path      : $OCAMLINSTALLLIB/why3"
   echo "    Relocatable             : $enable_relocation"
fi